Manual Chapter: Traffic Listeners

Overview

Part of configuring the BIG-IP system to be a data center firewall is to create virtual servers and SNATs. For some virtual servers, you can create iRules that filter traffic based on specific user-defined criteria.

Virtual server configuration

To complete the deployment of a BIG-IP data center firewall, you must set up your virtual server configuration. A virtual server is an IP address and port specification on the BIG-IP system. The BIG-IP system listens for traffic destined for that virtual server, and then directs that traffic either to a specific host for load balancing or to an entire network.

A virtual server provides a level of security, similar to an access control list (ACL), because its destination address includes a port specification, causing the virtual server to accept only traffic destined for that port.

When you create a virtual server, you can optionally assign an iRule that functions as another layer of security, filtering out specific unwanted traffic or allowing specific traffic destined for that virtual server. The virtual server emulates a traditional ACL, while the iRule customizes the virtual server even further by filtering out or allowing individual source IP addresses and ports that you specify.

Example 1

This example shows an ACL that you can logically implement using a host virtual server with an assigned iRule. In this example, the virtual server has a destination host address of 204.170.25.11:80, and the iRule specifies that only traffic originating from the network 204.170.0.0/24 is allowed:

allow src 204.170.0.0/24 port 80 dst 204.170.25.11 port 80
deny all

In this case, only traffic originating from network 204.170.0.0/24 port 80 and destined for host 204.170.25.11:80 is accepted and load balanced according to the virtual server configuration. The virtual server denies all other traffic. Note that the destination address and port are enforced by the virtual server itself; the iRule only has to evaluate the source.

Example 2

This example shows an ACL that you can logically implement using a network virtual server with an assigned iRule. In this example, the virtual server has a destination network address of 204.170.25.0:80, and the iRule specifies that only traffic originating from the network 204.170.0.0/24 is allowed:

allow src 204.170.0.0/24 port 80 dst 204.170.25.0 port 80
deny all

In this case, only traffic originating from network 204.170.0.0/24 port 80 and destined for network 204.170.25.0:80 is accepted and forwarded to that network. The virtual server denies all other traffic.

You can find additional examples of how to create a comprehensive iRule for these scenarios on the F5 Networks DevCentral web site http://www.devcentral.f5.com.

Creating a Services profile within LTM

One of the Layer 7 tasks that you perform to configure BIG-IP® Local Traffic Manager™ as a data center firewall is to create one or more custom application-layer profiles. You create a unique profile for each type of application traffic, and then assign the profile to a virtual server that specifies that particular service. For example, if the BIG-IP data center firewall must handle HTTP traffic, you can create a custom HTTP profile and then assign that profile to a virtual server that listens for traffic on port 80 on the BIG-IP system. This particular procedure creates an HTTP profile. You can use a variation of this task to create other profiles as well, such as an FTP or SMTP profile.
Important: You can create as many profiles as you need.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP . The HTTP profile list screen opens.
  2. Click Create. The New HTTP Profile screen opens.
  3. In the Name field, type a name for the profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
  4. From the Parent Profile list, retain http.
  5. Select the Custom check box. The fields in the Settings area become available for revision.
  6. Adjust all settings as required. You can use the default values or change them to suit your needs.
  7. Click Finished.
A custom BIG-IP® LTM™ profile now appears in the relevant profile list in the BIG-IP Configuration utility.
After creating this profile, you must assign the profile to a virtual server.

Creating a load balancing pool

You can create a load balancing pool (a logical set of devices such as web servers that you group together to receive and process traffic) to efficiently distribute the load on your server resources.
Note: You must create the pool before you create the corresponding virtual server.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.
    Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.
  5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool. The default is Round Robin.
  6. For the Priority Group Activation setting, select the way to handle priority groups:
    • Retain the default option, Disabled to disable priority groups.
    • Select Less than, and type the minimum number of members in the Available Members field that must remain available in each priority group in order for traffic to remain confined to that group.
  7. Using the New Members setting, add each resource that you want to include in the pool:
    1. Either type an IP address in the Address field, or select a node address from the Node List.
    2. Type a port number in the Service Port field, or select a service name from the list.
    3. To specify a priority group, type a priority number in the Priority field.
    4. Click Add.
  8. Click Finished.
The load balancing pool appears in the Pools list.

Creating an iRule

Use this procedure to create an iRule.
  1. On the Main tab, click Local Traffic > iRules.
  2. Click Create. The New iRule screen opens.
  3. In the Name field, type a 1- to 31-character name, such as virtual_acl_irule.
  4. In the Definition field, type the syntax for the iRule, using Tool Command Language (Tcl) syntax. For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site http://devcentral.f5.com.
  5. Click Finished.
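The following iRule is an added example, not code from the F5 manual or from DevCentral. It is the Tcl you would type into the Definition field in the procedure above, and it implements the "allow src 204.170.0.0/24 ... deny all" ACL from Examples 1 and 2. The listener it is attached to (the host virtual server 204.170.25.11:80 or the network virtual server 204.170.25.0:80) already pins the destination address and port, so the rule only judges the source. It assumes a TCP listener (port 80) and deliberately does not enforce the ACL's source "port 80" clause: client source ports are ephemeral, so matching on them would reject almost every legitimate connection.

```tcl
# Added example (not from the F5 manual): enforce the chapter's ACL in an iRule.
# Assumes a TCP virtual server; the allowed network list is the chapter's value.
when CLIENT_ACCEPTED {
    # Permitted source networks. For longer lists, an address-type data group
    # tested with [class match [IP::client_addr] equals <group>] is easier to
    # maintain than editing the rule (hypothetical group name; not shown here).
    set allowed_nets [list 204.170.0.0/24]

    set permitted 0
    foreach net $allowed_nets {
        # IP::addr compares the client address against a CIDR prefix.
        if { [IP::addr [IP::client_addr] equals $net] } {
            set permitted 1
            break
        }
    }

    if { !$permitted } {
        # "deny all": record the 4-tuple in /var/log/ltm for the SOC, then
        # reset the connection instead of silently dropping it.
        log local0. "ACL deny [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        reject
        return
    }

    # Permitted traffic falls through to the default pool (host virtual
    # server) or to the routing table (network virtual server).
}
```

Because the rule runs at CLIENT_ACCEPTED, the decision is made once per connection before any payload is read, which is the right place for an address-based ACL; per-request checks belong in HTTP_REQUEST instead. Check the result with `tail -f /var/log/ltm` while connecting from an address outside 204.170.0.0/24: the connection should be reset and the deny line logged.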

Host virtual servers

A host virtual server listens for traffic destined for a specific site, such as an Internet web site or an FTP site, and then directs that traffic to content servers that are members of a pool. A host virtual server provides a level of security, similar to an access control list (ACL), because its destination address includes a port specification, causing the virtual server to accept only traffic destined for that port.

Creating a host virtual server

Use this task to create a standard, host type of virtual server for application traffic. A host type of virtual server listens for traffic destined for the specified destination IP address and service. You must create a separate virtual server for each destination IP address/service combination. For example, if you want the BIG-IP® firewall device to handle HTTP, SMTP, and FTP traffic, and you want to use the virtual address 204.170.25.11, you create three separate virtual servers: 204.170.25.11:80, 204.170.25.11:25, and 204.170.25.11:21 on the BIG-IP data center firewall.
  1. On the Main tab, click Local Traffic > Virtual Servers . The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, in the Address field, type the host IP address that you want to use for the virtual server. This is the IP address on the BIG-IP system to which inbound application traffic is destined.
  5. In the Service Port field, type a port number or select a service name from the Service Port list.
  6. Assign any LTM® traffic profiles as needed.
  7. From the Configuration list, select Advanced.
  8. From the Request Logging Profile list, select the custom request logging profile that you created earlier.
  9. Locate the Resources area of the screen.
  10. For the iRules setting, from the Available list, select the name of the iRule that you want to assign, and using the Move button, move the name into the Enabled list. This step is optional.
  11. From the Default Pool list, select the name of the pool that you created previously.
  12. Click Finished.
The BIG-IP system now listens for traffic destined for the specified destination IP address and service, and applies all assigned profiles and any load balancing pool. Also, all log messages pertaining to the application traffic are logged to the pool of remote logging servers specified in the assigned Request Logging profile.

Example 1: Host virtual server configurations

This example shows the BIG-IP data center firewall also functioning as an application delivery controller (ADC). In the illustration shown, the BIG-IP system contains two host virtual servers (FTP VIP and App VIP) to perform application delivery controller (ADC) functions, while still providing security. Specifically, the two virtual servers perform these functions:

  • Load balancing traffic to FTP resources
  • Load balancing traffic to internal ADCs that handle specific applications. (The illustration shows one internal ADC named App ADC.)

The benefit of the first function is that the BIG-IP data center firewall load balances the FTP resources itself, so you do not need to place a separate ADC between the firewall and those resources. This simplifies the management of the environment.

The second function illustrates the same benefit but also shows that the BIG-IP system can load balance the request to an internal ADC that is handling the more specialized tasks required for an application, such as web acceleration, compression, caching, or web optimization.

[Illustration: Host virtual server configurations]

Network virtual servers

A network virtual server listens for traffic destined for a specific network and simply forwards that traffic to that network. A network virtual server provides a level of security because its destination network address includes a port specification, causing the virtual server to accept only traffic destined for that port on the specified network.

Creating a network virtual server

Use this task to create a standard, network type of virtual server for application traffic. A network type of virtual server listens for traffic destined for a specific network. The BIG-IP system then forwards the traffic to that network, to the host specified in the system's routing configuration.
  1. On the Main tab, click Local Traffic > Virtual Servers . The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, in the Address field, type the network IP address that you want to use for the virtual server. This is the network for which inbound application traffic is destined.
  5. In the Service Port field, type a port number or select a service name from the Service Port list.
  6. From the Configuration list, select Advanced.
  7. From the Request Logging Profile list, select the custom request logging profile that you created earlier.
  8. Locate the Resources area of the screen.
  9. For the iRules setting, from the Available list, select the name of the iRule that you want to assign, and using the Move button, move the name into the Enabled list. This step is optional.
  10. Click Finished.
Now the BIG-IP system listens for traffic destined for the specified destination IP address and service, and applies all assigned profiles and iRules.

Example 2: Network virtual server configurations

This example shows the BIG-IP data center firewall configured with a network virtual server. This configuration is generally used when you do not want the BIG-IP data center firewall to perform address translation on incoming requests; instead, the packets are simply forwarded to publicly-accessible resources while still providing security.

As shown, an ADC provides traditional application delivery functionality along with possibly more specialized functionality behind the BIG-IP data center firewall. The illustration also shows a DNS server located behind the BIG-IP data center firewall, but with a publicly-accessible address. This could be a direct DNS server, or even a GTM system providing global DNS services to an infrastructure.

[Illustration: Network virtual server configurations]

Adding a static route

On the BIG-IP data center firewall, use this task to create a static route to a BIG-IP device on another network.
  1. On the Main tab, click Network > Routes.
  2. Click Add. The New Route screen opens.
  3. In the Name field, type a unique name for the route.
  4. In the Destination field, type the destination IP address in the route. This address can represent either a host or a network. Also, if you are using route domains and the relevant route domain is the partition default route domain, you do not need to append a route domain ID to this address.
  5. In the Netmask field, type the network mask for the destination IP address.
  6. From the Resource list, select Use Gateway. The gateway represents a next-hop or last-hop address in the route.
  7. For the Gateway Address setting, select IP Address and type an IP address.
  8. At the bottom of the screen, click Finished.
Now, packets targeted for the destination address specified in the route can reach that destination.

Configuring a SNAT

To protect IP addresses on the private network from being exposed to nodes on a public network, you can define a SNAT. A SNAT changes the source IP address on a packet to a SNAT external address located on the BIG-IP system.
  1. On the Main tab, click Local Traffic > SNATs . The SNAT List screen displays a list of existing SNATs.
  2. Click Create.
  3. Name the new SNAT.
  4. In the Translation field, type the IP address that you want to use as a translation IP address.
  5. From the Origin list, select Address List.
  6. For each client to which you want to assign a translation address, do the following:
    1. Select Host.
    2. Type a client IP address in the Address field.
    3. Click Add.
  7. From the VLAN Traffic list, select Enabled on.
  8. For the VLAN List setting, in the Available field, select an external VLAN, and using the Move button, move the VLAN name to the Selected field.
  9. Click Finished.
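The chapter's procedures (custom HTTP profile, pool, host virtual server, network virtual server, static route and SNAT) can also be scripted. The tmsh CLI script below is an added example, not part of the F5 manual: tmsh scripts are Tcl, so each command goes through tmsh::create, and braces that belong to tmsh syntax are escaped as \{ and \} so the Tcl parser leaves them in place. The public addresses are the ones the chapter uses; every object name, VLAN name and 10.x address is hypothetical. It assumes the iRule virtual_acl_irule already exists (created in the procedure above), and it uses the ip-forward virtual server type for the network listener, which is the tmsh form of a virtual server that forwards by the routing table without address translation.

```tcl
# Added example (not from the F5 manual): build the chapter's listeners with tmsh.
# All names, VLANs and 10.x addresses are hypothetical; the iRule must exist first.
cli script dcfw_listeners {
    proc script::run {} {
        # Custom Layer 7 profile, inheriting from the built-in http profile.
        tmsh::create ltm profile http http_dcfw defaults-from http

        # The pool must exist before the virtual server that references it.
        tmsh::create ltm pool app_pool \
            members add \{ 10.1.1.10:80 10.1.1.11:80 \} \
            monitor http load-balancing-mode round-robin

        # Host virtual server: one listener per destination address/port pair.
        # The listener fixes the destination; the iRule narrows the sources.
        tmsh::create ltm virtual vs_app_http \
            destination 204.170.25.11:80 ip-protocol tcp \
            profiles add \{ tcp http_dcfw \} \
            rules \{ virtual_acl_irule \} \
            pool app_pool

        # Network virtual server: accepts port 80 for all of 204.170.25.0/24
        # and forwards per the routing table with no address translation.
        tmsh::create ltm virtual vs_net_http \
            destination 204.170.25.0:80 mask 255.255.255.0 \
            ip-protocol tcp ip-forward \
            rules \{ virtual_acl_irule \}

        # Static route so forwarded traffic can reach a network behind
        # another device, via its next-hop gateway (hypothetical addresses).
        tmsh::create net route to_backend_net \
            network 10.2.0.0/16 gw 10.1.1.1

        # SNAT: rewrite the source of the listed private hosts to one public
        # translation address. The VLAN list is where their traffic enters
        # the BIG-IP (hypothetical VLAN name), and the SNAT is enabled only there.
        tmsh::create ltm snat snat_private_hosts \
            translation 204.170.25.200 \
            origins add \{ 10.1.1.10 10.1.1.11 \} \
            vlans add \{ internal \} vlans-enabled
    }
}
```

Save the text to a file on the BIG-IP system, load it with `tmsh load sys config merge file <path>`, run it with `tmsh run cli script dcfw_listeners`, then persist the result with `tmsh save sys config`. Objects are created in dependency order (profile and pool before the virtual server), which is the same ordering the GUI procedures above require; because a failed tmsh::create leaves the earlier objects in place, run `tmsh list ltm virtual vs_app_http` afterward to confirm the listener carries both the iRule and the pool.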