Dazzla_20011
Feb 25, 2011

i-rule to force traffic to one Pool Member unless it fails

Hi,

I've a pool containing two bluecoat proxies which are load balanced using Dynamic Ratio (member) and source ip persistence of 10 hours. I have a requirement to force traffic going to a particular https website to always use the same pool member unless it fails. Once the pool member is up the traffic to this particular destination needs to be sent via it.

Is this something I can achieve easily with an i-rule? I've not created an i-rule yet so any guidance appreciated.

Thanks

Darren

6 Replies

  • Hey Darren,

    Sorry for the delay in replying to your other posts. I'll try to answer this one and then read through the others in more detail. Does this sound like an accurate description of your scenario?

    You have a wildcard virtual server listening on an internal VLAN for traffic on port 80. It load balances traffic without destination address translation to a pool of Bluecoat web proxies. Clients have their browsers configured with the virtual server as their proxy server. When they establish a connection to the virtual server, the destination IP is the virtual server and the URI is a fully qualified URL for the end destination server.

    If that sounds accurate, then I think you'd need to add an HTTP profile to the virtual server and parse the [HTTP::uri] value for the FQDN of the destination to see if it's your own special site. For those requests, you could send them to the specific pool member. For all other requests, you'd use the virtual server's default pool.

    If that looks about right, I can write up an example iRule.

    Aaron
  • Hi Aaron,

    That's OK, sorry I should probably be trying to figure this out more myself but having the time to learn is proving difficult at the moment. Pretty much, we've allocated a specific address for the virtual server, 10.128.x.x:8080. The Pool contains two bluecoat proxies, we are using SNAT as the bluecoats reside on different vlans to the F5 so don't have a route back to the clients via the F5. For users the load balancing via both proxies is working really well.

    The requirement is to send traffic from a group of servers to a specific https site always via the same bluecoat unless a problem occurs. The servers specify the proxy address (virtual server) within a file. My plan was to create a dedicated virtual server specifically for this particular application (different to the users' virtual server) traffic so I can apply whatever settings I need to.

    Thanks

    Darren


  • Steve_Brown_882
    Historic F5 Account
    Hi, the way I read your problem, you could continue to use 1 virtual server and just apply an irule similar to the one below. This would send your servers to one specific proxy unless it was down and continue to load balance all of your users.

    when CLIENT_ACCEPTED {

       # Check to see if the IP matches one in a group and that the member is up before sending it directly to that member.
       if { [class match [IP::client_addr] equals "ServerGroup" ] and [[LB::status pool Pool1 member 10.1.2.3 80] ne "down" }] {

          pool Pool1 member 10.1.2.3 80]

       # Check to see if the IP matches one in a group and that the member is up before sending it directly to that member.
       } elseif [class match [IP::client_addr] equals "ServerGroup" ] and [[LB::status pool Pool1 member 10.1.2.4 80] ne "down" }] {

          pool Pool1 member 10.1.2.4 80]

       # Default to load balancing all users
       } else {

          pool Pool1

       }

    }


  • Here is a slightly more efficient version with a few typos fixed:

    when CLIENT_ACCEPTED {

       # Check whether the client IP is in the ServerGroup data group and,
       # if so, send it directly to the first member that is not down.
       if { [class match [IP::client_addr] equals "ServerGroup" ] } {

          if { [LB::status pool Pool1 member 10.1.2.3 80] ne "down" } {

             pool Pool1 member 10.1.2.3 80

             # Exit this event from this rule
             return

          } elseif { [LB::status pool Pool1 member 10.1.2.4 80] ne "down" } {

             pool Pool1 member 10.1.2.4 80

             # Exit this event from this rule
             return
          }
       }

       # Default to load balancing all users
       pool Pool1
    }


    Aaron
  • Hi,

    Got it working so thanks very much for your help. If you don't mind I would just like to clarify my understanding.

    If client address is from ServerGroup then it will first check Pool1 member 10.1.2.3 80 is not down. If it is not down it will send the traffic to this pool member.

    If Pool1 member 10.1.2.3 80 is down it checks to see if Pool1 member 10.1.2.4 80 is not down. If it is not down it will send traffic sourced from ServerGroup to Pool1 member 10.1.2.4 80.

    Everything not equal to ServerGroup is always just sent to Pool1.

    One question: if Pool1 member 10.1.2.3 80 goes down and comes back up then traffic from ServerGroup should then start using Pool1 member 10.1.2.3 80 as for each new connection it will check the i-rule? Therefore the persistence profile is invalid for traffic sourced from ServerGroup?

    Thanks again

    Darren
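
As an added example (not code from the thread's participants), the same failover logic generalised to an ordered preference list, written as an iRule. The pool name, member addresses, port and `ServerGroup` data group are the thread's sample values; the `persist none` call and the log lines are assumptions added here, intended to keep a source-address persistence record from being applied to ServerGroup connections and to make each failover visible in the LTM log.

```tcl
when CLIENT_ACCEPTED {

    # Ordered preference list: the first member that is not down is used.
    # Addresses, port, pool and data group names are the thread's sample values.
    set preferred_members {10.1.2.3 10.1.2.4}
    set member_port 80

    if { [class match [IP::client_addr] equals "ServerGroup"] } {

        foreach addr $preferred_members {

            if { [LB::status pool Pool1 member $addr $member_port] ne "down" } {

                # Assumption (not in the thread's rules): disable persistence
                # for this connection so only the preference order decides.
                persist none

                pool Pool1 member $addr $member_port

                # Record when a non-primary member is chosen, so that
                # failover and failback can be traced afterwards.
                if { $addr ne [lindex $preferred_members 0] } {
                    log local0.info "ServerGroup client [IP::client_addr] sent to fallback member $addr:$member_port"
                }

                # Exit this event from this rule
                return
            }
        }

        # Every preferred member is down: fall through to the default pool.
        log local0.warning "No preferred member available for ServerGroup client [IP::client_addr]"
    }

    # Default: load balance all other clients across the pool
    pool Pool1
}
```

Because the rule runs in CLIENT_ACCEPTED, the member is chosen once per new TCP connection; connections already established to the fallback member stay there until they close.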