Forum Discussion

Sero_83363
Feb 14, 2013

Virtual Server configuration

Hi - I could use some advice on best practice.

For a virtual server that must listen on 2 ports for client traffic, e.g. 8080 and 80, with each port serving the same data: should I just select the "All ports" option in the VS configuration or have 2 separate virtual servers? All the connection details will be the same and they will use the same pool.

Also, what if I also need to have the same VS IP address supporting SMB connections?

If I set it up as follows, will this work?

    Name     IP        Service
    VS-SMB   10.0.0.1  445
    VS-Web   10.0.0.1  All Ports

Or would it be better to have

    Name     IP        Service
    VS-SMB   10.0.0.1  445
    VS-Web   10.0.0.1  80
    VS-Webp  10.0.0.1  8080

Any thoughts/help much appreciated.

Thanks,

Sero


4 Replies

  • If you're happy to apply an iRule (dropping non-80/8080 traffic) to the All Ports VS then I'd go for option 1, two VSs. I wouldn't be happy with that option if you left the VS open to non port 80 and 8080 traffic (even if it isn't served). The admin saving with only having one HTTP VS outweighs managing a single simple iRule. The iRule would look like this (not sure if this needs the string command adding):

    
    when CLIENT_ACCEPTED {
        # Drop the connection unless it arrived on port 80 or 8080
        if { not (([TCP::local_port] == 80) or ([TCP::local_port] == 8080)) } {
            drop
        }
    }
    
  • Beneath,

    If he uses only one VS for port 80 and 8080, and doesn't use an iRule to drop packets to other ports, what would be the real problem? If in this case the F5 wouldn't do anything to other ports.

    Regards,

    Kleython Kell


  • The VS would quite happily handle HTTP traffic on any other port without the iRule. Why potentially expose the HTTP parser unnecessarily to unwanted or unauthorised traffic? You also get the choice to drop or reject the traffic on a VS-specific basis and not rely on the global Unmatched Packet behavior. Personally I'd rather use a packet filter to provide even better protection resource-wise, but they don't seem popular (perhaps AFM will change that).
  • It would be quite simple to use your second method and just create a VS per needed port.

    (All VSs will have the same IP)

    VS1 port 80
    VS2 port 8080
    VS3 port 445

    Yes, it is very possible to do an "All Ports" VS, but making it overly complicated is exactly that... complicated. But that is my opinion and I'm sure it works in other environments. I work in an environment where there are multiple people making adds, moves, and changes to the VSs and I don't want to get those phone calls saying... "Huh?" Now, I have used the iRule method, but that VS needed over 40 ports to be opened and that is where I was using the iRule.
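The two layouts discussed in this thread, written out as tmsh commands. This is an added example, not configuration posted by anyone in the thread or shipped by F5; the pool names (web_pool, smb_pool), pool member addresses and the iRule name restrict_http_ports are assumed for illustration. The first part builds the per-port layout from the last reply; the second part builds the all-ports HTTP listener from the first reply, with the port-restricting iRule attached so that traffic on any port other than 80 or 8080 is dropped before it reaches the HTTP profile.

```tcl
# Per-port layout: one virtual server per service, all on 10.0.0.1.
# web_pool and smb_pool, and their member addresses, are assumed names.
create ltm pool web_pool members add { 10.0.1.10:80 10.0.1.11:80 } monitor http
create ltm pool smb_pool members add { 10.0.1.20:445 } monitor tcp

create ltm virtual VS-Web  destination 10.0.0.1:80   ip-protocol tcp profiles add { tcp http } pool web_pool
create ltm virtual VS-Webp destination 10.0.0.1:8080 ip-protocol tcp profiles add { tcp http } pool web_pool
create ltm virtual VS-SMB  destination 10.0.0.1:445  ip-protocol tcp profiles add { tcp }      pool smb_pool

# All-ports layout: a single HTTP listener on port 0 (any port) plus an
# iRule that drops every connection not arriving on 80 or 8080, so the
# HTTP parser is never exposed to traffic on other ports.
create ltm rule restrict_http_ports {
    when CLIENT_ACCEPTED {
        # TCP::local_port is the port the client connected to on the VS
        if { not (([TCP::local_port] == 80) or ([TCP::local_port] == 8080)) } {
            drop
        }
    }
}

create ltm virtual VS-Web-AllPorts destination 10.0.0.1:0 ip-protocol tcp profiles add { tcp http } pool web_pool rules { restrict_http_ports }
```

When VS-SMB (10.0.0.1:445) and VS-Web-AllPorts (10.0.0.1:0) coexist on the same address, BIG-IP selects the most specific listener, so port 445 connections go to VS-SMB and never reach the all-ports VS or its iRule. Pool members are defined on port 80, so the 8080 listener relies on the default port translation to the member port; if the servers actually listen on 8080 as well, add members on that port instead.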