Robert_Richmond
Aug 16, 2007

Wildcard VIP with iRule defining Port

Thanks for taking the time to read this.

I am trying to load balance Cisco Secure traffic through a VIP. Here are my options:

A) Create a separate VIP with a separate pool for each port (49, 1645, 1646, 1812, and 1813).

B) Create a single VIP with a separate pool for each port, and use an iRule to correlate the incoming port with the pool.

C) Create a single VIP with a single pool, using an iRule to initiate the connection to the pool member on the inbound port.

I know how to do options A and B. I am looking for examples or tips on how to write the iRule for option C...

Any suggestions, help, or tips would be greatly appreciated.

Thanks!

Rob

6 Replies

  • Option C doesn't need an iRule. If you set the pool members up with a wildcard port as well, the LTM by default will forward the inbound port.
  • Maybe I should have clarified. I want to drop traffic not on the ports specified... security.
  • Still don't need a rule if you use a packet filter, but if you want a rule, this should work for you assuming your pool members have their port set to any:

    class myRadius_class {
      "1645"
      "1646"
      "1812"
      "1813"
    }
    when CLIENT_ACCEPTED {
      # allow TCP port 49, or any UDP port listed in the class above; drop everything else
      if { ([TCP::local_port] == 49) or [matchclass [UDP::local_port] equals $::myRadius_class ] } {
        pool myPool
      } else { discard }
    }
  • I used data group lists instead of classes and tweaked yours to the iRule below (probably unnecessary, but a good exercise for a new iRule-er). When I apply the rule, the VIP is looking for both TCP and UDP profiles to be applied (due to the matchclass statements). Being configured as a standard VIP, this is not possible. Will I need to configure this as a 'Performance (Layer 4)' type VIP with '*All Protocols' selected?

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    When a client is accepted, if the port matches a port in the corresponding protocol data_group_list then forward to the pool. Else discard.

    when CLIENT_ACCEPTED {
      if { [matchclass [UDP::local_port] equals $::ciscoSecureUDP ] or [matchclass [TCP::local_port] equals $::ciscoSecureTCP ] } {
        pool acs.deloitte.com_Wildcard
      } else { discard }
    }

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Thanks,

    Rob

  • Yes, you'll need the Performance L4 type to match both TCP & UDP.
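Putting the thread's conclusion together, as an added example that is not from the original posts: one CLIENT_ACCEPTED rule for a wildcard-port Performance (Layer 4) virtual with '*All Protocols', which branches on the IP protocol so each transport's port command is only evaluated for its own traffic, and logs what it discards. The pool name acs_wildcard_pool is assumed; the ports are the ones listed in the question.

```tcl
# Added example (not from the thread). Attach to a wildcard-port virtual of
# type Performance (Layer 4) with "*All Protocols", as the last reply advises,
# so both TCP:: and UDP:: commands are valid in this event.
when CLIENT_ACCEPTED {
    set allowed 0
    switch [IP::protocol] {
        6 {
            # TCP: the only TCP service in the question is port 49
            if { [TCP::local_port] == 49 } { set allowed 1 }
        }
        17 {
            # UDP: the RADIUS ports from the question; "-" makes each
            # pattern fall through to the shared body in Tcl's switch
            switch [UDP::local_port] {
                1645 - 1646 - 1812 - 1813 { set allowed 1 }
            }
        }
    }
    if { $allowed } {
        # assumed pool name; members use port "any" so the inbound port is
        # carried through to the member, as the first reply describes
        pool acs_wildcard_pool
    } else {
        # record the drop so rejected traffic is visible before discarding it
        log local0. "Discarding proto [IP::protocol] from [IP::client_addr] to [IP::local_addr]"
        discard
    }
}
```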