Forum Discussion
7 Replies
- Vernon_97235Historic F5 Account
Why don't you simply create four different Virtual Servers, all using the same IP, but different ports? If you don't use SNAT on the VSs, then the client will see the original client IP (naturally, they must have a route back to the client, which traverses the BIG-IP -- unless you're using direct server return).
- IainThomson85_1Cumulonimbus
As Vernon mentions - Creating 4 VIPS (if your list of 4 ports is exhaustive) would be the far simplest implementation.
If you're stuck on the True-Client-IP variable, there's plenty of articles on Dev Central.
Just do a quick search
- benniehanas_239Nimbostratus
The issue here is that the traffic is generated by Akamai IP, they also send True-Client-IP. The True-Client-IP is what I need to pass to the backend servers. I can just create 3 VS instead of just one, but wanted my config to be cleaner and less cluttered. Do you think it is still best to create 3?
- VernonWellsEmployee
Why don't you simply create four different Virtual Servers, all using the same IP, but different ports? If you don't use SNAT on the VSs, then the client will see the original client IP (naturally, they must have a route back to the client, which traverses the BIG-IP -- unless you're using direct server return).
- IainThomson85_1Cumulonimbus
As Vernon mentions - Creating 4 VIPS (if your list of 4 ports is exhaustive) would be the far simplest implementation.
If you're stuck on the True-Client-IP variable, there's plenty of articles on Dev Central.
Just do a quick search
- benniehanas_239Nimbostratus
The issue here is that the traffic is generated by Akamai IP, they also send True-Client-IP. The True-Client-IP is what I need to pass to the backend servers. I can just create 3 VS instead of just one, but wanted my config to be cleaner and less cluttered. Do you think it is still best to create 3?
- VernonWellsEmployee
If your only objective is to pass the True-Client-IP HTTP header without alteration, and the Akamai source is inserting that header itself, you don't need an iRule, and in fact, don't even need the http profile on the Virtual Servers. In this case, separate Virtual Servers are definitely cleaner and more performant. If you need to either generate the True-Client-IP header, or need to make the source IP of traffic toward your servers be the True-Client-IP address, then an iRule and the http profile are both required. Even in this case, it's more performant to use separate Virtual Servers, and as I say, as long as the number of destination ports is low, then it is (in my opinion) still cleaner.
Incidentally, if the BIG-IP must parse or insert the True-Client-IP, and if the traffic bound for port 443 is SSL, you must terminate the SSL on the BIG-IP. If you are simply passing the header along, then as with all of the other Virtuals, you may simply use a FastL4 profile.
As
@IanThomson85points out, there are a number of DevCentral discussions along a similar vein. For example: