Norman_Elton_13
Nov 12, 2018

Allowing TCP inspection on a L3 Forwarding virtual server

To be fair, I've never quite understood the distinction of the various types of virtual servers (Standard, Forwarding IP, etc)...

But I've noticed that I can't call TCP::collect in an iRule attached to a Forwarding IP virtual server. It magically works fine if the virtual server is Standard, with the protocol set to TCP.

Right now, I've got a Standard virtual server that inspects my TCP/443 traffic using TCP::collect, and a second Forwarding IP virtual server that inspects everything else, examining only L3 information.

Is it possible to funnel all traffic (TCP, UDP, ICMP, etc) through a single virtual server, with a single iRule, and then programmatically enable whatever functionality is required to call TCP::collect on TCP traffic?

Thanks!

Norman

1 Reply

  • Hamish

    Essentially, forwarding VSs are for forwarding traffic to one place (as a router or bridge).

    The slightly longer answer is that the forwarding virtual servers are specialised to just send traffic to a single place. It removes the ability to do certain things to them, e.g. destination address translation. Plus they don't have pools.

    They also come in two flavours: L2 (which is more like bridging) or L3 (which is the equivalent of routing).

    See https://support.f5.com/csp/article/K7595 and https://support.f5.com/csp/article/K14163

    If you want to do things like TCP::collect then use a standard VS.

    I don't believe you can change the VS type via an iRule... That doesn't make sense to me...
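
Added example (not part of the original thread and not from either poster): a minimal iRule of the kind the reply points to, meant for a Standard virtual server with a TCP profile. It assumes the inspection goal is to confirm that each connection on TCP/443 opens with a TLS handshake record; that policy and the log message are illustrative.

```tcl
# Added example: attach to a Standard virtual server (protocol TCP).
# Assumption: "inspection" means checking that the first bytes are a TLS record.

when CLIENT_ACCEPTED {
    # Start buffering client payload so CLIENT_DATA fires
    TCP::collect
}

when CLIENT_DATA {
    # A TLS record header is 5 bytes: content type (1), version (2), length (2).
    # If fewer bytes have arrived, keep collecting and wait for the next event.
    if { [TCP::payload length] < 5 } {
        TCP::collect
        return
    }

    # c  = one signed byte (content type), H4 = two bytes as hex (record version)
    binary scan [TCP::payload 5] cH4 rec_type rec_ver

    # Content type 22 (0x16) is a TLS handshake record
    if { $rec_type != 22 } {
        log local0.warning "Non-TLS payload on [TCP::local_port] from [IP::client_addr] (type=$rec_type ver=0x$rec_ver)"
    }

    # Hand the buffered bytes back to the proxy so the connection proceeds
    TCP::release
}
```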