F5 BIG-IP Virtual Server traffic processing order. Explained.

What happens when there are multiple virtual servers configured on a BIG-IP LTM and all of them match incoming traffic from clients?

Mohammed Mohsin
2 min read · Oct 14, 2022

How does BIG-IP LTM know which virtual server is the best match out of all the different virtual servers?

It uses the virtual server traffic processing order to select the best-matching virtual server.

The BIG-IP system determines the order of precedence applied to new inbound connections using an algorithm that places a higher precedence on the address netmask and a lesser emphasis on the port. This means the most specific IP address always matches before less specific IP addresses or subnets are considered.

BIG-IP LTM sets virtual server priority according to the following criteria:

📌 Choose the virtual server that has the longest subnet match for the incoming connection. 192.168.1.11/32 will be chosen over 192.168.1.0/27.

📌 If the number of bits in the subnet mask matches, the algorithm chooses the virtual server that has a port match. 192.168.1.11/32 with port 80 will be matched over 192.168.1.11/32 with a wildcard (*) port.

📌 If no port match is found, the algorithm uses the wildcard server (if a wildcard virtual server is defined).

📌 A wildcard address has a netmask length of zero; thus, it has a lower precedence than any matching virtual server with a defined address.

This algorithm results in the following order of precedence:

  • <specific address>:<specific port>
  • <specific address>:<* (All ports)>
  • <network>:<port>
  • <network>:<* (All ports)>
  • *:<port>
  • *:*

For example, for a BIG-IP system with the following virtual servers configured:

1. 10.0.0.0/8:80

2. 10.10.0.0/16:80

3. 10.10.10.10/32:80

4. 20.0.0.0/8:*

5. 20.0.0.0/8:80

6. *:80 (alternatively noted as 0.0.0.0/0:80)

7. *:* (alternatively noted as any:any, 0.0.0.0/0:any)

Traffic will be processed as shown in the table below.
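The selection rules above, applied to these seven virtual servers, as an added Python example that is not part of the original post and is not F5's code. The function names and the sample destinations are constructed for illustration, and it assumes a virtual server is a candidate only when both its address and its port (or wildcard port) match the connection.

```python
import ipaddress

# The seven virtual servers listed above as (destination network, port).
# A port of None stands for the wildcard (*) port.
VIRTUAL_SERVERS = [
    ("10.0.0.0/8", 80),
    ("10.10.0.0/16", 80),
    ("10.10.10.10/32", 80),
    ("20.0.0.0/8", None),
    ("20.0.0.0/8", 80),
    ("0.0.0.0/0", 80),    # *:80
    ("0.0.0.0/0", None),  # *:*
]

def select_virtual_server(dst_ip, dst_port, servers=VIRTUAL_SERVERS):
    """Return the (network, port) entry that wins for a new connection, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_key = None, None
    for net, port in servers:
        network = ipaddress.ip_network(net)
        if ip not in network:
            continue  # destination address does not match this virtual server
        if port is not None and port != dst_port:
            continue  # specific port configured, but it is not the one requested
        # Longest netmask first, then a specific port over the wildcard port.
        key = (network.prefixlen, port is not None)
        if best_key is None or key > best_key:
            best, best_key = (net, port), key
    return best

def audit(destinations, servers=VIRTUAL_SERVERS):
    """Map each (ip, port) destination to the virtual server that would take it."""
    return {d: select_virtual_server(d[0], d[1], servers) for d in destinations}

# Constructed sample destinations (not taken from the original post).
SAMPLES = [("10.10.10.10", 80), ("10.10.10.11", 80), ("10.1.10.10", 80),
           ("20.1.1.1", 80), ("20.1.1.1", 443), ("1.1.1.1", 80), ("1.1.1.1", 443)]

if __name__ == "__main__":
    for (ip, port), vs in audit(SAMPLES).items():
        label = "none" if vs is None else f"{vs[0]}:{vs[1] if vs[1] is not None else '*'}"
        print(f"{ip}:{port} -> {label}")
```

Running the same audit against a real listener inventory shows which destinations end up on a wildcard virtual server rather than a specific one, which is the traffic most worth reviewing.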


Written by Mohammed Mohsin

Technical Consultant | CCIE#35485 | F5 Certified Solution Expert, Security | Follow me on LinkedIn: https://www.linkedin.com/in/mohsinccie
