Description

This article describes how to create a Virtual Listener on a Network Domain in an MCP 2.0 data center location.

Prerequisites:

  1. Recommended reading: Introduction to Virtual Listeners / VIPs in MCP 2.0
  2. Data Center must be MCP 2.0.
  3. Data Center must not be in Network Maintenance.
  4. Only the Primary Administrator or a User with the Network role can create Virtual Listeners.
  5. Network Domain must be 'Advanced'. This functionality is not supported on 'Essentials' Network Domains. 
  6. A Virtual Listener can't function without having a Pool associated with it. For details on how to create a Pool, see How to Add a Pool on a Network Domain.
  7. You can specify a non-RFC 1918 IPv4 Address for a Virtual Listener as long as it does not exist within the same Network Domain, and it is subject to the validations enumerated at Introduction to IP Addressing in MCP 2.0.
  8. You can only create one Virtual Listener per IPv4 Address and port combination.
  9. You cannot create a Virtual Listener on the Network Domain SNAT Address.
  10. If adding an SSL Offload Profile ID, the ID must be associated with the same Network Domain.
  11. A maximum of one (1) SSL Offload Profile can be associated with a Virtual Listener at any one time.
  12. An SSL Offload Profile can only be added if:
    1. Virtual Listener type is Standard
      1. Type Performance Layer 4 cannot be used in conjunction with SSL Offload
    2. Protocol is TCP, HTTP, FTP or SMTP
      1. Type Standard and Protocol "Any" cannot be used with SSL Offload
      2. Type Standard and Protocol "UDP" cannot be used with SSL Offload
    3. Optimization Profile is either TCP (default) or TCP Legacy
      1. The LAN_OPT, WAN_OPT and MOBILE_OPT Optimization Profiles cannot be used with SSL Offload
  13. You cannot add a Virtual Listener with SSL Offload if the addition would cause your organization to exceed the Maximum Virtual Listeners with SSL limitation, as identified here:
    How do I Identify Hardware Specifications and Capabilities Available in a Data Center Location

Content / Solution:

  1. From the Home page, select the Data Center where the Network Domain on which you want to deploy a Virtual Listener is located:


  2. The Data Center dashboard will be displayed. Select the Network Domain on which you want to deploy a Virtual Listener:


  3. The Network Domain dashboard will be displayed:


  4. Click on the Load Balancing / Virtual IPs tab, then click on the Actions button and select Virtual Listener from the drop-down menu:


  5. The Add Virtual Listener form will be displayed:


  6. Fill out the form with the desired information:

    • Virtual Listener Name - Enter a descriptive Name for the Virtual Listener. This name should be unique across the Network Domain, and can only include alphanumeric characters, "_", and "." (no spaces).

    • Status - The status of the Virtual Listener.

      • Enabled - All connections will be processed.
      • Disabled - Continues to process persistent and active connections. It can accept new connections only if the connections belong to an existing persistence session.
    • Description - The optional Description is limited to a maximum length of 255 characters.
    • Listener IP Address - The IPv4 address in dot-decimal notation that the Virtual Listener will use to listen for traffic (IPv6 is not supported). 
      • Addressability of the Listener IP Address falls into three categories:
        • Public (PUBLIC_IP_BLOCK)
          • Public is selected by default. 
          • A Public IPv4 Address can be selected from the list or – if "Next Available" is selected – CloudControl will assign an available IPv4 Address from the Public IPv4 Address Blocks deployed on the Network Domain. 
        • Private RFC 1918 (PRIVATE_RFC1918)
        • Private Non-RFC 1918 (PRIVATE_NON_RFC1918)
      • Validation applies slightly differently depending on the addressability:
        • For all Virtual Listeners:
          • An IP address already in use on a Virtual Listener can be provided if a different Port is used and the existing Virtual Listener is not set to use Any port. 
          • The IP address cannot already be in use by either the Internal IP or External IP of a NAT Rule on the Network Domain.
          • The IP address cannot fall within any of the System-Restricted spaces as detailed here: Introduction to IP Addressing in MCP 2.0.
        • If Listener IP Address is in one of the Private categories then:
          • It must not be within the address space of any VLAN in the same Network Domain.
          • It cannot be already in use as the Private IPv4 Address of a Node on the same Network Domain.
          • It must not be within the address space of the Outside Transit VLAN IPv4 Subnet of the same Network Domain as detailed here: Introduction to IP Addressing in MCP 2.0.
      • Note: If you want to use a specific Listener IP Address and Port but do not wish to specify a Protocol then you must select Performance Layer 4 as the Type.

        Note: IPv4 Virtual Listeners with Pools of IPv6 addresses are not reachable from within the Network Domain. If the Virtual Listener is configured with an IPv4 address and a pool of IPv6 nodes, the Virtual Listener IPv4 address will not be reachable from VLANs within the same Network Domain. Other configurations do not have this limitation.

    • Port - This defines the TCP/UDP port that the Virtual Listener will use to listen for traffic (can be set to Any).
      Note: If the Virtual Listener Service Port is set to Any then the Type must be set to "Performance Layer 4".
    • Source Port Preservation - Identifies how the port of the source traffic will be treated when sending connections to the pool member. 
      • Preserve - Specifies that the system preserves the value configured for the source port unless the source port from a particular SNAT is already in use, in which case the system uses a different port.
      • Preserve Strict - Specifies that the system preserves the value configured for the source port. If the port is already in use by another connection, the system resets the client-side connection.
      • Change - Specifies that the system always uses the next available port. No attempt is made to preserve the client source port. This setting ensures that a unique port is chosen for each new connection, and may be helpful in avoiding premature port reuse when load-balancing legacy systems that use longer than usual TIME-WAIT windows.
    • Connection Limit - The maximum number of simultaneous connections permitted on the Virtual Listener. Should be an integer between 1 and 100,000.
    • Connection Rate Limit - The amount of new connections permitted every second. Should be an integer between 1 and 4000.
    • Type - The virtual listener type is used to both specify how the load balancer should handle traffic and what features/options can be assigned. 
      • Standard - Directs incoming traffic to a load balancing pool and is the most basic type of virtual server. It is a general purpose virtual server that does everything not expressly provided by the other types of Virtual Listener.
      • Performance Layer 4 - Has a FastL4 profile associated with it. A Performance (Layer 4) Virtual Listener uses hardware acceleration within our infrastructure to increase performance and throughput for basic routing functions (Layer 4) and application switching (Layer 7).
    • Protocol - Select which protocol will be associated with the Virtual Listener 
      • If you select Standard for the Type, you will be able to choose from the following Protocols: Any, TCP, HTTP, FTP, SMTP, UDP
      • If you select Performance Layer 4 for the Type, you will be able to choose from the following protocols: Any, TCP, HTTP, UDP
    • Optimization Profile - For certain combinations of Virtual Listener type and protocol, it is possible to specify an additional optimization profile. Each is a set of parameters that optimize the handling of traffic based on application type and network protocol.  

    For the combination of Standard type and either the TCP, HTTP, FTP, or SMTP protocols, the pre-defined Optimization Profiles available are:

      • TCP - Standard TCP optimization - this is the default option. Leave this selected if you do not want additional custom optimization. 
      • LAN OPT - "The tcp-lan-optimized profile is a pre-configured profile type that can be associated with a virtual server. In cases where the BIG-IP virtual server is load balancing LAN-based or interactive traffic, you can enhance the performance of your local-area TCP traffic by using the tcp-lan-optimized profile.

        If the traffic profile is strictly LAN-based, or highly interactive, and a standard virtual server with a TCP profile is required, you can configure your virtual server to use the tcp-lan-optimized profile to enhance LAN-based or interactive traffic. For example, applications producing an interactive TCP data flow, such as SSH and TELNET, normally generate a TCP packet for each keystroke. A TCP profile setting such as Slow Start can introduce latency when this type of traffic is being processed. By configuring your virtual server to use the tcp-lan-optimized profile, you can ensure that the BIG-IP system delivers LAN-based or interactive traffic without delay.

        A tcp-lan-optimized profile is similar to a TCP profile, except that the default values of certain settings vary, in order to optimize the system for LAN-based traffic."
      • WAN OPT - The tcp-wan-optimized profile is a pre-configured profile type. In cases where the BIG-IP system is load balancing traffic over a WAN link, you can enhance the performance of your wide-area TCP traffic by using the tcp-wan-optimized profile.

        If the traffic profile is strictly WAN-based, and a standard virtual server with a TCP profile is required, you can configure your virtual server to use a tcp-wan-optimized profile to enhance WAN-based traffic. For example, in many cases, the client connects to the BIG-IP virtual server over a WAN link, which is generally slower than the connection between the BIG-IP system and the pool member servers. By configuring your virtual server to use the tcp-wan-optimized profile, the BIG-IP system can accept the data more quickly, allowing resources on the pool member servers to remain available. Also, use of this profile can increase the amount of data that the BIG-IP system buffers while waiting for a remote client to accept that data. Finally, you can increase network throughput by reducing the number of short TCP segments that the BIG-IP system sends on the network.

        A tcp-wan-optimized profile is similar to a TCP profile, except that the default values of certain settings vary, in order to optimize the system for WAN-based traffic.
      • MOBILE OPT - The tcp-mobile-optimized profile is a pre-configured profile type, for which the default values are set to give better performance to service providers' 3G and 4G customers. 
      • TCP-LEGACY - A legacy tcp profile offered by F5; provided to ensure "backwards" compatibility with older apps or clients who use this profile.

    For the combination of Standard type and UDP protocol, the pre-defined Optimization Profiles available are:

      • SMTP - Tells the load balancer to automatically optimize the load balancing of SMTP traffic.
      • SIP - Allows the load balancer to automatically optimize the handling of SIP traffic.
    • iRules - Custom configured rules that are applied to Virtual Servers to perform a wide array of actions. 
      • CCDEFAULT.IpProtocolTimers - Extends the timeout values for TCP, UDP, ICMP and all other connections to mimic the MCP 1.0 values and ensure consistent performance in all MCP cloud platforms.
      • CCDEFAULT.HttpsRedirect - This simple iRule redirects traffic inbound on http to https.
      • CCDEFAULT.Ips - This iRule can be used only by specific Hosted Private CaaS or Private CaaS clients. For more details, see Introduction to iRules at an MCP 2.0 Data Center
      • CCDEFAULT.IpsHttp - Same as Ips rule but is designed to provide an HTML response back to the end user.
      • Note: The set of iRules that can be used for a given Virtual Listener depends on the combination of the Virtual Listener Type and Protocol - thus the displayed options will change depending on the aforementioned combinations. 

      • Note: iRules are executed in the order they are displayed. They are displayed in the order that they are added. You can drag and drop iRules to change their order.

    • Persistence Profile - Provides a method for ensuring that traffic from a client is sent to the same server in a pool based on an attribute of the connection.
    • Fallback Persistence Profile - Fallback Persistence is used when the primary Persistence Profile fails (for example, if cookie persistence is used but traffic arrives without a cookie, the Fallback Persistence Profile is used as a last resort).
    • SSL Offload Profile - SSL Offloading allows you to set up proxies for SSL certificates at the Virtual Listener level rather than having to set up SSL certificates on individual virtual servers. For more information on SSL Offloading, see Introduction to Virtual Listeners / VIPs in MCP 2.0

    Notes:
    • Valid ranges for Connection Limit and Connection Rate Limit for Virtual Listeners are displayed in the Data Center Details. See How do I Identify Hardware Specifications and Capabilities Available in a Data Center Location 
    • As general guidance and of relevance for API integration, the user interface is preloaded with recommended starting point values for certain fields:
      • Connection Limit: 100000
      • Connection Rate Limit: 4000
      • Source Port Preservation: Preserve.
    • Hover your mouse over an Information icon to view a popup with helpful information.
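    The form fields above, together with prerequisites 8 to 12, amount to a set of combination rules that CloudControl enforces on submission. As an added example (not CloudControl code, and not part of this article's original content), the following Python script encodes those rules as a pre-flight check you can run over a planned listener before filling in the form or sending an API request, so that a rejected SSL Offload combination or an address clash is caught locally. The NetworkDomain structure, the sample addresses (RFC 5737 documentation ranges and RFC 1918 space) and the profile id "ssl-profile-a" are constructed; the System-Restricted address spaces referenced in Introduction to IP Addressing in MCP 2.0 and the per-organization maximum of SSL-enabled listeners are documented elsewhere and are not checked here.

```python
"""Pre-flight validator for an MCP 2.0 Add Virtual Listener form (added example,
not CloudControl code). NetworkDomain is a constructed stand-in for the state
CloudControl holds; the values in DOMAIN are sample data."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

STANDARD, PERFORMANCE_LAYER_4, ANY = "STANDARD", "PERFORMANCE_LAYER_4", "ANY"
# Protocols offered per Type (step 6, "Protocol").
PROTOCOLS = {STANDARD: {ANY, "TCP", "HTTP", "FTP", "SMTP", "UDP"},
             PERFORMANCE_LAYER_4: {ANY, "TCP", "HTTP", "UDP"}}
# Optimization Profiles for the Standard type (step 6, "Optimization Profile").
TCP_FAMILY = {"TCP", "HTTP", "FTP", "SMTP"}
TCP_FAMILY_PROFILES = {"TCP", "LAN_OPT", "WAN_OPT", "MOBILE_OPT", "TCP_LEGACY"}
UDP_PROFILES = {"SMTP", "SIP"}
# Combinations that permit an SSL Offload Profile (prerequisite 12).
SSL_PROTOCOLS, SSL_PROFILES = {"TCP", "HTTP", "FTP", "SMTP"}, {"TCP", "TCP_LEGACY"}
NAME_RE = re.compile(r"^[A-Za-z0-9_.]+$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Listener:
    name: str
    ip: str
    port: str                                   # "ANY" or "1".."65535"
    type: str                                   # STANDARD or PERFORMANCE_LAYER_4
    protocol: str
    optimization_profile: Optional[str] = None  # None = keep the UI default (TCP)
    ssl_offload_profile_id: Optional[str] = None
    connection_limit: int = 100000              # UI starting-point values
    connection_rate_limit: int = 4000
    description: str = ""


@dataclass
class NetworkDomain:
    """Existing state of an Advanced Network Domain (hypothetical shape)."""
    public_blocks: List[str]            # Public IPv4 Address Blocks on the domain
    vlan_subnets: List[str]
    outside_transit_subnet: str
    snat_address: str
    node_private_ips: Set[str]
    nat_rule_ips: Set[str]              # Internal and External IPs of NAT Rules
    existing_listeners: List[tuple]     # (ip, port) of deployed Virtual Listeners
    ssl_offload_profile_ids: Set[str]   # SSL Offload Profiles that belong to this domain


def addressability(ip: str, domain: NetworkDomain) -> str:
    """Classify an address into the three categories the form distinguishes."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(b) for b in domain.public_blocks):
        return "PUBLIC_IP_BLOCK"
    return "PRIVATE_RFC1918" if any(addr in n for n in RFC1918) else "PRIVATE_NON_RFC1918"


def validate(vl: Listener, domain: NetworkDomain) -> List[str]:
    """Return 'field: problem' strings; an empty list means the form is acceptable."""
    errors = []
    if not NAME_RE.match(vl.name):
        errors.append("name: only alphanumerics, '_' and '.' are allowed (no spaces)")
    if len(vl.description) > 255:
        errors.append("description: limited to 255 characters")
    if not 1 <= vl.connection_limit <= 100000:
        errors.append("connection_limit: must be an integer between 1 and 100,000")
    if not 1 <= vl.connection_rate_limit <= 4000:
        errors.append("connection_rate_limit: must be an integer between 1 and 4000")
    if vl.type not in PROTOCOLS:
        errors.append(f"type: unknown type {vl.type!r}")
        return errors
    if vl.protocol not in PROTOCOLS[vl.type]:
        errors.append(f"protocol: {vl.protocol} is not offered for type {vl.type}")
    if vl.port == ANY and vl.type != PERFORMANCE_LAYER_4:
        errors.append("port: 'Any' requires type Performance Layer 4")
    elif vl.port != ANY and not (vl.port.isdigit() and 1 <= int(vl.port) <= 65535):
        errors.append("port: must be 'ANY' or a TCP/UDP port 1-65535")
    # Optimization Profile choices depend on the Type/Protocol combination.
    if vl.optimization_profile is not None:
        allowed = (TCP_FAMILY_PROFILES if vl.type == STANDARD and vl.protocol in TCP_FAMILY
                   else UDP_PROFILES if vl.type == STANDARD and vl.protocol == "UDP" else set())
        if vl.optimization_profile not in allowed:
            errors.append(f"optimization_profile: {vl.optimization_profile} is not available "
                          f"for {vl.type}/{vl.protocol}")
    # SSL Offload Profile (prerequisites 10 to 12).
    if vl.ssl_offload_profile_id is not None:
        if vl.ssl_offload_profile_id not in domain.ssl_offload_profile_ids:
            errors.append("ssl_offload: profile must belong to the same Network Domain")
        if vl.type != STANDARD:
            errors.append("ssl_offload: requires type Standard (not Performance Layer 4)")
        if vl.protocol not in SSL_PROTOCOLS:
            errors.append("ssl_offload: protocol must be TCP, HTTP, FTP or SMTP")
        if (vl.optimization_profile or "TCP") not in SSL_PROFILES:
            errors.append("ssl_offload: Optimization Profile must be TCP or TCP Legacy")
    # Listener IP Address (step 6, "Listener IP Address"; prerequisites 8 and 9).
    try:
        addr = ipaddress.ip_address(vl.ip)
    except ValueError:
        return errors + ["ip: not a valid IP address"]
    if addr.version != 4:
        return errors + ["ip: IPv6 Listener IP Addresses are not supported"]
    if vl.ip == domain.snat_address:
        errors.append("ip: the Network Domain SNAT Address cannot be used")
    if vl.ip in domain.nat_rule_ips:
        errors.append("ip: address is in use by a NAT Rule on the Network Domain")
    for ex_ip, ex_port in domain.existing_listeners:
        # Same IP only on a different port, and never when the existing listener uses Any;
        # treating a new 'Any' listener as overlapping too is our assumption.
        if ex_ip == vl.ip and (ex_port == vl.port or ANY in (ex_port, vl.port)):
            errors.append(f"ip: {vl.ip}:{vl.port} overlaps existing listener {ex_ip}:{ex_port}")
    if addressability(vl.ip, domain) != "PUBLIC_IP_BLOCK":
        if any(addr in ipaddress.ip_network(s) for s in domain.vlan_subnets):
            errors.append("ip: private address falls within a VLAN of this Network Domain")
        if vl.ip in domain.node_private_ips:
            errors.append("ip: address is the Private IPv4 Address of a Node")
        if addr in ipaddress.ip_network(domain.outside_transit_subnet):
            errors.append("ip: address falls within the Outside Transit VLAN subnet")
    return errors


# Constructed sample state (RFC 5737 documentation space stands in for real public blocks).
DOMAIN = NetworkDomain(public_blocks=["203.0.113.0/29"], vlan_subnets=["10.0.1.0/24", "10.0.2.0/24"],
                       outside_transit_subnet="10.255.0.0/24", snat_address="203.0.113.1",
                       node_private_ips={"10.0.1.10", "10.0.1.11"}, nat_rule_ips={"203.0.113.2", "10.0.1.20"},
                       existing_listeners=[("203.0.113.3", "443"), ("203.0.113.4", "ANY")],
                       ssl_offload_profile_ids={"ssl-profile-a"})
GOOD = Listener(name="web.https", ip="203.0.113.5", port="443", type=STANDARD, protocol="HTTP",
                ssl_offload_profile_id="ssl-profile-a")
BAD = Listener(name="web listener", ip="203.0.113.4", port="80", type=STANDARD, protocol="UDP",
               optimization_profile="LAN_OPT", ssl_offload_profile_id="ssl-profile-zzz", connection_limit=250000)

if __name__ == "__main__":
    for label, vl in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(vl, DOMAIN) or "ok")
```

Running the script reports GOOD as acceptable and lists seven problems for BAD: the name contains a space, the Connection Limit exceeds 100,000, LAN_OPT is not an Optimization Profile for a Standard/UDP listener, the SSL Offload Profile fails all three of its checks (wrong domain, UDP protocol, non-TCP profile), and the address 203.0.113.4 is already taken by a listener on port Any. Because the checks return a list rather than raising on the first failure, the same routine can vet a whole batch of listener definitions before any of them is submitted.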
       
  7. Once the form has been filled out, click Add Virtual Listener:
     

  8. The system will display a success message:

     

  9. The Virtual Listener will be created and the UI will be updated to reflect the change: 

    Note: If there is a Non-RFC 1918 IP Address associated with the Virtual Listener, it will be distinguished by an asterisk: