What type of virtual server should be used to block responses for one IP in a subnet with a virtual server? (Choose one answer)
In the BIG-IP system, when you need to prevent traffic from reaching a specific destination or being processed by the system, you utilize specific Virtual Server types that act as 'denial' points.
Reject Virtual Servers: When a packet matches a Reject virtual server, the BIG-IP system stops the packet from being processed and sends a reset (RST) in the case of TCP, or an ICMP unreachable message in the case of UDP. This is the preferred method for 'blocking' specific IPs when you want the sender to receive immediate notification that the connection was refused.
Drop Virtual Servers: A Drop virtual server simply discards the packet without sending any response back to the source. While effective for 'stealthing' a network, it is often less desirable for standard administration unless specifically mitigating a DoS attack.
Comparison with Standard: A Standard virtual server is used to process and load balance traffic to a pool of members; it does not inherently act as a 'blocking' mechanism for a single IP within a subnet unless combined with complex iRules or Packet Filters.
Context of the Question: To block responses (or connection attempts) for a specific IP while other traffic in the subnet might be handled by more permissive virtual servers, a more specific (higher precedence) Reject virtual server is the standard administrative approach.
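As an added illustration (not part of the original answer), the two virtual servers described above written as bigip.conf stanzas: a Standard virtual server covering a /24 subnet and a more specific Reject virtual server for one host inside it. The names, addresses and pool are constructed; the /32 destination is more specific than the /24, so it takes precedence and only that host's connection attempts are refused.

```tmsh
# Added example, not from the original answer. Addresses, names and the
# pool are constructed placeholders; adjust them for your environment.

# Standard virtual server: load balances HTTP for the whole 10.10.10.0/24 subnet.
ltm virtual vs_subnet_standard {
    destination 10.10.10.0:80
    mask 255.255.255.0
    ip-protocol tcp
    pool web_pool
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
}

# Reject virtual server: matches only 10.10.10.50, any port, any protocol.
# Its /32 destination is more specific than the /24 above, so it is matched
# first; TCP senders receive a RST, UDP senders an ICMP unreachable.
ltm virtual vs_block_one_host {
    destination 10.10.10.50:any
    mask 255.255.255.255
    ip-protocol any
    reject
    source 0.0.0.0/0
}

# Verify the object and watch its counters climb as the host is refused:
#   tmsh list ltm virtual vs_block_one_host
#   tmsh show ltm virtual vs_block_one_host
```

The remaining hosts in 10.10.10.0/24 continue to match vs_subnet_standard unchanged, which is the point of using precedence rather than an iRule for a single-IP block.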