Forum Discussion
cerpika_14370
Nimbostratus
Aug 26, 2010
Exclude servers from SNAT automap
Hello, I have a question regarding excluding 2 servers from a snat automap. The BIG-IP has SNAT automap set, and a forwarding virtual server to make sure the servers behind the BIG-IP find their appropriate outbound route.
I need to find a way to exclude these two servers from being SNAT'd. All of the other servers (which there are many) still need to be SNAT'd.
I can't find a way to exclude these 2 servers from being SNAT'd. It seems that with a global SNAT automap, you cannot explicitly exclude IPs from the SNAT. When you create the SNAT you can explicitly include IPs, but not exclude.
I wrote an iRule for the forwarding virtual server to try and exclude these servers from being SNAT'd, however that does not seem to have an effect, as the SNAT that is doing the SNATting is a global SNAT.
What are my options here?
TIA
6 Replies
- Chris_Miller
Altostratus
Are the servers you're trying to exclude sending traffic outbound and that's where you'd like to prevent them from being SNATed? Or are they receiving inbound traffic and when they're selected, you'd like to keep the traffic from being SNATed on the way to them?
This'll be a pretty easy rule...just curious as to your traffic direction.
- George_Watkins_
Historic F5 Account
Hi cerpika,
Here are two ways to do the same thing. If you need more than two addresses or so, I'd recommend consolidating them into a datagroup for ease of manageability.
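Example 1:
    when LB_SELECTED {
        # SNAT every server except the two excluded addresses.
        # The two tests are joined with && because "not A or not B" is always true.
        if { ([IP::server_addr] ne "10.0.0.1") && ([IP::server_addr] ne "10.0.0.2") } {
            snat automap
        }
    }
Example 2:
    when LB_SELECTED {
        switch -glob [IP::server_addr] {
            10.0.0.1 -
            10.0.0.2 {
                # Excluded servers: leave the connection un-SNATed.
            }
            default {
                snat automap
            }
        }
    }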
Hope this helps,
George
- JRahm
Admin
Interesting. I would have gone with the snat none approach. I wonder if there is a performance hit for snat automap called in an iRule versus applied as profile in the virtual?
- Colin_Walker_12
Historic F5 Account
Good question Jason. I guess the opposite approach with the same functionality would be to turn on snat automap in the profile and then just say:
    when LB_SELECTED {
        switch -glob [IP::server_addr] {
            10.0.0.1 -
            10.0.0.2 {
                snat none
            }
        }
    }
Same thing, really, but I wonder if there's a performance difference. To the test-cave!
Colin
- Chris_Miller
Altostratus
Each of these examples assumes he's SNATing inbound traffic 😛
Since he mentioned both an IP_Forwarder and outbound routes, I'm assuming this is going to be an outbound SNAT...stealing Colin's example.
    when CLIENT_ACCEPTED {
        switch -glob [IP::client_addr] {
            10.0.0.1 -
            10.0.0.2 {
                snat none
            }
        }
    }
- Colin_Walker_12
Historic F5 Account
Curse you, details, you elude me yet again!!!!11
:p
No seriously though, good catch.
Colin
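
The data group suggestion and the outbound correction from the replies above, combined into one rule. This is an added example, not code posted by anyone in the thread. It assumes the BIG-IP v10+ `class` command, an address-type data group with the hypothetical name `snat_exempt_hosts`, and that the SNAT decision for this traffic is made on the forwarding virtual server.

```tcl
# Added example. Assumptions: BIG-IP v10+ iRule syntax; an address-type
# data group named snat_exempt_hosts (hypothetical name) containing
# 10.0.0.1 and 10.0.0.2, the two hosts used in the replies above.
when RULE_INIT {
    # Set to 1 while testing to log every SNAT decision to /var/log/ltm.
    set static::snat_exempt_debug 0
}

when CLIENT_ACCEPTED {
    # On a forwarding virtual server the internal host is the client side
    # of the connection, so the match is on the client address.
    if { [class match [IP::client_addr] equals snat_exempt_hosts] } {
        # Exempt host: leaves the BIG-IP with its real source address.
        snat none
        if { $static::snat_exempt_debug } {
            log local0. "SNAT bypassed: [IP::client_addr] -> [IP::local_addr]"
        }
    } else {
        # Every other host keeps the automap behaviour.
        snat automap
        if { $static::snat_exempt_debug } {
            log local0. "SNAT automap: [IP::client_addr] -> [IP::local_addr]"
        }
    }
}
```

Adding or removing an exempt host then means editing the data group only. Because exempt hosts are visible upstream under their real addresses, return routing and any firewall rules for those addresses have to be in place before a host is added to the group.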