Forum Discussion

sandiksk_35282's avatar
sandiksk_35282
Icon for Altostratus rankAltostratus
Mar 06, 2018

F5 Whitelisting/ Allowing a specific range of traffic to VS

We have a req to allow only specific subnet range and IPs to access the virtual server it would be great if you help me on this. VS on f5 is configured to listen only on port 443.  
application delivery
BIG-IP
iRules
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Mar 06, 2018

    Create IP type LTM data-group. Define allowed IP/subnet values, and add optional descriptions. You can find data-group creation page at 

    Local Traffic - iRules - Data-group List
    . Example of an IP type data-group in CLI/TEXT format:

    ltm data-group internal datagroup_allowed_ip {
  records {
    100.20.20.0/32 { }
    199.20.20.128/25 { }
  }
  type ip
}

    Create an iRule that checks for matches against entries in datagroup_allowed_ip

    when CLIENT_ACCEPTED {
  if { [class match [IP::client_addr] eq "datagroup_allowed_ip" ] }{
     Traffic is allowed. Client IP match found in datagroup_allowed_ip
    return
  } else {
     Traffic is dropped. Client IP match not found in datagroup_allowed_ip
    drop
  }
}
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Mar 06, 2018

Create IP type LTM data-group. Define allowed IP/subnet values, and add optional descriptions. You can find data-group creation page at 

Local Traffic - iRules - Data-group List
. Example of an IP type data-group in CLI/TEXT format:

ltm data-group internal datagroup_allowed_ip {
  records {
    100.20.20.0/32 { }
    199.20.20.128/25 { }
  }
  type ip
}

Create an iRule that checks for matches against entries in datagroup_allowed_ip

when CLIENT_ACCEPTED {
  if { [class match [IP::client_addr] eq "datagroup_allowed_ip" ] }{
     Traffic is allowed. Client IP match found in datagroup_allowed_ip
    return
  } else {
     Traffic is dropped. Client IP match not found in datagroup_allowed_ip
    drop
  }
}
  • sandiksk_35282's avatar
    sandiksk_35282
    Icon for Altostratus rankAltostratus
    Mar 06, 2018

    Thankyou , configuring for the QA setup , will get back to you if I run into any issues.

     

  • sandiksk_35282's avatar
    sandiksk_35282
    Icon for Altostratus rankAltostratus
    Mar 07, 2018

    I am not able to see any traffic hitting the irule . In the datagroup we specified the IP range . BUt i dont see any hits.

     

  • Maneesh_72711's avatar
    Maneesh_72711
    Icon for Cirrostratus rankCirrostratus
    Mar 07, 2018

    What do you mean not seeing any traffic hitting the i-rule have you enabled logging on i-rule and dont see the logic getting triggered ? Hannes has provided correct i-rule as per your requirement, are you coming from correct sources ?

     

  • sandiksk_35282's avatar
    sandiksk_35282
    Icon for Altostratus rankAltostratus
    Mar 08, 2018

    Yaa the irule is working as I dint add the source IPs which are used for testing in the datagroup. Now its working as expected. Thanks a lot Hannes for your help.