Forum Discussion
abachman_72712
Nimbostratus
Aug 03, 2009
Filter by incoming IP address
I need to write an iRule for a pool that will direct traffic to the correct member by incoming IP address. The pool members are set up to push traffic to the member on service port 9081.
E.g. traffic destined for IP address 10.10.10.20 will go to .20, but if .20 is down traffic will go to pool member 10.10.10.21, and vice versa: traffic with IP header 10.10.10.21 will go to member .21, but if that is not available it will go to .20.
I am sure this is a simple iRule, but my syntax is terrible. Any help would be appreciated.
pmanet
14 Replies
hoolio
Cirrostratus
Hi,
Here are a few related posts. You can reply here if you get stuck.
Pool redirect based on source IP Range
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3486334864
Redirect Traffic Based on Source Address
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=56827&ptarget=56838
IP::addr
http://devcentral.f5.com/wiki/default.aspx/iRules/ip__addr
matchclass
http://devcentral.f5.com/wiki/default.aspx/iRules/matchclass
Aaron
hoolio
Cirrostratus
Nevermind... I thought you wanted to select the pool based on the source IP address. Can you elaborate on what you're trying to implement?
Do you have two virtual server IP addresses which you want to map to two server IP addresses? If so, you could create one VS on 1.0.0.1 which points to a pool containing 2.0.0.1 at priority 100 and 2.0.0.2 at priority 1. And you can create a second VS on 1.0.0.2 which points to a pool containing 2.0.0.2 at priority 100 and 2.0.0.1 at priority 1. The higher priority pool member would take precedence as long as it is marked up. If it is marked down, connections would go to the lower priority member.
Or have I misunderstood your scenario?
Aaron
abachman_72712
Nimbostratus
Thanks. Sorry for any confusion.
The traffic will have the destination IP address in the packet. So I need to direct the traffic based on target IP (e.g. the packet header will contain the IP address of the target pool member it needs to go to, 10.10.10.20). But if this server is ever unavailable, I will need it to go to the other pool member, 10.10.10.21. I need to build the rule to cover this both ways.
pmanet
hoolio
Cirrostratus
I don't think that would work as is. I don't think both servers could be configured for 10.10.10.20 and 10.10.10.21. You would get IP conflicts if both hosts answered ARPs for both addresses.
It seems like it would be a lot more complicated to try to do something like transparent load balancing compared with just using a new IP address and load balancing the two servers with that.
Aaron
abachman_72712
Nimbostratus
I am not sure I follow. Do you think that if the traffic intended for .20 cannot get there, it would produce an IP conflict b/c it would then try to go to .21 but doesn't match that address?
I will have to follow up with the application group, but the IP address may just be part of the content, not the actual packet header. If this is the case, do you think this could be done?
hoolio
Cirrostratus
What protocol/type of application is this for? Have you done something like this before?
I'm trying to work out the layer2/3 logistics of what you're describing.
It sounds like you'd want LTM to answer an ARP request for 10.10.10.20 and then check the state of server1 which is also answering for 10.10.10.20. If it's up, then send the request to server1. If server1 is down, then you'd want to check the state of server2. If server2 is up, then you'd want to translate the destination MAC address of the request and send it to 10.10.10.20 using server2's MAC address. Finally, if server1 and server2 are down, you'd potentially want to take some default action like send a reset back.
I'm not sure how LTM would be able to identify server1 and server2. I guess you could hardcode ARP entries for two dummy IP addresses and add these to the pool (1.1.1.1 MAC: 00:00:00:00:00:01 priority 100 and 2.2.2.2 MAC: 00:00:00:00:00:02 priority 10, assuming these MAC addresses were the real ones from server1 and server2). You could then create a VS on 10.10.10.20 with destination address translation disabled.
It's been forever since I tested a layer 2 bridging implementation. I'm not sure if you'd need VLAN groups for this or not. I'm also not sure whether the above description would work or is optimal.
Citizen, are you out there? Can you make sense of this? :D
Thanks,
Aaron
abachman_72712
Nimbostratus
Never done this.
What if the IP address is only included in the content and not the header?
hoolio
Cirrostratus
What protocol/type of application is this for? Is it TCP, HTTP, something custom built on UDP, etc?
If you have IP address for the VS that's different than the two servers it should be very simple to configure. Just add the two servers to a pool with server1 at a higher priority and configure a VS which references that pool. If you need to rewrite the TCP or HTTP payload based on the destination IP address, you can do that using a stream profile or by buffering the content with TCP::collect or HTTP::collect.
Aaron
abachman_72712
Nimbostratus
This will be for SOAP calls over HTTP. The traffic is intended for an IBM WebSphere application (Java based).
I just spoke with the developer. Forget the whole issue about having the destination IP address in the content. The traffic will be sent to a URL (VS IP address). What he was expecting was for the LTM to recognize the originating traffic coming from 10.10.10.20 and to send the traffic back to the same member of the pool, 10.10.10.20. If 10.10.10.20 was not available, then push the traffic to the other member (10.10.10.21). This sounds like the issue with layer 2/3.
abachman_72712
Nimbostratus
What if I create 2 VSs? 10.10.10.20 generates data to LTM VS 1, with .20 at priority 1 and .21 at priority 2. 10.10.10.21 generates data to LTM VS 2, with .21 at priority 1 and .20 at priority 2. Create separate pools for both VSs.
Does that simplify things or is this ridiculous?
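The two-VS priority-group design above needs no iRule at all; for completeness, here is the same source-IP selection with monitor-aware fallback written as a single iRule on one VS, added as an illustration and not code from the thread. It assumes a pool named app_pool containing 10.10.10.20:9081 and 10.10.10.21:9081, and a VS address that is distinct from both servers (hoolio's point about avoiding IP conflicts).

```tcl
# Added example, not from the original thread.
# Assumed names: pool "app_pool" with members 10.10.10.20:9081 and 10.10.10.21:9081.
when CLIENT_ACCEPTED {
    # Map the client's source address to a preferred member and its fallback.
    switch [IP::client_addr] {
        "10.10.10.20" {
            set preferred 10.10.10.20
            set fallback  10.10.10.21
        }
        "10.10.10.21" {
            set preferred 10.10.10.21
            set fallback  10.10.10.20
        }
        default {
            # Any other source: fall through to the pool's normal load balancing.
            pool app_pool
            return
        }
    }

    # Only pin to a member that the health monitor currently reports as up;
    # LB::status returns the member's monitor state as a string.
    if { [LB::status pool app_pool member $preferred 9081] eq "up" } {
        pool app_pool member $preferred 9081
    } elseif { [LB::status pool app_pool member $fallback 9081] eq "up" } {
        pool app_pool member $fallback 9081
    } else {
        # Neither member is up: reject the connection rather than leave it hanging.
        reject
    }
}
```

Attach the rule to the VS fronting app_pool; clients other than the two listed sources are handled by the pool's default load balancing method and health checks.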