Valentine_96813
Aug 23, 2011

Filter Source IP

Had a request come across my desk from a user that I had never tried before and was wondering if someone might have done this.

What is requested is to have a live pool running as intended but have a rule in place that will filter a single or group of IPs and redirect them to a single backend server so that we can capture their session for various reasons.

Thoughts? I do this very thing filtering uris and such but never tried a source IP.

  • Hi Valentine,

    Sure you can do this. For a single IP or network range, you could use the IP::addr command to check the client IP. For multiple comparisons, you can use a datagroup and the class match command (v10+) or the matchclass command (v9).

    Here's an example for v10+:

    # Datagroup containing the hosts/networks you want to pin to a pool member
    class ip_subnets_class {
       {
          host 1.1.1.1
          network 2.2.2.0/24
       }
    }
    

    And the iRule which selects a specific pool member based on the client being in the datagroup:

    when CLIENT_ACCEPTED {

       # Check if the client IP is in the ip_subnets_class
       if {[class match [IP::client_addr] equals ip_subnets_class]} {

          # Select a specific pool member from the VS default pool for members of the datagroup
          pool [LB::server pool] member 10.1.1.1 80

       } else {

          # Select the VS default pool
          pool [LB::server pool]
       }
    }
    

    Aaron
  • In this scenario it appears that if the client IP is a match then traffic is directed to a specific pool member...

    Is there a way to direct that traffic to a separate pool as opposed to just a member of the default pool??

    Basically, I want all clients within a specific data group to be directed to a separate pool altogether...
  • Hi Todd,

    Sure:

    
    when CLIENT_ACCEPTED {

       # Check if the client IP is in the ip_subnets_class
       if {[class match [IP::client_addr] equals ip_subnets_class]} {

          # Select a separate pool for members of the datagroup
          pool other_pool

       } else {

          # Select the VS default pool
          pool [LB::server pool]
       }
    }
    

    If you want to assign a pool per IP subnet, you could add the pool name as a value for each key in the data group and use:

    # Look up the client IP in the ip_subnets_class data group and save the key's value to $pool_name
    if {[set pool_name [class match -value [IP::client_addr] equals ip_subnets_class]] ne ""} {
       pool $pool_name
    ...

    Aaron
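
The per-subnet lookup from the last reply, written out as a full iRule. This is an added example, not code posted by anyone in the thread. It assumes the `ip_subnets_class` data group carries a pool name as each entry's value (the pool names shown are hypothetical) and that a mistyped pool name should fall back to the default pool rather than break the client's connection.

```tcl
# Added example. Assumed data group layout (v10 bigip.conf style, values = pool names):
#   class ip_subnets_class {
#      {
#         host 1.1.1.1       { "capture_pool_a" }   <- hypothetical pool name
#         network 2.2.2.0/24 { "capture_pool_b" }   <- hypothetical pool name
#      }
#   }
when CLIENT_ACCEPTED {

   # Returns the matching entry's value, or "" when no host/network matches.
   # IP::client_addr is the TCP peer address, so clients behind a proxy or
   # NAT are matched on the proxy/NAT address, not their own.
   set pool_name [class match -value [IP::client_addr] equals ip_subnets_class]

   if { $pool_name ne "" } {

      # pool raises a runtime error when the named pool does not exist;
      # catch it so a typo in the data group does not reset the connection.
      if { [catch { pool $pool_name } err] } {
         log local0. "capture: [IP::client_addr] -> '$pool_name' failed: $err; using default pool"
         pool [LB::server pool]
      } else {
         # Record which clients were diverted, for later correlation with the capture
         log local0. "capture: [IP::client_addr] sent to pool $pool_name"
      }

   } else {

      # Everyone else stays on the VS default pool
      pool [LB::server pool]
   }
}
```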