Forum Discussion
GTM iRule split DNS
Greetings!
I was hoping you guys could scrutinize this iRule. The goal is to have the GTM return internal addresses to internal DNS queries and public addresses to public DNS queries. I also want to avoid having to create "internal only" VSs and Pools on the GTM. I have the following questions:
- Will it even work?
- What if all pool members are down?
- Can you foresee any "gotchas"?
- Can you make it better?
I would create a unique iRule for each WIP like the following:
-formatting fail, see my last post in this thread-
Environment:
- Active/Active data centers. One in Dallas, the other in Ft. Worth.
- A GTM and an LTM at each location.
- Each GTM has WIPs that point to pools that contain both a Dallas and Ft. Worth member (GTM configs are synced).
- Each GTM pool member has an Address (public IP) and a Translation (LTM VIP).
- Dallas LTM VIPs = 172.10.20.x. Ft. Worth LTM VIPs = 10.10.20.x.
- HamishCirrocumulus
There's an iRule to do this in the codeshare. It's extensible to multiple IP network views (i.e. separate internal, external, another external, etc.). Find it at GTM Translate.
It uses the DNS_RESPONSE event rather than LB_SELECTED and does the lookups in a datagroup to translate between the real IP and the IP that various source LDNS servers will see the endpoints as.
H
- RiverFishAltostratus
Thanks Hamish. I read over your iRule. How does it know what's down? Looks like it's just grabbing an IP from a static datagroup list. Would it be possible to post your datagroups so I can better understand? What is gteHSL?
- HamishCirrocumulus
The iRule just does the translation. It fires AFTER GTM has done the hard work to determine which of the GTM pool members are available. The event is DNS_RESPONSE, so the iRule grabs the IPs in the response and translates those. There's no selection to be done at this point.
The GTM determines what's available from the monitors used on the GTM servers. Most of my GTM pool members are LTM VS's. So the feed of information for them comes in via the big3d - gtmd protocol.
The data groups are a simple address DG, where the key is the internal IP and the value is the 'external' ip.
H
- RiverFishAltostratus
Ah, I see now. It all clicked when you said these two things:
"the iRule grabs the IP's in the response and translates those"
However, in the iRules section of the GTM there is no Data Group List tab like there is on the LTM. I don't understand what you mean when you say:
"Note that although developed for GTM, this is an LTM iRule and is attached to the LTM VS that is created by the GTM when you configure a listener address."
Could you please elaborate on this? On a GTM, the only place to assign an iRule is on a WIP (at least that I am aware of).
- HamishCirrocumulus
There are two types of iRules: GTM and LTM. A GTM iRule is attached to a WIP and operates at the WIP level. GTM iRules are pretty limited in what they can do (i.e. only GTM stuff). So they're a bit of a subset of LTM iRules, with the exception that they can get the pool member status of GTM pools. (LTM iRules don't have access to GTM-level information.) I'm not sure GTM iRules can use data groups either...
However, even though GTM rules are pretty limited, because GTM is layered ON TOP of LTM, you can use an LTM iRule attached to the LTM VS that is created by GTM. (You configure a 'listener' in GTM and that creates an LTM VS with lots of underscores in the name... You can attach LTM iRules to this VS to manipulate the traffic at the LTM level.)
Using an LTM iRule gives you a much richer environment, as long as you don't want access to the list of pool members (VSs) in a GTM pool. That's the approach this iRule takes. (For example, because GTM iRules and LTM iRules are different, I'm not sure you get things like functions etc. in GTM iRules even in 11.4.1.) I did have a discussion with a few of the F5 guys about GTM and LTM iRules, and I think we came to the conclusion that GTM iRules aren't really very useful any more. (In the old days, I think you didn't get the LTM-level VS created, so pre-v11 you were limited to GTM iRules or nothing. GTM doesn't really track LTM changes exceedingly well, so I suspect they'll either drop GTM iRules entirely or merge the engines, perhaps.)
H
- RiverFishAltostratus
Okay, I see. You have to ssh to the GTM and look at the bigip.conf. And this is where you would add the iRule:
Now where do you create the DG? In the profile_base.conf? It would help me tremendously if you could show me your DGs.
- HamishCirrocumulus
Ahhh... You sound like you're editing the config files by hand... Why not use tmsh to do this? e.g. something like
tmsh create ltm data-group ....
to give something like
ltm data-group internal local_address_class { records { 10.0.0.0/8 { data internal } } type ip }
The translation data-groups (e.g. gte_translate_internet) will look something like this
ltm data-group internal gte_translate_internet { records { 192.168.99.25/32 { data 172.16.1.1 } } type ip }
and is again created (Or edited) using tmsh (or the GUI)
create ltm data-group internal test { type ip records add { 192.168.22.33 { data 172.16.1.1 }}}
Obviously, if your DG already exists, use modify, not create.
H
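Putting Hamish's description together (DNS_RESPONSE event, a data group keyed by the querying LDNS's network to pick a "view", and a per-view translation data group keyed by the real IP), here is an added example of such an LTM iRule for the GTM listener VS. It is not the codeshare "GTM Translate" iRule; the data group names local_address_class and gte_translate_<view> follow the ones shown above, and the default view name "internet" is an assumption.

```tcl
# Added example, not the codeshare iRule. Attach to the LTM VS that the GTM listener creates.
# Assumed data groups (type ip):
#   local_address_class      key = LDNS source network, data = view name (e.g. "internal")
#   gte_translate_<view>     key = real IP/32 returned by GTM, data = IP that view should see
when DNS_RESPONSE {
    # Classify the querying LDNS by its source address; unknown sources get the "internet" view.
    set view [class match -value -- [IP::client_addr] equals local_address_class]
    if { $view eq "" } {
        set view "internet"
    }
    set dg "gte_translate_$view"

    # A view with no translation data group is passed through untouched.
    if { ![class exists $dg] } {
        return
    }

    # GTM has already chosen available members; only rewrite the A records it handed back.
    foreach rr [DNS::answer] {
        if { [DNS::type $rr] ne "A" } {
            continue
        }
        set real [DNS::rdata $rr]
        set xlat [class match -value -- $real equals $dg]
        if { $xlat ne "" } {
            DNS::rdata $rr $xlat
        }
    }
}
```

Addresses with no entry in the view's data group are returned exactly as GTM selected them, so a missing translation fails open to the real address rather than breaking resolution.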
- HamishCirrocumulus
gte == GTM Translate External
3dp = 3rd Party (Private leased lines/networks as opposed to Internet).
H
- RiverFishAltostratus
I ended up just creating an iRule for each WIP. It's been working great:
when LB_SELECTED {
    # Only rewrite the answer when the querying LDNS falls in the "private-ranges" region
    if { [matchregion ldns private-ranges] } {
        # GTM picked a public pool member; hand the internal (LTM VIP) address back instead
        if { [LB::server addr] starts_with "100.100.100." } {
            host 172.1.1.1
        } elseif { [LB::server addr] starts_with "200.200.200." } {
            host 10.1.1.1
        }
    }
}