How to config PBR

Can you tell us what PBR is? I have no idea what you are referring to.

PBR typically refers to "Policy Based Routing" not surehow the origninal poster was looking to employ PBR but I could see using an irule with a forwarding virtual server to accomplish some sort of PBR.

You can accomplish simple PBR using VS's... And tie them to explicit inbound vlans...

 

 

More complex will require an iRule... But the world is your oyster there... Just be aware that you probably won't get any acceleration if you're using iRules on a VS...

 

 

H

Hi Hung,

Creating a PBR is very similar to creating a vip and pool along with an iRule.

1. You would create a wildcard virtual forwarding server.

2. Then you would create a pool with the IP address of the next hops that will be chosen based on your conditions.

Example Irule

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::local_addr] equals 10.0.0.1/24 ]}{ 
         pool pool_hop_1
    } elseif { [IP::addr [IP::client_addr] equals 192.168.1.0/24]}{ 
         pool pool_hop_2
    } else { 
         pool pool_hop_3
    }
}

I hope this is a good start

Bhattman

This may be possible using Acces Policy Manager

Can you tell us exactly what' you're trying to accomplish?

 

 

I'm new to F5 products and try to figure out the same thing, how to config policy based routing, so please don't mind me if I'm going to continue this thread.

 

 

From Bhattman reply, my understanding is wildcard virtual server will process every packets come to F5 and iRule associated with that wildcard virtual server will choose appropriate pool for those packets according to the sequence.

 

 

But what I still don't understand is since command 'pool' has been used, wouldn't F5 modified dst ip of packets to next hop ip address of a member selected? What we want is just to send it out the way we want but not to alter its dst ip.

 

 

Could someone explain to me and apologize for a newbie question. Thank you in advanced.

wouldn't F5 modified dst ip of packets to next hop ip address of a member selected? What we want is just to send it out the way we want but not to alter its dst ip. when creating wildcard virtual server, by default translate address and service are disabled. so, destination address won't be changed when packet is sending out.

[root@iris:Active] config  b virtual test list all
virtual test {
   enable
   limit 0
   rate class none
   mirror disable
   translate address disable
   translate service disable
   srcport preserve
   pool
   snat none
   cmp enable
   cmp processor none
   lasthop pool none
   snatpool none
   pool gw1
   fallback persist none
   destination any:any
   mask 0.0.0.0
   ip protocol tcp
   partition Common
   rules none
   httpclass none
   persist none
   auth none
   clone pools none
   profiles tcp {
         all
      }
   traffic classes none
   vlans none disable
}
[root@iris:Active] config  b pool gw1 list
pool gw1 {
   members 172.28.17.254:any {}
}
[root@iris:Active] config  b route list
No Routing Table Entries were found.

[root@iris:Active] config  tcpdump -nni 0.0 -e port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
12:13:18.896745 00:01:d7:20:81:85 > 00:01:d7:2f:0d:c3, ethertype 802.1Q (0x8100), length 78: vlan 4094, p 0, ethertype IPv4, 10.10.72.60.59619 > 8.8.8.8.80: S 865485221:865485221(0) win 5840 
12:13:18.896802 00:01:d7:2f:0d:c3 > 00:01:d7:20:81:85, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 8.8.8.8.80 > 10.10.72.60.59619: S 1705596133:1705596133(0) ack 865485222 win 4380 
12:13:18.897850 00:01:d7:20:81:85 > 00:01:d7:2f:0d:c3, ethertype 802.1Q (0x8100), length 70: vlan 4094, p 0, ethertype IPv4, 10.10.72.60.59619 > 8.8.8.8.80: . ack 1 win 46 
12:13:18.897925 00:01:d7:2f:0d:c4 > 00:01:e8:d5:d4:47, ethertype 802.1Q (0x8100), length 82: vlan 4093, p 0, ethertype IPv4, 10.10.72.60.59619 > 8.8.8.8.80: S 3006714883:3006714883(0) win 4380 

5 packets captured
5 packets received by filter
0 packets dropped by kernel

[root@iris:Active] config  b arp 172.28.17.254
ARP 172.28.17.254 - 00:01:E8:D5:D4:47   VLAN external   expire 269s   resolved

Thank you, nitass.

 

 

From your answer, let me explain my understanding and please correct me if something wrong:

 

- 'translate address' is a setting that allow/disallow virtual server to alter dst ip in the packet, right?

 

- the same goes for 'translate server'. Is it a setting that allow/disallow virtual server to alter dst port?

 

 

So what exactly happened when F5 try to send packet out if we disable 'translate address'?

 

My guess is F5 try to send packet to a selected member in selected pool according to its routing table, however not to alter dst ip? Is that correct?

My guess is F5 try to send packet to a selected member in selected pool according to its routing table, however not to alter dst ip? Is that correct?something like that. anyway, u know pool is connected subnet, so no routing is needed.