Forum Discussion
hung_37471
Sep 27, 2011 Nimbostratus
How to config PBR
Hi all,
Can you help me? How do I configure PBR on the BIG-IP?
In the web GUI, I can't see anywhere to configure PBR.
Thanks, all.
nitass_89166
Sep 01, 2014 Noctilucent
the end client is not hitting the virtual address directly.
the virtual server address is not self ip, is it?
- Sumanta_88744 (Sep 01, 2014, Cirrus): The virtual server is on a floating VIP. Let me clarify a bit more. A sample packet coming from the end client has Src Addr: 10.1.0.100/24 Src port: (>1024); Dst Addr: google.com Dst port: 80/443. This traffic needs to go to the virtual server with floating IP 10.206.0.4 and be load balanced to the real server pool. Other traffic, say Src Addr: 10.1.0.100/24 Src port: (>1024); Dst Addr: www.f5.com Dst port: SFTP, needs to go directly to the ISP gateway. We need to do this routing in F5. Usually, for an F5 advised set-up, we directly hit the virtual server address, but not here. The user transparently goes to the Internet, not knowing an F5 is sitting in between the LAN and the ISP.
- nitass_89166 (Sep 01, 2014, Noctilucent): Is pool /Common/WHTTP a cache server pool? If yes, you may create new virtual servers on port 80 and port 443 (i.e. 0.0.0.0/0:80 and 0.0.0.0/0:443) and use /Common/WHTTP as a pool.
- Sumanta_88744 (Sep 01, 2014, Cirrus): Yes Nitass, WHTTP is a pool of proxy cache servers. How do I post a diagram here?
- nitass_89166 (Sep 01, 2014, Noctilucent): You can post an image by clicking the insert image icon. By the way, are virtual servers on port 80 and port 443 usable?
- Sumanta_88744 (Sep 01, 2014, Cirrus): Hi Nitass, I could not understand your last point: create new virtual servers on port 80 and port 443. Why will the address be 0.0.0.0/0:80 and not VIP 10.206.0.4:80? Will 0.0.0.0/0:80 be able to fwd traffic to real pool servers?
- Sumanta_88744 (Sep 01, 2014, Cirrus): Hi Nitass, I think I am getting what you say. I will create the below to intercept port 80/443 traffic (directed to an Internet IP, a subset of 0.0.0.0/0) and send the rest to the ISP next hop. Please correct me if I am wrong. And do we need address/port translation in this case? How will I do the default next hop to the ISP? See the config below:

  ```
  ltm virtual /Common/WHTTP_vs {
      description "WHTTP virtual server"
      destination /Common/0.0.0.0:80
      ip-protocol tcp
      mask 0.0.0.0
      persist {
          /Common/Persistence-1 {
              default yes
          }
      }
      pool /Common/WHTTP
      profiles {
          /Common/fastL4 { }
      }
      source 10.1.0.0/24
      translate-address enabled
      translate-port enabled
      vlans {
          /Common/external_vlan
      }
      vlans-enabled
  }
  ltm virtual /Common/WHTTPs_vs {
      description "WHTTPs virtual server"
      destination /Common/0.0.0.0:443
      ip-protocol tcp
      mask 0.0.0.0
      persist {
          /Common/Persistence-1 {
              default yes
          }
      }
      pool /Common/WHTTP
      profiles {
          /Common/fastL4 { }
      }
      source 10.1.0.0/24
      translate-address enabled
      translate-port enabled
      vlans {
          /Common/external_vlan
      }
      vlans-enabled
  }
  ltm virtual /Common/forward-to-Internet_vs {
      description "Outbound traffic to Internet"
      destination /Common/0.0.0.0:0
      ip-forward
      ip-protocol tcp
      mask any
      profiles {
          /Common/IP-Gateway { }
      }
      source 0.0.0.0/0
      translate-address disabled
      translate-port disabled
      vlans {
          /Common/internal_vlan
      }
      vlans-enabled
  }
  ltm virtual /Common/Internet_vs {
      description "Default traffic to Internet"
      destination /Common/0.0.0.0:0
      ip-forward
      ip-protocol tcp
      mask any
      profiles {
          /Common/IP-Gateway { }
      }
      source 0.0.0.0/0
      translate-address disabled
      translate-port disabled
      vlans {
          /Common/external_vlan
      }
      vlans-enabled
  }
  ```
- nitass_89166 (Sep 01, 2014, Noctilucent): Please take a look at Stephan's answer.