hung_37471
Sep 27, 2011 · Nimbostratus
How to config PBR
Hi all,
Can you help me with how to configure PBR on the BIG-IP?
In the web GUI, I can't see anywhere to configure PBR.
Thanks, all.
Before doing anything else, please turn on the port lockdown (allow none) on the self IPs (as well as on the floating self IPs) associated with your production networks. Otherwise you have a good chance of being hacked ... Btw, port lockdown only affects the manageability on a network interface and how it can be used as a listener for other services (including dynamic routing).
Why do you want to pass dynamic routing information through the BIG-IP to another L3 network? As the F5 is used as an L3 component in your environment, the floating self IPs on the different interfaces will be used as next hop (in static routes) on the locally attached devices.
The HSRP address of your ISP router's southern interface will be configured as next hop for the default route on your BIG-IPs. That's it in a typical deployment.
Running tcpdump with parameter "-ei 0.0" shows traffic on all visible interfaces, including L2 data (MAC address and VLAN information). So you know on which interface a packet can be seen.
But again, I'm not aware of a reason to route HSRP packets.
Generally, if routing is required, a host or network virtual server with address translation disabled (destination NAT) in ForwardingIP mode will typically do the job. It requires static routes on the BIG-IP to forward traffic via a next hop to non-locally-attached networks.
Alternatively, you can configure next hop pools (members are locally attached HSRP addresses of your peripheral firewall or router) as next hop information in a route, or use one as a resource for a virtual server in PerformanceL4 mode (destination NAT disabled as well).
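
The port lockdown advice in the reply above can be checked against a saved configuration. The following is an added example, not part of the original thread and not F5 code: it scans self IP stanzas for any production-facing self IP that is not set to allow none. The stanza text is a constructed sample in the style of tmsh `list net self` output, the names and addresses are placeholders, and treating a missing `allow-service` line as "none" is an assumption.

```python
import re

# Constructed sample in the style of `tmsh list net self` output.
# Names and addresses are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
net self external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    vlan external
}
net self external_float {
    address 203.0.113.12/24
    allow-service all
    floating enabled
    vlan external
}
net self internal_self {
    address 10.10.10.10/24
    allow-service none
    vlan internal
}
net self dmz_self {
    address 192.0.2.10/24
    vlan dmz
}
"""

STANZA = re.compile(r"^net self (\S+) \{\n(.*?)^\}", re.M | re.S)
ALLOW = re.compile(r"^[ \t]+allow-service[ \t]+(?:\{(.*?)\}|(\S+))", re.M | re.S)
VLAN = re.compile(r"^[ \t]+vlan[ \t]+(\S+)", re.M)

def audit_port_lockdown(config, production_vlans):
    """Return (self_ip, vlan, allowed) for production self IPs not set to 'allow none'."""
    findings = []
    for name, body in STANZA.findall(config):
        vlan_m = VLAN.search(body)
        vlan = vlan_m.group(1) if vlan_m else ""
        m = ALLOW.search(body)
        # Assumption: a stanza with no allow-service line means 'none'.
        allowed = "none" if not m else " ".join((m.group(1) or m.group(2)).split())
        if vlan in production_vlans and allowed != "none":
            findings.append((name, vlan, allowed))
    return findings

if __name__ == "__main__":
    for name, vlan, allowed in audit_port_lockdown(SAMPLE_CONFIG, {"external", "dmz"}):
        print(f"{name} (vlan {vlan}): allow-service {allowed}")
```

Both non-floating and floating self IPs are reported, matching the reply's point that floating self IPs need the same lockdown.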