hung_37471
Sep 27, 2011 Nimbostratus
How to config PBR
Hi all,
Can you help me? How do I config PBR on the BIG-IP?
On the web GUI, I can't see anywhere to config PBR.
Thanks all
I'll try to set things up with virtual machines. Seeing the real thing work helps me learn faster and easier, I hope. :)
Hi Experts
How will I modify the below PBR iRule to include port-based forwarding? For example, I need to route traffic based on port 80/443 towards a specific virtual server; for the rest of the traffic, it should get routed, with F5 acting as an L3 hop.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::local_addr] equals 10.0.0.1/24] } {
        # destination address in 10.0.0.0/24 -> next hop 1
        pool pool_hop_1
    } elseif { [IP::addr [IP::client_addr] equals 192.168.1.0/24] } {
        # source address in 192.168.1.0/24 -> next hop 2
        pool pool_hop_2
    } else {
        # everything else -> default next hop
        pool pool_hop_3
    }
}
Hi,
Try this (haven't tested in a lab). Obviously the pool named pool_hop_1 must exist.
when CLIENT_ACCEPTED {
    log local0. "PBR iRule starting"
    # only port-80 connections are steered; everything else falls through
    if { [TCP::local_port clientside] equals 80 } {
        if { [active_members pool_hop_1] < 1 } {
            # pool is down: SNAT and let the connection be routed normally
            log local0. "No active pool members so will SNAT"
            snat automap
        } else {
            pool pool_hop_1
            log local0. "PBR on port 80 successful"
        }
    }
}
How do I combine both conditions of IP address & port?
e.g.
if { [IP::addr [IP::local_addr] equals 10.0.0.1/24] and
     ( [TCP::local_port] == 80 or [TCP::local_port] == 443 ) } {
[active_members pool_hop_1] < 1
The active_members command is used to make sure the pool_hop_1 pool is up before sending traffic to it.
active_members
https://devcentral.f5.com/wiki/iRules.active_members.ashx
Can I use a named pool "my_subnets" instead of only the IP segment 10.0.0.0/24? "my_subnets" would have, say, 20 subnets.
If there are a number of IPs/subnets, you can use the "class match" command instead of IP::addr. The IPs/subnets are defined in an IP-type data group.
class
https://devcentral.f5.com/wiki/irules.class.ashx
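Putting the pieces of this thread together (address data group for the source subnets, port 80/443 check, active_members fallback) as an added example iRule; this is not code posted by anyone in the thread. The data group name my_subnets, the pool names pool_hop_1 (app servers) and pool_hop_3 (Internet gateway), and a TCP virtual server are assumptions.

```tcl
# Added example, not from the thread. Assumes an address-type data group
# "my_subnets" holding the source subnets, and pools pool_hop_1 and
# pool_hop_3 existing on the BIG-IP. Attach to a TCP virtual server only,
# since TCP::local_port is not available for UDP/other traffic.
when CLIENT_ACCEPTED {
    # class match against an address data group does subnet matching,
    # so one lookup replaces a chain of IP::addr ... equals tests
    set from_app_subnet [class match [IP::client_addr] equals my_subnets]
    set dst_port [TCP::local_port]

    if { $from_app_subnet && ( $dst_port == 80 || $dst_port == 443 ) } {
        # steer to the app pool only while it has a healthy member;
        # otherwise fall back to plain routing instead of black-holing
        if { [active_members pool_hop_1] < 1 } {
            log local0. "pool_hop_1 has no active members; routing via gateway"
            pool pool_hop_3
        } else {
            pool pool_hop_1
        }
    } else {
        # everything else (e.g. port 22) is L3-forwarded to the gateway
        pool pool_hop_3
    }
}
```

The final reply below makes the same point without an iRule: a dedicated virtual server on the right VLAN matches the app traffic and a forwarding virtual server catches the rest.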
What I need is traffic from a pool of 2 subnets (say 10.1.0.0/24 and 10.2.0.0/24) to be forwarded to a virtual server (10.206.0.4).
Is it only when connecting to 10.206.0.4:8080?
If yes, can't we just enable the WHTTP_vs virtual server on the www-internal VLAN (i.e. add the www-internal VLAN to the WHTTP_vs virtual server)?
But for the rest of the traffic, say port 22 traffic coming from 10.99.0.0/24, it has to be directly routed to the Internet. F5 is acting as an L3 hop between the LAN and the Internet and directing specific traffic to the app servers.
What is 10.99.0.0/24? Was it a typo? If you mean 10.1.0.0/24 and 10.2.0.0/24, other traffic such as port 22 will match the forwardToInternet_vs virtual server and be sent to the Internet gateway. It won't match the WHTTP_vs virtual server because the destination is not 10.206.0.4:8080.
So you say no iRule is needed at all?
Yes.