Forum Discussion
How to config PBR
Can you help me, how to config PBR on the BIG-IP?
On the web GUI, I can't see anywhere to config PBR.
Thanks all
78 Replies
- StephanManthey
Nacreous
Before doing anything else please turn on the port lockdown (allow none) on the self IPs (as well for floating self IPs) associated with your production networks. Otherwise you have a good chance to be hacked ... Btw, port lockdown only affects the manageability on a network interface and how it can be used as a listener for other services (including dynamic routing).
Why do you want to pass dynamic routing information through the BIG-IP to another L3 network? As the F5 is used as a L3 component in your environment, the floating self IPs on the different interfaces will be used as next hop (in static routes) on the locally attached devices.
The HSRP address of your ISP router's southern interface will be configured as next hop for the default route on your BIG-IPs. That's it in a typical deployment.
Running tcpdump with parameter "-ei 0.0" shows traffic on all visible interfaces including L2 data (MAC address and VLAN information). So you know, on which interface a packet can be seen.
But again, I'm not aware of a reason to route HSRP packets.
Generally if routing is required, a host or network virtual server with address translation disabled (destination NAT) in ForwardingIP mode will typically do the job. It requires static routes on the BIG-IP to forward traffic via a next hop to non-locally-attached networks.
Alternatively you can configure next hop pools (members are locally attached HSRP addresses of your peripheral firewall or router) as next hop information in a route or use it as a resource for a virtual server in PerformanceL4 mode (destination NAT disabled as well).
- StephanManthey
Nacreous
Hi Sumanta, regarding "tmsh list ltm":
The output contains all preconfigured profiles, iRules, policies etc. The /config/bigip.conf contains primarily your additions to the logical configuration.
The /config/bigip_base.conf contains primarily configuration objects related to network configuration which are typically not synchronized in a sync-failover device-group.
What's wrong with the tcpdumps?
Thanks,
Stephan
Hi Stephan, will the below work? Condition has to be such that if pool is unavailable, then all traffic has to be forwarded to next hop.
rule pbr-rule {
    when CLIENT_ACCEPTED {
        log local0. "PBR iRule starting"
        if {[class match -- [IP::client_addr] equals subnet_bypass]} {
            if { [active_members pool_hop_1] < 1 } {
                log local0. "No active pool members so will forward to next-hop"
            } { forward } else {[class match -- [IP::client_addr] equals subnet_permit]} {
                pool WHTTP_Transparent
                log local0. "PBR successful"
            }
        }
}
- StephanManthey
Nacreous
Hi Sumanta, I changed it a bit and added comments:
rule pbr-rule {
    when CLIENT_ACCEPTED {
        log local0. "PBR iRule starting"
        # client IP is from subnet_bypass and will be forwarded via pool_hop_1
        if {[class match -- [IP::client_addr] equals subnet_bypass]} {
            # if pool_hop_1 has no members, connections will be forwarded according to routing table
            if { [active_members pool_hop_1] < 1 } {
                log local0. "No active pool members so will forward to next-hop"
                forward
            # if pool_hop_1 has available members, connections will be forwarded via pool_hop_1
            } else {
                pool pool_hop_1
            }
        # client IP is from subnet_permit and will be forwarded via WHTTP_Transparent
        } elseif {[class match -- [IP::client_addr] equals subnet_permit]} {
            pool WHTTP_Transparent
            log local0. "PBR successful"
        }
    }
}
Thanks,
Stephan
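The iRule above only works once the objects it names exist, and Stephan's earlier post lists the surrounding pieces (port lockdown on the self IPs, a wildcard virtual server with address translation disabled, a default route to the ISP router's HSRP address). The tmsh commands below tie both together. They are an added example, not configuration from anyone in this thread: the object names subnet_bypass, subnet_permit, pool_hop_1, WHTTP_Transparent and pbr-rule come from the iRule, while the VLAN name "internal", the virtual server name vs_pbr, the gateway_icmp monitor and every address (RFC 5737 documentation ranges) are constructed assumptions. It also assumes the iRule has already been saved under the name pbr-rule.

```tmsh
# Added example, not from the thread. Addresses are constructed; VLAN name,
# virtual server name and monitor choice are assumptions.

# 1. Port lockdown first: the two non-floating self IPs and the floating
#    self IP on the production VLAN accept no management or listener traffic.
tmsh modify net self 198.51.100.2 allow-service none
tmsh modify net self 198.51.100.3 allow-service none
tmsh modify net self 198.51.100.1 allow-service none

# 2. Data groups that "class match" looks up. Type ip, so a client address
#    matches when it falls inside a listed subnet rather than only on equality.
tmsh create ltm data-group internal subnet_bypass type ip records add { 10.10.0.0/16 { } }
tmsh create ltm data-group internal subnet_permit type ip records add { 10.20.0.0/16 { } }

# 3. Next-hop pool (HSRP address of the peripheral router) and the transparent
#    proxy pool, both monitored. The monitor is what makes "active_members"
#    drop to 0 when the hop is unreachable, which is the condition the iRule
#    uses to fall back to "forward" (routing table).
tmsh create ltm pool pool_hop_1 monitor gateway_icmp members add { 198.51.100.254:any { } }
tmsh create ltm pool WHTTP_Transparent monitor gateway_icmp members add { 192.0.2.10:any { } }

# 4. Performance (Layer 4) wildcard virtual server with destination NAT and port
#    translation disabled, listening only on the inside VLAN. Sources matching
#    neither data group go to the default pool, i.e. straight to the next hop.
tmsh create ltm virtual vs_pbr destination 0.0.0.0:any mask any ip-protocol any profiles add { fastL4 { } } translate-address disabled translate-port disabled vlans add { internal } vlans-enabled pool pool_hop_1 rules { pbr-rule }

# 5. The BIG-IP's own default route points at the ISP router's HSRP address.
tmsh create net route default gw 198.51.100.254

tmsh save sys config
```

Restricting the virtual server to the inside VLAN (vlans-enabled) matters as much as the lockdown: a 0.0.0.0:any listener that is reachable from the outside interface would otherwise accept and forward anything that arrives there.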