
Parveez_70209
Oct 01, 2013

How to divert traffic based on self IPs, not on the basis of SNAT

Let's say we have a virtual server with a pool containing some set of servers.

  1. Currently, to reach that virtual server's pool subnet, we have two self IPs created.
  2. Let's say whoever tries to reach the virtual server from a private IP range (Class A, B and C) is diverted to one of the self IPs.
  3. The rest of the IPs are diverted towards the other self IP.

For example: www.xyz.com is the virtual server and the pool is named pool-xyz. Class A, B and C will reach self IP 1.1.1.1. The rest will reach 2.2.2.2.

Kindly assist as to whether we can write some iRule to add to the virtual server.

 

8 Replies

  • You could try something like this:

    when CLIENT_ACCEPTED {
        # Match the client source address against an address-type data group
        if { [class match [IP::client_addr] equals my_ip_datagroup] } {
            # Matched (e.g. the private ranges): translate the source to this self IP
            snat 1.1.1.1
        } else {
            # Everything else is translated to the other self IP
            snat 2.2.2.2
        }
    }
    

    where "my_ip_datagroup" is an address-based data group with specific IPs or IP subnets.

One query, Kevin: as you specified SNAT in the iRule, not self IP, will that suit our requirement? Because we wanted to specify the self IP address. Or do I need to create a SNAT with the same IPs specified as the self IPs?

     

I am aware that if we select Auto Map on the virtual server, it will automatically select one of the self IPs on the subnet through which it will reach the destination servers.

     

And secondly, for creating my_ip_datagroup as the address-based data group, how will I specify the range? I can create Host and Network entries, but please assist in guiding how to specify a range here.

    Range: 10.0.0.0 - 10.255.255.255
    Range: 172.16.0.0 - 172.31.255.255
    Range: 192.168.0.0 - 192.168.255.255

     

Thanks and Regards, Parveez

     

As you specified SNAT in the iRule, not self IP, will that suit our requirement? Because we wanted to specify the self IP address. Or do I need to create a SNAT with the same IPs specified as the self IPs?

    You can specify a self IP address in the snat command.

    And secondly, for creating my_ip_datagroup as the address-based data group, how will I specify the range? I can create Host and Network entries, but please assist in guiding how to specify a range here.

    These are all ranges with clearly defined subnet boundaries:

    10.0.0.0 - 10.255.255.255 is 10.0.0.0/8 (255.0.0.0)
    172.16.0.0 - 172.31.255.255 is 172.16.0.0/12 (255.240.0.0)
    192.168.0.0 - 192.168.255.255 is 192.168.0.0/16 (255.255.0.0)
    
Thank you so much, Kevin. So, just to clarify for myself:

     

SNAT is for the response from the servers, while the self IP is for the request from the remote end (client).

     

So, as we are planning to segregate the traffic based on the request from the client, I am editing the iRule by replacing snat with selfip. Kindly guide whether this is correct:

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals my_ip_datagroup] } {
            selfip 1.1.1.1
        } else {
            selfip 2.2.2.2
        }
    }

     

Thanks and Regards, Parveez

     

SNAT is for the response from the servers, while the self IP is for the request from the remote end (client).

     

I'm not exactly sure what you're saying here, but a SNAT is a mechanism to transform the client source address on ingress (request) to a locally managed address on the F5 for the purposes of forced routing. Automap is a SNAT function that changes the client source to one of the F5's self IP addresses. You can either specify a SNAT address literally, or allow Automap to select a self IP. Using the snat command with a self IP address allows the F5 to transform the client source to that IP address.

     

    Using the snat command with a self IP address should get you what you need.

     

Thank you so much, Kevin, for clearing up the doubts; now it is very clear.

    Your inputs are always an added point for starters like us, which enhances our knowledge.

    Thanks and Regards, Parveez

     

  • Hi Kevin,

     

After a long gap, I am coming back to the same topic (dividing or routing traffic through SNAT or self IP), where I got the concept:

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals my_ip_datagroup] } {
            snat 1.1.1.1
        } else {
            snat 2.2.2.2
        }
    }

     

    Now I wanted to relate this to three environments:

     

1. PROD: which has the environment's subnet 10.25.128.0/24, where the self IPs are (floating IP: 10.25.128.99, on the primary: 10.25.128.98, and on the secondary LTM: 10.25.128.97)
    2. PREP: which has the environment's subnet 10.25.129.0/24, where the self IPs are (floating IP: 10.25.129.99, on the primary: 10.25.129.98, and on the secondary LTM: 10.25.129.97)
    3. EDI: which has the environment's subnet 10.25.130.0/24, where the self IPs are (floating IP: 10.25.130.99, on the primary: 10.25.130.98, and on the secondary LTM: 10.25.130.97)

    1. Now the idea is to create a data group named PROD_ip_datagroup which will contain a source segment of 10.25.128.x and 64.x.x.x, which can only access the PROD environment.
    2. Similarly, the idea is to create a data group named PREP_ip_datagroup which will contain a source segment of 10.25.129.x and 64.x.x.x, which can only access the PREP environment.
    3. Similarly, the idea is to create a data group named EDI_ip_datagroup which will contain a source segment of 10.25.129.x and 64.x.x.x, which can only access the PREP environment.

     

Once the above is created, the idea is to have the below:

     

1. If the data group PROD_ip_datagroup source segment is matched, they are allowed to access the PROD environment (which is the 10.25.128.x subnet), and the connections will come through the newly planned self IP, let's say 10.25.128.109. Else the connections will be through SNAT 10.25.128.99 (which is the floating IP).

       

2. If the data group PREP_ip_datagroup source segment is matched, they are allowed to access the PROD environment (which is the 10.25.129.x subnet), and the connections will come through the newly planned self IP, let's say 10.25.129.109. Else the connections will be through SNAT 10.25.129.99 (which is the floating IP).

       

3. If the data group EDI_ip_datagroup source segment is matched, they are allowed to access the PROD environment (which is the 10.25.130.x subnet), and the connections will come through the newly planned self IP, let's say 10.25.129.109. Else the connections will be through SNAT 10.25.130.99 (which is the floating IP).

       

Kindly guide how my iRule will look.

     

Quick query: let's say in all the data groups we have a common source, 64.x.x.x. So is there any specific condition to put in to route through different SNATs to different environments (PROD, PREP and EDI)?

     

    Thanks and Regards
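The following is an added example, not code from this thread, from Kevin or from F5, that covers both the original private-range question and the three-environment follow-up above. It assumes one iRule attached to three virtual servers with hypothetical names vs_prod, vs_prep and vs_edi, and address-type data groups PROD_ip_datagroup, PREP_ip_datagroup and EDI_ip_datagroup (the tmsh command in the comments shows one assumed way to create them; 64.0.0.0/8 stands in for the unspecified "64.x.x.x" source, and the EDI "new" address is taken as 10.25.130.109 following the pattern of the other two). Because the environment is chosen from the virtual server the connection arrived on, a source that appears in every data group is still translated to the SNAT address of the environment it actually connected to, which answers the "common source" query.

```tcl
# Added example (not from the thread or from F5). One iRule for the PROD, PREP
# and EDI virtual servers: the environment is taken from [virtual name], then
# the client source is checked against that environment's data group.
#
# Assumed objects (hypothetical names; adjust to the real configuration):
#   - virtual servers vs_prod, vs_prep, vs_edi
#   - address-type data groups, e.g. created with
#       tmsh create ltm data-group internal PROD_ip_datagroup type ip \
#           records add { 10.25.128.0/24 { } 64.0.0.0/8 { } }
#     (an address-type data group matches a client address against its host
#      and subnet entries, so /24 and /8 records both work with "equals";
#      the RFC 1918 version from earlier in the thread would hold
#      10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)
#   - every address given to "snat" is one the BIG-IP owns (a self IP or a
#     SNAT translation address), otherwise server replies never return;
#     in an HA pair it should be a floating address, since a non-floating
#     self IP such as 10.25.128.98 stops receiving replies after failover.

when CLIENT_ACCEPTED {
    # Select the data group and the two candidate SNAT addresses for the
    # environment this virtual server belongs to. Keep comments inside the
    # case bodies: Tcl treats a comment between pattern/body pairs as a pattern.
    switch -glob -- [virtual name] {
        "*vs_prod*" {
            set dg         "PROD_ip_datagroup"
            set snat_match "10.25.128.109"
            set snat_other "10.25.128.99"
        }
        "*vs_prep*" {
            set dg         "PREP_ip_datagroup"
            set snat_match "10.25.129.109"
            set snat_other "10.25.129.99"
        }
        "*vs_edi*" {
            set dg         "EDI_ip_datagroup"
            set snat_match "10.25.130.109"
            set snat_other "10.25.130.99"
        }
        default {
            # Unknown virtual server: leave its own SNAT setting untouched.
            log local0. "snat-select: no mapping for [virtual name], using VS default"
            return
        }
    }

    # Source in the environment's data group -> "new" self IP; else -> floating IP.
    if { [class match [IP::client_addr] equals $dg] } {
        snat $snat_match
        set chosen $snat_match
    } else {
        snat $snat_other
        set chosen $snat_other
    }

    # Temporary logging to verify the mapping during rollout; remove once confirmed.
    log local0. "snat-select: [IP::client_addr] -> [IP::local_addr] via [virtual name] snat $chosen"
}
```

The data group lookup uses a variable for the group name so the three environments share one iRule; if the three virtual servers each get their own iRule instead, the switch can be dropped and the group and addresses written in directly, as in Kevin's original snippet. Whichever form is used, check the chosen address against the self IP and SNAT translation lists on both units of the pair before relying on it.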