For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Parveez_70209's avatar
Parveez_70209
Icon for Nimbostratus rankNimbostratus
Oct 01, 2013

How to Divert traffic based on Self-IP's not on basis on SNAT

Lets say we have a Virtual-server having a pool with some set of Servers.   And currently to reach that Virtual-server's pool's subnet we have two Self-IP's created. Let's say whoever try to rea...
Parveez_70209's avatar
Parveez_70209
Icon for Nimbostratus rankNimbostratus
May 07, 2014

Hi Kevin,

 

After a long gap, again coming back to the same topic(Dividing or routing traffic through SNAT or Self-IP) where I got the concept:

 

when CLIENT_ACCEPTED { if { [class match [IP::client_addr] equals my_ip_datagroup] } { snat 1.1.1.1 } else { snat 2.2.2.2 } }

 

Now I wanted to relate this to three environments:

 

  1. PROD: which got the enviroment's subnet as 10.25.128.0/24 where Self IP's are ( Floating IP: 10.25.128.99, In primary:10.25.128.98 and in secondary LTM:10.25.128.97)
  2. PREP: which got the environment's subnet as 10.25.129.0/24 where Self IP's are ( Floating IP: 10.25.129.99, In primary:10.25.129.98 and in secondary LTM:10.25.129.97)
  3. EDI : which got the environment's subnet as 10.25.130.0/24 where Self IP's are ( Floating IP: 10.25.130.99, In primary:10.25.130.98 and in secondary LTM:10.25.130.97)

1.Now Idea is to create a Data-group named PROD_ip_datagroup which will contains a source segment of 10.25.128.x and 64.x.x.x), which can only access the PROD enviroments. 2.Similarly Idea is to create a Data-group named PREP_ip_datagroup which will contains a source segment of 10.25.129.x and 64.x.x.x), which can only access the PREP enviroments. 3.Similarly Idea is to create a Data-group named EDI_ip_datagroup which will contains a source segment of 10.25.129.x and 64.x.x.x), which can only access the PREP enviroments.

 

Once the above created, idea is to have below:

 

  1. If the Data-Group:PROD_ip_datagroup source segment matched, they are allowed to access the PROD environment( which is 10.25.128.x subnet), and the connections will come through the new planned SELF-IP, lets say 10.25.128.109. Else the connections will be through SNAT:10.25.128.99( WHICH is the floating IP).

     

  2. If the Data-Group:PREP_ip_datagroup source segment matched, they are allowed to access the PROD environment( which is 10.25.129.x subnet), and the connections will come through the new planned SELF-IP, lets say 10.25.129.109. Else the connections will be through SNAT:10.25.129.99( WHICH is the floating IP).

     

  3. If the Data-Group:EDI_ip_datagroup source segment matched, they are allowed to access the PROD environment( which is 10.25.130.x subnet), and the connections will come through the new planned SELF-IP, lets say 10.25.129.109. Else the connections will be through SNAT:10.25.130.99( WHICH is the floating IP).

     

Kindly guide how my Irule will look like.

 

Quick query: Let's say in all the Data-groups, lets say we have a common source:64.x.x.x, so is there any specific condition to put to route through different SNAT's to different environments( PROD, PREP and EDI).

 

Thanks and Regards