
Matt_Saunders_8
Oct 14, 2011

How to selectively SNAT on an egress vlan

Hi There,

I am running a pair of F5 LTM v10.2.1 and I cannot seem to find a way in which to perform a SNAT on a src network range going to a single specific destination vlan.


The setup I have is as follows:


src network - ""---->"" - interface 1.1


Dest vlan1 - ""---->"" - interface 1.4


Dest vlan2 - ""----->"" - interface 1.4


Dest vlan3 - ""----->"" - interface 1.4


Interface 1.4 is trunked down to a Cisco switch and the destination vlans all point back to each vlan's local gateway on the LTM.


The flow between src and destination uses a "forwarding VIP" since the LTM is simply routing between interfaces in this scenario.


What I am trying to achieve is to perform a source NAT when traffic is being sent from the ""----->"" vlan1 network. I do not want to SNAT if traffic is destined to the other two vlans.

I am happy to use the self IP of the egress vlan when performing the SNAT or a specific SNAT IP.


So in summary the flows would look like this:


Client (C) Server (S) LTM (LB)

1. SNAT required from src to vlan1

   (c) -----> (s) (LB) ----> (s)

2. No SNAT required from src to vlan2

   (c) -----> (s)

I appreciate that a FW is able to perform this task based on identifying the src and dst network, though I have looked at some iRules and I cannot seem to find a way in which to accomplish this.

I had hoped to see something like [IP::dst_address] available in iRules, with which I could create a class to match the source network and to SNAT only on the [IP::dst_address] (vlan2), else forward everything else, though I cannot find anything in the reference guide.

Finally, when trying to do this via the LTM GUI it only works if I perform the SNAT on the vlan on which the source traffic is arriving. This ends up source NATting all incoming traffic to all dest vlans and not the specific one I require.
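The selective SNAT described in the question above, as an added example that is not part of the original post: an iRule for the forwarding virtual server that translates only when the source is in an address data group and the destination falls inside vlan1's subnet. The data group name `snat_src_nets` and the subnet 192.168.1.0/24 are constructed placeholders, since the thread does not show the real networks.

```tcl
# Added example, not code from the thread. Assumptions (all constructed):
#   - "snat_src_nets" is an address-type data group holding the source
#     network(s) that should be translated
#   - 192.168.1.0/24 stands in for the vlan1 subnet
#   - the rule is attached to the forwarding virtual server that receives
#     the traffic arriving on interface 1.1
when CLIENT_ACCEPTED {
    # On the client side of a forwarding virtual server, IP::local_addr is
    # the destination address the client sent the packet to.
    set dst [IP::local_addr]

    if { [class match [IP::client_addr] equals snat_src_nets] &&
         [IP::addr $dst equals 192.168.1.0/24] } {
        # Listed source going to vlan1: translate the source address.
        # "snat automap" uses a self IP of the egress vlan; replace it with
        # "snat <address>" to use a dedicated SNAT address instead.
        snat automap
    } else {
        # Any other destination (vlan2, vlan3) or any unlisted source:
        # forward with the client address unchanged.
        snat none
    }
}
```

Servers in vlan1 will see the translated address instead of the client's, so any source-based logging or access control on that side needs to account for it.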

1 Reply

  • Not sure if I understood correctly. Can you try this one?

       if {[IP::addr [IP::remote_addr]/16 equals] and [IP::addr [IP::local_addr]/24 equals]} {
          snat automap