For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jason_Keating's avatar
Jason_Keating
Icon for Altostratus rankAltostratus
Mar 04, 2008

IP Forwarding or Multiple VLANs

Hi,

 

 

I have some virtual servers on my external VLAN and a search engine on my internal VLAN, I'm using the search engine to index content on the virtual servers.

 

 

I see two ways of doing this...

 

 

1. IP Forwarding virtual server on all VLANS for addresses/network of the virtual servers on my external VLAN and SNAT

 

 

2. Bind the virtual servers I wish to index on the external AND internal VLAN, use SNAT.

 

 

Which of these is preferable? I'm thinking IP forwarding might be a more old school solution, but binding the virtual servers to the internal VLAN would certainly be easier and take advantage of the LTM flexibility, ( I am leaning toward the latter)

 

 

Can anyone advise? particularly if one is less secure than the other?

 

 

Cheers

 

J
config
design

3 Replies

  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Mar 05, 2008
    It sounds like you want something called VIP bounceback.

     

     

    I can only think of 3 ways to do this.

     

     

    Way 1: Autosnat all requests from the VIP.

     

     

    Way 2 : Use an IRULE and datagroups

     

     

    
when CLIENT_ACCEPTED {
if { [matchclass [IP::remote_addr] equals $::dg_internal]} {
  snat automap
 }
}

     

     

    What 3 use irule and switch command.

     

     

    
when CLIENT_ACCEPTED {
  switch [IP::remote_addr] {
    "IP ADDRESS/MASK" { snat automap }
    "2nd IP ADDRESS/MASK" { snat automap }
  }
}

     

     

    Way 1 will work but it snats EVERYTHING coming into the Virtual server

     

    Way 2 will work and selectively snats based on the Clients IP address. The irule is reusable

     

    Way 3 might be more efficient because it doesn't use a datagroup object, but the code cannot be reused because the "IP Address/MASK" is specifically in the IRULE statements

     

     

    My personal preference is WAY 2, but you can use any of these.

     

     

    I hope this helps.

     

     

    CB

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 05, 2008
    j.thomson posted an elegant solution for applying a SNAT only when the client and destination host are on the same subnet:

    Selective SNAT (Click here)

    
when LB_SELECTED {  
   if {[IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"]} {  
      snat automap 
   }
}

    Aaron
  • Jason_Keating's avatar
    Jason_Keating
    Icon for Altostratus rankAltostratus
    Mar 05, 2008
    Brilliant stuff! Thanks CB, thanks Aaron.

     

     

    Much appreciated!

     

     

    Regards

     

    J