iRule and BGP
Hi,
I have a customer case, where I need to apply a specific SNAT depending on the routing decision.
The Routing contains the following paths:
ISP 1 (default GW)
ISP 2 (default GW)
BGP Cloud Link
All the routes are directly attached to the F5 LTM. The F5 LTM runs the BGP 'termination' to the Cloud.
So I would like to execute an iRule which monitors the egress VLAN and depending on this I would like to assign a specific SNAT Address.
Is this possible?
Thanks,
Rolf
Hi Rolf,
Take a look at the NAT policies you can configure within AFM. These policies are very comprehensive, and if I’m not mistaken you can alter the source address based on the egress interface through which the packet is leaving the BIG-IP.
Kind regards,
Niels
- Simon_Blakely
Employee
You can do this if your outgoing routes are set up using a gateway pool with priority groups, so that an iRule like the following can be used:

```tcl
when CLIENT_ACCEPTED {
    # Use the SNAT pool member that belongs to the first gateway reported "up".
    # LB::status takes the form: pool <name> member <address> <port>
    if { [LB::status pool default_gateway_pool member <ISP1 ip> 0] eq "up" } {
        snatpool smtp_outbound member <ISP1 outbound ip>
    } elseif { [LB::status pool default_gateway_pool member <ISP2 ip> 0] eq "up" } {
        snatpool smtp_outbound member <ISP2 outbound ip>
    } elseif { [LB::status pool default_gateway_pool member <BGP Cloud Link ip> 0] eq "up" } {
        snatpool smtp_outbound member <BGP Cloud Link outbound ip>
    }
}
```
- rolf
Cirrus
Thanks for your feedback.
The customer setup requires that, in case a BGP route exists, the BGP link is always chosen. So I first have to check whether the routing points to the BGP gateway.
Do you know if this can be done using an iRule?
- Simon_Blakely
Employee
You can't query the routing table directly from an iRule.
You could do this by specifying nodes and a transparent monitor.
Create a node for each of your gateways.
For each node, create a transparent ICMP monitor that checks an IP address past the gateway.
K8971: Creating transparent ICMP health monitors
In your iRule, use LB::status to determine which of the nodes (gateways) is available, and set the outgoing SNAT as appropriate based on the route priority.
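The node-based approach described above, written out as an added example that is not part of the original posts: gateways are checked in route-priority order (BGP link first, as the customer requires) and the matching SNAT pool member is applied. The gateway and SNAT addresses are constructed placeholders from documentation ranges, and `smtp_outbound` is reused from the earlier iRule. The result follows gateway monitor state, not the route the kernel actually selected for the connection.

```tcl
when RULE_INIT {
    # Constructed sample data (assumption): pairs of <gateway node> <SNAT address>,
    # listed in route-priority order. First pair is the BGP cloud link,
    # then ISP 1, then ISP 2. Each SNAT address must be a member of smtp_outbound.
    set static::gw_snat_map {
        192.0.2.1     192.0.2.10
        198.51.100.1  198.51.100.10
        203.0.113.1   203.0.113.10
    }
}

when CLIENT_ACCEPTED {
    # Walk the gateways in priority order and stop at the first one whose
    # node (with its transparent ICMP monitor) is reported up.
    foreach {gw snat_addr} $static::gw_snat_map {
        if { [LB::status node $gw] eq "up" } {
            snatpool smtp_outbound member $snat_addr
            return
        }
    }
    # No gateway node is up: leave SNAT untouched and record the condition
    # so the egress source address can be explained later.
    log local0.warning "No gateway node up for [IP::client_addr]; SNAT not changed"
}
```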
- rolf
Cirrus
Hi,
OK, thanks for that. That sounds like an interesting approach, but I still do not know which route a specific connection has chosen. So I do not know which SNAT pool to assign using the iRule...
Best Regards
Rolf
- rolf
Cirrus
Hi Niels,
I just checked the policies. I think you are right, it's possible to configure SNAT based on the egress interface.
Great, thanks for that!!
Best Regards,
Rolf