Forum Discussion

hc_andy_35682's avatar
hc_andy_35682
Icon for Nimbostratus rankNimbostratus
Feb 09, 2010

iRule to mimic Cisco ACL for Forwarding VIP

Hi All,

 

 

Can somebody please help me write an iRule that will permit/deny the outside world from accessing the real servers behind the F5???

 

 

For example I have an inside_vlan_502 (forwarding VIP) configured that forwards all ip traffic for 210.15.210.0/24 from the outside_vlan. Is there something similar to Cisco's ACL that I can incorporate into an iRule to permit/deny certain IP's or TCP connections to the real servers.

 

 

Say for example I want the following:

 

 

1/ Allow 172.16.9.0/24 to access any real servers in 210.15.210.0/24

 

2/ Allow a single host 172.16.10.1 to access any real servers on port 80 only

 

3/ Deny everything else

 

 

In Cisco ACL, I would write it like so...

 

 

permit ip 172.16.9.0 0.0.0.255 210.15.210.0 0.0.0.255

 

permit tcp host 172.16.10.1 210.15.210.0 0.0.0.255 eq 80

 

deny ip any any

 

 

How might this be done with an iRule for a forwarding VIP?

 

 

Thanks.

 

 

Andy
application delivery
dev
devops
iRules

14 Replies

Show More
  • hc_andy_35682's avatar
    hc_andy_35682
    Icon for Nimbostratus rankNimbostratus
    Feb 14, 2010
    Sorry Aaron, not sure if you're still about...

     

     

    But with the code below, how would I include an additional data group to be allowed?? Say for example I wanted to forward traffic for both trustedAddresses and a new data group called newAddresses.

     

     

    if { [matchclass [IP::client_addr] equals trustedAddresses] }{

     

     

    I'm not a programmer by any stretch of the imagination and I've tried various things but can't make it work. I either get compile errors or when there's no compile error, the IP's listed in the newAddresses data group are not being forwarded.

     

     

    Thanks.

     

     

    Andy
  • hc_andy_35682's avatar
    hc_andy_35682
    Icon for Nimbostratus rankNimbostratus
    Feb 14, 2010
    This seems to work, but is it the most efficient way to write it...

     

     

    if { [matchclass [IP::client_addr] equals trustedAddresses] or [matchclass [IP::client_addr] equals testAddresses] }{
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Feb 15, 2010
    If you want to maintain two datagroups with allowed client IP addresses/networks, then that line you've posted is fine. Another option is to combine the two datagroups into one and remove the 'or [matchclass ...'.

     

     

    Aaron