Forum Discussion
randyw_75267
Nimbostratus
Mar 21, 2008
NAT/SNAT + routing order of operations
Hi folks,
Very new to F5, and trying to get a handle on some of the order of operations for traffic flow types. Specifically, I'm curious to see how layer 3 routing is handled by BigIP devices when NAT, SNAT or virtual servers are in play. That is, as the traffic flows through the F5, does layer 3 routing take place prior to or following the application of a NAT, SNAT or virtual server translation? Is it dependent on the direction (e.g. with Cisco NAT, outside-to-inside order of operations has NAT occur first, followed by routing, while inside-to-outside has routing occur first, then NAT)? If this is covered in better detail in one of the F5 docs, I'd be happy to read up, but haven't been able to find such a reference yet. Thanks for your assistance.
Regards,
Randy Williams
5 Replies
- The_Bhattman
Nimbostratus
NAT, SNAT and standard routing are all happening at Layer 3. I think it's reasonable to postulate that standard routing is looked at first then SNAT then NAT. The reason why SNAT over NAT is because F5 seems to place more emphasis on it.
Alas the experts can tell you for sure.
- Deb_Allen_18
Historic F5 Account
Hi Randy -
Thanks for posting, great question.
For LTM, inbound & outbound flows aren't managed separately and routing will take place after NAT/SNAT/dest translation is performed in all cases.
Traffic flows from the client to LTM VS address or SNAT with a matching origin address, then source and destination address changes are applied, then the routing table is used to determine the egress vlan.
It's worth noting that the Last Hop feature is enabled by default, which keeps track of the L2 source of a request and returns responses to the same L2 hop in precedence of the routing table logic.
HTH
/deb
- randyw_75267
Nimbostratus
Excellent, that helps substantially. Thanks very much for the info.
- mfread_111345
Nimbostratus
"For LTM, inbound & outbound flows aren't managed separately and routing will take place after NAT/SNAT/dest translation is performed in all cases.
Traffic flows from the client to LTM VS address or SNAT with a matching origin address, then source and destination address changes are applied, then the routing table is used to determine the egress vlan.
It's worth noting that the Last Hop feature is enabled by default, which keeps track of the L2 source of a request and returns responses to the same L2 hop in precedence of the routing table logic."
Any insight into where this is documented?
- marlon_frank_24
Historic F5 Account
Order LTM processes traffic:
1) Connection table
2) Packet rule
3) Virtual Server
4) SNAT
5) NAT
6) Self-IP
7) Drop
