NAT/SNAT + routing order of operations

Question

Hi folks,&nbsp;
&nbsp;Very new to F5, and trying to get a handle on some of the order of operations for traffic flow types. Specifically, I'm curious to see how layer 3 routing is handled by BigIP devices when NAT, SNAT or virtual servers are in play. That is, as the traffic flows through the F5, does layer 3 routing take place prior to or following the application of a NAT, SNAT or virtual server translation? Is it dependent on the direction (e.g. with Cisco NAT, outside-to-inside order of operations has NAT occur first, followed by routing, while inside-to-outside has routing occur first, then NAT)? If this is covered in better detail in one of the F5 docs, I'd be happy to read up, but haven't been able to find such a reference yet. Thanks for your assistance.&nbsp;
&nbsp;Regards,
&nbsp;Randy Williams

the_bhattman · Answer

NAT, SNAT and standard routing are all happening at Layer 3.   I think it's reasonable to postulate that standard routing is looked at first then SNAT then NAT.  The reason why SNAT over NAT is because F5 seems to be place more emphasis on it.&nbsp;
&nbsp;Alas the experts can tell you for sure.

deb_allen_18 · Answer

Hi Randy -&nbsp;
&nbsp;Thanks for posting, great question.&nbsp;
&nbsp;For LTM, inbound &amp; outbound flows aren't managed separately and routing will take place after NAT/SNAT/dest translation is performed in all cases.&nbsp;
&nbsp;Traffic flows from the client to LTM VS address or SNAT with a matching origin address, then source and destination address changes are applied, then the routing table is used to determine the egress vlan.&nbsp;
&nbsp;It's worth noting that the Last Hop feature is enabled by default, which keeps track of the L2 source of a request and returns responses to the same L2 hop in precedence of the routing table logic.&nbsp;
&nbsp;HTH
&nbsp;/deb

randyw_75267 · Answer

Excellent, that helps substantially. Thanks very much for the info.

mfread_111345 · Answer

"For LTM, inbound &amp; outbound flows aren't managed separately and routing will take place after NAT/SNAT/dest translation is performed in all cases. 
&nbsp;  
&nbsp; Traffic flows from the client to LTM VS address or SNAT with a matching origin address, then source and destination address changes are applied, then the routing table is used to determine the egress vlan. 
&nbsp;  
&nbsp; It's worth noting that the Last Hop feature is enabled by default, which keeps track of the L2 source of a request and returns responses to the same L2 hop in precedence of the routing table logic." 
&nbsp;  
&nbsp; Any insight into where this is documented? &nbsp;

marlon_frank_24 · Answer

Order LTM processes traffic: &nbsp;
1) Connection table&nbsp;
2) Packet rule&nbsp;
3) Virtual Server&nbsp;
4) SNAT&nbsp;
5) NAT&nbsp;
6) Self-IP&nbsp;
7) Drop&nbsp;

Forum Discussion

NAT/SNAT + routing order of operations

Recent Discussions

Reporting Help Needed

Switch ssl profile based on weak cipher detection via IRULE

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

full-proxy HTTP2

Related Content

Conditional XOR operations

Route domain SNAT and NAT implementation

BIG-IP Next: iRules pool routing

2. SYN Cookie: Operation

Security Operations Center - Helpers Behind the Scenes

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS