Policy SNAT Routing

Question

Hi, I have a possible "unique" scenario where I have 3 VIPs (10.10.10.100/24; 10.10.10.150/24; 10.10.10.200/24) in the same broadcast domain/network.  Clients always initiate and based on the service they're using they'll target either of the following virtual servers: 
&nbsp;  
&nbsp; VIP 100 requests are forwarded to ServerA 
&nbsp; VIP 150 requests are forwarded to ServerB 
&nbsp; VIP 200 requests are forwarded to ServerC 
&nbsp;  
&nbsp; All 3 servers default route to the LTM.  Fine!  So far no problem. 
&nbsp;  
&nbsp; Now here's the challange... ServerD needs to be the backup to all 3 virtual servers so in the event ServerA fails and the LTM redirects traffic for VIP 10.10.10.100 to ServerD how can I tell ServerD to use the SNAT of ServerA (10.10.10.100)?  The same applies VIPs 150 and 200. 
&nbsp;  
&nbsp; Can this be accomplished using iRules? If so, how complex is it and is this a common configuration.  
&nbsp;  
&nbsp; Unfortunately I don't know anything about scripting; just a simple network geek. 
&nbsp;  
&nbsp;

james_quinby_46 · Answer

I'm wondering if you need an iRule for this at all - using priority group activation as a LB method might be the ticket for you. You would add ServerD to all 3 pools and only have it come into service if A, B or C failed. Take a look at: 
&nbsp;  
&nbsp; https://support.f5.com/kb/en-us/solutions/public/7000/000/sol7065.html 
&nbsp;  
&nbsp; and 
&nbsp;  
&nbsp; https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_3config/BIG_IP_LTM_9_3_Config_Guide-05-1.htmlwp1216212 
&nbsp;  
&nbsp; ...for more info.

mil-lite_61941 · Answer

Hi and thanks for the post.  How can I associate ServerD with more than one SNAT entry (10.10.10.100, 10.10.10.150 &amp; 10.10.10.200) for egress traffic?  I am using priority group activation as noted in the links posted above however when trying to associate ServerD to multiple SNAT lists, the LTM spits out the following message: 
&nbsp;  
&nbsp; "Snat origin and mask 10.50.50.52 and 255.255.255.255 already enabled on same VLAN by Snat VIP100. " 
&nbsp;  
&nbsp; Basically ServerD can only be assigned to a single SNAT list.  Can anything be done using iRules to accommodate my situation?   
&nbsp;  
&nbsp; I am using version 9.30.

eyeball_35403 · Answer

how did you config your server's default gateway? 
&nbsp; is that gateway pointing to the self IP of bigip? 
&nbsp; is that the case, why would you need SNAT? 
&nbsp;  
&nbsp;  &nbsp;

Forum Discussion

Policy SNAT Routing

Recent Discussions

ppp TunnelStats: LCP_UNKNOWN_OPTIONS 1,LCP_PROTO_REJ 1,FSM_UNEXPECTED_DOWN 1,

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

F5 looses the token for the first call

feature request: container egress service

Related Content

Converting TCL-Based iRules to Distributed Cloud Service Policies and L7 Routes

Introduction to F5 Distributed Cloud Platform Per Route WAF Policy

Policy Routing in Multi-Arm Deployment

LTM policy to route traffic to different pools

Minimizing Security Complexity: Managing Distributed WAF Policies

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS