For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mil-Lite_61941's avatar
Mil-Lite_61941
Icon for Nimbostratus rankNimbostratus
Dec 12, 2008

Policy SNAT Routing

Hi, I have a possible "unique" scenario where I have 3 VIPs (10.10.10.100/24; 10.10.10.150/24; 10.10.10.200/24) in the same broadcast domain/network. Clients always initiate and based on the service they're using they'll target either of the following virtual servers:

 

 

VIP 100 requests are forwarded to ServerA

 

VIP 150 requests are forwarded to ServerB

 

VIP 200 requests are forwarded to ServerC

 

 

All 3 servers default route to the LTM. Fine! So far no problem.

 

 

Now here's the challange... ServerD needs to be the backup to all 3 virtual servers so in the event ServerA fails and the LTM redirects traffic for VIP 10.10.10.100 to ServerD how can I tell ServerD to use the SNAT of ServerA (10.10.10.100)? The same applies VIPs 150 and 200.

 

 

Can this be accomplished using iRules? If so, how complex is it and is this a common configuration.

 

 

Unfortunately I don't know anything about scripting; just a simple network geek.

 

 

application delivery
dev
devops
iRules

3 Replies

  • James_Quinby_46's avatar
    James_Quinby_46
    Historic F5 Account
    Dec 12, 2008
    I'm wondering if you need an iRule for this at all - using priority group activation as a LB method might be the ticket for you. You would add ServerD to all 3 pools and only have it come into service if A, B or C failed. Take a look at:

     

     

    https://support.f5.com/kb/en-us/solutions/public/7000/000/sol7065.html

     

     

    and

     

     

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_3config/BIG_IP_LTM_9_3_Config_Guide-05-1.htmlwp1216212

     

     

    ...for more info.
  • Mil-Lite_61941's avatar
    Mil-Lite_61941
    Icon for Nimbostratus rankNimbostratus
    Dec 12, 2008
    Hi and thanks for the post. How can I associate ServerD with more than one SNAT entry (10.10.10.100, 10.10.10.150 & 10.10.10.200) for egress traffic? I am using priority group activation as noted in the links posted above however when trying to associate ServerD to multiple SNAT lists, the LTM spits out the following message:

     

     

    "Snat origin and mask 10.50.50.52 and 255.255.255.255 already enabled on same VLAN by Snat VIP100. "

     

     

    Basically ServerD can only be assigned to a single SNAT list. Can anything be done using iRules to accommodate my situation?

     

     

    I am using version 9.30.
  • eyeball_35403's avatar
    eyeball_35403
    Icon for Nimbostratus rankNimbostratus
    Dec 12, 2008
    how did you config your server's default gateway?

     

    is that gateway pointing to the self IP of bigip?

     

    is that the case, why would you need SNAT?