Forum Discussion
Scott_Hopkins
Nimbostratus
Jul 06, 2008
Question on LTM Wild Card Virtual Servers
If a host (with a BigIP as its default gateway) establishes a new connection to the BigIP, in what order will it apply Virtual Server, SNAT, Wild-Card Virtual Server configurations?
Our situa...
hoolio
Cirrostratus
Jul 07, 2008
The precedence for matching would be the most specific VIP, then the wildcard VIP, then the SNAT. The SNAT will take effect if there isn't a SNAT setting enabled on the VIP and/or pool. If you use a rule to specify a SNAT it will override both the SNAT options on the VIP and/or pool as well as a default SNAT.
To simplify the troubleshooting process if the above rule and classes don't work, you could add logging:
when CLIENT_ACCEPTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: new connection to [IP::local_addr]:[TCP::local_port]"
    if { [matchclass [IP::remote_addr] equals $::routed_network_list ] } {
        # SNAT traffic to the routable networks
        log local0. "[IP::client_addr]:[TCP::client_port]: matched \$::routed_network_list"
        snat 64.x.x.52
    } elseif { [matchclass [IP::remote_addr] equals $::local_srvr_list ] } {
        # SNAT traffic to the other internal machines
        log local0. "[IP::client_addr]:[TCP::client_port]: matched \$::local_srvr_list"
        snat 10.10.8.3
    } else {
        # drop to the default router for this VLAN.
        log local0. "[IP::client_addr]:[TCP::client_port]: default"
        node 10.10.8.1
    }
}
when SERVER_CONNECTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: connected to [IP::remote_addr]:[TCP::remote_port]"
}
Aaron
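
The matching order described in the reply above, as a simplified model added here for illustration (not part of the original post and not F5 code). The `Virtual` class, the ranking key (longer destination prefix first, then exact port over any port) and all addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Virtual:
    name: str
    dest: str                        # CIDR; "0.0.0.0/0" is a wildcard destination
    port: int                        # 0 means any port
    snat: Optional[str] = None       # SNAT set on the virtual server or pool
    rule_snat: Optional[str] = None  # address an attached iRule passes to `snat`

def pick_listener(virtuals, dst_ip, dst_port):
    """Most specific virtual server matching the destination, else None."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_key = None, None
    for v in virtuals:
        net = ipaddress.ip_network(v.dest)
        if ip not in net or v.port not in (0, dst_port):
            continue
        # Assumed ranking: longer prefix wins, then exact port over any port.
        key = (net.prefixlen, v.port != 0)
        if best_key is None or key > best_key:
            best, best_key = v, key
    return best

def source_translation(virtuals, default_snat, dst_ip, dst_port):
    """Return (listener name, SNAT address) for a new connection."""
    v = pick_listener(virtuals, dst_ip, dst_port)
    if v is None:
        return ("default-snat", default_snat)   # no virtual server matched
    # iRule snat overrides the VIP/pool setting, which overrides the default SNAT.
    return (v.name, v.rule_snat or v.snat or default_snat)

# Constructed sample configuration (documentation address ranges).
VIRTUALS = [
    Virtual("vs_web", "192.0.2.10/32", 80, snat="192.0.2.200"),
    Virtual("vs_wildcard", "0.0.0.0/0", 0, rule_snat="198.51.100.52"),
    Virtual("vs_plain", "192.0.2.20/32", 0),
]
DEFAULT_SNAT = "203.0.113.9"

if __name__ == "__main__":
    for dst in [("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.20", 22)]:
        print(dst, "->", source_translation(VIRTUALS, DEFAULT_SNAT, *dst))
```

Comparing the listener and SNAT address this model predicts with the `log local0.` lines from the iRule shows quickly whether a connection landed on the wildcard virtual server or on a more specific one.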