For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

stuart_weinstei's avatar
stuart_weinstei
Icon for Nimbostratus rankNimbostratus
Jan 10, 2012

resources on same VLAN

As I am new to F5 LTM, have ACE and CSS experience, I am in need of some guidance on the best way to handle the flow of traffic as follows

 

 

Nodes in the pool are in VLAN X, web services, that need to access DB server in the same VLAN X.

 

 

 

As I understand it, assuming I am, I could do a snat using the IP of the VIP or an Irule if i have it right)

 

 

 

when CLIENT_ACCEPTED {

 

if { [IP::addr [IP::client_addr] equals x.x.x.x/bit mask }{

 

snat automap

 

}

 

}

 

 

 

 

Is the above correct? is there a better way?

 

 

 

Thanks in advance

 

config
design

2 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 10, 2012
    Hi Stuart,

     

     

    If all clients are on the same subnet as the servers being load balanced, you could just enable SNAT on the virtual server (either automap or an explicit pool) without using an iRule. Else, you could use that iRule if you only want to apply SNAT for a specific subnet(s). Here's an option for using SNAT only when the client and server are on the same subnet:

     

     

    http://devcentral.f5.com/wiki/iRules.SelectiveSNAT.ashx

     

     

    Aaron
  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Jan 11, 2012
    Aaron's right, you don't need an iRule for this and would likely be better served without one. But just in case you try your iRule, you're missing a bracket πŸ˜‰ 

    
when CLIENT_ACCEPTED { 
  if { [IP::addr [IP::client_addr] equals x.x.x.x/bit mask] }{ 
    snat automap
  }   
}

    Colin (The pedantic coder)