Forum Discussion
hooleylist
Nov 05, 2007 | Cirrostratus
Hi,
You could use packet filters to restrict access.
Else, if you want to use an iRule, you can use the IP::addr command to compare the client IP address with a specific IP or IP range, or matchclass to compare the client IP address with a set of IPs or ranges.
There are a few related codeshare examples:
Access Control Based On IP
Access Control Based On Network or Host
If you do want to use an iRule instead of packet filters, and you're working with a single IP virtual server, it would probably be easiest to use the matchclass command:
    # Datagroup which defines allowed client IP addresses/networks
    class allowed_clients_datagroup {
       network 10.30.0.0/16
       host 10.40.1.1
    }

    # This event is triggered when a client - BIG-IP TCP connection is established
    when CLIENT_ACCEPTED {
       if { [matchclass [IP::client_addr] equals $::allowed_clients_datagroup] } {
          # Uncomment the line below to turn on logging.
          #log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
          # Do nothing... request will be sent to the pool
       } else {
          # Uncomment the line below to turn on logging.
          #log local0. "Invalid client IP: [IP::client_addr] - discarding"
          discard
       }
    }
Reply if you have any questions.
Aaron
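
An offline check of which client addresses the data group above would admit, as an added example that is not part of the original post and not F5 code: it parses the class syntax shown in the post and mirrors the iRule's forward/discard branch. The function names, the sample addresses and the rejection of network entries with host bits set are assumptions of this example, and it does not claim to reproduce every detail of how matchclass evaluates addresses.

```python
import ipaddress

# Constructed sample: the data group from the post, in the same class syntax.
DATAGROUP = """
class allowed_clients_datagroup {
   network 10.30.0.0/16
   host 10.40.1.1
}
"""

def parse_datagroup(text):
    """Parse one 'class NAME { ... }' block into (name, list of networks)."""
    head, brace, rest = text.partition("{")
    body, close, _ = rest.partition("}")
    words = head.split()
    if not brace or not close or len(words) != 2 or words[0] != "class":
        raise ValueError("no class block found")
    nets = []
    for raw in body.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if len(parts) != 2 or parts[0] not in ("network", "host"):
            raise ValueError(f"unrecognised entry: {raw.strip()!r}")
        # Assumption of this example: strict parsing treats a network entry
        # with host bits set (e.g. 10.30.1.0/16) as a likely typo and fails.
        net = ipaddress.ip_network(parts[1], strict=True)
        if parts[0] == "host" and net.num_addresses != 1:
            raise ValueError(f"host entry carries a mask: {raw.strip()!r}")
        nets.append(net)
    return words[1], nets

def decide(client_ip, nets):
    """Mirror the iRule's branch: forward on a match, otherwise discard."""
    addr = ipaddress.ip_address(client_ip)
    return "forward" if any(addr in net for net in nets) else "discard"

def audit(text, samples):
    """Map each sample client address to the action the allowlist yields."""
    _, nets = parse_datagroup(text)
    return {ip: decide(ip, nets) for ip in samples}

if __name__ == "__main__":
    # Constructed test addresses: inside, just outside, exact host, neighbour.
    samples = ["10.30.200.7", "10.31.0.1", "10.40.1.1", "10.40.1.2"]
    for ip, action in audit(DATAGROUP, samples).items():
        print(f"{ip:<12} {action}")
```

Running it against boundary addresses before editing a data group shows whether a change widens the allowlist more than intended.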