Forum Discussion
DanS
Nimbostratus
NimbostratusRestrict Traffic To VIP By Subnet
I would like to restrict a subnet (192.168.1.0/24) from accessing VIP: 10.10.10.10. Is this possible with a irule? I can only find ways on how to restrict traffic from a single IP and not a subnet. Any help would be appreciated.
Thanks
Dan
Just go with a datagroup with Irule method. So that you can add more IP's in the blacklist group on the file. You need not keep editing your irule.
Create a datagroup called blacklist subnet, make sure its type IP.
type: ip
ltm data-group internal blacklist_subnet { records { 20.20.20.0/32 { } 30.30.30.30/25 { } } type ip }Then create your irule like below,
when CLIENT_ACCEPTED { if { [class match [IP::client_addr] eq blacklist_subnet] } { log local0. "Client IP - [IP::client_addr] is blacklisted. Dropped traffic" drop } }
Faruk_AYDINuse this:
when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr]/24 equals 192.168.1.0] } { drop } }
jaikumar_f5MVP
Just go with a datagroup with Irule method. So that you can add more IP's in the blacklist group on the file. You need not keep editing your irule.
Create a datagroup called blacklist subnet, make sure its type IP.
type: ip
ltm data-group internal blacklist_subnet { records { 20.20.20.0/32 { } 30.30.30.30/25 { } } type ip }Then create your irule like below,
when CLIENT_ACCEPTED { if { [class match [IP::client_addr] eq blacklist_subnet] } { log local0. "Client IP - [IP::client_addr] is blacklisted. Dropped traffic" drop } }- DanS
Thanks Jaikumar and Faruk! The help is much appreciated!
The data group intrigues me. I don't see an option to create an "IP" type data group. The options I have are address, string, integer, and external file.
- DanS
Thanks I got it figured out with the data groups. Your example was command line instead of GUI so it threw me off. Thanks again for your help!