Forum Discussion
Chris_G_Davis_1
Nimbostratus
Jan 26, 2009
Routing iRule
Hi,
We have a layer 2 configuration on our LTM. There's a downstream FW, behind which the hosts to be load balanced reside.
Can an iRule be written to send traffic destined to a specific destination (non-local) to a gateway address (FW)?
Hopefully that makes sense.
Thanks,
Christopher G Davis
Sr. Network Engineer
SITA Atlanta Data Center
5 Replies
- Deb_Allen_18 (Historic F5 Account)
Most likely. Something like this would get you started:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 10.0.1.0/24] } {
            node <fw1_ip>
        } elseif { [IP::addr [IP::remote_addr] equals 10.0.2.0/24] } {
            node <fw2_ip>
        }
    }
But really you'd probably want to build the same number of gateway pools as firewalls, each using all firewalls in a different priority order, so you have some way to verify the health of the FW before sending traffic to it, and a fallback in case it fails:
Each pool member would ideally be monitored with a transparent monitor targeting a host one hop past it.

    pool FW1 {
        member <fw1_ip>:0 prio 100
        member <fw2_ip>:0 prio 50
        monitor FW_transparent
    }
    pool FW2 {
        member <fw2_ip>:0 prio 100
        member <fw1_ip>:0 prio 50
        monitor FW_transparent
    }

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 10.0.1.0/24] } {
            pool FW1
        } elseif { [IP::addr [IP::remote_addr] equals 10.0.2.0/24] } {
            pool FW2
        }
    }
Persistence might be required for some apps as well, but might create an undesirable traffic pattern on failback after failover, so think it through & test thoroughly.
/d
- Chris_G_Davis_1
Nimbostratus
Thanks for the info.
A couple more questions: so on the VIP configuration I would have the pool with the destination nodes attached and an iRule that points traffic destined to the destination nodes' IP addresses to the FW or next hop? Also, the monitor would need to be pointed to the FW, I guess?
--cd
- Deb_Allen_18 (Historic F5 Account)
VS config would use one of the iRules above as its only resource.
For more info about transparent monitors, see this AskF5 Solution: SOL8971: Creating transparent ICMP health monitors.
If you are going with the node approach (iRule 1), you can apply a transparent ICMP monitor (such as that referenced in the 1st section of the solution) to each node address, but there is no fallback defined if it fails: Connections will be reset by LTM.
If you are going with the monitored pool approach (iRule 2), you would first need to create the pools it references, and apply a transparent gateway ICMP monitor (such as that referenced in the 2nd section of the solution) to each pool. This solution provides fallback in case of firewall failure.
/d
- Chris_G_Davis_1
Nimbostratus
Thanks for your help!!!
- Deb_Allen_18 (Historic F5 Account)
np
:D
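Pulling Deb's monitored-pool approach (iRule 2 plus the transparent gateway monitor) together, here is the full configuration as an added example. It is not code from the thread, and it uses tmsh syntax (BIG-IP v11 and later) rather than the bigpipe syntax of 2009. The firewall addresses 192.0.2.1 and 192.0.2.2, the far-side monitor target 198.51.100.1, and the object names FW_transparent, FW1, FW2 and fw_route are placeholders; the client subnets are the thread's 10.0.1.0/24 and 10.0.2.0/24. It assumes a wildcard forwarding virtual server (destination 0.0.0.0:any, address and port translation disabled) that has this iRule as its only resource, as described above. Beyond the thread's version, the iRule fails closed for sources that match neither subnet and logs when every firewall in the chosen pool is down.

```tmsh
# Added example (tmsh syntax, BIG-IP v11+), not the bigpipe config from the
# thread. Firewall and far-side addresses are placeholders from the RFC 5737
# documentation ranges; the client subnets are the thread's.

# Transparent gateway ICMP monitor: the probe is sent through the pool member
# (the firewall) to a host one hop past it, so a firewall that answers ping
# but is not forwarding is still marked down.
ltm monitor gateway-icmp FW_transparent {
    defaults-from gateway_icmp
    destination 198.51.100.1:*
    interval 5
    timeout 16
    transparent enabled
}

# One pool per client subnet, each containing every firewall in a different
# priority order. min-active-members 1 makes the lower priority group take
# over only when the higher group has no healthy member.
ltm pool FW1 {
    members {
        192.0.2.1:any { address 192.0.2.1 priority-group 100 }
        192.0.2.2:any { address 192.0.2.2 priority-group 50 }
    }
    min-active-members 1
    monitor FW_transparent
}
ltm pool FW2 {
    members {
        192.0.2.2:any { address 192.0.2.2 priority-group 100 }
        192.0.2.1:any { address 192.0.2.1 priority-group 50 }
    }
    min-active-members 1
    monitor FW_transparent
}

# The iRule attached to the wildcard forwarding virtual server.
ltm rule fw_route {
when CLIENT_ACCEPTED {
    # Choose the gateway pool by source subnet.
    set fw_pool ""
    if { [IP::addr [IP::client_addr] equals 10.0.1.0/24] } {
        set fw_pool FW1
    } elseif { [IP::addr [IP::client_addr] equals 10.0.2.0/24] } {
        set fw_pool FW2
    }

    # Fail closed: a source outside both subnets is rejected and logged
    # instead of being forwarded by the wildcard virtual server with no policy.
    if { $fw_pool eq "" } {
        log local0. "fw_route: no gateway pool for [IP::client_addr] -> [IP::local_addr], rejecting"
        reject
        return
    }

    # Every firewall in the pool failed its monitor: say so explicitly rather
    # than letting LTM reset the connection quietly.
    if { [active_members $fw_pool] == 0 } {
        log local0. "fw_route: all members of $fw_pool are down, rejecting [IP::client_addr]"
        reject
        return
    }

    pool $fw_pool
}
}
```

Two things to verify before relying on this: the host the transparent monitor targets must answer ICMP and the firewall must permit the probe, or a healthy firewall will be marked down and traffic will fail over for no reason; and because the pool members are the firewalls rather than the real destinations, the virtual server must leave the destination address untranslated, otherwise packets are delivered to the firewall's own address instead of being forwarded through it.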