Routing iRule

Question

Hi, 
&nbsp;  
&nbsp; We have a layer2 configuration on our LTM. There's a down stream FW, behind which the hosts to be load balanced to reside.  
&nbsp;  
&nbsp; Can a iRule be written to sent traffic destined to a specific destination (non loc al) to a gateway address (FW)? 
&nbsp;  
&nbsp; Hopefully that make sense. 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Christopher G Davis 
&nbsp; Sr. Network Engineer 
&nbsp; SITA Atlanta Data Center

deb_allen_18 · Answer

most likely. something like this:when CLIENT_ACCEPTED {   
      if {[IP::addr [IP::remote_addr] eq 10.0.1.0/24] }{   
         node    
      }   
      elseif {[IP::addr [IP::remote_addr] eq 10.0.2.0/24] }{   
         node    
      }   
   }would get you started.   
      
   But really you'd probably want to build the same  of gateway pools as firewalls, each using all firewalls in a different priority order, so you have some way to verify the health of the fw before sending traffic to it, and a fallback in case it fails:pool FW1 {   
     member :0 prio 100   
     member :0 prio  50   
     monitor FW_transparent   
   }   
   pool FW2 {   
     member :0 prio 100   
     member :0 prio  50   
     monitor FW_transparent   
   }   
      
   when CLIENT_ACCEPTED {   
      if {[IP::addr [IP::remote_addr] eq 10.0.1.0/24] }{   
         pool FW1   
      }   
      elseif {[IP::addr [IP::remote_addr] eq 10.0.2.0/24] }{   
         pool FW2   
      }   
   }   
   Each pool member would ideally be monitored with a transparent monitor targetting a host one hop past it.   
      
   Persistence might be required for some apps as well, but might create an undesirable traffic pattern on failback after failover, so think it through &amp; test thoroughly.    
      
   /d

chris_g_davis_1 · Answer

Thanks for the info. 
&nbsp;  
&nbsp; Couple more questions, so on the vip configuration I would have the pool with the destination nodes attached and a iRule that points traffic destine to the destination nodes ip addresses to the fw or next hop? Also the monitor would need to be pointed to the fw I guess?  
&nbsp;  
&nbsp; --cd &nbsp;

deb_allen_18 · Answer

VS config would use one of the iRules above as its only resource.  
&nbsp;    
&nbsp;  For more info about transparent monitors, see this AskF5 Solution:  SOL8971: Creating transparent ICMP health monitors (Click here) 
&nbsp;    
&nbsp;  If you are going with the node approach (iRule 1), you can apply a transparent ICMP monitor (such as that referenced in the 1st section of the solution) to each node address, but there is no fallback defined if it fails: Connections will be reset by LTM.  
&nbsp;    
&nbsp;  If you are going with the monitored pool approach (iRule 2), you would first need to create the pools it references, and apply a transparent gateway ICMP monitor (such as that referenced in the 2nd section of the solution) to each pool. This solution provides fallback in case of firewall failure.  
&nbsp;    
&nbsp;  /d  
&nbsp;    &nbsp;

chris_g_davis_1 · Answer

Thanks for your help!!!

deb_allen_18 · Answer

np 
&nbsp; :D

Forum Discussion

Routing iRule

5 Replies

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

SSH forward proxy

Multiple Default Gateways

ASM Sec-CH-UA-Full-Version-List backquote in Header

Scenarios where Service Policy should be used over iRule and Vice versa

Issue on connection limit

Related Content

BIG-IP Next: iRules pool routing

Routing options by hostname with iRules, NGINX, and Distributed Cloud

Converting TCL-Based iRules to Distributed Cloud Service Policies and L7 Routes

SNI Routing with BIG-IP

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS