Forum Discussion
Selective SNAT and Calculate CRC32 Checksum
The pool members in Exchange 2013 need to communicate with pool members in Exchange 2007. They are on the same subnet. To do this we would like to enable selective SNAT between the two pool members, but we would also like to 1) ensure sessions are split correctly (calculate the crc32 checksum of the client IP) and 2) have 2 or 3 snatpool members eventually.
iRules taken from the F5 Solution Guide for Exchange 2010 Deployment and the Selective SNAT iRule, combined. Will it work as required?
when RULE_INIT {
    # One SNAT address for now; further members go in (1), (2), ...
    set static::snat_exch2007(0) 10.73.17.248
}
when CLIENT_ACCEPTED {
    # Hash the client IP so the same client always gets the same SNAT address
    snat $static::snat_exch2007([expr {[crc32 [IP::client_addr]] % [array size static::snat_exch2007]}])
}
when LB_SELECTED {
    # Apply the snatpool only when client and selected server share a /24
    if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
        snatpool snat_exch2007
    }
}
8 Replies
- mmory09_63087
Nimbostratus
Will this iRule work? Two iRules combined.
when RULE_INIT {
    set static::snat_exch2007(0) 10.73.17.248
}
when CLIENT_ACCEPTED {
    snat $static::snat_exch2007([expr {[crc32 [IP::client_addr]] % [array size static::snat_exch2007]}])
}
when LB_SELECTED {
    if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
        snatpool snat_exch2007
    }
}
I'm not sure if you're planning to use this rule with other rules that are dependent on the variables, but if all you want to do is to SNAT requests from certain IPs or networks, then this iRule should do it.
when CLIENT_ACCEPTED {
    if { [matchclass [IP::client_addr] equals exch2007servers] } {
        snatpool snat_exch2007
    }
}
Note that you have to create and populate an address-type data group list, i.e. "exch2007", with the IPs or network of the Exchange servers.
/Patrik
- BinaryCanary_19
Historic F5 Account
If you're dealing with exchange, this command is important for your snat:
snat $static::snat_exch2007([expr {[crc32 [IP::client_addr]] % [array size static::snat_exch2007]}])
The reason is that RPC in particular will require re-authentication if a client IP changes midstream. Since RPC clients can open up to 10 connections to the same server, it is important that each of these connections has the same source IP; otherwise the session may fail completely.
If you do not use that command for snatting, then subsequent requests from the same client may get a different IP address from the snatpool, and your service may fail.
Also, if your HTTP application requires reauthentication when a session's IP address changes, the command serves the same purpose.
Finally, make sure to put the IP addresses you use inside a snatpool, otherwise the F5 will not answer ARP traffic for those addresses, and your service will not function correctly.
- mmory09_63087
Nimbostratus
Exactly right. That command is required if the snatpool has a few members but shouldn't be an issue if it's a single member. The challenge for me is how I can include that in the selective iRule below.
when CLIENT_ACCEPTED {
    snat $static::snat_exch2007([expr {[crc32 [IP::client_addr]] % [array size static::snat_exch2007]}])
}
when LB_SELECTED {
    if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
        snatpool snat_exch2007
    }
}
- mmory09_63087
Nimbostratus
What takes precedence? I'd like the LTM to only SNAT those on the same subnet, but not the requests coming from the client. Once the LTM does the SNAT, it should perform that required command for Exchange...
If you only have one server in the SNAT pool, my rule below will work as you want it to; it only SNATs the servers and uses the same IP while doing so. /Patrik
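One way to put the two pieces together, added here as an illustration and not taken from any of the replies above: the /24 check decides whether to SNAT at all, and the crc32 selection decides which address to use, so server-to-server connections through the virtual keep one stable source IP even once the array holds two or three members. It assumes the addresses in the static array are the same ones configured as members of a snatpool named snat_exch2007.

```tcl
when RULE_INIT {
    # Constructed addresses for the example; the same IPs must also be
    # members of snatpool "snat_exch2007" so the LTM answers ARP for them.
    set static::snat_exch2007(0) 10.73.17.248
    set static::snat_exch2007(1) 10.73.17.249
}

when LB_SELECTED {
    # SNAT only when the selected pool member sits on the client's /24,
    # i.e. Exchange-to-Exchange traffic. Real client traffic is untouched.
    if { [IP::addr "[IP::client_addr]/24" equals "[LB::server addr]/24"] } {
        # Hash the client IP so every connection from one server (RPC opens
        # up to 10) maps to the same SNAT address. The array size is the
        # modulus, so adding an entry to the array spreads load over it.
        set idx [expr { [crc32 [IP::client_addr]] % [array size static::snat_exch2007] }]
        snat $static::snat_exch2007($idx)
    }
}
```

Choosing the address in LB_SELECTED instead of CLIENT_ACCEPTED is what stops the original draft from SNATing every client before the subnet check runs. Changing the array size changes the modulus and remaps existing clients, so add members during a maintenance window.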