For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kirk_Bauer_1018's avatar
Kirk_Bauer_1018
Icon for Altostratus rankAltostratus
Sep 07, 2007

Selective SNAT rule, looking for suggestions

I wrote this rule for a customer who has 8 VLANs with real servers, and each pool may have servers from multiple VLANs. In addition sometimes the "client" comes from one of the VLANs as well, so I ne...
application delivery
dev
devops
iRules
Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
Jan 08, 2008
Also, I've elected to SNAT using the VIP address itself rather than use automap as that will give a better indication in the webserver logs whether the connection was related to an LTM monitor or whether the client was actually SNAT'ed.

 

 

Hi Nathan -

 

 

I like your "SNAT to local VS address" approach, will probably use that in future, but just thought I'd clarify one minor thing: If you are running a redundant pair, all monitors will be sourced from the non-floating selfIPs, while SNAT automap will only use the floating ones, so you already have some natural separation there...

 

 

Thanks for the contrib!

 

/deb