Forum Discussion
sose_86565
Nimbostratus
NimbostratusSNAT descision based on client ip and link availability
I have 2 ISPs that are being load balanced. I also have a list of internal IP's that we do not want to use SNAT's if ISP-A is online. Can someone validate this iRule for me? The Hosts class is the list of the IP's not to NAT, and the LB-server IP listed is the IP of the link for ISP-A.
class Hosts {
host 128.94.2.9
host 128.94.2.10
host 128.94.2.11
host 128.94.2.12
host 128.94.2.13
host 128.94.2.14
host 128.94.2.15
host 128.94.2.16
host 128.94.2.17
host 128.94.2.18
host 128.94.2.19
host 128.94.2.20
host 128.94.2.23
host 128.94.2.25
host 128.94.2.52
host 128.94.2.53
host 128.94.2.100
host 128.94.2.101
host 128.94.2.103
host 128.94.2.104
}
when LB_SELECTED {
if {[matchclass [IP::client_addr] equals "$::Hosts"} {
if {[LB::server addr] == "128.94.240.254"} {
snat none
}
else {
snat automap
}
}
else {
snat automap
}
}
hoolioCirrostratus
The logic looks fine. You could use IP::addr to perform the IP address comparison:when LB_SELECTED { if {[matchclass [IP::client_addr] equals "$::Hosts"}{ if {[IP::addr [LB::server addr] equals 128.94.240.254]}{ snat none } else { snat automap } } else { snat automap } }
Aaron
sose_86565Thanks hoolio.. With this rule in place, what Address Translation settings should I configure for the outbound virtual server?- hoolioThe address translation checkbox in the VIP properties in the GUI refers to destination address only. If you have a network VIP (a VIP with a destination address that does not have a mask of 255.255.255.255) you'll need to leave address translation disabled so LTM doesn't try to change the destination address on the packets.
Because the iRule is setting SNAT in all cases, the SNAT setting on the VIP will be overridden by the iRule so that property doesn't matter. I think you would need to have SNAT enabled on the gateway pool in order for the iRule SNAT to be used.
Aaron 
briceAlong these same lines... Don't mean to hijack your thread, but it seems related...
I am working on some link controllers handling traffic for a datacenter and office with 50 or so users. They have a main connection (about 30Mb/s) and a backup T1. I have this configured using priority group activation so the T1 is only used when the main connection is down, and everything seems to be working as expected.
Now, if/when the main connection goes down, they do NOT want normal user traffic to pass the outbound network VIP. They want to make sure all of the bandwidth on the backup T1 will only be used for "real service traffic", and not just local users surfing Yahoo!
My idea is to create an iRule on the outbound network VIP that looks at the IP of the node in the default_gateway_pool that was chosen, and if it's the backup T1's IP, then just drop the traffic. Does that sound like a reasonable way to handle this situation? Anyone have any better ideas? Here is what I have for the current iRule...when LB_SELECTED { if {[IP::addr [LB::server addr] equals drop } }
Thanks in advance...
--brice