Forum Discussion

Leonardo_Yata
Jun 19, 2012

SNAT with iRules

Hi there!

I have a structure that uses the "firewall sandwich" topology and it provides Internet access to a huge network. This network has approximately 15,000 sites and I have to assign 1 public IP address for each site. I'm planning to accomplish this task using iRules because I have to log the SNAT translations for auditing purposes (obviously, I'll point syslog messages to an external syslog server). We're currently using the Big-IP 8900 model with 10.2.2 (Build 763.3) software. So, here are my questions:

- Is this configuration acceptable for our Big-IP box?

- Can this configuration impact the overall performance of the Big-IP box?

- Does anyone know if there is a maximum size of an iRule or a maximum number of configurable SNATs?

Regards,

Leonardo Yata

 

  • Hi Leonardo,

    - Is this configuration acceptable for our Big-IP box?

    It should be able to do what you're wanting to do. You will have to control and log the information that you are wanting (control the SNAT and logging) within an iRule. Applying this to the Virtual Server would work, but you would not be able to log the information you are wanting.

    - Can this configuration impact the overall performance of the Big-IP box?

    I am assuming that you are going to use HSL (High Speed Logging) to send the transactions to your remote server.

    Depending on the load you might see some impact, but I doubt that it will degrade your performance much since it is not having to process the logging locally.

    - Does anyone know if there is a maximum size of an iRule or a maximum number of configurable SNATs?

    There are no posted maximum figures for the maximum number because that number is directly proportional to the amount of traffic that the box is passing.

    Each SNAT IP address has a maximum number of connections that it can sustain (which is the maximum number of ports per IP address, 65536). Keep in mind that each client browser will open from 3 to 6 connections on average, so you are going to want to ensure that you have enough SNAT addresses to handle the load for all of your sites.

    I would suggest looking into SNAT Pools (if you just use SNAT Automap the LTM will use its own Self-IP addresses, which could cause traffic to fail if your firewalls are not allowing traffic from each of them), so that you will know what IP addresses to expect the traffic to come from.

    Hope this helps.
  • Hi Michael!

    First of all, thanks for the reply!

    Well, I am currently doing a lab to test all these items and options, but obviously I'm spending a lot of time generating an iRule to implement SNAT for 15K subnets... Let's see what the testing results will show...

    Best regards
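The pattern Michael describes (the SNAT decided and logged inside the iRule, with the log record sent by HSL), written out as an added example; it is not code from this thread or from F5. It also addresses the rule-generation problem in the last reply: the 15K subnet-to-address mappings live in an address-type data group rather than in the rule body, so the iRule stays a few lines no matter how many sites there are. The data group name `site_snat_map`, the pool name `syslog_pool`, the sample addresses and the assumption of a TCP virtual server are all mine, not from the thread.

```tcl
# Added example, not from the thread. Assumed names and values:
#   site_snat_map - address-type data group, one record per site subnet,
#                   whose value is that site's public SNAT address, e.g.
#                   10.10.1.0/24 := 203.0.113.10   (constructed placeholders)
#   syslog_pool   - pool containing the external syslog server(s)
# Assumes a TCP virtual server (TCP:: commands are used for the ports).

when CLIENT_ACCEPTED {
    # Subnet lookup: for an address data group, "equals" matches the client
    # address against the subnet records; -value returns the record value,
    # or "" when the client's site is not in the map.
    set snat_ip [class match -value [IP::client_addr] equals site_snat_map]

    if { $snat_ip equals "" } {
        # Site not in the map: fall back to SNAT automap (a self IP) and mark
        # the audit record so the fallback is visible. Note the thread's
        # caveat: the firewalls must permit traffic from the self IPs.
        snat automap
        set snat_ip "automap"
    } else {
        snat $snat_ip
    }
}

when SERVER_CONNECTED {
    # The translation is final once the server-side flow exists. In this
    # serverside context IP::local_addr / TCP::local_port are the translated
    # source address and port; the original client tuple is read clientside.
    # Variables set in CLIENT_ACCEPTED (snat_ip) persist for the connection.
    set hsl [HSL::open -proto UDP -pool syslog_pool]
    HSL::send $hsl "<134>snat-audit client=[clientside {IP::client_addr}]:[clientside {TCP::client_port}] translated=[IP::local_addr]:[TCP::local_port] dst=[IP::server_addr]:[TCP::server_port] map=$snat_ip\n"
}
```

Logging in SERVER_CONNECTED rather than CLIENT_ACCEPTED is deliberate: the translated source port is only chosen when the server-side connection is set up, and an audit record that lacks it cannot be matched against the firewall or destination logs. The per-address limit Michael mentions still applies, since one public address per site shares its port range across all of that site's concurrent connections.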