Forum Discussion
liang_14081
Nimbostratus
Feb 21, 2009
Who can help?
Hi all, could you please check whether the scenario below can be implemented with F5 BIG-IP? Thanks to all for your help.
1. A remote PC dials up to get internet access.
2. When the NAS server receives that request, it sends a RADIUS message to the accounting servers, which are behind the F5 load balancer.
3. F5 redirects that RADIUS message from the NAS device to one of the active accounting servers according to the dispatch method you define.
4. The F5 device will create a mapping table which includes the user's phone number, the IP address which the PC gets from the DHCP server, and which accounting server is used for that user now.
5. After that, the remote PC can access the internet, but all traffic which comes from that PC needs to be load balanced to the same accounting server according to the table that I mentioned before, based on source IP address, to keep the persistence.
6. Please notice here: the destination IP of the RADIUS message sent from the NAS device is the VIP address on the F5 box, BUT the destination IPs of all traffic from the remote PC are NOT related to the F5 box; all destination IP addresses are the real servers on the internet.
Can we do that? If we can, how do we configure the F5 box? Does it need complex iRules? Thanks very much again!
16 Replies
- The_Bhattman
Nimbostratus
I suppose you can then use a clone pool or port mirror to the RADIUS Accounting Server.
If you have access to the F5 Knowledge Base, take a look at the following link:
https://support.f5.com/kb/en-us/solutions/public/8000/500/sol8573.html
- liang_14081
Nimbostratus
I don't think the clone pool or port mirror can match my requirement, because the RADIUS message is sent by the NAS, but I need traffic from the client to be redirected to the corresponding accounting server according to the client's source IP address, based on the "mapping table" in the F5; port mirror doesn't have a load balancing function and couldn't stick the traffic. Thanks very much!
- The_Bhattman
Nimbostratus
I think I see. I think the key is that if the persistence record between the NAS and the F5 VIP can be shared by Forward Virtual IP (assuming you have one) to allow traffic at a layer 3 to pass through the F5.
- liang_14081
Nimbostratus
You are right, can we do that? Or even with no virtual IP for the clients' traffic, because the destinations of all traffic from clients are real servers on the internet, can we still do that by iRule? Thanks very much for your great help.
- The_Bhattman
Nimbostratus
If you have a universal persistence profile with "match across virtual servers", then I think within the iRule you can create a persistence table based on the client IP address and the destination IP address, and then in another iRule on the Forwarding Virtual IP you can do a lookup and then forward based on the table. Of course I am not exactly sure how to do this, but in theory it would work.
CB
- liang_14081
Nimbostratus
Thanks very much for your always kind help, I will test.
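The mapping table from step 4 of the question and the lookup on the forwarding path proposed in the last reply, modelled in Python as an added example (not code from any poster, and not an iRule). Server addresses, phone numbers and the `MappingTable` and `build_request` names are constructed for illustration; the RADIUS Request Authenticator is not verified and session removal on accounting stop is left out.

```python
import ipaddress
import struct

ACCOUNTING_REQUEST = 4    # RADIUS packet code for Accounting-Request
FRAMED_IP_ADDRESS = 8     # attribute: IP address assigned to the dial-up PC
CALLING_STATION_ID = 31   # attribute: caller's phone number

def parse_avps(packet: bytes) -> dict:
    """Return {attribute type: raw value}, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    avps, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        avps[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return avps

class MappingTable:
    def __init__(self, servers):
        self.servers, self.next, self.by_ip = list(servers), 0, {}

    def on_accounting(self, packet: bytes) -> str:
        """Pick a server round robin; record phone, client IP and server."""
        avps = parse_avps(packet)
        if len(avps.get(FRAMED_IP_ADDRESS, b"")) != 4:
            raise ValueError("no usable Framed-IP-Address")
        ip = str(ipaddress.IPv4Address(avps[FRAMED_IP_ADDRESS]))
        phone = avps.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
        if ip not in self.by_ip:  # later updates keep the first choice
            server = self.servers[self.next % len(self.servers)]
            self.next += 1
            self.by_ip[ip] = (phone, server)
        return self.by_ip[ip][1]

    def server_for(self, src_ip: str):
        # Forwarding-path lookup by source IP; None means no known session.
        return self.by_ip.get(src_ip, (None, None))[1]

def build_request(phone: str, ip: str) -> bytes:
    """Constructed sample Accounting-Request with a zeroed authenticator."""
    body = bytes([CALLING_STATION_ID, 2 + len(phone)]) + phone.encode()
    body += bytes([FRAMED_IP_ADDRESS, 6]) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body
```

A source IP with no table entry returns `None`, so the forwarding side has to decide explicitly what happens to traffic from a client that never produced an accounting record.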
