24-Feb-2020 02:51
Hi,
I have a customer case where I need to apply a specific SNAT depending on the routing decision.
The Routing contains the following paths:
ISP 1 (default GW)
ISP 2 (default GW)
BGP Cloud Link
All the routes are directly attached to the F5 LTM. The F5 LTM runs the BGP 'termination' to the Cloud.
So I would like to execute an iRule which monitors the egress VLAN and depending on this I would like to assign a specific SNAT Address.
Is this possible?
Thanks,
Rolf
24-Feb-2020 14:20
You can do this if your outgoing routes are set up using a gateway pool with priority groups, so that an iRule like the following can be used:
when CLIENT_ACCEPTED {
    # Pick the SNAT address from whichever gateway pool member is currently up,
    # checked in the order of the pool's priority groups.
    if { [LB::status pool default_gateway_pool member <ISP1 ip> 0] eq "up" } {
        snat <ISP1 outbound ip>
    } elseif { [LB::status pool default_gateway_pool member <ISP2 ip> 0] eq "up" } {
        snat <ISP2 outbound ip>
    } elseif { [LB::status pool default_gateway_pool member <BGP Cloud Link ip> 0] eq "up" } {
        snat <BGP Cloud Link outbound ip>
    }
}
24-Feb-2020 22:04
Thanks for your feedback.
The customer setup requires that, in case a BGP route exists, the BGP link is always chosen. So I first have to check whether the routing points to the BGP gateway.
Do you know if this can be done using an iRule?
25-Feb-2020 12:58
You can't query the routing table directly from an iRule.
You could do this by specifying nodes and a transparent monitor.
Create a node for each of your gateways.
For each node, create a transparent ICMP monitor that checks an IP address past the gateway.
K8971: Creating transparent ICMP health monitors
In your iRule, use LB::status to determine which of the nodes (gateways) is available, and set the outgoing SNAT as appropriate based on the route priority.
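The approach above, written out as an added example (this iRule is not from the thread or from F5; gateway and SNAT addresses are placeholders from the documentation ranges, and it assumes a BIG-IP version whose LB::status accepts the node form). Gateways are tried in priority order with the BGP cloud gateway first, so it wins whenever its transparent monitor reports it up; if no monitored gateway is up, the rule falls back to SNAT automap and logs a warning so the condition is visible in the logs.

```tcl
# Added example, not from the original thread. Selects the SNAT address by
# gateway availability as reported by each gateway node's transparent monitor.
# 198.51.100.1 / 192.0.2.x are placeholder gateway node addresses and
# 203.0.113.x are placeholder SNAT addresses; replace with the real ones.
when CLIENT_ACCEPTED {
    # Ordered list of {gateway_node_ip snat_ip} pairs, highest priority first:
    # BGP cloud gateway, then ISP 1, then ISP 2.
    set gw_prefs [list \
        {198.51.100.1 203.0.113.10} \
        {192.0.2.1    203.0.113.11} \
        {192.0.2.2    203.0.113.12} ]

    set chosen ""
    set gw ""
    foreach pref $gw_prefs {
        # iRules Tcl is 8.4-based, so use lindex rather than lassign.
        set gw      [lindex $pref 0]
        set snat_ip [lindex $pref 1]
        # Transparent monitor on the node tells us the path behind this gateway works.
        if { [LB::status node $gw] eq "up" } {
            set chosen $snat_ip
            break
        }
    }

    if { $chosen ne "" } {
        snat $chosen
        log local0. "client [IP::client_addr]: SNAT $chosen selected, gateway $gw is up"
    } else {
        # No monitored gateway is up: keep traffic flowing but make the condition visible.
        log local0.warning "client [IP::client_addr]: no monitored gateway up, using SNAT automap"
        snat automap
    }
}
```

The caveat a practitioner should keep in mind is that this mirrors monitor state, not the actual forwarding decision: it assumes the BIG-IP's routing prefers the same gateway the iRule prefers whenever that gateway is up. If the two orderings disagree, the connection can leave on one VLAN while carrying the SNAT address meant for another, which is exactly the gap raised later in this thread.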
04-Mar-2020 21:43
Hi,
Ok, thanks for that. That sounds like an interesting approach, but I still do not know which route a specific connection has chosen. So I do not know which SNAT pool to assign using the iRule...
Best Regards
Rolf
05-Mar-2020 10:16
Hi Rolf,
Take a look at the NAT policies you can configure within AFM. These policies are very comprehensive, and if I'm not mistaken you can alter the source address based on the egress interface the packet is leaving the BIG-IP on.
Kind regards,
Niels
06-Mar-2020 00:22
Hi Niels,
I just checked the policies. I think you are right, it's possible to configure SNAT based on the egress interface.
Great, thanks for that!!
Best Regards,
Rolf