Forum Discussion

rolf
Feb 24, 2020
Solved

iRule and BGP

Hi,

I have a customer case, where I need to apply a specific SNAT depending on the routing decision.

The Routing contains the following paths:

ISP 1 (default GW)

ISP 2 (default GW)

BGP Cloud Link

All the routes are directly attached to the F5 LTM. The F5 LTM runs the BGP 'termination' to the Cloud.

So I would like to execute an iRule which monitors the egress VLAN and depending on this I would like to assign a specific SNAT Address.

Is this possible?

Thanks,

Rolf

  • Hi Rolf,

    Take a look at the NAT policies you can configure within AFM. These policies are very comprehensive, and if I'm not mistaken you can alter the source address based on the egress interface the packet is leaving the BIG-IP.

    Kind regards,

    Niels

6 Replies

  • You can do this if your outgoing routes are set up using a gateway pool with priority groups, so that an irule like the following can be used:

    when CLIENT_ACCEPTED {
      # Check the gateway pool members in priority order and pick the matching SNAT address.
      # LB::status takes the form "pool <name> member <addr> <port>"; gateway members use port 0.
      # <ISPn outbound ip> is the translation address that would otherwise sit in the smtp_outbound SNAT pool.
      if { [LB::status pool default_gateway_pool member <ISP1 ip> 0] eq "up" } {
        snat <ISP1 outbound ip>
      } elseif { [LB::status pool default_gateway_pool member <ISP2 ip> 0] eq "up" } {
        snat <ISP2 outbound ip>
      } elseif { [LB::status pool default_gateway_pool member <BGP Cloud Link ip> 0] eq "up" } {
        snat <BGP Cloud Link outbound ip>
      }
    }
  • Thanks for your feedback.

    The customer setup requires that, in case a BGP route exists, the BGP link is always chosen. So I first have to check if the routing points to the BGP gateway.

    Do you know if this can be done using an iRule?

    • You can't query the routing table directly from an iRule.

      You could do this by specifying nodes and transparent monitors.

      Create a node for each of your gateways.

      For each node, create a transparent ICMP monitor that checks an IP address past the gateway.

      K8971: Creating transparent ICMP health monitors
      In your iRule, use LB::status to determine which of the nodes (gateways) is available, and set the outgoing SNAT as appropriate based on the route priority.
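      Added example (not from the thread) of the node-plus-transparent-monitor approach just described, written as an iRule: it assumes three gateway nodes with constructed addresses (BGP cloud link 203.0.113.1, ISP 1 192.0.2.1, ISP 2 198.51.100.1), each carrying a transparent ICMP monitor per K8971, plus one constructed SNAT address per link; the BGP link is listed first so it wins whenever it is reachable, which is the priority the customer requires.

```tcl
when CLIENT_ACCEPTED {
    # Gateway node -> SNAT address, in priority order (constructed addresses).
    # The BGP cloud link comes first so it is preferred whenever its
    # transparent ICMP monitor (K8971) reports the node as "up".
    set gateways [list \
        [list 203.0.113.1  203.0.113.10]  \
        [list 192.0.2.1    192.0.2.10]    \
        [list 198.51.100.1 198.51.100.10] ]

    set chosen ""
    foreach entry $gateways {
        set gw   [lindex $entry 0]
        set addr [lindex $entry 1]
        # LB::status node <addr> reflects monitor state, not the routing table,
        # so this infers the usable path rather than reading the route lookup.
        if { [LB::status node $gw] eq "up" } {
            set chosen $addr
            break
        }
    }

    if { $chosen ne "" } {
        snat $chosen
    } else {
        # No gateway reachable: fall back to automap rather than leaving the
        # connection without a usable source address, and log it for troubleshooting.
        snat automap
        log local0. "no gateway node up; using SNAT automap for [IP::client_addr]"
    }
}
```

      Monitor state stands in for the route lookup here, so a gateway that is reachable but not the one the routing table actually selects can still be picked; that is the gap the thread goes on to discuss.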

      • rolf

        Hi,

        Ok, thanks for that. That sounds like an interesting approach, but I still do not know which route a specific connection has chosen. So I do not know which SNAT pool to assign using the iRule...

        Best Regards

        Rolf

  • Hi Niels,

    I just checked the policies; I think you are right, it's possible to configure SNAT based on the egress interface.

    Great, thanks for that!!

    Best Regards,
    Best Regards,

    Rolf