
iRule and BGP

rolf
Cirrus

Hi,

I have a customer case where I need to apply a specific SNAT depending on the routing decision.

The routing contains the following paths:

ISP 1 (default GW)

ISP 2 (default GW)

BGP Cloud Link

All the routes are directly attached to the F5 LTM. The F5 LTM runs the BGP 'termination' to the Cloud.

So I would like to execute an iRule which monitors the egress VLAN and, depending on this, assigns a specific SNAT address.

Is this possible?

Thanks,

Rolf

1 ACCEPTED SOLUTION

Hi Rolf,

Take a look at the NAT policies you can configure within AFM. These policies are very comprehensive, and if I'm not mistaken you can alter the source address based on the egress interface on which the packet leaves the BIG-IP.

Kind regards,

Niels


Simon_Blakely
F5 Employee

You can do this if your outgoing routes are set up using a gateway pool with priority groups, so that an iRule like the following can be used:

    when CLIENT_ACCEPTED {
        # Check the gateway pool members in route-priority order and
        # SNAT to the outbound address that belongs to the live gateway.
        if { [LB::status pool default_gateway_pool member <ISP1 ip> 0] eq "up" } {
            snat <ISP1 outbound ip>
        } elseif { [LB::status pool default_gateway_pool member <ISP2 ip> 0] eq "up" } {
            snat <ISP2 outbound ip>
        } elseif { [LB::status pool default_gateway_pool member <BGP Cloud Link ip> 0] eq "up" } {
            snat <BGP Cloud Link outbound ip>
        }
    }

rolf
Cirrus

Thanks for your feedback.

The customer setup requires that, in case a BGP route exists, the BGP link is always chosen. So I first have to check if the routing points to the BGP gateway.

Do you know if this can be done using an iRule?

You can't query the routing table directly from an iRule.

You could do this by specifying nodes and a transparent monitor.

Create a node for each of your gateways.

For each node, create a transparent ICMP monitor that checks an IP address past the gateway.

K8971: Creating transparent ICMP health monitors

In your iRule, use LB::status to determine which of the nodes (gateways) is available, and set the outgoing SNAT as appropriate based on the route priority.
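To make the node + transparent-monitor + LB::status approach described above concrete, together with the "BGP link first" preference from the question, here is an added example as a tmsh configuration (not code from the thread or from F5); all addresses, object names and the exact tmsh/monitor syntax are assumptions, and the rule still has to be attached to the outbound forwarding virtual server.

```tmsh
# Constructed example: every address and object name is a placeholder.
# Transparent ICMP monitors probe a host *beyond* each gateway, so a node
# is "up" only while the path through that gateway actually works.
# (exact gateway-icmp/destination syntax is an assumption; see K8971)
create ltm monitor gateway-icmp gw_ping_internet { transparent enabled destination 192.0.2.1:* interval 5 timeout 16 }
create ltm monitor gateway-icmp gw_ping_cloud    { transparent enabled destination 198.51.100.1:* interval 5 timeout 16 }

# One node per next hop, each checked through the matching transparent monitor.
create ltm node gw_bgp  { address 10.0.3.1 monitor gw_ping_cloud }
create ltm node gw_isp1 { address 10.0.1.1 monitor gw_ping_internet }
create ltm node gw_isp2 { address 10.0.2.1 monitor gw_ping_internet }

# Gateway pool with priority groups: the highest group (BGP) carries traffic
# while at least one of its members is up; otherwise the next group takes over.
# This is what makes the egress gateway predictable from inside an iRule.
create ltm pool default_gateway_pool {
    min-active-members 1
    members {
        10.0.3.1:0 { priority-group 30 }
        10.0.1.1:0 { priority-group 20 }
        10.0.2.1:0 { priority-group 10 }
    }
}

# iRule: mirror the pool's priority order, so the SNAT address chosen here
# is the one that belongs to the gateway the connection will leave through.
create ltm rule snat_by_gateway {
when CLIENT_ACCEPTED {
    if { [LB::status pool default_gateway_pool member 10.0.3.1 0] eq "up" } {
        snat 203.0.113.30
    } elseif { [LB::status pool default_gateway_pool member 10.0.1.1 0] eq "up" } {
        snat 203.0.113.10
    } elseif { [LB::status pool default_gateway_pool member 10.0.2.1 0] eq "up" } {
        snat 203.0.113.20
    } else {
        # No gateway is reachable: there is no usable route, so fail closed
        # rather than translating to an address that cannot be routed back.
        reject
    }
}
}
```

Because the pool and the rule share the same ordering, a connection is only ever SNATed to the address of the gateway the pool will select, which is the gap the question raised about not knowing which route a connection took.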

 

Hi,

Ok, thanks for that. That sounds like an interesting approach, but still I do not know which route a specific connection has chosen. So I do not know which SNAT pool to assign using the iRule...

Best Regards

Rolf


rolf
Cirrus

Hi Niels,

I just checked the policies; I think you are right, it's possible to configure SNAT based on the egress interface.

Great, thanks for that!!

Best Regards,

Rolf