class match
3 Topics

iRules Optimization for MAC filtering with Data Groups (If/else)
Hello Everyone, I'm trying to figure out an optimized version of the following (currently working) iRules, in order to validate, via Machine Info, the incoming MAC address from different customers to a BIG-IP APM Access Policy. The iRules have been validated in versions 12.1 and 13. Any advice/recommendation will be welcome.

Here we have an example of the LTM Data Groups deployed:

pedro.haoa@(f5chile)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm data-group one-line
ltm data-group internal MACGRP_1001_external_chile { records { F4:15:63:11:22:33 { } F4:15:63:11:22:34 { } F4:15:63:11:22:35 { } } type string }
.
. (Output Omitted)
.
ltm data-group internal MACGRP_1370_external_chile { records { F4:15:63:44:55:66 { } F4:15:63:44:55:67 { } F4:15:63:44:55:68 { } } type string }
.
. (Output Omitted)
.
ltm data-group internal MACGRP_2001_external_bolivia { records { 00:23:E9:22:33:44 { } 00:23:E9:22:33:44 { } 00:23:E9:22:33:44 { } } type string }
.
. (Output Omitted)
.
ltm data-group internal MACGRP_2350_external_bolivia { records { 00:23:E9:55:66:77 { } 00:23:E9:55:66:78 { } 00:23:E9:55:66:79 { } } type string }
.
. (Output Omitted)
.

And here we have two iRules to validate more than 700 different Data Groups:

# BIG-IP APM Event
when ACCESS_POLICY_AGENT_EVENT priority 410 {
    # Access Policy Branch Filter
    if { [ACCESS::policy agent_id] eq "macgrp" } {
        # Variables for LAN/WLAN Interfaces
        set mac0 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[0\].mac_address"]
        set mac1 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[1\].mac_address"]
        # Variable to reduce data along the iRule due to the 64k limit.
        set s session.logon.custom.macgrp
        # if/else statements to validate the MAC addresses contained within each data group
        if { [class match $mac0 eq MACGRP_1001_external_chile] || [class match $mac1 eq MACGRP_1001_external_chile] } {
            ACCESS::session data set $s 1
        } elseif { [class match $mac0 eq MACGRP_1002_external_chile] || [class match $mac1 eq MACGRP_1002_external_chile] } {
            ACCESS::session data set $s 1
        } elseif { [class match $mac0 eq MACGRP_1003_external_chile] || [class match $mac1 eq MACGRP_1003_external_chile] } {
            ACCESS::session data set $s 1
            # .
            # . (Output Omitted)
            # .
        } elseif { [class match $mac0 eq MACGRP_1369_external_chile] || [class match $mac1 eq MACGRP_1369_external_chile] } {
            ACCESS::session data set $s 1
        } elseif { [class match $mac0 eq MACGRP_1370_external_chile] || [class match $mac1 eq MACGRP_1370_external_chile] } {
            ACCESS::session data set $s 1
        }
    }
}

Second iRule (Split mode):

# BIG-IP APM Event
when ACCESS_POLICY_AGENT_EVENT priority 420 {
    # Access Policy Branch Filter
    if { [ACCESS::policy agent_id] eq "macgrp" } {
        # Variables for LAN/WLAN Interfaces
        set mac0 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[0\].mac_address"]
        set mac1 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[1\].mac_address"]
        # Variable to reduce data along the iRule due to the 64k limit.
        set s session.logon.custom.macgrp
        # if/else statements to validate the MAC addresses contained within each data group
        if { [class match $mac0 eq MACGRP_2001_external_bolivia] || [class match $mac1 eq MACGRP_2001_external_bolivia] } {
            ACCESS::session data set $s 1
        } elseif { [class match $mac0 eq MACGRP_2002_external_bolivia] || [class match $mac1 eq MACGRP_2002_external_bolivia] } {
            ACCESS::session data set $s 1
        } elseif { [class match $mac0 eq MACGRP_2003_external_bolivia] || [class match $mac1 eq MACGRP_2003_external_bolivia] } {
            ACCESS::session data set $s 1
            # .
            # . (Output Omitted)
            # .
        } elseif { [class match $mac0 eq MACGRP_2349_external_bolivia] || [class match $mac1 eq MACGRP_2349_external_bolivia] } {
            ACCESS::session data set $s 1
        } elseif { [class match $mac0 eq MACGRP_2350_external_bolivia] || [class match $mac1 eq MACGRP_2350_external_bolivia] } {
            ACCESS::session data set $s 1
        } elseif { [class match $mac0 eq MACADM_CHECK] || [class match $mac1 eq MACADM_CHECK] } {
            ACCESS::session data set $s 1
        }
    }
}

Cheers!

413 Views, 0 likes, 2 Comments

iRule for Outbound Pool ISP based Load Balancing
Dears, thanks in advance for your help. We have a customer who has several subnets, and each subnet needs to connect to the internet over 2 ISPs. I am going to do load balancing based on ISPs (ISP1 and ISP2); if the user is load-balanced to ISP1 then he should be source-NATted with IP 1, and if ISP2 then IP 2. And if the source IP of a user does not match any IPs, it should be source-NATted with an IP in the ISP1 range and go to that ISP (192.168.5.5).

This is the iRule I made, but I'm facing troubles matching, and pool members do not accept the connections. I think I'm making a serious mistake, like doing 2 server-side connections per 1 session, which causes the page to reset, and maybe I have a mistake in the iRule that doesn't even let it match well. Below is the iRule; I'm open to suggestions to make this easier or improve the mistakes in it, thanks a lot.

when LB_SELECTED {
    if { !([class match [IP::client_addr] equals Group2] ||
           [class match [IP::client_addr] equals wirlessEmp2Outside] ||
           [class match [IP::client_addr] equals wirlessEmp_br2Outside] ||
           [class match [IP::client_addr] equals Mail2Outside] ||
           [class match [IP::client_addr] equals wirlessGuest2Outside] ||
           [class match [IP::client_addr] equals wirlessGuest_br2Outside] ||
           [class match [IP::client_addr] equals wirlessTest2Outside]) } {
        log local0. "IP Not Found in Data Groups for [IP::client_addr] - sending to default ISP1 pool member"
        LB::detach
        pool irule_pool member 192.168.5.5
        snat 6.6.6.6
    }
    switch [LB::server addr] {
        192.168.5.5 {
            # LB pool was ISP1, so select the corresponding SNAT IP from the ISP1 groups
            if { [class match [IP::client_addr] equals User2Outside] || [class match [IP::client_addr] equals DMZ2Outside] } {
                log local0. "ISP1 source IP 1.1.1.1 was chosen for [IP::client_addr] within User2Outside or DMZ2Outside"
                snat 1.1.1.1
            } elseif { [class match [IP::client_addr] equals Group2] } {
                log local0. "ISP1 source IP 2.2.2.2 was chosen for [IP::client_addr] for Group2"
                snat 2.2.2.2
            }
        }
        192.168.5.6 {
            # LB pool was ISP2, so select the corresponding SNAT IP from ISP2
            if { [class match [IP::client_addr] equals User2Outside] || [class match [IP::client_addr] equals DMZ2Outside] } {
                log local0. "ISP2 source IP 3.3.3.3 was chosen for [IP::client_addr] within User2Outside or DMZ2Outside"
                snat 3.3.3.3
            } elseif { [class match [IP::client_addr] equals Group2] } {
                log local0. "ISP2 source IP 4.4.4.4 was chosen for [IP::client_addr] for Group2"
                snat 4.4.4.4
            }
        }
    }
}

570 Views, 0 likes, 10 Comments

Snatpool and Pool Selection based on URI
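Both posts above, the APM MAC check that walks 700 data groups in an if/elseif chain and the outbound ISP rule that strings seven `class match` calls into one condition, repeat the same lookup against many groups, where one keyed data group and a single `class match -value` lookup (which returns the record's value, or an empty string when the key is absent) does the work in constant code size. The following is an added example and is not code from either poster or from F5. The data-group names `MACGRP_ALL` and `OUTBOUND_SNAT`, their record values, the session variable `session.logon.custom.macgrp_name` and the pool, member and SNAT addresses are assumptions chosen to mirror the posts' layout. The two parts are separate iRules in practice (one on the APM virtual server, one on the outbound forwarding virtual server) and are placed in one block only for comparison. Note that the MAC comes from the endpoint's own machine-info report, so it is a posture signal to combine with authentication, not a substitute for it; the APM part therefore writes `0` before the lookup so the branch denies by default.

```tcl
# Added example (not from the posts or F5). Assumed keyed data groups, in tmsh form:
#   ltm data-group internal MACGRP_ALL { type string records {
#       F4:15:63:11:22:33 { data 1001_external_chile }
#       00:23:E9:55:66:77 { data 2350_external_bolivia }
#       F4:15:63:AA:BB:CC { data ADM_CHECK }
#   } }
#   ltm data-group internal OUTBOUND_SNAT { type address records {
#       10.10.0.0/16 { data "1.1.1.1 3.3.3.3" }
#       10.20.0.0/16 { data "2.2.2.2 4.4.4.4" }
#   } }
#   (value = "SNAT address when routed via ISP1, SNAT address when routed via ISP2")

# --- iRule A: APM machine-info MAC check, replacing the 700-branch if/elseif chain ---
when ACCESS_POLICY_AGENT_EVENT priority 410 {
    if { [ACCESS::policy agent_id] eq "macgrp" } {
        set s session.logon.custom.macgrp
        # Deny by default; only a successful lookup below sets it to 1
        ACCESS::session data set $s 0
        foreach i {0 1} {
            # Upper-case the reported MAC so the lookup is not case sensitive
            set mac [string toupper [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[$i\].mac_address"]]
            if { $mac eq "" } { continue }
            # -value returns the record's data, or "" when the key is not in the group
            set grp [class match -value $mac equals MACGRP_ALL]
            if { $grp ne "" } {
                ACCESS::session data set $s 1
                # Keep which group matched so the policy and its logs can show it (assumed variable)
                ACCESS::session data set session.logon.custom.macgrp_name $grp
                break
            }
        }
    }
}

# --- iRule B: outbound ISP selection with a single server-side selection per connection ---
when CLIENT_ACCEPTED {
    # One address-group lookup yields "snat_for_ISP1 snat_for_ISP2" for the client's subnet
    set snats [class match -value [IP::client_addr] equals OUTBOUND_SNAT]
    if { $snats eq "" } {
        # Unknown source: pin it to the ISP1 gateway and the fallback SNAT address
        log local0. "No OUTBOUND_SNAT entry for [IP::client_addr]; using default ISP1"
        pool irule_pool member 192.168.5.5
        snat 6.6.6.6
    }
}
when LB_SELECTED {
    # Runs after the pool has picked an ISP gateway; choose the SNAT that belongs to it
    if { [info exists snats] && $snats ne "" } {
        switch [LB::server addr] {
            192.168.5.5 { set snatip [lindex $snats 0] }
            192.168.5.6 { set snatip [lindex $snats 1] }
            default {
                log local0. "Unexpected member [LB::server addr] for [IP::client_addr]; SNAT unchanged"
                return
            }
        }
        snat $snatip
        log local0. "[IP::client_addr] via ISP gateway [LB::server addr] with SNAT $snatip"
    }
}
```

Adding a customer or subnet then becomes a data-group record edit rather than another `elseif`, which also keeps the iRule well under the size limit the first poster mentions. In iRule B the default case is decided once in `CLIENT_ACCEPTED`, before any load-balancing decision, so there is no second server-side selection of the kind the second poster suspects.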
Hi Guys, stuck here, been trying to work out an iRule for snatpool and pool selection based on a URI. We have an existing iRule which works on another environment (like for like); however, on the new environment for some reason it does not work. We have a URL we connect to, then by clicking on a tab it should redirect us to another pool based on the URI we selected, but it just times out and says refused to connect. This is the iRule; I had configured the logging commands and it states it does not match the URI, however this same iRule works on the old environment going to the same URI:

when HTTP_REQUEST {
    HTTP::header remove sm_user
    if { [string tolower [HTTP::uri]] starts_with "/dn" } {
        pool AC
    } else {
        SSL::disable serverside
        HTTP::header insert WL-Proxy-SSL true
        pool AC-A
    }
}

508 Views, 0 likes, 8 Comments