Forum Discussion

sose_86565
Jan 19, 2009

SNAT decision based on client IP and link availability

I have 2 ISPs that are being load balanced. I also have a list of internal IPs that we do not want to use SNATs if ISP-A is online. Can someone validate this iRule for me? The Hosts class is the list of the IPs not to NAT, and the LB-server IP listed is the IP of the link for ISP-A.

     class Hosts {
        host 128.94.2.9
        host 128.94.2.10
        host 128.94.2.11
        host 128.94.2.12
        host 128.94.2.13
        host 128.94.2.14
        host 128.94.2.15
        host 128.94.2.16
        host 128.94.2.17
        host 128.94.2.18
        host 128.94.2.19
        host 128.94.2.20
        host 128.94.2.23
        host 128.94.2.25
        host 128.94.2.52
        host 128.94.2.53
        host 128.94.2.100
        host 128.94.2.101
        host 128.94.2.103
        host 128.94.2.104
     }

     when LB_SELECTED {
        if {[matchclass [IP::client_addr] equals "$::Hosts"]} {
           if {[LB::server addr] == "128.94.240.254"} {
              snat none
           } else {
              snat automap
           }
        } else {
           snat automap
        }
     }

4 Replies

  • The logic looks fine. You could use IP::addr to perform the IP address comparison:

     when LB_SELECTED {
        if {[matchclass [IP::client_addr] equals "$::Hosts"]} {
           if {[IP::addr [LB::server addr] equals 128.94.240.254]} {
              snat none
           } else {
              snat automap
           }
        } else {
           snat automap
        }
     }

    Aaron
  • Thanks hoolio. With this rule in place, what Address Translation settings should I configure for the outbound virtual server?
  • The address translation checkbox in the VIP properties in the GUI refers to destination address only. If you have a network VIP (a VIP with a destination address that does not have a mask of 255.255.255.255) you'll need to leave address translation disabled so LTM doesn't try to change the destination address on the packets.

    Because the iRule is setting SNAT in all cases, the SNAT setting on the VIP will be overridden by the iRule so that property doesn't matter. I think you would need to have SNAT enabled on the gateway pool in order for the iRule SNAT to be used.

    Aaron
  • brice
    Along these same lines... Don't mean to hijack your thread, but it seems related...

    I am working on some link controllers handling traffic for a datacenter and office with 50 or so users. They have a main connection (about 30Mb/s) and a backup T1. I have this configured using priority group activation so the T1 is only used when the main connection is down, and everything seems to be working as expected.

    Now, if/when the main connection goes down, they do NOT want normal user traffic to pass the outbound network VIP. They want to make sure all of the bandwidth on the backup T1 will only be used for "real service traffic", and not just local users surfing Yahoo!

    My idea is to create an iRule on the outbound network VIP that looks at the IP of the node in the default_gateway_pool that was chosen, and if it's the backup T1's IP, then just drop the traffic. Does that sound like a reasonable way to handle this situation? Anyone have any better ideas? Here is what I have for the current iRule...

    when LB_SELECTED {  
            if {[IP::addr [LB::server addr] equals            drop  
            }  
      }

    Thanks in advance...

    --brice
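A single iRule covering both cases raised in this thread (the original poster's SNAT exemption on ISP-A and brice's idea of keeping user traffic off the backup T1), written here as an added example and not taken from any post above; it assumes the v9-style Hosts class from the first post, a hypothetical second class named ServiceHosts listing the sources allowed on the backup link, and a placeholder for the backup gateway address, which the thread never gives.

```tcl
# Added example, not code from the thread.
# Assumptions: class Hosts = internal hosts exempt from SNAT (from the
# original post); class ServiceHosts = hypothetical class of sources allowed
# to use the backup T1; 128.94.240.254 = ISP-A gateway (from the original
# post); 192.0.2.1 = PLACEHOLDER for the backup T1 gateway address.
when LB_SELECTED {
   set gw     [LB::server addr]
   set client [IP::client_addr]

   # Backup T1 chosen (primary link down): only listed service sources pass,
   # everything else is dropped and logged so the event is visible.
   if { [IP::addr $gw equals 192.0.2.1] } {
      if { [matchclass $client equals $::ServiceHosts] } {
         snat automap
      } else {
         log local0. "Backup link selected; dropping user traffic from $client"
         drop
      }
      return
   }

   # ISP-A chosen: hosts in the Hosts class keep their own address,
   # all other clients are SNATed via automap.
   if { [IP::addr $gw equals 128.94.240.254] } {
      if { [matchclass $client equals $::Hosts] } {
         snat none
      } else {
         snat automap
      }
      return
   }

   # Any other gateway: default to automap.
   snat automap
}
```

The drop branch fires after pool selection, so the backup link's pool member must still be up for the rule to see it; check the LTM log for the dropped-traffic line to confirm the branch is taken during a primary-link outage.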