mr_evil_116524
Sep 20, 2013Nimbostratus
Question about vLAN isolation iRule
I have a simple iRule as follows:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::local_addr] equals x.x.x.x/xx] } {
        # Uncomment the line below to turn on logging.
        log local0. "access not allowed: [IP::local_addr]:[TCP::local_port] - reject traffic"
        reject
    } else {
        # snat using this source address
        snatpool pool_1
        # log the flow as client --> local (the original printed the local address twice)
        log local0. "SNATed, [IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port]"
    }
}
So the idea above is that if you belong to a vLAN subnet you will NOT be able to talk to the other vLAN. This rule does work, but for some reason F5 is allowing ICMP to pass through between vLANs, while if I try to, say, telnet to port 3389 or 22 from vLAN Y to vLAN W it doesn't work (this is what I expect).
Does anyone know why ICMP is allowed through even though the rule says to reject, or does ICMP require an extra bit of code to be added?
Do note that this iRule is applied to a forwarding VS where the source is 0.0.0.0/0 and the destination is also 0.0.0.0/0.
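The following is an added example, not F5 code and not the poster's iRule: it re-implements the branch logic of the CLIENT_ACCEPTED rule above in plain Python so the intended isolation matrix can be checked offline before the rule is changed. The subnet 10.20.0.0/16, the pool name and the sample flows are constructed placeholders (the post uses x.x.x.x/xx). It models only the decision the rule makes once the event fires; whether the event fires at all for ICMP on a forwarding VS is exactly the open question in the post and is not modelled here.

```python
"""Offline model of the vLAN-isolation decision made by the iRule above.

Added example, not F5 or poster code. Subnet, pool name and flows below are
constructed stand-ins for the x.x.x.x/xx and pool_1 values in the post.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the x.x.x.x/xx subnet in the iRule.
ISOLATED_SUBNET = ipaddress.ip_network("10.20.0.0/16")
SNAT_POOL = "pool_1"


@dataclass(frozen=True)
class Flow:
    """One connection as the rule would see it on a 0.0.0.0/0 forwarding VS."""
    client_addr: str   # IP::client_addr  (the sending host)
    local_addr: str    # IP::local_addr   (the destination the client sent to)
    client_port: int   # TCP::client_port
    local_port: int    # TCP::local_port


def decide(flow: Flow, isolated=ISOLATED_SUBNET):
    """Return (action, log_line) the way the rule's if/else branch does.

    The rule compares only IP::local_addr, i.e. the destination address,
    against the subnet. The client's own subnet is never consulted, so any
    flow whose destination is inside the subnet is rejected and every other
    flow is SNATed, regardless of where the client sits.
    """
    dst = ipaddress.ip_address(flow.local_addr)
    if dst in isolated:
        return ("reject",
                f"access not allowed: {flow.local_addr}:{flow.local_port} - reject traffic")
    return ("snat",
            f"SNATed via {SNAT_POOL}, {flow.client_addr}:{flow.client_port} "
            f"--> {flow.local_addr}:{flow.local_port}")


def isolation_matrix(flows):
    """Map (client, destination) -> action for a batch of flows."""
    return {(f.client_addr, f.local_addr): decide(f)[0] for f in flows}


# Constructed sample flows: vLAN W = 10.20.0.0/16 (isolated), vLAN Y = 10.30.0.0/16.
SAMPLE_FLOWS = [
    Flow("10.30.1.5", "10.20.4.9", 51000, 22),    # Y -> W, ssh: expected reject
    Flow("10.30.1.5", "10.20.4.9", 51001, 3389),  # Y -> W, rdp: expected reject
    Flow("10.20.4.9", "10.30.1.5", 51002, 22),    # W -> Y: destination outside subnet, SNATed
    Flow("10.30.1.5", "10.30.7.7", 51003, 443),   # Y -> Y: never matches, SNATed
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, line = decide(f)
        print(f"{action:6} {line}")
```

The third sample flow is the check worth running before relying on this rule: because the condition keys on the destination only, traffic originating inside the isolated subnet and leaving it is SNATed rather than rejected, so the rule blocks traffic into vLAN W, not traffic out of it. If two-way isolation is the goal, the condition needs a second test on IP::client_addr.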