Hi Ashish,

F5's [IP::addr] or F5's [class] command, in combination with an IP-ADDR based data-group, can be used to check if a given IP address falls in the range of a given /CIDR subnet.

The [IP::addr] command is useful if you need to compare just a few different subnets...
```tcl
if { [IP::addr [IP::client_addr] equals 91.186.192.0/19] } then {
    log local0.debug "The IP matches 91.186.192.0/19"
} elseif { [IP::addr [IP::client_addr] equals 91.186.224.0/19] } then {
    log local0.debug "The IP matches 91.186.224.0/19"
} elseif { [IP::addr [IP::client_addr] equals 91.186.0.0/16] } then {
    log local0.debug "The IP matches 91.186.0.0/16"
} else {
    log local0.debug "The IP matches none of the subnets"
}
```
Note: The order of the [if] statements is important for overlapping subnets. The check is always performed as "first-match".

Whereas the [class] command scales much better if you need to compare multiple subnets...
iRule:

```tcl
if { [set result [class lookup -value [IP::client_addr] equals DG_MY_SUBNETS]] ne "" } then {
    log local0.debug $result
}
```

Data-Group:

```
ltm data-group internal DG_MY_SUBNETS {
    records {
        91.186.192.0/19 {
            data "The IP matches 91.186.192.0/19"
        }
        91.186.224.0/19 {
            data "The IP matches 91.186.224.0/19"
        }
        91.186.0.0/16 {
            data "The IP matches 91.186.0.0/16"
        }
        0.0.0.0/0 {
            data "The IP matches none of the subnets"
        }
    }
    type ip
}
```
Note: The order of the data-group does not matter. The check is always performed as "best-match".
Cheers, Kai
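To make the difference between the two matching semantics in the answer above concrete, here is an added example (not F5 code and not part of the original post) that models both in Python: `first_match` behaves like the if/elseif chain, `best_match` like a `class lookup` against a `type ip` data-group. The record set is a constructed copy of the DG_MY_SUBNETS data-group shown above.

```python
import ipaddress

# Constructed copy of the DG_MY_SUBNETS records from the post (CIDR -> data string).
DG_MY_SUBNETS = {
    "91.186.192.0/19": "The IP matches 91.186.192.0/19",
    "91.186.224.0/19": "The IP matches 91.186.224.0/19",
    "91.186.0.0/16": "The IP matches 91.186.0.0/16",
    "0.0.0.0/0": "The IP matches none of the subnets",
}


def first_match(ip, rules):
    """Model of the [IP::addr] if/elseif chain: rules are tested in the
    given order and the first subnet containing the address wins, so a
    broad subnet listed early shadows every narrower one after it."""
    addr = ipaddress.ip_address(ip)
    for cidr, msg in rules:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return msg
    return None


def best_match(ip, data_group):
    """Model of [class lookup] on a type-ip data-group: every record is
    considered and the longest matching prefix wins, so record order is
    irrelevant and a 0.0.0.0/0 record is a safe catch-all."""
    addr = ipaddress.ip_address(ip)
    best_net, best_msg = None, None
    for cidr, msg in data_group.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_msg = net, msg
    return best_msg


if __name__ == "__main__":
    ordered = list(DG_MY_SUBNETS.items())
    for ip in ("91.186.200.5", "91.186.230.1", "91.186.10.1", "8.8.8.8"):
        print(ip, "| first-match:", first_match(ip, ordered),
              "| first-match (reversed):", first_match(ip, ordered[::-1]),
              "| best-match:", best_match(ip, DG_MY_SUBNETS))
```

Reversing the rule order breaks `first_match` (the 0.0.0.0/0 catch-all swallows everything) but leaves `best_match` unchanged, which is exactly why the data-group approach needs no ordering.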