Forum Discussion

writemike
Aug 15, 2013

SNAT Stats from an iRule

Hello, I'm currently using an iRule, on a Viprion 2400 running 11.4.0 HF2, that is handling a large amount of SNAT'd traffic with a data-group. For some reason, I am unable to see any SNAT statistics when using the "show /ltm snat" or "show /ltm snatpool" commands. I am also unable to see SNAT stats in the "Overview > Statistics > Local Traffic > Statistics Type (and select SNATs in the drop-down menu)" section. Do SNAT statistics only show up when using SNAT automap or SNAT Pools under the VS configuration? If so, any suggestions on collecting SNAT statistics when using the SNAT statement in an iRule? Thank you.

 

iRule Example:

    ltm rule SNAT-test {
        when CLIENT_ACCEPTED {
            if { [class match [IP::client_addr] equals snat-test] } {
                snat [class match -value [IP::client_addr] equals snat-test]
            } else {
                snat none
            }
        }
    }

 

3 Replies

  • uni

    The "show ltm snat" command shows statistics for SNAT objects. You don't use one, you use a so-called intelligent snat - you set the snat by address in your rule.

     

  • Another option is modifying the iRule to log stats and using the custom stats profile. Although if you find that the software behaves unexpectedly by not logging stats the way it's supposed to, feel free to open a support case.
  • uni

    I was answering someone else's question when an easy way for you to get the stats you want occurred to me.

    First, create a data-group with the client IPs and SNAT IPs in it:

    ltm data-group internal test-ip-class {
        records {
            10.1.2.3/32 { 192.168.1.1 }
            10.2.3.4/32 { 192.168.1.2 }
            10.3.4.5/32 { 192.168.1.3 }
            10.4.5.6/32 { 192.168.1.4 }
        }
        type ip
    }
    

    Then create a snatpool with each snat IP in it as well (make sure every snat address in the data-group is in the snatpool):

    ltm snatpool test-snatpool {
        members {
            192.168.1.1
            192.168.1.2
            192.168.1.3
            192.168.1.4
        }
        partition dmza
    }
    

    Then apply a rule like this to your virtual. It selects the specific member of the snatpool based on the client IP.

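    ltm rule test-snat-rule {
        when CLIENT_ACCEPTED {
            # Look up the client IP in the data-group; on a match, SNAT to the
            # mapped address as a member of test-snatpool.
            if { [class match [IP::client_addr] equals test-ip-class] } {
                snatpool test-snatpool member [class match -value [IP::client_addr] equals test-ip-class]
            }
        }
    }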
    

    Note, I haven't tested this
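
The reply above depends on every SNAT address in the data-group also being a member of the snatpool. The following check is an added example, not part of the original post or F5's tooling: it parses the two tmsh stanzas in the layout shown in the thread and lists data-group SNAT addresses missing from the snatpool. The function names and the sample config are constructed, and support for a `data` keyword and a `/Partition/` prefix is an assumption about how saved tmsh output can differ from the post.

```python
import ipaddress
import re
# Constructed sample in the tmsh layout from the post; 192.168.1.4 is deliberately
# left out of the snatpool to show the mismatch the post warns about.
SAMPLE_CONFIG = """
ltm data-group internal test-ip-class {
    records {
        10.1.2.3/32 { 192.168.1.1 }
        10.2.3.4/32 { 192.168.1.2 }
        10.3.4.5/32 { 192.168.1.3 }
        10.4.5.6/32 { 192.168.1.4 }
    }
    type ip
}
ltm snatpool test-snatpool {
    members {
        192.168.1.1
        192.168.1.2
        192.168.1.3
    }
}
"""

def block_body(config, header, block):
    """Return the text inside the named sub-block of one stanza (brace-matched)."""
    open_brace = config.index("{", config.index(block, config.index(header)))
    depth, pos = 1, open_brace + 1
    while depth and pos < len(config):
        depth += {"{": 1, "}": -1}.get(config[pos], 0)
        pos += 1
    if depth:
        raise ValueError(f"unbalanced braces in {header!r}")
    return config[open_brace + 1:pos - 1]

def datagroup_snat_map(config, name):
    """Client network -> SNAT address, i.e. what 'class match -value' returns."""
    body = block_body(config, f"ltm data-group internal {name} ", "records")
    pairs = re.findall(r"(\S+)\s*\{\s*(?:data\s+)?(\S+)\s*\}", body)
    return {ipaddress.ip_network(k, strict=False): ipaddress.ip_address(v) for k, v in pairs}

def snatpool_members(config, name):
    """Member addresses of the snatpool, ignoring any /Partition/ prefix."""
    body = block_body(config, f"ltm snatpool {name} ", "members")
    return {ipaddress.ip_address(tok.rsplit("/", 1)[-1]) for tok in body.split()}

def missing_from_snatpool(config, datagroup, snatpool):
    """SNAT addresses the rule can select that are absent from the snatpool."""
    wanted = set(datagroup_snat_map(config, datagroup).values())
    return [str(a) for a in sorted(wanted - snatpool_members(config, snatpool))]
```

Calling `missing_from_snatpool(SAMPLE_CONFIG, "test-ip-class", "test-snatpool")` on the constructed sample returns the one address that was left out; an empty list means the two objects agree.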