Scott_Hopkins (Nimbostratus)
Jul 06, 2008
Question on LTM Wild Card Virtual Servers
If a host (with a BigIP as its default gateway) establishes a new connection to the BigIP, in what order will it apply Virtual Server, SNAT and Wild-Card Virtual Server configurations?
Our situation:
We currently have multiple hosts behind our LTM devices that not only serve requests via Virtual Servers, but also communicate directly with some of the client hosts. Due to infrastructure requirements (an effort to keep the number of participants in our routing infrastructure low), the LTM does not have an active part in routing, and currently drops all traffic on the floor that is not either a response or covered by a SNAT.
This means that any clients communicating through the VIP (which get routed back to the LTM via static routes) can only communicate via the BigIP (and therefore lose direct communication with the application servers), unless we add a SNAT for the client host (which requires additional static routes on the client machines).
We're looking to change this by using a wild-card virtual server for each VLAN, with an iRule that would either SNAT the traffic outbound or force the traffic to the router for that VLAN. This would coincide with making the LTM the default gateway for all of these machines. I've seen some of the other multi-gateway routing threads, and wondered if the LTM would work like this:
VIRTUAL SERVER:
Is the destination IP a virtual server I host?
Yes: send traffic to the virtual server.
No: fall through to SNAT.
SNAT:
Do I have a SNAT rule for this source IP?
Yes: use the SNAT.
No: fall through to the Wild-Card Virtual Server (WC-VS).
WC-VS:
Use an iRule to determine how to process the traffic (iRule below).
iRule
Pre-defined Classes / Data Groups:
routed_network_list = list of IPs/subnets that require a routable address
local_srvr_list = list of servers that need to be SNAT'ed to allow direct machine-to-machine communication
when CLIENT_ACCEPTED {
    # matchclass ... equals $::class is the v9 data-group syntax;
    # first matching branch wins, top to bottom.
    if { [matchclass [IP::remote_addr] equals $::routed_network_list] } {
        # SNAT traffic to the routable networks
        snat 64.x.x.52
    } elseif { [matchclass [IP::remote_addr] equals $::local_srvr_list] } {
        # SNAT traffic to the other internal machines
        snat 10.10.8.3
    } else {
        # Drop to the default router for this VLAN.
        node 10.10.8.1
    }
}
If not, how does it decide what to apply first? Does this seem like a reasonable approach, or is there a better way to achieve what we are looking for?
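Below is an added example, not part of the original post and not F5 code, that models the three-stage lookup order the post proposes (virtual server by destination, then SNAT by source, then the wild-card virtual server with its iRule) so the branch each flow would take can be checked offline. It models only the order the post assumes, not BIG-IP's actual precedence. All addresses are hypothetical stand-ins: `203.0.113.52` stands in for the post's `64.x.x.52`, `203.0.113.51` for a pre-existing SNAT, and the `192.0.2.10` virtual server and the class contents are constructed for the example.

```python
"""Model of the lookup order proposed in the post:
virtual server (by destination) -> SNAT (by source) -> wildcard VS + iRule.
Constructed example with hypothetical addresses; it reproduces the order the
post assumes, not BIG-IP's actual precedence.
"""
import ipaddress
from typing import Dict, List, Tuple

Action = Tuple[str, str]  # (verb, target), e.g. ("snat", "10.10.8.3")

# Hypothetical configuration standing in for the post's objects.
VIRTUAL_SERVERS: Dict[str, str] = {"192.0.2.10": "vs_web_pool"}      # dst IP -> pool
SNAT_RULES: Dict[str, str] = {"10.10.8.20/32": "203.0.113.51"}       # src -> SNAT addr
ROUTED_NETWORK_LIST: List[str] = ["198.51.100.0/24"]                 # routed_network_list
LOCAL_SRVR_LIST: List[str] = ["10.10.8.40/32", "10.10.8.41/32"]      # local_srvr_list
ROUTED_SNAT = "203.0.113.52"   # stand-in for the post's 64.x.x.52
LOCAL_SNAT = "10.10.8.3"
VLAN_ROUTER = "10.10.8.1"


def matchclass(addr: str, entries: List[str]) -> bool:
    """Address-class membership, the way `matchclass $addr equals $::class`
    is used in the post: true if addr is in any host or CIDR entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def wildcard_irule(remote_addr: str) -> Action:
    """The post's CLIENT_ACCEPTED logic; the first matching branch wins, so a
    source listed in both classes always gets the routed SNAT."""
    if matchclass(remote_addr, ROUTED_NETWORK_LIST):
        return ("snat", ROUTED_SNAT)
    if matchclass(remote_addr, LOCAL_SRVR_LIST):
        return ("snat", LOCAL_SNAT)
    return ("node", VLAN_ROUTER)


def dispatch(src: str, dst: str) -> Tuple[str, Action]:
    """Walk the three stages in the order the post assumes and report which
    stage claimed the flow and what it did."""
    if dst in VIRTUAL_SERVERS:
        return ("virtual_server", ("pool", VIRTUAL_SERVERS[dst]))
    for entry, snat_addr in SNAT_RULES.items():
        if matchclass(src, [entry]):
            return ("snat", ("snat", snat_addr))
    return ("wildcard_vs", wildcard_irule(src))


if __name__ == "__main__":
    # Constructed flows covering each branch.
    for src, dst in [("10.10.8.40", "192.0.2.10"),
                     ("10.10.8.20", "198.51.100.5"),
                     ("198.51.100.7", "10.10.8.40"),
                     ("10.10.8.40", "10.10.8.41"),
                     ("10.10.9.5", "198.51.100.9")]:
        stage, (verb, target) = dispatch(src, dst)
        print(f"{src} -> {dst}: {stage}: {verb} {target}")
```

Running it shows where each flow stops: a hit on a hosted virtual server never reaches the SNAT or wildcard stages, a source with its own SNAT never reaches the iRule, and everything else is classified by the iRule's first matching branch, which is the point to check when a host appears in both data groups.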