Chris_Phillips
Sep 13, 2006 (Nimbostratus)
Unique SNAT address with minimal overhead
Hi,
One of our pairs of F5s sits in front of a firewall, which in turn is in front of the servers. We have a lot of clients hitting virtual servers and need to retain visibility of the client IPs onwards past the BIG-IPs for debugging and logging etc. At the same time we still need to SNAT the IP address on the BIG-IPs, as otherwise the firewall can't distinguish between forwarded LTM traffic and direct hits.
As such I am thinking that the best way is to write an iRule that can basically convert any IP into a manually translatable address that is still unique. As this is likely to be used on 95% of the traffic running through the box, I am keen to ensure the overhead is as low as possible.
My thoughts initially would be to do a bit flip on the first bit of the address, i.e. do a logical AND with 127.0.0.0, so 10.x.y.z would emerge as 137.x.y.z and 192.168.y.z would emerge as 64.168.y.z (if my maths is right there...). This potentially seems simpler than adding 1 to the first octet, as it's doing it at a lower level, but here's where I'd like to open it to the floor for either a basic principle or an example iRule to do this sort of thing with the absolute minimum of impact where possible.
Hope this makes sense.
Cheers
Chris
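Added example (not from the thread, and not F5 or iRule code): a small Python model of a first-bit translation that stays unique and reversible, plus the reverse lookup a firewall or log reviewer would apply to recover the real client. It uses XOR with 128.0.0.0, which flips the first bit and is its own inverse; the client addresses and the firewall log line are constructed.

```python
import ipaddress
import re

# Mask for the first bit of an IPv4 address: 128.0.0.0 as an integer.
TOP_BIT = int(ipaddress.IPv4Address("128.0.0.0"))


def flip_top_bit(ip):
    """Translate an address by flipping its first bit (XOR 128.0.0.0).

    10.1.2.3 -> 138.1.2.3, 192.168.4.5 -> 64.168.4.5.  XOR is its own
    inverse, so the same function maps a translated address back, and
    no two clients can share a translated address.
    Caveat: reply traffic is sent to the SNAT address, so the firewall
    and servers must route the translated ranges (e.g. 138.0.0.0/8 for
    10.0.0.0/8 clients) back to the BIG-IP.
    """
    n = int(ipaddress.IPv4Address(ip))
    return str(ipaddress.IPv4Address(n ^ TOP_BIT))


def check_unique(clients):
    """True if every client gets a distinct SNAT address that round-trips
    back to the original, which is what 'manually translatable' needs."""
    translated = [flip_top_bit(c) for c in clients]
    distinct = len(set(translated)) == len(set(clients))
    reversible = all(flip_top_bit(t) == c for c, t in zip(clients, translated))
    return distinct and reversible


# The src field of a firewall log line carries the SNAT address chosen by
# the BIG-IP, not the real client; this pattern is for the constructed line.
LOG_RE = re.compile(r"src=(?P<src>\d+\.\d+\.\d+\.\d+)")


def real_client_from_log(line):
    """Recover the original client address from a firewall log line."""
    m = LOG_RE.search(line)
    return flip_top_bit(m.group("src")) if m else None


if __name__ == "__main__":
    # Constructed sample clients and one constructed firewall log line.
    sample_clients = ["10.1.2.3", "192.168.4.5", "172.16.0.9", "203.0.113.7"]
    print(check_unique(sample_clients))
    print(real_client_from_log("ACCEPT src=138.1.2.3 dst=10.9.9.9 dpt=443"))
```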