SNAT with iRules

Hi Leonardo,

 

 

- Is this configuration acceptable by our Big-IP box?

 

It should be able to do what your wanting to do. You will have to control and log the information that you are wanting (control the SNAT and logging) within an iRule. Applying this to the Virtual Server would work, but you would not be able to log the information you are wanting.

 

 

- Can this configuration impact the overall performance of the Big-IP box?

 

I am assuming that you are going to use HSL (High Speed Logging) to send the transactions to your remote server.

 

 

Depending on the load you might see some impact but I doubt that it will degrade your performance much since it is not having to process the logging locally.

 

 

- Does anyone knows if there is a maximum size of an iRule or a maximum number of configurable SNATs?

 

There are no posted maximum figures posted for the maximum number posted because that number is directly proportional to the amount of traffic that the box is passing.

 

 

Each SNAT IP Address has a maximum number of connections that it can sustain (which is the maximum number of ports per IP Address 65536). Keep in mind that each client browser will open from 3 to 6 connections on average, so you are going to want to insure that you have enough SNAT Addresses to handle the load for all of your sites.

 

 

I would suggest looking into SNAT Pools (if you just use SNAT Automap the LTM will use its own Self-IP Addresses which could cause traffic to fail if your firewalls are not allowing traffic from each of them), so that you will know what IP Addresses to expect the traffic to some from.

 

 

Hope this helps.

Hi Michael!

 

 

First of all, thanks for the reply!

 

 

Well, I am currently doing a lab to test all this items and options but obviously I'm spending a lot of time generating a iRule to implement SNAT for 15K subnets... Let's see what the testing results will show...

 

 

 

Best regards