Forum Discussion
Policy Routing in Multi-Arm Deployment
- Aug 27, 2018
I think this may be an environmental issue. I tested the REST command (changing the destination host and BIG-IP version) using a similar policy name on versions 14.0.0, 13.1.0.8, and 12.1.3. The error was not reproduced.
Here are my tests & results:
12.1.3
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules '{"kind":"tm:security:firewall:policy:policycollectionstate","selfLink":"https://192.168.1.98/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=12.1.3","items":[{"rulesReference":{"link":"https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=12.1.3","isSubcollection":true}},{"rulesReference":{"link":"https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=12.1.3","isSubcollection":true}},{"rulesReference":{"link":"https://192.168.1.98/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=12.1.3","isSubcollection":true}}]}'
Result
{"kind":"tm:security:firewall:policy:rules:rulescollectionstate","selfLink":";:[{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"self-protect","fullPath":"self-protect","generation":85,"selfLink":";:{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"no-icmp-ipv6","fullPath":"no-icmp-ipv6","generation":86,"selfLink":";:{},"source":{"identity":{}},"icmp":[{"name":"255"}]}]}
13.1.0.8
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules '{"kind":"tm:security:firewall:policy:policycollectionstate","selfLink":"https://192.168.1.74/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=13.1.0.8","items":[{"rulesReference":{"link":"https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=13.1.0.8","isSubcollection":true}},{"rulesReference":{"link":"https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=13.1.0.8","isSubcollection":true}},{"rulesReference":{"link":"https://192.168.1.74/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=13.1.0.8","isSubcollection":true}}]}'
Result
{"kind":"tm:security:firewall:policy:rules:rulescollectionstate","selfLink":";:[{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"no-udp","fullPath":"no-udp","generation":207,"selfLink":" UDP","ipProtocol":"udp","iruleSampleRate":1,"log":"no","status":"enabled","destination":{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"no-ipv6-icmp","fullPath":"no-ipv6-icmp","generation":81,"selfLink":";:{},"source":{"identity":{}}}]}
14.0.0
curl -sk -u admin:admin -H "Content-Type: application/json" -X GET https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules '{"kind":"tm:security:firewall:policy:policycollectionstate","selfLink":"https://192.168.1.69/mgmt/tm/security/firewall/policy?$select=rulesReference&ver=14.0.0","items":[{"rulesReference":{"link":"https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~DDCBU-Global/rules?ver=14.0.0","isSubcollection":true}},{"rulesReference":{"link":"https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~DDCBU-management/rules?ver=14.0.0","isSubcollection":true}},{"rulesReference":{"link":"https://192.168.1.69/mgmt/tm/security/firewall/policy/~Common~self-protect/rules?ver=14.0.0","isSubcollection":true}}]}'
Result
{"kind":"tm:security:firewall:policy:rules:rulescollectionstate","selfLink":";:[{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"block-ping-ipv4","fullPath":"block-ping-ipv4","generation":277,"selfLink":";:{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"do-nothing-rule","fullPath":"do-nothing-rule","generation":276,"selfLink":";:{},"source":{"identity":{}}},{"kind":"tm:security:firewall:policy:rules:rulesstate","name":"self-protect","fullPath":"self-protect","generation":275,"selfLink":";:{},"source":{"identity":{}},"icmp":[{"name":"1:3"},{"name":"255"}]}]}
Hi mOjO,
using iRules is the only way of setting up Policy-Based Routing (PBR) based on SRC_IP and DST_IP. The [class match] syntax of the iRule outlined in K20510467 is just "one" example of how your PBR could be set up. You may also use native [if] expressions or [switch] statements to express your needs.
When designing such a PBR, elect the most used routing scenario as your "default" and use F5's routing table to establish that routing as usual. Then use the iRule to overwrite routing decisions based on your needs.
when CLIENT_ACCEPTED {
    if { ( [IP::addr [IP::client_addr] equals "10.0.0.0/8"] )
         and ( [IP::addr [IP::local_addr] equals "10.0.0.0/8"] ) } then {
        # Let the built-in routing table forward traffic for:
        #
        # src=10.0.0.0/8 to DST=10.0.0.0/8
    } elseif { ( ( [IP::addr [IP::client_addr] equals "172.16.0.0/12"] )
                 or ( [IP::addr [IP::client_addr] equals "192.168.0.0/24"] ) )
               and ( ( [IP::addr [IP::local_addr] equals "172.16.0.0/12"] )
                     or ( [IP::addr [IP::local_addr] equals "192.168.0.0/24"] ) ) } then {
        # Let the built-in routing table forward traffic for:
        #
        # src=172.16.0.0/12 or src=192.168.0.0/24 to DST=172.16.0.0/12 or DST=192.168.0.0/24
    } elseif { ( [IP::addr [IP::client_addr] equals "10.0.0.0/8"] )
               and ( [IP::addr [IP::local_addr] equals "20.20.20.0/24"] ) } then {
        # Overwrite next hop to GW=10.10.10.1 for:
        #
        # src=10.0.0.0/8 to DST=20.20.20.0/24
        nexthop 10.10.10.1
    } elseif { [IP::addr [IP::client_addr] equals "10.0.0.0/8"] } then {
        # Overwrite next hop to GW=10.10.20.1 for:
        #
        # src=10.0.0.0/8 to DST=REMAINING DESTINATIONS
        # (this catch-all must stay below the more specific 20.20.20.0/24 branch)
        nexthop 10.10.20.1
    } else {
        # Let the built-in routing table handle remaining traffic...
    }
}
Cheers, Kai
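The if/elseif chain above is first-match: the order of the branches decides which next hop a flow gets, and a catch-all placed too early silently shadows every more specific branch below it. The following Python script is an added example, not part of the thread and not F5 code; it models the same ordered decision table with the standard-library ipaddress module so the routing decisions and the branch ordering can be checked offline before the iRule is deployed. The prefixes and next hops are the ones from Kai's iRule; the flows fed through it are constructed test values.

```python
"""Offline evaluator for a first-match policy-based-routing (PBR) table.

Added example (not from the original thread, not F5 code).  It mirrors the
CLIENT_ACCEPTED if/elseif chain: each entry is tried in order and the first
one whose source AND destination prefixes match decides the outcome.
"""
from ipaddress import ip_address, ip_network

# Ordered rule table copied from the iRule branches.  Each entry is
# (source prefixes, destination prefixes, next hop).  A next hop of None
# means "leave it to the BIG-IP routing table" (the branch does nothing);
# the string "any" matches every address.
PBR_TABLE = [
    (["10.0.0.0/8"], ["10.0.0.0/8"], None),
    (["172.16.0.0/12", "192.168.0.0/24"],
     ["172.16.0.0/12", "192.168.0.0/24"], None),
    (["10.0.0.0/8"], ["20.20.20.0/24"], "10.10.10.1"),
    (["10.0.0.0/8"], ["any"], "10.10.20.1"),
]


def _matches(addr, prefixes):
    """True if addr lies inside any of the prefixes ("any" matches all)."""
    a = ip_address(addr)
    return any(p == "any" or a in ip_network(p, strict=False) for p in prefixes)


def next_hop(src, dst, table=PBR_TABLE):
    """Return the next hop chosen by the first matching rule, or None when
    no rule overrides the routing table (first-match elseif semantics)."""
    for srcs, dsts, hop in table:
        if _matches(src, srcs) and _matches(dst, dsts):
            return hop
    return None


def _covers(wide, narrow):
    """True if every prefix in `narrow` is contained in some prefix of `wide`."""
    return all(
        any(w == "any" or (n != "any" and
                           ip_network(n, strict=False).subnet_of(
                               ip_network(w, strict=False)))
            for w in wide)
        for n in narrow)


def shadowed_rules(table=PBR_TABLE):
    """Indexes of rules that can never match because an earlier rule already
    covers every (src, dst) pair they could match.  This is the ordering
    mistake that breaks a PBR chain: a catch-all above a specific branch."""
    shadowed = []
    for i, (srcs, dsts, _) in enumerate(table):
        for earlier_srcs, earlier_dsts, _ in table[:i]:
            if _covers(earlier_srcs, srcs) and _covers(earlier_dsts, dsts):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed flows, one per branch of the iRule plus a fall-through case.
    flows = [("10.1.2.3", "10.9.9.9"), ("172.16.5.5", "192.168.0.7"),
             ("10.1.2.3", "20.20.20.5"), ("10.1.2.3", "8.8.8.8"),
             ("192.168.0.7", "8.8.8.8")]
    for src, dst in flows:
        hop = next_hop(src, dst)
        print(f"{src:>12} -> {dst:<12} : {hop or 'routing table'}")
    print("shadowed rules in PBR_TABLE:", shadowed_rules())
    # Swap the last two branches to show how the specific 20.20.20.0/24 rule
    # becomes unreachable behind the 10.0.0.0/8 -> any catch-all.
    swapped = PBR_TABLE[:2] + [PBR_TABLE[3], PBR_TABLE[2]]
    print("shadowed rules after swapping the last two:", shadowed_rules(swapped))
```

Run it as a script to see each constructed flow's decision; the swapped table at the end reports rule index 3 as unreachable, which is the exact failure the comment on the catch-all branch warns about. When the table is extended with new prefixes, running shadowed_rules() before editing the iRule catches an ordering mistake that the BIG-IP itself would accept without complaint.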