Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

iRules Optimization for MAC filtering with Data Groups (If/else)

Hello Everyone,

I'm trying to figure out an optimized version of the following (currently working) iRules, in order to validate via Machine Info, the incoming MAC Address from different customers to a BIG-IP APM Access Policy.

The iRules have been validated in version 12.1 and 13. Any advice/recommendation will be welcome.

Here we have an example of the LTM Data Groups deployed:

pedro.haoa@(f5chile)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm data-group one-line
ltm data-group internal MACGRP_1001_external_chile { records { F4:15:63:11:22:33 { } F4:15:63:11:22:34 { } F4:15:63:11:22:35 { } } type string }
.
.(Output Omitted)
.
ltm data-group internal MACGRP_1370_external_chile { records { F4:15:63:44:55:66 { } F4:15:63:44:55:67 { } F4:15:63:44:55:68 { } } type string }
.
.(Output Omitted)
.
ltm data-group internal MACGRP_2001_external_bolivia { records { 00:23:E9:22:33:44 { } 00:23:E9:22:33:44 { } 00:23:E9:22:33:44 { } } type string }
.
.(Output Omitted)
.
ltm data-group internal MACGRP_2350_external_bolivia { records { 00:23:E9:55:66:77 { } 00:23:E9:55:66:78 { } 00:23:E9:55:66:79 { } } type string }
.
.(Output Omitted)
.

And here we have two iRules to validate more than 700 different Data Groups:

# BIG-IP APM Event
when ACCESS_POLICY_AGENT_EVENT priority 410 {
# Access Policy Branch Filter
if { [ACCESS::policy agent_id] eq "macgrp" } {
# Variables for LAN/WLAN Interfaces
    set mac0 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[0\].mac_address"]
    set mac1 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[1\].mac_address"]
# Variable to reduce data along the iRule due to the 64k limit.
    set s session.logon.custom.macgrp
# if/else statements to validate the MAC addresses contained within each data group
if {[class match $mac0 eq MACGRP_1001_external_chile]||[class match $mac1 eq MACGRP_1001_external_chile]} {ACCESS::session data set $s 1}
elseif {[class match $mac0 eq MACGRP_1002_external_chile]||[class match $mac1 eq MACGRP_1002_external_chile]} {ACCESS::session data set $s 1}
elseif {[class match $mac0 eq MACGRP_1003_external_chile]||[class match $mac1 eq MACGRP_1003_external_chile]} {ACCESS::session data set $s 1}
#.
#.(Output Omitted)
#.
elseif {[class match $mac0 eq MACGRP_1369_external_chile]||[class match $mac1 eq MACGRP_1369_external_chile]} {ACCESS::session data set $s 1}
elseif {[class match $mac0 eq MACGRP_1370_external_chile]||[class match $mac1 eq MACGRP_1370_external_chile]} {ACCESS::session data set $s 1}
} }

Second iRule (Split mode):

# BIG-IP APM Event
when ACCESS_POLICY_AGENT_EVENT priority 420 {
# Access Policy Branch Filter
if { [ACCESS::policy agent_id] eq "macgrp" } {
# Variables for LAN/WLAN Interfaces
#   set mac0 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[0\].mac_address"]
#   set mac1 [ACCESS::session data get "session.machine_info.last.net_adapter.list.\[1\].mac_address"]
# Variable to reduce data along the iRule due to the 64k limit.
#   set s session.logon.custom.macgrp
# if/else statements to validate the MAC addresses contained within each data group
if {[class match $mac0 eq MACGRP_2001_external_bolivia]||[class match $mac1 eq MACGRP_2001_external_bolivia]} {ACCESS::session data set $s 1}
elseif {[class match $mac0 eq MACGRP_2002_external_bolivia]||[class match $mac1 eq MACGRP_2002_external_bolivia]} {ACCESS::session data set $s 1}
elseif {[class match $mac0 eq MACGRP_2003_external_bolivia]||[class match $mac1 eq MACGRP_2003_external_bolivia]} {ACCESS::session data set $s 1}
#.
#.(Output Omitted)
#.
elseif {[class match $mac0 eq MACGRP_2349_external_bolivia]||[class match $mac1 eq MACGRP_2349_external_bolivia]} {ACCESS::session data set $s 1}
elseif {[class match $mac0 eq MACGRP_2350_external_bolivia]||[class match $mac1 eq MACGRP_2350_external_bolivia]} {ACCESS::session data set $s 1}
elseif {[class match $mac0 eq MACADM_CHECK]||[class match $mac1 eq MACADM_CHECK]} {ACCESS::session data set $s 1}
} }

Cheers!

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Instead of checking existence, wouldn't it be better to make a giant key->value pair datagroup and have the MAC searched (key) returned the number of the group matched (value).

0
Comments on this Answer
Comment made 20-Aug-2017 by Pedro Haoa

It could be.

This approach is worse because it's heavier to process. But I think this way is better in terms of management, segmentation and granularity.

Can you add more details with an example?

0