Is there any way in a traffic policy to match on IP address?

Is there any way in a local traffic policy to match on IP address? For example, being able to say, "If the source IP is such and such, do this", or "If the destination IP is such and such, do that?" I can't seem to find any way to do this. If it's not available, is there any way to suggest this as a feature?

Specific Scenario: I have an ASM farm configuration. Various VIPs on the LTM send traffic to the ASM farm for processing. To make administration easier and cut down on IP address usage, each ASM has a single VIP for processing. The LTMs each use a different SNAT address when sending traffic to the ASMs, and I would like to be able to apply a different APM policy depending on the source IP address of the traffic.

I've had this setup working since the 10.2 days using HTTP classes and an iRule: the iRule looks up the IP source addresses in a datagroup file, and then does an HTTP class match to select an HTTP class containing that ASM policy.

The problem is I'm stuck on 11.3 because HTTP classes have gone away in 11.4, and are replaced with local traffic policies. But there is no equivalent "local traffic policy match" iRule command to pick a specific traffic policy containing my ASM policy, and the local traffic policy also doesn't seem to have any way to write a rule that matches based on source address. So I'm concerned that there is no equivalent functionality to what I could do before, and that there is no way to move forward without re-architecting unless I can get the local traffic policy to match on source address somehow.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Is there any way in a local traffic policy to match on IP address? For example, being able to say, "If the source IP is such and such, do this", or "If the destination IP is such and such, do that?"

It is available in 11.6.0.

ID409418 - CPM needs IP address/subnet matching

In the meantime, is ASM::enable useful?

ASM::enable
https://devcentral.f5.com/wiki/iRules.ASM__enable.ashx

Comments on this Answer
Comment made 04-Jan-2016 by Craig Jackson 57
I'm running 11.6.0 HF5 and I can't see how to do this. I don't see Client IP in the list of things which can be selected in a rule -- only GeoIP and a bunch of http header things. Can you supply some more information?
Comment made 26-Oct-2017 by Javier Somoza 122

I'm using this policy condition in v13 to filter based on source IP:

“TCP” – “address” – “matches” – “in datagroup” – at “request” time (apply traffic on “remote” side of “external” interface)

Also see:

F5 BIGIP – Bug when using datagroups in LTM policies

https://somoit.net/f5-big-ip/f5-bigip-bug-when-using-datagroups-in-ltm-policies

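A sketch of the ASM::enable approach suggested in the answer above, added here as an example and not taken from the thread or from F5: an iRule that maps the source (SNAT) address to an ASM policy through a data group. The data group name, its records and the policy paths are hypothetical, and the rule assumes the virtual server already has an ASM-enabled policy attached so that ASM::enable is permitted.

```tcl
# Added example, not from the original thread.
# Assumed (hypothetical) address-type data group "asm_policy_by_snat":
#   key   = SNAT address the LTM uses toward this ASM virtual server
#   value = full path of the ASM policy to apply
# Constructed sample records:
#   192.0.2.10 := /Common/asm_policy_site_a
#   192.0.2.20 := /Common/asm_policy_site_b
when HTTP_REQUEST {
    # Source address as seen by the ASM virtual server (the LTM's SNAT address)
    set src [IP::client_addr]

    # Returns the record's value, or an empty string when nothing matches
    set asm_policy [class match -value $src equals asm_policy_by_snat]

    if { $asm_policy ne "" } {
        # Select the ASM policy mapped to this source address
        ASM::enable $asm_policy
    } else {
        # Unmapped source: fail closed instead of passing traffic uninspected
        log local0.warning "No ASM policy mapped for source $src, rejecting"
        reject
    }
}
```

Rejecting unmapped sources is a design choice in this sketch; it keeps a missing data group record from silently sending requests through without the intended ASM policy.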
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This is great, thanks!
