iRule to SNAT traffic to LTM in another network

Hi Matthew,

 

 

Are you looking to do a full HTTP Redirect, or proxy the Client to the LTM in the other Datacenter through the LTM that the Client has an established connection to?

 

 

Normally you would do this with a GTM, but you can configure similar (yet not as efficient) functionality with LTM's.

 

Problem is, I would have to build a pool and VS for each site on the remote LTM, on local LTM.have you tried "node" command?

 

 

node wiki

 

https://devcentral.f5.com/wiki/iRules.node.ashx

 

 

I am looking for help with iRule to SNAT traffic and send to other LTM which is in another data center.doesn't normal "snat" command work? please also make sure upstream router has to route return packet (i.e. snat ip as destination) to bigip.

 

 

snat wiki

 

https://devcentral.f5.com/wiki/iRules.snat.ashx

Michael,

 

I'm not sure of the value on LTM myself, but VP is asking for it. I suppose it sounds more like a redirect. He wants to make sure if LTM accepts traffic, but no members available, that we SNAT the traffic over to other LTM in second data center. Would LTM accept traffic if no pool members available? To me, LTM would propagate that DC availability to GTM, which would take DC out.

 

 

Nitass,

 

Node command sounds like it would do the trick. I guess the VIP in DC2 would be the node? So I would:

 

when CLIENT_ACCEPTED {

 

if {[active_members site1-poolA] < 1}{

 

snat automap Or snatpool xxxxx [where snatpool is configured for this]

 

node xxx.xxx.xxx.xxx 80 This would be VIP in other site?

 

} else {

 

pool site1-poolA

 

}

 

}

 

node xxx.xxx.xxx.xxx 80 This would be VIP in other site?yes

So I found out the reason for this. If any apps have VIP hard coded, they could still get to site2 is site1 is down. CYA I assume.

 

I wonder if this could also be achieved by configuring site2 VIP as node on site1, adding to it's own pool say poolA-backup, then use this pool in "last hop pool" setting on site1 VIP?

 

I think there's a few different things going on here. If you need client traffic to shift to site 2 if the pool members in site 1 are down, you can:

1. Do an explicit redirect to the site 2 LTM. You would absolutely need a VIP and pool on the site 2 LTM, regardless of the option.

   when HTTP_REQUEST {
       if { [active_members site1-poolA] < 1 } {
           HTTP::redirect "https://site2-vip.com"
       }
   }
   

2. Have GTM provide this failover automatically.

3. You could technically send client traffic through the site 1 VIP to the site 2 VIP either with an iRule node command or as a priority group-assigned pool member, or even as a separate pool. Your SNAT, if you need it all all, needs to be a site 1 LTM IP address that the site LTM can respond to - not necessarily the automap SNAT.

The big question I think would be what you constitute as a failure. If the entire site goes down, options 1 and 3 won't help you.

I wonder if this could also be achieved by configuring site2 VIP as node on site1, adding to it's own pool say poolA-backup, then use this pool in "last hop pool" setting on site1 VIP?

 

yes, assigning site2 vip to pool on site1 could also work. As Kevin mentioned, snat/snat automap is used to make sure return traffic come from site2 to site1 and then client.