Forum Discussion

Sofiane_86327
Feb 24, 2011

gateway pool selection based on source IP address

hi guys,

I am in charge of deploying a Big-IP Link Controller v10.2.1; this is my first experience with this product.

This is my issue:

As depicted in the diagram below, we have 4 ISP links. The idea is to use 2 links for publishing services (www, mail, ...) and two links for corporate users' internet access.

    ISP1   ISP2   ISP3   ISP4
       \     |     |     /
        \    |     |    /
      ----------------------
      |       Big-IP       |
      ----------------------
                | 172.16.10.254
                |
                |
      ----------------------
      |    cisco router    |
      ----------------------
          |            |
          |            |
     172.16.30.X    10.X.X.X

I did some research in your forums, and it seems the solution is to create an iRule which filters traffic coming from the 10.x network and associates the correct GW pool with it, and to associate this iRule with the default VS (0.0.0.0):

    when CLIENT_ACCEPTED {
        # send clients whose address text begins with "10." to the corporate gateway pool
        if { [IP::client_addr] starts_with "10." } {
            pool GW_Pool_Corporate
        }
    }

My question is:

- Does this make sense? Is it the correct solution?
- Is the iRule correct for this issue?
- Do I have to specify a SNAT pool?

Regards,
sofiane

5 Replies

  • I had to do something very similar and you're off to a great start. You'll want to use a SNAT pool so LC can use the right SNAT per link.
  • Also, you can use IP::addr to perform a bit level comparison of the IP addresses. This should be more efficient and functional than just doing a string comparison to see if the client IP starts with "10.":

    http://devcentral.f5.com/wiki/default.aspx/iRules/ip__addr

    Aaron
  • Also, if you only want traffic from one VLAN to use any of the outbound links, you could enable the 0.0.0.0 virtual server just on that inbound VLAN and avoid an iRule.

    Aaron
  • hi guys,

    Thanks for your quick reply.

    Based on your answers, this iRule should do the job:

        when CLIENT_ACCEPTED {
            # bit-level match on 10.0.0.0/8 (no space before the /8 mask)
            if { [IP::addr [IP::client_addr]/8 equals 10.0.0.0] } {
                pool my_pool
                # snatpool selects a SNAT pool; snat expects an address or automap
                snatpool snat_pool
            }
        }

    Aaron, the traffic from the two internal networks arrives on the same VLAN since it transits through a Cisco router! Am I right?

    thanks
  • You're correct. If the clients are coming into LTM on the same VLAN, then you'll need an iRule to separate the traffic to different pools.

    Aaron
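
Added example (not part of the thread, and not F5 code): a Python model of the two tests discussed in the replies, the string starts_with check and the masked comparison done with IP::addr, run over constructed sample addresses. It goes beyond the thread's 10.0.0.0/8 case to a 172.16.0.0/12 network, an assumption chosen to show a mask that does not fall on an octet boundary; the function names are hypothetical.

```python
import ipaddress

# Constructed sample client addresses (not taken from the thread).
SAMPLE = ["10.1.2.3", "100.1.2.3", "172.16.30.7", "172.17.0.9", "172.160.0.1"]

def string_match(client_addr, prefix):
    """Text test, like: [IP::client_addr] starts_with "10."."""
    return client_addr.startswith(prefix)

def masked_match(client_addr, network):
    """Bit-level test, like: [IP::addr [IP::client_addr]/8 equals 10.0.0.0]."""
    net = ipaddress.ip_network(network)
    addr = ipaddress.ip_address(client_addr)
    if addr.version != net.version:
        return False
    # Keep only the network bits of the client address, then compare.
    return (int(addr) & int(net.netmask)) == int(net.network_address)

def disagreements(prefix, network, addrs=SAMPLE):
    """Addresses that the string test and the masked test classify differently."""
    return [a for a in addrs if string_match(a, prefix) != masked_match(a, network)]

def select_pool(client_addr):
    """Pool choice of the thread's iRule; None means the rule selects no pool."""
    return "GW_Pool_Corporate" if masked_match(client_addr, "10.0.0.0/8") else None

if __name__ == "__main__":
    cases = [("10.", "10.0.0.0/8"), ("10", "10.0.0.0/8"),
             ("172.16.", "172.16.0.0/12"), ("172.1", "172.16.0.0/12")]
    for prefix, network in cases:
        print(f"{prefix!r:10} vs {network:15} differ on {disagreements(prefix, network)}")
    for a in SAMPLE:
        print(a, "->", select_pool(a))
```

On these samples the "10." prefix and the /8 mask agree, while no single string prefix reproduces the /12 network: "172.16." misses an address inside it and "172.1" admits one outside it.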