Forum Discussion

smp_86112
Oct 28, 2009

SNAT to designated Pool Members without iRule

I know this is asking a lot...

Consider a pool with two pool members. One member is in a LTM VLAN, and another is not. If I envision this correctly in my head, forwarding will fail to the member which is not in the LTM VLAN. I am wondering if it's possible to enable a SNAT to only a pool member which needs it (i.e. not in a LTM VLAN). But here's the trick - I want to find out if it's possible to do this without an iRule.

To give you some color, we are considering how the LTM might allow us to load-balance pool members who are in different physical data centers. Those two data centers do not share the same IP network or VLAN. One of those data center networks is routed by the LTM, and the other is not. I am trying to figure out if it's possible to route to both pool members when one is in a BigIP VLAN and the other not. I assume I would need SNAT to the member which is not in the BigIP VLAN. But we have so much traffic routed through the LTM that we will bring it down if we force every session to be processed by an iRule.

1 Reply

  • Hi Scott,

    I think you'll need an iRule as the SNAT configuration you can add to a virtual server doesn't allow you to enable SNAT based on destination IP addresses/subnets.

    A selective SNAT iRule should be relatively low overhead and provide the functionality you're needing without having to explicitly define which pool members need SNAT and which ones don't:

    http://devcentral.f5.com/wiki/default.aspx/iRules/SelectiveSNAT.html

    You could try adapting this to check if the LB::server addr is not in the same subnet as the self IP address that will be used to SNAT the request. You'd probably need to hardcode this subnet in the iRule.

    Aaron
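The adaptation suggested in the reply above could look like the following iRule. It is an added example, not part of the original thread and not the linked SelectiveSNAT rule; the subnet 10.10.20.0/24 is a constructed placeholder for the LTM VLAN that holds the self IP.

```tcl
# Added illustration: SNAT only when the selected pool member is outside
# the LTM-routed subnet.
# Assumption: 10.10.20.0/255.255.255.0 (constructed value) is the subnet of
# the LTM VLAN; members inside it already route their replies via the LTM.
when LB_SELECTED {
    # LB_SELECTED runs after the load-balancing decision (and again on a
    # reselect), so the check always sees the member actually chosen.
    if { [IP::addr [LB::server addr] equals 10.10.20.0/255.255.255.0] } {
        # Member sits on an LTM VLAN: leave the client source address as is.
        snat none
    } else {
        # Member is in the other data center, reached over a routed path:
        # translate the source so the reply comes back through the LTM.
        snat automap
    }
}
```

Connections sent to the SNATed member arrive from the LTM's address rather than the client's, so that server's access logs and any source-IP access controls on it no longer see the real client address.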