Forum Discussion

Parveez_70209
May 08, 2014

Routing Traffic via Self-IP/SNAT based on provided/allowed source subnet

Hi Team,

 

After a long gap, I am again coming back to the same topic (dividing or routing traffic through SNAT or Self-IP) where I got the concept:

 

    when CLIENT_ACCEPTED {
        # Source address listed in the data group: leave via the first SNAT address
        if { [class match [IP::client_addr] equals my_ip_datagroup] } {
            snat 1.1.1.1
        } else {
            # Any other source: leave via the second SNAT address
            snat 2.2.2.2
        }
    }

 

Now I wanted to relate this to three environments:

 

PROD: which got the environment's subnet as 10.25.128.0/24, where the Self IPs are (Floating IP: 10.25.128.99, in primary: 10.25.128.98 and in secondary LTM: 10.25.128.97)

PREP: which got the environment's subnet as 10.25.129.0/24, where the Self IPs are (Floating IP: 10.25.129.99, in primary: 10.25.129.98 and in secondary LTM: 10.25.129.97)

EDI: which got the environment's subnet as 10.25.130.0/24, where the Self IPs are (Floating IP: 10.25.130.99, in primary: 10.25.130.98 and in secondary LTM: 10.25.130.97)

1. Now the idea is to create a Data-group named PROD_ip_datagroup which will contain a source segment of 10.25.128.x and 64.x.x.x, which can only access the PROD environments.
2. Similarly, the idea is to create a Data-group named PREP_ip_datagroup which will contain a source segment of 10.25.129.x and 64.x.x.x, which can only access the PREP environments.
3. Similarly, the idea is to create a Data-group named EDI_ip_datagroup which will contain a source segment of 10.25.129.x and 64.x.x.x, which can only access the PREP environments.

 

Once the above created, idea is to have below:

 

If the Data-Group PROD_ip_datagroup source segment is matched, they are allowed to access the PROD environment (which is the 10.25.128.x subnet), and the connections will come through the new planned Self-IP, let's say 10.25.128.109. Else the connections will be through SNAT 10.25.128.99 (which is the floating IP).

 

If the Data-Group PREP_ip_datagroup source segment is matched, they are allowed to access the PROD environment (which is the 10.25.129.x subnet), and the connections will come through the new planned Self-IP, let's say 10.25.129.109. Else the connections will be through SNAT 10.25.129.99 (which is the floating IP).

 

If the Data-Group EDI_ip_datagroup source segment is matched, they are allowed to access the PROD environment (which is the 10.25.130.x subnet), and the connections will come through the new planned Self-IP, let's say 10.25.129.109. Else the connections will be through SNAT 10.25.130.99 (which is the floating IP).

 

Kindly guide how my iRule will look.

 

Quick query: let's say in all the Data-groups we have a common source, 64.x.x.x. Is there any specific condition to put in to route through different SNATs to different environments (PROD, PREP and EDI)?

 

Thanks and Regards

 

2 Replies

  • I don't think you need three different datagroups; instead, use the key/value pairing options in datagroups (just a swag on your 64.x networks):

    ltm data-group internal ipdg {
        records {
            10.25.128.0/24 {
                data snatpool-prod
            }
            10.25.129.0/24 {
                data snatpool-prep
            }
            10.25.130.0/24 {
                data snatpool-edi
            }
            64.0.128.0/24 {
                data snatpool-prod
            }
            64.0.129.0/24 {
                data snatpool-prep
            }
            64.0.130.0/24 {
                data snatpool-edi
            }
        }
        type ip
    }
    

    Each snatpool would be your 10.25.x.109 address. Then in the iRule, if there is a match on the class, snat on the class value; otherwise, use snat automap, which could be your default condition on the virtual to simplify the configuration. The datagroup will be a first match, so for your final question, you should order on best case, or put logic in the rule above your class matching to look at source and destination before making a determination.

  • Hi Jason,

     

    Thank you very much for your guidance. I made this by making the simple iRule for one environment:

     

    when CLIENT_ACCEPTED {
        # Source address listed in the data group MY_IP: leave via the floating IP
        if { [class match [IP::client_addr] equals MY_IP] } {
            snat 10.25.129.99
        } else {
            # Any other source: leave via the planned .109 address
            snat 10.25.129.109
        }
    }

     

    ==

     

    But I wanted to add/enable log local0. after each SNAT IP, which will track all the sessions of the source IP address; kindly guide how I can proceed with this.

     

    Thanks and Regards Parveez
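A complete iRule that puts together the pieces discussed in this thread: Jason's single key/value data group with a snatpool per environment and snat automap as the fallback, a source-plus-destination check for the case raised in the question where one source (the 64.x networks) is allowed into every environment, and the per-connection log line asked for in the last reply. This is an added example, not code posted by either participant. It assumes the data group ipdg and the snatpools snatpool-prod, snatpool-prep and snatpool-edi exactly as Jason defined them, plus two further data groups that are assumptions of this example: env_by_server (pool-member subnet to snatpool name) and shared_sources (the networks permitted into all three environments). The rule runs in LB_SELECTED rather than CLIENT_ACCEPTED because the chosen pool member, and therefore the destination environment, is only known at that point.

```tcl
# Added example; not from the original thread.
# Assumed objects (tmsh), in addition to Jason's "ipdg" and snatpool-prod/-prep/-edi:
#   ltm data-group internal env_by_server {
#       records { 10.25.128.0/24 { data snatpool-prod }
#                 10.25.129.0/24 { data snatpool-prep }
#                 10.25.130.0/24 { data snatpool-edi } }
#       type ip }
#   ltm data-group internal shared_sources {
#       records { 64.0.0.0/8 { } }      ;# placeholder for the thread's "64.x.x.x"
#       type ip }
#   ltm snatpool snatpool-prod { members { 10.25.128.109 } }   (and .129.109 / .130.109 for prep / edi)

when LB_SELECTED {
    # Both ends are known here: the client and the pool member that was just selected.
    set client [IP::client_addr]
    set server [IP::server_addr]

    # Environment the chosen pool member lives in, expressed as a snatpool name ("" if unknown).
    set dst_sp [class match -value $server equals env_by_server]
    # Environment this client is dedicated to, from the single key/value data group ("" if none).
    set src_sp [class match -value $client equals ipdg]

    if { $src_sp ne "" && $src_sp eq $dst_sp } {
        # Dedicated source reaching its own environment: leave via the planned .109 self IP.
        snatpool $src_sp
        set how "snatpool $src_sp"
    } elseif { $dst_sp ne "" && [class match $client equals shared_sources] } {
        # A source present in every environment cannot be decided from the client
        # address alone, so the destination environment picks the snatpool instead.
        snatpool $dst_sp
        set how "snatpool $dst_sp"
    } else {
        # Anything else: use the floating self IP on the egress VLAN.
        snat automap
        set how "snat automap"
    }

    # One line per new connection in /var/log/ltm (facility local0), tagged so it can be
    # filtered per source address, e.g. grep "client=64." /var/log/ltm
    log local0. "snat-select client=$client vs=[clientside {IP::local_addr}] server=$server via=$how"
}
```

The ordering matters: a 64.x record that Jason's ipdg maps to snatpool-prod still takes the dedicated branch when the server is in 10.25.128.0/24, and falls through to the destination-based branch when the same client is load-balanced into PREP or EDI. Logging every connection at local0 is fine for verification but is worth disabling or rate-limiting once the rule is confirmed, since /var/log/ltm grows with connection rate.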