Forum Discussion

omar05_132659
Oct 20, 2014

which one is matching first? SNAT or iRule?

Hello folks,

Hope you could help me with this simple question about LTM behaviour.

I have just started as LTM administrator. My boss has asked me to optimize the configuration of a BIG-IP by removing unused objects. I have realized that I have two objects which seem to perform the same task. I have a virtual server which is taking mail traffic out from inside my net to the Internet by using three different ISPs' routers as the next hop. That vserver has an iRule applied which just masks the source IP by choosing one of some IPs from a SNAT pool. But my configuration also has a global SNAT which is using the same SNAT pool. So I need to know which one is working. Which one is matching first? The iRule attached to the vserver or the global SNAT?

Does someone know the order of traffic processing when having a global SNAT, a virtual server, an iRule, etc.?

Thanks in advance.

OL

5 Replies

  • THi

    It depends on which iRule event you are using, as iRules can be applied in multiple places in the packet flow. Have a look at What Lies Beneath's TCP traffic diagram. He has also done nice diagrams on iRule event order for HTTP and HTTPS.

  • Hello folks,

    Thanks a lot for responding.

    After seeing the diagram you recommended, I conclude that if there is no packet filter, the virtual server will match first, and then its iRule and the other objects inside it, even a SNAT. And then a global SNAT will match. In my case, I need to erase the global SNAT, right?

    My iRule is as follows:

    when CLIENT_ACCEPTED {
        # Both internal relays are translated through the same dedicated pool.
        if { [IP::addr [IP::client_addr] equals 10.1.1.2/32] } {
            snatpool snat_pool_mail_mydomain_dot_com
        }
        if { [IP::addr [IP::client_addr] equals 10.1.1.3/32] } {
            snatpool snat_pool_mail_mydomain_dot_com
        }
    }

  • THi

    I would prefer the use of a dedicated SNAT over a global SNAT, so limiting the SNAT effect only to where it is needed. A global SNAT is global and may later cause unwanted effects for some other packet flows and make troubleshooting more difficult. You can confirm that the SNAT is working OK fairly easily with a tcpdump.

  • I understand that traffic matching a virtual server uses the SNAT setting under the virtual server or the SNAT in the iRule (the global SNAT is not used). Only if the SNAT is set to none and there is no SNAT in the iRule will the global SNAT be used.

    If you want to make sure no other traffic is using the global SNAT, you may try resetting the global SNAT statistics (tmsh reset-stats ltm snat) and see whether they increase.
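The precedence described in the replies above, put into a dedicated iRule, as an added example that is not part of the original thread or of any poster's configuration. It replaces the two per-host branches of the original iRule with a data group lookup and makes the "otherwise" case explicit with snat none, so that traffic hitting this virtual server from any other source keeps its real address instead of silently falling through to the global SNAT. It also logs the translated source on the server side so the behaviour can be confirmed from /var/log/ltm without a packet capture. The data group name dg_mail_relays and the log wording are assumptions; the SNAT pool name is the one from the original post.

```tcl
# Added example (not from the original thread). Assumes an address data group
# "dg_mail_relays" containing the internal relays (10.1.1.2, 10.1.1.3) and the
# SNAT pool from the original post.

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals dg_mail_relays] } {
        # Known relay: translate through the dedicated pool. A snatpool chosen
        # on the virtual server (here, in its iRule) wins over any global SNAT.
        snatpool snat_pool_mail_mydomain_dot_com
    } else {
        # Anything else reaching this virtual server keeps its real source.
        # Without this branch, a matching global SNAT would still translate it,
        # which is exactly the hidden dependency the global object introduces.
        snat none
        log local0. "no SNAT for [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    }
}

when SERVER_CONNECTED {
    # Server side: IP::local_addr is the source the ISP router actually sees,
    # i.e. the pool member if a SNAT applied, otherwise the original client.
    # clientside {} reads the untranslated client address for comparison.
    log local0. "client [clientside { IP::client_addr }] leaves as [IP::local_addr] towards [IP::server_addr]:[TCP::server_port]"
}
```

Once this iRule is attached and the global SNAT removed, the server-side log line should show a member of snat_pool_mail_mydomain_dot_com for the two relays and the unchanged client address for anything else; if some other flow was relying on the global SNAT, it will surface here (or in the tmsh reset-stats ltm snat counters mentioned above) before the object is deleted.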