Forum Discussion

jdiaz_170339
Apr 08, 2015

iRule to isolate node

I need help with an iRule. I have BigIP LTM v11.6 HF4

We have a webfarm configuration that runs a primary server node and several secondaries. What I want to accomplish, is to ensure that when somebody connects from our corporate office, they connect to the primary node's website (so files and data can be updated and such). However, I don't want anybody from the outside world (non corp) to be able to hit the primary server's page. Currently, I have an iRule that forces people from my corp office (38.1.0.1 in this example) and locks them into the primary node (192.168.1.100) on port 80 so website content can be updated. See below:

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 38.1.0.1] } {
        node 192.168.1.100 80
    }
}

I think that I should use some kind of "else CLIENT_REJECT" statement, or "else redirect". This way, I can protect access to my primary server, but still allow visitors to the page (via one of the secondary servers). Can this be done?

Hope this makes sense,

Thanks!

JD

3 Replies

  • shaggy

    Should corporate users use the secondary nodes if the primary node is offline?

    If so, I would create two separate pools - one with all pool members (primary and secondary) using priority group activation to use the primary server if it's available, and another pool that only contains secondary nodes.

    The iRule would be very similar:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 38.1.0.1] } {
            pool primary-secondary_pool
        } else {
            pool secondary_pool
        }
    }

  • Thank you! If primary is offline, yes corp can / should use secondary nodes. The two pool solution sounds good.

    As I understand it, I should leave the pool that contains all members as the default pool for the virtual server, and then the iRule would handle the redirect to the pool that contains only the primary server.

    At the pool level, the Priority Group activation should be set to "less than" 1 available member for the "new" primary only pool, but for the pool that contains all the nodes, Priority Group activation should remain disabled?

    Sound correct?

    Thanks again.

    • shaggy
      There won't be a pool that contains only the primary server. The two pools would be - 1) a pool with all members and priority group activation enabled (less than 1, and the primary node has the highest priority) and 2) a pool with only secondary servers (no priority group activation). The default pool shouldn't matter since the iRule will make all pool decisions in this configuration. Does this VS have persistence enabled?
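The two-pool design shaggy describes, written out as a complete iRule with the matching pool definitions shown as tmsh commands in the header comment. This is an added example, not code from the thread; it assumes an address-type data group named corp_net holding the corporate source addresses (so the office range can later be widened beyond the single 38.1.0.1 without editing the rule), a constructed secondary member address 192.168.1.101, and the pool names from shaggy's reply.

```tcl
# Assumed supporting configuration (tmsh), not part of the thread:
#
#   # All members. The primary gets the highest priority-group value and is
#   # used whenever it is available. min-active-members 1 is the "less than
#   # 1 available member" priority group activation setting. A health monitor
#   # is required: without one the primary is never marked down, so corporate
#   # users would never fail over to the secondaries.
#   create ltm pool primary-secondary_pool monitor http min-active-members 1 \
#       members add { 192.168.1.100:80 { priority-group 10 } \
#                     192.168.1.101:80 { priority-group 5 } }
#
#   # Secondaries only. The primary is not a member, so no client routed
#   # here can reach it regardless of load-balancing or persistence state.
#   create ltm pool secondary_pool monitor http \
#       members add { 192.168.1.101:80 }
#
#   # Corporate source addresses (address-type data group; CIDR entries
#   # such as 38.1.0.0/24 are matched as subnets by "class match").
#   create ltm data-group internal corp_net type ip \
#       records add { 38.1.0.1 { } }

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals corp_net] } {
        # Corporate client: prefer the primary, and fall back to the
        # secondaries automatically when the monitor marks the primary down.
        pool primary-secondary_pool
        # Audit trail of who was given a path to the primary node.
        log local0.info "corp client [IP::client_addr] -> primary-secondary_pool"
    } else {
        # Everyone else: the pool that never contains the primary.
        # This is the default-deny for 192.168.1.100 the original post wanted.
        pool secondary_pool
    }
}
```

Because every connection is steered by the iRule, the virtual server's default pool only matters if the rule is later removed; pointing it at secondary_pool keeps the primary unreachable even in that case.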