Forum Discussion
IP Forwarding VIP - Access List
Hi,
I've put together the following iRule to prevent two subnets communicating via the virtual forwarding VIP.
We have several VLANs behind the LTM, two of which cannot communicate with each other for compliance reasons. We use a forwarding VIP so that web servers can make outbound calls and we can connect to each individual web server over a WAN connection for testing purposes.
I did consider changing to using SNATs and removing the forwarding VIP; however, this would also require changes on firewalls and routers and subsequently could get quite messy.
What I'd like to ask is whether the following iRule looks correct (I currently lack a test environment to confirm this), or if SNAT would be a better solution to prevent the two VLANs from communicating.
Thanks in advance
Lee
when CLIENT_ACCEPTED {
    # Note: TCP::client_port and TCP::local_port are only valid for TCP flows. If the forwarding
    # VIP also carries UDP or ICMP, guard them with [IP::protocol] or log addresses only.
    if { [class match [IP::client_addr] equals win_web_LIVE_front_subnet] and [class match [IP::local_addr] equals lin_web_LIVE_front_subnet] } {
        # Source in the Windows front subnet, destination in the Linux front subnet: deny
        log local0. "DENIED TRAFFIC Windows to Linux: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        # reject sends a TCP RST to the client and drops the connection
        reject
    } elseif { [class match [IP::client_addr] equals lin_web_LIVE_front_subnet] and [class match [IP::local_addr] equals win_web_LIVE_front_subnet] } {
        # Source in the Linux front subnet, destination in the Windows front subnet: deny
        log local0. "DENIED TRAFFIC Linux to Windows: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        reject
    } else {
        # Permit all other traffic
        log local0. "PERMITTED TRAFFIC: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        forward
    }
}
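Since the post mentions having no test environment, here is an added example (not part of the post or of F5's own tooling): a small Python model of the rule's decision logic, with constructed placeholder subnets standing in for the two address data groups, so the deny-both-directions / permit-everything-else behaviour can be checked offline against sample flows.

```python
import ipaddress

# Constructed address data groups (placeholder subnets, not the poster's real ranges).
# An address-type data group tested with "class match ... equals" is a subnet-containment check.
DATA_GROUPS = {
    "win_web_LIVE_front_subnet": ["192.0.2.0/24"],
    "lin_web_LIVE_front_subnet": ["198.51.100.0/24"],
}


def class_match(addr, group):
    """Model of [class match $addr equals $group] for an address data group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in DATA_GROUPS[group])


def policy(client_addr, local_addr, proto="tcp", client_port=0, local_port=0):
    """Return (action, log_line) the way the CLIENT_ACCEPTED rule would decide the flow."""
    # TCP::client_port / TCP::local_port only exist for TCP flows; a forwarding VIP can also
    # carry UDP or ICMP, so the model logs ports for TCP only and addresses otherwise.
    if proto == "tcp":
        flow = f"{client_addr}:{client_port} -> {local_addr}:{local_port}"
    else:
        flow = f"{client_addr} -> {local_addr} ({proto})"
    win_to_lin = (class_match(client_addr, "win_web_LIVE_front_subnet")
                  and class_match(local_addr, "lin_web_LIVE_front_subnet"))
    lin_to_win = (class_match(client_addr, "lin_web_LIVE_front_subnet")
                  and class_match(local_addr, "win_web_LIVE_front_subnet"))
    if win_to_lin:
        return "reject", f"DENIED TRAFFIC Windows to Linux: {flow}"
    if lin_to_win:
        return "reject", f"DENIED TRAFFIC Linux to Windows: {flow}"
    return "forward", f"PERMITTED TRAFFIC: {flow}"


# Constructed flows: both denied directions, a flow to a third VLAN, and a non-TCP flow.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.20", "tcp", 51000, 443),
    ("198.51.100.20", "192.0.2.10", "tcp", 52000, 3389),
    ("192.0.2.10", "203.0.113.5", "tcp", 53000, 80),
    ("198.51.100.20", "192.0.2.10", "udp", 0, 0),
]


def evaluate(flows=SAMPLE_FLOWS):
    """Decide every sample flow; returns a list of (action, log_line)."""
    return [policy(*f) for f in flows]


if __name__ == "__main__":
    for action, line in evaluate():
        print(f"{action:8} {line}")
```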
What_Lies_Bene1 (Cirrostratus):
Would a packet filter assigned to the two restricted VLANs not be a simpler solution?

Lee_Sutcliffe (Nacreous):
I could put a VLAN access list on the switches I suppose; I tend to steer away from these as they can get quite messy.
Worth considering though I suppose

What_Lies_Bene1 (Cirrostratus):
Apologies, I meant a packet filter on the BIG-IP.

Mohamed_Lrhazi (Altocumulus):
Your iRule looks good. I would use it, instead of packet filters on BIGIP (I never used them or seen anyone use them).

nitass (Employee):
i prefer using irule because i think it is more granular and flexible.

Mohamed_Lrhazi (Altocumulus):