DNS resolver iRule
Hello Everyone,
This is my first time using iRules and posting to this forum, so if the upcoming question is lacking knowledge then that's the reason.
We have a network behind an F5 that is attempting to connect to the Cisco Smart Licence service. The service itself on the switch uses a URL to connect with. Traffic is hitting the F5 from the source address of the switch to a destination VIP on port 8080 ('Standard' Virtual Server configured on F5).
Our current iRule statement is detailed below:
when HTTP_REQUEST {
    # Only police requests whose Host header is one of the licensing URLs
    if { [class match [HTTP::host] equals license_url_grp] } {
        # Allow the request when the client is on the switch network ...
        if { [class match [IP::client_addr] equals license_client_grp] } {
            return
        } else {
            # ... otherwise log the source address and reset the connection
            log local0. "dropped connection my ip address [IP::client_addr]"
            reject
        }
    }
}
The 'license_url_grp' contains a number of URLs related to Cisco Smart Licensing.
The 'license_client_grp' contains the network that the switch is located on.
We are pointing to Google DNS servers at 8.8.8.8 and 8.8.4.4. When using the nslookup command from tmsh, the URLs in the 'license_url_grp' resolve correctly.
The tcpdump output on the F5 is reporting the details below:
HTTP: CONNECT tools.cisco.com:443 HTTP/1.0 in slot1/tmm2 lis=/Common/vf-license-proxy_8080_vip
So I just have a number of questions:
- Does the Virtual Server (VIP address on port 8080) have to match the port 443 in the Smart Licence request as per the tcpdump output?
- Does the iRule format look okay?
Thanks again for your help.
Regards,
Lee
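The tcpdump line above shows the switch issuing a CONNECT for "tools.cisco.com:443", so the value the iRule sees in HTTP::host may carry a ":port" suffix, which would never equal a data-group entry of just "tools.cisco.com". The following is an added example (not the poster's iRule) of the same host/client check with the Host value normalised first; it assumes the data groups license_url_grp (string) and license_client_grp (address) from the post and keeps the posted rule's policy of only policing requests for the licensing hosts.

```tcl
when HTTP_REQUEST {
    # Normalise the Host value before matching: drop any ":port" suffix
    # (as seen on the CONNECT line in the tcpdump output) and lower-case it
    # so that "tools.cisco.com:443" matches a data-group entry "tools.cisco.com".
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    # Same policy as the posted rule: requests for hosts outside the licensing
    # data group are left alone.
    if { [class match $host equals license_url_grp] } {
        # Address-type data group: "equals" matches when the client IP falls
        # inside any listed host or subnet.
        if { [class match [IP::client_addr] equals license_client_grp] } {
            return
        }
        # Client is not on the switch network: record who tried and reset.
        log local0. "rejected [IP::client_addr] -> $host (client not in license_client_grp)"
        reject
    }
}
```

Logging both the normalised host and the client address makes it easy to confirm from /var/log/ltm whether a rejected connection failed on the host match or on the client match.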