F5 LTM and GTM 2023 Lab Guide
Turnkey LAMP installation
Initial Config
Topology / Theory
Initial Config
Basic Standard Virtual Server
Source/Cookie Persistence Profile
HTTP Health Monitor
HTTP Profile Insert header and Redirect
Compressed Content in HTTP
HTTP Stream Profile to change content
Offloading SSL - HTTPS to HTTP
HTTP Redirect to HTTPS
iRules - Log IP
iRule - Client from two ISP Network to different node
Install GEO Location package
iRule - FLOW_INIT with client_addr country allow
iRule - HTTP_REQUEST - HTTP redirect
iRule - HTTP_RESPONSE 404 - HTTP respond 301/redirect/header
iRule - HTTP_RESPONSE 404 - with HTTP 200 content
iRule - HTTP RESPONSE - Log Server Response Elapse
iRule - Stream replace string
Outbound SNAT
Outbound NAT - Inside server farm path select two ISP
Application Visibility and Reporting (AVR)
DNS (GTM) Lab
DNS Topology and iRules
DNS iRule ISP networks to Pool
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Basic Standard Virtual Server
Floating IP
Node Health Monitor
Nodes
Pool Health Monitor
Pool Member
Virtual Server
Theory: Load Balancing Method
Understanding F5 Load Balancing Methods
From <https://wtit.com/blog/2019/05/27/understanding-f5-load-balancing-methods/>
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Turnkey LAMP installation
https://172.77.77.200:12321/tklbam/index.cgi?xnavigation=1
confconsole
Create sub interfaces
Add IP/port info to the index page
root@lamp /var/www# vi index.php
<h2 style="color:DodgerBlue;"> Server addr: <?php print $_SERVER['SERVER_ADDR'] ?><br> </h2>
<h2 style="color:DodgerBlue;"> Server port: <?php print $_SERVER['SERVER_PORT'] ?><br> </h2>
<h2 style="color:Tomato;"> Remote addr: <?php print $_SERVER['REMOTE_ADDR'] ?><br> </h2>
<h2 style="color:Tomato;"> Remote port: <?php print $_SERVER['REMOTE_PORT'] ?><br> </h2>
Global Traffic Manager --> BIG-IP DNS
Local Traffic Manager (LTM): load balancing, HA, proxy, iRules
Access Policy Manager (APM): SSL VPN
Application Security Manager (ASM): WAF
Advanced Firewall Manager (AFM): Firewall
Big-IP iSeries hardware - fixed ports
VIPRION hardware - chassis
BIG-IP VE
BIG-IP Cloud-Edition
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Initial Config
Config Management IP
Show current mgmt IP
[root@BIGIP-A:Active:Standalone] config # tmsh
root@(BIGIP-A)(cfg-sync Standalone)(Active)(/Common)(tmos)# list /sys management-ip
sys management-ip 10.8.25.212/25 {
    description configured-statically
}
TMSH: configure the management IP
tmsh
create /sys management-ip 10.8.25.212/25
create /sys management-route default gateway 10.8.25.131
save /sys config partitions all
NTP
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Theory and Topology
Virtual Server > Pool > Nodes
Case 1 - nPath
nPath routing changes only the destination MAC address; the source IP, destination IP, source port and destination port stay as the client sent them. Servers need the virtual address configured on a loopback interface. Less used; the return path is asymmetric (server replies go directly to the client), mostly used for video servers.
Case 2 - Secure Network Address Translation (SNAT)
One-to-many mapping
Automap translates the server-side source IP address to an internal self IP address or floating IP address
Resolves the asymmetric routing issue
Works with load balancing
The server cannot see the real client address (it sees the SNAT address)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Initial Config
VLANs
Self-ip
Port Lockdown - Allow Default
Traffic allowed
From <https://network-knowledge.work/bigip-portlockdown/>
Traffic Group
Default route
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Source/Cookie Persistence Profile
Source Persistence
Problem: clients behind a NAT all arrive with the same source address, so they persist to the same server.
Cookie Persistence
Customize cookie name
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP Health Monitor
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP Profile Insert header and Redirect
Local Traffic ›› Virtual Servers : Virtual Server List ›› vs_http1
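What the HTTP profile's Insert X-Forwarded-For option does, written as an added iRule example (not from the lab guide): the client-sent header is stripped first so a client cannot spoof the address the LAMP server sees behind SNAT.

```tcl
# Added example: equivalent of the HTTP profile "Insert X-Forwarded-For" setting.
# Behind SNAT the server's REMOTE_ADDR is the self IP / floating IP, so the real
# client address has to travel in a header that only LTM is allowed to set.
when HTTP_REQUEST {
    # Remove any X-Forwarded-For the client supplied; otherwise a client could
    # present a forged source address to the application.
    HTTP::header remove X-Forwarded-For
    # Insert the address LTM actually accepted the connection from.
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
```

On the LAMP index page, `$_SERVER['HTTP_X_FORWARDED_FOR']` then shows the real client while `$_SERVER['REMOTE_ADDR']` still shows the SNAT address.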
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Compressed Content in HTTP
Virtual server: with this profile LTM sees the uncompressed content but still sends compressed data to the server and client
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP Stream Profile to change content
Virtual server
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Offloading SSL - HTTPS to HTTP
Root CA & CSR bind server certificate
Bind root ca
SSL:Client profile
Virtual server
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP Redirect to HTTPS
Common use: redirect all HTTP to HTTPS
tcl:https://[getfield [HTTP::host] : 1][HTTP::uri]
Same effect
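The iRule form of the same redirect, as an added example (not from the lab guide), with the Host header checked against a data group before it is reflected into the Location header; `allowed_hosts` is an assumed string data group listing the site's hostnames.

```tcl
# Added example: HTTP to HTTPS redirect that only reflects known hostnames.
# "allowed_hosts" is an assumed string-type data group, e.g. www.clab.com.
when HTTP_REQUEST {
    # Strip any :port and normalise case before matching, same split as
    # [getfield [HTTP::host] : 1] in the profile expression above.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    if { [class match $host equals allowed_hosts] } {
        # Same URI, same host, scheme switched to https (302 by default).
        HTTP::redirect "https://${host}[HTTP::uri]"
    } else {
        # Unknown Host header: do not redirect to it, answer 400 instead.
        HTTP::respond 400 content "Bad Request"
    }
}
```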
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Securing your Applications with iRules Labs
From <https://clouddocs.f5.com/training/community/irules/html/class2/module1/module1.html>
iRules - Log IP
when CLIENT_ACCEPTED {
log local0. "[virtual] - client ip=[IP::client_addr]:[TCP::client_port]"
}
[root@BIGIP-A:Active:Standalone] config # tail -f /var/log/ltm
….
Jun 27 10:28:31 BIGIP-A.clab.com info tmm3[10587]: Rule /Common/clab_irule <CLIENT_ACCEPTED>: /Common/vs_https1 - client ip=172.88.88.140:49350
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
iRule - Client from two ISP to different node
when CLIENT_ACCEPTED {
    # ISP1 / ISP2 are address-type data groups holding each ISP's client networks
    if { [class match [IP::client_addr] equals ISP1] } {
        log local0. "from ISP1"
        node 172.77.77.201 80
    } elseif { [class match [IP::client_addr] equals ISP2] } {
        log local0. "from ISP2"
        node 172.77.77.202 80
    } else {
        log local0. "default pool"
        pool Pool_web
    }
}
[root@BIGIP-A:Active:Standalone] config # tail -f /var/log/ltm
Jun 27 12:04:40 BIGIP-A.clab.com info tmm[10587]: Rule /Common/clab_irule_2isp <CLIENT_ACCEPTED>: from ISP2
Jun 27 12:04:47 BIGIP-A.clab.com info tmm[10587]: Rule /Common/clab_irule_2isp <CLIENT_ACCEPTED>: from ISP1
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Install GEO Location database
K11176: Downloading and installing updates to the IP geolocation database
From <https://my.f5.com/manage/s/article/K11176#download>
[root@BIGIP-A:Active:Standalone] config # cd
[root@BIGIP-A:Active:Standalone] ~ # unzip ip-geolocation-v2-2.0.0-20230612.47.0.zip
[root@BIGIP-A:Active:Standalone] ~ # ls
dead.letter geoip-data-v2-Region2-2.0.0-20230612.47.0.i686.rpm
geoip-data-v2-ISP-2.0.0-20230612.47.0.i686.rpm ip-geolocation-v2-2.0.0-20230612.47.0.zip
geoip-data-v2-Org-2.0.0-20230612.47.0.i686.rpm README.txt
[root@BIGIP-A:Active:Standalone] ~ # geoip_update_data -f geoip-data-v2-ISP-2.0.0-20230612.47.0.i686.rpm
[root@BIGIP-A:Active:Standalone] ~ # geoip_update_data -f geoip-data-v2-Org-2.0.0-20230612.47.0.i686.rpm
[root@BIGIP-A:Active:Standalone] ~ # geoip_update_data -f geoip-data-v2-Region2-2.0.0-20230612.47.0.i686.rpm
[root@BIGIP-A:Offline:Standalone] ~ # geoip_lookup 202.100.10.11
Will attempt to lookup ip '202.100.10.11'
No database specified.
opening database in /shared/GeoIP/v2/F5GeoIP.dat
size of geoip database = 332224731, segments = 125240039, version = Copyright (c) F5 Networks Inc, All Rights Reserved GEOIP2 v1, 20230613
geoip_seek = 003000db
geoip record ip = 202.100.10.11
country_code = CN
country_name = China
region_name = Shaanxi
continent_code = AS
Scope = 18
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
iRule - FLOW_INIT with client_addr country allow
when FLOW_INIT {
    set client_addr [IP::client_addr]
    # whereis looks the address up in the GeoIP database installed above
    set client_country [whereis $client_addr country]
    log local0. $client_addr
    log local0. $client_country
    if { $client_country equals "JP" } {
        pool Pool_web
    } else {
        reject
    }
}
[root@BIGIP-A:Active:Standalone] config # tail -f /var/log/ltm
Jun 27 12:49:23 BIGIP-A.clab.com info tmm[10654]: Rule /Common/clab_irule_flow_init <FLOW_INIT>: 61.200.20.10
Jun 27 12:49:23 BIGIP-A.clab.com info tmm[10654]: Rule /Common/clab_irule_flow_init <FLOW_INIT>: JP
Jun 27 12:49:25 BIGIP-A.clab.com info tmm2[10654]: Rule /Common/clab_irule_flow_init <FLOW_INIT>: 202.100.10.10
Jun 27 12:49:25 BIGIP-A.clab.com info tmm2[10654]: Rule /Common/clab_irule_flow_init <FLOW_INIT>: CN
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
iRule - FLOW_INIT with switch client allow/drop/reset
when FLOW_INIT {
    set ipaddr [IP::client_addr]
    set locale [whereis $ipaddr country]
    log local0. "IP Address/Country $ipaddr/$locale"
    switch $locale {
        "CN" -
        "CA" { return }
        "JP" { ACL::action drop }
        default { ACL::action reset }
    }
}
Apply the iRule to the virtual server (omitted…)
Jun 27 12:59:33 BIGIP-A.clab.com info tmm1[10654]: Rule /Common/irule_FLOW_INIT_switch <FLOW_INIT>: IP Address/Country 202.100.10.10/CN
Jun 27 12:59:36 BIGIP-A.clab.com info tmm1[10654]: Rule /Common/irule_FLOW_INIT_switch <FLOW_INIT>: IP Address/Country 61.200.20.10/JP
Jun 27 12:59:39 BIGIP-A.clab.com info tmm1[10654]: Rule /Common/irule_FLOW_INIT_switch <FLOW_INIT>: IP Address/Country 61.200.20.10/JP
Jun 27 12:59:45 BIGIP-A.clab.com info tmm1[10654]: Rule /Common/irule_FLOW_INIT_switch <FLOW_INIT>: IP Address/Country 61.200.20.10/JP
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
iRule - HTTP_REQUEST - HTTP redirect
when HTTP_REQUEST {
    log local0. "HTTP URI [HTTP::uri]"
    log local0. [TCP::bandwidth]
    # HTTP::uri includes the query string, so /index.php?x=1 does not match; HTTP::path would
    if { [HTTP::uri] ends_with ".php" } {
        HTTP::redirect "http://www.google.com"
    }
}
Apply the iRule to the virtual server (omitted…)
Jun 27 13:31:52 BIGIP-A.clab.com info tmm1[10654]: Rule /Common/clab_irule_http_redirect <HTTP_REQUEST>: 0
Jun 27 13:33:57 BIGIP-A.clab.com info tmm1[10654]: Rule /Common/clab_irule_http_redirect <HTTP_REQUEST>: HTTP URI /index.php
Jun 27 13:33:57 BIGIP-A.clab.com info tmm1[10654]: Rule /Common/clab_irule_http_redirect <HTTP_REQUEST>: 728
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
iRule - HTTP_RESPONSE 404 - HTTP respond 301/redirect/header
when HTTP_RESPONSE {
    if { [HTTP::status] contains "404" } {
        # HTTP::redirect "http://www.siterequest.com/"
        HTTP::respond 301 Location https://www.google.com
        #HTTP::header Host https://www.bing.com
    }
}
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
iRule - HTTP_RESPONSE 404 - with HTTP 200 content
when HTTP_RESPONSE {
    if { [HTTP::status] contains "404" } {
        HTTP::respond 200 content {
<html>
<head>
<title>Apology Page</title>
</head>
<body>
We are sorry, but the site you are looking for is temporarily out of service<br>
If you feel you have reached this page in error, please try again.
</body>
</html>
        }
    }
}
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
iRule - HTTP RESPONSE - Log Server Response Elapse
when HTTP_REQUEST {
    set reqURI [HTTP::uri]
    set reqClient "[IP::remote_addr]:[TCP::remote_port]"
}
when SERVER_CONNECTED {
    # IP::stats age is the flow age in milliseconds
    set reqAge [IP::stats age]
}
when HTTP_RESPONSE {
    set respTime [expr {[IP::stats age] - $reqAge}]
    log local0. $reqAge
    log local0. [IP::stats age]
    log local0. "Client at $reqClient requested $reqURI. \
        Server response was received $respTime milliseconds after the request was sent to the server."
}
[root@BIGIP-A:Active:Standalone] config # tail -f /var/log/ltm
Jun 27 14:05:46 BIGIP-A.clab.com info tmm[10654]: Rule /Common/clab_irule_server_respose_time <HTTP_RESPONSE>: 0
Jun 27 14:05:46 BIGIP-A.clab.com info tmm[10654]: Rule /Common/clab_irule_server_respose_time <HTTP_RESPONSE>: 2
Jun 27 14:05:46 BIGIP-A.clab.com info tmm[10654]: Rule /Common/clab_irule_server_respose_time <HTTP_RESPONSE>: Client at 202.100.10.10:49711 requested /. Server response was received 2 milliseconds after the request was sent to the server.
Jun 27 14:05:53 BIGIP-A.clab.com info tmm1[10654]: Rule /Common/clab_irule_server_respose_time <HTTP_RESPONSE>: 0
Jun 27 14:05:53 BIGIP-A.clab.com info tmm1[10654]: Rule /Common/clab_irule_server_respose_time <HTTP_RESPONSE>: 1
Jun 27 14:05:53 BIGIP-A.clab.com info tmm1[10654]: Rule /Common/clab_irule_server_respose_time <HTTP_RESPONSE>: Client at 61.200.20.10:49714 requested /. Server response was received 1 milliseconds after the request was sent to the server.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
iRule - Stream replace string
# Stream_iRule
when HTTP_REQUEST {
    # Ask for an uncompressed response body; STREAM cannot match inside gzip
    HTTP::header remove Accept-Encoding
    STREAM::disable
}
when HTTP_RESPONSE {
    # Replace every "TurnKey" in the response body with "Clab"
    STREAM::expression @TurnKey@Clab@
    STREAM::enable
}
Virtual server
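The stream iRule above rewrites every response body; as an added example (not from the lab guide), the same replacement gated on Content-Type so images and downloads are never altered. It keeps the lab's @TurnKey@Clab@ expression.

```tcl
# Added example: only rewrite textual bodies. STREAM on a binary response
# (images, archives, PDFs) corrupts it, so the replacement is enabled per response.
when HTTP_REQUEST {
    # Uncompressed bodies only; the stream filter cannot see inside gzip
    HTTP::header remove Accept-Encoding
    STREAM::disable
}
when HTTP_RESPONSE {
    set ctype [string tolower [HTTP::header value Content-Type]]
    if { [HTTP::status] == 200 && $ctype starts_with "text/" } {
        # Same expression as the lab rule: TurnKey -> Clab
        STREAM::expression {@TurnKey@Clab@}
        STREAM::enable
    } else {
        # Leave non-text or non-200 responses untouched
        STREAM::disable
    }
}
```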
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Outbound SNAT
Allow PING for SNAT
root@lamp ~# ping 172.88.88.141
PING 172.88.88.141 (172.88.88.141) 56(84) bytes of data.
64 bytes from 172.88.88.141: icmp_seq=1 ttl=126 time=5.98 ms
64 bytes from 172.88.88.141: icmp_seq=2 ttl=126 time=6.05 ms
64 bytes from 172.88.88.141: icmp_seq=3 ttl=126 time=8.42 ms
64 bytes from 172.88.88.141: icmp_seq=4 ttl=126 time=10.6 ms
^C
--- 172.88.88.141 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 5.983/7.756/10.573/1.898 ms
root@lamp ~# traceroute 172.88.88.141
traceroute to 172.88.88.141 (172.88.88.141), 30 hops max, 60 byte packets
1 172.77.77.31 (172.77.77.31) 0.211 ms 0.183 ms 0.089 ms
2 202.100.10.10 (202.100.10.10) 0.929 ms 0.910 ms 0.892 ms
3 172.88.88.141 (172.88.88.141) 4.678 ms * *
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Outbound NAT - Inside server farm path select two ISP
Node monitors
Node
Pool
iRules : Data Group List
iRule - outbound_path_select
when CLIENT_ACCEPTED {
    # IP::local_addr is the destination the inside server is connecting to
    if { [class match [IP::local_addr] equals ISP1] } {
        pool ISP1_GW_Pool
    } elseif { [class match [IP::local_addr] equals ISP2] } {
        pool ISP2_GW_Pool
    } else {
        pool Default
    }
}
SNAT Pool List
TCP UDP Idle time
iRules - Snat_policy
when LB_SELECTED {
    # Choose the SNAT pool that matches the ISP gateway the load balancer picked
    if { [IP::addr [LB::server addr] equals 202.100.10.10] } {
        log local0. "Destination IP: [clientside {IP::local_addr}]"
        log local0. "Source IP: [clientside {IP::remote_addr}]"
        log local0. "GW IP: [LB::server addr]"
        snatpool ISP1_Outbound_PAT_Pool
    } elseif { [IP::addr [LB::server addr] equals 61.200.20.10] } {
        snatpool ISP2_Outbound_PAT_Pool
    } else {
        snat automap
    }
}
Virtual Server
Allow ICMP
[root@BIGIP-A:Active:Standalone] config # tmsh delete sys connection virtual-server Outbound_NAT_VS
[root@BIGIP-A:Active:Standalone] config # tmsh show sys connection virtual-server Outbound_NAT_VS
Sys::Connections
172.77.77.200:14265 172.88.88.141:8 202.100.10.15:18264 172.88.88.141:8 icmp 14 (tmm: 1) none none
172.77.77.200:50069 61.200.66.10:8 61.200.20.15:50069 61.200.66.10:8 icmp 72 (tmm: 0) none none
172.77.77.200:9418 172.88.88.1:8 61.200.20.15:9418 172.88.88.1:8 icmp 2 (tmm: 2) none none
172.77.77.200:59277 202.100.55.10:8 202.100.10.15:6901 202.100.55.10:8 icmp 77 (tmm: 0) none none
Total records returned: 4
[root@BIGIP-A:Active:Standalone] config # tail -f /var/log/ltm
…
Jul 4 11:59:26 BIGIP-A.clab.com info tmm3[10654]: Rule /Common/snat_policy <LB_SELECTED>: Destination IP: 202.100.55.10
Jul 4 11:59:26 BIGIP-A.clab.com info tmm3[10654]: Rule /Common/snat_policy <LB_SELECTED>: Source IP: 172.77.77.200
Jul 4 11:59:26 BIGIP-A.clab.com info tmm3[10654]: Rule /Common/snat_policy <LB_SELECTED>: GW IP: 202.100.10.10
FortiGate-600D (global) # get system info admin status
Index User name Login type From
Logged in users: 2
USERNAME TYPE FROM TIME
admin ssh 202.100.10.15 Tue Jul 4 15:08:56 2023
After shutting down loopback1, the translation records show the traffic using ISP2.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Application Visibility and Reporting (AVR)
Packet capture
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS Lab
LTM-1 virtual servers
License activation
DC
Server
Big3d Sync
root@(BIGIP-A-DNS)(cfg-sync Standalone)(Active)(/Common)(tmos)# run gtm big3d_install
Making sure all BIG-IP systems can be reached, and
checking kernel and big3d versions on each BIG-IP.
Gathering big3d info from 0000:0000:0000:0000:0000:FFFF:0A0A:0A01
Attempting via iqsh ... Successful
Gathering big3d info from 0000:0000:0000:0000:0000:FFFF:CA64:0A0B
Attempting via iqsh ... Successful
Gathering big3d info from 0000:0000:0000:0000:0000:FFFF:3DC8:140B
Attempting via iqsh ... Successful
Gathering big3d info from 0000:0000:0000:0000:0000:FFFF:0A0A:0A02
Attempting via iqsh ... error from SSL_connect
140511789704880:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
SSL return code: SSL_ERROR_SYSCALL
---
New, (NONE), Cipher is (NONE)
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1688751635
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Unable to retrieve version and platform information via iqsh for 0000:0000:0000:0000:0000:FFFF:0A0A:0A02
Attempting via ssh ...
Password:
Gathering big3d info from 0000:0000:0000:0000:0000:FFFF:AC4D:4D21
Attempting via iqsh ... Connection to ::ffff:172.77.77.33:4353 failed: Connection refused
Unable to retrieve version and platform information via iqsh for 0000:0000:0000:0000:0000:FFFF:AC4D:4D21
Attempting via ssh ...
ssh: connect to host 0000:0000:0000:0000:0000:ffff:ac4d:4d21 port 22: Connection timed out
Unable to retrieve tmsh and/or big3d versions from 0000:0000:0000:0000:0000:FFFF:AC4D:4D21
There is 1 system that could not be reached.
There are multiple reasons that this can occur, including:
- The network connection to the system is down.
- The system is down.
Do you want to continue? [y/n]
Do you want to continue? [y/n]
Do you want to continue? [y/n] u
Do you want to continue? [y/n] y
Continuing but skipping installing on BIG-IP systems:
0000:0000:0000:0000:0000:FFFF:AC4D:4D21
Local big3d version is 16.1.3.4.0.0.2
big3d version at 0000:0000:0000:0000:0000:FFFF:0A0A:0A01 is 16.1.3.4.0.0.2
Installing a new version of big3d at 0000:0000:0000:0000:0000:FFFF:0A0A:0A01
big3d version at 0000:0000:0000:0000:0000:FFFF:CA64:0A0B is 16.1.3.4.0.0.2
Installing a new version of big3d at 0000:0000:0000:0000:0000:FFFF:CA64:0A0B
big3d version at 0000:0000:0000:0000:0000:FFFF:3DC8:140B is 16.1.3.4.0.0.2
Installing a new version of big3d at 0000:0000:0000:0000:0000:FFFF:3DC8:140B
big3d version at 0000:0000:0000:0000:0000:FFFF:0A0A:0A02 is 16.1.3.4.0.0.2
Installing a new version of big3d at 0000:0000:0000:0000:0000:FFFF:0A0A:0A02
Password:
Copying new big3d to 0000:0000:0000:0000:0000:FFFF:0A0A:0A02 and restarting daemon
Password:
Done.
root@(BIGIP-A-DNS)(cfg-sync Standalone)(Active)(/Common)(tmos)# run gtm bigip_add10.8.25.213
Syntax Error: "bigip_add10.8.25.213" unexpected argument
root@(BIGIP-A-DNS)(cfg-sync Standalone)(Active)(/Common)(tmos)# run gtm bigip_add 10.8.25.213
Retrieving remote and installing local BIG-IP's SSL certs ...
Enter root password for 10.8.25.213 if prompted
The authenticity of host '10.8.25.213 (10.8.25.213)' can't be established.
RSA key fingerprint is SHA256:oFNseZhKlEbhMtmyV6FQZ5rbvsIkkvEKqvDx8wwDKsM.
RSA key fingerprint is MD5:69:5f:66:90:1c:52:7a:24:c6:f0:7b:84:e2:9e:2d:b2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.8.25.213' (RSA) to the list of known hosts.
Password:
==> Done <==
root@(BIGIP-A-DNS)(cfg-sync Standalone)(Active)(/Common)(tmos)# QUIT
[root@BIGIP-A-DNS:Active:Standalone] config # big3d -v
big3d version big3d Version 16.1.3.4.0.0.2 for linux
[root@BIGIP-A-LTM:Active:Standalone] config # big3d -v
big3d version big3d Version 16.1.3.4.0.0.2 for linux
Pool
Wide IP
Listener
Delegation to www.clab.com windows DNS
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS Topology and iRules
regions
Topology: records
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS iRule ISP networks to Pool
when DNS_REQUEST {
    log local0. "IP Log remote_addr [IP::remote_addr]"
    log local0. "IP Log local_addr [IP::local_addr]"
    log local0. "IP Log client_addr [IP::client_addr]"
    if { [IP::addr [IP::remote_addr] equals 202.100.0.0/16] } {
        ttl 1
        pool ISP2_Pool
    } elseif { [IP::addr [IP::remote_addr] equals 61.200.0.0/16] } {
        ttl 1
        pool ISP1_Pool
    } else {
        discard
    }
}
Before, with topology records
Wide IP
After, with the iRule
[root@BIGIP-A-DNS:Active:Standalone] config # tail -f /var/log/ltm
…
Jul 7 17:03:41 BIGIP-A-DNS.clab.com info tmm1[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log remote_addr 61.200.20.10
Jul 7 17:03:41 BIGIP-A-DNS.clab.com info tmm1[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log local_addr 61.200.20.11
Jul 7 17:03:41 BIGIP-A-DNS.clab.com info tmm1[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log client_addr 61.200.20.10
…
Jul 7 17:03:53 BIGIP-A-DNS.clab.com info tmm[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log remote_addr 202.100.10.10
Jul 7 17:03:53 BIGIP-A-DNS.clab.com info tmm[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log local_addr 202.100.10.11
Jul 7 17:03:53 BIGIP-A-DNS.clab.com info tmm[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log client_addr 202.100.10.10
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS iRule Country to Pool
when DNS_REQUEST {
    set client_addr [IP::client_addr]
    set client_country [whereis $client_addr country]
    log local0. $client_addr
    log local0. $client_country
    if { $client_country equals "CN" } {
        pool ISP2_Pool
    } else {
        discard
    }
}
[root@BIGIP-A-DNS:Active:Standalone] config # tail -20 /var/log/ltm
…
Jul 7 17:18:18 BIGIP-A-DNS.clab.com info tmm3[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log remote_addr 202.100.10.10
Jul 7 17:18:18 BIGIP-A-DNS.clab.com info tmm3[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log local_addr 202.100.10.11
Jul 7 17:18:18 BIGIP-A-DNS.clab.com info tmm3[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log client_addr 202.100.10.10
Jul 7 17:18:18 BIGIP-A-DNS.clab.com info tmm3[19590]: Rule /Common/gtm_country_irule <DNS_REQUEST>: 202.100.10.10
Jul 7 17:18:18 BIGIP-A-DNS.clab.com info tmm3[19590]: Rule /Common/gtm_country_irule <DNS_REQUEST>: CN
…
Jul 7 17:18:31 BIGIP-A-DNS.clab.com info tmm1[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log remote_addr 61.200.20.10
Jul 7 17:18:31 BIGIP-A-DNS.clab.com info tmm1[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log local_addr 61.200.20.11
Jul 7 17:18:31 BIGIP-A-DNS.clab.com info tmm1[19590]: Rule /Common/gtm_subnet_irule <DNS_REQUEST>: IP Log client_addr 61.200.20.10
Jul 7 17:18:31 BIGIP-A-DNS.clab.com info tmm1[19590]: Rule /Common/gtm_country_irule <DNS_REQUEST>: 61.200.20.10
Jul 7 17:18:31 BIGIP-A-DNS.clab.com info tmm1[19590]: Rule /Common/gtm_country_irule <DNS_REQUEST>: JP