Traffic Listeners
Overview
Part of configuring the BIG-IP system to be a data center firewall is to create virtual servers
and SNATs. For some virtual servers, you can create iRules that filter traffic based on specific
user-defined criteria.
Example 1
This example shows an ACL that you can logically implement using a host virtual server with
an assigned iRule. In this example, the virtual server has a destination host address of
204.170.25.11:80, with an iRule specifying that only traffic originating from the network
204.170.0.0/24 is allowed:
allow src 204.170.0.0/24 port 80 dst 204.170.25.11 port 80
deny all
In this case, only traffic originating from network 204.170.0.0/24 port 80 and destined for
host 204.170.25.11:80 is accepted and load balanced, according to the virtual server
configuration. The virtual server denies all other traffic.
Example 2
This example shows an ACL that you can logically implement using a network virtual server
with an assigned iRule. In this example, the virtual server has a destination network address
of 204.170.25.0:80, with an iRule specifying that only traffic originating from the network
204.170.0.0/24 is allowed:
allow src 204.170.0.0/24 port 80 dst 204.170.25.0 port 80
deny all
In this case, only traffic originating from network 204.170.0.0/24 port 80 and destined for
network 204.170.25.0:80 is accepted and forwarded to that network. The virtual server
denies all other traffic.
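The following iRule is an added example, not code from this page or from F5, showing how the Example 1 ACL (allow src 204.170.0.0/24 port 80 to dst 204.170.25.11 port 80, deny all) can be expressed in Tcl. It assumes the iRule is assigned to the host virtual server with destination 204.170.25.11:80; for the network virtual server of Example 2, the destination test would compare against 204.170.25.0/24 instead.

```tcl
# Added example: iRule enforcing the Example 1 ACL on a host virtual server.
# Assumes the virtual server listens on 204.170.25.11:80 (from the page's example).
when CLIENT_ACCEPTED {
    # The ACL permits only connections from 204.170.0.0/24 with source port 80
    # that are addressed to 204.170.25.11:80. IP::local_addr and TCP::local_port
    # are the address and port the client connected to on the BIG-IP system.
    if { [IP::addr [IP::client_addr] equals 204.170.0.0/24] &&
         [TCP::client_port] == 80 &&
         [IP::addr [IP::local_addr] equals 204.170.25.11] &&
         [TCP::local_port] == 80 } {
        # Allowed: returning lets the connection proceed to the virtual
        # server's default pool and normal load balancing.
        return
    }
    # Everything else is the "deny all" rule: record the decision for the
    # firewall log, then silently discard the connection.
    log local0. "ACL deny: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    drop
}
```

Using drop rather than reject discards the connection without sending a TCP reset, so a scanner learns nothing from the denied attempt.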
You can find additional examples of how to create a comprehensive iRule for these scenarios
on the F5 Networks DevCentral web site http://www.devcentral.f5.com.
Creating an iRule
Use this procedure to create an iRule.
1. On the Main tab, click Local Traffic > iRules.
2. Click Create. The New iRule screen opens.
3. In the Name field, type a 1- to 31-character name, such as virtual_acl_irule.
4. In the Definition field, type the syntax for the iRule, using Tool Command Language
(Tcl) syntax. For complete and detailed information on iRules syntax, see the F5
Networks DevCentral web site http://devcentral.f5.com.
5. Click Finished.
11. From the Default Pool list, select the name of the pool that you created previously.
12. Click Finished.
The BIG-IP system now listens for traffic destined for the specified destination IP address
and service, and applies all assigned profiles and any load balancing pool. Also, all log
messages pertaining to the application traffic are logged to the pool of remote logging servers
specified in the assigned Request Logging profile.
Example 1: Host virtual server configurations
This example shows the BIG-IP data center firewall also functioning as an application
delivery controller (ADC). In the illustration shown, the BIG-IP system contains two host
virtual servers (FTP VIP and App VIP) to perform application delivery controller (ADC)
functions, while still providing security. Specifically, the two virtual servers perform these
functions:
Load balancing traffic to internal ADCs that handle specific applications. (The
illustration shows one internal ADC named App ADC.)
The benefit of the first function is that you do not need to position the BIG-IP data center
firewall between two ADCs before sending traffic to the internal resources. This simplifies
the management of the environment.
The second function illustrates the same benefit but also shows that the BIG-IP system can
load balance the request to an internal ADC that is handling the more specialized tasks
required for an application, such as web acceleration, compression, caching, or web
optimization.
[Figures: Host virtual server configurations; Network virtual server configurations]
Configuring a SNAT
To protect IP addresses on the private network from being exposed to nodes on a public
network, you can define a SNAT. A SNAT changes the source IP address on a packet to a
SNAT external address located on the BIG-IP system.
1. On the Main tab, click Local Traffic > SNATs. The SNAT List screen displays a list
of existing SNATs.
2. Click Create.
3. Name the new SNAT.
4. In the Translation field, type the IP address that you want to use as a translation IP
address.
5. From the Origin list, select Address List.
6. For each client to which you want to assign a translation address, do the following:
a. Select Host.