jrmorris_151361
Apr 29, 2015 Nimbostratus
Log server on in-line network
I am running an inline model in my f5 environment. One external network for VS, one internal for nodes. Everything is fine except when I have a node on the internal network that needs to communicate with another node on the internal network. I obviously get an asymmetric routing issue. I can overcome this by using an iRule that does selective SNAT. My issue is that some servers on this internal network (log servers, smtp servers, authentication servers) actually need the source address preserved for obvious reasons.
I have thought of a few ways to get around this but am looking for more help (other ideas, iRule help).
- Use iRule to SNAT traffic to the VS address. This would at least allow the log collector to know what pool the message came from.
- SNAT traffic to a pre-determined SNAT pool. So if I have 10.10.1.0/24, I could create a one-to-one SNAT pool using 10.10.2.0/24. Users would then know where to look if they saw 10.10.2.100 in a log entry.
- Create an iRule that examines the actual source address, then increments the third octet (I'm using networks bigger than a /24) and SNATs traffic to the incremented address. Basically the same method as option 2, just without multiple SNAT pools.
I am definitely open to other methods as well. Thanks.
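One way to express option 3 as an iRule, written here as an added example rather than code from the original post. It assumes an internal network of 10.10.0.0/16, that the address block produced by the offset is routed back to the BIG-IP's internal self IP, and that no route domains are in use (so `IP::client_addr` returns a plain dotted quad). The offset variable generalises the post's "increment by one": with an offset of 1 the mapped address of a host in a /23 or larger internal range lands on another real host's address, so the offset has to be chosen so the whole mapped block falls outside the internal network.

```tcl
# Added example, not from the original post.
# Selective SNAT for hairpinned internal-to-internal traffic: each internal
# client is mapped one-to-one to a predictable address by adding an offset to
# the third octet, so log/SMTP/auth servers can still attribute a connection
# to a specific client. External clients keep their real source address.
when CLIENT_ACCEPTED {
    # Assumed values: adjust to the real internal network.
    set internal_net "10.10.0.0/16"

    # Offset added to the third octet. The post's option 3 uses 1; in practice
    # pick a value whose resulting block lies entirely outside $internal_net
    # and is routed back to the BIG-IP, otherwise the SNAT address collides
    # with a real host.
    set third_octet_offset 1

    if { [IP::addr [IP::client_addr] equals $internal_net] } {
        # Split the client address into octets and bump the third one.
        scan [IP::client_addr] {%d.%d.%d.%d} o1 o2 o3 o4
        set o3 [expr {$o3 + $third_octet_offset}]

        if { $o3 > 255 } {
            # The mapping would produce an invalid address. Keep the
            # connection working with automap and log it so the range can
            # be re-planned rather than silently dropping traffic.
            log local0. "SNAT map overflow for [IP::client_addr]; using automap"
            snat automap
            return
        }

        # Deterministic, reversible mapping: operators reading a log entry
        # subtract the offset from the third octet to recover the client.
        snat "$o1.$o2.$o3.$o4"
    } else {
        # Traffic arriving from the external side is not hairpinned, so the
        # original source address is preserved.
        snat none
    }
}
```

Because the mapping is a fixed arithmetic offset, the reverse lookup can be documented once for the people reading the log servers, which is the property the post is after; a check worth adding when changing the offset is that the lowest and highest internal third octets, once offset, stay below 256 and outside the internal range.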