--> By default, a virtual server translates only the destination IP address of an incoming packet. The source IP address of the packet does not change.
--> SNAT is used to change the source IP address of incoming client packets.
--> SNAT is mainly used for two functions:
1) To let the servers behind the F5 reach the Internet (Private --> Public)
2) To make sure the server's response returns through the BIG-IP LTM instead of going directly to the client.
--> SNAT can be configured in multiple ways:
1) One to One Mapping
2) Many to One Mapping
3) All to One Mapping
--> SNAT must be enabled on the VLAN on which client traffic arrives at the BIG-IP system.
--> By default, SNAT is enabled on all the VLANs configured on the BIG-IP system.
--> By default, SNAT supports only UDP and TCP.
--> By default, the BIG-IP system attempts to preserve the source port, but if the port is already in use on the selected translation address, the system also translates the source port.
--> There are four types of SNAT available on the BIG-IP system:
1) SNAT Address:
--> Map one or more original IP addresses to a specific translation address that you choose.
--> It works the same way as SNAT automap, but the translation address can be an IP other than the floating self IP address.
--> A virtual server address can be used as a SNAT address.
--> A SNAT address can be created from the CLI with the following command:
create /ltm snat client_snat translation 10.0.0.1 origins add {0.0.0.0/0}
2) SNAT Automap:
--> Map one or more original IP addresses to a floating address of the egress VLAN.
--> Easy to configure and implement.
--> A virtual server address cannot be used as a SNAT address.
3) SNAT Pools:
--> Map one or more original IP addresses to multiple translation addresses that you choose.
--> A SNAT pool can contain IP addresses from the egress VLAN as well as from non-egress VLANs.
--> The BIG-IP system load balances SNAT pool connections between members using the least connections algorithm.
--> The SNAT pool always intelligently chooses an egress VLAN IP address for the incoming client connection by checking the destination IP address in the packet.
--> A virtual server address can be present in the SNAT pool.
--> A SNAT pool can be created from the CLI with the following command:
create /ltm snat client_snat snatpool snat_pool origins add {10.0.0.0/8}
4) Intelligent SNAT:
--> Map one or more original IP addresses to one or multiple translation addresses based upon an iRule.
--> An intelligent SNAT allows the BIG-IP system to choose the translation address based on any piece of packet data that you specify.
--> This piece of data could be the original client IP address, or it could be a server port or an HTTP cookie.
--> Before creating an iRule to perform intelligent SNAT, you need to do the following:
1) Decide on what basis you want to perform SNAT.
2) Create the SNAT address or SNAT pool to associate with the iRule.
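An iRule for intelligent SNAT that selects on each kind of packet data named above (client IP address, server port, HTTP cookie). This is an added example, not code from F5 or from the original post. It assumes a TCP virtual server with an HTTP profile; snat_pool, 10.0.0.1 and 10.0.0.0/8 are taken from the commands above, while partner_snat_pool, the cookie name snat_tier and port 8443 are hypothetical.

```tcl
# Added example: intelligent SNAT. The SNAT pools referenced here must
# already exist before the iRule is attached to the virtual server.
when CLIENT_ACCEPTED {
    # Selector 1: original client IP address (origin range from the page).
    # Selector 2: server port the client connected to (8443 is hypothetical).
    # Fallback:   floating self IP of the egress VLAN (SNAT automap).
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        snatpool snat_pool
    } elseif { [TCP::local_port] == 8443 } {
        snat 10.0.0.1
    } else {
        snat automap
    }
}

when HTTP_REQUEST {
    # Selector 3: an HTTP cookie (name and value are hypothetical).
    # The cookie is supplied by the client, so it should only choose
    # between translation pools and never act as an access decision.
    if { [HTTP::cookie exists "snat_tier"] &&
         [HTTP::cookie value "snat_tier"] eq "partner" } {
        snatpool partner_snat_pool
    }
}
```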
Ref: F5.com
Md.Kareemoddin
CCIE #54759
The only thing which I didn't know about is ''SNAT Pools''. After reading this information, everything became clear to me.