aflex ip based traffic management

leburton · March 23, 2017, 12:56pm

Hi, i’m having a problem with some (basic) aflex traffic redirection on a virtual server that I’m trying to use.

I’m trying to match certain subnet ranges of users to a prioritised server pool (sg2-80), but to not prevent them from connectivity if that prioritised pool goes down for some reason, and send the majority of traffic to the sg1-80 pool. (traffic to real servers is http over port 80 with ssl terminated at a10).

I’ve applied the aflex template to the virtual server, and at the moment it seems to be matching all traffic to the default in the switch statement regardless of the other cases matching before it (so no traffic is going to sg2) if i take away the “default” then traffic it works but won’t catch any cases that dont match the specific ruleset (if it’s not in 10.10.0.0/16 in this case).

In the virtual server I haven’t bound any service group (the aflex template seems to take care of service group mapping) but if i do then again it seems to ignore the custom matching for specific subnets in the 10.10.0.0/16 range (outside those sent to service group 1)

for reference we have a a10 thunder series 3030s.

I have changed the ip addresses / urls in the aflex code below for privacy, but essentially i’m using these sort of pattern matching rules:

\#\# Redirect end-user connections based on ip address / host header statements on ipv4
\# work out if sg2-80 pool is down or if request is specifically for sg2-80 pool on a separate cname alias in host header

when HTTP\_REQUEST \{
if \{[LB::status pool sg2-80] == "down" \} \{ pool sg1-80 
\} elseif \{ [HTTP::host] contains "alternate.websitename.co.uk" \} \{ pool sg2-80 \}

# matching of internal user subnets to redirect traffic as appropriate

switch [IP::client\_addr] \{
10.10.10.0/24 \{ pool sg1-80 \}
10.10.28.0/22 \{ pool sg1-80 \} 
10.10.60.0/24 \{ pool sg1-80 \} 
10.10.0.0/16 \{ pool sg2-80 \}
192.168.0.0/24 \{ pool sg2-80 \}
default \{ pool sg1-80 \}
\}
\#\#\#\# at this point I could add ( if \{ [HTTP::host] contains "default.websitename.co.uk" \} \{ pool sg1-80 \} ) to catch outliers which might be a solution but it’s not ideal as it requires working out all the outlying cases… when it would be better to just have a catch all at the bottom

#### alternately I could try using an if{}elseif{} for all tests which may work, but the switch statement is recommended and is certainly more readable as here : aFleX Scripting Language Optimization | A10 Networks
}
Thanks for your help, apologies if some of this doesn’t entirely make sense at first glance!

DaniTom · March 23, 2017, 5:30pm

Hi, I guess, it’s not possible with the switch command (maybe other guys knows it better then me ;o).
My assumption is that switch just compare the “string” of your ip address and thatswhy you will never get a match on the subnet address - like:

10.10.10.1 is not equal 10.10.10.0/24.
I think you have two options:

a) using the "Class::match ip" command  or
b) the "IP::addr" command

With both commands you can compare an IP address to a subnet. I used that in a “if … else” statement (but maybe it is usable in “switch” command too???)

Here my example I just tested some minutes before in my lab and it works for me.

First I created to classlists called “CL_SRC_POOL_1” and “CL_SRC_POOL_”
Both classlists are of type ip and have values of subnets:

; Class list - CL_SRC_POOL_1
; IPv4

; IP subnet (Total: 2)
10.10.10.0 /24
10.10.28.0 /24

; Class list - CL\_SRC\_POOL\_2

; IPv4

; IP subnet (Total: 2)
10.12.0.0 /16
10.16.160.0 /24

Then create a new aflex :

when RULE\_INIT \{
        \# for debugging - set it to 0 no logging is perfromed, if set to 1 info log messages in system log is created

set ::DEBUG 1
}
#
when HTTP_REQUEST {
# matching of internal user subnets to redirect traffic as appropriate
#

set SRC [IP::client\_addr]
set ::CL\_01 CL\_SRC\_POOL\_1
set ::CL\_02 CL\_SRC\_POOL\_2

#

    if \{ [CLASS::match $SRC $::CL\_01 ip] \} \{
        if \{ $::DEBUG == 1 \} \{ log "$SRC is on $::CL\_01" \}

pool SG_POD1

        \} elseif \{ [CLASS::match $SRC $::CL\_02 ip] \} \{
        if \{ $::DEBUG == 1 \} \{ log "$SRC is on $::CL\_02" \}

pool SG_POD2

    \} else \{
        if \{ $::DEBUG == 1 \} \{ log "IP address: $SRC not found on any class-list" \}

pool SG_POD1
}
#
}
So, I tried that one and it works in my environment. If my IP is in classlist 1 then use poo1, if my IP in cl2 thenn pool2 otherwise if not in any cl then pool1.
I’m not pretty sure what happens if the ip matches in both cls !?!?! You should give them a try but I assume it grabs on the first match.

The other option is to use the IP::addr command but I didn’t try it. From the documentation:

when CLIENT\_ACCEPTED \{
if \{ [IP::addr [IP::client\_addr] equals 10.10.10.0/24] \} \{

pool my_pool

\}
\}

Hope that helps a little and have a good day,
Thomas.

leburton · March 28, 2017, 9:08am

Hi Thomas,
This is a good solution to my problem, thanks very much!
as I had a large number of ranges to add, using a class-list makes sense, not a feature i’ve used before
Thanks for your help!

Laurence

Discussion		Replies	Views
Redirect traffic based on Destination IP aFleX redirect , aflex , slb-adc	1	302	February 8, 2024
Preserve Port on HTTP Redirect aFleX redirect , aflex	1	604	July 14, 2020
A10 vThunder ADC/SLB - Redirection based on URL aFleX redirect , aflex , load-balancing-method , a10-thunder	3	803	May 9, 2023
1 VIP to 15 Websites same ports aFleX	8	71	May 28, 2014
Server response redirected to other port. aFleX redirect	0	21	February 16, 2016

aflex ip based traffic management

Related topics