
BIG-IP F5 LTM - Geolocation

One great feature of the F5 Local Traffic Manager is the ability to distribute traffic based on its geographical origin. This feature was introduced in v10.1 thanks to F5's partnership with Neustar (previously Quova).

The geolocation component uses a local IP geolocation database (stored on the F5) to determine the geographic location of an IP address. To perform a geolocation look-up on an IP address, the 'whereis' iRule command is used.
To update the database, download the latest geolocation database from https://downloads.f5.com and install it manually.

Note: A license from Neustar is required either to use the geolocation data within your application or to obtain city-level geolocation features.


iRule Example

Below is an example of an iRule utilizing geolocation. Note:

  • Traffic is permitted based on the continent or country from which the connection originated.
  • Additional countries/continents are added via the datagroups named 'country' and 'continent'.
  • Any IP address that is not known within the database is forwarded automatically.

ltm rule IRULE-GEOLOCATION {
    # Allow traffic based on GeoLocation.
    # Access is granted via the country/continent datagroups.
    #
    # Country Reference   - http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm
    # Continent Reference - http://en.wikipedia.org/wiki/List_of_sovereign_states_and_dependent_territories_by_continent_%28data_file%29

    when CLIENT_ACCEPTED {
        # Look the client address up once and reuse the results.
        set continent [whereis [IP::client_addr] continent]
        set country [whereis [IP::client_addr] country]

        # Tcl requires 'elseif' / 'else' on the same line as the preceding closing brace.
        if { [class match $continent equals continent] or [class match $country equals country] } {
            log local0. "irule - Permit IP: [IP::client_addr] from continent $continent and country $country"
            pool pool-example
        } elseif { $continent equals "" and $country equals "" } {
            # Address not present in the geolocation database - forward it.
            log local0. "irule - Permit IP: [IP::client_addr] from continent <UNKNOWN> and country <UNKNOWN>"
            pool pool-example
        } else {
            drop
            log local0. "irule - Deny IP: [IP::client_addr] from continent $continent and country $country"
        }
    }
}
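The iRule above relies on two string datagroups, 'continent' and 'country', whose keys must match what 'whereis' returns (two-letter continent codes such as EU or NA, and ISO 3166 two-letter country codes). The following bigip.conf fragment is an added example, not from the original article; the record values are constructed and the 'ltm data-group internal' syntax assumes a v11-style tmsh configuration.

```tmsh
# Added example (not part of the original article): datagroups referenced by IRULE-GEOLOCATION.
# Keys are constructed sample values; add your own continent / country codes as records.
ltm data-group internal continent {
    records {
        EU { }
        NA { }
    }
    type string
}
ltm data-group internal country {
    records {
        GB { }
        US { }
    }
    type string
}
```

Because the iRule forwards any address with an empty continent and country, check the geolocation database version after each update to be sure unknown results are genuinely absent from the database rather than the result of a stale or missing file.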


About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001