Forum Discussion
genseek_32178
Nimbostratus
Jan 09, 2012
Basic Setup of F5
Hi,
I want to set up a new F5 box in my network. Before I do that, I want to understand how it can actually be configured in Routed and Bridge mode.
I would really appreciate it if someone can guide me on this.
F5 is connected to AGG pair A, with upstream device as Access Router and downstream device as L2 TOR switches connecting servers, as below.
                   Core
                     |
               Access Router
                     |
                     |
    F5---Trunk----Agg Switch - A
                     |
                     |
             L2Hst TOR Switch
                |         |
                |         |
             Server1   Server2
I want to start with Routed mode configuration using tmsh.
TH-genseek
38 Replies
- nitass
Employee
i created 2 vlans/selfips; one is internal which connects to server and the other one is external which connects to Agg Switch-A. server's default gateway is F5. F5's default gateway is Agg Switch-A. please let us know if i misunderstood anything here.
e.g.
root@B3600-R66-S41(Active)(tmos) list net trunk trunk1
net trunk trunk1 {
    cfg-mbr-count 2
    id 2
    interfaces {
        2.1
        2.2
    }
    mac-address 0:1:d7:b3:ab:13
}
root@B3600-R66-S41(Active)(tmos) list net vlan internal
net vlan internal {
    interfaces {
        trunk1 {
            tagged
        }
    }
    tag 4094
}
root@B3600-R66-S41(Active)(tmos) list net vlan external
net vlan external {
    interfaces {
        trunk1 {
            tagged
        }
    }
    tag 4093
}
root@B3600-R66-S41(Active)(tmos) list net self 1.1.1.1/24
net self 1.1.1.1/24 {
    allow-service default
    vlan internal
}
root@B3600-R66-S41(Active)(tmos) list net self 2.2.2.2/24
net self 2.2.2.2/24 {
    allow-service default
    vlan external
}
root@B3600-R66-S41(Active)(tmos) list net route default
net route default {
    gw 2.2.2.254
}
- genseek_32178
Nimbostratus
Thank you for the quick reply, nitass. I appreciate it.
I see that you have not created the pools and the corresponding virtual servers for load balancing. Can you do that also, please?
- nitass
Employee
of course.
e.g.
root@B3600-R66-S41(Active)(tmos) list ltm pool foo
ltm pool foo {
    members {
        1.1.1.11:http { }
        1.1.1.12:http { }
        1.1.1.14:http { }
    }
}
root@B3600-R66-S41(Active)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 2.2.2.10:http
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
}
- genseek_32178
Nimbostratus
Nitass,
Can you also clarify the following along with the rest....
a) Are the F5 internal and external VLANs, in same lines as Client and Server VLAN in Cisco CSM?
If yes, then in routed mode, for Cisco, we used to configure the VIP of the virtual server in client VLAN range.
In F5, the VIP sits on the external VLAN range or any other range other than internal and external? I have seen few deployments of F5, where the VIPs sit directly on internet IP range.
- nitass
Employee
> a) Are the F5 internal and external VLANs, in same lines as Client and Server VLAN in Cisco CSM?
i am sorry i never used CSM, so i am not able to answer it.
> In F5, the VIP sits on the external VLAN range or any other range other than internal and external? I have seen few deployments of F5, where the VIPs sit directly on internet IP range.
virtual server is able to be listening on any ip range.
- genseek_32178
Nimbostratus
Nitass,
In routed mode, if VIP sits on the external VLAN range, I understand it, but if it sits directly on internet IP which is not part of external VLAN range, then is it a normal deployment design suggested by F5?
Can you also, please now do the same config for Bridge Mode? I have 1000s of F5 deployed in Bridge mode, so I would appreciate if you show me the above routed mode config in Bridge mode.
- nitass
Employee
i thought bridge mode you said is something like this.
4 Installing a BIG-IP System without Changing the IP Network
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_vlans.html
looking at your diagram, i think routed mode makes more sense.
> In routed mode, if VIP sits on the external VLAN range, i understand it but if it sits directly on internet IP which is not part of external VLAN range, then is it a normal deployment design suggested by F5?
i am sorry i might not catch you. anyway, what i want to say is virtual server is able to be listening on any ip range on any vlan. definitely, you are able to enable virtual server on specific vlan.
e.g.
[root@B3600-R66-S41:Active] config tmsh list ltm virtual bar
ltm virtual bar {
    destination 2.2.2.10:http
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    vlans {
        external
    }
    vlans-enabled
}
if traffic is able to reach virtual server, it is fine. for example, you may have virtual server listening on 3.3.3.3:80 (which does not belong to any vlan) on internal vlan. if client on internal vlan sends request to 3.3.3.3:80 and it can reach bigip (for example, client's default gateway is bigip), bigip will load balance it.
- genseek_32178
Nimbostratus
nitass,
What is the bigip address in the above config? Is it the self IP of the internal VLAN, 1.1.1.1, and will this also be the default gwy of all servers sitting on the internal vlan?
When the external incoming traffic from hits the virtual server on, 3.3.3.3:80, while trying to load balance the incoming traffic to the servers in the pool, bigip would change the source ip of the incoming packet to that of its own IP and change the destn ip from VIP,3.3.3.3, to one of the servers in the pool, based on the load balancing method, .....Right?
And when servers reply, they would reply to the source IP in the packet as the destn IP, which is the BIGIP IP, and after bigip receives the reply from the server, it would restore the packet source ip to VIP, 3.3.3.3 and destn ip to, actual source IP, right?
bigip would take care of routing between the VIP and the internal VLAN range, right?
- nitass
Employee
> What is the bigip address in the above config? Is it the self IP of the internal VLAN, 1.1.1.1, and will this also be the default gwy of all servers sitting on the internal vlan?
yes
> When the external incoming traffic from hits the virtual server on, 3.3.3.3:80, while trying to load balance the incoming traffic to the servers in the pool, bigip would change the source ip of the incoming packet to that of its own IP
you can configure to translate source address (snat) or not. if you do not translate source address, you have to make sure return traffic will be sent to bigip e.g. pool member's default gateway is bigip.
> and change the destn ip from VIP,3.3.3.3, to one of the servers in the pool, based on the load balancing method, .....Right?
yes
> bigip would take care of routing between the VIP and the internal VLAN range, right?
if it is not connected subnet, route entry is required (definitely, you are able to configure route in bigip).
- genseek_32178
Nimbostratus
nitass,
I see in your config, that you defined the VLANs as internal and external. Is this a must? Or is this a case only in routed mode?
What about bridge mode, where all VLANs are in same range? Then also, do we define VLANs as internal and external?
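The two listings of virtual server bar posted earlier in the thread differ only in `vlans { external } vlans-enabled`, which decides whether the VIP accepts traffic on every VLAN or only the named ones. As an added example (not code from the thread or from F5), this Python sketch reads `tmsh list ltm virtual` output and reports that scope per virtual server; the names bar_any and bar_ext and the helper functions are constructed for illustration.

```python
# Added example: audit which VLANs each LTM virtual server listens on.
# SAMPLE is constructed from the two listings of "bar" in the thread, renamed
# bar_any / bar_ext (hypothetical names) so both fit in one input.
SAMPLE = """
ltm virtual bar_any { destination 2.2.2.10:http ip-protocol tcp mask 255.255.255.255 pool foo profiles { http { } tcp { } } }
ltm virtual bar_ext { destination 2.2.2.10:http ip-protocol tcp mask 255.255.255.255 pool foo profiles { http { } tcp { } } vlans { external } vlans-enabled }
"""

def virtual_servers(text):
    """Return {name: (top-level words, {block name: member words})}."""
    tokens, found, i = text.split(), {}, 0
    while i < len(tokens):
        if tokens[i:i + 2] != ["ltm", "virtual"] or tokens[i + 3:i + 4] != ["{"]:
            i += 1
            continue
        name, words, blocks, current = tokens[i + 2], [], {}, ""
        depth, i = 1, i + 4
        while depth > 0 and i < len(tokens):
            tok = tokens[i]
            if tok == "{":
                depth += 1
                if depth == 2:  # the word before "{" names the block
                    current = words.pop() if words else ""
                    blocks[current] = []
            elif tok == "}":
                depth -= 1
            elif depth == 1:
                words.append(tok)
            elif depth == 2:
                blocks[current].append(tok)
            i += 1
        found[name] = (words, blocks)
    return found

def audit(text):
    """Map each virtual server to the VLAN scope its config gives it."""
    report = {}
    for name, (words, blocks) in virtual_servers(text).items():
        vlans = ", ".join(blocks.get("vlans", []))
        if "vlans-enabled" in words:
            report[name] = "only " + vlans if vlans else "no VLANs"
        elif "vlans-disabled" in words and vlans:
            report[name] = "all VLANs except " + vlans
        else:
            report[name] = "all VLANs"
    return report

if __name__ == "__main__":
    for name, scope in audit(SAMPLE).items():
        print(f"{name}: listens on {scope}")
```

The parser splits on whitespace, so it accepts both the one-line form above and the normal multi-line `list` output.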