Forum Discussion

jpowys_46893
Oct 06, 2008

Complex VLAN routing config

I was asked to set up a set of servers, a Cisco 2960G switch and a BIG-IP 3400 appliance in an odd way, and after a few days of working at it I seem to have gotten stuck. I'm not sure if it's due to the requirements or if I'm just not able to find the right piece of documentation to help.

The request was to have each interface on the Cisco switch have its own VLAN, and to have all VLAN traffic go to the F5. There are going to be at least 2 VLAN Groups, where each server (connected to the switch, and thus in its own VLAN) needs to be able to talk to the others within the VLAN Group.

The purpose of this was to be able to reassign the servers from one VLAN Group to another VLAN Group strictly by accessing the F5 api.

The problem is getting the routing to work between the servers (they can't ping each other) and getting requests from outside to touch the servers. The problem looks a lot like http://devcentral.f5.com/Default.aspx?tabid=53&forumid=31&postid=28021&view=topic but with a stack of VLANs instead of one; all are trunked through to the F5, and I got far enough along that the servers can ping the self IP of the VLAN Group.

The external VLAN SelfIP is 192.168.132.101, the internal VLANs have no SelfIPs, but are all grouped into a testGroup with a SelfIP of 10.10.5.1.

All of the internal servers are 10.10.5.x and their gateways are 10.10.5.1.

The default IPV4 route's gateway is set to 192.168.132.1.

A Pool contains the server's individual IPs (is that a mistake?).

A Virtual Server has the IP 192.168.132.202, and is pointed at the Pool.

I can ping the VLAN external SelfIP and the external Virtual Server IP.

All internal servers can ping 10.10.5.1 but nothing else.

The bigip bash shell can't ping the individual servers. The servers can't ping each other. The switch seems to be passing traffic fine.

Am I missing a route? Do I need multiple VLAN Groups or some other config to allow traffic through? I'm sure I'm really, really close with this, but it's the end of day 3, and I've gotten so much good info in these forums that I thought I'd come to you with the weird config directly and see if you have some insight.

Thanks

  • What bridge mode are you using on your VLAN group? Are you using a standalone LTM or an HA pair?
  • What I mean is: is the bridging mode transparent, translucent, or opaque? There are several bugs associated with the VLAN group, and I try to avoid using them if at all possible. With that said, have you done a tcpdump to see what's going on?

    tcpdump -ni 0.0 -w/var/tmp/myCapture.pcap net 10.10.5.0/24 -s0

    This will save your capture to a file in /var/tmp/ which you can scp off to read in wireshark if you have it. Or you can read at the command line with tcpdump -r /var/tmp/myCapture.pcap
  • Anything in the vlan group should be able to communicate without the need of a forwarding virtual server. Anything off-net will need one, though. Did you take a capture?
  • Yes. Having 2 separate VLANs with self IPs assigned lets the hosts on the switch ping the selfIPs of the vlans. Adding those vlans to a vlan group immediately cuts off any traffic, the dump stops right then and there.
  • I'd get a support case open, you may be hitting one of many bugs associated with utilizing vlan groups.
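
The replies above suggest capturing the 10.10.5.0/24 traffic on the BIG-IP and looking at what is actually going on. Below is an added example, written for this page and not taken from the thread or from F5, of a small reader for that capture: it pairs ARP requests with ARP replies and lists the requests that never got an answer, which is the first thing to check when hosts in the group can reach the self IP but not each other. It assumes an Ethernet-framed classic pcap such as the one the `tcpdump -w` command in the reply produces; the capture path is a hypothetical command-line argument, and the embedded sample capture is constructed inline so the script runs offline.

```python
"""Pair ARP requests with replies in a pcap captured on the BIG-IP (added example)."""
import struct
import sys
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag, seen when the capture interface is a trunk
ARP_REQUEST, ARP_REPLY = 1, 2


def parse_pcap(data: bytes):
    """Yield raw frames from a classic pcap (magic a1b2c3d4, either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:
        raise ValueError("expected Ethernet link type 1, got %d" % link_type)
    offset = 24  # global header is 24 bytes
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def decode_arp(frame: bytes):
    """Return (vlan_id, op, sender_ip, target_ip) for an ARP frame, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pos, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:  # skip the 4-byte 802.1Q tag
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, pos = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_ARP:
        return None
    arp = frame[pos:pos + 28]
    if len(arp) < 28:
        return None
    op = struct.unpack("!H", arp[6:8])[0]
    sender_ip = ".".join(str(b) for b in arp[14:18])
    target_ip = ".".join(str(b) for b in arp[24:28])
    return vlan_id, op, sender_ip, target_ip


def unanswered_arp(data: bytes):
    """Map (requester_ip, asked_for_ip) -> number of requests with no reply seen."""
    pending = defaultdict(int)
    for frame in parse_pcap(data):
        decoded = decode_arp(frame)
        if decoded is None:
            continue
        _vlan, op, sender, target = decoded
        if op == ARP_REQUEST:
            pending[(sender, target)] += 1
        elif op == ARP_REPLY and pending[(target, sender)] > 0:
            pending[(target, sender)] -= 1  # reply from `sender` answers `target`'s request
    return {k: v for k, v in pending.items() if v > 0}


# ---- constructed sample capture (not real traffic) --------------------------
def _arp_frame(op, src_mac, src_ip, dst_mac, dst_ip, vlan=None):
    """Build an Ethernet + ARP frame; `vlan` adds an 802.1Q tag."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else dst_mac
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    eth = dst + src_mac + tag + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += src_mac + bytes(int(x) for x in src_ip.split("."))
    arp += dst_mac + bytes(int(x) for x in dst_ip.split("."))
    return eth + arp


def _pcap(frames):
    """Wrap frames in a little-endian classic pcap with Ethernet link type."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


MAC_A, MAC_B, MAC_F5 = b"\x00\x11\x22\x33\x44\x0a", b"\x00\x11\x22\x33\x44\x0b", b"\x00\x11\x22\x33\x44\x01"
SAMPLE_PCAP = _pcap([
    _arp_frame(ARP_REQUEST, MAC_A, "10.10.5.10", b"\x00" * 6, "10.10.5.1", vlan=101),
    _arp_frame(ARP_REPLY, MAC_F5, "10.10.5.1", MAC_A, "10.10.5.10", vlan=101),  # self IP answers
    _arp_frame(ARP_REQUEST, MAC_A, "10.10.5.10", b"\x00" * 6, "10.10.5.11", vlan=101),
    _arp_frame(ARP_REQUEST, MAC_A, "10.10.5.10", b"\x00" * 6, "10.10.5.11", vlan=101),  # retry, still no reply
    MAC_B + MAC_A + struct.pack("!H", 0x0800) + b"\x00" * 20,  # non-ARP frame, ignored
])


def report(data: bytes = SAMPLE_PCAP):
    """Print and return the unanswered ARP requests found in `data`."""
    missing = unanswered_arp(data)
    for (asker, wanted), n in sorted(missing.items()):
        print(f"{asker} asked for {wanted} {n}x with no reply seen")
    return missing


if __name__ == "__main__":
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    report(capture)
```

Run it as `python arp_pairs.py /var/tmp/myCapture.pcap` after copying the file off the box; with no argument it runs on the constructed sample, where the request for the self IP is answered and the requests for the neighbouring server are not. A neighbour that never replies on the capture interface, while the self IP does, narrows the problem to bridging between the member VLANs rather than to the hosts themselves.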