Default gateway other than F5
With SNAT AutoMap disabled and using route domains, is it possible to have a default gateway on common load balanced servers/nodes behind the F5 as something other than the F5 floating IP address? The DG is an HSRP address from the router.
Is anyone also able to give me a better understanding of the traffic flows, so I can see how this solution would work?
Here’s an example:
===internet===                              ===private network===
=Firewall with NAT=                         =Firewall with 1:1 NAT Cust:Internal=
        |                                              |
     VLAN 10                                        VLAN 20
        |                                              |
--- F5 LTM Partition 1 ---                  --- F5 LTM Partition 2 ---
VS                 192.168.10.1%1           VS                 192.168.20.1%2
Self/Outside A     192.168.10.11%1          Self/Outside A     192.168.20.11%2
Self/Outside B     192.168.10.12%1          Self/Outside B     192.168.20.12%2
Floating/Outside 1 192.168.10.10%1          Floating/Outside 2 192.168.20.10%2
node 1             192.168.30.50%1          node 1             192.168.30.50%2
node 2             192.168.30.51%1          node 2             192.168.30.51%2
Self/Inside 1      192.168.30.10%1/MAC A    Self/Inside 3      192.168.30.13%2/MAC D
Self/Inside 2      192.168.30.11%1/MAC B    Self/Inside 4      192.168.30.14%2/MAC E
Floating/Inside 1  192.168.10.12%1/MAC C    Floating/Inside 2  192.168.30.15%2/MAC F
        |                                              |
        ------------------------------------------------
                                |
                             VLAN 30
                                |
==Server 1 (192.168.30.50)==            ==Server 2 (192.168.30.51)==
==DG 192.168.30.254==                   ==DG 192.168.30.254==
        |                                          |
        --------------------------------------------
                      HSRP 192.168.30.254
Routes:
Anything to ‘private network’ route via 192.168.30.15
Anything to ‘internet network’ route via 192.168.30.12
This example may somewhat defeat the purpose of route domains, but we are using them in this particular solution for customers in a multi-tenanted environment accessing services from two unique paths, which we are trying to secure as an audit requirement (separation of internet and private traffic).
8 Replies
- What_Lies_Bene1
Cirrostratus
I assume this should be - Floating/Inside 1 192.168.30.12%1/MAC C.
Anyway, can you not just use static routes on the servers for each address range (internet and private) and point those at the relevant floating IP?

- Will_F_98397
Nimbostratus
Yeah sorry, that is a typo.
Wanted to avoid static routes on the servers.

- What_Lies_Bene1
Cirrostratus
Well, the only way I can see you doing that is by routing to the F5 via .254; it's not optimal but...

- Will_F_98397
Nimbostratus
If I put the common components into their own route domain (dropping it down to only one set of inside addresses), set the DG on the servers to that floating and maybe disabled strict isolation on that new rd, what would the behaviour be then? Would the LTM route correctly?

- What_Lies_Bene1
Cirrostratus
I thought you didn't want the F5s as the default gateway?

- What_Lies_Bene1
Cirrostratus
Perhaps dedicated VLANs on the 'inside' would be better?

- Will_F_98397
Nimbostratus
I guess the problem that was flagged is: if there was a single floating IP on the inside and 2 distinct paths on the outside with separate route domains, how would the F5 select the correct path (without having the SNAT)? That's what led to having a gateway other than the LTM.

- What_Lies_Bene1
Cirrostratus
Well, the F5 is stateful and records details in, and uses, a connection table; responses would take the correct return path. I'm not too hot on Route Domains but I don't see why this wouldn't work.
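The exchange above comes down to one question: with no SNAT, the server replies to the real client address, sends it to the HSRP gateway, and the router's policy routes decide which inside floating IP (and therefore which route domain) the reply enters. The reply is only matched against the connection table of the route domain that owns that floating, so the router's routes must send each client prefix back to the floating of the route domain that carried the forward flow. The following Python model traces that forward and return path for the addresses in the question. It is an added example written for this page, not F5 software, F5 configuration, or code from either participant; the client prefixes (a default route for "internet", 10.0.0.0/8 for "private network"), the client addresses, and the assumption of strict route-domain isolation are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the thread's topology; not F5 software or configuration.
# F5-side addresses are taken from the diagram in the question. The client
# prefixes (0.0.0.0/0 = "internet", 10.0.0.0/8 = "private network") and the
# client addresses used below are assumptions made for this example.


@dataclass(frozen=True)
class Flow:
    """Connection-table key as the LTM would see it: client, VS, chosen node."""
    client: str
    vs: str
    node: str


@dataclass
class RouteDomain:
    """One route domain with its own stateful connection table."""
    rd_id: int
    vs: str                 # virtual server address (shown as VS x.x.x.x%rd)
    floating_inside: str    # floating self IP on VLAN 30 owned by this rd
    connections: set = field(default_factory=set)

    def forward(self, client: str, node: str) -> Flow:
        # Client -> VS -> node. No SNAT, so the node sees the real client
        # address, and the flow is recorded in this route domain's table.
        flow = Flow(client, self.vs, node)
        self.connections.add(flow)
        return flow

    def accepts_return(self, flow: Flow) -> bool:
        # Strict isolation assumed: only this rd's own table is consulted.
        return flow in self.connections


class Router:
    """HSRP gateway 192.168.30.254 with longest-prefix-match policy routes."""

    def __init__(self, routes):
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), nh) for prefix, nh in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst: str):
        addr = ipaddress.ip_address(dst)
        for net, nh in self.routes:
            if addr in net:
                return nh
        return None


def return_path(rds: dict, router: Router, flow: Flow, entry_rd: int) -> str:
    """Trace the reply: node -> DG -> next hop -> F5 rd owning it -> table lookup."""
    nh = router.next_hop(flow.client)
    landing = next((rd for rd in rds.values() if rd.floating_inside == nh), None)
    if landing is None:
        return "dropped: router next hop %s is not an F5 floating IP" % nh
    if not landing.accepts_return(flow):
        return ("dropped: reply entered rd %d but the connection lives in rd %d"
                % (landing.rd_id, entry_rd))
    return "ok: symmetric return via rd %d" % landing.rd_id


def build_rds() -> dict:
    return {
        1: RouteDomain(1, "192.168.10.1", "192.168.30.12"),   # internet path
        2: RouteDomain(2, "192.168.20.1", "192.168.30.15"),   # private path
    }


def simulate(client: str, entry_rd: int, node: str, router: Router) -> str:
    """Run one forward flow into entry_rd and report what happens to the reply."""
    rds = build_rds()
    flow = rds[entry_rd].forward(client, node)
    return return_path(rds, router, flow, entry_rd)


# Routes exactly as the question describes them on the HSRP router.
GOOD_ROUTER = Router([("0.0.0.0/0", "192.168.30.12"),   # internet via rd 1 floating
                      ("10.0.0.0/8", "192.168.30.15")])  # private via rd 2 floating

# Misconfiguration for contrast: private prefix pointed at the internet floating.
BAD_ROUTER = Router([("0.0.0.0/0", "192.168.30.12"),
                     ("10.0.0.0/8", "192.168.30.12")])

if __name__ == "__main__":
    print(simulate("203.0.113.5", 1, "192.168.30.50", GOOD_ROUTER))
    print(simulate("10.20.0.7", 2, "192.168.30.51", GOOD_ROUTER))
    print(simulate("10.20.0.7", 2, "192.168.30.51", BAD_ROUTER))
```

With the routes from the question both paths come back symmetric; the third run shows the failure mode the thread is worried about: the reply reaches the LTM, but in a route domain whose connection table has never seen the flow, so it is dropped rather than forwarded to the wrong client. The model ignores the outside-facing return route (from the F5 back through the firewall), which each route domain also needs.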