Forum Discussion
NimbostratusDefining "loopback" address on F5
To summarize and state in a different way, just so my point is clear:
Physical IPs of HA pair = 10.x.x.1, 10.x.x.2
Floating IP of HA pair = 10.x.x.3
External VIP space = 84.x.x.x static routed to 10.x.x.3
I want to build the following and be able to communicate with the external MGMT IPs on port 22 and 4353:
External MGMT IP 1 = 84.x.x.1 static routed to 10.x.x.1
External MGMT IP 1 = 84.x.x.2 static routed to 10.x.x.2
How do I configure each of the LTMs to allow SSH/iquery to 84.x.x.1, 84.x.x.2 without defining a physical VLAN?
5 Replies
- nitass
Employee
have you tried to create another selfip e.g. 84.x.x.1, 84.x.x.2 on the same vlan? didn't it work? 
Greg_BurchThe problem with that, though, is wouldn't the F5 then source monitoring checks from those self-IPs in addition to the 10.x.x.1 and 10.x.x.2 IPs? That would likely cause issues...- Eric_St__JohnWhat about creating a VIP with the necessary IPs, and attach the following iRule:
when CLIENT_ACCEPTED { node 10.1.1.1 }
Eric 
TechgeeegHi Greg,
When in the Fail-over pair the only accessible IP will be the floating IP which will point to the active unit the standby unit wont be accessible. I am sure you must have configured the NAT to the floating IP of the LTM pair. Did it work or no? if it didn't then the following may stand.
I am not exactly sure but the commands bigip_add will not work from behind the NAT you have to get the LTM units the public IP address. I prefer you open a case with F5 and do share how you got this resolved.
Regards,- nitass
Eric, cool!
Greg, can you try what Eric suggested?
this is my testing.
) list net self 10.201.59.133
net self 10.201.59.133 {
address 10.201.59.133/27
allow-service all
traffic-group traffic-group-local-only
vlan internal
}
) list net self|grep 84.1.1
)) list ltm virtual bar
ltm virtual bar {
destination 84.1.1.1:443
ip-protocol tcp
mask 255.255.255.255
profiles {
tcp { }
}
rules {
myrule
}
vlans-disabled
}
) list ltm rule myrule
ltm rule myrule {
when CLIENT_ACCEPTED {
node 10.201.59.133 443
}
}[root@bigip:Active] config ssldump -Aed -nni 0.0 port 443 -k /config/httpd/conf/ssl.key/server.key
New TCP connection 1: 10.253.114.7(41499) <-> 84.1.1.1(443)
1 10 1342776301.2545 (0.0271) C>SV3.1(167) application_data
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 84.1.1.1
Accept: */*---------------------------------------------------------------
1 11 1342776301.2555 (0.0010) S>CV3.1(280) application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Date: Fri, 20 Jul 2012 09:25:01 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 21 Nov 2011 02:51:30 GMT
ETag: "172a9-ced-c3831080"
Accept-Ranges: bytes
Content-Length: 3309
Content-Type: text/html; charset=ISO-8859-1---------------------------------------------------------------
