Forum Discussion

Aug 31, 2023

Disable vip that is listening on different ports

Hi All,

For a customer, I need to disable a single VIP that is listening on 50 different ports,
for instance 192.168.1.50:80 - 192.168.1.50:8080 - 192.168.1.50:8180 and so on.

When I try to disable it from the GUI or CLI and enable it on a new F5 device, it seems that the traffic continues to arrive at the old one even though I have disabled it.

As a workaround I have suggested to the customer to change the VIP that I need to disable, for instance 192.168.10.10:80 to 192.168.11.10:80, but I don't want to repeat the same operation for the other ports that are listening on the same VIP.

Is there a solution that ensures I do not receive traffic for the VIP that I have disabled?
Many thanks in advance.

Awaiting your news.

Rgds,

  • Hello unavailable

    As per my understanding, you want to disable the VIP on one F5 and use the same IP to configure the VIP on the other F5 device. Please correct me if my understanding is wrong.

    If that’s the requirement, then traffic for the disabled VIP IP going to the old F5 device is expected, because it depends on the routing configuration and the Self IP network being used on the F5. If the old VIP IP network is destined for the old F5 device, then traffic will go there only.

    You should have a separate network configured on the other F5 device. So, you need to configure the VIP using that network's IP. Then traffic will hit the desired F5 device.

  • Hi unavailable,
    As Mayur_Sutare said, you should modify your routing in the peer devices to the old and new F5 BIG-IP devices for correct redirection, but disabling will not solve it.

    I will only add that if you can't change the routing, we will go to a complex solution: you have to use a forwarding virtual server and make sure there is no connectivity issue between the old F5 BIG-IP and the new F5 BIG-IP, as both devices should be directly connected or connected through an L2 domain.

    You will create this forwarding VS with the destination IP "192.168.10.10", then modify your routing on the old BIG-IP by adding a static route:
    For example: dest >>> 192.168.10.10 next hop (the new BIG-IP self IP if directly connected)

    You will be restricted to making both devices directly connected to avoid any routing loops,
    or you can find another way to avoid a routing loop by working side by side with the network team, because I'm not aware of your network design, but again it's a complex one.

    Here is information about the forwarding virtual server: https://my.f5.com/manage/s/article/K7595

  • unavailable, as both Mohamed_Ahmed_Kansoh and Mayur_Sutare said, you can't disable certain ports and force them to go to the other F5. What is the reasoning for switching from one F5 to a new F5? Are you migrating between the two? If this is a migration you're better off creating a UCS of the old and importing that into the new F5 after you configure the master key from the old F5 on the new F5. After that you can disable the interfaces on the switch that the new F5 is connected to. During a maintenance you can disable the old F5 switch interfaces, clear ARP on the network device for both segments and then enable the switch interfaces for the new F5 so it will take over all communication that the old F5 had on it. If you don't want to do that sort of swap you're better off deploying a new segment for the new F5 and changing NATs to point to the new F5 so you can move traffic between the two.

  • Hi Cirrus,

    Many thanks for your fast reply.

    The customer has resolved the problem in this way: he has migrated the entire VIP that is listening on different ports, disabling the virtual address and every single VIP.

    At the moment, the F5 does not send traffic to the disabled VIPs.

    Many thanks again for your time.

    Regards,
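
The resolution in the last post (disable every virtual server on the address, then the virtual address itself) can be planned from a listing instead of clicking through 50 ports. The script below is an added example, not part of the thread: the listing is constructed sample data shaped like `tmsh list ltm virtual one-line` output, the function name and object names are hypothetical, and it assumes IPv4 destinations without route domains and a virtual-address object named after its IP.

```shell
#!/usr/bin/env bash
# Constructed sample listing (assumption: shaped like `tmsh list ltm virtual one-line`).
SAMPLE_LISTING='ltm virtual vs_app_80 { destination 192.168.1.50:80 ip-protocol tcp pool pool_app }
ltm virtual vs_app_8080 { destination 192.168.1.50:8080 ip-protocol tcp pool pool_app }
ltm virtual vs_app_8180 { destination /Common/192.168.1.50:8180 ip-protocol tcp pool pool_app }
ltm virtual vs_other_80 { destination 192.168.1.5:80 ip-protocol tcp pool pool_other }'

# plan_vip_disable ADDRESS
# Reads a one-line virtual server listing on stdin and prints (does not run)
# the tmsh commands that disable every virtual server on ADDRESS, followed by
# the command that disables the virtual address and stops it answering ARP.
plan_vip_disable() {
  local addr="$1"
  awk -v addr="$addr" '
    $1 == "ltm" && $2 == "virtual" {
      for (i = 4; i < NF; i++) {
        if ($i != "destination") continue
        dest = $(i + 1)
        sub(/^.*\//, "", dest)        # drop a partition prefix such as /Common/
        host = dest
        sub(/:[^:]*$/, "", host)      # drop the :port suffix
        # Exact comparison: 192.168.1.5 must not match 192.168.1.50.
        if (host == addr) {
          print "tmsh modify ltm virtual " $3 " disabled"
          n++
        }
        break
      }
    }
    END {
      # Only touch the virtual address if at least one listener was found on it.
      if (n > 0)
        print "tmsh modify ltm virtual-address " addr " enabled no arp disabled"
    }'
}

# Review the plan before running anything on the device.
printf '%s\n' "$SAMPLE_LISTING" | plan_vip_disable 192.168.1.50
```

The output is a reviewable list of commands; nothing changes on the BIG-IP until they are run, and the upstream routing and ARP behaviour discussed in the replies still decides which device receives the traffic.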