Forum Discussion

MAC2014_141917's avatar
MAC2014_141917
Icon for Nimbostratus rankNimbostratus
Jan 22, 2014

F5 - Npath routing

Hi,

 

I'm trying to setup Npath routing by the book: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_npath.html However there are some issues and doubts about this configuration.

 

First of all, everything is on the same network:

 

Client IP: 10.233.203.222

 

Load Balancer F5 Big-IP (version 10.2.1) Virtual IP: 10.233.203.218

 

Pool members: 10.233.203.216 and 10.233.203.217

 

Route table in each pool member:

 

Kernel IP routing table

 

Destination Gateway Genmask Flags Metric Ref Use Iface

 

default 10.233.203.129 0.0.0.0 UG 0 0 0 eth0

 

10.233.203.0 * 255.255.255.0 U 0 0 0 eth0

 

link-local * 255.255.0.0 U 1002 0 0 eth0

 

As described in documentation I added Virtual Server IP in loopback interface using the following command:

 

ip addr add 10.233.203.218 label lo:0 dev lo scope global

 

I'm not a network specialist but I would like to understand the flow between request and response using Npath.

 

Some doubts:

 

- What's the role of VIP in loopback interface?

 

- Why even LB down I'm able to ping 10.233.203.218 (VIP) from outside? Is it not supposed loopback does not accept traffic from outside?

 

- Because everything is on the same network make sense to use Npath?

 

- Even with Npath how can I control the outbound traffic if node, LB and server are in the same network: 10.233.203.X?

 

I do not understand well the entire flow:

 

CLIENT -> LB -> SERVER1 OR SERVER2 -> LB -> CLIENT

 

or using Npath:

 

CLIENT -> LB -> SERVER1 or SERVER 2-> CLIENT

 

Thanks for you support

 

Mac

 

  • What's the role of VIP in loopback interface?

     

    i understand it is used to accept traffic from f5 because f5 does not change destination ip (10.233.203.218) when sending traffic to server.

     

    Why even LB down I'm able to ping 10.233.203.218 (VIP) from outside? Is it not supposed loopback does not accept traffic from outside?

     

    i think it depends on how loopback is configured on server (e.g. arp).

     

    Because everything is on the same network make sense to use Npath?

     

    you can use snatpool or snat automap instead of npath. by the way, why do you want to use npath? is it due to performance issue?

     

    Even with Npath how can I control the outbound traffic if node, LB and server are in the same network: 10.233.203.X?

     

    is there any problem you observe?

     

  • Thanks for you response!

     

    We want to use Npath for performance issues (trying to maximize throughput).

     

    I tried "ifconfig lo -arp" (Linux) and I'm still able to ping the loopback interface from outside.

     

    Related to outbound traffic, if you see the route table:

     

    Destination Gateway Genmask Flags Metric Ref Use Iface

     

    default 10.233.203.129 0.0.0.0 UG 0 0 0 eth0

     

    10.233.203.0 * 255.255.255.0 U 0 0 0 eth0

     

    link-local * 255.255.0.0 U 1002 0 0 eth0

     

    Loopback interface is listening the request (because of the same IP address on LB) and I don't understand the flow of response... goes trough default gateway? because client (10.233.203.222 is on the same network than node)...

     

    Thanks!

     

  • I tried "ifconfig lo -arp" (Linux) and I'm still able to ping the loopback interface from outside.

     

    shouldn't it be configurable (to not respond to arp)?

     

    Loopback interface is listening the request (because of the same IP address on LB) and I don't understand the flow of response... goes trough default gateway? because client (10.233.203.222 is on the same network than node)...

     

    does server use loopback ip as source when responds to request from client/f5? if yes, i do not think it is an issue there.

     

  • I don't know how to disable ARP properly in Linux...

     

    Related to loopback... f5 is adding client IP to the packet and because of it, the server will send the response directly to client, right? If loopback is not configured, the response goes through LB, right?

     

    Thanks

     

  • I don't know how to disable ARP properly in Linux...

     

    Using arp announce/arp ignore to disable ARP

     

    http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP

     

    f5 is adding client IP to the packet and because of it, the server will send the response directly to client, right?

     

    source (client) ip is not change because f5 does not do snat. so, server can send response to client directly.

     

    If loopback is not configured, the response goes through LB, right?

     

    there are 2 options to force response through f5. one is to change server default gateway to f5 and the other one is to do snat on f5. when doing snat, source (client) ip will be changed to f5 ip. so, response packet will be sent to f5.

     

  • e.g.

    l2 npath configuration

    - client is 172.28.24.1

    - virtual server/loopback is 172.28.24.10

    - server is 172.28.24.4
     config on f5
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            fastl4_npath { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vs-index 5
    }
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            172.28.24.4:0 {
                address 172.28.24.4
            }
        }
    }
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_npath
    ltm profile fastl4 fastl4_npath {
        app-service none
        loose-close enabled
    }
    
     config on server
    
    [root@centos101 ~] grep net.ipv4.conf.eth0.arp /etc/sysctl.conf
    net.ipv4.conf.eth0.arp_ignore = 1
    net.ipv4.conf.eth0.arp_announce = 2
    
    [root@centos101 ~] ifconfig lo:10
    lo:10     Link encap:Local Loopback
              inet addr:172.28.24.10  Mask:255.255.255.255
              UP LOOPBACK RUNNING NOARP  MTU:16436  Metric:1
    
     client
    
    [root@centos1 ~] curl -I http://172.28.24.10
    HTTP/1.1 200 OK
    Date: Thu, 23 Jan 2014 05:35:33 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Thu, 23 May 2013 00:28:46 GMT
    ETag: "4185a8-59-c3efab80"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    
     tcpdump on f5
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    21:43:05.680297 IP 172.28.24.1.35986 > 172.28.24.10.80: S 3281753833:3281753833(0) win 5840  in slot1/tmm0 lis=
    21:43:05.683689 IP 172.28.24.1.35986 > 172.28.24.10.80: S 3281753833:3281753833(0) win 5840  out slot1/tmm0 lis=/Common/bar
    21:43:05.685341 IP 172.28.24.1.35986 > 172.28.24.10.80: . ack 1912735987 win 46  in slot1/tmm0 lis=/Common/bar
    21:43:05.685351 IP 172.28.24.1.35986 > 172.28.24.10.80: P 0:155(155) ack 1 win 46  in slot1/tmm0 lis=/Common/bar
    21:43:05.685379 IP 172.28.24.1.35986 > 172.28.24.10.80: . ack 1 win 46  out slot1/tmm0 lis=/Common/bar
    21:43:05.685445 IP 172.28.24.1.35986 > 172.28.24.10.80: P 0:155(155) ack 1 win 46  out slot1/tmm0 lis=/Common/bar
    21:43:05.689183 IP 172.28.24.1.35986 > 172.28.24.10.80: . ack 244 win 54  in slot1/tmm0 lis=/Common/bar
    21:43:05.689184 IP 172.28.24.1.35986 > 172.28.24.10.80: . ack 244 win 54  out slot1/tmm0 lis=/Common/bar
    21:43:05.690171 IP 172.28.24.1.35986 > 172.28.24.10.80: F 155:155(0) ack 244 win 54  in slot1/tmm0 lis=/Common/bar
    21:43:05.690231 IP 172.28.24.1.35986 > 172.28.24.10.80: F 155:155(0) ack 244 win 54  out slot1/tmm0 lis=/Common/bar
    21:43:05.692370 IP 172.28.24.1.35986 > 172.28.24.10.80: . ack 245 win 54  in slot1/tmm0 lis=/Common/bar
    21:43:05.692408 IP 172.28.24.1.35986 > 172.28.24.10.80: . ack 245 win 54  out slot1/tmm0 lis=/Common/bar
    
     tcpdump on server
    
    [root@centos101 ~] tcpdump -nni eth0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    13:35:33.740303 IP 172.28.24.1.35986 > 172.28.24.10.80: S 3281753833:3281753833(0) win 5840 
    13:35:33.740566 IP 172.28.24.10.80 > 172.28.24.1.35986: S 1912735986:1912735986(0) ack 3281753834 win 5792 
    13:35:33.742306 IP 172.28.24.1.35986 > 172.28.24.10.80: . ack 1 win 46 
    13:35:33.742308 IP 172.28.24.1.35986 > 172.28.24.10.80: P 1:156(155) ack 1 win 46 
    13:35:33.742341 IP 172.28.24.10.80 > 172.28.24.1.35986: . ack 156 win 54 
    13:35:33.744324 IP 172.28.24.10.80 > 172.28.24.1.35986: P 1:244(243) ack 156 win 54 
    13:35:33.746570 IP 172.28.24.1.35986 > 172.28.24.10.80: . ack 244 win 54 
    13:35:33.746918 IP 172.28.24.1.35986 > 172.28.24.10.80: F 156:156(0) ack 244 win 54 
    13:35:33.746987 IP 172.28.24.10.80 > 172.28.24.1.35986: F 244:244(0) ack 157 win 54 
    13:35:33.749273 IP 172.28.24.1.35986 > 172.28.24.10.80: . ack 245 win 54