F5 - Npath routing

Question

Hi,&nbsp;
I'm trying to setup Npath routing by the book: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_npath.html
However there are some issues and doubts about this configuration.&nbsp;
First of all, everything is on the same network:&nbsp;
Client IP: 10.233.203.222&nbsp;
Load Balancer F5 Big-IP (version 10.2.1) Virtual IP: 10.233.203.218&nbsp;
Pool members: 10.233.203.216 and 10.233.203.217&nbsp;
Route table in each pool member: &nbsp;
Kernel IP routing table&nbsp;
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface&nbsp;
default         10.233.203.129  0.0.0.0         UG    0      0        0 eth0&nbsp;
10.233.203.0    *               255.255.255.0   U     0      0        0 eth0&nbsp;
link-local      *               255.255.0.0     U     1002   0        0 eth0  &nbsp;
As described in documentation I added Virtual Server IP in loopback interface using the following command:&nbsp;
ip addr add 10.233.203.218 label lo:0 dev lo scope global  &nbsp;
I'm not a network specialist but I would like to understand the flow between request and response using Npath.&nbsp;
Some doubts:&nbsp;
- What's the role of VIP in loopback interface?&nbsp;
- Why even LB down I'm able to ping 10.233.203.218 (VIP) from outside? Is it not supposed loopback does not accept traffic from outside?&nbsp;
- Because everything is on the same network make sense to use Npath? &nbsp;
- Even with Npath how can I control the outbound traffic if node, LB and server are in the same network: 10.233.203.X?  &nbsp;
I do not understand well the entire flow:&nbsp;
CLIENT -&gt; LB -&gt; SERVER1 OR SERVER2 -&gt; LB -&gt; CLIENT&nbsp;
or using Npath:&nbsp;
CLIENT -&gt; LB -&gt; SERVER1 or SERVER 2-&gt; CLIENT  &nbsp;
Thanks for you support&nbsp;
Mac  &nbsp;

nitass · Answer

What's the role of VIP in loopback interface?&nbsp;

i understand it is used to accept traffic from f5 because f5 does not change destination ip (10.233.203.218) when sending traffic to server.&nbsp;

Why even LB down I'm able to ping 10.233.203.218 (VIP) from outside? Is it not supposed loopback does not accept traffic from outside?&nbsp;

i think it depends on how loopback is configured on server (e.g. arp).&nbsp;

Because everything is on the same network make sense to use Npath?&nbsp;

you can use snatpool or snat automap instead of npath. by the way, why do you want to use npath? is it due to performance issue?&nbsp;

Even with Npath how can I control the outbound traffic if node, LB and server are in the same network: 10.233.203.X?&nbsp;

is there any problem you observe?&nbsp;

mac2014_141917 · Answer

Thanks for you response!&nbsp;
We want to use Npath for performance issues (trying to maximize throughput).  &nbsp;
I tried "ifconfig lo -arp" (Linux) and I'm still able to ping the loopback interface from outside.&nbsp;
Related to outbound traffic, if you see the route table:&nbsp;
Destination Gateway Genmask Flags Metric Ref Use Iface&nbsp;
default 10.233.203.129 0.0.0.0 UG 0 0 0 eth0&nbsp;
10.233.203.0 * 255.255.255.0 U 0 0 0 eth0&nbsp;
link-local * 255.255.0.0 U 1002 0 0 eth0  &nbsp;
Loopback interface is listening the request (because of the same IP address on LB) and I don't understand the flow of response... goes trough default gateway? because client (10.233.203.222 is on the same network than node)...&nbsp;
Thanks!&nbsp;

nitass · Answer

I tried "ifconfig lo -arp" (Linux) and I'm still able to ping the loopback interface from outside.&nbsp;

shouldn't it be configurable (to not respond to arp)?&nbsp;

Loopback interface is listening the request (because of the same IP address on LB) and I don't understand the flow of response... goes trough default gateway? because client (10.233.203.222 is on the same network than node)...&nbsp;

does server use loopback ip as source when responds to request from client/f5? if yes, i do not think it is an issue there.&nbsp;

mac2014_141917 · Answer

I don't know how to disable ARP properly in Linux...&nbsp;
Related to loopback... f5 is adding client IP to the packet and because of it, the server will send the response directly to client, right? If loopback is not configured, the response goes through LB, right?&nbsp;
Thanks&nbsp;

nitass · Answer

I don't know how to disable ARP properly in Linux...&nbsp;

Using arp announce/arp ignore to disable ARP&nbsp;
http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP&nbsp;

f5 is adding client IP to the packet and because of it, the server will send the response directly to client, right?&nbsp;

source (client) ip is not change because f5 does not do snat. so, server can send response to client directly.&nbsp;

If loopback is not configured, the response goes through LB, right?&nbsp;

there are 2 options to force response through f5. one is to change server default gateway to f5 and the other one is to do snat on f5. when doing snat, source (client) ip will be changed to f5 ip. so, response packet will be sent to f5.&nbsp;

Forum Discussion

F5 - Npath routing

Recent Discussions

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

F5 ASM API-Protection Policy

Related Content

Layer 3 npath routing

Setting default route using VLANs

Routing problem for connect() in iRule

How is the F5 -> node path mantained for nPath server side connections?

Use of loopback IP in DSR (Layer3 npath routing)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS