Forum Discussion
F5 BGP Peering in Active /Standby Cluster
Hi team,
I am trying to achieve dynamic routing over F5 BIG-IP devices with Cisco ACI in front, which has the following design requirements.
The F5 is configured to be the default gateway for a pool of webservers, with a virtual IP subnet for the VIPs hosted on the F5 itself. BGP is established by using a separate VLAN to peer with the Cisco ACI BGP peering, running eBGP.
The BGP peering is established by declaring a self IP on the BGP VLAN, and the route is advertised through the peering.
I can see the virtual subnet a.a.a.a and the pool member subnet b.b.b.b as directly connected routes in sh ip route on the imish console. Moreover, a.a.a.a and b.b.b.b are consistently being advertised from the active and standby F5 devices to the Cisco ACI peers from their specific BGP peers hosted locally on the F5.
I tried to inject a route for VIP subnet a.a.a.a with /32 by advertising the route on BGP; it is advertised as a kernel route and works well in the clustering scenario by being advertised from the active box.
The problem comes with the pool member subnet b.b.b.b, which is being advertised as a connected route from both the active and standby devices to the Cisco ACI peers, and traffic ends up taking both paths simultaneously.
I have a few questions on this design:
Is there a way we can suppress routes from the standby device being advertised to the upstream routers?
Is there a way we can adjust the metrics for directly connected routes so they are advertised with a low metric from the standby device?
I have tried to configure the pool member as a wildcard forwarding IP and to inject RHI for the b.b.b.b subnet as a TMM route, but it was not honoured as a TMM route because of its nature as a directly connected route.
Any way to feasibly stop route advertisement from the standby would be greatly appreciated.
8 Replies
- nocturnal_soul
Altocumulus
Try this:
Restructure the network so the pool member subnet is NOT directly connected to the F5:
```bash
# Remove the directly connected self-IP from the pool member VLAN
tmsh delete net self <pool-member-selfip>
# Create a static route to reach pool members via another gateway
tmsh create net route pool-members-route network b.b.b.b/24 gw <gateway-ip>
# Now create a virtual address with RHI for the subnet
tmsh create ltm virtual-address b.b.b.b/24 route-advertisement selective
```
With this approach:
The pool member subnet is no longer "directly connected"
RHI will work because the F5 can generate kernel routes
Only the active device will advertise the route
Since you can't use RHI, configure different BGP attributes based on HA role:
```text
! Create scripts that modify BGP route-maps based on HA status
! On the standby device - prepend the AS path to make routes less preferred
route-map STANDBY_SUPPRESS permit 10
 match ip address pool-subnet-acl
 set as-path prepend <YOUR-AS> <YOUR-AS> <YOUR-AS>
route-map STANDBY_SUPPRESS permit 20
! Apply to redistribution on the standby only
! (use "redistribute connected" instead if the subnet enters BGP as a connected route)
router bgp <AS>
 redistribute kernel route-map STANDBY_SUPPRESS
```
Move the pool member VLAN to a dedicated traffic group:
```bash
# Create a dedicated traffic group for the pool member subnet
tmsh create cm traffic-group pool-members-tg
# Assign the VLAN's floating self-IP (the pool members' gateway) to the traffic group;
# a VLAN itself carries no traffic-group, floating self-IPs and virtual addresses do
tmsh modify net self <pool-member-floating-selfip> traffic-group pool-members-tg
# Configure traffic group failover preferences
tmsh modify cm traffic-group pool-members-tg ha-order { device1 device2 }
```
The most feasible solution would be removing the direct connection to the pool member subnet so RHI can function properly, or implementing AS-path manipulation with automation to adjust it on HA state changes.
I saw this behaviour being confirmed by F5 documentation on reddit: here
Let's say you don't use F5 but a pair of Cisco routers as the pool members' default gw;
both Cisco routers will advertise the pool members' subnet, isn't it?
F5's ZebOS-based tmrouted, including on the standby node, does the same. https://my.f5.com/manage/s/article/K10168
So for example, when an admin wants to SSH to a pool member, it's OK if the IP traffic goes through the standby F5.
Just like when you use non-F5, if you don't want users to access pool member app ports directly but only through the F5 vserver,
then you need to configure a network firewall or F5 ACL accordingly.
RHI is intended to advertise the F5 VIP, which surely won't be active on the standby node.
- Shripaty
Cirrus
Hi, yes, that is correct. The F5 is acting as two-arm here: the external VLAN will be used for the VIP, and for that I am able to inject the RHI feature successfully, whereas the internal VLAN being used for the pool member subnets has its own self IP and floating IP, which will be used by the webservers as their default gateway to achieve the Direct Server Return policy. The TMM route is being advertised successfully for the external VLAN, but the problem I'm facing is how to control the route advertisement for the internal VLAN, since the redistribute connected command advertises both the external connected subnet and the internal connected subnet from active and standby.
- nocturnal_soul
Altocumulus
This could be an approach for controlling pool member subnet advertisements:
Create a static route to null0 for your pool member subnet:
```bash
# tmsh has no "null0" interface; a blackhole route is its equivalent (a route name is required)
tmsh create net route pool-members-null network b.b.b.b/subnet_mask blackhole
```
Configure BGP aggregate-address in imish:
```text
router bgp YOUR_ASN
 aggregate-address b.b.b.b/subnet_mask
```
Enable kernel route redistribution instead of connected routes:
```text
router bgp YOUR_ASN
 redistribute kernel
 no redistribute connected
```
Control route advertisement using route-maps to filter based on device state:
Create a prefix-list for pool member subnets:
```text
ip prefix-list POOL_MEMBERS seq 10 permit b.b.b.b/subnet_mask
```
Create route-maps with conditional logic:
```text
route-map EXPORT_TO_ACI permit 10
 match ip address prefix-list POOL_MEMBERS
 ! Lower metric on active, higher on standby
 set metric 100
route-map EXPORT_TO_ACI permit 20
```
Apply the route-map to BGP neighbors:
```text
router bgp YOUR_ASN
 neighbor ACI_PEER_IP route-map EXPORT_TO_ACI out
```
If you cannot suppress routes entirely, manipulate BGP attributes to prefer the active device:
On Active Device:
```text
route-map ACTIVE_DEVICE permit 10
 match ip address prefix-list POOL_MEMBERS
 set metric 50
 ! LOCAL_PREF is not sent to an eBGP peer; of these two attributes only the metric (MED) reaches ACI
 set local-preference 200
```
On Standby Device:
```text
route-map STANDBY_DEVICE permit 10
 match ip address prefix-list POOL_MEMBERS
 set metric 200
 set local-preference 100
```
Ensure your floating self-IPs and virtual addresses are properly associated with traffic groups. This is critical for proper route advertisement behavior:
```bash
tmsh modify ltm virtual-address b.b.b.b/32 traffic-group traffic-group-1
tmsh modify ltm virtual-address b.b.b.b/32 route-advertisement selective
```
Configure identical BGP settings on both devices, but let the HA mechanism control which routes are actually advertised:
```bash
tmsh modify net route-domain 0 routing-protocol add { BGP }
```
Regular monitoring commands to verify proper behavior:
```bash
# Check BGP advertised routes (imish)
show ip bgp neighbors X.X.X.X advertised-routes
# Verify kernel routes (imish; should differ between active/standby)
show ip route kernel
# Check traffic group status (tmsh)
tmsh show cm traffic-group
```
The aggregate-address with null0 approach is the most reliable method to achieve your goal. It leverages F5's HA mechanisms to ensure only the active device advertises pool member routes while maintaining proper failover behavior. This solution aligns with F5's design principles and provides the cleanest routing behavior for your Cisco ACI integration.
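The per-device route-maps above are static, so after a failover the former standby still carries the standby attributes. As an added example (not from this thread and not F5 code), here is what a periodic job on each BIG-IP would do to make the advertisement follow the HA state: parse the traffic-group status from tmsh output, and only when the state changes, point the ACI peer at the matching outbound route-map and soft-clear the session. The tabular `tmsh show cm traffic-group` layout in SAMPLE_OUTPUT is constructed here and must be checked against your BIG-IP version; EXPORT_ACTIVE, EXPORT_STANDBY, POOL_MEMBERS, bigip-a/bigip-b and AS 65001 are names chosen for the example, and ACI_PEER_IP / b.b.b.b are the thread's placeholders.

```python
"""Drive the outbound BGP route-map toward the ACI peer from the BIG-IP HA state.

Added example for this thread, not code from the posts or from F5. Assumptions:
  * `tmsh show cm traffic-group` prints one row per (traffic group, device) with the
    failover status in the third column, as in SAMPLE_OUTPUT (constructed here;
    compare with your version's output before trusting the parser);
  * EXPORT_ACTIVE / EXPORT_STANDBY / POOL_MEMBERS, bigip-a / bigip-b and AS 65001
    are names chosen for the example, not the thread's configuration.
"""
import re
from typing import List, Optional

# Constructed sample of `tmsh show cm traffic-group`, as if run on bigip-a.
SAMPLE_OUTPUT = """\
------------------------------------------------------------------------
CM::Traffic-Group
Name                      Device   Status   Next    Previous  Active  Times
                                            Active  Active    Reason  Became
------------------------------------------------------------------------
traffic-group-1           bigip-a  active   false   false     -       1
traffic-group-1           bigip-b  standby  true    false     -       0
traffic-group-local-only  bigip-a  active   false   false     -       1
"""

# name, device, status: only real failover states match, so header lines are skipped.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(active|standby|offline|forced-offline|standalone)\b")


def traffic_group_state(output: str, traffic_group: str, device: str) -> Optional[str]:
    """Failover state of one traffic group on one device, or None if no row matches."""
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(1) == traffic_group and m.group(2) == device:
            return m.group(3)
    return None


def route_map_config(pool_prefix: str) -> List[str]:
    """imish config that is identical on both devices: both route-maps always exist.

    The standby map denies the pool-member subnet instead of lowering LOCAL_PREF:
    LOCAL_PREF is not sent to an eBGP peer, so ACI would never see it. Only the
    metric (MED) or an AS-path prepend survives the eBGP hop, and not advertising
    at all is the simplest of those.
    """
    return [
        f"ip prefix-list POOL_MEMBERS seq 10 permit {pool_prefix}",
        "route-map EXPORT_ACTIVE permit 10",
        " match ip address prefix-list POOL_MEMBERS",
        " set metric 50",
        "route-map EXPORT_ACTIVE permit 20",
        "route-map EXPORT_STANDBY deny 10",
        " match ip address prefix-list POOL_MEMBERS",
        "route-map EXPORT_STANDBY permit 20",
    ]


def peer_commands(state: str, asn: int, peer: str) -> List[str]:
    """Point the eBGP neighbor at the route-map for this state and re-send Adj-RIB-Out."""
    route_map = "EXPORT_ACTIVE" if state == "active" else "EXPORT_STANDBY"
    return [
        "configure terminal",
        f"router bgp {asn}",
        f" neighbor {peer} route-map {route_map} out",
        "end",
        f"clear ip bgp {peer} soft out",  # soft reset keeps the session up
    ]


def reconcile(previous: Optional[str], current: Optional[str], asn: int, peer: str) -> Optional[List[str]]:
    """Commands for this poll, or None when BGP must not be touched.

    An unparseable state (None) never flips the peer: a broken parse on the standby
    must not start advertising, and on the active must not withdraw. An unchanged
    state returns None too, so a 30-second handler does not soft-clear BGP every run.
    Anything other than "active" (standby, offline, forced-offline) suppresses.
    """
    if current is None or current == previous:
        return None
    return peer_commands(current, asn, peer)


if __name__ == "__main__":
    # Demo on the constructed output; a real handler would run `tmsh show cm traffic-group`,
    # read the previous state from a state file, and feed the returned lines to imish.
    state = traffic_group_state(SAMPLE_OUTPUT, "traffic-group-1", "bigip-a")
    print("\n".join(route_map_config("b.b.b.b/24")))
    print("\n".join(reconcile(None, state, 65001, "ACI_PEER_IP") or ["# no change"]))
```

Run it from a sys icall periodic handler on both devices with the same config; how the generated lines are handed to imish (one -e per command, or an interactive session) depends on your software version and is not shown here. The ROW pattern is the part to verify first on a real box, since a parse that silently returns None leaves the peer untouched by design.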
- Shripaty
Cirrus
Hi, thanks for the brief explanation. I tried adding the route for null0, but since I have declared the self IP (which will be used for pool member health checks) and the floating IP address (which acts as the gateway for pool member subnet b.b.b.b), it is denied because of an implied route present due to the self IP being configured for the pool member subnet.
I am successfully able to get the TMM route injected for the external subnet a.a.a.a, which will be used for the VIP, but when it comes to the pool member subnet or internal subnet b.b.b.b, the route is being advertised by both active and standby through redistribute connected. I tried conditional prefixing, but advertising route metrics is a good idea only when we don't have auto failover configured for the devices.
How will that play a role when a traffic failover happens and the previous standby device takes over the active role? It will still have the lower metrics configured for the route, and traffic will still flow through the previous active device.
How will it help in case of a traffic failover? Is there a key metric which can increase the metric of the route in case of a traffic failover?
On Active Device:
```text
route-map ACTIVE_DEVICE permit 10
 match ip address prefix-list POOL_MEMBERS
 set metric 50
 set local-preference 200
```
On Standby Device:
```text
route-map STANDBY_DEVICE permit 10
 match ip address prefix-list POOL_MEMBERS
 set metric 200
 set local-preference 100
```
- nocturnal_soul
Altocumulus
Try this approach using F5's iCall framework to automatically adjust BGP route advertisements based on the failover state:
Step 1: Create Traffic Group State Detection Script
```bash
tmsh create sys icall script traffic-group-state {
    definition {
        # "Failover active for ..." or "Failover standby for ..."; with traffic-group-1 as the
        # only floating traffic group, the device state is the traffic group state
        set failover [exec /usr/bin/tmsh show sys failover]
        # imish is the ZebOS CLI on BIG-IP (there is no vtysh); one -e per config line
        if { [string match "Failover active*" $failover] } {
            # Device is active - advertise with good metrics
            exec /usr/bin/imish -e "configure terminal" -e "route-map POOL_MEMBERS permit 10" -e "set metric 50" -e "set local-preference 200" -e "end"
        } else {
            # Device is standby - suppress the pool member subnet
            exec /usr/bin/imish -e "configure terminal" -e "route-map POOL_MEMBERS deny 10" -e "end"
        }
        # Soft reset so the peer re-receives the updated Adj-RIB-Out without dropping the session
        exec /usr/bin/imish -e "clear ip bgp * soft out"
    }
}
```
Step 2: Create Route-Map for Pool Member Subnets
```text
! In imish on both devices
ip prefix-list POOL_MEMBERS seq 10 permit b.b.b.b/subnet_mask
route-map POOL_MEMBERS permit 10
 match ip address prefix-list POOL_MEMBERS
 set metric 50
 ! LOCAL_PREF is not sent to an eBGP peer; ACI only sees the metric (MED)
 set local-preference 200
router bgp YOUR_ASN
 neighbor ACI_PEER_IP route-map POOL_MEMBERS out
```
Step 3: Trigger Script on Failover Events
```bash
tmsh create sys icall handler periodic traffic-group-monitor {
    interval 30
    script traffic-group-state
}
```
This solution ensures route advertisements automatically follow the active/standby state.
- Shripaty
Cirrus
Hi, I was able to advertise routes by declaring a floating IP for the BGP peering subnet self IPs and attaching it to the default traffic group; the rest F5 takes care of, advertising routes only via the floating IP on both active and standby.
- Melissa_C
Moderator
Hello Shripaty,
If this is the solution to your question, it would be ideal to mark it as the solution for yourself and future users to reference. If it is not and you need more details, please update the post so we can see if we can get you to a solution.
Thank you for using our community!
-Melissa