Forum Discussion
IPv6Freely_3878
Nimbostratus
Sep 22, 2008
F5 BIG-IP Config Assistance Needed
Hello everyone.
I have a somewhat strange topology in use, and I'm looking for some help/advice.
I have my BIG-IP trunked (well... 'tagged' I think F5 calls it) to a Cisco 4948 switch. That switch is trunked to a 6509 switch, which has the VLANs 100 (servers-outside) and 200 (servers-inside) defined on switched virtual interfaces (SVIs). This would then make "self-IPs" unnecessary on the BIG-IP, correct?
I have "servers-inside" configured as a Tagged interface on interface 2.1, and "servers-outside" configured as an Untagged interface also on interface 2.1.
Is this correct? I've attached a png image of my topology.
I'm trying to use virtual server 192.168.0.10:80, which has just server1 in the pool, 10.100.1.10:80, which isn't working. However, I have a feeling my initial setup is incorrect, so I want to troubleshoot that first.
Thanks!!
11 Replies
- Pavel_Sestak_69
Nimbostratus
"servers-inside" configured as a Tagged interface on interface 2.1, and "servers-outside" configured as an Untagged interface also on interface 2.1.
I am not a Cisco guru, but the config looks like the 4948 is going to tag both 100 and 200. I would try to set both VLANs on 2.1 as tagged and test it again...
- Teddy_113632
Nimbostratus
This is similar to our setup for the BIG-IP, in which we have 10 VLANs in from the customers and 10 VLANs out to the reals. We are using self-IPs in each of these subnets. On the BIG-IP, do you see any IPs in the dynamic ARP table? Also, here is a snapshot of our interface configuration on the Cisco switch, which I don't see on yours.
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 459-479,497,1035,1435,1436
switchport mode trunk
- Hamish
Cirrocumulus
On interface gi1/45 I think you'd also need an access statement for the trunked/tagged VLANs... e.g.
conf t
int gi1/45
description My F5
switchport
switchport trunk allowed vlan 100,200
switchport mode trunk
no ip address
end
(The only one you're really missing is the 'switchport trunk allowed vlan 100,200' statement, I think)
- IPv6Freely_3878
Nimbostratus
Thanks guys.
paja: I'll try tagging both.
wtb01: Why would I need self-IPs? Is that not basically setting the L3 interface for that VLAN (which is already done on the Cisco switch)?
hamish: That's pretty much what I have. I might add the pruning commands anyway, but they are unnecessary.
- Hamish
Cirrocumulus
Ah... If you don't have self-IPs on a VLAN then the F5 doesn't know what IP subnet is on there... So the traffic you think is destined from F5 -> subnet actually goes out the default route, which is (normally) the management port.
H
- IPv6Freely_3878
Nimbostratus
I appreciate the help. I'm still kinda fuzzy on the self-IP thing, though.
I've redrawn my diagram and included more information. Am I missing something? From my desktop I am not able to ping either 10.100.117.254 or 216.21.117.254.
Thanks!!
- Pavel_Sestak_69
Nimbostratus
I'm not really sure about the other stuff you were talking about, I'm not using the CLI for this.
That is easy - actually it was an excerpt from the config file:
1. create virtual server with destination as follows:
- Kind: Network
- Destination: 0.0.0.0
- Network mask: 0.0.0.0
- Service port: 0 (all services)
- Check advanced configuration:
- Type: forwarding (IP)
- Protocol any
- VLAN: enable on inside
This will ensure that packets will traverse the VLANs as defined in routing.
2. Create a virtual with address and netmask as in the second example and enable it on the outside VLAN. This will ensure that packets from outside will be routed to the inside VLAN (directly connected network).
Of course, You can make a single VS 0/0 and enable it on both VLANs; creating more VSs will give You more control over what will be forwarded where.
Maybe You can do a few tcpdumps to check where You see the packets and where not.
- IPv6Freely_3878
Nimbostratus
Posted By paja on 10/03/2008 12:12 AM
I'm not really sure about the other stuff you were talking about, I'm not using the CLI for this.
That is easy - actually it was an excerpt from the config file:
1. create virtual server with destination as follows:
- Kind: Network
- Destination: 0.0.0.0
- Network mask: 0.0.0.0
- Service port: 0 (all services)
- Check advanced configuration:
- Type: forwarding (IP)
- Protocol any
- VLAN: enable on inside
This will ensure that packets will traverse the VLANs as defined in routing.
2. Create a virtual with address and netmask as in the second example and enable it on the outside VLAN. This will ensure that packets from outside will be routed to the inside VLAN (directly connected network).
Of course, You can make a single VS 0/0 and enable it on both VLANs; creating more VSs will give You more control over what will be forwarded where.
Maybe You can do a few tcpdumps to check where You see the packets and where not.
Okay, now I'm -really- confused, more so than I was when I started. Why am I making virtual servers with 0.0.0.0? Shouldn't I be making a VS for 216.21.116.10 that uses a pool that includes the 10.100.116.10 node?
- Pavel_Sestak_69
Nimbostratus
From my desktop I am not able to ping either 10.100.117.254 or 216.21.117.254.
If You want to ping from the PC to the VLAN behind (216.x -> 10.x) without intervening with load balancing, You have to set up IP forwarding, which is described above. The box does not act as a router by default.
Shouldn't I be making a VS for 216.21.116.10 that uses a pool that includes the 10.100.116.10 node?
Yes, this should be done - this is done to load balance and mangle with traffic to the webserver in the 10.x network, making it accessible under a 216.x address. The above virtuals may help, for example, when You set up Nagios in 216.x and want to monitor nodes in 10.x directly.
Try to check if You can ping from the F5 to the PC and make some dumps on the outgoing interface. If You see outgoing traffic, the problem is on the Cisco. If not, check interface eth0 as well - if You see the traffic there, You probably have a problem with the route setup.
Try to read the docs; there is a pretty good description of setting up default gateways as a pool and the usage of IP Forwarding servers.
- IPv6Freely_3878
Nimbostratus
Posted By paja on 10/03/2008 7:30 AM
From my desktop I am not able to ping either 10.100.117.254 or 216.21.117.254.
If You want to ping from the PC to the VLAN behind (216.x -> 10.x) without intervening with load balancing, You have to set up IP forwarding, which is described above. The box does not act as a router by default.
Well no, I can ping the 10.x addresses just fine from the PC, since it just gets routed in the router...
Posted By paja on 10/03/2008 7:30 AM
Shouldn't I be making a VS for 216.21.116.10 that uses a pool that includes the 10.100.116.10 node?
Yes, this should be done - this is done to load balance and mangle with traffic to the webserver in the 10.x network, making it accessible under a 216.x address. The above virtuals may help, for example, when You set up Nagios in 216.x and want to monitor nodes in 10.x directly.
Try to check if You can ping from the F5 to the PC and make some dumps on the outgoing interface. If You see outgoing traffic, the problem is on the Cisco. If not, check interface eth0 as well - if You see the traffic there, You probably have a problem with the route setup.
Try to read the docs; there is a pretty good description of setting up default gateways as a pool and the usage of IP Forwarding servers.
How do I ping from the F5? I don't see a ping tool anywhere.
I read the docs, but my topology is so much different from all the examples in the documentation, it makes it difficult.
Perhaps I'll just hire a consultant to set this up.
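The two points Hamish and paja make above (no self-IP on a VLAN means traffic follows the default route, typically out the management port; and the box only accepts packets that match a virtual server enabled on the ingress VLAN, so it is not a router until an IP-forwarding virtual exists) can be illustrated with a small model. This is an added example, not code from the thread or from F5; the self-IPs, default route and pool member are constructed from the poster's addressing and are assumptions.

```python
# Added example (not from the thread): a toy model of two BIG-IP decisions,
# (1) does a virtual server enabled on the ingress VLAN accept the packet, and
# (2) which VLAN the box sends it out of, based on self-IP subnets with a
# fallback to the default route.
from ipaddress import ip_address, ip_interface, ip_network
from typing import NamedTuple, Optional

class Virtual(NamedTuple):
    name: str
    dest: object          # ip_network; 0.0.0.0/0 for an IP-forwarding virtual
    port: Optional[int]   # None means "all services"
    vlans: frozenset      # VLANs the virtual is enabled on
    pool: Optional[str]   # pool member matching traffic is sent to, if any

# Constructed sample config built from the poster's addressing (assumption).
SELF_IPS = {"inside": ip_interface("10.100.116.254/24"),
            "outside": ip_interface("216.21.116.254/24")}
DEFAULT_EGRESS = "mgmt"   # assumption: default route points out the management port
VIRTUALS = [
    Virtual("web_vs", ip_network("216.21.116.10/32"), 80, frozenset({"outside"}), "10.100.116.10"),
    Virtual("fwd_inside", ip_network("0.0.0.0/0"), None, frozenset({"inside"}), None),
]

def match_virtual(dst, port, in_vlan, virtuals=VIRTUALS):
    """Most specific virtual enabled on the ingress VLAN, or None (packet dropped)."""
    cands = [v for v in virtuals
             if ip_address(dst) in v.dest and v.port in (None, port) and in_vlan in v.vlans]
    return max(cands, key=lambda v: v.dest.prefixlen) if cands else None

def egress_vlan(dst, self_ips=SELF_IPS):
    """Longest-prefix match over self-IP subnets; otherwise the default route."""
    hits = [(i.network.prefixlen, vlan) for vlan, i in self_ips.items()
            if ip_address(dst) in i.network]
    return max(hits)[1] if hits else DEFAULT_EGRESS

def handle(dst, port, in_vlan, virtuals=VIRTUALS, self_ips=SELF_IPS):
    """Return (virtual name or 'drop', egress VLAN or None) for one packet."""
    vs = match_virtual(dst, port, in_vlan, virtuals)
    if vs is None:
        return ("drop", None)        # no listener: the box is not a router by default
    next_hop = vs.pool or dst        # load-balanced traffic leaves toward the pool member
    return (vs.name, egress_vlan(next_hop, self_ips))

if __name__ == "__main__":
    print(handle("216.21.116.10", 80, "outside"))               # web traffic to the VS
    print(handle("10.100.116.10", None, "outside"))             # ping from the PC to inside
    print(handle("216.21.116.50", None, "inside"))              # node on inside sending out
    print(handle("216.21.116.10", 80, "outside", self_ips={}))  # same VS, no self-IPs at all
```

The last call shows the failure mode Hamish describes: with no self-IPs the virtual still answers, but the pool traffic is routed out the management side instead of the inside VLAN.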