Forum Discussion
F5 Inter VLAN routing / forwarding
Hi,
My question relates to the basic functionality of the F5s when used with Layer 2 VLANs. Here’s the configuration I have to which the following questions relate:
Remote clients (network 1.1.1.0) -> Firewall -> (Layer 2 VLAN 1) -> F5 -> (Layer 2 VLAN 2) -> Servers (network 2.2.2.0)
The remote clients target the VIP address configured on VLAN 1. The F5 then load balances to the servers situated on VLAN 2.
On the client -> server leg, the destination IP address is changed to one of the server addresses (network 2.2.2.0), as a function of load balancing, when exiting the F5 at VLAN 2. As no SNATs are in use here, does the source address of the outbound packet also get changed to an F5 interface address or does it remain as set by the originating client (network 1.1.1.0)? I’m assuming that in the absence of SNAT, the source addresses should remain unchanged, as is typically the case with IP.
On the server -> client leg (return journey), and assuming the source address was not changed at the F5 on the inbound leg, how will the F5 forward traffic between VLANs 1 and 2? I’ve read a little about IP and MAC Forwarding VSs, but only in the context of the inbound traffic, where specific servers are to be targeted. Static routes may also be the answer to forward traffic destined for network 1.1.1.0 that originates at the server network 2.2.2.0, though I’d prefer not to treat the F5 as a router.
I’d probably be able to work most of this out with a bit of trial and error, coupled with some network captures. However, the environment in which I work is particularly locked down making it difficult to investigate.
Any help much appreciated.
Thanks, Mark
- What_Lies_Bene1 (Cirrostratus): Yes, the source IP for the server side connection will be the client IP if no SNAT is used. This creates a connection table entry. Assuming the device has a Self IP in VLAN1 and VLAN2, it'll route between the two just like a router, as long as a Virtual Server or NAT/SNAT has been created to handle the traffic.
- nitass (Employee): this is askf5 solution about auto last hop Steve mentioned.

```
[root@ve10:Active] config b virtual bar80 list
virtual bar80 {
   pool foo
   destination 172.28.19.252:80
   ip protocol 6
   profiles {
      http {}
      tcp {}
   }
}
[root@ve10:Active] config b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
```

on bigip, no routing is configured

```
[root@ve10:Active] config b route list
No Routing Table Entries were found.
```

on client (172.28.20.11), you can see although no routing is configured on bigip, bigip is able to send return traffic back to client properly. this is done by using auto last hop feature.

```
client curl -I http://172.28.19.252
HTTP/1.1 200 OK
Date: Fri, 04 Jan 2013 17:32:38 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
ETag: "4183f3-59-f28f94c0"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
```

tcpdump on bigip

line (1) - (4) is on client-side (between client and bigip). line (5) - (8) is on server-side (between bigip and server).

this solution might be helpful to understand how tcp is set up.

sol8082: Overview of TCP connection set-up for BIG-IP LTM virtual server types
http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html

```
[root@ve10:Active] config tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
(1) 01:08:06.556968 IP 172.28.20.11.44684 > 172.28.19.252.80: S 2710000848:2710000848(0) win 14600
(2) 01:08:06.557007 IP 172.28.19.252.80 > 172.28.20.11.44684: S 3779632336:3779632336(0) ack 2710000849 win 4380
(3) 01:08:06.559934 IP 172.28.20.11.44684 > 172.28.19.252.80: . ack 1 win 115
(4) 01:08:06.559976 IP 172.28.20.11.44684 > 172.28.19.252.80: P 1:157(156) ack 1 win 115
(5) 01:08:06.560015 IP 172.28.20.11.44684 > 200.200.200.101.80: S 3998985522:3998985522(0) win 4380
(6) 01:08:06.560998 IP 200.200.200.101.80 > 172.28.20.11.44684: S 1193331176:1193331176(0) ack 3998985523 win 5792
(7) 01:08:06.561015 IP 172.28.20.11.44684 > 200.200.200.101.80: . ack 1 win 4380
(8) 01:08:06.561026 IP 172.28.20.11.44684 > 200.200.200.101.80: P 1:157(156) ack 1 win 4380
```
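As an added illustration of what the capture in the reply above shows (this is not code from the thread or from F5), a small Python parser splits the eight tcpdump lines into the client-side leg (to/from the VIP) and the server-side leg (to/from the pool member) and checks two things a practitioner would want to confirm from a capture: whether the source address the pool member sees is still the client's (no SNAT), and whether the server-side SYN carries its own initial sequence number (a second, proxied TCP connection rather than forwarded packets). The VIP, client and pool member addresses are the ones in the thread; the capture text is embedded as sample input.

```python
import re

# Constructed sample input: the eight tcpdump lines from the thread, re-typed
# so the script runs offline (client 172.28.20.11, VIP 172.28.19.252, member 200.200.200.101).
CAPTURE = """\
01:08:06.556968 IP 172.28.20.11.44684 > 172.28.19.252.80: S 2710000848:2710000848(0) win 14600
01:08:06.557007 IP 172.28.19.252.80 > 172.28.20.11.44684: S 3779632336:3779632336(0) ack 2710000849 win 4380
01:08:06.559934 IP 172.28.20.11.44684 > 172.28.19.252.80: . ack 1 win 115
01:08:06.559976 IP 172.28.20.11.44684 > 172.28.19.252.80: P 1:157(156) ack 1 win 115
01:08:06.560015 IP 172.28.20.11.44684 > 200.200.200.101.80: S 3998985522:3998985522(0) win 4380
01:08:06.560998 IP 200.200.200.101.80 > 172.28.20.11.44684: S 1193331176:1193331176(0) ack 3998985523 win 5792
01:08:06.561015 IP 172.28.20.11.44684 > 200.200.200.101.80: . ack 1 win 4380
01:08:06.561026 IP 172.28.20.11.44684 > 200.200.200.101.80: P 1:157(156) ack 1 win 4380
"""

# Legacy tcpdump flag syntax: "S seq:seq(len)" on SYNs, "." or "P" otherwise.
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SPFR.]+)(?: (?P<seq>\d+):\d+\(\d+\))?"
)

def parse(capture):
    """Return one dict per parsable tcpdump line (src, dst, flags, seq)."""
    pkts = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["seq"] = int(d["seq"]) if d["seq"] else None
            pkts.append(d)
    return pkts

def analyse(capture, vip, members):
    """Split packets into client-side (VIP) and server-side (pool member) legs,
    then compare the first SYN of each leg: same source means no SNAT,
    different ISN means BIG-IP opened its own TCP connection (full proxy)."""
    legs = {"client": [], "server": []}
    for p in parse(capture):
        if vip in (p["src"], p["dst"]):
            legs["client"].append(p)
        elif p["src"] in members or p["dst"] in members:
            legs["server"].append(p)
    client_syn = next(p for p in legs["client"] if p["flags"] == "S")
    server_syn = next(p for p in legs["server"] if p["flags"] == "S")
    return {
        "client_ip": client_syn["src"],
        "source_seen_by_server": server_syn["src"],
        "snat_applied": server_syn["src"] != client_syn["src"],
        "separate_tcp_connections": server_syn["seq"] != client_syn["seq"],
        "pool_member": server_syn["dst"],
    }
```

Calling `analyse(CAPTURE, "172.28.19.252", {"200.200.200.101"})` reports `snat_applied: False` with the server still seeing 172.28.20.11, which is exactly why the return path (and auto last hop) matters in the original question.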