F5 LTM creating VLANs etc

what bigip version are you running?

 

 

can you open a case to verify whether it is this bug?

 

Bug 401193 - Cannot create selfIP with VLAN when both are in partition with a default RD that is in /Common

 

 

bug 401193 is fixed in 11.2.1 hf4 and 11.3.0.

BIG-IP 11.2.0 Build 2446.0 Final

 

 

I was using the Private partition though does that matter?

I was using the Private partition though does that matter?i believe so.

root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys version

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.2.0
  Build    2446.0
  Edition  Final
  Date     Tue May 29 22:02:24 PDT 2012

root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create auth partition pr1
root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create net route-domain /pr1/rd1 id 1
root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) modify auth partition pr1 default-route-domain 1
root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create net vlan /pr1/vlan1 interfaces add { 1.1 { tagged }}
root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create net self /pr1/1.1.1.1/24 vlan /pr1/vlan1
01070712:3: Caught configuration exception (0), Cannot get device index for vlan1 in rd1 - ioctl failed: No such device - net/validation/routing.cpp, line 353.

root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create net self /pr1/1.1.1.1%1/24 vlan /pr1/vlan1
01070712:3: Caught configuration exception (0), Cannot get device index for vlan1 in rd1 - ioctl failed: No such device - net/validation/routing.cpp, line 353.

 workaround (cr. David Karakas)

root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) modify net route-domain /pr1/rd1 vlans delete { /pr1/vlan1 }
root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) modify net route-domain /pr1/rd1 vlans add { /pr1/vlan1 }
root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create net self /pr1/1.1.1.1/24 vlan /pr1/vlan1
root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) list net self /pr1/1.1.1.1/24
net self /pr1/1.1.1.1/24 {
    address 1.1.1.1%1/24
    partition pr1
    traffic-group traffic-group-local-only
    vlan /pr1/vlan1
}

In terms of routing, it is not recommended to have the same HA/Floating IP on your switch infrastructure and your LTM. In the switching realm, you would create the HSRP environment (Vlan 5) on your distribution-pair switch (common setup) but you would not create another SVI for the same vlan (Vlan 5) on another L3 switch. In the same sense, you would not create a Vlan 5 interface on your LTM. Hence, why Vlan 6 works but Vlan 5 does not. Especially since they are all in the same L3 routing domain.

 

You can perform L2 pass thru routing from your HSRP config to the LTM without having the forwarding/L4/vlan setup on your LTM. But is it considered "best practice"? Im not sure on that one. Overall, if you were to perform the L2 pass thru method... insure that V5 is routed down to your LTM "transit" global forwarding-IP.

 

 

HTH

 

-e

 

I am sorry but I do not understand still, what do you mean it is not recommended to have the same floating IP on the switch infrastructure and LTM? IP gets used only once on one single device I can't put the same IP on two different devices. So you are saying that since I already have VLAN5 SVI on our cores I should not be using that. I'll need to get two complete separate VLAN's lets say VLAN20 and VLAN30 and not create the SVI on the switch just add them to the VLAN database.

 

 

Next on the F5's create VLAN20 and VLAN30 and assign the interfaces to them and connect them to switch access port on the respective VLAN's?

 

For example:

 

Core A - vlan 5 SVI - 10.10.10.2/24 HA-10.10.10.1 (Gateway)

 

Core B - vlan 5 SVI - 10.10.10.3/24 HA-10.10.10.1

 

 

Ltm A - vlan 5 Self-IP 10.10.10.4/24 Floating-10.10.10.1 (Same gateway as your Core switches)

 

Ltm B - vlan 5 Self-IP 10.10.10.5/24

 

 

By doing this method, your routing table will have 2 default gateway routes for this subnet and the mac table will be on both the LTM and the Core switch. Due to this, you will have a lot of routing issues. (It will break!)

 

 

The L2 pass thru methodology would be to not have any self IPs for vlan 5 on the LTMs but yet still use the vlan5 subnet as "backend/Real IP" pool members of your VS. In this way, the routing table to the LTM will not have a 'directly connected' route in its table and go out its global default route. So, if you wanted to utilize vlan5 on your LTM... remove all self IPs, forwarding VS, L4 VS, and Vlans that relate to vlan5 on the LTM. Just make sure there is a global default route that goes back to your core switches. Also, insure that vlan5 is extended down to the LTM trunk if you are utilizing vlan allow list on your core switches.

 

Thank you for the reply ok so I removed all VLAN5 stuff from the F5 LTM, here is how it looks:

 

 

VLAN250 --> Interface 1.1 (Connected to an Access Port) --> Self IP 10.1.250.241 (Floating) & 10.1.250.242 (Non Floating)

 

 

So looks like from what you said I need to convert that access port into a trunk port?

 

Then simply create nodes from VLAN5 and then Virtual from VLAN6?

 

 

Also since VLAN250 is under Common partition when I setup the nodes under Common partition health monitor works but if I put them under Private health monitor does not work. I'm assuming that I need to put the nodes in the same partition as VLAN250 that is connected to the switch?

 

 

Will I need to change the default gateway on the servers that are in VLAN5 or it stays the same?

 

 

VLAN 6 do I route it via 10.1.250.241 (which is the floating IP)

 

Sorry to join the party late but Mali, you don't need a VLAN for your Virtual Servers at all. Before you continue with further re-configurations, perhaps you can state your actual requirements and give a little detail about your current infrastructure?

 

 

Here's a brief example of how you might route to your VS subnet without having a LTM Self IP in it (in that range): http://sdrv.ms/XTFhKD

 

Thank you ok that makes sense and that is what I did:

 

I removed VLAN 5 IP's from the F5 LTM

 

I setup Self IP's from VLAN 250 (10.1.250.241 (floating) 10.1.250.242 (Primary) 10.1.250.243 (Secondary)

 

On the Core Switches I have the SVI for the 250 VLAN

 

I setup Virtual Server from the VLAN 6 (I did not create this on any of the switches) 10.1.6.0/24

 

On the Cores I setup a route to 10.1.6.0/24 via 10.1.250.241 (which is the floating IP on the F5 LTM)

 

Now I can ping the IP of the Virtual server from my laptop. However rest is still not working

 

Also looks like if I want users from the outside to come in I need to create another Self IP etc like VLAN250 ?

 

What I am working on is the VMWare View project

 

not sure if i understand correctly. you are saying that (1) client is coming from vlan250, (2) virtual server ip is not in vlan250 subnet (but listening on vlan250) and (3) server is in vlan5 (but vlan5 is not in bigip), aren't you?

 

 

so, how can bigip reach the server in vlan5 e.g. route through vlan250?