I have a VLAN SVI (VLAN5) on our cores. I created another VLAN (VLAN6) in the database which will be the virtual servers for VLAN5. So basically users can hit the IP from VLAN6 which then will load balance to the servers in VLAN5. I also created the VLAN5 on the F5 LTM. Now every time I try to create floating and no floating IP's on it for the VLAN5 I'm getting errors: 01070712:3: Caught configuration exception (0), Cannot get device index for VLAN5 in rd2 - ioctl failed: No such device - net/validation/routing.cpp, line 353. What am I doing wrong here? I am assuming that the floating self IP on VLAN5 will be the default gateway for the servers that I want to load balance? Users from different VLAN's access the IP on VLAN6 for example 10.1.6.11 and that will have two servers from VLAN5 10.1.5.20 and 10.1.5.30 in the pool.

what bigip version are you running? can you open a case to verify whether it is this bug? Bug 401193 - Cannot create selfIP with VLAN when both are in partition with a default RD that is in /Common bug 401193 is fixed in 11.2.1 hf4 and 11.3.0.

BIG-IP 11.2.0 Build 2446.0 Final I was using the Private partition though does that matter?

I was using the Private partition though does that matter?i believe so. root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys version Sys::Version Main Package Product BIG-IP Version 11.2.0 Build 2446.0 Edition Final Date Tue May 29 22:02:24 PDT 2012 root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create auth partition pr1 root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create net route-domain /pr1/rd1 id 1 root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) modify auth partition pr1 default-route-domain 1 root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create net vlan /pr1/vlan1 interfaces add { 1.1 { tagged }} root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create net self /pr1/1.1.1.1/24 vlan /pr1/vlan1 01070712:3: Caught configuration exception (0), Cannot get device index for vlan1 in rd1 - ioctl failed: No such device - net/validation/routing.cpp, line 353. root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create net self /pr1/1.1.1.1%1/24 vlan /pr1/vlan1 01070712:3: Caught configuration exception (0), Cannot get device index for vlan1 in rd1 - ioctl failed: No such device - net/validation/routing.cpp, line 353. workaround (cr. David Karakas) root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) modify net route-domain /pr1/rd1 vlans delete { /pr1/vlan1 } root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) modify net route-domain /pr1/rd1 vlans add { /pr1/vlan1 } root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) create net self /pr1/1.1.1.1/24 vlan /pr1/vlan1 root@(B3600-R67-S41)(cfg-sync Standalone)(Active)(/Common)(tmos) list net self /pr1/1.1.1.1/24 net self /pr1/1.1.1.1/24 { address 1.1.1.1%1/24 partition pr1 traffic-group traffic-group-local-only vlan /pr1/vlan1 }

In terms of routing, it is not recommended to have the same HA/Floating IP on your switch infrastructure and your LTM. In the switching realm, you would create the HSRP environment (Vlan 5) on your distribution-pair switch (common setup) but you would not create another SVI for the same vlan (Vlan 5) on another L3 switch. In the same sense, you would not create a Vlan 5 interface on your LTM. Hence, why Vlan 6 works but Vlan 5 does not. Especially since they are all in the same L3 routing domain. You can perform L2 pass thru routing from your HSRP config to the LTM without having the forwarding/L4/vlan setup on your LTM. But is it considered "best practice"? Im not sure on that one. Overall, if you were to perform the L2 pass thru method... insure that V5 is routed down to your LTM "transit" global forwarding-IP. HTH -e

I am sorry but I do not understand still, what do you mean it is not recommended to have the same floating IP on the switch infrastructure and LTM? IP gets used only once on one single device I can't put the same IP on two different devices. So you are saying that since I already have VLAN5 SVI on our cores I should not be using that. I'll need to get two complete separate VLAN's lets say VLAN20 and VLAN30 and not create the SVI on the switch just add them to the VLAN database. Next on the F5's create VLAN20 and VLAN30 and assign the interfaces to them and connect them to switch access port on the respective VLAN's?

F5 LTM creating VLANs etc

mali77_57143
Nimbostratus
Mar 06, 2013
Posted By nitass on 03/06/2013 03:30 PM

not sure if i understand correctly. you are saying that (1) client is coming from vlan250, (2) virtual server ip is not in vlan250 subnet (but listening on vlan250) and (3) server is in vlan5 (but vlan5 is not in bigip), aren't you?

so, how can bigip reach the server in vlan5 e.g. route through vlan250?

(1) client is coming from vlan250

*** No VLAN250 has the SVI on the cores and I have it setup on the F5 LTM as well. Clients are on a totally different VLAN.

So Core Switch: 10.1.250.1 (svi)

F5: 10.1.250.241 (floating IP)

(2) virtual server ip is not in vlan250 subnet (but listening on vlan250)

*** Virtual Server IP is just another network I picked 10.1.6.0/24 as it was mentioned above that I do not need a VLAN for it. I just created a route on the cores to get to 10.1.6.0/24

"ip route 10.1.6.0 255.255.255.0 10.1.250.241"

(3) server is in vlan5 (but vlan5 is not in bigip)

*** VLAN5 has all the servers in it. And no I did not setup VLAN 5 on the F5 LTM, just the nodes.
nitass
Employee
Mar 06, 2013
how can bigip reach the server in vlan5 e.g. route through vlan250?
mali77_57143
Nimbostratus
Mar 06, 2013
Posted By nitass on 03/06/2013 03:41 PM

how can bigip reach the server in vlan5 e.g. route through vlan250?

When I run a trace on the F5 it looks like it is getting to the VLAN 5 via Management Interface. So does this mean that I have to create a route on the F5 to route to VLAN5 via VLAN250?
nitass
Employee
Mar 06, 2013
When I run a trace on the F5 it looks like it is getting to the VLAN 5 via Management Interface.can server be reachable through tmm interface (selfip)? if so, can you try to set static route for server subnet through that tmm interface? application traffic should not be routed through management interface.

sol13284: Overview of management interface routing (11.x)

http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13284.html

and under virtula server setting, can you try "snat automap"?
mali77_57143
Nimbostratus
Mar 06, 2013
Thank you I will try that tomorrow and post back the results :)
mali77_57143
Nimbostratus
Mar 07, 2013
Ok I'm attaching the lay out of the network. Goal is to use 10.1.6.0/24 network as Virtual Servers and point to the nodes in VLAN 5. But for some reason traffic is going through the management interface and not the VLAN 250 interface:

traceroute to 10.1.5.233 (10.1.5.233), 30 hops max, 40 byte packets

1 10.1.200.249 (10.1.200.249) 0.915 ms 0.945 ms 0.994 ms

2 fxxxxxxxxxx.xxx.com (10.1.5.233) 0.233 ms * *
mali77_57143
Nimbostratus
Mar 07, 2013
Ok so I got rid of the whole config and restarted from the scratch and ran the wizard. Attached is the updated config. After I ran the wizard there was a route created via external VLAN which was the default route. It was not letting me use the RADIUS as the source IP was no longer the MANAGEMENT IP. So I had to delete the default route and create static entries for the two specific servers. I hope there is a better way to do this because I don't want to have to create 100's of static entries.

What am I doing wrong in this I just can not believe how un necessarily horrible F5's interface and configuration is as compared to Cisco content switches.

Eh not only that these forums load so slow and what is wrong with attaching files it takes 10 tries before I can finally attach a file here.
nitass
Employee
Mar 07, 2013
can you post the virtual server configuration and routing to server?

tmsh list ltm virtual (name)

tmsh list ltm pool (name)

tmsh list net route (server ip/subnet)
mali77_57143
Nimbostratus
Mar 07, 2013
Posted By nitass on 03/07/2013 03:21 PM

can you post the virtual server configuration and routing to server?

tmsh list ltm virtual (name)

tmsh list ltm pool (name)

tmsh list net route (server ip/subnet)

ltm virtual 10.1.6.11 {

destination 10.1.6.11:any

ip-protocol tcp

mask 255.255.255.255

pool VMWare_ViewPool

profiles {

tcp { }

}

translate-port disabled

vlans-disabled

}

-----------------------------------------------------------------------------------------

ltm pool VMWare_ViewPool {

load-balancing-mode least-connections-member

members {

10.1.5.233:https {

address 10.1.5.233

session monitor-enabled

state up

}

10.1.5.252:https {

address 10.1.5.252

session monitor-enabled

state up

}

}

monitor https

}

---------------------------------------------------------------------------------------------

net route 10.1.5.233 {

gw 10.1.25.1

network 10.1.5.233/32

}

net route 10.1.5.252 {

gw 10.1.25.1

network 10.1.5.252/32

}
nitass
Employee
Mar 07, 2013
ltm virtual 10.1.6.11 {

destination 10.1.6.11:any

ip-protocol tcp

mask 255.255.255.255

pool VMWare_ViewPool

profiles {

tcp { }

}

translate-port disabled

vlans-disabled

}can you try "snat automap" under the virtual server configuration?

Forum Discussion

F5 LTM creating VLANs etc

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Create a virtual server on internal vlan

LTM VE Deployment limited VLANs

non-existent vlan strange although vlan is present

Creating IT Heroes

F5 Virtual appliance - VLAN Management

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS