F5 LTM creating VLANs etc

Posted By nitass on 03/07/2013 03:33 PM

 

ltm virtual 10.1.6.11 {

 

destination 10.1.6.11:any

 

ip-protocol tcp

 

mask 255.255.255.255

 

pool VMWare_ViewPool

 

profiles {

 

tcp { }

 

}

 

translate-port disabled

 

vlans-disabled

 

} can you try "snat automap" under the virtual server configuration?

 

 

Ah finally some kind of success so now certainly I got the certificate error but I was able to log in using the View Client. Thank you, you are a genius. Now what about the whole static routing issue I'll need to create static routes for every single node as I add more ? On the cores I have a route to 10.1.6.0/24 network via 10.1.250.241 which is the floating IP of VLAN250 (Internal VLAN on F5) is that a best practice?

 

Also this SNAT auto map what exactly is happening here ? I was trying to see if I can find the mappings any where in the stats but I can't.

 

Now what about the whole static routing issue I'll need to create static routes for every single node as I add more ?you can use route route (instead of host route) such as 10.1.5.0/24.

 

 

On the cores I have a route to 10.1.6.0/24 network via 10.1.250.241 which is the floating IP of VLAN250 (Internal VLAN on F5) is that a best practice?i believe so.

 

 

Also this SNAT auto map what exactly is happening here ?bigip will use its selfip as source address when sending traffic to server (pool member). so, this will make return traffic coming back to bigip first (and then bigp returns it to client). i guess the problem was return traffic going back from server to client directly.

I was trying to see if I can find the mappings any where in the stats but I can't.

have you tried to show active connection?

 

 

e.g.

 

tmsh show sys connection cs-server-addr 10.1.6.11 all-properties

 

Posted By nitass on 03/07/2013 03:56 PM

 

Now what about the whole static routing issue I'll need to create static routes for every single node as I add more ? you can use route route (instead of host route) such as 10.1.5.0/24.

 

 

On the cores I have a route to 10.1.6.0/24 network via 10.1.250.241 which is the floating IP of VLAN250 (Internal VLAN on F5) is that a best practice? i believe so.

 

 

Also this SNAT auto map what exactly is happening here ? bigip will use its selfip as source address when sending traffic to server (pool member). so, this will make return traffic coming back to bigip first (and then bigp returns it to client). i guess the problem was return traffic going back from server to client directly.

 

 

Thanks so much again I can do the network route but when I do that then I can't log into the F5's using my AD credentials because the source IP RADIUS server is seeing is not the management IP instead it is different.

 

***** Update ******* I got this resolved by manually adding the route to the RADIUS server through the management interface and removing the default one that was in there. I am assuming that is ok to do?

 

create /sys management-route radroute network 10.1.5.236/255.255.255.255 gateway 10.1.200.1

 

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Now since I am routing 10.1.6.0/24 via 10.1.250.241 (F5's floating IP - VLAN250), would it be a best practice to create a default route via VLAN250 (Internal VLAN)? What I want to do is use the 10.1.250.x internal VLAN for the clients inside and 10.1.25.x external VLAN for when the clients are coming in from the Internet. Should have I used the Virtual Server IP's from the Internal VLAN network instead of 10.1.6.x?

 

Also correct me if I am wrong but the servers that are in VLAN5 (10.1.5.0/24) nework I need to change the gateway on them to F5 as well? Which means do I need to create a VLAN5 and Self IP's from that VLAN etc on F5?

 

***** Update ******* I got this resolved by manually adding the route to the RADIUS server through the management interface and removing the default one that was in there. I am assuming that is ok to do?yes i believe so.

 

 

would it be a best practice to create a default route via VLAN250 (Internal VLAN)? normally, route on bigip (e.g. static route) is intended for bigip to be able to reach pool member/node. return traffic to client does not need the route because bigip is using auto last hop feature which is turned on by default.

 

 

sol13876: Overview of the Auto Last Hop setting (11.x)

 

http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13876.html

 

 

What I want to do is use the 10.1.250.x internal VLAN for the clients inside and 10.1.25.x external VLAN for when the clients are coming in from the Internet. Should have I used the Virtual Server IP's from the Internal VLAN network instead of 10.1.6.x?as you see, virtual server ip does not need to be in the same subnet as selfip (but we have to setup routing properly). so, i think either same or different subnet is okay.

 

 

Also correct me if I am wrong but the servers that are in VLAN5 (10.1.5.0/24) nework I need to change the gateway on them to F5 as well? Which means do I need to create a VLAN5 and Self IP's from that VLAN etc on F5?bigip has to see return traffic from server. we use snat automap to ensure the return traffic is coming back to bigip. anyway, if you have selfip on vlan5 and server default gateway is bigip, i believe you do not need to use snat automap (because the return traffic will be sent to default gateway which is bigip anyway).