Forum Discussion

SSHSSH_97332
Dec 19, 2011

F5 LTM Question

I have 2 VLANs, external & internal.

The internal VLAN has some servers; the external VLAN is connected to the internet.

My questions are:

Q1: If traffic received on the external VLAN does not match a VS, will it be routed according to the F5 routing table (same as a router), or will the traffic be dropped?

Q2: If traffic is initiated from a server behind the internal VLAN, and this server is not a member of any pools, will it be routed according to the F5 routing table (same as a router), or will the traffic be dropped?

  • Hamish
    As the LTM is a proxy, to route across the LTM you need a network virtual server. Routing without a VS was removed when moving from v4 to v9.

    Assuming you have a firewall in place and a routing table configured, you can use a network VS of type forwarding with address 0.0.0.0, mask 0.0.0.0, port 0, and all traffic (e.g. UDP, TCP, ICMP, etc.).
  • Q2: If traffic is initiated from a server behind the internal VLAN, and this server is not a member of any pools, will it be routed according to the F5 routing table (same as a router), or will the traffic be dropped?

    As Hamish said, it doesn't matter if the host originating the connection is a member of a pool. Traffic will only be passed if the destination IP:port matches a virtual server or the client matches a SNAT. I much prefer using virtual servers over SNATs, as you have more visibility and control using a virtual server.

    If you do create wildcard address virtuals, make sure to enable them only on the ingress VLAN(s) you want to allow clients from. Creating a 0.0.0.0:0 virtual server enabled on all VLANs will allow any client that can reach the LTM to traverse the LTM.

    Aaron
  • Thanks a lot.

    So a VS 0.0.0.0:0 on the ingress VLAN will allow internal VLAN users to traverse the LTM based on the LTM routing table, right?

    Also, will I put any pool on this VS, or will it be an empty VS?

  • Hamish
    Make it 'Forwarding (IP)' and it won't take a pool.

    It will allow any packets inbound on the interface you have allowed the VS on to pass (via the LTM routing table). No checks are made on the inbound packets to ensure they should have come in on that interface (beyond the usual ones of LTM not supporting asymmetric routing).

    H
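The Forwarding (IP) virtual server that Hamish and Aaron describe, written out as tmsh configuration stanzas with the weak VLAN setting beside the recommended one. This is an added example, not configuration posted by anyone in this thread or published by F5: the object names vs_forward_all_vlans and vs_forward_internal and the VLAN name internal are assumptions, and the syntax is the tmsh/bigip.conf form of v10/v11 rather than the v9 GUI the thread refers to.

```tmsh
# Added example, not from the thread. Object and VLAN names are assumptions.

# Weak setting: a wildcard forwarding virtual with vlans-disabled and no VLAN
# list, which is the default for a new virtual and means it listens on every
# VLAN. Any host that can reach the BIG-IP, including hosts on the external
# VLAN, is routed through it via the LTM routing table.
ltm virtual vs_forward_all_vlans {
    destination 0.0.0.0:any
    ip-forward
    ip-protocol any
    mask any
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}

# Recommended setting (Aaron's advice): the same Forwarding (IP) virtual,
# no pool, enabled only on the ingress VLAN whose clients may traverse the
# LTM. Packets arriving on the external VLAN never match it, so if they match
# no other listener they are dropped rather than forwarded.
ltm virtual vs_forward_internal {
    destination 0.0.0.0:any
    ip-forward
    ip-protocol any
    mask any
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
}
```

Only the second stanza should be loaded (on v11 and later, tmsh load sys config merge from-terminal accepts it pasted as-is); the first is there to show what the default VLAN binding looks like. Confirm the binding with tmsh list ltm virtual vs_forward_internal vlans vlans-enabled before tmsh save sys config, since a forwarding virtual with an empty VLAN list is exactly the all-VLANs case Aaron warns about.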

     

  • Just for information: BIG-IP is not like a router/switch, which forwards/routes traffic by default. A listener object is required to pass traffic from one VLAN to another VLAN. There are 3 listener objects, which are NAT, SNAT and virtual server. You can use either one. NAT and SNAT are source-based listener objects. Virtual server is a destination-based listener object. The following sol talks about their precedence.

    sol9038: The order of precedence for local traffic object listeners

    http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html

    Hope this helps.