Forum Discussion

Fawad_29089
Mar 19, 2012

F5 LTM setup with Cisco FWSMs
I am going to set up F5 LTMs in our environment for server load balancing. I have a question about the placement of the F5 LTMs. We want to use our existing Data Centre Gateway Switch to connect to the F5. These data center switches have a Firewall module in place which acts as a gateway for the servers in the data center.

Now with the F5 (not acting as a firewall), what is the best placement of the device? Should we place the F5s behind the firewall so all traffic first passes through the Firewall module and then hits the F5 external interface? The F5 internal interface will have VLANs configured for the servers connected to it. These servers will point to the F5 as their gateway. Is this the correct approach?

Is there any design document that can help in setting up such requirements? What is the best practice? Any help would be appreciated.
Fawad Alam



9 Replies

  • There are several ways to accomplish this. We have a similar setup, although we utilize SNAT. Therefore, the gateways of the servers are -not- the BIG-IP, they are the firewall/switch/SVI interfaces for that particular VLAN that the servers reside on. The BIG-IPs are directly connected to our core infrastructure which handles all Layer 3 - one trunk for the "external" side of the BIG-IP (this is where our VIPs reside), and one trunk carrying multiple VLANs for the "internal" side of the BIG-IP (this is where our servers reside).



  • Yes, there are many ways to do that, as mentioned by Josh. I would prefer the approach mentioned by you if you have the flexibility of changing server IPs or building a new setup. Have all servers point to the LTM as their gateway and then have the FWSM as the gateway for the LTM.



    User -> FWSM -> External (Virtual Servers) -> LTM -> Internal -> Servers.



    You can refer to the BIG-IP implementation guide.
  • Thanks guys! Is there any link you can forward to me where I can see the guidelines?
  • I'm not sure if there are any guides or not, but I would suggest that you talk to your SE or account manager to help you carve out a design that fits into your existing network.



  • Hamish:
    Using FWSMs I'd recommend placing your VLANs behind the BIG-IP so that you just have two VLANs on your FWSM... Then if you want to firewall your VLANs from each other, use network virtual servers to push inter-VLAN traffic via the firewall instead of direct.
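
The design the two replies above describe (servers use the BIG-IP as their gateway, the FWSM is the BIG-IP's gateway, and inter-VLAN traffic is bounced off the FWSM with network virtual servers), written out as a tmsh configuration. This is an added example, not configuration from anyone in this thread or from F5; it assumes BIG-IP v11 tmsh syntax, and every interface, VLAN tag, address and object name (1.1/1.2, tags 10/20/30, the 10.1.x.x subnets, web_pool, fwsm_gw, fwd_all and so on) is constructed for illustration.

```tmsh
# --- Layer 2: one VLAN toward the FWSM, one per server tier (interfaces and tags assumed) ---
create net vlan external interfaces add { 1.1 { tagged } } tag 10
create net vlan web      interfaces add { 1.2 { tagged } } tag 20
create net vlan db       interfaces add { 1.2 { tagged } } tag 30

# --- Self IPs: a per-unit address (local-only) plus a floating one (traffic-group-1) per VLAN ---
# The floating .1 on each server VLAN is what the servers use as default gateway, so it
# follows the active unit on failover. The FWSM routes the server subnets to the
# floating external address 10.1.10.3 (assumed).
create net self 10.1.10.2 address 10.1.10.2/24 vlan external allow-service none traffic-group traffic-group-local-only
create net self 10.1.10.3 address 10.1.10.3/24 vlan external allow-service none traffic-group traffic-group-1
create net self 10.1.20.2 address 10.1.20.2/24 vlan web allow-service none traffic-group traffic-group-local-only
create net self 10.1.20.1 address 10.1.20.1/24 vlan web allow-service none traffic-group traffic-group-1
create net self 10.1.30.2 address 10.1.30.2/24 vlan db allow-service none traffic-group traffic-group-local-only
create net self 10.1.30.1 address 10.1.30.1/24 vlan db allow-service none traffic-group traffic-group-1

# --- Layer 3: the FWSM inside address (assumed 10.1.10.1) is the BIG-IP's only next hop ---
create net route default network default gw 10.1.10.1

# --- The load-balanced service: the VIP lives on the external VLAN, behind the FWSM ---
# No SNAT: server replies already come back through the BIG-IP because it is their gateway.
# (Josh's variant, servers gatewayed on the switch SVIs, would instead need
#  "source-address-translation { type automap }" on this virtual server.)
create ltm pool web_pool monitor https members add { 10.1.20.11:443 10.1.20.12:443 }
create ltm virtual web_vs destination 10.1.10.100:443 ip-protocol tcp profiles add { tcp } pool web_pool vlans add { external } vlans-enabled

# --- LTM forwards nothing it has no virtual server for ---
# Server-initiated traffic (DNS, patching) and FWSM-permitted traffic coming the other way
# need a forwarding virtual server; it simply follows the routing table.
create ltm virtual fwd_all destination 0.0.0.0:any mask any ip-protocol any ip-forward profiles add { fastL4 } vlans add { external web db } vlans-enabled

# --- Hamish's network virtual servers: inter-VLAN traffic goes via the FWSM ---
# A more specific destination wins over fwd_all's wildcard, so web -> db is handed to the
# FWSM as a gateway (no address translation) instead of being routed directly between the
# two connected VLANs. The FWSM's ACLs decide, and if permitted it routes the packet back
# to 10.1.10.3, where fwd_all delivers it onto the db VLAN. The mirror image covers db -> web.
create ltm pool fwsm_gw monitor gateway_icmp members add { 10.1.10.1:any }
create ltm virtual web_to_db destination 10.1.30.0:any mask 255.255.255.0 ip-protocol any profiles add { fastL4 } pool fwsm_gw translate-address disabled translate-port disabled vlans add { web } vlans-enabled
create ltm virtual db_to_web destination 10.1.20.0:any mask 255.255.255.0 ip-protocol any profiles add { fastL4 } pool fwsm_gw translate-address disabled translate-port disabled vlans add { db } vlans-enabled

save sys config
```

Two things on the FWSM side make or break the hairpin: it needs static routes for 10.1.20.0/24 and 10.1.30.0/24 pointing at 10.1.10.3 (assumed interface name "inside": `route inside 10.1.20.0 255.255.255.0 10.1.10.3`), and because web-to-db traffic enters and leaves the same FWSM interface it needs `same-security-traffic permit intra-interface` plus an ACL that permits the flow; without those the firewall silently drops it. To confirm the path, `tcpdump -ni external host 10.1.30.11` on the BIG-IP should show the web server's packets leaving toward 10.1.10.1 and coming back, rather than nothing at all.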



  • lkchen:
    I think we did get help from an SE when we originally set up our F5 with the FWSM, 'cause I don't know how they would've figured out how to do what they've done.



    Having F5 route the vlans behind it, and bounce off the FWSM so that the FWSM can control the inter-vlan traffic.



    However, we've had this problem... where if the standby unit is disconnected, the active unit will try to failover (because traffic stops). Eventually, it came down to the FWSM.



    The explanation I got from networking is the vlans are done by the FWSM, and they do what they do to make it go to both external interfaces of the F5 pair. But, if either side goes down...the FWSM makes the other side pause.



    Lately our outages have been because the fiber to the standby got interrupted. Though in the past we've had problems where one path would go away (due to an attempt to upgrade to non-Cisco equipment); VLAN failsafe has saved us.



    But I sure would like to solve this problem... since the Cisco switches that the F5s are connected to are EOL (6509), and eventually I'm going to have to move, and I'd like to do it with minimal Nexus.



    I'm in the Enterprise Systems group....and I manage the F5. We have a separate networking group. And, a separate firewall group. And, I'm not in the discussions between network and firewall (or Cisco) on this issue.



  • Hi Fawad,


    As Josh and other people said, you can plan as per their design suggestions. Or else involve your F5 SE to help you in this matter. You may also prepare a network diagram in Visio and share it here so we may comment on your design.



  • Hamish:
    Not sure I envy you with this one.



    When you say 'the standby unit is disconnected... the active unit will try to failover' do you mean the FWSMs? Or the BigIP? Not sure I like the description that the VLANs are done by the FWSM. That implies they think the BigIP is going to NOT be inline with the traffic to/from the VLANs. Unless they've implemented TWO actual VLANs for each server VLAN (one in front of the F5, one for the servers themselves). It sounds messy (which is what usually happens when the groups don't talk to each other and there's a bit of a battle going on as each side attempts to make it all work how they see it... Sadly they usually see it differently, and with no holistic view, it gets real complicated real fast).



    Anyway... Any chance of a diagram to show us how the routing is accomplished? I'm not sure I follow the bit about both external interfaces and making the other side pause. If your network people really want the SVIs to be on the FWSMs, there's not a lot you can do. But they're making life difficult and I'm not sure I follow why. A simple FWSM with 2 SVIs and a whole lot of Layer-2 VLANs that the BigIP is the router for has got to be easier for them. (I'm also assuming here you have multiple FWSMs in an active/standby config with multiple 6509s and the VLANs are all spanned across both switches with a trunk between them. That's a Cisco trunk, not an F5 one :)



    Oh... 6509s aren't really EOL yet. The card modules may be if they're old, but the chassis and the sups (esp. if they're Sup720s or Sup32s) have a bit of life left in them. E.g. Sup720-3B/3BXL have had EOL notices, but they're still on sale until next year, and supported until Jan 31 2018. Sup32s until March 2017. There are replacement 65xx parts BTW as well. YMMV depending on the modules you have...



    Oh... Assuming you're doing network failover, do you have a link between the two BigIPs that isn't on the same switches? I usually like to have a dedicated physical switch for HBs... Just in case...



  • lkchen:
    The standby BigIP unit got disconnected, to move its fiber connection.



    Opened a ticket on it, and they said the active unit didn't see VLAN failsafe tried to failover. Eventually, Networking then opened a ticket with Cisco, and they pointed to how the FWSM is handling VLANs. Which is managed by the IT Security group. And it's somewhere between Networking and IT Security on whether it'll get resolved now.



    From what I've gathered... our core is a dual ring network (though nothing that would resemble a ring)... and it presents to us as a pair of 6509s in the datacenter... where the F5s are connected to different 6509s.



    From what I read, the 6509 reached end of HW support on November 30th, 2012. The 6509-E is the replacement. Not sure what 6500 series stuff is in the core. But, they've been working on getting Nexus stuff going on the other side of the datacenter for some that's likely what we'll all be converting to soon.



    Someday soon they hope to be able to deliver gig to every jack. Though does it count if buildings are still wired with 10Base5 and/or 10Base2? Though I'm on the other side of the datacenter door, and I don't have gig yet...



    Actually, we're doing serial failover. But we used to be on Extreme switches (that had problems doing STP), and traffic would go into loops, and sometimes we would find traffic to the active side would stop but the standby side was working. So we added VLAN failsafe to try to deal with this.
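
A failover layout along the lines Hamish asks about (heartbeats on a link that does not depend on the production switch pair) with VLAN failsafe configured deliberately rather than left at defaults, as an added example; it is not configuration from anyone in this thread. It assumes BIG-IP v11 device-service-clustering (cm device) commands, and the interface 1.3, the 192.168.255.0/30 link, the device name bigip1.example.com and the VLAN names are constructed.

```tmsh
# --- Heartbeat VLAN on a port that does not go through the production switches (1.3 assumed) ---
create net vlan ha interfaces add { 1.3 { untagged } }
create net self 192.168.255.1 address 192.168.255.1/30 vlan ha allow-service default traffic-group traffic-group-local-only

# --- Network failover, config sync and connection mirroring all over that link ---
# (device name assumed; "list cm device" shows the real one. Run the same commands with
#  192.168.255.2 on the peer, then "run cm config-sync to-group <device-group>".)
modify cm device bigip1.example.com configsync-ip 192.168.255.1 mirror-ip 192.168.255.1 unicast-address { { ip 192.168.255.1 port 1026 } }

# --- VLAN failsafe only where silence really means isolation ---
# Failsafe declares a VLAN dead when the unit hears no traffic on it for the timeout, so it
# belongs on VLANs that are never legitimately quiet (the server and FWSM-facing VLANs),
# not on the heartbeat VLAN.
modify net vlan external failsafe enabled failsafe-timeout 90 failsafe-action failover
modify net vlan web      failsafe enabled failsafe-timeout 90 failsafe-action failover
modify net vlan db       failsafe enabled failsafe-timeout 90 failsafe-action failover

# --- Checks ---
show sys failover
show cm failover-status
list net vlan failsafe failsafe-timeout failsafe-action
```

When testing, pull the standby's production links while watching `show sys failover` on the active unit: with heartbeats on the dedicated link the active should stay active, and `list net vlan failsafe` confirms failsafe is not armed on a VLAN where the standby is the only other talker.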