Forum Discussion
F5 LTM Transparent mode configuration
Dear All,
I am trying to configure a BIG-IP LTM device to work in transparent mode in order to replace a Cisco ACE device. I have already done several configurations, but the results are not as good as they should be. I used the following guide: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_vlans.html1062318
As a result, I am not able to ping the external and internal network; it looks as if the LTM blocks the entire flow. Any help will be appreciated!
Thanks in advance!
- nathe (Cirrocumulus)
Martin,
Sounds like you need a forwarding virtual server setup. Unless you specifically have a virtual server set up, the F5 will block by default. To have a catch-all VS, perhaps for inline mode, then a forwarding virtual server is what you will need, alongside any application-specific VSs you may have.
Hope this helps,
N
- MartinVKonov_15 (Nimbostratus)
Hi Nathan,
Thank you for your comment. I read somewhere about that forwarding virtual server, but I noticed that if I use that VS I am not able to do load balancing functions (not possible to configure a pool); I will just allow the L2 traffic to flow via my LTM. From my point of view, it would be best if I could use transparent mode and do load balancing functions + monitoring and so on.
In addition, I would like to apologize for my stupid questions, but I am still new to this.
- nathe (Cirrocumulus)
Yes, you're right. A forwarding VS (either L2 or IP) simply takes a packet and forwards it on, as specified in the destination IP address or MAC address. It simply makes the F5 act as a router. No load balancing is required.
If you need to create pools of backend servers then you're most likely to create a standard virtual server with an associated pool.
Perhaps I'm not clear on what you mean by transparent mode.
Rgds
N
- MartinVKonov_15 (Nimbostratus)
I don't like to use Layer 3 routing. In our current situation we had servers + LB + gateway. We use an LB in bridge mode, Layer 2 switching only (transparent, as I said), and we don't like to change that. Is that possible in F5? A few days ago I did that with the Routing Domains feature, but it looks too complicated, so I am still looking for some other options.
Thank you!
- nitass (Employee)
I think we do not need a virtual server for bridging traffic in a vlan group.
What platform and software version are you using? Is it a standalone unit or an HA pair?
- MartinVKonov_15 (Nimbostratus)
Hello Nitass,
At the moment I am using standalone device version 11.3.0.
- nitass (Employee)
"As a result, I am not able to ping the external and internal network; it looks as if the LTM blocks the entire flow."
Have you tried tcpdump?
- MartinVKonov_15 (Nimbostratus)
No, I have not, but I can try. My idea is to use that bridge mode with Virtual Servers, pools and so on, as shown in the configuration guide:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_implementation/sol_vlans.html1062318
- MartinVKonov_15 (Nimbostratus)
Hi,
I did the tcpdump and noticed that it looks like the LTM is isolated and is not able to reach any of the other devices.
03:20:22.650841 02:0c:29:8d:86:62 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 123, p 0, ethertype ARP, arp who-has 10.128.20.22 tell 10.128.20.200
03:20:23.650653 02:0c:29:8d:86:62 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 122, p 0, ethertype ARP, arp who-has 10.128.20.22 tell 10.128.20.200
03:20:23.650661 02:0c:29:8d:86:62 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 123, p 0, ethertype ARP, arp who-has 10.128.20.22 tell 10.128.20.200
03:20:24.650607 02:0c:29:8d:86:62 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 122, p 0, ethertype ARP, arp who-has 10.128.20.22 tell 10.128.20.200
- nitass (Employee)
This is mine.
version

root@(B1600-R66-S18)(cfg-sync Standalone)(Active)(/Common)(tmos) show sys version |grep -A 6 Package
Main Package
  Product  BIG-IP
  Version  11.3.0
  Build    3144.0
  Edition  Hotfix HF8
  Date     Thu Oct 3 18:22:28 PDT 2013

config

root@(B1600-R66-S18)(cfg-sync Standalone)(Active)(/Common)(tmos) list net vlan-group
net vlan-group vg {
    members {
        external
        internal
    }
}
root@(B1600-R66-S18)(cfg-sync Standalone)(Active)(/Common)(tmos) list net vlan external
net vlan external {
    if-index 256
    interfaces {
        1.1 {
            tagged
        }
    }
    tag 1149
}
root@(B1600-R66-S18)(cfg-sync Standalone)(Active)(/Common)(tmos) list net vlan internal
net vlan internal {
    if-index 240
    interfaces {
        1.1 {
            tagged
        }
    }
    tag 423
}
root@(B1600-R66-S18)(cfg-sync Standalone)(Active)(/Common)(tmos) list net self
net self 200.200.200.18/24 {
    address 200.200.200.18/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan vg
}
root@(B1600-R66-S18)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm virtual
root@(B1600-R66-S18)(cfg-sync Standalone)(Active)(/Common)(tmos)

arp

[root@B1600-R66-S18:Active:Standalone] config tmsh show net arp
---------------------------------------------------------------------------------------------
Net::Arp
Name             Address          HWaddress         Vlan              Expire-in-sec  Status
---------------------------------------------------------------------------------------------
200.200.200.3    200.200.200.3    0:50:56:b3:78:63  /Common/external  189            resolved
200.200.200.101  200.200.200.101  0:50:56:b3:1:b    /Common/internal  200            resolved

trace

[root@B1600-R66-S18:Active:Standalone] config tcpdump -nni 0.0 -s0 -e icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:44:40.249064 00:50:56:b3:01:0b > 02:50:56:b3:78:63, ethertype 802.1Q (0x8100), length 109: vlan 423, p 0, ethertype IPv4, 200.200.200.101 > 200.200.200.3: ICMP echo request, id 28204, seq 1, length 64 in slot1/tmm1 lis=
10:44:40.249457 02:50:56:b3:01:0b > 00:50:56:b3:78:63, ethertype 802.1Q (0x8100), length 109: vlan 1149, p 0, ethertype IPv4, 200.200.200.101 > 200.200.200.3: ICMP echo request, id 28204, seq 1, length 64 out slot1/tmm0 lis=
10:44:40.250039 02:50:56:b3:78:63 > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 109: vlan 423, p 0, ethertype IPv4, 200.200.200.3 > 200.200.200.101: ICMP echo reply, id 28204, seq 1, length 64 out slot1/tmm0 lis=
10:44:40.249957 00:50:56:b3:78:63 > 02:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 109: vlan 1149, p 0, ethertype IPv4, 200.200.200.3 > 200.200.200.101: ICMP echo reply, id 28204, seq 1, length 64 in slot1/tmm1 lis=
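An added example, not part of any post in this thread: a small Python parser for the `tcpdump -e` output shown above. It counts ARP who-has requests that never get an is-at reply per VLAN (the symptom in Martin's capture) and pairs the `in`/`out` copies of each frame in nitass's trace, showing that the source MAC leaves the other VLAN with the locally administered bit set. The function names are hypothetical; the sample lines are copied from the two captures.

```python
import re
from collections import defaultdict

# One `tcpdump -e` frame with an 802.1Q tag; BIG-IP may append "in|out slotN/tmmN lis=".
FRAME = re.compile(
    r"[\d:.]+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype 802\.1Q "
    r"\(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, ethertype (?P<proto>\w+), "
    r"(?P<info>.*?)(?: (?P<dir>in|out) slot\S+ lis=\S*)?$")

def parse(capture):
    return [m.groupdict() for m in (FRAME.match(l.strip()) for l in capture.splitlines()) if m]

def unanswered_arp(frames):
    """{(target_ip, vlan): count} for who-has requests with no is-at reply in the capture."""
    asked, answered = defaultdict(int), set()
    for f in (f for f in frames if f["proto"] == "ARP"):
        req = re.search(r"who-has (\S+) tell", f["info"])
        rep = re.search(r"(\S+) is-at", f["info"])
        if req:
            asked[(req.group(1), f["vlan"])] += 1
        if rep:
            answered.add(rep.group(1))
    return {k: n for k, n in asked.items() if k[0] not in answered}

def bridged_pairs(frames):
    """(in_vlan, out_vlan, src_mac_in, src_mac_out) for frames seen both entering and leaving."""
    seen = defaultdict(dict)
    for f in frames:
        if f["dir"]:
            seen[f["info"]][f["dir"]] = f
    return [(c["in"]["vlan"], c["out"]["vlan"], c["in"]["src"], c["out"]["src"])
            for c in seen.values() if {"in", "out"} <= c.keys()]

def local_bit(mac):
    """True if the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)

# Sample lines copied from the two captures in this thread.
MARTIN_CAPTURE = """03:20:22.650841 02:0c:29:8d:86:62 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 123, p 0, ethertype ARP, arp who-has 10.128.20.22 tell 10.128.20.200
03:20:23.650653 02:0c:29:8d:86:62 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 122, p 0, ethertype ARP, arp who-has 10.128.20.22 tell 10.128.20.200
03:20:23.650661 02:0c:29:8d:86:62 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 123, p 0, ethertype ARP, arp who-has 10.128.20.22 tell 10.128.20.200
03:20:24.650607 02:0c:29:8d:86:62 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 122, p 0, ethertype ARP, arp who-has 10.128.20.22 tell 10.128.20.200"""
NITASS_TRACE = """10:44:40.249064 00:50:56:b3:01:0b > 02:50:56:b3:78:63, ethertype 802.1Q (0x8100), length 109: vlan 423, p 0, ethertype IPv4, 200.200.200.101 > 200.200.200.3: ICMP echo request, id 28204, seq 1, length 64 in slot1/tmm1 lis=
10:44:40.249457 02:50:56:b3:01:0b > 00:50:56:b3:78:63, ethertype 802.1Q (0x8100), length 109: vlan 1149, p 0, ethertype IPv4, 200.200.200.101 > 200.200.200.3: ICMP echo request, id 28204, seq 1, length 64 out slot1/tmm0 lis=
10:44:40.250039 02:50:56:b3:78:63 > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 109: vlan 423, p 0, ethertype IPv4, 200.200.200.3 > 200.200.200.101: ICMP echo reply, id 28204, seq 1, length 64 out slot1/tmm0 lis=
10:44:40.249957 00:50:56:b3:78:63 > 02:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 109: vlan 1149, p 0, ethertype IPv4, 200.200.200.3 > 200.200.200.101: ICMP echo reply, id 28204, seq 1, length 64 in slot1/tmm1 lis="""
if __name__ == "__main__":
    print(unanswered_arp(parse(MARTIN_CAPTURE)))
    print(bridged_pairs(parse(NITASS_TRACE)))
```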