Forum Discussion
Nathan_67739
Nimbostratus
NimbostratusForcing "routed" traffic back to gateway
We currently have a LTM 3600 (running 10.0.1), set up in a router-on-a-stick model (vlan based network with backend servers and VIPs logically, but not physically, behind the LTM).
We are expanding our network access controls on our core network, and would really like to be able to do our access controls on the core network devices instead of on the LTM. (We have one active LTM pair and LOTS of routers from another vendor.)
The volume of traffic that crosses between LTM subnets is relatively small, so I'm not concerned about the overhead of sending traffic out and back in.
Scenario:
core(10.0.0.1)--interconnect-->LTM(10.0.0.2)
LTM(10.1.0.1)--real-server-net-1--->Real-10(10.1.0.10)
LTM(10.2.0.1)--real-server-net-2--->Real-20(10.2.0.20)
LTM(10.3.0.1)--real-server-net-3--->Real-30(10.3.0.30)
Currently, all traffic between 10.3.0.30 and 10.2.0.20 will hit the LTM self-ip on real-server-net-3, and then immediately back out to real-server-net-2.
I would like to configure the LTM to not route between those two networks, but instead, send the traffic up to core(10.0.0.1).
It looked like I might be able to do this with route domains, but it wasn't entirely clear. Note though - I am _NOT_ going to have any overlapping IP ranges. They will all be distinct, I just don't want the LTM routing the traffic directly between the subnets.
Does anyone have a quick walkthru to accomplish something like this? Is it even possible?
- The_BhattmanHi Nathan,
Is the core (10.0.0.1) and 10.3.0.30 and 10.2.0.20 physically on the same device (Meaning is your core also a switch?)
Bhattman 
Nathan_67739Yes, but not guaranteed to be the exact same device. (We have two datacenters, L2 connectivity between each one, LTM at each site.) LTM interconnect vlan is L2 common between both data centers, as are the the 10.x subnets/vlans. There are also other vlans (also with L2 between the two datacenters). Only way for those other subnets (and the outside world) to get to the 10.1/2/3 subnets is through the LTM unit.
There could potentially be 3-4 other switches in the intermediate path between the particular two machines on 10.2 and 10.3.
I'll be happy to provide more detail as needed, figured on just describing the smallest representative case. (If I actually described the entirety of the deployment, it gets quite a bit more complicated.)
Why do you ask?- Nathan_67739Another detail - the 10.1/2/3 addresses behind the LTM are static routed from the core through via the 10.0 interconnect route. On all of the subnets (including the interconnect) there are two self-ips, and one floating self-ip.
- The_BhattmanHi Nathan,
I was thinking perhaps you can create another gateway on the 10.2 and 10.3 which is carried by the network. This way 10.2 and 10.3 have 2 hops to choose which is the LTM or the Network.
Bhattman - Nathan_67739Hmm... I could certainly create additional "fake/duplicate/etc" gateways upstream from the LTM, but what's going to cause the LTM to actually send it to that gateway, since it knows about the subnet as being directly attached?
Or are you saying to eliminate the LTM self-ip on 10.2/10.3? In that case, I don't think any load balancing would work unless I went to SNAT for everything. Right now, the backend servers (mostly, have 3-5 out of 100+ vips using SNAT) all see the real client IPs. Going full SNAT would definitely allow this to work - at that point, the LTM would not need to do any routing. - The_BhattmanHi Nathan,
You would have to repoint your servers to the new gateway. A policy based route on your network would look at the packets and determine whether they need to bypass the LTM or not. I suspect the only time you want to go to the LTM is in response to packets hitting a virtual yes?
Bhattman - Nathan_67739But the servers currently have the self-ip of the LTM as their gateway... If I used a different IP, connections through the load balancer won't work without SNAT since they would respond directly to the client. (Plain TCP might, but certainly nothing that alters the stream with tcp/http profiles, or ssl offloading of any kind since the session is going to be altered by the LTM.)
Not sure if I'm explaining this clearly or not.
I saw something in another thread about "auto lasthop" - would that possibly have any applicability here? (Haven't read up on it.) - Nathan_67739Hmmm. from a quick read, doens't look like auto lasthop would be applicable. That would allow me to use different in/out gateways for the different subnets, but I think the LTM would still route between the subnets directly. Route domains still look very applicable, but not familiar with the details or whether they would do what I need.
- Nathan_67739Something else just occurred to me. We have a 'default forwarding' virtual server, set up as a 'Forwarding (IP)' type virtual server with a 0.0.0.0 addr and mask. Could this be done differently to tell the LTM "don't forward between subnets, only between the subnet and the gateway"?
HamishCirrocumulus
Posted By Nathan on 01/16/2010 4:44 PM
Something else just occurred to me. We have a 'default forwarding' virtual server, set up as a 'Forwarding (IP)' type virtual server with a 0.0.0.0 addr and mask. Could this be done differently to tell the LTM "don't forward between subnets, only between the subnet and the gateway"?
Yes.
You set the destination for the default network VS as a pool. And the poolmember(s) just happen to be the gateway. I do this where a single F5 is used for a number of DMZ's between the firewall and the DMZ's themselves. In this way any traffic between subnets is forwarded via the gateway (Firewall), and not direct.
I normally set the allowed VLAN's as well just to make sure that traffic inbound on some interfaces is treated slightly differently (eg. traffic TO the subnets doesn't want to match the default VS so the allowed VLAN's is set to just the subnets behind the F5)
