Forum Discussion
Nathan_67739
Nimbostratus
Jan 15, 2010
Forcing "routed" traffic back to gateway
We currently have a LTM 3600 (running 10.0.1), set up in a router-on-a-stick model (vlan based network with backend servers and VIPs logically, but not physically, behind the LTM).
We are expanding our network access controls on our core network, and would really like to be able to do our access controls on the core network devices instead of on the LTM. (We have one active LTM pair and LOTS of routers from another vendor.)
The volume of traffic that crosses between LTM subnets is relatively small, so I'm not concerned about the overhead of sending traffic out and back in.
Scenario:
core(10.0.0.1)--interconnect-->LTM(10.0.0.2)
LTM(10.1.0.1)--real-server-net-1--->Real-10(10.1.0.10)
LTM(10.2.0.1)--real-server-net-2--->Real-20(10.2.0.20)
LTM(10.3.0.1)--real-server-net-3--->Real-30(10.3.0.30)
Currently, all traffic between 10.3.0.30 and 10.2.0.20 will hit the LTM self-ip on real-server-net-3, and then immediately back out to real-server-net-2.
I would like to configure the LTM to not route between those two networks, but instead, send the traffic up to core(10.0.0.1).
It looked like I might be able to do this with route domains, but it wasn't entirely clear. Note though - I am _NOT_ going to have any overlapping IP ranges. They will all be distinct, I just don't want the LTM routing the traffic directly between the subnets.
Does anyone have a quick walkthru to accomplish something like this? Is it even possible?
15 Replies
- The_Bhattman
Nimbostratus
Posted By Nathan on 01/16/2010 4:36 PM
But the servers currently have the self-ip of the LTM as their gateway... If I used a different IP, connections through the load balancer won't work without SNAT since they would respond directly to the client. (Plain TCP might, but certainly nothing that alters the stream with tcp/http profiles, or ssl offloading of any kind since the session is going to be altered by the LTM.)
Not sure if I'm explaining this clearly or not.
I saw something in another thread about "auto lasthop" - would that possibly have any applicability here? (Haven't read up on it.)
I understand what you mean. However, what I am saying is there might be a way to create HSRP addresses on the 10.3.0.30 and 10.2.0.20 subnets so servers have a HOP where they can route directly using the core network and not through the LTM - basically VLAN to VLAN traffic. You could either add a static entry on each of your servers so they know which HOP they need to use to access each other's network OR change the gateway to the HSRP address - If you have SNAT turned on the VIP then the traffic destined for the LTM will go through the LTM, while all other traffic can bypass the LTM.
Sorry if this concept is hard to explain.
Bhattman
- Nathan_67739
Nimbostratus
But see - that's the problem - the traffic has to pass through the LTM or load balancing/ssl-offloading won't work right. Note - SNAT is _NOT_ in use here... Yes, if it were SNAT'd, it'd be trivial, cause at that point, I wouldn't bother putting ANY of the subnets logically behind the LTM other than the VIP subnet.
Another way of looking at this (alternative scenario) - pretend I'm an ISP that has two completely distinct customers. I give each one of them their own subnet, and each of them is fed from a different routed uplink on the LTM. I don't want the LTM to route directly between the two customer networks, since the firewall might not even be under my control.
- hoolio
Cirrostratus
Hi Nathan,
I haven't read through the full thread to understand everything that's been discussed, but...
For the scenario you just mentioned with two customers and an external and internal VLAN for each which you don't want to route between, you can use a fairly simple configuration which Denny described nicely here:
Source routing
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=31&tpage=1&view=topic&postid=2097922930
I recently set this up with routing domains for a customer who wanted to segregate their public to DMZ server traffic from internal users to internal servers. The advantage to route domains is that you can use overlapping subnets for each client. It also provides an additional layer of protection against misconfiguration of LTM allowing traffic to mix between the two sets of VLANs. I don't think the additional complexity in configuration is worth it though, if you don't need to support overlapping subnets.
Aaron
- Nathan_67739
Nimbostratus
Bingo! THANK YOU Aaron!
That is exactly the information that I needed and looks like it will work perfectly.
-- Nathan
- hoolio
Cirrostratus
Glad to hear that looks good for you. Let us know if you see any problems when you test it.
F5 seems open to the idea of documenting this configuration in an implementation guide or AskF5 solution.
Aaron
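Aaron's route-domain approach for the two-customer scenario, as an added configuration example that is not from this thread, from F5 or from the linked post: each customer gets a core-facing VLAN and a server VLAN in its own route domain, so the LTM holds no route between the two customers and anything off the local VLANs follows that domain's default route to the core. It assumes a release with tmsh-style configuration (syntax on a 10.0.x bigpipe system differs), and the VLAN names, tags, interfaces and the second customer's 10.0.1.0/24 uplink are assumed values; the 10.0.0.x, 10.1.0.1 and 10.2.0.1 addresses come from the scenario in the thread.

```tmsh
# Added example: two customers, each with a core-facing and a server VLAN,
# isolated from each other by route domains. Names, tags, interfaces and
# the second customer's uplink subnet (10.0.1.0/24) are assumed values.
net vlan customerA_ext { interfaces { 1.1 { tagged } } tag 101 }
net vlan customerA_int { interfaces { 1.2 { tagged } } tag 102 }
net vlan customerB_ext { interfaces { 1.1 { tagged } } tag 201 }
net vlan customerB_int { interfaces { 1.2 { tagged } } tag 202 }

# strict enabled (the default) means no forwarding between route domains,
# so a customerA server cannot reach customerB's subnet through the LTM
# even if someone later adds a static route by mistake in the wrong domain.
net route-domain customerA {
    id 1
    strict enabled
    vlans { customerA_ext customerA_int }
}
net route-domain customerB {
    id 2
    strict enabled
    vlans { customerB_ext customerB_int }
}

# Self IPs carry a %<id> suffix naming their route domain. The internal
# self IP stays the servers' default gateway, so VIP return traffic still
# passes back through the LTM without needing SNAT.
net self 10.0.0.2%1 { address 10.0.0.2%1/24 vlan customerA_ext allow-service none }
net self 10.1.0.1%1 { address 10.1.0.1%1/24 vlan customerA_int allow-service none }
net self 10.0.1.2%2 { address 10.0.1.2%2/24 vlan customerB_ext allow-service none }
net self 10.2.0.1%2 { address 10.2.0.1%2/24 vlan customerB_int allow-service none }

# One default route per domain. Anything not on a local VLAN of that
# domain (including the other customer's subnet) is handed to the core.
net route default_customerA { network 0.0.0.0%1/0 gw 10.0.0.1%1 }
net route default_customerB { network 0.0.0.0%2/0 gw 10.0.1.1%2 }
```

After loading, `tmsh show net route` should list, per domain, only the connected routes plus that domain's single default; a route for the other customer's subnet appearing there is the misconfiguration this layout is meant to catch.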