I have attached our network scenario as an attachment here. My concern is how to configure the F5 LTM as One ARM having multiple VLANS where the VIP and the actual nodes are in different VLAN. A default One ARM configuration suggests to have both VIP and Node IP addresses are on a same IP sub-network. Here, I have Multiple VIP VLAN as 10 & 20 and My Nodes are in VLAN 100,120 & 200. What would be my Internal and External Interface and their Self IP at the LTM setup? I am hosting a Virtual edition of Big-IP LTM on Esxi server where I have 4 VMNICs available 2 for Management and 2 for Production network which are Trunk with a MLS Switch at VLAN 10,20,100,120 & 200.

By definition, a One-Arm setup only has a single VLAN. You do not have a one-arm setup. You have a single trunk, over which you will configure several tagged VLANs. Each VLAN has non-floating and floating self IPs to match the network range associated with the vlan. You will have multiple internal and external vlans defined.

Hi Steve Blakely, Thanks for your reply. Would you help me to guide a setup scenario? I am building a F5 VE HA infrastructure. One F5 VE VM has four VMNICS, 2 for Management (VMNIC0 Active and VMNIC1 as standby) and 2 Production (VMNIC 2 primary and VMNIC3 as Standby). Do I have to define individual Internal and External Interface for each Pool Members? Our real servers does not have a default gateway in the F5. As I told before the traffics are being forwarded via a policy based routing for only load balanced traffic to the F5 to their External floating self-IP addresses. Example: VLAN 10 (10.0.0.0/24) to External interface 1.1 and VLAN 100 (10.10.100.0/24) to Internal Interface 1.2VLAN 20 (20.0.0.0/24) to External Interface 1.1 and VLAN 200 (10.10.200.0/24) to Internal Interface 1.2 net self IP_10.0.0.0 { address 10.0.0.1/24 traffic-group traffic-group-local-only vlan VLAN-10 }net self IP_20.0.0.0 {address 20.0.0.1/24traffic-group traffic-group-local-onlyvlan VLAN-20}net self IP_10.0.0.0 { address 10.0.0.3/24 traffic-group traffic-group-1 vlan VLAN-10 }net self IP_20.0.0.0 {address 20.0.0.3/24traffic-group traffic-group-1vlan VLAN-20}AS the Internal VLAN can't have a default gateway on F5 since they are connected with the Cisco switch, what would be the Internal Interface setup look like? Will it be Just a tagged Interface with VLAN 100 and No "non-floating and floating Self-IP"? My ultimate goal is to setup the F5 VE HA pair to act like an One ARM but having External and Internal VLAN are in different sub-netwrok. What would be my setup in this case?

> One F5 VE VM has four VMNICS, 2 for Management (VMNIC0 Active and VMNIC1 as standby) and 2 Production (VMNIC 2 primary and VMNIC3 as Standby). First - you can only assign one VNIC to Management - it's a single interface. On a VE - it's the first VNIC. > and 2 Production (VMNIC 2 primary and VMNIC3 as Standby). Again, this isn't how it works - the VNICs are connected to the virtual network infrastructure as Interfaces 1.1 and 1.2. You may be able to define the two links as a trunk. > Do I have to define individual Internal and External Interface for each Pool Members? Are you talking about pool members (i.e destination servers that deliver content) or virtual servers - listeners on the BigIP that forward traffic to the pool members. > AS the Internal VLAN can't have a default gateway on F5 since they are connected with the Cisco switch, what would be the Internal Interface setup look like? Will it be Just a tagged Interface with VLAN 100 and No "non-floating and floating Self-IP"? Every VLAN (tagged or untagged) has to have both non-floating and floating self-ip addresses to accept or send traffic. If your internal servers cannot have their default gateway set to be the BigIP, then you will need to SNAT the traffic so that the return traffic from the pool members goes back to the BigIP. > My ultimate goal is to setup the F5 VE HA pair to act like an One ARM but having External and Internal VLAN are in different sub-netwrok. What would be my setup in this case? As I said before, a one-arm setup only has one vlan. You do not appear to be doing this.

Hi Simon Blakely, Thanks for your response. So in my case One ARM setup is not possible because My VIP is on VLAN 10 and Nodes are VLAN 100. How can I setup it as a Routed mode and still enable SNAT since my Nodes have a default gateway towards VLAN100 SVI 10.10.100.1 at the Cisco switch? Do I also need to set a Internal Interface's Self-IP & Floating Self-IP for HA pair for VLAN100 (VM1: 10.10.100.4, VM1 Floating: 10.10.100.6) (VM2: 10.10.100.5, VM2 Floating: 10.10.100.6)? According to your direction, I have to create similar Internal and External Interface for Each set of Network like for My another VIP is on VLAN 20 and Nodes are VLAN 200?

if you just setup all networks then creating a virtual server in one VLAN with a pool with servers on another VLAN will work. it will "route" from the external to the internal network for the configured traffic. you can enable SNAT on that virtual server (option: Source Address Translation) to make sure traffic returns to the BIG-IP. if you want to communicate with systems on a network then IP adresses on those networks are advises. in a HA setup then node addresses and a floating one is best pratice. you can continue that setup with multiple sets of external and internal networks. also keep in mind your virtual server network can be a non physical one, but just a subtnet you route to the BIG-IP.

How to configure One ARM setup with multiple VLAN

Simon_Blakely
Employee
Apr 30, 2020
By definition, a One-Arm setup only has a single VLAN.

You do not have a one-arm setup. You have a single trunk, over which you will configure several tagged VLANs.

Each VLAN has non-floating and floating self IPs to match the network range associated with the vlan.

You will have multiple internal and external vlans defined.
Maisha
Nimbostratus
May 01, 2020
Hi Steve Blakely,

Thanks for your reply. Would you help me to guide a setup scenario? I am building a F5 VE HA infrastructure. One F5 VE VM has four VMNICS, 2 for Management (VMNIC0 Active and VMNIC1 as standby) and 2 Production (VMNIC 2 primary and VMNIC3 as Standby).

Do I have to define individual Internal and External Interface for each Pool Members? Our real servers does not have a default gateway in the F5. As I told before the traffics are being forwarded via a policy based routing for only load balanced traffic to the F5 to their External floating self-IP addresses.

Example:
VLAN 10 (10.0.0.0/24) to External interface 1.1 and VLAN 100 (10.10.100.0/24) to Internal Interface 1.2
VLAN 20 (20.0.0.0/24) to External Interface 1.1 and VLAN 200 (10.10.200.0/24) to Internal Interface 1.2

net self IP_10.0.0.0 {
address 10.0.0.1/24
traffic-group traffic-group-local-only
vlan VLAN-10
}
net self IP_20.0.0.0 {
address 20.0.0.1/24
traffic-group traffic-group-local-only
vlan VLAN-20
}
net self IP_10.0.0.0 {
address 10.0.0.3/24
traffic-group traffic-group-1
vlan VLAN-10
}
net self IP_20.0.0.0 {
address 20.0.0.3/24
traffic-group traffic-group-1
vlan VLAN-20
}
AS the Internal VLAN can't have a default gateway on F5 since they are connected with the Cisco switch, what would be the Internal Interface setup look like? Will it be Just a tagged Interface with VLAN 100 and No "non-floating and floating Self-IP"?

My ultimate goal is to setup the F5 VE HA pair to act like an One ARM but having External and Internal VLAN are in different sub-netwrok. What would be my setup in this case?
- Simon_Blakely
  Employee
  May 01, 2020
  > One F5 VE VM has four VMNICS, 2 for Management (VMNIC0 Active and VMNIC1 as standby) and 2 Production (VMNIC 2 primary and VMNIC3 as Standby).
  
  First - you can only assign one VNIC to Management - it's a single interface. On a VE - it's the first VNIC.
  
  > and 2 Production (VMNIC 2 primary and VMNIC3 as Standby).
  
  Again, this isn't how it works - the VNICs are connected to the virtual network infrastructure as Interfaces 1.1 and 1.2. You may be able to define the two links as a trunk.
  
  > Do I have to define individual Internal and External Interface for each Pool Members?
  
  Are you talking about pool members (i.e destination servers that deliver content) or virtual servers - listeners on the BigIP that forward traffic to the pool members.
  
  > AS the Internal VLAN can't have a default gateway on F5 since they are connected with the Cisco switch, what would be the Internal Interface setup look like? Will it be Just a tagged Interface with VLAN 100 and No "non-floating and floating Self-IP"?
  
  Every VLAN (tagged or untagged) has to have both non-floating and floating self-ip addresses to accept or send traffic.
  
  If your internal servers cannot have their default gateway set to be the BigIP, then you will need to SNAT the traffic so that the return traffic from the pool members goes back to the BigIP.
  
  > My ultimate goal is to setup the F5 VE HA pair to act like an One ARM but having External and Internal VLAN are in different sub-netwrok. What would be my setup in this case?
  
  As I said before, a one-arm setup only has one vlan. You do not appear to be doing this.
  - Maisha
    Nimbostratus
    May 01, 2020
    Hi Simon Blakely,
    
    Thanks for your response. So in my case One ARM setup is not possible because My VIP is on VLAN 10 and Nodes are VLAN 100. How can I setup it as a Routed mode and still enable SNAT since my Nodes have a default gateway towards VLAN100 SVI 10.10.100.1 at the Cisco switch?
    
    Do I also need to set a Internal Interface's Self-IP & Floating Self-IP for HA pair for VLAN100 (VM1: 10.10.100.4, VM1 Floating: 10.10.100.6) (VM2: 10.10.100.5, VM2 Floating: 10.10.100.6)?
    
    According to your direction, I have to create similar Internal and External Interface for Each set of Network like for My another VIP is on VLAN 20 and Nodes are VLAN 200?
Maisha
Nimbostratus
May 08, 2020
Hi ,
Thanks for your advise. I did setup the external and internal vlan as your told and also created self-ip and floating ip for each vlan. I also setup SNAT and it worked perfectly for me but it creates another issue. It could not preserve the Client's source IP address (We need to preserve it). If I take off the SNAT then it can't reach the Virtual server IP at all. I think an asymmetric routing occurred here but I could not find a solution to resolve it> Can you suggest me something?

My Client IP = 10.10.100.100
My External VLAN10= selfip 1010.10.10, floating self-ip 10.10.10.12
My Virtual server = 10.10.10.50
My Internal VLAN20= selfip 1010.20.10, floating self-ip 10.10.20.12

My Nodes are on VLAN20= 10.10.20.21 & 10.10.20.22 (but their default GW IP 10.10.20.1 is at the L3 Switch, since these nodes and not directly connected to the F5). Both f5 and Nodes are VM hosts and are connected to a L3 switch.
- PeteWhite
  Employee
  May 08, 2020
  If you don’t want to use SNAT then you have two options - make the default route for the servers the big-ip floating up address, or use SNAT and insert the x-forwarded-for header in the http profile.
  - Maisha
    Nimbostratus
    May 08, 2020
    Hi
    
    Thanks for your reply. I can't use F5 as a default GW. I also have several TCP custom port based Virtual servers where I can't use HTTP profiles to insert x-forwarder and also an x-forwarder will need custom config at the Web server side which is not possible as well. I saw something about "nPath routing" will that work? I have to implement it at Layer3, I beleieve?

Forum Discussion

How to configure One ARM setup with multiple VLAN

Recent Discussions

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

Multiple Ways to Configure Usage Reporting in NGINX

LTM VE behind Sophos Firewall deployment - configuration/setup question

F5 BIG-IP Advanced WAF – DOS profile configuration options.

How to Setup Shape Log Analysis in Fastly

Looking for Setup Advice

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS