Forum Discussion
Hi Steve Blakely,
Thanks for your reply. Would you help me to guide a setup scenario? I am building an F5 VE HA infrastructure. One F5 VE VM has four VMNICS, 2 for Management (VMNIC0 Active and VMNIC1 as standby) and 2 Production (VMNIC 2 primary and VMNIC3 as Standby).
Do I have to define individual Internal and External Interface for each Pool Members? Our real servers do not have a default gateway in the F5. As I said before, the traffic is being forwarded via policy based routing, for only load balanced traffic, to the F5 to their External floating self-IP addresses.
Example:
VLAN 10 (10.0.0.0/24) to External interface 1.1 and VLAN 100 (10.10.100.0/24) to Internal Interface 1.2
VLAN 20 (20.0.0.0/24) to External Interface 1.1 and VLAN 200 (10.10.200.0/24) to Internal Interface 1.2
net self IP_10.0.0.0 {
    address 10.0.0.1/24
    traffic-group traffic-group-local-only
    vlan VLAN-10
}
net self IP_20.0.0.0 {
    address 20.0.0.1/24
    traffic-group traffic-group-local-only
    vlan VLAN-20
}
net self IP_10.0.0.0 {
    address 10.0.0.3/24
    traffic-group traffic-group-1
    vlan VLAN-10
}
net self IP_20.0.0.0 {
    address 20.0.0.3/24
    traffic-group traffic-group-1
    vlan VLAN-20
}
As the Internal VLAN can't have a default gateway on F5 since they are connected with the Cisco switch, what would the Internal Interface setup look like? Will it be just a tagged Interface with VLAN 100 and No "non-floating and floating Self-IP"?
My ultimate goal is to set up the F5 VE HA pair to act like a One ARM but having External and Internal VLAN in different sub-networks. What would be my setup in this case?
> One F5 VE VM has four VMNICS, 2 for Management (VMNIC0 Active and VMNIC1 as standby) and 2 Production (VMNIC 2 primary and VMNIC3 as Standby).
First - you can only assign one VNIC to Management - it's a single interface. On a VE - it's the first VNIC.
> and 2 Production (VMNIC 2 primary and VMNIC3 as Standby).
Again, this isn't how it works - the VNICs are connected to the virtual network infrastructure as Interfaces 1.1 and 1.2. You may be able to define the two links as a trunk.
> Do I have to define individual Internal and External Interface for each Pool Members?
Are you talking about pool members (i.e. destination servers that deliver content) or virtual servers - listeners on the BigIP that forward traffic to the pool members?
> As the Internal VLAN can't have a default gateway on F5 since they are connected with the Cisco switch, what would the Internal Interface setup look like? Will it be just a tagged Interface with VLAN 100 and No "non-floating and floating Self-IP"?
Every VLAN (tagged or untagged) has to have both non-floating and floating self-ip addresses to accept or send traffic.
If your internal servers cannot have their default gateway set to be the BigIP, then you will need to SNAT the traffic so that the return traffic from the pool members goes back to the BigIP.
> My ultimate goal is to set up the F5 VE HA pair to act like a One ARM but having External and Internal VLAN in different sub-networks. What would be my setup in this case?
As I said before, a one-arm setup only has one vlan. You do not appear to be doing this.
- Maisha, May 01, 2020, Nimbostratus
Hi Simon Blakely,
Thanks for your response. So in my case One ARM setup is not possible because my VIP is on VLAN 10 and Nodes are on VLAN 100. How can I set it up in Routed mode and still enable SNAT, since my Nodes have a default gateway towards VLAN100 SVI 10.10.100.1 at the Cisco switch?
Do I also need to set an Internal Interface's Self-IP & Floating Self-IP for HA pair for VLAN100 (VM1: 10.10.100.4, VM1 Floating: 10.10.100.6) (VM2: 10.10.100.5, VM2 Floating: 10.10.100.6)?
According to your direction, do I have to create similar Internal and External Interfaces for each set of networks, like for my other VIP, which is on VLAN 20 with Nodes on VLAN 200?
- boneyard, May 03, 2020, MVP
if you just set up all networks then creating a virtual server in one VLAN with a pool with servers on another VLAN will work. it will "route" from the external to the internal network for the configured traffic. you can enable SNAT on that virtual server (option: Source Address Translation) to make sure traffic returns to the BIG-IP.
if you want to communicate with systems on a network then IP addresses on those networks are advised. in an HA setup then node addresses and a floating one is best practice.
you can continue that setup with multiple sets of external and internal networks. also keep in mind your virtual server network can be a non physical one, but just a subnet you route to the BIG-IP.
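The layout described in the replies above, written out as a bigip.conf-style fragment for the VLAN 10 / VLAN 100 pair. This is an added example, not part of the thread and not anyone's posted configuration: the object names, the virtual server address 10.0.0.10, the pool member 10.10.100.11 and the port are assumptions, while the VLAN 100 self-IP addresses are the ones proposed in the question.

```tmsh
# Unit 1 non-floating self IP on the internal VLAN (unit 2 would use 10.10.100.5).
# Non-floating self IPs are local to each unit and are not synchronised.
net self SELF_VLAN100 {
    address 10.10.100.4/24
    traffic-group traffic-group-local-only
    vlan VLAN-100
}

# Floating self IP shared by the HA pair; it follows the active unit and is
# the source address SNAT automap picks towards the VLAN 100 pool members.
net self FLOAT_VLAN100 {
    address 10.10.100.6/24
    traffic-group traffic-group-1
    vlan VLAN-100
}

# Pool of real servers on the internal VLAN (member address is hypothetical).
ltm pool POOL_VLAN100 {
    members {
        10.10.100.11:80 {
            address 10.10.100.11
        }
    }
    monitor http
}

# Listener on the external VLAN. With automap, pool members see the BIG-IP's
# VLAN 100 address as the client, so replies return to the BIG-IP directly
# and never need the Cisco SVI 10.10.100.1 as a path back to the client.
ltm virtual VS_VLAN10_HTTP {
    destination 10.0.0.10:80
    ip-protocol tcp
    pool POOL_VLAN100
    profiles {
        tcp { }
    }
    source-address-translation {
        type automap
    }
    vlans {
        VLAN-10
    }
    vlans-enabled
}
```

Because automap hides the original client address from the pool members, server-side access logs and IP-based access controls will only see the BIG-IP self IP unless the client address is passed another way, for example in an HTTP header inserted by the BIG-IP.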