Inter-VLAN Routing on F5

I assume your F5 has an IP on those subnets and is the default gateway for those backend systems?

Correct Chris! I have created float IPs for every VLAN and those float ips are the DG for the back end systems...

 

 

and the problem is that when server A in VLAN ACS tries to talk to server B in VLAN NAS it just cant....

 

 

I though this should be pretty straight forward since all routes are directly connect to the BIG-IPs but for some reason it is not...

 

 

I created SNAT for all VLANS with no possitive effect...

 

 

This is an extract of the routing table:

 

 

root@F5-LTM1(Active)(tmos.net) show route

 

 

Net::Routes

 

default gw 201.192.246.X static

 

127.1.1.0/24 interface tmm0 connected

 

127.10.0.0/16 interface tmm_bp connected

 

172.31.39.0/26 interface ICE_internal connected

 

172.31.39.64/26 interface MNG connected

 

172.31.39.128/27 interface ACS connected

 

172.31.39.160/27 interface NAS connected

 

201.192.246.X/28 interface Gestion_CPEs_RAI_Prod connected

 

201.192.246.X/28 interface Gestion_CPEs_RAI_Test connected

 

 

thanks for your response!

 

 

can you try ip forwarding virtual server?

 

 

sol7595: Overview of IP forwarding virtual servers

 

http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html

Setting up the F5 as a router is fairly simple (once you know how to do that 😉

According to some technotes all you basically needs to do is:

 
ltm virtual /Common/VS_ROUTE {
    destination /Common/0.0.0.0:any
    ip-forward
    mask any
    profiles {
        /Common/FASTL4_ROUTE { }
    }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual-address /Common/0.0.0.0 {
    address any
    arp disabled
    mask any
    traffic-group /Common/traffic-group-1
}
ltm profile fastl4 /Common/FASTL4_ROUTE {
    app-service none
    defaults-from /Common/fastL4
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}

*se below for udp config*

and voila the F5 will start to behave like a router/L3-switch (looking at its routing table for traffic that doesnt match any other VS). If you need dynamic routing you enable zebos in the ssh and then use vtysh to get cisco-style configuration (unfortunately the dynamic routing config isnt available in the GUI - only in the cli/ssh).

A note regarding the idle timout, its just to clear the flow from the internal statetable (since reset on timeout is disabled) in order to keep the statetable as short (and fast) as possible. One could see the statetable in this case as similar to CEF (Cisco Express Forwarding) if you are used to cisco-lingo.

And here is the UDP tweak (the F5-forum doesnt seem to like two code-blocks after each other with some regular text in between):

 

 

and to tweak UDP traffic you also add:

 

 

something is broken in the F5-forum... will do a second attempt below...

 

Lets see if it works this time?

ltm virtual /Common/VS_ROUTE_UDP {
    destination /Common/0.0.0.0:any
    ip-forward
    ip-protocol udp
    mask any
    profiles {
        /Common/FASTL4_ROUTE_UDP { }
    }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual-address /Common/0.0.0.0 {
    address any
    arp disabled
    mask any
    traffic-group /Common/traffic-group-1
}
ltm profile fastl4 /Common/FASTL4_ROUTE_UDP {
    app-service none
    defaults-from /Common/fastL4
    idle-timeout 5
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}
 

Posted By mikand on 01/14/2012 02:31 PM

 

And here is the UDP tweak (the F5-forum doesnt seem to like two code-blocks after each other with some regular text in between):

 

 

and to tweak UDP traffic you also add:

 

 

something is broken in the F5-forum... will do a second attempt below...

 

 

Hi Mikand,

 

 

The quick reply feature doesn't handle two code blocks (or quote blocks?) in the same post. The main reply functionality does though. So either use the reply button instead of quick reply, or you can use quick reply and then click edit and save.

 

 

Aaron

 

mikand:

i guess you don´t have any firewalls between your subnets?

 

because of loose option...

 

 

 

/Beinhard

 

The loose open/close is because the entry will go away from the internal statetable in the F5.

 

 

If you dont enable loose open/close the F5 will step in and tell the client that there is no current state available (since F5 nowadays is default deny).

 

 

There is a pdf somewhere on the F5 site that better explains why these settings is needed.

Det "document" I had in mind:

 

 

http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html (the stuff regarding PVA can be ignored on modern F5 appliances).