Forum Discussion
Is the routing on the F5 the same as on a router?
Hello,
I have an F5, and one of its interfaces is configured on a network, e.g. 128.1.1.0 subnet 255.255.255.0. On the same F5, I have another interface which is configured on the network 10.1.1.0 subnet 255.255.255.0. Between these interfaces there are two firewalls. I want a packet to travel from the 128.1.1.0 subnet to the 10.1.1.0 subnet VIA the firewalls. Is this feasible, or will the F5 act like a router and forward the packet internally to the other interface? This is why I am asking if the F5 is an expensive router as far as BIG-IP LTM routing is concerned. Tx in advance
18 Replies
- nitass
Employee
Is this feasible, or will the F5 act like a router and forward the packet internally to the other interface?
sol7595: Overview of IP forwarding virtual servers
https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html
- cmard_195831
Nimbostratus
Hello Nitass, the question I have asked is not treated by the SOL described. On a PC with two adapters (OS is Unix), I configure two different subnets, i.e. two networks. I also connect these two interfaces (adapters on the PC) to a firewall which has rules that allow communication between the two subnets. I want to connect from one subnet to the other. Thus I can communicate from one subnet to the other one either internally or via the firewall (longer path). My packets will always STAY within the PC and never travel from the one subnet to the other via the firewall. Basic routing rules. Is the same functionality inherent on the F5? That's why I am asking if the F5 is an expensive form of a router. Tx BR
- nitass
Employee
I want a packet to travel from the 128.1.1.0 subnet to the 10.1.1.0 subnet VIA the firewalls.
You are talking about traffic from a device in the 128.1.1.0 subnet (not traffic from the bigip itself), aren't you? The default gateway of the device in the 128.1.1.0 subnet is the bigip, isn't it?
You can create a network virtual server (e.g. 10.1.1.0/24) listening on the 128.1.1.0 vlan and use the firewall as a pool. So, when traffic matches the virtual server, it will be sent to the firewall.
- cmard_195831
Nimbostratus
No. I am referring to the configuration ON the F5 of two interfaces, e.g. 1.2 and 1.3. Interface 1.2 will have the IP 128.1.1.1 (belonging to VLAN X), and interface 1.3 will have the IP 10.1.1.1 (belonging to VLAN Y). These two interfaces are connected physically by a firewall, which has the needed rules for communication. I want to configure my F5 so that the packets leaving interface 1.2 go to interface 1.3 VIA the firewall. Question 1) Can this be done, OR will the F5 act as a router and, since it knows that the two subnets belong to the device, do an internal packet transfer without going to the outside world (i.e. via the firewall)? tx Br
- nitass
Employee
1) Can this be done, OR will the F5 act as a router and, since it knows that the two subnets belong to the device, do an internal packet transfer without going to the outside world (i.e. via the firewall)?
If you are talking about traffic that is initiated from the f5 (e.g. on the f5 cli, ping 10.1.1.x), the f5 will use interface 1.3 (not interface 1.2) to send the icmp out.
If you are talking about traffic which is initiated from a device (not the f5) in the 128.1.1.0 subnet, the f5 can be configured to send traffic to the 10.1.1.0 subnet via the firewall, and it can also be configured to send traffic to the 10.1.1.0 subnet internally (not through the firewall).
- cmard_195831
Nimbostratus
Hello Nitass, I am talking about: "if you are talking about traffic which is initiated from device (not f5) in 128.1.1.0 subnet, f5 can be configured to send traffic to 10.1.1.0 subnet via firewall". How can this be done? tx BR
- nitass
Employee
Indeed this is what I mean. Can you pls be more explicit as to how to configure this?
The bigip has 2 vlans: one is external, which is in 172.28.24.0/24, and the other one is v423, which is in 200.200.200.0/24. Virtual server bar is a network virtual server, 200.200.200.0/24, listening on the external vlan. The pool is 172.28.24.254, which is the gateway in the external vlan.
When traffic matches the virtual server bar, it will be forwarded to the gateway. You can check the mac address in tcpdump.
selfip

root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list net self
net self 172.28.24.14/24 {
    address 172.28.24.14/24
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan external
}
net self 200.200.200.14/24 {
    address 200.200.200.14/24
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan v423
}

configuration

root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 200.200.200.0:0
    mask 255.255.255.0
    pool foo
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans {
        external
    }
    vlans-enabled
    vs-index 8
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        172.28.24.254:0 {
            address 172.28.24.254
        }
    }
}

test

[root@ve11c:Active:In Sync] config tcpdump -e -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:42:43.064595 00:50:56:b3:59:8d > 00:50:56:93:16:39, ethertype 802.1Q (0x8100), length 85: vlan 4093, p 0, ethertype IPv4, 172.28.24.1.52133 > 200.200.200.101.80: S 75537079:75537079(0) win 5840 in slot1/tmm1 lis=
17:42:43.064682 00:50:56:93:16:39 > 00:01:e8:d5:d4:47, ethertype 802.1Q (0x8100), length 96: vlan 4093, p 0, ethertype IPv4, 172.28.24.14.52133 > 200.200.200.101.80: S 75537079:75537079(0) win 5840 out slot1/tmm1 lis=/Common/bar

arp

root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) show net arp 172.28.24.254
------------------------------------------------------------------------------------------
Net::Arp
Name           Address        HWaddress          Vlan              Expire-in-sec  Status
------------------------------------------------------------------------------------------
172.28.24.254  172.28.24.254  00:01:e8:d5:d4:47  /Common/external  127            resolved
- cmard_195831
Nimbostratus
Hello Nitass, I will try this out and come back to you for any further clarification. BR
- cmard_195831
Nimbostratus
Hello Nitass, finally the penny dropped as to how the networking on the F5 works. Basically you need to attach a VS to the interface where the initiator traffic is coming in, in order to receive the data, and then the static routing will take care of from which interface and to where the packets will go. tx
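Added here as an illustration, not code from the thread or from F5: a small Python model of the forwarding decision nitass describes. A network virtual server with the gateway as its pool member hands transit traffic to the firewall even though the destination network is directly connected, a pool-less forwarding VS falls back to the routing table, and transit traffic that matches no virtual server is not forwarded at all. The self IPs, VLAN names and pool member come from nitass's lab output; the forwarding VS `VS_FWD` and the two packets are constructed.

```python
# Added model (not F5 code) of the BIG-IP forwarding decision described in the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional

@dataclass
class SelfIP:
    address: str             # e.g. "172.28.24.14/24"
    vlan: str                # e.g. "external"

@dataclass
class NetworkVS:             # a network virtual server such as "bar" in the thread
    destination: str         # e.g. "200.200.200.0/24"
    listen_vlans: frozenset  # vlans-enabled { external }
    pool_member: Optional[str] = None  # the firewall/gateway; None = IP forwarding VS
    snat_automap: bool = False         # source-address-translation { type automap }

@dataclass
class Packet:
    src: str
    dst: str
    ingress_vlan: Optional[str]  # None: traffic initiated by the BIG-IP itself

def connected(self_ips, ip):
    """Self IP whose directly connected network contains ip, else None."""
    return next((s for s in self_ips
                 if ip_address(ip) in ip_interface(s.address).network), None)

def forward(pkt, self_ips, virtuals):
    """Return (next_hop, egress_vlan, source_after_translation), or None if dropped."""
    if pkt.ingress_vlan is None:             # the BIG-IP's own traffic: plain routing
        hop = connected(self_ips, pkt.dst)
        return (pkt.dst, hop.vlan, pkt.src) if hop else None
    for vs in virtuals:                      # transit traffic must match a listener
        if pkt.ingress_vlan in vs.listen_vlans and \
                ip_address(pkt.dst) in ip_network(vs.destination):
            # With a pool the packet goes to the pool member (the firewall) even though
            # the destination is directly connected; without one the routing table decides.
            next_hop = vs.pool_member or pkt.dst
            hop = connected(self_ips, next_hop)
            # translate-address disabled keeps dst; automap rewrites src to the egress self IP.
            src = str(ip_interface(hop.address).ip) if vs.snat_automap else pkt.src
            return (next_hop, hop.vlan, src)
    return None                              # no virtual server matched: not accepted

# Constructed lab mirroring the thread: two VLANs, gateway 172.28.24.254 in the pool.
SELF_IPS = [SelfIP("172.28.24.14/24", "external"), SelfIP("200.200.200.14/24", "v423")]
VS_BAR = NetworkVS("200.200.200.0/24", frozenset({"external"}), "172.28.24.254", True)
VS_FWD = NetworkVS("200.200.200.0/24", frozenset({"external"}))  # hypothetical, no pool
CLIENT = Packet("172.28.24.1", "200.200.200.101", "external")    # device behind the BIG-IP
FROM_F5 = Packet("200.200.200.14", "200.200.200.101", None)       # e.g. ping from the CLI
```

With `VS_BAR`, `forward(CLIENT, ...)` yields the pool member as next hop and the source rewritten to 172.28.24.14, matching the second tcpdump line in the thread; with no virtual server the same packet is not forwarded.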