Is this possible with a single LTM?

I'm a bit lost by the description. Could you create a simple network diagram describing the scenario which includes sample IP addresses?

 

 

Thanks, Aaron

Here is the drawing. The server (appliance on the drawing) has 2 interfaces. Traffic from the clients always enter through int1 and gets out through int 2.

 

 

The appliance takes action based on a scenario and might send the traffic to intranet or internet resources but the return traffic from these resources has to come back to int2 and routed through int1 and should go through LTM before getting to the client.

 

 

I do not know if I really need a VIP for the int2 side but I created one any way. The vendor says the appliance does not do any NAT and retains the original source IP. I have not really understood how this will work with a single appliance without BigIP for the return traffic to come through int2 without directly going through the client.

 

 

Meena

 

 

I found more information and a sample configuration using Cisco CSM. The bottom line is the VIP for int1 ans int2 needs to be on separate subnets. I looked at virtual partitions on BigIP and as far as I can tell, it is only for administration level partition.

 

 

Is it possible with a single pair of LTM to have VIPs in 2 different subnets?

 

 

Meena

 

Hi Meena,

 

 

The diagram didn't get attached to your post. But in general, you can configure a single host VIP on multiple VLANs or many VIPs on many VLANs. You can also create a wildcard VIP (0.0.0.0/0.0.0.0 port 0) and enable it on one or more VLANs.

 

 

Does that answer your question? If not, can you try attaching the diagram once more?

 

 

Aaron

You don't need a second VS (You do mean Virtual Server when you say VIP right? Because a VS is a combination of IP and port - but the port could also be 0 == any) if I understand your configuration correctly. The only VS that is used in this scenario is the client -> service. Because the int2 interface is used by the appliances to communicate with their resources, and according to your diagram that traffic doesn't traverse the F5's at all.

 

 

Return traffic from the servers (appliance) will be matched by the F5 with the connection table entry and be routed back to the correct client (Just think of the F5 as a proxy with a bit of clever NAT'ing to fool the endpoints into thinking there's nothing there).

 

 

A VS will accept inbound traffic on any of the VLAN's configured on the F5 (By default). You can also limit the VLAN's that a VS will accept traffic on if you want to (The 'enabled on' option of a VS).

 

 

H

Thank you for your response Hamish.

 

 

I am testing this in the lab.

 

 

I added two appliances behind F5 and created a VS for the int1 side.

 

 

I configured automap for SNAT. I tried to use the DNS ( an intranet resource) for testing. The client traffic hit the VS and was sent to appliance1. The source IP became the selfIP of that vlan on LTM. When the traffic got routed to the DNS server through int2, DNS server sent the response bypassing the int2 side of the appliance

 

 

This is what is happening.

 

 

client (10.27.9.16) -> VS 10.10.31.116

 

 

SNAT automap is configured on the VS.

 

 

Now the source becomes the selfIP which is 10.22.232.5

 

 

Appliance forwards the traffic to the DNS server 10.22.238.101 through the int2 interface,

 

Source is still the self IP of 10.22.232.5

 

 

When DNS server sends the response, it directly sends it to the self IP through its default gateway which is a router.

 

 

I have to somehow force the traffic to come back through int2 of the appliance. I tried different SNATs but could not get the traffic come back to int2.

 

 

Is this possible with SNAT?

 

 

Meena

 

 

I used the idea from this following post

 

 

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/afv/topic/aft/22639/aff/31/showtab/groupforums/Default.aspx38402

 

 

and it seems to be working. I have not finished my testing but seems like it would work.

 

 

Meena