Forum Discussion
yeser
Nimbostratus
Dec 05, 2008
Is it possible to rewrite mac address?
Hi,
I have this deployment in my customer's network
Internal client sends a request to a server without going through BIG IP (It might be in this way). Default route of this server is BIG IP self ip.
Server response obviously goes through BIG IP via VS_FORWARDING, but BIG IP forwards the response to the fw with its MAC address and the fw detects it as IP SPOOFING. Is it possible for BIG IP to send the response with the client MAC address?
Thanks in advance
29 Replies
- nitass
Employee
sorry i could not catch you.
- Hamish
Cirrocumulus
You want to use the BigIP as the router? In that case you're probably better off having the network between server & f5 on a different subnet from the network between the f5 and the real router.
H
- Spidey_29396
Nimbostratus
Hi Nitass/Hamish, I attached a simple diagram of their setup. Original setup, the core router is the gateway of all the servers and we are using SNAT at VIP to return traffic to F5. The server admin needs to monitor the source ip of the clients connecting to server. We have to eliminate SNAT and make the F5 Self IP as gateway. After changing the gateway of servers to F5 self IP, the servers were not reachable from client but reachable from F5. As per client, need to enable proxy arp in F5 to relay mac-addresses of servers to core router. Thanks!
- nitass
Employee
> After changing the gateway of servers to F5 self IP, the servers were not reachable from client but reachable from F5.
it works with external client (one which is not in same subnet as the bigip/server), doesn't it?
> As per client, need to enable proxy arp in F5 to relay mac-addresses of servers to core router.
why does the core router need to see the server mac address?
- Spidey_29396
Nimbostratus
Hi Nitass,
External Client can't access the server itself for management purposes.
As per Net Admin, F5 need to relay mac-addresses of servers in order so that servers can be reachable from external clients.
- nitass
Employee
why won't you create another virtual server on bigip for the server management traffic?
- Spidey_29396
Nimbostratus
Hi Nitass,
I tried to create any:any virtual server with IP forwarding type but didn't work.
- nitass
Employee
> I tried to create any:any virtual server with IP forwarding type but didn't work.
i guess bigip is deployed as one-armed. so, i think any virtual won't work. have you tried specific virtual server (ip or port)?
- Spidey_29396
Nimbostratus
yes, it is one-armed. We never tried yet. This is a DNS farm and Virtual IP:202.126.41.5:53 is working well. but the problem is the server's IP were not reachable.