Forum Discussion
JCMATTOS_41723
Nimbostratus
NimbostratusLoadbalancing Two Environments Internal/External?
Hello all, we just got a pair of new 8400's 9.x and we are trying to consolidate our 2 CSM loadbalancing environments Internal/External on this new LTM platform. We have a total of 16 vlans and subnets on this box (4 VIPS/RIPS each external & 4 VIPS/RIPS each Internal respectively). On the external we are hanging off of several DMZ's on our FWSM and used as one gateway. On the internal we are using our core MSFC as our other gateway. The Servers are not able to initiate connections from behind the loadbalancer to talk to our DNS servers internally. I then realized that I have routes to consider, but are wondering how will I be able to route to multiple gateways (FWSM or MSFC) based on source IP or network? For example if a server initiates a connection in the Prod-External (10.1.24.100) it's gateway will always be FWSM (10.1.22.1) respective to its VIP. Not sure where to begin, hope this makes sense or if theres an easier way to accomplish this??? Please Help!
EXTERNAL:
Prod-External
VIP 10.1.22.0/23 => Gateway 10.1.22.1 (FWSM)
RIP 10.1.24.0/23
UAT-External
VIP 10.1.32.0/23 => Gateway 10.1.32.1 (FWSM)
RIP 10.1.34.0/23
QA-External
VIP 10.1.42.0/23 => Gateway 10.1.42.1 (FWSM)
RIP 10.1.44.0/23
DEV-External
VIP 10.1.52.0/23 => Gateway 10.1.52.1 (FWSM)
RIP 10.1.54.0/23
INTERNAL:
Prod-Internal
VIP 172.16.22.0/23 => Gateway 172.16.22.1 (MSFC)
RIP 172.16.24.0/23
UAT-Internal
VIP 172.16.32.0/23 => Gateway 172.16.32.1 (MSFC)
RIP 172.16.34.0/23
QA-Internal
VIP 172.16.42.0/23 => Gateway 172.16.42.1 (MSFC)
RIP 172.16.44.0/23
DEV-Internal
VIP 172.16.52.0/23 => Gateway 172.16.52.1 (MSFC)
RIP 172.16.54.0/23
- JRahm
Admin
Consider this thread and post back with your questions:
http://devcentral.f5.com/default.aspx?tabid=53&forumid=5&postid=7784&view=topic Click here 
JCMATTOS_41723Thx Citizen! I saw that posting earlier, but if im not doing SNAT can I still use this script to potentially create 8 different gateways, sourcing from 8 different source addresses? Not sure how to get started, sorry for being new to the whole irules thing?
class snat_gw {
"snat_IP1 gw_IP1"
"snat_IP2 gw_IP2"
"snat_IP3 gw_IP3"
"........ ......"
"snat_IP12 gw_IP12"
}
when CLIENT_ACCEPTED {
set my_gw [findclass [IP::client_addr] $::snat_gw " "]
if { $my_gw ne "" } {
node $my_gw
} else { discard }
}- JRahmyeah, those snat refs can just as easily be the source subnets...
You could do some string manipulation on the client_addr so that you could utilize a single class, otherwise you'll need something a little more sophisticated like Hoolio's suggestion in this post:
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=1637616376 Click here - JCMATTOS_41723Awesome! Does this irule look good citizen? And do I still need a class statement or Data group list for this? Just to confirm I just apply this irule to a wildcard virtual server to all ports and lock down the vlans to inside vlans only? I'm trying to do everything thru the GUI not much of CLI guy...Thx a bunch!
when CLIENT_ACCEPTED {
if { [IP::addr [IP::remote_addr] equals "10.0.24.0/23"] ne 0} {node 10.0.22.1}
elseif { [IP::addr [IP::remote_addr] equals "10.0.34.0/23"] ne 0} {node 10.0.32.1}
elseif { [IP::addr [IP::remote_addr] equals "10.0.44.0/23"] ne 0} {node 10.0.42.1}
elseif { [IP::addr [IP::remote_addr] equals "10.0.54.0/23"] ne 0} {node 10.0.52.1}
elseif { [IP::addr [IP::remote_addr] equals "172.24.24.0/23"] ne 0} {node 172.24.22.1}
elseif { [IP::addr [IP::remote_addr] equals "172.24.34.0/23"] ne 0} {node 172.24.32.1}
elseif { [IP::addr [IP::remote_addr] equals "172.24.44.0/23"] ne 0} {node 172.24.42.1}
elseif { [IP::addr [IP::remote_addr] equals "172.24.54.0/23"] ne 0} {node 172.24.52.1}
else { discard }
} - JCMATTOS_41723Thx Citizen it looks like it worked! However, now I am not able to ping the loadbalanced servers from the rest of the network? How do I still continue to gain all port access to the servers directly from the anywhere? Is there something Im missing? Please Help!
- JRahmDo you have virtual forwarders enabled for those server networks? When you applied the wildcard 0.0.0.0/0 against internal vlans only, the external vlan's are no longer able to access them directly.
- JCMATTOS_41723I did add all the external vlans to that wildcard vserver, but still no luck? So I tried creating a new vserver with a network specific address w/ any ports and lock down to that VIP vlan and it worked!
vserver = VIP-PROD-DMZ
network ip = 10.1.24.0/23
port = any
vlan = specific vlan to reals RIP-PROD-DMZ
The only thing is I have to create one for each external access vlan? Is there a simpler way to acheive the same thing? - JRahmTough to say without having a clearer picture of your architecture. I personally specify all traffic flowing in/out of the box except for one passthru vlan that has a wildcard for destinations. It being in the DMZ makes me a little leary of permit all configurations
