Forum Discussion
flitz_29934
Nimbostratus
NimbostratusLTM : virtual server in different subnet than a vlan --> possible
Hi everybody,
I'm not able to test it in short term so I'm wondering if the following design can work ?
I would like to know if the Virutal Server (VS) can be set in a subnet not known by the F5, I mean in a subnet not associated to a vlan. To be more clear, see the example below.
- create a vlan "link" + self-IP : 10.1.1.1/30 associated to the vlan "link". This "link" is used to connect the LTM to a router in the network. So a route to the LTM is possible through this vlan.
- create a VS : 192.168.1.1/32. As you can see this VS is not in the vlan previously defined. So it is a single IP only known internal to the LTM.
Could the design work ? Is it possible or must the VS in a defined vlan ?
If I configure a static route on the router saying that 192.168.1.1 can be reached by 10.1.1.1, could it work ? Does the LTM automatically consider the VS ?
Thank you in advance
best regards
Jonathan_ScholiCirrostratus
Yes, as long as the LTM can reach the remote server through the default route, it shouldn't be a problem, you just need to use a SNAT pool so that the server knows to send responses to the LTM.
Documentation is here: http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aff/31/aft/1178682/afv/post/showtab/groupforums/Default.aspx
David_24361Hi Jonathan, I am in the same situation as flitz, really need some help. I tried to access the link you posted, but the link does not work. Do you have another link?
And what do you mean by default route, do I have to add default from on the LTM? RIght now i don't have any route configurations on my LTM.
I am using used snat pool combined with iRule, and applied on the virtual server but still doesn't work, even the packets are now looping between the F5 and the router in front of it and it causes "Inet port exhaustion on 10.30.10.47 to 10.40.0.1:3128 (proto 6)" error.
thank you in advance,
dave- Jonathan_ScholiSorry about the link, try this: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_snat.html1200756
On the left hand side of the configuration window, under Network, there is a Routes section. I would expect you would have a route here.
I'm guessing you need to add more IP addresses to your SNAT pool, or your idle timeout is set too high, that can cause the "Inet port exhaustion" message. - Jonathan_ScholiCould you describe what you mean by the packets are looping? What are you seeing?
- David_24361Hi jonathan, thanks for your reply :)
So the situation is like this:
Router 1 (10.3.11.66) -----------|
* |--------------- bigip1 (10.3.11.71)
* HSRP (10.3.11.65) |
* | floating ip 1 (10.3.11.73)
* | floating ip 2 (10.3.11.74)
Router 2 (10.3.11.67) -----------| add virtual server 10.4.0.10:8080
* |
* |---------------bigip2 (10.3.11.72)
* |
on the bigip bigip1 and bigip2 (both of the bigips are synced), I add the virtual server 10.4.0.10 (it is outside of the subnet range 10.3.11.x)
on the router 1, i put ip route 10.4.0.10/32 next-hop it floating ip 1 (10.3.11.73)
on the router 2, i put ip route 10.4.0.10/32 next-hop it floating ip 2 (10.3.11.74)
we have nothing configured on the Routes section on the bigips. However, we put on the virtual server 10.4.0.10:8080, on the Last Hop Pool setting, a pool containing 10.3.11.65:0 as member.
I suspect the packet is looped between the routers and the bigips. when i run a trace from some cloud before the routers, it indicates the packets from the routers is being forwarded to bigips. but from bigips, the packet is returned back to the routers, and so on until i got this error:
Tue May 3 01:13:03 WIT 2011 local/tmm crit tmm[2483] 01010201 Inet port exhaustion on 10.3.11.74 to 10.4.0.10:3128 (proto 6)
Tue May 3 01:13:03 WIT 2011 local/tmm info tmm[2483] 01010201 Per-invocation log rate exceeded; throttling.
Tue May 3 01:13:05 WIT 2011 local/tmm1 info tmm1[2484] 01010201 Resuming log processing at this invocation; held 50 messages.
for the snat pool setting, we are using the snat pool of these members: 10.3.11.43 and 10.3.11.74. the snat pool is being applied to the virtual server using an irule like this:
when CLIENT_ACCEPTED {
set local_nets 0
if { [class match [IP::local_addr] equals local_networks] }{
set local_nets 1
} else {
set local_nets 0
}
snatpool snat-Pool-to-Mobile
if { $local_nets equals 0 } { pool mobile_pool }
}
pool mobile_pool contains 10.3.11.65:0
I also tried to change the snat pool settings, but I got this error in return:
Tue May 3 03:03:57 WIT 2011 local/tmm warning tmm[2483] 01190004 address conflict detected for 10.3.11.74 (00:01:d7:be:f4:05) on vlan 4000
Tue May 3 03:03:57 WIT 2011 local/tmm warning tmm[2483] 01190004 address conflict detected for 10.3.11.74 (00:01:d7:be:f4:05) on vlan 4000
ok Jonathan, i hope this can get you a brief overview about the problem we have, thanks a lot, really hope u can help us :)
thanks,
David - Jonathan_ScholiAre your pool members getting traffic when you access 10.4.0.10:8080?
- David_24361yes jonathan, but just small amount of traffic. i suspect maybe it had been blocked by the loop :(
- Jonathan_ScholiI'm wondering if there is a way you could make this a more standard setup by putting the virtual server on a VLAN managed by the BigIP? It sounds like you have control of the router, so maybe you could try something like a NAT from 10.4.0.10 to an address on the VLAN managed by the BigIP.
L4L7_53191This is a long thread and I've not read it all. But if I understood the original use case correctly, you can do this.
Moreover, it can be a super powerful design pattern depending upon your goals. I wouldn't go so far as to say that it should be a best practice, but it's an absolutely killer solution for certain environments, and some large shops have things setup this way.
So here's the short story: A VIP address doesn't really have to be 'owned' by the BigIP; that is, it doesn't have to be mapped to the same network(s) as the self IPs. Moreover, the VIP address space need not exist anywhere but on the BigIP itself. For example (and this is JUST an example) think about it like this:
A Self IP lives on 192.168.1.x/24, and this is a real network with other devices. They arp, send packets, etc. like a network device should. But let's say you want to carve out some new address space for your virtual servers:
---> Virtual server space "A" lives on some other network totally, say 10.1.1.x/24 <== This is 'fake', i.e. it doesn't really exist anywhere on your network.
---> Another virtual server space, "B" lives on 10.2.2.x/24 <== ditto.
So here's the trick: 10.1.1.x and 10.2.2.x only live on the BigIP, and arp is disabled. To get it to work, just forward traffic to this address space by pointing your routes to the floating self IP on 192.168.1.x. The BigIP will handle the rest from there and your flows will work.
There's a bit more to it than this, but the short answer is that you can absolutely have made-up virtual server addresses on the BigIP and forward traffic to it at L3. One benefit of doing this is that you're now going to issue GARPs on only the 'real' networks - that is, the self-ip vlans. This can help fail over scenarios in some situations, among other things...
Good luck!
-Matt- David_24361yes jonathan, i also have 10.3.11.75:8080 as virtual server also. if i don't enable 10.4.0.10:8080, the 10.3.11.75:8080 can work properly. but if i enable 10.4.0.10:8080 and flow the traffic from the router, it can work for few seconds than hangs. 10.3.11.75:8080 can work again if i restore the config. Or I don't have to restore the config, but stop the flow.
My colleague (from other company) takes control of the router. I cannot do NAT there, because the bigip will be handling A LOT of traffic. If I do NAT on the router, I'm afraid it will hang also even in normal traffic condition. That's why the client are letting the bigip handling the NAT.