For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nfordhk_66801's avatar
Nfordhk_66801
Icon for Nimbostratus rankNimbostratus
Sep 04, 2014

LTM Design - BIGIP on a Stick

Hi,   We are having some weird routing issues I'm hoping you all can help with our design.   We have two F5's (5000) in a redundant pair. Each of the F5's has one internal and one external lin...
application delivery
BIG-IP
design
LTM
svi
What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
Sep 04, 2014

An F5 is a deny by default device, hence your need for the 'routing' VIP which I assume allowed you to manage the servers 'behind' the F5 from somewhere else on the network.

You obviously need at least one SVI on your core to allow traffic to be routed to the F5 via the external VLAN.

What routing have you setup within LTM.

I don't see why you would have issues with the server connectivity from a application perspective:

Client > network device > Core SVI > F5 external floating IP > server on internal VLAN
  • This would require the core to route your VS range to the F5 (and perhaps the 'real server ranges' for your other (management?) traffic
  • The F5 would need a default route back to the core
  • The servers would need a default route back to the F5 internal floating IP

The 'routing' Virtual would be required only for traffic not handled by a Virtual Server or S/NAT - in other words, outbound server traffic for patches, inbound management traffic etc.

Hope this makes some sense.