Forum Discussion
TMcGov_92811
Nimbostratus
May 15, 2014
LTM Routing - How to bypass a directly connected interface
I have a scenario in which my LTM is the default gateway for all hosts on VLAN10. The LTM also has a directly connected interface in VLAN20. However, hosts in VLAN20 do not use the LTM as the gateway...
DuaneP_25052
Nimbostratus
May 16, 2014
Tom,
I just solved for a similar issue in my environment. I added the below iRule, like Tom suggested, to my Forwarding IP virtual server (also below) that sends traffic out of the private VLAN (your VLAN10). I used the IP instead of the MAC for nexthop since the default gateway of my LTM is an HSRP router pair. This PBR (policy-based routing) iRule was the best answer for us because I have about 7 directly connected VLANs. These are used for 2-arm SNAT configurations to servers that exist on routed subnets that most of our LB traffic uses. Now tcpdumps show my traffic flows entering/leaving my private VLAN symmetrically and using the routed network even for directly connected VLANs.
My private VLAN is only used when my application guys MUST have the clients' true IP. It is not part of my routed network. To allow for management and non-load-balanced traffic I am distributing a static route to this VLAN from the same routers that the LTM uses as its default gateway. This worked fine until a private VLAN host needed to talk to a locally connected VLAN or the traffic flow crossed a firewall. My forwarding VS is only listening on the private VLAN and has the private VLAN's source subnet defined, so it will only apply to traffic leaving hosts in that VLAN.
Forwarding IP VS (tmsh configuration; {Private-LAN} is a placeholder for the private VLAN name):
ltm virtual vsfwd_LTM-ServerLAN_out {
    description "Wildcard virtual server to allow LTM-ServerLAN traffic out to routed network"
    destination 0.0.0.0:any          # wildcard destination: matches every outbound flow
    ip-forward                       # forward packets instead of load balancing to a pool
    mask any
    profiles {
        pr_LTM-ServerLAN_out_fastL4 { }   # custom FastL4 profile
    }
    rules {
        ir_routed-traffic-nexthop    # the PBR iRule below
    }
    source 10.1.1.0/24               # only flows sourced from the private VLAN subnet
    source-port preserve-strict
    translate-address disabled       # no NAT: destination address passes through unchanged
    translate-port disabled
    vlans {
        {Private-LAN}                # placeholder: listen only on the private VLAN
    }
    vlans-enabled
    vs-index 30
}
iRule ({external VLAN with gateway} is a placeholder for the VLAN name on which the HSRP gateway lives):
ltm rule ir_routed-traffic-nexthop {
    when CLIENT_ACCEPTED {
        # Only flows from the private VLAN subnet get the policy route
        if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
            # Send the flow to the HSRP gateway IP on the external VLAN,
            # bypassing the directly connected route for the destination VLAN
            nexthop {external VLAN with gateway} 10.2.2.1
        }
    }
}
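The iRule above forces every flow from 10.1.1.0/24 to the HSRP gateway, whatever its destination. The following added example, which is not part of DuaneP's post or of any F5-supplied code, shows a variant that applies the override only to destinations on the LTM's directly connected VLANs (the case that actually breaks symmetry in the scenario described) and logs each override so it can be checked against tcpdump. It assumes a data group named dg_directly_connected_subnets, an external VLAN named external, a gateway of 10.2.2.1, and the same source-restricted forwarding virtual server as above; all of these names and addresses are assumptions for the example.

```tcl
# Added example, not from the original post. Assumed objects:
#   - data group dg_directly_connected_subnets (type ip) holding the subnets
#     of the VLANs the LTM is directly connected to; constructed for the example:
#       ltm data-group internal dg_directly_connected_subnets {
#           records { 10.3.3.0/24 { } 10.4.4.0/24 { } }
#           type ip
#       }
#   - external VLAN named "external" with the HSRP gateway 10.2.2.1
#   - attached to a forwarding VS restricted to source 10.1.1.0/24 on the private VLAN
ltm rule ir_routed-traffic-nexthop-dc {
    when CLIENT_ACCEPTED {
        # The VS already filters on source, but keep the check so the rule stays
        # safe if it is ever attached to a less restrictive forwarding VS.
        if { ![IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
            return
        }
        # IP::local_addr on a wildcard forwarding VS is the packet's original
        # destination. Flows to a non-connected subnet already leave via the
        # default route, so only directly connected destinations need the override.
        if { [class match [IP::local_addr] equals dg_directly_connected_subnets] } {
            log local0.info "PBR override: [IP::client_addr] -> [IP::local_addr] via external gw 10.2.2.1"
            nexthop external 10.2.2.1
        }
    }
}
```

With this variant the routing table decides for everything that is not directly connected, and the /var/log/ltm entries line up one-to-one with the flows that should appear on the external VLAN in tcpdump. Because the nexthop is given as an IP rather than a MAC, the LTM resolves it with ARP on the named VLAN, which is what makes the HSRP virtual address usable here.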