Forum Discussion

John_Pribula_10
Apr 30, 2012

Multiple inbound gateways connecting to all vlans.

I have done quite a bit of searching in the forums but I haven't quite found an answer to my problem.

In front of the F5 I have multiple gateways sending traffic in different IP blocks. I would like traffic from both of these gateways to access the servers behind the F5 and route out appropriately. I have it working with one external vlan talking to all internal vlans; when I add a second external vlan I cannot route traffic through it to all internal vlans and back out. I have enabled a SNAT from internal to external for every single VIP, but I can't get the route from the F5 to the second vlan to work correctly. I also have self groups set up for each vlan.

Note that I am using v11.1 HF2.

vlan a ----> |       | -----> vlan 1
             |       | -----> vlan 2
             |  F5   | -----> vlan 3
             |       | -----> vlan 4
vlan b ----> |_______| -----> vlan 5

  • Hamish
    Mmm... Absent a good diagram, the description sounds fine. Not sure why you're bothering with SNAT... auto last-hop would take care of ensuring the return traffic passes via the correct external VLAN without SNATing.

    H
  • It seems to attempt to route out of vlan a with or without SNAT. I should note that a default route is in place using vlan a's gateway with destination 0.0.0.0 netmask 0.0.0.0; if that is the cause of the problem I will feel especially dumb.
  • Removing the SNATs did nothing.

    Removing the default route seems to break all routing.

  • I'm attaching a better diagram; note that the external vlans use our publicly routable address space, not 192.168.

    To summarize: currently vlan a is the active external vlan, and a default route is in place with destination and netmask of 0.0.0.0 using vlan a's gateway.

    All internal vlans are routed through the F5s, and all servers are using the F5's self IPs as their gateway address.

    SNATs are in place to force any outbound traffic from internal servers through the correct VIP.

    When adding vlan b to the mix I cannot get traffic to route in and out of addresses in the vlan b address space.

    If I remove the default route and rely on auto last hop, all traffic flow seems broken.

    I cannot segregate the internal vlans using a route domain, as we have a mish-mash of them and may need to route out of either of the external address spaces depending on use case.


  • Hamish
    Big vlans...

    Anyway. You can actually do this without a default route... or with one, depending on how you configure the VSs used to pass traffic through. Remember that the LTM is a proxy, not a router. So where traffic flows depends entirely on the VSs that match the traffic.

    Assuming that we don't have a firewall or anything that needs to pass inter-vlan traffic (keeps it a bit simpler than otherwise), we have 5 vlans and 5 routes to directly attached networks.

    Therefore we have 3 network VSs that are used to pass traffic to the server vlans: one each for 10.48.0.0/16, 10.9.0.0/16 and 10.14.0.0/16. Each is of type forwarding and available (by default) on all vlans. As traffic coming into the LTM matches the VSs, the traffic is then 'forwarded' to the target vlan. Because we have auto last-hop enabled by default, it doesn't matter whether traffic came in via vlan a or vlan b. It'll pass BACK through the same MAC address that forwarded it TO the LTM.

    Now for traffic OUTBOUND from the server VLANs to anywhere else. You have the choice of

    A. Using a default route via one of the VLANs

    B. Using one or more pools consisting of the router addresses off vlan A or vlan B to your destinations.

    If using A then we can actually shortcut the 3 VSs set up above, and have a SINGLE default (0.0.0.0/0) network VS of type forwarding. It'll just follow the routing table.

    If using B, then we can take the original 3 VSs and add a new one (or ones) of type standard. Disable IP and port translation, set the destination IP and mask to whatever the destination is, and add the pool as the default. Traffic will be 'forwarded' to the pool members just like a router would. That lets you decide, with an address/mask, to route via either vlan A or vlan B.

    You can make this as simple (one VS and routing table entries) or complex (multiple network VSs with iRules and pools) as you like.

    H

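The layout Hamish describes, written out as tmsh configuration. This is an added example, not configuration posted in the thread and not F5 documentation; the VLAN names (vlan_a, vlan_b, vlan_1..vlan_5), the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 standing in for the poster's public space, the router addresses ending in .1, and the 192.0.2.0/24 "partner" destination are all assumptions. The three server /16s are the ones Hamish names. Steps 4a and 4b are alternatives; apply one or the other, not both.

```tmsh
# Added example (not from the thread). Assumed names and addresses:
#   vlan_a = 203.0.113.0/24 (router 203.0.113.1), vlan_b = 198.51.100.0/24 (router 198.51.100.1)
#   vlan_1 = 10.48.0.0/16, vlan_2 = 10.9.0.0/16, vlan_3 = 10.14.0.0/16
# tmsh syntax as used on BIG-IP v11.x.

# 1. A self IP on every VLAN (HA floating IPs omitted for brevity).
create net self self_vlan_a address 203.0.113.10/24 vlan vlan_a allow-service none
create net self self_vlan_b address 198.51.100.10/24 vlan vlan_b allow-service none
create net self self_vlan_1 address 10.48.0.1/16 vlan vlan_1 allow-service none
create net self self_vlan_2 address 10.9.0.1/16 vlan vlan_2 allow-service none
create net self self_vlan_3 address 10.14.0.1/16 vlan vlan_3 allow-service none

# 2. Auto last hop is enabled by default; confirm it rather than assume it.
list sys db connection.autolasthop

# 3. Inbound: one forwarding (IP) virtual server per server network, restricted
#    to the two external VLANs so these objects never catch server-to-server
#    traffic (a VS listens on all VLANs unless told otherwise). Return packets
#    for any flow that arrived here leave via the ingress MAC (auto last hop),
#    whichever external VLAN that was.
create ltm virtual fwd_10.48 destination 10.48.0.0:0 mask 255.255.0.0 ip-protocol any ip-forward profiles add { fastL4 } vlans add { vlan_a vlan_b } vlans-enabled
create ltm virtual fwd_10.9 destination 10.9.0.0:0 mask 255.255.0.0 ip-protocol any ip-forward profiles add { fastL4 } vlans add { vlan_a vlan_b } vlans-enabled
create ltm virtual fwd_10.14 destination 10.14.0.0:0 mask 255.255.0.0 ip-protocol any ip-forward profiles add { fastL4 } vlans add { vlan_a vlan_b } vlans-enabled

# 4a. Outbound, option A: a default route plus a catch-all forwarding VS on the
#     server VLANs. Server-INITIATED traffic always leaves via vlan_a; replies
#     to inbound flows are unaffected because auto last hop wins over the route.
create net route default network 0.0.0.0/0 gw 203.0.113.1
create ltm virtual fwd_default destination 0.0.0.0:0 mask 0.0.0.0 ip-protocol any ip-forward profiles add { fastL4 } vlans add { vlan_1 vlan_2 vlan_3 vlan_4 vlan_5 } vlans-enabled

# 4b. Outbound, option B: pick the egress router per destination. A standard VS
#     with address and port translation disabled hands the packet to a pool
#     member unchanged, so a pool of router addresses acts as a next hop.
#     The more specific destination wins, so 192.0.2.0/24 goes out vlan_b and
#     everything else out vlan_a, with no default route needed.
create ltm pool pool_router_a members add { 203.0.113.1:0 } monitor gateway_icmp
create ltm pool pool_router_b members add { 198.51.100.1:0 } monitor gateway_icmp
create ltm virtual out_via_b destination 192.0.2.0:0 mask 255.255.255.0 ip-protocol any profiles add { fastL4 } translate-address disabled translate-port disabled pool pool_router_b vlans add { vlan_1 vlan_2 vlan_3 vlan_4 vlan_5 } vlans-enabled
create ltm virtual out_via_a destination 0.0.0.0:0 mask 0.0.0.0 ip-protocol any profiles add { fastL4 } translate-address disabled translate-port disabled pool pool_router_a vlans add { vlan_1 vlan_2 vlan_3 vlan_4 vlan_5 } vlans-enabled

# 5. Checks: per-flow properties (including the virtual server matched and the
#    recorded last hop) and the routing table the box itself will use.
show sys connection all-properties
show net route
```

Two caveats worth keeping in mind while testing this. First, every object above only affects traffic that passes through the BIG-IP; packets the box originates itself (a traceroute or ping run from tmsh or the bash shell) never match a virtual server and are not subject to auto last hop, so they follow `show net route` alone. Second, adding a self IP on a VLAN installs a connected route for that subnet, so self-originated traffic to that subnet is then sent directly onto that VLAN rather than via the default gateway; if the test target is reachable only through the vlan_a router, it will look as if adding the self IP "broke" reachability even though the forwarding path for proxied traffic is fine.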
  • I'm still having issues with this config, so I went back to the basics. When I only have vlan a external I can traceroute from the LTM itself out to anything, including addresses in the vlan b space; when I add self IPs in the vlan b space the LTM can no longer traceroute to anything in that space.