For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

nineheadbird_67's avatar
nineheadbird_67
Icon for Nimbostratus rankNimbostratus
Nov 11, 2009

multiple subnets within a vlan not allowed?

We have 6900 LTM connected to Cisco router, on cisco end, there are four subnets on interface vlan 299(see below). Tagged interface 299 from cisco to F5 configured as vlan external on F5, and there are four subnets configured(through self-ip) on the F5 corresponding to the four subnets on Cisco router interface.

 

 

I was told by

 

F5 support multiple subnets within same vlan is not allowed, is that true? I didn't get any error when configure self IPs from different subnets to the same vlan. I would appreciate a lot if experts on this list can clarify this.

 

 

Here is cisco side config:

 

 

interface Vlan299

 

description Vlan299

 

ip address 10.79.1.253 255.255.255.0 secondary

 

ip address 10.79.0.253 255.255.255.0 secondary

 

ip address 192.168.0.253 255.255.255.0 secondary

 

ip address 192.168.1.253 255.255.255.0

 

ip access-group VLAN-299-OUT out

 

...

 

standby version 2

 

standby 127 ip 192.168.1.254

 

standby 127 ip 10.79.0.254 secondary

 

standby 127 ip 10.79.1.254 secondary

 

standby 127 ip 192.168.0.254 secondary

 

 

 

 

Here is F5 self IP config:

 

 

self 10.79.0.248 {

 

netmask 255.255.255.0

 

vlan external

 

allow default

 

}

 

self 10.79.1.248 {

 

netmask 255.255.255.0

 

vlan external

 

allow default

 

}

 

self 192.168.0.248 {

 

netmask 255.255.255.0

 

vlan external

 

allow default

 

}

 

self 192.168.1.248 {

 

netmask 255.255.255.0

 

vlan external

 

allow default

 

}

 

 

 

config
design

14 Replies

Show More
  • Wintrode_61162's avatar
    Wintrode_61162
    Icon for Nimbostratus rankNimbostratus
    Aug 04, 2011
    This works, having multiple subnets per VLAN. It's just as easy as adding a self IP on the other subnet and putting it in the vlan.

     

     

    Boomchke, I know this is bad joo-joo from an architecture standpoint, but it's not my decision and beyond my control. I think it is this way as a result of trying to migrate from one addressing scheme to another....but the old one never went away...lucky me.
  • boomchke_11156's avatar
    boomchke_11156
    Icon for Nimbostratus rankNimbostratus
    Aug 04, 2011
    Wintrode, I hear you. Lots of times its not your call, just thought I'd bring it up.
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Aug 04, 2011
    Just to confirm behavior, I have two self IPs on one vlan (config below): 

    
net self 10.79.1.1 {
    address 10.79.1.1/24
    vlan vlan_1
}
net self 10.79.2.1 {
    address 10.79.2.1/24
    vlan vlan_1
}

    Results:

    [root@golgotha:Active] backups ping 10.79.1.1

    PING 10.79.1.1 (10.79.1.1) 56(84) bytes of data.

    64 bytes from 10.79.1.1: icmp_seq=1 ttl=64 time=0.069 ms

    64 bytes from 10.79.1.1: icmp_seq=2 ttl=64 time=0.038 ms

    --- 10.79.1.1 ping statistics ---

    2 packets transmitted, 2 received, 0% packet loss, time 1000ms

    rtt min/avg/max/mdev = 0.038/0.053/0.069/0.017 ms

    [root@golgotha:Active] backups ping 10.79.2.1

    PING 10.79.2.1 (10.79.2.1) 56(84) bytes of data.

    64 bytes from 10.79.2.1: icmp_seq=1 ttl=64 time=0.043 ms

    64 bytes from 10.79.2.1: icmp_seq=2 ttl=64 time=0.028 ms

    --- 10.79.2.1 ping statistics ---

    2 packets transmitted, 2 received, 0% packet loss, time 1000ms

    rtt min/avg/max/mdev = 0.028/0.035/0.043/0.009 ms
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Aug 04, 2011
    Really useful for migration / expansion, but not recommended for long-term use.