Forum Discussion

Joe_Scibilia_45
Apr 06, 2009

Multiple VLANs and routing

Hi,

I'm pretty new to this forum and I hope my question doesn't violate the intent of it. I have seen other discussion on configuring the LTM to support multiple VLANs and I know there are some folks out there who seem to know this stuff inside out, so I thought I'd post my specific config (see figure) and see what feedback I can elicit.

I have 3 vlans configured on my LTM. The app I'm working with is MS OCS 2007, so I have edge servers with interfaces in 2 vlans/subnets and pool front-ends and directors with interfaces in a third vlan. All traffic that crosses vlans needs to go through a router/fw interface. The diagram is somewhat simplified as it doesn't show the second LTM (for failover) and only shows a representative number of virtual servers/pools. And the addresses are notional; all my address space is publicly routable.

The members of all my pools are in the same subnet/vlan as the virtual server they support. The virtual servers are configured to answer on (bound to) just the VLAN that their address is on.

The DMZ-OUT vlan on the LTM has SNAT turned off, but the other two vlans have it on. My DMZ (edge) servers are configured to use the LTM DMZ-OUT IP as their gateway, and the LTM has a forwarding VS configured on the DMZ-OUT VLAN. The edge servers also have static routes for my internal networks pointing to the interior router/firewall.

The pool members in the enclave point to the router interface as their default gateway.

Right now I am more or less operational, but have a few issues and I'm trying to rule out a misconfiguration of my LTM(s). I have a high degree of latency from some of my external users and am wondering if it could be a routing loop issue. I've also had to disable one of my AV edge servers - if both are up and being load balanced my video quality suffers - but when either one is the sole pool member, things are ok. And I can load balance between 2 Access edge servers with no perceived performance issue.

Anyway, thanks to anyone who takes the time to read through this whole posting!

- Joe
  • Joe,

    I'm guessing that since you are using SNATs you don't need to maintain source address information at layer 3. Correct?

    If that is the case, you can configure the VSs with pool members in the same network as the VS itself and use the SNAT Automap feature. Then make sure the pool members use your router/FW device as their default gateway.

    In this way, per your listed requirement, client connections to a VS must traverse your router/FW to reach the VS, since it will be in the same network as your pool members. Also, the BigIP won't be sending traffic from a VS in vlan A to members in vlan B.

    Pool members will know to send return traffic via the BigIP because it will appear sourced from the BigIP via SNAT Automap. Connections created this way will be subject to the auto last hop feature, and return traffic will be sent via the same path instead of the BigIP's default gateway, so there is no need for any routing tricks like forwarding VSs and static routes on your pool members.

    As for your performance issues: I cannot say specifically, but it has been my general experience that performance degradation that disappears when only one member is in the pool is the result of a need for, or misconfiguration of, a persistence profile.

    Hopefully this helps simplify your network setup a bit for you and weed out your performance issues.
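The layout the reply describes, written out as an added configuration example (it is not configuration from either poster or from F5): one virtual server in the enclave VLAN whose pool members sit in the same subnet, SNAT Automap turned on, the VS bound to that VLAN only, and a source-address persistence profile attached since the reply suggests persistence is the first thing to check when two members perform worse than one. It is in tmsh config syntax (BIG-IP v10 and later; a 2009 install would have used bigpipe), and the object names, the 192.0.2.0/24 addresses and the port are assumed for illustration, not taken from the thread.

```tmsh
# Assumed VLAN object for the "enclave" network where the front-ends/directors live.
# Its self IP is the address pool members will see as the source after SNAT Automap.
net vlan enclave {
    tag 30
}
net self 192.0.2.5 {
    address 192.0.2.5/24
    vlan enclave
    allow-service none
}

# Pool of front-end servers in the SAME subnet as the virtual server.
# Their default gateway should be the router/FW interface, not the BIG-IP;
# return traffic still reaches the BIG-IP because the connection appears to
# come from 192.0.2.5 (Automap) and auto last hop sends it back the way it came.
ltm pool pool_ocs_frontend {
    members {
        192.0.2.21:443 { address 192.0.2.21 }
        192.0.2.22:443 { address 192.0.2.22 }
    }
    monitor tcp
}

# Virtual server on the enclave subnet, enabled only on the enclave VLAN.
# source-address-translation automap replaces the client source with the
# BIG-IP self IP on the egress VLAN, so members never see a cross-VLAN source.
ltm virtual vs_ocs_frontend {
    destination 192.0.2.10:443
    ip-protocol tcp
    profiles {
        tcp { }
    }
    pool pool_ocs_frontend
    source-address-translation {
        type automap
    }
    vlans { enclave }
    vlans-enabled
    # Source-address persistence keeps one client on one member; the reply
    # names a missing or misconfigured persistence profile as the usual cause
    # of degradation that vanishes with a single pool member.
    persist {
        source_addr {
            default yes
        }
    }
}
```

With this shape there is no forwarding virtual server or static route involved for these pools: clients reach the VS through the router/FW because the VS address is in the members' subnet, the members answer to the BIG-IP self IP, and auto last hop returns the reply toward the router/FW MAC it arrived from rather than the BIG-IP's own default route. Whether the persistence type should be source-address or something protocol-specific depends on the OCS role being balanced, which the thread does not settle.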