Forum Discussion
Need help to understand operation between RE and CE?
Moreover, these labs may also need to include the basic setup
- Nikoolayy1, Jul 22, 2024, MVP
A fast summary is that SNAT is always performed by XC, and this is why you need to use Proxy Protocol or the XFF HTTP header to see the real client IPs in the backend. The SNAT on the CE is the exit interface IP address. On the RE, as each RE location is made of several servers/devices, the source IP address will change based on the list at https://docs.cloud.f5.com/docs/reference/network-cloud-ref . If your HTTP LB is on the RE and the origin is on the CE, then the SNAT will be done on the CE. The destination NAT is just the NAT of the origin servers, changing the address of the HTTP LB to the one of the selected origin server.

When you mention network connector you probably mean Customer Edge (CE), and as I mentioned SNAT is always performed, so the origin servers just need to return it to the CE interface IP address, or in the case of the RE without a CE the servers need internet access. You can use static routing or BGP on the CE for it to know how to reach the origin servers if they are not connected directly on layer 2 with the CE interfaces.
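As an added example (not from Nikoolayy1's reply and not F5's own code), here is how an origin server sitting behind a SNATing proxy recovers the real client address from the two mechanisms named above, together with the check that stops a client from spoofing it: a PROXY protocol v1 line is parsed strictly and rejected if malformed, and X-Forwarded-For is walked right to left, discarding only hops that fall inside a trusted-proxy range, so the leftmost, client-supplied entry is never believed on its own. The trusted ranges and the sample header lines are constructed for the example; substitute the SNAT addresses your own CE or RE actually uses.

```python
import ipaddress
from typing import Optional, Sequence, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical trusted-proxy ranges: the addresses the proxy SNATs from.
# Constructed for this example; they are not real XC ranges.
TRUSTED_PROXIES = ["10.0.0.0/8", "192.0.2.0/24"]


def parse_proxy_v1(line: bytes) -> Optional[dict]:
    """Parse one PROXY protocol v1 header line such as
    b'PROXY TCP4 203.0.113.9 10.0.0.5 51234 443\\r\\n'.
    Returns None for anything that is not a well-formed v1 header;
    the caller should then drop the connection rather than guess."""
    # v1 lines are at most 107 bytes including the CRLF.
    if len(line) > 107 or not line.endswith(b"\r\n"):
        return None
    try:
        parts = line[:-2].decode("ascii").split(" ")
        if parts[0] != "PROXY":
            return None
        if parts[1] == "UNKNOWN":
            # The sender could not determine the original addresses.
            return {"proto": "UNKNOWN", "src": None, "dst": None,
                    "src_port": None, "dst_port": None}
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            return None
        src = ipaddress.ip_address(parts[2])
        dst = ipaddress.ip_address(parts[3])
        want = 4 if parts[1] == "TCP4" else 6
        if src.version != want or dst.version != want:
            return None
        sport, dport = int(parts[4]), int(parts[5])
        if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
            return None
    except (ValueError, IndexError):  # bad ASCII, bad IP, bad int, short line
        return None
    return {"proto": parts[1], "src": str(src), "dst": str(dst),
            "src_port": sport, "dst_port": dport}


def client_ip_from_xff(peer_ip: str, xff: Optional[str],
                       trusted_proxies: Sequence[str]) -> Optional[IPAddr]:
    """Return the real client address given the TCP peer and the
    X-Forwarded-For header. Only hops inside trusted_proxies are skipped;
    the first untrusted hop, walking from the right, is the client."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip: IPAddr) -> bool:
        return any(ip in n for n in nets)

    candidate = ipaddress.ip_address(peer_ip)
    if not is_trusted(candidate):
        # Direct connection (or an unknown proxy): the header is untrusted.
        return candidate
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry from an unknown party: refuse to guess
        if not is_trusted(ip):
            return ip
        candidate = ip
    # Every hop was a trusted proxy; the leftmost one originated the request.
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs.
    print(parse_proxy_v1(b"PROXY TCP4 203.0.113.9 10.0.0.5 51234 443\r\n"))
    print(client_ip_from_xff("10.0.0.2", "1.2.3.4, 203.0.113.9, 10.0.0.1",
                             TRUSTED_PROXIES))
```

Enable Proxy Protocol only on listeners that receive traffic exclusively from the proxy: any client that can reach the listener directly can send its own PROXY line, which is the same spoofing problem XFF has when the leftmost entry is trusted.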
- usmansa1, Jul 22, 2024, Altostratus
Thanks a lot mate, that actually cleared up a lot of things in my mind. However, I have one more vital question, and I will be really thankful if you can help me to understand this whole process.
Let's say my HTTP LB is on the RE. When the request lands on the LB on the RE and the LB checks that the origin server is on the site (via the origin pool), then:
- will it send the request directly to the CE via the IPsec or SSL tunnels, OR
- will it check the origin server, do the destination NAT, and then send the request to the CE site?
Now suppose, whatever the case, the request has now reached the site and it lands on the site local outside VN, because here we have the IPsec tunnels configured. Technically the procedure will be something like below (please correct where I am wrong):
- Site local outside should check the routing and then see that the destination address is inside the "site local inside".
- Site local outside will pass the request to site local inside; while the request is being passed, SNAT has to be done on the request. I assume that this SNAT will be the IP address (either interface IP or virtual IP) of the site local inside.
- Will this SNAT happen automatically, or does it need to be defined via a network connector?
- Site local inside will check the address and then send it to the respective server (simple case of connectivity).
- Once the server responds to the request, the reply will come to the site local inside IP address, the NAT will occur, and the reply will be sent to site local outside.
- Before sending it to site local outside it should have some kind of routing installed.
- Technically this should be the default route, so can we add it separately?
- Site local outside has three interfaces:
  - Two of them are IPsec interfaces
  - One of them is the real physical interface
- The real physical interface has a DHCP IP address, which means that the default route is automatically installed in the network, but this request needs to go via IPsec. This means that during the bootstrap process, when the network service becomes active, it must have changed the routes (please correct me if I am wrong).
- When I was doing the lab I tried to check the routing table, but I wasn't able to, because "help" showed me the network status command but I couldn't run it.
Based on all the above understanding and almost all the documents I have read, I think we need network connectors between SLI and SLO, and there are only three types of network connectors, so which type of network connector will that be? Otherwise, how will the routing be done, how will the SNAT occur, and how will the reverse routing be performed?
PS: Once I am able to understand this I will write an article with figures, so it will help someone like me.
- LiefZimmerman, Jul 23, 2024, Admin
FWIW - this reply got stuck in our SPAM filter over the weekend. I just released it - hopefully that didn't mess up the flow of the conversation too much.