Forum Discussion

wsalko's avatar
wsalko
Icon for Nimbostratus rankNimbostratus
Dec 06, 2023

pool member and self ip traffic

Hi. We're doing some cleaning up in our network and I'm wondering about self IP addresses. It turns out that I don't understand very much. Let's assume that I have a connection diagram as shown in ...
application delivery
wsalko's avatar
wsalko
Icon for Nimbostratus rankNimbostratus

thank you for your extensive answer.

 


in the virtual server configuration I use autmap and vlan vlan_lbs (the address of virtual_servers is 10.168.17.0/24 - the question is whether it should be like this or should I provide the vlans which are pool members?

from what I understand, the self ip address is the address in a given vlan that allows me to communicate within this vlan, but does this apply to pool member?

I'm not fluent with F5, sorry. I am already working in an environment that I am not fully familiar with yet. Another strange thing for me is that the www servers (pool member) have their default ip set to the self ip of the vlan_lbs vlan (i.e. this address is 10.168.17.0).

because of this, the servers do not have the Internet because they send everything to the gateway, I would like to avoid this, so I think that's what self-IP is for.

I'm trying to understand how traffic gets to web servers:
Let's assume it looks like this
I have a firewall connected to the core switch, and I have servers, esxi hosts managed by vcenter, connected to the core switch (I have different machines in different vlans on the hosts) I have a big ip connected to the core switch where I tag the vlans in which I have a web server and the vlan from the virtual server - these vlans are also on the firewall - I want it to be a gateway for these web servers, not big ip.

 

I have a domain.com domain that points to a public address on the firewall. 1.1.1.1->10.168.17.50
this move goes to vs f5, and now I don't understand how traffic from vs is directed to the pool member. I suspect that it is because I have a self ip in the pool member vlan and f5 knows about it, so it directs traffic from the virtual server through self ip to the target www server.

but I don't see a vlan assignment to a pool member anywhere in the configuration, so how can f5 know that the www server 10.168.7.50 is in vlan 207 and that it should direct traffic there?

I want F5 to internally forward traffic from the VS vlan to the pool member vlans, and I want to have a default gw on the web server on the firewall, not F5

PhatANhappy's avatar
PhatANhappy
Icon for MVP rankMVP
Dec 11, 2023

Missing from your diagram are the details of your text is what is going on at layer 3. 

It is important to remember the f5 is a full proxy and there are 2 different conversations happening, Client to f5  - AND - f5 to backend server.  The packet on the inbound from the firewall will appear on the vbs vlan, the f5 will know how to reply to the client based upon his source.   The 2nd conversation - from the F5 - to the backend server.   With "automap set" the f5 will pick the best match of selfs / routes to chose where the traffic is being sent.

Where is routing happening and what are the expectations?

If your f5's are "inline" as in the default gateway is being set on the servers to point to the f5, it should point to a floating address that way you can insure that the correct f5 is processing the traffic.  If you point to a local only address, and that becomes the standby -or goes down you will no longer route.   IMO - inline's are a lot easier to troubleshoot and manage, it certainly makes the packet capture process simpler to diagnose.

Lastly - if your servers are pointing to the float as the default gateway, and your servers are not getting to the internet - you will likely need a forwarding virtual server, start here.
https://my.f5.com/manage/s/article/K7595