For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jaked_150553's avatar
jaked_150553
Icon for Nimbostratus rankNimbostratus
Apr 10, 2014

routed environment

I needed to create a virtual with pool members to an ltm device. These new ips are no part of any of the networks available on any trunks on the bigip device. But the two members are still showing on...
jaked_150553's avatar
jaked_150553
Icon for Nimbostratus rankNimbostratus
Apr 11, 2014

thanks for the answers...did some poking around and this what I found, this is somewhat confusing though:

 

if we add an ip as pool member, bigip checks if it corresponds to any of the subnets from which the self ip addresses are added. if this ip corresponds to any of the self ip address and it's subnet, and there is SNAT automap on the corresponding virtual, bigip uses this self ip to send traffic to and fro to the pool member.

 

if we add an ip as pool member that doesn't correspond to any of the self ips and their subnets the bigip uses the management interface to send traffic which is not desirable on a production device( for reasons of maintenance and other stuff). This also breaks SNAT automap if any on the virtual. It might not be advisable to add mgmt ip to snat pools as well.

 

To overcome this, we have to define a route on the bigip, the gateway to be define is again a little tricky. we should chose an available network reaching which takes the least number of hops. I tried several gateways of several networks already configured on the bigip and each time ran "tcpdump -i any host " each time, i saw traffic being sent to the pool member from the corresponding self ip.

 

So, decision on which self ip is used either depends on whether there is a corresponding subnet on the bigip or if there is an explicit route using one of the subnets already configured.

 

Related Content