Forum Discussion

westtex_98130's avatar
westtex_98130
Icon for Nimbostratus rankNimbostratus
Oct 02, 2012

seperating traffic of virtual servers

Hello Everyone

 

I am new to F5, sorry, but I have been going through the f5 documentation, the training videos etc, and I have a couple of questions,

 

my current setup assumed only one application would be in use, and users access thru int 1.1 (untagged) on vlan 21, the vlan is not set on the port and it looks like a default external and internal vlan was set up using 4094 ext and 4093 int?

 

we have recently installed a new applications virtual servers, pools etc, and the system works fine as long as we stay on the same vlan and int 1.1 as the existing system.

 

we needed to readdress the new applications servers, and also want to seperate traffic between the two apps.

 

I would like the new app to use interface 1.3 and use vlan 22, what Im not understanding is can I assign a specific vlan to int 1.3 by port (tagged) and not have to assign a specifc vlan to int 1.1 (untagged)? or more properly must all interfaces be either untagged or tagged or can we mix them? the documentation online doesnt show a mixed environment.

 

I dont want to interupt the production environment on int 1.1 and want to set up a new environment using int 1.3 and keep them seperate.

 

my second question concerns the use of the mac masquerade address. Is it best practice to use mac masquerade in a redundant system? If so in case of failover if we dont have one set then the destination server wont be able to communicate with the F5 big-ip? Do we implement a mac masquerade only when using a tagged interface or should we set one up for use with untagged interfaces as well?

 

I inherited the F5 big-ip from another location so I am trying to get up to speed very quickly, any help would be greatly appreciated.

 

Thank You

 

 

 

config
design
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 02, 2012
    I would like the new app to use interface 1.3 and use vlan 22, what Im not understanding is can I assign a specific vlan to int 1.3 by port (tagged) and not have to assign a specifc vlan to int 1.1 (untagged)? or more properly must all interfaces be either untagged or tagged or can we mix them? the documentation online doesnt show a mixed environment.it can be mixed.

     

     

    my second question concerns the use of the mac masquerade address. Is it best practice to use mac masquerade in a redundant system? If so in case of failover if we dont have one set then the destination server wont be able to communicate with the F5 big-ip?if upstream/downstream device is able to update their arp table properly when failover, they would be able to communicate to new active unit. anyway, i think it is better to set mac maq.

     

     

    Do we implement a mac masquerade only when using a tagged interface or should we set one up for use with untagged interfaces as well?both i.e. tagged and untagged interfaces.

     

     

    hope this helps.
  • westtex_98130's avatar
    westtex_98130
    Icon for Nimbostratus rankNimbostratus
    Oct 04, 2012
    hey thank you so much, I really apreciate the help and that was exactly what I was looking for
  • westtex_98130's avatar
    westtex_98130
    Icon for Nimbostratus rankNimbostratus
    Oct 05, 2012
    ok, so if I want to have vlan 21 on interface 1.1 and vlan 22 on interface 1.3, I need to define my vlans, assign each virtual server to use their own particualr vlan. The last question I have then is how do I configure the routes? My current setup has the virtual servers using all vlans and one default gateway and everything uses vlan 21 on interface 1.1. Can I define a second default gatway or must i setup a gateway pool to use multiple gateways?
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Oct 05, 2012
    If all clients come in on VLAN21 then both Virtual Servers need to be enabled on VLAN21 and your default route should point back down this path I assume. If you want servers (Pool Members) on different VLANs that's fine, the Virtual Servers and routing don't have to be different per VLAN. If I've got it all wrong, forgive me, it's hard to design on a forum!

     

     

    BTW Auto last hop probably precludes the need to have two gateways if there are two, it'll return traffic to the MAC address is came from rather than do a route lookup.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 06, 2012
    The last question I have then is how do I configure the routes?for return traffic, we do not really need default route. auto lasthop is feature bigip uses to track source mac address when traffic is coming, so bigip will just send return traffic to that mac address (no route lookup is performed).

     

     

    sol11796: Overview of the Auto Last Hop setting (9.x - 10.x)

     

    http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11796.html

     

     

    anyway, if server initiates traffic, it is different story. in that case, bigip still need default route.

     

     

    LTM: Per-VLAN Default Gateways by Deb

     

    https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/247/LTM-Per-VLAN-Default-Gateways.aspx

     

     

    hope this helps.