Forum Discussion
NimbostratusVIP to VIP communications on the same BigIP LTM
Is it possible to have two members of a pool, communicate with members of a different pool using their VIPs? Both pools are configured on the same BigIP LTM, doing an Air Watch implementation which has 3 sets of load balanced servers and requires the servers to communicate with each other using their VIP.
Yes, it is possible.
27 Replies
kunjanYes, it is possible.
D_VCUHS_116063is there an example of the configuration for this in the F5 Knowledge Database ?
kunjan_118660Cumulonimbus
Yes, it is possible.
- D_VCUHS_116063is there an example of the configuration for this in the F5 Knowledge Database ?
- nitass
Employee
is there an example of the configuration for this in the F5 Knowledge Database ?
if i do not misunderstand, i think you just need to add pool member's vlan on virtual server. anyway, it may be easier if you can show your configuration (e.g. virtual servers, pools, traffic flow you want).
- D_VCUHS_116063
Pool1(DS1 & DS2)---> VIP(DS) 443 pass through Pool2(SG1 & SG2)---> VIP(SG) 443 pass through Nodes DS1,DS2,SG1 & SG2 are all in the same vlan/IP subnet. VIP(DS)&(SG) are in the same IP subnet. There is a static route pointing to IP segment of the nodes. There is also a static route sending all other IP addresses destinations to an external firewall. I have a request for: Pool1 to communicate with Pool2 VIP(DS)443 -----> VIP(SG) Pool2 to communicate with Pool1 VIP(SG)443 -----> VIP(DS)
- D_VCUHS_116063
Pool1(DS1 & DS2)---> VIP(DS) 443 pass through
Pool2(SG1 & SG2)---> VIP(SG) 443 pass through
Nodes DS1,DS2,SG1 & SG2 are all in the same vlan/IP subnet. VIP(DS)&(SG) are in the same IP subnet. There is a static route pointing to IP segment of the nodes. There is also a static route sending all other IP addresses destinations to an external firewall.
I have a request for:
Pool1 to communicate with Pool2 VIP(DS)443 -----> VIP(SG)
Pool2 to communicate with Pool1 VIP(SG)443 -----> VIP(DS)
- dragonflymr
Cirrostratus
I am probably missing something here. Pool can't communicate with anything as pool is not IP object, it's just container for pool memebers which in turn has IP:port assigned. Still pool member is not something existing as an server on LTM it's just object allowing to direct traffic to some backend server outside LTM. So if: Pool members (DS1 & DS2) as defined on LTM are pointing to the same VIP of VS that a bit do not make sense, two pool members pointing to one IP:Port are not something that will LB any traffic as well as not possible to be configured as separate entities, there is no way to create two separate pool members with same IP:port. You can of course use given pool member in different pools but those will be instances of the same service (IP:port) by pool members (DS1 & DS2) you mean actual servers to which LTM is LB traffic and you need those servers to access another VIP (means another VS) on LTM that should be completely doable, you just need to enable those VS (that should be accessible to servers) on the VLAN where servers are connected (by default VS is enabled on all VLANs defined on LTM, so it should not be issue). In this case you will have flow looking something like that: Client traffic -> VIP (VS with pool containing DS1&DS2) -> DS1 server or DS2 server (based on LB decision inside pool) -> VIP (SG) -> SG1 or SG2 server (based on LB decision inside pool) Piotr
- nitass_89166
Noctilucent
Pool1 to communicate with Pool2
VIP(DS)443 -----> VIP(SG)
when pool1 wants to talk to pool2, does it talk to virtual server ip (i.e. sg) or pool member ip (i.e. sg1 or sg2)?
if it is virtual server ip, can you try to add pool1 vlan (i.e. ds1/ds2 vlan) on pool2's virtual server (i.e. sg)?
- D_VCUHS_116063Adding SG1 and SG2 to pool 2, will it also cause both to be Load balanced by VS(SG). VS(SG) and VS(DS) are load balancing for incoming connections from other clients.
- nitass_89166no, i mean enabling vlan on virtual server.
- D_VCUHS_116063Is this under the VS configuration " VLANS and Tunnels" ? Currently I have the vlan of the shared network interface to a firewall selected.
- nitass
Pool1 to communicate with Pool2
VIP(DS)443 -----> VIP(SG)
when pool1 wants to talk to pool2, does it talk to virtual server ip (i.e. sg) or pool member ip (i.e. sg1 or sg2)?
if it is virtual server ip, can you try to add pool1 vlan (i.e. ds1/ds2 vlan) on pool2's virtual server (i.e. sg)?
- D_VCUHS_116063Adding SG1 and SG2 to pool 2, will it also cause both to be Load balanced by VS(SG). VS(SG) and VS(DS) are load balancing for incoming connections from other clients.
- nitassno, i mean enabling vlan on virtual server.
- D_VCUHS_116063Is this under the VS configuration " VLANS and Tunnels" ? Currently I have the vlan of the shared network interface to a firewall selected.
- D_VCUHS_116063
The DS1,DS2,SG1 and SG2 are real servers in the same external vlan/IP subnet, they are assigned two different pool groups
Pool1 is assigned to a VS(DS) and Pool2 is assigned to VS(SG).
DS1 or DS2 will initiate the connection to VS(SG)443 and SG1 or SG2 will initiate the connection to VS(DS)443
The Air Watch servers( DS1,DS2,SG1 & SG2) are configured to communicate with the URL associated with VS(SG) or VS(DS).
- kunjan
DS1 or DS2 will initiate the connection to VS(SG)443 and SG1 or SG2 will initiate the connection to VS(DS)443
Does this mean DS1 and DS2 are clients that initiate a connection to a URL that hit VS(SG)? Similarly SG1 and SG2 are clients that initiate connection to hit VS(DS)?
If so, there is no VS to VS communication as both are independent. Just confirming there is no loop as such.
- D_VCUHS_116063Yes, DS1 or DS2 will initiate a connection to a URL to VS(SG); SG2 or SG1 will also initiate a connection to a URL to VS(SG). It was explained to me that each will us its VS as a SNAT for outbound connections.
- kunjan_118660
DS1 or DS2 will initiate the connection to VS(SG)443 and SG1 or SG2 will initiate the connection to VS(DS)443
Does this mean DS1 and DS2 are clients that initiate a connection to a URL that hit VS(SG)? Similarly SG1 and SG2 are clients that initiate connection to hit VS(DS)?
If so, there is no VS to VS communication as both are independent. Just confirming there is no loop as such.
- D_VCUHS_116063Yes, DS1 or DS2 will initiate a connection to a URL to VS(SG); SG2 or SG1 will also initiate a connection to a URL to VS(SG). It was explained to me that each will us its VS as a SNAT for outbound connections.
