For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

genseek_32178's avatar
genseek_32178
Icon for Nimbostratus rankNimbostratus
Jan 16, 2012

Virtual Server Cmds

Hi,

 

 

In our environment, we have Virtual Servers configured in the following way,

 

 

virtual apps_critical_BTK

 

{

 

pool bzt_pool destination 200.36.134.131:https

 

ip protocol tcp

 

persist persist_default

 

profiles tcp_default {}

 

vlans {

 

c_10.201.20.25_27

 

c_200.36.134.128_26

 

c_16.25.42.36_26

 

} enable

 

 

I want to understand, why, once the virutal server has been defined, the following 3 vlans

 

 

c_10.201.20.25_27

 

c_200.36.134.128_26

 

c_16.25.42.36_26

 

 

have been enabled or mapped to the virtual server?

 

 

what is the purpose? What if i remove the specific VLAN on which the VIP is sitting?

 

 

Help would to understand this would...appreciated.
basic
getting started
new to f5

14 Replies

Show More
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 17, 2012
    Can you try enabling the virtual server on all VLANs and retest? If that works then I'd guess the client wasn't on one of the VLANs that was enabled. If that doesn't work, then like Nitass suggested, try opening a case as something weird is going on.

     

     

    Aaron
  • genseek_32178's avatar
    genseek_32178
    Icon for Nimbostratus rankNimbostratus
    Jan 17, 2012
    Ok, i will try opening a support case.

     

     

    1) .......But tell me, otherwise, if NO vlans are enabled on a virtual server, by default ALL vlans are allowed...right?

     

     

    Meaning....it (VS) will accept ANY traffic on the VIP..right...ie....icmp, ftp,ntp...etc

     

     

    2).......if any specific VLAN is enabled...on the virtual server and the VIP is on a different vlan...which too is NOT enabled on the VS, then also....VIP should ping.... right?

     

     

    I.e to say...irrespective of the specific VLAN on which VIP sits is..enabled or not on the virtual server.
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 17, 2012
    When you're testing this, make sure in the GUI that it says VLAN and Tunnel Traffic: All VLANs and Tunnels. If you select Enabled On but don't select any VLANs then the VS won't accept connections.

    This bad config will show up in the bigip.conf as: 

    
 v11.1
ltm virtual ltm_ve_1_http_vs {
    destination 10.1.0.113:http
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        http { }
        tcp { }
    }
    rules {
        name_to_ipv6_geo_rule
    }
    snat automap
    vlans-enabled
}

    I'm not sure what you mean for your second question. By VIP do you mean virtual server IP address (ie, virtual address)? The VLAN config for a virtual server is only looked at for the inbound (or ingress) traffic. You don't need the virtual server enabled on the VLAN the servers are on if the servers are not originating connections to the virtual server.

    Aaron
  • genseek_32178's avatar
    genseek_32178
    Icon for Nimbostratus rankNimbostratus
    Jan 17, 2012
    1)..........By VIP do you mean virtual server IP address (ie, virtual address)?

     

     

    yes, by VIP, i mean....the virtual address.

     

     

    2)........The VLAN config for a virtual server is only looked at for the inbound (or ingress) traffic.

     

     

    So, if the vlan on which Virtual address sits, is NOT enabled on th virtual server, will the VIP respond to icmp ping requests from within or outside?