Forum Discussion

Sayali
Aug 23, 2020

Virtual servers and traffic groups - Functional query

Hi,

I am quite a beginner with F5, so apologies if this question comes out very naive.

I am trying to understand how traffic groups work and how to go about configuring them for the scenario below:

Configuration:

  • Two VLANs - internal (for nodes - 192.168.10.0/24) and external (where client traffic comes in - 10.64.24.0/24)
  • A static self-ip and floating-ip corresponding to each VLAN on each BIGIP device (on the external VLAN, 10.64.24.5 is the floating IP)
  • Nodes (subnet: 192.168.10.0/24)

Requirement:

  • I need to have two virtual servers that use different pools of nodes (but all in the same VLAN - internal)
  • The two virtual servers will be in the same external VLAN - 10.64.24.0/24 - and those two will by default be floating
  • My question is, if I want to achieve active-active HA (one virtual server remains active on one), I believe I will need to configure two traffic groups with relevant HA group parameters with individual virtual servers in them. But which traffic group will the external VLAN floating self-ip (10.64.24.5) belong to? I am guessing that interface needs to be active for the BIGIP to accept virtual server traffic, but how do I achieve that when two virtual servers in the same VLAN/subnet are expected to be active on different BIGIP nodes?
  • Similarly, which traffic group will the internal VLAN floating self-ip belong to? Because the pool members belonging to the different virtual servers (active on different BIGIP nodes) reside in the same VLAN.

Do we need to break down the VLANs to achieve this requirement?

Thanks :)

 

  • You need one floating self-IP per traffic group (so two floating self-IPs per vlan).

    You don't need to break down the vlan, but it may be administratively convenient to split the floating self IPs and virtual IPs into different CIDR ranges (10.64.24.1 and following for one traffic group, 10.64.24.129 and following for the other). Don't actually split the subnets, though.

    • Sayali

      Thanks :) I can give this a try!

      However, if both the virtual server pools have the same physical nodes (hence the same floating IP as a gateway), is there a way to manage return traffic via the correct BIGIP for each virtual server?

      Update: We cannot use SNAT; we need to retain the actual source IPs without using X-Forwarded headers.

      • Simon_Blakely

        You can't. In that situation, one LTM will always have to handle the return traffic (the one with the gateway IP).

        You have to use stateless Performance (Layer 4) virtuals - i.e., a FastL4 profile that enables Loose Initiation and Loose Close on the incoming Virtual. This means it will just pass packets from the source to the pool member, without needing to maintain state.

        You also need an egress virtual on each LTM that is also a stateless Performance (Layer 4) virtual - it accepts return packets from the pool members to the client. This will handle the unmatched packets that originally passed through the other LTM.

        But it's a very odd way to set things up.
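As an added illustration (not posted by anyone in this thread), the tmsh commands below lay out the objects the two replies describe: a second traffic group, one floating self-IP per VLAN per traffic group in the split CIDR ranges suggested above, a stateless FastL4 profile with loose initiation and loose close on the ingress virtuals, and a stateless egress virtual on the internal VLAN. The device names bigip-a / bigip-b, the pools pool_app1 / pool_app2, the VIPs 10.64.24.10 / 10.64.24.130, the self-IP object names and the use of traffic-group-local-only for the egress virtual address are assumptions, not values from the thread.

```tmsh
# Added example; object names and VIPs are assumed, only the VLANs and subnets come from the thread.
# Second traffic group, with the preferred device reversed so each BIG-IP is active for one group.
modify cm traffic-group traffic-group-1 ha-order { bigip-a bigip-b }
create cm traffic-group traffic-group-2 ha-order { bigip-b bigip-a }

# One floating self-IP per VLAN per traffic group. The existing 10.64.24.5 stays in traffic-group-1;
# the new ones sit in the upper half of each subnet purely for administrative clarity (same /24).
modify net self 10.64.24.5 traffic-group traffic-group-1
create net self 10.64.24.129 address 10.64.24.129/24 vlan external traffic-group traffic-group-2
create net self 192.168.10.5 address 192.168.10.5/24 vlan internal traffic-group traffic-group-1
create net self 192.168.10.129 address 192.168.10.129/24 vlan internal traffic-group traffic-group-2

# Stateless FastL4 profile: loose initiation and loose close let a device accept packets for a flow
# whose handshake it never saw (the case when the reply path runs through the other BIG-IP).
create ltm profile fastl4 fastl4_stateless defaults-from fastL4 loose-initialization enabled loose-close enabled

# Ingress virtuals, one per traffic group (pinned through their virtual addresses), no SNAT as required.
create ltm virtual vs_app1 destination 10.64.24.10:80 ip-protocol tcp pool pool_app1 profiles { fastl4_stateless } vlans { external } vlans-enabled source-address-translation { type none }
modify ltm virtual-address 10.64.24.10 traffic-group traffic-group-1
create ltm virtual vs_app2 destination 10.64.24.130:80 ip-protocol tcp pool pool_app2 profiles { fastl4_stateless } vlans { external } vlans-enabled source-address-translation { type none }
modify ltm virtual-address 10.64.24.130 traffic-group traffic-group-2

# Egress wildcard virtual on the internal VLAN: stateless, no address/port translation, so it just
# forwards node-to-client replies, including those whose request entered via the other LTM.
# It must be active on both devices, hence (assumed) the local-only traffic group for 0.0.0.0.
create ltm virtual vs_egress destination 0.0.0.0:0 mask any ip-protocol any profiles { fastl4_stateless } vlans { internal } vlans-enabled translate-address disabled translate-port disabled
modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-local-only

# Verify which device is active for each traffic group, then persist.
show cm traffic-group
save sys config
```

The nodes still have only one default gateway, so whichever device owns that internal floating self-IP handles all return traffic, which is exactly the limitation Simon describes.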