For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Drodneys_24642's avatar
Drodneys_24642
Icon for Nimbostratus rankNimbostratus
Aug 10, 2010

VLAN Routing

Having an issue passing traffic from F5 BigIP to internal/external network. Both network's are using tagged VLAN's. I have configured BigIP to use the same VLAN number and assigned a Self IP to the same VLAN subnet. The ICMP monitors show all objects as down. From BigIP command line I am able to ping all self IP's and Virtual Servers, but nothing outside of BigIP. TCPDump shows arp request, but no response. Configuration is as follows;

 

 

96.193.25.1 Default Gateway

 

-

 

-

 

VLAN 900

 

-

 

-

 

96.193.25.21 Virtual Server

 

-

 

-

 

96.193.25.17 Self IP

 

-

 

-

 

-

 

F5 LTM/LC

 

-

 

-

 

172.18.7.10 Self IP

 

-

 

-

 

VLAN 17

 

-

 

-

 

172.18.7.63 Server

 

 

Any help would be greatly appreciated. I am sure I am missing something simple.

 

 

Thanks

 

 

 

config
design

19 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 10, 2010
    Hi,

     

     

    Can you post the output from 'b vlan VLAN_NAME list' for both VLANs? Do you have the VLAN tags set to the same as the tags on the upstream switch?

     

     

    Aaron
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 10, 2010
    Assuming the 172.18.7.10 self IP is on the same subnet as the 172.18.7.63, you shouldn't need routing to ping between the two IP's.

     

     

    I wonder if this might be a problem with the VLAN or trunk configuration between LTM and the switch(es). If there aren't trunks, would you need to use tagged VLANs on LTM? Any thoughts on that angle, Chris?

     

     

    Aaron
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Aug 10, 2010
    Posted By hoolio on 08/10/2010 02:19 PM

     

    Assuming the 172.18.7.10 self IP is on the same subnet as the 172.18.7.63, you shouldn't need routing to ping between the two IP's.

     

     

    I wonder if this might be a problem with the VLAN or trunk configuration between LTM and the switch(es). If there aren't trunks, would you need to use tagged VLANs on LTM? Any thoughts on that angle, Chris?

     

     

    Aaron

     

     

    Aaron - I've never had that as a setup before (tagged port on one side, not tagged on other) but could see that as a problem. If you're configured as a trunk on the F5 but not as a portchannel on the switch, that could most definitely cause issues. I'd start off by changing to an untagged port to see if that changes anything...and if the trunk configs are different, try and standardize it.
  • Drodneys_24642's avatar
    Drodneys_24642
    Icon for Nimbostratus rankNimbostratus
    Aug 10, 2010
    There are trunks on the switch side for port 1.1. This port will have multiple vlan's. The external ports will only have one vlan.
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Aug 11, 2010
    Let's start off with your inside VLAN..

     

     

    Self-IP is 172.18.7.10/255.255.255.0 and is on VLAN 7

     

    Port 1.1 is a tagged port of VLAN 7.

     

    The port to which 1.1 connects is also a tagged port on the switch, with said port also being a member of VLAN 7?

     

     

    We're unable to ping a server (172.18.7.63) within our own subnet.

     

     

    Is that all correct?