Forum Discussion
Modena_63241
Nimbostratus
Apr 01, 2009
"VRF" and IP forwarding
Hi all,
After some help here please. I have an LTM with multiple "internal" VLANs and multiple "external" VLANs. There is one external VLAN for each internal VLAN. We're effectively trying to replicate VRF functionality.
Each external VLAN connects to a separate firewall interface.
The goal is that we need IP forwarding functionality for node-to-node and client-to-node connectivity. However, we want traffic between VLANs to go through the corresponding firewall interface (including traffic from one internal VLAN to another internal VLAN).
To this end, for each internal VLAN we create a pool which has one member: the gateway of the corresponding external VLAN (the firewall interface). Then we make a VIP of type Performance L4, destination 0.0.0.0/0, and enable it on one internal VLAN (the internal VLAN which matches the external VLAN in the pool).
Our routing table is empty (no default route either).
This works for outbound connectivity - we can ping and get replies, and browse the Internet even though there is no return IP forwarding VIP to route the reply packets. I assume this is by design: the LTM is effectively IP forwarding the return traffic because it matches a session that was created by the "outbound" VIP.
So now traffic initiated by inside is working and we get reply packets.
Traffic initiated from outside however is not working, as we expect, because there is no IP forwarding VIP on the external VLAN.
If I make an IP forwarding VIP with destination 0.0.0.0/0 and enable it on the external VLANs, I can get it to work, but only by creating a matching default route in the routing table. This is not what I want, because if my default route points to external VLAN 100 and I come in on external VLAN 200, the return traffic won't be sent back via external VLAN 200 and hence we'll have firewall issues - or will auto_lasthop fix this?
I guess this topology is analogous to a firewall sandwich in a way - multiple gateways on the external side, all active, but all on different vlans.
I tried creating the "reverse" of the internal setup concurrently with the working outbound setup, by making a pool with a node address and then a Performance L4 VIP with a destination of the node, enabled on the external VLAN, with the pool containing the node, but it doesn't seem to work - reason unknown. NATs/SNATs and translation are all disabled.