For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chuck_334's avatar
Chuck_334
Icon for Nimbostratus rankNimbostratus
Oct 01, 2008

What is wrong with this design?

I'm trying to implement our F5 that we've had shelved for 3 years now. I have been unable to find the support and assistance needed from those who are tasked with providing it, so I figure that I'd ask the professionals here.

 

 

So I have a Cisco switching network with several VLAN's consecutively in range. Starting from VLAN 95 going to VLAN 105. Our servers are located on VLAN 100, with clients on the rest of the VLAN's. The F5 is intended to ballance internal network traffic from our 10.6 network. So the server would be at 10.6.100.xx with a client who needs access from 10.6.95.xx.

 

 

The network is built, everything is routing, but my problem is that I can assign an IP to the Management port where I can configure the F5, but I cannot get traffic to pass through the interfaces 1.1 - 1.4. I figured that I'd start with a simple test and use ports 1.3 and 1.4 in my test. These interfaces show that they're up. I've trunked my port to the switch on 1.4. And tagged VLAN 100 to the server on 1.3. But I cannot ping from the client to the server. Nor can the server ping to the gateway. So what could be the problem?
config
design

2 Replies

  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    Oct 01, 2008
    The management port cannot be on the same network as load-balanced traffic. It is a NIC and not part of the switch fabric. So that's the first problem. You'll need to move the mgmt IP off the 10.6.100.x network.

     

     

    Ideally, you should have the LTM set up as a Layer 3 device with it having an external and an internal VLAN, with the servers on the internal VLAN, and the LTM's internal self-IP as the server's gateway.

     

     

    If that is not possible due to the need to re-IP servers and such, you could tag VLAN 100 on one of the switch ports (1.1 - 1.4) and set it up as a "one-armed" configuration, such that the virtual servers are also on the 10.6.100.x network with the real servers. However you will need to SNAT to get the routing to work in that configuration (SNAT Automap is usually easiest).

     

     

    That should get you started, take a look on AskF5 for more configuration guides or post back if you need more help from that point.

     

     

    Denny
  • Chuck_334's avatar
    Chuck_334
    Icon for Nimbostratus rankNimbostratus
    Oct 01, 2008
    Thank-you Thank-you Thank-you!

     

     

    That gets me started in the right direction. I can't believe that I missed that mistake! I've read through the installation and quickstart guides at AskF5, but there must have been a chapter missing in my PDF's because nothing came close to explaining this tiny pearl of wisdom!
Related Content