
How to configure One ARM setup with multiple VLAN

Maisha
Nimbostratus

I have attached our network scenario as an attachment here. My concern is how to configure the F5 LTM as One ARM having multiple VLANs, where the VIP and the actual nodes are in different VLANs. A default One ARM configuration suggests that both VIP and node IP addresses are on the same IP subnetwork.

Here, I have multiple VIP VLANs, 10 & 20, and my nodes are in VLANs 100, 120 & 200. What would be my internal and external interfaces and their self IPs in the LTM setup? I am hosting a Virtual Edition of BIG-IP LTM on an ESXi server where I have 4 VMNICs available, 2 for management and 2 for the production network, which are trunked with an MLS switch at VLANs 10, 20, 100, 120 & 200.

 


Simon_Blakely
F5 Employee

By definition, a One-Arm setup only has a single VLAN.

 

You do not have a one-arm setup. You have a single trunk, over which you will configure several tagged VLANs.

 

Each VLAN has non-floating and floating self IPs to match the network range associated with the vlan.

 

You will have multiple internal and external vlans defined.

Maisha
Nimbostratus

Hi Steve Blakely,

 

Thanks for your reply. Would you help guide me through a setup scenario? I am building an F5 VE HA infrastructure. One F5 VE VM has four VMNICs, 2 for management (VMNIC0 active and VMNIC1 as standby) and 2 for production (VMNIC2 primary and VMNIC3 as standby).

Do I have to define individual internal and external interfaces for each pool member? Our real servers do not have their default gateway on the F5. As I said before, the traffic is being forwarded via policy-based routing, for load-balanced traffic only, to the F5's external floating self-IP addresses.

 

Example:

VLAN 10 (10.0.0.0/24) to external interface 1.1 and VLAN 100 (10.10.100.0/24) to internal interface 1.2
VLAN 20 (20.0.0.0/24) to external interface 1.1 and VLAN 200 (10.10.200.0/24) to internal interface 1.2

net self IP_10.0.0.0 {
    address 10.0.0.1/24
    traffic-group traffic-group-local-only
    vlan VLAN-10
}
net self IP_20.0.0.0 {
    address 20.0.0.1/24
    traffic-group traffic-group-local-only
    vlan VLAN-20
}
net self IP_10.0.0.0_floating {
    address 10.0.0.3/24
    traffic-group traffic-group-1
    vlan VLAN-10
}
net self IP_20.0.0.0_floating {
    address 20.0.0.3/24
    traffic-group traffic-group-1
    vlan VLAN-20
}

As the internal VLAN can't have its default gateway on the F5, since the servers are connected to the Cisco switch, what would the internal interface setup look like? Will it be just a tagged interface with VLAN 100 and no non-floating and floating self-IPs?

My ultimate goal is to set up the F5 VE HA pair to act like a One ARM but with the external and internal VLANs in different subnetworks. What would my setup be in this case?

> One F5 VE VM has four VMNICS, 2 for Management (VMNIC0 Active and VMNIC1 as standby) and 2 Production (VMNIC 2 primary and VMNIC3 as Standby).

 

First - you can only assign one VNIC to Management - it's a single interface. On a VE - it's the first VNIC.

 

> and 2 Production (VMNIC 2 primary and VMNIC3 as Standby).

 

Again, this isn't how it works - the VNICs are connected to the virtual network infrastructure as Interfaces 1.1 and 1.2. You may be able to define the two links as a trunk.

 

> Do I have to define individual Internal and External Interface for each Pool Members?

 

Are you talking about pool members (i.e. destination servers that deliver content) or virtual servers (listeners on the BIG-IP that forward traffic to the pool members)?

 

> AS the Internal VLAN can't have a default gateway on F5 since they are connected with the Cisco switch, what would be the Internal Interface setup look like? Will it be Just a tagged Interface with VLAN 100 and No "non-floating and floating Self-IP"?

 

Every VLAN (tagged or untagged) has to have both non-floating and floating self-ip addresses to accept or send traffic.

 

If your internal servers cannot have their default gateway set to be the BigIP, then you will need to SNAT the traffic so that the return traffic from the pool members goes back to the BigIP.

 

> My ultimate goal is to setup the F5 VE HA pair to act like an One ARM but having External and Internal VLAN are in different sub-netwrok. What would be my setup in this case?

 

As I said before, a one-arm setup only has one vlan. You do not appear to be doing this.

Hi Simon Blakely,

 

Thanks for your response. So in my case a One ARM setup is not possible because my VIP is on VLAN 10 and the nodes are on VLAN 100. How can I set it up in routed mode and still enable SNAT, since my nodes have a default gateway towards the VLAN 100 SVI 10.10.100.1 at the Cisco switch?

Do I also need to set an internal interface self-IP and floating self-IP for the HA pair on VLAN 100 (VM1: 10.10.100.4, VM1 floating: 10.10.100.6) (VM2: 10.10.100.5, VM2 floating: 10.10.100.6)?

According to your direction, I have to create a similar internal and external interface for each set of networks, as for my other VIP, which is on VLAN 20 with nodes on VLAN 200?

If you just set up all networks, then creating a virtual server in one VLAN with a pool whose servers are on another VLAN will work. It will "route" from the external to the internal network for the configured traffic. You can enable SNAT on that virtual server (option: Source Address Translation) to make sure traffic returns to the BIG-IP.

If you want to communicate with systems on a network, then IP addresses on those networks are advised. In an HA setup, node addresses and a floating one are best practice.

You can continue that setup with multiple sets of external and internal networks. Also keep in mind your virtual server network can be a non-physical one, just a subnet you route to the BIG-IP.
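Putting the SNAT point from Simon's reply and the answer above into a concrete configuration, here is an added example (not from any poster in this thread) built around the addresses given later in the thread: virtual server 10.10.10.50 on VLAN 10, nodes 10.10.20.21 and 10.10.20.22 on VLAN 20, floating self-IPs 10.10.10.12 and 10.10.20.12. The trunk, the object names, the non-floating self-IPs 10.10.10.10 and 10.10.20.10 and the service port 443 are assumptions; the commands are as typed at the tmsh prompt, and lines starting with # are comments, not tmsh input.

```tmsh
# One trunk across the two production VNICs (interfaces 1.1 and 1.2)
create net trunk prod_trunk interfaces add { 1.1 1.2 }

# Each VLAN is tagged on the trunk: the virtual server lives on VLAN 10,
# the pool members on VLAN 20. This is a routed two-VLAN setup, not one-arm.
create net vlan vlan10 tag 10 interfaces add { prod_trunk { tagged } }
create net vlan vlan20 tag 20 interfaces add { prod_trunk { tagged } }

# Non-floating self-IPs are per device (the HA peer gets its own addresses);
# floating self-IPs move with traffic-group-1 on failover.
# allow-service none keeps management-plane listeners off the data VLANs.
create net self vlan10_self address 10.10.10.10/24 vlan vlan10 traffic-group traffic-group-local-only allow-service none
create net self vlan20_self address 10.10.20.10/24 vlan vlan20 traffic-group traffic-group-local-only allow-service none
create net self vlan10_float address 10.10.10.12/24 vlan vlan10 traffic-group traffic-group-1 allow-service none
create net self vlan20_float address 10.10.20.12/24 vlan vlan20 traffic-group traffic-group-1 allow-service none

# Pool members on VLAN 20; their default gateway stays on the switch SVI.
create ltm pool web_pool monitor tcp members add { 10.10.20.21:443 10.10.20.22:443 }

# Virtual server on VLAN 10 with SNAT automap: server replies are addressed
# to the floating self-IP on VLAN 20 instead of following the servers'
# default route past the BIG-IP, which is the asymmetric path that breaks
# the connection without SNAT. Listening only on vlan10 keeps the VIP from
# answering on the server-side VLAN.
create ltm virtual web_vs destination 10.10.10.50:443 ip-protocol tcp profiles add { tcp } pool web_pool source-address-translation { type automap } vlans-enabled vlans add { vlan10 }
```

The trade-off raised later in the thread applies: with automap the servers log the floating self-IP, not the client address.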

Maisha
Nimbostratus

Hi,

Thanks for your advice. I did set up the external and internal VLANs as you told me and also created a self-IP and floating IP for each VLAN. I also set up SNAT and it worked perfectly for me, but it creates another issue. It could not preserve the client's source IP address (we need to preserve it). If I take off the SNAT then it can't reach the virtual server IP at all. I think asymmetric routing occurred here but I could not find a solution to resolve it. Can you suggest something?

My client IP = 10.10.100.100
My external VLAN10 = selfip 1010.10.10, floating self-ip 10.10.10.12
My virtual server = 10.10.10.50
My internal VLAN20 = selfip 1010.20.10, floating self-ip 10.10.20.12

My nodes are on VLAN20 = 10.10.20.21 & 10.10.20.22 (but their default GW IP 10.10.20.1 is at the L3 switch, since these nodes are not directly connected to the F5). Both the F5 and the nodes are VM hosts and are connected to an L3 switch.

If you don't want to use SNAT then you have two options: make the default route for the servers the BIG-IP floating IP address, or use SNAT and insert the X-Forwarded-For header in the HTTP profile.

Hi,

Thanks for your reply. I can't use the F5 as a default GW. I also have several custom-TCP-port-based virtual servers where I can't use HTTP profiles to insert X-Forwarded-For, and X-Forwarded-For would also need custom config on the web server side, which is not possible either. I saw something about "nPath routing"; will that work? I have to implement it at Layer 3, I believe?

Hi Maisha, nPath deals with asymmetric routing, i.e. traffic comes in via the BIG-IP but goes back to the client via a different path. You do that with a layer 4 VS with loose init and loose close set. Pete

I need to create a custom fastL4 profile with loose init and loose close enabled. Do I need to add/select it on all of my virtual servers which require direct routing to the client bypassing the F5?

The following guide says to use an iApp? https://www.f5.com/services/resources/deployment-guides/npath-routing-direct-server-return-big-ip-v1...

Yes. Performance layer 4 with a custom fastl4 profile.
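The fastL4 nPath setup Pete describes, as an added example (not from the thread or the linked deployment guide), reusing the VLAN, VIP and node addresses from the thread with an assumed custom TCP port 8443 and assumed object names. It assumes the VIP 10.10.10.50 is also configured on each server's loopback interface so the server accepts the untranslated packet and answers the client directly, which is what nPath (direct server return) requires; lines starting with # are comments, not tmsh input.

```tmsh
# Custom fastL4 profile for nPath. Loose initialization lets the BIG-IP
# create a flow for a connection whose handshake it did not fully see, and
# loose close lets it drop the flow even though the server's FIN goes
# straight to the client. Because the close is never seen, the idle timeout
# is what reclaims flow state; no RST is sent to the client on expiry.
create ltm profile fastl4 fastl4_npath defaults-from fastL4 loose-initialization enabled loose-close enabled reset-on-timeout disabled idle-timeout 300

# Same servers as the SNAT setup, on the application's custom TCP port.
create ltm pool npath_pool monitor tcp members add { 10.10.20.21:8443 10.10.20.22:8443 }

# nPath virtual server: no address or port translation, so the packet reaches
# the server still addressed to the VIP (held on the server's loopback), and
# no SNAT, so the client's real source IP is preserved end to end. Only the
# client-facing VLAN is enabled on the listener.
create ltm virtual npath_vs destination 10.10.10.50:8443 ip-protocol tcp profiles add { fastl4_npath } pool npath_pool translate-address disabled translate-port disabled source-address-translation { type none } vlans-enabled vlans add { vlan10 }
```

Each virtual server that must return traffic directly to the client needs this profile and the disabled translation settings; virtual servers that keep using SNAT are left as they are.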