Forum Discussion

GajAnna
Jul 14, 2019

LTM and internal vlans and external routing

Hi,

I have a situation where there are two internal vlans in an LTM. The vlan names are Internal and Servers with relevant self IPs. The LTM routes traffic via the external vlan to an upstream router. An IP forward VS has been set up having the server vlan as source to any destination. This is to make nodes in the server vlan talk to the outside network for some backend activity. This is working fine when nodes from the server vlan talk to any outside network. The issue we are having is when nodes in the Server vlan talk to nodes in the Internal vlan: because both internal vlans are directly connected, the F5 tends to route internally. The requirement is to have the nodes in the server vlan egress via the external upstream gateway.

Is it possible to achieve this by, using the same IP forward VS to do a source-network based forwarding (server vlan network) and set the next hop as external gateway or any other options available?

Any help would be much appreciated.

Thanks & Regards

3 Replies

  • Have you considered using route domains? If you put the server vlan and internal vlan in different route domains, the F5 BIG-IP will not route traffic between both VLANs internally when using the default route domain settings.

      GajAnna

      Thanks Niels for pointing this out.

      I did consider using a separate RD for the server vlan, however I was not sure if LTM can route traffic via the external vlan, which is part of the default RD 0 anyway. For example, can LTM route the RD 1 traffic via the RD 0 external vlan (default external gateway), or is any specific config required on RD 1 to achieve this?

      Also, the nodes in the server VLAN have a virtual server VIP for incoming traffic for an application. Will moving the server vlan to another RD have an impact on this too?

      Regards,

      • It's probably best to have each route domain connected to the upstream router/gateway directly. I think in this setup using parent route domains will not work, because then the F5 will again route the traffic internally. These are things that are best tested in a test environment before making changes on the production environment. Then you also get an idea what the impact will be on the current setup.
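The layout both replies describe, as an added tmsh sketch that is not from this thread or from F5: the Servers VLAN is moved into its own route domain with strict isolation, that route domain gets its own VLAN and default route to the upstream router instead of a parent route domain, and the IP-forwarding virtual server is recreated inside it. All addresses (RFC 5737 documentation ranges), VLAN tags, interface numbers and object names such as `rd1`, `External_rd1` and `fwd_servers_rd1` are constructed placeholders. Strict isolation is the part that matters from a security point of view: it guarantees the BIG-IP cannot become an unmonitored shortcut between the Servers and Internal networks, so every Servers-to-Internal flow has to pass the upstream gateway where routing policy and inspection live.

```tmsh
# Added example, not the original poster's configuration.
# Addresses, tags, interface numbers and names are placeholders.

# 1. Route domain 1 holds the Servers VLAN. strict-isolation means no
#    forwarding between %1 and the default route domain (%0), and no
#    parent route domain, so Internal (in %0) is simply unreachable from
#    inside %1 except via a route of RD 1's own.
create net route-domain rd1 id 1 strict-isolation enabled vlans add { Servers }

# 2. Self IP for the Servers VLAN, now addressed inside route domain 1.
create net self servers_self address 198.51.100.1%1/24 vlan Servers allow-service none

# 3. RD 1 needs its own link to the upstream router (second reply). A
#    second VLAN toward the router, placed in RD 1, with RD 1's default
#    route pointing at the router's address on that VLAN.
create net vlan External_rd1 interfaces add { 1.1 { tagged } } tag 101
modify net route-domain rd1 vlans add { External_rd1 }
create net self external_rd1_self address 203.0.113.2%1/29 vlan External_rd1 allow-service none
create net route default_rd1 network 0.0.0.0%1/0 gw 203.0.113.1%1

# 4. IP-forwarding virtual server inside RD 1, source-restricted to the
#    Servers subnet and listening only on the Servers VLAN. Because RD 1
#    has no route to the Internal subnet, traffic for Internal leaves via
#    203.0.113.1 like any other destination; the upstream router decides
#    whether and how it comes back.
create ltm virtual fwd_servers_rd1 destination 0.0.0.0%1:any mask any source 198.51.100.0%1/24 ip-forward profiles add { fastL4 } vlans add { Servers } vlans-enabled

# 5. The existing application VIP keeps working, but its pool members must
#    now be written with the route domain suffix, e.g. 198.51.100.10%1,
#    since the servers' addresses belong to RD 1 after the move.
```

`allow-service none` on both new self IPs is the conservative choice: it keeps the BIG-IP's own management and control-plane ports closed on those interfaces, and only the forwarding virtual server (not the self IP) accepts traffic from the Servers hosts. The remaining open question from the thread, the return path, is settled on the upstream router, which must have a route for 198.51.100.0/24 via 203.0.113.2 before the cut-over; as the second reply says, stage this in a test environment first.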