Forum Discussion

Chiggo's avatar
Chiggo
Icon for Nimbostratus rankNimbostratus
Nov 13, 2020
Solved

LTM VE Deployment limited VLANs

Hi, I need to deploy a pair of LTM VE appliances in HA in an internal environment. The problem is, i am told there are only 2 VLANs available on the deployed virtual switch I would be using, and I need to deploy MGMT / HA / Internal. This seems a bit mad but I believe a previous employee deployed the VM environment and there are concerns about expansion ( I won't go into the obvious lack of planning at the outset here!).

 

As HA is just for chat between the 2 x F5s themselves, I was thinking of using a separate non routable subnet for this though utilizing one of the available VLANs used for MGMT or Internal. Would this kick up an error due to same VLAN being used or does the F5 just check assigned IP address/subnet?

Thanks in advance

  • Hi,

     

    It's not a big problem for f5 devices. Of course it's better to have a separate VLAN for each traffic: MGMT, HA, DMZ, External, etc. But if you can't, that's not a big deal, big-ip DSC cluster can work with those two VLAN also. You can use Internal VLAN for Config-Sync and for HA you can use either MGMT or the same Internal VLAN.

     

    Also, you can create any non-routable subnet/VLAN and give IPs from that range for HA and if those Virtual Machines are located on the same ESXi host, they'll still be able to see each other, as there's no physical network involved. Just pay attention to port lockdown feature, as you need (if I'm correct 1026/UDP for failover).

3 Replies

  • Hi,

     

    It's not a big problem for f5 devices. Of course it's better to have a separate VLAN for each traffic: MGMT, HA, DMZ, External, etc. But if you can't, that's not a big deal, big-ip DSC cluster can work with those two VLAN also. You can use Internal VLAN for Config-Sync and for HA you can use either MGMT or the same Internal VLAN.

     

    Also, you can create any non-routable subnet/VLAN and give IPs from that range for HA and if those Virtual Machines are located on the same ESXi host, they'll still be able to see each other, as there's no physical network involved. Just pay attention to port lockdown feature, as you need (if I'm correct 1026/UDP for failover).

  • Chiggo's avatar
    Chiggo
    Icon for Nimbostratus rankNimbostratus

    Thanks Giorgi, we deployed these yesterday and all good. Bit of a pain using the network setup wizard it forced me to setup the External interface. Then when all completed I could delete the External self ip and VLAN but not the interface. Not to worry, it's just an annoyance really and non impacting obviously.

    • You're right, wizard is not for non-standard configurations. That's why when I'm configuring new big-ip appliance, I always just activate license, enable modules which I'm going to use, generate/import device certificates, configure hostname and time zone and then there is a special button below to complete wizard at that step.

       

      So you do not have to go through the Network Configuration part. This avoids you an unnecessary configuration, which you have to delete after ;-)