I'm wondering if the following design can work?
I would like to know if the Virtual Server (VS) can be set in a subnet not known by the F5, I mean in a subnet not associated with a VLAN. To be more clear, see the example below.
- create a VLAN "link" + self-IP 10.1.1.1/30 associated with the VLAN "link". This "link" is used to connect the LTM to a router in the network, so a route to the LTM is possible through this VLAN.
- create a VS 192.168.1.1/32. As you can see, this VS is not in the VLAN previously defined, so it is a single IP known only internally to the LTM.
Could the design work? Is it possible, or must the VS be in a defined VLAN?
If I configure a static route on the router saying that 192.168.1.1 can be reached via 10.1.1.1, could it work? Does the LTM automatically consider the VS?
Thank you in advance
It is an interesting question. I always thought that it is not possible, as the official documentation states that when you're creating a Virtual Server, in the Destination Address field: "The IP address or addresses for this field must be on the same subnet as the external self-IP address."
I've just checked, and this statement is even in the latest version.
But James said that's not a problem. I wonder why the documentation restricts it? I should try it in a lab environment.
James Thomson, thanks for your support, but could you please share your comment with Documentation, or explain how this would work?
My understanding was as Giorgi explained it: the Virtual Server should have the same IP as the external self-IP address for the route to work.
Yes, Giorgi, I agree, that document is a bit confusing. My only guess is that they are going through a very basic example of a BIG-IP configuration. If the BIG-IP receives traffic destined for an IP address, it goes through this process to determine which Virtual Server it will use. As long as something matches, it will work. The example in that documentation assumes there are no external routers that have specific routes for "Virtual Server subnets". There are many people using, for example, BGP on the BIG-IP to advertise certain subnets that the BIG-IP uses for virtual servers but does not have VLAN self-IPs for. As long as you have routing set up correctly to get traffic to the BIG-IP, it will use any matching virtual servers.
You can even create virtual servers that listen for an entire subnet and have the BIG-IP do intelligent traffic routing. These are called wildcard virtual servers. You could also have a virtual server listen for traffic on 0.0.0.0/0 and, if you routed all outbound traffic to the internet through the BIG-IP, it could provide firewall services with BIG-IP AFM, Carrier-Grade source NATing, or source-based routing.
Those are slightly more advanced topics, but they are used here as examples to show you that virtual servers do not need to have a /32 address that is the same as a self-IP on a VLAN.
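As an added example (not part of the thread and not F5's own documentation), here is the design from the question expressed as tmsh commands on the BIG-IP, followed by the matching host route on the router and the wildcard forwarding virtual server mentioned in the answer. The interface name 1.1, the router address 10.1.1.2, the pool members 10.20.0.11 and 10.20.0.12, the object names and the Cisco IOS route syntax are all assumptions chosen for illustration; the only addresses taken from the thread are 10.1.1.1/30 and 192.168.1.1/32.

```tmsh
# Added example, not from the thread. Assumed: interface 1.1 faces the router,
# the router owns 10.1.1.2/30, and the pool members sit behind that router.

# 1. The only subnet the BIG-IP actually "knows": the /30 link to the router.
create net vlan link interfaces add { 1.1 { untagged } }
create net self self_link address 10.1.1.1/30 vlan link allow-service default

# 2. A route out through the router. Replies to clients and traffic to the pool
#    members need a next hop; the VS address itself needs no route on the BIG-IP.
create net route default gw 10.1.1.2

# 3. Pool of real servers (assumed addresses). SNAT automap on the VS below makes
#    the servers answer to the self-IP, so they need no route to 192.168.1.1.
create ltm pool web_pool monitor http members add { 10.20.0.11:80 10.20.0.12:80 }

# 4. The virtual server on 192.168.1.1, a host address that is in no VLAN/self-IP
#    subnet of the BIG-IP. Limiting it to VLAN "link" is where the routed traffic
#    arrives; the BIG-IP answers for it as soon as a matching VS exists.
create ltm virtual vs_web destination 192.168.1.1:80 ip-protocol tcp profiles add { tcp http } pool web_pool source-address-translation { type automap } vlans-enabled vlans add { link }

# 5. Optional: the wildcard forwarding virtual server from the answer. It has the
#    lowest precedence, so vs_web still wins for 192.168.1.1:80.
create ltm virtual vs_forward_all destination 0.0.0.0:any mask any ip-forward profiles add { fastL4 } vlans-enabled vlans add { link }

save sys config

# Router side (Cisco IOS syntax assumed): point the /32 host route at the self-IP.
#   ip route 192.168.1.1 255.255.255.255 10.1.1.1

# Checks, run from the BIG-IP bash shell rather than tmsh:
#   tcpdump -ni link host 192.168.1.1 and port 80    # SYNs must arrive on VLAN link
#   tmsh show ltm virtual vs_web                      # connection counters increase
```

The point to verify in the lab is the routing, not the BIG-IP: the BIG-IP never ARPs for 192.168.1.1, since that address is on no connected subnet, so if the router lacks the static route (or a BGP advertisement of 192.168.1.1/32 from the BIG-IP) the SYNs never reach VLAN link and the virtual server simply sees nothing.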