
Would it be possible to create a virtual server in a different subnet than a VLAN?

Asmara
Nimbostratus

Hi everybody,

I'm wondering if the following design can work?

I would like to know if the Virtual Server (VS) can be set in a subnet not known by the F5, I mean in a subnet not associated with a VLAN. To be more clear, see the example below.

- Create a VLAN "link" + self-IP 10.1.1.1/30 associated with the VLAN "link". This "link" is used to connect the LTM to a router in the network, so a route to the LTM is possible through this VLAN.

- Create a VS: 192.168.1.1/32. As you can see, this VS is not in the VLAN previously defined, so it is a single IP only known internally to the LTM.

Could the design work? Is it possible, or must the VS be in a defined VLAN?

If I configure a static route on the router saying that 192.168.1.1 can be reached by 10.1.1.1, could it work? Does the LTM automatically consider the VS?

Thank you in advance

Best regards

5 REPLIES

James_Thomson
F5 Employee

Yes, this will work, no problem.

It is an interesting question. I always thought that it is not possible, as the official documentation states that when you're creating a Virtual Server, in the Destination Address field, you should: "The IP address or addresses for this field must be on the same subnet as the external self-IP address."

I've just checked and this statement is even in the latest version:

https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-local-traffic-management-basics-14-1-0/about-virtual-servers.html#GUID-5EDFD248-434E-4D3D-BBB8-1BCE9D24125B

But James said that's not a problem. I wonder why the documentation restricts it? I should try it in a LAB environment.

Asmara
Nimbostratus

James Thomson, thanks for your support, but could you please share your comment with Documentation, or explain how this would work?

My understanding was as Giorgi explained it: the Virtual Server should have the same IP as the external self-IP address for the route to work.

James_Thomson
F5 Employee

Yes, Giorgi, I agree, that document is a bit confusing. My only guess is that they are going through a very basic example of a BIG-IP configuration. If the BIG-IP receives traffic destined for an IP address, it goes through this process to determine which Virtual Server it will use. As long as something matches, it will work. The example in that documentation assumes there are no external routers that have specific routes for "Virtual Server subnets". There are many people using, for example, BGP on the BIG-IP to advertise certain subnets that the BIG-IP uses for virtual servers, but for which the BIG-IP does not have VLAN self-IPs. As long as you have routing set up correctly to get traffic to the BIG-IP, it will use any matching virtual servers.

You can even create virtual servers that listen for an entire subnet and have the BIG-IP do intelligent traffic routing. These are called wildcard virtual servers. You could also have a virtual server listen for traffic on 0.0.0.0/0, and if you routed all outbound traffic to the internet through the BIG-IP, it could provide firewall services with BIG-IP AFM, Carrier Grade Source NATing, or source-based routing.

Those are slightly advanced topics, but they are used as an example to show you that virtual servers do not need to have a /32 address in the same subnet as a self-IP on a VLAN.
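To make the design from the question and James's explanation concrete, here is an added tmsh configuration for a BIG-IP that listens on a virtual server address with no VLAN or self-IP of its own. This is an example added to this thread, not F5's or the original posters' configuration. Only the 10.1.1.1/30 self-IP on the "link" VLAN and the 192.168.1.1 virtual server address come from the thread; interface 1.1, the router address 10.1.1.2, the pool member 10.2.2.10 and all object names are assumptions. The second virtual server extends the example to the wildcard (whole-subnet) listener James mentions.

```tmsh
# Transit VLAN toward the router. Interface 1.1 is an assumption.
create net vlan link interfaces add { 1.1 }

# Self-IP on the transit VLAN (the only address the router can reach directly).
# allow-service none locks the self-IP down so it accepts no management
# or data-plane connections itself; only virtual servers answer.
create net self self_link address 10.1.1.1/30 vlan link allow-service none

# Return path to the rest of the network. The router address 10.1.1.2 is an assumption.
create net route default gw 10.1.1.2

# Pool behind the virtual server. The member 10.2.2.10:80 is a constructed example.
create ltm pool web_pool members add { 10.2.2.10:80 { } } monitor http

# Virtual server 192.168.1.1:80. No VLAN or self-IP exists for 192.168.1.0/24:
# the BIG-IP simply matches the destination of arriving packets against its
# virtual servers, so a static route on the router toward 10.1.1.1 is what
# delivers the traffic. vlans-enabled restricts the listener to the link VLAN.
create ltm virtual vs_web destination 192.168.1.1:80 ip-protocol tcp profiles add { tcp http } pool web_pool source-address-translation { type automap } vlans add { link } vlans-enabled

# Wildcard (network) virtual server for the whole 192.168.1.0/24 subnet.
# The BIG-IP chooses the most specific destination match first, so
# 192.168.1.1:80 still lands on vs_web; anything else in the subnet is
# forwarded by this listener. Restricting it to the link VLAN keeps it from
# acting as a forwarder for traffic arriving on any other VLAN.
create ltm virtual vs_forward destination 192.168.1.0:any mask 255.255.255.0 ip-protocol any profiles add { fastL4 } ip-forward vlans add { link } vlans-enabled

# Persist and verify: the status and connection counters show whether
# traffic routed from 10.1.1.2 is actually matching the listener.
save sys config
show ltm virtual vs_web
```

On the upstream router, a static route for 192.168.1.1/32 (or for the whole 192.168.1.0/24 if the wildcard listener is used) with next hop 10.1.1.1 is the only thing that ties the two halves together; the exact command depends on the router platform. The BIG-IP never ARPs for 192.168.1.1 and has no VLAN for it, so without that route the traffic never reaches the device and `show ltm virtual vs_web` stays at zero connections. Leaving the transit self-IP at `allow-service none` and pinning both listeners to the link VLAN with `vlans-enabled` is the part a defender cares about: a wildcard virtual server enabled on all VLANs would otherwise forward any traffic that happens to arrive on the box.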

Thanks James for the great explanation, now it has become clearer to me.