auto last hop
3 Topics

LTM source based routing, different default gateway for each Vlan
Hi all, I would like to get my routing assumptions confirmed by somebody who already has experience with source based routing on LTM. Or in case the assumption is not correct, I would be happy to get help with it. Imagine the following situation. Servers reside in Vlan A and Vlan B behind a firewall. Each Vlan has a subinterface on the firewall and the firewall's IP is the default gateway for the particular Vlan. This is clear, no need for any special routing:

                   |                    |
        -----------------------------------
        |             FIREWALL            |
        |                                 |
        |   10.0.1.1           10.0.2.1   |
        -----------------------------------
            |                    |
            |                    |
          VLAN A               VLAN B
            |                    |
            |                    |
         SERVERS              SERVERS
        10.0.1.60            10.0.2.60
        10.0.1.61            10.0.2.61

Now I need to be able to do some load balancing in both Vlans so I introduce LTM in the following way:

                   |                    |
        -----------------------------------
        |             FIREWALL            |
        |                                 |
        |   10.0.1.1           10.0.2.1   |
        -----------------------------------
            |                    |
            |                    |
          VLAN A               VLAN B
            |                    |
            |                    |
        ---------------------------------------
        |  VIP:10.0.1.15       VIP:10.0.2.15  |
        |               F5 LTM                |
        |                                     |
        |  SNAT:10.0.1.25      SNAT:10.0.2.25 |
        ---------------------------------------
            |                    |
            |                    |
          VLAN A               VLAN B
            |                    |
            |                    |
         SERVERS              SERVERS
        10.0.1.60            10.0.2.60
        10.0.1.61            10.0.2.61

So the LTM (VIP, SNAT) shares the same subnet with the backend servers. This allows clients to reach the backend servers either way:

- directly from the firewall: client->firewall->server, and on the way back it's the server's default gateway which points the packet from the server back to the firewall.
- via LTM through VIP: client->firewall->VIP->SNAT->server. On the way back the server sends the packet back to SNAT, so it's: server->SNAT->VIP->firewall->client.

Now to my routing question. I don't know the IPs of our clients, they can come from any subnet. So on the F5 I need a default route towards the firewall for each Vlan, but the response packet must adhere to the same Vlan through which the request came in, otherwise the firewall will drop the response packet (anti-spoofing).
Basically I need to achieve the following, for example:

    REQUEST:  client 123.1.1.1 -> firewall 10.0.1.1 -> F5 VIP 10.0.1.15 -> F5 SNAT 10.0.1.25 -> SRV 10.0.1.60
    RESPONSE: 10.0.1.60 -> 10.0.1.25 -> 10.0.1.15 -> !!! 10.0.1.1 !!! -> 123.1.1.1

    REQUEST:  client 123.1.1.1 -> firewall 10.0.2.1 -> F5 VIP 10.0.2.15 -> F5 SNAT 10.0.2.25 -> SRV 10.0.2.60
    RESPONSE: 10.0.2.60 -> 10.0.2.25 -> 10.0.2.15 -> !!! 10.0.2.1 !!! -> 123.1.1.1

Does the Auto Last Hop feature solve this 'source based routing' problem? If it does, do I still need anything else in the F5 routing table, for example to reach the backend servers? Or can I leave the routing table empty (assuming F5 should be able to reach directly attached networks)? Thanks.

Martin

iRule to Redirect to Another VS on the same LTM
Hi guys - I'm trying to get the following scenario working: My domain "" maps to a public IP "1.1.1.1" and I have a virtual server configured on my F5 with "1.1.1.1:443". I have two unrelated applications with competing requirements running on different URIs on the same domain, one is an HR application (/abc) and the other is an inventory application (/def). I need to create a design which accommodates both applications with a single domain name, and find a way to accommodate both their conflicting requirements under the same domain name.

To solve this problem, I thought that I should do something like this: on the main virtual server 1.1.1.1:443, I put in an iRule with the following code:

    when HTTP_REQUEST {
        # Send /abc requests to the HR virtual server and /def to the inventory one;
        # anything else gets a plain 200 telling the user to check the address.
        if { [string tolower [HTTP::uri]] starts_with "/abc" } {
            virtual VS2
        } elseif { [string tolower [HTTP::uri]] starts_with "/def" } {
            virtual VS3
        } else {
            HTTP::respond 200 content "Unrecognised URI, please recheck your address"
        }
    }

This would redirect incoming requests with "/abc" in the URI string to VS2 and incoming requests with "/def" in the URI string to VS3. Then I could create customised solutions for both applications in their respective virtual servers. So drawing this flow out, I think this is how it would look:

But what I don't understand is how the Return Traffic and the Persistence Profiles work in this scenario. How do I make sure that the traffic flows this way:

    User to Server: User > VS1 > VS2 > Pool 2 (Server)
    Server to User: Pool 2 (Server) > VS2 > VS1 > User

Do I do SNAT Auto Map on both VS1 and VS2, or do I just do SNAT Auto Map on VS2 with Auto Last Hop enabled? And on the question of persistence, if I intend to use source_addr persistence, I would definitely not be able to do a SNAT Auto Map on VS1; how do I then ensure that when the server responds, VS2 sends the traffic back to the user via VS1?

Issues with auto last hop, HSRP and peer-gateway
Hello Devs! How's everybody today? I'm trying to solve an issue we're having with a pair of VIPRIONs dual attached to two Cisco Nexus 7000. The thing is that both Nexus run HSRP and peer-gateway. BIG-IP has a transit network with the Nexus and both Nexus have another transit network to a firewall. What is happening is some returning traffic is coming from N7K-2 instead of N7K-1 (because of vPC and peer-gateway). And since auto last hop is enabled, F5 is complaining a lot and some connections are being reset. Which is bad. I read through KB9487, KB2211 and KB8290. Disabling auto last hop seems to fix the issue but it seems very drastic. What got my attention is that Last Hop Pool takes precedence over Auto Last Hop when one of the last hop pool members has died. But my question is: considering all last hop pool members are UP, what would happen if auto last hop was expecting traffic from last hop pool member 1 and received traffic from last hop pool member 2? Would it accept it (since it's a valid last hop pool member) or would it revert back to auto last hop behavior? Thanks!

Rafael
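The return-path behaviour both Martin's and Rafael's questions turn on (with auto last hop the reply leaves on the VLAN, and to the MAC, that delivered the request; without it the route table decides), modelled as an added example that is not code from the posts or from F5. The firewall MAC addresses, the single default route and the source-subnet anti-spoofing rule are assumptions constructed for the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology from Martin's post: firewall sub-interface and LTM VIP in each VLAN.
VLANS = {"VLAN_A": ipaddress.ip_network("10.0.1.0/24"),
         "VLAN_B": ipaddress.ip_network("10.0.2.0/24")}
FIREWALL_IP = {"VLAN_A": "10.0.1.1", "VLAN_B": "10.0.2.1"}
# Hypothetical MAC addresses for the two firewall sub-interfaces (not on the page).
FIREWALL_MAC = {"VLAN_A": "02:00:00:00:00:0a", "VLAN_B": "02:00:00:00:00:0b"}
# The LTM route table holds a single default route, as the question assumes.
DEFAULT_ROUTE = ("VLAN_A", FIREWALL_IP["VLAN_A"])

@dataclass
class Flow:
    client: str
    vip: str
    ingress_vlan: str
    last_hop_mac: str   # source MAC of the first packet, learned per connection

def vlan_of(ip: str) -> str:
    for name, net in VLANS.items():
        if ipaddress.ip_address(ip) in net:
            return name
    raise ValueError(f"{ip} is not in an attached VLAN")

def ingress(client: str, vip: str, src_mac: str) -> Flow:
    """A request reaches the VIP on the VIP's own VLAN; record which MAC delivered it."""
    return Flow(client, vip, vlan_of(vip), src_mac)

def egress(flow: Flow, auto_last_hop: bool) -> tuple[str, str]:
    """Return (vlan, next-hop MAC) for the response. With auto last hop the reply goes
    back out the ingress VLAN to the recorded MAC; otherwise the route table decides."""
    if auto_last_hop:
        return flow.ingress_vlan, flow.last_hop_mac
    vlan, _gateway_ip = DEFAULT_ROUTE       # 123.1.1.1 matches only the default route
    return vlan, FIREWALL_MAC[vlan]         # ARP-resolved MAC of that gateway

def firewall_accepts(src_ip: str, arrival_vlan: str) -> bool:
    """Anti-spoofing as described in the post: the source address must belong to the
    subnet of the sub-interface the packet arrives on, else the firewall drops it."""
    return ipaddress.ip_address(src_ip) in VLANS[arrival_vlan]

def response_delivered(client: str, vip: str, auto_last_hop: bool) -> bool:
    """End-to-end check for one request/response pair delivered by the firewall."""
    flow = ingress(client, vip, FIREWALL_MAC[vlan_of(vip)])
    vlan, _ = egress(flow, auto_last_hop)
    return firewall_accepts(flow.vip, vlan)
```

With the route table alone, replies for the VLAN B VIP leave on VLAN A and fail the firewall's source check; with auto last hop they follow the MAC that sent the request, which is also why a reply can go to whichever Nexus delivered the first packet.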