routing
34 Topics

Self IP in different subnet and VS and pool members are in same subnet then Self ip

Hi Team, I'm working on one of the installations where the requirement is that the VS (e.g. 10.10.10.X) and the pool members are in the same subnet 10.10.10.X, whereas the F5 Self IPs will be in a different subnet, e.g. 10.10.20.X. I would like to understand how the routing will work for traffic hitting the VS (we need the switch/router to point the route for the subnet 10.10.10.X to the F5 self IP, e.g. 10.10.20.1), from the VS to the pool members, and for the return traffic from the pool members to the client. Can someone help?

Routing application traffic through management interface

Hello all, I have a PoC setup in our lab with a management, internal and DMZ network and have a problem with routing. The F5 always sends the connection to the ADFS backend out from its DMZ interface, even though its management interface is in the same subnet as the ADFS.

MGMT: 10.x.250.0/24
DMZ: 10.x.251.128/25
Internal: 10.x.251.0/25 (not used here)

I read this information which seems to suggest that application traffic must always be separate from management traffic; TMM handles the application traffic and the underlying Linux handles the management traffic: https://clouddocs.f5.com/cli/tmsh-reference/latest/modules/sys/sys-management-route.html

"The management interface is available on all switch platforms and is designed for management purposes. You can access the browser-based Configuration utility and command line configuration utility through the management port. You cannot use the management interface in traffic management VLANs."

So I understand from that that the MGMT is completely separate and I cannot make a routing hack to use the management interface for the ADFS application traffic. I can't change the location of the AD FS server. I could just open the firewall for the F5 connection from the DMZ to the management network, but this is quite annoying as the F5 management and AD FS are directly connected on the same subnet. Is there any way to instruct the F5 to use its management interface 10.x.250.150 to contact the AD FS?

Thanks, Peter

Source based routing (Policy based routing) on BIG-IP F5

I've multiple DHCP pools for different VPN profiles (different subnets) on BIG-IP APM, and I want to route internet traffic for the users through VPN (force all traffic through VPN). I have multiple self IPs through which I have connectivity to different sub-interfaces on the perimeter firewall and core firewall. My current routing table is as below:

Internal subnet > Core Firewall
Default Route > Perimeter Firewall (DMZ Interface)

My default route on the BIG-IP F5 is the sub-interface of the perimeter firewall which is in the DMZ to entertain the requests from the internet coming to the DMZ. By default, all the internet traffic coming from VPN users takes the default route and hits the DMZ interface on the perimeter, but I want to forward all VPN users' traffic to another sub-interface of the perimeter firewall (using another self IP). How can I achieve this? I want to do routing as below:

Source = VPN_SUBNET > NEXT_HOP (DEFAULT ROUTE) = PERIMETER LAN_INTERFACE

Health Monitor being sourced from Management interface causing async routing

I have a health monitor that is being sourced from the management interface. This was discovered by accident when I was doing a TCPDUMP on the VLAN interface the traffic should have been sourced from.

Example:
VLAN 10 interface on F5: 10.0.0.1
Destination IP address of device being monitored: 10.0.0.6

When I did a tcpdump on the VLAN to troubleshoot a separate problem I didn't see the traffic. I could see other health monitor traffic using the VLAN for devices on the subnet, and I know the routing and connectivity is working fine. Wondering what reason there would be for the health monitor not to use the VLAN associated with the subnet and to use the management IP address to source the health traffic instead. FYI the health monitor is working and responding as expected, but I would just like the traffic to use the correct path, via the connected VLAN, instead of sending it around the world and through various firewalls to reach its destination (lucky the firewalls are permitting the traffic).

Thanks

inline configuration

Hi, I have the configuration: NET => FW => F5 => SRV

I have VS1 which forwards traffic to SRV (no SNAT used; not possible to do XFF, so the source address of the client is seen). F5 is the def gw for SRV. On F5 there is also a forwarding IP VS 0/0 and a def route to FW. FW also has a static route for the SRV subnet pointing to F5.

Questions:

1. A client from the net goes to VS1 (SNAT off) and is redirected to SRV (source address is seen, destination NAT is in place to pass traffic to SRV). I assume that return traffic from SRV is hitting VS 0/0 (am I right?). VS 0/0 has SNAT off. And I also assume that the source address of SRV is changed to the VS1 IP (am I also right?). If not, should I do some SNAT on VS 0/0?

2. Second example. When the server is originating a connection to NET it hits VS 0/0, is that right? No SNAT is configured, so the source address of the server is seen outside? The route on FW passes traffic back to SRV via F5.

If point 1 is true (so when return traffic is automatically SNATed back to the VS1 IP), what determines whether traffic is SNATed or not? Is it the previously created session/entry for DNAT when traffic originating from Net hits VS1?

BIG-IP LTM - do i need to purchase AFM to make the LTM VE into a decent corporate firewall?

Hi Guys, first post. I'm new to F5 and an SA at my company has proposed using a pair of LTM VEs as the primary firewall in an enterprise network. However, he's been informed that we don't need to purchase the AFM features and can do this with the normal LTM license and the ARM for OSPF. I need to implement the design and migrate the config (policies, NATs, routing etc.) from a Checkpoint to the BIG-IP LTM. Reckon I need the AFM, or is it possible without? I'm currently doing the essentials training and have purchased a book on iRules.

Many Thanks

F5 ltm inter-vlan not working

Hi all, I have two server VLANs and a FW as GW for those VLANs, and an F5 LTM in SNAT mode. We have an issue with the FW and we need to move the GW from the FW to the F5. When we configure the GW in the servers to the F5 self IP it works fine in the same VLAN, but the two VLANs can't communicate with each other. From the F5 we can reach all servers. We have configured a wild VS IP and L2 but it is still not working. What is the issue?

NAT Exemption / Next-Hop Routing

Hey there, I got a tricky situation here, let me try to outline it as simply as possible. I do have a BigIP LTM running 10.2.4HF7 here which has one Uplink-VLAN (public IP space), several internal VLANs (private IP space divided up into /24s) and one link VLAN which goes directly to a Cisco ASA firewall used for remote dial-in and IPSEC site2site connections.

I'd like to have local connections (from one VLAN to the other) being routed and not NATed, that is, the source IP should stay intact, so if vlan1 wants to connect to vlan2, this should be possible and the source IP should not be changed. If the inside VLANs try to access the internet, they should be NATed of course for internet access, and if the inside VLANs try to access a remote subnet which is behind an IPSEC site2site tunnel, the packets should also not be NATed and should be forwarded to the next hop, which then takes care of throwing these packets into the IPSEC tunnel.

I've tried so many things now that I don't even recall them all, but basically, I think I have a misconception of how routing works on the BigIP. Let's assume the following subnets:

outside (internet facing) vlan: 110.0.0.0/24
inside vlans: 192.168.1.0/24, 192.168.2.0/24
link subnet to the Cisco ASA firewall: 192.168.99.0/24
remote subnets: 192.168.100.0/24

I have added a route on the BigIP which routes traffic to 192.168.100.0/24 via 192.168.99.0/24 to specify the next hop. I've also added an automap SNAT for my internal VLANs and things seemed to work just fine until I realized that connections to the remote subnets did not keep their source IP; instead they were NATed to the IP on the link subnet (which is what automap does essentially) and therefore the packets did not find their way into the tunnel, because the link subnet is not part of the IPSEC site2site tunnel configuration. I've played with several iRule examples I've found here in the forums but couldn't make it work, things like conditional SNAT, etc.

I think I must have a design flaw somewhere in my configuration and am hoping for some valuable input here. If you have any questions, please feel free to ask.

Thanks in Advance, Alex

BGP Route redistribution

Hi Guys, I'm playing around with BGP between F5 and Cisco and RHI and I have a quick question regarding route-map matching.

F5 config:

router bgp 1000
 bgp graceful-restart restart-time 120
 redistribute kernel route-map F5-JUN
 neighbor 172.24.101.6 remote-as 35000
 neighbor 172.24.101.6 soft-reconfiguration inbound
 neighbor 172.24.101.6 capability graceful-restart
!
ip prefix-list PREFIX seq 5 permit 192.168.200.0/24
!
route-map F5-JUN permit 10
 match ip address prefix-list PREFIX

Cisco:

router bgp 35000
 bgp log-neighbor-changes
 neighbor 172.24.101.5 remote-as 1000

Configuration is quite simple; my VIP address is 192.168.200.1. My goal is to advertise /32s to the Cisco neighbor without manipulating the prefix-list every time there is a new /32 from this subnet. When I'm using 192.168.200.0/24 in the prefix list, the VS route is not being advertised to the neighbor, which shouldn't be an issue as the prefix-list is configured to match the first 3 octets. Is this expected behavior in F5? Then when I reconfigure the prefix list to exactly match that VIP (ip prefix-list PREFIX seq 5 permit 192.168.200.1/32), route advertisement is working fine. I'm using BIG-IP v11.4.1HF3.

BIG-IQ device discovery issue - no route

Hi guys, trying to discover BIG-IP devices via a mgmt interface of the BIG-IQ and getting the "no route to host" error. I have only the mgmt interface on this BIG-IQ VE with a default mgmt route and a specific mgmt route to the BIG-IP device. ping and trace work fine but 443 and 22 fail with "no route to host".

[root@bigiq1:Active:Standalone] config tmsh list sys management-route
sys management-route ccnet {
    description configured-statically
    gateway 10.10.10.1
    mtu 1500
    network 10.20.20.0/24
}
sys management-route default {
    description configured-statically
    gateway 10.10.10.1
    mtu 1500
    network default
}

[root@bigiq1:Active:Standalone] config ping 10.20.20.130
PING 10.20.20.130 (10.20.20.130) 56(84) bytes of data.
64 bytes from 10.20.20.130: icmp_seq=1 ttl=54 time=1.09 ms
64 bytes from 10.20.20.130: icmp_seq=2 ttl=54 time=0.947 ms
^C
--- 10.20.20.130 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1776ms
rtt min/avg/max/mdev = 0.947/1.023/1.099/0.076 ms

[root@bigiq1:Active:Standalone] config curl -k -v -X GET https://admin:admin@10.20.20.130/mgmt/shared/echo
* About to connect() to 10.20.20.130 port 443 (0)
*   Trying 10.20.20.130... No route to host
* couldn't connect to host
* Closing connection 0
curl: (7) couldn't connect to host

[root@bigiq1:Active:Standalone] config ssh 10.20.20.130
ssh: connect to host 10.20.20.130 port 22: No route to host

Any advice will be appreciated.

Mike