LTM source based routing, different default gateway for each Vlan
Hi all, I would like to get my routing assumptions confirmed by somebody who already has experience with source based routing on LTM. Or, in case the assumption is not correct, I would be happy to get help with it.

Imagine the following situation. Servers reside in Vlan A and Vlan B behind a firewall. Each Vlan has a subinterface on the firewall and the firewall's IP is the default gateway for the particular Vlan. This is clear, no need for any special routing:

                  |              |
       -----------------------------------
       |            FIREWALL             |
       |                                 |
       |   10.0.1.1           10.0.2.1   |
       -----------------------------------
             |                   |
             |                   |
          VLAN A              VLAN B
             |                   |
             |                   |
          SERVERS             SERVERS
         10.0.1.60           10.0.2.60
         10.0.1.61           10.0.2.61

Now I need to be able to do some load balancing in both Vlans, so I introduce LTM in the following way:

                  |              |
       -----------------------------------
       |            FIREWALL             |
       |                                 |
       |   10.0.1.1           10.0.2.1   |
       -----------------------------------
             |                   |
             |                   |
          VLAN A              VLAN B
             |                   |
             |                   |
       ---------------------------------------
       |  VIP:10.0.1.15      VIP:10.0.2.15   |
       |               F5 LTM                |
       |                                     |
       |  SNAT:10.0.1.25     SNAT:10.0.2.25  |
       ---------------------------------------
             |                   |
             |                   |
          VLAN A              VLAN B
             |                   |
             |                   |
          SERVERS             SERVERS
         10.0.1.60           10.0.2.60
         10.0.1.61           10.0.2.61

So the LTM (VIP, SNAT) shares the same subnet with the backend servers. This allows clients to reach the backend servers either way:

- directly from the firewall: client->firewall->server, and on the way back it's the server's default gateway which points the packet from the server back to the firewall.
- via LTM through the VIP: client->firewall->VIP->SNAT->server. On the way back the server sends the packet back to the SNAT, so it's: server->SNAT->VIP->firewall->client.

Now to my routing question. I don't know the IPs of our clients, they can come from any subnet. So on the F5 I need a default route towards the firewall for each Vlan, but the response packet must adhere to the same Vlan through which the request came in, otherwise the firewall will drop the response packet (anti-spoofing).
Basically I need to achieve the following, for example:

    REQUEST:  client 123.1.1.1 -> firewall 10.0.1.1 -> F5 VIP 10.0.1.15 -> F5 SNAT 10.0.1.25 -> SRV 10.0.1.60
    RESPONSE: 10.0.1.60 -> 10.0.1.25 -> 10.0.1.15 -> !!! 10.0.1.1 !!! -> 123.1.1.1

    REQUEST:  client 123.1.1.1 -> firewall 10.0.2.1 -> F5 VIP 10.0.2.15 -> F5 SNAT 10.0.2.25 -> SRV 10.0.2.60
    RESPONSE: 10.0.2.60 -> 10.0.2.25 -> 10.0.2.15 -> !!! 10.0.2.1 !!! -> 123.1.1.1

Does the Auto Last Hop feature solve this 'source based routing' problem? If it does, do I still need anything else in the F5 routing table, for example to reach the backend servers? Or can I leave the routing table empty (assuming the F5 should be able to reach directly attached networks)?

Thanks.
Martin
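A small Python model of the return-path question in the post (an added example, not code from the post or from F5). It shows why a plain routing table cannot express the requirement: the lookup is keyed on the destination only, so the same client address 123.1.1.1 can never get two different gateways, whereas a last-hop rule hands each reply back to the firewall address that delivered the request, which the firewall's anti-spoofing check then accepts. The VLAN names, the anti-spoofing model and the single default route via 10.0.1.1 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the post's topology: one firewall subinterface (default gateway) and one F5 VIP per VLAN.
VLANS = {
    "VLAN A": {"net": ipaddress.ip_network("10.0.1.0/24"), "firewall": "10.0.1.1"},
    "VLAN B": {"net": ipaddress.ip_network("10.0.2.0/24"), "firewall": "10.0.2.1"},
}
# Clients come from unknown subnets, so a plain routing table can only hold a default route;
# here it points at the VLAN A firewall address (constructed choice).
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "10.0.1.1")]

@dataclass
class Connection:
    client: str    # client address, reachable only through the firewall
    vip: str       # F5 VIP the request arrived on
    last_hop: str  # firewall address that delivered the request (what a last-hop rule remembers)

def vlan_of(ip: str):
    """Name of the VLAN whose subnet contains ip, or None for off-net addresses."""
    for name, vlan in VLANS.items():
        if ipaddress.ip_address(ip) in vlan["net"]:
            return name
    return None

def route_lookup(dst: str):
    """Longest-prefix match on the destination only; the ingress VLAN plays no part."""
    for net, gateway in sorted(ROUTES, key=lambda r: r[0].prefixlen, reverse=True):
        if ipaddress.ip_address(dst) in net:
            return gateway
    return None

def response_next_hop(conn: Connection, auto_last_hop: bool) -> str:
    # Last-hop rule: reply to the hop the request came from.
    # Otherwise the destination-based routing table decides.
    return conn.last_hop if auto_last_hop else route_lookup(conn.client)

def firewall_accepts(conn: Connection, next_hop: str) -> bool:
    # Anti-spoofing model: a reply sourced from a VIP must arrive on the
    # firewall subinterface that serves that VIP's own VLAN.
    return vlan_of(next_hop) == vlan_of(conn.vip)

def simulate(conn: Connection, auto_last_hop: bool):
    """Return (next hop chosen by the F5, whether the firewall accepts the reply)."""
    next_hop = response_next_hop(conn, auto_last_hop)
    return next_hop, firewall_accepts(conn, next_hop)
```

Running `simulate` for the VLAN B request with the last-hop rule off returns 10.0.1.1 and a rejected reply; with it on, the reply goes back via 10.0.2.1 and is accepted.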