vlan
36 Topics

VLAN Failsafe failover settings change on STANDBY device - affect ACTIVE device?
We have two devices in an HA group but the failsafe is VLAN and set to fail over on both devices. If I turn off VLAN failsafe on the standby device, does that affect the HA group or ACTIVE device?
Solved, 420 Views, 0 likes, 1 Comment

F5 BIG-IP answers with a self-ip that is not associated with that VLAN
Hi, I am working on implementing a proxy-solution with the help of F5 BIG-IP to do SSL-decrypt. In short: Users surf the web, and the traffic hits the F5 internal VLAN over a fiber-trunk (2.1 and 2.2), the next hop for the traffic is a pool containing a proxy-solution (int 1.1). After the traffic has passed the proxy, it returns to the F5 on a different interface (1.2) and is Auto Mapped before being sent to the pool containing the internet facing router. But for some reason it all stops when the proxy tries to send the traffic back to the F5 on Int 1.2. In the tcpdump I can see that the F5 is responding to requests from the proxy with the same self-IP that is defined on the internal VLAN that is assigned to the fiber trunk. And for that reason the connection times out, and the users have no internet access.

A tracert from a client looks like this:

1 <1 ms 156 ms <1 ms 192.168.50.13 - Client
2 1 ms 147 ms <1 ms 192.168.50.1 - Router on the way
3 2 ms 1 ms 1 ms 192.168.1.12 - BIG-IP Local self-ip internal
4 2 ms 2 ms 3 ms 192.168.1.114 - Proxy IP
5 4 ms 211 ms 4 ms 192.168.1.12 - BIG-IP Local self-ip - Now on the vs_proxy_return VLAN (verified with tcpdump)
6 Host unreachable

Internal VLAN local Self-ip: 192.168.1.12
Internal VLAN floating Self-ip: 192.168.1.14
Proxy_return VLAN local Self-ip: 192.168.1.118
Proxy_return VLAN floating Self-ip: 192.168.1.119

The Proxy is connected directly to the F5, no switches involved. One TP into port 1 and out again of port 2. There is no NATing in the proxy, so the packet should be untouched.
Config:

ltm virtual /Common/vs_proxy {
    description
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_proxy
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/internal
    }
    vlans-enabled
}
ltm virtual /Common/vs_proxy_return {
    description ""
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_gateway
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/cp_proxy_return
    }
    vlans-enabled
}

Is this a bug, or am I doing something very very wrong here? This works on a customer I have, but on 1.4.1, this is done on 1.5.1 HF3.
809 Views, 0 likes, 12 Comments

BIG-IP 1600 VLAN bridge performance degradation
Hello, I have a BIG-IP 1600 series setup as part of my thesis work. The setup is as follows:

(VLAN=20) Client1 --- F5 --- Server1 (VLAN=10) 572 Mbit/s.
Client1 --- Cisco --- Server1 (No VLAN) 937 Mbit/s

In the setup I have two VLANs, one public and one private. I do bridging between the VLANs in the BIG-IP, but for some reason that downgrades the performance. In the bridged setup with two machines directly connected to the BIG-IP on two separated VLANs the reported speed is around 572 Mbit/s. For a normal link the iperf reported speed is 937 Mbit/s when the traffic is only directed through a Cisco switch. Is this normal behavior for the BIG-IP to degrade the performance, or am I doing something wrong? Thanks!
236 Views, 0 likes, 1 Comment

How to forward traffic to detached vlan?
VLANs are visible in the management plane. That makes it possible to run a local process that has access to such a vlan (it allows running custom applications on an F5 appliance, such as nodejs web servers). Is it possible to create a vlan interface that is purely virtual (not assigned to any physical interface) and forward traffic to it from e.g. an ip forwarding vs? Ultimately I'd like to test one L2 analyzer "inline" by running it on F5 and forwarding traffic to it. The final packet flow I'd like to achieve would be something like this:

world -> vlan_world -> ip_forward_vs -> vlan_detached_1 -> my_analyzer -> vlan_detached_2 -> vlan_lan -> lan

or a functional equivalent. The my_analyzer app forwards L2 packets in software (behaves like a bridge). If necessary I accept a solution using iRules. For now the only solution I see is to use 2 conventional vlans assigned to interfaces and make a short loop using a physical cable, but that would be a waste of 2 interfaces which I'd prefer to avoid.
490 Views, 0 likes, 1 Comment

How to add VLAN in tenant on F5r2600 running F5OS?
Hi, I have an F5 r2600 running F5-OS 1.3.x and we deploy 1 tenant (BIG-IP 15.x). We want to add a new VLAN on this tenant. But I think I heard that we need to assign the VLAN on F5-OS (Host/Hypervisor) instead of creating it on the BIG-IP tenant. Is that correct? How to add VLAN in tenant on F5r2600 running F5OS? Thank you
Solved, 1.5K Views, 0 likes, 2 Comments

Restricting traffic between Vlans.
We have an F5 servicing our DMZ. It hosts the external IPs and acts as a router for the DMZ servers.

                                        +--- [ VLAN_2110 ]
[ Internet ] ---- [ F/W ] ---- [ F5 ] --+
                                        +--- [ VLAN_2310 ]

Recently a new requirement has emerged to keep one group of Vlans from talking to another group. A for instance would be that VLAN_2110 and VLAN_2310 in the above sketch would not be allowed to talk to each other. Can the F5 do this?
742 Views, 0 likes, 3 Comments

Multiple Route Domains in same partition
Hi all, So my doubt is, is there anything wrong in creating more than one route domain in partition Common? I want to create Route Domain 3 (0 is the default and already exists), in order to separate the routing table of a VIP/Network that will be created for Internet traffic only. From what I know I will have to create:

1 - Vlan
2 - Route Domain
3 - Assign created Vlan to Route Domain
4 - Self IP like 1.1.1.248%3 and assign created Vlan to it.
5 - VIP like 1.1.1.1%3
6 - Nodes - 2.2.2.2%3
7 - Static Route - 1.1.1.0%3 Gateway 1.1.1.254%3

Is this correct, or do we have to pay attention to anything more? Is it better to create a partition for it, or is it fine to just have the 2 route domains in the same partition?
969 Views, 0 likes, 3 Comments

Viprion: Modify VLAN tags in bigip_base.conf
Hello friends. I unfortunately have no lab viprions to test this. I have two VLAN tag mismatches on one of my hosts, and that VLAN is on all 5 guests that reside on the host. I need to rectify this mismatch in order to deploy BIG-IQ, otherwise I get error conditions and offline guests. My friend gave me this process:

Take a backup of the bigip_base.conf
Edit the bigip_base.conf
tmsh load sys config verify
tmsh load sys config
Check the results, commit the change with tmsh save sys config

My question is, in doing this on the host, what will then happen with the bigip_base.conf on the guests? Does "load sys config" on the host make the guests update their bigip_base.conf file as well?
314 Views, 0 likes, 1 Comment

Adding vlan and selfip to F5 LTM in HA
We have 2 F5 LTM i2600 series physical devices running v13.1.3.2. We have an internal and external vlan. We now need to add an additional vlan for our internal Web servers. Let's call it WebVLAN. My question has to do with the fact that we currently have a route added to the F5 for the subnet where these Web Servers live. I would like to know the proper way to switch this subnet from a static route to a VLAN with a corresponding self ip, without any downtime. From my understanding the steps are:

Create a Vlan. Tag it to the proper Interface
Specify the action as "failover"
Create a unique SelfIP on each node and a Floating HA ip
Save. Will there be an issue at this point??
Remove the existing static route for this specific Vlan

I am not sure, however, of the order or if I have missed anything. Any advice is appreciated.
624 Views, 1 like, 4 Comments

Do I need a self-ip in the same subnet as my virtual servers, or a VLAN ID?
Hi all. So my external self IP is in the 10.251.12.0/24 subnet and my virtual servers are in the 10.251.10.0/24 subnet. However, I can't ping any of my vIPs from the F5 itself or outside of that network. I noticed that if I put the vIP in the 10.251.12.0/24 subnet I can ping it from the F5 as well as outside of the network. It's like my F5 doesn't want to advertise my virtual servers. Am I missing configuration here? I do not have a VLAN defined for the virtual servers, nor do I have a self-IP in that range. Should I?
1.4K Views, 0 likes, 6 Comments