vlan
36 Topics

Help needed to Explain what Vlan and Tunnel Traffic is for?
Hi, I am new to F5 and I am trying to configure a new virtual server. One of the parameters is the vlan and tunnel traffic, which by default is enabled on. Help needed here to explain what this is for. If I configure my virtual server to have virtual address in VLAN_3, and I enable vlan traffic only on VLAN-3, does this mean only requests sourced from VLAN-3 network will be accepted by F5 ltm?

Thank You

2.4K Views | 0 likes | 4 Comments

How to add VLAN in tenant on F5r2600 running F5OS?
Hi, I have an F5 r2600 running F5-OS 1.3.x and we deploy 1 tenant (BIG-IP 15.x). We want to add a new VLAN on this tenant. But I think I heard that we need to assign the VLAN on F5-OS (Host/Hypervisor) instead of creating it on the BIG-IP tenant. Is that correct? How to add VLAN in tenant on F5r2600 running F5OS?

Thank you

Solved | 1.4K Views | 0 likes | 2 Comments

Do I need a self-ip in the same subnet as my virtual servers, or a VLAN ID?
Hi all. So my external self IP is in the 10.251.12.0/24 subnet and my virtual servers are in the 10.251.10.0/24 subnet. However, I can't ping any of my vIPs from the F5 itself or outside of that network. I noticed that if I put the vIP in the 10.251.12.0/24 subnet I can ping it from the F5 as well as outside of the network. It's like my F5 doesn't want to advertise my virtual servers. Am I missing configuration here? I do not have a VLAN defined for the virtual servers, nor do I have a self-IP in that range. Should I?

1.3K Views | 0 likes | 6 Comments

Multiple Route Domains in same partition
Hi all,

So my doubt is, is there anything wrong in creating more than one route domain in partition Common? I want to create Route Domain 3 (0 is the default and already exists), in order to separate the routing table of a VIP/Network that will be created for Internet traffic only. From what I know, I will have to create:

1 - Vlan
2 - Route Domain
3 - Assign created Vlan to Route Domain
4 - Self IP like 1.1.1.248%3 and assign created Vlan to it.
5 - VIP like 1.1.1.1%3
6 - Nodes - 2.2.2.2%3
7 - Static Route - 1.1.1.0%3 Gateway 1.1.1.254%3

Is this correct, or do we have to pay attention to anything more? Is it better to create a partition for it, or is it fine to just have the 2 route domains in the same partition?

899 Views | 0 likes | 3 Comments

F5 BIG-IP answers with a self-ip that is not associated with that VLAN
Hi, I am working on implementing a proxy solution with the help of F5 BIG-IP to do SSL decrypt. In short: users surf the web, and the traffic hits the F5 internal VLAN over a fiber trunk (2.1 and 2.2). The next hop for the traffic is a pool containing a proxy solution (int 1.1). After the traffic has passed the proxy, it returns to the F5 on a different interface (1.2) and is Auto Mapped before being sent to the pool containing the internet-facing router. But for some reason it all stops when the proxy tries to send the traffic back to the F5 on Int 1.2. In the tcpdump I can see that the F5 is responding to requests from the proxy with the same self-IP that is defined on the internal VLAN that is assigned to the fiber trunk. And for that reason the connection times out, and the users have no internet access.

A tracert from a client looks like this:

    1    <1 ms   156 ms    <1 ms  192.168.50.13 - Client
    2     1 ms   147 ms    <1 ms  192.168.50.1 - Router on the way
    3     2 ms     1 ms     1 ms  192.168.1.12 - BIG-IP Local self-ip internal
    4     2 ms     2 ms     3 ms  192.168.1.114 - Proxy IP
    5     4 ms   211 ms     4 ms  192.168.1.12 - BIG-IP Local self-ip - Now on the vs_proxy_return VLAN (verified with tcpdump)
    6  Host unreachable

Internal VLAN local Self-ip: 192.168.1.12
Internal VLAN floating Self-ip: 192.168.1.14
Proxy_return VLAN local Self-ip: 192.168.1.118
Proxy_return VLAN floating Self-ip: 192.168.1.119

The Proxy is connected directly to the F5, no switches involved. One TP into port 1 and out again of port 2. There is no NATing in the proxy, so the packet should be untouched.
Config:

    ltm virtual /Common/vs_proxy {
        description
        destination /Common/0.0.0.0:0
        mask any
        pool /Common/pool_proxy
        profiles {
            /Common/fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            /Common/internal
        }
        vlans-enabled
    }
    ltm virtual /Common/vs_proxy_return {
        description ""
        destination /Common/0.0.0.0:0
        mask any
        pool /Common/pool_gateway
        profiles {
            /Common/fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            /Common/cp_proxy_return
        }
        vlans-enabled
    }

Is this a bug, or am I doing something very very wrong here? This works on a customer I have, but on 1.4.1, this is done on 1.5.1 HF3.

797 Views | 0 likes | 12 Comments

Can one host/node be part of multiple VLANs?
This is not really an F5-specific question, but will help me clarify few VLAN/trunking concepts.

Q: Can one host/node be part of multiple VLANs? For example, on my Linux host if I exec the following commands, will it receive packets for VLAN 1234 and VLAN 4567 both? (provided all other network configurations have been done and are working).

    vconfig add eth0 1234
    vconfig add eth0 4567

Thanks,
JVV

Solved | 734 Views | 0 likes | 3 Comments

Restricting traffic between Vlans.
We have an F5 servicing our DMZ. It hosts the external IPs and acts as a router for the DMZ servers.

                                        +--- [ VLAN_2110 ]
[ Internet ] ---- [ F/W ] ---- [ F5 ] --+
                                        +--- [ VLAN_2310 ]

Recently a new requirement has emerged to keep one group of Vlans from talking to another group. A for instance would be that VLAN_2110 and VLAN_2310 in the above sketch would not be allowed to talk to each other. Can the F5 do this?

709 Views | 0 likes | 3 Comments

Two Networks in the same VLAN? Is it possible?
From a technical perspective, it seems like it would be simple to do. Create a new self-IP from a new subnet, but just assign it in the same VLAN and have your servers set their default GW to that self-IP. The only issue I'm running into now is getting the servers from the old network to talk to the new. I have static routes built out on the OEs, but wasn't sure if there were any additional configurations that were needed on the F5.

Thanks

699 Views | 0 likes | 5 Comments

Adding vlan and selfip to F5 LTM in HA
We have 2 F5 LTM i2600 series physical devices running v13.1.3.2. We have an internal and external vlan. We now need to add an additional vlan for our internal Web servers. Let's call it WebVLAN.

My question has to do with the fact that we currently have a route added to the F5 for the subnet where these Web Servers live. I would like to know the proper way to switch this subnet from a static route to a VLAN with a corresponding self ip, without any downtime. From my understanding the steps are:

- Create a Vlan.
- Tag it to the proper Interface
- Specify the action as "failover"
- Create a unique SelfIP on each node and a Floating HA ip
- Save. Will there be an issue at this point??
- Remove the existing static route for this specific Vlan

I am not sure however of the order or if I have missed anything. Any advice is appreciated.

599 Views | 1 like | 4 Comments

Renaming VLANs on a Viprion chassis and vCMP Guests
I'm in the unenviable position of having to rename a dozen+ VLANs on a Viprion chassis and vCMP guests. The reason stems from having to combine guests from 2 pairs of chassis where one pair is being decommissioned. Unfortunately the original admin who set up the chassis did not use the same VLAN naming convention for both sets of chassis, and the same VLAN tags exist in both places. This results in guests that are brought over from the old chassis not being able to access the network as the VLAN names do not match up. The destination is 2 chassis where the LTMs are in an active-standby pair with the members of the pair being split between the 2 chassis. (Same situation on the chassis I'm migrating from.)

Can I get a sanity check on what I'd like to do here?

- Force the guests offline on the secondary chassis.
- Shut down the guests.
- Rename the VLANs on the Viprion by editing bigip.conf and bigip_base.conf
- load sys config verify
- load sys config (or just reboot the chassis to be thorough)
- Bring up one guest offline, repeat the same procedure on the guest.
- Failover during a maintenance window and test.
- Repeat for other guests.
- If everything works there, repeat the same procedure on the primary chassis.
- Resync the configs once all changes are made and tested.

At this point the guests that are migrated over should be able to access the newly renamed VLANs as well. Am I missing anything here?

555 Views | 0 likes | 2 Comments