vserver
3 Topics

BIG-IP in DMZ - Reverse traffic to public subnets clarification
Hi guys,

Please help me understand routing on a BIG-IP LTM device. We are using a quite old version on the box, 10.2.4. The problem we are having is related to traffic flows from the border firewall, which is connected to the public subnet and the F5 load balancer. We are experiencing connectivity problems from outside to the server pool behind the load balancer after we perform a switchover operation on the firewall cluster from the primary to the secondary node. Both firewall devices are in sync, so they are using the same configuration, and during the switchover the secondary device just takes the VIPs from the primary. I suspect that the issue lies on the LTM side.

What I can't understand right now is how BIG-IP returns traffic from the pool back to the clients on the Internet if the load balancer is already in the DMZ (it doesn't have public IPs assigned). The border firewall performs NAT translation of the destination IP address, leaving the clients' public IPs unchanged. This changed packet reaches the LTM vServer in VLAN20 (please take a look at the attached diagram) and, based on the vServer settings, traffic is directed to the POOL of web servers with the source changed to the self-IP of the LTM (because of the SNAT automap config). But the reverse path is not clear. Traffic is forwarded to the LTM, which in its turn will substitute the original public IP address of the Internet client. What then? Will traffic be directed based on the routing table? But in that case asymmetric routing will happen, because in our case the default route points to a different VLAN.

Here is our vserver config:

    ltm virtual VS_VSERVER {
        destination 10.0.20.150:https
        ip-protocol tcp
        mask 255.255.255.255
        partition APP20
        persist {
            TST_cookiePersistence {
                default yes
            }
        }
        pool POOL_WEB1
        profiles {
            TST_http_headerSource { }
            example.com {
                context clientside
            }
            tcp { }
        }
        rules {
            TST_redir
        }
        snat automap
    }

Thank you very much!
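The return path the post above asks about is easier to see with a small model. The following is an added example written for this page, not F5 code and not from the poster: it models the two-sided connection table a full proxy keeps for a SNAT-automap virtual server, and the "auto last hop" behaviour that BIG-IP enables by default, under which the client-side reply is sent back toward the L2 address the request arrived from instead of being looked up in the routing table. With auto last hop disabled the reply follows the default route, which is the asymmetric case described in the post. The VS address comes from the posted config; the self IP, pool member, VLAN names, firewall MACs and client addresses are constructed assumptions, and recording the last hop once at flow creation is a simplification of this model.

```python
"""Illustrative model (not F5 code) of a SNAT-automap full proxy with a
two-sided connection table and auto-last-hop return routing.
All addresses, MACs, VLAN names and ports except the VS are constructed
for this example and are not taken from the original post."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]

VS: Addr = ("10.0.20.150", 443)            # from the posted virtual server
SERVER_SIDE_SELF_IP = "10.0.30.5"          # assumed: self IP used by SNAT automap
POOL_MEMBER: Addr = ("10.0.30.11", 443)    # assumed: a member of the web pool
FIREWALL_VLAN = "VLAN20"                    # where client traffic arrives (post)
SERVER_VLAN = "VLAN30"                      # assumed server-side VLAN
DEFAULT_GW_VLAN = "VLAN99"                  # assumed: where the default route points
FW_MAC_PRIMARY = "00:00:5e:00:01:01"        # constructed firewall MACs
FW_MAC_SECONDARY = "00:00:5e:00:01:02"


@dataclass
class Packet:
    src: Addr
    dst: Addr
    ingress_mac: str = ""   # L2 source MAC the packet arrived from
    egress: str = ""        # next hop the proxy chose when forwarding


@dataclass
class Flow:
    client: Addr            # real client (public IP, port)
    snat: Addr              # (self IP, ephemeral port) the pool member sees
    member: Addr
    last_hop_mac: str       # MAC the first client packet came from


class FullProxy:
    """Connection table with a client-side and a server-side lookup key."""

    def __init__(self, auto_last_hop: bool = True):
        self.auto_last_hop = auto_last_hop
        self.client_side: Dict[Tuple[Addr, Addr], Flow] = {}
        self.server_side: Dict[Tuple[Addr, Addr], Flow] = {}
        self._next_port = 20000

    def client_to_server(self, pkt: Packet) -> Packet:
        """Client packet hits the VS; SNAT automap rewrites the source to
        the self IP and the destination to the chosen pool member."""
        key = (pkt.src, pkt.dst)
        flow = self.client_side.get(key)
        if flow is None:
            snat = (SERVER_SIDE_SELF_IP, self._next_port)
            self._next_port += 1
            # model assumption: the last hop is recorded when the flow is created
            flow = Flow(pkt.src, snat, POOL_MEMBER, pkt.ingress_mac)
            self.client_side[key] = flow
            self.server_side[(POOL_MEMBER, snat)] = flow
        return Packet(src=flow.snat, dst=flow.member, egress=SERVER_VLAN)

    def server_to_client(self, pkt: Packet) -> Optional[Packet]:
        """Pool member reply addressed to the self IP: match the server-side
        entry, restore VS as source and the real client as destination, then
        pick the next hop from the recorded last hop or the routing table."""
        flow = self.server_side.get((pkt.src, pkt.dst))
        if flow is None:
            return None                     # no matching connection: not ours
        reply = Packet(src=VS, dst=flow.client)
        if self.auto_last_hop:
            reply.egress = f"{FIREWALL_VLAN}/{flow.last_hop_mac}"
        else:
            reply.egress = f"{DEFAULT_GW_VLAN}/default-route"   # asymmetric path
        return reply


def firewall_failover_scenario(auto_last_hop: bool = True) -> Dict[str, str]:
    """One connection is opened through the primary firewall, the cluster
    fails over, a second connection arrives via the secondary, and both pool
    replies are returned. Returns the egress chosen for each reply."""
    proxy = FullProxy(auto_last_hop)
    client_before = ("203.0.113.10", 51000)      # constructed (TEST-NET-3)
    client_after = ("203.0.113.10", 51001)
    req1 = proxy.client_to_server(Packet(client_before, VS, FW_MAC_PRIMARY))
    # switchover: the secondary now owns the firewall VIP with its own MAC
    req2 = proxy.client_to_server(Packet(client_after, VS, FW_MAC_SECONDARY))
    rep1 = proxy.server_to_client(Packet(POOL_MEMBER, req1.src))
    rep2 = proxy.server_to_client(Packet(POOL_MEMBER, req2.src))
    return {"existing_connection": rep1.egress, "new_connection": rep2.egress}


if __name__ == "__main__":
    print("auto last hop on :", firewall_failover_scenario(True))
    print("auto last hop off:", firewall_failover_scenario(False))
```

In this model the flow created before the switchover keeps the primary firewall's MAC as its return next hop, while the flow created afterwards uses the secondary's; whether the primary still forwards those replies after a switchover is a property of the firewall cluster that the model does not try to answer.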
Is an entire /24 network typically used for vIPs in an F5 deployment?

Hi all,

I was wondering what the typical amount of IPs everyone allocates for vIPs in their F5 deployment is. The way I understand it, each Service Graph (Virtual Server) will use at least one virtual IP address. Is it standard practice to have all of your vIPs in one subnet on the F5? If I'm load balancing DNS, Web, Oracle, etc., all of those virtual servers use different IP addresses, but they can all be on the same subnet, correct?

Thanks all!

(Solved)

Forwarding VSERVER (nodes and VSERVER in same subnet)
I have seen in the ISE deployment guide that they mentioned two different subnets to have a Forwarding VSERVER for the PSN node, as shown in the snapshot below:

But if we have the ISE PSN node in the same subnet as the VSERVER, how would we achieve the forwarding VIP? I have assigned the same IP as the ISE PSN node on the FORWARDING VSERVER and pointed the PSN node to the F5 SelfIP; it worked, but when I restart the PSN it wouldn't come up, since it tries to check if there is an existing IP in the network?