Dear Techies, For Cloud design The following are the design options considered for the Implementation of F5. we have F5 1600 having Four Gigabit Copper Interfaces. Creation of three Administrative Partitions 1) Cloud_Provider 2) Tenant_Internal 3) Tenant_Internet Creation of Default route domain under each partition say 1) Cloud_Provider Servers Route Domain under Cloud_Provider (Administrative partition) 2) Tenant Internal Server Domain under Tenant_Internal (Administrative partition) 3) Tenant Internet Server Domain under Tenant_Internal (Administrative partition) Bunding two Physical Interfaces ( 1.1 , 1.2 ) under Trunk for Cloud_Provider and Tenant_Internal Seperate External VLAN's will be created for Cloud_Provider and Tenant_Internal Segments for the Users to access the VIPs.Bunding two Physical Interfaces ( 1.3 , 1.3 ) under Trunk for Tenant_Internet. Clarifications: For Cloud_Provider Internal Servers i would like to load balance for five VLANs say ( VLAN 100 - 104 ). I have created one External VLAN say VLAN: 105 for Virtual IP's. Do i have to create five self IP address for the Five VLAN which i am going to loadbalance ? Can i pass both Internal and External VLAN under the same Trunk ? Can two Administrative Partition can be configured under the same trunk say ( Cloud_Provider and Tenant_Internal ) Is there any limitation in creating Administrative partitions in F5 1600.

You don't need to have a VLAN specifically for VIPs. Just route the IP subnet you want to use for VIPs to a self IP on any appropriate VLAN. So, for instance, create the external VLAN using a /29 or /30 IP subnet as appropriate. Then route say, 10.10.10.0/24 (your VIP range) from the core switch or firewall (or whatever) over that external VLAN, to the relevant self IP on the F5. If you did create 5 VLANs, yes, each one will need a self IP. In the F5 world, a trunk is a logical bundling of multiple physical interfaces, independent of L2 VLANs. Whatever you can do with an interface, you can do with a trunk. You can tag multiple VLANs over any kind of interface. APs have no direct relation to physical interfaces, but Route Domains do relate to VLANs and they exist within APs. A VLAN (rather than physical interface) can only be present in one RD. Multiple RDs can exist in a single AP. A trunk can carry tagged VLAN traffic for multiple RDs even if they are in different APs. See here: https://devcentral.f5.com/articles/v10-a-look-at-route-domains

Thanks for your reply, For your first reply i would like to get further clarification. Example 100 - 104 VLAN's are the real Server VLANs. 105 VLAN is the VIP VLAN , which will have virtual IP address for all the real IP Server VLANs. I am planning to use the two IP address in the 105 VLAN for the Firewall , and three IP address in my Load balancer for Self IP of the redundant box and Floating address. My question is do i still need to have a self IP address in the Real server VLANs like 100-104 .. As per my understanding the SNAT Automap is configured thus if any request from Client comes to my Virtual Servers in VLAN 105, then my F5 will do a SNAT for the source IP address with the Virtual IP address and the destination ip address is the real server IP address. Kindly let me know the best practices ? or should i have Self IP address for the all the internal VLAN for which am doing load balancing. Since this is the Cloud Setup, may be tomorrow i will get ten more VLAN which has real servers , i dont want to create Self IP address for each Internal Real server VLAN. Thanks, Arun

Thanks much for your detailed explanation. The following are my understanding from your replies. I will create a separate VLAN say /28 or /29 for routing between the LoadBalancer and the Firewall.I will have /24 or /23 IP address pool as VIP segment for each Tenant but will not assign it to any VLAN.For each Tenant Internal VLAN say ( 100 - 104 ) i will create an Self IP address, thus SNAT automap is applied.I don't want my Servers to have gateway as F5 , since i have few servers with in the Real Server VLAN which doesn't require Load balancing. Creation of three Administrative Partitions a) Cloud_Provider b) Tenant_Internal c) Tenant_Internet Creation of Default route domain under each partition say I) Cloud_Provider Servers Route Domain under Cloud_Provider (Administrative partition) II) Tenant Internal Server Domain under Tenant_Internal (Administrative partition) III) Tenant Internet Server Domain under Tenant_Internal (Administrative partition) Bunding two Physical Interfaces ( 1.1 , 1.2 ) under Trunk for Cloud_Provider and Tenant_Internal Seperate External VLAN's will be created for Cloud_Provider and Tenant_Internal Segments for the Users to access the VIPs.Bunding two Physical Interfaces ( 1.3 , 1.4 ) under Trunk for Tenant_Internet. Regards, Arun

You're welcome. Sounds good Correct - just make sure you route those subnets to the F5 on the firewall, over the small routed subnet You'll need to specify SNAT Automap in the configuration for each Virtual Server but yes, the SNAT will use the self IP of the relevant VLAN OK, shouldn't be an issue as long as you apply the SNAT OK Sure, in F5 terminology the Trunk is the bundle, VLAN tagging is called, err VLAN tagging (rather than trunking as in the Cisco world) 7. If you are going to do that, there's no point in the small routed segment we've discussed in 1) is there? Sure, as per 6)

! Kindly advice if any other changes required Only information have not informed is the diagram is the Administrative partition. The F5 connecting to Aggregation switch will have two AP .. i.e. Cloud_Internal and TenantA_Internal. The F5 Connecting to DMZ switch will have two AP Cloud_DMZ and TenantA_DMZ. Let me know how to map the VLAN's for the AP.. and also like to understand the Routed VLAN has to be seperate for each tenant since i will bind each tenant under different VRF. Thanks Arun

Forum Discussion

Arunprabhu_1147

Nimbostratus

Apr 21, 2014

Multi tenancy design, Route domain

Dear Techies,

For Cloud design The following are the design options considered for the Implementation of F5. we have F5 1600 having Four Gigabit Copper Interfaces.

Creation of three Administrative Partitions

1) Cloud_Provider 2) Tenant_Internal 3) Tenant_Internet
Creation of Default route domain under each partition say

1) Cloud_Provider Servers Route Domain under Cloud_Provider (Administrative partition) 2) Tenant Internal Server Domain under Tenant_Internal (Administrative partition) 3) Tenant Internet Server Domain under Tenant_Internal (Administrative partition)
Bunding two Physical Interfaces ( 1.1 , 1.2 ) under Trunk for Cloud_Provider and Tenant_Internal
Seperate External VLAN's will be created for Cloud_Provider and Tenant_Internal Segments for the Users to access the VIPs.
Bunding two Physical Interfaces ( 1.3 , 1.3 ) under Trunk for Tenant_Internet.

Clarifications:

For Cloud_Provider Internal Servers i would like to load balance for five VLANs say ( VLAN 100 - 104 ). I have created one External VLAN say VLAN: 105 for Virtual IP's. Do i have to create five self IP address for the Five VLAN which i am going to loadbalance ?
Can i pass both Internal and External VLAN under the same Trunk ?
Can two Administrative Partition can be configured under the same trunk say ( Cloud_Provider and Tenant_Internal )
Is there any limitation in creating Administrative partitions in F5 1600.

cloud

design

virtualization

15 Replies

Arunprabhu_1147
Nimbostratus
Apr 29, 2014
Thanks dude.... I will come back to you if i have any challenge while implementing the same..
- What_Lies_Bene1
  Cirrostratus
  Apr 29, 2014
  You're welcome, hope it goes well. Cheers

Arunprabhu_1147

Nimbostratus

Jun 25, 2014

Hi Dude,

I have an Internal VLAN - 50 having Default gateway as F5, thus i have configured Forwarding VIP for the Entire VLAN 50.

The issue I am facing right now is , the traffic originating from the external VLANs  are able to access the Internal VLAN - 50 ( For Internal VLAN 50 , F5 is the gateway ) but any traffic originating from the Internal VLAN to the external VLAN is not working.

Can you pls confirm in addition to Forwarding VIP should i configure any additional things to enable traffic from the Internal Server to the External world.

Thanks, Arun

Arunprabhu_1147
Nimbostratus
Jun 25, 2014
The Forwarding IP is created for the Management traffic like ICMP, DNS and other related traffic from the Internal VLANs 50 to the Externnal world.
Arunprabhu_1147
Nimbostratus
Aug 01, 2014
Hi Dude,

Am very much happy here to inform you that crossed most of the milestones from the deployment and design front after having proper guidance from the forum. 🙂 🙂 :) In the configuration perspective am facing a challenge the following is the details on the same. I have Cisco ACE load balancer in my Existing Network, now they are migrating to the F5. I am facing a challenge in one of the configuration as detailed below. Also This Virtual Server is configured with SNAT automap
ACE Current Configuration
sticky ip-netmask 255.255.255.255 address both ABC_VIP timeout 30

The "both" keyword above to specify both the source IP address and the destination IP address to stick the client to a server.

As per my understanding the persistance configuration in F5 is either Source IP or destination IP and not both . Is there any method available to achieve this configuration.

As of now have configured only the Source IP persistance but it is not working as similar to the existing Network setup.

Regards, Arun

Forum Discussion

Multi tenancy design, Route domain

15 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options

Mitigating OWASP Web Application Risk: Insecure Design using F5 XC platform

Verified Design: SSL Orchestrator with Palo Alto NGFW Virtual Edition-Part 1

Enriching AFM with public domain Threat Intelligence

Verified Design: SSL Orchestrator with McAfee Web Gateway-Part 1