Forum Discussion

Ken_51674
Oct 15, 2013

Question on traffic sourced from a multiple interface LTM

LTM Experts,

     I will be adding a second “VIP” type interface as well as a corresponding “pool” interface to an existing LTM.  My question revolves around where the LTM will send traffic (which interface does it select) when it is sourced from a “pool” member whose VIP is on this new interface.

Currently my LTM VIP interface is 10.10.10.X and has an internal interface where the pool members reside.  I need to add a second interface 10.50.50.x as well as another interface where its pool members will reside, 10.27.27.X (this LTM will now have 4 interfaces).  When this new pool member 10.27.27.X (whose VIP is on 10.50.50.x) initiates a connection to another host, how does the LTM decide which interface to send it on?  Will it look in the route table for a route for the network or will it use the interface the VIP is on (10.50.50.X)? I understand for inbound connections the LTM will maintain state and send it on the interface it received it on, but I’m wondering how traffic initiated from this new pool (whose default gateway is the LTM) will get forwarded?

Thanks!

12 Replies

  • Hamish

    The short answer is that it'll send it wherever the VS that matches the destination tells it to send it.

    The longer one is that there are several options to tune this to be the same for both pool VLANs or different, including just using different VSs to match the destination, all the way to separate routing domains.

    H

  • ...packet should go through the VLAN (thus its associated interface) where the destination server is reachable.

    If the destination server is on 10.10.10.x/10.50.50.x then BIG-IP will put the packets on that net.

    If the destination IP (server) is not directly connected to an already-configured VLAN, then it has to look at its static routes or default gateway in order to make a decision.

    Finally, as Hamish noted, you have several options to manipulate the route the packet should follow (iRules, NAT/SNAT, etc.)

    Regards, hheredia

     

  • Thanks for the responses.

    I'll give you a bit more information so that it might make more sense as to what I need it to do. Each of my VIP interfaces will be connecting to a firewall interface. Today my 10.10.10.X VIPs use the firewall as their default gateway. There is a static default gateway on the LTM as well, pointing to the 10.10.10.1 (FW) address. Each "pool server" that has a corresponding VIP on 10.10.10.X uses the 10.10.10.1 route to reach both internal and external networks.

    Now I'm adding this second 10.50.50.x network to the LTM as well as to a new firewall interface. For inbound connections I'm fine, as the FW will have a directly connected network for 10.50.50.x traffic. These 10.50.50.X VIPs will get translated to a backend bunch of 10.27.27.x servers. Internal hosts get to these 10.27.27.x servers via their 10.50.50.x VIP address, and external hosts use a NAT entry on the FW to get to these same 10.27.27.X machines.

    What I need to ensure happens (and I don't know if it's possible or how to do it) is that when a 10.27.27.x machine wants to send traffic to the internal network, it uses the 10.50.50.x FW address (and not the 10.10.10.x address). Since the LTM has a default static route of 10.10.10.1, initially I thought that the LTM would just send it to its default gateway. If that is how it will do it (traffic sourced from 10.27.27.x will use the 10.10.10.1 gateway after being changed to its VIP addr of 10.50.50.x), pretty much everything will break.

    There were a few options mentioned above that I'd like to explore, if you could point me to some documentation as well as give me your opinion on the cleanest (i.e. easiest) way to accomplish what I need.

    In a nutshell: all pools associated with 10.50.50.X VIPs use the 10.50.50.1 gateway and not the default route on the LTM, to ensure the traffic goes out the correct interface on the firewall.

    All other pools can use the LTM default to find their way to internal or external netblocks.

    Thanks again for helping!

     

  • Denny_Payne_218 (Historic F5 Account)

    Sounds like you just need a wildcard Performance L4 virtual server 0.0.0.0:0 defined specifically on the VLAN where the 10.27.27.x servers reside that uses a pool with the 10.50.50.1 gateway in it.

    • Ken_51674
      Denny, Thanks for your comment. Would you have a link or something to that type of definition and/or configuration? What you are describing is currently past my level of expertise with LTMs. If I could get some additional information I might be able to have a clearer picture of this. Thanks again!
  • Denny_Payne_218 (Historic F5 Account)

    Just the manual: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/2.html?sr=32543245

    Basically just create a pool, put the 10.50.50.1 address in it with port 0. Don't worry about monitoring it, just leave it unknown. Or ping it if you really must have it green :-)

    Create a virtual server, select Performance L4 instead of Standard, network type instead of host, destination address 0.0.0.0 mask 0.0.0.0 port 0, select All Protocols instead of TCP. Instead of All VLANs, make it enabled only on the VLAN where the 10.27.27.x servers live (the ingress VLAN for your outbound traffic from 10.27.27.x). Point it to the pool you just created with the firewall address in it.

    Now any traffic initiated from that VLAN will be processed by that virtual server rather than the routing table on the box.

    • Denny_Payne_218 (Historic F5 Account)
      I tried this as another comment but it wouldn't format paragraphs....ugh....
  • configure a SNAT. Should be something like this:

    SNAT address: 10.50.50.x <- any IP addr available
    Origin: 10.27.27.x <- those IP addrs corresponding to your servers/pool members

    good luck!
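The wildcard forwarding virtual server Denny describes, together with the SNAT suggested in the last reply, expressed as tmsh commands. This is an added example, not configuration posted by anyone in the thread or taken from F5 documentation. Assumed names: `vlan_srv27` is the VLAN carrying the 10.27.27.0/24 servers, `10.50.50.10` is a spare address on the 10.50.50.0/24 firewall-facing VLAN, and `10.27.27.10` is one of the servers; the syntax is v11-era tmsh, so check `tmsh help ltm virtual` on your release. Two points the thread does not spell out are made explicit in the comments: address/port translation has to be disabled so the pool member acts as a next hop rather than a destination, and a standalone SNAT only rewrites the source address, it does not change which gateway the packet is sent to.

```tmsh
# Added example (not from the thread). Assumed: vlan_srv27 carries the
# 10.27.27.0/24 servers; 10.50.50.10 is a free address on the 10.50.50.0/24
# firewall-facing VLAN; 10.27.27.10 is one of the servers.

# 1. Gateway pool: the firewall's 10.50.50.1 interface as the only member.
#    Port "any" (0) because the pool is only used to choose a next hop.
#    gateway_icmp is the built-in ping monitor (the "green" option);
#    drop the monitor clause to leave the member unknown as Denny suggests.
create ltm pool pool_fw_10.50.50.1 members add { 10.50.50.1:any } monitor gateway_icmp

# 2. Wildcard Performance L4 (fastL4) virtual server enabled only on vlan_srv27.
#    It listens on the ingress VLAN, so any connection a 10.27.27.x host
#    initiates through BIG-IP matches it before the route table is consulted;
#    the static default route to 10.10.10.1 is never used for that traffic.
#    ip-protocol any  = "All Protocols" in the GUI.
#    translate-address/translate-port disabled: the packet must keep its real
#    destination; the pool member is then used only as the gateway address.
#    Leave translation enabled and every connection would be rewritten to
#    10.50.50.1 and terminate on the firewall itself.
create ltm virtual vs_fwd_srv27_via_fw50 destination 0.0.0.0:any mask any ip-protocol any profiles add { fastL4 } pool pool_fw_10.50.50.1 translate-address disabled translate-port disabled vlans add { vlan_srv27 } vlans-enabled

# 3. Source translation. Attach a SNAT pool to the same virtual server so the
#    egress gateway (10.50.50.1) and the source address (10.50.50.10) are
#    decided together: the firewall then sees 10.50.50.x traffic arriving on
#    its 10.50.50.x interface, and return traffic comes back to an address
#    BIG-IP owns on that VLAN.
create ltm snatpool snatpool_fw50 members add { 10.50.50.10 }
modify ltm virtual vs_fwd_srv27_via_fw50 source-address-translation { type snat pool snatpool_fw50 }

# The standalone form from the last reply. Note it only rewrites the source
# address of 10.27.27.0/24 traffic; on its own the packets still leave via
# whatever the route table picks (here the 10.10.10.1 default), which is the
# breakage Ken is trying to avoid. Use it only alongside the virtual server.
# create ltm snat snat_srv27_to_fw50 origins add { 10.27.27.0/24 } translation 10.50.50.10

# If some destination reachable from vlan_srv27 must NOT go via 10.50.50.1,
# add a more specific virtual server for it on the same VLAN: BIG-IP picks the
# most specific destination match, so it wins over the 0.0.0.0/0 wildcard.

save sys config

# Verification while a 10.27.27.x host connects outbound:
# list ltm virtual vs_fwd_srv27_via_fw50
# show ltm pool pool_fw_10.50.50.1 members
# show sys connection cs-client-addr 10.27.27.10
#   In the connection entry the ss-client address should be 10.50.50.10 (SNAT
#   applied) and ss-server should still be the real destination, not
#   10.50.50.1 (address translation correctly disabled).
```

Apply the virtual server before the SNAT pool if you stage the change: with only the standalone `ltm snat` in place, 10.27.27.x traffic is still routed to 10.10.10.1 but now carries a 10.50.50.x source, which the firewall will drop or misroute.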