Forum Discussion

Nfordhk_66801 (Nimbostratus)
Sep 04, 2014

LTM Design - BIGIP on a Stick

Hi,
We are having some weird routing issues; I'm hoping you all can help with our design.

We have two F5's (5000) in a redundant pair. Each of the F5's has one internal and one external link connecting to our CORE switches as a trunk.
We wanted to put local VLANs on the F5. We created one for external [VIPs] and two internal [WEB & APP]. The two internal VLANs are assigned to one trunk, the external VIP vlan assigned to the other. We created self and floating IPs for each VLAN.
We assigned the server IPs with their gateway as the floating IP. But we were unable to reach them.
We found this article: http://packetpushers.net/stateless-routing-f5-ltm/ and created a virtual forwarding server as they discuss. This allowed us to reach the servers and ping floating IPs.
Odd issue was, the servers could ping other networks. But all the applications on the servers were failing because they couldn't connect to any servers on TCP ports. I thought this was related to the self IPs' port lockdown and I went ahead and allowed all, but no change.

We had a static route on our core switch pointing at the F5 external floating IP. The traffic was getting to the F5 we saw in the TCPdump but we couldn't reach anything.
Ultimately, we had to create SVIs on our CORE switches for the servers to connect to other networks with more than ping connectivity. Weird thing is now I can't ping self IPs. And I feel the SVIs should not be needed in this design.

I hope I explained this well... any help would be greatly appreciated.

8 Replies

  • An F5 is a deny-by-default device, hence your need for the 'routing' VIP which I assume allowed you to manage the servers 'behind' the F5 from somewhere else on the network.

    You obviously need at least one SVI on your core to allow traffic to be routed to the F5 via the external VLAN.

    What routing have you set up within LTM?

    I don't see why you would have issues with the server connectivity from an application perspective:

    Client > network device > Core SVI > F5 external floating IP > server on internal VLAN
    
    • This would require the core to route your VS range to the F5 (and perhaps the 'real server ranges' for your other (management?) traffic)
    • The F5 would need a default route back to the core
    • The servers would need a default route back to the F5 internal floating IP

    The 'routing' Virtual would be required only for traffic not handled by a Virtual Server or S/NAT - in other words, outbound server traffic for patches, inbound management traffic etc.

    Hope this makes some sense.

  • I didn't suggest static routes! :-)
    You are correct, you should not need SVIs for the internal VLANs. What didn't work when you didn't have them?
  • nathe (Cirrocumulus)

    Sorry for adding my 2c worth here WLB!
    So it sounds like the forwarding VS is working as you can ping through the BIG-IP to and from the servers. Is it the application VIPs that are not working then?
    If so, a shot in the dark here. Could it be the auto-lasthop feature getting in the way? See http://support.f5.com/kb/en-us/solutions/public/9000/400/sol9487.html
    If not, what happens if you disable your application VIP and access the application server directly (over whatever protocol you're using, e.g. HTTP)? This way the forwarding VIP would match the traffic and deliver the traffic to the backend server direct.

    Just thoughts.
    N
  • This is our current design. We have a VIP with IP Forwarding. 0.0.0.0/0 with all ports, all services, and all vlans.
    This is the design we were trying. The servers could ping outside their network but could not communicate on TCP ports.

    • nathe (Cirrocumulus)
      Web server telnet on 1433 to SQL server: do you see traffic exit the external VLAN? Do you get an ACK?
    • Nfordhk_66801 (Nimbostratus)
      At this time our QA team is testing and performing demos with the application, so I can't bring it down for a few days. Do you see anything wrong with our design though?
  • Please confirm that the default gateway you've listed is configured in LTM.
    If I understand the diagrams correctly it all looks good to me, with just the x.x.103.x SVI on the core.
    Can you give us the CLI output of the configuration for the 'routing VS' please?
  • Was a successful trip, thanks.

    The config looks OK. Sorry but could you also list the config for the route as well please?
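The thread ends asking for the 'routing VS' and route configuration, so for reference this is what the complete tmsh configuration for the design being discussed looks like: the external and internal floating self IPs, the default route back to the core, and the wildcard IP-forwarding virtual server. This is an added, constructed example and not configuration posted by anyone in the thread; every address (RFC 5737 documentation ranges), VLAN name and object name is an assumption.

```tmsh
# Added example (constructed; not from the thread). Addresses are RFC 5737
# documentation ranges and all object/VLAN names are assumptions.

# Floating self IP on the external VLAN: this is what the core's static route
# for the server ranges points at. allow-service none keeps the self IP closed;
# port lockdown only governs traffic TO the self IP, not transit traffic.
net self /Common/external_float {
    address 192.0.2.10/24
    allow-service none
    floating enabled
    traffic-group /Common/traffic-group-1
    vlan /Common/external
}

# Floating self IP on the web VLAN: the servers' default gateway.
net self /Common/web_float {
    address 198.51.100.1/24
    allow-service none
    floating enabled
    traffic-group /Common/traffic-group-1
    vlan /Common/web
}

# Default route back to the core SVI: used for server-initiated traffic leaving
# through the forwarding VS, and for any return traffic that auto-lasthop does
# not already send back to the MAC it arrived from.
net route /Common/default {
    gw 192.0.2.1
    network default
}

# The 'routing VS': a wildcard IP-forwarding virtual server. No address or port
# translation, so it only carries what no application VS or SNAT matched first.
# vlans-disabled with no vlan list means it listens on all VLANs.
ltm virtual /Common/vs_forward_all {
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
```

`tmsh list ltm virtual vs_forward_all` and `tmsh list net route` print the running equivalents of the last two stanzas, which is the output the reply above is asking for.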