Forum Discussion

James_Price_485 (Nimbostratus)
Jul 21, 2015

route between vlans with snat

We want to set up vlan4, 5, 6 on the F5. But currently we have SNATs in vlan4 that are set up to provide a unique IP for outgoing traffic from each of our internal servers. If we set up vlan 5 and 6 we can no longer get to vlan 5 and 6. I've considered using a forwarding server but that will not give us a unique outside IP address coming from the internal server. Is it possible to route SNATed traffic to another vlan? Simple case: be able to ping vlan 6 when your SNATs are on vlan4? One of our cases is DNS is in vlan 6 but the SNATs are in vlan 4. Another case is an internal server needs to reach a database on vlan6. Thanks for any help.


3 Replies

  • I don't quite get the problem. Could you perhaps draw a picture or such? You have servers in VLAN4 that go out to the internet with a specific SNAT IP per server? How is the SNAT done? Then you add VLAN5, where does the problem start? What do you want to do with VLAN5, reach the internet from there or get into it from VLAN4? If it is the last, you might be able to only do SNAT if you go to the big bad internet but not when you stay internal.
  • SNAT setup: translation address in vlan4, address list has the server in vlan905, VLAN traffic enabled on vlan905.

    The problem starts when we add a vlan on the F5 that the internal (vlan905) server needs to contact.

    I guess what I'm asking is: is there a way to get vlan4, vlan5, vlan6 on the F5 to communicate with each other, like the way our network switch will pass traffic between vlans 4, 5, 6?

    We need to add vlan5 and vlan6 so we can use those IPs in virtual servers. We are running out of IPs in vlan4.

  • Couple of suggestions:

    1. Couldn't you put vlan 905 on the switch and let the internal servers route directly to other internal services, like the DB etc.? Then, for traffic leaving the network, NAT on the external firewall. Vlan905 will then be able to talk to vlan6 servers or F5 VSs via the switch g/w.

    2. Stick to one vlan if you can, i.e. vlan4 for the client-side traffic, and just use other address space for the VSs and a route on the switch for them via the vlan4 self-IP.

    3. If the above doesn't work for you then I guess you do selective SNAT based on egress vlan, but your solution is going to get more complex. For this you would use an iRule and something like [LINK::lasthop name] to grab the egress vlan, then use that to determine what SNAT to use based on a class lookup or similar.

    Cheers
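As an added illustration of suggestion 3 (example iRule written here, not code from any of the posters): a selective-SNAT iRule attached to a wildcard forwarding (IP) virtual server that listens on vlan905. Rather than reading the egress VLAN via LINK::lasthop as the reply suggests, it keys on the destination address, which is enough to separate "stays inside vlan4/5/6" from "leaves for the internet". The data group names `internal_subnets` and `server_snat_map`, and all addresses in the comments, are assumptions constructed for the example.

```tcl
# Added example (not the poster's code): selective SNAT on a wildcard forwarding
# virtual server enabled on vlan905.
#
# Assumed (hypothetical) data groups on the BIG-IP:
#   internal_subnets  - address data group listing the vlan4/5/6 subnets,
#                       e.g. 10.4.0.0/24, 10.5.0.0/24, 10.6.0.0/24 (constructed values)
#   server_snat_map   - address data group mapping each vlan905 server IP to the
#                       unique vlan4 SNAT address it uses when going out,
#                       e.g. 10.9.5.10 := 203.0.113.10 (constructed values)
when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    set dest   [IP::local_addr]

    # Destination is in vlan4/5/6 (DNS, database, F5 virtual servers):
    # forward untranslated so the real vlan905 source address is preserved.
    if { [class match $dest equals internal_subnets] } {
        snat none
        return
    }

    # Destination is outside: use the dedicated SNAT address for this server.
    set snat_ip [class match -value $client equals server_snat_map]
    if { $snat_ip ne "" } {
        snat $snat_ip
    } else {
        # No dedicated address configured for this server: fall back to automap
        # (self-IP of the egress VLAN) instead of dropping the flow, and log it
        # so the missing mapping is visible.
        snat automap
        log local0. "No dedicated SNAT entry for $client -> $dest, using automap"
    }
}
```

Because the internal branch forwards without translation, the vlan4/5/6 hosts must have a route back to vlan905 through the BIG-IP (or the switch, per suggestion 1); otherwise replies take an asymmetric path and the forwarding virtual server never sees them. The automap fallback log line is also a useful check that every internal server has an entry in the map before relying on it for a unique outside address.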