F5 As a Router
I have a pair of BIG-IPs in an active/standby configuration running LTM 10.2.4. We have several LDAP servers configured on an internal VLAN as pool members and are doing basic load balancing to these servers through the F5s. In addition to the basic load balancing for these systems, we also have a number of external systems that need to reach the LDAP servers directly without being load balanced. For this, we've configured Virtual IPs on the LDAP servers on the internal VLAN which are used for this "direct" access. We have static routes for these networks set up in our LAN that point to a floating IP on an external VLAN on the F5 as the next hop. The F5 then forwards/routes this traffic directly to the VIPs on the LDAP pool members, preserving the original client source address. The return traffic gets sent from the VIP on the LDAP servers to their default gateway (which is on the F5), and the F5 routes it back out the external VLAN to the client.
This setup has worked fine for years. We recently upgraded our LAN infrastructure to Cisco ACI and have moved all of our servers, as well as the F5s to the ACI fabric. When we migrated the subnet gateways for the external F5 VLANs off of our old Catalyst routers to ACI, we started seeing issues with this LDAP routing. All of a sudden some systems were not able to reach the VIPs on the LDAP servers, even though we had configured the same static routes for these networks in ACI. It seemed as if the F5 was not forwarding this traffic for whatever reason. To resolve the issue, we had to source a ping from the VIPs to an external system in the environment and then all of a sudden the F5 would start routing again and the server VIPs became reachable.
I don't understand much about how the F5 does this type of routing/forwarding. I have read SOL articles on Forwarding IP Virtual Servers as well as Forwarding Layer 2 Virtual Servers, but keep in mind we are not using either of these techniques. We're just pointing traffic to external floating IPs on the F5 and relying on the F5 to route the traffic to the back-end pool member. Perhaps using a forwarding virtual server is the better approach? If not, it would be good to understand a little bit more about how this routing works and why moving to Cisco ACI could have caused things to break.
Any feedback on how this type of F5 routing/forwarding works and/or pointing me to some good resources would be extremely helpful! Thanks!
Jon