Forum Discussion

refra_151287
Jul 13, 2015

Urgent: L2 deployment

Hello, I'm trying to deploy standard load balancing, but all network components (clients and servers) are in the same subnet. The issue is that the traffic is passing through the F5 but not hitting any VS. Also be noted that this subnet is in a non-default route domain. The more interesting thing to me is that the traffic is not denied; it passes but is not load balanced, and using "tcpdump -nni vlan:nnn host client_ip" I see that the traffic is not hitting at all. Sorry for the short notice but I'm in downtime :)


6 Replies

  • Vernon_97235
    Historic F5 Account

    If the Virtual Server is on one Route Domain, and the pool members are on another, then you must disable "strict-isolation" for the VS RD in order for traffic to traverse between the Route Domains. If the VS and pool members are on the same Route Domain, then nothing special needs to be done in that regard.

    The BIG-IP will forward to a pool member if and only if the pool members are in a netblock that also contains a BIG-IP self-IP (in the same Route Domain) or if the BIG-IP has a route to the pool members (also in the same Route Domain). Moreover, the BIG-IP will not send traffic if ARP fails for the next hop (i.e., the pool member if the member is directly connected, or the next hop gateway if a route is followed).

    Do you have monitors associated with the pool members? If so, are they working (returning an "up" status)? Are the VS and pool members in the same Route Domain? If not, have you disabled strict-isolation?

    Have you verified that ARP is returning successfully for the next hop (using tmsh show net arp and tcpdump -nni 0.0 arp)?

    • refra_151287

      I have monitors (ICMP) and they are working fine. Actually I don't think it's related to the Route Domains. I want to give you a brief about our setup:

                                          |---------Proxy servers
          Clients ------SW-----1.1-F5-1.2----SW--------------------------------FW(GW)

      All these components [one self IP, VS 0.0.0.0%95, pool members (proxy servers)] are in the same subnet (and of course in the same RD 95) 192.168.1.0%95/2. The issue, I guess, is that we have two interfaces in the wireless VLAN {1.1 (connected to the clients side) and 1.2 (connected to the proxy servers side)}, so the traffic comes in from the client side through 1.1 and goes out through 1.2 without even passing through the VS, so the load balancing never happens and instead the traffic goes through the FW. Here we see the F5 as an L2 switch; it didn't intercept the traffic, so if you want to go to "google.com" the traffic will go to the GW through the F5 instead of passing through the proxies.
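The two forwarding preconditions Vernon lists above (the pool member must share a netblock with a self-IP in the same route domain, and ARP for the next hop must resolve) can be checked from the BIG-IP bash shell. The script below is an added example, not code from this thread or from F5: the `tmsh show net arp` sample is constructed and its column layout is an assumption, the `%rd` suffix handling follows the `192.168.1.0%95` notation used in the thread, and the functions work on saved text so they run offline.

```shell
#!/bin/sh
# Added example, not from the thread. Checks two forwarding preconditions:
#  (1) the pool member lies inside a self-IP netblock in the same route domain,
#  (2) "tmsh show net arp" has a resolved entry for that member (next hop).
# The tmsh output used below is CONSTRUCTED; its column layout is an assumption.

# Drop a route-domain suffix such as "%95" from an address or prefix.
strip_rd() { printf '%s\n' "$1" | sed 's/%[0-9]*//'; }

# Route-domain id of an address or prefix ("0" when no %rd suffix is present).
rd_of() {
    case "$1" in
        *%*) r=${1#*%}; printf '%s\n' "${r%%/*}" ;;
        *)   printf '0\n' ;;
    esac
}

# in_netblock IP CIDR -> exit 0 when IP falls inside CIDR and both carry the
# same route domain (a self-IP in RD 95 never covers a member in RD 0).
in_netblock() {
    ip=$(strip_rd "$1"); net=$(strip_rd "$2")
    [ "$(rd_of "$1")" = "$(rd_of "$2")" ] || return 1
    printf '%s %s\n' "$ip" "$net" | awk '
        function toint(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        {
            split($2, p, "/"); scale = 2 ^ (32 - p[2])   # host bits collapse to one bucket
            if (int(toint($1) / scale) == int(toint(p[1]) / scale)) exit 0; else exit 1
        }'
}

# arp_resolved ARP_TEXT IP -> exit 0 when the ARP table text has a line whose
# Address column equals IP (suffix included) and whose Status is "resolved".
arp_resolved() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $2 == ip && $NF == "resolved" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of "tmsh show net arp" output (layout assumed).
SAMPLE_ARP='Net::Arp
Name               Address           HWaddress          Vlan           Expire-in-sec  Status
192.168.1.10%95    192.168.1.10%95   00:00:5e:00:53:01  /Common/vlan2  240            resolved
192.168.1.11%95    192.168.1.11%95   incomplete         /Common/vlan2  0              incomplete'

# check_member SELF_CIDR MEMBER_IP ARP_TEXT -> prints "ok", "no-netblock" or "no-arp".
check_member() {
    in_netblock "$2" "$1" || { echo no-netblock; return 1; }
    arp_resolved "$3" "$2" || { echo no-arp; return 1; }
    echo ok
}

# Live mode: ./check.sh --live 192.168.1.0%95/24 192.168.1.10%95 on a BIG-IP.
if [ "${1:-}" = "--live" ] && command -v tmsh >/dev/null 2>&1; then
    check_member "$2" "$3" "$(tmsh show net arp)"
fi
```

A member that reports `no-netblock` needs a self-IP (or a route) in its route domain before the BIG-IP will ever forward to it; `no-arp` points at the layer-2 path, which is where the thread's problem turned out to be.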
  • Are 1.1 and 1.2 attached to the same VLAN, as defined on the BIG-IP? If they are not, then the BIG-IP should not switch traffic between them. Even if they are on a common VLAN, if there is a matching Virtual Server bound to the VLAN, that should handle the traffic (that is, the traffic should not be simply switched between interfaces).

    In your diagram, you list a switch connected to 1.1 and a switch connected to 1.2. Naturally, if they are in fact the same switch (or are interconnected switches) and the client-side and server-side are on a common VLAN, then the traffic will never traverse the BIG-IP. I mean a topology like this:

        CLIENT      BIG-IP
          |           |
        SWITCH ---- SWITCH ---- PROXIES
                      |
                      + ---- FW
    

    (where each "line" is a segment on the same VLAN as all other "lines").

    If you want to ensure that the traffic is flowing through the BIG-IP at all, you can tcpdump on the physical interface (though there is a hard 100 packet-per-second limit, so this will only work when the traffic volume is low):

    You will naturally see any broadcast traffic (particularly ARP) and any flooded traffic (from switches that do not have a mac-forwarding entry), but should see unflooded unicast traffic on both 1.1 and 1.2 only if the BIG-IP is switching or forwarding.

    Incidentally, what is your configuration for handling the client traffic? I would anticipate that you have a wildcard Virtual Server (0.0.0.0:80) listening on the client-side VLAN associated with a pool containing the proxies. I would further anticipate that it is a Standard Virtual Server and that it has address-translation enabled (by this I mean destination translation rather than source/SNAT translation).
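Vernon's test above is to capture on both physical interfaces and look for non-flooded unicast that appears on 1.1 and 1.2 alike, because broadcast (ARP) and flooded frames show up on both regardless of what the BIG-IP does. The script below is an added example (not from the thread or from F5) that applies that filter to two saved captures: it assumes the captures were taken with `tcpdump -nnei 1.1` and `tcpdump -nnei 1.2` so that MAC addresses are printed, drops frames whose destination MAC is broadcast or multicast, and reports the IPv4 source/destination pairs seen on both sides. The capture text is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Compares two "tcpdump -nne" captures
# (one per physical interface) and lists unicast IPv4 flows seen on both.
# Capture lines below are CONSTRUCTED in standard tcpdump -e line format.

# unicast_flows CAPTURE_TEXT -> unique "src > dst" IPv4 pairs whose destination
# MAC is unicast (first-octet low bit clear), so ARP/broadcast/multicast drop out.
unicast_flows() {
    printf '%s\n' "$1" | awk '
        # $4 is the destination MAC followed by a comma; $6 is the ethertype name;
        # $10 and $12 are "ip.port" and "ip.port:" for an IPv4 frame.
        $6 == "IPv4" && substr($4, 2, 1) !~ /[13579bdf]/ {
            s = $10; d = $12
            sub(/:$/, "", d)
            sub(/\.[0-9]+$/, "", s); sub(/\.[0-9]+$/, "", d)   # strip the port
            print s " > " d
        }' | sort -u
}

# flows_on_both CAPTURE_1_1 CAPTURE_1_2 -> flows present in both captures.
# Only these indicate the BIG-IP switched or forwarded the traffic itself.
flows_on_both() {
    a=$(unicast_flows "$1"); b=$(unicast_flows "$2")
    printf '%s\n%s\n' "$a" "$b" | sed '/^$/d' | sort | uniq -d
}

# Constructed capture from interface 1.1 (client side).
CAP_1_1='12:00:01.000001 00:00:5e:00:53:10 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 74: 192.168.1.50.43210 > 203.0.113.5.80: Flags [S], seq 100, win 64240, length 0
12:00:01.000002 00:00:5e:00:53:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.50, length 28
12:00:01.000003 00:00:5e:00:53:10 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 74: 192.168.1.50.43211 > 198.51.100.7.443: Flags [S], seq 200, win 64240, length 0'

# Constructed capture from interface 1.2 (proxy side).
CAP_1_2='12:00:01.000004 00:00:5e:00:53:10 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 74: 192.168.1.50.43210 > 203.0.113.5.80: Flags [S], seq 100, win 64240, length 0
12:00:01.000005 00:00:5e:00:53:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.50, length 28
12:00:01.000006 00:00:5e:00:53:20 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 74: 192.168.1.10.50000 > 203.0.113.5.80: Flags [S], seq 300, win 64240, length 0'

# Live use on a BIG-IP: ./flows.sh --live, with the 100 pps limit in mind.
if [ "${1:-}" = "--live" ] && command -v tcpdump >/dev/null 2>&1; then
    flows_on_both "$(timeout 10 tcpdump -nnei 1.1 2>/dev/null)" "$(timeout 10 tcpdump -nnei 1.2 2>/dev/null)"
fi
```

In the constructed data the client's flow to 203.0.113.5 appears on both interfaces while the ARP request is filtered out, which is exactly the symptom refra described: the client's unicast is being switched straight through rather than terminated on a Virtual Server.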

  • Hi Vernon, my customer wants to put the F5 "inline" between the clients and the internet. What I saw was that the traffic was passing through the box (using tcpdump) without hitting any VS. After configuring a "VLAN Group", adding interface 1.1 to vlan1 and interface 1.2 to vlan2, and adding vlan1 and vlan2 to the "vlan group", the problem was solved and the traffic hits the VS now. Actually it's the first time I've worked on this behavior.