Initial network config for one-armed deployment

Hi,

I have a Big-IP 2000 (ver 11.2.1) in our lab that I need to set up the initial networking on. I plan on using this in one-armed mode where the Internal and External vlans are the same.

Can someone point me to an initial config guide for this setup? All the guides I've seen walk through the Routed mode, it seems, where the Internal and External vlans are different. Not so in my case.

If not, would someone be able to walk me through the steps at a high level? Once I understand the high level steps, chances are I can figure out the details myself.

Thank you -Steve


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

One-arm means that you have only a single physical or logical connection to a network (I do not include the management interface).

In your case we are no longer talking about internal or external because outbound and inbound traffic will pass through the same interface (one interface: one-armed).

To put it simply, in order to deploy this architecture, you have to connect only one interface on the wanted vlan. You need one IP for your equipment (self-IP) and set the GW (your router or FW where your equipment is connected). There is no real difficulty in this type of architecture...

What more do you want to know?

regards

Comments on this Answer
Comment made 06-Jun-2018 by ryderse 3

Hi Youssef

I understand the idea of one-armed, my questions are more F5 related than being one-armed. I should have been more specific. I was not certain if I needed two Self-IPs but I see your answer says only one. I assume I need to place the interface (on the BigIP) into the correct vlan (vlan 102) as tagged. I am connecting to a cisco 2960.

Now my issue is setting the gateway. I added the SIP (10.4.11.110), tagged this vlan (vlan 102) for interface 1.1 and then added a default route but I cannot ping the 10.4.11.1 GW. I am getting !H, host unreachable.

When I look in the route table, I see 10.4.11.0/24 set to use v102 so this should be good, yes? I may have an external network issue that I will have to test. Based on this, I should be able to ping the 10.4.11.1 GW, yes?

Thank you for your input.

The mgmt network is 10.4.96.0/21.

[admin@f5:Active] ~ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
127.1.1.0 * 255.255.255.0 U 0 0 0 tmm0
127.3.0.0 * 255.255.255.0 U 0 0 0 mgmt_bp
127.2.0.0 * 255.255.255.0 U 0 0 0 eth0.1
10.4.11.0 * 255.255.255.0 U 0 0 0 v102
10.4.96.0 * 255.255.248.0 U 0 0 0 eth0

[admin@f5:Active] ~ # ping -I v102 10.4.11.1
PING 10.4.11.1 (10.4.11.1) from 10.4.11.110 v102: 56(84) bytes of data.
From 10.4.11.110 icmp_seq=2 Destination Host Unreachable
From 10.4.11.110 icmp_seq=3 Destination Host Unreachable

Comment made 06-Jun-2018 by ryderse 3

I should add that I know the above only shows a route and not a default GW but I assume that it should still work for the 10.4.11.0/24 subnet.

Also, I just now plugged in a laptop to the switchport that the BigIP connects to. From there, I can ping 10.4.11.1 so my cfg must not be correct.

Comment made 07-Jun-2018 by youssef 4046

Hi,

So to sum up: that's right, you need only one self IP.

You have to create a Tagged Vlan (102) as you specified below. In this condition you can't connect your Laptop and try to ping your interface if you tagged your Vlan.

Just be careful, you have to tag the cisco 2960 (vlan102) on the interface where you connect your F5 or it can't work.

Then once you have created your vlan, create your self IP and don't forget to set your vlan in this selfIP and set traffic group to traffic-group-local-only.

And create your route.

  • Destination: 0.0.0.0
  • Netmask : 0.0.0.0
  • Resource: Use Gateway
  • Gateway address, your GW.

I think that your problem is only network (Tagged or not); you have 2 possibilities:

  • If you tagged your VLAN on the F5, you have to do the same on the Cisco side.
  • If you don't tag your vlan on the F5, you have to set it on the Cisco side (untagged and specify the vlan 102).

Keep me in touch. Regards

Comment made 07-Jun-2018 by ryderse 3

Hi Youssef

Bingo, that was it. I untagged the interface on the F5 (as opposed to tagged) and that did it. I tried that once before but I may not have had the GW set correctly at that time. Anyway, it's working now.

Thank you again for your time.

[admin@f5:Active] ~ # ping 10.4.11.1
PING 10.4.11.1 (10.4.11.1) 56(84) bytes of data.
64 bytes from 10.4.11.1: icmp_seq=1 ttl=255 time=1.08 ms
64 bytes from 10.4.11.1: icmp_seq=2 ttl=255 time=3.97 ms

admin@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net route
net route Default {
gw 10.4.11.1
network default
}

[admin@f5:Active] ~ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
127.1.1.0 * 255.255.255.0 U 0 0 0 tmm0
127.3.0.0 * 255.255.255.0 U 0 0 0 mgmt_bp
127.2.0.0 * 255.255.255.0 U 0 0 0 eth0.1
10.4.11.0 * 255.255.255.0 U 0 0 0 v102
10.4.96.0 * 255.255.248.0 U 0 0 0 eth0
default 10.4.11.1 0.0.0.0 UG 0 0 0 v102

Comment made 08-Jun-2018 by ryderse 3

Sorry to deviate from the original question but I cannot seem to post a new thread, even in another browser. The link to post a new question takes me to Code Share for some reason.

Now that I have this set up in one-armed fashion, I discovered that my app does not like direct server return. I need to set up the VS so that the Real Servers respond to the VIP IP and not directly to the Client. This should be a simple change but I cannot seem to find how to set this up. How do I configure this VS to proxy all connections in and out?

Thank you.

Comment made 08-Jun-2018 by youssef 4046

Hi, I believe that you forgot SNAT automap.

Please set SNAT automap and keep me updated.

Comment made 08-Jun-2018 by ryderse 3

That is correct. I set SNAT to automap and it's confirmed to be working.

Thanks again.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi ryderse

In a one-armed topology, a client-IP verification problem could occur.

If your app is web-based, using 'X-forwarded-for' helps verify the real client IP.

Have a good day.

Comments on this Answer
Comment made 11-Jun-2018 by ryderse 3

Hi @swjo

Thank you for the info. I will keep that in mind and will test it out later. Right now, this is working for me once I untagged the vlan on the interface.

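Pulling the thread's steps together as one tmsh configuration (youssef's VLAN, self IP and default route, the SNAT automap fix from the later comments, and swjo's X-Forwarded-For suggestion). This is an added example, not configuration from the original posts. VLAN 102 on interface 1.1, self IP 10.4.11.110/24 and gateway 10.4.11.1 are the values from the thread; the VIP 10.4.11.120, the pool member addresses 10.4.11.21 and 10.4.11.22, and all object names are assumed.

```tmsh
# Added example (not from the thread): one-armed BIG-IP v11 setup in tmsh.
# Thread values: VLAN 102 on interface 1.1, self IP 10.4.11.110/24, GW 10.4.11.1.
# Assumed values: VIP 10.4.11.120, pool members 10.4.11.21/.22, object names.

# 1. VLAN 102 untagged on 1.1 (what finally worked for ryderse). The Cisco 2960
#    port must then be an access port in VLAN 102. Use "tagged" instead only if
#    the switch port is a trunk carrying VLAN 102 with an 802.1Q tag.
create net vlan v102 interfaces add { 1.1 { untagged } } tag 102

# 2. The single non-floating self IP on that VLAN. allow-service none keeps the
#    data-plane address from exposing management services; ICMP still answers,
#    so ping to and from the gateway keeps working as a test.
create net self self_v102 address 10.4.11.110/24 vlan v102 traffic-group traffic-group-local-only allow-service none

# 3. Default route through the gateway on the same VLAN.
create net route Default network default gw 10.4.11.1

# 4. Pool of real servers; in one-armed mode they share the VLAN with clients.
create ltm pool app_pool monitor http members add { 10.4.11.21:80 10.4.11.22:80 }

# 5. HTTP profile that inserts X-Forwarded-For so the application can still
#    log and check the real client IP once SNAT hides it (swjo's point).
create ltm profile http http_xff defaults-from http insert-xforwarded-for enabled

# 6. Virtual server with SNAT automap: server replies are addressed to the
#    BIG-IP's self IP instead of going straight to the client's gateway, which
#    is the direct-server-return symptom ryderse hit without it.
create ltm virtual app_vs destination 10.4.11.120:80 ip-protocol tcp profiles add { http_xff } pool app_pool source-address-translation { type automap }

save sys config
```

After applying it, "list net route" should show the Default route with gw 10.4.11.1 as in ryderse's output above, and "show ltm virtual app_vs" confirms the VS is available once the monitors mark the members up.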