I am trying to set up F5 VE on an ESXi host. The version of F5 VE I am using is 13.0.
The issue I am having right now is that from the F5 CLI I am unable to get out to the Internet, i.e. unable to telnet to, say, 126.96.36.199 443.
The error I am getting is "No host to route".
In my ESXi host I have a standard vSwitch with two NICs, public and private. I have assigned the right public NIC to the F5 external interface, created a default gateway and a self IP with allowed ports set to default. However, I am still unable to get on the Internet from the F5.
Is there something I am missing?
Any help will be highly appreciated.
Have you configured a route on the device? Can you ping the 188.8.131.52 IP address?
Yes, I did create an external_GW route and assigned the public IP GW to it... however I am getting "destination is unreachable".
Can you ping the gateway?
This is the setup:
ESXi host with 4 physical NICs (2 of them are connected, one for private and the other for public)
F5 VE has the following interfaces:
1.1 --> not configured
1.2 --> set for external (the ESXi public interface is connected to this F5 1.2 interface, confirmed by looking at the MAC address in VMware)
1.3 --> not configured
In F5 I have an external_gw route to xxx.xxx.xxx.113
vLAN_EXT assigned to interface 1.2
Self IP for EXT is xxx.xxx.xxx.126/28
There is no forwarding VIP configured.
That's the VE configuration so far.
This is what I found out: it appears that there are two physical NICs configured in the ESXi host (private and public).
However, the private NIC has been trunked to carry three subnets (10.13x.x.x/26 (MGMT), 10.4x.0.0/27 and 10.4x.0.0/26 (both private)).
I can confirm from the ESXi CLI that I am able to ping the default GW of each subnet; however, from F5 I am only able to ping 10.13x.x.x/26, as I have added 10.13x.x as the default route.
So in F5 VE I have tried to create a trunk with NICs 1.1 (internal) and 1.3 (HA), but I am unable to assign the trunk to a VLAN, getting the error "vLAN needs to be assign to one interface". After reading through some articles, it does suggest VE does support trunking; however, in my case I am unable to do so.
Can someone please tell me whether F5 13.0 VE does support trunking, or if I am missing something?
Hi. Do you have a management interface configured? I think the CLI uses it.
Yes I do, that is how I can get on the CLI and/or GUI.
Hi. Never tried to use VLANs on VE, don't know if supported.
Why don't you start with a simple config? Management on eth0, public on eth1 and a private network on eth2, for example. After it works you can add VLANs and maybe the question will answer itself.
What I can give you is a sample routing table of my VE (simple deployment like the previous example):
Destination     Gateway          Genmask          Flags  Metric  Ref  Use  Iface
127.1.1.0       *                255.255.255.0    U      0       0    0    tmm
192.168.112.0   *                255.255.255.0    U      0       0    0    internal
192.168.113.0   192.168.112.127  255.255.255.0    UG     0       0    0    internal
192.168.113.0   *                255.255.255.0    U      0       0    0    eth0
192.168.111.0   *                255.255.255.0    U      0       0    0    external
127.7.0.0       tmm-shared       255.255.0.0      UG     0       0    0    tmm
127.20.0.0      *                255.255.0.0      U      0       0    0    tmm_bp
default         192.168.111.127  0.0.0.0          UG     0       0    0    external
default         192.168.113.183  0.0.0.0          UG     9       0    0    eth0
In F5, the network adapter mapping is:
In VMware, VLAN tagging in the VM is only supported if the vSwitch is defined with VLAN ID 4095.
Look at this documentation:
F5 VE does not support trunks (link aggregation). This feature is only supported on hardware appliances.
I think he is talking about Cisco interfaces in trunk mode (VLAN tagging).
Nice research about VMs, I didn't know tagging could be done this way, directly on the VM Ethernet adapter.
I agree with you about the misunderstanding with trunks. That's why I talked about both features.
Even if VMware supports VM VLAN tagging, I recommend adding network adapters to the virtual appliance instead of using VLAN tagging.
VMware supports up to 10 virtual adapters per VM.
This is what I've always done with generic VMs... So, can VMnet adapters be added to F5 VE? Because maybe it is an easy way to solve this question: add adapters, one per VLAN needed.
Of course you can add network adapters.
Look at this documentation about how to add new adapters.
Thanks guys, last night I did manage to ping all the private VLANs from the F5 CLI after deleting all the NICs from the VE downloaded from the F5 website and re-adding them. For external it is still not possible, as the ESXi host doesn't have any physical connection between ESXi and the switch responsible for external traffic.
This is not the only issue I am facing; the bigger issue is that the infrastructure MGMT network and the F5 MGMT network are sitting on the same network, and the infrastructure MGMT is also used to route traffic to all the MGMT devices, i.e. DNS/AD etc. So I am unable to add a route for all internal traffic to use the same default GW, because that is also the F5 MGMT IP.
I will have to do something like this - https://devcentral.f5.com/questions/management-external-networks-on-same-subnet-physical-network - which will be time consuming, unless anyone has any other ideas?
I have done three setups and two work without using the mgmt interface (one of these two is an HA pair). It is not a problem. You can manage through any other interface's self IP. All you need to do is allow ports in port lockdown, I think.
Hi Sergi Munyoz, thanks for that, that is what I am trying to do now; if I can get to MGMT using one of the private VLANs I can then change the F5 MGMT network.
Do you know whether I will need to create a forwarding VIP after I have created the VLAN and assigned the self IP with the Allow Default option?
No VIP needs to be involved.
You have interfaces, then create an internal VLAN linked to that interface, and then a self IP linked to the VLAN. On this self IP set the option to allow default or allow any, and you can get into the GUI or CLI. Of course you need to add a route to reach the real mgmt network from this IP to get traffic between them.
Thanks, so this is what I tried. CLI into F5 VE from ESXi:
Set F5 MGMT to the 192.168.1.2/24 network (this network is unreachable)
TMSH into F5 and ran the following command:
tmsh create net self Internal address 10.xx.xx.245/26 traffic-group traffic-group-local-only vlan internal allow-service all
and created a route:
create /net route 10.0.0.0/8 gw 10.xx.xx.193
However, I am unable to ping 10.xx.xx.245 or to ping out of the F5...
Am I doing something wrong?
Please note gw 10.xx.xx.193 is the real MGMT gw for the infrastructure.
Why did you delete all the existing NICs?
I advised you to create new NICs, not to delete the existing ones.
Depending on the version you downloaded, you may be in "Single NIC" mode.
The best solution is to re-import the OVA.
In VMware, create as many VLANs as required and link them to the ESXi physical interface.
Then, in the F5 VM parameters, create X new adapters as required and map them to:
In the F5 configuration, create VLANs with properties:
This part is wrong!!!!!!!
In VE, do not assign the same interface to multiple VLANs.
Follow my previous comment to create new VMware VLANs, and assign them to F5 VE vNICs.
create /net route 10.0.0.0/8 gw 10.xx.xx.193
Maybe it is a problem with the mask... /8 seems to overlap with
tmsh create net self Internal address 10.xx.xx.245/26
Or directly a problem with VLANs and interfaces, as Stanislas says.
Looks like I have managed to get this working - thanks to you all for your inputs. I am able to ping the internal private VLANs.
Why did I have all this confusion? Unfortunately I am helping a site without much knowledge about the network (remotely helping out).
Started all over again after re-importing the OVF file, assigned the right vNICs (only have two physical NICs: private, trunked at the router, and public). MGMT, Internal and HA assigned to private, and External to public.
Assigned the MGMT IP to the F5 VE.
GUI into F5 using the MGMT IP, activated the license and installed additional modules.
Created VLANs as follows:
vLAN_Private_1 assigned to int 1.1
vLAN_Private_2 assigned to int 1.1
vLAN_External_1 assigned to int 1.2
vLAN_Others_1 assigned to int 1.3 --> technically this isn't in use
Created self IPs for the private VLANs:
vLAN_Private_1_selfIP 10.xxx.xxx.66/27 vLAN_Private_1 port lockdown default
vLAN_Private_2_selfIP 10.xxx.xxx.226/27 vLAN_Private_2 port lockdown default
vLAN_External_2_selfIP xxx.xxx.xxx.124/28 vLAN_External_1 port lockdown none
At this point I am able to ping vLAN_Private_1 and vLAN_Private_2 from the F5 CLI.
Created VIPs for the internal network to get to vLAN_Private_1 and vLAN_Private_2 - this is important to have, else you won't be able to ping from outside the F5 into the F5, and this will also allow getting to the F5 MGMT portal:
src 10.0.0.0/8 dst 10.xxx.xxx.64/27 enable vlan vLAN_Private_1
src 10.0.0.0/8 dst 10.xxx.xxx.224/27 enable vlan vLAN_Private_2
At this point I was able to ping 10.xxx.xxx.66 and 10.xxx.xxx.226 (the self IP for each private VLAN) from the MGMT network, i.e. 10.xxx.xxx.218. I also did a tcpdump to make sure that the traffic is getting into the F5 from 10.xxx.xxx.218.
Now moving on to external traffic out from the F5.
Created default route:
External_route src 0.0.0.0 mask 0.0.0.0 gw xxx.xxx.xxx.113
At this point I have tried to ping the GW xxx.xxx.xxx.113 - I am unable to do so.
Does anyone know how to resolve this?
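The VLAN, self IP, forwarding virtual server and default route steps described in the thread (Sergi's interface -> VLAN -> self IP -> route sequence and the final working post), written out as tmsh commands, followed by the checks that narrow down the still-open "cannot ping the gateway" question. This is an added example, not configuration posted by anyone in the thread. VLAN names, interface numbers and the External_route name follow the final post; the addresses (10.0.1.64/27, 10.0.2.224/27, 203.0.113.112/28) are documentation ranges standing in for the masked values, the VLAN tags 101/102 and the virtual server names fwd_Private_1/fwd_Private_2 are placeholders, and the lines starting with # are annotations for the reader rather than tmsh input.

```tmsh
# Two VLANs on the same vNIC (1.1) have to be tagged, so the ESXi port group
# for that vNIC must pass tags (VLAN ID 4095, as noted earlier in the thread).
# The external VLAN rides untagged on its own vNIC (1.2).
create net vlan vLAN_Private_1  tag 101 interfaces add { 1.1 { tagged } }
create net vlan vLAN_Private_2  tag 102 interfaces add { 1.1 { tagged } }
create net vlan vLAN_External_1         interfaces add { 1.2 { untagged } }

# Self IPs. Port lockdown "default" on the private VLANs lets the box be managed
# through them (ssh/https/snmp/ha services); "none" on the external side means
# the Internet-facing address answers only for virtual servers, not for the host.
create net self vLAN_Private_1_selfIP  address 10.0.1.66/27      vlan vLAN_Private_1  allow-service default traffic-group traffic-group-local-only
create net self vLAN_Private_2_selfIP  address 10.0.2.226/27     vlan vLAN_Private_2  allow-service default traffic-group traffic-group-local-only
create net self vLAN_External_1_selfIP address 203.0.113.124/28  vlan vLAN_External_1 allow-service none    traffic-group traffic-group-local-only

# IP-forwarding virtual servers for the two private subnets, as in the final
# post. Scoping them by source 10.0.0.0/8 and by listening VLAN keeps them from
# ever forwarding anything that arrives on the external VLAN.
create ltm virtual fwd_Private_1 destination 10.0.1.64:any  mask 255.255.255.224 source 10.0.0.0/8 ip-forward ip-protocol any vlans-enabled vlans add { vLAN_Private_1 }
create ltm virtual fwd_Private_2 destination 10.0.2.224:any mask 255.255.255.224 source 10.0.0.0/8 ip-forward ip-protocol any vlans-enabled vlans add { vLAN_Private_2 }

# Default route for the data plane (TMM), via the external gateway.
create net route External_route network default gw 203.0.113.113

save sys config

# Checks. The route table should show "default" via 203.0.113.113 on
# vLAN_External_1, and the gateway entry in the ARP table should carry a MAC
# address. An "incomplete" entry means the ARP request never got an answer,
# i.e. there is no layer-2 path from vNIC 1.2 to the gateway (wrong port group,
# vSwitch not uplinked to the external switch, or the VLAN mismatch described
# in the thread), which is exactly the symptom of an unpingable gateway.
show net route
show net arp
show net vlan vLAN_External_1
```

To see whether the ARP request actually leaves the box and whether anything comes back, run `tcpdump -ni vLAN_External_1 arp or icmp` in the BIG-IP bash shell while pinging the gateway; requests with no replies point at the VMware side, no requests at all point at the F5 VLAN/self IP configuration.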