How does the IP forwarding works ?

Question

Hi everyone,&nbsp;
&nbsp;I got a BIGIP LTM VE working after countless hours, however I still don't quite understand how come it works in terms of routing ... I hope some one can help me to understand the IP forwarding of this platform.&nbsp;
&nbsp;Here is my setup, all the VM are on a single ESX server with vswitch&nbsp;
&nbsp; Web_server1------vlan 52-----BIGIP --------Vlan 52--------IP cloud -----------Vlan 100 -------Testing Client
&nbsp;                                                |
&nbsp; Web_server1------vlan52---------&nbsp;
&nbsp;All the three NIC on BIGIP is in Vlan 52 network.&nbsp;
&nbsp;I configured 192.168.1.1 as the selfip on 1.1 interface, and two web servers are using it as the default gateway, it is working, but how come it works ?&nbsp;
&nbsp;1. All the web servers and self IP are in 192.168.1.0/24 network
&nbsp;2. the virtual IP is in 10.0.0.0/24 network, there is no other route configured
&nbsp;3. the management IP is in 10.0.0.0/24 network, with a default route&nbsp;
&nbsp;When I send a HTTP request to the webserver, my source IP is not in any of the subnet that BIGIP is aware of, so I guess it needs a default route to return to me, but I didn't configure it anywhere, the only default route configuration is for the management port.&nbsp;
&nbsp;How come it works ?&nbsp;
&nbsp;Thanks a lot&nbsp;
&nbsp;Harry.&nbsp;

hooleylist · Answer

Hi Harry, 
&nbsp;  
&nbsp; If all of the NICs are on the same subnet, you should be able to define a single VLAN and add the port(s) to the VLAN.  You probably don't need to use multiple VM interfaces unless that's somehow adding resilience on the physical network. 
&nbsp;  
&nbsp; On a normal LTM appliance, you wouldn't be able to define a virtual server on the management subnet.  I assumed that would also be the case for the LTM virtual edition.  I'd guess your scenario is working because TMM is using the management default route. 
&nbsp;  
&nbsp; I would suggest defining the virtual servers on a switch port (vlan 52) and not using the management subnet.  You can define a TMM route via the GUI under Networking &gt;&gt; Routes.  For details on mgmt and TMM routing, you can check SOL 
&nbsp;  
&nbsp; SOL3669: Overview of management interface routing  
&nbsp; http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3669.html 
&nbsp;  
&nbsp; Aaron

superblue1999_8 · Answer

Hi Aron, 
&nbsp;  
&nbsp; Thanks for the reply. 
&nbsp;  
&nbsp; I modified my lab, now I have separate VLANs for internal, external and management, now my lab is broken if I access the virtual IP from another subnet other than the external VLAN. 
&nbsp;  
&nbsp; I configured the default route, and now the routing table look like this: 
&nbsp;  
&nbsp; [root@test-f5:Active] config  bigpipe route show 
&nbsp; ROUTE default inet 
&nbsp; |     VLAN External   static 
&nbsp; ROUTE 10.0.0.0/24 
&nbsp; |     VLAN External   connected 
&nbsp; ROUTE 127.1.1.0/24 
&nbsp; |     VLAN tmm0   connected 
&nbsp; ROUTE 192.168.1.0/24 
&nbsp; |     VLAN Internal   connected 
&nbsp; ROUTE fe80::/64 
&nbsp; |     VLAN tmm0   connected 
&nbsp; ROUTE fe80::%vlan4093/64 
&nbsp; |     VLAN External   connected 
&nbsp; ROUTE fe80::%vlan4094/64 
&nbsp; |     VLAN Internal   connected 
&nbsp; ROUTE ff02::/64 
&nbsp; |     VLAN tmm0   auto 
&nbsp; ROUTE ff02::%vlan4093/64 
&nbsp; |     VLAN External   auto 
&nbsp; ROUTE ff02::%vlan4094/64 
&nbsp; |     VLAN Internal   auto 
&nbsp;  
&nbsp;  
&nbsp; if it is a Cisco router, I expect the default route should have a next-hop IP, so when it forwards the traffic, it knows where to forward to, in F5 routing table, it looks there is no next hop, only the VLAN, how can the F5 box knows the mac-address to encap the packet ? 
&nbsp;  
&nbsp; Sorry if this question is too obvious, I am digging F5 from scratch,  and have no background what so ever : -0 
&nbsp;  
&nbsp; Harry.

superblue1999_8 · Answer

hmm, it looks it can work without any routing configured, I removed all the routing and only leave with connected interface, and I can still access the VIP from outside. 
&nbsp;  
&nbsp; is this some kind of F5 magic ? 
&nbsp;  
&nbsp; [root@test-f5:Active] config  bigpipe route show 
&nbsp; ROUTE 10.0.0.0/24 
&nbsp; |     VLAN External   connected 
&nbsp; ROUTE 127.1.1.0/24 
&nbsp; |     VLAN tmm0   connected 
&nbsp; ROUTE 192.168.1.0/24 
&nbsp; |     VLAN Internal   connected 
&nbsp; ROUTE fe80::/64 
&nbsp; |     VLAN tmm0   connected 
&nbsp; ROUTE fe80::%vlan4093/64 
&nbsp; |     VLAN External   connected 
&nbsp; ROUTE fe80::%vlan4094/64 
&nbsp; |     VLAN Internal   connected 
&nbsp; ROUTE ff02::/64 
&nbsp; |     VLAN tmm0   auto 
&nbsp; ROUTE ff02::%vlan4093/64 
&nbsp; |     VLAN External   auto 
&nbsp; ROUTE ff02::%vlan4094/64 
&nbsp; |     VLAN Internal   auto 
&nbsp;  
&nbsp; there is no management route configured, but it seems still work.

viks_96432 · Answer

Did you manage to crack this ? I am also in a similar fix. I can't understand how F5 is routing requests for subnets that it's not aware of :(

Forum Discussion

How does the IP forwarding works ?

4 Replies

Recent Discussions

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Related Content

monitor does not work https

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

How does F5 AS3 really work under the hood?

APM - Software Check Antivirus does not work on Linux platforms

Does Big-IP forward layer 4 to pool servers?