Forum Discussion

F5F5_50518
Nov 02, 2012

Why adding a self-IP broke the communication between VLANs

I am trying to understand why the communication between VLANs is broken after a new self-IP is added. I would very much appreciate your help.

Here is the F5 setup

================

F5 is a one-arm deployment; it is connected directly to a Cisco switch via 4 physical interfaces which are configured as a port-channel. This port-channel link is a trunk with all related VLANs allowed.

VLAN 15 10.1.15.0/24 is the external VLAN, where all VIPs are in this subnet.

VLAN 11 10.1.11.0/24 is one of the server VLANs, where all servers are configured to use F5 as the default GW.

VLAN 10 10.1.10.0/24 is the other server VLAN, where all servers are configured to use the Cisco layer 3 switch as the default GW. SNAT is enabled on the VIP if the real servers are in VLAN 10 to make sure the return traffic will come back to F5.

F5 is configured to use the IP address of VLAN 15 on the Cisco switch as the default GW.

Self-IP/floating IP is configured for VLAN 15 and VLAN 11 only.

We have "VS IP forwarding" configured for all VLANs as well.


Here is the problem

===================

Since there is no self-IP/floating IP in VLAN 10, SNAT will use the self-IP in the other VLANs to translate the source IP. So I added the self/floating IP in VLAN 10. But after that, we found that a server in VLAN 11 could not communicate with a server in VLAN 10. I tried to understand why and whether there is a way to fix this.


Here are my questions

===================

1. Based on our setup, when a server in VLAN 11 sends a SYN to a server in VLAN 10, the SYN packet will be routed directly from VLAN 11 to VLAN 10 on F5. But the SYN-ACK from the server in VLAN 10 back to VLAN 11 will come into F5 from VLAN 15 and needs to be sent out on VLAN 11. It looks like F5 will drop this packet. I did a packet capture on F5; I did not see the SYN packet, but I did see the SYN-ACK and then a RST packet. So, in the above scenario, should F5 drop the packet because the packet came back from VLAN 15 instead of VLAN 10?

2. In our setup, is it possible to let SNAT use an IP in VLAN 10 when the packet will be load-balanced to the servers in VLAN 10?

Thanks for your help.

-Kevin
2 Replies

  • have you tried this?

    sol13558: Allowing asymmetric routed connections across multiple VLANs (11.x)

    http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13558.html
  • Thanks a lot Nitass.

    I took a look at the link you provided. It sounds like the solution I am looking for.

    Could you please take a look at my following questions regarding this solution.

    1. Which VS should I apply the FastL4 profile to?

    The asymmetric routed connections in our scenario do not need load balancing. F5 here is more like a router for the traffic between VLAN 10 and VLAN 11. Should I apply the "FastL4 Profile" to the "IP forwarding VS" only?

    2. Since the solution requires disabling "Packet Velocity ASIC", is there any performance impact here?

    3. Is it a best practice to allow asymmetric routed connections across multiple VLANs whenever F5 will be the default gateway for real servers and route the traffic across multiple VLANs? (It is very likely to have asymmetric routing in this case.)

    I would very much appreciate your help.

    -Kevin
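To illustrate question 1 of the original post and the asymmetric-routing solution the replies point at, here is a small Python model added by the editor; it is not code from the post, from F5 or from the linked solution. It wires up the three VLANs from the post with constructed host addresses, gives F5 a flow table that records the VLAN each connection left on, and shows that adding a self-IP on VLAN 10 moves the SYN onto a direct VLAN 11 to VLAN 10 path while the SYN-ACK still comes back through the Cisco on VLAN 15, so a strict flow check drops it. The Cisco's route for 10.1.11.0/24 via F5's VLAN 15 address, the `allow_asymmetric` switch standing in for the loosened flow check of sol13558, and the exact drop rule are assumptions, not the real devices' behaviour.

```python
"""Constructed model of the one-arm F5 topology from the thread (simplified, not F5 code)."""
import ipaddress
from dataclasses import dataclass, field

VLANS = {  # subnets from the post
    15: ipaddress.ip_network("10.1.15.0/24"),  # external, VIPs live here
    11: ipaddress.ip_network("10.1.11.0/24"),  # servers with F5 as default gateway
    10: ipaddress.ip_network("10.1.10.0/24"),  # servers with the Cisco L3 switch as default gateway
}
F5_DEFAULT_GW_VLAN = 15  # F5's default route points at the Cisco's VLAN 15 address (from the post)


def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is not in a known VLAN")


@dataclass
class Packet:
    src: str
    dst: str
    flags: str


@dataclass
class F5:
    """Forwarding virtual server with a connection (flow) table."""
    self_ip_vlans: set                # VLANs on which a self-IP exists
    allow_asymmetric: bool = False    # hypothetical switch: accept replies from an unexpected VLAN
    flows: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def route(self, dst):
        """Directly connected if a self-IP exists on that VLAN, otherwise via the default gateway."""
        v = vlan_of(dst)
        return v if v in self.self_ip_vlans else F5_DEFAULT_GW_VLAN

    def forward(self, pkt, ingress_vlan):
        """Return the egress VLAN, or None if the packet is dropped."""
        key = frozenset((pkt.src, pkt.dst))
        flow = self.flows.get(key)
        if flow is None:
            # First packet creates the flow and records the path it took.
            egress = self.route(pkt.dst)
            self.flows[key] = {"initiator": pkt.src, "in": ingress_vlan, "out": egress}
            self.log.append(f"{pkt.flags} {pkt.src}->{pkt.dst}: new flow, in vlan{ingress_vlan} out vlan{egress}")
            return egress
        # A reply is expected back on the VLAN the original packet left on (assumed strict check).
        expected = flow["in"] if pkt.src == flow["initiator"] else flow["out"]
        if ingress_vlan != expected and not self.allow_asymmetric:
            self.log.append(f"{pkt.flags} {pkt.src}->{pkt.dst}: arrived on vlan{ingress_vlan}, "
                            f"flow expects vlan{expected}: DROP")
            return None
        egress = self.route(pkt.dst)
        self.log.append(f"{pkt.flags} {pkt.src}->{pkt.dst}: matched flow, out vlan{egress}")
        return egress


def cisco_next_hop(dst):
    """Cisco L3 switch: VLAN 10 and VLAN 15 are connected; 10.1.11.0/24 is reached via F5 on VLAN 15.
    That route is an assumption consistent with the post's observation that the SYN-ACK enters F5 on VLAN 15."""
    v = vlan_of(dst)
    return ("connected", v) if v in (10, 15) else ("f5", 15)


def handshake(self_ip_vlans, allow_asymmetric=False):
    """Simulate SYN (VLAN 11 -> VLAN 10) and the SYN-ACK back; host addresses are constructed."""
    f5 = F5(set(self_ip_vlans), allow_asymmetric)
    client, server = "10.1.11.50", "10.1.10.50"
    # SYN: the VLAN 11 host's gateway is F5, so the packet enters F5 on VLAN 11.
    syn_out = f5.forward(Packet(client, server, "SYN"), ingress_vlan=11)
    # If F5 handed it to the Cisco on VLAN 15, the Cisco delivers it into connected VLAN 10;
    # the server sees the SYN either way.
    # SYN-ACK: the VLAN 10 host's gateway is the Cisco, which routes 10.1.11.0/24 back to F5 on VLAN 15.
    _, cisco_vlan = cisco_next_hop(client)
    synack_out = f5.forward(Packet(server, client, "SYN-ACK"), ingress_vlan=cisco_vlan)
    return syn_out, synack_out, f5.log


if __name__ == "__main__":
    cases = [("before self-IP on VLAN 10", {15, 11}, False),
             ("after self-IP on VLAN 10 (strict)", {15, 11, 10}, False),
             ("after self-IP on VLAN 10 (asymmetric allowed)", {15, 11, 10}, True)]
    for label, vlans, loose in cases:
        syn_out, synack_out, log = handshake(vlans, loose)
        print(f"--- {label}: SYN out vlan{syn_out}, SYN-ACK out {synack_out}")
        for line in log:
            print("   ", line)
```

Running it shows the three states the thread describes: with self-IPs only on VLAN 15 and 11, both the SYN and the SYN-ACK pass through VLAN 15 and the flow is symmetric; once a self-IP exists on VLAN 10, the SYN leaves on VLAN 10 but the SYN-ACK arrives on VLAN 15 and the strict check drops it, which matches the capture of a SYN-ACK followed by a RST; with the asymmetric switch on, the same SYN-ACK is forwarded out VLAN 11.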