MarkB_125162
Jan 04, 2013

F5 Inter VLAN routing / forwarding

Hi,

My question relates to the basic functionality of the F5s when used with Layer 2 VLANs. Here’s the configuration I have to which the following questions relate:

Remote clients (network 1.1.1.0) -> Firewall -> (Layer 2 VLAN 1) -> F5 -> (Layer 2 VLAN 2) -> Servers (network 2.2.2.0)

The remote clients target the VIP address configured on VLAN 1. The F5 then load balances to the servers situated on VLAN 2.

On the client -> server leg, the destination IP address is changed to one of the server addresses (network 2.2.2.0), as a function of load balancing, when exiting the F5 at VLAN 2. As no SNATs are in use here, does the source address of the outbound packet also get changed to an F5 interface address or does it remain as set by the originating client (network 1.1.1.0)? I’m assuming that in the absence of SNAT, the source addresses should remain unchanged, as is typically the case with IP.

On the server -> client leg (return journey), and assuming the source address was not changed at the F5 on the inbound leg, how will the F5 forward traffic between VLANs 1 and 2? I’ve read a little about IP and MAC Forwarding VSs, but only in the context of the inbound traffic, where specific servers are to be targeted. Static routes may also be the answer to forward traffic destined for network 1.1.1.0 that originates at the server network 2.2.2.0, though I’d prefer not to treat the F5 as a router.

I’d probably be able to work most of this out with a bit of trial and error, coupled with some network captures. However, the environment in which I work is particularly locked down, making it difficult to investigate.

Any help much appreciated.

Thanks, Mark

 

2 Replies

  • Yes, the source IP for the server side connection will be the client IP if no SNAT is used. This creates a connection table entry. Assuming the device has a Self IP in VLAN1 and VLAN2, it'll route between the two just like a router, as long as a Virtual Server or NAT/SNAT has been created to handle the traffic.

    You only need a routing/forwarding VS if you want to route traffic not handled by a VS.

    For packets back to the client, the reverse occurs with everything changed back based on the connection table entry. Note that although it's easier to think of it that way, no NAT or PAT is occurring. The client connection is terminated and a new one created server-side, with a different destination address and possibly port.

    Note that as long as Auto Last Hop is enabled (which is the default) the return packets are sent to the originating MAC address. No route lookup is done.

    This all applies whether the client is on a VLAN configured on the F5 or ten hops away.
  • This is the AskF5 solution about Auto Last Hop that Steve mentioned.

    sol11796: Overview of the Auto Last Hop setting (9.x - 10.x)

    http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11796.html

    [root@ve10:Active] config  b virtual bar80 list
    virtual bar80 {
       pool foo
       destination 172.28.19.252:80
       ip protocol 6
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    
     On the BIG-IP, no routing is configured:
    
    [root@ve10:Active] config  b route list
    No Routing Table Entries were found.
    
     On the client (172.28.20.11), you can see that although no routing is configured on the BIG-IP, the BIG-IP is able to send return traffic back to the client properly. This is done by using the Auto Last Hop feature.
    
    client  curl -I http://172.28.19.252
    HTTP/1.1 200 OK
    Date: Fri, 04 Jan 2013 17:32:38 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
    ETag: "4183f3-59-f28f94c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    
     tcpdump on the BIG-IP:
    
    Lines (1) - (4) are on the client side (between client and BIG-IP). Lines (5) - (8) are on the server side (between BIG-IP and server).
    
    This solution might be helpful to understand how TCP is set up:
    
    sol8082: Overview of TCP connection set-up for BIG-IP LTM virtual server types
    http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    (1) 01:08:06.556968 IP 172.28.20.11.44684 > 172.28.19.252.80: S 2710000848:2710000848(0) win 14600 
    (2) 01:08:06.557007 IP 172.28.19.252.80 > 172.28.20.11.44684: S 3779632336:3779632336(0) ack 2710000849 win 4380 
    (3) 01:08:06.559934 IP 172.28.20.11.44684 > 172.28.19.252.80: . ack 1 win 115 
    (4) 01:08:06.559976 IP 172.28.20.11.44684 > 172.28.19.252.80: P 1:157(156) ack 1 win 115 
    (5) 01:08:06.560015 IP 172.28.20.11.44684 > 200.200.200.101.80: S 3998985522:3998985522(0) win 4380 
    (6) 01:08:06.560998 IP 200.200.200.101.80 > 172.28.20.11.44684: S 1193331176:1193331176(0) ack 3998985523 win 5792 
    (7) 01:08:06.561015 IP 172.28.20.11.44684 > 200.200.200.101.80: . ack 1 win 4380 
    (8) 01:08:06.561026 IP 172.28.20.11.44684 > 200.200.200.101.80: P 1:157(156) ack 1 win 4380 

    Hope this helps.
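The capture in this reply, read programmatically, as an added example that is not part of the original post or of F5's documentation: it parses the eight tcpdump lines quoted above (embedded here as constructed sample input) and checks the three properties the two replies describe, namely that the client IP:port is preserved on the server side (no SNAT), that the two legs are separate TCP connections with different ISNs (full proxy, not NAT), and that the server-side SYN is only sent after the client's request has arrived. The VIP and pool-member addresses are the ones from the reply's configuration.

```python
import re
# Constructed sample input: the eight tcpdump lines quoted in the reply above.
CAPTURE = """\
(1) 01:08:06.556968 IP 172.28.20.11.44684 > 172.28.19.252.80: S 2710000848:2710000848(0) win 14600
(2) 01:08:06.557007 IP 172.28.19.252.80 > 172.28.20.11.44684: S 3779632336:3779632336(0) ack 2710000849 win 4380
(3) 01:08:06.559934 IP 172.28.20.11.44684 > 172.28.19.252.80: . ack 1 win 115
(4) 01:08:06.559976 IP 172.28.20.11.44684 > 172.28.19.252.80: P 1:157(156) ack 1 win 115
(5) 01:08:06.560015 IP 172.28.20.11.44684 > 200.200.200.101.80: S 3998985522:3998985522(0) win 4380
(6) 01:08:06.560998 IP 200.200.200.101.80 > 172.28.20.11.44684: S 1193331176:1193331176(0) ack 3998985523 win 5792
(7) 01:08:06.561015 IP 172.28.20.11.44684 > 200.200.200.101.80: . ack 1 win 4380
(8) 01:08:06.561026 IP 172.28.20.11.44684 > 200.200.200.101.80: P 1:157(156) ack 1 win 4380
"""

# Classic tcpdump TCP line: "(n) ts IP a.b.c.d.port > a.b.c.d.port: FLAGS rest"
LINE_RE = re.compile(r"^\((\d+)\)\s+\S+\s+IP\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+(\S+)\s*(.*)$")
ISN_RE = re.compile(r"^(\d+):\d+\(0\)")  # absolute ISN shown on SYN / SYN-ACK lines

def parse_line(line):
    """One packet as a dict; 'syn' is True only for a pure SYN (no ack)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    n, src, sport, dst, dport, flags, rest = m.groups()
    isn = int(ISN_RE.match(rest).group(1)) if flags == "S" else None
    return {"n": int(n), "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "flags": flags, "isn": isn, "syn": flags == "S" and "ack" not in rest}

def legs(capture, vip, pool_member):
    """Return (client_leg, server_leg): a handshake summary for each side of the proxy."""
    pkts = [parse_line(ln) for ln in capture.strip().splitlines()]
    out = []
    for peer in (vip, pool_member):
        leg = [p for p in pkts if peer in (p["src"], p["dst"])]
        syn = next(p for p in leg if p["syn"])
        synack = next(p for p in leg if p["flags"] == "S" and not p["syn"])
        data = next(p for p in leg if p["flags"] == "P")
        out.append({"client_socket": (syn["src"], syn["sport"]), "client_isn": syn["isn"],
                    "peer_isn": synack["isn"], "syn_packet": syn["n"], "data_packet": data["n"]})
    return tuple(out)

def analyse(capture, vip="172.28.19.252", pool_member="200.200.200.101"):
    """Three checks that tell a full proxy without SNAT apart from NAT or plain routing."""
    c, s = legs(capture, vip, pool_member)
    return {
        # no SNAT: the pool member sees the real client IP:port, so its replies must still
        # reach the BIG-IP (Auto Last Hop, or a route on the server side)
        "source_preserved": c["client_socket"] == s["client_socket"],
        # full proxy: the server-side SYN carries a BIG-IP-chosen ISN, not the client's
        "separate_tcp_connections": c["client_isn"] != s["client_isn"],
        # standard VS with an HTTP profile: the server-side SYN follows the client's data
        "server_syn_after_client_data": s["syn_packet"] > c["data_packet"],
    }
```

If SNAT automap were enabled on the virtual server, `source_preserved` would be False because the server-side SYN would carry a BIG-IP self IP instead of 172.28.20.11.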