Loadbalancing Two Environments Internal/External?

Question

Hello all, we just got a pair of new 8400's 9.x and we are trying to consolidate our 2 CSM loadbalancing environments Internal/External on this new LTM platform. We have a total of 16 vlans and subnets on this box (4 VIPS/RIPS each external &amp; 4 VIPS/RIPS each Internal respectively). On the external we are hanging off of several DMZ's on our FWSM and used as one gateway. On the internal we are using our core MSFC as our other gateway. The Servers are not able to initiate connections from behind the loadbalancer to talk to our DNS servers internally. I then realized that I have routes to consider, but are wondering how will I be able to route to multiple gateways (FWSM or MSFC) based on source IP or network? For example if a server initiates a connection in the Prod-External (10.1.24.100) it's gateway will always be FWSM (10.1.22.1) respective to its VIP. Not sure where to begin, hope this makes sense or if theres an easier way to accomplish this??? Please Help! &nbsp;
&nbsp;EXTERNAL:&nbsp;
&nbsp;Prod-External
&nbsp;VIP 10.1.22.0/23 =&gt; Gateway 10.1.22.1 (FWSM)
&nbsp;RIP 10.1.24.0/23&nbsp;
&nbsp;UAT-External
&nbsp;VIP 10.1.32.0/23 =&gt; Gateway 10.1.32.1 (FWSM)
&nbsp;RIP 10.1.34.0/23&nbsp;
&nbsp;QA-External
&nbsp;VIP 10.1.42.0/23 =&gt; Gateway 10.1.42.1 (FWSM)
&nbsp;RIP 10.1.44.0/23&nbsp;
&nbsp;DEV-External
&nbsp;VIP 10.1.52.0/23 =&gt; Gateway 10.1.52.1 (FWSM)
&nbsp;RIP 10.1.54.0/23&nbsp;
&nbsp;INTERNAL:&nbsp;
&nbsp;Prod-Internal
&nbsp;VIP 172.16.22.0/23 =&gt; Gateway 172.16.22.1 (MSFC)
&nbsp;RIP 172.16.24.0/23&nbsp;
&nbsp;UAT-Internal
&nbsp;VIP 172.16.32.0/23 =&gt; Gateway 172.16.32.1 (MSFC)
&nbsp;RIP 172.16.34.0/23&nbsp;
&nbsp;QA-Internal
&nbsp;VIP 172.16.42.0/23 =&gt; Gateway 172.16.42.1 (MSFC)
&nbsp;RIP 172.16.44.0/23&nbsp;
&nbsp;DEV-Internal
&nbsp;VIP 172.16.52.0/23 =&gt; Gateway 172.16.52.1 (MSFC)
&nbsp;RIP 172.16.54.0/23

jrahm · Answer

Consider this thread and post back with your questions:&nbsp;
&nbsp;http://devcentral.f5.com/default.aspx?tabid=53&amp;forumid=5&amp;postid=7784&amp;view=topic Click here

jcmattos_41723 · Answer

Thx Citizen! I saw that posting earlier, but if im not doing SNAT can I still use this script to potentially create 8 different gateways, sourcing from 8 different source addresses? Not sure how to get started, sorry for being new to the whole irules thing?&nbsp;
&nbsp;class snat_gw {
&nbsp;"snat_IP1 gw_IP1"
&nbsp;"snat_IP2 gw_IP2"
&nbsp;"snat_IP3 gw_IP3"
&nbsp;"........ ......"
&nbsp;"snat_IP12 gw_IP12"
&nbsp;}&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;set my_gw [findclass [IP::client_addr] $::snat_gw " "]
&nbsp;if { $my_gw ne "" } {
&nbsp;node $my_gw
&nbsp;} else { discard }
&nbsp;}&nbsp;&nbsp;

jrahm · Answer

yeah, those snat refs can just as easily be the source subnets...&nbsp;
&nbsp;You could do some string manipulation on the client_addr so that you could utilize a single class, otherwise you'll need something a little more sophisticated like Hoolio's suggestion in this post:&nbsp;
&nbsp;http://devcentral.f5.com/Default.aspx?tabid=53&amp;forumid=5&amp;tpage=1&amp;view=topic&amp;postid=1637616376 Click here

jcmattos_41723 · Answer

Awesome! Does this irule look good citizen? And do I still need a class statement or Data group list for this? Just to confirm I just apply this irule to a wildcard virtual server to all ports and lock down the vlans to inside vlans only? I'm trying to do everything thru the GUI not much of CLI guy...Thx a bunch!&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;if { [IP::addr [IP::remote_addr] equals "10.0.24.0/23"] ne 0} {node 10.0.22.1}
&nbsp;elseif { [IP::addr [IP::remote_addr] equals "10.0.34.0/23"] ne 0} {node 10.0.32.1}
&nbsp;elseif { [IP::addr [IP::remote_addr] equals "10.0.44.0/23"] ne 0} {node 10.0.42.1}
&nbsp;elseif { [IP::addr [IP::remote_addr] equals "10.0.54.0/23"] ne 0} {node 10.0.52.1}
&nbsp;elseif { [IP::addr [IP::remote_addr] equals "172.24.24.0/23"] ne 0} {node 172.24.22.1}
&nbsp;elseif { [IP::addr [IP::remote_addr] equals "172.24.34.0/23"] ne 0} {node 172.24.32.1}
&nbsp;elseif { [IP::addr [IP::remote_addr] equals "172.24.44.0/23"] ne 0} {node 172.24.42.1}
&nbsp;elseif { [IP::addr [IP::remote_addr] equals "172.24.54.0/23"] ne 0} {node 172.24.52.1}
&nbsp;else { discard }
&nbsp;}&nbsp;

jcmattos_41723 · Answer

Thx Citizen it looks like it worked! However, now I am not able to ping the loadbalanced servers from the rest of the network? How do I still continue to gain all port access to the servers directly from the anywhere? Is there something Im missing? Please Help!

Forum Discussion

Loadbalancing Two Environments Internal/External?

8 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Create isolated environment for internal and external networks

Create F5 BIG-IP Next Instance on Proxmox Virtual Environment

Redirecting to an external site when the internal site is down

Multi-Stores Citrix environment BIG-IP APM

iRules Development Environment