What is wrong with this design?

Question

I'm trying to implement our F5 that we've had shelved for 3 years now. I have been unable to find the support and assistance needed from those who are tasked with providing it, so I figure that I'd ask the professionals here.  
&nbsp;    
&nbsp;  So I have a Cisco switching network with several VLAN's consecutively in range. Starting from VLAN 95 going to VLAN 105. Our servers are located on VLAN 100, with clients on the rest of the VLAN's. The F5 is intended to ballance internal network traffic from our 10.6 network. So the server would be at 10.6.100.xx with a client who needs access from 10.6.95.xx.  
&nbsp;    
&nbsp;  The network is built, everything is routing, but my problem is that I can assign an IP to the Management port where I can configure the F5, but I cannot get traffic to pass through the interfaces 1.1 - 1.4. I figured that I'd start with a simple test and use ports 1.3 and 1.4 in my test. These interfaces show that they're up. I've trunked my port to the switch on 1.4. And tagged VLAN 100 to the server on 1.3. But I cannot ping from the client to the server. Nor can the server ping to the gateway. So what could be the problem?

dennypayne · Answer

The management port cannot be on the same network as load-balanced traffic.  It is a NIC and not part of the switch fabric.  So that's the first problem.  You'll need to move the mgmt IP off the 10.6.100.x network. 
&nbsp;  
&nbsp; Ideally, you should have the LTM set up as a Layer 3 device with it having an external and an internal VLAN, with the servers on the internal VLAN, and the LTM's internal self-IP as the server's gateway. 
&nbsp;  
&nbsp; If that is not possible due to the need to re-IP servers and such, you could tag VLAN 100 on one of the switch ports (1.1 - 1.4) and set it up as a "one-armed" configuration, such that the virtual servers are also on the 10.6.100.x network with the real servers.  However you will need to SNAT to get the routing to work in that configuration (SNAT Automap is usually easiest). 
&nbsp;  
&nbsp; That should get you started, take a look on AskF5 for more configuration guides or post back if you need more help from that point. 
&nbsp;  
&nbsp; Denny

chuck_334 · Answer

Thank-you Thank-you Thank-you! 
&nbsp;  
&nbsp; That gets me started in the right direction. I can't believe that I missed that mistake! I've read through the installation and quickstart guides at AskF5, but there must have been a chapter missing in my PDF's because nothing came close to explaining this tiny pearl of wisdom!

Forum Discussion

What is wrong with this design?

2 Replies

Recent Discussions

iRule help masking IBM host URL/URI

Need advise to setup a policy on F5

Advise on setting up IRULE

Help with URL Masking

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

Related Content

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options

F5 BIGIP showing wrong time

Mitigating OWASP Web Application Risk: Insecure Design using F5 XC platform

Verified Design: SSL Orchestrator with Palo Alto NGFW Virtual Edition-Part 1

Verified Design: SSL Orchestrator with McAfee Web Gateway-Part 1