Per-VLAN default gateway (or, allowing access for hosts behind the LTM)
So I'm looking for a way (per-VLAN default GW or otherwise) to allow hosts behind an LTM, with multiple VLANs, to have internet access for updates, etc.
I found this article, and this video, and thought it fits my needs just about perfectly.
Well, I've been through a few iterations of the config and I can't get it to work. So this is what I have (I'm trying to get one VLAN/side working before moving on to configuring the other VLANs):
- LTM 5000s (two in active/active HA), BIG-IP 11.4.1 Build 637.0 Hotfix HF3
- 2 Windows 2008 R2 servers on HP DL380 with 2 Intel Xeons and gobs of memory running a Tomcat-powered application.
- Servers are on VLAN-A in subnet 10.31.57.x (57.103, 57.104) with the default gateway being the floating self-IP of the F5 (59.202).
- VLAN-X is a routable network (xxx.xxx.217.xxx); the self-IP is 217.181 and the GW is 217.129.
- Created a wildcard VS on VLAN-A with the 217.129 GW as a pool member.
- Enabled SNAT using 217.172.
- Created a forwarding VS on VLAN-X to allow traffic back to the 10.31.57 subnet.
tcpdumps on VLAN-A reveal that 57.103 attempts to go to yahoo.com, and tcpdumps on VLAN-X show the SNAT going to and from the 217.172 address. Automap gives the same results.
(snippets are not in sync)
08:27:36.005258 IP 98.139.183.24.http > 10.31.57.103.50587: R 0:0(0) ack 1 win 8192 out slot1/tmm7 lis=/Common/forwarding_vs flowtype=65 flowid=570661B61B00 peerid=570661B60B00 conflags=400CA4 inslot=3 inport=32 haunit=1 peerremote=00000000:00000000:0000FFFF:628BB718 peerlocal=00000000:00000000:0000FFFF:97BCD9B5 remoteport=80 localport=50587 proto=6 vlan=4090
08:27:36.005884 IP 10.31.57.103.50588 > 98.139.180.149.http: S 1984152259:1984152259(0) win 8192 in slot1/tmm2 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=3 inport=32 haunit=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
08:31:24.393004 IP 98.139.180.149.http > 151.188.217.172.50603: R 0:0(0) ack 1 win 8192 in slot1/tmm5 lis=/Common/forwarding_vs flowtype=129 flowid=570496B60F00 peerid=570496B60500 conflags=4002A4 inslot=3 inport=32 haunit=0 peerremote=00000000:00000000:0000FFFF:0A1F3967 peerlocal=00000000:00000000:0000FFFF:628BB495 remoteport=50603 localport=80 proto=6 vlan=4089
08:31:24.907433 IP 151.188.217.172.50603 > 98.139.180.149.http: S 160770431:160770431(0) win 8192 out slot1/tmm5 lis=/Common/forwarding_vs flowtype=129 flowid=570496B60F00 peerid=570496B60500 conflags=4002A4 inslot=3 inport=32 haunit=1 peerremote=00000000:00000000:0000FFFF:0A1F3967 peerlocal=00000000:00000000:0000FFFF:628BB495 remoteport=50603 localport=80 proto=6 vlan=4089
08:31:24.907536 IP 98.139.180.149.http > 151.188.217.172.50603: R 0:0(0) ack 1 win 8192 in slot1/tmm5 lis=/Common/forwarding_vs flowtype=129 flowid=570496B60F00 peerid=570496B60500 conflags=4002A4 inslot=3 inport=32 haunit=0 peerremote=00000000:00000000:0000FFFF:0A1F3967 peerlocal=00000000:00000000:0000FFFF:628BB495 remoteport=50603 localport=80 proto=6 vlan=4089
08:31:25.697439 802.1d unknown version
Note: load balancing involving these systems works.
I know I didn't give actual configs; I can give more detail, but I thought this would be a good start.
Again, I really just need the hosts behind the F5 to have internet access for web and windows updates.
Thanks
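For reference, the design described in the post (wildcard VS on the server VLAN with the upstream router as a gateway pool, a fixed SNAT address, and a forwarding VS back to the server subnet) written out as tmsh commands. This is an added example, not the poster's configuration; the object names, the VLAN names VLAN-A and VLAN-X, and X.X standing in for the masked leading octets are assumptions, and it keeps each listener bound to its own VLAN and scopes the inbound forwarding VS to the server subnet only.

```tmsh
# Added example (not the poster's config). Assumed names: gw_pool, outbound_snat,
# outbound_gw_vs, inbound_fwd_vs, VLAN-A, VLAN-X; X.X stands in for the masked octets.

# Upstream router on VLAN-X as a gateway pool, health-checked with ICMP
create ltm pool gw_pool members add { X.X.217.129:0 } monitor gateway_icmp

# Dedicated SNAT address on VLAN-X (the 217.172 address from the post)
create ltm snatpool outbound_snat members add { X.X.217.172 }

# Outbound: wildcard VS that listens only on VLAN-A, sends to the gateway pool,
# SNATs to 217.172 and leaves the destination address and port untouched
create ltm virtual outbound_gw_vs destination 0.0.0.0:0 mask any ip-protocol any profiles add { fastL4 } pool gw_pool source-address-translation { type snat pool outbound_snat } translate-address disabled translate-port disabled vlans add { VLAN-A } vlans-enabled

# Inbound: forwarding VS on VLAN-X scoped to the server subnet, so it only handles
# traffic destined for 10.31.57.0/24 and not the SNATed replies to 217.172
create ltm virtual inbound_fwd_vs destination 10.31.57.0:0 mask 255.255.255.0 ip-protocol any profiles add { fastL4 } ip-forward vlans add { VLAN-X } vlans-enabled

save sys config
```

With the listeners split this way, a tcpdump on VLAN-A should show the outbound SYN with lis= set to the outbound VS rather than empty, and replies on VLAN-X should arrive on that same flow.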