Forum Discussion

ed_torres_18109
Feb 11, 2015

Regarding interfacing F5 5250v to an HSRP Pair

Fellows,

We have one F5-5250 unit installed in each data center (2 DCs). I need to better understand the right way to connect the BIG-IP interfaces to the Cisco 3550 HSRP pair. SOL9487 explains the issues with HSRP/VRRP very well, but it is not clear on how the BIG-IP and the Cisco HSRP pair are connected.

We are thinking of connecting BIG-IP 1.1 to Router A and 1.2 to Router B, and then disabling auto_last_hop.

Is this the right way to connect the HSRP pair, or should we connect through a switch in between? That is, BIG-IP 1.1 to SW1, then SW1 to R A/B.

Appreciate your inputs...Thanks...ET

4 Replies

  • Hi Ed,

    AutoLastHop saves the ingress VLAN and peer MAC address in the connection table.

    This way, responses will be returned to the client along exactly the same path the request came in.

    It saves a routing table lookup and prevents asymmetric traffic flow.

    AutoLastHop will cause issues if the next hop MAC address becomes unavailable.

    As far as I understand, a router is not using the virtual MAC address to forward a packet but puts in its own MAC address as source. If the router becomes unavailable, the virtual server still tries to forward response packets to the disappeared MAC address and the connection will time out.

    From my perspective this issue primarily affects long-lasting connections.

    Turning off AutoLastHop requires looking up the BIG-IP's routing table to forward responses and probably has a performance impact.

    As the stored MAC address belongs to the router, it should not matter if there are additional layer 2 components between the BIG-IP and your router/firewall gear.

    Thanks, Stephan

  • Hi Stephan, great information, appreciated, thank you.

    When it comes to the right topology, would you think that best practice would be:

    1) Have a layer 2 switch between the BIG-IP and the router? For example, just have BIG-IP 1.1 attached to SW1 g0/1, and then SW1 g0/2, g0/3 attached to Router A/B respectively.

    2) Or, have the BIG-IP attached to Routers A/B directly (no devices in between). For example, BIG-IP 1.1 attached to Router A, and BIG-IP 1.2 attached to Router B. This topology would utilize 2 interfaces in the BIG-IP (1.1 & 1.2).

    Again, your comments are much appreciated...Thanks...ET

    • StephanManthey
      Hi Ed, since a couple of infrastructure components support virtual trunks/channels (aggregated links with LACP across multiple physical switches/routers acting as a single virtual switch/router), this becomes a more common approach from my perspective. I.e. this would mean having a trunk coming from a BIG-IP controller connected to two physical switches. TMOS currently does not have this virtual switch capability. This way you get redundant uplinks from each BIG-IP controller of your sync-failover device group. Alternatively I see U-shaped connectivity: this means there is a trunk (aka Cisco channel) between the routers and single trunks to get each load balancer connected. Using trunks provides link redundancy and increased throughput. Make sure to use LACP in active short mode to recognize link failures as soon as possible. Link availability can be used in HA groups to force traffic-group failover. If possible, avoid using spanning tree. Of course it may help in case two components fail, but it adds complexity and sometimes has interoperability issues. If you still want to mesh, just leave the BIG-IP in spanning tree pass-through mode. Additional switches are not necessary from my perspective. Thanks, Stephan
  • Adding to Stephan's detailed reply: there is also the concept of "Last Hop Pool" that you may consider using if one of your upstream routers fails. This gives the F5 the ability to route back to a backup router. May apply in your case.
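
The AutoLastHop failure mode described in the first reply, as a toy Python model added here (it is not code from the thread or from F5). The MAC addresses, class names and `simulate` function are constructed for illustration, and the model takes the reply's assumption that the router forwards packets with its own MAC address as source.

```python
from dataclasses import dataclass, field

# Constructed sample values. 00:00:0c:07:ac:XX is the HSRP version 1 virtual MAC format.
HSRP_VMAC = "00:00:0c:07:ac:01"
ROUTER_A_MAC = "02:00:00:00:00:0a"
ROUTER_B_MAC = "02:00:00:00:00:0b"

@dataclass
class HsrpPair:
    alive: set = field(default_factory=lambda: {ROUTER_A_MAC, ROUTER_B_MAC})
    active: str = ROUTER_A_MAC

    def fail_active(self):
        """Active router dies; the survivor now answers for the virtual MAC."""
        self.alive.discard(self.active)
        self.active = next(iter(self.alive))

    def accepts(self, dst_mac):
        """A frame is delivered if it targets a live router or the virtual MAC."""
        return dst_mac in self.alive or (dst_mac == HSRP_VMAC and bool(self.alive))

@dataclass
class LoadBalancer:
    auto_last_hop: bool
    conns: dict = field(default_factory=dict)  # conn id -> (ingress VLAN, peer MAC)

    def on_request(self, conn_id, vlan, src_mac):
        if self.auto_last_hop:
            self.conns[conn_id] = (vlan, src_mac)

    def return_mac(self, conn_id):
        if self.auto_last_hop:
            return self.conns[conn_id][1]  # reply to the MAC the request came from
        return HSRP_VMAC                   # route lookup: gateway is the HSRP virtual IP

def simulate(auto_last_hop):
    """Return (reply delivered before failover, reply delivered after failover)."""
    pair, lb = HsrpPair(), LoadBalancer(auto_last_hop)
    # Assumption from the reply: the request arrives with the router's own MAC as source.
    lb.on_request("c1", "external", pair.active)
    before = pair.accepts(lb.return_mac("c1"))
    pair.fail_active()
    after = pair.accepts(lb.return_mac("c1"))
    return before, after

if __name__ == "__main__":
    for mode in (True, False):
        print("auto_last_hop =", mode, "->", simulate(mode))
```

With AutoLastHop on, the established connection keeps replying to the failed router's own MAC after failover; with it off, replies follow the route to the HSRP virtual address and reach the surviving router.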