Network VS

Question

Hi,&nbsp;
I just tested VS with Destination set to 10.128.80.40/29.
According to subnet calc it gives me:
Network Address:10.128.80.40/29
Broadcast Address:10.128.80.47
First host:10.128.80.41
Last host:10.128.80.46&nbsp;
First of all by default VIP has ARP unchecked so no ARP replies and not possible to connect from client - why it's default setting? In what scenario this VS can be reached? When selfIP of LTM is set as default gateway on connecting host (or last hop), so for example we have route 10.128.20.40    255.255.255.248     10.128.10.10       1  where 10.128.10.10 is self IP on LTM?&nbsp;
Second I tried to access VS using 10.128.80.40 (network) and 10.128.80.47 (broadcast) and still can connect to http server behind LTM.&nbsp;
Is that by design? I was pretty sure that net and broadcast IPs would be excluded from host ip range?&nbsp;
One last issue - when network VS is created then in Virtual Address List there is no info that it's net ip not host ip, in case of example above I see only 10.128.80.40 entry without any mask specified - a bit misleading and making it hard to discern between host and net addresses.&nbsp;
Tested on 11.6.0HF4 VE.&nbsp;
Piotr&nbsp;

alex_rosier_197 · Answer

Hi Piotr, &nbsp;
I hope this is of some use to you. Here is my input... &nbsp;

First of all by default VIP has ARP unchecked so no ARP replies and not possible to connect from client - why it's default setting? &nbsp;

ICMP should be enabled by default and ARP is disabled. ICMP requires ARP so ARP is enabled regardless of whether the option is checked. I came across this is in the past and I am sure there is a good explanation for it on askF5. Can you ping the VIP IP  and if not, maybe worth taking a tcpdump to see what is happening at arp and icmp level.  &nbsp;

In what scenario this VS can be reached? &nbsp;

The VIP is reachable if the routing is in place whether you are connecting directly or via a route you defined. Remember the BIG-IP also needs to be able to reach the source host... &nbsp;

Second I tried to access VS using 10.128.80.40 (network) and 10.128.80.47 (broadcast) and still can connect to http server behind LTM. Is that by design? I was pretty sure that net and broadcast IPs would be excluded from host ip range?&nbsp;

Not sure how you have your VIP and self's configured. &nbsp;
Alex&nbsp;

dragonflymr · Answer

My Destination for VS is set to 10.128.80.40/29, with default setting for VIP (ARP unchecked, ICMP echo disabled) I can't ping IPs in defined subnet (10.128.80.41 - 46, at least excluding net and broadcast because as I mentioned both 10.128.80.40 and 47 can be reached), even if I have route to LTM self IP. However I can reach http site in this configuration - so for me it's working as hind of loopback network configured on LTM.

For above config (using LTM self IP as default gateway for defined subnet - on client computer) after setting ICMP Echo to Enabled and ARP unchecked IPs can be pinged. Of course when only ARP is enabled ping won't work.

When subnet is defined as part of network assigned via self IP then with ARP checked http can be reached, of course with ICMP Echo Enabled ping is working as well.

So only issues left is why net and broadcast IP (us of subnet definition) can be used to both access http and ping? Bug or by design?
Other flaw in GUI is that there is no indication that given VIP is network or host, no other way to figure out than looking at VS definition :-(

BTW, default setting for network VIP is both ARP unchecked and ICMP Echo disabled.

Piotr

P.S. Seems that Auto Delete setting for VIP is not working (11.6.0HF4 VE), after changing VS IP (no other VSs are using this IP) VIP is not deleted but set to Offline (Enabled) - The virtual address has no virtual servers. I assume that auto delete only works when VS is deleted and not when IP is changed - I think a bit incoherent, in both cases there is no VS using given VIP.

dragonflymr · Answer

I wonder what do they mean in description for Disabled ICMP Echo provided in GUI help:

Enables or disables responses to Internet Control Message Protocol (ICMP) echo requests on a per-virtual address basis. When enabled, the BIG-IP system intercepts ICMP echo request packets and responds to them directly. When disabled, the BIG-IP system passes ICMP echo requests through to the backend servers.

If for Disabled it passes ping to backend servers why it's never working for me - no ping replies with this setting? VS is using Auto Map for SNAT so I assume that ping should go to back end server and back via LTM to client? Anything special have to be set so pings will be passed to backend server?
There is as well option Selective for which there is no explanation in help (I found docs however) but it seems to not work. I set it and then Advertise Route to When all virtual servers for that virtual address are available. Then disabled only VS using this VIP - still I can ping VIP, same for When any virtual server for that virtual address is available. I assume that with both this settings and VS disabled ping should stop to work?

Piotr

Forum Discussion

Network VS

3 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Can iRule mask the payload content on event logs of security

Related Content

What is Multi-Cloud Networking?

Demo Guide & Video Series for F5 Distributed Cloud Network Connect (Multi-Cloud Networking)

Community Learning Path: Multi-Cloud Networking

A complete Multi-Cloud Networking walkthrough with F5 Distributed Cloud

F5 BIG-IP deployment with OpenShift - platform and networking options