Forum Discussion

cmard_195831 (Nimbostratus)
May 14, 2015

Is the routing on the F5 the same as on a router?

Hello,

I have an F5 and one of its interfaces is configured on a network, e.g. 128.1.1.0 subnet 255.255.255.0. On the same F5 I have another interface which is configured on the network 10.1.1.0 subnet 255.255.255.0. Between these interfaces there are two firewalls. I want a packet to travel from the 128.1.1.0 subnet to the 10.1.1.0 subnet VIA the firewalls. Is this feasible, or will the F5 act like a router and forward the packet internally to the other interface? This is why I am asking if the F5 is an expensive router as far as BIG-IP LTM routing is concerned. Thanks in advance.

18 Replies

    • cmard_195831
      Hello Nitass, the question I asked is not covered by the SOL described. On a PC with two adapters (OS is Unix), I configure two different subnets, i.e. two networks. I also connect these two interfaces (adapters on the PC) to a firewall which has rules that allow communication between the two subnets. I want to connect from one subnet to the other. Thus I can communicate from one subnet to the other one either internally or via the firewall (longer path). My packets will always STAY within the PC and never travel from the one subnet to the other via the firewall. Basic routing rules. Is the same functionality inherent in the F5? That's why I am asking if the F5 is an expensive form of a router. Thanks, BR
  • I want a packet to travel from the 128.1.1.0 subnet to the 10.1.1.0 subnet VIA the firewalls.

    You are talking about traffic from a device in the 128.1.1.0 subnet (not traffic from the BIG-IP itself), aren't you? And the default gateway of the device in the 128.1.1.0 subnet is the BIG-IP, isn't it?

    You can create a network virtual server (e.g. 10.1.1.0/24) listening on the 128.1.1.0 VLAN and use the firewall as its pool. So, when traffic matches the virtual server, it will be sent to the firewall.


    • cmard_195831
      No. I am referring to the configuration ON the F5 of two interfaces, e.g. 1.2 and 1.3. Interface 1.2 will have the IP 128.1.1.1 (belonging to VLAN X), and interface 1.3 will have the IP 10.1.1.1 (belonging to VLAN Y). These two interfaces are connected physically by a firewall, which has the needed rules for communication. I want to configure my F5 so that the packets leaving interface 1.2 go to interface 1.3 VIA the firewall. Question 1) Can this be done, OR will the F5 act as a router and, since it knows that the two subnets belong to the device, do an internal packet transfer without going to the outside world (i.e. via the firewall)? Thanks, BR
  • 1) Can this be done, OR will the F5 act as a router and, since it knows that the two subnets belong to the device, do an internal packet transfer without going to the outside world (i.e. via the firewall)?

    If you are talking about traffic that is initiated from the F5 (e.g. on the F5 CLI, ping 10.1.1.x), the F5 will use interface 1.3 (not interface 1.2) to send the ICMP out.

    If you are talking about traffic which is initiated from a device (not the F5) in the 128.1.1.0 subnet, the F5 can be configured to send traffic to the 10.1.1.0 subnet via the firewall, and it can also be configured to send traffic to the 10.1.1.0 subnet internally (not through the firewall).


    • cmard_195831
      Hello Nitass, I am talking about: "if you are talking about traffic which is initiated from a device (not the F5) in the 128.1.1.0 subnet, the F5 can be configured to send traffic to the 10.1.1.0 subnet via the firewall". How can this be done? Thanks, BR
  • Indeed this is what I mean. Can you please be more explicit as to how to configure this?

    The BIG-IP has 2 VLANs; one is external, which is in 172.28.24.0/24, and the other is v423, which is in 200.200.200.0/24. Virtual server bar is a network virtual server for 200.200.200.0/24, listening on the external VLAN. The pool is 172.28.24.254, which is the gateway in the external VLAN.

    When traffic matches virtual server bar, it will be forwarded to the gateway. You can check the MAC address in tcpdump.

     selfip
    
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list net self
    net self 172.28.24.14/24 {
        address 172.28.24.14/24
        allow-service {
            default
        }
        floating enabled
        traffic-group traffic-group-1
        unit 1
        vlan external
    }
    net self 200.200.200.14/24 {
        address 200.200.200.14/24
        allow-service {
            default
        }
        floating enabled
        traffic-group traffic-group-1
        unit 1
        vlan v423
    }
    
     configuration
    
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 200.200.200.0:0
        mask 255.255.255.0
        pool foo
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address disabled
        translate-port disabled
        vlans {
            external
        }
        vlans-enabled
        vs-index 8
    }
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            172.28.24.254:0 {
                address 172.28.24.254
            }
        }
    }
    
     test
    
    [root@ve11c:Active:In Sync] config  tcpdump -e -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    17:42:43.064595 00:50:56:b3:59:8d > 00:50:56:93:16:39, ethertype 802.1Q (0x8100), length 85: vlan 4093, p 0, ethertype IPv4, 172.28.24.1.52133 > 200.200.200.101.80: S 75537079:75537079(0) win 5840  in slot1/tmm1 lis=
    17:42:43.064682 00:50:56:93:16:39 > 00:01:e8:d5:d4:47, ethertype 802.1Q (0x8100), length 96: vlan 4093, p 0, ethertype IPv4, 172.28.24.14.52133 > 200.200.200.101.80: S 75537079:75537079(0) win 5840  out slot1/tmm1 lis=/Common/bar
    
     arp
    
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) show net arp 172.28.24.254
    ------------------------------------------------------------------------------------------
    Net::Arp
    Name           Address        HWaddress          Vlan              Expire-in-sec  Status
    ------------------------------------------------------------------------------------------
    172.28.24.254  172.28.24.254  00:01:e8:d5:d4:47  /Common/external  127            resolved
    
    • cmard_195831
      Hello Nitass, I will try this out and come back to you for any further clarification. BR
    • cmard_195831
      Hello Nitass, finally the penny dropped as to how the networking on the F5 works. Basically you need to attach a VS to the interface where the initiator traffic is coming in, in order to receive the data, and then the static routing will take care of from which interface and to where the packets will go. Thanks
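The following is an added, constructed model of the forwarding decision Nitass describes in the two replies above (the network virtual server with the firewall as its pool, and the "internally" alternative of a forwarding virtual with no pool); it is not F5 code and does not come from this thread. The class names `SelfIP`, `Virtual` and `BigIP`, the `routes` list and the `lab()` helper are assumptions made for the illustration; the IP addresses and VLAN names are the ones from the posted configuration. It deliberately ignores the connection table, host/port listeners and vlans-disabled.

```python
"""Simplified model of the BIG-IP LTM forwarding decision discussed in this thread.

Added illustration, not F5 code. It models self IPs, a network (forwarding)
virtual server whose only pool member is the firewall, an IP-forwarding virtual
server with no pool, and static routes. Addresses are from Nitass's lab output.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SelfIP:
    address: str            # e.g. "172.28.24.14/24"
    vlan: str
    floating: bool = True   # SNAT automap picks a floating self IP on the egress VLAN


@dataclass(frozen=True)
class Virtual:
    name: str
    destination: str                    # network listener, e.g. "200.200.200.0/24"
    vlans: Optional[frozenset] = None   # vlans-enabled list; None means every VLAN
    pool_member: Optional[str] = None   # None models a forwarding (IP) virtual
    snat_automap: bool = False


class BigIP:
    def __init__(self, selfips, virtuals, routes=()):
        self.selfips = list(selfips)
        self.virtuals = list(virtuals)
        self.routes = list(routes)      # (network, gateway) static routes (assumed shape)

    def connected(self, ip):
        """Self IP whose subnet contains ip (longest prefix), or None."""
        ip = ipaddress.ip_address(ip)
        best = None
        for s in self.selfips:
            net = ipaddress.ip_interface(s.address).network
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (s, net)
        return best[0] if best else None

    def route(self, dst):
        """Route-table lookup: static routes first, then connected subnets.
        Returns (next_hop, egress_vlan) or None when nothing reaches dst."""
        dst_ip = ipaddress.ip_address(dst)
        best = None
        for net, gw in self.routes:
            n = ipaddress.ip_network(net)
            if dst_ip in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, gw)
        next_hop = best[1] if best else dst
        s = self.connected(next_hop)
        return (next_hop, s.vlan) if s else None

    def floating_self(self, vlan):
        for s in self.selfips:
            if s.vlan == vlan and s.floating:
                return str(ipaddress.ip_interface(s.address).ip)
        raise LookupError(f"no floating self IP on VLAN {vlan}")

    def self_originated(self, dst):
        """Traffic the BIG-IP sends itself (ping from the CLI) only follows the route table."""
        r = self.route(dst)
        return r[1] if r else None

    def transit(self, ingress_vlan, src, dst):
        """Decision for a client packet arriving on ingress_vlan."""
        dst_ip = ipaddress.ip_address(dst)
        matches = [v for v in self.virtuals
                   if (v.vlans is None or ingress_vlan in v.vlans)
                   and dst_ip in ipaddress.ip_network(v.destination)]
        if not matches:
            # No listener on this VLAN: LTM is not a router, it drops what nothing listens for.
            return {"action": "drop", "reason": "no virtual server listening"}
        v = max(matches, key=lambda x: ipaddress.ip_network(x.destination).prefixlen)
        # A pool member (the firewall) overrides the route table; a forwarding
        # virtual with no pool lets the route table pick the next hop.
        r = self.route(v.pool_member or dst)
        if r is None:
            return {"action": "drop", "reason": "no route", "listener": v.name}
        next_hop, egress_vlan = r
        src = self.floating_self(egress_vlan) if v.snat_automap else src
        return {"action": "forward", "listener": v.name, "next_hop": next_hop,
                "egress_vlan": egress_vlan, "src": src}


LAB_SELFIPS = [SelfIP("172.28.24.14/24", "external"), SelfIP("200.200.200.14/24", "v423")]


def lab(via_firewall=True):
    """Nitass's lab: 'bar' sends 200.200.200.0/24 to firewall 172.28.24.254;
    the alternative ('fwd', assumed name) is a forwarding virtual that routes internally."""
    if via_firewall:
        vs = Virtual("bar", "200.200.200.0/24", frozenset({"external"}),
                     pool_member="172.28.24.254", snat_automap=True)
    else:
        vs = Virtual("fwd", "200.200.200.0/24", frozenset({"external"}))
    return BigIP(LAB_SELFIPS, [vs])


if __name__ == "__main__":
    for cfg in (True, False):
        print(cfg, lab(cfg).transit("external", "172.28.24.1", "200.200.200.101"))
    print("from v423:", lab().transit("v423", "200.200.200.101", "172.28.24.1"))
    print("from the BIG-IP itself:", lab().self_originated("200.200.200.101"))
```

With the firewall configuration the model returns the same thing the tcpdump above shows: the packet leaves on the external VLAN towards 172.28.24.254 (the MAC 00:01:e8:d5:d4:47 in the ARP table) with its source rewritten to the floating self IP 172.28.24.14. Two consequences worth checking in a real deployment: because of SNAT automap the firewall sees the BIG-IP's self IP, not the client address, as the source, so firewall rules must be written for that self IP; and a packet that arrives on a VLAN where no virtual server listens (the v423 case here) is dropped rather than routed, which is the real answer to "is the F5 a router".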