Forum Discussion

cd_312641
Oct 04, 2018

VS with another VS as Pool

Hello,

Just wanted to understand why a particular scenario I am testing is not working.

We have an F5 with a single Route Domain (0) and two VLANs (external and internal, with self and floating IPs for each). Routes are like this:

0.0.0.0/0 towards external network
RFC1918 nets towards internal network

For some applications, we would like to do something like this:

VS-External -> Pool-External (VS-Internal member)
VS-Internal -> Pool-Internal (Backend server)

This is not working. When doing a tcpdump, we see that after the client connection is accepted by VS-External, the internal self-IP is ARPing for the VS-Internal MAC address.

First of all, is this supposed to work? If not, why (from a theoretical point of view)?


2 Replies

  • So to be clear, your external pool member is a VIP address?

    I've heard people say that they've gotten this to work in some BIG-IP versions, but technically it isn't intended to work, and it has to do with the internal ARP between the VIPs.

    To get from one VIP to another, your best bet is to VIP target, which is a simple iRule command:

    when CLIENT_ACCEPTED {
        # Hand the accepted connection to VS-Internal inside TMM instead of
        # sending it to a pool member over the wire.
        virtual VS-Internal
    }


    Also, depending on your BIG-IP version, you can do this in an LTM CPM policy by configuring the policy to forward traffic to a virtual server.
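The VIP-targeting approach from the reply above, carried a step further as an added example (not code from the thread or from F5): VS-External hands every connection to VS-Internal by default, and for HTTP traffic an optional per-hostname override picks a different internal virtual. The virtual names, the string data group vs_by_host (hostname -> virtual-server name) and the chosen hostnames are all assumed for illustration.

```tcl
# Added example for VIP targeting; attach this iRule to VS-External.
# Assumptions (not from the thread): virtuals VS-Internal and
# VS-Internal-Legacy exist on the same BIG-IP and use the same transport
# protocol as VS-External; data group vs_by_host is a string-type data group
# mapping a lowercase hostname to a virtual-server name, e.g.
#   "legacy.example.test" := "VS-Internal-Legacy"

when CLIENT_ACCEPTED {
    # Default target: the connection is handed to VS-Internal within TMM, so
    # the internal self-IP never needs to ARP for the VS-Internal address and
    # Pool-External (the VS-as-pool-member construct) is no longer needed.
    virtual VS-Internal
}

when HTTP_REQUEST {
    # Optional refinement for HTTP virtuals: choose the internal virtual by
    # Host header. Only hostnames present in vs_by_host are redirected;
    # everything else keeps the CLIENT_ACCEPTED choice above.
    set host [string tolower [HTTP::host]]
    if { [class match $host equals vs_by_host] } {
        set target [class match -value $host equals vs_by_host]
        # Record the decision so the hand-off can be traced in /var/log/ltm
        # when troubleshooting (remove or lower the volume in production).
        log local0. "VIP target for $host -> $target"
        virtual $target
    }
}
```

After applying it, connection counters on VS-Internal (for example via `tmsh show ltm virtual VS-Internal`) should increase while no ARP requests for the VS-Internal address appear on the internal VLAN.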

  • I honestly don't recall the exact reason this doesn't work, but it had something to do with ARP. In any case, VIP targeting (using the 'virtual' command) is the recommended approach.