Forum Discussion

dragonflymr
Feb 24, 2015

Address Translation and LB VSs

Hi,

I am a bit puzzled about what the scenario could be when a VS using a pool has Address Translation disabled. If there is a pool with members behind it, then without Address Translation those members cannot be reached. So when does disabling this option make sense?

Piotr

 

3 Replies

  • Hamish

    It makes sense when you want the BigIP to be 'transparent' to the traffic. Two scenarios are

     

    1. When building a firewall-sandwich
    2. Acting as a router (effectively the same as 1)
    3. When running a VS and the pool members can't handle NAT'ing (Specific to the protocol usually). The VS IP is usually configured on the loopback address of the pool member, and is sometimes termed n-path

    H

     

  • I'm also a little puzzled by this. Some of my VS's are showing dns entries while others show the IP. Not sure how to disable this, since all of the VS's have DNS entries. Let me know if you figure that out at all!

     

  • Hi,

    I hope I finally figured it out, but if somebody with experience can confirm, I will appreciate it a lot. Here is my idea based on L2 nPath routing.

    1. Incoming packet: src.ip is some external client, dst.ip is 172.16.1.1
    2. Router has a route setting 10.1.1.10 as gateway for 172.16.1.1
    3. Router is doing ARP for 10.1.1.10 and sending the packet to the self IP on BIG-IP
    4. Internally BIG-IP routes the packet to VIP 172.16.1.1 (address and port translation disabled)
    5. Now I am not sure what IPs are defined for pool members, but I assume 10.1.1.11 and 10.1.1.12
    6. If the above is true, BIG-IP is treating both pool members as gateways and, based on IP-MAC address mapping, is sending the packet to one of the pool members using the defined LB method - so src.ip and dst.ip are still as in the original packet, but dst.mac is one of the MACs used by a pool member
    7. Receiving server is internally routing the packet to the loopback with 172.16.1.1 assigned
    8. Then the server is responding using 172.16.1.1 as src.ip (dst.ip from the incoming packet) and the client IP as dst.ip (src.ip from the original packet)
    9. So for the client, traffic is coming from the correct source address and the connection is established

    What I do not understand in the mentioned docs is:

    1. Is the loopback interface really not participating in the ARP protocol - from docs I found on the Internet it looks like a physical interface receiving an ARP request for an IP defined on loopback will reply with its own MAC

    2. Why should Auto Last Hop be enabled (Connection.Autolasthop enable) - my understanding is that this setting is related to returning packets, and for nPath returning packets are not going back via BIG-IP

    3. Is it possible to configure nPath when the VIP and router are on the same network (then the target servers have to be on the same network as well) - there is such a note in the docs. But I can't imagine how dst.ip of the original packet can be preserved as src.ip for the returning packet?

    Piotr
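
A small model of the packet walk in steps 1-9 of the last post, added here as an illustration; it is not part of the thread and is not F5 code. The client IP and the MAC labels are constructed, the pool member IPs are the ones assumed in step 5, and the third case is a contrast that shows what a direct server reply looks like when the destination address was translated.

```python
from dataclasses import dataclass, replace

VIP = "172.16.1.1"                                  # virtual server address from the post
CLIENT_IP = "198.51.100.7"                          # constructed external client
BIGIP_MAC, ROUTER_MAC = "mac-bigip", "mac-router"   # constructed MAC labels
MEMBERS = {"10.1.1.11": "mac-srv1", "10.1.1.12": "mac-srv2"}  # IPs assumed in step 5

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

def bigip_forward(frame, member_ip, translate_address):
    """Steps 4-6: send to the chosen member; rewrite dst.ip only if translation is on."""
    dst_ip = member_ip if translate_address else frame.dst_ip
    return replace(frame, src_mac=BIGIP_MAC, dst_mac=MEMBERS[member_ip], dst_ip=dst_ip)

def server_reply(frame, member_ip, loopback_ips=()):
    """Steps 7-8: accept only frames for a local address, then answer the
    client directly through the router (the reply does not cross BIG-IP)."""
    if frame.dst_mac != MEMBERS[member_ip]:
        return None                      # frame was addressed to another host
    if frame.dst_ip not in {member_ip, *loopback_ips}:
        return None                      # dst.ip is not a local address: dropped
    return Frame(MEMBERS[member_ip], ROUTER_MAC, frame.dst_ip, frame.src_ip)

def client_accepts(request, reply):
    """Step 9: the reply must come from the address the client connected to."""
    return (reply is not None and reply.src_ip == request.dst_ip
            and reply.dst_ip == request.src_ip)

def run(translate_address, loopback_ips, member_ip="10.1.1.11"):
    request = Frame(ROUTER_MAC, BIGIP_MAC, CLIENT_IP, VIP)   # steps 1-3
    forwarded = bigip_forward(request, member_ip, translate_address)
    reply = server_reply(forwarded, member_ip, loopback_ips)
    return forwarded, reply, client_accepts(request, reply)

if __name__ == "__main__":
    cases = [("nPath: no translation, VIP on loopback", False, (VIP,)),
             ("no translation, VIP missing on server", False, ()),
             ("translation on, direct server return", True, ())]
    for label, translate, loopbacks in cases:
        forwarded, reply, ok = run(translate, loopbacks)
        print(f"{label}: to_server={forwarded.dst_ip} "
              f"reply_src={reply.src_ip if reply else 'dropped'} accepted={ok}")
```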