To which VLAN object belongs

Question

Hi,&nbsp;
I am curious how VLAN object relation is working, specifically how VLAN/object inheritance is working for Auto Last Hop (ALH) setting. According to docs VIP, SNAT/NAT objects are inheriting setting from VLAN they belong to. 
My understanding is that object is belonging to given VLAN based on comparison of object IP and VLAN IP/mask.
It is most often quite obvious but what if:&nbsp;

VIP is defined with IP not belonging to any self IP/mask of VLAN - like when VIP is reache by using self IP as destination for given route and not belonging to directly attached network - will ALH setting be inherited from VLAN of self IP via which packet arrived?

For SNAT object - will ALH be inherited from VLAN via which packet with src addr equal to Origin addr arirved?&nbsp;

What about NAT object - it is creating both src and dst listeners - will VLAN it belongs depend on from where packet originating, so when packet match Origin addr one VLAN will be the one defining inheritance and when dst IP equals dst IP other VLAN will be source of ALH setting?

Piotr&nbsp;

hamish · Answer

Auto last hop always saves the inbound interface and src MAC from the packet. It doesn't matter what you have defined for IP's on VLANs. &nbsp;
BigIP also (Unless you disable it) insists on the outbound and return packets for outbound connections (bigip-server) coming over the same interface... And the client-VS connection is a separate connection from BigIP-Server. It's  proxy. Whether you're translating the big-server connection IP's or not... Think of it as two connections and you'll have a better chance of understanding what it's all about.&nbsp;
H&nbsp;

dragonflymr · Answer

Well, I know that ALH is always used, my question was more about how AHL is inherited. If given VIP is not assigned to VLAN because it has different IP that self IP/netmask of VLAN then which VLAN is parent from which ALH is inherited? Or it's dynamic and when packet is arriving via given VLAN and internally passed to given (not VLAN assigned) VIP then VLAN receiving packet becomes VLAN for unassigned VIP, and VIP is inheriting ALH setting from this VLAN (dynamically nor statically)?
That is bout statement in doscs that with when VIP, SNAT or NAT has ALH set to Default, setting for parent VLAN is inherited - but which VLAN is parent?&nbsp;
Piotr&nbsp;

hamish · Answer

I'm not sure what you mean by inherited... A packet comes in... And if the destination mates a VS, and if the VS has auto-last-hop enabled, then when the connection goes into the connection table, the inbound interface and src MAC is saved... There's no inheritance here...&nbsp;
VS's aren't really associated with a VLAN... There's no parent. There may be a VLAN that includes the VS IP address in the network that is configured on it (Depending on how you configure your bigip and your routing), but that's not used for ALH. It has no relationship...&nbsp;
H&nbsp;

stephanmanthey · Answer

Hi Piotr,
it does not matter where a virtual address (used by virtual server or NAT) is located.
It can be a virtual address space on the BIG-IP to be reached via a self IP (used as next hop).
All these addresses don´t need to belong to locally attached networks and it is not necessary to define "loopback" interfaces for them.
As long as you do not disable the Auto Last Hop functionality, the inbound VLAN and MAC address where the initiating packet came from, will be stored in the connection table. 
The connection table dump with the "all-properties" option will show this information as well for NAT and SNAT configurations ("tmsh show sys conn cs-client-addr  all-properties"). 
As mentioned in earlier posts I try to avoid the so called Default SNAT configurations and make very little use of NAT configurations. Whenever possible I´m using virtual servers to handle traffic as they provide much more granular control.
Thanks, Stephan

dragonflymr · Answer

Thanks, Mathey, know that those looks as stupid questions, but I am filling uncorfotable when I can't understand how things are working, will do some tst and try to figure it out.&nbsp;
Piotr&nbsp;

Forum Discussion

To which VLAN object belongs

6 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

OWASP Tactical Access Defense Series: Broken Object Property Level Authorization and BIG-IP APM

Duplicating BIG-IP Objects

Using shared object with BigIP

OWASP Tactical Access Defense Series: Broken Object Level Authorization and BIG-IP APM

AS3 referencing objects across applications