Currently i have one VIP which has 2 members in its pool. The members are 192.168.0.22:443 & 192.168.0.23:443. The IP of my VIP is a private IP address and the NAT translation happens on the firewall which is fine. Now, i need to create a new VIP for https with a different IP address and use the same members 192.168.0.22:443 & 192.168.0.23:443. Is that possible? I think i can use the same nodes but different ports. Please advise. Thanks in advance.

Now, i need to create a new VIP for https with a different IP address and use the same members 192.168.0.22:443 & 192.168.0.23:443. Is that possible? why not? :)

How will the return traffic know which VIP to go to? Suppose i have 2 VIP's with different IP addresses with same pool and pool members. What i think is that the nodes in the pool can be same i.e 192.168.0.22 & 192.168.0.23 but they need to communicate on different ports i.e. other than 443. I am not sure if using the same will work.

How will the return traffic know which VIP to go to? source port on serverside (between bigip and pool member) will be different.

Can we configure same members in different VIP's

16 Replies

nitass
Employee
Jun 29, 2014
Now, i need to create a new VIP for https with a different IP address and use the same members 192.168.0.22:443 & 192.168.0.23:443. Is that possible?

why not? :)
- Ajit
  Altostratus
  Jun 29, 2014
  How will the return traffic know which VIP to go to? Suppose i have 2 VIP's with different IP addresses with same pool and pool members. What i think is that the nodes in the pool can be same i.e 192.168.0.22 & 192.168.0.23 but they need to communicate on different ports i.e. other than 443. I am not sure if using the same will work.
nitass_89166
Noctilucent
Jun 29, 2014
Now, i need to create a new VIP for https with a different IP address and use the same members 192.168.0.22:443 & 192.168.0.23:443. Is that possible?

why not? :)
- Ajit
  Altostratus
  Jun 29, 2014
  How will the return traffic know which VIP to go to? Suppose i have 2 VIP's with different IP addresses with same pool and pool members. What i think is that the nodes in the pool can be same i.e 192.168.0.22 & 192.168.0.23 but they need to communicate on different ports i.e. other than 443. I am not sure if using the same will work.
nitass
Employee
Jun 29, 2014
How will the return traffic know which VIP to go to?

source port on serverside (between bigip and pool member) will be different.

nitass

Employee

Jun 29, 2014

e.g.

 config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar1
ltm virtual bar1 {
    destination 172.28.24.201:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 44
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar2
ltm virtual bar2 {
    destination 172.28.24.202:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 45
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}

 trace

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes

// bar1

12:25:16.007296 IP 172.28.24.1.38806 > 172.28.24.201.80: S 1487006438:1487006438(0) win 5840  in slot1/tmm0 lis=
12:25:16.007383 IP 172.28.24.201.80 > 172.28.24.1.38806: S 521107622:521107622(0) ack 1487006439 win 4380  out slot1/tmm0 lis=/Common/bar1
12:25:16.021530 IP 172.28.24.1.38806 > 172.28.24.201.80: . ack 1 win 5840  in slot1/tmm0 lis=/Common/bar1
12:25:16.023088 IP 172.28.24.1.38806 > 172.28.24.201.80: P 1:157(156) ack 1 win 5840  in slot1/tmm0 lis=/Common/bar1
12:25:16.023246 IP 172.28.24.201.80 > 172.28.24.1.38806: . ack 157 win 4536  out slot1/tmm0 lis=/Common/bar1
12:25:16.024639 IP 200.200.200.14.38806 > 200.200.200.101.80: S 2841845909:2841845909(0) win 4380  out slot1/tmm0 lis=/Common/bar1
12:25:16.378735 IP 200.200.200.101.80 > 200.200.200.14.38806: S 533865806:533865806(0) ack 2841845910 win 5792  in slot1/tmm0 lis=/Common/bar1
12:25:16.378767 IP 200.200.200.14.38806 > 200.200.200.101.80: . ack 1 win 4380  out slot1/tmm0 lis=/Common/bar1
12:25:16.378788 IP 200.200.200.14.38806 > 200.200.200.101.80: P 1:157(156) ack 1 win 4380  out slot1/tmm0 lis=/Common/bar1
12:25:16.584536 IP 200.200.200.101.80 > 200.200.200.14.38806: . ack 157 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:23.780423 IP 200.200.200.101.80 > 200.200.200.14.38806: P 1:244(243) ack 157 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:23.780494 IP 172.28.24.201.80 > 172.28.24.1.38806: P 1:244(243) ack 157 win 4536  out slot1/tmm0 lis=/Common/bar1
12:25:23.780503 IP 200.200.200.14.38806 > 200.200.200.101.80: . ack 244 win 4623  out slot1/tmm0 lis=/Common/bar1
12:25:23.782055 IP 172.28.24.1.38806 > 172.28.24.201.80: . ack 244 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:23.782329 IP 172.28.24.1.38806 > 172.28.24.201.80: F 157:157(0) ack 244 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:23.782329 IP 172.28.24.201.80 > 172.28.24.1.38806: . ack 158 win 4536  out slot1/tmm0 lis=/Common/bar1
12:25:23.782329 IP 200.200.200.14.38806 > 200.200.200.101.80: F 157:157(0) ack 244 win 4623  out slot1/tmm0 lis=/Common/bar1
12:25:23.849842 IP 200.200.200.101.80 > 200.200.200.14.38806: . ack 158 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:24.382187 IP 200.200.200.101.80 > 200.200.200.14.38806: F 244:244(0) ack 158 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:24.382248 IP 200.200.200.14.38806 > 200.200.200.101.80: . ack 245 win 4623  out slot1/tmm0 lis=/Common/bar1
12:25:24.382260 IP 172.28.24.201.80 > 172.28.24.1.38806: F 244:244(0) ack 158 win 4536  out slot1/tmm0 lis=/Common/bar1
12:25:24.383288 IP 172.28.24.1.38806 > 172.28.24.201.80: . ack 245 win 6432  in slot1/tmm0 lis=/Common/bar1

// bar2

12:25:35.223999 IP 172.28.24.1.60353 > 172.28.24.202.80: S 383028358:383028358(0) win 5840  in slot1/tmm1 lis=
12:25:35.224070 IP 172.28.24.202.80 > 172.28.24.1.60353: S 3453733638:3453733638(0) ack 383028359 win 4380  out slot1/tmm1 lis=/Common/bar2
12:25:35.225749 IP 172.28.24.1.60353 > 172.28.24.202.80: . ack 1 win 5840  in slot1/tmm1 lis=/Common/bar2
12:25:35.225923 IP 172.28.24.1.60353 > 172.28.24.202.80: P 1:157(156) ack 1 win 5840  in slot1/tmm1 lis=/Common/bar2
12:25:35.225985 IP 200.200.200.14.60353 > 200.200.200.101.80: S 3760426868:3760426868(0) win 4380  out slot1/tmm1 lis=/Common/bar2
12:25:35.225993 IP 172.28.24.202.80 > 172.28.24.1.60353: . ack 157 win 4536  out slot1/tmm1 lis=/Common/bar2
12:25:35.305729 IP 200.200.200.101.80 > 200.200.200.14.60353: S 1256281240:1256281240(0) ack 3760426869 win 5792  in slot1/tmm1 lis=/Common/bar2
12:25:35.305756 IP 200.200.200.14.60353 > 200.200.200.101.80: . ack 1 win 4380  out slot1/tmm1 lis=/Common/bar2
12:25:35.305775 IP 200.200.200.14.60353 > 200.200.200.101.80: P 1:157(156) ack 1 win 4380  out slot1/tmm1 lis=/Common/bar2
12:25:35.318241 IP 200.200.200.101.80 > 200.200.200.14.60353: . ack 157 win 6432  in slot1/tmm1 lis=/Common/bar2
12:25:36.095816 IP 200.200.200.101.80 > 200.200.200.14.60353: P 1:244(243) ack 157 win 6432  in slot1/tmm1 lis=/Common/bar2
12:25:36.095872 IP 172.28.24.202.80 > 172.28.24.1.60353: P 1:244(243) ack 157 win 4536  out slot1/tmm1 lis=/Common/bar2
12:25:36.095881 IP 200.200.200.14.60353 > 200.200.200.101.80: . ack 244 win 4623  out slot1/tmm1 lis=/Common/bar2
12:25:36.097815 IP 172.28.24.1.60353 > 172.28.24.202.80: . ack 244 win 6432  in slot1/tmm1 lis=/Common/bar2
12:25:36.098165 IP 172.28.24.1.60353 > 172.28.24.202.80: F 157:157(0) ack 244 win 6432  in slot1/tmm1 lis=/Common/bar2
12:25:36.098186 IP 172.28.24.202.80 > 172.28.24.1.60353: . ack 158 win 4536  out slot1/tmm1 lis=/Common/bar2
12:25:36.098194 IP 200.200.200.14.60353 > 200.200.200.101.80: F 157:157(0) ack 244 win 4623  out slot1/tmm1 lis=/Common/bar2
12:25:36.106357 IP 200.200.200.101.80 > 200.200.200.14.60353: F 244:244(0) ack 158 win 6432  in slot1/tmm1 lis=/Common/bar2
12:25:36.106393 IP 200.200.200.14.60353 > 200.200.200.101.80: . ack 245 win 4623  out slot1/tmm1 lis=/Common/bar2
12:25:36.106402 IP 172.28.24.202.80 > 172.28.24.1.60353: F 244:244(0) ack 158 win 4536  out slot1/tmm1 lis=/Common/bar2
12:25:36.108395 IP 172.28.24.1.60353 > 172.28.24.202.80: . ack 245 win 6432  in slot1/tmm1 lis=/Common/bar2

Ajit
Altostratus
Jun 29, 2014
Thanks a lot Nitass. You have answered my doubt perfectly. I only need to know if i need to enable SNAT automap in my VIP for this to work?
nitass
Employee
Jun 29, 2014
snat is not needed as long as pool member sends return traffic to bigip (e.g. bigip is its default gateway). in my lab, pool member default gateway is not bigip. so, i have to enable snat automap.
Ajit
Altostratus
Jun 29, 2014
Got it. Thanks a lot for your time & help. Appreciate it :)

nitass_89166

Noctilucent

Jun 29, 2014

e.g.

 config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar1
ltm virtual bar1 {
    destination 172.28.24.201:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 44
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar2
ltm virtual bar2 {
    destination 172.28.24.202:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 45
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}

 trace

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes

// bar1

12:25:16.007296 IP 172.28.24.1.38806 > 172.28.24.201.80: S 1487006438:1487006438(0) win 5840  in slot1/tmm0 lis=
12:25:16.007383 IP 172.28.24.201.80 > 172.28.24.1.38806: S 521107622:521107622(0) ack 1487006439 win 4380  out slot1/tmm0 lis=/Common/bar1
12:25:16.021530 IP 172.28.24.1.38806 > 172.28.24.201.80: . ack 1 win 5840  in slot1/tmm0 lis=/Common/bar1
12:25:16.023088 IP 172.28.24.1.38806 > 172.28.24.201.80: P 1:157(156) ack 1 win 5840  in slot1/tmm0 lis=/Common/bar1
12:25:16.023246 IP 172.28.24.201.80 > 172.28.24.1.38806: . ack 157 win 4536  out slot1/tmm0 lis=/Common/bar1
12:25:16.024639 IP 200.200.200.14.38806 > 200.200.200.101.80: S 2841845909:2841845909(0) win 4380  out slot1/tmm0 lis=/Common/bar1
12:25:16.378735 IP 200.200.200.101.80 > 200.200.200.14.38806: S 533865806:533865806(0) ack 2841845910 win 5792  in slot1/tmm0 lis=/Common/bar1
12:25:16.378767 IP 200.200.200.14.38806 > 200.200.200.101.80: . ack 1 win 4380  out slot1/tmm0 lis=/Common/bar1
12:25:16.378788 IP 200.200.200.14.38806 > 200.200.200.101.80: P 1:157(156) ack 1 win 4380  out slot1/tmm0 lis=/Common/bar1
12:25:16.584536 IP 200.200.200.101.80 > 200.200.200.14.38806: . ack 157 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:23.780423 IP 200.200.200.101.80 > 200.200.200.14.38806: P 1:244(243) ack 157 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:23.780494 IP 172.28.24.201.80 > 172.28.24.1.38806: P 1:244(243) ack 157 win 4536  out slot1/tmm0 lis=/Common/bar1
12:25:23.780503 IP 200.200.200.14.38806 > 200.200.200.101.80: . ack 244 win 4623  out slot1/tmm0 lis=/Common/bar1
12:25:23.782055 IP 172.28.24.1.38806 > 172.28.24.201.80: . ack 244 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:23.782329 IP 172.28.24.1.38806 > 172.28.24.201.80: F 157:157(0) ack 244 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:23.782329 IP 172.28.24.201.80 > 172.28.24.1.38806: . ack 158 win 4536  out slot1/tmm0 lis=/Common/bar1
12:25:23.782329 IP 200.200.200.14.38806 > 200.200.200.101.80: F 157:157(0) ack 244 win 4623  out slot1/tmm0 lis=/Common/bar1
12:25:23.849842 IP 200.200.200.101.80 > 200.200.200.14.38806: . ack 158 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:24.382187 IP 200.200.200.101.80 > 200.200.200.14.38806: F 244:244(0) ack 158 win 6432  in slot1/tmm0 lis=/Common/bar1
12:25:24.382248 IP 200.200.200.14.38806 > 200.200.200.101.80: . ack 245 win 4623  out slot1/tmm0 lis=/Common/bar1
12:25:24.382260 IP 172.28.24.201.80 > 172.28.24.1.38806: F 244:244(0) ack 158 win 4536  out slot1/tmm0 lis=/Common/bar1
12:25:24.383288 IP 172.28.24.1.38806 > 172.28.24.201.80: . ack 245 win 6432  in slot1/tmm0 lis=/Common/bar1

// bar2

12:25:35.223999 IP 172.28.24.1.60353 > 172.28.24.202.80: S 383028358:383028358(0) win 5840  in slot1/tmm1 lis=
12:25:35.224070 IP 172.28.24.202.80 > 172.28.24.1.60353: S 3453733638:3453733638(0) ack 383028359 win 4380  out slot1/tmm1 lis=/Common/bar2
12:25:35.225749 IP 172.28.24.1.60353 > 172.28.24.202.80: . ack 1 win 5840  in slot1/tmm1 lis=/Common/bar2
12:25:35.225923 IP 172.28.24.1.60353 > 172.28.24.202.80: P 1:157(156) ack 1 win 5840  in slot1/tmm1 lis=/Common/bar2
12:25:35.225985 IP 200.200.200.14.60353 > 200.200.200.101.80: S 3760426868:3760426868(0) win 4380  out slot1/tmm1 lis=/Common/bar2
12:25:35.225993 IP 172.28.24.202.80 > 172.28.24.1.60353: . ack 157 win 4536  out slot1/tmm1 lis=/Common/bar2
12:25:35.305729 IP 200.200.200.101.80 > 200.200.200.14.60353: S 1256281240:1256281240(0) ack 3760426869 win 5792  in slot1/tmm1 lis=/Common/bar2
12:25:35.305756 IP 200.200.200.14.60353 > 200.200.200.101.80: . ack 1 win 4380  out slot1/tmm1 lis=/Common/bar2
12:25:35.305775 IP 200.200.200.14.60353 > 200.200.200.101.80: P 1:157(156) ack 1 win 4380  out slot1/tmm1 lis=/Common/bar2
12:25:35.318241 IP 200.200.200.101.80 > 200.200.200.14.60353: . ack 157 win 6432  in slot1/tmm1 lis=/Common/bar2
12:25:36.095816 IP 200.200.200.101.80 > 200.200.200.14.60353: P 1:244(243) ack 157 win 6432  in slot1/tmm1 lis=/Common/bar2
12:25:36.095872 IP 172.28.24.202.80 > 172.28.24.1.60353: P 1:244(243) ack 157 win 4536  out slot1/tmm1 lis=/Common/bar2
12:25:36.095881 IP 200.200.200.14.60353 > 200.200.200.101.80: . ack 244 win 4623  out slot1/tmm1 lis=/Common/bar2
12:25:36.097815 IP 172.28.24.1.60353 > 172.28.24.202.80: . ack 244 win 6432  in slot1/tmm1 lis=/Common/bar2
12:25:36.098165 IP 172.28.24.1.60353 > 172.28.24.202.80: F 157:157(0) ack 244 win 6432  in slot1/tmm1 lis=/Common/bar2
12:25:36.098186 IP 172.28.24.202.80 > 172.28.24.1.60353: . ack 158 win 4536  out slot1/tmm1 lis=/Common/bar2
12:25:36.098194 IP 200.200.200.14.60353 > 200.200.200.101.80: F 157:157(0) ack 244 win 4623  out slot1/tmm1 lis=/Common/bar2
12:25:36.106357 IP 200.200.200.101.80 > 200.200.200.14.60353: F 244:244(0) ack 158 win 6432  in slot1/tmm1 lis=/Common/bar2
12:25:36.106393 IP 200.200.200.14.60353 > 200.200.200.101.80: . ack 245 win 4623  out slot1/tmm1 lis=/Common/bar2
12:25:36.106402 IP 172.28.24.202.80 > 172.28.24.1.60353: F 244:244(0) ack 158 win 4536  out slot1/tmm1 lis=/Common/bar2
12:25:36.108395 IP 172.28.24.1.60353 > 172.28.24.202.80: . ack 245 win 6432  in slot1/tmm1 lis=/Common/bar2

Ajit
Altostratus
Jun 29, 2014
Thanks a lot Nitass. You have answered my doubt perfectly. I only need to know if i need to enable SNAT automap in my VIP for this to work?
nitass_89166
Noctilucent
Jun 29, 2014
snat is not needed as long as pool member sends return traffic to bigip (e.g. bigip is its default gateway). in my lab, pool member default gateway is not bigip. so, i have to enable snat automap.
Ajit
Altostratus
Jun 29, 2014
Got it. Thanks a lot for your time & help. Appreciate it :)

nitass
Employee
Jun 30, 2014
will they be able to communicate with each other locally. i.e. If there is another PC/server in the same network 200.200.200.0/24 wants to access the websites bar1 & bar2.

in that case, you need snat (e.g. snat automap) to force return traffic from pool member going to bigip. otherwise, return traffic from pool member will go directly to client which will break a connection (asymmetric traffic).

How the internal return traffic will flow from loadbalancer? How will it identify which website to go to using the member 200.200.200.101:80 in this case?

it is the same concept i.e. source port on serverside will be different.

Forum Discussion

Can we configure same members in different VIP's

16 Replies

Recent Discussions

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

Need help on i-rule to specific uri path

Reverse Proxy Not Behaving

F5 terminal - help to run commands - disk space full

google autenticator broken barcode

Related Content

Differences between Disabled vs. Force Offline (Pool Member)

DevCentral's Featured Member for February - Edouard Zorrilla

Copper SFP Differences

DevCentral's Featured Member for March - Thomas Dahlmann

DevCentral's Featured Member for April - Mihai Cziraki