Forum Discussion

Gabriel_V_13146
Oct 24, 2013

Basic network configuration with BIGIP VE

Hello all,

One thing is to physically plug wires into the network plugs, but having the possibility to run BIGIP as a Virtual Edition is great. I'm trying to run it in the AWS VPC network and am having a little trouble accessing the backend servers.

I've followed the F5 documentation http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-amazon-ec2-11-4-0.html

As far as I understand, I allowed all traffic between the backend server and BIGIP at the AWS VPC level.

Maybe it has nothing to do with BIGIP itself, but I hope somebody more experienced will notice.

AWS VPC network configuration: https://dl.dropboxusercontent.com/u/44802047/images/F5%20LTM.png

Trying to access the backend server:

    [root@f5:Active:Standalone] ~ ping 10.0.2.102
    PING 10.0.2.102 (10.0.2.102) 56(84) bytes of data.
    From 10.0.2.64 icmp_seq=2 Destination Host Unreachable

Is there anything I apparently forgot? If I run another EC2 instance with multiple network cards, I can ping the backend server with no problems.

Apparently I just forgot to configure something very stupidly simple. Any advice?

BIG-IP network configuration:

Interfaces

    Status  Name  MAC Address        Media Speed  VLAN Count  Trunk
    UP      1.1   16:25:72:97:d3:6d  10000        1
    UP      1.2   16:25:72:a2:fb:fa  10000        1


Self IP

    Name        Application  IP Address  Netmask        VLAN / Tunnel  Traffic Group  Partition / Path
    10.0.1.101               10.0.1.101  255.255.255.0  external       none           Common
    10.0.1.27                10.0.1.27   255.255.255.0  external       none           Common
    10.0.2.101               10.0.2.101  255.255.255.0  internal       none           Common
    10.0.2.64                10.0.2.64   255.255.255.0  internal       none           Common

VLAN

    Name      Application  Tag   Untagged Interfaces  Partition / Path
    external               4093  1.1                  Common
    internal               4094  1.2                  Common

Kernel IP routing table

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    127.1.1.0       *               255.255.255.0   U     0      0        0 tmm0
    127.3.0.0       *               255.255.255.0   U     0      0        0 mgmt_bp
    10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
    10.0.1.0        *               255.255.255.0   U     0      0        0 external
    10.0.2.0        *               255.255.255.0   U     0      0        0 internal

  • really, the AWS VPC network configuration is at https://dl.dropboxusercontent.com/u/44802047/images/F5%20LTM.png if it helps
  • Egor_33493
    Historic F5 Account

    I think using this ip addressing scheme your backends and the BIG-IP instance should be placed within the same VPC. Is this what you did?

     

  • Hello Egor, indeed, it's all in the same VPC (well, I am pretty sure it is how it should be) :) I'm installing it clean again, and I'll see if it helps.

     

    Gabriel

     

  • Ok, now it works. Apparently BIGIP cannot enforce its settings on the AWS network interfaces; we have to live with what we get from the infrastructure. So what helped:

     

    • disable the src/dest check on the network interfaces (the LTM translates only the destination by default, n'est-ce pas?)
    • NIC secondary IP addresses (used as a virtual server address) removed from the SelfIP list
    • stop / start the BIGIP instance

    I am not aware I did anything different.

     

    Carpe diem Gabriel

     

  • Egor_33493
    Historic F5 Account

    Hi. Good to hear that you resolved your problems.

     

    Yes, you can't just configure a BIG-IP with an IP address from a valid Amazon subnet and start using it. Any IP address you use should be configured on the Amazon side via Manage Private IP Addresses. What about BIG-IP floating self-IPs or failover? It works for me and afaik it's officially supported.

     

    src/dest check is a good point. Personally I prefer to use source address translation set to Auto Map for a virtual server if possible.
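
An added example, not part of the original thread and not F5 or AWS code: an offline audit of the two points the thread settles on, namely that every address the BIG-IP uses is assigned to an ENI on the AWS side, and how the ENI source/destination check relates to SNAT. The JSON is constructed in the shape of `aws ec2 describe-network-interfaces` output, the ENI ids are placeholders, and the `audit` function, its `snat_automap` flag and the finding names are hypothetical.

```python
import json

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output.
# ENI ids are placeholders; addresses mirror the Self IP table in the thread,
# with 10.0.2.64 deliberately left unassigned on the AWS side.
DESCRIBE_OUTPUT = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-EXAMPLE-ext", "SourceDestCheck": false,
   "PrivateIpAddresses": [
     {"PrivateIpAddress": "10.0.1.101", "Primary": true},
     {"PrivateIpAddress": "10.0.1.27", "Primary": false}]},
  {"NetworkInterfaceId": "eni-EXAMPLE-int", "SourceDestCheck": true,
   "PrivateIpAddresses": [
     {"PrivateIpAddress": "10.0.2.101", "Primary": true}]}
]}
""")

# Addresses configured on the BIG-IP (self IPs and virtual server addresses).
BIGIP_ADDRESSES = {
    "external": ["10.0.1.101", "10.0.1.27"],
    "internal": ["10.0.2.101", "10.0.2.64"],
}

def audit(describe_output, bigip_addresses, snat_automap=False):
    """Return sorted (finding, subject) tuples for the two checks in the thread."""
    enis = describe_output["NetworkInterfaces"]
    assigned = {a["PrivateIpAddress"] for e in enis
                for a in e.get("PrivateIpAddresses", [])}
    # Check 1: every address the BIG-IP uses must exist on an ENI in AWS.
    findings = [("ip-not-assigned-in-aws", f"{vlan}:{ip}")
                for vlan, ips in bigip_addresses.items()
                for ip in ips if ip not in assigned]
    for eni in enis:
        check_on = eni.get("SourceDestCheck", True)
        if check_on and not snat_automap:
            # Without SNAT the BIG-IP forwards packets that keep the client's
            # source address, which the ENI check drops.
            findings.append(("src-dest-check-enabled", eni["NetworkInterfaceId"]))
        elif not check_on and snat_automap:
            # Assumption: with Auto Map every packet carries one of the ENI's
            # own addresses as source or destination, so the check can stay on.
            findings.append(("src-dest-check-can-be-reenabled", eni["NetworkInterfaceId"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(DESCRIBE_OUTPUT, BIGIP_ADDRESSES):
        print(*finding)
```
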