Sumanta_88744
Sep 07, 2014

Creating an active-active DSC configuration with OSPF routing on 11.x

Hi Experts

I have to do a deployment of active/active VIPRION 2400 chassis, running 2250 blades. As per the link below, we need to create two traffic groups for each VLAN. How will the default routing work from the server pool if there are two VLAN floating gateways? Can the two different floating VIPs be part of the same subnet?

Also, is it mandatory to have the OSPF self IP peer part of any floating traffic group? Will it also receive traffic even if it is part of the local traffic group instead?

(http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-device-service-clustering-11-2-1/3.html)

  • In order to use active-active you must use SNAT. Then default routing does not come into play. The return address will be the server side floating IP address of whichever traffic group passed the traffic. The return path to the client will use auto-lasthop feature.

    Each traffic group must have a unique floating IP address assigned to it. They can be consecutive addresses in the same subnet. When traffic passes through a VS using a virtual address assigned to a traffic group then address translation will use the floating IP address assigned to that traffic group as the SNAT address for traffic on the way to the servers.

    • Sumanta_88744
      Thanks Kevin, I was wondering how server pool would behave in case of two different VIPs (default gateway of the servers) in two Traffic Groups. Also, I was thinking if the F5 OSPF peer (both for upstream/downstream routers) has to be on self IP (part of local traffic group) or has to be on VIP in one of the floating traffic groups (traffic group - 1 or traffic group - 2)? As per doc, Active/active DSC mandates creation of more than one traffic group and then shifting the second traffic group to be active on the F5 LB unit 2. So, shall we create the self IPs (running OSPF) and make them part of traffic groups or keep them as local traffic group only? In case of /30 segment, we can only create local traffic group (single self IP per LB). For floating traffic groups, we need /29 or more IP subnet for including self and the floating VIPs. The network design is such that both units receive traffic from OSPF neighbors. We also have VCMP enabled, if needed at all in this scenario. There is also the consideration of internal server pool having two gateways for 2 different TG.
    • Sumanta_88744
      Also, Kevin, SNAT cannot be enabled since we need to preserve source IP information for logging purposes.
    • mimlo_61970
      I believe Kevin is correct that you must use SNAT for active/active configurations. It is the only way to ensure the response traffic returns through the same LTM. If these are http/https websites, you can use the x-forwarded-for header to pass the original IP information to the server for logging purposes.
  • Sumanta, you said: "There is also the consideration of internal server pool having two gateways for 2 different TG."

    That is what the SNAT is for; it is a requirement when setting up an active-active HA config. For http traffic you can enable X-Forwarded-For header in LTM http profile to retain the client's source IP.

    Also be aware that auto lasthop is enabled by default and overrides L3 routing decisions on LTM. See: SOL13876

  • Sumanta,

    Regarding the OSPF config, I am not 100% sure; however, I believe that since you are in active-active mode, both LTMs will need to advertise their VIPs as host routes, which would mean using the non-floating self-ip on each LTM for OSPF adjacency.

  • Sumanta,

    You should not have to advertise any routes for virtual servers. The router attached to that VLAN where the virtuals are listening should automatically advertise the attached network if it's participating in OSPF. When the traffic arrives at the router then it will forward the incoming traffic to the virtual server. Which F5 it goes to will depend entirely on which BIGIP is currently hosting that virtual server's address. This is determined by which BIGIP is active for the traffic group. This will automatically change when a failover occurs.

    Again, on the server side of the BIGIP, the adjacent router will advertise the attached network through OSPF. Traffic leaving the BIGIP towards the server will use SNAT to change the source address to the floating IP address of the traffic group (assumes SNAT automap). Again, this address is currently hosted by whichever BIGIP is currently hosting that floating IP address. This is determined by which BIGIP is active for the traffic group. This will automatically change when a failover occurs.

    There is no need to advertise specific routes for BIGIP traffic. The adjacent routers should look after all of that for you. The BIGIPs will respond based on which traffic groups they are currently hosting. This is all done at the MAC level in the attached VLANs.

    • Sumanta_88744
      Thanks Kevin, for the detailed explanation. I will be using static routing in the internal server pool segment. I will have two floating VIPs per LB in the same VLAN. Servers will forward traffic to default gateway of the traffic group active on LB1. Reverse traffic will flow based on the SNAT as you mentioned. Auto last hop needs to be enabled?
    • Kevin_Davies_40
      Yes, auto last hop should always be enabled. It means you do not have to provide routes back to the client. I am surprised you have any routes at all if the servers are in the same VLAN. You only need routes if your servers are in a network elsewhere. If servers are talking to a VIP they will go to that VIP's address. If there is return traffic from a server it will go to the SNAT address. If, however, you are doing forwarding virtual servers then you need to tell us as they have special requirements.
    • Sumanta_88744
      Yes, I have forwarding vs. One for default next-hop, non-http traffic. It should follow the path received by OSPF routing protocol. The other one is for redirecting http traffic to internal server pool.
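
On the X-Forwarded-For suggestion in the replies above, an added example (not from the thread or from F5): how a pool member could choose the address to log once SNAT makes every connection arrive from a traffic group's floating self IP. The addresses, the function name and the assumption that the load balancer's inserted value is the last X-Forwarded-For value the server receives are illustrative.

```python
import ipaddress

# Assumption (constructed values): the server-side floating self IPs of the two
# traffic groups, i.e. the only source addresses a SNATed connection can have.
TRUSTED_SNAT_ADDRS = {
    ipaddress.ip_address("10.10.20.5"),  # floating self IP, traffic-group-1
    ipaddress.ip_address("10.10.20.6"),  # floating self IP, traffic-group-2
}


def client_ip_for_log(peer_addr, xff_values):
    """Return the address to write to the access log for one request.

    peer_addr  -- TCP source address seen by the server
    xff_values -- every X-Forwarded-For header value, in the order received
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_SNAT_ADDRS:
        # Connection did not come through the load balancer, so any
        # X-Forwarded-For header on it is client-supplied: ignore it.
        return str(peer)

    # Flatten repeated headers and comma-separated lists into one hop list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    if not hops:
        return str(peer)

    # Assumption: the load balancer's own value is the last one. Anything
    # before it was sent by the client and is not evidence of the source.
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        # Malformed value: log the SNAT address rather than raw header text.
        return str(peer)
```

Logging the raw header value alongside the chosen address keeps the evidence when the two disagree.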