
Danny_Arroyo
Oct 07, 2014

How to generate traffic from a VIP on the F5

In many cases I am asked if I can generate traffic from a VIP on the F5. In other words, I am asked to initiate a communication from a VIP that exists on the F5. Let's say a VIP on the F5 was actually a Windows Server. I could run "telnet xxx.xxx.xxx.xxx" to initiate traffic from the Windows Server. Is there a way to generate traffic from the F5 and have it "look" like the traffic is coming from a VIP on the F5?

 

  • It is possible to have the source address of node-initiated outbound traffic appear to come from a vip. You will need to translate the server (node) source address to the vip on the way out. Nodes are not allowed, by default, to initiate connections out through the bigip.

    One way to allow this is to create a snat where the translation address=vip and the address list includes the server's source IP. Enable the snat on the source vlan only (the vlan where the server's outbound connection originates).

    Another method which allows outbound connections is the forwarding (ip) virtual server type. You will need a snat pool that contains the vip address. Assign that to the fwd(ip) VS. The fwd virtual allows you to control the destination to which the traffic is allowed and you could use iRules to perform more selective traffic processing. Again, enable the fwd VS only on the vlan where the node's connection is originating.

     

  • The only traffic I can think of that the F5 will generate are health checks, but those use the self IP as the source address. I don't know of any way to generate traffic from the F5 using the VIP's IP address as the source IP address. I am curious why you would want to do that?

     

    • Danny_Arroyo
      Our networking engineers have several VPN tunnels that go down at times. They prefer to bring the VPN tunnel back up by generating traffic that goes through the tunnel. Many of the VIPs on the F5 are on the allowed list to travel through the VPN tunnel. Therefore, we are looking for a way to generate some traffic from the F5 (bound for a destination on the other side of the VPN tunnel) that appears to be coming from one of the allowed VIPs on the F5.
  • Can't you have them allow the egress self IPs and create a dummy pool with a node address for the remote side of the tunnel and send an HTTP GET as the probe to the remote side? This would generate traffic.
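
The two outbound translation methods described in the first reply, sketched as tmsh commands. This is an added example, not part of any post in the thread. All object names, the VLAN name `internal`, and the addresses (192.0.2.10 as the VIP, 10.10.10.0/24 as the servers, 198.51.100.0/24 as the far side of the tunnel) are placeholder assumptions.

```tmsh
# Method 1: SNAT whose translation address is the VIP.
# "origins" is the address list of servers allowed to use it.
# vlans-enabled restricts the SNAT to the VLAN where the servers'
# outbound connections originate, so nothing else gets translated.
create ltm snat vip_outbound_snat \
    origins add { 10.10.10.0/24 } \
    translation 192.0.2.10 \
    vlans add { internal } \
    vlans-enabled

# Method 2: forwarding (IP) virtual server with a SNAT pool.
# The SNAT pool holds the VIP address.
create ltm snatpool vip_snatpool members add { 192.0.2.10 }

# The destination is limited to the remote tunnel network rather than
# 0.0.0.0/0, so the virtual only forwards traffic bound for that side.
# As with method 1, it listens only on the source VLAN.
create ltm virtual fwd_to_tunnel \
    destination 198.51.100.0:any \
    mask 255.255.255.0 \
    ip-forward \
    profiles add { fastL4 } \
    source-address-translation { type snat pool vip_snatpool } \
    vlans add { internal } \
    vlans-enabled

# Check that connections are hitting the translation, then persist.
show ltm snat vip_outbound_snat
show ltm virtual fwd_to_tunnel
save sys config
```

Use one method or the other for a given source network, not both. Keeping the origin list, destination, and enabled VLANs as narrow as possible limits which hosts can leave the BIG-IP with the VIP's address.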