dragonflymr
Mar 29, 2017

Network type virtual server

Hi,

Probably obvious for network gurus, but I can't figure it out. How can a network VS be used?

I can see how when the Standard or PerformanceL4 type is used, because they have a pool attached. What I can't figure out is whether using a network VS makes any sense for a ForwardingIP VS.

Let's say I have:

  • SelfIP 192.168.1.1/24
  • Network VSNet with 192.168.2.1/24
  • Upstream router configured to route 192.168.2.1/24 to 192.168.1.1

So packets with dst IP in 192.168.2.1/24 will be sent to SelfIP 192.168.1.1. Then processed by VSNet (dst IP match).

But what next? Subnet 192.168.2.1/24 is local to BIG-IP so there is no outside route BIG-IP can send such traffic to. So what happens next? Drop, reject, some loop created?

Piotr

  • Hi,

    A BigIP appliance can have multiple appliance but never routes between interfaces. IP forwarding is disabled in the Linux OS.

    The only solution to route traffic between interfaces is to configure the TMOS to handle the traffic.

    To handle the traffic, TMOS requires a listener object. Listener objects can be:

    • NAT
    • SNAT
    • Virtual server

    In a topology with:

    Net_A (192.168.1.0/24) - F5 Self IP (192.168.1.1) - TMOS - F5 Self IP (192.168.2.1) - Net_B (192.168.2.0/24)

    to route a connection from 192.168.1.10 to 192.168.2.20, you must create a virtual server with:

    • Destination : 192.168.2.0/24 Port 0
    • Translate destination : disabled
    • Translate port : disabled
    • Enable on VLAN Net_A
  • Hi,

    After testing (v13 VE), here is the behavior of the ICMP Echo setting for a Virtual Address (hope it will be of some help for others):

    • VS set with an IP on the same subnet as a SelfIP (most common configuration, I guess):
      • ICMP Echo Disabled: no answer to ping, no matter what the status of the VS or VIP is
      • ICMP Echo Enabled: ping reply sent from BIG-IP, no matter what the status of the VS or VIP is
    • VS set with an IP not on any SelfIP subnet (to reach the VS, traffic has to be directed to a SelfIP), ARP Disabled:
      • ICMP Echo Disabled: ping is sent to the node (BIG-IP is not answering the ping). Of course, both the VS and Pool Members have to be configured in a way that allows ping to be accepted (like any port/any protocol). If the Pool is down, ICMP net "VS IP" unreachable – admin prohibited is sent from BIG-IP
      • ICMP Echo Enabled: same behavior as for the first VS above - ping always answered by BIG-IP

    Of course there is one more option, Selective. I think it's the best one if someone would like to use ping to monitor the state of a VIP. It provides results that are closely related to the state of both the VS and VIP.

     

    Piotr
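
An added example, not part of the original posts and not F5 code: a Python check that lists forwarding virtual servers of the kind described in the first reply and flags any that are not enabled on specific VLANs only, since such a listener routes between networks. The configuration text is a constructed sample in bigip.conf syntax, and the object names (vs_fwd_net_b, vs_fwd_any, vs_web) are assumptions.

```python
import re
# Constructed sample in bigip.conf syntax (object names are made up; IPv4 only).
SAMPLE_CONF = """\
ltm virtual /Common/vs_fwd_net_b {
    destination /Common/192.168.2.0:0
    ip-forward
    mask 255.255.255.0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/Net_A
    }
    vlans-enabled
}
ltm virtual /Common/vs_fwd_any {
    destination /Common/0.0.0.0:0
    ip-forward
}
ltm virtual /Common/vs_web {
    destination /Common/192.168.1.50:443
}
"""

def virtual_stanzas(conf):
    """Yield (name, stripped body lines) for each 'ltm virtual' stanza."""
    name, depth, body = None, 0, []
    for line in conf.splitlines():
        m = re.match(r"ltm virtual (\S+) \{", line) if name is None else None
        if m:
            name, depth, body = m.group(1), 1, []
        elif name is not None:
            depth += line.count("{") - line.count("}")
            if depth == 0:          # closing brace of the stanza
                yield name, body
                name = None
            else:
                body.append(line.strip())

def audit_forwarding(conf):
    """Map each IP-forwarding virtual server to a list of findings."""
    report = {}
    for name, body in virtual_stanzas(conf):
        if "ip-forward" in body:    # forwarding (IP) type only, no pool
            dest = next((l.split()[1] for l in body if l.startswith("destination ")), "")
            checks = [("vlans-enabled" not in body, "not restricted to specific VLANs"),
                      (re.search(r"/0\.0\.0\.0:(0|any)$", dest), "wildcard destination 0.0.0.0, all ports")]
            report[name] = [msg for hit, msg in checks if hit]
    return report

print(audit_forwarding(SAMPLE_CONF))
```

An empty findings list means the forwarding listener is scoped to a destination network and to named ingress VLANs, as in the configuration from the first reply.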