Forum Discussion

Bhavik_1402
Apr 12, 2021

Self IP in a different subnet, VS and pool members in the same subnet

Hi Team,

I'm working on an installation where the requirement is that the VS (e.g. 10.10.10.X) and the pool members are in the same subnet (10.10.10.X), whereas the F5 Self IPs will be in a different subnet (e.g. 10.10.20.X). I would like to understand how the routing will work for traffic hitting the VS (we need the switch/router to point the route for the 10.10.10.X subnet to the F5 self IP, e.g. 10.10.20.1), from the VS to the pool members, and for return traffic from the pool members to the client.

Can someone help?

  • In my view, the following should work:

    Option#1

    • You would have to carve a new network for the VIPs out of 10.10.10.0/24 (e.g. 10.10.10.64/27), dedicated to the F5 VIPs only. On the network you can then have a route to reach the VIP network 10.10.10.64/27 pointing to the floating self IP on the F5 (let's assume 10.10.20.2).
    • Since the F5 has only one leg in 10.10.20.X (let's assume 10.10.20.1/25), the default gateway on the F5 should be in that subnet. The default gateway of the F5 should have a route to the server network, or be directly connected to the server farm.
    • You would have to use SNAT on the F5, so all traffic from the F5 to the servers will originate from the self IP (let's assume 10.10.20.2 is the floating self IP). The servers' gateway should have a route to reach the F5 network (e.g. 10.10.20.1/25) pointing to the floating self IP 10.10.20.2.
    • There is no need for a return route from the F5 to the client, as the auto last hop feature takes care of it.

    Option#2:

    • Since you have the self IP network (let's assume 10.10.20.1/25), you can host the VIPs in this network, and the network would have a route to reach this subnet pointing to the floating self IP.
    • All other settings would be the same as above.

    I would suggest going with option#2 as the recommended way, having the self IP in the VIP network.

    • Bhavik_1402

      Thank you Sanjay... We are now going to use a one-arm setup where VIP, Self IP and pool members are in the same subnet.

  • Will the F5 be the router for the 10.10.10.0/24 network? Will it provide the default gateway for the servers?

    If this is the case then traffic hitting the VS will be sent on to the server without going via the switch-router. No significant difference compared to a setup with the gateway on a switch-router. The benefit of having the default gateway on the F5 is that you don't have to SNAT the client requests: instead of using automap or a SNAT pool you can use the original client IP. This is very useful for load balancing RADIUS requests.

    • Bhavik_1402

      Thanks Heino,

      The F5 will not be the router for the 10.10.10.0/24 network, as that will be on the switch and the pool members' (servers') gateway will be the switch, so we need to use SNAT. I am still not clear on how the routing/switching or traffic will flow.

      • Heino

        I seriously hope that SanjayP's answer works for you, because I can't recommend what I'm about to reply. Absolutely avoid the following if possible. It will only give you a headache.

        I've had to resolve a similar problem previously on a competing platform. It wasn't the same though. My VS was in a different subnet; I just had to SNAT to a subnet that would route differently than standard.

        Traffic flow:

        1. I used SNAT to map the communication from reverse-proxy to the server.
        2. Then I used Policy Based Routing, based on source address (your SNAT pool), to ensure that network segment is routed through your desired gateway address (10.10.20).
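Pulling together SanjayP's two options and Heino's point about the F5 being the servers' gateway, here is an added example (not from this thread, F5 or any of the posters) that works out, for a given topology, whether SNAT is required and which static routes the surrounding network needs. The switch gateway 10.10.10.254 and the host parts of the VIP and pool member addresses are assumed values; the subnets are the thread's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface

@dataclass
class Topology:
    self_ips: list          # F5 self IPs with mask, e.g. ["10.10.20.1/25"]
    floating_self_ip: str   # next hop the network uses to reach the F5
    vip: str                # virtual server address with its subnet mask
    pool_member: str        # server address with mask, e.g. "10.10.10.50/24"
    server_gateway: str     # default gateway configured on the servers

def f5_addresses(topo):
    """Every address the F5 itself answers on (static and floating self IPs)."""
    return {ip_address(topo.floating_self_ip)} | {ip_interface(s).ip for s in topo.self_ips}

def vip_on_self_ip_subnet(topo):
    """Option#2: the VIP sits in a subnet the F5 is directly connected to,
    so the connected route alone brings client traffic to the F5."""
    vip = ip_interface(topo.vip).ip
    return any(vip in ip_interface(s).network for s in topo.self_ips)

def snat_required(topo):
    """Without SNAT the server replies to the client's real address via its
    default gateway; that reply only passes back through the F5 when the
    F5 is that gateway (Heino's point). Otherwise it bypasses the F5."""
    return ip_address(topo.server_gateway) not in f5_addresses(topo)

def required_routes(topo):
    """Static routes the surrounding network needs, as (device, prefix, next hop)."""
    routes = []
    if not vip_on_self_ip_subnet(topo):
        # Option#1: VIP subnet carved out of the server range and routed to the F5.
        routes.append(("upstream router", str(ip_interface(topo.vip).network), topo.floating_self_ip))
    if snat_required(topo) and ip_address(topo.floating_self_ip) not in ip_interface(topo.pool_member).network:
        # SNATed traffic returns to the floating self IP, which the servers' gateway must reach.
        for s in topo.self_ips:
            routes.append(("server gateway", str(ip_interface(s).network), topo.floating_self_ip))
    return routes

# Constructed topologies using the thread's subnets; 10.10.10.254 (switch gateway)
# and the host parts of the VIP and pool member addresses are assumed values.
OPTION_1 = Topology(["10.10.20.1/25"], "10.10.20.2", "10.10.10.70/27", "10.10.10.50/24", "10.10.10.254")
OPTION_2 = Topology(["10.10.20.1/25"], "10.10.20.2", "10.10.20.100/25", "10.10.10.50/24", "10.10.10.254")
ONE_ARM = Topology(["10.10.10.1/24"], "10.10.10.2", "10.10.10.70/24", "10.10.10.50/24", "10.10.10.254")
F5_AS_GATEWAY = Topology(["10.10.10.1/24"], "10.10.10.2", "10.10.10.70/24", "10.10.10.50/24", "10.10.10.2")
```

Only the F5-as-gateway topology avoids SNAT; the one-arm design Bhavik settled on still needs SNAT but no extra routes, while option#1 needs both the VIP route on the upstream router and a route to the F5 network on the servers' gateway.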