F5 Forwarding IP VS fun…

I have been recently spending lots of time with our F5 BIG-IP 2000s. We have been working on deploying a new private network behind the F5 with nodes that admins would like to access directly from their secure admin workstations. Our current setup has the nodes behind the load balancers using basic virtual servers (VSs) that forward the traffic from external routable IPs to internal non-routable IPs. Therefore I would need to create multiple VSs, one per node that the admins wanted to access. That would be a lot of VSs.

There are a few other ways to get around this, though not necessarily clever ones. The first is using a jump server: the admins would access one VS that forwards to a pool with a single member, and from that "jump" server they could then reach the other private nodes. The other option would be adding another NIC to the admin workstations and putting that NIC on the same VLAN that the private nodes sit on. Neither of these is a great idea.

I therefore convened with an F5 tech guru and passed this idea by him. Could I have a router with a routed interface within the F5 private VLAN that holds the F5 private nodes? I could then make the private non-routable network routable, protected by an ACL on the router. The nodes would still point to the F5 as their default gateway. When an admin workstation communicates with a node, it sends the traffic through the router, and the router forwards the packets to the node. The issue is that the node sends its replies back to the F5, because the F5 is its default gateway, and that creates issues. I found out from the tech that there is a way to make this work by using an IP forwarding VS that listens on the F5 private VLAN.

You will first need to make sure that your current nodes are not covered by a SNAT, because a SNAT and an IP forwarding VS configured on the same interface don't work together: the SNAT takes precedence over the IP forwarding VS. Within the VS, the source network is the private node network and the destination is the network where the secure admin workstations sit, which is reachable across the router I placed on the private node VLAN. Now, in order to get the F5 to forward to the router on the private node VLAN instead of using its routing table, you have to attach an iRule as a resource of the Forwarding (IP) VS. Here's the iRule syntax:

when CLIENT_ACCEPTED {
    # Only traffic sourced from the private node network is steered to the router.
    if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
        # Send it out the private node VLAN (here named internalvlannum) to the
        # router's address, bypassing the F5 routing table.
        nexthop internalvlannum 10.1.1.254
    }
}

The 10.1.1.0/24 is the internal private node network that sits on the F5. The 10.1.1.254 address is the interface of the router that's sitting on the F5 private node network. This iRule hands the traffic to the router instead of letting the F5 forward it. You also have to assign a Fast L4 protocol profile (client) to the forwarding (IP) VS, with Loose Initiation and Loose Close enabled, to allow the TCP packets to flow correctly.

F5 monitors

I successfully completed the 4-day F5 LTM Configuring v11 course. I am very happy with the amount of information covered and the teacher was very knowledgeable. Now that I'm back at work, I have already applied some of the knowledge I've obtained.

I was assisting another individual with setting up an HTTP monitor that was using a send/receive string. We were having issues in getting the monitor to work. We struggled with where the CR/LF characters needed to be and how many to use. Each version of LTM seems to operate a little differently, and we found that out from the SOL10655 publication on the AskF5 knowledge base. After going through some additional docs, we still couldn't get the monitor to work. After trial and error, the monitor finally started working after we changed the HTTP version from 1.1 to 1.0.

LTM v10.2.4

Send String: GET /your/page/page.html HTTP/1.0\r\n Host: anynamewilldo\r\n\r\n
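The monitor's send and receive strings behave like a scripted TCP probe. The Python emulation below is an added example, not F5's monitor code; the web server, port and page path are constructed stand-ins, and the send string is modelled on the one above. It shows why the trailing \r\n\r\n matters: without the blank line that ends the request, the server keeps waiting for more headers, the probe times out, and the node would be marked down.

```python
# Added example (not F5 code): emulate an F5 LTM HTTP monitor's send/receive check.
# The web server is a constructed stand-in for the monitored page.
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def expand_send_string(send_string: str) -> bytes:
    # The monitor config holds literal backslash escapes; turn \r\n into real CR/LF bytes.
    return send_string.encode("ascii").decode("unicode_escape").encode("latin-1")


def probe(host: str, port: int, send_string: str, receive_string: str,
          timeout: float = 2.0) -> str:
    """Return 'UP' if receive_string appears in the reply, otherwise 'DOWN'."""
    want, data = receive_string.encode(), b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(expand_send_string(send_string))
            while want not in data:
                chunk = sock.recv(4096)  # times out if the server is still waiting for the request to end
                if not chunk:  # server closed the connection, so the reply is complete
                    break
                data += chunk
    except OSError:  # refused, reset or timed out: the monitor would mark the node DOWN
        return "DOWN"
    return "UP" if want in data else "DOWN"


class _PageHandler(BaseHTTPRequestHandler):
    """Answers any GET with 200 and, speaking HTTP/1.0, closes the connection afterwards."""
    def do_GET(self):
        body = b"<html>page ok</html>"
        try:
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except OSError:
            pass  # the probe may already have given up and closed the socket

    def log_message(self, *args):
        pass  # keep the example quiet


def start_test_server() -> ThreadingHTTPServer:
    server = ThreadingHTTPServer(("127.0.0.1", 0), _PageHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Send strings modelled on the page's: one complete, one missing the final blank line.
GOOD_SEND = "GET /your/page/page.html HTTP/1.0\\r\\nHost: anynamewilldo\\r\\n\\r\\n"
TRUNCATED_SEND = "GET /your/page/page.html HTTP/1.0\\r\\nHost: anynamewilldo\\r\\n"
```

To try it, start the server with `start_test_server()`, read the port from `server_address[1]`, and call `probe` with `GOOD_SEND` and `TRUNCATED_SEND` against a receive string of `200 OK`.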

F5 Training

Today I'm starting a 4-day F5 online training course. The course will go over how to set up and configure their BIG-IP LTM (Local Traffic Manager) product. The LTM's main feature is load balancing application traffic. For those of you who aren't familiar with F5, they offer an extensive line of application delivery service products; the LTM is just one of their many product offerings. F5 offers some great introductory study material on their support site, and I would recommend starting there if you're interested in learning about LTM.