Chetan Bhatt (aka The Bhattman over at DevCentral) is the author of the blog post below.  Thank you for your contributions to the community Chetan!

From time to time I receive a request that goes something like this.

“I have a pair of F5 ADC in an Internet DMZ, where the servers behind the load balancer need to access NAS system(s) on a VLAN located in the same network on another VLAN that is not behind the load balancer.

The problem is that in my current design I have to route through the F5 load balancer to access the NAS system(s).  Unfortunately the amount of bandwidth it takes supersedes the F5 ADC’s total throughput.  I would like to bypass this without adding extra network cards or creating a new VLAN, and would like to preserve the IP addresses as much as possible.”

For the purposes of this blog we will call the person requesting this Keyser Söze.

From the description above you can extrapolate a high-level logical network design, as shown in Figure 1.

Figure 1

In Figure 1 we have VLAN 10, which is a routable VLAN. VLAN 12 is an empty VLAN: it is strictly Layer 2, and the router itself allows no other traffic into it.  Finally we have VLAN 13, which is where the NAS servers are connected.  In order to access VLAN 12 you need to route through the F5, which is also connected on VLAN 10. This is done by a static route for the VLAN 12 address block pointing to .11 on VLAN 10, the F5 floating address on VLAN 10. In Figure 1 all servers in VLAN 12 also point to .1 as their default gateway, which is the floating address of the F5. The F5’s own default gateway is .1 on VLAN 10. Now that we have described the current behavior of Figure 1, we can start looking at making some changes.

So how do we change the network to accommodate the result that Keyser is looking for? It is actually much easier than you might think.

For the purposes of this explanation, let us assume the VLANs are connected on Cisco switch routers (Layer 3 switches).

The first item you want to remove is the static route on the switch pointing to .11 on VLAN 10 to reach VLAN 12. You will not need it, since the end result is to allow VLAN 12 and VLAN 11 to communicate directly via the Cisco switch router.

Next you will need to change VLAN 11 from a non-routable network to a routable network. Thus VLAN 11 will have a gateway of .1 on the switch router. The F5 then changes its own floating address to, say, .11 and changes its self IP addresses accordingly. All the servers continue to use .1 on VLAN 11 as their default gateway.

Thus the network will now look more like Figure 2.

Figure 2

At this point you are probably thinking: if that is the case, then how do we get return traffic back to the F5 for the load-balanced connections? The easy way is to apply SNAT Automap across all the virtual addresses. That works, but then you run into another problem: you lose the client IP address. Normally this might be acceptable, BUT if you are tracking clients for statistical purposes, this is not going to work.

The short answer is to use Cisco Policy-Based Routing (PBR). How does that work?

On a Cisco switch you can do the following configuration (IOS Syntax):

ip access-list extended from_vlan11
 ! wildcard masks below assume /24 networks; adjust them to your subnet sizes
 deny ip y.y.y.0 0.0.0.255 z.z.z.0 0.0.0.255
 permit ip y.y.y.0 0.0.0.255 any
!
route-map to_lb_vlan11 permit 10
 match ip address from_vlan11
 ! "default next-hop" is applied only when the routing table has no explicit
 ! route for the destination (i.e. only the default route would be used)
 set ip default next-hop y.y.y.11
!
interface Vlan11
 ip policy route-map to_lb_vlan11

What these statements mean is that any traffic from VLAN 11 destined to addresses on VLAN 12 is excluded from the route map, so the switch uses its internal routing table, which allows VLAN 11 to communicate directly with VLAN 12 and vice versa. Traffic from VLAN 11 attempting to talk to the Internet, however, matches the permit statement in the IP access list “from_vlan11”, so the route map is applied and the next hop is .11, which is the F5 floating address hosted on VLAN 11.
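As an added example (not part of the original post, and not Cisco or F5 code), the following Python model replays the decision the switch makes for a packet entering interface Vlan11: first-match evaluation of the extended ACL with wildcard masks, a longest-prefix lookup in the routing table, and the "set ip default next-hop" rule, which is only honoured when nothing more specific than the default route matches. The addresses are constructed placeholders standing in for the post's y.y.y.0 (VLAN 11) and z.z.z.0 (VLAN 12), assumed to be /24s, and the upstream router address is invented for the example. It is useful for checking, before touching a live switch, that NAS traffic stays on the switch while Internet-bound server traffic is steered back to the F5.

```python
"""Model of the PBR decision on 'interface Vlan11' (added example, constructed data)."""
import ipaddress

# Constructed addressing, assumed /24s: VLAN11 = servers behind the F5,
# VLAN12 = NAS. The F5 floating address on VLAN11 is .11 (as in the post).
VLAN11 = ipaddress.ip_network("10.11.0.0/24")
VLAN12 = ipaddress.ip_network("10.12.0.0/24")
F5_FLOAT = ipaddress.ip_address("10.11.0.11")
WILDCARD_24 = ipaddress.ip_address("0.0.0.255")

# Switch routing table: connected routes plus a default route toward the
# DMZ router (10.10.0.1 is a constructed upstream address).
ROUTES = [
    (VLAN11, "connected"),
    (VLAN12, "connected"),
    (ipaddress.ip_network("0.0.0.0/0"), "10.10.0.1"),
]

# "any" in IOS is 0.0.0.0 with an all-ones wildcard.
ANY = (ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255"))

# ip access-list extended from_vlan11
#  deny   ip y.y.y.0 0.0.0.255 z.z.z.0 0.0.0.255
#  permit ip y.y.y.0 0.0.0.255 any
ACL_FROM_VLAN11 = [
    ("deny", (VLAN11.network_address, WILDCARD_24), (VLAN12.network_address, WILDCARD_24)),
    ("permit", (VLAN11.network_address, WILDCARD_24), ANY),
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask test: bits set in the wildcard are don't-care bits."""
    return (int(addr) | int(wildcard)) == (int(base) | int(wildcard))


def acl_action(acl, src, dst):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for action, (src_base, src_wc), (dst_base, dst_wc) in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action
    return "deny"


def rib_lookup(dst):
    """Longest-prefix match over ROUTES; returns (network, next_hop)."""
    best = None
    for net, nh in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def next_hop(src, dst):
    """Forwarding decision for a packet arriving on Vlan11 with
    'ip policy route-map to_lb_vlan11' applied.

    'set ip default next-hop' steers the packet only when the route map
    matched AND the routing table offers nothing better than the default
    route. Otherwise the switch forwards normally."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    net, rib_nh = rib_lookup(dst)
    policy_matched = acl_action(ACL_FROM_VLAN11, src, dst) == "permit"
    if policy_matched and net.prefixlen == 0:
        return str(F5_FLOAT)  # steered back to the F5 for load-balanced return traffic
    return rib_nh  # "connected" (switch routes it directly) or the normal next hop


if __name__ == "__main__":
    # Constructed sample flows from a server on VLAN11.
    for dst in ("10.12.0.20", "203.0.113.7", "10.11.0.60"):
        print(f"10.11.0.50 -> {dst}: {next_hop('10.11.0.50', dst)}")
```

The third sample flow shows why the ACL's deny line and the "default next-hop" semantics overlap: an intra-VLAN destination is permitted by the ACL but still has a connected route, so it is never sent to the F5. Keeping the explicit deny for the NAS VLAN nonetheless documents the intent and protects you if someone later changes the route map to a plain "set ip next-hop", which would override the routing table.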

That pretty much sums up how to use the switch's throughput for VLAN-to-VLAN traffic while the F5 ADC continues to do what it does best, and Keyser can go home happy.




1 comment so far

  1. this post is very useful thx!