Tuesday 14 July 2020

BIG-IP Configuration

There are two types of self IP.
Static Self IP: This is an address that the BIG-IP uses to identify itself on a given network/VLAN. A VLAN is then attached to one or more interfaces for connectivity.
Floating IP: This is an IP shared between two or more BIG-IPs for use in failover scenarios. Each BIG-IP still has its own self IP for presence on the network, and the units share a third IP address that floats between the active and passive systems.
Now that you have BIG-IP talking on your network, you can create virtual servers that will be associated with the VLAN you already created. The virtual server will use its own IP and port assignment (or a wildcard * for all ports on an IP).

Now, here's where the self IP comes into play. If you are proxying the connection, the virtual server will need a secure NAT (SNAT). This can be a single address or a pool of addresses that reside on the destination network. If you choose Auto-SNAT (Automap), it will use the self IP of the BIG-IP on that particular VLAN.
Here's an example:
  • BIG-IP Self IP - 10.1.10.10
  • Virtual server - 10.1.10.20:443
  • Pool Member - 10.1.10.25 - 30
  • SNAT - Automap
  • VLAN10 is defined
Traffic flow: incoming traffic hits 10.1.10.20:443 => uses Automap SNAT on VLAN10 => BIG-IP sends traffic out from 10.1.10.10 to pool member 10.1.10.25
This process allows you to have incoming and outgoing traffic on different VLANs, networks, and interfaces. If I had two trunks defined, I could have this scenario (which is common).
  • External Network - VLAN10 (192.168.1.0 net) assigned to interface 1.1
  • Internal Network - VLAN20 (10.1.0.0 net) assigned to interface 1.2
  • BIG-IP Self IP 192.168.1.10 on VLAN10 (that self IP becomes BIG-IP's address for that network)
  • BIG-IP Self IP 10.1.0.10 on VLAN20 (BIG-IP now has two self IPs, one for each VLAN)
  • SNAT Pool Defined on VLAN20 (10.1.0.11,12,13)
  • Virtual Server named sweetapp1 and listens on 192.168.1.100:443
  • Web server pool - 10.1.0.50,51,52 (named webpool1)
  • Virtual server sweetapp1 has VLAN10 and VLAN20 defined and uses the SNAT pool for VLAN20. This way, instead of using the self IP on VLAN20, it will use addresses 10.1.0.11, 10.1.0.12, and 10.1.0.13 for outbound traffic.
Here's the flow in this case (a very common two-armed configuration):
Incoming traffic => 192.168.1.100:443 => SNAT pool => outbound on 10.1.0.11 => web server 10.1.0.50.
Return traffic would be defined by your web servers' gateway.
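
The two-armed scenario above, written out as tmsh commands. This is an added example, not configuration from the original post. Assumptions: /24 masks on both networks, pool members listening on port 443, and the hypothetical object names self_vlan10, self_vlan20 and snatpool_vlan20; allow-service none is also an assumed choice, so that the self IPs expose no management services.

```tmsh
# Run at the tmsh prompt. Addresses and the names VLAN10, VLAN20,
# sweetapp1 and webpool1 come from the scenario above; everything else
# (masks, member port, other object names) is an assumption.

# VLANs, one per interface
create net vlan VLAN10 interfaces add { 1.1 { untagged } }
create net vlan VLAN20 interfaces add { 1.2 { untagged } }

# One static self IP per VLAN. allow-service none (assumed) keeps
# SSH and the web UI from answering on these addresses.
create net self self_vlan10 address 192.168.1.10/24 vlan VLAN10 allow-service none traffic-group traffic-group-local-only
create net self self_vlan20 address 10.1.0.10/24 vlan VLAN20 allow-service none traffic-group traffic-group-local-only

# SNAT pool on the internal network: server-side connections are
# sourced from these addresses instead of the VLAN20 self IP.
create ltm snatpool snatpool_vlan20 members add { 10.1.0.11 10.1.0.12 10.1.0.13 }

# Web server pool (member port 443 is assumed)
create ltm pool webpool1 members add { 10.1.0.50:443 10.1.0.51:443 10.1.0.52:443 }

# Virtual server listening on the external network, using the SNAT pool
create ltm virtual sweetapp1 destination 192.168.1.100:443 ip-protocol tcp pool webpool1 source-address-translation { type snat pool snatpool_vlan20 } vlans-enabled vlans add { VLAN10 VLAN20 }

# Automap alternative: source from the self IP on the egress VLAN
# (10.1.0.10 here) instead of the SNAT pool.
# modify ltm virtual sweetapp1 source-address-translation { type automap }

# Check what was applied, then persist it
list ltm virtual sweetapp1
list ltm snatpool snatpool_vlan20
save sys config
```

With either SNAT option the web servers see a BIG-IP address as the client source, so client IPs in web server logs must come from another mechanism if they are needed for investigation.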
