RE: [load balancing] BigIP 4.5 and Dot1q interface mode

From: Drumm, Dan (ddrummIZZATball.com)
Date: Thu Apr 22 2004 - 11:59:38 EDT


1. If you can, put your external VLAN on a separate interface from the
dot1q trunk. This is just good security practice. In theory, it's not
possible to send VLAN tags over a WAN link or the Internet, but no
security manager would suggest you do that.

2. You can if you VLSM it. The BigIP works at L3: it routes each packet,
even between virtual sub-interfaces on a dot1q trunk. The VIPs will be
processed if the packet contains the VIP in the destination field of the
packet, no matter which interface it came in on. If there is a way to
make a VIP only "face" some interfaces, I'd like to know how. You could
maybe use ACLs (filters) to stop some VIPs from being reached on some
sub-ints.

3. Trunk both F5 switches to the core etherswitch using dot1q, create
floaters for each virtual sub-interface. Sync the two. The nature of the
failover subsystem is such that you can't make some of the virtuals
primary and some backup, one box needs to be the VRRP primary for all
sub-ints.

4. It would be best to set up some sort of MRTG graph of your gig port
on the etherswitch to determine this. Traffic will come up the trunk
with one VLAN tag, get stripped, routed, and a new VLAN tag pushed onto
the frame as the packets arrive, are ordered and processed. The BIGIP
2000 class can't route a gig worth of traffic between two gig
interfaces using an average of 64 byte packets. If the number of flows
doesn't kill the state table, the sheer amount of traffic will. On ours,
I've seen about 500k flows run about 500Mb sustained, which is pretty
good, but that had the box humming. I'd need a Smartbits or IXIA to
generate more traffic than our production net.
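As an added illustration of points 2 and 4 above (example code, not from the poster and not F5 software), this small Python model strips the 802.1Q tag on ingress, matches a VIP purely by destination address regardless of the arriving VLAN, pushes the pool VLAN's tag on egress, and shows how a per-VIP ingress filter (the "ACLs on some sub-ints" idea) restricts which VLANs can reach a VIP. The VIP table, VLAN ids and addresses are made-up sample values.

```python
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier

def parse_dot1q(raw: bytes):
    """Return (vid, dst_ip) from an Ethernet frame; vid is 0 when untagged.
    Assumes the inner packet is IPv4 (the constructed frames below are)."""
    ethertype = struct.unpack('!H', raw[12:14])[0]
    vid, off = 0, 14
    if ethertype == TPID_8021Q:
        vid = struct.unpack('!H', raw[14:16])[0] & 0x0FFF  # low 12 bits of TCI
        off = 18                                            # skip TCI + inner ethertype
    ip = raw[off:]
    return vid, '.'.join(str(b) for b in ip[16:20])          # IPv4 destination field

def build_frame(vid: int, dst_ip: str) -> bytes:
    """Constructed test frame: zero MACs, optional 802.1Q tag, minimal IPv4 header."""
    tag = struct.pack('!HH', TPID_8021Q, vid) if vid else b''
    ip = bytearray(20)
    ip[0] = 0x45  # IPv4, 20-byte header
    ip[16:20] = bytes(int(o) for o in dst_ip.split('.'))
    return b'\x00' * 12 + tag + struct.pack('!H', 0x0800) + bytes(ip)

# Hypothetical VIP table: VIP -> (pool VLAN id, pool members). Sample values only.
VIPS = {"10.0.0.100": (20, ["10.0.20.11", "10.0.20.12"])}
_rr = {}  # per-VIP round-robin position

def dispatch(raw: bytes, vips=VIPS, filters=None):
    """Model the L3 behaviour described in the reply: strip the tag, match the VIP
    by destination no matter which sub-interface it arrived on, then push the pool
    VLAN's tag. `filters` maps VIP -> set of ingress VIDs allowed to reach it."""
    vid, dst = parse_dot1q(raw)
    if dst not in vips:
        return ("ROUTE", vid, None)           # plain inter-VLAN routing, not a VIP
    allowed = (filters or {}).get(dst)
    if allowed is not None and vid not in allowed:
        return ("DROP", vid, None)            # blocked by the per-sub-int filter
    egress_vid, members = vips[dst]
    i = _rr.get(dst, 0)
    _rr[dst] = i + 1
    return ("FORWARD", egress_vid, members[i % len(members)])

if __name__ == "__main__":
    ext = build_frame(10, "10.0.0.100")   # arrives on the external VLAN
    db = build_frame(30, "10.0.0.100")    # arrives on the database-tier VLAN
    print(dispatch(ext), dispatch(db))                       # both reach the VIP
    print(dispatch(db, filters={"10.0.0.100": {10}}))        # filtered: DROP
```

Without a filter the database-tier frame reaches the VIP exactly as the external one does, which is the behaviour the reply warns about.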

-----Original Message-----
From: owner-lb-lIZZATvegan.net [mailto:owner-lb-lIZZATvegan.net] On Behalf Of
alpash
Sent: Thursday, April 22, 2004 8:22 AM
To: lb-lIZZATvegan.net
Subject: [load balancing] BigIP 4.5 and Dot1q interface mode

Hello,

We are in the process of implementing BigIP in our data center
environment. I have a few questions about the design and performance of
the BigIP in dot1q tag interface mode. Can someone please help with a
few issues?

Design consideration:

1. We have three internal VLANs to which we are connecting our real
servers: web tier, middle tier and database tier.
2. There is one external VLAN with the virtual IPs. The majority of VIPs
are mapped to the front-end web servers. Middle tier and database tier
servers are not talking to the Internet at all, but the web tier talks to
the middle tier and the middle tier talks to the database tier.
3. All servers are connected to two layer 2 switches, and that switch
has a trunk connection (dot1q) to the F5 BigIP gigabit port.

Issue:
1. How can I configure the load balancing between the tiers?
2. Can I use the same IP subnet for all three VLANs?
3. How do I configure this design with dual F5s in redundant mode?
4. Are there any performance issues on the gigabit port, since all
traffic is passing through it?

Any input from all the gurus is appreciated.

---------------------------

Alpesh Patel
Network Analyst
KSU
785-532-6197

____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com




This archive was generated by hypermail 2.1.4 : Wed Jun 16 2004 - 17:28:58 EDT