IIRC is an acronym (if I recall/remember correctly), it's not part of the
command.
________________________________
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of
Computer Guy
Sent: Thursday, April 27, 2006 10:14 AM
To: lb-l@vegan.net
Subject: Re: [load balancing] VRRP and Big-IP
Hamish: VMAC mode VRRP IIRC? What version of IPSO are you running? I
only see VMAC modes VRRP, Static, Extended and Interface. We've tested
each of these modes and they all produce the same result. From what I
understand the only way to resolve the MAC address usage issue in
checkpoint is to use clustering.
Nicolas: "We didn't enable IP forwarding because when we have 2
different vlans for servers, we want traffic between these vlans to go
through firewalls"
I was assuming you had one uplink from the big-ip to the firewall
(through a VLAN) and one downlink to the server VLAN. Assuming you are
running this big-ip pair in the typical layer 3 mode (i.e. Netblock A
to the firewall, Netblock B to server VLAN X and Netblock C to server
VLAN Y) with your server default routes pointing to the big-ip self-ip,
I don't see how your inter-server-VLAN communication will go through the
firewall.
Hamish Marson <hamish@travellingkiwi.com> wrote:
Nicolas Maury wrote:
> Hi,
>
> We didn't enable IP forwarding because when we have 2 different
> vlans for servers, we want traffic between these vlans to go
> through firewalls. Thanks for the tip about fastL4, I'm gonna have
> a look at it.
>
> After reading all answers, I think I may have 2 choices :
>
> 1 - Use a lasthop pool containing real firewalls IP addresses and
> not the VRRP IP address.
That's only going to work correctly if you're using a firewall
sandwich and syncing the traffic between them. Autolasthop is going
to be easier. Because the lasthop MAC will be filled in using the MAC
address of the packet that created the connection table entry. If it's
not, then it's a bug. Although I have yet to see it be a proper bug yet.
Using explicit lasthop pools is IMO a hack. And if your replies beat
the checkpoint table syncing between firewalls you will drop traffic
when the connection table entry chooses the wrong firewall to send the
traffic back.
Of course you can solve this by using VMAC mode in the VRRP config
(Set it to VRRP IIRC). You are using Nokia's aren't you (Sorry, small
assumption there).
> Cons : apparently, several comments indicate that lasthop pool is
> not a good option.
>
> 2 - Globally disable auto lasthop Add a default route with the
> configuration utility Add routes to networks that are behind the
> management interface using the "bigpipe mgmt route" command.
>
> Cons : - Is it a good practice to mix virtual forwarding server and
> routes ? Documentation always presents forwarding virtual server
> but information about routes is a little scarce.
I have done. But routes shouldn't be needed across the public
interfaces...
> - SSH connection to management interface takes much more time to be
> established (!)
>
That sounds like a name resolution problem. Usually because
connections initiated by the F5 device (e.g. DNS lookups) follow the
normal routing table entries, and not the management port default
entry. IIUC the management port default entry is only used by
connections initiated TO the F5 device's management port (e.g. the
actual ssh connection). Not sure why... I find it a bit
annoying/confusing too...
> In the research of the "best" option, has anybody hints or comments
> that could influence my choice ? :)
>
[deleted]
____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com
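To make the auto lasthop vs. explicit lasthop pool discussion concrete, here is an added toy model (not F5 or Check Point code, and not from anyone on the list) of a BIG-IP connection table in front of a two-node firewall cluster. All MAC addresses, IPs, flow counts and the simplified VRRP behaviour are constructed for the example. It shows why replies sent to a round-robin lasthop pool are dropped by the firewall that never saw the connection unless state is synced, why a lasthop MAC learned from a physical interface address stops working after a failover, and why learning the VRRP virtual MAC (VMAC mode) plus state sync survives it.

```python
"""Toy model: BIG-IP lasthop selection vs. a stateful firewall pair.

Constructed example; MACs, IPs and cluster semantics are simplified.
"""
from dataclasses import dataclass, field
from itertools import cycle

# Constructed VRRP virtual MAC in the RFC 3768 00:00:5e:00:01:<VRID> form.
VRRP_VMAC = "00:00:5e:00:01:01"


@dataclass
class Firewall:
    name: str
    phys_mac: str
    master: bool = False
    up: bool = True
    state: set = field(default_factory=set)  # connection keys this box knows

    def egress_mac(self, vmac_mode):
        # Source MAC carried by packets this (master) box forwards onward.
        return VRRP_VMAC if vmac_mode else self.phys_mac

    def accepts(self, dst_mac, vmac_mode):
        # A box answers to its own physical MAC; only the master answers to the VMAC.
        if not self.up:
            return False
        return dst_mac == self.phys_mac or (vmac_mode and self.master and dst_mac == VRRP_VMAC)


@dataclass
class Cluster:
    members: list
    vmac_mode: bool = False
    state_sync: bool = False

    def master(self):
        return next(fw for fw in self.members if fw.master and fw.up)

    def forward_client_packet(self, key):
        # Master creates state (and replicates it if sync is on); returns the L2 source
        # MAC the load balancer will see on the packet.
        m = self.master()
        for fw in (self.members if self.state_sync else [m]):
            fw.state.add(key)
        return m.egress_mac(self.vmac_mode)

    def deliver_reply(self, key, dst_mac):
        # Reply is delivered only if some live box owns the MAC *and* has state.
        for fw in self.members:
            if fw.accepts(dst_mac, self.vmac_mode):
                return key in fw.state
        return False

    def fail_over(self):
        old = self.master()
        old.up, old.master = False, False
        next(fw for fw in self.members if fw.up).master = True


class BigIP:
    def __init__(self, mode, lasthop_pool=()):
        self.mode = mode                  # "auto" or "pool"
        self.conn_table = {}              # flow key -> learned lasthop MAC
        self.pool = cycle(lasthop_pool)   # explicit pool, round robin

    def ingress(self, key, src_mac):
        # Auto lasthop: remember the source MAC of the packet that created the entry.
        self.conn_table.setdefault(key, src_mac)

    def reply_mac(self, key):
        return self.conn_table[key] if self.mode == "auto" else next(self.pool)


def simulate(mode, vmac_mode=False, state_sync=False, failover=False, flows=10):
    """Return how many of `flows` replies reach a firewall that will forward them."""
    fw_a = Firewall("fw-a", "00:11:22:33:44:aa", master=True)
    fw_b = Firewall("fw-b", "00:11:22:33:44:bb")
    cluster = Cluster([fw_a, fw_b], vmac_mode, state_sync)
    lb = BigIP(mode, lasthop_pool=[fw_a.phys_mac, fw_b.phys_mac])
    keys = [("198.51.100.%d" % i, 40000 + i, "203.0.113.10", 443) for i in range(flows)]
    for k in keys:
        lb.ingress(k, cluster.forward_client_packet(k))
    if failover:
        cluster.fail_over()
    return sum(cluster.deliver_reply(k, lb.reply_mac(k)) for k in keys)


if __name__ == "__main__":
    print("auto lasthop, steady state:      ", simulate("auto"))
    print("explicit pool, no state sync:    ", simulate("pool"))
    print("explicit pool, state sync:       ", simulate("pool", state_sync=True))
    print("auto, phys MAC, after failover:  ", simulate("auto", failover=True))
    print("auto, VMAC + sync, after failover:", simulate("auto", True, True, True))
```

Run it as-is to see the four cases side by side; the round-robin pool loses every other flow without state sync, and a lasthop MAC learned from a physical interface is unreachable once that box is down, whereas the VMAC follows the new master.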
Received on Thu Apr 27 20:23:44 2006
This archive was generated by hypermail 2.1.8 : Thu Apr 27 2006 - 20:45:57 EDT