Saturday, January 14, 2012

Cisco IOS VLAN to VLAN F5 Bypass

From time to time I receive a request that goes something like this.

“I have a pair of F5 ADCs in an Internet DMZ, where the servers behind the load balancer need to access NAS system(s) on a VLAN located in the same network on another VLAN that is not behind the load balancer.
The problem is that in my current design I have to route through the F5 load balancer to access the NAS system(s). Unfortunately the amount of bandwidth it takes supersedes the F5 ADC’s total throughput. I would like to bypass this without adding extra network cards or recreating a new VLAN, and would like to preserve the IP addresses as much as possible.”

For the purposes of this blog, we will call the person making the request Keyser Söze. Yes, I have to call him Keyser.

From this description you can sketch the high-level logical network design shown in Figure 1.

Figure 1

In Figure 1 we have the following VLANs:
  • VLAN 10 - the VIP (virtual IP address) VLAN. It is routed by the Cisco switches using HSRP, and the gateway is .1. The F5 pair's floating self IP on this VLAN is .11, and the switches use .11 as the next hop to reach VLAN 11.
  • VLAN 11 - the server VLAN, where the load-balanced servers live. It is not routed by the Cisco switches: from their perspective it is just a Layer 2 VLAN with no SVI and no HSRP. The gateway for this segment is .1 on the F5.
  • VLAN 12 - a routed VLAN like VLAN 10, except that physical servers sit on this segment. In our case this is where the NAS lives, and its gateway is .1 on the switches.
Here is what we know about this design:
  • VLAN 12 is reachable from every part of the network.
  • The floating IP address on VLAN 10 is shared between the two F5 units and, in this scenario, is the next hop into VLAN 11.
  • For a web server in VLAN 11 to reach the NAS in VLAN 12, and vice versa, the F5 is the router: every byte of that traffic passes through the ADC.

There is nothing inherently wrong with this design, and in most cases it works. However, Keyser is worried that multiple web servers in VLAN 11 will pull so much content from the NAS in VLAN 12 that the F5's throughput becomes the bottleneck.

So how do we change the network to get the result Keyser is looking for?

It is actually much easier than you might think.

For the purposes of this explanation, assume the switches are Cisco Layer 3 switches (switch routers) running IOS.

The first thing to remove is the static route on the switch that points to .11 on VLAN 10 to reach VLAN 11. You will not need it, because the end result is a VLAN 11 that the switch routes itself, so VLAN 11 and VLAN 12 can communicate directly through the Cisco switch router.
Next, change VLAN 11 from a non-routed VLAN into a routed one: give the switch an SVI for VLAN 11 with the gateway address .1 (with HSRP, like VLAN 10, if you have a switch pair). On the F5, move the floating self IP on VLAN 11 from .1 to, say, .11 and renumber the non-floating self IPs so nothing collides with the switch. The servers keep .1 on VLAN 11 as their default gateway; only the device answering at .1 changes.

The network now looks more like Figure 2.
Figure 2

At this point you are probably thinking: if the default gateway is now the switch, how do server replies for load-balanced connections get back to the F5? The easy way is to enable SNAT Automap on all the virtual servers, so the servers see the F5's self IP as the client and reply to it directly. That works, but you lose the real client IP address on the servers. Normally that might be acceptable, BUT if you are tracking clients for statistical purposes it is not going to work.
The short answer is Cisco policy-based routing (PBR) on the VLAN 11 interface. How does that work?
On a Cisco IOS switch the configuration looks like this (y.y.y.0/24 stands for the VLAN 11 server subnet, z.z.z.0/24 for the VLAN 12 NAS subnet, and y.y.y.11 is the F5's floating self IP on VLAN 11):

ip access-list extended from_vlan11
 remark /24 masks assumed; deny = do NOT policy-route, normal routing table applies
 deny   ip y.y.y.0 0.0.0.255 z.z.z.0 0.0.0.255
 remark everything else sourced from VLAN 11 is a candidate for policy routing
 permit ip y.y.y.0 0.0.0.255 any
!
route-map to_lb_vlan11 permit 10
 description send VLAN 11 traffic that would follow the default route to the F5
 match ip address from_vlan11
 set ip default next-hop y.y.y.11
!
interface Vlan11
 ip address y.y.y.1 255.255.255.0
 ip policy route-map to_lb_vlan11

These statements mean the following. Traffic entering Vlan11 whose destination is on VLAN 12 hits the deny entry of from_vlan11, so it is not policy routed and the switch forwards it from its own routing table, straight out the connected VLAN 12 interface. VLAN 11 and VLAN 12 now talk to each other directly at switch speed, and since nothing on VLAN 12 is policy routed, the return path is the same.

Any other traffic from VLAN 11, for instance a web server's reply to an Internet client, matches the permit entry, so the route-map applies and the next hop becomes .11, the F5's floating self IP on VLAN 11. The F5 matches the reply to the connection it is already proxying and sends it on to the client, so SNAT is unnecessary and the servers still see the real client addresses. Two caveats. First, set ip default next-hop only overrides the default route: any destination with a connected or static entry in the switch's routing table (another internal VLAN, say) is also routed directly rather than through the F5. If you want only VLAN 12 exempted, use set ip next-hop instead and list every exemption explicitly in the ACL. Second, on some Catalyst platforms PBR has to be enabled in hardware first; the 3750 family, for example, needs the routing SDM template. Verify the split with show ip policy (which interface carries which route-map) and show route-map to_lb_vlan11, whose policy-routing match counters should climb only for the Internet-bound flows, not for server-to-NAS traffic.
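To make the forwarding decision concrete, here is an added example (not from the original post) that simulates what the switch does with a packet entering Vlan11 under this route-map: IOS wildcard-mask ACL matching, a longest-prefix lookup in the routing table, and the difference between set ip default next-hop and set ip next-hop. All addresses are constructed: 198.51.100.0/24 stands in for the VLAN 11 subnet (y.y.y.0), 203.0.113.0/24 for the VLAN 12 NAS subnet (z.z.z.0), 192.0.2.0/24 for VLAN 10, and 100.100.100.100 for an Internet host.

```python
"""Simulate the Vlan11 policy-based-routing decision described in the post.

Added example, not part of the original post. All addresses are constructed:
  VLAN 10 (VIPs)     192.0.2.0/24      switch SVI .1, F5 floating .11
  VLAN 11 (servers)  198.51.100.0/24   (y.y.y.0) switch SVI .1, F5 floating .11
  VLAN 12 (NAS)      203.0.113.0/24    (z.z.z.0) switch SVI .1
  "Internet" host    100.100.100.100
"""
import ipaddress

# F5 floating self IP on VLAN 11: the route-map's next hop
F5_FLOATING_VLAN11 = "198.51.100.11"

# ip access-list extended from_vlan11 (IOS wildcard masks: a 1 bit = "don't care")
ACL_FROM_VLAN11 = [
    ("deny",   "198.51.100.0", "0.0.0.255", "203.0.113.0", "0.0.0.255"),
    ("permit", "198.51.100.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),  # any
]

# Switch routing table as (prefix, next hop): connected routes for the three
# SVIs plus a default route to a constructed upstream router on VLAN 10.
ROUTING_TABLE = [
    ("192.0.2.0/24",    "connected Vlan10"),
    ("198.51.100.0/24", "connected Vlan11"),
    ("203.0.113.0/24",  "connected Vlan12"),
    ("0.0.0.0/0",       "192.0.2.254"),
]


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under an IOS wildcard mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_lookup(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"


def rib_lookup(dst):
    """Longest-prefix match over ROUTING_TABLE; returns (network, next_hop)."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in ROUTING_TABLE:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward(src, dst, set_clause="default"):
    """Next hop for a packet entering Vlan11 with 'ip policy route-map to_lb_vlan11'.

    set_clause="default" models 'set ip default next-hop': the routing table is
    consulted first and PBR only applies when nothing more specific than the
    default route matches.  set_clause="strict" models 'set ip next-hop': every
    ACL-permitted packet goes to the F5 regardless of the routing table.
    Returns ("rib" | "pbr", next_hop).
    """
    net, nh = rib_lookup(dst)
    if acl_lookup(ACL_FROM_VLAN11, src, dst) != "permit":
        return ("rib", nh)          # deny entry: not policy routed, normal forwarding
    if set_clause == "strict" or net.prefixlen == 0:
        return ("pbr", F5_FLOATING_VLAN11)
    return ("rib", nh)              # a connected/static route beats 'default next-hop'


if __name__ == "__main__":
    web = "198.51.100.20"
    for dst, what in [("203.0.113.5", "NAS on VLAN 12"),
                      ("100.100.100.100", "Internet client"),
                      ("192.0.2.50", "host on VLAN 10")]:
        for clause in ("default", "strict"):
            how, nh = forward(web, dst, clause)
            print(f"{web} -> {dst:16} ({what:16}) [{clause:7}] {how} via {nh}")
```

Running it shows the NAS flow taking the routing table in both modes, the Internet flow going to the F5 in both, and the VLAN 10 host flow splitting: direct under set ip default next-hop, via the F5 under set ip next-hop. That third row is the caveat to keep in mind when choosing between the two set clauses.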
That pretty much sums up how to use the switch's throughput for VLAN-to-VLAN traffic while the F5 ADC continues to do what it does best, and Keyser can go home happy.
