OK, I followed the guide and set up the load balancer for IIS. I need some help with creating VLANs and self IPs. Our network is pretty simple:
2811 T1 router with a large block of public IPs for each server. A /26, I think.
5510 Cisco ASA
Dell 6248 switch (no config on it)
25 servers (including the 5 web servers)
All the servers are on a 10.1.100.x/24 network, with the gateway being the firewall at .1. The web servers are part of the internal network and cannot be isolated on their own. I sent an email to F5 tech support but it's too damn complicated. Here was his response:
A run-down of the simplest setup I can imagine; given the scenario you describe, I would:
Create VLANs and self IPs on the first LTM; the documentation is pretty clear on how to go about this. If you need to look things up, the knowledge base has lots:
https://support.f5.com/kb/en-us.html I notice you list the version as 9.1.2; this is an OK version but very old. When you get this configured I strongly suggest you look into version 9.3.1, and whatever HF is current at that time.
For a simple network, an 'external' VLAN and an 'internal' VLAN will suffice - be perfect, actually. You will want two self IPs for each VLAN, a floating and a non-floating. The floating self IP will be the same on both LTMs - whoops, forgot to say, we usually refer to the BIG-IPs as 'LTMs'; Local Traffic Manager is the name of the load balancer product.
OK, the floating self IP is the same on the active and standby LTMs; in a fail-over the standby will assume traffic for the active on the floating IPs.
Non-floating self IPs are where monitors and other traffic specific to each unit will go; they need to be unique to each unit.
You will assign the 'external' VLAN to the self IPs you create, appropriate to where traffic is arriving and leaving. This external self IP needs to be useful on your ingress network - where you will receive traffic for the web servers. Let's say your real-world web server address is 192.193.194.195; you would want a self IP on that network to 'listen' for traffic on that address, port 80, so 192.193.194.10, for instance, would work for the floating self IP.
The 'internal' VLAN can have a completely different IP network that doesn't need to relate to anything outside, as the LTM will load balance to the addresses it has in the pool of web servers. These can all have private-space IPs; give the LTM floating IP on the internal network an address on that network - whatever it is. I would ensure that the web servers are set to the LTM as their default gateway, and that the web servers / internal network do not route to the outside except through the LTM. Routing around the LTM causes all kinds of entertainment we don't need today.
As far as the Dell switch is concerned, as you are not doing tagged VLANs you don't need to tag - just assign an interface on the LTM, say 1.1, untagged to the external VLAN, and plug it into the switch if the switch has gateway access, or into the firewall/gateway router if not.
Now assign, let's say, 1.2 to the internal VLAN, untagged. Plug 1.2 into the switch, along with the web servers, and if you have connected your ingress network - the client side, right? - to the external VLAN/iface 1.1, and the web servers and LTM can see each other over on 1.2, then -
1) Incoming traffic (client requests) will go to the LTM (it will receive on its floating external self IP).
2) The LTM will make a load balancing decision based upon how you tell it to do that, and send the traffic to one of the web servers via the internal self IP.
3) The web server will reply; the LTM will collect that reply and
4) send it back out the external VLAN / self IP the way it came in.
Make sense?
One thing to keep in mind: the OS does not allow traffic on the mgmt port - the physical port itself. A common setup is to either allocate a separate IP network for mgmt traffic only, or use one of the traffic networks to SSH and GUI into the LTM for management.
When you get all this configured and tested, then configure the second LTM as far as naming, licensing and setting up VLANs and self IPs. Then you can pull the configuration over from its 'peer' with a config sync, and you will have an HA pair.
I hope this gives you a solid base to work from; check back with me via email if I can clarify -
Thank you for using F5!
Any help would be appreciated. Thanks.
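The two-VLAN layout the support engineer describes, written out as an added tmsh configuration example for one unit of the pair (not from the original post or from F5; the 9.1.2 release in the post uses bigpipe rather than tmsh, so this assumes a v11 or later LTM). It assumes the external network is a /24 (the rep's example addresses .10 and .195 do not share a /26) and uses constructed addresses for the non-floating self IPs, the internal floating self IP, the upstream router and the five web servers.

```tmsh
# Added example. One untagged interface per VLAN, as in the thread: 1.1 external, 1.2 internal.
create net vlan external interfaces add { 1.1 { untagged } }
create net vlan internal interfaces add { 1.2 { untagged } }

# Non-floating self IPs: unique per unit, used for monitors and unit-specific traffic.
# This is unit A; unit B gets different addresses (e.g. .12 and .253; constructed values).
# The internal one keeps the default port lockdown so SSH/GUI management over the
# traffic network works, as the rep suggests; the external one answers to nothing itself.
create net self ext_self address 192.193.194.11/24 vlan external traffic-group traffic-group-local-only allow-service none
create net self int_self address 10.1.100.252/24 vlan internal traffic-group traffic-group-local-only allow-service default

# Floating self IPs: identical on both units, move to the standby on fail-over.
# 10.1.100.254 is the address the web servers should use as their default gateway.
create net self ext_float address 192.193.194.10/24 vlan external traffic-group traffic-group-1 allow-service none
create net self int_float address 10.1.100.254/24 vlan internal traffic-group traffic-group-1 allow-service none

# Default route out the external VLAN toward the 2811 (assumed router address).
create net route default_gw network default gw 192.193.194.1

# Pool of the five IIS servers (constructed addresses) with an HTTP health monitor.
create ltm pool iis_pool monitor http members add { 10.1.100.11:80 10.1.100.12:80 10.1.100.13:80 10.1.100.14:80 10.1.100.15:80 }

# Virtual server listening on the public web address. No SNAT is configured: replies
# come back through the LTM only because the servers route via 10.1.100.254.
create ltm virtual iis_vs destination 192.193.194.195:80 ip-protocol tcp profiles add { http } pool iis_pool

save sys config
```

Repeat the VLAN and self IP lines on the second unit with its own non-floating addresses before running the config sync the rep mentions; the pool and virtual server then come over with the sync.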