10 April 2013

F5 Diaries - Episode 2 ISP Redundancy

Having more than one ISP for your corporate network is essential. If one ISP fails for whatever reason, the show must go on. Similarly, if one of the ISPs becomes congested and starts to run slowly, traffic needs to be routed automatically to the other, faster ISP.

This is called outbound load balancing, since the connection is initiated from the internal network and requests an external public resource. For this functionality you only need F5 LTM; you do not need GTM or Link Controller.

This lab is going to build on the standard lab from Episode 1 http://fixmyitsystem.com/2013/04/f5-diaries-episode-1-building-lab.html

As a guide I am going to use this F5 doc http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-3-0/2.html#unique_2145903433

How it works
To be able to test this you will need a machine that uses an F5 external virtual server as its default gateway. All requests are received by the F5 and then load balanced to the external ISPs. The response is then received by the F5 and routed back to the original client source.

Configure the F5
Summary of what needs to be done

  • Create ISP nodes
  • Create an ISP pool
  • Create a virtual server to act as default gateway
  • Enable SNAT automap

Create ISP nodes
You need to create a node for each ISP's ROUTER address

  • Local Traffic
  • Nodes
  • Create
  • ISP1 (Name:  Telkom; Address:
  • ISP2 (Name:  IS; Address:

Create ISP Pool
Use the nodes to create a pool for the virtual server

  • Local traffic
  • Pools
  • Create and name it default_gateway_pool
  • Add the gateway_icmp as the health monitor
  • Load balancing method Round Robin
  • Add the two ISP nodes for * All services
  • Finish

Create Virtual Server
You need to create a wildcard virtual server to act as the default gateway for all connection outbound to the Internet.

  • Local traffic
  • Virtual Servers
  • Create with the following
  • Name: vs_default_gateway
  • Type: Performance (Layer 4)
  • Source:
  • Destination: Network
  • Address
  • Mask
  • Service * All Ports
  • VLAN and Tunnel Traffic : Enabled on Internal VLAN
  • Source Address Translation: Auto Map
  • Default Pool: default_gateway_pool

Enable SNAT Auto Map
This allows traffic to route correctly between the VLANs

  • Local traffic
  • Address translation
  • SNAT list
  • Create and call it SNAT
  • Translation Automap
  • VLAN Enabled on External & Internal
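The same four configuration steps entered in the BIG-IP tmsh shell instead of the GUI, followed by the show commands used to confirm the failover test later on. This is an added example, not part of the original post or F5's documentation: the ISP router addresses are constructed placeholders (the post leaves them blank), the VLAN names internal and external are assumed from the Episode 1 lab, and the object names match the GUI steps above. The security-relevant detail is that the wildcard virtual server is enabled only on the internal VLAN, so nothing on the outside can use the BIG-IP as an open forwarder, while automap SNAT rewrites the source address so replies always come back through the BIG-IP.

```tmsh
# Added example (not from the original post): the GUI steps above as tmsh
# commands. Router addresses are constructed placeholders from the
# documentation ranges; VLAN names "internal"/"external" are assumed.

# 1. One node per ISP router (names as in the post, addresses assumed)
create ltm node Telkom address 192.0.2.1
create ltm node IS address 198.51.100.1

# 2. Pool of both gateways for all services (port any), gateway_icmp health
#    monitor, round robin so outbound connections alternate between the links
create ltm pool default_gateway_pool monitor gateway_icmp load-balancing-mode round-robin members add { Telkom:any IS:any }

# 3. Wildcard Performance (Layer 4) virtual server used as the default gateway.
#    Enabled only on the internal VLAN: outside hosts cannot reach it, so the
#    BIG-IP does not become an open forwarder. Automap SNAT rewrites the client
#    source to the external self IP so ISP replies return to the BIG-IP.
create ltm virtual vs_default_gateway destination 0.0.0.0:any mask 0.0.0.0 ip-protocol any profiles add { fastL4 } pool default_gateway_pool source-address-translation { type automap } vlans-enabled vlans add { internal }

# 4. Automap SNAT for all origins on both VLANs. Without this, the DNS
#    symptom described in the troubleshooting section appears.
create ltm snat SNAT automap origins add { 0.0.0.0/0 } vlans-enabled vlans add { internal external }

save sys config

# Checks for the failover test: with one DSL router unplugged the member
# behind it should be reported down while the other stays available, and the
# virtual server counters should keep increasing as browsing continues.
show ltm pool default_gateway_pool members
show ltm virtual vs_default_gateway
```

Run the show commands before and after unplugging each DSL router; the member state change is the same "flagged as down" event the GUI shows, and it is what the gateway_icmp monitor is there to detect.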

Configure the Test PC
The test PC now needs to use the F5 as its default gateway to the Internet

  • Connect the Test PC's NIC to the Internal virtual switch
  • Configure the Network with a static IP details:
  • IP
  • MASK
  • Gateway (This is the self IP of the F5's Internal VLAN)
  • DNS (Google Public)

At this point everything should be working. On the test PC, open a browser and connect to http://www.whatismyip.com. This should give you a public IP.

To check that you have failover, disconnect one of the physical DSL routers. You should now see the pool member being flagged as down, but your Internet browsing should still be working. I did notice a little delay as things were cutting over. Now do the reverse with the other DSL router. You should observe that the public IP has changed.

If your browser is not returning any pages, check the following:

Problem: F5 Returns traffic but no DNS, sites work on IP but not name

  • Open a command prompt and do an nslookup www.google.com
  • You should get a list of IPs. If you don't, get the list of IPs from another machine.
  • Use the IP in the browser instead of www.google.com
  • If the page loads, you know that the DNS lookup is broken
  • This happens because the SNAT automap for the Internal and External VLANs has not been defined.
  • Configure the SNAT as described above
