F5 BIG-IP MAC address wrong

Recently I was tracing the physical connection path between a Cisco switch and a BIG-IP. After looking around on the Cisco switch and in the BIG-IP I thought it went one way, but it turned out to be completely different, which left me quite confused.

In the screenshot above the MAC address learned on Gi0/2 ends in 0ac6 and the one learned on Gi0/4 ends in 0ac4.

The screenshot below suggests that Gi0/2 should be connected to BIG-IP interface 1.5 and Gi0/4 to 1.3, but tracing the Layer 1 cabling gave a completely different answer.

The F5 documentation explains why: once VLANs are configured, the BIG-IP assigns a MAC address per VLAN, so the MAC the switch learns on a port is the VLAN's MAC rather than that of the physical interface plugged into it. Running the following command on the BIG-IP shows the MAC used by each VLAN, which can then be matched against the interfaces that belong to that VLAN:

tmsh show net vlan | grep -i "Mac\|Net::Vlan"

The correct mapping turned out to be:

Cisco interface Gi0/2 = 0ac6 = F5 BIG-IP interface 1.2

Cisco interface Gi0/4 = 0ac4 = F5 BIG-IP interface 1.4

https://support.f5.com/csp/article/K14513
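As an added example that is not part of the original note: a small Python script that does the matching automatically. It takes the Cisco show mac address-table output, the grep'd tmsh show net vlan output and tmsh list net vlan (for VLAN membership), normalises both MAC notations and joins them, so every switch port ends up tied to a BIG-IP VLAN and the interfaces in it. The sample outputs, the VLAN names and the full MAC addresses are constructed for the example; only the 0ac6/0ac4 endings come from the note.

```python
import re
from typing import Dict, List

# Constructed sample of `show mac address-table` from the Cisco switch (not the note's real output).
CISCO_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0001.d7aa.0ac6    DYNAMIC     Gi0/2
  10    0001.d7aa.0ac4    DYNAMIC     Gi0/4
  10    0050.5600.beef    DYNAMIC     Gi0/3
Total Mac Addresses for this criterion: 3
"""

# Constructed sample of `tmsh show net vlan | grep -i "Mac\|Net::Vlan"` on the BIG-IP.
# The VLAN names are assumptions; the line shapes are the ones that grep keeps.
F5_VLAN_MACS = """\
Net::Vlan: vlan_ext
Mac             00:01:d7:aa:0a:c6
Net::Vlan: vlan_int
Mac             00:01:d7:aa:0a:c4
"""

# Constructed sample of `tmsh list net vlan`, which lists the interfaces in each VLAN.
F5_VLAN_MEMBERS = """\
net vlan vlan_ext {
    interfaces {
        1.2 { }
    }
    tag 4094
}
net vlan vlan_int {
    interfaces {
        1.4 { }
    }
    tag 4093
}
"""

HEX = re.compile(r"[0-9a-fA-F]")


def normalize_mac(mac: str) -> str:
    """Reduce Cisco dotted (0001.d7aa.0ac6) or colon form (00:01:d7:aa:0a:c6) to 12 lowercase hex digits."""
    digits = "".join(HEX.findall(mac)).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_cisco_mac_table(text: str) -> Dict[str, str]:
    """MAC -> switch port, from `show mac address-table` output (header and footer lines are skipped)."""
    row = re.compile(r"^\s*\d+\s+([0-9a-f.]+)\s+\S+\s+(\S+)\s*$", re.I)
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = row.match(line)
        if m:
            table[normalize_mac(m.group(1))] = m.group(2)
    return table


def parse_f5_vlan_macs(text: str) -> Dict[str, str]:
    """VLAN name -> MAC, from the grep'd `tmsh show net vlan` lines."""
    vlans: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Net::Vlan:"):
            current = line.partition("Net::Vlan:")[2].strip()
        elif line.split()[:1] == ["Mac"] and current:
            vlans[current] = normalize_mac(line.split()[1])
    return vlans


def parse_f5_vlan_members(text: str) -> Dict[str, List[str]]:
    """VLAN name -> list of BIG-IP interfaces, from `tmsh list net vlan` output."""
    members: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^net vlan (\S+) \{", line)
        if m:
            current = m.group(1)
            members[current] = []
        elif current and re.match(r"^\s+\d+\.\d+ \{", line):
            members[current].append(line.split()[0])
    return members


def correlate(cisco: Dict[str, str], f5_macs: Dict[str, str],
              f5_members: Dict[str, List[str]]) -> Dict[str, dict]:
    """Join each switch port to the BIG-IP VLAN (and its interfaces) whose MAC the switch learned."""
    vlan_by_mac = {mac: vlan for vlan, mac in f5_macs.items()}
    rows: Dict[str, dict] = {}
    for mac, port in cisco.items():
        vlan = vlan_by_mac.get(mac)
        rows[port] = {"mac": mac, "vlan": vlan, "interfaces": list(f5_members.get(vlan, [])) if vlan else []}
    return rows


if __name__ == "__main__":
    result = correlate(parse_cisco_mac_table(CISCO_MAC_TABLE),
                       parse_f5_vlan_macs(F5_VLAN_MACS),
                       parse_f5_vlan_members(F5_VLAN_MEMBERS))
    for port, info in sorted(result.items()):
        if info["vlan"]:
            print(f"{port:<7} ...{info['mac'][-4:]}  -> BIG-IP {','.join(info['interfaces'])} (vlan {info['vlan']})")
        else:
            print(f"{port:<7} ...{info['mac'][-4:]}  -> no BIG-IP VLAN uses this MAC; check what is really on the port")
```

A switch port whose learned MAC matches no BIG-IP VLAN (Gi0/3 in the sample) is the case worth chasing: either the cabling is not what the diagram says, or something other than the BIG-IP is on that port.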

Cisco GRE tunnel with Encryption

Basic topology configuration

PC1

no ip routing
ip default-gateway 192.168.0.254
int e0/0
no shut
ip add 192.168.0.11 255.255.255.0

PC2

no ip routing
ip default-gateway 192.168.2.254
int e0/0
no shut
ip add 192.168.2.11 255.255.255.0

Internet

int e0/0
no shut
ip add 202.80.1.2 255.255.255.0
int e0/1
no shut
ip add 202.100.1.2 255.255.255.0

router eigrp 1
no auto
network 202.80.1.0 0.0.0.255
network 202.100.1.0 0.0.0.255

R1

int e0/0
no shut
ip add 202.80.1.1 255.255.255.0
int e0/1
no shut
ip add 192.168.0.254 255.255.255.0

router eigrp 1
no auto
network 202.80.1.0 0.0.0.255

R2

int e0/0
no shut
ip add 202.100.1.1 255.255.255.0
int e0/1
no shut
ip add 192.168.2.254 255.255.255.0

router eigrp 1
no auto
network 202.100.1.0 0.0.0.255

With the addressing and routing above in place, R1 can ping 202.100.1.1 and R2 can ping 202.80.1.1. Next comes the tunnel without encryption:

R1

int t0
ip add 10.0.0.1 255.255.255.252
tunnel source 202.80.1.1
tunnel destination 202.100.1.1

ip route 192.168.2.0 255.255.255.0 t0

R2

int t0
ip add 10.0.0.2 255.255.255.252
tunnel source 202.100.1.1
tunnel destination 202.80.1.1

ip route 192.168.0.0 255.255.255.0 t0

Once that is done PC1 can ping PC2. Now add the encryption:
1. Define a transform-set
2. Define an IKEv2 keyring and an IKEv2 profile that uses it
3. Define an IPsec profile
4. Apply the IPsec profile to Tunnel0

Two things to note about the Tunnel0 configuration below. "tunnel mode ipsec ipv4" turns the interface into an IPsec VTI, so the tunnel no longer carries GRE, and "ip unnumbered e0/0" replaces the 10.0.0.x/30 address configured earlier; the static routes pointing at t0 keep working. If you want a true GRE-over-IPsec tunnel, leave the interface in its default GRE mode and add only "tunnel protection". Also, no "crypto ikev2 proposal" is defined, so the IOS default proposal is negotiated; "set pfs group2" is 1024-bit Diffie-Hellman and "esp-sha-hmac" is HMAC-SHA-1, both legacy choices that should become group 14 (or an ECDH group) and a SHA-2 transform outside a lab, and the pre-shared key is a throwaway lab value.

R1

crypto ipsec transform-set VPN_test_transform-set esp-aes 256 esp-sha-hmac

crypto ikev2 keyring VPN_test_keyring
 peer 202.100.1.1
  address 202.100.1.1
  pre-shared-key 0987654321

crypto ikev2 profile VPN_test_profile
 match address local interface e0/0
 match identity remote address 202.100.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local VPN_test_keyring

crypto ipsec profile VPN_test
 set transform-set VPN_test_transform-set
 set pfs group2
 set ikev2-profile VPN_test_profile

interface Tunnel0
 ip unnumbered e0/0
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
 tunnel source e0/0
 tunnel mode ipsec ipv4
 tunnel destination 202.100.1.1
 tunnel protection ipsec profile VPN_test

R2

crypto ipsec transform-set VPN_test_transform-set esp-aes 256 esp-sha-hmac

crypto ikev2 keyring VPN_test_keyring
 peer 202.80.1.1
  address 202.80.1.1
  pre-shared-key 0987654321

crypto ikev2 profile VPN_test_profile
 match address local interface e0/0
 match identity remote address 202.80.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local VPN_test_keyring

crypto ipsec profile VPN_test
 set transform-set VPN_test_transform-set
 set pfs group2
 set ikev2-profile VPN_test_profile

interface Tunnel0
 ip unnumbered e0/0
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
 tunnel source e0/0
 tunnel mode ipsec ipv4
 tunnel destination 202.80.1.1
 tunnel protection ipsec profile VPN_test

When something went wrong, I used the following commands to find the cause:

debug tunnel
show crypto ikev2 sa
show crypto ipsec sa
show crypto session detail

Cisco Private VLAN

PC1

no ip routing
int e0/0
no shut
ip add 192.168.0.1 255.255.255.0

PC2

no ip routing
int e0/0
no shut
ip add 192.168.0.2 255.255.255.0

PC3

no ip routing
int e0/0
no shut
ip add 192.168.0.3 255.255.255.0

PC4

no ip routing
int e0/0
no shut
ip add 192.168.0.4 255.255.255.0

Server1

no ip routing
int e0/0
no shut
ip add 192.168.0.254 255.255.255.0

The first thing to note with private VLANs is that VTP must be changed: VTP versions 1 and 2 do not carry private VLAN information, so the switch has to be in VTP transparent mode (VTPv3 can propagate them). If you are not familiar with VTP, read up on it first.

SW1

vtp mode transparent

vlan 500
private-vlan primary
private-vlan association 501-502

vlan 501
private-vlan community

vlan 502
private-vlan isolated

interface range g0/0-1
switchport mode private-vlan host
switchport private-vlan host-association 500 501

interface range g0/2-3
switchport mode private-vlan host
switchport private-vlan host-association 500 502

interface g1/0
switchport mode private-vlan promiscuous
switchport private-vlan mapping 500 501-502

PC1 and PC2 are in community VLAN 501, so they can reach each other, and they can also reach Server1 on the promiscuous port.

(PC2's result is the same as PC1's.)

PC3 and PC4 are in isolated VLAN 502, so they cannot reach each other, nor PC1 or PC2, but they can reach Server1 on the promiscuous port.

(PC4's result is the same as PC3's.)

Server1 is on the promiscuous port in primary VLAN 500, so it can reach every PC. Keep in mind that this isolation is a Layer 2 control only: if the promiscuous device is a router, an isolated host can send a frame to the router's MAC address with another isolated host's IP as the destination, and the router will route it straight back into the VLAN. When the promiscuous port carries a router rather than a server like Server1 here (which has routing disabled), put an ACL on that gateway denying traffic both sourced from and destined to 192.168.0.0/24.

Useful commands

show interfaces fastEthernet 0/1 switchport
show interface fa0/24 switchport
show vlan private-vlan
show vlan private-vlan type
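As an added example (my code, not from the original note): a Python model of the private VLAN rules. It parses the SW1 configuration above, checks the things that commonly make a PVLAN lab silently fail (VTP mode, a secondary VLAN used on a port but not associated with its primary) and computes the expected reachability matrix between ports, which can then be compared against the ping results. The config text is the one from this section with the vtp line included; the port names come from it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# SW1's configuration from this section (with the vtp line), used here as constructed sample input.
SW1_CONFIG = """\
vtp mode transparent
vlan 500
 private-vlan primary
 private-vlan association 501-502
vlan 501
 private-vlan community
vlan 502
 private-vlan isolated
interface range g0/0-1
 switchport mode private-vlan host
 switchport private-vlan host-association 500 501
interface range g0/2-3
 switchport mode private-vlan host
 switchport private-vlan host-association 500 502
interface g1/0
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 500 501-502
"""


@dataclass
class PvlanPort:
    name: str
    mode: str = "access"          # host, promiscuous, or access (not a PVLAN port)
    primary: int = 0
    secondaries: List[int] = field(default_factory=list)  # host port: one VLAN; promiscuous: mapped list


def expand_ports(spec: str) -> List[str]:
    """'g0/0-1' -> ['g0/0', 'g0/1']; a single interface name is returned unchanged."""
    m = re.fullmatch(r"(\S*?/)(\d+)-(\d+)", spec)
    return [spec] if not m else [f"{m[1]}{i}" for i in range(int(m[2]), int(m[3]) + 1)]


def expand_vlans(spec: str) -> List[int]:
    """'501-502,510' -> [501, 502, 510]."""
    out: List[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out


def parse_pvlan_config(config: str) -> dict:
    """Pull VTP mode, VLAN types, primary/secondary associations and port roles out of an IOS config."""
    cfg: dict = {"vtp_transparent": False, "vlan_types": {}, "assoc": {}, "ports": {}}
    cur_vlan, cur_ports = 0, []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 2:
            continue
        if tok[:3] == ["vtp", "mode", "transparent"]:
            cfg["vtp_transparent"] = True
        elif tok[0] == "vlan" and tok[1].isdigit():
            cur_vlan, cur_ports = int(tok[1]), []
        elif tok[0] == "interface":
            cur_vlan, cur_ports = 0, expand_ports(tok[-1])
            for p in cur_ports:
                cfg["ports"].setdefault(p, PvlanPort(p))
        elif tok[:2] == ["private-vlan", "association"] and cur_vlan:
            cfg["assoc"][cur_vlan] = expand_vlans(tok[2])
        elif tok[0] == "private-vlan" and cur_vlan:
            cfg["vlan_types"][cur_vlan] = tok[1]           # primary / community / isolated
        elif tok[:3] == ["switchport", "mode", "private-vlan"]:
            for p in cur_ports:
                cfg["ports"][p].mode = tok[3]
        elif tok[:2] == ["switchport", "private-vlan"] and tok[2] in ("host-association", "mapping"):
            for p in cur_ports:
                cfg["ports"][p].primary, cfg["ports"][p].secondaries = int(tok[3]), expand_vlans(tok[4])
    return cfg


def can_reach(cfg: dict, a: str, b: str) -> bool:
    """Layer 2 reachability between two ports under the private VLAN rules."""
    pa, pb = cfg["ports"][a], cfg["ports"][b]
    if a == b:
        return True
    if pa.primary == 0 or pa.primary != pb.primary:
        return False
    if "promiscuous" in (pa.mode, pb.mode):
        # a promiscuous port talks to other promiscuous ports and to every secondary VLAN mapped to it
        host, prom = (pb, pa) if pa.mode == "promiscuous" else (pa, pb)
        return host.mode == "promiscuous" or host.secondaries[0] in prom.secondaries
    sa, sb = pa.secondaries[0], pb.secondaries[0]      # two host ports: same community VLAN only
    return sa == sb and cfg["vlan_types"].get(sa) == "community"


def reachability(cfg: dict) -> Dict[str, Dict[str, bool]]:
    names = sorted(cfg["ports"])
    return {a: {b: can_reach(cfg, a, b) for b in names} for a in names}


def check_config(cfg: dict) -> List[str]:
    """Misconfigurations that leave the PVLAN not working as intended."""
    problems: List[str] = []
    if not cfg["vtp_transparent"]:
        problems.append("vtp mode is not transparent: VTPv1/v2 will not carry private VLANs")
    for p in cfg["ports"].values():
        for s in p.secondaries:
            if s not in cfg["assoc"].get(p.primary, []):
                problems.append(f"{p.name}: secondary VLAN {s} is not associated with primary {p.primary}")
    return problems
```

check_config(parse_pvlan_config(SW1_CONFIG)) returns an empty list for the configuration above, and reachability(...) gives a matrix in which g0/0 and g0/1 reach each other, g0/2 and g0/3 do not, and g1/0 reaches every port; that is exactly the set of ping results the screenshots show.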

Cisco GRE Tunnel

R1

int f0/0
no shut
ip add 202.80.1.1 255.255.255.0

int f0/1
no shut
ip add 192.168.0.254 255.255.255.0

int t0
ip add 10.0.0.1 255.255.255.252
tunnel source 202.80.1.1
tunnel destination 202.80.1.2

ip route 192.168.2.0 255.255.255.0 t0

R2

int f0/0
no shut
ip add 202.80.1.2 255.255.255.0

int f0/1
no shut
ip add 192.168.2.254 255.255.255.0

int t0
ip add 10.0.0.2 255.255.255.252
tunnel source 202.80.1.2
tunnel destination 202.80.1.1

ip route 192.168.0.0 255.255.255.0 t0

PC1

no ip routing

ip default-gateway 192.168.0.254

int f0/0
no shut
ip add 192.168.0.11 255.255.255.0

PC2

no ip routing

ip default-gateway 192.168.2.254

int f0/0
no shut
ip add 192.168.2.11 255.255.255.0

GRE over IPsec encryption

The ISAKMP policy below uses 3DES, MD5 and DH group 5, which are all legacy choices: fine for a lab, but in production use AES, SHA-2 and group 14 or higher. As in the IKEv2 example above, "tunnel mode ipsec ipv4" turns t0 into an IPsec VTI rather than GRE over IPsec; for real GRE over IPsec keep the tunnel in GRE mode and apply only "tunnel protection", in which case "mode transport" on the transform set is the usual choice because the GRE header already carries the tunnel endpoints.

R1

crypto isakmp policy 10
encryption 3des
hash md5
group 5
authentication pre-share
crypto isakmp key YourKey123 address 202.80.1.2

crypto ipsec transform-set YourTunnel esp-aes 256 esp-sha256-hmac
mode transport

crypto ipsec profile YourTunnel
set transform-set YourTunnel

int t0
tunnel mode ipsec ipv4
tunnel protection ipsec profile YourTunnel

R2

crypto isakmp policy 10
encryption 3des
hash md5
group 5
authentication pre-share
crypto isakmp key YourKey123 address 202.80.1.1

crypto ipsec transform-set YourTunnel esp-aes 256 esp-sha256-hmac
mode transport

crypto ipsec profile YourTunnel
set transform-set YourTunnel

int t0
tunnel mode ipsec ipv4
tunnel protection ipsec profile YourTunnel
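As an added example that is not part of the original notes, covering both the IKEv2 configuration in the "Cisco GRE tunnel with Encryption" section and the ISAKMP configuration above: a Python linter that walks an IOS config and flags legacy IKE/IPsec parameters. The thresholds (no DES/3DES, no MD5 or SHA-1, Diffie-Hellman below 2048 bits, pre-shared keys under 20 characters) are my review policy rather than anything from the page; the sample configs are trimmed copies of the two router configs from these sections plus a hardened IKEv2 variant of my own.

```python
from dataclasses import dataclass
from typing import List

# Review thresholds assumed for this example: no DES/3DES, no MD5 or SHA-1 integrity,
# Diffie-Hellman of at least 2048 bits (group 14) or ECDH, pre-shared keys of 20+ characters.
WEAK_ENC = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASH = {"md5", "sha", "sha1", "esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}
WEAK_DH = {"1", "2", "5", "group1", "group2", "group5"}
MIN_PSK_LEN = 20


@dataclass
class Finding:
    line_no: int       # 0 for config-wide findings
    severity: str      # high, medium or info
    token: str         # the offending keyword or value
    message: str


def lint_ios_crypto(config: str) -> List[Finding]:
    """Walk an IOS config line by line and flag legacy IKE/IPsec parameters."""
    findings: List[Finding] = []
    has_profile = has_proposal = False
    for no, raw in enumerate(config.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 2:
            continue
        head = " ".join(tok[:3])
        has_proposal |= head == "crypto ikev2 proposal"
        has_profile |= head == "crypto ikev2 profile"
        # IKEv1 `crypto isakmp policy` and IKEv2 `crypto ikev2 proposal` parameters
        if tok[0] == "encryption" and tok[1] in WEAK_ENC:
            findings.append(Finding(no, "high", tok[1], "legacy cipher"))
        elif tok[0] in ("hash", "integrity", "prf") and tok[1] in WEAK_HASH:
            findings.append(Finding(no, "high", tok[1], "legacy hash"))
        elif tok[0] == "group" and tok[1] in WEAK_DH:
            findings.append(Finding(no, "high", f"group {tok[1]}", "DH group below 2048 bits"))
        # IPsec transform-set algorithms and the PFS group of an IPsec profile / crypto map
        elif head == "crypto ipsec transform-set":
            findings += [Finding(no, "high", a, "legacy transform") for a in tok[4:] if a in WEAK_ENC | WEAK_HASH]
        elif tok[:2] == ["set", "pfs"] and tok[2] in WEAK_DH:
            findings.append(Finding(no, "high", tok[2], "PFS group below 2048 bits"))
        # Pre-shared keys: `crypto isakmp key [0|6] K address A` and keyring `pre-shared-key [local|remote] [0|6] K`
        elif head == "crypto isakmp key" or tok[0] == "pre-shared-key":
            rest = [t for t in (tok[3:] if tok[0] == "crypto" else tok[1:]) if t not in ("local", "remote")]
            enc, key = (rest[0], rest[1]) if rest[0] in ("0", "6") and len(rest) > 1 else ("0", rest[0])
            if enc == "0" and len(key) < MIN_PSK_LEN:   # type 6 keys are encrypted; their length is not visible
                findings.append(Finding(no, "medium", key, f"pre-shared key shorter than {MIN_PSK_LEN} characters"))
    if has_profile and not has_proposal:
        findings.append(Finding(0, "info", "crypto ikev2 proposal", "none configured, the IOS default proposal will be negotiated"))
    return findings


# R1 from the "GRE over IPsec" section above (constructed copy of the page's lab config).
GRE_OVER_IPSEC_R1 = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 5
 authentication pre-share
crypto isakmp key YourKey123 address 202.80.1.2
crypto ipsec transform-set YourTunnel esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile YourTunnel
 set transform-set YourTunnel
"""

# R1 from the IKEv2 section (constructed, trimmed copy of the page's lab config).
IKEV2_R1 = """\
crypto ipsec transform-set VPN_test_transform-set esp-aes 256 esp-sha-hmac
crypto ikev2 keyring VPN_test_keyring
 peer 202.100.1.1
  address 202.100.1.1
  pre-shared-key 0987654321
crypto ikev2 profile VPN_test_profile
 keyring local VPN_test_keyring
crypto ipsec profile VPN_test
 set transform-set VPN_test_transform-set
 set pfs group2
 set ikev2-profile VPN_test_profile
"""

# A hardened IKEv2 variant of my own (assumed values): AES-GCM, SHA-512 PRF, ECDH group 19, long PSK.
HARDENED = """\
crypto ikev2 proposal STRONG
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy STRONG
 proposal STRONG
crypto ikev2 keyring KR
 peer 202.100.1.1
  address 202.100.1.1
  pre-shared-key 0 CorrectHorseBatteryStaple2024
crypto ikev2 profile HARDENED
 keyring local KR
crypto ipsec transform-set STRONG esp-gcm 256
crypto ipsec profile STRONG
 set transform-set STRONG
 set pfs group19
"""

if __name__ == "__main__":
    for name, cfg in (("GRE over IPsec R1", GRE_OVER_IPSEC_R1), ("IKEv2 R1", IKEV2_R1), ("hardened", HARDENED)):
        print(name)
        for f in lint_ios_crypto(cfg) or [Finding(0, "ok", "-", "no findings")]:
            print(f"  line {f.line_no:>2} {f.severity:<6} {f.token:<24} {f.message}")
```

Run against the two lab configs it reports 3DES, MD5 and group 5 in the ISAKMP policy, esp-sha-hmac and group2 in the IKEv2 setup, both short pre-shared keys, and the missing IKEv2 proposal; the hardened variant produces nothing.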

F5 BIG-IP NAT session reset

Sometimes during testing a NAT change does not seem to work as expected; most likely it simply has not taken effect yet, because connections already in the connection table keep their existing translation and only new connections pick up the change. List the connection table with:

tmsh show /sys connection

Be careful: deleting connections in production will cut users off, and anyone logged in to a website will have to log in again.

tmsh delete /sys connection

Or delete only the connections of a specific client IP:

tmsh delete /sys connection cs-client-addr 192.168.0.11

F5 BIG-IP NAT load balancer

Default route: 10.0.0.254

Configure two SNAT pools (SNAT_10 and SNAT_20)

Configure two pools (Pool_10 and Pool_20); pay attention to the priority order

when CLIENT_ACCEPTED {
    if { [IP::addr [LB::server addr] equals "8.8.8.8"] } {
        pool Pool_10
        snatpool SNAT_10
    } elseif { [IP::addr [LB::server addr] equals "8.8.4.4"] } {
        pool Pool_20
        snatpool SNAT_20
    } else {
        snat automap
    }
}

Traffic to anything other than 8.8.8.8 and 8.8.4.4 follows the default route, with snat automap.