F5 Lab 1.20: Configuring Forwarding Virtual Server
By default, the F5 is a device that blocks all traffic until the administrator explicitly allows it. In the lab I created two virtual servers, PAYMENT_WEB_VS and MARKETING_WEB_VS, which sit between different route domains, so users can reach each service through its virtual IP in the browser. But what if the server administrator wants to reach the backend server directly for maintenance on IP address 192.0.2.1 using SSH? How can we accomplish that?
This is where the forwarding virtual server comes into play. A forwarding virtual server differs from a standard virtual server in that it has no pool assigned. It simply forwards the defined traffic from the source to the destination; there is no load-balancing process.
Let's prove that the F5 blocks the traffic:
I tried to connect to the server on IP address 192.0.2.1 using SSH and it showed a connection refused error, which proves that the connection failed. Let's run a tracert to figure out where the traffic is blocked.
When the tracert command is executed, the last hop is 192.168.100.2, and then the IP address 10.10.102.1 sends the ICMP message "Destination net unreachable". Based on the topology, 192.168.100.2 is the active HSRP gateway on N9K-CORE-1, and 10.10.102.1 is the F5 self IP for OSPF route domain 2. The trace result shows that the F5 rejects the traffic and sends the ICMP message.
Let's create the forwarding virtual server on the F5 to allow the traffic.
1. As with a standard virtual server, navigate to Local Traffic => Virtual Servers, then click "Create".
On the General Properties page of the new virtual server, configure the parameters:
2. Test the SSH traffic from the server admin PC to the backend server on IP address 192.0.2.1 again.
The test result shows that we can log in to the backend server on IP address 192.0.2.1 over SSH. But what about ICMP traffic? Let's test by pinging the IP address 192.0.2.1.
The ping result shows request timed out, which means the ICMP traffic is blocked. This result is expected because, remember, the protocol configured on the forwarding virtual server is TCP. Let's change the protocol to All Protocols and the listening port to All Ports, then test again.
After changing the service port and the protocol, pinging the backend server 192.0.2.1 succeeds, as the result below shows.
The tracert is also allowed.
With the new configuration, all incoming traffic to every segment in route domain ID 2 is allowed. If you need to be more granular and permit only specific services, restrict the service port, the protocol and the destination IP of the virtual server to the specific address.
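The same two configurations, first the restricted form and then the wide-open form tested above, expressed as tmsh commands. This is an added example and not configuration from the article, which uses the GUI; the virtual server names FORWARD_SSH_VS and FORWARD_ANY_VS are assumed, SSH is assumed to be on its standard TCP port 22, and route domain 2 and the address 192.0.2.1 come from the article.

```tmsh
# Added example (not from the article). Names FORWARD_SSH_VS and FORWARD_ANY_VS are assumed.
# "ip-forward" creates a Forwarding (IP) virtual server: no pool, no load balancing,
# and address/port translation are disabled automatically.

# Restricted form: only TCP port 22 (SSH, assumed) to the single host 192.0.2.1 in route domain 2.
create ltm virtual FORWARD_SSH_VS destination 192.0.2.1%2:22 mask 255.255.255.255 ip-protocol tcp ip-forward profiles add { fastL4 }

# Wide-open form matching the second test in the article: any protocol, any port, any
# destination in route domain 2. Ping and tracert now pass, but so does everything else,
# so keep this one only where the restricted form really is not enough.
create ltm virtual FORWARD_ANY_VS destination 0.0.0.0%2:any mask any ip-protocol any ip-forward profiles add { fastL4 }

# Review the resulting objects and persist the change.
list ltm virtual FORWARD_SSH_VS
list ltm virtual FORWARD_ANY_VS
save sys config
```

With the restricted virtual server in place, the ping from the earlier test still times out, because ICMP does not match a TCP listener; that is the behaviour the article observed and the reason the granular form is the safer default for maintenance access.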
Takeaways:
1. A forwarding virtual server has no pool assigned and performs no load balancing.
2. A forwarding virtual server can be used to allow traffic to the backend server.