Applies To: BIG-IP versions 1.x - 4.x (4.0 PTF-04, 4.0 PTF-03, 4.0 PTF-02, 4.0 PTF-01, 4.0.0)
6 Load Balancing VPNs
- Working with VPN load balancing
- Using VPN and router load balancing
- Additional configuration options
Working with VPN load balancing
You can use the BIG-IP Controller to load balance virtual private network (VPN) gateways used to connect two private networks. Figure 6.1 shows a configuration of this type.
Figure 6.1 An example of a VPN load balancing configuration
Configuring VPN load balancing
The following tasks show only how to configure the BIG-IP Controller on network 192.168.13.100 (BIG-IP 2). The configuration for BIG-IP 1 on 192.168.11.100 is the same, only with different network numbers.
- Create two load balancing pools. One pool load balances the content servers and the other handles the inside addresses of the three VPNs.
- Create three virtual servers. One virtual server references the pool that load balances the content servers. The others handle inbound and outbound traffic for the VPNs.
- Enable service 80 and service 443 for traffic. This step is only required if you configure this solution from the command line. The web-based Configuration utility automatically allows access to the services.
Defining the pools
First, create two pools. Create one pool that load balances the content servers and another pool for load balancing the VPNs.
To create pools using the Configuration utility
- In the navigation pane, click Pools. The Pools screen opens.
- Click the Add button. The Add Pool screen opens.
- In the Add Pool screen, configure the attributes you want to use for the pool. For additional information about this screen, click the Help button.
Configuration notes
· Create a server pool named server_pool. This pool contains the following members: <server1>, <server2>.
· Create a pool named vpn_insides. This pool contains the following members: <vpn1>, <vpn2>, <vpn3>.
To define pools from the command line
Define the pool server_pool for the content servers:
b pool server_pool { member <server1>:80 member <server2>:80 member <server3>:80 }
Replace <server1>, <server2>, and <server3> with the IP address of each respective server.
Define the pool vpn_insides for the VPNs:
b pool vpn_insides { member <vpn1>:* member <vpn2>:* member <vpn3>:* }
Replace <vpn1>, <vpn2>, and <vpn3> with the internal IP address of the respective router. In this example the routers are service checked on port *.
Defining the virtual servers
After you define the pools for the content servers and the inside IP addresses of the VPNs, define the following three virtual servers for controller BIG-IP 2:
- A virtual server to load balance the content servers
- A virtual server to forward inbound VPN traffic
- A virtual server to load balance outbound traffic across the VPNs
To define the virtual server using the Configuration utility
- In the navigation pane, click Virtual Servers. The Virtual Servers screen opens.
- Click the Add button. The Add Virtual Server screen opens.
- Fill in the attributes for the virtual server. For additional information about this screen, click the Help button.
Configuration notes
· For the content servers, create the virtual server 205.100.19.22:80 and use the pool server_pool.
· For the inbound connections, create the network virtual server 192.168.13.0:0. Turn forwarding on.
· For the outbound connection, create the network virtual server 192.168.11.0:0. Use pool vpn_insides and disable address translation.
To define the virtual servers from the command line
First, create a virtual server for the content server pool:
b virtual 205.100.19.22:80 use pool server_pool
Then, create a forwarding network virtual server for inbound VPN traffic:
b virtual 192.168.13.0:0 forward
Last, create a virtual server to load balance traffic outbound to the remote machines through VPNs:
b virtual 192.168.11.0:0 use pool vpn_insides
b virtual 192.168.11.0:0 translate addr disable
This addresses nodes 192.168.11.1, 192.168.11.2, and 192.168.11.3, which represent the IBM Compatible, Tower box, and Macintosh on the remote network in Figure 6.1.
Enabling service 80 and service 443
This step is only required if you configure this solution from the command line. If you use the web-based Configuration utility for this solution, the services are automatically enabled. Use the following command to enable service 80 and service 443.
b service 80 443 tcp enable
Using VPN and router load balancing
You can use the transparent device load balancing feature in the BIG-IP Controller to connect to private networks, as well as to load balance Internet connections through multiple routers. Figure 6.2 is an example of this network configuration. Note that this configuration uses three interfaces on the BIG-IP Controller. The interface connected to the routers and the interface connected to the servers must be on different VLANs.
Configuring virtual servers for VPN and router load balancing
The following topics show only the VPN configuration for the BIG-IP Controller on network 192.168.13.100 (BIG-IP 2). The configuration for 192.168.11.100 is done the same way, but with different network numbers.
Figure 6.2 An example of a VPN and multiple router load balancing configuration
Configuring VPN and router load balancing
First, complete the following tasks on the BIG-IP Controller:
- Create load balancing pools for the content servers, the routers, and the three VPNs.
- Create four virtual servers. The first virtual server load balances inbound Internet traffic. The second virtual server load balances outbound Internet traffic. The third virtual server forwards inbound VPN connections. The fourth virtual server load balances outbound VPN connections.
- Configure network address translation. Configure NATs or SNAT automap for outbound traffic so that replies arrive through the same VPN the request went out on.
- Enable service 80 and service 443 for traffic. This step is only required if you configure this solution from the command line. The web-based Configuration utility automatically opens the ports.
Defining the pools for VPN load balancing
First, create three pools. Create one pool that load balances the content servers, one that load balances the routers, and one that load balances the VPNs.
To create a pool using the Configuration utility
- In the navigation pane, click Pools. The Pools screen opens.
- Click the Add button. The Add Pool screen opens.
- In the Add Pool screen, configure the attributes you want to use for the pool. For additional information about this screen, click the Help button.
Configuration notes
· Create a server pool named server_pool. This pool contains the following members: <server1> and <server2>.
· Create a pool named router_insides with the following members: <router1> and <router2>.
· Create a pool named vpn_insides. This pool contains the following members: <vpn1>, <vpn2>, and <vpn3>.
To define a pool from the command line
First, define the pool server_pool for the content servers:
b pool server_pool { member <server1>:80 member <server2>:80 member <server3>:80 }
Replace <server1>, <server2>, and <server3> with the IP address of each respective server.
Next, define the pool router_insides for the internal addresses of the routers:
b pool router_insides { member <router1>:0 member <router2>:0 }
Replace <router1> and <router2> with the internal IP address of each respective router.
Finally, define the pool vpn_insides for the internal addresses of the VPN routers:
b pool vpn_insides { member <vpn1>:0 member <vpn2>:0 member <vpn3>:0 }
Replace <vpn1>, <vpn2>, and <vpn3> with the external IP address of each respective router.
Defining the virtual servers for VPN and router load balancing
After you define the pools for the inside IP addresses of the routers, you need to define the following virtual servers for the controller BIG-IP 2.
- A virtual server to load balance the content servers
- A virtual server to load balance the routers
- A virtual server to forward inbound connections for the VPNs
- A virtual server to load balance outbound connections for the VPNs
To define the virtual server using the Configuration utility
- In the navigation pane, click Virtual Servers. The Virtual Servers screen opens.
- Click the Add button. The Add Virtual Server screen opens.
- Fill in the attributes for the virtual server. For additional information about this screen, click the Help button.
Configuration notes
· For the inbound Internet connection, configure the virtual server 205.100.92.22:80 using server_pool.
· For the outbound Internet connection, configure the wildcard virtual server 0.0.0.0:0 using router_insides.
· For the inbound VPN connections, create the forwarding network virtual server 192.168.13.0:0. Turn forwarding on.
· For the outbound VPN connections, create the network virtual server 192.168.11.0:0. Use pool vpn_insides and disable port and address translation.
To define virtual servers from the command line
First, configure the controller to handle inbound traffic from the remote network. Create the forwarding virtual server for controller BIG-IP 2 with the following command:
b virtual 192.168.13.0:0 forward
Then, configure BIG-IP 2 to handle outbound traffic. Create a virtual server that sends traffic to the pool you created for the internal interfaces of the VPN routers (vpn_insides). Use the following commands to create virtual servers for connecting to the machines on the remote network:
b virtual 192.168.11.0:0 use pool vpn_insides
b virtual 192.168.11.0:0 translate addr disable
This addresses the nodes 192.168.11.1, 192.168.11.2, and 192.168.11.3, which correspond to the IBM Compatible, Tower box, and Macintosh on the remote network in Figure 6.2.
Then, create a virtual server to handle inbound traffic:
b virtual 205.100.92.22:80 use pool server_pool
Finally, configure BIG-IP 2 to handle outbound traffic. Create a virtual server that sends traffic to the pool you created for the internal interfaces of the routers (router_insides). Use the following command to create the virtual server:
b virtual 0.0.0.0:0 use pool router_insides
Configuring network address translation on routers
For outbound traffic you must now set up address translation so that replies arrive through the same router the request went out on. Specifically, you must either configure your routers so that they perform network address translation (NAT), or you must configure SNAT automapping.
For instructions on NAT configuration, refer to your router documentation.
To perform the SNAT automap you must perform three steps:
- Assign IP-specific self addresses to the external VLAN corresponding to the IP networks of the two routers.
- Enable SNAT automap for each of the self addresses.
- Enable SNAT automap for the internal VLAN.
To create self addresses and enable SNAT automap to the router inside interfaces using the Configuration utility
- In the navigation pane, click Network. The VLANs screen opens.
- On the VLANs screen, click the Self IP Addresses tab. The Self IP Addresses screen opens.
- Click the Add button. The Add Self IP Address screen opens.
- In the Add Self IP Address screen, for each router, add a new self IP address with the inside IP network address of the router and SNAT Automap enabled.
- On the Network screen, click the VLANs tab. The VLANs screen opens.
- On the VLANs screen, click the internal VLAN. The VLAN Internal screen opens.
- In the VLAN Internal screen, enable SNAT Automap.
For additional information about adding a VLAN, click the Help button.
To create VLAN mappings with SNAT auto mapping to the router inside interfaces from the command line
Create IP-specific self addresses on the third VLAN, with SNAT automap enabled on each:
b self <ip_addr1> vlan <vlan_name> snat automap enable
b self <ip_addr2> vlan <vlan_name> snat automap enable
Enable SNAT automap on the internal VLAN:
b vlan <int_vlan> snat automap enable
For example:
b self 11.11.11.5 vlan external snat automap enable
b self 11.11.12.5 vlan external snat automap enable
b vlan internal snat automap enable
Enabling service 80 and service 443
This step is required only if you configure this solution from the command line. If you use the web-based Configuration utility for this solution, the services are automatically enabled. Use the following command to enable service 80 and service 443.
b service 80 443 tcp enable
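As an added configuration-review example (not F5 tooling and not text from this guide), the following Python script parses a constructed set of bigpipe commands for BIG-IP 2 that combines the VPN load balancing and the VPN-plus-router load balancing procedures above, and checks the invariants those procedures depend on: the outbound VPN virtual server using vpn_insides has address translation disabled, the service for every virtual server port is enabled, and router load balancing has SNAT automap enabled on the router self addresses and the internal VLAN. The pool member addresses are constructed placeholders standing in for <server1>, <router1>, <vpn1> and so on.

```python
# Constructed sample: the bigpipe commands this chapter gives for BIG-IP 2, with made-up member addresses.
SAMPLE_CONFIG = """
b pool server_pool { member 192.168.13.21:80 member 192.168.13.22:80 }
b pool router_insides { member 11.11.11.1:0 member 11.11.12.1:0 }
b pool vpn_insides { member 192.168.13.11:0 member 192.168.13.12:0 member 192.168.13.13:0 }
b virtual 192.168.13.0:0 forward
b virtual 192.168.11.0:0 use pool vpn_insides
b virtual 192.168.11.0:0 translate addr disable
b virtual 205.100.92.22:80 use pool server_pool
b virtual 0.0.0.0:0 use pool router_insides
b self 11.11.11.5 vlan external snat automap enable
b self 11.11.12.5 vlan external snat automap enable
b vlan internal snat automap enable
b service 80 443 tcp enable
"""

def parse(config):
    """Collect pools, virtual servers (merging repeated 'b virtual' lines), SNAT automap state and services."""
    s = {"pools": {}, "virtuals": {}, "self_automap": [], "vlan_automap": set(), "services": set()}
    for line in config.strip().splitlines():
        p = line.split()
        if p[:2] == ["b", "pool"]:
            s["pools"][p[2]] = [p[i + 1] for i, x in enumerate(p) if x == "member"]
        elif p[:2] == ["b", "virtual"]:
            vs = s["virtuals"].setdefault(p[2], {"pool": None, "translate_addr": True})
            if "pool" in p:
                vs["pool"] = p[p.index("pool") + 1]
            if p[3:] == ["translate", "addr", "disable"]:
                vs["translate_addr"] = False
        elif p[:2] == ["b", "self"] and p[-3:] == ["snat", "automap", "enable"]:
            s["self_automap"].append(p[2])
        elif p[:2] == ["b", "vlan"] and p[-3:] == ["snat", "automap", "enable"]:
            s["vlan_automap"].add(p[2])
        elif p[:2] == ["b", "service"] and p[-1] == "enable":
            s["services"].update(x for x in p[2:] if x.isdigit())
    return s

def check(config):
    """Return findings that violate the chapter's invariants; an empty list means the config passes."""
    s, findings = parse(config), []
    for addr, vs in s["virtuals"].items():
        port = addr.rsplit(":", 1)[1]
        # With address translation left on, the destination would be rewritten to the VPN inside
        # address instead of being carried through to the 192.168.11.x node on the remote network.
        if vs["pool"] == "vpn_insides" and vs["translate_addr"]:
            findings.append(f"{addr}: outbound VPN virtual server must have 'translate addr disable'")
        if port not in ("0", "*") and port not in s["services"]:
            findings.append(f"{addr}: service {port} is not enabled (b service {port} tcp enable)")
        if vs["pool"] == "router_insides" and not (s["self_automap"] and "internal" in s["vlan_automap"]):
            findings.append(f"{addr}: router load balancing needs SNAT automap on the router self IPs and the internal VLAN")
    return findings
```

Running `check(SAMPLE_CONFIG)` on the sample returns no findings; deleting any of the `translate addr disable`, `b service`, or `b vlan internal` lines produces the matching finding.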
Additional configuration options
Whenever a BIG-IP Controller is configured, a number of options are available to the user:
- You have the option in all configurations to configure a redundant BIG-IP Controller for fail-over. Refer to Redundant Systems in the BIG-IP Reference Guide, Chapter 1, Configuring the BIG-IP Controller.
- All configurations have health monitoring options. Refer to Health Monitors in the BIG-IP Reference Guide, Chapter 1, Configuring the BIG-IP Controller.
- When you create a pool, there is an option to set up persistence and a choice of load balancing methods. Refer to Pools in the BIG-IP Reference Guide, Chapter 1, Configuring the BIG-IP Controller.