Applies To: BIG-IP versions 1.x - 4.x
- 4.1.1 PTF-06, 4.1.1 PTF-05, 4.1.1 PTF-04, 4.1.1 PTF-03, 4.1.1 PTF-02, 4.1.1 PTF-01, 4.1.1, 4.1.0
Chapter 7: Load Balancing VPNs
- Working with VPN load balancing
- Using VPN and router load balancing
- Additional configuration options
Working with VPN load balancing
You can use the BIG-IP to load balance virtual private network (VPN) gateways used to connect two private networks. Figure 7.1 shows a configuration of this type.
Figure 7.1 An example of a VPN load balancing configuration
Configuring VPN load balancing
There are three tasks required to configure VPN load balancing on the BIG-IP: create a load balancing pool, create two virtual servers, and enable ports 80 and 443.
The following tasks only show how to configure the BIG-IP on network 192.168.13.0 (BIG-IP 2). The configuration for BIG-IP 1 on 192.168.11.0 is the same, only with different network numbers.
- Create a load balancing pool
  Create a pool that load balances the inside addresses of the three VPNs.
- Create two virtual servers
  Create virtual servers to handle inbound and outbound traffic for the VPNs.
- Enable service 80 and service 443
  Enable service 80 and 443 for traffic. This step is only required if you configure this solution from the command line. The web-based Configuration utility automatically allows access to the services.
Defining the pools
First, create two pools, a pool that load balances the content servers and a pool that load balances the VPNs.
To create a pool using the Configuration utility
- In the navigation pane, click Pools.
  The Pools screen opens.
- Click the Add button.
  The Add Pool screen opens.
- For each pool, enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)
Configuration notes
For the example in Figure 7.1:
Create a pool named vpn_insides. This pool contains the following members: <vpn1>, <vpn2>, <vpn3>.
To define a pool from the command line
Define the pool vpn_insides for the VPNs:
b pool vpn_insides { \
member <vpn1>:* \
member <vpn2>:* \
member <vpn3>:* }
Replace <vpn1>, <vpn2>, and <vpn3> with the internal IP address of the respective router. In this example the routers are service checked on port *.
Defining the virtual servers
After you define the pools for the content servers and inside IP addresses of the VPNs, define the virtual servers.
To define the virtual servers using the Configuration utility
- In the navigation pane, click Virtual Servers.
- Click the Add button.
  The Add Virtual Server screen opens.
- For each virtual server, enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)
Configuration notes
For the example in Figure 7.1:
For the inbound connections, create the network virtual server 192.168.13.0:0. Specify the netmask 255.255.255.0 and turn forwarding on.
For the outbound connections, create the network virtual server 192.168.11.0:0. Specify the netmask 255.255.255.0, use pool vpn_insides, and disable address translation.
To define the virtual servers from the command line
First, create a forwarding network virtual server for inbound VPN traffic:
b virtual 192.168.13.0:0 netmask 255.255.255.0 forward
Then, create a virtual server to load balance traffic outbound to the remote machines through VPNs:
b virtual 192.168.11.0:0 netmask 255.255.255.0 use pool vpn_insides
b virtual 192.168.11.0:0 translate addr disable
(This addresses nodes 192.168.11.1, 192.168.11.2, and 192.168.11.3, which represent the IBM Compatible, Tower box, and Macintosh on the remote network in Figure 7.1.)
Enabling service 80 and service 443
This step is only required if you configure this solution from the command line. If you use the web-based Configuration utility for this solution, the services are automatically enabled. Use the following command to enable service 80 and service 443.
b service 80 443 tcp enable
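The procedure above, collected into a script as an added example (not code from the F5 guide): it prints the b commands for one BIG-IP of the pair, given its local and remote networks and the VPN inside addresses, and checks that every outbound virtual server using vpn_insides also has address translation disabled. It assumes the 4.x bigpipe syntax shown in this chapter and /24 networks; the VPN addresses in the usage line are constructed placeholders.

```shell
# Added example, not from the F5 guide: emit the "b" commands from the
# procedure above for one BIG-IP of the pair, then sanity-check the result.
# Assumes the 4.x bigpipe syntax shown in this chapter and /24 networks;
# the sample addresses in the usage line are constructed.
gen_vpn_lb_config() {
    local local_net="$1" remote_net="$2"   # e.g. 192.168.13.0 192.168.11.0 for BIG-IP 2
    shift 2                                # remaining arguments: VPN inside addresses
    local members="" vpn
    for vpn in "$@"; do
        members="$members member ${vpn}:*" # wildcard port, as in the pool above
    done
    printf 'b pool vpn_insides {%s }\n' "$members"
    # inbound: forwarding network virtual server for the local network
    printf 'b virtual %s:0 netmask 255.255.255.0 forward\n' "$local_net"
    # outbound: load balance across the VPNs, keep the remote host as destination
    printf 'b virtual %s:0 netmask 255.255.255.0 use pool vpn_insides\n' "$remote_net"
    printf 'b virtual %s:0 translate addr disable\n' "$remote_net"
    printf 'b service 80 443 tcp enable\n'
}

# Reads generated commands on stdin. Succeeds only if an inbound forwarding
# virtual server exists and every virtual server that uses vpn_insides also
# has address translation disabled (otherwise the remote destination would be
# rewritten to a VPN inside address and the remote host never reached).
check_vpn_lb_config() {
    local line addr forward=0 pool_vs="" notrans_vs=""
    while IFS= read -r line; do
        addr=${line#b virtual }; addr=${addr%% *}
        case "$line" in
            "b virtual "*" forward") forward=1 ;;
            "b virtual "*" use pool vpn_insides") pool_vs="$pool_vs $addr" ;;
            "b virtual "*" translate addr disable") notrans_vs="$notrans_vs $addr" ;;
        esac
    done
    [ "$forward" -eq 1 ] || return 1
    [ -n "$pool_vs" ] || return 1
    for addr in $pool_vs; do
        case " $notrans_vs " in
            *" $addr "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage (BIG-IP 2 from Figure 7.1; the VPN addresses are constructed placeholders):
# gen_vpn_lb_config 192.168.13.0 192.168.11.0 192.168.13.11 192.168.13.12 192.168.13.13 | check_vpn_lb_config
```

Swap the two network arguments to produce the mirrored configuration for BIG-IP 1.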
Using VPN and router load balancing
You can use the transparent device load balancing feature in the BIG-IP to connect to private networks, as well as to load balance Internet connections through multiple routers. Figure 7.2 is an example of this network configuration.
Configuring virtual servers for VPN and router load balancing
The following topics cover only the VPN configuration for the BIG-IP on network 192.168.13.100 (BIG-IP 2). The configuration for 192.168.11.100 is done the same way, but with different network numbers.
Figure 7.2 An example of a VPN and multiple router load balancing configuration
Configuring VPN and router load balancing
First, complete the following tasks on the BIG-IP:
- Create load balancing pools
  Create load balancing pools for the content servers, the routers, and the three VPNs.
- Create four virtual servers
  Create four virtual servers. The first virtual server load balances inbound Internet traffic. The second virtual server load balances outbound Internet traffic. The third virtual server forwards inbound VPN connections. The fourth virtual server load balances outbound VPN connections.
- Configure network address translation
  Configure NATs or SNAT automap for outbound traffic so that replies will arrive through the same VPN the request went out on.
- Enable service 80 and service 443
  Enable service 80 and 443 for traffic. This step is only required if you configure this solution from the command line. The web-based Configuration utility automatically opens the ports.
Defining the pools for VPN load balancing
Next, create three pools. Create one pool that load balances the content servers, one that load balances the routers, and one that load balances the VPNs. For example:
- Create a server pool named server_pool. This pool contains the following members: <server1> and <server2>
- Create a pool named router_insides with the following members: <router1> and <router2>
- Create a pool named vpn_insides. This pool contains the following members: <vpn1>, <vpn2>, and <vpn3>
To create the pools using the Configuration utility
- In the navigation pane, click Pools.
  The Pools screen opens.
- Click the Add button.
  The Add Pool screen opens.
- For each pool, enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)
Configuration notes
Create a server pool named server_pool. This pool contains the following members: <server1> and <server2>.
Create a pool named router_insides with the following members: <router1> and <router2>.
Create a pool named vpn_insides. This pool contains the following members: <vpn1>, <vpn2>, and <vpn3>.
To define a pool from the command line
First, define the pool server_pool for the content servers:
b pool server_pool { \
member <server1>:80 \
member <server2>:80 }
Replace <server1> and <server2> with the IP address of each respective server.
Next, define the pool router_insides for the internal addresses of the routers:
b pool router_insides { \
member <router1>:0 \
member <router2>:0 }
Replace <router1> and <router2> with the internal IP address of each respective router.
Finally, define the pool vpn_insides for the internal addresses of the VPN routers:
b pool vpn_insides { \
member <vpn1>:0 \
member <vpn2>:0 \
member <vpn3>:0 }
Replace <vpn1>, <vpn2>, and <vpn3> with the external IP address of each respective router.
Defining the virtual servers for VPN and router load balancing
After you define the pools for the inside IP addresses of the routers, define the following virtual servers for BIG-IP 2. For example:
- For the inbound Internet connection, configure the virtual server 172.100.12.20:80 using server_pool.
- For the outbound Internet connection, configure the wildcard virtual server 0.0.0.0:0 using router_insides.
- For the inbound VPN connections, create the forwarding network virtual server 192.168.13.0:0. Turn forwarding on.
- For the outbound VPN connections, create the network virtual server 192.168.11.0:0. Use pool vpn_insides and disable port and address translation.
To define the virtual server using the Configuration utility
- In the navigation pane, click Virtual Servers.
  The Virtual Servers screen opens.
- Click the Add button.
  The Add Virtual Server screen opens.
- For each virtual server, enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)
Configuration notes
For the inbound Internet connection, configure the virtual server 172.100.12.20:80 using server_pool.
For the outbound Internet connection, configure the wildcard virtual server 0.0.0.0:0 using router_insides.
For the inbound VPN connections, create the forwarding network virtual server 192.168.13.0:0. Turn forwarding on.
For the outbound VPN connections, create the network virtual server 192.168.11.0:0. Use pool vpn_insides and disable port and address translation.
To define virtual servers from the command line
First, configure the BIG-IP to handle inbound traffic from the remote network. Create the virtual server for BIG-IP 2 with the following command:
b virtual 192.168.13.0:0 forward
Then, configure BIG-IP 2 to handle outbound traffic. Create a virtual server that sends traffic to the pool you created for the internal interfaces of the VPN routers (vpn_insides). Use the following commands to create virtual servers for connecting to the machines on the remote network:
b virtual 192.168.11.0:0 use pool vpn_insides
b virtual 192.168.11.0:0 translate addr disable
This addresses the nodes 192.168.11.1, 192.168.11.2, and 192.168.11.3, which correspond to the IBM Compatible, Tower box, and Macintosh on the remote network in Figure 7.2.
Then, create a virtual server to handle inbound traffic:
b virtual 172.100.12.20:80 use pool server_pool
Finally, configure BIG-IP 2 to handle outbound traffic. Create a virtual server that sends traffic to the pool you created for the internal interfaces of the routers (router_insides). Use the following command to create the virtual server:
b virtual 0.0.0.0:0 use pool router_insides
Configuring network address translation on routers
For outbound traffic you must now set up address translation so that replies will arrive through the same router the request went out on. Specifically, you must either configure your routers so that they perform network address translation (NAT), or you must configure SNAT automap.
For instructions on NAT configuration, refer to your router documentation.
To configure SNAT automap, perform three steps:
- Assign IP-specific self addresses to the external VLAN corresponding to the IP networks of the two routers.
- Enable SNAT automap for each of the self addresses.
- Enable SNAT automap for the internal VLAN.
To create self addresses and enable SNAT automap to the router inside interfaces using the Configuration utility
- In the navigation pane, click Network.
  The VLANs screen opens.
- Click the Self IP Addresses tab.
  The Self IP Addresses screen opens.
- Click the Add button.
  The Add Self IP Address screen opens.
- For each router, add a new self IP address with the inside IP network address of the router and SNAT Automap enabled.
- On the Network screen, click the VLANs tab.
  The VLANs screen opens.
- Click the internal VLAN.
  The VLAN Internal screen opens.
- In the VLAN Internal screen, select the SNAT Automap check box.
For additional information about adding a VLAN, click the Help button.
To create VLAN mappings with SNAT auto mapping to the router inside interfaces from the command line
Create IP-specific self addresses on the external VLAN with these commands:
b self <ip_addr1> vlan <vlan_name> snat automap enable
b self <ip_addr2> vlan <vlan_name> snat automap enable
Enable snat automap on the internal VLAN using this command:
b vlan <int_vlan> snat automap enable
For example:
b self 11.11.11.5 vlan external snat automap enable
b self 11.11.12.5 vlan external snat automap enable
b vlan internal snat automap enable
Enabling service 80 and service 443
This step is required only if you configure this solution from the command line. If you use the web-based Configuration utility for this solution, the services are automatically enabled. Use the following command to enable service 80 and service 443.
b service 80 443 tcp enable
Additional configuration options
Whenever a BIG-IP is configured, you have a number of options:
- You have the option in all configurations to configure a BIG-IP redundant system for fail-over. Refer to Chapter 5, Configuring a Redundant System, in the BIG-IP Reference Guide.
- All configurations have health monitoring options. Refer to Health Monitors in Chapter 3, Configuring the High-Level Network, in the BIG-IP Reference Guide.
- When you create a pool, there is an option to set up persistence and a choice of load balancing methods. Refer to Pools in Chapter 3, Configuring the High-Level Network, in the BIG-IP Reference Guide.