F5 Traffic


I have F5 load balancers deployed in HA in bridge mode, connected to an AGG pair of switches A and B. The AGG pairs are in turn connected to Access Routers as their upstream.

     Access Router1                     Access Router2
           |                                  |
           |                                  |
           |                                  |
        AGG SW1 ------- Port Ch ------- AGG SW2
        |     |                         |     |
    AF5LB     |                         |    PF5LB
              |                         |
         L2Host SW1                 L2Host SW2
              |                         |
         ServerPool1                ServerPool2

I wanted to understand and know how F5 processes inbound and outbound traffic in bridge mode.


I don't think your diagram came through as you intended.  I am assuming you have your config something like what is documented here:


Meaning that the F5's are physically in-line between the AGG and L2Host switches.

If so, the F5 basically processes the data the same way it would in routed mode. The difference is that there is no routing taking place. The F5's act just like a switch for any traffic that is not to/from one of its VIP or SNAT addresses.


Also, the F5 becomes root bridge for the internal VLAN; this is critical, as this way you force all traffic through the F5 device for that VLAN, otherwise you could potentially forward traffic around the F5.

harbor235 ;}
genseekAuthor Commented:
All servers connected to the L2Host TOR switches have their default gateway pointed to the F5 floating IP, I guess, so that all return traffic from the servers goes via the F5 and not around it directly to the Access router at the edge.

How is it that the F5 is in routed mode but no routing is taking place? How does the F5 then exchange packets between VLANs?

Is the default gateway defined in the F5 then only to forward all outbound traffic via the F5 to be pushed to the next hop?

Please elaborate.

--> How is it that the F5 is in routed mode but no routing is taking place?

If the F5 is in routing mode and devices are using it as a default gateway then routing is taking place.

Now just to make sure you understand a root bridge, mentioned by harbor235, is not the same thing as a router.

--> How does the F5 then exchange packets between VLANs?

If the VLANs are two different IP subnets, then it routes the traffic. However, in bridged mode there should only be one VLAN.

--> Is the default gateway defined in the F5 then only to forward all outbound traffic via the F5 to be pushed to the next hop?


If possible could you obfuscate private information in your F5 config and then post it here.  We can take a look at it and give you a better idea of what is going on.

I'm getting a bit confused, as you stated the F5 was running in bridged mode, but now you are talking like it is set up to be a router.
genseekAuthor Commented:
Thank you for the response giltjr.

Actually, I have worked with Cisco CSM but am new to F5. In my new job now, I'm required to support 1000s of F5 LBs already deployed, and also to deploy new F5 LBs. I did a quick technical study of F5 to understand how it works and how it can be deployed.

As I see it:

a. It has a trunk to the AGG-A.

b. It has 5 VLANs created.

c. It has a default gateway to the next hop.

d. It is set up in HA mode.

e. It has multiple Virtual servers, with a SNAT pool for a few of them.

While I sanitize the configs and send them to you shortly, can you tell me what the strict rule is for Bridge and Routed mode?
There is no real strict rule for bridged vs. routed mode that I am aware of.  It depends on your LAN/IP Subnet setup.

We use routed mode so we can use separate VLANs behind and in front of the F5's.

In bridged mode the F5 looks like a switch and so the VLAN goes through the F5. One disadvantage of this is that it may need to switch traffic that is not part of its load balancing function, like broadcast and/or multicast packets.

Take your setup. In bridged mode, if any host/device (the servers, the L2Host switches, the AGG switches, the access routers) sends out a broadcast, the F5 has to forward that packet to the other side. In routed mode everything in front of the F5 (AGG switches and access routers) would be on a separate VLAN from everything behind it (L2Host switches and the servers), and so any broadcast packets would never cross the F5. The F5 would be doing less work.

Although EE is great, you may want to go to the Big-IP users community site, http://devcentral.f5.com/. There are people there that know way more than I could ever know about the F5's.

I personally would only use bridge mode if I were tasked with inserting F5's into an environment where the servers and routers were in the same IP subnet and I could not re-address them. You would be forced to put the F5's inline and use them in bridged mode.
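
The return-path question raised earlier in the thread (servers' default gateway pointing at the F5 floating IP, SNAT, and harbor235's root-bridge point) and giltjr's bridged-versus-routed broadcast comparison, worked through as an added Python model. This is not code from the thread or from F5; the addresses, the Server class and the mode/inline flags are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample addressing for this example (not taken from the thread).
CLIENT = ip_address("203.0.113.10")        # external client, reached via the access routers
F5_FLOATING = ip_address("10.1.20.1")      # F5 floating self IP on the server-facing VLAN
F5_SNAT = ip_address("10.1.20.5")          # an address from the F5 SNAT pool
ACCESS_ROUTER = ip_address("10.1.10.254")  # next hop on the AGG / access-router side

@dataclass
class Server:
    ip: IPv4Address
    subnet: IPv4Network      # the server's own connected subnet
    default_gw: IPv4Address  # where the server sends off-subnet traffic

def reply_transits_f5(server: Server, reply_dst: IPv4Address, mode: str, f5_inline: bool):
    """Return (transits_f5, reason) for a reply frame leaving `server`.

    mode: "routed" (servers on their own subnet behind the F5) or "bridged"
          (routers, F5 and servers share one VLAN, as in the asker's layout).
    f5_inline: whether the F5 sits in the L2 path (cabling plus the root-bridge
          setting harbor235 mentions); it only matters when delivery is pure L2.
    """
    if reply_dst == F5_SNAT:
        # SNAT rewrote the client source, so the reply is addressed to the F5 itself.
        return True, "reply is addressed to the F5 SNAT address"
    if reply_dst in server.subnet:
        # On-subnet: delivered at L2 straight to the destination MAC.
        return f5_inline, "on-subnet L2 delivery, F5 sees it only if physically inline"
    if server.default_gw == F5_FLOATING:
        return True, "default gateway is the F5 floating self IP"
    if mode == "routed":
        return False, "gateway is not the F5: reply bypasses the F5 (asymmetric path)"
    # Bridged mode with another gateway (e.g. the access router) on the same VLAN.
    return f5_inline, "bridged VLAN: frame goes to the router MAC, F5 sees it only if inline"

def broadcast_crosses_f5(mode: str) -> bool:
    """giltjr's point: a bridged F5 must forward the VLAN's broadcasts; a routed one does not."""
    return mode == "bridged"

def audit(servers, mode: str, f5_inline: bool):
    """IPs of servers whose plain (non-SNAT) replies to CLIENT would not pass through the F5."""
    return [s.ip for s in servers if not reply_transits_f5(s, CLIENT, mode, f5_inline)[0]]

if __name__ == "__main__":
    routed = [Server(ip_address("10.1.20.10"), ip_network("10.1.20.0/24"), F5_FLOATING),
              Server(ip_address("10.1.20.11"), ip_network("10.1.20.0/24"), ip_address("10.1.20.254"))]
    print("routed mode, servers bypassing the F5:", audit(routed, "routed", False))
```

The audit flags the second server because its gateway is not the F5 floating IP, which is exactly the asymmetric return path the thread is trying to avoid.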

genseekAuthor Commented:
Sorry, I was sick and hence could not respond back earlier than this.

Your updates did help me to understand my requirement and meet the expectation.

Hence, awarding the point.