Friday, 2 March 2012

F5 Big-IP Auto Last Hop

Here is a quick note on a not very well understood Big-IP feature

Auto Last Hop maintains a connection table recording the interface and MAC address of the upstream device which sent the flow to the Big-IP and sends reply packets to this interface/MAC address.   This feature can also be called “reverse persistence”.

So when Auto Last Hop is enabled the folowing occurs:

  1. A South bound flow comes into the Big-IP
  2. The Big-IP records the ingress interface and source MAC address of the flow
  3. The Big-IP then load balances the flow and routes the packet towards the web server using the routing table
  4. Next a North bound packet comes into the Big-IP (ie a reply packet from the web server)
  5. The Big-IP ignores the routing table and uses the interface/MAC pair recorded in step 2 to switch the traffic

If we disable Auto Last Hop then we use the routing table in step 5 instead.

This is designed to be used on the second layer of load balancers in a firewall sandwich (ie LB/FW/LB).  The goal is to load balance traffic to a bank of firewalls and on the second layer of load balancers send the reply packet back to the same firewall.  This is to maintain the load distribution and avoid asymmetric routing.  With IP routing this isn’t possible, so auto last hop enables this by using Layer 2 information.  It can also be useful if you are using a single physical Big-IP to load balance multiple environments, each with their own internet gateway via different physical interfaces.

However in some circumstances it can cause issues.  If the upstream device is a resilient pair of routers/firewalls and we have a failover you may find the upstream MAC address changes.  Therefore we get an outage as the Big-IP is sending traffic to an old MAC and every session through the Big-IP needs to be rebuilt.

So some more specific examples.  If the upstream device is an ASA we are OK as the MAC address will fail across with the IP.  If the upstream device is a HSRP address then the MAC address will change (remember the HSRP MAC is in response to ARP requests to the HSRP IP, the Big-IP is just recording the MAC it received  from the inbound flow, which is the physical MAC of the routers egress interface).

Auto last hop is enabled by default and can be disabled under System -> Configuration -> Local Traffic

No comments:

Post a Comment