Forum Discussion

sachin_80710's avatar
sachin_80710
Icon for Nimbostratus rankNimbostratus
Sep 04, 2014

Link Controller - Create Link(ISP) object

Hi All,   I have to install LC, Need your suggestions and help on configuration. I don't want to do any changes(no NAT changes) on existing customer firewall.   1) My LC deployment architecture...
application delivery
availability
deployment
design
LTM
sachin_80710's avatar
sachin_80710
Icon for Nimbostratus rankNimbostratus
Sep 12, 2014

Stephan, ISP routers are directly connected to f5. Destination NAT is disabled. Instead of SNAT automap we are doing SNAT using irule, like LB::server addr is ISP1/2 then use SNAT pool from that router subet. My only concern is. After load balancing request using pool(default_gw_pool) assigned to virtual server , same request will again get load balanced by default_gw_pool that is again used as default route pool in network-->route. If, default route pool select different ISP router instead of one that was selected by virtual server pool this will create problem for me.

 

  • sachin_80710's avatar
    sachin_80710
    Icon for Nimbostratus rankNimbostratus
    Sep 12, 2014
    Also we are using destination affinity persistence. Thanks you Stephan and devcentral members for your suggestion and help.
  • StephanManthey's avatar
    StephanManthey
    Icon for MVP rankMVP
    Sep 12, 2014
    Hi Sachin, I´m sure the load balancing decission will overrule the default gateway configuration in your setup. This way it´s possible as well, to select a completely different path for specific traffic. Destination based persistence makes sense, if you want to make sure the target will always be reached by same link (and same source IP). Some servers tend to reject connections if a client IP is changing as they assume the session is going to be captured by an attacker. Destination address affinity is table based and limited in size by default. You can try to modify the hash method to CARP to avoid using table based persistency. (I have used this feature for source address affinity by now.) Thanks, Stephan