LTM as L3 gateway

Should I use LTM as an L3 gateway for back-end servers?

If yes, what needs to be configured on the LTM end, and what amount of resources needs to be reserved to run the route daemon?

Also discuss the advantages and drawbacks.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can use BIG-IP as the gateway for your back-end servers, and in many cases this is required.

Can you answer a question: what are you trying to achieve by this? What is your goal?

Please keep in mind that LTM is not a router. It can route the traffic, but it is not a router.

0
Comments on this Answer
Comment made 28-Mar-2018 by Raja_Singh 1

I am trying to create a one-device solution in a dev environment. This is just for experimental purposes. The backend servers are directly connected to the BIG-IP, and no SNAT or automap will be applied.

Scenario

Edge route Edge firewall L3 ASM LTM Switch L3 Servers

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

For security purposes, all your VMs are already guaranteed to have 2 or more IP addresses in different VLANs. The interface of a web server (or other service) that terminates untrusted requests must be completely segregated from the interface that accepts SSH connections. In a typical design scenario that considers good network security practices, there are even more, usually 3 IP addresses, all in different VLANs, per VM. The first one is for Management. The second is for front-end (listener of untrusted requests), and the third is for back-end - the interface that the VM itself uses to communicate with external dependencies such as a database or authentication server. It's also not a bad idea to configure that back-end interface as a secondary listener which accepts trusted requests that bypass BigIP (your app developers will be forever grateful).

Assuming a Linux Web Server as VM, you can use iproute2 software to create multiple default gateways and map them to specific interfaces. If you use BigIP, there are no valid drawbacks to have the front-end interface of a VM use BigIP as its Default Gateway.

0
Comments on this Answer
Comment made 28-Mar-2018 by Raja_Singh 1

Hannes, thanks for the info. But I am trying to implement a different scenario which is not that much enhanced.

0
Comment made 28-Mar-2018 by Hannes Rapp 3890

Well, whether it's a production design or lab environment you're going for, you will have to use BigIP as the gateway (either default or IP rule) for the client-side interface, OR use SNAT to avoid asymmetric routing problems.

I just recommend you follow the initial setup guide and you're done. After that, it's a matter of creating an LTM Virtual Server and a Pool according to standard procedures. There are no fancy steps required that differ from defaults. If your servers require outbound connectivity to the internet via BigIP (i.e. access to Linux repositories or GitHub), also set up a 0.0.0.0/0 Virtual Server as pointed out by Stanislas.

Gl

0
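The per-interface gateway setup from the answer above (iproute2 with multiple default gateways, the "IP rule" option named in the last comment), as an added example that is not part of the original posts. It prints the policy-routing commands for a three-interface VM so that replies always leave through the interface the request arrived on. Interface names, addresses, gateways and table ids are constructed, and 10.0.20.5 is an assumed BIG-IP self IP on the front-end VLAN.

```shell
#!/bin/sh
# Added example: one routing table per VM interface (iproute2 policy routing).
# Interface names, addresses, gateways and table ids are constructed samples;
# 10.0.20.5 stands in for the BIG-IP self IP on the front-end VLAN.
PLAN='mgmt  eth0 10.0.10.11 10.0.10.0/24 10.0.10.1 110
front eth1 10.0.20.11 10.0.20.0/24 10.0.20.5 120
back  eth2 10.0.30.11 10.0.30.0/24 10.0.30.1 130'

# Args: iface, local address, connected subnet, gateway, table id.
iface_table_cmds() {
    # The connected route makes the gateway resolvable inside the table.
    echo "ip route replace $3 dev $1 src $2 table $5"
    echo "ip route replace default via $4 dev $1 table $5"
    # Drop a stale copy of the rule first so re-runs do not stack duplicates.
    echo "ip rule del from $2/32 lookup $5 2>/dev/null || true"
    # Replies sourced from this address leave through this interface's gateway.
    echo "ip rule add from $2/32 lookup $5 priority $((1000 + $5))"
}

# Turn a plan (one "role iface addr subnet gateway table" row per line)
# into commands; stops with an error at a row whose table id is unusable.
render_plan() {
    while read -r role iface addr subnet gw table; do
        [ -n "$role" ] || continue
        case $table in ''|*[!0-9]*) table=0 ;; esac
        # This example keeps ids in 1-252: 0 and 253-255 (default, main,
        # local) are reserved by the kernel.
        if [ "$table" -lt 1 ] || [ "$table" -gt 252 ]; then
            echo "unusable table id for $role" >&2
            return 1
        fi
        echo "# $role: traffic from $addr returns via $gw"
        iface_table_cmds "$iface" "$addr" "$subnet" "$gw" "$table"
    done <<EOF
$1
EOF
}

# Default is a dry run that only prints; --apply needs root on the VM.
case "${1:-}" in
    --apply) render_plan "$PLAN" | sh ;;
    *)       render_plan "$PLAN" ;;
esac
```

With these rules in place, a request that BIG-IP forwards to 10.0.20.11 without SNAT is answered via 10.0.20.5 rather than the main table's default route, which is the asymmetric-routing case the comment warns about.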
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Of course you can configure routing with BIG-IP. This is required for both the Link Controller and AFM products, which share the same OS as LTM.

To support routing from vlan Internal to internet, create a virtual server with properties

  • type : forwarding ip
  • destination 0.0.0.0/0
  • protocol : any
  • enabled on vlan Internal

0
Comments on this Answer
Comment made 28-Mar-2018 by Raja_Singh 1

Thanks for the information

0