Forum Discussion

STTR_85331
May 09, 2011

Virtual Server placement with LTM

Greetings,

We have traditionally located LTM virtual server IPs on the network associated with the outside interface of our LTMs.

I'm wondering if there is any reason that the virtual server IPs shouldn't exist on the Inside Network or whatever other networks exist on the other LTM interfaces?

The advantage of this would seem to be that servers on the inside network(s) can then access virtual servers without having to traverse the LTM. Or maybe it doesn't matter since in my original example internal servers could reach the Virtual Server network via a route on the F5?

Or yet again maybe it's better to have a 3rd network that only the F5 can reach that hosts all the virtual servers:

    [Firewall/Internet/Outside Network]
                    |
        F5-[Virtual Server Network]
                    |
            [Inside Network(s)]

Or again maybe it just doesn't matter?

Thanks in advance for any comments/suggestions.

-ST

1 Reply

  • Hamish
    6 of one... Half dozen of the other... I could probably justify either way. Except when it comes to support and troubleshooting.

    The important thing is what you want to do with the traffic, and how you want to present client IPs to the servers. And how easy you want support to be.

    Generally if you treat the LTM like a proxy it works better for understanding what's happening. The clever thing about it as a proxy is that it can make the connection opened to the servers appear as the client IP. To do that you have to think of the LTM as a router...

    The important thing is that to manipulate traffic you have to see both directions of traffic...

    Then consider SNAT... In order to be able to tcpdump a server connection at the server and be able to differentiate clients, you need to NOT SNAT the serverside connection... To do that, the route back to the client needs to be via the LTM. Which if the service IP address is on the inside of the LTM may mean routing changes to the internal network. YMMV...

    Generally to make things EASIER... Put the VS IP on one side of the LTM and the servers on the other... And don't SNAT. If servers want to use a VS, then you need an iRule to SELECTIVELY enable SNAT for servers that are also clients... You may also have some fun with routing back to clients for non-SNAT'ed traffic (where your servers aren't on a VLAN directly connected to the LTM... Policy routing is your friend there).

    Sorry... No short answer for all that. But consider carefully what you're trying to achieve, and what you want to debug in the future and how you're going to do it... There's no WRONG way... Just some ways that are a little easier than others.
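As an added illustration of the "selectively enable SNAT" approach Hamish describes (this is example code written for this page, not something from the thread or from F5), the iRule below applies SNAT automap only to connections whose source is the internal server subnet, so external clients keep their real source IP on the server side while servers acting as clients of the VS get a return path through the LTM. The subnet 10.10.20.0/24 and the log messages are assumptions; in production the subnet would normally live in an address data group.

```tcl
# Added example iRule (not from the original thread).
# Goal: keep the server-side connection un-SNATed for ordinary clients,
# so a tcpdump on the server still shows the true client address, but
# SNAT connections that originate from servers on the inside network,
# because their return traffic would otherwise bypass the LTM.
when CLIENT_ACCEPTED {
    # Assumed: the internal server subnet that also originates requests
    # to this virtual server. For a longer list, use an address data group:
    #   if { [class match [IP::client_addr] equals internal_servers_dg] } { ... }
    if { [IP::addr [IP::client_addr] equals 10.10.20.0/24] } {
        # Server-to-VS traffic: rewrite the source address to a self IP so
        # the reply comes back through the LTM regardless of the server's
        # default route.
        snat automap
        log local0. "SNAT automap applied for internal client [IP::client_addr]"
    } else {
        # Ordinary client: preserve the original source address on the
        # server-side connection. This requires the servers' route back to
        # the client to go via the LTM, as the reply above points out.
        snat none
    }
}
```

The log line fires once per connection from the internal subnet; drop it, or gate it on a debug flag, once the routing behaviour has been verified.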