Forum Discussion

wwylie_122896
Jan 16, 2013

LTM Clarifications

I'm working on the design to implement two 4200Vs into our datacenter with a minimum amount of changes to either the nodes or the network.

From the research I've done, we are looking at using a hybrid of "Routed Mode" and "One-Arm" (correct me if I'm wrong). At this point, I've decided to place these connected to our Core Switches in a port channel across both 10Gb interfaces, with all required VLANs trunked. We do have the luxury of being able to dedicate a new subnet to move certain nodes logically behind the LTMs, using the LTM as a default gateway. However, we also have some nodes on a "flat" VLAN which we cannot move, primarily Exchange CAS.

A couple of questions; I'm not 100% clear on these (forgive my ignorance).

  1. If we were to make the LTM the default gateway for the nodes, do we still need to SNAT? Since traffic will be forced to traverse the LTM to get to any clients, is it necessary?
  2. In "routed" mode, are the client IPs preserved? We don't want to expose ourselves as an open SMTP relay, so we have SMTP secured to specific client IPs on our CAS servers. If we do not SNAT, will the CAS see the client IP as the LTM?
  3. What is the best way to provide SMTP load balancing in a flat network? We have an old NLB address configured for many devices/servers to send to that would be difficult to update across the organization. How can we preserve the client IP with a virtual server on the same VLAN?
  4. Are the Management and TMOS routing tables separate? For example, the management interface is on a subnet with other hosts that send email to a load-balanced SMTP gateway; will the return traffic route through the management interface?

Any help appreciated.
5 Replies

  • Hi.

    1) No SNAT required.

    2) Yes, client IPs are preserved. The CAS will see the original client IP. If you had to SNAT for some reason you could use a simple iRule or packet filter to provide the security instead anyway.

    3) You can't, I'm afraid. Perhaps a series of one-to-one NATs would help? Laborious but perhaps useful?

    4) Yes, they are separate. No traffic is routed out via the management interface unless it arrived on it or originates from the F5 itself.
  • Thanks for the answers.

    For question 3, can we restrict the traffic allowed at the LTM? I can export the list of approved servers from the relay, and I'm assuming that I could use some sort of iRule on the LTM to restrict it there, then only allow the LTM's IPs on the actual relay.
  • I think you meant for 2. Yes, you could quite easily; it's a pretty simple iRule.

    This rule checks the source IP address against a Data Group and rejects traffic not in it (you could use 'drop' to silently drop it).
    Create a Data Group (called source-ips below) with just the IP addresses
    of the hosts you'd like to accept:

        # Runs once per new client connection, before any payload is read
        when CLIENT_ACCEPTED {
            # Reject (TCP RST) any client whose address is not in the source-ips data group
            if { not [class match [IP::client_addr] equals source-ips] } {
                reject
            }
        }

  • Actually, I'd be using this in the "flat" topology. Since we wouldn't see the client IP at the node level, I could use that rule to restrict it at the LTM.

    Thanks for that.
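Putting the thread's answers together for the flat-VLAN SMTP case (reply 1, point 3: the virtual server must SNAT when it shares a VLAN with the CAS servers, so the client address is lost; replies 3 and 4: move the source-IP restriction onto the LTM with a data group and iRule). The tmsh configuration below is an added example and is not from the original posts or from F5; every object name and address in it is an assumption. It uses an explicit SNAT pool rather than SNAT automap so the two addresses the CAS receive connector has to allow are fixed and known, and it puts the virtual server on the old NLB address so the senders do not have to change.

```tmsh
# Added example (not from the thread). Object names and addresses are assumptions.
# Topology assumed: LTM, CAS servers and SMTP clients all on one flat VLAN (10.10.10.0/24).

# Address data group listing who may relay. Address-type data groups accept both
# single hosts and CIDR networks, and 'class match ... equals' does a containment
# match, so a client inside 10.10.30.0/24 matches the second record.
create ltm data-group internal source-ips {
    type ip
    records add {
        10.10.20.15/32 { }
        10.10.30.0/24 { }
    }
}

# Explicit SNAT pool: the CAS servers will only ever see these two source addresses,
# so the receive connector's remote-IP list can be reduced to exactly these two.
create ltm snatpool smtp_snat {
    members add { 10.10.10.51 10.10.10.52 }
}

# The check from the thread, with a log line so rejected senders are visible in /var/log/ltm.
# 'reject' sends a TCP RST; 'drop' would discard the connection silently.
create ltm rule smtp_source_allow {
    when CLIENT_ACCEPTED {
        if { not [class match [IP::client_addr] equals source-ips] } {
            log local0. "SMTP from [IP::client_addr] rejected: not in source-ips"
            reject
        }
    }
}

# The two CAS servers on the same VLAN (assumed addresses), with a basic TCP monitor.
create ltm pool smtp_cas_pool {
    monitor tcp
    members add {
        10.10.10.21:25 { }
        10.10.10.22:25 { }
    }
}

# Virtual server on the old NLB address (assumed to be 10.10.10.40). Because the
# servers are on the same VLAN as the clients, SNAT is mandatory here: without it
# the CAS would answer the client directly and the LTM would never see the reply.
create ltm virtual smtp_vs {
    destination 10.10.10.40:25
    ip-protocol tcp
    profiles add { tcp { } }
    pool smtp_cas_pool
    rules { smtp_source_allow }
    source-address-translation {
        type snat
        pool smtp_snat
    }
}
```

After loading this, a connection from a host that is not in source-ips should be reset before any SMTP banner is returned, and a connection from a listed host should reach a CAS server with a source address of 10.10.10.51 or 10.10.10.52. The trade-off to keep in mind is the one the original poster identified: once the relay only trusts the SNAT addresses, the data group on the LTM is the only thing standing between the network and an open relay, so it needs the same change control as the connector allowlist it replaces.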