Actually, what I was thinking wouldn't work. For this scenario, it would be great if you could add a VIP as a pool member of another VIP. In 9.4.x you can send a connection to a second VIP using an iRule, but you can't put a VIP in as a pool member by default. You could try to implement load balancing in an iRule, but it gets complicated trying to implement anything but round robin. Trying to maintain a count of connections per pool member would get very difficult and resource intensive.
There has been a workaround mentioned previously which could work for your scenario. You could create a loopback port with five VIPs (VS2 - VS6: one for each pool of servers). There would be one external VIP (VS1) which references the five loopback VIPs in VS1's pool. Ignore the detail on SSL termination as that wouldn't be required.
http://devcentral.f5.com/default.aspx?tabid=28&view=topic&forumid=5&postid=12453
VS1 is on an external vlan
VS2 - VS6 are on a dmz vlan
DEST is on an internal vlan
VS1 accepts and terminates SSL using an SSL profile, then passes traffic to VS2 on port 80, via a pool containing VS2's IP.
That traffic goes out the dmz vlan port, but needs to come in on another vlan (either internal or external).
VS2 is listening for requests from all vlans (or the one you link to above).
VS2 then sends to DEST via its pool or iRule, etc.
If you have the ports free, you can connect two of them directly, and assign one to a dmz vlan and the other to the internal vlan. (Don't put them both in the same vlan, as it will create a broadcast storm.) If you don't have the free ports, you'll have to play with your switching fabric to get the loop.
I think the loopback idea in 9.x was originally from unRuleY.
Else, what you have now might be the simplest solution. Anyone else have ideas on this?
Aaron