Forum Discussion

marsmann_58298's avatar
marsmann_58298
Icon for Nimbostratus rankNimbostratus
Sep 30, 2008

Advantages and Disadvantages to trunk LTMs

Hi all,

 

 

First time poster. Relatively new to F5's. Did some searching but found nothing conclusive so far.

 

 

What are the advantages and/or disadvantages with using trunks on two LTM 1500s to a Cisco switch for passing all vlans/tagging?

 

 

Our environment is pretty straightforward and we run an internal/external config. Currently we run dedicated vlans on each interface for eg:

 

 

vlan 128 on int 1.1

 

vlan 129 on int 1.2

 

vlan 130 on int 1.3

 

 

the previous network admin was against trunking and the new guy is strongly for it and I don't see any strong argument either way other than not needing to pass all of the layer 2 traffic that you get in a trunk to the F5's.

 

 

What benefits do I gain by trunking all interfaces to pass along tagged traffic? Or, what am I losing/what disadvantages will I see doing this? Even from a Security perspective I would just put an intermediary switch in between the segments.

 

 

Our setup is

 

 

client

 

|

 

cisco 4503

 

|

 

F5 VIP

 

|

 

same cisco 4503

 

|

 

Web Servers

 

 

 

the design I am working on to re-architect our environment consists of multi-homing the web servers with a dedicated subnet (non routable, no gateway) which would hang off of a dedicated vlan behind the F5's only. That way a request would come in, hit the F5 and it would route right to the server and back without traversing the rest of the network. Only the flat L2 switch it would be connected to. Seems easier and more logical to me than all of the tagging through the rest of our core network using the L3 capable cores.

 

 

any insight appreciated. thanks.

 

 

config
design

6 Replies

Sort By
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    Oct 01, 2008
    The main 2 advantages of trunking are 1) you are more protected against cable/port failures, that is, you won't lose a whole VLAN if one of the cables fail, and 2) you are currently limited to 1GB of bandwidth on each VLAN, whereas if you trunk the interfaces you have the full amount of bandwidth of the trunk available for each VLAN (not all at once of course, the aggregate remains the same).

     

     

    Be careful with multi-homed servers behind the LTM. If LTM is not their gateway then you will have to use SNAT for all of the virtual servers or the routing won't work. There's plenty of previous posts on the caveats for using SNAT, primarily you will lose visibility of client IP addresses in server logs.

     

     

    Denny
  • marsmann_58298's avatar
    marsmann_58298
    Icon for Nimbostratus rankNimbostratus
    Oct 01, 2008
    Thanks Denny.

     

     

    I hear you on the SNAT deal although I thought there was an option to pass through the client IP addressing.

     

     

    Unless someone else can recommend why I shouldn't use trunking I guess I will go with this config and abandon my previous multi-home scenario.
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Oct 01, 2008
    You can pass the client IP in headers if the protocol you are load balancing supports it.
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    Oct 01, 2008
    Yes, as citizen_elah says you can use the X-Forwarded-For header in the http profile, assuming that your servers will know how to log that to get the client IP. For protocols other than http there isn't much that can be done for preserving client IP in a SNAT scenario.

     

     

    Denny
  • marsmann_58298's avatar
    marsmann_58298
    Icon for Nimbostratus rankNimbostratus
    Oct 01, 2008
    I was initially concerned with isolating the traffic between client and web servers.

     

     

    With trunking on front and back of the F5 I thought that the clients could bypass the F5 on our main switch by going directly to the servers since nothing would be forcing them through the F5. But, my final working design now puts the F5s in trunks on the front and back end but only through a dedicated physical switch on each side. That's the only place where the trunks will be configured. This way I can gain all the benefits of trunking but not cause any issues on the actual network.

     

     

    Any gotchas with that?
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Oct 01, 2008
    You can dedicate a layer3 network to the front & back sides of the LTM, isolating it from all your traffic unless you specifically desire to send traffic that way. In a few of our environments we hang the LTM's in isolated layer3 networks off the core switches so no distro-distro hopping is necessary, but any direct client->server traffic that is necessary is not reliant on the LTM in any way.