Forum Discussion

tolinrome_13817
Feb 13, 2014
Solved

one arm setup and two vlans

I recently set up a bigip virtual and have it as a one arm setup. The bigip is off the dmz interface and then goes back out the same interface to the internal interface (all via the firewall). I do though have two vlans created with the bigip, the vlan associated with the inside interface on the firewall and obviously the dmz interface. First I want to make sure that this is the correct setup in this scenario, meaning these two vlans and the way traffic flows is the one arm setup. Traffic comes in the firewall on the dmz to the bigip, exits the bigip to the firewall and to the inside interface. Can someone please confirm this?

Secondly, if I put the bigip with dual arm, directly connected to the inside and dmz, what would the pros and cons and options be? Is there documentation on 1 and 2 arm setups for the bigip? Thanks.


9 Replies

  • tolinrome,

    Your setup sounds very typical and is what is called the default setup. You have two vlans, an external and an internal. Your Vips are on the external (ingress), and usually Pool members on the internal (egress). The only caveat to your design is that both vlans are running over the same physical interface. The most common deployment would have the two vlans on their own physical interface, for example: interface 1.1 = vlan-external, interface 1.2 = vlan-internal. Your design should work, BUT, I would recommend breaking those vlans out to separate interfaces AND possibly setting up LACP for redundancy in case a physical port dies. This would eliminate a single point of failure.

  • From my perspective a dual arm setup is more of a standard deployment and makes understanding the traffic flow much easier. Whether you use the LTM as a forward or reverse proxy is up to you. I have used a one arm design when migrating from another vendor onto the F5 to keep the initial migration simple.

    If you need an IDS or a sniffer with a dual arm you need additional taps and/or SPAN monitor setups.

  • Thanks for your response. Can you confirm what I wrote in the first paragraph of my understanding of how I currently have it set up as a one arm?

  • If you want to use a one arm scenario, you don't need 2 vlans. Besides, using 1 physical interface doesn't necessarily mean a one arm deployment, because of using vlans on it. I think using one arm depends on where your virtual servers will be presented and where the nodes will be located.

  • Robin_Mordasie1
    Historic F5 Account

    Typically when people refer to a "one-armed" configuration, it usually means that the virtual-address is on the same vlan and subnet as the application servers, and the application servers are not configured to use the F5 as their default gateway. When the F5 is not the default gateway we have to SNAT client traffic to maintain route symmetry. On the other side of the coin, a "routed", or "dual arm" configuration usually means that application servers are on a different vlan than the virtual-address, and that the F5 has been configured as the default gateway for application servers, which then means we do not need to SNAT client traffic. In either case the F5 is a full proxy and maintains both client side and server side connections regardless of the ingress/egress path.

     

  • Robin, thanks, that was a clear response. So is my setup that I explained typical? I understand what you wrote but I have it where the F5 is not the default gateway for the application servers, all the vips are on a different subnet than the application servers, and I am using automap. So it's a little different than how you explained it. I don't know if it's then considered a one arm or not.

  • Robin_Mordasie1
    Historic F5 Account

    I don't know if I would get too hung up on trying to define your configuration as "one-armed" or "two-armed", as much as I would look at your ingress and egress path. Also this definition of one-armed versus routed, or two-armed, is not a global setting. You have the ability to have configurations where the egress path for some application servers happens to be on the same ingress path, and other configurations on the same device that follow a different data flow. The biggest differentiator in your topology is going to be whether or not you need to apply SNAT (automap or a snat-pool) to a virtual server.

  • automap is snat with the (floating) selfIP used as the source address. snat can also be used with a snat pool where you determine yourself which IP is used as the source.
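To make the distinction Robin and the last reply describe concrete, here is an added tmsh configuration example (not from any of the posters): a one-armed virtual server that needs SNAT because the servers do not route back through the F5, a routed virtual server that needs none, and a snat pool as the alternative to automap. All VLAN names, pool names and addresses are assumed for illustration.

```tmsh
# --- One-armed: VIP on the same VLAN/subnet as the servers (assumed 10.1.10.0/24).
# The servers' default gateway is the firewall, not the F5, so return traffic would
# bypass the F5 unless the client source is rewritten -> SNAT is mandatory here.
ltm pool app_pool_onearm {
    members {
        10.1.10.21:80 { address 10.1.10.21 }
        10.1.10.22:80 { address 10.1.10.22 }
    }
    monitor http
}
ltm virtual app_vs_onearm {
    destination 10.1.10.100:80
    ip-protocol tcp
    pool app_pool_onearm
    profiles { http { } tcp { } }
    # automap: source becomes the (floating) self IP on the egress VLAN,
    # so servers answer to the F5; they no longer see the real client IP
    source-address-translation { type automap }
    vlans { vlan_servers }
    vlans-enabled
}

# --- Routed / two-armed: VIP on the external VLAN, servers on the internal VLAN
# whose default gateway is the F5 floating self IP (assumed 10.1.20.1).
# Replies naturally pass back through the F5, so no SNAT: servers log real client IPs.
ltm pool app_pool_routed {
    members {
        10.1.20.21:80 { address 10.1.20.21 }
        10.1.20.22:80 { address 10.1.20.22 }
    }
    monitor http
}
ltm virtual app_vs_routed {
    destination 192.0.2.100:80
    ip-protocol tcp
    pool app_pool_routed
    profiles { http { } tcp { } }
    source-address-translation { type none }
    vlans { vlan_external }
    vlans-enabled
}

# --- Alternative to automap: an admin-chosen snat pool, useful when you want
# predictable source addresses (e.g. for server-side ACLs) or more than one
# address to avoid ephemeral-port exhaustion behind a single self IP.
ltm snatpool app_snatpool {
    members { 10.1.10.201 10.1.10.202 }
}
# Swap into app_vs_onearm in place of automap:
#   source-address-translation { pool app_snatpool type snat }
```

The quick check for the thread's original question: if the pool members' default gateway is not the F5, the virtual server needs automap or a snat pool regardless of how many VLANs or interfaces are in use.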