Forum Discussion

A-MIX_129604
Mar 29, 2015

F5 (1 ARM Mode + Default Gateway for Servers) vs VLAN Group

I am seeking for a design recommendation to meet the following restrictions and requirements


Restrictions

1- Changing the IP addresses for servers is very hard at this stage as they are hard coded in applications (instead of FQDN names)
2- Changing the IP addresses for virtual servers is very hard at this stage as they are hard coded in applications (instead of FQDN names)
3- Virtual servers and nodes are on the same Layer 3 subnet for each zone
4- Servers must see the clients' IP address. This applies for HTTP and non-HTTP services, so XFF is not an option
5- The servers belong to different security zones and must be kept segregated
6- Failover should be smooth and non-disruptive


Requirements

1- Servers belonging to zone X (need to be load balanced) are X1, X2 and X3. Servers belonging to zone X (no need for load balancing) are X4, X5. Currently, the default gateway for zone X is the firewall. F5 is deployed in one-arm mode with source NAT (to ensure return traffic passes by the F5).


2- Servers belonging to zone Y (need to be load balanced) are Y1, Y2 and Y3. Servers belonging to zone Y (no need for load balancing) are Y4, Y5. Currently, the default gateway for zone Y is the firewall.


The requirement is to let the servers see the real client IP. Non-load-balanced servers must be reached directly. No change in IP for VS or nodes is possible; only the default gateway can be changed if required.


Proposed Solution (1)

1- Create two partitions, each with its associated route domain
2- Place zone X in route domain 1 and zone Y in route domain 2
3- For zone X, create two virtual servers (1 VS - Type Standard LB and 1 VS Type IP Forwarding 0.0.0.0/0)
4- Change the default gateway for servers to be load balanced to the F5 VIP
5- For non-load-balanced servers, keep their gateway as the firewall
6- Repeat steps (2 to 5) for zone Y

Problem: I didn't find any 1 ARM mode documentation on F5 that states that it is recommended/discouraged to have such a design. I demoed it on an F5 VE and it worked properly, but I am not sure if there are any limitations that I am not aware of.


Proposed Solution (2)

1- Create two partitions, each with its associated route domain
2- Place zone X in route domain 1 and zone Y in route domain 2
3- For zone X, create two VLANs (internal and external) and make them part of VLAN_GROUP_X
4- Create a self IP associated with this group
5- Keep the default gateway for servers as the firewall
6- Repeat similar steps (2-5) for zone Y servers

Problem: I can't find any resource on VLAN Groups with an F5 Active/Standby pair. I am afraid of some STP convergence issues. Also, I am afraid that no PVA acceleration exists.


For both cases, the two F5 boxes will be installed in active/standby pair.
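Proposed Solution (1) written out for zone X as a tmsh script, added here as an illustration and not the poster's or F5's own configuration; the partition, route domain ID, VLAN tag, interface, addresses, object names and the choice of the floating self IP as the servers' gateway (my reading of the "F5 VIP" in step 4) are all assumed values. The security-relevant point it shows is that SNAT is switched off on the LB virtual server, which preserves the client IP but only works because X1-X3 return their traffic through the F5 floating address.

```tmsh
# Added example (assumed values): zone X in route domain 1 on VLAN tag 110,
# subnet 10.1.10.0/24, firewall 10.1.10.1, X1-X3 = 10.1.10.11-13, VIP 10.1.10.100.
# Repeat with its own partition, VLAN and route domain 2 for zone Y.

# 1-2) Partition plus its own route domain keeps zone X segregated from zone Y.
create auth partition zoneX
cd /zoneX
create net vlan zoneX_vlan tag 110 interfaces add { 1.1 { tagged } }
create net route-domain zoneX_rd id 1 vlans add { zoneX_vlan }
modify auth partition zoneX default-route-domain 1

# Non-floating self IP (run on each unit with its own address) and the floating
# self IP that moves with the active unit; the floating address is the gateway
# that X1-X3 are pointed at, so failover does not strand their return traffic.
create net self zoneX_self_a address 10.1.10.2%1/24 vlan zoneX_vlan allow-service none
create net self zoneX_float address 10.1.10.3%1/24 vlan zoneX_vlan allow-service none traffic-group traffic-group-1

# Route in this route domain towards the firewall for traffic the F5 forwards.
create net route zoneX_default network default%1 gw 10.1.10.1%1

# 3) Forwarding VS: the "gateway" function for server-initiated traffic.
# Listening only on the zone VLAN keeps it from forwarding for anyone else.
create ltm virtual zoneX_fwd destination 0.0.0.0%1:any mask any ip-forward ip-protocol any profiles add { fastL4 } translate-address disabled translate-port disabled vlans-enabled vlans add { zoneX_vlan }

# 3) Standard LB VS with SNAT disabled (type none) so X1-X3 see the real client
# IP. Replies leave the servers via zoneX_float and match the F5 connection
# table, which is what makes the no-SNAT one-arm design work in step 4.
create ltm pool zoneX_pool monitor tcp members add { 10.1.10.11%1:80 10.1.10.12%1:80 10.1.10.13%1:80 }
create ltm virtual zoneX_vs destination 10.1.10.100%1:80 ip-protocol tcp pool zoneX_pool profiles add { tcp } source-address-translation { type none } vlans-enabled vlans add { zoneX_vlan }

# Check: confirm the LB VS really has SNAT off and is bound to the zone VLAN.
# X1-X3 remain directly reachable by IP, so the firewall (still the gateway for
# X4/X5) should only permit client traffic to the VIP, not to 10.1.10.11-13.
list ltm virtual zoneX_vs source-address-translation vlans
save sys config
```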


1 Reply

Hi,


Not an expert here, but this is what I think: the better solution is solution 1. That is a quite standard setup and is not messing around with L2 (like solution 2), so no problems with STP and other L2-related issues. The only possible problem is that the F5 can be bypassed by users if the server IP is entered instead of the VIP (for LB servers). Could be kind of a security risk. The question is as well if you really need separate RDs here. You will need separate VLANs on the F5 via which the servers can be reached - a VLAN can be assigned to only one RD.


I think the VLAN Group approach will be much more complicated; servers have to be in a different VLAN (tagged switch VLAN) than the traffic from clients. If not, both the F5 and the servers will see the ARP request and reply - not a good situation. That could as well pose a problem with direct access to servers without an LB need. Some VLAN routing will have to exist.


Again, I am not a pro, so maybe I messed things around.


Piotr