F5 (1 ARM Mode + Default Gateway for Servers) vs VLAN Group
I am seeking a design recommendation to meet the following restrictions and requirements.
Restrictions
1- Changing the IP addresses for servers is very hard at this stage as they are hard coded in applications (instead of FQDN names)
2- Changing the IP addresses for virtual servers is very hard at this stage as they are hard coded in applications (instead of FQDN names)
3- Virtual servers and nodes are on the same Layer 3 subnet for each zone
4- Servers must see the client's IP address. This applies to HTTP and non-HTTP services, so XFF is not an option
5- The servers belong to different security zones and must be kept segregated
6- Failover should be smooth and non-disruptive
Requirements
1- Servers belonging to zone X (need to be load balanced) are X1, X2 and X3. Servers belonging to zone X (no need for load balancing) are X4, X5. Currently, the default gateway for zone X is the firewall. F5 is deployed in one-arm mode with source NAT (to ensure return traffic passes through the F5).
2- Servers belonging to zone Y (need to be load balanced) are Y1, Y2 and Y3. Servers belonging to zone Y (no need for load balancing) are Y4, Y5. Currently, the default gateway for zone Y is the firewall.
The requirement is to let the servers see the real client IP. Non-load balanced servers must be reached directly. No change in IP for VS or nodes is possible. Only the default gateway can be changed if required.
Proposed Solution (1)
1- Create two partitions, each with its associated route domain
2- Place zone X in route domain 1 and zone Y in route domain 2
3- For zone X, create two virtual servers (1 VS of type Standard LB and 1 VS of type IP Forwarding 0.0.0.0/0)
4- Change the default gateway for the servers to be load balanced to the F5 VIP
5- For non-load balanced servers, keep their gateway as the firewall
6- Repeat steps (2 to 5) for zone Y
Problem: I didn't find any one-arm mode documentation on F5 that states that it is recommended/discouraged to have such a design. I demoed it on an F5 VE and it worked properly, but I am not sure if there are any limitations that I am not aware of.
Proposed Solution (2)
1- Create two partitions, each with its associated route domain
2- Place zone X in route domain 1 and zone Y in route domain 2
3- For zone X, create two VLANs (internal and external) and make them part of VLAN_GROUP_X
4- Create a self IP associated with this group
5- Keep the default gateway for the servers as the firewall
6- Repeat similar steps (2-5) for zone Y servers
Problem: I can't find any resource on VLAN Groups with an F5 Active/Standby pair. I am afraid of some STP convergence issues. Also, I am afraid that no PVA acceleration exists.
For both cases, the two F5 boxes will be installed in an active/standby pair.
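Proposed Solution (1) written out as tmsh configuration, added here as an illustration; it is not taken from the original post or from F5 documentation, and the syntax has not been validated against a particular TMOS version. Addresses, VLAN tags, interface 1.1 and all object names are placeholders; the security-relevant parts are the strict route domains (zone segregation), the Standard VS with SNAT disabled (servers see the real client IP) and the floating self IP that the load balanced servers use as their new gateway.

```tmsh
# --- Zone X: own route domain (strict isolation) and own partition ---
create net vlan vlan_x tag 110 interfaces add { 1.1 { tagged } }
create net route-domain rd_x id 1 vlans add { vlan_x } strict enabled
create auth partition ZoneX default-route-domain 1
# Floating self IP in traffic-group-1: the new default gateway for X1-X3.
# It moves to the standby on failover, so the servers' gateway never changes.
create net self /ZoneX/self_x_float address 10.10.1.254%1/24 vlan vlan_x traffic-group traffic-group-1
# Default route of route domain 1 toward the zone X firewall (placeholder address)
create net route /ZoneX/default_x network 0.0.0.0%1/0 gw 10.10.1.1%1
# Pool of the load balanced servers X1-X3 (placeholder addresses)
create ltm pool /ZoneX/pool_x monitor http members add { 10.10.1.11%1:80 10.10.1.12%1:80 10.10.1.13%1:80 }
# Standard VS with NO SNAT: the server sees the real client source address; the
# reply still comes back through the F5 because the server's gateway is now the F5.
create ltm virtual /ZoneX/vs_x destination 10.10.1.100%1:80 ip-protocol tcp pool /ZoneX/pool_x profiles add { tcp http } source-address-translation { type none }
# IP-forwarding VS (0.0.0.0/0) so traffic the servers originate is routed on to the
# firewall; it listens only on the server VLAN of this route domain.
create ltm virtual /ZoneX/vs_fwd_x destination 0.0.0.0%1:0 mask any ip-forward profiles add { fastL4 } translate-address disabled translate-port disabled vlans-enabled vlans add { vlan_x }

# --- Zone Y: same pattern in route domain 2; strict route domains cannot reach each other ---
create net vlan vlan_y tag 120 interfaces add { 1.1 { tagged } }
create net route-domain rd_y id 2 vlans add { vlan_y } strict enabled
create auth partition ZoneY default-route-domain 2
create net self /ZoneY/self_y_float address 10.20.1.254%2/24 vlan vlan_y traffic-group traffic-group-1
create net route /ZoneY/default_y network 0.0.0.0%2/0 gw 10.20.1.1%2
create ltm pool /ZoneY/pool_y monitor http members add { 10.20.1.11%2:80 10.20.1.12%2:80 10.20.1.13%2:80 }
create ltm virtual /ZoneY/vs_y destination 10.20.1.100%2:80 ip-protocol tcp pool /ZoneY/pool_y profiles add { tcp http } source-address-translation { type none }
create ltm virtual /ZoneY/vs_fwd_y destination 0.0.0.0%2:0 mask any ip-forward profiles add { fastL4 } translate-address disabled translate-port disabled vlans-enabled vlans add { vlan_y }

# Check: every connection shows its route domain id (%1 or %2), never a cross-zone pair
show net route-domain
show sys connection
save sys config
```

X4, X5, Y4 and Y5 keep the firewall as their gateway, so they are reached directly and never traverse the F5; only the load balanced servers change their gateway to the floating self IP of their own route domain.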