Forum Discussion

Parveez_70209
Dec 14, 2017

F5 LTM HA Link Best Practices

Hi Team, I want to know about the Best Practices related to the F5:

 

  1. Related to the HA link: Currently two interfaces configured in a Port-Channel are connected back to back between LTM-1 and LTM-2.

Can we connect or plan this HA link via the network instead, by connecting to a switch? Kindly suggest.

  2. Regarding GTM: I am planning to configure the VIPs with Public IPs INSTEAD of Private IPs on my LTMs, which will basically be peering with the GTM.

But what if I configure the devices with Private IPs and do the translation at the firewall end? Do we have any problem with the translation related to GTM?

Kindly guide.

  3. Do we really need to configure MAC Masquerading in an Active-Standby environment?

Regards, Parveez

 

1 Reply

  • Your HA link can either be connected directly to the peer device or using a switch. If your devices are close enough then there is no problem using directly connected cables. The benefit of the switch is that you can have each device in a different rack location - which is good from a datacentre design perspective. Functionally they are the same.

     

    With regard to your GTM - when you say VIP I presume this is on the LTM. GTM and LTM peer using a self IP address, not a VIP address; this is done over iQuery. The only consideration you need when using internal IP addresses for a GTM listener is that when configuring your DCs, you specify the real Public IP as well as the NAT address. GTM will resolve to a client a routable (generally public) IP address for name resolution. If GTM answers with a public IP address and LTM VIPs are using internal addressing, you just need to make sure requests are translated on an external firewall as they ingress the environment.

     

    MAC Masquerading is not mandatory but can make failover events happen more quickly.