Forum Discussion

Raja_Singh_3330
Nimbostratus
Mar 27, 2018

LTM as L3 gateway

Should I use LTM as an L3 gateway for back-end servers?

If yes, then what needs to be configured at the LTM end, and what amount of resources needs to be reserved for the route daemon?

Also, discuss the advantages and drawbacks.

8 Replies

  • Surgeon
    Ret. Employee

    You can use BIG-IP as a gateway for your back-end servers, and in many cases this is required.

    Can you answer a question: what are you trying to reach by this? What is your goal?

    Please keep in mind that LTM is not a router. It can route the traffic, but it is not a router.

  • For security purposes, all your VMs are already guaranteed to have 2 or more IP addresses in different VLANs. The interface of a web server (or other service) that terminates untrusted requests must be completely segregated from the interface that accepts SSH connections. In a typical design scenario that considers good network security practices, there are even more, usually 3 IP addresses, all in different VLANs, per VM. The first one is for management. The second is for the front end (listener for untrusted requests), and the third is for the back end: the interface that the VM itself uses to communicate with external dependencies such as a database or authentication server. It's also not a bad idea to configure that back-end interface as a secondary listener which accepts trusted requests that bypass BigIP (your app developers will be forever grateful).

    Assuming a Linux web server as the VM, you can use the iproute2 software to create multiple default gateways and map them to specific interfaces. If you use BigIP, there are no valid drawbacks to having the front-end interface of a VM use BigIP as its default gateway.

    • Raja_Singh_3330
      Nimbostratus

      Hannes, thanks for the info. But I am trying to implement a somewhat different scenario which is not that much enhanced.

    • Hannes_Rapp
      Nimbostratus

      Well, whether it's a production design or a lab environment you're going for, you will have to use BigIP as the gateway (either default or IP rule) for the client-side interface, OR use SNAT to avoid asymmetric routing problems.

      I just recommend you follow the initial setup guide and you're done. After that, it's a matter of creating an LTM Virtual Server and a Pool according to standard procedures. There are no fancy steps required that differ from the defaults. If your servers require outbound connectivity to the internet via BigIP (e.g. access to Linux repositories or GitHub), also set up a 0.0.0.0/0 Virtual Server as pointed out by Stanislas.

      Gl

  • Of course you can configure routing with BIG-IP. This is required for both the Link Controller and AFM products, which share the same OS as LTM.

    To support routing from VLAN Internal to the internet, create a virtual server with these properties:

    • type: forwarding IP
    • destination: 0.0.0.0/0
    • protocol: any
    • enabled on VLAN Internal
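The two configuration steps this thread converges on, as an added example rather than code posted by anyone in the thread: the iproute2 per-interface default gateways Hannes describes for the Linux VM, and the 0.0.0.0/0 forwarding virtual server from the list above written as the equivalent tmsh one-liner. NIC names, addresses, routing table ids, the VLAN name `internal` and the virtual server name are assumptions, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Two halves of the design:
#  (1) Linux VM: iproute2 policy routing so the front-end NIC replies via
#      BIG-IP while the back-end NIC keeps its own gateway, which avoids the
#      asymmetric return path that would otherwise force SNAT on the VS;
#  (2) BIG-IP: the 0.0.0.0/0 forwarding virtual server, as a tmsh command.
# NIC names, addresses, table ids, VLAN and VS names are assumptions.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it as root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# policy_route IFACE ADDR SUBNET GATEWAY TABLE
# One routing table per NIC (connected subnet + its own default route) and a
# source-address rule, so traffic sourced from that NIC leaves through it.
policy_route() {
    iface=$1; addr=$2; subnet=$3; gw=$4; table=$5
    run ip route add "$subnet" dev "$iface" src "$addr" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" lookup "$table"
}

# Front-end NIC: its gateway is the BIG-IP self IP on that VLAN (assumed).
front_end_routes() { policy_route eth1 10.1.10.20 10.1.10.0/24 10.1.10.1 101; }
# Back-end NIC: the normal router for DB/auth traffic, bypassing BIG-IP.
back_end_routes()  { policy_route eth2 10.1.20.20 10.1.20.0/24 10.1.20.1 102; }

# forwarding_vs NAME VLAN (run on the BIG-IP): forwarding (IP) virtual server,
# destination 0.0.0.0/0, any protocol, enabled only on the given VLAN.
forwarding_vs() {
    run tmsh create ltm virtual "$1" destination 0.0.0.0:any mask any \
        ip-protocol any ip-forward profiles add { fastL4 } \
        vlans add { "$2" } vlans-enabled
}

front_end_routes
back_end_routes
forwarding_vs vs_forward_internal internal
```

Run the first two functions on the VM and the last one on the BIG-IP; `ip rule show` and `tmsh list ltm virtual vs_forward_internal` confirm what was applied.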