Forum Discussion

MR_Freddy_31338 (Nimbostratus)
Jul 05, 2018

Change from One ARM to DGW mode

Our deployment now is one-arm using SNAT AutoMap; the VS and pool members are on the same subnet but the clients are in a different subnet ... We have only one Self IP, in the same subnet as the pool members.


We need to change this deployment so that the F5 is the DGW for the backend servers ... What exactly is needed to deploy that? Should I configure the VS on a different subnet? Should I configure a Forwarding IP VS with source IP any and destination IP any on all VLANs? Should I configure another VLAN with another Self IP (external, towards the clients)?


And if there are admins who need to access the backend servers directly, should I change the FW rules to allow access to the Self IP?


3 Replies

  • If you intend to have the F5 act as a router/firewall-type device in front of all your servers and you do not want to use SNAT, so that the servers see the client IP address in requests, then you need to do the following:


    1. Configure at least two VLANs, one client-side and one server-side.
    2. Configure either a single IP Forwarding Virtual Server with a destination of 0.0.0.0:*, or one IP Forwarding Virtual Server per VLAN you want to route via.
    3. Ensure all backend-server-to-client traffic routes via the F5, i.e. via the appropriate Self IP or the IP Forwarding Virtual Server's destination IP.
    4. Configure the Virtual Servers to listen on the client-side VLAN(s).

    The most important thing in this setup is to ensure the routing via the F5 in the rest of your network and servers is correct.


    Also, in this type of setup remember your F5 is going to be the routing device for the backend servers, at least to/from some client subnets, so I recommend reviewing a few areas:


    • F5 AFM, F5's firewall module: if you have it licensed, I recommend enabling it and using it to provide some ACL/firewall protection.
    • Review your HA/redundancy setup, as you could end up with all access to the servers routing via the F5; you don't want to find out during a failover that it takes a long time for traffic to start routing correctly.
      • Look at your Traffic Group failover method; I recommend HA Groups.
      • Consider whether using MAC Masquerade will help or hinder failover in your environment.
    • If you have multiple switches connected to the F5, you may need to review your Spanning Tree setup and see if the F5 needs to be part of it (STP can be a pain with an F5).

    My final point: make sure this is the solution you need, because either the applications you are delivering via the F5 need to see the client IP in the network packet (not just in some HTTP header) and/or you want to use the F5 as a network firewall/router for security etc. Remember this will turn your application delivery F5 device into a router and application delivery device, so resources will be taken up by routing etc. instead of its primary purpose of app delivery.


    Hope this helps in some way.
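The four steps in the reply above, written out as tmsh commands as an added example; this is not configuration from the original thread or from F5, and every VLAN name, interface, address and object name below is a constructed placeholder (clients on 192.0.2.0/24, external VLAN 10.1.10.0/24, internal VLAN 10.1.20.0/24) that you would replace with your own values.

```tmsh
# Added example (not from the post): one-arm SNAT AutoMap -> routed layout
# with the F5 as the backend servers' default gateway.
# Constructed addressing, substitute your own:
#   external VLAN 10.1.10.0/24 : self IP 10.1.10.5, app VS 10.1.10.100, upstream router 10.1.10.1
#   internal VLAN 10.1.20.0/24 : self IP 10.1.20.5, floating self IP 10.1.20.1 (= server DGW)

# Step 1: two VLANs, one client-side and one server-side
tmsh create net vlan external interfaces add { 1.1 { untagged } }
tmsh create net vlan internal interfaces add { 1.2 { untagged } }

# Non-floating self IPs. Port lockdown "none": the self IPs themselves expose
# no services, so nothing has to be opened on them for admin access (see note).
tmsh create net self 10.1.10.5 address 10.1.10.5/24 vlan external allow-service none
tmsh create net self 10.1.20.5 address 10.1.20.5/24 vlan internal allow-service none

# Floating self IP on the server side: this is the address the backend servers
# use as their default gateway, and it moves with the traffic group on failover
tmsh create net self 10.1.20.1 address 10.1.20.1/24 vlan internal \
    traffic-group traffic-group-1 allow-service none

# Step 2: a single IP-forwarding virtual server (destination 0.0.0.0, any port,
# any protocol) that routes server-originated and admin traffic through the F5
tmsh create ltm virtual vs_forward_all destination 0.0.0.0:0 mask 0.0.0.0 \
    ip-protocol any ip-forward profiles add { fastL4 } \
    translate-address disabled translate-port disabled \
    vlans-enabled vlans add { internal external }

# Step 3: the F5 needs a route towards the clients; the servers' side of step 3
# is done on the servers (default gateway = 10.1.20.1), not here
tmsh create net route default_route network 0.0.0.0/0 gw 10.1.10.1

# Step 4: the application VS listens only on the client-side VLAN, with SNAT
# disabled so the pool members see the real client source address
tmsh create ltm pool web_pool monitor http members add { 10.1.20.11:80 10.1.20.12:80 }
tmsh create ltm virtual vs_web destination 10.1.10.100:80 ip-protocol tcp \
    pool web_pool profiles add { tcp http } \
    source-address-translation { type none } \
    vlans-enabled vlans add { external }

tmsh save sys config

# Checks: SNAT is really off on the app VS, and the forwarder is bound to the VLANs you expect
tmsh list ltm virtual vs_web source-address-translation
tmsh list ltm virtual vs_forward_all vlans
```

Two points this makes concrete. First, removing `source-address-translation` only works if the servers' default gateway is the F5's floating self IP; if a server keeps its old gateway, its replies bypass the F5 and the connection fails (asymmetric routing), which is the "most important thing" the reply warns about. Second, on the original poster's admin-access question: with the forwarding virtual server in place, admin traffic to a server is forwarded through the F5 rather than terminated on a self IP, so the self IPs can stay at `allow-service none` and any restriction on who may reach the servers belongs in the upstream firewall or in AFM rules, not in the self IP port lockdown.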