DIFFERENCE BETWEEN ONE ARM and ROUTED DEPLOYMENT OF F5?

Hi Vineet,

"One-armed" configuration typically means an application servers you are load balancing is not configured on the network that is facing the VIP. Where the application server is not configured to use the F5 as their default gateway. When the F5 is not the default gateway, you have to SNAT client traffic to maintain route symmetry. The disadvantage is that you loose the ability to view the client IP address on the application server either through logs or troubleshooting . You would then need to deploy indirect methods to keep track of IP addresses. However, the power is that it can be inserted in an existing network where you cannot make network changes.

Routed is basically traffic that goes through the F5 either via load balancing or as a layer 3 hop. This is the preferred setup, but requires the application servers to be in position where the gateway is the F5.

I hope that clears things up

You also need to keep in mind that "one armed" configurations change your available bandwidth through the BigIP. If you have a single interface to your LAN, you will only get half of the throughput in theory. Make sure you scale links using LACP appropriately to ensure that you have enough bandwidth.

Client -> VIP = Ingress on BigIP Port SNAT -> Server = Egress on BigIP Port Server -> SNAT = Ingress on BigIP Port VIP -> Client = Egress on BigIP Port.

Hi Bhattman,

I was assuming earlier as the virtual servers and the pool members are on the same VLAN in one-arm deployment and in this deployment we use SNAT to force the source to look like BigIP and keep the flows symmetric. So, it is wrong if I assume so?

Hi Chris,

Am I correct to say that in one arm deployment, the ingress and egress traffic on F5 travels the same path?

Correct. Additionally, the "arms" used to be typically referred to as physical interfaces. Prior to 802.1Q, IP addresses were allocated to single interfaces. In actuality, "arms" refer to VLANs with an associated IP. You can have a one armed config with more than one physical interface. You can also have multiple one-armed configs with more than one VLAN on the same BigIP. But the implication would be that the interface which the vlan is associated to will be used for both ingress and egress traffic. If that is an LACP trunk, then traffic will get hashed and distributed on the trunk.

My F5 is in routed mode without SNAT. But strange is I can see pool member IP communicating with client in packet capture. 

Captured packet in client machine

Need help