Josh_41258
Sep 18, 2013


I am new to ASM here, and I'm looking for some advice on best practices for an ASM deployment using vCMP.


Is it recommended to run separate vCMP guests for ASM and LTM, or run both LTM and ASM on the same vCMP guest? Are there advantages/disadvantages to either method?


There may already be some documentation on this, but I couldn't find it. If so, please point me in the right direction!




8 Replies

  • If you're going to have multiple guests all using ASM policies, maybe it makes sense to dedicate a guest or two specifically to handling policy, but personally I like having the policy local to the ASM so I can control all traffic flow more simply with fewer hops.


  • Jason,


    Sorry to resurrect such an old thread. Are you aware of any design documentation around the integration of ASM+LTM?


    If we do put ASM on its own vCMP guest, what is the preferred method for integration between the LTM and ASM? Create VServers on the ASM box, and then use those as pool members for the LTM pools? I would think it is also a good idea to put the actual pool members in the LTM pool(s) as well and use priority group activation to send traffic directly to them (thus bypassing the ASMs) if the ASMs become unavailable.


    Any suggestions or thoughts would be greatly appreciated!


  • JRahm_128324
    Historic F5 Account

    Bypassing ASM would indicate that security is not really a requirement for doing business, but that is a business problem, not a technical problem. I have seen deployments exactly as you are describing them, just looping through ASM but all control is handled in the LTM. I've also seen client->LTM->ASM->server, and client->LTM/ASM->server. I prefer fewer hops when scale isn't an issue.


  • There are a few ways of doing it, but it depends on what hardware you are using for vCMP.


    If on the same guest, LTM/ASM combo, you need the right blades/hw, simpler to configure/manage.


    If separated (more complicated to do initial config), it would use pools on LTM to talk to ASM, and vice versa. A VIP on ASM for the app/service, and some internetworking between LTM and ASM instances using some dedicated VLANs ideally...


    I've done both configs.


    Let me know what hardware you are using.




    • Josh_41258
      We are using a C2400 chassis with B2100 blades (2 in each chassis at the moment). LTM guests are active on one chassis, and standby on the other. If LTM and ASM are on the same chassis, but separate vCMP guests, all of the traffic between the two SHOULD be routed over the internal backplane of the blades if I understand correctly. Alternatively, we could remain active/standby on the LTM side (between chassis), but do ASM active/active.
  • True, but ASM would only be bypassed if it absolutely had to. I'll have ASM running on another chassis as well. Maybe do active/active between the ASM vCMP guests? Both would be pool members on the LTM side. If one became unavailable, the LTM would mark it down and send all requests directly to the other ASM.


    I just wanted to see if there was a "newer" type of integration between ASM/LTM in v11 that I was not aware of. I guess the answer to that is no?




  • You would want anything in an HA pair at a minimum ideally, or two active/active instances like you mentioned accessed via a pool from LTM.


    Not sure it will use backplane, that's more for VLAN/network visibility between blades physically.


    Not sure if B2100 blades can support ASM/LTM combo, that's the easiest solution, but from a scalability perspective it makes more sense to have it on separate guests.


    I am about to try the ASM/LTM/WA combo on some guests soon, but it's on the new 2150 blades with SSD, etc. I think triple combos require the new blades...


    I am also using 2 x 2400 chassis with 3 2150 blades in each chassis, I have HA instances across the two chassis.


  • Ah yes, 2150s. Of course they come out right after we purchased the 2100s. You can't mix-match 2100/2150 either.


    We are already going to be running LTM+AAM (the new WA) on one guest, so I think we should stick with ASM on its own. Besides that, we will have multiple LTM guests sharing the same ASM policies; so, I think it makes sense to put them on dedicated guests.