Forum Discussion

rafaelbn_305907's avatar
rafaelbn_305907
Icon for Nimbostratus rankNimbostratus
Aug 17, 2017

Design - SNAT vs. Inline (kind of philosophical)

Hello Devs! Hows everybody doing?

 

I'm new to BIG-IP and I'm currently studying for the 301a exam. I came from the networking world.

 

I'm a big fan of letting routers "route", firewalls "firewall" and loadbalancers "load balance". So looking at a SNAT design vs an inline design I tend to prefer the first.

 

The thing is I read KB7820 and under the best practice it stated that SNAT demotes PVA. And that got me thinking about the whole SNAT process and how much resources (as in RAM) each SNAT consumes.

 

I searched askF5 and couldn't find any numbers on that. And besides that, in my humble opinion, making the BIG-IP the gateway of every load balanced server can be a hassle when you're not on a green field project.

 

So my questions are:

 

1- How much resources SNAT consumes of BIG-IP? Do I have to worry about it? Or the only downside of it is PVA and application/end user "trackability"?

 

2- On green field projects, should I go inline or SNAT design? What you BIG-IP ninjas prefer?

 

Many thanks! Rafael

 

  • Hi,

     

    First, BigIP is not only a load balancer... but also a firewall, a reverse proxy, a SSL VPN gateway, a DNS server, a Web Application Firewall...

     

    Reading K12837, SNAT does not demote PVA in version 11.2.1 and later.

     

    There is not really best practice but configuration without SNAT is better to keep client IP on server side connection.

     

    HTTP connections support X-Forwarded-For header to insert client IP even if SNAT is enabled.

     

    for all other protocols, SNAT may cause some limitations. for example, if you load balance SMTP connection with SNAT, AntiSPAM feature may be limited.