Forum Discussion

Altostratus

Nov 12, 2013

Disabling Snat

Hello, I have a question about disabling snat on a virtual server. Currently in this environment when there is a need to disable snat, we point the gateway on the server to use the F5 floating self...

design

IheartF5_45022

Nacreous

Nov 12, 2013

The most obvious response is that you should change your topology so that the server and F5 are in one subnet (with the F5 the default route for the server), and the F5/router in another subnet, with the router the default route for the F5, and a network route to the server subnet pointing to the F5, on the router.

To answer the question you actually asked, I think yes, that will work, although you have to try it in your particular network - this is because the router will get arp responses for the server IP from the server MAC, but will see incoming packets from the server IP with another MAC (the F5) - this may confuse some router types or those who have some sort of security lockdowns (like IP Source Guard). I would seriously consider changing your topology if that's possible.

Also, be careful about "timeout indefinite" settings - can lead to session table filling up with zombie sessions.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)