Forum Discussion
F5 LTM network placement
What are usually the best practices for LTM placement within the network? Internet edge? Behind the firewall at the edge? In between internal and external firewalls? Hanging off the edge firewall?
5 Replies
If you are strictly deploying LTM, you'd really want to put it behind your perimeter security devices. If you enable AFM, you will have a rich stateful firewall that can be placed on the Internet edge. If you are going to use load balancing on the F5, I personally like to have the F5 "present" on the server VLAN so that F5-to-pool-member communications are strictly layer 2. This helps to eliminate any MTU, tagging, etc. that could happen to load balanced traffic before it actually gets to the back end server, which greatly helps when troubleshooting.
- Steven_J__Willi
Nimbostratus
Looks like we are looking at a one-arm deployment, which will hang off our DMZ switches that are connected to the ASA firewall. So in this case, is the external VLAN not a concept with this design?
- arpydays
Nimbostratus
If you go with 1 arm in a DMZ then you do not necessarily need 2 vlans as pool member traffic will route back over the vlan connected to your DMZ Switch.
cheers
- Steven_J__Willi
Nimbostratus
Right, so this is why I didn't use the setup wizard, because it always assumes inline and wants internal and external VLANs. Also, with one arm, SNAT is going to be needed, correct?
- Yep!
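
The one-arm layout discussed in this thread, sketched as tmsh commands (an added example, not posted by any participant; the interface, object names and RFC 5737 addresses are constructed placeholders). It uses a single VLAN and SNAT automap so pool members reply through the BIG-IP, and it inserts X-Forwarded-For because SNAT otherwise hides the client address from server logs:

```tmsh
# Single VLAN on the DMZ switch: no separate internal/external VLANs.
create net vlan dmz_vlan interfaces add { 1.1 { untagged } }

# Self IP on that VLAN. "allow-service none" keeps management services
# (SSH, HTTPS config utility) off the DMZ-facing address.
create net self dmz_self address 192.0.2.5/24 vlan dmz_vlan allow-service none

# Default route back toward the firewall's DMZ interface (assumed 192.0.2.1).
create net route default_gw network default gw 192.0.2.1

# Pool members sit on the same subnet as the virtual server.
create ltm pool web_pool members add { 192.0.2.21:80 192.0.2.22:80 } monitor http

# HTTP profile that records the original client IP in a header,
# since the servers will only see the BIG-IP self IP as the source.
create ltm profile http http_xff defaults-from http insert-xforwarded-for enabled

# Virtual server with SNAT automap: server replies return to the BIG-IP
# instead of going straight to the client via the servers' own gateway.
create ltm virtual web_vs destination 192.0.2.100:80 ip-protocol tcp profiles add { tcp http_xff } pool web_pool source-address-translation { type automap }
```

Server access logs and any IP-based controls on the pool members need to read the X-Forwarded-For header rather than the connection source, which will always be the BIG-IP.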