
Forum Discussion

Richie_77270
Feb 28, 2010

Firewall Load Balancing

We currently utilize a 5540 Active/Standby pair of firewalls that handles all of our traffic.

Recently we deployed a new application to our data center that has caused the resource usage on the 5540s to increase beyond 80%.

Management would prefer not to have to buy a 5580 or 6500/FWSM at this time, but due to the nature of the application we also can't sit at 80%, because our traffic can fluctuate greatly with user behavior/increase.

I know I could route traffic down another pair of firewalls to split traffic up, but how do I ensure that outbound/return traffic goes back out the same firewall that it came in on?

Is this the purpose of the auto last hop feature?

If so, could someone explain to me how this could be implemented?

Thank you.

7 Replies

  • Hi Richie,

    Yes, that is the purpose; however, there are limitations on where and when you can use it.

    You can find out more by going to the following link (requires that you have an account; if not, sign up):

    https://support.f5.com/kb/en-us/search_results.advanced.html?productList=big-ip_ltm&versionList=9_3_1&searchType=advanced&query=auto+last+hop&submit_form=Search&product=big-ip_ltm&documentType=kb%3A&productVersion=9_3_1&dateFilter=&num=10&advSyntax=

    I hope this helps.

    Bhattman
  • Thanks Bhattman

    So from what I understand, the biggest issue I would probably face is during a failure within the firewall pair, which could cause confusion on the MAC address if not set up correctly?

    In our situation we're not as concerned with a small group of sessions getting dropped if a firewall failover occurred.

    From what I also read, auto last hop is on by default and will work regardless of the routing table?

    Thanks for the info.
  • Hopefully someone can help me with this now that I have the hardware to set it up.

    I have a BIG-IP 1600 that I'm looking to have accomplish the following goal(s):

    I have three firewalls that I want to use for all my application traffic and one firewall that I need to use for my VPN traffic.

    My goal is to put the F5 directly above these three firewalls and have it correctly distribute/route traffic across the firewalls and into my LAN.

    I need to either NAT or forward all traffic for one public IP address straight to my VPN firewall and then have traffic for all other IPs on my public subnet go to my three primary firewalls.

    Thank you for any help that can be given.
  • Posted By Richie on 07/11/2010 06:46 AM

    Hopefully someone can help me with this now that I have the hardware to set it up.

    I have a BIG-IP 1600 that I'm looking to have accomplish the following goal(s):

    I have three firewalls that I want to use for all my application traffic and one firewall that I need to use for my VPN traffic.

    My goal is to put the F5 directly above these three firewalls and have it correctly distribute/route traffic across the firewalls and into my LAN.

    I need to either NAT or forward all traffic for one public IP address straight to my VPN firewall and then have traffic for all other IPs on my public subnet go to my three primary firewalls.

    Thank you for any help that can be given.

    Richie - are you looking to handle outbound traffic or inbound? This seems very feasible using iRules.
  • I'm trying to have all my traffic go through the external LTM and get load balanced across my three ASA 5540 firewalls. Some of the traffic is going to go to my internal LTM which load balances to some of my web servers and other traffic just goes straight to other internal servers.
  • Posted By Richie on 07/13/2010 09:16 AM

    I'm trying to have all my traffic go through the external LTM and get load balanced across my three ASA 5540 firewalls. Some of the traffic is going to go to my internal LTM which load balances to some of my web servers and other traffic just goes straight to other internal servers.

    Gotcha, you'll likely want to do the following:

    1. Have 1 pool that contains all your ASAs.
    2. Have 1 pool that contains the VPN-specific ASA. Let's call this pool "pool_vpn".
    3. Create your VS and set the default pool to be the pool containing all your ASAs.
    4. Create an iRule and apply it to your VS. The iRule will be something like this:

        when CLIENT_ACCEPTED {
            if { [ IP::addr [ IP::client_addr]] eq x.x.x.x } {
                pool pool_vpn
            }
        }

    This is an example, not optimized, but hopefully it addresses what you're trying to do.
  • hoolio

    A small update to move the closing square bracket for IP::addr to the end of the IP address instead of at the end of [IP::client_addr]:

        when CLIENT_ACCEPTED {
           if { [ IP::addr [ IP::client_addr] eq x.x.x.x] } {
              pool pool_vpn
           }
        }

    Aaron
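As an added example (not code from this thread, nor from F5's own documentation), here is a fuller version of the iRule sketched in the steps above and corrected by hoolio. It keys on the destination address rather than the client's source address, because the stated goal is to steer all traffic for one public IP to the VPN firewall, and it falls through explicitly to the firewall pool for everything else. The public IP, the pool names `pool_vpn` and `pool_firewalls`, and the forwarding virtual server it is attached to are assumptions for illustration; `IP::addr ... equals ...` is the documented comparison form for that command.

```tcl
# Added example iRule, not from the thread. Assumes a wildcard (forwarding) virtual
# server on the external LTM whose default pool, pool_firewalls, holds the three ASAs,
# plus a second pool, pool_vpn, holding only the VPN firewall. Auto Last Hop stays
# enabled so a firewall's return traffic is sent back through the firewall it arrived on.
when CLIENT_ACCEPTED {
    # Placeholder public IP (RFC 5737 documentation range) whose traffic belongs to the VPN firewall.
    set vpn_public_ip "198.51.100.10"

    # The connection's local (destination) address is the public IP the outside client
    # connected to. Matching on IP::local_addr rather than IP::client_addr implements
    # "all traffic for one public IP address", whatever its origin.
    if { [IP::addr [IP::local_addr] equals $vpn_public_ip] } {
        pool pool_vpn
        # Brief audit record of what was steered to the VPN firewall (source and destination only).
        log local0. "VPN steer: [IP::client_addr] -> [IP::local_addr] via pool_vpn"
    } else {
        # Every other destination on the public subnet is load balanced across the three ASAs.
        pool pool_firewalls
    }
}
```

Attach the rule to the virtual server that fronts the firewalls; with the default pool set to `pool_firewalls`, the `else` branch is redundant but makes the intended fallback visible when the rule is read on its own.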