For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nathan_67739's avatar
Nathan_67739
Icon for Nimbostratus rankNimbostratus
Jan 15, 2010

Forcing "routed" traffic back to gateway

We currently have a LTM 3600 (running 10.0.1), set up in a router-on-a-stick model (vlan based network with backend servers and VIPs logically, but not physically, behind the LTM).     We a...
config
design
The_Bhattman's avatar
The_Bhattman
Icon for Nimbostratus rankNimbostratus
Jan 18, 2010

Posted By Nathan on 01/16/2010 4:36 PM

 

 

But the servers currently have the self-ip of the LTM as their gateway... If I used a different IP, connections through the load balancer won't work without SNAT since they would respond directly to the client. (Plain TCP might, but certainly nothing that alters the stream with tcp/http profiles, or ssl offloading of any kind since the session is going to be altered by the LTM.)

 

 

Not sure if I'm explaining this clearly or not.

 

 

I saw something in another thread about "auto lasthop" - would that possibly have any applicability here? (Haven't read up on it.)

 

 

 

 

I understand what you mean. However, what I am saying is there might be way to create HSRP addresses on 10.3.0.30 and 10.2.0.20 sub net so servers have a HOP where they can route directly using the core network and not though the LTM - basically VLAN to VLAN traffic. You could either add a static entry on each of your servers so they know which HOP they need to use to access each other's network OR change the gateway to HSRP address - If you have SNAT turned on the VIP then the traffic destined for the LTM will go through the LTM, while all other traffic can bypass the LTM.

 

 

Sorry if this concept is hard to explain.

 

 

 

Bhattman