Forum Discussion
mjaved_62370
Nimbostratus
NimbostratusGTM/LTM Active Active 3400s
Hi
Need some help on the below.
We have 2 3400s running LTM/GTM feature set.
Both are configured in one sync group and running GTM function. Recently we want to achieve firewall load balancing via the LTM funtion on both boxes only having 1 vip as a default gateway to half of servers in dmz and remaining servers have other vip as default gateway.
So for half of servers in dc1 traffic goes out via gtm/ltm_dc1 - vip 10.1.1.1
and for other half of servers in dc2 traffic goes out via gtm/ltm_dc2 - vip 10.1.1.2
Incase of failure of gtm/ltm_dc1 all traffic routes via gtm/ltm_dc2 - takes vip 10.1.1.1
both 3400 will have a transparent virtual server 0.0.0.0 pointing to firewalls_pool
To accomplish this we are thinking of running active/active on both 3400s hosting gtm/ltm functionality.
Just wandering is this a good idea?
And once done how does the gtm function gets impacted by this?
Thanks.
- The_BhattmanI have never ran a GTM and LTM feature set on a single redundant unit. My reasons were unique to my situation because the GTM served not only as a relay but a lookup for other servers outside LTM. Thus I didn't want them to be mutually exclusive for the sake of redundancy and scalability.
That being said I can only speak about the LTM. Active/Active was not recommended by my local F5 enginee sand I chose to run active/passive for 2 main reasons.
- on the LTM side you lose the ability to run in redundancy. It may not be apparent now, but over time if both units can become busy enough it can mean that one unit cannot take the load from another in the event of a failure.
- Decrease stability of a upgrade path. When you upgrade you are affecting production and thus in your case half you servers. if there is a catastrophe where you can't roll back you are faced with single unit. If you are running at high load levels for both LBs then the single active LB is going to be under strain.
Of course you may not run into this as your business may accept those risks but hopefully my reasons may help you decide which way you want to go.
Thanks,
CB 
mjaved_62370Many thanks guys makes perfect sense. 1 down 1 more problem to go. Please help.
Hi there!
Need some help please.
We are running GTM/LTM on 3400s in 2 datacenters. Both GTM/LTM is on 1 box each.
GTM with Public ip address range works like a charm.
Now want to use GTM function in private ip addressing, meaning GTM will be behind the firewall in DMZ, hosting DMZ servers from Internet.
However GTM has prviate ip add e-g 10.1.1.1 and has a static mapping on firewall 202.202.202.202 to a public ip.
1- There is a tranaslation option on GTM GlobalTraffic >>> Servers. Mapped 10.1.1.1 to 202.202.202.202 - How does this help.
2- Should i define Vs in real ip addresses or private ip addresses? All Vs are in 1 subnet 10.1.1.x/24 - If i define vs in private ip addresses GTM starts handing out private ip add to udp query. If i define public it hands out public ip add.
3- defining Vs in private ip add say 10.1.1.3 will conflict with actual server in dmz as the same server exists with ip add 10.1.1.3. Can this be loadbalanced without conflicts?
There is a tranalation feature in Vs as well. Was wandering if in LTM can define servers in private ip add say 10.1.1.2 and add in GTM 10.1.1.2 translate to 202.202.202.203 in GlobalTraffic>Servers>Vs
3- Also if i add vs in GTM translation services are limited to http/s, ftp/telnet/smtp/snmp/ssh only - how can i allow all services?- dennypayne
Employee
Yes you need to use the translation option...keep in mind on GTM you're not actually adding the IP's to that device when you define virtual servers, you're just defining the resources that it knows about so it can hand out a DNS resolution. So it needs to know the private IP so it can monitor the availability of the virtual server, but it needs to hand out the public address. The translation option just correlates the private with the public so that GTM knows it's the same object.
Denny - dennypayneOh, and as far as services go, again, GTM is handing out a DNS resolution. It doesn't care about ports. The only reason there are port definitions on the virtual servers is to make it easier to manage a long list of them when you add a Wide-IP (ie, if you tell GTM the port is 80 in the WIP definition, it will only show you virtuals also listed on port 80 in the config).
Denny - mjaved_62370Many Thanks Denny so what you are saying - Just to clarify
GTM /LTM can run behind a firewall on the same box, using private ip address space with the translation feature.
There are 2 things. As below
Translation to Wide IP
Server Real IP Internet 202.202.202.202
Server Priv IP on DMZ 10.1.1.1
which Vs should i define in ltm (which is on the same box) and add in GTM for wide ip?
Should it be 202.202.202.202 (vs defined in ltm) with translation to 10.1.1.1 (defined in gtm when adding vs for wide ip)
or 10.1.1.1 (vs defined in ltm) with Translation to 202.202.202.202 (defined in gtm when adding vs for wide ip)
& should i leave services/ports to 0 in GTM.
------------------------------------------------------------------------------------------------
Actual Servers to run same ip as vs in DMZ - Is it possible? will there be duplicate ip address issues?
Also we run the same ip addressing as servers in dmz e-q 10.1.1.1 is a server and can its vs be same as 10.1.1.1
Secondly with services should i just leave it too e-g 0 in Vs option for gtm and on ltm config bind it to port 443?
gtm vs 10.1.1.1 = 0
ltm vs 10.1.1.1=443
does it really matter. As GTm offers only a few services?
Thanks.
