Hi, We have recently purchased pair of BIG-IP 4200V (LTM & ASM) for our https based web servers load balancing. Web servers are located in DMZ of firewall. Web serves wants to see original source IP of the clients. We would like to know what is the best way to deploy BIG-IP whether Inline-Routed Mode or One-Arm. If we have to deploy it in Inline-Routed Mode. Do we have to use two different IP subnet or same? one for external & one for internal.

We have deployed Virtuals with both the one-armed and the inline mode. How you do it is based off your specifics. You need to retain the original IP address of the clients, if your web servers can examine the X-Forwarded-For or XFF identifier in the header, then doing an in-line will work well. You can offload the SSL to the F5 and still use all load balancing methods. If you cannot look at the X-forwarded-for method, you can still use the in-line, but would need to have routes to the F5 for return public traffic. ( server default routes would point to the F5, any RFC-1918 routes would point to another gateway in our environment ). The One Arm method works well for many things, but will remove your ability to offload the SSL and limit the load balancing choices ( no cookies.. someone correct me if I'm wrong here ). Typically each web server will need a loopback of the public IP to accept the One Armed traffic. The Inline method does not require you to use different subnets. We do an inline method for many instances with all IPs in the same RFC-1918 subnet. We just have the firewall forward traffic for the public IP address of the load balanced web traffic to the failover RFC-1918 IP address of our LTM pair. Hope this helps. Jason

As per my knowledge X-forwarded-for method only work for HTTP & SMTP traffic. It won't work for HTTPS traffic. As you said we can use same IP subnets on both interfaces (external & internal) of BIG-IP if we are deploying in Inline-Routed Mode. What is the pros & cons of using BIG-IP with same IP subnets or different ?

Sorry but you are wrong Jason :) - most designs (exceptions are layer two only and nPath) do not limit your ability to offload SSL or the choice of load balancing or persistence methods available. Loopbacks are not required for One Arm mode, only for nPath. A single device cannot have multiple interfaces in the same IP subnet (but a single interface can have multiple IPs in the same subnet). There are quite a few variations where One Arm and Routed mode are concerned. Apologies Tabish but I don't have time to describe them here. I'd suggest you read the TMOS Implementations guide from support.f5.com for more detail.

You are correct if you're not terminating the SSL with the F5. However, If the F5 terminates the SSL connection from the client, it can insert the XFF header. This solution document gives some specifics. http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html There are no set pros or cons of keeping the F5 in the same subnet. It all depends on your specific environment. Since the web servers are already in the DMZ in this case, it saves IPs, subnets and VLANs to have it in the same subnet doing the inline. Simpler config, fewer problems is my standard goal. Other people may have more information, but this has worked well for us over many years. No problems thus far. Keep in mind, the F5 doesn't treat traffic any different when it sends it out on the wire. An IP is an IP and an interface is an interface to the F5.

Now I am confused whether I can use same IP subnet on both interfaces (External & Internal) of single device or not. External interface pointing to client side & internal interface point to node (servers) side. Pls help me.

how to deploy F5 BIG-IP 4200 V HA Pair for Web Application

21 Replies

What_Lies_Bene1

Cirrostratus

Oct 07, 2013

By the way, here's some general notes around installations;

Preparation & Design - Device

•   Confirm support is in place
•   Management NIC, TMM Interface and VLAN design and general numbering, tagging, trunking etc.
•   TMOS Software selection
•   Hostname
•   Management service details (DNS, NTP etc.)
•   Authentication methods, remote server details
•   Configuration backup schedule and method
•   Failover and mirroring methods and interfaces
•   Security policies
•   IP Addressing
•   Routing requirements for management and TMM interfaces
Services/Applications
•   Other global settings
•   NATting
•   Service implementations;
o   SSL Certificate requirements and parameters
o   SSL Profile security requirements and parameters
o   Compression requirements and parameters
o   Caching requirements and parameters

What_Lies_Bene1

Cirrostratus

Oct 07, 2013

Device Configuration

•   Hypervisor stuff if VE – like what???
•   Management network interface IP address and route via LCD or serial
•   Licensing
•   Provisioning
•   Management IP, default account passwords, timezone, Hostname etc.
•   Disk partitions, TMOS upgrades and hotfix installations
•   Administrative Partitions
•   Local user accounts, remote authentication and user roles
•   local host file
•   DNS, NTP, SNMP, SMTP, Logging, log rotation etc.
•   Management tasks such as configuration backups and management routes, service failure actions and time zone
•   Security (password policy, banners, timeouts, source address persistence)
•   Physical Interfaces and Trunks
•   VLANs, STP (not on the 2000s, 2200s, 4000s, or 4200v platforms) , LLDP
•   Route Domains
•   Self IPs, ARP and NDP
•   LTM Routing
•   Failover and Configsync etc.
•   Global settings such as PMTUD, Auto Last Hop and L2 cache aging time

What_Lies_Bene1

Cirrostratus

Oct 07, 2013

Services/Applications

•   Nodes
•   Health Monitors
•   Pools
•   S/NATs
•   SSL Certificate installation
•   Profiles;
o   Persistence
o   Protocol
o   SSL
o   HTTP
o   HTTP Compression
o   Web Acceleration
•   iRules, Data Groups, iFiles
•   Virtual Servers

Tabish_Mirza_12
Nimbostratus
Oct 07, 2013
We are managing the server through different interface. So you are suggesting to go for one-arm without using SNAT means change servers gateway to F5 floating IP & configured default route on F5 pointing DMZ interface IP. All will be in same subnet.

Is it the best way to deploy it? Is it the recommended method by F5? We don't have any issue to change server IP's, mask & gateway. We are in the design phase. We don't want any issue or limitation after implementation.

I know I am keep repeating the same question again & again but I wanna make sure that things go smooth so sorry for that

Your kind help highly appropriate

Many thanks indeed.

Awaiting for your prompt response
Tabish_Mirza_12
Nimbostratus
Oct 07, 2013
Could you pls have a look enclosed attached diagram & advise
Tabish_Mirza_12
Nimbostratus
Oct 07, 2013
Could you pls have a look enclosed attached diagram & advise
What_Lies_Bene1
Cirrostratus
Oct 07, 2013
That's exactly it although you are restricting yourself to using the F5s only with traffic flows that involve that DMZ.

Don't forget that you can also load balance between the Web and Application servers.

Forum Discussion

how to deploy F5 BIG-IP 4200 V HA Pair for Web Application

21 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5OS VLAN naming length restrictions

Strict header Insertion

Profile ssl server using pass phrase

error code 503 redirect irule

AST Configuration Assistance

Related Content

System Prerequisites for Deploying the Application Study Tool

Workshop: Deploy BIG-IP Cloud through Automation

Automating Certificate Management on F5 BIG-IP

What's new in BIG-IP v21.0?

Simplifying Application Health Monitoring with F5 BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS