IIS, LTM, and a Flat Network

physically separated in 2 different buildings, so keeping them on an isolated switch would prove rather challenging.

 

 

 

I do not think the idea is to keep them on the same switch, but on the same VLAN (which could be propoagated between Your Ciscos) - the problem with this setup is that You have to trust the F5 in the same way as the switches, because any packet to and from the physical server in this setup goes via F5, which will be acting as another switch in the way (For example management and monitoring of Your precious servers).

 

 

This means to me, that if You can put the servers in separate VLAN (beware of using more than 3 VLANs in VLAN Group - we have run to bunch of other problems while trying this setup), You can create a VLAN group containing two VLANs: v_my_precious_servers and v_all_other_stuff. F5 will take care of bridging non-balanced traffic, while You do not need to have SNAT active on the VS. Anyway some sort of segmentation, which will force the packet to return via F5 seems to be the only way how to get rid of SNAT. And it does not matter if it is done on L2 or L3.

 

 

Anyway I would be very carefull about why the hell does pool member need to know the real client IP for. If it will try some sort of call back or something, IMHO You may get very unexpected results.