Forum Discussion
Leslie_South_55
Nimbostratus
Apr 22, 2008
In-Line or One-Arm LTM Placement
OK, so this may be a little "BigIP 101" but I wanted to ask the question anyway. I have been using v9 bigip for about 2 years now, and during the first implementation, we put the LTM smack dab in the...
Robin_Mordasie1
May 10, 2010
Historic F5 Account
When the F5 is configured as the default gateway for backend nodes there are advantages as well as disadvantages. When deploying an F5 unit as a router, or gateway for pool members, they see the real client IP address. One problem organizations face with deploying in routed mode is that management traffic for nodes also traverses the F5. The nature of management traffic can represent more bandwidth, limiting the capacity of the F5. There are two solutions to this; one is to deploy large enough F5 devices to deal with the additional traffic, or to deploy a dedicated network for management traffic.
Generally organizations with mature networks tend to deploy F5 units as routers or gateways for members; however, if management traffic represents a significant amount of bandwidth, and deploying a dedicated management network, or deploying F5 units with higher throughput capacity, is not an option, then a one-armed configuration can be deployed.
Deploying an F5 in a one-armed configuration also has its own set of advantages as well as disadvantages. Since members never see the real client IP address, locally configuring security rules based on IP addresses is not possible, and application logs never show the real client IP address. There are mechanisms in place to compensate for this, such as inserting an X-Forwarded-For header, but this is only possible with HTTP and SMTP traffic. One of the major concerns with organizations that deploy on a one-armed, or sNAT'ed, configuration is that network troubleshooting becomes more difficult.
The decision to configure the F5 as a router or one-armed device is not a global setting. Organizations can configure a hybrid of sNAT'ed vips as well as non-sNAT'ed vips on the same F5 unit. Organizations that are new to the concept of load balancing generally deploy the F5 in a one-armed configuration, as this means there are no changes that need to be made to the infrastructure to fit the F5 in the network. Until the organization is comfortable with the concepts of load balancing, it is comforting for them to know they can easily "rip it out" and revert to a non-load-balanced environment.
As organizations mature with the concept of load balancing they can phase in non-sNAT'ed vips alongside the sNAT'ed vips, as they become more willing to make the F5 the default gateway for nodes on their network, and deal with management traffic.
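The reply above mentions X-Forwarded-For as the way a pool member behind a sNAT'ed vip recovers the client address. The following is an added example, not part of the original post and not F5 code, showing how a pool member can use that header for IP-based rules and logging without trusting values a client sent itself. The `10.0.0.0/29` range, the sample addresses and the function names are constructed, and it assumes the load balancer appends the client address as the last X-Forwarded-For value.

```python
import ipaddress

# Assumption (constructed): the self-IP/SNAT addresses the load balancer
# uses as source when it connects to pool members.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_headers):
    """Return the address to use for IP-based rules and logging.

    peer: source address of the TCP connection as seen by the pool member.
    xff_headers: list of X-Forwarded-For header values, in received order.
    """
    peer_addr = ipaddress.ip_address(peer)
    # Connection did not arrive from the load balancer: ignore the header,
    # since any client can send an X-Forwarded-For of its choosing.
    if not _is_trusted(peer_addr):
        return str(peer_addr)
    # Flatten repeated headers and comma lists into one chain, left to right.
    hops = [h.strip() for v in xff_headers for h in v.split(",") if h.strip()]
    # Walk from the right: the last entries were added by our own proxies;
    # anything further left was supplied by the client and proves nothing.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and fall back to the peer address
        if not _is_trusted(addr):
            return str(addr)
    return str(peer_addr)
```
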