In-Line or One-Arm LTM Placement

When the F5 is configured as the default gateway for backend nodes there are advantages as well as disadvantages. When deploying an F5 unit as a router, or gateway for pool members they see the real client ip address. One problem organizations face with deploying in routed mode is that management traffic for nodes also traverse the F5. The nature of management traffic can represent more bandwidth limiting the capacity of the F5. There are two solutions to this; one is to deploy large enough F5 devices to deal with the additional traffic, or to deploy a dedicated network for management traffic.

 

 

Generally organizations with mature networks tend to deploy F5 units as routers or gateways for members, however if management traffic represents a significant amount of bandwidth, and a deploying a dedicated management network, or deploying F5 units with higher throughput capacity is not an option, then a one armed configuration can be deployed.

 

 

Deploying an F5 in a one armed configuration also has its own set of advantages as well as disadvantages. Since members never see the real client ip address, locally configuring security rules based on ip addresses is not possible, and application logs never show the real client ip address. There are mechanisms in place to compensate for this such as inserting an X-Forwarded-For Header, but this is only possible with HTTP and SMTP traffic. One of the major concerns with organizations that deploy on a one armed, or sNAT'ed configuration is that network troubleshooting becomes more difficult.

 

 

The decision to configure the F5 as a router or one armed device is not a global setting. Organizations can configure a hybrid of sNAT'ed vips as well as non sNAT'ed vips on the same F5 unit. Organizations that are new to the concept of load balancing generally deploy the F5 in a one armed configuration, as this means there are no changes that need to be made to the infrastructure to fit the F5 in the network. Until the organization is comfortable with the concepts of load balancing it is comforting for them to know they can easily "rip it out" and revert to a non load balanced environment.

 

 

As organizations mature with the concept of load balancing they can phase in non-sNAT'ed vips alongside the sNAT'ed vips, as they become more willing to make the F5 the default gateway for nodes on their network, and deal with management traffic.