Forum Discussion
In-Line or One-Arm LTM Placement
One more thing that nobody stated here: remember that F5s do not have full-state failover. In my 7 years of experience I've seen situations and environments where this setup was a disaster, since applications were not able to reconnect sessions after failover of the F5 cluster. For me, having inline is the last resort (I would run the cluster in hybrid mode so we just use inline for particular VIPs when necessary).
- ltmbanter_43291 Dec 05, 2013
Nimbostratus
Cluster in Hybrid mode, never considered that. Thanks! When we upgrade our 6400's, I'll consider that.
- Robin_Mordasie1 Dec 06, 2013
Historic F5 Account
Really there is no distinction between inline or one armed. In both cases the F5 is a full proxy, so whether the egress is on the same VLAN as the ingress or they are in different VLANs, there isn't a difference in how the traffic is processed. The question really comes down to whether or not we need to SNAT traffic. If the F5 is not the default gateway for the application servers. If it is, then we do not need to SNAT.
- Austin_Geraci_3 Jan 13, 2017
Cirrus
Just an update to Bart's reply above - full state failover has been supported via connection mirroring for quite a long time now - with a few limitations. Bart was probably referencing connection mirroring for SSL - which is indeed supported now in v12, see here:
Overview of connection and persistence mirroring (11.x - 12.x)
Configuring SSL connection mirroring
- Bart_18836 Jan 13, 2017
Nimbostratus
Austin,
I am fully aware of connection mirroring, but it's not a lightweight solution in terms of performance, especially when you run hundreds of thousands of connections. It can be used in some exceptions, but I never treat this as a standard configuration.
- Jan 14, 2017
Definitely not lightweight, but with the proper gear you can accommodate the numbers you reference.
Check out the iSeries datasheets, some impressive numbers. Connection mirroring is one of the first things I'm going to beat up in a lab when I get my hands on one.
- Bart_18836 Jan 19, 2017
Nimbostratus
Sure, have fun testing, especially with SSL virtual servers ;) I've been there a few years ago. In my career I started with BigIP version 4, and I believe version 9 or 10 introduced mirroring, but I never recommended using it unless there is no other way. In the end it's all about business (costs) versus security requirements on the design which we are discussing here.