LC DESIGN QUERY
DEAR ALL,
Appreciate your comments and recommendations on the LC design query below.
The customer has two internet links. One is an ADSL link which has a dynamic public IP address. The other is a leased line link which has a static public IP address. The current setup is indicated in Network Diagram 1.
Current setup traffic flow:
· Internal LAN subnets: 10.10.X.X
· All LAN subnets which have internet permission are NATed on the FW as: 1XX.16X.2XX.114
· Mail and other applications which use public IPs are NATed on the FW from the 1XX.16X.2XX.112/29 pool using static NAT.
· Once traffic reaches the internet router, which now has both the ADSL and L.L interfaces, the router checks the source: if it is 1XX.16X.2XX.114 it is sent to ADSL and NATed again using the ADSL dynamic IP (double NAT here); otherwise it goes directly to the L.L (in this case the source may be from 10.10.X.X or from subnet 1XX.16X.2XX.112/29, excluding 1XX.16X.2XX.114, which goes to ADSL).
· Site to Site VPNs are terminated directly on the FW outside (external) interface.
The customer bought a Big-IP Link Controller to load balance outbound internet traffic between the ADSL and Leased Line links.
The new setup with Big-IP is indicated in Diagram 2.
The new setup with LC requires the traffic flow to be as follows:
1. LC must load balance between the two routers if the traffic coming from the Firewall has source 1XX.16X.2XX.114.
2. LC must route all other traffic sourced by the Firewall to the 3945 router, which holds the L.L, since this is VPN and application traffic which needs public mapping and only has routing from outside through the Leased Line.
3. F5 must not do any modification or NATing of source and destination for incoming and outgoing traffic.
4. F5 should route all incoming traffic from the routers directly to its next hop at the firewall IP address.
F5 LC configuration as follows:
ADSL_Vlan
    Self-IP: 1.1.2.1/24
Leased_Vlan
    Self-IP: 1.1.1.1/24
FW_VLAN
    Self-IP: 1XX.16X.2XX.113/29
GW_Pool
    Members
        1.1.2.2:0
        1.1.1.2:0
Http_Pool
    Members
        1.1.2.2:0 ratio 5
        1.1.1.2:0 ratio 1
route default inet {
    pool GW_Pool
}
1. LC must load balance between the two routers if the traffic coming from the Firewall has source 1XX.16X.2XX.114.
Will this outbound_http_vs load balance outbound HTTP traffic with source IP 1XX.16X.2XX.114 if SNAT is set to None, or do I have to write a specific iRule to achieve this result? Please specify the iRule if it is required.
virtual outbound_http_vs {
    destination any:80
    mask any
    pool Default-gateway-pool
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        FW_VLAN
    }
    vlans-enabled
}
Pool config:
pool http_pool {
    allow-nat yes
    allow-snat yes
    load-balancing-mode dynamic-ratio-member
    members {
        1.1.2.2:0 { ratio 5 }
        1.1.1.2:0 {
            ratio 1
            session monitor-enabled
        }
    }
    monitor gateway_icmp
}
2. LC must route all other traffic sourced by the Firewall to the 3945 router, which holds the L.L, since this is VPN and application traffic which needs public mapping and only has routing from outside through the Leased Line.
3. F5 must not do any modification or NATing of source and destination for incoming and outgoing traffic.
4. F5 should route all incoming traffic from the routers directly to its next hop at the firewall IP address.
Will these virtuals meet the points mentioned above, or do I have to create specific service-based inbound and outbound IP forwarding virtuals?
virtual ADSL_VLAN_VS_Outbound {
    ip forward
    destination 1.1.2.0:any
    mask 255.255.255.0
    vlans {
        ADSL_Vlan
        Leased_Vlan
        FW_VLAN
    }
}
virtual Leased_VLAN_VS_Outbound {
    ip forward
    destination 1.1.1.0:any
    mask 255.255.255.0
    vlans {
        ADSL_Vlan
        Leased_Vlan
        FW_VLAN
    }
}
virtual FW_VLAN_VS_Inbound {
    ip forward
    destination 1XX.16X.2XX.0:any
    mask 255.255.255.248
    vlans {
        ADSL_Vlan
        Leased_Vlan
        FW_VLAN
    }
}
Last hop pool {
    GW_Pool
}
Appreciate your comment and recommendation for the best possible configuration.
Regards
INSITHA
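Written out in tmsh, the three requirements above look roughly like the following. This is an added illustration, not the poster's configuration: it assumes TMOS tmsh syntax, keeps the post's VLAN, pool and (masked) address values as written, and selects the 1XX.16X.2XX.114 traffic with a source-restricted virtual server instead of an iRule; the names LL_Pool, outbound_lb_vs, outbound_other_vs and inbound_fw_vs are assumed.

```tmsh
# Added example, not the poster's config; LL_Pool and the *_vs names are assumed.
# 1. Only traffic the firewall NATs to 1XX.16X.2XX.114 is load balanced
#    across both routers. A /32 source is more specific than the catch-all
#    below, so BIG-IP matches this virtual first. No SNAT, no translation.
ltm virtual outbound_lb_vs {
    destination 0.0.0.0:any
    mask any
    source 1XX.16X.2XX.114/32
    pool http_pool
    profiles { fastL4 { } }
    translate-address disabled
    translate-port disabled
    source-address-translation { type none }
    vlans { FW_VLAN }
    vlans-enabled
}
# 2. Everything else from the firewall (static-NAT hosts, VPN) goes only
#    to the 3945 on the leased line, so the pool has a single member.
ltm pool LL_Pool {
    members { 1.1.1.2:0 { } }
    monitor gateway_icmp
}
ltm virtual outbound_other_vs {
    destination 0.0.0.0:any
    mask any
    pool LL_Pool
    profiles { fastL4 { } }
    translate-address disabled
    translate-port disabled
    source-address-translation { type none }
    vlans { FW_VLAN }
    vlans-enabled
}
# 3. Inbound from either router is forwarded untouched to the firewall's
#    /29 (directly connected via FW_VLAN); last-hop-pool returns the reply
#    through the router it arrived from instead of the default route.
ltm virtual inbound_fw_vs {
    destination 1XX.16X.2XX.112:any
    mask 255.255.255.248
    ip-forward
    profiles { fastL4 { } }
    source-address-translation { type none }
    vlans { ADSL_Vlan Leased_Vlan }
    vlans-enabled
    last-hop-pool GW_Pool
}
```

The inbound destination uses the .112/29 network from the static NAT pool in the post rather than the .0 shown in FW_VLAN_VS_Inbound, since .0 with a 255.255.255.248 mask would not cover the firewall's addresses.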