Forum Discussion
STTR_85331
Nimbostratus
Mar 31, 2011
LTM DMZ Design Question
Greetings,
We have been running a pair of LTMs in production for several years in what I would consider "one-armed" mode in that the traffic flows as follows:
Internet<-->Firewall...
Joel_Moses
Nimbostratus
Apr 04, 2011
@Simon: Hamish has hit the nail on the head as to why the NAT boundary from public to private is good to put at the LTM. It saves the firewall from having to do a relatively expensive NAT and allows the policy to be instantly readable by the folks responsible for setting said policy without having to drill down into boatloads of NAT. Since the LTM is a very capable NAT device -- one of its core functions, in fact -- I'd rather it be performed there and save the CPU at the firewall for more advanced things.
@Hamish: Once again, you've figured it out. We do indeed dynamically size our incoming pools to handle "bursts" of mail traffic. It makes sense because we have periodic "line of business" emails we send out en masse, and it will typically elicit a massive incoming response of the data we end up processing. Add the fact that we also are forcing TLS transport with most of our customers and have specific email gateway processing that needs to occur, and it becomes a no-brainer to spin up 3 or 4 more gateways in the pool for quarterly "events".
Also, we do have "backup" capacity on lower bandwidth links that we like to reserve; the way we operate our gateways is that if we see any incoming mail on the "backup" gateways, we automatically spin up more capacity at the central sites. Yay iControl!
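The capacity trigger Joel describes (any mail arriving on the low-bandwidth "backup" gateways means more gateways get added to the central pool) as an added example, not code from this thread or from F5: it shows only the decision logic, run over constructed per-member connection counters, with a cooldown so the pool is not resized on every poll. The `Member` fields, the `batch` and `cooldown` values, and the counter names are assumptions; the actual enable/disable calls to the BIG-IP via iControl are left out.

```python
from dataclasses import dataclass, field


# Constructed per-member record, loosely modelled on the current/total
# server-side connection counters a pool-member stats query returns.
# Field names are assumptions, not the iControl schema.
@dataclass
class Member:
    name: str
    role: str        # "primary", "backup" (low-bandwidth link) or "standby"
    enabled: bool    # currently active in the central pool
    cur_conns: int   # open server-side connections right now
    tot_conns: int   # cumulative connection counter


@dataclass
class ScalerState:
    last_tot: dict = field(default_factory=dict)  # tot_conns per backup gateway at last poll
    idle_polls: int = 0                           # consecutive polls with no backup traffic


def backup_saw_traffic(members, state):
    """True if any backup gateway accepted mail since the previous poll."""
    hit = False
    for m in members:
        if m.role != "backup":
            continue
        delta = m.tot_conns - state.last_tot.get(m.name, m.tot_conns)
        if m.cur_conns > 0 or delta > 0:
            hit = True
        state.last_tot[m.name] = m.tot_conns
    return hit


def plan_scaling(members, state, batch=3, cooldown=4):
    """Decide which standby gateways to enable or disable in the central pool.

    Returns ("add", names), ("remove", names) or ("hold", []). Standbys are
    enabled `batch` at a time as soon as the backup links see traffic, and
    only disabled after `cooldown` quiet polls, so a bursty mail event does
    not cause the pool to flap.
    """
    if backup_saw_traffic(members, state):
        state.idle_polls = 0
        spare = [m.name for m in members if m.role == "standby" and not m.enabled]
        return ("add", spare[:batch]) if spare else ("hold", [])
    state.idle_polls += 1
    if state.idle_polls >= cooldown:
        burst = [m.name for m in members
                 if m.role == "standby" and m.enabled and m.cur_conns == 0]
        if burst:
            return ("remove", burst)
    return ("hold", [])
```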