Forum Discussion

Shanny
Dec 04, 2019

LTM: Moving from one armed setup to fire-walled interfaces

Hey all, question for you regarding the architecture of the F5 and ways to set it up. In my current role, I didn't set up our LTM VE. Our LTM sits off an ASA and has multiple VLANs behind it. The problem with this approach is we have other servers on those VLANs that aren't load balanced and route through the F5, which eats up the bandwidth license. The other problem is, there's no firewall in between these VLANs with the current setup.


My plan is to create these VLANs on the ASA as well and make sure non-load-balanced traffic goes through the firewall (default gateway) and not the F5. I'm curious if I need to make any changes on the F5 for this. I'm assuming I will need to leave the VLANs there but just change the servers' default gateway to the firewall. Then make sure all the virtual servers are set up to use Automap so they route back through the LB if they receive traffic that was load balanced.


Is there anything I'm missing?

  • Your solution will work, but you've built yourself an overly complex network, with servers having different default gateways not being ideal.


    If I were you, I would move the three VLANs to the FW, and route to them using a transit VLAN.

    Your F5 doesn’t need to be directly connected to a VLAN in order to connect to your pool members.

    Simply add routes to the three VLANs on the F5, pointing towards the FW, and ensure auto-SNAT is enabled, and that's all you need to do.

    With this solution your servers will all have the same default gateway of your firewall.

    Return traffic to your F5 will route via the transit VLAN as source IP would be a self-IP of the F5 on the transit VLAN.
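The transit-VLAN design described in the reply above, written out as a tmsh configuration. This is an added example, not configuration from the original thread or from F5; every VLAN name, interface, IP address and subnet in it is a constructed placeholder (the transit VLAN is 10.255.0.0/29 with the firewall at .1 and the F5 at .2, the three server VLANs are 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24, and the virtual server address is from the 203.0.113.0/24 documentation range) that you would replace with your own addressing.

```tmsh
# Transit VLAN between the F5 and the firewall (interface and addressing are assumptions).
create net vlan transit interfaces add { 1.1 { untagged } }
create net self transit-self address 10.255.0.2/29 vlan transit allow-service none

# Default route and one static route per server VLAN, all pointing at the firewall.
# The F5 no longer needs a self IP on the server VLANs; it reaches pool members via the FW.
create net route default network 0.0.0.0/0 gw 10.255.0.1
create net route vlan10 network 10.10.10.0/24 gw 10.255.0.1
create net route vlan20 network 10.10.20.0/24 gw 10.255.0.1
create net route vlan30 network 10.10.30.0/24 gw 10.255.0.1

# Pool members live on the server VLANs behind the firewall (addresses are constructed).
create ltm pool web-pool members add { 10.10.10.11:80 10.10.20.11:80 10.10.30.11:80 } monitor http

# SNAT automap makes the F5 source load-balanced connections from the transit self IP
# (10.255.0.2), so the servers' default gateway (the firewall) carries the return path
# back to the F5 and no server needs the F5 as its gateway.
# Because automap hides the client address, the HTTP profile inserts X-Forwarded-For
# so the servers can still log the real client.
create ltm profile http http-xff defaults-from http insert-xforwarded-for enabled
create ltm virtual web-vs destination 203.0.113.10:80 ip-protocol tcp profiles add { tcp http-xff } pool web-pool source-address-translation { type automap }

# Checks: routes are in place and a test connection shows 10.255.0.2 as the server-side source.
list net route
show sys connection
```

Once the server VLANs exist on the firewall and the hosts' default gateway has been moved there, the old self IPs and VLANs on the F5 can be deleted (`delete net self ...`, then `delete net vlan ...`). The firewall policy then governs every load-balanced flow in both directions, so it must permit the transit self IP to reach the pool member ports and the corresponding return traffic; if health monitors go down after the move, that rule set is the first thing to check.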