For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Josh_41258's avatar
Josh_41258
Icon for Nimbostratus rankNimbostratus
Sep 30, 2013

LTM+ASM On DIfferent BIG-IPs

Is there a deployment guide for v11 that discusses the best practices when deploying LTM and ASM on separate BIG-IP devices?

 

I see this for v10: http://www.f5.com/pdf/deployment-guides/big-ip-ltm-wa-asm-dg.pdf

 

What is the preferred way to integrate the two? Do you create a pool on the LTM that contains the VIP's living on the ASM? In the event of an ASM failure, I'm thinking you would also want to put the real server's in the LTM pool and use priority group activation to prefer the "ASM pool members"?

 

Thanks

 

design

6 Replies

  • Sec-Enabled_658's avatar
    Sec-Enabled_658
    Icon for Cirrostratus rankCirrostratus
    Sep 30, 2013

    I have configured a ASM deployment that is similar to your scenario.

     

    The traffic flow is like this:

     

    1. Client initiates a request.
    2. The LTM receives the request on external vip and load balances it to an ASM pool member (VIP on ASM unit) within the farm.
    3. ASM analyzes the traffic.
    4. ASM sends the request to an internal (different) VIP back on the same LTM the request came in on .
    5. The internal VIP then load balances to a backend pool member.
    6. The response returns back through the internal vip, back through ASM, back through external vip and back to the client.

    I haven't found a best practice document, but this seems to be working fine.

     

    • Josh_41258's avatar
      Josh_41258
      Icon for Nimbostratus rankNimbostratus
      Sep 30, 2013
      Nathan, Does your external pool on the LTM contain only one VIP (the ASM VIP). I'm assuming you are using ASM in active/standby? Do you also throw in the actual server pool members in case ASM becomes unavailable? Not knowing ASM at all, I'm assuming that you configure ASM to send the request to another VIP (internal VIP). This is done in the ASM configuration directly? Thanks
  • Sec-Enabled_658's avatar
    Sec-Enabled_658
    Icon for Cirrostratus rankCirrostratus
    Sep 30, 2013

    The external pool actually has two pool members, as the ASMs are running as standalone asm devices. So either asm can process the traffic at any time. The asm vip LB's to a pool that has one member as the LTM is running as active/standby mode.

     

    • Josh_41258's avatar
      Josh_41258
      Icon for Nimbostratus rankNimbostratus
      Sep 30, 2013
      Ok, gotcha. So, if your ASM's go down, you won't be able to process traffic, correct? That is why I was considering using priority groups on the external LTM to send directly to the LTM if ASM goes boom.
  • Sec-Enabled_658's avatar
    Sec-Enabled_658
    Icon for Cirrostratus rankCirrostratus
    Sep 30, 2013

    True, but in this setup, GTM is involved, so If your ASM farm goes down, your external vip on the ltm will go down and GTM will resolve to Datacenter 2 instead of Datacenter 1

     

  • Mohammed_M_Irfa's avatar
    Mohammed_M_Irfa
    Icon for Nimbostratus rankNimbostratus
    Aug 30, 2018

    Hi Sec/Josh,

     

    Can you please share the links for configuration of LTM and ASM on different devices.

     

    I am aware of LTM configuration and LTM+ASM but on different device i am not!

     

    So can you guide as i am new in this architecture.