Forum Discussion
NAT or Native IP address for Administrative Connections
Hello,
I have several pool members that are that are reachable/available through with their native IP addresses or NAT'ed addresses configured on the LTM (v11.4.1).
For non-load balanced connections (backups, monitoring etc), is it best/more efficient to connect to the native or NAT addresses?
Thanks in advance.
Cheers, Jeremy
- James_ThomsonEmployee
Short answer, no it doesn't matter. Long answer: To the BIG-IP, it's pretty much the same. It still needs to track the flow, it has to build a connection. The fact that the IP address changes it immaterial. I've done performance tests (on version 11.X and later) which show that whether BIG-IP is doing NAT, VIP/NAT, SNAT, forwarding, doesn't really matter to the overhead. The only thing that changes it would be if there was a function you had configured which would stop the ASIC from running, like doing Layer7 inspection on a virtual server.
Now, me personally, if I have the option to run non-NAT'd traffic through, then I do that to make things easier for troubleshooting. It usually just depends on where my security perimeter is.
- Jeremy_Keen_133NimbostratusHi James, thanks for getting back to me with an answer - and what you're saying makes sense. Cheers, Jeremy
- James_Thomson_1Historic F5 Account
Short answer, no it doesn't matter. Long answer: To the BIG-IP, it's pretty much the same. It still needs to track the flow, it has to build a connection. The fact that the IP address changes it immaterial. I've done performance tests (on version 11.X and later) which show that whether BIG-IP is doing NAT, VIP/NAT, SNAT, forwarding, doesn't really matter to the overhead. The only thing that changes it would be if there was a function you had configured which would stop the ASIC from running, like doing Layer7 inspection on a virtual server.
Now, me personally, if I have the option to run non-NAT'd traffic through, then I do that to make things easier for troubleshooting. It usually just depends on where my security perimeter is.
- Jeremy_Keen_133NimbostratusHi James, thanks for getting back to me with an answer - and what you're saying makes sense. Cheers, Jeremy
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com