Forum Discussion

Jeremy_Keen_133
Aug 13, 2015

NAT or Native IP address for Administrative Connections

Hello,

 

I have several pool members that are reachable/available through their native IP addresses or NAT'ed addresses configured on the LTM (v11.4.1).

 

For non-load balanced connections (backups, monitoring etc), is it best/more efficient to connect to the native or NAT addresses?

 

Thanks in advance.

 

Cheers, Jeremy

 

  • James_Thomson_1
    Historic F5 Account

    Short answer, no it doesn't matter. Long answer: To the BIG-IP, it's pretty much the same. It still needs to track the flow, it has to build a connection. The fact that the IP address changes is immaterial. I've done performance tests (on version 11.X and later) which show that whether BIG-IP is doing NAT, VIP/NAT, SNAT, forwarding, doesn't really matter to the overhead. The only thing that changes it would be if there was a function you had configured which would stop the ASIC from running, like doing Layer7 inspection on a virtual server.

     

    Now, me personally, if I have the option to run non-NAT'd traffic through, then I do that to make things easier for troubleshooting. It usually just depends on where my security perimeter is.

     

    • Jeremy_Keen_133
      Hi James, thanks for getting back to me with an answer - and what you're saying makes sense. Cheers, Jeremy