Forum Discussion
Fawad_29089
Nimbostratus
Nimbostratusnew setup of F5 LTM
Hi,
I have a few questions regarding LTM setup.
What type of certificates are required for LTM. Is it Device Certificate for LTMs to communicate and also the SSL certificate for SSL clients? Is there any other certificate?
Are there two pre-defined internal and external VLANs that cannot be changed? Can you associate any number of interfaces with those VLANs?
What is the difference b/w floatg IP and self IPs. Do we need both?
My LTM external interface will have multiple IPs for VIPs. It will connect to the firewall interface. Say my firewall interface has an IP 10.0.0.1/24. Can I create multiple VIPs on F5 on the same external VLAN using IPs 10.0.0.2, 10.0.0.3 and so on. Are these going to be Self IPs?
Would appreciate response!
Thanks,
Fawad
er_sandy_27437Hello Fawad,
let's go 1 on 1 on your questions.
1. Certificates on F5 will depend on the requirement. You can have 2 type of Certificates 1 generated from Certificate authorities(Entrust, Verisign etc.) or generated from self.
2.Yes you can assosiate any no. of interfaces in a perticular VLAN. But Why would you need to do that?
3. Self IP is the IP of your LTM box in that interface. Floating IP is the common IP which floats in case of Failover(Similar to the HSRP).
4. Yes you can have Multiple VIPs in that VLAN. They will not be the self IPs but act as virtual servers running particular services on them.
I hope i was able to resolve your answer. Please write in case of any query.
Fawad_29089Hi,
Thanks for your reply. I have the following comment:
1. To my understanding there is a device certificate and there is an ssl certificate. I guess both can be either self generated or through CA.
Are these certs necessary for ssl connections through the LTM?
Thanks
Cory_50405Noctilucent
Self signed certificates will work, but users will likely be presented with a browser warning that the certificate may not be trusted. It is best practice to obtain SSL certificates from an approved certificate authority. In most cases you'll have a separate certificate for each application/URL, but technically it isn't necessary.