Forum Discussion

tolinrome_13817's avatar
tolinrome_13817
Icon for Nimbostratus rankNimbostratus
Feb 13, 2014

one arm setup and two vlans

I recently setup a bigip virtual and have it as a one arm setup. The bigip is off he dmz interface and then goes back out the same interface to the internal interface (all via the firewall). I do tho...
application delivery
deployment
design
LTM
management
  • Robin_Mordasie1's avatar
    Robin_Mordasie1
    Feb 13, 2014

    Typically when people refer to a "one-armed" configuration, it usually means that the virtual-address is on the same vlan and subnet as the application servers, and the application servers are not configured to use the F5 as their default gateway. When the F5 is not the default gateway we have to SNAT client traffic to maintain route symmetry. On the other side of the coin, a "routed", or "dual arm" configuration usually means that application servers are on a different vlan than the virtual-address, and that the F5 has been configured as the default gateway for application servers, which then means we do not need to SNAT client traffic. In either case the F5 is a full proxy and maintains both client side and server side connections regardless of the ingress/egress path.

     

jgranieri's avatar
jgranieri
Icon for Nimbostratus rankNimbostratus
Feb 13, 2014

From my perspective dual arm setup is more of standard deployment and makes understanding the traffic flow much easier. Whether you use the LTM as a forward or backward proxy is up to you. I have used a one arm design when migrated from another vendor onto the F5 to keep the initial migration simple.

 

If you need an IDS or a sniffer with a dual arm you need additional taps and or span monitor setups.