Forum Discussion
crate_17871
Nimbostratus
Sep 07, 2010
same subnet lb + SSL
Guys,
Having an issue with full communication with some remote devices.
The network set as follows:
Handheld devices communicate via GPRS to a router through a firewall t...
Hamish
Cirrocumulus
Sep 07, 2010
That's not fatal. The only requirement is that the F5 see both flows of the TCP connection. So you then have 2 choices.
1. Implement policy based routing such that all traffic FROM the poolmember port on the server is routed via the F5 (Floating IP)
2. Or simply put the F5's floating selfip as the default router.
3. Move the servers off to a dedicated subnet BEHIND the F5...
Option 1 is cleaner... at the expense that some systems won't let you do this... Linux and iptables are pretty simple (I've done it myself, takes a couple of iptables lines to tag the packets and a tagged packet routing table entry). Option 2 is not as clean and has the disadvantage that hosts on the same subnet (besides the F5 of course) will be unable to access the load balanced service (that may or may not be a problem for you). Options 2 & 3 also require a wildcard network VS to be created on the F5 and also a route TO the servers via the F5 from the actual router (it starts to get messy on option 2 pretty rapidly).
H
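The iptables tagging and tagged-packet routing table from option 1, sketched as an added example that is not part of the original post or Hamish's own configuration. The function names are hypothetical, and the floating self IP `192.0.2.254`, port 443, interface `eth0`, mark 1 and table 100 are constructed placeholders; the script only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for option 1 on a Linux pool member.
# Addresses, port, interface, mark and table id are constructed placeholders.

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_uint VALUE MAX: succeeds for a decimal integer in 1..MAX.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 10 ] && [ "$1" -ge 1 ] && [ "$1" -le "$2" ]
}

# pbr_rules FLOAT_IP SPORT DEV [MARK] [TABLE]
# Prints (does not run) the commands that route replies from the
# pool-member port back through the F5 floating self IP.
pbr_rules() {
    float_ip=$1 sport=$2 dev=$3 mark=${4:-1} table=${5:-100}
    is_ipv4 "$float_ip" || { echo "bad floating IP: $float_ip" >&2; return 1; }
    is_uint "$sport" 65535 || { echo "bad port: $sport" >&2; return 1; }
    is_uint "$mark" 4294967295 || { echo "bad mark: $mark" >&2; return 1; }
    is_uint "$table" 4294967295 || { echo "bad table: $table" >&2; return 1; }
    case "$dev" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $dev" >&2; return 1 ;; esac
    # 1. Tag locally generated TCP packets sourced from the pool-member port.
    echo "iptables -t mangle -A OUTPUT -p tcp --sport $sport -j MARK --set-mark $mark"
    # 2. Tagged packets are looked up in a separate routing table.
    echo "ip rule add fwmark $mark table $table"
    # 3. That table's only route is a default via the F5 floating self IP,
    #    so every reply from this port goes to the F5, whoever the client was.
    echo "ip route add default via $float_ip dev $dev table $table"
}

# Constructed sample values: 192.0.2.254 stands in for the floating self IP.
pbr_rules 192.0.2.254 443 eth0
```

Review the printed commands before running them as root; rules added this way do not persist across a reboot.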