Forum Discussion
SNAT Pool on secondary VLAN
Dear Brandon,
this is more a network design and routing question.
In general if you configure a virtual server, the BIG-IP at least performs a destination-NAT (VS-IP -> Poolmember-IP). But to guarantee that response traffic is also coming back through the BIG-IP, most of the time you also have to configure source-NAT (unless the default gateway of the poolmembers is pointing to the BIG-IP).
For this source-NAT you can either choose between SNAT automap, which means the floating IP of the VLAN, which is used depending on the routing table to reach the poolmember, is used. Or you can create a dedicated SNAT pool and specifiy IPs there. Keep in mind as mentioned above, that you need to guarantee, that response traffic is coming back through the BIG-IP. So as long as the poolmembers for your virtual server are reachable via the secondary VLAN, a SNAT pool with IPs from this VLAN should be fine.
Alternatively you can also work with transfer-/link-VLANs. One of our preferred network designs is as following:
- floating VIP-range
- "clientside" transfer-VLAN, which will be used to route the VIP-range towards the BIG-IP
- "serverside" transfer-VLAN, which will be used to route towards the different nodes/poolmembers using static routes
- default route is pointing to the peer of the clientside transfer-VLAN
So at the end it's important to know, which requirements you have from a network design perspective. Based on this you can define the correct SNAT solution.
Hope that helps, otherwise please provide more details about your requirements (maybe also a small network diagram is useful).
Thank you!
Regards Stefan :)
Hi Stefan,
Thanks for the reply on this. I am attempting to create a dedicated SNAT pool with IPs from that secondary VLAN, which resides within the same route domain as the primary VLAN. All pool members are reachable from the secondary VLAN but when I create a test SNAT pool, apply it to the VS, the application will not load.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com