Two Arm Deployment mode using PBR

Question

i am planning to deploy an BIG-IP VE on two-arm deployment on NDFC fabric using PBR. Could you share your insights and thoughts on it.. or relevant source information i can go through if it address some queries or my assumptions in mind

nikoolayy1 · Answer

WCCP could be nice in this case WCCP

nikoolayy1 · Answer

I now saw your picture as I did not see that you attached one. For the VIP as it is on interface 1&nbsp; with ip address 192.168.10.x , so PBR or SNAT should be only for the return traffic.
&nbsp;
Using SNAT to change the traffic to be sourced from 192.168.11.x will be easier but maybe you want the servers to see the original client ip address and this is why you look at PBR. Keep in mind that F5 can add XFF header for HTTP/HTTPS traffic or use option TCP 28 or proxy protocol for tcp traffic but then you need to sync with the server team if they are ok with this.
&nbsp;
Using the X-Forwarded-For (XFF) HTTP header to preserve the original client IP address for traffic translated by a SNAT object
Inserting X-Forwarded-Host HTTP header
Original IP address sent to backend servers for non HTTP traffic when SNAT configured
Proxy protocol for the BIG-IP
&nbsp;
&nbsp;
For PBR to be used for the return traffic if SNAT is not enabled then with PBR you can configure the router to send the traffic to the F5 192.168.11.1 or just modify routing on the router with a static route maybe. What I see as issue is the server intiated traffic (server upgrade or app upgrade, ntp etc.) that is not reply of a client traffic may be redirected to F5 . You can have F5 Layer 3 forwarding VIP to capture that traffic and send it to the router if you can't exclude it from being send to the F5 device. If you know the client source ip addresses (if only internal clients use the servers) as if it not the entire internet then it will be easier as PBR or static route can send the server traffic that is just the client subnet to the F5 device. You can use WCCP as a replacement of PBR but it depends on your topology. Try&nbsp; SNAT if the server team agrees and then PBR and if you need more control WCCP.
&nbsp;
Overview of IP forwarding virtual servers
Configuring a One-Arm Deployment Using WCCPv2

zamroni777 · Answer

the overhead of snat in f5 is negligible.as reverse proxy, things will be much easier if you install f5 in one arm mode

former member · Answer

Do you think we use&nbsp; the same methodology in two-arm deployment, is there any relevant docs which i can refer on this. If you share it would great

anish_6190 · Answer

Thanks for the broader view and perspective on this

Forum Discussion

Two Arm Deployment mode using PBR

5 Replies

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

Errors with AS3 3.56.0 with F5 17.5.1.6

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

migrate from serie I to R. Cluster LTM-GTM

Best Practice guide for enabling Attack signature In BIG-IP ASM

Related Content

F5 Container Ingress Services (CIS) deployment using Cilium CNI and static routes

Implementing SSL Orchestrator - L2 Mode Deployment

Implementing SSL Orchestrator - L3 Mode Deployment

Where are F5's archived deployment guides?

F5 BIG-IP deployment with OpenShift - per-application 2-tier deployments