Forum Discussion

anish6190
May 11, 2025

Two Arm Deployment mode using PBR

I am planning to deploy a BIG-IP VE in a two-arm deployment on an NDFC fabric using PBR. Could you share your insights and thoughts on it, or relevant source information I can go through that addresses some queries or assumptions I have in mind?

5 Replies

  • The overhead of SNAT in F5 is negligible.
    As a reverse proxy, things will be much easier if you install F5 in one-arm mode.

  • I now saw your picture, as I did not see that you attached one. For the VIP, as it is on interface 1 with IP address 192.168.10.x, PBR or SNAT should be only for the return traffic.

     

    Using SNAT to change the traffic to be sourced from 192.168.11.x will be easier, but maybe you want the servers to see the original client IP address, and this is why you are looking at PBR. Keep in mind that F5 can add an XFF header for HTTP/HTTPS traffic, or use TCP option 28 or proxy protocol for TCP traffic, but then you need to sync with the server team to confirm they are OK with this.

     

    Using the X-Forwarded-For (XFF) HTTP header to preserve the original client IP address for traffic translated by a SNAT object

    Inserting X-Forwarded-Host HTTP header

    Original IP address sent to backend servers for non HTTP traffic when SNAT configured

    Proxy protocol for the BIG-IP


    For PBR to be used for the return traffic if SNAT is not enabled: with PBR you can configure the router to send the traffic to the F5 192.168.11.1, or just modify routing on the router with a static route, maybe. What I see as an issue is the server-initiated traffic (server upgrade or app upgrade, NTP, etc.) that is not a reply to client traffic and may be redirected to the F5. You can have an F5 Layer 3 forwarding VIP to capture that traffic and send it to the router if you can't exclude it from being sent to the F5 device. If you know the client source IP addresses (if only internal clients use the servers, rather than the entire internet), then it will be easier, as PBR or a static route can send only the server traffic destined for the client subnet to the F5 device. You can use WCCP as a replacement for PBR, but it depends on your topology. Try SNAT if the server team agrees, then PBR, and if you need more control, WCCP.

     

    Overview of IP forwarding virtual servers

    Configuring a One-Arm Deployment Using WCCPv2
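The reply above points out that when SNAT hides the client address, the BIG-IP can carry the original client IP in an X-Forwarded-For header (HTTP) or a PROXY protocol header (any TCP), but only if the server team agrees to consume it. The example below is added here and is not part of the thread or of any F5 documentation; it shows what the server side of that agreement should look like: honour X-Forwarded-For and PROXY protocol v1 only when the TCP peer is one of the BIG-IP's SNAT addresses, because anything else that can reach the server directly could forge either of them. The 192.168.11.0/24 trusted range (chosen to match the thread's 192.168.11.x SNAT addressing), the function names and the sample byte stream are assumptions constructed for this example.

```python
"""Server-side consumption of client-IP metadata set by a SNATing proxy.

Added example, not code from the thread or from F5. It implements the two
options the reply mentions: X-Forwarded-For (HTTP) and PROXY protocol v1 (TCP).
"""
import ipaddress
from typing import Optional, Tuple

# ASSUMPTION (constructed for this example): the BIG-IP SNATs server-side
# traffic from 192.168.11.0/24. Only connections arriving from these addresses
# may assert a client IP; a header from any other peer is treated as forged.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.11.0/24")]

# ASSUMPTION: a constructed byte stream as the BIG-IP would send it with
# PROXY protocol v1 enabled, followed by the start of the client's HTTP request.
SAMPLE_PROXY_STREAM = (
    b"PROXY TCP4 203.0.113.7 192.168.10.5 51234 443\r\n"
    b"GET / HTTP/1.1\r\n"
)


def _is_trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(peer_ip: str, xff: Optional[str]) -> str:
    """Return the client IP to log/authorise on, given the TCP peer and the
    X-Forwarded-For header value (or None if absent)."""
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer) or not xff:
        # Untrusted peer: ignore the header entirely, the peer is the client.
        return str(peer)
    hops = [h.strip() for h in xff.split(",")]
    # Walk right-to-left: the rightmost entry was appended by the nearest proxy.
    # Skip our own trusted hops; the first untrusted address is the real client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Garbage in the trusted tail of the chain: refuse to trust any of it.
            return str(peer)
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


def parse_proxy_v1(data: bytes) -> Tuple[Optional[dict], bytes]:
    """Parse a PROXY protocol v1 line at the start of a TCP stream.

    Returns (info, remaining_bytes). info is None for 'PROXY UNKNOWN'.
    Raises ValueError on anything malformed so the caller can drop the connection.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("stream does not start with a PROXY v1 header")
    # The v1 line is at most 107 bytes including the CRLF; do not scan further.
    end = data.find(b"\r\n", 0, 107)
    if end == -1:
        raise ValueError("PROXY header unterminated or too long")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    info = {"src": str(src), "src_port": sport, "dst": str(dst), "dst_port": dport}
    return info, rest


def client_ip_from_proxy_protocol(peer_ip: str, data: bytes) -> Tuple[str, bytes]:
    """Same trust rule for PROXY protocol: only a trusted SNAT peer may assert
    a client IP. Returns (client_ip, bytes_to_hand_to_the_application)."""
    if not _is_trusted(ipaddress.ip_address(peer_ip)):
        return peer_ip, data  # not from the BIG-IP: no header expected, keep bytes
    info, rest = parse_proxy_v1(data)
    return (info["src"] if info else peer_ip), rest


if __name__ == "__main__":
    print(client_ip_from_xff("192.168.11.5", "198.51.100.2, 203.0.113.7, 192.168.11.5"))
    print(client_ip_from_xff("10.0.0.9", "203.0.113.7"))   # untrusted peer: header ignored
    print(client_ip_from_proxy_protocol("192.168.11.5", SAMPLE_PROXY_STREAM))
```

The trust list is the piece the server team actually has to agree on with the F5 team: it must contain exactly the SNAT addresses (or SNAT pool) the BIG-IP uses toward the servers, and nothing broader, otherwise a host on the server subnet can impersonate any client by sending its own header.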

  • Do you think we use the same methodology in a two-arm deployment? Are there any relevant docs I can refer to on this? If you could share them, it would be great.