Forum Discussion
STTR_85331
May 09, 2011 · Nimbostratus
Virtual Server placement with LTM
Greetings,
We have traditionally located LTM virtual server IPs on the network associated with the outside interface of our LTMs.
I'm wondering if there is any reason that the vi...
Hamish
May 09, 2011 · Cirrocumulus
6 of one... Half dozen of the other... I could probably justify either way. Except when it comes to support and troubleshooting.
The important thing is what do you want to do with the traffic, and how you want to present client IPs to the servers. And how easy you want support to be.
Generally if you treat the LTM like a proxy it works better for understanding what's happening. The clever thing about it as a proxy is that it can make the connection opened to the servers appear as the client IP. To do that you have to think of the LTM as a router...
The important thing is that to manipulate traffic you have to see both directions of traffic...
Then consider SNAT... In order to be able to tcpdump a server connection at the server and be able to differentiate clients, you need to NOT SNAT the serverside connection... To do that, the route back to the client needs to be via the LTM. Which if the service IP address is on the inside of the LTM may mean routing changes to the internal network. YMMV...
Generally to make things EASIER... Put the VS IP on one side of the LTM and the servers on the other... And don't SNAT. If servers want to use a VS, then you need an iRule to SELECTIVELY enable SNAT for servers that are also clients... You may also have some fun with routing back to clients for non-SNAT'ed traffic. (Where your servers aren't on a VLAN directly connected to the LTM... Policy routing is your friend there.)
Sorry... No short answer for all that. But consider carefully what you're trying to achieve, and what you want to debug in the future and how you're going to do it... There's no WRONG way... Just some ways that are a little easier than others.
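The selective SNAT mentioned in the reply above could look like the following iRule. This is an added example, not part of the original post; the data group name `server_client_nets` is hypothetical and is assumed to be an address-type data group listing the subnets of servers that also connect to the virtual server.

```tcl
# Added example (not from the original thread).
# Assumption: "server_client_nets" is a hypothetical address-type data group
# holding the subnets of pool members that also act as clients of this VS.
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals server_client_nets] } {
        # The client sits on the same side as the pool members. Without SNAT
        # the chosen member would reply directly to its neighbour, the LTM
        # would never see the return traffic, and the connection would fail.
        # Translating the source forces the reply back through the LTM.
        snat automap
        log local0. "SNAT applied for server-side client [IP::client_addr]"
    } else {
        # Ordinary clients keep their real source address, so server logs and
        # a tcpdump taken at the server can still tell clients apart. This
        # relies on the servers' route back to the client going via the LTM.
        snat none
    }
}
```

Server-side logs will show the LTM's self IP only for connections that matched the data group, so the LTM log line is the place to recover the original source for those flows.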