Forum Discussion
What is the impact of adding a floating IP to an active HA LTM pair?
Hello. I have recently started a new position and while going through the environment I've found a couple pairs of LTMs in HA config with floating IPs for some networks and not for others. I generally follow the best practice of creating a floating IP for any network on any pair of devices. To my knowledge we are not using the LTMs as the default gateway on any of the servers that are load balanced by the F5s. In this case I would think there would be no impact to adding a floating IP and then synching each pair, but since they are production devices I'd like to get some confirmation from the community. Please let me know if you need some more details. Thanks.
I.e. for outbound traffic (outgoing requests for DNS, NTP, whatever) it may be necessary to have a virtual address (floating self IP for SNAT automap). (Perhaps your external firewall is applying the source NAT?)
- Steve_M__153836Nimbostratus
We are planning to configure network mirroring and network failover. I was under the impression a floating IP was required on all traffic VLANs to support a seamless failover with those configured. Please correct me if I am wrong. We had an F5 consultant do a review of our devices and he stated we are at risk of an outage in the event of a failover without that floating IP configured (having some trouble getting further info out of him).
- What_Lies_Bene1Cirrostratus
That is correct, without floating IPs you will suffer in the event of a failover and it would be pointless to use mirroring and failover without them. I'd also recommend you use MAC Masquerade too.
- Cory_50405Noctilucent
Unless you have something egressing your network through the BIG-IP using an SNAT auto map, you should be good. Based on your scenario though, why would you need to add a floating IP address to your external vlan?
- Steve_M__153836Nimbostratus
This is great feedback. Thank you all. So let me be more specific. This is only Active/Standby; no active/active config. There are self IPs and a floating IP for the egress VLAN (server side), but only self IPs for the ingress VLAN (client side). In this situation traffic server-side should not be affected because there is already a floating IP address for that VLAN. In this situation my only concern would be firewall/access control mechanisms as stated by Cory, correct?
Modifying floating IPs will also have an impact on active/active deployments. Make sure to add a floating IP per traffic group.
- Cory_50405Noctilucent
One consideration to keep in mind:
When adding a floating IP address to an existing vlan that's processing traffic, traffic could immediately begin using that floating IP, so your backend resources could see a change in the IP address they are receiving traffic from. Rather than sourcing from the non-floating self IP, requests would begin sourcing from the floating self IP. Certainly a consideration when taking into account any firewall/access control mechanisms.
- kunjanNimbostratus
If LTM is currently using automap for SNAT, then need to watch out.
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7336.html
- DomaiAltostratus
I am assuming if you don't define the floating address for the network when it fails over that particular subnet vips will not be reachable because there is no one to handover or repoint to the stby ltm... whereas the vips on the subnet where floating is enabled will not have any issues. In my environment we make sure that floating is defined on all the subnets we are using.
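
Added example, not part of the thread and not F5 code: a small audit that lists which VLANs have self IPs but no floating self IP, and which non-floating addresses on those VLANs may currently appear as SNAT automap sources in firewall or ACL rules. The stanza layout is an assumption modelled on `tmsh list net self` output, and the object names and addresses are constructed.

```python
import re

# Constructed sample; layout assumed to follow `tmsh list net self`.
SAMPLE = """\
net self ext_self {
    address 192.0.2.2/24
    traffic-group traffic-group-local-only
    vlan external
}
net self int_self {
    address 10.10.10.2/24
    traffic-group traffic-group-local-only
    vlan internal
}
net self int_float {
    address 10.10.10.1/24
    floating enabled
    traffic-group traffic-group-1
    vlan internal
}
"""

def parse_self_ips(text):
    """Return one dict per `net self` stanza: name, address, vlan, floating."""
    entries = []
    # A stanza ends at the first closing brace in column 0.
    for name, body in re.findall(r"^net self (\S+) \{\n(.*?)^\}", text, re.S | re.M):
        props = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2:
                props[parts[0]] = parts[1]
        entries.append({"name": name, "address": props.get("address"),
                        "vlan": props.get("vlan"),
                        "floating": props.get("floating") == "enabled"})
    return entries

def vlans_without_floating(entries):
    """Map each VLAN lacking a floating self IP to its non-floating addresses."""
    by_vlan = {}
    for e in entries:
        by_vlan.setdefault(e["vlan"], []).append(e)
    return {vlan: sorted(e["address"] for e in es)
            for vlan, es in by_vlan.items()
            if not any(e["floating"] for e in es)}

if __name__ == "__main__":
    for vlan, addrs in vlans_without_floating(parse_self_ips(SAMPLE)).items():
        print(f"{vlan}: no floating self IP; current self IPs {addrs}")
```

Run it against the saved self IP listing from each unit of the pair, and check the reported addresses against upstream firewall and access control rules before adding the floating address.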