Thomas_McLean_1
Jun 21, 2012 (Nimbostratus)
why internal and external
All,
Can you explain why, when setting up the BIG-IP, you should have an internal VLAN and an external VLAN? I'm getting more comfortable with F5 kit, but the more aware I get the more curious ...
L4L7_53191
Jun 24, 2012 (Nimbostratus)
Thomas: To elaborate a bit on Eric's response, there are several modes that the BigIP can operate in. Note that the terms 'external' and 'internal' really only mean the client-facing or server-facing VLANs in question. At least that's the definition I'm using for the examples below. Onward...
1) In-line, routed mode. This is the impetus for the internal and external VLAN setup for the most part. The idea here is you've got two (or more) distinct VLANs - 'external' facing and 'internal' facing, although this is an arbitrary distinction. For in-line routed mode your servers point to the floating IP on the internal-facing VLAN as their default route. The BigIP will process the flows like this:
client-> VIP (external) -> DNAT/DPAT -> Servers
Then the servers will respond out their default route, in this case the float, and the BigIP will reverse the translations and respond to the client.
2) One-armed mode. This is defined by having the VIPs and the destination pool members on the same VLAN. The servers point to another default route (usually, although not strictly required in one-armed mode). In order to avoid route asymmetry, the BigIP will source the traffic from a SNAT that you define, or the default of the floating IP address on the VLAN in question.
3) N-Path or direct server return. This is a rare edge case that used to make sense but rarely does anymore. I won't go into it here.
4) "L3" mode, which is one of my favorites and I consider it to be best practice, particularly in large environments. On the one hand it seems advanced, but on the other it simplifies things, especially during failover events. The idea is to have a Self-IP on the external-facing side. You've got a normal 'internal' VLAN setup. The trick with this deployment is all in the virtual server setup. The virtual servers can be bound to any addresses that you want, as you disable ARP on them. They won't advertise themselves to the network at all. The only address (or object, in BigIP parlance) that knows about them is the Self-IP address. It'll forward to them correctly and generally do the right thing. Your upstream routers should be set up to forward traffic destined for the VIP address(es) to the Self-IP of the LTM, hence the "L3" deployment. The advantage of this particular design is that it dramatically reduces the amount of GARP that happens during failover - the only IPs that GARP are now the Self-IPs - and it allows you to handle your VIP addressing in much more creative ways than being on a real network :)
Anyhow, I hope this helps.
--Matt
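The three deployment modes Matt describes (in-line routed, one-armed with SNAT, and "L3" mode with ARP disabled on the virtual addresses) can be modelled as a small packet-flow simulation. The block below is an added example, not F5 code and not part of the original thread: it tracks only address translation and the return path, not VLAN membership or L2 forwarding. All addresses are constructed from RFC 5737 / RFC 1918 ranges, and the `BigIP`, `run_flow` and `failover_garps` names are this example's own. It shows why routed mode needs the servers' default route on the internal floating IP, why one-armed mode without SNAT produces an asymmetric return path the client will not accept, and how disabling ARP on virtual addresses shrinks the GARP burst on failover to the self-IPs alone.

```python
# Added example (not F5's code): toy model of BIG-IP deployment modes.
# Addresses are constructed (RFC 5737 / RFC 1918); names are hypothetical.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

CLIENT = "198.51.100.7"      # constructed: client on the Internet side
UPSTREAM_GW = "203.0.113.1"  # constructed: router north of the BIG-IP
VIP = "203.0.113.10"         # constructed: virtual server address
SELF_EXT = "203.0.113.5"     # constructed: external self-IP
FLOAT_INT = "10.1.20.1"      # constructed: floating self-IP, internal VLAN
SELF_INT = "10.1.20.5"       # constructed: non-floating self-IP, internal VLAN
SERVER = "10.1.20.11"        # constructed: pool member


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class BigIP:
    """Minimal LTM: DNAT to a pool member, optional SNAT, reverse on return."""

    def __init__(self, snat: Optional[str] = None):
        self.snat = snat
        self.owned = {VIP, SELF_EXT, FLOAT_INT, SELF_INT}
        if snat:
            self.owned.add(snat)
        # connection table: (translated source, pool member) -> real client
        self.conns: Dict[Tuple[str, str], str] = {}

    def forward(self, pkt: Packet) -> Packet:
        src = self.snat or pkt.src          # SNAT replaces the client source
        self.conns[(src, SERVER)] = pkt.src
        return Packet(src=src, dst=SERVER)  # DNAT: VIP -> pool member

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        client = self.conns.get((pkt.dst, pkt.src))
        if client is None:
            return None                     # no matching flow: dropped
        return Packet(src=VIP, dst=client)  # restore VIP as the reply source


def server_reply(pkt: Packet, default_gw: str) -> Tuple[Packet, str]:
    """The pool member answers whoever the packet came from, via its gateway."""
    return Packet(src=pkt.dst, dst=pkt.src), default_gw


def run_flow(snat: Optional[str], server_gw: str) -> dict:
    """Push one request through and report what the client sees coming back."""
    ltm = BigIP(snat=snat)
    to_server = ltm.forward(Packet(src=CLIENT, dst=VIP))
    reply, next_hop = server_reply(to_server, server_gw)
    # The reply passes the BIG-IP if it is addressed to the BIG-IP (SNAT) or
    # routed through it (server default route on the floating self-IP).
    via_ltm = reply.dst in ltm.owned or next_hop in ltm.owned
    seen = ltm.reverse(reply) if via_ltm else reply
    return {
        "via_ltm": via_ltm,
        "reply_src": seen.src if seen else None,
        # the client opened a connection to VIP; anything else is dropped
        "symmetric": seen is not None and seen.src == VIP,
    }


def failover_garps(self_ips: Set[str], vips: Set[str], vip_arp: bool) -> Set[str]:
    """Addresses the newly active unit must gratuitously ARP for after failover."""
    return self_ips | (vips if vip_arp else set())


if __name__ == "__main__":
    print("routed          :", run_flow(snat=None, server_gw=FLOAT_INT))
    print("one-armed + SNAT:", run_flow(snat=FLOAT_INT, server_gw=UPSTREAM_GW))
    print("one-armed, no SNAT:", run_flow(snat=None, server_gw=UPSTREAM_GW))
    many_vips = {"203.0.113.%d" % i for i in range(10, 60)}
    selfs = {SELF_EXT, FLOAT_INT}
    print("GARPs with ARP on VIPs:", len(failover_garps(selfs, many_vips, True)))
    print("GARPs in L3 mode      :", len(failover_garps(selfs, many_vips, False)))
```

Running the script prints a symmetric result for routed mode and for one-armed mode with SNAT, and an asymmetric one for one-armed mode without SNAT, where the reply reaches the client sourced from the pool member instead of the VIP. The GARP comparison is the point of mode 4: with fifty virtual addresses the failing-over unit announces 52 addresses when ARP is enabled on them and only the two self-IPs when it is not.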