A Somewhat One-Arm Configuration on LTM
I will try to describe this configuration the best I can, and sorry if it gets too long. Our current configuration on our LTMs is as follows.
- External and Internal VLANs on LTM. The external VLAN is in 10.1.1.1 (example IP). There are several internal VLANs, 10.1.2.2, 10.1.3.3, 10.1.4.4, etc.
- All virtual servers use the external VLAN for their destination address.
- All nodes use the internal VLANs for their IPs.
- The nodes have two network adapters, one for external connectivity and one for internal connectivity. The default gateway on the nodes is the LTM. The internal network adapter is used to route traffic between the nodes and our internal servers.
The following configuration is what we want to do.
- External and Internal VLANs on LTM remain the same.
- Nodes have a single network adapter. The node IP is not in one of the internal VLANs on the LTM. The default gateway is our core switch and not the LTM.
- The virtual server has SNAT configured to allow the proper communication between the node and the LTM.
Reasons for the new configuration.
- Use only a single network adapter on the nodes.
- Set default gateway on the nodes to our core switch instead of the LTM to prevent external traffic going outbound from hitting the LTM, where the LTM has to act as a router and send that traffic to the core switch. There is a forwarding virtual server that forwards all outbound traffic to the core switch. The concern here is that the LTM is performing unnecessary routing and using resources.
- No persistent routes needed on the nodes to send internal traffic out the internal network adapter (the nodes are Windows servers).
The problem we have with the new configuration is that the original source IP of the connecting client is removed because of the SNAT needed. It is important that the original source IP is seen by the nodes. I have seen the option to use direct server return, but that is not an option in our environment, mainly because cookie insertion and port translation are not able to be implemented. I know we can make the IP of the single network adapter on the node be one in the internal VLAN of the LTM and set the default gateway to be the LTM. But then we are passing all traffic through the LTM, which goes back to the concern of the LTM performing unnecessary routing and using resources. Is there any other way to use this new configuration without SNAT and maintain the original source IP?
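As an added illustration (not part of the post above, and not F5 configuration), a small Python model of the three routing choices the question weighs: it traces where a node's reply to a load-balanced client goes and whether the LTM is still on the return path. The addresses, the node's subnet and the core switch's routing behaviour are assumptions made for the model.

```python
import ipaddress

# Constructed addresses, loosely following the examples in the post.
CLIENT   = "203.0.113.10"   # external client connecting to the virtual server
VIP      = "10.1.1.100"     # virtual server address on the external VLAN
SNAT_IP  = "10.1.1.101"     # LTM SNAT address (assumed; not given in the post)
LTM_INT  = "10.1.2.2"       # LTM internal VLAN self IP
NODE     = "10.9.9.50"      # single-NIC node outside the LTM's internal VLANs
NODE_NET = ipaddress.ip_network("10.9.9.0/24")   # assumed node subnet, gateway = core
LTM_OWNED = {VIP, SNAT_IP, LTM_INT}

def core_forwards_to(dst):
    """Assumed core switch behaviour: LTM-owned addresses go to the LTM, all else straight out."""
    return "LTM" if dst in LTM_OWNED else "INTERNET"

def proxied_flow(node_gw, snat):
    """Client -> VIP -> node, then trace the node's reply.

    node_gw: "LTM" (old design) or "CORE" (new design).
    snat:    whether the virtual server rewrites the client source to SNAT_IP.
    """
    seen_src = SNAT_IP if snat else CLIENT          # source address the node sees
    path = ["NODE"]
    if ipaddress.ip_address(seen_src) in NODE_NET:  # same subnet: reply never leaves the VLAN
        path.append("DIRECT")
    elif node_gw == "LTM":
        path.append("LTM")                          # LTM is the default gateway
    else:
        path.append("CORE")
        path.append(core_forwards_to(seen_src))
    ltm_on_return_path = "LTM" in path
    return {
        "node_sees_client_ip": seen_src == CLIENT,
        "reply_path": path,
        # If the LTM never sees the reply it cannot rewrite node IP -> VIP, so the client
        # receives a packet from an address it never spoke to: asymmetric routing, flow breaks.
        "connection_works": ltm_on_return_path,
    }

def outbound_flow(node_gw):
    """Node-initiated traffic to the Internet: which hops carry it?"""
    return ["NODE", "LTM", "CORE", "INTERNET"] if node_gw == "LTM" else ["NODE", "CORE", "INTERNET"]

if __name__ == "__main__":
    for gw, snat in (("LTM", False), ("CORE", True), ("CORE", False)):
        print(f"gw={gw:4} snat={snat!s:5}", proxied_flow(gw, snat), "outbound:", outbound_flow(gw))
```

The three rows are the post's trade-off: gateway on the LTM keeps the client IP but puts every flow through the LTM; gateway on the core needs SNAT to bring the reply back to the LTM, and without SNAT the reply bypasses the LTM and the connection fails.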