kend
Sep 28, 2022

A Somewhat One Arm Configuration on LTM

I will try to describe this configuration the best I can, and sorry if it gets too long. Our current configuration on our LTMs is as follows.

  • External and Internal VLANs on LTM. The external VLAN is in 10.1.1.1 (example IP). There are several internal VLANs, 10.1.2.2, 10.1.3.3, 10.1.4.4, etc.
  • All virtual servers use the external VLAN for their destination address.
  • All nodes use the internal VLANs for their IPs.
  • The nodes have two network adapters, one for external connectivity and one for internal connectivity.  The default gateway on the nodes is the LTM.  The internal network adapter is used to route traffic between the nodes and our internal servers.

The following configuration is what we want to do.

  • External and Internal VLANs on LTM remain the same.
  • Nodes have a single network adapter. The node IP is not in one of the internal VLANs on the LTM. The default gateway is our core switch and not the LTM.
  • The virtual server has SNAT configured to allow the proper communication between the node and the LTM.

Reasons for the new configuration.

  • Use only a single network adapter on the nodes.
  • Set default gateway on the nodes to our core switch instead of the LTM to prevent external traffic going outbound from hitting the LTM where the LTM has to act as a router and send that traffic to the core switch. There is a forwarding virtual server that forwards all outbound traffic to the core switch. The concern here is that the LTM is performing unnecessary routing and using resources.
  • No persistent routes needed on the nodes to send internal traffic out the internal network adapter (the nodes are Windows servers).

The problem we have with the new configuration is that the original source IP of the connecting client is removed because of the SNAT needed.  It is important that the original source IP is seen by the nodes.  I have seen the option to use direct server return, but that is not an option in our environment mainly because Cookie insertion and port translation are not able to be implemented.   I know we can make the IP of the single network adapter on the node be one in the internal VLAN of the LTM and set the default gateway to be the LTM.  But, then we are passing all traffic through the LTM which goes back to the concern of the LTM performing unnecessary routing and using resources.  Is there any other way to use this new configuration without SNAT and maintain the original source IP?

4 Replies

  • There are 3 generally accepted options:

    • SNAT
    • Set the servers' default GW to the BIG-IP, and optionally create static routes for things that need to go direct to the core switch
    • Insert an X-Forwarded-For HTTP header
  • If you need to see clientIP, you could perform no-nat on F5 and insert a static route on the core switch in order to forward clientIP network back to F5. If your clients are all on the same network this might be the best option.  

    I don't understand if your servers need to contact external resources via the default Gateway. If this is the case and the external resources are on the same network as your clients (e.g. public/internet), with no-nat on F5 and only 1 NIC on the servers your options are either having F5 as a router for outbound traffic or performing asymmetric return/DSR.

    For web applications, you can also perform a SNAT on BIG-IP and insert client IP in XFF HTTP header for the web servers to retrieve.

  • kend 

    As mentioned by Kevin_Stewart, one of the ways is to use the X-Forwarded-For HTTP header, so F5 will insert the true client IP in the header and pass it to the backend server. With this, you will see requests from the F5 IP only, but in the header you will find the true client IP.

    The second option is not possible in most internet-facing applications. But if you have a specific list of client source IP addresses that are going to access your site from the internet, then on the server you can add routes for those IPs pointing to the F5, and the rest will follow the default route to the core switch as you want. I know this is not an option for all sites, but I just thought of it, so I shared it. Ty!

    Hope it helps!

  • Had to feature this one in this week's Highlights article, because I love the detail you gave, kend, and the responses you got from some great members of the community. 🙂
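
The X-Forwarded-For option from the replies moves the client address into a header that the client can also set, so a node should honor it only on connections arriving from the BIG-IP SNAT address. The following is an added example, not part of the thread and not F5 code: a server-side resolver in Python, where the SNAT range 10.1.2.0/28, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: source addresses the BIG-IP uses (SNAT) toward the nodes.
# Constructed value; replace with the real self IP / SNAT pool range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.2.0/28")]


def _is_trusted(addr):
    """True if addr belongs to a load balancer we operate."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_values):
    """Return the address to log and authorize on.

    peer_ip    -- TCP source address the node actually sees
    xff_values -- every X-Forwarded-For header value, in received order
                  (repeated header lines and comma lists are both handled)
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer):
        # Connection bypassed the BIG-IP: the header is client-controlled.
        return str(peer)

    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were written by our own
    # proxy; anything further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing to its left
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)  # no usable entry, fall back to the SNAT address


if __name__ == "__main__":
    # Constructed request: client forged one entry, BIG-IP added the real one.
    print(client_ip("10.1.2.5", ["192.0.2.99", "198.51.100.23"]))
```

Taking the leftmost entry instead would let any client choose the address that ends up in the node's logs and IP-based access rules.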