I have an F5 BIG-IP currently performing WAF functions for multiple servers that are in a DMZ VLAN. I have a new requirement to load-balance internal servers on a datacenter VLAN.
My questions are:
1. Can I load-balance without additional licensing?
2. I don't want backend internal servers taking connections from the DMZ VLAN, so the plan is to create self-IPs and floating IPs in the new VLAN. If I do that, how does the F5 know which default gateway/VLAN to route the traffic to? How do I tackle this challenge?
For your first question: which type of license or device do you have? The license limits the throughput of each device.
For your second question: by default the F5 uses the Auto Last Hop feature to return all traffic, so by default you don't need routes to return the traffic. If you need to return the traffic and use the F5 as a router, you must use Route Domains to separate the traffic inside the device.
Additionally, if you have a VLAN configured, the F5 tags the traffic and differentiates one network from another.
1. Yes, you can. You will always have a small LTM implementation running on your BIG-IP. (With AWAF only, LTM will have some limitations.)
2. For split routing it is better to create a separate route domain for your internal load balancing.
1. LTM will still do the basic LB features, as already said, so you're all good.
2. Be careful of auto last hop when on a routed network if it could change, like in the case where you have to balance default routes on the network with the direction the traffic came from; it can give you a headache. Not saying anything is wrong, just consider your networking before making changes.
If you put your servers on the same VLANs as you put the F5, then by default the F5 will know where to send the traffic, as it looks at layer 2 before layer 3. (So no routing needed, it'll just know.)
Then after that basic routing or route domains will help you sort out the layer 3 path if needed.
Again just consider the network you're working with and adapt as you need.
Thanks all for your replies. I am a little confused as I am new to F5. Currently, I have no IP routes as the self-IPs, floating IPs, and the backend servers all reside in the same VLAN. If I create any new self-IPs in a new VLAN and new routes, would it cause any issue for the existing servers?
Without seeing your network, the only answer I think we can give is "it depends".
If, for example, you have a default route set somewhere (netstat -rn from the CLI, I think, will confirm this; don't worry about the MGMT route, it's the other ones that are important for traffic flow), then if you add more specific routes to and from your internal servers, in theory you shouldn't affect your current flows.
To try to help, this might be more of a networking question rather than an F5 one.
If you have a network guy you can talk it through with, it could really help you!
As said above, look up auto last hop as this can help a lot but also cause you a headache depending on your network.
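As an added example (not code from the thread or from F5), here is how the route-domain separation suggested in the replies above, together with the route-table check, could look in tmsh; every VLAN name, tag, interface, route domain id and address below is an assumed placeholder for the new datacenter VLAN.

```tmsh
# Added example: put the new internal VLAN in its own route domain so DMZ-side
# traffic (route domain 0) cannot be forwarded to the internal pool, and check
# the routing table before and after. All names, tags, interfaces and
# addresses are assumed placeholders; adapt them to your network.

# 1. Snapshot the existing routes first, so you can compare after the change.
show net route
list net route

# 2. New VLAN for the datacenter servers (assumed: interface 1.2, 802.1Q tag 20).
create net vlan dc_internal tag 20 interfaces add { 1.2 { tagged } }

# 3. Dedicated route domain. "strict enabled" (the default) stops traffic from
#    being routed between this route domain and route domain 0 (the DMZ side).
create net route-domain dc_rd id 1 vlans add { dc_internal } strict enabled

# 4. Non-floating self-IP (per unit) and floating self-IP (follows the active
#    unit). allow-service none keeps the self-IPs from listening for anything.
create net self dc_self address 10.20.0.5%1/24 vlan dc_internal allow-service none traffic-group traffic-group-local-only
create net self dc_float address 10.20.0.6%1/24 vlan dc_internal allow-service none traffic-group traffic-group-1

# 5. Default route for route domain 1 only. Route domain 0 keeps its existing
#    default gateway, so the current DMZ flows are not touched.
create net route dc_default network 0.0.0.0%1/0 gw 10.20.0.1%1

# 6. Pool and virtual server scoped to route domain 1 (%1 on every address).
#    SNAT automap makes the servers reply to the floating self-IP even when
#    they have no route back to the client subnet.
create ltm pool dc_pool members add { 10.20.0.11%1:80 10.20.0.12%1:80 } monitor http
create ltm virtual dc_vs destination 10.20.0.100%1:80 ip-protocol tcp profiles add { tcp http } pool dc_pool source-address-translation { type automap }

# 7. Confirm Auto Last Hop is still on (return traffic leaves via the MAC/VLAN
#    it arrived on) and that the only new routes are the %1 ones.
list sys db connection.autolasthop
list ltm virtual dc_vs auto-lasthop
show net route

save sys config
```

These commands are typed at the tmsh prompt (or prefixed with `tmsh` from the BIG-IP bash shell, where the `netstat -rn` check mentioned above also works); compare the two `show net route` outputs to confirm nothing changed for route domain 0.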