one-arm mode load balancing without snat?

symtex_22198
Nimbostratus

Hi,

I have a customer that wants to deploy one-arm mode due to the high demand in management traffic of the nodes. The nodes would have static routes to the management networks and a default route to the F5 BIG-IP.

The nodes would still receive load-balanced traffic from the Internet, which would go through the BIG-IP. Return traffic to the Internet would also go through the BIG-IP because the nodes have a DG pointing to the BIG-IP self IP.

I guess a good way to describe this is a "hybrid" topology:

One-arm mode, because the virtual server is on the same VLAN as the nodes.

Routed mode, because the nodes use the BIG-IP as the default gateway.

I have somewhat attempted this configuration, but I see traffic is not forwarded from the virtual server to the pool. Is SNAT required when using one VLAN for all traffic?

10 REPLIES

What_Lies_Bene1
Cirrostratus
Yes, SNAT is required for one-arm mode. However, I'm not sure what you've described is one-armed mode. Are the Virtual Server and the connecting clients (from the Internet) all in the same VLAN/IP subnet? Are the client source IPs source NATted before they reach the VS?

nitass
F5 Employee
"I have somewhat attempted this configuration but I see traffic is not forwarded from virtual server to the pool." You should see traffic (e.g. SYN) to the pool even if SNAT is not enabled. The problem will happen if the client is in the same VLAN/subnet as the virtual server/node, because return traffic will be sent directly from the node to the client.
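The asymmetric-return point made in this reply can be checked with a small model of how a pool member picks its return path. This is an added example, not code from the thread or from F5: it assumes one VLAN carrying the virtual server, the pool members and the BIG-IP self IP, with that self IP as the nodes' default gateway, and constructed addresses (10.1.1.0/24, 203.0.113.10) stand in for the x.x.x.x / y.y.y.y of the thread. It generalizes the reply to the three cases that matter here: remote client without SNAT, local client without SNAT, and local client with SNAT.

```python
"""Model of the return-path decision a pool member (node) makes in a one-arm
BIG-IP deployment. Added example, not F5 code; addresses are constructed.

Assumptions: a single VLAN carries the virtual server, the pool members and
the BIG-IP self IP; the nodes' default gateway is that self IP; clients are
either on the same VLAN or in remote networks.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Topology:
    vlan: IPv4Network            # shared VLAN/subnet (VS, nodes, self IP)
    bigip_self_ip: IPv4Address   # BIG-IP self IP, also the nodes' default gateway
    snat_enabled: bool           # SNAT (automap) enabled on the virtual server


def source_seen_by_node(topo: Topology, client_ip: IPv4Address) -> IPv4Address:
    """Source address of the load-balanced SYN as it arrives at the node.

    Without SNAT the BIG-IP preserves the client IP; with SNAT automap the
    node sees the self IP of the VLAN the BIG-IP egresses on."""
    return topo.bigip_self_ip if topo.snat_enabled else client_ip


def return_path(topo: Topology, client_ip: IPv4Address) -> str:
    """Where the node sends its SYN/ACK.

    A host sends to an on-link destination directly (it ARPs for it) and
    only uses the default gateway for destinations outside its subnet."""
    dst = source_seen_by_node(topo, client_ip)
    if dst in topo.vlan:
        # On-link destination. If it is the BIG-IP self IP (SNAT case) the
        # reply still lands on the BIG-IP. If it is the real client, the
        # reply bypasses the BIG-IP and the client receives a SYN/ACK from
        # the node's address, which it never connected to, and drops it.
        return "via-bigip" if dst == topo.bigip_self_ip else "direct-to-client"
    # Off-link destination: follows the default route, i.e. the BIG-IP.
    return "via-bigip"


def connection_works(topo: Topology, client_ip: IPv4Address) -> bool:
    """True when the reply crosses the BIG-IP, so the full proxy sees both
    directions and can translate the node address back to the VS address."""
    return return_path(topo, client_ip) == "via-bigip"


def scenario(vlan: str, self_ip: str, snat: bool, client: str) -> bool:
    """String-argument wrapper for quick what-if checks."""
    topo = Topology(ip_network(vlan), ip_address(self_ip), snat)
    return connection_works(topo, ip_address(client))


if __name__ == "__main__":
    # Constructed addresses; the thread's own x.x.x.x / y.y.y.y are placeholders.
    cases = [
        ("remote client, no SNAT  ", False, "203.0.113.10"),
        ("local client,  no SNAT  ", False, "10.1.1.50"),
        ("local client,  SNAT     ", True, "10.1.1.50"),
    ]
    for label, snat, client in cases:
        ok = scenario("10.1.1.0/24", "10.1.1.1", snat, client)
        print(f"{label}: {'works' if ok else 'breaks (asymmetric return)'}")
```

Running it shows the split the reply describes: with the nodes' default gateway on the BIG-IP, a remote client works with no SNAT because the reply has to be routed anyway, while a client on the same subnet only works once SNAT forces the reply back to the self IP. It also shows why a missing SYN toward the pool member is a separate symptom: the model never blocks the forward direction, so if tcpdump shows no SYN at all, SNAT is not the explanation.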

symtex_22198
Nimbostratus
The connecting clients are in remote networks; they are not local.

The client IPs are not source NATted before they reach the VS. The VS will only have to send the traffic to the default gateway.

nitass:

I don't see SYNs being forwarded to the pool, which is kind of confusing. It seems to be configured correctly. I ran it through iHealth and it looks OK. None of the app requests are local; they are from remote networks.

nitass
F5 Employee
"I don't see SYNs being forwarded to the pool which is kind of confusing. Seems to be configured correctly. I ran it through iHealth and it looks OK. None of the app requests are local, they are from remote networks." What tcpdump command did you run to verify? Was it something like this?

tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y

x.x.x.x is the virtual server IP

y.y.y.y is the pool member IP

symtex_22198
Nimbostratus

I used

tcpdump -n -i appvlan host x.x.x.x or host y.y.y.y

Even though SNAT was disabled, I still should have seen the traffic to the pool member.

What_Lies_Bene1
Cirrostratus
Can we just clarify: the Virtual Server and the Pool Members are on the same VLAN/subnet, yes?

symtex_22198
Nimbostratus
Yes.

What_Lies_Bene1
Cirrostratus

You should have seen the Health Monitor traffic when you did the tcpdump. Can I assume you have health monitors and they are marking the pool members as up?


symtex_22198
Nimbostratus
Yes, the health monitors are configured. There is one basic ICMP health monitor associated with the node, and there is a TCP health monitor associated with the pool. Both are showing as up.

nitass
F5 Employee
I suggest you open a support case and let them assist in checking. You should see the SYN packet to the pool member anyway; something must be missing there.