Forum Discussion

mbrandon32
Dec 15, 2021

SNAT Pool on secondary VLAN

Our current SNAT pool resides within the primary VLAN of our LTM - which contains the current default gateway. We have a secondary VLAN configured on the LTM. Virtual servers configured on the secondary VLAN use the SNAT pool that contains IPs from the primary VLAN.

We are looking to create another SNAT pool with IPs from the secondary VLAN. When testing a single IP from that VLAN within a SNAT configuration, the test application does not launch.

What are the considerations that need to be made when configuring the SNAT pool with IPs from the secondary VLAN - while the default gateway is configured on the primary VLAN...?

3 Replies

  • Dear Brandon,

    this is more a network design and routing question.

    In general if you configure a virtual server, the BIG-IP at least performs a destination-NAT (VS-IP -> Poolmember-IP). But to guarantee that response traffic is also coming back through the BIG-IP, most of the time you also have to configure source-NAT (unless the default gateway of the poolmembers is pointing to the BIG-IP).

    For this source-NAT you can either choose between SNAT automap, which means the floating IP of the VLAN, which is used depending on the routing table to reach the poolmember, is used. Or you can create a dedicated SNAT pool and specify IPs there. Keep in mind as mentioned above, that you need to guarantee, that response traffic is coming back through the BIG-IP. So as long as the poolmembers for your virtual server are reachable via the secondary VLAN, a SNAT pool with IPs from this VLAN should be fine.

    Alternatively you can also work with transfer-/link-VLANs. One of our preferred network designs is as follows:

    • floating VIP-range
    • "clientside" transfer-VLAN, which will be used to route the VIP-range towards the BIG-IP
    • "serverside" transfer-VLAN, which will be used to route towards the different nodes/poolmembers using static routes
    • default route is pointing to the peer of the clientside transfer-VLAN

    So at the end it's important to know, which requirements you have from a network design perspective. Based on this you can define the correct SNAT solution.

    Hope that helps, otherwise please provide more details about your requirements (maybe also a small network diagram is useful).

    Thank you!

    Regards Stefan :)

    • mbrandon32

      Hi Stefan,

      Thanks for the reply on this. I am attempting to create a dedicated SNAT pool with IPs from that secondary VLAN, which resides within the same route domain as the primary VLAN. All pool members are reachable from the secondary VLAN but when I create a test SNAT pool, apply it to the VS, the application will not load.

    • mbrandon32

      To add to that, referencing the statement around the default gateway on the F5 from my original post, the return traffic from the server will be returning to the self IP of the secondary VLAN - however, the default route is pointed toward the gateway of the primary VLAN - which is a show-stopper. What are the solutions to get around this?

      Both VLANs are contiguous so we can always reconfigure the network side to consolidate, which would resolve the issue - however, that's a pretty decent sized undertaking given how many applications we have routing through this LTM...
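The following is an added worked example, not part of the thread and not F5 code. It is a small Python model of the two points Stefan makes and of the situation mbrandon32 describes: the BIG-IP's route lookup (a directly connected VLAN beats the default route) decides which VLAN a pool member is reached on and therefore which floating self IP SNAT automap uses, and the reply from the pool member must land on an address that terminates on the BIG-IP. All addresses, VLAN names and the server-side router table are constructed for the illustration; a single route domain and directly connected VLANs are assumed, as in the thread.

```python
"""Added model, not from the thread: how a BIG-IP picks the egress VLAN and the
SNAT source for a pool member, and where the member's reply to that SNAT
address lands. All addresses are constructed; a single route domain is assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Vlan:
    name: str
    subnet: Net
    floating_self_ip: IP


@dataclass(frozen=True)
class Route:
    prefix: Net
    interface: str          # VLAN (BIG-IP) or interface (router) the packet leaves on
    gateway: Optional[IP]   # None means directly connected


def lpm(routes: List[Route], dst: IP) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst, if any."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


class BigIp:
    def __init__(self, vlans: List[Vlan], static_routes: List[Route]):
        self.vlans = {v.name: v for v in vlans}
        # Each VLAN self IP contributes a connected route; statics (including the default) sit on top.
        self.routes = [Route(v.subnet, v.name, None) for v in vlans] + list(static_routes)

    def egress_vlan(self, dst: IP) -> Optional[Vlan]:
        r = lpm(self.routes, dst)
        return self.vlans[r.interface] if r else None

    def automap_source(self, member: IP) -> Optional[IP]:
        """SNAT automap: the floating self IP of whichever VLAN the route lookup selects."""
        v = self.egress_vlan(member)
        return v.floating_self_ip if v else None

    def connected_vlan(self, addr: IP) -> Optional[Vlan]:
        """The VLAN whose subnet contains addr, i.e. where the BIG-IP would answer ARP for it."""
        return next((v for v in self.vlans.values() if addr in v.subnet), None)

    def is_self_ip(self, addr: IP) -> bool:
        return any(addr == v.floating_self_ip for v in self.vlans.values())


def snat_on_egress_vlan(bigip: BigIp, member: IP, snat_ip: IP) -> bool:
    """Sanity check for a SNAT pool entry: does the address live on the VLAN
    the BIG-IP will actually use to reach this member?"""
    v = bigip.egress_vlan(member)
    return v is not None and snat_ip in v.subnet


def return_path(bigip: BigIp, member: IP, snat_ip: IP, router: List[Route]) -> str:
    """Where the member's reply to snat_ip ends up. `router` models the table of the
    server-side gateway the member uses for off-subnet destinations."""
    member_vlan = bigip.connected_vlan(member)
    if member_vlan is None:
        return "member not on a connected VLAN"
    if snat_ip in member_vlan.subnet:
        return "direct"   # member ARPs for the SNAT address; the BIG-IP answers on that VLAN
    r = lpm(router, snat_ip)
    if r is None:
        return "dropped at router"
    if r.gateway is None:
        # Router ARPs on one of its connected segments; fine only if the BIG-IP owns the address there.
        return "via router, connected" if bigip.connected_vlan(snat_ip) else "bypasses BIG-IP"
    return "via router, next hop BIG-IP" if bigip.is_self_ip(r.gateway) else "bypasses BIG-IP"


# Constructed topology mirroring the thread: default route on the primary VLAN,
# pool member directly connected on the secondary VLAN.
PRIMARY = Vlan("primary", Net("10.10.0.0/24"), IP("10.10.0.5"))
SECONDARY = Vlan("secondary", Net("10.20.0.0/24"), IP("10.20.0.5"))
LTM = BigIp([PRIMARY, SECONDARY], [Route(Net("0.0.0.0/0"), "primary", IP("10.10.0.1"))])
MEMBER = IP("10.20.0.100")
OFF_VLAN_MEMBER = IP("10.30.0.9")          # not on any BIG-IP VLAN and no static route for it
SNAT_SECONDARY = IP("10.20.0.50")          # candidate SNAT pool address from the secondary VLAN
SNAT_PRIMARY = IP("10.10.0.50")            # candidate SNAT pool address from the primary VLAN
SNAT_REMOTE = IP("198.51.100.7")           # address the BIG-IP does not own at all
# Server-side router (constructed): attached to both VLANs, default route to an uplink.
ROUTER = [
    Route(Net("10.10.0.0/24"), "r-primary", None),
    Route(Net("10.20.0.0/24"), "r-secondary", None),
    Route(Net("0.0.0.0/0"), "uplink", IP("192.0.2.1")),
]


def evaluate(member: IP, snat_ip: IP) -> Dict[str, object]:
    """Forward-path and return-path verdict for one member/SNAT-address pair."""
    v = LTM.egress_vlan(member)
    return {
        "egress_vlan": v.name if v else None,
        "automap_source": str(LTM.automap_source(member)),
        "snat_on_egress_vlan": snat_on_egress_vlan(LTM, member, snat_ip),
        "return_path": return_path(LTM, member, snat_ip, ROUTER),
    }


if __name__ == "__main__":
    for snat in (SNAT_SECONDARY, SNAT_PRIMARY, SNAT_REMOTE):
        print(snat, evaluate(MEMBER, snat))
```

In this model the member on the secondary VLAN is reached over that VLAN regardless of where the default route points, so automap would pick the secondary floating self IP and a SNAT address from the secondary subnet gives a direct reply path; a primary-VLAN SNAT address still returns to the BIG-IP only because the router is attached to the primary segment. The model deliberately stops at the topology Stefan describes: it does not reproduce an application failing to load, which in the thread remains undiagnosed.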