inline
6 Topics

SNAT vs Inline in high performance scenario
We are thinking about moving from SNAT to Inline Source Address Translation (we can control the default gateway of the pool nodes either way) due to port exhaustion and a "general" feeling that this is a much faster way to terminate HTTP/HTTPS VPS. Port exhaustion was addressed by adding more IPs to the SNAT Pool list, but expanding it with more and more IPs is just not an elegant solution. Peak traffic is around 200K/s of small http/https requests. Thus we are wondering whether we should go with inline or not. Removing one iRule (x-forward) would be enough for small speed improvements, but what are the others? TIA!

432 Views, 0 likes, 2 Comments

Design - SNAT vs. Inline (kind of philosophical)
Hello Devs! How's everybody doing? I'm new to BIG-IP and I'm currently studying for the 301a exam. I came from the networking world. I'm a big fan of letting routers "route", firewalls "firewall" and load balancers "load balance". So looking at a SNAT design vs. an inline design I tend to prefer the first. The thing is, I read KB7820 and under the best practice it stated that SNAT demotes PVA. And that got me thinking about the whole SNAT process and how many resources (as in RAM) each SNAT consumes. I searched askF5 and couldn't find any numbers on that. And besides that, in my humble opinion, making the BIG-IP the gateway of every load balanced server can be a hassle when you're not on a green field project. So my questions are:

1. How many resources does SNAT consume on the BIG-IP? Do I have to worry about it? Or is the only downside of it PVA and application/end user "trackability"?
2. On green field projects, should I go with an inline or a SNAT design? What do you BIG-IP ninjas prefer?

Many thanks! Rafael

249 Views, 0 likes, 1 Comment

inline configuration
Hi, I have this configuration: NET => FW => F5 => SRV

I have VS1 which forwards traffic to SRV (no SNAT used, not possible to do XFF, so the source address of the client is seen). F5 is the default gateway for SRV. On F5 there is also a forwarding IP VS 0/0 and a default route to FW. FW also has a static route for the SRV subnet pointing to F5. Questions:

1. A client from NET goes to VS1 (SNAT off) and is redirected to SRV (source address is seen, destination NAT is in place to pass traffic to SRV). I assume that return traffic from SRV is hitting VS 0/0 (am I right?). VS 0/0 has SNAT off. And I also assume that the source address of SRV is changed to the VS1 IP (am I also right?). If not, should I do some SNAT on VS 0/0?

2. Second example. When the server is originating a connection to NET it hits VS 0/0, is that right? No SNAT is configured, so the source address of the server is seen outside? The route on FW passes traffic back to SRV via F5.

If point 1 is true (so when return traffic is automatically SNATed back to the VS1 IP), what determines whether traffic is SNATed or not? Is it the previously created session/entry for DNAT when traffic originating from NET hits VS1?

934 Views, 0 likes, 26 Comments

Inline load balancing and "Loose Initiation" & "Loose Close"
Hi People, We have an inline load balancing design for Lync (and other applications) where we configure the Lync_edge servers inline (behind the LTM). Therefore this demands a fastL4 profile with Reset on Timeout enabled, ok. But it was suggested to me to also enable "Loose Initiation" & "Loose Close", and I'm not really sure if we need it. The topology is as follows:

Internet ---- Checkpoint FW --- extLAN --- LTM (11.4.1) --- intVLAN (with Lync_edge servers) ---- Cisco router ---- Internal subnets

I read this statement in the forum and I got more confused... because in the extVLAN there is also a Cisco Router 6500 which leads to a bunch of other internal subnets:

"If a different router exists on any directly connected network, you may need to create a custom fastL4 profile with "Loose Initiation" & "Loose Close" enabled to prevent LTM from interfering with forwarded conversations traversing an asymmetrical path."

869 Views, 0 likes, 5 Comments

ASM inline scanning
Does anyone know if it is possible to use ASM with a general policy to scan traffic to many HTTP servers without having to define all of these as a virtual server? With 11.4 I don't see the option to attach a policy to anything (IP forward, performance L4) except a standard virtual server.

424 Views, 0 likes, 6 Comments

Inline HA and Traffic Group Setup
Hello All, Somewhat new to the version 11 setup and traffic groups, and I want to ensure that we have the proper setup. We have an HA LTM setup in inline mode with internal and external floating IPs on each side. Is it OK to have one traffic group with MAC masquerade configured and to associate the two floating self IPs with that traffic group? I wasn't sure if having the same MAC on both the internal and external side would pose a problem. Or is it best to have two traffic groups - one for external and one for internal? Thanks, Brian

227 Views, 0 likes, 2 Comments