
I've been tasked with configuring our F5 Big-IP LTM. It's running 9.4.8.

I've read through the docs a bit and I'm a little confused. It specifies that there are two default VLANs: internal and external. The problem is that the servers that I want to load balance are in our DMZ, which is also where the load balancer is. When running through the configuration wizard, it won't let me specify the DMZ network on the internal interface since it's already defined on another VLAN (the external interface).

In a setup like mine, is the need for internal and external VLANs, as defined by the wizard, unnecessary? Since the load balancer is on the same subnet as the servers that it is balancing, can I just use a single interface?

MDMarra
  • Have you got support with them? Ask the vendor? – Tom O'Connor Jan 13 '12 at 13:10
  • @TomO'Connor We do have support. I'd like to gather some basic info about if my setup is possible (it can't be unique) before I call them and get told `"ZOMG, DON'T DO IT THAT WAY!"` or `"lol, of course that's fine"`. – MDMarra Jan 13 '12 at 13:38

2 Answers


It is possible even though the Wizard will not let you configure it this way.

To configure it, you just have to set up a single VLAN on your interface that will handle internal and external traffic. F5 support calls this a "one-armed" topology.

SNAT must be enabled on the Virtual Servers that use that VLAN for traffic to flow correctly. That is the only caveat that support made me aware of.

MDMarra
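To make the SNAT caveat in this answer concrete, here is a small Python model of the one-armed topology. It is an added example, not code from the thread or from F5: the addresses are constructed (RFC 5737 samples), the host routing rule is a deliberate simplification, and `simulate()` is a hypothetical helper that traces one request and its reply to show which configurations bring the reply back through the BIG-IP. It also covers the variant from the second answer, where the BIG-IP is made the servers' gateway instead of enabling SNAT.

```python
"""Why a one-armed BIG-IP needs SNAT on its virtual servers (added example).

Everything lives on one DMZ subnet. The servers' default gateway is the
firewall, not the BIG-IP, so whether a reply passes back through the
BIG-IP depends entirely on the source address the server saw.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (not from the thread).
DMZ_SUBNET = "192.0.2.0/24"
FIREWALL_DMZ_IP = "192.0.2.1"   # DMZ hosts' usual default gateway
BIGIP_SELF_IP = "192.0.2.5"     # the single self IP of the one-armed BIG-IP
VIP = "192.0.2.100"             # virtual server address clients connect to
SERVER_IP = "192.0.2.20"        # pool member on the same subnet as the BIG-IP
CLIENT_IP = "198.51.100.10"     # outside client, reached through the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def next_hop(dst: str, subnet: str, gateway: str) -> str:
    """Simplified host routing: on-subnet destinations are delivered directly,
    everything else is handed to the configured default gateway."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(subnet):
        return dst
    return gateway


def bigip_to_server(request: Packet, snat: bool) -> Packet:
    """A virtual server always rewrites the destination (VIP -> pool member).
    With SNAT enabled it also rewrites the source to the BIG-IP's self IP."""
    return Packet(src=BIGIP_SELF_IP if snat else request.src, dst=SERVER_IP)


def simulate(snat: bool, server_gateway: str = FIREWALL_DMZ_IP) -> dict:
    """Trace one request/reply and report whether the return path is symmetric."""
    client_request = Packet(src=CLIENT_IP, dst=VIP)
    to_server = bigip_to_server(client_request, snat)

    # The server answers whatever source address the request carried.
    reply = Packet(src=to_server.dst, dst=to_server.src)
    hop = next_hop(reply.dst, DMZ_SUBNET, server_gateway)
    via_bigip = hop == BIGIP_SELF_IP

    if via_bigip:
        # The BIG-IP reverses both translations, so the client sees the VIP.
        seen_by_client = Packet(src=VIP, dst=CLIENT_IP)
    else:
        # The reply bypasses the BIG-IP and reaches the client from the
        # server's real address, which matches no connection the client opened.
        seen_by_client = reply

    return {
        "reply_next_hop": hop,
        "via_bigip": via_bigip,
        "client_sees_src": seen_by_client.src,
        "connection_ok": seen_by_client.src == VIP,
    }


if __name__ == "__main__":
    print("no SNAT, gateway = firewall:", simulate(snat=False))
    print("SNAT automap, gateway = firewall:", simulate(snat=True))
    print("no SNAT, gateway = BIG-IP (forwarding VS design):",
          simulate(snat=False, server_gateway=BIGIP_SELF_IP))
```

The first scenario is the failure the answer warns about: the server replies straight to the firewall and the client receives a packet from `192.0.2.20` for a connection it opened to `192.0.2.100`. SNAT fixes it by making the BIG-IP the reply's destination; pointing the servers' default route at the BIG-IP fixes it by making the BIG-IP the reply's next hop, which is the design the second answer describes.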

Using internal and external VLANs is a best practice to keep the internal network protected, but it's not mandatory.

I don't remember the v9 wizard, but in any case, just follow it and you'll be able to change everything just after.

You can load balance traffic on a single interface, but it's not ideal since you will accumulate client-side and server-side traffic on the same link, and this could be a problem if you have high load.

If possible, keep using internal and external on the same DMZ but with different subnets.

The F5 box IP setup doesn't have to reflect the exact DMZ subnet.

Also note that if you have a DMZ, that means that you have a firewall. You can put the BIG-IP between the firewall and your servers by creating a Forwarding VS that will enable the BIG-IP to work as a gateway for all non-load-balanced traffic.

Now if you want to have everything on the same subnet (note that the management interface cannot be on the same subnet as any other F5 self IP, but you can manage the box through a self IP), just create one single VLAN with a single self IP.

The BIG-IP will access nodes and handle traffic through the same interface, but everything will work fine.

Actually, the BIG-IP platform allows any network setup (I've never been really limited). Your setup will depend on the security level and network design you need.

A single VLAN design is not a problem in a lab. But if you need to handle public traffic, then you will have to think a little more about where the BIG-IP has to stand.

  • How do the two interfaces keep the network more protected than one in my case? Everything is in the DMZ in this situation. Also, all traffic saturating the same link isn't an issue. We have a 500Mb pipe to the Internet and GbE switches. – MDMarra Jan 13 '12 at 11:53
  • If your servers are behind the BIG-IP in a private subnet, the only thing that is publicly accessible is the virtual servers. A BIG-IP isn't a firewall, but it's great to reduce server exposure. – Gauthier Delacroix Jan 13 '12 at 12:45
  • Every device is in the same DMZ behind the same firewall on the same subnet. The servers won't have any ports open to them on the firewall, so there's no exposure except through the Big-IP anyway. – MDMarra Jan 13 '12 at 13:37