Forum Discussion
Tabish_Mirza_12
Nimbostratus
Now I am confused whether I can use the same IP subnet on both interfaces (external and internal) of a single device or not. The external interface points to the client side and the internal interface points to the node (servers) side.
Please help me.
Jason_40733
Oct 07, 2013
Cirrocumulus
First let me clarify:
One-armed: The F5 has one interface for load balancing.
Two-armed: The F5 has an external and internal interface for load balancing.
Npath: (previously I errantly used "one armed" in place of this) The incoming traffic hits the F5, but the return path from the back-end servers does not go through the F5.
Here's an example:
DMZ is the 10.10.10.0/24 subnet
Public IP is 8.8.8.8
Web server A is 10.10.10.8
Web server B is 10.10.10.9
F5 LB A is 10.10.10.5 for self IP
F5 LB B is 10.10.10.6 for self IP
F5 floating IP is 10.10.10.7
Back side of your firewall creating the DMZ is 10.10.10.1
Route the traffic for 8.8.8.8 to the front side of your firewall.
Have the firewall forward traffic for 8.8.8.8 to the 10.10.10.7 IP (as the float, it will follow the active F5 in an active/passive setup).
Your virtual would be set as 8.8.8.8 port 443.
From there on, the config depends on your preference.
Npath config: The VIP will NOT SNAT the traffic or terminate SSL. Your web servers would need a loopback of 8.8.8.8. The web servers would have 10.10.10.1 as their gateway. Not all load balancing options are available.
Non-NPATH: The virtual does a SNAT on the traffic, terminates SSL, and adds the X-Forwarded-For to the clients. (Use server-side SSL if you like/need.)
Other options are available. The F5 is very versatile. As far as one-armed vs. two-armed, the big difference is the requirements of your environment. Npath vs. the web server return traffic coming through the F5 (we'll call that "inline") varies the different load balancing methods at your disposal.
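The return-path difference between the Npath and SNAT setups in the answer above, modelled as an added example that is not part of the original post or any F5 tooling. It uses the answer's addresses; the client address, the use of the floating IP as the SNAT source, and the extra `dnat_only` case (destination translated, no SNAT) are assumptions that go beyond what the answer lists.

```python
import ipaddress

# Addresses from the answer above; CLIENT is a constructed sample value.
DMZ = ipaddress.ip_network("10.10.10.0/24")
VIP = ipaddress.ip_address("8.8.8.8")
F5_FLOAT = ipaddress.ip_address("10.10.10.7")
FIREWALL = ipaddress.ip_address("10.10.10.1")
SERVER_A = ipaddress.ip_address("10.10.10.8")
CLIENT = ipaddress.ip_address("203.0.113.50")


def server_side_packet(mode):
    """(src, dst) of the packet the F5 hands to web server A."""
    if mode == "npath":      # no SNAT, destination left as the VIP
        return CLIENT, VIP
    if mode == "snat":       # destination -> pool member, source -> F5 (assumed floating IP)
        return F5_FLOAT, SERVER_A
    if mode == "dnat_only":  # destination translated, client source kept
        return CLIENT, SERVER_A
    raise ValueError(f"unknown mode: {mode}")


def reply_path(mode, server_gateway=FIREWALL, server_loopbacks=()):
    """Describe where the server's reply goes when everything shares one subnet."""
    src, dst = server_side_packet(mode)
    if dst not in {SERVER_A, *server_loopbacks}:
        return f"dropped: server does not own {dst}"
    reply_src, reply_dst = dst, src
    # On-link destinations are reached directly, everything else via the gateway.
    next_hop = reply_dst if reply_dst in DMZ else server_gateway
    hop = "f5" if next_hop == F5_FLOAT else "firewall"
    note = ""
    if hop != "f5" and reply_src != VIP:
        note = " (client expects replies from the VIP)"
    return f"{reply_src} -> {reply_dst} via {hop}{note}"


if __name__ == "__main__":
    print(reply_path("npath"))
    print(reply_path("npath", server_loopbacks=(VIP,)))
    print(reply_path("snat"))
    print(reply_path("dnat_only"))
```

The `dnat_only` result shows why a single-subnet layout needs either SNAT or the Npath loopback: without one of them the reply leaves through the firewall with the server's own address as its source.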