Forum Discussion

Joe_Willis_4776
Sep 22, 2008

Default Gateway at Server level versus SNAT-AutoMap at VIP level

Hi,

I have what I hope to be a simple (and maybe a "duh") question. How expensive is it, in terms of CPU cycles, to assign a SNAT Pool of Automap to every VIP to enforce traffic to egress back through the LTM? The thought is to take this approach as opposed to changing the default gateway of all pool members to be the floating self IP address of the LTM.

Why do you ask? We are in a switched environment and in almost all cases, the LTM is not acting as the gateway for any VLAN (rather, a switch is relegated this task). Going the default gateway route, we end up with a lot of asynchronous routing. Sure, we can address the routing issue by adding static routes to all pool member servers to use the VLAN's "normal" default gateway. This has started to become a headache to manage though, and is why I am here.

So, to boil it down, it would be easier for us to put the default gateways back to the VLAN's "normal" gateway for all pool member servers. In addition, we would assign a SNAT-Automap to all VIPs to make sure that any traffic initiated from the LTM would egress back through the LTM.

What are the consequences of doing this?

3 Replies

  • We have several hundred mb/s flowing through a 3400 on 400 different virtuals (development box), all of which have their own snat address. CPU and memory are barely registering...

    Snat automap is fine unless you are going to exceed 64k connections/second, at which point you'll need a snatpool. We match the 4th octet of the virtual IP address to the snat address so we can track connections through the F5 more easily.
  • The other consequence is that you will no longer see the client's source address in the server logs, all the traffic will appear to come from the SNAT address. If this is not a concern for you then you're OK. But it tends to mess up WebTrends and such. You can insert the original client address in an X-Forwarded-For header (in the http profile), and depending on what the server is, you would have to configure it to log that as the client IP (there is an ISAPI plugin for IIS here on DevCentral).

    Denny
  • Thank you both for your replies; great information on how SNAT taxes (or rather, how it does not at all) the LTM; we have nowhere near 64k connections/second, so I think we should be in good shape.

    On the client IP: Yep, already have thought of that and plan to do exactly what you are talking about. We actually have to do it further upstream, as all traffic that flows to the application VIPs comes from a pair of Web reverse proxy servers (Apache). So, as it stands now, in the application server logs you only ever see the reverse proxy IPs. We'll configure and assign a proper HTTP profile to the front-facing VIPs that tie to DNS and that feed the traffic to the reverse proxy servers (and configure Apache accordingly).

    In general, the flow is CLIENT -> VIP (ties to DNS) -> Reverse Proxy -> VIP (application) -> application server -> database server.

    Thanks again for your help.

    Joe
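An added example, not code from anyone in this thread: once SNAT automap hides the client address, Denny's suggestion (insert X-Forwarded-For in the HTTP profile) and Joe's multi-hop flow (CLIENT -> VIP -> reverse proxy -> VIP -> application server) mean the server's peer address is always the SNAT address and the real client survives only in the header chain. The function below recovers the address to log while refusing to trust header entries that did not come through our own hops; the proxy and client addresses are constructed for illustration, and the set of trusted hops is an assumption you would replace with your own SNAT and reverse proxy addresses.

```python
# Added example (not from the thread): pick the client address to log on a
# server that only ever sees the LTM's SNAT address as the TCP peer.
# Assumed flow from the discussion: CLIENT -> VIP -> reverse proxy -> VIP -> app.
# All addresses below are constructed for illustration, not taken from the page.
import ipaddress
from typing import Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption: the hops we control. Only X-Forwarded-For values appended by
# these hops are trusted; a value the client sent in its own request is not.
TRUSTED_PROXIES = {
    ipaddress.ip_address("10.10.1.5"),   # constructed: LTM SNAT / floating self IP
    ipaddress.ip_address("10.10.2.21"),  # constructed: Apache reverse proxy A
    ipaddress.ip_address("10.10.2.22"),  # constructed: Apache reverse proxy B
}


def _parse(addr: str) -> Optional[IPAddr]:
    """Parse one address; return None for anything that is not an IP literal."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def client_ip(peer: str, xff: Optional[str],
              trusted: Iterable[IPAddr] = TRUSTED_PROXIES) -> str:
    """Return the address to log as the client.

    Walk the X-Forwarded-For chain from the right (the hop nearest to us),
    skipping addresses that belong to our own proxies. The first address that
    is not ours is the best candidate for the real client. If the peer itself
    is not a trusted hop, the connection did not come through the LTM, so the
    header is ignored and the peer is logged as-is.
    """
    trusted = set(trusted)
    peer_ip = _parse(peer)
    if peer_ip is None or peer_ip not in trusted:
        return peer
    chain = [a for a in (xff or "").split(",") if a.strip()]
    for raw in reversed(chain):
        ip = _parse(raw)
        if ip is None:
            # Malformed entry upstream of our hops: stop rather than guess.
            break
        if ip not in trusted:
            return str(ip)
    # Header held only our own hops (or nothing): fall back to the peer.
    return peer
```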