Forum Discussion

trevor_94079
Nov 14, 2013

BIG IP LTM TWO DEFAULT GATEWAY WITH THE SAME VLAN

Hi everyone,

I'm a bit new to the F5 LTM. The unit we have is currently facing a VIP for the FW, which is in active-standby mode; however, due to a capacity issue they decided to have it work in active-active, where both FWs will now handle traffic from the F5. We're proposing to use the two IPs of the firewall as default gateways using pool members. But the thing is, what they want to do is only process a particular set of IPs through FW1 and another set of IP blocks through the other unit.

I'm not sure if we can have it separated since it uses the same VLAN. Can someone advise on how I can approach this?

2 Replies

  • Sorry to get on my high horse, but this is a bad idea. Sure, they can split the connections across the two firewalls, but what happens when one fails? Presumably the remaining device will then suffer the same capacity issue you're suffering from now?

    What type of Virtual Server is configured? Am I correct in my understanding that the Virtual Server is currently sending connections to the active firewall, which is configured as a Pool Member? Are you using Priority Group Activation to do that?

  • OK, understood. So, you could switch to a Performance L4 VS, make each firewall a Pool Member and simply use round robin load balancing to distribute the connections. This should work fairly well for inbound connections.

    Assuming you have outbound connections too, I'd suggest you stick with the IP Forwarding VS.

    So, create a new Perf VS only enabled on the external VLAN, and change the existing Forwarding VS so it's only enabled on the internal VLAN.

    On the internal side of the firewall, what handles the failover at present? If you're using VRRP, I'd imagine with my plan above a connection could pass inbound through one firewall and outbound via another? Do they share state?
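The layout the second reply proposes, written out as tmsh commands so the two virtual servers and the pool can be compared side by side. This is an added example, not configuration posted in the thread: the firewall addresses (192.0.2.11 and 192.0.2.12, from the documentation range), the VLAN names `external` and `internal`, the pool and virtual server names, and the name of the existing forwarding virtual server (`fwd_vs_existing`) are all assumptions.

```tmsh
# Added example, not from the thread. Assumed: firewall addresses 192.0.2.11 and
# 192.0.2.12, VLANs named "external" and "internal", and an existing IP forwarding
# virtual server called "fwd_vs_existing". One command per line.

# Pool with both firewalls as members, round robin, port 0 so any destination port
# is accepted. The built-in gateway_icmp monitor takes a dead firewall out of
# rotation instead of letting half the inbound connections black-hole.
create ltm pool fw_pool load-balancing-mode round-robin monitor gateway_icmp members add { 192.0.2.11:0 192.0.2.12:0 }

# Inbound: wildcard Performance (Layer 4) virtual server, enabled only on the
# external VLAN, handing each new connection to one firewall from the pool.
create ltm virtual vs_inbound_fw destination 0.0.0.0:any mask any ip-protocol any profiles add { fastL4 } pool fw_pool vlans add { external } vlans-enabled

# Outbound: keep the existing IP forwarding virtual server but restrict it to the
# internal VLAN so it no longer overlaps with the inbound virtual server.
# Outbound flows follow the routing table rather than the firewall that saw the
# inbound side, which is the asymmetric-state concern raised in the reply.
modify ltm virtual fwd_vs_existing vlans replace-all-with { internal } vlans-enabled

# Verify: each virtual server should list exactly one VLAN, and both pool
# members should show as available before cutting traffic over.
list ltm virtual vs_inbound_fw
list ltm virtual fwd_vs_existing
show ltm pool fw_pool members
```

Round robin across the pool splits connections roughly evenly rather than by source address block; steering specific IP ranges to a specific firewall, as the original poster was asked to do, would need an iRule or separate virtual servers on top of this, which the thread does not go into.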