Forum Discussion

CCIE17603_15098
Feb 11, 2017

Simple Question about Traffic Flow - Simple Answer Required

Ok, quick question. It's been about 5 yrs since I worked on load balancers. I've done Cisco CSS, ACE and NetScaler before it was acquired by Citrix in the past. I'm just trying to verify something in my mind. When you do a simple VIP with real servers behind it with L4 port load balancing, does the traffic go through/get pinned through the load balancer? I'm not talking about a URL redirect off box. I'm talking about servers that are behind the balancer.

Only reason I'm asking is this. Think about a VIP in the DMZ (say port 80 for a super simple example); the servers themselves aren't directly exposed to the internet. Only the VIP is NAT'ed, so server traffic would have to flow back through the balancer to return to the client. But on the LAN someone is trying to convince me that no, if the VIP is on the same subnet as the real servers, the VIP balances it off to, let's say, one of 2 servers and the client talks directly to it. That makes no sense to me, especially thinking about methods of persistence. What would facilitate that if the balancer said "here's your server, now leave me out of it"?

I'm only asking because I am a long time networking dude, and in one case that I know of a Cisco voice gateway can do that, with a feature called "Media Flow Around", but that's in the case of the voice packets. The gateway says to the phone "here is your other phone, now move me out of the path of the direct flow of the conversation." But in my mind that's a special case.

Can someone please confirm, and PLEASE don't send me a link to some gigantic F5 flow chart.

Thanks everyone!

2 Replies

  • In the vast majority of cases, the flow of traffic for a standard VS is like this: Client <> VS <> Pool

    The request from the client goes through the F5 and then to the pool, and the response from the server goes through the F5 to the client.

    You seem to be referencing some kind of nPath routing when you say the server talks directly to the client.

  • If both the F5 and the real servers are in the same network, but the clients reside on another network, you have the following options to keep the F5 in the traffic flow to prevent asymmetric routing.

    • the real servers have their default gateway pointing towards the F5.
    • the F5 uses SNAT to keep itself in the flow between the client and real servers. Remember that the F5 is a full proxy. It will use a clientside and a serverside connection. When using SNAT it will use its own (floating) self IP address in the serverside connection towards the real servers. This results in the real servers responding towards the self IP address of the F5.

    If both the clients and real servers are in the same network, they will not use their default gateway address to route traffic towards each other. In this case you'll need to use SNAT on the F5.
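The two options in the reply above (pool members defaulting to the F5, or SNAT on the virtual server) decide where a pool member's reply is delivered, and whether the client ever sees it come back from the VIP. The Python below is an added example, not code from either reply or from F5: it models the serverside connection and the return path for the cases the reply lists. All addresses are constructed (192.0.2.10 and 10.0.0.50 as clients, 10.0.0.100 as the VIP, 10.0.0.1 as the floating self IP, 10.0.0.11 on 10.0.0.0/24 as the pool member), and the model assumes a single routed hop: a reply addressed to a host on the server subnet is delivered directly, anything else goes to the server's default gateway.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Deployment:
    """One client -> virtual server -> pool member setup (constructed addresses)."""
    client_ip: str
    vip: str
    f5_self_ip: str        # floating self IP on the server-facing VLAN
    server_ip: str
    server_subnet: str     # subnet the pool member sits on
    server_default_gw: str
    snat: bool             # source address translation enabled on the virtual server


def serverside_source(d: Deployment) -> str:
    """Source address the pool member sees on the F5's serverside connection."""
    return d.f5_self_ip if d.snat else d.client_ip


def reply_next_hop(d: Deployment) -> str:
    """Where the pool member's own routing table delivers its reply."""
    dst = ip_address(serverside_source(d))
    if dst in ip_network(d.server_subnet):
        return str(dst)            # on-link destination: delivered straight to that host
    return d.server_default_gw     # off-link destination: handed to the default gateway


def reply_path(d: Deployment) -> str:
    """'via_f5' when the reply lands on the F5, 'direct_to_client' otherwise."""
    return "via_f5" if reply_next_hop(d) == d.f5_self_ip else "direct_to_client"


def connection_works(d: Deployment) -> bool:
    """Via the F5 the reply's source is rewritten back to the VIP. A direct reply
    arrives from server_ip for a SYN the client sent to the VIP, so it is rejected."""
    return reply_path(d) == "via_f5"


def analyse(d: Deployment) -> dict:
    return {
        "server_sees": serverside_source(d),
        "reply_next_hop": reply_next_hop(d),
        "path": reply_path(d),
        "works": connection_works(d),
    }


# Constructed scenarios covering the cases in the reply.
_BASE = dict(vip="10.0.0.100", f5_self_ip="10.0.0.1",
             server_ip="10.0.0.11", server_subnet="10.0.0.0/24")

SCENARIOS = {
    # clients elsewhere, no SNAT, pool members route via the F5
    "remote_clients_gw_is_f5": Deployment(
        client_ip="192.0.2.10", server_default_gw="10.0.0.1", snat=False, **_BASE),
    # clients elsewhere, no SNAT, pool members route via another router: asymmetric
    "remote_clients_gw_is_router": Deployment(
        client_ip="192.0.2.10", server_default_gw="10.0.0.254", snat=False, **_BASE),
    # clients on the server VLAN, no SNAT: the default gateway is never consulted
    "same_subnet_no_snat": Deployment(
        client_ip="10.0.0.50", server_default_gw="10.0.0.1", snat=False, **_BASE),
    # clients on the server VLAN, SNAT: the reply is addressed to the F5 itself
    "same_subnet_snat": Deployment(
        client_ip="10.0.0.50", server_default_gw="10.0.0.254", snat=True, **_BASE),
}


if __name__ == "__main__":
    for name, dep in SCENARIOS.items():
        print(f"{name:30s} {analyse(dep)}")
```

Running it shows the point of the reply's last paragraph: in the same-subnet case the pool member's gateway setting is irrelevant because the reply never leaves the VLAN, so only SNAT brings the return path back through the F5.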