From: Michael Ferraro (mikeIZZATmyvest.com)
Date: Tue Jan 06 2004 - 12:29:35 EST
If I have the F5 performing NAT to get the client traffic to a pool
member, then I shouldn't need to have the internal IP of the F5 be the
default gateway for the pool members, right? That's what I'm trying to
avoid, because I plan to have the F5 and pool members on different
VLANS, and it'd be a shame to have, for example, SSH traffic destined
for the pool members have to go through the F5 in the DMZ to get back to
If I'm NAT'ing the incoming HTTPS traffic, I'm going to lose the
original client IP address, so there's no way I can have Apache log that
info. How is the logging on the F5 itself? Can it log to a syslogd
server? That'd be really helpful for reconciling the logs between (1)
the F5, (2) Apache, and (3) my application server.
Thank you, all, for your responses...they're helping me a great deal!
On Mon, 2004-01-05 at 18:31, Winter, R. Stephen wrote:
> Mike, A quick caution before you buy a second-hand pair. There is a license file on the BigIPs that is required for the software to work. If that's not there, you will need to "register" with F5 (we paid about 5k for an HA pair I think, but we wanted maintenance and everything). If you lose the hard-drive, you will need that license file, so make sure you copy it somewhere safe. Also, if you ever change the NIC, you'll have problems. The license is tied to the MAC address...
> Ok.. Without the SSL card you will not be able to terminate the SSL on the Big IP. But, you can still load balance by passing the packets directly to an SSL Server. I don't remember if the F5 can read the SSL ID, but I know we did have some issues with the renegotiating of the SSL IDs, so you will need to setup a different type of persistence (maybe by source address will work for your situation)
> The source address of the original packet can be retained (default unless you add the Natting). In a "normal" config, you usually only re-write the destination address to the pool member. You can NAT the source address if you want to. (and sometimes you need to). If you don't NAT, you will need the BigIP to be the default gateway. You can setup the BigIP to NAT on the way out (or not) for the pool member initiating traffic out past the BigIP if you do have it as the default gateway... (If you don't NAT, you can set it to forward as well...)
> I hope I wrote this as clearly as I saw it in my head...
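A small Python model of the two cases discussed above (destination-only NAT versus adding source NAT), added here as an illustration and not code from the thread or from F5. The addresses are constructed from documentation ranges, and the BigIP and pool-member behaviour is reduced to a single route lookup, so the model only shows why the reply path, and the client address Apache sees, change with source NAT.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses (RFC 5737 / RFC 1918 ranges), not from the thread.
CLIENT = "203.0.113.10"
VIP = "198.51.100.5"          # virtual server address on the BigIP
POOL_MEMBER = "10.0.2.20"     # real server on its own internal VLAN
POOL_VLAN = ip_network("10.0.2.0/24")
BIGIP_INTERNAL = "10.0.2.1"   # BigIP's leg on the pool VLAN
SNAT_ADDR = "10.0.2.2"        # BigIP-owned address used when source NAT is on
VLAN_ROUTER = "10.0.2.254"    # the VLAN's own router (not the BigIP)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def lb_inbound(pkt: Packet, snat: bool) -> Packet:
    """Rewrite destination to the pool member; with snat also rewrite the source."""
    return Packet(src=SNAT_ADDR if snat else pkt.src, dst=POOL_MEMBER)

def server_reply(pkt: Packet) -> Packet:
    """The pool member answers whatever source address it saw."""
    return Packet(src=pkt.dst, dst=pkt.src)

def next_hop(pkt: Packet, default_gw: str) -> str:
    """Pool member's route lookup: on-link hosts directly, everything else via default gw."""
    if ip_address(pkt.dst) in POOL_VLAN:
        return pkt.dst
    return default_gw

def apache_remote_addr(snat: bool) -> str:
    """Client address the pool member (e.g. Apache) will log for the connection."""
    return lb_inbound(Packet(CLIENT, VIP), snat).src

def reply_path_ok(snat: bool, default_gw: str) -> tuple[bool, str]:
    """Does the reply go back through the BigIP so it can be un-NATed? Returns (ok, next hop)."""
    inbound = lb_inbound(Packet(CLIENT, VIP), snat)
    hop = next_hop(server_reply(inbound), default_gw)
    return hop in (BIGIP_INTERNAL, SNAT_ADDR), hop

if __name__ == "__main__":
    for snat in (False, True):
        for gw in (VLAN_ROUTER, BIGIP_INTERNAL):
            ok, hop = reply_path_ok(snat, gw)
            print(f"snat={snat!s:5} gw={gw:12} reply via {hop:12} ok={ok} "
                  f"apache sees {apache_remote_addr(snat)}")
```

With source NAT the reply is addressed to the BigIP's own address and returns correctly whatever the default gateway is, at the cost of Apache logging the SNAT address instead of the client; without it the reply only reaches the BigIP if the BigIP is the pool member's default gateway.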
The Load Balancing Mailing List
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com
This archive was generated by hypermail 2.1.4 : Tue Jan 06 2004 - 12:44:47 EST