RE: [load balancing] F5 BigIP HA Questions

From: Michael Ferraro (mikeIZZATmyvest.com)
Date: Tue Jan 06 2004 - 12:29:35 EST

    Hi, Stephen

    If I have the F5 performing NAT to get the client traffic to a pool
    member, then I shouldn't need to have the internal IP of the F5 be the
    default gateway for the pool members, right? That's what I'm trying to
    avoid, because I plan to have the F5 and pool members on different
    VLANS, and it'd be a shame to have, for example, SSH traffic destined
    for the pool members have to go through the F5 in the DMZ to get back to
    me.

    If I'm NAT'ing the incoming HTTPS traffic, I'm going to lose the
    original client IP address, so there's no way I can have Apache log that
    info. How is the logging on the F5 itself? Can it log to a syslogd
    server? That'd be really helpful for reconciling the logs between (1)
    the F5, (2) Apache, and (3) my application server.

    Thank you, all, for your responses...they're helping me a great deal!

    Regards,
    Mike

    On Mon, 2004-01-05 at 18:31, Winter, R. Stephen wrote:
    > Mike, A quick caution before you buy a second-hand pair. There is a license file on the BigIP's that is required for the software to work. If that's not there, you will need to "register" with F5 (we paid about 5k for an HA pair I think, but we wanted maintenance and everything). If you lose the hard drive, you will need that license file, so make sure you copy it somewhere safe. Also, if you ever change the NIC, you'll have problems. The license is tied to the MAC address...
    >
    > Ok.. Without the SSL card you will not be able to terminate the SSL on the Big IP. But, you can still load balance by passing the packets directly to an SSL server. I don't remember if the F5 can read the SSL ID, but I know we did have some issues with the renegotiating of the SSL IDs, so you will need to set up a different type of persistence (maybe by source address will work for your situation).
    >
    > The source address of the original packet can be retained (default unless you add the NATting). In a "normal" config, you usually only re-write the destination address to the pool member. You can NAT the source address if you want to (and sometimes you need to). If you don't NAT, you will need the BigIP to be the default gateway. You can set up the BigIP to NAT on the way out (or not) for the pool member initiating traffic out past the BigIP if you do have it as the default gateway... (If you don't NAT, you can set it to forward as well...)
    >
    > I hope I wrote this as clearly as I saw it in my head...
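
    An added example, not from this thread, of the log reconciliation Mike asks about: with source NAT in place Apache records only the SNAT address, so the original client IP has to be recovered by joining the Apache access log against the balancer's connection log on the SNAT ip:port. The translation-log format below is hypothetical (constructed for the example, not F5's syslog format), and the Apache LogFormat is assumed to append the remote port to each combined-format line.

```python
import re
from datetime import datetime

# Constructed sample translation log in a HYPOTHETICAL format (not F5's real
# syslog output): epoch client_ip:port -> snat_ip:port -> pool_member:port
TRANSLATION_LOG = """\
1073408400 203.0.113.7:51234 -> 10.0.1.5:40001 -> 10.0.2.10:443
1073408402 198.51.100.9:44321 -> 10.0.1.5:40002 -> 10.0.2.11:443
1073408460 192.0.2.44:51235 -> 10.0.1.5:40001 -> 10.0.2.10:443
"""
# Constructed Apache lines as the pool member sees them: the remote host is
# the SNAT address. Assumes a custom LogFormat that appends the remote port.
APACHE_LOG = """\
10.0.1.5 - - [06/Jan/2004:17:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl" 40001
10.0.1.5 - - [06/Jan/2004:17:00:03 +0000] "GET /x HTTP/1.1" 404 12 "-" "curl" 40002
10.0.1.5 - - [06/Jan/2004:17:01:02 +0000] "POST /y HTTP/1.1" 200 99 "-" "curl" 40001
"""
APACHE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<port>\d+)$'
)

def parse_translations(text):
    """Return (start_epoch, snat_ip, snat_port, client_ip) tuples, oldest first."""
    entries = []
    for line in text.splitlines():
        ts, client, _, snat, _, _member = line.split()
        sip, sport = snat.split(":")
        entries.append((int(ts), sip, int(sport), client.split(":")[0]))
    return sorted(entries)

def restore_client_ips(apache_text, translations):
    """Return (client_ip, request, status) per Apache line, matching the most
    recent translation of the same SNAT ip:port that began at or before the
    request, so a reused ephemeral port (40001 here) maps to the right client."""
    results = []
    for line in apache_text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        key = (m["host"], int(m["port"]))
        client = "unknown"
        for start, sip, sport, cip in translations:
            if (sip, sport) == key and start <= when:
                client = cip  # later entries overwrite earlier ones
        results.append((client, m["req"], int(m["status"])))
    return results
```

    Note that the same SNAT port 40001 is reused a minute later by a different client; without the time-ordered match every request on that port would be attributed to the first client.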

    ____________________
    The Load Balancing Mailing List
    Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
    Archive: http://vegan.net/lb/archive
    LBDigest: http://lbdigest.com
    MRTG with SLB: http://vegan.net/MRTG
    Hosted by: http://www.tokkisystems.com

    This archive was generated by hypermail 2.1.4 : Tue Jan 06 2004 - 14:54:16 EST