Re: [load balancing] Big/IP Usage question

From: tony bourke (tonyIZZATvegan.net)
Date: Mon Nov 11 2002 - 15:30:33 EST


    Hi Michael,

    > > I currently have a PIX firewall in front of the BIG/IP that acts as both a
    > > firewall and handles the NAT.
    > >
    > > I am thinking about moving the BIP to the same level as the PIX and not
    > > having the web servers go through the PIX.
    > >
    > > So, I would use the BIP for NAT.
    > >
    > > My questions are:
    > >
    > > 1. Does this kind of config make sense

    Yes. Many sites are using their NAT-capable load balancers to double as
    firewalls for either cost-cutting or throughput reasons.

    > >
    > > 2. Is it possible to have return/outbound traffic go around the BIP and
    > > straight to the internet? If so, how?

    Only if you use Direct Server Return, known to BIG-IP as nPath. It
    doesn't make a whole lot of sense to send outbound traffic through the PIX
    though, the BIG-IP can handle the traffic and with symmetrical routing
    you've got much more control on what's going on. The PIX won't be able to
    do much security-wise handling only outbound traffic.

    > >
    > > 3. Are there any security concerns in doing what I mention above?
    > >

    Obviously check with portscans to make sure you're blocking everything
    you're blocking, but many high-profile sites (including ones I've set up)
    use this type of methodology.

    http://sysadmin.oreilly.com/news/loadbalancing_0801.html

    > > 4. Should I upgrade to 4.x first?

    Do you need to? No. Probably a good idea, although it's not giving any
    functionality that you don't already have in 3.x to do what you propose to
    do.

    Hope that helps,

    Tony

    > >
    > >
    > > ____________________
    > > The Load Balancing Mailing List
    > > Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
    > > Archive: http://vegan.net/lb/archive
    > > LBDigest: http://lbdigest.com
    > > MRTG with SLB: http://vegan.net/MRTG
    > > Hosted by: http://www.tokkisystems.com
    > >

    -- 
    -------------- -- ---- ---- --- - - - -  -  -- -  -  -  -   -     -
    Tony Bourke				tonyIZZATvegan.net
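
The portscan check suggested in the reply to question 3, as an added example that is not part of the original message: it reads nmap grepable (`-oG`) output from a scan run from outside the load balancer and compares the open ports on each VIP with what the policy says should be exposed. The sample scan text, the addresses (documentation range) and the `EXPECTED` policy are constructed for illustration.

```python
import re

# Constructed sample of nmap grepable (-oG) output for two load-balancer VIPs.
SAMPLE_SCAN = (
    "# constructed sample, not a real scan\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 3306/open/tcp//mysql///, "
    "8080/closed/tcp//http-proxy///\n"
)

# Assumed policy: ports each VIP is supposed to expose to the internet.
EXPECTED = {"192.0.2.10": {80, 443}, "192.0.2.11": {80, 443}}

# The Ports field ends at the next tab (other fields may follow it).
HOST_RE = re.compile(r"^Host: (\S+) .*?Ports: ([^\t]*)")

def open_ports(grepable):
    """Return {host: set of open TCP ports} parsed from nmap -oG text."""
    found = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                found.setdefault(host, set()).add(int(fields[0]))
    return found

def audit(grepable, expected):
    """Per host: open ports the policy does not allow, and allowed ports not open."""
    seen = open_ports(grepable)
    report = {}
    for host, allowed in expected.items():
        actual = seen.get(host, set())
        report[host] = {"unexpected": sorted(actual - allowed),
                        "missing": sorted(allowed - actual)}
    # A host with open ports that the policy does not list at all is a finding too.
    for host in seen.keys() - expected.keys():
        report[host] = {"unexpected": sorted(seen[host]), "missing": []}
    return report

if __name__ == "__main__":
    for host, r in sorted(audit(SAMPLE_SCAN, EXPECTED).items()):
        print(host, "unexpected:", r["unexpected"], "missing:", r["missing"])
```

Filtered and closed ports are deliberately not counted as exposed; only the `open` state is compared against the policy.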
    




    This archive was generated by hypermail 2.1.4 : Mon Nov 11 2002 - 15:38:00 EST