
I've been tasked with configuring our F5 Big-IP LTM. It's running 9.4.8.

I've read through the docs a bit and I'm a little confused. It specifies that there are two default VLANs: internal and external. The problem is that the servers that I want to load balance are in our DMZ, which is also where the load balancer is. When running through the configuration wizard, it won't let me specify the DMZ network on the internal interface since it's already defined on another VLAN (the external interface).

In a setup like mine, is the need for internal and external VLANs, as defined by the wizard, unnecessary? Since the load balancer is on the same subnet as the servers that it is balancing, can I just use a single interface?

MDMarra
  • 101,323

2 Answers

2

It is possible even though the Wizard will not let you configure it this way.

To configure it, you just have to set up a single VLAN on your interface that will handle internal and external traffic. F5 support calls this a "one-armed" topology.

SNAT must be enabled on the Virtual Servers that use that VLAN for traffic to flow correctly. That is the only caveat that support made me aware of.

MDMarra
  • 101,323
0

Using internal and external VLANs is a best practice to keep the internal network protected, but it's not mandatory.

I don't remember the v9 wizard, but in any case, just follow it and you'll be able to change everything afterwards.

You can load balance traffic on a single interface, but it's not ideal, since you will accumulate client-side and server-side traffic on the same link, and this could be a problem if you have high load.

If possible, keep using internal and external on the same DMZ but with different subnets.

The F5 box's IP setup doesn't have to reflect the exact DMZ subnet.

Also note that if you have a DMZ, that means that you have a firewall. You can put the BIG-IP between the firewall and your servers by creating a Forwarding VS that will enable the BIG-IP to work as a gateway for all non-load-balanced traffic.

Now if you want to have everything on the same subnet (note that the management interface cannot be on the same subnet as any other F5 self IP, but you can manage the box through a self IP), just create one single VLAN, with a single self IP.

The BIG-IP will access nodes and handle traffic through the same interface, but everything will work fine.

Actually, the BIG-IP platform allows any network setup (I've never been really limited). Your setup will depend on the security level and network design you need.

A single VLAN design is not a problem in a lab. But if you need to handle public traffic, then you will have to think a little more about where the BIG-IP has to stand.
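Both answers hinge on one question: which path does the server's reply take back to the client? The first answer says SNAT is the one caveat of the one-armed design; the second says an inline design with two VLANs (and a Forwarding VS for non-load-balanced traffic) works without it. The following is an added simulation, written for this page and not F5 code or anything from either answer, that traces a TCP flow through a tiny routing/NAT model of client, firewall, BIG-IP and two web servers. Every hostname and address (198.51.100.0/24 for the outside, 10.0.0.0/24 as the DMZ, 10.0.1.0/24 as a server VLAN, VIP 10.0.0.100) and the `Host`, `BigIP` and `Network` classes are constructed assumptions of the example, and the NAT logic is a deliberate simplification (real SNAT automap may also rewrite the source port):

```python
"""Constructed teaching model (not F5 code) of where a load-balanced TCP reply goes in a one-armed
vs. an inline BIG-IP design.  All names, addresses and the tiny routing/NAT engine are invented."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst sport dport")

class Host:  # plain IP host; forwards=True turns it into a router; routes = {prefix: next hop}
    def __init__(self, name, addrs, gateway=None, routes=None, forwards=False):
        self.name, self.net, self.forwards = name, None, forwards
        self.addrs = {ip_address(a.split("/")[0]): ip_network(a, strict=False) for a in addrs}
        self.routes = {ip_network(n): ip_address(g) for n, g in (routes or {}).items()}
        self.gateway = ip_address(gateway) if gateway else None

    def owns(self, ip):
        return ip in self.addrs

    def next_hop(self, dst):
        if any(dst in n for n in self.addrs.values()):
            return dst                                   # on-link: hand straight to the owner
        return next((gw for n, gw in self.routes.items() if dst in n), self.gateway)

    def handle(self, pkt):
        if self.owns(ip_address(pkt.dst)):
            return self.deliver(pkt)
        return self.net.send(self, pkt) if self.forwards else f"{self.name} dropped: not for it"

    def deliver(self, pkt):
        return f"{self.name} dropped: no listener"

class Client(Host):
    def connect(self, dst, dport=80):
        self.expect = (dst, dport)                       # a socket only accepts replies from its peer
        return self.net.send(self, Packet(str(next(iter(self.addrs))), dst, 40000, dport))

    def deliver(self, pkt):
        ok = (pkt.src, pkt.sport) == self.expect and pkt.dport == 40000
        return "accepted" if ok else f"client dropped reply from {pkt.src}: no connection to that peer"

class Server(Host):
    def deliver(self, pkt):                              # swap the tuple; routing picks the path back
        return self.net.send(self, Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport))

class BigIP(Host):  # one virtual server vip:80 -> pool; snat = SNAT automap; forwards = forwarding VS
    def __init__(self, name, addrs, gateway, vip, pool, snat, forwards=False):
        super().__init__(name, addrs, gateway, forwards=forwards)
        self.vip, self.pool, self.snat, self.conns, self.rr = ip_address(vip), pool, snat, {}, 0

    def owns(self, ip):
        return super().owns(ip) or ip == self.vip

    def handle(self, pkt):
        dst = ip_address(pkt.dst)
        if dst == self.vip and pkt.dport == 80:          # client -> VIP: choose a pool member
            member, self.rr = self.pool[self.rr % len(self.pool)], self.rr + 1
            # automap: the source becomes the self IP on the VLAN that faces the member
            src = str(next(ip for ip, n in self.addrs.items() if ip_address(member) in n)) if self.snat else pkt.src
            self.conns[(member, src, pkt.sport)] = (pkt.src, pkt.dst)
            return self.net.send(self, Packet(src, member, pkt.sport, 80))
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.conns:                            # member -> client: undo the translation
            client, vip = self.conns[key]
            return self.net.send(self, Packet(vip, client, 80, pkt.dport))
        if self.forwards and not self.owns(dst):         # forwarding VS: route it like a router would
            return self.net.send(self, pkt)
        return "BIG-IP dropped: no virtual server matches (default deny)"

class Network:
    def __init__(self, *devices):
        self.devices, self.trace = devices, []
        for d in devices:
            d.net = self

    def send(self, sender, pkt):
        hop = sender.next_hop(ip_address(pkt.dst))
        dev = next((d for d in self.devices if hop is not None and d.owns(hop)), None)
        if dev is None:
            return f"{sender.name} dropped: no route to {pkt.dst}"
        self.trace.append(f"{sender.name} -> {dev.name}  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return dev.handle(pkt)

def one_armed(snat):
    """Client beyond the firewall; BIG-IP and servers share the DMZ subnet 10.0.0.0/24."""
    client = Client("client", ["198.51.100.10/24"], gateway="198.51.100.1")
    fw = Host("firewall", ["198.51.100.1/24", "10.0.0.1/24"], forwards=True)
    ltm = BigIP("bigip", ["10.0.0.5/24"], "10.0.0.1", "10.0.0.100", ["10.0.0.11", "10.0.0.12"], snat)
    web = [Server(f"web{i}", [f"10.0.0.1{i}/24"], gateway="10.0.0.1") for i in (1, 2)]
    net = Network(client, fw, ltm, *web)
    return client.connect("10.0.0.100"), net.trace

def inline(forwarding_vs=False, target="10.0.0.100", dport=80):
    """Two VLANs: external 10.0.0.0/24, internal 10.0.1.0/24; servers default-route to the BIG-IP."""
    client = Client("client", ["198.51.100.10/24"], gateway="198.51.100.1")
    fw = Host("firewall", ["198.51.100.1/24", "10.0.0.1/24"], routes={"10.0.1.0/24": "10.0.0.5"}, forwards=True)
    ltm = BigIP("bigip", ["10.0.0.5/24", "10.0.1.1/24"], "10.0.0.1", "10.0.0.100",
                ["10.0.1.11", "10.0.1.12"], snat=False, forwards=forwarding_vs)
    web = [Server(f"web{i}", [f"10.0.1.1{i}/24"], gateway="10.0.1.1") for i in (1, 2)]
    net = Network(client, fw, ltm, *web)
    return client.connect(target, dport), net.trace
```

Running `one_armed(False)` shows the failure mode behind the first answer's caveat: the server sees the real client address, answers through its own default gateway (the firewall) and never passes the BIG-IP again, so the client receives a segment from 10.0.0.11 for a connection it opened to 10.0.0.100 and discards it. With `one_armed(True)` the member sees the BIG-IP self IP as the source, the reply lands on the BIG-IP, and the translation is undone. `inline()` shows the second answer's point: when the servers default-route to the internal self IP the reply is forced back through the BIG-IP without SNAT, and `inline(False, "10.0.1.11", 22)` versus `inline(True, "10.0.1.11", 22)` shows why a Forwarding VS is needed for traffic that is not load balanced, because a BIG-IP drops anything no virtual server matches. In tmsh (TMOS 10 and later) the SNAT setting is `source-address-translation { type automap }` on the virtual server; on the 9.x bigpipe CLI it is, from memory, the `snat automap` keyword of the `b virtual` definition, so verify that against the 9.4 bigpipe reference.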