[c-nsp] F5 BIG IP and FWSM

Max Reid max.reid at saikonetworks.com
Thu Sep 11 18:06:18 EDT 2008


> That looks backwards...why not have the DG for internal hosts be the
> BigIP, and DG the BigIP to the inside of the FWSM?
>
> The BigIP does a good job of performing NAT, and doesn't need to be
> directly connected to the nodes in its pools...in fact, I would highly
> recommend against connecting nodes directly to the BigIP - you should
> utilize a core switch block for that and default route to a floating
> internal ip on the BigIP, from there, upstream to the FWSM and let it
> handle security out front.

I concur with this advice, esp. the note about having an L3-connected
network between the back-end hosts and the 'Inside' interface of the
BigIP.


The main benefit is failover (no ARP issues on clients or F5) when
dealing with large load-balanced farms.

~Max


>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
> Sent: Thursday, September 11, 2008 11:08 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] F5 BIG IP and FWSM
>
> Hi,
>
> Has anyone worked with F5 BIG IP and FWSM? If yes, please help me. At
> this point I want to know about BIG IP and how it should be connected
> to the FWSM, especially in routed mode.
>
> My understanding -
>
> 6509 (MSFC) --> outside interface of LB --> Inside interface of LB ->
> FWSM context (multiple context)
>
> How will the BigIP be able to do load balancing when it is not
> directly connected to the servers? All servers' d/g is the FWSM context.
>
> Regards,
> Vikas Sharma
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


