NHLD Public IPs

I want to deploy NHLD to balance my internal users' Internet traffic across three ISP links, but the perimeter FW in front of the A10 is where their services are published.

That is to say, there is a NAT which publishes its servers.

What considerations should be taken into account to avoid moving that NAT from the FW to the A10?

Or does anyone have experience with this type of deployment?


Comments

  • mdunn Member, A10ers

    Typically NHLD is used for outbound internet connections. The configuration often consists of Wildcard VIPs with ACLs, and we can use the ACLs to select which traffic we are intercepting. If we only intercept outbound traffic, then there should be no distribution for inbound traffic such as the NAT you described. Then, you can keep the NAT on your FW configuration. Would that work for you?

    For further discussion, could you post a sanitized network diagram and your NHLD configuration?

  • sevren Member, A10ers

    NHLD is used to distribute traffic between multiple ISP links. From that perspective, having the NHLD device behind your perimeter firewall would require you to isolate those 3 ISPs virtually inside your firewall and create three different L3 domains between your perimeter firewall and the NHLD device, so that it can load balance traffic between 3 different end points.

    Normally NHLD is deployed at the edge, where it allows the A10 device to balance traffic between multiple service provider links. In your case you have another L3 device in the middle, which makes the NHLD device basically useless, since all traffic flows to the same device regardless.

    So, to make this approach work: if your firewall supports VDOMs or VRFs, terminate each ISP on a different VDOM/VRF on your firewall and make an isolated L3 connection between the NHLD device and your firewall. This would allow the NHLD device to assume that there are three different gateways and balance traffic accordingly, basically performing its task as it is supposed to. :)

    As commented above, sharing a sanitized network diagram would be helpful for further discussion.
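The following is an added illustration of the two points made in the comments above; it is not A10 code and not ACOS configuration syntax. It models what the wildcard-VIP ACL decides to intercept (outbound user traffic only, so inbound connections to the NAT-published services never touch the distribution and the NAT can stay on the firewall) and how intercepted flows are pinned to one of three distinct L3 next hops (one per ISP VDOM/VRF hand-off). All prefixes, gateway addresses and names are constructed for the example.

```python
"""Illustrative model of NHLD traffic selection and next-hop choice.

Added example, not ACOS configuration or A10 code.  Every prefix, gateway
address and name below is constructed for the illustration.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed topology.  The three gateways stand for the three isolated L3
# hand-offs (one per ISP VDOM/VRF on the perimeter firewall) that the NHLD
# device must see as distinct next hops to have anything to balance.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
PUBLISHED_SERVICES = [ipaddress.ip_network("203.0.113.10/32"),
                      ipaddress.ip_network("203.0.113.20/32")]  # NAT'd on the FW
NEXT_HOPS: Dict[str, str] = {
    "isp1": "192.0.2.1",
    "isp2": "192.0.2.17",
    "isp3": "192.0.2.33",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def acl_intercepts(flow: Flow) -> bool:
    """The wildcard-VIP ACL: intercept only outbound traffic from internal users.

    Anything inbound (including connections to the services the firewall NATs)
    and anything internal-to-internal falls through to normal routing, so the
    firewall's NAT never has to move onto the NHLD device.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if not any(src in net for net in INTERNAL_NETS):
        return False          # inbound or transit traffic: not ours
    if any(dst in net for net in INTERNAL_NETS):
        return False          # east-west traffic: no ISP involved
    if any(dst in net for net in PUBLISHED_SERVICES):
        return False          # internal users reaching the published services
    return True


def select_next_hop(flow: Flow,
                    healthy: Optional[Dict[str, bool]] = None) -> str:
    """Pick one ISP gateway deterministically per flow.

    The hop must stay stable for the life of a session: each ISP SNATs the
    flow to a different public address, so moving it mid-session breaks it.
    A real device keeps a session table; a flow hash is the stateless stand-in
    (and, unlike a session table, it remaps live flows when a gateway fails).
    """
    candidates = sorted(name for name in NEXT_HOPS
                        if healthy is None or healthy.get(name, True))
    if not candidates:
        raise RuntimeError("no usable ISP gateway")
    key = f"{flow.src}:{flow.sport}->{flow.dst}:{flow.dport}/{flow.proto}"
    digest = hashlib.sha256(key.encode()).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


def route(flow: Flow, healthy: Optional[Dict[str, bool]] = None) -> str:
    """Return the ISP name the flow is sent to, or 'bypass' if not intercepted."""
    if not acl_intercepts(flow):
        return "bypass"
    return select_next_hop(flow, healthy)


def distribution(flows: Iterable[Flow],
                 healthy: Optional[Dict[str, bool]] = None) -> Dict[str, int]:
    """Count how the given flows are spread over the gateways (or bypassed)."""
    counts: Dict[str, int] = {}
    for flow in flows:
        target = route(flow, healthy)
        counts[target] = counts.get(target, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: 300 outbound user sessions plus one inbound hit on a
    # published service, which must show up as "bypass".
    sample = [Flow(f"10.1.{i // 250}.{i % 250 + 1}", "93.184.216.34", 40000 + i, 443)
              for i in range(300)]
    sample.append(Flow("198.51.100.7", "203.0.113.10", 51234, 443))
    print(distribution(sample))
```

The check a practitioner would run against a real deployment is the same as the one the model makes explicit: confirm that inbound connections to the published addresses, and internal users' connections to those same addresses, never match the intercept ACL, and that the three gateways the device balances across are reachable over separate L3 segments rather than one shared firewall interface.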
