Forum Discussion
Arunprabhu_1147
Apr 24, 2014 · Nimbostratus
Hi, please find my inline replies. I have tried here to close the gaps in understanding.
1. Are the switches just operating at L2 (all the L3 is on the firewall and/or F5) or do they have a L3 interface for each 'internal' VLAN too?
The aggregation switches are operating at L3 and are configured as the default gateway for all the internal VLANs, say (100 - 104), and I have planned to create a routed VLAN (105) specifically between the firewall and the load balancer.
Similarly, the DMZ switches are operating at L3 and are configured as the default gateway for all the internal VLANs, say (200 - 204), and I have planned to create a routed VLAN (205) specifically between the firewall and the load balancer.
2. Rather confusing the VLANs are nearly all called Internal, shouldn't 201 onwards be called external?
This particular load balancer will be used for load balancing both internal servers and DMZ servers.
Thus I have two external VLANs: VLAN 105 as the external VLAN for internal servers and VLAN 205 as the external VLAN for DMZ servers.
- I assume you have static routes in place on the firewall for the VIP ranges, pointing to the F5?
Yes, as per your comment earlier, I will have a separate VIP range for each tenant and will not assign it to any VLAN. I will have a static route on the firewall pointing to the F5.
- VRFs operate at layer three don't they? If the switches don't have L3 interfaces surely there is no need for VRFs? I could be wrong, it's been a while since I've used them. Or is there a need to absolutely have a routed subnet for every tenant regardless, even if the separation is just via VLANs?
Yes, each tenant will be assigned a VRF at L3; say, all VLANs under Tenant-A are configured under Tenant-A_VRF in the aggregation switch. Thus I need to have a separate routed VLAN between the firewall and the load balancer for each tenant under its respective VRF. If I have assigned VLAN 105 for Tenant-A as a routed VLAN between the firewall and the load balancer, then I may have to go for, say, VLAN 110 as the routed VLAN between the firewall and the load balancer for Tenant-B and assign it under the Tenant-B VRF so that it is visible in the routing table.
Thanks, Arun