

Questions and Answers


Hello Guys!

I have been given the 172.31.39.0/24 network in order to create 4 subnets to assign to corresponding VLANs.


So right now I have:

172.31.39.0/26 subnet (VLAN 1)
172.31.39.64/26 subnet (VLAN 2)
172.31.39.128/27 subnet (VLAN 3)
172.31.39.160/27 subnet (VLAN 4)


My problem is that I cannot make hosts on different VLANs (subnets) talk to each other...

I know this should be pretty straightforward, but I can't find the way.


Thanks in advance!

22 Answer(s):

I assume your F5 has an IP on those subnets and is the default gateway for those backend systems?
Correct, Chris! I have created floating IPs for every VLAN and those floating IPs are the DG for the back-end systems...

And the problem is that when server A in VLAN ACS tries to talk to server B in VLAN NAS, it just can't...

I thought this should be pretty straightforward since all routes are directly connected to the BIG-IPs, but for some reason it is not...

I created SNATs for all VLANs with no positive effect...

This is an extract of the routing table:

root@F5-LTM1(Active)(tmos.net)# show route

Net::Routes
default gw 201.192.246.X static
127.1.1.0/24 interface tmm0 connected
127.10.0.0/16 interface tmm_bp connected
172.31.39.0/26 interface ICE_internal connected
172.31.39.64/26 interface MNG connected
172.31.39.128/27 interface ACS connected
172.31.39.160/27 interface NAS connected
201.192.246.X/28 interface Gestion_CPEs_RAI_Prod connected
201.192.246.X/28 interface Gestion_CPEs_RAI_Test connected

Thanks for your response!

Can you try an IP forwarding virtual server?

sol7595: Overview of IP forwarding virtual servers
http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html
As nitass says, the forwarding VS is the answer. Remember also that when you are running the F5 as the router you need to think about your security and application dependencies such as idle timeout, arb-mac timeout...
What I mean is that you should set up at least 2 forwarding VSs, IMHO.
outside-inside, inside-outside (this can also be your VS for inside-outside but also between your VLANs).

Some people even do a lot of VSs for inside-inside, but depending on how many VLANs you will have, that can be unmanageable in the end.


Why it is nice to have more than 1 VS is that you can tweak a lot of parameters depending on how the traffic will flow.

For example, you maybe need to have an idle timeout from external to internal of 1 h but maybe 5 min in the opposite direction, and so on.

/Beinhard

Setting up the F5 as a router is fairly simple (once you know how to do that ;-)

According to some technotes, all you basically need to do is:

 
ltm virtual /Common/VS_ROUTE {
    destination /Common/0.0.0.0:any
    ip-forward
    mask any
    profiles {
        /Common/FASTL4_ROUTE { }
    }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual-address /Common/0.0.0.0 {
    address any
    arp disabled
    mask any
    traffic-group /Common/traffic-group-1
}
ltm profile fastl4 /Common/FASTL4_ROUTE {
    app-service none
    defaults-from /Common/fastL4
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}


*see below for UDP config*

And voila, the F5 will start to behave like a router/L3 switch (looking at its routing table for traffic that doesn't match any other VS). If you need dynamic routing, you enable ZebOS in the SSH shell and then use vtysh to get Cisco-style configuration (unfortunately the dynamic routing config isn't available in the GUI, only in the CLI/SSH).

A note regarding the idle timeout: it's just to clear the flow from the internal state table (since reset on timeout is disabled) in order to keep the state table as short (and fast) as possible. One could see the state table in this case as similar to CEF (Cisco Express Forwarding) if you are used to Cisco lingo.
And here is the UDP tweak (the F5 forum doesn't seem to like two code blocks after each other with some regular text in between):

And to tweak UDP traffic you also add:

Something is broken in the F5 forum... will do a second attempt below...
Let's see if it works this time?


ltm virtual /Common/VS_ROUTE_UDP {
    destination /Common/0.0.0.0:any
    ip-forward
    ip-protocol udp
    mask any
    profiles {
        /Common/FASTL4_ROUTE_UDP { }
    }
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual-address /Common/0.0.0.0 {
    address any
    arp disabled
    mask any
    traffic-group /Common/traffic-group-1
}
ltm profile fastl4 /Common/FASTL4_ROUTE_UDP {
    app-service none
    defaults-from /Common/fastL4
    idle-timeout 5
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}
 
Posted By mikand on 01/14/2012 02:31 PM
And here is the UDP tweak (the F5 forum doesn't seem to like two code blocks after each other with some regular text in between):

And to tweak UDP traffic you also add:

Something is broken in the F5 forum... will do a second attempt below...

Hi Mikand,

The quick reply feature doesn't handle two code blocks (or quote blocks?) in the same post. The main reply functionality does though. So either use the reply button instead of quick reply, or you can use quick reply and then click edit and save.

Aaron
mikand:
I guess you don't have any firewalls between your subnets?
Because of the loose option...

/Beinhard
The loose open/close is because the entry will go away from the internal state table in the F5.

If you don't enable loose open/close, the F5 will step in and tell the client that there is no current state available (since F5 nowadays is default deny).

There is a PDF somewhere on the F5 site that better explains why these settings are needed.
That "document" I had in mind:

http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html (the stuff regarding PVA can be ignored on modern F5 appliances).



I agree that the loose option can be good, but only if you have a plain network without security zones. What I mean is that if you have firewalls between your point A and B, the firewall will be stateful and because of that it will block the traffic before the F5, so the loose option will not be in use.

IMHO a firewall should do firewalling, a router should do routing and an ADC should do load balancing, as far as you can.
Some services I know myself can't be used with SNAT, so then the F5 will be the router.
SNAT is also not so fun for server administration guys, but they can learn =)

Good though that this topic came up =)

Regards,

Beinhard
IMHO there is (in most cases) no need for a Cisco (or whatever brand you like ;-) router if you already have a VIPRION 2x00/4x00 in your datacenter. Especially if your traffic flows are such that 99% or so of them will pass the F5 anyway. The VS used for routing (forwarding IP) won't do any SNAT on the traffic, it will just shuffle the packets (that is, packets that don't match any other better-matching VS). Also, when the F5 sits inline the need for SNAT will in many cases go away as well (compared to when it sits on a stick).

Compare the following flows as example:

client -> switch -> F5 -> firewall -> server

vs

client -> switch -> ciscorouter -> F5 -> ciscorouter -> firewall -> server

and it can be even worse if the netadmin didn't think at all, like:

client -> switch -> ciscorouter -> switch -> F5 -> switch -> ciscorouter -> firewall -> server

and so on ;-)
If 99% should anyway flow through an F5, I say you have a really optimized load-balancing data center.


About forwarding VS and SNAT, I know this and there are downsides to both, but what I mean is that routing should be done in a router, not primarily in an ADC.

Having non-load-balancing traffic in an ADC should be avoided,
firstly because it's eating up your capacity/performance and also because implementing different security zones is far, far more difficult.

Using a router (whatever brand) is primarily because of:
# Easy migration
# Easy to extend to different "sites" (with BGP or similar)
# Only dedicated traffic will hit the F5 (load-balancing traffic and not for example backups)


So how would you try to solve the example below (F5 as a router and L2 between the F5 and the backend VLANs is the setup in my mind, but feel free to change it):

Q1: Let's say you have 3 "backend VLANs" and you want to ensure that they can't talk directly to each other before they hit a firewall?

Q2: Same as above, but you have 150 VLANs?

Q3: The backend servers need to talk to their own VS and also to different VSs, but need to go through a FW first?

Q4: You want to have different partitions and use different gateways on these partitions. Segmentation with a FW should be possible between backend VLANs and also between partitions.


Regarding your flow example, I think that connecting the F5 with L2 towards the backend VLANs is preferred, so firewalling will be before the F5.

The above is something I thought about just quickly =)


/Beinhard

I disagree :)

Let's take your primary suspects for choosing a dedicated router instead of a VIPRION:

# Easy migration

Far easier to migrate the F5 if you ask me. When I set up a VS, this VS is automatically (once I click the sync link) synchronized with the failover partner. Using Cisco (or any other brand for that matter) and ACLs you need to manually log in to BOTH devices and do the same work twice (with the risk that both devices after a while don't have the same config, for example regarding ACLs and stuff).

# Easy to extend to different "sites" (with BGP or similar)

F5 has built-in support for BGP, IS-IS, OSPF and RIP for both IPv4 and IPv6, so no problem here. Compared to most regular routers, your F5 can also inject (and withdraw) these routes based on different monitors (not only based on latency and such, which IP SLA will bring you, but also L7 stuff like low latency AND reachable x number of times AND a DNS server bringing you correct replies etc. as a single monitor).

# Only dedicated traffic will hit the F5 (load-balancing traffic and not for example backups)

Well, in this case load-balanced traffic will hit your routers, which will be unnecessary. Regarding backups, it depends on where you place your backup servers. You can for example place them behind the internal firewall (since the backups contain sensitive data, won't they?) and let this firewall perform QoS for all traffic going to/from the backup DMZ (backup traffic gets lowest priority) and voila, you can now even perform backups at lunch hours (and are not forced to wait until 02:00 AM).

There is plenty of other stuff that the F5 can do which an ordinary router most times cannot, but something that's "hot" nowadays is IPv6... With the F5 as core router you can easily do 6to4 and 4to6 (and 6to6 along with 4to4 etc. :P), which means that your servers can still be IPv4 only (no need to dual-stack) but at the same time you can speak to the rest of the world using IPv6.

But let's take a look at the capacity of each blade and see if that's enough:

Viprion 2400 (2100Blade):
40Gbps L7/blade

Viprion 4400 (4200Blade):
18Gbps L7/blade

Rumours say that there are new blades coming for the 4400 series (or if it was the 2400 series, can't remember) this spring which will yield 320 Gbit/s per blade.

Also, what I'm speaking about here is not replacing all your routers with F5s (even if that would work, but in most cases be somewhat expensive =) but rather that instead of using 2x routers + 2x F5 you can merge these 4 units into just 2x F5.

Q1: With backend VLAN you mean server VLANs? In that case I would suggest placing them behind a firewall so I can have control of which traffic will be allowed between the zones (for example DNS servers in one, AD servers in another and so on). Preferably an NGFW (application firewall) which will not only look at port numbers but rather what's actually being transmitted in those packets that are passing by.

Q2: See above :-) For 150 VLANs one would need an L2 modular switch connected to the firewall at high speed, and the firewall would have the SVI (the default gateway for each VLAN is an IP address configured on the firewall). Use 802.1Q to separate the networks (and make sure you don't f**k up the config, for example turn off VTP, set interfaces into static trunk or static access mode (not auto) and also set allowed VLANs for each and every interface in your L2 modular switch). This also depends on your infosec regulations along with how many interfaces your firewall has.

Q3: Well, it's up to you, but I prefer to put the firewall close to my golden eggs (so the eggs won't get scrambled =). So if the AD server from Q1 wishes to speak to the DNS server, it will either speak directly to the physical IP (this way the traffic goes AD -> L2-switch -> firewall -> L2-switch (another VLAN) -> DNS) OR speak to the VS IP, but then the traffic will go out from the firewall to the core F5, which will then decide which DNS server your request will actually be sent to (same site or different site, unless the F5 replies on its own ;-)

Q4: This will be by design when you put each system in its own VLAN behind the firewall (where the VLAN IP (the default gateway for the server) is an IP configured on the firewall as described in Q2). You can also bundle the systems into larger VLANs if you prefer it that way (or the other way around: each server gets its own VLAN, so even traffic between DNS1 and DNS2 needs to pass the firewall).

Regarding your comment on my flow example, sure, but having the F5 before the firewalls (meaning client - F5 - firewall - server) is the preferred method if you have multiple sites (this way the core F5 will send the client to the server which is actually reachable, no matter if it's the server that is failing or the firewall in front of the server). Using this setup you can then also enable WON (WAN acceleration) in your F5, because the setup will basically be: siteA-F5 <-> WAN (MPLS, EVLS, own wavelengths or whatever) <-> siteB-F5
Posted By mikand on 01/19/2012 07:10 AM
I disagree :)

Let's take your primary suspects for choosing a dedicated router instead of a VIPRION:

# Easy migration

Far easier to migrate the F5 if you ask me. When I set up a VS, this VS is automatically (once I click the sync link) synchronized with the failover partner. Using Cisco (or any other brand for that matter) and ACLs you need to manually log in to BOTH devices and do the same work twice (with the risk that both devices after a while don't have the same config, for example regarding ACLs and stuff).

I didn't mean manageability, but since you brought this up, the answer to this in big datacenters is of course a management tool that pushes configuration to devices.
And that management tool should push configuration changes to whatever brand: F5, Cisco, VMware and so on.

What I meant with migration was that having a lot of "golden eggs in the golden basket" is always harder to migrate, or maybe because of some PCI requirements you need to move some part of your network to some other security zone/hardware and whatever.



# Easy to extend to different "sites" (with BGP or similar)

F5 has built-in support for BGP, IS-IS, OSPF and RIP for both IPv4 and IPv6, so no problem here. Compared to most regular routers, your F5 can also inject (and withdraw) these routes based on different monitors (not only based on latency and such, which IP SLA will bring you, but also L7 stuff like low latency AND reachable x number of times AND a DNS server bringing you correct replies etc. as a single monitor).
Mmm, BGP with ZebOS is of course an option, but from what I have heard there are some issues and also a lack of features if you compare to a dedicated router. If I don't remember wrong, one example was multicast, which was not so great.


# Only dedicated traffic will hit the F5 (load-balancing traffic and not for example backups)

Well, in this case load-balanced traffic will hit your routers, which will be unnecessary. Regarding backups, it depends on where you place your backup servers. You can for example place them behind the internal firewall (since the backups contain sensitive data, won't they?) and let this firewall perform QoS for all traffic going to/from the backup DMZ (backup traffic gets lowest priority) and voila, you can now even perform backups at lunch hours (and are not forced to wait until 02:00 AM).
IMHO a router is there to just route traffic, so you shouldn't try to classify what types of data a router should make routing decisions on; it's just doing routing between subnets. Also, depending on your network size, use security zones with VRFs and then go towards the firewall for decisions. But the latter is of course a design question, whether you want to have thousands of L3 interfaces in the firewall or not. And it's also here you can "leak" backup traffic, so that particular traffic can leak between VRFs with no FW/ADC and so on.

Where did the internal firewall come from? I really don't understand?
I haven't said that we talked about DMZ or restricted zones, just design flows, but if we play with the thought, putting QoS as far from the client as that is maybe not the best way.
But you can solve capacity problems either with QoS or by putting in more bandwidth...
I like the bandwidth option.





There is plenty of other stuff that the F5 can do which an ordinary router most times cannot, but something that's "hot" nowadays is IPv6... With the F5 as core router you can easily do 6to4 and 4to6 (and 6to6 along with 4to4 etc. :P), which means that your servers can still be IPv4 only (no need to dual-stack) but at the same time you can speak to the rest of the world using IPv6.
Agreed, using the F5 for protocol 41 is really good.
But let's take a look at the capacity of each blade and see if that's enough:

Viprion 2400 (2100Blade):
40Gbps L7/blade

Viprion 4400 (4200Blade):
18Gbps L7/blade

Rumours say that there are new blades coming for the 4400 series (or if it was the 2400 series, can't remember) this spring which will yield 320 Gbit/s per blade.

Also, what I'm speaking about here is not replacing all your routers with F5s (even if that would work, but in most cases be somewhat expensive =) but rather that instead of using 2x routers + 2x F5 you can merge these 4 units into just 2x F5.
I have not been complaining about the performance of an F5, I'm just saying that mixing routing/ADC and having that in the same box is not something I can say is good if you look at all aspects that a modern network demands.
Do you later want to add firewalling as well to the F5, because soon it's also certified?

But below I like:
ADC ==> Dealing with ADC traffic and also ASM, APM is wise, because usually the F5 is the termination point and is sitting "right" in the traffic flow; because of that, having the WAF there seems smart.

Q1: With backend VLAN you mean server VLANs? In that case I would suggest placing them behind a firewall so I can have control of which traffic will be allowed between the zones (for example DNS servers in one, AD servers in another and so on). Preferably an NGFW (application firewall) which will not only look at port numbers but rather what's actually being transmitted in those packets that are passing by.
So how do you do this: do you have the server pointing to the FW and then the FW has point-to-point links to the F5, or do you have a forwarding VS for each and every server VLAN and then to the last pool that is the FW? And because of the WC VS, all need to be in the Common partition if you do that.

Q2: See above :-) For 150 VLANs one would need an L2 modular switch connected to the firewall at high speed, and the firewall would have the SVI (the default gateway for each VLAN is an IP address configured on the firewall). Use 802.1Q to separate the networks (and make sure you don't f**k up the config, for example turn off VTP, set interfaces into static trunk or static access mode (not auto) and also set allowed VLANs for each and every interface in your L2 modular switch). This also depends on your infosec regulations along with how many interfaces your firewall has.
So what you are saying now is that the firewall is the router, or should I assume that you have point-to-point links to the F5, which then has a WC VS for all VLANs?
Q3: Well, it's up to you, but I prefer to put the firewall close to my golden eggs (so the eggs won't get scrambled =). So if the AD server from Q1 wishes to speak to the DNS server, it will either speak directly to the physical IP (this way the traffic goes AD -> L2-switch -> firewall -> L2-switch (another VLAN) -> DNS) OR speak to the VS IP, but then the traffic will go out from the firewall to the core F5, which will then decide which DNS server your request will actually be sent to (same site or different site, unless the F5 replies on its own ;-)
"this way the traffic goes AD -> L2-switch -> firewall -> L2-switch (another VLAN) -> DNS"
Where is the F5?
How are your servers set up, dual-legged and with a huge routing table?
I mean, to avoid asymmetric routing.

Q4: This will be by design when you put each system in its own VLAN behind the firewall (where the VLAN IP (the default gateway for the server) is an IP configured on the firewall as described in Q2). You can also bundle the systems into larger VLANs if you prefer it that way (or the other way around: each server gets its own VLAN, so even traffic between DNS1 and DNS2 needs to pass the firewall).
For me it feels that you are routing in both the F5 and the FW if I read all of what you have said.
Usually I think a lot of implementations are done by using the default gateway pointing at the F5 floating IP for servers.
However, in your example I believe that if a client wants to reach some system VS, let's say Exchange, first you will have a firewall to do firewalling for what is allowed to reach that VS. Then you reach the F5. The F5 sends the traffic again to the FW (because your servers have the FW as the default gateway) and then the FW will forward the request to the Exchange server.
Is that correct?




Regarding your comment on my flow example, sure, but having the F5 before the firewalls (meaning client - F5 - firewall - server) is the preferred method if you have multiple sites (this way the core F5 will send the client to the server which is actually reachable, no matter if it's the server that is failing or the firewall in front of the server). Using this setup you can then also enable WON (WAN acceleration) in your F5, because the setup will basically be: siteA-F5 <-> WAN (MPLS, EVLS, own wavelengths or whatever) <-> siteB-F5
Seems really unsecured.

I guess a lot can be misunderstood when trying to explain with only text, but sometimes I don't understand the red line in your design when the F5 shall be the router and, because of that, asymmetric routing needs to be avoided.

I'm sorry about the messy layout in this post, so I'm using the bold style of text... =)


Regards,

Beinhard
0) Don't use the quote "feature" on this forum; it's really hard to answer each individual claim by requoting the requote of a quote and so on...

1) I'm pretty sure the PCI requirements won't allow you to have the load balancer between the firewall and the server, because this way you are breaking your security zones.

2) Do you perhaps have some more information regarding ZebOS (since there are plenty out there using both ZebOS and Zebra as RR and for other features)?

3) As I see it, there is no need for router + F5 when the F5 alone can do the work very well. Having the F5 as core will also make you able to load balance between sites without involving BGP etc. Also perform load balancing at the L7 level.

You won't leak backup traffic since the firewall will separate the flows. How will you otherwise perform backups?

The backups in this case can be server -> firewall -> backup server; the clients on their own have no need to perform backups towards the backup servers. Also, backups from servers at site A will be to the backup servers at site A. In case the backup servers at site A fail for the servers at site A, the servers at site A can do their backup to the backup servers at site B if you wish. In this case the QoS will throttle the traffic, but you can of course apply the same QoS rules in the F5 as well to also shape the backup traffic which might go over the WAN links.

Using an internal firewall will protect your golden eggs, where you can have one DMZ for servers (let's say one VLAN per system or per server), one DMZ for backup servers, one DMZ for log servers, one DMZ for PKI servers and so on.

4) Firewalling and firewalling. One great feature that F5 brings you (which most firewalls won't) is the ASM feature with for example XML gateway firewalling (to protect SOAP/web services stuff). When you have the F5 inline I see no reason for not using the ASM for the flows where it can be used :)

Q1: One design can be as follows (just an example; in real life one would use smaller netblocks and so on):

Zones behind the firewall:
DMZ1: 10.x.1.0/24
DMZ2: 10.x.2.0/24
DMZ3: 10.x.3.0/24

where x is the site (well, datacenter that is).

and then let 10.0.0.0/24 be the virtual range where you put individual VSs.

The firewall in this case will be all transparent (only the next hop will be visible, and perhaps if one does a traceroute).

So to reach each physical DNS server the client can either address 10.1.1.1 / 10.2.1.1 / 10.3.1.1 OR the client can just address 10.0.0.1 and let the F5 decide which DNS server the request will be forwarded to.

The VS in this case would look like:

10.0.0.1:53/255.255.255.255
->
10.1.1.1:53
10.2.1.1:53
10.3.1.1:53

Q2: The firewall is the default gateway for the servers (one VLAN per system or server, depending on your needs). The switches which the servers are attached to only need to do L2 (VLAN/802.1Q), so no need for expensive L3 devices here. So yes, the firewall will do routing, but only routing for the DMZs directly attached (L3 interfaces on the firewall). The default gateway for the firewall will be pointing to the F5.

Q3: The F5 is outside the firewall from the server's point of view. But of course this is up to you, where you choose to place your F5.

Q4: No, the client addresses the VS in the F5, which sits close to the clients. The F5 will then decide which server at which site your request will be sent to. Because the server sits behind the internal firewall, the F5 will not only take care of a server failing but also of the internal firewall failing. If the internal firewall at the local site is failing, the client request will be sent to another site (where the F5 addresses the physical IP of the server; otherwise you would end up with a routing loop if your local F5 addresses the VS at the other site).

The physical design can be:

External net
|
External firewall
|
Client(s) - F5 - WAN (to other sites)
|
Internal firewall
|
Server(s)

(both the external and the internal firewall are connected to the F5, which acts as core router and load balancer, even if my ASCII drawing skillz are failing ;)

But how your design looks depends on many parameters. The above will be robust against DDoS arriving from the external net, because you might expect the external firewall to go offline, which will then protect the internal resources (compared to if you would connect all the networks to a single firewall; even if the external firewall is offline, the internal firewall is still functioning and can serve your clients).
Hi Mikand,
Sorry for the delay, I have been on a vacation without internet (how is that now possible?)

1) If you are using SNAT and the servers point to the router's SVI (can also be x number of SVIs in VRFs) and that "zone" is firewalled, either between every VLAN or by using FW rules between VRFs, it depends on your zoning model. So with SNAT only load-balanced traffic is hitting the F5, and because of that the F5 can sit with L2 to the load-balanced servers. You will not be breaking any rules, and why would you double firewall traffic that first hits the VS and is then load balanced to the server? It should be enough with VS firewalling, and server-to-server is of course firewalled because that traffic will not go to the F5; it goes to the router/FW. SNAT has limitations, but not using SNAT and using the F5 as a router also has "downsides".

2) I checked this out maybe 1-2 years ago and then you couldn't use routing domains and some nasty bugs were there, like scratching the BGP/OSPF configuration. Don't remember the SOL number, but hitting new bugs was more expected with ZebOS than with maybe Juniper or Cisco. More I don't know.

3) What I meant with "leak traffic" is that sometimes you want to have some sort of traffic just pass through without a FW and an F5; it can be backup traffic.
Depending on the size of your backup traffic, it can be a nice thing to just "leak" between VRFs just that specific flow (destination IP to the backup IPs).

In your example "server -> firewall -> backup server" it's quite understandable that you also use the FW as a router.... Clients can of course be other servers also, so yes, they will need to do backups. But the above is, I guess, some misunderstanding from your/my side about what we are talking about.

I like firewalling so having all zones protected is of course mandatory.


4) As I said, ASM is nice.

One thing that I don't really like is that every forwarding VS needs to be in the Common partition. I guess also that if we don't want to bridge VLAN traffic, a lot of VSs need to be made; for example with 2500 VLANs we need 5000 VSs. But that of course depends on whether you use the FW or the F5 as the default gateway for the systems.
But one upside is that it can maybe be easier to have that in a GUI instead of a router's CLI. Haven't thought so much about that.


Regarding DDoS, IMHO the only thing that solves that (a big one) is to have your own AS and distribute the attacker's subnets to the ISP, because if not, we will fill our internet pipe pretty fast, so the ISP should take care of that. For smaller ones, the FW or dedicated equipment is OK.


So what I mean is that when using the F5 as a router, future migration, flexibility in some ways and avoiding asymmetric routing can be tough, so I repeat what I think:
# a router should do routing
# a FW should do firewalling
# an ADC should do load balancing (and WAF for ADC services)

Maybe I'm getting old, not seeing the plus of having so much in 1 box.

What are the performance numbers for routing on the big F5 boxes?
An ASR1006 has 40 Gbit in the sales specification to compare against, not so much, but that is a pretty enterprise router.


/Beinhard
Hey guys, I guess enough said and a lot of suggestions given... which are all wonderful... but what was initially asked was something pretty straightforward and simple... Why do we have to go to the level of VSs of different kinds just to make the two VLANs talk to each other? Can't we achieve it by simply adding static routes on the LTM box?

Regards,
The quick answer is because the LTM isn't a router... However, only 1 (default) network VS is REQUIRED for it to forward traffic. Your requirement to policy route that via the firewall leads to a more complex solution.

H

I have combed this thread to find out how inter-VLAN was accomplished; it is not clear. Understood the going off on a tangent.

Scenario:
I have two internal VLANs. All configured with VSs for external incoming traffic. Now I want a server in VLAN A to communicate with a server in VLAN B. No firewall.


     | VS
    LTM
    / \
   /   \
  /     \
Vlan A    VLAN B
Server A  Server B

I can ping both servers from the LTM. Both VLANs show as connected to the LTM in #/tmsh.net/show route.

Do I need to create a VS for these two servers to talk to each other?

Do I need to create a VS for these two servers to talk to each other?
Yes, an object listener (virtual server, SNAT or NAT) is required.
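As an added example (not code from the thread, from F5, or from any poster): a small Python model of the poster's address plan and of the default-deny behaviour the answers describe, where inter-VLAN traffic is only forwarded when a listener such as the wildcard ip-forward VS matches. The ForwardingVS fields and the precedence rule in select_listener are simplifying assumptions chosen to reproduce the thread's intent (the UDP VS overriding the generic one); this is a teaching model, not BIG-IP's actual matching code.

```python
"""Model of the thread: four connected VLAN subnets on an LTM, and traffic
between them forwarded only when a listener matches (default deny otherwise).
Simplified model for illustration; not BIG-IP's real matching algorithm."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Connected routes taken from the 'show route' extract in the thread
# (VLAN name -> directly attached subnet).
CONNECTED_ROUTES = {
    "ICE_internal": ip_network("172.31.39.0/26"),
    "MNG": ip_network("172.31.39.64/26"),
    "ACS": ip_network("172.31.39.128/27"),
    "NAS": ip_network("172.31.39.160/27"),
}
PARENT = ip_network("172.31.39.0/24")  # the block the original poster was given


def unallocated(parent=PARENT, used=CONNECTED_ROUTES):
    """Return the parts of `parent` that no allocated subnet covers."""
    remaining = [parent]
    for net in used.values():
        nxt = []
        for block in remaining:
            if block.subnet_of(net):        # block fully consumed by net
                continue
            if net.subnet_of(block):        # carve net out of block
                nxt.extend(block.address_exclude(net))
            else:                           # disjoint, keep as is
                nxt.append(block)
        remaining = nxt
    return sorted(remaining)


@dataclass
class ForwardingVS:
    """A network (wildcard) ip-forward virtual server, as in the thread."""
    name: str
    destination: IPv4Network            # 0.0.0.0/0 models 'destination 0.0.0.0 mask any'
    protocol: str = "any"               # 'any', or a specific one such as 'udp'
    vlans: Optional[frozenset] = None   # None models 'vlans-disabled' (all VLANs)

    def matches(self, dst, proto, ingress_vlan):
        if dst not in self.destination:
            return False
        if self.protocol != "any" and self.protocol != proto:
            return False
        if self.vlans is not None and ingress_vlan not in self.vlans:
            return False
        return True


def vlan_for(addr):
    """VLAN whose connected subnet contains addr, or None if not attached."""
    for vlan, net in CONNECTED_ROUTES.items():
        if addr in net:
            return vlan
    return None


def select_listener(listeners, dst, proto, ingress_vlan):
    """Most specific match wins: longest destination prefix, then a
    protocol-specific VS over a protocol-'any' one.  ASSUMPTION: this
    ordering only reproduces the thread's intent (VS_ROUTE_UDP overriding
    VS_ROUTE for UDP); it is not the complete BIG-IP precedence algorithm."""
    hits = [vs for vs in listeners if vs.matches(dst, proto, ingress_vlan)]
    if not hits:
        return None
    return max(hits, key=lambda vs: (vs.destination.prefixlen, vs.protocol != "any"))


def forward_decision(listeners, src, dst, proto="tcp"):
    """Decide what the model LTM does with a packet src -> dst."""
    src, dst = ip_address(src), ip_address(dst)
    ingress = vlan_for(src)
    if ingress is None:
        return "drop: source not on a connected VLAN"
    vs = select_listener(listeners, dst, proto, ingress)
    if vs is None:                      # no listener at all: default deny
        return "drop: no listener matches (default deny)"
    egress = vlan_for(dst)
    if egress is None:                  # not connected: routing table default
        return f"forward via {vs.name}: {ingress} -> default gateway"
    return f"forward via {vs.name}: {ingress} -> {egress}"


# Listeners mirroring VS_ROUTE and VS_ROUTE_UDP from the thread's config.
VS_ROUTE = ForwardingVS("VS_ROUTE", ip_network("0.0.0.0/0"))
VS_ROUTE_UDP = ForwardingVS("VS_ROUTE_UDP", ip_network("0.0.0.0/0"), protocol="udp")

if __name__ == "__main__":
    print("unused space in the /24:", unallocated())
    print("no listener:", forward_decision([], "172.31.39.130", "172.31.39.165"))
    print("with VS_ROUTE:", forward_decision([VS_ROUTE], "172.31.39.130", "172.31.39.165"))
    print("UDP:", forward_decision([VS_ROUTE, VS_ROUTE_UDP], "172.31.39.130", "172.31.39.165", "udp"))
```

Restricting `vlans` on a forwarding VS is the model's counterpart of Beinhard's point that one wildcard VS listening on every VLAN bridges all zones; the restricted variant in the test shows the difference.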
