
vCMP + AVR + Direct Connect + No SNAT

  • We are leveraging a pair of VIPRION chassis, with dedicated VCMP provisioning.
  • We are creating an AirGap between VCMP guests.
  • We have a directly connected interface on the VIPRION chassis to an in-line tool, and back to the VIPRION (VIPRION port 1/1.4 --> inline tool 1x/x/1 --> inline tool 1x/x/2 --> VIPRION port 1/1.8 - essentially a loopback).
  • We are using unique route domains per tenant to separate/segment tenant constructs.


The challenge is routing across this direct-connect link. We need to be able to BGP peer between the vCMP guests. I cannot share the same VLAN (no L2 adjacency) because of sharing the same hypervisor host. We need the in-line tool to be able to establish what VLAN/network it's coming from so it can steer traffic to various tool ports. I've tried Q-in-Q across the link, I've tried L3 interface/routing across, and various other tagging/untagging configurations on this direct link.

Has anyone looked at a similar design?

  1. VCMP dedicated on hypervisor
  2. Advanced Routing Module (using BGP)
  3. Route domains

Requirements:

  1. Create an inbound, and outbound, airgap between F5s, feeding in-line tools the decrypted data.
  2. The public-facing F5 hosts the VIPs and terminates the SSL sessions.
  3. Re-encrypt data before sending traffic to the pool resource.
  4. No SNAT.
  5. BGP routing/peering between the various networking components (Router <--> F5 <--> F5 <--> Firewall).
