- We are leveraging a pair of VIPRION chassis, with dedicated VCMP provisioning.
- We are creating an air gap between vCMP guests.
- We have a directly connected interface on the VIPRION chassis to an in-line tool, and back to the VIPRION (VIPRION port 1/1.4 --> inline tool 1x/x/1 --> inline tool 1x/x/2 --> VIPRION port 1/1.8 - essentially a loopback).
- We are using unique route domains per tenant to separate/segment tenant constructs.

The challenge is routing across this direct-connect link. We need to be able to BGP peer between the vCMP guests. I cannot share the same VLAN (no L2 adjacency) because the guests share the same hypervisor host. We need the in-line tool to be able to establish what VLAN/network the traffic is coming from so it can steer traffic to various tool ports. I've tried Q-in-Q across the link, L3 interface/routing across it, and various other tagging/untagging configurations on this direct link.
Has anyone looked at a similar design?
1. VCMP dedicated on hypervisor
2. Advanced Routing Module (using BGP)
3. Route domains
Requirements:
1. Create an inbound and outbound air gap between F5s, feeding the in-line tools the decrypted data.
2. The public-facing F5 hosts the VIPs and terminates the SSL sessions.
3. Re-encrypt data before sending traffic to the pool resource.
4. No SNAT
5. BGP routing/peering between the various networking components (Router <--> F5 <--> F5 <--> Firewall)
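For readers unfamiliar with how the pieces in this design fit together on the F5 side, the following is an added illustration (editor's example, not configuration from the original post) of the building blocks for one tenant on one vCMP guest: a tagged VLAN on the direct-connect port created on the vCMP host and assigned to the guest, a per-tenant route domain with BGP enabled inside the guest, a route-domain-scoped self IP on that link, and the BGP neighbor statement in imish. The guest name, VLAN name and tag, addresses, route-domain ID and AS numbers are assumed placeholders; the peer guest would mirror this with its own tag on port 1/1.8. It does not address the L2-adjacency question the post raises; it only shows the route-domain and BGP constructs the post refers to.

```tmsh
# --- On the vCMP host (hypervisor) ---
# The host owns the physical port; the guest only sees the VLAN it is given.
# 1/1.4 is the port from the original post; name and tag 104 are assumed.
create net vlan tenantA_link interfaces add { 1/1.4 { tagged } } tag 104
modify vcmp guest guestA vlans add { tenantA_link }

# --- Inside the vCMP guest (guestA) ---
# Per-tenant route domain (ID 10 assumed) with the BGP protocol enabled for it.
create net route-domain tenantA id 10 vlans add { tenantA_link } routing-protocol add { BGP }

# Self IP scoped to route domain 10 (the %10 suffix); no listeners on the link.
create net self tenantA_link_self address 10.0.4.1%10/30 vlan tenantA_link allow-service none
save sys config

# --- BGP peering for that route domain (imish -r 10 on the guest) ---
# ASNs, router-id and the peer address are assumed placeholders.
enable
configure terminal
router bgp 65001
 bgp router-id 10.0.4.1
 neighbor 10.0.4.2 remote-as 65002
 neighbor 10.0.4.2 description tenantA-peer-guest
end
write memory
```

The route domain must be created before the self IP that references it, and the VLAN must already be assigned to the guest by the host before the guest can put it in a route domain; `imish -r <id>` is what ties the BGP process to that route domain rather than to route domain 0.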