Forum Discussion

Nom_55811
Aug 09, 2011

iRule for Inter-VLAN Security?

Hi Guys,

We're looking at migrating all our existing server IP ranges behind an F5 8900 to take advantage of the ability to offload compression & SSL onto the F5 itself, instead of doing it on each server, amongst other features.

The question that's come up is how do we manage security between VLANs going forward. For example:

Web Server A - 10.1.1.1/24
Application Server B - 10.1.2.1/24
Database Server C - 10.1.3.1/24

All servers use the F5 as their default gateway.

Now imagine this is your average run of the mill 3 tier application. As the F5 will be doing all the routing between the three networks here (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24), how do we limit what can talk to what?

As an example:

A can talk to B on port 6969
B can talk to C on port 3306
ICMP is allowed globally for ping debugging, etc.
No other communication between servers is allowed.

How would I do this in an iRule? Has anyone done something like this? Does it scale to large lists?

Thanks

3 Replies

  • Is this applicable?

    Access Control Based On Network Or Host

    http://devcentral.f5.com/wiki/iRules.AccessControlBasedOnNetworkOrHost.ashx
  • The F5 BIG-IP is a default-deny device. Unless you configure a 0.0.0.0/0 forwarding virtual and enable it on all VLANs, only the traffic you configure to flow from vlan a->vlan b->vlan c will do so.
  • Thanks, nitass... I think that's exactly what I wanted.

    @Jason, we've configured a forwarding virtual, as you would when routing through the F5 is the only way you can reach your servers for management. I'm not sure that's a very helpful response (and I've seen it several times), but either way I think I have my answer :)
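An added example of the policy the question describes, written as an iRule for the 0.0.0.0/0 IP-forwarding virtual server mentioned in the replies (this is not code from the thread or from the linked DevCentral wiki page; the iRule name, the log prefix and the choice of `drop` over `reject` are assumptions). It allows 10.1.1.0/24 -> 10.1.2.0/24 on TCP/6969, 10.1.2.0/24 -> 10.1.3.0/24 on TCP/3306, ICMP everywhere, and drops and logs anything else:

```tcl
# inter_vlan_acl (assumed name): attach to the 0.0.0.0/0 forwarding virtual
# that is enabled on the web, application and database VLANs.
# CLIENT_ACCEPTED fires once per new flow (the initiating packet), so the
# return traffic of an allowed TCP connection is never re-evaluated here.
when CLIENT_ACCEPTED {
    set src   [IP::client_addr]
    set dst   [IP::local_addr]
    set proto [IP::protocol]

    # ICMP (IP protocol 1) is allowed globally for ping/debugging.
    if { $proto == 1 } {
        return
    }

    set allowed 0

    # Only TCP (protocol 6) flows carry a port we can check; UDP and
    # everything else fall through to the default deny below.
    if { $proto == 6 } {
        set dport [TCP::local_port]

        if { [IP::addr $src equals 10.1.1.0/24] &&
             [IP::addr $dst equals 10.1.2.0/24] &&
             $dport == 6969 } {
            # Web tier -> application tier
            set allowed 1
        } elseif { [IP::addr $src equals 10.1.2.0/24] &&
                   [IP::addr $dst equals 10.1.3.0/24] &&
                   $dport == 3306 } {
            # Application tier -> database tier
            set allowed 1
        }
    }

    if { !$allowed } {
        # Default deny: silently discard and record the attempt for review.
        log local0. "inter_vlan_acl: dropped proto $proto $src -> $dst"
        drop
    }
}
```

For the "large lists" part of the question, the same shape holds if the hard-coded networks are moved into address data groups and tested with `class match` instead of an if/elseif chain, which also lets the permitted networks be edited without touching the iRule.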