Forum Discussion

Greg_Ryan_33844
Aug 23, 2011

Best practice for implementing f5's on internal and external vlans

I am looking for best practices as well as use cases for using one pair of F5s to load balance both external (DMZ) and internal traffic. Currently I have two pairs, one for the DMZ and one for internal traffic. Both are on version 9.3.1, and upgrading has proven extremely difficult as there are many groups using them. What I have been contemplating is purchasing two 8900s for failover but using them to load balance traffic both on the DMZ and for internal traffic coming from the DMZ machines. Is this best practice? Is there any downside to this? Any feedback would be greatly appreciated.

2 Replies

  • It really comes down to your company's security policy. Some require the physical separation of devices in different security zones. I've seen it both ways, and the LTM is more than capable of handling the collapsed DMZ/internal infrastructure.
  • Hamish
    If you're going down the route of a single device, I'd recommend something like a VIPRION with vCMP... Best of both worlds :)
    Although the 8900 is perfectly capable of doing the segregation between DMZ and internal itself, I would tend not to... There's too much chance of misconfigurations leaving yourself open... With separate devices, you have to misconfigure a lot more before opening yourself up, which is important when the people who may be doing the config later may not be in full knowledge of the design decisions made to ensure your security.
    H