Forum Discussion

jafar_39850
Feb 03, 2010

Routing Issue

Not really urgent, but I was wondering if this can be done.

This is our current setup:

We have a DMZ switch, which the external interface of our Big-IP LTM is attached to. The address is, let's say, 200.x.x.x (accessible from the Internet), and there are a few other servers here on the same range.

The internal interface of the LTM is plugged into another switch, and the servers that we want to load-balance are here. They have internal IP addresses (10.x.x.x), and the servers are only accessible from the Internet via their external IP address on the F5's virtual server list.

Currently, the servers on the DMZ cannot connect to the servers behind the F5, which is good.

If I manually add the route to the routing table on each of the servers in the DMZ, though (something like route add -net 10.x.x.x gw theipaddressoftheltm in Linux), I can gain access to it.

How do I turn off this routing issue? I don't care if it's turned off or blocked; I just don't see how I can do it on the LTM.

3 Replies

  • Hi Jafar,

    The one thing you could do is add an iRule to the forwarding virtual server to block any L3 connectivity into the internal IP address.

    There is also a setting on the forwarding virtual server that lets you apply the VS to ONLY specific VLANs, so basically you can apply it to the internal segment but exclude the DMZ side.

    I hope this helps.

    Bhattman

  • OK, stupid question here then.

    How do I apply an iRule to one of Big-IP's self-IPs?

    At this stage, none of the self-IPs are virtual servers.

    I suppose the other thing I could do is set the firewall rules on each of the boxes in the pool instead and not worry about Big-IP's routing.

  • Hi Jafar,

    Not a stupid question. Self-IPs are not virtual servers. iRules can only be applied on virtual servers. When you create a wildcard forwarding VS, it will basically be passing traffic between the external side of the LTM and the backend side of the LTM and vice versa.
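As an added example (not from this thread and not F5's own code), this is the kind of iRule the two replies above describe, attached to the wildcard forwarding VS: it refuses and logs new flows that enter from the DMZ range and are destined for the internal server range, while leaving all other forwarded traffic alone. The two address ranges are placeholders assumed here for the thread's 200.x.x.x and 10.x.x.x networks.

```tcl
# Added example iRule for the wildcard forwarding virtual server.
# The ranges below are assumed placeholders; replace them with the real
# DMZ subnet and the internal server subnet behind the LTM.
when RULE_INIT {
    set static::dmz_net      "200.0.0.0/24"
    set static::internal_net "10.0.0.0/8"
}

when CLIENT_ACCEPTED {
    # Only L3 transit from the DMZ side into the internal range is refused.
    # Return traffic and internal-to-outbound flows fall through untouched.
    if { [IP::addr [IP::client_addr] equals $static::dmz_net] &&
         [IP::addr [IP::local_addr] equals $static::internal_net] } {
        # IP::protocol is used rather than a TCP port so the rule is also
        # safe on a forwarding VS configured for all protocols.
        log local0. "fwd-vs blocked DMZ->internal [IP::client_addr] -> [IP::local_addr] proto [IP::protocol]"
        reject
    }
}
```

Enabling the forwarding VS only on the internal VLAN, as the first reply also suggests, removes the DMZ-to-internal path without any iRule; this rule adds an explicit, logged deny on top of that so attempts are visible.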