does vlan need interface assigned?

Question

I have a VE LTM that is on the DMZ interface of the firewall but listens on two vlans (DMZ and inside). The self-IP is assigned to the inside vlan. The inside vlan has interface 1.1 assigned to it. The DMZ vlan has no interface assigned to it.
Traffic comes from outside to the Big-IP in the DMZ then back through that interface to the ASA to the inside network.&nbsp;
Now I am setting up a physical cluster with the intention of the VE going away. I have more physical interfaces with the physical devices, should I setup the interfaces as the same as is on the VE as described above, or something different? I was thinking that on the Big-IP I could now have an interface assigned to each the DMZ and the inside but what purpose or benefit would that server since traffic would have to leave the Big-IP on the DMZ interface anyway and always traverse the firewall?
Any suggestions? Thanks.&nbsp;

thomas_gobet_91 · Answer

Hi,&nbsp;
Bests deployment are when you use at least 2 arms (best on security).&nbsp;
For example with a single arm deployment, imagine if you're under DDoS attack. Even if you're F5 can protect your server from this attack, your monitors will be impacted because they use the same interface.&nbsp;
What you can do if you want to keep this 802.1q tag as a DMZ separator is to use trunk with two interfaces.&nbsp;
Keep in mind that if you want to use a cluster it's recommended to use a vlan dedicated for synchronization.&nbsp;
When I have to deploy new BIG-IPs for my customers, I usually use 3 interfaces or 4 if it's a cluster (1 for the MGMT, 1 for DMZ network, 1 for inside, 1 for HA).&nbsp;

thomas_gobet · Answer

Hi,&nbsp;
Bests deployment are when you use at least 2 arms (best on security).&nbsp;
For example with a single arm deployment, imagine if you're under DDoS attack. Even if you're F5 can protect your server from this attack, your monitors will be impacted because they use the same interface.&nbsp;
What you can do if you want to keep this 802.1q tag as a DMZ separator is to use trunk with two interfaces.&nbsp;
Keep in mind that if you want to use a cluster it's recommended to use a vlan dedicated for synchronization.&nbsp;
When I have to deploy new BIG-IPs for my customers, I usually use 3 interfaces or 4 if it's a cluster (1 for the MGMT, 1 for DMZ network, 1 for inside, 1 for HA).&nbsp;

cory_50405 · Answer

You can technically do it both ways with no issues.&nbsp;
This comes down to a matter of personal (or company) preference/policy.  Whether you separate vlans via tagging on a trunk or untagged on their own physical ports, the result will be the same.  One advantage to dedicated interfaces is dedicated bandwidth.  Could be a concern based on the utilization of the links.&nbsp;

el_jefe · Answer

You can have VLANs that just live on the BigIP if that is your intention. Also, as you're switching to a physical box, remember that you can use LACP and team the interfaces to get more bandwidth.&nbsp;
Jeff&nbsp;

tolinrome_13817 · Answer

So for my understanding the way you set up the interfaces is with each their own vlan and no trunking on the interfaces?

Forum Discussion

does vlan need interface assigned?

8 Replies

Recent Discussions

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

Application Programming Interface (API) Authentication types simplified

Re: Mitigation of OWASP API6: 2019 Mass Assignment vulnerability using F5 Distributed Cloud Platform

vCMP logical interfaces throughput

Symmetric routing on NGINX Plus with multiple interfaces

MAC address assignment in F5