Forum Discussion

Eric_27403
Mar 31, 2014

Routing isolation with vlans

Looking for a little help here. I have this design I need to set up on our LTMs (11.3HF8) and am a bit stuck on routing. On the LTM front side, coming from a Cisco ASA trunk, are multiple DMZ VLANs (dot1q) going to VLANs behind the LTM. I need to make sure that each VLAN behind the LTM routes back up to the ASA and then back down to the LTM, so that it hits any ACLs. Basically, I can't have a back-end VLAN going to another VLAN using the F5 without routing up through the ASA first.

 

8 Replies

  • Also, each LTM has a failover LTM (not shown), set up as active/standby.
  • Hi!

     

    We have solved this by using virtual forwarding servers that only listen to the VLAN we want them to.

     

    To create a virtual forwarding server for, e.g., VLAN 633:

     

    1. Create virtual server.
    2. Set type Forwarding.
    3. Destination: Network, Network address + Mask
    4. Replace the default value of listening to all VLANs to only listen to the external VLAN.

    Now, provided that your default route goes to the ASA, the F5 will forward all internal traffic hitting the internal interfaces to the ASA according to its routing table.

     

    Note that you need one forwarding server per VLAN, and that the external forwarding server would have to listen to all internal VLANs.

     

    /Patrik

     

  • So a VFS for each VLAN, but I can't use a default route, as that would use only one interface up when there is more than one on the external?

     

  • Then you can create a FastL4 virtual server for each outgoing VLAN and route, and make it listen to only the internal VLANs that are supposed to use this particular route.

     

    Maybe not the best explanation, but do you understand what I mean?

     

    /Patrik

     

  • Sure, here you go:

    Pool containing the firewall (the next hop for all internal traffic)
    ltm pool /Routing/FW-10.10.13.1 {
        members {
            /Common/ENV-FW_VLAN13:0 {
                address 10.10.13.1
            }
        }
        monitor /Common/gateway_icmp
    }
    
    The "virtual router" for outbound traffic.
    Listens on all internal VLANs and forwards traffic on to the firewall.
    ltm virtual /Routing/VirtualRouter13 {
        # catch-all destination: every address not matched by a more specific VS
        destination /Routing/any:0
        mask any
        # any (not tcp) so ICMP and UDP also reach the firewall
        ip-protocol any
        pool /Routing/FW-10.10.13.1
        profiles {
            /Routing/fastL4 { }
        }
        source 0.0.0.0/0
        # plain routing: no SNAT/NAT, the firewall sees the real source and destination
        translate-address disabled
        translate-port disabled
        # internal VLANs only; the external VLAN13 must not be listed here
        vlans {
            /Common/VLAN30
            /Common/VLAN60
            /Common/VLAN70
            /Common/VLAN80
            /Common/VLAN90
            /Common/VLAN100
            /Common/VLAN150
        }
        vlans-enabled
    }
    
    Forwarding for internal VLANs for "inbound" traffic (one per internal VLAN).
    ltm virtual /Routing/virtualrouter-30 {
        # network destination: the whole VLAN30 subnet (assumed /24)
        destination /Routing/10.10.30.0:0
        # network mask, not 255.255.255.255, which would match only the single address 10.10.30.0
        mask 255.255.255.0
        ip-forward
        # any (not tcp) so ICMP and UDP are forwarded too
        ip-protocol any
        profiles {
            /Common/fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        # enabled on the external VLAN only, so no internal VLAN can reach
        # 10.10.30.0/24 through the F5 without going via the firewall first
        vlans {
            /Common/VLAN13
        }
        vlans-enabled
    }
    

    VLAN13 in this example is the external VLAN, and VLAN30 is an internal VLAN. We have one forwarding server for each VLAN. All inter-VLAN communication passes through the firewall. I forgot to remind you to disable port and address translation for the FastL4.

    Sorry about that. 🙂

    /Patrik
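
The design in the thread (an outbound catch-all virtual server enabled on the internal VLANs that hands everything to the firewall pool, plus one network forwarding virtual server per internal VLAN that is enabled on the external VLAN only) can be checked before it is pushed to the LTM. The Python below is an added example, not code from the original thread or from F5: it models the virtual servers, renders them as tmsh `create` commands in the shape of Patrik's config, resolves which virtual server catches a packet for a given ingress VLAN and destination (LTM picks the most specific destination among the virtual servers enabled on that VLAN), and uses that lookup to assert the isolation property, namely that no internal-to-internal path skips the firewall while the external VLAN still reaches every internal subnet. VLAN13, VLAN30, VLAN60, their subnets and the firewall address 10.10.13.1 are constructed to match the example; verify the rendered tmsh syntax against the TMOS version in use before pasting it.

```python
"""Added example (not from the original thread): model the per-VLAN forwarding
design, render it as tmsh, and check that every inter-VLAN path hits the firewall.
VLAN names, subnets and the firewall address below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vlan:
    name: str    # object name in /Common, e.g. "VLAN30" (assumed)
    subnet: str  # network behind it, e.g. "10.10.30.0/24" (assumed)


@dataclass(frozen=True)
class Forwarder:
    name: str
    network: ipaddress.IPv4Network  # 0.0.0.0/0 for the catch-all outbound VS
    vlans: tuple                    # VLANs the VS is enabled on (vlans-enabled)
    pool: Optional[str] = None      # outbound VS: next hop is the firewall pool
    # pool is None -> plain ip-forward (inbound per-VLAN forwarder)


def design(external: Vlan, internals: list, fw_ip: str, partition: str = "Routing") -> list:
    """One outbound 'virtual router' enabled on every internal VLAN that sends all
    traffic to the firewall, plus one inbound network forwarder per internal VLAN
    that is enabled on the external VLAN only."""
    fws = [Forwarder(
        name=f"/{partition}/VirtualRouter-{external.name}",
        network=ipaddress.ip_network("0.0.0.0/0"),
        vlans=tuple(v.name for v in internals),
        pool=f"/{partition}/FW-{fw_ip}",
    )]
    for v in internals:
        fws.append(Forwarder(
            name=f"/{partition}/virtualrouter-{v.name}",
            network=ipaddress.ip_network(v.subnet),  # mask from the CIDR, not /32
            vlans=(external.name,),
        ))
    return fws


def render_tmsh(fws: list, fw_ip: str, partition: str = "Routing") -> str:
    """tmsh create commands in the shape of the config posted in the thread."""
    lines = [f"create ltm pool /{partition}/FW-{fw_ip} members add {{ {fw_ip}:0 }} monitor gateway_icmp"]
    for f in fws:
        catch_all = f.network.prefixlen == 0
        dest = "0.0.0.0:0" if catch_all else f"{f.network.network_address}:0"
        mask = "any" if catch_all else str(f.network.netmask)
        action = f"pool {f.pool}" if f.pool else "ip-forward"
        lines.append(
            f"create ltm virtual {f.name} destination {dest} mask {mask} ip-protocol any "
            f"profiles add {{ fastL4 }} {action} translate-address disabled "
            f"translate-port disabled vlans add {{ {' '.join(f.vlans)} }} vlans-enabled"
        )
    return "\n".join(lines)


def lookup(fws: list, ingress_vlan: str, dst: str) -> Optional[Forwarder]:
    """Which virtual server catches a packet arriving on ingress_vlan for dst?
    Most specific destination wins among the VSs enabled on that VLAN."""
    ip = ipaddress.ip_address(dst)
    hits = [f for f in fws if ingress_vlan in f.vlans and ip in f.network]
    return max(hits, key=lambda f: f.network.prefixlen, default=None)


def check_isolation(fws: list, external: Vlan, internals: list) -> list:
    """Return violations; empty means every internal-to-internal path goes via the
    firewall and the external VLAN can still reach every internal subnet."""
    problems = []
    for src in internals:
        for dst in internals:
            if src is dst:
                continue
            f = lookup(fws, src.name, str(ipaddress.ip_network(dst.subnet)[1]))
            if f is None:
                problems.append(f"{src.name} -> {dst.name}: no virtual server, traffic dropped")
            elif not f.pool:
                problems.append(f"{src.name} -> {dst.name}: {f.name} forwards directly, bypassing the firewall")
    for dst in internals:
        f = lookup(fws, external.name, str(ipaddress.ip_network(dst.subnet)[1]))
        if f is None or f.pool:
            problems.append(f"{external.name} -> {dst.name}: inbound traffic not forwarded")
    return problems


# Constructed topology modelled on the thread: VLAN13 external, VLAN30/VLAN60 internal.
EXTERNAL = Vlan("VLAN13", "10.10.13.0/24")
INTERNALS = [Vlan("VLAN30", "10.10.30.0/24"), Vlan("VLAN60", "10.10.60.0/24")]
FW_IP = "10.10.13.1"
GOOD = design(EXTERNAL, INTERNALS, FW_IP)
# The mistake the thread warns against: enabling the VLAN60 forwarder on VLAN30 too.
BAD = [Forwarder(f.name, f.network, f.vlans + ("VLAN30",), f.pool)
       if f.name.endswith("VLAN60") else f for f in GOOD]

if __name__ == "__main__":
    print(render_tmsh(GOOD, FW_IP))
    print("good:", check_isolation(GOOD, EXTERNAL, INTERNALS))
    print("bad:", check_isolation(BAD, EXTERNAL, INTERNALS))
```

Running it prints the tmsh for the good design and an empty violation list, then a single violation for the misconfigured variant, where a host on VLAN30 would reach 10.10.60.0/24 through the F5 without the ASA ever seeing the flow. The lookup models only VLAN enablement and destination specificity; the floating self IP and the route on the firewall mentioned later in the thread are outside what it checks.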

  • After numerous threads, finally one that explains exactly what I needed. As a side note for people who might be searching for this: in addition to what's mentioned above, you need a floating self IP if you're running F5s in HA mode, and a route from your firewall/router (depending on where you're doing L3 routing) pointing to the F5's self IP.

     

    After that, follow the exact steps above and it'll work like a charm.

     

    Thanks a lot Patrik!