Forum Discussion

gavin84_31753
Jan 04, 2018

Physical LTM migration to VE and design

Hello,

We are currently in the design phase of migrating off of BIG-IP 6900s to 1Gb-VEs. My question is regarding "collapsing" internal and DMZ functionality onto one single pair. Our existing environment has two pairs of F5 LTMs, one in the DMZ and one in the Core. I'm trying to wrap my mind around bringing it all into one pair of LTMs. I've heard about route domains, and I know we can have multiple NICs on a VE. I don't want to sacrifice security in any way, but I have to imagine many engineers have deployed LTMs doing both DMZ web and Core-only web.

We have the DMZ and CORE VLANs broken out into different VRFs. The DMZ LTMs tie off our DMZ firewall. Then the DMZ firewall routes back to our top-of-rack switch, which does the layer 3 routing. The DMZ and the CORE VRFs are separated by an ASA firewall.

Hoping someone can offer some guidance here. My preference would be to keep the DMZ off of the Core and vice versa, which would mean doubling the amount of F5 VE Best bundle licenses we'll require.

Thanks

1 Reply

Be aware that route domains are not a security feature. Route domains are simply a way to have the same IP exist on two VLANs on the same BigIP. There is no intrinsic problem with having internal and DMZ traffic on the same BigIP. It's certainly no worse than having the DMZ and internal networks on the same firewall.

If you aren't comfortable with the traffic from the internal and DMZ networks flowing over the same chips, then you will want additional BigIPs. If you're running them over VEs then it doesn't make any difference.

If you want additional separation you can add administrative partitions and place your DMZ objects and your internal objects in different partitions. This makes it much harder to make a mistake. You would then create your objects in the relevant partition.

This should help: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/3.html
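As an added illustration of the layout the reply describes (example tmsh commands written for this thread, not configuration from the poster, the replier or F5's documentation), the script below puts DMZ and Core objects into separate administrative partitions, gives each partition its own route domain and VLANs, and scopes an operator account to the DMZ partition only. Interface numbers, addresses, object names and the password are assumed placeholders.

```tmsh
# Added example, not from the thread. Names, interfaces and addresses are
# placeholders. Run from tmsh on the VE (or "tmsh load sys config from-terminal").

# 1. One administrative partition per zone. Objects in a partition are kept
#    apart from /Common and from each other, so a DMZ change cannot quietly
#    reference a Core pool, VLAN or profile by mistake.
create auth partition DMZ
create auth partition CORE

# 2. VLANs created inside the zone's partition, each on its own VE NIC.
create net vlan /DMZ/dmz_ext interfaces add { 1.1 }
create net vlan /DMZ/dmz_srv interfaces add { 1.2 }
create net vlan /CORE/core_ext interfaces add { 1.3 }
create net vlan /CORE/core_srv interfaces add { 1.4 }

# 3. Route domains: separate routing tables, so the two zones may reuse the
#    same address space. Strict isolation (the default) stops the BIG-IP from
#    forwarding between the domains, but the ASA between the VRFs remains the
#    security boundary, as the reply notes.
create net route-domain /DMZ/rd_dmz id 10 vlans add { /DMZ/dmz_ext /DMZ/dmz_srv }
create net route-domain /CORE/rd_core id 20 vlans add { /CORE/core_ext /CORE/core_srv }

# 4. Make each route domain the default for its partition, so an object
#    created without a %ID suffix lands in the zone's domain, never in rd 0.
modify auth partition DMZ default-route-domain 10
modify auth partition CORE default-route-domain 20

# 5. Self IPs and default routes per zone (%ID selects the route domain).
#    allow-service none keeps the box's own listeners off the data-plane IPs.
#    The same 192.0.2.5 is used in both zones to show overlapping addressing.
create net self /DMZ/self_dmz_ext address 192.0.2.5%10/24 vlan /DMZ/dmz_ext allow-service none
create net self /CORE/self_core_ext address 192.0.2.5%20/24 vlan /CORE/core_ext allow-service none
create net route /DMZ/default_rd10 network 0.0.0.0%10/0 gw 192.0.2.1%10
create net route /CORE/default_rd20 network 0.0.0.0%20/0 gw 192.0.2.1%20

# 6. Application objects live in their zone's partition and route domain, and
#    each virtual server listens only on its zone's external VLAN.
create ltm pool /DMZ/dmz_web_pool members add { 10.10.20.11%10:80 10.10.20.12%10:80 } monitor http
create ltm virtual /DMZ/vs_dmz_web destination 192.0.2.100%10:443 ip-protocol tcp pool /DMZ/dmz_web_pool profiles add { tcp http clientssl } vlans add { /DMZ/dmz_ext } vlans-enabled
create ltm pool /CORE/core_web_pool members add { 10.10.20.11%20:80 } monitor http
create ltm virtual /CORE/vs_core_web destination 192.0.2.100%20:80 ip-protocol tcp pool /CORE/core_web_pool profiles add { tcp http } vlans add { /CORE/core_ext } vlans-enabled

# 7. Least privilege for operators: this account may manage DMZ objects only
#    and has no role in CORE or /Common. Replace the placeholder password.
create auth user dmz_ops password "CHANGE-ME" partition-access add { DMZ { role manager } }

save sys config
```

Verify the separation afterwards with `list ltm virtual /DMZ/*` and `list ltm virtual /CORE/*` from the `dmz_ops` account; the Core listing should be refused.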