cgrieves_14587
Jan 09, 2019
Solved

BIGIP in a network Edge device role

Hi all, I need some assistance if possible. I'm familiar with F5s in a conventional load balancing role inside the corporate network, but we're building a new environment with a pair of 4000-series devices in a configsync pair. I have a DMZ network behind the corporate firewall, bound via LAGs to the 1Gb ports, and a set of internal VLANs bound via LAGs to the 10G ports which will be used for application services, Hypervisor management etc. We'd like to leverage APM to secure all traffic, essentially making them the edge devices for the internal environment.

I guess all services are going to be presented via VIPs/Pools/Nodes, but I'm not sure how to set up the basic routes/outgoing traffic rules, default gateways. Has anyone got any guidance or resources on how to configure a BIGIP in this sort of role? I've had a look around but couldn't find anything obvious...

Many thanks in advance

  • Hi

    Your diagram explains a few things. The routing on the F5 can be fairly simple or a bit complex, based on your needs.

    External facing VLAN, AKA vlanexternal: give it an IP subnet; this VLAN will face your firewalls. The VLAN will have a floating IP address as well to ensure failover to standby. From a default route perspective, I am sure you can default route to the firewall IP if your internet breakout is residing on that side. You can then launch your VIPs from this VLAN: either create external facing VIPs with a new IP subnet or use the external VLAN IP subnet to give yourself VIPs.

    Internal VLAN/VLANs will be facing the core switch. You can run one VLAN/IP subnet from your F5 10 Gig LAG, then route all internal facing networks towards your core network as a next hop. You might not even require SNAT because return traffic from internal will flow back to the F5 towards the firewall/internet.

    Also, in this scenario your F5 will have to do routing because your core network needs to reach the internet via the F5; you will most likely require an IP forwarding virtual server. Hope this helps you.

    You can either use static routing or dynamic, depending on your requirements.

4 Replies

  • Can you maybe provide some sort of flow/network diagram of how your deployment would look? I find it difficult to make out your design or objective in your question.

  • I've knocked up the ugly pic below. I've omitted the OOB/management networks.

    Essentially we come in from the firewalls (corporate shared services) to two stacked DMZ switches in our "DMZ", with 1Gb aggregated uplinks to the F5s.

    The F5s are then our edge devices for the hypervisor cluster, with redundant aggregated 10Gb links to a set of stacked fabric switches in our chassis.

    The question is simply: are there guides or resources I can use to configure an F5 (without AFM) for the role of an edge device?

    Many thanks!

  • If you want to enable the routing feature between interfaces, you must create:

    • one floating IP on every network; this IP is used by other devices as the gateway in their route configuration
    • forwarding IP virtual server(s). Without a virtual server, the BIG-IP won't route traffic.
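The accepted answer above (external VLAN with floating IPs and a default route to the firewall, internal VLAN routed towards the core, a forwarding virtual server for outbound traffic, VIPs on the external subnet) and the last reply (one floating IP per network plus a forwarding IP virtual server) describe the same configuration. The following is an added example in bigip.conf stanza form written for this page; it is not from the thread or from F5, and every address, VLAN tag, interface number and object name in it is a constructed placeholder.

```tmsh
# Added example, not from the thread or from F5 documentation: a minimal
# edge-role configuration in bigip.conf stanza form. All addresses, tags,
# interface numbers and object names are constructed placeholders.

# LAGs: 1G ports towards the DMZ switches, 10G ports towards the fabric.
net trunk trunk_external {
    interfaces { 1.1 1.2 }
    lacp enabled
}
net trunk trunk_internal {
    interfaces { 2.1 2.2 }
    lacp enabled
}

# vlan_external faces the firewalls, vlan_internal faces the core switch.
net vlan vlan_external {
    interfaces { trunk_external { tagged } }
    tag 100
}
net vlan vlan_internal {
    interfaces { trunk_internal { tagged } }
    tag 200
}

# Per-unit self IPs (traffic-group-local-only) are device-local; floating
# self IPs (traffic-group-1) move on failover and are the next hop the
# firewall and core switch use. allow-service none is full port lockdown.
net self self_external_unit1 {
    address 203.0.113.11/24
    vlan vlan_external
    traffic-group traffic-group-local-only
    allow-service none
}
net self self_external_float {
    address 203.0.113.10/24
    vlan vlan_external
    traffic-group traffic-group-1
    allow-service none
}
net self self_internal_unit1 {
    address 10.10.0.11/24
    vlan vlan_internal
    traffic-group traffic-group-local-only
    allow-service none
}
net self self_internal_float {
    address 10.10.0.10/24
    vlan vlan_internal
    traffic-group traffic-group-1
    allow-service none
}

# Default route to the firewall; summary route for the networks behind the
# core switch (or run a dynamic routing protocol instead).
net route default {
    gw 203.0.113.1
    network default
}
net route rt_internal {
    gw 10.10.0.1
    network 10.0.0.0/8
}

# Forwarding (IP) virtual server: without one the BIG-IP routes nothing.
# Listening only on vlan_internal, only for internal sources, means it
# cannot be reached from the firewall side; replies to outbound flows
# still return through the existing connection entry.
ltm virtual vs_forward_outbound {
    destination 0.0.0.0:any
    mask any
    source 10.0.0.0/8
    ip-forward
    ip-protocol any
    profiles { fastL4 { } }
    vlans { vlan_internal }
    vlans-enabled
}

# Published service: VIP taken from the external subnet, members on the
# internal side. No SNAT while the members route back via the core switch.
ltm pool pool_app_web {
    members {
        10.10.5.21:443 { address 10.10.5.21 }
        10.10.5.22:443 { address 10.10.5.22 }
    }
    monitor https
}
ltm virtual vs_app_web {
    destination 203.0.113.50:443
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_app_web
    profiles { tcp { } }
    source 0.0.0.0/0
    vlans { vlan_external }
    vlans-enabled
}
```

The trunk, VLAN and self IP objects are device-specific and must be created on both units of the pair, each with its own non-floating address in traffic-group-local-only; the routes, pool and virtual servers are synced by the device group. The two settings that matter most in an edge role are the `allow-service none` lockdown on the self IPs, so that nothing except virtual servers listens on the firewall-facing VLAN, and the `source` plus `vlans` restriction on the forwarding virtual server, so that the device forwards only flows originating inside. If a VIP is placed on a new subnet instead of the external one, the firewall needs a route for that subnet pointing at the external floating self IP.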