Forum Discussion
Fotios_30046
Nimbostratus
Sep 21, 2009
Access Control Between VLANs On BigIP
We have a pair of 3400's in the following configuration:
- 8-port trunk with 4 VLANs
- VLAN 1 is public, connecting the BIG-IP to the firewall
- VLAN 2 is production web
- VLAN 3 is development web
- VLAN 4 is corporate web
- all servers use the BIG-IP for default routing
- firewalls do not have an interface inside the web VLANs
Is it possible to put access control between the web server vlans?
11 Replies
- hoolio
Cirrostratus
Hi,
LTM is a default deny device, so you would need to specifically configure objects to pass traffic between the VLANs. You can configure specific routing using wildcard virtual servers enabled on a specific ingress VLAN pointing to the default gateway on the egress VLAN.
Here is a fairly comprehensive post on this:
Using same LB for servers on multiple subnets
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=31&tpage=1&view=topic&postid=22639
Aaron
- Fotios_30046
Nimbostratus
Each web VLAN has a wildcard virtual server set up. Does this null any security I want to put in place?
- hoolio
Cirrostratus
Yep. Are there routers on each VLAN that you can specify in a pool? If so you could define them individually in pools and then change the forwarding VIPs to performance layer4 VIPs which reference the next hop router only for the allowed egress VLAN. Each ingress VLAN would only be able to route to the specific egress router.
Aaron
- Fotios_30046
Nimbostratus
Unfortunately, the BIG-IP is the only router in the VLAN.
- hoolio
Cirrostratus
So which paths do you want to allow?
Maybe something like internet to all three web LANs, all three web LANs to internet, but no traffic between the web VLANs?
If so, you should be able to define a single performance layer 4 VIP pointing to a pool containing the firewall IP (the default gateway of the BIG-IP?) enabled only on the three web LANs.
You'd then configure specific IP:port VIPs on the internet VLAN to only allow access to the defined IP:ports of the load balancing VIPs.
The web servers from one VLAN would then not be able to reach the web servers in any other VLAN except the internet.
You could lock down which ports are actually allowed out to the internet on the firewall.
Aaron
- Fotios_30046
Nimbostratus
VLAN 1 sits between the BIG-IP and the firewall. I have security here and control who can hit the web server VLANs. I wanted to set something up in between the web VLANs.
- hoolio
Cirrostratus
That's good, but the "internal" to internet connectivity was just one part of my last comment. Can you take a look at the rest and see if it might work for you? The general idea is that if you don't define one or more forwarding virtual servers, LTM won't route between the VLANs.
Thanks,
Aaron
- Fotios_30046
Nimbostratus
Sorry Aaron, I should have read your response slower. What you describe, internet to all three web, all three web to internet but no traffic between the web VLANs, is exactly what I would want.
- Josh_41258
Nimbostratus
Aaron,
Wondering if you could give me a bit of advice regarding this... I also have several VLANs configured on my LTMs. Each VLAN has its own router (172.26.90.1 for example). I would like to prevent chatter between the different "internal" VLANs on my F5. I already bind each virtual server to a specific "external" VLAN.
For servers that use the LTMs as their default gateway, I had a wildcard forwarding virtual server (0.0.0.0) which worked, but if I understand correctly, allowed inter-VLAN communication that I don't necessarily need. I see that you recommended creating a pool for each VLAN containing the router as a pool member and then creating a performance layer 4 VIP. I am confused on how to create this VIP, and what address it should use?
Thanks,
Josh
- Josh_41258
Nimbostratus
OK, the thread that you linked answered my question (I think). I created a wildcard forwarding virtual bound to 0.0.0.0, and bound it to the specific internal VLAN.
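The design hoolio describes above (web VLANs may reach only the firewall and from there the internet, the internet VLAN may reach only published IP:port virtuals, no forwarding between web VLANs), written out as tmsh configuration. This is an added example, not configuration posted in the thread; the VLAN names vlan1 to vlan4, the firewall address 10.0.1.1, the server 10.0.2.10 and the public address 203.0.113.10 are placeholders.

```tmsh
# Added example, not from the thread. Placeholders: firewall 10.0.1.1 on vlan1,
# production server 10.0.2.10 on vlan2, public service address 203.0.113.10.

# Pool whose only member is the firewall, used as a next hop (port 0 = any port).
create ltm pool fw_next_hop { members add { 10.0.1.1:0 } monitor gateway_icmp }

# Performance (FastL4) wildcard virtual enabled ONLY on the three web VLANs.
# Address/port translation is disabled, so the packet keeps its real destination
# and is simply handed to the firewall. A host on vlan2 therefore has no path
# to vlan3 or vlan4: the only next hop it is ever offered is the firewall.
create ltm virtual vs_web_egress {
    destination 0.0.0.0:0
    mask 0.0.0.0
    ip-protocol any
    profiles add { fastL4 }
    pool fw_next_hop
    translate-address disabled
    translate-port disabled
    vlans-enabled
    vlans add { vlan2 vlan3 vlan4 }
}

# Ingress from the firewall side: specific IP:port virtuals enabled on vlan1
# only, so the internet VLAN reaches exactly the published services and
# nothing else on the web VLANs.
create ltm pool web_prod_https { members add { 10.0.2.10:443 } monitor https }
create ltm virtual vs_prod_https {
    destination 203.0.113.10:443
    ip-protocol tcp
    profiles add { tcp }
    pool web_prod_https
    vlans-enabled
    vlans add { vlan1 }
}

# Check: no remaining 0.0.0.0:0 forwarding virtual (ip-forward) may be enabled
# on all VLANs, or it silently re-opens routing between the web VLANs.
list ltm virtual
save sys config
```

Because LTM is default deny, the listing is the whole access policy: any virtual whose vlans line is missing or includes more than one web VLAN is a path between them.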