Forum Discussion
Accessing Pool members directly
Is there a way to prevent people from accessing pool members directly that sit behind the LTM? They must use the VIP?
13 Replies
- Brad_Parker_139
Nacreous
Yes, if you don't have a wildcard listener, the traffic will not route through the LTM without going through a VIP.
- Steven_J__Willi
Nimbostratus
Where can I find info on this?
- Brad_Parker_139
Nacreous
It's kinda just how LTM works. It's a default deny device and will not pass traffic unless there is a configured listener. A listener is a virtual address which usually has a configured virtual server. A self-IP itself will not forward packets without these listeners.
- Steven_J__Willi
Nimbostratus
Well, I have a VIP created on the same subnet as the nodes. I assume it's a network as the unit is one-armed and not inline, so the servers don't sit behind the F5 per se.
- Henrik_Gyllkran
Nimbostratus
That depends on your network layout. Is the BIG-IP the only way to access the VLAN where the servers reside? If so, then the solution is already in place, because the BIG-IP doesn't forward any traffic that we haven't specifically allowed by way of creating a listener (Virtual Servers in most cases) for that traffic.
However if the server network is accessible through other devices such as routers/firewalls and so on, then you will also need to make sure that path is blocked.
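One way to check the point made in the reply above, that no path other than the virtual server reaches the pool members, is to probe both from a client network. This is an added example, not part of the original thread; the addresses and ports are constructed placeholders and the function names are hypothetical.

```python
import socket


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, filtered (timeout), DNS failure
        return False


def audit_direct_access(vip, members, timeout=2.0, probe=tcp_reachable):
    """Probe the VIP and every pool member from the current vantage point.

    vip and members are (host, port) tuples. A member that answers here is
    reachable over a path that does not use the virtual server.
    """
    return {
        "vip_reachable": probe(vip[0], vip[1], timeout),
        "exposed_members": [m for m in members if probe(m[0], m[1], timeout)],
    }


def format_report(result):
    """Render the audit result as text lines for a change ticket or CI log."""
    lines = ["VIP: " + ("reachable" if result["vip_reachable"] else "NOT reachable")]
    for host, port in result["exposed_members"]:
        lines.append(f"EXPOSED: {host}:{port} answers directly, bypassing the VIP")
    if not result["exposed_members"]:
        lines.append("OK: no pool member answered directly")
    return lines


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with your own VIP and members.
    VIP = ("192.0.2.10", 443)
    MEMBERS = [("192.0.2.21", 8443), ("192.0.2.22", 8443)]
    print("\n".join(format_report(audit_direct_access(VIP, MEMBERS))))
```

Run it from the network segments where clients sit; a member listed as exposed is reachable through some other router, firewall or shared subnet and needs a filter on that path.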