Big ip network design
The management plane and the data plane are totally separate; data will never cross.
KB Link: https://support.f5.com/csp/article/K13284
-The standby device will be created as an HA pair, with MAC masquerading. In the event of a network issue where all VLANs fail, the BIG-IP will fail over to the standby device. Traffic will be maintained by the masqueraded MAC address (Cisco term: HSRP), so traffic does not have to rebroadcast (ARP) to find an alternate route/path.
HA KB Link: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-12-1-0/4.html
or this KB: https://support.f5.com/csp/article/K14977
==============================
The following is only one example (a "50 thousand foot perspective"), with multiple layers of security via FW rules that can be configured. Unfortunately, it is difficult to architect out an idea for you. I also may have missed a few details of the text network layout while multi-tasking other daily duties, ha! It is best to work with your network team and System Infrastructure team to understand the network & application topology. I don't want to lead you in the wrong direction. :)
----------------------
BIGIP-DNS - "External" Perimeter DMZ DNS A/PTR Records
---DDOS profile configured globally
|
|
DMZ1 FW with IPS
|
|
BIGIP DMZ1 (public access)
-Self IPs
--Public VIP IP subnet(s)
--DMZ1 IP accessible application subnet(s)
--DMZ 2 VIP IP subnet(s)
"default route" to layer 3 gateway IP of DMZ core network or "DMZ 1 / DMZ2 FW" configured with a VSI
-The FW rules will allow or deny Layer 2 or 3 traffic based on the rules created.
|
|
DMZ1 / DMZ2 Core Router or Switch. ---switch-port or LACP port channel with a Layer 3 VSI(virtual switch interface)
|
|
DMZ1 / DMZ2 FW
--FW configuration to restrict ports & interfaces ("burbs") only allowed to DMZ2 & DMZ1 ingress/egress
|
|
BIGIP DMZ2
-Self IPs
--DMZ1 VIP IP subnet(s)
--DMZ 2 VIP IP subnet(s)
"default route" to DMZ 2 Layer 3 Core Router or Layer 2 Core or NAT that routes traffic that does not match your Self IPs
|
|
DMZ2 / Internal FW
--FW configuration to restrict ports & interfaces ("burbs") only allowed to "Inside" & "DMZ2" ingress/egress
|
|
Internal BIGIP-DNS "Internal Only DNS records"
|
|
Inside BIGIP
-Self IPs
--DMZ2 VIP IP subnet(s)
--Inside Network of applications IP subnet(s)
-"default route" to "Inside" Core Router or NAT that routes from the FW
- If you have a /24 Internal Subnet, i.e. 192.168.0.0/16, you could "carve" up the /16 into smaller networks to separate subnets for applications, users, switches, routers, and FWs; the same should be done for VLANs.
DMZ Applications: 192.168.99.0/24
-VLAN 10
Internal Applications: 192.168.10.0/24
-VLAN 5
-DMZ1: 192.168.101.0/24
-VLAN 20
-DMZ2: 192.168.51.0/24
-VLAN 30
-Internal: 192.168.26.0/24
-VLAN 40
Switches
-DMZ1: 192.168.100.0/24
-switchport VLAN(s) 20 / 30 / public vlan
-DMZ2: 192.168.50.0/24
-switchport VLAN(s): 30/40
-Internal 192.168.25.0/24
Routers
-DMZ1: 192.168.100.2-15
-DMZ2: 192.168.50.2-15
-Internal: 192.168.25.2-15
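The address plan in the reply above, checked for the mistakes that quietly undo zone separation (a carved subnet outside the /16, two zones sharing address space, a VLAN ID reused across zones, a router address outside its switch subnet). This is an added example, not code from the post or from F5; the subnet, VLAN and router values are copied from the post, and the "Lab" entry in the usage note is constructed to show a failing plan.

```python
import ipaddress
from typing import Dict, List, Tuple

SUPERNET = "192.168.0.0/16"

# Application/zone subnets and their VLANs as listed in the post.
SUBNETS: Dict[str, Tuple[str, int]] = {
    "DMZ applications": ("192.168.99.0/24", 10),
    "Internal applications": ("192.168.10.0/24", 5),
    "DMZ1": ("192.168.101.0/24", 20),
    "DMZ2": ("192.168.51.0/24", 30),
    "Internal": ("192.168.26.0/24", 40),
}
# Switch subnets per zone and the router address ranges carved out of them (from the post).
SWITCH_SUBNETS = {"DMZ1": "192.168.100.0/24", "DMZ2": "192.168.50.0/24", "Internal": "192.168.25.0/24"}
ROUTER_RANGES = {
    "DMZ1": ("192.168.100.2", "192.168.100.15"),
    "DMZ2": ("192.168.50.2", "192.168.50.15"),
    "Internal": ("192.168.25.2", "192.168.25.15"),
}


def check_plan(supernet: str, subnets, switch_subnets, router_ranges) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    parent = ipaddress.ip_network(supernet)
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in subnets.items()}
    nets.update({f"{z} switches": ipaddress.ip_network(c) for z, c in switch_subnets.items()})
    # 1. Every carved network must sit inside the supernet being carved.
    for name, net in nets.items():
        if not net.subnet_of(parent):
            findings.append(f"{name} {net} is outside {parent}")
    # 2. No two carved networks may overlap; shared address space defeats the FW zone split.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # 3. VLAN IDs must be unique, otherwise two zones share one broadcast domain.
    seen: Dict[int, str] = {}
    for name, (_, vlan) in subnets.items():
        if vlan in seen:
            findings.append(f"VLAN {vlan} reused by {seen[vlan]} and {name}")
        seen.setdefault(vlan, name)
    # 4. Router addresses must fall inside their zone's switch subnet.
    for zone, (first, last) in router_ranges.items():
        net = ipaddress.ip_network(switch_subnets[zone])
        for addr in (ipaddress.ip_address(first), ipaddress.ip_address(last)):
            if addr not in net:
                findings.append(f"{zone} router address {addr} is outside {net}")
    return findings
```

Running `check_plan(SUPERNET, SUBNETS, SWITCH_SUBNETS, ROUTER_RANGES)` on the post's plan returns no findings; adding a constructed `"Lab": ("192.168.99.0/25", 10)` entry reports both the overlap with the DMZ application subnet and the reused VLAN 10.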