Forum Discussion
chris_connell_1
Aug 17, 2011 (Nimbostratus)
Design question regarding layer3/layer2
Hello
We have a current design like this (sorry for the basic diagram)
firewall1 ----> layer2switch------router1 (running hsrp)
|| ----> internet
firewall2 ----> layer2switch------router2 (running hsrp)
The firewalls are tracking the router hsrp address.
We need to implement the F5s between the firewall and the router like this (it's a type of firewall sandwich configuration):
firewall1 ----> F5A ---> layer2switch --router1
||
firewall2 ----> F5B ---> layer2switch --router2
After the F5 there is no problem, but before the F5 (on the ingress side) the problem is that the firewalls have layer 3 interfaces. If we run a floating IP on F5A and it is active, then firewall2 will not see the active F5A floating IP, which may be a problem since there is no layer 2 switch in between.
My question: is it safe to connect F5A/F5B together on the ingress side (since the F5 LTM is a switch)? It's an LTM 11050. Or are there any problems with that?
Thanks
- JRahm (Admin): Why not plug the firewalls directly into the layer 2 switches? You can enable STP in the specific VLAN, but I prefer to keep L2 functions on the dedicated infrastructure and let BIG-IP do what it does best.
- Hamish (Cirrocumulus): On the layer-2 switch, just create 2 VLANs. Then use the F5 to route between them if you want to create a firewall sandwich. The firewalls connect to the fw-f5 VLAN and the routers are on the f5-rtr VLAN...
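The two-VLAN layout Hamish describes, written out as a tmsh configuration for one unit of a BIG-IP HA pair. This is an added example, not from the thread or from F5; the interface numbers, VLAN tags, IP addresses, HSRP gateway address and object names are all assumptions chosen for illustration. The point it shows is that the firewalls no longer track an F5 unit directly: both firewalls sit on the shared fw-f5 VLAN of the layer-2 switch and use the floating self IP as their next hop, so whichever unit is active owns that address, and firewall2 sees it as well as firewall1. A forwarding virtual server restricted to the two sandwich VLANs is what lets the BIG-IP route between them.

```tmsh
# Added example (not from the thread). Interfaces, tags and addresses are assumptions.

# Ingress VLAN facing the firewalls, egress VLAN facing the HSRP routers.
# Both VLANs are trunked/untagged to the layer-2 switch, not to the other F5 unit.
create net vlan fw-f5  interfaces add { 1.1 { untagged } } tag 4093
create net vlan f5-rtr interfaces add { 1.2 { untagged } } tag 4094

# Non-floating self IPs, unique per unit (unit A shown; unit B gets its own .3 addresses).
# allow-service none: the sandwich interfaces expose no management/admin services.
create net self fw-f5-selfA  address 10.1.1.2/24 vlan fw-f5  allow-service none
create net self f5-rtr-selfA address 10.1.2.2/24 vlan f5-rtr allow-service none

# Floating self IPs, identical on both units and owned by the active unit via the traffic group.
# The firewalls point their next hop at 10.1.1.1; the routers route the inside prefixes to 10.1.2.1.
create net self fw-f5-float  address 10.1.1.1/24 vlan fw-f5  traffic-group traffic-group-1 allow-service none
create net self f5-rtr-float address 10.1.2.1/24 vlan f5-rtr traffic-group traffic-group-1 allow-service none

# Default route towards the routers' HSRP virtual address (assumed 10.1.2.254).
create net route default gw 10.1.2.254

# Forwarding virtual server: route IP traffic between the two sandwich VLANs only.
# vlans-enabled limits it to fw-f5 and f5-rtr so it cannot be reached from any other VLAN,
# and address/port translation is disabled because this is plain routing, not load balancing.
create ltm virtual fw-sandwich-fwd destination 0.0.0.0:0 mask any ip-forward profiles add { fastL4 } vlans add { fw-f5 f5-rtr } vlans-enabled translate-address disabled translate-port disabled
```

Unit B carries the same VLANs, routes and virtual server with only its non-floating self IPs differing; after `run cm config-sync`, the floating addresses and the forwarding virtual server follow the active unit on failover. This is the alternative to cross-connecting F5A and F5B on the ingress side: the layer-2 switch provides the shared segment, and the BIG-IP does only the layer-3 work.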