Design question regarding layer3/layer2

We have a current design like this (sorry for the basic diagram):

    firewall1 ----> layer2switch------router1 (running hsrp)
                                          || ----> internet
    firewall2 ----> layer2switch------router2 (running hsrp)

The firewalls are tracking the router hsrp address.

We need to implement the F5s between the firewall and the router like this (it's a type of firewall sandwich configuration):

    firewall1 ----> F5A ---> layer2switch --router1

    firewall2 ----> F5B ---> layer2switch --router2

After the F5 there is no problem, but before the F5 (on the ingress side) the problem is that the firewalls have layer3 interfaces. If we run a floating IP on F5A and it is active, then firewall2 will not see the active F5A floating IP, which may be a problem since there is no layer2 switch in between.

My question is: is it safe to connect F5A/F5B together on the ingress side (since the F5 LTM is a switch)? It's an LTM 11050. Or are there any problems with that?

  • Why not plug the firewalls directly into the layer2switches? You can enable STP in the specific VLAN, but I prefer to keep L2 functions on the dedicated infrastructure and let BIG-IP do what it does best.
    On the layer-2 switch, just create 2 VLANs. Then use the F5 to route between them if you want to create a firewall sandwich. The firewalls connect to the fw-f5 VLAN and the routers are on the f5-rtr VLAN...
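To make the two-VLAN sandwich from the answer above concrete, here is an added tmsh example (not from the original thread or from F5's documentation) of what the BIG-IP side looks like. The VLAN names fw-f5 and f5-rtr come from the answer; the interface numbers, VLAN tags, subnets and the routers' HSRP address are constructed for this example. Because both units' floating addresses sit in VLANs the layer-2 switch carries, a failover of traffic-group-1 moves the floating self IPs to the other unit and both firewalls keep reaching them, which is the situation the question was worried about when the F5s were wired point-to-point.

```tmsh
# Run on each BIG-IP. Everything is identical on both units except the
# non-floating self IPs, which must be unique per unit.
# Addresses, tags and interface numbers below are constructed for this example.

# One VLAN per side of the sandwich, both trunked through the layer-2 switch.
create net vlan fw-f5  tag 10 interfaces add { 1.1 { untagged } }
create net vlan f5-rtr tag 20 interfaces add { 1.2 { untagged } }

# Non-floating self IPs (traffic-group-local-only) for this unit.
# On the second BIG-IP use .3 instead of .2 in both VLANs.
create net self self_fw-f5  address 192.0.2.2/24    vlan fw-f5  traffic-group traffic-group-local-only allow-service none
create net self self_f5-rtr address 198.51.100.2/24 vlan f5-rtr traffic-group traffic-group-local-only allow-service none

# Floating self IPs, owned by whichever unit is active for traffic-group-1.
# The firewalls point their default route at 192.0.2.1; the routers point
# the return route for the firewall side at 198.51.100.10.
create net self float_fw-f5  address 192.0.2.1/24     vlan fw-f5  traffic-group traffic-group-1 allow-service none
create net self float_f5-rtr address 198.51.100.10/24 vlan f5-rtr traffic-group traffic-group-1 allow-service none

# Default route towards the routers' HSRP virtual address (constructed value).
create net route default_via_hsrp network 0.0.0.0/0 gw 198.51.100.1

# IP-forwarding virtual server so the BIG-IP routes between the two VLANs
# instead of needing a listener for every flow through the sandwich.
create ltm virtual fwd_sandwich destination 0.0.0.0:any mask any ip-forward profiles add { fastL4 } vlans-enabled vlans add { fw-f5 f5-rtr }

save sys config
```

The firewalls and routers only ever see the two floating addresses, so their own configuration does not change when a BIG-IP fails over. Keep the non-floating self IPs distinct on each unit and verify after a forced failover (`tmsh run sys failover standby`) that the firewalls' ARP entries for 192.0.2.1 move to the newly active unit's MAC.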