Forum Discussion
レザ
Cirrus
CirrusDisable Inter-VLAN Routing?
Hello I was searching for my problem when I came across this topic, but unfortunately, there was no complete answer to this question. Therefore, I wanted to know how to prevent bigip from bypassing...
レザ As long as the servers sit in a different VLAN it would be up to your routing to not allow them to reach each other. Example, if you have VLANs 1-5 and the F5 and the firewall sit in each VLAN with the F5 being in 1 arm mode then each server should have the firewall as their gateway. As long as the switch seperating each VLAN doesn't performing any routing then those servers should not be able to reach each other without going through the firewall. They could technically reference the F5 as their gateway but if the F5 doesn't not have a forwarding virtual server configured with SNAT enabled on that virtual server they will not be able to communicate with each other without using the firewall.
Hi レザ ,
What do you mean by routing between Vlans on Bigip ?
Also clarify your words regards bigip bypass Firewall ?
Do you mean servers' vlans separated but can reach other through Bigip ?
レザCirrus
Cirrus
What do you mean by routing between Vlans on Bigip ?
Also clarify your words regards bigip bypass Firewall ?
Each of my servers are inside their own vlan and the gateway of all these servers is the firewall, and any communication between these servers should only be through this firewall. since the load balancer has one arm inside each vlan, is it possible that the servers of different vlan communicate with each other without passing through the firewall?
Do you mean servers' vlans separated but can reach other through Bigip ?
YESSSSSSSSSSSSSSSS 🙂
Thanks
- Paulius
MVP
レザ As long as the servers sit in a different VLAN it would be up to your routing to not allow them to reach each other. Example, if you have VLANs 1-5 and the F5 and the firewall sit in each VLAN with the F5 being in 1 arm mode then each server should have the firewall as their gateway. As long as the switch seperating each VLAN doesn't performing any routing then those servers should not be able to reach each other without going through the firewall. They could technically reference the F5 as their gateway but if the F5 doesn't not have a forwarding virtual server configured with SNAT enabled on that virtual server they will not be able to communicate with each other without using the firewall.
wtwiggsAltocumulus
just to add to Paullus correct answer, another option to consider dependng on your security or other architectural requirements, is to use "route domains" to partition your F5 system such that the VLANs behind the firewall are in separate F5 route domains, with no parent-child relationship and strict isolation enabled... in this case, there is no way the F5 could forward any packets between the VLANs even if a virtual server (such as a "forwarding" virtual server) were created, since there is full isolation between the VLANs due to the separate (and isolated) route domains. more info here:
Hi レザ ,
Let we assume :
Servers A in Vlan 5
Servers B in Vlan 10
you ask , Servers A will communicate / reach Servers B through Bigip ( Loadbalancer )
The answer no , Even if you you deploy One ARM with different and separate Vlans.
The only way to make Servers A communicate with Servers B is to create a listner ( for ex Virtual server ) to listen ServerA connections and forward traffic to Servers B.
So without this Listner Traffic will be dropped if it initiated from Servers A to Servers B and Vica-versa.
You as a Client send request to bigip >> Virtual server recieve your connection >> forward to pool of servers.
I want to say you as a Client in a different Vlan , and If you remover the virtual server that serves your traffic , you couldn't reach your pool of servers.
Did you get this point ?- レザ
Yup, Thank you.