Forum Discussion

レザ's avatar
レザ
Icon for Cirrus rankCirrus
Jun 07, 2023
Solved

Disable Inter-VLAN Routing?

Hello I was searching for my problem when I came across this topic, but unfortunately, there was no complete answer to this question. Therefore, I wanted to know how to prevent bigip from bypassing...
application delivery
  • Paulius's avatar
    Paulius
    Jun 07, 2023

    レザ As long as the servers sit in a different VLAN it would be up to your routing to not allow them to reach each other. Example, if you have VLANs 1-5 and the F5 and the firewall sit in each VLAN with the F5 being in 1 arm mode then each server should have the firewall as their gateway. As long as the switch seperating each VLAN doesn't performing any routing then those servers should not be able to reach each other without going through the firewall. They could technically reference the F5 as their gateway but if the F5 doesn't not have a forwarding virtual server configured with SNAT enabled on that virtual server they will not be able to communicate with each other without using the firewall.

Mohamed_Ahmed_Kansoh's avatar
Mohamed_Ahmed_Kansoh
Icon for MVP rankMVP

Hi レザ , 

What do you mean by routing between Vlans on Bigip ? 
Also clarify your words regards bigip bypass Firewall ? 

Do you mean servers' vlans separated but can reach other through Bigip ? 

レザ's avatar
レザ
Icon for Cirrus rankCirrus
Jun 07, 2023

Hi Mohamed_Ahmed_Kansoh 

 

What do you mean by routing between Vlans on Bigip ?

Also clarify your words regards bigip bypass Firewall ?

Each of my servers are inside their own vlan and the gateway of all these servers is the firewall, and any communication between these servers should only be through this firewall. since the load balancer has one arm inside each vlan, is it possible that the servers of different vlan communicate with each other without passing through the firewall?

 

Do you mean servers' vlans separated but can reach other through Bigip ?

YESSSSSSSSSSSSSSSS 🙂

Thanks

  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Jun 07, 2023

    レザ As long as the servers sit in a different VLAN it would be up to your routing to not allow them to reach each other. Example, if you have VLANs 1-5 and the F5 and the firewall sit in each VLAN with the F5 being in 1 arm mode then each server should have the firewall as their gateway. As long as the switch seperating each VLAN doesn't performing any routing then those servers should not be able to reach each other without going through the firewall. They could technically reference the F5 as their gateway but if the F5 doesn't not have a forwarding virtual server configured with SNAT enabled on that virtual server they will not be able to communicate with each other without using the firewall.

    • wtwiggs's avatar
      wtwiggs
      Icon for Altocumulus rankAltocumulus
      Jun 11, 2023

      just to add to Paullus correct answer, another option to consider dependng on your security or other architectural requirements, is to use "route domains" to partition your F5 system such that the VLANs behind the firewall are in separate F5 route domains, with no parent-child relationship and strict isolation enabled... in this case, there is no way the F5 could forward any packets between the VLANs even if a virtual server (such as a "forwarding" virtual server) were created, since there is full isolation between the VLANs due to the separate (and isolated) route domains.  more info here:

      https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-tmos-routing-administration-14-1-0/route-domains.html

  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Icon for MVP rankMVP
    Jun 07, 2023

    Hi レザ , 
    Let we assume : 
    Servers A in Vlan 5 
    Servers B in Vlan 10 

    you ask , Servers A will communicate / reach Servers B through Bigip ( Loadbalancer ) 
    The answer no , Even if you you deploy One ARM with different and separate Vlans.

    The only way to make Servers A communicate with Servers B is to create a listner ( for ex Virtual server ) to listen ServerA connections and forward traffic to Servers B. 

    So without this Listner Traffic will be dropped if it initiated from Servers A to Servers B and Vica-versa. 

    You as a Client send request to bigip >> Virtual server recieve your connection >> forward to pool of servers. 
    I want to say you as a Client in a different Vlan , and If you remover the virtual server that serves your traffic , you couldn't reach your pool of servers. 

    Did you get this point ? 

    • レザ's avatar
      レザ
      Icon for Cirrus rankCirrus
      Jun 07, 2023

      Yup, Thank you.