Forum Discussion
Nimbostratusdoes vlan need interface assigned?
I have a VE LTM that is on the DMZ interface of the firewall but listens on two vlans (DMZ and inside). The self-IP is assigned to the inside vlan. The inside vlan has interface 1.1 assigned to it. The DMZ vlan has no interface assigned to it. Traffic comes from outside to the Big-IP in the DMZ then back through that interface to the ASA to the inside network.
Now I am setting up a physical cluster with the intention of the VE going away. I have more physical interfaces with the physical devices, should I setup the interfaces as the same as is on the VE as described above, or something different? I was thinking that on the Big-IP I could now have an interface assigned to each the DMZ and the inside but what purpose or benefit would that server since traffic would have to leave the Big-IP on the DMZ interface anyway and always traverse the firewall? Any suggestions? Thanks.
8 Replies
Thomas_Gobet_91Cirrostratus
Hi,
Bests deployment are when you use at least 2 arms (best on security).
For example with a single arm deployment, imagine if you're under DDoS attack. Even if you're F5 can protect your server from this attack, your monitors will be impacted because they use the same interface.
What you can do if you want to keep this 802.1q tag as a DMZ separator is to use trunk with two interfaces.
Keep in mind that if you want to use a cluster it's recommended to use a vlan dedicated for synchronization.
When I have to deploy new BIG-IPs for my customers, I usually use 3 interfaces or 4 if it's a cluster (1 for the MGMT, 1 for DMZ network, 1 for inside, 1 for HA).
tolinrome_13817So for my understanding the way you set up the interfaces is with each their own vlan and no trunking on the interfaces?
- Thomas_Gobet
Hi,
Bests deployment are when you use at least 2 arms (best on security).
For example with a single arm deployment, imagine if you're under DDoS attack. Even if you're F5 can protect your server from this attack, your monitors will be impacted because they use the same interface.
What you can do if you want to keep this 802.1q tag as a DMZ separator is to use trunk with two interfaces.
Keep in mind that if you want to use a cluster it's recommended to use a vlan dedicated for synchronization.
When I have to deploy new BIG-IPs for my customers, I usually use 3 interfaces or 4 if it's a cluster (1 for the MGMT, 1 for DMZ network, 1 for inside, 1 for HA).
- tolinrome_13817So for my understanding the way you set up the interfaces is with each their own vlan and no trunking on the interfaces?
Cory_50405Noctilucent
You can technically do it both ways with no issues.
This comes down to a matter of personal (or company) preference/policy. Whether you separate vlans via tagging on a trunk or untagged on their own physical ports, the result will be the same. One advantage to dedicated interfaces is dedicated bandwidth. Could be a concern based on the utilization of the links.
- tolinrome_13817I think I like the idea having their own physical ports, dedicated bandwidth, the tagging will take place on the core switch then.
- Cory_50405One vlan per physical port means untagged interfaces on the BIG-IP, and access ports (vice trunk ports) at the switch level (assuming Cisco standard terminology). This is probably the easiest way to go.
El_JefeYou can have VLANs that just live on the BigIP if that is your intention. Also, as you're switching to a physical box, remember that you can use LACP and team the interfaces to get more bandwidth.
Jeff
