Forum Discussion
Downside of using a single DMZ VLAN instead of typical internal/external VLANs?
I'm designing an LTM implementation where web servers in a DMZ need to be load balanced. In the current design, the F5 has a single DMZ VLAN. This VLAN is the same subnet as the web servers. So for example, the network is 10.10.10.0/24....
The web servers are on this same subnet/VLAN, i.e. 10.10.10.1 and 10.10.10.2. The F5 has a single self-IP, and it's on the DMZ VLAN, i.e. 10.10.10.100. The F5 has a single Virtual Server, which is also on this same subnet, i.e. 10.10.10.250.
The default gateway of the web servers is NOT the F5; so I would use SNAT auto-map to make sure response traffic from the web servers went back through the F5 on the way to the clients.
Are there any potential issues with this single-VLAN design? What would be the benefits of using a more typical dual-VLAN design with an internal and external VLAN? The one potential issue I can see with the current DMZ-only VLAN design is that a single interface would be handling all traffic and may become saturated.
Thanks in advance for any input
1 Reply
- mimlo_61970
Cumulonimbus
I can't think of any major problems, but my 2 cents would be:
- Like you said, one-armed is half the throughput
- You will be using your address space faster since real and virtual servers are in the same subnet
- Helps with potential firewall mistakes. Say you retire a virtual server that has a firewall rule allowing port 443. You forget to remove the firewall rule and put a server on that same address; now you are allowing 443 direct to that server.
- In the case of Internet and public addressing, you can private address your internal DMZ and public address your external F5 DMZ.
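The two designs under discussion, written out as tmsh configuration. This is an added example, not configuration from the original post or from F5; the interface numbers, object names, port 443 on the pool members and the 192.0.2.0/24 external subnet are assumptions.

```tmsh
# One-armed design from the question: a single DMZ VLAN, with the self-IP,
# the virtual server and the pool members all in 10.10.10.0/24.
# Interface 1.1 is assumed.
create net vlan dmz interfaces add { 1.1 { untagged } }
create net self dmz_self address 10.10.10.100/24 vlan dmz allow-service none
create ltm pool web_pool monitor http members add { 10.10.10.1:443 10.10.10.2:443 }
# The servers' default gateway is not the F5, so SNAT automap rewrites the
# client source to the self-IP 10.10.10.100. Without it, the servers would
# reply straight to the client, bypassing the F5 (asymmetric, and the client
# would drop packets from 10.10.10.1 that it never sent to).
create ltm virtual vs_web destination 10.10.10.250:443 ip-protocol tcp pool web_pool profiles add { tcp } source-address-translation { type automap }

# Two-armed alternative from the reply: the virtual server lives on an
# external VLAN, the servers on an internal VLAN, and the F5 is the servers'
# default gateway. 192.0.2.0/24 stands in for the external (possibly public)
# subnet; a real deployment would use a floating self-IP as the gateway when
# the F5s are an HA pair.
create net vlan external interfaces add { 1.1 { untagged } }
create net vlan internal interfaces add { 1.2 { untagged } }
create net self ext_self address 192.0.2.10/24 vlan external allow-service none
create net self int_self address 10.10.10.100/24 vlan internal allow-service none
create ltm pool web_pool_int monitor http members add { 10.10.10.1:443 10.10.10.2:443 }
# No SNAT: return traffic already passes through the F5 because 10.10.10.100
# is the servers' gateway, so the servers log the real client IP. Restricting
# the listener to the external VLAN keeps it off the server-side segment.
create ltm virtual vs_web_ext destination 192.0.2.250:443 ip-protocol tcp pool web_pool_int profiles add { tcp } vlans-enabled vlans add { external }
save sys config
```

In the two-armed layout the virtual server and the pool members are in different subnets, which is the address-space and firewall-rule separation the reply describes; in the one-armed layout a retired VIP address and a new server address can collide within the same /24.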