Forum Discussion

Pepillo_358524
Apr 15, 2018

F5 BIG-IP vcmp with guests using ltm and afm

Hi, we recently bought a pair of i5800 and we need to configure vcmp with 4 guests, 3 of them using LTM and the last one just to configure AFM. This will be done for the intranet and the idea is to configure AFM in one guest instance "in front" of the other three instances of LTM to protect traffic coming from the intranet and going to server farms behind the LTM instances. The AFM guest needs to filter traffic that goes from the intranet to some server farms that don't have Virtual Servers configured and to server farms that do have Virtual Servers in LTM instances. This AFM guest needs to be a gateway to these server farms.

Is this approach possible? How should we configure this? Does the AFM need to have a VS configured to catch traffic and filter it out?


Thanks in advance


  • Is this approach possible?

    Yes. It is just a question of correctly configuring the VLANs to handle the traffic.


    Remember that your vlans need to link the chassis, as the active guests may swap between the chassis, and you will probably want to distribute the active guests across the two chassis.


    How should we configure this?


    I'm not sure what you are looking for; it would be impossible to provide a configuration guide without a comprehensive network plan and requirements document. If you need design help, talk to your F5 Account team about engaging with F5 Professional Services.

    I'd suggest you need an External vlan facing the internet, a DMZ vlan to pass traffic to the Load-balancers, and a Poolmember vlan for the servers. The AFM guests pass traffic from the External to the DMZ/Poolmember vlans through AFM policy rulesets.


    Does the AFM need to have a VS configured to catch traffic and filter it out?

    AFM can apply policy rulesets at various levels - Globally, Route-Domain, Self-IP, Virtual Server.


    You can use Virtual-Servers to accept specific traffic and apply an AFM policy (firewall ruleset) to that traffic. That's how I would probably do it (for granularity and policy management), but I have seen plenty of different approaches.


    It is up to you.


  • Hi S Blakely,


    I am a newbie in F5, so your orientation helped me to know where I had to look and to focus on how to use a Virtual Server to move all the traffic through the firewall module.

    Thanks


  • I finally figured it out.


    First of all I have to say that I was trying to replace a Cisco Firewall ASA that had two interfaces configured (outside and inside) to protect internal server farms which are located behind the inside interface. So we have these two BIG-IP i5800 chassis that were configured as a fail-over pair, so just one of them is active at a time.

    We use vcmp to configure 3 virtual LTM and 1 virtual AFM. We had these boxes connected by a port-channel to our aggregation datacenter switch. All the vlans we use for virtual servers and server farms travel in this port-channel. So mainly we assigned two vlans to each LTM, one for Virtual Servers and the other for server farms. The L3 aggregation switch is each LTM's default gateway, and in turn, the virtual AFM is the L3 aggregation switch's default gateway. The core switch is the AFM's default gateway.

    In order to catch all the traffic from the core switch, I used a Virtual Server of type IP FORWARD, one firewall policy and two rule lists, one for outside and one for inside.

    I also configured a Virtual Server type of IP FORWARD on each LTM to allow servers to use them as gateways.


  • Hi,


    Even if your configuration works as expected, I would recommend enabling AFM on the LTM guests.

    It allows you to

    • manage per-context policies with fewer rules in each policy -> easier to manage
    • configure firewall rules between servers behind each LTM
    • manage a per-virtual-server policy for each incoming virtual server -> when you remove an old virtual server, the related policy rules are disabled
    • create a generic policy for most virtual servers with the rule src=any, dst=any, port=any, action=allow, then assign it to all public VS to allow access.
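The design described in the two posts above (an IP-forwarding virtual server on the AFM guest with one policy and two rule lists, plus per-virtual-server policies on an LTM guest with AFM provisioned), written out as an added tmsh example. This is not the posters' configuration: VLAN names, tags, interface numbers, addresses and object names are assumptions chosen for illustration.

```tmsh
# Added example, not the posters' configuration. VLAN names, tags, interface
# numbers, policy names and addresses are constructed for illustration:
# 10.0.0.0/8 = intranet (behind the core switch), 10.20.0.0/16 = server farms.
# Each "create" is one tmsh command line, run on the guest it belongs to.

### AFM guest: L3 gateway between the core switch and the aggregation switch ###
create net vlan outside tag 100 interfaces add { 1.1 { tagged } }
create net vlan inside tag 200 interfaces add { 1.1 { tagged } }
create net self 10.255.0.2/30 vlan outside allow-service none
create net self 10.254.0.1/30 vlan inside allow-service none
create net route default gw 10.255.0.1
create net route farms network 10.20.0.0/16 gw 10.254.0.2

# One rule list per direction; the last rule drops and logs everything else.
# AFM is stateful, so reply traffic needs no explicit rule.
create security firewall rule-list rl_outside rules add { allow_https { action accept ip-protocol tcp source { addresses add { 10.0.0.0/8 } } destination { addresses add { 10.20.0.0/16 } ports add { 443 } } log yes } drop_rest { action drop log yes } }
create security firewall rule-list rl_inside rules add { allow_dns { action accept ip-protocol udp source { addresses add { 10.20.0.0/16 } } destination { ports add { 53 } } } drop_rest { action drop log yes } }

# The policy selects a rule list by ingress VLAN
create security firewall policy pol_gateway rules add { from_outside { rule-list rl_outside source { vlans add { outside } } } from_inside { rule-list rl_inside source { vlans add { inside } } } }

# Catch-all IP forwarding virtual server with the policy enforced on it
create ltm virtual vs_fwd_all destination 0.0.0.0:0 mask any ip-forward profiles add { fastL4 } vlans add { outside inside } vlans-enabled fw-enforced-policy pol_gateway

### LTM guest with AFM provisioned: per-virtual-server policies ###
create net vlan servers tag 300 interfaces add { 1.1 { tagged } }
create net self 10.20.1.1/24 vlan servers allow-service none

# Generic allow-all policy to attach to public virtual servers
create security firewall policy pol_public_allow rules add { allow_any { action accept } }
# Restrictive policy for an intranet-only virtual server
create security firewall policy pol_vs_intranet_only rules add { allow_intranet { action accept ip-protocol tcp source { addresses add { 10.0.0.0/8 } } destination { ports add { 443 } } } drop_rest { action drop log yes } }

create ltm pool pool_app members add { 10.20.1.10:443 10.20.1.11:443 } monitor tcp
create ltm virtual vs_app destination 10.20.0.10:443 pool pool_app profiles add { tcp } fw-enforced-policy pol_vs_intranet_only
# Forwarding virtual server so the servers can use the LTM guest as their gateway
create ltm virtual vs_fwd_servers destination 0.0.0.0:0 mask any ip-forward profiles add { fastL4 } vlans add { servers } vlans-enabled
```

Removing vs_app later leaves pol_vs_intranet_only unattached, which is the per-virtual-server behaviour the last post points out; the forwarding virtual servers stay restricted to their listed VLANs so untagged traffic from other VLANs is not silently routed.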