Forum Discussion

Craig_17766
Aug 08, 2012

HA Pair for Inside and DMZ?

We're looking at using F5s in our DR environment to replace old Cisco CSSs. We'd like an HA pair, but the budget is not there for two HA pairs, one each for DMZ and Inside. Can we use a single F5 HA pair for both DMZ and Inside?

Thanks,

Craig.

  • Hi Craig,

    That depends on your security requirements. Many customers use the same BIG-IP with separate VLANs to isolate networks. You could further isolate networks using route domains. Or for newer Viprions on 11.x, you could use vCMP to create virtual BIG-IP instances.

    It might be worth talking with your F5 or partner SE to go over your exact scenario.

    Aaron
  • Craig - we host both DMZ and internal applications on a single pair. As Aaron stated, you can simply trunk multiple VLANs to your BIG-IPs (one for your DMZ, one for your internal stuff, etc.).

    Josh
  • Hamish
    You can... But I wouldn't... Unless it's a Viprion and you're using separate vCMP guests for DMZ and internal.

    You have firewalls between DMZ and internal for a reason. One of those is a single point of control. Having a single system 'bridge' the firewall like this can lead to security leaks.

    H
  • "You have firewalls between DMZ and internal for a reason. One of those is a single point of control. Having a single system 'bridge' the firewall like this can lead to security leaks." Thinking whether a route domain is helpful in mitigating the security leak.
  • Hamish
    It helps. But I still wouldn't bridge different levels of security like that. Bridging between zones of the same level I have done in the past. But DMZ to internal is one I wouldn't do... Especially if a different team administers the firewall and BIG-IP...

    H
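The route-domain isolation Aaron and the follow-up question refer to, as an added tmsh example that is not from any poster in this thread. VLAN names, VLAN tags, interface numbers, addresses and object names are assumed for illustration; the route domains are given strict isolation so the BIG-IP itself will not forward between the DMZ and internal zones.

```tmsh
# Added example (not from the thread): one BIG-IP HA pair hosting both zones,
# with DMZ and internal traffic placed in separate route domains so packets
# cannot be routed between them on the box. VLAN names, tags, interface
# numbers and addresses below are assumed, not taken from the thread.

# Tagged VLANs for each zone on a shared trunked interface
create net vlan vlan_dmz interfaces add { 1.1 { tagged } } tag 100
create net vlan vlan_internal interfaces add { 1.1 { tagged } } tag 200

# One route domain per zone. 'strict enabled' (strict isolation) means the
# BIG-IP will not forward between this route domain and any other, even if
# a route or a pool member in another domain would otherwise match.
create net route-domain rd_dmz id 10 vlans add { vlan_dmz } strict enabled
create net route-domain rd_internal id 20 vlans add { vlan_internal } strict enabled

# Self IPs carry the %<route-domain-id> suffix; no port lockdown services
# are opened on the data-plane self IPs.
create net self 192.0.2.10%10/24 vlan vlan_dmz allow-service none
create net self 198.51.100.10%20/24 vlan vlan_internal allow-service none

# A DMZ virtual server can only reach pool members in its own route domain
create ltm pool pool_web members add { 192.0.2.20%10:80 192.0.2.21%10:80 } monitor http
create ltm virtual vs_web destination 192.0.2.50%10:80 pool pool_web profiles add { tcp http }

# Verify: each VLAN should appear under its own route domain with strict enabled
list net route-domain
```

Strict isolation separates forwarding, not administration: anyone with admin rights on the pair can still change both route domains, which is the single-point-of-control concern Hamish raises.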