How to control routing between multiple internal VLANs ?
Hello,
I've an open question about the following: We have a setup with multiple internal VLANS (hosting different 'type' of webservers) and one external VLAN (where all VIPs for the different 'type' of webservers are created).
Let's assume that:
- servers deployed in the internal VLANs have only one interface, and the F5 is their only available gateway. VLAN IDs will be 1, 2, 3.
- the external VLAN is sitting between the F5 (of course) and a firewall as upstream device. VLAN ID will be 100.
So, on the F5, I have as virtual servers:
- 'Standard' type for the application VIPs, configured in VLAN 100
- 'Forward IP' type for the routing TO the servers. Servers must be administered via SSH, RDP... from management machines which are not hosted behind the F5. One per internal subnet I want to reach, each enabled for VLAN 100
- 'Forward IP' type for the routing FROM the servers. Servers must reach NTP, DNS, LDAP servers/appliances which are not hosted behind the F5. One per internal subnet I want traffic to go from, each enabled per VLAN (1, 2, 3)
Basically, this setup works fine :)
But I'd like to go in a direction where I'm able to prevent VLAN 1 from talking to VLAN 2 or 3, the same for VLAN 2 with VLAN 1 or 3, and the same for VLAN 3 with VLAN 1 or 2. And the 'problem' here is that, as the VLANs are directly connected, the F5 basically acts as a router (which I'm happy with).
So to achieve this, my ideas are potentially:
- to force any traffic initiated by VLAN 1, 2, 3 to go via VLAN 100 and so through the disruptive device (the firewall). Even if on it I have rules to allow VLAN 1 to talk to VLAN 2 with any any accept :)
- to locally manage 'something' to help me filter traffic between internal VLANs
I've identified various approaches:
1/ AFM. I don't have the license :)
2/ RD. We already use them for other needs. My 'problem' here is that I have only 1 external VLAN. I guess it would be the solution if I had one external subnet for each internal one. One RD per pair of external/internal and that's it.
3/ Packet Filter. Why not, but I'm not sure it's going to be easy to manage on a daily basis. Never tried, and it seems to be global, not per VS.
4/ Playing with a standard VS with the internal subnet as source, 0.0.0.0 as destination and a pool composed of the firewall IP as default pool. This one caught the traffic, but the destination IP is changed to the firewall IP. I can understand it, but maybe I missed an obvious option?
5/ Static route with maybe a VLAN as next hop. Did not try yet, afraid to break something. (I'm in a live environment)
--> So voilà, any help or comment will be appreciated :)
Thanks in advance for contributing.
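Added example (not from the original post) of what approach 3, the Packet Filter, looks like in tmsh when each rule is keyed on its ingress VLAN, so it only bites inter-VLAN traffic and leaves the VLAN 100 / firewall path and the existing Forward IP virtual servers alone. The subnets, VLAN object names and rule names are constructed placeholders, and the global-enable command is given from memory, so confirm it against the tmsh reference for your version before use.

```tmsh
# Constructed example subnets (the original post does not give any):
#   VLAN 1 -> 10.1.0.0/24, VLAN 2 -> 10.2.0.0/24, VLAN 3 -> 10.3.0.0/24
# VLAN objects int-vlan1/2/3 and rule names blk-v* are placeholders.

# Each rule applies only to packets arriving on the named VLAN and discards
# those addressed to the other two internal subnets. Everything else on that
# VLAN (DNS/NTP/LDAP via VLAN 100, replies to admin sessions) is untouched.
tmsh create net packet-filter blk-v1-to-internal action discard vlan int-vlan1 order 10 logging enabled rule "dst net 10.2.0.0/24 or dst net 10.3.0.0/24"
tmsh create net packet-filter blk-v2-to-internal action discard vlan int-vlan2 order 20 logging enabled rule "dst net 10.1.0.0/24 or dst net 10.3.0.0/24"
tmsh create net packet-filter blk-v3-to-internal action discard vlan int-vlan3 order 30 logging enabled rule "dst net 10.1.0.0/24 or dst net 10.2.0.0/24"

# Packet filtering is off by default; enabling it globally activates the rules.
# unhandled-action accept keeps the default permissive behaviour for any packet
# no rule matches, so the existing Forward IP virtual servers keep working.
# (Global settings object and property names given from memory; verify.)
tmsh modify net packet-filter-trusted filter enabled unhandled-action accept
tmsh save sys config

# Verify: a test from a VLAN 1 host to a VLAN 2 address should now time out,
# while the same host still resolves DNS through the firewall. With logging
# enabled, the discarded packets are written to /var/log/pktfilter.
```

Because the rules match on destination subnet only, a new internal VLAN means adding it to every existing rule as well as creating its own; keep the rule list short and the order explicit so later "accept" rules cannot shadow these discards.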