Forum Discussion
Glenn_32974
Jan 11, 2012, Nimbostratus
Inter-VLAN Routing on F5
Hello Guys!
I have been given the 172.31.39.0/24 network in order to create 4 subnets to assign to corresponding VLANs,
so right now I have:
172.31.39.0 / 26 subne...
mikand_61525
Jan 19, 2012, Nimbostratus
I disagree :)
Let's take your primary suspects for choosing a dedicated router instead of a Viprion:
Easy migration
Far easier to migrate the F5 if you ask me. When I set up a VS, this VS is automatically (once I click the sync link) synchronized with the failover partner. Using Cisco (or any other brand for that matter) and ACLs you need to manually log in to BOTH devices and do the same work twice (with the risk that after a while both devices don't have the same config, for example regarding ACLs and stuff).
Easy to extend to different "sites" (with BGP or similar)
F5 has built-in support for BGP, IS-IS, OSPF and RIP for both IPv4 and IPv6, so no problem here. Compared to most regular routers, your F5 can also inject (and withdraw) these routes based on different monitors (not only based on latency and such, which IP SLA will bring you, but also L7 stuff like low latency AND reachable for x number of times AND a DNS server giving you correct replies etc., as a single monitor).
Only dedicated traffic will hit the F5 (load-balancing traffic and not, for example, backups)
Well, in this case load-balanced traffic will hit your routers, which will be unnecessary. Regarding backups, it depends on where you place your backup servers. You can for example place them behind the internal firewall (since the backups contain sensitive data - won't they?) and let this firewall perform QoS for all traffic going to/from the backup DMZ (backup traffic gets lowest priority) and voila - you can now even perform backups at lunch hours (and are not forced to wait until 02:00 AM).
There is plenty of other stuff that the F5 can do which an ordinary router most times cannot - but something that's "hot" nowadays is IPv6... with the F5 as core router you can easily do 6to4 and 4to6 (and 6to6 along with 4to4 etc. :P), which means your servers can still be IPv4-only (no need to dual-stack) but at the same time you can speak to the rest of the world using IPv6.
But let's take a look at the capacity of each blade and see if that's enough.
Viprion 2400 (2100Blade):
40Gbps L7/blade
Viprion 4400 (4200Blade):
18Gbps L7/blade
Rumours say that there are new blades coming for the 4400 series (or if it was the 2400 series, can't remember) this spring which will yield 320 Gbit/s per blade.
Also, what I'm speaking about here is not replacing all your routers with F5s (even if that would work, in most cases it would be somewhat expensive =) but rather, instead of using 2x routers + 2x F5, you can merge these 4 units into just 2x F5.
Q1: With backend VLAN you mean like server VLANs? In that case I would suggest placing them behind a firewall so I can have control of which traffic will be allowed between the zones (for example DNS servers in one, AD servers in another and so on). Preferably an NGFW (application firewall), which will not only look at port numbers but rather at what's actually being transmitted in those packets that are passing by.
Q2: See above :-) For 150 VLANs one would need an L2 modular switch connected to the firewall at high speed, and the firewall would have the SVI (the defgw for each VLAN is an IP address configured on the firewall). Use 802.1Q to separate the networks (and make sure you don't f**k up the config - for example turn off VTP, set interfaces into static trunk or static access mode (not auto) and also set the allowed VLANs for each and every interface in your L2 modular switch). This also depends on your infosec regulations along with how many interfaces your firewall has.
Q3: Well, it's up to you, but I prefer to put the firewall close to my golden eggs (so the eggs won't get scrambled =). So if the AD server from Q1 wishes to speak to the DNS server, it will either speak directly to the physical IP (this way the traffic goes AD -> L2 switch -> firewall -> L2 switch (another VLAN) -> DNS) OR speak to the VS IP, but then the traffic will go out from the firewall to the core F5, which will then decide which DNS server your request will actually be sent to (same site or different site, unless the F5 replies on its own ;-)
Q4: This will be by design when you put each system in its own VLAN behind the firewall (where the VLAN IP (the defgw for the server) is an IP configured on the firewall as described in Q2). You can also bundle the systems into larger VLANs if you prefer it that way (or the other way around - each server gets its own VLAN so even traffic between DNS1 and DNS2 needs to pass the firewall).
Regarding your comment on my flow example, sure - but having the F5 before the firewalls (meaning client - F5 - firewall - server) is the preferred method if you have multiple sites (this way the core F5 will send the client to the server which is actually reachable, no matter whether it's the server that is failing or the firewall in front of the server). Using this setup you can then also enable WON (WAN acceleration) in your F5 because the setup will basically be: siteA-F5 <-> WAN (MPLS, EVLS, own wavelengths or whatever) <-> siteB-F5
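An added example, not part of the thread, illustrating the switch-port hygiene recommended in Q2 (VTP off, static access/trunk mode rather than auto, an explicit allowed-VLAN list on every trunk): a small audit that parses an IOS-style running config and reports the ports that deviate. The config text and interface names are constructed for illustration, and the `!`-delimited stanza layout is the only assumption the parser makes.

```python
import re
# Constructed IOS-style running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
vtp mode server
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/4
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} per 'interface' stanza."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return ifaces

def audit(config):
    """Return (scope, finding) tuples for settings that violate the Q2 advice."""
    findings = []
    m = re.search(r"^vtp mode (\S+)", config, re.M)
    if not m or m.group(1) not in ("transparent", "off"):
        findings.append(("global", "VTP not disabled (mode transparent/off)"))
    for name, lines in parse_interfaces(config).items():
        mode = next((ln.split()[2] for ln in lines if ln.startswith("switchport mode ")), None)
        if mode not in ("access", "trunk"):  # missing, or 'dynamic auto/desirable'
            findings.append((name, "port mode not static access/trunk"))
        elif mode == "trunk":
            if not any(ln.startswith("switchport trunk allowed vlan") for ln in lines):
                findings.append((name, "trunk has no allowed-VLAN list"))
            if "switchport nonegotiate" not in lines:
                findings.append((name, "DTP negotiation not disabled"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags the VTP mode, the dynamic-auto port and the bare trunk on Gi1/0/4, while the hardened uplink and the static access port produce no findings.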