Glenn_32974
Jan 11, 2012
Inter-VLAN Routing on F5
Hello Guys!
I have been given the 172.31.39.0/24 network in order to create 4 subnets to assign to the corresponding VLANs,
so right now I have:
172.31.39.0/26 subne...
mikand_61525
Jan 20, 2012
0) Don't use the quote "feature" on this forum - it's really hard to answer each individual claim by requoting the requote which is a quote and so on...
1) I'm pretty sure the PCI requirements won't allow you to have the load balancer between the firewall and the server, because this way you are breaking your security zones.
2) Do you perhaps have some more information regarding ZebOS (since there are plenty out there using both ZebOS and Zebra as RR and for other features)?
3) As I see it there is no need for router + F5 when the F5 alone can do the work very well. Having the F5 as core will also make you able to load balance between sites without involving BGP etc., and also to load balance at the L7 level.
You won't leak backup traffic since the firewall will separate the flows. How will you otherwise perform backups?
The backups in this case can be server -> firewall -> backup server; the clients on their own have no need to perform backups towards the backup servers. Also, backups from servers at site A will go to the backup servers at site A. In case the backup servers at site A fail, the servers at site A can do their backup to the backup servers at site B if you wish. In this case QoS will throttle the traffic, but you can of course apply the same QoS rules in the F5 as well to also shape the backup traffic which might go over the WAN links.
Using an internal firewall will protect your golden eggs, where you can have one DMZ for servers (let's say one VLAN per system or per server), one DMZ for backup servers, one DMZ for log servers, one DMZ for PKI servers and so on.
4) Firewalling and firewalling. One great feature that F5 brings you (which most firewalls won't) is the ASM feature with, for example, XML gateway firewalling (to protect SOAP/web services stuff). When you have the F5 inline I see no reason for not using the ASM for the flows where it can be used :)
Q1: One design can be as follows (just an example, in real life one would use smaller netblocks and so on):
Zones behind the firewall:
DMZ1: 10.x.1.0/24
DMZ2: 10.x.2.0/24
DMZ3: 10.x.3.0/24
where x is which site (well datacenter that is).
and then let 10.0.0.0/24 be the virtual range where you put the individual VSs.
The firewall in this case will be completely transparent (only the next hop will be visible, and perhaps only if one does a traceroute).
So to reach each physical DNS server the client can either address 10.1.1.1 / 10.2.1.1 / 10.3.1.1, OR the client can just address 10.0.0.1 and let the F5 decide which DNS server the request will be forwarded to.
The VS in this case would look like:
10.0.0.1:53/255.255.255.255
->
10.1.1.1:53
10.2.1.1:53
10.3.1.1:53
Q2: The firewall is the default gateway for the servers (one VLAN per system or server depending on your needs). The switches to which the servers are attached only need to do L2 (VLAN 802.1Q), so there is no need for expensive L3 devices here. So yes, the firewall will do routing, but only routing for the DMZs directly attached (L3 interfaces on the firewall). The default gateway for the firewall will point to the F5.
Q3: The F5 is outside the firewall from the servers' point of view. But of course it is up to you where you choose to place your F5.
Q4: No, the client addresses the VS in the F5 which sits close to the clients. The F5 will then decide which server at which site your request will be sent to. Because the server sits behind the internal firewall, the F5 will not only take care of a server failing but also of the internal firewall failing. If the internal firewall at the local site fails, the client request will be sent to another site (where the F5 addresses the physical IP of the server; otherwise you would end up with a routing loop if your local F5 addressed a VS at the other site).
The physical design can be:
External net
|
External firewall
|
Client(s) - F5 - WAN (to other sites)
|
Internal firewall
|
Server(s)
(both the external and the internal firewall are connected to the F5, which acts as core router and load balancer, even if my ASCII drawing skillz are failing ;)
But what your design looks like depends on many parameters. The above will be robust against DDoS arriving from the external net, because you might expect the external firewall to go offline, which will then protect the internal resources (compared to connecting all the networks to a single firewall: even if the external firewall is offline, the internal firewall is still functioning and can serve your clients).
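The design above (F5 as core router in front of the internal firewall, a DNS VS at 10.0.0.1 in front of physical servers at three sites, remote sites used only when the local site fails) can be expressed as a BIG-IP tmsh configuration. This is an added example, not configuration from the thread or from F5; it assumes BIG-IP v11-style tmsh, a version that has the `dns` monitor type, and invented interface numbers (1.1, 1.2), VLAN tags (39, 40) and transit addresses (192.0.2.0/30 towards the internal firewall, 198.51.100.0/30 towards the external one). Every object name is made up.

```tmsh
# --- L3 core: one VLAN per attached firewall, no listening services on the self IPs ---
create net vlan fw_int { interfaces add { 1.1 { tagged } } tag 39 }
create net vlan fw_ext { interfaces add { 1.2 { tagged } } tag 40 }
# allow-service none = port lockdown; the F5 routes between these VLANs but
# exposes no management or SSH listener on the transit addresses.
create net self f5_fw_int { address 192.0.2.1/30    vlan fw_int allow-service none }
create net self f5_fw_ext { address 198.51.100.1/30 vlan fw_ext allow-service none }

# The internal firewall (192.0.2.2) owns the DMZs 10.1.x.0/24 at site 1; the F5 needs
# a route to them to reach the physical pool members. Its own default gateway is the
# external firewall. (Remote DMZs 10.2.0.0/16 and 10.3.0.0/16 are reached over the WAN
# link, whose next hop is site-specific and omitted here.)
create net route dmz_site1 { network 10.1.0.0/16 gw 192.0.2.2 }
create net route default   { network default      gw 198.51.100.2 }

# Inter-VLAN routing on a BIG-IP needs a forwarding virtual server. Restrict it to
# the two firewall VLANs instead of listening on every VLAN (least privilege).
create ltm virtual fwd_core {
    destination 0.0.0.0:0 mask 0.0.0.0
    ip-forward
    profiles add { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans add { fw_int fw_ext }
    vlans-enabled
}

# --- The DNS VS from the post: 10.0.0.1:53 -> 10.1.1.1 / 10.2.1.1 / 10.3.1.1 ---
# Application-level monitor: a member is only "up" if it answers a real query.
# A dead internal firewall at site 1 therefore marks 10.1.1.1 down automatically.
create ltm monitor dns dns_a_mon { defaults-from dns qname www.example.com qtype a }

# Priority groups implement "local site first, other sites only on failure":
# min-active-members 1 means traffic spills to priority 5 members only when no
# priority 10 member is available. Remote members are the servers' physical
# addresses, never another site's VS (avoids the routing loop the post warns about).
create ltm pool dns_pool {
    monitor dns_a_mon
    min-active-members 1
    members add {
        10.1.1.1:53 { priority-group 10 }
        10.2.1.1:53 { priority-group 5 }
        10.3.1.1:53 { priority-group 5 }
    }
}

create ltm virtual dns_vs {
    destination 10.0.0.1:53
    mask 255.255.255.255
    ip-protocol udp
    profiles add { udp }
    pool dns_pool
}

save sys config
```

Two things worth checking before relying on this. First, `dns_vs` is written without SNAT, so the servers and the internal firewall see the real client source address, which is what you want for firewall rules and PCI-style logging; that only works because the servers' return path (default gateway = firewall, firewall default gateway = F5) passes back through the BIG-IP. If the return path were asymmetric you would need `source-address-translation { type automap }` on the VS and would lose the client address in the server logs. Second, the forwarding virtual server is what makes the F5 a router; check with `show ltm virtual fwd_core` and `tmsh show net route` that it is only enabled on the VLANs you intend, because a forwarding VS with `vlans-disabled` listens on every VLAN, including ones behind the internal firewall if they are ever attached to the BIG-IP.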