Forum Discussion

Ernesto_27816
Mar 18, 2012

Inter-Vlan Security

Hello,

I have a very simple scen

Vlan A: Server vlan with BIGIP as default gateway
Vlan B: Server vlan with BIGIP as default gateway
Vlan C: Interconnection vlan between Firewall and BIGIP. Firewall is default gateway for BIGIP

My customer wants all traffic to and from the server vlans (including inter-vlan traffic) to go to the firewall for security control. Can I do it with IP Forwarding virtual servers? How must I configure them?

I don't want to configure route domains or iRules for this if possible.

Regards.
  • Hi Ernesto,

    If I understand you correctly, you want VLAN A and B to go through the firewall on VLAN C even when VLAN A and B need to communicate with each other. Is that correct?

    Bhattman

  • Hi Bhattman,

    You are right, I need traffic to go through the firewall on VLAN C even when VLAN A and B need to communicate with each other. I have management traffic going directly to the real servers on VLAN A and B, coming through VLAN C.

    Regards.
  • Hi Ernesto,

    You would then need to look at creating another firewall DMZ and using Partitions.

    You should go to ask.f5.com and search about partitions.

    thanks,

    Bhattman
  • Hi Bhattman,

    Can you tell me more about how partitions can help me and what I must search for? I think that partitions permit administrative control over objects, but I don't see how I can use them to implement my scen.

    I have version 11.1.

    Regards.
  • Hamish
    Posted By Ernesto on 03/18/2012 05:59 AM

        Hello,

        I have a very simple scen

        Vlan A: Server vlan with BIGIP as default gateway
        Vlan B: Server vlan with BIGIP as default gateway
        Vlan C: Interconnection vlan between Firewall and BIGIP. Firewall is default gateway for BIGIP

        My customer wants all traffic to and from the server vlans (including inter-vlan traffic) to go to the firewall for security control. Can I do it with IP Forwarding virtual servers? How must I configure them?

        I don't want to configure route domains or iRules for this if possible.

        Regards.

    Answer. 3 VS's.

    One network VS of type forwarding. Destination VlanA. Enabled on VLAN C only.

    One network VS of type forwarding. Destination VlanB. Enabled on VLAN C only.

    And then

    One network VS of type STANDARD. Destination default (0.0.0.0/0). The default pool has one pool member, the firewall IP address on port 0. Enabled on VLAN A and VLAN B.

    Traffic from VLAN A or B hits VS 0.0.0.0. It's forwarded to the pool member (Firewall). The firewall checks the traffic. Assuming it's allowed, the firewall forwards the packet BACK to the BigIP (using the firewall routing table) via the floating IP address.

    This traffic from the firewall hits VS(A) or VS(B) depending on destination (because they are enabled only on VLAN C). It's forwarded direct to the attached VLAN.

    H

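    One way to write the three virtual servers Hamish describes, as an added bigip.conf-style example that is not from the thread or from F5: the VLAN names (vlan_a, vlan_b, vlan_c), the server subnets and the firewall address 192.0.2.1 are assumed placeholders.

```tmsh
# Added example, not from the thread: Hamish's three virtual servers in
# bigip.conf / tmsh object syntax. VLAN names, subnets and the firewall
# address 192.0.2.1 are assumed placeholders; adjust to your environment.
# Pool holding only the firewall's inside address; port 0 means any port.
ltm pool /Common/pool_firewall {
    members {
        /Common/192.0.2.1:0 {
            address 192.0.2.1
        }
    }
}

# Forwarding (IP) VS for VLAN A's subnet, listening on VLAN C only, so a
# packet is forwarded into VLAN A only after the firewall has sent it back.
ltm virtual /Common/vs_fwd_vlan_a {
    destination /Common/10.10.1.0:0
    mask 255.255.255.0
    ip-forward
    profiles { /Common/fastL4 { } }
    translate-address disabled
    translate-port disabled
    vlans { /Common/vlan_c }
    vlans-enabled
}

# Same shape for VLAN B's subnet (10.10.2.0/24), also enabled on VLAN C only.
ltm virtual /Common/vs_fwd_vlan_b {
    destination /Common/10.10.2.0:0
    mask 255.255.255.0
    ip-forward
    profiles { /Common/fastL4 { } }
    translate-address disabled
    translate-port disabled
    vlans { /Common/vlan_c }
    vlans-enabled
}

# Standard catch-all VS on VLAN A and B only: every packet a server sends,
# including VLAN A to VLAN B, goes to the firewall pool member instead of
# being routed directly by the BIG-IP. No translation, so the firewall sees
# the real source and destination addresses and ports.
ltm virtual /Common/vs_default_to_fw {
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_firewall
    profiles { /Common/fastL4 { } }
    translate-address disabled
    translate-port disabled
    vlans { /Common/vlan_a /Common/vlan_b }
    vlans-enabled
}
```

    The VLAN restrictions are what prevent a bypass: a packet arriving on VLAN A for a VLAN B address cannot match vs_fwd_vlan_b, because that VS listens on VLAN C only, so its only path is through the firewall pool.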
  • If you have a PIX Firewall version prior to 7.2(1), you cannot send packets in and out of the same interface. However, starting in version 7.2(1) you can do this via the command "same-security-traffic permit intra-interface".

    If the firewall does not permit this, then you need to create another interface on the BIGIP and another interface on the firewall.

    Bhattman
  • Hi both,

    I have tested and all works OK, but I have one more question. With a standard VS I can manage TCP or UDP traffic (one VS for each) but not other traffic such as ICMP, is that correct?

    Regards.