Forum Discussion
NimbostratusInter-Vlan Security
I have a very simple scen
Vlan A: Server vlan with BIGIP as default gateway
Vlan B: Server vlan with BIGIP as default gateway
Vlan C: Interconection vlan between Firewall an BIGIP. Firewall is default gateway for BIGIP
My custoner want that all traffic to and from server vlans (including inter-vlan traffic) go to firewall for security control. Can i do it with IP Fordwarding virtual servers?. How i must configure them?.
I don't want configure route domains or iRules for this if is possible.
Regards.
7 Replies
- The_BhattmanHi Ernesto,
If I understand you correctly you want VLAN A and B to go through firewall on VLAN C even when VLAN A and B need to communicate with each other. Is that correct?
Bhattman 
Ernesto_27816Hi Bhattman,
You are ok, i need traffic to go through firewall on VLAN C even whe VLAN A and B need communicate with each other. I have management traffic directly to real serves on VLAN A and B coming throung VLAN C.
Regards.- The_BhattmanHi Ernesto,
You would then need to look at creating another Firewall DMZ and use Partitions
You should go to ask.f5.com and search about partitions.
thanks,
Bhattman - Ernesto_27816Hi Bhattman,
Can you talk me more about how partitions can help me and what i must search?. I think that partitions permit administrative control over objects but i dont see how i can use it for implementing my scen.
I have 11.1 version
Regards. 
HamishCirrocumulus
Posted By Ernesto on 03/18/2012 05:59 AM
Hello,
I have a very simple scen
Vlan A: Server vlan with BIGIP as default gateway
Vlan B: Server vlan with BIGIP as default gateway
Vlan C: Interconection vlan between Firewall an BIGIP. Firewall is default gateway for BIGIP
My custoner want that all traffic to and from server vlans (including inter-vlan traffic) go to firewall for security control. Can i do it with IP Fordwarding virtual servers?. How i must configure them?.
I don't want configure route domains or iRules for this if is possible.
Regards.
Answer. 3 VS's.One network VS of type forwarding. Destination VlanA. Enabled on VLAN C only.
One network VS of type forwarding. Destination VlanB. Enabled on VLAN C only.
And then
One network VS of type STANDARD. Destination default (0.0.0.0/0). The default pool has one pool member, the firewall IP address on port 0. Enabled on VLAN A and VLAN B.
Traffic from VLAN A or B hits VS 0.0.0.0. It's forwarded to the pool member (Firewall). The firewall checks the traffic. Assuming it's allowed, the firewall forwards the packet BACK to the BigIP (Using the firewall routing table) via the floating IP address.
This traffic from the firewall hits VS(A) or VS(B) depending on destination (Because they are enabled only on VLAN C). It's forwarded direct to the attached VLAN.
H
- The_BhattmanIf you have a PIX Firewall versions prior to 7.2(1) you cannot send packets in and out from the same interface. However, starting in version 7.2(1) you can do this via command "same-security-traffic permit intra-interface"
If you the firewall does not permit this then you need create another interface on the BIGIP and another interface on the firewall.
Bhattman - Ernesto_27816HI both,
I have tested and all work ok, but i have one more question. With standard VS i can manage TCP or UDP traffic (one VS for each) but not other traffic as icmp, it's correct?.
Regards.
