Forum Discussion
iRule for Inter-VLAN Security?
We're looking at migrating all our existing server IP ranges behind an F5 8900 to take advantage of the ability to offload compression & SSL onto the F5 itself, instead of doing it on each server, amongst other features.
The question that's come up is how do we manage security between VLANs going forward. For example:
Web Server A - 10.1.1.1/24
Application Server B - 10.1.2.1/24
Database Server C - 10.1.3.1/24
All servers use the F5 as their default gateway.
Now imagine this is your average run-of-the-mill 3-tier application. As the F5 will be doing all the routing between the three networks here (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24), how do we limit what can talk to what?
As an example:
A can talk to B on port 6969
B can talk to C on port 3306
ICMP is allowed globally for ping debugging, etc.
No other communication between servers is allowed.
How would I do this in an iRule? Has anyone done something like this? Does it scale to large lists?
Thanks
- nitass
Employee
is this applicable?
- JRahm
Admin
The F5 BIG-IP is a default-deny device. Unless you configure a 0.0.0.0/0 forwarding virtual and enable it on all VLANs, only the traffic you configure to flow from VLAN a -> VLAN b -> VLAN c will do so.
- Nom_55811
Nimbostratus
Thanks, nitass... I think that's exactly what I wanted.
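The default-deny approach JRahm describes, as an added example that is not part of the thread: rather than a catch-all 0.0.0.0/0 forwarding virtual, one narrow forwarding virtual server per permitted flow from the question, entered in tmsh. The VLAN names (vlan_web, vlan_app, vlan_db), the virtual server names and the use of `ip-protocol icmp` for the ping rule are assumptions to check against your BIG-IP version; the subnets and ports are the ones in the question.

```tmsh
# Added example, not from the thread. Default-deny inter-VLAN forwarding on
# BIG-IP: no 0.0.0.0/0 forwarding virtual, one forwarding virtual per allowed
# flow. VLAN and virtual server names below are assumed.

# A (10.1.1.0/24) -> B (10.1.2.0/24) on TCP 6969.
# Listening only on the web VLAN means a host on another VLAN cannot reach
# this listener even if it spoofs a 10.1.1.x source address.
create ltm virtual fwd_web_to_app_6969 \
    destination 10.1.2.0:6969 mask 255.255.255.0 \
    source 10.1.1.0/24 \
    ip-protocol tcp \
    ip-forward \
    profiles add { fastL4 } \
    vlans-enabled vlans add { vlan_web }

# B (10.1.2.0/24) -> C (10.1.3.0/24) on TCP 3306.
create ltm virtual fwd_app_to_db_3306 \
    destination 10.1.3.0:3306 mask 255.255.255.0 \
    source 10.1.2.0/24 \
    ip-protocol tcp \
    ip-forward \
    profiles add { fastL4 } \
    vlans-enabled vlans add { vlan_app }

# ICMP from any of the three VLANs to any destination, for ping debugging.
# A 0.0.0.0:0 destination restricted to ip-protocol icmp is not a catch-all:
# TCP and UDP still match nothing and are dropped. (ip-protocol icmp is an
# assumption; confirm it is accepted on your version.)
create ltm virtual fwd_icmp_any \
    destination 0.0.0.0:0 mask 0.0.0.0 \
    ip-protocol icmp \
    ip-forward \
    profiles add { fastL4 } \
    vlans-enabled vlans add { vlan_web vlan_app vlan_db }

# Check that no other forwarding listener (in particular none with a
# 0.0.0.0/0 destination and ip-protocol any) exists, then persist.
list ltm virtual one-line
save sys config
```

Because fastL4 forwarding is stateful, the B -> A reply packets of a connection opened through fwd_web_to_app_6969 ride the existing flow, so no reverse virtual is needed, and there is no listener through which B can open a new connection to A. With no 0.0.0.0/0 virtual present, anything that matches none of these three listeners is dropped by the BIG-IP, so no iRule is needed for the deny; the output of `list ltm virtual one-line` should show only the listeners you intend.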