iRule for Inter-VLAN Security?
We're looking at migrating all our existing server IP ranges behind an F5 8900 to take advantage of the ability to offload compression & SSL onto the F5 itself, instead of doing it on each server, amongst other features.
The question that's come up is how do we manage security between VLANs going forward. For example:
Web Server A - 10.1.1.1/24
Application Server B - 10.1.2.1/24
Database Server C - 10.1.3.1/24
All servers use the F5 as their default gateway.
Now imagine this is your average run-of-the-mill 3-tier application. As the F5 will be doing all the routing between the three networks here (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24), how do we limit what can talk to what?
As an example:
A can talk to B on port 6969
B can talk to C on port 3306
ICMP is allowed globally for ping debugging, etc.
No other communication between servers is allowed.
How would I do this in an iRule? Has anyone done something like this? Does it scale to large lists?
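One way to express the policy above as an iRule, added here as an example and not part of the original post. It assumes a wildcard forwarding virtual server (0.0.0.0/0, port any, protocol all, FastL4 or IP-forwarding profile) enabled on the three server VLANs, since an iRule only ever sees traffic that hits a virtual server. The data group names dg_tiers and dg_intervlan_allow are assumptions; the tier names web/app/db map to the three /24s in the question. Tier membership lives in an address data group and the allowed (source tier, destination tier, IP protocol, port) tuples in a string data group, so adding a server is one address record and adding a rule is one string record, which scales far better than a long if/elseif chain in the rule itself.

```tcl
# Example iRule for inter-VLAN filtering on a forwarding virtual server.
# Added example, not from the original post. Assumed data groups (tmsh
# syntax, v11+; v10 uses "class" objects with the same content):
#
#   ltm data-group internal dg_tiers {
#       records {
#           10.1.1.0/24 { data web }
#           10.1.2.0/24 { data app }
#           10.1.3.0/24 { data db }
#       }
#       type ip
#   }
#   ltm data-group internal dg_intervlan_allow {
#       records {
#           web:app:6:6969 { }
#           app:db:6:3306 { }
#       }
#       type string
#   }
#
# Key format in dg_intervlan_allow: <src tier>:<dst tier>:<ip proto>:<dst port>

when CLIENT_ACCEPTED {
    set src   [IP::client_addr]
    set dst   [IP::local_addr]
    set proto [IP::protocol]

    # ICMP (IP protocol 1) is allowed everywhere for ping/debugging.
    if { $proto == 1 } {
        return
    }

    # Map each endpoint to its tier via the address data group.
    # "class match -value" returns the record's data, or "" on no match.
    set src_tier [class match -value $src equals dg_tiers]
    set dst_tier [class match -value $dst equals dg_tiers]

    if { $src_tier eq "" || $dst_tier eq "" } {
        log local0. "DROP unknown tier: $src -> $dst proto $proto"
        drop
        return
    }

    # Only read a port for protocols that have one; the virtual server is
    # protocol "all", so guard on IP::protocol before calling TCP::/UDP::.
    set dport ""
    switch $proto {
        6  { set dport [TCP::local_port] }
        17 { set dport [UDP::local_port] }
    }

    set key "${src_tier}:${dst_tier}:${proto}:${dport}"

    if { [class match $key equals dg_intervlan_allow] } {
        # Explicitly permitted tuple, e.g. web:app:6:6969 or app:db:6:3306.
        return
    }

    # Default deny for everything else between the VLANs.
    log local0. "DROP $src -> $dst ($key)"
    drop
}
```

A few points worth checking before relying on this: the forwarding virtual server is stateful, so the reply half of an allowed flow (C answering B on 3306) is carried by the existing connection and never re-evaluated; "drop" discards silently, while "reject" would send a TCP RST if you prefer fast failure on the client side; traffic between hosts on the same VLAN never reaches the F5 and is not covered by this rule; and if the servers can reach each other by any path other than the F5 default gateway, the rule is bypassed. Logging every drop to local0 can be noisy on a busy box, so rate-limit or remove the log lines once the policy has been validated.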