Forum Discussion
zafer
Nimbostratus
NimbostratusL2 port security
Hi
i want make secure port on Bigip, terminology name on Cisco pvlan (private vlan)
like this ;
i have 1 internal vlan and assigned port 1.1 and 1.2 to this vlan
each port communicate on switch fabric level but idont want this. How can i want block traffic between port 1.1 and 1.2
regards
zafer
hoolioCirrostratus
Hi Zafer,
Maybe I'm misunderstanding, but if you want to add two ports to the same VLAN, wouldn't you expect that the traffic would be mixed between the two ports? If you want isolation of the traffic on the two ports, why not add them to separate VLANs?
By default LTM won't route between different VLANs.
Aaron- JRahm
Admin
private vlans offer the ability to provide another layer of access control, such as in a DMZ environment, where all the web servers might be in same vlan, but you don't want them to be able to talk to each other. The LTM doesn't have this capability. That said, you could build packet filters to disallow traffic at l3/l4 level between hosts on a vlan if all their traffic flows through the LTM (ie, they're both directly connected to the switch plane). If they aren't directly connected, intra-vlan traffic won't flow to the LTM anyway. I've always used access switches for this kind of control, where there are quite a few more l2 tricks availalble. - hoolioThanks for the info, Citizen. I didn't get the use case.
Aaron 
zaferApplication and DB server on same subnet, we want send traffic to Firewall for monitor traffic and give block or accept
for this reason you can do pvlan and they can not talk each other but their we have multiple cisco switch and server on different switch
at this time
host a 1.1.1.1 connected switch1
host b 1.1.1.2 connected switch2
cisco has pvlan they can not talk directly but each switch connected on bigip and bigip does not touch traffic. they are on same vlan. when i opened tcpdump i dont see anything.
traffic pass over switch fabric level.
for the solution i created created multiple vlan for each port and i put them in vlan group
why i configured like this if see on TMM level i can block this but still working on L2 level.
they not hitted on 0.0.0.0/0 L2 or L3 vip
zafer- JRahmCan you provide a drawing of what you're trying to accomplish? I'm not sure I follow what you're saying. For the LTM to receive traffic from your pvlan hosts, it will need to be connected as a promiscous port since your two hosts are (I assume) configured in isolation mode. I personally prefer the vACL approach for controlling intra-subnet traffic for two reasons. 1) configuration is straight forward, making it easy to troubleshoot, and 2) there are some serious holes in pvlan from security perspective.
L4L7_53191If I understand correctly I think the best way to accomplish what you want is to use forwarding virtual servers with gateway pools that point to your firewall for policy enforcement. I've used this design with success in the past. Note that this is L3 and up. If you're binding multiple vlans to your port you won't get crosstalk across vlans with this design, so vlan hopping will be avoided.
Also, I'd avoid vlan groups, as a matter of preference.
-Matt- zaferHello
i attached the topology,
vip 0.0.0.0/0.0.0.0:0 with irule (chek ip subnets with vlan id then send firewall else forward)
1.14 in external vlan
1.1 and 1.2 in internal vlan (the problem is here)
host A and host B in same network 192.168.254.0/24
in this topology host A can access the host B (if they have not spesific route) they have default gw and its bigip
when i look the tcpdump i dont see any packet because bigip forward packet between 1.1 and 1.2 in switch fabric level
i moved switch 2 behind switch1 and only 1.1 port active on bigip and everything is fine but we dont want move all switch behind 1 switch
another option ;
i tested vlan group like this;
1.1 on Vlan A
1.2 on Vlan B
vlangroup=Vlan+VlanB then created proxy exclutions bla bla
then i can see packed when i opened tcpdum but this traffic does not hit L3-VIP, also tried L2-Vip still not hits
any idea?
zafer - JRahmIs there a trunk between s1 and s2? Can you mirror packets from s1 and/or s2 to a laptop with wireshark on it so you can see if the packets are leaving the switches and heading for the BIG-IP ports? If hostA and hostB are in the same subnet, why would a route impact their ability to connect to each other directly?
I'd remove as much extra configuration as possible surrounding this architecture so you can get it working, then add the other stuff back one at a time. I second L4L7's suggestion to avoid the vlan groups if possible. - zaferHi citizen,
i found solution and it worked.
the solution ; creating multiple vlan for each ports then assign all vlans to the vlangroup. At this time we can see packets with tcpdump but they dont hit vip 0.0.0.0/0.
still L2 working on TMM but not hits L3 vip. i found the bigdb command and we can disable L2 forwarding. After this settings all packets goes to L3 vip and i can forward to the firewall or drop them
thats the solution it works
Regards
Zafer
