For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

GajAnna's avatar
GajAnna
Icon for Nimbostratus rankNimbostratus
Jul 14, 2019

LTM and internal vlans and external routing

Hi, I have a situation where there are two internal vlans in an LTM. The vlan names are Internal and Servers with relevant self IPs. The LTM routes traffic via the external vlan to an upstream route...
LTM
security
Niels_van_Sluis's avatar
Niels_van_Sluis
Icon for MVP rankMVP
Jul 14, 2019

Have you considered using route domains? If you put the server vlan and internal vlan in different route domains, the F5 BIG-IP will not route traffic between both VLANs internally when using the default route domain settings.

 

 

  • GajAnna's avatar
    GajAnna
    Icon for Nimbostratus rankNimbostratus
    Jul 14, 2019

    Thanks Niels for pointing this out.

    I did consider using a seperate RD for the server vlan however was not sure if LTM can route traffic via the external vlan which is part of the default RD 0 anyway. Example, can LTM route the RD 1 traffic via the RD 0 external vlan (defualt external gateway) or any specific config required on the RD1 to achieve this?

     

    Also the nodes in the server VLAN has a virtual server VIP for incoming traffic for an application. Moving server vlan to another RD will have an impact on this too?

     

    Regards,

    • Niels_van_Sluis's avatar
      Niels_van_Sluis
      Icon for MVP rankMVP
      Jul 14, 2019

      It's probably best to have each route domain connected to the upstream router/gateway directly. I think in this setup using parent route domains will not work, because then the F5 will again route the traffic internally. These are things that are best to tested in a test environment before making changes on the production environment. Then you also get an idea what the impact will be on the current setup.