Forum Discussion
Ty__Trabosh_946
Nimbostratus
NimbostratusMultiple VLAN Groups
I've been working on a deployment with a pair of 6400's in a layer2 deployment. There is a requirement that SNAT not be used or the LTM become the gateway. It is being deployed directly connected to a firewall for DMZ services. Also a pair of switches (3750 stack) for internal servers to add more port density.
I'm wondering what a best practice design for this would be with it all being layer2 at the LTM. The current plan is as follows.
Each of the LTM's will connect to one firewall. These connections will be tagged for (Vlans 140,141). Then there will be one connection to each of the two inside switches (VLAN 240,241) that will also be tagged. Since the two 3750's are connected VIA the stack cable all is good at this point.
My question is should I break the Stack cable and just build tagged interface between the two LTM's for the Firewalls to see each other. Or should I leave the interconnection on the inside stack for the flow.
9 Replies
- 2 questions
1) do the firewalls have an available port that can be used ?
2) What do the firiewalls need to communicate back and forth that can't be routed? ie state tables, etc. 
Ty__Trabosh_946Yes the firewall has some free interfaces on it.
The firewalls will be using VRRP so they need to be on the same layer 2 network. The reason this is being depolyed as a layer2 option with F5 is that the security team at this customer site will not allow them to be installed in Layer3.- so they're using VRRP to present 1 address to the LTM's to use as an external gateway?
- Ty__Trabosh_946That is correct. There is an VRRP session running between the firewalls. In this deployment since we are tagging to the interfaces there are 2 VRRP sessions. One in VLAN 240 and one in 241
- Would adding another physical connection to the LTM's and tagging it for 241 and 240 accomplish what you're looking for ?
Otherwise, if the FW's don't require VRRP internally and could depend on the LTM to LB for them they could point to the 240/241 floating ip's on the LTM's as a gateway to the internal network and you'd set up gateway pools on the LTM's for outbound traffic to either load balance between the 2 FW's or prefer 1 or the other based on an irule or a monitor testing which of the fw's is active on the "outside" VRRP address. - sorry I meant 140 and 141...I just read back and noticed that 240/241 were internal...
- also, is there a security problem with setting up a 3rd isolated switch, not the 3750(s) and plugging the LTM / FW's into it ? that's certainly the simplest solution
- I'd consider trunking the LTMs only on the external VLAN over a dedicated link, and leave the internal trunk in place on the existing switches:
/debfw fw |--------------| <<< trunk external vlan between LTMs ltm ltm | | switch---------switch <<< leave existing switch trunk in place | | | | | | | | | | servers servers - Ty__Trabosh_946Deb thanks for the input on that.
Thats what I was thinking of doing. One concern I thought of is that it will create a loop in the Layer two. The Vlan Group is what is part of my concern.
fw fw
|--------------| <<< trunk external vlan between LTMs Trunk (Vlan140 and 141)
ltm ltm
| | *****Dont forget VLAN Groups here Group1=140,240 Group2=(141,241)
switch---------switch <<< leave existing switch trunk in place Trunk (VLAN 240 and 241)
| | | | | | | | | |
servers servers
