Forum Discussion

Jan 30, 2015

Network Topology Assistance

More and more I am coming across network topologies that don't fit the traditional 1-arm or 2-arm design. I am seeing more "nontraditional deployments" that make me think twice about the best practices. I am going to highlight two situations I came across recently and I hope to get your thoughts.

Topology 1 - LTM to deliver applications in both the DMZ and the Internal networks

EXT | FW---DMZ (F5%1 - 2 vlans) | INT (F5%2 - 2 vlans)

Assume a firewall separating these 3 different zones. The easy solution is to deploy a LTM in each zone and call it a day, but these things ain't cheap.

Traffic flow to DMZ pool from EXT: Public IP (NAT on FW) -> VIP on F5%1 in DMZ (VLAN 1) -> LB to server on F5%1 in DMZ (VLAN 2)

Traffic flow to DMZ pool from INT: Private IP (NAT on FW) -> VIP on F5%1 in DMZ (VLAN 1) -> LB to server on F5%1 in DMZ (VLAN 2)

Traffic flow to DMZ pool from DMZ: VIP on F5%1 in DMZ (VLAN 1) -> LB to server on F5%1 in DMZ (VLAN 2)

Traffic flow to INT pool from EXT: Public IP (NAT on FW) -> VIP on F5%2 in INT (VLAN 3) -> LB to server on F5%2 in INT (VLAN 4)

Traffic flow to INT pool from DMZ: Private IP (NAT on FW) -> VIP on F5%2 in INT (VLAN 3) -> LB to server on F5%2 in INT (VLAN 4)

Traffic flow to INT pool from INT: VIP on F5%2 in INT (VLAN 3) -> LB to server on F5%2 in INT (VLAN 4)

2 route domains with 4 vlans

Topology 2 - LTM to deliver applications in the Internal network with the LTM in the DMZ. VIP in DMZ, servers on INT (The servers cannot be moved to the DMZ)

EXT | FW---DMZ (F5 - 1 vlan) | INT (F5 - 1 vlan)

Assume a firewall separating these 3 different zones. This one troubles me because if the traffic comes into the VIP on the DMZ through the firewall, it should have to go back through the firewall to get to the INT pool members (Option 2), rather than going direct to the directly connected INT network.

Traffic flow to INT pool from EXT:

Option 1: Public IP (NAT on FW) -> VIP on F5%1 in DMZ (VLAN 1) -> LB to server on F5%2 in INT (VLAN 2)

or:

Option 2: Public IP (NAT on FW) -> VIP on F5%1 in DMZ (VLAN 1) -> Route through firewall to get to INT pool (VLAN 2)

0 route domains with 2 vlans

Thanks in advance.

 

2 Replies

  • Hi Erich,

    Would it be entirely possible to take all this information and present it in a visual diagram (like Visio)? It's much easier for us to look at it visually and help you from there.

    -=Bhattman=-


  • Hi Erich,

    a diagram would be great.

    Using routing domains to isolate the different security zones is a common and proven approach and available since TMOS v10.

    By default the routing domains are "isolated" and there is no cross-traffic allowed. And I would leave it this way.

    That's why traffic from one security zone to another will always have to pass the firewall. And from my perspective this is the only clean approach to track and control traffic.

    Defining a virtual server in a different route domain as a resource (as pool member with "local" routing domain index) to be reached via firewall as next hop is absolutely fine from my perspective.

    I recently deployed it this way for a client on TMOS v11.5.1.

    Thanks, Stephan
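As an added illustration (not from the thread and not F5's documentation), the following tmsh commands show what the route-domain design discussed in the replies could look like for both topologies from the question: one strictly isolated route domain per security zone for Topology 1, and for Topology 2 a DMZ virtual server whose pool members are the internal servers written with the DMZ route-domain index so that the connection leaves via the firewall rather than the directly connected INT VLAN. Every VLAN name, tag, interface, address and object name is an assumed value; it also assumes the firewall's DMZ and INT interfaces are the default gateways of the respective route domains, and that SNAT automap is acceptable for the internal servers (it is what keeps the return path symmetric through the firewall).

```tmsh
# Added example only: assumed names, tags, interfaces and addresses throughout.

# --- VLANs: two per zone, VIP-facing and server-facing (Topology 1) ---
create net vlan dmz_vip interfaces add { 1.1 { tagged } } tag 101
create net vlan dmz_srv interfaces add { 1.1 { tagged } } tag 102
create net vlan int_vip interfaces add { 1.2 { tagged } } tag 201
create net vlan int_srv interfaces add { 1.2 { tagged } } tag 202

# --- One route domain per security zone, strict isolation kept enabled ---
# "strict enabled" is the default. It is what prevents TMOS from forwarding
# between %1 and %2 internally, so any zone crossing has to leave the box
# and pass the firewall.
create net route-domain dmz id 1 strict enabled vlans add { dmz_vip dmz_srv }
create net route-domain int id 2 strict enabled vlans add { int_vip int_srv }

# --- Self IPs (no management services on them) ---
create net self 10.10.1.5%1 address 10.10.1.5%1/24 vlan dmz_vip allow-service none
create net self 10.10.2.5%1 address 10.10.2.5%1/24 vlan dmz_srv allow-service none
create net self 10.20.1.5%2 address 10.20.1.5%2/24 vlan int_vip allow-service none
create net self 10.20.2.5%2 address 10.20.2.5%2/24 vlan int_srv allow-service none

# --- Per-route-domain default routes, each pointing at the firewall's
#     interface in that zone (assumed firewall addresses) ---
create net route default_dmz network default%1 gw 10.10.1.1%1
create net route default_int network default%2 gw 10.20.1.1%2

# --- Topology 1: VIP and pool entirely inside each zone ---
create ltm pool dmz_web_pool members add { 10.10.2.11%1:80 10.10.2.12%1:80 } monitor http
create ltm virtual dmz_web destination 10.10.1.100%1:80 ip-protocol tcp pool dmz_web_pool profiles add { tcp http } source-address-translation { type automap }

create ltm pool int_app_pool members add { 10.20.2.11%2:8080 10.20.2.12%2:8080 } monitor http
create ltm virtual int_app destination 10.20.1.100%2:80 ip-protocol tcp pool int_app_pool profiles add { tcp http } source-address-translation { type automap }

# --- Topology 2: VIP in the DMZ zone, servers in the internal zone ---
# The pool members carry the INT server addresses but the DMZ route-domain
# index (%1). They are not on any %1 VLAN, so TMOS follows default%1 and hands
# the packets to the firewall, which routes them into the internal network.
# SNAT automap makes the servers answer to the DMZ self IP, so the reply also
# crosses the firewall instead of bypassing the LTM.
create ltm pool int_via_fw_pool members add { 10.20.2.11%1:8080 10.20.2.12%1:8080 } monitor http
create ltm virtual dmz_to_int destination 10.10.1.101%1:80 ip-protocol tcp pool int_via_fw_pool profiles add { tcp http } source-address-translation { type automap }

# --- Checks: confirm isolation is still strict, the %1 default route exists,
#     and the monitor reaches the internal members through the firewall ---
list net route-domain dmz strict
list net route default_dmz
show ltm pool int_via_fw_pool members
```

The check at the end is the part worth keeping in a change record: if the `int_via_fw_pool` members show as up, the firewall is passing both the monitor and the proxied traffic between the two zones, which is exactly the path the question's Option 2 asks for; if they stay down while `int_app_pool` is up, the firewall rule between the DMZ self IP and the internal servers is the first thing to look at.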