Forum Discussion
New self IP
This is not problematic at all. You have three functions in play here: routing, PERMISSION to pass traffic, and translation. Let's take them one at a time.
Routing
Your route table will establish where BIG-IP sends traffic to next hops. It acts like any router does: connected networks establish routes by default, and any transit route will need to be defined (statically, or dynamically if you have that need and are licensed for it). One caveat: auto-last-hop. If this is enabled (and it is by default), traffic will be returned from where it came, so be aware if this is a security zone.
PERMISSION to pass traffic
This is where your virtual servers come into play. BIG-IP by default is a default-deny device; you have to explicitly allow traffic to flow. So traffic won't automatically flow between your internal zones even if routes are there. You need to configure it that way, and you can specify which VLANs are allowed to source traffic on each virtual server.
Translation
You can translate the traffic from zone to zone if you need to, but you don't have to. Some security postures don't want any routes established on servers in DMZs except to push all traffic north to a security boundary. So you may need to SNAT traffic between internal zones, but if routes to BIG-IP are allowed, then translation between internal zones may not be required.
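The three functions from the reply above, sketched as tmsh commands. This is an added example, not part of the original post; the VLAN names (`vlan_app`, `vlan_db`), object names and all 10.x addresses are constructed placeholders, and a forwarding (IP) virtual server is assumed as the way traffic is permitted between two internal zones.

```tmsh
# Constructed example: every name and address below is a placeholder.

# 1. Routing
# Connected networks get routes from their self IPs. A transit network
# behind another hop needs an explicit route.
create net route rt_db_backend network 10.30.0.0/24 gw 10.20.0.254

# Auto-last-hop (on by default) sends replies back to the hop the request
# arrived from instead of consulting the route table. On a VLAN that is a
# security zone, disabling it makes return traffic follow the route table.
modify net vlan vlan_db auto-lasthop disabled

# 2. Permission to pass traffic
# Nothing is forwarded until a listener allows it. This forwarding virtual
# server admits only traffic that arrives on vlan_app, comes from the app
# subnet, and is destined for the db subnet. Traffic from any other VLAN
# toward 10.20.0.0/24 finds no listener and is dropped.
create ltm virtual vs_fwd_app_to_db destination 10.20.0.0:any mask 255.255.255.0 source 10.10.0.0/24 ip-forward ip-protocol any profiles add { fastL4 } vlans-enabled vlans add { vlan_app } source-address-translation { type none }

# 3. Translation (optional)
# With "type none" the db servers see the real client address and need a
# route back to BIG-IP. If the servers may not carry such routes, SNAT the
# flow so replies return to a BIG-IP self IP on their own subnet.
modify ltm virtual vs_fwd_app_to_db source-address-translation { type automap }

# Review what the listener permits and how it translates.
list ltm virtual vs_fwd_app_to_db source vlans vlans-enabled source-address-translation
list net route rt_db_backend
list net vlan vlan_db auto-lasthop
```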