For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

gavin84_31753's avatar
gavin84_31753
Icon for Nimbostratus rankNimbostratus
Jan 04, 2018

Physical LTM migration to VE and design

Hello,   We are currently in the design phase of migrating off of BIG-IP 6900s to 1Gb-VEs. My question is regarding "collapsing" internal and DMZ functionality onto one single pair. Our existing...
LTM
security
Chris_Grant's avatar
Chris_Grant
Icon for Employee rankEmployee
Jan 04, 2018

Be aware that route domains is not a security feature. Route domains is simply a way to have the same IP exist on two VLANs on the same BigIP. There is no intrinsic problem with having internal and DMZ traffic on the same BigIP. It's certainly no worse than having the DMZ and internal networks on the same firewall.

 

If you aren't comfortable with the traffic from the internal and DMZ networks flowing over the same chips, then you will want additional BigIPs. If you're running them over VEs then it doesn't make any difference.

 

If you want additional separation you can add administrative partitions and place your DMZ objects and your internal objects in different partitions. This makes it much harder to make a mistake. You would then create your objects in the relevant partition.

 

This should help https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/3.html