Forum Discussion
Routing isolation with vlans
Looking for a little help here. I have this design I need to set up on our LTMs (11.3HF8) and am a bit stuck on routing. On the LTM front side, coming from a Cisco ASA trunk, are multiple DMZ VLANs (dot1q) going to VLANs behind the LTM. I need to make sure that each VLAN behind the LTM routes back up to the ASA and then back down to the LTM so that it hits any ACLs. Basically, I can't have a back-end VLAN going to another VLAN using the F5 without routing up through the ASA first.
8 Replies
- Eric_27403
Nimbostratus
Also each LTM has a failover LTM (not shown) and is set up as active/standby.

Hi!
We have solved this by using virtual forwarding servers that only listen to the VLAN we want them to.
To create a forwarding virtual server for, e.g., VLAN 633:
- Create virtual server.
- Set type Forwarding.
- Destination: Network, Network address + Mask
- Replace the default value of listening to all VLANs to only listen to the external VLAN.
Now, provided that your default route goes to the ASA, the F5 would forward all internal traffic hitting the internal interfaces to the ASA according to its routing table.
Note that you need one forwarding server per VLAN and that the external forwarding server would have to listen to all internal VLANs.
/Patrik
- Eric88_149306
Nimbostratus
So a VFS for each VLAN, but I can't use a default route, as that would use only one interface when there are more than one on the external?
Then you can create a FastL4 virtual server for each outgoing VLAN and route, and make it listen only to the internal VLANs that are supposed to use this particular route.
Maybe not the best explanation, but do you understand what I mean?
/Patrik
- Eric88_149306
Nimbostratus
you wouldn't happen to have a sample config of these VS's by chance?
Sure, here you go:
Pool containing the fw:

    ltm pool /Routing/FW-10.10.13.1 {
        members {
            /Common/ENV-FW_VLAN13:0 {
                address 10.10.13.1
            }
        }
        monitor /Common/gateway_icmp
    }

The "Virtual Router" for "outbound traffic". Listens to all internal VLANs and forwards traffic on to the firewall:

    ltm virtual /Routing/VirtualRouter13 {
        destination /Routing/any:0
        mask any
        pool /Routing/FW-10.10.13.1
        profiles {
            /Routing/fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            /Common/VLAN30
            /Common/VLAN60
            /Common/VLAN70
            /Common/VLAN80
            /Common/VLAN90
            /Common/VLAN100
            /Common/VLAN150
        }
        vlans-enabled
    }

Forwarding for internal VLANs for "inbound" traffic:

    ltm virtual /Routing/virtualrouter-30 {
        destination /Routing/10.10.30.0:0
        ip-forward
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            /Common/fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            /Common/VLAN13
        }
        vlans-enabled
    }

VLAN13 in this example is the external VLAN, and VLAN30 is an internal VLAN. We have one forwarding server for each VLAN. Any inter-VLAN communication passes through the firewall. Forgot to remind you to disable port and address translation for the FastL4.
Sorry about that. 🙂
/Patrik
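As an added example, not Patrik's or F5's own configuration: a POSIX shell script that emits the tmsh commands for this design from a list of internal VLANs, so the per-VLAN forwarding servers are generated rather than typed by hand. It assumes the partition, VLAN names, subnets and firewall address shown (all constructed), uses each subnet's network mask (the posted inbound VS carries a host mask, which matches only the single address 10.10.30.0), and sets ip-protocol any so UDP and ICMP are forwarded as well as TCP.

```shell
#!/bin/sh
# Added example (not from the thread or F5): generate the tmsh commands
# for "one forwarding VS per internal VLAN, listening only on the external
# VLAN" plus one outbound FastL4 VS that hands everything to the firewall.
# Every name, subnet and address below is a constructed placeholder.
PARTITION=/Routing              # assumed partition, as in the posted config
EXT_VLAN=/Common/VLAN13         # VLAN that faces the ASA
FW_ADDR=10.10.13.1              # ASA address used as the outbound next hop
# Constructed list, one "<vlan> <network> <netmask>" per internal VLAN.
INTERNAL_VLANS='/Common/VLAN30 10.10.30.0 255.255.255.0
/Common/VLAN60 10.10.60.0 255.255.255.0'

# Inbound: a forwarding VS for one internal subnet. Because it listens only
# on EXT_VLAN, a host in another internal VLAN cannot reach this subnet
# through the LTM; its packets must first go up to the ASA and its ACLs.
inbound_vs() {  # $1 vlan  $2 network  $3 netmask
  short=$(printf '%s' "$1" | sed 's#.*/##' | tr 'A-Z' 'a-z')
  printf 'tmsh create ltm virtual %s/fwd-%s destination %s/%s:0 mask %s ip-forward ip-protocol any profiles add { /Common/fastL4 } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans add { %s } vlans-enabled\n' \
    "$PARTITION" "$short" "$PARTITION" "$2" "$3" "$EXT_VLAN"
}

# Outbound: the firewall pool and a wildcard FastL4 VS enabled on every
# internal VLAN, so all traffic from inside is handed to the ASA.
outbound_vs() {
  vlist=$(printf '%s\n' "$INTERNAL_VLANS" | awk '{print $1}' | tr '\n' ' ')
  printf 'tmsh create ltm pool %s/FW-%s members add { %s:0 } monitor gateway_icmp\n' \
    "$PARTITION" "$FW_ADDR" "$FW_ADDR"
  printf 'tmsh create ltm virtual %s/VirtualRouter destination %s/any:0 mask any pool %s/FW-%s profiles add { /Common/fastL4 } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans add { %s} vlans-enabled\n' \
    "$PARTITION" "$PARTITION" "$PARTITION" "$FW_ADDR" "$vlist"
}

# Emit all commands: one inbound VS per VLAN, then the outbound path.
generate_all() {
  printf '%s\n' "$INTERNAL_VLANS" | while read -r vlan net mask; do
    [ -n "$vlan" ] && inbound_vs "$vlan" "$net" "$mask"
  done
  outbound_vs
}

generate_all
```

Review the output before piping it into tmsh on the LTM and saving the config; with only the outbound VS enabled on the internal VLANs, every internal-to-internal flow has to leave through the ASA and pass its ACLs.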
- TSMITOps_164434
Nimbostratus
After numerous threads, finally one that explains exactly what I needed. As a side note for people who might be searching for this: besides what's mentioned above, you need a floating self IP if you're running the F5s in HA mode, and a route from your firewall/router (depending on where you're doing L3 routing) pointing to the F5's self IP.
After that, follow the exact steps above and it'll work like a charm.
Thanks a lot Patrik!
- I live to serve. :)
/Patrik