For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MW1's avatar
MW1
Icon for Cirrus rankCirrus
Jun 05, 2009

Spanning tree/ connecting single LTM to 2 different redundant networks

All,

 

can someone give me some pointers on how to get from where I am currently to when I need to be per the below?

 

I have one LTM connected to a redundnant network (2 switches each with 2 interfaces on the LTM connected to them with all the VLAN's trunked in. LACP is configured and RSTP is on.

 

I've been requested to connect to the LTM on addtional interfaces to a completely seperate redundant network with a similar setup to above without letting traffic route between the two networks. I personally not overly happy about this from a security standpoint but can anyone with some switching knowledge enlighten me on how to get this achieved?

 

...just got the feeling I'lll end up either linking the spanning tree of the two networks and take them both out or destroy the world in some other fashion

 

thanks in advance for any help you can give

 

W60
config
design

3 Replies

  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Jun 08, 2009
    Hi W60,

     

    It's possible to connect to 2 separate and different network and not allow traffic to go through. The easiest way is use the LTMs packet filters or even irule that blocks any traffic from source to destination. Therefore not allowing traffic to traverse the F5 to reach the other side of the network. Other way is also fairly simple but less secure. I call this "Security by Ignorance" - simply no other routes to reach the other side of the network.

     

     

    Thanks,

     

    CB

     

     

  • MW1's avatar
    MW1
    Icon for Cirrus rankCirrus
    Jun 09, 2009
    Hi CB,

     

    thanks for the reply. I was actually trying to figure out more of the spanning tree config for the F5 and switches here as both networks are redundant (A/B switches in each network). It sounds like your settings work fine in single networks where spanning tree isn't an issue, which I might have to go for but currently I have the F5 connected to the A and B switch in the one network and ideally I need to connect the F5 LTM to the other network exactly the same so there would be 4 network links with the trunked in VLAN's connected to the F5, one going to the A switch of the existing network, one to the B switch of the existing, then additionally one link connected to the A switch of the new network and one to the B switch of the new network.

     

     

    As per currently I'm using LACP with rapid spanning tree however I'm concerned that trying to do exactly the same for the connections to the new network would mean the spanning tree of the two networks would 'see each other'. Its more of a routing and switching question than F5 LTM I guess.

     

     

    cheers

     

     

  • rajesh1's avatar
    rajesh1
    Icon for Nimbostratus rankNimbostratus
    Jun 10, 2009
    Do the following

     

    Configure the network devices with more prirority for the vlans defined on the LTM's

     

    On the interfaces connected to the F5 LTM's -

     

    1)enable rootguard - so the LTM's cant be the root

     

    2)Disable bpduguard on the interfaces (If you enable on the devices globally

     

    IN LTM

     

    From the spanning tree options select the RSTP.

     

    In the interface -

     

    you need to enable the spanning tree .

     

    STP link type - p2p

     

    Uncheck(disable) the STP egdeport ans STP edgeport detection

     

    once you are done - you will see a forwarding and blocking(alternate) in the LTM

     

    Regards,

     

    Rajesh