Forum Discussion

Valeghi
Nov 29, 2023

two different route domains for the vserver lan and pool lan


In order to reduce a possible attack from the internet where a remote client could enter the server LAN through the vserver IP and from there attack the private LANs, it was decided to separate the vserver LAN and the real nodes LAN through two different route domains in a parent-child relationship. I don’t understand how this can actually reduce the risk, since at the application level, you still get to the final servers, but I can clearly understand that it increases the complexity of configuration and troubleshooting on the F5 in case of problems. Also, the nodes are virtual machines and are accessed through trunk interfaces. In addition, the F5 is not directly connected to the internet, but behind a FW. I wanted to ask you if this can be considered a best practice for implementing F5 or not. Thank you in advance for any possible answer.

2 Replies

  • Valeghi, I have not seen this before, so I wouldn't assume it's best practice. As you stated, it adds a lot of complexity to the configuration that really doesn't need to be there. Typically someone cannot use the VS to enter the environment on anything other than the port and protocol that the VS is listening on, and if your servers are vulnerable on that port then the attacker is getting in either way, because that information is just passed on to the pool members associated with that VS. Now what I normally see is the F5 placed out of path in its own segment with SNAT enabled on all VSs, and then the servers are placed into their own subnets based on function, so web servers together, and DB servers together in their own segment. You do run into instances where SNAT can't be used, which causes an issue, and then you have to put the F5 in path with multiple segments off of it, and then you use other F5 modules such as AFM to reduce the security risk to each of those segments. Overall you can achieve additional security with other devices or just on the F5 with other modules rather than introducing your much more complex setup.
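As an added illustration of the layout the reply describes (the F5 out of path in its own segment, SNAT on every virtual server, pool members split into per-function subnets rather than into a parent/child route domain as in the question), here is a constructed tmsh configuration. It is not from the thread, from Valeghi, or from F5; every VLAN name, tag, interface, address and object name is an assumption chosen for the example, and the route-domain variant from the question is deliberately not configured (everything stays in the default route domain 0).

```tmsh
# Constructed example: single route domain (0), F5 out of path, SNAT on the VS.
# All names, tags, interfaces and addresses are assumptions, not from the thread.

# One VLAN for the F5's own segment (where the VS addresses live) ...
create net vlan vlan_ext interfaces add { 1.1 { untagged } } tag 100
# ... and one VLAN per server function, carried on a trunk-style tagged interface
create net vlan vlan_web interfaces add { 1.2 { tagged } } tag 200
create net vlan vlan_db  interfaces add { 1.2 { tagged } } tag 201

# Self IPs: allow-service none so the F5's own management/admin ports are not
# reachable through the data plane on any of these segments
create net self 192.0.2.10/24   vlan vlan_ext allow-service none
create net self 10.10.20.1/24   vlan vlan_web allow-service none
create net self 10.10.30.1/24   vlan vlan_db  allow-service none

# Default route toward the upstream firewall (the F5 is behind it, as in the question)
create net route default gw 192.0.2.1

# Pool of web servers in their own subnet; only the application port is pooled
create ltm pool pool_web members add { 10.10.20.11:443 10.10.20.12:443 } monitor https

# Virtual server: listens only on 443/TCP, only on the external VLAN, and SNATs
# client traffic so return traffic comes back through the F5 (out-of-path design).
# A client can only reach what this VS proxies: the pooled port, after the
# listed profiles, never the server subnet directly.
create ltm virtual vs_web destination 192.0.2.100:443 ip-protocol tcp \
    profiles add { tcp http clientssl serverssl } \
    pool pool_web \
    source-address-translation { type automap } \
    vlans add { vlan_ext } vlans-enabled

# Checks worth running after the change: confirm the VS is VLAN-restricted and
# SNAT is on, and that no self IP exposes services on the data plane
list ltm virtual vs_web vlans vlans-enabled source-address-translation
list net self allow-service

save sys config
```

The DB VLAN is intentionally left without a virtual server: nothing on the internet-facing segment has a path to it except whatever the web servers themselves initiate, which is the segmentation-by-function point the reply makes. If SNAT cannot be used (servers need the real client IP and the F5 must be the gateway instead), that is the in-path case where the reply suggests AFM rules per segment on the F5 or controls on another device.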