We are soon putting our newly purchased BIG-IP 3400's into production is a redundant configuration. I have used Cisco LB's before, and the inside interface where the servers are only supports one subnet. As we are using these LB's in a firewalled and highly secure environment, can we securely use the same LB pair for multiple DMZ's? Regards, Steve

Hi Steve, This is one of those areas where certain camps will say yes it's secure enough and other camps will say "not really". As a former government IT employee, I wouldn't put F5 LTMs on multiple DMZs, simply becasue they are not designed to be firewalls and were designed to bring networks together ala load balancing. Those are my 2 cents and I am sure others will come in with thiers. So I wecome anyone into this discussion.

We have a secure, firewalled hosting environment as well. I am using our BigIPs to do LB on several different applications in several DMZs. What I've done is isolate our BigIPs in their own DMZ and route to the subnets where our load balanced servers sit. I've had no problems with this setup either in terms of security or reliability. It also has the added bonus of making the BigIPs incredibly scalable. The one thing to keep in mind that is different than the Cisco load balancer in that you don't have the distinction of an outside and inside interface. You can have a single interface as the connection point and then just create vlans on the BigIP for your virtual servers. As long as routing is in place, all monitoring, proxying and load balancing can be done via a single interface. Let me know if you want more specific info on our setup and I will give you some tips, pointers and what not. Regards, Jacob

Steve, The short answer is yes, you can make this a secure solution. You will need to properly configure your VLANs and routing on your firewall and your VLANs, routing, and network forwarding Virtual Servers on your LTM to ensure that traffic from one DMZ routes back up to the firewall instead of directly via the LTM. Chris

Hi everyone, I'm new to the f5 scene, as this post will make obvious, and have searched for an answer to my question for a couple of hours before tagging this question onto a likely thread: sorry if it's misplaced. Tacking onto the above: we have a cluster of BIG-IP 6400s which have multiple VLANs on a single internal interface. The problem is that the boxes were purchased and set up with the VLANs "sold" as DMZs. Unfortunately the f5s route between the so called DMZs via the trunk interface, therefore making the whole setup unsafe. We are considering purchasing firewalls to put behind the f5s to separate the VLANs, which seems a little expensive. Thus to my question: is there an easy configuration which switches off all routing between VLANS on the same internal interface of the f5? If there is a more complicated way, could someone give me a pointer so that I can go and talk to our networkers (me, I'm just a project manager, so the answer I received that there's no way to switch of the routing or limit it simply stands unless I receive information to qualify it). As far as the boxes go, I'm pretty pleased with the result, but the possible purchase of additional firewalls certainly questions the economic viability of investing in further boxes. Best regards and thanks for all suggestions in advance les

I'll try and roll some feedback up in a way that will contribute to both questions in this thread. I'll not get into the "what is secure?" question, as this really depends on organizational/business policy at the end of the day. There are a couple of general configuration ideas that will hopefully help. First, a couple of points to address: 1) Does BigIP always route between multiple VLANS? No - this is a common misunderstanding. You can bind your configuration objects to specific VLANS to allow specific traffic flows. 2) Do I need to have a default route on the BigIP? No. BigIP has a feature called auto-lasthop that maps a request back out the same path as it came in. This can be extremely useful for scenarios like this. 3) Can I have multiple routes on the BigIP? Yes, using gateway pools. These three ideas combined can create some pretty flexible and powerful architectures, and it's an extremely useful design pattern to get familiar with. Here's a hypothetical example that will hopefully help clarify a potential use: -- You have 2 different segments for your virtual servers, on different IP blocks. We'll call these virtual servers VS_A and VS_B. -- You've got 2 different VLANS with servers in them. You don't want servers in VLAN A to talk to VLAN B, and you want these servers to go out different gateways (assuming you want to grant them outbound access). Here's One Way to Do It (assuming your vlans are all set up etc): Inbound traffic: -- Create your server pools for VLAN A and B. -- Create your virtual servers on their respective networks and bind them to specific vlans: VS_A binds to VLAN A, and VS_B binds to VLAN B. -- The VLAN bindings prevent hopping vlans through the box, and auto-lasthop will ensure that response traffic goes back out the same path it came in on. Outbound traffic (originating from the servers): -- Create two pools: one with VLAN A's gateway address, and one with VLAN B's gateway address. -- Create two "wildcard forwarding" virtual servers. Bind one 0.0.0.0 virtual server to VLAN A gateway pool A, the other 0.0.0.0 to VLAN B, gateway pool B. The nice bit here is that the gateways for VLAN A and B could be an upstream firewall with access policies, etc. - whatever fits your environment. So now you've got your major traffic flows covered and their paths enforced. Very handy! Hope it helps. -Matt

Using same LB for servers on multiple subnets

24 Replies

JRahm
Admin
Apr 24, 2009
All traffic needs a virtual server in order to traverse the BIG-IP, so traffic from INSIDE2 will be blocked until it is added as an enabled vlan to your existing forwarding virtual or you create a new one for it. Keep in mind this carries the potentially unintended consequence of allowing traffic between INSIDE and INSIDE2. If your forwarding virtual is 0.0.0.0/0, and you don't want the traffic between INSIDE and INSIDE2 to occur, you can create more specific virtual servers:

INSIDE/n disabled on INSIDE2

INSIDE2/n disabled on INSIDE
Josh_41258
Nimbostratus
Apr 24, 2009
I don't currently have any forwarding virtual server, which is why this confuses me. All traffic is going out the BIG-IP's default gateway without the forwarding server.
L4L7_53191
Nimbostratus
Apr 24, 2009
You've probably got a default SNAT defined, which actually behaves like a forwarding VS. Traffic sourced from the internal side will be allowed out and will be tagged with the egress self IP address of the BigIP on the way out.

-MC
Josh_41258
Nimbostratus
Apr 24, 2009
Correct.. all of my virtual servers are using the "Auto SNAT" SNAT pool. All traffic is tagged with the floating IP address of the pair.

I would probably continue to use Auto SNAT for the INSIDE2 vlan. However, I would specify at the VS level which VLAN to bind to.. INSIDE or INSIDE2. Do you see this as being a security risk? The VLAN binding should prevent the VLAN's from talking to one another, right?.. although they would be leaving via the same SNAT pool which could pose as a risk?

Thanks again.
Josh_41258
Nimbostratus
May 08, 2009
Is there a way to bind a pool to a specific VLAN? Or can I only bind the virtual server to a specific VLAN? I realize that binding the Virtual Server prevents them from talking to each other.. but what about the actual servers? Is there any mechanism in place to keep pool members from VLAN1 talking to pool members from VLAN2?

Thanks again!
dennypayne
Employee
May 08, 2009
There's not a way to bind pools or servers to a VLAN, but since the LTM is default deny, if you haven't configured a way for the pool members to talk to each other (via a forwarding virtual server or SNAT), then they shouldn't be able to.

Denny
Josh_41258
Nimbostratus
May 08, 2009
OK, thanks for the answer. I guess the most secure way to do things here, is to stop using Auto SNAT, and to configure separate SNAT pools for each VLAN. I see this as the only way to keep servers from both VLAN's going out the floating IP addresses (via Auto Snat), thus preventing chatter. Does this sound reasonable?
Josh_41258
Nimbostratus
Sep 23, 2009
Posted By L4L7 on 02/06/2009 7:02 AM

Outbound traffic (originating from the servers):

-- Create two pools: one with VLAN A's gateway address, and one with VLAN B's gateway address.

-- Create two "wildcard forwarding" virtual servers. Bind one 0.0.0.0 virtual server to VLAN A gateway pool A, the other 0.0.0.0 to VLAN B, gateway pool B.

The nice bit here is that the gateways for VLAN A and B could be an upstream firewall with access policies, etc. - whatever fits your environment.

So now you've got your major traffic flows covered and their paths enforced. Very handy!

Hope it helps.

-Matt

You can't assign a normal pool to IP forwarding virtual servers. Should this gateway pool be assigned as the "Last Hop" pool?

Josh
L4L7_53191
Nimbostratus
Sep 23, 2009
Good catch. Set it up as a "normal" 0.0.0.0:0 virtual server, and use the fastl4 profile with all protocols selected. Then bind it to your vlan in question and point it to a port 0 pool containing your router's IP address(es).

-Matt
Kevin_Bozman_15
Nimbostratus
Apr 20, 2015
Old Thread but I'm trying to do the same thing in 11.6 I need to have my forwarding virtual server traffic use a different route for egress traffic.

Is Josh correct in that you set the gateway pool under the "Last Hop"? And what is a "normal" virtual server. I assume Matt means a "Forwarding IP" VS

-Kevin