Forum Discussion
Jnon
Nimbostratus
Jan 18, 2013
VLAN isolation
Currently we have several VLANs configured behind the F5 for each application, and we are not using SNAT. I have a need, for security reasons, to secure VLANs from one another. I have looked into the routing domains, but I'm hoping there is a better solution available in v10 to secure VLANs. I do not have the ASM module, and I'm not sure it would provide that level of security, but I would consider that as an option.
Any comments would be appreciated.
9 Replies
What_Lies_Bene1
Cirrostratus
Could you clarify what you mean by 'secure VLANs' please? Do you mean simply that you want to prevent hosts on one VLAN communicating with hosts on another? If so, this is the default behavior; as long as you don't have a routing VS set up and your VSs and any NATs/SNATs are not enabled on those VLANs, no traffic will pass between them.
nitass
Employee
"If so, this is the default behavior; as long as you don't have a routing VS set up and your VSs and any NATs/SNATs are not enabled on those VLANs, no traffic will pass between them."
I think it might not be applicable because the virtual server, for example, is enabled on the incoming VLAN. That means we might not be able to control the outgoing VLAN if a route exists. I do not have any idea which is simple and effective besides route domains.
Just my 2 cents.
What_Lies_Bene1
Cirrostratus
That's a fair and important point. I guess it'll all come down to the requirements and type of environment.
Jnon
Nimbostratus
Yes, I am referring to keeping hosted VLANs (pool members) from being able to route to a pool member of another VLAN. You can telnet from a pool member in VLAN_100 to pool members in VLAN_200. I would like to secure that without the use of routing domains.
What_Lies_Bene1
Cirrostratus
OK, well, that should only be possible if you have some sort of routing wildcard Virtual Server set up on the BIG-IP. Do you?
If you do and it can't be removed, I'd recommend using Packet Filters to prevent this traffic flow.
If you don't, is the traffic being routed by some other device? An L3 switch or router?
Jnon
Nimbostratus
The LTM is the layer 3 for these VLANs. I do not have an any:any listener, if that's what you mean by a wildcard VS. So you're saying the default behavior is for the servers to not route from VLAN to VLAN? I was under the assumption that if the LTM was the layer 3 device for the VLANs, the routing table of the LTM would route to any hosts on any VLAN, and I have tested this to be the case.
Laudec_55181
Altostratus
LTM does not forward traffic from one VLAN to another, unless you specify a forwarding VS that enables it between VLANs. LTM is a deny-all device; it won't allow traffic to pass through unless you create listeners that allow for it.
The_Bhattman
Nimbostratus
Yes, but if your forwarding VS happens to be a wildcard, then it pretty much has access anywhere.
hoolio
Cirrostratus
It could be a default SNAT that's passing traffic across VLANs. Or a forwarding virtual server on any destination address/network the clients are using.
Aaron
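The replies above boil down to one audit: a wildcard forwarding virtual server (destination 0.0.0.0) is what lets a pool member on one VLAN be routed to another, and restricting its source or the VLANs it listens on does not stop that, because the destination is still resolved against the BIG-IP routing table. The script below is an added example, not from this thread or from F5; it parses a constructed bigip.conf-style (tmsh, v11+ syntax) snippet and flags every such virtual with the VLANs it listens on. The stanza names and addresses are made up.

```python
import re

# Constructed sample in tmsh (bigip.conf, v11+) syntax; not taken from the thread.
SAMPLE_CONFIG = """
ltm virtual /Common/app1_https {
    destination /Common/10.1.100.10:443
    pool /Common/app1_pool
    vlans { /Common/vlan_external }
    vlans-enabled
}
ltm virtual /Common/fwd_any {
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    vlans-disabled
}
ltm virtual /Common/fwd_vlan100_only {
    destination /Common/0.0.0.0:0
    ip-forward
    source 10.1.100.0/24
    vlans { /Common/vlan_100 }
    vlans-enabled
}
"""
STANZA_RE = re.compile(r"ltm virtual (\S+) \{(.*?)\n\}", re.S)

def parse_virtuals(config):
    """Map each 'ltm virtual' stanza name to its body text."""
    return {m.group(1): m.group(2) for m in STANZA_RE.finditer(config)}

def is_wildcard(body):
    """True when the destination is 0.0.0.0, i.e. any IPv4 address (port ignored)."""
    m = re.search(r"destination (?:/\S+?/)?([\d.]+):\S+", body)
    return m is not None and m.group(1) == "0.0.0.0"

def listening_vlans(body):
    """VLANs the VS accepts traffic on: 'all' unless vlans-enabled with a list.
    vlans-disabled plus a list means every VLAN except those, still cross-VLAN."""
    if "vlans-enabled" not in body:
        return "all"
    m = re.search(r"vlans \{(.*?)\}", body, re.S)
    return m.group(1).split() if m else []

def audit_cross_vlan(config):
    """Flag wildcard forwarding virtuals: a host on any VLAN they listen on can be
    routed to any other VLAN in the BIG-IP routing table, whatever the source filter."""
    return [(name, listening_vlans(body))
            for name, body in parse_virtuals(config).items()
            if "ip-forward" in body and is_wildcard(body)]
```

A default SNAT with a 0.0.0.0/0 origin, as hoolio notes, opens the same path and would need an equivalent check on the `ltm snat` stanzas.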