NimbostratusHi,
I have multipl zone like dmz1 and dmz2 and inside ,
If I want to load balance web servers from all these zones with one active /standby device ,
where should I keep the device (I mean which one )
How is the data plane ,control plane , Management plane works
What should be the ip addressing scheme
Please share any design
Thanks
EmployeeThe Management plane and the data plane are totally separate; data will never cross.
KB Link: https://support.f5.com/csp/article/K13284
-The standby device will be created as a HA pair, with Mac Masquerading, in the event of a network issue where all VLANs fail, the BIGIP will failover to the standby device. Traffic will be maintained by the Mac Masqueraded MAC address(Cisco term: HSRP), so traffic does not have to rebroadcast(ARP) to find an alternate route/path.
HA KB Link: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-12-1-0/4.html
& OR this KB: https://support.f5.com/csp/article/K14977
==============================
The following is only one example("50 thousand foot perspective"), with multiple layers of security via FW rules that can be configured. Unfortunately, it is difficult to architect out an idea for you. I also may have missed a few details of the text network layout, while multi-tasking other daily duties, ha!. It is best to work with your network team and System Infrastructure team to understand the network & application topology. I don't want to lead you in the wrong direction. :)
----------------------
BIGIP-DNS - "External" Perimeter DMZ DNS A/PTR Records
---DDOS profile configured globally
|
|
DMZ1 FW with IPS
|
|
BIGIP DMZ1 (public access)
-Self IPs
--Public VIP IP subnet(s)
--DMZ1 IP accessible application subnet(s)
--DMZ 2 VIP IP subnet(s)
"default route" to layer 3 gateway IP of DMZ core network or "DMZ 1 / DMZ2 FW" configured with a VSI
-The FW rules will allow or deny Layer 2 or 3 traffic based on the rules created.
|
|
DMZ1 / DMZ2 Core Router or Switch. ---switch-port or LACP port channel with a Layer 3 VSI(virtual switch interface)
|
|
DMZ1 / DMZ2 FW
--Fw configuration to restrict ports & interfaces("burbs") only allowed to DMZ2 & DMZ1 ingress/egress
|
|
BIGIP DMZ2
-Self IPs
--DMZ1 VIP IP subnet(s)
--DMZ 2 VIP IP subnet(s)
"default route" to DMZ 2 Layer 3 Core Router or Layer 2 Core or NAT that routes traffic that does not match your Self IPs
|
|
DMZ2 / Internal FW
--FW configuration to restrict ports & interfaces("burbs") only allowed to "Inside" & "DMZ2" ingress/egress
|
|
Internal BIGIP-DNS "Internal Only DNS records"
|
|
Inside BIGIP
Self IPs
--DMZ2 VIP IP subnet(s)
--Inside Network of applications IP subnet(s)
-"default route" to "Inside" Core Router or NAT that routes from the FW
DMZ Applications: 192.168.99/24
-VLAN 10
Internal Applications: 192.168.10/24
-VLAN 5
-DMZ1: 192.168.101.0/24
-VLAN 20
-DMZ2: 192.168.51.0/24
-VLAN 30
-Internal: 192.168.26.0/24
-VLAN 40
Switches
-DMZ1: 192.168.100.0/24
-switchport VLAN(s) 20 / 30 / public vlan
-DMZ2: 192.168.50.0/24
-switchport VLAN(s): 30/40
-Internal 192.168.25.0/24
Routers
-DMZ1: 192.168.100.2-15
-DMZ2: 192.168.50.2-15
-Internal: 192.168.25.2-15
NimbostratusHi,
Thank you for finding time from your daily tasks to answer the question
It would be great if you draw a rough diagram in a paper and upload here , So I do get better understanding
Thanks