
Big ip network design

sims
Nimbostratus

Hi,

 

I have multiple zones like dmz1 and dmz2 and inside.

 

If I want to load balance web servers from all these zones with one active/standby device,

where should I keep the device (I mean in which one)?

How do the data plane, control plane and management plane work?

What should the IP addressing scheme be?

Please share any design

Thanks

2 REPLIES

Shaun_Simmons
F5 Employee

The Management plane and the data plane are totally separate; data will never cross.

KB Link: https://support.f5.com/csp/article/K13284

- The standby device will be created as an HA pair with MAC Masquerading; in the event of a network issue where all VLANs fail, the BIG-IP will fail over to the standby device. Traffic will be maintained by the masqueraded MAC address (Cisco term: HSRP), so traffic does not have to rebroadcast (ARP) to find an alternate route/path.

HA KB Link: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-12-1-0/4.h...

& OR this KB: https://support.f5.com/csp/article/K14977

 

==============================

The following is only one example ("50 thousand foot perspective"), with multiple layers of security via FW rules that can be configured. Unfortunately, it is difficult to architect out an idea for you. I also may have missed a few details of the text network layout while multi-tasking other daily duties, ha! It is best to work with your network team and System Infrastructure team to understand the network & application topology. I don't want to lead you in the wrong direction. 🙂

----------------------

BIGIP-DNS - "External" Perimeter DMZ DNS A/PTR Records
  --- DDoS profile configured globally
   |
DMZ1 FW with IPS
   |
BIGIP DMZ1 (public access)
  - Self IPs
    -- Public VIP IP subnet(s)
    -- DMZ1 IP accessible application subnet(s)
    -- DMZ2 VIP IP subnet(s)
  - "default route" to layer 3 gateway IP of DMZ core network or "DMZ1 / DMZ2 FW" configured with a VSI
  - The FW rules will allow or deny Layer 2 or 3 traffic based on the rules created.
   |
DMZ1 / DMZ2 Core Router or Switch --- switch-port or LACP port channel with a Layer 3 VSI (virtual switch interface)
   |
DMZ1 / DMZ2 FW
  -- FW configuration to restrict ports & interfaces ("burbs") only allowed to DMZ2 & DMZ1 ingress/egress
   |
BIGIP DMZ2
  - Self IPs
    -- DMZ1 VIP IP subnet(s)
    -- DMZ2 VIP IP subnet(s)
  - "default route" to DMZ2 Layer 3 Core Router or Layer 2 Core or NAT that routes traffic that does not match your Self IPs
   |
DMZ2 / Internal FW
  -- FW configuration to restrict ports & interfaces ("burbs") only allowed to "Inside" & "DMZ2" ingress/egress
   |
Internal BIGIP-DNS "Internal Only DNS records"
   |
Inside BIGIP
  - Self IPs
    -- DMZ2 VIP IP subnet(s)
    -- Inside Network of applications IP subnet(s)
  - "default route" to "Inside" Core Router or NAT that routes from the FW

 

  • If you have a /24 Internal Subnet, i.e. 192.168.0.0/16, you could "carve" up the /16 into smaller networks to separate subnets for applications, users, switches, routers, FWs; the same should be done for VLANs.

DMZ Applications: 192.168.99/24
  - VLAN 10
Internal Applications: 192.168.10/24
  - VLAN 5
- DMZ1: 192.168.101.0/24
  - VLAN 20
- DMZ2: 192.168.51.0/24
  - VLAN 30
- Internal: 192.168.26.0/24
  - VLAN 40

Switches
- DMZ1: 192.168.100.0/24
  - switchport VLAN(s) 20 / 30 / public vlan
- DMZ2: 192.168.50.0/24
  - switchport VLAN(s): 30 / 40
- Internal: 192.168.25.0/24

Routers
- DMZ1: 192.168.100.2-15
- DMZ2: 192.168.50.2-15
- Internal: 192.168.25.2-15
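As an added illustration (not code from the reply above or from F5), here is the DMZ1 BIG-IP's slice of the addressing plan above, checked for overlapping subnets, duplicate VLAN tags, self IPs outside their VLAN and a gateway on no self-IP subnet, and then rendered as tmsh commands. The self IP host numbers, gateway, VLAN names and masquerade MAC are assumed values, and the tmsh syntax is assumed from F5's documentation rather than taken from this page; check it against your TMOS version.

```python
import ipaddress

# Constructed from the DMZ1 rows of the plan above (VLAN tag -> subnet).
# Self IP host numbers (.11) and the gateway (.1) are assumed, not from the page.
DMZ1_PLAN = {
    "vlan_dmz1": {"tag": 20, "subnet": "192.168.101.0/24", "self_ip": "192.168.101.11"},
    "vlan_dmz2": {"tag": 30, "subnet": "192.168.51.0/24", "self_ip": "192.168.51.11"},
    "vlan_dmz_apps": {"tag": 10, "subnet": "192.168.99.0/24", "self_ip": "192.168.99.11"},
}
DEFAULT_GW = "192.168.101.1"  # assumed: layer 3 VSI on the DMZ core, inside the DMZ1 subnet


def validate_plan(plan, gateway):
    """Return a list of problems found in the plan (empty list means it is consistent)."""
    problems = []
    nets = {name: ipaddress.ip_network(v["subnet"]) for name, v in plan.items()}
    names = list(nets)
    # Overlapping subnets on one box make routing and self-IP selection ambiguous.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    tags = [v["tag"] for v in plan.values()]
    if len(tags) != len(set(tags)):
        problems.append("duplicate VLAN tag")
    # Each self IP must sit inside the subnet of the VLAN it is bound to.
    for name, v in plan.items():
        if ipaddress.ip_address(v["self_ip"]) not in nets[name]:
            problems.append(f"self IP of {name} is outside {v['subnet']}")
    # The default gateway must be reachable through one of the self-IP subnets.
    gw = ipaddress.ip_address(gateway)
    if not any(gw in n for n in nets.values()):
        problems.append("default gateway is not on any self-IP subnet")
    return problems


def tmsh_commands(plan, gateway, masquerade_mac="02:01:d7:00:00:01"):
    """Render tmsh commands for the plan (syntax assumed; the MAC is a locally
    administered placeholder). Self IPs get port lockdown 'none' so the data
    plane offers no services on the self IP itself."""
    cmds = []
    for name, v in plan.items():
        prefix = ipaddress.ip_network(v["subnet"]).prefixlen
        cmds.append(f"create net vlan {name} tag {v['tag']}")
        cmds.append(f"create net self {v['self_ip']}/{prefix} vlan {name} allow-service none")
    cmds.append(f"create net route default gw {gateway}")
    cmds.append(f"modify cm traffic-group traffic-group-1 mac {masquerade_mac}")
    return cmds
```

Run `validate_plan` before `tmsh_commands`; an empty problem list is the go-ahead to render, and the same pair of functions applies unchanged to the DMZ2 and Inside BIG-IPs with their own rows from the plan.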


sims
Nimbostratus

Hi,

Thank you for finding time from your daily tasks to answer the question.

 

It would be great if you could draw a rough diagram on paper and upload it here, so I get a better understanding.

 

Thanks