Forum Discussion

scarville
Sep 26, 2022

Restricting traffic between Vlans.

We have an F5 servicing our DMZ. It hosts the external IPs and acts as a router for the DMZ servers.

                                        +--- [ VLAN_2110 ]
[ Internet ] ---- [ F/W ] ---- [ F5 ] --+
                                        +--- [ VLAN_2310 ]

Recently a new requirement has emerged to keep one group of Vlans from talking to another group. For instance, VLAN_2110 and VLAN_2310 in the above sketch would not be allowed to talk to each other.

Can the F5 do this?

3 Replies

  • Hello scarville,

    From my perspective, the easiest way to achieve this is to configure two reject VS to deny the traffic between those vlans.

    1. Configure one reject VS listening on VLAN_2110 and use the IP range of VLAN_2310 as destination.

    2. Configure one reject VS listening on VLAN_2310 and use the IP range of VLAN_2110 as destination.


  • F5 is a default deny device, so inter-VLAN routing is denied out-of-the-box unless you explicitly allow it (using something like an IP forwarding Virtual Server).

    To prevent clients in a VLAN from accessing Virtual Servers on the "Internet" side potentially leading to servers in the other VLAN, you can configure the VS to listen only on the Internet VLAN. This is usually common practice.

    If the requirement is to have completely dedicated VRFs as well, you might want to take a look at the F5 Routing domain feature https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-11-6-0/8.html
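As an added example (not code from the thread or from F5), the script below generates the tmsh commands for the two-way reject virtual servers described in the first reply, generalised to two groups of VLANs rather than a single pair, and also the "listen only on the Internet VLAN" restriction the second reply recommends. VLAN names, subnets and virtual server names are constructed for illustration; the tmsh keywords (reject, vlans-enabled, vlans add/replace-all-with, ip-protocol any) are written from memory and should be checked against the TMOS version in use. Two things a practitioner should verify on their own box: the reject virtual must have a narrower destination than the wildcard forwarding virtual that routes the DMZ, because the BIG-IP selects the most specific destination first and only then the reject takes precedence; and a reject virtual actively rejects (TCP resets / ICMP unreachable) rather than silently dropping, which is visible to the source host.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5: emit the tmsh commands for
# (a) the two-way "reject virtual server" isolation from the first reply,
#     generalised to two groups of VLANs, and
# (b) pinning an Internet-facing virtual server to the Internet VLAN only,
#     as the second reply suggests.
# VLAN names, subnets and VS names are constructed (assumptions); the tmsh
# keywords are from memory and should be checked against the TMOS in use.

# One "VLAN subnet mask" line per VLAN (constructed addressing).
GROUP_A="VLAN_2110 10.21.10.0 255.255.255.0
VLAN_2120 10.21.20.0 255.255.255.0"
GROUP_B="VLAN_2310 10.23.10.0 255.255.255.0"

# reject_vs_cmd LISTEN_VLAN DEST_NET DEST_MASK
# Prints one tmsh command creating a reject virtual server that listens only
# on LISTEN_VLAN and matches any protocol and any port towards DEST_NET/MASK.
# Its destination is narrower than a 0.0.0.0/0 forwarding virtual, so the
# BIG-IP selects it first and the packet is rejected instead of routed.
reject_vs_cmd() {
    listen_vlan=$1 dest_net=$2 dest_mask=$3
    name="vs_reject_${listen_vlan}_to_$(printf '%s' "$dest_net" | tr . _)"
    printf 'tmsh create ltm virtual %s destination %s:any mask %s ip-protocol any reject vlans-enabled vlans add { %s }\n' \
        "$name" "$dest_net" "$dest_mask" "$listen_vlan"
}

# cross_reject LISTEN_GROUP DEST_GROUP
# For every VLAN in LISTEN_GROUP, emit a reject VS for every subnet in
# DEST_GROUP (one direction of the isolation).
cross_reject() {
    printf '%s\n' "$1" | while read -r lvlan _ _; do
        [ -n "$lvlan" ] || continue
        printf '%s\n' "$2" | while read -r _ dnet dmask; do
            [ -n "$dnet" ] || continue
            reject_vs_cmd "$lvlan" "$dnet" "$dmask"
        done
    done
}

# isolate_groups GROUP_A GROUP_B
# Both directions, i.e. steps 1 and 2 of the first reply, for every pair.
isolate_groups() {
    cross_reject "$1" "$2"
    cross_reject "$2" "$1"
}

# restrict_vs_to_vlan VS_NAME VLAN
# Prints a tmsh command that makes an existing virtual server listen on VLAN
# only, so DMZ hosts cannot reach it (and the servers behind it) from their
# own VLANs. The VS name and VLAN are assumed names.
restrict_vs_to_vlan() {
    printf 'tmsh modify ltm virtual %s vlans-enabled vlans replace-all-with { %s }\n' "$1" "$2"
}

# Dry run prints the commands; "apply" pipes them into a shell on the BIG-IP.
if [ "${1:-}" = "apply" ]; then
    { isolate_groups "$GROUP_A" "$GROUP_B"
      restrict_vs_to_vlan vs_web_external VLAN_INTERNET; } | sh
else
    isolate_groups "$GROUP_A" "$GROUP_B"
    restrict_vs_to_vlan vs_web_external VLAN_INTERNET
fi
```

Run it without arguments first and read the generated commands; with two VLANs in group A and one in group B it prints four reject virtuals (two listening on each A VLAN towards the B subnet, two listening on the B VLAN towards each A subnet) plus the one modify command. Only then run it with apply on the BIG-IP, and confirm with tmsh list ltm virtual that the reject virtuals show the expected vlans and that no pre-existing wildcard forwarding virtual has a more specific destination than they do.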