Forum Discussion

Nimbostratus

Jan 04, 2018

Physical LTM migration to VE and design

Hello, We are currently in the design phase of migrating off of BIG-IP 6900s to 1Gb-VEs. My question is regarding "collapsing" internal and DMZ functionality onto one single pair. Our existing...

LTM

security

Chris_Grant

Employee

Jan 04, 2018

Be aware that route domains is not a security feature. Route domains is simply a way to have the same IP exist on two VLANs on the same BigIP. There is no intrinsic problem with having internal and DMZ traffic on the same BigIP. It's certainly no worse than having the DMZ and internal networks on the same firewall.

If you aren't comfortable with the traffic from the internal and DMZ networks flowing over the same chips, then you will want additional BigIPs. If you're running them over VEs then it doesn't make any difference.

If you want additional separation you can add administrative partitions and place your DMZ objects and your internal objects in different partitions. This makes it much harder to make a mistake. You would then create your objects in the relevant partition.

This should help https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/3.html

Forum Discussion

Physical LTM migration to VE and design

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Migration from physical Device 5000 series to F5 VE

Getting Started with BIG-IP Next: Migrating an Application Workload

Migrate configuration from physical LTM to virtual

F5 BIG-IP per application Red Hat OpenShift cluster migrations

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options