Forum Discussion

zafer
Jul 30, 2009

L2 port security

Hi,

I want to make a secure port on the BIG-IP; the Cisco term for this is PVLAN (private VLAN).

Like this:

I have 1 internal VLAN and have assigned ports 1.1 and 1.2 to this VLAN.

The ports communicate with each other at the switch fabric level, but I don't want this. How can I block traffic between ports 1.1 and 1.2?

Regards

zafer

9 Replies

  • Hi Zafer,

    Maybe I'm misunderstanding, but if you want to add two ports to the same VLAN, wouldn't you expect that the traffic would be mixed between the two ports? If you want isolation of the traffic on the two ports, why not add them to separate VLANs?

    By default LTM won't route between different VLANs.

    Aaron
  • Private VLANs offer the ability to provide another layer of access control, such as in a DMZ environment, where all the web servers might be in the same VLAN, but you don't want them to be able to talk to each other. The LTM doesn't have this capability. That said, you could build packet filters to disallow traffic at the L3/L4 level between hosts on a VLAN if all their traffic flows through the LTM (i.e., they're both directly connected to the switch plane). If they aren't directly connected, intra-VLAN traffic won't flow to the LTM anyway. I've always used access switches for this kind of control, where there are quite a few more L2 tricks available.
  • Thanks for the info, Citizen. I didn't get the use case.

    Aaron
  • zafer

    The application and DB servers are on the same subnet, and we want to send the traffic to the firewall to monitor it and block or accept it.

    For this reason you can do PVLAN, so they cannot talk to each other, but we have multiple Cisco switches and the servers are on different switches.

    At this time:

    host A 1.1.1.1 connected to switch1

    host B 1.1.1.2 connected to switch2

    Cisco has PVLAN, so they cannot talk directly, but each switch is connected to the BIG-IP and the BIG-IP does not touch the traffic. They are on the same VLAN. When I opened tcpdump I don't see anything.

    The traffic passes at the switch fabric level.

    For the solution I created multiple VLANs, one for each port, and put them in a VLAN group.

    Why I configured it like this: if I see the traffic at the TMM level I can block it, but it is still being switched at the L2 level.

    The packets did not hit the 0.0.0.0/0 L2 or L3 VIP.

    zafer

     

  • Can you provide a drawing of what you're trying to accomplish? I'm not sure I follow what you're saying. For the LTM to receive traffic from your PVLAN hosts, it will need to be connected as a promiscuous port, since your two hosts are (I assume) configured in isolation mode. I personally prefer the VACL approach for controlling intra-subnet traffic for two reasons: 1) configuration is straightforward, making it easy to troubleshoot, and 2) there are some serious holes in PVLAN from a security perspective.
  • If I understand correctly, I think the best way to accomplish what you want is to use forwarding virtual servers with gateway pools that point to your firewall for policy enforcement. I've used this design with success in the past. Note that this is L3 and up. If you're binding multiple VLANs to your port you won't get crosstalk across VLANs with this design, so VLAN hopping will be avoided.

    Also, I'd avoid VLAN groups, as a matter of preference.

    -Matt
  • zafer

    Hello,

    I attached the topology.

    VIP 0.0.0.0/0.0.0.0:0 with an iRule (check the IP subnets against the VLAN ID, then send to the firewall, else forward)

    1.14 in the external VLAN

    1.1 and 1.2 in the internal VLAN (the problem is here)

    host A and host B in the same network, 192.168.254.0/24

    In this topology host A can access host B (if they have no specific route); they have a default gateway and it is the BIG-IP.

    When I look at tcpdump I don't see any packets, because the BIG-IP forwards the packets between 1.1 and 1.2 at the switch fabric level.

    I moved switch 2 behind switch 1 with only port 1.1 active on the BIG-IP and everything is fine, but we don't want to move all the switches behind one switch.

    Another option:

    I tested a VLAN group like this:

    1.1 on VLAN A

    1.2 on VLAN B

    vlangroup = VLAN A + VLAN B, then created proxy exclusions, etc.

    Then I can see the packets when I open tcpdump, but this traffic does not hit the L3 VIP; I also tried an L2 VIP and it still does not hit.

    Any idea?

    zafer

  • Is there a trunk between S1 and S2? Can you mirror packets from S1 and/or S2 to a laptop with Wireshark on it so you can see if the packets are leaving the switches and heading for the BIG-IP ports? If host A and host B are in the same subnet, why would a route impact their ability to connect to each other directly?

    I'd remove as much extra configuration as possible surrounding this architecture so you can get it working, then add the other stuff back one at a time. I second L4L7's suggestion to avoid the VLAN groups if possible.
  • zafer

    Hi Citizen,

    I found a solution and it worked.

    The solution: create multiple VLANs, one for each port, then assign all the VLANs to the VLAN group. At this point we can see the packets with tcpdump, but they don't hit the 0.0.0.0/0 VIP.

    L2 forwarding is still working in TMM, but the traffic does not hit the L3 VIP. I found the bigdb command and we can disable L2 forwarding. After this setting all packets go to the L3 VIP and I can forward them to the firewall or drop them.

    That's the solution; it works.

    Regards

    Zafer
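The following is an added tmsh configuration sketch, not from the thread, from F5 documentation, or from any of the posters; it shows the shape of Matt's "forwarding virtual server with a gateway pool" design laid on top of zafer's "one VLAN per port, all in a VLAN group" layout. The object names, the interface numbers 1.1 and 1.2, the firewall address 192.168.254.254 on the hosts' 192.168.254.0/24 subnet, and the profile and monitor choices are all assumptions. zafer does not name the bigdb key he used; the key written below is the VLAN group forwarding override as I remember it and must be checked against the BIG-IP version in use (for example with `list sys db vlangroup` in tmsh) before relying on it.

```tmsh
# Added example, not part of the original thread. All names/addresses are assumed.

# One VLAN per physical port, so the two hosts never share an L2 domain on the BIG-IP
# and the switch fabric has no chance to bridge 1.1 <-> 1.2 behind TMM's back.
create net vlan vlan_port1_1 interfaces add { 1.1 { untagged } }
create net vlan vlan_port1_2 interfaces add { 1.2 { untagged } }

# Bridge the two VLANs in a VLAN group so 192.168.254.0/24 remains a single subnet
# from the hosts' point of view (same idea as zafer's VLAN A + VLAN B group).
create net vlan-group vg_internal members add { vlan_port1_1 vlan_port1_2 }

# Force VLAN group traffic up into TMM instead of letting it be forwarded at L2,
# so the wildcard virtual server below actually sees host A <-> host B packets.
# ASSUMPTION: key name recalled from memory; verify with 'list sys db vlangroup'.
modify sys db vlangroup.forwarding.override value enable

# Gateway pool: the firewall that will accept or drop the intra-subnet traffic.
# ASSUMPTION: firewall lives at 192.168.254.254; gateway_icmp keeps it monitored.
create ltm pool pool_firewall members add { 192.168.254.254:any } monitor gateway_icmp

# Wildcard (0.0.0.0/0, any port) virtual server bound only to the VLAN group.
# Address/port translation is disabled so the original host addresses are preserved
# and the firewall sees A -> B traffic exactly as the hosts sent it.
create ltm virtual vs_internal_to_firewall {
    destination 0.0.0.0:any
    mask any
    ip-protocol any
    profiles add { fastL4 }
    pool pool_firewall
    translate-address disabled
    translate-port disabled
    vlans-enabled
    vlans add { vg_internal }
}

save sys config
```

With this in place, a quick check is `tcpdump -ni vg_internal host 192.168.254.10` (hypothetical host A address) while host A pings host B: the packets should appear on the VLAN group interface and `show ltm virtual vs_internal_to_firewall` should show its packet counters increasing, which is the symptom zafer reported as missing until L2 forwarding was disabled. If the counters stay at zero while tcpdump shows traffic, the frames are still being bridged below TMM and the db key (or the VLAN group transparency mode) is the first thing to revisit.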