Spanning tree/ connecting single LTM to 2 different redundant networks

Question

All,   
&nbsp; can someone give me some pointers on how to get from where I am currently to when I need to be per the below?  
&nbsp; I have one LTM connected to a redundnant network (2 switches each with 2 interfaces on the LTM connected to them with all the VLAN's trunked in. LACP is configured and RSTP is on.  
&nbsp; I've been requested to connect to the LTM on addtional interfaces to a completely seperate redundant network with a similar setup to above without letting traffic route between the two networks. I personally not overly happy about this from a security standpoint but can anyone with some switching knowledge enlighten me on how to get this achieved?  
&nbsp; ...just got the feeling I'lll end up either linking the spanning tree of the two networks and take them both out or destroy the world in some other fashion 
&nbsp; thanks in advance for any help you can give  
&nbsp; W60

the_bhattman · Answer

Hi W60, 
&nbsp;    It's possible to connect to 2 separate and different network and not allow traffic to go through.   The easiest way is use the LTMs packet filters or even irule that blocks any traffic from source to destination.  Therefore not allowing traffic to traverse the F5 to reach the other side of the network.   Other way is also fairly simple but less secure.  I call this "Security by Ignorance" - simply no other routes to reach the other side of the network. 
&nbsp;  
&nbsp; Thanks, 
&nbsp; CB 
&nbsp;  &nbsp;

mw1 · Answer

Hi CB, 
&nbsp;      thanks for the reply. I was actually trying to figure out more of the spanning tree config for the F5 and switches here as both networks are redundant (A/B switches in each network). It sounds like your settings work fine in single networks where spanning tree isn't an issue, which I might have to go for but currently I have the F5 connected to the A and B switch in the one network and ideally I need to connect the F5 LTM to the other network exactly the same so there would be 4 network links with the trunked in VLAN's connected to the F5, one going to the A switch of the existing network, one to the B switch of the existing, then additionally one link connected to the A switch of the new network and one to the B switch of the new network.  
&nbsp;  
&nbsp; As per currently I'm using LACP with rapid spanning tree however I'm concerned that trying to do exactly the same for the connections to the new network would mean the spanning tree of the two networks would 'see each other'. Its more of a routing and switching question than F5 LTM I guess. 
&nbsp;  
&nbsp; cheers 
&nbsp;  &nbsp;

rajesh1 · Answer

Do the following 
&nbsp; Configure the network devices with more prirority for the vlans defined on the LTM's 
&nbsp; On the interfaces connected to the F5 LTM's -  
&nbsp; 1)enable rootguard - so the LTM's cant be the root 
&nbsp; 2)Disable bpduguard on the interfaces (If you enable on the devices globally 
&nbsp; IN LTM 
&nbsp; From the spanning tree options select the RSTP. 
&nbsp; In the interface - 
&nbsp; you need to enable the spanning tree .  
&nbsp; STP link type - p2p 
&nbsp; Uncheck(disable) the STP egdeport ans STP edgeport detection 
&nbsp; once you are done - you will see a forwarding and blocking(alternate) in the LTM 
&nbsp; Regards, 
&nbsp; Rajesh

Forum Discussion

Spanning tree/ connecting single LTM to 2 different redundant networks

3 Replies

Recent Discussions

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Cannot see floating MAC address outside of ESXi

Rewrite uri translation not working

Related Content

Copper SFP Differences

GTM Redundant pair Listener IP address

Troubeshooting website connection

F5 Connection Mirroring question

DevCentral Connects hosts Capture the Flag!