AppDirector defines a type of logical network entity known as a segment. A single AppDirector load balances the traffic for all segments, but traffic between segments is always inspected by an external inspection device (for example, a firewall or an anti-virus device).
These logical entities (segments) can be associated either with physical ports (including VLANs and trunks) or with VLAN tags. An NHR must be associated with each segment; typically this is the firewall interface of that segment. A backup NHR can also be configured for each segment.
Layer 4 policies are also associated with segments, to define the logical location of each VIP. Segmentation is performed when there is a conflict between the segment to which the client belongs and the segment to which the Layer 4 policy belongs. AppDirector directly redirects traffic for a Layer 4 Policy’s VIP only when the traffic arrives from a client in the same segment where this policy resides.
Using segmentation, a single AppDirector platform connects to multiple segments around the firewall (see Figure 37 - Physical Port Segmentation). AppDirector forces traffic that originates in one firewall segment and is destined for a different segment to pass through the firewall. This also applies when the destination IP address is a VIP of a Layer 4 policy residing on the same AppDirector.
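The segmentation decision described above can be modelled in a few lines. This is an added illustration, not AppDirector code or configuration. The segment names, port names and addresses are constructed, and the choice of the client segment's NHR, the fallback to the backup NHR and the drop when neither is reachable are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Segment:
    name: str
    ports: frozenset                  # physical ports bound to this segment
    vlan_tags: frozenset              # VLAN tags bound to this segment
    nhr: str                          # typically the firewall interface of the segment
    backup_nhr: Optional[str] = None

# Constructed sample topology: names, ports and addresses are illustrative only.
SEGMENTS = [
    Segment("external", frozenset({"port1"}), frozenset(), "192.0.2.1", "192.0.2.2"),
    Segment("dmz", frozenset({"port2"}), frozenset({20}), "198.51.100.1"),
]
L4_POLICIES = {"198.51.100.10": "dmz"}    # VIP -> segment where the Layer 4 policy resides

def ingress_segment(port, vlan_tag=None):
    """Map arriving traffic to a segment by physical port or VLAN tag."""
    for seg in SEGMENTS:
        if port in seg.ports or vlan_tag in seg.vlan_tags:
            return seg
    raise LookupError(f"no segment bound to port={port!r} vlan={vlan_tag!r}")

def decide(port, dst_ip, vlan_tag=None, nhr_up=lambda ip: True):
    """Return (action, target) for traffic arriving on port/vlan_tag for dst_ip."""
    seg = ingress_segment(port, vlan_tag)
    policy_segment = L4_POLICIES.get(dst_ip)
    if policy_segment is None:
        return ("no_l4_policy", None)         # not a VIP; outside this model
    if policy_segment == seg.name:
        return ("load_balance", dst_ip)       # same segment: handled directly
    # Segment conflict: hand the traffic to the firewall for inspection.
    # Assumption: the client segment's NHR is used, falling back to the backup.
    for hop in (seg.nhr, seg.backup_nhr):
        if hop is not None and nhr_up(hop):
            return ("forward_to_nhr", hop)
    return ("drop", None)                     # assumption: no reachable NHR

if __name__ == "__main__":
    vip = "198.51.100.10"
    print(decide("port1", vip))   # client in "external": sent to the firewall
    print(decide("port2", vip))   # same flow after inspection, arriving in "dmz"
```

The second call shows why the design works: once the firewall has inspected the flow and sent it on into the policy's segment, the ingress segment matches and the VIP is served directly.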