How safe are route domains?

Hi Piet,

 

yes go forward with this design, there are no security issues known to me yet (works like VRFs on Cisco devices).

 

For a better overview of all you configurations, please create an own partition for each route domain, then you will see only the affected items of each route domain and you don't need to put the %1 or %2 behind each IP-address (very recommended!!!).

 

Things you need to know with the current route domain implementation:

 

- IPv6 is NOT possible, because the route domains will internally mapped to IPv6 addresses

 

- telnet or ssh on the command line will only work with such a IPv6 address (there is an article how to create this address from the IPv4 address)

 

- if you are using iRules, you need to keep track of this %1 stuff as well

 

- naming of configuration items still must be different in both partitions/route domains

 

We are using route domains for several customer environments and have good experiences with it so far.

 

 

Ciao Stefan :)

 

There are plenty of customers out there who just use VLANs to separate production and test traffic. As long as you ensure that LTM objects don't allow passing of traffic between the VLANs, you can save yourself from dealing with the limitations that Stefan detailed.

 

 

Aaron

Thanks for both your replies.

 

 

The IPv6 thing is interesting, as that's one of the things my customers wants to be able to do. So this might be a good consideration to take when deciding what we're gonna do.

 

 

Thanks again!

 

 

Piet

I would like to come back on this ...

 

I see many customers using routing domain to have some kind of "dmz" idea

 

 

it's only one customer, one partition, but I guess they have the feeling that routing domain is better than simple vlan ... which is not if i understand correctly.

 

 

Could you explain me what the benefit of routing domain in a non-multi-tenant situation (also no overlapping ip) ?

For a single tenant without overlapping IP space I don't think the extra complexity and configuration required is worth it. Proper configuration of VLANs and load balancing objects is sufficient to guarantee separation of traffic.

 

 

Aaron

That's what i thought too ...

 

but I see a awful lot of companies implementing routing domains anyway ... so many that i feel i'm missing something

 

 

i mean, the whole idea of partition and routing domains is when you really have multiple clients right ?

 

Using that to split production and testing isn't logic. It isn't more split with routing domains than without (again, if i understand correctly)

Routing domains with overlapping addresses? Or simply using VRF's to virtualise their routing functionality?

 

 

I dislike overlapping address spaces... Especially in a single organisation. It just leads to complexity and problems... I know that sometiems you just HAVE to doit (Thinking about mergers here), but there's ways to work out of that too...

 

 

Roll on IPv6!

 

 

H

I mean, who has overlapping ip ? When you have that, the only goal of your life is to get rid of it :)