Forum Discussion

Piet_72251
Jun 28, 2011

How safe are route domains?

We're in the process of introducing an F5 LTM cluster in our network. We want to have load balancing in our production network, as well as in our DMZ.

Can anyone point out if it is advisable to use one pair of LTMs, with one route domain for the production network and one route domain for the DMZ? Is it safe enough? Are there any other things to look after with this setup?

  • Hi Piet,

    Yes, go forward with this design; there are no security issues known to me yet (it works like VRFs on Cisco devices).

    For a better overview of all your configurations, please create a separate partition for each route domain; then you will see only the items belonging to each route domain and you don't need to put %1 or %2 after each IP address (very recommended!!!).

    Things you need to know with the current route domain implementation:

    - IPv6 is NOT possible, because the route domains are internally mapped to IPv6 addresses
    - telnet or ssh on the command line will only work with such an IPv6 address (there is an article on how to create this address from the IPv4 address)
    - if you are using iRules, you need to keep track of this %1 stuff as well
    - names of configuration items must still be different in both partitions/route domains

    We are using route domains for several customer environments and have had good experiences with it so far.

    Ciao Stefan :)


  • There are plenty of customers out there who just use VLANs to separate production and test traffic. As long as you ensure that LTM objects don't allow passing of traffic between the VLANs, you can save yourself from dealing with the limitations that Stefan detailed.
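Added example, not from any poster and not F5 code: a small Python audit over a constructed tmsh-style listing that flags virtual servers whose pool members sit in a different route domain than the virtual server itself, using the `%N` address suffix Stefan mentions. It is the kind of check the VLAN-only design above depends on, and it also shows why mixing suffixed and unsuffixed addresses needs care. The regexes, the sample objects and the simplification that an address without a suffix belongs to route domain 0 are my assumptions.

```python
import re

# Constructed tmsh-style listing (not from a real device). Destinations and
# pool members use BIG-IP's address%route-domain-id:port notation.
SAMPLE_CONFIG = """
ltm virtual /Prod/vs_web { destination 10.10.1.10%1:443 pool /Prod/pool_web }
ltm virtual /DMZ/vs_portal { destination 192.0.2.10%2:443 pool /DMZ/pool_portal }
ltm virtual /DMZ/vs_bad { destination 192.0.2.20%2:80 pool /Prod/pool_web }
ltm pool /Prod/pool_web { members { 10.10.2.11%1:8080 10.10.2.12%1:8080 } }
ltm pool /DMZ/pool_portal { members { 192.0.2.31%2:8443 172.16.0.5:8443 } }
"""

ADDR_RE = re.compile(r"(?P<ip>[0-9.]+)(?:%(?P<rd>\d+))?:(?P<port>\d+)")
VS_RE = re.compile(r"ltm virtual (\S+) \{ destination (\S+) pool (\S+) \}")
POOL_RE = re.compile(r"ltm pool (\S+) \{ members \{ ([^}]*) \} \}")


def route_domain(addr: str) -> int:
    """Return the route-domain id of an addr[%rd]:port string.

    Simplifying assumption: no suffix means route domain 0 (on a real unit it
    means the partition's default route domain, which is why Stefan's
    one-partition-per-route-domain advice matters).
    """
    m = ADDR_RE.fullmatch(addr)
    if not m:
        raise ValueError(f"unparseable address: {addr}")
    return int(m.group("rd") or 0)


def parse_config(text: str):
    """Extract {vs: (destination, pool)} and {pool: [members]} from the listing."""
    virtuals = {name: (dest, pool) for name, dest, pool in VS_RE.findall(text)}
    pools = {name: members.split() for name, members in POOL_RE.findall(text)}
    return virtuals, pools


def cross_domain_findings(text: str):
    """List (virtual, vs_rd, member) tuples where a pool member is reachable
    through a virtual server that lives in a different route domain."""
    virtuals, pools = parse_config(text)
    findings = []
    for vs, (dest, pool) in virtuals.items():
        vs_rd = route_domain(dest)
        for member in pools.get(pool, []):
            if route_domain(member) != vs_rd:
                findings.append((vs, vs_rd, member))
    return findings


if __name__ == "__main__":
    for vs, rd, member in cross_domain_findings(SAMPLE_CONFIG):
        print(f"{vs} (route domain {rd}) forwards to {member}")
```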



  • Thanks for both your replies.

    The IPv6 thing is interesting, as that's one of the things my customers want to be able to do. So this might be a good consideration to take into account when deciding what we're gonna do.

    Thanks again!



  • I would like to come back on this ...

    I see many customers using route domains to have some kind of "DMZ" idea.

    It's only one customer, one partition, but I guess they have the feeling that a route domain is better than a simple VLAN ... which it is not, if I understand correctly.

    Could you explain to me what the benefit of a route domain is in a non-multi-tenant situation (also with no overlapping IPs)?
  • For a single tenant without overlapping IP space I don't think the extra complexity and configuration required is worth it. Proper configuration of VLANs and load balancing objects is sufficient to guarantee separation of traffic.



  • That's what I thought too ...

    But I see an awful lot of companies implementing route domains anyway ... so many that I feel I'm missing something.

    I mean, the whole idea of partitions and route domains is for when you really have multiple clients, right?

    Using that to split production and testing isn't logical. It isn't any more separated with route domains than without (again, if I understand correctly).
  • Hamish
    Route domains with overlapping addresses? Or simply using VRFs to virtualise their routing functionality?

    I dislike overlapping address spaces... Especially in a single organisation. It just leads to complexity and problems... I know that sometimes you just HAVE to do it (thinking about mergers here), but there are ways to work out of that too...

    Roll on IPv6!

  • I mean, who has overlapping IPs? When you have that, the only goal of your life is to get rid of it :)
  • I think the main goal of Route Domains is the ability to define multiple default routes.

    • boneyard
      Seriously, why drag up a topic almost 4 years old? Things have changed since then, i.e. IPv6 support. This is just confusing.
    • Hamish
      Looks like email notifications of old discussions are being sent out again... Either that or we're hitting the good old duplicate conversations with the same title bug again... I got hit and replied to an old JSESSIONID persistence by iRule one the other day... I have to confess I don't always notice the really old dates on conversations when I'm typing a reply either... H