

Brad_146558
Jun 08, 2016

Implementing Route Domains on an existing Production F5

Hi everyone,

Our security team wants us to keep the data flowing through the F5 separated. Basically, in short, they have some complicated routing they want me to do in the F5. Route domains appear to be the answer to this because they will allow me to set different routes for different virtual servers. The story is a bit more complicated than that, but the gist of it is that the normal routing tables won't suffice.

I guess I don't have a question so much as I am looking for input from people who have implemented route domains on an existing F5 setup.

3 Replies

  • I have also considered moving the virtual servers into individual partitions, but this seems like a lot of work as it looks like I would have to delete and recreate everything in the new partitions to make it work.
  • I have implemented route domains to address two issues:

    1. Allow a separate "VRF" or route domain to function across a specific set of physical interfaces as a self-contained routing domain, separate from the other trust zones passing through the F5.

    2. Route domains allow us to use an 11.5 feature called HA active-active traffic groups. What this does is allow a traffic group to fail over to the secondary F5 without impacting another traffic group. Using route domains we can keep one set of virtual servers/self IPs contained and isolated, so that a link failure in one route domain does not cause all the other route domains/traffic groups to fail as well.
  • Route domains provide a VRF-like feature, as noted earlier. My only concern is the lack of an easy troubleshooting method. Traditionally, you can use curl or tcpdump easily from the F5. With route domains the "%" sign makes it a bit more complicated, and you have to resort to workarounds to troubleshoot. In short, it is easy to set up but tougher to troubleshoot. The troubleshooting part may have been addressed in later 11.x and 12.x code. I mainly worked with 10.x and early 11.x code for route domains.