Forum Discussion
Multi tenancy design, Route domain
Dear Techies,
For the cloud design, the following are the design options considered for the implementation of F5. We have an F5 1600 with four Gigabit copper interfaces.
- Creation of three administrative partitions: 1) Cloud_Provider 2) Tenant_Internal 3) Tenant_Internet
- Creation of a default route domain under each partition, say: 1) Cloud_Provider Servers Route Domain under Cloud_Provider (administrative partition) 2) Tenant Internal Server Domain under Tenant_Internal (administrative partition) 3) Tenant Internet Server Domain under Tenant_Internal (administrative partition)
- Bundling two physical interfaces (1.1, 1.2) under a trunk for Cloud_Provider and Tenant_Internal
- Separate external VLANs will be created for the Cloud_Provider and Tenant_Internal segments for the users to access the VIPs.
- Bundling two physical interfaces (1.3, 1.3) under a trunk for Tenant_Internet.
- For the Cloud_Provider internal servers I would like to load balance five VLANs, say VLAN 100-104. I have created one external VLAN, say VLAN 105, for the virtual IPs. Do I have to create five self IP addresses for the five VLANs which I am going to load balance?
- Can I pass both internal and external VLANs under the same trunk?
- Can two administrative partitions be configured under the same trunk, say Cloud_Provider and Tenant_Internal?
- Is there any limitation in creating administrative partitions on the F5 1600?
15 Replies
- What_Lies_Bene1
Cirrostratus
1. You don't need to have a VLAN specifically for VIPs. Just route the IP subnet you want to use for VIPs to a self IP on any appropriate VLAN. So, for instance, create the external VLAN using a /29 or /30 IP subnet as appropriate. Then route, say, 10.10.10.0/24 (your VIP range) from the core switch or firewall (or whatever) over that external VLAN to the relevant self IP on the F5. If you did create 5 VLANs, yes, each one will need a self IP.
2. In the F5 world, a trunk is a logical bundling of multiple physical interfaces, independent of L2 VLANs. Whatever you can do with an interface, you can do with a trunk. You can tag multiple VLANs over any kind of interface.
3. APs have no direct relation to physical interfaces, but Route Domains do relate to VLANs and they exist within APs. A VLAN (rather than a physical interface) can only be present in one RD. Multiple RDs can exist in a single AP. A trunk can carry tagged VLAN traffic for multiple RDs even if they are in different APs.
4. See here: https://devcentral.f5.com/articles/v10-a-look-at-route-domains
- Arunprabhu_1147
Nimbostratus
Thanks for your reply.
For your first reply I would like to get further clarification.
Example: VLANs 100-104 are the real server VLANs. VLAN 105 is the VIP VLAN, which will have the virtual IP addresses for all the real server VLANs. I am planning to use two IP addresses in VLAN 105 for the firewall, and three IP addresses in my load balancer for the self IPs of the redundant boxes and the floating address.
My question is: do I still need to have a self IP address in the real server VLANs like 100-104? As per my understanding, SNAT Automap is configured, thus if any request from a client comes to my virtual servers in VLAN 105, my F5 will SNAT the source IP address with the virtual IP address and the destination IP address is the real server IP address. Kindly let me know the best practice: should I have a self IP address for all the internal VLANs for which I am doing load balancing? Since this is a cloud setup, tomorrow I may get ten more VLANs which have real servers, and I don't want to create a self IP address for each internal real server VLAN.
Thanks, Arun
- Arunprabhu_1147
Nimbostratus
Thanks much for your detailed explanation.
The following is my understanding from your replies.
1. I will create a separate VLAN, say /28 or /29, for routing between the load balancer and the firewall.
2. I will have a /24 or /23 IP address pool as the VIP segment for each tenant but will not assign it to any VLAN.
3. For each tenant internal VLAN, say (100-104), I will create a self IP address, thus SNAT Automap is applied.
4. I don't want my servers to have the F5 as gateway, since I have a few servers within the real server VLAN which don't require load balancing.
5. Creation of three administrative partitions: a) Cloud_Provider b) Tenant_Internal c) Tenant_Internet. Creation of a default route domain under each partition, say: I) Cloud_Provider Servers Route Domain under Cloud_Provider (administrative partition) II) Tenant Internal Server Domain under Tenant_Internal (administrative partition) III) Tenant Internet Server Domain under Tenant_Internal (administrative partition)
6. Bundling two physical interfaces (1.1, 1.2) under a trunk for Cloud_Provider and Tenant_Internal
7. Separate external VLANs will be created for the Cloud_Provider and Tenant_Internal segments for the users to access the VIPs.
8. Bundling two physical interfaces (1.3, 1.4) under a trunk for Tenant_Internet.
Regards, Arun
- What_Lies_Bene1
Cirrostratus
You're welcome.
1. Sounds good.
2. Correct - just make sure you route those subnets to the F5 on the firewall, over the small routed subnet.
3. You'll need to specify SNAT Automap in the configuration for each Virtual Server but yes, the SNAT will use the self IP of the relevant VLAN.
4. OK, shouldn't be an issue as long as you apply the SNAT.
5. OK.
6. Sure, in F5 terminology the Trunk is the bundle; VLAN tagging is called, err, VLAN tagging (rather than trunking as in the Cisco world).
7. If you are going to do that, there's no point in the small routed segment we've discussed in 1), is there?
8. Sure, as per 6).
- Arunprabhu_1147
Nimbostratus
Kindly advise if any other changes are required.
The only information not shown in the diagram is the administrative partition. The F5 connecting to the aggregation switch will have two APs, i.e. Cloud_Internal and TenantA_Internal.
The F5 connecting to the DMZ switch will have two APs, Cloud_DMZ and TenantA_DMZ.
Let me know how to map the VLANs to the APs. I would also like to understand whether the routed VLAN has to be separate for each tenant, since I will bind each tenant under a different VRF.
Thanks, Arun
- What_Lies_Bene1
Cirrostratus
A few questions so I fully understand before I comment:
1. Are the switches just operating at L2 (all the L3 is on the firewall and/or F5) or do they have an L3 interface for each 'internal' VLAN too?
2. Rather confusingly, the VLANs are nearly all called Internal; shouldn't 201 onwards be called external?
3. I assume you have static routes in place on the firewall for the VIP ranges, pointing to the F5?
4. VRFs operate at layer three, don't they? If the switches don't have L3 interfaces surely there is no need for VRFs? I could be wrong, it's been a while since I've used them. Or is there a need to absolutely have a routed subnet for every tenant regardless, even if the separation is just via VLANs?
- Arunprabhu_1147
Nimbostratus
Hi, please find my inline replies. I have tried here to close the gaps in understanding.
1. Are the switches just operating at L2 (all the L3 is on the firewall and/or F5) or do they have an L3 interface for each 'internal' VLAN too?
The aggregation switches are operating at L3 and are configured as the default gateway for all the internal VLANs, say (100-104), and I have planned to create a routed VLAN (105) specifically between the firewall and the load balancer. Similarly, the DMZ switches are operating at L3 and are configured as the default gateway for all the internal VLANs, say (200-204), and I have planned to create a routed VLAN (205) specifically between the firewall and the load balancer.
2. Rather confusingly, the VLANs are nearly all called Internal; shouldn't 201 onwards be called external?
This particular load balancer will be used for load balancing both internal servers and DMZ servers. So I have two external VLANs: VLAN 105 as the external VLAN for internal servers and VLAN 205 as the external VLAN for DMZ servers.
3. I assume you have static routes in place on the firewall for the VIP ranges, pointing to the F5?
Yes, as per your comment earlier, I will have a separate VIP range for each tenant and will not assign it to any VLAN. I will have a static route in the firewall pointing to the F5.
4. VRFs operate at layer three, don't they? If the switches don't have L3 interfaces surely there is no need for VRFs? I could be wrong, it's been a while since I've used them. Or is there a need to absolutely have a routed subnet for every tenant regardless, even if the separation is just via VLANs?
Yes, each tenant will be assigned a VRF in L3, say all VLANs under Tenant-A are configured under Tenant-A_VRF in the aggregation switch. Thus I need to have a separate routed VLAN between the firewall and the load balancer for each tenant under its respective VRF. In case I have assigned VLAN 105 for Tenant-A as the routed VLAN between the firewall and the load balancer, then I may have to go for, say, VLAN 110 as the routed VLAN between the firewall and the load balancer for Tenant-B and assign it under the Tenant-B VRF so that it is visible in the routing table.
Thanks, Arun
- What_Lies_Bene1
Cirrostratus
Hey, sorry for the delay, real life is always intruding :-)
1. OK, so the switches are layer three. So the inbound traffic MUST go via the routed VLAN from firewall to F5. The firewall doesn't 'see' traffic from the F5 to the servers. That's good and explains the VRFs for the internal VLANs.
2. OK.
3. Static routes: sounds good.
4. VRFs: again, sounds good.
I think you're there but it would be good to see a diagram that includes the APs and RDs. Entirely your choice of course.
- Arunprabhu_1147
Nimbostratus
Thanks for all your responses, PFA the updated snapshot. Regarding RDs, I am going to have a default RD under each administrative partition.
Thus I can avoid the % symbol :)
Suggest changes if I am wrong.
Regards,
Arun
- What_Lies_Bene1
Cirrostratus
Looks awesome and correct. I'd agree regarding the default RD. Obviously, if you have any issues implementing, post back. Cheers
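The design the thread settles on, written out as tmsh commands. This is an added illustration constructed for this page, not configuration from any of the posts; partition, route domain, trunk, VLAN, address and pool names and values are all assumed. One point the tmsh form makes explicit: route domain IDs are global on the box, so "a default RD under each partition" means one uniquely numbered RD per partition set as that partition's default, not ID 0 reused.

```tmsh
# Assumed values throughout: partition names, RD IDs, VLAN tags,
# addresses and pool members are constructed for illustration.

# Partition for the provider's own servers.
create auth partition Cloud_Provider
cd /Cloud_Provider

# One trunk (1.1 + 1.2) carries tagged VLANs for more than one
# partition; VLAN tagging is separate from the trunk itself.
create net trunk /Common/trunk_internal interfaces add { 1.1 1.2 } lacp enabled

# Small routed VLAN between firewall and F5 (one per tenant, so it
# can sit in that tenant's VRF), plus the real-server VLANs.
create net vlan vlan105 tag 105 interfaces add { trunk_internal { tagged } }
create net vlan vlan100 tag 100 interfaces add { trunk_internal { tagged } }
create net vlan vlan101 tag 101 interfaces add { trunk_internal { tagged } }

# Route domain 10 owns these VLANs and becomes the partition default,
# so objects below need no %10 suffix.
create net route-domain rd_cloud id 10 vlans { vlan105 vlan100 vlan101 }
modify auth partition Cloud_Provider default-route-domain 10

# Self IPs: static per unit plus a floating one on the routed VLAN,
# and one per server VLAN so SNAT Automap has a source address there.
create net self self_vlan105 address 10.0.105.3/29 vlan vlan105 allow-service none
create net self float_vlan105 address 10.0.105.4/29 vlan vlan105 traffic-group traffic-group-1 allow-service none
create net self self_vlan100 address 10.0.100.5/24 vlan vlan100 allow-service none
create net self self_vlan101 address 10.0.101.5/24 vlan vlan101 allow-service none

# Return path to clients is via the firewall leg on the routed VLAN.
# Servers keep the aggregation switch as their gateway; SNAT makes
# their replies come back to the F5 self IP instead.
create net route default_rd_cloud network default gw 10.0.105.1

# VIP range 10.10.10.0/24 is not bound to any VLAN; the firewall
# static-routes it to the floating self IP 10.0.105.4.
create ltm pool pool_web monitor http members add { 10.0.100.11:80 10.0.101.11:80 }
create ltm virtual vs_web destination 10.10.10.10:80 ip-protocol tcp \
    profiles add { tcp http } pool pool_web \
    source-address-translation { type automap }

# Second tenant: same pattern with its own partition, RD ID and
# routed VLAN (e.g. vlan110 in the Tenant-B VRF) over the same trunk.
create auth partition Tenant_Internal
cd /Tenant_Internal
create net vlan vlan110 tag 110 interfaces add { trunk_internal { tagged } }
create net route-domain rd_tenant id 20 vlans { vlan110 }
modify auth partition Tenant_Internal default-route-domain 20
```

Before adding more server VLANs, verify the SNAT path per tenant with `show net route-domain` and a server-side capture: replies must return to the F5 self IP on that VLAN, not to the aggregation switch.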