For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Approxee's avatar
Approxee
Icon for Nimbostratus rankNimbostratus
May 04, 2014

Route Domains and AFM module

Hi Forum,

 

I want to be able to have 2 parent route domains to contain the public IPs and VLANs and to have 4 child domains two per parent domains.

 

Is it possible to position the AFM between the parent route domains, so disabling strict isolation, but still make sure the child route domains cant talk to each other directly.

 

I read somewhere that if strict isolation is enabled on the childs then it must be enabled on the parents, and if this is done how can they talk to each other.

 

Is it possible if the parents are rd1 and rd2, then I just put routes in rd1 for rd2 and rd2 for rd1 and they will reach each other.

 

My requirement is to have the parent route domains be able to get to each other, but but not the child domains.

 

G

 

design

4 Replies

  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    May 04, 2014

    You may need to create a parent route domain rd0 for rd1 and rd2 which can front the virtual servers on the public side and still maintain the strict isolation on the child domains.

     

    • Approxee's avatar
      Approxee
      Icon for Nimbostratus rankNimbostratus
      May 06, 2014
      Hi Kunjan, I read in the documentation that if the child rd's are configured for strict isolation, then the parents must also be the same. If I configure Strict Issolation on the childs then also on the rd1 and rd2, then do I have to also configure it rd0. The problem I have is a have two parent RD's each with two child RDs each. This is strict isolation, so that the childs can see each others routing tables. I was to position the AFM between the parent route domains, so access can be given based on the policy. If I switch off Strict Issolation, then the childs have visibility of each other and then I need to position the AFM policys between the childs and the parents.
  • kunjan_118660's avatar
    kunjan_118660
    Icon for Cumulonimbus rankCumulonimbus
    May 04, 2014

    You may need to create a parent route domain rd0 for rd1 and rd2 which can front the virtual servers on the public side and still maintain the strict isolation on the child domains.

     

    • Approxee's avatar
      Approxee
      Icon for Nimbostratus rankNimbostratus
      May 06, 2014
      Hi Kunjan, I read in the documentation that if the child rd's are configured for strict isolation, then the parents must also be the same. If I configure Strict Issolation on the childs then also on the rd1 and rd2, then do I have to also configure it rd0. The problem I have is a have two parent RD's each with two child RDs each. This is strict isolation, so that the childs can see each others routing tables. I was to position the AFM between the parent route domains, so access can be given based on the policy. If I switch off Strict Issolation, then the childs have visibility of each other and then I need to position the AFM policys between the childs and the parents.