Forum Discussion
Route Domains and Parent Domain
Hi,
I want to set up a scenario similar to the one described in the LTM Implementations manual chapter "Web Hosting Multiple Customers Using Route Domains", but with a third route domain which could forward traffic in and out of the other two route domains (something like the Primary VLAN concept when implementing Cisco Private VLANs).
My lab setup is the following (see attachment for network diagram):
I have three route domains and three administrative partitions.
One partition is partition Common with default route domain 0; the other two are Partition 1 and Partition 2 with RD1 and RD2 as default route domains, respectively.
RD0 is the parent route domain of RD1 and RD2, and Strict Isolation is enabled in all route domains.
Partition 1 has two VLANs, VLAN 37 and VLAN 41. VLAN 37 is something like a DMZ and VLAN 41 the corresponding backend VLAN.
Partition 2 is the same with VLAN 38 and VLAN 42.
Traffic between Partition1/RD1 and Partition2/RD2 should be isolated, but traffic must flow between RD0 and RD1, and between RD0 and RD2.
LTM1 is the default gateway for VLAN_41 and VLAN_42, and the default route for both VLANs points to the L3 switch through the transit VLAN, so there is a forwarding virtual server (Layer 3) in each partition.
There is only one default route in RD0, as with a parent-child relationship the system is supposed to search for routes in the parent route domain.
This is the configuration:
shell write partition Common
route default inet {
    gateway 20.1.33.67
}
virtual address any {
    mask 0.0.0.0
}
virtual VS_FORWARDiNG_COMMON {
    ip forward
    destination any:any
    mask 0.0.0.0
}

shell write partition DMZ_1
virtual address any%1 {
    mask 0.0.0.0
}
virtual VS_FORWARDING_DMZ1 {
    ip forward
    destination any%1:any
    mask 0.0.0.0
    vlans {
        VLAN_36
        VLAN_37
        VLAN_41
    } enable
}

shell write partition DMZ_2
virtual address any%2 {
    mask 0.0.0.0
}
virtual VS_FORWARDING_DMZ2 {
    ip forward
    destination any%2:any
    mask 0.0.0.0
    vlans {
        VLAN_36
        VLAN_38
        VLAN_42
    } enable
}
virtual VS_RD2 {
    snat automap
    pool pool_rd2
    destination 20.1.33.211%2:http
    ip protocol tcp
}
The problem is that traffic between RD0 and RD1, or RD0 and RD2, is not flowing. I thought this should work:
"Forwarding of traffic between route domains is by default enabled between route domains in a parent-child relationship only. (That is, traffic received in a child route domain can be forwarded to a parent route domain and the reverse.)" (TMOS: IP Routing Administration; Chapter: Working with Route Domains)
Is there something wrong with the config or the concepts?
LTM version is 10.2.3.
Thanks a lot.
Best Regards.
12 Replies
- With "not flowing", do you mean no traffic flows at all, or that it only goes in one direction? Have you done any tcpdump to see how far the traffic gets?
- adiezma_1656
Nimbostratus
Hi!,
Disable "Strict Isolation" on the route domains. With R. D. the routes do not cross.
"You can specify the extent to which you want the system to enforce cross-routing restrictions. By default, routes cannot cross route domain boundaries, unless those route domains have a parent-child relationship, or the Strict Isolation route domain setting is disabled on each route domain. Finally, route domains reside in administrative partitions, for security reasons. This allows organizations to restrict the management of isolated BIG-IP system objects to those users with an appropriate user role."
Kind Regards. A. Diezma
- I don't believe that is the answer; he doesn't want traffic between RD 1 and RD 2, he wants traffic between RD 0 and RD 1 or RD 0 and RD 2, which should be possible because of the parent-child relationship, as you mention: "unless those route domains have a parent-child relationship".
- Got_SPAM_
Employee
Did you ever get this to work? If so, can you share the secret?
- Shain_Singh_846
Historic F5 Account
The parent-child relationship in route domains is typically used when a route cannot be found in the child route domain. Did you test this without a default route in your child route domains?
- aj1
Nimbostratus
Hi Zoe. Did you ever get this to work? We have a similar setup. A default RD and two non-default RDs - 1 and 2, although all RDs are in the Common partition. Each RD has one vlan - RD0 has the internet-facing vlan and RD1/RD2 have a client-facing vlan each. RD0 has a default route to the upstream router.
From what I can see in tcpdump (and virtual server statistics), client traffic is hitting RD1's interface (that has a wildcard virtual server for accepting anything), but traffic never leaves the internet-facing vlan that's in RD0.
Would appreciate any pointers.
- Marcus_Slawik_8
Historic F5 Account
Hi aaaa... do you still need a solution for this? I can help you if necessary.
- aj1
Nimbostratus
Hi schwiddy, thanks for getting back, but we're all set. IIRC we had to change the "cmp-hash" setting under vlans.
- Helena_101649
Nimbostratus
Hi,
No, in the end we dismissed the idea. We achieved a sort of routing isolation between backends using different forwarding virtual servers for each VLAN, and restricting the inbound VLAN to the Internet-facing VLAN. This is a simplified example:
 VLAN1               |   |             -----------
 10.10.10.0 ---------|   |  VLAN_FRONT |         |
                     |LTM|-------------| Router  |--> Outside
 VLAN2      ---------|   |  30.30.30.0 |30.30.30.1|
 20.20.20.0          |   |             -----------

ltm virtual /Common/FORWARDING_IN_VLAN1 {
    destination /Common/10.10.10.0:0
    ip-forward
    mask 255.255.255.0
    profiles {
        /Common/fastL4_NoReset { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/VLAN_FRONT
    }
    vlans-enabled
}
ltm virtual /Common/FORWARDING_IN_VLAN2 {
    destination /Common/20.20.20.0:0
    ip-forward
    mask 255.255.255.0
    profiles {
        /Common/fastL4_NoReset { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/VLAN_FRONT
    }
    vlans-enabled
}
ltm virtual /Common/FORWARDING_OUT_VLAN1 {
    destination /Common/any:0
    ip-forward
    mask any
    profiles {
        /Common/fastL4_NoReset { }
    }
    rules {
        /Common/RUTAS_OUT_VLAN1
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/VLAN_1
    }
    vlans-enabled
}
ltm virtual /Common/FORWARDING_OUT_VLAN2 {
    destination /Common/any:0
    ip-forward
    mask any
    profiles {
        /Common/fastL4_NoReset { }
    }
    rules {
        /Common/RUTAS_OUT_VLAN2
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/VLAN_2
    }
    vlans-enabled
}
ltm rule /Common/RUTAS_OUT_VLAN1 {
    when CLIENT_ACCEPTED {
        node 30.30.30.1
    }
}
ltm rule /Common/RUTAS_OUT_VLAN2 {
    when CLIENT_ACCEPTED {
        node 30.30.30.1
    }
}
We use different iRules for outbound routing because we actually have more than one Internet-facing network. All objects reside in partition Common. The next step will be to use vCMP to implement two different virtual LTMs, but we are not in a hurry since we don't have any issues with the current configuration.
Regards
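The isolation in the configuration above rests on the outbound forwarding virtual servers: each one listens only on its own backend VLAN and the iRule pushes every flow to the router at 30.30.30.1, so VLAN_1 hosts never get a direct path through the LTM to VLAN_2. If the router later learns a route back to 20.20.20.0/24, that traffic still gets there via the router. The iRule below is an added hardening variant, not part of Helena's posted config or of any F5 documentation: it explicitly drops and logs flows from VLAN_1 whose destination is the other backend subnet before forwarding everything else to the router. It assumes the same addressing as the simplified example (VLAN_1 = 10.10.10.0/24, VLAN_2 = 20.20.20.0/24, router 30.30.30.1) and the CIDR form of `IP::addr ... equals` available on 11.x and later; the 10.x spelling is shown in a comment.

```tcl
# Added example (not from the thread). Attach to FORWARDING_OUT_VLAN1 in place of
# RUTAS_OUT_VLAN1; the VLAN_2 counterpart is the mirror image with 10.10.10.0/24.
# Assumes: VLAN_1 = 10.10.10.0/24, VLAN_2 = 20.20.20.0/24, router = 30.30.30.1.
when CLIENT_ACCEPTED {
    # On a wildcard (any:0) ip-forward virtual with address translation disabled,
    # IP::local_addr is the original destination of the flow being forwarded.
    set dst [IP::local_addr]

    # Belt and braces: anything from VLAN_1 addressed to the other backend VLAN
    # is dropped here, so the LTM itself can never become a VLAN_1 -> VLAN_2 path
    # even if a route or another forwarding virtual is added later by mistake.
    # On 10.x use: [IP::addr [IP::local_addr]/24 equals 20.20.20.0]
    if { [IP::addr $dst equals 20.20.20.0/24] } {
        log local0. "RUTAS_OUT_VLAN1: dropped cross-VLAN flow [IP::client_addr] -> $dst"
        drop
        return
    }

    # Everything else leaves through the Internet-facing router, as in the
    # original RUTAS_OUT_VLAN1.
    node 30.30.30.1
}
```

To verify the behaviour, start a connection from a VLAN_1 host to a VLAN_2 address and check that no packet appears on VLAN_2 in `tcpdump -i VLAN_2` while the drop line appears in `/var/log/ltm`; a connection from the same host to an outside address should still show the router's MAC as the next hop on VLAN_FRONT.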