Forum Discussion
Route Domains and VLANs
You can have the virtuals reside in route domain 0 and put the various pool members into separate route domains and establish parent-child route domain relationships. I don't know that route domains are what you really want to do though. Think of them like a VRF. They're not so much a security measure (just like routing isn't a security measure).
- Brad_146558 Aug 04, 2016
Nimbostratus
Route Domains were a compromise with our security team. They really don't like the fact that we only have 1 F5, and when we put in our routes originally to separate the traffic we ran into some asymmetrical routing issues. The idea behind implementing route domains was to get us past the routing issue and allow us to route specific traffic over certain routes to make sure that DMZ traffic never touches Prod traffic, etc.
I know the whole thing sounds a little crazy and the way we originally had it set up worked just fine, but security didn't like it.
- Brad_146558 Aug 04, 2016
Nimbostratus
However I really do like your idea of leaving the virtual servers on common and putting pools into the route domains. That may work for us! I'll do some additional testing.
- ekaleido_26616 Aug 04, 2016
Cirrocumulus
I can sympathize with having to make compromises with "security" teams. ;)
- Mike_Dayton_108 Aug 05, 2016
Nimbostratus
Assigning VIPs to VLANs limits you. Try to assign separate network ranges for the VIPs in each RD. Point the route for the VIPs in each RD, via the router in each VRF, to the floating IP in the corresponding RD.