Forum Discussion
Separating APM traffic from LTM traffic
I posted this on the APM forum months ago and didn't get a response. So I'm going to try here since it really isn't an APM thing. Original question:
---
I need a little guidance on how I should deploy APM in our environment.
Having Firepass and the LTM in separate environments today, I'm trying to figure out what to do now they reside on the same box.
Our LTM always pointed traffic to the DMZ burb or zone, while Firepass always sent traffic to a special VPN zone.
How would I do this with APM? As long as I could lock down traffic sourcing from APM to one IP and LTM traffic to another I think that would be fine.
---
My F5 sales rep told me that "Route Domains" are my answer. I have read the manual entries on "Route Domains" and it is very confusing (so if there are other docs/tutorials on it, please let me know; I'm a "learn by example" type of person and I'm missing an example of what I'm trying to do).
Today the Firepasses just have a VIP on the LB; APM sounds like the same thing, but we need that traffic to be routed differently. So the frontend/external/Internet side can be shared between the LTM/APM. On the backend, everything but APM-related traffic needs to be directed to the DMZ. APM traffic needs to go to another DMZ we have just for VPN use.
Do I need a partition(s) for this? I guess I'll start there; if that is a yes or a no, then I'll try to ask about what is confusing me in the manuals. I am running version 11.2.
I hope that this makes sense,
Thanks for any help,
Misty
- Hamish (Cirrocumulus)
I'm not sure you have to use RD's... Have to have a think about it. However it's probably easier than trying to do it any other way. (I'm not sure the other way I'm thinking of would work, so I won't talk about it :)
- Misty_Spillers (Nimbostratus)
So just to be clear, you can do routing domains without partitions? I saw this: https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/1179315/showtab/groupforums/Default.aspx
- Hamish (Cirrocumulus)
Yeah sure. No problems. FWIW I don't much like partitions either... They're very annoying (to me) when administering a BIG-IP.
- Grayson_149410 (Nimbostratus)
We are in the same predicament. Did you ever figure this out? We have our LTM doing everything just like you, but we want APM to use a different default route.
- Misty_Spillers (Nimbostratus)
I ended up using 3 partitions and 3 route domains. The partitions are Internal, External and VPN. It's a bit of a learning curve and more complex, but it has worked well for us. You start with the partitions and the network settings will go under those. If you are a command line troubleshooter with pings, telnets, tcpdumps, etc., these articles are must-haves:
https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13472.html?sr=41029849
https://support.f5.com/kb/en-us/solutions/public/6000/500/sol6546.html?sr=41029849
https://support.f5.com/kb/en-us/solutions/public/10000/400/sol10467.html?sr=41029925
- Kyle_S (Nimbostratus)
We have implemented Route Domains to isolate our SSL VPN users. It works very well and in our APM Access Policy we use the object Route Domain and SNAT selection. You will have to create self-ip addresses, routes, and pool selections. The trick is to remember to use the % with everything. So the route domain you create is SSL_VPN Route ID 1, everything associated in that route domain needs to end with %1. The default route would be destination 0.0.0.0%1 use gateway 192.168.1.1%1. A self-ip for this domain would be 192.168.2.1%1. Even nodes can have the same IP addresses as long as they are placed in the correct route domain. I hope this helps.
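As an added illustration (not from any poster in this thread), here are the objects Kyle_S describes as they would be entered in tmsh on the BIG-IP, using the IDs and addresses from his post; the VLAN name vpn_dmz, tag 80, interface 1.1, the /24 mask and the node 10.80.1.10 are assumed placeholders for your own network.

```tmsh
# Added example, not from any poster. Assumed values: VLAN vpn_dmz, tag 80,
# interface 1.1, /24 mask, node 10.80.1.10. Run from the BIG-IP shell.

# 1. A tagged VLAN for the VPN DMZ, so it can share interface 1.1 with an
#    existing untagged server VLAN (the question raised later in the thread).
tmsh create net vlan vpn_dmz tag 80 interfaces add { 1.1 { tagged } }

# 2. Route domain SSL_VPN with ID 1. "strict enabled" (the default) blocks
#    forwarding between this domain and route domain 0, which is the
#    separation the thread is after: APM users cannot reach the LTM/DMZ side
#    unless you deliberately open it.
tmsh create net route-domain SSL_VPN id 1 strict enabled vlans add { vpn_dmz }

# 3. Every address inside the domain carries the %1 suffix: the self-IP and
#    the domain's own default route with its gateway.
tmsh create net self vpn_self address 192.168.2.1%1/24 vlan vpn_dmz allow-service none
tmsh create net route vpn_default network 0.0.0.0%1/0 gw 192.168.1.1%1

# 4. Pool members on the VPN side also get %1. The same IP may already exist
#    as a node in route domain 0; the %1 makes it a different object.
tmsh create ltm pool vpn_pool members add { 10.80.1.10%1:443 }

# 5. Verify the domain, its VLAN membership and its default route, then save.
tmsh list net route-domain SSL_VPN
tmsh list net route vpn_default
tmsh save sys config
```

The virtual server that APM users first hit stays in route domain 0 (no suffix); only the objects reached after the Route Domain and SNAT Selection action in the access policy need the %1.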
- Grayson_149410 (Nimbostratus)
So I assume the VS we have for the VPN would also need the %1, correct? Right now we have our DMZ as the core default route (192.168.0.0), and we want to use our other network 10.80.x.x for the VPN.
- Kyle_S_52590 (Nimbostratus)
You can set independent default routes for each Route Domain. We chose to use the Route Domain because we had issues with how the Lease Pool routed back using the self-ip address. After we implemented the Route Domain we were able to route the traffic the way we wanted it to go without overcomplicating it. So for VPN connections, we have the VS on the main Route Domain (no %), but once the APM policy kicks in, we assign those users with the Route Domain and SNAT selections in the APM objects. It is a selectable item like adding a message box or AD Auth. After adding the item, you will have a drop-down to select the Route Domain you want it to reference. All the self-ips and routes that will need to be associated with that Route Domain will need to have the % included. It might be easier to understand if you draw it out, top to bottom, how the VPN user would hit your VS, then process through the APM module and then access onto your network. Draw a line where the Route Domain Selection is made; everything above the line is on the normal route domain, and everything below is in the VPN Route Domain (% required). It took a bit of trial and error but we got it figured out. Good luck.
- Grayson_149410 (Nimbostratus)
Would you happen to have an example of how yours is set up? I tried creating a route domain and then creating a new self IP and virtual server with the %1 for my route domain, but I am no longer able to get access to it.
Since this is going to be on our production LTM, do we have to create another server vlan and run it as tagged to interface 1.1 and leave the current server vlan untagged on 1.1?