Forum Discussion

Nimbostratus

Sep 11, 2012

Separating APM traffic from LTM traffic

I posted this on the APM forum months ago and didn't get a response. So I'm going to try here since it really isn't an APM thing. Original question: --- I need a little guidance on how I sh...

config

design

Kyle_S_52590

Nimbostratus

We have implemented Route Domains to isolate our SSL VPN users. It works very well and in our APM Access Policy we use the object Route Domain and SNAT selection. You will have to create self-ip addresses, routes, and pool selections. The trick is to remember to use the % with everything. So the route domain you create is SSL_VPN Route ID 1, everything associated in that route domain needs to end with %1. The default route would be destination 0.0.0.0%1 use gateway 192.168.1.1%1. A self-ip for this domain would be 192.168.2.1%1. Even nodes can have the same IP addresses as long as they are placed in the correct route domain. I hope this helps.

Kyle_S

Nimbostratus

Oct 16, 2014

You can set independent default routes to each Route Domain. We chose to use the Route Domain because when we had issues with how the Lease Pool routed back using the self-ip address. After we implemented the Route Domain we were able to route the traffic the way we wanted it to go without over complicating it. So for VPN connections, we have the VS on the main Route Domain (no %), but once the APM policy kicks in, we assign those users with the Route Domain and SNAT selections in the APM objects. It is a selectable item like adding a message box or AD Auth. After adding the item, you will have a drop down to select the Route Domain you want it reference. All the self-ips, and routes that will need to be associated with that Route Domain will need to have the % included. It might be easier to understand if you draw it out, top to bottom, how the VPN user would hit your VS, then process through the APM module and then access onto your network. Draw a line where the Route Domain Selection is made and everything above the line is on the normal route domain, and everything below is in the VPN Route Domain (% required). It took a bit of trial and error but we got it figured out. Good luck.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Separating APM traffic from LTM traffic

Recent Discussions

how to whitelist new source IP on F5 web UI access

F5 to read a combined CRL file

Upgrade F5 BIGIP

ISP Load Balancing, SNAT pool instead of Automap link self-ip, anyway to do health check ?

MAC address of deleted VS IP address still responsive

Related Content

fellow traffic

Block traffic

Traffic Intelligence in AFM through Categories

Use topology labels to reduce cross-AZ ingress traffic with F5 CIS and EKS

Managing Kubernetes Traffic With F5 NGINX: A Practical Guide

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS