Forum Discussion
two different route domains for the vserver lan and pool lan
Valeghi I have not seen this before, so I wouldn't assume it's best practice. As you stated, it adds a lot of complexity to the configuration that really doesn't need to be there. Typically someone cannot use the VS to enter the environment on anything other than the port and protocol that the VS is listening on, and if your servers are vulnerable on that port then the attacker is getting in either way, because that traffic is just passed on to the pool members associated with that VS.

What I normally see is the F5 placed out of path in its own segment with SNAT enabled on all VSs, and the servers placed into their own subnets based on function: web servers together, and DB servers together in their own segment. You do run into instances where SNAT can't be used, which causes an issue, and then you have to put the F5 in path with multiple segments off of it; you then use other F5 modules such as AFM to reduce the security risk to each of those segments.

Overall you can achieve additional security with other devices, or just on the F5 with other modules, rather than introducing your much more complex setup.
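The out-of-path design described in the reply (F5 on its own segment, SNAT on every virtual server, servers in per-function subnets reached by routing, no second route domain) expressed as tmsh commands. This is an added illustration, not configuration from the poster or from F5 documentation; the VLAN and object names, the RFC 5737 client-facing address 203.0.113.10 and the 10.10.x.x internal addresses are constructed assumptions for the example.

```tmsh
# F5 sits in its own segment (vlan_f5, 10.10.10.0/24); server subnets are reached by routing.
create net self self_f5 address 10.10.10.2/24 vlan vlan_f5 allow-service none

# Web and DB tiers each get their own subnet behind the internal router (assumed gateway 10.10.10.1).
create net route rt_web network 10.10.20.0/24 gw 10.10.10.1
create net route rt_db  network 10.10.30.0/24 gw 10.10.10.1

# Pool of web servers in the web segment, health-checked on the only port the VS will forward to.
create ltm pool pool_web members add { 10.10.20.11:80 10.10.20.12:80 } monitor http

# SNAT automap rewrites the client source to the F5 self IP, so return traffic comes back
# through the out-of-path F5 instead of bypassing it; the servers see 10.10.10.2 as the client.
# Preserve the real client address for logging with X-Forwarded-For.
create ltm profile http http_xff defaults-from http insert-xforwarded-for enabled

# The VS listens only on 203.0.113.10:80/tcp; nothing else is exposed through it.
create ltm virtual vs_web destination 203.0.113.10:80 ip-protocol tcp profiles add { tcp http_xff } pool pool_web source-address-translation { type automap }

save sys config
```

Because the pool members only ever see traffic on port 80 from the F5's self IP, the security boundary is enforced by what the VS forwards (and, where needed, by AFM rules on each server segment) rather than by separating the VS and pool into different route domains.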
thanks a lot!