Updating the BIG-IP ASM attack signatures with route domain
Hi, I have one customer with an appliance with Route domains (version 12.1.1). The default route domain is configured only with one VLAN for HA with no other devices in this network. All other VLANs are linked to route domains and I need to configure Attack signature update using VLAN in route domain 1 instead of default RD. I tried to configure Proxy with command:

    modify /sys db proxy.host value ProxyIP%1
    modify /sys db proxy.port value ProxyPort

In ASM logs, I can see:

    Can't connect to callhome.f5.com:443 (Bad hostname 'ProxyIP%1')

Is there a solution to configure Attack signature update within another RD than default one?

302 Views, 0 likes, 0 Comments

Create IPv6 self-IP with Route Domains on 10.2.3
We need to create IPv6 self-IPs in a non-default Route Domain, but we are getting the following error:

    The vlan () for the specified self IP () must be one of the vlans in the associated route domain (0).

Seems the internal F5 logic interprets this as an IP address from Route Domain 0, although we are in a partition which is mapped to Route Domain 4 (doing this, you normally don't need to append the <%RD>). I verified this also on version 11.x and there it's not an issue. So is this a bug in version 10.2.3 or do I need to use a special format? Or isn't this kind of setup supported in such an old version? Thank you! Ciao Stefan 🙂

207 Views, 0 likes, 2 Comments

Communication between two route domain not happening
Hi All, I have two route domains configured on the BIG-IP system. RD1 is configured as parent for RD2. Strict isolation is enabled for both route domains. The default gateways for both route domains are internet routers on different VLANs. There are two different global forwarders for RD1 and RD2 separately. Now there is no communication happening from the server connected on RD1 to the destination server connected on RD2. The routes on F5 look like below.

    10.10.43.0%2/24     10.10.43.0%2/24  interface  /Common/F5_Infra_Svcs_APP  connected
    Default_Route_RD1   default%1        gw         10.11.22.254%1             static

Traffic is taking the default route rather than taking the directly connected route on RD2. Not sure what the problem is. Theoretically it should take the connected route on RD2 and go out, but unfortunately that is not happening here. Any clues?

203 Views, 0 likes, 0 Comments

iControl get_static_route_destination inconsistency
On get_static_route_destination on urn iControl:Networking/RouteTableV2 there is missing info regarding route domain on default gateway objects. Works fine on nondefault static routes. For example:

    root@(f5-test)(cfg-sync Standalone)(Active)(/Common)(tmos) list net route VLAN_99
    net route VLAN_99 {
        gw 192.168.254.214%834
        network default%99
    }

iControl req:

    <soapenv:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xmlns:mon="urn:iControl:Networking/RouteTableV2"
                      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:ins0="urn:iControl">
      <soapenv:Body>
        <mon:get_static_route_destination>
          <routes>
            <item>/Common/VLAN_99</item>
          </routes>
        </mon:get_static_route_destination>
      </soapenv:Body>
    </soapenv:Envelope>

iControl response:

    <E:Envelope xmlns:E="http://schemas.xmlsoap.org/soap/envelope/"
                xmlns:A="http://schemas.xmlsoap.org/soap/encoding/"
                xmlns:s="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:y="http://www.w3.org/2001/XMLSchema"
                xmlns:iControl="urn:iControl"
                E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <E:Body>
        <m:get_static_route_destinationResponse xmlns:m="urn:iControl:Networking/RouteTableV2">
          <return s:type="A:Array" A:arrayType="iControl:Networking.RouteTableV2.RouteDestination[1]">
            <item>
              <address s:type="y:string">0.0.0.0</address>
              <netmask s:type="y:string">0.0.0.0</netmask>
            </item>
          </return>
        </m:get_static_route_destinationResponse>
      </E:Body>
    </E:Envelope>

System info:

    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.5.0
      Build    2.0.231
      Edition  Hotfix HF2
      Date     Thu Apr 10 22:52:27 PDT 2014

So, is there a way to get info regarding the network route domain of the default route? On a nondefault route iControl returns the route domain in the address element of the response, so I'd expect it to behave the same with the default route. Thank you

182 Views, 0 likes, 0 Comments

Multiples Route Domain with OSPF
Hi everyone, We're trying to redistribute 3 different DNS Listeners via OSPF with Multiple Route Domains in a lab environment. In this case "DNS Listener 0" is working with RD0, "DNS Listener 1" with RD1 and "DNS Listener 2" with RD2, but every RD is working with OSPF. We got ARM licensed and each one of the IMI Shells is redistributing its respective Kernel Address. The RD0 has adjacency with the Router that is directly connected with the F5 BIG-IP, but neither RD1 nor RD2 has. We tried with different OSPF processes and areas with no luck whatsoever. Is it necessary to do an additional configuration in the F5 BIG-IP? Or is this a problem related to Networking? Here's a "sh run" command of the IMI Shell of RD2:

    no service password-encryption
    !
    interface lo
    !
    interface /Resolver-IT/VLAN40
     ip ospf network non-broadcast
     ip ospf cost 1
    !
    router ospf 2
     redistribute kernel
     network 40.0.0.0 0.0.0.255 area 0
     neighbor 40.0.0.1
    !

446 Views, 0 likes, 2 Comments

iRule for combination of FQDN pool member and route domains
I'm trying to configure an FQDN pool member for consuming a web service. The FQDN changes its IP addresses resolution periodically. I configured the pool member inside its non-default Partition and Route Domain. That means the pool member is not in the default 'Common' partition and not in the default route domain '0'. As soon as I created the FQDN pool member, I noticed that the dynamically created node, created as a result of the FQDN resolution IP, was assigned the default route domain '0'. I opened a case with support to get some clarification on this and got the following response:

"Unfortunately, Route domains are not supported with fqdn. We have logged in a Request For Enhancement, this, however, has no release date as of yet. 522465 RFE: Route domain support for FQDN nodes The most I can offer you is to request that this service request be added to that RFE. This will let our product development team that another customer is requesting this. Please let me know if you are interested in this."

After doing some research I found the following iRules on Codeshare:

https://devcentral.f5.com/s/articles/dynamic-ephemeral-node-fqdn-resolution-with-route-domains-with-dns-caching-irule-1148
https://devcentral.f5.com/s/question/0D51T00006j3E1I/fqdn-node-with-route-domains

I've tried both iRules on versions 12.1.2 and 14.1.2, but am getting different TCL errors. Has anyone been able to get the combination of FQDN pool members with a non-default route domain?

1.7K Views, 0 likes, 4 Comments

Migrating older F5 BIG-IP has 3 partitions & Route Domains (RD) to new F5 BIG-IP with 2 partion & RD
Hi everyone, I have an old appliance with 3 partitions and each partition has its own route domain. I want to terminate one of the partitions in the new appliance due to a change in the design. Is there any way to remove the partition before moving it to the new appliances, rather than migrating the configuration to the new appliance and starting to delete the configuration for a specific partition?

2K Views, 0 likes, 8 Comments

Change default Route Domain for a Partition - Python F5-SDK
I am trying to change the default route domain for a partition using the F5-SDK. Here's my code to create the partition and route domain:

    from f5.bigip import ManagementRoot

    # Connect to the BIG-IP management interface
    bigip = ManagementRoot('ipaddress', 'user', 'password')
    # Create the partition (a top-level folder)
    newpart = bigip.tm.sys.folders.folder.create(name='mypartition', subPath='/')
    # Create route domain 1 inside the new partition
    newrd = bigip.tm.net.route_domains.route_domain.create(name='myrd', id='1', partition='mypartition')

After running the script my partition is created and my route domain is created. Now I need to change the default route domain for my new partition. By default the partition gets assigned the default route domain 0. Here's what I've tried:

    newpart.update(default_rd_id='1')

If I browse the API https://localhost/mgmt/tm/sys/folder I can't find the value to modify:

    {
      kind: "tm:sys:folder:folderstate",
      name: "mypartition",
      subPath: "/",
      fullPath: "/mypartition",
      generation: 38,
      selfLink: "https://localhost/mgmt/tm/sys/folder/~mypartition?ver=12.1.2",
      deviceGroup: "none",
      hidden: "false",
      inheritedDevicegroup: "true",
      inheritedTrafficGroup: "true",
      noRefCheck: "false",
      trafficGroup: "/Common/traffic-group-1",
      trafficGroupReference: {
        link: "https://localhost/mgmt/tm/cm/traffic-group/~Common~traffic-group-1?ver=12.1.2"
      }

338 Views, 0 likes, 0 Comments

Multiple Route Domains in same partition
Hi all, So my doubt is, if there is anything wrong in creating more than one route domain in partition common? I want to create Route Domain 3 (0 is the default and already exists), in order to separate the routing table of a VIP/Network that will be created for Internet traffic only. For what I know I will have to create:

1 - Vlan
2 - Route Domain
3 - Assign created Vlan to Route Domain
4 - Self IP like 1.1.1.248%3 and assign created Vlan to it.
5 - VIP like 1.1.1.1%3
6 - Nodes - 2.2.2.2%3
7 - Static Route - 1.1.1.0%3 Gateway 1.1.1.254%3

Is this correct or do we have to pay attention to anything more? Is it better to create a partition for it, or is it fine to just have the 2 route domains in the same partition?

960 Views, 0 likes, 3 Comments