route domains
17 Topics

How do you handle Route Domains?
Through time, I've solved a million unique issues with route domains, as they allow you to lock down portions of your network, but more importantly, they allow you to overlap IP addresses. Some people find them scary. To me, I find that a simple organization plan at the beginning helps me to get things situated. I'm looking to see how other people approach design here.

Firstly, Route Domain 0 is special. I try to reserve that for 'on-box' communication, or critical data plane communication for services like DNS or upstream / downstream routes, depending on your use for the box, in general. I avoid putting any VIPs (besides SelfIPs or maybe a forwarding VS, if the need were there) on RD0 at all, as it is shared. If you think of your other route domains as 'tenants' of 0's 'host' services, you should succeed.

Community, if you've got a second, I'd love to hear your thoughts on this. How do you feel about route domains? Do you use IP overlap? Why or why not?

1.2K Views, 2 likes, 4 Comments

Route domain / partition problem
We have an LTM cluster running 14.1.4.1 and we have configured a number of route domains and partitions on it. All but one of the route domains have been separated from the Common partition and live in their own partition. The odd one seems to reside both in its own partition as well as in Common. As a number of virtual servers are active in this route domain (and are working fine), I'm reluctant to delete the partition and route domain, and start again from scratch.

I've tried editing the bigip.conf and bigip_base.conf files for both the Common and this partition, taking another partition as a template. However, when I issue "load sys config verify" I get the following error message:

01070973:3: The specified route domain (66) does not exist for address (<ip address>%66).
Unexpected Error: Loading configuration process failed.

The first item to be defined in bigip_base.conf is the route domain with this very id... Any clues as to what's causing this?

1.1K Views, 0 likes, 2 Comments

Problem when attempting to route between two route domains.
Hello, I have this scenario:

- A front-end vlan (vlan_one), belonging to Route Domain #1
- A back-end vlan (vlan_two), belonging to Route Domain #2
- Some virtual servers in between, to balance traffic from the front-end users to the back-end servers.

Now, some administrators behind a firewall connected to the front-end (vlan_one) need to reach the back-end servers directly, so routing between Route Domains #1 & #2 should be enabled. How can I perform the routing between both Route Domains?

I disabled the "strict isolation" on both Route Domains, plus within the Route Domain #1 (Front-End) I set the Route Domain #2 (Back-End) as its parent domain. But the routing does not seem to work. Do you think this is the right way to do that? Or did I leave something out?

Regards in advance.

395 Views, 0 likes, 2 Comments

Problem when attempting to route between two route domains.
Hello, I have this scenario:

- A front-end vlan (vlan_one), belonging to Route Domain #1
- A back-end vlan (vlan_two), belonging to Route Domain #2
- Some virtual servers in between, to balance traffic from the front-end users to the back-end servers.

Now, some administrators behind a firewall connected to the front-end (vlan_one) need to reach the back-end servers directly, so routing between Route Domains #1 & #2 should be enabled. How can I perform the routing between both Route Domains?

I disabled the "strict isolation" on both Route Domains, plus within the Route Domain #1 (Front-End) I set the Route Domain #2 (Back-End) as its parent domain. But the routing does not seem to work. Do you think this is the right way to do that? Or did I leave something out?

Regards in advance.

428 Views, 0 likes, 2 Comments

Route Domain Traffic logs
Hi all,

So, I have a question about checking for traffic coming through the BigIP. The customer has two route domains set up on their network, adding %1 & %2 on the respective networks. How would I capture the traffic coming into the BigIP, and the same traffic leaving, with the %1 or %2 attached to the IP address? I need to demonstrate to the customer what is happening to the traffic.

285 Views, 0 likes, 1 Comment

vCMP route-domain issue
Having a strange issue. F5 is logically inline between a firewall and the servers. I attempted to migrate from a virtual edition to vCMP guest and ran into a few issues. The main issue I am struggling with is that the vCMP guest, configured with partitions and route-domains, is not reachable on the server facing Self-IP from the client side.

Code 12.1.2

Let's say we have 2 VLANs in one partition/route-domain.

VLAN 10, 192.168.10.0/24 client facing
VLAN 20, 192.168.20.0/24 server facing

The route-domain in question has a default route with the gateway being a layer 3 VLAN on the firewall. The servers have a default gateway of the Floating Self-IP on the F5.

Virtual Edition:
- VLAN 10 and VLAN 20 Self-IP addresses are pingable from user networks through the firewall
- F5 can ping servers in VLAN 10 from VLAN 10 Self-IP
- Users can ping servers in VLAN 10 through the firewall

vCMP Guest:
- VLAN 10 Self IP addresses are pingable from the user networks through the firewall
- VLAN 20 Self IP addresses are unresponsive
- F5 can ping servers in VLAN 10 from VLAN 10 Self-IP
- Users CANNOT ping server in VLAN 10 through the firewall

bigip.conf file objects were copied from Virtual Edition partition to vCMP guest partition. All bigip_base.conf objects were created manually. 4 partitions/route-domains in total, each set up similarly, all have the same issue.

Per F5 instructions:
- inherited VLANs from host
- deleted VLANs in guest
- created route-domains
- created partitions with appropriate route-domain set as default for partition
- re-created VLANs inside appropriate partitions

Not really sure where to begin. Probably should have restarted MCPD, but didn't get a chance before rollback. Am I missing something, or could it have just been an MCPD issue?

328 Views, 0 likes, 1 Comment

Route domain Question- Please help
We have two environments, env-A and env-B, which need to be configured on the same F5 device, which has LTM, GTM and AFM enabled. We are planning to implement different route domains for these two environments, which are not sharing routes.

Since we have separate IP subnets for env-A and env-B, do we need to mention %id on GTM and AFM to allow traffic?

Env-A has all rules allowed for AFM and Env-B should be blocked and allowed only for specific IP addresses. Is it possible?

Do we need different GTM listeners for different route domains?

-Freeky

358 Views, 0 likes, 6 Comments

Provide internet access for servers behind the LTM configured with 2 different route domains (Outside/Inside)
Hello everybody,

Would you please help me provide internet access for one of my servers behind the LTM? I know how to do it without route domains, but because of the IPS Passthrough design I configured two different route domains. Traffic from outbound (route domain outside) to inbound (route domain inside) is working fine, but from inside to outside is not working. Any ideas appreciated.

290 Views, 0 likes, 1 Comment

OCSP with Route Domains
At the moment I don't know exactly which heading is best to use for my problem. So let me explain my current pain.

We are migrating an existing F5 configuration from a different service provider. One of the VS is using client certs with OCSP checking. In addition to that they are using Route Domains. They don't use the APM, but standard LTM features. For their OCSP-URL they used another internal VS (10.1.1.1), I assume as a workaround due to Route Domain restrictions. The original VS is in RD3 and the workaround VS is in RD0 (Common). This workaround VS has an iRule assigned with the command "node %3". I also found out that all their Route Domains have the "strict isolated" option disabled (but I don't know if this comes from an older version, where this was the default, or if it was required to get it working).

I migrated all the config 1:1 to our new F5 and my current problem is that I don't see any outgoing traffic towards the OCSP-URL with tcpdump. And as I'm not really familiar with OCSP, I don't know how to further troubleshoot this. The new F5 also has the APM licensed, so an implementation via an APM policy could also be an option if this is maybe easier. And we are running on 11.5.3.

So one of my questions is, are there any restrictions with OCSP and Route Domains? And as I already mentioned, how can I further troubleshoot this? It would also be fine to build it from scratch or even use the APM. Any additional hints and tips would be very helpful.

Thank you!

Ciao Stefan :)

384 Views, 0 likes, 3 Comments