Forum Discussion

ndubey2's avatar
ndubey2
Icon for Altostratus rankAltostratus
Feb 29, 2024

Routing between two traffic group

Hello All, 

I got a situation where I have a VIP configured in traffic group1 and backend server configured in traffic group2, is there a way we can get this work? 

its a two arm mode deployment. VIP is part of a partition traffic group1 (partition A) and backend server is part of traffic group2 (partition2) backend server VLAN is not available in partition A. 

Please share your opinion.

 

Thanks,  

application delivery

5 Replies

Sort By
  • Amine_Kadimi's avatar
    Amine_Kadimi
    Icon for MVP rankMVP
    Feb 29, 2024

    Hi,

     

    I assume you mean route domains instead of traffic groups, as the latter are not involved in forwarding decisions to the backend servers.

    Please, make sure you understand route domains isolations and check the section "Traffic forwarding across route domains" from Route Domains (f5.com)

  • ndubey2's avatar
    ndubey2
    Icon for Altostratus rankAltostratus
    Feb 29, 2024

    Yes, it is route domain. Even if there are two route domain available. Suppose if I call route domain2 backend server under VIP1 which is part of route domain1, will it be able to communicate when traffic hit VIP1, will it be able to redirect those traffic to backend server?

     

    • Amine_Kadimi's avatar
      Amine_Kadimi
      Icon for MVP rankMVP
      Mar 01, 2024

      You can either disable strict isolation on both route domains or use the parent-child relationship between route domains. While this resolves the problem, it may break your business logic for which you implemented route domains, so depending on your needs it may be better to use an external routing node.  

      Quoting the doc:

      About parent IDs:

      When you create a route domain, you can specify the ID of another route domain as the parent route domain. The parent ID identifies another route domain that the system can search to find a route if the system cannot find the route within the child route domain.

      About strict isolation:

      You can control the forwarding of traffic across route domain boundaries by configuring the strict isolation feature of a route domain:

      • If strict isolation is enabled, the BIG-IP® system allows traffic forwarding from that route domain to the specified parent route domain only. This is the default behavior. Note that for successful isolation, you must enable the strict isolation feature on both the child and the parent route domains.
      • If strict isolation is disabled, the BIG-IP system allows traffic forwarding from that route domain to any route domain on the system, without the need to define a parent-child relationship between route domains. Note that in this case, for successful forwarding, you must disable the strict isolation feature on both the forwarding route domain and the target route domain (that is, the route domain to which the traffic is being forwarded).

       

  • lnxgeek's avatar
    lnxgeek
    Icon for MVP rankMVP
    Mar 01, 2024

    ndubey2 If you have strict isolation set on the route domains you can only move from VS to backend via a external routing device (firewall, router etc.). Traffic will leave the device, get routed back to the vlan sitting in the other route domain, and then reach the backend.

    I know you can shortcircuit between two route domains, but I have never done it myself.

  • ndubey2's avatar
    ndubey2
    Icon for Altostratus rankAltostratus
    Mar 02, 2024

    lnxgeekAmine_Kadimi

    Yes, I have strict isolation in place. when I am checking route (using command ip r g) for backend server which is part of route domain2, it going via default route and default route is configured on distribution switch. Hope, this will allow VIP which is part of route domain1 to communicate with backend server which is part of route domain2