Forum Discussion

js_168189
Sep 25, 2015

vip in different route domains that node

Our F5 LTM is set up in two different route domains: %1 is internal and %30 is DMZ. Each route domain goes to its own security interface on our firewall. The firewall blocks or allows traffic between the route domains. We have a request to set up a VIP in %30 and then have the nodes in the %1 route domain. So the client request would come through: client----->VIP---->Firewall---->node---->firewall--->VIP----client. I have the VIP set up and traffic is reaching it, but traffic does not go out to the nodes. The nodes and VIP are for HTTPS. Client and server profiles are correct and were tested with a VIP in the same subnet. 443 is allowed on the firewall between the two different route domains. Does anyone have a configuration example of this, or is it possible? SNAT automap is configured on the VIP. Route domains are in strict isolation. Firewall is an ASA. Thanks.


2 Replies

  • This is not possible the way you describe. Your nodes need to be in the same route domain as the VIP with strict isolation turned on. However, if you are using RD%1 just to route to your servers/nodes in that network it is perfectly valid to create your nodes in RD%30 as it will route out to the firewall and back to your RD%1 provided you don't add a self IP in RD%30 for your subnet that lives in RD%1. We do this now for some services. Hope this helps.


  • If you don't need strict isolation, you can configure one route domain to use a parent route domain if required. In this case it will check the routing to see where to send the traffic to the nodes in RD%1.
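An added tmsh configuration sketch covering both replies (this is not the original poster's config, either replier's, or anything from F5 documentation). Route-domain names, VLAN names, and the 192.0.2.x / 10.1.1.x addresses are constructed placeholders; adjust them to your own addressing.

```tmsh
# Option A (first reply): keep strict isolation and put the internal servers
# into RD%30 as nodes. RD%30 then routes to them through the ASA, and the
# return traffic comes back through the ASA to the RD%30 SNAT address.

# Route domains, strict isolation on, one VLAN each (constructed names)
create net route-domain rd1  id 1  strict enabled vlans add { internal }
create net route-domain rd30 id 30 strict enabled vlans add { dmz }

# Route in RD%30 for the internal server subnet, next hop = ASA DMZ interface.
# Do NOT add a self IP for 10.1.1.0/24 inside RD%30: with a directly connected
# self IP the LTM would ARP for the servers itself instead of using this route.
create net route to_internal_rd30 network 10.1.1.0%30/24 gw 192.0.2.1%30

# Pool members carry the %30 suffix, so the nodes are created in RD%30 even
# though the addresses belong to the internal network.
create ltm pool web_pool_rd30 members add { 10.1.1.10%30:443 10.1.1.11%30:443 } monitor https

# HTTPS VIP in the DMZ with SNAT automap (source becomes an RD%30 self IP),
# so the ASA sees DMZ -> internal traffic and can apply its 443 rule.
create ltm virtual vs_web_dmz destination 192.0.2.10%30:443 ip-protocol tcp profiles add { tcp { } clientssl { context clientside } serverssl { context serverside } } pool web_pool_rd30 source-address-translation { type automap }

# Option B (second reply): give up strict isolation on RD%30 and make RD%1 its
# parent. A destination that is not found in RD%30's routing table is then
# looked up in RD%1, so members can stay as 10.1.1.10%1:443 etc.
# Note that traffic resolved through RD%1 leaves on RD%1's VLAN directly and
# no longer passes through the ASA between the two zones.
modify net route-domain rd30 strict disabled parent rd1
```

Check the result with `show net route-domain` and `tmsh show ltm pool web_pool_rd30 members` (monitor status) before relying on it; a pool member stuck down usually means the route or the firewall rule in the chosen option is missing.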