Forum Discussion

F5_Freek_243545's avatar
F5_Freek_243545
Icon for Nimbostratus rankNimbostratus
Jan 14, 2016

Route domain Question- Please help

We have two enviornment env-A and env-B which needs to configure in same F5 device which has LTM, GTM and AFM enabled. We are planning to implement different route domains for these two enviornment which is not sharing the routes.

 

  1. Since we have separate IP subnet for env-A and env-B, Do we need to mention %id on GTM and AFM to allow traffic?
  2. Env-A has all rules allowed for AFM and Env-B should be blocked and allow only for specefic IP address. Is it possible?
  3. Do we need different GTM listeners for different route domains?

-Freeky

 

AFM
BIG-IP
devops
route domains

6 Replies

Sort By
  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Jan 14, 2016
    1. Yes, you would need to use %id, unless you create partition for each and change the default route domain for the partition(
      tmsh  modify auth partition env-A default-route-domain
      ). That will automatically append the %id in the background for you so you don't have to worry about it provided you create the objects in the partition.
    2. Yes, you can add policy to the route domain scope if you so wish.
    3. Only if you enable strict isolation on your route domains.
  • F5_Freek_243545's avatar
    F5_Freek_243545
    Icon for Nimbostratus rankNimbostratus
    Jan 15, 2016

    Thanks Brad. That helps a lot.

     

    One more question.

     

    My L3 router forwards traffic for 10.1.1.0/24 to F5. How does F5 decide which route domain to recieve the traffic if we are using the same subnet for both route domains?

     

    • Brad_Parker's avatar
      Brad_Parker
      Icon for Cirrus rankCirrus
      Jan 15, 2016
      The route domain will be determined by the VLAN the packet arrives on. A VLAN can only be part of one route domain, so whatever the VLAN it arrives on determines the route domain.
  • F5_Freek_243545's avatar
    F5_Freek_243545
    Icon for Nimbostratus rankNimbostratus
    Jan 15, 2016

    I have GTM used to create www.myapp.com as wideip. This will be pointed to the LTM created in route domain 2.

     

    But in the F5 documentation it says 'For systems that include both BIG-IP Local Traffic Manager (LTM) and BIG-IP Global Traffic Manager (GTM), you can configure route domains on internal interfaces only.'

     

    What does it mean? Can't we have VIP configured with route domain 2 and add to GTM wide ip pool?

     

    • Chris_Grant's avatar
      Chris_Grant
      Icon for Employee rankEmployee
      Feb 04, 2016
      Bear in mind that the GTM is handing out IP addresses to DNS resolvers which won't know anything about your route domains. So it doesn't make sense to have a route domain on a GMT object.
    • Deep_287674's avatar
      Deep_287674
      Icon for Nimbostratus rankNimbostratus
      Sep 08, 2016

      Well as per my understanding we can create two separate route Domain One for F5 AFM and another for F5 GTM and % can be used to determine the particular route domain and separate the traffic.