Forum Discussion

Eric_Chen
Jan 15, 2014

Administrative Partitions Conventions

What conventions do people use for creating Administrative partitions? I'm setting up an F5 that will have multiple traffic groups (3 devices) and route domains (two different gateways) and my initial plan is to have a scheme of:

/network-1 (route-domain-0, traffic-group-1, vlan1,2, selfip1.., forward_vs1)
/network-2 (route-domain-1, traffic-group-2, vlan3,4, selfip2.., forward_vs2)
...

/customer-1 (route-domain-0, traffic-group-1, vs1, pool1, policy1..)
/customer-2 (route-domain-1, traffic-group-2, vs2, pool2, policy2..) 
...

Does that look sane, or will I get into trouble with how object referencing behaves across partitions? Is it better to place VLANs/Self IPs in /Common? Any pointers on real-world examples of F5 configurations?

Thanks,

Eric

2 Replies

  • We have a multi-tenant setup. We keep /Common and route domain 0 as empty as possible. That keeps us from having any issues where clients can talk to each other without being directed through their respective firewalls.

    If you are doing large-scale multi-tenancy, be aware there is a limit to the number of objects you can create in an F5. While doing scale testing we found that we could only get about 10,000 total objects created (each VIP, pool, node, iRule, profile, etc. is an object) before the F5 went tango uniform. This number of objects varies based on the resources your F5 has (memory, essentially).

    Also, we went with a single partition for customer domains (we manage them, so no reason to split the admin partitions) and put each customer in their own route domain. When creating a separate admin partition for each customer, the BIG-IP will create separate files. This is not a problem, except that when you save/load a config, it opens a file handle for every single file at once and attempts to write to every single file at once. The result is that we get massive I/O load on the F5 that brings everything to a crawl, and at about 800 (again, on our particular pieces of hardware) total admin partitions the system failed to return from the I/O load.

    Hope this helps, sorry it's so wordy.

    Jason

  • I would definitely say keep route-domain 0 separate and put all HA config in that RD.

    I would suggest assigning 10 onwards as customer RDs and keeping all figures common, e.g.

    customer-1: RD 10, TG 10, VLANs 10 - 19, self-IPs 10 - 19, VS 10_x, pool 10_x
    customer-2: RD 20, TG 20, VLANs 20 - 29, self-IPs 20 - 29, VS 20_x, pool 20_x

    Create users and groups using these figures as well, and maintain it at all times; otherwise everything will get very confusing.
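A consistency check for the numbering scheme in the reply above, added here as an example and not taken from the thread or from F5: it assumes customer-N maps to route domain 10*N as in that reply, describes objects as plain dicts (a constructed sample, not tmsh output), and uses BIG-IP's real ip%rd address suffix; the partition names, object names and addresses are made up. It flags the two slips the first reply warns about: an address landing in another tenant's route domain, and an object referencing another tenant's partition.

```python
import re

# Convention from the reply above: customer-N owns route domain 10*N, traffic
# group 10*N and VLAN tags 10*N..10*N+9, and object names carry "10_x" style ids.
PATH_RE = re.compile(r"^/(customer-(\d+))/([^/]+)$")

def address_rd(addr, default_rd):
    """BIG-IP writes addresses as ip%rd; a bare address uses the partition default."""
    return int(addr.rsplit("%", 1)[1]) if "%" in addr else default_rd

def check_tenant_isolation(objects, default_rds):
    """objects: dicts with 'path' plus optional 'addr', 'vlan_tag', 'refs'.
    default_rds: partition name -> its default route domain id.
    Returns violation strings; an empty list means the convention holds."""
    problems = []
    for obj in objects:
        m = PATH_RE.match(obj["path"])
        if not m:  # /Common and other non-customer objects are out of scope here
            continue
        part, n, name = m.group(1), int(m.group(2)), m.group(3)
        want = 10 * n
        if "addr" in obj:
            rd = address_rd(obj["addr"], default_rds.get(part))
            if rd != want:
                problems.append(f"{obj['path']}: {obj['addr']} sits in RD {rd}, expected {want}")
        tag = obj.get("vlan_tag", want)
        if not want <= tag <= want + 9:
            problems.append(f"{obj['path']}: VLAN tag {tag} outside {want}-{want + 9}")
        if not re.search(rf"(^|_){want}_", name):
            problems.append(f"{obj['path']}: name does not carry the RD number {want}")
        for ref in obj.get("refs", []):
            rm = PATH_RE.match(ref)
            if rm and rm.group(1) != part:
                problems.append(f"{obj['path']}: references {ref} in another tenant's partition")
    return problems

# Constructed sample: customer-1 follows the scheme, customer-2 has two slips.
DEFAULT_RDS = {"customer-1": 10, "customer-2": 20}
OBJECTS = [
    {"path": "/customer-1/vlan_10_1", "vlan_tag": 11},
    {"path": "/customer-1/self_10_1", "addr": "10.1.0.2%10"},
    {"path": "/customer-1/pool_10_1", "refs": ["/customer-1/node_10_1"]},
    {"path": "/customer-1/vs_10_1", "addr": "10.1.0.100", "refs": ["/customer-1/pool_10_1"]},
    # the "%10" suffix drops this tenant-2 VIP into customer-1's route domain
    {"path": "/customer-2/vs_20_1", "addr": "10.2.0.100%10", "refs": ["/customer-2/pool_20_1"]},
    # pool member borrowed from another tenant: reachable without the firewall hop
    {"path": "/customer-2/pool_20_1", "refs": ["/customer-1/node_10_1"]},
]
```

Run it against an export of your own objects before a save/load; anything it prints is a tenant boundary that depends on the route domain rather than on the convention.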