Forum Discussion

Nick_T_68319
Feb 03, 2014

VLAN segmenting

We are about to L3 firewall off each of our VLANs in our network. Right now on the F5 we have a single default gateway set. Once we have set up the firewalls, we will need to make sure the traffic goes back out the right segment. What is the best way to accomplish this? Set up a route domain for each VRF?

 

10 Replies

  • Without having much information about your network, take a look at auto last hop and see if that may help you out. If not, please feel free to post more information about your network so we can better understand.

     

    http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13876.html

     

  • Auto last hop will definitely take care of all reply traffic, but anything originated by the servers would be subject to be routed by the system. That would most likely require route domains configured without a parent domain, and strict isolation per VRF.

     

    This does assume that you want the F5 to be inside of the security zone for each VRF. You could also do your load balancing outside of those VRFs, and allow the load balancer to communicate into the security zone to the server. This would require the use of SNAT, and some firewall admission.

     

    A third option would be to use VCMP to host separate BigIP instances per VRF. You may not have hardware capable of doing this, but depending on the requirement you are looking to fulfill could be a viable option. I added this in case others are looking to do something similar, but have a clean slate to work with.

     

    CW

     


  • If the F5 is inline (in the routing path with forwarding virtuals to route traffic through) then you would need route domains as CW says, however if the F5 is only being used for host virtuals, then you don't need route domains - the traffic is naturally segregated. Of course, route domains do add an extra layer of protection against 'accidental' misconfiguration.
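
For readers who want to see what the "route domains on an inline F5" configuration above looks like in practice, here is an added tmsh example. It is not from this thread or from F5's documentation; the route domain name and ID, VLAN names, self IP and gateway addresses, and the virtual server name are constructed placeholders, and it assumes the two VLANs already exist and that the box runs a TMOS release with tmsh (11.x-era syntax). It builds one strictly isolated route domain for a single VRF, puts both the ingress and egress self IPs in it, gives it its own default route toward that VRF's firewall, and enables auto last hop on the forwarding virtual so reply traffic goes back the way it came.

```tmsh
# Added example, not the thread author's or F5's own config. All names,
# IDs and addresses below are constructed placeholders.

# 1. One route domain per VRF. No parent is set, so lookups never fall
#    through to route domain 0; "strict enabled" refuses any forwarding
#    between this route domain and another one.
create net route-domain rd_vrf10 id 10 strict enabled vlans add { vlan_vrf10_in vlan_vrf10_out }

# 2. Self IPs for the ingress and egress VLANs sit in the same route
#    domain (the %10 suffix), which an inline deployment requires.
create net self 10.10.1.5%10/24 vlan vlan_vrf10_in allow-service none
create net self 10.10.2.5%10/24 vlan vlan_vrf10_out allow-service none

# 3. A default route that exists only inside rd_vrf10, pointing at the
#    firewall that fronts this VRF (constructed address).
create net route default_rd_vrf10 network 0.0.0.0%10/0 gw 10.10.2.1%10

# 4. The forwarding virtual that carries VRF 10 traffic through the box.
#    auto-lasthop sends replies back to the MAC they arrived from, so
#    return traffic is not subject to the route table at all.
create ltm virtual fwd_rd_vrf10 destination 0.0.0.0%10:0 mask any ip-forward \
    vlans add { vlan_vrf10_in } vlans-enabled auto-lasthop enabled

save sys config
```

Repeat steps 1 to 4 with a new ID, VLAN pair and addresses for each additional VRF. A quick check after applying it is `show net route-domain rd_vrf10` (to confirm strict is enabled and both VLANs are attached) and `list net route default_rd_vrf10`; with strict isolation on, a host in VRF 10 that tries to reach a self IP or virtual in another route domain should simply get no route, which is the behaviour the reply above describes as protection against accidental misconfiguration.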

     

    • Nick_T_68319
      Awesome, thank you. Yes it is inline. That's what I'm thinking too. A bit more work to set it all up, but once it's all set up it should be good.
  • Not for each VLAN as presumably you will have an ingress and egress vlan if the F5 is inline, so the self-ips for those vlans would all need to be in the same route domain.

     

  • So I already have all my VLANs, Self IPs, nodes, Virtual Servers, etc. in partitions. Can I create a route domain and make that route domain the default one for that partition? Will it update all those to that route domain?