Could you please help me to know the use cases of Routing domain and Partition?
Does a new partition, other than the Common partition, need a separate routing domain other than the default routing domain?
Route domains are primarily used where you need to use the same IP address space for separate environments, and control/restrict traffic flow between them.
This is useful for lab/test environments (as the address space can be the same as live), or for multi-tenanted environments.
Partitions are used to separate and delegate administrative permissions. They have nothing in common with route domains.
E.g. you have 2 admins and 2 VIPs. You want admin 1 to manage vip1 and have no access to vip2. Admin 2 needs to manage vip2 and should not have access to manage vip1.
In that case you create 2 partitions and assign different privileges to the admins.
Admin1 has full access to objects in partition1 and has no access to partition2.
Admin2 has full access to objects in partition2 and has no access to partition1.
You create VIP1 under P1 and VIP2 under P2. Now you have achieved your initial goals.
Route domains are designed to create separate network segments where you can use the same IP subnet as in other domains. Route domains have more in common with VRF from a routing point of view.
Let's say that for some reason you have 2 customers/departments who use the same IP subnet and you want BIG-IP to serve requests coming from these subnets, but you do not want customer1 to access resources in the subnet of customer2 and vice versa. In that case you create two route domains. You can still use the same subnet to create VIPs, but traffic from the subnet of customer1 will not be mixed with traffic from the subnet of customer2.
Partitions are designed for administration purposes.
Route domains are for routing purposes.
That is probably stupid simple but I can't figure it out. How can I create a user with admin-like privileges only in a given partition?
Administrator and Resource Administrator have access to all partitions.
Operator, Manager, FW manager can have a specific partition set. However, when logging in with those roles I can't create self IPs.
Is there any role other than Administrator or Resource Administrator allowed to configure Self IPs?
I am asking because from the description here https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/vcmp-administration-viprion-12-1-1/15.html it seems like there is a role that limits such tasks to a given partition:
Creating floating self IP addresses
As a customer administrator, you create two floating self IP addresses for each customer route domain, one address for the internal network and one address for the external network.
Customer administrator seems to be limited to only a specific partition (as opposed to guest administrator with access to all).
Partitions were first created to manage administrative roles.
In the real world, partitions are used to split the configuration of different environments even if they are managed by the same admin team.
Route domains are used to configure bigip interfaces and prevent routing.
You can use both features without the other but it’s recommended to use partition when using route domains to prevent the use of %rd in ip addresses.
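As an added illustration (not code from this thread or from F5), the following Python sketch models how an address resolves to an effective route domain: an explicit `%rd` suffix wins, otherwise the partition's default route domain applies. It then flags only real collisions, meaning the same IP in the same route domain. The partition names, route domain IDs and addresses are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: partition -> default route domain ID (assumed values).
PARTITION_DEFAULT_RD = {"Common": 0, "P1": 1, "P2": 2}

# Constructed objects: (full object path, address as an admin would type it).
OBJECTS = [
    ("/P1/vip1", "10.1.1.10"),          # no suffix: inherits P1's default, rd 1
    ("/P2/vip2", "10.1.1.10"),          # same IP, inherits rd 2: no conflict
    ("/Common/vip3", "10.1.1.10%2"),    # explicit %2: collides with /P2/vip2
    ("/Common/self_ext", "192.0.2.5"),  # no suffix in Common: rd 0
]


def resolve(path, address, defaults=PARTITION_DEFAULT_RD):
    """Return (ip, route_domain_id) for an address with an optional %rd suffix."""
    partition = path.strip("/").split("/")[0]
    if partition not in defaults:
        raise ValueError(f"unknown partition in {path!r}")
    ip_text, sep, rd_text = address.partition("%")
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on a malformed IP
    if sep:
        if not rd_text.isdigit():
            raise ValueError(f"bad route domain suffix in {address!r}")
        return ip, int(rd_text)
    return ip, defaults[partition]


def find_conflicts(objects, defaults=PARTITION_DEFAULT_RD):
    """Group objects by effective (ip, rd); keep only keys used more than once."""
    seen = defaultdict(list)
    for path, address in objects:
        seen[resolve(path, address, defaults)].append(path)
    return {key: paths for key, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    for (ip, rd), paths in find_conflicts(OBJECTS).items():
        print(f"{ip}%{rd} is used by {', '.join(paths)}")
```

Running the same check over an exported object list shows which overlapping addresses are legitimately separated by route domains and which ones share a route domain across partitions.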
If we are using the same IP in different Routing Domains, won't it conflict in the upstream router or switch where the SVI of F5 VLANs are also configured?
In other words could you please help me to know how the IP conflict is avoided in the upstream Network where RD is configured on LB?
Hi Thiyagu, this question needs to be addressed to the vendor of your router, and the device has to support the VRF option.
VRF is nothing but RD in F5. No IP conflicts happen here.
Example: you have two web servers, one at vlan100 and the other at vlan200. Let us say you are using a firewall acting as the default GW for F5; then for users in VLAN 100, return traffic should go via the vlan100 interface in the firewall, and the same applies for vlan 200 users as well. If you do not use VRF (route domains in F5) routing, then the firewall will block return traffic from F5. So in this scenario we should use RD in F5 to solve this problem.