Route Domains

Question

I have an LTM HA Pair v10.1.0 in a one-armed configuration.
My goal is to be able to load balance nodes from a new subnet/VLAN 10.104.2.0/24 VLAN 2, and have the VIP reside on the existing subnet/vlan 10.104.1.0/24 VLAN 1, but I want the new subnet to be isolated from any nodes on the existing subnet from reaching it.&nbsp;
My current VIPs, nodes, self and floating IP's are in the 10.104.1.0 subnet on VLAN 1.
The new subnet 10.104.2.0 is on VLAN 2.
My default route domain is 0 for all of my 10.104.1.0 address space.
I created the route domain 1 for 10.104.2.0 on a separate physical interface.
I don't want any of the nodes, nor VIPs, nor self/floating IP's to cross domains and communicate with one another other than a particular VIP in the 10.104.1.0 that I specify.&nbsp;
I've created the new self IP and floating IP with %1.&nbsp;
I get an error when I try to add the new gateway 10.104.2.1.
Error:
01070330:3: Static route gateway 10.104.2.1 is not directly connected via an interface.
Though I can ping this gateway and the new floating IP from my desk and the router, but not the LTM.  The floating IP is in the ARP table of the router, and the router configuration for VLAN 2 is similar to VLAN 1.&nbsp;
So if adding the gateway would have worked, my next step would have been to create the VIP as 10.104.1.X%1 with pool member 10.104.2.X%1:80.&nbsp;
Is there another way to make this cross domain communication happen, or is this implementation not possible?  Maybe a GTM is the only way to solve this.&nbsp;
Thanks in advance.&nbsp;

kunjan · Answer

For the routing issue, have you tried specifying the route domain when you were adding the route? 
&nbsp; &nbsp;
Didn't really get the purpose of adding '10.104.1.X%1' VIP. But if your intention is to create VS in RD0 and Pool member in RD1, you need to disable the strict isolation.&nbsp;

ltmbanter_43291 · Answer

Thanks Kunjan.&nbsp;
When you say specify the route domain you mean:
10.104.2.1%1 as the gateway?&nbsp;
I didn't think it through with the 10.104.1.X%1 VIP.  The application engineers want to load balance nodes from both the 10.104.1.0 subnet and the 10.104.2.0 subnet, and they have a DNS entry tied to the 10.104.1.X VIP.  So if I did a %1, then the nodes from %0 wouldn't be reached.  I suppose that's why you recommended disabling Strict Isolation.
Also, if I disable strict isolation, that will allow the 10.104.1.0/24 nodes to be able to communicate with the 10.104.2.0/24 nodes.&nbsp;
So, what I am trying to accomplish doesn't quite make sense.  If I need strict isolation, then all nodes/VIPs will have to be in the same subnet.&nbsp;
And if I get the nodes all over to the 10.104.2.0 subnet, then I can enable strict isolation and %1 route domain where necessary.&nbsp;
Thanks so much.&nbsp;

kunjan · Answer

When you say specify the route domain you mean: 10.104.2.1%1 as the gateway?&nbsp;

Yes, correct.&nbsp;
It might be useful to know in 11.5 onwards, you can have DNS server specific to a RD. Not sure it will address your limitation with RD0.&nbsp;

Forum Discussion

Route Domains

3 Replies

Recent Discussions

About custome Response Blocking Page

About IPI check ip list

Cookie Violation - Expired TimeStamp.

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

CGNAT with DS-lite and LSN

Related Content

FQDN nodes in non-default route domains

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

How to find route domain OID

Enriching AFM with public domain Threat Intelligence

BIG-IP BGP Routing Protocol Configuration And Use Cases