Forum Discussion

Brad_146558
Nimbostratus
Aug 04, 2016

Route Domains and VLANs

I'm starting a project to separate our F5 into 3 different route domains: one each for DMZ, Prod and Non-Prod. As I started the planning and sorting out which virtual servers would go into which route domains, I realized something: what about the VLANs?

Do VLANs have to be associated with a route domain?

This question comes up because the network that houses all of our VIPs exists on a single VLAN. How can I carve up the VIPs on this network into multiple route domains if I can only associate a VLAN with a single route domain?

I'm kind of stuck because I don't really understand how route domains relate to and work with VLANs.

Thanks in advance everyone! =)

12 Replies

  • You can have the virtuals reside in route domain 0 and put the various pool members into separate route domains and establish parent-child route domain relationships. I don't know that route domains are what you really want to do though. Think of them like a VRF. They're not so much a security measure (just like routing isn't a security measure).


    • Brad_146558
      Nimbostratus

      Route domains were a compromise with our security team; they really don't like the fact that we only have one F5, and when we put in our routes originally to separate the traffic we ran into some asymmetric routing issues. The idea behind implementing route domains was to get us past the routing issue and allow us to route specific traffic over certain routes to make sure that DMZ traffic never touches Prod traffic, etc.


      I know the whole thing sounds a little crazy, and the way we originally had it set up worked just fine, but security didn't like it.


    • Brad_146558
      Nimbostratus

      However, I really do like your idea of leaving the virtual servers on Common and putting pools into the route domains. That may work for us! I'll do some additional testing.


    • ekaleido
      Cirrus

      I can sympathize with having to make compromises with "security" teams. ;)



  • Why are you separating out the route domains? Are you looking to truly create separation between the three environments, or are you content to let them run in the same context? If it is the former, then you need to go further than just route domains. With just route domains in place, it will be possible on the F5 to create configurations that can traverse the zones and potentially bypass external security.


    If you are looking for full separation, then you will need to plan individual partitions for each area, with a route domain and VLANs associated that have no parent route domain. That is the only true way to create full separation on a common instance.
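An added tmsh sketch, not from any poster in this thread, of the two layouts discussed above: the parent-child design from the first reply and the per-partition isolated design from the last reply. Every VLAN, interface, tag, partition, route-domain and address value below is assumed.

```tmsh
# Added example (not from the thread). Assumed names and values throughout.

# --- Design 1: virtuals stay in route domain 0; pool members live in child
# route domains whose parent is 0. A route lookup that misses in the child
# falls through to the parent table, so the zones are NOT isolated from
# each other on the box; this is the "VRF-like" layout, not a security boundary.
create net vlan vlan_prod interfaces add { 1.1 { tagged } } tag 101
create net vlan vlan_nonprod interfaces add { 1.1 { tagged } } tag 102
# New /Common VLANs land in the partition default route domain (0); detach
# them before handing them to the child domains (a VLAN belongs to one RD only).
modify net route-domain 0 vlans delete { vlan_prod vlan_nonprod }
create net route-domain rd_prod id 1 parent 0 vlans add { vlan_prod }
create net route-domain rd_nonprod id 2 parent 0 vlans add { vlan_nonprod }
# The VIP keeps its address on the shared VLAN in RD 0; members are addressed
# with the %<id> suffix so the VS reaches them through the child domain.
create ltm pool pool_prod members add { 10.10.1.10%1:80 10.10.1.11%1:80 }
create ltm virtual vs_prod destination 192.0.2.10:80 pool pool_prod

# --- Design 2: one partition per zone with its own route domain, no parent,
# strict isolation on (the default). Objects in the partition inherit the
# partition's default route domain, so nothing needs a %<id> suffix and the
# zone has no fall-through into any other domain.
create auth partition DMZ
create net route-domain /DMZ/rd_dmz id 20 strict enabled
modify auth partition DMZ default-route-domain 20
# Created after the default was set, so the VLAN is assigned to RD 20, not 0.
create net vlan /DMZ/vlan_dmz interfaces add { 1.2 { tagged } } tag 201
create net self /DMZ/self_dmz address 10.20.1.1/24 vlan /DMZ/vlan_dmz
# 10.20.1.10:80 here resolves as 10.20.1.10%20:80 because of the partition default.
create ltm pool /DMZ/pool_dmz members add { 10.20.1.10:80 }
create ltm virtual /DMZ/vs_dmz destination 10.20.1.100:443 pool /DMZ/pool_dmz

# Check: the isolated domain should show its VLAN, no parent, and strict enabled;
# the parent-child domains will show "parent 0", which is the fall-through path.
list net route-domain /DMZ/rd_dmz
list net route-domain rd_prod
```

In Design 2 the VIP has to sit on an address in that zone's own VLAN (the 10.20.1.0/24 self IP above), which is the part of the original question the single shared VIP VLAN does not allow.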