AskF5 Knowledge Base
- Home
- Supported Products
- BIG-IP LTM / VE
- TMOS Management Guide for BIG-IP Systems
- Configuring Route Domains
Applies To:
Show Versions
Manual Chapter: Configuring Route Domains
As network costs and security concerns increase for enterprise-wide computing organizations, there is a growing need for these organizations to consolidate router resources and implement new access-control policies. The route domains feature of the BIG-IP® system addresses these needs. This feature is optional.
Route domains give you the ability to segment (isolate) network traffic for different applications on the network. The BIG-IP system can process traffic for each application within its own route domain.
Because route domains segment network traffic, they also offer an alternative use--to assign the same IP address or subnet to more than one node on a network. Two nodes on the network can have the same IP address as long as each instance of the IP address resides in a separate routing domain.
You can implement a route domain by creating a route domain object on the BIG-IP system and assigning a unique route domain ID to it. You can then append that ID to various BIG-IP system addresses as you create them (such as self IP addresses, virtual servers, and pool members). This allows you to effectively assign distinct routes to each route domain on the BIG-IP system when you add entries to the routing table. The route domains feature ensures that each set of application traffic passing through the system has dedicated router resources available for processing that traffic.
The format required for specifying a route domain ID in an objects IP address is A.B.C.D%ID, where ID is the ID of the relevant route domain. For example, the local-traffic node object 10.10.10.30%2 pertains to route domain 2.
Note: The BIG-IP system, by default, includes one route domain, with an ID of 0. Route domains other than route domain 0 do not support IPv6 addresses.
You can specify the extent to which you want the system to enforce cross-routing restrictions. By default, routes cannot cross route domain boundaries, unless those route domains have a parent-child relationship, or the Strict Isolation route domain setting is disabled on each route domain.
Finally, route domains reside in administrative partitions, for security reasons. This allows organizations to restrict the management of isolated BIG-IP system objects to those users with an appropriate user role.
As stated previously, the BIG-IP system, by default, includes one route domain, with an ID of 0. Route domain 0 resides in partition Common.
You can use route domain 0 in these ways:
| You can decide not to segment traffic. In this case, all traffic passing through the BIG-IP system uses route domain 0. No special configuration procedures for the route domain feature are required. |
| You can create other route domains and then segment traffic between route domain 0 and each of the other route domains. |
| You can assign route domain 0 as the parent of another route domain. This allows the BIG-IP system to search route domain 0 during a route table lookup. (For more information on parent route domains, see Specifying a parent ID. |
Note that Global Traffic Manager can only process traffic for VLANs associated with route domain 0. Also, dynamic routes reside in route domain 0 only. Dynamic routes cannot reside in other route domains. For more information, see Global Traffic Manager considerations, and Advanced routing module considerations.
Important: You cannot delete route domain 0 from the BIG-IP system, nor can you attempt to recreate it in another partition. This is because route domain 0 must exist on the BIG-IP system, and it must reside in partition Common.
You can create a route domain using the Configuration utility, or you can use either the bigpipe utility or tmsh.
Like other BIG-IP system objects, each route domain object that you create resides in the partition to which the system was set when you created the object. For example, if the current administrative partition is set to partition Customer_A, then any route domain object that you create resides in partition Customer_A. Because route domains reside in partitions, you can control the type of administrative access that BIG-IP system users have with respect to route isolation
To create a route domain object on the BIG-IP system, you must configure some settings. Table 11.1 lists and describes these settings, followed by the procedure for creating a route domain using the Configuration utility. Following the procedure are more detailed descriptions of each route domain setting. Note that to create a route domain, you must have the Administrator or Resource Administrator role assigned to your user account.
Important: For an example of a complete implementation of route domains, including the configuration of VLANs, self IP addresses, pool members, and virtual servers for each route domain, see the guide titled BIG-IP® Local Traffic Manager: Implementations.
| Specifies an integer that the system uses to identify the route domain. The allowed range is 1 through 65534. No two route domains can have the same ID. | ||
| Specifies an existing route domain that you want the system to use to search for a route that matches the packets destination. The system searches the parent route domain when a search of the current route domain reveals no match. A value of 65535 is equivalent to a value of None, | ||
| Specifies the existing VLANs that you want to include in the route domain. | ||
| Partition Default Route Domain | Specifies that this route domain is to be the default route domain in the current partition. This setting is unavailable if the current partition is Common. | Another route domain (0) is the Partition Default Route Domain |
| 1. |
Note: If the Create button is unavailable, you do not have permission to create a route domain.
| 3. | In the ID box, type an integer for the route domain ID. The integer must in the range of 1 through 65534. |
| 4. |
| 5. | From the Parent ID list, specify a value. You must either: |
| Select an existing route domain. Choose this option if you want the system to recursively search ancestor route domains to find a destination IP address. |
| 6. | For the VLANs setting, in the Available box, select a VLAN to include in the route domain, and using the Move button (<<), move the VLAN to the Members box. Repeat this step for additional VLANs. |
| 7. | For the Strict Isolation box, verify that the box is checked (enabled). |
| 8. | If you want this route domain to be the default route domain in the partition, select Make this route domain the Partition Default Route Domain from the list. |
| 9. | Click Finished. |
You implement a route domain by creating a route domain object on the BIG-IP system, using either the Configuration utility or a BIG-IP system command line interface. A route domain object has several settings that you can configure.
Each route domain object that you create requires a unique integer ID. When you subsequently create local traffic objects such as a virtual server and pool members, you sometimes need to append a route domain ID to those IP addresses, to indicate the specific route domain to which you want the objects to apply. For information on when to use the %ID notation in BIG-IP system addresses, see Assigning BIG-IP system addresses to route domains.
The format required for specifying a route domain ID in an objects IP address is A.B.C.D%ID, where ID is the ID of the relevant route domain. For example, if you want node 10.10.10.30 to process traffic pertaining to route domain 2, you create the node object by specifying the address 10.10.10.30%2. If the node has a pool member associated with it, such as 10.10.10.30:80, then you create the pool member by specifying the address 10.10.10.30%2:80.
When you create a route domain, you can assign a parent ID to the route domain, using the Parent ID setting within the Configuration utility. The parent ID identifies another existing route domain on the system that the system can search to find a route. Assigning a parent ID to a route domain is optional.
During a route table lookup, if the system cannot find a route in the current route domain, and the route domain has a parent ID assigned to it, the system then searches the routes in the parent route domain. If no route is found in the parent route domain, the system searches the parent route domains parent, and so on, until the system finds either a match or a parent ID with a value of None.
For example, suppose you create route domain 1 with a parent ID of 0. If traffic needs to egress the BIG-IP system on route domain 1, the system looks within route domain 1 for a route for the specified destination. If no route is found, the system searches the routes in the specified parent route domain (in this case, route domain 0).
You can set the parent ID to the ID of any route domain that exists on the BIG-IP system, or you can specify the default Parent ID value, which is None. Continuing with our example, if you set the parent ID to None and the system looks within route domain 1 and cannot find a matching route, the system refrains from searching any other route domain (including route domain 0) to find a match. Setting the parent ID to None thus prevents the system from using a route from another route domain when you did not intend for the system to do so.
If you are using dynamic routing and you set the parent ID of a user-created route domain to 0, the user-created route domain can make use of any dynamic routes defined for route domain 0. (For more information on using route domains with dynamic routing, see Advanced routing module considerations.)
Note: There are some restrictions related to specifying a parent route domain. For more information, see Enabling or disabling strict isolation.
You use the VLANs setting to assign one or more VLANs to the route domain. The VLANs that you assign are those pertaining to the particular traffic that you want to isolate in that route domain.
Table 11.2 shows the various ways you can assign a VLAN to a route domain and the corresponding action you must perform.
| You can assign a VLAN that is currently assigned to another route domain. | |
| You can assign a VLAN that currently resides in another administrative partition. | |
| You can create a VLAN in a partition other than Common, where the partition does not contain a partition default route domain. | None. The BIG-IP system automatically assigns the VLAN to route domain 0 in partition Common. (VLAN assignments to route domains can cross the boundary between a user-created partition and partition Common.) |
| You can create a VLAN in a partition other than Common, where the partition contains a partition default route domain. | None. The BIG-IP system automatically assigns the VLAN to the partition default route domain. |
You can also assign a VLAN group to a route domain. When you assign a VLAN group to a route domain, the BIG-IP system automatically assigns the VLAN group members to the route domain.
If you delete a VLAN group from the system, the VLAN group members remain assigned to the route domain.
You can use the Strict Isolation setting to specify whether you want the system to enforce cross-routing restrictions. By default, the Strict Isolation setting is enabled, which means that routes cannot cross route domain boundaries.
If you disable the Strict Isolation setting, a route for that route domain can cross route domains. That is, when you add a static route to the TMM routing table, the IP addresses in the static route entry can pertain to multiple route domains. For example, you can add a route to the routing table where the destination is 10.0.10.10%20 (route domain 20) and the gateway is 10.0.10.1%32 (route domain 32).
If you choose to assign a parent route domain, the Strict Isolation setting on the child route domain affects the Strict Isolation setting on the parent route domain as shown in Table 11.3.
| You must also enable the Strict Isolation setting on the parent route domain. In this case, you cannot disable the Strict Isolation setting on the parent route domain at a later time. | |
| You can enable or disable the Strict Isolation setting on the parent route domain. However, if you want to prevent routes from crossing route domains, you must enable the Strict Isolation setting on the parent route domain. |
A common configuration in which a route might cross route domains is when a Global Traffic Manager device sends traffic to a Local Traffic Manager device, and then the Local Traffic Manager device load balances the traffic. In this case, the external VLAN that receives the Global Traffic Manager traffic is assigned to the default route domain (a requirement for this configuration). Then, the internal VLANs on the Local Traffic Manager device are assigned to two non-default route domains (for example, route domains 1 and 2), to allow the use of duplicate IP addresses for servers in the load balancing pools.
The result is that a specific connection crosses either route domains 0 and 1, or route domains 0 and 2, depending on the location of the server to which the traffic is sent for processing.
For more information using route domains with Global Traffic Manager, see Global Traffic Manager considerations.
A partition default route domain is a route domain within a partition other than Common that serves as the default route domain for the partition. The BIG-IP system, by default, defines route domain 0 in partition Common as the default route domain for any partition that you create. Therefore, the default value for the Partition Default Route Domain setting is Another route domain (0) is the Partition Default Route Domain.
Alternatively, you can use the Partition Default Route Domain setting to specify that the route domain you are creating, rather than route domain 0, will function as the default route domain in the current administrative partition.
Once you have designated a route domain as the default route domain in the partition, any BIG-IP system IP addresses that pertain to that route domain do not need to include the pertinent route domain ID (that is, the %ID notation).
When you designate a route domain as the default route domain in the partition, you do not need to include the %ID notation in any BIG-IP system addresses (virtual servers, self IP addresses, pool members, and so on) that you create in that partition.
To minimize the need for specifying the %ID notation, the route domains feature includes the concept of default route domains.
The BIG-IP system, by default, includes one route domain, named route domain 0. Route domain 0 is known as the default route domain on the BIG-IP system, and this route domain resides in administrative partition Common. If you do not create any other route domains on the system, all traffic automatically pertains to route domain 0. (For more information on route domain 0, see About route domain 0.)
If you want to segment traffic into multiple route domains, however, you can create additional route domains in a partition and then segment application traffic between all route domains. For example, you can create route domain 1 and then segment application traffic between route domain 0 and route domain 1. Any BIG-IP addresses that do not include the route domain ID notation are automatically associated with the default route domain. Any BIG-IP addresses that include the %1 notation are associated with route domain 1.
Note that any VLANs that reside in partition Common are automatically assigned to the default route domain.
Administrative partitions other than Common can contain a partition default route domain. A partition can contain one partition default route domain only.
The benefit of having a partition default route domain is that when you create other objects such as a virtual server and pool members within that partition, and you want to associate them with the route domain that is the partition default route domain, you do not need to specify the ID of that route domain within the addresses for those objects.
To summarize, when object addresses do not include a %ID notation, the BIG-IP system automatically associates those addresses with the partition default route domain. If no partition default route domain exists within the partition, the system associates those addresses with route domain 0 in partition Common.
Once you have created route domain objects and any associated VLANs, self IP addresses, and so on, you can add static route entries to the BIG-IP system. Each static route that you add resides in an administrative partition and is associated with a route domain.
Important: If you do not explicitly create any route domains, then all route entries pertain to route domain 0, the default route domain on the BIG-IP system. In this case, use Chapter 10, Configuring Routes instead of this section to add routes to the system.
Important: Only users with either the Administrator or Resource Administrator user role can create and manage route domains and route entries on the BIG-IP system.
If you have explicitly created one or more route domains, then when you add route entries, you might or might not need to specify the route domain to which each route pertains:
| If the route you are adding pertains to a partition default route domain, you simply define the IP addresses for the route, without using the %ID notation in those addresses. In this case, the BIG-IP system automatically associates the route entry with the partition default route domain. |
| If the route you are adding pertains to a route domain other than the partition default route domain, you must include the relevant route domain ID in the addresses within the route, using the %ID notation. |
Tip: F5 Networks® highly recommends that you define a default route for each route domain on the system. Otherwise, certain types of administrative traffic that would normally use a TMM switch interface might instead use the management interface.
If you have created one or more route domains, you can define a default route for each route domain on the BIG-IP system (recommended). This results in multiple default routes being defined on the system.
If you have not created any route domains, the BIG-IP system associates this default route with the default route domain, which is route domain 0.
| 1. |
Note: If the Add button is unavailable, you do not have permission to add a route. You must have an appropriate user role assigned to your user account.
| 3. |
| 4. | From the Route Domain ID list, select the route domain ID. This setting appears only when you set the Type setting to Default Gateway. This setting specifies the route domain to which you want the default route to pertain. |
| 5. | From the Resource list, select a resource: |
| 6. | Click Finished. |
Figure 11.1 shows an example of using the Configuration utility to specify a default route for route domain 2.
If you have created one or more route domains, you can define standard (that is, non-default) routes for each route domain on the BIG-IP system. Otherwise, any standard route that you define pertains to route domain 0, the default route domain.
If the route you are adding pertains to a partition default route domain, you do not need to indicate the relevant route domain in the routes IP addresses (using the %ID notation). If the route you are adding pertains to a route domain other than the partition default route domain, you must include the relevant route domain ID. (For more information, see Viewing static routes.)
| 1. |
Note: If the Add button is unavailable, you do not have permission to add a route. You must have an appropriate user role assigned to your user account.
| 3. |
| If the route pertains to the partition default route domain, then the Destination box, simply type an IP address. You do not need to include the %ID notation in the address. |
| If the route pertains to a route domain that is not the partition default route domain, then in the Destination box, type an IP address, including the %ID notation. An example of a destination address for a route in route domain 2 is 10.10.10.12%2, where route domain 2 is not the partition default route domain. |
| 5. | In the Netmask box, type a network mask for the destination address. |
| 6. | From the Resource list, select a resource: |
| If you select Use Gateway, type a gateway IP address, including the pertinent route domain, such as 10.10.10.1%2. |
| 7. | Click Finished. |
Figure 11.2 shows an example of using the Configuration utility to specify a standard route for route domain 2, where route domain 2 is a route domain other than the partition default route domain.
When you view static routes on the BIG-IP system, the system shows only those routes that you are allowed to view based on your assigned user role.
Important: The way that routes appear on the Routes screen varies depending on the Partition drop-down setting in the upper-right corner of any Configuration utility screen. Be sure to view or adjust this setting before viewing a list of routes.
On the Main tab of the navigation pane, expand Network and click Routes. The Configuration utility displays the list of static routes that you have permission to view.
If you have the Administrator or Resource Administrator role, you can view all static routes on the BIG-IP system, regardless of either the partition in which they reside or the route domain to which they apply.
Figure 11.3 shows a sample list of routes that you might see when you navigate to the Partition drop-down list on any screen of the Configuration utility and select All [Read Only].
This sample screen shows routes for four different route domains, where each route domain resides in a separate partition. The screen shows:
| A standard route that resides in partition Common and pertains to route domain 0, which is the default route domain for that partition. |
| A default route and a standard route that reside in Partition_A. In this case, the routes pertain to route domain 1. |
| A default route and a standard route that reside in Partition_B. In this case, the routes pertain to route domain 2. |
| A default route and two standard routes that reside in Partition_C. In this case, the first two routes pertain to route domain 0, while the third route pertains to route domain 3. |
Note: In the specific case where you are viewing all of the static routes on the BIG-IP system in a single list (as in Figure 11.3), any route domain ID that appears as Partition Default Route Domain signifies that the route pertains to route domain 0. This is because the Configuration utility presents this list of routes from the perspective of partition Common, in which route domain 0 is always the default route domain for that partition.
You can view routes associated with a specific partition by setting the current partition to that partition (using the Partition drop-down box on each Configuration utility screen).
Continuing with the example from the previous section, Figure 11.4 shows the result of setting the current partition to Partition_A and listing the routes that reside in that partition.
| The first two routes are associated with Partition_As partition default route domain, which happens to be route domain 1. The route domain ID of 1 is not shown; instead, the route domain ID appears as Partition Default Route Domain. This is because the current partition is set to Partition_A. In this case, the system recognizes that route domain 1 is the default route domain for that partition and so displays it as such in the Route Domain ID column. This is in contrast to the list of routes in Figure 11.3, generated when the current partition was set to All [Read Only]. In this case, the route domain ID Partition Default Route Domain represents route domain 0, the default route domain for partition Common, and the route domain ID for Partition_As routes appears as 1. |
| Because route domain 1 is the default route domain for Partition_A, the %1 route domain notation does not appear as part of the destination IP address (10.2.1.101). |
| For any route that is not associated with Partition_As default route domain (such as the route for destination 12.2.1.200), the BIG-IP system includes the %ID notation when displaying the route (in this case, %0). |
Continuing again with our example, Figure 11.5 shows the result of setting the current partition to Partition_C and listing the routes that reside in that partition (and in partition Common). In this case, the default route domain for Partition_C is route domain 0 (in partition Common).
| The route with destination address 12.2.1.200 resides in partition Common and is associated with route domain 0. |
| The routes with destination addresses Default IPv4 and 10.2.1.100 are associated with route domain 0, which is Partition_Cs default route domain. (Route domain 0 in partition Common is, by default, the default route domain for partition C because no other route domain in Partition_C is designated as the default route domain for that partition.) |
| Destination address 10.2.1.100 does not show the %ID notation because the route is associated with the partition default route domain, which in this case is 0. |
| The route with destination address 10.2.1.250 is associated with route domain 3. Because route domain 3 is specifically configured not to be the default route domain for Partition_C, the destination address shows the %3 notation, to indicate the specific route domain to which that route applies. |
If you are using either a Global Traffic Manager device on the network or the Global Traffic Manager product module on the BIG-IP system, you should not use route domains for gtmd- or big3d-related traffic. That is, when creating a route domain object and assigning one or more VLANs to that object, you should not assign any VLAN that processes traffic to or from the gtmd or big3d daemons.
An exception to this is the default route domain (route domain 0). Any VLAN assigned to route domain 0 successfully interoperates with Global Traffic Manager daemons.
If you are using the ZebOS® advanced routing modules, it is important to consider the following:
 | Route domains and the advanced routing modules (ZebOS) Dynamic routing is supported on interfaces in route domain 0. The advanced routing modules cannot access interfaces, self IP and virtual addresses, and static routes in other route domains. A static route is considered as belonging to a route domain other than 0 if either the destination or the nexthop gateway address belongs to a route domain other than route domain 0. |
| | Routes learned by way of dynamic routing protocols The BIG-IP system inserts all routes learned by way of dynamic routing protocols into the routing table for route domain 0. |
| | Advertising routes, virtual addresses, and self IP addresses With respect to advertising routes, virtual addresses, or self IP addresses to other routers, the advanced routing modules advertise only those routes or addresses that are in route domain 0. As previously stated, the advanced routing modules are not aware of routes or addresses in other route domains. |
Search AskF5
- Supported Products
- BIG-IP LTM / VE
- BIG-IP AFM / VE
- BIG-IP Analytics / VE
- BIG-IP APM / VE
- BIG-IP ASM / VE
- BIG-IP Edge Gateway / VE
- BIG-IP GTM / VE
- BIG-IP Link Controller
- BIG-IP PEM / VE
- BIG-IP PSM / VE
- BIG-IP WebAccelerator / VE
- BIG-IP WOM / VE
- ARX / VE
- ARX Cloud Extender
- Data Manager
- Enterprise Manager / VE
- F5 Monitoring Pack
- FirePass / VE
- BIG-IQ Cloud
- BIG-IQ Security
- BIG-IP Edge Apps
- End-of-Life Products
- Recent Additions
- About AskF5
