As network costs and security concerns increase for enterprise-wide computing organizations, there is a growing need for these organizations to consolidate router resources and implement new access-control policies. The route domains feature of the BIG-IP® system addresses these needs. Use of this feature is optional.
Route domains give you the ability to segment (isolate) network traffic for different applications on the network. The BIG-IP system can process traffic for each application within its own route domain.
Because route domains segment network traffic, they also offer an alternative use: to assign the same IP address or subnet to more than one node on a network. Two nodes on the network can have the same IP address as long as each instance of the IP address resides in a separate routing domain.
You can implement a route domain by creating a route domain object on the BIG-IP system and assigning a unique route domain ID to it. You can then append that ID to various BIG-IP system addresses as you create them (such as self IP addresses, virtual servers, and pool members). This allows you to effectively assign distinct routes to each route domain on the BIG-IP system when you add entries to the routing table. The route domains feature ensures that each set of application traffic passing through the system has dedicated router resources available for processing that traffic.
The format required for specifying a route domain ID in an object's IP address is A.B.C.D%ID, where ID is the ID of the relevant route domain. For example, the local-traffic node object 10.10.10.30%2 pertains to route domain 2.
You can specify the extent to which you want the system to enforce cross-routing restrictions. By default, routes cannot cross route domain boundaries, unless those route domains have a parent-child relationship, or the Strict Isolation route domain setting is disabled on each route domain.
Finally, route domains reside in administrative partitions, for security reasons. This allows organizations to restrict the management of isolated BIG-IP system objects to those users with an appropriate user role.
You can assign route domain 0 as the parent of another route domain. This allows the BIG-IP system to search route domain 0 during a route table lookup. (For more information about parent route domains, see Parent IDs.)
Note that Global Traffic Manager™ can only process traffic for VLANs associated with route domain 0. Also, dynamic routes reside in route domain 0 only. Dynamic routes cannot reside in other route domains.
Important: You cannot delete route domain 0 from the BIG-IP system, nor can you attempt to recreate it in another partition. This is because route domain 0 must exist on the BIG-IP system, and it must reside in partition Common.
Because route domains reside in partitions, you can control the type of administrative access that BIG-IP system users have with respect to route isolation.
Each route domain object that you create requires a unique integer ID. When you subsequently create local traffic objects such as a virtual server and pool members, you sometimes need to append a route domain ID to those IP addresses, to indicate the specific route domain to which you want the objects to apply.
The format required for specifying a route domain ID in an object's IP address is A.B.C.D%ID, where ID is the ID of the relevant route domain. For example, if you want node 10.10.10.30 to process traffic pertaining to route domain 2, you create the node object by specifying the address 10.10.10.30%2. If the node has a pool member associated with it, such as 10.10.10.30:80, then you create the pool member by specifying the address 10.10.10.30%2:80.
When you create a route domain, you can assign a parent ID to the route domain, using the Parent ID setting within the Configuration utility. The parent ID identifies another existing route domain on the system that the system can search to find a route. Assigning a parent ID to a route domain is optional.
During a route table lookup, if the system cannot find a route in the current route domain, and the route domain has a parent ID assigned to it, the system then searches the routes in the parent route domain. If no route is found in the parent route domain, the system searches the parent route domain's parent, and so on, until the system finds either a match or a parent ID with a value of None.
For example, suppose you create route domain 1 with a parent ID of 0. If traffic needs to egress the BIG-IP system on route domain 1, the system looks within route domain 1 for a route for the specified destination. If no route is found, the system searches the routes in the specified parent route domain (in this case, route domain 0).
You can set the parent ID to the ID of any route domain that exists on the BIG-IP system, or you can specify the default Parent ID value, which is None. Continuing with our example, if you set the parent ID to None and the system looks within route domain 1 and cannot find a matching route, the system refrains from searching any other route domain (including route domain 0) to find a match. Setting the parent ID to None thus prevents the system from using a route from another route domain when you did not intend for the system to do so.
If you are using dynamic routing and you set the parent ID of a user-created route domain to 0, the user-created route domain can make use of any dynamic routes defined for route domain 0.
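The parent ID search described above can be modelled to check which route domains a lookup may fall through to. This is an added example, not F5 code: the route domains, routes and gateways are constructed sample data, the function names are hypothetical, and longest-prefix matching inside each route domain is an assumption of the model.

```python
import ipaddress

# Constructed sample: route domain ID -> parent ID (None means no parent).
PARENTS = {0: None, 1: 0, 2: None}

# Constructed sample static routes per route domain: (destination, gateway).
ROUTES = {
    0: [("0.0.0.0/0", "192.0.2.1"), ("10.50.0.0/16", "192.0.2.254")],
    1: [("10.10.10.0/24", "10.10.10.1")],
    2: [("10.10.10.0/24", "10.10.10.1")],
}


def best_match(rd, addr, routes):
    """Most specific route for addr inside one route domain (assumed LPM)."""
    best = None
    for net, gateway in routes.get(rd, []):
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, gateway)
    return best[1] if best else None


def lookup(rd, dest, parents=PARENTS, routes=ROUTES):
    """Return (route domain that answered, gateway), or None if no route.

    Searches the current route domain, then each parent in turn, and stops
    at the first match or when the parent ID is None.
    """
    addr = ipaddress.ip_address(dest)
    visited = set()
    while rd is not None and rd not in visited:
        visited.add(rd)  # guards against a parent loop in hand-built data
        gateway = best_match(rd, addr, routes)
        if gateway is not None:
            return rd, gateway
        rd = parents.get(rd)
    return None


def reachable_domains(rd, parents=PARENTS):
    """Route domains whose tables a lookup starting in rd may consult."""
    chain = []
    while rd is not None and rd not in chain:
        chain.append(rd)
        rd = parents.get(rd)
    return chain
```

Route domain 1 (parent 0) resolves an unknown destination through route domain 0's default route, while route domain 2 (parent None) returns no route for the same destination.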
You use the VLANs setting to assign one or more VLANs to the route domain. The VLANs that you assign are those pertaining to the particular traffic that you want to isolate in that route domain.
shows the various ways you can assign a VLAN to a route domain and the corresponding action you must perform.
You can also assign a VLAN group to a route domain. When you assign a
VLAN group to a route domain, the BIG-IP system automatically assigns the VLAN group members to the route domain.
You can specify whether you want the system to enforce cross-routing restrictions. By default, strict isolation is enabled, which means that routes cannot cross route domain boundaries.
If you disable strict isolation, a route for that route domain can cross route domains. That is, when you add a static route to the TMM routing table, the IP addresses in the static route entry can pertain to multiple route domains. For example, you can add a route to the routing table where the destination is 10.0.10.10%20 (route domain 20) and the gateway is 10.0.10.1%32 (route domain 32).
If you choose to assign a parent route domain, strict isolation on the child route domain affects strict isolation on the parent route domain as shown in Table 23.2.
A common configuration in which a route might cross route domains is when a Global Traffic Manager™ device sends traffic to a Local Traffic Manager™
device, and then the Local Traffic Manager device load balances the traffic. In this case, the external VLAN that receives the Global Traffic Manager traffic is assigned to the default route domain (a requirement for this configuration). Then, the internal VLANs on the Local Traffic Manager device are assigned to two non-default route domains (for example, route domains 1
), to allow the use of duplicate IP addresses for servers in the load balancing pools.
The result is that a specific connection crosses either route domains 0
, or route domains 0
, depending on the location of the server to which the traffic is sent for processing.
A partition default route domain is a route domain within a partition other than Common that serves as the default route domain for the partition. The BIG-IP system, by default, defines route domain 0 in partition Common as the default route domain for any partition that you create. Therefore, the default value for the Partition Default Route Domain setting is Another route domain (0) is the Partition Default Route Domain.
Alternatively, you can use the Partition Default Route Domain setting to specify that the route domain you are creating, rather than route domain 0, will function as the default route domain in the current administrative partition.
Once you have designated a route domain as the default route domain in the partition, any BIG-IP system IP addresses that pertain to that route domain do not need to include the pertinent route domain ID (that is, the %ID notation).
When you designate a route domain as the default route domain in the partition, you do not need to include the %ID notation in any BIG-IP system addresses (virtual servers, self IP addresses, pool members, and so on) that you create in that partition.
To minimize the need for specifying the %ID notation, the route domains feature includes the concept of default route domains.
The BIG-IP system, by default, includes one route domain, named route domain 0. Route domain 0 is known as the default route domain on the BIG-IP system, and this route domain resides in administrative partition Common. If you do not create any other route domains on the system, all traffic automatically pertains to route domain 0. (For more information on route domain 0, see About route domain 0.)
If you want to segment traffic into multiple route domains, however, you can create additional route domains in a partition and then segment application traffic between all route domains. For example, you can create route domain 1 and then segment application traffic between route domain 0 and route domain 1. Any BIG-IP addresses that do not include the route domain ID notation are automatically associated with the default route domain. Any BIG-IP addresses that include the %1 notation are associated with route domain 1.
Note that any VLANs that reside in partition Common are automatically assigned to the default route domain.
Administrative partitions other than Common can contain a partition default route domain. A partition can contain one partition default route domain only.
The benefit of having a partition default route domain is that when you create other objects such as a virtual server and pool members within that partition, and you want to associate them with the route domain that is the partition default route domain, you do not need to specify the ID of that route domain within the addresses for those objects.
To summarize, when object addresses do not include a %ID notation, the BIG-IP system automatically associates those addresses with the partition default route domain. If no partition default route domain exists within the partition, the system associates those addresses with route domain 0 in partition Common.
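The resolution rule summarized above matters when reviewing a configuration export, because an address written without %ID can land in a different route domain than a reader expects. The sketch below is an added example, not F5 code: it parses the A.B.C.D%ID and A.B.C.D%ID:port forms, applies the partition default rule, and reports addresses that resolve to the same route domain. The function names, the partition defaults mapping and the object list are constructed for illustration.

```python
import ipaddress
import re

# A.B.C.D, optionally followed by %ID and/or :port (IPv4 only in this sketch).
ADDR_RE = re.compile(r"^(?P<ip>[0-9.]+)(?:%(?P<rd>\d+))?(?::(?P<port>\d+))?$")


def parse(addr):
    """Split a BIG-IP style address into (ip, route domain ID or None, port or None)."""
    m = ADDR_RE.match(addr)
    if not m:
        raise ValueError(f"not an A.B.C.D%ID[:port] address: {addr!r}")
    ip = str(ipaddress.IPv4Address(m["ip"]))  # rejects malformed octets
    rd = int(m["rd"]) if m["rd"] is not None else None
    port = int(m["port"]) if m["port"] is not None else None
    return ip, rd, port


def effective(addr, partition, partition_defaults):
    """Resolve the route domain: explicit %ID, else partition default, else 0."""
    ip, rd, port = parse(addr)
    if rd is None:
        rd = partition_defaults.get(partition, 0)
    return ip, rd, port


def find_collisions(objects, partition_defaults):
    """Return (resolved key, first object, later object) for true duplicates."""
    seen, dupes = {}, []
    for partition, addr in objects:
        key = effective(addr, partition, partition_defaults)
        if key in seen:
            dupes.append((key, seen[key], (partition, addr)))
        else:
            seen[key] = (partition, addr)
    return dupes


# Constructed sample: Partition_A uses route domain 1 as its partition default.
DEFAULTS = {"Partition_A": 1}
OBJECTS = [
    ("Common", "10.10.10.30:80"),         # resolves to route domain 0
    ("Partition_A", "10.10.10.30:80"),    # resolves to route domain 1
    ("Partition_A", "10.10.10.30%1:80"),  # same route domain as the line above
    ("Partition_C", "10.10.10.30%2:80"),  # route domain 2, no conflict
]
```

Only the two Partition_A entries collide; the same IP address and port in route domains 0 and 2 remain distinct objects.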
Once you have created route domain objects and any associated VLANs, self IP addresses, and so on, you can add static route entries to the BIG-IP system. Each static route that you add resides in an administrative partition and is associated with a route domain.
Important: Only users with either the Administrator or Resource Administrator user role can create and manage route domains and route entries on the BIG-IP system.
If you have explicitly created one or more route domains, then when you add route entries, you might or might not need to specify the route domain to which each route pertains:
Tip: F5 Networks® highly recommends that you define a default route for each route domain on the system. Otherwise, certain types of administrative traffic that would normally use a TMM switch interface might instead use the management interface.
If you have created one or more route domains, you can define a default route for each route domain on the BIG-IP system (recommended). This results in multiple default routes being defined on the system.
shows an example of using the Configuration utility to specify a default route for route domain 2.
If you have created one or more route domains, you can define standard (that is, non-default) routes for each route domain on the BIG-IP system. Otherwise, any standard route that you define pertains to route domain 0, the default route domain.
If the route you are adding pertains to a partition default route domain, you do not need to indicate the relevant route domain in the route's IP addresses (using the %ID notation). If the route you are adding pertains to a route domain other than the partition default route domain, you must include the relevant route domain ID.
shows an example of using the Configuration utility to specify a standard route for route domain 2, where route domain 2 is a route domain other than the partition default route domain.
When you view static routes on the BIG-IP system, the system shows only those routes that you are allowed to view based on your assigned user role.
If you have the Administrator or Resource Administrator role, you can view all static routes on the BIG-IP system, regardless of either the partition in which they reside or the route domain to which they apply.
shows a sample list of routes that you might see when you navigate to the Partition drop-down list on any screen of the Configuration utility and select All [Read Only].
Note: In the specific case where you are viewing all of the static routes on the BIG-IP system in a single list (as in Figure 23.3), any route domain ID that appears as Partition Default Route Domain signifies that the route pertains to route domain 0. This is because the Configuration utility presents this list of routes from the perspective of partition Common, in which route domain 0 is always the default route domain for that partition.
You can view routes associated with a specific partition by setting the current partition to that partition (using the Partition drop-down box on each Configuration utility screen).
Continuing with the example from the previous section, Figure 23.4 shows the result of setting the current partition to Partition_A and listing the routes that reside in that partition.
The first two routes are associated with Partition_A's partition default route domain, which happens to be route domain 1. The route domain ID of 1 is not shown; instead, the route domain ID appears as Partition Default Route Domain. This is because the current partition is set to Partition_A. In this case, the system recognizes that route domain 1 is the default route domain for that partition and so displays it as such in the Route Domain ID column.
This is in contrast to the list of routes in Figure 23.3, generated when the current partition was set to All [Read Only]. In this case, the route domain ID Partition Default Route Domain represents route domain 0, the default route domain for partition Common, and the route domain ID for Partition_A's routes appears as 1.
Because route domain 1 is the default route domain for Partition_A, the %1 route domain notation does not appear as part of the destination IP address (10.2.1.101).
For any route that is not associated with Partition_A's default route domain (such as the route for destination 220.127.116.11), the BIG-IP system includes the %ID notation when displaying the route (in this case, %0).
Continuing again with our example, Figure 23.5 shows the result of setting the current partition to Partition_C and listing the routes that reside in that partition (and in partition Common). In this case, the default route domain for Partition_C is route domain 0 (in partition Common).
The routes with destination addresses Default IPv4 are associated with route domain 0, which is Partition_C's default route domain. (Route domain 0 in partition Common is, by default, the default route domain for partition C because no other route domain in Partition_C is designated as the default route domain for that partition.)
Destination address 10.2.1.100 does not show the %ID notation because the route is associated with the partition default route domain, which in this case is 0.
The route with destination address 10.2.1.250 is associated with route domain 3. Because route domain 3 is specifically configured not to be the default route domain for Partition_C, the destination address shows the %3 notation, to indicate the specific route domain to which that route applies.
If you are using the ZebOS® advanced routing modules, it is important to consider the following:
Route domains and the advanced routing modules (ZebOS)
Dynamic routing is supported on interfaces in route domain 0. The advanced routing modules cannot access interfaces, self IP and virtual addresses, and static routes in other route domains. A static route is considered as belonging to a route domain other than 0 if either the destination or the next hop gateway address belongs to a route domain other than route domain 0.
Advertising routes, virtual addresses, and self IP addresses
With respect to advertising routes, virtual addresses, or self IP addresses to other routers, the advanced routing modules advertise only those routes or addresses that are in route domain 0. As previously stated, the advanced routing modules are not aware of routes or addresses in other route domains.