Manual Chapter : Managing Route Domains in Shared Security

Applies To:


BIG-IQ Security

  • 4.5.0

About route domains

The Route Domains panel lists route domains configured from BIG-IQ Shared Security.

On BIG-IP devices, network objects such as route domains, virtual servers, self IP addresses, the management IP address, and the global firewall all have firewalls attached to them. On BIG-IQ systems, an instance of one of these network objects is called a firewall context.

Using a BIG-IQ Security system, you can discover all firewall contexts on a BIG-IP device and edit the firewall rules, policies, or both, attached to each firewall context.

Note: The BIG-IQ Security system supports only the default route domain, in the Common partition with an ID of 0 (/Common/0).

From the Route Domains panel, you can create and edit route domain configurations that have VLANs, tunnels, or both, attached to them.

To close the New Route Domain properties panel without saving, click Cancel.

To get help on any panel, click the (?) icon in the upper right corner.

Adding route domains

Hover over the Route Domains header and click the (+) icon when it appears, then select New Route Domain. The panel expands to display properties on the New Route Domain screen.

Editing route domains

Hover over the name of the route domain that you want to edit and click the gear icon, then select Properties to expand the panel.

Removing route domains

Removing route domains defined on the BIG-IQ system is complex, so no Remove button is available for route domains as there is for other BIG-IQ Security components. To remove a route domain defined on a BIG-IQ system, reimport the route domain data from the BIG-IP system to overwrite the data of the existing route domain. The configuration data to be overwritten must not have been deployed to a BIG-IP system.

Adding route domains

Use the New Route Domain screen to add and configure a new route domain. Using route domains, you can assign the same IP address to more than one device on a network, as long as each instance of the IP address resides in a separate route domain.

Note: Depending on the settings you configure, you might see only some of the screen elements described.
Note: Configure and deploy route domains one at a time, when the BIG-IQ is not also configuring other components. Configuring and deploying route domains in this way lessens the chance that a failed route domain deployment will require you to reimport BIG-IP device configuration data.

Adding route domains

  1. Hover over the Route Domains header, click the + icon when it appears, and click New Route Domain. The panel expands to display the New Route Domain properties.
  2. In the General Properties area of the New Route Domain screen, review and modify the properties as needed.
    Device: Specifies the BIG-IP device. Select the BIG-IP device from the list.
    Name: Specifies the unique name of the route domain.
    Description: Specifies optional descriptive text that identifies the route domain.
    Partition: Although pre-populated with Common (the default), you can set the partition when creating route domains by entering the unique name of the partition.
    Note: The partition with that name must already exist on the BIG-IP device. No white space is allowed in the partition name.
    Id: Type the integer that identifies the route domain. The integer must be unique on the BIG-IP device and be between 1 and 65534, inclusive. An Id value of 0 is the default and indicates that all VLANs on the system pertain to this route domain. When you create new route domains, you can assign VLANs to those route domains and then move the VLANs out of the default route domain.
  3. In the Configuration area, review or modify the configuration.
    Strict Isolation: Specifies whether the system enforces cross-routing restrictions. Select either Disabled or Enabled. When enabled (the default), routes cannot cross route domain boundaries, so they are strictly isolated to the current route domain. When disabled, a route can cross route domains.
    VLANs: Select the VLANs, including tunnels, that you want to be members of the route domain by moving them from the Available area to the Selected area.
    • Available: Lists defined VLANs not added to the route domain.
    • Selected: Lists defined VLANs that have been added to the route domain.
    When adding VLANs to a route domain, be aware that deployment errors occur if the same VLAN is assigned to two or more route domains at the same time, or if a VLAN is not assigned to any route domain. To prevent these deployment errors, add and remove VLANs from route domains as follows.
    To add a VLAN to a route domain:
    1. Remove the VLAN from the route domain currently assigned to it (typically the default route domain), and save that route domain.
    2. Add that VLAN to the new route domain, and save the new route domain containing the VLAN.
    To remove a VLAN from a route domain:
    1. Remove the VLAN from the route domain currently assigned to it, and save that route domain.
    2. Add that VLAN to another route domain (typically the default route domain), and save the route domain containing the VLAN.
  4. When finished, click Add.

Editing route domains

Use the Route Domains Properties screen to edit route domain configurations.

Editing route domains

From the Route Domains panel, you can edit the route domain configuration.

Note: Depending on the settings you configure, you might see only some of the screen elements described.
  1. Hover over the route domain that you want to edit, click the gear icon, and select Properties to expand the panel.
  2. Click Edit to establish the lock and make it possible to edit the values.
  3. Edit the properties.
  4. In the General Properties area of the expanded Route Domains screen, review and modify the properties as needed.
    Device: Specifies the BIG-IP device. Select the BIG-IP device from the list.
    Name: Specifies the unique name of the route domain.
    Description: Specifies optional descriptive text that identifies the route domain.
    Partition: Although pre-populated with Common (the default), you can set the partition when creating route domains by entering the unique name of the partition.
    Note: The partition with that name must already exist on the BIG-IP device. No white space is allowed in the partition name.
    Id: Type the integer that identifies the route domain. The integer must be unique on the BIG-IP device and be between 1 and 65534, inclusive. An Id value of 0 is the default and indicates that all VLANs on the system pertain to this route domain. When you create new route domains, you can assign VLANs to those route domains and then move the VLANs out of the default route domain.
  5. In the Configuration area, review or modify the configuration.
    Strict Isolation: Specifies whether the system enforces cross-routing restrictions. Select either Disabled or Enabled. When enabled (the default), routes cannot cross route domain boundaries, so they are strictly isolated to the current route domain. When disabled, a route can cross route domains.
    VLANs: Select the VLANs, including tunnels, that you want to be members of the route domain by moving them from the Available area to the Selected area.
    • Available: Lists defined VLANs not added to the route domain.
    • Selected: Lists defined VLANs that have been added to the route domain.
    When adding VLANs to a route domain, be aware that deployment errors occur if the same VLAN is assigned to two or more route domains at the same time, or if a VLAN is not assigned to any route domain. To prevent these deployment errors, add and remove VLANs from route domains as follows.
    To add a VLAN to a route domain:
    1. Remove the VLAN from the route domain currently assigned to it (typically the default route domain), and save that route domain.
    2. Add that VLAN to the new route domain, and save the new route domain containing the VLAN.
    To remove a VLAN from a route domain:
    1. Remove the VLAN from the route domain currently assigned to it, and save that route domain.
    2. Add that VLAN to another route domain (typically the default route domain), and save the route domain containing the VLAN.
  6. Click Save to save changes as you go.
  7. When you are finished, click Save and Close to save the changes, release the lock, and exit the screen.
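The General Properties and Configuration rules above (for both the Adding and Editing procedures) can be checked before a deployment is attempted. The following is an added example, not F5 code or a BIG-IQ API: it assumes route domains exported as plain dictionaries with the constructed keys name, id, partition, strict_isolation and vlans, and reports every condition this chapter says causes a deployment error, plus a warning when strict isolation is off.

```python
from collections import Counter

ID_MIN, ID_MAX = 1, 65534  # range this chapter gives for non-default route domain IDs


def check_route_domains(domains, all_vlans):
    """Return findings for a set of route domain definitions on one BIG-IP device.

    domains: dicts with keys name, id, partition, strict_isolation, vlans (constructed shape).
    all_vlans: every VLAN and tunnel defined on the device; each must belong to exactly one domain.
    """
    findings = []
    ids = Counter(d["id"] for d in domains)
    for d in domains:
        rd = d["name"]
        if d["id"] != 0 and not ID_MIN <= d["id"] <= ID_MAX:
            findings.append(f"{rd}: id {d['id']} is outside {ID_MIN}-{ID_MAX}")
        if ids[d["id"]] > 1:
            findings.append(f"{rd}: id {d['id']} is not unique on the device")
        if any(c.isspace() for c in d["partition"]):
            findings.append(f"{rd}: partition name contains white space")
        if not d["strict_isolation"]:
            findings.append(f"{rd}: warning, strict isolation disabled so routes may cross domains")
    # A VLAN in zero domains or in two or more domains causes a deployment error.
    owners = Counter(v for d in domains for v in d["vlans"])
    for vlan in sorted(set(all_vlans) | set(owners)):
        if owners[vlan] == 0:
            findings.append(f"{vlan}: assigned to no route domain")
        elif owners[vlan] > 1:
            findings.append(f"{vlan}: assigned to {owners[vlan]} route domains at once")
    return findings


def move_vlan_steps(vlan, src, dst):
    """The two saves the chapter requires, in order, to move a VLAN between route domains."""
    return [f"remove {vlan} from {src}, then save {src}",
            f"add {vlan} to {dst}, then save {dst}"]


# Constructed sample: "external" sits in two domains and "guest" in none.
SAMPLE = [
    {"name": "/Common/0", "id": 0, "partition": "Common", "strict_isolation": True,
     "vlans": ["internal", "external"]},
    {"name": "/Common/tenant1", "id": 1, "partition": "Common", "strict_isolation": False,
     "vlans": ["external"]},
]
ALL_VLANS = ["internal", "external", "guest"]

if __name__ == "__main__":
    for line in check_route_domains(SAMPLE, ALL_VLANS):
        print(line)
```

Running it on the constructed sample reports the doubly assigned and unassigned VLANs that would fail deployment; move_vlan_steps gives the save order to fix each one without ever leaving a VLAN in two domains.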

Removing route domains

Removing route domains defined on the BIG-IQ system is complex, so no Remove button is available for route domains as there is for other BIG-IQ Security components. To remove a route domain defined on a BIG-IQ system, reimport the route domain data from the BIG-IP system to overwrite the data of the existing route domain. The configuration data to be overwritten must not have been deployed to a BIG-IP system.

  1. Review the configuration of the BIG-IP system from which you plan to reimport the data, to make sure that you will not overwrite other configuration information you want to retain.
  2. Reimport the data from the BIG-IP system to overwrite the existing route domain data on the BIG-IQ system, using the BIG-IQ Network Security Overview Devices panel.
    Note: Use care when reimporting, since it causes existing data to be overwritten.
Note: Configure and deploy route domains one at a time when no other portions of the system are being configured. Configuring and deploying route domains in this way lessens the chance that a failed route domain deployment will require you to reimport BIG-IP system configuration data.