is a configuration object that isolates network traffic for a
particular application on the network.
Because route domains segment network traffic, you can assign the same IP address or subnet to
multiple nodes on a network, provided that each instance of the IP address resides in a separate
routing domain.
Route domains are compatible with both IPv4 and IPv6 address formats.
On a BIG-IP® system that includes both Local Traffic Manager (LTM) and Global Traffic
Manager™ (now BIG-IP ® DNS), all IP addresses that BIG-IP DNS
references (virtual IP addresses, link addresses, and so on) must be associated with route domain
0
.
Benefits of route domains
Using the route domains feature of the BIG-IP® system, you can provide
hosting service for multiple customers by isolating each type of application traffic within a
defined address space on the network.
With route domains, you can also use duplicate IP addresses on the network, provided that each of the duplicate addresses resides in a separate route domain and is isolated on the
network through a separate VLAN. For example, if you are processing traffic for two different
customers, you can create two separate route domains. The same node address (such as
10.0.10.1
)
can reside in each route domain, in the same pool or in different pools, and you can assign a
different monitor to each of the two corresponding pool members.
Sample partitions with route domain objects
This illustration shows two route domain objects on a BIG-IP system, where each route domain
corresponds to a separate customer, and thus resides in its own partition. Within each partition,
the customer created the network objects and local traffic objects required for that customer's
application (
AppA
or
AppB
).
Sample partitions with route domains
Sample route domain deployment
A good example of the use of route domains is a configuration for an ISP that services multiple
customers, where each customer deploys a different application. In this case, the BIG-IP system isolates traffic for two different
applications into two separate route domains. The routes for each application's traffic cannot
cross route domain boundaries because cross-routing restrictions are enabled on the BIG-IP system
by default.
A sample route domain deployment
About route domain IDs
A
route domain ID
is a unique numerical identifier for a route domain. You can
assign objects with IP addresses (such as self IP addresses, virtual addresses, pool members, and
gateway addresses) to a route domain by appending the %
ID
to the IP
address.
The format required for specifying a route domain ID in an object’s IP address is
A.B.C.D%ID
, where
ID
is the ID of the relevant route domain. For example, both the local traffic node object
10.10.10.30%2
and the pool member
10.10.10.30%2:80
pertain to route domain
2
.
The BIG-IP system includes a default route domain with an ID of
0
. If you
do not explicitly create any route domains, all routes on the system pertain to route domain
0
.
A route domain ID must be unique on the BIG-IP system; that is, no two
route domains on the system can have the same ID.
Traffic forwarding across route domains
You can create a parent-child relationship between two route domains, and configure strict
isolation, to control the extent to which the BIG-IP® system can forward
traffic from one route domain to another.
About parent IDs
When you create a route domain, you can specify the ID of another route domain as the parent
route domain. The
parent ID
identifies another route domain that the system can
search to find a route if the system cannot find the route within the child route domain.
For example, using the BIG-IP® Configuration utility, suppose you create
route domain
1
and assign it a parent ID of
0
. For
traffic pertaining to route domain
1
, the system looks within route domain
1
for a route for the specified destination. If no route is found, the
system searches the routes in route domain
0
.
By default, if the system finds no route in the parent route domain, the system searches the
parent route domain’s parent, and so on, until the system finds either a match or a route domain
with no parent. In the latter case, the system refrains from searching any other route domains to
find a match, thus preventing the system from using a route from another route domain.
You can disable this behavior on a route domain.
About strict isolation
You can control the forwarding of traffic across route domain boundaries by configuring the
strict isolation
feature of a route domain:
If strict isolation is enabled, the BIG-IP® system allows traffic
forwarding from that route domain to the specified parent route domain only. This is the default
behavior. Note that for successful isolation, you must enable the strict isolation feature on
both the child and the parent route domains.
If strict isolation is disabled, the BIG-IP system allows traffic forwarding from that route
domain to any route domain on the system, without the need to define a parent-child relationship
between route domains. Note that in this case, for successful forwarding, you must disable the
strict isolation feature on both the forwarding route domain and the target route domain (that
is, the route domain to which the traffic is being forwarded).
If you connect to a virtual server in a route domain (e.g. RD0), but create another route
domain assignment (e.g. RD1), and run the resources option, you might see the behavior for
network access and AppTunnel resources differ. The following scenarios can occur:
With a network access resource, you can reach the backend in RD1.
With an AppTunnel resource, you cannot reach the backend in RD1. To reach the backend, you
must either disable the strict isolation option for both route domains (RD0 and RD1) or set RD0
as the parent route domain of RD1.
About default route
domains for administrative partitions
The route domains feature includes the concept of default route domains, to
minimize the need for you to specify the %ID notation. When you designate a route domain as the
default route domain
in a partition, any BIG-IP system
objects in that partition that do not include the %ID notation in their IP addresses are
automatically associated with the default route domain.
The default route domain
for partition Common
The BIG-IP system, by default, includes one route domain, named route
domain
0
. Route domain
0
is known as the
default route domain
on the BIG-IP system, and this route domain resides in
administrative partition
Common
. If
you do not create any other route domains on the system, all traffic automatically pertains to
route domain
0
.
If you want to segment traffic into multiple route domains, you can create
additional route domains in partition
Common
and then segment application traffic among those route domains. Any BIG-IP
addresses that do not include the route domain ID notation are automatically associated with the
default route domain.
Any VLANs
that reside in partition
Common
are
automatically assigned to the default route domain.
The default route domain
for other partitions
For administrative partitions other than
Common
, you can create a route domain and
designate it as a
partition default route domain
. A partition
can contain one partition default route domain only.
The benefit of having a partition default route domain is that when you
create objects such as a virtual server and pool members within that partition, you do not need
to specify the ID of that default route domain within the addresses for those objects. For
example, if you create a partition default route domain with an ID of
2
in partition
A
, the system automatically assigns any
partition
A
object IP addresses
without a route domain ID to route domain
2
.
If no partition default route domain exists within the partition, the
system associates those addresses with route domain
0
in partition
Common
.
About VLAN and tunnel assignments for a route domain
You can assign one or more VLANs, VLAN groups, or tunnels to a route domain. The VLANs, VLAN
groups, or tunnels that you assign to a route domain are those pertaining to the particular
traffic that you want to isolate in that route domain. Each VLAN, VLAN group, or tunnel can be a
member of one route domain only.
When you assign a VLAN group to a route domain, the BIG-IP system automatically assigns the VLAN group members to the route domain.
Please note the following facts:
If you delete a VLAN group from the system, the VLAN group members remain assigned to the route domain.
If a VLAN is assigned to a non-default route domain and you delete
that route domain, the BIG-IP system automatically assigns the VLAN to the default route domain for that partition.
When you create VLANs, VLAN groups, and tunnels, the BIG-IP system automatically assigns them to the default route domain of the current partition. You can change this assignment when you create other route domains in the partition.
You cannot assign a VLAN that resides in partition
Common
to a route domain in another partition.
About advanced routing
modules for a route domain
For each route domain that you configure, you can enable one or more dynamic
routing protocols, as well as the network protocol Bidirectional Forwarding Detection (BFD). Use
of dynamic routing and BFD for route domain
0
or any other route domain is optional.
About throughput limits on route domain traffic
When you configure more than one route domain on the BIG-IP system, the traffic from one
particular route domain can potentially consume an inordinate amount of BIG-IP system resource.
To prevent this, you can define the amount of BIG-IP system resource that traffic for each route
domain can consume.
You do this by assigning a different throughput limit to each route domain. This throughput
limit is defined in a
bandwidth controller policy
. For example, for route domain
1
, you can assign a static bandwidth controller policy that specifies a
throughput limit of 10 Gbps, while for route domain
2
, you can assign a
static bandwidth controller policy that specifies a throughput limit of 20 Gbps. When you assign
a different bandwidth controller policy to each route domain, traffic for one route domain does
not cross the boundary into another route domain on the system.
Applying a bandwidth controller policy to a route domain affects all
traffic transmitted by the BIG-IP system to VLANs in the route domain, including health monitors
and DNS queries.
The BIG-IP system applies a bandwidth controller policy to a route domain's
egress traffic only, that is, the traffic that the BIG-IP system transmits. Ingress traffic into
the BIG-IP system is processed before the BIG-IP system applies the bandwidth controller policy,
as it forwards the traffic.
Creating a route domain on the BIG-IP system
Before you create a route domain:
Ensure that an external and an internal VLAN exist on the BIG-IP system.
Verify that you have set the current partition on the system to the partition in which you want the route domain to reside.
You can create a route domain on BIG-IP system to segment (isolate) traffic on your
network. Route domains are useful for multi-tenant configurations.
On the Main tab, click
Network
Route Domains
.
The Route Domain List screen opens.
Click
Create
.
The New Route Domain screen opens.
In the
Name
field, type a name for the route
domain.
This name must be unique within the administrative partition in which the
route domain resides.
In the
ID
field, type an ID number for the route
domain.
This ID must be unique on the BIG-IP system; that is, no other route domain on
the system can have this ID.
An example of a route domain ID is
1
.
For the
Parent Name
setting, retain the default
value.
For the
VLANs
setting, from the
Available
list, select a VLAN name and move it to the
Members
list.
Select the VLAN that processes the application traffic relevant to this route
domain.
Configuring this setting ensures that the BIG-IP system immediately associates
any self IP addresses pertaining to the selected VLANs with this route domain.
Click
Finished
.
The system displays a list of route domains on the BIG-IP
system.
You now have another route domain on the BIG-IP system.
