Manual Chapter : Route Domains

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Analytics

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Link Controller

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP PEM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Manual Chapter

Route Domains

What is a route domain?

A
route domain
is a configuration object that isolates network traffic for a particular application on the network.
Because route domains segment network traffic, you can assign the same IP address or subnet to multiple nodes on a network, provided that each instance of the IP address resides in a separate routing domain.
Route domains are compatible with both IPv4 and IPv6 address formats.
On a BIG-IP® system that includes both Local Traffic Manager (LTM) and Global Traffic Manager (now BIG-IP ® DNS), all IP addresses that BIG-IP DNS references (virtual IP addresses, link addresses, and so on) must be associated with route domain
0
.

Benefits of route domains

Using the route domains feature of the BIG-IP® system, you can provide hosting service for multiple customers by isolating each type of application traffic within a defined address space on the network.
With route domains, you can also use duplicate IP addresses on the network, provided that each of the duplicate addresses resides in a separate route domain and is isolated on the network through a separate VLAN. For example, if you are processing traffic for two different customers, you can create two separate route domains. The same node address (such as
10.0.10.1
) can reside in each route domain, in the same pool or in different pools, and you can assign a different monitor to each of the two corresponding pool members.

Sample partitions with route domain objects

This illustration shows two route domain objects on a BIG-IP system, where each route domain corresponds to a separate customer, and thus resides in its own partition. Within each partition, the customer created the network objects and local traffic objects required for that customer's application (
AppA
or
AppB
).
Sample partitions with route domains
sample partitions with route domains

Sample route domain deployment

A good example of the use of route domains is a configuration for an ISP that services multiple customers, where each customer deploys a different application. In this case, the BIG-IP system isolates traffic for two different applications into two separate route domains. The routes for each application's traffic cannot cross route domain boundaries because cross-routing restrictions are enabled on the BIG-IP system by default.
A sample route domain deployment
sample route domain deployment

About route domain IDs

A
route domain ID
is a unique numerical identifier for a route domain. You can assign objects with IP addresses (such as self IP addresses, virtual addresses, pool members, and gateway addresses) to a route domain by appending the %
ID
to the IP address.
The format required for specifying a route domain ID in an object’s IP address is
A.B.C.D%ID
, where
ID
is the ID of the relevant route domain. For example, both the local traffic node object
10.10.10.30%2
and the pool member
10.10.10.30%2:80
pertain to route domain
2
.
The BIG-IP system includes a default route domain with an ID of
0
. If you do not explicitly create any route domains, all routes on the system pertain to route domain
0
.
A route domain ID must be unique on the BIG-IP system; that is, no two route domains on the system can have the same ID.

Traffic forwarding across route domains

You can create a parent-child relationship between two route domains, and configure strict isolation, to control the extent to which the BIG-IP® system can forward traffic from one route domain to another.

About parent IDs

When you create a route domain, you can specify the ID of another route domain as the parent route domain. The
parent ID
identifies another route domain that the system can search to find a route if the system cannot find the route within the child route domain.
For example, using the BIG-IP® Configuration utility, suppose you create route domain
1
and assign it a parent ID of
0
. For traffic pertaining to route domain
1
, the system looks within route domain
1
for a route for the specified destination. If no route is found, the system searches the routes in route domain
0
.
By default, if the system finds no route in the parent route domain, the system searches the parent route domain’s parent, and so on, until the system finds either a match or a route domain with no parent. In the latter case, the system refrains from searching any other route domains to find a match, thus preventing the system from using a route from another route domain.
You can disable this behavior on a route domain.

About strict isolation

You can control the forwarding of traffic across route domain boundaries by configuring the
strict isolation
feature of a route domain:
  • If strict isolation is enabled, the BIG-IP® system allows traffic forwarding from that route domain to the specified parent route domain only. This is the default behavior. Note that for successful isolation, you must enable the strict isolation feature on both the child and the parent route domains.
  • If strict isolation is disabled, the BIG-IP system allows traffic forwarding from that route domain to any route domain on the system, without the need to define a parent-child relationship between route domains. Note that in this case, for successful forwarding, you must disable the strict isolation feature on both the forwarding route domain and the target route domain (that is, the route domain to which the traffic is being forwarded).
If you connect to a virtual server in a route domain (e.g. RD0), but create another route domain assignment (e.g. RD1), and run the resources option, you might see the behavior for network access and AppTunnel resources differ. The following scenarios can occur:
  • With a network access resource, you can reach the backend in RD1.
  • With an AppTunnel resource, you cannot reach the backend in RD1. To reach the backend, you must either disable the strict isolation option for both route domains (RD0 and RD1) or set RD0 as the parent route domain of RD1.

About default route domains for administrative partitions

The route domains feature includes the concept of default route domains, to minimize the need for you to specify the %ID notation. When you designate a route domain as the
default route domain
in a partition, any BIG-IP system objects in that partition that do not include the %ID notation in their IP addresses are automatically associated with the default route domain.

The default route domain for partition Common

The BIG-IP system, by default, includes one route domain, named route domain
0
. Route domain
0
is known as the
default route domain
on the BIG-IP system, and this route domain resides in administrative partition
Common
. If you do not create any other route domains on the system, all traffic automatically pertains to route domain
0
.
If you want to segment traffic into multiple route domains, you can create additional route domains in partition
Common
and then segment application traffic among those route domains. Any BIG-IP addresses that do not include the route domain ID notation are automatically associated with the default route domain.
Any VLANs that reside in partition
Common
are automatically assigned to the default route domain.

The default route domain for other partitions

For administrative partitions other than
Common
, you can create a route domain and designate it as a
partition default route domain
. A partition can contain one partition default route domain only.
The benefit of having a partition default route domain is that when you create objects such as a virtual server and pool members within that partition, you do not need to specify the ID of that default route domain within the addresses for those objects. For example, if you create a partition default route domain with an ID of
2
in partition
A
, the system automatically assigns any partition
A
object IP addresses without a route domain ID to route domain
2
.
If no partition default route domain exists within the partition, the system associates those addresses with route domain
0
in partition
Common
.

About VLAN and tunnel assignments for a route domain

You can assign one or more VLANs, VLAN groups, or tunnels to a route domain. The VLANs, VLAN groups, or tunnels that you assign to a route domain are those pertaining to the particular traffic that you want to isolate in that route domain. Each VLAN, VLAN group, or tunnel can be a member of one route domain only.
When you assign a VLAN group to a route domain, the BIG-IP system automatically assigns the VLAN group members to the route domain.
Please note the following facts:
  • If you delete a VLAN group from the system, the VLAN group members remain assigned to the route domain.
  • If a VLAN is assigned to a non-default route domain and you delete that route domain, the BIG-IP system automatically assigns the VLAN to the default route domain for that partition.
  • When you create VLANs, VLAN groups, and tunnels, the BIG-IP system automatically assigns them to the default route domain of the current partition. You can change this assignment when you create other route domains in the partition.
You cannot assign a VLAN that resides in partition
Common
to a route domain in another partition.

About advanced routing modules for a route domain

For each route domain that you configure, you can enable one or more dynamic routing protocols, as well as the network protocol Bidirectional Forwarding Detection (BFD). Use of dynamic routing and BFD for route domain
0
or any other route domain is optional.

About throughput limits on route domain traffic

When you configure more than one route domain on the BIG-IP system, the traffic from one particular route domain can potentially consume an inordinate amount of BIG-IP system resource. To prevent this, you can define the amount of BIG-IP system resource that traffic for each route domain can consume.
You do this by assigning a different throughput limit to each route domain. This throughput limit is defined in a
bandwidth controller policy
. For example, for route domain
1
, you can assign a static bandwidth controller policy that specifies a throughput limit of 10 Gbps, while for route domain
2
, you can assign a static bandwidth controller policy that specifies a throughput limit of 20 Gbps. When you assign a different bandwidth controller policy to each route domain, traffic for one route domain does not cross the boundary into another route domain on the system.
Applying a bandwidth controller policy to a route domain affects all traffic transmitted by the BIG-IP system to VLANs in the route domain, including health monitors and DNS queries.
The BIG-IP system applies a bandwidth controller policy to a route domain's egress traffic only, that is, the traffic that the BIG-IP system transmits. Ingress traffic into the BIG-IP system is processed before the BIG-IP system applies the bandwidth controller policy, as it forwards the traffic.

Creating a route domain on the BIG-IP system

Before you create a route domain:
  • Ensure that an external and an internal VLAN exist on the BIG-IP system.
  • Verify that you have set the current partition on the system to the partition in which you want the route domain to reside.
You can create a route domain on BIG-IP system to segment (isolate) traffic on your network. Route domains are useful for multi-tenant configurations.
  1. On the Main tab, click
    Network
    Route Domains
    .
    The Route Domain List screen opens.
  2. Click
    Create
    .
    The New Route Domain screen opens.
  3. In the
    Name
    field, type a name for the route domain.
    This name must be unique within the administrative partition in which the route domain resides.
  4. In the
    ID
    field, type an ID number for the route domain.
    This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID.
    An example of a route domain ID is
    1
    .
  5. For the
    Parent Name
    setting, retain the default value.
  6. For the
    VLANs
    setting, from the
    Available
    list, select a VLAN name and move it to the
    Members
    list.
    Select the VLAN that processes the application traffic relevant to this route domain.
    Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.
  7. Click
    Finished
    .
    The system displays a list of route domains on the BIG-IP system.
You now have another route domain on the BIG-IP system.