F5 Lab 1.19: Configuring Route-Domain
After updating my lab topology in my last article, I started configuring route domains on the F5 to advertise the virtual addresses and self IPs to the client segment. The goal of the lab is to separate resources between transactional and non-transactional services. In brief, a route domain in F5 is an object for segmenting network traffic; in short, it is the F5 equivalent of a VRF (Virtual Routing and Forwarding). Each route domain has its own routing process, and network traffic is isolated between route domains. Traffic forwarding between route domains can be controlled by enabling or disabling the strict isolation option in the route domain configuration.
A use case for configuring different route domains is service separation or multi-tenancy. For example, when services on an F5 belong to different companies, the resources can be grouped into one route domain per company, so that only the corresponding company can access the resources in its route domain, and each route domain has its own routing process. Because each route domain is a separate network segment, the administrator can reuse the same IP address in different route domains. A multi-tenancy implementation often combines route domains with partitions for finer control over user access.
By default only one route domain exists on the F5. The default route domain is referenced by route domain ID 0; an object created with no route domain ID belongs to the default route domain (ID 0) and resides in the Common partition. Route domain IDs are unique. To specify the route domain during object creation, append %ROUTE_DOMAIN_ID to the address. For example, if you want self IP 192.168.1.254 to reside in route domain 1, configure it as 192.168.1.254%1 and make sure the referenced VLAN has been added to the route domain ID 1 configuration. Referencing the route domain in each object is not necessary if the route domain is combined with a partition, because a partition can be assigned a default route domain. In a route domain you can add VLANs and run supported routing protocols: BFD, BGP, IS-IS, OSPFv2, OSPFv3, PIM, RIP, and RIPng.
Let's design the logical view for route domain of F5-HA1.
The picture above is the route-domain logical diagram for F5-HA1. It has two route domains, with route-domain ID 1 and route-domain ID 2. All objects related to transactional applications reside in RD 1, while non-transactional applications reside in RD 2. Both route domains are located in the Common partition. The route domains run the OSPFv2 routing protocol and form a neighborship with the N9K-CORE-1 switch.
Let's design the logical view for route domain of F5-HA2.
The picture above is the route-domain logical diagram for F5-HA2. As on F5-HA1, it has two route domains, with route-domain ID 1 and route-domain ID 2. All objects related to transactional applications reside in RD 1, while non-transactional applications reside in RD 2. Both route domains are located in the Common partition. The route domains run the OSPFv2 routing protocol and form a neighborship with the N9K-CORE-2 switch.
Using the addressing scheme from the last article, let's start configuring the route domain.
1. Navigate to Network => Route Domains. Click "Create".
2. On the route-domain creation page, configure the following parameters and then click "Finished".
Parameters:
Verify the route-domain using TMSH:
3. Create the self IPs for each VLAN. Don't forget to append %1 to the IP address of each self IP to identify which route domain it belongs to.
4. Create the pool and virtual server for the payment application. Don't forget to append %1 to the node address, source address and virtual address. Also choose the correct profiles and make sure the virtual server is enabled on the external VLAN.
5. Modify the routing configuration of the route domain using the IMI (Integrated Management Interface) Shell, or imish. Switch to the IMI Shell from the TMOS shell using the command:
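Steps 2 to 4 can also be done from tmsh instead of the GUI. The following is an added example, not configuration from the original article: the route-domain ID, the %1 suffix, the 192.0.102.0/24 web segment, the 10.10.101.0/30 transit to N9K-CORE-1, PAYMENT_WEB_VS and 198.51.100.102 come from the article, while the VLAN names and tags, the F5 interface, the self IP host addresses (10.10.101.1 is the only remaining host in the /30, the core switch being .2) and the node address 192.0.102.11 are assumptions.

```tmsh
# Added example: tmsh equivalent of steps 2-4 for route domain 1 (RD 1).
# VLAN names/tags, the interface and the host addresses are assumed; the
# article does not state them.

# Transit VLAN towards N9K-CORE-1 (tag 3001 on the core trunk) and the
# internal web VLAN (tag assumed). Interface 1.1 is assumed.
create net vlan VLAN_11_EXT_TRANS tag 3001 interfaces add { 1.1 { tagged } }
create net vlan VLAN_12_WEB_TRANS tag 3011 interfaces add { 1.1 { tagged } }

# Step 2: the route domain. Its ID is the number after '%' in every address
# that belongs to it. Both VLANs become members of RD 1, and OSPFv2 must be
# selected here, otherwise ZebOS will not run OSPF for this route domain.
# 'strict enabled' keeps traffic from being forwarded into other RDs.
create net route-domain RD_1 id 1 vlans add { VLAN_11_EXT_TRANS VLAN_12_WEB_TRANS } routing-protocol add { OSPFv2 } strict enabled

# Step 3: one self IP per VLAN, each with %1 so it lands in RD 1.
# 'allow-service default' lets the transit self IP accept OSPF (IP protocol 89)
# from the core switch; the web-side self IP accepts no inbound services.
create net self SELF_EXT_RD1 address 10.10.101.1%1/30 vlan VLAN_11_EXT_TRANS allow-service default traffic-group traffic-group-local-only
create net self SELF_WEB_RD1 address 192.0.102.254%1/24 vlan VLAN_12_WEB_TRANS allow-service none traffic-group traffic-group-local-only

# Step 4: pool and virtual server. The pool member (node address), the VS
# destination and the VS source all carry %1, so all of them belong to RD 1.
# The VS listens only on the external VLAN.
create ltm pool PAYMENT_WEB_POOL monitor http members add { 192.0.102.11%1:80 }
create ltm virtual PAYMENT_WEB_VS destination 198.51.100.102%1:80 source 0.0.0.0%1/0 ip-protocol tcp profiles add { tcp http } pool PAYMENT_WEB_POOL source-address-translation { type automap } vlans add { VLAN_11_EXT_TRANS } vlans-enabled

# Verify: RD_1 lists both VLANs and OSPFv2, and every address shows the %1
# suffix. Then persist the configuration.
list net route-domain RD_1
list net self
list ltm virtual PAYMENT_WEB_VS
save sys config
```

The self IP on the transit VLAN is the one that matters for OSPF: with a port lockdown of `allow-service none` the adjacency with the core switch never leaves the Init state, because the self IP drops the inbound OSPF hellos.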
run util imish -r <route_domain_ID>
The prompt then changes to ZebOS:
The prompt shows the device hostname, the route-domain ID and the user mode, which is identified by the ">" sign. ZebOS uses Cisco-like commands: to enter privileged mode type "enable" and the prompt changes to "#". To start configuring routing, type "configure terminal" to enter global configuration mode.
Configure OSPF and advertise the virtual address by redistributing kernel routes into OSPF:
router ospf 1
 ospf router-id 3.3.3.3
 redistribute kernel
 passive-interface VLAN_12_WEB_TRANS
 network 10.10.101.0/30 area 0
 network 192.0.102.0 0.0.0.255 area 0
!
Save the configuration by typing "copy run start".
Then show the whole route-domain routing configuration by executing "show running-config".
6. Configure the interfaces, VLANs, HSRP and OSPF on the N9K-CORE-1 switch.
#### Feature Configuration ####
feature ospf
feature interface-vlan
feature hsrp
#### VLAN Config ####
vlan 1,198,3000-3005
vlan 198
  name USER-SEGMENT
vlan 3001
  name TRANSACTION-RD1
vlan 3002
  name TRANSACTION-RD2
vlan 3003
  name TRANSACTION-RD3
vlan 3004
  name TRANSACTION-RD4
vlan 3005
  name TRANSACTION-RD5
#### Interface and HSRP Config ####
interface Vlan198
  description USER-SEGMENT
  no shutdown
  ip address 192.168.100.2/24
  ip router ospf 1 area 0.0.0.0
  hsrp 198
    preempt
    priority 110
    ip 192.168.100.1
interface Vlan3001
  no shutdown
  ip address 10.10.101.2/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface Vlan3002
  no shutdown
  ip address 10.10.102.2/30
  no ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
interface port-channel1
  description CONNECT TO F5-HA1
  switchport mode trunk
  switchport trunk allowed vlan 3001-3005
interface Ethernet1/1
  switchport mode trunk
  switchport trunk allowed vlan 3001-3005
  channel-group 1
interface Ethernet1/2
  description INTERLINK-CORE
  switchport mode trunk
  switchport trunk allowed vlan 198
interface Ethernet1/3
  description CONNECT TO SW-ACCESS
  switchport mode trunk
interface Ethernet1/4
  switchport mode trunk
  switchport trunk allowed vlan 3001-3005
  channel-group 1
#### OSPF Configuration ####
router ospf 1
  router-id 1.1.1.1
  passive-interface default
7. Verify OSPF adjacency and routing table on the F5 via ZebOS.
Verifying with the command "show ip ospf neighbor", the OSPF adjacency is established, as identified by the Full state. The output of "show ip route" shows that F5 route domain ID 1 has received the user prefix 192.168.100.0/24 and installed it in the routing table.
8. Verify OSPF adjacency and routing table on the core switch.
Verifying with the command "show ip ospf neighbor", the OSPF adjacency is established, as identified by the Full state. The output of "show ip route" shows that the N9K-CORE-1 switch has received the self IP prefix 192.0.102.0/24 and installed it in the routing table.
But if you look closely, there is no virtual IP address in the switch's routing table, so the user segment has no reachability to the virtual IP. Why does this happen? The virtual IP address is sourced by the F5 from the kernel and is identified as a kernel route. The route domain's OSPF configuration already redistributes kernel routes into OSPF, so why is it not advertised? Looking at the F5 routing table, the route for the virtual IP does not exist, so there is nothing to redistribute into OSPF. To make the virtual address appear in the routing table, the virtual address must be advertised. Let's jump into the virtual address configuration.
As you can see in the picture above, route advertisement is disabled in the virtual address configuration; that's why the virtual IP address does not exist in the routing table. Let's change it to enabled and then verify the routing table.
After changing route advertisement in the virtual address configuration to Enabled, the virtual IP address of PAYMENT_WEB_VS, 198.51.100.102/32, immediately appears in the routing table and is redistributed into OSPF. Let's look at the N9K-CORE-1 routing table again and make sure the virtual address is present.
As you can see in the output of the switch's routing table, the virtual address of PAYMENT_WEB_VS, 198.51.100.102/32, is now received and installed in the routing table, so the user segment can reach the web service. With this verification, route domain ID 1 and routing reachability using OSPF are successfully implemented. The same steps can then be done for the non-transactional traffic in route domain ID 2.
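The same check and fix from tmsh and imish rather than the GUI, as an added example that is not from the original article. The order is the one I would use when troubleshooting a missing VIP route: read the setting, change it, confirm the kernel route in RD 1's ZebOS table, and only then look at the core switch. The virtual-address object name 198.51.100.102%1 follows tmsh's default naming (address plus route-domain suffix) and is assumed; the ZebOS output line is a sketch of the expected entry, not captured output.

```tmsh
# Added example: check and fix route advertisement for the payment VIP.
# Before the fix this prints 'route-advertisement disabled'.
list ltm virtual-address 198.51.100.102%1 route-advertisement

# 'enabled' advertises the /32 only while a virtual server on this address
# is available (at least one pool member up), so a failed service also
# drops out of OSPF; 'always' would advertise it unconditionally.
modify ltm virtual-address 198.51.100.102%1 route-advertisement enabled
save sys config

# Confirm the VIP now appears as a kernel route ('K') in RD 1. The lines
# below are typed at the ZebOS prompt that imish opens, shown as comments.
run util imish -r 1
#   show ip route
#     K    198.51.100.102/32 ...        <- present only after the change above
#   show ip ospf database external       <- the /32 as a Type-5 LSA from 'redistribute kernel'
#   exit
```

If the kernel route is present in ZebOS but the switch still lacks it, the problem is in the OSPF redistribution (step 5), not in the virtual address.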
Key points of the lab:
1. The route domain routing configuration is accessed in ZebOS via the IMI Shell.
2. To configure a routing protocol on a route domain, always make sure the routing protocol has been selected in the route domain configuration. F5 supports BFD, BGP, IS-IS, OSPFv2, OSPFv3, PIM, RIP, and RIPng.
3. Virtual IP addresses are sourced as kernel routes from TMM and appear with flag "K" in the routing table.
4. If the virtual address needs to be advertised, always check the route advertisement setting in the virtual address configuration and make sure it is not disabled.
5. When advertising kernel routes into OSPF, make sure the redistribute kernel command exists in the OSPF configuration.