Configuring Route Domains in F5 Big-IP LTM 11.x

Captions
Hello guys. I believe creating a route domain video tutorial could help you guys understand route domains better, since I had difficulty understanding route domains myself a few years back. So I will start off with a few minutes of introduction about route domains, and then I will start configuring the route domain. If you're not interested in listening to the intro about route domains you can skip ahead; after six minutes I will start configuring the route domain.

Imagine that you are a service provider and you have multiple clients, and you are providing BIG-IP as a service. You give certain VLANs to certain clients and some other set of VLANs to other clients, you do not have control over what IPs they use, and you want BIG-IP to handle both sets of traffic. In that scenario a route domain would help you, since a route domain will isolate the traffic between one set of VLANs and another. One of the main reasons why you need route domains is, for example, if you are a very big corporate and you have multiple departments, certain departments are geographically located in different places as well, you have different sets of VLANs and you reuse the IP addresses. One of the advantages of using VLANs is to reuse IP addresses. When it comes to BIG-IP, BIG-IP is quite expensive, so if you want all this traffic, all the VLANs, to be handled by a single BIG-IP, how would the BIG-IP differentiate the IP addresses for each individual VLAN? That is the reason why you need route domains.

This manual chapter, as you can see (I will put this link on my website), explains route domains. So route domains are a configuration object. As I mentioned before, if you have the same IP addresses or the same subnets and you want BIG-IP to handle the traffic on different VLANs, you need a route domain. You could actually go ahead and read this document; it's quite informative. The images are not very clear, but you could make some idea out of it.

Most service providers, what they do is they create a user, associate a partition, and assign the partition a route domain. There is an option to add a route domain for a partition; I will show that at the end of this video.

Say this is a network diagram (even though it doesn't look like a network diagram, just imagine that it is our network diagram). Here these different colors represent different departments, and this is a single BIG-IP which is handling all the traffic. One thing that they have in common is the subnet: 10.2.2.0; I mean everything has the same subnet, however they have different VLANs. So if you want BIG-IP to handle their traffic, for example HR wants to use it because they want to deliver applications, they want to enhance the speed or they want to distribute the load, HR could use it, and you could isolate the traffic completely for HR. Say this is the HR department and say this is Sales, and you want to isolate the traffic, you want them both to use the BIG-IP, and you want to utilize the BIG-IP as much as you can. So you need to use route domains to isolate the traffic in the BIG-IP. They use the same subnets but different VLANs; you could do it.

However, imagine the Sales people want to communicate to a web server which is located in the HR department. Of course they may need it to apply for a holiday or to check their pay; I mean it could be any reason. So they want to get access to the HR subnet, these VLANs, where it has the same IP addresses. If you want the Sales department to contact the HR web server, what you would generally do (it depends on the configuration of your network and how the web servers are configured) is you would have a virtual server in Sales listening on the Sales side, and you would have pool members for that on the HR side.

So in order to communicate from one route domain to another route domain, you need to have strict isolation disabled. By default strict isolation is enabled whenever you create a route domain, so if you want to communicate from one route domain to another route domain you need to disable it on both route domains. I will show you in the upcoming configuration how to do that; I will set up a similar lab and I will show that to you. I believe creating a lab would help us understand route domains better.

So this is my lab setup. I have a BIG-IP, and this is a Windows XP machine (let me change the pen color), which has the IP address 10.2.2.1 with a /24 subnet. And here I have a web server; this is the web server, and that is the Windows XP machine, so that will be our client and this will be our web server. This is on VLAN 100; everything green here is in VLAN 100, and everything here in blue is VLAN 200. Let me show you where I have the BIG-IP. This is BackTrack, and I'm running Apache there; these are the IP addresses. To simulate multiple pool members I created some virtual interfaces and put multiple IP addresses here. My BIG-IP SSH session is here; I believe it's still up. Okay, so that is my BIG-IP and it is running version 11.4. This is the SSH, and I will show you the web GUI, just logging into the BIG-IP. Yep, it is running 11.4.1, and I have the client machine, whose connection has already timed out; let me try to connect again. Okay, so you can see it's the Windows XP machine and the IP address is 10.2.2.1. So this is the client machine, the client machine is here, the BIG-IP SSH session is here, this is our web server, which is BackTrack running Apache, and this is the web GUI again for the same BIG-IP. So this is how it looks: Windows XP, web server and BIG-IP. Now let's go ahead and configure the settings.

One of the main things that you need to notice is that the IP address of the Windows XP is actually 10.2.2.1, and the web server IP address is also 10.2.2.1 (I have multiple IP addresses, as I mentioned before; I'll show that to you). So they both are in the same subnet. Our goal is to communicate from Windows XP to this web server; I mean it's not exactly direct communication, but the BIG-IP needs to handle both the client-side traffic and the web server traffic separately. We will see how we do it.

Let me go to the web GUI and go to the VLANs. The first thing is that you need to have the VLANs in place, and I already created three VLANs here: vlan100, vlan200 and vlan300. As I mentioned in the diagram, the Windows XP we will put in VLAN 100 and the web server we will put in VLAN 200. So vlan100 is where we will have our XP machine and vlan200 is where we will have our web server. Here, under Network, is where you see the route domains configuration; you might have seen it before and didn't pay attention. As soon as you click on route domains you will see route domain 0, which the system creates by default. Even if you haven't configured or used route domains before, you will see route domain 0 in your unit by default, and all the VLANs and all the IP addresses that you used before configuring route domains will automatically come inside route domain 0.

So let's go ahead and create one route domain and see how it looks. I'm going to give the name, say client (the name doesn't matter), and then the ID, which is important. A good practice is to start with 1, 2, 3, 4; do not put weird numbers like 200, 300. I do not know what the maximum number is that you could put there, but the best practice is to start with 1, 2, 3, 4, 5, 6. So I will just start with 1. Description: I don't want to give any. And for the VLAN I put vlan100, which is where our client machine, our XP, will be connected to, so I put this. Here you actually see the available VLANs; the available VLANs are the VLANs which are in route domain 0. The dynamic routing protocol we are not going to cover today, since it's a very broad topic if I'm going to explain dynamic routing, but do not worry about it; for a basic setup you don't need it, so I will leave that as default and won't configure anything there. The bandwidth controller as well, I am not going to modify; I will just leave it as it is. Then let me click on Finish, and let me create another one named server, and here I will give route domain ID 2 and put vlan200 here. Okay, so we have 100, 200 and 300; these are the VLANs that we have.

And remember, a single VLAN cannot be in multiple route domains, but in a single route domain you can have multiple VLANs. So a single VLAN can belong to only one route domain, but a route domain can have multiple VLANs. If I try to create another route domain and put an already existing VLAN in it, it would actually move. Let me actually create one: I'll just put route domain ID 3 and I'll put vlan200. Remember we have this VLAN already associated with route domain 2; if I actually assign it here, it should move from route domain 2 to route domain 3. Let me try it. See, it actually moved from route domain 2 to route domain 3. So as I mentioned before, a single VLAN can be present in only one route domain. If I delete this one it will go to the default route domain, that is route domain 0. Let me try to delete it, and then I could just go there and add it back.

Okay, after creating the route domains, now we need to create self IP addresses for the unit. Let me go to Self IPs. We need to create self IPs, one for the client side and another one for the web server. Let me put it in the diagram. Where the BIG-IP is, we already created two route domains, so this one belongs to route domain 1, and the web server side traffic belongs to route domain 2; the client side traffic for the BIG-IP belongs to route domain 1. Okay, so we need to create a self IP. I think it's better for me to put the route domain near the BIG-IP, because that's where we associate it. So this is route domain 1, and let's put a self IP (excuse my handwriting, please): 10.2.2.201. And this side belongs to VLAN 200, which belongs to route domain 2, and let's put a self IP; just to make things interesting, let me put the same self IP address under that one. If you remember, previously when I was explaining with the solution article and saying something about route domains, I mentioned we need to suffix it with a percentage sign when we create the IP address; I'll just put %1 here and %2 here. Sorry about the messy IP addresses, it could be a bit confusing.

Okay, let's go and configure the self IP address. Create; for the name I'll just put self_vlan100, that's fine; IP address 10.2.2.201, then mention the percentage symbol and put 1, since this belongs to route domain 1 (this VLAN, vlan100, belongs to route domain 1). The subnet mask, if you remember, was /24, so I just put 24. This is a self IP address, not a floating one. And for the port lockdown settings I will choose Allow Default, since I want to perform ping and other tests, so I know the port is listening. So I'll just finish it. And I will do the same for the VLAN towards the web server side, vlan200. Interestingly, we will have the same IP address with a little change here: we put %2, since it belongs to route domain 2, and make sure that you choose vlan200. You don't actually choose any route domain here; the only way the IP address knows which route domain it belongs to is by mentioning %2. And here, Allow Default; I mean it depends on your network, but I always recommend using Allow None, or choosing Custom and including the ports that you'd like to open on that interface. Okay, so we got the IP addresses here.

Having the self IP addresses configured on the unit, let's actually go ahead and check whether there's connectivity between the BIG-IP and Windows XP, and between the BIG-IP and the web server. Let me go to the SSH session on the BIG-IP. This BIG-IP is 10.2.2.201; 10.2.2.201 is the self IP address, and the Windows XP IP address is 10.2.2.1 and it belongs to route domain 1, so I need to put %1, and it will ping. Brilliant. And to ping the web server all I need to do is put %2. Okay, this is a customized thing for BIG-IP, that's why it understood %2; if you try to do it on your Linux machine it may not understand. I think OpenBSD supports route domains associated to an interface, not for VLANs; I just remember seeing some video on YouTube. I don't know whether they have a customized thing like F5, but F5 has this. However, you will have issues testing with applications such as, for instance, curl. Since it is a web server, this is the web server's IP address, and if I try to curl it I should get some information, but I won't, because curl doesn't understand what this %2 is. So in order for user-land applications to use the route domain there is a command called route domain shell (rdsh); you mention the route domain ID and you go inside. Let me actually show you the solution article where it's explained; there's an F5 solution article, let me open it in a new tab and search for it. Here we go, this is the one: user-land applications on BIG-IP can now connect to a host in non-default route domains, and this only applies to version 11; in version 10 you need to convert the IPv4 address to IPv6. I think it is here, yeah, the solution article will explain how, in version 10, prior to version 11, to use that. So what you do is, there are two commands: rdsh, which is the route domain shell, and rdexec, route domain execute. If you already know what command you are going to use you could use rdexec; I always use rdsh, it was very easy for me. Let me actually show you how it works. You go to the BIG-IP, and in the bash prompt type rdsh and the route domain that you'd like to go inside. For this instance I'd like to go to the web server route domain, that is route domain 2, so I put rdsh 2, and now let me try curl on 10.2.2.1 and see what happens. See, I get the result from the web page; that is good. And even here if I ping, I don't need to mention this IP address with the suffix %2; I could just ping 10.2.2.1, the web server, because we are in route domain 2. But you need to remember which route domain you are in. To get out of rdsh you just need to type rdsh 0, which would actually bring you to the default route domain, that is route domain 0. So if we run the same ping command, 10.2.2.1, it will not go, because in route domain 0 we don't have that IP address 10.2.2.1; we only have this IP address, which is our client IP address, in route domain 1, and the web server IP address in route domain 2.

So let's go ahead and create a pool on the web server side, that is route domain 2. Let me go to Pools, Create, and I'll just name it http_pool_rd2, and I'll put the HTTP monitor, since the web server is just an Apache running in BackTrack. And just give a couple of pool members; just one is enough for testing. I actually know that this won't work, because I need to tell it the route domain, so I need to put the route domain which this pool member belongs to, %2, here, and it's good to add. Okay, and Finish. Wow, it is green now; okay, that's brilliant.

So let's create a virtual server on the client side, that is the Windows XP side, that is route domain 1. This could be a standard virtual server; for the virtual server IP address I'll just give 10.2.2.100, and I will enable the HTTP profile since it's HTTP traffic, and I will use automap; yes, I have to use automap, because on both sides the IP addresses are the same. And then the profiles, yeah, I'll leave everything else the same, and for the default pool I will choose http_pool_rd2. Again here I need to mention in the virtual server destination address which route domain this virtual server wants to go in, %1. So let me click on Finish. Okay, it shows green, the virtual server shows green, and you think it should work, but it won't; I will show you why. Let me actually go ahead and put the new IP address we added here in the diagram: the virtual server is 10.2.2.100%1. Okay, let's go ahead and test it. The Windows XP has already timed out, oh, slow; so let me browse to 10.2.2.100. It should fail. Yeah, the page is not available. The reason for it is, as I mentioned before at the very beginning of this video when I talked about route domains and why we need a route domain, one reason is to isolate the traffic, and also I mentioned that by default the route domain has strict isolation enabled, and we saw that when we created the route domains as well. So in order to communicate from one route domain to another route domain, I need to disable strict isolation. Let me go to the client route domain, route domain 1, and uncheck Strict Isolation Enabled, and let me go to route domain 2 and do the same. Okay, this time the website should load. Let me see. Wow, it works. So it went to the second pool member; I mean it's all the same web server, but I have multiple IP addresses configured there. So yes, it works. We were able to communicate from Windows XP to the BIG-IP, that is the virtual server .100, then it goes to the BIG-IP, automap changes the source IP address to 10.2.2.201, and it communicates to the web server here. So actually the source and the destination are the same; I mean we wouldn't see it in the packet captures, because here it's a different source and destination, and here it's a different source and destination.

We are at the end of the lab, so, if you remember, I mentioned at the beginning of the video that we could assign a default route domain for a partition; let's go ahead and see how we could do that. You need to go to System, Users; this is the same way we create a partition. Click on Partition List. By default the system creates the Common partition. Let me create another partition, let me say this is the HR partition, and I will leave everything else as default and click on Finish. As soon as I create it you may notice here on the right-hand side I see partition default route domain 0. So how do I edit it? I thought that if I click here I would have an option to edit it, but unfortunately I don't. The way we can edit it is you need to go under Network, create a route domain and assign it to the partition. It's not very user friendly, and I will show you how. Go to Route Domains, Create, the same as we previously saw; I'll just put hr, route domain 3, and I'll put the available VLAN, that is vlan300, and I will leave the rest as it is and click on Finish. Okay, brilliant, so we have route domain 3 here, that is the HR route domain; however, in the partition default I don't see anything. So if you want to assign this route domain to the newly created partition, you need to go inside the partition, then the HR route domain, and then choose "Make this route domain the partition default route domain", and click on Update. So this is how it is; not very user friendly, and this is the way that I figured out. Maybe there are other ways, I'm sure there is a tmsh command, but in the GUI this is the only way that I know; if you find any other way please let me know. So now, if we actually check the route domains: I'm actually in the HR partition now, and you could see Partition Default says Yes, and if I go to Common it goes here; that's wonderful. Now let me also choose All; it doesn't show that one, but anyway, at least for this partition it shows. And if I go here again to Users, Partition List, there we should see the default; yes, we do see it here. So now you can go ahead and, for the HR IT department, you could create a new username, choose what role they are, administrator, say for instance, or not administrator, operator, and you could actually choose what partition they are allowed to use; you just give it to them. I don't think it is operator, maybe it is manager; I'm not very good at the user roles, I have always been an administrator and I didn't bother to use any other roles, but yeah, you just choose. The whole point is you could assign certain partitions. So what happens is the HR department F5 administrator logs into the unit, and by default he will be redirected to the HR partition, and they will have a route domain, and they could use any IP address they like, and that will not conflict with any other IP address in any other department, since it's in a route domain and strict isolation is enabled.

Thank you, thanks for watching the video. I'm not very good at explaining things; I'm still a newbie, so I highly appreciate your comments and suggestions; please put them on my website. I disabled the Google comments on YouTube since YouTube requires a Google+ account and I do not have one and I don't like to have one, so please put a comment on my website and I will get back to you guys. If you have any questions or any follow-up questions please feel free to ask me; I will get back to you. Thank you, thanks for watching the video, and you all have a great day.
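The lab from the captions expressed as tmsh commands, added here as an example rather than the video author's own configuration. It assumes BIG-IP 11.x with the three VLANs already created, uses the addresses from the video, and the object names (client, server, self_vlan100, http_pool_rd2, vs_http_rd1, HR) plus the partition default-route-domain commands are my assumptions, not shown in the video.

```shell
#!/bin/sh
# Added example, not from the video: the same lab as tmsh commands for
# BIG-IP 11.x. Object names (client, server, vlan100, vlan200, vlan300,
# self_vlan100, http_pool_rd2, vs_http_rd1, HR) are assumed; the
# addresses are the ones used in the video (10.2.2.0/24 on both sides).
set -eu

# Append the route domain ID to an address: rd_addr 10.2.2.1 2 -> 10.2.2.1%2.
# Without the %ID suffix BIG-IP places the address in route domain 0.
rd_addr() {
    addr=$1; rd=$2
    case $rd in
        ''|*[!0-9]*) echo "rd_addr: bad route domain id '$rd'" >&2; return 1 ;;
    esac
    printf '%s%%%s\n' "$addr" "$rd"
}

# Configuration plan. Strict isolation is on by default, so the virtual
# server in route domain 1 cannot reach the pool in route domain 2 until
# "strict disabled" is set on BOTH route domains (the two modify lines).
bigip_cmds() {
    cat <<EOF
create net route-domain client id 1 vlans add { vlan100 }
create net route-domain server id 2 vlans add { vlan200 }
create net self self_vlan100 address $(rd_addr 10.2.2.201 1)/24 vlan vlan100 allow-service default
create net self self_vlan200 address $(rd_addr 10.2.2.201 2)/24 vlan vlan200 allow-service none
create ltm pool http_pool_rd2 monitor http members add { $(rd_addr 10.2.2.1 2):80 }
create ltm virtual vs_http_rd1 destination $(rd_addr 10.2.2.100 1):80 ip-protocol tcp profiles add { http } source-address-translation { type automap } pool http_pool_rd2
modify net route-domain client strict disabled
modify net route-domain server strict disabled
EOF
}

# Partition with its own default route domain: assumed tmsh equivalent of the
# GUI steps at the end of the video (create the route domain inside the
# partition, then point the partition at it).
partition_cmds() {
    cat <<EOF
create auth partition HR
create net route-domain /HR/hr id 3 vlans add { vlan300 }
modify auth partition HR default-route-domain 3
EOF
}

# Connectivity checks from the BIG-IP bash prompt: ping understands the %ID
# suffix, curl does not, so curl is run inside the route domain with rdexec.
check_cmds() {
    cat <<EOF
ping -c 2 $(rd_addr 10.2.2.1 1)
rdexec 2 curl -s -o /dev/null -w '%{http_code}\n' http://10.2.2.1/
EOF
}

# On a BIG-IP (tmsh present) apply and save; anywhere else only print the plan.
if command -v tmsh >/dev/null 2>&1; then
    { bigip_cmds; partition_cmds; echo 'save sys config'; } | tmsh
    check_cmds | sh
else
    bigip_cmds; partition_cmds; check_cmds
fi
```

Run without tmsh it prints the plan for review; on the unit it applies the objects and then runs the two connectivity checks the video performs by hand.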
Info
Channel: f5fpc
Views: 32,027
Keywords: isolates network traffic, same IP address, same subnet, administrative partitions, vlan, appending ID, partition default route domain, F5 Networks
Id: vS8ZV7M-W3s
Length: 38min 46sec (2326 seconds)
Published: Tue May 06 2014