F5 route domains

[killabee]

I know F5 has an awesome forum and resources for its questions, but I also know there's a lot of smart guys/gals here too that may be able to answer my question  ...

Are any of you using route domains on your F5s or familiar with RDs? I've read this and my take is that it basically acts like VRFs and provides a means of segmenting traffic.  If that's the case, then my question is:

If you're already segmenting traffic with the use of a firewall and VLANs (assuming not doing interVLAN routing), you're not doing dynamic routing, and you don't have VRFs on your enterprise network, then what are you gaining by using route domains?

[Fred]

If you're already segmenting traffic with the use of a firewall and VLANs (assuming not doing interVLAN routing), you're not doing dynamic routing, and you don't have VRFs on your enterprise network, then what are you gaining by using route domains?

We're using it, along with APM, to do a proof-of-concept of using the F5's as our VPN concentrators.  It lets us put the authenticated users on an "internal" segment which is firewalled separately from the virtual servers on the F5.

It's just POC right now, but is working very well.

[Reggle]

Yes and no. I use it in multi-customer deployments (so: with VRFs already present in the data center). But in a single-customer environment I don't bother with it, even if it's multiple applications or security levels. You can specify allowed VLANs on a per-VIP basis anyway.
Like you said, leaving dynamic routing out of the question there's not much to gain it seems.

[AnthonyC]

You use route-domain in a multi-tenant environment where you can have overlapping IP address space, so VRF-lite will be involved; without it there is not much point.

[killabee]

Cool.  Just wanted to confirm.

Thanks guys!