Forum Discussion
Are NTP and DNS traffic management type or not?
This is a good question and is quite fundamental so it makes sense to sort it out in detail.
In short, DNS and NTP are management traffic because they come from the BIG-IP system, i.e. not user-plane traffic. The BIG-IP separates management and user-plane traffic, but because they share the same device the routing can become confused, i.e. you can have a management default route and a tmm default route. As a good design rule, you should keep these strictly separate.
To answer your question directly, you should plan to send these via the management interface, add management routes (`tmsh create sys management-route ntp network x.x.x.x/x gw y.y.y.y`) for those management protocols such as NTP, DNS, SNMP, syslog, authentication server, etc., and use the network route for the user plane (`tmsh create net route ....`).
PS: you can only see and create management routes via tmsh, not via the GUI.
https://support.f5.com/csp/article/K13284
- Giorgi_Gujabidz, Nov 10, 2020 (Cirrus)
Hi Pete,
First of all, thanks for your reply and explanation. You confirmed my thoughts that NTP, DNS and services like that are part of the control plane, not the data plane, so related traffic should go via the management interface, not via TMM switch ports.
I had already configured default routes for both the TMM and management interfaces. As I said, the NTP and DNS servers are located in other subnets, so to get packets there, the F5 needs routing. So for example the NTP server's IP hits the default route 0.0.0.0, as there is no distinct route for it and no direct path, but the F5 chooses the TMM default route. I guess it is because of the route metric (as the management default route has a higher metric). I just don't understand why it is designed like that? I think it would be more logical if control-plane traffic programmatically always chose the management default route.
So, if I understand you correctly, you suggest that I create additional static routes via the management interface, is that correct? I wonder what the best practice is from the vendor's point of view? Static routes are considered poor design by network engineers, as they complicate troubleshooting.
- Giorgi_Gujabidz, Nov 15, 2020 (Cirrus)
Hi boneyard,
Thanks for your reply. It's not that I really need to do it via the management interface; I just wanted to clarify which services use the management interface by default and which do not. I thought that if particular traffic is defined as management traffic, it should flow via the management interface by default, but now I understand that this is not the case. I realized that the only traffic that flows via the management interface is management traffic itself (WebConsole and SSH). All other traffic, whether data or management type, looks at the route table first: a direct path wins first, then the most specific route, and last the default routes with the least metric. So I asked the customer to open flows from the TMM interfaces for DNS and NTP traffic.
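The route-selection order described in the last post (direct path, then most specific prefix, then lowest metric) and the `sys management-route` fix from the first reply, as an added worked example that is not from the thread or from F5. The subnets, addresses and metrics are constructed; only the tmsh command format comes from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    table: str                      # "mgmt" (host/management plane) or "tmm" (data plane)
    network: ipaddress.IPv4Network
    gateway: Optional[str]          # None means directly connected
    metric: int

def route_lookup(dst: str, routes: List[Route]) -> Optional[Route]:
    """Pick the route the host would use for dst: directly connected first,
    then the most specific prefix, then the lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (r.gateway is not None, -r.network.prefixlen, r.metric))

def plane_for(dst: str, routes: List[Route]) -> str:
    """Which plane a host-originated packet to dst leaves on."""
    r = route_lookup(dst, routes)
    return r.table if r else "unreachable"

def with_management_route(routes: List[Route], network: str, gateway: str) -> List[Route]:
    """Model the effect of 'tmsh create sys management-route ...' (metric 0, constructed)."""
    return routes + [Route("mgmt", ipaddress.ip_network(network), gateway, 0)]

def management_route_cmd(name: str, network: str, gateway: str) -> str:
    """Render the tmsh command quoted in the first reply."""
    return f"tmsh create sys management-route {name} network {network} gw {gateway}"

# Constructed sample: management subnet 192.0.2.0/24, TMM self-IP subnet 198.51.100.0/24,
# NTP server 203.0.113.10 in a third subnet. The management default route is given the
# higher metric, reproducing the behaviour the thread describes.
BASE_ROUTES = [
    Route("mgmt", ipaddress.ip_network("192.0.2.0/24"), None, 0),
    Route("mgmt", ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", 4096),
    Route("tmm", ipaddress.ip_network("198.51.100.0/24"), None, 0),
    Route("tmm", ipaddress.ip_network("0.0.0.0/0"), "198.51.100.1", 0),
]
NTP_SERVER = "203.0.113.10"

if __name__ == "__main__":
    print("before:", plane_for(NTP_SERVER, BASE_ROUTES))        # tmm (lowest-metric default)
    fixed = with_management_route(BASE_ROUTES, "203.0.113.0/24", "192.0.2.1")
    print("after: ", plane_for(NTP_SERVER, fixed))              # mgmt (more specific prefix)
    print(management_route_cmd("ntp", "203.0.113.0/24", "192.0.2.1"))
```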
- boneyard, Nov 15, 2020 (MVP)
The vendor doesn't provide a best practice here. If you want to reach those other networks via the management interface you need those management routes.
- boneyard, Nov 15, 2020 (MVP)
Good summary indeed, great that this works out for you.