Forum Discussion

rcheeks_75965's avatar
Icon for Nimbostratus rankNimbostratus
Feb 01, 2011

Configuration management

I would like to restrict configuration changes to a single LTM unit in a HA pair. Is this possible and if so could anyone point me in the right direction on where to start?





3 Replies

  • Do you want to only allow changes to the active unit in a pair? Or do you want changes to only be made to one unit in the pair regardless of which is active? For the former, you could always use a floating self IP address. For the latter, you could always use the same static self IP address. You could use httpd allow statements in the bigip_sys.conf, packet filters or firewall to enforce the restriction.



  • Ideally I would only like to allow changes on the primary node when it is in an active state. I think the httpd allow statements should meet my needs.



  • To restrict config changes to the active unit only, you could enforce an ACL that only allows access to the floating self IP(s) on the VLAN(s) you want admin traffic on. This wouldn't account for direct access to the management port, but you could optionally lock that down to specific source networks.