Forum Discussion
Delete Management Default Route?
- Jan 23, 2023
レザ If you currently have a default route configured for the management interface on the F5, this had to have been added into the configuration, because by default the management interface only knows about the network that it resides in. As others have stated, if you remove the default gateway from the management interface routing table everything will not leave through the selfIPs of the F5 except for any routes that you add using the following command in tmsh. This command assumes that your servers are in a 10.10.10.0/24 network, that the management interface of the F5 is in 10.10.9.0/24, and that the gateway for that network is 10.10.9.1.
create sys management-route route_1 network 10.10.10.0/24 gateway 10.10.9.1
Anything that wants to reach the management interface IP you will have to add one of these routes so that the management interface knows how to reach that destination. Also keep in mind that now you will have to look at 2 routing tables when troubleshooting why traffic isn't working on the routed path being the selfIP interfaces. I would recommend adding in /32 routes as often as possible to the management routing table in order to avoid the issue previously described. You cannot have traffic leaving the management interface and the other routed interfaces for the same destination without causing issues. Make sure that the traffic communicating to the management interface will indeed only talk to that interface of the F5. Make sure you have a way to configure these devices locally if for some reason you lose network access to these devices as well as the credentials for the local users on the devices.
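An added example, not part of the original reply and not F5 code: a small Python audit of a planned management-route list against the TMM route table, reporting gateways outside the management subnet, leftover default routes, and destinations that both tables would cover. The route names other than route_1, the extra networks, and the choice to ignore the TMM default route when checking overlap are assumptions made for the illustration.

```python
import ipaddress


def audit_mgmt_routes(mgmt_subnet, mgmt_routes, tmm_routes):
    """Return (route_name, finding, detail) tuples for planned management routes.

    mgmt_routes: list of (name, network, gateway) for the management table
    tmm_routes:  list of (name, network) from the TMM / self IP table
    """
    mgmt_net = ipaddress.ip_network(mgmt_subnet)
    findings = []
    for name, network, gateway in mgmt_routes:
        net = ipaddress.ip_network(network)
        gw = ipaddress.ip_address(gateway)
        # The gateway has to be reachable on the management subnet itself.
        if gw not in mgmt_net:
            findings.append((name, "gateway-off-subnet", str(gw)))
        # A /0 entry is the default route the thread is about removing.
        if net.prefixlen == 0:
            findings.append((name, "default-route", str(net)))
        for tmm_name, tmm_network in tmm_routes:
            tmm_net = ipaddress.ip_network(tmm_network)
            # Assumption: the TMM default route is skipped, since it would
            # overlap every destination and hide the specific conflicts.
            if tmm_net.prefixlen == 0:
                continue
            # Same destination reachable through both tables.
            if net.version == tmm_net.version and net.overlaps(tmm_net):
                findings.append((name, "overlaps-tmm", tmm_name))
    return findings


# Constructed sample data. route_1 and 10.10.9.0/24 come from the reply above;
# every other name and network is made up for the example.
SAMPLE_MGMT_SUBNET = "10.10.9.0/24"
SAMPLE_MGMT_ROUTES = [
    ("route_1", "10.10.10.0/24", "10.10.9.1"),
    ("route_2", "10.20.0.5/32", "10.10.9.1"),
    ("route_3", "192.0.2.0/24", "10.10.8.1"),
]
SAMPLE_TMM_ROUTES = [
    ("tmm_default", "0.0.0.0/0"),
    ("tmm_servers", "10.10.10.0/25"),
]

if __name__ == "__main__":
    for finding in audit_mgmt_routes(
        SAMPLE_MGMT_SUBNET, SAMPLE_MGMT_ROUTES, SAMPLE_TMM_ROUTES
    ):
        print(finding)
```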
The management and TMM are different things.
If you remove the management gateway and put instead a route, this route will be in TMM space, let's say.
Then you will have to put a route or do some routing so the management network knows to reach the F5.
Then you will be able to use the self IP to do management stuff. But first, make sure the routing is in place and you have a look at port lockdown on self IP and you allow Default.
https://support.f5.com/csp/article/K17333
Hi,
I don't want to access management via self IPs. I want to access management only via the management interface but without a default route. I know, should I add a static entry for my management network.
But the question is, will these static routes affect tmm operation (for example health checking, etc.)?
Thanks