Forum Discussion
Delete Management Default Route?
- Jan 23, 2023
レザ If you currently have a default route configured for the management interface on the F5, it had to have been added to the configuration, because by default the management interface only knows about the network that it resides in. As others have stated, if you remove the default gateway from the management interface routing table, everything will now leave through the self IPs of the F5 except for any routes that you add using the following command in tmsh. This command assumes your servers are in a 10.10.10.0/24 network, your management interface of the F5 is in 10.10.9.0/24, and the gateway for that network is 10.10.9.1.
create sys management-route route_1 network 10.10.10.0/24 gateway 10.10.9.1
For anything that needs to reach the management interface IP, you will have to add one of these routes so that the management interface knows how to reach that destination. Also keep in mind that you will now have to look at 2 routing tables when troubleshooting why traffic isn't working on the routed path (the self IP interfaces). I would recommend adding /32 routes as often as possible to the management routing table in order to avoid the issue previously described. You cannot have traffic leaving the management interface and the other routed interfaces for the same destination without causing issues. Make sure that the traffic communicating with the management interface will indeed only talk to that interface of the F5. Make sure you have a way to configure these devices locally if for some reason you lose network access to them, as well as the credentials for the local users on the devices.
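As an added illustration of the two points above (one /32 management route per host, and never the same destination in both routing tables), the following script is not from the post or from F5; it generates the tmsh `create sys management-route` commands for a list of hosts using the post's 10.10.9.0/24 management network and 10.10.9.1 gateway, and flags any destination that a specific (non-default) TMM route also covers. The TMM route list and the sample hosts are constructed assumptions.

```python
import ipaddress

# Constructed sample values taken from the post: the management interface lives in
# 10.10.9.0/24 and its gateway is 10.10.9.1. Everything else here is an assumption.
MGMT_NET = ipaddress.ip_network("10.10.9.0/24")
MGMT_GW = ipaddress.ip_address("10.10.9.1")

# Assumed contents of the TMM (self IP) routing table: a default route plus the
# directly connected server network from the post.
TMM_ROUTES = [
    ipaddress.ip_network("0.0.0.0/0"),
    ipaddress.ip_network("10.10.10.0/24"),
]


def management_route_cmds(destinations, gateway=MGMT_GW, name_prefix="mgmt_route"):
    """Build one 'create sys management-route' tmsh command per destination.

    Hosts are rendered as /32 so the management table only claims the exact
    addresses that must talk to the management interface. The gateway must sit
    inside the management network, otherwise the route can never be used.
    """
    gateway = ipaddress.ip_address(gateway)
    if gateway not in MGMT_NET:
        raise ValueError(f"gateway {gateway} is not inside {MGMT_NET}")
    cmds = []
    for i, dest in enumerate(destinations, start=1):
        net = ipaddress.ip_network(dest, strict=False)
        cmds.append(
            f"create sys management-route {name_prefix}_{i} "
            f"network {net.with_prefixlen} gateway {gateway}"
        )
    return cmds


def overlapping_destinations(destinations, tmm_routes=TMM_ROUTES):
    """Return management destinations that a specific TMM route also covers.

    A destination reachable through both tables is the asymmetric-routing case the
    post warns about. The TMM default route is skipped because it matches everything.
    """
    flagged = []
    for dest in destinations:
        net = ipaddress.ip_network(dest, strict=False)
        for route in tmm_routes:
            if route.prefixlen == 0:
                continue
            if net.subnet_of(route) or route.subnet_of(net):
                flagged.append(net.with_prefixlen)
                break
    return flagged


if __name__ == "__main__":
    # Constructed: one host in the server network, one external monitoring host.
    hosts = ["10.10.10.5", "192.0.2.10"]
    for cmd in management_route_cmds(hosts):
        print(cmd)
    print("destinations present in both tables:", overlapping_destinations(hosts))
```

Running it prints the two tmsh commands and reports 10.10.10.5/32 as a conflict, because the TMM table already has a route for 10.10.10.0/24; that host should be reached through one table only.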
Hi レザ,
Exactly as mihaic said.
I want to add a point:
> Moving the default route to TMM will not impact performance, but you may have to change the port lockdown status (from allow none to allow default, or to specific ports) to integrate with some devices, for instance monitoring tools that need to collect statistics from your F5 device. Also, by removing the management default route, your device will have to use its self IPs to get its updates from the internet.
So both opening the port lockdown and internet access through the self IPs are security breaches.
> Moving the default route to TMM is not recommended, but if you have to do this, try to specify specific ports on your self IPs, also use a forward proxy to categorize internet access traffic from the F5, and restrict your firewall policies for the F5 self IPs when accessing the internet.