Forum Discussion
HA Active/Standby add 2nd Floating IP from a different Vlan
I have 1 HA Active/Standby pair, and I am looking to add a second floating IP for management access from our Management VLAN. We want to access the configuration GUI from an internal URL and get to the active F5 no matter which one is the active F5. Currently we have a floating self IP and a non-floating IP on each unit of the pair.
What considerations do I need to take to accomplish this?
Is this feasible?
Do I need to add/change the SNAT pool?
Will this affect config-sync or failover?
SNAT pool:
internal-snatpool
10.1.20.20
Current setup example:
prd1
10.1.20.1 - traffic-group-local-only, internal
10.20.30.213 - traffic-group-local-only, external
10.20.30.215 - traffic-group-1, external, port lockdown set to None
192.168.1.22 - traffic-group-local-only, HA
prd2
10.1.20.2 - traffic-group-local-only, internal
10.20.30.214 - traffic-group-local-only, external
10.20.30.215 - traffic-group-1, external, port lockdown set to None
192.168.1.23 - traffic-group-local-only, HA
Possible setup example:
prd1
10.1.20.1 - traffic-group-local-only, internal
10.20.30.213 - traffic-group-local-only, external
10.30.30.213 - traffic-group-local-only, external
10.20.30.215 - traffic-group-1, external, port lockdown set to None
10.30.30.215 - traffic-group-1, external, port lockdown set to default
192.168.1.22 - traffic-group-local-only, HA
prd2
10.1.20.2 - traffic-group-local-only, internal
10.20.30.214 - traffic-group-local-only, external
10.30.30.214 - traffic-group-local-only, external
10.20.30.215 - traffic-group-1, external, port lockdown set to None
10.30.30.215 - traffic-group-1, external, port lockdown set to default
192.168.1.23 - traffic-group-local-only, HA
randallk - please consider "Mark As Solution" if any reply/replies helped you to resolve your issue.
I would not configure management of your F5 through the TMM switch interfaces and rather use the management IP of the respective F5. I would worry about accessing the active F5 if this is for configuration purposes because you can always push the configuration changes from the standby unit to the active unit or the other way around. If you're doing this for the purpose of looking at utilization, you might consider configuring SNMP monitors for applications similar to SolarWinds and looking at that to see which is the active unit. What is the reason for having to access the active unit? If this is simply because you don't want to take the extra time to figure out which unit is active then the security risk of using the TMM switch interfaces isn't really worth it.
- randallk (Nimbostratus)
Mainly for management of pools, and a couple of other things. As an example, we have a setup that has many servers in a pool. These servers sometimes have issues that cannot be remedied via a monitor to disable them. They need to be disabled manually.
If your intent is to disable pool members you can log into either the active or standby unit, make the change, and then sync the change between the devices, no need to log into the active unit for this.
- amine-elhijazi (Altocumulus)
Hi,
To achieve your goal, I am thinking of two ways:
1. Create a VS that has a node as 127.0.0.1 443.
You can use this kind of iRule:
when CLIENT_ACCEPTED { node 127.0.0.1 443 }
I've seen this method used for VPN access to the GUI:
https://my.f5.com/manage/s/article/K13299
Depending on the version, you may need to be aware of:
https://my.f5.com/manage/s/article/K05413010
2. Create a new VLAN or use an existing VLAN and have the floating IP address's portLockdown set to: Default.
More info about the port lockdown feature:
https://my.f5.com/manage/s/article/K17333
Hope it helps :)
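Both options from the reply above, written out as tmsh commands; this is an added example, not from the thread or from F5's articles. The VLAN name and tag, interface 1.3, the 10.30.30.0/24 subnet, the object names and the virtual address 10.30.30.216 are assumptions.

```tmsh
# Added example (not from this thread or from F5). Assumed values: VLAN
# "mgmt-access" (tag 330 on interface 1.3), subnet 10.30.30.0/24, iRule
# "gui_redirect", virtual server "vs_mgmt_gui" on virtual address 10.30.30.216.
# Shown from prd1: the VLAN and the traffic-group-local-only self IP are
# created on each unit (prd2 with its own address 10.30.30.214); the
# traffic-group-1 objects are created once and config-synced.

# VLAN for management access (same name on both units)
create net vlan mgmt-access tag 330 interfaces add { 1.3 { tagged } }

# Non-floating self IP, one per unit. "none" keeps every daemon off this
# address; it only has to exist for ARP and routing on the VLAN.
create net self mgmt-access-prd1 address 10.30.30.213/24 vlan mgmt-access traffic-group traffic-group-local-only allow-service none

# Option 2 from the reply: floating self IP in traffic-group-1 with port
# lockdown "default", which opens only the default services (443 for the
# Configuration utility among them) instead of every port, as "all" would.
# It moves with traffic-group-1, so the address always answers on the active unit.
create net self mgmt-access-float address 10.30.30.215/24 vlan mgmt-access traffic-group traffic-group-1 allow-service default

# Option 1 from the reply: a virtual server whose iRule hands the connection
# to the unit's own Configuration utility on the loopback. The virtual address
# is placed in traffic-group-1 by default, so it too follows the active unit.
# (Assumption: if this tmsh version rejects the inline body, plain
# "create ltm rule gui_redirect" opens an editor for it.)
create ltm rule gui_redirect { when CLIENT_ACCEPTED { node 127.0.0.1 443 } }
create ltm virtual vs_mgmt_gui destination 10.30.30.216:443 ip-protocol tcp profiles add { tcp } rules { gui_redirect } source-address-translation { type automap } vlans-enabled vlans add { mgmt-access } source 10.30.30.0/24
# - source-address-translation: replies from 127.0.0.1 must return through
#   TMM, so the client address is translated to a self IP.
# - vlans-enabled + vlans, and source: the GUI listener answers only on the
#   management VLAN and only to the management subnet, not from the external side.

# Verify the lockdown and the listener restrictions before relying on them
list net self mgmt-access-float allow-service traffic-group
list ltm virtual vs_mgmt_gui vlans source
save sys config
```

After a config sync, `show cm traffic-group` on either unit shows which device currently holds traffic-group-1, and therefore which one the new address reaches.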