Mgmt Auth Traffic on external VLAN

Create a static host route from the command line using the 'b mgmt route ' command. e.g.

 

 

b mgmt route destip/32 gateway

 

 

where destip == the IP of the authentication sever and is the gateway off the management network back to the auth server.

 

 

H

Thanks...I guess that makes sense. But it also worries me a bit, given we have not used the MGMT interface until now. Since authentication to the admin GUI seems to be an obvious management function (obvious to me anyway, apparently not F5), intuitively I expected the LTM to send this traffic over the MGMT interface. If I have to tell the LTM this, I am asking myself what other traffic will I need to manually force over the MGMT interface...

Anything that is not locally significant to the mgmt interface will need a route. An option if this is a concern is to place a linux box locally in the F5 management interface subnet and set up openvpn or similar to bind local interfaces to remote destinations. That way you won't need any routes on your LTM. I've used this in the past in DMZ environments, though supporting far more than just a few devices given the additional complexity.

Wait a second...I am using Active Directory in the auth configuration, and I have to specify the IP of a domain controller. So in order to authenticate with this DC in a situation where the external VLAN is not accessible (which was the case that generated this question in the first place), you are advising me that I need to create a additional route to ensure this auth traffic is routed through the MGMT interface.

 

 

But this DC is also used in Pools. Won't this new route force Virtual Server traffic with the DC Pool Member through the MGMT interface?

No, don't do that. Is your mgmt interface gateway device capabale of natting source/destination? I'd highly recommend that approach so you don't need to change anything else.

 

 

BTW, data traffic will not flow from TMM -> Mgmt interface. The mgmt interface can be used, however, for monitor traffic, so be careful how much routing you put in place on the mgmt interface. I'm not sure why that is allowed, if my data interfaces are down, why do I need monitoring of my resources? Anyway, found this nugget a while back during an outage and our mgmt network infrastructure spiked like crazy.

Don't do what - create a static route for the auth traffic? My mgmt interface gateway is a router, in fact it is the same router as the external VLAN. All I am trying to do here is segment the MGMT traffic from the application traffic. Today we are managing the LTMs using the self IPs of the external VLAN.

don't create same or more specific route on mgmt interface that also exists on tmm. some will weigh in that this is ok, but I've not had good experiences with this.

 

 

If your device management auth is pointing to the same place as your app auth, either keep them inline on the data path, or create a nat for your mgmt interface to target. My $.02.

Thanks, your input has been valuable. Can you clarify a bit more the two options you suggested? I'm not clear on what you described, or how it would help.

Option 1) Leave your configuration as is, with mgmt auth traffic riding your production data path. This isn't necessarily bad, but might conflict with security policies if in DMZ environment. I've seen many environments with this exact configuration as it is simpler and more cost effective than standing up additional infrastructure for management traffic.

 

 

Option 2) Define a nat on your gateway that you can point to as your mgmt auth target, which will then translate the destination to your real AD address, and translate the source of your mgmt IP to the gateway/nat so the traffic is returned correctly