
Brian_25776
May 15, 2014

Noob management IP troubles...

I'm trying to change my management IP address of my 2 BIGIP 6900s (in HA pair) to an IP that is part of the "External" VLAN IP space.

 

Very long story short, I wonder if I am violating the laws of LTM with the following setup....

 

EXTERNAL VLAN:

 

Network: 10.1.1.0/25
Self IP: 10.1.1.120 (static), 10.1.1.121 (static on stby device), 10.1.1.122 (floating)
GW: 10.1.1.1

 

INTERNAL VLAN:

 

Network: 10.1.1.129/25
Self IP: 10.1.1.130 (static), 10.1.1.131 (static)
GW: 10.1.1.129

 

The management IPs that I am trying to assign to the management ports are 10.1.1.118 & .119/25. That would make them technically a part of the EXTERNAL VLAN. When I attempt to change the management IPs on the front LCD of the appliances, they always revert to the former IPs (10.1.49.0/24). What is going on here?

 

BIG-IP 11.4.1 Build 625.0 Hotfix HF1

 

4 Replies

  • Your management interface cannot be in the same subnet as your external vlan, or any other TMM routable vlan/interface.

     

  • Basically, you can't have an IP on the management interface that overlaps a VLAN subnet. If you were to try to do it in the management GUI but in reverse, assign a VLAN subnet that's in the same space as the management interface, it would actually generate an error message. Assuming you're doing this because you only have one subnet to work with, here are two potential options:

     

    1. You've basically taken a /24 and cut it in half (1-127 and 128-254), so if you were to cut one of those in half, say the internal VLAN, such that the internal and management are on /26 subnets, then that should work. It's probably a huge waste of addresses, but there shouldn't be any overlap.

       

    2. Don't use the management interface for management. You can define a self-IP to allow management traffic. If you were going to do this, you'd probably want to do it on the internal VLAN. Once you've established management access to the self-IP, you can set the management interface IP to something outside the subnet and then disconnect it.

       

  • Typically management has its own network. I'm not sure if your organization already had a network dedicated for this but you could carve out a small 8 IP network for this. I know in the GUI when I've tried to troubleshoot NIC issues I've run into errors trying to put the management IP on anything other than the management network.
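
The overlap rule and the /26 split described in the replies above, worked through as an added example that is not part of the original thread. It is a Python sketch using the standard `ipaddress` module and the addresses from the question; the function names are hypothetical and nothing here talks to a BIG-IP, it only does the subnet arithmetic.

```python
import ipaddress

# Self IPs as given in the original post (external and internal VLANs).
TMM_SELF_IPS = {
    "external": ["10.1.1.120/25", "10.1.1.121/25", "10.1.1.122/25"],
    "internal": ["10.1.1.130/25", "10.1.1.131/25"],
}

def overlapping_vlans(mgmt_cidr, self_ips):
    """Names of VLANs whose self-IP subnet overlaps the management subnet."""
    mgmt_net = ipaddress.ip_interface(mgmt_cidr).network
    hits = set()
    for vlan, addrs in self_ips.items():
        for addr in addrs:
            if ipaddress.ip_interface(addr).network.overlaps(mgmt_net):
                hits.add(vlan)
    return sorted(hits)

def split_for_management(vlan_addrs, new_prefix):
    """Option 1 from the replies: shrink a VLAN to a longer prefix.

    Returns (piece the VLAN keeps, pieces left free for management).
    Raises ValueError if the existing self IPs would land in different pieces.
    """
    ifaces = [ipaddress.ip_interface(a) for a in vlan_addrs]
    parents = {i.network for i in ifaces}
    if len(parents) != 1:
        raise ValueError("self IPs are not all in one subnet")
    pieces = list(parents.pop().subnets(new_prefix=new_prefix))
    used = [p for p in pieces if any(i.ip in p for i in ifaces)]
    if len(used) != 1:
        raise ValueError("self IPs span more than one piece; renumber first")
    return used[0], [p for p in pieces if p != used[0]]

if __name__ == "__main__":
    # The management addresses the poster wanted both collide with "external".
    for mgmt in ("10.1.1.118/25", "10.1.1.119/25"):
        print(mgmt, "overlaps:", overlapping_vlans(mgmt, TMM_SELF_IPS))

    # Cut the internal /25 into /26s: the VLAN keeps one, management gets the other.
    kept, free = split_for_management(TMM_SELF_IPS["internal"], 26)
    print("internal VLAN keeps", kept, "- free for management:", free[0])

    # Re-check with the internal self IPs re-masked to /26 and a constructed
    # management host address taken from the free half.
    after = dict(TMM_SELF_IPS, internal=["10.1.1.130/26", "10.1.1.131/26"])
    print("10.1.1.193/26 overlaps:", overlapping_vlans("10.1.1.193/26", after))
```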