Forum Discussion
phowes
Nimbostratus
NimbostratusRouting application traffic through management interface
Hello all,
I have a PoC setup in our lab with a management, internal and DMZ network and have a problem with routing. The F5 always sends the connection to the ADFS backend out from its DMZ interface, even though it's management interface is in the same subnet as the ADFS.
MGMT: 10.x.250.0/24
DMZ: 10.x.251.128/25
Internal: 10.x.251.0/25 (not used here)
I read this information which seems to suggest that application traffic must always be separate from management traffic, TMM handles the application traffic and the underlying linux handles the management traffic:
https://clouddocs.f5.com/cli/tmsh-reference/latest/modules/sys/sys-management-route.html
The management interface is available on all switch platforms and is
designed for management purposes. You can access the browser-based
Configuration utility and command line configuration utility through
the management port. You cannot use the management interface in traffic
management VLANs.So I understand from that that the MGMT is completely separate and I cannot make a routing hack to use the management interface for the ADFS application traffic.
I can't change the location of the AD FS server. I could just open the firewall for the F5 connection from the DMZ to the management network but this is quite annoying as the F5 management and AD FS are directly connected on the same subnet.
Is there anyway to instruct the F5 to use it's management interface 10.x.250.150 to contact the AD FS?
Thanks,
Peter
Hi dude,
The out-of-band mgmt interface has a real benefits, especially for security and when you face issues on BIG-IP data plane controller.
But sometimes, infrastructure limits and force us to adapt on it.
In some cases, I used to set an "mgmt" address on traffic interfaces due to a mgmt network absent. So, I left the mgmt port/vlan unplugged from network cable or vlan,
I put a dummy/or default ip address to it, and then I created a selfip with default services allowed to manage that from traffic interface.
In your case, I think is better to route traffic through firewall and keep all things working as default as you can't change de server addresses or mgmt network range.
It's just a little case opinion.
Kind regards.
cjuniorNacreous
Hi dude,
The out-of-band mgmt interface has a real benefits, especially for security and when you face issues on BIG-IP data plane controller.
But sometimes, infrastructure limits and force us to adapt on it.
In some cases, I used to set an "mgmt" address on traffic interfaces due to a mgmt network absent. So, I left the mgmt port/vlan unplugged from network cable or vlan,
I put a dummy/or default ip address to it, and then I created a selfip with default services allowed to manage that from traffic interface.
In your case, I think is better to route traffic through firewall and keep all things working as default as you can't change de server addresses or mgmt network range.
It's just a little case opinion.
Kind regards.
phoweshi cjunior,
sure, I see the benefits of OOB management and this will definitely be noted for the project itself. I had a think and an extra firewall rule is not the end of the world, I'll keep things as they are.
Thanks for your opinion!