Forum Discussion

phowes
Feb 12, 2020

Routing application traffic through management interface

Hello all,

I have a PoC setup in our lab with a management, internal and DMZ network and have a problem with routing. The F5 always sends the connection to the ADFS backend out from its DMZ interface, even though its management interface is in the same subnet as the ADFS.

MGMT: 10.x.250.0/24

DMZ: 10.x.251.128/25

Internal: 10.x.251.0/25 (not used here)

I read this information which seems to suggest that application traffic must always be separate from management traffic, TMM handles the application traffic and the underlying linux handles the management traffic:

https://clouddocs.f5.com/cli/tmsh-reference/latest/modules/sys/sys-management-route.html

The management interface is available on all switch platforms and is designed for management purposes. You can access the browser-based Configuration utility and command line configuration utility through the management port. You cannot use the management interface in traffic management VLANs.

So I understand from that that the MGMT is completely separate and I cannot make a routing hack to use the management interface for the ADFS application traffic.

I can't change the location of the AD FS server. I could just open the firewall for the F5 connection from the DMZ to the management network but this is quite annoying as the F5 management and AD FS are directly connected on the same subnet.

Is there any way to instruct the F5 to use its management interface 10.x.250.150 to contact the AD FS?

Thanks,

Peter
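The management/TMM split described in the post above, as an added example that is not from the original thread or from F5: a small Python model of how TMM selects an egress path using only its own self IPs and routes, so a host on the management subnet is still reached through the DMZ default route. The addressing is constructed from the thread (the "x" octet replaced by 0, an assumed AD FS address, assumed self IP and gateway addresses).

```python
import ipaddress
from typing import Optional

# Constructed lab topology based on the thread's addressing ("x" -> 0).
MGMT_INTERFACE = "10.0.250.150/24"          # host (Linux) plane only
TMM_SELF_IPS = {                            # data (TMM) plane, assumed values
    "dmz_self": "10.0.251.130/25",
    "internal_self": "10.0.251.2/25",
}
TMM_ROUTES = {                              # assumed 'net route' entries
    "0.0.0.0/0": "10.0.251.129",            # default via the DMZ firewall
}


def tmm_egress(dst: str) -> Optional[dict]:
    """Return the path TMM uses for a server-side connection to dst.

    TMM only considers its own self IPs and routes: a directly connected
    self-IP network wins, otherwise the longest-prefix route whose gateway
    sits on a self-IP network. The management interface is never a
    candidate because it belongs to the host plane, not to TMM.
    """
    target = ipaddress.ip_address(dst)
    # 1. Directly connected through a self IP?
    for name, cidr in TMM_SELF_IPS.items():
        iface = ipaddress.ip_interface(cidr)
        if target in iface.network:
            return {"self_ip": name, "source": str(iface.ip), "gateway": None}
    # 2. Longest-prefix match over TMM routes.
    best = None
    for prefix, gw in TMM_ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    gw_addr = ipaddress.ip_address(best[1])
    for name, cidr in TMM_SELF_IPS.items():
        iface = ipaddress.ip_interface(cidr)
        if gw_addr in iface.network:
            return {"self_ip": name, "source": str(iface.ip), "gateway": best[1]}
    return None  # gateway not reachable from any self IP


def host_plane_reachable(dst: str) -> bool:
    """True if the Linux host plane could reach dst directly over mgmt."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(MGMT_INTERFACE).network


if __name__ == "__main__":
    adfs = "10.0.250.20"  # constructed AD FS address on the mgmt subnet
    print("TMM egress for AD FS:", tmm_egress(adfs))
    print("mgmt plane reaches AD FS directly:", host_plane_reachable(adfs))
```

Running it shows the asymmetry the post observed: the host plane sees AD FS as directly connected, while TMM sources the same connection from the DMZ self IP via the firewall.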

  • Hi dude,

    The out-of-band mgmt interface has real benefits, especially for security and when you face issues on the BIG-IP data plane controller.

    But sometimes infrastructure limits force us to adapt to it.

    In some cases, I used to set a "mgmt" address on traffic interfaces because no mgmt network was present. So I left the mgmt port/VLAN unplugged from the network cable or VLAN, put a dummy or default IP address on it, and then created a self IP with default services allowed to manage it from the traffic interface.

    In your case, I think it is better to route traffic through the firewall and keep everything working as default, as you can't change the server addresses or mgmt network range.

    It's just a little opinion on this case.

    Kind regards.

  • phowes

    Hi cjunior,

    Sure, I see the benefits of OOB management and this will definitely be noted for the project itself. I had a think and an extra firewall rule is not the end of the world, so I'll keep things as they are.

    Thanks for your opinion!