I'm a system engineer at an integrator company, and currently I have a PoC of an AWAF project with a customer. I have little experience working with F5 devices, so I have one question, and the answer will help me a lot in the future to analyze how BIG-IP devices work. I've done some research in the documentation, but I couldn't find a clear answer on the topic: which type of traffic is considered Data traffic and which one is Management? For example, should NTP and DNS traffic use the management route or the TMM route (I mean the case when there is no direct path to the destination DNS/NTP servers)?
I thought that BIG-IP devices would use the management route (management gateway) to do DNS queries and time synchronization, so I asked the customer to grant access on the firewall from the management interface to the destination servers, but it didn't work. Then I captured traffic via tcpdump and realized that the BIG-IP devices try to use the TMM default route instead. But I've read in this article - https://support.f5.com/csp/article/K13284 - that NTP is management traffic. Also, this article - https://support.f5.com/csp/article/K7017 - says that during device boot the ntpd daemon starts before TMM, so if it has no route via the management interface, time synchronization will fail.
So I'm a little confused about what I should ask the customer: open access from the TMM interface for DNS, NTP, and also for signature updates? I just do not understand logically why NTP, DNS and system updates do not use management routes. If all of them are considered data traffic, then what is the management route used for? Only for accessing the management GUI and SSH, is that correct?
Sorry for the long question, but I really want to understand the platform's logic of traffic routing, to be able to operate it and implement it correctly with the customer.
Thanks in advance.
This is a good question, and quite fundamental, so it makes sense to sort it out in detail.
In short, DNS and NTP are management traffic because they come from the BIG-IP system, i.e. they are not user-plane traffic. The BIG-IP separates management and user-plane traffic, but because they share the same device the routing can become confused, i.e. you can have a management default route and a TMM default route. As a good design rule, you should keep these strictly separate.
To answer your question directly, you should plan to send these via the management interface: add management routes (tmsh create sys management-route ntp network x.x.x.x/x gw y.y.y.y) for management protocols such as NTP, DNS, SNMP, syslog, authentication servers, etc., and use network routes for the user plane (tmsh create net route ....).
PS: you can only see and create management routes via tmsh, not via the GUI.
First of all, thanks for your reply and explanation. You confirmed my thoughts that NTP, DNS and services like that are part of the control plane, not the data plane, so the related traffic should go via the management interface, not via the TMM switch ports.
I had already configured default routes for both the TMM and management interfaces. As I said, the NTP and DNS servers are located in other subnets, so to get packets there the F5 needs routing. So, for example, the NTP server's IP hits the default route 0.0.0.0, as there is no distinct route for it and no direct path, but the F5 chooses the TMM default route. I guess it is because of the route metric (as the management route has a higher metric). I just don't understand why it is designed like that. I think it would be more logical if control plane traffic always chose the management default route programmatically.
So, if I understand you correctly, you suggest that I create additional static routes via the management interface, is that correct? I wonder what the best practice is from the vendor's point of view, as static routes are considered poor design by network engineers, since they complicate troubleshooting.
Thanks for your reply. It's not that I really need to do it via the management interface; I just wanted to clarify which services use the management interface by default and which do not. I thought that if particular traffic is defined as management traffic, it should flow via the management interface by default, but now I understand that this is not the case. I realized that the only traffic that flows via the management interface by default is the management traffic itself (web console and SSH). All other traffic, whether data or management type, looks at the route table first: a direct path wins first, then the most specific route, and last the default route with the lowest metric. So I asked the customer to open flows from the TMM interfaces for DNS and NTP traffic.
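The route-selection order described in the last post (directly connected first, then the most specific prefix, then the default route with the lowest metric) and the two tmsh commands from the answer above, as an added example that is not part of the original thread: a small Python model of the host route table. The route table, the addresses, the interface names and the metric of the management default route are constructed assumptions for illustration, not values taken from any real BIG-IP; the point is only to show why a lone management default route loses to the TMM default, and why a specific management route for the NTP subnet wins.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One entry in the host route table, as the thread describes it."""
    network: str                   # CIDR prefix, e.g. "0.0.0.0/0"
    interface: str                 # "mgmt" or a TMM VLAN name (assumed names)
    gateway: Optional[str] = None  # None means directly connected
    metric: int = 0
    origin: str = "net"            # "mgmt" = sys management-route, "net" = net route

    @property
    def prefix(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.network)


def select_route(dest: str, routes: List[Route]) -> Optional[Route]:
    """Pick the route the host would use for dest: the longest matching prefix
    wins (a connected /24 beats any default), and a tie between equally
    specific routes (two 0.0.0.0/0 defaults) is broken by the lowest metric."""
    dst = ipaddress.ip_address(dest)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def tmsh_command(name: str, route: Route) -> str:
    """Render the tmsh command that adds this route, using the two forms quoted
    in the answer above (management routes vs. network routes)."""
    if route.gateway is None:
        raise ValueError("connected routes are not created with tmsh create ... route")
    kind = "sys management-route" if route.origin == "mgmt" else "net route"
    return f"tmsh create {kind} {name} network {route.network} gw {route.gateway}"


# Constructed table (assumption): two connected subnets and two default routes.
# The management default is given a worse (higher) metric than the TMM default,
# which is the situation the thread describes; the numbers are made up.
BASE_TABLE = [
    Route("192.168.100.0/24", "mgmt"),                                   # connected, mgmt
    Route("10.10.10.0/24", "external"),                                  # connected, TMM VLAN
    Route("0.0.0.0/0", "external", gateway="10.10.10.1", metric=0),      # TMM default
    Route("0.0.0.0/0", "mgmt", gateway="192.168.100.1", metric=4000, origin="mgmt"),
]

NTP_SERVER = "172.16.5.10"  # assumed: a third subnet with no direct path

# A specific management route for the NTP subnet; as a /24 it beats both defaults.
NTP_MGMT_ROUTE = Route("172.16.5.0/24", "mgmt", gateway="192.168.100.1", origin="mgmt")


def demo():
    """Return the egress interface for the NTP server before and after adding
    the specific management route."""
    before = select_route(NTP_SERVER, BASE_TABLE)
    after = select_route(NTP_SERVER, BASE_TABLE + [NTP_MGMT_ROUTE])
    return before.interface, after.interface


if __name__ == "__main__":
    without, with_route = demo()
    print(f"only default routes:      {NTP_SERVER} leaves via {without}")
    print(f"plus /24 management route: {NTP_SERVER} leaves via {with_route}")
    print(tmsh_command("ntp", NTP_MGMT_ROUTE))
```

The model only reproduces the lookup order the thread states; it does not model how a real BIG-IP installs its management default route or which daemons bind to which interface, so confirm the actual behaviour on the box with tcpdump, as the original poster did.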