Forum Discussion

レザ
Jan 23, 2023
Solved

Delete Management Default Route?

Hi,

I have two BIG-IP v16 running in HA (active/standby), and for security reasons I decided to remove the management route default gateway and instead add a static route for my management network.

My servers and management interface are in two separate networks. Will deleting the management default route somehow affect the performance of the TMM?

thanks.

  • レザ If you currently have a default route configured for the management interface on the F5, this had to have been added into the configuration, because by default the management interface only knows about the network that it resides in. As others have stated, if you remove the default gateway from the management interface routing table, everything will not leave through the selfIPs of the F5 except for any routes that you add using the following command in tmsh. This command is based on your servers being in a 10.10.10.0/24 network, your management interface of the F5 being in 10.10.9.0/24, and the gateway for that network being 10.10.9.1.

    create sys management-route route_1 network 10.10.10.0/24 gateway 10.10.9.1

    For anything that needs to reach the management interface IP you will have to add one of these routes so that the management interface knows how to reach that destination. Also keep in mind that you will now have to look at 2 routing tables when troubleshooting why traffic isn't working on the routed path (the selfIP interfaces). I would recommend adding /32 routes as often as possible to the management routing table in order to avoid the issue previously described. You cannot have traffic leaving the management interface and the other routed interfaces for the same destination without causing issues. Make sure that the traffic communicating with the management interface will indeed only talk to that interface of the F5. Make sure you have a way to configure these devices locally if for some reason you lose network access to them, as well as the credentials for the local users on the devices.
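A small check for the two conditions the accepted answer warns about, as an added example that is not part of the thread or of any F5 tooling: management routes that are wider than /32, a management gateway that is not on the management subnet, and a destination that is routed by both the management table and a TMM (self IP) route. The route lists, the TMM gateway 192.0.2.1 and the function names are constructed assumptions; the 10.10.9.0/24 / 10.10.10.0/24 / 10.10.9.1 values come from the answer above.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    name: str
    network: str   # CIDR prefix, or "default" for 0.0.0.0/0
    gateway: str


def _net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix, strict=False)


def check_routes(mgmt_subnet: str, mgmt_routes: list[Route], tmm_routes: list[Route]) -> list[str]:
    """Return findings about the management routing table; an empty list means no concerns."""
    findings = []
    mgmt_net = _net(mgmt_subnet)
    for m in mgmt_routes:
        m_net = _net(m.network)
        # A management route is only usable if its gateway is on the management subnet.
        if ipaddress.ip_address(m.gateway) not in mgmt_net:
            findings.append(f"{m.name}: gateway {m.gateway} is not in management subnet {mgmt_subnet}")
        if m_net.prefixlen == 0:
            findings.append(f"{m.name}: management default route present")
        elif m_net.prefixlen < 32:
            findings.append(f"{m.name}: {m.network} is wider than /32; prefer host routes")
        # The same destination reachable from both planes is the asymmetric-path case.
        # The TMM default route is skipped: every management route is more specific than it.
        for t in tmm_routes:
            t_net = _net(t.network)
            if t_net.prefixlen > 0 and m_net.overlaps(t_net):
                findings.append(f"{m.name}: {m.network} also routed by TMM route {t.name} ({t.network})")
    return findings


# Constructed sample: the /24 route from the answer, plus a TMM route to the same servers.
SAMPLE_MGMT_SUBNET = "10.10.9.0/24"
SAMPLE_MGMT_ROUTES = [Route("route_1", "10.10.10.0/24", "10.10.9.1")]
SAMPLE_TMM_ROUTES = [
    Route("default", "default", "192.0.2.1"),
    Route("servers", "10.10.10.0/24", "192.0.2.1"),
]

if __name__ == "__main__":
    for line in check_routes(SAMPLE_MGMT_SUBNET, SAMPLE_MGMT_ROUTES, SAMPLE_TMM_ROUTES):
        print(line)
```

Replacing the /24 with per-host /32 management routes makes the overlap finding disappear only if the TMM side no longer routes those hosts too, which is the point the answer makes.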

5 Replies

  • The management and TMM are different things.

    If you remove the management gateway and put instead a route, this route will be in TMM space, let's say.

    Then you will have to put a route or do some routing so the management network knows to reach the F5.

    Then you will be able to use the self IP to do management stuff. But first, make sure the routing is in place and you have a look at port lockdown on self IP and you allow Default.

    https://support.f5.com/csp/article/K17333


    • レザ

      Hi,

      I don't want to access management via self IPs. I want to access management only via the management interface but without a default route; I know I should add a static entry for my management network.

      But the question is, will these static routes affect TMM operation (for example, health checking, etc.)?


      thanks


  • Hi レザ,

    Exactly as mihaic said.

    I want to add a point:

    > Moving the default route to TMM tasks will not impact the performance, but you may have to change the status of port lockdown (from allow none to allow default, or specifying some specific ports) to integrate with some devices, for instance monitoring tools which need to collect some statistics from your F5 device. Also, by removing the management default route, your device will have to use its self IPs to get its updates from the internet.

    So both opening port lockdown and internet access through self IPs are security breaches.

    > Moving the default route to TMM is not recommended, but if you have to do this, try to specify specific ports in your self IPs, also use a forward proxy to categorize internet access traffic from the F5, and restrict your firewall policies for the F5 self IPs when accessing the internet.


  • Management and TMM are different things.

    If you don't have a default gateway on the management interface, you will not be able to reach anything besides that network.

    As far as I know, you cannot add routes in the management plane using the GUI. Maybe from bash. But I never tried.

    When you add routes from the GUI, you add them in the TMM plane (space).

    Static routes affect the network that they are routing.

    If you add a route and have pool members pointing to servers in that network, of course the traffic and monitors will go that way.

    It really depends on what you have on networks that you plan to add routes to.

    When you have HA, you usually use an IP from the same network for each device. So adding routes should not affect this.
