
Routing application traffic through management interface

phowes
Nimbostratus

Hello all,

I have a PoC setup in our lab with a management, internal and DMZ network and have a problem with routing. The F5 always sends the connection to the ADFS backend out from its DMZ interface, even though its management interface is in the same subnet as the ADFS.

MGMT: 10.x.250.0/24

DMZ: 10.x.251.128/25

Internal: 10.x.251.0/25 (not used here)

I read this information, which seems to suggest that application traffic must always be separate from management traffic: TMM handles the application traffic and the underlying Linux handles the management traffic:

https://clouddocs.f5.com/cli/tmsh-reference/latest/modules/sys/sys-management-route.html

The management interface is available on all switch platforms and is designed for management purposes. You can access the browser-based Configuration utility and command line configuration utility through the management port. You cannot use the management interface in traffic management VLANs.

So I understand from that that the MGMT is completely separate and I cannot make a routing hack to use the management interface for the ADFS application traffic.

I can't change the location of the AD FS server. I could just open the firewall for the F5 connection from the DMZ to the management network, but this is quite annoying as the F5 management and AD FS are directly connected on the same subnet.

Is there any way to instruct the F5 to use its management interface 10.x.250.150 to contact the AD FS?

Thanks,

Peter
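As an added illustration of the split the quoted passage describes (this is not from the thread or from F5's documentation), the two tmsh routing tables involved: TMM only consults `net route` entries when it opens the server-side connection to the AD FS pool member, while `sys management-route` entries only steer traffic the Linux host itself originates. The gateway addresses 10.x.251.129 and 10.x.250.1 are assumed placeholders.

```tmsh
# Data-plane (TMM) routing. This table is the only one a virtual server's
# server-side connection ever uses, so a route to the AD FS subnet can only
# point at a gateway reachable from a traffic VLAN (here: an assumed DMZ gateway).
# With no explicit entry TMM uses its default route, which in this lab is DMZ-side too;
# either way the packet leaves the DMZ self IP, never the management port.
create /net route adfs_via_dmz network 10.x.250.0/24 gw 10.x.251.129

# Host (Linux) management routing. Affects GUI/SSH access, DNS, NTP, syslog and
# other control-plane traffic only; it cannot be used to reach a pool member.
create /sys management-route adfs_subnet network 10.x.250.0/24 gateway 10.x.250.1

# Check: the data-plane table is what TMM resolves 10.x.250.x against,
# so the management interface will not appear in this output.
show /net route

# Check: the DMZ self IP is the source the firewall will see for the AD FS
# connection (with SNAT automap), so the rule needed is DMZ self IP -> AD FS port.
# Keep allow-service at none on traffic-side self IPs; "allow-service default"
# (the workaround mentioned in the accepted answer) exposes management services
# such as SSH and the Configuration utility on the data-plane VLAN.
list /net self
```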

 

1 ACCEPTED SOLUTION

cjunior
Nacreous

Hi dude,

The out-of-band mgmt interface has real benefits, especially for security and when you face issues on the BIG-IP data plane controller.

But sometimes, infrastructure limits force us to adapt to them.

In some cases, I used to set a "mgmt" address on traffic interfaces because a mgmt network was absent. So, I left the mgmt port/VLAN unplugged from the network cable or VLAN, put a dummy or default IP address on it, and then created a self IP with default services allowed to manage it from a traffic interface.

In your case, I think it is better to route traffic through the firewall and keep everything working as default, as you can't change the server addresses or the mgmt network range.

It's just an opinion on this particular case.

Kind regards.


2 REPLIES


phowes
Nimbostratus

Hi cjunior,

Sure, I see the benefits of OOB management and this will definitely be noted for the project itself. I had a think, and an extra firewall rule is not the end of the world; I'll keep things as they are.

Thanks for your opinion!