K13284: Overview of management interface routing (11.x - 13.x)
Non-Diagnostic
Original Publication Date: Dec 28, 2011
Update Date: Nov 29, 2017
Topic
This article applies to BIG-IP 11.x through 13.x. For information about other versions, refer to the following
article:
K3669: Overview of management interface routing (9.x - 10.x)
The Traffic Management Microkernel (TMM) controls all of the BIG-IP switch ports (TMM interfaces), and
the underlying Linux operating system controls the BIG-IP management interface. The management
interface processes only administrative traffic. The TMM interfaces process both application traffic and
administrative traffic.
Description
Traffic type
The BIG-IP system can process the following traffic types:
Application traffic
TMM processes inbound application traffic that arrives on a TMM switch interface and is destined for a BIG-IP self IP address or a virtual server address.
Administrative traffic
BIG-IP administrative traffic can be defined as follows:
Inbound administrative connections
Inbound connections sent to the BIG-IP management IP address that arrive on the management
interface are processed by the Linux operating system. Inbound connections sent to the BIG-IP self
IP addresses that arrive on a TMM interface are processed by TMM. If the self IP address is
configured to allow a connection to the destination service port, TMM hands the connection off to the
Linux operating system, which then processes the connection request.
Outbound administrative connections
Outbound connections sent from the BIG-IP system by administrative applications (SNMP, SMTP,
SSH, NTP, etc.) are processed by the Linux operating system. These connections may use either the
management address or a self IP address as the source address. The BIG-IP system compares the
destination address to the routing table to determine the interface through which the BIG-IP system
routes the traffic.
Note: This behavior applies only to unsolicited outbound traffic: traffic that is not in response to a
request originated by a remote host. A response to a request originated by a remote host is returned
to the last MAC address traversed by the inbound request.
Note: You can configure a health monitor to send probes using the management network. However,
F5 strongly discourages this configuration because the management network is not intended for
production traffic. F5 recommends that the pool members/nodes reside on a network that is reachable
through TMM interfaces so that health monitor probes are sent through TMM interfaces.
BIG-IP routing tables
The BIG-IP routing table consists of the following routing subtables:
Management routes
The BIG-IP system uses management routes to forward traffic through the management interface. For
traffic sourced from the management address, the system prefers management routes over TMM routes
and uses the most specific matching management route. If no management route is defined or matched, the
system uses the most specific matching TMM route. If only a default gateway is defined as a management
route, the system will prefer the TMM default gateway.
TMM routes
TMM switch routes are routes that the BIG-IP system uses to forward traffic through the TMM switch
interfaces instead of through the management interface. Routes in the TMM subtable are defined with a
lower metric than routes in the management subtable. Traffic sourced from a TMM (self IP) address will
always use the most specific matching TMM route. Traffic sourced from a TMM address will never use a
management route. When TMM is not running, the TMM addresses are not available, and all TMM routes
are removed. As a result, when TMM is not running, all outbound administrative traffic uses the most
specific matching management route.
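The following is an added example, not F5 code: a simplified Python model of the route selection rules stated above, useful for checking which subtable an outbound administrative connection (for example syslog or SNMP) would use. The table contents other than the page's lognet route, and the names select_route and best_match, are assumptions made for illustration.

```python
import ipaddress

# Constructed sample tables: name -> (network, gateway). "lognet" is the page's example route.
MGMT_ROUTES = {
    "connected": ("172.16.1.0/24", None),        # directly connected management network
    "lognet": ("10.10.10.0/24", "172.16.1.254"),
    "default": ("0.0.0.0/0", "172.16.1.254"),    # default management gateway
}
TMM_ROUTES = {
    "internal": ("10.1.1.0/24", None),           # hypothetical self IP network
    "tmm-default": ("0.0.0.0/0", "10.1.1.1"),    # hypothetical TMM default gateway
}

def best_match(routes, dst, allow_default=True):
    """Longest-prefix match of dst in one subtable; returns (name, gateway) or None."""
    hits = []
    for name, (network, gateway) in routes.items():
        net = ipaddress.ip_network(network)
        if dst in net and (allow_default or net.prefixlen > 0):
            hits.append((net.prefixlen, name, gateway))
    if not hits:
        return None
    _, name, gateway = max(hits, key=lambda h: h[0])
    return name, gateway

def select_route(src_kind, dst, mgmt=MGMT_ROUTES, tmm=TMM_ROUTES, tmm_running=True):
    """Pick the route for an unsolicited outbound administrative connection.

    src_kind: "mgmt" (management address) or "self" (TMM self IP address).
    Returns (subtable, route name, gateway) or None when nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    if not tmm_running:
        # TMM routes are removed, so only the management subtable is left.
        order = [("management", mgmt, True)]
    elif src_kind == "self":
        # Self-IP-sourced traffic never uses a management route.
        order = [("tmm", tmm, True)]
    else:
        # Management-sourced: specific management routes first, then TMM routes
        # (including the TMM default), and the management default gateway last.
        order = [("management", mgmt, False), ("tmm", tmm, True), ("management", mgmt, True)]
    for subtable, routes, allow_default in order:
        hit = best_match(routes, dst, allow_default)
        if hit:
            return (subtable, *hit)
    return None
```

With these sample tables, a management-sourced connection to a destination covered only by the default management gateway is selected onto the TMM default gateway while TMM is running, and falls back to the management default gateway only when TMM is down.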
Managing routing parameters
Use the following commands to manage routing information.
Note: To manage the BIG-IP system routing information, you are required to use an account with
Administrator role credentials.
Viewing, deleting, and adding management IP addresses
To view the management IP address, type the following command:
tmsh list /sys management-ip
To delete an existing management IP address, use the following command syntax, replacing
<address> with the management IP address:
tmsh delete /sys management-ip <address>
To add a new management IP address, use the following command syntax, replacing <address> with
the management IP address and <netmask> with the network mask:
tmsh create /sys management-ip <address>/<netmask>
Viewing, deleting, and adding management routes
To view the management route, type the following command:
tmsh list /sys management-route
To delete an existing static route for the management network, type the following command:
tmsh delete /sys management-route <name>
For example:
tmsh delete /sys management-route lognet
To add a static route for traffic to use the management network, use the following command syntax:
tmsh create /sys management-route <name> network <destination network>/<netmask> gateway <management gateway>
Replace <name> with the name you want to use to identify this route. Replace
<destination network>/<netmask> with the IP address and netmask of the network you are routing to.
Replace <management gateway> with the IP address of the router used to access the destination network.
For example:
tmsh create /sys management-route lognet network 10.10.10.0/255.255.255.0 gateway 172.16.1.254
To save changes to the static routes for the management network, type the following command:
tmsh save /sys config
Viewing routing tables
To view existing management routes, type the following command:
tmsh list /sys management-route
To view all existing TMM routes, type the following command:
tmsh show /net route
To view all existing routes in the Linux kernel routing table, type the following command:
netstat -rn
Note: In the netstat command output, the management interface is represented as eth0.
To view routes in the main routing table, type the following command:
ip route show table main
To view the management routing table routes (table 245), type the following command:
ip route show table 245
Viewing, deleting, and adding IP rules
To view existing IP rules, type the following command:
ip rule show
To delete an existing IP rule, use the following command syntax, replacing <address> with the
management IP address:
ip rule del from <address>
To add an IP rule to the management routing table, use the following command syntax, replacing
<address> with the management IP address:
ip rule add from <address> pref 245 table 245
Note: This command adds the management address to the management routing table with a route
metric of 245.
Recommendations
When configuring management traffic, you should consider the following factors:
F5 recommends that you add static routes for management traffic whose destination does not match
the directly-connected management network. This configuration is useful when you handle SNMP
traffic that is directed to an SNMP Manager that resides on another network, which is accessible only
through the management network or other network services that are hosted on networks that are not
accessible by way of the TMM interfaces.
Note: If a destination address does not match that of the management interface network, and no
static route is specified besides a default management gateway, the system uses the default gateway
that the TMM specifies.
A Virtual Clustered Multiprocessing (vCMP) host administrator can reconfigure the
default management gateway for a vCMP guest. The configuration applied will take precedence and
will override the value configured on the vCMP guest.
Note: F5 recommends that you test any such changes during a maintenance window with
consideration to the possible impact on your specific environment.
Supplemental Information
K10239: Traffic originating from management processes may not use the intended management
address or management routes
K15040: Configuring and displaying the management IP address for the BIG-IP system
K7017: The BIG-IP ntpd process is unable to communicate with the NTP server
K9143: The Linux IP routing policy rule for route lookups on the management port is missing
K9188: SNMP startup traps may not always be sent