
The Big-IP can be configured to use either tmm or mgmt interfaces for remote authentication (LDAP, TACACS, RADIUS, etc.) traffic.

Problem

When you configure remote authentication on an F5 BIG-IP system, you need to decide where the traffic will be routed: over TMM or over the management interface.

The choice between TMM and the management interface determines the source IP and the network path of the authentication traffic. You control it with the routing configuration.

F5 Architecture

The F5 BIG-IP has two network stacks, TMM and Linux. The following picture explains the difference:

image.png

User processes can therefore communicate either over the TMM switch module or over the management processor (Linux kernel). Which path is used is decided by the route configuration.

Routing

BIG-IP routing tables

The BIG-IP routing table consists of a combination of routing subtables: a subtable for management routes and a subtable for TMM routes. Routes in the TMM subtable are defined with a lower metric than routes in the management subtable. As a result, if an equally specific route exists as both a TMM route and a management route, the system will prefer the TMM route. This also applies if the only defined management route is a default gateway: the system will prefer the TMM default gateway.

TMM switch routes are routes that the BIG-IP system uses to forward traffic through the TMM switch interfaces instead of through the management interface. Traffic sourced from a TMM (self IP) address will always use the most specific matching TMM route. Traffic sourced from a TMM address will never use a management route. When TMM is not running, the TMM addresses are not available, and all TMM routes are removed. As a result, when TMM is not running, all outbound administrative traffic uses the most specific matching management route.
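The precedence rules above, as a simplified model in Python that predicts which subtable carries traffic to an authentication server. This is an added example, not F5 code and not part of the original page; `select_route`, the management gateway 192.0.2.1 and the server addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample tables as (destination, gateway). The TMM entries reuse the
# page's example network; the management gateway 192.0.2.1 is made up.
TMM_ROUTES = [("0.0.0.0/0", "30.30.30.158"), ("10.10.22.0/24", "30.30.30.158")]
MGMT_ROUTES = [("0.0.0.0/0", "192.0.2.1"), ("10.10.99.111/32", "192.0.2.1")]

def select_route(dest, tmm_routes=TMM_ROUTES, mgmt_routes=MGMT_ROUTES,
                 tmm_running=True, from_self_ip=False):
    """Return (subtable, destination, gateway) chosen for dest, or None."""
    ip = ipaddress.ip_address(dest)
    tables = []
    if tmm_running:
        # TMM routes exist only while TMM runs; their lower metric wins ties.
        tables.append(("tmm", 0, tmm_routes))
    if not from_self_ip:
        # Traffic sourced from a self IP never uses a management route.
        tables.append(("mgmt", 1, mgmt_routes))
    candidates = []
    for name, rank, routes in tables:
        for cidr, gw in routes:
            net = ipaddress.ip_network(cidr)
            if ip in net:
                # Sort key: longest prefix first, then TMM before management.
                candidates.append((-net.prefixlen, rank, name, cidr, gw))
    if not candidates:
        return None
    _, _, name, cidr, gw = min(candidates)
    return name, cidr, gw

if __name__ == "__main__":
    # Constructed authentication server addresses.
    for label, server in [("LDAP", "10.10.22.5"), ("RADIUS", "10.10.99.111"),
                          ("TACACS", "203.0.113.10")]:
        print(label, server, "TMM up:", select_route(server),
              "TMM down:", select_route(server, tmm_running=False))
```

The result tells you which source address the authentication server and any firewall in between must allow, including the fallback to the management path when TMM is down.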

The BIG-IP system maintains two kinds of routes:

Management routes

Management routes are routes that the BIG-IP system uses to forward traffic through the special management interface. The BIG-IP system stores management routes in the Linux (that is, kernel) routing table.

Management routing parameters

Viewing, deleting, and adding management IP addresses

  • To view the management IP address, type the following command:

    tmsh list /sys management-ip

  • To delete an existing management IP address, use the following command syntax, replacing <address> with the management IP address:

    tmsh delete /sys management-ip <address>

  • To add a new management IP address, use the following command syntax, replacing <address> with the management IP address and <netmask> with the network mask:

    tmsh create /sys management-ip <address>/<netmask>

TMM routes

TMM routes are routes that the BIG-IP system uses to forward traffic through the Traffic Management Microkernel (TMM) interfaces instead of through the management interface. The BIG-IP system stores TMM routes in both the TMM and kernel routing tables.

TMM routing parameters
  • To view all routes on the system, type: tmsh show /net route
  • To view all configured static routes on the system, type: tmsh list /net route
  • To create a static route, use the following command syntax:

    tmsh create /net route <route destination/mask> <gw|pool|interface|blackhole> <IP address|pool name|VLAN/Tunnel name>


    Examples:

    To create a static route to the 10.10.22.0/24 network using gateway 30.30.30.158, you enter the following command:

    tmsh create /net route 10.10.22.0/24 gw 30.30.30.158

    To create a static route to a single destination host 10.10.99.111 using the gateway 30.99.99.254, you enter the following command:

    tmsh create /net route 10.10.99.111/32 gw 30.99.99.254

You can find further information in this excellent F5 documentation:

K28172750: The Big-IP can be configured to use either tmm or mgmt interfaces for remote authentication (LDAP, TACACS, RADIUS, etc.) traffic.