
The BIG-IP can be configured to use either the TMM or the management (mgmt) interfaces for remote authentication (LDAP, TACACS, RADIUS, etc.) traffic.

Problem

When you configure remote authentication on an F5 BIG-IP system, you need to decide where the traffic will be routed: over TMM or over the management interface.

The choice between TMM and the management interface determines the source IP address and the network path of the authentication traffic. You control it with the routing configuration.

F5 Architecture

The F5 BIG-IP has two network stacks, TMM and Linux. The following picture explains the difference:

[Figure: the TMM and Linux network stacks of the BIG-IP]

User processes can therefore communicate either over the TMM switch module or over the management processor (Linux kernel). Which of the two is used is decided by the route configuration.

Routing

BIG-IP routing tables

The BIG-IP routing table consists of a combination of routing subtables: a subtable for management routes and a subtable for TMM routes. Routes in the TMM subtable are defined with a lower metric than routes in the management subtable. As a result, if an equally specific route exists as both a TMM route and a management route, the system will prefer the TMM route. This also applies if the only defined management route is a default gateway: the system will prefer the TMM default gateway.

TMM switch routes are routes that the BIG-IP system uses to forward traffic through the TMM switch interfaces instead of through the management interface. Traffic sourced from a TMM (self IP) address will always use the most specific matching TMM route. Traffic sourced from a TMM address will never use a management route. When TMM is not running, the TMM addresses are not available, and all TMM routes are removed. As a result, when TMM is not running, all outbound administrative traffic uses the most specific matching management route.
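The selection rules above can be modelled to predict which path the traffic to each authentication server will take. This is an added example, not F5 code: it is a simplified model for traffic from a user process that is not bound to a self IP, and the function name, route lists and server addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample routes (documentation address ranges), not from a real system.
TMM_ROUTES = ["0.0.0.0/0", "198.51.100.0/24"]
MGMT_ROUTES = ["0.0.0.0/0", "192.0.2.0/24", "198.51.100.10/32"]

# Constructed remote authentication servers.
AUTH_SERVERS = {
    "ldap": "198.51.100.10",
    "radius": "198.51.100.20",
    "tacacs": "192.0.2.5",
    "other": "203.0.113.9",
}


def select_route(dest, tmm_routes, mgmt_routes, tmm_running=True):
    """Return (subtable, prefix) chosen for traffic to dest, or None if no route matches."""
    addr = ipaddress.ip_address(dest)
    candidates = []
    for table, routes in (("tmm", tmm_routes), ("mgmt", mgmt_routes)):
        if table == "tmm" and not tmm_running:
            continue  # all TMM routes are removed while TMM is not running
        for prefix in routes:
            net = ipaddress.ip_network(prefix)
            if addr.version == net.version and addr in net:
                candidates.append((table, net))
    if not candidates:
        return None
    # Most specific prefix wins; on equal prefix length the TMM route
    # wins because it carries the lower metric.
    table, net = max(candidates, key=lambda c: (c[1].prefixlen, c[0] == "tmm"))
    return table, str(net)


def audit(servers, tmm_running=True):
    """Map each server name to the route its authentication traffic would use."""
    return {name: select_route(ip, TMM_ROUTES, MGMT_ROUTES, tmm_running)
            for name, ip in servers.items()}


if __name__ == "__main__":
    for state in (True, False):
        print("TMM running:", state)
        for name, route in audit(AUTH_SERVERS, state).items():
            print(f"  {name:7s} -> {route}")
```

In this model, a management route that is more specific than any TMM route sends that server's traffic out of the management interface, while equally specific routes resolve to TMM.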

Managing routing parameters

Viewing, deleting, and adding management IP addresses

  • To view the management IP address, type the following command:

    tmsh list /sys management-ip

  • To delete an existing management IP address, use the following command syntax, replacing <address> with the management IP address:

    tmsh delete /sys management-ip <address>

  • To add a new management IP address, use the following command syntax, replacing <address> with the management IP address and <netmask> with the network mask:

    tmsh create /sys management-ip <address>/<netmask>