ryno_110891
May 28, 2009

Monitor on Management Interface?

Hello all,

Super-newbie here wanting to know if it is possible to create a LDAP monitor to use the management interface on a BIGIP 6400 LTM using 9.4.5. All the networks which the self IPs ride are closed, so the management interface is the only one that can communicate with our LDAP server. Thanks in advance to any replies/feedback!

4 Replies

  • Is this LDAP traffic for load balancing or admin authentication? I'm assuming it's the former.

    I assume the load balanced traffic from LTM to the LDAP pool is going out a switch interface and you just can't add the static self IP addresses to the firewalls? If so, I imagine you could technically create an admin route (b mgmt route from the command line) which points the LDAP-destined traffic over the mgmt port. I'm not sure if you just get warning messages or if the route is ignored.

    If you're actually trying to route load balanced traffic out the management port, it's strongly discouraged. The mgmt port should be isolated from client traffic so the mgmt interface will be available to administrators. Also, the mgmt port is limited to 100Mb. I'm sure there are other reasons to avoid this as well.

    Are you sure it's not possible to allow monitor traffic via the switch ports? That's the best practice method for a reason.

    Aaron
  • Posted By hoolio on 05/28/2009 11:20 AM

    I'm sure there are other reasons to avoid this as well.

    The big one is that you don't want client traffic having to traverse in and out of tmm to the Linux kernel. Major resource penalty for the host and probably not too good for tmm either.

    Denny

  • Is this LDAP traffic for load balancing or admin authentication? I'm assuming it's the former.

    Neither. The purpose of the monitor is to intermittently send a request out of the management interface to the AD server to see if it is up and running. The F5s are not load balancing the LDAP traffic, nor are they using AD for admin authentication.

    Are you sure it's not possible to allow monitor traffic via the switch ports?

    Yes. We want no outside traffic from the F5 1.x interfaces to the switch ports.

    If you're actually trying to route load balanced traffic out the management port, it's strongly discouraged.

    We're not trying to do this. We would like to set up a monitor that would come out of the management interface and check to see if the AD/LDAP server is available. It would not be tied to the load balanced traffic in any way.

    Thanks for the replies!
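For readers wondering what such an availability check actually puts on the wire, here is the exchange an LDAP monitor performs, as an added example that is not part of this thread and does not reproduce F5's own LDAP monitor: an LDAPv3 anonymous simple BindRequest (RFC 4511, BER-encoded) followed by a BindResponse whose resultCode 0 means "directory is answering". The probe() function, its host/port arguments and the sample response bytes at the bottom are assumptions constructed for the example, not captures from a real AD server.

```python
import socket

# ---- BER encoding/decoding (standard library only) -------------------------

def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple with a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02), two's-complement, minimal length."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return ber_tlv(0x02, body)

def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

# ---- LDAP messages (RFC 4511 tags) ------------------------------------------

BIND_REQUEST = 0x60    # [APPLICATION 0] constructed
BIND_RESPONSE = 0x61   # [APPLICATION 1] constructed
UNBIND_REQUEST = 0x42  # [APPLICATION 2] primitive, always empty

def build_bind_request(message_id: int = 1, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    Empty dn and password give an anonymous bind, the least-privilege probe."""
    bind = ber_int(3) + ber_tlv(0x04, dn.encode()) + ber_tlv(0x80, password.encode())
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(BIND_REQUEST, bind))

def build_unbind_request(message_id: int = 2) -> bytes:
    """Polite close so the directory does not log an abandoned session."""
    return ber_tlv(0x30, ber_int(message_id) + bytes([UNBIND_REQUEST, 0x00]))

def parse_bind_response(data: bytes, expect_id: int = 1) -> dict:
    """Pull resultCode, matchedDN and diagnosticMessage out of a BindResponse."""
    tag, msg, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = ber_read(msg)
    if tag != 0x02 or int.from_bytes(mid, "big", signed=True) != expect_id:
        raise ValueError("unexpected messageID")
    tag, op, _ = ber_read(msg, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("protocolOp is not a BindResponse (tag 0x%02x)" % tag)
    tag, code, pos = ber_read(op)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    _, matched, pos = ber_read(op, pos)
    _, diag, _ = ber_read(op, pos)
    return {
        "result_code": int.from_bytes(code, "big"),
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }

def is_healthy(response: bytes) -> bool:
    """Monitor verdict: only a parseable BindResponse with resultCode 0 is 'up'."""
    try:
        return parse_bind_response(response)["result_code"] == 0
    except ValueError:
        return False

# ---- Live probe (real network I/O; host/port are whatever you point it at) --

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the LDAP message was complete")
        buf += chunk
    return buf

def _recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER TLV from the socket, honouring long-form lengths."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        lenb = _recv_exact(sock, head[1] & 0x7F)
        head += lenb
        length = int.from_bytes(lenb, "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)

def probe(host: str, port: int = 389, timeout: float = 5.0, dn: str = "", password: str = "") -> bool:
    """Connect, bind, unbind; True only when the bind succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_bind_request(1, dn, password))
            response = _recv_message(s)
            s.sendall(build_unbind_request(2))
    except (OSError, ValueError):
        return False
    return is_healthy(response)

# ---- Constructed sample responses for offline use (not real captures) -------
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")              # resultCode 0
SAMPLE_INVALID_CREDENTIALS = bytes.fromhex("300c02010161070a013104000400")  # resultCode 49

if __name__ == "__main__":
    print(build_bind_request().hex())  # 300c020101600702010304008000
    print(is_healthy(SAMPLE_SUCCESS), is_healthy(SAMPLE_INVALID_CREDENTIALS))
```

Run it against a real directory with `probe("ldap.example.internal")` (placeholder hostname). Two practitioner caveats: a directory that disallows anonymous binds will answer with a non-zero resultCode even when perfectly healthy, so pass a low-privilege monitor DN and password in that case; and a plain TCP connect proves only that something listens on 389, which is why the check insists on a well-formed BindResponse rather than an open port.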
  • Thanks for the feedback Denny! The F5s are load balancing to servers that will perform a Kerberos check for incoming users. The client is requesting that we run a monitor on the F5 to the LDAP server to monitor the LDAP server in the event that the Kerberos check fails.

    Thanks again!