Incorporating Enterprise Manager into your network is as simple as adding any F5 Networks device. You can use the Enterprise Manager Quick Start Instructions included with the system to get started with the physical installation and initial network configuration. See Chapter 3, Licensing and Configuring the System, for detailed information on licensing, platform configuration, and basic default settings.
This chapter describes how to configure devices in your network to work with Enterprise Manager.
Depending on your network topology, you may have to configure a SNAT, NAT, or multiple virtual servers external to the Enterprise Manager device in order to ensure proper communication between Enterprise Manager and managed devices.
Enterprise Manager is designed to work within virtually any network configuration and can adapt to the management configuration you already use for F5 Networks devices in your network. You connect Enterprise Manager to devices in the network through the interfaces available on both the Enterprise Manager device and the F5 Networks devices in the network. The interfaces on the Enterprise Manager or other F5 Networks system are the physical ports that you use to connect each system to other devices on the network.
Enterprise Manager can work with the network topology of your choice in two distinct ways:
We recommend that, whenever possible, you create a management network that you administer through the management interface on each managed device and the Enterprise Manager system. The management interface is a special port on the BIG-IP system, used for managing administrative traffic. Named MGMT, the management interface does not forward user application traffic, such as traffic slated for load balancing.
This type of configuration requires the least additional configuration when you discover and begin to manage devices. Additionally, when you add a new device to the management network, you do not need to perform extensive configuration to manage it with Enterprise Manager, as long as all devices on the management network exist on the same subnet.
This type of configuration keeps traffic management communication separate from enterprise management communications, and does not require you to dedicate a TMM switch interface to device management traffic.
You can use Enterprise Manager to communicate with managed devices through one of the managed device's TMM switch interfaces. TMM switch interfaces are those interfaces that the BIG-IP system uses to send or receive application traffic, that is, traffic slated for load balancing. However, this type of network setup frequently requires some additional configuration in order to maintain a two-way connection between Enterprise Manager and managed devices.
If you want to connect to a managed device through a TMM switch interface, you must associate the interface on the managed device with a VLAN and a self IP address so that Enterprise Manager can recognize and connect to the device in the network (through its own MGMT interface or through a self IP and VLAN that you configure on Enterprise Manager). If you choose to use a TMM switch interface on managed devices, Enterprise Manager uses this interface for sending software upgrades to the managed device and we recommend that you do not use the interface for managing traffic. When you are deciding on which interface to use for the connection to Enterprise Manager, we recommend that you use the same interface that you currently use for device administration.
For information on how to configure and use the management interface, see Chapter 4, Configuring the BIG-IP Platform and General Properties in the BIG-IP Network and System Management Guide.
When you initially configured the F5 Networks devices in your network, you made a decision to administer each device through the MGMT interface or through a TMM switch interface. Your previous device management choice generally determines how you configure Enterprise Manager to work as your enterprise management system, but you can use this opportunity to build separate management networks that will keep device administration separate from traffic management.
Because Enterprise Manager communicates with managed devices at regular intervals, you must keep two-way communication open between Enterprise Manager and managed devices. On each managed device, you must ensure that device management traffic does not interfere with traffic management activity.
Whether this means configuring your managed devices to use virtual servers to communicate through a multi-tiered device configuration, or configuring a firewall NAT to translate IP addresses, depends on your existing network topology.
The following sections outline three of the most common network topology scenarios:
Enterprise Manager can work well in any of these configurations, or in configurations that combine some of the scenarios described.
In many cases, you may have already completed some of the required tasks while configuring your network for traffic management.
If you use a firewall with a NAT to translate IP addresses, you must ensure that the NAT is properly configured for Enterprise Manager to use for device management. Usually, if your NAT works well for your traffic management, you may not have to perform any additional configuration other than ensuring that Enterprise Manager recognizes devices in the network at the IP addresses you expect, and that each device can properly communicate back to Enterprise Manager.
In this common configuration, a NAT translates the IP addresses of managed devices through the firewall into addresses that Enterprise Manager can use to talk to a managed device.
After you discover devices in this kind of configuration, you must configure the device general properties so that each managed device can initiate communications with Enterprise Manager.
To open a two-way connection between each managed device and Enterprise Manager, ensure that you perform the following tasks:
Another common network deployment involves placing multiple F5 Networks devices behind a BIG-IP system in order to load balance requests to multiple devices. For example, if you use ten BIG-IP systems to load balance requests to multiple servers, you may add another tier to the load balancing by using another BIG-IP system to load balance requests to the ten BIG-IP systems.
In this configuration, virtual servers provide a route through the multiple tiers for network requests. For Enterprise Manager to work properly in this configuration, you must set up multiple virtual servers on the top traffic management tier to properly send device management traffic through each tier. Additionally, you must configure one virtual server on each managed device exclusively for enterprise management traffic.
As with the NAT in the previous example, you should use the BIG-IP system that balances requests to the other systems to translate enterprise management traffic through virtual server addresses. Alternatively, you can configure a SNAT on the top tier BIG-IP system to send communications back to Enterprise Manager. See Working with a tiered configuration using SNAT for more information on using a SNAT in a tiered configuration.
On the top tier device in your tiered configuration, you must configure two virtual servers, each using port 443. Enterprise Manager uses the first virtual server to communicate to the managed devices on the lower tier, and the managed devices use the second virtual server to initiate communication with Enterprise Manager.
When you discover devices, you should discover the virtual server addresses that you configured for device management. After you discover devices, you must configure the device general properties on the Enterprise Manager system so that managed devices can properly communicate with the Enterprise Manager system.
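The following pre-discovery check is an added example, not part of the original guide or of any F5 tool. It sorts a device inventory into addresses on the Enterprise Manager management subnet (the case described earlier as needing the least configuration) and addresses that need a NAT or virtual server, then probes each address on TCP port 443. The inventory, the names `classify`, `tcp_open` and `report`, and the use of port 443 for devices outside the tiered case are assumptions.

```python
import ipaddress
import socket

# Constructed sample inventory (documentation address ranges, not from the guide).
EM_MGMT = "192.0.2.10/24"        # Enterprise Manager management address and mask
DEVICES = {
    "bigip-a": "192.0.2.21",     # on the management subnet
    "bigip-b": "192.0.2.22",
    "bigip-c": "198.51.100.7",   # address presented by a NAT or virtual server
}

def classify(em_mgmt, devices):
    """Split device names into those on EM's management subnet and the rest."""
    net = ipaddress.ip_interface(em_mgmt).network
    direct, translated = [], []
    for name, addr in sorted(devices.items()):
        (direct if ipaddress.ip_address(addr) in net else translated).append(name)
    return direct, translated

def tcp_open(host, port=443, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False

def report(em_mgmt, devices, probe=tcp_open):
    """Build one row per device: (name, address, path, reachable on 443)."""
    direct, _ = classify(em_mgmt, devices)
    rows = []
    for name, addr in sorted(devices.items()):
        path = "management subnet" if name in direct else "needs NAT/virtual server"
        rows.append((name, addr, path, probe(addr)))
    return rows

if __name__ == "__main__":
    for name, addr, path, ok in report(EM_MGMT, DEVICES):
        print("%-8s %-14s %-25s 443 %s" % (name, addr, path, "open" if ok else "closed"))
```

The probe only confirms the direction from Enterprise Manager to each device; the return path has to be tested from the managed device against the address it uses to reach Enterprise Manager.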
To open a two-way connection between each managed device and Enterprise Manager in a tiered network configuration, ensure that you perform the following tasks:
Another network configuration involves using the tiered approach described in the previous section in addition to using a SNAT for secure address translation on the top tier BIG-IP system.
In this configuration, virtual servers provide a route through the top tier for Enterprise Manager to contact managed devices, while a SNAT allows the managed device to contact the Enterprise Manager system. For Enterprise Manager to work properly in this configuration, you must set up multiple virtual servers and configure a SNAT to properly translate the IP addresses of these virtual servers for outbound communications to the Enterprise Manager system.
To open a two-way connection between each managed device and Enterprise Manager in a tiered network configuration with a SNAT, ensure that you perform the following tasks: