Overview of port lockdown behavior

SOURCE: https://support.f5.com/kb/en-us/solutions/public/13000/200/sol13250.html

Port lockdown exceptions
TCP port 1028: In BIG-IP 11.0.0 – 11.3.0 redundant pair configurations, the system allows tcp:1028 for connection and persistence mirroring, regardless of the port lockdown settings.
TCP port 1029 – 1043: Beginning in BIG-IP 11.4.0, the BIG-IP system maintains a separate mirroring channel for each traffic group. The port range for each connection channel begins at TCP 1029 and increments by one for each new traffic group and channel created. By default, the BIG-IP system allows TCP ports 1029-1043. For more information, refer to SOL14894: The BIG-IP system establishes a separate mirroring channel for each traffic group.
TCP port 4353: When BIG-IP 11.0.0 and later devices are configured in a synchronization group, peer devices communicate using Centralized Management Infrastructure (CMI) on tcp:4353, regardless of the port lockdown settings.
Note: CMI uses the same port as iQuery tcp:4353, but is independent of iQuery and the port configuration options available for the port.
ICMP: ICMP traffic to the self-IP address is not affected by the port lockdown list and is implicitly allowed in all cases.
Note: In most cases, it is not possible to ping self IP addresses across Virtual Local Area Networks (VLANs). For more information, refer to SOL3475: The BIG-IP system may not respond to ICMP ping requests for a self IP address.

Allow Default
This option allows access for a pre-defined set of network protocols and services that are typically required in a BIG-IP deployment.

The Allow Default setting specifies that connections to the self IP address are allowed from the following protocols and services:
Allowed protocol    Service    Service definition
OSPF                N/A        N/A
TCP                 4353       iQuery
UDP                 4353       iQuery
TCP                 443        HTTPS
TCP                 161        SNMP
UDP                 161        SNMP
TCP                 22         SSH
TCP                 53         DNS
UDP                 53         DNS
UDP                 520        RIP
UDP                 1026       network failover

# tmsh list net self-allow
net self-allow {
    defaults {
        ospf:any
        tcp:domain
        tcp:f5-iquery
        tcp:https
        tcp:snmp
        tcp:ssh
        udp:520
        udp:cap
        udp:domain
        udp:f5-iquery
        udp:snmp
    }
}

Allow All
This option specifies that all connections to the self IP address are allowed, regardless of protocol or service.

Allow None
This option specifies that no connections are allowed on the self IP address, regardless of protocol or service.
However, ICMP traffic is always allowed, and if the BIG-IP systems are configured in a redundant pair, ports that are listed as exceptions are always allowed from the peer system.

Allow Custom
This option allows you to specify the protocols and services for which connections are allowed on the self IP address.
However, ICMP traffic is always allowed, and if the BIG-IP systems are configured in a redundant pair, ports that are listed as exceptions are always allowed from the peer system.

Using the Configuration utility to modify port lockdown settings for a specific self IP
Log in to the Configuration utility.
Navigate to Network > Self IPs.
Click the relevant self IP address.
From the Port Lockdown box, select the desired setting.
Click Update.

Using the tmsh utility to modify port lockdown settings
# tmsh
# modify /net self 10.10.10.1 allow-service default
# save sys config
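As an added example (not from the F5 article or this blog), a small Python audit that parses tmsh list net self output, expands each self IP's lockdown setting into what is actually reachable, including the ICMP, CMI and mirroring exceptions described above, and flags self IPs set to Allow All or exposing management services. The sample output, addresses and VLAN names are constructed, and the device is assumed to have a sync/HA peer so that the CMI and mirroring ports apply.

```python
import re
# "Allow Default" set, as printed by "tmsh list net self-allow" above
ALLOW_DEFAULT = {"ospf:any", "tcp:domain", "tcp:f5-iquery", "tcp:https", "tcp:snmp",
                 "tcp:ssh", "udp:520", "udp:cap", "udp:domain", "udp:f5-iquery", "udp:snmp"}
# Never blocked by port lockdown on a device with a sync/HA peer: ICMP, CMI, mirroring range
IMPLICIT = {"icmp:any", "tcp:4353", "tcp:1029-1043"}
MGMT_SERVICES = {"tcp:ssh", "tcp:https", "tcp:snmp", "udp:snmp"}  # management-plane services
# Constructed sample of "tmsh list net self" output (hypothetical addresses and VLANs)
SAMPLE = """net self 10.10.10.1 {
    allow-service all
    vlan external
}
net self 192.168.1.1 {
    allow-service {
        default
    }
    vlan internal
}
"""
BLOCK_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)
ALLOW_RE = re.compile(r"allow-service (all|none|\{(.*?)\})", re.S)

def parse_self_ips(text):
    # Returns (name, vlan, allow) tuples; allow is "all", "none" or a frozenset of services
    entries = []
    for name, body in BLOCK_RE.findall(text):
        vlan = re.search(r"\bvlan (\S+)", body)
        m = ALLOW_RE.search(body)
        allow = m.group(1) if m.group(2) is None else frozenset(m.group(2).split())
        entries.append((name, vlan.group(1) if vlan else None, allow))
    return entries

def effective_services(allow):
    # Expand a lockdown setting into what is actually reachable on the self IP
    if allow == "all":
        return {"any:any"}
    base = set() if allow == "none" else set(allow)
    if "default" in base:               # Allow Default, possibly plus custom entries
        base = (base - {"default"}) | ALLOW_DEFAULT
    return base | IMPLICIT

def audit(entries):
    # One finding per self IP set to Allow All or exposing a management service
    findings = []
    for name, vlan, allow in entries:
        svcs = effective_services(allow)
        exposed = "all services" if "any:any" in svcs else sorted(svcs & MGMT_SERVICES)
        if exposed:
            findings.append(f"{name} on {vlan}: {exposed} reachable on a self IP")
    return findings
```

Note that even Allow None still leaves ICMP and, with a peer, the CMI and mirroring ports reachable, which is why the audit expands the setting before comparing it against the management-service list.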
