
f5 Enterprise Manager

The f5 Enterprise Manager is a tool which can be used for the following:

Search LTM & GTM configurations
Store and deploy OS upgrades
Manage devices and implement configurations
Archive configurations
Monitor certificates, health and status of devices

The f5 Enterprise Manager can be installed as a single unit or in a redundant HA setup with 2 Enterprise
Managers. It can be a standalone unit, or installed as a VMware virtual device.

Overview:
https://f5.com/products/modules/enterprise-manager

Manual:
http://support.f5.com/kb/en-us/products/em/versions.3-1-1.html?nocache

EHI could utilize the f5 Enterprise Manager (EM) for the following:

Replacement for SLB Authority

The EM can be used to perform searches on any of the current SLB Authority variables with the
exception of Application Owner. Normally the Application Owner is not used as search criteria. The EM
search results can then be filtered further for a more defined result, which is a feature that SLB Authority
does not have. Quite often once SLB Authority results are displayed, each result needs to be reviewed in
order to find the desired search criteria.

Since SLB Authority is a database with manual entries, the information can be outdated and incorrect.
With EM, the actual configuration of the devices is searched and displayed, and the device hostname
along with the specific configuration of the search criteria are displayed.

The EM can search on all devices which it is querying, or it can be used to look at configurations on a
specific device.

SLB Authority has a configuration generator with the output based on the information entered into the
information fields. A similar template/configuration could be set up using the EM.

The above functions are supported on all of the current OS versions that are in use on the network.

Deploying and installing OS upgrades and licenses

The EM can be used as a central point to store and deploy new OS and hotfix files to the devices, and the
EM can also be used to manage the installation of OS and hotfixes to the devices. This function is
supported on OS version 10 and above.

We do have some non-INET f5’s that are running a version 9 OS, and the EM does not support a version
9 to 10 upgrade, so the devices on version 9 would need to be manually upgraded to version 10.

Device licenses can also be renewed and installed using the EM.

Staged configuration deployment

The EM supports a staged configuration deployment. A configuration can be created and saved as a
staged change, and the configuration can be pushed immediately, or manually initiated at a later time.

For changes involving f5’s, Network Administration could create the configuration, and the NOC could
deploy the configuration using the EM. The implementer would need to access the EM, go to the staged
change, and then deploy the configuration.

The staged change also features a verification function, which tests and verifies the configuration
without implementing it. The verification can be done as a separate step prior to the implementation
deployment, or as a part of the deployment, or it can be skipped.

Inventory, Status and Health of devices

Device certificates can be monitored so that certificates approaching expiration can be identified

The EM displays the active / standby status of devices if they are in an HA pair

Reports can be generated that display conditions such as flapping pools and nodes

A device inventory report can be generated and loaded as an Excel spreadsheet with information on
each device being monitored by the EM

Configuration Archives

The EM can create, compare, and store device configuration archives (config.ucs), and can also restore
archives to a device.

Custom Lists

The device inventory of the EM can be grouped into specific custom lists (groups), such as SIT, POC,
INET, and a custom list can be used to narrow down results when identifying devices for upgrades,
searching for configurations, and other functions.

A possible option for the SMWeb Load Balancer Manager (LBM) functions for teams such as Windows

The SMWeb LBM is used as a tool for the Windows team to view the status of specific pools, and also
enable and disable pool members of specific pools on specific devices. EM may be able to be used for
similar functions as well.

Network requirements

The EM uses a standard VLAN 250 management connection. A dedicated TMM connection is
recommended for connection to the remote devices.

The EM can communicate with the non-INET devices with little setup required. The EM is used to add
devices to the EM device inventory.

A data collection agent update is required on the remote devices, and this can be done using the EM.
This update is not service affecting.

Firewall ACL updates will be needed for the EM to communicate to the f5’s in the INET space.

All EM testing was performed using the VLAN 250 management interface on lab, SIT and POC devices.

See notes below for recommendations on incorporating EM into the network:


About incorporating Enterprise Manager into your network

You incorporate Enterprise Manager™ into your network as you would any F5 Networks device.
However, because it requires bilateral communication with each device for successful management,
Enterprise Manager must have open communication with your devices and be able to translate a device's
IP address into an address it can use. The most common network configurations for address translation
are:

Tiered network, BIG-IP® Local Traffic Manager™ performs address translation
    Where a device manages load balance requests for multiple devices and translates the IP
    addresses for those devices through a firewall

Tiered network, a SNAT performs network translation
    Where a device (located in front of Enterprise Manager) load balances requests for multiple
    devices, and a SNAT translates the IP addresses for those devices

Ports required for two-way communication

For Enterprise Manager™ to properly manage devices, the following ports are open by default to allow for
the required two-way communication.

OPEN PORT   PURPOSE
443         For communication between managed devices and the Enterprise Manager system, for the purpose of device management.
4353        For communication between Enterprise Manager and a managed device's big3d agent, for the purpose of statistics collection.
3306        For communication between Enterprise Manager and a remote statistics database, for the purpose of storing and reporting statistics.
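
An added example, not part of the original document or of F5's documentation: a short Python check that a firewall ACL permits the flows in the port table above and flags permit rules wider than those flows need. The rule format, first-match evaluation, the addresses, and the assumption that Enterprise Manager opens the 4353 and 3306 connections are all illustrative.

```python
import ipaddress

# Flows required by the port table above. Direction for 4353 and 3306 is an
# assumption (connection opened by Enterprise Manager); 443 is checked both ways.
def required_flows(em, devices, stats_db):
    flows = []
    for dev in devices:
        flows += [(em, dev, 443), (dev, em, 443), (em, dev, 4353)]
    flows.append((em, stats_db, 3306))
    return flows

def first_match(acl, src, dst, port):
    """Return the action of the first rule matching the flow (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if (s in ipaddress.ip_network(rule["src"])
                and d in ipaddress.ip_network(rule["dst"])
                and rule["port"] in (port, "any")):
            return rule["action"]
    return "deny"

def audit(acl, em, devices, stats_db):
    """List required flows the ACL blocks, plus permit rules wider than needed."""
    blocked = [f for f in required_flows(em, devices, stats_db)
               if first_match(acl, *f) != "permit"]
    broad = [r for r in acl if r["action"] == "permit"
             and (r["port"] == "any"
                  or ipaddress.ip_network(r["src"]).prefixlen == 0)]
    return blocked, broad

# Constructed sample data: addresses are documentation ranges, not from the page.
EM = "192.0.2.10"
DEVICES = ["198.51.100.21", "198.51.100.22"]
STATS_DB = "192.0.2.50"
ACL = [
    {"src": "192.0.2.10/32", "dst": "198.51.100.0/24", "port": 443, "action": "permit"},
    {"src": "198.51.100.0/24", "dst": "192.0.2.10/32", "port": 443, "action": "permit"},
    {"src": "192.0.2.10/32", "dst": "198.51.100.21/32", "port": 4353, "action": "permit"},
    {"src": "0.0.0.0/0", "dst": "192.0.2.50/32", "port": 3306, "action": "permit"},
]

if __name__ == "__main__":
    blocked, broad = audit(ACL, EM, DEVICES, STATS_DB)
    for src, dst, port in blocked:
        print(f"BLOCKED  {src} -> {dst} port {port}")
    for rule in broad:
        print(f"TOO WIDE {rule['src']} -> {rule['dst']} port {rule['port']}")
```

With the sample rules, the second device has no 4353 permit, so statistics collection from it would fail, and the 3306 rule accepts any source rather than only the Enterprise Manager address.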

About best practices for management network topology

Device communication and management is performed through the following interfaces.

Traffic Management Microkernel (TMM) interfaces

For each of the following processes, you must dedicate a TMM interface to perform:

- Application traffic and load balancing
- Communication between Enterprise Manager™ and managed devices
- Communication between systems in a high availability configuration (for both static and
  floating self IP address support)

Management (MGMT) interface

Used by F5 devices for administrative traffic and for the Always-On Management (AOM)
subsystem, which enables you to manage a system remotely using SSH or serial console, even
if the host is powered down. Devices do not forward user application traffic, such as traffic
slated for load balancing, through this interface.

Important: The device's IP address is used for communication between Enterprise Manager and the
device. F5 recommends that you use a self IP address for access to additional functionality that is not
provided through the management port.

Illustration of example management network topology

Tip: Place the Enterprise Manager system on a management subnet that is separate from traffic
management to keep device management and communication independent from traffic management
activities.
