F5CAB1 BIG-IP Administration Install, Initial Configuration, and Upgrade Questions and Answers

By default,management-plane trafficuses themanagement routing table, whiledata-plane trafficuses theTMM routing table.

Remote Syslog traffic ismanagement-planetrafficunlessa management route exists.

If noManagement Routematches the Syslog server’s destination IP, the BIG-IP will instead:

UseTMM routes, and

Source the packets from aSelf IP

This is exactly what the administrator is observing.

To force Syslog traffic out the management port:

You must create aManagement Route, which is configured using:

tmsh create /sys management-route gateway network

This sends syslog traffic:

Out of themanagement interface

Using theManagement IPas the source

Thus,Option Bis correct.

Why the other options are incorrect:

A. Set the Management IP as the source address

Source address selection is overridden by routing.

Without a management route, traffic still goes out the data plane.

C. Create a new Self IP using a route domain

Unnecessary and not related to management-plane routing.

Syslog traffic should not rely on data-plane Self IPs.

D. Modify port lockdown on Self IP to allow UDP/514

This would allow Syslog trafficintothe BIG-IP over a Self IP, not forceoutboundtraffic via management.

The exhibit shows aSelf IPwith:

VLAN:Data

Port Lockdown:Allow None

Impact of “Allow None” on SNMP

When a Self IP is configured with:

Port Lockdown: Allow None

the BIG-IP blocksallservices and ports except a few hardcoded HA communication ports.

This means:

UDP/161 (SNMP)is blocked

UDP/162 (SNMP traps)is blocked

The SNMP server cannot poll or receive data from the BIG-IP through this Self IP

SNMP relies on access through the Self IP if out-of-band (mgmt interface) is not used.

Thus, the issue is directly caused byPort Lockdown = Allow None, which prevents SNMP communication.

Why the other options are incorrect:

B. Traffic Group must use a floating Traffic Group

SNMP polling doesnotrequire floating Self IPs.

Floating groups apply to HA failover IPs, not SNMP functionality.

C. VLAN/Tunnel must allow All VLANs

Self IPs are always bound to a VLAN; SNMP doesnotrequire All VLANs.

As long as the Self IP belongs to a reachable VLAN, SNMP can work.

D. Configuration is correct

It is not correct:Allow Noneblocks SNMP and is the problem.

BIG-IP allocates CPU and memory resources based on module provisioning levels.

To view how much CPU a module is assigned, administrators must check provisioning information from:

C. GUI — System » Resource Provisioning

This page visually displays CPU allocation via color-coded bars.

Hovering over the CPU bar shows:

CPU usage percent per module

Which modules share CPU cycles

The system’s total resource allocation

This is the primary GUI method.

D. tmsh show /sys provision

This command displays detailed module provisioning information including:

Provisioned modules

Their provisioning level

CPU and memory allocation data

It is the authoritative CLI method for resource provisioning status.

Why the other options are incorrect:

A. top

Shows real-time process usage, notprovisionedCPU allocation.

B. tmsh show /sys cpu

Displays CPU runtime utilization, not per-module provisioning.

E. Statistics Dashboard

Only shows traffic / system runtime metrics, not provisioning resource allocations.

Therefore,C and Dare correct.

When logged into thebash shellof a BIG-IP system, there are two valid ways to view themanagement-ipaddress:

A. tmsh list /sys management-ip

Even from the bash shell, the administrator can enter a tmsh command by typing:

tmsh list /sys management-ip

This displays:

Management IP address

Netmask

Any configured management routes

This is theofficial tmsh methodfor viewing the management-ip configuration.

C. ifconfig mgmt

In the underlying Linux OS, the management interface maps to themgmtinterface.

Running:

ifconfig mgmt

displays:

Assigned management IP

Netmask

Link-level status

This is a valid Linux-level method used frequently for troubleshooting.

Why the other options are incorrect:

B. show mgmt ip

Not a valid bash or tmsh command on BIG-IP.

D. list / sys management-ip

Missing thetmshprefix.

In bash, this will generate a syntax error.

The correct form requires:

tmsh list /sys management-ip

When a TMOS ISO file is transferred to/shared/images/, the BIG-IP automatically performs a validation step:

Checksum Verification

Before the image becomes visible in the GUI, the systemverifies the internal checksumembedded inside the ISO.

This ensures:

The file was fully transferred

The image is not corrupted

It matches the official F5 release signature

Only after passing this verification does the GUI display the ISO under “Available Images.”

Why the other options are incorrect:

A. Reboot into a new partition

No reboot occurs simply from uploading an image.

C. Copying into /var/local/images/

This directory isnotused for ISO storage.

All valid images remain in/shared/images/.

Thus, the correct system action ischecksum verification.

The BIG-IP has two distinct planes:

Management-plane→ handled entirely by the management interface (MGMT)

Data-plane (TMM)→ handles Self IPs, VLAN interfaces, and traffic processing

To capture traffic on the management interface, only the management-side NICs may be used:

mgmt→ Logical name for the management interface

eth0→ Physical Linux interface mapped to the management port on most BIG-IP platforms

Both of these correctly capture inbound/outbound WebUI (HTTPS/443) traffic on the management port.

Why the correct answers are A and B

A. tcpdump -i eth0 -n port 443

On BIG-IP appliances and VMs, the management port maps toeth0at the Linux OS level.

Capturing on eth0 correctly shows HTTPS traffic to the WebUI.

B. tcpdump -i mgmt -n port 443

mgmtis the BIG-IP alias for the management interface.

This is thepreferredand most explicit capture interface for management-plane packet captures.

Why the other options are incorrect:

C. tcpdump -i 0.0

Interface0.0is the TMM switch interface used for data-plane packet captures.

Itdoes NOTcapture management-plane traffic.

D. tcpdump -i tun0

Used for tunnel interfaces (IPsec, VXLAN, etc.)

Not related to management access.

E. tcpdump -i management

There isnointerface named management on BIG-IP.

The correct names are mgmt or eth0.

The BIG-IPmanagement interface (MGMT port)is controlled throughSystem settings, not through the Network menu.

SSH access on the management interface is configured here:

System → Configuration → Device → General → SSH Access / SSH IP Allow

This section allows the administrator to:

Enable or disable SSH service

Restrict SSH access to specific IP addresses or subnets

Apply security policies to the management interface

Why the other options are incorrect:

A. Network > Interfaces

Used for data-plane physical interface settings, not management plane SSH restrictions.

B. Network > Self IPs

Controls in-band management or data-plane access, not the dedicated management port.

D. System > Platform

Used for hostname, time zone, LCD contrast, hardware settings — not SSH security on the management port.

Therefore, restricting SSH access to themanagement interfacemust be done under:

✔System → Configuration → Device → General

Which corresponds toOption C.

When installing a software upgrade with a HotFix on BIG-IP, the correct workflow requires:

Install the base TMOS imageon an unused boot volume

Install the corresponding HotFixonto that same boot volume

Activate the updated boot volumeto boot into the new software

This method ensures:

The existing active system (HD1.1) is untouched

The upgrade occurs in a new, clean volume (HD1.2)

The HotFix applies properly to the same base image

The administrator can revert to HD1.1 if issues occur

OptionCmatches the correct F5 upgrade sequence:

1. Install base image on HD1.2

2. Install HotFix on HD1.2

3. Activate HD1.2

Why the other options are incorrect:

A. Install HotFix before base image

HotFixes must be appliedafterthe base image; not valid.

B. Installing a HotFix on the active boot location (HD1.1)

Not recommended and does not use a clean new volume.

Also does not involve installing the base image.

D. Activating HD1.2 before installing anything

Cannot activate an empty or invalid boot volume.

Thus,Option Cis the correct sequence.

For BIG-IP high-availability (HA) pairs, F5’s recommended upgrade workflow prioritizesservice continuity,predictable failover, andminimal downtime. The established best-practice sequence is:

Upgrade the standby unit first

Because the standby device is not passing traffic, upgrading and rebooting it does not impact production.

Boot the standby unit into the newly installed version

Once online, the administrator verifies basic health, device sync status, cluster communication, and module functionality.

Perform a controlled failover to the upgraded unit

Traffic shifts to the newly upgraded device, allowing validation of the configuration and operational behavior under real traffic loads.

Upgrade the second device (now standby)

The previously active device becomes standby after failover, allowing it to be safely upgraded and rebooted without interruption.

This phased approach ensures only one device is unavailable at a time, allowing continuous traffic flow throughout the upgrade process.

Why the Correct Answer is C

OptionCexactly matches F5’s documented production-safe upgrade method:

Upgrade thestandbynode first

Reboot into new image

Failover to upgraded device

Validate

Upgrade the remaining (now-standby) device

This procedure minimizes risk and traffic disruption.

Why the other options are incorrect:

A. Upgrade the active node first

Upgrading the active device requires removing it from service and failing over abruptly. This is not recommended and increases service disruption risk.

B. Resetting device trust

Resetting trust is unnecessary and can disrupt configuration sync, peer communication, and cluster operation. It is not part of any standard upgrade workflow.

D. Upgrading and rebooting both nodes simultaneously

This would causetotal outage, because both HA members would be unavailable at the same time.