BIG-IP® Reference Guide version 4.
Product Version
This manual applies to version 4.2 of the BIG-IP® product family.

Legal Notices

Copyright
Information in this document is subject to change without notice. © 2002 Dell Computer Corporation. All rights reserved. Reproduction in any manner whatsoever without the written permission of Dell Computer Corporation is strictly forbidden.

Trademarks
Trademarks used in this text: Dell and PowerEdge are trademarks of Dell Computer Corporation.

Standards Compliance
The product conforms to ANSI/UL Std 1950 and is certified to CAN/CSA Std. C22.2 No. 950.

Acknowledgments
This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory. This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by Christopher G.
Table of Contents
Introduction
  IMPORTANT HARDWARE INFORMATION ........................................ Intro-1
  Getting started ....................................................... Intro-1
    Choosing a configuration tool ....................................... Intro-1
    Using the Administrator Kit .........................................

  Configuring a default gateway pool ........................................ 2-6
  Redundant system settings ................................................ 2-6
  Setting the interface media type ......................................... 2-6
  Configuring VLANs and IP addresses .......................................

  Persistence ............................................................. 4-21
  HTTP redirection ........................................................ 4-37
  HTTP header insertion ................................................... 4-42
  Quality of Service (QoS) level ..........................................

  Using network-based fail-over ............................................ 6-9
    Setting a specific BIG-IP to be the preferred active unit .............. 6-9
  Setting up active-active redundant BIG-IP units ......................... 6-10
    Configuring an active-active system ...................................

  vlan .................................................................... 7-51
  vlangroup ............................................................... 7-52
8 Configuring SNMP
  Introduction ...........................................................

  Removing and returning items to service ................................ 11-14
    Removing the BIG-IP from service ..................................... 11-15
    Removing individual virtual servers, virtual addresses, and ports from service ..... 11-16
    Removing individual nodes and node addresses from service .......
Introduction
• IMPORTANT HARDWARE INFORMATION
• Getting started
• Using the Administrator Kit
• What’s new in version 4.

IMPORTANT HARDWARE INFORMATION
References to hardware and upgrades contained in this document are specific to F5 Networks hardware products. For information concerning the initial deployment of your system, see the Deployment Guide that was shipped with your system. For in-depth Dell-specific hardware information, see the server documentation that is provided on the Resource CD and that shipped with your system if you ordered printed documentation.
The Configuration utility
The Configuration utility is a web-based application that you use to configure and monitor the load balancing setup on the BIG-IP. Once you complete the installation instructions described in this guide, you can use the Configuration utility to perform the configuration steps necessary for your chosen load balancing solution.

◆ BIG-IP Reference Guide
This guide provides detailed configuration information for the BIG-IP. It also provides syntax information for bigpipe commands, other command line utilities, configuration files, system utilities, and monitoring and administration information.
◆ 3-DNS Administrator and Reference Guides
If your BIG-IP includes the optional 3-DNS module, your administrator kit also includes manuals for using the 3-DNS module.
Identifying command syntax
We show complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen. For example, the following command shows the configuration of the specified pool name:

   bigpipe pool show

or

   b pool show

Table Intro.1 explains additional special conventions used in command line syntax.

• Individual bigpipe commands have online help, including command syntax and examples, in standard UNIX man page format. Simply type the command followed by the word help, and the BIG-IP displays the syntax and usage associated with the command.
◆ Third-party documentation for software add-ons
The web server on the product contains online documentation for all third-party software, such as GateD.
◆ Technical support through the World Wide Web
The Dell | Support website at support.dell.
New filter for rewriting HTTP redirections
This release provides an ISAPI filter, called redirectfilter.dll, which allows IIS servers running Netscape to rewrite HTTP redirections. Rewriting HTTP redirections helps to ensure that SSL connections remain on a secure channel. By installing this filter on your IIS server, you offload the task of rewriting HTTP redirections from your SSL Accelerator proxy to your IIS server. For more information, see Rewriting HTTP redirection, on page 4-41.

SSL Accelerator proxy enhancements
This release includes several important enhancements to the SSL Accelerator proxy. For example, you can now configure options such as specifying ways for an SSL proxy to manage client certificates, inserting headers into HTTP requests, specifying ciphers and protocol versions, and configuring SSL session cache size and timeout values.

Health monitor enhancements
In addition to the standard SNMP health monitor template included in BIG-IP, this release now includes a second SNMP template, which allows users to collect data on elements other than CPU, disk, and memory usage. For more information, see the Health Monitors section in Chapter 4, Configuring the High-Level Network.

Support for LDAP and RADIUS logins
With this release, BIG-IP can now authenticate SSH users by way of an LDAP or a RADIUS server.

◆ The BIG-IP special purpose products
The special purpose BIG-IP provides the ability to choose from three different BIG-IP feature sets. When you run the Setup utility, you specify one of three types:
• The BIG-IP Load Balancer
The BIG-IP Load Balancer provides basic load balancing features.
• The BIG-IP FireGuard
The BIG-IP FireGuard provides load balancing features that maximize the efficiency and performance of a group of firewalls.
1 BIG-IP Overview
• Introduction
• What is a BIG-IP?
• Configuration
• Monitoring and administration
• The BIG-IP user interface

Introduction
This chapter provides a brief overview of the BIG-IP software and the configuration and monitoring tasks associated with it as an introduction to the chapters that follow. (For an overview of BIG-IP functionality with sample solutions, refer to Chapter 1 of the BIG-IP Solutions Guide.
Figure 1.1 A basic configuration

Insertion of the BIG-IP, with its minimum of two interfaces, divides the network into an external VLAN and an internal VLAN. (Both VLANs can be on a single IP network, so that inserting the BIG-IP does not require you to change the IP addressing of the network.) The nodes on the external VLAN are routable. The nodes on the internal VLAN, however, are hidden behind the BIG-IP. What appears in their place is a user-defined virtual server.

Like the physical network itself, you can add software entities like virtual servers and load balancing pools to the BIG-IP, and any properties associated with them (like load balancing methods for pools). Adding hardware and software components to the BIG-IP is referred to collectively as configuration.

Configuration
Configuration is setting up the BIG-IP to perform its load balancing and other functions on an ongoing basis.
[Figure: sample BIG-IP configuration. A router fronts the BIG-IP. Virtual servers 10.11.11.10:http, 10.11.11.11:http and 10.11.11.12:http map to my_pool1, my_pool2 and my_pool3. Interface 4.1 is in VLAN external (domain www.mine.com, self IP 10.11.11.1, mask 255.255.255.0, broadcast 10.11.11.255, default route 10.11.11.2). Interfaces 5.1, 6.1 and 7.1 are in VLANs internal1, internal2 and internal3 with self IPs 10.12.11.1, 10.12.12.1 and 10.12.13.1, each an Ethernet segment holding nodes 10.12.11.20, 10.12.11.21, 10.12.12.20, 10.12.12.21, 10.12.13.20 and 10.12.13. (list truncated in extraction).]
sharing.) When you run the Setup utility as the last part of your initial hardware installation and fill in the required fields, you are configuring the base network. After you complete the Setup utility, you have, at the minimum, the two default VLANs (external and internal), domain names, and self IP addresses (both one true and floating as required) with netmask and broadcast addresses.

Global settings and filters
Global settings and filters are part of the configuration that belong to neither the base network nor the high-level network. Global settings are settings that are system wide rather than applicable only to specific objects. Global settings are documented in Chapter 4, Configuring the High-Level Network, and under the bigpipe global command in Chapter 7, bigpipe Command Reference. Filters include IP and Rate filters, and are covered in Chapter 5, Configuring Filters.
Figure 1.3 Configuration utility System screen

The left pane of the screen, referred to as the navigation pane, contains links to Virtual Servers, Nodes, Pools, Rules, NATs, Proxies, Network, Filters, and Monitors. These screens appear in the right pane. The navigation pane also contains links to screens for monitoring and system administration (Statistics, Log Files, and System Admin). As an example of using the Configuration utility, suppose you wanted to create a pool.

Figure 1.4 Add Pool screen

The Add Pool screen contains fields for all the attributes you can configure for the pool.

The bigpipe command line interface
You can access the command line interface bigpipe on a BIG-IP with connections for a monitor and keyboard. For a system without a monitor and keyboard attached (headless), like the IP Application Switch, you can access bigpipe through an SSH shell from a remote administrative host.
The bigip.conf file
Regardless of how a pool, virtual server, proxy or other object is configured, whether you use the Configuration utility or bigpipe, it is entered into the configuration file /config/bigip.conf. This produces an entry in that file like the one shown in Figure 1.5. As a third configuration option, you can also edit this file directly using a text editor like vi or pico.

   pool my_pool {
      member 11.12.11.20:80
      member 11.12.11.21:80
      member 11.12.11.22:80
   }

Figure 1.5
2 Using the Setup Utility
• Creating the initial software configuration with the Setup utility
• Connecting to the BIG-IP for the first time
• Using the Setup utility for the first time
• Running the Setup utility after creating the initial software configuration

Creating the initial software configuration with the Setup utility
Once you install and connect the hardware, the next step in the installation process is to turn the system on and run the Setup utility. The Setup utility defines the initial configuration settings required to install the BIG-IP into the network. You can run the Setup utility remotely from a web browser, or from an SSH or Telnet client, or you can run it directly from the console.

Running the Setup utility remotely
You can run the Setup utility remotely only from a workstation that is on the same LAN as the unit. To allow remote connections for the Setup utility, the BIG-IP comes with two pre-defined IP addresses, and a pre-defined root password. The default root password is default, and the preferred default IP address is 192.168.1.245. If this IP address is unsuitable for your network, the BIG-IP uses an alternate IP address, 192.168.245.245.
If the alternate network, 192.168.245.0/24, is present on the LAN, or if the node address 192.168.1.245 is in use, then the BIG-IP assigns the alternate IP address 192.168.245.245 to the internal VLAN instead.

Starting the utility from a web browser
When you start the utility from a web browser, you use the selected default IP address as the application URL.

To start the Setup utility in a web browser
1.

To start the Setup utility from the command line from a remote administrative workstation
1. Start an SSH client on a workstation connected to the same IP network as the internal VLAN of the unit. (See Downloading the SSH client to your administrative workstation, on page 12-3, for information on downloading the SSH client from the BIG-IP.)
2. Type the following command, where <ip_address> is the IP address in use on the BIG-IP internal VLAN.
   ssh <ip_address>
3.
• US + Cyrillic
• US - Standard 101 key (default)
• United Kingdom

Product selection
If you are configuring a BIG-IP Cache Controller, BIG-IP FireGuard, or BIG-IP LB Controller, you must now select one of these three as your product. When you have made your selection, the features supported by that product will be enabled.

Note
You may change your product selection at a later time by running the command line version of the Setup utility and selecting the Select type of BIG-IP option.

Configuring a default gateway pool
If a BIG-IP does not have a predefined route for network traffic, the unit automatically sends traffic to the pool that you define as the default gateway pool. You can think of the default gateway pool as a pool of default routes. Typically, a default gateway pool is set to two or more gateway IP addresses. If you type more than one default gateway IP address, the additional gateways provide high availability for administrative connections.
Note
For best results, choose the auto setting. In some cases, devices configured for the auto media setting are incompatible, and the proper duplex setting will not be negotiated. In these cases you may need to set the media settings to the same speed and duplex on this device and the corresponding switch or host. Check your switch or hub documentation for this information. The Configuration utility lists only the network interface devices that it detects during system boot.

Associating the primary IP address and VLAN with the host name
After you assign interfaces to VLANs, you can choose one VLAN/IP address combination as the primary IP address to associate with the unit host name.

Configuring remote web server access
The BIG-IP web server provides the ability to set up remote web access on each VLAN. When you set up web access on a VLAN, you can connect to the web-based Configuration utility through the VLAN.

Setting the time zone
Next, you need to specify your time zone. This ensures that the clock for the BIG-IP is set correctly, and that dates and times recorded in log files correspond to the time zone of the system administrator. Scroll through the list to find the time zone at your location. Note that one option may appear with multiple names. Select the time zone you want to use, and press the Enter key to continue.

Configuring remote access for noncrypto-enabled versions of the system
The Telnet and FTP configuration options are presented only if you do not have a full crypto-enabled version of the BIG-IP. If you have a crypto-enabled version of the software, you are prompted to configure SSH.

Configuring Telnet
Use this option to configure the Telnet server on a BIG-IP only. The Setup utility prompts you to configure each service independently. This allows you to enable Telnet.

authoritative DNS, and automatically processes changes and updates to the zone files. (You can access the NameSurfer application directly from the Configuration utility for the 3-DNS module.)

Running the Setup utility after creating the initial software configuration
You normally run the Setup utility when the system is first installed as part of the installation procedure. However, you can also use the command line Setup utility to change existing settings at any time.
[Initial Setup Menu screen; the box-drawing characters of the menu border were lost in extraction.]
   INITIAL SETUP MENU
   Choose the desired configuration function from the list below.

• You can change the name of the Portal object reference file.
• You can specify the Portal PID file name.

Configuring RSH
This option is available only in the menu after you create the initial software configuration. Use this option to configure the remote shell (rshd) server. This utility prompts you for an IP address from which administrators may access the BIG-IP. You can use wildcard characters (*) to include all addresses from a specific part of the network.
3 Additional Base Network Configuration
• Introduction
• Interfaces
• VLANs
• Self IP addresses
• Trunks
• Spanning Tree Protocol (STP)
• Port Mirroring

Introduction
Setting up the base network for BIG-IP means configuring elements such as the BIG-IP host name, a default gateway pool, interface media settings, and VLANs and self IP addresses. Configuration tasks for the BIG-IP base network are performed using the BIG-IP Setup utility. For information on using the Setup utility, see Chapter 2, Using the Setup Utility.

Like interfaces, VLANs, and self IP addresses, these features can be configured using either the Configuration utility or the bigpipe command.

Note
Once you have configured the base network, you can configure the high-level network. Examples of elements you configure as part of the high-level network are pools, rules, proxies, and network address translation (SNATs and NATs). For information on how to configure your high-level network, see Chapter 4, Configuring the High-Level Network.
[Figure 3.2 residue: 2U rear view with NIC designations. Main board slot ports are 1.1 and 1.2 (Port 1 and Port 2); slots 2 through 6 carry ports 2.1, 3.1, 4.1, 4.2, 5.1 and 6.1, where the first number is the slot and the second the port designator.]

Figure 3.2 Horizontal slot and port numbering

For the Application Switch, slot numbering is left-to-right and port numbering is top-to-bottom as shown in Figure 3.3. Note that slot 2 is used for the gigabit ports, and slot 3 for a dedicated administrative port.

Use the following syntax to display the current status and the setting for a specific interface.

   b interface <if_name> show

Media type and duplex mode
Properties that are configurable on the interfaces include media type and duplex mode, as shown in Table 3.1.

   Interface Properties   Description
   media                  You may specify a media type or use auto for automatic detection.
   duplex                 You may specify a full or half duplex mode, or use auto for automatic selection.

Table 3.1
VLANs
A VLAN is a grouping of separate networks that allows those networks to behave as if they were a single local area network, whether or not there is a direct Ethernet connection between them. BIG-IP offers several options that you can configure for a VLAN. These options are summarized in Table 3.2.

   Option                                 Description
   Create a default VLAN configuration    Use the Setup utility to create a default VLAN configuration.

Default VLAN configuration
By default, the Setup utility configures each interface on the BIG-IP as a member of a VLAN. The BIG-IP identifies the fastest interfaces, makes the lowest-numbered interface in that group a member of the VLAN external, and makes all remaining interfaces members of the VLAN internal. This creates the mapping shown in Figure 3.5.

Figure 3.5 Default VLAN configuration

As Figure 3.
Creating, renaming, and deleting VLANs
Typically, if you use the default configuration, one VLAN is assigned to each interface. However, if you need to change your network configuration, or if the default VLANs are not adequate for a network configuration, you can create new VLANs, rename existing VLANs, or delete a VLAN.

To create a VLAN using the Configuration utility
1. In the navigation pane, click Network. The VLANs screen opens.
2. Click the Add button.
3.

For example, to delete the VLAN named yourvlan, type the following command:

   b vlan yourvlan delete

Configuring packet access to VLANs
The BIG-IP supports two methods for sending and receiving packets through an interface that is a member of one or more VLANs. These two methods are:
◆ Port-based access to VLANs - Packets are accepted for a VLAN because the packets have no tags in their headers and were received on an interface that is a member of a VLAN.

When you add an interface to a VLAN as a tagged interface, BIG-IP associates the interface with the VLAN identification number, or tag, which becomes embedded in a header of a packet.

Note
Every VLAN has a VLAN identification number. This identification number is assigned to a VLAN either explicitly by a user, when creating the VLAN, or automatically by BIG-IP, if the user does not supply one.
Figure 3.6 Equivalent solutions using untagged and tagged interfaces

The configuration on the left shows a BIG-IP unit with three internal interfaces, each a separate, untagged interface. This is a typical solution for supporting three separate customer sites. In this scenario, each interface can only accept traffic from its own VLAN. Conversely, the configuration on the right shows a BIG-IP with one internal interface and an external switch.

To create a VLAN that supports tag-based access using the Configuration utility
Creating a VLAN that supports tag-based access means creating the VLAN and then adding one or more tagged interfaces to it.
1. In the navigation pane, click Network. The VLAN screen opens.
2. Click the Add button. The Add VLAN screen opens.
3. On the Add VLAN screen, type the VLAN name.
4. In the VLAN tag box, you can optionally specify a VLAN ID number.

2. Add the interfaces to the VLAN external as tagged interfaces. This is done by specifying the VLAN name, the tagged keyword, and the interfaces to be tagged. For example:

   b vlan external interfaces add tagged 4.1 5.1 5.2

The effect of this command is to associate a tag with interfaces 4.1 and 5.1, which in turn allows packets with that tag access to the external VLAN. The above procedure adds multiple tagged interfaces to a single VLAN.
For example:

   b vlan internal fdb show

This produces a display such as the following:

   Forwarding table
   -00:40:05:30:cc:94 -> 5.

Setting the L2 forwarding aging time
Entries in the L2 forwarding table have a specified life span, after which they are flushed out if the MAC address is no longer present on the network. This life span is called the L2 forwarding aging time, and you can set it using the global variable L2 Aging Time. The default value is 300 seconds.

To set the L2 forwarding aging time using the Configuration utility
1. In the navigation pane, click System. The System Properties screen opens.
2.

In the example shown in Figure 3.5, VLANs external and internal represent separate networks that were originally a single network. You can make them behave like a single network again, much like the networks contained in VLAN internal. You accomplish this by grouping them as shown in Figure 3.7.

Figure 3.7 VLANs and a VLAN group

To configure a VLAN group to use layer 2 forwarding, you must:
◆ Create the VLAN group.
To assign the self IP address to the VLAN group
You can assign a self IP address to the VLAN group using the bigpipe command, as follows:

   b self <ip_address> vlan <vlan_group_name>

To verify that layer 2 forwarding is enabled
Layer 2 forwarding is enabled for the VLAN group using the vlan proxy_forward attribute. This attribute is enabled by default when the VLAN group is enabled.

To set the fail-over timeout and arm the fail-safe using the Configuration utility
1. In the navigation pane, click Network. The VLAN screen opens.
2. Click the VLAN name in the list. The properties screen for that VLAN opens.
3. Check the Arm Failsafe box and specify the timeout in seconds in the Timeout box.

Find the MAC address on both the active and standby units, and pick one that is similar but unique. A safe technique for selecting the shared MAC address follows. Suppose you want to set up mac_masq on the external interfaces. Using the b interface show command on the active and standby units, you note that their MAC addresses are:

   Active:  3.1 = 0:0:0:ac:4c:a2
   Standby: 3.1 = 0:0:0:ad:4d:f3

In order to avoid packet collisions, you now must choose a unique MAC address.

4. In the IP Address box, type the self IP address to be assigned.
5. In the Netmask box, type an optional netmask.
6. In the Broadcast box, type an optional broadcast address.
7. If you want to configure the self IP address as a floating address, check the Floating box.
8. If you want to enable the address for SNAT auto-mapping, check the SNAT Automap box.
9. In the VLAN box, type the name of the VLAN to which you want to assign the self IP address.
10. Click Done.
create a single 400 Mbps link. The other advantage of link aggregation is link fail-over. If one link in a trunk goes down, traffic is simply redistributed over the remaining links. A trunk must have a controlling link, and acquires all the attributes of that controlling link from layer 2 and above. The trunk automatically acquires the VLAN membership of the controlling link but does not acquire its media type and speed.

feature to configure two or more interfaces on the unit as an STP domain. For interfaces in the STP domain, the spanning tree algorithm identifies the most efficient path between the network segments, and establishes the switch associated with that path as the root. Links forming redundant paths are shut down, to be re-activated only if the root fails.
Setting time intervals for an STP domain
You can set the time intervals in seconds for hello, max_age, and forward_delay for the STP domain from the command line using the following syntax:

   b stp hello <seconds>
   b stp max_age <seconds>
   b stp forward_delay <seconds>

Adding or deleting interfaces in an STP domain
To add interfaces to an STP domain from the command line, use the following syntax:

   b stp interfaces add <if_name> ...

To delete interfaces fr

Restarting stpd
The stpd does not automatically restart when you synchronize configurations between units in a BIG-IP redundant pair. In order to restart the stpd, type the following command:

   bigstart restart stpd

Port Mirroring
For the IP Application Switch, you can copy traffic from any port or set of ports to a single, separate port. This is called port mirroring.

To delete interfaces from the port mirror using the command line
Use this bigpipe syntax to delete interfaces from the port mirror:

   b mirror <mirror_to_if> interfaces delete <if_name> ...

For example:

   b mirror 3.24 interfaces delete 3.10

To delete the port mirror from the command line
Use this bigpipe syntax to delete the port mirror:

   b mirror <mirror_to_if> delete

For example:

   b mirror 3.
4 Configuring the High-Level Network
• Introduction
• Pools
• Rules
• Virtual servers
• Proxies
• Nodes
• Services
• Address translation: SNATs, NATs, and IP forwarding
• Health monitors

Introduction
This chapter describes the elements that make up the high-level network of BIG-IP. The high-level network is distinct from the base network, which is configured with the Setup utility. Just as the base network is built on the BIG-IP interfaces, the high-level network is built on the load balancing pool. The high-level network includes all of the properties associated with pools, as well as virtual servers, and nodes.

Pools
A load balancing pool is the primary object in the high-level network. A pool is a set of devices grouped together to receive traffic according to a load balancing method. When you create a pool, the members of the pool become visible nodes on the high-level network and can acquire the various properties that attach to nodes. Pools can be accessed through a virtual server, either directly or through a rule, which chooses among two or more pools.

Working with pools
You can manage pools using either the web-based Configuration utility or the command-line interface. This section describes how to create, delete, modify, or display a pool, using each of these configuration methods.

To create a pool using the Configuration utility
1. In the navigation pane, click Pools. The Pools screen opens.
2. Click the Add button. The Add Pool screen opens.
3. In the Add Pool screen, fill in the fields to create the new pool and configure its attributes.
4.
   Pool Element           Syntax
   link_qos to client     link_qos to client <level>
   link_qos to server     link_qos to server <level>
   ip_tos to client       ip_tos to client <level>
   ip_tos to server       ip_tos to server <level>
   snat disable           snat disable
   nat disable            nat disable
   forward                forward

Table 4.
Pool Name
The most basic attribute you can configure for a pool is the pool name. Pool names are case-sensitive and may contain letters, numbers, and underscores (_) only. Reserved keywords are not allowed. Each pool that you define must have a unique name.

Member specification
For each pool that you create, you must specify the nodes that are to be members of that pool. Nodes must be specified by their IP addresses.

Load balancing method
Load balancing is an integral part of the BIG-IP.

Round Robin
This is the default load balancing mode. Round Robin mode passes each new connection request to the next server in line, eventually distributing connections evenly across the array of machines being load balanced. Round Robin mode works well in most configurations, especially if the equipment that you are load balancing is roughly equal in processing speed and memory.

Least Connections
Least Connections mode is relatively simple in that the BIG-IP passes a new connection to the node that has the least number of current connections. Least Connections mode works best in environments where the servers or other equipment you are load balancing have similar capabilities.

Setting the load balancing mode for a pool
A load balancing mode is specified as a pool attribute when a pool is defined and may be changed by changing this pool attribute. For information about configuring a pool, see Working with pools, on page 4-3. The following example describes how to configure a pool to use Ratio Member load balancing.
To switch a pool to ratio_member mode from the command line
To switch a pool to ratio_member load balancing, use the modify keyword with the bigpipe pool command. For example, if you want to change the pool my_pool, to use the ratio_member load balancing mode and to assign each member its ratio weight, you can type the following command:

b pool my_pool modify { lb_method ratio_member member 11.12.1.101:80 ratio 1 member 11.12.1.

b ratio show

The command displays the output shown in Figure 4.1.

192.168.200.51 ratio = 3
192.168.200.52 ratio = 1

Figure 4.1 Ratio weights for node addresses

To display ratio weight for specific node addresses
Use the following syntax to display the ratio setting for one or more node addresses:

b ratio [...
To configure a real_server monitor for the server node
Using the Configuration utility or the bigpipe command, create a health-check monitor using the real_server monitor template. The real_server monitor template is shown in Figure 4.2.

monitor type real_server {
  interval 5
  timeout 16
  dest *:12345
  method "GET"
  cmd "GetServerStats"
  metrics "ServerBandwidth:1.5,CPUPercentUsage,MemoryUsage, TotalClientCount"
  agent "Mozilla/4.0 (compatible: MSIE 5.0; Windows NT)"
}

Figure 4.

The metric coefficient is a factor determining how heavily the metric's value counts in the overall ratio weight calculation. The metric threshold is the highest value allowed for the metric if the metric is to have any weight at all. To understand how to use these values, it is necessary to understand how the overall ratio weight is calculated. The overall ratio weight is the sum of the relative weights calculated for each metric.
To set the load balancing method to Dynamic Ratio
Create or modify the load balancing pool to which the server belongs to use Dynamic Ratio load balancing:

b pool { lb_method dynamic_ratio ... }

Configuring Windows servers with WMI
For Windows, BIG-IP provides a Data Gathering Agent F5Isapi.dll for the server. Configuring a Windows platform for Dynamic Ratio load balancing consists of four tasks:
• Installing the Data Gathering Agent F5Isapi.

To configure a wmi monitor for the server node
Using the Configuration utility or the bigpipe command, create a health check monitor using the wmi monitor template. The wmi monitor template is shown in Figure 4.3.

monitor type wmi {
  interval 5
  timeout 16
  dest *:12346
  username ""
  password ""
  method "POST"
  urlpath "/scripts/F5Isapi.dll"
  cmd "GetCPUInfo, GetDiskInfo, GetOSInfo"
  metrics "LoadPercentage, DiskUsage, PhysicalMemoryUsage:1.5, VirtualMemoryUsage:2.
Command: GetWinMediaInfo

Metric                      Default Coefficient   Default Threshold
PUTRequestsPerSec           1.0                   500
POSTRequestsPerSec          1.0                   500
AnonymousUsersPerSec        1.0                   500
CurrentAnonymousUsers       1.0                   500
NonAnonymousUsersPerSec     1.0                   500
CurrentNonAnonymousUser     1.0                   500
CGIRequestsPerSec           1.0                   500
CurrentCGIRequests          1.0                   500
ISAPIRequestsPerSec         1.0                   500
CurrentISAPIRequests        1.0                   500
AggregateReadRate           1.0                   10,000 Kbps
AggregateSendRate           1.0                   10,000 Kbps
ActiveLiveUnicastStreams    1.

Metric                      Default Coefficient   Default Threshold
HTTPStreamsReadingHeader    1.0                   500
HTTPStreamsStreamingBody    1.0                   500
LateReads                   1.0                   100
PendingConnections          1.0                   100
PluginErrors                1.0                   100
PluginEvents                1.0                   100
SchedulingRate              1.0                   100
StreamErrors                1.0                   100
StreamTerminations          1.0                   100
UDPResendRequests           1.0                   100
UDPResendsSent              1.0                   100
Table 4.
• Associating the health check monitor with the server to gather the metrics
• Creating or modifying the server pool to use Dynamic Ratio load balancing

BIG-IP provides two templates that you can use to create a health monitor for a server that uses an SNMP agent. These two monitor templates are:
• snmp_dca
  Use this template when you want to use default values or specify new values for CPU, memory, and disk metrics.

Figure 4.5 shows a monitor based on the snmp_dca_base monitor template. This monitor uses the default metric values.

monitor my_snmp_dca_base '{
  use snmp_dca_base
  interval 10
  timeout 30
  dest *:161
  USEROID ""
  USEROID_COEFFICIENT "1.0"
  USEROID_THRESHOLD "90"
}'

Figure 4.5 A monitor based on the snmp_dca_base template

Note
Note that in the above examples, the user-defined variables are specified as USEROID, USEROID_COEFFICIENT, and USEROID_THRESHOLD.
7. Retain or change the values for CPU, memory, and disk use. Also note that in the snmp_dca template, the default value for the Agent Type property is UCD. To configure a monitor for a Windows 2000 agent, change this value to WIN2000.
8. Click Next. This displays the Configure EAV Variables screen.
9. If you are specifying user-defined metrics, configure the EAV variables by specifying a unique name and a value for each Name/Value pair.

To configure a monitor for a UC Davis SNMP agent, using default CPU, memory threshold, and disk use values and specifying a non-default memory coefficient and user values, use the bigpipe monitor command, as in the following example.

b monitor my_snmp_dca '{ use snmp_dca \
  mem_coefficient "1.5" \
  USEROID ".1.3.6.1.4" \
  USEROID_COEFFICIENT "1.
be confined to that group. If the number of available nodes in the highest priority group goes below the minimum number, the BIG-IP also distributes traffic to the next higher priority group, and so on.

pool my_pool {
  lb_mode fastest
  min_active_members 2
  member 10.12.10.1:80
  member 10.12.10.2:80
  member 10.12.10.3:80
  member 10.12.10.4:80
  member 10.12.10.5:80
  member 10.12.10.6:80
  member 10.12.10.7:80
  member 10.12.10.8:80
  member 10.12.10.

The BIG-IP tracks information about individual persistent connections, and keeps the information only for a given period of time. The way in which persistent connections are identified depends on the type of persistence.

Types of persistence
The types of persistence are:
◆ Simple persistence
  Simple persistence supports TCP and UDP protocols, and tracks connections based only on the client IP address.

Simple persistence
Simple persistence tracks connections based only on the client IP address. When a client requests a connection to a virtual server that supports simple persistence, the BIG-IP checks to see if that client previously connected, and if so, returns the client to the same node. You may want to use SSL persistence and simple persistence together.
For example, if you want to set simple persistence on the pool my_pool, type the following command:

b pool my_pool modify { \
  persist_mode simple \
  simple_timeout 3600 \
  simple_mask 255.255.255.0 }

Using a simple timeout and a persist mask on a pool
The persist mask feature works only on pools that implement simple persistence.

You can turn off a persist mask for a pool by using the none option in place of the simple_mask mask. To turn off the persist mask that you set in the preceding example, use the following command:

b pool my_pool modify { simple_mask none }

To display all persistence information for the pool named my_pool, use the show option:

b pool my_pool persist show

HTTP cookie persistence
You can set up the BIG-IP to use HTTP cookie persistence.
To activate Insert mode from the command line
To activate Insert mode from the command line, use the following syntax:

b pool { \
  persist_mode cookie \
  cookie_mode insert \
  cookie_expiration \
}

The value for the cookie is written using the following format:

d hh:mm:ss

Rewrite mode
If you specify Rewrite mode, the BIG-IP intercepts a Set-Cookie, named BIGipCookie, sent from the

6. Type the timeout value in days, hours, minutes, and seconds. This value determines how long the cookie lives on the client computer before it expires.
7. Click the Apply button.

Alternatively, you can perform the encoding using the following equation for address (a.b.c.d):

d*(256^3) + c*(256^2) + b*256 + a

The way to encode the port is to take the two bytes that store the port and reverse them. So, port 80 becomes 80 * 256 + 0 = 20480. Port 1433 (instead of 5 * 256 + 153) becomes 153 * 256 + 5 = 39173.
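The two encoding equations above, worked through as an added example (Python, not part of the guide): it encodes a pool member's address and port exactly as the text describes, and also reverses the encoding, which shows that anyone holding the cookie value can recover the member's address and port. Joining the two numbers with a dot into one string is an assumption of this example, not a format given on this page.

```python
import ipaddress

# Added example, not code from the BIG-IP Reference Guide.
# Address a.b.c.d  -> d*256^3 + c*256^2 + b*256 + a   (the guide's equation)
# Port             -> the two port bytes swapped: low_byte*256 + high_byte


def encode_address(addr: str) -> int:
    """Encode a dotted-quad address per the guide's equation.

    This is the same as reading the four address bytes as a little-endian
    unsigned 32-bit integer (a is the least significant byte).
    """
    a, b, c, d = (int(x) for x in str(ipaddress.IPv4Address(addr)).split("."))
    return d * 256**3 + c * 256**2 + b * 256 + a


def decode_address(value: int) -> str:
    """Inverse of encode_address: peel the bytes off in a, b, c, d order."""
    if not 0 <= value < 2**32:
        raise ValueError("encoded address must fit in 32 bits")
    a = value & 0xFF
    b = (value >> 8) & 0xFF
    c = (value >> 16) & 0xFF
    d = (value >> 24) & 0xFF
    return f"{a}.{b}.{c}.{d}"


def encode_port(port: int) -> int:
    """Swap the two port bytes: 1433 = 5*256 + 153 becomes 153*256 + 5 = 39173."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    high, low = divmod(port, 256)
    return low * 256 + high


def decode_port(value: int) -> int:
    """Inverse of encode_port: the encoded value is low*256 + high."""
    if not 0 <= value <= 65535:
        raise ValueError("encoded port must fit in 16 bits")
    low, high = divmod(value, 256)
    return high * 256 + low


def encode_member(member: str) -> str:
    """Encode a member written in the guide's address:port notation.

    Joining the two numbers with '.' is this example's own assumption.
    """
    addr, port = member.rsplit(":", 1)
    return f"{encode_address(addr)}.{encode_port(int(port))}"


def decode_member(value: str) -> str:
    """Recover address:port from an encoded 'addr.port' string."""
    addr_s, port_s = value.split(".", 1)
    return f"{decode_address(int(addr_s))}:{decode_port(int(port_s))}"


if __name__ == "__main__":
    # Constructed sample member, in the notation the guide's pool examples use.
    sample = "10.12.10.1:80"
    encoded = encode_member(sample)
    print(sample, "->", encoded, "->", decode_member(encoded))
```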
To configure the cookie persistence hash option using the Configuration utility
Before you follow this procedure, you must configure at least one pool.
1. In the navigation pane, click Pools. The Pools screen opens.
2. In the Pools list, click the pool for which you want to set up hash mode persistence. The properties screen for the pool you clicked opens.
3. Click the Persistence tab. The Persistence screen opens.
4. Click the Cookie Hash button. Set the following values (see the following Table 4.

The , , and values are described in Table 4.5.

Hash mode values   Description
                   This is the name of an HTTP cookie being set by a Web site.
                   This is the number of bytes in the cookie to skip before calculating the hash value.
                   This is the number of bytes to use when calculating the hash value.
Table 4.

4. Click the SSL button.
5. In the Timeout box, type the number of seconds that the BIG-IP should store SSL session IDs before removing them from the system.
6. Click the Apply button.
packet for one of the different types of SIP final messages. A default timeout value exists, which is usually 32 seconds. This timeout value is the window of time that a stateful proxy maintains state. If you change the timeout value, we recommend that the value be no lower than the default. To activate SIP Call-ID persistence, you can use either the Configuration utility or the bigpipe pool command.

To activate destination address affinity using the Configuration utility
You can only activate destination address affinity on pools directly or indirectly referenced by wildcard virtual servers. For information on setting up a wildcard virtual server, see Wildcard virtual servers, on page 4-71. Follow these steps to configure destination address affinity:
1. In the navigation pane, click Pools. The Pools screen opens.
2.

Hash mode
When configured in hash mode, a WTS server does not participate in a session directory; that is, the server cannot share sessions with other WTS servers. Hash mode ensures that WTS clients provide data to the BIG-IP to allow the BIG-IP to consistently connect that client to the same WTS server.

To create a virtual server from the command line
To create a virtual server that uses the pool my_cluster_pool, use the bigpipe virtual command as in the following example:

b virtual 192.200.100.
3. Click the Allow Persistence Across All Ports for Each Virtual Address check box. (To disable this persistence mode, clear the check box.)
4. Click the Apply button.

To activate persistence for virtual servers that use the same address from the command line
The global variable persist_across_services turns this mode on and off.

To activate persistence across all virtual servers using the Configuration utility
1. In the navigation pane, click the System icon. The Network Map screen opens.
2. Click the Advanced Properties tab. The BIG-IP System Control Variables screen opens.
3. Click the Allow Persistence Across All Virtual Servers check box to activate this persistence mode.
4. Click the Apply button.

Using IP addresses and Fully Qualified Domain Names
When redirecting traffic to a fallback host, you can specify the fallback host as an IP address or as a fully qualified domain name (FQDN). In either case, it may include a port number. The example in Figure 4.7 redirects the request to http://redirector.sam.com.

pool my_pool {
  member 10.12.10.1:80
  member 10.12.10.2:80
  member 10.12.10.3:80
  fallback redirector.sam.com
}

Figure 4.
Using format strings (expansion characters)
To allow HTTP redirection to be fully configurable with respect to the target URI, the following format strings are available. These strings can be used within both pools and rules. (For more information on using HTTP redirection format strings within rules, see Pool selection based on HTTP header data, on page 4-56.) Table 4.7 lists and defines the format strings that you can use to specify HTTP redirection.

Table 4.8 shows some sample redirection specifications, their explanations, and their resulting redirection.

Redirection string       Explanation                                            Resulting redirection
%h:%p/%u                 No redirection (preserve host name, port, and path)    http://www.example.com:8080/sample
%h/unavailable           Change path, remove port                               http://www.example.com/unavailable
https://%h/unavailable   Specify https as protocol, remove port, change path    https://www.example.com/unavailable
www.
Rewriting HTTP redirection
Sometimes, a client request is redirected from the HTTPS protocol to the HTTP protocol, which is a non-secure channel. If you want to ensure that the request remains on a secure channel, you can cause that redirection to be rewritten so that it is redirected back to the HTTPS protocol. Also, through the rewriting of redirections, you can rewrite a port number or a URI path.

11. Start the World Wide Web Publishing Service by typing net start w3svc at a command prompt, or by using the Services applet that is located in Control Panel (in Windows NT 4.0) or Administrative Tools (in Windows 2000).
12. Repeat the previous step for any other services that were stopped in step 11.
13. Browse back to the ISAPI Filters tab (by following steps 1-5) and verify that the filter is loaded properly.
The rule variables that can be used for header insertion are:
• client_addr
• client_port
• server_addr
• server_port
• link_qos
• ip_tos

Figure 4.11 shows a pool that inserts a header, using all of the above rule variables.

pool my_pool {
  header insert "ClientSide:${client_addr}:${client_port} -> ${server_addr}:${server_port} tos=${ip_tos} qos=${link_qos}"
  member 10.0.0.1:80
  member 10.0.0.2:80
  member 10.0.0.3:80
}

Figure 4.

Quality of Service (QoS) level
Another attribute of a pool is the Quality of Service (QoS) level. The QoS level is a means by which network equipment can identify and treat traffic differently based on an identifier. As traffic enters the site, the BIG-IP can set the QoS level on a packet, based on the QoS level defined in the pool to which the packet is sent.

Figure 4.14 shows how to configure a pool so that a ToS level is set for a packet sent to that pool. In this example, the ToS tag, represented by the ip_tos variable, is set to 16 when sending packets to the client, and set to 16 when packets are sent to the server.

pool http_pool {
  ip_tos to client 16
  ip_tos to server 16
}

Figure 4.
To disable a SNAT or NAT connection for a pool from the command line

b pool modify { snat disable }

One case in which you might want to configure a pool to disable SNAT or NAT connections is when you want the pool to disable SNAT or NAT connections for a specific service. In this case, you could create a separate pool to handle all connections for that service, and then configure the snat disable or nat disable attribute on that pool.

Figure 4.16 shows the resulting entries in the /config/bigip.conf file.

# self IP addresses
self 192.168.33.14 {
  vlan my_vlan
  netmask 255.255.255.0
  broadcast 192.168.33.255
  snat automap enable
}
# server pools
pool snat_disable_pool {
  snat disable
  forward
}
# virtual servers
virtual servers:162 unit 1 {
  use pool snat_disable_pool
  translate addr disable

Figure 4.16 Sample entries in the /config/bigip.conf file

Figure 4.

Forwarding pools are typically used with wildcard virtual servers or network virtual servers only. When you enable forwarding on a pool, you can apply any feature that can be configured on a pool to a forwarding connection. A pool configured for forwarding has no members. Also, this type of pool cannot be the default gateway pool. Figure 4.18 shows an example of a pool configured for forwarding.
Rules

As described in the Pools section, a pool may be referenced directly by the virtual server, or indirectly through a rule, which chooses among two or more load balancing pools. In other words, a rule selects a pool for a virtual server. A rule is referenced by a 1- to 31-character name. When a packet arrives that is destined for a virtual server that does not match a current connection, the BIG-IP can select a pool by evaluating a virtual server rule.

Rule-based pool selection
Table 4.9 lists the various criteria you can use when creating a rule to select a pool.

Pool-selection criteria                        Description
Pool selection based on HTTP request data      You can send connections to a pool or pools based on HTTP header information you specify.

Rules normally run right after the BIG-IP receives a packet that does not match a current connection. However, in the case of an HTTP request, the first packet is a TCP SYN packet that does not contain the HTTP request. In this case, the BIG-IP proxies the TCP handshake with the client and begins evaluating the rule again when the packet containing the HTTP request is received.

IP addresses
You can specify the client_addr or the server_addr variable within a rule to select a pool. For example, if you want to load balance based on part of the client's IP address, you might want a rule that states: "All client requests with the first byte of their source address equal to 206 will load balance using a pool named clients_from_206_pool. All other requests will load balance using a pool named other_clients_pool." Figure 4.
To configure a rule to select a pool based on an IP protocol number, use the syntax shown in the example in Figure 4.22.

rule my_rule {
  if (ip_protocol == 6) {
    use (tcp_pool)
  } else {
    use (slow_pool)
  }
}

Figure 4.22 A rule based on an IP protocol number

Quality of Service (QoS) level
The Quality of Service (QoS) standard is a means by which network equipment can identify and treat traffic differently based on an identifier.

To configure a rule to select a pool based on the ToS level of a packet, you can use the ip_tos rule variable, as shown in the example in Figure 4.24.

rule my_rule {
  if (ip_tos == 16) {
    use (telnet_pool)
  } else {
    use (slow_pool)
  }
}

Figure 4.24 A rule based on a Type of Service (ToS) level

For information on setting ToS values on packets based on the pool selected for that packet, see Type of Service (ToS) level, on page 4-44.

Using the one of operator instead, you can cause BIG-IP to load balance all incoming AOL connections to the pool aol_pool, if the value of the client_addr variable is a member of the class AOL. Figure 4.26 shows this type of rule. In this case, the one of operator indicates that the variable client_addr is actually a list of values (that is, a class).

rule my_rule {
  if (client_addr equals one of aol) {
    use (aol_pool)
  } else {
    use (all_pool)
  }
}

Figure 4.
Figure 4.28 shows the resulting numeric type of class:

class my_protos {
  27
  38
  93
}

Figure 4.28 An example of a numeric type of class

• IP addresses - The following command creates a class containing IP addresses:

b class my_ntwk { network 10.2.2.0 mask 255.255.255.0 }

Figure 4.29 shows the resulting IP address type of class:

class my_ntwk {
  network 10.2.2.0 mask 255.255.255.0
}

Figure 4.

indicated node address and port. When a rule returns both a pool and a node, the BIG-IP does not do any additional load balancing or persistence processing. Figure 4.30 shows an example of a rule containing a cache statement.

The preceding rule applies the format string to the URL. In this case, the format string sets the protocol to https, strips the requested port number (if any) and changes it to 8080, and appends a trailing slash (/) to the end of the URI if the URI ends with the string baz.

Note
The %u format string strips the first character of the URI path. This is usually a slash (/), and this modification is done purely for aesthetic reasons.
• Subjects that stay the same are called constant operands.

A question, or expression, asks questions about variable operands by comparing their current value to constant operands with relational operators.

Constant operands
Possible constant operands are:
◆ IP protocol constants, for example: UDP or TCP
◆ IP addresses expressed in masked dot notation, for example: 206.0.0.0 netmask 255.0.0.0
◆ Strings of ASCII characters, for example: pictures/bigip.

case of a rule containing questions about an HTTP request, the rule is evaluated in the context of the triggering TCP SYN packet until the first HTTP request question is encountered. After the proxy, the rule continues evaluation in the context of the HTTP request packet, and variables may refer to this packet. Before a variable is compared to the constant in a relational expression, it is replaced with its current value.

Operators
In a rule, relational operators compare two operands to form relational expressions. Possible relational operators and expressions are described in Table 4.10.

Cache statements
A cache statement may be either the only statement in a rule or it may be nested within an if statement. Rules with cache statements are used to select pools based on HTTP header data. Table 4.12 describes the cache statement syntax.

Rule Syntax   Description
expression    A Boolean expression setting the condition or conditions under which the rule applies.
2. Click the Add button. The Add Rule screen opens.
3. In the Add Rule screen, fill in the fields to add a rule. You can type in the rule as an unbroken line, or you can use the Enter key to add line breaks.
4. Click Done.

To define a rule from the command line
To define a rule from the command line, use the following syntax:

b rule '{ |

Element           Description
variable          http_method http_header http_version http_uri http_host http_cookie link_qos ip_tos client_addr server_addr client_port server_port ip_protocol
binary operator   or and
                  contains matches equals starts_with ends_with matches_regex one of
                  redirect to
Table 4.
Additional rule examples
This section contains additional examples of rules including:
• Cookie rule
• Language rule
• Cache rule
• AOL rule
• Protocol specific rule

Cookie rule
Figure 4.32 shows a cookie rule that load balances based on the user ID that contains the word VIRTUAL.

if ( exists http_cookie "user-id" and http_cookie "user-id" contains "VIRTUAL" ) {
  use ( virtual_pool )
} else {
  use ( other_pool )
}

Figure 4.32 Cookie rule example

Language rule
Figure 4.

Cache rule
Figure 4.34 shows an example of a rule that you can use to send cache content, such as .gifs, to a specific pool.

if ( http_uri ends_with "gif" or http_uri ends_with "html" ) {
  use ( cache_pool )
} else {
  use ( server_pool )
}

Figure 4.34 An example of a cache rule

AOL rule
Figure 4.35 is an example of a rule that you can use to load balance incoming AOL connections.

port 80 443 enable
pool aol_pool {
  min_active_members 1
  member 12.0.0.

rule aol_rule_https {
  if ( client_addr equals 152.163.128.0 netmask 255.255.128.0
       or client_addr equals 195.93.0.0 netmask 255.255.254.0
       or client_addr equals 205.188.128.0 netmask 255.255.128.0 ) {
    use ( aol_pool_https )
  } else {
    use ( other_pool_https )
  }
}
virtual 15.0.140.1:80 {
  use rule aol_rule
}
virtual 15.0.140.1:443 {
  use rule aol_rule_https
  special ssl 30
}

Figure 4.35 An example of an AOL rule

Rule using the ip_protocol variable
Figure 4.36 shows a rule that uses the ip_protocol variable.

Rule using the one of operator
A good use of the one of operator in a rule is when you have a class such as that shown in Figure 4.38.

class images {
  ".gif"
  ".jpg"
  ".bmp"
}

Figure 4.38 An example of a class

Given the above class, you could create a rule that uses the one of operator to select a pool based on whether the value of the variable http_uri ends with a member of the class images. Figure 4.39 shows this rule.
Virtual servers

A virtual server with its virtual address is the visible, routable entity through which nodes in a load balancing pool are made available to a client, either directly or indirectly through a rule. (The exception is the forwarding virtual server, which simply forwards traffic and has no associated pools.) You must configure a pool of servers before you can create a virtual server that references the pool.

Standard virtual servers
A standard virtual server represents a specific site, such as an Internet web site or an FTP site, and it load balances content servers that are members of a pool. The IP address that you use for a standard virtual server should match the IP address that DNS associates with the site's domain name.

creating VLAN groups and assigning self IP addresses to them, see Chapter 3, Creating VLAN groups, on page 3-14. For information on disabling a virtual server for a specific VLAN, see Enabling or disabling a virtual server, on page 4-84.

Wildcard virtual servers
Wildcard virtual servers are a special type of virtual server designed to manage network traffic for transparent network devices, such as transparent firewalls, routers, proxy servers, or cache servers.

VLAN disabled list applies to default wildcard virtual servers only. You cannot create a VLAN disabled list for a wildcard virtual server that is associated with one VLAN only. You can use port-specific wildcard virtual servers for tracking statistics for a particular type of network traffic, or for routing outgoing traffic, such as HTTP traffic, directly to a cache server rather than a firewall or router.

To turn off port translation for a wildcard virtual server using the Configuration utility
After you define the wildcard virtual server with a wildcard port, you must disable port translation for the virtual server.
1. In the navigation pane, click Virtual Servers. The Virtual Servers screen opens.
2. In the virtual server list, click the virtual server for which you want to turn off port translation. The Virtual Server Properties screen opens.
3.
To create a default wildcard virtual server from the command line
To create a default wildcard virtual server from the command line, use the bigpipe virtual command with the following syntax:

b virtual *:* use pool

Creating multiple wildcard servers
In previous releases, BIG-IP supported one wildcard virtual server only, designated by the IP address 0.0.0.0.

For example, the following commands define two wildcard virtual servers, the first for VLAN internal, and the second for VLAN external:

b virtual internal use pool my_pool
b virtual external use pool my_pool

Network virtual servers
You can configure a network virtual server to handle a whole network range, instead of just one IP address, or all IP addresses (a wildcard virtual server). For example, the virtual server in Figure 4.40 handles all traffic addresses in the 192.168.1.0 network.

Forwarding virtual servers
A forwarding virtual server is just like other virtual servers, except that the virtual server has no nodes to load balance. It simply forwards the packet directly to the node. Connections are added, tracked, and reaped just as with other virtual servers. You can also view statistics for forwarding virtual servers.

To configure forwarding virtual servers using the Configuration utility
1.

other side of the BIG-IP to forward packets to virtual servers receiving connections from the transparent devices and forwarding them to their destination.

Tip
If you do not want BIG-IP to load balance your traffic but do want to take advantage of certain pool attributes, you can instead use a feature called a forwarding pool. For more information on forwarding pools, see Forwarding pools, on page 4-47.
Option                  Description
Rules                   You can configure a virtual server to reference a rule. Rules are primarily used for selecting pools during load balancing.
Software acceleration   You can speed up packet flow for TCP connections when the packets are not fragmented.
Table 4.

The following example shows the two commands used to enable mirroring for virtual server v1 on the FTP control and data ports:

b virtual v1:21 mirror conn enable
b virtual v1:20 mirror conn enable

Displaying information about virtual servers
You can display information about all virtual servers in your configuration, or you can display information about one or more specific virtual servers.

Again, even when you define a custom netmask and broadcast in a specific network virtual server definition, the settings apply to all virtual servers that use the same virtual address. The following sample command shows a user-defined netmask and broadcast:

b virtual www.SiteOne.com:http \
  netmask 255.255.0.0 \
  broadcast 10.0.140.255 \
  use pool my_pool

The /bitmask option shown in the following example applies network and broadcast address masks.

To enable or disable port translation
Use the following syntax to enable or disable port translation for a virtual server:

b virtual : translate port enable | disable | show

To enable or disable address translation
Use the following syntax to enable or disable address translation for a virtual server:

b virtual : translate addr enable | disable | show

Setting dynamic connection rebinding
Dynamic connection rebinding is a feature for those virtual server

To set dynamic connection rebinding from the command line
To manage dynamic connection rebinding using the bigpipe virtual command, type one of the following commands.
Virtual servers Each of these elements is described in Table 4.16. Rule element Description A virtual server key definition: : [unit ] Virtual server options. For more information, see Virtual server options, on page 4-77. A rule name reference. Rule names are strings of 1 to 31 characters. use rule Table 4.
Chapter 4: Configuring the High-Level Network For example, if you want to define the virtual server 10.10.10.50:80 with the pool IPFW_pool and acceleration turned off, type the following command: b virtual 10.10.10.50:80 use pool IPFW_pool accelerate disable Additional virtual server tasks Once you have created a virtual server and configured options for it, you can perform the following tasks.
If you want to disable or enable a virtual server for one or more specific VLANs only, use the following syntax:
b virtual : vlans disable | enable
Use the following syntax to return a virtual server to network service:
b virtual : enable
Note
If you do not specify a VLAN name with the b virtual command, the virtual server is enabled or disabled on all VLANs.
Using other BIG-IP features with virtual servers
After you create a pool and define a virtual server that references the pool, you can set up additional features, such as network address translations (NATs) or extended content verification (ECV). For details on network address translations, see NATs, on page 4-132. For details on persistence for connections that should return to the node to which they last connected, see Persistence, on page 4-21.
Proxies
BIG-IP supports two types of proxies: an SSL Accelerator proxy and a content converter proxy. Using either the Configuration utility or the bigpipe proxy command, you can create, delete, modify, or display the SSL or content converter proxy definitions on the BIG-IP. For detailed information about setting up the SSL Accelerator feature, see the BIG-IP Solutions Guide, Chapter 9, Configuring an SSL Accelerator.
Table 4.17 lists the configurable SSL proxy options.
Option: SSL-to-Server configuration
Description: Causes the BIG-IP to re-encrypt decrypted requests before sending them to the server, as a way to maintain server-side security.
Option: Client-side authentication
Description: Allows you to configure the SSL proxy to either request, require, or ignore certificates presented by a client.
To create an SSL proxy using the Configuration utility
1. In the navigation pane, click Proxies. The Proxies screen opens.
2. Click the ADD button. The Add Proxy screen opens.
3. In the Proxy Type field, check the box labeled SSL.
4. Configure the remaining attributes that you want to use with the proxy.
5. Click Done.
Configuring SSL-to-Server
Once the SSL Accelerator proxy has decrypted a client request, you might want the BIG-IP to re-encrypt that request before it sends the request to the server, to maintain server-side security. This feature is known as SSL-to-Server. To implement this feature, you can use either the Configuration utility or the command line.
Figure 4.43 shows the state of the /config/bigip.conf file after creating an SSL proxy with SSL-to-Server enabled. Note that the certificate and key files for client-side SSL connections have also been configured.
proxy 10.1.1.1:443 unit 1 {
   target virtual 20.1.1.1:https
   clientssl enable
   clientssl key my.server.net.key
   clientssl cert my.server.net.crt
   serverssl enable
}
Figure 4.43 SSL proxy entries in /config/bigip.
   serverssl enable \
   serverssl key my.client.net.key \
   serverssl cert my.client.net.crt
Figure 4.44 shows the state of the /config/bigip.conf file after both creating an SSL proxy with SSL-to-Server enabled and configuring the certificates and keys for both client-side and server-side SSL connections.
proxy 10.1.1.1:443 unit 1 {
   target virtual 20.1.1.1:https
   clientssl enable
   clientssl key my.server.net.key
   clientssl cert my.server.net.
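As an added example (not code from the BIG-IP manual or product), the following Python script parses proxy stanzas written in the /config/bigip.conf layout of Figures 4.43 and 4.44 and audits them: a proxy that terminates client-side SSL without SSL-to-Server sends decrypted requests to the server in the clear, and a proxy with SSL-to-Server that does not require a valid server certificate accepts any server. The configuration text is constructed for the example, and the assumption that the command-line option serverssl server cert require is stored in the file under the same words is mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the proxy stanzas shown in Figures 4.43 and 4.44.
# The second proxy is deliberately written without SSL-to-Server.
SAMPLE_CONF = """\
proxy 10.1.1.1:443 unit 1 {
   target virtual 20.1.1.1:https
   clientssl enable
   clientssl key my.server.net.key
   clientssl cert my.server.net.crt
   serverssl enable
   serverssl key my.client.net.key
   serverssl cert my.client.net.crt
   serverssl server cert require
}
proxy 10.1.1.2:443 unit 1 {
   target virtual 20.1.1.2:http
   clientssl enable
   clientssl key my.server.net.key
   clientssl cert my.server.net.crt
}
"""

STANZA = re.compile(r"proxy\s+(\S+)\s+unit\s+(\d+)\s*\{(.*?)\}", re.S)


def parse_proxies(text: str) -> Dict[str, dict]:
    """Return {address:port -> {unit, target, clientssl, serverssl}} for each proxy stanza."""
    proxies: Dict[str, dict] = {}
    for match in STANZA.finditer(text):
        addr, unit, body = match.groups()
        entry = {"unit": int(unit), "target": None, "clientssl": {}, "serverssl": {}}
        for raw in body.splitlines():
            tokens = raw.split()
            if not tokens:
                continue
            key, rest = tokens[0], tokens[1:]
            if key == "target":
                entry["target"] = " ".join(rest)            # e.g. "virtual 20.1.1.1:https"
            elif key in ("clientssl", "serverssl"):
                if rest == ["enable"]:
                    entry[key]["enable"] = True
                elif len(rest) == 2:
                    entry[key][rest[0]] = rest[1]           # "key <file>" / "cert <file>"
                elif len(rest) > 2:
                    # Multi-word option such as "server cert require" (assumed file form)
                    entry[key][" ".join(rest[:-1])] = rest[-1]
        proxies[addr] = entry
    return proxies


def audit(proxies: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Flag proxies whose settings weaken server-side security."""
    findings = []
    for addr, proxy in proxies.items():
        client, server = proxy["clientssl"], proxy["serverssl"]
        if client.get("enable") and not server.get("enable"):
            findings.append((addr, "clientssl enabled without serverssl: decrypted requests "
                                   "are sent to the server in the clear"))
        if server.get("enable") and server.get("server cert") != "require":
            findings.append((addr, "SSL-to-Server does not require a valid server certificate"))
        if client.get("enable") and not (client.get("key") and client.get("cert")):
            findings.append((addr, "clientssl enabled without both key and cert"))
    return findings


if __name__ == "__main__":
    for addr, problem in audit(parse_proxies(SAMPLE_CONF)):
        print(f"{addr}: {problem}")
```

Run against the sample, the audit reports only the second proxy, which decrypts client traffic and then forwards it to an http target without re-encryption.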
To verify server certificates from the command line
This option is specified as serverssl server cert on the bigpipe proxy command line. The following command shows an example.
b proxy : serverssl server cert require
Specifying traversal of certificate chains
In addition to the option to require or ignore a certificate presented by the server, SSL-to-Server has an option to specify the maximum number of certificates that can be traversed in a server certificate chain.
Basic authentication options
You can configure an SSL proxy to handle authentication of clients in three ways:
• You can configure the proxy to request and verify a client certificate. In this case, the SSL proxy always grants access regardless of the status or absence of the certificate.
• You can configure the proxy to require a client to present a valid and trusted certificate before granting access.
To modify per-session authentication using the Configuration utility
You can modify the SSL proxy to require authentication not only once per session, but also upon each subsequent reuse of an SSL session.
1. In the navigation pane, click Proxies.
2. Click the Add button.
3. Click on the Client Authenticate Once box. This changes the setting from once to always.
4. Click Done.
• Client certificate fields
• Client session IDs
An example of when you might want to insert a header into an HTTP request is when the proxy is configured to request, rather than require, a certificate during client authentication.
To insert a custom header from the command line
To insert a custom header into an HTTP request using the command line, specify the header insert argument with the bigpipe proxy command, as follows:
b proxy : header insert \"quoted string\"
A cipher specification
When adding an SSL proxy, you can configure the proxy to insert information about the negotiated SSL cipher into an HTTP request.
To insert a cipher specification from the command line
Specify the cipher insert argument with the bigpipe proxy command, as follows:
b proxy : [clientssl] cipher insert
Client certificate fields
When adding an SSL proxy, you can configure the proxy to insert into an HTTP request a header for each field of a client certificate.
Header Name: Certificate validity dates
Required Format: SSLClientCert: [before] and SSLClientCert: [after]
Description: The validity dates for the certificate. The certificate is not valid before or after the dates represented by [before] and [after], respectively.
Header Name: Certificate subject
Required Format: SSLClientCert: [subject]
Description: The subject of the certificate.
Header Name: Public key of the subject
Required Format: SSLClientCert: [key]
Description: The type of the public key. The allowed types are "RSA ([size] bit)", "DSA", or "Unknown public key".
• A header in which the session ID is the current session ID. The proper format of this header is SSLClientCurrentSessionID:X, where X represents the current SSL session ID.
If you enable the insertion of session ID headers, but specify neither of these two types of session IDs, the SSL proxy inserts the session ID initially negotiated with the client.
To insert a session ID header using the Configuration utility
1. In the navigation pane, click Proxies.
2.
the client connection being closed. If the client is using a browser, the user will likely receive an error message indicating that the web page failed to load. The following sections describe how to configure cipher lists and protocol versions for the SSL proxy.
Configuring cipher lists
You can configure the list of SSL ciphers that are available for both client-side and server-side SSL connections.
To specify invalid protocol versions using the Configuration utility
1. In the navigation pane, click Proxies.
2. Click the Add button.
3. In the Client-side Connections Do Not Use These SSL Versions box or the Server-side Connections Do Not Use These SSL Versions box, check the appropriate check boxes.
4. Click Done.
4. If the file is still not found, the proxy uses the same file name as that of the configured certificate. For example, the proxy might take the file name www.dot.com.crt, replace the .crt file name extension with the .chain extension, and search on the file name www.dot.com.chain.
5. If unable to build the certificate chain using the preceding procedure, the proxy attempts to build the chain through certificate verification, described in the following section.
configure the proxy to generate these symbolic links. If you do not specify a Trusted CA path, or the Trusted CA path is not accessible to the proxy, the proxy uses the default path name /config/bigconfig/ssl.crt/. Note that each certificate file should contain only one certificate, because only the first certificate in the file is used.
To specify the Trusted CA file and Trusted CA path using the Configuration utility
1.
To advertise a list of trusted CAs using the Configuration utility
1. In the navigation pane, click Proxies.
2. Click the Add button.
3. In the Client Certificate CA File box, select a file name from the box, or type the certificate CA file name.
4. Click Done.
Rewriting the protocol name
This feature allows the SSL proxy to rewrite the HTTP protocol name to HTTPS. For example, a client might send a request to https://www.sample.com/bar and be initially redirected to http://www.sample.com/bar/, which is a non-secure channel. If you want the client request to remain on a secure channel, you can configure the SSL proxy to rewrite the redirected URI to go to https://www.sample.com/bar/ instead.
To configure the rewrite feature using the Configuration utility
1. In the navigation pane, click Proxies.
2. Click the Add button.
3. In the Rewrite Redirects box, if you want to enable the feature, select either Matching or All from the list. To disable the feature, do not select an option from the box. By default, the feature is disabled.
4. Click Done.
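The redirect rewrite described above, as an added Python example that is not part of the manual or the product: it rewrites the Location header of a redirect from http:// to https:// so the client stays on the secure channel. The reading of the two settings is an assumption from their names: Matching rewrites only redirects that point back at the site's own host name, All rewrites every http:// redirect. The sample response is constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def rewrite_redirect(location: str, site_host: str, mode: str) -> str:
    """Rewrite an http:// redirect target to https://.

    mode is "none" (feature disabled), "matching" (rewrite only redirects whose
    host is site_host) or "all" (rewrite every http:// redirect). The meaning of
    Matching and All is assumed from the option names, not taken from the manual.
    """
    if mode == "none":
        return location
    if mode not in ("matching", "all"):
        raise ValueError(f"unknown rewrite mode: {mode}")
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location                      # https, relative or other scheme: leave alone
    if mode == "matching" and (parts.hostname or "").lower() != site_host.lower():
        return location
    netloc = parts.hostname or ""
    if parts.port and parts.port != 80:      # keep an explicit non-default port
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_response_headers(raw_headers: str, site_host: str, mode: str) -> str:
    """Apply rewrite_redirect to every Location header of a CRLF-separated header block."""
    out = []
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            out.append(f"{name}: {rewrite_redirect(value.strip(), site_host, mode)}")
        else:
            out.append(line)
    return "\r\n".join(out)


if __name__ == "__main__":
    # Constructed server response of the kind the text describes
    response = ("HTTP/1.1 302 Found\r\n"
                "Location: http://www.sample.com/bar/\r\n"
                "Content-Length: 0\r\n\r\n")
    print(rewrite_response_headers(response, "www.sample.com", "matching"))
```

Redirects that already use https://, relative redirects, and (in Matching mode) redirects to other hosts are passed through untouched; an explicit :80 is dropped because the rewritten URL uses the https default port.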
Server-side timeout values
A single, server-side timeout value is configured globally. This timeout value cannot be set to zero. For optimal performance, the timeout value should be set to the minimum SSL session cache timeout value used by the servers to which the proxy makes server-side SSL connections. Under certain conditions, the proxy attempts to efficiently negotiate a new server-side SSL session prior to its expiration.
The client-side values for the maximum size of the session cache are configured on a per-proxy basis. A single, server-side value for the maximum size of the session cache is configured globally.
To set the maximum size of the client-side SSL session cache using the Configuration utility
1. In the navigation pane, click Proxies.
2. Click the Add button.
3. In the Client Session Cache Size box, type an integer or use the default value.
4. Click Done.
This option is configured globally, and by default is set to disable.
Note
In redundant configurations, connections handled by the SSL proxy are not mirrored, and therefore cannot be resumed by the peer unit upon failover.
To configure SSL proxy failover using the Configuration utility
1. In the navigation pane, click System.
2. Click the Advanced Properties tab.
3. In the Failover on SSL Accelerator Failure box, check the Enable or Disable check box.
4.
To configure SSL shutdowns using the Configuration utility
1. In the navigation pane, click System.
2. Click the Advanced Properties tab.
3. In the Force Unclean Shutdown Of All SSL Connections box, check or clear the check box.
4. Click Done.
Adding a last hop pool to an SSL proxy
In cases where you have more than one router sending connections to a BIG-IP, connections are automatically sent back through the same router from which they were received when the auto_lasthop global variable is enabled, as it is by default.
To configure the on-the-fly conversion software
1. On the BIG-IP, bring up the Akamai configuration file /config/akamai.conf in an editor like vi or pico.
2. Under the heading [CpCode] you will find the text default=XXXXX. Replace the Xs with the CP code provided by your Akamai Integration Consultant. (If contacting your consultant, specify that you are using the BIG-IP on-the-fly akamaizer based on Akamai's 1.0 source code.) Example: default=773
3.
When the content converter proxy is written in the /config/bigip.conf file, it looks like the example in Figure 4.47.
proxy 10.1.1.1:http unit 1 {
   target virtual 20.1.1.1:http
   akamaize enable
}
Figure 4.
For example, if you want to view configuration information for the SSL proxy 209.100.19.22:443, type the following command:
b proxy 209.100.19.
Nodes
Nodes are the network devices to which the BIG-IP passes traffic. A network device becomes a node when it is added as a member to a load balancing pool. You can display information about nodes and set properties for nodes. The attributes you can configure for a node are listed in Table 4.21.
Node Attribute: Enable/Disable nodes
Description: You can enable or disable nodes independent of a load balancing pool.
To mark a node up, use the node command with the up option:
b node 192.168.21.1 up
To mark a particular service down, specify the node command with a node address and port, and the down option. (Note that marking a port down prevents the port from accepting new connections. Existing connections are allowed to complete.)
b node 192.168.21.1:80 down
To mark a particular port up, use the node command with the up option:
b node 192.168.21.
The report shows the following information:
• Current number of connections
• Total number of connections made to the node since last boot
• Maximum number of concurrent connections since the last boot
• Concurrent connection limit on the node
• Total number of inbound and outbound packets and bits
Figure 4.48 shows the output of this command.
bigpipe node 192.168.200.50:20
NODE 192.168.200.
Services
Services are the standard Internet applications supported by BIG-IP, such as HTTP, HTTPS, FTP, and POP3. Each service is known by its name and also by its well-known or reserved port number, such as 80 or 443. (Specifically, a service is any valid service name in the /etc/services file or any valid port number between 0 and 65535.) The bigpipe service command allows you to enable and disable network traffic on services, and also set connection limits and timeouts.
To set connection limits on services
Use the following syntax to set the maximum number of concurrent connections allowed on a service. Note that you can configure this setting for one or more services.
b service [...] limit
To turn off a connection limit for one or more services, use the same command, setting the parameter to 0 (zero) like this:
b service [...
For example, the following command sets the UDP timeout to 300 seconds for port 53:
b service 53 timeout udp 300
To turn off the UDP timeout for a service, use the above command, setting the parameter to zero:
b service 53 timeout udp 0
To display service settings
Use the following command to display the settings for all services:
b service show
Use the following syntax to display the settings for a specific service or services:
b service [...
Address translation: SNATs, NATs, and IP forwarding
The BIG-IP uses address translation and forwarding in various ways to make nodes accessible that would otherwise be hidden on its internal VLAN.
◆ A virtual server translates the destination address of an inbound packet from its own address (the virtual server's) to the address of the node to which it load balances the packet.
The attributes you can configure for a SNAT are shown in Table 4.23.
Attribute: Global SNAT properties
Description: Before you configure a SNAT, you can configure global properties for all SNATs on the BIG-IP. Configuring global properties for a SNAT is optional.
Attribute: Manual SNAT mapping
Description: You can define a specific translation address to be mapped to an individual host.
Attribute: SNAT automapping
Description: You can configure BIG-IP to automatically map a translation address.
To configure SNAT global properties from the command line
Configuring global properties for a SNAT requires that you enter three bigpipe commands. The following command sets the maximum number of connections you want to allow for each node using a SNAT.
To add a default SNAT manually using the Configuration utility
1. In the navigation pane, click NATs. The NATs screen displays.
2. Click the SNATs tab.
3. Click the Add Default button. The Add Default SNAT screen opens.
4. In the Translation Address field, select the IP button, and type the IP address that you want BIG-IP to assign as a translation address.
5. Click Done.
To add a manual SNAT from the command line
The bigpipe snat command defines one SNAT for one or more original IP addresses, where the original IP address can be either a specific node address or a VLAN name. To manually add a SNAT using the bigpipe snat command, use the following syntax.
b snat map ... to
For example, to define a SNAT for two specific nodes:
b snat map 192.168.75.50 192.168.75.51 to 192.168.100.
• When the equivalent of a default SNAT, that is, a SNAT that continues to work in the event of a failure in one BIG-IP, is required for BIG-IP units in active-active mode. (The conventional default SNAT does not work in active-active mode.)
Adding an automapped default SNAT
The BIG-IP allows you to take advantage of the SNAT automapping feature when adding a default SNAT.
• If you enable snat automap on more than one self IP address (implying more than one IP network), the following rules apply:
   • If the connection is handled by a non-forwarding virtual server, the translation address is the self IP address that matches the IP network of the node selected by load balancing.
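The automap selection rule just stated, and the manual b snat map syntax from the previous page, as an added Python example (not code from the manual or the product). The self IP addresses, their network masks, and the translation address 192.168.100.10 are constructed sample values; the page's own example is truncated after 192.168.100.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed: self IP addresses (with their network masks) on which snat automap is
# enabled, one per IP network, in the style of the 10.0.0.1 / 11.0.0.1 example below.
AUTOMAP_SELF_IPS: List[str] = ["10.0.0.1/24", "11.0.0.1/24"]


def automap_translation(self_ips: List[str], selected_node: str) -> Optional[str]:
    """Pick the self IP address whose IP network contains the node chosen by load balancing.

    This implements the rule for connections handled by a non-forwarding virtual
    server: the translation address is the automap self IP on the node's network.
    """
    node = ipaddress.ip_address(selected_node)
    for entry in self_ips:
        iface = ipaddress.ip_interface(entry)
        if node in iface.network:
            return str(iface.ip)
    return None          # no automap self IP address on the node's network


def parse_snat_map(command: str) -> Dict[str, str]:
    """Parse 'b snat map <orig> [<orig> ...] to <translation>' into {orig: translation}."""
    tokens = command.split()
    if tokens[:3] != ["b", "snat", "map"] or "to" not in tokens:
        raise ValueError("not a b snat map command")
    to_index = tokens.index("to")
    originals, rest = tokens[3:to_index], tokens[to_index + 1:]
    if not originals or len(rest) != 1:
        raise ValueError("expected one or more original addresses and one translation address")
    return {orig: rest[0] for orig in originals}


if __name__ == "__main__":
    # Constructed manual SNAT for two nodes (the translation address is a sample value)
    print(parse_snat_map("b snat map 192.168.75.50 192.168.75.51 to 192.168.100.10"))
    for node in ("10.0.0.50", "11.0.0.7", "192.168.1.1"):
        print(node, "->", automap_translation(AUTOMAP_SELF_IPS, node))
```

A node on a network that has no automap self IP yields None, which is the case to watch for when a pool spans more networks than the self IPs you enabled automap on.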
2. Click the SNATs tab.
3. Click the Add button. The Add SNAT screen opens.
4. In the Translation Address dialog area, click the Automap button.
5. If you want to map the translation address from one or more specific nodes, enter each node's IP address into the Original Address: box and move the address to the Current List: box, using the right arrows (>>). Also, verify that the option choose appears in the VLAN box.
6.
To create the equivalent of a default SNAT, it is necessary to assign each unit its own floating self IP address on the external VLAN. This is done for the same reason that separate aliases are assigned to the internal network as part of routine active-active setup. (See Configuring an active-active system, on page 6-11.
• If multiple external interfaces are not available, the ISP routers or firewalls are assigned to different IP networks. This will already be the case for ISPs.
• For firewalls, the separate IP address ranges must be established on the inside and outside interfaces of each firewall. The separate networks are then assigned separate self addresses, for example, 10.0.0.1 and 11.0.0.1.
To enable mirroring for redundant systems
The following example sets SNAT mirroring for all SNAT connections originating at 192.168.225.100:
b snat 192.168.225.100 mirror enable
To clear statistics
You can reset statistics by node address, SNAT address, or VLAN name. Use the following syntax to clear all statistics for one or more nodes:
b snat ...
The IP addresses that identify nodes on the BIG-IP internal network need not be routable on the external network. This protects nodes from illegal connection attempts, but it also prevents nodes (and other hosts on the internal network) from receiving direct administrative connections, or from initiating connections to clients, such as mail servers or databases, on the BIG-IP external interface. Using network address translation resolves this problem.
The following example shows a NAT definition:
b nat 10.10.10.10 to 10.12.10.10
To delete NATs
Use the following syntax to delete one or more NATs from the system:
b nat [...] delete
To display status of NATs
Use the following command to display the status of all NATs included in the configuration:
b nat show
Use the following syntax to display the status of one or more selected NATs (see Figure 4.50).
b nat [...
• You must delete a NAT before you can redefine it.
• The interface for a NAT can only be configured when the NAT is first defined.
IP forwarding
IP forwarding is an alternate way of allowing nodes to initiate or receive direct connections from the BIG-IP external network. IP forwarding directly exposes all of the node IP addresses to the external network, making them routable on that network.
Enabling IP forwarding globally
IP forwarding is a global property of the BIG-IP system. To set up IP forwarding globally, you need to complete two tasks:
• Turn IP forwarding on. The BIG-IP uses a system control variable to control IP forwarding, and its default setting is off.
• Verify the routing configuration. You probably have to change the routing table for the router on the BIG-IP external network.
Health monitors
Health monitors verify connections and services on nodes that are members of load balancing pools. The monitor checks the node at a set interval. If the node does not respond within a specified timeout period, the node is marked down and traffic is no longer directed to it. By default, an icmp (Internet Control Message Protocol) monitor is associated with every node that is a member of a load balancing pool.
This creates a new monitor in /config/bigip.conf, as shown in Figure 4.52. You can display this monitor using the command b monitor my_icmp show.
monitor my_icmp {
   #type icmp "icmp"
   interval 5
   timeout 20
}
Figure 4.52 Custom icmp monitor
Once the custom monitor exists, you associate it with a node or nodes using the Configuration utility or the bigpipe node command as follows.
b node 11.11.11.1 11.11.11.2 11.11.11.
Selecting the monitor template
Selecting a template is straightforward. Like icmp, each of the templates has a type based on the type of service it checks, for example, http, https, ftp, pop3, and takes that type as its name. (Exceptions are port-specific templates, like https_443, and the external template, which calls a user-supplied program.) To select a template, simply select the one that corresponds in name and/or type to the service you want to check.
Using tcp_echo
The tcp_echo template uses Transmission Control Protocol. The check is successful if a response to a TCP ECHO message is received. tcp_echo also supports transparent mode. In this mode, the node with which the monitor is associated is pinged through to the destination node. (For more information about transparent mode, refer to Using transparent and reverse modes, on page 4-150.
Both transparent and reverse modes are options. (For more information about transparent and reverse modes, refer to Using transparent and reverse modes, on page 4-150.)
monitor tcp {
   #type tcp
   interval 5
   timeout 16
   dest *:*
   send ""
   recv ""
   //reverse
   //transparent
}
Figure 4.56 The tcp monitor template
Using http
The http template is for HyperText Transfer Protocol.
Using https
The https template is for Hypertext Transfer Protocol Secure. An https monitor attempts to receive specific content from a web page protected by SSL security. The check is successful when the content matches the recv expression. An https monitor uses a send string, a recv expression, and a username and password (If there is no password security, use blank strings [""] for username and password.
URL as a value and automatically fills in the dest value with the address the URL resolves to. (For more information about the get and url statements, refer to Using send, receive, url, and get statements, on page 4-150.)
monitor ftp {
   #type ftp
   interval 5
   timeout 16
   dest *:*
   username ""
   password ""
   get ""
   //url
}
Figure 4.59 The ftp monitor template
Using pop3
The pop3 template is for Post Office Protocol.
Using snmp_dca
The snmp_dca template is used for load balancing traffic to servers that are running an SNMP agent, such as UC Davis or Windows 2000. In addition to defining ratio weights for CPU, memory, and disk use, you can also define weights for use by users. Figure 4.62 shows the snmp_dca monitor template.
monitor type snmp_dca {
   #type snmp_dca
   interval 10
   timeout 30
   dest *:161
   agent_type "UCD"
   cpu_coefficient "1.5"
   cpu_threshold "80"
   mem_coefficient "1.
Using nntp
The nntp template is for Usenet News. The check is successful if the monitor retrieves a newsgroup identification line from the server. An nntp monitor requires a newsgroup name (for example, "alt.cars.mercedes") and, if necessary, username and password.
monitor nntp {
   #type nntp
   interval 5
   timeout 16
   dest *:*
   username ""
   password ""
   newsgroup ""
}
Figure 4.
if the specified message number is retrieved. An imap monitor requires username, password, and a folder. It also takes an optional message number, message_num.
monitor imap {
   #type imap
   interval 5
   timeout 16
   dest *:*
   username ""
   password ""
   folder ""
   /message_num ""
}
Figure 4.66 The imap monitor template
Using radius
The radius template is for Remote Access Dial-in User Service servers. The check is successful if the server authenticates the requesting user.
Note
Servers to be checked by an imap monitor typically require special configuration to maintain a high level of security while also allowing for monitor authentication.
monitor ldap {
   #type ldap
   interval 5
   timeout 16
   dest *:*
   username ""
   password ""
   base ""
   filter ""
}
Figure 4.68 A sample monitor template
Using external
The external template is for a user-supplied monitor.
3. In the Add Monitor screen, type in the name of your monitor (it must be different from the monitor template name), and select the monitor template you want to use.
4. Click the Next button and you are guided through the configuration of your monitor.
5. When you have finished configuring the monitor, click Done.
To configure a monitor from the command line
Use the bigpipe monitor command to configure the monitor at the command line.
Attribute: send
Definition: Send string for ECV. Default send and recv values are empty (""), matching any string.
Attribute: recv
Definition: Receive expression for ECV. Default send and recv values are empty (""), matching any string.
Attribute: get
Definition: For the http and https monitors, get replaces the recv statement, automatically filling in "GET". For the ftp monitor, get can be used to specify a full path to a file. This automatically fills in dest.
Setting destinations
By default, all dest values are set to the wildcard "*" or "*:*". This causes the monitor instance created for a node to take that node's address or address and port as its destination. An explicit dest value is used only to force the instance destination to a specific address and/or port which may not be that of the node. For more information about setting destinations, refer to Associating the monitor with a node or nodes, on page 4-154.
In transparent mode, the monitor is forced to ping through the node it is associated with, usually a firewall, to the dest node. (In other words, if there are two firewalls in a load balancing pool, the destination node will always be pinged through the one specified and not through the one picked by the load balancing method.) In this way, the transparent node is tested as well: if there is no response, the transparent node is marked down.
user name and password for the new login, as well as which databases the login is allowed to access. You must grant the test account access to the database you specify in the EAV configuration.
Running user-added EAVs
You may add your own monitors to those contained in /user/local/lib/pingers. For running these added programs, the monitor template external is used. The executable program is specified as the value of the attribute run.
To show or delete a monitor using the Configuration utility
1. In the navigation pane, click Monitors. A screen opens that lists monitors in two columns, System Supplied and User Defined.
2. To show a monitor, simply click the monitor name.
3. To delete a monitor, click the Delete button for the monitor. Note that only user-defined monitors can be deleted.
This has the effect of disabling all instances of the monitor, as shown in Figure 4.71.
+- NODE 11.12.11.20:80        UP   disabled
   |
   +- http
      11.12.11.20:80 up
+- NODE 11.12.11.21:80        UP   disabled
   |
   +- http
      11.12.11.21:80 up
+- NODE 11.12.11.22:80        UP   disabled
   |
   +- http
      11.12.11.22:80 up
Figure 4.
This creates a monitor instance of http for each of these nodes. You can verify this association using the bigpipe monitor show command:
b node monitor show
This would produce the output shown in Figure 4.72.
+- NODE 11.12.11.20:80        UP   enabled
   |
   +- http
      11.12.11.20:80 up
+- NODE 11.12.11.21:80        UP   enabled
   |
   +- http
      11.12.11.21:80 up
+- NODE 11.12.11.22:80        UP   enabled
   |
   +- http
      11.12.11.22:80 up
Figure 4.
value of *:*. Either or both wildcard symbols can be replaced by an explicit dest value by creating a new monitor based on http. This is referred to as node and port aliasing, described in the following section.
Using node and port aliasing
Usually the health of a node is checked by pinging that node. For this reason the dest attribute in the monitor template is always set to "*" or "*:*".
11.12.11.20:80, 11.12.11.21:80, and 11.12.11.21:80 it would produce the following instances, (which are in fact one instance associated with three different nodes) as shown in Figure 4.74.
+- NODE 11.12.11.20:80 ADDR   UP   enabled
   |
   +- my_http
      11.11.11.1:80 checking
+- NODE 11.12.11.21:80 ADDR   UP   enabled
   |
   +- my_http
      11.11.11.1:80 checking
+- NODE 11.12.11.22:80 ADDR   UP   enabled
   |
   +- my_http
      11.11.11.1:80 checking
Figure 4.
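The monitor template format shown in the figures above, the interval and timeout rule from the start of this section, and the dest wildcard and aliasing rules just described, as one added Python example (not code from the manual or the product). It parses monitor stanzas, keeps track of attributes that are commented out with //, resolves a template's dest against a node the way the text describes, and walks a sequence of probe results to show when a node is marked down. The sample stanzas are constructed; the reading that a node goes down once the timeout has elapsed without a response, and the check that timeout must exceed interval, are my assumptions, not statements from the manual.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the monitor template layout of the figures above: the tcp
# template, a custom http monitor that aliases the destination, and a deliberately
# mis-set monitor whose timeout is shorter than its interval.
SAMPLE_MONITORS = """\
monitor tcp {
   #type tcp
   interval 5
   timeout 16
   dest *:*
   send ""
   recv ""
   //reverse
   //transparent
}
monitor my_http {
   #type http
   interval 5
   timeout 16
   dest 11.11.11.1:80
   send "GET /"
   recv "200 OK"
}
monitor bad_icmp {
   #type icmp
   interval 20
   timeout 5
}
"""

STANZA = re.compile(r"monitor\s+(\S+)\s*\{(.*?)\}", re.S)


@dataclass
class Monitor:
    name: str
    type: str = ""
    attrs: Dict[str, str] = field(default_factory=dict)
    inactive: List[str] = field(default_factory=list)   # attributes commented out with //


def parse_monitors(text: str) -> Dict[str, Monitor]:
    monitors: Dict[str, Monitor] = {}
    for match in STANZA.finditer(text):
        mon = Monitor(name=match.group(1))
        for raw in match.group(2).splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.startswith("#type"):
                mon.type = line.split()[1]
            elif line.startswith("//"):
                mon.inactive.append(line[2:].split()[0])
            else:
                key, _, value = line.partition(" ")
                mon.attrs[key] = value.strip().strip('"')
        monitors[mon.name] = mon
    return monitors


def validate(mon: Monitor) -> List[str]:
    """Sanity checks; the timeout-versus-interval rule is an assumption, not the manual's."""
    problems = []
    try:
        interval, timeout = int(mon.attrs["interval"]), int(mon.attrs["timeout"])
    except (KeyError, ValueError):
        return ["interval and timeout must both be present integers"]
    if timeout <= interval:
        problems.append("timeout does not exceed interval, so one missed probe marks the node down")
    if not mon.type:
        problems.append("missing #type")
    return problems


def resolve_dest(dest: str, node: str) -> str:
    """Apply the dest wildcards: '*' parts take the node's own address or port."""
    node_addr, _, node_port = node.partition(":")
    if dest == "*":
        return node
    addr, _, port = dest.partition(":")
    return f"{node_addr if addr == '*' else addr}:{node_port if port == '*' else port}"


def evaluate(results: List[bool], interval: int, timeout: int) -> List[str]:
    """Node state after each probe sent every `interval` seconds; the node is marked down
    once `timeout` seconds pass without a response (assumed reading of the rule)."""
    states, last_ok = [], None
    for i, responded in enumerate(results):
        now = i * interval
        if responded:
            last_ok = now
        up = last_ok is not None and now - last_ok < timeout
        states.append("up" if up else "down")
    return states
```

With interval 5 and timeout 16, a node that stops answering stays up through three missed probes and is marked down on the fourth, which is the behaviour an operator should expect before tuning those two values.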
The monitors themselves must be configured with the grouping in mind. For example, if the dest values of both monitors were set to *:*, then both monitor instances would try to ping the default port 80. This would both defeat the purpose of the HTTPS monitor and cause an automatic failure, since two monitors would be trying to ping the same address and port simultaneously.
4. If you want to associate more than one monitor, click the Move >> button to add the monitor name to the Monitor Rule box.
5. Repeat the previous two steps for each monitor you want to associate with a node.
6. Click Apply to associate the monitor(s). For additional information about associating a monitor, click the Help button.
Showing and deleting associations
There are node commands for showing and deleting node associations.
In deleting specific monitor instances, it is important to consider how the association was made. If a monitor instance was created using a wildcard address, the wildcard must be deleted.
5 Configuring Filters • Introduction • IP filters • Rate filters and rate classes
Configuring Filters Introduction Filters control network traffic by setting whether packets are accepted or rejected at the external network interface. Filters apply to both incoming and outgoing traffic. When creating a filter, you define criteria which are applied to each packet that is processed by the BIG-IP. You can configure the BIG-IP to accept or block each packet, based on whether or not the packet matches the criteria. The BIG-IP supports two types of filters, IP filters and rate filters.
Chapter 5 IP filters Typical criteria that you define in IP filters are packet source IP addresses, packet destination IP addresses, and upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined. For a single filter, you can define multiple criteria in multiple, separate statements. Each of these statements should reference the same identifying name or number, to tie the statements to the same filter.
Configuring Filters Rate filters and rate classes In addition to IP filters, you can also define rate filters. Rate filters consist of the basic filter and a rate class. Rate classes define how many bits per second are allowed per connection, and the number of packets in a queue. Configuring rate filters and rate classes Rate filters are a type of extended IP filter. They use the same IP filter method, but they apply a rate class which determines the volume of network traffic allowed through the filter.
Chapter 5 To configure a rate filter using the Configuration utility 1. In the navigation pane, click Filters. The IP Filters screen opens. 2. Click the Rate Filters tab. The Rate Filters screen opens. 3. Click the Add Filter button. The Add Rate Filter screen opens. 4. Type the necessary information to configure a new rate filter. For additional information about configuring a rate filter, click the Help button.
6 Configuring a Redundant System • Introduction • Synchronizing configurations between units • Configuring fail-safe settings • Mirroring connection information • Using gateway fail-safe • Using network-based fail-over • Setting a specific BIG-IP to be the preferred active unit • Setting up active-active redundant BIG-IP units
Configuring a Redundant System Introduction A BIG-IP redundant system consists of two identically configured BIG-IP units, only one of which is active at a given time (unless a special active-active configuration is chosen). The inactive unit serves as a standby which becomes active only in case of failure of the active system, a process called failover. BIG-IP redundant systems have special settings that you need to configure, such as VLAN fail-safe settings.
Chapter 6
Setting a dominant BIG-IP: You can set up one unit in a pair to be the dominant active BIG-IP. The unit you set up as the dominant BIG-IP will always attempt to be active.
Active-active configuration: The default mode for a BIG-IP redundant system is Active/Standby. However, you can configure both units to run in active mode.
Table 6.
Configuring a Redundant System The bigpipe config sync all command synchronizes the following configuration files: • The common BIG/db keys • All files in /config (except bigip_base.conf) The config sync running command synchronizes the running version of /config/bigip.conf, which is the image that resides in memory as the system runs. This file is written only to memory on the standby unit; it is not saved.
Chapter 6 5. If you are arming fail-safe, in the Timeout box, type the maximum time allowed for a loss of network traffic before a fail-over occurs. 6. Click the Apply button.
Configuring a Redundant System The mirror feature is intended for use with long-lived connections, such as FTP, Chat, and Telnet sessions. Mirroring is also effective for HTTP persistence connections. If you attempt to mirror all connections, it may degrade the performance of the BIG-IP. Commands for mirroring Table 6.2 contains the commands that support mirroring capabilities. For complete descriptions, syntax, and usage examples, see Chapter 7, bigpipe Command Reference.
Chapter 6 Mirroring virtual server state Mirroring provides seamless recovery for current connections when a BIG-IP fails. When you use the mirroring feature, the standby BIG-IP maintains the same state information as the active unit. Transactions such as FTP file transfers continue as though uninterrupted. Since mirroring is not intended to be used for all connections, it must be specifically enabled for each virtual server.
Configuring a Redundant System Using gateway fail-safe Fail-safe features on the BIG-IP provide network failure detection based on network traffic. Gateway fail-safe monitors traffic between the active BIG-IP and the gateway router, protecting the system from a loss of the internet connection by triggering a fail-over when the gateway is unreachable for a specified duration. You can configure gateway fail-safe in the Configuration utility or in BIG/db.
Chapter 6 To configure gateway fail-safe in BIG/db To enable gateway fail-safe in BIG/db, you need to change the settings of three specific BIG/db database keys using the bigpipe db command. The keys set the following values: • The IP address of the router • The ping interval • The timeout period To set the IP address of the router, type the following entry, where is the IP address, or host name, of the router you want to ping: b db set Local.Bigip.GatewayPinger.
Configuring a Redundant System Using network-based fail-over Network-based fail-over allows you to configure your redundant BIG-IP to use the network to determine the status of the active unit. Network-based fail-over can be used in addition to, or instead of, hard-wired fail-over. To configure network-based fail-over using the Configuration utility 1. In the navigation pane, click System. The Network Map screen opens. 2. Click the Redundant Properties tab. The Redundant Properties screen opens. 3.
Chapter 6 To clarify how this differs from default behavior, contrast the basic behavior of a BIG-IP in the following description. Each of the two BIG-IP units in a redundant system has a built-in tendency to try to become the active unit. Each unit attempts to become the active unit at boot time; if you boot two BIG-IP units at the same time, the one that becomes the active unit is the one that boots up first.
Configuring a Redundant System MAC masquerading is not supported in active-active mode. Configuring an active-active system The default mode for BIG-IP redundant systems is active/standby. To use active-active mode on the BIG-IP redundant system, you must perform the following tasks, in order. Each task included below is outlined in the following sections. • Enable active-active on the BIG-IP. • Configure an additional floating self IP address on the internal VLAN for each unit.
Chapter 6 To enable active-active from the command line Set the Common.Bigip.Failover.ActiveMode key to 1. Use the following commands on each unit to enable active-active mode: b db set Common.Bigip.Failover.ActiveMode = 1 b failover init The default for this entry is 0 which indicates that the unit is in active/standby mode.
Configuring a Redundant System Task 4: Checking the BIG-IP unit number Using the bigpipe db get *unit* command, check the value of the BIG/db key Local.Bigip.Failover.UnitId. This value should be 1 for one of the units, and 2 for the other. Each BIG-IP in an active-active configuration requires a unit number: either a 1 or a 2. The Setup utility allows a user to specify a unit number for each BIG-IP.
Chapter 6 Each BIG-IP in an active-active configuration requires a unit number: either a 1 or a 2. Use the Setup utility to specify a unit number for each BIG-IP. If you do not specify a unit number, the unit number for the virtual server defaults to 1. Note You must specify the unit number when defining virtual servers, NATs, and SNATs. You cannot add the unit number at a later time without redefining the virtual server, NAT, or SNAT. Note The default SNAT is not compatible with an active-active system.
Configuring a Redundant System To synchronize the configuration using the Configuration utility 1. In the navigation pane, click System. The Network Map screen opens. 2. Click the Redundant Properties tab. The Redundant Properties screen opens. 3. Click the Synchronize Configuration button.
Chapter 6 Disabling automatic fail back In some cases, you may not want connections to automatically failback. The fact that a machine has resumed operation may not be reason enough to disrupt connections that are running on the BIG-IP serving as both units. Note that because of addressing issues, it is not possible to slowly drain away connections from the machine that was running as both units, giving new requests to the recently rebooted machine.
Configuring a Redundant System ◆ Local.Bigip.Failover.UnitId This is the default unit number of the BIG-IP. This value is set by the Setup utility or when you upgrade your units to this version of the BIG-IP software. ◆ Common.Bigip.Failover.ManFailBack This is set to 1 so that manual intervention is required (the bigpipe failover failback command is issued) before a BIG-IP running both unit numbers surrenders a unit number to its peer. This feature is off by default, fail-back is automatic.
Chapter 6 Reviewing specific active-active bigpipe commands There are several specific commands included in bigpipe to support active-active configurations. One of these commands is the bigpipe failover init command. You can use the bigpipe failover init command to read the BIG/db database and refresh its parameters. To do this, type the following command: b failover init Another command specifically designed for active-active configurations is the bigpipe failover failback command.
7 bigpipe Command Reference
bigpipe commands bigpipe commands This chapter lists the various bigpipe commands, including syntax requirements and functional descriptions. Table 7.1 outlines the conventions used in the command line syntax.
Item in text  Description
\  Continue to the next line without typing a line break.
< >  You enter text for the enclosed item. For example, if the command has , type in your name.
|  Separates alternate options for a command.
[ ]  Syntax inside the brackets is optional.
...
Chapter 7: bigpipe Command Reference
Command  Description  Page
makecookie  Loads the BIG-IP configuration without resetting the current configuration.  7-21
merge  Loads a saved BIG-IP configuration without resetting the current configuration.  7-22
mirror  Copies traffic from any port or set of ports to a single, separate port.  7-23
monitor  Defines a health check monitor.  7-24
-n  Displays addresses and ports numerically rather than by name.
-? -? b -? For certain commands, displays online help, including complete syntax, description, and other related information.
Chapter 7: bigpipe Command Reference class b class { ... } ::= HOST | NETWORK MASK b class { ... } b class { ... } b show b class ip show b class string show b class value show b class show b class delete Creates, shows, and deletes any classes, such as class AOL. Default classes are also shown. The BIG-IP includes a number of predefined lists.
config config b config sync b config sync all b config sync running b config save b config install Synchronizes configurations of two BIG-IP units in a redundant system by collecting and copying the configuration file(s) from the active unit to the standby unit (config sync). Also archives configuration files for backup purposes (config save) and installs saved files (config install).
Chapter 7: bigpipe Command Reference Installing an archived configuration file config install reinstalls the archived configuration files saved as .ucs to their working locations on the local unit. If you use command line utilities to set configuration options, be sure to save the current configuration to the relevant files before you use the configuration synchronization feature. (Alternatively, if you want to test the memory version on the standby unit first, use bigpipe config sync running.
conn conn b conn [ [:] ] dump [mirror] Displays information about current client connections to virtual addresses and virtual servers. The following command displays all current client connections: b conn dump The output shows the source IP address, virtual server IP address, and node to which the client is connected. bigip conn dump fromvirtual node 100.100.100.30:49152 ->100.100.100.100:23 ->200.200.200.10:23 100.100.101.90:49153 ->100.100.100.100:80 ->200.200.200.10:80 ...
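The "b conn dump" output above is the kind of listing an operator reads during an incident to see which clients are on which node. The following is an added example, not code from the BIG-IP product: a small parser for that three-column layout (client -> virtual server -> node) with two aggregations over it. The connection lines are constructed in the same format as the sample output; the header line and column titles are assumptions about the layout.

```python
import re
from collections import Counter

# Constructed sample in the layout the manual shows for "b conn dump":
# client address -> virtual server address -> node address.
SAMPLE_CONN_DUMP = """\
bigip conn dump
from                  virtual                 node
100.100.100.30:49152 ->100.100.100.100:23 ->200.200.200.10:23
100.100.101.90:49153 ->100.100.100.100:80 ->200.200.200.10:80
100.100.101.91:49154 ->100.100.100.100:80 ->200.200.200.11:80
"""

# One connection line: three host:port columns separated by "->".
CONN_RE = re.compile(r"^(\S+:\d+)\s*->\s*(\S+:\d+)\s*->\s*(\S+:\d+)\s*$")


def parse_conn_dump(text):
    """Return (client, virtual, node) tuples; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(m.groups())
    return conns


def connections_per_node(text):
    """Count live connections by back-end node (address:port)."""
    return Counter(node for _, _, node in parse_conn_dump(text))


def clients_for_virtual(text, virtual):
    """List client source addresses currently connected to one virtual server."""
    return sorted(c for c, v, _ in parse_conn_dump(text) if v == virtual)


if __name__ == "__main__":
    for node, n in connections_per_node(SAMPLE_CONN_DUMP).most_common():
        print(f"{node:<22} {n}")
```

Feeding the real command output into parse_conn_dump instead of the constructed sample gives a quick per-node connection count, which is useful for confirming that a node marked down by a monitor is in fact draining.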
Chapter 7: bigpipe Command Reference default_gateway b default_gateway use pool b default_gateway show b default_gateway delete This command creates, shows, or deletes a pool of default gateways, with nodes in the pool corresponding to different routes. Connections originating from the system with a destination for which there is no other route choose a route from the default gateway pool. Note that the default gateway pool is not a last-hop pool for services running on the system.
failover failover b failover active | standby | show | init | failback This group of commands affects the fail-over status of the BIG-IP or 3-DNS system. In an active/standby or active-active configuration, run the following command to place a BIG-IP or 3-DNS system in standby mode: b failover standby Show the status of the BIG-IP or 3-DNS system with the following command: b failover show In an active-active configuration, run the following command after you issue the bigpipe failover standby command.
Chapter 7: bigpipe Command Reference global b global auto_lasthop enable | disable | show b global fastest_max_idle_time b global fastflow_active auto | on | off | show b global fastflow_active auto | on | off | show b global gateway failsafe arm | disarm | show b global ipforwarding enable | disable b global mirror enable | disable | show b global memory_reboot_percent b global open_3dns_ports enable | disable | show b global open_corba_ports enable | disable | show b global open_snmp_
global fastest_max_idle_time Sets the number of seconds a node can be left idle by the fastest load balancing mode. This forces the BIG-IP to send fewer connections to a node that is responding slowly, and also allows the BIG-IP to periodically recalculate the response time of the slow node. fastflow_active You can use this variable to control additional enhancements that speed packet flow for TCP connections when the packets are not fragmented.
Chapter 7: bigpipe Command Reference To disarm fail-safe on the gateway, enter the following command: b global gateway failsafe disarm To see the current fail-safe status for the gateway, enter the following command: b global gateway failsafe show For more information about configuring gateway fail-safe, see Health monitors, on page 4-137. ipforwarding Enables IP forwarding for the BIG-IP. IP forwarding exposes all of the node IP addresses to the external network, making them routable on that network.
global The following command sets this variable to open the Telnet port (23) to allow administrative Telnet connections. This is useful for BIG-IP units that do not support encrypted communications, or for a unit that needs to communicate with the 3-DNS software. (See the 3-DNS Administrator Guide for more information.
Chapter 7: bigpipe Command Reference open_failover_ports This variable enables or disables network failover when a VLAN has port lockdown enabled. The following command enables network failover: b global open_failover_ports enable The following command disables network failover: b global open_failover_ports disable persist map_proxies The default setting for the persist map_proxies variable is enable. The AOL proxy addresses are hard-coded.
global The following command resets the timer only when the persistent connection is initiated. b global persist timer timeout Note For SSL persistence, the timer is always reset on each packet. persist across_services When this variable is enabled, all simple persistence connections from a client IP address that go to the same virtual address also go to the same node (matches the client address and the virtual IP address but not the virtual port). The default setting for this variable is disabled.
Chapter 7: bigpipe Command Reference Setting log levels only for TCP traffic The following command turns on only TCP port denial logging, which logs TCP port denials to the BIG-IP address. b global verbose_log_level 2 The following command turns on virtual TCP port denial logging, which logs TCP port denials to the virtual server address.
-h and -help -h and -help b [-h | -help ] Displays the bigpipe command syntax or usage text for all current commands. Note More detailed man pages are available for some individual bigpipe commands. To display detailed online help for the bigpipe command, type: man bigpipe.
Chapter 7: bigpipe Command Reference interface b interface media | show b interface duplex full | half | auto | show b interface [] show [verbose] b interface [] stats reset Displays names of installed network interface cards and allows you to set properties for each network interface card. Setting the media type The media type may be set to the specific media type for the interface card or it may be set to auto for auto detection.
load load b [verify] load [ | - ] b [-log] load [ | - ] Resets all of the BIG-IP settings and then loads the configuration settings, by default from the /config/bigip.conf and /config/bigip_base.conf files. For testing purposes, you can save a test configuration by renaming it to avoid confusion with the boot configuration file. To load a test configuration, use the load command with the parameter. For example, if you renamed your configuration file to /config/bigtest.
Chapter 7: bigpipe Command Reference maint b maint Toggles a BIG-IP into and out of Maintenance mode. When in Maintenance mode, a BIG-IP accepts no new connections, but it does allow existing connections to complete. The maint command interactively prompts you to enter or exit the maintenance mode. b maint If the BIG-IP is already in maintenance mode, the maint command takes the BIG-IP out of maintenance mode.
makecookie makecookie b makecookie Generates a cookie string with encoding automatically added for cookie persistence Passive mode: b makecookie [ > ] This command prints a cookie template similar to the templates shown in Figure 7.2 and Figure 7.3. Set-Cookie:BIGipServer[poolname]=336268299.20480.0000; path=/ Figure 7.2 Sample cookie template Set-Cookie:BIGipServer[poolname]=336268299.20480.0000; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/ Figure 7.
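The sample value in Figure 7.2, 336268299.20480.0000, is not opaque: the first field is the node's IPv4 address as a little-endian 32-bit integer and the second is its port as a little-endian 16-bit integer, so it decodes to the node 11.12.11.20:80 used elsewhere in this guide. Because any client that receives the cookie can decode it, the cookie discloses the back-end node address and port, which is worth knowing when deciding whether internal addressing may be exposed. The following is an added example, not BIG-IP code, that decodes and re-encodes such values and extracts them from a Set-Cookie line; the regular expression for the BIGipServer attribute is an assumption based on the templates shown.

```python
import ipaddress
import re

# Matches the "BIGipServer<pool>=<ip>.<port>.<reserved>" attribute of a
# Set-Cookie line (pattern assumed from the Figure 7.2 / 7.3 templates).
COOKIE_RE = re.compile(r"BIGipServer(?P<pool>[^=;\s]+)=(?P<value>\d+\.\d+\.\d+)")


def decode_bigip_cookie(value):
    """Decode '<ip>.<port>.<reserved>' into (node_ip, node_port).

    The first field is the node's IPv4 address as a little-endian 32-bit
    integer, the second its port as a little-endian 16-bit integer.
    """
    ip_field, port_field, _reserved = value.split(".", 2)
    ip = ipaddress.IPv4Address(int(ip_field).to_bytes(4, "little"))
    port = int.from_bytes(int(port_field).to_bytes(2, "little"), "big")
    return str(ip), port


def encode_bigip_cookie(node_ip, node_port, reserved="0000"):
    """Inverse of decode_bigip_cookie; yields the same string makecookie emits."""
    ip_field = int.from_bytes(ipaddress.IPv4Address(node_ip).packed, "little")
    port_field = int.from_bytes(node_port.to_bytes(2, "big"), "little")
    return f"{ip_field}.{port_field}.{reserved}"


def parse_set_cookie(header):
    """Extract (pool, node_ip, node_port) from a Set-Cookie header, or None."""
    m = COOKIE_RE.search(header)
    if not m:
        return None
    ip, port = decode_bigip_cookie(m.group("value"))
    return m.group("pool"), ip, port


if __name__ == "__main__":
    # The page's own sample template from Figure 7.2.
    sample = "Set-Cookie:BIGipServer[poolname]=336268299.20480.0000; path=/"
    print(parse_set_cookie(sample))
```

An administrator can run parse_set_cookie over cookies captured from their own virtual servers to confirm exactly which node addresses and ports are being handed to clients.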
Chapter 7: bigpipe Command Reference merge b [-log] merge [] Use the merge command to load the BIG-IP configuration from without resetting the current configuration.
mirror mirror b mirror interfaces add b mirror interfaces delete For the BIG-IP Application Switch, you can copy traffic from any port or set of ports to a single, separate port. This is called port mirroring. You should attach a sniffer device to the target port, called the mirror-to port, for debugging and/or monitoring.
Chapter 7: bigpipe Command Reference monitor b monitor '{ use [ ]... }' b monitor show [all] b monitor dump [all] b monitor show b monitor delete b monitor enable | disable b monitor instance : enable | disable b monitor instance enable | disable Defines a health monitor. A health monitor is a configuration object that defines how and at what intervals a node is pinged to determine if it is up or down.
monitor
Name/Type  Template-Specific Attribute Set
external  run "" args ""
ftp  username "anonymous" password "bigip1@internal" get "/README" url (optional)
nntp  username "" password "" newsgroup "local"
pop3  username "" password ""
smtp  domain "bigip1@internal"
snmp_dca  CPU coefficient "" CPU threshold "" memory coefficient "" memory threshold "" disk coefficient "" disk threshold "" useroid "" useroid coefficient "" useroid threshold ""
snmp_dca_base  useroid "" useroid coefficient "" useroid
Chapter 7: bigpipe Command Reference Table 7.4 defines the attributes used in the templates. Attribute Definition interval Ping frequency time interval in seconds. timeout Ping timeout in seconds. dest Ping destination node. Usually * for simple monitors, *:* for all others, causing the monitor instance to ping the address or address:port for which it is instantiated. Specifying address and/or port forces the destination to that address/port.
monitor
Attribute  Definition
secret  Shared secret for radius EAV checking only.
folder  Folder name for imap EAV checking only.
message_num  Optional message number for imap EAV checking only.
base  Starting place in the LDAP hierarchy from which to begin the query, for ldap EAV checking only.
filter  LDAP-format key of what is to be searched for, for ldap EAV checking only.
Table 7.
Chapter 7: bigpipe Command Reference -n b -n Use the -n option in combination with other commands, such as bigpipe virtual, to display services and IP addresses numerically rather than by service name and host name, respectively. For example, type the following command to display services numerically: b -n virtual Figure 7.4 shows an example of output that uses IP address instead of host names. virtual +------> 11.100.1.
nat nat b nat to [unit ] b nat [...] delete b nat [ [...] ] show | delete b nat [ [...] ] show | delete b nat [...
Chapter 7: bigpipe Command Reference node b node [:]... enable | disable b node [:... show b node [:]... limit b node [:]... stats reset b node [:service] up | down b node [:] monitor use [and ]... b node [[:]] monitor show | delete b node []...
pool pool b pool { lb_method } b pool { lb_method persist_mode ... } b pool { lb_method min_active_members ...
Chapter 7: bigpipe Command Reference
Mode Name  lb_mode attribute value
Fastest Member  fastest_member
Least Connections  least_conn
Least Connections Member  least_conn_member
Observed  observed
Observed Member  observed_member
Predictive  predictive
Predictive Member  predictive_member
Dynamic Ratio  dynamic_ratio
Table 7.5 Load balancing modes
For more information about the load balancing modes, refer to Load balancing method, on page 4-5.
proxy proxy b proxy : [unit ][{] target > : [clientss] [[clientssl] key ] [[clientssl] cert ] [[clientssl] chain ] [[clientssl] ca file ] [[clientssl] ca path ] [[clientssl] client cert ca ] [[clientssl] cipher insert [] [[clientssl] client cert insert
Chapter 7: bigpipe Command Reference
b proxy vlans show
b proxy : serverssl show
b proxy : serverssl key show
b proxy : serverssl cert show
b proxy : serverssl chain show
b proxy : serverssl ca file show
b proxy : serverssl ca path show
b proxy : serverssl ciphers show
b proxy : serverssl invalid show
b proxy : se
ratio ratio b ratio [] [node_ip> ...] show b ratio [...] For the Ratio load balancing mode, this command sets the weight or proportions for one or more node addresses.
Chapter 7: bigpipe Command Reference reset b reset Use the following syntax to clear the configuration values and counter values from memory: b reset Use this command with caution. All network traffic stops when you run this command. Typically, this command is used on a standby BIG-IP prior to loading a new /config/bigip.conf file that contains new service enable and timeout values.
rule rule b rule '{ if ( ) { |
Chapter 7: bigpipe Command Reference If the rule is defined on the bigpipe command line, you can either surround each pair of parentheses in single quotation marks (’), or place a pair of single quotation marks around the braces.
save save b save [ | - ] b base save [ | - ] Writes the current BIG-IP configuration settings from memory to the configuration files named /config/bigip.conf and /config/bigip_base.conf. (/config/bigip.conf stores high level configuration settings, such as pools, virtual servers, NATs, SNATs, and proxies. /config/bigip_base.conf stores low level configuration settings, like VLANs, non-floating self IP addresses, and interface settings.
Chapter 7: bigpipe Command Reference self b self vlan [ netmask ][ broadcast ] [unit ] b self floating enable | disable b self delete b self show b self show b self snat automap enable | disable Defines a self IP address on a BIG-IP or 3-DNS system. A self IP address is an IP address mapping to a VLAN or VLAN group and their associated interfaces on a BIG-IP or 3-DNS system.
service service b service [...] limit b service [...] tcp enable | disable b service [...] timeout tcp b service [...] udp enable | disable b service [...] timeout udp b service [... ] show b service [... ] stats reset Enables and disables network traffic on services, and also sets connection limits and timeouts.
Chapter 7: bigpipe Command Reference snat b snat map [...] to [unit ] [netmask ] [arp disable] [vlan disable] b snat map default to [unit ] [netmask ] b snat [...] delete | show b snat default delete | show b snat default dump [verbose] b snat [ [...] ] dump [verbose] b snat globals show b snat default show b snat [ [...] ] show b snat [ [...
stp stp b stp interfaces add | all b stp hello b stp max_age b stp forward_delay b stp interfaces delete b stp enable|disable The BIG-IP IP Application Switch provides Spanning Tree Protocol (STP) implementation for loop resolution in configurations where one or more external switches is connected in parallel with the BIG-IP.
Chapter 7: bigpipe Command Reference summary b summary Displays a summary of current usage statistics. The output display format for the summary command is shown in Figure 7.6. You can find detailed descriptions of each of statistic displayed by the summary command in Monitoring the BIG-IP, on page 11-2.
trunk trunk b trunk define b trunk [] show [verbose] b trunk [] stats reset The trunk command aggregates links (individual physical interfaces) to form a trunk. This link aggregation increases the bandwidth of the individual NICs in an additive manner. Thus, four fast Ethernet links, if aggregated, create a single 400 Mb/s link. The other advantage of link aggregation is link failover.
Chapter 7: bigpipe Command Reference unit b unit [show] b unit peer [show] The unit number on a system designates which virtual servers use a particular unit in an active-active redundant configuration. You can use the bigpipe unit command to display the unit number assigned to a particular BIG-IP.
verbose verbose b verbose virtual_server_udp_port_denial b verbose virtual_server_tcp_port_denial b verbose bigip_udp_port_denial b verbose bigip_tcp_port_denial Used to modify the verbose log level. This command is an alternative to using the bigpipe global verbose command. Table 7.6 defines the command and shows the equivalencies.
b verbose command  b global verbose command
b verbose bigip_udp_port_denial  Turns UDP port denial logging on. This logs UDP port denials to the BIG-IP address.
Chapter 7: bigpipe Command Reference verify b [log] verify | -] Parses the command line and checks syntax without executing the specified command. This distinguishes between valid and invalid commands. Use the verify command followed by a command that you want to validate: b verify virtual 10.10.10.100:80 use pool my_pool The command checks the syntax and logic, reporting any errors that would be encountered if the command executed.
version version b version Displays the version of the BIG-IP operating system and the features enabled. For example, for a BIG-IP HA, the bigpipe version command displays the output shown in Figure 7.7.
Chapter 7: bigpipe Command Reference virtual b virtual [:] [unit ] [netmask ] [broadcast ] use pool b virtual : [/][unit ] use pool b virtual [:] [unit ] [netmask ] use rule b virtual [:] [unit ] [netmask ] forward b virtual : translate port enable | disable | show b virtual : svc_down_reset enable | disable | show b virtual
vlan vlan b vlan rename b vlan delete b vlan tag b vlan interfaces add [tagged] b vlan interfaces delete b vlan interfaces delete all b vlan interfaces show b vlan port_lockdown enable | disable b vlan bridging enable | disable b vlan proxy_forward enable | disable b vlan failsafe arm | disarm | show b vlan timeout
Chapter 7: bigpipe Command Reference vlangroup vlangroup [] [show] vlangroup [] list vlangroup delete vlangroup tag vlangroup [] tag [show] vlangroup [] interfaces [show] vlangroup vlans add vlangroup vlans delete vlangroup vlans delete all vlangroup [] vlans [show] vlangroup port_lockdown
vlangroup L2 forwarding must be enabled for the VLAN group using the VLAN proxy_forward attribute. This attribute is enabled by default when the VLAN group is enabled.
8 Configuring SNMP • Introduction • Downloading the MIBs • Configuring SNMP using the Configuration utility • SNMP configuration files • Configuring snmpd to send responses out of different ports or addresses
Configuring SNMP Introduction This chapter covers the management and configuration tasks for the simple network management protocol (SNMP) agent and management information bases (MIBs) available with the BIG-IP. Note On a BIG-IP with a 3-DNS module installed, you must configure the SNMP agent in order to use the SEE-IT Network Manager.
Chapter 8 ◆ Etherlike-MIB.txt This is a standard MIB which describes statistics for the collection of ethernet interfaces attached to the system. It is fully documented in RFC-2665. ◆ If-MIB.txt This MIB supports an extended version of the ifTable including 64-bit counters. ◆ RMON-MIB.txt This is a standard MIB that describes real-time and historical statistics for the ethernet systems in the interface.
Configuring SNMP Configuring SNMP using the Configuration utility To configure SNMP for a remote network management station, you must perform the following tasks: ◆ Set up client access Configure the BIG-IP to allow administrative access to the SNMP agent. ◆ Configure system information Set the system information variables. ◆ Configure Traps Enable traps and specify by community, port, and sink. All three tasks are performed using the SNMP Administration screen, shown in Figure 8.1.
Chapter 8 To allow access to the SNMP agent using the Configuration utility 1. In the top of the SNMP Administration screen, check the Enable box to allow access to the BIG-IP SNMP agent. 2. In the Client Access Allow List section, type the following information: • IP Address or Network Address Type in an IP address or network address from which the SNMP agent can accept requests. Click the Add (>>) button to add the address to the Current List. For a network address, type in a netmask.
Configuring SNMP 3. In the Community String box, type a community name. The community name is a clear text password used for basic SNMP security and for grouping machines that you manage. Configuring traps To configure traps, you provide three pieces of information: ◆ trapcommunity This sets the community string (password) to use for sending traps. If set, it also sends a trap upon startup: coldStart(0). ◆ trapport This sets the port on which traps are sent.
Chapter 8 SNMP configuration files The SNMP options that you specify in the SNMP Administration screen are written to one or more of the following configuration file or files. If you prefer, you can configure SNMP by directly editing the appropriate files with a text editor rather than using the Configuration utility. ◆ hosts.deny This file denies all UDP connections to the SNMP agent. ◆ hosts.allow This file specifies which hosts are allowed to access the SNMP agent. ◆ snmpd.
Configuring SNMP For example, you can type the following line which sets the SNMP agent to accept connections from the IP addresses specified: bigsnmpd: 128.95.46.5 128.95.46.6 128.95.46.7 For a range of addresses, the basic syntax is as follows, where daemon is the name of the daemon, and IP/MASK specifies the network that is allowed access. The IP must be a network address: daemon: IP/MASK For example, you might use the following line which sets the bigsnmpd daemon to allow connections from the 128.95.
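To check how a hosts.allow entry will treat a given management station before relying on it, the following added example (not BIG-IP code) parses the two address forms shown above, a list of host addresses and a network address with a netmask, and answers whether a client address is admitted for a daemon. The file content is a constructed sample; the second network line is an assumption in the IP/MASK syntax the text describes. Using strict network parsing enforces the rule that the IP in IP/MASK must be a network address, and any client not matched falls through to hosts.deny, which denies all UDP connections to the SNMP agent. Only the address forms on this page are handled, not hostnames or the other keywords the underlying access-control syntax supports.

```python
import ipaddress

# Constructed hosts.allow content in the two forms the manual shows:
# a list of host addresses, and a network address with a netmask.
SAMPLE_HOSTS_ALLOW = """\
# constructed sample, not a file from a real system
bigsnmpd: 128.95.46.5 128.95.46.6 128.95.46.7
bigsnmpd: 128.95.47.0/255.255.255.0
"""


def network_token_is_valid(token):
    """True if token is a host address or a proper network address with its mask.

    strict=True rejects an IP/MASK whose host bits are set, mirroring the
    manual's rule that the IP in IP/MASK must be a network address.
    """
    try:
        ipaddress.ip_network(token, strict=True)
        return True
    except ValueError:
        return False


def parse_hosts_allow(text):
    """Map daemon name -> list of allowed networks (/32 for single hosts)."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemon, addrs = line.split(":", 1)
        nets = rules.setdefault(daemon.strip(), [])
        for token in addrs.split():
            if not network_token_is_valid(token):
                raise ValueError(f"{token!r} is not a host or network address")
            nets.append(ipaddress.ip_network(token, strict=True))
    return rules


def is_allowed(daemon, client_ip, rules):
    """A client is allowed only if some entry for that daemon contains it.

    Anything not matched here falls through to hosts.deny, which the manual
    says denies all UDP connections to the SNMP agent.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in rules.get(daemon, []))


if __name__ == "__main__":
    rules = parse_hosts_allow(SAMPLE_HOSTS_ALLOW)
    for client in ("128.95.46.6", "128.95.47.200", "128.95.48.1"):
        print(client, "allowed" if is_allowed("bigsnmpd", client, rules) else "denied")
```

Running parse_hosts_allow over the real file before a change is a cheap way to catch a mis-typed netmask or a host address written where a network address is required.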
Chapter 8 • trapcommunity This sets the community string (password) to use for sending traps. If set, it also sends a trap upon startup: coldStart(0). • authtrapenable Setting this variable to 1 enables traps to be sent for authentication warnings. Setting it to 2 disables it. • data_cache_duration This is the time in seconds during which data is cached. The default value for this setting is one second.
Configuring SNMP You may, however, insert your own regular expressions and map them to the 110.1 OID. The /etc/snmptrap.conf file contains two examples for mapping your own OIDs: • Unknown error • Unknown failure By default, the lines for these files are commented out. Use these OIDs for miscellaneous events. When lines match your expression, they are sent to your management software with the 110.2.1 OID.
Use this command to make the agent listen on the specified list of sockets instead of the default port, which is port 161. Separate multiple ports by commas. You can specify transports by prefixing the port number with the transport name (udp or tcp) followed by a colon. To bind to a particular interface, specify the address you want the agent to bind to.
9 BIG/db Configuration Keys • Supported BIG/db configuration keys
Supported BIG/db configuration keys
The BIG/db is a database that contains configuration elements for the BIG-IP. Configuration options that BIG/db supports include:
• Fail-over
• State mirroring
• Gateway failsafe pingers
• Configuration synchronization
• Interface related settings
• Health monitor settings
The BIG/db keys for each of these features are described in the following series of tables. The keys are viewed and set using the bigpipe db command.
Chapter 9 To unset a BIG/db configuration key To unset a BIG/db configuration key, use the following syntax: b db unset b db unset For example, the following command unsets Local.Bigip.FTB.HostNumber: b db unset Local.Bigip.FTB.HostNumber The following command unsets all local keys: b db unset set Local.* Failover and cluster keys The failover and cluster keys (Table 9.1) control failover from the active to the standby unit in a BIG-IP redundant system.
Fail-Over Key Name and Description
Common.Bigip.Failover.PrintPeerState = 0
  The default value for this key is 0. Fail-over daemon (/sbin/sod) writes the state of its connection to its peer, hardwire and/or network. This information is written to the fail-over daemon's debug log file.
Common.Bigip.Failover.UseTty00 = 0
  Failover daemon uses /dev/tty00 for hardwired failover.
Common.Bigip.Failover.UseTty01 = 1
  Failover daemon uses /dev/tty01 for hardwired failover.
Local.Bigip.
State Mirroring Key Name and Description
Common.Bigip.StateMirror.NoGC = 0
  By default, state mirroring causes mirrored data structures to be deleted when it receives a new connection. This key is brought up to date by the unit's peer. This can cause a delay if the system is heavily loaded. Turning off the GC is provided as an option.
Common.Bigip.StateMirror.ActiveFile
  Enables writing of data from the active unit's kernel into the ActiveFile file.
Bigd keys
The Bigd keys (Table 9.4) control the health monitors. If you change one of these values, you must re-initialize the system as follows:
bigstart reinit bigd
Bigd Key Name and Description
Common.Bigip.Bigd.Verbose = 0
  Set to non-zero to cause bigd to generate output to the debug file.
Common.Bigip.Bigd.SimulatePings = 0
  Set to non-zero to cause bigd to generate pings but not report results to the kernel.
Common.Bigip.Bigd.
Key Names and Description
Common.Bigip.CORBA.AddrResolveNumeric="true"
  Set to "true" causes the CORBA portal to resolve client addresses numerically.
Common.Bigip.CORBA.IIOPPort ="683"
  Default CORBA IIOP port used for LINK-IT BIG/api
Table 9.
10 Configuration Files • BIG-IP configuration files
BIG-IP configuration files
The following table includes a list of the configuration files on the BIG-IP.
/config/bigip.conf
  Stores virtual server and node definitions and settings, including node ping settings, the load balancing mode, and NAT and SNAT settings.
/config/bigip_base.conf
  Stores BIG-IP self IP addresses and VLAN and interface configurations.
/config/bigip.license
  Stores authorization information for the BIG-IP.
/etc/bigconf.
11 Monitoring and Administration • Monitoring and administration utilities • Using the bigpipe utility as a monitoring tool • Using the Configuration utility for administration and monitoring • Working with the BIG/top utility • Working with the Syslog utility • Powering down the BIG-IP • Removing and returning items to service • Viewing system statistics and log files • Printing the connection table • Changing passwords • Working with the BIG/db database • Working with the BIG/stat utility
Monitoring and Administration Monitoring and administration utilities The BIG-IP platform provides several utilities for monitoring and administration of the BIG-IP. You can monitor system statistics, as well as statistics specific to virtual servers and nodes, such as the number of current connections, and the number of packets processed since the last reboot.
Chapter 11 Monitoring the BIG-IP The bigpipe summary command displays performance statistics for the BIG-IP itself. This display summary includes current usage statistics, such as the amount of time a BIG-IP has been running since the last reboot. To display a summary of the performance statistics for the BIG-IP, type the following command: b summary The performance statistics display in the format shown in Figure 11.1 (the output has been truncated for this example).
Table 11.1 contains descriptions of each individual statistic included in the summary display screen.
total uptime: Total time elapsed since the BIG-IP was last booted.
total uptime (secs): Total uptime displayed in seconds.
total # connections: Total number of connections handled.
total # pkts: Total number of packets handled.
total # bits: Total number of bits handled.
total # pkts (inbound): Total number of incoming packets handled.
virtual path max connections deny: The number of virtual path connections dropped because the maximum number of connections was exceeded.
virtual non syn: The number of packets received which are not connection requests, and are destined to a virtual address, but not a valid virtual server (port).
error virtual fragment no port: The number of IP fragments for which there is no port.
Monitoring and Administration • Secure network address translations (SNATs) • Global statistics When you reset one of these items, the packets in, packets out, bytes in, and bytes out counters of the target item are reset to zero. The maximum connection count counter is also reset. The current connections counter is not reset, and the total connections counter is set equal to the number of current connections. Note The statistics are reset for the specified items only.
Chapter 11 To reset statistics for node servers and node addresses Use the following syntax to reset statistics for all node addresses and node servers: b node stats reset You can reset statistics for the node address specified by the IP address : b node stats reset For example, to reset the statistics for the node address 10.1.1.1, use the following syntax: b node 10.1.1.
Monitoring and Administration Use the following syntax to reset statistics for the NAT for the IP address . b nat stats reset For example, to reset the statistics for the NAT 172.20.3.101, use the following command: b nat 172.20.3.101 stats reset To reset the statistics for a list of origin IPs, use the following command where addresses are separated by spaces: b nat 172.20.3.101 172.20.3.
Chapter 11 Monitoring virtual servers, virtual addresses and services You can use different variations of the bigpipe virtual command, as well as the bigpipe port command, to monitor information about virtual servers, virtual addresses, and services managed by the BIG-IP.
Monitoring and Administration Displaying information about services The bigpipe port show command allows you to display information about specific virtual ports managed by the BIG-IP. You can use the command to display information about all virtual services, or you can specify one or more particular virtual services.
To display NAT status from the command line
Use the following command to display the status of all NATs included in the configuration:
b nat show
Use the following syntax to display the status of one or more selected NATs:
b nat [...] show
An example of the output for this command is shown in Figure 11.4.
NAT { 10.10.10.3 to 9.9.9.9 }
   (pckts,bits) in = (0, 0), out = (0, 0)
NAT { 10.10.10.4 to 12.12.12.12 netmask 255.255.255.0 broadcast 12.12.12.
Monitoring and Administration Using the Configuration utility for administration and monitoring You can use the Configuration utility System Admin screen to add users, customize the user interface, configure SNMP, and save and restore a current configuration. You can use the Configuration utility to allow access to the SNMP agent and to set SNMP properties. For more information on configuring SNMP, refer to Chapter 8, Configuring SNMP.
Chapter 11 Working with the BIG/top utility BIG/top™ is a real-time statistics display utility. The display shows the date and time of the latest reboot and lists activity in bits, bytes, or packets. Similar to BIG/stat, the BIG/top utility accepts options which allow you to customize the display of information. For example, you can set the interval at which the data is refreshed, and you can specify a sort order. The BIG/top displays the statistics as shown in Figure 11.5, following.
-pkts: Displays the counts in packets (the default is bits).
-scroll: Disables full-screen mode.
-virtuals: Sets the number of virtual servers to print (the default is to print all virtual servers).
Table 11.2 BIG/top command options
Using runtime commands in BIG/top
Unless you specified the -once option, the BIG/top utility continually updates the display at the rate indicated by the -delay option.
Sample log messages
Table 11.3 shows sample log messages to give you an idea of how the Syslog utility tracks events that are specific to the BIG-IP.
bigd: allowing connections on port 20
  A user specifically allowed connections on virtual port 20.
bigd: node 192.168.1.1 detected up
  The 192.168.1.1 node address was successfully pinged by the BIG-IP.
bigd: added service port 20 to node 192.168.1.1
  A user defined a new node, 192.168.1.1:20.
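The bigd messages in Table 11.3, as an added example that is not from the guide: a Python parser that classifies those message forms in constructed syslog lines and flags nodes whose monitored state keeps changing, which is the kind of check an operator would run over the Syslog output. The "detected down" form, the syslog prefix and the sample lines are assumptions, not taken from the guide.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines (not captured from a real BIG-IP). The three
# message forms come from Table 11.3; "detected down" is assumed to be the
# counterpart of "detected up" and does not appear in the table.
SAMPLE_SYSLOG = """\
Mar  3 10:00:01 bigip bigd: allowing connections on port 20
Mar  3 10:00:02 bigip bigd: added service port 20 to node 192.168.1.1
Mar  3 10:00:05 bigip bigd: node 192.168.1.1 detected up
Mar  3 10:01:10 bigip bigd: node 192.168.1.1 detected down
Mar  3 10:01:40 bigip bigd: node 192.168.1.1 detected up
Mar  3 10:02:15 bigip bigd: node 192.168.1.1 detected down
Mar  3 10:02:50 bigip bigd: node 192.168.1.2 detected up
Mar  3 10:03:00 bigip sshd: unrelated message that is ignored
"""

# One pattern per bigd message form; named groups carry the fields of interest.
PATTERNS = [
    ("allow_port", re.compile(r"bigd: allowing connections on port (?P<port>\d+)$")),
    ("add_service", re.compile(
        r"bigd: added service port (?P<port>\d+) to node (?P<node>[\d.]+)$")),
    ("node_state", re.compile(
        r"bigd: node (?P<node>[\d.]+) detected (?P<state>up|down)$")),
]


def parse_line(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (event_type, fields) for a recognised bigd message, else None."""
    for name, pattern in PATTERNS:
        match = pattern.search(line.rstrip())
        if match:
            return name, match.groupdict()
    return None


def node_states(text: str) -> Dict[str, List[str]]:
    """Map each node address to the sequence of states bigd reported for it."""
    states: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == "node_state":
            states[parsed[1]["node"]].append(parsed[1]["state"])
    return dict(states)


def flapping_nodes(text: str, threshold: int = 3) -> List[str]:
    """Nodes whose up/down state changed at least `threshold` times.

    Repeated transitions usually mean an unstable node or an unreliable
    monitor path rather than a single outage, so they deserve a closer look.
    """
    flapping = []
    for node, seq in sorted(node_states(text).items()):
        changes = sum(1 for before, after in zip(seq, seq[1:]) if before != after)
        if changes >= threshold:
            flapping.append(node)
    return flapping


if __name__ == "__main__":
    for node, seq in node_states(SAMPLE_SYSLOG).items():
        print(node, " -> ".join(seq))
    print("flapping:", flapping_nodes(SAMPLE_SYSLOG))
```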
Monitoring and Administration eventually determine that the nodes associated with the server are down, specifically removing the nodes from service can prevent interruptions on long duration client connections.
Chapter 11 Removing individual virtual servers, virtual addresses, and ports from service The BIG-IP also supports taking only selected virtual servers, addresses, or ports out of service, rather than removing the BIG-IP itself from service. Each bigpipe command that defines virtual servers and their components supports enable and disable keywords, which allow you to remove or return the elements from service.
Monitoring and Administration To enable and disable nodes and node addresses from the command line The bigpipe node command allows you to enable or disable individual nodes, as well as node addresses.
Chapter 11 • Rate filter statistics, including the number of bits passed through, delayed, and dropped by individual rate filters • Information about illegal connection attempts, such as the source IP addresses from which the illegal connection is initiated Statistics are displayed in real-time. You can specify the update frequency by setting an interval (in seconds), and then clicking Update.
Monitoring and Administration The user accounts you create in the Configuration utility can have full, partial, or read-only access to the BIG-IP. To create user accounts in the Configuration utility 1. In the navigation pane, click User Admin. The User Administration screen opens. 2. In the Add User section, type the following information. • User ID Type the user ID you want to assign the user. • Password Type the password you want to assign the user.
Chapter 11 Working with the BIG/db database The BIG/db™ database holds certain configuration information for the BIG-IP. Most BIG-IP utilities currently use the configuration stored in BIG/db. The bigpipe db is provided for loading configuration information into BIG/db. An additional default.txt file is included with the BIG-IP which contains default information you can load into the BIG/db database. Using the bigpipe db command The keys are viewed and set using the bigpipe db command.
Monitoring and Administration b db unset b db unset For example, the following command unsets Local.Bigip.FTB.HostNumber: b db unset Local.Bigip.FTB.HostNumber The following command unsets all local keys: b db unset set Local.* Working with the default.txt file The default.txt file documents the keys that are valid in the BIG/store database. This file is located at /config/default.txt.
Chapter 11 You can customize the BIG/stat utility statistics display. For example, you can customize your output to display statistics for a single element, or for selected elements. You can set the display to automatically update at time intervals you specify. The bigstat command accepts one or more options, which allow you to customize the statistical display.
bigip springbank (cur, max, tot) = (0, 8, 374)
   (pckts,bits) in = (15310, 10860064), out = (28363, 313009048)
virtual 11.11.11.50 (cur, max, limit, tot) = (0, 8, 370, 370)
   (pckts,bits) in = (10704, 8744872), out = (21480, 230874016)
virtual 11.11.11.50:http UP (cur, max, limit, tot) = (0, 8, 370, 370)
   (pckts,bits) in = (10704, 8744872), out = (21480, 230874016)
virtual 11.11.11.
BIG/stat Item and Description
BIG-IP
  cur - Shows the number of current connections handled by the BIG-IP
  max - Shows the maximum number of connections handled by the BIG-IP
  tot - Shows the total number of connections handled by the BIG-IP
  pckts,bits in - Shows the total number of packets and bits coming into the BIG-IP
  pckts,bits out - Shows the total number of packets and bits going out of the BIG-IP
virtual server
  cur - Shows the number of current connections handled by the virtual server
  max
12 Additional Setup Options • Overview of additional setup options • Defining additional host names • Using the MindTerm SSH Console • Downloading the SSH client to your administrative workstation • Addressing general networking issues • Using a serial terminal with the BIG-IP • Configuring RADIUS or LDAP authentication
Additional Setup Options Overview of additional setup options This chapter contains details about additional setup options you may want to configure for the BIG-IP.
Chapter 12 This sample hosts file lists the IP addresses for the default router, the internal VLAN, and the external VLAN, and it contains placeholders for both the virtual servers and the content servers that the BIG-IP will manage. If you have modified the /etc/hosts file with something other than the Setup utility, such as vi or pico, be aware that your changes may be lost when you run the Setup utility (config). The Setup utility overwrites the /etc/hosts file and openssl.
Additional Setup Options Downloading the SSH client to your administrative workstation From BIG-IP units that support encrypted communications, you can download the SSH client to your administrative workstation in preparation for remote command line access. In addition to running BIG-IP command line utilities, you can also use the SSH suite for file transfer to and from the BIG-IP, as well as for remote backups.
Chapter 12 6. In the Connection tab, in the Remote Host section, type the following items: • In the Host Name box, type the BIG-IP IP address or host name. • In the User Name box, type the root user name. 7. In the Options section, check Compression and set the Cipher option to Blowfish. 8. Click the OK button. Setting up the SSH client on a UNIX workstation The installation file for UNIX platforms is compressed in tar/gzip format. To untar and install the SSH client 1.
Additional Setup Options ◆ Configuring email on the BIG-IP There are some special requirements that you need to take into account when configuring email on the BIG-IP. Addressing routing issues The BIG-IP must communicate properly with network routers, as well as with the servers, firewalls, and other routers that it manages.
Chapter 12 2. Click the System tab. Look in the Default Gateway Pool list for the name of the default gateway pool. Make sure you have the pool name before proceeding to step 3. 3. In the navigation pane, click Pools. The Pools screen opens. 4. In the list of pools, click the name of the default gateway pool. The pool properties page for that pool opens. 5. In the Resources section of the screen, add or remove gateway IP addresses. 6. Click the Apply button.
Additional Setup Options Case 2: Different LANs If you have nodes on different LANs from the BIG-IP, you need to add a static gateway route on the BIG-IP itself. If, for example, the router that connects the 192.168.5 network and the 192.168.6 network has IP addresses 192.168.5.254 and 192.168.6.254, then you could use the following command to create the necessary static route on the BIG-IP: route add -net 192.168.6.0 -gateway 192.168.5.
Chapter 12 online documentation (in the Configuration utility home screen, under the Online Documentation section, click GateD). Note that the GateD configuration guide details the process of creating the GateD configuration file, and also provides samples of common protocol configurations.
Additional Setup Options In place of the parameter, use the IP address of a properly configured name server that has access to the Internet. You can specify additional name servers as backups by inserting an additional nameserver line for each backup name server. If you configure the BIG-IP itself as a DNS proxy server, then we suggest that you choose its loopback address (127.0.0.1) as the first name server in the /etc/resolv.conf file.
Chapter 12 Converting from rotary or round robin DNS If your network is currently configured to use rotary DNS, your node configuration may not need modification. However, you need to modify your DNS zone tables to map to a single IP address instead of to multiple IP addresses. For example, if you had two Web sites with domain names of www.SiteOne.com and www.SiteTwo.com, and used rotary DNS to cycle between two servers for each Web site, your zone table might look like the one in Figure 12.5. www.SiteOne.
Additional Setup Options Setting up Sendmail When you actually set up Sendmail, you need to open and edit a couple of configuration files. Note that the BIG-IP does not accept email messages, and that you can use the crontab utility to purge unsent or returned messages, and that you can send those messages to yourself or another administrator. To set up and start Sendmail 1. Copy /config/sendmail.cf.off to /config/sendmail.cf. 2. To set the name of your mail exchange server, open the /config/sendmail.
Chapter 12 A serial terminal configured as the console displays system messages and warnings in addition to providing a login prompt. In this case, the serial terminal replaces the keyboard and monitor. ◆ To connect the serial terminal to the BIG-IP Connect a serial line cable between the terminal device and the BIG-IP. On the back of BIG-IP is a male, 9-Pin RS232C connector labeled Terminal. (Be sure not to confuse this with the fail-over connection which is also a male, 9-pin connector.
Additional Setup Options Configuring a serial terminal in addition to the console You can configure a serial terminal for the BIG-IP in addition to the standard console. To configure the serial terminal in addition to the console 1. Connect the serial terminal to the BIG-IP. 2. Configure the serial terminal settings in your terminal or terminal emulator or modem as follows: • 9600 baud • 8 bits • 1 stop bit • No parity 3. Open the /etc/ttys file and find the line that reads tty00 off.
Chapter 12 Forcing a serial terminal to be the console In the case where you have not yet connected the serial terminal or it is not active when the BIG-IP is booted, as it might be if you are using a terminal server or dial-up modem, you can force the controller to use the serial terminal as a console. Note that you do not need to disconnect the keyboard if you use this procedure to force the serial line to be the console. To force a serial terminal to be the console 1. Edit the /etc/boot.default file.
Additional Setup Options 2. Create the file /etc/raddb/servers. Each line should contain the host name of the radius server to connect to, and the secret used by that server (see Figure 12.7). For security reasons, we recommend that you use IP addresses instead of host names for the entries in this file. If you specify a host name for an entry, we recommend that you add the host name to the /etc/hosts file. # this is the /etc/raddb/server file # format is radius.test.
Chapter 12 To configure an LDAP server that stores encrypted passwords In some LDAP servers, passwords are stored encrypted with DES, or stored as MD5 hashes. On these systems, it is best to bind to the server directly in order to let the LDAP server match the passwords. The login_ldap utility can be configured to bind directly to the server with the following settings in the /etc/login.conf file. 1. Edit /etc/login.conf. Locate these lines at the top of the file.
ldap-defaults:auth=passwd:\
    :auth-ssh=ldap,passwd:\
    :ldap-server=my_ldap_server:\
    :ldap-server-user=cn=Manager,dc=test,dc=net:\
    :ldap-basedn=dc=test,dc=net:\
    :ldap-user-bind=no:
Figure 12.12 Example excerpt from the /etc/login.conf for an LDAP server that stores plain text passwords
2. Locate the default authentication type. Change the tc value to point to the new ldap-defaults type (see Figure 12.13).
name. This is useful because you need to be able to log in even if the authentication server is down (or if its name gets changed and the /etc/login.conf file needs to be updated).
# login davidh:passwd
or
# ssh bigip -l "davidh:passwd"
Only the styles that you specify are accepted. For example, davidh:ldap would fail, since that style was not specified.
Glossary
Glossary Any IP Traffic Any IP Traffic is a feature that allows the BIG-IP to load balance protocols other than TCP and UDP. ARL (Akamai Resource Locator) An ARL is a URL that is modified to point to content on the Akamai Freeflow NetworkTM. In content conversion (akamaization), the URL is converted to an ARL, which retrieves the resource from a geographically nearby server on the Akamai Freeflow Network for faster content delivery.
Glossary cacheable content expression The cacheable content expression determines, based on evaluating variables in the HTTP header of the request, whether a BIG-IP Cache Controller directs a given request to a cache server or to an origin server. Any content that does not meet the criteria in the cacheable content expression is deemed non-cacheable. cache pool The cache pool specifies a pool of cache servers to which requests are directed in a manner that optimizes cache performance.
Glossary If you specify a value for hot pool, but do not specify a value for this variable, the cache statement uses a default hash size of 10 subsets. See also cool, hot, and hot content subset. content stripes In products that support caching, content stripes are cacheable content subsets distributed among your cache servers. cookie persistence Cookie persistence is a mode of persistence where the BIG-IP stores persistent connection information in a cookie.
Glossary platforms equipped with Windows Management Instrumentation (WMI), or on a server equipped with either the UC Davis SNMP agent or Windows 2000 Server SNMP agent. dynamic site content Dynamic site content is site content that is automatically generated each time a user accesses the site. Examples are current stock quotes or weather satellite images. EAV (Extended Application Verification) EAV is a health check that verifies an application on a node by running that application remotely.
Glossary FDDI (Fiber Distributed Data Interface) FDDI is a multi-mode protocol used for transmitting data on optical-fiber cables at speeds up to 100 Mbps. floating self IP address A floating self IP address is an additional self IP address for a VLAN that serves as a shared address by both units of a BIG-IP redundant system.
Glossary content subsets used for content striping. Requests for hot content are redirected to a cache server in the hot pool, a designated group of cache servers. This feature maximizes the use of cache server processing power without significantly affecting the memory efficiency gained by cacheable content determination. See also hot, hot content subset, and hot pool.
Glossary internal VLAN The internal VLAN is a default VLAN on the BIG-IP. In a basic configuration, this VLAN has the administration ports open. In a normal configuration, this is a network interface that handles connections from internal servers. IPSEC IPSEC (Internet Security Protocol) is a communications protocol that provides security for the network layer of the Internet without imposing requirements on applications running above it.
Glossary MAC (Media Access Control) MAC is a protocol that defines the way workstations gain access to transmission media, and is most widely used in reference to LANs. For IEEE LANs, the MAC layer is the lower sublayer of the data link layer protocol. MAC address A MAC address is used to represent hardware devices on an Ethernet network. member Member is a reference to a node when it is included in a particular pool. Pools typically include multiple member nodes.
Glossary specific to a service type, for example, HTTP and FTP. The template has a template type that corresponds to the service type and is usually the name of the template. named Named is the name server utility, which manages domain name server software. NAT (Network Address Translation) A NAT is an alias IP address that identifies a specific node managed by the BIG-IP to the external network.
Glossary Observed mode Observed mode is a dynamic load balancing mode that bases connection distribution on a combination of two factors: the server that currently hosts the fewest connections and also has the fastest response time. origin pool The origin pool specifies a pool of servers that contain original copies of all content.
Glossary Predictive mode Predictive mode is a dynamic load balancing mode that bases connection distribution on a combination of two factors: the server that currently hosts the fewest connections, and also has the fastest response time. Predictive mode also ranks server performance over time, and passes connections to servers which exhibit an improvement in performance rather than a decline. rate class You create a rate filter from the Configuration utility or command line utility.
Glossary RFC 1918 addresses An RFC 1918 address is an address that is within the range of non-routable addresses described in the IETF RFC 1918. Round Robin mode Round Robin mode is a static load balancing mode that bases connection distribution on a set server order. Round Robin mode sends a connection request to the next available server in the order. self IP address Self IP addresses are the IP addresses owned by the BIG-IP that you use to access the internal and external VLANs.
Glossary spanning tree protocol (STP) Spanning tree protocol is a protocol that provides loop resolution in configurations where one or more external switches is connected in parallel with the BIG-IP. SSL gateway An SSL gateway is a gateway for decrypting HTTP requests to an HTTP server and encrypting the reply. standby unit A standby unit in a redundant system is a unit that is always prepared to become the active unit if the active unit fails.
Glossary transparent node A transparent node appears as a router to other network devices, including the BIG-IP. trunk A trunk is a combination of two or more interfaces and cables configured as one link. See also link aggregation. user-defined monitor A user-defined monitor is a custom monitor configured by a user, based on a system-supplied monitor template. For some monitor types, you must create a user-defined monitor in order to use them.
Glossary wildcard virtual server A wildcard virtual server is a virtual server that uses an IP address of 0.0.0.0, * or "any". A wildcard virtual server accepts connection requests for destinations outside of the local network. Wildcard virtual servers are included only in Transparent Node Mode configurations.
Index variable operands and rules 4-59 defined 4-58 types 4-59 variables 4-51, 4-59 verbose command 7-47 verbose keyword 11-10 virtual address statistics 11-1 resetting 11-4, 11-5 viewing 11-17 virtual addresses defining a netmask 4-79 displaying information 4-85 enabling and disabling 11-16 monitoring 11-8 removing from service 11-15, 11-16 statistics 4-85 translation properties 4-80 virtual command 4-69, 7-50, 11-5 virtual port statistics from bigpipe utility 11-1 resetting 11-4, 11-6 viewing 11-9, 11-17