Manual Chapter : Initial vCMP Configuration Tasks

Applies To:

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP DNS

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

About vCMP application volume management

When you provisioned the vCMP® feature as part of system setup, the BIG-IP® system allocated most of the total disk space to the vCMP application volume (by default, all but 30 gigabytes). Known as the reserve disk space, this 30 gigabytes of disk space is left available for other uses, such as for installing additional versions of the BIG-IP system in the future.
Do not attempt to change the amount of reserved disk space after you have provisioned the vCMP feature. Changing the reserved disk space after provisioning produces unwanted results.

vCMP host administrator tasks

Before you configure the vCMP® host, make sure you followed the VIPRION setup tasks described in the guide VIPRION Systems: Configuration. After using that guide, you should now have a VIPRION® system that is provisioned for vCMP, with the standard external, internal, and high-availability VLANs configured.
As a vCMP® host administrator, you have the important task of initially planning the amount of total system CPU and memory that you want the vCMP host to allocate to each guest. This decision is based on the resource needs of the particular BIG-IP® modules that guest administrators intend to provision within each guest, as well as the maximum system resource limits for the relevant hardware platform. Thoughtful resource allocation planning prior to creating the guests ensures optimal performance of each guest. Once you have determined the resource allocation requirements for the guests, you are ready to configure the host.
Overall, your primary duties are to create and manage guests, ensuring that the proper system resources are allocated to those guests.

Task summary

Accessing the vCMP host

Performing this task allows you to access the vCMP host. Primary reasons to access the host are to create and manage vCMP guests, manage virtual disks, and view or manage host and guest properties. You can also view host and guest statistics.
  1. From a system on the external network, display a browser window.
  2. In the URL field, type a management IP address that you previously assigned to the system, as follows:
    https://<ip_address>
    The browser displays the login screen for the BIG-IP Configuration utility.

Provisioning the vCMP feature

Before performing this task, ensure that the amount of reserve disk space that the provisioning process creates is sufficient. Attempting to adjust the reserve disk space after you have provisioned the vCMP feature produces unwanted results.
Performing this task creates the vCMP host (the hypervisor) and dedicates most of the system resources to running vCMP.
If the system currently contains any BIG-IP module configuration data, this data will be deleted when you provision the vCMP feature.
  1. On the Main tab, click System > Resource Provisioning.
  2. Verify that all BIG-IP modules are set to None.
  3. From the vCMP list, select Dedicated.
  4. Click Update.
After provisioning the vCMP feature, the system reboots TMOS and prompts you to log in again. This action logs you in to the vCMP host, thereby allowing you to create guests and perform other host configuration tasks.

Creating a vCMP guest on an Appliance Platform

Before creating a guest on the system:
  • Verify that you have configured the base network on the system to create any necessary trunks, as well as VLANs for guests to use when processing application traffic.
  • If you plan to enable the Appliance Mode setting for the guest, verify that the vCMP license on the host does not specify appliance mode; if appliance mode is specified in the vCMP license, the feature is applied system-wide to the host and to all guests on the system, instead of on a per-guest basis.
You create a vCMP guest when you want to create an instance of the BIG-IP software for the purpose of running one or more BIG-IP modules to process application traffic. For example, you can create a guest that runs BIG-IP Local Traffic Manager and BIG-IP DNS. When creating a guest, you specify the number of cores that you want the vCMP host to allocate to each guest.
When creating a guest, if you see an error message such as "Insufficient disk space on /shared/vmdisks. Need 24354M additional space.", you must delete existing unattached virtual disks until you have freed up that amount of disk space.
If you are planning to add this guest to a Sync-Failover device group and enable connection mirroring with a guest on another device, you must ensure that the two guests are configured identically with respect to core allocation.
  1. Use a browser to log in to the system, using the vCMP host management IP address.
    This logs you in to the vCMP host.
  2. On the Main tab, click vCMP > Guest List.
    This displays a list of guests on the system.
  3. Click Create.
  4. From the Properties list, select Advanced.
  5. In the Name field, type a name for the guest.
  6. In the Host Name field, type a fully qualified domain name (FQDN) for the guest.
    If you leave this field blank, the system assigns the name localhost.localdomain.
  7. From the Cores Per Guest list, select the number of cores that you want the host to allocate to the guest.
  8. From the Management Network list, select a value. The values and their results are:
    • Bridged (Recommended): Connects the guest to the management network. Selecting this value causes the IP Address setting to appear.
    • Isolated: Prevents the guest from being connected to the management network and disables the host-only interface. If you select Isolated, do not enable the Appliance Mode setting when you initially create the guest. For more information, see the step for enabling the Appliance Mode setting.
    • Host-Only: Prevents the guest from being connected to the management network but ensures that the host-only interface is enabled.
  9. For the Management Port setting, fill in the required information:
    1. In the IP Address field, type a unique management IP address (IPv4 or IPv6) that you want to assign to the guest.
      You use this IP address to access the guest when you want to manage the BIG-IP modules running within the guest.
    2. In the Network Mask field, type the network mask for the management IP address.
    3. In the Management Route field, type a gateway address for the management IP address.
    Assigning an IP address that is on the same network as the host management port has security implications that you should carefully consider.
  10. From the Initial Image list, select an ISO image file for installing TMOS software onto the guest's virtual disk.
  11. From the FIPS Partition list, select a FIPS partition name.
    Use this setting to assign SSL resources from a hardware security module (HSM) to the guest, when the guest needs to process FIPS-related SSL application traffic. F5 strongly recommends that if the guest is a member of a high-availability device group, then the SSL resources allocated to this FIPS partition should match the SSL resources allocated to the partitions assigned to the other members of the device group.
    This setting is available on certain BIG-IP platforms only. If you do not see this setting, your platform does not contain an HSM that supports FIPS multi-tenancy.
    For information on creating and managing FIPS partitions, see the documents titled F5 Platforms: FIPS Administration and vCMP Systems: Multi-tenant FIPS Configuration on http://support.f5.com.
  12. In the Virtual Disk list, retain the default value of None.
    Note that if an unattached virtual disk file with that default name already exists, the system displays a message, and you must manually attach the virtual disk. You can do this using the tmsh command line interface, or use the Configuration utility to view and select from a list of available unattached virtual disks.
    The BIG-IP system creates a virtual disk with a default name (the guest name plus the string .img, such as guestA.img).
  13. For the VLAN List setting, subscribe to host-based VLANs:
    1. Select the external and internal VLANs from the Available list.
    2. Use the Move button to move the VLANs to the Selected list.
    After you create the guest, the guest will use the selected VLANs to process application traffic. As an option, the guest administrator can create additional VLANs later from within the guest.
  14. If you want to enable Appliance mode for the guest, select the Appliance Mode check box.
    Before enabling this feature on an isolated guest, you must perform some prerequisite tasks, such as creating a self IP address on the guest. Failure to perform these prerequisite tasks will make the guest unreachable by all host and guest administrators. Therefore, you must create the isolated guest with Appliance mode disabled, perform the prerequisite tasks, and then modify the guest to enable this setting. For more information, see the relevant appendix of this guide.
    When you enable Appliance Mode for a guest, the system enhances security by denying access to the root account and the Bash shell for all administrators.
  15. If the guest is processing application traffic that is non-FIPS-related, then from the SSL-Mode list, select an option to configure the way that the SSL acceleration processor manages SSL resources for the guest. If the guest's traffic is FIPS-related, skip this step. The options and their descriptions are:
    • Dedicated: Dedicates SSL acceleration resources to the guest. Note that the BIG-IP device might contain a type of SSL acceleration processor that prevents you from configuring a combination of Dedicated guests and Shared guests on the system. In this case, if any guest is set to Dedicated mode, all other guests must be set to None.
    • Shared: In Shared mode, the guest shares an SSL acceleration processor with all guests that are also in Shared mode. This option can impact SSL performance for the guest, depending on use of SSL resources by other guests. Note that the BIG-IP device might contain a type of SSL acceleration processor that prevents you from configuring a combination of Dedicated guests and Shared guests for a single SSL processor. In this case, if any guest is set to Shared mode, all other guests must be set to Shared or None.
    • None: Prevents the guest from accessing any hardware SSL resources. When you select None, the guest has no access to SSL hardware resources, but can access SSL software resources.
    Certain F5 hardware platforms include both an HSM and an SSL acceleration processor. When you use this setting to assign SSL resources to the guest, the system assigns SSL acceleration processor resources for non-FIPS traffic only. For more information, see the section of this guide titled About SSL resource allocation for appliance platforms on http://support.f5.com.
    If you do not see the SSL-Mode setting, your hardware platform does not support this feature.
  16. From the Guest Traffic Profile list:
    • Select None if you do not want to meter network traffic using a Single Rate Three Color Marker (srTCM) policer.
    • Select the name of an existing srTCM policer if you want the BIG-IP system to classify network traffic as green, yellow, or red using the srTCM standard.
  17. From the Requested State list, select Provisioned.
    Once the guest is created, the vCMP host allocates all necessary resources to the guest, such as cores and virtual disk.
  18. Click Finish.
    The system installs the selected ISO image onto the guest's virtual disk and displays a status bar to show the progress of the resource allocation.
You now have a new vCMP guest on the system in the Provisioned state with an ISO image installed.
After you create the guest, if an administrator needs to change the maximum transmission unit (MTU) size on a host-based VLAN to optimize the guest's application traffic, the administrator can (and must) change the MTU value from within the guest. An administrator for a specific guest should never try to change the MTU value of a host-based VLAN when logged into the vCMP host.
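
Several constraints stated in this procedure can be checked against a planned guest list before you open the Configuration utility: an Isolated guest created with Appliance Mode disabled, a guest management IP address on the host management network, matching core allocation for mirroring peers, and Dedicated and Shared SSL modes not being combined. The following Python check is an added example, not F5 code; the GuestPlan fields, finding codes, and sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Finding codes (hypothetical names) and the rule from the procedure behind each.
RULES = {
    "isolated-appliance": "create an Isolated guest with Appliance Mode disabled first",
    "mgmt-ip-missing": "a Bridged guest needs a management IP address",
    "mgmt-same-network": "guest management IP shares the host management network",
    "mirror-cores": "connection-mirroring peers need identical core allocation",
    "ssl-mix": "Dedicated and Shared SSL modes are combined on one system",
}

@dataclass
class GuestPlan:
    """Planned values for one guest; field names are assumptions, not tmsh keys."""
    name: str
    cores: int
    management_network: str                  # "Bridged", "Isolated" or "Host-Only"
    management_ip: str = ""                  # CIDR form, used with Bridged only
    appliance_mode: bool = False
    ssl_mode: str = "None"                   # "Dedicated", "Shared" or "None"
    mirror_peer_cores: Optional[int] = None  # cores of the mirroring peer, if any

def check_plan(guests, host_mgmt_cidr, ssl_modes_exclusive=True):
    """Return sorted (guest name, finding code) pairs; an empty list means clean.

    ssl_modes_exclusive models a platform whose SSL acceleration processor
    cannot serve Dedicated and Shared guests at the same time.
    """
    host_net = ipaddress.ip_interface(host_mgmt_cidr).network
    findings = set()
    for g in guests:
        if g.management_network == "Isolated" and g.appliance_mode:
            findings.add((g.name, "isolated-appliance"))
        if g.management_network == "Bridged":
            if not g.management_ip:
                findings.add((g.name, "mgmt-ip-missing"))
            elif ipaddress.ip_interface(g.management_ip).ip in host_net:
                findings.add((g.name, "mgmt-same-network"))
        if g.mirror_peer_cores is not None and g.mirror_peer_cores != g.cores:
            findings.add((g.name, "mirror-cores"))
    modes = {g.ssl_mode for g in guests}
    if ssl_modes_exclusive and {"Dedicated", "Shared"} <= modes:
        for g in guests:
            if g.ssl_mode in ("Dedicated", "Shared"):
                findings.add((g.name, "ssl-mix"))
    return sorted(findings)

# Constructed sample plan; addresses come from documentation ranges.
SAMPLE_HOST_MGMT = "192.0.2.10/24"
SAMPLE_GUESTS = [
    GuestPlan("guestA", 2, "Bridged", "192.0.2.20/24", ssl_mode="Dedicated"),
    GuestPlan("guestB", 2, "Isolated", appliance_mode=True, ssl_mode="Shared"),
    GuestPlan("guestC", 4, "Bridged", "198.51.100.5/24", mirror_peer_cores=2),
    GuestPlan("guestD", 2, "Host-Only"),
]

if __name__ == "__main__":
    for name, code in check_plan(SAMPLE_GUESTS, SAMPLE_HOST_MGMT):
        print(f"{name}: {RULES[code]}")
```

A finding of mgmt-same-network is a prompt to review the placement, not an error; pass ssl_modes_exclusive=False for a platform that allows Dedicated and Shared guests together.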

Setting a vCMP guest to the Deployed state

Setting a guest to the Deployed state enables a guest administrator to then provision and configure the BIG-IP modules within the guest.
For any isolated guest with Appliance mode enabled, you must first perform some additional tasks before deploying the guest. For more information, see the relevant appendix of this guide.
  1. Ensure that you are logged in to the vCMP host.
  2. On the Main tab, click vCMP > Guest List.
    This displays a list of guests on the system.
  3. In the Name column, click the name of the vCMP guest that you want to deploy.
  4. From the Requested State list, select Deployed.
  5. Click Update.
After moving a vCMP guest to the Deployed state, a guest administrator can provision and configure the BIG-IP modules within the guest so that the guest can begin processing application traffic.

vCMP guest administrator tasks

The primary duties of a vCMP® guest administrator are to provision BIG-IP® modules within the guest and configure any self IP addresses that the guest needs for processing application traffic. The guest administrator must also configure all BIG-IP modules, such as creating virtual servers and load balancing pools within BIG-IP Local Traffic Manager (LTM).
Optionally, a guest administrator who wants a redundant system configuration can create a device group with the peer guests as members.

Provisioning BIG-IP modules within a guest

Before a guest administrator can access a guest to provision licensed BIG-IP modules, the vCMP guest must be in the Deployed state.
To run BIG-IP modules within a guest, the guest administrator must first provision them. For example, a guest administrator for guestA who wants to run LTM and DNS must log into guestA and provision the LTM and BIG-IP DNS modules.
For guests that are isolated from the management network, you must access them using a self IP address instead of a management IP address.
  1. Open a browser, and in the URL field, specify the management IP address that the host administrator assigned to the guest.
  2. At the login prompt, type the default user name admin, and password admin, and click Log in.
    The Setup utility screen opens.
  3. Click Next.
    This displays the Resource Provisioning screen.
  4. For each licensed BIG-IP module in the list, select the check box and select Minimal, Nominal, or Dedicated.
  5. Click Next.
    This displays the Certificate Properties screen.
  6. Click Next.
    This displays some general properties of the guest.
  7. Click Next.
    This displays the screen for specifying the guest's cluster member IP addresses.
  8. Click Next.
  9. Click Finished.

Creating a self IP address for application traffic

A vCMP guest administrator creates a self IP address within a guest, assigning a VLAN to the address in the process. The self IP address serves as a hop for application traffic destined for a virtual server configured within the guest. On a standalone system, the self IP address that a guest administrator creates is a static (non-floating) IP address. Note that the administrator does not need to create VLANs within the guest; instead, the VLANs available for assigning to a self IP address are VLANs that a host administrator previously created on the vCMP host.
  1. On the Main tab of the BIG-IP Configuration utility, click Network > Self IPs.
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type an IPv4 or IPv6 address.
    This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.
  5. In the Netmask field, type the network mask for the specified IP address.
    For example, you can type 255.255.255.0.
  6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
    • On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
    • On the external network, select the external VLAN that is associated with an external interface or trunk.
  7. From the Port Lockdown list, select Allow Default.
  8. Click Finished.
    The screen refreshes, and displays the new self IP address.
After creating a self IP address, the BIG-IP system can send and receive traffic destined for a virtual server that allows traffic through the specified VLAN.

Changing the MTU value on a VLAN (optional)

Do this task when you need to adjust the maximum transmission unit (MTU) size on a VLAN for the vCMP guest that you are logged into. Changing a VLAN's MTU size can help to optimize application traffic for the guest. You can do this task for either a host-based VLAN or a VLAN that you created from within the guest.
Always do this task when you're logged into the guest and not the host.
  1. Log into the guest using the guest's management IP address.
    The BIG-IP Configuration utility opens.
  2. On the Main tab of the BIG-IP Configuration utility, click Network > VLAN.
    A list of VLANs appears.
  3. In the Name column, double-click the name of the VLAN you want to modify.
    This displays the properties of the VLAN.
  4. In the MTU field, change the value to whatever is appropriate for the guest.
  5. Click Update.

Next steps

After all guests are in the Deployed state, each individual guest administrator can configure the appropriate BIG-IP modules for processing application traffic. For example, a guest administrator can use BIG-IP® Local Traffic Manager (LTM) to create a standard virtual server and a load-balancing pool. Optionally, if guest redundancy is required, a guest administrator can set up device service clustering (DSC®).
Another important task for a guest administrator is to create other guest administrator accounts as needed.
If the guest has an isolated (rather than bridged) management network, you must grant access to the Traffic Management Shell (tmsh) to all guest administrator accounts. Otherwise, guest administrators have no means of logging in to the guest, due to the lack of access to the management network.

Configuration results

After you and all guest administrators have completed the initial configuration tasks, you should have a system provisioned for vCMP, with one or more guests ready to process application traffic.
When logged in to the vCMP host, you can see the VLANs and trunks configured on the system, as well as all of the guests that you created, along with their virtual disks. You can also see the number of cores that the host allocated to each guest.
When logged in to a guest, the guest administrator can see one or more BIG-IP® modules provisioned and configured within the guest to process application traffic. If the guest administrator configured device service clustering (DSC®), the guest is a member of a device group.