Manual Chapter :
Initial vCMP Configuration Tasks
Applies To:
Show Versions
BIG-IP AAM
- 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP APM
- 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP LTM
- 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP AFM
- 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP DNS
- 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP ASM
- 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Initial vCMP Configuration Tasks
About vCMP application volume
management
When you provisioned the vCMP®
feature as part of system setup, the BIG-IP® system
allocated most of the total disk space to the vCMP application volume (by default, all but 30
gigabytes). Known as the
reserve disk space
, this 30 gigabytes
of disk space is left available for other uses, such as for installing additional versions of the
BIG-IP system in the future.Do not attempt to change the amount of reserved disk space after you have
provisioned the vCMP feature. Changing the reserved disk space after provisioning produces
unwanted results.
vCMP host administrator tasks
Before you configure the vCMP® host, make sure you
followed the VIPRION setup tasks described in the guide
VIPRION Systems:
Configuration
. After using that guide, you should now have a VIPRION®
system that is provisioned for vCMP, with the standard external, internal, and high-availability
VLANs configured.As a vCMP® host administrator, you have the important task of initially
planning the amount of total system CPU and memory that you want the vCMP host to allocate to
each guest. This decision is based on the resource needs of the particular BIG-IP® modules that guest administrators intend to provision within each guest, as well as
the maximum system resource limits for the relevant hardware platform. Thoughtful resource
allocation planning prior to creating the guests ensures optimal performance of each guest. Once
you have determined the resource allocation requirements for the guests, you are ready to
configure the host.
Overall, your primary duties are to create and manage guests,
ensuring that the proper system resources are allocated to those guests.
Task summary
Accessing the vCMP host
Performing this task allows you to access the vCMP host. Primary reasons to access
the host are to create and manage vCMP guests, manage virtual
disks, and view or manage host and guest properties. You can also view host and
guest statistics.
- From a system on the external network, display a browser window.
- In the URL field, type a management IP address that you previously assigned to the system, as follows:https://<ip_address>The browser displays the login screen for the BIG-IP Configuration utility.
Provisioning the vCMP feature
Before performing this task, ensure that the amount of reserve disk space that the
provisioning process creates is sufficient. Attempting to adjust the reserve disk space
after you have provisioned the vCMP feature produces unwanted
results.
Performing this task creates the vCMP host (the hypervisor) and dedicates most
of the system resources to running vCMP.
If the system currently
contains any BIG-IP module configuration data, this data will
be deleted when you provision the vCMP feature.
- On the Main tab, click.
- Verify that all BIG-IP modules are set toNone.
- From thevCMPlist, selectDedicated.
- ClickUpdate.
After provisioning the vCMP feature, the system reboots TMOS
and prompts you to log in again. This action logs you in to the vCMP host, thereby
allowing you to create guests and perform other host configuration tasks.
Creating a vCMP
guest on an Appliance Platform
Before creating a guest on the system:
- Verify that you have configured the base network on the system to create any necessary trunks, as well as VLANs for guests to use when processing application traffic.
- If you plan to enable theAppliance Modesetting for the guest, verify that the vCMP license on the host does not specify appliance mode; if appliance mode is specified in the vCMP license, the feature is applied system-wide to the host and to all guests on the system, instead of on a per-guest basis.
You create a vCMP guest when you want to create an instance of the BIG-IP software
for the purpose of running one or more BIG-IP modules to process
application traffic. For example, you can create a guest that runs BIG-IP
Local Traffic Manager and BIG-IP
DNS. When creating a guest, you specify the
number of cores that you want the vCMP host to allocate to each guest.
When creating a guest, if you see an error message such as
Insufficient disk
space on /shared/vmdisks. Need 24354M additional space.
, you must delete
existing unattached virtual disks until you have freed up that amount of disk
space.If you are planning to add this guest to a Sync-Failover device
group and enable connection mirroring with a guest on another device, you must
ensure that the two guests are configured identically with respect to core
allocation.
- Use a browser to log in to system, using the vCMP host management IP address.This logs you in to the vCMP host.
- On the Main tab, click.This displays a list of guests on the system.
- ClickCreate.
- From thePropertieslist, selectAdvanced.
- In theNamefield, type a name for the guest.
- In theHost Namefield, type a fully-qualified domain name (FQDN) name for the guest.If you leave this field blank, the system assigns the namelocalhost.localdomain.
- From theCores Per Guestlist, select the number of cores that you want the host to allocate to the guest.
- From theManagement Networklist, select a value:ValueResultBridged(Recommended)Connects the guest to the management network. Selecting this value causes theIP Addresssetting to appear.IsolatedPrevents the guest from being connected to the management network and disables the host-only interface.If you selectIsolated, do not enable theAppliance Modesetting when you initially create the guest. For more information, see the step for enabling theAppliance Modesetting.Host-OnlyPrevents the guest from being connected to the management network but ensures that the host-only interface is enabled.
- For theManagement Portsetting, fill in the required information:
- In theIP Addressfield, type a unique management IP address (IPv4 or IPv6) that you want to assign to the guest.You use this IP address to access the guest when you want to manage the BIG-IP modules running within the guest.
- In theNetwork Maskfield, type the network mask for the management IP address.
- In theManagement Routefield, type a gateway address for the management IP address.
Assigning an IP address that is on the same network as the host management port has security implications that you should carefully consider. - From theInitial Imagelist, select an ISO image file for installing TMOS software onto the guest's virtual disk.
- From theFIPS Partitionlist, select a FIPS partition name.Use this setting to assign SSL resources from a hardware security module (HSM) to the guest, when the guest needs to process FIPS-related SSL application traffic. F5 strongly recommends that if the guest is a member of a high-availability device group, then the SSL resources allocated to this FIPS partition should match the SSL resources allocated to the partitions assigned to the other members of the device group.For information on creating and managing FIPS partitions, see the documents titledThis setting is available on certain BIG-IP platforms only. If you do not see this setting, your platform does not contain an HSM that supports FIPS multi-tenancy.F5 Platforms: FIPS AdministrationandvCMP Systems: Multi-tenant FIPS Configurationonhttp://support.f5.com.
- In theVirtual Disklist, retain the default value ofNone.Note that if an unattached virtual disk file with that default name already exists, the system displays a message, and you must manually attach the virtual disk. You can do this using thetmshcommand line interface, or use the Configuration utility to view and select from a list of available unattached virtual disks.The BIG-IP system creates a virtual disk with a default name (the guest name plus the string.img, such asguestA.img).
- For theVLAN Listsetting, subscribe to host-based VLANs:
- Select the external and internal VLANs from theAvailablelist.
- Use the Move button to move the VLANs to theSelectedlist.
After you create the guest, the guest will use the selected VLANs to process application traffic. As an option, the guest administrator can create additional VLANs later from within the guest. - If you want to enable Appliance mode for the guest, select theAppliance Modecheck box.Before enabling this feature on an isolated guest, you must perform some prerequisite tasks, such as creating a self IP address on the guest. Failure to perform these prerequisite tasks will make the guest unreachable by all host and guest administrators. Therefore, you must create the isolated guest with Appliance mode disabled, perform the prerequisite tasks, and then modify the guest to enable this setting. For more information, see the relevant appendix of this guide.When you enableAppliance Modefor a guest, the system enhances security by denying access to therootaccount and theBashshell for all administrators.
- If the guest is processing application traffic that is non-FIPS-related, then from theSSL-Modelist, select an option to configure the way that the SSL acceleration processor manages SSL resources for the guest. If the guest's traffic is FIPS-related, skip this step.OptionDescriptionDedicatedDedicates SSL acceleration resources to the guest. Note that the BIG-IP device might contain a type of SSL acceleration processor that prevents you from configuring a combination ofDedicatedguests andSharedguests on the system. In this case, if any guest is set toDedicatedmode, all other guests must be set toNone.SharedInSharedmode, the guest shares an SSL acceleration processor with all guests that are also inSharedmode. This option can impact SSL performance for the guest, depending on use of SSL resources by other guests. Note that the BIG-IP device might contain a type of SSL acceleration processor that prevents you from configuring a combination ofDedicatedguests andSharedguests for a single SSL processor. In this case, if any guest is set toSharedmode, all other guests must be set toSharedorNone.NonePrevents the guest from accessing any hardware SSL resources. When you selectNone, the guest has no access to SSL hardware resources, but can access SSL software resources.Certain F5 hardware platforms include both an HSM and an SSL acceleration processor. When you use this setting to assign SSL resources to the guest, the system assigns SSL acceleration processor resources for non-FIPS traffic only. For more information, see the section of this guide titledAbout SSL resource allocation for appliance platformsonhttp://support.f5.com.If you do not see theSSL-Modesetting, your hardware platform does not support this feature.
- From theGuest Traffic Profilelist:
- SelectNoneif you do not want to meter network traffic using a Single Rate Three Color Marker (srTCM) policer.
- Select the name of an existing srTCM policer if you want the BIG-IP system to classify network traffic as green, yellow, or red using the srTCM standard.
- From theRequested Statelist, selectProvisioned.Once the guest is created, the vCMP host allocates all necessary resources to the guest, such as cores and virtual disk.
- ClickFinish.The system installs the selected ISO image onto the guest's virtual disk and displays a status bar to show the progress of the resource allocation.
You now have a new vCMP guest on the system in the Provisioned state with an ISO
image installed.
After you create the guest, if an administrator needs to change the maximum
transmission unit (MTU) size on a host-based VLAN to optimize the guest's application
traffic, the administrator can (and must) change the MTU value from within the guest. An
administrator for a specific guest should never try to change the MTU value of a
host-based VLAN when logged into the vCMP host.
Setting a vCMP guest to the Deployed state
Setting a guest to the Deployed state enables a guest administrator to then
provision and configure the BIG-IP modules within the guest.
For any isolated guest with Appliance mode enabled, you must first
perform some additional tasks before deploying the guest. For more information, see
the relevant appendix of this guide.
- Ensure that you are logged in to the vCMP host.
- On the Main tab, click.This displays a list of guests on the system.
- In the Name column, click the name of the vCMP guest that you want to deploy.
- From theRequested Statelist, selectDeployed.
- ClickUpdate.
After moving a vCMP guest to the Deployed state, a guest
administrator can provision and configure the BIG-IP modules within the guest so that
the guest can begin processing application traffic.
vCMP guest administrator tasks
The primary duties of a vCMP® guest administrator are to provision BIG-IP® modules within the guest and configure any self IP addresses that the
guest needs for processing application traffic. The guest administrator must also configure all
BIG-IP modules, such as creating virtual servers and load balancing pools within BIG-IP Local Traffic Manager (LTM).
Optionally, a guest administrator who wants a redundant system configuration can create a
device group with the peer guests as members.
Provisioning BIG-IP modules within a guest
Before a guest administrator can access a guest to provision licensed BIG-IP modules, the vCMP guest must be in
the Deployed state.
To run BIG-IP modules within a guest, the guest administrator must first provision
them. For example, a guest administrator for
guestA
who wants to
run LTM and DNS must log into
guestA
and provision the LTM and BIG-IP DNS modules.For guests that are isolated from the management network, you must
access them using a self IP address instead of a management IP
address.
- Open a browser, and in the URL field, specify the management IP address that the host administrator assigned to the guest.
- At the login prompt, type the default user nameadmin, and passwordadmin, and clickLog in.The Setup utility screen opens.
- ClickNext.This displays the Resource Provisioning screen.
- For each licensed BIG-IP module in the list, select the check box and selectMinimal,Nominal, orDedicated.
- ClickNext.This displays the Certificate Properties screen.
- ClickNext.This displays some general properties of the guest.
- ClickNext.This displays the screen for specifying the guest's cluster member IP addresses.
- ClickNext.
- ClickFinished.
Creating a self IP address for application traffic
A vCMP guest administrator creates a self IP address within a
guest, assigning a VLAN to the address in the process. The self IP address serves as a
hop for application traffic destined for a virtual server configured within the guest.
On a standalone system, the self IP address that a guest administrator creates is a
static (non-floating) IP address. Note that the administrator does not need to create
VLANs within the guest; instead, the VLANs available for assigning to a self IP address
are VLANs that a host administrator previously created on the vCMP host.
- On the Main tab of the BIG-IP Configuration utility, click.
- ClickCreate.The New Self IP screen opens.
- In theNamefield, type a unique name for the self IP address.
- In theIP Addressfield, type an IPv4 or IPv6 address.This IP address should represent the address space of the VLAN that you specify with theVLAN/Tunnelsetting.
- In theNetmaskfield, type the network mask for the specified IP address.For example, you can type255.255.255.0.
- From theVLAN/Tunnellist, select the VLAN to associate with this self IP address.
- On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
- On the external network, select the external VLAN that is associated with an external interface or trunk.
- From thePort Lockdownlist, selectAllow Default.
- ClickFinished.The screen refreshes, and displays the new self IP address.
After creating a self IP address, the BIG-IP system can send and receive traffic
destined for a virtual server that allows traffic through the specified VLAN.
Changing the MTU
value on a VLAN (optional)
Do this task when you need to adjust the maximum transmission unit
(MTU) size on a VLAN for the vCMP guest that you are logged into. Changing a VLAN's
MTU size can help to optimize application traffic for the guest. You can do this
task for either a host-based VLAN or a VLAN that you created from within the
guest.
Always do this task when you're logged into the guest and not
the host.
- Log into the guest using the guest's management IP address.The BIG-IP Configuration utility opens.
- On the Main tab of the BIG-IP Configuration utility, click.A list of VLANs appears.
- In the Name column, double-click the name of the VLAN you want to modify.This displays the properties of the VLAN.
- In theMTUfield, change the value to whatever is appropriate for the guest.
- Click Update.
Next steps
After all guests are in the Deployed state, each individual guest administrator can configure
the appropriate BIG-IP modules for processing application traffic. For example, a guest
administrator can use BIG-IP®
Local Traffic Manager (LTM) to create a standard
virtual server and a load-balancing pool. Optionally, if guest redundancy is required, a guest
administrator can set up device service clustering (DSC®).
Another important task for a guest administrator is to create other guest administrator
accounts as needed.
If the guest has an isolated (rather than bridged) management network, you
must grant access to the Traffic Management Shell (
tmsh
) to all guest
administrator accounts. Otherwise, guest administrators have no means of logging in to the guest,
due to the lack of access to the management network.Configuration results
After you and all guest administrators have completed the initial configuration tasks, you
should have a system provisioned for vCMP, with one or more guests ready to process
application traffic.
When logged in to the vCMP host, you can see the VLANs and trunks configured on the system, as
well as all of the guests that you created, along with their virtual disks. You can also see
the number of cores that the host allocated to each guest.
When logged in to a guest, the guest administrator can see one or more BIG-IP® modules provisioned and configured within the guest to process application
traffic. If the guest administrator configured device service clustering (DSC®), the guest is a member of a device group.