Manual Chapter: Common Elements for Self IP tasks

Applies To:

BIG-IP ASM

  • 15.0.0, 14.1.0

Before you create a self IP address, ensure that you have created at least one VLAN or VLAN group.
A self IP address enables the BIG-IP system and other devices on the network to route application traffic through the associated VLAN or VLAN group.
  1. On the Main tab, click Network > Self IPs.
  2. On the Main tab, click Network > Self IPs.
    The Self IP screen opens.
  3. On the Main tab of the BIG-IP Configuration utility, click Network > Self IPs.
  4. From the vCMP host, access the Bash shell and type vconsole guest_name primary_slot_number.
    The system prompts you to enter a user name and password.
  5. Log in using the root account.
    A system prompt is displayed on the primary slot of the named guest.
  6. Type the command tmsh create net self address ip_address/netmask vlan vlan_name allow-service default.
    This creates the specified IP address on the guest and makes required adjustments to the port lockdown settings.
  7. Click Create.
    The New Self IP screen opens.
  8. In the Name field, type a unique name for the self IP address.
    For this example, type VLAN1.
  9. In the Name field, type a unique name for the self IP address.
  10. In the Name field, type a unique name for the static self IP address.
    For example, for device BIGIP_A, this name could be ext_static_self_bigipA or int_static_self_bigipA.
  11. In the Name field, type a unique name for the floating self IP address.
    For example, for the floating external self IP address for device Bigip_A, this name could be float_ext_self_bigipA.
  12. In the Name column, click the self IP address corresponding to VLAN external.
    This displays the properties of that self IP address.
  13. In the Name column, click the floating self IP address assigned to VLAN internal.
    This displays the properties of that self IP address.
  14. In the Name column, click the self IP address that you want to modify.
    This displays the properties of the self IP address.
  15. In the Name column, click a self IP address associated with a VLAN on the public network.
    This displays the properties of that self IP address.
  16. In the IP Address field, type the self IP address for the system that applies to the VLAN.
  17. In the IP Address field, type the self IP address for the system that applies to the VLAN.
    For this example, type one of the following:
    • If you are configuring lc1.siterequest.com, type 10.1.1.20
    • If you are configuring lc2.siterequest.com, type 10.1.1.21
  18. In the IP Address field, type an IP address.
    This IP address represents the address of the SNMP agent.
    The system accepts IPv4 and IPv6 addresses.
  19. In the IP Address field, type the private IP address that is assigned to the ETH1 network interface.
  20. In the IP Address field, type an IPv4 or IPv6 address.
    This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.
  21. In the IP Address field, type an IP address.
    For example, in our sample configuration for device BIGIP_A, the static self IP address for VLAN external could be 20.1.1.6.
  22. In the IP Address field, type an IPv4 or IPv6 address.
    This IP address should represent the address space of the VLAN group that you specify with the VLAN/Tunnel setting.
  23. In the IP Address field, type an IPv4 address.
    This IP address should represent the address space of the VLAN group that you specify with the VLAN/Tunnel setting.
  24. In the IP Address field, type the IP address of the system.
    The system accepts IPv4 and IPv6 addresses.
  25. In the IP Address field, type the private IP address that is assigned to the ETH2 network interface.
  26. In the IP Address field, type an IP address.
    This IP address should represent the network of the router.
    The system accepts IPv4 and IPv6 addresses.
  27. In the IP Address field, type the IP address of the legacy DNS server.
    The system accepts IPv4 and IPv6 addresses.
  28. In the IP Address field, type the IP address of the primary DNS server.
    The system accepts IPv4 and IPv6 addresses.
  29. In the IP Address field, type a self IP address to assign to the VLAN for DNS requests.
    The system accepts IPv4 and IPv6 addresses.
  30. In the IP Address field, type an IP address.
    This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, 10.1.1.1%1.
    The system accepts IPv4 and IPv6 addresses.
  31. In the Netmask field, type the network mask for the specified IP address.
    For example, you can type 255.255.255.0.
  32. In the Netmask field, type the full network mask for the specified IP address.
  33. In the Netmask field, type the full network mask for the specified IP address.
  34. In the Netmask field, type the network mask for the specified IP address.
  35. In the Netmask field, type the network mask for the specified IP address.
    For this example, type 255.255.255.0.
  36. From the VLAN/Tunnel list, select VLAN HA.
  37. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
    • On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
    • On the external network, select the external VLAN that is associated with an external interface or trunk.
  38. From the VLAN/Tunnel list, select the VLANs that you want to associate with this self IP address.
    The VLANs you select are those that you moved from partition Common to the current administrative partition.
  39. From the VLAN/Tunnel list, select either external or internal.
  40. From the VLAN/Tunnel list, select internal.
  41. From the VLAN/Tunnel list, select external.
  42. From the VLAN/Tunnel list, select wan.
  43. From the VLAN/Tunnel list, select the VLAN that you assigned to the route domain that contains this self IP address.
  44. From the VLAN/Tunnel list, select the VLAN group with which to associate this self IP address.
  45. From the VLAN/Tunnel list, select the tunnel with which to associate this self IP address.
  46. From the VLAN/Tunnel list, select the appropriate VLAN.
  47. From the VLAN/Tunnel list, select the appropriate VLAN.
    For this example, select link1.
  48. From the Port Lockdown list, select Allow Default.
  49. From the Port Lockdown list, select 9004.
  50. From the Port Lockdown list, select a level of security for the self IP address.
    Selecting Allow None blocks administrative traffic only, for this self IP address. Specifically, a user is blocked from accessing the BIG-IP system through the BIG-IP Configuration utility or SSH.
  51. From the Port Lockdown list, select Allow None.
    This selection avoids potential conflicts (for management and other control functions) with other TCP applications. However, to access any of the services typically available on a self IP address, select Allow Custom, so that you can open the ports that those services need.
  52. From the Port Lockdown list, select Allow Custom.
  53. If you are creating an external self IP address, use the Port Lockdown setting to add TCP 179 to your current list of allowed ports for this self IP address.
    Port 179 represents the Border Gateway Protocol (BGP). Selecting port 179 gives BGP traffic coming from the ECMP router access to the BIG-IP device.
  54. Use the Port Lockdown setting to add TCP 179 to your current list of allowed ports for this self IP address.
    Port 179 represents the Border Gateway Protocol (BGP). Selecting port 179 gives BGP traffic coming from the ECMP router access to the BIG-IP device.
  55. Click Add.
  56. Select UDP.
  57. Select Port, and in the field, type 161 (the well-known port number for SNMP).
  58. If this self IP address is the shared (floating) IP address for a redundant system, select the Floating IP check box.
  59. Select the Floating IP check box.
  60. From the Traffic Group list, select traffic-group-1 (floating).
  61. For the Traffic Group setting, choose one of the following actions:
    • Action: Retain the default setting, traffic-group-local-only (non-floating).
      Result: The system creates a non-floating self IP address that becomes a member of traffic-group-local-only.
    • Action: Select the check box labeled Inherit traffic group from current partition / path.
      Result: The system creates a floating self IP address that becomes a member of traffic-group-1.
    • Action: Select a traffic group from the Traffic Group list.
      Result: The system creates a floating self IP address that becomes a member of the selected traffic group.
  62. For the Traffic Group setting, clear the Inherit traffic group from current partition / path check box and from the list, select None.
  63. From the Traffic Group list, select traffic-group-2 (floating).
  64. From the Traffic Group list, select traffic-group-local-only (non-floating).
  65. From the Traffic Group list, select the name of a floating traffic group.
    For example, for IP address 20.1.1.2, select Traffic-group-1. For address 20.1.1.3, select Traffic-group-2, and so on.
  66. From the Traffic Group list, select the floating traffic group that you want to assign to this self IP address.
    Continuing with our example, if you are logged in to Bigip_B, you would display the properties for the external floating IP address 20.1.1.3 and select traffic-group-2.
  67. From the Traffic Group list, change the floating traffic group from traffic-group-1 to the name of the unique traffic group you previously created on this device.
    Continuing with our example, if you are logged in to Bigip_B, you would display the properties for the external floating IP address 20.1.1.3 and select traffic-group-2.
  68. If the BIG-IP system is part of a redundant system configuration, select the corresponding traffic group from the Traffic Group list.
  69. From the Unit ID list, select the unit of the redundant system with which to initially associate the floating self IP address.
  70. Click Delete.
  71. Click Add.
  72. Click Update.
  73. Click Finished.
    The screen refreshes, and displays the new self IP address.
  74. Click Finished.
  75. To enforce rules from a firewall policy on the self IP: In the Network Firewall area, from the Enforcement list, select Enabled, and then from the Policy list, select the firewall policy to enforce.
  76. To enforce any inline rules that apply to the self IP, and not apply a firewall policy: in the Network Firewall area, from the Enforcement list, select Inline Rules.
  77. To stage rules from a firewall policy on the self IP: In the Network Firewall area, from the Staging list, select Enabled, and then from the Policy list, select the firewall policy to stage.
  78. From the Service Policy list, retain the default value of None, or select a policy to associate with the self IP address.
    A service policy contains a timer policy, which defines custom timeouts for matched traffic types.
  79. Exit the vConsole utility by typing the key sequence ctrl-].
    This displays the prompt telnet>.
  80. Type q.
The BIG-IP system can send and receive traffic through the specified VLAN or VLAN group.
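
The Port Lockdown steps above decide which services each self IP address accepts. The following added example (not part of the F5 manual) audits a constructed listing in the style of tmsh list net self output and flags self IP addresses on a public VLAN that allow more than an expected port set. The stanza layout, the name int_self_rd1, the policy of expecting only tcp:179 on VLAN external, and treating a missing allow-service line as none are assumptions.

```python
import ipaddress
import re

# Constructed sample styled after `tmsh list net self` output (layout and int_self_rd1 assumed).
SAMPLE = """\
net self ext_static_self_bigipA {
    address 20.1.1.6/24
    allow-service {
        default
    }
    vlan external
}
net self float_ext_self_bigipA {
    address 20.1.1.2/24
    allow-service {
        tcp:179
        udp:161
    }
    vlan external
}
net self int_self_rd1 {
    address 10.1.1.1%1/24
    allow-service none
    vlan internal
}
"""

def parse_self_ips(text):
    """Map each self IP name to its address, route domain, VLAN and allowed services."""
    out = {}
    for name, body in re.findall(r"^net self (\S+) \{\n(.*?)^\}", text, re.S | re.M):
        addr = re.search(r"^\s+address (\S+)", body, re.M).group(1)
        host, _, rd = addr.split("/")[0].partition("%")  # x.x.x.x%n route-domain form
        ipaddress.ip_address(host)  # ValueError on a malformed IPv4/IPv6 address
        vlan = re.search(r"^\s+vlan (\S+)", body, re.M).group(1)
        block = re.search(r"allow-service \{(.*?)\}", body, re.S)
        flat = re.search(r"allow-service (\w+)", body)  # all / none / default
        services = block.group(1).split() if block else [flat.group(1) if flat else "none"]
        out[name] = {"address": host, "rd": int(rd or 0), "vlan": vlan, "services": services}
    return out

def audit(self_ips, public_vlans=("external",), expected=("tcp:179",)):
    """Flag self IPs on public VLANs that allow more than the expected ports (assumed policy)."""
    findings = []
    for name, s in sorted(self_ips.items()):
        extra = [p for p in s["services"] if p not in ("none", *expected)]
        if s["vlan"] in public_vlans and extra:
            findings.append((name, extra))
    return findings
```

Calling audit(parse_self_ips(SAMPLE)) reports the Allow Default self IP and the one that also opens UDP 161 on VLAN external, and skips the Allow None address in route domain 1.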