Manual Chapter : About Virtual Servers

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 15.0.0, 14.1.0

BIG-IP PEM

  • 15.0.0, 14.1.0

BIG-IP AFM

  • 15.0.0, 14.1.0

BIG-IP Analytics

  • 15.0.0, 14.1.0

BIG-IP ASM

  • 15.0.0, 14.1.0

BIG-IP AAM

  • 15.0.0, 14.1.0

BIG-IP APM

  • 15.0.0, 14.1.0

BIG-IP LTM

  • 15.0.0, 14.1.0
Manual Chapter

About Virtual Servers

Introduction to virtual servers

A virtual server is one of the most important components of any BIG-IP® system configuration. A
virtual server
is a traffic-management object on the BIG-IP system that is represented by a virtual IP address and a service, such as
192.168.20.10:80
. When clients on an external network send application traffic to virtual server, the virtual server listens for that traffic and, through destination address translation, directs the traffic according to the way that you configured the settings on the virtual server. A primary purpose of a virtual server is to distribute traffic across a pool of servers that you specify in the virtual server configuration.
To customize the way that the BIG-IP system processes various types of traffic, you can assign profiles to a virtual server. For example, through profile assignment, a virtual server can enable compression on HTTP request data as it passes through the BIG-IP system, or decrypt and re-encrypt SSL connections and verify SSL certificates. For each type of traffic, such as TCP, UDP, HTTP, SSL, SIP, and FTP, you can assign a custom profile to the virtual server or use the default profile.
When you create a virtual server, you specify the pool or pools that you want to use as the destination for any traffic coming from that virtual server. You also configure its general properties, profiles, SNATs, and other resources you want to assign to it, such as iRules or session persistence types.
To ensure that a server response returns through the BIG-IP system, you can either configure the default route on the server to be a self IP address on an internal VLAN, or you can create a SNAT and assign it to a virtual server.

Types of virtual servers

You can create several different types of virtual servers, depending on your particular configuration needs.
Types of virtual servers
Type
Description
Standard
A
Standard
virtual server (also known as a
load balancing
virtual server) directs client traffic to a load balancing pool and is the most basic type of virtual server. When you first create the virtual server, you assign an existing default pool to it. From then on, the virtual server automatically directs traffic to that default pool.
Forwarding (Layer 2)
You can set up a
Forwarding (Layer 2)
virtual server to share the same IP address as a node in an associated VLAN. This type of virtual server has no pool members to load balance. To configure this type of virtual server, you must perform some additional configuration tasks: creating a VLAN group that includes the VLAN in which the node resides, assigning a self-IP address to the VLAN group, and disabling the virtual server on the relevant VLAN. With a forwarding (IP) virtual server, address translation is disabled. When you use a Forwarding (Layer 2) type of virtual server, the BIG-IP system preserves the source MAC address in the header.
Forwarding (IP)
Like a Forwarding (Layer 2) virtual server. A
Forwarding (IP)
virtual server has no pool members to load balance. The virtual server simply forwards a packet directly to the configured destination IP address, based on what's defined in the BIG-IP system's routing table. The virtual server destination address can be either a node address or a network address. With a forwarding (IP) virtual server, address translation is disabled. An example of a Forwarding (IP) virtual server is one that accepts all traffic on an external VLAN and forwards it to the virtual server destination IP address.
Performance (HTTP)
A
Performance (HTTP)
virtual server is a virtual server with which you associate a Fast HTTP profile. Together, the virtual server and profile increase the speed at which the virtual server processes HTTP requests.
Performance (Layer 4)
A
Performance (Layer 4)
virtual server is a virtual server with which you associate a Fast L4 profile. Together, the virtual server and profile increase the speed at which the virtual server processes Layer 4 requests.
Stateless
A
Stateless
virtual server prevents the BIG-IP system from putting connections into the connection table for wildcard and forwarding destination IP addresses. When creating a stateless virtual server, you cannot configure SNAT automap, iRules, or port translation, and you must configure a default load balancing pool. Note that this type of virtual server applies to UDP traffic only.
Reject
A
Reject
virtual server specifies that the BIG-IP system rejects any traffic destined for the virtual server IP address.
DHCP
A
DHCP
virtual server relays Dynamic Host Control Protocol (DHCP) messages between clients and servers residing on different IP networks. Known as a
DHCP relay agent
, a BIG-IP system with a DHCP type of virtual server listens for DHCP client messages being broadcast on the subnet and then relays those messages to the DHCP server. The DHCP server then uses the BIG-IP system to send the responses back to the DHCP client. Configuring a DHCP virtual server on the BIG-IP system relieves you of the tasks of installing and running a separate DHCP server on each subnet.
Internal
An
Internal
virtual server is one that can send traffic to an intermediary server for specialized processing before the standard virtual server sends the traffic to its final destination. For example, if you want the BIG-IP system to perform content adaptation on HTTP requests or responses, you can create an internal virtual server that load balances those requests or responses to a pool of ICAP servers before sending the traffic back to the standard virtual server. An internal virtual server supports both TCP and UDP traffic.
Message Routing
A
Message Routing
virtual server is available for peer-to-peer configurations. Examples of traffic flows that can benefit from this type of virtual server are traffic flows using Diameter and SIP protocols.

Creating a virtual server

Before creating a virtual server, verify that you have created the pool to which you want this virtual server to send traffic. If you want to specify a range of IP addresses as the destination IP address and specify multiple service ports, confirm that an address list and port list already exist on the system.
When you create a virtual server, you specify a destination IP address and service port. All other settings on the virtual server have default values. You can change the default values of any settings to suit your needs.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. From the
    Type
    list, verify that
    Standard
    is selected.
  5. In the
    Destination Address/Mask
    field:
    • If you want to specify a single IP address, confirm that the
      Host
      button is selected, and type the IP address in CIDR format.
    • If you want to specify multiple IP addresses, select the
      Address List
      button, and confirm that the address list that you previously created appears in the box.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    The IP address or addresses for this field must be on the same subnet as the external self-IP address.
  6. In the
    Service Port
    field:
    • If you want to specify a single service port or all ports, confirm that the
      Port
      button is selected, and type or select a service port.
    • If you want to specify multiple ports other than all ports, select the
      Port List
      button, and confirm that the port list that you previously created appears in the box.
  7. Retain the default values for all other settings.
  8. From the
    Default Pool
    list, choose the pool you created.
After performing this task, you have a virtual server that listens for application traffic and acts according to the values configured within the virtual server.

About the destination address

When creating a virtual server, you must specify a destination address. You can specify either a single IP address or a list of of IP addresses, or a range of addresses, in IPv4 or IPv6 format:
  • When you specify a single IP address, a virtual server can listen for client connections that are destined for the address and then direct them to a server in a server pool. If you do not append a prefix (in CIDR notation) to the address, the default prefix is
    /32
    .
  • When you specify a list of addresses, you must have previously created the address list, using the
    Shared Objects
    screens of the BIG-IP Configuration utility. Once created, the address list appears in the
    Address List
    box in the virtual server configuration. The virtual server can then listen for client connections that are destined for any address in the list of IP addresses and then direct the connections to a server in a server pool.
On a virtual server, you can also specify address lists and port lists for source addresses and ports.

About connection rate limiting

When you create a virtual server, you can configure a connection rate limit, in connections per second, that the BIG-IP system will allow for that virtual server. Setting a connection rate limit helps the system detect Denial of Service attacks, where too many connection requests can flood a virtual server.
When the connection rate exceeds the configured connection rate limit, the system handles the excessive connections in different ways, depending on the connection type, either TCP or UDP:
  • When the connection rate limit is exceeded for TCP connections, the BIG-IP system issues TCP resets and logs TCP reset messages, citing the exceeded connection rate limit as the cause for the resets.
  • When the connection rate limit is exceeded for UDP connections, the BIG-IP system simply drops the connections.

About wildcard servers

Besides directing client connections that are destined for a specific network or subnet, a virtual server can also direct client connections that have a specific destination IP address that the virtual server does not recognize, such as a transparent device. This type of virtual server is known as a
wildcard
virtual server. Examples of transparent devices are firewalls, routers, proxy servers, and cache servers.
Wildcard virtual servers are a special type of virtual server that have a network IP address as the specified destination address instead of a host IP address.
When the BIG-IP® system does not find a specific virtual server that matches a client’s destination IP address, the BIG-IP system matches the client’s destination IP address to a wildcard virtual server, designated by an IP address of
0.0.0.0
. The BIG-IP system then forwards the client’s packet to one of the firewalls or routers assigned to that virtual server. Wildcardvirtual servers do not translate the destination IP address of the incoming packet.

Default and port-specific wildcard virtual servers

There are two kinds of wildcard virtual servers that you can create:
Default wildcard virtual servers
A
default wildcard virtual server
is a wildcard virtual server that uses port 0 and handles traffic for all services. A wildcard virtual server allows traffic from all external VLANs by default. However, you can specifically disable any VLANs that you do not want the default wildcard virtual server to support. Disabling VLANs for the default wildcard virtual server is done by creating a VLAN disabled list. Note that a VLAN disabled list applies to default wildcard virtual servers only. You cannot create a VLAN disabled list for a wildcard virtual server that is associated with one VLAN only.
Port-specific wildcard virtual servers
A
port-specific wildcard virtual server
handles traffic for a particular service only, and you define the virtual server using a service name or a port number. You can use port-specific wildcard virtual servers for tracking statistics for a particular type of network traffic, or for routing outgoing traffic, such as HTTP traffic, directly to a cache server rather than a firewall or router.
If you use both a default wildcard virtual server and port-specific wildcard virtual servers, any traffic that does not match either a standard virtual server or one of the port-specific wildcard virtual servers is handled by the default wildcard virtual server.
F5 Networks recommends that when you define transparent nodes that need to handle more than one type of service, such as a firewall or a router, you specify an actual port for the node and turn off port translation for the virtual server.

About multiple wildcard servers

You can define multiple wildcard virtual servers that run simultaneously. Each wildcard virtual server must be assigned to an individual VLAN, and therefore accepts packets from that VLAN only.
In some configurations, you need to set up a wildcard virtual server on one side of the BIG-IP system to distribute connections across transparent devices. You can create another wildcard virtual server on the other side of the BIG-IP system to forward packets to virtual servers receiving connections from the transparent devices and forwarding them to their destination.

About virtual addresses

A
virtual address
is the specific node or network IP address with which you associate a virtual server. For example, if a virtual server's destination address and service port are
192.168.20.10:80
, then the IP address
192.168.20.10
is a virtual address.
You can create a many-to-one relationship between virtual servers and a virtual address. For example, you can create the three virtual servers
192.168.20.10:80
,
192.168.20.10:443
, and
192.168.20.10:161
for the same virtual address,
192.168.20.10
.
You cannot explicitly create a virtual address; the BIG-IP system creates a virtual address whenever you create a virtual server, if the virtual address has not already been created. However, you can modify the properties of a virtual address, and you can enable and disable a virtual address. When you disable a virtual address, none of the virtual servers associated with that address can receive incoming network traffic.
When you create a virtual server, BIG-IP® internally associates the virtual address with a MAC address. This in turn causes the BIG-IP® system to respond to Address Resolution Protocol (ARP) requests for the virtual address, and to send gratuitous ARP requests and responses with respect to the virtual address. As an option, you can disable ARP activity for virtual addresses, in the rare case that ARP activity affects system performance. This most likely occurs only when you have a large number of virtual addresses defined on the system.

About virtual address creation

You create a virtual address indirectly when you create the first virtual server with a destination address that includes the virtual address. You do not explicitly create a virtual address.
For example, if you create a virtual server with a destination address of
192.168.30.22:80
, the BIG-IP® system automatically creates the virtual address
192.168.30.22
.

Viewing virtual address properties

Using the BIG-IP Configuration utility, you can view the properties of an existing virtual address on the BIG-IP system.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen displays a list of existing virtual servers.
  2. On the menu bar, click
    Virtual Address List
    .
    This displays the list of virtual addresses.
  3. In the Name column, click the name of the relevant virtual address.
    This displays the properties of the virtual address.
  4. Click the
    Cancel
    button.

Modifying a virtual address

You can modify the properties of a virtual address. For example, you might want to assign a virtual address to a different traffic group, or change the conditions under which the system advertises the virtual address to dynamic routing protocols.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    Virtual Address List
    .
    The Virtual Address List screen opens.
  2. Click the virtual address that you want to modify.
    This displays the properties of that virtual address.
  3. From the
    Traffic Group
    list, select the traffic group that you want the virtual address to belong to.
  4. Select or clear the
    Availability
    check box to speciy the availability of the virtual address with respect to service checking.
  5. From the
    State
    list, select the state of the virtual address, that is, enabled or disabled.
  6. Check or clear the
    Auto Delete
    check box to configure whether the system should automatically delete the virtual address with the deletion of the last associated virtual server.
    When cleared (disabled), this setting specifies that the system should retain the virtual address, even when all associated virtual servers have been deleted.
  7. To specify when the virtual address is considered available for route advertisement, select an option from the
    Availability Calculation
    list:
    • When any virtual server is available
    • When all virtual server(s) are available
    • Always
    When the virtual address is available and the
    Route Advertisement
    setting is set to
    Enabled
    , the BIG-IP system advertises the route for the virtual address.
  8. Verify that the
    ARP
    check box is selected.
  9. From the
    ICMP Echo
    list, select an option:
    Option
    Description
    Disabled
    Does not send ICMP responses.
    Always
    Always sends ICMP responses, regardless of availability status. This requires an enabled virtual address.
    Selective
    Internally enables or disables responses based on virtual server state: any virtual server, all virtual servers, or always, regardless of the state of any virtual server.
    For
    Selective
    , you must configure each relevant virtual server to notify the virtual address of its status.
    Any
    Responds when any virtual server is available.
    All
    Responds only when all virtual servers are available.
  10. From the
    Route Advertisement
    list, select an option:
    Option
    Description
    Disabled
    Does not advertise the route for the virtual address, regardless of the availability status.
    Enabled
    Advertises the route for the available virtual address, based on the calculation method selected in the
    Availability Calculation
    list.
    Always
    Always advertises the route for the virtual address, regardless of availability status. This requires an enabled virtual address.
    Selective
    You can also selectively enable ICMP echo responses, which causes the BIG-IP system to internally enable or disable responses based on virtual server state: any virtual server, all virtual servers, or always, regardless of the state of any virtual server.
    Any
    Advertises the route for the virtual address when any virtual server is available.
    All
    Advertises the route for the virtual address when all virtual servers are available.
  11. Click
    Update
    .

Virtual address settings

Lists and describes the configuration settings of a virtual address.
Property
Description
Default Value
Name
The name that you assign to the virtual address. This name can match the virtual IP address itself.
No default value
Partition / Path
The pathname indicating the partition/folder in which the virtual address resides.
/Common
Address
The IP address of the virtual server, excluding the service.
No default value
Traffic Group
The traffic group that contains this virtual IP address.
traffic-group-1 or traffic-group-local-only
Availability
The availability of the virtual address with respect to service checking.
No default value
State
The state of the virtual address, that is,
enabled
or
disabled
.
Enabled
Auto Delete
A directive that the system should automatically delete the virtual address with the deletion of the last associated virtual server. When cleared (disabled), this setting specifies that the system should retain the virtual address even when all associated virtual servers have been deleted.
Enabled
Availability Calculation
The virtual-server conditions for which the BIG-IP system should advertise this virtual address to an advanced routing module. This setting only applies when the
Route Advertisement
setting is enabled (checked). Possible values are:
  • When any virtual server is available
  • When all virtual server(s) are available
  • Always
When any virtual server is available
Connection Limit
The number of concurrent connections that the BIG-IP system allows on this virtual address.
0
ARP
A setting that enables or disables ARP requests for the virtual address. When this setting is disabled, the BIG-IP system ignores ARP requests that other routers send for this virtual address.
Enabled (checked)
ICMP Echo
A setting that enables, selectively enables, or disables responses to ICMP echo requests on a per-virtual address basis. When this setting is disabled, the BIG-IP system drops any ICMP echo request packets sent to virtual addresses, including standard statistics and logging. Note that the resulting behavior is affected by the value you configure for the
Availability Calculation
setting.
Enabled
Route Advertisement
A setting that inserts a route to this virtual address into the kernel routing table so that an advanced routing module can redistribute that route to other routers on the network. Possible values are:
Disabled
Does not advertise the route for the virtual address, regardless of the availability status
Enabled
Advertises the route for the available virtual address, based on the calculation method selected in the Availability Calculation list.
Always
Always advertises the route for the virtual address, regardless of availability status. This requires an enabled virtual address.
Selective
You can also selectively enable ICMP echo responses, which causes the BIG-IP system to internally enable or disable responses based on virtual server state: any virtual server, all virtual servers, or always, regardless of the state of any virtual server.
Any
Advertises the route for the virtual address when any virtual server is available.
All
Advertises the route for the virtual address when all virtual servers are available.
Disabled

About virtual servers and route domain IDs

Whenever you configure the
Source Address
and
Destination Address
settings on a virtual server, the BIG-IP system requires that the route domain IDs match, if route domain IDs are specified. To ensure that this requirement is met, the BIG-IP system enforces specific rules, which vary depending on whether you are modifying an existing virtual server or creating a new virtual server.
Modifying an existing virtual server
User action
Result
In the destination address, you change an existing route domain ID.
The system automatically changes the route domain ID on the source address to match the new destination route domain ID.
In the source address, you change an existing route domain ID.
If the new route domain ID does not match the route domain ID in the destination address, the system displays an error message stating that the two route domain IDs must match.
Creating a new virtual server
User action
Result
You specify a destination IP address only,with a route domain ID, and do not specify a source IP address.
The source IP address defaults to
0.0.0.0
and inherits the route domain ID from the destination IP address.
You specify both source and destination addresses but no route domain IDs.
The BIG-IP system uses the default route domain.
You specify both source and destination addresses and a route domain ID on each of the IP addresses.
The BIG-IP system verifies that both route domain IDs match. Otherwise, the system displays an error message.
You specify both source and destination addresses and a route domain ID on one of the addresses, but exclude an ID from the other address.
The system verifies that the specified route domain ID matches the ID of the default route domain. Specifically, when one address lacks an ID, the only valid configuration is one in which the ID specified on the other address is the ID of a default route domain. Otherwise, the system displays an error message.

About virtual server and virtual address status

At any time, you can determine the status of a virtual server or virtual address, using the BIG-IP® Configuration utility. You can find this information by displaying the list of virtual servers or virtual addresses and viewing the Status column, or by viewing the
Availability
property of the object.
The BIG-IP Configuration utility indicates status by displaying one of several icons, distinguished by shape and color:
  • The shape of the icon indicates the status that the monitor has reported for that node.
  • The color of the icon indicates the actual status of the node.
Whenever the state of a virtual address changes, the state change generates a set of log messages. If a virtual address changes its state multiple times rapidly (such as from UP to DOWN to UP), the logging of the messages from the second state change can be unexpectedly delayed by a few seconds (typically, 3 to 4 seconds).

About clustered multiprocessing

The BIG-IP system includes a performance feature known as Clustered Multiprocessing, or CMP. CMP is a traffic acceleration feature that creates a separate instance of the Traffic Management Microkernel (TMM) service for each central processing unit (CPU) on the system. When CMP is enabled, the workload is shared equally among all CPUs.
Whenever you create a virtual server, the BIG-IP system automatically enables the CMP feature. When CMP is enabled, all instances of the TMM service process application traffic.
When you view standard performance graphs using the BIG-IP Configuration utility, you can see multiple instances of the TMM service (
tmm0
,
tmm1
, and so on).
When CMP is enabled, be aware that:
  • While displaying some statistics individually for each TMM instance, the BIG-IP system displays other statistics as the combined total of all TMM instances.
  • Connection limits for a virtual server with CMP enabled are distributed evenly across all instances of the TMM service.
F5 recommends that you disable the CMP feature if you set a small connection limit on pool members (for example, a connection limit of 2 for the 8400 platform or 4 for the 8800 platform).
You can enable or disable CMP for a virtual server, or you can enable CMP for a specific CPU.