Manual Chapter: About Virtual Servers
Applies To:
BIG-IP AAM
- 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP APM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Analytics
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Link Controller
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP LTM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP PEM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP AFM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP DNS
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Introduction to virtual servers
A virtual server is one of the most important components of any BIG-IP® system configuration. A virtual server is a traffic-management object on the BIG-IP system that is represented by a virtual IP address and a service, such as 192.168.20.10:80. When clients on an external network send application traffic to a virtual server, the virtual server listens for that traffic and, through destination address translation, directs the traffic according to the way that you configured the settings on the virtual server. A primary purpose of a virtual server is to distribute traffic across a pool of servers that you specify in the virtual server configuration.
To customize the way that the BIG-IP system processes various types of traffic, you can assign profiles to a virtual server. For example, through profile assignment, a virtual server can enable compression on HTTP request data as it passes through the BIG-IP system, or decrypt and re-encrypt SSL connections and verify SSL certificates. For each type of traffic, such as TCP, UDP, HTTP, SSL, SIP, and FTP, you can assign a custom profile to the virtual server or use the default profile.
When you create a virtual server, you specify the pool or pools that you want to use as the
destination for any traffic coming from that virtual server. You also configure its general
properties, profiles, SNATs, and other resources you want to assign to it, such as iRules or
session persistence types.
To ensure that a server response returns through the BIG-IP system, you can
either configure the default route on the server to be a self IP address on an internal VLAN, or
you can create a SNAT and assign it to a virtual server.
Types of virtual servers
You can create several different types of virtual servers, depending on your particular
configuration needs.
Type | Description |
---|---|
Standard | A Standard virtual server (also known as a load balancing virtual server) directs client traffic to a load balancing pool and is the most basic type of virtual server. When you first create the virtual server, you assign an existing default pool to it. From then on, the virtual server automatically directs traffic to that default pool. |
Forwarding (Layer 2) | You can set up a Forwarding (Layer 2) virtual server to share the same IP address as a node in an associated VLAN. This type of virtual server has no pool members to load balance. To configure this type of virtual server, you must perform some additional configuration tasks: creating a VLAN group that includes the VLAN in which the node resides, assigning a self-IP address to the VLAN group, and disabling the virtual server on the relevant VLAN. With a forwarding (IP) virtual server, address translation is disabled. When you use a Forwarding (Layer 2) type of virtual server, the BIG-IP system preserves the source MAC address in the header. |
Forwarding (IP) | Like a Forwarding (Layer 2) virtual server, a Forwarding (IP) virtual server has no pool members to load balance. The virtual server simply forwards a packet directly to the configured destination IP address, based on what's defined in the BIG-IP system's routing table. The virtual server destination address can be either a node address or a network address. With a forwarding (IP) virtual server, address translation is disabled. An example of a Forwarding (IP) virtual server is one that accepts all traffic on an external VLAN and forwards it to the virtual server destination IP address. |
Performance (HTTP) | A Performance (HTTP) virtual server is a virtual server with which you associate a Fast HTTP profile. Together, the virtual server and profile increase the speed at which the virtual server processes HTTP requests. |
Performance (Layer 4) | A Performance (Layer 4) virtual server is a virtual server with which you associate a Fast L4 profile. Together, the virtual server and profile increase the speed at which the virtual server processes Layer 4 requests. |
Stateless | A Stateless virtual server prevents the BIG-IP system from putting connections into the connection table for wildcard and forwarding destination IP addresses. When creating a stateless virtual server, you cannot configure SNAT automap, iRules, or port translation, and you must configure a default load balancing pool. Note that this type of virtual server applies to UDP traffic only. |
Reject | A Reject virtual server specifies that the BIG-IP system rejects any traffic destined for the virtual server IP address. |
DHCP | A DHCP virtual server relays Dynamic Host Configuration Protocol (DHCP) messages between clients and servers residing on different IP networks. Known as a DHCP relay agent, a BIG-IP system with a DHCP type of virtual server listens for DHCP client messages being broadcast on the subnet and then relays those messages to the DHCP server. The DHCP server then uses the BIG-IP system to send the responses back to the DHCP client. Configuring a DHCP virtual server on the BIG-IP system relieves you of the tasks of installing and running a separate DHCP server on each subnet. |
Internal | An Internal virtual server is one that can send traffic to an intermediary server for specialized processing before the standard virtual server sends the traffic to its final destination. For example, if you want the BIG-IP system to perform content adaptation on HTTP requests or responses, you can create an internal virtual server that load balances those requests or responses to a pool of ICAP servers before sending the traffic back to the standard virtual server. An internal virtual server supports both TCP and UDP traffic. |
Message Routing | A Message Routing virtual server is available for peer-to-peer configurations. Examples of traffic flows that can benefit from this type of virtual server are traffic flows using Diameter and SIP protocols. |
Creating a virtual server
Before creating a virtual server, verify that you have created the pool to which you
want this virtual server to send traffic. If you want to specify a range of IP addresses
as the destination IP address and specify multiple service ports, confirm that an
address list and port list already exist on the system.
When you create a virtual server, you specify a destination IP address and service
port. All other settings on the virtual server have default values. You can change the
default values of any settings to suit your needs.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- From the Type list, verify that Standard is selected.
- In the Destination Address/Mask field:
  - If you want to specify a single IP address, confirm that the Host button is selected, and type the IP address in CIDR format.
  - If you want to specify multiple IP addresses, select the Address List button, and confirm that the address list that you previously created appears in the box.
  The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
  The IP address or addresses for this field must be on the same subnet as the external self-IP address.
- In the Service Port field:
  - If you want to specify a single service port or all ports, confirm that the Port button is selected, and type or select a service port.
  - If you want to specify multiple ports other than all ports, select the Port List button, and confirm that the port list that you previously created appears in the box.
- Retain the default values for all other settings.
- From the Default Pool list, choose the pool you created.
After performing this task, you have a virtual server that listens for application
traffic and acts according to the values configured within the virtual server.
About the destination address
When creating a virtual server, you must specify a destination address. You can specify either a single IP address or a list of IP addresses, or a range of addresses, in IPv4 or IPv6 format:
- When you specify a single IP address, a virtual server can listen for client connections that are destined for the address and then direct them to a server in a server pool. If you do not append a prefix (in CIDR notation) to the address, the default prefix is /32.
- When you specify a list of addresses, you must have previously created the address list, using the Shared Objects screens of the BIG-IP Configuration utility. Once created, the address list appears in the Address List box in the virtual server configuration. The virtual server can then listen for client connections that are destined for any address in the list of IP addresses and then direct the connections to a server in a server pool.
On a virtual server, you can also specify address lists and port lists for source addresses and ports.
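A pre-change check for the Destination Address/Mask rules above (address/prefix format, the /32 default for a bare IPv4 address, and the same-subnet requirement from the creation steps), written as an added Python example that is not F5 code. The function name, the result fields and the self-IP values in the test are assumptions made for illustration.

```python
import ipaddress


def check_destination(value, external_self_ip):
    """Check one Destination Address/Mask value before it is configured.

    value            -- destination in address/prefix form, e.g. "10.0.0.0/24"
    external_self_ip -- external self IP with its prefix, e.g. "10.0.0.254/24"
    Returns a dict with the parsed address, prefix length, kind and findings.
    """
    result = {"address": None, "prefix": None, "kind": None, "findings": []}
    text = value.strip()
    try:
        # ip_interface keeps host bits (ffe1::0020/64 is a valid value on the
        # page) and gives a bare IPv4 address a /32 prefix, as the page states.
        dest = ipaddress.ip_interface(text)
        self_ip = ipaddress.ip_interface(external_self_ip)
    except ValueError as exc:
        result["findings"].append(f"not in address/prefix format: {exc}")
        return result

    result["address"] = str(dest.ip)
    result["prefix"] = dest.network.prefixlen

    if dest.ip.is_unspecified:
        # 0.0.0.0 designates a wildcard virtual server; the subnet rule for
        # ordinary destinations does not apply, but the scope deserves review.
        result["kind"] = "wildcard"
        result["findings"].append(
            "wildcard destination: handles traffic no specific virtual server matches")
        return result

    full_length = dest.network.prefixlen == dest.network.max_prefixlen
    result["kind"] = "host" if full_length else "network"

    if dest.version == 6 and "/" not in text:
        # Python assumes /128 here; the page documents a default for IPv4 only.
        result["findings"].append(
            "IPv6 value has no prefix; the /32 default is documented for IPv4 only")

    if dest.version != self_ip.version:
        result["findings"].append("address family differs from the external self IP")
    elif not dest.network.subnet_of(self_ip.network):
        result["findings"].append("not on the same subnet as the external self IP")
    return result
```
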
About connection rate limiting
When you create a virtual server, you can configure a connection rate limit, in connections per
second, that the BIG-IP system will allow for that virtual server. Setting a connection rate
limit helps the system detect Denial of Service attacks, where too many connection requests can
flood a virtual server.
When the connection rate exceeds the configured connection rate limit,
the system handles the excessive connections in different ways, depending on the connection type,
either TCP or UDP:
- When the connection rate limit is exceeded for TCP connections, the BIG-IP system issues TCP resets and logs TCP reset messages, citing the exceeded connection rate limit as the cause for the resets.
- When the connection rate limit is exceeded for UDP connections, the BIG-IP system simply drops the connections.
About wildcard servers
Besides directing client connections that are destined for a specific network or subnet, a virtual server can also direct client connections that have a specific destination IP address that the virtual server does not recognize, such as a transparent device. This type of virtual server is known as a wildcard virtual server. Examples of transparent devices are firewalls, routers, proxy servers, and cache servers.
Wildcard virtual servers are a special type of virtual server that have a network IP address as the specified destination address instead of a host IP address.
When the BIG-IP® system does not find a specific virtual server that matches a client’s destination IP address, the BIG-IP system matches the client’s destination IP address to a wildcard virtual server, designated by an IP address of 0.0.0.0. The BIG-IP system then forwards the client’s packet to one of the firewalls or routers assigned to that virtual server. Wildcard virtual servers do not translate the destination IP address of the incoming packet.
Default and port-specific wildcard virtual servers
There are two kinds of wildcard virtual servers that you can create:
- Default wildcard virtual servers
  A default wildcard virtual server is a wildcard virtual server that uses port 0 and handles traffic for all services. A wildcard virtual server allows traffic from all external VLANs by default. However, you can specifically disable any VLANs that you do not want the default wildcard virtual server to support. Disabling VLANs for the default wildcard virtual server is done by creating a VLAN disabled list. Note that a VLAN disabled list applies to default wildcard virtual servers only. You cannot create a VLAN disabled list for a wildcard virtual server that is associated with one VLAN only.
- Port-specific wildcard virtual servers
  A port-specific wildcard virtual server handles traffic for a particular service only, and you define the virtual server using a service name or a port number. You can use port-specific wildcard virtual servers for tracking statistics for a particular type of network traffic, or for routing outgoing traffic, such as HTTP traffic, directly to a cache server rather than a firewall or router.
If you use both a default wildcard virtual server and port-specific wildcard virtual servers, any traffic that does not match either a standard virtual server or one of the port-specific wildcard virtual servers is handled by the default wildcard virtual server.
F5 Networks recommends that when you define transparent nodes that need to handle more than one type of service, such as a firewall or a router, you specify an actual port for the node and turn off port translation for the virtual server.
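The matching order described above (specific virtual server, then port-specific wildcard, then default wildcard) and a review of wildcard scope, as an added Python model that is not F5 code and does not reproduce the system's full matching logic. The class, the function names, the virtual server names and the VLAN names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

WILDCARD = "0.0.0.0"  # destination address that designates a wildcard virtual server


@dataclass
class VirtualServer:
    name: str
    address: str                 # destination address; 0.0.0.0 marks a wildcard
    port: int                    # 0 means all services
    vlan: Optional[str] = None   # set when the server is assigned to one VLAN only
    vlans_disabled: frozenset = frozenset()  # VLAN disabled list

    def accepts_vlan(self, vlan):
        if self.vlan is not None:
            return vlan == self.vlan
        return vlan not in self.vlans_disabled


def _tier(vs):
    # 0 = specific address, 1 = port-specific wildcard, 2 = default wildcard
    if vs.address != WILDCARD:
        return 0
    return 1 if vs.port != 0 else 2


def resolve(servers, dst_ip, dst_port, vlan):
    """Return the virtual server that handles the packet, or None."""
    candidates = [
        vs for vs in servers
        if vs.accepts_vlan(vlan)
        and vs.address in (dst_ip, WILDCARD)
        and vs.port in (dst_port, 0)
    ]
    return min(candidates, key=_tier, default=None)


def audit_wildcards(servers):
    """Flag wildcard definitions whose scope is wider than, or contrary to, the page."""
    findings = []
    for vs in servers:
        if vs.address != WILDCARD:
            continue
        if vs.port == 0 and vs.vlan is None and not vs.vlans_disabled:
            findings.append((vs.name, "default wildcard accepts all services from "
                                      "every VLAN; add a VLAN disabled list"))
        if vs.vlans_disabled and (vs.port != 0 or vs.vlan is not None):
            findings.append((vs.name, "VLAN disabled list applies to default "
                                      "wildcard virtual servers only"))
    return findings


# Constructed sample configuration.
SERVERS = [
    VirtualServer("vs_web", "192.168.20.10", 80),
    VirtualServer("wc_http_cache", WILDCARD, 80),
    VirtualServer("wc_default", WILDCARD, 0),
]
SCOPED = [VirtualServer("wc_default", WILDCARD, 0, vlans_disabled=frozenset({"dmz"}))]
```
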
About multiple wildcard servers
You can define multiple wildcard virtual servers that run simultaneously.
Each wildcard virtual server must be assigned to an individual VLAN, and therefore accepts
packets from that VLAN only.
In some configurations, you need to set up a wildcard virtual server on one
side of the BIG-IP system to distribute connections across transparent devices. You can create
another wildcard virtual server on the other side of the BIG-IP system to forward packets to
virtual servers receiving connections from the transparent devices and forwarding them to their
destination.
About virtual addresses
A virtual address is the specific node or network IP address with which you associate a virtual server. For example, if a virtual server's destination address and service port are 192.168.20.10:80, then the IP address 192.168.20.10 is a virtual address.
You can create a many-to-one relationship between virtual servers and a virtual address. For example, you can create the three virtual servers 192.168.20.10:80, 192.168.20.10:443, and 192.168.20.10:161 for the same virtual address, 192.168.20.10.
You cannot explicitly create a virtual address; the BIG-IP system creates a virtual address whenever you create a virtual server, if the virtual address has not already been created. However, you can modify the properties of a virtual address, and you can enable and disable a virtual address. When you disable a virtual address, none of the virtual servers associated with that address can receive incoming network traffic.
When you create a virtual server, BIG-IP® internally associates the
virtual address with a MAC address. This in turn causes the BIG-IP® system
to respond to Address Resolution Protocol (ARP) requests for the virtual address, and to send
gratuitous ARP requests and responses with respect to the virtual address. As an option, you can
disable ARP activity for virtual addresses, in the rare case that ARP activity affects system
performance. This most likely occurs only when you have a large number of virtual addresses
defined on the system.
About virtual address creation
You create a virtual address indirectly when you create the first virtual server with a destination address that includes the virtual address. You do not explicitly create a virtual address.
For example, if you create a virtual server with a destination address of 192.168.30.22:80, the BIG-IP® system automatically creates the virtual address 192.168.30.22.
Viewing virtual address properties
Using the BIG-IP Configuration utility, you can view the
properties of an existing virtual address on the BIG-IP system.
- On the Main tab, click. The Virtual Server List screen displays a list of existing virtual servers.
- On the menu bar, click Virtual Address List. This displays the list of virtual addresses.
- In the Name column, click the name of the relevant virtual address. This displays the properties of the virtual address.
- Click the Cancel button.
Modifying a virtual address
You can modify the properties of a virtual address. For example, you might want to
assign a virtual address to a different traffic group, or change the conditions
under which the system advertises the virtual address to dynamic routing
protocols.
- On the Main tab, click. The Virtual Address List screen opens.
- Click the virtual address that you want to modify. This displays the properties of that virtual address.
- From the Traffic Group list, select the traffic group that you want the virtual address to belong to.
- Select or clear the Availability check box to specify the availability of the virtual address with respect to service checking.
- From the State list, select the state of the virtual address, that is, enabled or disabled.
- Check or clear the Auto Delete check box to configure whether the system should automatically delete the virtual address with the deletion of the last associated virtual server. When cleared (disabled), this setting specifies that the system should retain the virtual address, even when all associated virtual servers have been deleted.
- To specify when the virtual address is considered available for route advertisement, select an option from the Availability Calculation list:
  - When any virtual server is available
  - When all virtual server(s) are available
  - Always
  When the virtual address is available and the Route Advertisement setting is set to Enabled, the BIG-IP system advertises the route for the virtual address.
- Verify that the ARP check box is selected.
- From the ICMP Echo list, select an option:
  Option | Description |
  ---|---|
  Disabled | Does not send ICMP responses. |
  Always | Always sends ICMP responses, regardless of availability status. This requires an enabled virtual address. |
  Selective | Internally enables or disables responses based on virtual server state: any virtual server, all virtual servers, or always, regardless of the state of any virtual server. For Selective, you must configure each relevant virtual server to notify the virtual address of its status. |
  Any | Responds when any virtual server is available. |
  All | Responds only when all virtual servers are available. |
- From the Route Advertisement list, select an option:
  Option | Description |
  ---|---|
  Disabled | Does not advertise the route for the virtual address, regardless of the availability status. |
  Enabled | Advertises the route for the available virtual address, based on the calculation method selected in the Availability Calculation list. |
  Always | Always advertises the route for the virtual address, regardless of availability status. This requires an enabled virtual address. |
  Selective | You can also selectively enable ICMP echo responses, which causes the BIG-IP system to internally enable or disable responses based on virtual server state: any virtual server, all virtual servers, or always, regardless of the state of any virtual server. |
  Any | Advertises the route for the virtual address when any virtual server is available. |
  All | Advertises the route for the virtual address when all virtual servers are available. |
- Click Update.
Virtual address settings
Lists and describes the configuration settings of a virtual address.
Property | Description | Default Value |
---|---|---|
Name | The name that you assign to the virtual address. This name can match the virtual IP address itself. | No default value |
Partition / Path | The pathname indicating the partition/folder in which the virtual address resides. | /Common |
Address | The IP address of the virtual server, excluding the service. | No default value |
Traffic Group | The traffic group that contains this virtual IP address. | traffic-group-1 or traffic-group-local-only |
Availability | The availability of the virtual address with respect to service checking. | No default value |
State | The state of the virtual address, that is, enabled or disabled. | Enabled |
Auto Delete | A directive that the system should automatically delete the virtual address with the deletion of the last associated virtual server. When cleared (disabled), this setting specifies that the system should retain the virtual address even when all associated virtual servers have been deleted. | Enabled |
Availability Calculation | The virtual-server conditions for which the BIG-IP system should advertise this virtual address to an advanced routing module. This setting only applies when the Route Advertisement setting is enabled (checked). Possible values are: | When any virtual server is available |
Connection Limit | The number of concurrent connections that the BIG-IP system allows on this virtual address. | 0 |
ARP | A setting that enables or disables ARP requests for the virtual address. When this setting is disabled, the BIG-IP system ignores ARP requests that other routers send for this virtual address. | Enabled (checked) |
ICMP Echo | A setting that enables, selectively enables, or disables responses to ICMP echo requests on a per-virtual address basis. When this setting is disabled, the BIG-IP system drops any ICMP echo request packets sent to virtual addresses, including standard statistics and logging. Note that the resulting behavior is affected by the value you configure for the Availability Calculation setting. | Enabled |
Route Advertisement | A setting that inserts a route to this virtual address into the kernel routing table so that an advanced routing module can redistribute that route to other routers on the network. Possible values are: | Disabled |
About virtual servers and route domain IDs
Whenever you configure the Source Address and Destination Address settings on a virtual server, the BIG-IP system requires that the route domain IDs match, if route domain IDs are specified. To ensure that this requirement is met, the BIG-IP system enforces specific rules, which vary depending on whether you are modifying an existing virtual server or creating a new virtual server.
User action | Result |
---|---|
In the destination address, you change an existing route domain ID. | The system automatically changes the route domain ID on the source address to match the new destination route domain ID. |
In the source address, you change an existing route domain ID. | If the new route domain ID does not match the route domain ID in the destination address, the system displays an error message stating that the two route domain IDs must match. |
User action | Result |
---|---|
You specify a destination IP address only, with a route domain ID, and do not specify a source IP address. | The source IP address defaults to 0.0.0.0 and inherits the route domain ID from the destination IP address. |
You specify both source and destination addresses but no route domain IDs. | The BIG-IP system uses the default route domain. |
You specify both source and destination addresses and a route domain ID on each of the IP addresses. | The BIG-IP system verifies that both route domain IDs match. Otherwise, the system displays an error message. |
You specify both source and destination addresses and a route domain ID on one of the addresses, but exclude an ID from the other address. | The system verifies that the specified route domain ID matches the ID of the default route domain. Specifically, when one address lacks an ID, the only valid configuration is one in which the ID specified on the other address is the ID of a default route domain. Otherwise, the system displays an error message. |
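The route domain ID rules in the two tables above, expressed as an added Python model for checking planned changes; it is not F5 code. The function names, the tuple representation of an address with its route domain ID, and the `default_rd=0` value for the default route domain are assumptions made for illustration.

```python
class RouteDomainError(ValueError):
    """Raised where the tables say the system displays an error message."""


def create_virtual_server(dest_ip, dest_rd=None, src_ip=None, src_rd=None, default_rd=0):
    """Apply the rules for creating a new virtual server.

    Returns {"source": (ip, rd), "destination": (ip, rd)} or raises
    RouteDomainError. A route domain ID of None means "not specified".
    """
    if src_ip is None:
        # Destination only: the source defaults to 0.0.0.0 and inherits the
        # destination's route domain ID.
        rd = dest_rd if dest_rd is not None else default_rd
        return {"source": ("0.0.0.0", rd), "destination": (dest_ip, rd)}

    if dest_rd is None and src_rd is None:
        # No IDs at all: the default route domain is used.
        rd = default_rd
    elif dest_rd is not None and src_rd is not None:
        # An ID on each address: both must match.
        if dest_rd != src_rd:
            raise RouteDomainError("source and destination route domain IDs must match")
        rd = dest_rd
    else:
        # An ID on one address only: it must be the default route domain's ID.
        given = dest_rd if dest_rd is not None else src_rd
        if given != default_rd:
            raise RouteDomainError(
                f"route domain ID {given} is set on one address only and is not "
                f"the default route domain ({default_rd})")
        rd = default_rd
    return {"source": (src_ip, rd), "destination": (dest_ip, rd)}


def modify_route_domain(vs, side, new_rd):
    """Apply the rules for changing a route domain ID on an existing virtual server."""
    src_ip, _ = vs["source"]
    dest_ip, dest_rd = vs["destination"]
    if side == "destination":
        # The source ID follows the new destination ID automatically.
        return {"source": (src_ip, new_rd), "destination": (dest_ip, new_rd)}
    if side == "source":
        if new_rd != dest_rd:
            raise RouteDomainError("the two route domain IDs must match")
        return {"source": (src_ip, new_rd), "destination": (dest_ip, dest_rd)}
    raise ValueError("side must be 'source' or 'destination'")


def is_rejected(fn, *args, **kwargs):
    """True when the call is refused with a RouteDomainError."""
    try:
        fn(*args, **kwargs)
    except RouteDomainError:
        return True
    return False
```
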
About virtual server and virtual address status
At any time, you can determine the status of a virtual server or virtual address, using the BIG-IP® Configuration utility. You can find this information by displaying the list of virtual servers or virtual addresses and viewing the Status column, or by viewing the Availability property of the object.
The BIG-IP Configuration utility indicates status by displaying one of several icons, distinguished by shape and color:
- The shape of the icon indicates the status that the monitor has reported for that node.
- The color of the icon indicates the actual status of the node.
Whenever the state of a virtual address changes, the state
change generates a set of log messages. If a virtual address changes its state multiple times
rapidly (such as from UP to DOWN to UP), the logging of the messages from the second state change
can be unexpectedly delayed by a few seconds (typically, 3 to 4 seconds).
About clustered multiprocessing
The BIG-IP system includes a performance feature known as Clustered Multiprocessing, or CMP. CMP is a traffic acceleration feature that creates a separate instance of the Traffic Management Microkernel (TMM) service for each central processing unit (CPU) on the system. When CMP is enabled, the workload is shared equally among all CPUs.
Whenever you create a virtual server, the BIG-IP system automatically
enables the CMP feature. When CMP is enabled, all instances of the TMM service process
application traffic.
When you view standard performance graphs using the BIG-IP Configuration utility, you can see multiple instances of the TMM service (tmm0, tmm1, and so on).
When CMP is enabled, be aware that:
- While displaying some statistics individually for each TMM instance, the BIG-IP system displays other statistics as the combined total of all TMM instances.
- Connection limits for a virtual server with CMP enabled are distributed evenly across all instances of the TMM service.
F5 recommends that you disable the CMP feature if you set a small connection limit on pool members (for example, a connection limit of 2 for the 8400 platform or 4 for the 8800 platform).
You can enable or disable CMP for a virtual server, or you can enable CMP
for a specific CPU.