Manual Chapter :
Self IP Addresses
Applies To:
Show VersionsBIG-IP AAM
- 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP APM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Analytics
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Link Controller
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP LTM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP PEM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP AFM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP DNS
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Self IP Addresses
Introduction to self IP addresses
A
self IP address
is an IP address on the BIG-IP® system that you associate with a VLAN, to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space
, that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address. You can associate self IP addresses not only with VLANs, but also with VLAN groups.Self IP addresses serve two purposes:
- First, when sending a message to a destination server, the BIG-IP system uses the self IP addresses of its VLANs to determine the specific VLAN in which a destination server resides. For example, if VLAN internal has a self IP address of10.10.10.100, with a netmask of255.255.255.0, and the destination server’s IP address is10.10.10.20(with a netmask of255.255.255.255), the BIG-IP system recognizes that the server’s IP address falls within the range of VLAN internal’s self IP address, and therefore sends the message to that VLAN. More specifically, the BIG-IP system sends the message to the interface that you assigned to that VLAN. If more than one interface is assigned to the VLAN, the BIG-IP system takes additional steps to determine the correct interface, such as checking the Layer2 forwarding table.
- Second, a self IP address can serve as the default route for each destination server in the corresponding VLAN. In this case, the self IP address of a VLAN appears as the destination IP address in the packet header when the server sends a response to the BIG-IP system.
You normally assign self IP addresses to a VLAN when you initially run the Setup utility on a BIG-IP system. More specifically, you assign one static self IP address and one floating self IP address to each of the default VLANs (internal and external). Later, using the BIG-IP Configuration utility, you can create self IP addresses for other VLANs that you create.
Self IP addresses reside in administrative partitions/folders and are associated with traffic
groups. The self IP addresses that you create when you run the Setup utility reside in partition
Common (that is folder
/Common
).Types of self IP addresses
There are two types of self IP addresses that you can create:
- Astatic self IP addressis an IP address that the BIG-IP® system does not share with another BIG-IP system. Any self IP address that you assign to the default traffic grouptraffic-group-local-onlyis a static self IP address.
- Afloating self IP addressis an IP address that two BIG-IP systems share. Any self IP address that you assign to the default traffic grouptraffic-group-1is a floating self IP address.
Self IP addresses and MAC addresses
For each self IP address that you create for a VLAN, the BIG-IP® system
automatically assigns a media access control (MAC) address.
As an alternative, you can globally configure the BIG-IP system to assign the same MAC address to all VLANs. This feature is useful if your network includes a type of switch that does not keep a separate Layer 2 forwarding table for each VLAN on that switch.
Self IP addresses for SNATs
When you configure the BIG-IP® system to manage local area traffic, you
can implement a feature known as a secure network address translation (SNAT). A
SNAT
is an object that causes the BIG-IP system to translate the original source IP address of a
packet to an IP address that you specify. A SNAT ensures that the target server sends its
response back through the BIG-IP system rather than to the original client IP address
directly.When you create a SNAT, you can configure the BIG-IP system to automatically choose a
translation address. This ability of the BIG-IP system to automatically choose a translation
address is known as
SNAT automapping
, and in this case, the translation address that
the system chooses is always an existing self IP address. Thus, for traffic going from the BIG-IP
system to a destination server, configuring SNAT automapping ensures that the source IP address
in the header of a packet is a self IP address.When you create an automapped SNAT, the BIG-IP system actually creates a SNAT pool consisting of the system’s internal self IP addresses, and then uses an algorithm to select and assign an address from that SNAT pool.
Self IP address properties
It is when you initially run the Setup utility on a BIG-IP® system that
you normally create any static and floating self IP addresses and assign them to VLANs. However,
if you want to create additional self IP addresses later, you can do so using the BIG-IP
Configuration utility.
Only users with either the Administrator or Resource Administrator user role can create and manage self IP addresses.
A self IP address can be in either IPv4 or IPv6 format.
IP address
A self IP address, combined with a netmask, typically represents a range of host IP addresses in a VLAN. If you are assigning a self IP address to a VLAN group, the self IP address represents the range of self IP addresses assigned to the VLANs in that group.
Netmask
When you specify a netmask for a self IP address, the self IP address can represent a range of IP addresses, rather than a single host address. For example, a self IP address of
10.0.0.100
can represent several host IP addresses if you specify a netmask of 255.255.0.0
.VLAN/Tunnel assignment
You assign a unique self IP address to a specific VLAN or a VLAN group:
- Assigning a self IP address to a VLAN
- The self IP address that you assign to a VLAN should represent an address space that includes the self IP addresses of the hosts that the VLAN contains. For example, if the address of one destination server in a VLAN is10.0.0.1and the address of another server in the VLAN is10.0.0.2, you could assign a self IP address of10.0.0.100, with a netmask of255.255.0.0, to the VLAN.
- Assigning a self IP address to a VLAN group
- The self IP address that you assign to a VLAN group should represent an address space that includes the self IP addresses of the VLANs that you assigned to the group. For example, if the self IP address of one VLAN in a VLAN group is10.0.20.100and the address of the other VLAN in a VLAN group is10.0.30.100, you could assign an address of10.0.0.100, with a netmask of255.255.0.0, to the VLAN group.
The VLAN/Tunnel list in the BIG-IP Configuration utility displays the names of all existing
VLANs and VLAN groups.
Port lockdown
Each self IP address has a feature known as port lockdown.
Port lockdown
is a
security feature that allows you to specify particular UDP and TCP protocols and services from
which the self IP address can accept traffic.You can determine the supported protocols and services by using the
tmsh
command tmsh list net
self-allow defaults
.If you do not want to use the default
setting (
Allow None
), you can configure port lockdown to allow either all UDP and TCP protocols
and services (Allow All
) or only those that you specify (Allow Custom
).High availability-related traffic from configured peer devices in a device
group might not be subject to port lockdown settings.
Traffic groups
If you want the self IP address to be a
floating IP address
, that is, an address
shared between two or more BIG-IP devices in a device group, you can assign a floating traffic
group to the self IP address. A floating traffic group causes the self IP address to become a
floating self IP address. A floating self IP address ensures that application traffic reaches its destination. More specifically, a floating self IP address enables a source node to successfully send a request, and a destination node to successfully send a response, when the relevant BIG-IP device is unavailable.
If you want the self IP address to be a static (non-floating) IP address (used mostly for standalone devices), you can assign a non-floating traffic group to the self IP address. A non-floating traffic group causes the self IP address to become a non-floating self IP address. An example of a non-floating self IP address is the address that you assign to the default VLAN named HA, which is used strictly to process failover communications between BIG-IP devices, instead of processing application traffic.
Creating a self IP address
Before you create a self IP address, ensure that you have
created at least one VLAN or VLAN group.
A self IP address enables the BIG-IP system and other devices on the network to route application traffic
through the associated VLAN or VLAN group.
- On the Main tab, click.
- ClickCreate.The New Self IP screen opens.
- In theNamefield, type a unique name for the self IP address.
- In theIP Addressfield, type an IPv4 or IPv6 address.This IP address should represent the address space of the VLAN that you specify with theVLAN/Tunnelsetting.
- In theNetmaskfield, type the full network mask for the specified IP address.
- From theVLAN/Tunnellist, select the VLAN to associate with this self IP address.
- On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
- On the external network, select the external VLAN that is associated with an external interface or trunk.
- From thePort Lockdownlist, selectAllow Default.
- For theTraffic Groupsetting, choose one of the following actions:ActionResultRetain the default setting,traffic-group-local-only (non-floating).The system creates a non-floating self IP address that becomes a member oftraffic-group-local-only.Select the check box labeledInherit traffic group from current partition / path.The system creates a floating self IP address that becomes a member oftraffic-group-1.Select a traffic group from theTraffic Grouplist.The system creates a floating self IP address that becomes a member of the selected traffic group.
- From theService Policylist, retain the default value ofNone, or select a policy to associate with the self IP address.A service policy contains a timer policy, which defines custom timeouts for matched traffic types.
- ClickFinished.The screen refreshes, and displays the new self IP address.
After you perform this task, the BIG-IP system can send and receive traffic
through the specified VLAN or VLAN group. If the self IP address is member of a floating
traffic group and you configure the system for redundancy, the self IP address can fail
over to another device group member if necessary.
After creating the self IP address, ensure that you repeat this task to create as many self IP addresses as needed.
About VLANs with identical names and different tags
Sometimes a host administrator might publish a VLAN to a guest, but the guest administrator has
already created, or later creates, a VLAN with the same name but with a different VLAN tag. In
this case, the guest VLAN always overrides the host VLAN. The VLAN can still exist on the host
(for other guests to subscribe to), but it is the guest VLAN that is used.
Whenever host and guest VLANs have the same names but different tags, traffic cannot flow between
the identically-named VLANs at Layer 2. That is, when the tags do not match, the underlying Layer
2 infrastructure of the VLANs does not match, thereby preventing the host from reaching the
guest.
The example here shows the
tmsh
command sequence for creating two separate VLANs with the same names and different tags, and the resulting traffic flow issue.# While logged into the guest, create a VLAN: [root@G1:/S1-green-P:Active:Standalone] config #tmsh create net vlan# Show that no VLANs exist on the host: [root@host_210:/S1-green-P:Active:Standalone] config #VLAN_Atag1000tmsh list net vlan all[root@host_210:/S1-green-P:Active:Standalone] config # # On the host, create a VLAN with the same name as the guest VLAN but with a unique tag on the host: [root@host_210:/S1-green-P:Active:Standalone] config #tmsh create net vlan# Publish the host VLAN to the guest: [root@host_210:/S1-green-P:Active:Standalone] config #VLAN_Atag1001tmsh modify vcmp guest# Within the guest, show that the guest still has its own VLAN only, and not the VLAN published from the host: [root@G1:/S1-green-P:Active:Standalone] config #guest1vlans add {VLAN_A}tmsh list net vlan allnet vlan VLAN_A { if-index 192 tag 1000 }# Within the guest, create a self IP address for the VLAN: [root@G1:/S1-green-P:Active:Standalone] config #tmsh create net self 10.1.1.1/24 vlan# On the host, create a self IP address for the identically-named VLAN: [root@host_210:/S1-green-P:Active:Standalone] config #VLAN_Atmsh create net self 10.1.1.2/24 vlan# From the host, open a connection to the guest, and notice that because the two VLANs have different tags, the connection fails: [root@host_210:/S1-green-P:Active:Standalone] config #VLAN_Aping -c2 10.1.1.1PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data. From 10.1.1.2 icmp_seq=1 Destination Host Unreachable From 10.1.1.2 icmp_seq=2 Destination Host Unreachable --- 10.1.1.1 ping statistics --- 2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 3000ms pipe 2