Manual Chapter : Self IP Addresses

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP PEM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP Analytics

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP AFM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP ASM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP AAM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP LTM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0
Manual Chapter

Self IP Addresses

Introduction to self IP addresses

A
self IP address
is an IP address on the BIG-IP® system that you associate with a VLAN, to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an
address space
, that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address. You can associate self IP addresses not only with VLANs, but also with VLAN groups.
Self IP addresses serve two purposes:
  • First, when sending a message to a destination server, the BIG-IP system uses the self IP addresses of its VLANs to determine the specific VLAN in which a destination server resides. For example, if VLAN internal has a self IP address of
    10.10.10.100
    , with a netmask of
    255.255.255.0
    , and the destination server’s IP address is
    10.10.10.20
    (with a netmask of
    255.255.255.255
    ), the BIG-IP system recognizes that the server’s IP address falls within the range of VLAN internal’s self IP address, and therefore sends the message to that VLAN. More specifically, the BIG-IP system sends the message to the interface that you assigned to that VLAN. If more than one interface is assigned to the VLAN, the BIG-IP system takes additional steps to determine the correct interface, such as checking the Layer2 forwarding table.
  • Second, a self IP address can serve as the default route for each destination server in the corresponding VLAN. In this case, the self IP address of a VLAN appears as the destination IP address in the packet header when the server sends a response to the BIG-IP system.
You normally assign self IP addresses to a VLAN when you initially run the Setup utility on a BIG-IP system. More specifically, you assign one static self IP address and one floating self IP address to each of the default VLANs (internal and external). Later, using the BIG-IP Configuration utility, you can create self IP addresses for other VLANs that you create.
Self IP addresses reside in administrative partitions/folders and are associated with traffic groups. The self IP addresses that you create when you run the Setup utility reside in partition Common (that is folder
/Common
).

Types of self IP addresses

There are two types of self IP addresses that you can create:
  • A
    static self IP address
    is an IP address that the BIG-IP® system does not share with another BIG-IP system. Any self IP address that you assign to the default traffic group
    traffic-group-local-only
    is a static self IP address.
  • A
    floating self IP address
    is an IP address that two BIG-IP systems share. Any self IP address that you assign to the default traffic group
    traffic-group-1
    is a floating self IP address.

Self IP addresses and MAC addresses

For each self IP address that you create for a VLAN, the BIG-IP® system automatically assigns a media access control (MAC) address.
As an alternative, you can globally configure the BIG-IP system to assign the same MAC address to all VLANs. This feature is useful if your network includes a type of switch that does not keep a separate Layer 2 forwarding table for each VLAN on that switch.

Self IP addresses for SNATs

When you configure the BIG-IP® system to manage local area traffic, you can implement a feature known as a secure network address translation (SNAT). A
SNAT
is an object that causes the BIG-IP system to translate the original source IP address of a packet to an IP address that you specify. A SNAT ensures that the target server sends its response back through the BIG-IP system rather than to the original client IP address directly.
When you create a SNAT, you can configure the BIG-IP system to automatically choose a translation address. This ability of the BIG-IP system to automatically choose a translation address is known as
SNAT automapping
, and in this case, the translation address that the system chooses is always an existing self IP address. Thus, for traffic going from the BIG-IP system to a destination server, configuring SNAT automapping ensures that the source IP address in the header of a packet is a self IP address.
When you create an automapped SNAT, the BIG-IP system actually creates a SNAT pool consisting of the system’s internal self IP addresses, and then uses an algorithm to select and assign an address from that SNAT pool.

Self IP address properties

It is when you initially run the Setup utility on a BIG-IP® system that you normally create any static and floating self IP addresses and assign them to VLANs. However, if you want to create additional self IP addresses later, you can do so using the BIG-IP Configuration utility.
Only users with either the Administrator or Resource Administrator user role can create and manage self IP addresses.
A self IP address can be in either IPv4 or IPv6 format.

IP address

A self IP address, combined with a netmask, typically represents a range of host IP addresses in a VLAN. If you are assigning a self IP address to a VLAN group, the self IP address represents the range of self IP addresses assigned to the VLANs in that group.

Netmask

When you specify a netmask for a self IP address, the self IP address can represent a range of IP addresses, rather than a single host address. For example, a self IP address of
10.0.0.100
can represent several host IP addresses if you specify a netmask of
255.255.0.0
.

VLAN/Tunnel assignment

You assign a unique self IP address to a specific VLAN or a VLAN group:
Assigning a self IP address to a VLAN
The self IP address that you assign to a VLAN should represent an address space that includes the self IP addresses of the hosts that the VLAN contains. For example, if the address of one destination server in a VLAN is
10.0.0.1
and the address of another server in the VLAN is
10.0.0.2
, you could assign a self IP address of
10.0.0.100
, with a netmask of
255.255.0.0
, to the VLAN.
Assigning a self IP address to a VLAN group
The self IP address that you assign to a VLAN group should represent an address space that includes the self IP addresses of the VLANs that you assigned to the group. For example, if the self IP address of one VLAN in a VLAN group is
10.0.20.100
and the address of the other VLAN in a VLAN group is
10.0.30.100
, you could assign an address of
10.0.0.100
, with a netmask of
255.255.0.0
, to the VLAN group.
The VLAN/Tunnel list in the BIG-IP Configuration utility displays the names of all existing VLANs and VLAN groups.

Port lockdown

Each self IP address has a feature known as port lockdown.
Port lockdown
is a security feature that allows you to specify particular UDP and TCP protocols and services from which the self IP address can accept traffic.
You can determine the supported protocols and services by using the
tmsh
command
tmsh list net self-allow defaults
.
If you do not want to use the default setting (
Allow None
), you can configure port lockdown to allow either all UDP and TCP protocols and services (
Allow All
) or only those that you specify (
Allow Custom
).
High availability-related traffic from configured peer devices in a device group might not be subject to port lockdown settings.

Traffic groups

If you want the self IP address to be a
floating IP address
, that is, an address shared between two or more BIG-IP devices in a device group, you can assign a floating traffic group to the self IP address. A floating traffic group causes the self IP address to become a floating self IP address.
A floating self IP address ensures that application traffic reaches its destination. More specifically, a floating self IP address enables a source node to successfully send a request, and a destination node to successfully send a response, when the relevant BIG-IP device is unavailable.
If you want the self IP address to be a static (non-floating) IP address (used mostly for standalone devices), you can assign a non-floating traffic group to the self IP address. A non-floating traffic group causes the self IP address to become a non-floating self IP address. An example of a non-floating self IP address is the address that you assign to the default VLAN named HA, which is used strictly to process failover communications between BIG-IP devices, instead of processing application traffic.

Creating a self IP address

Before you create a self IP address, ensure that you have created at least one VLAN or VLAN group.
A self IP address enables the BIG-IP system and other devices on the network to route application traffic through the associated VLAN or VLAN group.
  1. On the Main tab, click
    Network
    Self IPs
    .
  2. Click
    Create
    .
    The New Self IP screen opens.
  3. In the
    Name
    field, type a unique name for the self IP address.
  4. In the
    IP Address
    field, type an IPv4 or IPv6 address.
    This IP address should represent the address space of the VLAN that you specify with the
    VLAN/Tunnel
    setting.
  5. In the
    Netmask
    field, type the full network mask for the specified IP address.
  6. From the
    VLAN/Tunnel
    list, select the VLAN to associate with this self IP address.
    • On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
    • On the external network, select the external VLAN that is associated with an external interface or trunk.
  7. From the
    Port Lockdown
    list, select
    Allow Default
    .
  8. For the
    Traffic Group
    setting, choose one of the following actions:
    Action
    Result
    Retain the default setting,
    traffic-group-local-only (non-floating)
    .
    The system creates a non-floating self IP address that becomes a member of
    traffic-group-local-only
    .
    Select the check box labeled
    Inherit traffic group from current partition / path
    .
    The system creates a floating self IP address that becomes a member of
    traffic-group-1
    .
    Select a traffic group from the
    Traffic Group
    list.
    The system creates a floating self IP address that becomes a member of the selected traffic group.
  9. From the
    Service Policy
    list, retain the default value of
    None
    , or select a policy to associate with the self IP address.
    A service policy contains a timer policy, which defines custom timeouts for matched traffic types.
  10. Click
    Finished
    .
    The screen refreshes, and displays the new self IP address.
After you perform this task, the BIG-IP system can send and receive traffic through the specified VLAN or VLAN group. If the self IP address is member of a floating traffic group and you configure the system for redundancy, the self IP address can fail over to another device group member if necessary.
After creating the self IP address, ensure that you repeat this task to create as many self IP addresses as needed.

About VLANs with identical names and different tags

Sometimes a host administrator might publish a VLAN to a guest, but the guest administrator has already created, or later creates, a VLAN with the same name but with a different VLAN tag. In this case, the guest VLAN always overrides the host VLAN. The VLAN can still exist on the host (for other guests to subscribe to), but it is the guest VLAN that is used.
Whenever host and guest VLANs have the same names but different tags, traffic cannot flow between the identically-named VLANs at Layer 2. That is, when the tags do not match, the underlying Layer 2 infrastructure of the VLANs does not match, thereby preventing the host from reaching the guest.
The example here shows the
tmsh
command sequence for creating two separate VLANs with the same names and different tags, and the resulting traffic flow issue.
# While logged into the guest, create a VLAN: [root@G1:/S1-green-P:Active:Standalone] config #
tmsh create net vlan
VLAN_A
tag
1000
# Show that no VLANs exist on the host: [root@host_210:/S1-green-P:Active:Standalone] config #
tmsh list net vlan all
[root@host_210:/S1-green-P:Active:Standalone] config # # On the host, create a VLAN with the same name as the guest VLAN but with a unique tag on the host: [root@host_210:/S1-green-P:Active:Standalone] config #
tmsh create net vlan
VLAN_A
tag
1001
# Publish the host VLAN to the guest: [root@host_210:/S1-green-P:Active:Standalone] config #
tmsh modify vcmp guest
guest1
vlans add {
VLAN_A
}
# Within the guest, show that the guest still has its own VLAN only, and not the VLAN published from the host: [root@G1:/S1-green-P:Active:Standalone] config #
tmsh list net vlan all
net vlan VLAN_A { if-index 192 tag 1000 }
# Within the guest, create a self IP address for the VLAN: [root@G1:/S1-green-P:Active:Standalone] config #
tmsh create net self 10.1.1.1/24 vlan
VLAN_A
# On the host, create a self IP address for the identically-named VLAN: [root@host_210:/S1-green-P:Active:Standalone] config #
tmsh create net self 10.1.1.2/24 vlan
VLAN_A
# From the host, open a connection to the guest, and notice that because the two VLANs have different tags, the connection fails: [root@host_210:/S1-green-P:Active:Standalone] config #
ping -c2 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data. From 10.1.1.2 icmp_seq=1 Destination Host Unreachable From 10.1.1.2 icmp_seq=2 Destination Host Unreachable --- 10.1.1.1 ping statistics --- 2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 3000ms pipe 2