Manual Chapter: Common Elements for Self IP tasks
Applies To:
BIG-IP LTM
- 15.0.1, 15.0.0, 14.1.3, 14.1.2, 14.1.0
Before you create a self IP address, ensure that you have
created at least one VLAN or VLAN group.
A self IP address enables the BIG-IP system and other devices on the network to route application traffic
through the associated VLAN or VLAN group.
- On the Main tab, click.
- On the Main tab, click. The Self IP screen opens.
- On the Main tab of the BIG-IP Configuration utility, click.
- From the vCMP host, access the Bash shell and type vconsole guest_name primary_slot_number. The system prompts you to enter a user name and password.
- Log in using the root account. A system prompt is displayed on the primary slot of the named guest.
- Type the command tmsh create net self address ip_address/netmask vlan vlan_name allow-service default. This creates the specified IP address on the guest and makes required adjustments to the port lockdown settings.
- Click Create. The New Self IP screen opens.
- In the Name field, type a unique name for the self IP address. For this example, type VLAN1.
- In the Name field, type a unique name for the self IP address.
- In the Name field, type a unique name for the static self IP address. For example, for device BIGIP_A, this name could be ext_static_self_bigipA or int_static_self_bigipA.
- In the Name field, type a unique name for the floating self IP address. For example, for the floating external self IP address for device Bigip_A, this name could be float_ext_self_bigipA.
- In the Name column, click the self IP address corresponding to VLAN external. This displays the properties of that self IP address.
- In the Name column, click the floating self IP address assigned to VLAN internal. This displays the properties of that self IP address.
- In the Name column, click the self IP address that you want to modify. This displays the properties of the self IP address.
- In the Name column, click a self IP address associated with a VLAN on the public network. This displays the properties of that self IP address.
- In the IP Address field, type the self IP address for the system that applies to the VLAN.
- In the IP Address field, type the self IP address for the system that applies to the VLAN. For this example, type one of the following:
  - If you are configuring lc1.siterequest.com, type 10.1.1.20
  - If you are configuring lc2.siterequest.com, type 10.1.1.21
- In the IP Address field, type an IP address. This IP address represents the address of the SNMP agent. The system accepts IPv4 and IPv6 addresses.
- In the IP Address field, type the private IP address that is assigned to the ETH1 network interface.
- In the IP Address field, type an IPv4 or IPv6 address. This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.
- In the IP Address field, type an IP address. For example, in our sample configuration for device BIGIP_A, the static self IP address for VLAN external could be 20.1.1.6.
- In the IP Address field, type an IPv4 or IPv6 address. This IP address should represent the address space of the VLAN group that you specify with the VLAN/Tunnel setting.
- In the IP Address field, type an IPv4 address. This IP address should represent the address space of the VLAN group that you specify with the VLAN/Tunnel setting.
- In the IP Address field, type the IP address of the system. The system accepts IPv4 and IPv6 addresses.
- In the IP Address field, type the private IP address that is assigned to the ETH2 network interface.
- In the IP Address field, type an IP address. This IP address should represent the network of the router. The system accepts IPv4 and IPv6 addresses.
- In the IP Address field, type the IP address of the legacy DNS server. The system accepts IPv4 and IPv6 addresses.
- In the IP Address field, type the IP address of the primary DNS server. The system accepts IPv4 and IPv6 addresses.
- In the IP Address field, type a self IP address to assign to the VLAN for DNS requests. The system accepts IPv4 and IPv6 addresses.
- In the IP Address field, type an IP address. This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, 10.1.1.1%1. The system accepts IPv4 and IPv6 addresses.
- In the Netmask field, type the network mask for the specified IP address. For example, you can type 255.255.255.0.
- In the Netmask field, type the full network mask for the specified IP address.
- In the Netmask field, type the network mask for the specified IP address.
- In the Netmask field, type the network mask for the specified IP address. For this example, type 255.255.255.0.
- From the VLAN/Tunnel list, select VLAN HA.
- From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
  - On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
  - On the external network, select the external VLAN that is associated with an external interface or trunk.
- From the VLAN/Tunnel list, select the VLANs that you want to associate with this self IP address. The VLANs you select are those that you moved from partition Common to the current administrative partition.
- From the VLAN/Tunnel list, select either external or internal.
- From the VLAN/Tunnel list, select internal.
- From the VLAN/Tunnel list, select external.
- From the VLAN/Tunnel list, select wan.
- From the VLAN/Tunnel list, select the VLAN that you assigned to the route domain that contains this self IP address.
- From the VLAN/Tunnel list, select the VLAN group with which to associate this self IP address.
- From the VLAN/Tunnel list, select the tunnel with which to associate this self IP address.
- From the VLAN/Tunnel list, select the appropriate VLAN.
- From the VLAN/Tunnel list, select the appropriate VLAN. For this example, select link1.
- From the Port Lockdown list, select Allow Default.
- From the Port Lockdown list, select 9004.
- From the Port Lockdown list, select a level of security for the self IP address. Selecting Allow None blocks administrative traffic only, for this self IP address. Specifically, a user is blocked from accessing the BIG-IP system through the BIG-IP Configuration utility or SSH.
- From the Port Lockdown list, select Allow None. This selection avoids potential conflicts (for management and other control functions) with other TCP applications. However, to access any of the services typically available on a self IP address, select Allow Custom, so that you can open the ports that those services need.
- From the Port Lockdown list, select Allow Custom.
- If you are creating an external self IP address, use the Port Lockdown setting to add TCP 179 to your current list of allowed ports for this self IP address. Port 179 represents the Border Gateway Protocol (BGP). Selecting port 179 gives BGP traffic coming from the ECMP router access to the BIG-IP device.
- Use the Port Lockdown setting to add TCP 179 to your current list of allowed ports for this self IP address. Port 179 represents the Border Gateway Protocol (BGP). Selecting port 179 gives BGP traffic coming from the ECMP router access to the BIG-IP device.
- Click Add.
- Select UDP.
- Select Port, and in the field, type 161 (the well-known port number for SNMP).
- If this self IP address is the shared (floating) IP address for a redundant system, select the Floating IP check box.
- Select the Floating IP check box.
- From the Traffic Group list, select traffic-group-1 (floating).
- For the Traffic Group setting, choose one of the following actions:

  | Action | Result |
  | --- | --- |
  | Retain the default setting, traffic-group-local-only (non-floating). | The system creates a non-floating self IP address that becomes a member of traffic-group-local-only. |
  | Select the check box labeled Inherit traffic group from current partition / path. | The system creates a floating self IP address that becomes a member of traffic-group-1. |
  | Select a traffic group from the Traffic Group list. | The system creates a floating self IP address that becomes a member of the selected traffic group. |

- For the Traffic Group setting, clear the Inherit traffic group from current partition / path check box and from the list, select None.
- From the Traffic Group list, select traffic-group-2 (floating).
- From the Traffic Group list, select traffic-group-local-only (non-floating).
- From the Traffic Group list, select the name of a floating traffic group. For example, for IP address 20.1.1.2, select Traffic-group-1. For address 20.1.1.3, select Traffic-group-2, and so on.
- From the Traffic Group list, select the floating traffic group that you want to assign to this self IP address. Continuing with our example, if you are logged in to Bigip_B, you would display the properties for the external floating IP address 20.1.1.3 and select traffic-group-2.
- From the Traffic Group list, change the floating traffic group from traffic-group-1 to the name of the unique traffic group you previously created on this device. Continuing with our example, if you are logged in to Bigip_B, you would display the properties for the external floating IP address 20.1.1.3 and select traffic-group-2.
- If the BIG-IP system is part of a redundant system configuration, select the corresponding traffic group from the Traffic Group list.
- From the Unit ID list, select the unit of the redundant system with which to initially associate the floating self IP address.
- Click Delete.
- Click Add.
- Click Update.
- Click Finished. The screen refreshes, and displays the new self IP address.
- Click Finished.
- To enforce rules from a firewall policy on the self IP: In the Network Firewall area, from the Enforcement list, select Enabled, and then from the Policy list, select the firewall policy to enforce.
- To enforce any inline rules that apply to the self IP, and not apply a firewall policy: In the Network Firewall area, from the Enforcement list, select Inline Rules.
- To stage rules from a firewall policy on the self IP: In the Network Firewall area, from the Staging list, select Enabled, and then from the Policy list, select the firewall policy to stage.
- From the Service Policy list, retain the default value of None, or select a policy to associate with the self IP address. A service policy contains a timer policy, which defines custom timeouts for matched traffic types.
- Exit the vConsole utility by typing the key sequence ctrl-]. This displays the prompt telnet>.
- Type q.
The BIG-IP system can send and receive traffic through the
specified VLAN or VLAN group.