Manual Chapter : Planning a BIG-IQ Centralized Management Deployment

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 6.1.0
Manual Chapter

Planning a BIG-IQ Centralized Management Deployment

Which type of centralized management solution do you want to deploy?

There are two license types for a centralized management solution, one for BIG-IQ device management and one for a data collection device (DCD).

BIG-IQ device management

F5 BIG-IQ Centralized Management is a platform that you use as a tool to help you manage BIG-IP devices and all of their services (such as LTM, AFM, ASM, and so forth), from one location. BIG-IQ can manage up to 200 (physical, virtual, or vCMP) BIG-IP devices and handle licensing for up to 5,000 unmanaged devices.
Using BIG-IQ helps you more efficiently manage your BIG-IP devices. That means you and your co-workers don't have to log in to individual BIG-IP systems to get your job done. Instead, you can discover, upgrade, deploy policy changes, manage licenses, and more, from just one place.
From BIG-IQ, you can manage a variety of tasks from software updates to health monitoring, and traffic to security. And because permissions for users are role-based, you can limit access to just a few trusted administrators to minimize downtime and potential security issues. You can also allow users to view or edit only those BIG-IP objects that they need to do their job.
Here's an example of how BIG-IQ can fit into a data center. This topology does not include any data collection devices, so statistical analytics, and event or alert management are not supported.
Centralized Management network topology

Data collection device

A
data collection device
(DCD) is a specially provisioned BIG-IQ system that you use to manage and store alerts, events, and statistical data from one or more BIG-IP systems. The next diagram illustrates a simplified example of how DCDs add to your BIG-IQ Centralized Management solution.
Centralized Management network topology with DCDs

BIG-IQ Centralized Management documentation set

BIG-IQ Centralized Management documentation set is located on AskF5 at https://support.f5.com. Click the
Product Manuals
link under Resources, and select
BIG-IQ Centralized Management
from the product list, and select the appropriate version.
Title
Use to:
F5 BIG-IQ Centralized Management Virtual Editions Setup guides
Set up BIG-IQ Virtual Edition (VE) as a guest in a virtual environment using supported hypervisors.
Planning and Implementing an F5 BIG-IQ Centralized Management Deployment
Plan deployment, license, and set up the BIG-IQ system in your network.
F5 BIG-IQ Centralized Management: Core Concepts
Find out more about the concepts about the core functionality included with BIG-IQ Centralized Management.
F5 BIG-IQ Centralized Management DCD Sizing Guide
Determine the resources that are required to handle the data generated by the BIG-IP devices you manage. Requirements vary according to the type and amount of data you generate.
F5 BIG-IQ Centralized Management: Authentication, Roles, and User Management
  • Configure authentication through a 3rd-party provider (LDAP, RADIUS or TACAS+) .
  • Use built-in and custom roles to manage user access.
F5 BIG-IQ Centralized Management: Monitoring and Reports
  • Set up health monitoring and alerts and statistics collections
  • Manage audit logs, run reports, and analyze statistics.
  • Troubleshoot Access reports.
F5 BIG-IQ Centralized Management: Device
  • Discover BIG-IP devices and import F5 services.
  • Deploy software images, licenses, SSL certificates, backup files, and configurations.
F5 BIG-IQ Local Traffic & Network Implementations
Manage:
  • Local Traffic profiles
  • Virtual servers
  • Network objects
  • iRules
  • Applications and application templates
As well as configuring an IPsec tunnel and event viewing.
F5 BIG-IQ Centralized Management: Security
Manage:
  • Object pinning
  • Firewall contexts
  • Address and port lists
  • Rules, rule lists, policies, and rule reports
  • Service, timer, and port misuse policies
  • NAT policies and translations
  • FQDN resolvers
  • Change verifications
  • External logging devices
  • Shared security for virtual servers, DoS profiles, device DoS configurations, network whitelists, logging profiles, and SSH profiles
  • Bot signatures and bot signature categories
  • IP intelligence settings
  • External redirection settings
  • Application Securities Policies
  • Signature files, custom attack signatures and sets
  • Web Application Security event logs
F5 BIG-IQ Centralized Management: Access
  • Configure an Access group, HA pair, and cluster.
  • Manage access groups.
  • View and edit access configurations.
  • Configure authentication for Active Directory, SecuID, HTTP, Oracle Access Manager, OCSP responder, CRLDP, and Kerberos.
  • Manage audit logs
F5 BIG-IQ Centralized Management: Fraud Protection Service
Set up, manage, and monitor alerts for fraud protection. Configuration of DataSafe profiles (data encryption protection), where a single profile can be used on multiple BIG-IP systems.
F5 Platform Guide: BIG-IQ 7000 Series
Set up and manage the BIG-IQ 7000 hardware platform.
F5 BIG-IQ Centralized Management Use Case: Provide Role-Based User Access to an Application
Give role-based user access to a SharePoint application.
F5 BIG-IQ Centralized Management: Auto-Scale in an Azure Cloud
  • Setup BIG-IQ to auto-scale BIG-IP VE devices in an Azure cloud to manage applications.
  • Monitor health of BIG-IP VE devices.
  • Manage scaling policies, application templates, and device templates.
F5 BIG-IQ Centralized Management: Auto-Scale in a VMware Environment
  • Setup BIG-IQ to auto-scale BIG-IP VE devices in a VMware environment to manage applications.
  • Monitor health of BIG-IP VE devices.
  • Manage scaling policies, application templates, and device templates.
F5 BIG-IQ Centralized Management: Auto-Scale in a AWS Cloud
  • Setup BIG-IQ to auto-scale BIG-IP VE devices in an AWS cloud to manage applications.
  • Monitor health of BIG-IP VE devices.
  • Manage scaling policies, application templates, and device templates.
F5 BIG-IQ Centralized Management: Auto-Scale in a Azure Cloud
  • Setup BIG-IQ to auto-scale BIG-IP VE devices in an Azure cloud to manage applications.
  • Monitor health of BIG-IP VE devices.
  • Manage scaling policies, application templates, and device templates.
BIG-IQ Centralized Management: Monitoring and Managing Application Services
Monitor the health and statistics for your application services.
F5 BIG-IQ Centralized Management upgrade guides
Upgrade BIG-IQ Centralized Management and BIG-IQ Logging Node to the most recent software version.
Release notes
Find information about the current software release, including a list of associated documentation, a summary of new features, enhancements, fixes, known issues, and available workarounds.
AskF5 Articles and Tech Notes
Read responses and resolutions to known issues. Tech Notes provide additional configuration instructions and how-to information.

What elements make up a centralized management solution?

An Centralized Management solution can involve a number of different elements. The topology for these elements depends on your needs, and on whether you include data collection devices (DCDs) in your solution. A typical solution can include the following elements:
  • BIG-IQ system(s)
  • BIG-IP devices
  • Data collection devices (optional)
  • Remote storage devices (optional)

BIG-IQ Centralized Management system

Using BIG-IQ Centralized Management, you can centrally manage your BIG-IP devices, performing operations such as backups, licensing, monitoring, and configuration management. And because access to each area of BIG-IQ is role-based, you can limit access to users, thus maximizing work flows while minimizing errors and potential security issues.

BIG-IP device

A BIG-IP device runs a number of licensed components designed around application availability, access control, and security solutions. These components run on top of F5 . This custom operating system is an event driven operating system designed specifically to inspect network and application traffic and make real-time decisions based on the configurations you provide. The BIG-IP software runs on both hardware and virtualized environments.

BIG-IQ data collection device

A
data collection device
(DCD) is a specially provisioned BIG-IQ system that you use to manage and store alerts, events, and statistical data from one or more BIG-IP systems.
Configuration tasks on the BIG-IP system determine when and how alerts or events are triggered on the client. The alerts or events are sent to a BIG-IQ data collection device, and the BIG-IQ system retrieves them for your analysis. When you opt to collect statistical data from the BIG-IP devices, the DCD periodically (at an interval that you configure) retrieves those statistics from your devices, and then processes and stores that data.
The group of data collection devices and BIG-IQ systems that work together to store and manage your data are referred to as the
data collection cluster
. The individual data collection devices are generally referred to as
nodes
.

Remote storage device

The remote storage device is necessary only when your deployment includes a data collection device (DCD) and you plan to store backups of your events, alerts, and statistical data for disaster recovery requirements. Remote storage is also required so that you can retain this data when you upgrade your software.

Network Requirements for a BIG-IQ Centralized Management Deployment

Before you deploy a BIG-IQ Centralized Management

Before you begin to deploy a BIG-IQ® system, you should complete these preparations.
  • Determine the deployment scenario that works best for your needs.
  • Create the interfaces, communications, and networks needed to support your deployment scenario
  • Configure your network (including switches and firewalls) to permit BIG-IQ network traffic to flow based on the deployment scenario you choose.
  • Assemble the passwords, IP addresses, and licensing information needed for the BIG-IQ cluster components.

Things to consider when planning a deployment

To successfully deploy a BIG-IQ® Centralized Management solution, you may need to coordinate with several people in your company.
If you use BIG-IQ virtual editions, you might need to coordinate with the people who manage your virtual environment, so they can provision the virtual machines with the required amount of CPUs, memory, and network interfaces. Further, you’ll need to coordinate with the people who manage the storage for the virtual machines to make sure each virtual machine is provisioned with the necessary storage to support the BIG-IQ environment. You also might need to provide the virtual environment team a copy of the BIG-IQ virtual machine image (available from https://downloads.f5.com), depending how they operate.
If you use BIG-IQ 7000 devices in your network, you need to coordinate with the people who manage the data center where the BIG-IQ devices are housed to make arrangements for the devices to be racked, powered on, and connected to your network.
There are also several tasks to coordinate with your networking team:
  • IP address allocation for the BIG-IQ nodes, depending on your deployment model.
  • Creation of networks, VLANs, and so on dependent on your deployment model.
  • Any routing configuration required to ensure traffic passes between the BIG-IQ nodes and the BIG-IP devices.
  • Additional networking configuration required to support the BIG-IQ system's operation.
Finally, you may need to coordinate with your network firewall administrators, depending on the network configuration at your company. The BIG-IQ software needs to communicate between BIG-IQ nodes and BIG-IP systems; and, if there are firewalls in the network path, firewall rules probably need to be configured to permit that traffic. For additional detail about required network ports and protocols, refer to
Open ports required for data collection device cluster deployment
on
support.f5.com
.

Determining the network configuration needed for your deployment

There are three common deployment scenarios for the F5BIG-IQ® system. The scenario most appropriate for you depends on what you want to do.
BIG-IQ deployment options
What functions does your deployment need to perform?
Which hardware components and networks do you need?
Which deployment type should you choose?
Manage and configure BIG-IP® devices. For example, take backups, license virtual editions, and configure local traffic and security policies.
Simple management and configuration
All you need is one or more BIG-IQ system and the BIG-IP devices you want to manage. This configuration uses a single management network.
Manage and configure BIG-IP devices.
Collect and view Local Traffic, DNS, and Device statistical data from the BIG-IP devices.
Collect, manage, and view events and alerts from BIG-IP devices provisioned with the APM®, FPS®, or ASM® components.
You need one or more BIG-IQ systems, data collection devices, and an external storage device. This configuration requires a single management network and an internal BIG-IQ cluster network.
Advanced management and configuration
Manage and configure BIG-IP devices.
Collect and view Local Traffic, DNS, and Device statistical data from the BIG-IP devices.
Collect, manage, and view events and alerts from BIG-IP devices provisioned with the APM, FPS, or ASM components.
Separate network traffic to support large, distributed deployments of the F5 BIG-IQ Centralized Management solution for improved performance, security, and interactions in multiple data center environments.
Or, for disaster recovery capability, you could operate multiple data centers, each with its own set of BIG-IQ systems. (For additional detail, refer to
Managing Disaster Recovery Scenarios
.)
You need one or more BIG-IQ systems, data collection devices, and an external storage device. This configuration requires an external network, a management network, and an internal BIG-IQ cluster network.
Large-scale, distributed management and configuration

Network environment for simple management and configuration

To deploy a simple management and configuration environment, all you need is one or more BIG-IQ systems and the BIG-IP devices that you want to manage. The number of BIG-IQ systems you need depends on how much redundancy your business requires. A second system provides high availability failover capability. You can also add data collection devices (DCDs) to this configuration.
The simple management and configuration uses a single management network. The BIG-IQ system uses traffic on the management network to do these things:
  • Enable bidirectional traffic between the BIG-IQ systems and the BIG-IP devices.
  • Enable traffic between the BIG-IQ systems. If you use a secondary high availability BIG-IQ system, this traffic keeps the state information synchronized.
  • Provide access to the BIG-IQ user interface. You can also use it to access the BIG-IQ system using SSH if you need to use the command line interface.
The number of devices of each type that will best meet your company's needs depends on a number of factors. Refer to the
BIG-IQ Sizing Guidelines
on
support.f5.com
for details.
This figure illustrates the network topology required for a simple management and configuration deployment and includes the optional DCDs needed for analytics or alert and event monitoring.
Centralized Management network topology
Use the form to record the IP address for each device in the BIG-IQ deployment.
Device type
Management IP address(es)
Primary BIG-IQ system
Secondary BIG-IQ system
BIG-IP devices

Network environment for advanced management and configuration

To deploy the advanced management and configuration environment, you need BIG-IQ systems, data collection devices (DCDs), and an optional external storage device for backing up alert, event, and statistical data. The optimal topology for this configuration uses a single management network and a DCD cluster network.
With the addition of the DCD cluster, you can manage alerts and events on your managed devices as well as monitor performance analytics.
The number of devices of each type that will best meet your company's needs depends on a number of factors. Refer to the
BIG-IQ Sizing Guidelines
on
support.f5.com
for details.
The BIG-IQ system uses traffic on the management network to do these things:
  • Enable bidirectional traffic between the BIG-IQ systems and the BIG-IP devices.
  • Enable traffic between the BIG-IQ systems. If you use a secondary high availability BIG-IQ system, this traffic keeps the state information synchronized.
  • Provide access to the BIG-IQ user interface. You can also use it to access the BIG-IQ system using SSH if you need to run manual commands.
The DCD cluster network is used to replicate data to maintain the BIG-IQ Centralized Management cluster.
It is best practice to isolate the traffic between BIG-IQ cluster nodes for performance and improved security.
This figure illustrates the optimal network topology for an advanced management and configuration deployment.
Centralized management and enhanced monitoring network topology
Use the form to record the IP addresses for the devices in the BIG-IQ deployment.
Device type
Management IP addresses
DCD cluster IP addresses
Primary BIG-IQ system
Secondary BIG-IQ system
Data collection device management IP addresses
BIG-IP devices
Remote storage device

Network environment for large-scale, distributed management and configuration

To deploy a large-scale, distributed management and configuration environment, you need BIG-IQ systems, data collection devices, and an optional external storage device for backing up alert, event, and statistical data. This configuration needs a management network, a DCD cluster network, and an internal (or traffic) network.
The BIG-IQ system uses traffic on the management network to do these things:
  • Enable traffic between the BIG-IQ systems. If you use a secondary high availability BIG-IQ system, this traffic keeps the state information synchronized.
  • Provide access to the BIG-IQ user interface. You can also use it to access the BIG-IQ system using SSH if you need to run manual commands.
The DCD cluster network is used to provide communication between the BIG-IQ system and the DCD nodes, and to replicate data that maintains the BIG-IQ Centralized Management cluster.
It is best practice to isolate the traffic between BIG-IQ cluster nodes for performance and improved security.
The internal (traffic) network is used to route bidirectional traffic between the BIG-IQ Centralized Management cluster and the BIG-IP devices.
With the addition of the DCD cluster, you can manage alerts and events on your managed devices as well as monitor performance analytics.
The number of devices of each type that will best meet your company's needs depends on a number of factors. Refer to the
BIG-IQ Sizing Guidelines
on
support.f5.com
for details.
This figure illustrates the network topology required for this deployment.
Centralized management, enhanced monitoring, and improved performance network topology
Use the form to record the IP addresses for the devices in the BIG-IQ deployment.
Device type
Management IP addresses
DCD cluster network IP addresses
Internal network IP addresses
Primary BIG-IQ system
Secondary BIG-IQ system
Data collection device management IP addresses
BIG-IP devices
Remote storage device

Determine the resources required for deployment

The CPU, RAM, and disk space requirements for the devices in your BIG-IQ deployment are determined by a number of factors, including:
  • How many BIG-IP devices your BIG-IQ deployment manages, and which services are provisioned on the managed BIG-IP devices?
  • Does your BIG-IQ deployment collect statistics data from your managed BIG-IP devices??
  • Does your BIG-IQ deployment collect alerts and events data, from the managed BIG-IP devices?
When you deploy the BIG-IQ software, you can choose 95 GB or 500 GB of disk space. If you choose 500 GB, only 95 GB of the 500 GB is allocated initially. You must allocate extra disk space beyond 95 GB before you can use it. Usually, the extra storage space is for DCDs. However, there are also situations in which BIG-IQ devices can use the extra space. For example, you might want to store a large number of UCS backups. Or, your business needs might require you to store multiple versions of the BIG-IQ software so you can upgrade back and forth between BIG-IQ versions.
Minimum resource requirements per BIG-IQ deployment
Deployment type
Device Type
CPU
RAM
Disk Space
BIG-IQ deployment with statistics collection enabled, as well as alerts and events.
BIG-IQ
8
See
When do the BIG-IQ devices need additional resources?
32 GB
See
When do the BIG-IQ devices need additional resources?
Generally, 95 GB; or 500GB if extra space is needed.
DCD
8
32 GB
Initially, 500 GB. VE disk space can be extended further as needed.
BIG-IQ deployment with alerts and events enabled.
BIG-IQ
4
See
When do the BIG-IQ devices need additional resources?
16 GB
See
When do the BIG-IQ devices need additional resources?
Generally, 95 GB; or 500GB if extra space is needed.
DCD
4
See
When do the DCDs need additional resources?
16 GB
See
When do the DCDs need additional resources?
Initially, 500 GB. VE disk space can be extended further as needed.
BIG-IQ deployment without statistics collection, alerts, or events.
BIG-IQ
4 or 8
See
When do the BIG-IQ devices need additional resources?
16, 32, or 64 GB
See
When do the BIG-IQ devices need additional resources?
Generally, 95 GB; or 500GB if extra space is needed.
CPU and RAM pairings other than those listed above have not been tested.

When do the BIG-IQ devices need additional resources?

When the number of managed BIG-IP devices in your BIG-IQ deployment exceeds the specified thresholds, F5 recommends that you allocate 8 CPUs and either 32 or 64 GB of RAM to your BIG-IQ devices.
The following table lists the threshold for each BIG-IP service. For example, if your BIG-IQ deployment manages more than 32 BIG-IP devices provisioned with Access, allocate additional resources to your BIG-IQ devices.
A BIG-IQ managing devices...
Needs 32 GB to manage more than:
provisioned with Access
32 devices
provisioned with ADC
80 devices
provisioned with ASM
40 devices
provisioned with DNS
100 devices
provisioned with FPS
50 devices
deployed in a VMware service scaling group
100 devices
deployed in an AWS or Azure service scaling group
50 devices
This is a rough approximation. Depending on the number of objects on each BIG-IP device. When your managed BIG-IP devices are provisioned with multiple modules, the RAM requirement increases.

When do the DCDs need additional resources?

For a broader consideration of the factors that can impact the CPU, RAM, and disk space requirements for DCD devices, refer to the
BIG-IQ Centralized Management DCD Sizing Guide
.
For work flows that describe how to manage your disk space, refer to the
BIG-IQ Centralized Management: Data Collection Device Disk Space Management Guide
on
support.f5.com
.

Port requirements for a BIG-IQ solution

The BIG-IQ systems and data collection devices require bidirectional communication with the BIG-IP devices in your network to successfully manage them. The ports required must be open to allow for this required two-way communication. You might have to contact a firewall or network administrator to verify that these ports are open, or to have them opened if they are not.
The ports required for your BIG-IQ solution depend on a number of factors such as the services running on the devices you manage, the BIG-IP version running on those devices, and the number of subnets configured on your network.
For further information on how to configure ports for BIG-IP interfaces, refer to: https://support.f5.com/csp/article/K15612

Daemons running on BIG-IQ

Before you upgrade BIG-IQ Centralized Management, it's important to take inventory of the status of the running daemons. Then after you upgrade, you can verify that they're in the same state, and make any necessary modifications. To view the daemons, type the following command:
admin@(ip-10-1-1-4)(cfg-sync Standalone)(Active)(/Common)(tmos)# show /sys service
.
Daemon
Example of status
admd
down, Not provisioned
alertd
run (pid 6579) 22 hours
apmd
down, Not provisioned
asm
down, Not provisioned
autodosd
down, Not provisioned
avrd
down, Not provisioned
bigd
run (pid 5338) 22 hours
bigiqsnmpd
run (pid 5035) 22 hours
captured
down, Not provisioned
cbrd
run (pid 6117) 22 hours
chmand
run (pid 5678) 22 hours
clusterd
down, not required
csyncd
run (pid 5038) 22 hours
datasyncd
down, Not provisioned
dnscached
down, Not provisioned
dosl7d
down, Not provisioned
dosl7d_attack_monitor
down, Not provisioned
dwbld
down, Not provisioned
elasticsearch
run (pid 5041) 22 hours
errdefsd
run (pid 6112) 22 hours
eventd
run (pid 5043) 22 hours
evrouted
run (pid 6583) 22 hours
f5_update_checker
down, No action required
fpuserd
down, Not provisioned
fslogd
down, Not provisioned
grafana
run (pid 6107) 22 hours
gtmd
down, Not provisioned
guiserver
run (pid 6105) 22 hours
gunicorn
run (pid 6587) 22 hours
hwpd
down 22 hours, normally up
icontrolportald
run (pid 5337) 22 hours
iprepd
run (pid 6113) 22 hours
istatsd
run (pid 6109) 22 hours
lacpd
down, not required
lind
run (pid 6116) 22 hours
mcpd
run (pid 6110) 22 hours
merged
run (pid 6938) 22 hours
mgmt_acld
down, Not provisioned
monpd
run (pid 6578) 22 hours
named
run (pid 4855) 22 hours
nokiasnmpd
down, not enabled
ntlmconnpool
run (pid 6111) 22 hours
pabnagd
down, Not logging node
pccd
down, Not provisioned
pgadmind
run (pid 7310) 22 hours
pkcs11d
down, not required
restjavad
run (pid 4853) 22 hours
rethinkdb
run (pid 15058) 21 hours, 1 start
scriptd
run (pid 5344) 22 hours
sdmd
down, sdmd is not provisioned
searchd
run (pid 5343) 22 hours
sflow_agent
run (pid 6937) 22 hours
shmmapd
down, Not provisioned
snmpd
run (pid 5674) 22 hours
sod
run (pid 4810) 22 hours
statsd
run (pid 5336) 22 hours
syscalld
run (pid 6939) 22 hours
tamd
run (pid 5679) 22 hours
tmipsecd
run (pid 5341) 22 hours
tmm
run (pid 6581) 22 hours
tmrouted
run (pid 6581) 22 hours
tokumond
run (pid 7311) 22 hours
tokumx
run (pid 6580) 22 hours
webd
run (pid 6941) 22 hours
wr_urldbd
down, Not provisioned
zrd
down, Not provisioned
zxfrd
run (pid 5034) 22 hours

Passwords required for BIG-IQ system deployment

To install and configure a BIG-IQ system or data collection device (DCD) cluster, you use the default passwords for all of the devices. For DCD clusters, if you intend to schedule regular snapshots of your logging data (as recommended), you need root access credentials for the machine on which you plan to store these snapshots.
Passwords for data collection device cluster deployment
User Name
Default Password
Access Rights/Role
admin
admin
This user type can access all aspects of the BIG-IQ system from the system's user interface.
root
default
This user has access to all aspects of the BIG-IQ system from the system's console command line.

Licenses required for BIG-IQ system deployment

To install and configure a BIG-IQ system or data collection device cluster, you need a license for each device.

BIG-IP device configuration requirements for viewing statistics in BIG-IQ

Before you can enable statistics collection for centralized management, you must ensure that the BIG-IP device has the proper configuration. The proper configuration varies depending on the version of the BIG-IP device. The minimum supported BIG-IP device is version 12.1.0. BIG-IQ has limited visibility for BIG-IP devices prior to 13.1.0.5.
For details about how to configure statistics visibility, based on the BIG-IP version, see
Enabling statistics collection during device discovery
.
For details on how to access statistic information, based on the BIG-IP version and service, refer to
Statistics compatibility and visibility
.