Updated Date: 04/27/2026

Tenant Management

Tenants overview

A tenant is a guest system running software on the F5OS platform layer (for example, a BIG-IP system). You can run several tenants on most platforms, although the F5 r2000 Series only supports a single tenant. For more information, see

Note: Information about BIG-IP Next is available on my.f5.com, on clouddocs.f5.com.

The administrator can connect to the tenant’s webUI, CLI, or REST API and have the same experience as on their existing F5 platforms. A tenant on the rSeries platform is managed similarly to how a vCMP guest is managed today on the VIPRION platform. The tenant is assigned dedicated vCPU and memory resources and is restricted to specific VLANs for network connectivity.

The admin is responsible for configuring tenant deployments within the appliance. Once a tenant has been deployed, there is a per-tenant administrator role, whose responsibilities include configuring the services that are available on that tenant.

Important: Tenants inherit certain capabilities, such as the license, VLANs, and management interface speed, from the system. Do not try to install a new license or delete the existing license on the tenants. Tenant admins cannot configure global parameters. You configure these at the platform layer, and values are propagated to all tenants in the system.

Note:

For the F5 r2000/r4000 platforms, you can add same VLAN ID to multiple interfaces. Adding the same VLAN ID to multiple interfaces could result in L2 loops. Special considerations should be made to the network topology to avoid L2 loops.
Before you can assign multi-interface VLAN to the tenant, change the value of the db variable <vlan.macassignment> to <unique> inside the tenant.

Also see knowledge article Overview of the BIG-IP tenant image types.

Tenant data

This table lists tenant data specifications for rSeries systems.

Model	Maximum number of tenants	Maximum vCPUs per tenant	Minimum vCPUs per tenant	System memory	Memory reserved for tenants	Minimum memory per tenant
r2600	1	4	4	32 GB	24 GB	12288 MB
r2800	1 (v1.7.0 or earlier) 2 (v1.8.0 or later)	8	4	32 GB	24 GB	12288 MB
r4600	2	12	4	64 GB	48 GB	12288 MB
r4800	4	16	4	64 GB	48 GB	12288 MB
r5600	8	12	1	128 GB	108 GB	4096 MB
r5800	18	18	1	128 GB	108 GB	4096 MB
r5900	26	26	1	128 GB	108 GB	4096 MB
r10600	24	24	1	256 GB	224 GB	4096 MB
r10800	28	28	1	256 GB	224 GB	4096 MB
r10900	36	36	1	256 GB	224 GB	4096 MB
r12600	44	44	1	512 GB	462 GB	4096 MB
r12800	52	52	1	512 GB	462 GB	4096 MB
r12900	60	60	1	512 GB	462 GB	4096 MB

Tenants example

In this diagram, an rSeries system has eight tenants (red and blue).

Each tenant has its own IP address, set of users, and software. You can access each tenant via the CLI, web-based user interface, or API.

After you have configured and deployed a tenant, you can use the tenant management IP address to connect to the tenant’s web-based user interface, API, or CLI. A BIG-IP tenant is running standard TMOS and is managed like any other BIG-IP instance.

Tenant image overview

BIG-IP tenant images

These BIG-IP tenant images are available to deploy on F5 rSeries systems:

ALL-F5OS
T4-F5OS
T2-F5OS
T1-F5OS (see note)

Note: T1-F5OS has limitations, so using the other images is recommended. Other images must be downloaded from F5 Downloads.

Each image type has different uses so you need to be sure to use the correct type for your tenant needs. For additional information about BIG-IP tenant image types, see K45191957: Overview of the BIG-IP tenant image types.

BIG-IP Next tenant images

Information about BIG-IP Next tenant image types is available on my.f5.com.

Tenant usage

This table lists general use cases for tenant images.

Tenant image	Description of Use
ALL-F5OS	Use case: Needs multi-tenancy, multi-module, and service chaining Supports provisioning rSeries-supported modules * (also called all-instance image) Live-upgradable * The F5 r2000 platform does not support multi-tenancy. See the F5 rSeries data sheet for all currently-supported features.
T4-F5OS	Use case: Single tenant with multiple modules Supports provisioning all modules with increased capacity Live-upgradable
T2-F5OS	Use case: Needs maximum tenant density, maximum tenants per system Supports provisioning LTM or DNS only Live-upgradable
T1-F5OS	Use case: Needs maximum tenant density, maximum tenants per system Supports lightweight LTM or DNS only (also called micro-instance) You cannot upgrade or apply a hotfix to the system

Tenant sizing

Each image has different sizing requirements. You will need to understand the system and the tenant requirements to determine the number and type of tenants you can deploy. The amount of memory and disk space that a tenant actually needs is dependent on the number of modules provisioned and its use.

Tenant image	Disk size	Minimum memory	Minimum # vCPUs	Max tenants per system
T1-F5OS	22GB	4GB	1	36
T2-F5OS	45GB	8GB	2	18
ALL-F5OS	77/82/83 GB	8GB	2	11
T4-F5OS	142GB	8GB	2	6

Important: The minimum virtual disk size for the tenant image category “ALL-F5OS” depends on the BIG-IP tenant image version you deploy.

BIG-IP 17.1.3 and later: 83 GB
BIG-IP 17.1.0 – 17.1.2: 82 GB
BIG-IP 15.1.x: 77 GB

Tenant resource allocation overview

These are recommended resource considerations for determining the amount of memory (RAM) and disk space to allocate when planning tenant deployments on F5 rSeries systems.

Memory allocation

These are recommendations for determining the amount of memory (RAM) to allocate when planning tenant deployments on rSeries systems based on the number of vCPUs assigned.

Platform	Memory	Default memory allocation formula
r2000	32 GB	`min-memory = (3 * 1024 * vcpu-cores-per-node)`
r4000	64 GB	`min-memory = (3 * 1024 * vcpu-cores-per-node)`
r5000	128 GB	`min-memory = (3.5 * 1024 * vcpu-cores-per-node) + 512`
r10000	256 GB	`min-memory = (3.5 * 1024 * vcpu-cores-per-node) + 512`
r12000	512 GB	`min-memory = (3.5 * 1024 * vcpu-cores-per-node) + 512`

Note: The formula for finding vcpu-cores-per-node is: multiples of 4 in range of [4, max-cores]. The default value for vcpu-cores-per-node is 4, and the default value for memory is 12288.

There is also an advanced setting through which additional memory can be assigned out of the pool to a tenant. You can specify more than the minimum amount of memory when configuring a tenant, if needed.

Disk space

These are recommendations for determining the amount of disk space when planning tenant deployments on rSeries systems.

The amount of disk space that a tenant actually needs is dependent on the number of modules provisioned and its use.
As the aggregate disk usage within deployed tenants increases, the host disk can start to reach capacity on systems with many large tenants. The administrator will need to monitor disk usage to make sure there is sufficient space for the tenants.

Tenant management from the webUI

Manage tenant images from the webUI

You can add or delete tenant images from the webUI. You must use HTTPS image import or export. Note that tenant images are specific to the rSeries system, and the software version must be compatible with it.

Log in to the webUI using an account with admin access.
On the left, click TENANT MANAGEMENT > Tenant Images.
To upload an image, click Upload and browse to the image location.
To import an image:
1. Click Import.
  
  A popup opens.
2. For URL, enter the URL of the remote image server.
  
  F5 recommends that the remote host be an HTTPS server with PUT/POST enabled and have a valid CA-signed certificate. You can opt to select the Ignore Certificate Warnings check box if you want to skip the certificate check.
3. For Username, type the user name for an account on the remote image server, if required.
4. For Password, type the password for the account, if required.
5. Select Ignore Certificate Warnings to skip the certificate check.
6. Click Import Image.
Note:
- Depending on the image file size and network availability, the import might take a few minutes. You can view progress of the file transfer under the Image Transfer Status area. When the import is successful, the software image is listed in the webUI.
- If you want to cancel an in-progress file transfer operation, click Cancel button.
To delete a tenant image, select the image and click Delete.

After you have added the tenant images that you want to use to the system, you can create and deploy tenants that will use that software image. The tenant image must be one that is listed as compatible with the rSeries system.

Create and deploy tenants from the webUI

You must have imported the tenant images that you want to use for the tenant deployments into the system. You must also have previously created any required VLANs. Before you can create and deploy tenants, you also need to estimate resource requirements so you know how many vCPUs, memory, and other resources to assign to the tenant.

An administrator can deploy tenants from the webUI. You can open a preview pane with tenant details by clicking anywhere in a row. You can resize the preview pane to show more or less information. To close the preview pane, click Close or click again anywhere in the row.

Log in to the webUI using an account with admin access.
On the left, click TENANT MANAGEMENT > Tenant Deployments.

The Tenant Deployment screen displays showing the existing tenant deployments and associated details.
To add a tenant deployment, click Add.

The Add Tenant Deployment screen displays.
For Name, enter a name for the tenant deployment (up to 49 characters).

Note: The first character in the name cannot be a number. After that, only lowercase alphanumeric characters and hyphens are allowed.
For Type, select the tenant type: BIG-IP, BIG-IP Next, Generic.
- If you select BIG-IP Next, the Deployment file field displays. Select the deployment file.
- If you select Generic, the DHCP field displays. Select Enabled, if the management port is getting addresses from a DHCP server or select Disabled to configure the addresses manually. Note: Generic tenant type is supported only on the F5 r5000/r10000/r12000 platforms.
For Image, select the software image that was previously imported onto the system.

Ensure that the image you selected meets your tenant deployment needs.
For IP Address, enter the IPv4 address, IPv6 address, or Fully Qualified Domain Name (FQDN) for the tenant.
For Prefix Length, enter a number for the length of the prefix.

The maximum prefix length is 32 for IPv4 and 128 for IPv6.
For Gateway, enter the IPv4 address or IPv6 address of the gateway.
For VLANs, select one or more VLANs that are available to the tenant.

You can assign VLANs to more than one tenant.
For Virtual Wires, select configured virtual wires for the tenant.

Note:
- This field displays only when virtual wires are configured on the system.
- Virtual Wires configuration is only supported for BIG-IP tenant types.
For MAC Data/MAC Block Size, select one of these options:

|Option|Description| |——|———–| |One|Represents a block with one MAC. This is used when a contiguous block of MAC addresses is needed. This is the default value.| |Small|Represents a block of 8 MACs. When this value is used, the tenant gets a block of 8 contiguous MACs.| |Medium|Represents a block of 16 MACs. When this value is used, the tenant gets a block of 16 contiguous MACs.| |Large|Represents a block of 32 MACs. When this value is used, the tenant gets a block of 32 contiguous MACs.|

Note:
- For optimized performance, you can select option “One” for BIG-IP Next tenants.
- If you select Generic tenant type, then you must select the option larger than “One” for valid MAC Data/MAC Block Size.
For DAG IPv6 Prefix Length, enter the prefix length used by disaggregator algorithms.

The range is from 1 to 128, with a default value of 128.

For more information about the prefix length, see Configure DAG IPv6 prefix length from the CLI.
For Resource Provisioning, select one of these options:

|Option|Description| |——|———–| |Recommended|Recommended values for vCPUs and memory for the tenant.| |Advanced|Enables you to configure custom values for vCPUs and memory on the tenant. For example, if you want to configure a single vCPU tenant, or a tenant that uses more than the recommended amount of memory.|
For vCPUs, select the number of vCPUs to provide to the tenant

The minimum recommended number of vCPUs per typical tenant is two (one vCPU is sufficient only for lightweight tenants that cannot be updated). The number of vCPUs needed depends on the amount of traffic the tenant will be handling. More vCPUs provide faster throughput.

Note: If you select Generic or BIG-IP Next tenant type, then the minimum recommended number of vCPUs is four.
For Memory, specify the amount of RAM, in MB, to allocate to the tenant.

The amount of memory needed depends on the number of vCPUs assigned. The minimum amount of memory needed is determined by the formula [(3.5 * 1024 * #ofvCPUs) + 512].

Note:
- If you do not allocate sufficient memory, you may receive a warning message.
- If you select Generic tenant type, then the amount of memory needed is 14 GB
For Virtual Disk Size, specify the storage quota, in GB, for the tenant virtual disk.

Default size depends on the image type used. The default size for the ALL image is 82GB.

The minimum recommended disk size is 45 GB.
For Metadata, enter the metadata.

This field only displays when you select Generic tenant type.The metadata consists of a list of key-value pairs, with each entry following the key:value format. Spaces must be included between each entry.

Note:
- For the primary-vlan, the VLANs must be chosen from the list of VLANs configured in Step 10.
- For the token, enter the token obtained from the Secure Mesh Sites .
For State, select one of these options:

Options	Description
Configured	The tenant configuration exists on the system, but the tenant is not running, and no hardware resources (CPU, memory) are allocated to it. This is the initial state and the default.
Provisioned	Moves the tenant into the Provisioned state, which causes the system to install the software, assign the tenant to nodes, and create virtual disks for the tenant on those nodes. If you choose this option, it takes a few minutes to complete the provisioning. The tenant does not run while in this state.
Deployed	Changes the tenant to the Deployed state. The tenant is set up, resources are allocated to the tenant, the image is moved onto the system, the software is installed, and after those tasks are complete, the tenant is fully deployed and running. If you choose this option, it takes a few minutes to complete the deployment and bring up the system. Note: Once a tenant is Deployed (and is up and running), changing its state back to Configured or Provisioned stops the tenant. You will receive a warning message before this occurs.

For Crypto/Compression Acceleration, select Enabled if the tenant requires high-performance crypto processing and compression.

When this option is enabled, the tenant receives dedicated crypto devices proportional to the number of vCPU cores. Crypto processing and compression are off-loaded to the hardware. When the option is disabled, the tenant receives no crypto devices.
To restrict usage of the Bash shell for tenant administrators, set Appliance Mode to Enabled (this is Disabled by default.)
Click Save & Close.

The tenant is now configured and in the Deployed state. When the status says Running, the tenant administrator can log in to the tenant webUI or CLI using the management IP address (with HTTPS or SSH) and continue configuring the tenant system.

Note: If the Status says Pending instead of Running, this may mean that there are not enough resources (vCPUs, memory, or other resources) for the tenant to be deployed. See the Tenant Details screen in the webUI for more information about the specific tenant.

Modify tenant deployments from the webUI

Depending on the state that the tenant is in, you can change certain tenant settings from the webUI. The settings which cannot be modified will be grayed out.

Deployed: Tenants must be active and running to modify the State.

Note: Once a tenant is Deployed (and is up and running), changing its state back to Configured or Provisioned stops the tenant. You will receive a warning message before this occurs.
Provisioned: You can change all settings except Image.
Configured: You can change all settings except Image.

Note: If the selected Generic tenant type and tenant is in deployed state,

You cannot modify the dhcp-enabled flag.
You cannot modify the metadata.

Log in to the webUI using an account with admin access.
On the left, click TENANT MANAGEMENT > Tenant Deployments.

The Tenant Deployment screen displays showing the existing tenant deployments and associated details.
Click the name of the tenant deployment you want to modify.

The Edit Tenant Deployment screen displays.
For Image, only BIG-IP Next Tenant image can be modifed when the tenant is in deployed state, which essentially upgrades the tenant.
You can change the IP Address, Prefix Length (1-32), and Gateway for the tenant, if in Configured or Provisioned state. Enter an IPv4 address or IPv6 address.
For VLANs, you can select different VLANs for the tenant, if in Configured or Provisioned state.
For Virtual Wires, select configured virtual wires for the tenant.

Note:
- This field displays only when virtual wires are configured on the system.
- Virtual Wires configuration is only supported for BIG-IP tenant types.
For MAC Data/MAC Block Size, select One, Small, Medium, or Large.

|Option|Description| |——|———–| |One|Represents a block with one MAC. This is used when l2-inline-device functionality is not needed. This is the default value.| |Small|Represents a block of 8 MACs. When this value is used, the l2-inline-device is enabled, and the tenant gets a block of 8 contiguous MACs.| |Medium|Represents a block of 16 MACs. When this value is used, the l2-inline-device is enabled, and the tenant gets a block of 16 contiguous MACs.| |Large|Represents a block of 32 MACs. When this value is used, the l2-inline-device is enabled, and the tenant gets a block of 32 contiguous MACs.|
For Resource Provisioning, if changing resources, select either: Recommended (to use recommended values) or Advanced (to customize values), if in Configured or Provisioned state.
For vCPUs, select the number of vCPUs for the tenant, if in Configured or Provisioned state.

The minimum recommended number of vCPUs per typical tenant is two (one vCPU is sufficient only for lightweight tenants that cannot be updated). The number of vCPUs needed depends on the amount of traffic the tenant will be handling. More vCPUs provide faster throughput.

Note: If you select Generic or BIG-IP Next tenant type, then the minimum recommended number of vCPUs is four.
For Memory, specify the amount of RAM in MB to allocate to the tenant, if in Configured or Provisioned state.

The amount of memory needed depends on the number of vCPUs assigned. The minimum amount of memory needed is determined by the formula [(3.5 * 1024 * #ofvCPUs) + 512], so a two vCPU tenant needs a minimum of 7680 MB, and a four vCPU tenant needs a minimum of 14,848MB.
Change State (with caution!):

|Option|Description| |——|———–| |Configured|If Deployed, this option stops the tenant from running, but maintains the configuration.| |Provisioned|If Deployed, this option stops the tenant from running, but maintains the configuration. If Configured, causes the system to install the software, assign the tenant to nodes, and create virtual disks for the tenant on those nodes. The tenant does not run, consume resources, or pass traffic.| |Deployed|Directly deploys the tenant. This sets up the tenant, allocates resources, moves the image onto the system, and installs the software. When these tasks are complete, the tenant is fully deployed and running.|
Change Crypto/Compression Acceleration only if the tenant is in either the Configured or Provisioned state.
To restrict usage of the Bash shell for tenant administrators, set Appliance Mode to Enabled (this is Disabled by default.)
Click Save & Close.

The tenant is reconfigured according to the changes made.

Display tenant status and statistics from the webUI

You can monitor data and metrics related to the usage, performance, and behavior of the tenant from the webUI. These statistics are crucial for monitoring, managing, and optimizing the tenant. You can monitor the following tenant details:

Tenant CPU Usage: Shows the measurement of CPU utilization by the tenant.
Tenant Memory Usage: Shows the measurement of memory utilization by the tenant.
Tenant Disk Usage: Shows the measurement of disk utilization by the tenant.

Log in to the webUI using an account with admin access.
On the left, click TENANT MANAGEMENT > Tenant Details.
Select a tenant from the Tenant Name dropdown to see the tenant status and statistics.

You can now see the following statistics and status of the tenant.
- Tenant CPU Usage: Displays the tenant’s vCPU’s current utilization by default. However, if multiple vCPUs are available, you can select a vCPU and change the time series to view the historical data and analyze the vCPU utilization.
- Tenant Memory Usage: Displays the tenant’s current memory utilization by default. However, you can change the time series to view ‌historical data and analyze ‌memory utilization.
- Tenant Disk Usage: Displays the overall tenant disk current utilization by default. However, if you need the utilization stats of a specific disk, select the disk, data type, and change the time series to view the historical data and analyze the disk utilization.
- Tenant Status: Shows the overall status of the tenant image such as Node, Instance ID, Phase, Pod name, Creation time, Ready time, Status, and Management MAC details.
Select the interval from the Auto Refresh dropdown to refresh the data displayed or click the refresh icon to update the tenant data immediately.

Note: The utilization data does not depend on the refresh interval. It will continue to collect utilization statistics for the tenant regardless of the selected reload interval

Tenant management from the CLI

Display tenant resources from the CLI

Before creating a tenant, you can display total and available tenant resources, such as vCPUs, memory, and disk space from the CLI. You can also display storage and tenant volume size from the CLI.

Log in to the command line interface (CLI) of the system using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Show the total and available tenant resources.

show cluster nodes node

This example displays the storage and tenant volume size:

appliance-1# show cluster nodes node
cluster nodes node node-1
 state name         node-1
 state enabled      true
 state node-running-state running
 state slot-number  1
 state node-info creation-time 2023-07-20T15:56:57Z
 state node-info cpu     12
 state node-info pods    250
 state node-info memory  14680284Ki
 state node-info available-tenant-vcpu 0
 state node-info available-tenant-memory 0MB
 state node-info available-tenant-disk 0GB

Show the storage and tenant volume size.

show components component storage

This example displays the storage and tenant volume size:

appliance-1# show components component storage
components component platform
storage state disks disk nvme0n1
  state model Micron_7300_MTFDHBA480TDF
  state vendor Micron
  state version 954300T0
  state serial-no 213931BC1153
  state size 480.00GB

Import a tenant image from the CLI

Before you get started, you might want to upload the tenant image you want to use to a local Linux server that uses HTTPS, so you can more easily import it to the rSeries system.

You can import a tenant image onto the system from the CLI.

Log in to the command line interface (CLI) of the system using an account with admin access.

When you log in to the system, you are in user (operational) mode.
Import a tenant image to the system.

file import remote-port <*port-number*> username <*user*> password <*password*> remote-host <*ip-address-or-fqdn*> remote-file <*remote-file-path*> remote-url <*full-remote-url*> local-file images

This example imports a BIG-IP tenant image from server.company.com:
appliance-1(config)# file import username admin password remote-url https://server.company.com/images/BIGIP-1x.x.x-x.x.x.ALL-F5OS.qcow2.zip.bundle local-file images

Create and deploy tenants from the CLI

Before you get started, import the tenant images you want to use for the tenant deployments. You must already have created VLANs on the system. Before you can create and deploy tenants, you also need to estimate resource requirements so you know how many vCPUs, memory, and other resources to assign to the tenant.

You can create and deploy tenants from the CLI.

Log in to the command line interface (CLI) of the system using an account with admin access.

When you log in to the system, you are in user (operational) mode.
Change to config mode.

config

The CLI prompt changes to include (config).
Create and deploy the tenant.

tenants tenant <*name*> config <*options*>

For more information about CLI options, see Tenant CLI command syntax.

This example creates a GENERIC tenant called generic-tenant that is in the configured running-state, by default:
appliance-1(config)# tenants tenant generic-tenant config type GENERIC image CE-9.2024.22-20240716023339.qcow2.326f42c0.tar.bundle dhcp-enabled false vlans [ 1052 ] mac-data mac-block-size small running-state deployed nodes 1 vcpu-cores-per-node 4 memory 14848 storage size 55 metadata [ primary-vlan:1052 token:1234sajfskjfhasdhgdkfsejweir.skdhf ]
For more information about DAG IPv6 prefix length, see Configure DAG IPv6 prefix length from the CLI.
Commit the configuration changes.

commit
Return to user (operational) mode.

end
You can monitor the operational state of the tenant and move the tenant into the provisioned running-state.

tenants tenant big-ip config running-state provisioned

This causes the system to assign the tenant to nodes and create virtual disks for the tenant on those nodes.

Show the current status for the tenant:

show tenants tenant big-ip

When the system is creating the virtual disk and installing the image on a disk, the operational state of the tenant shows this information:

PHASE – Allocating resources to the tenant is in progress
status – Provisioning A summary similar to this example displays:

`appliance-1# show tenants tenant generic-tenant` `tenants tenant generic-tenant` ` state unit-key-hash    Ty/O6vvAshr8tQxueHtmodmmCBBIPEeorcSO+60xweYgK7cm/3Als0Iiu89lqStAqhW1e5FhZ5nnsjYsgfSzBg==` ` state type             GENERIC` ` state image            CE-9.2024.22-20240716023339.qcow2.326f42c0.tar.bundle` ` state dhcp-enabled     false` ` state mgmt-ip          1.1.1.1` ` state prefix-length    24` ` state gateway          1.1.1.254` ` state dag-ipv6-prefix-length 128` ` state vlans            [ 1052 ]` ` state cryptos          enabled` ` state vcpu-cores-per-node 4` ` state qat-vf-count     6` ` state memory           14848` ` state storage size 55` ` state running-state    provisioned` ` state appliance-mode disabled` ` state feature-flags stats-stream-capable false` ` state namespace        default` ` state status           Provisioning` ` state metadata         [ primary-vlan:1052 token:1234sajfskjfhasdhgdkfsejweir.skdhf ]` ` state mac-data base-mac 00:94:a1:69:47:3f` ` state mac-data mac-pool-size 8` `MAC                ` `-------------------` `00:94:a1:69:47:3f  ` `00:94:a1:69:47:40  ` `00:94:a1:69:47:41  ` `00:94:a1:69:47:42  ` `00:94:a1:69:47:43  ` `00:94:a1:69:47:44  ` `00:94:a1:69:47:45  ` `00:94:a1:69:47:46  ``                         INSTANCE  TENANT                                                                                                           ` `NODE  POD NAME           ID        SLOT    PHASE            CREATION TIME         READY TIME            STATUS                   MGMT MAC           ` `----------------------------------------------------------------------------------------------------------------------------------------------------` `1     generic-tenant-1   1         -       Allocating resources to the tenant is in progress                                                                       -                  ` `1     generic-tenant-ha  1         -       Running          2024-07-24T04:31:22Z  2024-07-24T04:31:25Z  Started tenant instance  00:94:a1:69:47:2e`

When the system completes the virtual disk creation, the operational state shows this information:

PHASE – Ready to deploy
status – Provisioned A summary similar to this example displays:

`appliance-1# show tenants tenant generic-tenant` `tenants tenant generic-tenant` ` state unit-key-hash    Ty/O6vvAshr8tQxueHtmodmmCBBIPEeorcSO+60xweYgK7cm/3Als0Iiu89lqStAqhW1e5FhZ5nnsjYsgfSzBg==` ` state type             GENERIC` ` state image            CE-9.2024.22-20240716023339.qcow2.326f42c0.tar.bundle` ` state dhcp-enabled     false` ` state mgmt-ip          1.1.1.1` ` state prefix-length    24` ` state gateway          1.1.1.254` ` state dag-ipv6-prefix-length 128` ` state vlans            [ 1052 ]` ` state cryptos          enabled` ` state vcpu-cores-per-node 4` ` state qat-vf-count     6` ` state memory           14848` ` state storage size 55` ` state running-state    provisioned` ` state appliance-mode disabled` ` state feature-flags stats-stream-capable false` ` state namespace        default` ` state status           Provisioned` ` state metadata         [ primary-vlan:1052 token:1234sajfskjfhasdhgdkfsejweir.skdhf ]` ` state mac-data base-mac 00:94:a1:69:47:3f` ` state mac-data mac-pool-size 8` `MAC                ` `-------------------` `00:94:a1:69:47:3f  ` `00:94:a1:69:47:40  ` `00:94:a1:69:47:41  ` `00:94:a1:69:47:42  ` `00:94:a1:69:47:43  ` `00:94:a1:69:47:44  ` `00:94:a1:69:47:45  ` `00:94:a1:69:47:46  ``                         INSTANCE  TENANT                                                                                                           ` `NODE  POD NAME           ID        SLOT    PHASE            CREATION TIME         READY TIME            STATUS                   MGMT MAC           ` `----------------------------------------------------------------------------------------------------------------------------------------------------` `1     generic-tenant-1   1         -       Ready to deploy                                                                       -                  ` `1     generic-tenant-ha  1         -       Running          2024-07-24T04:31:22Z  2024-07-24T04:31:25Z  Started tenant instance  00:94:a1:69:47:2e  `

Change to config mode.

config

The CLI prompt changes to include (config).
You can then deploy the tenant.

tenants tenant big-ip config running-state deployed

This example moves the tenant into the deployed state, which causes the system to start and maintain VMs on each node to which the tenant is assigned.
Commit the configuration changes.

commit
Return to user (operational) mode.

end

You can check the status of the tenant.

show tenants tenant generic-tenant state instances

A summary similar to this example displays:

appliance-1# show tenants tenant generic-tenant state instances
                         INSTANCE  TENANT                                                                                                   
NODE  POD NAME           ID        SLOT    PHASE    CREATION TIME         READY TIME            STATUS                   MGMT MAC           
--------------------------------------------------------------------------------------------------------------------------------------------
1     generic-tenant-1   1         -       Running  2024-07-24T05:09:43Z  2024-07-24T05:10:05Z  Started tenant instance  00:94:a1:69:47:41  
1     generic-tenant-ha  1         -       Running  2024-07-24T05:08:42Z  2024-07-24T05:08:43Z  Started tenant instance  00:94:a1:69:47:2e

Once you configure and deploy the tenant, and the Status is updated to Running, then you can use the management IP address to access the tenant system using SSH, the web-based interface, or TMOS Shell (tmsh).

Note: Once a tenant is Deployed (and is up and running), changing its state back to Configured or Provisioned stops the tenant. You will receive a warning message before this occurs.

Note: If the Status is Pending instead of Running, this might mean that there are not enough resources (vCPUs, memory, or other resources) for the tenant to be deployed. See the Tenant Details screen in the webUI for more information about the specific tenant.

Configure DAG IPv6 prefix length from the CLI

You can configure the DAG IPv6 prefix length from the CLI. DAG IPv6 prefix length is a configuration field on each tenant that is used by disaggregator algorithms as a networking mask. The valid configuration value is from 1 to 128. The default value is 128. You can configure the value from either the system or the tenant.

When you configure the value at the system level, it is pushed automatically to the tenant. When you configure the prefix length at the tenant level, future configuration at the system level is disabled and must be re-enabled from the tenant.

Log in to the command line interface (CLI) of the system using an account with admin access.

When you log in to the system, you are in user (operational) mode.
Change to config mode.

config

The CLI prompt changes to include (config).
Configure DAG IPv6 prefix length while creating a tenant.

This propagates the value to the tenant. See Create and deploy tenants from the CLI.
Configure DAG IPv6 prefix length from the system after the tenant is created.

This propagates the value to the tenant.

tenants tenant <*tenant-name*> config dag-ipv6-prefix-length <value>

This example changes the DAG IPv6 prefix length of a tenant named “rseries-bigip” to 120.
appliance-1(config)# tenants tenant rseries-bigip config dag-ipv6-prefix-length 120
Commit the configuration changes.

commit

If you configure the DAG IPv6 prefix length, but the value is not propagated to the tenant, you might have previously configured this value externally (such as from the tenant’s webUI, CLI, or REST APIs). This disables configuration at the system level. On a BIG-IP tenant, run this command sequence to re-enable configuration:

tmsh mod sys db dag.userconfigipv6prefixlen value false

Display tenant information from the CLI

You can display detailed information about configured tenants from the CLI.

Log in to the command line interface (CLI) of the system using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Show the tenants that are currently configured.

show tenants

This example displays the operational data for a BIG-IP tenant. It uses one VLAN, no cryptos, two vCPU cores, and appliance mode is not enabled. The Instance table in the output displays the live health of the tenant running on the rSeries system.

appliance-1# show tenants tenant big-ip
tenants tenant bigip
 state unit-key-hash oa9gv8VYHcSoApv1234GQMn2uM9UzNKiDz78cIbqKv26LVjlIo9TCdp56z5UnXcVvr3hj0/ym2kbdWyBhPbkLA==
 state type          BIG-IP
 state image         BIGIP-15.1.6-0.0.3.ALL-F5OS.qcow2.zip.bundle
 state mgmt-ip       192.0.2.59
 state prefix-length 24
 state gateway       192.0.2.254
 state cryptos       enabled
 state vcpu-cores-per-node 2
 state memory       7680
 state storage size 77
 state running-state deployed
 state mac-data base-mac 00:12:a1:8e:70:0a
 state mac-data mac-pool-size 1
 state appliance-mode disabled
 state status        Starting
                INSTANCE                                                 CREATION  READY          MGMT
NODE  POD NAME  ID        PHASE                                          TIME      TIME   STATUS  MAC
--------------------------------------------------------------------------------------------------------
1     big-ip-1  1         Allocating resources to tenant is in progress                           - 

Show the running configuration of the tenants.

show running-config tenants tenant

A summary similar to this example displays:

appliance-1# show running-config tenants tenant
tenants tenant big-ip
 config name         big-ip
 config type         BIG-IP
 config image        BIGIP-15.1.6-0.0.3.ALL-F5OS.qcow2.zip.bundle
 config nodes        [ 1 ]
 config mgmt-ip      192.0.2.59
 config prefix-length 24
 config gateway      192.0.2.254
 config cryptos      enabled
 config vcpu-cores-per-node 2
 config memory       7680
 config storage size 77
 config running-state deployed
 config appliance-mode disabled
!

Display tenant status and statistics from the CLI

You can monitor data and metrics related to the usage, performance, and behavior of a tenant from the CLI. These statistics, tenant CPU usage, memory usage, and disk usage, are crucial for monitoring, managing, and optimizing the tenant.

Log in to the command line interface (CLI) of the system using an account with admin access.

When you log in to the system, you are in user (operational) mode.
Change to config mode.

config

The CLI prompt changes to include (config).

Show ‌tenants status and statistics.

tenants tenant <*tenant name*> state <*action*>

This example displays the tenant status and statistics for a BIG-IP tenant running on the rSeries system.

For CPU stats:

appliance-1(config)# tenants tenant cbip state cpu-thread-stats average 1m-avg         
averages {
        unix-seconds 1717588320
        cpu-threads {
            cpu-thread {
                thread-index 0
                busy-percent 1
            }
            cpu-thread {
                thread-index 1
                busy-percent 0
            }
            cpu-thread {
                thread-index 2
                busy-percent 0
            }
            cpu-thread {
                thread-index 3
                busy-percent 4
            }
            cpu-thread {
                thread-index 4
                busy-percent 4
            }
            cpu-thread {
                thread-index 5
                busy-percent 4
            }
            cpu-thread {
                thread-index 6
                busy-percent 4
            }
            cpu-thread {
                thread-index 7
                busy-percent 12
            }
            cpu-thread {
                thread-index 8
                busy-percent 4
            }
            cpu-thread {
                thread-index 9
                busy-percent 1
            }
            cpu-thread {
                thread-index 10
                busy-percent 4
            }
            cpu-thread {
                thread-index 11
                busy-percent 4
            }
            cpu-thread {
                thread-index 12
                busy-percent 4
            }
appliance-1(config)#

For disk stats:

appliance-1(config)# tenants tenant cbip state disk-stats average 1m-avg
averages {
        unix-seconds 1717588260
        used-percent 88
        disk-list {
            disk {
                disk-name nvme0n1
                total-iops 0
                read-iops 0
                read-bytes 148
                write-iops 154
                write-bytes 1691163
            }
        }
    }
appliance-1(config)#

For interface stats:

appliance-1(config)# tenants tenant cbip state interface-stats average 1m-avg
averages {
        unix-seconds 1717588380
        interface-list {
            interface {
                interface-name 1.0
                ifc-bytes-in 1466
                ifc-bytes-out 0
                ifc-packets-in 0
                ifc-packets-out 0
            }
            interface {
                interface-name 2.0
                ifc-bytes-in 135
                ifc-bytes-out 0
                ifc-packets-in 0
                ifc-packets-out 0
            }
        }
    }
appliance-1(config)#

For memory stats:

appliance-1(config)# tenants tenant cbip state memory-stats average 1m-avg
averages {
        unix-seconds 1717588440
        available 8493508881
        free 1060426615
        used-percent 93
        platform-total 16107667456
        platform-used 8114811835
    }
appliance-1(config)#

Modify tenant configuration from the CLI

You can modify a tenant configuration from the CLI.

The administrator is able to modify only these fields while the tenant is running:

Running-state
VLANS
Nodes

Log in to the command line interface (CLI) of the system using an account with admin access.

When you log in to the system, you are in user (operational) mode.
Show configuration information for the tenant you want to update.

show tenants tenant <*name*>
Change to config mode.

config

The CLI prompt changes to include (config).
You can modify these options while the tenant is running: vlans, nodes, running-state, or virtual-wires.

tenants tenant <*name*> config [ vlans <*vlan-id*> | nodes { 1 | 2 } | running-state { configured | provisioned | deployed } ]
To modify any of the other options, first change the running state of the tenant to provisioned.

tenants tenant <*name*> config running-state provisioned

Make the desired changes. For more information, see Tenant CLI command syntax.
Commit the configuration changes.

commit

Resize tenant virtual disk from the CLI

You can resize the storage quota for a tenant virtual disk from the CLI.

Log in to the command line interface (CLI) of the system using an account with admin access.

When you log in to the system, you are in user (operational) mode.
Display configuration information for the tenant you want to update.

show tenants tenant <*name*>
Change to config mode.

config

The CLI prompt changes to include (config).
Change the storage quota, in GB, for the virtual disk for a specified tenant.

The default size is 77 GB.

tenants tenant big-ip config storage size 80

Note: You cannot modify the size of the virtual disk when the tenant is in the deployed running-state. The tenant must be in a configured or provisioned running-state.
Commit the configuration changes.

commit

Delete a tenant from the CLI

You can delete tenant configurations from the CLI.

Log in to the command line interface (CLI) of the system using an account with admin access.

When you log in to the system, you are in user (operational) mode.
Show the tenants that are currently configured in the system to check the names of the tenants.

show tenants
Change to config mode.

config

The CLI prompt changes to include (config).
Remove a tenant configuration.

no tenants tenant <*tenant-name*>
Commit the configuration changes.

commit

The tenant deployment is removed from the system.

Note: When you delete a Big-IP tenant, the K3s server requires an average of 20 to 30 seconds to delete each tenant. For Big-IP Next tenant, it requires an average of 100 to 120 seconds to delete each tenant.

Tenant CLI command syntax

Use the tenants command from the CLI to configure tenants on the system.

The tenant command includes this syntax and these options:

tenants tenant <*options*>

Option	Value	Description
appliance-mode	enabled or disabled (default)	When enabled, appliance-mode disallows root and Bash access for the tenant.
cryptos	enabled or disabled (default)	Specifies the crypto device support for the tenant. When enabled, the tenant receives dedicated crypto devices proportional to the number of vCPU cores. When disabled, the tenant receives no crypto device support.
gateway	IP address	Specifies the IPv4/IPv6 address of the default gateway for the management network. This IP address can be changed on the tenant itself. This field is required.
image	Image name for the tenant	Specifies which software image to install on newly-created virtual disks for this tenant. This field is required.
mac-data	Available options are: - one - Represents a block with one MAC. small - Represents a contiguous block of 8 MACs. medium - Represents a contiguous block of 16 MACs. large - Represents a contiguous block of 32 MACs.	Specifies configuration data for MAC block size per tenant.
memory	Memory allocated for the tenant	Specifies the memory in MBs for the tenant. For the commit to succeed, tenant configuration requires the minimum MBs depending on the number of cores specified for the tenant. The administrator must decide what amount of dedicated memory is needed to satisfy the requirements of the modules that will be provisioned within the tenant. For more information on resource allocation, see Tenant resource allocation overview.
mgmt-ip	IP address	Specifies the management IP address to the tenant. This address applies to the primary node of the tenant. The address can be changed on the tenant. This field is required.
nodes	Node numbers in square brackets separated by a space. For example, [1 2]	Lists the nodes to which the tenant can be assigned. This field is required.
prefix-length	Decimal value	Specifies the prefix length of the management network. This field is required.
running-state	Configured (default), provisioned, or deployed	Specifies the state of a tenant: configured, provisioned, or deployed. Tenants are in the configured state by default. Configured means the tenant exists but has no hardware resources (CPU or memory) allocated to it and is not running. When the tenant is provisioned, the system assigns the tenant to nodes and creates virtual disks for the tenant on those nodes. In the deployed state, allocated resources are used to launch the tenant VM. Note that specifying deployed causes the actions that occur in the configured and provisioned states. To shut down the tenant VM without removing the virtual disk, change the running-state from deployed to provisioned. Changing the tenant running-state to configured from provisioned or deployed stops the tenant, but maintains the configuration.
storage	Storage quota in GB for the tenant	Specifies how much storage quota a tenant is allocated. The default size is 77 GB. You cannot modify the size of the virtual disk when the tenant is in the deployed running-state. You can modify the storage size when the tenant is in configured or provisioned running-states. For information on determining minimum disk size, see Tenant sizing.
tenant-auth-storage
trust-mode (F5 r2000/r4000 platforms only)	false or true (default)	Specifies whether a tenant is trusted. MAC masquerade (MM) is required for high availability (HA) on F5 r2000/r4000 platforms, and only between trusted tenants. Important: This option is available only on F5 r2000/r4000 platforms. For more information about configuring MM, see K13502: Configuring MAC masquerade (11.x - 17.x). Note: Enabling trust mode might reduce the security profile of the platform.
type	BIG-IP (default)	Specifies the supported tenants on the system. The field is not required.
vcpu-cores-per-node	Decimal number	Specifies how many cores a tenant is allocated from each node to which it is assigned. Use tab completion to see a list of possible values on the current rSeries system. The default value is 2
virtual-wires	Virtual wire name	Specifies which user-specified virtual-wires to use for the tenant.
vlans	VLAN ID	Specifies the VLAN ID to be used for tenant traffic. To process the traffic through the tenant, make sure the VLAN is configured on the system.

Transmission Control Protocol-Connection Overload Protection (TCP-COP) Overview

In certain scenarios, the tenant can get overwhelmed by the number of new TCP connections requests. To address this, TCP-COP is designed to protect the tenant from this overload and helps reduce the high CPU use in the TMM process caused by the high concurrent flows. By enabling TCP-COP, you can drop new connections from being established at the platform level when the queue size exceeds a configured threshold, thus maintaining stable TMM CPU usage.

When the number of concurrent flows increases, the TMM experiences a rise in CPU consumption as a result of flow table expansion. This can lead to transaction failures to the inability of the TMM to handle the packets due to high look up times caused by the huge connection flow table entries. By enabling this feature, you can effectively manage the situation by preventing new connections from being established at the platform level, thereby maintaining stable TMM CPU usage. This approach allows for a boost in overall performance, as only new connections are affected, and any dropped connections can be successfully reattempted in subsequent efforts. As a result, this implementation leads to improved performance and consistent CPU utilization.

This functionality is enabled at the tenant level. Once enabled, a specific threshold must be set, determining the point at which the platform will cease accepting new connections (SYN packets). This allows the TMM to prioritize the handling of existing connections

Configuring TCP-COP from the CLI

You can configure TCP-COP from the CLI.

Log in to the command line interface (CLI) of the system using an account with admin access.

When you log in to the system, you are in user (operational) mode.
Change to config mode.

config

The CLI prompt changes to include (config).
Enable TCP-COP and provide the threshold value.

tenants tenant <*tenant-name*> config tcp-cop [ disabled | enabled ] threshold <*threshold value*>

This example shows enabling TCP-COP and applying the threshold:
appliance-1(config)# tenants tenant cbip config tcp-cop enabled threshold 10.5
Note: You must set the threshold value if ‌TCP-COP is enabled.
Commit the configuration changes.

commit
Return to user (operation) mode.

end

Verify the TCP-COP configuration.

A summary of the example displays:

appliance-1# show tenants tenant
tenants tenant cbip1
 state unit-key-hash    bItHjJgS6U90HGRq2Tj64fYJB4cvbcntoqetgRcWbwLdtKWEJerORYatSEP2Ah/W3B7JvdE2O1FLIR3lbw+qvg==
 state type             BIG-IP
 state image            BIGIP-17.1.1.3-0.0.5.ALL-F5OS.qcow2.zip.bundle
 state nodes            [ 1 ]
 state mgmt-ip          10.0.11.53
 state prefix-length    24
 state gateway          10.0.11.1
 state dag-ipv6-prefix-length 128
 state vlans            [ 11 ]
 state cryptos          enabled
 state tenant-auth-support disabled
 state vcpu-cores-per-node 4
 state qat-vf-count     6
 state memory           14848
 state storage size 82
 state running-state    deployed
 state appliance-mode disabled
 state feature-flags stats-stream-capable true
 state status           Running
 state primary-slot     1
 state image-version    "BIG-IP 17.1.1.3 0.0.5"
 state tcp-cop enabled
 state tcp-cop threshold 10.5
 state mgmt-vlan        11
 state mgmt-vlan-accessible true
 state mac-data base-mac 00:94:a1:8e:b8:0a
 state mac-data mac-pool-size 1
MAC              
-------------------
00:94:a1:8e:b8:0a


NODE  CPUS         
---------------------
1     [ 21 7 22 8 ]


 state instances instance 1 cbip1-1
  instance-id   1
  tenant-slot   1
  phase         Running
  creation-time 2024-09-12T11:38:16Z
  ready-time    2024-09-12T11:38:59Z
  status        "Started tenant instance"
  mgmt-mac      6e:32:c2:23:b8:86

Verify if the TCP-COP is applied when the tenant is running.

A summary of the example displays:

appliance-1# show tenants tenant tcp-cop tcp-cop
                            TOTAL  TOTAL  
       OPERATING OPERATING  RX     RX SYN  
NAME   STATUS    THRESHOLD  SYN    DROPPED
---------------------------------------------
cbip1  enabled   61.9       4      0      

Tenant high availability (HA) overview

You can configure tenants for high-availability (HA) on an rSeries system similar to how it is done on a BIG-IP system or for vCMP guests. To implement high-availability, you set up device service clustering or DSC. DSC provides synchronization and failover of BIG-IP configuration data and traffic groups on two or more tenants. The tenant administrator sets up DSC on the tenants.

For information on BIG-IP Next tenant configuration, see my.f5.com.

If you plan to set up mirroring, you must use an additional system. Connection mirroring requires that both rSeries systems have identical hardware platforms.

Important: Tenants must have identical resources to ensure seamless HA failover. F5 does not support HA between tenants on disparate platforms.

For more information, see these guides at K000130285: F5 Product Manuals Index:

Configure high availability (HA) for BIG-IP tenants

Before you begin, you must set up two rSeries systems with initial configuration, management IP addresses, gateways, DNS servers, and licensing. For more information, see F5 rSeries Systems: Software Installation and Upgrade and other sections in this guide.

Note:

The F5 r2000/r4000 systems require that MAC masquerade (MM) is configured for high availability (HA). MAC masquerade can only be configured on trusted tenants. Ensure that you have enabled trust-mode for any tenant on which you plan to configure HA (seeCreate and deploy tenants from the CLI.

You can set up high availability for two BIG-IP tenants that reside on two separate rSeries systems.

Log in to the system and deploy a BIG-IP tenant.

Note: Make sure that both tenants are running the same BIG-IP software version and that it is compatible with rSeries systems.
On the tenants, set up L2 network connectivity between the two tenants including setting up VLANs and self-IPs for ConfigSync, failover, and mirroring.

For example, create the same VLAN on both tenants with management IP addresses that can communicate with each other.
Log in to each tenant and set the failover ConfigSync address to the self IP addresses on both sides.
Establish device trust: On one of the tenants, go to Device Management > Device Trust, create a device trust, and add the management IP of the other tenant.
Create a Sync-Failover device group: On the tenants, go to Device Management > Device Group and create a device group with the Group Type option set to Sync-Failover.

For more information, see the “Working with Device Groups” section in BIG-IP Device Service Clustering: Administration at K000130285: F5 Product Manuals Index).
On the tenants, go to Device Management > Devices, select the device and initiate the first ConfigSync manually.
For tenants on the F5 r2000/r4000 platforms, configure MAC masquerade.

For more information, see the “Managing Failover” section in BIG-IP Device Service Clustering: Administration at K000130285: F5 Product Manuals Index).

For information about configuring MAC masquerade, see K13502: Configuring MAC masquerade (11.x - 17.x).

After setting up HA for tenants, you can optionally create traffic groups, enable mirroring on the virtual servers, and sync the configurations.

Understand that there are many ways to configure HA, and this summary explains the general work flow for how to approach tenant HA. Your environment might require additional steps.

Applies To:

F5OS-A

Tenant Management

Follow Us