Manual Chapter : 3-DNS Admin Guide v4.5.10: Post-Setup Tasks

Applies To: 3-DNS Controller versions 4.5.14, 4.5.13, 4.5.12, 4.5.11, 4.5.10

Chapter 4: Post-Setup Tasks


Introduction

Setting up the base network for the 3-DNS Controller means configuring elements such as the 3-DNS Controller host name, a default gateway pool, interface media settings, VLANs, and self IP addresses. Configuration tasks for the BIG-IP base network are performed using the Setup utility. For information on using the Setup utility, see Chapter 3, Using the Setup Utility.

Once you have configured the base network elements with the Setup utility, you might want to further enhance the configuration of these elements. This chapter provides the information you need to perform these additional configuration tasks. You can perform these tasks using either the Configuration utility or the bigpipe command line utility.

Elements you might want to further configure after running Setup are:

  • Interfaces
    You can set the media type and the duplex mode for an interface, as well as display interface status.

  • VLANs
    VLAN options include tagging, and assigning interfaces to VLANs. In addition, you can group separate VLANs together for the purpose of bridging packets between them.

  • Self IP addresses
    You can change self IP addresses or create any number of additional self IP addresses for a VLAN.

  • Additional host names
    You can insert additional host names and IP addresses for network devices into the /etc/hosts file. For example, you can insert host names for the IP addresses that you will assign to virtual servers, and host names for standard devices such as your routers, network interface cards, and servers.

  • General networking
    You can configure a default route, as well as dynamic routing, DNS, and email.

Note: Once you have configured the base network, you can configure the high-level network. Examples of elements you configure as part of the high-level network are pools, rules, proxies, and network address translation (SNATs and NATs).

Configuring the interfaces

Typically, a 3-DNS Controller has two network interfaces. The following sections describe the naming convention, displaying the status, setting the media type, and setting the duplex mode for the interfaces in the 3-DNS Controller.

Understanding the interface naming convention

By convention, the Ethernet interfaces on a 3-DNS Controller take the name <s>.<p> where s is the slot number of the NIC, and p is the port number on the NIC. For the 2U platform, slot numbering is top-to-bottom, and port numbering is left-to-right as shown in Figure 4.1.


Figure 4.1 Rear view of a 3-DNS Controller with two interface ports

Displaying status for interfaces

Use the following syntax to display the current status and the settings for the installed interface cards:

b interface show

Figure 4.2 is an example of the output you see when you issue this command.

Figure 4.2 The bigpipe interface show command output

interface      speed    pkts   pkts   pkts   pkts   bits    bits    errors  trunk  STP
               Mb/s     in     out    drop   coll   in      out
1.1 UP         100 HD   0      213    0      0      0       74.2K   0
2.1 UP         100 HD   20     25     0      0      28.6K   33.9K   0


Use the following syntax to display the current status and the setting for a specific interface.

b interface <if_name> show

Setting the media type

You can set the media type for the interface card either to the specific media type or to auto for auto detection. If the media type is set to auto and the card does not support auto detection, the default type for that interface is used, for example 100BaseTX.

Use the following syntax to set the media type:

b interface <if_name> media <media_type> | auto

(Default media type is auto.)

Note: If the 3-DNS Controller is inter-operating with an external switch, the media setting should match that of the switch. To accomplish this, it is best to specify the setting explicitly, and not rely on automatic detection using auto.

Setting the duplex mode

You can set duplex mode to full or half duplex. If the media type does not allow duplex mode to be set, this is indicated by an onscreen message. If media type is set to auto, or if setting duplex mode is not supported for the interface, the duplex setting is not saved to bigip.conf.

Use the following syntax to set the duplex mode:

b interface <if_name> duplex full | half | auto

(Default mode is auto.)

Note: If the 3-DNS Controller is inter-operating with an external switch, the media setting should match that of the switch. To accomplish this, it is best to specify the setting explicitly, and not rely on automatic detection using auto.

Working with VLANs

A VLAN is a grouping of separate 3-DNS Controller networks that allows those networks to behave as if they were a single local area network, whether or not there is a direct Ethernet connection between them.

The 3-DNS Controller offers several options that you can configure for a VLAN. These options are summarized in Table 4.1.

Table 4.1 VLAN configuration options

  • Create a default VLAN configuration
    You can use the Setup utility to create a default VLAN configuration.

  • Create, rename, or delete VLANs
    You can create, rename, or delete a VLAN.

  • Configure packet access to VLANs
    Through an option called tagging, you can direct packets from multiple VLANs to a specific 3-DNS interface, or direct traffic from a single VLAN to multiple interfaces.

  • Manage the L2 forwarding table
    You can edit the L2 forwarding table to enter static MAC address assignments.

  • Create VLAN groups
    You can create a VLAN group to allow layer 2 packet forwarding between VLANs.

  • Set VLAN security
    You can set port lockdown by VLAN.

  • Set fail-safe timeouts
    You can set a fail-safe timeout on a VLAN. You can use a fail-safe timeout to trigger fail-over in a redundant system.

  • Set self IP addresses
    You can set one or more self IP addresses for VLANs.

  • Set MAC masquerade
    You can use the MAC masquerade to set up a media access control (MAC) address that is shared by a redundant system.

  • Configure VLAN mirroring
    You can configure the 3-DNS Controller to replicate packets received by a VLAN and send them to another VLAN or set of VLANs.


Default VLAN configuration

By default, the Setup utility configures each interface on the 3-DNS Controller as a member of a VLAN. The 3-DNS Controller identifies the fastest interfaces, makes the lowest-numbered interface in that group a member of the VLAN external, and makes all remaining interfaces members of the VLAN internal.

Figure 4.3 Simple VLAN configuration for a 3-DNS Controller

VLAN flexibility is such that separate IP networks can belong to a single VLAN, while a single IP network can be split among multiple VLANs. (The latter case allows the 3-DNS Controller to be inserted into an existing LAN without renaming the nodes.) The VLANs named external and internal are separate networks, and in the configuration shown they behave like separate networks. The networks belonging to VLAN internal are also separate networks, but have been made to behave like a single network. This is accomplished using a feature called VLAN bridging.

Your default VLAN configuration is created using the Setup utility. On a typical unit with two interfaces, you create an internal and external VLAN.
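As an added example (not code from the 3-DNS documentation), the following POSIX shell function reproduces the default VLAN assignment rule described above by reading interface status in the format of the bigpipe interface show output in Figure 4.2. The sample output is constructed, and "lowest-numbered" is taken to mean lowest slot number, then lowest port number.

```shell
#!/bin/sh
# Constructed sample of "b interface show" output (not captured from a real unit).
SAMPLE_IF_SHOW='interface  speed   pkts   pkts   pkts   pkts   bits   bits errors trunk STP
           Mb/s    in     out    drop   coll   in     out
3.1 UP     100 HD  0      213    0      0      0      74.2K  0
4.1 UP     1000 FD 20     25     0      0      28.6K  33.9K  0
5.1 UP     1000 FD 18     31     0      0      21.0K  29.4K  0'

# Reads "b interface show" output on stdin and prints the default membership
# described in this chapter: the lowest-numbered interface of the fastest
# group goes to VLAN external, every other interface to VLAN internal.
default_vlans() {
    awk '
    BEGIN { max = 0 }
    # data rows start with the <slot>.<port> interface name; header rows do not
    $1 ~ /^[0-9]+\.[0-9]+$/ {
        n++; name[n] = $1; speed[n] = $3 + 0
        if (speed[n] > max) max = speed[n]
    }
    END {
        ext = ""
        for (i = 1; i <= n; i++) {
            if (speed[i] != max) continue
            split(name[i], p, ".")
            s = p[1] + 0; q = p[2] + 0
            # lowest slot, then lowest port, wins the external VLAN
            if (ext == "" || s < es || (s == es && q < ep)) {
                ext = name[i]; es = s; ep = q
            }
        }
        printf "external %s\n", ext
        line = "internal"
        for (i = 1; i <= n; i++) if (name[i] != ext) line = line " " name[i]
        print line
    }'
}

# Runs the rule over the embedded sample so the result can be checked.
default_vlans_sample() {
    printf '%s\n' "$SAMPLE_IF_SHOW" | default_vlans
}

default_vlans_sample
```

On a live unit, pipe the real command output into the function instead of the sample: b interface show | default_vlans.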

Creating, renaming, and deleting VLANs

Typically, if you use the default configuration, one VLAN is assigned to each interface. However, if you need to change your network configuration, or if the default VLANs are not adequate for a network configuration, you can create new VLANs, rename existing VLANs, or delete a VLAN.

To create a VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.

  2. Click the Add button.

  3. Type the attributes for the VLAN.

  4. Click Done.

To rename or delete a VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.

  2. In the VLANs screen, use one of the following options:

    • To rename a VLAN, click the VLAN name you want to change. The VLAN properties screen opens. Type the new name in the VLAN name box.

    • To delete a VLAN, click the Delete button for the VLAN you want to delete.

  3. Click Done.

To create, rename, or delete a VLAN from the command line

To create a VLAN from the command line, use the following syntax:

b vlan <vlan name> interfaces add <if name> <if name>

For example, if you want to create a VLAN named myvlan that contains the interfaces 1.1 and 1.2, type the following command:

b vlan myvlan interfaces add 1.1 1.2

To rename an existing VLAN, use the following syntax:

b vlan <vlan name> rename <new vlan name>

For example, if you want to rename the VLAN myvlan to yourvlan, type the following command:

b vlan myvlan rename yourvlan

To delete a VLAN, use the following syntax:

b vlan <vlan name> delete

For example, to delete the VLAN named yourvlan, type the following command:

b vlan yourvlan delete


Configuring packet access to VLANs

The 3-DNS Controller supports two methods for sending and receiving packets through an interface that is a member of one or more VLANs. These two methods are:

  • Port-based access to VLANs
    Packets are accepted for a VLAN because the packets have no tags in their headers and were received on an interface that is a member of a VLAN. With this method, an interface is configured as an untagged member of the VLAN. Packets sent out through untagged interfaces contain no tag in their header.

  • Tag-based access to VLANs
    Packets are accepted for a VLAN because the packets have tags in their headers and the tag matches the VLAN identification number for the VLAN. With this method, an interface is configured as a tagged member of the VLAN. Packets sent out through tagged interfaces contain a tag in their header.

The sending/receiving method used by a VLAN is determined by the way that you add a member interface to a VLAN. When creating a VLAN or modifying VLAN properties (using the Configuration utility or the bigpipe command), you can add an interface to that VLAN as either an untagged or a tagged interface.

The following two sections describe these two methods of providing packet access to a VLAN.

Port-based access to VLANs

Port-based access to VLANs occurs when an interface is added to a VLAN as an untagged interface. In this case, the interface can be added only to that VLAN and to no others, which limits the interface to accepting traffic from that one VLAN instead of from multiple VLANs. To remove this limitation, the 3-DNS Controller allows you to configure a feature known as tagging, described in the following section.

Tag-based access to VLANs

Tag-based access to VLANs occurs when an interface is added to a VLAN as a tagged interface. A tagged interface can be added to multiple VLANs, thereby allowing the interface to accept traffic from each VLAN of which the interface is a member.

When you add an interface to a VLAN as a tagged interface, the 3-DNS Controller associates the interface with the VLAN identification number, or tag, which becomes embedded in a header of a packet.

Note: Every VLAN has a VLAN identification number. This identification number is assigned to a VLAN either explicitly by a user when creating the VLAN, or automatically by the 3-DNS Controller if the user does not supply one.

Each time you add an interface to a VLAN, either when creating a VLAN or modifying its properties, you can designate that interface as a tagged interface. A single interface can therefore have multiple tags associated with it.

The result is that whenever a packet comes into that interface, the interface reads the tag that is embedded in a header of the packet. If the tag in the packet matches any of the tags associated with the interface, the interface accepts the packet. If the tag in the packet does not match any of the tags associated with the interface, the interface rejects the packet.

Important: You should use VLAN tagging only if you are running the 3-DNS Controller in bridge mode.

Configuration procedures

You configure tag-based access to VLANs using either the Configuration utility or the bigpipe vlan command. You can configure tag-based access either when you create a VLAN and add member interfaces to it, or by modifying the properties of an existing VLAN. In the latter case, you simply change the status of one or more member interfaces from untagged to tagged.

To create a VLAN that supports tag-based access using the Configuration utility

Creating a VLAN that supports tag-based access means creating the VLAN and then adding one or more tagged interfaces to it.

  1. In the navigation pane, click Network.
    The VLAN screen opens.

  2. Click the Add button.
    The Add VLAN screen opens.

  3. On the Add VLAN screen, type the VLAN name.

  4. In the Tag box, you can optionally specify a VLAN ID number. If you do not provide one, the 3-DNS Controller assigns a default number.

  5. In the Resources box, specify any tagged interfaces by selecting the appropriate interface numbers from the Interface Number list and clicking tagged >>.

  6. Configure the other VLAN options.

  7. Click Done.

To configure tag-based access on an existing VLAN using the Configuration utility

Configuring tag-based access on an existing VLAN means changing the existing status of one or more member interfaces from untagged to tagged.

  1. In the navigation pane, click Network.
    The VLAN screen opens.

  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.

  3. In the Resources box, move any untagged interfaces from the Current Interfaces list to the Interface Number list.

  4. Specify any tagged interfaces by selecting the appropriate interface numbers from the Interface Number list and clicking tagged >>.

  5. Click Done.

To create a VLAN that supports tag-based access from the command line

  1. Type the bigpipe vlan command, specifying a VLAN name, the tag keyword, and a VLAN ID number. The following example creates the VLAN external with a VLAN ID of 1209.

    b vlan external tag 1209

  2. Add the interfaces to the VLAN external as tagged interfaces. This is done by specifying the VLAN name, the tagged keyword, and the interfaces to be tagged. For example:

    b vlan external interfaces add tagged 4.1 5.1 5.2

The effect of this command is to associate the tag with interfaces 4.1, 5.1, and 5.2, which in turn allows packets carrying that tag access to the external VLAN.

The above procedure adds multiple tagged interfaces to a single VLAN. However, you can also add a single tagged interface to multiple VLANs. This results in a single interface having more than one tag associated with it. For example, the following commands add the tagged interface 4.1 to the two VLANs external and internal:

b vlan external interfaces add tagged 4.1

b vlan internal interfaces add tagged 4.1


Setting up security for VLANs

You can lock down a VLAN to prevent direct connections to the 3-DNS Controller through that VLAN. You can override this lockdown for specific services by enabling the corresponding global variable for that service. For example, to keep the SSH port reachable on a locked-down VLAN:

b global open_ssh_port enable

To enable or disable port lockdown using the Configuration utility

  1. In the navigation pane, click Network.
    The VLAN screen opens.

  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.

  3. To enable port lockdown, click a check in the Port Lockdown box.
    To disable port lockdown, clear the Port Lockdown check box.

  4. Click Done.

To enable or disable port lockdown from the command line

To enable port lockdown, type:

b vlan <vlan_name> port_lockdown enable

To disable port lockdown, type:

b vlan <vlan_name> port_lockdown disable


Setting fail-safe timeouts for VLANs

For redundant 3-DNS units, you can enable a fail-safe mechanism that fails over when loss of traffic is detected on a VLAN and traffic is not restored within the fail-over timeout period for that VLAN. You can enable the fail-safe mechanism to attempt to generate traffic when half the timeout has elapsed. If the attempt is successful, the fail-over is stopped.

To set the fail-over timeout and arm the fail-safe using the Configuration utility

  1. In the navigation pane, click Network.
    The VLAN screen opens.

  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.

  3. Check the Arm Failsafe box, and specify the timeout in seconds in the Timeout box.

To set the fail-over timeout and arm the fail-safe from the command line

Using the vlan command, you may set the timeout period and also arm or disarm the fail-safe.

To set the timeout, type:

b vlan <vlan_name> timeout <timeout_in_seconds>

To arm the fail-safe, type:

b vlan <vlan_name> failsafe arm

To disarm the fail-safe, type:

b vlan <vlan_name> failsafe disarm


Setting the MAC masquerade address

You can share the media access control (MAC) masquerade address between 3-DNS units in a redundant system. This option has the following advantages:

  • Increased reliability and failover speed, especially in lossy networks

  • Interoperability with switches that are slow to respond to the network changes

  • Interoperability with switches that are configured to ignore network changes

Note: For sensible operation, you must set the MAC masquerade address to be the same on both the active and standby units. To do this, configure the shared MAC address manually, by editing the bigip_base.conf file on both units. Do not use the bigpipe config sync command.

The MAC address for a VLAN is the MAC address of the first interface to be mapped to the VLAN, typically 4.1 for external, and 5.1 for internal. You can view the interfaces mapped to a VLAN using the following command:

b vlan show

You can view the MAC addresses for the interfaces on the 3-DNS Controller using the following command:

b interface show verbose

Use the following syntax to set the MAC masquerade address to be shared by both 3-DNS units in the redundant system.

b vlan <vlan_name> mac_masq <MAC_addr>

Find the MAC address on both the active and standby units, and pick one that is similar but unique. A safe technique for selecting the shared MAC address follows.

Suppose you want to set up mac_masq on the external interfaces. Using the b interface show command on the active and standby units, you note that their MAC addresses are:

Active: 3.1 = 0:0:0:ac:4c:a2

Standby: 3.1 = 0:0:0:ad:4d:f3

In order to avoid packet collisions, you now must choose a unique MAC address. The safest way to do this is to select one of the addresses and convert it to a locally administered address by setting 0x40 in the first byte (that is, bitwise OR the first byte with 0x40).

In this example, either 40:0:0:ac:4c:a2 or 40:0:0:ad:4d:f3 would be a suitable shared MAC address to use on both 3-DNS units in the redundant system.
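The selection procedure above, as an added POSIX shell example that is not part of the 3-DNS documentation: it derives the shared address by OR-ing 0x40 into the first byte of one unit's interface MAC, then checks the candidate before it is written into bigip_base.conf. The active and standby MACs are the constructed values from the example, and the check that rejects a candidate whose first byte has the group (multicast) bit set is an addition beyond the chapter's text.

```shell
#!/bin/sh
# Constructed values, matching the worked example above; replace them with the
# addresses your own "b interface show" output reports for the interface.
ACTIVE_MAC=0:0:0:ac:4c:a2
STANDBY_MAC=0:0:0:ad:4d:f3

# Rewrites a MAC in zero-padded lowercase hex so that 0:0:0:ac:4c:a2 and
# 00:00:00:AC:4C:A2 compare equal.
mac_norm() {
    out=""
    old_ifs=$IFS; IFS=:
    for b in $1; do
        out="$out${out:+:}$(printf '%02x' $(( 0x$b )))"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Derives the shared address following the rule in this chapter: OR 0x40 into
# the first byte of one unit's interface MAC. The output keeps the unpadded
# form that bigpipe prints, e.g. 0:0:0:ac:4c:a2 -> 40:0:0:ac:4c:a2.
mac_masq_addr() {
    first=${1%%:*}
    rest=${1#*:}
    printf '%x:%s\n' $(( 0x$first | 0x40 )) "$rest"
}

# Checks a candidate before it goes into bigip_base.conf on both units: it must
# be a unicast address (group bit of the first byte clear) and must differ from
# the hardware MAC of both the active and the standby unit, otherwise the
# shared address collides with a card that still answers for it in standby.
mac_masq_check() {
    cand=$(mac_norm "$1"); act=$(mac_norm "$2"); sby=$(mac_norm "$3")
    first=${cand%%:*}
    if [ $(( 0x$first & 1 )) -ne 0 ]; then
        echo "rejected: $1 is a multicast address" >&2
        return 1
    fi
    if [ "$cand" = "$act" ] || [ "$cand" = "$sby" ]; then
        echo "rejected: $1 is still the hardware address of one unit" >&2
        return 1
    fi
    printf 'ok: %s\n' "$cand"
}

SHARED_MAC=$(mac_masq_addr "$ACTIVE_MAC")
mac_masq_check "$SHARED_MAC" "$ACTIVE_MAC" "$STANDBY_MAC"
```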

The shared MAC address is used only when the 3-DNS Controller is in active mode. When the unit is in standby mode, the original MAC address of the network card is used.

If you do not configure mac_masq, then on startup, or when transitioning from standby mode to active mode, the 3-DNS Controller sends gratuitous ARP requests to notify the default router and other machines on the local Ethernet segment that its MAC address has changed. See RFC 826 for more details on ARP.

Note: The MAC masquerade information is stored in the bigip_base.conf file.

Configuring a self IP address

A self IP address is an IP address mapping to one or more VLANs and their associated interfaces on a 3-DNS Controller. You assign a self IP address to each interface on the unit as part of the initial configuration, and you also assign a floating (shared) alias for units in a redundant system. You can create additional self IP addresses for health checking, gateway failsafe, routing, or other purposes. You create additional self IP addresses using either the Configuration utility or the self command in the bigpipe utility. (See the 3-DNS Reference Guide, Appendix C, bigpipe Command Reference, for more information on the self command.)

To add a self IP address to a VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.

  2. Click the Self IP Addresses tab.

  3. Click the Add button.

  4. In the IP Address box, type the self IP address to be assigned.

  5. In the Netmask box, type an optional netmask.

  6. In the Broadcast box, type an optional broadcast address.

  7. If you want to configure the self IP address as a floating address, check the Floating box.

  8. If you want to enable the address for SNAT auto-mapping, check the SNAT Automap box.

  9. In the VLAN box, type the name of the VLAN to which you want to assign the self IP address.

  10. Click Done.

To add a self IP address to a VLAN from the command line

Use the following syntax:

b self <addr> vlan <vlan_name> [ netmask <ip_mask> ][ broadcast <broadcast_addr>] [unit <id>]

You can add any number of additional self IP addresses to a VLAN to create aliases. For example:

b self 11.11.11.4 vlan external

b self 11.11.11.5 vlan external

b self 11.11.11.6 vlan external

b self 11.11.11.7 vlan external

Also, any one self IP address may have floating enabled to create a floating alias that is shared by both units of a redundant system:

b self 11.11.11.8 floating enable

Assigning a self IP address to an interface automatically maps it to the VLAN of which it is a member. Assigning a self IP address to an interface not mapped to an untagged VLAN produces an error message.