Manual Chapter : BIG-IP Reference Guide version 4.5: Post-Setup Tasks

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.6.1, 4.6.0, 4.5 PTF-08, 4.5 PTF-07, 4.5 PTF-06, 4.5 PTF-05, 4.5 PTF-04, 4.5 PTF-03, 4.5 PTF-02, 4.5 PTF-01, 4.5.9, 4.5.0
Chapter 3

Post-Setup Tasks


Introducing post-setup tasks

Setting up the base network for the BIG-IP system means configuring elements such as the BIG-IP system host name, a default gateway pool, interface media settings, and VLANs and self IP addresses. Configuration tasks for the BIG-IP base network are performed using the BIG-IP Setup utility. For information on using the Setup utility, see Chapter 2, Using the Setup Utility.

Once you have configured the base network elements with the Setup utility, you might want to further enhance the configuration of these elements. This chapter provides the information you need to perform these additional configuration tasks. You can perform these tasks using either the Configuration utility or the bigpipe command.

Elements you might want to further configure after running Setup are:

  • Interfaces
    You can set the media type and the duplex mode for an interface, as well as display interface status.
  • VLANs
    VLAN options include tagging and assigning interfaces to VLANs. In addition, you can group separate VLANs together for the purpose of bridging packets between them.
  • Self IP addresses
    You can change self IP addresses or create any number of additional self IP addresses for a VLAN.
  • Additional host names
    You can insert additional host names and IP addresses for network devices into the /etc/hosts file. For example, you can insert host names for the IP addresses that you will assign to virtual servers, and host names for standard devices such as your routers, network interface cards, and servers.
  • SSH console
    Configuring an SSH console gives you the ability to use a command line interface to securely manage your local BIG-IP system.
  • General networking
    You can configure a default route, as well as dynamic routing, DNS, and email.
  • Serial terminals
    You can add a serial terminal in addition to the console, or you can add a serial terminal as the console.

    If the BIG-IP system is an IP Application Switch, you also have three other BIG-IP system features you can configure:

  • Trunks
    Trunks are aggregated links. In link aggregation, interfaces can be combined into a trunk to increase bandwidth in an additive manner. The other benefit of link aggregation is link fail-over. If one link in a trunk goes down, traffic is simply redistributed over the remaining links.
  • Spanning Tree Protocol (STP)
    STP domains provide for loop resolution in configurations where one or more external switches is connected in parallel with an IP Application Switch.
  • Port mirroring
    This allows you to copy traffic from any interface or set of interfaces on a BIG-IP system Application Switch to a single, separate interface. Typically you would install a sniffer device on the target port for debugging and/or monitoring.

    These features can be configured using either the Configuration utility or the bigpipe command.

Note

Once you have configured the base network, you can configure the high-level network. Examples of elements you configure as part of the high-level network are: Pools, rules, proxies, and network address translation (SNATs and NATs).

Interfaces

A BIG-IP system can have as few as two network interfaces, and as many as twenty-nine. Before performing configuration tasks such as displaying interface status and settings, setting the media type, and setting the duplex mode, it is helpful to understand interface naming conventions.

Interface naming conventions

By convention, the Ethernet interfaces on a BIG-IP system take the name <s>.<p>, where s is the slot number of the NIC and p is the port number on the NIC. As shown in Figure 3.1, for the 4U platform, slot numbering is left-to-right, and port numbering is top-to-bottom. Note that slot 1 is reserved for the onboard NIC whether or not it is present.

Figure 3.1 Vertical slot and port numbering

For the 2U platform, slot numbering is top-to-bottom and port numbering is left-to-right, as shown in Figure 3.2.

Figure 3.2 Horizontal slot and port numbering

For the Application Switch, slot numbering is left-to-right and port numbering is top-to-bottom, as shown in Figure 3.3. Note that slot 2 is used for the gigabit ports, and slot 3 for a dedicated administrative port.

When a bigpipe command calls for a list of interfaces, the list may consist of one or more interfaces, with multiple interfaces separated by spaces. For example:

2.1 2.2 2.4 2.6

Figure 3.3 Application Switch slot and port numbering

Displaying status and settings for interfaces

Use the following syntax to display the current status and the settings for all installed interface cards:

b interface show

Figure 3.4 is an example of the output you see when you issue this command on an active/standby unit in active mode.

Figure 3.4 The bigpipe interface show command output

interface        speed   pkts  pkts  pkts  pkts  bits   bits   errors  trunk  STP
                 Mb/s    in    out   drop  coll  in     out
5.1     UP       100 HD  0     213   0     0     0      74.2K  0
4.1     UP       100 HD  20    25    0     0     28.6K  33.9K  0

Use the following syntax to display the current status and the setting for a specific interface.

b interface <if_name> show

Media type and duplex mode

Properties that are configurable on the interfaces include media type and duplex mode, as shown in Table 3.1.

Table 3.1 Interface properties

  • media
    You may specify a media type or use auto for automatic detection.
  • duplex
    You may specify a full or half duplex mode.

Setting the media type

You can set the media type to the specific media type for the interface card or to auto for auto detection. If the media type is set to auto and the card does not support auto detection, the default type for that interface is used, for example 1000BaseTX.

Use the following syntax to set the media type:

b interface <if_name> media <media_type> | auto

(Default media type is auto.)

Note


If the BIG-IP system is inter-operating with an external switch, the media setting should match that of the switch.

Setting the duplex mode

You can set duplex mode to full or half duplex. If the media type does not allow duplex mode to be set, this is indicated by an onscreen message. If setting duplex mode is not supported for the interface, the duplex setting is not saved to bigip_base.conf.

Use the following syntax to set the duplex mode:

b interface <if_name> duplex full | half

VLANs

A VLAN is a grouping of separate networks that allows those networks to behave as if they were a single local area network, whether or not there is a direct Ethernet connection between them.

The BIG-IP system offers several options that you can configure for a VLAN. These options are summarized in Table 3.2.

Table 3.2 VLAN configuration options

  • Create a default VLAN configuration
    You can use the Setup utility to create a default VLAN configuration.
  • Create, rename, or delete VLANs
    You can create, rename, or delete a VLAN.
  • Configure packet access to VLANs
    Through an option called tagging, you can direct packets from multiple VLANs to a specific BIG-IP interface, or direct traffic from a single VLAN to multiple interfaces.
  • Manage the L2 forwarding table
    You can edit the L2 forwarding table to enter static MAC address assignments.
  • Create VLAN groups
    You can create a VLAN group to allow layer 2 packet forwarding between VLANs.
  • Set VLAN security
    You can set port lockdown by VLAN.
  • Set fail-safe timeouts
    You can set a failsafe timeout on a VLAN. You can use a failsafe timeout to trigger fail-over in a redundant system.
  • Set self IP addresses
    You can set one or more self IP addresses for VLANs.
  • Set MAC masquerade
    You can use the MAC masquerade to set up a media access control (MAC) address that is shared by a redundant system.
  • Configure VLAN mirroring
    You can configure the BIG-IP system to replicate packets received by a VLAN and send them to another VLAN or set of VLANs.

Default VLAN configuration

By default, the Setup utility configures each interface on the BIG-IP system as a member of a VLAN. The BIG-IP system identifies the fastest interfaces, makes the lowest-numbered interface in that group a member of the VLAN external, and makes all remaining interfaces members of the VLAN internal. This creates the mapping shown in Figure 3.5 .

Figure 3.5 Default VLAN configuration

As Figure 3.5 shows, VLAN flexibility is such that separate IP networks can belong to a single VLAN, while a single IP network can be split among multiple VLANs. (The latter case allows the BIG-IP system to be inserted into an existing LAN without renaming the nodes.) The VLANs named external and internal are separate networks, and in the configuration shown they behave like separate networks. The networks belonging to VLAN internal are also separate networks, but have been made to behave like a single network. This is accomplished using a feature called VLAN bridging.

Your default VLAN configuration is created using the Setup utility. On a typical unit with two interfaces, you create an internal and external VLAN.

Creating, renaming, and deleting VLANs

Typically, if you use the default configuration, one VLAN is assigned to each interface. However, if you need to change your network configuration, or if the default VLANs are not adequate for a network configuration, you can create new VLANs, rename existing VLANs, or delete a VLAN.

To create a VLAN using the Configuration utility
  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Add button.
  3. Type the attributes for the VLAN.
  4. Click Done.
To rename or delete a VLAN using the Configuration utility
  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. In the VLANs screen, use one of the following options:

    • To rename a VLAN, click the VLAN name you want to change. The VLAN properties screen opens. Type the new name in the VLAN name box.
    • To delete a VLAN, click the Delete button for the VLAN you want to delete.
  3. Click Done.
To create, rename, or delete a VLAN from the command line

To create a VLAN from the command line, use the following syntax:

b vlan <vlan name> interfaces add <if name> <if name>

For example, if you want to create a VLAN named myvlan that contains the interfaces 1.1 and 1.2, type the following command:

b vlan myvlan interfaces add 1.1 1.2

To rename an existing VLAN, use the following syntax:

b vlan <vlan name> rename <new vlan name>

For example, if you want to rename the VLAN myvlan to yourvlan, type the following command:

b vlan myvlan rename yourvlan

To delete a VLAN, use the following syntax:

b vlan <vlan name> delete

For example, to delete the VLAN named yourvlan, type the following command:

b vlan yourvlan delete

Configuring packet access to VLANs

The BIG-IP system supports two methods for sending and receiving packets through an interface that is a member of one or more VLANs. These two methods are:

  • Port-based access to VLANs - Packets are accepted for a VLAN because the packets have no tags in their headers and were received on an interface that is a member of a VLAN. With this method, an interface is configured as an untagged member of the VLAN. Packets sent out through untagged interfaces contain no tag in their header.
  • Tag-based access to VLANs - Packets are accepted for a VLAN because the packets have tags in their headers and the tag matches the VLAN identification number for the VLAN. With this method, an interface is configured as a tagged member of the VLAN. Packets sent out through tagged interfaces contain a tag in their header.

The method used by a VLAN is determined by the way that you add a member interface to a VLAN. When creating a VLAN or modifying VLAN properties (using the Configuration utility or the bigpipe command), you can add an interface to that VLAN as either an untagged or a tagged interface.

The following two sections describe these two methods of providing packet access to a VLAN.

Port-based access to VLANs

Port-based access to VLANs occurs when an interface is added to a VLAN as an untagged interface. In this case, the interface can be added only to that VLAN and to no others. This limits the interface to accepting traffic only from that VLAN, instead of from multiple VLANs. To solve this problem, the BIG-IP system allows you to configure a feature known as tagging, described in the following section.

Tag-based access to VLANs

Tag-based access to VLANs occurs when an interface is added to a VLAN as a tagged interface. A tagged interface can be added to multiple VLANs, thereby allowing the interface to accept traffic from each VLAN of which the interface is a member.

When you add an interface to a VLAN as a tagged interface, the BIG-IP system associates the interface with the VLAN identification number, or tag, which becomes embedded in a header of a packet.

Note


Every VLAN has a VLAN identification number. This identification number is assigned to a VLAN either explicitly by a user, when creating the VLAN, or automatically by the BIG-IP system, if the user does not supply one.

Each time you add an interface to a VLAN, either when creating a VLAN or modifying its properties, you can designate that interface as a tagged interface. A single interface can therefore have multiple tags associated with it.

The result is that whenever a packet comes into that interface, the interface reads the tag that is embedded in a header of the packet. If the tag in the packet matches any of the tags associated with the interface, the interface accepts the packet. If the tag in the packet does not match any of the tags associated with the interface, the interface rejects the packet.

Example

Figure 3.6 shows the difference between using three untagged interfaces (where each interface must belong to a separate VLAN) versus one tagged interface (which belongs to multiple VLANs).

Figure 3.6 Equivalent solutions using untagged and tagged interfaces

The configuration on the left shows a BIG-IP unit with three internal interfaces, each a separate, untagged interface. This is a typical solution for supporting three separate customer sites. In this scenario, each interface can only accept traffic from its own VLAN.

Conversely, the configuration on the right shows a BIG-IP system with one internal interface and an external switch. The switch places the internal interface on three separate VLANs. The interface is configured on each VLAN as a tagged interface. In this way, the single interface becomes a tagged member of all three VLANs, and accepts traffic from all three. The configuration on the right is the functional equivalent of the configuration on the left.

Not only can you add a single, tagged interface to multiple VLANs, as shown in the above example, you can also add multiple tagged interfaces to a single VLAN.

Configuration procedures

You configure tag-based access to VLANs using either the Configuration utility or the bigpipe vlan command. You can configure tag-based access either when you create a VLAN and add member interfaces to it, or by modifying the properties of an existing VLAN. In the latter case, you simply change the status of one or more member interfaces from untagged to tagged.

To create a VLAN that supports tag-based access using the Configuration utility

Creating a VLAN that supports tag-based access means creating the VLAN and then adding one or more tagged interfaces to it.

  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the Add button.
    The Add VLAN screen opens.
  3. On the Add VLAN screen, type the VLAN name.
  4. In the VLAN tag box, you can optionally specify a VLAN ID number. If you do not provide one, the BIG-IP system assigns a default number.
  5. In the Resources box, specify any tagged interfaces by selecting the appropriate interface numbers from the Interface Number list and clicking tagged >>.
  6. Configure the other VLAN options.
  7. Click Done.
To configure tag-based access on an existing VLAN using the Configuration utility

Configuring tag-based access on an existing VLAN means changing the existing status of one or more member interfaces from untagged to tagged.

  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.
  3. In the Resources box, move any untagged interfaces from the Current Interfaces list to the Interface Number list.
  4. Specify any tagged interfaces by selecting the appropriate interface numbers from the Interface Number list and clicking tagged >>.
  5. Click Done.
To create a VLAN that supports tag-based access from the command line
  1. Type the bigpipe vlan command, specifying a VLAN name, the tag keyword, and a VLAN ID number. The following example creates the VLAN external with a VLAN ID of 1209.

    b vlan external tag 1209

  2. Add the interfaces to the VLAN external as tagged interfaces. This is done by specifying the VLAN name, the tagged keyword, and the interfaces to be tagged. For example:

    b vlan external interfaces add tagged 4.1 5.1 5.2

    The effect of this command is to associate a tag with interfaces 4.1, 5.1, and 5.2, which in turn allows packets with that tag access to the external VLAN.

The preceding procedure adds multiple tagged interfaces to a single VLAN. However, you can also add a single tagged interface to multiple VLANs (similar to the scenario presented in Figure 3.6). This results in a single interface having more than one tag associated with it. For example, the following commands add the tagged interface 4.1 to the two VLANs external and internal:

b vlan external interfaces add tagged 4.1

b vlan internal interfaces add tagged 4.1
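
The accept/reject rule described above (an untagged interface takes untagged frames for its one VLAN; a tagged interface takes frames whose 802.1Q VID matches one of its tags), written out as an added example that is not code from the chapter or from F5. The 802.1Q header layout is standard; the interface names, the tag 1210 for VLAN internal, the sample frames, and the choice to drop an untagged frame on a tagged-only interface are this example's own assumptions.

```python
"""Port-based versus tag-based VLAN access on a BIG-IP interface.

Added example, not code from the chapter or from F5. The 802.1Q header
layout (TPID 0x8100, VID in the low 12 bits of the TCI) is standard; the
interface names, the tag 1210 and the frames are constructed samples, and
dropping an untagged frame on a tagged-only interface is this example's
assumption, since the chapter describes only how tagged frames are matched.
"""
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IP = 0x0800


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Split a frame into (dst, src, vid, ethertype, payload); vid is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    # Only the 12-bit VID takes part in the match; PCP/DEI in the top bits do not.
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an untagged frame, or an 802.1Q-tagged one when a VID is given."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be in 1..4094")
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


class Interface:
    """VLAN memberships of one interface.

    An untagged member belongs to exactly one VLAN (port-based access);
    a tagged member can carry several VLAN IDs (tag-based access). The
    chapter presents these as alternatives, so they are kept exclusive.
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self.untagged: Optional[str] = None
        self.tagged: Dict[int, str] = {}      # VLAN ID -> VLAN name

    def add_untagged(self, vlan: str) -> None:
        if self.untagged is not None or self.tagged:
            raise ValueError(f"{self.name}: an untagged interface belongs to one VLAN only")
        self.untagged = vlan

    def add_tagged(self, vlan: str, vid: int) -> None:
        if self.untagged is not None:
            raise ValueError(f"{self.name}: already an untagged member of {self.untagged}")
        if vid in self.tagged:
            raise ValueError(f"{self.name}: tag {vid} is already bound to {self.tagged[vid]}")
        self.tagged[vid] = vlan

    def classify(self, frame: bytes) -> Optional[str]:
        """Return the VLAN that accepts the frame, or None when the interface rejects it."""
        _, _, vid, _, _ = parse_frame(frame)
        if vid is None:
            return self.untagged              # port-based: untagged frames only
        return self.tagged.get(vid)           # tag-based: VID must match a member tag


# Constructed sample frames reuse the two MAC addresses quoted in the chapter.
DST = bytes.fromhex("00400530cc94")   # 00:40:05:30:cc:94
SRC = bytes.fromhex("00a0c99e1e2f")   # 00:a0:c9:9e:1e:2f


def sample_tagged_interface() -> Interface:
    """Interface 4.1 tagged in external (tag 1209, from the chapter) and internal (1210, assumed)."""
    iface = Interface("4.1")
    iface.add_tagged("external", 1209)
    iface.add_tagged("internal", 1210)
    return iface


def sample_untagged_interface() -> Interface:
    """Interface 1.1 as an untagged member of internal."""
    iface = Interface("1.1")
    iface.add_untagged("internal")
    return iface


if __name__ == "__main__":
    tagged = sample_tagged_interface()
    for vid in (1209, 1210, 999, None):
        frame = build_frame(DST, SRC, ETHERTYPE_IP, b"\x45\x00", vid=vid)
        print(f"4.1 receives vid={vid}: accepted by {tagged.classify(frame)}")
```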

Managing the Layer 2 forwarding table

Layer 2 forwarding is the means by which packets are exchanged directly between nodes on separate VLANs that are members of the same VLAN group, as described in Configuring VLAN groups. This is accomplished using a simple forwarding table for each VLAN with proxy forward enabled. The forwarding table has an entry for each node in the VLAN and associates the MAC address of that node with the BIG-IP system interface using the following format:

<MAC address> -> <if>

For example:

00:a0:c9:9e:1e:2f -> 4.1

Viewing and editing the L2 forwarding table

You can view the L2 forwarding table, delete entries, and add static entries. The entries that appear in the table automatically are learned and periodically updated and are called dynamic entries. Entries that you add to the table manually are called static entries. Static entries are not automatically updated. Entering static entries is useful if you have network devices that do not advertise their MAC addresses.

You can view and edit the L2 forwarding table using the bigpipe vlan <vlan_name> fdb command. The <vlan_name> may be either a VLAN or a VLAN group.


To view the L2 forwarding table from the command line

Type the following command:

b vlan <vlan name> fdb show

For example:

b vlan internal fdb show

This produces a display such as the following:

Forwarding table --

00:40:05:30:cc:94 -> 5.1


To view L2 forwarding table static entries from the command line

Type the following command:

b vlan <vlan name> fdb show static

For example:

b vlan internal fdb show static


To view L2 forwarding table dynamic entries from the command line

Type the following command:

b vlan <vlan name> fdb show dynamic

For example:

b vlan internal fdb show dynamic


To add an entry to the L2 forwarding table from the command line

Type the following command:

b vlan <vlan name> fdb add <MAC address> interface <ifname>

For example:

b vlan internal fdb add 00:a0:c9:9e:1e:2f interface 4.1


To delete an entry from the L2 forwarding table from the command line

Type the following command:

b vlan <vlan name> fdb delete <MAC address> interface <ifname>

For example:

b vlan internal fdb delete 00:a0:c9:9e:1e:2f interface 4.1


Setting the L2 forwarding aging time

Entries in the L2 forwarding table have a specified life span, after which they are flushed out if the MAC address is no longer present on the network. This life span is called the L2 forwarding aging time, and you can set it using the global variable L2 Aging Time. The default value is 300 seconds.

To set the L2 forwarding aging time using the Configuration utility
  1. In the navigation pane, click System.
    The System Properties screen opens.
  2. Click the Advanced Properties tab.
  3. In L2 Aging Time box, enter the aging time in seconds.
  4. Click Done.
To set the L2 forwarding aging time from the command line

Type the following command:

b global l2_aging_time <time_in_seconds>

For example:

b global l2_aging_time 200

Configuring VLAN groups

A VLAN group is a grouping of two or more VLANs belonging to the same IP network for the purpose of allowing layer 2 packet forwarding, also known as L2 forwarding, between those VLANs. L2 forwarding is the equivalent of bridging where you want communication between VLANs. By creating a VLAN group, nodes on the separate VLANs can exchange packets directly.

In the example shown in Figure 3.5, VLANs external and internal represent separate networks that were originally a single network. You can make them behave like a single network again, much like the networks contained in VLAN internal. You accomplish this by grouping them as shown in Figure 3.7.

Figure 3.7 VLANs and a VLAN group

To configure a VLAN group to use layer 2 forwarding, you must:

  • Create the VLAN group.
  • Assign a self IP address to the VLAN group, for routing purposes.
  • Verify or change L2 forwarding (also known as proxy forwarding).

    The following sections describe these procedures.


To create a VLAN group

You can create a VLAN group from the command line using the vlangroup command. For example:

b vlangroup network11 vlans add internal external


To assign the self IP address to the VLAN group

You can assign a self IP address to the VLAN group using the bigpipe self command. The syntax is as follows:

b self <ip address> vlan <vlangroup name>


To verify that L2 forwarding is enabled

L2 forwarding is enabled for the VLAN group using the VLAN proxy_forward attribute. By default, this attribute is enabled when you create a VLAN group.

To verify that L2 forwarding is enabled, type the following command:

b vlangroup show


To change the operation of L2 forwarding

If you want to manage L2 forwarding for a specific VLAN group or groups, use the bigpipe vlangroup command. Enabling the proxy_forward attribute with this command results in a combination of L2 proxy ARP with L3 forwarding. You can either use this default type of L2 forwarding (default value = 0), or change the value. Table 3.3 lists the allowed values.

Table 3.3 Allowed values for the vlangroup proxy_forward attribute

  • 0
    The default L2 proxy ARP with L3 forwarding.
  • 1
    L2 forwarding with locally-unique bit, toggled in ARP response across VLANs.
  • 2
    L2 forwarding with the original MAC address of the remote system preserved across VLANs.

If you want to manage L2 forwarding globally for all VLAN groups, use the bigpipe global command as follows:

b global vlangroups [value]

Table 3.4 lists the allowed values.

Table 3.4 Allowed values for the global vlangroups variable

  • opaque
    A proxy ARP with layer 3 forwarding. The command line syntax for enabling this setting is:

    b global vlangroups opaque

  • translucent
    Layer 2 forwarding with locally-unique bit, toggled in ARP response across VLANs. This is the default setting.
  • transparent
    Layer 2 forwarding with the original MAC address of the remote system preserved across VLANs. The command-line syntax for enabling this setting is:

    b global vlangroups transparent

To prevent L2 proxy ARP forwarding

In some cases, you might not want the active unit to forward proxy ARP requests to the standby unit, or to other hosts in the configuration. To exclude specific hosts from receiving forwarded proxy ARP requests, you can define a proxy_arp_exclude class that specifies the self IP addresses that you want to exclude. For example:

b class proxy_arp_exclude {host <self IP 1> host <self IP 2> host <self IP N>}


To specify a value for downed links

You can specify the length of time that a BIG-IP unit in a VLAN group keeps its links down when they are dropped during a switch from active to standby mode. A BIG-IP unit drops its links so that any connected switches will recognize that all proxy ARPed MAC addresses are on the currently-active BIG-IP system and not on the standby unit.

The value is specified in tenths of seconds. Thus, a value of 50 is equivalent to 5 seconds. By default, this feature is disabled, with a value of 0.

For example, the following command specifies a value of 5 seconds:

b global set standby_link_down_time = 50


Setting up security for VLANs

You can lock down a VLAN to prevent direct connection to the BIG-IP system through that VLAN. You can override this lockdown for specific services by enabling the corresponding global variable for that service. For example:

b global open_ssh_port enable


To enable or disable port lockdown using the Configuration utility
  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.
  3. To enable port lockdown, check the Port Lockdown box.
    To disable port lockdown, clear the Port Lockdown check box.
  4. Click Done.

To enable or disable port lockdown from the command line

To enable port lockdown, type:

b vlan <vlan_name> port_lockdown enable

To disable port lockdown, type:

b vlan <vlan_name> port_lockdown disable


Setting fail-safe timeouts for VLANs

For redundant BIG-IP pairs, you can enable a failsafe mechanism that will fail over when loss of traffic is detected on a VLAN, and traffic is not restored during the fail-over timeout period for that VLAN. You can enable a fail-safe mechanism to attempt to generate traffic when half the timeout has elapsed. If the attempt is successful, the fail-over is stopped.


To set the fail-over timeout and arm the fail-safe using the Configuration utility
  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.
  3. Check the Arm Failsafe box and specify the timeout in seconds in the Timeout box.

To set the fail-over timeout and arm the fail-safe from the command line

Using the vlan command, you may set the timeout period and also arm or disarm the fail-safe.

To set the timeout, type:

b vlan <vlan_name> timeout <timeout_in_seconds>

To arm the fail-safe, type:

b vlan <vlan_name> failsafe arm

To disarm the fail-safe, type:

b vlan <vlan_name> failsafe disarm


Setting the MAC masquerade address

You can share the media access control (MAC) masquerade address between BIG-IP units in a redundant system. This has the following advantages:

  • Increased reliability and failover speed, especially in lossy networks
  • Interoperability with switches that are slow to respond to the network changes
  • Interoperability with switches that are configured to ignore network changes

Note


For sensible operation, you must set the MAC masquerade address to be the same on both the active and standby units. To do this, configure the shared MAC address manually, by editing the bigip_base.conf file on both units. Do not use the bigpipe config sync command.

The MAC address for a VLAN is the MAC address of the first interface to be mapped to the VLAN, typically 4.1 for external and 5.1 for internal. You can view the interfaces mapped to a VLAN using the following command:

b vlan show

You can view the MAC addresses for the interfaces on the BIG-IP system using the following command:

b interface show verbose

Use the following syntax to set the MAC masquerade address that will be shared by both BIG-IP units in the redundant system.

b vlan <vlan_name> mac_masq <MAC_addr>

Find the MAC address on both the active and standby units, and pick one that is similar but unique. A safe technique for selecting the shared MAC address follows.

Suppose you want to set up mac_masq on the external interfaces. Using the b interface show command on the active and standby units, you note that their MAC addresses are:

Active: 3.1 = 0:0:0:ac:4c:a2

Standby: 3.1 = 0:0:0:ad:4d:f3

In order to avoid packet collisions, you now must choose a unique MAC address. The safest way to do this is to select one of the addresses and logically OR the first byte with 0x40. This makes the MAC address a locally administered MAC address.

In this example, either 40:0:0:ac:4c:a2 or 40:0:0:ad:4d:f3 would be a suitable shared MAC address to use on both BIG-IP units in the redundant system.
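
The selection rule above, carried out as an added example (not code from the chapter or from F5): it ORs the first byte of one unit's MAC with 0x40 exactly as the chapter prescribes, then checks that the candidate is a unicast address and collides with no burned-in address on either unit before emitting the b vlan ... mac_masq command. The two MAC addresses are the chapter's own sample values; the VLAN name external in the emitted command is assumed.

```python
"""Choose a shared MAC masquerade address for a redundant BIG-IP pair.

Added example, not from the chapter or from F5. It applies the chapter's
rule (logically OR the first byte of one unit's interface MAC with 0x40)
and then verifies that the candidate is unicast and differs from every
burned-in MAC on both units. The sample addresses are the chapter's own;
the VLAN name passed to mac_masq_command is assumed.
"""
from typing import Iterable, List

LOCAL_FLAG = 0x40      # the chapter's flag: first byte OR 0x40
MULTICAST_BIT = 0x01   # low bit of the first byte set means group address


def parse_mac(text: str) -> bytes:
    """Parse colon-separated hex; bigpipe prints bytes without leading zeros (0:0:0:ac:4c:a2)."""
    parts = text.strip().lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 6-byte MAC: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def masquerade_candidate(mac: bytes) -> bytes:
    """OR the first byte with 0x40, as the chapter prescribes.

    0x40 is the universal/local bit when the first octet is written in
    bit-reversed (non-canonical) order; in canonical Ethernet bit order
    that same bit is 0x02. Either way the result is guaranteed to differ
    from the burned-in address it was derived from.
    """
    return bytes([mac[0] | LOCAL_FLAG]) + mac[1:]


def is_unicast(mac: bytes) -> bool:
    return (mac[0] & MULTICAST_BIT) == 0


def choose_mac_masq(active_macs: Iterable[str], standby_macs: Iterable[str]) -> str:
    """Return a masquerade address that is unique across both units' interfaces.

    Candidates are derived from each burned-in address in turn; one that
    already exists on either unit (or is a group address) is skipped.
    """
    inventory: List[bytes] = [parse_mac(m) for m in list(active_macs) + list(standby_macs)]
    burned_in = set(inventory)
    for mac in inventory:
        cand = masquerade_candidate(mac)
        if is_unicast(cand) and cand not in burned_in:
            return format_mac(cand)
    raise RuntimeError("every candidate collides with a burned-in address")


def mac_masq_command(vlan: str, mac: str) -> str:
    """The bigpipe command from the chapter; run it identically on both units."""
    return f"b vlan {vlan} mac_masq {mac}"


if __name__ == "__main__":
    # Active 3.1 = 0:0:0:ac:4c:a2, standby 3.1 = 0:0:0:ad:4d:f3 (chapter's values)
    chosen = choose_mac_masq(["0:0:0:ac:4c:a2"], ["0:0:0:ad:4d:f3"])
    print(mac_masq_command("external", chosen))
```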

The shared MAC address is used only when the BIG-IP system is in active mode. When the unit is in standby mode, the original MAC address of the network card is used.

If you do not configure mac_masq on startup, or when transitioning from standby mode to active mode, the BIG-IP system sends gratuitous ARP requests to notify the default router and other machines on the local Ethernet segment that its MAC address has changed. See RFC 826 for more details on ARP.

Note


The MAC masquerade information is stored in the bigip_base.conf file.

Configuring VLAN mirroring

VLAN mirroring is an element of the Probe Control feature. Probe Control allows the BIG-IP system to replicate packets and send them to another network device. Typically, Probe Control is useful when deploying intrusion detection systems, which passively inspect all packets going through a network.

VLAN mirroring is similar to port mirroring, in that packets received by a VLAN are copied and sent to another VLAN or set of VLANs. In a VLAN mirroring configuration, this occurs for all traffic received on the source VLAN, regardless of the destination MAC address on the packet. Note that VLAN mirroring applies to Out-of-Band configurations only, which means that packets sent from the BIG-IP system, out through a specific VLAN, are not mirrored.

A VLAN configured to receive replicated packets is known as a mirror-target VLAN.

Once you have configured a mirror-target VLAN, you cannot use any IP addresses on that VLAN. Thus, you cannot use IP addresses such as virtual servers, SNATs, and self IP addresses on a VLAN configured for mirroring.

Figure 3.8 shows an example of entries in the bigip.conf file that enable VLAN mirroring.

Figure 3.8 Example of a VLAN mirroring configuration


vlan external {
   interfaces 1.1
   mirror vlans ids1 and ids2
}

In the preceding example, the VLAN external replicates packets and sends them to VLANs ids1 and ids2. VLANs ids1 and ids2 are the mirror-target VLANs.


To configure VLAN mirroring using the Configuration utility
  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Add button or click on an existing VLAN name to view its properties.
  3. In the Mirrored VLANs box, select a VLAN name in the Existing VLANs box and move it to the Mirrored VLANs box, using the arrows (>>).
  4. Click Done or Apply.

To configure VLAN mirroring from the command line

The following command syntax shows how to configure VLAN mirroring on two VLANs.

b vlan <vlan_name> mirror vlans <vlan1> <vlan2>

When using VLAN mirroring for load balancing, you can enable hash mode. The next section describes hash mode, followed by a description of VLAN mirroring as used by intrusion detection systems.


Hash mode

When you configure VLAN mirroring for hash mode, you can choose from two settings: Enabled or Port Enabled.

Enabled


When hash mode is set to Enabled, the replicated packets are not sent to every VLAN in the mirror list. Instead, the BIG-IP system hashes the IP addresses on the packet and sends the packet to only one of the mirrored VLANs, based on the computed hash.

Figure 3.9 shows the same mirrored VLAN configuration as above, with hash mode set to Enabled.

Figure 3.9 Example of hash mode set to Enabled


vlan external {
interfaces 1.1

mirror vlans ids1 and ids2
mirror hash enable
}
 

To set hash mode to Enabled using the Configuration utility
  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Add button or click on an existing VLAN name to view its properties.
  3. In the Mirror Hash box, choose Enabled.
  4. Click Done or Apply.

To set hash mode to Enabled from the command line

The following command syntax shows how to set hash mode to Enabled when you configure VLAN mirroring.

b vlan <vlan_name> mirror vlans <vlan1> <vlan2> hash enable


Port Enabled


The Port Enabled setting works like the Enabled setting, but also includes the TCP or UDP port numbers in the computed hash.

Figure 3.10 shows the same mirrored VLAN configuration as above, with hash mode set to Port Enabled.

Figure 3.10 Example of hash mode set to Port Enabled


vlan external {
interfaces 1.1

mirror vlans ids1 and ids2
mirror hash port enable
}
 

Note


Setting the hash mode to Port Enabled can increase the granularity of load balancing. However, this mode is incompatible with IP fragmentation. If your network traffic includes IP fragments, it is recommended that you set the hash mode to Enabled.

To set hash mode to Port Enabled using the Configuration utility
  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Add button or click on an existing VLAN name to view its properties.
  3. In the Mirror Hash box, choose Port Enabled.
  4. Click Done or Apply.

To set hash mode to Port Enabled from the command line

The following command syntax shows how to set hash mode to Port Enabled when you configure VLAN mirroring.

b vlan <vlan_name> mirror vlans <vlan1> <vlan2> hash port enable
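How the two hash modes choose a mirror-target VLAN, and why Port Enabled breaks on fragmented traffic, as an added example that is not part of this guide or of BIG-IP: the addresses, ports and VLAN names are constructed, and an XOR fold stands in for the undocumented hash algorithm, so read the selection logic from it rather than the exact target chosen. Only the first fragment of a datagram carries the TCP or UDP header, so later fragments can only be hashed on their addresses (a modelling assumption); under Port Enabled they can therefore land on a different mirror-target VLAN than the first fragment, leaving that IDS with an incomplete datagram.

```python
"""Model of how VLAN mirroring chooses mirror-target VLANs under each hash mode.

Added example, not BIG-IP code.  The real hash algorithm is not documented on
this page, so an XOR fold over the address (and port) bytes stands in for it;
only the selection behaviour the text describes is modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None when this fragment carries no TCP/UDP header
    dst_port: Optional[int]
    frag_offset: int = 0      # 0 for an unfragmented packet or the first fragment


def _ip_octets(ip: str) -> List[int]:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return octets


def _fold(values: List[int]) -> int:
    """Stand-in hash (assumption): XOR-fold the byte values into one number."""
    h = 0
    for v in values:
        h ^= v
    return h


def pick_targets(pkt: Packet, targets: List[str], hash_mode: Optional[str]) -> List[str]:
    """Return the mirror-target VLAN(s) that receive a replica of pkt.

    hash_mode None          -> every VLAN in the mirror list (plain mirroring)
    hash_mode "enable"      -> one VLAN, chosen by hashing the IP address pair
    hash_mode "port enable" -> one VLAN, chosen by hashing IPs plus TCP/UDP ports

    A non-first fragment has no L4 header, so in "port enable" mode it can only
    be hashed on its IP addresses (modelling assumption).  That is why fragments
    of one datagram can land on different targets in that mode.
    """
    if not targets:
        raise ValueError("mirror list is empty")
    if hash_mode is None:
        return list(targets)
    if hash_mode not in ("enable", "port enable"):
        raise ValueError(f"unknown hash mode: {hash_mode!r}")
    values = _ip_octets(pkt.src_ip) + _ip_octets(pkt.dst_ip)
    if hash_mode == "port enable" and pkt.src_port is not None and pkt.dst_port is not None:
        for port in (pkt.src_port, pkt.dst_port):
            values += [port >> 8, port & 0xFF]
    return [targets[_fold(values) % len(targets)]]


def fragments_stay_together(frags: List[Packet], targets: List[str],
                            hash_mode: Optional[str]) -> bool:
    """True when every fragment of a datagram is replicated to the same target set."""
    chosen = {tuple(pick_targets(f, targets, hash_mode)) for f in frags}
    return len(chosen) == 1


# Constructed sample: one TCP datagram split into two fragments (assumed addresses).
TARGETS = ["ids1", "ids2"]
FIRST_FRAG = Packet("10.1.1.5", "10.1.2.9", 40001, 80, frag_offset=0)
LATER_FRAG = Packet("10.1.1.5", "10.1.2.9", None, None, frag_offset=185)

if __name__ == "__main__":
    for mode in (None, "enable", "port enable"):
        print(f"hash mode {mode!s:12}: first -> {pick_targets(FIRST_FRAG, TARGETS, mode)}, "
              f"later -> {pick_targets(LATER_FRAG, TARGETS, mode)}, "
              f"together={fragments_stay_together([FIRST_FRAG, LATER_FRAG], TARGETS, mode)}")
```

With the sample datagram, Enabled sends both fragments to ids2, while Port Enabled sends the first fragment to ids1 and the later one to ids2, which is the failure the note above warns about.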


Handling traffic from Intrusion Detection Systems

Typically, the VLAN mirroring feature is used to send packets to a passive intrusion detection system (IDS). An IDS inspects packets and looks for threatening content.

If the IDS determines that a packet is part of a network attack, the IDS might attempt to send one or more TCP resets to the client and server to terminate the connection. When this happens, it is the mirror-target VLAN, not the original source VLAN, that receives those packets.

By default, once the mirror-target VLAN receives the packets, it forwards the packets to the source VLAN (in our example, VLAN external). You can disable this behavior by resetting the mirror_vlan_forwarding variable, using the bigpipe global command. Disabling this variable causes any packets received on a mirror-target VLAN to be discarded.


To disable forwarding of packets to a source VLAN using the Configuration utility
  1. In the navigation pane, click System.
  2. Click the Advanced Properties tab.
  3. In the mirror_vlan_forwarding box, click on the check box to remove the check.
  4. Click Apply.

To disable forwarding of packets to a source VLAN from the command line

The command syntax for disabling packet forwarding in a mirrored configuration is as follows:

b global mirror_vlan_forwarding disable


Self IP addresses

A self IP address is an IP address mapping to one or more VLANs and their associated interfaces on a BIG-IP system. You assign a self IP address to each interface on the unit as part of Setup configuration, and you also assign a floating (shared) alias for units in a redundant system. (A floating self IP address is the address to which the servers behind the BIG-IP system route traffic). You can create additional self IP addresses for health checking, gateway failsafe, routing, or other purposes. You can create these additional self IP addresses using the Configuration utility or the bigpipe self command.


To add a self IP address to a VLAN using the Configuration utility
  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Self IP Addresses tab.
  3. Click the Add button.
  4. In the IP Address box, type the self IP address to be assigned.
  5. In the Netmask box, type an optional netmask.
  6. In the Broadcast box, type an optional broadcast address.
  7. If you want to configure the self IP address as a floating address, check the Floating box.
  8. If you want to enable the address for SNAT auto-mapping, check the SNAT Automap box.
  9. In the VLAN box, type the name of the VLAN to which you want to assign the self IP address.
  10. Click Done.

To add a self IP address to a VLAN from the command line

Use the following syntax:

b self <addr> vlan <vlan_name> [netmask <ip_mask>] [broadcast <broadcast_addr>] [unit <id>]

You can add any number of additional self IP addresses to a VLAN to create aliases. For example:

b self 11.11.11.4 vlan external

b self 11.11.11.5 vlan external

b self 11.11.11.6 vlan external

b self 11.11.11.7 vlan external

Also, any one self IP address may have floating enabled to create a floating alias that is shared by both units of a BIG-IP redundant system:

b self 11.11.11.8 floating enable

Assigning a self IP address to an interface automatically maps it to the VLAN of which it is a member. Assigning a self IP address to an interface not mapped to an untagged VLAN produces an error message.


Enabling or disabling SNAT automap

The self IP addresses you enable on the external VLAN determine the translation address for SNAT auto-mapping. For more information about SNAT auto-mapping, see Chapter 10, Address Translation: SNATs, NATs, and IP Forwarding.


Defining additional host names

Once you complete the Setup utility, you may want to insert additional host names and IP addresses for network devices into the /etc/hosts file to allow for more user-friendly system administration. In particular, you may want to create host names for the IP addresses that you will assign to virtual servers. You may also want to define host names for standard devices such as your routers, network interface cards, and the servers or other equipment that you are load balancing.

The /etc/hosts file, as created by the Setup utility, is similar to the example shown in Figure 3.11.

Figure 3.11 The /etc/hosts file created by the Setup utility


# BIG-IP(R) Hosts Table Generated by Setup utility on Thu May 16 11:03:03 PDT 2002

# localhost entry
127.1 localhost

# default gateway entry
11.11.11.10 router


# Local name
11.11.11.2 bigip1.mynet.net

# Peer name (state mirror)
11.12.11.1 peer

#
# vlans
#
11.11.11.2 external
11.12.11.2 internal

#
# VIPS and NODES ( add below - do not delete this line )
#
 

This sample hosts file lists the IP addresses for the default router, the internal VLAN, and the external VLAN, and it contains placeholders for both the virtual servers and the content servers that the BIG-IP system will manage.

Warning


If you have modified the /etc/hosts file with something other than the Setup utility, such as vi or pico, be aware that your changes may be lost when you run the Setup utility (config). The Setup utility overwrites the /etc/hosts file and openssl.conf, but it does not warn you before doing so.

Managing the SSH Console

An SSH console gives you the ability to use a command line interface to securely manage your local BIG-IP system. You can either use the MindTerm SSH console that is available through the Configuration utility, or you can download a different SSH console, using the initial screen of the BIG-IP browser interface.


Using the MindTerm SSH Console

With the MindTerm SSH Console, you can open an SSH session for the BIG-IP system from the Configuration utility. Use the MindTerm SSH client to enable secure command line administration. You can perform any of the command line tasks in a popup console screen.

Warning


The MindTerm SSH client requires a Java virtual machine to operate. If you are unable to run the MindTerm SSH client, make sure that you have a Java virtual machine installed and that your browser has Java enabled in the Preferences, or Options, section. For more information on Java virtual machines and download options, visit your web browser manufacturer's web site.

To open the MindTerm SSH Console using the Configuration utility
  1. In the navigation pane, click MindTerm SSH Console.
    A popup console opens.
  2. When you see the command prompt, press Enter.
  3. Log in to the BIG-IP system as you normally would.

Note


When you use the MindTerm SSH Console, you can only administer the local BIG-IP system. If you wish to administer remote systems, you do so using an SSH or Telnet session from the command line. For information about installing an SSH client on the administrative workstation, see the following section.

Downloading an SSH client to your administrative workstation

From BIG-IP units that support encrypted communications, you can download the SSH client to your administrative workstation in preparation for remote command line access. In addition to running BIG-IP command line utilities, you can also use the SSH suite for file transfer to and from the BIG-IP system, as well as for remote backups.

The SSH client is available for both Windows and UNIX platforms, and you can download your preferred client either from the web server or using an FTP connection. You can find detailed information about the SSH client in the documentation provided on the web server or on the Documentation and Software CD-ROM.

Note


If your BIG-IP system does not support encrypted connections, you can use a Telnet shell for remote command line access.

Downloading the SSH client from the web server
  1. Connect to the BIG-IP system using https:// rather than http:// in the URL.
  2. In the Additional Software Downloads section, click the SSH Clients link.
  3. From the SSH Clients page, you can choose the SSH Client appropriate to your operating system.

Setting up an SSH client on a Windows 95 or Windows NT workstation

The SSH client installation file for Windows platforms is compressed in ZIP format. You can use standard ZIP tools, such as PKZip or WinZip, to extract the file.


To unzip and install the SSH client
  1. Log on to the Windows workstation.
  2. Navigate to the directory to which you transferred the installation file. Run PKZip or WinZip to extract the files.
  3. The set of files extracted includes a Setup program. Run the Setup program to install the client.
  4. Start the SSH client.
  5. In the SSH Client window, from the Edit menu choose Properties.
    The Properties dialog box opens.
  6. In the Connection tab, in the Remote Host section, type the following items:

    • In the Host Name box, type the BIG-IP system IP address or host name.
    • In the User Name box, type the root user name.
  7. In the Options section, check Compression and set the Cipher option to Blowfish.
  8. Click the OK button.

Setting up an SSH client on a UNIX workstation

The installation file for UNIX platforms is compressed in tar/gzip format.


To untar and install the SSH client
  1. Log on to the workstation and navigate to the directory into which you transferred the SSH client tar file.
  2. Untar the file and follow the instructions in the install file to build the SSH client for your workstation.
  3. Start the SSH client.
  4. Open a connection to the BIG-IP system:

    ssh -l root [BIG-IP IP address]

  5. Type the root password and press the Enter key.

Addressing general networking issues

You must address several network issues when you place a BIG-IP system in your network. These networking issues include routing, DNS configuration, and special e-mail considerations. You need to address these issues based on the type of hardware and software in your network. This section describes the following networking issues:

  • Addressing routing issues
    There are a variety of routing configuration issues that you need to address. If you did not create a default route with the Setup utility, you must now configure a default route for the BIG-IP system. You also must set up routes for the nodes that the BIG-IP system manages. You may also want to configure the BIG-IP so that dynamic routing information can automatically be updated on the BIG-IP system.
  • Configuring DNS on the BIG-IP system
    You may need to configure the BIG-IP system for DNS resolution or for DNS proxy, and you may even need to convert from rotary or round robin DNS.
  • Configuring email on the BIG-IP system
    There are some special requirements that you need to take into account when configuring email on the BIG-IP system.

Addressing routing issues

The BIG-IP system must communicate properly with network routers, as well as with the servers, firewalls, and other routers that it manages. Because router configurations vary, as does the degree of direct control an administrator has over each router, you need to carefully review the router configurations in your own network. You may need to change some routing configurations before you put the BIG-IP system into production.

The BIG-IP system supports static route configurations, dynamic routing (by way of BGP4, RIP1, RIP2, and OSPF), and subnetting. However, the BIG-IP system is also designed to eliminate the need for you to modify routing tables on a router that routes to a BIG-IP system. Instead, the BIG-IP system uses Address Resolution Protocol (ARP) to notify routers of the IP addresses that it uses on each interface, as well as on its virtual servers.

The following sections address these common routing issues:

  • Routing from a BIG-IP system to a gateway to the external network
  • Routing from content servers to the BIG-IP system
  • Routing between a BIG-IP system and content servers that are on different logical networks
  • Setting up dynamic routing with GateD
  • Configuring static routes in /config/routes

Routing from a BIG-IP system to a gateway to the external network

The BIG-IP system needs a route to the external network. For most configurations, this should be configured as the default gateway pool on the BIG-IP system.

During installation, you were prompted to configure a default route for the BIG-IP system. If you need to change the default route at this time, you can set a new default route by editing the default gateway pool.


To change the default route from the Setup utility
  1. From the command line, type config.
    The Setup utility menu opens.
  2. Choose the Default Gateway Pool option.
  3. Type the IP address of the gateway you want to add to the default gateway pool.
  4. Save and exit.

To change the default route using the Configuration utility
  1. In the navigation pane, click System.
    The System Properties screen opens.
  2. Click the System tab.
    Look in the Default Gateway Pool list for the name of the default gateway pool. Make sure you have the pool name before proceeding to step 3.
  3. In the navigation pane, click Pools.
    The Pools screen opens.
  4. In the list of pools, click the name of the default gateway pool.
    The pool properties page for that pool opens.
  5. In the Resources section of the screen, add or remove gateway IP addresses.
  6. Click the Apply button.

Routing from content servers to the BIG-IP system

The content servers being load balanced by the BIG-IP system need to have a default route set to the internal shared floating IP alias of the BIG-IP system. For most configurations, this should be configured as the default route on the content server.

For information about setting the default route for your content servers, refer to the product documentation for your server.


Routing between a BIG-IP system and content servers on different logical networks

If you need to configure the BIG-IP system to use one or more nodes that actually sit on a different logical network from the BIG-IP system, you need to assign one or more additional routes to get to those nodes. Set each node's default route so that traffic goes back through the BIG-IP system internal interface.

In the following examples, the nodes are on 192.168.6.0/24 and the BIG-IP system internal interface is on 192.168.5.0/24. There are two possible situations that you may have to address:

  • 192.168.5.0/24 and 192.168.6.0/24 are on the same LAN (either sharing media or with a switch or hub between them).
  • 192.168.5.0/24 and 192.168.6.0/24 are on two different LANs with a router between them.

Case 1: Same LAN

If the nodes are on the same LAN as the BIG-IP system, you need to add an interface route for 192.168.6.0/24 to an interface on the internal network. You can add this route to the bottom of the /etc/rc.local file using this syntax, where <ip addr> is the IP address on the internal interface:

route add -net 192.168.6 -interface <ip addr>

Note


Make sure that you have defined the interface correctly in the /etc/hosts file.

Case 2: Different LANs

If you have nodes on different LANs from the BIG-IP system, you need to add a static gateway route on the BIG-IP system itself. If, for example, the router that connects the 192.168.5 network and the 192.168.6 network has IP addresses 192.168.5.254 and 192.168.6.254, then you could use the following command to create the necessary static route on the BIG-IP system:

route add -net 192.168.6.0 -gateway 192.168.5.254

You should add this command to the end of the file /etc/netstart so that it runs each time the BIG-IP system boots.

You may also need to set the default route on the nodes to point to the router between the LANs. For example:

route add default -gateway 192.168.6.254

Finally, you need to set the default route on the router between the LANs to the shared alias on the BIG-IP system. For example, type the command:

route add default -gateway 192.168.5.200

Note


These examples assume you are using a UNIX-based router. The exact syntax for your router may be different.

It is not necessary to set the default route for nodes directly to the BIG-IP system, as long as the default path eventually routes through the BIG-IP system.


Setting up dynamic routing with the Advanced Routing Modules

You can configure dynamic routing using Advanced Routing Modules (ARMs). ARMs correspond to the following protocols or modules: Border Gateway Protocol (BGP), network services module (NSM), Open Shortest Path First (OSPF) Protocol, and Routing Information Protocol (RIP).

For information on setting up dynamic routing using the ARMs, see the Command Reference guide that corresponds to the appropriate module. Available guides are:

  • BGP Command Reference
  • NSM Command Reference
  • OSPF Command Reference
  • RIP Command Reference

Configuring static routes in /config/routes

You can create the file /config/routes on the BIG-IP system for configuring static route information. The information you add to /config/routes is synchronized between units in a BIG-IP redundant system. When you upgrade, the route information is saved and reinstalled when the upgrade is complete.

You can add routes to /config/routes using the format in Figure 3.12.

Figure 3.12 Example entries in /config/routes


route add -net 10.1.10.0 -netmask 255.255.255.0 -gateway 10.1.30.254
route add -net 10.1.20.0 -netmask 255.255.255.0 -gateway 10.1.30.254
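
Added example, not part of this guide or of BIG-IP: a Python audit of static-route lines of the kind shown in Case 1, Case 2 and Figure 3.12 against the unit's self IP addresses, taken from b self command lines in the syntax of the Self IP addresses section. It checks that each -gateway lies on a directly connected self IP network and that each -interface address is a self IP of the unit, the two ways such a route silently fails to install or forward. The sample self IPs and the fourth, deliberately bad route are constructed; the shorthand handling of -net 192.168.6 and the class-based default mask when netmask is omitted approximate route(8) and are assumptions of the example.

```python
"""Audit 'route add' lines against a unit's self IP addresses (added example, not BIG-IP code;
shorthand handling approximates route(8) and is an assumption of this example)."""
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

SelfTable = Dict[str, List[ipaddress.IPv4Interface]]


def _classful_prefix(addr: str) -> int:
    first = int(addr.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def parse_self_commands(text: str) -> SelfTable:
    """VLAN name -> self IPs, from 'b self <addr> vlan <name> [netmask <mask>] ...' lines.
    When netmask is omitted, a class-based mask is assumed."""
    selfs: SelfTable = {}
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)
        if not toks:
            continue
        if len(toks) < 5 or toks[:2] != ["b", "self"] or toks[3] != "vlan":
            raise ValueError(f"not a 'b self <addr> vlan <name>' line: {line!r}")
        addr, vlan, opts = toks[2], toks[4], toks[5:]
        mask = next((opts[i + 1] for i in range(0, len(opts) - 1, 2) if opts[i] == "netmask"), None)
        selfs.setdefault(vlan, []).append(ipaddress.ip_interface(f"{addr}/{mask or _classful_prefix(addr)}"))
    return selfs


def _destination(dest: str, mask: Optional[str], is_net: bool) -> ipaddress.IPv4Network:
    """'-net 192.168.6' means 192.168.6.0/24: missing octets are zero and, without
    -netmask, the prefix covers the octets given (class-based for a full address)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = dest.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad destination: {dest}")
    addr = ".".join(parts + ["0"] * (4 - len(parts)))
    if mask is None:
        mask = str(32 if not is_net else 8 * len(parts) if len(parts) < 4 else _classful_prefix(addr))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_route(line: str) -> Optional[dict]:
    """Parse one 'route add ...' line; None for a blank or comment line."""
    toks = shlex.split(line, comments=True)
    if not toks:
        return None
    if toks[:2] != ["route", "add"]:
        raise ValueError(f"unsupported line: {line!r}")
    dest = mask = gateway = iface = None
    is_net, args, i = False, toks[2:], 0
    while i < len(args):
        flag = args[i]
        if flag == "default":
            dest, is_net, i = "default", True, i + 1
            continue
        if i + 1 >= len(args):
            raise ValueError(f"missing value after {flag}: {line!r}")
        val = args[i + 1]
        if flag in ("-net", "-host"):
            dest, is_net = val, flag == "-net"
        elif flag == "-netmask":
            mask = val
        elif flag == "-gateway":
            gateway = val
        elif flag == "-interface":
            iface = val
        else:
            raise ValueError(f"unknown option {flag}: {line!r}")
        i += 2
    if dest is None:
        raise ValueError(f"no destination: {line!r}")
    return {"dest": _destination(dest, mask, is_net), "gateway": gateway, "interface": iface}


def check_route(route: dict, selfs: SelfTable) -> List[str]:
    """Problems that would make the route unusable on this unit."""
    nets = [s.network for group in selfs.values() for s in group]
    own = {s.ip for group in selfs.values() for s in group}
    if route["gateway"] is not None:
        gw = ipaddress.ip_address(route["gateway"])
        if gw in own:
            return [f"gateway {gw} is this unit's own self IP"]
        if not any(gw in n for n in nets):
            return [f"gateway {gw} is not on a directly connected self IP network"]
    elif route["interface"] is not None:
        if ipaddress.ip_address(route["interface"]) not in own:
            return [f"interface address {route['interface']} is not a self IP of this unit"]
    else:
        return ["route names neither -gateway nor -interface"]
    return []


def audit_routes(route_text: str, self_text: str) -> List[Tuple[str, List[str]]]:
    """(destination, problems) for every route line, in file order."""
    selfs = parse_self_commands(self_text)
    routes = (parse_route(line) for line in route_text.splitlines())
    return [(str(r["dest"]), check_route(r, selfs)) for r in routes if r is not None]


# Constructed samples (not a real unit's configuration).
SAMPLE_SELF = """\
b self 11.11.11.2 vlan external netmask 255.255.255.0
b self 10.1.30.2 vlan internal netmask 255.255.255.0
b self 10.1.30.200 vlan internal netmask 255.255.255.0 floating enable
"""
SAMPLE_ROUTES = """\
# the two entries of Figure 3.12, a Case 1 style interface route, and one bad entry
route add -net 10.1.10.0 -netmask 255.255.255.0 -gateway 10.1.30.254
route add -net 10.1.20.0 -netmask 255.255.255.0 -gateway 10.1.30.254
route add -net 192.168.6 -interface 10.1.30.2
route add -net 10.1.40.0 -netmask 255.255.255.0 -gateway 10.1.50.254
"""

if __name__ == "__main__":
    for dest, problems in audit_routes(SAMPLE_ROUTES, SAMPLE_SELF):
        print(dest, "OK" if not problems else "; ".join(problems))
```

Run the audit over a proposed /config/routes before copying it to the unit: the two Figure 3.12 entries and the interface route pass, while the constructed fourth entry is reported because 10.1.50.254 is not reachable on any self IP network.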
 

Configuring DNS on the BIG-IP system

If you plan to use DNS in your network, you can configure DNS on the BIG-IP system. There are three different DNS issues that you may need to address when setting up the BIG-IP system:

  • Configuring DNS resolution on the BIG-IP system
  • Configuring DNS proxy
  • Converting from rotary or round robin DNS

Configuring DNS resolution

When entering virtual addresses, node addresses, or any other addresses on the BIG-IP system, you can use the address, host name, or fully qualified domain name (FQDN).

The BIG-IP system looks up host names and FQDNs in the /etc/hosts file. If it does not find an entry in that file, then it uses DNS to look up the address. In order for this to work, you need to create an /etc/resolv.conf file. The file should have the following format:

nameserver <DNS_SERVER_1>

search <DOMAIN_NAME_1> <DOMAIN_NAME_2>

In place of the <DNS_SERVER_1> parameter, use the IP address of a properly configured name server that has access to the Internet. You can specify additional name servers as backups by inserting an additional nameserver line for each backup name server.

If you configure the BIG-IP system itself as a DNS proxy server, then we suggest that you choose its loopback address (127.0.0.1) as the first name server in the /etc/resolv.conf file.

Replace the <DOMAIN_NAME_1> and <DOMAIN_NAME_2> parameters with a list of domain names to use as defaults. The resolver appends these domains when a name is entered as a bare host name rather than as an FQDN. When you enter domain names in this file, separate each domain name with a space, as shown in Figure 3.13.

Figure 3.13 Sample /etc/resolv.conf file


; example /etc/resolv.conf
nameserver 127.0.0.1
nameserver 127.16.112.2 ;ip address of main DNS server
search mysite.com store.mysite.com
 

You can also configure the order in which name resolution checks are made by configuring the /etc/irs.conf file. You should set this file so that it checks the /etc/hosts file first, and then checks for DNS entries. See Figure 3.14 for an example of how to make the entry in the /etc/irs.conf file.

Figure 3.14 Sample entry for the /etc/irs.conf file


hosts local continue
hosts dns
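
The lookup order these files establish, as an added example that is not from this guide or from BIG-IP: it parses the /etc/hosts layout of Figure 3.11 (including the 127.1 shorthand), the resolv.conf layout of Figure 3.13 with its ; comments, and the irs.conf order of Figure 3.14, then answers a name from /etc/hosts when present and otherwise reports which names the resolver would try, expanded with the search list, and at which name servers. The sample files are constructed; the first-answer-wins walk is this example's reading of the text, not a model of every irs.conf keyword; and the candidate-name order approximates the resolver's search behaviour. It also checks the suggestion above that 127.0.0.1 come first when the unit is its own DNS proxy.

```python
"""Model the lookup order the page configures: /etc/hosts first, then DNS via
/etc/resolv.conf, in the order /etc/irs.conf lists the sources.  Added example,
not BIG-IP code: sources are tried in order and the first answer wins, as the
text describes; the finer semantics of the irs.conf keywords are not modelled."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed samples in the layouts of Figures 3.11, 3.13 and 3.14 (not a real unit's files).
HOSTS = """\
127.1 localhost
11.11.11.10 router
11.11.11.2 bigip1.mynet.net
11.12.11.1 peer
11.11.11.2 external
11.12.11.2 internal
"""
RESOLV = """\
; sample resolv.conf
nameserver 127.0.0.1
nameserver 172.16.112.2 ;ip address of main DNS server
search mysite.com store.mysite.com
"""
IRS = "hosts local continue\nhosts dns\n"


def expand_inet_aton(text: str) -> str:
    """Expand the classic inet_aton() short forms ('127.1' -> '127.0.0.1'): the last
    part fills all remaining low-order bytes.  Decimal parts only."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4 or any(not 0 <= p <= 255 for p in parts[:-1]) \
            or not 0 <= parts[-1] < 1 << (40 - 8 * len(parts)):
        raise ValueError(f"bad address: {text}")
    value = parts[-1]
    for i, p in enumerate(parts[:-1]):
        value |= p << (24 - 8 * i)
    return str(ipaddress.IPv4Address(value))


def parse_hosts(text: str) -> Dict[str, str]:
    """Name -> address; the first entry for a name wins, as gethostbyname() does."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), expand_inet_aton(fields[0]))
    return table


def parse_resolv(text: str) -> Tuple[List[str], List[str]]:
    """(nameservers, search domains); ';' and '#' start comments, even mid-line."""
    nameservers: List[str] = []
    search: List[str] = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split("#", 1)[0].split()
        if fields[:1] == ["nameserver"] and len(fields) >= 2:
            nameservers.append(str(ipaddress.ip_address(fields[1])))
        elif fields[:1] == ["search"]:
            search = [d.lower() for d in fields[1:]]      # the last search line wins
    return nameservers, search


def parse_irs(text: str) -> List[Tuple[str, str]]:
    """Ordered (map, source) pairs, e.g. [('hosts', 'local'), ('hosts', 'dns')]."""
    pairs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs.append((fields[0], fields[1]))
    return pairs


def dns_candidates(name: str, search: List[str]) -> List[str]:
    """Names a stub resolver tries for a miss in /etc/hosts (approximates res_search:
    a dotted name is tried as given first; a bare host name gets each search domain
    appended and is tried unqualified last)."""
    suffixed = [f"{name}.{d}" for d in search]
    return [name] + suffixed if "." in name else suffixed + [name]


def resolve(name: str, hosts: Dict[str, str], order: List[Tuple[str, str]],
            resolv: Tuple[List[str], List[str]]) -> Tuple[str, object]:
    """Walk the 'hosts' sources in irs.conf order and stop at the first answer."""
    nameservers, search = resolv
    for map_name, source in order:
        if map_name != "hosts":
            continue
        if source == "local" and name.lower() in hosts:
            return ("local", hosts[name.lower()])
        if source == "dns":
            return ("dns", {"try": dns_candidates(name, search), "nameservers": nameservers})
    return ("unresolved", None)


def check_resolv(nameservers: List[str], dns_proxy_enabled: bool) -> List[str]:
    """Warnings worth raising before relying on the file."""
    if not nameservers:
        return ["no nameserver lines: DNS lookups will fail"]
    if dns_proxy_enabled and nameservers[0] != "127.0.0.1":
        return ["DNS proxy is enabled but 127.0.0.1 is not the first nameserver"]
    return []


def lookup(name: str):
    """Resolve against the constructed sample files above."""
    return resolve(name, parse_hosts(HOSTS), parse_irs(IRS), parse_resolv(RESOLV))


if __name__ == "__main__":
    for n in ("localhost", "router", "www", "www.other.example"):
        print(n, "->", lookup(n))
    print(check_resolv(parse_resolv(RESOLV)[0], dns_proxy_enabled=True))
```

The practical point the walk makes visible is that a name present in /etc/hosts never reaches DNS, so a stale hosts entry for a node or router silently overrides the name server, and that a bare host name is only resolvable through the search list.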
 

Configuring DNS proxy

The BIG-IP system is automatically configured as a DNS proxy or forwarder. This is useful for providing DNS resolution for servers and other equipment load balanced by the BIG-IP system. This can be set in the Setup utility.

To re-configure DNS proxy, you simply edit the /etc/named.boot file that contains these two lines:

forwarders <DNS_SERVERS>

options forward-only

In place of the <DNS_SERVERS> parameter, use the IP addresses of one or more properly configured name servers that have access to the Internet.

You can also configure the BIG-IP system to be an authoritative name server for one or more domains. This is useful when DNS is needed in conjunction with internal domain names and network addresses for the servers and other equipment behind the BIG-IP system. Refer to the BIND documentation for more details.


Converting from rotary or round robin DNS

If your network is currently configured to use rotary DNS, your node configuration may not need modification. However, you need to modify your DNS zone tables to map to a single IP address instead of to multiple IP addresses.

For example, if you had two Web sites with domain names of www.SiteOne.com and www.SiteTwo.com, and used rotary DNS to cycle between two servers for each Web site, your zone table might look like the one in Figure 3.15.

Figure 3.15 Sample zone table with two Web sites and four servers


www.SiteOne.com    IN A 192.168.1.1
                   IN A 192.168.1.2
www.SiteTwo.com    IN A 192.168.1.3
                   IN A 192.168.1.4
 

In the BIG-IP system configuration, the IP address of each individual node used in the original zone table becomes hidden from the Internet. We recommend that you use addresses from the private address ranges reserved by RFC 1918 for your nodes. In place of multiple addresses, simply use a single virtual server associated with your site's domain name.

Using the above example, the DNS zone table might look like the zone table shown in Figure 3.16.

Figure 3.16 Sample zone table with two Web sites and two servers


www.SiteOne.com IN A 192.168.100.231
www.SiteTwo.com IN A 192.168.100.232
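
The conversion from Figure 3.15 to Figure 3.16 as an added example that is not from this guide or from BIG-IP: it parses the zone-table layout, where a record with a blank owner column belongs to the owner named above it, collapses each site's A records to a single virtual server address, lists the node addresses that move into the pool behind that virtual server, and flags any node outside the RFC 1918 ranges, since a node that stays publicly routable is not hidden by the conversion. The virtual server addresses and the third site are constructed.

```python
"""Convert rotary (round robin) A records to one virtual server address per site.
Added example, not BIG-IP code; the virtual server addresses are supplied by the caller."""
import ipaddress
from typing import Dict, List, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the layout of Figure 3.15, plus one site on public addresses.
ROTARY_ZONE = """\
www.SiteOne.com       IN A 192.168.1.1
                      IN A 192.168.1.2
www.SiteTwo.com       IN A 192.168.1.3
                      IN A 192.168.1.4
www.SiteThree.example IN A 203.0.113.7
                      IN A 203.0.113.8
"""

# Virtual server addresses (constructed; Figure 3.16 uses the first two).
VIRTUAL_SERVERS = {
    "www.siteone.com": "192.168.100.231",
    "www.sitetwo.com": "192.168.100.232",
    "www.sitethree.example": "192.168.100.233",
}


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 ranges (narrower than ipaddress.is_private)."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_a_records(zone_text: str) -> Dict[str, List[str]]:
    """Owner name (lower-cased) -> A record addresses, in file order.  A line whose
    owner column is blank inherits the owner of the previous record (zone file rule)."""
    records: Dict[str, List[str]] = {}
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # ';' starts a comment
        if not line.strip():
            continue
        fields = line.split()
        if not line[0].isspace():                  # owner column present
            owner = fields.pop(0).lower()
        if owner is None:
            raise ValueError(f"record without an owner: {raw!r}")
        if fields and fields[0].upper() == "IN":   # accept "IN A addr" or "A addr"
            fields.pop(0)
        if len(fields) < 2 or fields[0].upper() != "A":
            continue                               # other record types are not needed here
        records.setdefault(owner, []).append(str(ipaddress.ip_address(fields[1])))
    return records


def convert(records: Dict[str, List[str]],
            virtual_servers: Dict[str, str]) -> Tuple[List[str], Dict[str, List[str]], List[str]]:
    """Return (new zone lines, pool members per site, warnings about non-RFC 1918 nodes)."""
    zone_lines: List[str] = []
    pools: Dict[str, List[str]] = {}
    warnings: List[str] = []
    for owner, nodes in records.items():
        if owner not in virtual_servers:
            raise KeyError(f"no virtual server address given for {owner}")
        zone_lines.append(f"{owner} IN A {virtual_servers[owner]}")
        pools[owner] = list(nodes)
        for node in nodes:
            if not is_rfc1918(node):
                warnings.append(f"{owner}: node {node} is not in RFC 1918 private space")
    return zone_lines, pools, warnings


if __name__ == "__main__":
    lines, pools, warnings = convert(parse_a_records(ROTARY_ZONE), VIRTUAL_SERVERS)
    print("\n".join(lines))
    print(pools)
    print("\n".join(warnings))
```

The pool members it reports are the node addresses you would define behind each virtual server; the two warnings for the constructed third site show the check that the page's recommendation about RFC 1918 space calls for.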
 

Configuring email

Another optional feature you can set up when you configure the BIG-IP system is email. You can configure the BIG-IP system to send email notifications to you, or to other administrators. The BIG-IP system uses Sendmail as its mail transfer agent. The BIG-IP system includes a sample Sendmail configuration file that you can use to start with, but you will have to customize the Sendmail setup for your network environment before you can use it.

Before you begin setting up Sendmail, you may need to look up the name of the mail exchanger for your domain. If you already know the name of the mail exchanger, continue with the following section, Setting up Sendmail.


Setting up Sendmail

When you set up Sendmail, you need to open and edit a few configuration files. Note that the BIG-IP system does not accept incoming email messages; you can use the crontab utility to purge unsent or returned messages, and you can have those messages sent to yourself or another administrator.


To set up and start Sendmail
  1. Copy /config/sendmail.cf.off to /config/sendmail.cf.
  2. To set the name of your mail exchange server, open /config/sendmail.cf and set the DS variable to the name of your mail exchanger. The syntax for this entry is:

    DS<MAILHUB_OR_RELAY>

  3. Save and close the /config/sendmail.cf file.
  4. If you want to allow Sendmail to flush outgoing messages from the queue for mail that cannot be delivered immediately:

    • Open the /config/crontab file, and change the last line of the file to read:

      0,15,30,45 * * * * root /usr/sbin/sendmail -q > /dev/null 2>&1

    • Save and close the /config/crontab file.
  5. To prevent returned or undelivered email from going unnoticed:

    • Open the /config/aliases file and create an entry for root that points to you or another administrator at your site:

      root: networkadmin@SiteOne.com

    • Save and close the /config/aliases file.
    • Run the newaliases command to generate a new aliases database that incorporates the information you added to the /config/aliases file.
  6. To turn Sendmail on, either reboot the system or type this command:

    /usr/sbin/sendmail -bd -q30m


Using a serial terminal with the BIG-IP system

There are a couple of different ways to add a serial terminal to the BIG-IP system. You can add a serial terminal in addition to the console, or you can add a serial terminal as the console. The difference between the two is:

  • A serial terminal configured as a terminal displays a simple login. You can log in and run commands and edit files. In this case, you can use the serial terminal in addition to the keyboard and monitor.
  • A serial terminal configured as the console displays system messages and warnings in addition to providing a login prompt. In this case, the serial terminal replaces the keyboard and monitor.

To connect the serial terminal to the BIG-IP system

Connect a serial line cable between the terminal device and the BIG-IP system. On the back of the BIG-IP system is a male 9-pin RS-232C connector labeled Terminal. (Be sure not to confuse this with the fail-over connection, which is also a male 9-pin connector.)

Warning


Do not use the fail-over cable to connect the serial terminal to the BIG-IP system. A null modem cable is required.

The connector is wired as a DTE device, and uses the signals described in Table 3.5.

Table 3.5 Serial terminal connector signals

Pin   Source     Usage
1     External   Carrier detect
2     External   Received data
3     Internal   Transmitted data
4     Internal   Data terminal ready
5     Both       Signal ground
7     Internal   Request to send
8     External   Clear to send

The connector is wired for direct connection to a modem, with receipt of a Carrier Detect signal generating transmission of a login prompt by the BIG-IP system. If you are planning to connect to a terminal or to connect a PC and utilize a terminal emulation program such as HyperTerminal, you need a null modem cable with the wiring to generate the signals shown in Table 3.5.

Note


You can achieve acceptable operation by wiring pins 7 to 8 and pins 1 to 4 at the back of the BIG-IP system (and turning hardware flow control off in your terminal or terminal emulator).

Configuring a serial terminal in addition to the console

You can configure a serial terminal for the BIG-IP system in addition to the standard console.


To configure the serial terminal in addition to the console
  1. Connect the serial terminal to the BIG-IP system.
  2. Configure the serial terminal settings in your terminal or terminal emulator or modem as follows:

    • 9600 baud
    • 8 bits
    • 1 stop bit
    • No parity
  3. Open the /etc/ttys file and find the line that reads tty00 off. Modify it as shown here:

    # PC COM ports (tty00 is DOS COM1)

    tty00 "/usr/libexec/getty default" vt100 in secure

  4. Save the /etc/ttys file and close it.
  5. Reboot the BIG-IP system.

Configuring a serial terminal as the console

You can configure the serial terminal as the console.


To configure the serial terminal as the console
  1. Disconnect the keyboard from the BIG-IP system.
  2. Connect the serial terminal to the BIG-IP system. When there is no keyboard connected to the BIG-IP system, the BIG-IP system defaults to using the serial port for the console.
  3. Configure the serial terminal settings in your terminal or terminal emulator or modem as follows:

    • 9600 baud
    • 8 bits
    • 1 stop bit
    • No parity
  4. Reboot the BIG-IP system.

Forcing a serial terminal to be the console

In the case where you have not yet connected the serial terminal or it is not active when the BIG-IP system is booted, as it might be if you are using a terminal server or dial-up modem, you can force the controller to use the serial terminal as a console. Note that you do not need to disconnect the keyboard if you use this procedure to force the serial line to be the console.


To force a serial terminal to be the console
  1. Edit the /etc/boot.default file.
    Find the entry -console auto. Change this entry to -console com.
  2. Save the /etc/boot.default file and exit the editor.
  3. Plug the serial terminal into the serial port on the BIG-IP system.
  4. Turn on the serial terminal.
  5. Reboot the BIG-IP system.

Warning


Once you configure a serial terminal as the console for the BIG-IP system, the following conditions apply:

Keyboard/monitor access is disabled, and logging in is only possible via Secure Shell (SSH), if configured, or the serial line.

If the boot.default file is corrupted, the system does not boot at all. Save a backup copy of the original file and keep a bootable CD-ROM on hand.

The boot.default file must contain either the line: -console com or the line: -console auto. Do not configure both settings. This could cause problems when you attempt to boot the system.

Trunks

Link aggregation is the grouping of links (individual physical interfaces) to form a trunk. Link aggregation increases the bandwidth of the individual links in an additive manner. Thus, four fast Ethernet links, if aggregated, create a single 400 Mbps link. The other advantage of link aggregation is link fail-over. If one link in a trunk goes down, traffic is simply redistributed over the remaining links.

A trunk must have a controlling link, and acquires all the attributes of that controlling link from layer 2 and above. The trunk automatically acquires the VLAN membership of the controlling link but does not acquire its media type and speed. Outbound packets to the controlling link are load balanced across all of the known-good links in the trunk. Inbound packets from any link in the trunk are treated as if they came from the controlling link.

A maximum of eight links may be aggregated. For optimal performance, links should be aggregated in powers of two. Thus, you ideally will aggregate two, four, or eight links.


To configure a trunk using the Configuration utility
  1. In the navigation pane, click Network.
    The Network screen opens.
  2. Click the Trunks tab.
    The Trunks screen opens.
  3. Click the Add button.
  4. Select the link that is to be the controlling link from the Available Interfaces list, and click controlling >>.
    The interface appears at the top of the Aggregated Interfaces list.
  5. Select the remaining link(s) from the Available Interfaces list and click aggregated >>.
    The interface(s) appear in the Aggregated Interfaces list below the controlling link.
  6. Click Done.

To configure a trunk from the command line

Use the following syntax to configure a trunk from the command line:

b trunk <controlling_if> define <if_list>

Interfaces are specified using the s.p convention, where s is slot number and p is port number. An <if_list> is one or more such interfaces, with multiple interfaces separated by spaces.

For more information on interface naming, refer to Interface naming conventions.


Spanning Tree Protocol (STP)

The BIG-IP Application Switch provides a Spanning Tree Protocol (STP) implementation for loop resolution in configurations where one or more external switches are connected in parallel with the BIG-IP system. You can use this feature to configure two or more interfaces on the unit as an STP domain. For interfaces in the STP domain, the spanning tree algorithm identifies the most efficient path between the network segments, and establishes the switch associated with that path as the root. Links forming redundant paths are shut down, to be re-activated only if the root fails.

The STP domain should contain all ports that are connected in parallel to an external switch where there are nodes on the link capable of generating or receiving traffic. A second domain is called for if there is an additional switch or switches connected in parallel with additional BIG-IP system interfaces.

Warning

Use of STP may slow performance significantly, particularly if more than one STP domain is created, and may have unforeseen effects on complex networks. It is important to test your STP configuration before placing it online.

Creating and deleting STP domains

You can create or delete STP domains using the Configuration utility or from the command line.


To create an STP domain using the Configuration utility
  1. In the navigation pane, click Network.
    The Network screen opens.
  2. Click the STP tab.
    The STP screen opens.
  3. Click the Add button.
  4. Configure the STP domain attributes.
  5. Click Done.

To create or delete an STP domain from the command line

To create an STP domain from the command line, use the following syntax:

b stp <stp_name> interfaces add <if_list> | all

For example, if you want to create an STP domain named mystp that contains the interfaces 1.1 and 1.2, type the following command:

b stp mystp interfaces add 1.1 1.2

If you want to create an STP domain named mystp that contains all interfaces on the BIG-IP system, type:

b stp mystp interfaces add all

To delete an STP domain, use the following syntax:

b stp <stp_name> delete


Setting time intervals for an STP domain

You can set the time intervals in seconds for hello, max_age, and forward_delay for the STP domain from the command line using the following syntax:

b stp <stp_name> hello <interval>

b stp <stp_name> max_age <interval>

b stp <stp_name> forward_delay <interval>
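
Before issuing the three timer commands above, it is worth checking that the values are mutually consistent. The shell script below is an added example, not part of the BIG-IP manual or of bigpipe: it checks the IEEE 802.1D relationship between the timers (this manual does not say whether stpd enforces it) and prints the bigpipe commands for the domain name mystp used in this chapter rather than running them.

```shell
#!/bin/sh
# Added example, not from the BIG-IP manual: sanity-check the three STP timers
# before issuing "b stp <stp_name> hello|max_age|forward_delay <interval>".
# The relationship checked is the IEEE 802.1D one, in whole seconds:
#   2 * (forward_delay - 1) >= max_age >= 2 * (hello + 1)
# The manual does not state that stpd enforces it, so treat this as a
# configuration-hygiene check rather than a BIG-IP rule.

# stp_timers_ok HELLO MAX_AGE FORWARD_DELAY -> 0 if consistent, 1 otherwise
stp_timers_ok() {
    hello=$1; max_age=$2; fwd=$3
    # all three must be non-negative integers (seconds)
    for v in "$hello" "$max_age" "$fwd"; do
        case $v in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$max_age" -ge $((2 * (hello + 1))) ] || return 1
    [ $((2 * (fwd - 1))) -ge "$max_age" ] || return 1
    return 0
}

# stp_timer_cmds STP_NAME HELLO MAX_AGE FORWARD_DELAY
# Prints the three bigpipe commands, one per line; prints nothing and
# returns 1 when the timer set is inconsistent.
stp_timer_cmds() {
    name=$1
    stp_timers_ok "$2" "$3" "$4" ||
        { echo "stp: inconsistent timers hello=$2 max_age=$3 forward_delay=$4" >&2; return 1; }
    printf 'b stp %s hello %s\n' "$name" "$2"
    printf 'b stp %s max_age %s\n' "$name" "$3"
    printf 'b stp %s forward_delay %s\n' "$name" "$4"
}

# Example run with the 802.1D default timers (hello 2, max_age 20,
# forward_delay 15) for the domain "mystp" used in this chapter:
stp_timer_cmds mystp 2 20 15
```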


Adding or deleting interfaces in an STP domain

To add interfaces to an STP domain from the command line, use the following syntax:

b stp <stp_name> interfaces add <if_list>

To delete interfaces from an STP domain, use the following syntax:

b stp <stp_name> interfaces delete <if_list>


Disabling and re-enabling an STP domain

To disable an STP domain from the command line, use the following syntax:

b stp <stp_name> disable

To re-enable an STP domain, use the following syntax:

b stp <stp_name> enable

Note

Disabling or deleting all interfaces on an STP domain disables the domain. You cannot re-enable the domain without adding interfaces.

Disabling and re-enabling interfaces in an STP domain

To disable specific interfaces in the STP domain from the command line, use the following syntax:

b stp <stp_name> interfaces disable <if_list>

To re-enable interfaces in an STP domain, use the following syntax:

b stp <stp_name> interfaces enable <if_list>


Restarting stpd

The stpd daemon does not automatically restart when you synchronize configurations between units in a BIG-IP redundant system. To restart stpd, type the following command:

bigstart restart stpd


Port Mirroring

For the IP Application Switch, you can copy traffic from any port or set of ports to a single, separate port. This is called port mirroring. You attach a sniffer device to the target port (called the mirror-to port) for debugging or monitoring.


Setting up a port mirror

Port mirroring consists of specifying a mirror-to port and adding to it one or more ports (that is, a port list) to be mirrored. You can set up port mirroring using the Configuration utility or from the command line.


To set up port mirroring using the Configuration utility
  1. In the navigation pane, click Network.
    The Network screen opens.
  2. Click the Interfaces tab.
  3. Click the Port Mirroring subtab.
  4. In the Port Mirroring screen, configure the port mirror attributes.
  5. Click Done.

To set up port mirroring from the command line

Use this bigpipe syntax for setting up port mirroring:

b mirror <mirror_to_if> interfaces add <if_list>

Example:

b mirror 3.24 interfaces add 3.1 3.3 3.10


Deleting interfaces from a port mirror or deleting a port mirror

You can delete individual interfaces from a port mirror, or you can completely delete a port mirror.

To delete interfaces from the port mirror using the command line

Use this bigpipe syntax to delete interfaces from the port mirror:

b mirror <mirror_to_if> interfaces delete <if_list>

For example:

b mirror 3.24 interfaces delete 3.10


To delete the port mirror from the command line

Use this bigpipe syntax to delete the port mirror:

b mirror <mirror_to_if> delete

For example:

b mirror 3.24 delete
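
The b trunk and b mirror command lines in this chapter take the same kind of argument: a controlling or mirror-to interface followed by an interface list in s.p notation. The shell script below is an added example, not part of the BIG-IP manual or of bigpipe, that checks such arguments against the rules given here (s.p naming, at most eight links per trunk with powers of two preferred, the mirror-to port not among the mirrored ports) and prints the resulting commands instead of running them; whether the controlling link is itself repeated in <if_list> is left to the caller, since the manual does not say.

```shell
#!/bin/sh
# Added example, not from the BIG-IP manual: assemble the "b trunk" and
# "b mirror" command lines from this chapter after checking the interface
# arguments against its rules.  Commands are printed rather than run, so
# they can be reviewed before being typed into bigpipe.

# valid_if IF -> 0 if IF follows the s.p (slot.port) naming convention
valid_if() {
    printf '%s' "$1" | grep -Eq '^[1-9][0-9]*\.[1-9][0-9]*$'
}

# trunk_cmd CONTROLLING_IF IF... -> prints "b trunk <controlling_if> define <if_list>"
# Distinct links are counted with the controlling link included (whether or
# not it is repeated in IF...), since a trunk may hold at most eight.
# A count that is not a power of two only draws a warning.
trunk_cmd() {
    ctl=$1; shift
    valid_if "$ctl" || { echo "trunk: bad controlling interface '$ctl'" >&2; return 1; }
    seen=" $ctl "; n=1
    for i in "$@"; do
        valid_if "$i" || { echo "trunk: bad interface '$i'" >&2; return 1; }
        case $seen in *" $i "*) ;; *) seen="$seen$i "; n=$((n + 1)) ;; esac
    done
    [ "$n" -le 8 ] || { echo "trunk: $n links exceeds the maximum of eight" >&2; return 1; }
    [ $((n & (n - 1))) -eq 0 ] ||
        echo "trunk: $n links is not a power of two; performance will not be optimal" >&2
    printf 'b trunk %s define %s\n' "$ctl" "$*"
}

# mirror_cmd MIRROR_TO_IF IF... -> prints "b mirror <mirror_to_if> interfaces add <if_list>"
# The mirror-to port carries the sniffer, so it must not also be a mirrored port.
mirror_cmd() {
    mto=$1; shift
    valid_if "$mto" || { echo "mirror: bad mirror-to interface '$mto'" >&2; return 1; }
    [ $# -ge 1 ] || { echo "mirror: no interfaces to mirror" >&2; return 1; }
    for i in "$@"; do
        valid_if "$i" || { echo "mirror: bad interface '$i'" >&2; return 1; }
        [ "$i" != "$mto" ] || { echo "mirror: $mto cannot mirror itself" >&2; return 1; }
    done
    printf 'b mirror %s interfaces add %s\n' "$mto" "$*"
}

# Example runs with the interface names used in this chapter:
trunk_cmd 1.1 1.2 1.3 1.4        # b trunk 1.1 define 1.2 1.3 1.4
mirror_cmd 3.24 3.1 3.3 3.10     # b mirror 3.24 interfaces add 3.1 3.3 3.10
```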