Manual Chapter : BIG-IP Reference guide v3.1: BIG/pipe Command Reference

Applies To:


BIG-IP versions 1.x - 4.x

  • 3.1.1 PTF-01, 3.1.1, 3.1.0
Manual Chapter


2

BIG/pipe Command Reference



BIG/pipe commands

This chapter lists the various BIG/pipe commands with descriptions. Table 2.1 explains the conventions used in the command line syntax described in this chapter.

Command line conventions used in this manual

Item in text    Description
\               Continue to the next line without typing a line break.
< >             You enter text for the enclosed item. For example, if the command has <your name>, type in your name.
|               Separates parts of a command.
[ ]             Syntax inside the square brackets is optional.
...             Indicates that you can type a series of items.

Some entries contain additional information about using the command. At the end of the chapter is a list of commands from previous versions of the BIG/pipe utility.

Command                        Description
-?                             Displays online help for an individual bigpipe command.
alias                          Defines an IP alias to be pinged on behalf of a specific group of nodes.
configsync                     Synchronizes the /etc/bigip.conf file between the two BIG/ip Controller units in a redundant system.
conn                           Shows information about current connections such as the source IP address, virtual server and port, and node.
-d                             Verifies command syntax for the specified command without executing a command.
-f                             Resets the BIG/ip Controller and loads a specified configuration file.
failover                       Sets the BIG/ip Controller as active or standby.
gateway                        Turns the gateway fail-safe feature on and off.
-h and -help                   Displays online help for BIG/pipe command syntax.
interface                      Sets options on individual interfaces.
ipalias                        Configures shared addresses on interfaces.
-l                             Loads the BIG/ip Controller configuration without resetting the current configuration.
lb                             Sets the load balancing mode.
maint                          Toggles the BIG/ip Controller into and out of maintenance mode.
mirror                         Sets mirroring of the active BIG/ip Controller to the standby controller.
-n                             Displays ports numerically rather than by service name.
nat                            Defines external network address translations for nodes.
node                           Defines node property settings.
persist                        Defines and displays persistence settings for simple TCP and UDP persistence.
pool                           Defines load balancing pools.
port                           Defines properties for virtual ports.
proxy                          Defines the properties of the SSL gateway for the SSL Accelerator.
-r                             Clears the BIG/ip Controller configuration and counter values.
ratio                          Sets load-balancing weights and priority levels used in the Ratio and Priority load balancing modes.
rule                           Defines load balancing rules.
-s                             Writes the current configuration to a file.
snat                           Defines and sets options for SNAT (Secure NAT).
summary                        Displays summary statistics for the BIG/ip Controller.
timeout_node                   Sets the amount of time node addresses have to respond to a ping issued by the BIG/ip Controller.
timeout_svc                    Sets the amount of time services have to respond to a service check issued by the BIG/ip Controller.
tping_node                     Sets the interval at which the BIG/ip Controller pings node addresses to determine node status.
tping_svc                      Sets the interval at which the BIG/ip Controller issues service checks to nodes to determine node status.
treaper                        Sets the timeout for idle TCP connections on ports.
udp                            Enables UDP traffic on ports, and sets the timeout for idle UDP connections.
unit                           Displays the unit number assigned to a particular BIG/ip Controller.
-v                             Displays the BIG/pipe utility version number.
version                        Displays the BIG/ip Controller software version number.
vip                            Defines virtual servers, virtual server mappings, and virtual server properties.
Backward-compatible commands   Lists the commands from previous versions of the BIG/ip Controller that are compatible with this version.



-?

  bigpipe <command> -?

Description

For certain commands, displays online help, including complete syntax, description, and other related information. For example, to see online help for the bigpipe port command, type:

  bigpipe port -?


alias

  bigpipe alias [<node ip> [...<node ip>] ] show
  bigpipe alias <node ip> [...<node ip>] delete
  bigpipe alias <node ip> [...<node ip>] pingnode <pingnode ip>

Description

Defines a single node address to represent a group of node addresses which are actually IP aliases on the same physical server. To determine if the nodes associated with the representative node alias are available, the BIG/ip Controller sends a single node ping to the node alias, rather than an individual ping to each node address.

Note that you may also find this feature useful for nodes that are configured for service check, as long as each node uses the same port number.

Defining a node alias

Use the following syntax to define the node alias for one or more node addresses, where <pingnode ip> is the node alias (the node address that represents the group):

  bigpipe alias <node ip> [...<node ip>] pingnode <pingnode ip>

Note: The address that serves as the node alias (<pingnode ip>) must be a node address that is already defined in one or more virtual server mappings.

The following command defines a node alias for two node addresses, 192.168.42.2 and 192.168.42.3. The BIG/ip Controller performs node pings on the alias address 192.168.42.1 to determine the availability of 192.168.42.2 and 192.168.42.3.

  bigpipe alias 192.168.42.2 192.168.42.3 pingnode 192.168.42.1

Deleting a node alias

The following command deletes the node alias defined for the specific node:

  bigpipe alias <node ip> delete

Displaying current node aliases

The following command displays all node aliases defined on the BIG/ip Controller:

  bigpipe alias show

The following command displays the node alias defined for a specific node:

  bigpipe alias <node ip> show


configsync

  bigpipe configsync [all]

Description

Synchronizes configurations of two BIG/ip Controllers in a redundant system by copying the configuration file(s) from the active system to the standby system.

Using the configsync command without the all option synchronizes only the boot configuration file /etc/bigip.conf.

The all option changes the set of configuration files modified when the command is executed. When you synchronize a configuration using the configsync all command, the following configuration files are copied to the other BIG/ip Controller:

  • The common BIG/db keys
  • /etc/bigip.conf
  • /etc/bigd.conf
  • /etc/hosts.allow
  • /etc/hosts.deny
  • /etc/ipfw.conf
  • /etc/rateclass.conf
  • /etc/ipfwrate.conf
  • /etc/snmpd.conf
  • rc.sysctl

Be sure to save the current configuration to the /etc/bigip.conf file before you use the configuration synchronization feature.

Warning: If you are synchronizing a standby controller that already has configuration information defined, we recommend that you back up that controller's original configuration file(s).
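The backup that the warning recommends, as an added example that is not part of the F5 manual: it archives the files that configsync all overwrites, using the list above, and records checksums so that you can see afterwards which files the synchronization changed. The function names, the archive layout and the optional root argument are assumptions; rc.sysctl and the BIG/db keys are left out because the page gives no path for them.

```shell
#!/bin/sh
# Added example, not part of the BIG/ip documentation.
# Files that "bigpipe configsync all" copies to the peer, as listed above.
# rc.sysctl and the BIG/db keys are omitted: the page gives no path for them.
CONFIGSYNC_FILES="etc/bigip.conf etc/bigd.conf etc/hosts.allow etc/hosts.deny
etc/ipfw.conf etc/rateclass.conf etc/ipfwrate.conf etc/snmpd.conf"

# backup_configsync <backup dir> [root]
# Archives every listed file that exists under [root] (default /) and writes
# a cksum manifest next to the archive. Run it on the standby unit before sync.
backup_configsync() {
    dest=$1
    root=${2:-/}
    present=""
    for f in $CONFIGSYNC_FILES; do
        if [ -f "$root/$f" ]; then present="$present $f"; fi
    done
    if [ -z "$present" ]; then
        echo "no configsync files found under $root" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    # Relative names keep the archive restorable under any root.
    ( cd "$root" && cksum $present ) > "$dest/manifest.cksum" || return 1
    ( cd "$root" && tar -cf - $present ) > "$dest/configsync-backup.tar" || return 1
}

# changed_since <backup dir> [root]
# Prints the files whose content no longer matches the manifest, one per line.
# A file that has disappeared is reported as changed.
changed_since() {
    dest=$1
    root=${2:-/}
    while read -r sum size name; do
        now=$( cd "$root" && cksum "$name" 2>/dev/null ) || now=""
        if [ "$now" != "$sum $size $name" ]; then echo "$name"; fi
    done < "$dest/manifest.cksum"
}

# Constructed demonstration: a scratch directory stands in for the standby unit.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/root/etc" || return 1
    echo "ALL: 192.168.1." > "$t/root/etc/hosts.allow"   # constructed content
    echo "ALL: ALL" > "$t/root/etc/hosts.deny"           # constructed content
    backup_configsync "$t/backup" "$t/root" || return 1
    echo "ALL: ALL" > "$t/root/etc/hosts.allow"          # stands in for the sync overwrite
    changed_since "$t/backup" "$t/root"                  # prints etc/hosts.allow
    rm -rf "$t"
}
demo
```

A changed /etc/hosts.allow, /etc/hosts.deny or /etc/ipfw.conf means the standby unit's access rules were replaced by the active unit's, so review those files first.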

conn

  bigpipe conn [ <virt ip>[:<port>] ] dump [mirror]

Description

Displays information about current client connections to virtual addresses and virtual servers.

The following command displays all current client connections:

  bigpipe conn dump

The output shows the source IP, virtual server and port, and node connected to.

Figure 2.1 Formatted output of the conn command

 bigip conn dump
from vip node
100.100.100.30:49152 -> 100.100.100.100:23 -> 200.200.200.10:23
100.100.101.90:49153 -> 100.100.100.100:80 -> 200.200.200.10:80
...

This command can also show connections that are active on the given controller as well as those that are standby connections for the peer BIG/ip Controller. By default, the dump command only shows items that are active on the given unit. To see standby items, you must use the mirror qualifier.

  bigpipe conn dump mirror


-d

  bigpipe -d [-]
  bigpipe -d -f <filename>

Description

Parses the command line and checks syntax without executing the specified command.

This distinguishes between valid and invalid commands, and is particularly useful with the -f option, to validate the configuration file.

Use the -d command followed by a command that you want to validate:

  bigpipe -d vip 10.10.10.100:80 use pool my_pool

The command checks the syntax and logic, reporting any errors that would be encountered if the command executed.

Use the -d command together with the -f <filename> command to validate the specified configuration file. For example, to check the syntax of the configuration file /etc/altbigip.conf, use the following command:

  bigpipe -d -f /etc/altbigip.conf


-f

  bigpipe -f <filename>

Description

Resets all of the BIG/ip Controller settings and then loads the configuration settings from the specified file, typically the /etc/bigip.conf file, or another file you specify.

  bigpipe -f /etc/bigip.conf

For testing purposes, you can save a test configuration by renaming it to avoid confusion with the boot configuration file. To load a test configuration, use the -f command with the <filename> parameter. For example, if you renamed your configuration file to /etc/bigtest.conf, the test command would be:

  bigpipe -f /etc/bigtest.conf 


failover

  bigpipe failover standby | show | init | failback 

Description

This group of commands affects the fail-over status of the BIG/ip Controller.

In an active/standby or active-active configuration, run the following command to place a controller in standby mode:

  bigpipe failover standby

Show the status of the controller with the following command:

  bigpipe failover show

The failback command is only applicable if you are running a redundant system in active-active mode.

In an active-active configuration, run the following command after you issue the bigpipe failover standby command. This allows the inactive controller to resume handling connections:

  bigpipe failover failback

You can use the bigpipe failover init command to refresh the parameters of the fail-over daemon (/sbin/sod) with any new configuration data entered in the BIG/db database.

  bigpipe failover init


gateway

  bigpipe gateway failsafe arm | disarm | show 

Description

Turns the gateway fail-safe feature on and off. This command is supported only for redundant systems. To configure gateway pingers, you must first set the IP address of the router, ping interval, and timeout period in BIG/db. For information about configuring gateway fail-safe, see the BIG/ip Controller Administrator Guide, Working with Advanced Redundant System Features.

The typical use of gateway fail-safe is where active and standby BIG/ip Controllers use different routers as gateways to the internet. Fail-over is triggered if the gateway for the active controller is unreachable. Note that this is not a condition that is reliably detected by the interface fail-safe feature, but is reliably detected by gateway fail-safe.

To arm fail-safe on the gateway:

  bigpipe gateway failsafe arm 

To disarm fail-safe on the gateway, enter the following command:

  bigpipe gateway failsafe disarm

To see the current fail-safe status for the gateway, enter the following command:

  bigpipe gateway failsafe show


-h and -help

  bigpipe [-h | -help ] 

Description

Displays the bigpipe command syntax or usage text for all current commands.

Note: More detailed man pages are available for some individual bigpipe commands. To display detailed online help for the bigpipe command, type: man bigpipe



interface

  bigpipe interface <ifname> show
  bigpipe interface <ifname> source enable | disable
  bigpipe interface <ifname> dest enable | disable
  bigpipe interface <ifname> adminport open | lockdown
  bigpipe interface <ifname> failsafe arm | disarm | show
  bigpipe interface <ifname> timeout <seconds> | show 
  bigpipe interface <ifname> mac_masq <mac_addr> | show 
  bigpipe interface <ifname> vlans enable | disable | show 

Description

Displays names of installed network interface cards and allows you to set properties for each network interface card.

Note: Interface fail-safe is not designed for gateway or node failure detection, as it cannot detect router or node failures in instances where other sources of Ethernet traffic are active on the interface.

Designating an internal or external interface

With BIG/ip Controller version 3.0, you can define interfaces using three new parameters: source, dest, and adminport. You can mix and match these options to streamline the performance of the BIG/ip Controllers in the network. The attributes that determine the way an interface handles connections are described in Table 2.2.

Attributes of internal and external interfaces

Interface type    Attributes
Internal          Process source addresses
                  Administrative ports open
External          Process destination addresses
                  Administrative ports locked down

Use the following syntax to designate an interface as an internal or external interface.

  bigpipe interface <ifname> source enable | disable
  bigpipe interface <ifname> dest enable | disable
  bigpipe interface <ifname> adminport open | lockdown

The <ifname> parameter takes a valid interface name such as:

  • exp0
    This is the first Intel NIC
  • fpa1
    This is the second FDDI NIC
  • de2
    This is the third DEC/SMC NIC
  • sk0
    This is the first SysKonnect Gigabit Ethernet NIC

Note: Dual port Ethernet NICs show up as two distinct interfaces.

The following example syntax configures the interface exp0 as an internal interface on the BIG/ip Controller:

  bigpipe interface exp0 source enable
  bigpipe interface exp0 dest disable
  bigpipe interface exp0 adminport open

The following example syntax configures the interface exp1 as an external interface on the BIG/ip Controller:

  bigpipe interface exp1 source disable
  bigpipe interface exp1 dest enable
  bigpipe interface exp1 adminport lockdown

Warning: Use caution when redefining interfaces. When you reconfigure interfaces, make sure that you have set up the interfaces you need for operation. It is possible to accidentally take the controller out of network service by redefining interfaces.
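The role definitions in Table 2.2 can be checked mechanically. This added example (not F5 code) reads bigpipe interface commands written in the syntax above and reports any interface that processes destination addresses, the external role, without adminport lockdown. The function names are hypothetical, the exp2 lines are constructed, and treating a missing adminport setting as a finding is an assumption, since the page does not state the default.

```shell
#!/bin/sh
# Added example, not part of the BIG/ip documentation.

# audit_interfaces: reads "bigpipe interface <ifname> ..." commands on stdin.
# Prints one finding per interface that has dest enabled (external role in
# Table 2.2) but whose admin ports are not locked down. Returns 1 on findings.
audit_interfaces() {
    findings=$(awk '
        $1 == "bigpipe" && $2 == "interface" && NF >= 5 {
            if ($4 == "source" || $4 == "dest" || $4 == "adminport") {
                state[$3, $4] = $5        # a later command overrides an earlier one
                seen[$3] = 1
            }
        }
        END {
            for (i in seen) {
                # Assumption: an adminport setting absent from the input is
                # reported, because the page does not state the default.
                ap = ((i, "adminport") in state) ? state[i, "adminport"] : "unset"
                dest = ((i, "dest") in state) ? state[i, "dest"] : "unset"
                if (dest == "enable" && ap != "lockdown")
                    printf "%s: dest enable with adminport %s\n", i, ap
            }
        }' | sort)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# exp0 and exp1 are the internal and external examples from the text above;
# exp2 is a constructed misconfiguration.
sample_commands() {
    cat <<'EOF'
bigpipe interface exp0 source enable
bigpipe interface exp0 dest disable
bigpipe interface exp0 adminport open
bigpipe interface exp1 source disable
bigpipe interface exp1 dest enable
bigpipe interface exp1 adminport lockdown
bigpipe interface exp2 dest enable
bigpipe interface exp2 adminport open
EOF
}

sample_commands | audit_interfaces || :
```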

Displaying status for interfaces

Use the following syntax to display the current status and the settings for all installed interface cards:

  bigpipe interface show

Figure 2.2 is an example of the output you see when you issue this command on an active/standby controller in active mode.

Figure 2.2 The bigpipe interface show command output

 exp0         11.11.11.2, dest enable, source disable, disarmed, timeout 30 
shared alias 11.11.11.3 netmask 255.0.0.0 broadcast 11.255.255.255 unit 1
exp1 11.12.11.2, dest disable, source enable, disarmed, timeout 30
shared alias 11.12.11.3 netmask 255.0.0.0 broadcast 11.255.255.255 unit 1

Use the following syntax to display the current status and the setting for a specific interface.

  bigpipe interface <ifname> show

Arming and disarming the fail-safe mode

Use the following command to activate the BIG/ip Controller interface fail-safe mode.

  bigpipe interface <ifname> failsafe arm

When armed, the active controller automatically fails over to the standby controller whenever the active controller detects that there is no activity on the specified interface, and subsequently detects no activity on the interface in response to ARP requests. The default fail-safe mode is set to disarm.

Warning: You should arm the fail-safe mode only after you configure the BIG/ip Controller, and both the active and standby units are ready to be placed into a production environment.

Note that you must specify a default route before using the bigpipe interface failsafe command. You specify the default route in the /etc/hosts and /etc/netstart files.

Use the following command to deactivate the BIG/ip Controller interface fail-safe mode.

  bigpipe interface <ifname> failsafe disarm

Setting the fail-safe timeout

Use the following syntax to set the amount of time, in seconds, that an interface will be monitored for activity in response to a BIG/ip Controller ARP request, in order to be designated operational.

  bigpipe interface <ifname> timeout <seconds>

If no activity is detected on the interface within the specified time, the BIG/ip Controller assumes that the interface is down. Note that the default setting is 30 seconds.

Warning messages and ARP requests are generated after half of the specified time-out period. In the case of an armed BIG/ip Controller in a BIG/ip redundant system, traffic is switched from the active unit to the standby unit at the end of the time-out period. Note that the fail-safe timeout is used only if the fail-safe option is armed on the interface.

Viewing the timeout setting

Use the following syntax to view the fail-over timeout setting for a specific interface:

  bigpipe interface <ifname> timeout show

Displaying the current fail-safe status

Use the following syntax to display the current status and settings for the BIG/ip Controller fail-safe mode:

  bigpipe interface failsafe show

Setting the MAC masquerade address

Sharing the MAC masquerade address makes it possible to use BIG/ip Controllers in a network topology using secure hubs. You can view the media access control (MAC) address on a given controller using the following command:

  /sbin/ifconfig -a

Use the following syntax to set the MAC masquerade address that will be shared by both BIG/ip Controllers in the redundant system.

  bigpipe interface <ifname> mac_masq <MAC addr>

Warning: You must specify a default route before using the mac_masq command. You specify the default route in the /etc/hosts and /etc/netstart files.

Find the MAC address on both the active and standby units and choose one that is similar but unique. A safe technique for choosing the shared MAC address follows:

Suppose you want to set up mac_masq on the external interfaces. Using the ifconfig -a command on the active and standby units, you note that their MAC addresses are:

 Active: exp0 = 0:0:0:ac:4c:a2

Standby: exp0 = 0:0:0:ad:4d:f3

In order to avoid packet collisions, you now must choose a unique MAC address. The safest way to do this is to select one of the addresses and logically OR the first byte with 0x40. This makes the MAC address a locally administered MAC address.

In this example, either 40:0:0:ac:4c:a2 or 40:0:0:ad:4d:f3 would be a suitable shared MAC address to use on both BIG/ip Controllers in the redundant system.

The shared MAC address is used only when the BIG/ip Controller is in active mode. When the unit is in standby mode, the original MAC address of the network card is used.

If you do not configure mac_masq, on startup, or when transitioning from standby mode to active mode, the BIG/ip Controller sends gratuitous ARP requests to notify the default router and other machines on the local Ethernet segment that its MAC address has changed. See RFC 826 for more details on ARP.

Note: You can use the same technique to configure a shared MAC address for each interface.
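An added example (not F5 code) that carries out the selection described above: it normalizes the ifconfig-style addresses, ORs the first byte with 0x40, and confirms that the result is a unicast address that differs from both burned-in addresses. The function names are hypothetical; the two sample addresses are the ones from the example above.

```shell
#!/bin/sh
# Added example, not part of the BIG/ip documentation.

# normalize_mac: "0:0:0:ac:4c:a2" -> "00:00:00:ac:4c:a2".
# The ifconfig output shown in the text omits leading zeros in each octet.
normalize_mac() {
    printf '%s\n' "$1" | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= 6; i++) {
                if ($i !~ /^[0-9A-Fa-f][0-9A-Fa-f]?$/) exit 1
                o = tolower($i)
                if (length(o) == 1) o = "0" o
                out = out (i > 1 ? ":" : "") o
            }
            print out
        }'
}

# masq_mac: apply the rule from the text (first byte OR 0x40) to one address.
masq_mac() {
    mac=$(normalize_mac "$1") || return 1
    printf '%02x:%s\n' $(( 0x${mac%%:*} | 0x40 )) "${mac#*:}"
}

# check_masq <candidate> <burned-in mac>...
# 0 = usable, 1 = equals a burned-in address, 2 = multicast, 3 = malformed.
check_masq() {
    cand=$(normalize_mac "$1") || return 3
    shift
    # Bit 0x01 of the first octet marks a group (multicast) address.
    if [ $(( 0x${cand%%:*} & 0x01 )) -ne 0 ]; then return 2; fi
    for hw in "$@"; do
        hw=$(normalize_mac "$hw") || return 3
        if [ "$cand" = "$hw" ]; then return 1; fi
    done
    return 0
}

# ul_bit_canonical: succeeds if bit 0x02 of the first octet is set. In the
# canonical (Ethernet) byte notation that bit is the locally administered
# flag; 0x40 is the same flag in the bit-reversed Token Ring/FDDI notation.
ul_bit_canonical() {
    m=$(normalize_mac "$1") || return 3
    [ $(( 0x${m%%:*} & 0x02 )) -ne 0 ]
}

# The two burned-in addresses from the example above.
ACTIVE=0:0:0:ac:4c:a2
STANDBY=0:0:0:ad:4d:f3
shared=$(masq_mac "$ACTIVE")
if check_masq "$shared" "$ACTIVE" "$STANDBY"; then
    # Command to run on both units of the redundant system.
    echo "bigpipe interface exp0 mac_masq $shared"
fi
```

check_masq returns 1 when a burned-in address already has 0x40 set in its first byte, because the OR then leaves it unchanged; derive the shared address from the other unit in that case.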

Enabling VLAN communication for an interface

To use IEEE 802.1q VLAN Trunk mode, you must first set up VLAN tags in /etc/netstart and the shared IP in BIG/db. For detailed information about setting up VLAN tags, see the BIG/ip Controller Administrator Guide, Using Advanced Network Configurations.

Use the following syntax to enable, disable, or show the VLAN status of the specified internal interface:

  bigpipe interface <ifname> vlans enable | disable | show 


ipalias

  ipalias <ifname> <if address> netmask <ip mask> [ broadcast <ip address> ] \
    [ unit <id> ] [ tag <vlan tag> ]

Description

Configure shared IP addresses on installed network interface cards. The configuration you create with this command is stored in the BIG/db. If you use VLAN tags in your configuration, you can use this command to set the VLAN tag for the shared IP alias.

You must issue this command for each interface that you want to configure with the same IP alias. For example, if you want to configure the IP alias 192.168.100.100 for the interfaces exp0 and exp1, type the following commands:

  bigpipe ipalias exp0 192.168.100.100 netmask 255.255.0.0
  bigpipe ipalias exp1 192.168.100.100 netmask 255.255.0.0


-l

  bigpipe -l <file_name>

Description

Use the -l command to load the BIG/ip Controller configuration from <file_name> without resetting the current configuration.



lb

  bigpipe lb show 
  bigpipe lb round_robin | rr
  bigpipe lb ratio
  bigpipe lb priority
  bigpipe lb fastest 
  bigpipe lb least_conn
  bigpipe lb predictive 
  bigpipe lb observed

Description

Sets the global load balancing mode for all node list virtual servers.

Note: Pools are configured with their own load balancing method.

Setting the load balancing mode

Use the following syntax to set the load balancing mode:

  bigpipe lb <mode name>

The mode names allowed are displayed in the syntax section above.

The command below sets the load balancing mode to Least Connections, which routes new connections to the node which currently maintains the least number of connections.

  bigpipe lb least_conn

Viewing the currently selected load balancing mode

The following command displays the currently selected load balancing mode.

  bigpipe lb show


maint

  bigpipe maint

Description

Toggles a BIG/ip Controller into and out of Maintenance mode. When in Maintenance mode, a BIG/ip Controller accepts no new connections, but it does allow existing connections to complete.

The maint command interactively prompts you to enter or exit the maintenance mode.

  bigpipe maint

If the BIG/ip Controller is already in maintenance mode, the maint command takes the BIG/ip Controller out of maintenance mode. If the BIG/ip Controller is in maintenance mode for more than 20 minutes, the BIG/ip Controller immediately begins to accept new connection requests.

If the BIG/ip Controller has been in maintenance mode for more than 20 minutes, it automatically updates all network ARP caches; this process normally takes a few seconds. However, you can speed the process up by reloading the configuration file, using the following command:

  bigpipe -f /etc/bigip.conf


mirror

  bigpipe mirror enable | disable | show

Description

Enables and disables mirroring between active and standby BIG/ip Controllers. Mirroring ensures that persistence and connection information on the active controller is duplicated on the standby controllers. This command enables and disables mirroring for all virtual servers.

To enable mirroring on a redundant system:

  bigpipe mirror enable

To disable mirroring on a redundant system:

  bigpipe mirror disable

To show the current status of mirroring on a redundant system:

  bigpipe mirror show


nat

  bigpipe nat <orig_addr> to <trans_addr>[/<bitmask>] [<ifname>] 
[unit <unit ID>]
  bigpipe nat <orig_addr> to <trans_addr> netmask <netmask> \
[broadcast <broadcast_ip>] [<ifname>] [unit <unit ID>]
  bigpipe nat <orig_addr> [...<orig_addr>] delete
  bigpipe nat <trans_addr> [...<trans_addr>] delete
  bigpipe nat [<trans_addr> [...<trans_addr>] ] show
  bigpipe nat [<orig_addr> [...<orig_addr>] ] show 
  bigpipe nat [<orig_addr>] stats reset

Description

Defines an IP address, routable on the external network, that a node can use to initiate connections to hosts on the external network and receive direct connections from clients on the external network. The NAT command defines a mapping between the IP address of a server behind the BIG/ip Controller <orig_addr> and an unused routable address on the network in front of the BIG/ip Controller <trans_addr>.

Defining a NAT

A NAT definition maps the IP address of a node <orig_addr> to a routable address on the external interface <trans_addr>, and can include an optional interface and netmask specification. Use the following syntax to define a NAT:

  bigpipe nat <orig_addr> to <trans_addr>[/<bitmask>] [<ifname>] 
[unit <unit ID>]

The <ifname> parameter is the internal interface of the BIG/ip Controller through which packets must pass to get to the destination internal address. The BIG/ip Controller can determine the interface to configure for the NAT in most cases. The <ifname> parameter is useful, for example, where there is more than one internal interface. You can use the unit <unit ID> parameter to specify the controller to which this NAT applies in an active-active redundant system.

The following example shows a NAT definition:

  bigpipe nat 10.10.10.10 to 10.12.10.10/24 exp1

Deleting NATs

Use the following syntax to delete one or more NATs from the system:

  bigpipe nat <orig_addr> [...<orig_addr>] delete

Displaying status of NATs

Use the following command to display the status of all NATs included in the configuration:

  bigpipe nat show

Use the following syntax to display the status of one or more selected NATs (see Figure 2.3):

  bigpipe nat <orig_addr> [...<orig_addr>] show


Figure 2.3 Output when you display the status of a NAT.


NAT { 10.10.10.3 to 9.9.9.9 }
(pckts,bits) in = (0, 0), out = (0, 0)
NAT { 10.10.10.4 to 12.12.12.12
netmask 255.255.255.0 broadcast 12.12.12.255 }
(pckts,bits) in = (0, 0), out = (0, 0)

Resetting statistics for a NAT

Use the following command to reset the statistics for an individual NAT:

  bigpipe nat [<orig_addr>] stats reset

Use the following command to reset the statistics for all NATs:

  bigpipe nat stats reset

Additional Restrictions

The nat command has the following additional restrictions:

  • The IP address defined in the <orig_addr> parameter must be routable to a specific server behind the BIG/ip Controller.
  • You must delete a NAT before you can redefine it.
  • The interface for a NAT may only be configured when the NAT is first defined.


-n

  bigpipe -n

Description

Use the -n option in combination with other commands, such as bigpipe vip, to display ports numerically rather than by service name. For example, type the following command to display ports numerically:

  bigpipe -n vip

Notice the ports are listed numerically rather than by service name. See Figure 2.4.

Figure 2.4 The output of bigpipe -n vip

 VIP +------> 11.100.1.1          UNIT 1  
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+---+--> PORT 80 UP
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
MEMBER 11.12.1.100:80 UP
(cur, max, limit, tot) = (0, 0, 0, 0)
(pckts,bits) in = (0, 0), out = (0, 0)


node

  bigpipe node <node ip>[:<port>][...<node ip>[:<port>]] \
enable | disable
  bigpipe node [<node ip>[:<port>][...<node ip>[:<port>]] ] show
  bigpipe node <node ip>[:<port>][...<node ip>[:<port>]] \
limit <max conn>
  bigpipe node <node ip>[:port] up | down
  bigpipe node [<node ip>:<port>] stats reset

Description

Displays information about nodes and allows you to set properties for nodes and node addresses.

Enabling and disabling nodes and node addresses

To enable a node address, use the node command with a node address and the enable option:

  bigpipe node 192.168.21.1 enable

To disable a node address, use the node command with the disable option:

  bigpipe node 192.168.21.1 disable

To enable one or more node addresses, use the node command with a node address and port, and the enable option:

  bigpipe node 192.168.21.1:80 enable

To disable one or more node addresses, use the node command with disable option:

  bigpipe node 192.168.21.1:80 disable

Marking nodes and node ports up or down

To mark a node address down, use the node command with a node address and the down option (Note that marking a node down prevents the node from accepting new connections. Existing connections are allowed to complete):

  bigpipe node 192.168.21.1 down

To mark a node address up, use the node command with the up option:

  bigpipe node 192.168.21.1 up

To mark a particular port down, use the node command with a node address and port, and the down option (Note that marking a port down prevents the port from accepting new connections. Existing connections are allowed to complete):

  bigpipe node 192.168.21.1:80 down

To mark a particular port up, use the node command with up option:

  bigpipe node 192.168.21.1:80 up

Setting connection limits for nodes

Use the following command to set the maximum number of concurrent connections allowed on a node:

  bigpipe node <node ip>[:<port>][...<node ip>[:<port>]] \
limit <max conn>

Note that to remove a connection limit, you also issue the preceding command, but set the <max conn> variable to 0 (zero). For example:

  bigpipe node 192.168.21.1:80 limit 0

Setting connection limits for node addresses

The following example shows how to set the maximum number of concurrent connections to 100 for a list of node addresses:

  bigpipe node 192.168.21.1 192.168.21.1 \
    192.168.21.1 limit 100

To remove a connection limit, you also issue this command, but set the <max conn> variable to 0 (zero).

Displaying status of all nodes

  bigpipe node show

When you issue the node show command, the BIG/ip Controller displays the node status (up or down, or unchecked), and a node summary of connection statistics, which is further broken down to show statistics by port. The report shows the following information:

  • current number of connections
  • total number of connections made to the node since last boot
  • maximum number of concurrent connections since the last boot
  • concurrent connection limit on the node
  • total number of inbound and outbound packets and bits

Figure 2.5 shows the output of this command:

Figure 2.5 Node status and statistics

 bigpipe node 192.168.200.50:20
NODE 192.168.200.50 UP
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+- PORT 20 UP
(cur, max, limit, tot) = (0, 0, 0, 0)
(pckts,bits) in = (0, 0), out = (0, 0)

Displaying the status of individual nodes and node addresses

Use the following command to display status and statistical information for one or more node addresses:

  bigpipe node 192.168.21.1 show

The command reads the status of each node address, the number of current connections, total connections, and connections allowed, and the number of cumulative packets and bits sent and received.

Use the following command to display status and statistical information for one or more specific nodes:

  bigpipe node 192.168.21.1:80 show

Resetting statistics for a node

Use the following command to reset the statistics for an individual node address:

  bigpipe node [<node ip>:<port>] stats reset



persist

  bigpipe persist <port> [...<port>] <seconds>
  bigpipe persist dump

Description

Enables or disables simple persistence on one or more virtual ports. Persistence tracks the source IP addresses of all incoming requests, and the nodes and ports that hosted the request. It forces new connections from the source address to use the same node as used by the prior connection from that source IP address. A configurable time limit determines how long the BIG/ip Controller retains persistent connection information. By default, persistence is disabled on all ports. Persistence is affected by certain system control variables.

Setting a persistence timeout

Use the following syntax to set the number of seconds for which the BIG/ip Controller maintains persistent connection information on a specific virtual port:

  bigpipe persist <port> <seconds>

Set <seconds> to 0 to turn persistence off for a specific virtual port.

Displaying persistent connections

Use the following syntax to display information about current persistent connections:

  bigpipe persist [<port>] [...<port>] dump


pool

  bigpipe pool <pool name> { lb_mode <lb_mode_specification> \
    [persist_mode <persist_mode_specification>] <member definition>... }
  bigpipe pool <pool name> add { <member definition>... }
  bigpipe pool <pool name> delete { <member definition>... }
  bigpipe pool <pool name> modify { [lb_mode <lb_mode_specification>] \
    [persist_mode <persist_mode_specification>] <member definition>... }
  bigpipe pool <pool name> delete
  bigpipe pool [<pool name>] show
  bigpipe pool <pool name> lb_mode show
  bigpipe pool <pool name> persist show

Description

Use the pool command to create, delete, modify, or display the pool definitions on the BIG/ip Controller. Use pools to group members together with a common load balancing mode and persistence mode. For additional information about configuring pools, see the BIG/ip Controller Administrator Guide, Working with Intelligent Traffic Control.

Creating a pool

To create a pool, use the following syntax:

  bigpipe pool <pool_name> {lb_mode <lb_mode_specification> 
[persist_mode <persist_mode_specification>]
<member_definition>... member <member_definition>}

Each of these elements is described in Table 2.4, on page 2-40.

Note: For detailed information about setting up persistence with pools, see the BIG/ip Controller Administrator Guide, Working with Advanced Persistence Options.

To activate Insert HTTP cookie persistence from the command line

If you specify Insert mode, the information about the server to which the client connects is inserted in the header of the HTTP response from the server as a cookie. The cookie is named BIGipServer <pool_name>, and it includes the address and port of the server handling the connection. The expiration date for the cookie is set based on the timeout configured on the BIG/ip Controller.

To activate Insert mode from the command line, use the following syntax:

  bigpipe pool <pool_name> { <lb_mode_specification> persist_mode 
cookie cookie_mode insert cookie_expiration <timeout> <member
definition> }

The <timeout> value for the cookie is written using the following format:

  <days>d hh:mm:ss

To activate Rewrite mode cookie persistence from the command line

If you specify Rewrite mode, the BIG/ip Controller intercepts a Set-Cookie, named BIGipCookie, sent from the server to the client and overwrites the name and value of the cookie. The new cookie is named BIGipServer <pool_name> and it includes the address and port of the server handling the connection.

Rewrite mode requires you to set up the cookie created by the server. In order for Rewrite mode to work, there needs to be a blank cookie coming from the web server for the BIG/ip Controller to rewrite. With Apache variants, the cookie can be added to every web page header by adding an entry in the httpd.conf file:

  Header add Set-Cookie 
BIGipCookie=0000000000000000000000000000000000
00000000...

(The cookie should contain a total of 120 zeros.)

Warning: For backward compatibility the blank cookie can contain only 75 zeros. However, cookies of this size do not allow you to use rules and persistence together.

To activate Rewrite mode from the command line, use the following syntax:

  bigpipe pool <pool_name> { <lb_mode_specification> persist_mode 
cookie cookie_mode rewrite cookie_expiration <timeout> <member
definition> }

The <timeout> value for the cookie is written using the following format:

  <days>d hh:mm:ss

To activate Passive mode cookie persistence from the command line

If you specify Passive mode, the BIG/ip Controller does not insert or search for blank Set-Cookies in the response from the server. It does not try to set up the cookie. In this mode, it is assumed that the server provides the cookie formatted with the correct node information and timeout.

In order for Passive mode to work, there needs to be a cookie coming from the web server with the appropriate node information in the cookie. With Apache variants, the cookie can be added to every web page header by adding an entry in the httpd.conf file:

  Header add Set-Cookie: "BIGipServer my_pool=184658624.20480.000; 
expires=Sat, 19-Aug-2000 19:35:45 GMT; path=/"

In this example, my_pool is the name of the pool that contains the server node, 184658624 is the encoded node address and 20480 is the encoded port.

The equation for an address (a.b.c.d) is:

  d*256^3 + c*256^2 + b*256 + a

The way to encode the port is to take the two bytes that store the port and reverse them. So, port 80 becomes 80 * 256 + 0 = 20480. Port 1433 (instead of 5 * 256 + 153) becomes 153 * 256 + 5 = 39173.

After you set up the cookie created by the web server, you must activate Passive mode on the BIG/ip Controller. To activate HTTP cookie persistence from the command line, use the following syntax:

  bigpipe pool <pool_name> { <lb_mode_specification> persist_mode 
cookie cookie_mode passive <member definition> }

Note: The <timeout> value is not used in Passive mode.
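The address and port arithmetic described for Passive mode, worked through in Python as an added example (not code from the manual or from F5). It builds and parses the cookie value and lists the node that each BIGipServer cookie in a set of response headers names; the encoding is reversible without a key, so the cookie discloses the node address and port to whoever receives it. The function names and the second and third cookie lines are constructed for illustration, and the trailing 000 field is copied from the manual's sample without being interpreted.

```python
"""Encode and decode the node address and port carried in a BIGipServer
persistence cookie, using the arithmetic given in the manual."""
import ipaddress


def encode_address(addr: str) -> int:
    """a.b.c.d -> d*256^3 + c*256^2 + b*256 + a (octets stored in reverse)."""
    a, b, c, d = ipaddress.IPv4Address(addr).packed
    return d * 256**3 + c * 256**2 + b * 256 + a


def decode_address(value: int) -> str:
    """Inverse of encode_address; rejects values that do not fit in 32 bits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"address field out of range: {value}")
    # The lowest byte of the integer is the first octet of the address.
    return str(ipaddress.IPv4Address(value.to_bytes(4, "little")))


def swap_port_bytes(port: int) -> int:
    """Reverse the two bytes of a port; the same call encodes and decodes."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"port field out of range: {port}")
    return ((port & 0xFF) << 8) | (port >> 8)


def build_cookie_value(addr: str, port: int, suffix: str = "000") -> str:
    """Value a server would send in Passive mode. The suffix default is
    copied from the manual's sample cookie (assumption: left as is)."""
    return f"{encode_address(addr)}.{swap_port_bytes(port)}.{suffix}"


def parse_cookie_value(value: str):
    """Return (node address, node port, remaining fields) for a cookie value."""
    fields = value.strip().split(".")
    if len(fields) < 2 or not all(f.isascii() and f.isdigit() for f in fields[:2]):
        raise ValueError(f"not an <address>.<port>... value: {value!r}")
    addr = decode_address(int(fields[0]))
    port = swap_port_bytes(int(fields[1]))
    return addr, port, ".".join(fields[2:])


def nodes_in_headers(header_lines):
    """List (pool, node address, node port) for every BIGipServer cookie
    found in a sequence of HTTP response header lines."""
    found = []
    for line in header_lines:
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        pair = rest.split(";", 1)[0]          # name=value before attributes
        cname, eq, cvalue = pair.partition("=")
        cname = cname.strip().strip('"')
        if not eq or not cname.startswith("BIGipServer"):
            continue
        pool = cname[len("BIGipServer"):].strip()
        try:
            addr, port, _ = parse_cookie_value(cvalue)
        except ValueError:
            continue                           # value is not in this format
        found.append((pool, addr, port))
    return found


# Constructed response headers: the first cookie is the manual's sample,
# the second is made up for this example (node 10.1.1.5, port 1433).
SAMPLE_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: BIGipServer my_pool=184658624.20480.000; "
    "expires=Sat, 19-Aug-2000 19:35:45 GMT; path=/",
    "Set-Cookie: BIGipServer sql_pool=83951882.39173.000; path=/",
    "Set-Cookie: session=abc123; path=/",
]

if __name__ == "__main__":
    for pool, addr, port in nodes_in_headers(SAMPLE_HEADERS):
        print(f"pool {pool}: node {addr}:{port}")
```
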

To configure the hash cookie persistence option from the command line

Hash mode consistently maps a cookie value to a specific node. When the client returns to the site, the BIG/ip Controller uses the cookie information to return the client to a given node. With this mode, the web server must generate the cookie. The BIG/ip Controller does not create the cookie automatically as it does in Insert mode.

Use the following syntax to configure the hash cookie persistence option:

  bigpipe pool <pool_name> { <lb_mode_specification> persist_mode 
cookie cookie_mode hash cookie_hash_name <cookie_name>
cookie_hash_offset <cookie_value_offset> cookie_hash_length
<cookie_value_length> <member definition> }

The <cookie_name>, <cookie_value_offset>, and <cookie_value_length> values are described in Table 2.3:

The cookie hash mode values

Hash mode values Description
<cookie_name> This is the name of an HTTP cookie being set by a Web site.
<cookie_value_offset> This is the number of bytes in the cookie to skip before calculating the hash value.
<cookie_value_length> This is the number of bytes to use when calculating the hash value.

To activate sticky persistence from the command line

Use the following command to enable sticky persistence for a pool:

  bigpipe pool <pool_name> modify { persist_mode sticky <enable | 
disable> sticky_mask <ip address> }

Use the following command to disable sticky persistence for a pool:

  bigpipe pool <pool_name> modify { persist_mode sticky disable 
sticky_mask <ip address> }

Use the following command to delete sticky entries for the specified pool:

  bigpipe pool <pool_name> sticky clear

To activate SSL persistence from the command line

Use the following syntax to activate SSL persistence from the command line:

  bigpipe pool <pool_name> modify { persist_mode ssl ssl_timeout 
<timeout> simple_mask <ip_mask> }

For example, if you want to set SSL persistence on the pool my_pool, type the following command:

  bigpipe pool my_pool modify { persist_mode ssl ssl_timeout 3600 
simple_mask 255.255.255.0 }

To apply a simple timeout and persist mask from the command line

The complete syntax for the command is:

  bigpipe pool <pool_name> modify { [<lb_mode_specification>] 
persist_mode simple simple_timeout <timeout> simple_mask
<dot_notation_longword> }

For example, the following command would keep persistence information together for all clients within a class C network that connect to the pool classc_pool:

  bigpipe pool classc_pool modify { persist_mode simple 
simple_timeout 1200 simple_mask 255.255.255.0 }

You can turn off a persist mask on a pool by using the none option in place of the simple_mask mask. To turn off the persist mask that you set in the preceding example, use the following command:

  bigpipe pool classc_pool modify { simple_mask none }

Display persistence information for a pool

To show the persistence configuration for the pool:

  bigpipe pool <pool_name> persist show

To display all persistence information for the pool named classc_pool, use the show option:

  bigpipe pool classc_pool persist show

Options

Use the following elements to construct pools:

The elements you can use to construct a pool.

Pool Element Description
Pool name A string from 1 to 31 characters, for example: new_pool
Member definition member <ip address>:<port> [ratio <value>] [priority <value>]
lb_mode_specification lb_mode [ rr | ratio | priority | fastest | least_conn | predictive | observed | ratio_member | priority_member | least_conn_member ]
persist_mode_specification persist_mode [ cookie | simple | ssl | sticky ]

Deleting a pool

To delete a pool, use the following syntax:

  bigpipe pool <pool_name> delete

All references to a pool must be removed before a pool can be deleted.

Modifying pools

You can use the command line to add or delete members from a pool. You can also modify the load balancing mode for a pool from the command line. To add a new member to a pool use the following syntax:

  bigpipe pool <pool_name> add { 1.2.3.2:telnet }

To delete a member from a pool use the following syntax:

  bigpipe pool <pool_name> delete { 1.2.3.2:telnet }

Display pools

Use the following syntax to display all pools:

  bigpipe pool show

Use the following syntax to display a specific pool:

  bigpipe pool <pool_name> show


port

  bigpipe port <port> [...<port>] limit <max conn>
  bigpipe port <port> [...<port>] enable | disable | show

Description

Enables and disables network traffic on virtual ports, and also sets connection limits on ports. You can use standard port numbers, service or port names (for example, www, http, or 80) for the <port> parameter. Note that the port settings you define with this command control the port service for all virtual servers that use the port. By default, all ports are disabled.

A port is any valid port number, between 0 and 65535, inclusive, or any valid service name in the /etc/services file.

Allowing and denying virtual ports

You can enable or disable traffic to specific virtual ports. The default setting for all virtual ports is disabled. Use the following syntax to allow one or more virtual ports:

  bigpipe port <port> [...<port>] enable

To deny access to one or more virtual ports:

  bigpipe port <port> [...<port>] disable 

Setting connection limits on ports

Use the following syntax to set the maximum number of concurrent connections allowed on a virtual port. Note that you can configure this setting for one or more virtual ports.

  bigpipe port <port> [...<port>] limit <max conn>

To turn off a connection limit for one or more ports, use the preceding command, setting the <max conn> parameter to 0 (zero):

  bigpipe port <port> [...<port>] limit 0

Displaying the status of all virtual ports

Use the following syntax to display the status of virtual ports included in the configuration:

  bigpipe port show

Displaying the status for specific virtual ports

Use the following syntax to display the status of one or more virtual ports:

  bigpipe port <port> [...<port>] show

Figure 2.6 shows a sample of formatted output of the port command.

Figure 2.6 Formatted output of port command showing the Telnet port statistics

 bigpipe port telnet show 

PORT 23 telnet enable
(cur, max, limit, tot, reaped) = (37,73,100,691,29)
(pckts,bits) in = (2541, 2515600), out = (2331, 2731687)


proxy

  bigpipe proxy <ip>:<port> [/bitmask] [<ifname>] [<unit id>] target 
<server | vip> <ip>:<port> ssl enable key <key> cert <cert>
  bigpipe proxy <ip>:<port> [<ifname>] [<unit id>] netmask <ip> 
[broadcast <ip>] target <server | vip> <ip>:<port> ssl enable
key <key> cert <cert>
  bigpipe proxy <ip>:<port> enable
  bigpipe proxy <ip>:<port> disable
  bigpipe proxy <ip>:<port> delete
  bigpipe proxy <ip>:<port> show
  bigpipe proxy <ip>:<port> lasthop pool <pool_name>

Description

Use the proxy command to create, delete, modify, or display the SSL gateway definitions on the BIG/ip Controller. For detailed information about setting up the SSL Accelerator feature, see the BIG/ip Administrator Guide, Configuring an SSL Accelerator.

Creating an SSL gateway from the command line

Use the following command syntax to create an SSL gateway. Use this syntax if you want to configure a gateway by specifying a bitmask instead of a netmask and broadcast address:

  bigpipe proxy <ip>:<port> [/bitmask] [<ifname>] [<unit id>] target 
<server | vip> <ip>:<port> ssl enable key <key> cert <cert>

Use this syntax if you want to configure a gateway by specifying a netmask and broadcast address instead of a bitmask:

  bigpipe proxy <ip>:<port> [<ifname>] [<unit id>] netmask <ip> 
[broadcast <ip>] target <server | vip> <ip>:<port> ssl enable
key <key> cert <cert>

For example, you can create an SSL gateway from the command line that looks like this:

  bigpipe proxy 10.1.1.1:443 exp0 unit 1 { netmask 255.255.255.0     
broadcast 10.1.1.255 target vip 20.1.1.1:80 ssl enable key
my.server.net.key cert my.server.net.cert }

Note that when the configuration is written out in the bigip.conf file, the line ssl enable is automatically added. When the SSL gateway is written in the /etc/bigip.conf file, it looks like this:

Figure 2.7 An example SSL gateway configuration

 proxy 10.1.1.1:443 exp0 unit 1 { 
netmask 255.255.255.0
broadcast 10.1.1.255
target vip 20.1.1.1:80
ssl enable
key my.server.net.key
cert my.server.net.cert
}

Enabling, disabling, or deleting an SSL gateway from the command line

You can enable, disable, or delete an SSL gateway with the following syntax:

  bigpipe proxy <ip>:<port> enable
  bigpipe proxy <ip>:<port> disable
  bigpipe proxy <ip>:<port> delete

For example, if you want to enable the SSL gateway 209.100.19.22:443, type the following command:

  bigpipe proxy 209.100.19.22:443 enable

For example, if you want to disable the SSL gateway 209.100.19.22:443, type the following command:

  bigpipe proxy 209.100.19.22:443 disable

For example, if you want to delete the SSL gateway 209.100.19.22:443, type the following command:

  bigpipe proxy 209.100.19.22:443 delete

Displaying configuration information for an SSL accelerator gateway from the command line

Use the following syntax to view the configuration for the specified SSL gateway:

  bigpipe proxy <ip>:<port> show

For example, if you want to view configuration information for the SSL gateway 209.100.19.22:80, type the following command:

  bigpipe proxy 209.100.19.22:80 show

Figure 2.8 Output from the bigpipe proxy show command

SSL PROXY +---> 11.12.1.200:443 -- Originating Address -- Enabled Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
| LastHop Pool Name
+===> 11.12.1.100:80 -- Destination Address -- Server


SSL PROXY +---> 11.12.1.120:443 -- Originating Address -- Enabled Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
| LastHop Pool Name
+===> 11.12.1.111:80 -- Destination Address -- Vip

Adding a last hop pool to an SSL gateway from the command line

Use the following syntax to reference a last hop pool from an SSL gateway:

  bigpipe proxy <ip>:<port> lasthop pool <pool_name>

For example, if you want to assign the last hop pool named ssllasthop_pool to the SSL gateway 11.12.1.200:443, type the following command:

  bigpipe proxy 11.12.1.200:443 lasthop pool 
ssllasthop_pool


-r

  bigpipe -r

Description

Use the following syntax to clear the configuration and counter values from memory:

  bigpipe -r

Warning: This command should be used with caution. All network traffic stops when you run this command.

Typically, this command is used on a standby BIG/ip Controller prior to loading a new /etc/bigip.conf file that contains new tping and treaper values.

For example, you can execute the following commands on a standby BIG/ip Controller:

  bigpipe -r
  bigpipe -f <filename>

This sequence of commands ensures that only the values set in the <filename> specified are in use.



ratio

  bigpipe ratio [<node ip>] [<node ip> ...] show
  bigpipe ratio <node ip> [<node ip>...] <weight>

Description

This command provides two functions related to load balancing:

  • For the Ratio load balancing mode, the command sets the weight or proportions for one or more node addresses.
  • For the Priority load balancing mode, the command sets the priority level. Note that multiple node addresses can have the same priority level setting.

Setting ratio weight for one or more node addresses

The default ratio setting for any node address is 1. If you use the Ratio or Priority load balancing modes, you must set a ratio other than 1 for at least one node address in the configuration. If you do not change at least one ratio setting, the load balancing modes have the same effect as the Round Robin load balancing mode.

Use the following syntax to set the ratio for one or more node addresses:

  bigpipe ratio <node ip> [...<node ip>] <weight>

For example, the following command sets the ratio weight to 3 for a specific node address:

  bigpipe ratio 192.168.103.20 3

Displaying the ratio weights for node addresses

The following command displays the current ratio weight settings for all node addresses.

  bigpipe ratio show

The command displays the following output:


192.168.200.51 ratio = 3

192.168.200.52 ratio = 1

Displaying ratio weight for specific node addresses

Use the following syntax to display the ratio setting for one or more node addresses:

  bigpipe ratio <node ip> [...<node ip>] show

Note: The <weight> parameter must be a whole number, greater than or equal to 1.



rule

  bigpipe rule <rule name> ' { <if statement> | <use statement> } '
  bigpipe rule <rule name> delete
  bigpipe rule [<rule name>] show

Description

Use the rule command to create, delete, or display the rules on the BIG/ip Controller. Rules allow a virtual server to access any number of pools on the BIG/ip Controller. For more detailed information about using rules, see the BIG/ip Administrator Guide, Working with Intelligent Traffic Control.

Note: Before you define a rule, you must define the pool or pools that you want the rule to reference.

Create a rule

You can add rules by manually typing them into an existing /etc/bigip.conf file. You can also use the bigpipe rule command to create, delete, or display rules. To create a rule with bigpipe, type the complete rule on the command line without line breaks. For example, you can type in this rule:

  bigpipe rule cgi_rule ' {if (http_uri ends_with 
"cgi") {use ( cgi_pool )} else {use (
default_pool )}} '

If the http_uri string ends with "cgi" then the members from cgi_pool are used for load balancing. If the http_uri string does not end with "cgi", then the members of default_pool are used for load balancing.

Associating a rule with Virtual Server

You can associate a rule with a virtual server by using the following syntax:

  bigpipe vip <virt ip>:<port> use rule <rule_name>

For example, if you want to associate the rule cgi_rule with the virtual server 10.20.2.101:http, type in the following command:

  bigpipe vip 10.20.2.101:http use rule cgi_rule

Deleting a rule

You can delete a rule using the following syntax:

  bigpipe rule <rule_name> delete

Display rules

Use the following syntax to display all rules:

  bigpipe rule show

Use the following syntax to display a specific rule:

  bigpipe rule <rule_name> show

Definitions

You can create a rule by combining a number of different elements. A simple rule could contain the following elements:

  rule <rule_name> { if ( <variable> 
<binary_operator> "<literal>" ) { use (
<pool_name> ) } else { use (
<another_pool_name> ) } }

For example, a rule named cgi_rule that sends CGI connections to a load balancing pool named cgi_pool, or HTTP connections to a pool named http_pool looks like this:

  bigpipe rule cgi_rule ' {if (http_uri ends_with 
"cgi") {use ( cgi_pool )} else {use ( http_pool
)}} '

Use the elements in Table 2.5 to create rules.

The elements you can use to construct rules.

Element Description
A rule definition is

rule { <statement> }

A statement is

<use_statement>
<if_statement>
discard

A use statement

use ( <pool_name> )

An if statement

if ( <expression> ) { <statement> }
[ { else <statement> } ]

An expression

<literal>
<variable>
( <expression> )
exist <variable>
not <expression>
<expression> <binary_operator> <expression>

literal

<regex_literal>
<string_literal>
<address_literal>

A regular expression literal Is a string of 1 to 63 characters enclosed in quotes that may contain regular expressions
A string literal Is a string of 1 to 63 characters enclosed in quotes
An address literal

<dot_notation_longword> [netmask <dot_notation_longword>]

Dot notation longword

<0-255>.<0-255>.<0-255>.<0-255>

variable

http_method
http_header
http_version
http_uri
http_host
http_cookie <cookie_name>
client_addr

binary operator

or
and
contains
matches
equals
starts_with
ends_with
matches_regex



-s

  bigpipe -s [ <filename> | - ]

Description

Writes the current BIG/ip Controller configuration settings from memory to the default boot configuration file named /etc/bigip.conf.

You can just type bigpipe -s, or a hyphen character (-) in place of a file name, to display the configuration on the standard output device.

  bigpipe -s -

Or you can simply type the following command:

  bigpipe -s

If you are testing and integrating BIG/ip Controllers into a network, you may want to use multiple test configuration files. Use the following syntax to write the current configuration to a file name that you specify:

  bigpipe -s <filename>

For example, the following command saves the current configuration from memory to an alternate configuration file named /etc/bigip.conf2.

  bigpipe -s /etc/bigip.conf2


snat

  bigpipe snat map <node ip> [...<node ip>] to \
<SNAT ip> [netmask <ip>] [<ifname>] [unit <unit ID>]
  bigpipe snat map default to <SNAT ip> [<ifname>] \
[unit <unit ID>] [netmask <ip>]
  bigpipe snat <SNAT ip> [...<SNAT ip>] delete
  bigpipe snat default delete
  bigpipe snat default dump [verbose]
  bigpipe snat [<node ip> [...<node ip>] ] dump [verbose]
  bigpipe snat globals show
  bigpipe snat default show
  bigpipe snat [<node ip> [...<node ip>] ] show
  bigpipe snat limit <max conn>
  bigpipe snat default limit <max conn>
  bigpipe snat <node ip> [...<node ip>] limit \
<max conn>
  bigpipe snat <node ip> [...<node ip>] mirror \
enable | disable
  bigpipe snat default mirror enable | disable
  bigpipe snat <node ip> [...<node ip>] timeout tcp | udp \
<seconds>
  bigpipe snat [default] timeout tcp | udp <seconds>
  bigpipe snat <SNAT ip> [...<SNAT ip>] stats reset
  bigpipe snat default stats reset

Description

Defines one or more addresses that nodes can use as a source IP address when initiating connections to hosts on the external network. Note that clients cannot use SNAT addresses to connect directly to nodes.

Defining the default SNAT

Use the following syntax to define the default SNAT. If you use the netmask parameter and it is different from the external interface default netmask, the command sets the netmask and derives the broadcast address. You can use the unit <unit ID> parameter to specify a unit in an active-active redundant configuration.

  bigpipe snat map default to <SNAT ip> [<ifname>] [unit <unit ID>] 
[netmask <ip>]

Creating individual SNAT addresses

Use the following command syntax to create a SNAT mapping:

  bigpipe snat map <node ip> [...<node ip>] to \
<SNAT ip> [<ifname>] [unit <unit ID>] [netmask <ip>]

If the netmask is different from the external interface default netmask, the command sets the netmask and derives the broadcast address.

Deleting SNAT Addresses

The following syntax deletes a specific SNAT:

  bigpipe snat <SNAT ip> | default delete

Showing SNAT mappings

The following bigpipe command shows mappings:

  bigpipe snat [<SNAT ip>] [...<SNAT ip>] show
  bigpipe snat default show

The following command shows the current SNAT connections:

  bigpipe snat [<SNAT ip>] [...<SNAT ip>] dump [ verbose ]
  bigpipe snat default dump [ verbose ]

The optional verbose keyword provides more detailed output.

The following command prints the global SNAT settings:

  bigpipe snat globals show

Limiting connections

Use the following commands to set the maximum number of concurrent connections allowed for one or more SNAT addresses. Zero indicates no limit.

  bigpipe snat <SNAT ip> limit <max conn> 

The default SNAT address connection limit is set with the following command:

  bigpipe snat default limit <max conn> 

Set global concurrent connection limit:

  bigpipe snat limit <max conn>

Enabling mirroring for redundant systems

The following example sets SNAT mirroring for all SNAT connections originating at 192.168.225.100:

  bigpipe snat 192.168.225.100 mirror enable

Setting idle connection timeouts

Use the following command to set the timeout for idle TCP connections:

  bigpipe snat timeout tcp <seconds>

Use the following command to set the timeout for idle UDP connections. Note that you must have a timeout set for UDP connections; zero is not allowed:

  bigpipe snat timeout udp <seconds>

Use the following command to set the timeout for idle TCP connections originating at this node address. Set <seconds> to 0 (zero) to disable TCP timeout for these nodes.

  bigpipe snat <node ip> [...<node ip>] timeout tcp <seconds>

Use the following command to set the timeout for idle TCP connections originating at the default node address. Set <seconds> to 0 (zero) to disable TCP timeout for these nodes.

  bigpipe snat default timeout tcp <seconds>

Use the following syntax to set the timeout for idle UDP connections originating at this node address. Note that you must have a timeout set for UDP connections; zero is not allowed:

  bigpipe snat <node ip> [...<node ip>] timeout udp <seconds>

Use the following syntax to set the timeout for idle UDP connections originating at the default SNAT address. Note that you must have a timeout set for UDP connections; zero is not allowed:

  bigpipe snat default timeout udp <seconds>

Clearing statistics

You can reset statistics by node or by SNAT address. Use the following syntax to clear all statistics for one or more nodes:

  bigpipe snat <node ip> [ ...<node ip> ] stats reset

Use the following syntax to clear all statistics for one or more SNAT addresses:

  bigpipe snat <SNAT ip> [ ...<SNAT ip> ] stats reset

Use the following command to reset the statistics to zero for the default:

  bigpipe snat default stats reset



summary

  bigpipe summary 

Description

Displays a summary of current usage statistics.

The output display format for the summary command is shown in Figure 2.9.

Figure 2.9 Summary output display

BIG/ip total uptime           = 1 (day) 4 (hr) 40 (min) 8 (sec)
BIG/ip total uptime (secs)    = 103208
BIG/ip total # connections    = 0
BIG/ip total # pkts           = 0
BIG/ip total # bits           = 0
BIG/ip total # pkts(inbound)  = 0
BIG/ip total # bits(inbound)  = 0
BIG/ip total # pkts(outbound) = 0
BIG/ip total # bits(outbound) = 0
BIG/ip error no nodes available          = 0
BIG/ip tcp port deny                     = 0
BIG/ip udp port deny                     = 0
BIG/ip vip tcp port deny                 = 0
BIG/ip vip udp port deny                 = 0
BIG/ip max connections deny              = 0
BIG/ip vip duplicate syn ssl             = 0
BIG/ip vip duplicate syn wrong dest      = 0
BIG/ip vip duplicate syn node down       = 0
BIG/ip vip maint mode deny               = 0
BIG/ip virtual addr max connections deny = 0
BIG/ip virtual path max connections deny = 0
BIG/ip vip non syn                       = 0
BIG/ip error not in out table            = 0
BIG/ip error not in in table             = 0
BIG/ip error vip fragment no port        = 0
BIG/ip error vip fragment no conn        = 0
BIG/ip error standby shared drop         = 0
BIG/ip dropped inbound                   = 0
BIG/ip dropped outbound                  = 0
BIG/ip reaped                            = 0
BIG/ip ssl reaped                        = 0
BIG/ip persist reaped                    = 0
BIG/ip udp reaped                        = 0
BIG/ip malloc errors                     = 0
BIG/ip bad type                          = 0
BIG/ip mem pool total 96636758 mem pool used 95552 mem percent used 0.10

For detailed descriptions of each statistic displayed by the summary command, refer to the BIG/ip Controller Administrator Guide, Monitoring and Administration.



timeout_node

  bigpipe timeout_node show
  bigpipe timeout_node <seconds>
  bigpipe timeout_node 0

Description

Sets the amount of time that a server has to respond to a BIG/ip Controller ping in order for the server to be marked up. If a server fails to respond within the specified time, the BIG/ip Controller assumes that the server is down, and the BIG/ip Controller no longer sends packets to the services hosted by the server. If the server responds to the next ping, or to subsequent pings, the BIG/ip Controller then marks the server up, and resumes sending packets to those services.

The default is 15 seconds.

Note: If the timeout_node interval is shorter than the timeout_svc setting, a node can be marked down before the services on the node are marked down.

Displaying the current timeout value

Use the following command to display the current timeout setting for node ping:

  bigpipe timeout_node show

Setting a timeout value for node ping

Use the following syntax to set the timeout setting for node ping:

  bigpipe timeout_node <seconds>

The sample command below sets the timeout to 33 seconds.

  bigpipe timeout_node 33

Disabling node ping

To disable node ping, you simply set the node ping timeout value to 0 (zero):

  bigpipe timeout_node 0

Warning: Node ping is the only form of verification that the BIG/ip Controller uses to determine status of node addresses. If you turn node ping off while one or more node addresses are currently down, the node addresses remain marked down until you turn node ping back on and allow the BIG/ip Controller to verify the node addresses again.



timeout_svc

  bigpipe timeout_svc [<port>] show
  bigpipe timeout_svc <port> <seconds>
  bigpipe timeout_svc <port> 0

Description

Sets the amount of time that a specific node has to respond to a service check issued by the BIG/ip Controller. There are three types of service checks, each of which is affected by this setting:

  • Simple service check where the BIG/ip Controller attempts to establish a connection to the service hosted by the node
  • Extended content verification where the BIG/ip Controller requests specific content from the node
  • Extended application verification where the BIG/ip Controller executes an external service check program that verifies whether or not specific content is available on the node

If a node fails to respond to any type of service check within the specified time, the BIG/ip Controller assumes that the service is down and no longer sends client requests to the service. If the node responds to the next service check, or to subsequent service checks, the BIG/ip Controller marks the service up, and resumes sending requests to the service.

Warning: The BIG/ip Controller does not attempt to detect the status of a node if node ping is turned off (bigd -n) and the timeout_svc and tping_svc values are set to 0 for a particular node.

The timeout_svc default for each port is set to 0, which disables service checks on the port.

Note that the BIG/ip Controller monitors only those services that have a timeout_svc and tping_svc value greater than 0.

Setting the service check timeout

Use the following syntax to set the service check timeout for a specific node port. Note that this setting applies to all nodes that use the port.

  bigpipe timeout_svc <port> <seconds>

For example, the following command sets the service check timeout on port 80 to 120 seconds:

  bigpipe timeout_svc 80 120

Disabling the service check

To disable service check on a specific port, use the above command, but set the <seconds> parameter to zero:

  bigpipe timeout_svc <port> 0

Displaying service check timeouts

Use the following command to display the current service check timeout settings for all ports:

  bigpipe timeout_svc show

The system displays the following output:


port 80 timeout after 120 seconds

The system only displays ports that have a timeout set to a value other than 0.

Use the following syntax to display the current service check timeout setting for a specific port:

  bigpipe timeout_svc <port> [show]


tping_node

  bigpipe tping_node show
  bigpipe tping_node <seconds>

Description

Sets the interval (in seconds) at which a BIG/ip Controller issues a ping to each server managed by the BIG/ip Controller. If a specific server responds to the ping within a set time, the server is marked up and the BIG/ip Controller sends connections to the services hosted by that server. If a server fails to respond to a ping within the specified time, the BIG/ip Controller assumes that the server is no longer available, and it marks the node down.

Note that the timeout_node setting determines the number of seconds that a server has to respond to the ping issued by the BIG/ip Controller.

The default setting for tping_node is 5 seconds.

Setting a node ping interval

Use the following syntax to set the number of seconds which a server has to respond to a ping issued by the BIG/ip Controller:

  bigpipe tping_node <seconds>

Disabling node ping

To turn node ping off, set the interval to 0 seconds:

  bigpipe tping_node 0

Displaying the current node ping setting

Use the following command to display the current node ping setting:

  bigpipe tping_node show


tping_svc

  bigpipe tping_svc show
  bigpipe tping_svc <port> <seconds>
  bigpipe tping_svc <port> 0

Description

Sets the interval (in seconds) at which the BIG/ip Controller issues a service check to one or more specific nodes included in the configuration. There are three types of service check, each of which is affected by this setting:

  • Simple service check where the BIG/ip Controller attempts to establish a connection to the service hosted by the node
  • Extended content verification where the BIG/ip Controller requests specific content from the node
  • Extended application verification where the BIG/ip Controller executes an external service check program that verifies whether or not specific content is available on the node

If a node fails to respond to a service check within the time specified by the timeout_svc setting, the BIG/ip Controller marks the service down, and no longer routes client requests to it.

Warning: The BIG/ip Controller does not attempt to detect the status of a node if node ping is turned off (bigd -n) and the timeout_svc and tping_svc values are set to 0 for a node.

Setting global service check intervals for a node port

Use the following syntax to set a service check interval for a specific node port.

  bigpipe tping_svc <port> <seconds>

Use the following syntax to turn service check off for a specific node port.

  bigpipe tping_svc <port> 0

Displaying the current service check interval

Use the following syntax to display the intervals at which the BIG/ip Controller issues service checks to all nodes configured for service check:

  bigpipe tping_svc show


treaper

  bigpipe treaper show
  bigpipe treaper <port> <seconds>
  bigpipe treaper <port> 0

Description

Sets the expiration time for idle TCP connections on a specific port. An idle connection is one in which no data has been received or sent for the number of seconds specified by the treaper command. The treaper default value is 1005 seconds. For treaper to be effective, you should set its value to be greater than the configured timeout for the service daemons installed on your nodes.

The treaper command clears the connection tables, avoiding memory problems due to the accumulation of dead, but not terminated, connections.

Setting the idle TCP connection timeout for a virtual port

Use the following syntax to set an inactive connection timeout for one or more virtual ports:

  bigpipe treaper <port> <seconds>

To turn the inactive connection timeout off, use the same command but set the number of seconds to zero:

  bigpipe treaper <port> 0

Note: Typical settings include 120 seconds for 25/SMTP, 120 seconds for 80/www, 300-600 seconds for 20/ftp-data and 21/ftp-data.

Displaying the current inactive connection timeout

Use the following syntax to display the current number of seconds that connections are allowed to remain idle before being dropped:

  bigpipe treaper show


udp

  bigpipe udp [<port> [...<port>] ] show
  bigpipe udp <port> [...<port>] <seconds>
  bigpipe udp <port> 0

Description

The udp command enables UDP traffic on virtual ports and also sets a timeout for idle UDP connections. UDP traffic is enabled only when the timeout is set to a value greater than 0 (zero). You can disable UDP traffic on a port by setting the idle connection timeout to 0 (zero). By default, UDP is disabled on all ports.

Setting the idle connection timeout for UDP traffic

Use the following syntax to set the UDP timeout on one or more virtual ports, where the <seconds> parameter is the number of seconds before an idle connection is dropped:

  bigpipe udp <port> <seconds>

For example, the following command sets the UDP timeout to 300 seconds for port 53:

  bigpipe udp 53 300

To turn UDP timeout off for a virtual port, use the above command, setting the <seconds> parameter to zero:

  bigpipe udp <port> 0

Displaying UDP settings

Use the following command to display the UDP timeout setting for all ports that allow UDP:

  bigpipe udp show

Use the following syntax to display the timeout setting for a specific virtual port that allows UDP:

  bigpipe udp <port> show

The system displays the output:

port 53 idle udp connections expire after 300 seconds
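
The timeout_svc and udp show formats above can be checked against a site policy, since a port missing from timeout_svc show has no service check and any port listed by udp show accepts UDP. The following is an added example, not part of the manual; the function names, the sample captures and the policy lists are constructed, and it assumes each port is reported on its own line in the formats shown.

```shell
#!/bin/sh
# Added example (not from the manual): audit captured bigpipe "show" output.
# Assumption: each port is reported on its own line in the formats shown above.

# Constructed sample captures, in the formats printed by
# `bigpipe timeout_svc show` and `bigpipe udp show`.
TIMEOUT_SHOW='port 80 timeout after 120 seconds
port 25 timeout after 30 seconds'
UDP_SHOW='port 53 idle udp connections expire after 300 seconds
port 161 idle udp connections expire after 60 seconds'

# Ports with a non-zero service check timeout (reads show output on stdin).
checked_ports() {
    awk '$1 == "port" && $3 == "timeout" && $4 == "after" && $5 + 0 > 0 { print $2 }'
}

# Ports with UDP enabled, i.e. a non-zero idle timeout (reads show output on stdin).
udp_ports() {
    awk '$1 == "port" && $4 == "udp" && $7 == "after" && $8 + 0 > 0 { print $2 }'
}

# Print each expected service port that has no service check configured.
# $1 = timeout_svc show output, $2 = space-separated ports that must be checked.
unchecked_services() {
    checked=$(printf '%s\n' "$1" | checked_ports)
    for p in $2; do
        printf '%s\n' "$checked" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Print each UDP-enabled port that is not on the approved list.
# $1 = udp show output, $2 = space-separated approved UDP ports.
unapproved_udp() {
    for p in $(printf '%s\n' "$1" | udp_ports); do
        case " $2 " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Hypothetical policy: ports 80, 443 and 25 must be health-checked; only port 53 may use UDP.
echo "no service check: $(unchecked_services "$TIMEOUT_SHOW" "80 443 25" | tr '\n' ' ')"
echo "unapproved UDP:   $(unapproved_udp "$UDP_SHOW" "53" | tr '\n' ' ')"
```

A port reported under "no service check" keeps receiving client requests even when its service is down, so it is worth reviewing alongside the node ping setting.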


unit

  bigpipe unit [show]
  bigpipe unit peer [show]

Description

The unit number on a BIG/ip Controller designates which virtual servers use a particular controller in an active-active redundant configuration. You can use the bigpipe unit command to display the unit number assigned to a particular BIG/ip Controller. For example, to display the unit number of the unit you are on, type the following command:

  bigpipe unit show

To display the unit number of the other controller in a redundant system, type in the following command:

  bigpipe unit peer show

Note: If you use this command on a redundant system in active/standby mode, the active controller shows as unit 1 and 2, and the standby controller has no unit numbers.

Note: The bigpipe unit peer show command is the best way to determine whether the respective state mirroring daemons are connected.



-v

  bigpipe -v 

Description

Displays the version number of the BIG/pipe command utility.

For example, bigpipe -v displays the following output:


bigpipe: 3.0


version

  bigpipe version

Description

Displays the version number of the BIG/ip Controller's operating system.

The bigpipe version command outputs the following version information:


BIG/ip: version 3.0


vip

  bigpipe vip <virt ip>[:<port>] [<ifname>] [unit <ID>] \
[netmask <ip>] [broadcast <ip>] use pool <pool_name>
  bigpipe vip <virt ip>:<port>[/<bitmask>] [<ifname>] [unit <ID>] \
use pool <pool_name>
  bigpipe vip <virt ip>[:<port>] [<ifname>] [unit <ID>] \
[netmask <ip>] [broadcast <ip>] use rule <rule_name>
  bigpipe vip <virt ip>:<port>[/<bitmask>] [<ifname>] [unit <ID>] \
use rule <rule_name>
  bigpipe vip [<virt ip>[:<port>]] [...<virt ip>[:<port>] ] show
  bigpipe vip <virt ip>[:<port>] [<ifname>] [ ... <virt ip>[:<port>] ]  \
enable | disable | delete
  bigpipe vip <virt ip>[:<port>] [... <virt ip>[:<port>]] limit \
<max conn>
  bigpipe vip <virt ip>:<port> translate port enable | disable | show
  bigpipe vip <virt ip>:<port> translate addr enable | disable | show
  bigpipe vip <virt ip>:<port> lasthop pool <pool_name> | none | show
  bigpipe vip <virt ip>:<port> mirror conn enable | disable | show
  bigpipe vip [<virt ip:port>] stats reset

Description

Creates, deletes, and displays information about virtual servers. This command also sets connection mirroring, connection limits, and timeouts on a virtual server.

Defining a virtual server

Virtual servers are port-specific, and if you are configuring a site that supports more than one service, you need to configure one virtual server for each service offered by the site. Use the following syntax to define the pools or rules to which a virtual server maps. The unit <ID> parameter specifies which unit handles the virtual server in an active-active redundant configuration. You can associate pools or rules with a virtual server. The following sections describe the syntax for associating a pool or a rule with a virtual server.

Configuring a virtual server to use a load balancing pool

Use the following syntax to create a virtual server that references a load balancing pool. Note that you must create a pool before you can create a virtual server that references the pool. For information about creating a pool, see Creating a pool, on page 2-34.

  bigpipe vip <virt ip>:<port> [<ifname>] [unit <ID>] use pool \
<pool_name>

For example, if you want to create a virtual server that references the pool my_pool, the command might look like this:

  bigpipe vip 11.12.1.53:80 use pool my_pool

Configuring a virtual server to use a load balancing rule

Use the following syntax to create a virtual server that references a load balancing rule. Note that you must create a rule before you can create the virtual server that references the rule. For information about creating a rule, see Associating a rule with a virtual server, on page 2-50.

  bigpipe vip <virt ip>:<port> [<ifname>] [unit <ID>] use rule \
<rule_name>

For example, if you want to create a virtual server that references the rule my_rule, the command might look like this:

  bigpipe vip 11.12.1.53:80 use rule my_rule

Displaying information about virtual servers

Use the following syntax to display information about all virtual servers included in the configuration:

  bigpipe vip show

Use the following syntax to display information about one or more virtual servers included in the configuration:

  bigpipe vip <virt ip>:<port> [...<virt ip>:<port>] show

The command displays information such as the nodes associated with each virtual server, the nodes' status, and the current, total, and maximum number of connections managed by the virtual server since the BIG/ip Controller was last rebooted.

Defining an interface for a virtual server

If you have multiple external (destination processing) interfaces, you can specify one of them when you define a virtual server. If you specify an interface name, the BIG/ip Controller responds to ARP requests for the virtual address on that interface. If you do not specify an interface name, the BIG/ip Controller responds to ARP requests for the virtual server on the default interface. If you do not want the BIG/ip Controller to respond to ARP requests on any interface, use the option none in place of the <ifname> parameter.

All virtual servers that share a virtual address must use the same external interface. Changing the interface for a virtual server changes the interface for all virtual servers having the same virtual address.

Setting a user-defined netmask and broadcast

The default netmask for a virtual address, and for each virtual server hosted by that virtual address, is determined by the network class of the IP address entered for the virtual server. The default broadcast is automatically determined by the BIG/ip Controller, and it is based on the virtual address and the current netmask. You can override the default netmask and broadcast for any virtual address.

All virtual servers hosted by the virtual address use the netmask and broadcast of the virtual address, whether they are default values or they are user-defined values.

Note that if you want to use a custom netmask and broadcast, you define both when you define the virtual server:

  bigpipe vip <virt ip>[:<port>] [<ifname>] [netmask <ip>] \
[broadcast <ip>] use pool <pool_name>

Note: The BIG/ip Controller calculates the broadcast based on the IP address and the netmask. A user-defined broadcast address is not necessary.

Again, even when you define a custom netmask and broadcast in a specific virtual server definition, the settings apply to all virtual servers that use the same virtual address. The following sample command shows a user-defined netmask and broadcast:

  bigpipe vip www.SiteOne.com:http netmask 255.255.0.0 \
broadcast 10.0.140.255 use pool my_pool

The /bitmask option shown in the following example applies network and broadcast address masks. In this example, a 24-bit bitmask sets the network mask and broadcast address for the virtual server:

  bigpipe vip 206.168.225.1:80/24 use pool my_pool

The bitmask has the same effect as applying the 255.255.255.0 netmask: the broadcast address for this virtual server is derived from the network mask as 206.168.225.255.
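
The netmask and broadcast derivation described in this section can be reproduced before a virtual server is defined. The following is an added example, not part of the manual; the function names are hypothetical, and the class defaults are assumed to be the standard classful prefixes (A = 8 bits, B = 16, C = 24).

```shell
#!/bin/sh
# Added example (not from the manual): derive the netmask and broadcast that a
# virtual address ends up with. Function names are hypothetical.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> dotted netmask, e.g. 24 -> 255.255.255.0.
bits_to_mask() {
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Default prefix length from the address class (assumed A=8, B=16, C=24).
class_bits() {
    first=${1%%.*}
    if [ "$first" -lt 128 ]; then echo 8
    elif [ "$first" -lt 192 ]; then echo 16
    elif [ "$first" -lt 224 ]; then echo 24
    else return 1   # class D/E addresses have no classful host mask
    fi
}

# Broadcast = address with every host bit set.
broadcast_of() {
    addr=$(ip_to_int "$1")
    mask=$(ip_to_int "$2")
    int_to_ip $(( addr | (~mask & 0xFFFFFFFF) ))
}

# Resolve "<virt ip>[:<port>][/<bitmask>]" to "<netmask> <broadcast>",
# falling back to the class default when no bitmask is given.
vip_net() {
    ip=${1%%[:/]*}
    case $1 in
        */*) bits=${1#*/} ;;
        *)   bits=$(class_bits "$ip") || return 1 ;;
    esac
    mask=$(bits_to_mask "$bits")
    echo "$mask $(broadcast_of "$ip" "$mask")"
}

# The /24 example from this section, then the class default for a class A address.
vip_net 206.168.225.1:80/24
vip_net 11.12.1.53:80
```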

Setting a connection limit

The default setting is to have no limit to the number of concurrent connections allowed on a virtual server. You can set a concurrent connection limit on one or more virtual servers using the following command:

  bigpipe vip <virt ip>[:<port>] [...<virt ip>[:<port>] ] limit \
<max conn>

The following example shows two virtual servers set to have a concurrent connection limit of 5000 each:

  bigpipe vip www.SiteOne.com:http www.SiteTwo.com:ssl limit 5000

To turn the limit off, set the <max conn> variable to zero:

  bigpipe vip <virt ip>[:<port>] [...<virt ip>[:<port>] ] limit 0

Setting translation properties for virtual addresses and ports

Turning port translation off for a virtual server is useful if you want to use the virtual server to load balance connections to any service. Use the following syntax to enable or disable port translation for a virtual server.

  bigpipe vip <virt ip>:<port> translate port enable | disable | show

You can also configure the translation properties for a virtual server address. This option is useful when the BIG/ip Controller is load balancing devices which have the same IP address. This is typical with the nPath routing configuration where duplicate IP addresses are configured on the loopback device of several servers. Use the following syntax to enable or disable address translation for a virtual server.

  bigpipe vip <virt ip>:<port> translate addr enable | disable | show

Setting up last hop pools for virtual servers

In cases where you have more than one router sending connections to a BIG/ip redundant system, you may want to route connections back through the same router from which they were received. To configure a last hop pool, you must first create a pool that contains the routers for the BIG/ip redundant system. After you create a router pool, use the following syntax to configure a last hop pool for a virtual server.

  bigpipe vip <virt ip>:<port> lasthop pool <pool_name> | none | show

Mirroring connection information

Mirroring provides seamless recovery for current connections when a BIG/ip Controller fails. When you use the mirroring feature, the peer controller maintains the same current connection and persistence information as its partner controller. Transactions such as FTP file transfers continue as though uninterrupted.

To control mirroring for a virtual server, use the mirror command to enable or disable mirroring of connections. The syntax of the command is:

  bigpipe vip <virt ip>:<port> mirror conn enable | disable 

To print the current mirroring setting for a virtual server:

  bigpipe vip <virt ip>:<port> mirror conn show

If you do not specify conn, the BIG/ip Controller displays all mirrored connection information.

Note: If you set up mirroring on a virtual server that supports FTP connections, you need to mirror both the control port virtual server and the data port virtual server.

The following example shows the two commands used to enable mirroring for virtual server v1 on the FTP control and data ports:

  bigpipe vip v1:21 mirror conn enable
  bigpipe vip v1:20 mirror conn enable

Removing and returning a virtual server to service

You can remove an existing virtual server from network service, or return the virtual server to service, using the disable and enable keywords. When you disable a virtual server, the virtual server no longer accepts new connection requests, but it allows current connections to finish processing before the virtual server goes down. Use the following syntax to remove a virtual server from network service:

  bigpipe vip <virt ip>:<port> [...<virt ip>:<port>] \
disable

Use the following syntax to return a virtual server to network service:

  bigpipe vip <virt ip>:<port> enable

Removing and returning a virtual address to service

You can remove an existing virtual address from network service, or return the virtual address to service, using the disable and enable keywords. Note that when you enable or disable a virtual address, you inherently enable or disable all of the virtual servers that use the virtual address.

  bigpipe vip <virt ip> disable

Use the following syntax to return a virtual address to network service:

  bigpipe vip <virt ip> enable

Displaying information about virtual addresses

You can also display information about the virtual addresses that host individual virtual servers. Use the following syntax to display information about one or more virtual addresses included in the configuration:

  bigpipe vip <virt ip> [... <virt ip> ] show

The command displays information such as the virtual servers associated with each virtual address, the status, and the current, total, and maximum number of connections managed by the virtual address since the BIG/ip Controller was last rebooted, or since the BIG/ip Controller became the active unit (redundant configurations only).

Deleting a virtual server

Use the following syntax to permanently delete one or more virtual servers from the BIG/ip Controller configuration:

  bigpipe vip <virt ip>:<port> [... <virt ip>:<port>] delete

Resetting statistics for a virtual server

Use the following command to reset the statistics for an individual virtual server:

  bigpipe vip [<virt ip>:<port>] stats reset

Backward-compatible commands

The following BIG/pipe commands have been included for users of previous versions.

  dt [<ip>[:<port> ] ]
  port <port> [<port>... ] [allow | deny] [ limit <limit> ]
  vip <virt ip>:<port> persistmask [ <IP address mask> ]
  vip <virt ip>:<port> persistmask [ none | show ]
  vip <virt ip>[:<port>] [<ifname>] netmask <ip> \
[ broadcast <ip> ] define <node ip>[:<port> \
[ <node ip>[:<port>... ] [ special ssl <value> <value> ]
  nat <node ip> to <NAT ip> [<ifname>] netmask <ip> \
[ broadcast <ip> ]
  fo [ master | slave ]
  vip <virt ip>[:<port>] [/<bitmask>] [<ifname>|none ] \
[unit <unit ID>] define <node ip>[:<port>] \
[..<node ip>[:<port>] ] [special ssl <seconds> <seconds>]
  vip <virt ip>[:<port>] netmask <ip> [broadcast <ip>] \
[<ifname> | none ] [unit <unit ID>] define <node ip>[:<port>] \
[...<node ip>[:<port>] ] [special ssl <seconds> <seconds>] \
[special cookie insert | rewrite | passive <days>d <hh:mm:ss>]]
  vip <virt ip>[:<port>] netmask <ip> [broadcast <ip>] \
[<ifname> | none ] [unit <unit ID>] define <node ip>[:<port>] \
[...<node ip>[:<port>] ] [special cookie hash <name> <offset> <length>]
  vip <virt ip>:<port> mirror persist enable | disable | show
  vip <virt ip>:<port> persist show | dump | <value>
  vip <virt ip>:<port> persist mask <ip> | none | show
  vip 0.0.0.0:<port> sticky [ enable | disable | show | clear | dump ]
  vip 0.0.0.0:<port> sticky mask [ <ip> | none | show ]
  vip sticky dump
  vip sticky clear