Applies To:
BIG-IP versions 1.x - 4.x
- 3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.1, 3.3.0
3
bigpipe Command Reference
bigpipe commands
This chapter lists the various bigpipe commands with descriptions. At the end of the chapter is a list of commands from previous versions of the bigpipe utility.
Table 3.1 explains the conventions used in the command line syntax described in this chapter.
Table 3.2 provides a concise listing of the commands discussed in this chapter, along with the page where you can find more details. Refer to the command entry pages for sample syntax and a description of how to use the command. Some entries contain additional information about using the command.
Command | Description | Page |
-? | Displays online help for an individual bigpipe command. | 3-4 |
alias | Defines an IP alias to be pinged on behalf of a specific group of nodes. | 3-5 |
configsync | Synchronizes the /etc/bigip.conf between the two BIG-IP Controller units in a redundant system. | 3-7 |
conn | Shows information about current connections such as the source IP address, virtual server and port, and node. | 3-8 |
-d | Verifies command syntax for the specified command without executing a command. | 3-9 |
-f | Resets the BIG-IP Controller and loads a specified configuration file. | 3-10 |
failover | Sets the BIG-IP Controller as active or standby. | 3-11 |
gateway | Turns the gateway fail-safe feature on and off. | 3-12 |
-h and -help | Displays online help for bigpipe command syntax. | 3-13 |
interface | Sets options on individual interfaces. | 3-14 |
ipalias | Configure shared addresses on interfaces. | 3-21 |
-l | Loads the BIG-IP Controller configuration without resetting the current configuration. | 3-22 |
lb | Sets the load balancing mode. | 3-23 |
maint | Toggles the BIG-IP Controller into and out of maintenance mode. | 3-25 |
mirror | Sets mirroring of the active BIG-IP Controller to the standby controller. | 3-26 |
-n | Displays ports numerically rather than by service name. | 3-30 |
nat | Defines external network address translations for nodes. | 3-27 |
node | Defines node property settings. | 3-31 |
persist | Defines and displays persistence settings for simple TCP and UDP persistence. | 3-35 |
pool | Defines load balancing pools. | 3-36 |
port | Defines properties for virtual ports. | 3-44 |
proxy | Defines the properties of the SSL gateway for the SSL Accelerator. | 3-46 |
-r | Clears the BIG-IP Controller configuration and counter values. | 3-50 |
ratio | Sets load-balancing weights and priority levels used in the Ratio and Priority load balancing modes. | 3-51 |
rule | Defines load balancing rules. | 3-53 |
-s | Writes the current configuration to a file. | 3-57 |
snat | Defines and sets options for SNAT (Secure NAT). | 3-58 |
summary | Displays summary statistics for the BIG-IP Controller. | 3-62 |
timeout_node | Sets the amount of time that node addresses have to respond to a ping issued by the BIG-IP Controller. | 3-64 |
timeout_svc | Sets the amount of time that services have to respond to a service check issued by the BIG-IP Controller. | 3-66 |
tping_node | Sets the interval at which the BIG-IP Controller pings node addresses to determine node status. | 3-68 |
tping_svc | Sets the interval at which the BIG-IP Controller issues service checks to nodes to determine node status. | 3-69 |
treaper | Sets the timeout for idle TCP connections on ports. | 3-71 |
udp | Enables UDP traffic on ports, and sets the timeout for idle UDP connections. | 3-73 |
unit | Displays the unit number assigned to a particular BIG-IP Controller. | 3-75 |
-v | Displays the bigpipe utility version number. | 3-76 |
version | Displays the BIG-IP Controller software version number. | 3-77 |
vip | Defines virtual servers, virtual server mappings, and virtual server properties. | 3-78 |
On page 2-87 you can find a list of backward-compatible commands from previous versions of the BIG-IP Controller that are compatible with this version.
-?
bigpipe <command> -?
Description
For certain commands, displays online help, including complete syntax, description, and other related information. For example, to see online help for the bigpipe port command, type:
bigpipe port -?
alias
bigpipe alias [<node ip> [...<node ip>] ] show
bigpipe alias <node ip> [...<node ip>] delete
bigpipe alias <node ip> [...<node ip>] pingnode <pingnode ip>
Description
Defines a single node address to represent a group of node addresses which are actually IP aliases on the same physical server. To determine if the nodes associated with the representative node alias are available, the BIG-IP Controller sends a single node ping to the node alias, rather than an individual ping to each node address.
Note that you may also find this feature useful for nodes that are configured for service check, as long as each node uses the same port number.
Defining a node alias
Use the following syntax to define the node alias for one or more node addresses, where <pingnode ip> is the node alias (the node address that represents the group):
bigpipe alias <node ip> [...<node ip>] pingnode <pingnode ip>
Note: The address that serves as the node alias (<pingnode ip>) must be a node address that is already defined in one or more virtual server mappings.
The following command defines a node alias for two node addresses, 192.168.42.2 and 192.168.42.3. The BIG-IP Controller performs node pings on the alias address 192.168.42.1 to determine the availability of 192.168.42.2 and 192.168.42.3.
bigpipe alias 192.168.42.2 192.168.42.3 pingnode 192.168.42.1
Deleting a node alias
The following command deletes the node alias defined for the specific node:
bigpipe alias <node ip> delete
Displaying current node aliases
The following command displays all node aliases defined on the BIG-IP Controller:
bigpipe alias show
The following command displays the node alias defined for a specific node:
bigpipe alias <node ip> show
configsync
bigpipe configsync [all]
Description
Synchronizes configurations of two BIG-IP Controllers in a redundant system by copying the configuration file(s) from the active unit to the standby unit.
Using the configsync command without the all option synchronizes only the boot configuration file /etc/bigip.conf.
The all option changes the set of configuration files that are modified when the command is executed. When you synchronize a configuration using the configsync all command, the following configuration files are copied to the other BIG-IP Controller:
- The common BIG/db keys
- /etc/bigip.conf
- /etc/bigd.conf
- /etc/hosts.allow
- /etc/hosts.deny
- /etc/ipfw.conf
- /etc/rateclass.conf
- /etc/ipfwrate.conf
- /etc/snmpd.conf
- rc.sysctl
Be sure to save the current configuration to the /etc/bigip.conf file before you use the configuration synchronization feature.
Warning: If you are synchronizing a standby controller that already has configuration information defined, we recommend that you back up that controller's original configuration file(s) first.
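The backup recommended in the warning above can be scripted. The following is an added example, not part of the F5 manual: a POSIX shell function that archives the files listed for configsync all on the standby unit before they are overwritten. The function name, archive path and root argument are assumptions; the BIG/db keys are not files and are not covered, and because the page gives rc.sysctl without a directory, its path is taken from the RC_SYSCTL_PATH variable (hypothetical) rather than guessed.

```shell
#!/bin/sh
# Added example (not F5 code): snapshot the files that
# "bigpipe configsync all" copies over, before running the sync.

# File list taken from this page, written relative to the root directory.
CONFIGSYNC_FILES="etc/bigip.conf etc/bigd.conf etc/hosts.allow etc/hosts.deny
etc/ipfw.conf etc/rateclass.conf etc/ipfwrate.conf etc/snmpd.conf"

# backup_configsync_files <archive.tar> [root]
#   archive.tar  where to write the backup (assumed name, use an absolute path)
#   root         filesystem root to read from; defaults to / (assumption that
#                lets the function run against a copy of the filesystem)
# RC_SYSCTL_PATH (hypothetical variable) may hold the path of rc.sysctl.
# Prints "saved <path>" or "missing <path>" for every listed file.
# Returns 0 when an archive was written, 1 when no listed file was found.
backup_configsync_files() {
    archive=$1
    root=${2:-/}
    present=""
    for f in $CONFIGSYNC_FILES ${RC_SYSCTL_PATH:-}; do
        f=${f#/}                      # keep archive members relative
        if [ -f "$root/$f" ]; then
            present="$present $f"
            echo "saved $f"
        else
            echo "missing $f"
        fi
    done
    [ -n "$present" ] || return 1
    # These files hold access rules and SNMP settings: owner-only archive.
    # $present is left unquoted on purpose so it splits into file names.
    ( umask 077 && tar -cf "$archive" -C "$root" $present ) || return 1
    chmod 600 "$archive"
}

# Typical use on the standby unit, before "bigpipe configsync all" is run
# on the active unit:
#   backup_configsync_files /var/tmp/pre-sync.tar
```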
conn
bigpipe conn [ <virt ip>[:<port>] ] dump [mirror]
Description
Displays information about current client connections to virtual addresses and virtual servers.
The following command displays all current client connections:
bigpipe conn dump
The output shows the source IP, virtual server and port, and node connected to.
Figure 3.1 Formatted output of the conn command
bigip conn dump
from vip node
100.100.100.30:49152 -> 100.100.100.100:23 -> 200.200.200.10:23
100.100.101.90:49153 -> 100.100.100.100:80 -> 200.200.200.10:80
...
This command can also show connections that are active on the given controller as well as those that are standby connections for the peer BIG-IP Controller. By default, the dump command only shows items that are active on the given unit. To see standby items, you must use the mirror qualifier.
bigpipe conn dump mirror
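For monitoring, the dump can be reduced to per-client, per-virtual-server and per-node connection counts, which makes a single source holding an unusual number of connections easy to spot. The following is an added example, not part of the F5 manual; the function names and the threshold argument are assumptions, and the sample input is constructed in the layout of Figure 3.1.

```shell
#!/bin/sh
# Added example (not F5 code): summarize "bigpipe conn dump" output.

# sample_conn_dump: constructed sample in the layout of Figure 3.1.
sample_conn_dump() {
    cat <<'EOF'
from vip node
100.100.100.30:49152 -> 100.100.100.100:23 -> 200.200.200.10:23
100.100.101.90:49153 -> 100.100.100.100:80 -> 200.200.200.10:80
100.100.100.30:49160 -> 100.100.100.100:80 -> 200.200.200.10:80
100.100.100.30:49161 -> 100.100.100.100:80 -> 200.200.200.11:80
...
EOF
}

# summarize_conns: reads dump text on stdin and prints sorted lines
#   client <source ip> <connections>
#   node <node ip:port> <connections>
#   vip <virtual ip:port> <connections>
# Lines that are not "a -> b -> c" (header, "...") are ignored.
summarize_conns() {
    awk '
        NF == 5 && $2 == "->" && $4 == "->" {
            split($1, src, ":")      # drop the ephemeral source port
            client[src[1]]++
            vip[$3]++
            node[$5]++
        }
        END {
            for (k in client) print "client", k, client[k]
            for (k in vip)    print "vip", k, vip[k]
            for (k in node)   print "node", k, node[k]
        }
    ' | LC_ALL=C sort
}

# clients_over <limit>: source addresses with more than <limit> connections
clients_over() {
    summarize_conns |
        awk -v limit="$1" '$1 == "client" && $3 + 0 > limit + 0 { print $2 }'
}

# On a controller: bigpipe conn dump | clients_over 100
```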
-d
bigpipe -d [-]
bigpipe -d -f <filename>
Description
Parses the command line and checks syntax without executing the specified command.
This distinguishes between valid and invalid commands, and is particularly useful with the -f option, to validate the configuration file.
Use the -d command followed by a command that you want to validate:
bigpipe -d vip 10.10.10.100:80 use pool my_pool
The command checks the syntax and logic, reporting any errors that would be encountered if the command executed.
Use the -d command together with the -f <filename> command to validate the specified configuration file. For example, to check the syntax of the configuration file /etc/altbigip.conf, use the following command:
bigpipe -d -f /etc/altbigip.conf
-f
bigpipe -f <filename>
Description
Resets all of the BIG-IP Controller settings and then loads the configuration settings from the specified file, typically the /etc/bigip.conf file, or another file that you specify.
bigpipe -f /etc/bigip.conf
For testing purposes, you can save a test configuration by renaming it to avoid confusion with the boot configuration file. To load a test configuration, use the -f command with the <filename> parameter. For example, if you renamed your configuration file to /etc/bigtest.conf, the command would be:
bigpipe -f /etc/bigtest.conf
failover
bigpipe failover standby | show | init | failback
Description
This group of commands affects the fail-over status of the BIG-IP Controller.
In an active/standby or active-active configuration, run the following command to place a controller in standby mode:
bigpipe failover standby
Show the status of the controller with the following command:
bigpipe failover show
Note: The failback command is only applicable if you are running a redundant system in active-active mode.
In an active-active configuration, run the following command after you issue the bigpipe failover standby command. This allows the inactive controller to resume handling connections:
bigpipe failover failback
You can use the bigpipe failover init command to refresh the parameters of the fail-over daemon (/sbin/sod) with any new configuration data entered in the BIG/db database.
bigpipe failover init
gateway
bigpipe gateway failsafe arm | disarm | show
Description
Turns the gateway fail-safe feature on and off. This command is supported only for redundant systems. To configure gateway pingers, you must first set the IP address of the router, ping interval, and timeout period in BIG/db. For information about configuring gateway fail-safe, see the BIG-IP Controller Administrator Guide, Working with Advanced Redundant System Features.
The typical use of gateway fail-safe is a setup where active and standby BIG-IP Controllers use different routers as gateways to the internet. Fail-over is triggered if the gateway for the active controller is unreachable. Note that this is not a condition that is reliably detected by the interface fail-safe feature, but is reliably detected by gateway fail-safe.
To arm fail-safe on the gateway, enter the following command:
bigpipe gateway failsafe arm
To disarm fail-safe on the gateway, enter the following command:
bigpipe gateway failsafe disarm
To see the current fail-safe status for the gateway, enter the following command:
bigpipe gateway failsafe show
-h and -help
bigpipe [-h | -help ]
Description
Displays the bigpipe command syntax or usage text for all current commands.
Note: More detailed man pages are available for some individual bigpipe commands. To display detailed online help for the bigpipe command, type: man bigpipe.
interface
bigpipe interface <ifname> show
bigpipe interface <ifname> source enable | disable
bigpipe interface <ifname> dest enable | disable
bigpipe interface <interface> source_translation [ enable | disable ]
bigpipe interface <ifname> adminport open | lockdown
bigpipe interface <ifname> failsafe arm | disarm | show
bigpipe interface <ifname> timeout <seconds> | show
bigpipe interface <ifname> mac_masq <mac_addr> | show
bigpipe interface <ifname> vlans enable | disable | show
Description
Displays names of installed network interface cards and allows you to set properties for each network interface card.
Note: Interface fail-safe is not designed for gateway or node failure detection, as it cannot detect router or node failures in instances where other sources of Ethernet traffic are active on the interface.
Designating an internal or external interface
With BIG-IP Controller version 3.0 and later, you can define interfaces using three new parameters: source, dest, and adminport. You can mix and match these options to streamline the performance of the BIG-IP Controllers in the network. Table 3.3 describes the attributes that determine the way an interface handles connections.
Use the following syntax to designate an interface as an internal or external interface.
bigpipe interface <ifname> source enable | disable
bigpipe interface <ifname> dest enable | disable
bigpipe interface <ifname> adminport open | lockdown
The <ifname> parameter takes a valid interface name such as:
- exp0
  This is the first Intel NIC
- fpa1
  This is the second FDDI NIC
- de2
  This is the third DEC/SMC NIC
- sk0
  This is the first SysKonnect Gigabit Ethernet NIC
Note: Dual port Ethernet NICs show up as two distinct interfaces.
The following sample syntax configures the interface exp0 as an internal interface on the BIG-IP Controller:
bigpipe interface exp0 source enable
bigpipe interface exp0 dest disable
bigpipe interface exp0 adminport open
The following sample syntax configures the interface exp1 as an external interface on the BIG-IP Controller:
bigpipe interface exp1 source disable
bigpipe interface exp1 dest enable
bigpipe interface exp1 adminport lockdown
Warning: Use caution when redefining interfaces. When you reconfigure interfaces, make sure that you have set up the interfaces you need for operation. It is possible to accidentally take the controller out of network service by redefining interfaces.
Source translation processing
When source translation processing is enabled on an interface, then the BIG-IP Controller processes packets arriving at the interface when those packets are coming from a node, SNAT, or NAT internal address. In this situation, the interface rewrites the source address of the IP packet, changing it from the real server's IP address, or original NAT address, to the virtual server or translated NAT address, respectively. Also, when the last hop feature is enabled on a virtual server, the packet is routed back to the network device that first transmitted the connection request to the virtual server.
To configure source and destination processing from the command line
Use the following syntax to configure source and destination processing on the specified interface:
bigpipe interface <interface> source_translation [ enable | disable ]
Displaying status for interfaces
Use the following syntax to display the current status and the settings for all installed interface cards:
bigpipe interface show
Figure 3.2 is an example of the output you see when you issue this command on an active/standby controller in active mode.
Figure 3.2 The bigpipe interface show command output
exp0 11.11.11.2, dest enable, source disable, disarmed, timeout 30
shared alias 11.11.11.3 netmask 255.0.0.0 broadcast 11.255.255.255 unit 1
exp1 11.12.11.2, dest disable, source enable, disarmed, timeout 30
shared alias 11.12.11.3 netmask 255.0.0.0 broadcast 11.255.255.255 unit 1
Use the following syntax to display the current status and the setting for a specific interface.
bigpipe interface <ifname> show
Arming and disarming the fail-safe mode
Use the following command to activate the BIG-IP Controller interface fail-safe mode.
bigpipe interface <ifname> failsafe arm
When armed, the active controller automatically fails over to the standby controller whenever the active controller detects that there is no activity on the specified interface, and subsequently detects no activity on the interface in response to ARP requests. The default fail-safe mode is set to disarm.
Warning: You should arm the fail-safe mode only after you configure the BIG-IP Controller, and both the active and standby units are ready to be placed into a production environment.
Before using the bigpipe interface failsafe command, you must specify the default route in the /etc/hosts and /etc/netstart files.
Use the following command to deactivate the BIG-IP Controller interface fail-safe mode.
bigpipe interface <ifname> failsafe disarm
Setting the fail-safe timeout
To set the amount of time (in seconds) that an interface is monitored for activity in response to a BIG-IP Controller ARP request, use the following syntax:
bigpipe interface <ifname> timeout <seconds>
If no activity is detected on the interface within the specified time, the BIG-IP Controller assumes that the interface is down. Note that the default setting is 30 seconds.
Warning messages and ARP requests are generated after half of the specified time-out period. In the case of an armed BIG-IP Controller in a BIG-IP redundant system, traffic is switched from the active unit to the standby unit at the end of the time-out period. Note that the fail-safe timeout is used only if the fail-safe option is armed on the interface.
Viewing the timeout setting
Use the following syntax to view the fail-over timeout setting for a specific interface:
bigpipe interface <ifname> timeout show
Displaying the current fail-safe status
Use the following syntax to display the current status and settings for the BIG-IP Controller fail-safe mode:
bigpipe interface failsafe show
Setting the MAC masquerade address
Sharing the MAC masquerade address makes it possible to use BIG-IP Controllers in a network topology using secure hubs. You can view the media access control (MAC) address on a given controller using the following command:
/sbin/ifconfig -a
Use the following syntax to set the MAC masquerade address that will be shared by both BIG-IP Controllers in the redundant system.
bigpipe interface <ifname> mac_masq <MAC addr>
Warning: You must specify a default route before using the mac_masq command. You specify the default route in the /etc/hosts and /etc/netstart files.
Find the MAC address on both the active and standby units and choose one that is similar but unique. A safe technique for choosing the shared MAC address follows.
Suppose you want to set up mac_masq on the external interfaces. Using the ifconfig -a command on the active and standby units, you note that their MAC addresses are:
Active: exp0 = 0:0:0:ac:4c:a2
Standby: exp0 = 0:0:0:ad:4d:f3
In order to avoid packet collisions, you now must choose a unique MAC address. The safest way to do this is to select one of the addresses and logically OR the first byte with 0x40. This makes the MAC address a locally administered MAC address.
In this example, either 40:0:0:ac:4c:a2 or 40:0:0:ad:4d:f3 would be a suitable shared MAC address to use on both BIG-IP Controllers in the redundant system.
The shared MAC address is used only when the BIG-IP Controller is in active mode. When the unit is in standby mode, the original MAC address of the network card is used.
If you do not configure mac_masq on startup, or when transitioning from standby mode to active mode, the BIG-IP Controller sends gratuitous ARP requests to notify the default router and other machines on the local Ethernet segment that its MAC address has changed. See RFC 826 for more details on ARP.
Note: You can use the same technique to configure a shared MAC address for each interface.
Enabling VLAN communication for an interface
To use IEEE 802.1q VLAN Trunk mode, you must first set up VLAN tags in /etc/netstart and in the shared IP in BIG/db. For detailed information about setting up VLAN tags, see the BIG-IP Controller Administrator Guide, Using Advanced Network Configurations.
Use the following syntax to enable, disable, or show the VLAN status of the specified internal interface:
bigpipe interface <ifname> vlans enable | disable | show
ipalias
bigpipe ipalias <ifname> <if address> netmask <ip mask> \
[ broadcast <ip address> ] [ unit <id> ] [ tag <vlan tag> ]
Description
Configures shared IP addresses on installed network interface cards. The configuration you create with this command is stored in the BIG/db. If you use VLAN tags in your configuration, you can use this command to set the VLAN tag for the shared IP alias.
You must issue this command for each interface that you want to configure with the same IP alias. For example, if you want to configure the IP alias 192.168.100.100 for the interfaces exp0 and exp1, type the following commands:
bigpipe ipalias exp0 192.168.100.100 netmask 255.255.0.0
bigpipe ipalias exp1 192.168.100.100 netmask 255.255.0.0
-l
bigpipe -l <file_name>
Description
Use the -l command to load the BIG-IP Controller configuration from <file_name> without resetting the current configuration.
lb
bigpipe lb show
bigpipe lb round_robin | rr
bigpipe lb ratio
bigpipe lb priority
bigpipe lb fastest
bigpipe lb least_conn
bigpipe lb predictive
bigpipe lb observed
Description
Sets the global load balancing mode for all node list virtual servers.
Note: Pools are configured with their own load balancing method. For more information on this, see Setting up persistence for a pool, on page 2-65.
Setting the load balancing mode
Use the following syntax to set the load balancing mode:
bigpipe lb <mode name>
The mode names are displayed at the top of the page.
This command sets the load balancing mode to Least Connections, which routes new connections to the node that currently maintains the least number of connections.
bigpipe lb least_conn
Viewing the currently selected load balancing mode
The following command displays the currently selected load balancing mode.
bigpipe lb show
maint
bigpipe maint
Description
Toggles a BIG-IP Controller into and out of Maintenance mode. When in Maintenance mode, a BIG-IP Controller accepts no new connections, but it does allow existing connections to complete.
The maint command interactively prompts you to enter or exit the maintenance mode.
bigpipe maint
If the BIG-IP Controller is already in maintenance mode, the maint command takes the BIG-IP Controller out of maintenance mode. If the BIG-IP Controller is in maintenance mode for more than 20 minutes, the BIG-IP Controller immediately begins to accept new connection requests.
If the BIG-IP Controller has been in maintenance mode for more than 20 minutes, it automatically updates all network ARP caches; this process normally takes a few seconds. However, you can speed the process up by reloading the configuration file, using the following command:
bigpipe -f /etc/bigip.conf
mirror
bigpipe mirror enable | disable | show
Description
Enables and disables mirroring between active and standby BIG-IP Controllers. Mirroring ensures that persistence and connection information on the active controller are duplicated on the standby controllers. This command enables and disables mirroring for all virtual servers.
To enable mirroring on a redundant system:
bigpipe mirror enable
To disable mirroring on a redundant system:
bigpipe mirror disable
To show the current status of mirroring on a redundant system:
bigpipe mirror show
nat
bigpipe nat <orig_addr> to <trans_addr>[/<bitmask>] [<ifname>]
[unit <unit ID>]
bigpipe nat <orig_addr> to <trans_addr> netmask <netmask> \
[broadcast <broadcast_ip>] [<ifname>] [unit <unit ID>]
bigpipe nat <orig_addr> [...<orig_addr>] delete
bigpipe nat <trans_addr> [...<trans_addr>] delete
bigpipe nat [<trans_addr> [...<trans_addr>] ] show
bigpipe nat [<orig_addr> [...<orig_addr>] ] show
bigpipe nat [<orig_addr>] stats reset
Description
Defines an IP address, routable on the external network, that a node can use to initiate connections to hosts on the external network and receive direct connections from clients on the external network. The NAT (Network Address Translation) command defines a mapping between the IP address of a server behind the BIG-IP Controller <orig_addr> and an unused routable address on the network in front of the BIG-IP Controller <trans_addr>.
Defining a NAT
A NAT definition maps the IP address of a node <orig_addr> to a routable address on the external interface <trans_addr>, and can include an optional interface and netmask specification. Use the following syntax to define a NAT:
bigpipe nat <orig_addr> to <trans_addr>[/<bitmask>] [<ifname>]
[unit <unit ID>]
The <ifname> parameter is the internal interface of the BIG-IP Controller through which packets must pass to get to the destination internal address. The BIG-IP Controller can determine the interface to configure for the NAT in most cases. The <ifname> parameter is useful, for example, where there is more than one internal interface. You can use the unit <unit ID> parameter to specify the controller to which this NAT applies in an active-active redundant system.
The following example shows a NAT definition:
bigpipe nat 10.10.10.10 to 10.12.10.10/24 exp1
Deleting NATs
Use the following syntax to delete one or more NATs from the system:
bigpipe nat <orig_addr> [...<orig_addr>] delete
Displaying status of NATs
Use the following command to display the status of all NATs included in the configuration:
bigpipe nat show
See figure 3.3 for the output when you display the status of a NAT. Use the following syntax to display the status of one or more selected NATs:
bigpipe nat <orig_addr> [...<orig_addr>] show
NAT { 10.10.10.3 to 9.9.9.9 }
(pckts,bits) in = (0, 0), out = (0, 0)
NAT { 10.10.10.4 to 12.12.12.12 netmask 255.255.255.0 broadcast 12.12.12.255 }
(pckts,bits) in = (0, 0), out = (0, 0)
Resetting statistics for a NAT
Use this command to reset the statistics for an individual NAT:
bigpipe nat [<orig_addr>] stats reset
Use the following command to reset the statistics for all NATs:
bigpipe nat stats reset
Additional Restrictions
The nat command has the following additional restrictions:
- The IP address defined in the <orig_addr> parameter must be routable to a specific server behind the BIG-IP Controller.
- You must delete a NAT before you can redefine it.
- The interface for a NAT may only be configured when the NAT is first defined.
-n
bigpipe -n
Description
Use the -n option in combination with other commands, such as bigpipe vip, to display ports numerically rather than by service name. For example, type the following command to display ports numerically:
bigpipe -n vip
Notice that the ports are listed numerically rather than by service name. See Figure 3.4 for an example of the output.
Figure 3.4 The output of bigpipe -n vip
VIP +------> 11.100.1.1 UNIT 1
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+---+--> PORT 80 UP
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
MEMBER 11.12.1.100:80 UP
(cur, max, limit, tot) = (0, 0, 0, 0)
(pckts,bits) in = (0, 0), out = (0, 0)
node
bigpipe node <node ip>[:<port>][...<node ip>[:<port>]] \
enable | disable
bigpipe node [<node ip>[:<port>][...<node ip>[:<port>]] ] show
bigpipe node <node ip>[:<port>][...<node ip>[:<port>]] \
limit <max conn>
bigpipe node <node ip>[:port] up | down
bigpipe node [<node ip>:<port>] stats reset
Description
Displays information about nodes and allows you to set properties for nodes and node addresses.
Enabling and disabling nodes and node addresses
To enable a node address, use the node command with a node address and the enable option:
bigpipe node 192.168.21.1 enable
To disable a node address, use the node command with the disable option:
bigpipe node 192.168.21.1 disable
To enable one or more node addresses, use the node command with a node address and port, and the enable option:
bigpipe node 192.168.21.1:80 enable
To disable one or more node addresses, use the node command with the disable option:
bigpipe node 192.168.21.1:80 disable
Marking nodes and node ports up or down
To mark a node address down, use the node command with a node address and the down option. (Note that marking a node down prevents the node from accepting new connections. Existing connections are allowed to complete.):
bigpipe node 192.168.21.1 down
To mark a node address up, use the node command with the up option:
bigpipe node 192.168.21.1 up
To mark a port down, use the node command with a node address and port, and the down option. (Note that marking a port down prevents the port from accepting new connections. Existing connections are allowed to complete.):
bigpipe node 192.168.21.1:80 down
To mark a port up, use the node command with the up option:
bigpipe node 192.168.21.1:80 up
Setting connection limits for nodes
Use the following command to set the maximum number of concurrent connections allowed on a node:
bigpipe node <node ip>[:<port>][...<node ip>[:<port>]] \
limit <max conn>
Note that to remove a connection limit, you also issue the preceding command, but set the <max conn> variable to 0 (zero). For example:
bigpipe node 192.168.21.1:80 limit 0
Setting connection limits for node addresses
The following example shows how to set the maximum number of concurrent connections to 100 for a list of node addresses:
bigpipe node 192.168.21.1 192.168.21.1 \
192.168.21.1 limit 100
To remove a connection limit, you also issue this command, but set the <max conn> variable to 0 (zero).
Displaying status of all nodes
bigpipe node show
When you issue the node show command, the BIG-IP Controller displays the node status (up or down, or unchecked), and a node summary of connection statistics, which is further broken down to show statistics by port. The report shows the following information:
- current number of connections
- total number of connections made to the node since last boot
- maximum number of concurrent connections since the last boot
- concurrent connection limit on the node
- total number of inbound and outbound packets and bits
Figure 3.5 shows the output of this command.
Figure 3.5 Node status and statistics
bigpipe node 192.168.200.50:20
NODE 192.168.200.50 UP
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+- PORT 20 UP
(cur, max, limit, tot) = (0, 0, 0, 0)
(pckts,bits) in = (0, 0), out = (0, 0)
Displaying the status of individual nodes and node addresses
Use this command to display status and statistical information for one or more node addresses:
bigpipe node 192.168.21.1 show
The command reads the status of each node address, the number of current connections, total connections, and connections allowed, and the number of cumulative packets and bits sent and received.
Use the following command to display status and statistical information for one or more specific nodes:
bigpipe node 192.168.21.1:80 show
Resetting statistics for a node
Use the following command to reset the statistics for an individual node address:
bigpipe node [<node ip>:<port>] stats reset
persist
bigpipe persist <port> [...<port>] <seconds>
bigpipe persist dump
Description
Enables or disables simple persistence on one or more virtual ports. Persistence tracks the source IP addresses of all incoming requests, and the nodes and ports that hosted the request. It forces new connections from the source address to use the same node as used by the prior connection from that source IP address. A configurable time limit determines how long the BIG-IP Controller retains persistent connection information. By default, persistence is disabled on all ports. Persistence is affected by certain system control variables.
Setting a persistence timeout
Use the following syntax to set the number of seconds for which the BIG-IP Controller maintains persistent connection information on a specific virtual port:
bigpipe persist <port> <seconds>
Set <seconds> to 0 to turn persistence off for a specific virtual port.
Displaying persistent connections
Use the following syntax to display information about current persistent connections:
bigpipe persist [<port>] [...<port>] dump
pool
bigpipe pool <pool name> { lb_method <lb_method_specification>
[persist_mode <persist_mode_specification>] <member
definition>... }
bigpipe pool <pool name> add { <member definition>... }
bigpipe pool <pool name> delete { <member definition>... }
bigpipe pool <pool name> modify { [lb_method
<lb_method_specification>] [persist_mode
<persist_mode_specification>] <member definition>... }
bigpipe pool <pool name> delete
bigpipe pool [<pool name>] show
bigpipe pool <pool name> lb_method show
bigpipe pool <pool name> persist show
Description
Use the pool command to create, delete, modify, or display the pool definitions on the BIG-IP Controller. Use pools to group members together with a common load balancing mode and persistence mode. For additional information about configuring pools, see the BIG-IP Controller Administrator Guide, Working with Intelligent Traffic Control.
Creating a pool
To create a pool, use the following syntax:
bigpipe pool <pool_name> {lb_method <lb_method_specification>
[persist_mode <persist_mode_specification>]
<member_definition>... member <member_definition>}
Each of these elements is described in Table 3.5, on page 3-42.
For detailed information about setting up persistence with pools, see the Administrator Guide, Setting up persistence for a pool, on page 2-65.
To activate Insert HTTP cookie persistence from the command line
If you specify Insert mode, the BIG-IP Controller inserts a cookie from the server in the header of the HTTP response with information about the server to which the client connects. The cookie is named BIGipServer<pool_name>, and it includes the address and port of the server handling the connection. The expiration date for the cookie is set based on the timeout configured on the BIG-IP Controller.
To activate Insert mode from the command line, use the following syntax:
bigpipe pool <pool_name> { <lb_method_specification> persist_mode
cookie cookie_mode insert cookie_expiration <timeout> <member
definition> }
The <timeout> value for the cookie is written using the following format:
<days>d hh:mm:ss
To activate Rewrite mode cookie persistence from the command line
If you specify Rewrite mode, the BIG-IP Controller intercepts a Set-Cookie, named BIGipCookie, sent from the server to the client and overwrites the name and value of the cookie. The new cookie is named BIGipServer<pool_name> and it includes the address and port of the server handling the connection.
To use rewrite mode, you must set up the cookie created by the server. For Rewrite mode to work, the BIG-IP Controller needs a blank cookie coming from the web server to rewrite. With Apache variants, you can add the cookie to every web page header by adding an entry in the httpd.conf file:
Header add Set-Cookie BIGipCookie=
000000000000000000000000000000000000000000...
The cookie should contain a total of 120 zeros.
Warning: For backward compatibility the blank cookie can contain only 75 zeros. However, cookies of this size do not allow you to use rules and persistence together.
To activate Rewrite mode from the command line, use the following syntax:
bigpipe pool <pool_name> { <lb_method_specification> persist_mode
cookie cookie_mode rewrite cookie_expiration <timeout> <member
definition> }
The <timeout> value for the cookie is written using the following format:
<days>d hh:mm:ss
To activate Passive mode cookie persistence from the command line
If you specify Passive mode, the BIG-IP Controller does not insert or search for blank Set-Cookies in the response from the server. It does not try to set up the cookie. In this mode, BIG-IP Controller assumes that the server provides the cookie formatted with the correct node information and timeout.
In order for Passive mode to work, a cookie needs to come from the web server with the appropriate node information in the cookie. With Apache variants, you can add the cookie to every web page header by adding an entry in the httpd.conf file:
Header add Set-Cookie: "BIGipServerMY_POOL=184658624.20480.000;
expires=Sat, 19-Aug-2000 19:35:45 GMT; path=/"
In this example, my_pool is the name of the pool that contains the server node, 184658624 is the encoded node address and 20480 is the encoded port.
The equation for an address (a.b.c.d) is:
d*256^3 + c*256^2 + b*256 + a
The way to encode the port is to take the two bytes that store the port and reverse them. So, port 80 becomes 80 * 256 + 0 = 20480. Port 1433 (instead of 5 * 256 + 153) becomes 153 * 256 + 5 = 39173.
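The address and port arithmetic above is a reversible encoding, so the node address and port can be recovered from any BIGipServer cookie a client receives. The following Python is an added example, not part of the F5 documentation: it implements the two formulas, decodes the page's sample value, and audits a Set-Cookie header for the node it exposes. The function names and the 10.1.1.5:8080 sample are constructed for illustration.

```python
"""Encode, decode and audit BIG-IP cookie-persistence values (added example)."""
import ipaddress
import re
import struct

# BIGipServer<pool_name>=<address>.<port>.<field>, the layout of the page's
# Passive-mode sample. The page does not explain the third field, so it is
# treated as opaque here.
COOKIE_RE = re.compile(r"BIGipServer([^=;\s]+)=(\d+)\.(\d+)\.(\d+)", re.ASCII)
VALUE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)", re.ASCII)


def encode_address(ip):
    """a.b.c.d -> d*256^3 + c*256^2 + b*256 + a."""
    octets = ipaddress.IPv4Address(ip).packed   # bytes a, b, c, d
    return struct.unpack("<I", octets)[0]       # same bytes read little-endian


def decode_address(value):
    """Inverse of encode_address; rejects values that do not fit in 32 bits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"address field out of range: {value}")
    return str(ipaddress.IPv4Address(struct.pack("<I", value)))


def swap_port_bytes(port):
    """Reverse the two bytes that store the port (the swap is its own inverse)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"port field out of range: {port}")
    return ((port & 0xFF) << 8) | (port >> 8)


def encode_cookie_value(ip, port):
    """Build a cookie value; the trailing 000 is copied from the page's sample."""
    return f"{encode_address(ip)}.{swap_port_bytes(port)}.000"


def decode_cookie_value(value):
    """Return (node_ip, node_port) for a value such as 184658624.20480.000."""
    match = VALUE_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"not an <address>.<port>.<field> value: {value!r}")
    return decode_address(int(match.group(1))), swap_port_bytes(int(match.group(2)))


def audit_set_cookie(header):
    """List every node a Set-Cookie header reveals through a BIGipServer cookie."""
    findings = []
    for pool, addr, port, _field in COOKIE_RE.findall(header):
        try:
            node_ip = decode_address(int(addr))
            node_port = swap_port_bytes(int(port))
        except ValueError:
            continue  # malformed fields: not a decodable persistence cookie
        findings.append({
            "pool": pool,
            "node_ip": node_ip,
            "node_port": node_port,
            "private": ipaddress.IPv4Address(node_ip).is_private,
        })
    return findings


# The cookie from the page's httpd.conf example.
PAGE_SAMPLE = ('Set-Cookie: BIGipServerMY_POOL=184658624.20480.000; '
               'expires=Sat, 19-Aug-2000 19:35:45 GMT; path=/')

# Constructed sample: hypothetical pool "web_pool", node 10.1.1.5 port 8080.
CONSTRUCTED_SAMPLE = ("Set-Cookie: BIGipServerweb_pool="
                      + encode_cookie_value("10.1.1.5", 8080) + "; path=/")

if __name__ == "__main__":
    for header in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        for finding in audit_set_cookie(header):
            print(finding)
```

Running the audit over captured response headers shows which node addresses and ports are visible to clients in Insert, Rewrite and Passive modes.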
After you set up the cookie created by the web server, you must activate Passive mode on the BIG-IP Controller. To activate HTTP cookie persistence from the command line, use the following syntax:
bigpipe pool <pool_name> { <lb_method_specification> persist_mode
cookie cookie_mode passive <member definition> }
Note: The <timeout> value is not used in Passive mode.
To configure the hash cookie persistence option from the command line
If you specify hash mode, the BIG-IP Controller consistently maps a cookie value to a specific node. When the client returns to the site, the BIG-IP Controller uses the cookie information to return the client to a given node. With this mode, the web server must generate the cookie. The BIG-IP Controller does not create the cookie automatically as it does with Insert mode.
Use the following syntax to configure the hash cookie persistence option:
bigpipe pool <pool_name> { <lb_method_specification> persist_mode
cookie cookie_mode hash cookie_hash_name <cookie_name>
cookie_hash_offset <cookie_value_offset> cookie_hash_length
<cookie_value_length> <member definition> }
The <cookie_name>, <cookie_value_offset>, and <cookie_value_length> values are described in Table 3.4:
To activate sticky persistence from the command line
Use the following command to enable sticky persistence for a pool:
bigpipe pool <pool_name> modify { persist_mode sticky <enable | disable> sticky_mask <ip address> }
Use the following command to disable sticky persistence for a pool:
bigpipe pool <pool_name> modify { persist_mode sticky disable
sticky_mask <ip address> }
Use the following command to delete sticky entries for the specified pool:
bigpipe pool <pool_name> sticky clear
To activate SSL persistence from the command line
Use the following syntax to activate SSL persistence from the command line:
bigpipe pool <pool_name> modify { persist_mode ssl ssl_timeout
<timeout> simple_mask <ip_mask> }
For example, if you want to set SSL persistence on the pool my_pool, type the following command:
bigpipe pool my_pool modify { persist_mode ssl ssl_timeout 3600
simple_mask 255.255.255.0 }
To apply a simple timeout and persist mask from the command line
The complete syntax for the command is:
bigpipe pool <pool_name> modify { [<lb_method_specification>]
persist_mode simple simple_timeout <timeout> simple_mask
<dot_notation_longword> }
For example, the following command keeps persistence information together for all clients within a Class C network that connect to the pool classc_pool:
bigpipe pool classc_pool modify { persist_mode simple
simple_timeout 1200 simple_mask 255.255.255.0 }
You can turn off a persist mask on a pool by using the none option in place of the simple_mask mask. To turn off the persist mask that you set in the preceding example, use the following command:
bigpipe pool classc_pool modify { simple_mask none }
Display persistence information for a pool
To show the persistence configuration for the pool:
bigpipe pool <pool_name> persist show
To display all persistence information for the pool named classc_pool, use the show option:
bigpipe pool classc_pool persist show
Options
Use the following elements to construct pools:
Deleting a pool
To delete a pool, use the following syntax:
bigpipe pool <pool_name> delete
All references to a pool must be removed before a pool can be deleted.
Modifying pools
You can use the command line to add or delete members from a pool. You can also modify the load balancing mode for a pool from the command line. To add a new member to a pool, use the following syntax:
bigpipe pool <pool_name> add { 1.2.3.2:telnet }
To delete a member from a pool, use the following syntax:
bigpipe pool <pool_name> delete { 1.2.3.2:telnet }
Display pools
Use the following syntax to display all pools:
bigpipe pool show
Use the following syntax to display a specific pool:
bigpipe pool <pool_name> show
port
bigpipe port <port> [...<port>] limit <max conn>
bigpipe port <port> [...<port>] enable | disable | show
Description
Enables and disables network traffic on virtual ports, and also sets connection limits on ports. You can use standard port numbers, service or port names (for example, www, http, or 80) for the <port> parameter. Note that the port settings you define with this command control the port service for all virtual servers that use the port. By default, all ports are disabled.
A port is any valid port number, between 0 and 65535, inclusive, or any valid service name in the /etc/services file.
Allowing and denying virtual ports
You can enable or disable traffic to specific virtual ports. The default setting for all virtual ports is disabled. Use the following syntax to allow one or more virtual ports:
bigpipe port <port> [...<port>] enable
To deny access to one or more virtual ports, use this syntax:
bigpipe port <port> [...<port>] disable
Setting connection limits on ports
Use the following syntax to set the maximum number of concurrent connections allowed on a virtual port. Note that you can configure this setting for one or more virtual ports.
bigpipe port <port> [...<port>] limit <max conn>
To turn off a connection limit for one or more ports, use the same command, setting the <max conn> parameter to 0 (zero) like this:
bigpipe port <port> [...<port>] limit 0
Displaying the status of all virtual ports
Use the following syntax to display the status of virtual ports included in the configuration:
bigpipe port show
Displaying the status for specific virtual ports
Use the following syntax to display the status of one or more virtual ports:
bigpipe port <port> [...<port>] show
Figure 3.6 shows a sample of formatted output from the port command.
Figure 3.6 Formatted output of port command showing the Telnet port statistics
bigpipe port telnet show
PORT 23 telnet enable
(cur, max, limit, tot, reaped) = (37,73,100,691,29)
(pckts,bits) in = (2541, 2515600), out = (2331, 2731687)
proxy
bigpipe proxy <ip>:<port> [/bitmask] [<ifname>] [<unit id>] target
<server | vip> <ip>:<port> ssl enable key <key> cert <cert>
bigpipe proxy <ip>:<port> [<ifname>] [<unit id>] netmask <ip>
[broadcast <ip>] target <server | vip> <ip>:<port> ssl enable
key <key> cert <cert>
bigpipe proxy <ip>:<port> enable
bigpipe proxy <ip>:<port> disable
bigpipe proxy <ip>:<port> delete
bigpipe proxy <ip>:<port> show
bigpipe proxy <ip>:<port> lasthop pool <pool_name>
Description
Use the proxy command to create, delete, modify, or display the SSL gateway definitions on the BIG-IP Controller. For detailed information about setting up the SSL Accelerator feature, see the BIG-IP Administrator Guide, Configuring an SSL Accelerator.
Creating an SSL gateway from the command line
Use the following command syntax to create an SSL gateway. Use this syntax if you want to configure a gateway by specifying a bitmask instead of a netmask and broadcast address:
bigpipe proxy <ip>:<port> [/bitmask] [<ifname>] [<unit id>] target
<server | vip> <ip>:<port> ssl enable key <key> cert <cert>
Use this syntax if you want to configure a gateway by specifying a netmask and broadcast address instead of a bitmask:
bigpipe proxy <ip>:<port> [<ifname>] [<unit id>] netmask <ip>
[broadcast <ip>] target <server | vip> <ip>:<port> ssl enable
key <key> cert <cert>
For example, from the command line you can create an SSL gateway that looks like this:
bigpipe proxy 10.1.1.1:443 exp0 unit 1 { netmask 255.255.255.0
broadcast 10.1.1.255 target vip 20.1.1.1:80 ssl enable key
my.server.net.key cert my.server.net.cert }
Note that when the configuration is written out in the bigip.conf file, the line ssl enable is automatically added. When the SSL gateway is written in the /etc/bigip.conf file, it looks like the sample in Figure 3.7:
Figure 3.7 An example SSL gateway configuration
proxy 10.1.1.1:443 exp0 unit 1 {
netmask 255.255.255.0
broadcast 10.1.1.255
target vip 20.1.1.1:80
ssl enable
key my.server.net.key
cert my.server.net.cert
}
Enabling, disabling, or deleting an SSL gateway from the command line
You can enable, disable, or delete an SSL gateway with the following syntax:
bigpipe proxy <ip>:<port> enable
bigpipe proxy <ip>:<port> disable
bigpipe proxy <ip>:<port> delete
If you want to enable the SSL gateway 209.100.19.22:443, you might type the following command:
bigpipe proxy 209.100.19.22:443 enable
If you want to disable the SSL gateway 209.100.19.22:443, you could type the following command:
bigpipe proxy 209.100.19.22:443 disable
For example, if you want to delete the SSL gateway 209.100.19.22:443, type the following command:
bigpipe proxy 209.100.19.22:443 delete
Displaying configuration information for an SSL gateway from the command line
Use the following syntax to view the configuration for the specified SSL gateway:
bigpipe proxy <ip>:<port> show
For example, if you want to view configuration information for the SSL gateway 209.100.19.22:80, type the following command:
bigpipe proxy 209.100.19.22:80 show
Figure 3.8 is a sample output from the bigpipe proxy show command.
Figure 3.8 Output from the bigpipe proxy show command
SSL PROXY +---> 11.12.1.200:443 -- Originating Address -- Enabled Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
| LastHop Pool Name
+===> 11.12.1.100:80 -- Destination Address -- Server
SSL PROXY +---> 11.12.1.120:443 -- Originating Address -- Enabled Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
| LastHop Pool Name
+===> 11.12.1.111:80 -- Destination Address -- Vip
Adding a last hop pool to an SSL gateway from the command line
Use the following syntax to reference a last hop pool from an SSL gateway:
bigpipe proxy <ip>:<port> lasthop pool <pool_name>
For example, if you want to assign the last hop pool named ssllasthop_pool to the SSL gateway 11.12.1.200:443, type the following command:
bigpipe proxy 11.12.1.200:443 lasthop pool ssllasthop_pool
-r
bigpipe -r
Description
Use the following syntax to clear the configuration values and counter values from memory:
bigpipe -r
Warning: Use this command with caution. All network traffic stops when you run this command.
Typically, this command is used on a standby BIG-IP Controller prior to loading a new /etc/bigip.conf file that contains new tping and treaper values.
For example, you can execute the following commands on a standby BIG-IP Controller:
bigpipe -r
bigpipe -f <filename>
This sequence of commands ensures that only the values set in the <filename> specified are in use.
ratio
bigpipe ratio [<node ip>] [<node ip> ...] show
bigpipe ratio <node ip> [<node ip>...] <weight>
Description
This command provides two functions related to load balancing:
- For the Ratio load balancing mode, the command sets the weight or proportions for one or more node addresses.
- For the Priority load balancing mode, the command sets the priority level. Note that multiple node addresses can have the same priority level setting.
Setting ratio weight for one or more node addresses
The default ratio setting for any node address is 1. If you use the Ratio or Priority load balancing modes, you must set a ratio other than 1 for at least one node address in the configuration. If you do not change at least one ratio setting, the load balancing modes have the same effect as the Round Robin load balancing mode.
Use the following syntax to set the ratio for one or more node addresses:
bigpipe ratio <node ip> [...<node ip>] <weight>
For example, the following command sets the ratio weight to 3 for a specific node address:
bigpipe ratio 192.168.103.20 3
Displaying the ratio weights for node addresses
The following command displays the current ratio weight settings for all node addresses.
bigpipe ratio show
The command displays this output:
192.168.200.51 ratio = 3
192.168.200.52 ratio = 1
Displaying ratio weight for specific node addresses
Use the following syntax to display the ratio setting for one or more node addresses:
bigpipe ratio <node ip> [...<node ip>] show
Note: The <weight> parameter must be a whole number, equal to or greater than 1.
rule
bigpipe rule <rule name> ' { <if statement> | <use statement> } '
bigpipe rule <rule name> delete
bigpipe rule [<rule name>] show
Description
Use the rule command to create, delete, or display the rules on the BIG-IP Controller. Rules allow a virtual server to access any number of pools on the BIG-IP Controller. For more detailed information about using rules, see Rule, on page 2-114.
Note: Before you define a rule, you must define the pool or pools that you want the rule to reference.
Create a rule
You can add rules by manually typing them into an existing /etc/bigip.conf file. However, you can also use the bigpipe rule command to create, delete, or display rules. To create a rule with bigpipe, type the complete rule on the command line, without line breaks. For example, you can type in this rule:
bigpipe rule cgi_rule ' {if (http_uri ends_with "cgi") {use ( cgi_pool )} else {use ( default_pool )}} '
If the http_uri string ends with "cgi" then the members from cgi_pool are used for load balancing. If the http_uri string does not end with "cgi", then the members of default_pool are used for load balancing.
Associating a rule with virtual server
You can associate a rule with a virtual server by using the following syntax:
bigpipe vip <virt ip>:<port> use rule <rule_name>
For example, if you want to associate the rule cgi_rule to the virtual server 10.20.2.101:http, type in the following command:
bigpipe vip 10.20.2.101:http use rule cgi_rule
Deleting a rule
You can delete a rule using the following syntax:
bigpipe rule <rule_name> delete
Display rules
Use the following syntax to display all rules:
bigpipe rule show
Use the following syntax to display a specific rule:
bigpipe rule <rule_name> show
Definitions
You can create a rule by combining a number of different elements. A simple rule could contain the following elements:
rule <rule_name> { if ( <variable> <binary_operator> "<literal>" )
{ use ( <pool_name> ) } else { use ( <another_pool_name> ) } }
For example, a rule named cgi_rule that sends CGI connections to a load balancing pool named cgi_pool, or HTTP connections to a pool named http_pool looks like this:
bigpipe rule cgi_rule ' {if (http_uri ends_with "cgi") {use ( cgi_pool )} else {use ( http_pool )}} '
Use the elements in Table 3.6 to create rules.
Note: For more detailed information about using rules, see Rule, on page 2-114.
-s
bigpipe -s [ <filename> | - ]
Description
Writes the current BIG-IP Controller configuration settings from memory to the default boot configuration file named /etc/bigip.conf.
You can type bigpipe -s, or a hyphen character (-) in place of a file name, to display the configuration on the standard output device.
bigpipe -s -
Or you can type the following command:
bigpipe -s
If you are testing and integrating BIG-IP Controllers into a network, you may want to use multiple test configuration files. Use the following syntax to write the current configuration to a file name that you specify:
bigpipe -s <filename>
For example, the following command saves the current configuration from memory to an alternate configuration file named /etc/bigip.conf2.
bigpipe -s /etc/bigip.conf2
snat
bigpipe snat map <node ip> [...<node ip>] to \
<SNAT ip> [netmask <ip>] [<ifname>] [unit <unit ID>]
bigpipe snat map default to <SNAT ip> [<ifname>] \
[unit <unit ID>] [netmask <ip>]
bigpipe snat <SNAT ip> [...<SNAT ip>] delete
bigpipe snat default delete
bigpipe snat default dump [verbose]
bigpipe snat [<node ip> [...<node ip>] ] dump [verbose]
bigpipe snat globals show
bigpipe snat default show
bigpipe snat [<node ip> [...<node ip>] ] show
bigpipe snat limit <max conn>
bigpipe snat default limit <max conn>
bigpipe snat <node ip> [...<node ip>] limit \
<max conn>
bigpipe snat <node ip> [...<node ip>] mirror \
enable | disable
bigpipe snat default mirror enable | disable
bigpipe snat <node ip> [...<node ip>] timeout tcp | udp \
<seconds>
bigpipe snat [default] timeout tcp | udp <seconds>
bigpipe snat <SNAT ip> [...<SNAT ip>] stats reset
bigpipe snat default stats reset
Description
Defines one or more addresses that nodes can use as a source IP address when initiating connections to hosts on the external network. Note that clients cannot use SNAT addresses to connect directly to nodes.
Defining the default SNAT
Use the following syntax to define the default SNAT. If you use the netmask parameter and it is different from the external interface default netmask, the command sets the netmask and derives the broadcast address. You can use the unit <unit ID> parameter to specify a unit in an active-active redundant configuration.
bigpipe snat map default to <SNAT ip> [<ifname>] [unit <unit ID>]
[netmask <ip>]
Creating individual SNAT addresses
Use the following command syntax to create a SNAT mapping:
bigpipe snat map <node ip> [...<node ip>] to \
<SNAT ip> [<ifname>] [unit <unit ID>] [netmask <ip>]
If the netmask is different from the external interface default netmask, the command sets the netmask and derives the broadcast address.
Deleting SNAT Addresses
The following syntax deletes a specific SNAT:
bigpipe snat <SNAT ip> | default delete
Showing SNAT mappings
The following bigpipe command shows mappings:
bigpipe snat [<SNAT ip>] [...<SNAT ip>] show
bigpipe snat default show
The following command shows the current SNAT connections:
bigpipe snat [<SNAT ip>] [...<SNAT ip>] dump [ verbose ]
bigpipe snat default dump [ verbose ]
The optional verbose keyword provides more detailed output.
The following command prints the global SNAT settings:
bigpipe snat globals show
Limiting connections
Use the following commands to set the maximum number of concurrent connections allowed for one or more SNAT addresses. Zero indicates no limit.
bigpipe snat <SNAT ip> limit <max conn>
The default SNAT address connection limit is set with the following command:
bigpipe snat default limit <max conn>
Set the global concurrent connection limit with this command:
bigpipe snat limit <max conn>
Enabling mirroring for redundant systems
The following example sets SNAT mirroring for all SNAT connections originating at 192.168.225.100:
bigpipe snat 192.168.225.100 mirror enable
Setting idle connection timeouts
Use the following command to set the timeout for idle TCP connections:
bigpipe snat timeout tcp <seconds>
Use the following command to set the timeout for idle UDP connections. Note that you must have a timeout set for UDP connections; zero is not allowed:
bigpipe snat timeout udp <seconds>
Use the following command to set the timeout for idle TCP connections originating at this node address. Set <seconds> to 0 (zero) to disable TCP timeout for these nodes.
bigpipe snat <node ip> [...<node ip>] timeout tcp <seconds>
Use the following command to set the timeout for idle TCP connections originating at the default node address. Set <seconds> to 0 (zero) to disable TCP timeout for these nodes.
bigpipe snat default timeout tcp <seconds>
Use the following syntax to set the timeout for idle UDP connections originating at this node address. Note that you must have a timeout set for UDP connections; zero is not allowed:
bigpipe snat <node ip> [...<node ip>] timeout udp <seconds>
Use the following syntax to set the timeout for idle UDP connections originating at the default SNAT address. Note that you must have a timeout set for UDP connections; zero is not allowed:
bigpipe snat default timeout udp <seconds>
Clearing statistics
You can reset statistics by node or by SNAT address. Use the following syntax to clear all statistics for one or more nodes:
bigpipe snat <node ip> [ ...<node ip> ] stats reset
Use the following syntax to clear all statistics for one or more SNAT addresses:
bigpipe snat <SNAT ip> [ ...<SNAT ip> ] stats reset
Use the following command to reset the statistics to zero for the default:
bigpipe snat default stats reset
summary
bigpipe summary
Description
Displays a summary of current usage statistics.
The output display format for the summary command is shown in Figure 3.9.
For detailed descriptions of each statistic displayed by the summary command, refer to the BIG-IP Controller Administrator Guide, Monitoring and Administration.
Figure 3.9 The summary output display
BIG-IP total uptime = 1 (day) 4 (hr) 40 (min) 8 (sec)
BIG-IP total uptime (secs) = 103208
BIG-IP total # connections = 0
BIG-IP total # pkts = 0
BIG-IP total # bits = 0
BIG-IP total # pkts(inbound) = 0
BIG-IP total # bits(inbound) = 0
BIG-IP total # pkts(outbound) = 0
BIG-IP total # bits(outbound) = 0
BIG-IP error no nodes available = 0
BIG-IP tcp port deny = 0
BIG-IP udp port deny = 0
BIG-IP vip tcp port deny = 0
BIG-IP vip udp port deny = 0
BIG-IP max connections deny = 0
BIG-IP vip duplicate syn ssl = 0
BIG-IP vip duplicate syn wrong dest = 0
BIG-IP vip duplicate syn node down = 0
BIG-IP vip maint mode deny = 0
BIG-IP virtual addr max connections deny = 0
BIG-IP virtual path max connections deny = 0
BIG-IP vip non syn = 0
BIG-IP error not in out table = 0
BIG-IP error not in in table = 0
BIG-IP error vip fragment no port = 0
BIG-IP error vip fragment no conn = 0
BIG-IP error standby shared drop = 0
BIG-IP dropped inbound = 0
BIG-IP dropped outbound = 0
BIG-IP reaped = 0
BIG-IP ssl reaped = 0
BIG-IP persist reaped = 0
BIG-IP udp reaped = 0
BIG-IP malloc errors = 0
BIG-IP bad type = 0
BIG-IP mem pool total 96636758 mem pool used 95552 mem percent used 0.10
timeout_node
bigpipe timeout_node show
bigpipe timeout_node <seconds>
bigpipe timeout_node 0
Description
Sets the amount of time that a server has to respond to a BIG-IP Controller ping in order for the server to be marked up. If a server fails to respond within the specified time, the BIG-IP Controller assumes that the server is down, and the BIG-IP Controller no longer sends packets to the services hosted by the server. If the server responds to the next ping, or to subsequent pings, the BIG-IP Controller then marks the server up, and resumes sending packets to those services.
The default is 15 seconds.
Note: If the timeout_node interval is shorter than the timeout_svc setting, a node can be marked down before the services on the node are marked down.
Displaying the current timeout value
Use the following command to display the current timeout setting for node ping:
bigpipe timeout_node show
Setting a timeout value for node ping
Use the following syntax to set the timeout setting for node ping:
bigpipe timeout_node <seconds>
The sample command below sets the timeout to 33 seconds.
bigpipe timeout_node 33
Disabling node ping
To disable node ping, you simply set the node ping timeout value to 0 (zero):
bigpipe timeout_node 0
Warning: Node ping is the only form of verification that the BIG-IP Controller uses to determine status of node addresses. If you turn node ping off while one or more node addresses are currently down, the node addresses remain marked down until you turn node ping back on and allow the BIG-IP Controller to verify the node addresses again.
timeout_svc
bigpipe timeout_svc [<port>] show
bigpipe timeout_svc <port> <seconds>
bigpipe timeout_svc <port> 0
Description
Sets the amount of time that a specific node has to respond to a service check issued by the BIG-IP Controller. This setting affects three types of service checks:
- Simple service check, where the BIG-IP Controller attempts to establish a connection to the service hosted by the node
- Extended content verification, where the BIG-IP Controller requests specific content from the node
- Extended application verification, where the BIG-IP Controller executes an external service check program that verifies whether or not specific content is available on the node
If a node fails to respond to any type of service check within the specified time, the BIG-IP Controller assumes that the service is down and no longer sends client requests to the service. If the node responds to the next service check, or to subsequent service checks, the BIG-IP Controller marks the service up, and resumes sending requests to the service.
Warning: The BIG-IP Controller does not attempt to detect the status of a node if node ping is turned off (bigd -n) and the timeout_svc and tping_svc values are set to 0 for a particular node.
The timeout_svc default for each port is set to 0, which disables service checks on the port.
Note that the BIG-IP Controller monitors only those services that have a timeout_svc and tping_svc value greater than 0.
Setting the service check timeout
Use the following syntax to set the service check timeout for a specific node port. Note that this setting applies to all nodes that use the port.
bigpipe timeout_svc <port> <seconds>
For example, the following command sets the service check timeout on port 80 to 120 seconds:
bigpipe timeout_svc 80 120
Disabling the service check
To disable service check on a specific port, use the above command, but set the <seconds> parameter to zero:
bigpipe timeout_svc <port> 0
Displaying service check timeouts
Use the following command to display the current service check timeout settings for all ports:
bigpipe timeout_svc show
The system displays the following output:
port 80 timeout after 120 seconds
The system displays only ports that have a timeout set to a value other than 0.
Use the following syntax to display the current service check timeout setting for a specific port:
bigpipe timeout_svc <port> [show]
tping_node
bigpipe tping_node show
bigpipe tping_node <seconds>
Description
Sets the interval (in seconds) at which a BIG-IP Controller issues a ping to each server managed by the BIG-IP Controller. If a specific server responds to the ping within a set time, the server is marked up and the BIG-IP Controller sends connections to the services hosted by that server. If a server fails to respond to a ping within the specified time, the BIG-IP Controller assumes that the server is no longer available, and it marks the node down.
Note that the timeout_node setting determines the number of seconds that a server has in which to respond to the ping issued by the BIG-IP Controller.
The default setting for tping_node is 5 seconds.
Setting a node ping interval
Use the following syntax to set the number of seconds which a server can take to respond to a ping issued by the BIG-IP Controller:
bigpipe tping_node <seconds>
Disabling node ping
To turn node ping off, set the interval to 0 seconds:
bigpipe tping_node 0
Displaying the current node ping setting
Use the following command to display the current node ping setting:
bigpipe tping_node show
tping_svc
bigpipe tping_svc show
bigpipe tping_svc <port> <seconds>
bigpipe tping_svc <port> 0
Description
Sets the interval (in seconds) at which BIG-IP Controller issues a service check to one or more specific nodes included in the configuration. This setting affects three types of service check:
- Simple service check, where the BIG-IP Controller attempts to establish a connection to the service hosted by the node
- Extended content verification, where the BIG-IP Controller requests specific content from the node
- Extended application verification, where the BIG-IP Controller executes an external service check program that verifies whether or not specific content is available on the node
If a node fails to respond to a service check within the time specified by the timeout_svc setting, the BIG-IP Controller marks the service down, and no longer routes client requests to it.
Warning: The BIG-IP Controller does not attempt to detect the status of a node if node ping is turned off (bigd -n) and the timeout_svc and tping_svc values are set to 0 for a node.
Setting global service check intervals for a node port
Use the following syntax to set a service check interval for a specific node port:
bigpipe tping_svc <port> <seconds>
Use the following syntax to turn service check off for a specific node port:
bigpipe tping_svc <port> 0
Displaying the current service check interval
Use the following syntax to display the intervals at which the BIG-IP Controller issues service checks to all nodes configured for service check:
bigpipe tping_svc show
treaper
bigpipe treaper show
bigpipe treaper <port> <seconds>
bigpipe treaper <port> 0
Description
Sets the expiration time for idle TCP connections on a specific port. An idle connection is one in which no data has been received or sent for the number of seconds specified by the treaper command. The treaper default value is 1005 seconds. For treaper to be effective, you should set its value to be greater than the configured timeout for the service daemons installed on your nodes.
The treaper command clears the connection tables, avoiding memory problems due to the accumulation of dead, but not terminated, connections.
Setting the idle TCP connection timeout for a virtual port
To set an inactive connection timeout for one or more virtual ports, use the following syntax:
bigpipe treaper <port> <seconds>
To turn off the inactive connection timeout, use the same command, but set the number of seconds to zero:
bigpipe treaper <port> 0
Note: Typical settings include 120 seconds for 25/SMTP, 120 seconds for 80/www, 300-600 seconds for 20/ftp-data and 21/ftp-data.
Displaying the current inactive connection timeout
To display the current number of seconds that connections are allowed to remain idle before being dropped, use the following syntax:
bigpipe treaper show
udp
bigpipe udp [<port> [...<port>] ] show
bigpipe udp <port> [...<port>] <seconds>
bigpipe udp <port> 0
Description
The udp command enables UDP traffic on virtual ports and also sets a timeout for idle UDP connections. UDP traffic is enabled only when the timeout is set to a value greater than 0 (zero). You can disable UDP traffic on a port by setting the idle connection timeout to 0 (zero). By default, UDP is disabled on all ports.
Setting the idle connection timeout for UDP traffic
To set the UDP timeout on one or more virtual ports, where the <seconds> parameter is the number of seconds before an idle connection is dropped, use the following syntax:
bigpipe udp <port> <seconds>
For example, the following command sets the UDP timeout to 300 seconds for port 53:
bigpipe udp 53 300
To turn off UDP timeout for a virtual port, use the above command, setting the <seconds> parameter to zero:
bigpipe udp <port> 0
Displaying UDP settings
Use the following command to display the UDP timeout setting for all ports that allow UDP:
bigpipe udp show
Use the following syntax to display the timeout setting for a specific virtual port that allows UDP:
bigpipe udp <port> show
The system displays the output:
port 53 idle udp connections expire after 300 seconds
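The tping_svc, treaper and udp settings described above can be reviewed together before a configuration is loaded. The following Python sketch is an added example, not part of the BIG-IP documentation or tooling: it reads bigpipe command lines in the syntax shown in this chapter and flags ports where the idle TCP timeout is off or not greater than the service daemon timeout, where UDP has been enabled, and where service check is off. The function names, the sample commands and the daemon timeout table are constructed for illustration.

```python
TREAPER_DEFAULT = 1005  # seconds; default given in the treaper description

SAMPLE_COMMANDS = [  # constructed for this example
    "bigpipe treaper 80 120",
    "bigpipe treaper 25 0",
    "bigpipe treaper 21 300",
    "bigpipe udp 53 300",
    "bigpipe udp 161 162 60",
    "bigpipe udp 161 0",
    "bigpipe udp 53 show",
    "bigpipe tping_svc 80 5",
    "bigpipe tping_svc 25 0",
]
# Constructed: idle timeout (seconds) of the service daemons on the nodes,
# keyed by port. The operator supplies this; bigpipe does not report it.
SAMPLE_DAEMON_TIMEOUTS = {80: 15, 21: 900}


def parse_settings(commands):
    """Collect the last value set per port for treaper, udp and tping_svc."""
    settings = {"treaper": {}, "udp": {}, "tping_svc": {}}
    for line in commands:
        words = line.split()
        if len(words) < 4 or words[0] != "bigpipe" or words[1] not in settings:
            continue  # unrelated commands and "<command> show" set nothing
        *ports, seconds = words[2:]
        if not seconds.isdigit() or not all(p.isdigit() for p in ports):
            continue  # "<port> show" forms and service names are skipped
        for port in ports:
            settings[words[1]][int(port)] = int(seconds)
    return settings


def review(commands, daemon_timeouts):
    """Return sorted (finding, port, seconds) tuples for settings to revisit."""
    s = parse_settings(commands)
    findings = []
    for port in set(s["treaper"]) | set(daemon_timeouts):
        seconds = s["treaper"].get(port, TREAPER_DEFAULT)
        if seconds == 0:
            # Idle connections are never expired from the connection table.
            findings.append(("treaper-off", port, 0))
        elif port in daemon_timeouts and seconds <= daemon_timeouts[port]:
            # treaper should be greater than the daemon's own timeout.
            findings.append(("treaper-not-above-daemon-timeout", port, seconds))
    for port, seconds in s["udp"].items():
        if seconds > 0:  # UDP is disabled by default; a value > 0 enables it
            findings.append(("udp-enabled", port, seconds))
    for port, seconds in s["tping_svc"].items():
        if seconds == 0:
            findings.append(("service-check-off", port, 0))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(SAMPLE_COMMANDS, SAMPLE_DAEMON_TIMEOUTS):
        print(*finding)
```

Later commands override earlier ones for the same port, so port 161 in the sample ends up with UDP disabled and is not reported.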
unit
bigpipe unit [show]
bigpipe unit peer [show]
Description
The unit number on a BIG-IP Controller designates which virtual servers use a particular controller in an active-active redundant configuration. You can use the bigpipe unit command to display the unit number assigned to a particular BIG-IP Controller. For example, to display the unit number of the unit you are on, type the following command:
bigpipe unit show
To display the unit number of the other controller in a redundant system, type in the following command:
bigpipe unit peer show
Note: If you use this command on a redundant system in active/standby mode, the active controller shows as unit 1 and 2, and the standby controller has no unit numbers.
Tip: The bigpipe unit peer show command is the best way to determine whether the respective state mirroring daemons are connected.
-v
bigpipe -v
Description
Displays the version number of the bigpipe command utility.
For example, bigpipe -v displays the following output:
bigpipe: 3.3
version
bigpipe version
Description
Displays the version number of the BIG-IP Controller's operating system.
The bigpipe version command provides the following version information:
BIG-IP: version 3.3
vip
bigpipe vip <virt ip>[:<port>] [<ifname>] [unit <ID>] \
[netmask <ip>] [broadcast <ip>] use pool <pool_name>
bigpipe vip <virt ip>:<port>[/<bitmask>] [<ifname>] [unit <ID>] \
use pool <pool_name>
bigpipe vip <virt ip>[:<port>] [<ifname>] [unit <ID>] \
[netmask <ip>] [broadcast <ip>] use rule <rule_name>
bigpipe vip <virt ip>:<port>[/<bitmask>] [<ifname>] [unit <ID>] \
use rule <rule_name>
bigpipe vip [<virt ip>[:<port>]] [...<virt ip>[:<port>] ] show
bigpipe vip <virt ip>[:<port>] [<ifname>] [ ... <virt ip>[:<port>]\
] enable | disable | delete
bigpipe vip <virt ip>[:<port>] [... <virt ip>[:<port>]] limit \
<max conn>
bigpipe vip <virt ip>:<port> translate port enable | disable | show
bigpipe vip <virt ip>:<port> translate addr enable | disable | show
bigpipe vip <virt ip>:<port> lasthop pool <pool_name> | none | show
bigpipe vip <virt ip>:<port> mirror conn enable | disable | show
bigpipe vip [<virt ip:port>] stats reset
bigpipe vip <ip>:<port> accelerate disable
bigpipe vip <ip>:<port> use pool the_pool accelerate disable
Description
Creates, deletes, and displays information about virtual servers. This command also sets connection mirroring, connection limits, and timeouts on a virtual server.
Defining a virtual server
Virtual servers are port-specific, and if you are configuring a site that supports more than one service, you need to configure one virtual server for each service offered by the site. Use the following syntax to define the pools or rules to which a virtual server maps. The unit <ID> parameter specifies which unit handles the virtual server in an active-active redundant configuration. You can associate pools or rules with a virtual server. The following sections describe the syntax for associating a pool or a rule with a virtual server.
Configuring a virtual server to use a load balancing pool
Use the following syntax to create a virtual server that references a load balancing pool. Note that you must create a pool before you can create a virtual server that references the pool. For information about creating a pool, see Creating a pool, on page 3-36.
bigpipe vip <virt ip>:<port> [<ifname>] [unit <ID>] use pool <pool_name>
For example, if you want to create a virtual server that references the pool my_pool, the command might look like this:
bigpipe vip 11.12.1.53:80 use pool my_pool
Configuring a virtual server to use a load balancing rule
Use the following syntax to create a virtual server that references a load balancing rule. Note that you must create a rule before you can create the virtual server that references the rule. For information about creating a rule, see Associating a rule with a virtual server, on page 3-53.
bigpipe vip <virt ip>:<port> [<ifname>] [unit <ID>] use rule <rule_name>
For example, if you want to create a virtual server that references the rule my_rule, the command might look like this:
bigpipe vip 11.12.1.53:80 use rule my_rule
Displaying information about virtual servers
Use the following syntax to display information about all virtual servers included in the configuration:
bigpipe vip show
Use the following syntax to display information about one or more virtual servers included in the configuration:
bigpipe vip <virt ip>:<port> [...<virt ip>:<port>] show
The command displays information such as the nodes associated with each virtual server, the nodes' status, and the current, total, and maximum number of connections managed by the virtual server since the BIG-IP Controller was last rebooted.
Defining an interface for a virtual server
If you have multiple external (destination processing) interfaces, you can specify one of them when you define a virtual server.
- If you specify an interface name, the BIG-IP Controller responds to ARP requests for the virtual address on that interface.
- If you do not specify an interface name, the BIG-IP Controller responds to ARP requests for the virtual server on the default interface.
- If you do not want the BIG-IP Controller to respond to ARP requests on any interface, use the option none in place of the <ifname> parameter.
All virtual servers that share a virtual address must use the same external interface. Changing the interface for a virtual server changes the interface for all virtual servers that have the same virtual address.
Setting a user-defined netmask and broadcast
The default netmask for a virtual address, and for each virtual server hosted by that virtual address, is determined by the network class of the IP address entered for the virtual server. The default broadcast is automatically determined by the BIG-IP Controller, and it is based on the virtual address and the current netmask. You can override the default netmask and broadcast for any virtual address.
All virtual servers hosted by the virtual address use the netmask and broadcast of the virtual address, whether they are default values or they are user-defined values.
If you want to use a custom netmask and broadcast, you define both when you define the virtual server:
bigpipe vip <virt ip>[:<port>] [<ifname>] [netmask <ip>] \
[broadcast <ip>] use pool <pool_name>
Note: The BIG-IP Controller calculates the broadcast based on the IP address and the netmask. A user-defined broadcast address is not necessary.
Again, even when you define a custom netmask and broadcast in a specific virtual server definition, the settings apply to all virtual servers that use the same virtual address. The following sample command shows a user-defined netmask and broadcast:
bigpipe vip www.SiteOne.com:http netmask 255.255.0.0 \
broadcast 10.0.140.255 use pool my_pool
The /bitmask option shown in the following example applies network and broadcast address masks. In this example, a 24-bit bitmask sets the network mask and broadcast address for the virtual server:
bigpipe vip 206.168.225.1:80/24 use pool my_pool
The effect of the bitmask is the same as applying the 255.255.255.0 netmask, which generates the same broadcast address. For this virtual server, the broadcast address derived from the network mask is 206.168.225.255.
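The netmask and broadcast rules in this section can be checked with standard IPv4 arithmetic. The following Python sketch is an added example, not BIG-IP code: it parses a virtual server specification, applies the class-based default netmask when neither a netmask nor a bitmask is given, derives the broadcast address, and reports whether a user-defined broadcast agrees with the value the netmask implies. The function names are hypothetical, and the 10.0.140.1 address in the usage is constructed, since the sample command above uses a host name.

```python
import ipaddress


def classful_netmask(ip):
    """Default netmask implied by the network class (A, B or C) of `ip`."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"      # class A
    if first_octet < 192:
        return "255.255.0.0"    # class B
    if first_octet < 224:
        return "255.255.255.0"  # class C
    raise ValueError(f"{ip} is not a class A, B or C address")


def parse_vip(spec):
    """Split '<virt ip>[:<port>][/<bitmask>]' into (ip, port, bitmask)."""
    addr, _, bits = spec.partition("/")
    ip, _, port = addr.partition(":")
    return ip, (port or None), (int(bits) if bits else None)


def effective_mask_and_broadcast(spec, netmask=None):
    """Return (netmask, broadcast) for a virtual server specification.

    Precedence: /bitmask in the spec, then an explicit netmask, then the
    class-based default.
    """
    ip, _port, bitmask = parse_vip(spec)
    if bitmask is not None and netmask is not None:
        raise ValueError("give either a /bitmask or a netmask, not both")
    mask = bitmask if bitmask is not None else (netmask or classful_netmask(ip))
    network = ipaddress.ip_interface(f"{ip}/{mask}").network
    return str(network.netmask), str(network.broadcast_address)


def broadcast_matches(spec, netmask, broadcast):
    """True when a user-defined broadcast equals the one the netmask implies."""
    return effective_mask_and_broadcast(spec, netmask)[1] == broadcast


if __name__ == "__main__":
    # The /24 example from this section.
    print(effective_mask_and_broadcast("206.168.225.1:80/24"))
    # Class-based default for the 11.12.1.53:80 virtual server used earlier.
    print(effective_mask_and_broadcast("11.12.1.53:80"))
    # Constructed address: a broadcast that differs from the computed value.
    print(broadcast_matches("10.0.140.1:80", "255.255.0.0", "10.0.140.255"))
```

A mismatch reported by broadcast_matches is worth a second look before the definition is applied, because the netmask and broadcast of a virtual address apply to every virtual server that shares it.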
Setting a connection limit
The default setting is to have no limit to the number of concurrent connections allowed on a virtual server. You can set a concurrent connection limit on one or more virtual servers using the following command:
bigpipe vip <virt ip>[:<port>] [...<virt ip>[:<port>] ] limit \
<max conn>
The following example shows two virtual servers set to have a concurrent connection limit of 5000 each:
bigpipe vip www.SiteOne.com:http www.SiteTwo.com:ssl limit 5000
To turn off the limit, set the <max conn> variable to zero:
bigpipe vip <virt ip>[:<port>] [...<virt ip>[:<port>] ] limit 0
Setting translation properties for virtual addresses and ports
Turning port translation off for a virtual server is useful if you want to use the virtual server to load balance connections to any service. Use the following syntax to enable or disable port translation for a virtual server.
bigpipe vip <virt ip>:<port> translate port enable | disable | show
You can also configure the translation properties for a virtual server address. This option is useful when the BIG-IP Controller is load balancing devices that have the same IP address. This is typical with the nPath routing configuration where duplicate IP addresses are configured on the loopback device of several servers. Use the following syntax to enable or disable address translation for a virtual server.
bigpipe vip <virt ip>:<port> translate addr enable | disable | show
Setting up last hop pools for virtual servers
In cases where you have more than one router sending connections to a BIG-IP redundant system, you may want to route connections back through the same router from which they were received. To configure a last hop pool, you must first create a pool that contains the routers for the BIG-IP redundant system. After you create a router pool, use the following syntax to configure a last hop pool for a virtual server.
bigpipe vip <virt ip>:<port> lasthop pool <pool_name> | none | show
Mirroring connection information
Mirroring provides seamless recovery of current connections when a BIG-IP Controller fails. When you use the mirroring feature, the peer controller maintains the same current connection and persistence information as its partner controller. Transactions such as FTP file transfers continue as though uninterrupted.
To control mirroring for a virtual server, use the mirror command to enable or disable mirroring of connections. The syntax of the command is:
bigpipe vip <virt ip>:<port> mirror conn enable | disable
To print the current mirroring setting for a virtual server:
bigpipe vip <virt ip>:<port> mirror conn show
If you do not specify conn, the BIG-IP Controller displays all mirrored connection information.
Note: If you set up mirroring on a virtual server that supports FTP connections, you need to mirror both the control port virtual server and the data port virtual server.
The following example shows the two commands used to enable mirroring for virtual server v1 on the FTP control and data ports:
bigpipe vip v1:21 mirror conn enable
bigpipe vip v1:20 mirror conn enable
Removing and returning a virtual server to service
You can remove an existing virtual server from network service, or return the virtual server to service, using the disable and enable keywords. When you disable a virtual server, the virtual server no longer accepts new connection requests, but it allows current connections to finish processing before the virtual server goes down. Use the following syntax to remove a virtual server from network service:
bigpipe vip <virt ip>:<port> [...<virt ip>:<port>] disable
Use the following syntax to return a virtual server to network service:
bigpipe vip <virt ip>:<port> enable
Removing and returning a virtual address to service
You can remove an existing virtual address from network service, or return the virtual address to service, using the disable and enable keywords. Note that when you enable or disable a virtual address, you inherently enable or disable all of the virtual servers that use the virtual address. Use the following syntax to remove a virtual address from network service:
bigpipe vip <virt ip> disable
Use the following syntax to return a virtual address to network service:
bigpipe vip <virt ip> enable
Displaying information about virtual addresses
You can also display information about the virtual addresses that host individual virtual servers. Use the following syntax to display information about one or more virtual addresses included in the configuration:
bigpipe vip <virt ip> [... <virt ip> ] show
The command displays information such as the virtual servers associated with each virtual address, the status, and the current, total, and maximum number of connections managed by the virtual address since the BIG-IP Controller was last rebooted, or since the BIG-IP Controller became the active unit (redundant configurations only).
Deleting a virtual server
Use the following syntax to permanently delete one or more virtual servers from the BIG-IP Controller configuration:
bigpipe vip <virt ip>:<port> [... <virt ip>:<port>] delete
Resetting statistics for a virtual server
Use the following command to reset the statistics for an individual virtual server:
bigpipe vip [<virt ip:port>] stats reset
Turning software acceleration off for virtual servers using IPFW rate filters
Additional enhancements are included in this release that speed packet flow for TCP connections when the packets are not fragmented. In most configurations these software enhancements are automatically turned on and do not require any additional configuration.
However, you may want to turn off these enhancements for individual virtual servers that use IPFW rate filters. With the speed enhancements on, IPFW only examines the first SYN packet in any given connection. If you want to filter all packets, you should turn off the speed enhancements. To do this, you must first set the global state of the system on, and then you must turn off the feature for individual virtual servers that use IPFW rate filtering. You can change the settings for these enhancements from the command line or in the Configuration utility.
Setting software acceleration controls from the command line
Before you can turn off software acceleration for a virtual server, you must set the sysctl variable bigip.fastpath_active to on (2) with the following command:
sysctl -w bigip.fastpath_active=2
After you set the sysctl variable, use the following bigpipe commands to disable software acceleration for existing virtual servers that use IPFW rate filtering:
bigpipe vip <ip>:<port> accelerate disable
For example, if you want to turn acceleration off for the virtual server 10.10.10.50:80, type the following command:
bigpipe vip 10.10.10.50:80 accelerate disable
You can define a virtual server with acceleration disabled using the following syntax:
bigpipe vip <ip>:<port> use pool the_pool accelerate disable
For example, if you want to define the virtual server 10.10.10.50:80 with the pool IPFW_pool and acceleration turned off, type the following command:
bigpipe vip 10.10.10.50:80 use pool IPFW_pool accelerate disable
Backward-compatible commands
The following bigpipe commands from previous versions of the BIG-IP Controller are compatible with this version and have been included here for users of previous versions of the product.
dt [<ip>[:<port> ] ]
port <port> [<port>... ] [allow | deny] [ limit <limit> ]
vip <virt ip>:<port> persistmask [ <IP address mask> ]
vip <virt ip>:<port> persistmask [ none | show ]
vip <virt ip>[:<port>] [<ifname>] netmask <ip> \
[ broadcast <ip> ] define <node ip>[:<port> \
[ <node ip>[:<port>... ] [ special ssl <value> <value> ]
nat <node ip> to <NAT ip> [<ifname>] netmask <ip> \
[ broadcast <ip> ]
fo [ master | slave ]
vip <virt ip>[:<port>] [/<bitmask>] [<ifname>|none ] \
[unit <unit ID>] define <node ip>[:<port>] \
[..<node ip>[:<port>] ] [special ssl <seconds> <seconds>]
vip <virt ip>[:<port>] netmask <ip> [broadcast <ip>] \
[<ifname> | none ] [unit <unit ID>] define <node ip>[:<port>] \
[...<node ip>[:<port>] ] [special ssl <seconds> <seconds>] \
[special cookie insert | rewrite | passive <days>d <hh:mm:ss>]]
vip <virt ip>[:<port>] netmask <ip> [broadcast <ip>] \
[<ifname> | none ] [unit <unit ID>] define <node ip>[:<port>] \
[...<node ip>[:<port>] ] [special cookie hash <name> <offset> <length>]
vip <virt ip>:<port> mirror persist enable | disable | show
vip <virt ip>:<port> persist show | dump | <value>
vip <virt ip>:<port> persist mask <ip> | none | show
vip 0.0.0.0:<port> sticky [ enable | disable | show | clear | dump ]
vip 0.0.0.0:<port> sticky mask [ <ip> | none | show ]
vip sticky dump
vip sticky clear