Applies To:
Show VersionsBIG-IP versions 1.x - 4.x
- 4.2 PTF-10, 4.2 PTF-09, 4.2 PTF-08, 4.2 PTF-07, 4.2 PTF-06, 4.2 PTF-05, 4.2 PTF-04, 4.2 PTF-03, 4.2 PTF-02, 4.2 PTF-01, 4.2.0
7
bigpipe Command Reference
bigpipe commands
This chapter lists the various bigpipe commands, including syntax requirements and functional descriptions. Table 7.1 outlines the conventions used in the command line syntax.
The following table provides a concise listing of the individual bigpipe commands, along with the page reference where you can find the detailed description.
Command |
Description |
Page |
-? |
Displays online help for an individual bigpipe command. |
|
class |
Displays all classes included with BIG-IP. |
|
config |
Synchronizes the /config/bigip.conf between the two BIG-IP units in a redundant system. |
|
conn |
Shows information about current connections such as the source IP address, virtual server and port, and node. |
|
default_gateway |
Creates a pool of default gateways. |
|
failover |
Sets the BIG-IP as active or standby. |
|
global |
Sets global variable definitions. |
|
-h and help |
Displays online help for bigpipe command syntax. |
|
interface |
Sets options on individual interfaces. |
|
load |
Loads the BIG-IP configuration and resets. |
|
maint |
Toggles the BIG-IP into and out of maintenance mode. |
|
makecookie |
Loads the BIG-IP configuration without resetting the current configuration. |
|
merge |
Loads a saved BIG-IP configuration without resetting the current configuration. |
|
mirror |
Copies traffic from any port or set of ports to a single, separate port. |
|
monitor |
Defines a health check monitor. |
|
-n |
Displays addresses and ports numerically rather than by name. |
|
nat |
Defines external network address translations for nodes. |
|
node |
Defines node property settings. |
|
pool |
Defines load balancing pools. |
|
proxy |
Defines the properties of the SSL gateway for the SSL Accelerator. |
|
ratio |
Sets load-balancing weights and priority levels used in the Ratio and Priority load balancing modes. |
|
reset |
Clears the BIG-IP configuration and counter values. |
|
rule |
Defines load balancing rules. |
|
save |
Writes the current configuration to a file. |
|
self |
Assigns a self IP address for a VLAN or interface. |
|
service |
Defines properties for services. |
|
snat |
Defines and sets options for SNAT (Secure NAT). |
|
stp |
Implements spanning tree protocol (STP). |
|
summary |
Displays summary statistics for the BIG-IP. |
|
trunk |
Aggregates links to form a trunk. |
|
unit |
Displays the unit number assigned to a particular BIG-IP. |
|
verbose |
Used to modify the verbose log level. |
|
verify |
Parses the command line and checks syntax without executing the specified command. |
|
version |
Displays the bigpipe utility version number. |
|
virtual |
Defines virtual servers, virtual server mappings, and virtual server properties. |
|
vlan |
Defines VLANs, VLAN mappings, and VLAN properties. |
|
vlangroup |
Defines VLAN groups. |
b <command> -?
For certain commands, displays online help, including complete syntax, description, and other related information. For example, to see online help for the bigpipe service command, type:
b service -?
b class <class name> { <ip member> <ip member> ... } <ip member> ::= HOST <ip addr> | NETWORK <ip addr> MASK <ip addr>
b class <class name> { <string> <string> ... }
b class <class name> { <num> <num> ... }
b <class name> show
b class ip show
b class string show
b class value show
b class show
b class <class name> delete
Creates, shows, and deletes any classes, such as class AOL. Default classes are also shown.
The BIG-IP includes a number of predefined lists. They are:
- AOL Network
- Image Extensions
- Non-routable addresses
These lists are located in the file /etc/default_classes.txt. When the bigpipe load command is issued, the lists are loaded. Unless modified by a user, these lists are not saved to the file bigip.conf.
The following are examples of class types defined with the class command. Note that string classes require escape characters in the syntax to keep from being interpreted literally by the UNIX system.
b class string_class { \".string\" ... } | '{ ".string" }'
b class numeric_class { <num> <num> ... }
b class host_class { host <ip_addr> }
b class network_class { network <ip_addr> mask <mask_addr> }
b config sync
b config sync all
b config sync running
b config save <file>
b config install <file>
Synchronizes configurations of two BIG-IP units in a redundant system by collecting and copying the configuration file(s) from the active unit to the standby unit (config sync). Also archives configuration files for backup purposes (config save) and installs saved files (config install).
Synchronizing configuration files
config sync without the all option synchronizes only the basic configuration file /config/bigip.conf.
config sync all synchronizes the following configuration files:
- The common BIG/db keys
- All common files in /config
- All common files in /etc
config sync running synchronizes the running version of /config/bigip.conf, which is the image that resides in memory as the system runs. This file is loaded into memory on the standby unit, it is not saved.
Note: The config sync command applies only to BIG-IP and not to 3-DNS.
Saving configuration files to an archive
config save <file> saves all configuration files to a single archive file, <file>.ucs, on the local unit without copying it to the standby unit. By default, <file>.ucs is saved to the directory /user/local/ucs. An alternate location can be specified by expressing <file> as a relative or absolute path. For example:
b config save /user/local/config_backup/my_conf
This writes the file my_conf.ucs to the directory /user/local/config_backup.
Installing an archived configuration file
config install <file> reinstalls the archived configuration files saved as <file>.ucs to their working locations on the local unit.
If you use command line utilities to set configuration options, be sure to save the current configuration to the relevant files before you use the configuration synchronization feature. (Alternatively, if you want to test the memory version on the standby unit first, use bigpipe config sync running.) Use the following bigpipe command to save the current configuration:
b save
Note: A file named /usr/local/ucs/cs_backup.ucs is created prior to installing a UCS from a remote machine.
b conn [ <client_ip>[:<client_service>] ] dump [mirror]
Displays information about current client connections to virtual addresses and virtual servers.
The following command displays all current client connections:
b conn dump
The output shows the source IP address, virtual server IP address, and node to which the client is connected.
Figure 7.1 Formatted output of the conn command
bigip conn dump
from virtual node
100.100.100.30:49152 -> 100.100.100.100:23 -> 200.200.200.10:23
100.100.101.90:49153 -> 100.100.100.100:80 -> 200.200.200.10:80
...
This command can also show connections that are active on the given BIG-IP, as well as those that are standby connections for the peer BIG-IP. By default, the dump command only shows items that are active on the given unit. To see standby items, you must use the mirror qualifier.
b conn dump mirror
b default_gateway use pool <pool_name>
b default_gateway show
b default_gateway delete
This command creates, shows, or deletes a pool of default gateways, with nodes in the pool corresponding to different routes. Connections originating from the system with a destination for which there is no other route choose a route from the default gateway pool. Note that the default gateway pool is not a last-hop pool for services running on the system.
There can be only one default gateway pool at any one time.
Defining a default gateway pool removes the need to define a default route. However, if a default route is defined, that route will be used when all the nodes in the default gateway pool are down.
Since the system performs route lookups on nodes as they are defined, the default gateway pool must be stored at the top of the bigip.conf file. Also, all nodes in the default gateway pool must reside on the same IP network as the system.
We recommend that all nodes in the default gateway pool have the same MTU.
As an alternative to using the default_gateway command, you can use the Setup utility, which allows you to create the default gateway pool at the time that you configure your base network.
b failover active | standby | show | init | failback
This group of commands affects the fail-over status of the BIG-IP or 3-DNS system.
In an active/standby or active-active configuration, run the following command to place a BIG-IP or 3-DNS system in standby mode:
b failover standby
Show the status of the BIG-IP or 3-DNS system with the following command:
b failover show
In an active-active configuration, run the following command after you issue the bigpipe failover standby command. This allows the inactive unit to resume handling connections:
b failover failback
Note: The failback command is only applicable if you are running a redundant system in active-active mode.
You can use the bigpipe failover init command to refresh the parameters of the fail-over mechanism with any new configuration data entered in the BIG/db database.
b failover init
b global auto_lasthop enable | disable | show
b global fastest_max_idle_time <seconds>
b global fastflow_active auto | on | off | show
b global fastflow_active auto | on | off | show
b global gateway failsafe arm | disarm | show
b global ipforwarding enable | disable
b global mirror enable | disable | show
b global memory_reboot_percent <percent>
b global open_3dns_ports enable | disable | show
b global open_corba_ports enable | disable | show
b global open_snmp_ports enable | disable | show
b global open_telnet_port enable | disable
b global open_ftp_ports enable | disable
b global open_ssh_port enable | disable
b global open_rsh_ports enable | disable
b global open_failover_ports enable | disable | show
b global persist_map_proxies enable | disable
b global persist timer limit | timeout | show
b global persist across_services enable | disable
b global persist across_virtuals enable | disable
b global self_conn_timeout enable | disable | show
b global sslproxy serverssl cache timeout <num>
b global sslproxy serverssl cache size <num>
b global sslproxy serverssl failover <enable | disable>
b global sslproxy serverssl unclean shutdown <enable | disable>
b global sslproxy serverssl strict resume <enable | disable>
b global sticky table_limit <max_num> | show
b global verbose_log_level <level>
b global webadmin_port <port>
b global l2_aging_time <seconds>
auto_lasthop
When this variable is enabled, it automatically designates the lasthop router inside IP address as a lasthop route for replies to inbound traffic. If auto_lasthop is disabled, the lasthop router inside IP address must be specified as a lasthop pool. The default setting is enable.
fastest_max_idle_time
Sets the number of seconds a node can be left idle by the fastest load balancing mode. This forces the BIG-IP to send fewer connections to a node that is responding slowly, and also allows the BIG-IP to periodically recalculate the response time of the slow node.
fastflow_active
You can use this variable to control additional enhancements that speed packet flow for TCP connections when the packets are not fragmented. In most configurations these software enhancements are automatically turned on and do not require any additional configuration.
However, you may want to turn off these enhancements for individual virtual servers that use IPFW rate filters. With the speed enhancements on, IPFW only examines the first SYN packet in any given connection. If you want to filter all packets, you should turn the speed enhancements off. To do this, you first set the global state of the system on, and then you turn the feature off for individual virtual servers that use IPFW rate filtering. You can also change the settings for these enhancements from the command line or in the Configuration utility.
There are three global states you can set with fastflow_active. The default state is auto. The global states are:
- off
- auto
- on
The additional speed enhancements are globally disabled if the sysctl variable fastflow_active is off or if fastflow_active is set to auto and an IPFW rate filter exists in the configuration.
To provide the benefits of software acceleration for virtual servers that do not use rate filtering and turn off software acceleration for virtual servers that use IPFW rate filtering, you can set the global variable fastflow_active to on with the following command:
b global fastflow_active on
After you set the sysctl variable, use the following bigpipe command to disable software acceleration for virtual servers that use IPFW rate filtering:
b virtual <ip>:<port> accelerate disable
gateway failsafe
Turns the gateway fail-safe feature on and off. This command is supported only for redundant systems.
The typical use of gateway fail-safe is a setup where active and standby BIG-IP units use different routers as gateways to the Internet. Fail-over is triggered if the gateway for the active unit is unreachable.
To arm fail-safe on the gateway, enter the following command:
b global gateway failsafe arm
To disarm fail-safe on the gateway, enter the following command:
b global gateway failsafe disarm
To see the current fail-safe status for the gateway, enter the following command:
b global gateway failsafe show
For more information about configuring gateway fail-safe, see Health monitors, on page 4-137.
ip forwarding
Enables IP forwarding for the BIG-IP. IP forwarding exposes all of the node IP addresses to the external network, making them routable on that network. The default setting is disabled.
mirror
Enables mirroring functions globally for the BIG-IP. The mirror feature duplicates the active unit's real-time connection or persistence information state on the standby unit for smooth transition to the inactive unit at fail-over. The default setting is enabled.
memory_reboot_percent
The value you type, 80 or higher, is the percentage of memory that is in use before the BIG-IP automatically reboots. The default value for this variable is 95. To disable this feature, set the value to 0.
open_3dns_ports
This variable is required only when running one or more separate 3-DNS Controllers in the network. It does not apply to running the 3-DNS software module on the BIG-IP itself. The variable is disabled on the BIG-IP when the 3-DNS Controller is not present in the network configuration. (See the 3-DNS Administrator Guide for more information.)
open_corba_ports
This variable enables and disables the CORBA ports, which allow administrative CORBA connections. The default setting is disabled.
open_snmp_ports
This variable enables and disables the SNMP ports, which allow administrative SNMP connections. The default setting is disabled.
open_telnet_port
This variable enables or disables ports for Telnet access, and the default setting is disable.
The following command sets this variable to open the Telnet port (23) to allow administrative Telnet connections. This is useful for BIG-IP units that do not support encrypted communications, or for a unit that needs to communicate with the 3-DNS software. (See the 3-DNS Administrator Guide for more information.)
The following command opens the Telnet port:
b global open_telnet_port enable
The following command closes the Telnet port:
b global open_telnet_port disable
open_ftp_ports
This variable enables or disables ports for FTP access, and the default setting is disable.
The following command open the FTP ports (20 and 21) to allow administrative FTP connections, which is useful for BIG-IP units that do not support encrypted communications.
b global open_ftp_ports enable
The following command closes FTP ports:
b global open_ftp_ports disable
open_ssh_ports
This variable enables or disables ports for SSH access on BIG-IP units that support encrypted communication. The default setting is enable.
The following command opens the SSH port (22) to allow encrypted administrative connections:
b global open_ssh_port enable
The following command closes the SSH port:
b global open_ssh_port disable
open_rsh_ports
This variable enables or disables ports for RSH access, and it is useful for BIG-IP units that do not support encrypted communications, or for connecting to 3-DNS Controllers that do not support encrypted communication. (See the 3-DNS Administrator Guide for more information.)
The default setting is disable.
The following command opens the RSH ports (512, 513, and 514) to allow RSH connections:
b global open_rsh_ports enable
The following command closes RSH ports:
b global open_rsh_ports disable
open_failover_ports
This variable enables or disables network failover when a VLAN has port lockdown enabled.
The following command enables network failover:
b global open_failover_ports enable
The following command disables network failover:
b global open_failover_ports disable
persist map_proxies
The default setting for the map proxies for the persistence variable is enable. The AOL proxy addresses are hard-coded. This enables you to use client IP address persistence with a simple persist mask, but forces all AOL clients to persist to the same server. All AOL clients will persist to the node that was picked for the first AOL client connection received.
The class B networks, 195.93 and 205.188, are mapped to 152.163 for persistence. For example, client 195.93.3.4 would map to 152.63.3.4 for persistence records only. This mapping is done prior to applying the persist mask. Use bigpipe pool persist dump to verify that the mapping is working.
We recommend that in addition to setting this sysctl variable, you set a persist mask of 255.255.0.0 so that all the AOL addresses map to a common address. For example, Table 7.2 is an example of how setting this variable and a persist mask of 255.255.0.0 would map a sample set of client addresses.
persist timer
The following command forces the persistent connection timer to reset on each packet for persistent sessions. This is the default value.
b global persist timer limit
The following command resets the timer only when the persistent connection is initiated.
b global persist timer timeout
Note: For SSL persistence, the timer is always reset on each packet.
persist across_services
When this variable is enabled, all simple persistence connections from a client IP address that go to the same virtual address also go to the same node (matches the client address and the virtual IP address but not the virtual port).
The default setting for this variable is disabled.
persist across_virtuals
When this variable is enabled, all simple persistent connections from the same client IP address are sent to the same node (matches the client IP address but not the virtual address or virtual port the client is using). The default setting for this variable is disabled.
self_conn_timeout
This variable is used as a tracking mechanism for UDP connections. After the number of seconds specified by this variable has expired, the UDP connection terminates. The default value for this variable is 5.
sticky table_limit
This is the maximum number of sticky entries allowed to accumulate on the BIG-IP when using destination address affinity (sticky persistence). When the maximum value is reached, the BIG-IP stops accumulating sticky entries. The default value for this entry is 2048.
verbose_log_level
This variable sets logging levels for both TCP and UDP traffic. Each log level is identified by a level number used in place of the <level> parameter.
The following command turns on port denial logging for both TCP and UDP traffic. This logs TCP and UDP port denials to the virtual server address and the BIG-IP address.
b global verbose_log_level 15
The following command turns logging off altogether:
b global verbose_log_level 0
Setting log levels only for TCP traffic
The following command turns on only TCP port denial logging, which logs TCP port denials to the BIG-IP address.
b global verbose_log_level 2
The following command turns on virtual TCP port denial logging, which logs TCP port denials to the virtual server address.
b global verbose_log_level 8
Setting log levels for UDP traffic
The following command turns on only UDP port denial logging, which logs UDP port denials to the BIG-IP address.
b global verbose_log_level 1
The following command turns on only virtual UDP port denial logging, which logs UDP port denials to the virtual server address.
b global verbose_log_level 4
webadmin_port
Specifies the port number used for administrative web access. The default port for web administration is port 443.
l2_aging_time
Specifies a time period after which dynamic entries in the L2 forwarding table are flushed out if the MAC address is no longer present on the network. The default value is 300 seconds.
b [-h | -help ]
Displays the bigpipe command syntax or usage text for all current commands.
Note: More detailed man pages are available for some individual bigpipe commands. To display detailed online help for the bigpipe command, type: man bigpipe.
b interface <if_name> media <media_type> | show
b interface <if_name> duplex full | half | auto | show
b interface [<if_name>] show [verbose]
b interface [<if_name>] stats reset
Displays names of installed network interface cards and allows you to set properties for each network interface card.
Setting the media type
The media type may be set to the specific media type for the interface card or it may be set to auto for auto detection. If the media type is set is set to auto and the card does not support auto detection, the default type for that interface will be used, for example 1000BaseTX.
Setting the duplex mode
Duplex mode may be set to full or half duplex. If the media type does not allow duplex mode to be set, this will be indicated by an onscreen message. If media type is set to auto, or if setting duplex mode is not supported, the duplex setting will not be saved to the bigip.conf file.
b [verify] load [ <filename> | - ]
b [-log] load [ <filename> | - ]
Resets all of the BIG-IP settings and then loads the configuration settings, by default from the /config/bigip.conf and /config/bigip_base.conf files.
For testing purposes, you can save a test configuration by renaming it to avoid confusion with the boot configuration file. To load a test configuration, use the load command with the <filename> parameter. For example, if you renamed your configuration file to /config/bigtest.conf, the command would be:
b load /config/bigtest.conf
The command checks the syntax and logic, reporting any errors that would be encountered if the command executed.
You can type b load - in place of a file name, to display the configuration on the standard output device.
b save -
Use the load command together with the verify command to validate the specified configuration file. For example, to check the syntax of the configuration file /config/altbigpipe.conf, use the following command:
b verify load /config/altbigip.conf
The -log option will cause any error messages to be written to /var/log/bigip in addition to the terminal.
b maint
Toggles a BIG-IP into and out of Maintenance mode. When in Maintenance mode, a BIG-IP accepts no new connections, but it does allow existing connections to complete.
The maint command interactively prompts you to enter or exit the maintenance mode.
b maint
If the BIG-IP is already in maintenance mode, the maint command takes the BIG-IP out of maintenance mode. If the BIG-IP is in maintenance mode for more than 20 minutes, that BIG-IP immediately begins to accept new connection requests.
If the BIG-IP has been in maintenance mode for more than 20 minutes, it automatically updates all network ARP caches; this process normally takes a few seconds. However, you can speed the process up by reloading the configuration file, using the following command:
b -f /config/bigip.conf
b makecookie <ip_addr:service>
Generates a cookie string with encoding automatically added for cookie persistence Passive mode:
b makecookie <server_address:service> [ > <file>]
This command prints a cookie template similar to the templates shown in Figure 7.2 and Figure 7.3.
Figure 7.2 Sample cookie template
Set-Cookie:BIGipServer[poolname]=336268299.20480.0000; path=/
Figure 7.3 Sample cookie template with additional information
Set-Cookie:BIGipServer[poolname]=336268299.20480.0000; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/
To create your cookie using the sample string above, simply enter the actual pool names and the desired expiration date and time.
b [-log] merge [<file_name>]
Use the merge command to load the BIG-IP configuration from <file_name> without resetting the current configuration.
b mirror <mirror_to_if> interfaces add <if_list>
b mirror <mirror_to_if> interfaces delete <if_list>
For the BIG-IP Application Switch, you can copy traffic from any port or set of ports to a single, separate port. This is called port mirroring. You should attach a sniffer device to the target port, called the mirror-to port, for debugging and/or monitoring.
Creating a port mirror
Creating a port mirror consists of specifying a mirror-to port and adding to it one or more ports (that is, a port list) to be mirrored. The bigpipe syntax for setting up port mirroring is:
b mirror <mirror_to_if> interfaces add <if_list>
For example, you could type the following command:
b mirror 3.24 interfaces add 3.1 3.3 3.10
Deleting interfaces from a port mirror or deleting a port mirror
The bigpipe syntax for deleting interfaces from the port mirror is:
b mirror <mirror_to_if> interfaces delete <if_list>
For example, you could type the following command:
b mirror 3.24 interfaces delete 3.10
The bigpipe syntax for deleting the port mirror is:
b mirror <mirror_to_if> delete
For example, you could type the following command:
b mirror 3.24 delete
b monitor <monitor_name> '{ use <monitor_template> [<attr> <attr_value>]... }'
b monitor show [all]
b monitor dump [all]
b monitor <name> show
b monitor <name> delete
b monitor <name> enable | disable
b monitor instance <ip>:<service> enable | disable
b monitor instance <ip> enable | disable
Defines a health monitor. A health monitor is a configuration object that defines how and at what intervals a node is pinged to determine if it is up or down. Once a monitor is defined, instances of the monitor are created for a node or nodes, one instance per node, using the bigpipe node command.
Monitor template attributes
Table 7.3 lists the monitor templates and shows the template-specific attribute sets for each.
Table 7.4 defines the attributes used in the templates.
b -n
Use the -n option in combination with other commands, such as bigpipe virtual, to display services and IP addresses numerically rather than by service name and host name, respectively. For example, type the following command to display services numerically:
b -n virtual
Figure 7.4 shows an example of output that uses IP address instead of host names.
Figure 7.4 The output of bigpipe -n virtual
virtual +------> 11.100.1.1 UNIT 1
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
+---+--> SERVICE 80 UP
| (cur, max, limit, tot) = (0, 0, 0, 0)
| (pckts,bits) in = (0, 0), out = (0, 0)
MEMBER 11.12.1.100:80 UP
(cur, max, limit, tot) = (0, 0, 0, 0)
(pckts,bits) in = (0, 0), out = (0, 0)
b nat <orig_addr> to <trans_addr> [unit <unit ID>]
b nat <orig_addr> [...<orig_addr>] delete
b nat [<trans_addr> [...<trans_addr>] ] show | delete
b nat [<orig_addr> [...<orig_addr>] ] show | delete
b nat [<orig_addr>...] stats reset
b nat <orig_addr> vlans <vlan_list> enable | disable
b nat <orig_addr> vlans delete all
b nat <orig_addr> vlans show
b nat <orig_addr> arp [enable | disable | show]
Defines an IP address, routable on the external network, that a node can use to initiate connections to hosts on the external network and receive direct connections from clients on the external network. The NAT (Network Address Translation) command defines a mapping between the IP address of a server behind the BIG-IP <orig_addr> and an unused routable address on the network in front of the BIG-IP <trans_addr>.
b node <node_ip>[:<service>]... enable | disable
b node <node_ip>[:<service>... show
b node <node_ip>[:<service>]... limit <max_conn>
b node [<node_ip>:<service>]... stats reset
b node <node_ip>[:service] up | down
b node <node_ip>[:<service>] monitor use <monitor_name> [and <monitor_name>]...
b node [<node_ip>[:<service>]] monitor show | delete
b node <node_ip>[<node_ip>]... virtual | actual
Displays information about nodes and allows you to set properties for nodes, and node addresses. Nodes may be identified using wildcard notation. Thus * represents all nodes on the network, *.80 represents all port 80 nodes, 11.11.11.1:* represents all nodes with address 11.11.11.1.
b pool <pool-_name> { lb_method <lb_method_specification> <member_definition> }
b pool <pool-_name> { lb_method <lb_method_specification> persist_mode <persist_mode_specification> <member definition>... }
b pool <pool-_name> { lb_method <lb_method_specification> min_active_members <min_value> <member definition>... }
b pool <pool-_name> { lb_method <lb_method_specification> <member_definition> fallback <host> <protocol> <port> <URI path> }
b pool <pool_name> { forward }
b pool <pool_name> add { <member definition>... }
b pool <pool_name> delete { <member definition>... }
b pool <pool_name> modify { [lb_method <lb_method_specification>] [persist_mode <persist_mode_specification>] <member definition>... }
b pool <pool_name> { snat disable }
b pool <pool_name> header insert <quoted string>
b pool <pool_name> delete
b pool [<pool_name>] show
b pool <pool_name> lb_method show
b pool <pool_name> persist dump
b pool <pool_name> persist dump mirror
b pool <pool_name> { persist_mode simple | cookie | ssl | sip [sip_timeout <timeout>] | sticky | msrdp }
b pool sip dump
b pool <pool_name> sticky clear
b pool <pool_name> stats reset
Creates, deletes, modifies, or displays pool definitions. You can use pools to group members together with a common load balancing mode and persistence mode.
Specifying load balancing mode
The load balancing modes are specified as values of the attribute lb_mode. The lb_mode values are shown in Table 7.5.
For more information about the load balancing modes, refer to Load balancing method, on page 4-5.
b proxy <ip>:<service> [unit <id>][{] target <virtual|server>> <ip>:<service>
[clientss] <enable|disable>
[[clientssl] key <clientside key file name>]
[[clientssl] cert <clientside certificate file name>]
[[clientssl] chain <clientside chain file name>]
[[clientssl] ca file <clientside CA file name>]
[[clientssl] ca path <clientside CA path>]
[[clientssl] client cert ca <clientside client certificate CA file name>]
[[clientssl] cipher insert [<enable | disable>]
[[clientssl] client cert insert <([versionnum][serial][sigalg][issuer][validity]
[subject][subpubkey][x509ext][whole][hash])+|disable>]
[[clientssl] sessionid insert <([initial][current])+|disable>]
[[clientssl] ciphers \"quoted string\"]
[[clientssl] invalid [SSLv2][SSLv3][TLSv1]]
[[clientssl] client cert <request | require | ignore>]
[[clientssl] authenticate <once | always>]
[[clientssl] authetnicate depth <num>]
[serverssl <enable|disable>]
[serverssl key <serverside key file name>]
[serverssl cert <serverside certificate file name>]
[serverssl chain <serverside chain file name>]
[serverssl ca file <serverside CA file name>]
[serverssl ca path <serverside CA path>]
[serverssl \"quoted string\"]
[serverssl invalid [SSLv2][SSLv3][TLSv1]]
[serverssl server cert <require | ignore>]
[serverssl authenticate depth <num>]
[akamaize <enable|disable>
[header insert \"quoted string\"]
[redirects rewrite <<matching | all> [enable] | [disable>]
[lasthop pool <none|lasthop pool name>]
[arp <enable|disable>]
[vlans <vlan name>[<vlan name>...] disable]
[}]
b proxy <ip>:<service> unit show
b proxy <ip>:<service> target show
b proxy <ip>:<service> clientssl show
b proxy <ip>:<service> [clientssl] key show
b proxy <ip>:<service> [clientssl] cert show
b proxy <ip>:<service> [clientssl] chain showb proxy <ip>:<service> [clientssl] ca file show
b proxy <ip>:<service> [clientssl] ca path show
b proxy <ip>:<service> [clientssl] client cert ca show
b proxy <ip>:<service> [clientssl] cipher insert show
b proxy <ip>:<service> [clientssl] sessionid insert show
b proxy <ip>:<service> [clientssl] ciphers show
b proxy <ip>:<service> [clientssl] invalid show
b proxy <ip>:<service> [clientssl] client cert show
b proxy <ip>:<service> [clientssl] authenticate show
b proxy <ip>:<service> [clientssl] authenticate depth show
b proxy <ip>:<service> [clientssl] cache size show
b proxy <ip>:<service> [clientssl] cache timeout show
b proxy <ip:service> vlans show
b proxy <ip>:<service> serverssl show
b proxy <ip>:<service> serverssl key show
b proxy <ip>:<service> serverssl cert show
b proxy <ip>:<service> serverssl chain show
b proxy <ip>:<service> serverssl ca file show
b proxy <ip>:<service> serverssl ca path show
b proxy <ip>:<service> serverssl ciphers show
b proxy <ip>:<service> serverssl invalid show
b proxy <ip>:<service> serverssl server cert show
b proxy <ip>:<service> serverssl authenticate depth show
b proxy <ip>:<service> akamaize show
b proxy <ip>:<service> header insert show
b proxy <ip>:<service> redirects rewrite show
b proxy <ip>:<service> lasthop pool show
b proxy <ip:service> arp show
b proxy <ip:service> vlans show
b proxy [<ip:service>...] show
Creates, deletes, modifies, or displays the SSL or content converter proxy definitions on the BIG-IP. For detailed information about setting up the SSL Accelerator feature, see the BIG-IP Solutions Guide, Chapter 9, Configuring an SSL Accelerator. For detailed information about setting up the content converter feature, see the BIG-IP Solutions Guide, Chapter 14, Configuring a Content Converter.
ratio
b ratio [<node_ip>] [node_ip> ...] show
b ratio <node_ip> [<node_ip>...] <weight>
For the Ratio load balancing mode, this command sets the weight or proportions for one or more node addresses.
b reset
Use the following syntax to clear the configuration values and counter values from memory:
b reset
Warning: Use this command with caution. All network traffic stops when you run this command.
Typically, this command is used on a standby BIG-IP prior to loading a new /config/bigip.conf file that contains new service enable and timeout values.
For example, you can execute the following commands on a standby BIG-IP:
b reset
b load <filename>
This sequence of commands ensures that only the values set in the <filename> specified are in use.
b rule <rule_name> '{ if ( <expression> ) { <if statement> | <use statement> | discard | <cache statement> | <redirect statement> | <hash statement> <if statement> } [ { else <statement> } ] [ { else if <statement> } ] }'
b rule <rule_name> '{ discard }'
b rule <rule_name> '{ use <pool_name> }'
b rule <rule_name> '{ cache ( <expression> ) { origin_pool <pool_name> cache_pool <pool_name> [ hot_pool <pool_name> ] [ hot_threshold <hit_rate> ] [ cool_threshold <hit_rate> ] [ hit_period <seconds> ][ content_hash_size <sets_in_content_hash> ] } }'
b rule <rule_name> '{ redirect <redirect URL> }'
b rule <rule name> '{ hash ( variable ) }'
b rule <rule_name> { if '( <statement> ) { use ( <statement> )' } }
b rule <rule_name> { if '( <statement> )' { use '( <statement> )' } else { '( <statement> )' } }
b rule <rule_name> { if '( <statement> )' { use '( <statement> )' } else { '( <discard_statement> )' } }
b rule <rule_name> { if '( <statement> )' { use '( <statement> )' } else { '( <redirect_statement> )' } }
b rule <rule_name> { if '( <statement> )' { use '( <statement> )' } else { '( <cache_statement> )' } }
b rule <rule_name> delete
b rule <rule_name> show
Creates, delete, or display the rules on the BIG-IP. Rules allow a virtual server to access any number of pools on the BIG-IP. Based upon a simple or complex expressio,n a pool can be selected through a rule. For more detailed information about using rules, see Rules, on page 4-49.
Note: Before you define a rule, you must define the pool or pools that you want the rule to reference.
Creating a rule
Rules are generally added to an existing bigip.conf file. Note that the rule body should not be enclosed with single quotes in the bigip.conf file. For example:
Figure 7.5 A rule typed into the bigip.conf
rule cgi_rule {
if ( http_uri ends_with "cgi" ) { use ( cgi_pool ) }
else { use ( another_pool ) }
}
In this example, if the http_uri string ends with "cgi", then the members of pool cgi_pool are used. Otherwise, the members of pool another_pool are used.
If the rule is defined on the bigpipe command line, you can either surround each pair of parentheses in single quotation marks ('), or place a pair of single quotation marks around the braces. These two methods of defining a rule on the command line are shown as follows:
b rule <name> if '{ <if_stmt> | <use_stmt> | <discard_stmt> | <redirect_stmt> | <cache> }'
Or, you can type the same rule using the following syntax:
b rule <name> if { '(<if_stmt>)' | '(<use_stmt>)' | '(<discard_stmt>)' | '(<redirect>)' | '(<cache>)' }
For example:
b rule simply_red { if '(client_addr == 10.12.12.10)' { use '(pool_A80)' } }
b rule simply_redder '{ if (client_addr == 10.12.12.10) { use (pool_B80) } }'
Associating a rule with virtual server
Associate a rule with a virtual server using the following format:
bigpipe virtual 10.20.2.101:http use rule cgi_rule
Delete a rule
Delete a rule using the following format:
bigpipe rule cgi_rule delete
Display rules
Display all rules using the following syntax:
bigpipe rule show
Or to display a specific rule:
bigpipe rule <rule name> show
b save [ <filename> | - ]
b base save [ <filename> | - ]
Writes the current BIG-IP configuration settings from memory to the configuration files named /config/bigip.conf and /config/bigip_base.conf. (/config/bigip.conf stores high level configuration settings, such as pools, virtual servers, NATs, SNATs, and proxies. /config/bigip_base.conf stores low level configuration settings, like, VLANs, non-floating self IP addresses, and interface settings.)
You can type b save <filename>, or a hyphen character (-) in place of a file name, to display the configuration on the standard output device.
b [base] save -
If you are testing and integrating BIG-IP units into a network, you may want to use multiple test configuration files. Use the following syntax to write the current configuration to a file name that you specify:
b [base] save <filename>
For example, the following command saves the current configuration from memory to an alternate configuration file named /config/bigip.conf2.
b save /config/bigip.conf2
b self <addr> vlan <vlan_name | vlangroup_name> [ netmask <ip_mask> ][ broadcast <broadcast_addr>] [unit <id>]
b self <addr> floating enable | disable
b self <addr> delete
b self <addr> show
b self show
b self <addr> snat automap enable | disable
Defines a self IP address on a BIG-IP or 3-DNS system. A self IP address is an IP address mapping to a VLAN or VLAN group and their associated interfaces on a BIG-IP or 3-DNS system. A one true self IP address is assigned to each interface on the unit as part of first time boot configuration, and also a floating (shared) self IP address for units in a redundant pair. Additional self addresses may be created for health checking, gateway failsafe, routing, or other purposes. These additional self addresses are created using the self command.
b service <service> [<service>...] limit <limit>
b service <service> [<service>...] tcp enable | disable
b service <service> [<service>...] timeout tcp <timeout>
b service <service> [<service>...] udp enable | disable
b service <service> [<service>...] timeout udp <timeout>
b service [<service>... ] show
b service [<service>... ] stats reset
Enables and disables network traffic on services, and also sets connection limits and timeouts. You can use port numbers or service names (for example, www, http, or 80) for the <service> parameter. Note that the settings you define with this command control the service for all virtual servers that use it. By default, all services are disabled.
A port is any valid port number, between 0 and 65535, inclusive, or any valid service name in the /etc/services file.
b snat map <orig_ip> [...<orig_ip>] to <snat_ip><snat_ip> [unit <unit ID>] [netmask <ip>] [arp disable] [vlan <vlan_name_list> disable]
b snat map default to <snat_ip> [unit <unit ID>] [netmask <ip>]
b snat <snat_ip> [...<snat_ip>] delete | show
b snat default delete | show
b snat default dump [verbose]
b snat [<snat_ip> [...<snat_ip>] ] dump [verbose]
b snat globals show
b snat default show
b snat [<snat_ip> [...<snat_ip>] ] show
b snat [<snat_ip> [...<snat_ip>] ] delete
b snat [<snat_ip> [...<snat_ip>] ] arp show
b snat [<orig_ip> [...<orig_ip>] limit <max_conn>
b snat limit <max_conn>
b snat default limit <max conn>
b snat <orig_ip> [...<orig_ip>] mirror enable | disable
b snat default mirror enable | disable
b snat <orig_ip> [...<orig_ip>] timeout tcp | udp <seconds>
b snat default timeout tcp | udp <seconds>
b snat <orig_ip> [...<orig_ip>] stats reset
b snat default stats reset
b snat <orig_ip> [...<orig_ip>]> disable | enable
b snat <snat_ip> [...<snat_ip>] vlans <vlan_list> disable | enable
b snat <snat_ip> [...<snat_ip>] vlans enable all
b snat <snat_ip> [...<snat_ip>] vlans show
b snat map <vlan_name> to auto
b snat <snat_ip> [...<snat_ip>] arp [enable|disable]
Defines one or more addresses that nodes can use as a source IP address when initiating connections to hosts on the external network. Note that clients cannot use SNAT addresses to connect directly to nodes.
b stp <stp_name> interfaces add <if_list> | all
b stp <stp_name> hello <interval>
b stp <stp_name> max_age <interval>
b stp <stp_name> forward_delay <interval>
b stp <stp_name> interfaces delete <if _list>
b stp <stp_name> enable|disable
The BIG-IP IP Application Switch provides Spanning Tree Protocol (STP) implementation for loop resolution in configurations where one or more external switches is connected in parallel with the BIG-IP. This feature allows you to configure two or more interfaces on the platform as an STP domain. For interfaces in the STP domain, the spanning tree algorithm identifies the most efficient path between the network segments, and establishes the switch associated with that path as the root. Links forming redundant paths are shut down, to be re-activated only if the root fails.
The STP domain should contain all ports that are connected in parallel to an external switch where there are nodes on the link capable of generating or receiving traffic. You will want a second domain if there is an additional switch or switches connected in parallel with additional BIG-IP interfaces.
b summary
Displays a summary of current usage statistics. The output display format for the summary command is shown in Figure 7.6. You can find detailed descriptions of each of statistic displayed by the summary command in Monitoring the BIG-IP, on page 11-2.
Figure 7.6 The summary output display
BIG-IP total uptime = 1 (day) 4 (hr) 40 (min) 8 (sec)
BIG-IP total uptime (secs) = 103208
BIG-IP total # connections = 0
BIG-IP total # pkts = 0
BIG-IP total # bits = 0
BIG-IP total # pkts(inbound) = 0
BIG-IP total # bits(inbound) = 0
BIG-IP total # pkts(outbound) = 0
BIG-IP total # bits(outbound) = 0
BIG-IP error no nodes available = 0
BIG-IP tcp port deny = 0
BIG-IP udp port deny = 0
BIG-IP virtual tcp port deny = 0
BIG-IP virtual udp port deny = 0
BIG-IP max connections deny = 0
BIG-IP virtual duplicate syn ssl = 0
BIG-IP virtual duplicate syn wrong dest = 0
BIG-IP virtual duplicate syn node down = 0
BIG-IP virtual maint mode deny = 0
BIG-IP virtual addr max connections deny = 0
BIG-IP virtual path max connections deny = 0
BIG-IP virtual non syn = 0
BIG-IP error not in out table = 0
BIG-IP error not in in table = 0
BIG-IP error virtual fragment no port = 0
BIG-IP error virtual fragment no conn = 0
BIG-IP error standby shared drop = 0
BIG-IP dropped inbound = 0
BIG-IP dropped outbound = 0
BIG-IP reaped = 0
BIG-IP ssl reaped = 0
BIG-IP persist reaped = 0
BIG-IP udp reaped = 0
BIG-IP malloc errors = 0
BIG-IP bad type = 0
BIG-IP mem pool total 96636758 mem pool used 95552 mem percent used 0.10
b trunk <controlling_if> define <if_list>
b trunk [<controlling_if>] show [verbose]
b trunk [<controlling_if>] stats reset
The trunk command aggregates links (individual physical interfaces) to form a trunk. This link aggregation increases the bandwidth of the individual NICs in an additive manner. Thus, four fast Ethernet links, if aggregated, create a single 400 Mb/s link. The other advantage of link aggregation is link failover. If one link in a trunk goes down, traffic is simply redistributed over the remaining links.
A trunk must have a controlling link and acquires all the attributes of that controlling link from Layer 2 and above. Thus, the trunk automatically acquires the VLAN membership of the controlling link but does not acquire its media type and speed. Outbound packets to the controlling link are load balanced across all of the known-good links in the trunk. Inbound packets from any link in the trunk are treated as if they came from the controlling link.
A maximum of eight links may be aggregated. For optimal performance, links should be aggregated in powers of two. Thus ideally you will aggregate two, four, or eight links. Gigabit and fast ethernet links cannot be placed in the same trunk.
For more information on interface naming, refer to Interface naming conventions, on page 3-2.
b unit [show]
b unit peer [show]
The unit number on a system designates which virtual servers use a particular unit in an active-active redundant configuration. You can use the bigpipe unit command to display the unit number assigned to a particular BIG-IP. For example, to display the unit number of the unit you are on, type the following command:
b unit show
To display the unit number of the other unit in a redundant system, type in the following command:
b unit peer show
Note: If you use this command on a redundant system in active/standby mode, the active unit shows as unit 1 and 2, and the standby unit has no unit numbers.
Tip: The bigpipe unit peer show command is the best way to determine whether the respective state mirroring mechanisms are connected.
b verbose virtual_server_udp_port_denial
b verbose virtual_server_tcp_port_denial
b verbose bigip_udp_ort_denial
b verbose bigip_tcp_port_denial
Used to modify the verbose log level. This command is an alternative to using the bigpipe global verbose command.
Table 7.6 defines the command and shows the equivalencies.
b [log] verify <command...]
verify load [<filename> | -]
Parses the command line and checks syntax without executing the specified command. This distinguishes between valid and invalid commands
Use the verify command followed by a command that you want to validate:
b verify virtual 10.10.10.100:80 use pool my_pool
The command checks the syntax and logic, reporting any errors that would be encountered if the command executed.
Use the verify command together with the load <filename> command to validate the specified configuration file. For example, to check the syntax of the configuration file /config/altbigpipe.conf, use the following command:
b verify load /config/altbigip.conf
b version
Displays the version of the BIG-IP operating system and the features enabled.
For example, for a BIG-IP HA, the bigpipe version command displays the output shown in Figure 7.7
Figure 7.7 The version output display
Product Code:
BIG-IP HA
Enabled Features:
SSL Gateway Gateway Failsafe
Static Load Balancing Snat
Nat Pools
Akamaizer Full Proxy
Late Binding HTTP Rules
Mirroring Failover
Node HA Dynamic Load Balancing
Destination Address Affinity Cookie Persistence
SSL Persistence Simple Persistence
EAV ECV SSL
ECV ECV Transparent
Health Check Filter
b virtual <virt_ip>[:<service>] [unit <ID>] [netmask <ip>] [broadcast <ip>] use pool <pool_name>
b virtual <virt_ip>:<service> [/<bitmask>][unit <ID>] use pool <pool_name>
b virtual <virt_ip>[:<service>] [unit <ID>] [netmask <ip>] use rule <rule_name>
b virtual <virt_ip>[:<service>] [unit <ID>] [netmask <ip>] forward
b virtual <virt_ip>:<service> translate port enable | disable | show
b virtual <virt_ip>:<service> svc_down_reset enable | disable | show
b virtual <virt_ip>:<service> translate addr enable | disable | show
b virtual <virt_ip>:<service> lasthop pool <pool_name> | none | show
b virtual <virt_ip>:<service> mirror conn enable | disable | show
b virtual <virt_ip>:<service> conn rebind enable | disable | show
b virtual [<virt_ip:service>] stats reset
b virtual <virt_ip>:<service> accelerate enable | disable | show
b virtual <virt_ip>:<service> use pool <pool_name> accelerate disable
b virtual <virt_ip>:<service> vlans <vlan_list> disable | enable
b virtual <virt_ip>:<service> vlans show
b virtual <virt_ip> arp enable|disable|show
b virtual <virt_ip> any_ip enable | disable
b virtual <virt_ip> any_ip timeout <seconds>
b virtual <virt_ip> [:<service>] [...<virt_ip>[:<service>]] show
b virtual <virt_ip> [:<service>] [...<virt_ip>[:<service>]] enable|disable
b virtual <virt_ip>[:<service>] [ ... <virt_ip>[:<service>]] delete
b virtual <virt_ip>[:<service>] [... <virt_ip>[:<service>]] limit <max_conn>
b virtual <vlan_name>[:service>]
b virtual <vlan_name> use pool <pool_name>
Creates, deletes, and displays information about virtual servers. This command also sets connection mirroring, connection limits, and timeouts on a virtual server.
b vlan <name> rename <new_name>
b vlan <vlan_name> delete
b vlan <vlan_name> tag <tag_number>
b vlan <vlan_name> interfaces add [tagged] <if_list>
b vlan <vlan_name> interfaces delete <if_list>
b vlan <vlan_name> interfaces delete all
b vlan <vlan_name> interfaces show
b vlan <vlan_name> port_lockdown enable | disable
b vlan <vlan_name> bridging enable | disable
b vlan <vlangroup_name> proxy_forward enable | disable
b vlan <vlan_name> failsafe arm | disarm | show
b vlan <vlan_name> timeout <seconds> | show
b vlan <vlan_name> snat automap
b vlan show
b vlan <vlan_name> show
b vlan <vlan_name> interfaces show
b vlan <vlan_name> rename <new_vlan_name>
b vlan <if_name> mac_masq <mac_addr> | show
b vlan <if_name> mac_masq 0:0:0:0:0
vlan <vlan name> l2_agingtime <seconds>
vlan <vlan name> fdb add <MAC address> interface <ifname>
vlan <vlan name> fdb delete <MAC address> interface <ifname>
vlan <vlan name> fdb static show
vlan <vlan name> fdb dynamic show
vlan <vlan name> fdb show
The vlan command defines VLANs, VLAN mappings, and VLAN properties. By default, each interface on a BIG-IP or 3-DNS system is an untagged member of a VLAN. The lowest-numbered interface is assigned to the external VLAN, the interface on the main board is assigned to the admin VLAN, and all other interfaces are assigned to the internal VLAN.
If the tag number specified when defining a VLAN is 0, the vlan command creates an empty VLAN.
vlangroup [<vlan name list>] [show]
vlangroup [<vlan name list>] list
vlangroup <vlan name list> delete
vlangroup <vlan name> tag <number>
vlangroup [<vlan name list>] tag [show]
vlangroup [<vlan name list>] interfaces [show]
vlangroup <vlan name> vlans add <vlan if name list>
vlangroup <vlan name list> vlans delete <vlan if name list>
vlangroup <vlan name list> vlans delete all
vlangroup [<vlan name list>] vlans [show]
vlangroup <vlan name list> port_lockdown enable | disable
vlangroup [<vlan name list>] port_lockdown [show]
vlangroup <vlan name list> proxy_forward enable | disable
vlangroup [<vlan name list>] proxy_forward [show] vlangroup <vlan name list> failsafe arm
vlangroup <vlan name list> failsafe disarm
vlangroup [<vlan name list>] failsafe [show]
vlangroup <vlan name list> timeout <number>
vlangroup [<vlan name list>] timeout [show] vlangroup <vlan name list> snat automap enable (deprecated)
vlangroup <vlan name list> snat automap disable (deprecated)
vlangroup <vlan name list> mac_masq <MAC addr>
vlangroup [<vlan name list>] mac_masq [show]
vlangroup <vlan name list> fdb add <MAC addr> interface <if name>
vlangroup <vlan name list> fdb delete <MAC addr> interface <if name>
vlangroup [<vlan name list>] fdb [show]
vlangroup [<vlan name list>] fdb show static
vlangroup [<vlan name list>] fdb show dynamic
vlangroup <vlan name> rename <vlan name>
The vlangroup command defines a VLAN group, which is a grouping of two or more VLANs belonging to the same IP network for the purpose of allowing L2 packet forwarding between those VLANs.
The VLANs between which the packets are to be passed must be on the same IP network, and they must be grouped using the vlangroup command. For example:
b vlangroup network11 { vlans add internal external }
A self IP address must be assigned to the VLAN group using the following command:
b self <ip_addr> vlan network11
L2 forwarding must be enabled for the VLAN group using the VLAN proxy_forward attribute. This attribute is enabled by default when the VLAN group is enabled.