Manual Chapter : BIG-IP e-Commerce Controller guide v3.3: Essential Configuration Tasks

Applies To:


BIG-IP versions 1.x - 4.x

  • 3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.1, 3.3.0

Chapter 5: Essential Configuration Tasks



Determining which configuration tasks to do

Before you follow the instructions in this chapter, you need to browse through the prior chapters to find the specific load balancing solution you want to set up. Each load balancing chapter describes the configuration tasks you need to complete to set up the solution, but it points you to this chapter for the actual configuration steps.

This chapter covers the essential configuration tasks that all users must complete, regardless of the chosen load balancing solution. The chapter also includes optional configuration tasks that most users find they want to do. In the individual load balancing solution chapters, you can find information about which optional configuration tasks and advanced features may be right for you.

Basic configuration tasks

  • Allow access to ports and services
    The services and ports on a BIG-IP Controller are locked down and cannot accept connections until you specifically open them to network access. For each service that one or more of your virtual servers supports, you need to open the corresponding port number for network access. However, ports are automatically enabled when you use them in a virtual server definition in the Configuration utility.
  • Configure the timer settings
    The BIG-IP Controller supports several timer settings, but for a simple configuration, there are only two that you need to set. First, you need to set the amount of time that idle connections are allowed to remain open. Second, you need to set the frequency at which the BIG-IP Controller checks nodes to make sure they are up and available to accept connections passed on by a virtual server.

Optional configuration tasks

This chapter also covers additional configuration options that users typically add to a simple configuration, including:

  • Configure NATs or IP forwarding
    You can set up network address translation (NAT) or IP forwarding to allow direct connections to and from nodes.

Warning: When you set configuration options in the Configuration utility, they are immediately saved to the appropriate configuration file. However, when you set configuration options using the bigpipe command line utility, they are temporarily stored in system memory, and are not saved to a configuration file unless you execute the bigpipe -s command. For more information about this command, see the BIG-IP Controller Reference Guide, bigpipe Command Reference.

Table 5.1 describes the different types of connection configurations available on the BIG-IP Controller.

Figure 5.1 Connection configuration options for the BIG-IP Controller
                                    NAT              SNAT                        IP Forwarding             Virtual server                   Forwarding virtual server
Security                            Medium           High                        Low (see following note)  High                             High
Routable addresses required         No               No                          Yes                       No                               Yes
  on the internal network
Protocols                           TCP and UDP      TCP and UDP                 Any IP protocol           TCP and UDP                      TCP and UDP
NT Domain support                   No               No                          Yes                       No                               Yes
Active FTP support                  No               Yes                         Yes                       Yes                              Yes
Connection origination              Any direction    One direction               Any direction             One direction                    One direction
Ports                               Does not matter  Does not matter             Does not matter           Uses specific ports or wildcard  Uses specific ports or wildcard
Setup for specific nodes or hosts   Yes              Yes, but can use wildcards  No                        Yes, but can use wildcard        Yes
Load balancing                      No               No                          No                        Yes                              No

Note: Although IP forwarding does not require setup for specific hosts, the BIG-IP Controller supports IP filters that you can configure to restrict traffic.

Allowing access to ports and services

One of the security features of the BIG-IP Controller is that all ports on the controller are locked down and unavailable for service unless you specifically open them to network access. Before clients can use the virtual servers you have defined, you must allow access to each port that the virtual servers use.

This is the third task of the four essential tasks you must complete for a basic configuration. You must perform this task after you create a pool and a virtual server that references the pool, and before you configure the timer settings.

Tip: Virtual servers using the same service actually share a port on the BIG-IP Controller. This setting is global: you only need to open access to a port once; you do not need to open access to a port for each instance of a virtual server that uses it.

To allow access to services using the Configuration utility

Any time you create a virtual server and define a port or service with the Configuration utility, the port or service is automatically enabled.

To allow access to services from the command line

Using the bigpipe port command, you can allow access to one or more ports at a time.

bigpipe port <port>... <port> enable

For example, in order to enable the HTTP (port 80), Telnet (port 23), and HTTPS (port 443) services, you can enter the following bigpipe port command:

bigpipe port 80 23 443 enable

Warning: In order for FTP to function properly, you must allow both ports 20 and 21 (or ftp-data and ftp).

Configuring the timer settings

Configuring timer settings is the fourth task of the four essential tasks you must complete for a basic configuration. You must perform this task after you configure virtual servers and after you allow access to services and ports.

There are two essential timer settings that you need to configure:

  • The node ping timer defines how often the BIG-IP Controller will ping node addresses to verify whether a node is up or down. It also defines how long the BIG-IP Controller waits for a response from a node before determining that the node is unresponsive and marking the node down.
  • The idle connection timer defines how long an inactive connection is allowed to remain open before the BIG-IP Controller deletes the record of the connection, closing it and disconnecting the client.

The service check timer is optional, and you need to set it only if you want the BIG-IP Controller to check to see if a service, or even specific content, is available on a particular node.

Note: If you plan to use simple service checks, or ECV or EAV service checks, you need to set the service check timer.

Setting the node ping timer

The node ping timer is an essential setting on the BIG-IP Controller that determines how often the BIG-IP Controller checks node addresses to see whether they are up and available or down and unavailable. The node ping timer setting applies to all nodes configured for use by the BIG-IP Controller, and it is part of the BIG-IP Controller system properties.

Note: The ping interval should be set to occur about three times during every timeout period. For example, if you set the ping value to 5 seconds, we recommend that you set the timeout to 16 seconds.

To set the node ping timer using the Configuration utility

  1. In the navigation pane, click the BIG-IP Controller icon.
    The BIG-IP System Properties screen opens.
  2. In the Node Ping section of the table, in the Ping box, type the frequency (in seconds) at which you want the BIG-IP Controller to ping each node address it manages. A setting of 5 seconds is adequate for most configurations.
  3. In the Node Ping section of the table, in the Timeout box, type the number of seconds you want the BIG-IP Controller to wait to receive a response to the ping.

    Configuration notes

    · If the BIG-IP Controller does not receive a response to the ping before the node ping timeout expires, the BIG-IP Controller marks the node down and does not use it for load balancing. A setting of 16 seconds is adequate for most configurations.

    · For additional information about the options on this screen, click the Help button.

To set the node ping timer from the command line

To define node ping settings, you use two commands. First, you set the node ping frequency using the bigpipe tping_node command, and then you set the node ping timer using the bigpipe timeout_node command.

bigpipe tping_node <seconds>

bigpipe timeout_node <seconds>

For example, the following commands set the ping frequency to 5 seconds and the timer to 16 seconds, which should be adequate for most configurations.

bigpipe tping_node 5

bigpipe timeout_node 16

Setting the timer for reaping idle connections

The BIG-IP Controller supports two timers for reaping idle connections, one for TCP traffic and one for UDP traffic. These timers are essential, and if they are set too high, or not at all, the BIG-IP Controller may run out of memory. Each individual port on the BIG-IP Controller has its own idle connection timer settings.

Warning: The BIG-IP Controller accepts UDP connections only if you set the UDP idle connection timer.

To set the inactive connection timer using the Configuration utility

  1. In the navigation pane, click the expand button (+) next to Virtual Servers.
    The Virtual Server tree opens and displays the Ports option.
  2. Click Ports.
    The Global Virtual Ports screen opens.
  3. In the Global Virtual Ports screen, click the port number or service name for which you want to configure the idle connection timeout.

    Configuration notes

    · For HTTP connections, we recommend setting the Idle Connection Timeout TCP to 60 seconds. For other services such as Telnet, higher settings may be necessary.

    · In the Idle Connection Timeout UDP box, type the number of seconds you want to elapse before the BIG-IP Controller drops UDP connections.

    · For additional information about the options on this screen, click the Help button.

To set TCP idle connection timers from the command line

Use the bigpipe treaper command to define a TCP idle connection timeout for one or more ports at a time. For HTTP connections we recommend only 60 seconds, but for other services such as Telnet we recommend higher settings. The default setting for this timer is 16 minutes (1005 seconds). Use the following syntax for this command:

bigpipe treaper <port>... <port> <seconds>

For example, the following command sets a 120 second time limit for idle connections on port 443:

bigpipe treaper 443 120

To set UDP idle connection timers from the command line

You can define a UDP idle connection timeout for one or more ports at a time using the bigpipe udp command.

bigpipe udp <port>... <port> <seconds>

For example, the following command sets a 120-second time limit for idle connections on port 53:

bigpipe udp 53 120

Setting the service check timer

The service check feature is similar to node ping, but instead of testing the availability of a server, it tests the availability of a particular service running on a server. The service check timer affects the three different types of service checks: simple service check, ECV service check, and EAV service check. To set up simple service check, you need only set the service check timer as described below.

Note that each individual service managed by the BIG-IP Controller has its own service check timer settings.

To set the service check timer using the Configuration utility

  1. In the navigation pane, click the expand button (+) next to Nodes.
    The Nodes tree opens and displays the Ports option.
  2. Click Ports.
    The Global Node Ports screen opens.
  3. In the Global Node Port Properties screen, click the port for which you want to configure the service check timer.

    Configuration notes

    · For the Frequency setting, we recommend 5 seconds for most configurations.

    · For the Timeout setting, we recommend 16 seconds for most configurations.

    · For additional information about the options on this screen, click the Help button.

To set the service check timer on the command line

To define service check settings, you actually use two commands. First, you set the service check frequency using the bigpipe tping_svc command, and then set the service check timer using the bigpipe timeout_svc command.

bigpipe tping_svc <port> <seconds>

bigpipe timeout_svc <port> <seconds>

For example, the following sequence of commands sets the service check frequency at 5 seconds, and the timer to 16 seconds, which is adequate for most configurations.

bigpipe tping_svc 80 5

bigpipe timeout_svc 80 16
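The command-line steps in the sections above (opening ports, the node ping timer, the TCP and UDP idle connection timers, and the service check timer) are one sequence when you configure a real controller. The following shell script is an added example, not taken from this manual or from F5: it assembles that sequence from a few inputs and applies the chapter's own sanity checks before anything is issued. The timeout is derived as about three times the ping interval (5 seconds gives 16), a port list that includes FTP must contain both 20 and 21, the UDP idle timeout must be nonzero, and the run ends with bigpipe -s so that settings made from the command line are written to the configuration file. The BIGPIPE_DRY_RUN variable, the helper function names, and the sample port values are assumptions made for this example; with the default dry run the script only prints the commands it would issue.

```shell
#!/bin/sh
# Added example (not from the F5 manual): builds the essential-task bigpipe command
# sequence from a few inputs and runs the chapter's sanity checks first.
# BIGPIPE_DRY_RUN=1 (the default, an assumption of this example) prints the commands;
# set it to 0 on a controller so "bigpipe" is actually invoked.

BIGPIPE_DRY_RUN="${BIGPIPE_DRY_RUN:-1}"

# Timeout recommended for a given ping/check interval: the chapter says the interval
# should fit about three times into the timeout period (5 s interval -> 16 s timeout).
recommended_timeout() {
    echo $(( $1 * 3 + 1 ))
}

# FTP needs both 20 and 21 (ftp-data and ftp) open. Returns 0 if the port list
# contains both or neither, 1 if only one of the two is present.
ftp_ports_consistent() {
    has20=0; has21=0
    for p in "$@"; do
        case "$p" in
            20|ftp-data) has20=1 ;;
            21|ftp)      has21=1 ;;
        esac
    done
    [ "$has20" -eq "$has21" ]
}

# Print or run one bigpipe command.
run_bigpipe() {
    if [ "$BIGPIPE_DRY_RUN" -eq 1 ]; then
        echo "bigpipe $*"
    else
        bigpipe "$@"
    fi
}

# Emit the whole essential sequence.
# Arguments: ping interval (s), TCP idle timeout (s), UDP idle timeout (s),
#            space-separated TCP port list, space-separated UDP port list.
# Ends with "bigpipe -s" because command-line changes are otherwise held only
# in memory (see the warning at the start of the chapter).
essential_config() {
    interval="$1"; tcp_idle="$2"; udp_idle="$3"; tcp_ports="$4"; udp_ports="$5"
    timeout=$(recommended_timeout "$interval")

    ftp_ports_consistent $tcp_ports || {
        echo "error: FTP needs both ports 20 and 21 enabled" >&2; return 1; }
    [ "$udp_idle" -gt 0 ] || {
        echo "error: the UDP idle timeout must be nonzero" >&2; return 1; }

    run_bigpipe port $tcp_ports $udp_ports enable      # allow access to the services
    run_bigpipe tping_node "$interval"                 # node ping frequency
    run_bigpipe timeout_node "$timeout"                # node ping timeout
    run_bigpipe treaper $tcp_ports "$tcp_idle"         # TCP idle connection reaper
    if [ -n "$udp_ports" ]; then
        run_bigpipe udp $udp_ports "$udp_idle"         # UDP idle connection reaper
    fi
    for p in $tcp_ports; do                            # service check per TCP port
        run_bigpipe tping_svc "$p" "$interval"
        run_bigpipe timeout_svc "$p" "$timeout"
    done
    run_bigpipe -s                                     # persist to the configuration file
}

# Constructed sample input: HTTP and HTTPS over TCP, DNS over UDP.
essential_config 5 60 120 "80 443" "53"
```

The check functions return an exit status, so the same script can be used as a pre-flight test in a change procedure: if it rejects the port list or the UDP timeout, nothing is sent to the controller.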

Configuring NATs and IP forwarding for nodes

Configuring NATs and IP forwarding are optional tasks you can configure after you have completed the three main tasks of a basic configuration. This means you already have:

  • Configured virtual servers
  • Configured access to ports and services
  • Configured the timer settings

After you complete the basic tasks, you can configure network address translation and IP forwarding on the BIG-IP Controller.

The IP addresses that identify nodes on the BIG-IP Controller's internal network need not be routable on the external network. This protects nodes from illegal connection attempts, but it also prevents nodes (and other hosts on the internal network) from receiving direct administrative connections, or from initiating connections to clients, such as mail servers or databases, on the BIG-IP Controller's external interface (destination processing).

Using network address translation resolves this problem. Network address translations (NATs) assign to a particular node a routable IP address that the node can use as its source IP address when connecting to servers on the BIG-IP Controller's external interface. You can use the NAT IP address to connect directly to the node through the BIG-IP Controller, rather than having the BIG-IP Controller send you to a random node according to the load balancing mode. IP forwarding provides functionality similar to a NAT. If your network does not support NATs, you may want to consider using IP forwarding.

Note: In addition to these options, you can set up forwarding virtual servers which allow you to selectively forward traffic to specific addresses. The BIG-IP Controller maintains statistics for forwarding virtual servers. For more information about forwarding virtual servers, see the BIG-IP Controller Reference Guide.

There are three configuration options on the BIG-IP Controller that you can use to control network access, and you need to identify which method is suitable for your needs:

  • Network Address Translation (NAT)
    A network address translation (NAT) provides a routable alias IP address that a node can use as its source IP address when making or receiving connections to clients on the external network. You can configure a unique NAT for each node address included in a virtual server mapping.

    NATs do not support port translation, and are not appropriate for FTP. You cannot define a NAT if you configure a default SNAT.
  • Secure Network Address Translation (SNAT)
    A secure network address translation provides functionality similar to that of firewalls. A SNAT defines a routable alias IP address that one or more nodes can use as a source IP address only when making connections to hosts on the external network. SNAT addresses support port translation, and they also prevent hosts on the external network from connecting directly to the node.

    SNAT only supports TCP and UDP. SNAT also features support for both passive and active FTP. You cannot define a NAT if you define a default SNAT.
  • IP forwarding
    IP forwarding does not translate node addresses. Instead, it simply exposes the node's IP address to the BIG-IP Controller's external network so that clients can use it as a standard routable address. When you turn IP forwarding on, the BIG-IP Controller acts as a router when it receives connection requests for node addresses. IP forwarding itself does not provide security features, but you can use the IP filter feature to implement a layer of security (see Setting up IP forwarding on page 5-15) that can help protect your nodes.

Warning: NATs and SNATs do not support the NT Domain or CORBA IIOP. Instead of using NATs or SNATs, you need to configure IP forwarding (see Setting up IP forwarding on page 5-15).

Defining a standard network address translation (NAT)

When you define standard network address translations (NATs), you need to create a separate NAT for each node that requires a NAT. You also need to use unique IP addresses for NAT addresses; a NAT IP address cannot match an IP address used by any virtual or physical servers in your network. You can configure a NAT with the Configuration utility or from the command line.

To configure a NAT using the Configuration utility

  1. In the navigation pane, click NATs.
    The Network Address Translations screen opens.
  2. On the toolbar, click Add NAT.
    The Add Nat screen opens.
  3. Use the fields provided on the Add Nat screen to configure a NAT.

    Configuration note

    · For additional information about the options on this screen, click the Help button.

To configure a NAT from the command line

The bigpipe nat command defines one NAT for one node address.

bigpipe nat <node addr> to <NAT addr>

Defining a secure network address translation (SNAT)

When you define secure network address translations (SNATs), you can assign a single SNAT address to multiple nodes. Note that a SNAT address does not necessarily have to be unique; for example, it can match the IP address of a virtual server.

SNAT addresses have global properties that apply to all SNATs that you define in the BIG-IP Controller configuration as well as to the SNAT mappings you define. You can configure SNATs in the Configuration utility or from the command line.

Setting SNAT global properties

The SNAT feature supports three global properties that apply to all SNAT addresses:

  • Connection limits
    The connection limit applies to each node that uses a SNAT, and each individual SNAT can have a maximum of 50,000 simultaneous connections.
  • TCP idle connection timeout
    This timer defines the number of seconds that TCP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected.
  • UDP idle connection timeout
    This timer defines the number of seconds that UDP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. This value should not be set to 0.

To configure SNAT global properties from the Configuration utility

  1. In the navigation pane, click Secure NATs.
    The Secure Network Address Translations screen opens.
  2. In the Secure Network Address Translations screen, configure the SNAT global properties.

    Configuration notes

    · To turn connection limits off, type 0 in the Connection Limit box. If you turn connection limits on, keep in mind that each SNAT can support only 50,000 simultaneous connections.

    · The UDP Idle Connections value should not be set to 0.

    · For additional information about the options on this screen, click the Help button.

To configure SNAT global properties from the command line

Configuring global properties for a SNAT requires that you enter three bigpipe commands. The following command sets the maximum number of connections you want to allow for each node using a SNAT.

bigpipe snat limit <value>

The following commands set the TCP and UDP idle connection timeouts:

bigpipe snat timeout tcp <seconds>

bigpipe snat timeout udp <seconds>

Configuring SNAT address mappings

Once you have configured the SNAT global properties, you can configure SNAT address mappings. The SNAT address mappings define each SNAT address, and also define the node or group of nodes that uses the SNAT address. Note that a SNAT address does not necessarily have to be unique; for example, it can match the IP address of a virtual server. A SNAT address cannot match an address already in use by a NAT or another SNAT address.

To configure a SNAT mapping using the Configuration utility

  1. In the navigation pane, click Secure NATs.
    The Secure Network Address Translations screen opens.
  2. On the toolbar, click Add SNAT.
    The Add SNAT screen opens.
  3. To configure the SNAT, fill in the fields on the screen.

    Configuration note

    · For additional information about the options on this screen, click the Help button.

To configure a SNAT mapping from the command line

The bigpipe snat command defines one SNAT for one or more node addresses.

bigpipe snat map <node addr>... <node addr> to <SNAT addr>

For example, the command below defines a secure network address translation for two nodes:

bigpipe snat map 192.168.75.50 192.168.75.51 to 192.168.100.10
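The NAT and SNAT sections above state several address rules: a NAT address must be unique and must not match any virtual or physical server, a SNAT address may equal a virtual server address but not a NAT or another SNAT address, and no NAT can be defined when a default SNAT is configured. The following shell script is an added example, not part of this manual or of F5's software, that checks a planned set of translations against those rules and then emits the bigpipe nat and bigpipe snat map commands shown above. The plan format, the function names, the DEFAULT_SNAT flag and all addresses are constructed for the example; BIGPIPE_DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the F5 manual): validates planned NAT and SNAT mappings
# against the address rules in this chapter, then emits the bigpipe commands.
# All addresses below are constructed for the example. BIGPIPE_DRY_RUN=1 (default,
# an assumption of this example) prints the commands; set it to 0 on a controller.

BIGPIPE_DRY_RUN="${BIGPIPE_DRY_RUN:-1}"

run_bigpipe() {
    if [ "$BIGPIPE_DRY_RUN" -eq 1 ]; then echo "bigpipe $*"; else bigpipe "$@"; fi
}

# Lists are newline-separated addresses; returns 0 if the address is in the list.
addr_in_list() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# A NAT address must not match a virtual server, another NAT, or a SNAT address.
# Arguments: candidate, virtual server list, NAT list, SNAT list.
nat_addr_ok() {
    a="$1"
    if addr_in_list "$a" "$2"; then echo "reject NAT $a: matches a virtual server" >&2; return 1; fi
    if addr_in_list "$a" "$3"; then echo "reject NAT $a: already used by a NAT" >&2; return 1; fi
    if addr_in_list "$a" "$4"; then echo "reject NAT $a: already used by a SNAT" >&2; return 1; fi
    return 0
}

# A SNAT address may equal a virtual server address, but not a NAT or another SNAT.
# Arguments: candidate, virtual server list (unused, allowed), NAT list, SNAT list.
snat_addr_ok() {
    a="$1"
    if addr_in_list "$a" "$3"; then echo "reject SNAT $a: already used by a NAT" >&2; return 1; fi
    if addr_in_list "$a" "$4"; then echo "reject SNAT $a: already used by a SNAT" >&2; return 1; fi
    return 0
}

# Check and emit a plan.
#   $1  newline-separated virtual server addresses
#   $2  NAT plan, one "<node addr> <NAT addr>" per line
#   $3  SNAT plan, one "<SNAT addr> <node addr>..." per line
#   $4  1 if a default SNAT is configured (then the chapter allows no NATs)
apply_plan() {
    vs_addrs="$1"; nat_plan="$2"; snat_plan="$3"; default_snat="${4:-0}"
    nats=""; snats=""

    if [ "$default_snat" -eq 1 ] && [ -n "$nat_plan" ]; then
        echo "reject: NATs cannot be defined when a default SNAT is configured" >&2
        return 1
    fi

    # One NAT per node; the here-document keeps the loop in the current shell so
    # the growing address lists are visible to later checks.
    while read -r node nat; do
        [ -n "$node" ] || continue
        nat_addr_ok "$nat" "$vs_addrs" "$nats" "$snats" || return 1
        run_bigpipe nat "$node" to "$nat"
        nats="$nats
$nat"
    done <<EOF
$nat_plan
EOF

    # One SNAT address may serve several nodes.
    while read -r snat nodes; do
        [ -n "$snat" ] || continue
        snat_addr_ok "$snat" "$vs_addrs" "$nats" "$snats" || return 1
        run_bigpipe snat map $nodes to "$snat"
        snats="$snats
$snat"
    done <<EOF
$snat_plan
EOF
}

# Constructed sample: one virtual server, two NATs, one SNAT shared by two nodes.
VS_ADDRS="192.168.100.5"
NAT_PLAN="192.168.75.50 192.168.100.20
192.168.75.51 192.168.100.21"
SNAT_PLAN="192.168.100.10 192.168.75.60 192.168.75.61"
apply_plan "$VS_ADDRS" "$NAT_PLAN" "$SNAT_PLAN" 0
```

Because each rule is a separate function with an exit status, a rejected plan produces no partial configuration: the first conflicting address stops the run before the command for it is issued.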

Setting up IP forwarding

If you do not want to translate addresses with a NAT or SNAT, you can use the IP forwarding configuration option. IP forwarding is an alternate way of allowing nodes to initiate or receive direct connections from the BIG-IP Controller's external network. IP forwarding exposes all of the node IP addresses to the external network, making them routable on that network. If your network uses the NT Domain or CORBA IIOP, IP forwarding is an option for direct access to nodes.

To set up IP forwarding, you need to complete two tasks:

  • Turn IP forwarding on
    The BIG-IP Controller uses a system control variable to control IP forwarding, and its default setting is off.
  • Verify the routing configuration
    You probably have to change the routing table for the router on the BIG-IP Controller's external network. The router needs to direct packets for nodes to the BIG-IP Controller, which in turn directs the packets to the nodes themselves.

Turning on IP forwarding

IP forwarding is a property of the BIG-IP Controller system, and it is controlled by the system control variable net.inet.ip.forwarding.

To set the IP forwarding system control variable using the Configuration utility

  1. In the navigation pane, click the BIG-IP Controller icon.
    The BIG-IP System Properties screen opens.
  2. On the toolbar, click Advanced Properties.
    The BIG-IP System Control Variables screen opens.
  3. Check the Allow IP Forwarding box.

    Configuration note

    · For additional information about the options on this screen, click the Help button.

To set the IP forwarding system control variable from the command line

Use the standard sysctl command to set the variable. The default setting for the variable is 0, which is off. You want to change the setting to 1, which is on:

sysctl -w net.inet.ip.forwarding=1

To permanently set this value, you can use a text editor, such as vi or pico, to manually edit the /etc/rc.sysctl file. For additional information about editing this file, see the BIG-IP Controller Reference Guide, BIG-IP Controller System Control Variables.

Addressing routing issues for IP forwarding

Once you turn on IP forwarding, you probably need to change the routing table on the default router. Packets for the node addresses need to be routed through the BIG-IP Controller. For details about changing the routing table, refer to your router's documentation.