Manual Chapter : Configuring Basic BIG-IP System Settings

Applies To:


BIG-IP AAM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP GTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP Link Controller

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP LTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP AFM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP PEM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP ASM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

Overview: Configuring basic system settings

Whether you implement an ECMP-based all-active device group using SNAT Auto Map or by creating SNAT pools, you must first perform some basic Traffic Management Operating System (TMOS) tasks. These basic tasks pertain to confirming the license and the DNS configuration and to configuring NTP servers, followed by tasks to create VLANs and self IP addresses. Other tasks pertain to creating a BIG-IP device group along with an administrative partition for local traffic objects.

After configuring these TMOS objects, you can choose to implement either the SNAT Automap or the SNAT pool use case.

Confirming the contents of the BIG-IP license

On each BIG-IP device that you intend to include in the cluster, you must verify that the license includes the advanced routing modules for dynamic routing.

Important: You must perform this licensing task locally on each device that is to become a member of the device group.
  1. Access the BIG-IP system by logging in to the BIG-IP Configuration utility with your user credentials.
  2. On the Main tab, click System > License.
  3. In the Active Modules division of the properties, verify that Routing Bundle appears in the list of active modules.

Viewing the DNS server configuration

You perform this task to determine whether any DNS servers are specified on the BIG-IP system for communication to other devices on the network.
Important: You must perform this DNS task locally on each device that is to become a member of the device group.
  1. On the Main tab, click System > Configuration > Device > DNS. The DNS Device configuration screen opens.
  2. View the DNS Lookup Server List settings to determine if any DNS servers have been configured on the BIG-IP system.

Specifying a list of NTP servers

If you use Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to NTP servers, then before you perform this task, verify that you have configured a Domain Name System (DNS) server on the BIG-IP system.
Network Time Protocol (NTP) synchronizes the clocks on a network of BIG-IP devices by means of a defined NTP server. This clock synchronization is required for successful operation of a BIG-IP device group. You can specify a list of the IP addresses of the defined NTP servers that you want the BIG-IP system to use when updating the time on BIG-IP systems on the network. Alternatively, you can specify a list of fully-qualified domain names.
Important: You must perform this task locally on each BIG-IP device that is to be a member of the BIG-IP device group, and you must create the object in administrative partition Common.
  1. On the Main tab, click System > Configuration > Device > NTP. The NTP Device configuration screen opens.
  2. Locate the Partition list in the upper right corner of the BIG-IP Configuration utility screen, to the left of the Log out button.
  3. From the Partition list, confirm or select partition Common.
  4. For the Time Server List setting, in the Address field, type the IP address of an NTP server that you want to add. Then click Add.
    Note: If you are using Dynamic Host Configuration Protocol (DHCP) to assign IP addresses, then the BIG-IP system automatically populates the Address field with the fully-qualified domain name (FQDN) of the NTP server.
  5. Repeat the preceding step as needed.
  6. Click Update.

Creating VLANs

VLANs represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN. For this implementation, F5 Networks recommends that you create three VLANs on each BIG-IP device: a VLAN for the external network, a VLAN for the internal network, and a VLAN for high availability communications.

Important: You must perform this task locally on each BIG-IP device that is to be a member of the BIG-IP device group, and you must create the object in administrative partition Common.
  1. On the Main tab, click Network > VLANs. The VLAN List screen opens.
  2. Locate the Partition list in the upper right corner of the BIG-IP Configuration utility screen, to the left of the Log out button.
  3. From the Partition list, confirm or select partition Common.
  4. Click Create. The New VLAN screen opens.
  5. In the Name field, type a unique name for the VLAN.
  6. In the Tag field, type a numeric tag, from 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN.
  7. If you want to use Q-in-Q (double) tagging, use the Customer Tag setting to perform the following two steps. If you do not see the Customer Tag setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
    1. From the Customer Tag list, select Specify.
    2. Type a numeric tag, from 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  8. For the Interfaces setting:
    1. From the Interface list, select an interface number.
    2. From the Tagging list, select Tagged or Untagged. Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
    3. If you specified a numeric value for the Customer Tag setting and from the Tagging list you selected Tagged, then from the Tag Mode list, select a value.
    4. Click Add.
    5. Repeat these steps for each interface that you want to assign to the VLAN.
  9. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  10. In the MTU field, retain the default number of bytes (1500).
  11. From the Configuration list, select Advanced.
  12. If you want to base redundant-system failover on VLAN-related events, select the Fail-safe check box.
  13. From the Auto Last Hop list, select a value.
  14. From the CMP Hash list, select a value.
  15. To enable the DAG Round Robin setting, select the check box.
  16. Click Finished. The screen refreshes, and displays the new VLAN in the list.

Creating self IP addresses

Self IP addresses enable the BIG-IP system, and other devices on the network, to route application traffic through the associated VLAN. For this implementation, you perform this task on each BIG-IP device to create a unique static self IP address for each of the three VLANs (external, internal, and high availability). In this task, you replace any sample self IP names or IP addresses with the relevant self IP names or addresses for your network.

Important: You must perform this task locally on each BIG-IP device that is to be a member of the BIG-IP device group, and you must create the self IP address in administrative partition Common.
  1. On the Main tab, click Network > Self IPs.
  2. Locate the Partition list in the upper right corner of the BIG-IP Configuration utility screen, to the left of the Log out button.
  3. From the Partition list, confirm or select partition Common.
  4. Click Create. The New Self IP screen opens.
  5. In the Name field, type a unique name for the self IP address. For example, for device Bigip_1, this name could be ext_self_bigip1, int_self_bigip1, or ha_self_bigip1.
  6. In the IP Address field, type an IPv4 or IPv6 address. In our sample configuration for Bigip_1, this IP address is either 20.1.1.2, 20.1.1.3, or 20.1.1.5.
  7. In the Netmask field, type the full network mask for the specified IP address. For example, you can type ffff:ffff:ffff:ffff:0000:0000:0000:0000 or ffff:ffff:ffff:ffff::.
  8. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
    • On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
    • On the external network, select the external VLAN that is associated with an external interface or trunk.
  9. If you are creating an external self IP address, use the Port Lockdown setting to add TCP 179 to your current list of allowed ports for this self IP address. Port 179 represents the Border Gateway Protocol (BGP). Selecting port 179 gives BGP traffic coming from the ECMP router access to the BIG-IP device.
  10. Click Add.
  11. From the Traffic Group list, select traffic-group-local-only (non-floating).
  12. Click Finished. The screen refreshes, and displays the new self IP address.
The BIG-IP system can send and receive traffic through the specified VLAN.
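As an added example, not part of the F5 manual, the following Python script audits self IP objects for the points this task requires: partition Common, traffic-group-local-only, and, on the external VLAN, a Port Lockdown list that admits TCP 179 (BGP) without opening all ports. It assumes the configuration is in the text form that `tmsh list net self` prints (a constructed sample is embedded), that tmsh shows TCP 179 as tcp:bgp, and that the external VLAN is named /Common/external; the self IP names and addresses follow the manual's Bigip_1 sample, with two deliberately misconfigured objects added so the audit has findings.

```python
"""Audit BIG-IP `net self` objects for the ECMP/BGP device-group recipe."""
import re

# Constructed sample in the shape of `tmsh list net self` output, using the
# manual's Bigip_1 names and addresses. tmsh shows TCP 179 as tcp:bgp. The
# last two self IPs are deliberately wrong so the audit has findings.
SAMPLE_CONF = """\
net self /Common/ext_self_bigip1 {
    address 20.1.1.2/24
    allow-service {
        default
        tcp:bgp
    }
    traffic-group /Common/traffic-group-local-only
    vlan /Common/external
}
net self /Common/ha_self_bigip1 {
    address 10.1.2.2/24
    allow-service all
    traffic-group /Common/traffic-group-1
    vlan /Common/ha
}
net self /Common/ext_self_bad {
    address 20.1.1.9/24
    allow-service none
    traffic-group /Common/traffic-group-local-only
    vlan /Common/external
}
"""

STANZA = re.compile(r"^net self (\S+) \{\n(.*?)\n\}", re.S | re.M)
BGP_SERVICES = {"tcp:179", "tcp:bgp"}  # either spelling of the BGP port


def parse_selfs(conf):
    """Map self IP name -> {address, vlan, traffic_group, allow_service}."""
    selfs = {}
    for name, body in STANZA.findall(conf):
        # Braced form: a set of service tokens; single-word form: 'all'/'none'.
        m = re.search(r"allow-service \{(.*?)\}", body, re.S)
        if m:
            allow = set(m.group(1).split())
        else:
            m = re.search(r"^\s*allow-service (\S+)", body, re.M)
            allow = m.group(1) if m else "none"  # assumption: absent = nothing open
        entry = {"allow_service": allow}
        for key in ("address", "vlan", "traffic-group"):
            m = re.search(rf"^\s*{key} (\S+)", body, re.M)
            entry[key.replace("-", "_")] = m.group(1) if m else None
        selfs[name] = entry
    return selfs


def audit(selfs, external_vlan="/Common/external"):
    """Return (self_name, finding) pairs; an empty list means compliant."""
    findings = []
    for name, s in selfs.items():
        if not name.startswith("/Common/"):
            findings.append((name, "not in partition Common"))
        if s["traffic_group"] != "/Common/traffic-group-local-only":
            findings.append((name, "traffic group is not traffic-group-local-only"))
        svc = s["allow_service"]
        if svc == "all":
            findings.append((name, "Port Lockdown set to Allow All"))
        if s["vlan"] == external_vlan:
            allows_bgp = svc == "all" or (isinstance(svc, set) and bool(svc & BGP_SERVICES))
            if not allows_bgp:
                findings.append((name, "external self IP does not allow TCP 179 (BGP)"))
    return findings
```

Calling audit(parse_selfs(SAMPLE_CONF)) reports the HA self IP twice (wrong traffic group, Allow All) and the bad external self IP once (no BGP), and nothing for ext_self_bigip1.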

Sample self IP addresses for BIG-IP devices

This table shows sample self IP addresses for the BIG-IP devices, along with explanatory information.

BIG-IP device | Self IP address | Associated VLAN | Purpose
Bigip_1 | 20.1.1.2 | External | The upstream ECMP router uses this address to load balance traffic to the virtual server on Bigip_1.
Bigip_1 | 10.1.1.2 | Internal | This is the address that other device group members use when synchronizing a configuration to Bigip_1.
Bigip_1 | 10.1.2.2 | High availability | This is the address that other device group members use for high availability communications with Bigip_1.
Bigip_2 | 20.1.1.3 | External | The upstream ECMP router uses this address to load balance traffic to the virtual server on Bigip_2.
Bigip_2 | 10.1.1.3 | Internal | This is the address that other device group members use when synchronizing a configuration to Bigip_2.
Bigip_2 | 10.1.2.3 | High availability | This is the address that other device group members use for high availability communications with Bigip_2.
Bigip_3 | 20.1.1.4 | External | The upstream ECMP router uses this address to load balance traffic to the virtual server on Bigip_3.
Bigip_3 | 10.1.1.4 | Internal | This is the address that other device group members use when synchronizing a configuration to Bigip_3.
Bigip_3 | 10.1.2.4 | High availability | This is the address that other device group members use for high availability communications with Bigip_3.

Enabling dynamic routing protocols for route domain 0

You perform this task to enable Border Gateway Protocol and any other dynamic routing protocols for route domain 0.
Important: You must perform this task locally on each BIG-IP device that is to be a member of the BIG-IP device group, and the current administrative partition must be set to Common.
  1. On the Main tab, click Network > Route Domains. The Route Domain List screen opens.
  2. Locate the Partition list in the upper right corner of the BIG-IP Configuration utility screen, to the left of the Log out button.
  3. From the Partition list, confirm or select partition Common.
  4. In the Name column, click 0.
  5. For the Dynamic Routing Protocols setting, from the Available list, select one or more protocol names and move them to the Enabled list. You can enable any number of listed protocols for this route domain.
    Important: You must enable the BGP protocol.
  6. Click Update. The system displays the list of route domains on the BIG-IP system.
The dynamic routing protocols, including BGP, are enabled on the BIG-IP system.

Specifying an IP address for config sync

Before configuring the config sync address, verify that all devices in the device group are running the same version of BIG-IP system software.
You perform this task to specify the IP address on the local device that other devices in the device group will use to synchronize their configuration objects to the local device.
Note: You must perform this task locally on each device in the device group, and the current administrative partition must be set to Common.
  1. Confirm that you are logged in to the device you want to configure.
  2. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  3. Locate the Partition list in the upper right corner of the BIG-IP Configuration utility screen, to the left of the Log out button.
  4. From the Partition list, confirm or select partition Common.
  5. In the Name column, click the name of the device to which you are currently logged in.
  6. From the Device Connectivity menu, choose ConfigSync.
  7. For the Local Address setting, retain the displayed IP address or select another address from the list. F5 Networks recommends that you use the default value, which is the self IP address for the internal VLAN. This address must be a non-floating self IP address and not a management IP address.
    Important: If the BIG-IP device you are configuring is accessed using Amazon Web Services, then the internal self IP address that you select for the Local Address setting must be one of the internal private IP addresses that you configured for this EC2 instance.
  8. Click Update.
After performing this task, the other devices in the device group can sync their configurations to the local device whenever a sync operation is initiated.

Establishing device trust

Before you begin this task, verify that:

  • Each BIG-IP device that is to be part of the local trust domain has a device certificate installed on it.
  • The local device is designated as a certificate signing authority.

You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.

By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices Bigip_1, Bigip_2, and Bigip_3 each initially shows only itself as a member of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device Bigip_1 and add devices Bigip_2 and Bigip_3 to the local trust domain; there is no need to repeat this process on devices Bigip_2 and Bigip_3.

  1. On the Main tab, click Device Management > Device Trust, and then either Peer List or Subordinate List.
  2. Click Add.
  3. Type a device IP address, administrator user name, and administrator password for the remote BIG-IP device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
    • If the BIG-IP device is an appliance, type the management IP address for the device.
    • If the BIG-IP device is a VIPRION device that is not licensed and provisioned for vCMP, type the primary cluster management IP address for the cluster.
    • If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type the cluster management IP address for the guest.
    • If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
  4. Click Retrieve Device Information.
  5. Verify that the certificate of the remote device is correct.
  6. Verify that the management IP address and name of the remote device are correct.
  7. Click Finished.
After you perform this task, the local device is now a member of the local trust domain. Also, the BIG-IP system automatically creates a special Sync-Only device group for the purpose of synchronizing trust information among the devices in the local trust domain, on an ongoing basis.
Repeat this task to specify each device that you want to add to the local trust domain.

Creating a Sync-Only device group

You perform this task to create a Sync-Only type of device group. When you create a Sync-Only device group, the BIG-IP system can then automatically synchronize configuration data (such as security policies and acceleration applications) to the other devices in the group, even when some of those devices reside in another network.
Note: You perform this task on any one BIG-IP device within the local trust domain; there is no need to repeat this process on the other devices in the device group.
  1. On the Main tab, click Device Management > Device Groups.
  2. Locate the Partition list in the upper right corner of the BIG-IP Configuration utility screen, to the left of the Log out button.
  3. From the Partition list, confirm or select partition Common.
  4. On the Device Groups list screen, click Create. The New Device Group screen opens.
  5. Type a name for the device group, select the device group type Sync-Only, and type a description for the device group.
  6. From the Configuration list, select Advanced.
  7. For the Members setting, select an IP address and host name from the Available list for each BIG-IP device that you want to include in the device group. Use the Move button to move the host name to the Includes list. The list shows any devices that are members of the device's local trust domain.
  8. For the Automatic Sync setting, select or clear the check box:
    • Select the check box when you want the BIG-IP system to automatically sync the BIG-IP configuration data whenever a config sync operation is required. In this case, the BIG-IP system syncs the configuration data whenever the data changes on any device in the device group.
    • Clear the check box when you want to manually initiate each config sync operation. In this case, F5 Networks recommends that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  9. For the Full Sync setting, select or clear the check box:
    • Select the check box when you want all sync operations to be full syncs. In this case, the BIG-IP system syncs the entire set of BIG-IP configuration data whenever a config sync operation is required.
    • Clear the check box when you want all sync operations to be incremental (the default setting). In this case, the BIG-IP system syncs only the changes that are more recent than those on the target device. When you select this option, the BIG-IP system compares the configuration data on each target device with the configuration data on the source device and then syncs the delta of each target-source pair.
    If you enable incremental synchronization, the BIG-IP system might occasionally perform a full sync for internal reasons. This is a rare occurrence and no user intervention is required.
  10. In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value. This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
  11. Click Finished.
You now have a Sync-Only type of device group containing BIG-IP devices as members.

Syncing the BIG-IP configuration to the device group

Before you sync the configuration, verify that the devices targeted for config sync are members of a device group and that device trust is established.
This task synchronizes the BIG-IP configuration data from the local device to the devices in the device group. This synchronization ensures that devices in the device group operate properly.
Note: You perform this task on only one device in the device group.
  1. On the Main tab, click Device Management > Overview.
  2. In the Device Groups area of the screen, in the Name column, select the name of the relevant device group. The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
  3. In the Devices area of the screen, in the Sync Status column, select the device that shows a sync status of Changes Pending.
  4. In the Sync Options area of the screen, select Sync Device to Group.
  5. Click Sync. The BIG-IP system syncs the configuration data of the device selected in the Devices area of the screen to the other members of the device group.
The BIG-IP configuration data is replicated on each device in the device group.

Creating an administrative partition

You perform this task to create an administrative partition that is associated with a BIG-IP Sync-Only device group. An administrative partition creates an access control boundary for users and applications. When you create a partition for this implementation, you assign the Sync-Only device group as an attribute of the folder that corresponds to the partition. For example, you can create a partition named Spanned_VIP and set its Device Group setting to my_sync_only_dg. In this case, the system automatically creates a folder named /Spanned_VIP, and any local traffic objects that you create in that folder will be synchronized to the devices in device group my_sync_only_dg, whenever a config sync operation occurs.
Note: You perform this task on only one device in the device group; there is no need to repeat this process on the other device group members.
  1. On the Main tab, expand System and click Users. The Users List screen opens.
  2. On the menu bar, click Partition List.
  3. Click Create. The New Partition screen opens.
  4. In the Partition Name field, type a unique name for the partition. An example of a partition name is Spanned_VIP.
  5. Type a description of the partition in the Description field. This field is optional.
  6. For the Device Group setting, clear the Inherit device group from root folder check box and from the list, select the name of the Sync-Only device group.
  7. From the Traffic Group list, choose None.
  8. Click Finished.
After creating the partition, you can create local traffic objects within the partition that the BIG-IP system will synchronize to the other devices in the BIG-IP device group.

Changing the current partition

You perform this task to change the current administrative partition on the BIG-IP system. You change the partition when you want BIG-IP configuration objects that you create to reside in the folder that corresponds to the partition. For example, if the current partition is set to Common, but you want to create a load balancing pool and virtual server in folder /Spanned_VIP instead of /Common, you can switch the current partition to partition Spanned_VIP. Any configuration objects you subsequently create will reside in folder /Spanned_VIP and will be synchronized to the Sync-Only device group defined as an attribute of that folder.
  1. Locate the Partition list in the upper right corner of the BIG-IP Configuration utility screen, to the left of the Log out button.
  2. From the Partition list, select the partition in which you want to create local traffic objects.
After you perform this task, any configuration objects that you create reside in the folder corresponding to the selected partition. For example, if you selected partition Spanned_VIP, subsequent objects such as a load balancing pool and a virtual server will reside in folder /Spanned_VIP.