Manual Chapter : Configuring the Basic BIG-IP Network

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

BIG-IP Link Controller

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

BIG-IP Analytics

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

BIG-IP PEM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Manual Chapter

Overview: Configuring basic system settings

You configure the BIG-IP® system to handle traffic from an ECMP-enabled upstream router so that you get all-active BIG-IP clustering. Before you can do that, you need to complete some basic tasks for Traffic Management Operating System® (TMOS). These basic tasks include creating VLANs and self IP addresses, and then specifying your NTP servers. Other tasks involve creating a BIG-IP® device group and then syncing a BIG-IP configuration across all devices.

After finishing these tasks, you can configure LTM® to implement ECMP-based all-active clustering, with connection mirroring between BIG-IP devices.

Task List

Creating VLANs

VLANs represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN. For this implementation, F5 Networks recommends that you create three VLANs on each BIG-IP® device: a VLAN for the external network, a VLAN for the internal network, and a VLAN for high availability communications. Examples of VLAN names are External, Internal, and HA.

Important: You must perform this task locally on each BIG-IP device that is to be a member of the BIG-IP device group, and you must create the object in administrative partition Common.
  1. On the Main tab, click Network > VLANs .
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
  4. In the Tag field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. If you want to use Q-in-Q (double) tagging, use the Customer Tag setting to perform the following two steps. If you do not see the Customer Tag setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
    1. From the Customer Tag list, select Specify.
    2. Type a numeric tag, from 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the Interfaces setting:
    1. From the Interface list, select an interface number.
    2. From the Tagging list, select Tagged or Untagged.
      Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
    3. If you specified a numeric value for the Customer Tag setting and from the Tagging list you selected Tagged, then from the Tag Mode list, select a value.
    4. Click Add.
    5. Repeat these steps for each interface that you want to assign to the VLAN.
  7. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  8. In the MTU field, retain the default number of bytes (1500).
  9. From the Configuration list, select Advanced.
  10. If you want to base redundant-system failover on VLAN-related events, select the Fail-safe check box.
  11. From the Auto Last Hop list, select a value.
  12. From the CMP Hash list, select a value.
  13. To enable the DAG Round Robin setting, select the check box.
  14. Click Finished.
    The screen refreshes, and displays the new VLAN in the list.

Creating static self IP addresses

Self IP addresses enable the BIG-IP® system, and other devices on the network, to route traffic through the associated VLAN. For this implementation, you perform this task on each BIG-IP device to create a unique static self IP address for each of the three VLANs (external, internal, and high availability). The BIG-IP systems within a device group use these self IP addresses to communicate with one another for config sync, failover, and mirroring. In this task, you replace any sample self IP names or IP addresses with the relevant self IP names or addresses for your network.

Important: You must perform this task locally on each BIG-IP device that is to be a member of the BIG-IP device group, and you must create the self IP address in administrative partition Common.
  1. On the Main tab, click Network > Self IPs .
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the static self IP address.
    For example, for device BIGIP_A, this name could be ext_static_self_bigipA or int_static_self_bigipA.
  4. In the IP Address field, type an IP address.
    For example, in our sample configuration for device BIGIP_A, the static self IP address for VLAN external could be 20.1.1.6 .
  5. In the Netmask field, type the network mask for the specified IP address.

    For example, you can type 255.255.255.0.

  6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
    • On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
    • On the external network, select the external VLAN that is associated with an external interface or trunk.
  7. From the Traffic Group list, select traffic-group-local-only (non-floating).
  8. Click Finished.
    The screen refreshes, and displays the new self IP address.
The BIG-IP system can send and receive traffic through the specified VLAN.

Specifying a list of NTP servers

If you use Dynamic Host Configuration Protocol (DHCP) to assign IP addresses to NTP servers, then before you perform this task, verify that you have configured a Domain Name System (DNS) server on the BIG-IP® system.
Network Time Protocol (NTP) synchronizes the clocks on a network of BIG-IP devices by means of a defined NTP server. This clock synchronization is required for successful operation of a BIG-IP device group. You can specify a list of the IP addresses of the defined NTP servers that you want the BIG-IP system to use when updating the time on BIG-IP systems on the network. Alternatively, you can specify a list of fully-qualified domain names.
Important: You must perform this task locally on each BIG-IP device that is to be a member of the BIG-IP device group, and you must create the object in administrative partition Common.
  1. On the Main tab, click System > Configuration > Device > NTP .
    The NTP Device configuration screen opens.
  2. Find the Partition list in the upper right corner of the BIG-IP Configuration utility screen, to the left of the Log out button.
  3. From the Partition list, pick partition Common.
  4. For the Time Server List setting, in the Address field, type the IP address of an NTP server that you want to add. Then click Add.
    Note: If you are using Dynamic Host Configuration Protocol (DHCP) to assign IP addresses, then the BIG-IP system automatically populates the Address field with the fully-qualified domain name (FQDN) of the NTP server.
  5. Repeat the preceding step as needed.
  6. Click Update.

Establishing device trust

Before you begin this task, verify that:

  • Each BIG-IP® device that is to be part of the local trust domain has a device certificate installed on it.
  • The local device is designated as a certificate signing authority.

You use this task to establish trust among devices on one or more network segments. Devices that trust each other make up the local trust domain. A device must be a member of the local trust domain before it can be part of a device group.

By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices Bigip_A, Bigip_B, and Bigip_C each initially shows only itself as a member of the local trust domain. To configure the local trust domain to include all three devices, you can just log in to device Bigip_A and add devices Bigip_B and Bigip_C to the local trust domain; there is no need to repeat this process on devices Bigip_B and Bigip_C.

  1. On the Main tab, click Device Management > Device Trust , and then either Peer List or Subordinate List.
  2. Click Add.
  3. Type a device IP address, administrator user name, and administrator password for the remote BIG-IP® device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
    • If the BIG-IP device is an appliance, type the management IP address for the device.
    • If the BIG-IP device is a VIPRION® device that is not licensed and provisioned for vCMP®, type the primary cluster management IP address for the cluster.
    • If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type the cluster management IP address for the guest.
    • If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
  4. Click Retrieve Device Information.
  5. Verify that the certificate of the remote device is correct.
  6. Verify that the management IP address and name of the remote device are correct.
  7. Click Finished.
After you perform this task, the local device is now a member of the local trust domain.

Specifying config sync, failover, and mirroring addresses

Before configuring the config sync, failover, and mirroring addresses on a BIG-IP device, verify that all devices in the device group are running the same version of BIG-IP® system software.

You perform this task to specify IP addresses on the local device that other devices in the device group will use to:

  • Synchronize their configuration objects to the local device.
  • Assess the health status of the local device.
  • Mirror connections to the local device.
Note: You must perform this task locally on each device in the device group.
  1. Confirm that you are logged in to the device you want to configure.
  2. On the Main tab, click Device Management > Devices .
    This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. From the Device Connectivity menu, choose ConfigSync.
  5. For the Local Address setting, select the static self IP address for the internal VLAN.
  6. From the Device Connectivity menu, choose Failover Network.
  7. For the Failover Unicast Configuration settings, click Add and specify the static self IP address for VLAN HA. Then repeat the action, specifying the device's management IP address.
  8. For the Primary Local Mirror Address setting, select the static self IP address for VLAN internal.
  9. For the Secondary Local Mirror Address setting, select the static self IP address for VLAN HA.
    This setting is optional. The system uses the selected IP address in the event that the primary mirroring address becomes unavailable.
  10. Click Update.
After you perform this task, the other devices in the device group can sync their configurations, fail over, and mirror their connections to the local device.

Creating a Sync-Failover device group

This task establishes failover capability between two or more BIG-IP® devices. If an active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You perform this task on any one of the authority devices within the local trust domain.

  1. On the Main tab, click Device Management > Device Groups .
  2. On the Device Groups list screen, click Create.
    The New Device Group screen opens.
  3. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
  4. From the Configuration list, select Advanced.
  5. In the Configuration area of the screen, select a host name from the Available list for each BIG-IP device that you want to include in the device group, including the local device. Use the Move button to move the host name to the Includes list.
    The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  6. For the Network Failover setting, select or clear the check box:
    • Select the check box if you want device group members to handle failover communications by way of network connectivity. This choice is required for active-active configurations.
    • Clear the check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.
    For active-active configurations, you must select network failover, as opposed to serial-cable (hard-wired) connectivity.
  7. For the Automatic Sync setting, select or clear the check box:
    Action Result
    Select (Enable) Select the check box when you want the BIG-IP system to automatically sync configuration data to device group members whenever a change occurs. When you enable this setting, the BIG-IP system automatically syncs, but does not save, the configuration change on each device (this is the default behavior). To save the updated configuration on each device, you can log in to each device and, at the tmsh prompt, type save sys config. Alternatively, you can change the default behavior so that the system automatically saves configuration changes on target devices after an automatic config sync. You make this change by logging in to one of the devices in the device group and, at the tmsh prompt, typing modify cm device-group name save-on-auto-sync true.
    Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.
    Clear (Disable) Clear the check box when you want to disable automatic sync. When this setting is disabled, you must manually initiate each config sync operation. F5 Networks® recommends that you perform a config sync whenever configuration data changes on one of the devices in the device group. After you perform a manual config sync, the BIG-IP system automatically saves the configuration change on each device group member.
  8. For the Full Sync setting, specify whether the system synchronizes the entire configuration during synchronization operations:
    • Select the check box when you want all sync operations to be full syncs. In this case, every time a config sync operation occurs, the BIG-IP system synchronizes all configuration data associated with the device group. This setting has a performance impact and is not recommended for most customers.
    • Clear the check box when you want all sync operations to be incremental (the default setting). In this case, the BIG-IP system syncs only the changes that are more recent than those on the target device. When you select this option, the BIG-IP system compares the configuration data on each target device with the configuration data on the source device and then syncs the delta of each target-source pair.
    If you enable incremental synchronization, the BIG-IP system might occasionally perform a full sync for internal reasons. This is a rare occurrence and no user intervention is required.
  9. In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value.
    This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
  10. Click Finished.
You now have a Sync-Failover type of device group containing BIG-IP devices as members.

Syncing the BIG-IP configuration to the device group

Before you sync the configuration, verify that the devices that are targeted for config sync are members of a Sync-Failover device group.
This task synchronizes the latest BIG-IP® configuration data from the local device to the devices in the device group. This synchronization makes sure that devices in the device group work correctly.
Note: You only need to do this task on one device in the device group.
  1. On the Main tab, click Device Management > Overview .
  2. In the Device Groups area of the screen, from the Name column, select the name of the relevant device group.
    The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
  3. In the Devices area of the screen, from the Sync Status column, select the device that shows a sync status of Changes Pending.
  4. In the Sync Options area of the screen, select Sync Device to Group.
  5. Click Sync.
    The BIG-IP system syncs the configuration data of the selected device in the Device area of the screen to the other members of the device group.
After you complete this task, the BIG-IP configuration data is synchronized to every device in the device group.