Manual Chapter : Additional Tasks for Isolated Guests in Appliance Mode

Applies To:

BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Additional tasks for isolated guests in Appliance mode

To ensure that guest administrators can access an isolated guest and manage the BIG-IP® software within the guest, you must create the isolated guest with Appliance mode disabled, perform some additional tasks, and then modify the guest to enable Appliance mode. These additional tasks are:

  • Creating a self IP address for guest administrators to use to access the guest, and granting tmsh access to the guest's admin user account.
  • Enabling Appliance mode on the guest.

After performing these tasks, administrators for an isolated guest are restricted to using either the BIG-IP® Configuration utility or tmsh to manage BIG-IP modules within the guest (when port lockdown settings on the self IP address allow such traffic).

Preparing an isolated guest for Appliance mode

You use this task to prepare an isolated guest to operate in Appliance mode. Specifically, you use this task to:

  • Grant access to the Traffic Management Shell (tmsh) for the admin user account within a vCMP® guest. By default, the admin account for a guest has no access to tmsh.
  • Create a self IP address for guest administrators to use to access the guest. This is necessary because an isolated guest is not connected to the management network and therefore has no management IP address assigned to it.

You perform this task by accessing the guest from the vCMP® host.

  1. From the vCMP host system prompt, type vconsole guest_name any_guest_slot_number.
    In this syntax, the variable any_guest_slot_number refers to any slot on which the guest is running. Note that for single-slot guests, the slot number is not required.
    For example, you can type vconsole guest_A 1, where 1 represents slot 1 of the guest.
    The system prompts you to enter a user name and password.
  2. Log in to the guest using the root account and the password default.
    A system prompt is displayed.
  3. At the prompt, determine the primary slot number by typing tmsh show sys cluster and locating the Primary Slot ID.
  4. If the system output indicates that you are not currently logged into the primary slot of the cluster, type ssh primary_slot_and_number.
    For example, if the primary slot is slot 2, you can type ssh slot2.
    Typing this command logs you into the primary slot of the cluster.
  5. Type the command tmsh modify auth user admin shell tmsh.
    This command grants tmsh access to the admin user account.
  6. Type the command tmsh create net self address ip_address/netmask vlan vlan_name allow-service default.
    This creates the specified IP address on the guest and makes required adjustments to the port lockdown settings.
  7. At the prompt, exit the guest by typing exit.
  8. Exit the vConsole utility by typing the key sequence ctrl-].
    This displays the prompt telnet>.
  9. Type q.
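
Once Appliance mode is enabled, root and Bash access to the guest are denied, so it is worth confirming the results of steps 5 and 6 from the guest's root prompt before exiting in step 7. The script below is an added example, not F5 code and not part of the original manual: it assumes the brace-stanza layout printed by tmsh list, and the sample stanzas, object names, and addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not F5 code): confirm steps 5 and 6 took effect before
# Appliance mode removes root and Bash access to the isolated guest.
# Assumption: input is in the brace-stanza layout that "tmsh list" prints.

# Succeeds if the "auth user admin" stanza contains "shell tmsh".
admin_has_tmsh() {
    printf '%s\n' "$1" | awk '
        /^auth user admin [{]/ { in_user = 1; next }
        in_user && /^[}]/      { in_user = 0 }
        in_user && $1 == "shell" && $2 == "tmsh" { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Prints the name of each self IP whose allow-service is present and not "none".
reachable_self_ips() {
    printf '%s\n' "$1" | awk '
        /^net self /  { name = $3; next }
        /^[}]/        { name = "" }
        name != "" && $1 == "allow-service" && $2 != "none" { print name; name = "" }'
}

# $1 = output of "tmsh list auth user admin", $2 = output of "tmsh list net self".
preflight() {
    rc=0
    admin_has_tmsh "$1" || { echo "FAIL: admin has no tmsh shell (step 5)"; rc=1; }
    [ -n "$(reachable_self_ips "$2")" ] ||
        { echo "FAIL: no self IP with services allowed (step 6)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: guest is ready for Appliance mode"
    return "$rc"
}

# Constructed sample input so the script runs offline.
SAMPLE_USER='auth user admin {
    partition-access all
    role admin
    shell tmsh
}'
SAMPLE_SELF='net self guest_admin_self {
    address 192.0.2.10/24
    allow-service {
        default
    }
    vlan guest_vlan
}'
preflight "$SAMPLE_USER" "$SAMPLE_SELF"
# On the guest: preflight "$(tmsh list auth user admin)" "$(tmsh list net self)"
```

A self IP that passes this check with a custom allow-service list still needs a manual look to confirm that the list permits the management traffic guest administrators rely on.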

Enabling Appliance mode on an isolated guest

You use this task to enable Appliance mode on an existing guest that is isolated from the management network.

Note: You can perform this task while the guest is in the Deployed or Provisioned state; there is no need to set the guest state to Configured prior to performing this task.

  1. Use a browser to log in to the vCMP® host, using the primary cluster management IP address.
    Note: If you provisioned the system for vCMP®, this step logs you in to the vCMP host.
  2. On the Main tab, click vCMP > Guest List.
    This displays a list of vCMP guests on the system.
  3. In the Name column, click the name of the guest that you want to modify.
    This displays the configured properties of the guest.
  4. For the Appliance Mode setting, select the check box.
    When you enable Appliance Mode for an isolated guest, the system enhances security by denying access to the root account and the Bash shell for all guest administrators.
  5. Click Update.

The guest is now running in Appliance mode. All guest administrators are restricted to using the BIG-IP® Configuration utility and tmsh to manage the guest.