Setting up the base network for the 3-DNS Controller means configuring elements such as the 3-DNS Controller host name, a default gateway pool, interface media settings, and VLANs and self IP addresses. Configuration tasks for the BIG-IP base network are performed using the Setup utility. For information on using the Setup utility, see Chapter 3, Using the Setup Utility.
Once you have configured the base network elements with the Setup utility, you might want to further enhance the configuration of these elements. This chapter provides the information you need to perform these additional configuration tasks. You can perform these tasks using either the Configuration utility or the bigpipe command line utility.
Elements you might want to further configure after running Setup are:
Typically, a 3-DNS Controller has two network interfaces. The following sections describe the naming convention, displaying the status, setting the media type, and setting the duplex mode for the interfaces in the 3-DNS Controller.
By convention, the Ethernet interfaces on a 3-DNS Controller take the name <s>.<p> where s is the slot number of the NIC, and p is the port number on the NIC. For the 2U platform, slot numbering is top-to-bottom, and port numbering is left-to-right as shown in Figure 4.1.
Use the following syntax to display the current status and the settings for the installed interface cards:
b interface show
Figure 4.2 is an example of the output you see when you issue this command.
interface       speed   pkts  pkts  pkts  pkts  bits   bits   errors  trunk  STP
                Mb/s    in    out   drop  coll  in     out
1.1   UP        100 HD  0     213   0     0     0      74.2K  0
2.1   UP        100 HD  20    25    0     0     28.6K  33.9K  0
Use the following syntax to display the current status and the settings for a specific interface:
b interface <if_name> show
You can set the media type for the interface card either to the specific media type or to auto for auto detection. If the media type is set to auto and the card does not support auto detection, the default type for that interface is used, for example 100BaseTX.
Use the following syntax to set the media type:
b interface <if_name> media <media_type> | auto
(Default media type is auto.)
You can set duplex mode to full or half duplex. If the media type does not allow duplex mode to be set, this is indicated by an onscreen message. If media type is set to auto, or if setting duplex mode is not supported for the interface, the duplex setting is not saved to bigip.conf.
Use the following syntax to set the duplex mode:
b interface <if_name> duplex full | half | auto
(Default mode is auto.)
A VLAN is a grouping of separate 3-DNS Controller networks that allows those networks to behave as if they were a single local area network, whether or not there is a direct Ethernet connection between them.
The 3-DNS Controller offers several options that you can configure for a VLAN. These options are summarized in Table 4.1.
Create a default VLAN configuration
You can use the Setup utility to create a default VLAN configuration.
Create, rename, or delete VLANs
You can create, rename, or delete a VLAN.
Configure packet access to VLANs
Through an option called tagging, you can direct packets from multiple VLANs to a specific 3-DNS interface, or direct traffic from a single VLAN to multiple interfaces.
Manage the L2 forwarding table
You can edit the L2 forwarding table to enter static MAC address assignments.
Create VLAN groups
You can create a VLAN group to allow layer 2 packet forwarding between VLANs.
Set VLAN security
You can set port lockdown by VLAN.
Set fail-safe timeouts
You can set a fail-safe timeout on a VLAN. You can use a fail-safe timeout to trigger fail-over in a redundant system.
Set self IP addresses
You can set one or more self IP addresses for VLANs.
Set MAC masquerade
You can use the MAC masquerade to set up a media access control (MAC) address that is shared by a redundant system.
Configure VLAN mirroring
You can configure the 3-DNS Controller to replicate packets received by a VLAN and send them to another VLAN or set of VLANs.
By default, the Setup utility configures each interface on the 3-DNS Controller as a member of a VLAN. The 3-DNS Controller identifies the fastest interfaces, makes the lowest-numbered interface in that group a member of the VLAN external, and makes all remaining interfaces members of the VLAN internal.
VLAN flexibility is such that separate IP networks can belong to a single VLAN, while a single IP network can be split among multiple VLANs. (The latter case allows the 3-DNS Controller to be inserted into an existing LAN without renaming the nodes.) The VLANs named external and internal are separate networks, and in the configuration shown they behave like separate networks. The networks belonging to VLAN internal are also separate networks, but have been made to behave like a single network. This is accomplished using a feature called VLAN bridging.
Your default VLAN configuration is created using the Setup utility. On a typical unit with two interfaces, you create an internal and external VLAN.
Typically, if you use the default configuration, one VLAN is assigned to each interface. However, if you need to change your network configuration, or if the default VLANs are not adequate for a network configuration, you can create new VLANs, rename existing VLANs, or delete a VLAN.
To create a VLAN using the Configuration utility
To rename or delete a VLAN using the Configuration utility
To create, rename, or delete a VLAN from the command line
To create a VLAN from the command line, use the following syntax:
b vlan <vlan name> interfaces add <if name> <if name>
For example, if you want to create a VLAN named myvlan that contains the interfaces 1.1 and 1.2, type the following command:
b vlan myvlan interfaces add 1.1 1.2
To rename an existing VLAN, use the following syntax:
b vlan <vlan name> rename <new vlan name>
For example, if you want to rename the VLAN myvlan to yourvlan, type the following command:
b vlan myvlan rename yourvlan
To delete a VLAN, use the following syntax:
b vlan <vlan name> delete
For example, to delete the VLAN named yourvlan, type the following command:
b vlan yourvlan delete
The 3-DNS Controller supports two methods for sending and receiving packets through an interface that is a member of one or more VLANs: port-based access and tag-based access.
The sending/receiving method used by a VLAN is determined by the way that you add a member interface to a VLAN. When creating a VLAN or modifying VLAN properties (using the Configuration utility or the bigpipe command), you can add an interface to that VLAN as either an untagged or a tagged interface.
The following two sections describe these two methods of providing packet access to a VLAN.
Port-based access to VLANs occurs when an interface is added to a VLAN as an untagged interface. In this case, the interface can be added only to that VLAN and to no others. This limits the interface to accepting traffic only from that VLAN, instead of from multiple VLANs. To solve this problem, the 3-DNS Controller allows you to configure a feature known as tagging, described in the following section.
Tag-based access to VLANs occurs when an interface is added to a VLAN as a tagged interface. A tagged interface can be added to multiple VLANs, thereby allowing the interface to accept traffic from each VLAN of which the interface is a member.
When you add an interface to a VLAN as a tagged interface, the 3-DNS Controller associates the interface with the VLAN identification number, or tag, which becomes embedded in a header of a packet.
Each time you add an interface to a VLAN, either when creating a VLAN or modifying its properties, you can designate that interface as a tagged interface. A single interface can therefore have multiple tags associated with it.
The result is that whenever a packet comes into that interface, the interface reads the tag that is embedded in a header of the packet. If the tag in the packet matches any of the tags associated with the interface, the interface accepts the packet. If the tag in the packet does not match any of the tags associated with the interface, the interface rejects the packet.
You configure tag-based access to VLANs using either the Configuration utility or the bigpipe vlan command. You can configure tag-based access either when you create a VLAN and add member interfaces to it, or by modifying the properties of an existing VLAN. In the latter case, you simply change the status of one or more member interfaces from untagged to tagged.
To create a VLAN that supports tag-based access using the Configuration utility
Creating a VLAN that supports tag-based access means creating the VLAN and then adding one or more tagged interfaces to it.
To configure tag-based access on an existing VLAN using the Configuration utility
Configuring tag-based access on an existing VLAN means changing the existing status of one or more member interfaces from untagged to tagged.
To create a VLAN that supports tag-based access from the command line
b vlan external tag 1209
b vlan external interfaces add tagged 4.1 5.1 5.2
The effect of these commands is to associate the tag 1209 with interfaces 4.1, 5.1, and 5.2, which in turn allows packets carrying that tag access to the external VLAN.
The above procedure adds multiple tagged interfaces to a single VLAN. However, you can also add a single tagged interface to multiple VLANs. This results in a single interface having more than one tag associated with it. For example, the following commands add the tagged interface 4.1 to the two VLANs external and internal:
b vlan external interfaces add tagged 4.1
b vlan internal interfaces add tagged 4.1
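The acceptance rule described above (an untagged interface belongs to one VLAN; a tagged interface accepts a frame only if the tag in its 802.1Q header matches one of its own tags), shown as an added Python model that is not part of the 3-DNS product or this guide. The frame layout and the tag 4093 assumed for the internal VLAN are constructed for the example; the guide only gives the tag 1209 for external.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag header


def vlan_id_of(frame: bytes):
    """Return the VLAN ID carried in an Ethernet frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF  # the low 12 bits of the TCI are the VLAN ID


class Interface:
    """One interface's VLAN membership: at most one untagged VLAN, any number of tagged ones."""

    def __init__(self, name):
        self.name = name
        self.untagged_vlan = None
        self.tagged = {}  # tag -> VLAN name

    def add_untagged(self, vlan):
        # Port-based access: an untagged interface may belong to exactly one VLAN.
        if self.untagged_vlan is not None or self.tagged:
            raise ValueError(f"{self.name}: an untagged interface can belong to one VLAN only")
        self.untagged_vlan = vlan

    def add_tagged(self, vlan, tag):
        # Tag-based access: "b vlan <vlan> interfaces add tagged <if>" on a VLAN with this tag.
        self.tagged[tag] = vlan

    def accept(self, frame: bytes):
        """Return the VLAN that receives the frame, or None if the interface rejects it."""
        tag = vlan_id_of(frame)
        if tag is None:
            return self.untagged_vlan
        return self.tagged.get(tag)


def build_frame(tag=None):
    """Constructed sample frame: broadcast dst, fixed src, optional 802.1Q tag, IPv4 EtherType."""
    hdr = b"\xff" * 6 + bytes.fromhex("000000ac4ca2")
    if tag is not None:
        hdr += struct.pack("!HH", TPID_8021Q, tag & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46
```

Interface 4.1 from the commands above would be modelled as add_tagged("external", 1209) plus add_tagged("internal", 4093); a frame tagged 1209 then lands on external and an untagged frame is rejected, since 4.1 has no untagged VLAN.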
You can lock down a VLAN to prevent direct connection to the 3-DNS Controller through that VLAN. You can override this lockdown for specific services by enabling the corresponding global variable for that service. For example:
b global open_ssh_port enable
To enable or disable port lockdown using the Configuration utility
To enable or disable port lockdown from the command line
To enable port lockdown, type:
b vlan <vlan_name> port_lockdown enable
To disable port lockdown, type:
b vlan <vlan_name> port_lockdown disable
For redundant 3-DNS units, you can enable a fail-safe mechanism that fails over when loss of traffic is detected on a VLAN and traffic is not restored during the fail-over timeout period for that VLAN. You can also enable the fail-safe mechanism to attempt to generate traffic when half the timeout has elapsed. If the attempt is successful, the fail-over is stopped.
To set the fail-over timeout and arm the fail-safe using the Configuration utility
To set the fail-over timeout and arm the fail-safe from the command line
Using the vlan command, you may set the timeout period and also arm or disarm the fail-safe.
To set the timeout, type:
b vlan <vlan_name> timeout <timeout_in_seconds>
To arm the fail-safe, type:
b vlan <vlan_name> failsafe arm
To disarm the fail-safe, type:
b vlan <vlan_name> failsafe disarm
You can share the media access control (MAC) masquerade address between 3-DNS units in a redundant system. This option has the following advantages:
The MAC address for a VLAN is the MAC address of the first interface to be mapped to the VLAN, typically 4.1 for external, and 5.1 for internal. You can view the interfaces mapped to a VLAN using the following command:
b vlan show
You can view the MAC addresses for the interfaces on the 3-DNS Controller using the following command:
b interface show verbose
Use the following syntax to set the MAC masquerade address to be shared by both 3-DNS units in the redundant system.
b vlan <vlan_name> mac_masq <MAC_addr>
Find the MAC address on both the active and standby units, and pick one that is similar but unique. A safe technique for selecting the shared MAC address follows.
Suppose you want to set up mac_masq on the external interfaces. Using the b interface show command on the active and standby units, you note that their MAC addresses are:
Active: 3.1 = 0:0:0:ac:4c:a2
Standby: 3.1 = 0:0:0:ad:4d:f3
To avoid packet collisions, you must now choose a unique MAC address. The safest way to do this is to select one of the addresses and convert it to a locally administered address by OR-ing 0x40 into the first byte.
In this example, either 40:0:0:ac:4c:a2 or 40:0:0:ad:4d:f3 would be a suitable shared MAC address to use on both 3-DNS units in the redundant system.
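The selection technique above, written out as an added Python helper that is not part of the 3-DNS product or this guide: it parses the abbreviated MAC format printed by b interface show, ORs 0x40 into the first byte as the guide instructs, and confirms the result differs from the burned-in address of both units before it is handed to b vlan <vlan_name> mac_masq.

```python
def parse_mac(text: str) -> bytes:
    """Parse a MAC in the abbreviated form printed by b interface show (e.g. 0:0:0:ac:4c:a2)."""
    parts = text.strip().split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(mac: bytes) -> str:
    """Format a MAC the way the 3-DNS Controller prints it (no zero padding per byte)."""
    return ":".join(f"{b:x}" for b in mac)


def locally_administered(mac: bytes, flag: int = 0x40) -> bytes:
    """Derive the shared address by OR-ing the flag (0x40, as the guide states) into the first byte."""
    return bytes([mac[0] | flag]) + mac[1:]


def choose_mac_masq(active: str, standby: str) -> str:
    """Pick a shared mac_masq address that is unique with respect to both units' burned-in MACs.

    The active unit's address is tried first; if OR-ing 0x40 leaves it unchanged
    (the bit was already set), the standby unit's address is tried instead.
    """
    burned_in = {parse_mac(active), parse_mac(standby)}
    for source in (active, standby):
        candidate = locally_administered(parse_mac(source))
        if candidate not in burned_in:
            return format_mac(candidate)
    raise ValueError("neither derived address differs from the burned-in addresses")


if __name__ == "__main__":
    # Values taken from the example in the guide.
    shared = choose_mac_masq("0:0:0:ac:4c:a2", "0:0:0:ad:4d:f3")
    print(f"b vlan external mac_masq {shared}")
```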
The shared MAC address is used only when the 3-DNS Controller is in active mode. When the unit is in standby mode, the original MAC address of the network card is used.
If you do not configure mac_masq on startup, or when transitioning from standby mode to active mode, the 3-DNS Controller sends gratuitous ARP requests to notify the default router and other machines on the local Ethernet segment that its MAC address has changed. See RFC 826 for more details on ARP.
A self IP address is an IP address mapping to one or more VLANs and their associated interfaces on a 3-DNS Controller. You assign a self IP address to each interface on the unit as part of the initial configuration, and you also assign a floating (shared) alias for units in a redundant system. You can create additional self IP addresses for health checking, gateway failsafe, routing, or other purposes. You create additional self IP addresses using either the Configuration utility or the self command in the bigpipe utility. (See the 3-DNS Reference Guide, Appendix C, bigpipe Command Reference, for more information on the self command.)
To add a self IP address to a VLAN using the Configuration utility
To add a self IP address to a VLAN from the command line
Use the following syntax:
b self <addr> vlan <vlan_name> [netmask <ip_mask>] [broadcast <broadcast_addr>] [unit <id>]
You can add any number of additional self IP addresses to a VLAN to create aliases. For example:
b self 220.127.116.11 vlan external
b self 18.104.22.168 vlan external
b self 22.214.171.124 vlan external
b self 126.96.36.199 vlan external
Also, any one self IP address may have floating enabled to create a floating alias that is shared by both units of a redundant system:
b self 188.8.131.52 floating enable
Assigning a self IP address to an interface automatically maps it to the VLAN of which it is a member. Assigning a self IP address to an interface not mapped to an untagged VLAN produces an error message.