There are two basic tasks required to get the BIG/ip Controller installed and set up. First, you need to connect the peripheral hardware and connect the BIG/ip Controller to the network, and then you need to turn the system on and run the First-Time Boot utility. The First-Time Boot utility is a wizard that helps you configure basic system elements such as administrative passwords, IP addresses, and host names for both the root system and for the BIG/ip web server. Once you complete the First-Time Boot utility, you can continue the configuration process either from a remote administrative workstation, or from the console itself.
The BIG/ip Controller comes with the separate hardware pieces that you need for installation and maintenance. However, you must provide standard peripheral hardware, such as a keyboard or serial terminal.
When you unpack the BIG/ip Controller, you should make sure that the following components are included:
If you purchased a hardware-based redundant system, you also receive one fail-over cable to connect the two controller units together (network-based redundant systems do not require a fail-over cable). Additionally, if you purchased a US BIG/ip Controller that supports encryption, you receive the F-Secure SSH Client manual, published by Data Fellows.
For each BIG/ip Controller in the system, you need to provide the following peripheral hardware:
If you plan on doing remote administration from your own PC workstation as most users do, we recommend that you have your workstation already in place. Keep in mind that the First-Time Boot utility prompts you to enter your workstation's IP address when you set up remote administrative access.
Before you begin to install the BIG/ip Controller, you may want to quickly review the following figures that illustrate the controls and ports on both the front and the back of a standard BIG/ip Controller. If you have a special hardware configuration, such as those that include more than two interface cards, the ports on the back of your unit will differ slightly from those shown below.
1. Fan filter
2. Keyboard lock
3. Reset button
4. Keyboard lock LED
5. Hard disk drive LED
6. Power LED
7. On/off button
8. 3.5 floppy disk drive
9. CD-ROM drive
Figure 3.1 illustrates the front of a BIG/ip Controller with the access panel open. On the front of the unit, you can turn the unit off and on, or you can reset the unit. You can also view the indicator lights for hard disk access and for the keyboard lock.
Figure 3.2 illustrates the back of a BIG/ip Controller. Note that all ports are labeled, even those that are not intended to be used with the BIG/ip Controller. Ports marked with an asterisk (*) in the following list are not used by the BIG/ip Controller, and do not need to be connected to any peripheral hardware.
1. Fan
2. Power in
3. Voltage selector
4. Mouse port*
5. Keyboard port
6. Universal serial bus ports*
7. Serial terminal port
8. Printer port*
9. Fail-over port
10. Video (VGA) port
11. Internal interface (RJ-45)
12. External interface (RJ-45)
13. Interface indicator LEDs
14. Watchdog card*
*Not to be connected to any peripheral hardware.
A BIG/ip Controller is an industrial network appliance, designed to be mounted in a standard 19-inch rack. To ensure safe installation and operation of the unit, be sure to consider the following before you install the unit in the rack:
Warning: The BIG/ip Controller contains a lithium battery. There is danger of an explosion if you replace the lithium battery incorrectly. We recommend that you replace the battery only with the same type of battery originally installed in the unit, or with an equivalent type recommended by the battery manufacturer. Be sure to discard all used batteries according to the manufacturer's instructions.
There are six basic steps to installing the hardware. You simply need to install the controller in the rack, connect the peripheral hardware and the external and internal interfaces, and then connect the fail-over and power cables. If you have a unit with three or more network interface cards (NICs), be sure to check step 3.
· If you are using a VGA monitor and keyboard, connect the monitor connector cable to the video port (number 10 in Figure 3.2, on page 3-5) and the keyboard connector cable to the keyboard port (number 5 in Figure 3.2, on page 3-5). Note that a PC/AT-to-PS/2 keyboard adapter is included with each BIG/ip Controller (see the component list on page 3-2).
· Optionally, if you are using a serial terminal as the console, connect the serial cable to the terminal serial port (number 7 in Figure 3.2). In this case, do not connect a keyboard to the BIG/ip Controller. When there is no keyboard connected, the BIG/ip Controller defaults to using the serial port as the console.
· If you have purchased a unit with three or more network interface cards (NICs), be sure to note or write down how you connect the cables to the internal and external interfaces. When you run the First-Time Boot utility, it automatically detects the number of interfaces that are installed and prompts you to configure more external interfaces, if you want. It is important to select the correct external interface based on the way you have connected the cables to the back of the unit.
If you want to configure a serial terminal for the BIG/ip Controller in addition to the standard console, you need to follow the configuration steps below. Note that if you are using a serial vt100 connection, you must edit both the /etc/ttys and bash_profile files on the BIG/ip Controller.
- 9600 baud
- 8 bits
- 1 stop bit
- No parity
The First-Time Boot utility is a wizard that walks you through a brief series of required configuration tasks, such as defining a root password, and configuring IP addresses for the external and internal interfaces. Once you complete the First-Time Boot utility, you can connect to the BIG/ip Controller from a remote workstation and begin configuring your load balancing setup.
The First-Time Boot utility is organized into three phases: configure, confirm, and commit. Each phase walks you through a series of screens, presenting the information in the following order:
First, you configure all of the required information, then you have the opportunity to confirm each individual setting or correct it if necessary, and then your confirmed settings are committed and saved to the system. Note that the screens you see are tailored to the specific hardware and software configuration that you have. If you have a stand-alone system, for example, the First-Time Boot utility skips the redundant system screens.
Before you run the First-Time Boot utility on a specific BIG/ip Controller, you should have the following information ready to enter:
You run the First-Time Boot utility directly on the console, using the VGA monitor and keyboard. Once you turn on the power switch (located on the front of the BIG/ip Controller as shown in Figure 3.1, number 7), the BIG/ip Controller displays the License Agreement screen. You must scroll through the screen, read it and accept the agreement before you can move to the next screen. If you agree to the license statement, the next screen you see is the Welcome screen. From this screen, simply press any key on the keyboard, and then follow the instructions on the subsequent screens to complete the process.
A root password allows you administrative access to the BIG/ip Controller system. The password must contain a minimum of 6 characters, but no more than 128 characters. Passwords are case-sensitive, and we recommend that your password contain a combination of upper and lowercase characters, as well as punctuation characters. Once you enter a password, the First-Time Boot utility prompts you to confirm your root password by typing it again. If the two passwords match, your password is immediately saved. If the two passwords do not match, you receive an error message and are asked to re-enter your password.
Warning: The root password is the only setting that is saved immediately, rather than confirmed and committed at the end of the First-Time Boot utility process. You cannot change the root password until the First-Time Boot utility completes and you reboot the BIG/ip Controller (see Chapter 6). Note that you can change other system settings when the First-Time Boot utility prompts you to confirm your configuration settings.
The host name identifies the BIG/ip Controller itself. Host names must start with a letter or number, and must be at least two characters. They may contain numbers, letters, and the symbols for dash ( - ), underscore ( _ ), and period ( . ) if you like. There are no additional restrictions on host names, other than those imposed by your own network requirements.
If a BIG/ip Controller does not have a predefined static route for network traffic, the unit automatically sends traffic to the IP address that you define as the default route. Typically, a default route is set to a router's IP address.
Next, you need to specify your time zone. This ensures that the clock for the BIG/ip Controller is set correctly, and that dates and times recorded in log files correspond to the time zone of the system administrator. Scroll through the system file to find the time zone closest to your location. Note that one option may appear with multiple names. Select the time zone you want to use, and press Enter to continue.
On the Configure BIG/ip Interfaces screen, select Yes if you have a redundant system. Next, select the version of the system that you have, such as HA, HA+, or LB. Your answers affect the subsequent screens that display.
You must configure at least one external interface, and at least one internal interface. The external interface is the one on which the BIG/ip Controller receives connection requests. The internal interface is the one that houses the servers, firewalls, or other equipment that the BIG/ip Controller load balances. The utility prompts you for each interface, and asks you to provide the IP address, netmask, broadcast address, and the interface media type.
If you have a redundant system, you are also prompted to provide the IP address that serves as an alias for both BIG/ip Controllers. The IP alias is shared between the units, and is used only by the currently active machine. Each unit also uses unique internal and external IP addresses. The First-Time Boot utility guides you through configuring the interfaces, based on your configuration:
You should set the internal alias as the default route for the node servers. Note that for each IP address or alias that you assign to an interface, you have the option of assigning a custom netmask and broadcast address as well.
The Select External Interface screen shows a list of the installed interfaces. Select the one you want to use for the external network, and press Enter. The utility prompts you for the following information, in many cases offering you a default:
Note: The IP address of the external network interface is not the IP address of your site or sites. The IP addresses of the sites themselves are specified by the virtual IP addresses associated with each virtual server you configure.
Warning: The configuration utility lists only the network interface devices that it detects during boot up. If the utility lists only one interface device, the network adapter may have come loose during shipping. Check the LED indicators on the network adapters to ensure that they have detected the available BIG/ip Controller media.
Once you select the interface, you need to enter the following information:
If you are configuring a BIG/ip Controller that has more than two network interface cards installed, the First-Time Boot utility prompts you to configure more external interfaces. If you choose to configure an additional external interface, you return to the previous screen and repeat the steps described above. When you have finished configuring all external interfaces, you move on to the internal interface configuration.
When you configure the interface that connects the BIG/ip Controller to the internal network (the servers and other network devices that sit behind the BIG/ip Controller), the First-Time Boot utility prompts you for the following information:
If you have a redundant system, you need to enter specific configuration information at this point. If you do not have a redundant system, the First-Time Boot utility goes directly to the next step in the configuration process where you define an administrative IP address (see Configuring remote administration, on page 3-16).
Each BIG/ip Controller in a redundant system configuration uses unique internal and external IP addresses. However, in order for connections to be routed to the active BIG/ip Controller in the redundant system, you need to define two IP aliases that are shared between the two BIG/ip Controllers in the redundant system:
The shared IP aliases are actually used only by the active unit in the redundant system. When a fail-over occurs, the IP alias is switched to the newly active machine.
Each network device behind the BIG/ip redundant system should have the internal IP alias set as the default route, which again guarantees that the network devices always communicate via the active BIG/ip Controller in the redundant system.
For administration purposes, you can connect to the BIG/ip Controller IP alias, which always connects you to the active machine. To connect to a specific controller, simply connect directly to the external or internal IP address of that BIG/ip Controller.
To configure the external IP alias, you need to provide the following information:
To configure the internal IP alias, you need to provide the following information:
The screens that you see for configuring remote administration vary, depending on whether you have a US BIG/ip Controller, or an international BIG/ip Controller. On a US BIG/ip Controller, the first screen you see is the Configure SSH screen, which prompts you to type in an address for SSH command line access. On international and BIG/ip LB Controllers that do not have SSH, the First-Time Boot utility skips this screen.
Next, the First-Time Boot utility prompts you to enter a single IP address or a range of IP addresses, from which the BIG/ip Controller will accept administrative connections (either remote shell connections, or connections to the BIG/ip web server). To specify a range of IP addresses, you can use the asterisk (*) as a wildcard character in the IP addresses.
The following example allows remote administration from all hosts on the 192.168.2.0 network:
192.168.2.*
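The following Python sketch is an added example, not part of the manual or of the BIG/ip software. It checks a candidate pattern before you enter it, showing which source addresses it admits and how wide it is. It assumes that `*` stands for exactly one whole octet, which is consistent with the 192.168.2.* example above but is not the controller's documented matching logic; the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges, used to flag patterns that reach public space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pattern(pattern):
    """Return four entries: an int for a fixed octet, None for '*'."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"need four octets: {pattern!r}")
    octets = []
    for part in parts:
        if part == "*":
            octets.append(None)
        elif part.isascii() and part.isdigit() and int(part) <= 255:
            octets.append(int(part))
        else:
            raise ValueError(f"bad octet {part!r} in {pattern!r}")
    return octets

def matches(pattern, source):
    """True if the source IPv4 address falls inside the pattern.

    Comparison is per octet, so 192.168.2.* does not admit 192.168.20.17,
    which a naive string-prefix comparison on "192.168.2" would accept.
    """
    src = ipaddress.IPv4Address(source).packed  # raises on malformed input
    return all(want is None or want == got
               for want, got in zip(parse_pattern(pattern), src))

def audit(pattern):
    """Summarize how much address space a pattern opens to administration."""
    octets = parse_pattern(pattern)
    low = ipaddress.IPv4Address(bytes(0 if o is None else o for o in octets))
    high = ipaddress.IPv4Address(bytes(255 if o is None else o for o in octets))
    return {
        "addresses": 256 ** octets.count(None),
        "range": (str(low), str(high)),
        # Every match lies between low and high, so if both ends sit in
        # one private network the whole pattern does.
        "rfc1918_only": any(low in net and high in net for net in RFC1918),
    }

if __name__ == "__main__":
    # Constructed sample inputs; only 192.168.2.* comes from the manual.
    for pat in ("192.168.2.*", "192.168.2.17", "192.*.*.*"):
        print(pat, audit(pat))
    for src in ("192.168.2.17", "192.168.20.17"):
        print(src, matches("192.168.2.*", src))
```
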
The BIG/ip web server requires you to define a domain name for the server on both the internal and the external interfaces. The BIG/ip web server configuration also requires that you define a user ID and password. On US products, the configuration also generates certificates for authentication.
The First-Time Boot utility guides you through three screens to set up web server access. The first screen prompts you to type and enter a fully qualified domain name for both the external and the internal interfaces. The certification screen prompts you first for country, and as you enter that, it prompts for state, city, and company. The last web server screen prompts you for user name and a password, which you enter twice. Once you have completed this screen, the First-Time Boot utility moves into the confirmation phase.
Note that if you ever change the IP addresses or host names on the BIG/ip Controller interfaces, you need to reconfigure the BIG/ip web server to reflect your new settings. You can run the re-configuration utility from the command line using the following command:
reconfig-httpd
If you wish to create a new password for the BIG/ip web server, delete the /var/f5/httpd/basicauth/users file before running the reconfig-httpd utility. If this file is missing from the configuration, the utility prompts you for both user ID and password information.
You can also add users to the existing password file, change a password for an existing user, or recreate the password file, without actually going through the BIG/ip web server configuration process. For more information, see Chapter 6.
Warning: If you have modified the BIG/ip web server configuration outside of the configuration utility, be aware that some changes may be lost when you run the reconfig-httpd utility. This utility overwrites the httpd.conf file, and several other files, but it does warn you before doing so.
At this point, you have entered all the configuration information, and now you simply have to confirm each setting. Each confirmation screen displays a setting, and prompts you to accept or re-enter it. If you choose to edit it, the utility displays the original configuration screen in which you defined the setting the first time. When you finish editing the item, you return directly to the Confirmation screen for that item, and continue the confirmation process. Note that once you accept a setting in the Confirmation screen, you do not have another opportunity to review it.
You confirm or edit the settings in the same order that you configured them:
Once you have confirmed the last setting, the First-Time Boot utility moves directly into the commit phase, where you are not able to make any changes.
Once you confirm all of the configuration settings, the configuration utility saves the configuration settings. During this commit process, the First-Time Boot utility creates the following files and tables:
If you want to change any information in these files at a later time, you can edit the files directly, you can change the information in the web-based Configuration utility, or for certain settings, you can change them using command line utilities. If necessary, you can also re-run the First-Time Boot utility.
Once you complete the First-Time Boot utility, you may want to insert additional host names and IP addresses for network devices into the /etc/hosts file to allow for more user-friendly system administration. In particular, you may want to create host names for the IP addresses that you will assign to virtual servers. You may also want to define host names for standard devices such as your routers, network interface cards, and the servers or other equipment that you are load balancing.
The /etc/hosts file, as created by the First-Time Boot utility, is similar to the following example, shown in Figure 3.3.
#bigip host table ( default )
127.0.0.1 localhost localhost.host.domain
# add your default gateway here
# real - external interface
184.108.40.206 bigip ext
# real - internal interface
# VIPs ( add as necessary )
# nodes ( add as necessary )
This sample hosts file lists the IP addresses for the default router, the internal network interface, and the external network interface, and it contains placeholders for both the virtual servers and the content servers that your BIG/ip Controller will manage.
The type of system you have determines the options you have for remote command line administration:
If you are working with a US BIG/ip Controller, you probably want to install the F-Secure SSH client on your workstation. The BIG/ip platform includes a version of the F-Secure SSH client for each of the following platforms: Windows, UNIX, and Macintosh. You can download the F-Secure client using your web browser, or you can download the client using an FTP server on the administrative workstation.
Note that the F-Secure license agreement allows you to download two copies of the F-Secure SSH client. If you require additional licenses, you need to contact Data Fellows. For information about contacting Data Fellows, as well as information about working with the SSH client, refer to the F-Secure manual included with your BIG/ip Controller.
Note: You can also use the F-Secure SSH suite for file transfer to and from the BIG/ip Controller, as well as for remote backups. An F-Secure SSH client is pre-installed on the BIG/ip Controller to assist with file transfer activities. Please refer to the F-Secure User's Manual for more information.
The F-Secure SSH client is available in the Downloads section of the BIG/ip web server. For US products, you connect to the BIG/ip web server via SSL on port 443 (use https:// rather than http:// in the URL). Once you connect to the BIG/ip web server, click the Downloads link. From the Downloads page, you can select the SSH Client.
The BIG/ip Controller has an FTP client installed, which allows you to transfer the F-Secure SSH Client using FTP (note that your destination workstation must also have an FTP server installed). After you transfer the installation file, you simply decompress the file and run the F-Secure installation program.
You initiate the transfer from the BIG/ip Controller itself, using the monitor and keyboard, or the serial terminal, attached directly to the BIG/ip Controller.
a) Go to the /usr/contrib/fsecure directory where the F-Secure SSH clients are stored.
b) List the directory, noting the file name that corresponds to the operating system of your administration workstation.
open <IP address>
Once you connect to the administrative workstation, the FTP server on the administrative workstation prompts you for a password.
The F-Secure SSH client installation file for Windows platforms is compressed in ZIP format. You can use standard ZIP tools, such as PKZip or WinZip, to extract the file.
a) BIG/ip Controller IP address or host name
b) The root user name
c) The root password
The F-Secure installation file for UNIX platforms is compressed in TAR/Gzip format.