Archived Manual Chapter: BIG-IP Reference Guide v4.5.10: bigpipe Command Reference

This article has been archived, and is no longer maintained.



Appendix A: bigpipe Command Reference


bigpipe commands

This chapter lists the various bigpipe commands, including syntax requirements and functional descriptions. Table A.1 outlines the conventions used in the command line syntax.

 

Table A.1 Command line syntax conventions

Item in text   Description
\              Continue to the next line without typing a line break.
< >            You enter text for the enclosed item. For example, if the command has <your name>, type in your name.
|              Separates alternate options for a command.
[ ]            Syntax inside the brackets is optional.
...            Indicates that you can type a series of items.

 

The following table provides a concise listing of the individual bigpipe commands, along with the page reference where you can find the detailed description.

Command          Page   Description
-?               A-4    Displays online help for an individual bigpipe command.
authz            A-5    Defines a client authorization model for the SSL proxy.
class            A-7    Creates, displays, and deletes classes, including the predefined classes shipped with the BIG-IP system.
config           A-9    Saves and installs user configuration sets and synchronizes the configuration, including /config/bigip.conf, between the two BIG-IP units in a redundant system.
conn             A-11   Shows information about current connections, such as the source IP address, virtual server and port, and node.
default_gateway  A-14   Creates a pool of default gateways.
failover         A-15   Sets the BIG-IP system as active or standby.
global           A-17   Sets global variable definitions.
-h and help      A-30   Displays online help for bigpipe command syntax.
interface        A-31   Sets options on individual interfaces.
list             A-34   Displays the in-memory configuration of the BIG-IP system.
load             A-35   Loads the BIG-IP system configuration and resets.
maint            A-37   Toggles the BIG-IP system into and out of maintenance mode.
makecookie       A-38   Generates a cookie string, with encoding automatically added, for the Passive mode of cookie persistence.
merge            A-39   Loads a saved BIG-IP system configuration without resetting the current configuration.
mirror           A-40   Copies traffic from any port or set of ports to a single, separate port.
monitor          A-42   Defines a health check monitor.
-n               A-49   Displays addresses and ports numerically rather than by name.
nat              A-50   Defines external network address translations for nodes.
node             A-52   Defines node property settings.
pool             A-54   Defines load balancing pools.
power            A-59   Displays the status of the BIG-IP system's power supplies in a redundant power supply configuration.
proxy            A-60   Defines the properties of the SSL gateway for the SSL Accelerator.
ratio            A-66   Sets load-balancing weights and priority levels used in the Ratio and Priority load balancing modes.
reset            A-67   Clears the BIG-IP system configuration and counter values.
responder        A-68   Sends certificate revocation status to the SSL proxy.
rule             A-70   Defines load balancing rules.
save             A-77   Writes the current configuration to a file.
self             A-78   Assigns a self IP address for a VLAN or interface.
service          A-80   Defines properties for services.
snat             A-81   Defines and sets options for SNAT (Secure NAT).
stp              A-83   Implements spanning tree protocol (STP).
summary          A-84   Displays summary statistics for the BIG-IP system.
trunk            A-85   Aggregates links to form a trunk.
unit             A-87   Displays the unit number assigned to a particular BIG-IP system.
verbose          A-88   Modifies the verbose log level.
verify           A-89   Parses the command line and checks syntax without executing the specified command.
version          A-90   Displays the bigpipe utility version number.
virtual          A-91   Defines virtual servers, virtual server mappings, and virtual server properties.
vlan             A-94   Defines VLANs, VLAN mappings, and VLAN properties.
vlangroup        A-96   Defines VLAN groups.

 

-?


b <command> -?

 

For certain commands, displays online help, including complete syntax, description, and other related information. For example, to see online help for the bigpipe service command, type:

b service -?


authz


b authz <name> ldap servers <ip>...
[method ldap|...]
[cachetimeout <number>]
[ldap searchtype user|certmap|cert]
[ldap secure enable | disable]
[ldap admindn <string>]
[ldap adminpw <string>]
[ldap user base <string>]
[ldap user key <string>]
[ldap certmap base <string>]
[ldap certmap key <string>]
[ldap certmap useserial enable | disable]
[ldap group base <string>]
[ldap group key <string>]
[ldap group member key <string>]
[ldap valid groups <string list>]
[ldap role key <string>]
[ldap valid roles <string list>]

b authz <name> method [show]
b authz <name> cachetimeout [show]
b authz <name> ldap searchtype [show]
b authz <name> ldap servers [show]
b authz <name> ldap secure [show]
b authz <name> ldap admindn [show]
b authz <name> ldap user base [show]
b authz <name> ldap user key [show]
b authz <name> ldap certmap base [show]
b authz <name> ldap certmap key [show]
b authz <name> ldap certmap useserial [show]
b authz <name> ldap group base [show]
b authz <name> ldap group key [show]
b authz <name> ldap group member key [show]
b authz <name> ldap valid groups [show]
b authz <name> ldap role key [show]
b authz <name> ldap valid roles [show]
b authz <name> delete
b authz <name> list
b authz <name> [show]

b -n authz <options>

 

Creates or displays the parameter values that make up an SSL proxy authorization model.


Options

The <name> variable represents the name of the authorization model being created.

The [method] parameter specifies the type of authorization model. Currently, the only valid value for this parameter is ldap. Note that the command b authz <name> method ldap is valid only when a value for <name> has been assigned to an authorization model.

The ldap servers <ip> parameter specifies the LDAP servers being used for authorization. Note that when creating a new authorization model, this parameter is required.

The [cachetimeout <number>] parameter specifies how long a cached authorization result remains valid before the proxy queries the LDAP servers again.

The [ldap searchtype] parameter specifies the type of search that the proxy will do on the LDAP database in its attempt to authorize a client.

The [ldap adminpw <string>] parameter specifies the administrative password for the LDAP authorization model. Note that this parameter is only valid when a value for <name> has been assigned to an authorization model.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.

Note


Except during creation of a new authorization model, use of all b authz parameters requires that a value for the <name> argument already exists.

class


b class <class name> { host <ip addr> [host <ip addr> ...] }

b class <class name> { network <ip addr> mask <ip addr> [network <ip addr> mask <ip addr> ...] }

b class <class name> { \"<string>\" [\"<string>\" ...] }

b class <class name> { <num> [<num> ...] }

b class <class name> member add | delete { <value list> }

b class <class name> extern {

filename <pathname>
type ip | string | value
mode read | readwrite
sizing <num>

}

b class <class name> member show <value>

b class [ <class name> ] show

b class ip | string | value show

b class <class name> delete

 

Creates, shows, and deletes classes, such as class AOL. Default classes are also shown.

The BIG-IP system includes a number of predefined classes. They are:

  • AOL Network
  • Image Extensions
  • Non-routable addresses

These classes are located in the file /etc/default_classes.txt. When the bigpipe load command is issued, the classes are loaded. Unless modified by a user, these classes are not saved to the file bigip.conf.

The following are examples of class types defined with the class command. Note that the quotation marks around string members must be escaped (or the braces single-quoted) so that the UNIX shell passes them through to bigpipe instead of interpreting them itself:

b class string_class { \".abc\" ... } | '{ \".def\" }'

b class numeric_class { 0 1 ... }

b class host_class { host 1.2.3.0 }

b class network_class { network 1.2.3.0 mask 255.255.255.0 }

Another class type that you can define with the class command is proxy_arp_exclude. Once this class is configured, a BIG-IP unit in a redundant system configuration refrains from forwarding ARP requests coming from any node corresponding to a self-IP address listed in the proxy_arp_exclude class. For more information, see Chapter 3, Post-Setup Tasks.


Options

The <class name> variable specifies the name of a class. All members of a class are of one type: IP (given as host or network entries), string, or numeric.

The host <ip addr> option specifies the IP address of a member that is to be included in the specified class. An IP address can be in the form of either host <ip addr> or network <ip addr> mask <ip addr>. Note that you can specify multiple IP addresses.

The <string> variable specifies a string to be included in the specified class.

The <num> variable specifies a numeric value to be included in the specified class.

The <class name> show option displays the specified class.

The <value list> variable specifies a list of the members that you want to add to, or delete from, a class.

The extern keyword creates an externally-stored class.

The filename <pathname> option specifies the location of the externally-stored class being created. Note that the specified path name must exist before you can create the externally-stored class. <pathname> includes the filename.

The type ip | string | value option specifies whether the externally-stored class being created is an IP address, string, or numeric-value type. Note that you must specify the ip option as lower case.

The mode read | readwrite option specifies a permission value that determines whether the BIG-IP system can write to the specified externally-stored class during a save operation.

The sizing <num> option specifies the expected size of the externally-stored class being created. The BIG-IP system uses the specified number to create the kernel hash table for the class.

The ip show option displays all classes that contain IP address members.

The string show option displays all classes that contain string values.

The value show option displays all classes that contain numeric values.

The show option with no other arguments displays all classes.

The <class name> delete option deletes the specified class.


config


b config save | install <file>

b config sync [all | running]

b -n config <options>

 

Manages user configuration sets. A user configuration set (UCS) is the set of all configuration files that a user may edit to configure a BIG-IP system. A UCS file is an archive that contains all the configuration files in a UCS.

The config command allows you to save the system configuration to a UCS file, install the configuration from a UCS file, and synchronize the configuration with the other BIG-IP units in a redundant system.


Options

The config save <file> option saves the currently running configuration to /config/bigip.conf and /config/bigip_base.conf, and creates the UCS file with the file name specified by <file>.

The config install <file> option unpacks and installs the UCS file specified by <file>, overwriting all configuration files, including the file /config/bigip.conf.

The config sync option saves the currently running configuration to the file /config/bigip.conf and copies the file /config/bigip.conf to the other BIG-IP unit in a redundant system.

The config sync all option creates a temporary UCS file, transfers it to the other BIG-IP unit, and installs the configuration on the unit.

The config sync running option saves the currently-running configuration to a temporary file and copies it to the other BIG-IP unit.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


Saving configuration files to an archive

The config save <file> command saves all configuration files to a single archive file, <file>.ucs, on the local unit without copying it to the standby unit. By default, <file>.ucs is saved to the directory /usr/local/ucs. An alternate location can be specified by expressing <file> as a relative or absolute path. For example:

b config save /usr/local/config_backup/my_conf

This writes the file my_conf.ucs to the directory /usr/local/config_backup.


Installing an archived configuration file

config install <file> reinstalls the archived configuration files saved as <file>.ucs to their working locations on the local unit.

If you use command line utilities to set configuration options, be sure to save the current configuration to the relevant files before you use the configuration synchronization feature. (Alternatively, if you want to test the memory version on the standby unit first, use bigpipe config sync running.) Use the following bigpipe command to save the current configuration:

b save

Note


A file named /usr/local/ucs/cs_backup.ucs is created prior to installing any UCS file.

Synchronizing configuration files

config sync without the all option synchronizes only the basic configuration file /config/bigip.conf.

config sync all synchronizes the following configuration files that the two systems have in common:

  • The common bigdb keys
  • All common files in /config
  • All common files in /etc

config sync running synchronizes the running version of /config/bigip.conf, which is the image that resides in memory as the system runs. This file is loaded into memory on the standby unit, it is not saved.


conn

b conn [<client_ip>[:<client_service>]] [dump [mirror] [verbose]]

b conn <client_ip>[:<client_service>] delete

b conn [all] delete

b -n conn <options>

 

Displays information about current client connections to virtual servers and nodes. This command can also show connections that are active on the given BIG-IP system, as well as those that are standby connections for the peer BIG-IP system. By default, the dump command only shows items that are active on the given unit.


Options

The <client_ip>[:<client_service>] option specifies the client IP address, and optionally the client service (source port), of the connections you want to display or delete.

The verbose option displays all current connection information in verbose mode.

The mirror option displays information on standby connections.

The delete option searches for connections in which the specified IP address and service match the client-side source, and then deletes the connection.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


Displaying all current connections

The following command displays all current client connections:

b conn dump

The following output shows the client IP address, virtual server IP address, and node to which the client is connected.

Figure A.1 Formatted output of the conn command


bigip conn dump

from virtual node
100.100.100.30:49152 -> 100.100.100.100:23 -> 200.200.200.10:23
100.100.101.90:49153 -> 100.100.100.100:80 -> 200.200.200.10:80
...
 

If you add the mirror option, this command shows connections that are active on the current BIG-IP system, as well as those that are standby connections for the peer BIG-IP system. By default, the dump command only shows items that are active on the current unit.


Using verbose mode

The following command displays all current client connections in verbose mode; if you prefix it with <client_ip>[:<client_service>], only that client's connections are shown:

b conn dump verbose

The following figure shows sample output from this command.

Figure A.2 Formatted output of the conn dump verbose command


client side client address: 10.253.220.2:3889
client side server address: 10.253.220.80:80
server side client address: 10.253.220.2:3889
server side server address: 10.253.100.100:80
virtual address: 10.253.220.80:0
node box address: 10.253.100.100:80
protocol: tcp
bytes in: 360
bytes out: 543
packets in: 5
packets out: 5
 

Displaying connections for a specific client

Use the following syntax to display the current connections for a specific client:

b conn <client_ip>[:<client_service>] dump

Note that the argument <client_service> typically refers to a number (for example, 80 or 443) displayed in the output of this command.


Displaying standby connections

To view standby items, you must use the mirror qualifier, as follows.

b conn dump mirror

or

b conn dump verbose mirror


Deleting connections

To delete all current connections, you use the delete option as follows:

b conn delete

or

b conn all delete

When the delete option is specified, the b conn command searches for connections in which the specified address and service match the client-side source and then deletes the connection. The b conn command deletes the connection by sending a reset to both the client and the server.

If no service is specified, all connections in which the client-side source matches the IP address are deleted. If no IP address is specified, all connections are deleted.

The delete option does not differentiate between mirrored and normal connections. Thus, the option deletes any connections that were mirrored from an active unit.
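The matching rules above (address only, address plus service, or no argument for every connection) are easy to apply offline to saved output. The following added example, which is not part of the original manual, parses the one-line-per-connection form shown in Figure A.1 and applies those rules, plus a per-node count. It expects the output of b -n conn dump, since the regular expression accepts only numeric addresses and ports, not resolved names; the sample text is constructed in the figure's format.

```python
"""Parse 'b -n conn dump' output and apply the client-side matching rules of
'b conn <client_ip>[:<client_service>]'. Added example, not part of the manual."""
import re
from collections import Counter
from dataclasses import dataclass

# One connection line: from -> virtual -> node, each as address:port.
# Only numeric output (b -n conn dump) is accepted; resolved host or service
# names would not match this pattern.
_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$"
)


@dataclass(frozen=True)
class Conn:
    client_ip: str
    client_port: int
    virtual_ip: str
    virtual_port: int
    node_ip: str
    node_port: int


def parse_conn_dump(text):
    """Return the Conn entries in the dump; the header line, blank lines and
    the trailing '...' are skipped because they do not match _LINE."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            c, cp, v, vp, n, np = m.groups()
            conns.append(Conn(c, int(cp), v, int(vp), n, int(np)))
    return conns


def match_client(conns, client_ip=None, client_service=None):
    """Select connections the way the conn command does: match the
    client-side source address, and the source port too when a service is
    given; with no address at all, every connection matches."""
    if client_ip is None:
        return list(conns)
    return [
        c for c in conns
        if c.client_ip == client_ip
        and (client_service is None or c.client_port == client_service)
    ]


def connections_per_node(conns):
    """Count connections per node address:port, which shows at a glance
    whether one node is absorbing far more sessions than its pool peers."""
    return Counter(f"{c.node_ip}:{c.node_port}" for c in conns)


# Constructed sample in the format of Figure A.1 (not real captured output).
SAMPLE_DUMP = """\
from virtual node
100.100.100.30:49152 -> 100.100.100.100:23 -> 200.200.200.10:23
100.100.101.90:49153 -> 100.100.100.100:80 -> 200.200.200.10:80
100.100.100.30:49160 -> 100.100.100.100:80 -> 200.200.200.11:80
...
"""

if __name__ == "__main__":
    conns = parse_conn_dump(SAMPLE_DUMP)
    for c in match_client(conns, "100.100.100.30"):
        print(c)
    print(connections_per_node(conns))
```

Because delete uses the same matching, running match_client with the arguments you intend to pass to b conn ... delete is a cheap way to see exactly which sessions would be reset before you issue the command.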

Note


The delete option does not delete connections managed by the BIG-IP system hardware.

default_gateway

b default_gateway use pool <pool_name>

b default_gateway show

b default_gateway delete

 

This command creates, shows, or deletes a pool of default gateways, with nodes in the pool corresponding to different routes. Connections originating from the system with a destination for which there is no other route choose a route from the default gateway pool. Note that the default gateway pool is not a last-hop pool for services running on the system.

There can be only one default gateway pool at any one time.

Defining a default gateway pool removes the need to define a default route. However, if a default route is defined, that route will be used when all the nodes in the default gateway pool are down.

Since the system performs route lookups on nodes as they are defined, the default gateway pool must be stored at the top of the bigip.conf file. Also, all nodes in the default gateway pool must reside on the same IP network as the system.

We recommend that all nodes in the default gateway pool have the same MTU.

As an alternative to using the default_gateway command, you can use the Setup utility, which allows you to create the default gateway pool at the time that you configure your base network.


Options

The use pool <pool_name> option specifies the name of the default gateway pool and must be 1-31 characters in length. Example: my_pool.

The show option shows the members of the default gateway pool.

The delete option deletes the default gateway pool.


failover


b failover standby | init | failback | linkdown <seconds>

b failover [show] | [linkdown show]

b -n failover <options>

 

Switches the BIG-IP system or 3-DNS Controller to be the standby unit in a redundant configuration. You should use this command with care; it is provided only for special situations. The BIG-IP system or 3-DNS Controller automatically switches between active and standby states, without operator intervention.


Options

The standby option switches the BIG-IP system to the standby unit.

The init option reloads failure-related configuration options from the bigdb database.

The failback option restores an active-active configuration after a failure. This option is only valid when the BIG/store key Common.Bigip.Failover.ManFailBack has been created and set to a value of 1.

The linkdown <seconds> option specifies the amount of time to bring the interfaces down when the unit fails over to the standby unit. Used to prompt peer switch appliances into resetting and relearning their ARP tables after a failover.

The show option displays the state (standby or active) of the BIG-IP system on which you typed the command.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


Changing failover state

Before you switch the current state, first determine the current state of the BIG-IP system or 3-DNS Controller using the failover command with the show option.

In an active/standby or active-active configuration, use the following command to switch the system to be the standby unit:

b failover standby


Displaying failover state

Show the state of the BIG-IP system or 3-DNS Controller with the following command:

b failover show

Initializing failover state

You can use the bigpipe failover init command to refresh the parameters of the failover mechanism with any new configuration data entered into the bigdb database.

b failover init


Restoring an active-active configuration after failure

This command will only work when the BIG/store key Common.Bigip.Failover.ManFailBack has been created and set to a value of one.

In an active-active configuration, run the following command after you issue the bigpipe failover standby command. This allows the inactive unit to resume handling connections:

b failover failback

Note


The failback command is only applicable if you are running a redundant system in active-active mode.

global

b global show
b global audit enable | disable | verbose | debug | [show]
b global auto_lasthop enable | disable | [show]
b global broadcast accept | discard | [show]
b global fastest_max_idle_time <seconds> | [show]
b global fastflow_active auto | on | off | [show]
b global gateway failsafe arm | disarm | [show]
b global ipforwarding enable | disable | [show]
b global l2_aging_time <num> | [show]
b global l7_validate_checksums enable | disable | [show]
b global memory_reboot_percent <percentage> | [show]
b global mirror enable | disable | [show]
b global mirror_vlan_forwarding enable | disable | [show]
b global msrdp no_session_dir enable | disable | [show]
b global net_reboot enable | disable | [show]
b global open_3dns_ports enable | disable | [show]
b global open_corba_ports enable | disable | [show]
b global open_failover_ports enable | disable | [show]
b global open_ftp_ports enable | disable | [show]
b global open_radius_ports enable | disable | [show]
b global open_rsh_ports enable | disable | [show]
b global open_snmp_port enable | disable | [show]
b global open_ssh_port enable | disable | [show]
b global open_telnet_port enable | disable | [show]
b global persist across_services enable | disable | [show]
b global persist across_virtuals enable | disable | [show]
b global persist map_proxies enable | disable | [show]
b global persist timer limit | timeout | [show]
b global quiet_boot enable | disable | [show]
b global reaper hiwater <percent> | [show]
b global reaper lowater <percent> | [show]
b global self_conn_timeout <num> | [show]
b global snats any_ip enable | disable | [show]
b global sslhardware failover enable | disable | [show]
b global sslproxy failover enable | disable | [show]
b global sslproxy serverssl cache size <num> | [show]
b global sslproxy serverssl cache timeout <num> | [show]
b global sslproxy strict resume enable | disable | [show]
b global sslproxy unclean shutdown enable | disable | [show]
b global sticky table_limit <max_num> | [show]
b global summary
b global syncookie_threshold <num> | [show]
b global verbose_log_level <num> | [show]
b global vlangroups opaque | translucent | transparent | [show]
b global vlans lookup enable | disable
b global vlans unique_mac enable | disable | [show]
b global webadmin_port <port> | [show]
b global web aggregate all | ip | port | none | [show]
b global web aggregate timeout <seconds> | [show]
b global web escapes decode | ignore | [show]
b global web parse first | all | [show]
b -n global <options>

 

audit

This variable logs all create, delete, and modify actions on the BIG-IP system.


auto_lasthop

When this variable is enabled, it automatically designates the lasthop router inside IP address as a lasthop route for replies to inbound traffic. If auto_lasthop is disabled, the lasthop router inside IP address must be specified as a lasthop pool. The default setting is enable.


broadcast

This variable controls the acceptance or rejection of IP broadcast packets by the BIG-IP system.


fastest_max_idle_time

Sets the number of seconds a node can be left idle by the fastest load balancing mode. This forces the BIG-IP system to send fewer connections to a node that is responding slowly, and also allows the BIG-IP system to periodically recalculate the response time of the slow node.


fastflow_active

You can use this variable to control additional enhancements that speed packet flow for TCP connections when the packets are not fragmented. In most configurations, these software enhancements are automatically turned on, and do not require any additional configuration.

However, you may want to turn off these enhancements for individual virtual servers that use IPFW rate filters. With the speed enhancements on, IPFW only examines the first SYN packet in any given connection. If you want to filter all packets, you should turn the speed enhancements off. To do this, you first set the global state of the system on, and then you turn the feature off for individual virtual servers that use IPFW rate filtering. You can also change the settings for these enhancements from the command line or in the Configuration utility.

There are three global states you can set with fastflow_active. The default state is auto. The global states are:

  • off
  • auto
  • on

The additional speed enhancements are globally disabled if the variable fastflow_active is off or if fastflow_active is set to auto and an IPFW rate filter exists in the configuration.

To provide the benefits of software acceleration for virtual servers that do not use rate filtering and turn off software acceleration for virtual servers that use IPFW rate filtering, you can set the global variable fastflow_active to on with the following command:

b global fastflow_active on

After you set the fastflow_active variable, use the following bigpipe command to disable software acceleration for virtual servers that use IPFW rate filtering:

b virtual <ip>:<port> accelerate disable


gateway failsafe

Turns the gateway fail-safe feature on and off. This command is supported only for redundant systems.

The typical use of gateway fail-safe is a setup where active and standby BIG-IP units use different routers as gateways to the Internet. Failover is triggered if the gateway for the active unit is unreachable.

To arm fail-safe on the gateway, enter the following command:

b global gateway failsafe arm

To disarm fail-safe on the gateway, enter the following command:

b global gateway failsafe disarm

To see the current fail-safe status for the gateway, enter the following command:

b global gateway failsafe show


ipforwarding

Enables IP forwarding for the BIG-IP system. IP forwarding exposes all of the node IP addresses to the external network, making them routable on that network. The default setting is disabled.


l2_aging_time

Specifies a time period after which dynamic entries in the L2 forwarding table are flushed out if the MAC address is no longer present on the network. The default value is 300 seconds.


memory_reboot_percent

The value you type, 80 or higher, is the percentage of memory that is in use before the BIG-IP system automatically reboots. The default value for this variable is 97. To disable this feature, set the value to 0.

mirror

Enables mirroring functions globally for the BIG-IP system. The mirror feature duplicates the active unit's real-time connection or persistence information state on the standby unit for smooth transition to the inactive unit at fail-over. The default setting is enabled.


mirror_vlan_forwarding

This variable is used to forward packets from a mirror-target VLAN to a source VLAN, after an intrusion detection system has attempted to terminate a connection.


msrdp no_session_dir

This variable is used to implement Windows Terminal Server persistence for those Windows servers on which the Session Directory service is not available.


open_3dns_ports

This variable is required only when running one or more separate 3-DNS Controllers in the network. It does not apply to running the 3-DNS software module on the BIG-IP system itself. The variable is disabled on the BIG-IP system when the 3-DNS Controller is not present in the network configuration. (See the 3-DNS Administrator Guide for more information.)


open_corba_ports

This variable enables and disables the CORBA ports that allow administrative CORBA connections. The default setting is disabled.


open_failover_ports

This variable enables or disables network failover when a VLAN has port lockdown enabled.

The following command enables network failover:

b global open_failover_ports enable

The following command disables network failover:

b global open_failover_ports disable


open_ftp_ports

This variable enables or disables ports for FTP access. The default setting is disable.

The following command opens the FTP ports (20 and 21) to allow administrative FTP connections, which is useful for BIG-IP units that do not support encrypted communications. FTP carries credentials and file contents in cleartext, so leave the ports closed on any unit that can use SSH instead, and close them again once the transfer is done.

b global open_ftp_ports enable

The following command closes FTP ports:

b global open_ftp_ports disable


open_radius_ports

This variable is required for RADIUS authentication. Enabling this variable allows the kernel to safely send UDP traffic on external, locked-down ports, without compromising the shared RADIUS secret sent between client and server.


open_rsh_ports

This variable enables or disables ports for RSH access. It is useful for BIG-IP units that do not support encrypted communications, or for connecting to 3-DNS Controllers that do not support encrypted communication. (See the 3-DNS Administrator Guide for more information.) RSH is unencrypted and trusts the caller's source address, so keep these ports closed unless a peer genuinely cannot use SSH.

The default setting is disable.

The following command opens the RSH ports (512, 513, and 514) to allow RSH connections:

b global open_rsh_ports enable

The following command closes RSH ports:

b global open_rsh_ports disable


open_snmp_port

This variable enables and disables the SNMP ports that allow administrative SNMP connections. The default setting is disabled.


open_ssh_port

This variable enables or disables ports for SSH access on BIG-IP units that support encrypted communication. The default setting is enable.

The following command opens the SSH port (22) to allow encrypted administrative connections:

b global open_ssh_port enable

The following command closes the SSH port:

b global open_ssh_port disable


open_telnet_port

This variable enables or disables the port for Telnet access. The default setting is disable.

Setting this variable to enable opens the Telnet port (23) to allow administrative Telnet connections. This is useful for BIG-IP units that do not support encrypted communications, or for a unit that needs to communicate with the 3-DNS software. (See the 3-DNS Administrator Guide for more information.) Telnet sends the login password in cleartext, so prefer SSH wherever the unit supports it.

The following command opens the Telnet port:

b global open_telnet_port enable

The following command closes the Telnet port:

b global open_telnet_port disable


persist across_services

When this variable is enabled, all simple persistence connections from a client IP address that go to the same virtual address also go to the same node (matches the client address and the virtual IP address but not the virtual port).

The default setting for this variable is disabled.


persist across_virtuals

When this variable is enabled, all simple persistent connections from the same client IP address are sent to the same node (matches the client IP address but not the virtual address or virtual port the client is using). The default setting for this variable is disabled.


persist map_proxies

The default setting for this variable is enable. The AOL proxy addresses are hard-coded. This enables you to use client IP address persistence with a simple persist mask, but forces all AOL clients to persist to the same server. All AOL clients will persist to the node that was picked for the first AOL client connection received.

The class B networks, 195.93 and 205.188, are mapped to 152.163 for persistence. For example, client 195.93.3.4 would map to 152.63.3.4 for persistence records only. This mapping is done prior to applying the persist mask. Use bigpipe pool persist dump to verify that the mapping is working.

We recommend that in addition to setting this variable, you set a persist mask of 255.255.0.0 so that all the AOL addresses map to a common address. Table A.2 shows how setting this variable together with a persist mask of 255.255.0.0 maps a sample set of client addresses.

Sample Client Address    Persist Address

152.44.12.3              195.93.0.0
152.2.99.7               195.93.0.0
170.11.19.22             195.93.0.0
202.67.34.11             195.93.0.0
205.188.11.2             195.93.0.0
208.33.23.4              208.33.0.0 (non-AOL address is not mapped)


persist timer

The following command forces the persistent connection timer to reset on each packet for persistent sessions. This is the default value.

b global persist timer timeout

The following command resets the timer only when the persistent connection is initiated.

b global persist timer limit

Note


For SSL persistence, the timer is always reset on each packet.

quiet boot

This variable suppresses the output that one normally sees when starting the system.

reaper hiwater

Used to prevent denial-of-service attacks, this variable specifies a high-water mark threshold for determining when unestablished connections through the BIG-IP system will no longer be allowed. The value of this variable represents a percentage of memory utilization. Once memory utilization has reached this mark, new connections are disallowed until memory utilization has dropped to the low-water mark threshold. For example, the following command specifies that connections will not be allowed when memory utilization reaches 95%:

b global reaper hiwater 95

Setting this value to 100 disables the feature. See also reaper lowater.


reaper lowater

Used to prevent denial-of-service attacks, this variable specifies a low-water mark threshold for determining at what point adaptive reaping becomes more aggressive. For example:

b global reaper lowater 85

The default setting for this variable is 85. Setting this value to 100 disables the feature. See also reaper hiwater.
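The interaction of the two thresholds (reaper hiwater and reaper lowater) as a small model; this is an added example, not code from the manual or from BIG-IP, and the class name and the memory-utilization samples are constructed for illustration.

```python
# Added example (not from the F5 manual): a model of the thresholds set by
# "b global reaper hiwater" and "b global reaper lowater". It follows the
# page's description: at or above hiwater, new connections are refused and
# stay refused until utilization falls back to lowater; at or above lowater,
# reaping of unestablished connections becomes more aggressive; a threshold
# of 100 disables that check. The utilization samples are constructed.


class AdaptiveReaper:
    def __init__(self, hiwater=95, lowater=85):
        if not 0 <= lowater <= hiwater <= 100:
            raise ValueError("expected 0 <= lowater <= hiwater <= 100")
        self.hiwater = hiwater
        self.lowater = lowater
        self.refusing = False  # latched once hiwater has been reached

    def observe(self, utilization):
        """Feed one memory-utilization sample (percent).

        Returns (accept_new_connections, aggressive_reaping)."""
        if not 0 <= utilization <= 100:
            raise ValueError("utilization is a percentage")
        if self.hiwater < 100:  # a hiwater of 100 disables the check
            if utilization >= self.hiwater:
                self.refusing = True
            elif self.refusing and utilization <= self.lowater:
                self.refusing = False  # hysteresis: release only at lowater
        aggressive = self.lowater < 100 and utilization >= self.lowater
        return (not self.refusing, aggressive)


def run_samples(samples, hiwater=95, lowater=85):
    """Apply a sequence of utilization samples and collect the decisions."""
    reaper = AdaptiveReaper(hiwater, lowater)
    return [reaper.observe(u) for u in samples]


if __name__ == "__main__":
    # Constructed sample: climb past 95%, then fall back slowly.
    samples = [50, 86, 96, 90, 85, 50]
    for util, (accept, aggressive) in zip(samples, run_samples(samples)):
        print(f"{util:3d}%  accept={accept!s:5}  aggressive={aggressive}")
```

The point the model makes visible is the hysteresis: once the 95% mark is hit, connections stay refused at 90% and are accepted again only when utilization is back at the 85% low-water mark.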


self_conn_timeout

This variable is used as a tracking mechanism for UDP connections. After the number of seconds specified by this variable has expired, the UDP connection terminates. The default value for this variable is 5.


snats any_ip

When this variable is enabled, the BIG-IP system attempts to forward an any-IP packet originating from a member of a SNAT, instead of rejecting that packet.


sslproxy failover

This variable causes the SSL proxy to initiate an automatic failover, in the event of a fatal failure of a cryptographic hardware module. Two settings are allowed: enable and disable. The default setting is disable.

Note that the use of this variable depends on the type of hardware module, as not all hardware modules respond to failures in the same way.


sslproxy serverssl cache size

This variable specifies the maximum size of the server-side SSL session cache. The default value is 20,000 entries. A value of 0 disallows session caching. Note that this value is for server-side cache size only. Client-side cache size is configured on a per-proxy basis, using the bigpipe proxy command.


sslproxy serverssl cache timeout

This variable specifies a timeout value for the server-side SSL session cache. Note that this value is for the server-side cache timeout only. Client-side cache timeout is configured on a per-proxy basis, using the bigpipe proxy command. The default value is 300.


sslproxy strict resume

This variable allows the SSL proxy to either resume or not resume the SSL sessions after an unclean shutdown. The two settings are enable and disable. The default setting is disable, which causes the SSL proxy to allow uncleanly shut down SSL sessions to be resumed.


sslproxy unclean shutdown

This variable causes the SSL proxy to perform either a clean or an unclean shutdown of all SSL connections. The default setting is enable, which causes the SSL proxy to perform unclean shutdowns. To force the SSL proxy to perform clean shutdowns, you use the disable option.


sticky table_limit

This is the maximum number of sticky entries allowed to accumulate on the BIG-IP system when using destination address affinity (sticky persistence). When the maximum value is reached, the BIG-IP system stops accumulating sticky entries. The default value for this entry is 2048.


summary

This variable prints a summary of BIG-IP system statistics.


syncookie_threshold

This variable activates the SYN Check feature when some threshold of connections has been reached on all virtual servers. The default value for the SYN Check threshold is 150,000.


verbose_log_level

This variable specifies logging levels for both TCP and UDP traffic. To set this logging level, specify a number. The default setting is 0, representing no logging. Table A.3 shows the result of providing various values on the command line.

b global verbose_log_level command    Result

b global verbose_log_level 1          This option logs attempts by a client to connect to an unauthorized UDP port on the BIG-IP system.

b global verbose_log_level 2          This option logs attempts by a client to connect to an unauthorized TCP port on the BIG-IP system.

b global verbose_log_level 4          This option logs attempts by a client to connect to an unauthorized UDP port on a virtual address.

b global verbose_log_level 8          This option logs attempts by a client to connect to an unauthorized TCP port on a virtual address.

b global verbose_log_level 16         This option turns on logging for statistics reset requests for NATS, nodes, and virtual servers.

b global verbose_log_level 64         This option logs messages regarding FTP connection diagnostics.

b global verbose_log_level 128        This option logs security messages regarding denial of general IP connections. These messages are not specific to TCP or UDP connections.

b global verbose_log_level 256        This option logs messages regarding SSL connection diagnostics.

b global verbose_log_level 512        This option enables a log message that tells the user when the syncookie_threshold has been exceeded. (For information on syncookie_threshold, see Configuring SYN Check activation, on page 6-21.)

To enable the system to log requests that have been made to an unauthorized UDP port, type the following command.

b global verbose_log_level 1

To enable the system to log multiple levels simultaneously, add up the desired log levels. The following command enables both log_level 1 and log_level 2.

b global verbose_log_level 3

For example, to turn on port denial logging for both TCP and UDP traffic, which logs TCP and UDP port denials to the virtual server address and the BIG-IP system address, type the following command.

b global verbose_log_level 15

To turn off logging altogether:

b global verbose_log_level 0
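Composing and checking a verbose_log_level value, as an added example that is not part of the manual; the bit values and their meanings are the ones in Table A.3, and the function names are this example's own.

```python
# Added example (not from the F5 manual): compose and decode the bitmask
# that "b global verbose_log_level" accepts. Bit values and meanings are
# the ones listed in Table A.3; any other bit (32, 1024, ...) is undefined
# on that page and is reported rather than silently accepted.

VERBOSE_LOG_LEVELS = {
    1: "unauthorized UDP port on the BIG-IP system",
    2: "unauthorized TCP port on the BIG-IP system",
    4: "unauthorized UDP port on a virtual address",
    8: "unauthorized TCP port on a virtual address",
    16: "statistics reset requests for NATs, nodes, and virtual servers",
    64: "FTP connection diagnostics",
    128: "denial of general IP connections (not TCP/UDP specific)",
    256: "SSL connection diagnostics",
    512: "syncookie_threshold exceeded",
}

DEFINED_MASK = sum(VERBOSE_LOG_LEVELS)  # 991: every bit Table A.3 defines


def compose_log_level(*levels):
    """Combine individual levels into one value.

    The manual says to "add up" the levels; bitwise OR gives the same
    result for distinct levels but, unlike +, does not turn 1 + 1 into
    2 (which would enable TCP-port logging instead of UDP-port logging)."""
    value = 0
    for level in levels:
        if level not in VERBOSE_LOG_LEVELS:
            raise ValueError(f"{level} is not a verbose_log_level bit from Table A.3")
        value |= level
    return value


def decode_log_level(value):
    """Return (enabled descriptions in bit order, undefined bits) for a value."""
    if value < 0:
        raise ValueError("verbose_log_level cannot be negative")
    enabled = [desc for bit, desc in VERBOSE_LOG_LEVELS.items() if value & bit]
    undefined = value & ~DEFINED_MASK
    return enabled, undefined


def bigpipe_command(*levels):
    """The command line that enables exactly the given levels."""
    return f"b global verbose_log_level {compose_log_level(*levels)}"


if __name__ == "__main__":
    print(bigpipe_command(1, 2, 4, 8))            # b global verbose_log_level 15
    enabled, undefined = decode_log_level(47)     # 47 = 15 + 32
    print(enabled, "undefined bits:", undefined)  # ... undefined bits: 32
```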


vlangroups

Enables layer 2 operation for VLAN groups. By default, VLAN groups are a hybrid of layer 2 proxy ARP with layer 3 forwarding. Using this variable, you can change the way that VLAN groups operate. Available settings for this variable are:

opaque
A proxy ARP with layer 3 forwarding. The command line syntax for enabling this setting is:

b global vlangroups opaque

translucent
Layer 2 forwarding with locally-unique bit, toggled in ARP response across VLANs. This is the default setting.

transparent
Layer 2 forwarding with the original MAC address of the remote system preserved across VLANs. The command-line syntax for enabling this setting is:

b global vlangroups transparent


vlans lookup

Enables VLAN-keyed connections. VLAN-keyed connections are used when traffic for the same connection must pass through the BIG-IP system several times, on multiple pairs of VLANs (or in different VLAN groups). The default setting is enable. To disable this feature, use the following command:

b global vlans lookup disable


vlans unique_mac

This variable is used to circumvent problems caused by problematic switch appliances that do not keep per-VLAN L2 forwarding tables. When set to enable, this variable causes VLANs to assume the MAC address of the first non-hidden member interface. When set to disable, a single MAC address is used for all VLANs.

The default setting for server appliances is enable. The default setting for switch appliances is disable.

If a non-default setting is used, you must set the variable before you load any VLANs. Also, you must reload the base configuration after changing the setting of this variable.


webadmin_port

Specifies the port number used for administrative web access. The default port for web administration is port 443.


web aggregate

This variable provides fine-grained control of client aggregation. Possible settings are:

all
Causes all clients, regardless of IP address, to be piggy-backed on established idle connections to servers.

ip
This is the default setting. Causes all clients with the same IP address to be piggy-backed on established idle connections to servers.

port
Causes only requests from both the same client source IP address and source port to be aggregated. This behavior is required for enabling non-compliant HTTP implementations to use keep-alives.

none
Establishes a connection to back-end servers with each new request in the front-end stream, regardless of the viability of idle connections.


web aggregate timeout

This variable allows you to configure a timeout value, in seconds, for the idle HTTP connection reaper. The minimum timeout value allowed is 1. The maximum timeout value is INT_MAX, currently defined as 4294967295. The default timeout value is 5.


web escapes

This variable decodes "%" escape characters in URIs before comparison, using a rule. The variable can be set to decode or ignore. The default setting is ignore.


web parse

The first option to this variable disables both aggregation and keep-alive parsing, reverting the BIG-IP system to its pre-4.0 behavior. The default setting is all.


-n

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


-h and -help

b [<command>][-h | -help ]

 

Displays the bigpipe command syntax or usage text for all current commands, or for the given command.

Note


More detailed man pages are available for some individual bigpipe commands. To display detailed online help for the bigpipe command, type: man bigpipe. To display detailed online help for an individual bigpipe command, type: man <command>.

interface

b interface [<interface_name>] show [verbose]

b interface [<interface_name>] media [show]

b interface [<interface_name>] duplex [show]

b interface <interface_name> media <media_type>

b interface <interface_name> duplex full | half | auto

b interface [<interface_name>] stats reset

b interface <interface_name> enable | disable

 

For each installed network interface card, displays the name of the interface; sets properties of the interface, such as MAC address, media options, duplex mode, and status; resets interface statistics; enables or disables the interface; and changes driver name mappings.


Options

The <interface_name> variable is a name such as 3.1, where 3 is the physical slot number holding the network interface hardware and 1 is the physical port number on that hardware.

The show [verbose] option displays the current status, settings, and network statistics for the specified interface. The verbose argument provides more detailed information. If no interface is specified, this option displays information for all interfaces.

The media show option displays information about the media type for the specified interface.

The duplex show option displays the duplex mode of the specified interface.

The media <media_type> option sets the media type of the specified interface; <media_type> must be a valid media type for that interface. Examples include auto, 100baseTX, and 10baseT. Note that only certain combinations of media type and duplex mode are valid for any particular type of interface.

The duplex full | half | auto option sets the duplex mode of the specified interface. Note that each option is valid only if the specified interface supports that media type.

The stats reset option resets the statistics for the specified interface.

The enable | disable option enables or disables the specified interface.


Displaying interface information

To display the status, settings, and statistics for all interfaces on the BIG-IP system, use the following command.

b interface show [verbose]

To display the status, settings, and statistics for a specific interface on the BIG-IP system, use the following command-line syntax.

b interface <interface_name> show [verbose]

Note that if the verbose argument is used, the output provides additional information on status. If the verbose argument is not used, the output focuses on statistics.

To display the media type for an interface, use the following command-line syntax.

b interface <interface_name> media show

To display the duplex mode for an interface, use the following command-line syntax.

b interface <interface_name> duplex show


Setting the media type

The media type may be set to the specific media type for the interface card or it may be set to auto for auto detection. If the media type is set to auto and the card does not support auto detection, the default type for that interface will be used, for example 1000BaseTX.

To set the media type, use the following command-line syntax.

b interface <interface_name> media <media_type>


Setting the duplex mode

Duplex mode may be set to full, half duplex, or auto. If the media type does not allow duplex mode to be set, this will be indicated by an onscreen message. If media type is set to auto, or if setting duplex mode is not supported, the duplex setting will not be saved to the bigip.conf file.

To set the duplex mode, use the following command-line syntax.

b interface <interface_name> duplex full | half | auto


Resetting statistics

You can reset interface statistics for all interfaces or for a specific interface.

To reset statistics for all interfaces, use the following command.

b interface stats reset

To reset statistics for a specific interface, use the following command-line syntax:

b interface <interface_name> stats reset


Enabling or disabling an interface

Enabling or disabling an interface allows you to control whether the interface receives and sends packets. If an interface begins to behave strangely, you can disable and then enable the interface to effectively reset it.

To enable or disable an interface, use the following command-line syntax.

b interface <interface_name> enable | disable


-n

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


list


b list

 

Displays the in-memory configuration of the BIG-IP system.

b list


load

b [verify] load [ <filename> | - ]

b [verify] base load [ <filename> | - ]

b [-log] load [ <filename> | - ]

b -n load <options>

 

Resets all of the BIG-IP system settings and then loads the configuration settings, by default, from the /config/bigip.conf and /config/bigip_base.conf files.

For testing purposes, you can save a test configuration by renaming it to avoid confusion with the boot configuration file. To load a test configuration, use the load command with the <filename> parameter. For example, if you renamed your configuration file to /config/bigtest.conf, the command would be:

b load /config/bigtest.conf

You can also use the load - command to replace the current configuration with configuration commands you type at the keyboard. The load occurs as soon as <CTRL-D> is entered. For example, the following sequence of commands loads the configuration from the standard input device and defines a pool named test:

b load -
pool test { member 10.1.1.108:80 }
<CTRL-D>


Options

The verify option validates the specified configuration file. For example, to check the syntax of the configuration file /config/altbigpipe.conf, use the following command:

b verify load /config/altbigip.conf

The base option loads base-level configurations from /config/bigip_base.conf.

The -log option causes any error messages to be written to /var/log/bigip in addition to the terminal.

The - option specifies that the BIG-IP system should load configuration commands from the standard input device after loading the base configuration.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


Customizing the load and base load commands

You can specify a user-defined script to run before and after a load or base load command. You can use the following bigpipe db variables to configure this functionality:

Common.Bigip.Load.Pre (Executes before load.)
Common.Bigip.Load.Post (Executes after load.)
Common.Bigip.BaseLoad.Pre (Executes before base load.)
Common.Bigip.BaseLoad.Post (Executes after base load.)

For example, to run the script /root/base_pre.sh before loading the base configuration, you would type the following:

b db set Common.Bigip.BaseLoad.Pre = "/root/base_pre.sh"

Note


The load command causes the base load command to run before the load command. This means that BaseLoad.Pre/Post scripts are run for both load and base load commands.

maint

b [-n] maint

 

Toggles a BIG-IP system into and out of maintenance mode. When in maintenance mode, a BIG-IP system accepts no new connections, but it does allow existing connections to complete.

The maint command interactively prompts you for confirmation to put the system into or out of maintenance mode.

b maint

When taking the BIG-IP system out of maintenance mode, there are two possible behaviors.

  • If the BIG-IP system has been in maintenance mode for less than 20 minutes, the BIG-IP system immediately begins to accept new connection requests.
  • If the BIG-IP system has been in maintenance mode for more than 20 minutes, it automatically updates all network ARP caches; this process normally takes a few seconds. However, you can speed up the process by reloading the configuration file, using the following command:

    b load /config/bigip.conf

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


makecookie

b makecookie <ip_addr:service> [ > <file>]

 

Creates a cookie template similar to the templates shown in Figure A.3 and Figure A.4. The command generates a cookie string with encoding automatically added for the Passive mode of cookie persistence. As an option, you can specify the > symbol and a file name to redirect the output of the command to a file.

The command-line syntax is as follows, where <ip_addr> is the server IP address:

b makecookie <ip_addr:service> [ > <file>]

Figure A.3 Sample cookie template


Set-Cookie:BIGipServer[poolname]=336268299.20480.0000; path=/
 

Figure A.4 Sample cookie template with additional information


Set-Cookie:BIGipServer[poolname]=336268299.20480.0000; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/
 

To create your cookie using the sample string above, simply enter the actual pool names and the desired expiration date and time.
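The encoding behind the sample strings in Figures A.3 and A.4, as an added example that is neither the manual's text nor bigpipe's own code: the pool member's IPv4 address as a little-endian 32-bit decimal, the port as a little-endian 16-bit decimal, then ".0000", so the page's 336268299.20480.0000 stands for 11.12.11.20:80. Function names and the pool name web_pool are this example's own.

```python
# Added example (not from the F5 manual and not bigpipe's own code): encode
# and decode the value that "b makecookie <ip_addr:service>" emits. The
# BIGipServer encoding is the pool member's IPv4 address as a little-endian
# 32-bit decimal, the port as a little-endian 16-bit decimal, then ".0000";
# the page's sample 336268299.20480.0000 therefore denotes 11.12.11.20:80.
import ipaddress
import re

COOKIE_VALUE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.(\d{4})$")


def encode_cookie_value(ip, port):
    """Encode ip:port the way makecookie does."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    addr = ipaddress.IPv4Address(ip)  # raises on anything but an IPv4 address
    ip_le = int.from_bytes(addr.packed, "little")
    port_le = int.from_bytes(port.to_bytes(2, "big"), "little")
    return f"{ip_le}.{port_le}.0000"


def decode_cookie_value(value):
    """Recover (ip, port) from a cookie value. The encoding is reversible,
    so whoever holds the cookie can read the pool member's address and port."""
    m = COOKIE_VALUE_RE.match(value)
    if m is None:
        raise ValueError("not a BIGipServer cookie value")
    ip_le, port_le = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_le > 0xFFFF:
        raise ValueError("field exceeds its width")
    ip = ipaddress.IPv4Address(ip_le.to_bytes(4, "little"))
    port = int.from_bytes(port_le.to_bytes(2, "little"), "big")
    return str(ip), port


def set_cookie_header(pool, ip, port, expires=None):
    """Build the Set-Cookie line of Figure A.3 / A.4 for a real pool name."""
    parts = [f"BIGipServer{pool}={encode_cookie_value(ip, port)}"]
    if expires is not None:
        parts.append(f"expires={expires}")
    parts.append("path=/")
    return "Set-Cookie: " + "; ".join(parts)


if __name__ == "__main__":
    print(set_cookie_header("web_pool", "11.12.11.20", 80))
    print(decode_cookie_value("336268299.20480.0000"))  # ('11.12.11.20', 80)
```

decode_cookie_value is the check for what a persistence cookie issued by a given pool discloses about the member it points at.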


merge

b [-log] merge <file_name> | -

 

Loads the BIG-IP system configuration from the file specified in the <file_name> variable, without resetting the current configuration.


Options

The -log option causes any error messages to be written to /var/log/bigip, as well as to the terminal.

The - option specifies that the BIG-IP system should load a configuration file from the standard input. Unlike the - option for the bigpipe load command, however, the - option for the bigpipe merge command does not reset the current configuration.


mirror

b mirror [<mirror_to_interface>] [show]

b mirror <mirror_to_interface> interfaces add <interface_list>

b mirror <mirror_to_interface> interfaces delete <interface_list>

b mirror <mirror_to_interface> delete

b -n mirror <options>

 

For the BIG-IP Application Switch, you can copy traffic from any port or set of ports to a single, separate port. This is called port mirroring. Note that the term port mirroring refers to a physical port, rather than a logical port.

You should attach a sniffer device to the target port, called the mirror-to port, for debugging and/or monitoring.


Options

The <mirror_to_interface> variable specifies the port to which you want one or more ports to be mirrored.

The show option displays a specific mirror-to interface. If no interface is specified, this option displays all mirror-to interfaces.

The interfaces add <interface_list> variable specifies one or more ports that you want to mirror to the mirror-to port.

The interfaces delete <interface_list> variable specifies one or more ports that you want to delete from a port mirror.

The delete option deletes the specified mirror-to interface.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


Displaying port mirroring

Using the show argument, you can display all mirror-to interfaces or a specific mirror-to interface.

To display all mirror-to interfaces, type the following command:

b mirror show

To display a specific mirror-to interface, use the following command-line syntax:

b mirror <mirror_to_interface> show


Creating a port mirror

Creating a port mirror consists of specifying a mirror-to port and adding to it one or more ports (that is, a port list) to be mirrored. The bigpipe syntax for setting up port mirroring is:

b mirror <mirror_to_interface> interfaces add <interface_list>

For example, you could type the following command:

b mirror 3.24 interfaces add 3.1 3.3 3.10


Deleting interfaces from a port mirror

The bigpipe syntax for deleting interfaces from a port mirror is:

b mirror <mirror_to_interface> interfaces delete <interface_list>

For example, you could type the following command:

b mirror 3.24 interfaces delete 3.10


Deleting a port mirror

The bigpipe syntax for deleting a port mirror is:

b mirror <mirror_to_interface> delete

For example, you could type the following command:

b mirror 3.24 delete


monitor

b monitor <monitor_name> '{ use <monitor_template> [<attr> <attr_value>]... }'

b monitor <monitor_name> '{ interval <seconds> timeout <seconds> }'

b monitor show all

b monitor <monitor_name> show

b monitor <monitor_name> delete

b monitor <monitor_name> enable | disable

b monitor instance <ip>:<service> ... enable | disable

b monitor instance <ip> ... enable | disable

 

Defines a health monitor. A health monitor is a configuration object that defines how and at what intervals a node is pinged to determine if it is up or down. Once a monitor is defined, instances of the monitor are created for a node or nodes, one instance per node, using the bigpipe node command.

Monitors verify services and connections of node servers. The icmp or tcp_echo monitors may be used to monitor node addresses. If the node server or node address fails to respond in the specified timeout period, it will be marked as down. When a node server or node address is marked as down, traffic is no longer directed to it.

Several steps are needed to create a monitor and associate it with a node server or node address. A monitor must be created, based on a monitor template that the BIG-IP system provides. In some cases, a monitor template is directly usable. Once a monitor is created, the node address or node server is associated with the monitor, creating a monitor instance.

Options

The <monitor_name> variable specifies the name you want to use for the monitor you are creating or managing.

The <monitor_template> variable specifies the health monitor template you want to use to create your monitor. For a list of templates that you can specify, see Monitor templates. See Table A.5 for attributes used in the monitor templates.

The <attr> variable specifies an attribute of the monitor to which you want to assign a value. For a list of monitor attributes, see Monitor templates and Monitor attributes.

The <attr_value> variable specifies the value of the attribute specified with the <attr> option.

The show all option displays all existing monitors.

The show option displays the specified monitor.

The delete option deletes the specified monitor.

The enable | disable option enables or disables the specified monitor.

The instance <ip address>:<service> option enables or disables a monitor instance for the specified IP address and port.

The instance <ip address> option enables or disables a monitor instance for the specified IP address.


Creating a monitor

Creating a monitor simply names and sets the options for a monitor, based on a monitor template. The options may be obtained from a predefined set of default options or the option values may be specified on the command line during creation.

Options include destination address, interval time, timeout value, send string, and receive string, and so on. Options can be changed later using the modify option. See Table A.5 for attributes used in the monitor templates.

The following is an example of a command to create an http monitor:

b monitor my_http '{ use http send "GET /my.html" recv "TESTING" }'

The command above creates a monitor with the name my_http, based on the http template. The send and recv strings are modified from the default values. The interval, timeout, destination address, username, and passwd configuration options are not specified on the command line because the monitor will use the default values.

Note that single quotes are used when entering monitor commands on the command line, to prevent the command shell from attempting to interpret the double quotes within the monitor definition.


Modifying a monitor

If you want to change the default values of certain options, such as interval and timeout, you can use syntax as in the following example:

b monitor my_http '{ interval <seconds> timeout <seconds> }'


Creating a monitor instance

Creating a monitor instance simply associates a monitor or group of monitors with a node address or node server.

Each monitor template contains a destination address option. Almost always, this is the meta character string "*:*", which causes the BIG-IP system to create the monitor instance using the IP address and port supplied on the command line. For example, the destination address option dest in the tcp monitor template looks as follows:

monitor tcp {
    # type tcp
    interval 5
    timeout 16
    dest *:*
    send ""
    recv ""
}

We can create two instances of this monitor by entering the following command:

b node 10.10.10.10:80 10.10.10.12:80 monitor use tcp

The dest *:* attribute in the tcp monitor causes the two monitor instances to be created, substituting the IP address and port combination supplied on the command line into the destination address. In other words, there are two monitor instances created, one that communicates with address 10.10.10.10:80, and one that communicates with 10.10.10.12:80. The node 10.10.10.10:80 depends on the monitor instance 10.10.10.10:80. If the monitor instance cannot get a response from node 10.10.10.10:80, then the node is marked as down. The same is true for node 10.10.10.12:80.

It is also possible to enter explicit addresses into a monitor. For example, the following shows a monitor called exp_tcp that specifies an explicit destination address:

monitor exp_tcp {
    # type tcp
    use "tcp"
    interval 5
    timeout 16
    dest 10.10.10.24:80
    send ""
    recv ""
}

In this case, the following command causes one monitor instance to be created, one that communicates with address 10.10.10.24:80:

b node 10.10.10.10:80 10.10.10.12:80 monitor use exp_tcp

In this case, the nodes 10.10.10.10:80 and 10.10.10.12:80 depend on the health of node 10.10.10.24:80. If that node does not respond, both 10.10.10.10:80 and 10.10.10.12:80 are marked as down.

The following is another example of specifying a destination address on the command line:

b node '*:http' monitor use my_http

The command above creates a monitor instance for all node addresses with a service of http. Note that it is necessary to enter the single quotes when entering this command on the command line to prevent the shell from interpreting the special character *.
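How the dest attribute decides which monitor instances are created and which nodes share one, as an added example that is not part of the manual: the node list and the two dest values are the ones from the tcp and exp_tcp examples above, while the functions and the dictionary layout are this example's own model.

```python
# Added example (not from the F5 manual): a model of how a monitor's dest
# attribute determines the monitor instances that "b node ... monitor use"
# creates, and which nodes each instance's health controls. The node lists
# and the two dest values are the ones from the tcp and exp_tcp examples
# on the page; the data structures are this example's own.


def _split_target(target):
    """Split "host:port" into its parts (either part may be "*")."""
    host, _, port = target.rpartition(":")
    return host, port


def monitor_instances(dest, nodes):
    """Map each monitor instance (host:port) to the nodes that depend on it.

    A "*" in dest takes the corresponding part from the node; an explicit
    host or port overrides it, so several nodes can share one instance."""
    d_host, d_port = _split_target(dest)
    deps = {}
    for node in nodes:
        n_host, n_port = _split_target(node)
        host = n_host if d_host == "*" else d_host
        port = n_port if d_port == "*" else d_port
        deps.setdefault(f"{host}:{port}", []).append(node)
    return deps


def node_status(deps, unresponsive):
    """Mark every node down whose monitor instance got no response."""
    status = {}
    for target, nodes in deps.items():
        for node in nodes:
            status[node] = "down" if target in unresponsive else "up"
    return status


if __name__ == "__main__":
    nodes = ["10.10.10.10:80", "10.10.10.12:80"]
    print(monitor_instances("*:*", nodes))           # one instance per node
    shared = monitor_instances("10.10.10.24:80", nodes)
    print(node_status(shared, {"10.10.10.24:80"}))  # both nodes down
```

With an explicit dest, the model shows the shared dependency the text describes: one unresponsive target takes every node that uses exp_tcp down at once.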


Modifying a monitor instance

The enable/disable attribute can be changed within a monitor instance. For example:

b monitor instance 10.20.3.2:http disable

This command disables a monitor instance for a node server. The monitor will not attempt to establish a connection with the service until it is later enabled.


Deleting a monitor

To delete a monitor, use the bigpipe monitor command with the delete option, as in the following example:

b monitor my_http delete


Deleting a monitor instance

To delete a monitor instance, use the bigpipe node command with the delete option, as in the following example:

b node '*:http' monitor delete


Displaying monitor templates

To display a specific monitor template, use the following command-line syntax:

b monitor <monitor template> show

When you issue the above command, the BIG-IP system displays the specified template.

To display all monitor templates, use the following command:

b monitor show all


Displaying monitor instances

Using the bigpipe node command, you can display the status of a monitor instance, along with the corresponding node status. For example:

bigpipe node 192.168.200.50:http monitor show

To see this information for all monitor instances, use the following command:

b node monitor show


Monitor templates

Table A.4 lists the monitor templates and shows the template-specific attribute sets for each.

Name/Type       Template-Specific Attribute Set

icmp            none

tcp_echo        transparent (optional)

tcp             send ""
                recv ""
                transparent (optional)
                reverse (optional)

http            username ""
                password ""
                send "GET /index.html"
                recv ""
                get (optional)
                url (optional)
                transparent (optional)
                reverse (optional)

https           username ""
                password ""
                send "GET /index.html"
                recv ""
                get (optional)
                url (optional)
                transparent (optional)
                reverse (optional)

external        run ""
                args ""

ftp             username "anonymous"
                password "bigip1@internal"
                get "/README"
                url (optional)

nntp            username ""
                password ""
                newsgroup "local"

pop3            username ""
                password ""

smtp            domain "bigip1@internal"

snmp_dca        CPU coefficient ""
                CPU threshold ""
                memory coefficient ""
                memory threshold ""
                disk coefficient ""
                disk threshold ""
                useroid ""
                useroid coefficient ""
                useroid threshold ""

snmp_dca_base   useroid ""
                useroid coefficient ""
                useroid threshold ""

imap            username ""
                password ""
                folder "INBOX"
                message_num (optional)

radius          username "username"
                password "password"
                secret "12345678"

ldap            base "o=Org, c=US"
                filter "sn=Doe"

sql             username ""
                password ""
                database ""

https_443       dest *:443

Table A.5 defines the attributes used in the monitor templates.

Table A.5 Monitor template attributes

interval <seconds>
    Ping frequency time interval in seconds.

timeout <seconds>
    Ping timeout in seconds.

dest <node_addr>
    Ping destination node. Usually * for the simple monitors (icmp, tcp_echo) and *:* for all others, causing the monitor instance to ping the address or address:port for which it is instantiated. Specifying an address and/or port forces the destination to that address/port (as the https_443 template does with dest *:443).

send <string>
    Send string for ECV. Default send and recv values are empty (""), matching any string.

recv <string>
    Receive expression for ECV. The default, empty (""), matches any response.

get <string>
    For the http and https monitors, get replaces the send statement, automatically filling in "GET". For the ftp monitor, get specifies the full path to a file to retrieve and automatically fills in dest.

url <string>
    For the http, https, and ftp monitors, url replaces the send statement, supplying a URL and automatically filling in dest with the URL's address.

reverse
    A mode that marks the node down if the received content matches the recv string (and up when it does not).

transparent
    A mode that forces pinging through the node to the dest address, for transparent nodes such as firewalls.

run <program>
    An external user-added EAV program.

args <program_args>
    List of command-line arguments for the external program; args are quoted strings separated by spaces.

username <username>
    User name for services with password security. For ldap this is a distinguished name (an LDAP-format user name).

password <password>
    Password for services with password security.

newsgroup <newsgroup>
    Newsgroup, for type nntp EAV checking only.

database <database>
    Database name, for type sql EAV checking only.

domain <domain_name>
    Domain name, for type smtp EAV checking only.

secret <string>
    Shared secret, for radius EAV checking only.

folder <string>
    Folder name, for imap EAV checking only.

message_num <num>
    Optional message number, for imap EAV checking only.

base <string>
    Starting place in the LDAP hierarchy from which to begin the query, for ldap EAV checking only.

filter <string>
    LDAP-format key of what is to be searched for, for ldap EAV checking only.
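The send, recv, reverse and timeout semantics above are easy to get wrong when writing a tcp ECV check, in particular the interaction of reverse with an empty recv. The following is an added example, not part of the manual: a local simulation that starts a throw-away back end on 127.0.0.1, probes it the way a tcp monitor instance would, and returns the UP/DOWN verdict. The banner, the probe strings and the CRLF appended to the send string are all constructed assumptions of this example.

```python
"""Added example, not from the BIG-IP manual: a local simulation of a tcp
ECV check that follows the send / recv / reverse / timeout semantics in
Table A.5. The back-end banner, ports and probe strings are constructed."""
import re
import socket
import socketserver
import threading


class _BannerHandler(socketserver.BaseRequestHandler):
    """Constructed back end: wait briefly for a request line, then answer
    with a fixed banner (the way an SMTP or FTP service greets a client)."""
    banner = b"220 mail.example.internal ESMTP ready\r\n"

    def handle(self):
        self.request.settimeout(0.5)
        try:
            self.request.recv(1024)          # the probe's send string, if any
        except socket.timeout:
            pass                             # silent probe: greet anyway
        self.request.sendall(self.banner)


def start_backend(banner=_BannerHandler.banner):
    """Start a throw-away listener on 127.0.0.1; returns (server, port)."""
    handler = type("Handler", (_BannerHandler,), {"banner": banner})
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def ecv_check(addr, port, send="", recv="", reverse=False, timeout=2.0):
    """Return True when the node would be marked UP.

    - send: string written to the node (CRLF appended, an assumption of this
      example); nothing is written when it is empty.
    - recv: regular expression applied to the response; the empty default
      matches any response, as the manual states.
    - reverse: invert the verdict, so a match marks the node DOWN. Edge case:
      reverse with an empty recv matches everything and therefore marks a
      responding node DOWN every time.
    - connection refused or no answer within timeout is DOWN in both modes.
    """
    try:
        with socket.create_connection((addr, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            if send:
                sock.sendall(send.encode() + b"\r\n")
            data = sock.recv(4096).decode("latin-1")
    except OSError:
        return False
    matched = True if recv == "" else re.search(recv, data) is not None
    return (not matched) if reverse else matched


if __name__ == "__main__":
    srv, port = start_backend()
    print("tcp send/recv:", ecv_check("127.0.0.1", port, "EHLO probe", r"^220 "))
    print("reverse mode: ", ecv_check("127.0.0.1", port, recv=r"^220 ", reverse=True))
    srv.shutdown()
    srv.server_close()
```

Run it as a script to see both verdicts; the reverse call reports DOWN because the banner matches "^220 ", which is exactly what reverse mode is for (a "421 service not available" style reply would flip it).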

 

-n

b -n

 

Used with some bigpipe commands, such as bigpipe virtual, to display services and IP addresses numerically rather than by service name and host name, respectively. For example, type the following command to display services numerically:

b -n virtual

Figure A.5 shows an example of output that uses IP addresses instead of host names.

Figure A.5 The output of bigpipe -n virtual


virtual +------> 11.100.1.1 UNIT 1
        |        (cur, max, limit, tot) = (0, 0, 0, 0)
        |        (pckts,bits) in = (0, 0), out = (0, 0)
        +---+--> SERVICE 80 UP
            |    (cur, max, limit, tot) = (0, 0, 0, 0)
            |    (pckts,bits) in = (0, 0), out = (0, 0)
                 MEMBER 11.12.1.100:80 UP
                 (cur, max, limit, tot) = (0, 0, 0, 0)
                 (pckts,bits) in = (0, 0), out = (0, 0)
 

The -n command can be used with the following bigpipe commands:

  • authz
  • config
  • conn
  • failover
  • global
  • load
  • maint
  • mirror
  • nat
  • node
  • pool
  • power
  • proxy
  • reset
  • save
  • self
  • service
  • verify
  • version
  • virtual
  • vlan
  • vlangroup

nat

b nat <orig_addr> to <trans_addr> [unit <unit ID>] [arp disable | enable] [vlans <vlan name> [<vlan name>...] disable]

b nat [<orig_addr>...] stats reset

b nat <orig_addr> vlans <vlan_name> [<vlan name>...] enable | disable

b nat [show]

b nat <orig_addr> vlans show

b nat <orig_addr> [<orig_addr>...] show

b nat <orig_addr> arp enable | disable | show

b nat <orig_addr> [<orig_addr>...] delete

b nat <trans_addr> [<trans_addr>...] delete

b -n nat <options>

 

Defines a network address translation (NAT): an IP address, routable on the external network, that a node can use to initiate connections to hosts on the external network and at which it can receive direct connections from clients on the external network. The nat command defines a mapping between the IP address of a server behind the BIG-IP system, <orig_addr>, and an unused routable address on the network in front of the BIG-IP system, <trans_addr>.

The primary reason to define a NAT is to allow one of the servers in the server array behind the BIG-IP system to initiate communication with a computer in front of, or external to, the BIG-IP system. Note that the mapping is address to address, not per service: once a NAT exists, connections from the external network to <trans_addr> reach the server directly rather than through a virtual server, so define a NAT only for nodes that need that exposure and use the vlans <vlan name> disable option to withhold it from VLANs that should not have it.


Options

The <orig_addr> variable is the originating IP address.

The <trans_addr> variable is the translated IP address.

The unit <unit ID> option specifies a unit ID, currently 1 or 2. The default unit ID is set to 1.

The delete option deletes a NAT from the BIG-IP system.

The stats reset option resets statistics for the specified NAT.

The vlans <vlan_name> option allows control of access through a NAT on a per-VLAN basis. A NAT is accessible on all VLANs by default.

The vlans show option displays the VLANs on which the specified NAT is enabled.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.

Defining a NAT

Use the following syntax to define a NAT:

b nat <orig_addr> to <trans_addr> [unit <unit ID>] [arp disable | enable] [vlans <vlan name> [<vlan name>...] disable]

The node behind the BIG-IP system with the IP address specified by <orig_addr> has a presence in front of the BIG-IP system as IP address <trans_addr>.

For example:

b nat 11.0.0.100 to 10.0.140.100


Deleting a NAT

Use either of the following commands to permanently delete one or more NATs from the BIG-IP system configuration:

b nat <orig_addr> [<orig_addr>...] delete

b nat <trans_addr> [<trans_addr>...] delete


Additional Restrictions

The nat command has the following additional restrictions:

  • A virtual server cannot use the IP address defined in the <trans_addr> parameter.
  • A NAT cannot use the IP address of a BIG-IP system.
  • The IP address defined in the <orig_addr> parameter must be routable to a specific server behind the BIG-IP system.
  • A NAT cannot use an originating or translated IP address that is defined for and used by a SNAT or another NAT.
  • You must delete a NAT before you can redefine it.

node

b node <node_ip>... enable | disable

b node <node_ip>:<service>... enable | disable

b node [<node_ip>[:<service>]...] show

b node <node_ip>... limit <max_conn>

b node <node_ip>:<service>... limit <max_conn>

b node <node_ip>... stats reset

b node <node_ip>[:service]... stats reset

b node <node_ip>[:<service>]... up | down

b node <node_ip>[:<service>] monitor use <monitor_name> [and <monitor_name>]...

b node [<node_ip>[:<service>]] monitor show

b node <node_ip>[:<service>] monitor delete

b node <node_ip> dynamic_ratio <num>

b node <node_ip> dynamic_ratio show

b -n node <options>

 

Displays information about nodes and allows you to set properties for nodes and node addresses. Nodes may be identified using wildcard notation: * represents all nodes on the network, *:80 represents all port 80 nodes, and 11.11.11.1:* represents all services on the node address 11.11.11.1.


Options

The <node_ip>[:<service>] variable is an IP address and optional service of the node to display or modify.

The enable | disable options enable or disable traffic for one or more specified IP addresses.

The limit <max_conn> option defines the maximum number of connections allowed for one or more specified nodes.

The stats reset option resets statistics for one or more specified nodes.

The up | down option causes one or more nodes to change to the forced up or forced down state.

The monitor use <monitor_name> option associates one or more specified monitors with the specified node.

The monitor show | delete option shows or deletes a monitor instance running on the specified node.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


Displaying nodes

You can display information about a specified node. For example, the following command displays information about node 192.168.200.50:20:

b node 192.168.200.50:20 show

Note that the show keyword is optional.

The resulting information displayed is as follows:

NODE 192.168.200.50 UP CHECKED
 | (cur, max, limit, tot) = (0, 0, 0, 0)
 | (pckts,bits) in = (0, 0), out = (0, 0)
 +- PORT 20 UP CHECKED
    (cur, max, limit, tot) = (0, 0, 0, 0)
    (pckts,bits) in = (0, 0), out = (0, 0)
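The node and virtual listings share one tree layout (a NODE, virtual, PORT, SERVICE or MEMBER line followed by its counters), which makes them practical to feed into monitoring. The following is an added example, not part of the manual: a parser for that layout and a check that reports anything DOWN or close to its connection limit. The sample listing is constructed, combining the two formats shown above; run the commands with -n so that addresses and ports are numeric and the parser never sees host or service names.

```python
"""Added example, not from the BIG-IP manual: parse the tree-style output of
'b -n node show' and 'b -n virtual' into records and flag members that are
DOWN or at their connection limit. SAMPLE_OUTPUT is constructed."""
import re

SAMPLE_OUTPUT = """\
NODE 192.168.200.50 UP CHECKED
 | (cur, max, limit, tot) = (12, 40, 0, 9031)
 | (pckts,bits) in = (512, 4096), out = (498, 3984)
 +- PORT 20 UP CHECKED
    (cur, max, limit, tot) = (12, 40, 0, 9031)
    (pckts,bits) in = (512, 4096), out = (498, 3984)
NODE 192.168.200.51 DOWN CHECKED
 | (cur, max, limit, tot) = (0, 7, 0, 301)
 | (pckts,bits) in = (0, 0), out = (0, 0)
 +- PORT 20 DOWN CHECKED
    (cur, max, limit, tot) = (0, 7, 0, 301)
    (pckts,bits) in = (0, 0), out = (0, 0)
virtual +------> 11.100.1.1 UNIT 1
        |        (cur, max, limit, tot) = (50, 50, 50, 1200)
        |        (pckts,bits) in = (9000, 72000), out = (8900, 71200)
        +---+--> SERVICE 80 UP
            |    (cur, max, limit, tot) = (50, 50, 50, 1200)
            |    (pckts,bits) in = (9000, 72000), out = (8900, 71200)
                 MEMBER 11.12.1.100:80 UP
                 (cur, max, limit, tot) = (50, 50, 0, 1200)
                 (pckts,bits) in = (9000, 72000), out = (8900, 71200)
                 MEMBER 11.12.1.101:80 DOWN
                 (cur, max, limit, tot) = (0, 3, 0, 41)
                 (pckts,bits) in = (0, 0), out = (0, 0)
"""

# Tree decoration (spaces, |, +, -, >) precedes the keyword on most lines,
# and the virtual line carries its arrow between the keyword and the address.
_ENTRY = re.compile(
    r"^[\s|+\->]*(?P<kind>virtual|NODE|PORT|SERVICE|MEMBER)\s+[+\->]*\s*"
    r"(?P<name>\S+)(?:\s+(?P<rest>.*))?$")
_COUNTERS = re.compile(
    r"\(cur, max, limit, tot\) = \((\d+), (\d+), (\d+), (\d+)\)")


def parse_status(text):
    """Return one dict per NODE/PORT/virtual/SERVICE/MEMBER line, carrying the
    status token (UP/DOWN; None for the virtual line, which has none), the
    owning NODE or virtual address, and the counters from the following line."""
    records, current, parent = [], None, None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            kind, name = m.group("kind"), m.group("name")
            if kind in ("NODE", "virtual"):
                parent = name
            rest = (m.group("rest") or "").split()
            status = rest[0] if rest and rest[0] in ("UP", "DOWN") else None
            current = {"kind": kind, "name": name, "parent": parent, "status": status,
                       "cur": 0, "max": 0, "limit": 0, "tot": 0}
            records.append(current)
            continue
        c = _COUNTERS.search(line)
        if c and current is not None:
            current["cur"], current["max"], current["limit"], current["tot"] = map(int, c.groups())
    return records


def find_problems(records, limit_ratio=0.9):
    """Findings: anything DOWN, and anything whose current connections have
    reached limit_ratio of a non-zero limit (limit 0 means no limit, which is
    how the node command's limit option removes one)."""
    problems = []
    for r in records:
        label = f"{r['kind']} {r['name']}"
        if r["kind"] not in ("NODE", "virtual") and r["parent"]:
            label += f" of {r['parent']}"
        if r["status"] == "DOWN":
            problems.append(f"{label} is DOWN")
        if r["limit"] and r["cur"] >= limit_ratio * r["limit"]:
            problems.append(f"{label} at {r['cur']}/{r['limit']} connections")
    return problems


if __name__ == "__main__":
    for finding in find_problems(parse_status(SAMPLE_OUTPUT)):
        print(finding)
```

In practice the text would come from the output of bigpipe itself (for example piped into this script), and the findings would be raised as alerts.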


Modifying nodes

Use the following syntax to set the maximum number of connections allowed for one or more node:service pairs:

b node <node_ip>:<service>... limit <max_conn>

Use the following syntax to set the maximum number of connections allowed for one or more node addresses:

b node <node_ip>... limit <max_conn>

To remove a connection limit in either case, issue the same command with the <max_conn> variable set to zero.

Use the following syntax to enable or disable traffic for one or more IP addresses:

b node <node_ip>... enable

b node <node_ip>... disable

Note


For information on using the bigpipe node command to associate a node with a health monitor, see monitor .

pool

b pool <pool name> {
member <ip>:<service> [ratio <num>] [priority <num>]...

[lb_method (rr | ratio | ratio_member | least_conn_member | observed_member | predictive_member | fastest | least_conn | predictive | observed | dynamic_ratio)]

[min_active_members <1-65535>]

[persist none |

persist simple simple_timeout <num> [simple_mask <ip mask> | none] |

persist sticky sticky_mask <ip mask> | none | (persist cookie cookie_mode insert | rewrite | passive [cookie_expiration [<num>d <hh>:<mm>:<ss>]] |

persist cookie cookie_mode hash cookie_name <cookie name> [cookie_hash_offset <num> cookie_hash_length <length>] |

persist ssl ssl_timeout <num> |

persist sip [sip_timeout <num>] |

persist msrdp |

persist <expr> persist_timeout <timeout> | [persist_mirror enable | disable]

]

[fallback [<protocol>://]<ip addr | hostname>[:<port>][<URI path>]]

[ip_tos to client <num> | pass] [ip_tos to server <num> | pass] [link_qos to client <num> | pass] [link_qos to server <num> | pass]

[forward] [snat | nat disable]

}

b pool <pool name> modify { select <expr> }

b pool <pool name> modify { persist <expr> persist_timeout <timeout> }

b pool <pool name> select none

b pool <pool name> modify { clone before pool < pool name> | clone after pool <pool name> }

b pool <pool name> [<pool name>...] delete

b pool <pool name> delete { member <ip>:<service> [member <ip>:<service>...] }

pool show

b pool [<pool name>] show

b pool [<pool name>] persist show

b pool [<pool name>] select show

b pool [<pool name>] lb_method show

b pool <pool name> persist dump [mirror]

b pool [<pool name>] ip_tos to client | server show

b pool [<pool name>] link_qos to client | server show

b -n pool <options>

 

Displays, creates, modifies, or deletes a pool definition. You can use pools to group nodes together with a common load-balancing mode and persistence mode.

Note that the member definition (that is, the member keyword with an IP address and service) is the only required option for the bigpipe pool command.


Options

The <pool name> variable is a string from 1 to 31 characters, for example, new_pool.

The member keyword and <ip>:<service> variable specify the IP address and service of the member node being added to the pool.

The ratio <num> option specifies a ratio number that you want the BIG-IP system to use in conjunction with the ratio load balancing method. The default ratio number is 1.

The priority <num> option specifies a priority that you want to assign to a pool member, to ensure that traffic is directed to that member before being directed to a member of a lower priority.

The lb_method <lb_method_specification> option specifies the load balancing mode that the BIG-IP system is to use for the specified pool.

The min_active_members <min_value> option specifies the minimum number of members that must remain available for traffic to be confined to a priority group when using priority-based activation.

The persist <persist_mode_specification> option specifies the persistence type that BIG-IP system is to use for the specified pool.

The <cookie name> variable specifies a cookie name, which must be 1-31 characters in length.

The persist_mirror option enables or disables mirroring of a persistence record to a standby unit. The persistence record identifies the connections to be persisted.

The fallback option specifies HTTP redirection, using a set of format strings. You can use these strings to indicate unchanged host names, ports, and URI paths. For more information, see Specifying HTTP redirection .

The ip_tos to client and ip_tos to server options specify the Type of Service (ToS) level to use when sending packets to a client or to a server.

The link_qos to client and link_qos to server options specify the Quality of Service (QoS) level to use when sending packets to a client or to a server.

The forward option specifies that the pool is to be a forwarding pool.

The snat disable option specifies that SNAT connections are to be disabled for that pool.

The nat disable option specifies that NAT connections are to be disabled for that pool.

The select <expr> option specifies the expression to be used to directly select a node in the pool.

The select none option removes a select statement from an existing pool.

The clone before pool and clone after pool attributes replicate traffic sent to a pool and send the copy to a member of the clone pool.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


Displaying a pool

Using the bigpipe pool command, you can display specific pools or all pools, and display persistence within a pool.

Use the following syntax to display all pools:

bigpipe pool show

Use the following syntax to display a specific pool, such as cgi_pool:

bigpipe pool cgi_pool show

Use a command such as the following to display persistence within a pool:

bigpipe pool cgi_pool persist show

Creating a pool

To create a pool, use command-line syntax such as the following:

bigpipe pool cgi_pool { lb_method rr member 10.2.3.11:http \
member 10.2.3.12:http }

This command creates a pool with two members 10.2.3.11:http and 10.2.3.12:http, which uses the round robin load balancing method.

If the lb_method option is not set, it defaults to round robin.

To create a pool using simple persistence, use command-line syntax such as the following:

bigpipe pool cgi_pool { lb_method rr persist_mode simple \
simple_timeout 100 simple_mask 255.255.255.0 \
member 10.20.3.11:http member 10.20.3.12:http }

This command creates a pool with two members, 10.20.3.11:http and 10.20.3.12:http, which uses the round robin load balancing method. Also, a simple persistence timeout of 100 seconds will be used with this pool. Note that an optional persistence mask may be specified with simple persistence.
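The ratio, priority and min_active_members options interact: ratio decides how picks are shared within the set of members currently in use, and priority with min_active_members decides which members that set contains. The following is an added example, not part of the manual, modelling that selection in code. It assumes that a higher priority number is served first, and that min_active_members 0 turns priority-based activation off so that every available member is eligible; the member addresses are constructed. The same weights are what the bigpipe ratio command sets per node address.

```python
"""Added example, not from the BIG-IP manual: a model of pool member
selection combining the ratio, priority and min_active_members options.
Assumptions: higher priority number is served first; min_active_members 0
disables priority-based activation. Members are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Member:
    address: str          # "ip:service"
    ratio: int = 1        # default ratio per the manual
    priority: int = 0
    up: bool = True       # monitor / node status


def active_members(members, min_active_members=0):
    """Priority-based activation: start with the highest priority group and
    add lower groups, in descending order, only while fewer than
    min_active_members available members have been selected."""
    available = [m for m in members if m.up]
    if min_active_members <= 0:
        return available
    groups = defaultdict(list)
    for m in available:
        groups[m.priority].append(m)
    selected = []
    for prio in sorted(groups, reverse=True):
        selected.extend(groups[prio])
        if len(selected) >= min_active_members:
            break
    return selected


class RatioScheduler:
    """lb_method ratio: hand out members in proportion to their ratio,
    re-evaluating availability and priority groups on every pick."""

    def __init__(self, members, min_active_members=0):
        self.members = members
        self.min_active_members = min_active_members
        self._turn = 0

    def next_member(self):
        pool = active_members(self.members, self.min_active_members)
        if not pool:
            return None                     # nothing to send traffic to
        # ratio 3 vs 1 -> A A A B, repeating
        sequence = [m for m in pool for _ in range(max(m.ratio, 1))]
        choice = sequence[self._turn % len(sequence)]
        self._turn += 1
        return choice


def distribution(scheduler, picks):
    """Count how many of the next `picks` selections land on each member."""
    counts = defaultdict(int)
    for _ in range(picks):
        m = scheduler.next_member()
        counts[m.address if m else None] += 1
    return dict(counts)


if __name__ == "__main__":
    pool = [Member("10.2.3.11:80", ratio=3, priority=1),
            Member("10.2.3.12:80", ratio=1, priority=1),
            Member("10.2.3.13:80", ratio=1, priority=0)]
    print(distribution(RatioScheduler(pool, min_active_members=2), 8))
    pool[0].up = False      # the ratio-3 member fails its monitor
    print(distribution(RatioScheduler(pool, min_active_members=2), 8))
```

With min_active_members 2 the priority-0 member only receives traffic once the priority-1 group has fewer than two available members, which is the standby behaviour the option is meant to give.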


Modifying a pool

You can modify a pool to change the defined attributes, such as adding or deleting members, changing the load balancing method, or changing the type of persistence being used.

The following example adds a new member to the existing pool cgi_pool:

bigpipe pool cgi_pool add { member 10.20.3.2:http }

The following example deletes a member from the existing pool cgi_pool:

bigpipe pool cgi_pool delete { member 10.20.3.2:http }


Deleting a pool

You can delete a pool altogether. For example, the following command deletes the pool cgi_pool:

bigpipe pool cgi_pool delete

Note that all references to a pool must be removed before a pool can be deleted.


Specifying HTTP redirection

To specify HTTP redirection (also known as fallback), you can use a set of format strings to indicate unchanged host names, ports, and URI paths. These format strings are as follows:

  • %h
    Host name, as obtained from the Host: header of the client
  • %p
    Port, from the virtual server listening port
  • %u
    URI path, as obtained from a GET/POST request

For example, the following command configures a pool to redirect an HTTP request from http://www.siterequest.com:8080/sample.html to https://www.siterequest.com:443/sample.html:

bigpipe pool my_pool fallback https://%h:443/%u

To indicate that the host name, port, and URI path remain unchanged, you would use the following command:

bigpipe pool my_pool fallback %h:%p/%u
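The format strings are simple, but the manual's own example hides two details worth seeing in code: the Host header the client sent was www.siterequest.com:8080, yet %h produced only the host name, and the templates carry a slash before %u, so the path is substituted without its leading slash. The following is an added example, not part of the manual, that expands a fallback template under those two assumptions and, because %h is taken from the client's Host header, checks the host against the names the virtual server is expected to serve before reflecting it. The hosts and templates are constructed.

```python
"""Added example, not from the BIG-IP manual: expand a fallback (HTTP
redirect) format string with %h, %p and %u. Assumptions of this example:
%u is substituted without its leading slash and %h drops any :port in the
Host header, so that the manual's own example yields a single slash."""
from urllib.parse import urlsplit


def host_from_header(host_header):
    """Host name only: strip a :port suffix, keeping bracketed IPv6 literals."""
    h = host_header.strip()
    if h.startswith("["):                      # [2001:db8::1]:8080 -> [2001:db8::1]
        return h[:h.index("]") + 1] if "]" in h else h
    return h.split(":", 1)[0]


def expand_fallback(template, host_header, vs_port, request_target):
    """Substitute %h (Host header host), %p (virtual server listening port)
    and %u (request URI path, leading slash removed, query dropped)."""
    path = urlsplit(request_target).path.lstrip("/")
    return (template.replace("%h", host_from_header(host_header))
                    .replace("%p", str(vs_port))
                    .replace("%u", path))


def redirect_location(template, host_header, vs_port, request_target, allowed_hosts):
    """Build the Location value, or return None when the Host header is not
    one of the names this virtual server serves. %h is client-supplied, so
    the allow-list (assumed to be maintained by the operator) keeps the
    redirect pointing at the site's own names."""
    host = host_from_header(host_header)
    if host.lower() not in {a.lower() for a in allowed_hosts}:
        return None
    return expand_fallback(template, host_header, vs_port, request_target)


if __name__ == "__main__":
    print(expand_fallback("https://%h:443/%u", "www.siterequest.com:8080", 8080, "/sample.html"))
    print(redirect_location("https://%h:443/%u", "other.example", 8080, "/sample.html",
                            ["www.siterequest.com"]))
```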


Specifying a load balancing mode

The load balancing modes are specified as values of the pool attribute lb_method. The lb_method values are shown in Table A.6.

Table A.6 Load balancing modes

Mode Name                  lb_method attribute value

Round Robin                rr (default)
Ratio                      ratio
Ratio Member               ratio_member
Fastest                    fastest
Fastest Member             fastest_member
Least Connections          least_conn
Least Connections Member   least_conn_member
Observed                   observed
Observed Member            observed_member
Predictive                 predictive
Predictive Member          predictive_member
Dynamic Ratio              dynamic_ratio

 

For more information about the load balancing modes, see Chapter 4, Pools .


power

b [-n] power [show]

 

Queries the status of the two power supplies in a redundant power supply configuration. Failover from one power supply to the other occurs transparently to the user.

Options

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.

The [show] option displays the status of the two power supplies, as follows:

b power [show]
top power supply: active
bottom power supply: down!


proxy

b proxy <ip>:<service> [unit <id>][{] target <virtual|server> <ip>:<service>
[[clientssl] enable|disable]
[clientssl] key <clientside key file name>
[[clientssl] cert <clientside certificate file name>]
[[clientssl] chain <clientside chain file name>]
[[clientssl] ca file <clientside CA file name>]
[[clientssl] ca path <clientside CA path>]
[[clientssl] client cert ca <clientside client certificate CA file name>]
[[clientssl] cipher insert [<enable | disable>]]
[[clientssl] client cert insert <([versionnum][serial][sigalg][issuer][validity]
[subject][subpubkey][x509ext][whole][hash])+|disable>]
[[clientssl] sessionid insert <([initial][current])+ | disable>]
[[clientssl] ciphers \"quoted string\"]
[[clientssl] invalid [SSLv2][SSLv3][TLSv1]]
[[clientssl] client cert <request | require | ignore>]
[[clientssl] authenticate <once | always>]
[[clientssl] authenticate depth <num>]
[[clientssl] crl file <clientside CRL file name>]
[[clientssl] crl path <clientside CRL path>]
[clientssl] cachesize <num>
[clientssl] cache timeout <num>

[serverssl <enable|disable>]
[serverssl key <serverside key file name>]
[serverssl cert <serverside certificate file name>]
[serverssl chain <serverside chain file name>]
[serverssl ca file <serverside CA file name>]
[serverssl ca path <serverside CA path>]
[serverssl crl file <serverside CRL file name>]
[serverssl crl path <serverside CRL path>]
[serverssl ciphers \"quoted string\"]
[serverssl invalid [SSLv2][SSLv3][TLSv1]]
[serverssl server cert <require | ignore>]
[serverssl authenticate depth <num>]
[header insert \"quoted string\"]
[redirects rewrite matching [enable] | all [enable] | disable]
[lasthop pool none|<lasthop pool name>]
[arp enable|disable]
[vlans <vlan name>[<vlan name>...] disable]
[tcp connlimit <limit>]
[}]

b proxy <ip>:<service> authz set auth hdr enable | disable

b proxy <ip>:<service> authz set remoteuser hdr enable | disable

b proxy <ip>:<service> authz models <model name>

b proxy <ip>:<service> authz onfailure mode accept | reject

b proxy <ip addr>:<service> OCSP responders <list of responders>

 

proxy show

b proxy <ip>:<service> unit show
b proxy <ip>:<service> target show
b proxy <ip>:<service> clientssl show
b proxy <ip>:<service> [clientssl] key show
b proxy <ip>:<service> [clientssl] cert show
b proxy <ip>:<service> [clientssl] chain show
b proxy <ip>:<service> [clientssl] ca file show
b proxy <ip>:<service> [clientssl] ca path show
b proxy <ip>:<service> [clientssl] client cert ca show
b proxy <ip>:<service> [clientssl] cipher insert show
b proxy <ip>:<service> [clientssl] sessionid insert show
b proxy <ip>:<service> [clientssl] ciphers show
b proxy <ip>:<service> delete
b proxy <ip>:<service> [clientssl] invalid show
b proxy <ip>:<service> [clientssl] client cert show
b proxy <ip>:<service> [clientssl] authenticate show
b proxy <ip>:<service> [clientssl] cache size show
b proxy <ip>:<service> [clientssl] cache timeout show
b proxy <ip>:<service> serverssl show
b proxy <ip>:<service> serverssl key show
b proxy <ip>:<service> serverssl cert show
b proxy <ip>:<service> serverssl chain show
b proxy <ip>:<service> serverssl ca file show
b proxy <ip>:<service> serverssl ca path show
b proxy <ip>:<service> serverssl ciphers show
b proxy <ip>:<service> serverssl invalid show
b proxy <ip>:<service> serverssl server cert show
b proxy <ip>:<service> serverssl authenticate depth show
b proxy <ip>:<service> header insert show
b proxy <ip>:<service> redirects rewrite show
b proxy <ip>:<service> lasthop pool show
b proxy <ip>:<service> arp show
b proxy <ip>:<service> vlans show
b proxy [<ip>:<service>...] show
b proxy <ip>:<service> tcp connlimit show
b proxy <ip>:<service> authz set auth hdr show
b proxy <ip>:<service> authz set remoteuser hdr show
b proxy <ip>:<service> authz models show
b -n proxy <options>

 

Creates, deletes, modifies, or displays the SSL or content converter proxy definitions on the BIG-IP system. For detailed information about setting up the SSL Accelerator feature, see the BIG-IP Solutions Guide, Chapter 11, Configuring an SSL Accelerator. For detailed information about setting up the content converter feature, see the BIG-IP Solutions Guide, Chapter 16, Configuring a Content Converter.

Options

The clientssl <enable | disable> option enables and disables the client-side SSL connection feature for the proxy being defined. If this option is omitted, the default is to have SSL enabled for all client-side connections.

The [clientssl] key <clientside key file name> option specifies a key file to be used as the private key corresponding to the clientside cert file specified by the <clientssl cert> option. This option is required when clientside SSL is enabled.

The [clientssl] cert <clientside cert file name> option specifies a certificate file to be used as the public key corresponding to the client-side key file specified by the <clientssl key> option. This certificate is used as a server certificate when the proxy authenticates itself to clients. This option is required when client-side SSL is enabled.

The [clientssl] chain <clientside chain file name> option specifies a chain file to be used to complete the certificate chain corresponding to the clientside cert file specified by the [clientssl] cert option. Certificates from this file are used as necessary to build up the certificate chain. This option is not required, even when client-side SSL is enabled.

The [clientssl] ca file <clientside CA file name> option specifies a CA file to be used primarily to authenticate client certificates, but also to complete the certificate chain corresponding to the client-side certificate file specified by the [clientssl] cert option. See also the [clientssl] chain option. The CA file may contain more than one certificate. This option is not required, even when client-side SSL is enabled.

The [clientssl] ca path <clientside CA path> option specifies a path to a directory of certificate files to be used primarily to authenticate client certificates, but also to complete the certificate chain corresponding to the client-side certificate file specified by the [clientssl] cert option. See also the [clientssl] chain and [clientssl] ca file options. Unlike the [clientssl] ca file option, only the first certificate in each certificate file with a valid symbolic link generated by the make option is examined (use the Makefile in the /config/bigconfig/ssl.crt/ directory to generate the links). This option is not required, even when client-side SSL is enabled.

The [clientssl] client cert ca <clientside client cert CA file name> option specifies a CA file containing one or more certificates to be advertised to clients as those CAs trusted for client authentication. Note that this list of CAs has no effect on and can be completely different from those actually used to authenticate clients; see the [clientssl] ca file option. If this option is not specified, no list of trusted CAs will be advertised to clients, which may prevent some clients from connecting when client certificates are requested or required.

The [clientssl] cipher insert [<enable | disable>] option enables and disables the prepending of an HTTP header containing the negotiated client cipher information. This header takes the form of "SSLClientCipher: <cipher>, version=<SSL-protocol-version>, bits=<cipher-strength-bits>". If this option is omitted, the default is to have client cipher insertion disabled.

The options [clientssl] client cert insert ([versionnum] [serial] [sigalg] [issuer] [validity] [subject] [subpubkey] [x509ext] [whole] [hash])+ enable the prepending of HTTP headers containing the client certificate information.

The [clientssl] sessionid insert ([initial] [current])+ option enables the prepending of HTTP headers containing the initial and/or current SSL session ID. These headers take the form of "SSLClientSessionID: <InitialSessionID>" and "SSLClientCurrentSessionID: <CurrentSessionID>" respectively, where the <InitialSessionID> and <CurrentSessionID> options are the hexadecimal representation of the corresponding SSL session ID. If this option is omitted, the default is to have client session ID insertion disabled.

The [clientssl] ciphers <list> option determines the set of ciphers available for client-side SSL negotiation. See <http://www.openssl.org/docs/apps/ciphers.html> for the format of <list>.

The [clientssl] invalid [SSLv2] [SSLv3] [TLSv1] option specifies the SSL protocol versions that must not be used for client-side SSL negotiation. SSLv2 is insecure; list it here at a minimum.

If the [clientssl] client cert request|require|ignore option is set to request or require, all clients are asked for a client certificate. If this option is omitted or set to ignore, the default is not to request a client certificate. If this option is set to require, clients not presenting a valid and trusted client certificate are not permitted to establish an SSL connection; with request, a client that presents no certificate still connects, so require is the setting that enforces client authentication. See also the [clientssl] ca file and [clientssl] client cert ca options.

If the [clientssl] authenticate <once|always> option is omitted or set to once, clients will be authenticated at most once for each SSL session. If this option is set to always, clients will be required to authenticate themselves (as directed by the [clientssl] client cert option) with each connection to the proxy.

The [clientssl] authenticate depth <num> option specifies the maximum number of certificates that will be traversed in a client certificate chain. If the certificate has not been verified in <num> steps, it will fail authentication. If this option is omitted, the default value is 9.

The [clientssl] cache size <num> option specifies the maximum number of entries in the client-side SSL session cache. If this option is omitted, the default value is 20000.

The [clientssl] cache timeout <num> option specifies the maximum lifetime of entries in the client-side SSL session cache in seconds. If this option is omitted, the default value is 300.

The serverssl enable | disable option enables and disables the server-side SSL connection feature for the proxy being defined. If this option is omitted, the default is to have SSL disabled for all server-side connections.

The serverssl key <serverside key file name> option specifies a key file to be used as the private key corresponding to the server-side certificate file specified by the serverssl cert option. This option is not required, even when server-side SSL is enabled.

The serverssl cert <serverside cert file name> option specifies a certificate file to be used as the public key corresponding to the server-side key file specified by the serverssl key option. This certificate will be used as a client certificate when the proxy is asked to authenticate itself to servers. This option is not required, even when server-side SSL is enabled.

The serverssl chain <serverside chain file name> option specifies a chain file to be used to complete the certificate chain corresponding to the server-side certificate file specified by the serverssl cert option Certificates from this file will be used as necessary to build up the certificate chain. This option is not required, even when server-side SSL is enabled.

The serverssl ca file <serverside CA file name> option specifies a CA file to be used primarily to authenticate server certificates, but also to complete the certificate chain corresponding to the server-side certificate file specified by the serverssl cert option. See also the serverssl chain option. The CA file may contain more than one certificate. This option is not required, even when server-side SSL is enabled.

The serverssl ca path <serverside CA path> option specifies a path to a directory with certificate files to be used primarily to authenticate server certificates, but also to complete the certificate chain corresponding to the server-side certificate file specified by the serverssl cert options. See also the serverssl chain and serverssl ca file options. Unlike the serverssl ca file option, only the first certificate in certificate files with valid symbolic links generated by the make option are examined (the Makefile in the /config/bigconfig/ssl.crt/ directory should be used). This option is not required, even when server-side SSL is enabled.

The serverssl ciphers <list> option determines the set of ciphers available for server-side SSL negotiation. See the file http://www.openssl.org/docs/apps/ciphers.html for the format of <list>.

The serverssl invalid [SSLv2] [SSLv3] [TLSv1] option specifies the SSL protocol versions that should not be used for server-side SSL negotiation.

The serverssl server cert require|ignore option determines whether server certificates are verified. If this option is set to require, all server certificates are verified against the configured CA (see the serverssl ca file and serverssl ca path options). If this option is set to ignore, server authentication fails only when a server presents an expired or malformed certificate, so the proxy does not establish who it is talking to. If this option is omitted, the default is to require verified server certificates; keep that default unless the back-end servers cannot present a verifiable certificate.

The serverssl authenticate depth <num> option specifies the maximum number of certificates that will be traversed in a server certificate chain. If the certificate has not been verified in <num> steps, it fails authentication. If this option is omitted, the default value is 9.

The header insert \"quoted string\" option specifies a string to be prepended to the block of HTTP headers supplied with each client request. This string should take the standard HTTP header form of "<field>: <value>".

The redirects rewrite matching [enable] | all [enable] | disable option enables the rewriting of HTTP 301, 302, 303, 305, or 307 redirects Location field to "Location: https://...". When matching is specified, only a redirect with a URI in the Location field matching the URI requested by the client will be rewritten. When all is specified, redirects are rewritten whether or not the URIs match. The port number specified in the redirect is also rewritten when it does not match the port of the proxy.

The lasthop pool none | <lasthop pool name> option specifies a lasthop pool to be used for the proxy. If this option is omitted, the default is to have no lasthop pool.

The arp enable | disable option enables and disables the arp for this proxy address. If this option is omitted, the default is to have arp enabled.

The vlans <vlan name> [<vlan name>...] enable|disable option enables and disables proxy access on existing VLANs. A proxy is accessible on all VLANs by default.

The authz models <model name> option specifies one or more authorization models that are to be associated with the specified proxy.

The ocsp responders <list of responders> option assigns a list of OCSP responders to the proxy.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


Creating a proxy server

The following example creates an SSL proxy:

bigpipe proxy 10.2.3.1:https target virtual 12.2.3.1:http \
key my.key cert my.crt

In this example, the BIG-IP system creates an SSL proxy that uses the key my.key and the certificate my.crt. As the syntax listed above shows, many options are available when creating an SSL proxy, such as the server-side SSL proxy option and the features related to client authentication.


Deleting a proxy server

You can delete an existing proxy server, using the following command-line syntax:

bigpipe proxy <ip>:<service> delete

ratio

b ratio <node_ip> [<node_ip> ...] <weight> | show

 

For the ratio load-balancing mode, this command sets the weight or proportion for one or more node addresses. For the priority load-balancing mode, the command sets the priority level. Note that multiple node addresses can have the same priority level setting.


Options

The <node_ip> variable specifies an IP address of a specific node.

The <weight> variable is a whole number that specifies the weight or priority of the node. The default weight for any node address is 1.

The show option displays the ratio weights for the specified node addresses.


Displaying ratio settings

To display the ratio settings for specific node addresses, use the following command-line syntax:

b ratio <node ip> [<node ip>...] show

The following shows some sample output:

192.168.200.51 ratio = 3

192.168.200.52 ratio = 1


Modifying ratio settings

The following command sets the ratio to 3 for the node address specified:

b ratio 192.168.103.20 3


reset

b [-n] reset

 

Clears the configuration values and counter values from memory.

Warning


Use this command with caution. All network traffic stops when you run this command.

Typically, this command is used on a standby BIG-IP system prior to loading a new /config/bigip.conf file that contains new service enable and timeout values.

For example, you can execute the following commands on a standby BIG-IP system:

b reset

b load <filename>

This sequence of commands ensures that only the values set in the <filename> specified are in use.

Note


This command does not delete any externally-stored classes. For information on how to delete externally-stored classes, see Chapter 5, iRules.

The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


responder

b responder <name> calist file <filename>

b responder <name> url <url>

b responder <name> valperiod <number>

b responder <name> respcert file <filename>

b responder <name> signcert file <filename>

b responder <name> signkey file <filename>

b responder <name> req sign digest sha1 | md5

b responder <name> req certid digest sha1 | md5

b responder <name> ignore aia enable | disable

b responder <name> trust signer enable | disable

 

Sends certificate revocation status to the SSL proxy. Until the SSL proxy receives this status from the Online Certificate Status Protocol (OCSP) responder, the proxy blocks the connection. If the OCSP responder rejects the certificate, the proxy denies the connection.


Options

The responder <name> option specifies a name that identifies a responder definition.

The calist file <filename> option specifies an X509 store containing the certificates of the certificate authorities (CAs) that are to be serviced by this particular responder. The CAs in this store must match the issuer of the certificate currently being validated with OCSP. The match is determined by inspecting the subject field of the issuing certificate. You populate this store by specifying a bundle-type .crt file, which contains all necessary CA certificates.

The url <url> option specifies the URL used to contact the OCSP service on the responder.

The valperiod <number> option specifies a number of seconds that is used to indicate an acceptable error range. This parameter is used when the OCSP responder clock and a client clock are not synchronized, which could cause a certificate status check to fail. This value must be a positive number. The default setting is 300.

The respcert file <filename> option specifies a certificate that verifies the signature of the response from the responder. This parameter is needed in the event that the responder is not covered by the certificates already loaded into the responder's CA store.

The signcert file <filename> and signkey file <filename> options specify a certificate and key used to sign an OCSP request.

  • If the certificate is specified but the key is not specified, then the private key is read from the same file as the certificate.
  • If neither the certificate nor the key is specified, then the request is not signed.
  • If the certificate is not specified and the key is specified, then the configuration is considered to be invalid.

The req sign digest sha1 | md5 option specifies the algorithm for signing the request, using the signing certificate and key.

This parameter has no meaning if request signing is not in effect (that is, both the request signing certificate and request signing key parameters are empty).

This parameter is required only when request signing is in effect. The default setting is sha1.

The req certid digest sha1 | md5 option specifies the algorithm for hashing the certificate information used to create the certificate ID that is sent to the responder. The default setting is sha1.

The ignore aia enable | disable variable specifies an instruction to ignore the URL contained in the certificate's AIA fields and to always use the URL specified by the responder instead.

If not defined, this value is assumed to be zero (0). The default setting is disable.

The trust signer enable | disable variable specifies an instruction to:

  • Search the SSL proxy's list of trusted CAs for the certificate used to sign the response.
  • Refrain from constructing a chain.

    If not defined, this value is assumed to be zero (0). The default setting is disable.
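The signcert/signkey rules, the valperiod skew tolerance, the ignore aia choice and the admission decision described above, as an added Python model (not F5's code). Exactly how valperiod widens the response validity window, what happens to the AIA URL when ignore aia is disabled, and the handling of an "unknown" status are assumptions noted in the code.

```python
"""Model of the responder options that govern request signing and clock skew
(added example, not F5 code).  The three signcert/signkey rules and the 300 s
valperiod default are from the manual; the way valperiod widens the validity
window is an assumption stated in response_time_valid()."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class Responder:
    name: str
    url: str
    calist: str                           # bundle .crt of the CAs this responder serves
    valperiod: int = 300                  # seconds of tolerated clock skew (default)
    signcert: Optional[str] = None
    signkey: Optional[str] = None
    req_sign_digest: str = "sha1"         # only meaningful when signing is in effect
    ignore_aia: bool = False
    trust_signer: bool = False


def request_signing(r: Responder) -> Optional[Tuple[str, str]]:
    """Resolve the signcert/signkey combination per the manual's three rules.

    Returns (cert_file, key_file) when requests are signed, None when they are
    not, and raises ValueError for the one combination the manual calls invalid.
    """
    if r.signcert and r.signkey:
        return r.signcert, r.signkey
    if r.signcert:                        # key is read from the certificate file
        return r.signcert, r.signcert
    if r.signkey:
        raise ValueError(f"responder {r.name}: signkey without signcert is invalid")
    return None


def validate(r: Responder) -> list:
    """Collect the configuration problems a 'b responder' definition must not have."""
    problems = []
    if r.valperiod <= 0:
        problems.append("valperiod must be a positive number of seconds")
    if r.req_sign_digest not in ("sha1", "md5"):
        problems.append("req sign digest must be sha1 or md5")
    try:
        request_signing(r)
    except ValueError as e:
        problems.append(str(e))
    return problems


def responder_url(r: Responder, aia_url: Optional[str]) -> str:
    """ignore aia enable: always use the configured URL.  Otherwise (assumption)
    a URL found in the certificate's AIA extension takes precedence."""
    if r.ignore_aia or not aia_url:
        return r.url
    return aia_url


def response_time_valid(r: Responder, this_update: datetime,
                        next_update: Optional[datetime], now: datetime) -> bool:
    """Assumed model of valperiod: thisUpdate may lie up to valperiod seconds in
    the future and nextUpdate up to valperiod seconds in the past, relative to
    the proxy's clock, before the status check is treated as failed."""
    skew = timedelta(seconds=r.valperiod)
    if this_update - skew > now:
        return False
    if next_update is not None and next_update + skew < now:
        return False
    return True


def admit(cert_status: Optional[str]) -> str:
    """Proxy decision for one client certificate: blocked until a status arrives,
    then allowed only for 'good'.  Treating 'unknown' like a rejection is an
    assumption of this model."""
    if cert_status is None:
        return "blocked"
    return "allowed" if cert_status == "good" else "denied"
```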


    Viewing responder definition parameters

    Use the following commands, specifying a responder name, to show responder parameter values.

    b responder <name> calist file [show]
    b responder <name> url [show]
    b responder <name> valperiod [show]
    b responder <name> respcert file [show]
    b responder <name> signcert file [show]
    b responder <name> signkey file [show]
    b responder <name> req sign digest [show]
    b responder <name> req certid digest [show]
    b responder <name> ignore aia [show]
    b responder <name> trust signer [show]


    rule

    b rule <rule_name> '{ if ( <expression> ) { <if statement> | <use pool statement> | <discard statement> | <cache statement> | <redirect statement> | <log statement> | <accumulate statement> | <hash statement> <if statement> } [ { else <statement> } ] [ { else if <statement> } ] }'

    b rule <rule_name> '{ discard }'

    b rule <rule_name> '{ use pool <pool_name> }'

    b rule <rule_name> '{ cache ( <expression> ) { origin_pool <pool_name> cache_pool <pool_name> [ hot_pool <pool_name> ] [ hot_threshold <hit_rate> ] [ cool_threshold <hit_rate> ] [ hit_period <seconds> ][ content_hash_size <sets_in_content_hash> ] [ persist <expression> ]} }'

    b rule <rule_name> '{ redirect <redirect URL> }'

    b rule <rule_name> '{ hash ( variable ) }'

    b rule <rule_name> { if '( <statement> )' { use pool '( <statement> )' } }

    b rule <rule_name> { if '( <statement> )' { use pool '( <statement> )' } else { '( <statement> )' } }

    b rule <rule_name> { if '( <statement> )' { use pool '( <statement> )' } else { '( <discard_statement> )' } }

    b rule <rule_name> { if '( <statement> )' { use pool '( <statement> )' } else { '( <redirect_statement> )' } }

    b rule <rule_name> { if '( <statement> )' { use pool '( <statement> )' } else { '( <cache_statement> )' } }

    b rule <rule_name> { if '( <statement> )' { use pool '( <statement> )' } else { '( <log_statement> )' } }

    b rule <rule_name> { if '( <statement> )' { use pool '( <statement> )' } else { '( <accumulate_statement> )' } }

    b rule <rule_name> delete

    b rule <rule_name> show

     

    Creates, deletes, or displays the rules on the BIG-IP system. Rules allow a virtual server to access any number of pools on the BIG-IP system: a rule selects a pool based on a simple or complex expression. For more detailed information about using rules, see Chapter 5, iRules.

    Note


    Before you define a rule, you must define the pool or pools that you want the rule to reference.

    Rule statements

    The <rule_name> variable specifies the name of a rule.

    The <if statement> variable asks a true or false question and, depending on the answer, takes some action.

    A <use pool statement> variable uses a selected pool for load balancing. This statement must be conditionally associated with an if statement.

    A <discard statement> variable discards the request. This statement must be conditionally associated with an if statement.

    A <cache statement> variable uses a selected pool for load balancing. This statement can be conditionally associated with an if statement. For attributes that you can use within a cache statement, see Cache statement attributes.

    A <redirect statement> variable sends traffic to a specific destination, rather than to a pool for load balancing.

    A <log statement> variable logs a message to the Syslog facility. The statement does this by performing variable expansion on the message as defined for header_insert.

    An <accumulate statement> variable terminates rules processing until another packet containing additional data is received from the originating client. This statement is useful with the http_content and tcp_content rule variables, when not enough data has been received to be successfully evaluated.

    The <pool_name> variable specifies the name of a pool to be associated with the specified rule.


    Cache statement attributes

    Table A.7 shows the attributes that can be used as arguments within cache statements.

     

    Attribute

    Description

    origin_pool <pool_name>

    This required attribute specifies a pool of servers with all the content to which requests are load balanced when the requested content is not cacheable or when all the cache servers are unavailable or when you use a BIG-IP system to redirect a miss request from a cache.

    cache_pool <pool_name>

    This required attribute specifies a pool of cache servers to which requests are directed to optimize cache performance.

    hot_pool <pool_name>

    This optional attribute specifies a pool of servers that contain content to which requests are load balanced when the requested content is frequently requested (hot). If you specify any of the following attributes in this table, the hot_pool attribute is required.

    hot_threshold <hit_rate>

    This optional attribute specifies the minimum number of requests for content that cause the content to change from cool to hot at the end of the period (hit_period).

    cool_threshold <hit_rate>

    This optional attribute specifies the maximum number of requests for specified content that cause the content to change from hot to cool at the end of the period.

    hit_period <seconds>

    This optional attribute specifies the period in seconds over which to count requests for particular content before deciding whether to change the hot or cool state of the content.

    content_hash_size <sets_in_content_hash>

    This optional attribute specifies the number of subsets into which the content is divided when calculating whether content is hot or cool. The requests for all content in the same subset are summed, and a single hot or cool state is assigned to each subset. This attribute should be within the same order of magnitude as the actual number of requests possible. For example, if the entire site is composed of 500,000 pieces of content, a content_hash_size of 100,000 would be typical.

    persist <expression>

    This optional attribute specifies an expression that will be evaluated and used to persist to the same node within the cache pool.
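An added Python model (not F5's code) of the hot/cool bookkeeping these attributes control: requests are bucketed into content_hash_size subsets, hot_threshold and cool_threshold are applied at the end of each hit_period, and the pool is chosen from the subset's state. The CRC32 bucket function and counting every request toward the period are assumptions.

```python
"""Model of the hot/cool bookkeeping behind the cache statement attributes in
Table A.7 (added example, not F5 code).  Requests are bucketed into
content_hash_size subsets; at the end of each hit_period a subset turns hot
when its hits reached hot_threshold and cool when they fell to cool_threshold.
The CRC32 bucket function is an assumption chosen to make the run repeatable."""
import zlib
from collections import defaultdict


class CacheRule:
    def __init__(self, hot_threshold, cool_threshold, hit_period,
                 content_hash_size, pools=None):
        if cool_threshold >= hot_threshold:
            raise ValueError("cool_threshold must be below hot_threshold")
        self.hot_threshold = hot_threshold
        self.cool_threshold = cool_threshold
        self.hit_period = hit_period
        self.size = content_hash_size
        # Pool names as they would appear in the rule's cache statement.
        self.pools = pools or {"origin": "origin_pool", "cache": "cache_pool",
                               "hot": "hot_pool"}
        self.hot = set()                  # subset ids currently in the hot state
        self.hits = defaultdict(int)      # hits per subset in the current period
        self.period_start = 0

    def subset(self, uri):
        """Map a piece of content to one of content_hash_size subsets."""
        return zlib.crc32(uri.encode()) % self.size

    def _end_periods(self, now):
        """Close every hit_period that has elapsed up to `now`, applying the
        thresholds once per period and resetting the counters.  A hot subset
        that saw no requests at all is examined too, so it can cool down."""
        while now - self.period_start >= self.hit_period:
            for s in set(self.hits) | self.hot:
                n = self.hits.get(s, 0)
                if s in self.hot and n <= self.cool_threshold:
                    self.hot.discard(s)
                elif s not in self.hot and n >= self.hot_threshold:
                    self.hot.add(s)
            self.hits.clear()
            self.period_start += self.hit_period

    def select_pool(self, uri, now, cacheable=True, cache_available=True):
        """Return the pool a request for `uri` at time `now` is sent to, and
        count the request toward the current period."""
        self._end_periods(now)
        self.hits[self.subset(uri)] += 1
        if not cacheable or not cache_available:
            return self.pools["origin"]   # origin_pool serves misses and outages
        if self.subset(uri) in self.hot:
            return self.pools["hot"]
        return self.pools["cache"]
```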

     

    Functions

    The iRules feature offers a set of functions that you can use within rule expressions. You can specify two kinds of functions within rules: functions that return a string, and functions that return a node name.


    Functions that return a string

    The following functions within expressions are used primarily to implement persistence within a pool. These functions therefore return a string that you specify. Table A.8 lists and describes these functions.

     
    Function Name Description
    findstr()

    Finds a string, <expr>, within another string and returns the string starting at the offset specified from the match. The findstr() function takes the following arguments:

    findstr(<expr>, <string>, <offset>)

    findstr(<expr>, <string>, <offset>, <length>)

    findstr(<expr>, <string>, <offset>, <termchr>)

    substr()

    Returns the string starting at the offset specified. The substr() function takes the following arguments:

    substr(<expr>, <offset>)
    substr(<expr>, <offset>, <length>)
    substr(<expr>, <offset>, <termchr>)

    getfield()

    Splits a string, <expr>, on a character, <split>, and returns the string corresponding to the specific field. The getfield() function takes the following arguments:

    getfield(<expr>, <split>, <fieldnum>)

    findclass()

    Finds the member of a class that contains the result of the specified expression and returns that class member. The findclass() function takes the following arguments:

    findclass(<expr>, <classname>)

    decode_uri()

    Evaluates the expression and returns a string with any %XX escape sequences decoded as per HTTP escape sequences defined in RFC2396. The decode_uri() function takes the following arguments:

    decode_uri(<expr>)

    domain()

    Parses and returns up to the specified number, <count>, of trailing parts of a domain name from the specified expression. The domain() function takes the following arguments:

    domain(<expr>, <count>)

    imid()

    Used to parse the http_uri variable for an i-mode identifier string that can be used for i-mode persistence. The imid() function takes no arguments and simply returns the string representing the i-mode identifier.

     

    Functions that return a node name

    The following functions within expressions are used to directly select a particular node (pool member) within a pool. Table A.9 lists and describes these functions.

     
    Function Name Description
    node()

    Returns a literal node address converted from either a string representation of an address and port or a literal number representing the node address as an integer. The node() function is designed primarily to be used with the persist expressions for selecting a node on which to persist.

    The node() function takes the following arguments:

    node(<expr>)

    mapclass2node()

    Represents a short-hand combination of the functions findclass(), findstr(), and node(). The mapclass2node() function takes the following arguments:

    mapclass2node(<expr>, <classname>, [<delim>])

    wlnode()

    Returns a literal node address converted from either a string representation of an address and port, a literal number representing the node address as an integer, or a literal node address. The wlnode() function is designed primarily to be used with the persist expressions for selecting a node to which to persist.

    The wlnode() function takes the following arguments:

    wlnode(<expr>)

     

    Variable operands

    Table A.10 lists the variable operands that can be used within rule statements. For more information, see Chapter 5, iRules.

     

    IP Packet Header Variables

    client_addr

    Used to represent the client's source IP address. This variable is replaced with an unmasked IP address.

    server_addr

    Used to represent the destination IP address of the packet. This variable is replaced with an unmasked IP address. It is useful when load balancing traffic to a wildcard virtual server.

    client_port

    Used to represent a client port number.

    server_port

    Used to represent a server port number.

    ip_protocol

    Used to represent an IP protocol. This variable is replaced with a numeric value representing an IP protocol such as TCP, UDP, or IPSEC.

    link_qos

    Used to represent the Quality of Service (QoS) level.

    ip_tos

    Used to represent the Type of Service (ToS) level.

    vlan_id

    Used to represent a VLAN ID.

    HTTP Request String Variables

    http_method

    The http_method variable is the action of the HTTP request. Common values are GET or POST.

    http_uri

    The http_uri variable is the URL, but does not include the protocol and the fully qualified domain name (FQDN). For example, if the URL is http://www.url.com/buy.asp, then the URI is /buy.asp.

    http_version

    The http_version variable is the HTTP protocol version string. Possible values are "HTTP/1.0" or "HTTP/1.1".

    http_content [(<minlength>)]

    The http_content variable evaluates the string following an HTTP content tag that you specify.

    http_content_collected

    The http_content_collected variable returns the amount of content that has currently been collected.

    http_host

    The http_host variable is the value in the Host: header of the HTTP request. It indicates the actual FQDN that the client requested. Possible values are an FQDN or a host IP address in dotted notation.

    http_cookie <cookie_name>

    The http_cookie <cookie_name> variable is the value in the Cookie: header for the specified cookie name. A Cookie: header line can contain one or more cookie name/value pairs; the variable evaluates to the value of the cookie named <cookie_name>. For example, given a request with the following cookie header line:

    Cookie: green-cookie=4; blue-cookie=horses

    The variable http_cookie blue-cookie evaluates to the string horses. The variable http_cookie green-cookie evaluates to the string 4.

    http_header <header_tag_string>

    The http_header <header_tag_string> variable evaluates to the string following the HTTP header tag that you specify; for example, http_header "Host" yields the same value as the http_host variable. If you wanted to load balance based on the host name andrew, the rule statement might look as follows:

    if ( http_header "Host" starts_with "andrew" ) { use ( andrew_pool ) } else { use ( main_pool ) }

    TCP Request String Variables

    tcp_content

    The tcp_content variable allows you to create a basic expression that load balances traffic based on arbitrary data within a TCP/IP connection.

    tcp_bytes_collected

    The tcp_bytes_collected variable returns the amount of content that has currently been collected.

     

    Binary Operators

    The binary operators that can be used within rule statements are as follows:

    • or
    • and
    • contains
    • matches
    • equals
    • starts_with
    • ends_with
    • matches_regex
    • one of
    • redirect to

    Creating a rule

    Rules are generally added to an existing bigip.conf file. Note that the rule body should not be enclosed with single quotes in the bigip.conf file. For example:

    Figure A.6 A rule typed into the bigip.conf


    rule cgi_rule {
    if ( http_uri ends_with "cgi" ) { use pool ( cgi_pool )}
    else { use pool ( another_pool ) }
    }
     

    In this example, if the http_uri string ends with "cgi", then the members of pool cgi_pool are used. Otherwise, the members of pool another_pool are used.
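A small interpreter for the rule fragments on this page (cgi_rule above, the http_cookie and http_header variables, and the binary operators), added as an example that is not part of the manual or of the BIG-IP implementation; the request values it evaluates against are constructed, and only the statements and variables listed in its docstring are supported.

```python
"""Interpreter for the rule subset shown on this page (added example, not F5
code): if/else, the binary operators, use pool and discard, and the http_uri,
http_host, client_addr, http_cookie <name> and http_header "<tag>" variables.
REQUEST and its Cookie: line are constructed for the demonstration."""
import re

REQUEST = {"client_addr": "10.12.12.10", "http_uri": "/scripts/search.cgi",
           "http_host": "andrew.example.com", "headers": {"Host": "andrew.example.com",
           "Cookie": "green-cookie=4; blue-cookie=horses"}}
CGI_RULE = ('if ( http_uri ends_with "cgi" ) { use pool ( cgi_pool )} '
            'else { use pool ( another_pool ) }')
OPERATORS = {"==": lambda a, b: a == b, "equals": lambda a, b: a == b,
             "contains": lambda a, b: b in a, "starts_with": str.startswith,
             "ends_with": str.endswith, "matches_regex": lambda a, b: re.search(b, a) is not None}
TOKEN = re.compile(r'"[^"]*"|[A-Za-z_][\w\-]*|\d[\d.]*|==|[(){}]')


class RuleParser:
    """Recursive descent producing nested tuples: ("if", cond, then, else),
    ("and"|"or", l, r), ("cmp", op, lhs, rhs), ("var", name, arg), ("lit", s)
    and the actions ("use pool", name) and ("discard",)."""

    def __init__(self, text):
        self.toks, self.pos = TOKEN.findall(text), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expect=None):
        tok = self.peek()
        if tok is None or (expect is not None and tok != expect):
            raise SyntaxError(f"expected {expect or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def statement(self):
        tok = self.take()
        if tok == "if":
            self.take("("); cond = self.condition(); self.take(")")
            self.take("{"); then = self.statement(); self.take("}")
            otherwise = None
            if self.peek() == "else":
                self.take(); self.take("{"); otherwise = self.statement(); self.take("}")
            return ("if", cond, then, otherwise)
        if tok == "use":                          # use pool ( p )  or  use pool p
            self.take("pool")
            if self.peek() == "(":
                self.take(); name = self.take(); self.take(")")
            else:
                name = self.take()
            return ("use pool", name)
        if tok == "discard":
            return ("discard",)
        raise SyntaxError(f"unknown statement {tok!r}")

    def condition(self):                          # comparison (and|or comparison)*
        left = self.comparison()
        while self.peek() in ("and", "or"):
            left = (self.take(), left, self.comparison())
        return left

    def comparison(self):
        lhs, op = self.operand(), self.take()
        if op not in OPERATORS:
            raise SyntaxError(f"unknown operator {op!r}")
        return ("cmp", op, lhs, self.operand())

    def operand(self):
        tok = self.take()
        if tok.startswith('"') or tok[0].isdigit():
            return ("lit", tok.strip('"'))
        if tok in ("http_cookie", "http_header"):  # variables that take an argument
            return ("var", tok, self.take().strip('"'))
        return ("var", tok, None)


def variable(req, name, arg):
    """Resolve a rule variable; http_cookie walks the name=value pairs of the
    Cookie: line the way the manual's green-cookie/blue-cookie example shows."""
    if name == "http_cookie":
        pairs = (p.strip().partition("=") for p in req["headers"].get("Cookie", "").split(";"))
        return next((v for k, _, v in pairs if k == arg), "")
    if name == "http_header":
        return req["headers"].get(arg, "")
    return str(req.get(name, ""))


def evaluate(node, req):
    """Walk the tree: conditions yield values, statements yield the selected action."""
    kind = node[0]
    if kind == "if":
        if evaluate(node[1], req):
            return evaluate(node[2], req)
        return evaluate(node[3], req) if node[3] else None
    if kind in ("and", "or"):
        left = evaluate(node[1], req)
        return (left and evaluate(node[2], req)) if kind == "and" else (left or evaluate(node[2], req))
    if kind == "cmp":
        return OPERATORS[node[1]](evaluate(node[2], req), evaluate(node[3], req))
    if kind == "var":
        return variable(req, node[1], node[2])
    return node[1] if kind == "lit" else node    # literal string, or a terminal action


def run_rule(rule_text, req):
    return evaluate(RuleParser(rule_text).statement(), req)
```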

    If the rule is defined on the bigpipe command line, you can either surround each pair of parentheses in single quotation marks ('), or place a pair of single quotation marks around the braces. These two methods of defining a rule on the command line are shown as follows:

    b rule <name> if '{ <if_stmt> | <use_stmt> | <discard_stmt> | <redirect_stmt> | <log_stmt> | <accumulate_stmt> | <cache_stmt> }'

    For example:

    b rule my_rule { if '(client_addr == 10.12.12.10)' { use pool pool_A80 } }

    b rule my_rule '{ if (client_addr == 10.12.12.10) { use pool pool_B80 } }'


    Associating a rule with virtual server

    Associate a rule with a virtual server using the following format:

    bigpipe virtual 10.20.2.101:http use rule cgi_rule


    Deleting a rule

    Delete a rule using the following format:

    bigpipe rule cgi_rule delete


    Displaying a rule

    Display all rules using the following syntax:

    bigpipe rule show

    Or to display a specific rule:

    bigpipe rule <rule name> show


    save

    b save [ <filename> | - ]

    b base save [ <filename> | - ]

    b -n save <options>

     

    Writes the current BIG-IP system configuration settings from memory to the configuration files /config/bigip.conf and /config/bigip_base.conf. (/config/bigip.conf stores high-level configuration settings, such as pools, virtual servers, NATs, SNATs, and proxies. /config/bigip_base.conf stores low-level configuration settings, such as VLANs, non-floating self IP addresses, and interface settings.)

    To write the configuration to a file, type b save <filename>. To display the configuration on the standard output device instead, type a hyphen character (-) in place of the file name:

    b [base] save -

    If you are testing and integrating BIG-IP units into a network, you may want to use multiple test configuration files. Use the following syntax to write the current configuration to a file name that you specify:

    b [base] save <filename>

    For example, the following command saves the current configuration from memory to an alternate configuration file named /config/bigip.conf2.

    b save /config/bigip.conf2

    The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


    self

    b self <ip_addr> vlan <vlan_name> [netmask <ip_mask> [broadcast <broadcast_addr>]] [unit <id>] [floating enable | disable] [snat automap enable | disable ]

    b self <ip_addr> vlan <vlangroup_name>

    b self <ip_addr> floating enable | disable

    b self <ip_addr> delete

    b self <ip_addr> show

    b self [<ip_addr>] vlan show

    b self show

    b self <ip_addr> snat automap enable | disable

    b -n self <options>

     

    Defines a self IP address on a BIG-IP system or 3-DNS Controller. A self IP address is an IP address mapping to a VLAN or VLAN group and their associated interfaces on a BIG-IP system or 3-DNS Controller. One self IP address is assigned to each interface on the unit as part of the first-time boot configuration, along with a floating (shared) self IP address for units in a redundant system. Additional self IP addresses may be created for health checking, gateway fail-safe, routing, or other purposes. These additional self IP addresses are created using the self command.


    Options

    The <ip_addr> variable specifies an IP address to assign to the BIG-IP system or 3-DNS Controller.

    The vlan <vlan_name> option specifies the VLAN to which the self IP address is being assigned.

    The vlan <vlangroup_name> option specifies the VLAN group to which the self IP address is being assigned.

    The netmask <ip_mask> option specifies an IP mask used to set the network of the self IP address.

    The broadcast <broadcast_addr> option specifies the broadcast address.

    The unit <id> option specifies an optional unit ID, 1 or 2. The default value is 1.

    The floating option enables or disables a floating self IP address.

    The snat automap option enables or disables SNAT automapping on the specified self IP address. Once snat automap is enabled, the self IP address can be used as the translation address when SNAT automapping is enabled for a VLAN.

    The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


    Creating self IP addresses

    The following are examples of using the bigpipe self command to create self IP addresses:

    b self 10.1.0.1 vlan external netmask 255.255.0.0

    b self 10.2.0.1 vlan internal netmask 255.255.0.0

    For a redundant configuration, the IP addresses that are shared by the two units are configured as floating IP addresses. For example:

    b self 10.1.1.1 vlan external netmask 255.255.0.0 floating enable

    b self 10.2.1.1 vlan internal netmask 255.255.0.0 floating enable

    To create self IP addresses that are shared between the two units in an active-active configuration, assign a unit number to each self IP address, as in the following examples:

    b self 10.1.1.1 vlan external netmask 255.255.0.0 unit 1 floating enable

    b self 10.1.1.2 vlan external netmask 255.255.0.0 unit 2 floating enable

    b self 10.2.1.1 vlan internal netmask 255.255.0.0 unit 1 floating enable

    b self 10.2.1.2 vlan internal netmask 255.255.0.0 unit 2 floating enable


    service

    b service <service> [<service>...] limit <limit>

    b service <service> [<service>...] tcp enable | disable

    b service <service> [<service>...] timeout tcp <timeout>

    b service <service> [<service>...] udp enable | disable

    b service <service> [<service>...] timeout udp <timeout>

    b service [<service>... ] [show]

    b service [<service>... ] stats reset

    b -n service <options>

     

    Enables and disables network traffic on services, and also sets connection limits and timeouts. An idle connection is one in which no data has been received or sent for the number of seconds specified by the service timeout command.

    The default timeout value for tcp services is 1005 seconds, and 60 seconds for udp services. For idle connection reaping to be effective, you should set the timeout value to be greater than the configured timeout for the service daemons installed on your nodes.

    You can use port numbers or service names (for example, www, http, or 80) for the <service> parameter. Note that the settings you define with this command control the service for all virtual servers that use it. By default, all services are disabled.


    Options

    The <service> variable specifies any valid port number, between 1 and 65535, inclusive, or any valid service name in the /etc/services file.

    The <limit> variable specifies the maximum number of simultaneous connections to be allowed to the service for all virtual servers. To turn off a connection limit for a service, specify a value of 0.

    The <timeout> variable specifies the number of seconds until a connection to the service times out.

    The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


    snat

    b snat map <orig_ip> [<orig_ip>...] to <snat_ip> [unit <unit ID>] [netmask <ip>] [arp disable] [vlan <vlan_name>... disable]

    b snat map default to <snat_ip> [unit <unit ID>] [netmask <ip>] [arp disable] [vlan <vlan_name>... disable]

    b snat map default to auto

    b snat map <orig_ip> | <vlan name> [<orig_ip> | <vlan name>...] to auto

    b snat default show

    b snat default dump [verbose]

    b snat [<snat_ip>] dump [verbose]

    b snat globals show

    b snat <snat_ip> show | delete

    b snat auto show | delete

    b snat <snat_ip> arp show

    b snat [<orig_ip>] limit <max_conn>

    b snat default limit <max_conn>

    b snat <orig_ip> mirror enable | disable

    b snat default mirror enable | disable

    b snat <orig_ip> timeout tcp | udp <seconds>

    b snat default timeout tcp | udp <seconds>

    b snat <orig_ip> stats reset

    b snat default stats reset

    b snat <orig_ip> disable | enable

    b snat <snat_ip> vlans <vlan_list> disable | enable

    b snat <snat_ip> vlans enable all

    b snat <snat_ip> vlans show

    b snat <snat_ip> arp [enable | disable]

     

    The snat command creates and deletes secure network address translations (SNATs), and displays information about them. A SNAT defines one or more addresses that nodes can use as a source IP address when initiating connections to hosts on the external network. Note that clients cannot use SNAT addresses to connect directly to nodes.

    This command also allows you to set properties on a SNAT. A SNAT defines the relationship between an externally visible IP address, or translated address, and a group of internal IP addresses, or originating addresses, of individual servers at your site.


    Options

    The <orig_ip> variable specifies an originating IP address, that is, an address that is behind the BIG-IP system.

    The <snat_ip> variable specifies a translated IP address, that is, an address that is outside the BIG-IP system.

    The <unit ID> variable specifies a unit ID, currently 1 or 2. The default unit ID value is 1.

    The <vlan_name> variable specifies the name of an existing VLAN on which access to the SNAT is enabled or disabled. By default, a SNAT is accessible on all VLANs.

    The <limit> variable specifies a connection limit.

    The <seconds> variable specifies the number of seconds for timeout.

    The auto option enables SNAT automapping.


    Defining a SNAT

    SNATs map one or more originating addresses to a single translated address. Use the following syntax to define one or many originating addresses to translated address maps:

    b snat map <orig_ip> [<orig_ip>... ] to <snat_ip>

    For example, the following command maps a SNAT, which has two clients, to a single translated address:

    b snat map 192.140.100.10 192.140.100.20 to 192.168.11.22

    You can set the following properties on a SNAT:

    • A connection limit (limit option)
    • A tcp timeout value (timeout tcp option)
    • A udp timeout value (timeout udp option)
    • Connection mirroring (mirror option)
    • ARP enable or disable
    • A VLAN deny access list

    Deleting SNAT

    Use the following command-line syntax to permanently delete a SNAT from the BIG-IP system configuration:

    b snat <snat_ip> [<snat_ip>...] delete


    stp

    b stp <stp_name> interfaces add <interface_name> [<interface name>...] | all

    b stp <stp_name> hello <num>

    b stp <stp_name> max_age <num>

    b stp <stp_name> forward_delay <num>

    b stp <stp_name> interface <interface_name> priority <num>

    b stp <stp_name> interface <interface_name> path_cost <num>

    b stp <stp_name> interfaces delete <interface_name> [<interface name>...]

    b stp <stp_name> enable | disable

    b stp [<stp_name>] show

     

    The BIG-IP Application Switch provides a Spanning Tree Protocol (STP) implementation for loop resolution in configurations where one or more external switches are connected in parallel with the BIG-IP system. This feature allows you to configure two or more interfaces on the platform as an STP domain. For interfaces in the STP domain, the spanning tree algorithm identifies the most efficient path between the network segments, and establishes the switch associated with that path as the root. Links forming redundant paths are shut down, to be re-activated only if the root fails.

    The STP domain should contain all ports that are connected in parallel to an external switch where there are nodes on the link capable of generating or receiving traffic. You will want a second domain if there is an additional switch or switches connected in parallel with additional BIG-IP interfaces.

    Options

    The <stp_name> variable specifies an arbitrary name for the spanning tree protocol (STP) domain.

    The <interface_name> variable specifies an interface name, for example, 3.1.

    The show option displays the interfaces that make up the STP domain.


    summary

    b summary


    Displays a summary of current usage statistics. The output display format for the summary command is shown in Figure A.7. You can find detailed descriptions of each statistic displayed by the summary command, as well as output of the bigpipe summary command, in Administering the BIG-IP System.

    Figure A.7 Example of a bigpipe summary display screen


    BIG-IP total uptime = 1 (day) 4 (hr) 40 (min) 8 (sec)
    BIG-IP total uptime (secs) = 103208
    BIG-IP total # connections = 0
    BIG-IP total # pkts = 0
    BIG-IP total # bits = 0
    BIG-IP total # pkts(inbound) = 0
    BIG-IP total # bits(inbound) = 0
    BIG-IP total # pkts(outbound) = 0
    BIG-IP total # bits(outbound) = 0
    BIG-IP error no nodes available = 0
    BIG-IP tcp port deny = 0
    BIG-IP udp port deny = 0
    BIG-IP virtual tcp port deny = 0
    BIG-IP virtual udp port deny = 0
    BIG-IP max connections deny = 0
    BIG-IP virtual duplicate syn ssl = 0
    BIG-IP virtual duplicate syn wrong dest = 0
    BIG-IP virtual duplicate syn node down = 0
    BIG-IP virtual maint mode deny = 0
    BIG-IP virtual addr max connections deny = 0
    BIG-IP virtual path max connections deny = 0
    BIG-IP virtual non syn no handler deny = 7
    BIG-IP error virtual fragment no port = 0
    BIG-IP error virtual fragment no conn = 0
    BIG-IP error standby shared drop = 0
    BIG-IP tcp timeouts = 0
    BIG-IP udp timeouts = 0
    BIG-IP ssl timeouts = 0
    BIG-IP persist timeouts = 0
    BIG-IP memory errors = 0

    Total Number of CPUs = 1
    BIG-IP Mode = UP MODE
    BIG-IP mem pool total 96636758 mem pool used 95552 mem percent used 0.10

    trunk

    b trunk <controlling_link> define <link> [<link>...]

    b trunk [<controlling_link>...] show [verbose]

    b trunk [<controlling_link>...] stats reset

    b trunk <controlling_link> [<controlling_link>...] delete


    The trunk command aggregates links (individual physical interfaces) to form a trunk. This link aggregation increases the bandwidth of the individual NICs in an additive manner. Thus, four fast Ethernet links, if aggregated, create a single 400 Mb/s link. The other advantage of link aggregation is link failover. If one link in a trunk goes down, traffic is simply redistributed over the remaining links.

    A trunk must have a controlling link and acquires all the attributes of that controlling link from Layer 2 and above. Thus, the trunk automatically acquires the VLAN membership of the controlling link but does not acquire its media type and speed. Outbound packets to the controlling link are load balanced across all of the known-good links in the trunk. Inbound packets from any link in the trunk are treated as if they came from the controlling link.

    A maximum of eight links may be aggregated. For optimal performance, links should be aggregated in powers of two. Thus, ideally, you will aggregate two, four, or eight links. Gigabit and Fast Ethernet links cannot be placed in the same trunk.

    For more information on interface naming, see Chapter 3, Post-Setup Tasks. To display a list of the interfaces on your system, see the bigpipe interface command.

    Options

    The <controlling_link> variable specifies the name of the interface chosen to be the controlling link for the trunk.

    The <link> variable specifies an interface name.

    The show option displays information and statistics for the trunk, on a single line.

    The <verbose> option, used with the show option, displays the information and statistics for the trunk in wordier form.

    The delete option deletes the specified interface.

    Trunk options example

    The following example shows how to create a trunk with a controlling link and two aggregated links:

    b trunk 1.1 define 2.1 3.1


    unit

    b unit [show]

    b unit peer [show]


    The unit number on a system designates which virtual servers use a particular unit in an active-active redundant configuration. You can use the bigpipe unit command to display the unit number assigned to a particular BIG-IP system. For example, to display the unit number of the unit you are on, type the following command:

    b unit show

    To display the unit number of the other unit in a redundant system, type in the following command:

    b unit peer show

    Note


    If you use this command on a redundant system in active/standby mode, the active unit shows as unit 1 and 2, and the standby unit has no unit numbers.

    Tip


    The bigpipe unit peer show command is the best way to determine whether the respective state mirroring mechanisms are connected.

    verbose

    b verbose <log_level_name> [<log_level_name>...]


    Used to modify the verbose log level. This command is an alternative to using the bigpipe global verbose_log_level command.

    Table A.11 compares use of the bigpipe verbose command to use of the bigpipe global verbose_log_level command.

    b verbose command                                     b global verbose command

    b verbose bigip_udp_port_denial                       b global verbose_log_level 1
        Turns UDP port denial logging on. This logs UDP port denials to the
        BIG-IP system address.

    b verbose bigip_tcp_port_denial                       b global verbose_log_level 2
        Turns TCP port denial logging on. This logs TCP port denials to the
        BIG-IP system address.

    b verbose virtual_server_udp_port_denial              b global verbose_log_level 4
        Turns virtual UDP port denial logging on. This logs UDP port denials to
        the virtual server address.

    b verbose virtual_server_tcp_port_denial              b global verbose_log_level 8
        Turns virtual TCP port denial logging on. This logs TCP port denials to
        the virtual server address.

    b verbose bigip_udp_port_denial                       b global verbose_log_level 15
    b verbose bigip_tcp_port_denial
    b verbose virtual_server_udp_port_denial
    b verbose virtual_server_tcp_port_denial
        Turns UDP and TCP port denial on for both virtual server and BIG-IP
        system addresses.


    Options

    The <log_level_name> option specifies the name of one of the logging levels described in Table A.11. You can use any combination of <log_level_name> options.
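    The four verbose log level names in Table A.11 are the bits of the single integer that b global verbose_log_level takes (1, 2, 4, 8, and 15 for all four together). The following POSIX shell functions, added here as an example and not part of the manual, convert a list of names into that integer and decode an integer back into names, rejecting unknown names and out-of-range values so that a typo does not silently leave port-denial logging off. The bit values are taken from Table A.11; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the BIG-IP manual): map the bigpipe verbose
# <log_level_name> values of Table A.11 onto the integer accepted by
# "b global verbose_log_level", and back again.
# Bit values assumed from Table A.11: 1, 2, 4, 8.

# verbose_bit NAME -> the bit Table A.11 assigns to NAME (fails if unknown)
verbose_bit() {
    case "$1" in
        bigip_udp_port_denial)          echo 1 ;;
        bigip_tcp_port_denial)          echo 2 ;;
        virtual_server_udp_port_denial) echo 4 ;;
        virtual_server_tcp_port_denial) echo 8 ;;
        *) echo "unknown log level name: $1" >&2; return 1 ;;
    esac
}

# verbose_level_from_names NAME... -> integer level; fails on any unknown name
verbose_level_from_names() {
    level=0
    for name in "$@"; do
        bit=$(verbose_bit "$name") || return 1
        level=$(( level | bit ))   # bitwise OR, so a repeated name is harmless
    done
    echo "$level"
}

# verbose_names_from_level INT -> names on one line, lowest bit first
verbose_names_from_level() {
    level=$1
    case "$level" in
        ''|*[!0-9]*) echo "level must be a non-negative integer" >&2; return 1 ;;
    esac
    if [ "$level" -gt 15 ]; then
        echo "level $level sets bits outside the 1-15 range of Table A.11" >&2
        return 1
    fi
    out=
    for pair in 1:bigip_udp_port_denial 2:bigip_tcp_port_denial \
                4:virtual_server_udp_port_denial 8:virtual_server_tcp_port_denial; do
        bit=${pair%%:*}
        name=${pair#*:}
        [ $(( level & bit )) -ne 0 ] && out="$out${out:+ }$name"
    done
    echo "$out"
}

# global_command_for NAME... -> the equivalent "b global verbose_log_level N"
global_command_for() {
    lvl=$(verbose_level_from_names "$@") || return 1
    echo "b global verbose_log_level $lvl"
}

# Demonstration when the script is run directly.
global_command_for bigip_udp_port_denial virtual_server_tcp_port_denial
verbose_names_from_level 15
```

    Running the script prints b global verbose_log_level 9 for the two-name case and the four names for level 15. Decoding is useful when reviewing a saved configuration: a verbose_log_level of 6, for instance, means only bigip_tcp_port_denial and virtual_server_udp_port_denial are being logged.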

    verify

    b [log] verify <command>[...]

    b verify load [<filename> | -]

    b -n verify <options>


    Parses the command line and checks syntax without executing the specified command. This distinguishes between valid and invalid commands.

    Use the verify command followed by a command that you want to validate:

    b verify virtual 10.10.10.100:80 use pool my_pool

    The command checks the syntax and logic, reporting any errors that would be encountered if the command executed.

    Use the verify command together with the load <filename> command to validate the specified configuration file. For example, to check the syntax of the configuration file /config/altbigip.conf, use the following command:

    b verify load /config/altbigip.conf

    The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


    version

    b [-n] version


    Displays the version of the BIG-IP operating system and the features enabled.

    For example, for a BIG-IP HA system, the bigpipe version command displays the output shown in Figure A.8.

    Figure A.8 The version output display


    Product Code:
    BIG-IP HA

    Enabled Features:
    SSL Gateway Gateway Failsafe
    Static Load Balancing Snat
    Nat Pools
    Akamaizer Full Proxy
    Late Binding HTTP Rules
    Mirroring Failover
    Node HA Dynamic Load Balancing
    Destination Address Affinity Cookie Persistence
    SSL Persistence Simple Persistence
    EAV ECV SSL
    ECV ECV Transparent
    Health Check Filter

    The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.

    virtual

    b virtual <virt_ip>[:<service>] [unit <ID>] [netmask <ip> [broadcast <ip>]] use pool <pool_name>

    b virtual <virt_ip>:<service> [/<bitmask>][unit <ID>] use pool <pool_name>

    b virtual <virt_ip>[:<service>] [unit <ID>] [netmask <ip>] use rule <rule_name>

    b virtual <virt_ip>[:<service>] [unit <ID>] [netmask <ip>] forward

    b virtual <virt_ip>:<service> translate port enable | disable | show

    b virtual <virt_ip>:<service> svcdown_reset enable | disable | show

    b virtual <virt_ip>:<service> translate addr enable | disable | show

    b virtual <virt_ip>:<service> lasthop pool <pool_name> | none | show

    b virtual <virt_ip>:<service> mirror conn enable | disable | show

    b virtual <virt_ip>:<service> conn rebind enable | disable | show

    b virtual [<virt_ip:service>] stats reset

    b virtual <virt_ip>:<service> accelerate enable | disable | show

    b virtual <virt_ip>:<service> use pool <pool_name> accelerate disable

    b virtual <virt_ip>:<service> vlans <vlan_list> disable | enable

    b virtual <virt_ip>:<service> vlans show

    b virtual <virt_ip> arp enable | disable | show

    b virtual <virt_ip> any_ip enable | disable

    b virtual <virt_ip> any_ip timeout <seconds>

    b virtual <virt_ip> [:<service>] [...<virt_ip>[:<service>]] show

    b virtual <virt_ip> [:<service>] [...<virt_ip>[:<service>]] enable|disable

    b virtual <virt_ip>[:<service>] [ ... <virt_ip>[:<service>]] delete

    b virtual <virt_ip>[:<service>] [... <virt_ip>[:<service>]] limit <max_conn>

    b virtual <virt_ip>[:<service>] syncookie_threshold <num>

    b virtual <vlan_name>[:<service>]

    b virtual <vlan_name> use pool <pool_name>

    b -n virtual <options>


    Creates and deletes virtual servers, and displays information about them. This command also allows you to set properties on a virtual server, such as connection mirroring, connection limits, and timeouts.

    A virtual server defines the relationships between an externally visible IP address that clients use to connect to your site, and the internal IP addresses of individual member servers that actually provide services for your site.


    Options

    The <virt_ip> variable specifies the IP address of the virtual server.

    The <service> variable specifies a port number or service name.

    The netmask <ip> variable specifies the IP address of the netmask.

    The broadcast <ip> variable specifies the IP address of the broadcast IP.

    The <bitmask> variable specifies a number representing the bits that are the network part of the virtual IP address.

    The <vlan_list> variable specifies the name of one or more existing VLANs for which you want to enable or disable access. By default, a virtual server is accessible on all VLANs.

    The <ID> variable specifies a unit ID, currently 1 or 2. The default value for the unit ID is 1.

    The <addr> variable specifies the IP address, of the form 10.20.30.40.

    The use pool <pool name> option specifies the name of an existing server pool.

    The <rule name> variable specifies the name of an existing rule that the virtual server should reference.

    The translate port option enables, disables, or shows port translation for a virtual server.

    The svcdown_reset option causes the BIG-IP system to immediately reap all connections for a node that transitions to a down state. When this option is disabled (the default setting), the BIG-IP system allows all currently-active connections to proceed.

    The translate addr option enables, disables, or shows address translation for a virtual server.

    The lasthop pool option allows you to specify a pool to which to send connections back, instead of using the same router from which the connection was received.

    The mirror conn option enables, disables, or shows the mirroring of connections in active/standby configurations.

    The conn rebind option enables, disables, or shows dynamic connection rebinding.

    The stats reset option resets statistics for a virtual server.

    The accelerate option enables, disables, or shows FastFlow acceleration, that is, increased speed of packet flow for TCP connections when the packets are not fragmented.

    The arp option causes the BIG-IP system to respond to ARP requests for the virtual server address and send a gratuitous ARP request for router table updates.

    The any_ip timeout <seconds> option

    The any_ip option allows you to configure a virtual server to load balance IP traffic other than TCP and UDP traffic, such as IPSEC traffic.

    The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.

    The syncookie_threshold option activates the SYN Check feature when some threshold of connections has been reached on a virtual server. The default value for the SYN Check threshold is disabled.


    Defining a virtual server using pools and rules

    To associate a pool of members with a virtual server, use a command such as the following:

    b virtual 10.20.2.102:http use pool cgi_pool

    To associate a rule with a virtual server, use a command such as the following:

    b virtual 10.20.2.102:http use rule cgi_rule


    Defining a virtual server with a wildcard port

    Use the following command-line syntax to define an individual virtual server and the node or nodes to which the virtual server maps. Note that this syntax allows wildcard ports:

    b virtual <virt_ip> use pool <pool name> | rule <rule name>

    You can also create multiple wildcard servers, one per VLAN. To create a wildcard server for a VLAN, use the following syntax:

    bigpipe virtual <vlan_name> use pool <pool_name>


    Deleting a virtual server

    Use the following command-line syntax to permanently delete one or more virtual servers from the BIG-IP system configuration:

    b virtual <virt_ip>:<service>... <virt_ip>:<service> delete


    vlan

    b vlan <vlan_name> rename <new_vlan_name>

    b vlan <vlan_name> delete

    b vlan <vlan_name> tag <tag_number>

    b vlan <vlan_name> interfaces add [tagged] <if_list>

    b vlan <vlan_name> interfaces delete <if_list>

    b vlan <vlan_name> interfaces delete all

    b vlan <vlan_name> interfaces [show]

    b vlan <vlan_name> port_lockdown enable | disable

    b vlan <vlangroup_name> proxy_forward enable | disable

    b vlan <vlan_name> snat automap enable | disable

    b vlan <vlan_name> mirror vlans <vlan1> [<vlan2>]

    b vlan <vlan_name> mirror hash enable

    b vlan <vlan_name> mirror hash port enable

    b vlan <vlan_name> mirror vlans internal

    b vlan <vlan_name> mirror vlans internal admin

    b vlan <vlan_name> failsafe arm | disarm | [show]

    b vlan <vlan_name> timeout <seconds> | [show]

    b vlan [show]

    b vlan <vlan_name> [show]

    b vlan <vlan_name> mac_masq delete

    b vlan <vlan_name> mac_masq <mac_addr> | [show]

    b vlan <vlan_name> mac_masq 0:0:0:0:0:0

    b vlan <vlan name> fdb add <MAC address> interface <if_name>

    b vlan <vlan name> fdb delete <MAC address> interface <if_name>

    b vlan <vlan name> fdb show static | dynamic | [show]

    b -n vlan <options>


    This command creates, displays and modifies settings for VLANs. VLANs are part of the base configuration.

    When creating a VLAN, a tag value (VLAN ID) for the VLAN is automatically chosen unless it is specified on the command line. If a tag is specified on the command line and that tag number is 0, the vlan command creates an empty VLAN.

    A VLAN can have both tagged and untagged interfaces. An interface can be added to a single VLAN as an untagged interface. Also, an interface can be added to multiple VLANs as a tagged interface.

    The vlan command defines VLANs, VLAN mappings, and VLAN properties. By default, each interface on a BIG-IP system or 3-DNS Controller is an untagged member of a VLAN. The lowest-numbered interface is assigned to the external VLAN, the interface on the main board is assigned to the admin VLAN, and all other interfaces are assigned to the internal VLAN.


    Options

    The <vlan name> variable specifies a VLAN name, 1-15 characters in length.

    The tag <tag number> option specifies a valid VLAN tag number, in the range 0-4095. Note that if 0 is specified as the tag number, the vlan command creates an empty VLAN.

    The <if_list> variable specifies a list of interfaces to be added to or deleted from a VLAN.

    The interfaces add [tagged] option specifies that the interfaces specified with the <if_list> argument are to be added to the specified VLAN, as either tagged or untagged interfaces.

    The interfaces delete option deletes the interfaces specified with the <if_list> argument from the specified VLAN, or, with the all keyword, deletes all interfaces for the specified VLAN.

    The interfaces show option shows all interfaces for the specified VLAN.

    The port_lockdown option enables or disables connection to the BIG-IP system through the specified VLAN.

    The proxy_forward option enables or disables proxy forwarding, for purposes of L2 forwarding.

    The failsafe option allows you to arm, disarm, or show the fail-safe mechanism for redundant systems.

    The timeout <seconds> option specifies a timeout value for the fail-safe mechanism.

    The snat automap option enables SNAT automapping for the specified VLAN.

    The mirror vlans option specifies the VLANs to receive replicated packets.

    The rename <new_vlan_name> option specifies the name to which you want to rename the specified VLAN.

    The <if_name> variable specifies an interface name.

    The mac_masq <MAC address> option specifies a MAC address, such as 0:a0:be:ef:1f:3a, that will be shared by both BIG-IP units in a redundant system.

    The fdb option adds or deletes a static entry in the L2 forwarding table, consisting of the specified MAC address on the specified interface, or shows the static or dynamic entries for the specified VLAN.

    The -n option displays services and IP addresses numerically rather than by service name and host name, respectively.


    vlangroup

    b vlangroup [<vlangroup name>...] [show]

    b vlangroup [<vlangroup name>...] list

    b vlangroup <vlangroup name> [<vlangroup name>...] delete

    b vlangroup <vlan name> tag <number>

    b vlangroup [<vlangroup name>...] tag [show]

    b vlangroup [<vlangroup name>...] interfaces [show]

    b vlangroup <vlan name> vlans add <vlan if name list>

    b vlangroup <vlangroup name> vlans delete <vlan if name list>

    b vlangroup <vlangroup name> vlans delete all

    b vlangroup [<vlangroup name>...] vlans [show]

    b vlangroup <vlangroup name> [<vlangroup name>...] port_lockdown enable | disable

    b vlangroup [<vlangroup name>...] port_lockdown [show]

    b vlangroup <vlangroup name> [<vlangroup name>...] proxy_forward enable | disable

    b vlangroup [<vlangroup name>...] proxy_forward [show]

    b vlangroup <vlangroup name> [<vlangroup name>...] failsafe arm | disarm

    b vlangroup [<vlangroup name>...] failsafe [show]

    b vlangroup <vlangroup name> [<vlangroup name>...] timeout <number>

    b vlangroup [<vlangroup name>...] timeout [show]

    b vlangroup <vlangroup name> snat automap enable | disable (deprecated)

    b vlangroup <vlangroup name> [<vlangroup name>...] mac_masq <MAC addr>

    b vlangroup [<vlangroup name>...] mac_masq [show]

    b vlangroup <vlangroup name> [<vlangroup name>...] fdb add | delete <MAC addr> interface <if name>

    b vlangroup [<vlangroup name>...] fdb [show]

    b vlangroup [<vlangroup name>...] fdb show static | dynamic

    b vlangroup <vlan name> rename <vlan name>

    b -n vlangroup <options>


    The vlangroup command defines a VLAN group, which is a grouping of two or more VLANs belonging to the same IP network for the purpose of allowing L2 packet forwarding between those VLANs.

    The VLANs between which the packets are to be passed must be on the same IP network, and they must be grouped using the vlangroup command. For example:

    b vlangroup network11 { vlans add internal external }

    A self IP address must be assigned to the VLAN group using the following command:

    b self <ip_addr> vlan network11

    L2 forwarding must be enabled for the VLAN group using the VLAN proxy_forward attribute. This attribute is enabled by default when the VLAN group is enabled.

    Note that if a VLAN belongs to multiple VLAN groups, you can only delete the VLAN from one VLAN group at a time.
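    The three steps above (group the VLANs, assign a self IP address, confirm proxy_forward) plus attaching a virtual server are usually applied together, and a mistake in one of them leaves the system half-configured. The following POSIX shell script, added here as an example and not part of the manual or the BIG-IP software, generates the bigpipe commands for that procedure and runs each of them through b verify (described under the verify command) before applying any of them, so that a syntax error in the last command stops the whole change. It assumes bigpipe is reachable as $BIGPIPE (default b); the group name network11, the self IP 10.20.2.1, the virtual server 10.20.2.102:http and the pool cgi_pool are constructed placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the BIG-IP manual): emit the bigpipe commands that
# create a VLAN group, give it a self IP, enable L2 forwarding and attach a
# virtual server, then verify every command before applying any of them.
# Assumptions: "$BIGPIPE" names the bigpipe binary (default "b"); the
# names and addresses in the demonstration are constructed placeholders.

BIGPIPE=${BIGPIPE:-b}

# vlangroup_commands GROUP SELF_IP VIRT_IP:SERVICE POOL VLAN VLAN... -> commands, one per line
vlangroup_commands() {
    group=$1; self_ip=$2; virt=$3; pool=$4
    shift 4
    # A VLAN group is "two or more VLANs belonging to the same IP network".
    [ $# -ge 2 ] || { echo "a VLAN group needs two or more VLANs" >&2; return 1; }
    echo "vlangroup $group { vlans add $* }"
    echo "self $self_ip vlan $group"
    echo "vlangroup $group proxy_forward enable"
    echo "virtual $virt use pool $pool"
}

# apply_verified: read commands from stdin; run "verify" on all of them first and
# apply only if every one passes, so a bad line never leaves a partial change.
apply_verified() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    failed=0
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        # "b verify <command>" parses and checks syntax without executing.
        if ! $BIGPIPE verify $cmd; then     # word splitting of $cmd is intended
            echo "verify failed: $cmd" >&2
            failed=1
        fi
    done < "$tmp"
    if [ "$failed" -ne 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        $BIGPIPE $cmd || { rm -f "$tmp"; return 1; }
    done < "$tmp"
    rm -f "$tmp"
}

# Dry run by default: print the command plan. Set RUN_DEPLOY=1 to verify and apply.
vlangroup_commands network11 10.20.2.1 10.20.2.102:http cgi_pool internal external
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
    vlangroup_commands network11 10.20.2.1 10.20.2.102:http cgi_pool internal external | apply_verified
fi
```

    The command list is written to a temporary file so that it is read twice from the same source: once for verification, once for application. Setting BIGPIPE to a wrapper function or script is a convenient way to test the plan without a BIG-IP system at hand.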


    Options

    The <vlangroup name> variable specifies a VLAN group name, 1-15 characters in length.

    The arguments available with the bigpipe vlangroup command are the same as those for the bigpipe vlan command, except for the vlangroup option previously described. For a description of these options, see Options under the vlan command.
