Release Note: BIG-IP APM Virtual Edition 10.2.3

Original Publication Date: 10/13/2011

Summary:

This release note contains information related to downloading and configuring BIG-IP® Access Policy Manager™ Virtual Edition (VE).

Contents:

  - Access Policy Manager VE host machine requirements and recommendations
  - Creating the Access Policy Manager Virtual Edition virtual machine
  - Powering on the Access Policy Manager Virtual Edition virtual machine
  - Assigning a management IP address to a Virtual Edition virtual machine
  - Contacting F5 Networks

What is Virtual Edition?

Access Policy Manager Virtual Edition (VE) is a version of the Access Policy Manager system that runs as a virtual machine, packaged to run in a VMware® hypervisor environment. Access Policy Manager VE includes all features of Access Policy Manager, running on standard hardware.

Note: The Access Policy Manager VE product license determines the maximum allowed throughput rate. To view this rate limit, you can display the Access Policy Manager VE licensing page within the Configuration utility or Administrative console.

Virtual Edition updates

You can update Access Policy Manager Virtual Edition with the same updates, hotfixes, and patches as the hardware version of Access Policy Manager. Access Policy Manager VE does not require separate software updates.

Access Policy Manager Virtual Edition compatibility with VMware hypervisor products

Access Policy Manager Virtual Edition (VE) is compatible with VMware ESX® 4.0 and 4.1, and VMware ESXi™ 4.0 and 4.1 hosts.

VMware system architecture components

The high-level architecture of Access Policy Manager Virtual Edition consists of a VMware guest environment, a hypervisor layer, and a physical layer.

VMware guest environment
    This layer represents an image of Access Policy Manager VE, potentially sharing physical resources with other virtual machines running on the same hardware platform.

VMware hypervisor layer
    The VMware hypervisor software layer is a bare-metal hypervisor that simulates a set of dedicated resources for each Access Policy Manager virtual machine.

Hardware platform layer
    Physical resources such as CPU, memory, data storage, and network interface cards (NICs).

VMware guest environment

The virtual machine guest environment for VE includes these minimum characteristics:

  • 1 virtual CPU
  • 1 GB RAM
  • 3 virtual network adapters (e1000)
  • 1 40 GB LSI Logic disk

Note: When you use the VMware vSphere client system to deploy VE on the ESX or ESXi host system, it is important that you retain the guest environment characteristics as shown here. Modifying these characteristics can produce unexpected results. Also note that the guest environment does not support vmmemctl, the memory balloon driver.


Deployment overview for Virtual Edition on VMware ESX or ESXi

To deploy the Access Policy Manager VE system on a VMware ESX or ESXi server, you perform the tasks described in the following sections.

After you complete these tasks, you can log in to BIG-IP VE and run the Setup utility. Using the Setup utility, you can perform basic network configuration tasks such as assigning VLANs to interfaces.

Access Policy Manager VE host machine requirements and recommendations

There are specific requirements for the host system on which the Access Policy Manager VE system can run.

To successfully deploy and run the Access Policy Manager VE system, the host system must contain the following:

  • VMware ESX 4.0 or 4.1, or ESXi 4.0 or 4.1
  • VMware vSphere Client
  • Connection to a common NTP source. This is especially important for each host in a redundant system configuration. For more information, see the Best Practices section of this document.
  • Virtual hardware version 7

F5 Networks highly recommends that the host system contain CPUs based on AMD-V or Intel-VT technology.

Creating the Access Policy Manager Virtual Edition virtual machine

The first step in deploying Access Policy Manager VE is to download the Zip file to your local system. You then run the Deploy OVF Template wizard from within VMware vSphere Client. This wizard copies the file to the ESX/ESXi server and configures some network interface settings. Note that the Zip file contains a virtual disk image based on an Open Virtualization Format (OVF) template. By following the steps in this procedure, you create an instance of the Access Policy Manager system that runs as a virtual machine on the host system.

Important: Do not modify the configuration of the VMware guest environment. This includes the settings for the CPU, RAM, and network adapters. Doing so can produce unexpected results.

  1. In a browser, open the F5 Downloads page, https://downloads.f5.com.
  2. Download the Access Policy Manager VE package.
  3. Extract the files from the Zip archive.
  4. Start VMware vSphere and log in.
  5. From the File menu, choose Deploy OVF Template.
    The Deploy OVF Template wizard starts.
  6. On the Source screen, click Deploy from file, and, using the Browse button, locate the OVA file.
    For example: \MyDocuments\Work\Virtualization\BIG-IP-10.2.1.xxxx.ova
  7. Click Next.
    The OVF Template Details screen opens.
  8. Verify that the OVF template details are correct, and click Next.
    This displays the End User License Agreement.
  9. Read and accept the license agreement and click Next.
    The Name and Location screen opens.
  10. In the Name box, type a name for the Access Policy Manager virtual machine, such as: test_ve_system_1.
  11. In the Inventory Location pane, select a folder name.
    Click Next.
  12. If the host system is controlled by VMware vCenter, the Host Cluster screen opens. Choose the desired host and click Next. Otherwise, proceed to the next step.
  13. Map the source network Management Network to the name of a destination management network in your inventory. An example of a destination management network is Management.
  14. Map the source network Internal Network to the name of a destination non-management network in your inventory. An example of a destination internal network is Private Access.
  15. Map the source network External Network to the name of an external network in your inventory. An example of a destination external network is Public Access.
  16. Click Next.
    The Ready to Complete screen opens.
  17. Verify that all deployment settings are correct, and click Finish.

You can view the status of the Access Policy Manager VE virtual machine on the VMware vSphere Client screen.

Powering on the Access Policy Manager Virtual Edition virtual machine

You must power on the Access Policy Manager VE virtual machine.

  1. From the main vSphere Client window, click the Administration menu.
  2. In the left pane, select the virtual machine that you want to power on.
  3. Click the Summary tab, and, in the Commands area, click Power On.

Assigning a management IP address to a Virtual Edition virtual machine

VE needs an IP address assigned to its virtual management port.

  1. From the main vSphere Client window, click the Administration menu.
  2. In the left pane, select the virtual machine to which you want to assign the management IP address.
  3. Click the Console tab.
  4. After a few seconds, a login prompt appears.
  5. At the <user name> login prompt, type maintenance.
  6. At the Password prompt, type default.
  7. Follow the instructions to set up the network and configure an administrative password.

Best practices for deploying Virtual Edition

When deploying Virtual Edition on a VMware ESX or ESXi host, you should follow these best practices.

Shared storage for virtual machines
    Use NFS for shared virtual machine storage, although all types of VMware-supported storage are acceptable.

Redundant system configuration
    Run the two units of an active/standby pair on separate physical hosts. You can accomplish this in two ways. You can manually create a virtual machine peer on each host, or, if you are using VMware Dynamic Resource Scheduler (DRS), you can create a DRS rule with the option Separate Virtual Machine that includes each unit of the BIG-IP VE redundant pair. Note that BIG-IP VE does not support VMware Fault Tolerance technology. For information on creating a DRS rule, refer to VMware's vSphere manuals.

Live migration of BIG-IP VE virtual machines
    Perform live migration of BIG-IP VE virtual machines (using VMware VMotion) on idle BIG-IP VE virtual machines only. Live migration of BIG-IP VE while the virtual machine is processing traffic could produce unexpected results.

VMware DRS environments
    In DRS environments, perform live migration of BIG-IP VE virtual machines (using VMware VMotion) on idle BIG-IP VE virtual machines only. Live migration of BIG-IP VE while the virtual machine is processing traffic could produce unexpected results. Disable automatic migrations by adjusting the VMware VMotion DRS Automation Level to Partially Automated, Manual, or Disabled on a per-BIG-IP VE basis.

Resource reservations
    Increase the 2GHz default CPU reservation to prioritize BIG-IP VE processing, if your normal traffic patterns cause BIG-IP VE to consistently exceed that reservation. BIG-IP VE presents a unique workload when virtualized, compared to other commonly virtualized services. Therefore, BIG-IP VE is deployed by default with a 2GHz CPU reservation and a 2GB memory reservation. Together, these reservations prevent system instability on heavily loaded VMware hosts. Note that these reservations should be considered minimal.

Time synchronization
    Configure all BIG-IP VE systems to use an external time synchronization source. You can do this either by configuring NTP within BIG-IP VE or by checking the Synchronize guest time with host box within vSphere Client and configuring all VMware hosts to share a single NTP time server or set of related NTP time servers. Note that units within a redundant system configuration must share a common time synchronization source, to prevent inconsistent system behavior.

Default route for management port
    Define a default route for the virtual management port.
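The following script is an added example, not code from F5 or VMware, that turns the redundant-pair practices above (separate physical hosts, a shared time source, the 2GHz/2GB reservations treated as a floor, and no fully automatic DRS migration) into a pre-flight check you can run before cutting over. The host and virtual machine inventory, including host names, NTP servers and the sync_with_host field that stands in for the Synchronize guest time with host box, is constructed; in practice you would populate it from vSphere. The finding codes are our own naming.

```python
"""Pre-flight check for a BIG-IP VE active/standby pair on VMware.

Added example; not F5 or VMware code. Inventory below is constructed.
"""
MIN_CPU_MHZ = 2000   # the 2GHz default CPU reservation the release note describes
MIN_MEM_MB = 2048    # the 2GB default memory reservation
SAFE_DRS_LEVELS = {"Partially Automated", "Manual", "Disabled"}  # levels the note allows

# Constructed: physical hosts and the NTP servers each one is configured to use.
HOSTS = {
    "esx-a": {"ntp_servers": ["ntp1.example.net", "ntp2.example.net"]},
    "esx-b": {"ntp_servers": ["ntp1.example.net", "ntp2.example.net"]},
    "esx-c": {"ntp_servers": ["ntp1.example.net"]},
}

# Constructed: BIG-IP VE guests. sync_with_host mirrors the vSphere "Synchronize guest
# time with host" box; ntp_servers is NTP configured inside BIG-IP VE itself.
VMS = {
    "bigip-ve-1": {"host": "esx-a", "cpu_reservation_mhz": 2000, "mem_reservation_mb": 2048,
                   "sync_with_host": True, "ntp_servers": [], "drs_automation": "Manual"},
    "bigip-ve-2": {"host": "esx-b", "cpu_reservation_mhz": 2000, "mem_reservation_mb": 2048,
                   "sync_with_host": True, "ntp_servers": [], "drs_automation": "Manual"},
    "bigip-ve-3": {"host": "esx-c", "cpu_reservation_mhz": 2000, "mem_reservation_mb": 2048,
                   "sync_with_host": False, "ntp_servers": ["ntp1.example.net", "ntp2.example.net"],
                   "drs_automation": "Fully Automated"},
    "bigip-ve-4": {"host": "esx-c", "cpu_reservation_mhz": 1000, "mem_reservation_mb": 2048,
                   "sync_with_host": True, "ntp_servers": [], "drs_automation": "Manual"},
}


def time_source(vm, hosts):
    """The set of NTP servers a unit effectively follows: the host's when synced with host."""
    if vm["sync_with_host"]:
        return frozenset(hosts[vm["host"]]["ntp_servers"])
    return frozenset(vm["ntp_servers"])


def check_pair(name_a, name_b, vms=VMS, hosts=HOSTS):
    """Return sorted finding codes for a pair; an empty list means it follows the practices."""
    a, b = vms[name_a], vms[name_b]
    findings = []
    if a["host"] == b["host"]:
        findings.append("shared-physical-host")
    for name, vm in ((name_a, a), (name_b, b)):
        if vm["cpu_reservation_mhz"] < MIN_CPU_MHZ:
            findings.append(f"cpu-reservation-below-2ghz:{name}")
        if vm["mem_reservation_mb"] < MIN_MEM_MB:
            findings.append(f"mem-reservation-below-2gb:{name}")
        if vm["drs_automation"] not in SAFE_DRS_LEVELS:
            findings.append(f"drs-automatic-migration:{name}")
        if not time_source(vm, hosts):
            findings.append(f"no-time-source:{name}")
    # Simplification: identical NTP server sets are required, which is stricter than
    # the "set of related NTP time servers" the best practice permits.
    if time_source(a, hosts) != time_source(b, hosts):
        findings.append("time-source-mismatch")
    return sorted(findings)


if __name__ == "__main__":
    for pair in (("bigip-ve-1", "bigip-ve-2"), ("bigip-ve-3", "bigip-ve-4")):
        result = check_pair(*pair)
        print(f"{pair[0]} / {pair[1]}: {'ok' if not result else ', '.join(result)}")
```

The second constructed pair shows every way a deployment can drift from the table: both units on esx-c, one unit's reservation cut to 1 GHz, DRS left fully automated on one unit, and the two units following different NTP server sets because one syncs with its host and the other runs its own NTP.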

Virtual Edition known issues

The known issues in this release are as follows:

Status of virtual network interfaces (CR126854)
The BIG-IP system reports the status of host-only network interfaces as UNINITIALIZED, even though the interfaces are still functioning normally.

Auto-licensing and the default management route (CR133194)
If you have not defined a default route to the management port, interface 1.1 is used instead, which does not work. To prevent this from occurring, verify that you have defined a default route for the management port before attempting to activate a license.

Importing a User Configuration Set (UCS) with data from other BIG-IP modules (CR133762)
Importing a UCS file that contains configuration data from a module other than BIG-IP Local Traffic Manager can generate module-specific error messages during the import process. You can ignore these messages. The BIG-IP system safely imports only configuration data that is shared between modules.

Editing the virtual guest configuration (CR134076)
F5 Networks strongly recommends that you do not edit the virtual configuration of BIG-IP VE, except for the virtual network interface mappings.

Unwanted characters on VMware console window (CR134154)
Because VMware Tools are not installed on the system, unwanted characters might appear in the VMware console window.

Event log regarding insufficient video RAM (CR134473)
On VMware ESXi systems only, the following event message is logged:

The maximum resolution of the virtual machine will be limited to 1176x885 at 16 bits per pixel. To use the configured maximum resolution of 2360x1770 at 16 bits per pixel, increase the amount of video RAM allocated to this virtual machine by setting svga.vramSize="16708800" in the virtual machine's configuration file.

You can ignore this message or take the recommended action without adverse effects.

SSL::sessionid iRule command (CR135601)
The SSL::sessionid command within an iRule returns a blank value.

SSL alert codes (CR135917)
While handling malicious SSL traffic, upon error, the SSL alert code might describe a different, but similar, error type. Normal SSL traffic is not affected.

Time synchronization using VMware Tools or NTP protocol (CR135980)
If you want to use VMware Tools to enable time synchronization, you must check the Synchronize guest time with host box within vSphere Client. If you want to use the NTP protocol instead, you must first disable time synchronization in VMware Tools by clearing the box within vSphere Client. For more information, see the VMware vSphere Client documentation. Note that the two units of a BIG-IP VE redundant system configuration must share the same time synchronization source.

bigpipe import command (CR136004)
Use of the b import default command can generate Security-Enhanced Linux (SELinux) errors. You can ignore these errors.

Link speed of management interface (CR136578)
The VMware system reports an incorrect link speed for the management interface. The reported link speed does not reflect the actual bandwidth capability.

Status of VMware Tools in vSphere (CR136980)
VMware vSphere incorrectly shows the status of VMware Tools as Not Installed. You can verify that VMware Tools are installed by viewing the IP Address and DNS Name fields on the vSphere screen. Note that if you migrate the virtual machine or start a snapshot or cloned image of the virtual machine, the status correctly shows as Unmanaged.

VMXNET3 availability (CR137014)
The VMXNET3 driver can become unavailable after you suspend and resume BIG-IP VE. Resetting the system solves the problem.

Support for Spanning Tree protocols (CR137326)
The BIG-IP VE system does not support the bridging protocols Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP).

Support for Link Aggregation Control Protocol (CR137328)
The BIG-IP VE system does not support the trunking protocol LACP.

Use of VLAN groups (CR137596)
Use of VLAN groups with BIG-IP VE requires proper configuration of VMware vSwitch or VMware vSwitch portgroup security policies. The Promiscuous Mode and Forged Transmits properties must be set to Accept. By default, Promiscuous Mode is set to Reject. For information on how to configure these options, refer to the vSwitch sections of VMware's vSphere manuals.
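The check below is an added example, not code from F5 or VMware, for verifying the two vSwitch security settings this issue calls out before enabling VLAN groups. On a standard vSwitch each port group inherits a security setting from its vSwitch unless it overrides that setting, so the script resolves the effective policy per port group rather than reading either level alone. The vSwitch and port group records, including the names vSwitch0, vSwitch1, Management, Private Access and Public Access, are constructed.

```python
"""Effective vSwitch / port group security policy check for BIG-IP VE VLAN groups.

Added example; not F5 or VMware code. All policy records are constructed.
"""

# Settings the release note requires to be Accept for VLAN groups to work.
REQUIRED_FOR_VLAN_GROUPS = {"promiscuous_mode": "Accept", "forged_transmits": "Accept"}

# Constructed: vSwitch-level security policies. vSwitch0 keeps the default
# Promiscuous Mode = Reject that the release note warns about.
VSWITCHES = {
    "vSwitch0": {"promiscuous_mode": "Reject", "mac_changes": "Accept", "forged_transmits": "Accept"},
    "vSwitch1": {"promiscuous_mode": "Accept", "mac_changes": "Accept", "forged_transmits": "Accept"},
}

# Constructed: port groups with the vSwitch they belong to and any per-port-group overrides.
PORTGROUPS = {
    "Management": {"vswitch": "vSwitch0", "overrides": {}},
    "Private Access": {"vswitch": "vSwitch0", "overrides": {"promiscuous_mode": "Accept"}},
    "Public Access": {"vswitch": "vSwitch1", "overrides": {"forged_transmits": "Reject"}},
}


def effective_policy(portgroup, portgroups=PORTGROUPS, vswitches=VSWITCHES):
    """Resolve inheritance: start from the vSwitch policy, then apply port group overrides."""
    pg = portgroups[portgroup]
    policy = dict(vswitches[pg["vswitch"]])
    policy.update(pg["overrides"])
    return policy


def vlan_group_blockers(portgroup, portgroups=PORTGROUPS, vswitches=VSWITCHES):
    """Settings whose effective value would break VLAN groups on this port group."""
    policy = effective_policy(portgroup, portgroups, vswitches)
    return sorted(s for s, wanted in REQUIRED_FOR_VLAN_GROUPS.items() if policy.get(s) != wanted)


def audit(portgroups=PORTGROUPS, vswitches=VSWITCHES):
    """Map every port group to its blockers; an empty list means it is ready for VLAN groups."""
    return {name: vlan_group_blockers(name, portgroups, vswitches) for name in portgroups}


if __name__ == "__main__":
    for name, blockers in audit().items():
        state = "ok" if not blockers else "fix: " + ", ".join(f"{b} must be Accept" for b in blockers)
        print(f"{name}: {state}")
```

In the constructed data, Private Access is usable even though its vSwitch rejects promiscuous traffic, because the port group overrides that one setting, while Public Access is broken by a port group override that rejects forged transmits on an otherwise permissive vSwitch.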

Use of Single Configuration File (SCF) feature (CR137597)
Copying an SCF from a VMware host system to an F5 hardware platform causes an error related to interface mismatching. To work around this issue, save the bigip.conf and bigip_sys.conf files within BIG-IP VE, copy the files to the new platform, and then, on the new platform, run the commands bigpipe merge bigip.conf and bigpipe merge bigip_sys.conf.

Configuration of an OVF with additional interfaces (CR137616)
When you deploy an OVF with more than five interfaces (one management interface and more than four TMM interfaces), the interface numbering appears out of order. To view the actual TMM-to-VMware interface mapping, compare the MAC addresses of the interfaces displayed in the BIG-IP Configuration utility to those displayed in vSphere Client.
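The following script is an added example, not code from the release note, that performs the MAC-address comparison this issue recommends. It normalizes the different MAC notations you may encounter when copying values from the two tools, joins the BIG-IP interface list to the vSphere adapter list on the normalized MAC, and reports which TMM interfaces deviate from the naive expectation that interface 1.N is adapter N+1 (adapter 1 being management). Both tables, their MAC values and the port group names are constructed; the ordering expectation is ours, not a statement from the release note.

```python
"""Match BIG-IP TMM interfaces to VMware virtual adapters by MAC address.

Added example; not F5 or VMware code. Both tables are constructed samples of
what the BIG-IP Configuration utility and vSphere Client would display.
"""
import re

# Constructed: interface name -> MAC as shown in the BIG-IP Configuration utility.
BIGIP_INTERFACES = {
    "mgmt": "00:50:56:AB:00:01",
    "1.1": "00:50:56:ab:00:03",
    "1.2": "00:50:56:ab:00:02",
    "1.3": "00:50:56:ab:00:05",
    "1.4": "00:50:56:ab:00:04",
    "1.5": "00:50:56:ab:00:06",
}

# Constructed: (adapter label, port group, MAC) as shown in vSphere Client, with
# deliberately mixed notations to exercise normalization.
VSPHERE_ADAPTERS = [
    ("Network adapter 1", "Management", "00-50-56-AB-00-01"),
    ("Network adapter 2", "Private Access", "00:50:56:ab:00:02"),
    ("Network adapter 3", "Public Access", "00:50:56:ab:00:03"),
    ("Network adapter 4", "HA", "0050.56ab.0004"),
    ("Network adapter 5", "DMZ", "00:50:56:ab:00:05"),
    ("Network adapter 6", "Backup", "00:50:56:ab:00:06"),
]


def normalize_mac(mac):
    """Reduce colon, dash, dotted or mixed-case notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def map_interfaces(bigip, vsphere):
    """Return {interface: (adapter label, port group)}; None when no adapter carries that MAC."""
    by_mac = {}
    for adapter, network, mac in vsphere:
        key = normalize_mac(mac)
        if key in by_mac:
            raise ValueError(f"duplicate MAC {key} on {adapter} and {by_mac[key][0]}")
        by_mac[key] = (adapter, network)
    return {iface: by_mac.get(normalize_mac(mac)) for iface, mac in bigip.items()}


def unexpected_order(mapping):
    """TMM interfaces that do not follow our assumed rule that 1.N is adapter N+1."""
    mismatches = []
    for iface, match in mapping.items():
        if iface == "mgmt" or match is None:
            continue
        tmm_number = int(iface.split(".")[1])
        adapter_number = int(match[0].rsplit(" ", 1)[1])
        if adapter_number != tmm_number + 1:
            mismatches.append((iface, match[0]))
    return sorted(mismatches)


if __name__ == "__main__":
    result = map_interfaces(BIGIP_INTERFACES, VSPHERE_ADAPTERS)
    for iface, match in sorted(result.items()):
        print(f"{iface:>5} -> {match}")
    for iface, adapter in unexpected_order(result):
        print(f"interface {iface} is actually {adapter}")
```

Treat the printed mapping, not the interface numbers, as authoritative when you assign VLANs to interfaces in the Setup utility; a swapped pair such as 1.1/1.2 in the constructed data would otherwise put the internal VLAN on the external port group.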

Use of SNMP OID for RMON tables (CR137905)
Setting the source OID for RMON alarm, event, and history tables generates an error message. This OID will be disabled in future releases.

Media speed messages in log file (CR137973)
When starting the BIG-IP system or when removing an interface from a VLAN, the system logs media-related messages to the file /var/log/ltm. You can ignore these messages.

Hard-wired failover (CR138100)
Hard-wired failover is unsupported in this release. When configuring redundant BIG-IP VE virtual machines, configure the Network Failover screen within the BIG-IP Configuration utility.

Disabling TMM interfaces (CR138342)
When you disable a TMM interface, the interface continues to process traffic.

BIG-IP licensing and User Configuration Sets (CR138498)
When you import a UCS from another BIG-IP or BIG-IP VE system, the system overwrites the local license with the license contained in the UCS. To work around this issue, you can re-license the local system after importing the UCS by accessing a backup copy of the license file, located in /config/bigip.license.bak. Also note that when importing a UCS, you should ensure that the host names of the two systems differ. When the host names differ, the system correctly imports only the configuration data that is common to both the originating platform and the target platform. If the host names match, the system attempts to import all of the UCS configuration data, which can cause the import process to fail.

Exiting the shell at a system prompt (CR138672)
When you type exit at a BIG-IP system prompt, the system appears unresponsive.

HA events due to BIG-IP VE inactivity (CR138676)
If the VMware hypervisor runs the BIG-IP VE software for fewer than four minutes continuously (due, for example, to a manual suspension or the timeout of network disk I/O), high-availability failure events occur. The system either aborts and restarts key system processes or triggers failover. This is intended system behavior.

VMware Vswitch Promiscuous Mode (CR138798)
When the VMware Vswitch Promiscuous Mode is set to Reject, the VLAN group transparency mode Opaque does not function correctly.

Importing a UCS from BIG-IP Virtual Edition Trial (CR139456)
When you import a UCS from BIG-IP Virtual Edition Trial, the system displays an error message. You can ignore this message.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.
