Original Publication Date: 04/13/2011
This release note contains information related to downloading and configuring BIG-IP® Access Policy Manager™ Virtual Edition (VE).
- Access Policy Manager VE host machine requirements and recommendations
- Creating the Access Policy Manager Virtual Edition virtual machine
- Powering on the Access Policy Manager Virtual Edition virtual machine
- Assigning a management IP address to a Virtual Edition virtual machine
Access Policy Manager Virtual Edition (VE) is a version of the Access Policy Manager system that runs as a virtual machine, packaged to run in a VMware® hypervisor environment. Access Policy Manager VE includes all features of Access Policy Manager, running on standard hardware.
Note: The Access Policy Manager VE product license determines the maximum allowed throughput rate. To view this rate limit, you can display the Access Policy Manager VE licensing page within the Configuration utility or Administrative console.
You can update Access Policy Manager Virtual Edition with the same updates, hotfixes, and patches as the hardware version of Access Policy Manager. Access Policy Manager VE does not require separate software updates.
Access Policy Manager Virtual Edition (VE) is compatible with VMware ESX® 4.0 and 4.1, and VMware ESXi™ 4.0 and 4.1 hosts.
The high-level architecture of Access Policy Manager Virtual Edition consists of a VMware guest environment, a hypervisor layer, and a physical layer.
| Layer | Description |
|---|---|
| VMware guest environment | This layer represents an image of Access Policy Manager VE, potentially sharing physical resources with other virtual machines running on the same hardware platform. |
| VMware hypervisor layer | The VMware hypervisor software layer is a bare-metal hypervisor that simulates a set of dedicated resources for each Access Policy Manager virtual machine. |
| Hardware platform layer | Physical resources such as CPU, memory, data storage, and network interface cards (NICs). |
The virtual machine guest environment for VE includes these minimum characteristics:
Note: When you use the VMware vSphere client system to deploy VE on the ESX or ESXi host system, it is important that you retain the guest environment characteristics as shown here. Modifying these characteristics can produce unexpected results. Also note that the guest environment does not support vmmemctl, the memory balloon driver.
To deploy the Access Policy Manager VE system on a VMware ESX or ESXi server, you perform the following tasks:
After you complete these tasks, you can log in to BIG-IP VE and run the Setup utility. Using the Setup utility, you can perform basic network configuration tasks such as assigning VLANs to interfaces.
There are specific requirements for the host system on which the Access Policy Manager VE system can run.
To successfully deploy and run the Access Policy Manager VE system, the host system must contain the following:
F5 Networks highly recommends that the host system contain CPUs based on AMD-V or Intel-VT technology.
The first step in deploying Access Policy Manager VE is to download the Zip file to your local system. You can then run the Deploy OVF Template wizard from within VMware vSphere Client. This wizard copies the file to the ESX/ESXi server and configures some network interface settings. Note that the Zip file contains a virtual disk image based on an Open Virtual Format (OVF) template. By following the steps in this procedure, you create an instance of the Access Policy Manager system that runs as a virtual machine on the host system.
Important: Do not modify the configuration of the VMware guest environment. This includes the settings for the CPU, RAM, and network adapters. Doing so can produce unexpected results.
You can view the status of the Access Policy Manager VE virtual machine on the VMware vSphere Client screen.
You must power on the Access Policy Manager VE virtual machine.
VE needs an IP address assigned to its virtual management port.
When deploying Virtual Edition on a VMware ESX or ESXi host, you should follow these best practices.
| Best practice | Recommendation |
|---|---|
| Shared storage for virtual machines | Use NFS for shared virtual machine storage, although all types of VMware-supported storage are acceptable. |
| Redundant system configuration | Run the two units of an active/standby pair on separate physical hosts. You can accomplish this in two ways. You can manually create a virtual machine peer on each host, or, if you are using VMware Dynamic Resource Scheduler (DRS), you can create a DRS rule with the option Separate Virtual Machine that includes each unit of the BIG-IP VE redundant pair. Note that BIG-IP VE does not support VMware Fault Tolerance technology. For information on creating a DRS rule, refer to VMware's vSphere manuals. |
| Live migration of BIG-IP VE virtual machines | Perform live migration of BIG-IP VE virtual machines (using VMware VMotion) on idle BIG-IP VE virtual machines only. Live migration of BIG-IP VE while the virtual machine is processing traffic could produce unexpected results. |
| VMware DRS environments | In DRS environments, perform live migration of BIG-IP VE virtual machines (using VMware VMotion) on idle BIG-IP VE virtual machines only. Live migration of BIG-IP VE while the virtual machine is processing traffic could produce unexpected results. Disable automatic migrations by adjusting the VMware VMotion DRS Automation Level to Partially Automated, Manual, or Disabled on a per-BIG-IP VE basis. |
| Resource reservations | Increase the 2GHz default CPU reservation to prioritize BIG-IP VE processing, if your normal traffic patterns cause BIG-IP VE to consistently exceed that reservation. BIG-IP VE presents a unique workload when virtualized, compared to other commonly virtualized services. Therefore, BIG-IP VE is deployed by default with a 2GHz CPU reservation and a 2GB memory reservation. Together, these reservations prevent system instability on heavily loaded VMware hosts. Note that these reservations should be considered minimal. |
| Time synchronization | Configure all BIG-IP VE systems to use an external time synchronization source. You can do this either by configuring NTP within BIG-IP VE or by checking the Synchronize guest time with host box within vSphere Client and configuring all VMware hosts to share a single NTP time server or set of related NTP time servers. Note that units within a redundant system configuration must share a common time synchronization source, to prevent inconsistent system behavior. |
| Default route for management port | Define a default route for the virtual management port. |
The known issues in this release are as follows:
Status of virtual network interfaces (CR126854)
The BIG-IP system reports the status of host-only network interfaces as UNINITIALIZED, even though the interfaces are still functioning normally.
Auto-licensing and the default management route (CR133194)
If you have not defined a default route to the management port, interface 1.1 is used instead, which does not work. To prevent this from occurring, verify that you have defined a default route for the management port before attempting to activate a license.
Importing a User Configuration Set (UCS) with data from other BIG-IP modules (CR133762)
Importing a UCS file that contains configuration data from a module other than BIG-IP Local Traffic Manager can generate module-specific error messages during the import process. You can ignore these messages. The BIG-IP system safely imports only configuration data that is shared between modules.
Editing the virtual guest configuration (CR134076)
F5 Networks strongly recommends that you do not edit the virtual configuration of BIG-IP VE, except for the virtual network interface mappings.
Unwanted characters on VMware console window (CR134154)
Because VMware Tools are not installed on the system, unwanted characters might appear in the VMware console window.
Event log regarding insufficient video RAM (CR134473)
On VMware ESXi systems only, the following event message is logged:
The maximum resolution of the virtual machine will be limited to 1176x885 at 16 bits per pixel. To use the configured maximum resolution of 2360x1770 at 16 bits per pixel, increase the amount of video RAM allocated to this virtual machine by setting svga.vramSize="16708800" in the virtual machine's configuration file.
You can ignore this message or take the recommended action without adverse effects.
SSL::sessionid iRule command (CR135601)
The SSL::sessionid command within an iRule returns a blank value.
SSL alert codes (CR135917)
While handling malicious SSL traffic, upon error, the SSL alert code might describe a different, but similar, error type. Normal SSL traffic is not affected.
Time synchronization using VMware Tools or NTP protocol (CR135980)
If you want to use VMware Tools to enable time synchronization, you must check the Synchronize guest time with host box within vSphere Client. If you want to use the NTP protocol instead, you must first disable time synchronization in VMware Tools by clearing the box within vSphere Client. For more information, see the VMware vSphere Client documentation. Note that the two units of a BIG-IP VE redundant system configuration must share the same time synchronization source.
bigpipe import command (CR136004)
Use of the b import default command can generate Security-Enhanced Linux (SELinux) errors. You can ignore these errors.
Link speed of management interface (CR136578)
The VMware system reports an incorrect link speed for the management interface. The reported link speed does not reflect the actual bandwidth capability.
Status of VMware Tools in vSphere (CR136980)
VMware vSphere incorrectly shows the status of VMware Tools as Not Installed. You can verify that VMware Tools are installed by viewing the IP Address and DNS Name fields on the vSphere screen. Note that if you migrate the virtual machine or start a snapshot or cloned image of the virtual machine, the status correctly shows as Unmanaged.
VMXNET3 availability (CR137014)
The VMXNET3 driver can become unavailable after you suspend and resume BIG-IP VE. Resetting the system solves the problem.
Support for Spanning Tree protocols (CR137326)
The BIG-IP VE system does not support the bridging protocols Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP).
Support for Link Aggregation Control Protocol (CR137328)
The BIG-IP VE system does not support the trunking protocol LACP.
Use of VLAN groups (CR137596)
Use of VLAN groups with BIG-IP VE requires proper configuration of VMware vSwitch or VMware vSwitch portgroup security policies. The Promiscuous Mode and Forged Transmits properties must be set to Accept. By default, Promiscuous Mode is set to Reject. For information on how to configure these options, refer to the vSwitch sections of VMware's vSphere manuals.
Use of Single Configuration File (SCF) feature (CR137597)
Copying an SCF from a VMware host system to an F5 hardware platform causes an error related to interface mismatching. To work around this issue, save the bigip.conf and bigip_sys.conf files within BIG-IP VE, copy the files to the new platform, and then, on the new platform, run the commands bigpipe merge bigip.conf and bigpipe merge bigip_sys.conf.
Configuration of an OVF with additional interfaces (CR137616)
When you deploy an OVF with more than five interfaces (one management interface and more than four TMM interfaces), the interface numbering appears out of order. To view the actual TMM-to-VMware interface mapping, compare the MAC addresses of the interfaces displayed in the BIG-IP Configuration utility to those displayed in vSphere Client.
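The following Python script is an added example, not part of this release note or of F5's software: it performs the MAC-address comparison described above on two constructed listings (the BIG-IP Configuration utility view and the vSphere Client adapter list), maps each TMM interface to its vSphere network adapter, and flags the interfaces whose BIG-IP numbering does not follow adapter order. The MAC values, adapter names, and the assumption that the management interface is "Network adapter 1" are all constructed for the example.

```python
import re

# Constructed sample (not from the release note): BIG-IP Configuration
# utility view of a VE with one mgmt and five TMM interfaces, whose
# numbering is out of order as described in CR137616.
BIGIP_INTERFACES = """\
mgmt 00:50:56:a1:00:10
1.1  00:50:56:a1:00:11
1.2  00:50:56:a1:00:14
1.3  00:50:56:a1:00:12
1.4  00:50:56:a1:00:15
1.5  00:50:56:a1:00:13
"""
# Constructed: the same VM's network adapters as listed in vSphere Client.
VSPHERE_ADAPTERS = """\
Network adapter 1 00:50:56:a1:00:10
Network adapter 2 00:50:56:a1:00:11
Network adapter 3 00:50:56:a1:00:12
Network adapter 4 00:50:56:a1:00:13
Network adapter 5 00:50:56:a1:00:14
Network adapter 6 00:50:56:a1:00:15
"""
MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

def parse_macs(text):
    """Return {normalised MAC: label} from lines of the form '<label> <mac>'."""
    out = {}
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        out[m.group(1).lower()] = line[: m.start()].strip()
    return out

def map_interfaces(bigip_text, vsphere_text):
    """Join both listings on MAC. Returns ({tmm_if: adapter}, [unmatched MACs])."""
    bigip = parse_macs(bigip_text)
    vsphere = parse_macs(vsphere_text)
    mapping = {tmm: vsphere[mac] for mac, tmm in bigip.items() if mac in vsphere}
    # MACs present in only one listing point at a stale or mis-read entry.
    unmatched = sorted(set(bigip) ^ set(vsphere))
    return mapping, unmatched

def out_of_order(mapping):
    """TMM interfaces 1.N not on 'Network adapter N+1' (assumes mgmt is adapter 1)."""
    return sorted(tmm for tmm, adapter in mapping.items()
                  if tmm.startswith("1.")
                  and int(adapter.rsplit(" ", 1)[1]) != int(tmm.split(".")[1]) + 1)

if __name__ == "__main__":
    m, u = map_interfaces(BIGIP_INTERFACES, VSPHERE_ADAPTERS)
    print(m, u, out_of_order(m))
```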
Use of SNMP OID for RMON tables (CR137905)
Setting the source OID for RMON alarm, event, and history tables generates an error message. This OID will be disabled in future releases.
Media speed messages in log file (CR137973)
When starting the BIG-IP system or when removing an interface from a VLAN, the system logs media-related messages to the file /var/log/ltm. You can ignore these messages.
Hard-wired failover (CR138100)
Hard-wired failover is unsupported in this release. When configuring redundant BIG-IP VE virtual machines, configure the Network Failover screen within the BIG-IP Configuration utility.
Disabling TMM interfaces (CR138342)
When you disable a TMM interface, the interface continues to process traffic.
BIG-IP licensing and User Configuration Sets (CR138498)
When you import a UCS from another BIG-IP or BIG-IP VE system, the system overwrites the local license with the license contained in the UCS. To work around this issue, you can re-license the local system after importing the UCS by accessing a backup copy of the license file, located in /config/bigip.license.bak. Also note that when importing a UCS, you should ensure that the host names of the two systems differ. When the host names differ, the system correctly imports only the configuration data that is common to both the originating platform and the target platform. If the host names match, the system attempts to import all of the UCS configuration data, which can cause the import process to fail.
Exiting the shell at a system prompt (CR138672)
When you type exit at a BIG-IP system prompt, the system appears unresponsive.
HA events due to BIG-IP VE inactivity (CR138676)
If the VMware hypervisor runs the BIG-IP VE software for fewer than four minutes continuously (due, for example, to a manual suspension or the timeout of network disk I/O), high-availability failure events occur. The system either aborts and restarts key system processes or triggers failover. This is intended system behavior.
VMware vSwitch Promiscuous Mode (CR138798)
When the VMware vSwitch Promiscuous Mode is set to Reject, the VLAN group transparency mode Opaque does not function correctly.
Importing a UCS from BIG-IP Virtual Edition Trial (CR139456)
When you import a UCS from BIG-IP Virtual Edition Trial, the system displays an error message. You can ignore this message.
For additional information, please visit http://www.f5.com.