
Manual Chapter: BIG-IP® Network and System Management Guide: 3 - Configuring the BIG-IP Platform and General Properties


3

Configuring the BIG-IP Platform and General Properties


Introducing the BIG-IP platform and general properties

Part of managing a BIG-IP system involves configuring and maintaining a certain set of system properties. These properties fall into two main categories:

  • General platform properties such as the BIG-IP system host name, IP address, and passwords for its system administrative accounts
  • Device and local traffic properties, such as NTP, DNS, and persistence settings

When you configure platform and device-related properties, you are affecting the operation of the BIG-IP system as a whole, rather than just one aspect of it. Similarly, when you configure the properties related to local traffic, you are globally affecting the operation of the local traffic management system.

Note

For detailed information on configuring specific features of local traffic management, see the Configuration Guide for BIG-IP® Local Traffic Management.

The remainder of this chapter describes how to configure and maintain these platform and general properties so that you can tailor the BIG-IP system to fit your needs exactly.

Configuring platform properties

When you configure platform properties, you configure settings such as the IP address of the management port, the host name of the BIG-IP system, the host IP address, and user account passwords.

You can also view information about the device certificate, as well as import or export the certificate.

Configuring platform properties and user administration settings

From the General screen, you can configure general platform properties and user administration settings. Note that you can also configure many of these properties and settings by running the Setup utility.

Configuring general platform properties

You can configure these general properties for the BIG-IP system platform:

  • An IP address, netmask, and route for the management interface
  • The host name for the BIG-IP system
  • The host IP address for the BIG-IP system
  • Whether the BIG-IP system is a single device or part of a redundant system
  • The unit ID, if the system is part of a redundant system
  • The time zone in which the BIG-IP system operates

The following procedure provides the basic steps for configuring platform-related general properties. Following the procedure is a description of each property, along with additional details you might need for completing step 4 of the procedure.

To configure general platform properties

  1. On the Main tab of the navigation pane, expand System, and click Platform.
    The General screen opens.
  2. For the Management Port setting, type an IP address, a netmask, and a route address.
  3. In the Host Name box, type a unique name for the BIG-IP system.
  4. Configure all other general property settings as needed.
    For more information, see the sections following this procedure, as well as the online help.
  5. At the bottom of the screen, click Update.

Configuring the management interface

Every BIG-IP system has a management port, or interface, named MGMT. The management interface is a special interface that the BIG-IP system uses to receive or send certain types of administrative traffic. You cannot use the management interface for normal traffic that is slated for load balancing. Instead, the BIG-IP system always uses the TMM switch interfaces for that type of traffic. TMM switch interfaces are those interfaces controlled by the Traffic Management Microkernel (TMM) service.

Configuring the management interface of a BIG-IP system means assigning an IP address to the interface, supplying a netmask for the IP address, and specifying an IP address for the BIG-IP system to use as a default route. The IP address that you assign to the management interface must be on a different network than the self IP addresses that you assign to VLANs. Note that specifying a default route for the management interface is only necessary if you intend to manage the BIG-IP system from a node on a different subnetwork.

To configure the management interface, you use the Management Port setting on the General screen. There are no default values for this setting.

Note

The IP address for the management port must be in IPv4 format.

Tip


You can also configure the management port using the LCD menu on the IP switch hardware. If you configure the management port using the LCD menu, you do not need to configure the port with the Configuration utility.

For procedural information on configuring the management interface, see the guide Installation, Licensing, and Upgrades for BIG-IP® Systems. For information on the way that the TMM service affects the management interface, see the description of the TMM service in Chapter 18, Configuring BIG-IP System Services.
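The addressing rules in this section can be checked before the values are typed into the Management Port setting. The following Python check is an added example, not part of the F5 manual or software; the function name, its inputs, and the sample addresses are assumptions made for illustration, and the on-link test for the route address is a general IP routing rule rather than a statement from this guide.

```python
import ipaddress


def check_management_port(mgmt_ip, netmask, route, self_ips, admin_hosts):
    """Check Management Port values against the rules stated in this section.

    route       -- default route address, or None if the field is left empty
    self_ips    -- (address, netmask) pairs assigned to VLANs
    admin_hosts -- addresses that administrators connect from
    Returns a list of findings; an empty list means nothing was flagged.
    """
    addr = ipaddress.ip_address(mgmt_ip)
    # The management port address must be in IPv4 format.
    if addr.version != 4:
        return [f"management address {mgmt_ip} is not IPv4"]

    mgmt_net = ipaddress.ip_network(f"{mgmt_ip}/{netmask}", strict=False)
    findings = []

    # The management address must be on a different network than the self IPs.
    for ip, mask in self_ips:
        self_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if mgmt_net.overlaps(self_net):
            findings.append(f"self IP {ip} ({self_net}) shares a network with "
                            f"the management port ({mgmt_net})")

    # A default route is only needed for managers on another subnetwork.
    remote = [h for h in admin_hosts if ipaddress.ip_address(h) not in mgmt_net]
    if route is None:
        for host in remote:
            findings.append(f"{host} is outside {mgmt_net} but no management "
                            "route is set")
    elif ipaddress.ip_address(route) not in mgmt_net:
        # General IP routing fact, not a statement from the manual: a gateway
        # has to be reachable on the directly connected network.
        findings.append(f"route {route} is not on the management network "
                        f"{mgmt_net}")
    return findings


# Constructed sample values (RFC 5737 documentation ranges).
GOOD = check_management_port(
    "192.0.2.10", "255.255.255.0", "192.0.2.1",
    self_ips=[("198.51.100.5", "255.255.255.0")],
    admin_hosts=["203.0.113.20"])

BAD = check_management_port(
    "192.0.2.10", "255.255.255.0", None,
    self_ips=[("192.0.2.200", "255.255.255.128")],
    admin_hosts=["203.0.113.20", "192.0.2.50"])

if __name__ == "__main__":
    print("good:", GOOD)
    for line in BAD:
        print("bad: ", line)
```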

Supplying a host name

Every BIG-IP system must have a host name. Using the Host Name setting, type a fully qualified domain name for the BIG-IP system. An example of a host name is mybigip.win.net.

Assigning a host IP address

Every BIG-IP system must have a host IP address. This IP address can be the same as the address that you used for the management port, or you can assign a unique address.

To assign the host IP address, locate the Host IP address setting and select either Use Management Port IP Address or Custom Host IP address. The default value is Use Management Port IP Address.

Configuring high availability

You can use the general properties screen to specify whether the BIG-IP system is to operate as a single device or as part of a redundant system. The default value is Single Device.

To designate the BIG-IP system as being part of a redundant system, use the High Availability setting to select Redundant Pair. Then use the Unit ID setting to select the unit ID that you want to assign to the BIG-IP system (1 or 2).

Specifying a time zone

Another of the general platform properties that you can specify is the time zone. The many time zones that you can choose from are grouped into these categories: Africa, America, Antarctica, Arctic, Asia, Atlantic, Australia, Europe, Indian, and Pacific.

To set the time zone, use the Time Zone setting to select a time zone from the list. Select the time zone that most closely represents the location of the BIG-IP system you are configuring.

Specifying user administration settings

Part of managing platform-related properties is maintaining passwords for the system accounts, as well as enabling the support account. You can also configure the system to allow certain IP addresses to access the BIG-IP system through SSH.

Changing administrative account passwords

When you ran the Setup utility on the BIG-IP system, you set up some administrative accounts. Specifically, you set up the root, admin, and support accounts. The root and admin accounts are for use by BIG-IP system administrators, while the support account is for F5 Networks support personnel who require access to the customer's system for troubleshooting purposes.

Users logging in with the root account have console-only access to the BIG-IP system. Users logging in with the admin account have browser-only access to the BIG-IP system.

You can use the General screen of the platform properties to change the passwords for root and admin accounts on a regular basis. To change a password, locate the Root Account or Admin Account setting, and in the Password box, type a new password. In the Confirm box, retype the same password. For more information, see To configure general platform properties.

Enabling the Support account

The support account is an optional account that you can enable on the BIG-IP system. When you enable this account, authorized F5 Networks support personnel can access the BIG-IP system to perform troubleshooting.

To enable the support account, find the Support Account setting and select Enabled. Then type a password, once in the Password box and again in the Confirm box.

Configuring SSH access

When you configure SSH access, you enable user access to the BIG-IP system through SSH. Also, only the IP addresses that you specify are allowed access to the system using SSH.

To configure SSH access, locate the SSH Access setting and click the Enabled box. Then use the SSH IP Allow setting to select either * All Addresses or Specify Range, which allows you to specify a range of addresses.
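The difference between the two SSH IP Allow choices can be reviewed with a short audit, shown here as an added Python example that is not part of the F5 manual or software. The function name, the (first, last) pair used to stand in for Specify Range, and the admin_networks input are assumptions for illustration; the addresses are constructed samples.

```python
import ipaddress

ALL_ADDRESSES = "* All Addresses"  # the unrestricted choice named on this page


def audit_ssh_allow(ssh_enabled, ip_allow, admin_networks):
    """Return findings for an SSH Access / SSH IP Allow pair.

    ip_allow       -- ALL_ADDRESSES, or a (first, last) address pair standing
                      in for "Specify Range" (assumed representation)
    admin_networks -- CIDR blocks that administrators really connect from
    An empty list means nothing was flagged.
    """
    if not ssh_enabled:
        return []
    if ip_allow == ALL_ADDRESSES:
        return ["SSH is reachable from every source address"]

    first, last = (ipaddress.ip_address(a) for a in ip_allow)
    if first > last:
        return ["range start is above range end"]

    # Express the range as CIDR blocks so it can be compared with networks.
    allowed = list(ipaddress.summarize_address_range(first, last))
    admins = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []

    # Least privilege: every allowed block should sit inside an admin network.
    for block in allowed:
        if not any(block.subnet_of(net) for net in admins):
            findings.append(f"{block} is allowed but extends beyond the "
                            "admin networks")

    # Availability: the range should still cover every admin network.
    for net in admins:
        if not (first <= net[0] and net[-1] <= last):
            findings.append(f"{net} is not fully covered by the range")
    return findings


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation range).
    admin = ["192.0.2.0/24"]
    print(audit_ssh_allow(True, ALL_ADDRESSES, admin))
    print(audit_ssh_allow(True, ("192.0.2.0", "192.0.3.255"), admin))
    print(audit_ssh_allow(True, ("192.0.2.0", "192.0.2.255"), admin))
```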

Managing a device certificate

Sometimes, multiple BIG-IP systems need to communicate securely over a network. For example, multiple BIG-IP systems might need to collect performance data over a wide area network, for global traffic management. In this case, these BIG-IP systems need to exchange SSL certificates and keys to ensure secure data communication. These certificates are separate from the SSL certificates that you install for managing (that is, terminating and initiating) local SSL traffic. For information on requesting and installing certificates to manage local SSL traffic, see the Configuration Guide for BIG-IP® Local Traffic Management.

You can view information about a device certificate that is currently installed on the BIG-IP system. You can also export a certificate or import a different certificate.

Viewing certificate and key information

You can use the Configuration utility to view information about any SSL certificate and key that you have installed on the BIG-IP system. The specific information you can view about a certificate is:

  • Name
  • Subject
  • Expiration date
  • Version
  • Serial number (if any)
  • Common Name
  • Division
  • Locality, state or province, and country
  • Issuer

To view device certificate and key information

  1. On the Main tab of the navigation pane, expand System, and click Device Certificates.
    This displays the properties of any self-signed certificate.
  2. On the menu bar, click Device Key.
    This displays the type and size of the key.
  3. On the menu bar, click Trusted Device Certificates.
    This displays the properties of any certificates signed by a trusted certificate authority (CA). If no trusted certificate exists, the value of the Subject property shows No certificate.

Importing, exporting, or renewing a device certificate

You can import, export, or renew two kinds of certificates: a device certificate or a trusted device certificate.

To import a device certificate

  1. On the Main tab of the navigation pane, expand System and click Device Certificates.
    This displays the properties of a self-signed certificate.
  2. At the bottom of the screen, click Import.
    This displays the screen for importing either a certificate, or a certificate and key.
  3. From the Import Type list, select an import type, either Certificate or Certificate and Key.
  4. From the Certificate Source setting, click either Upload File or Paste Text:
    • If you click Upload File, type a file name or click Browse.
      If you click Browse:
        a. Navigate to the relevant Windows® folder and click a file name.
        b. On the browser window, click Open.
    • If you click Paste Text:
        a. Copy the text from another source.
        b. Paste the text into the Certificate Source window.
  5. Click Import.

To import a trusted device certificate

  1. On the Main tab of the navigation pane, expand System and click Device Certificates.
    This displays the properties of a self-signed certificate.
  2. On the menu bar, click Trusted Device Certificates.
    This displays the properties of a trusted CA certificate.
  3. At the bottom of the screen, click Import.
    This displays the properties of a trusted CA certificate.
  4. From the Import Method list, select an import method.
  5. From the Certificate Source setting, click either Upload File or Paste Text:
    • If you click Upload File, type a file name or click Browse.
      If you click Browse:
        a. Navigate to the relevant Windows folder and click a file name.
        b. On the browser window, click Open.
    • If you click Paste Text:
        a. Copy the text from another source.
        b. Paste the text into the Certificate Source window.
  6. Click Import.

To export a device certificate

  1. On the Main tab of the navigation pane, expand System, and click Device Certificates.
    This displays the properties of a self-signed certificate.
  2. If you want to export a trusted CA certificate, click Trusted Device Certificates on the menu bar.
  3. At the bottom of the screen, click Export.
    The screen displays the text of the existing certificate.
  4. Next to the Certificate File setting, click Download <certificate_name>.

To renew a device certificate

  1. On the Main tab of the navigation pane, expand System, and click Device Certificates.
    This displays the properties of a self-signed certificate.
  2. If you want to renew a trusted CA certificate, click Trusted Device Certificates on the menu bar.
  3. At the bottom of the screen, click Renew.
    This displays the properties of the certificate and its associated key.
  4. Change any properties as needed.
    For detailed information, see the online help.
  5. Click Finished.

Importing and exporting a key

You can use the Configuration utility to import and export keys.

To import a key

  1. On the Main tab of the navigation pane, expand System, and click Device Certificates.
    This displays the properties of a self-signed certificate.
  2. On the menu bar, click Device Key.
    This displays the properties of the key.
  3. Click Import.
  4. From the Import Type list, select an import type, either Certificate or Certificate and Key.
  5. From the Key Source setting, click either Upload File or Paste Text:
    • If you click Upload File, type a file name or click Browse.
      If you click Browse:
        a. Navigate to the relevant Windows folder and click a file name.
        b. On the browser window, click Open.
    • If you click Paste Text:
        a. Copy the text from another source.
        b. Paste the text into the Key Source window.
  6. Click Import.

To export a key

  1. On the Main tab of the navigation pane, expand System, and click Device Certificates.
    This displays the properties of a self-signed certificate.
  2. On the menu bar, click Device Key.
    This displays the properties of the key.
  3. Click Export.
    The screen displays the text of the key.
  4. Next to the Key File setting, click Download <key_name>.

Configuring general properties

Using the Configuration utility, you can view and configure a number of general BIG-IP system properties. Some of these properties are related to the BIG-IP system as a device, while others are related to local traffic management.

Configuring device-related properties

You can view or configure a number of properties related to the BIG-IP system as a device. These properties fall into three main categories: general device properties, Network Time Protocol (NTP) properties, and Domain Name System (DNS) properties.

Configuring general properties

The BIG-IP system general properties that you can view are:

  • The host name
  • The BIG-IP software version number
  • The number of CPUs available
  • The number of CPUs that are active
  • The current CPU mode (uniprocessor or multiprocessor)

The BIG-IP system general properties that you can configure are:

  • Network boot
  • Quiet boot
  • The percent of memory usage for reboot

The following procedure provides the basic steps for configuring general properties. Following the procedure are descriptions of the properties that you might need for completing step 2 of the procedure.

To view or configure general properties

  1. On the Main tab of the navigation pane, expand System, and click General Properties.
    The General screen opens.
  2. View or configure any settings.
    For detailed information on these settings, see the online help and Table 3.1.
  3. If you configured any settings, click Update.

Table 3.1 lists and describes the general properties that you can view or configure.

 

Table 3.1 General properties of a BIG-IP system

| Property | Description | Default Value |
|---|---|---|
| Host Name | Displays the host name of the BIG-IP system. This name is the same host name that you specified on the main Platform screen. | No default value |
| Version | Displays the version number of the BIG-IP system software that is running on the system. | No default value |
| CPU Count | Displays the total number of CPUs that the BIG-IP system contains. | No default value |
| Active CPUs | Displays the total number of CPUs that are currently active on the BIG-IP system. | No default value |
| CPU Mode | Displays the current processor mode of the system, either uniprocessor or multiprocessor. | No default value |
| Network Boot | Enables or disables the network boot feature. If you enable this feature and then reboot the system, the system boots from an ISO image on the network, rather than from an internal media drive. Use this option only when you want to install software on the system, for example, for an upgrade or a re-installation. Note that this setting reverts to Disabled after you reboot the system a second time. | Disabled (unchecked) |
| Quiet Boot | Enables or disables the quiet boot feature. If you enable this feature, the system suppresses informational text on the console during the boot cycle. | Enabled (checked) |
| Memory Restart Percent | Specifies the memory usage percent at which the system reboots. | 97 |

 

Configuring NTP

Network Time Protocol (NTP) is a protocol that synchronizes the clocks on a network. You can use the Configuration utility to specify a list of IP addresses of the servers that you want the BIG-IP system to use when updating the time on network systems. You can also edit or delete the entries in the server list.

To configure a list of NTP time servers

  1. On the Main tab of the navigation pane, expand System, and click General Properties.
    The General screen opens.
  2. From the Device menu, choose NTP.
    This opens the NTP screen.
  3. For the Time Server List setting, add, edit, or remove an IP address:
    • To add an IP address to the list:
        a. Type a time server's IP address or host name in the Address box.
        b. Click Add.
    • To edit an IP address in the list:
        a. In the Time Server List area, select an IP address.
           The IP address appears in the Address box.
        b. In the Address box, change the IP address.
        c. Click the Edit button.
    • To remove an IP address from the list:
        a. In the Time Server List area, select an IP address.
           The IP address appears in the Address box.
        b. Click the Delete button.
  4. Click Update.

Configuring DNS

Domain Name System (DNS) is an industry-standard distributed internet directory service that resolves domain names to IP addresses. If you plan to use DNS in your network, you can use the Configuration utility to configure DNS for the BIG-IP system.

When you configure DNS, you create two lists: a DNS lookup server list, and a BIND forwarder server list. The DNS lookup server list allows BIG-IP system users to use IP addresses, host names, or fully-qualified domain names (FQDNs) to access virtual servers, nodes, or other network objects.

The BIND forwarder server list provides DNS resolution for servers and other equipment load balanced by the BIG-IP system, that is, for the servers that the BIG-IP system uses for DNS proxy services.

Note

To use DNS Proxy services, you must enable the named service.

In addition to adding servers to the DNS lookup server list and the BIND forwarder server list, you can also edit or delete the entries in these lists.

To configure DNS for the BIG-IP system

  1. On the Main tab of the navigation pane, expand System, and click General Properties.
    The General screen opens.
  2. From the Device menu, choose DNS.
    This opens the DNS screen.
  3. In the DNS Lookup Server List area, you can add, edit, or remove a server IP address:
    • To add a server to the list:
        a. Type the IP address of a properly-configured name server in the Address box.
        b. Click Add.
        c. To add backup DNS servers to the list, repeat steps a and b.
    • To edit an IP address in the list:
        a. In the DNS Lookup Server List area, select an IP address.
           The IP address appears in the Address box.
        b. In the Address box, change the IP address.
        c. Click Edit.
    • To remove an IP address from the list:
        a. In the DNS Lookup Server List area, select an IP address.
           The IP address appears in the Address box.
        b. Click Delete.
  4. In the BIND Forwarder Server List area, you can add, edit, or remove a server IP address:
    • To add a server to the list:
        a. Type a server's IP address in the Address box.
        b. Click Add.
    • To edit an IP address in the list:
        a. In the BIND Forwarder Server List area, select an IP address.
           The IP address appears in the Address box.
        b. In the Address box, change the IP address.
        c. Click Edit.
    • To remove an IP address from the list:
        a. In the BIND Forwarder Server List area, select an IP address.
           The IP address appears in the Address box.
        b. Click Delete.
  5. Click Update.

Configuring local-traffic properties

The BIG-IP system includes a set of properties that apply globally to the local traffic management system. These properties fall into two main categories: general local-traffic properties, and persistence properties. You can use the Configuration utility to configure and maintain these properties.

Configuring general local-traffic properties

You can configure a number of properties that affect the general behavior of the BIG-IP local traffic management system. In most cases, these properties are not directly related to any one type of local traffic management object, such as a virtual server or a load balancing pool.

The following procedure provides the basic steps for configuring general local-traffic properties. Following the procedure are descriptions of the properties with additional details you might need for completing step 3 of the procedure.

To configure general local-traffic properties

  1. On the Main tab of the navigation pane, expand System, and click General Properties.
    The General screen opens.
  2. From the Local Traffic menu, choose General.
  3. Configure all properties or retain the default values.
    For detailed information, see Table 3.2.
  4. Click Update.

Table 3.2 lists and describes the properties that you can configure to manage the behavior of the local traffic management system.

Table 3.2 General properties for globally managing local traffic

| Property | Description | Default Value |
|---|---|---|
| Auto Last Hop | Specifies, when checked (enabled), that the system automatically maps the last hop for pools. | Enabled (checked) |
| Maintenance Mode | Specifies, when checked (enabled), that the unit is in maintenance mode. In maintenance mode, the system stops accepting new connections and slowly completes the processing of existing connections. | Disabled (unchecked) |
| VLAN-Keyed Connections | Check this setting to enable VLAN-keyed connections. VLAN-keyed connections are used when traffic for the same connection must pass through the system several times, on multiple pairs of VLANs (or in different VLAN groups). | Enabled (checked) |
| Path MTU Discovery | Specifies, when checked (enabled), that the system discovers the maximum transmission unit (MTU) that it can send over a path without fragmenting TCP packets. | Enabled (checked) |
| Reject Unmatched Packets | Specifies, when checked (enabled), that the system returns a TCP RESET or ICMP_UNREACH packet if no virtual servers on the system match the destination address of the incoming packet. When this setting is disabled, the system silently drops the unmatched packet. | Enabled (checked) |
| Maximum Node Idle Time | Specifies the number of seconds a node can be left idle by the Fastest load balancing mode. The system sends fewer connections to a node that is responding slowly, and periodically recalculates the response time of the slow node. | 0 (disabled) |
| Reaper High-water Mark | Specifies, in percent, the memory usage at which the system stops establishing new connections. Once the system meets the reaper high-water mark, the system does not establish new connections until the memory usage drops below the reaper low-water mark. To disable the adaptive reaper, set the high-water mark to 100. Note: This setting helps to mitigate the effects of a denial-of-service attack. | 95 |
| Reaper Low-water Mark | Specifies, in percent, the memory usage at which the system silently purges stale connections, without sending reset packets (RST) to the client. If the memory usage remains above the low-water mark after the purge, then the system starts purging established connections closest to their service timeout. To disable the adaptive reaper, set the low-water mark to 100. | 85 |
| SYN Check™ Activation Threshold | Specifies the number of new or untrusted TCP connections that can be established before the system activates the SYN Cookies authentication method for subsequent TCP connections. | 16384 |
| Layer 2 Cache Aging Time | Specifies, in seconds, the amount of time that records remain in the Layer 2 forwarding table, when the MAC address of the record is no longer detected on the network. | 300 |
| Share Single MAC Address | Specifies, when checked (enabled), that all VLANs share a single MAC address. If you use the default value (unchecked), the BIG-IP gives each VLAN the MAC address of the VLAN's lowest-numbered interface. Use this setting when configuring an active/standby redundant system. | Disabled (unchecked) |
| SNAT Packet Forwarding | Specifies the type of traffic for which the system attempts to forward (instead of reject) Any-IP packets, when the traffic originates from a member of a SNAT. There are two possible values. TCP and UDP Only: Specifies that the system forwards, for TCP and UDP traffic only, Any-IP packets originating from a SNAT member. All Traffic: Specifies that the system forwards, for all traffic types, Any-IP packets originating from a SNAT member. | TCP and UDP Only |
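The two reaper marks in Table 3.2 act together as a hysteresis band: new connections stop at the high-water mark and resume only after memory usage falls below the low-water mark. The following Python model is an added example, not F5 code; the class and function names, the memory trace, and the sample connections are constructed, and treating a mark of 100 as switching off the behaviour tied to that mark is this example's reading of the table.

```python
from enum import Enum


class ReaperAction(Enum):
    NORMAL = "new connections established, no purging"
    PURGE = "new connections established, stale connections purged"
    NO_NEW = "no new connections established, purging continues"


class AdaptiveReaper:
    """Hysteresis between the two marks (defaults taken from Table 3.2)."""

    def __init__(self, high=95, low=85):
        # Sanity check added for this example, not a rule from the manual.
        if not 0 < low <= high <= 100:
            raise ValueError("expected 0 < low <= high <= 100")
        self.high, self.low = high, low
        self.blocked = False

    def step(self, mem_percent):
        """Feed one memory-usage sample and return the resulting action."""
        # Assumption: a mark set to 100 disables the behaviour tied to it.
        if self.high < 100 and mem_percent >= self.high:
            self.blocked = True
        elif mem_percent < self.low:
            # New connections resume only below the LOW mark, not the high one.
            self.blocked = False
        if self.blocked:
            return ReaperAction.NO_NEW
        if self.low < 100 and mem_percent >= self.low:
            return ReaperAction.PURGE
        return ReaperAction.NORMAL


def run_trace(samples, high=95, low=85):
    """Run a sequence of memory-usage percentages through one reaper."""
    reaper = AdaptiveReaper(high, low)
    return [reaper.step(s) for s in samples]


def purge_candidates(connections, count):
    """Pick the established connections closest to their service timeout.

    connections -- (name, idle_seconds, timeout_seconds) tuples
    """
    ranked = sorted(connections, key=lambda c: c[2] - c[1])
    return [name for name, _, _ in ranked[:count]]


# Constructed memory trace: usage climbs past both marks, then falls back.
TRACE = [70, 86, 95, 90, 86, 84, 90]

# Constructed connections: (name, idle seconds, service timeout seconds).
CONNECTIONS = [("a", 10, 300), ("b", 280, 300), ("c", 115, 120)]

if __name__ == "__main__":
    for mem, action in zip(TRACE, run_trace(TRACE)):
        print(f"{mem:3d}%  {action.value}")
    print("purge first:", purge_candidates(CONNECTIONS, 2))
```

In the trace, 90 percent appears twice with different results: while usage is falling from the high-water mark new connections are still not established, but once usage has dropped below 85 the same 90 percent only triggers purging.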

 

Configuring persistence properties

Using the Configuration utility, you can perform certain persistence-related tasks such as managing the way that destination IP addresses are stored in the persistence table, and specifying a data group that contains proxy IP addresses.

The following procedure provides the basic steps for configuring general persistence-related properties. Following the procedure are descriptions of the properties with additional details you might need for completing step 3 of the procedure.

To configure persistence properties

  1. On the Main tab of the navigation pane, expand System, and click General Properties.
    The General screen opens.
  2. From the Local Traffic menu, choose Persistence.
  3. Configure the properties or retain the default values.
    For detailed information, see Table 3.3.
  4. Click Update.

Table 3.3 lists and describes the properties that you can configure to manage general persistence-related properties.

 

Table 3.3 General properties for controlling session persistence

| Property | Description | Default Value |
|---|---|---|
| Management of Destination Address Entries | Specifies how the system manages the destination IP address entries in the persistence table. Timeout: Specifies that entries remain in the persistence table until the BIG-IP system times them out, based on the timeout value configured in the corresponding persistence profile. Maximum Entries: Specifies that the system stops adding entries to the persistence table when the number of entries reaches the maximum number of entries allowed. | Timeout |
| Proxy Address Data Group | Specifies the data group that contains proxy IP addresses. You use this data group to identify the addresses that are to be treated as proxies when you enable the Map Proxies option on a persistence profile. | aol |

 



