The BIG-IP system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the BIG-IP system's multilayer capabilities enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7. The following modules provide comprehensive traffic management and security for many traffic types. The modules are fully integrated to provide efficient solutions that meet any network, traffic management, and security needs.
- BIG-IP Local Traffic Manager: The BIG-IP Local Traffic Manager system includes local traffic management features that help make the most of network resources. Using the powerful Configuration utility, you can customize the way that the BIG-IP system processes specific types of protocol and application traffic. By using features such as virtual servers, pools, and profiles, you ensure that traffic passing through the BIG-IP system is processed quickly and efficiently, while meeting all of your security needs. For more information, see the Configuration Guide for BIG-IP® Local Traffic Management.
- BIG-IP Global Traffic Manager: The BIG-IP Global Traffic Manager provides intelligent traffic management for your globally available network resources. Through the Global Traffic Manager, you can select from an array of load balancing modes, ensuring that your clients access the most responsive and robust resources at any given time. In addition, the Global Traffic Manager provides extensive monitoring capabilities, so the health of any given resource is always available. For more information, see the Configuration Guide for BIG-IP® Global Traffic Management.
- BIG-IP Link Controller: The BIG-IP Link Controller seamlessly monitors the availability and performance of multiple WAN connections to intelligently manage bi-directional traffic flows to a site, providing fault-tolerant, optimized Internet access regardless of connection type or provider. The Link Controller ensures that traffic is always sent over the best available link, to maximize user performance and minimize bandwidth cost to a data center. For more information, see the Configuration Guide for BIG-IP® Link Controller.
- BIG-IP Application Security Manager: BIG-IP Application Security Manager provides web application protection from application-layer attacks. It protects web applications from both generalized and targeted application-layer attacks, including buffer overflow, SQL injection, cross-site scripting, and parameter tampering. For more information, see the Configuration Guide for BIG-IP® Application Security Management.
- BIG-IP Protocol Security Module: The BIG-IP Protocol Security Module provides security checks for HTTP, FTP, and SMTP traffic. Protocol Security Module is available as a module for BIG-IP® Local Traffic Manager. Additionally, Protocol Security Module is a component of Application Security Manager. For more information, see the Configuration Guide for BIG-IP® Protocol Security Module.
In a typical configuration, the BIG-IP system functions as a device on the network, directing different types of protocol and application traffic to an appropriate destination server. The system accomplishes this either by forwarding the traffic directly to a load balancing server pool, or by sending it to a next-hop router or a pool of routers. The most basic configuration of the BIG-IP system includes two virtual local area networks (VLANs) with one or more BIG-IP system interfaces (ports) assigned to each VLAN. Using the BIG-IP system's browser-based Configuration utility, you can assign multiple interfaces to each VLAN, or you can configure the BIG-IP system to send traffic for multiple VLANs through the same interface.
The BIG-IP system consists of several fundamental network components that you can configure in the way that best utilizes BIG-IP system capabilities.
A BIG-IP system has several interfaces for switching or routing traffic from various hosts or other devices on the network. Interfaces are the hardware ports that the BIG-IP system uses to send and receive traffic. When you create a virtual local area network (VLAN) on the BIG-IP system, you can assign multiple interfaces to that VLAN. You can also assign the same interface to multiple VLANs. For more information, see Chapter 7, Working with Interfaces.
When you connect multiple switches to the BIG-IP system in parallel, you can configure your hosts to make use of spanning tree protocols. Spanning tree protocols provide path redundancy while preventing unwanted loops in the network. You can view spanning tree instances, configure global spanning tree options, and configure spanning tree settings for each interface. For optimal performance, you can use spanning tree protocols in conjunction with the trunks feature. For more information, see Chapter 13, Configuring Spanning Tree Protocols.
Trunks are a feature you can use to aggregate your links. When you create trunks, you group interfaces together to function as one larger interface and to provide redundancy if one interface in the trunk becomes unavailable. When that occurs, traffic can be processed on another interface in the trunk. For more information, see Chapter 11, Working with Trunks.
A virtual local area network, or VLAN, is a logical collection of hosts on the network. Each VLAN has one or more BIG-IP system interfaces associated with it. VLANs have these primary advantages:
- VLANs define the boundaries of broadcast domains: Traditionally, network administrators have deployed routers within the same IP network to define smaller broadcast boundaries. A better solution is to use VLANs. When a host in a VLAN sends a broadcast message to find the MAC address of a destination host, the message is sent only to those hosts in the VLAN. Using VLANs to control the boundaries of broadcast domains prevents messages from flooding the network, thus enhancing network performance.
- VLANs ease system and network maintenance: Normally, the way to enable hosts to share network resources, such as storage devices and printers, has been to group hosts into the same physical location. Continually moving and re-cabling hosts to other locations on the network, as well as manually updating routing tables, can be a costly and time-consuming task for a system or network administrator. Using VLANs, you can avoid these problems. All hosts that you group within a VLAN can share network resources, regardless of their physical location on the network.
To enhance performance and flexibility, the BIG-IP system comes with two existing virtual local area networks (VLANs), one for your external network and one for your internal network. Each of these VLANs has a BIG-IP system interface already assigned to it. You can use these two VLANs as is, you can assign additional interfaces to these VLANs, or you can create more VLANs. A key feature of the BIG-IP system is that a single interface can forward traffic for multiple VLANs. For more information, see Chapter 5, Configuring VLANs and VLAN Groups.
Each VLAN you create has its own self IP address. The BIG-IP system uses this address as the source IP address when sending requests to hosts in a VLAN, and hosts in a VLAN use this IP address as the destination IP address when sending responses to the BIG-IP system.
When you first ran the Setup utility, you assigned a self IP address to the internal VLAN, and another self IP address to the external VLAN. As you create other VLANs, you assign self IP addresses to them, too. Also, units of a redundant system can share a self IP address, to ensure that the BIG-IP system can process server responses successfully after a failover has occurred. For more information, see Chapter 6, Configuring Self IP Addresses.
Another feature that should be familiar to network administrators for managing the BIG-IP system's Layer 3 functions is the routing table. Using the routes feature, you can explicitly add routes that you want the BIG-IP system to use when functioning as a Layer 3 device to forward packets around the network. For more information, see Chapter 8, Configuring Routes.
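As an added example, not code from the guide, the following Python model ties together the self IP and routing behaviour described above: a destination on a directly attached VLAN is delivered there with that VLAN's self IP as the source address; anything else takes the longest-matching static route, and the egress VLAN is the one whose subnet contains the gateway. A route whose gateway sits on no VLAN is skipped rather than used. All VLAN names and addresses are constructed from documentation and private ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SelfIP:
    vlan: str
    address: str          # self IP with prefix length, e.g. "10.10.10.1/24"


@dataclass(frozen=True)
class Route:
    destination: str      # destination network, e.g. "0.0.0.0/0"
    gateway: str          # next-hop router address


@dataclass(frozen=True)
class Decision:
    vlan: str             # VLAN the packet leaves on
    source_ip: str        # self IP used as the source address
    next_hop: str         # the host itself when directly connected, otherwise the gateway


class Layer3Forwarder:
    """Forwarding decision: connected VLAN first, then the most specific static route."""

    def __init__(self, self_ips: List[SelfIP], routes: List[Route]):
        self.self_ips = [(s.vlan, ipaddress.ip_interface(s.address)) for s in self_ips]
        # Longest prefix first, so the first matching route is the most specific one
        self.routes = sorted(
            ((ipaddress.ip_network(r.destination), ipaddress.ip_address(r.gateway)) for r in routes),
            key=lambda entry: entry[0].prefixlen,
            reverse=True,
        )

    def connected_vlan(self, ip) -> Optional[Tuple[str, ipaddress.IPv4Interface]]:
        """Return the VLAN (and its self IP) whose subnet contains ip, if any."""
        for vlan, iface in self.self_ips:
            if ip in iface.network:
                return vlan, iface
        return None

    def forward(self, destination: str) -> Optional[Decision]:
        dst = ipaddress.ip_address(destination)
        hit = self.connected_vlan(dst)
        if hit is not None:                       # host lives on a VLAN we are attached to
            vlan, iface = hit
            return Decision(vlan, str(iface.ip), str(dst))
        for network, gateway in self.routes:
            if dst not in network:
                continue
            hit = self.connected_vlan(gateway)
            if hit is None:                       # gateway reachable on no VLAN: route is unusable
                continue
            vlan, iface = hit
            return Decision(vlan, str(iface.ip), str(gateway))
        return None                               # no usable route: packet cannot be forwarded


# Constructed sample configuration
SELF_IPS = [SelfIP("internal", "10.10.10.1/24"), SelfIP("external", "192.0.2.1/24")]
ROUTES = [
    Route("0.0.0.0/0", "192.0.2.254"),        # default route via the external router
    Route("172.16.0.0/12", "10.10.10.254"),   # private space behind an internal router
    Route("172.16.5.0/24", "192.0.2.254"),    # more specific prefix overrides the /12
    Route("10.200.0.0/16", "203.0.113.1"),    # gateway on no VLAN: never usable
]
FORWARDER = Layer3Forwarder(SELF_IPS, ROUTES)

if __name__ == "__main__":
    for target in ("10.10.10.50", "172.16.9.9", "172.16.5.5", "10.200.1.1", "198.51.100.7"):
        print(target, "->", FORWARDER.forward(target))
```

The unusable /16 route is the case worth noticing when auditing a routing table: a route whose gateway is not on any VLAN does not black-hole traffic here, it falls through to the default route, which may send internal-destined traffic out the external VLAN.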
The Address Resolution Protocol, or ARP, feature gives you the ability to view or add entries to the ARP cache, which the BIG-IP system uses to match IP addresses to Media Access Control (MAC) addresses when using Layer 3 to send packets to destination hosts. When you want to eliminate the need to use IP routing to send ARP requests from one VLAN to another, you can enable the proxy ARP feature. A host configured with the proxy ARP feature can send ARP requests to another VLAN using Layer 2 forwarding instead of IP routing. For more information, see Chapter 10, Configuring Address Resolution Protocol.
A powerful security feature that the BIG-IP system offers is packet filtering. Using packet filtering, you can control and restrict the types of traffic passing through the BIG-IP system. Besides defining the action that the BIG-IP system should take when receiving a packet (accept, discard, or reject), you can exempt certain types of traffic from packet filtering, based on protocol, IP address, MAC address, or VLAN. For more information, see Chapter 12, Configuring Packet Filters.
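As an added example, not code from the guide, this Python model shows the evaluation order the paragraph above describes: exempted traffic (matched by protocol, source IP, MAC, or VLAN) bypasses the filter entirely; otherwise the first matching rule decides between accept, discard, and reject; and packets that match no rule receive a default action. Rule names, addresses, MAC addresses, and VLAN names are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCEPT, DISCARD, REJECT = "accept", "discard", "reject"


@dataclass(frozen=True)
class Packet:
    protocol: str          # "tcp", "udp", "icmp", ...
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]
    src_mac: str
    vlan: str


@dataclass(frozen=True)
class Rule:
    """A filter rule; every criterion left as None matches anything."""
    name: str
    action: str
    protocol: Optional[str] = None
    src_net: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    vlan: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.src_net is not None and ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_ip is not None and p.dst_ip != self.dst_ip:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.vlan is not None and p.vlan != self.vlan:
            return False
        return True


@dataclass(frozen=True)
class Exemptions:
    """Traffic that never reaches the rules; the four keys the guide lists."""
    protocols: frozenset = frozenset()
    src_nets: tuple = ()
    macs: frozenset = frozenset()
    vlans: frozenset = frozenset()

    def reason(self, p: Packet) -> Optional[str]:
        if p.protocol in self.protocols:
            return "protocol"
        src = ipaddress.ip_address(p.src_ip)
        if any(src in ipaddress.ip_network(net) for net in self.src_nets):
            return "ip"
        if p.src_mac.lower() in self.macs:
            return "mac"
        if p.vlan in self.vlans:
            return "vlan"
        return None


class PacketFilter:
    def __init__(self, rules: List[Rule], exemptions: Optional[Exemptions] = None, default_action: str = DISCARD):
        self.rules = rules
        self.exemptions = exemptions if exemptions is not None else Exemptions()
        self.default_action = default_action

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason) so a log line can say why a packet was handled as it was."""
        why = self.exemptions.reason(p)
        if why is not None:
            return ACCEPT, f"exempt:{why}"
        for rule in self.rules:                   # first match wins, so order matters
            if rule.matches(p):
                return rule.action, f"rule:{rule.name}"
        return self.default_action, "default"


# Constructed sample policy: public HTTPS, SSH only from the management subnet, telnet rejected
RULES = [
    Rule("allow-https", ACCEPT, protocol="tcp", dst_ip="203.0.113.10", dst_port=443),
    Rule("allow-mgmt-ssh", ACCEPT, protocol="tcp", src_net="10.10.10.0/24", dst_port=22),
    Rule("reject-telnet", REJECT, protocol="tcp", dst_port=23),
]
FILTER = PacketFilter(RULES, Exemptions(vlans=frozenset({"internal"})))


def sample_packet(**overrides) -> Packet:
    """Constructed packet arriving from the Internet side; any field can be overridden."""
    fields = dict(protocol="tcp", src_ip="198.51.100.5", dst_ip="203.0.113.10", dst_port=443,
                  src_mac="00:00:5e:00:53:01", vlan="external")
    fields.update(overrides)
    return Packet(**fields)
```

Two properties of the model matter when reviewing a real policy: an exemption is a full bypass, so an exempt VLAN or MAC address is implicitly trusted (and of the four keys the MAC is the one chosen by the sender, so it is the weakest to rely on), and the default action decides the fate of everything the rules do not name, so a permissive default quietly undoes a deny list.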
This guide addresses some of the system management options that are common to all BIG-IP systems. These options include creating and maintaining administrative user accounts, configuring Simple Network Management Protocol (SNMP), and configuring and maintaining redundant systems.
You partially configure some of these options by running the Setup utility on the BIG-IP system. Once you have run the Setup utility, you can use the Configuration utility to complete the configuration of these options and to manage the BIG-IP system on an ongoing basis.
Partitions and user roles
You can create administrative partitions for local traffic-management objects (such as virtual servers and pools) and then give BIG-IP system administrators access to individual partitions. This imposes a finer granularity of access control on BIG-IP system users.
User accounts can reside either locally on the BIG-IP system, or remotely on a separate authentication server such as a Lightweight Directory Access Protocol (LDAP), Active Directory, or Remote Authentication Dial-In User Service (RADIUS) server. You can also manage the three special user accounts, including root and support.
For each new user account that you create, you can assign a user role that defines the type and level of access granted to that user. The available user roles are Administrator, Resource Administrator, User Manager, Application Editor, Application Security Policy Editor, and No Access.
If BIG-IP system user accounts are stored remotely on an authentication server, you can assign privileges (such as user role and partition access) on a group basis. A powerful remoterole command on the BIG-IP system can interoperate with the remote server to determine user groups and then assign a different set of privileges to each group.
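As an added example that is not code from the guide, the following Python model shows how the two ideas above combine: an authorization decision requires both that the user's role grants the operation and that the user may reach the partition holding the object, and a remotely authenticated user receives role and partition from the first configured group mapping that matches, falling back to No Access. The capability table is a simplified assumption for this example, not the product's role definitions; the `*` marker for "every partition", the operation names, and all group, user, and partition names are likewise constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Set


class Role(str, Enum):
    ADMINISTRATOR = "Administrator"
    RESOURCE_ADMINISTRATOR = "Resource Administrator"
    USER_MANAGER = "User Manager"
    APPLICATION_EDITOR = "Application Editor"
    APPLICATION_SECURITY_POLICY_EDITOR = "Application Security Policy Editor"
    NO_ACCESS = "No Access"


ALL_PARTITIONS = "*"   # this example's marker for "access to every partition"

# Simplified capability table: an assumption made for this example only
CAPABILITIES: Dict[Role, Set[str]] = {
    Role.ADMINISTRATOR: {"read", "modify", "manage_users", "manage_system", "modify_security_policy"},
    Role.RESOURCE_ADMINISTRATOR: {"read", "modify", "manage_system"},
    Role.USER_MANAGER: {"read", "manage_users"},
    Role.APPLICATION_EDITOR: {"read", "modify"},
    Role.APPLICATION_SECURITY_POLICY_EDITOR: {"read", "modify_security_policy"},
    Role.NO_ACCESS: set(),
}


@dataclass(frozen=True)
class Account:
    name: str
    role: Role
    partition: str        # one partition name, or ALL_PARTITIONS


def authorize(account: Account, operation: str, partition: str) -> bool:
    """Both checks must pass: the role grants the operation, and the account may reach the partition."""
    if operation not in CAPABILITIES[account.role]:
        return False
    return account.partition == ALL_PARTITIONS or account.partition == partition


@dataclass(frozen=True)
class GroupMapping:
    group: str            # group name returned by the remote LDAP, Active Directory or RADIUS server
    role: Role
    partition: str


def resolve_remote_account(name: str, groups: Iterable[str], mappings: List[GroupMapping]) -> Account:
    """The first mapping (in configured order) whose group the user belongs to wins.
    A user matching no mapping gets No Access, so an unmapped group never gains privileges by accident."""
    membership = set(groups)
    for mapping in mappings:
        if mapping.group in membership:
            return Account(name, mapping.role, mapping.partition)
    return Account(name, Role.NO_ACCESS, "")


# Constructed sample mappings; the most privileged group is listed first on purpose
MAPPINGS = [
    GroupMapping("ops-admins", Role.ADMINISTRATOR, ALL_PARTITIONS),
    GroupMapping("web-devs", Role.APPLICATION_EDITOR, "web-team"),
    GroupMapping("helpdesk", Role.USER_MANAGER, "web-team"),
]

if __name__ == "__main__":
    for user, groups in (("carol", ["staff", "web-devs"]), ("dave", ["staff"])):
        account = resolve_remote_account(user, groups, MAPPINGS)
        print(user, account.role.value, "modify web-team:", authorize(account, "modify", "web-team"))
```

Because the first matching mapping wins, the order of the mappings is itself part of the access policy: a user who belongs to several mapped groups gets whichever mapping appears first, so a review of group-based privileges should read the mappings top to bottom, not as an unordered set.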
Simple Network Management Protocol (SNMP) is an industry-standard protocol that allows you to manage the BIG-IP system remotely, along with other devices on the network. The BIG-IP system provides the SNMP agent and the MIB files that you need to manage the system remotely using SNMP. For more information, see Chapter 15, Configuring SNMP.
To ensure high availability of the BIG-IP system, you can set up a redundant system configuration. Then, if one BIG-IP system becomes unavailable, another BIG-IP system can immediately and automatically take over to process the traffic.
When you first run the Setup utility on a BIG-IP system, you specify whether the system is a unit of a redundant system configuration. When you configure two BIG-IP systems to function as units of a redundant system, a process known as failover occurs when one of those units becomes unavailable for any reason. Failover ensures that the BIG-IP system can still process traffic when a unit is unavailable.
In addition to supporting redundant system configurations, TMOS monitors the heartbeat of several critical system daemons, such as mcpd and tmrouted. Using the High Availability screens of the Configuration utility or a command line interface, you can specify the action that the BIG-IP system should take if the system fails to detect a daemon heartbeat. This process of monitoring heartbeats and taking action is known as fail-safe. For more information, see Chapter 14, Configuring High Availability.
Using the Syslog-ng utility, the BIG-IP system logs many different types of events related to the operating system, packet filtering, local traffic management, and auditing. You can use the Configuration utility to display each type of event. For specific types of local traffic events, because each individual event is associated with a severity, you can set a minimum log level on an event type. Setting a minimum log level on an event type determines which messages the system displays, based on event severity. For example, you can set a minimum log level of Warning on ARP-related events, which then causes the system to display only those ARP-related events that have a severity of Warning or higher (that is, more severe). For more information, see Chapter 17, Logging BIG-IP System Events.
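As an added example, not code from the guide, this Python snippet applies a per-event-type minimum log level to some constructed log lines in the way the paragraph describes. The severity names are the standard syslog levels in order of decreasing severity; the line layout (`<timestamp> <severity> <event type>: <message>`), the sample lines, and the fallback level of notice for event types without an explicit minimum are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Standard syslog severities, most severe first; lower rank means more severe
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RANK = {name: rank for rank, name in enumerate(SEVERITIES)}


@dataclass(frozen=True)
class Event:
    timestamp: str
    severity: str
    event_type: str
    message: str


# Constructed line layout for this example: "<Mon DD HH:MM:SS> <severity> <event type>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<sev>\w+) (?P<type>[\w-]+): (?P<msg>.*)$")


def parse_event(line: str) -> Event:
    match = LINE_RE.match(line)
    if match is None or match["sev"] not in RANK:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Event(match["ts"], match["sev"], match["type"], match["msg"])


def is_displayed(event: Event, min_levels: Dict[str, str], default_level: str = "notice") -> bool:
    """Show an event when its severity is at or above the minimum level set for its type."""
    threshold = min_levels.get(event.event_type, default_level)
    return RANK[event.severity] <= RANK[threshold]


def filter_log(lines: List[str], min_levels: Dict[str, str], default_level: str = "notice") -> List[str]:
    return [line for line in lines if is_displayed(parse_event(line), min_levels, default_level)]


# Constructed sample log lines
SAMPLE_LOG = [
    "Jan 10 09:00:01 warning arp: constructed: duplicate ARP reply for 10.10.10.50",
    "Jan 10 09:00:02 notice arp: constructed: ARP entry for 10.10.10.60 refreshed",
    "Jan 10 09:00:03 err arp: constructed: ARP request failed on VLAN internal",
    "Jan 10 09:00:04 info arp: constructed: ARP cache holds 120 entries",
    "Jan 10 09:00:05 notice packet-filter: constructed: rule reject-telnet matched 198.51.100.5",
    "Jan 10 09:00:06 info packet-filter: constructed: rule allow-https matched 198.51.100.5",
]

if __name__ == "__main__":
    for line in filter_log(SAMPLE_LOG, {"arp": "warning"}):
        print(line)
```

The direction of the comparison is the easy thing to get backwards: a minimum level of Warning keeps warning, err, crit, alert, and emerg and drops notice, info, and debug. When raising a minimum level to cut noise, keep in mind that the dropped notice-level lines may be exactly the ones an investigation later needs, so the decision is a trade-off rather than a free win.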
The BIG-IP system includes several different services. Some of these services, such as MCPD and TMM, must be running in order to process application traffic, while others, such as postfix, are optional.
Some services have heartbeats and are associated with failover in a redundant system. When you configure a redundant system, you can specify the action that you want the BIG-IP system to take if it fails to detect a heartbeat. For example, you can configure the BIG-IP system to reboot if it fails to detect a heartbeat for the MCPD service. Finally, there are times when you might need to stop a service in order to perform a specific system-management task. For example, we recommend that you stop the TMM service when installing a new version of the BIG-IP system. For more information, see Chapter 18, Configuring BIG-IP System Services.
Every BIG-IP system includes a set of essential configuration data that you create when you initially configure your system. To protect this data in the event of a system problem, you can create an archive, also known as a .ucs file. An archive is a backup copy of your configuration data that you create and store on the BIG-IP system. If your original configuration data becomes corrupted for some reason, you can use the archive to restore the data. As an added layer of protection, you can download your archives to a remote system, in case the BIG-IP system itself becomes unavailable. When the system is up and running again, you can upload the data back onto the system. For more information, see Chapter 16, Saving and Restoring Configuration Data.
In addition to creating a .ucs file, you can create a single configuration file, or .scf file. A single configuration file is a replicated set of BIG-IP system configuration data that you can use to identically configure another BIG-IP system in one simple operation. For more information, see the BIG-IP® Command Line Interface Guide.
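An added example, not part of the guide and not the .ucs or .scf format itself, of the backup-and-restore cycle the two paragraphs above describe with the integrity check a practitioner wants around it: a compressed tar stands in for the archive, a SHA-256 digest is recorded beside it when it is created, a restore is refused if the digest no longer matches (as it would after corruption in storage or tampering), and archive members that would write outside the restore directory are rejected. The sample configuration file names and contents are constructed.

```python
import hashlib
import hmac
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(archive_path: Path) -> Path:
    return archive_path.with_name(archive_path.name + ".sha256")


def create_archive(config_dir: Path, archive_path: Path) -> str:
    """Bundle config_dir into a compressed tar (stand-in for an archive) and record its digest."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(config_dir, arcname="config")
    digest = sha256_file(archive_path)
    manifest_for(archive_path).write_text(f"{digest}  {archive_path.name}\n")
    return digest


def verify_archive(archive_path: Path) -> bool:
    recorded = manifest_for(archive_path).read_text().split()[0]
    return hmac.compare_digest(recorded, sha256_file(archive_path))


def restore_archive(archive_path: Path, destination: Path) -> List[str]:
    """Restore only after the digest check passes; refuse members that would escape destination."""
    if not verify_archive(archive_path):
        raise ValueError(f"{archive_path.name}: digest mismatch, refusing to restore")
    destination = destination.resolve()
    with tarfile.open(archive_path, "r:gz") as tar:
        names = []
        for member in tar.getmembers():
            target = (destination / member.name).resolve()
            if target != destination and destination not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
            names.append(member.name)
        try:
            tar.extractall(destination, filter="data")   # safe-extraction filter where available
        except TypeError:                                # older Python without the filter argument
            tar.extractall(destination)
    return sorted(names)


def demo() -> Dict[str, object]:
    """Create, verify and restore; then corrupt the archive and show the restore is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        config_dir = root / "config"
        config_dir.mkdir()
        # Constructed sample configuration files
        (config_dir / "sample.conf").write_text("# constructed: pool web_pool, member 10.10.10.10:80\n")
        (config_dir / "sample_base.conf").write_text("# constructed: vlan internal, interface 1.1\n")
        archive = root / "backup.tar.gz"
        create_archive(config_dir, archive)
        verified_before = verify_archive(archive)
        restored = restore_archive(archive, root / "restore")
        with archive.open("ab") as fh:                  # simulate corruption or tampering in storage
            fh.write(b"\x00")
        verified_after = verify_archive(archive)
        try:
            restore_archive(archive, root / "restore2")
            refused = False
        except ValueError:
            refused = True
        return {"verified_before": verified_before, "restored": restored,
                "verified_after": verified_after, "refused": refused}


if __name__ == "__main__":
    print(demo())
```

The digest file lives next to the archive here for simplicity. When an archive is downloaded to a remote system as the guide suggests, record the digest on that remote side as well: an attacker or a fault that can rewrite the archive in place can usually rewrite a manifest stored beside it, and only a copy held elsewhere lets you tell the two apart.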
The BIG-IP system offers a browser-based utility for managing the BIG-IP system and, as an alternative, various command line utilities. Note that all procedures in this guide describe how to manage the system using the browser-based Configuration utility.
The Configuration utility is a browser-based application that you use to configure and monitor the BIG-IP system. Once you complete the instructions for the Setup utility, you can use the Configuration utility to perform the additional configuration steps necessary for your chosen load balancing solution. In the Configuration utility, you can also monitor current system performance, and download administrative tools such as the SNMP MIBs or the SSH client. For a list of browser versions that the Configuration utility supports, see the release notes for this product on the AskF5℠ Knowledge Base web site, https://support.f5.com.
One of the tasks you can perform with the Configuration utility is setting user preferences. Setting user preferences customizes the way that the Configuration utility displays information for you. For example, when you display a list of objects such as the virtual servers that you have created, the utility normally displays ten objects, or records, per screen. However, you can change this value so that the utility displays more, or fewer, than ten records per screen.
A table in this section lists and describes the preferences that you can configure to customize the display of the Configuration utility. Following this table is the procedure for configuring these preferences.
In addition to using the Configuration utility, you can also manage the BIG-IP system using command line utilities such as the bigpipe utility. To monitor the BIG-IP system, you can use certain bigpipe commands, or you can use the bigtop utility, which provides real-time system monitoring. You can use the command line utilities directly on the BIG-IP system console, or you can run commands using a remote shell, such as the SSH client or a Telnet client. For more information on command line utilities, see the BIG-IP® Command Line Interface Guide or the online man pages.
Before you use this guide, we recommend that you run the Setup utility on the BIG-IP system to configure basic network elements such as static and floating self IP addresses, interfaces, and VLANs, to name a few.
After running the Setup utility, you can further customize your system by using the Configuration utility to create local traffic management objects such as virtual servers, load balancing pools, and profiles.
In addition to this guide, there are other sources of documentation you can use in order to work with the BIG-IP system. The information is contained in the guides and documents described below. The following printed documentation is included with the BIG-IP system.
- Configuration Worksheet: This worksheet provides you with a place to plan the basic configuration for the BIG-IP system.
- BIG-IP Quick Start Instructions: This pamphlet provides you with the basic configuration steps required to get the BIG-IP system up and running in the network.
The following guides are available in PDF format from the AskF5℠ Knowledge Base web site, https://support.f5.com. These guides are also available from the first web page you see when you log in to the administrative web server on the BIG-IP system.
- Installation, Licensing, and Upgrades for BIG-IP Systems: This guide provides detailed information about installing upgrades to the BIG-IP system. It also provides information about licensing the BIG-IP system software and connecting the system to a management workstation or network.
- Configuration Guide for BIG-IP® Local Traffic Management: This guide contains the information you need for configuring the BIG-IP system to manage local network traffic. With this guide, you can perform tasks such as creating virtual servers and load balancing pools, configuring application and persistence profiles, implementing health monitors, and setting up remote authentication.
- BIG-IP® Command Line Interface Guide: This guide contains the information you need if you choose to configure the BIG-IP system using the command line interface instead of the Configuration utility. It includes instructions for handling specific tasks, but it does not include instructions for configuring every aspect of the system. It also contains an appendix with detailed information about the bigpipe utility.
All examples in this document use only private class IP addresses. When you set up the configurations we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.
To help you identify sections where a term is defined, the term itself is shown in bold italic text. For example, a floating IP address is an IP address assigned to a VLAN and shared between two computer systems.
We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands, such as variables and keywords. For example, with the bigpipe self <ip_address> show command, you can specify a particular self IP address to show by supplying an IP address for the <ip_address> variable.
We use italic text to denote a reference to another document. In references where we provide the name of a book as well as a specific chapter or section in the book, we show the book name in bold italic text, and the chapter or section name in italic text, to help quickly differentiate the two. For example, you can find information about SNMP traps in Appendix A, Troubleshooting SNMP Traps.
We show complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen. For example, the following command shows the configuration of the specified pool name:
A table in this section explains additional special conventions used in command line syntax.
- Online help for local traffic management: The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help for a screen.