Virtual Clustered Multiprocessing (vCMP) is a feature of the BIG-IP system that allows you to provision and manage multiple, hosted instances of the BIG-IP software on a single hardware device. A vCMP hypervisor allocates a dedicated amount of CPU, memory, and storage to each BIG-IP instance. As a vCMP system administrator, you can create BIG-IP instances and then delegate the management of the BIG-IP software within each instance to individual administrators.
A key part of the vCMP system is its built-in flexible resource allocation feature. With flexible resource allocation, you can instruct the hypervisor to allocate a different amount of resources to each BIG-IP instance according to the particular needs of that instance. The hypervisor provides these resources to BIG-IP instances in the form of cores, each of which contains a portion of system CPU and memory.
At a high level, the vCMP system includes two main components: the vCMP host and one or more vCMP guests.
This illustration shows a basic vCMP system with a host and four guests. Note that each guest has a different set of modules provisioned, depending on the guest's particular traffic requirements.
In addition to the host and guests, the vCMP system includes these components:
The BIG-IP system license authorizes you to provision the vCMP feature and create guests with one or more BIG-IP system modules provisioned. Note the following considerations:
You activate the BIG-IP system license when you initially set up the vCMP host.
To enable the vCMP feature, you perform two levels of provisioning. First, you provision the vCMP feature as a whole. When you do this, the BIG-IP system, by default, dedicates most of the disk space to running the vCMP feature, and in the process, creates the host portion of the vCMP system. Second, once you have configured the host to create the guests, each guest administrator logs in to the relevant guest and provisions the required BIG-IP modules. In this way, each guest can run a different combination of modules. For example, one guest can run BIG-IP Local Traffic Manager (LTM) only, while a second guest can run LTM and BIG-IP ASM.
The vCMP system separates the data plane network from the management network. That is, the host operates with the hardware switch fabric to control the guest data plane traffic. This provides true multi-tenancy by ensuring that traffic for a guest remains separate from all other guest traffic on the system.
The following illustration shows the separation of the data plane network from the management network.
Administering a vCMP system requires two distinct types of administrators: a vCMP host administrator who manages the host to create trunks and VLANs, create guests, and allocate resources to those guests, and a vCMP guest administrator who provisions and configures BIG-IP modules within a specific guest.
On a vCMP system, the administrative user accounts, roles, and associated access control mechanisms of a vCMP host are separate from those of the guests. This prevents a guest administrator from accessing either the host or other guests on the system, thereby ensuring the separation of administrative tasks across the vCMP deployment.
After you initially set up the vCMP host, you will have a standalone, multi-tenant vCMP system with some number of guests defined. A guest administrator will then be ready to provision and configure the BIG-IP modules within a guest to process application traffic. Optionally, if the host administrator has set up a second system with equivalent guests, a guest administrator can configure high availability for any two equivalent guests.
As a vCMP host administrator, you can configure each vCMP guest to be either bridged to or isolated from the management network.
When you create a vCMP guest, you can specify that the guest is a bridged guest. A bridged guest is one that is connected to the management network. This is the default network state for a vCMP guest. This network state bridges the guest's virtual management interface to the physical management interface on which the guest is running.
You typically log in to a bridged guest using its cluster management IP address, and by default, guest administrators with the relevant permissions on their user accounts have access to the bash shell, the BIG-IP Configuration utility, and the Traffic Management Shell (tmsh). However, if per-guest Appliance mode is enabled on the guest, administrators have access to the BIG-IP Configuration utility and tmsh only.
Although the guest and the host share the host's Ethernet interface, the guest appears as a separate device on the local network, with its own MAC address and IP address.
Note that changing the network state of a guest from isolated to bridged causes the vCMP host to dynamically add the guest's management interface to the bridged management network. This immediately connects the guest to the physical management network.
When you create a vCMP guest, you can specify that the guest is an isolated guest. Unlike a bridged guest, an isolated guest is disconnected from the management network. As such, the guest cannot communicate with other guests on the system. Also, because an isolated guest has no management IP address for administrators to use to access the guest, the host administrator, after creating the guest, must use the vconsole utility to log in to the guest and create a self IP address that guest administrators can then use to access the guest.
Appliance mode is a BIG-IP system feature that adds a layer of security in two ways:
You can implement Appliance mode in one of two ways:
When you enable Appliance mode on a guest, the system enhances security by preventing administrators from accessing the root-level advanced shell (bash).
If you want to use the BIG-IP version 11.5 Appliance mode feature on a guest, both the host and the guest must run BIG-IP version 11.5 or later.
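As an added example that is not part of the original documentation, the host-side tmsh commands for the bridged and isolated guest states described above, with per-guest Appliance mode enabled on the bridged guest, followed by the vconsole step and guest-side self IP that an isolated guest needs before its administrators can log in. The guest names, addresses, VLAN names and image filename are assumed, and the property names (management-network, appliance-mode, allow-service) are the 11.x tmsh vcmp guest and net self properties as I know them, not taken from this page.

```tmsh
# --- On the vCMP host (tmsh) ---
# Bridged guest: its virtual management interface is bridged to the host's
# physical management interface, so it needs a management IP and gateway.
# appliance-mode enabled removes bash access for guest administrators; both
# host and guest must run 11.5 or later for this to take effect.
# (guest names, IPs, VLANs and image filename are constructed examples)
create vcmp guest guest_bridged hostname guest-bridged.example.com management-network bridged management-ip 192.0.2.11/24 management-gw 192.0.2.1 initial-image BIGIP-11.5.0.0.0.221.iso cores-per-slot 2 vlans add { external internal } appliance-mode enabled state deployed

# Isolated guest: no management-ip is given because the guest is never
# attached to the management network and cannot reach other guests.
create vcmp guest guest_isolated hostname guest-isolated.example.com management-network isolated initial-image BIGIP-11.5.0.0.0.221.iso cores-per-slot 2 vlans add { internal } state deployed

save sys config

# Confirm the network state and Appliance mode actually applied; the
# isolated guest lists no management-ip.
list vcmp guest guest_bridged management-network appliance-mode
list vcmp guest guest_isolated management-network management-ip

# --- Still on the host, from the bash prompt (not tmsh) ---
# The isolated guest has no management address, so the host administrator
# opens its console to create the first login path.
vconsole guest_isolated

# --- Inside guest_isolated (tmsh), after logging in at the console ---
# A self IP on a data-plane VLAN is the address guest administrators will
# use from now on; allow-service default exposes only the default admin
# services on it.
create net self 10.10.10.5/24 vlan internal allow-service default
save sys config
```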