Manual Chapter : 3-DNS Administrator Guide version 4.2: Configuring the Base Network

Applies To:


3-DNS Controller versions 1.x - 4.x

  • 4.2 PTF-10, 4.2 PTF-09, 4.2 PTF-08, 4.2 PTF-07, 4.2 PTF-06, 4.2 PTF-05, 4.2 PTF-04, 4.2 PTF-03, 4.2 PTF-02, 4.2 PTF-01, 4.2.0
Chapter 5

Configuring the Base Network



Introduction

This chapter describes the 3-DNS interfaces and the related topics of self IP addresses, VLANs, and trunks. Interfaces are the network interface cards installed in the 3-DNS, and are designated by a number that specifies their physical position in the 3-DNS. A VLAN is a logical grouping of network interfaces. You can use a VLAN to logically group devices that are on different network segments. Self IP addresses are the IP addresses owned by the 3-DNS. A trunk is a group of interfaces associated for link aggregation and fail-over. Collectively, these objects are referred to in this manual as the base network.

The base network is what you configure when you run the Setup utility for the first time. This initial base network configuration also includes such things as the default gateway pool for the 3-DNS, fully qualified domain names, remote communications, and certificate information that can only be configured using the Setup utility. This chapter focuses on the VLAN and networking components of the Setup utility as you would configure them once the initial base network is in place. This chapter also discusses trunks and VLAN grouping, which you can configure only after you configure the initial base network for the first time. (To make changes to other base network components, such as remote access, default routes, and certificate information, refer to Chapter 4, Working with the Setup Utility .)

Each active interface on the 3-DNS must be configured with a VLAN membership, and each VLAN must have a self IP address. (Each interface can have one or more additional, floating self IP addresses as required.) You can change the self IP addresses or create any number of additional ones for a VLAN in floating form.

The configuration options for VLANs include tagging (which allows multiple VLANs to be configured on a single interface), creating new VLANS for additional interfaces, and associating a single VLAN with multiple interfaces. In addition, you can group separate VLANs for the purpose of sharing packets between them. This is known as VLAN grouping.

Trunks are aggregated links. In link aggregation, interfaces can be combined into a trunk to increase bandwidth in an additive manner. The other benefit of link aggregation is link fail-over. If one link in a trunk goes down, traffic is simply redistributed over the remaining links.

Configuring the interfaces

Typically, a 3-DNS has two network interfaces. The following sections describe the interface naming convention and explain how to display interface status, set the media type, and set the duplex mode for the interfaces in the 3-DNS.

Understanding the interface naming convention

By convention, the Ethernet interfaces on a 3-DNS take the name <s>.<p> where s is the slot number of the NIC, and p is the port number on the NIC. For the 2U platform, slot numbering is top-to-bottom and port numbering is left-to-right as shown in Figure 5.1.

Figure 5.1 Rear view of a 3-DNS with two interface ports

Displaying status for interfaces

Use the following syntax to display the current status and the settings for the installed interface cards:

b interface show

Figure 5.2 is an example of the output you see when you issue this command.

Figure 5.2 The bigpipe interface show command output

interface  speed      pkts  pkts  pkts  pkts  bits   bits   errors  trunk  STP
           Mb/s       in    out   drop  coll  in     out
1.1        UP 100 HD  0     213   0     0     0      74.2K  0
2.1        UP 100 HD  20    25    0     0     28.6K  33.9K  0

Use the following syntax to display the current status and the setting for a specific interface.

b interface <if_name> show

Setting the media type

You can set the media type to the specific media type for the interface card or to auto for auto detection. If the media type is set to auto and the card does not support auto detection, the default type for that interface is used, for example 100BaseTX.

Use the following syntax to set the media type:

b interface <if_name> media <media_type> | auto

(Default media type is auto.)

Note: If the 3-DNS is inter-operating with an external switch, the media setting should match that of the switch. To accomplish this, it is best to specify the setting explicitly, and not rely on automatic detection using auto.

Setting the duplex mode

You can set duplex mode to full or half duplex. If the media type does not allow duplex mode to be set, this is indicated by an onscreen message. If media type is set to auto, or if setting duplex mode is not supported for the interface, the duplex setting is not saved to bigip.conf.

Use the following syntax to set the duplex mode:

b interface <if_name> duplex full | half | auto

(Default mode is auto.)

Note: If the 3-DNS is inter-operating with an external switch, the duplex setting should match that of the switch. To accomplish this, it is best to specify the setting explicitly, and not rely on automatic detection using auto.
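The status output above is plain text, so the quickest way to review many units is to parse it. The following is an added example, not code from the guide or from F5: it parses the `b interface show` layout of Figure 5.2 (the sample below is a constructed copy of that figure) and flags links that are down, that show error or drop counters, or whose duplex does not match what the attached switch is set to, which is the mismatch the notes above warn about. The expected-duplex check is this example's own idea, not something the 3-DNS performs.

```python
"""Added example: parse the text that `b interface show` prints (Figure 5.2
layout) and flag interfaces worth a second look. The sample output is a
constructed copy of Figure 5.2; the expected-duplex check is this example's
own idea, not a check the 3-DNS performs."""
import re

# Constructed sample: the two header lines and two data rows of Figure 5.2.
SAMPLE_OUTPUT = """\
interface  speed      pkts  pkts  pkts  pkts  bits   bits   errors  trunk  STP
           Mb/s       in    out   drop  coll  in     out
1.1        UP 100 HD  0     213   0     0     0      74.2K  0
2.1        UP 100 HD  20    25    0     0     28.6K  33.9K  0
"""

# Counter columns, in the order the rows print them.
COUNTERS = ("pkts_in", "pkts_out", "pkts_drop", "pkts_coll",
            "bits_in", "bits_out", "errors")
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
# <s>.<p> name, link status, speed in Mb/s, duplex, then the counters.
ROW_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+(\d+)\s+(FD|HD)\s+(.*)$")


def to_number(token):
    """'74.2K' -> 74200.0, '213' -> 213.0."""
    if token[-1] in SUFFIX:
        return float(token[:-1]) * SUFFIX[token[-1]]
    return float(token)


def parse_interface_show(text):
    """Return one dict per interface row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        name, status, speed, duplex, rest = m.groups()
        tokens = rest.split()
        row = {"interface": name, "status": status,
               "speed_mbps": int(speed), "duplex": duplex}
        for field, token in zip(COUNTERS, tokens):
            row[field] = to_number(token)
        # Trailing trunk / STP columns are kept raw when a row has them.
        row["extra"] = tokens[len(COUNTERS):]
        rows.append(row)
    return rows


def check_interfaces(rows, expected_duplex="FD"):
    """Return (interface, reason) findings: a link that is not UP, a duplex
    that differs from what the attached switch is set to (the guide says the
    two must match), or non-zero error / drop counters."""
    findings = []
    for r in rows:
        if r["status"] != "UP":
            findings.append((r["interface"], "link is " + r["status"]))
        if r["duplex"] != expected_duplex:
            findings.append((r["interface"],
                             "duplex %s, switch side expected %s"
                             % (r["duplex"], expected_duplex)))
        errors, drops = r.get("errors", 0), r.get("pkts_drop", 0)
        if errors or drops:
            findings.append((r["interface"],
                             "errors=%d drops=%d" % (errors, drops)))
    return findings


if __name__ == "__main__":
    for iface, reason in check_interfaces(parse_interface_show(SAMPLE_OUTPUT)):
        print(iface, reason)
```

Run against Figure 5.2 with the default expectation of full duplex, both interfaces are reported because they are at HD; pass `expected_duplex="HD"` when the switch side really is half duplex and the report is empty.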

Configuring a self IP address

A self IP address is an IP address mapping to one or more VLANs and their associated interfaces on a 3-DNS. You assign a self IP address to each interface on the unit as part of the initial configuration, and you also assign a floating (shared) alias for units in a redundant system. You can create additional self IP addresses for health checking, gateway failsafe, routing, or other purposes. You create additional self IP addresses using the self command in the bigpipe utility. (See the 3-DNS Reference Guide, Appendix C, bigpipe Command Reference, for more information.)

To add a self IP address to a VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. In the VLANs screen, click the Self IP Addresses tab.
    The Self IP Addresses screen opens.
  3. On the Self IP Addresses screen, click the Add button.
    The Add Self IP Address screen opens.
  4. In the IP Address box, type the self IP address to be assigned.
  5. In the Netmask box, type an optional netmask.
  6. In the Broadcast box, type an optional broadcast address.
  7. If you want to configure the self IP address as a floating address, check the Floating box.
  8. In the VLAN box, type the name of the VLAN to which you want to assign the self IP address.
  9. Click the Done button.

To add a self IP address to a VLAN from the command line

Assigning a self IP address to a VLAN automatically maps it to the VLAN's interfaces. Use the following syntax:

b self <addr> vlan <vlan_name> [ netmask <ip_mask> ][ broadcast <broadcast_addr>] [unit <id>]

You can add any number of additional self IP addresses to a VLAN to create aliases. For example:

b self 11.11.11.4 vlan external

b self 11.11.11.5 vlan external

b self 11.11.11.6 vlan external

b self 11.11.11.7 vlan external

Also, any one self IP address can have floating enabled to create a floating alias that is shared by both units of a 3-DNS redundant pair:

b self 11.11.11.8 floating enable

Configuring trunks

Link aggregation is the grouping of links (individual physical interfaces) to form a trunk. Link aggregation increases the bandwidth of the individual links in an additive manner. Thus, four fast Ethernet links, if aggregated, create a single 400 Mbps link. The other advantage of link aggregation is link fail-over. If one link in a trunk goes down, traffic is simply redistributed over the remaining links.

A trunk must have a controlling link, and it acquires all the attributes of that controlling link from layer 2 and above. The trunk automatically acquires the VLAN membership of the controlling link, but does not acquire its media type and speed. Outbound packets to the controlling link are load balanced across all of the known-good links in the trunk. Inbound packets from any link in the trunk are treated as if they came from the controlling link.

You can create a trunk with a maximum of eight links. For optimal performance, links should be aggregated in powers of two. Thus, you ideally will aggregate two, four, or eight links.

To configure a trunk using the Configuration utility

  1. In the navigation pane, click Network.
    The Network screen opens.
  2. Click the Trunks tab.
    The Trunks screen opens.
  3. On the Trunks screen, click the Add button.
    The Add Trunk screen opens.
  4. From the Available Interfaces list, select the link that is to be the controlling link, and click controlling >>.
    The interface appears at the top of the Aggregated Interfaces list.
  5. From the Available Interfaces list, select the remaining link(s) and click aggregated >>.
    The interface(s) appears in the Aggregated Interfaces list below the controlling link.
  6. Click Done.

To configure a trunk from the command line

Use the following syntax to configure a trunk from the command line:

b trunk <controlling_if> define <if_list>

Interfaces are specified using the s.p naming convention, where s is slot number and p is port number. An <if_list> is one or more such interfaces, with multiple interfaces separated by spaces.

For more information on interface naming, refer to Understanding the interface naming convention, on page 5-2.

Working with VLANs

A VLAN, or virtual local area network, is a grouping of separate networks that causes them to behave as if they were a single local area network, whether or not there is a direct Ethernet connection between them. A VLAN can be associated with one or more interfaces on one or more systems. VLANs are configured using software rather than hardware, which offers a great degree of flexibility. VLAN segmentation localizes broadcast traffic and also provides security.

Acting as a layer 2 switch, the 3-DNS supports two types of VLANs: interface-group (untagged), and tagged. The difference is in the method by which traffic is passed among the interfaces that are members of the VLAN. An interface group VLAN allows untagged traffic onto a member interface based on a table of member MAC addresses. A tagged VLAN allows tagged traffic onto a member interface based on the interface having a tag ID matching that of the packets.

A 3-DNS interface can belong to only one untagged VLAN, but can belong to multiple tagged VLANs. Tagging therefore becomes a way of accepting traffic from multiple VLANs onto one 3-DNS interface.

Note: You should use VLAN tagging only if you are running the 3-DNS in bridge mode.

Interface group VLANs and the default VLAN mapping

By default, the Setup utility configures each interface on the 3-DNS as an untagged member of an interface-group VLAN. The 3-DNS makes the lowest-numbered interface in that group a member of the VLAN external, and makes the remaining interface a member of the VLAN internal. In most 3-DNS configurations, you use only one VLAN, external. This creates the mapping shown in Figure 5.3.

Figure 5.3 VLAN on a 3-DNS

VLAN flexibility is such that separate IP networks can belong to a single VLAN, while a single IP network can be split among multiple VLANs. The latter case allows the 3-DNS (when running in bridge mode) to be inserted into an existing LAN without reconfiguring the existing DNS server.

Working with the VLAN commands

You can create, rename, or delete tagged and untagged VLANs using the Configuration utility, or from the command line. Table 5.1 summarizes the VLAN command options.

Table 5.1 Configuration properties of VLANs

Option                       Description

Default VLAN configuration   The Setup utility provides a default VLAN configuration. On a typical unit with two interfaces, you create an internal and external VLAN.

Create VLAN                  Create, rename, or delete a VLAN. Typically, one untagged VLAN is assigned to one interface.

Tag VLANs                    You can tag VLANs and associate a single interface to multiple tagged VLANs.

Set VLAN security            You can set port lockdown by VLAN.

Set fail-safe timeouts       You can set a fail-safe timeout on a VLAN. You can use a fail-safe timeout to trigger fail-over in a redundant system.

Self IP addresses            You can set one or more self IP addresses for VLANs.

MAC masquerade               You can use this attribute to set up a media access control (MAC) address that is shared by a redundant system. If you use a redundant system in a network that has secure hubs, or you want to run a redundant system in bridge mode, you should configure the MAC masquerade address.

Creating, renaming, and deleting VLANs

Typically, if you use the default configuration, one VLAN is assigned to each interface in the system. However, if you need to change your network configuration, or if the default VLANs are not adequate for a network configuration, you can create new VLANs, rename existing VLANs, or delete a VLAN.

To create a VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Add button to start the Add VLAN wizard.
  3. In the Add VLAN screen, type the attributes for the VLAN. For more information about VLANs, click the Help button.

To rename or delete a VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. In the VLANs screen, use one of the following options:
     • To rename a VLAN, click the VLAN name you want to change. The VLAN properties screen opens. Type the new name in the VLAN name box.
     • To delete a VLAN, click the Delete button for the VLAN you want to delete.

To create, rename, or delete a VLAN from the command line

To create a VLAN from the command line, use the following syntax:

b vlan <vlan name> interfaces add <if name> <if name>

For example, if you want to create a VLAN named my_vlan that contains the interfaces 1.1 and 1.2, type the following command:

b vlan my_vlan interfaces add 1.1 1.2

To rename an existing VLAN, use the following syntax:

b vlan <vlan name> rename <new vlan name>

For example, if you want to rename the VLAN my_vlan to your_vlan, type the following command:

b vlan my_vlan rename your_vlan

To delete a VLAN, use the following syntax:

b vlan <vlan name> delete

For example, to delete the VLAN named your_vlan, type the following command:

b vlan your_vlan delete

Configuring VLAN groups

A VLAN group is a grouping of two or more VLANs belonging to the same IP network for the purpose of allowing layer 2 packet forwarding, also known as L2 forwarding, between those VLANs.

For a VLAN group to use layer 2 forwarding, you must configure the following 3-DNS features:

  • The VLANs between which the packets are to be passed must be on the same IP network.
  • The VLANs between which the packets are to be passed must be grouped.
  • Layer 2 forwarding must be enabled for the VLAN group.
  • A self IP address must be assigned to the VLAN group for routing purposes.

To create a VLAN group from the command line

You can define a VLAN group from the command line using the vlangroup command. For example:

b vlangroup network11 vlans add internal external

To assign the self IP address to the VLAN group, use the following syntax:

b self <ip address> vlan <vlangroup name>

You must enable layer 2 forwarding for the VLAN group using the vlan proxy_forward attribute. This attribute is enabled by default when the VLAN group is enabled. To verify that proxy forwarding is enabled, type the following command:

b vlans show

Check the output of the VLAN group for proxy_forward enable.
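The self IP rules from earlier in this chapter (each VLAN needs a self IP, a floating alias is shared by the redundant pair) and the VLAN group rules just listed (grouped VLANs must sit on one IP network, and the group itself gets a self IP) are easy to get wrong by hand. The following is an added example, not code from the guide or from F5: it checks a planned layout against those rules with the standard library's ipaddress module and renders the bigpipe commands in the syntax given above. The external addresses are the chapter's own; the plan structure, the 10.10.10.0/24 internal network, and the dmz VLAN used in the test are constructed for the example.

```python
"""Added example: sanity-check a planned self IP / VLAN layout against the
rules this chapter states (every VLAN carries a non-floating self IP, VLANs
that are to be grouped must share one IP network) and render the matching
bigpipe commands. The plan structure and the internal network are
constructed; the external addresses are the chapter's own."""
import ipaddress

# Constructed plan: vlan -> list of (self IP, netmask, floating?).
PLAN = {
    "external": [
        ("11.11.11.4", "255.255.255.0", False),
        ("11.11.11.5", "255.255.255.0", False),
        ("11.11.11.8", "255.255.255.0", True),   # shared by the redundant pair
    ],
    "internal": [
        ("10.10.10.4", "255.255.255.0", False),  # assumed internal network
    ],
}


def network_of(addr, mask):
    """The IP network a self IP belongs to, e.g. 11.11.11.0/24."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def check_self_ips(plan):
    """Problems with the plan: a VLAN with no non-floating self IP (the unit
    itself needs one), or self IPs on one VLAN that fall on different networks."""
    problems = []
    for vlan, entries in plan.items():
        if not any(not floating for _, _, floating in entries):
            problems.append(f"{vlan}: no non-floating self IP")
        nets = {network_of(a, m) for a, m, _ in entries}
        if len(nets) > 1:
            problems.append(f"{vlan}: self IPs span {len(nets)} networks")
    return problems


def can_group(plan, vlans):
    """True if the VLANs may form a VLAN group for L2 forwarding: two or more
    VLANs whose self IPs all fall on the same IP network, as the chapter requires."""
    if len(vlans) < 2:
        return False
    nets = set()
    for vlan in vlans:
        nets.update(network_of(a, m) for a, m, _ in plan[vlan])
    return len(nets) == 1


def render_commands(plan, group=None):
    """bigpipe commands in the syntax this chapter gives for self IPs and
    VLAN groups; `group` is an optional (group_name, [vlans], group_self_ip)."""
    cmds = []
    for vlan, entries in plan.items():
        for addr, mask, floating in entries:
            cmds.append(f"b self {addr} vlan {vlan} netmask {mask}")
            if floating:
                cmds.append(f"b self {addr} floating enable")
    if group:
        name, vlans, self_ip = group
        if not can_group(plan, vlans):
            raise ValueError(f"{name}: VLANs are not on one IP network")
        cmds.append(f"b vlangroup {name} vlans add " + " ".join(vlans))
        cmds.append(f"b self {self_ip} vlan {name}")
    return cmds


if __name__ == "__main__":
    for problem in check_self_ips(PLAN):
        print("problem:", problem)
    print("\n".join(render_commands(PLAN)))
```

With the plan as written, grouping internal and external is refused because 10.10.10.0/24 and 11.11.11.0/24 are different networks; a second VLAN on 11.11.11.0/24 can be grouped with external, and the rendered command list ends with the vlangroup and group self IP commands from this section.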

Configuring tagged VLANs

A tagged VLAN has a tag number associated with it. Any 3-DNS interface that is explicitly added to the tagged VLAN can send traffic tagged with that number, and can accept traffic that is similarly tagged (meaning the traffic originated from another member interface). Although you add the interface to the VLAN, in practice we usually use tagging to associate multiple VLANs with a single interface.

You can create VLANs with or without specified tags. If you do not specify a tag, 3-DNS automatically assigns one to the VLAN. Therefore, a VLAN always has a tag; whether it functions as a tagged VLAN depends on whether it actually has tagged members.

Tagging a VLAN

You can create tagged VLANs, tag existing VLANs, and add multiple tagged VLANs to a single interface. There are three steps to creating multiple tagged VLANs on one interface.

  • Create the VLANs for which you want to tag the interface.
  • Mark the interface as tagged.
  • Add the tagged VLANs to the tagged interface.

To create a tagged VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the Add button.
    The Add VLAN screen opens.
  3. On the Add VLAN screen, enter the VLAN name and specify the tagged interfaces by selecting them from the Resources list and clicking tagged >>.
  4. Configure the other VLAN options as needed, and click the Done button. (It is not necessary to fill in a VLAN tag number. This is done automatically.)

To tag an existing VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.
  3. On the screen, specify the tagged interfaces by selecting them from the Resources list and clicking tagged >>. (It is not necessary to fill in a VLAN tag number. This is done automatically.)

To create a tagged VLAN from the command line

You create a new tagged VLAN using the bigpipe vlan tag command, specifying a tag number. For example:

b vlan my_vlan tag 1209

A tagged VLAN is mapped to one or more interfaces (or an untagged VLAN is tagged and mapped to one or more interfaces) using the tagged flag. For example:

b vlan external interfaces add tagged 4.1 5.1 5.2

The effect of the command is to place a tag on interfaces 4.1, 5.1, and 5.2, which in turn makes external a tagged VLAN. (However, it remains an untagged VLAN for interfaces that are part of it but not tagged.)

An interface can carry more than one tag; that is, it can be a member of more than one tagged VLAN:

b vlan external interfaces add tagged 4.1

b vlan internal interfaces add tagged 4.1

Setting up security for VLANs

You can lock down a VLAN to prevent direct connection to the 3-DNS through that VLAN. This lockdown can be overridden for specific services by enabling the corresponding global variable for that service. For example:

b global open_ssh_port enable

To enable or disable port lockdown using the Configuration utility

  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.
  3. To enable port lockdown, check the Port Lockdown box.
    To disable port lockdown, clear the Port Lockdown check box.

To enable or disable port lockdown from the command line

To enable port lockdown, type:

b vlan <vlan_name> port_lockdown enable

To disable port lockdown, type:

b vlan <vlan_name> port_lockdown disable

Setting fail-safe timeouts for VLANs

For redundant 3-DNS systems, a unit fails over when it detects the loss of traffic on a VLAN and the traffic is not restored within the fail-over timeout period for that VLAN. You can enable a fail-safe mechanism that attempts to generate traffic when half the timeout has elapsed. If the attempt is successful, the fail-over is stopped.

To set the fail-over timeout and arm the fail-safe using the Configuration utility

  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.
  3. Check the Arm Failsafe box, and specify the timeout in seconds in the Timeout box.

To set the fail-over timeout and arm the fail-safe from the command line

Using the vlan command, you can set the timeout period and also arm or disarm the fail-safe.

To set the timeout, type:

b vlan <vlan_name> timeout <timeout_in_seconds>

To arm the fail-safe, type:

b vlan <vlan_name> failsafe arm

To disarm the fail-safe, type:

b vlan <vlan_name> failsafe disarm

Setting the MAC masquerade address

You can share the media access control (MAC) masquerade address between 3-DNS units in a redundant system. This has the following advantages:

  • Increased reliability and failover speed
  • Inter-operability with switches that are slow to respond to network changes
  • Inter-operability with switches that are configured to ignore network changes

The MAC address for a VLAN is the MAC address of the first interface to be mapped to the VLAN, typically 1.1 for external and 1.2 for internal. You can view the interfaces mapped to a VLAN using the following command:

b vlan show

You can view the MAC addresses for the interfaces on the 3-DNS using the following command:

b interface show verbose

Use the following syntax to set the MAC masquerade address that will be shared by both 3-DNS units in the redundant system.

b vlan <vlan_name> mac_masq <MAC_addr>

Warning: You must specify a default route before using the mac_masq command. You specify the default route in the /etc/hosts and /etc/netstart files.

Find the MAC address on both the active and standby units, and choose one that is similar but unique. A safe technique for choosing the shared MAC address follows.

Suppose you want to set up mac_masq on the external interfaces. Using the b interface show command on the active and standby units, you note that their MAC addresses are:

Active: 1.1 = 0:0:0:ac:4c:a2

Standby: 1.1 = 0:0:0:ad:4d:f3

In order to avoid packet collisions, you now must choose a unique MAC address as the MAC masquerade address. The safest way to do this is to select one of the addresses and logically OR the first byte with 0x40. This makes the MAC address a locally administered MAC address.

In this example, either 40:0:0:ac:4c:a2 or 40:0:0:ad:4d:f3 would be a suitable shared MAC address to use on both 3-DNS units in the redundant system. The shared MAC address is used only when the 3-DNS is in active mode. When the unit is in standby mode, the original MAC address of the network card is used.

If you do not configure mac_masq, on startup, or when transitioning from standby mode to active mode, the 3-DNS sends gratuitous ARP requests to notify the default router and other systems on the local Ethernet segment that its MAC address has changed. See RFC 826 for more details on ARP.

Note: The MAC masquerade information is stored in the bigip_base.conf file.
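The selection procedure above (take one unit's interface MAC, OR its first byte with 0x40, and confirm the result collides with neither unit's real address) is small enough to script so that the same choice is made consistently across pairs. The following is an added example, not code from the guide or from F5: it implements the chapter's rule on the two addresses printed above, accepts the loose colon form that bigpipe prints, and falls back to the standby unit's address when the active unit's candidate would collide with a real MAC.

```python
"""Added example: derive and check a MAC masquerade address the way this
chapter describes (copy one unit's interface MAC and OR its first byte with
0x40), making sure the result is unique against both units' real addresses.
The two addresses are the ones the chapter prints."""

# From the chapter's example: interface 1.1 on the active and standby units.
ACTIVE_MAC = "0:0:0:ac:4c:a2"
STANDBY_MAC = "0:0:0:ad:4d:f3"


def parse_mac(text):
    """Accept the loose colon form bigpipe prints ('0:0:0:ac:4c:a2') as well
    as zero-padded '00:00:00:ac:4c:a2'; return the six octets as ints."""
    parts = text.strip().lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    octets = [int(p, 16) for p in parts]
    if any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    return octets


def format_mac(octets):
    """Print in the same loose form the chapter uses, e.g. 40:0:0:ac:4c:a2."""
    return ":".join(f"{o:x}" for o in octets)


def masquerade_candidate(mac):
    """The chapter's rule: OR the first byte with 0x40."""
    octets = parse_mac(mac)
    octets[0] |= 0x40
    return format_mac(octets)


def choose_mac_masq(active_mac, standby_mac):
    """Return a shared address that equals neither unit's real MAC, trying the
    active unit's address first; raise if both candidates collide (which
    happens when both real MACs already have that bit set)."""
    real = {format_mac(parse_mac(m)) for m in (active_mac, standby_mac)}
    for base in (active_mac, standby_mac):
        cand = masquerade_candidate(base)
        if cand not in real:
            return cand
    raise ValueError("both candidates collide with a real interface MAC")


if __name__ == "__main__":
    mac = choose_mac_masq(ACTIVE_MAC, STANDBY_MAC)
    # Command form from this section; run it on both units of the pair.
    print("b vlan external mac_masq " + mac)
```

For the chapter's two addresses the result is 40:0:0:ac:4c:a2, the first of the two suitable values the text names; the uniqueness check is what keeps the shared address from duplicating a card's burned-in MAC on the same segment, which is the collision the text warns about.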