Manual Chapter : BIG-IP Reference Guide v4.1: Configuring the Base Network

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.1.1 PTF-06, 4.1.1 PTF-05, 4.1.1 PTF-04, 4.1.1 PTF-03, 4.1.1 PTF-02, 4.1.1 PTF-01, 4.1.1, 4.1.0


Chapter 2: Configuring the Base Network



Introduction

This chapter describes the BIG-IP interfaces and the related topics of self IP addresses, VLANs, Trunks, Spanning Tree Protocol (STP) domains, and port mirrors. Collectively, these objects are referred to in this manual as the base network, as distinct from the high-level network, which is built on load-balancing pools.

The base network, or at least an initial version of it, is what you configure when you run the First-Time Boot utility as described in the BIG-IP Installation Guide. This initial base network also includes such things as the default route for the BIG-IP, fully qualified domain names, and certificate information that can only be configured using the First-Time Boot utility or its sub-utilities. This section focuses on interface settings, self IP addresses, and VLANs as you would configure them once an initial base network is in place, and also covers trunks, STP domains, and port mirrors, which can be configured only at this point. (To make changes to other base network components, such as domain names, default routes, and certificate information, refer to the BIG-IP Installation Guide, or to Chapter 6, BIG-IP Base Configuration Tools, which describes the First-Time Boot utility and its various sub-utilities.)

A BIG-IP may have anywhere from two to twenty-eight network interfaces. Each active interface must be configured with a VLAN membership and each VLAN must have a self IP address. (It may have one or more additional, floating self IP addresses as required.) You can change self IP addresses or create any number of additional ones for a VLAN in floating form.

VLAN options include tagging (which allows multiple VLANs to be configured on a single interface), creating new VLANS for additional interfaces, and associating a single VLAN with multiple interfaces. In addition, you can group separate VLANs for the purpose of sharing packets between them.

Most things commonly thought of as attaching to interfaces, principally addresses and the various things that have addresses (virtual servers, NATs, SNATs, and proxies), are now attached instead to the VLAN associated with the interface. Exceptions are trunks, STP domains, and port mirrors.

  • Trunks are aggregated links. In link aggregation, interfaces can be combined into a trunk to increase bandwidth in an additive manner. The other benefit of link aggregation is link fail-over. If one link in a trunk goes down, traffic is simply redistributed over the remaining links.
  • Spanning Tree Protocol (STP) domains provide for loop resolution in configurations where one or more external switches is connected in parallel with an IP Application Switch. For more information about Spanning Tree Protocol, refer to the IEEE 802.1D standard.
  • Port mirroring allows you to copy traffic from any interface or set of interfaces on a BIG-IP Application Switch to a single, separate interface. Typically you would install a sniffer device on the target port for debugging and/or monitoring.

Interfaces

A BIG-IP can have as few as two network interfaces and as many as twenty-eight. Interface names are fixed according to the naming convention described below. Properties that are configurable on the interfaces include media and duplex, as shown in Table 2.1.

Table 2.1 The attributes you can configure for an interface

Attribute   Description
media       You may specify a media type or use auto for automatic detection.
duplex      You may specify a full or half duplex mode, or use auto for automatic selection.

Interface naming convention

By convention, the Ethernet interfaces on a BIG-IP take the name <s>.<p> where s is the slot number of the NIC, and p is the port number on the NIC. As shown in Figure 2.1, for the 4U platform, slot numbering is left-to-right, and port numbering is top-to-bottom. Note that slot 1 is reserved for the onboard NIC whether or not it is present.

Figure 2.1 Vertical slot and port numbering

For the 2U platform, slot numbering is top-to-bottom and port numbering is left-to-right as shown in Figure 2.2.

Figure 2.2 Horizontal slot and port numbering

For the Application Switch, slot numbering is left-to-right and port numbering is top-to-bottom as shown in Figure 2.3. Note that slot 2 is used for the gigabit ports, and slot 3 for a dedicated administrative port.

When a bigpipe command calls for a list of interfaces, the list may consist of one or more interfaces, with multiple interfaces separated by spaces. For example:

2.1 2.2 2.4 2.6

Figure 2.3 Application Switch slot and port numbering

Displaying status for interfaces

Use the following syntax to display the current status and the settings for all installed interface cards:

b interface show

Figure 2.4 is an example of the output you see when you issue this command on an active/standby unit in active mode.

Figure 2.4 The bigpipe interface show command output

interface    speed   pkts  pkts  pkts  pkts   bits   bits  errors  trunk  STP
             Mb/s      in   out  drop  coll     in    out
5.1  UP    100 HD       0   213     0     0      0  74.2K       0
4.1  UP    100 HD      20    25     0     0  28.6K  33.9K       0

Use the following syntax to display the current status and the setting for a specific interface.

b interface <if_name> show
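The following script is an added example, not part of this manual and not F5 code. It parses the column layout of Figure 2.4 and reports what an operator checks after running b interface show: links that are not up, half-duplex settings to confirm against the peer switch (see the note under Setting the media type), and non-zero error, drop, or collision counters, since collisions on a link are the usual sign of a duplex mismatch. The sample output is constructed in the Figure 2.4 layout; the third row is invented to exercise the checks, and the trunk and STP columns, blank in the sample, are not parsed.

```python
import re

# Constructed sample in the layout of Figure 2.4 (not output captured from a device).
# The third row is invented so that every check below has something to report.
SAMPLE_OUTPUT = """\
interface    speed   pkts  pkts  pkts  pkts   bits   bits  errors  trunk  STP
             Mb/s      in   out  drop  coll     in    out
5.1  UP    100 HD       0   213     0     0      0  74.2K       0
4.1  UP    100 HD      20    25     0     0  28.6K  33.9K       0
3.1  DOWN  100 FD     500   480    12     7  61.0K  52.3K      13
"""

_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_IF_NAME = re.compile(r"\d+\.\d+")   # the <s>.<p> slot.port naming convention


def parse_count(token):
    """Convert a counter such as '213' or '74.2K' to an integer."""
    unit = token[-1].upper()
    if unit in _SUFFIX:
        return int(round(float(token[:-1]) * _SUFFIX[unit]))
    return int(token)


def parse_interface_show(text):
    """Parse the data rows of 'b interface show' into a list of dicts (header rows are skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows begin with an s.p interface name and carry at least 11 fields.
        if len(parts) < 11 or not _IF_NAME.fullmatch(parts[0]):
            continue
        rows.append({
            "name": parts[0],
            "status": parts[1],
            "speed_mbps": int(parts[2]),
            "duplex": parts[3],                 # HD or FD
            "pkts_in": parse_count(parts[4]),
            "pkts_out": parse_count(parts[5]),
            "drop": parse_count(parts[6]),
            "coll": parse_count(parts[7]),
            "bits_in": parse_count(parts[8]),
            "bits_out": parse_count(parts[9]),
            "errors": parse_count(parts[10]),
        })
    return rows


def audit_interfaces(rows):
    """Return {interface: [observations]} for every interface that deserves a look."""
    findings = {}
    for r in rows:
        notes = []
        if r["status"] != "UP":
            notes.append("link down")
        if r["duplex"] == "HD":
            notes.append("half duplex: confirm the peer switch port is set the same way")
        if r["coll"]:
            notes.append(f"{r['coll']} collisions: typical of a duplex mismatch")
        if r["errors"]:
            notes.append(f"{r['errors']} errors")
        if r["drop"]:
            notes.append(f"{r['drop']} dropped packets")
        if notes:
            findings[r["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit_interfaces(parse_interface_show(SAMPLE_OUTPUT)).items():
        print(name, "->", "; ".join(notes))
```

To run it against a live unit, replace SAMPLE_OUTPUT with the captured text of b interface show; the parser keys on the s.p interface name at the start of each data row, so extra header lines are harmless.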

Setting the media type

You can set the media type to the specific media type for the interface card or to auto for auto detection. If the media type is set to auto and the card does not support auto detection, the default type for that interface is used, for example 1000BaseTX.

Use the following syntax to set the media type:

b interface <if_name> media <media_type> | auto

(Default media type is auto.)

Note: If the BIG-IP is inter-operating with an external switch, the media setting should match that of the switch. To accomplish this, it is best to specify the setting explicitly, and not rely on automatic detection using auto.

Setting the duplex mode

You can set duplex mode to full or half duplex. If the media type does not allow duplex mode to be set, this is indicated by an onscreen message. If media type is set to auto, or if setting duplex mode is not supported for the interface, the duplex setting is not saved to bigip.conf.

Use the following syntax to set the duplex mode:

b interface <if_name> duplex full | half | auto

(Default mode is auto.)

Note: If the BIG-IP is inter-operating with an external switch, the duplex setting should match that of the switch. To accomplish this, it is best to specify the setting explicitly, and not rely on automatic selection using auto.

VLANs

A VLAN is a grouping of separate networks that causes them to behave as if they were a single local area network, whether or not there is a direct ethernet connection between them. Equally important, you can make nodes on the same network behave as if they were on separate networks by placing them on separate VLANs. This VLAN segmentation localizes broadcast traffic and also provides security.

Acting as a Layer 2 switch, the BIG-IP supports two types of VLANs: interface-group (untagged), and tagged. The difference is in the method by which traffic is passed among the interfaces that are members of the VLAN. An interface group VLAN allows untagged traffic onto a member interface based on a table of member MAC addresses. A tagged VLAN allows tagged traffic onto a member interface based on the interface having a tag ID matching that of the packets.

A BIG-IP interface can belong to only one untagged VLAN but to multiple tagged VLANs. Tagging therefore becomes a way of accepting traffic from multiple VLANs onto one BIG-IP interface.

Interface group VLANs and the default VLAN mapping

By default, the First-Time Boot utility configures each interface on the BIG-IP as an untagged member of an interface-group VLAN. The BIG-IP identifies the fastest interfaces, makes the lowest-numbered interface in that group a member of the VLAN external, and makes all remaining interfaces members of the VLAN internal. This creates the mapping shown in Figure 2.5.

Figure 2.5 VLANs

As Figure 2.5 shows, VLAN flexibility is such that separate IP networks can belong to a single VLAN, while a single IP network can be split among multiple VLANs. (The latter case allows the BIG-IP to be inserted into an existing LAN without renaming the nodes.) The VLANs named external and internal are separate networks, and in the configuration shown they behave like separate networks. The networks belonging to VLAN internal are also separate networks, but have been made to behave like a single network. You accomplish this using a feature called VLAN bridging.

VLAN grouping and L2 forwarding

In the example shown in Figure 2.5, VLANs external and internal represent separate networks that were originally a single network. You can make them behave like a single network again, much like the networks contained in VLAN internal. You accomplish this by grouping them as shown in Figure 2.6.

Figure 2.6 VLANs and a VLAN group

Grouping allows nodes on the separate VLANs to exchange packets directly using a configurable feature called L2 forwarding. L2 forwarding is the equivalent of bridging where you want communication between VLANs.

Tagged VLANs

A tagged VLAN has a tag number associated with it. Any BIG-IP interface that is explicitly added to the VLAN may send traffic tagged with that number, and can accept traffic that is similarly tagged (meaning the traffic originated from another member interface). Although it is the interface that is added to the VLAN, in practice tagging is usually used to associate multiple VLANs with a single interface. An example is shown in Figure 2.7.

Figure 2.7 Equivalent solutions using untagged and tagged VLANs

The configuration on the left shows a BIG-IP unit with three internal interfaces, each a separate interface group (untagged) VLAN. This is a typical solution for supporting three separate customer sites. The configuration on the right shows a BIG-IP with one internal interface and an external switch. The switch places each interface on a separate VLAN. Each of these VLANs is configured on the BIG-IP with a tag, and then has the BIG-IP internal interface added to it: this way the single interface becomes a tagged member of all three VLANs and accepts traffic from all three. The configuration on the right is the functional equivalent of the configuration on the left.

VLANs may be created with or without tags specified. If a tag is not specified, one is automatically assigned. Therefore, a VLAN always has a tag; whether it functions as a tagged VLAN depends on whether it actually has tagged members.

VLAN commands

Tagged and untagged VLANs may be created, renamed and deleted using the Configuration utility or at the command line. VLAN command options are summarized in Table 2.2.

Table 2.2 Configuration properties of VLANs

Option                      Description
Default VLAN configuration  The First-Time Boot utility provides a default VLAN configuration. On a typical unit with two interfaces, you create an internal and an external VLAN.
Create VLAN                 Create, rename, or delete a VLAN. Typically, one untagged VLAN is assigned to one interface.
Tag VLANs                   You can tag VLANs and associate a single interface with multiple tagged VLANs.
Set VLAN security           You can set port lockdown by VLAN.
Set fail-safe timeouts      You can set a fail-safe timeout on a VLAN. You can use a fail-safe timeout to trigger fail-over in a redundant system.
Self IP addresses           You can set one or more self IP addresses for VLANs.
MAC masquerade              You can use this attribute to set up a media access control (MAC) address that is shared by a redundant system. This allows you to use the BIG-IP in a topology with secure hubs.
Edit L2 forwarding table    You can enter static MAC address assignments by editing the L2 forwarding table.

Creating, renaming, and deleting VLANs

Typically, if you use the default configuration, one VLAN is assigned to each interface. However, if you need to change your network configuration, or if the default VLANs are not adequate for a network configuration, you can create new VLANs, rename existing VLANs, or delete a VLAN.

To create a VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Add button to start the Add VLAN wizard.
  3. In the Add VLAN screen, type the attributes for the VLAN. For more information about VLANs, click the Help button.

To rename or delete a VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. In the VLANs screen, use one of the following options:
  • To rename a VLAN, click the VLAN name you want to change. The VLAN properties screen opens. Type the new name in the VLAN name box.
  • To delete a VLAN, click the Delete button for the VLAN you want to delete.

To create, rename, or delete a VLAN from the command line

To create a VLAN from the command line, use the following syntax:

b vlan <vlan name> interfaces add <if name> <if name>

For example, if you want to create a VLAN named myvlan that contains the interfaces 1.1 and 1.2, type the following command:

b vlan myvlan interfaces add 1.1 1.2

To rename an existing VLAN, use the following syntax:

b vlan <vlan name> rename <new vlan name>

For example, if you want to rename the VLAN myvlan to yourvlan, type the following command:

b vlan myvlan rename yourvlan

To delete a VLAN, use the following syntax:

b vlan <vlan name> delete

For example, to delete the VLAN named yourvlan, type the following command:

b vlan yourvlan delete

VLAN group

A VLAN group is a grouping of two or more VLANs belonging to the same IP network for the purpose of allowing layer 2 packet forwarding, also known as L2 forwarding, between those VLANs.

For a VLAN group to use layer 2 forwarding, you must configure the following BIG-IP features:

  • The VLANs between which the packets are to be passed must be on the same IP network.
  • The VLANs between which the packets are to be passed must be grouped.
  • Layer 2 forwarding must be enabled for the VLAN group.
  • A self IP address must be assigned to the VLAN group for routing purposes.

To create a VLAN group from the command line

You can define a VLAN group from the command line using the vlangroup command. For example:

b vlangroup network11 vlans add internal external

To assign the self IP address to the VLAN group, use the following syntax:

b self <ip address> vlan <vlangroup name>

Layer 2 forwarding must be enabled for the VLAN group using the vlan proxy_forward attribute. This attribute is enabled by default when the VLAN group is enabled. To verify that proxy forwarding is enabled, type the following command:

b vlans show

Check the output of the VLAN group for proxy_forward enable.

Tagging VLANs

You can create tagged VLANs, tag existing VLANs, and add multiple tagged VLANs to a single interface. There are three steps to creating multiple tagged VLANs on one interface.

  • Create the VLANs for which you want to tag the interface.
  • Mark the interface as tagged.
  • Add the tagged VLANs to the tagged interface.

To create a tagged VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the Add button.
    The Add VLAN screen opens.
  3. On the Add VLAN screen, enter the VLAN name and specify the tagged interfaces by choosing them from the Resources list and clicking tagged >>.
  4. Configure the other VLAN options as desired and click the Done button. (It is not necessary to fill in a VLAN tag number. This is done automatically.)

To tag an existing VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.
  3. On the screen, specify the tagged interfaces by choosing them from the Resources list and clicking tagged >>. (It is not necessary to fill in a VLAN tag number. This is done automatically.)

To create a tagged VLAN from the command line

You create a new tagged VLAN using the bigpipe vlan tag command, specifying a tag number. For example:

b vlan my_vlan tag 1209

A tagged VLAN is mapped to an interface or interfaces (or an untagged VLAN is tagged and mapped to an interface or interfaces) using the tagged flag. For example:

b vlan external interfaces add tagged 4.1 5.1 5.2

The effect of the command is to place a tag on interfaces 4.1 and 5.1, which in turn makes external a tagged VLAN. (However, it remains an untagged VLAN for interfaces which are part of it but not tagged.)

An interface can have more than one tag, for example, it can be a member of more than one tagged VLAN:

b vlan external interfaces add tagged 4.1

b vlan internal interfaces add tagged 4.1

Setting up security for VLANs

You can lock down a VLAN to prevent direct connection to the BIG-IP through that VLAN. This lockdown may be overridden for specific services by enabling the corresponding global variable for that service. For example:

b global open_ssh_ports enable

To enable or disable port lockdown using the Configuration utility

  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.
  3. To enable port lockdown, click a check in the Port Lockdown box.
    To disable port lockdown, clear the check from the Port Lockdown box.

To enable or disable port lockdown from the command line

To enable port lockdown, type:

b vlan <vlan_name> port_lockdown enable

To disable port lockdown, type:

b vlan <vlan_name> port_lockdown disable

Setting fail-safe timeouts for VLANs

For redundant BIG-IP pairs, fail-over occurs when loss of traffic is detected on a VLAN, and traffic is not restored during the fail-over timeout period for that VLAN. You can enable a fail-safe mechanism to attempt to generate traffic when half the timeout has elapsed. If the attempt is successful, the fail-over is stopped.

To set the fail-over timeout and arm the fail-safe using the Configuration utility

  1. In the navigation pane, click Network.
    The VLAN screen opens.
  2. Click the VLAN name in the list.
    The properties screen for that VLAN opens.
  3. Check the Arm Failsafe box and specify the timeout in seconds in the Timeout box.

To set the fail-over timeout and arm the fail-safe from the command line

Using the vlan command, you may set the timeout period and also arm or disarm the fail-safe.

To set the timeout, type:

b vlan <vlan_name> timeout <timeout_in_seconds>

To arm the fail-safe, type:

b vlan <vlan_name> failsafe arm

To disarm the fail-safe, type:

b vlan <vlan_name> failsafe disarm

Setting the MAC masquerade address

You can share the media access control (MAC) masquerade address between BIG-IP units in a redundant pair. This has the following advantages:

  • Increased reliability and faster fail-over, especially in lossy networks
  • Inter-operability with switches that are slow to respond to network changes
  • Inter-operability with switches that are configured to ignore network changes

The MAC address for a VLAN is the MAC address of the first interface to be mapped to the VLAN, typically 4.1 for external and 5.1 for internal. You can view the interfaces mapped to a VLAN using the following command:

b vlan show

You can view the MAC addresses for the interfaces on the BIG-IP using the following command:

b interface show verbose

Use the following syntax to set the MAC masquerade address that will be shared by both BIG-IP units in the redundant system.

b vlan <vlan_name> mac_masq <MAC_addr>

Warning: You must specify a default route before using the mac_masq command. You specify the default route in the /etc/hosts and /etc/netstart files.

Find the MAC address on both the active and standby units, and choose one that is similar but unique. A safe technique for choosing the shared MAC address follows.

Suppose you want to set up mac_masq on the external interfaces. Using the b interface show command on the active and standby units, you note that their MAC addresses are:

Active: 3.1 = 0:0:0:ac:4c:a2

Standby: 3.1 = 0:0:0:ad:4d:f3

In order to avoid packet collisions, you now must choose a unique MAC address. The safest way to do this is to select one of the addresses and logically OR the first byte with 0x40. This makes the MAC address a locally administered MAC address.

In this example, either 40:0:0:ac:4c:a2 or 40:0:0:ad:4d:f3 would be a suitable shared MAC address to use on both BIG-IP units in the redundant system.

The shared MAC address is used only when the BIG-IP is in active mode. When the unit is in standby mode, the original MAC address of the network card is used.

If you do not configure mac_masq, on startup, or when transitioning from standby mode to active mode, the BIG-IP sends gratuitous ARP requests to notify the default router and other machines on the local Ethernet segment that its MAC address has changed. See RFC 826 for more details on ARP.

Note: The MAC masquerade information is stored in the bigip_base.conf file.

Viewing and editing the L2 forwarding table

Layer 2 forwarding is the means by which packets are exchanged directly between nodes on separate VLANs that are members of the same VLAN group as described in VLAN grouping and L2 forwarding, on page 2-7. This is accomplished using a simple forwarding table for each VLAN with proxy forward enabled. The forwarding table has an entry for each node in the VLAN and associates the MAC address of that node with the BIG-IP interface using the following format:

<MAC address> -> <if>

For example:

00:a0:c9:9e:1e:2f -> 4.1

You can view this table, delete entries, and add static entries. The entries that appear in the table automatically are learned and periodically updated and are called dynamic entries. Entries that you add to the table manually are called static entries. Static entries are not automatically updated. Entering static entries is useful if you have network devices that do not advertise their MAC addresses.

You can view and edit the L2 forwarding table using the bigpipe vlan <vlan_name> fdb command. The <vlan_name> may be either a VLAN or a VLAN group.

To view the L2 forwarding table from the command line

Type the following command:

b vlan <vlan name> fdb show

For example:

b vlan internal fdb show

This produces a display like this:

Forwarding table --

00:40:05:30:cc:94 -> 5.1

To view L2 forwarding table static entries from the command line

Type the following command:

b vlan <vlan name> fdb static show

For example:

b vlan internal fdb static show

To view L2 forwarding table dynamic entries from the command line

Type the following command:

b vlan <vlan name> fdb dynamic show

For example:

b vlan internal fdb dynamic show

To add an entry to the L2 forwarding table from the command line

Type the following command:

b vlan <vlan name> fdb add <MAC address> interface <ifname>

For example:

b vlan internal fdb add 00:a0:c9:9e:1e:2f interface 4.1

To delete an entry from the L2 forwarding table from the command line

Type the following command:

b vlan <vlan name> fdb delete <MAC address> interface <ifname>

For example:

b vlan internal fdb delete 00:a0:c9:9e:1e:2f interface 4.1

The three forms of the fdb show command are:

b vlan <vlan name> fdb static show

b vlan <vlan name> fdb dynamic show

b vlan <vlan name> fdb show

Setting the L2 forwarding aging time

Entries in the L2 forwarding table have a specified life span, after which they are flushed out if the MAC address is no longer present on the network. This process is called the L2 forward aging time and you can set it using the global variable L2 Aging Time. The default value is 300 seconds.

To set the L2 forwarding aging time using the Configuration utility

  1. In the navigation pane, click System.
    The System Properties screen opens.
  2. Click the Advanced Properties tab.
    The Advanced Properties screen opens.
  3. In L2 Aging Time text entry box, enter the aging time in seconds.

To set the L2 forwarding aging time from the command line

Type the following command:

b global l2_agingtime <time_in_seconds>

For example:

b global l2_agingtime 200
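The class below is an added example, not part of this manual and not F5 code. It models the behaviour described in Viewing and editing the L2 forwarding table and Setting the L2 forwarding aging time: entries are learned dynamically and flushed after the aging time (300 seconds by default), static entries are never aged and are never overwritten by learning, and the three fdb show forms are reproduced. It also records the case a defender cares about: a MAC address that appears behind a different interface than the table already holds for it, which is what a loop, a moved host, or a spoofed address looks like in the table. The sample output is constructed in the page's layout (the first entry is the page's own, the second is invented), and the timestamps passed to learn() and expire() are simulated seconds.

```python
import re

L2_AGING_TIME = 300   # seconds; the page's default for b global l2_agingtime

# Constructed sample in the layout of 'b vlan internal fdb show'. The first entry is
# the page's own example; the second MAC address is invented.
SAMPLE_FDB_OUTPUT = """\
Forwarding table --

00:40:05:30:cc:94 -> 5.1
0:c:29:12:34:56 -> 5.2
"""

_MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}$")
_ENTRY_RE = re.compile(r"^\s*([0-9a-fA-F:]+)\s*->\s*(\d+\.\d+)\s*$")


def normalize_mac(mac):
    """Zero-pad each octet so the compact '0:c:29:...' form equals '00:0c:29:...'."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_fdb(text):
    """Return (mac, interface) pairs from '<MAC address> -> <if>' lines."""
    return [(normalize_mac(m.group(1)), m.group(2))
            for m in map(_ENTRY_RE.match, text.splitlines()) if m]


class ForwardingTable:
    """One VLAN's L2 forwarding table: static entries are pinned, dynamic ones age out."""

    def __init__(self, aging_time=L2_AGING_TIME):
        self.aging_time = aging_time
        self.static = {}    # mac -> interface; never aged, never overwritten by learning
        self.dynamic = {}   # mac -> (interface, last_seen)
        self.alerts = []    # (mac, expected_if, seen_if, time): a MAC seen where it should not be

    def add_static(self, mac, iface):
        """b vlan <vlan> fdb add <MAC address> interface <if>"""
        mac = normalize_mac(mac)
        self.static[mac] = iface
        self.dynamic.pop(mac, None)

    def learn(self, mac, iface, now):
        """Source-MAC learning. A static entry wins; a conflicting sighting is only recorded."""
        mac = normalize_mac(mac)
        pinned = self.static.get(mac)
        if pinned is not None:
            if pinned != iface:
                self.alerts.append((mac, pinned, iface, now))
            return
        prev = self.dynamic.get(mac)
        if prev is not None and prev[0] != iface:
            self.alerts.append((mac, prev[0], iface, now))   # MAC moved: loop or spoof suspect
        self.dynamic[mac] = (iface, now)

    def expire(self, now):
        """Flush dynamic entries not refreshed within aging_time; returns the flushed MACs."""
        stale = [m for m, (_, seen) in self.dynamic.items() if now - seen > self.aging_time]
        for m in stale:
            del self.dynamic[m]
        return stale

    def lookup(self, mac):
        mac = normalize_mac(mac)
        if mac in self.static:
            return self.static[mac]
        entry = self.dynamic.get(mac)
        return entry[0] if entry else None

    def show(self, which="all"):
        """Render like 'fdb show', 'fdb static show' or 'fdb dynamic show'."""
        lines = ["Forwarding table --"]
        if which in ("all", "static"):
            lines += [f"{m} -> {i}" for m, i in sorted(self.static.items())]
        if which in ("all", "dynamic"):
            lines += [f"{m} -> {i}" for m, (i, _) in sorted(self.dynamic.items())]
        return "\n".join(lines)


def demo():
    """Constructed sequence: seed from the sample, pin the page's static entry, watch a move, age out."""
    fdb = ForwardingTable()
    for mac, iface in parse_fdb(SAMPLE_FDB_OUTPUT):
        fdb.learn(mac, iface, now=0)
    fdb.add_static("00:a0:c9:9e:1e:2f", "4.1")      # the page's example static entry
    fdb.learn("00:a0:c9:9e:1e:2f", "5.2", now=10)    # same MAC behind another port: alert, not relearned
    fdb.learn("00:40:05:30:cc:94", "5.1", now=120)   # a refresh keeps this dynamic entry alive
    flushed = fdb.expire(now=320)                    # the 5.2 host was last seen 320 s ago (> 300 s)
    return fdb, flushed


if __name__ == "__main__":
    table, gone = demo()
    print(table.show(), "\nflushed:", gone, "\nalerts:", table.alerts)
```

The alerts list is the part worth wiring into monitoring: on a real unit, diffing successive fdb dynamic show outputs in the same way exposes a MAC that keeps changing interface, which is the symptom to look for before reaching for STP or a static entry.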

Self IP address

A self IP address is an IP address mapping to one or more VLANs and their associated interfaces on a BIG-IP. You assign a self IP address to each interface on the unit as part of First-Time Boot configuration, and you also assign a floating (shared) alias for units in a redundant pair. You can create additional self addresses for health checking, gateway failsafe, routing, or other purposes. You can create these additional self IP addresses using the self command.

To add a self IP address to a VLAN using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. In the VLANs screen, click the Self IP Addresses tab.
    The Self IP Addresses screen opens.
  3. On the Self IP Addresses screen, click the Add button.
    The Add Self IP Address screen opens.
  4. In the IP Address box, type the self IP address to be assigned.
  5. In the Netmask box, type an optional netmask.
  6. In the Broadcast box, type an optional broadcast address.
  7. If you want to configure the self IP address as a floating address, click a check in the Floating box.
  8. If you want to enable the address for SNAT auto-mapping, place a check in the SNAT Automap box.
  9. In the VLAN box, type the name of the VLAN to which you want to assign the self IP address.
  10. Click the Done button.

To add a self IP address to a VLAN from the command line

Use the following syntax:

b self <addr> vlan <vlan_name> [ netmask <ip_mask> ][ broadcast <broadcast_addr>] [unit <id>]

You can add any number of additional self IP addresses to a VLAN to create aliases. For example:

b self 11.11.11.4 vlan external

b self 11.11.11.5 vlan external

b self 11.11.11.6 vlan external

b self 11.11.11.7 vlan external

Also, any one self IP address may have floating enabled to create a floating alias that is shared by both units of a BIG-IP redundant pair:

b self 11.11.11.8 floating enable

Assigning a self IP address to a VLAN automatically maps it to the VLAN's interfaces. Since all interfaces must be mapped to one and only one untagged VLAN, assigning a self IP address to an interface not mapped to an untagged VLAN produces an error message.
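The following class is an added example, not part of this manual and not F5 code. It models, in a hypothetical BaseNetwork class, the membership rules this chapter states across the VLANs, Tagging VLANs, VLAN group and Self IP address sections: an interface may be an untagged member of only one VLAN but a tagged member of many; every VLAN gets a tag, assigned automatically when none is given (the direction in which automatic tags are handed out is an assumption); VLANs in a VLAN group must lie on the same IP network, judged here by their self IP addresses; and the group needs a self IP of its own. The walk-through reproduces the right-hand side of Figure 2.7 and the network11 group from the VLAN group section. The VLAN names cust_a, cust_b and cust_c, the tags 1210 and 1211, and the /24 netmasks are invented; the names external, internal, network11, the tag 1209 and the 11.11.11.x addresses are the page's own.

```python
import ipaddress


class BaseNetwork:
    """Hypothetical model of this chapter's VLAN membership rules (not F5 code)."""

    def __init__(self):
        self.vlans = {}        # name -> {"tag": int, "untagged": set(), "tagged": set()}
        self.groups = {}       # group name -> list of member VLAN names
        self.self_ips = {}     # VLAN or group name -> list of IPv4Interface
        self._auto_tag = 4094  # assumption: automatic tags are handed out from the top down

    def create_vlan(self, name, tag=None):
        """b vlan <name> tag <tag>; without a tag one is assigned automatically."""
        if name in self.vlans:
            raise ValueError(f"VLAN {name} already exists")
        if tag is None:
            tag, self._auto_tag = self._auto_tag, self._auto_tag - 1
        if not 1 <= tag <= 4094:
            raise ValueError(f"tag {tag} outside the 802.1Q range 1-4094")
        self.vlans[name] = {"tag": tag, "untagged": set(), "tagged": set()}

    def untagged_vlan_of(self, iface):
        """The single VLAN an interface is an untagged member of, or None."""
        return next((n for n, v in self.vlans.items() if iface in v["untagged"]), None)

    def add_interfaces(self, vlan, ifaces, tagged=False):
        """b vlan <vlan> interfaces add [tagged] <if_list>"""
        v = self.vlans[vlan]
        for iface in ifaces:
            if tagged:
                v["tagged"].add(iface)          # any number of tagged memberships is allowed
                continue
            owner = self.untagged_vlan_of(iface)
            if owner not in (None, vlan):
                raise ValueError(f"{iface} is already an untagged member of {owner}")
            v["untagged"].add(iface)

    def tags_on(self, iface):
        """The tagged VLANs whose traffic an interface accepts, as {vlan: tag}."""
        return {n: v["tag"] for n, v in self.vlans.items() if iface in v["tagged"]}

    def add_self_ip(self, cidr, target):
        """b self <addr> vlan <vlan_or_group>, with the netmask written in CIDR form."""
        if target not in self.vlans and target not in self.groups:
            raise ValueError(f"no VLAN or VLAN group named {target}")
        self.self_ips.setdefault(target, []).append(ipaddress.ip_interface(cidr))

    def create_group(self, name, members, group_self_ip):
        """b vlangroup <name> vlans add <members>, then the group's own self IP."""
        nets = {ip.network for m in members for ip in self.self_ips.get(m, [])}
        if len(nets) != 1:
            raise ValueError(f"VLANs {members} must all carry self IPs on one IP network, "
                             f"found {sorted(map(str, nets))}")
        if ipaddress.ip_interface(group_self_ip).network not in nets:
            raise ValueError(f"group self IP {group_self_ip} is not on that network")
        self.groups[name] = list(members)
        self.add_self_ip(group_self_ip, name)


def demo():
    """Constructed walk-through; returns the model and the message from one refused command."""
    net = BaseNetwork()
    net.create_vlan("external")                 # tag assigned automatically
    net.create_vlan("internal")
    net.add_interfaces("external", ["4.1"])
    net.add_interfaces("internal", ["5.1"])
    # Figure 2.7, right-hand side: one internal interface is a tagged member of three customer VLANs.
    for name, tag in (("cust_a", 1209), ("cust_b", 1210), ("cust_c", 1211)):
        net.create_vlan(name, tag)
        net.add_interfaces(name, ["5.1"], tagged=True)
    # A second untagged membership for 5.1 is refused; keep the message rather than raising.
    try:
        net.add_interfaces("external", ["5.1"])
        rejection = None
    except ValueError as exc:
        rejection = str(exc)
    # One IP network split across two VLANs, re-joined as VLAN group network11 with its own self IP.
    net.add_self_ip("11.11.11.4/24", "external")
    net.add_self_ip("11.11.11.5/24", "internal")
    net.create_group("network11", ["external", "internal"], "11.11.11.8/24")
    return net, rejection


if __name__ == "__main__":
    model, refused = demo()
    print("5.1 accepts tags:", model.tags_on("5.1"))
    print("refused:", refused)
```

The value of such a model is that it fails early, before a command reaches the unit: the untagged-membership rule and the same-network rule for VLAN groups are the two that the bigpipe commands in this chapter otherwise only report once they are violated.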

Enabling or disabling SNAT automap

The translation address for SNAT auto-mapping is determined by the self IP addresses you enable on the external VLAN. For more information about SNAT auto-mapping, refer to Enabling or disabling SNAT automap.

Trunks

Link aggregation is the grouping of links (individual physical interfaces) to form a trunk. Link aggregation increases the bandwidth of the individual links in an additive manner. Thus, four fast Ethernet links, if aggregated, create a single 400 Mbps link. The other advantage of link aggregation is link fail-over. If one link in a trunk goes down, traffic is simply redistributed over the remaining links.

A trunk must have a controlling link, and acquires all the attributes of that controlling link from layer 2 and above. The trunk automatically acquires the VLAN membership of the controlling link but does not acquire its media type and speed. Outbound packets to the controlling link are load balanced across all of the known-good links in the trunk. Inbound packets from any link in the trunk are treated as if they came from the controlling link.

A maximum of eight links may be aggregated. For optimal performance, links should be aggregated in powers of two. Thus, you ideally will aggregate two, four, or eight links.

To configure a trunk using the Configuration utility

  1. In the navigation pane, click Network.
    The Network screen opens.
  2. Click the Trunks tab.
    The Trunks screen opens.
  3. On the Trunks screen, click the Add button.
    The Add Trunk screen opens.
  4. Select the link that is to be the controlling link from the Available Interfaces list, and click controlling >>.
    The interface appears at the top of the Aggregated Interfaces list.
  5. Select the remaining link(s) from the Available Interfaces list and click aggregated >>.
    The interface(s) appears in the Aggregated Interfaces list below the controlling link.
  6. Click Done.

To configure a trunk from the command line

Use the following syntax to configure a trunk from the command line:

b trunk <controlling_if> define <if_list>

Interfaces are specified using the s.p convention, where s is slot number and p is port number. An <if_list> is one or more such interfaces, with multiple interfaces separated by spaces.

For more information on interface naming, refer to Interface naming convention, on page 2-2.

Spanning Tree Protocol (STP)

The BIG-IP Application Switch provides Spanning Tree Protocol (STP) implementation for loop resolution in configurations where one or more external switches is connected in parallel with the BIG-IP. You can use this feature to configure two or more interfaces on the unit as an STP domain. For interfaces in the STP domain, the spanning tree algorithm identifies the most efficient path between the network segments, and establishes the switch associated with that path as the root. Links forming redundant paths are shut down, to be re-activated only if the root fails.

The STP domain should contain all ports that are connected in parallel to an external switch where there are nodes on the link capable of generating or receiving traffic. A second domain is called for if there is an additional switch or switches connected in parallel with additional BIG-IP interfaces.

Warning: Use of STP may slow performance significantly, particularly if more than one STP domain is created, and may have unforeseen effects on complex networks. It is important to test your STP configuration before placing it online. For more information about Spanning Tree Protocol, refer to IEEE 802.1D.

Creating and deleting STP domains

You can create or delete STP domains using the Configuration utility or from the command line.

To create an STP domain using the Configuration utility

  1. In the navigation pane, click Network.
    The Network screen opens.
  2. Click the STP tab.
    The STP screen opens.
  3. On the STP screen, click the Add button.
    The Add STP Domain screen opens.
  4. In the Add STP Domain screen, configure the STP domain attributes. For additional information about defining an STP domain, click the Help button.

To create or delete an STP domain from the command line

To create an STP domain from the command line, use the following syntax:

b stp <stp_name> interfaces add <if_list> | all

For example, if you want to create an STP domain named mystp that contains the interfaces 1.1 and 1.2, type the following command.

b stp mystp interfaces add 1.1 1.2

If you want to create an STP domain named mystp that contains all interfaces on the BIG-IP, type:

b stp mystp interfaces add all

To delete an STP domain, use the following syntax:

b stp <stp_name> delete

Setting time intervals for an STP domain

You can set the time intervals in seconds for hello, max_age, and forward_delay for the STP domain from the command line using the following syntax:

b stp <stp_name> hello <interval>

b stp <stp_name> max_age <interval>

b stp <stp_name> forward_delay <interval>
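The following functions are an added example, not part of this manual and not F5 code. The page refers the reader to IEEE 802.1D for the meaning of the three timers; that standard also fixes the relationships between them, and the checks below apply those relationships (and the standard's permitted ranges) before the three bigpipe commands above are issued, so that a domain is not armed with values that let a port forward before stale topology information has expired. The inequalities and ranges come from IEEE 802.1D, not from this page; the function that emits the commands uses the page's own syntax with the domain name mystp from the examples above.

```python
# IEEE 802.1D relationships between the bridge timers (from the standard, not this page):
#   max_age >= 2 * (hello + 1)
#   2 * (forward_delay - 1) >= max_age
# Permitted ranges in seconds: hello 1..10, max_age 6..40, forward_delay 4..30.
RANGES = {"hello": (1, 10), "max_age": (6, 40), "forward_delay": (4, 30)}


def check_stp_timers(hello, max_age, forward_delay):
    """Return a list of problems; an empty list means the three values are mutually consistent."""
    problems = []
    for name, value in (("hello", hello), ("max_age", max_age), ("forward_delay", forward_delay)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            problems.append(f"{name}={value} outside {lo}..{hi}")
    if max_age < 2 * (hello + 1):
        problems.append(f"max_age={max_age} < 2*(hello+1)={2 * (hello + 1)}: "
                        "topology information can expire between two hellos")
    if 2 * (forward_delay - 1) < max_age:
        problems.append(f"2*(forward_delay-1)={2 * (forward_delay - 1)} < max_age={max_age}: "
                        "a port can start forwarding before stale information has aged out")
    return problems


def stp_timer_commands(stp_name, hello, max_age, forward_delay):
    """Emit the page's three 'b stp' commands, but only for values that pass the checks."""
    problems = check_stp_timers(hello, max_age, forward_delay)
    if problems:
        raise ValueError("; ".join(problems))
    return [f"b stp {stp_name} hello {hello}",
            f"b stp {stp_name} max_age {max_age}",
            f"b stp {stp_name} forward_delay {forward_delay}"]


if __name__ == "__main__":
    # 802.1D default values: hello 2, max_age 20, forward_delay 15.
    for cmd in stp_timer_commands("mystp", 2, 20, 15):
        print(cmd)
    print(check_stp_timers(2, 20, 10))
```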

Adding or deleting interfaces in an STP domain

To add interfaces to an STP domain from the command line, use the following syntax:

b stp <stp_name> interfaces add <if_list>

To delete interfaces from an STP domain, use the following syntax.

b stp <stp_name> interfaces delete <if_list>

Disabling and re-enabling an STP domain

To disable an STP domain from the command line, use the following syntax:

b stp <stp_name> disable

To re-enable an STP domain, use the following syntax:

b stp <stp_name> enable

Note: Disabling or deleting all interfaces on an STP domain disables the domain. You cannot re-enable the domain without adding interfaces.

Disabling and re-enabling interfaces in an STP domain

To disable specific interfaces in the STP domain from the command line, use the following syntax:

b stp <stp_name> interfaces disable <if_list>

To re-enable interfaces in an STP domain, use the following syntax:

b stp <stp_name> interfaces enable <if_list>

Port Mirroring

For the IP Application Switch, you can copy traffic from any port or set of ports to a single, separate port. This is called port mirroring. You should attach a sniffer device to the target port, called the mirror-to port, for debugging and/or monitoring.

Setting up a port mirror

Port mirroring consists of specifying a mirror-to port and adding to it one or more ports (that is, a port list) to be mirrored. You can set up port mirroring using the Configuration utility or from the command line.

To set up port mirroring using the Configuration utility

  1. In the navigation pane, click Network.
    The Network screen opens.
  2. Click the Interfaces tab.
    The Interfaces screen opens.
  3. Click the Port Mirroring subtab.
    The Port Mirroring screen opens.
  4. In the Port Mirroring screen, configure the port mirror attributes. For additional information about defining a port mirror, click the Help button.

To set up port mirroring from the command line

Use this bigpipe syntax for setting up port mirroring:

b mirror <mirror_to_if> interfaces add <if_list>

Example:

b mirror 3.24 interfaces add 3.1 3.3 3.10

Deleting interfaces from a port mirror or deleting a port mirror

You can delete individual interfaces from a port mirror, or you can completely delete a port mirror.

To delete interfaces from the port mirror from the command line

Use this bigpipe syntax to delete interfaces from the port mirror:

b mirror <mirror_to_if> interfaces delete <if_list>

For example:

b mirror 3.24 interfaces delete 3.10

To delete the port mirror from the command line

Use this bigpipe syntax to delete the port mirror:

b mirror <mirror_to_if> delete

For example:

b mirror 3.24 delete