JOB AID
Setting Up a Standalone
BIG-IP System Using the
Command Line Interface
(CLI)
DIGITAL EDUCATION SERIES
JOB AID
TABLE OF CONTENTS
Introduction 3
Requirements for Initially Setting Up a Standalone BIG-IP System 3
Sample Deployment Summary 3
Wrap-Up 27
DIGITAL 2
EDUCATION
SERIES
BIG-IP ADMINISTRATOR TRAINING
BIG-IP FUNDAMENTALS CURRICULUM
Introduction
This document walks you through an example of setting up a two-armed standard network configuration on a BIG-IP system, as shown in the figure below. Although the steps were carried out on a BIG-IP appliance running software version 14.1, they are largely applicable to BIG-IP versions v11.4 and later.
If you are setting up a BIG-IP Virtual Edition, ensure that you have the base registration key for your BIG-IP system
available. The base registration key should be provided to you by email after you purchase the F5 product. If you
cannot locate your base registration key, please contact F5 Technical Support for assistance. If you are activating a
BIG-IP appliance or VIPRION, the base registration key is preinstalled in your system.
• The management interface is configured on the 192.168/16 network. SSH access is limited to clients in the 192.168/16 network. The instructions in this document show you how to configure the management interface using the LCD panel on a BIG-IP hardware device. (The CLI version of this document shows you how to configure the management interface using the config command from the command line.)
• VLAN external is client-facing, and includes hosts in the 10.10/16 network. The static self IP for this VLAN
is 10.10.2.31 and the floating self IP is 10.10.2.33.
• VLAN internal is server-facing, and includes hosts in the 172.16/16 network. The static self IP for this VLAN
is 172.16.2.31 and the floating self IP is 172.16.2.33.
• Most configuration steps in this document are performed using the Setup utility wizard. References to
comparable Configuration utility pages are provided throughout. (The CLI version of this document shows
you how to perform the same configuration steps using the command line.)
Configure the Management Port IP Address and Netmask from the BIG-IP Console
1. Log into the BIG-IP system’s console interface using username root and password default. (Alternatively, you
can log into the system using its default management IP address, 192.168.1.245.) The system will prompt you
to change the password for the root user. Follow the directions to complete this activity.
2. After changing the root user’s password, start the F5 Management Port Setup utility:
4. Select the appropriate IP family type for the address you will configure, either IPv4 or IPv6. In this example, we
are using an IPv4 address.
5. On the Configure IP Address panel, note the default settings for the IP address, netmask and default route.
You can configure your BIG-IP system’s management port manually or via DHCP. If connecting to the
management port at its default IP address, you may lose connectivity when performing this configuration step.
We recommend connecting to your BIG-IP system console instead. In this example, select No to configure the
management port manually.
6. Enter the appropriate IP address for the management port and select OK to continue.
7. On the Configure Netmask panel, enter the appropriate netmask value for the management port, then select
OK to continue.
8. The last step in the wizard is to confirm your settings. On the Confirm Configuration panel, select Yes to
confirm that the settings displayed are accurate.
9. Confirm that the new configuration was set correctly by listing the management IP address and mask.
10. The Management Route panel allows you to create a default route for the management port. A default route is
only required if you want to connect to the management port from another subnet. In this deployment, we are
not going to configure a default route, so select No to continue.
1. Open an SSH session to the new Management port IP address and log in as the root user.
2. To generate a dossier, run the command below, substituting A1234-56789-01234-12345-6789012 with your own base registration key. The output appears similar to the example shown below. This sample dossier has been truncated for clarity.
3. Highlight and copy the dossier contents to your clipboard. Make sure that you copy the dossier text only and not
any part of the command you’ve just issued.
4. Open a secure browser session to the F5 Licensing Server at activate.f5.com. Follow the instructions provided
on the screen to generate and retrieve your BIG-IP license. Copy the entire license contents to your clipboard.
5. Open the /config/bigip.license file with the vi editor.
6. Paste the license contents that you copied in the previous step and save the changes made to the file.
7. Activate the license by running the command below. When successfully activated, notice the prompt changes to
include the word Active to indicate that the license is now operational.
The general command format for provisioning a software module on your BIG-IP system is shown below:
1. Use TMSH to provision the appropriate modules at the appropriate level. In this example, we are provisioning
the Local Traffic Manager (LTM) and the Application Security Manager (ASM) modules as Nominal.
2. Verify that the provisioning configuration has been successfully changed by examining the current provisioning
settings. This example shows the ASM and LTM modules have been successfully provisioned.
The general command format for creating a new X.509 BIG-IP self-signed certificate and key pair is shown below (the options take plain ASCII hyphens, and a space separates -out from its path):
openssl req -x509 -nodes -days <# of days> -newkey rsa:<keysize> -keyout /config/httpd/conf/ssl.key -out /config/httpd/conf/ssl.crt/server.crt
1. At the bash prompt, enter the following command to create a new self-signed certificate and key pair:
2. Enter the certificate attributes, pressing the Enter key after each value to confirm it.
3. Restart the httpd daemon so that the BIG-IP system starts using the new certificate.
4. Confirm that the new certificate has been successfully deployed. The sample output below has been truncated for space reasons.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12345678910111213141 (0x123a4bcd5fgh6ij7)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Seattle, O=F5 Networks, OU=Training, CN=bigip2.f5trn.com
        Validity
            Not Before: Dec 13 18:17:40 2016 GMT
            Not After : Dec 11 18:17:40 2026 GMT
        Subject: C=US, ST=Washington, L=Seattle, O=F5 Networks, OU=Training, CN=bigip2.f5trn.com
The general command format for updating the default password for the admin administrative account is:
The general command format for updating the default password for the root administrative account is:
The general command format for restricting SSH access to the BIG-IP system is:
(tmos)# modify /sys sshd allow add { <IP address or IP address range> }
5. Update the default passwords for the default command line interface (root) and the default Configuration utility
(admin) administrative users.
6. For security reasons, you should configure the BIG-IP system to restrict SSH administrative access to only
systems on the 192.168/16 network. List the setting afterward to confirm it was set correctly. Note: This setting
is better performed from the Configuration utility as you may inadvertently lock yourself out of SSH access if
your IP address is included in the list.
The general command format for setting the BIG-IP time zone is:
1. From the BIG-IP bash prompt, navigate to the /usr/share/zoneinfo directory and list its contents. The output
displays a list of directories that match geographical regions. Identify the geographical region related to the time
zone that you wish to configure on the BIG-IP system - in this deployment, we will use America.
# ls /usr/share/zoneinfo
Africa
America
Antarctica
Arctic
…
2. List the contents of the directory you chose in the previous step (in this case, America). The output displays a list of time zone files. In this example, the closest match to the time zone that we would like to set for the BIG-IP system is Los_Angeles.
# ls /usr/share/zoneinfo/America
Adak
Anchorage
…
Los_Angeles
…
3. Use the information identified in the previous steps to set the appropriate time zone on the BIG-IP system.
The general command format for assigning a host name to the BIG-IP system is:
The VLAN names used in these examples are identical to the VLAN names that are created when using the Setup utility to do the same thing. With the Setup utility, you have no control over VLAN names. With TMSH, you may name your VLANs as desired.
The general command format for creating a VLAN and associating it with a BIG-IP interface is:
The general command format for creating a self IP and associating it with an existing VLAN is:
The general command format for creating a floating self IP and associating it with an existing VLAN is:
1. Configure a VLAN named internal to process untagged traffic received on interface 1.2.
2. Create a static (non-floating) self IP on the VLAN named internal. (You must do this before you can create a
floating self IP on the same VLAN.) In this example, port lockdown settings on the self IP will allow
connections for system default protocols. By default, the self IP will be associated with traffic-group-local-only,
which is what makes the self IP non-floating.
3. Create a floating self IP on the VLAN named internal. To make a self IP “floating,” simply assign it to any traffic group other than traffic-group-local-only. This example creates a new floating self IP in traffic-group-1 and allows connections to that IP address using any of the system default protocols.
4. Configure a VLAN named external to process untagged traffic received on interface 1.1.
5. Create a static (non-floating) self IP on the VLAN named external. In this example, port lockdown settings on
the self IP will not allow any services.
6. Create a floating self IP on the VLAN named external and assign it to traffic-group-1. Once again, no services
will be allowed to this self IP.
7. Configure a VLAN named HA that will be used for high availability (also known as Device Service Clustering or DSC). HA communication will occur over the 1.3 untagged interface on this system. F5 recommends configuring a dedicated VLAN for high availability, as we are doing in our deployment below. If a dedicated VLAN for HA is not possible, use a non-floating self IP on a non-client-facing VLAN.
8. Create a static (non-floating) self IP on the VLAN named HA, and allow default services.
9. Confirm the successful creation of VLANs and self IP addresses. (Some output has been truncated to save
space.)
The general command format to add DNS lookup servers to the BIG-IP system is shown below:
1. Specify the IP address of the DNS lookup server that the BIG-IP system will use to validate DNS lookups and
resolve host names. List the setting afterward to confirm it was set correctly:
The general command format for adding an NTP server to a BIG-IP system’s configuration is shown below:
1. Configure the BIG-IP system to synchronize its clock with an NTP server with a hostname of time.google.com.
List the setting afterward to confirm it was set correctly:
2. From the bash prompt, execute the ntpstat command to verify connectivity to the NTP peer server.
# ntpstat
synchronized to NTP server (216.239.35.4) at stratum 3
time correct to within 7975 ms
polling server every 64 s
The general TMSH command format for defining the local ConfigSync IP address is shown below:
The general TMSH command format for changing the BIG-IP system device name is shown below:
1. Update the BIG-IP system’s device name to bigip2-SEA, to comply with your company’s BIG-IP naming policy:
2. Set the IP address the system will use for ConfigSync operations to the non-floating self IP on the VLAN named
HA. List the setting afterward to confirm it was set correctly:
The general command format to define primary and secondary mirror IP addresses is shown below:
3. Set the primary mirroring IP address to the IP address of the non-floating self IP on the VLAN named HA, and
list it to confirm it was set properly:
4. Set primary and secondary unicast IP addresses for failover and list them to confirm they were set properly. For
primary, we are using the non-floating self IP on the VLAN named HA. For secondary, we are using the
management IP address:
General TMSH command format for modifying authentication timeout values for idle administrative SSH connections
to the BIG-IP system:
General TMSH command format for modifying authentication timeout values for idle Configuration utility sessions:
General TMSH command format for modifying authentication timeout values for idle console sessions to the BIG-IP
system:
1. As a security measure, update the default value for the amount of time that Configuration utility, SSH and
console sessions to the BIG-IP system can be idle before automatic user logout to 300 seconds.
The general TMSH command format for creating a new user account with bash shell privileges and access to all
system partitions in an administrator role is shown below:
The general TMSH command format for disabling the default admin user and assigning primary administrator rights
to a new administrative user account is shown below:
The general TMSH command format for disabling access for the default root account is shown below:
2. Create a new BIG-IP administrative user account with bash shell privileges and full partition access. When
prompted, type and confirm the password for the new user account.
(tmos)# create /auth user jdoe shell bash partition-access add { all-partitions { role admin } } prompt-for-password
changing password for jdoe
new password:
confirm password:
Skip the next step to preserve the default admin user account.
3. Disable the default admin user by assigning primary administrator privileges to the new user account you’ve
created in the previous step. Note that executing this command will immediately disconnect any administrative
users currently connected to the BIG-IP Configuration utility.
4. Disable access for the default root account. This setting should not be changed until you have created at least
one administrative user with advanced shell access on the device.
The general TMSH command format for enabling and configuring a security banner to be displayed when opening an
SSH connection to the BIG-IP system is shown below:
The general TMSH command format for setting up a security banner to be displayed on the login screen of the
Configuration utility is shown below:
5. As a security measure, configure a custom legal warning banner to be displayed before users initiate an SSH
session to the BIG-IP system.
6. Configure a legal warning to be displayed on the login screen of the Configuration utility.
The general TMSH command format for restricting administrative SSH access to the BIG-IP system is shown below:
The general TMSH command format for restricting administrative Configuration utility access to the BIG-IP system is
shown below:
7. Configure the BIG-IP system to allow SSH administrative access from clients in the 192.168/16 network.
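The lock-out caveat given with the earlier SSH-restriction step applies here as well. As an added example that is not part of this job aid, the following bash helper checks that the source address of the current SSH session (taken from the SSH_CLIENT variable) is covered by the proposed allow list before it prints the tmsh command, so the change cannot cut off the session that applies it. It assumes entries are IPv4 addresses or CIDR ranges (check your version's tmsh reference for the forms that sys sshd allow accepts), and all function names are hypothetical.

```shell
#!/bin/bash
# Added example, not from the F5 job aid: guard the "modify /sys sshd allow"
# change so the SSH session that applies it is itself covered by the new
# allow list. Assumes IPv4 entries as bare addresses or CIDR (a.b.c.d/n);
# whether your BIG-IP version accepts CIDR in "sys sshd allow" must be
# checked against its tmsh reference. All function names are hypothetical.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_allow_list CLIENT_IP ENTRY...   exit 0 if some entry covers CLIENT_IP
in_allow_list() {
    local client=$1 c entry net bits mask
    shift
    c=$(ip_to_int "$client")
    for entry in "$@"; do
        net=${entry%%/*}
        bits=${entry#*/}
        [ "$bits" = "$entry" ] && bits=32          # bare address: treat as /32
        if [ "$bits" -eq 0 ]; then
            mask=0
        else
            mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        fi
        if [ $(( c & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
            return 0
        fi
    done
    return 1
}

# build_sshd_allow_cmd ENTRY...   print the tmsh command, or refuse (exit 1)
# when the address of the current SSH session would not be covered.
build_sshd_allow_cmd() {
    local client=${SSH_CLIENT%% *}        # SSH_CLIENT is "addr port port"
    if [ -n "$client" ] && ! in_allow_list "$client" "$@"; then
        echo "refusing: session source $client is not covered by: $*" >&2
        return 1
    fi
    printf 'tmsh modify /sys sshd allow replace-all-with { %s }\n' "$*"
}

# Usage on the device (constructed values): the 192.168/16 range from the
# job aid, applied from a session that originates inside it.
# SSH_CLIENT="192.168.1.50 51234 22" build_sshd_allow_cmd 192.168.0.0/16
```

Run the helper from the session you intend to keep; when it refuses, add the session's source range to the list before applying the change.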
Wrap-Up
This completes the final step in setting up a standalone BIG-IP system. You can now move on to other follow-up
activities that may be of interest after initial setup, such as adding routes, creating a backup of your system, installing
hotfixes, or pairing this BIG-IP system with another BIG-IP system for redundancy. Or, you may just move into
configuring the system for application delivery, adding virtual servers, pools, profiles, and more.