The F5 BIG-IP CLI, the TMOS shell (“tmsh”), is another method of BIG-IP configuration and monitoring in addition to the GUI that we used in the previous section.
In this section we will focus on configuring and monitoring F5 BIG-IP from the CLI.
F5 BIG-IP CLI based configuration
F5 BIG-IP management methods
GUI, CLI and REST API are the three main methods to configure and monitor F5 BIG-IP and many other networking products.
The GUI is the most common method and the one we will focus on in this course to configure and monitor the BIG-IP LTM module.
This section is dedicated to the CLI or TMOS shell environment.
The REST API is a method used to programmatically configure and monitor BIG-IP.
F5 BIG-IP Linux Bash Shell
When you connect to BIG-IP via SSH, you are in a Linux CentOS bash shell environment and most bash shell commands work here.
Some examples of bash commands are “ls” to list files and directories, “pwd” to show the current working directory, “ifconfig” to list interfaces including their MAC and IP addresses, “netstat -nr” to view the routing table, and “top” to check live processes and their memory and CPU usage, among many other bash commands.
[root@ltm1:Active:Standalone] config # ls -al
total 1054
drwxr-xr-x. 25 root   root     4096 Sep  6 04:07 .
dr-xr-xr-x. 23 root   root     1024 Aug 31 07:22 ..
drwxr-xr-x.  4 root   root     4096 Jun 16 03:02 aaa
drwxr-xr-x.  2 root   root     4096 Aug 31 07:26 api_settings
drwxr-xr-x.  2 root   root     4096 Aug 31 07:26 big3d
-r--r--r--.  1 root   root   353797 Sep  6 04:07 BigDB.dat
drwxr-xr-x.  4 root   root     4096 Aug 31 07:23 bigip
-rw-r-----.  1 root   root    11842 Aug 31 14:49 bigip_base.conf
-rw-r-----.  1 root   root    11842 Aug 31 14:49 bigip_base.conf.bak
-rw-r-----.  1 root   root    11437 Aug 31 14:49 bigip.conf
-rw-r-----.  1 root   root    11351 Aug 31 14:46 bigip.conf.bak
-rw-r--r--.  1 root   root      258 Aug 31 14:49 .bigip_emergency.conf
-rw-r--r--.  1 tomcat tomcat  12509 Aug 31 07:59 bigip.license
-rw-r-----.  1 root   root      460 Aug 31 14:49 bigip_user.conf
-rw-r-----.  1 root   root      460 Aug 31 14:49 bigip_user.conf.bak
drwxr-xr-x.  2 root   root     4096 Jun 16 03:07 bigpipe
...

[root@ltm1:Active:Standalone] config # pwd
/config

[root@ltm1:Active:Standalone] config # ifconfig
...
external: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.186  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::20c:29ff:fe7f:7c41  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7f:7c:41  txqueuelen 1000  (Ethernet)
        RX packets 4486  bytes 612900 (598.5 KiB)
        RX errors 0  dropped 504  overruns 0  frame 0
        TX packets 10  bytes 940 (940.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

internal: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.1  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe7f:7c37  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7f:7c:37  txqueuelen 1000  (Ethernet)
        RX packets 1  bytes 50 (50.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 580 (580.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
...
mgmt: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.186  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fe7f:7c2d  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7f:7c:2d  txqueuelen 1000  (Ethernet)
        RX packets 8039  bytes 812814 (793.7 KiB)
        RX errors 0  dropped 654  overruns 0  frame 0
        TX packets 2153  bytes 2098325 (2.0 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
....

[root@ltm1:Active:Standalone] config # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 external
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 mgmt
127.1.1.0       0.0.0.0         255.255.255.0   U         0 0          0 tmm
127.7.0.0       127.1.1.253     255.255.0.0     UG        0 0          0 tmm
127.20.0.0      0.0.0.0         255.255.0.0     U         0 0          0 tmm_bp
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 mgmt
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 external
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 internal

[root@ltm1:Active:Standalone] config # top
top - 09:36:44 up 12 min,  1 user,  load average: 0.31, 1.39, 1.41
Tasks: 277 total,   1 running, 276 sleeping,   0 stopped,   0 zombie
%Cpu(s): 19.2 us,  6.3 sy,  0.3 ni, 72.7 id,  1.0 wa,  0.0 hi,  0.3 si,  0.0 st
KiB Mem :  2049860 total,    58096 free,  1663760 used,   328004 buff/cache
KiB Swap:  1023996 total,   964340 free,    59656 used.    77856 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
10804 root       7 -13  489084 120816  75612 S  10.9  5.9   1:17.37 tmm.0
11919 tomcat    20   0  731312 325912   5520 S   7.6 15.9   1:03.97 java
 7412 root      20   0 1417800 237048   6744 S   5.3 11.6   1:03.02 java
 6712 root      20   0  260924 111544  19992 S   2.0  5.4   0:08.47 mcpd
 4825 root      25   5   96580  14604   8980 S   0.7  0.7   0:04.61 merged
 1417 root      20   0    8596    548    492 S   0.3  0.0   0:12.42 jitterentropy-r
 4248 root      20   0  124192   8048   3960 S   0.3  0.4   0:00.14 httpd
....
There are a few files in the Linux bash shell that may be helpful to know.
The first is the LTM log file, located at “/var/log/ltm”. You can follow the log file in real time at any time using the “tail -f” command.
[root@ltm1:Active:Standalone] config # tail -f /var/log/ltm
Sep 5 09:27:25 ltm1.rayka-co.local notice mcpd[6712]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
Sep 5 09:27:30 ltm1.rayka-co.local info snmpd[7072]: 0114002b:6: HA daemon_heartbeat snmpd enabled.
Sep 5 09:27:30 ltm1.rayka-co.local notice icr_eventd[5167]: 01a10012:5: Startup: MCP subscriber
Sep 5 09:27:31 ltm1.rayka-co.local info cbrd[5479]: 0114002b:6: HA daemon_heartbeat cbrd enabled.
Sep 5 09:27:31 ltm1.rayka-co.local notice mcpd[6712]: 01070404:5: Add a new Publication for publisherID AlertdPublisher and filterType 0
Sep 5 09:27:31 ltm1.rayka-co.local notice icr_eventd[5167]: 01a10012:5: Startup: Invalidating down stream cache
Sep 5 09:27:31 ltm1.rayka-co.local notice icr_eventd[5167]: 01a10012:5: Startup: Beginning MCP message processing
Sep 5 09:27:32 ltm1.rayka-co.local info bigd[6450]: 0114002b:6: HA daemon_heartbeat bigd enabled.
Sep 5 09:27:39 ltm1.rayka-co.local warning chmand[4267]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
Sep 5 09:28:34 ltm1.rayka-co.local notice root[11813]: tmsh restart /sys service tomcat ==> /usr/bin/bigstart restart tomcat
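Every record in the tail output above has the same shape: timestamp, host, syslog level, daemon[pid], an optional eight-hex-digit message code followed by a severity digit (4 for warning, 5 for notice, 6 for info in these lines), and the message. Note also the last line: BIG-IP logs tmsh commands together with the user that ran them, which makes /var/log/ltm a useful audit source for configuration changes. The following Python is an added example, not code from the original article, that parses lines in this format and pulls out what an operator would want to act on: records at warning or worse, and every tmsh command the log recorded. The sample lines are the ten from the tail output above; the field names, the LEVELS table and the triage() function are my own choices.

```python
import re
from collections import Counter

# Syslog severity names, most severe first; /var/log/ltm uses these names
# in the level field. The rank doubles as the numeric severity.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_RANK = {name: rank for rank, name in enumerate(LEVELS)}

# One /var/log/ltm record: timestamp, host, level, daemon[pid]:, an optional
# "<8 hex digits>:<severity digit>:" message code, then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s"
    r"(?P<host>\S+)\s"
    r"(?P<level>[a-z]+)\s"
    r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s"
    r"(?:(?P<code>[0-9a-f]{8}):(?P<sev>\d):\s)?"
    r"(?P<msg>.*)$"
)


def parse_ltm_line(line):
    """Split one log line into a dict of fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    rec["sev"] = int(rec["sev"]) if rec["sev"] else None
    return rec


def triage(lines, threshold="warning"):
    """Return (reason, daemon, level, message) tuples for the lines worth a look:
    anything at `threshold` or more severe, and every tmsh command the log
    recorded (the daemon field then holds the user who ran it)."""
    cutoff = LEVEL_RANK[threshold]
    hits = []
    for line in lines:
        rec = parse_ltm_line(line)
        if rec is None:
            continue  # not a standard record; a real tool would count these too
        rank = LEVEL_RANK.get(rec["level"])
        if rank is not None and rank <= cutoff:
            hits.append(("severity", rec["proc"], rec["level"], rec["msg"]))
        elif rec["msg"].startswith("tmsh "):
            hits.append(("tmsh-command", rec["proc"], rec["level"], rec["msg"]))
    return hits


def daemon_counts(lines):
    """Records per daemon; a sudden change per daemon is a cheap baseline signal."""
    return Counter(rec["proc"] for rec in map(parse_ltm_line, lines) if rec)


# Sample input: the ten records shown in the tail output above.
SAMPLE_LOG = """\
Sep 5 09:27:25 ltm1.rayka-co.local notice mcpd[6712]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
Sep 5 09:27:30 ltm1.rayka-co.local info snmpd[7072]: 0114002b:6: HA daemon_heartbeat snmpd enabled.
Sep 5 09:27:30 ltm1.rayka-co.local notice icr_eventd[5167]: 01a10012:5: Startup: MCP subscriber
Sep 5 09:27:31 ltm1.rayka-co.local info cbrd[5479]: 0114002b:6: HA daemon_heartbeat cbrd enabled.
Sep 5 09:27:31 ltm1.rayka-co.local notice mcpd[6712]: 01070404:5: Add a new Publication for publisherID AlertdPublisher and filterType 0
Sep 5 09:27:31 ltm1.rayka-co.local notice icr_eventd[5167]: 01a10012:5: Startup: Invalidating down stream cache
Sep 5 09:27:31 ltm1.rayka-co.local notice icr_eventd[5167]: 01a10012:5: Startup: Beginning MCP message processing
Sep 5 09:27:32 ltm1.rayka-co.local info bigd[6450]: 0114002b:6: HA daemon_heartbeat bigd enabled.
Sep 5 09:27:39 ltm1.rayka-co.local warning chmand[4267]: 012a0004:4: CHMAN request (from get_dossier) for tag:19 failed
Sep 5 09:28:34 ltm1.rayka-co.local notice root[11813]: tmsh restart /sys service tomcat ==> /usr/bin/bigstart restart tomcat
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit)
    print(daemon_counts(SAMPLE_LINES))
```

Against the sample, triage() returns two records: the chmand warning and the tmsh restart run by root. Piping `tail -f /var/log/ltm` into a script like this is a simple way to get both service health and change auditing from one file; the severity digit after the message code can be cross-checked against the level name, since the two agree in every line above.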
The second group of files are configuration files.
“bigip.conf” is located at “/config/bigip.conf” and stores the LTM configuration objects such as virtual servers, profiles, access policies, iRules, and authentication settings.
The other configuration file is “bigip_base.conf”, located in the same folder, which stores the basic network and system configuration such as VLANs, self IPs, device service clustering (DSC), and provisioning.
It’s also good to know that “/config/bigip.license” is the license file, and this file should never be edited.
See this article (K26582310: Overview of BIG-IP Configuration Files) for the list of important BIG-IP files.
F5 BIG-IP CLI navigation
To configure BIG-IP from the CLI, we need to enter the TMOS shell environment, which is done with the “tmsh” command.
In the tmsh environment, if you type a question mark, you can see the names of the modules and the list of commands.
[root@ltm1:Active:Standalone] config # tmsh
root@(ltm1)(cfg-sync Standalone)(Active)(/Common)(tmos)# ?
Modules:
  /            TMOS Command Line Interface
  auth         User accounts and authentication
  cli          Local user settings and configuration transactions
  cm           Centralized management configuration
  ltm          Local Traffic Manager
  mgmt         REST configuration objects
  net          Network configuration
  saas         SaaS
  security     Global Security Policies
  sys          General system configuration
  util         Utility programs that can be run from within tmsh
  wom          WAN Optimization
Commands:
  bash         Run the bash shell
  ccmode       Use Common Criteria mode settings
  cd           Change the current working folder
  cp           Creates a copy of the configuration object.
  create       Create new configuration
  delete       Remove configuration items
  dig          Interrogate DNS name servers
  domain-tool  Manage Kerberos Host identities
  edit         Update configuration using a text editor
  ...
The list of modules is the same as the categories you see on the left side of the GUI.
Below the module names you can see the list of commands.
The main commands to manage BIG-IP LTM are “list” to show the configuration, “show” to view statistics and status, “create” to create a new configuration, “delete” to delete the configuration, and “modify” to change the configuration.
  create       Create new configuration
  delete       Remove configuration items
  show         View runtime information, statistics and status
  list         View configuration and settings
  modify       Update existing configuration
  exit         Exit the current command mode
  quit         Quit tmsh
  save         Save the running configuration to configuration files
Some other important commands are “exit” to go back one step from the current context, “quit” to exit the tmsh environment and return to the Linux bash shell, and “save” to save the configuration.
The following save command is used to save all configurations.
root@(ltm1)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet map ...done
Saving PCI map ...
 - verifying checksum .../var/run/f5pcimap: OK
 done
 - saving ...done
BIG-IP "sys" module example
To see some examples, let’s focus on the system and network modules that we configured in the previous section. During the course we will see the commands related to the LTM module.
To configure or view the configuration of the management interface, we call the sys (system) module and then use the “management-ip” command.
The “list” command shows the management IP address and the “create” command adds one.
root@(ltm1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list /sys management-ip
sys management-ip 192.168.1.186/24 {
    description configured-statically
}
root@(ltm1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list /sys management-route
sys management-route default {
    description configured-statically
    gateway 192.168.1.1
    network default
}

create /sys management-ip 192.168.1.186/24
create /sys management-route default gateway 192.168.1.1
BIG-IP "net" module examples
Let’s see some other examples from the “net” (network) module.
With the “arp” command in the net module, you can check the ARP table.
  arp          Manage the Address Resolution Protocol (ARP) table
  interface    Interface configuration and statistics
  self         Self-IP address configuration
  route        Routing tables and configuration
  vlan         VLAN configuration and statistics
root@(ltm1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show net arp
--------------------------------------------------------------------------------------
Net::Arp
Name          Address       HWaddress          Vlan              Expire-in-sec  Status
--------------------------------------------------------------------------------------
192.168.2.1   192.168.2.1   f0:86:20:99:a4:58  /Common/external  297            resolved
With the “interface” command, we check the status of the interfaces.
root@(ltm1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show net interface
---------------------------------------------------------------
Net::Interface
Name  Status  Bits   Bits   Pkts   Pkts  Drops  Errs  Media
              In     Out    In     Out
---------------------------------------------------------------
1.1   up      800    13.6K  2      25    0      0     10000T-FD
1.2   up      37.8M  70.6K  21.1K  135   0      0     10000T-FD
1.3   uninit  0      0      0      0     0      0     none
mgmt  up      22.9M  21.8M  22.3K  3.3K  0      0     100TX-FD
With the “route” command, we check the routing table and the route configuration.
root@(ltm1)(cfg-sync Standalone)(Active)(/Common)(tmos)# show net route
--------------------------------------------------------------------------------------------
Net::Routes
Name                      Destination         Type       NextHop               Origin
--------------------------------------------------------------------------------------------
external_default_gateway  default             gw         192.168.2.1           static
192.168.2.0/24            192.168.2.0/24      interface  /Common/external      connected
192.168.10.0/24           192.168.10.0/24     interface  /Common/internal      connected
127.1.1.0/24              127.1.1.0/24        interface  tmm                   connected
fe80::%vlan4094/64        fe80::%vlan4094/64  interface  /Common/internal      connected
fe80::%vlan4093/64        fe80::%vlan4093/64  interface  /Common/external      connected
fe80::/64                 fe80::/64           interface  /Common/socks-tunnel  connected
fe80::/64                 fe80::/64           interface  /Common/http-tunnel   connected
fe80::%vlan4095/64        fe80::%vlan4095/64  interface  /Common/tmm_bp        connected
ff02:ffd::/64             ff02:ffd::/64       interface  /Common/external      connected
ff02:ffe::/64             ff02:ffe::/64       interface  /Common/internal      connected
ff02:fff::/64             ff02:fff::/64       interface  /Common/tmm_bp        connected
ff02::/64                 ff02::/64           interface  tmm                   connected
fe80::/64                 fe80::/64           interface  tmm                   connected
root@(ltm1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net route
net route external_default_gateway {
    gw 192.168.2.1
    network default
}
In the last example, we use the “self” and “vlan” commands to check the self IP configuration and the VLANs assigned to the interfaces.
root@(ltm1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net self
net self 192.168.2.186 {
    address 192.168.2.186/24
    allow-service {
        tcp:https
    }
    traffic-group traffic-group-local-only
    vlan external
}
net self 192.168.10.1 {
    address 192.168.10.1/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}

root@(ltm1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net vlan
net vlan external {
    dag-adjustment none
    fwd-mode l3
    if-index 160
    interfaces {
        1.2 { }
    }
    tag 4093
}
net vlan internal {
    dag-adjustment none
    fwd-mode l3
    if-index 144
    interfaces {
        1.1 { }
    }
    tag 4094
}
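The “list” output above (for “sys management-ip” as well as “net self” and “net vlan”) is a brace-delimited tree with one entry per line, which makes it easy to audit outside the box. One setting worth auditing is “allow-service” on each self IP: F5 calls this Port Lockdown, and “default” opens a built-in set of management services on that address, while the external self IP above allows only tcp:https. The following Python is an added example, not code from the original article or from F5: a small parser for “tmsh list” output plus two checks built on it, one that flags self IPs whose lockdown is “default” or “all” and one that extracts the management addresses. The sample text is assembled from the list outputs shown in this section; the function names and the RISKY_SERVICES set are my own.

```python
# Parse "tmsh list" output and audit self IP port lockdown. The parser assumes
# the brace layout tmsh prints: "name {" opens a block, "}" closes it, empty
# blocks print as "x { }", and every other line is "key value" or a bare item.

def parse_tmsh_list(text):
    """Turn tmsh 'list' output into nested dicts. Leaf entries map key -> value
    string; bare items inside a set such as allow-service map item -> None;
    empty blocks such as "1.2 { }" map to {}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{ }"):
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip() or None
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root


# Port Lockdown values that open a whole set of services rather than a named list.
RISKY_SERVICES = {"default", "all"}


def allowed_services(self_ip):
    """The allow-service set of one parsed self IP, whatever form tmsh printed it in."""
    svc = self_ip.get("allow-service")
    if svc is None:
        return set()
    if isinstance(svc, dict):          # brace form: allow-service { tcp:https }
        return set(svc)
    return {svc}                       # inline form, e.g. "allow-service none"


def find_open_self_ips(text):
    """Self IPs whose port lockdown is 'default' or 'all', as
    (self IP name, vlan, sorted allowed services)."""
    findings = []
    for name, body in parse_tmsh_list(text).items():
        if not name.startswith("net self ") or not isinstance(body, dict):
            continue
        allowed = allowed_services(body)
        if allowed & RISKY_SERVICES:
            findings.append((name.split()[-1], body.get("vlan"), sorted(allowed)))
    return findings


def management_ips(text):
    """Management addresses (CIDR) from 'list /sys management-ip' output."""
    return [name.split()[-1] for name in parse_tmsh_list(text)
            if name.startswith("sys management-ip ")]


# Sample input assembled from the list outputs shown in this section.
SAMPLE = """\
sys management-ip 192.168.1.186/24 {
    description configured-statically
}
net self 192.168.2.186 {
    address 192.168.2.186/24
    allow-service {
        tcp:https
    }
    traffic-group traffic-group-local-only
    vlan external
}
net self 192.168.10.1 {
    address 192.168.10.1/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net vlan external {
    dag-adjustment none
    fwd-mode l3
    if-index 160
    interfaces {
        1.2 { }
    }
    tag 4093
}
"""

if __name__ == "__main__":
    print("management:", management_ips(SAMPLE))
    for ip, vlan, services in find_open_self_ips(SAMPLE):
        print(f"self IP {ip} on VLAN {vlan} allows {services}")
```

On the sample, find_open_self_ips() reports only 192.168.10.1 on the internal VLAN, the self IP that carries “allow-service { default }”. Feeding the real output of “tmsh list net self” into the same function gives a quick lockdown review; a self IP that does not need to accept any connections itself is better set to “none” or to an explicit list, as the external self IP in this section is.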
We’ve seen examples of “sys” and “net” modules, but in the next sections where we configure the LTM module, we’ll also review equivalent CLI configurations.