ltm virtual

ltm virtual(1)						BIG-IP TMSH Manual					    ltm virtual(1)

NAME
       virtual - Configures a virtual server.

MODULE
       ltm

SYNTAX
       Configure the virtual component within the ltm module using the syntax shown in the following sections.

   CREATE/MODIFY
	create virtual [name]
	modify virtual [name]
	 options:
	  all
	  address-status [yes | no]
	  app-service [[string] | none]
	  auth [add | delete | replace-all-with] {
	      [profile_name ... ]
	  }
	  auth [default | none]
	  auto-discovery [enabled | disabled]
	  auto-lasthop [default | enabled | disabled ]
	  clone-pools [add | delete | replace-all-with] {
	      [pool_name ... ] {
		context [clientside | serverside]
	      }
	  }
	  clone-pools none
	  cmp-enabled [yes | no]
	  connection-limit [integer]
	  dhcp-relay
	  description [string]
	  destination [ [virtual_address_name:port] | [ipv4:port] | [ipv6.port] ]
	  [disabled | enabled]
	  eviction-protected [enabled | disabled]
	  fallback-persistence [none | [profile name] ]
	  flow-eviction-policy [none | [eviction policy name] ]
	  fw-enforced-policy [ [policy_name] | none ]
	  fw-staged-policy [ [policy_name] | none ]
	  gtm-score [integer]
	  ip-forward
	  ip-protocol [any | [protocol]]
	  internal
	  l2-forward
	  last-hop-pool [ [pool_name] | none]
	  mask { [ipv4] | [ipv6] }
	  mirror { [disabled | enabled | none] }
	  nat64 [enabled | disabled]
	  per-flow-request-access-policy [ [policy_name] | none ]
	  persist [replace-all-with] {
	      [profile_name ... ] {
		default [no | yes]
	      }
	  }
	  persist none
	  policies [ add | delete | replace-all-with] {
	      policy_name [[policy_name] ...]
	      }
	  pool [ [pool_name] | none]
	  profiles [add | delete | replace-all-with] {
	      [profile_name ...] {
		context [all | clientside | serverside]
	      }
	  }
	  profiles [default | none]
	  rate-class [name]
	  rate-limit [integer]
	  rate-limit-mode [destination | object | object-destination |
			   object-source | object-source-destination | source |
			   source-destination]
	  rate-limit-dst-mask [integer]
	  rate-limit-src-mask [integer]
	  related-rules { none | [rule_name ...] }
	  reject
	  rules { [none | [rule_name ... ] ] }
	  security-nat-policy {
	      policy [ [policy_name] | none]
	      use-device-policy [no | yes]
	      use-route-domain-policy [no | yes]
	  }
	  serverssl-use-sni [ enabled | disabled ]
	  service-down-immediate-action [none | drop | reset]
	  service-policy [ [policy_name] | none ]
	  snat [automap | none] 	   DEPRECATED - see source-address-translation
	  snatpool [snatpool_name]	   DEPRECATED - see source-address-translation
	  source { [ipv4[/prefixlen]] | [ipv6[/prefixlen]] }
	  source-address-translation {
	    options:
	      pool [ [pool_name] | none]
	      type [ automap | lsn | snat | none ]
	  }
	  source-port [change | preserve | preserve-strict]
	  traffic-classes [add | delete | replace-all-with] {
	      [traffic_class_name ...]
	  }
	  traffic-classes [default | none]
	  translate-address [enabled | disabled]
	  translate-port [enabled | disabled]
	  transparent-nexthop [vlan_name]
	  vlans [add | delete | replace-all-with] {
	      [vlan_name ... ]
	  }
	  vlans [default | none]
	  vlans-disabled
	  vlans-enabled
	  metadata [add | delete | modify] {
	      [metadata_name ... ] {
		value [ "value content" ]
		persist [ true | false ]
	      }
	  }
	reset-stats virtual [ [ [name] | [glob] | [regex] ] ... ]
	  fw-enforced-policy-rules { [rule name] }
	  fw-staged-policy-rules  { [rule name] }
	  security-nat-rules { [rule name] }
	  profiles  { [profile name] }

	  options:
	    fw-context-stat
	    ip-intelligence-categories
	    port-misuse

   DISPLAY
	list virtual
	list virtual [ [ [name] | [glob] | [regex] ] ...]
	show running-config virtual
	show running-config virtual [ [ [name] | [glob] | [regex] ] ... ]
	 options:
	  all-properties
	  non-default-properties
	  one-line
	  partition

	show virtual
	show virtual [ [ [name] | [glob] | [regex] ] ... ]
	 options:
	  all-properties (default | exa | gig | kil | meg | peta | raw | tera |
			  yotta | zetta)
	  detail
	  field-fmt
	  fw-context-stat
	  ip-intelligence-categories
	  port-misuse

	mv virtual [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
	 options:
	  to-folder

   DELETE
	delete virtual [name]

DESCRIPTION
       You can use the virtual component to create, delete, modify properties on, and display information about virtual servers.
       Virtual servers are externally visible IP addresses that receive client requests. Rather than sending the requests directly
       to the destination IP address specified in the packet header, it sends the requests to any of several content servers that
       make up a load balancing pool. Virtual servers also apply various behavioral settings to multiple traffic types, enable
       persistence for multiple traffic types, and direct traffic according to user-written iRules(r).

       Note: After you configure a Global Traffic Manager listener, when you use the tab completion feature within the ltm module,
       the listener displays as one of the virtual servers in the Configuration Items section.

EXAMPLES
       create virtual myV2 { destination 11.11.11.12:any persist replace-all-with { source_addr } pool myPool }

       Creates a virtual server named myV2, which uses the source address persistence method.

       modify virtual vs_fl4_http4 profiles replace-all-with { profile-udp }

       Replaces the profile associated with the virtual server vs_fl4_http4.

       Note: To replace the profile associated with a virtual server, you must enclose the name of the new profile in curly
       brackets.

       delete virtual myV4 myV5 myV6

       Deletes the virtual servers named myV4, myV5, and myV6.

       show virtual myV4

       Displays statistics and status for the virtual named myV4.

       show virtual myV4 all-properties

       Displays statistics and status for the virtual named myV4.

       Note: If the system includes Packet Velocity(r) ASIC (PVA) and PVA Assist capabilities, this command displays status and
       statistics for that feature.

       mv /ltm virtual /Common/my_vip to-folder /Common/some_folder

       Moves a virtual server named my_vip to the folder named some_folder, where some_folder has already been created under
       /Common.

       Note: You may not move a virtual server that is associated with CGNAT configuration items, such as LSN pools.
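
       Added example (not part of the F5 manual): a Python check of ltm virtual stanzas against constraints this page
       states under OPTIONS (exclusive forwarding types, deprecated snat/snatpool, staged-only firewall policy, a single
       default persist profile, VLAN scoping). The sample stanzas, the finding names and the simplified multi-line
       layout are assumptions made for illustration.

```python
# Constructed sample in the multi-line layout of `list ltm virtual`; all names are made up.
SAMPLE = """\
ltm virtual vs_demo {
    ip-forward
    reject
    snat automap
    fw-staged-policy stage_pol
    persist {
        cookie {
            default yes
        }
        source_addr {
            default yes
        }
    }
}
ltm virtual vs_ok {
    destination 192.0.2.10:443
    fw-enforced-policy web_pol
    vlans {
        external
    }
    vlans-enabled
}
"""

# Virtual server types the page describes as mutually exclusive.
FORWARDING = ("dhcp-relay", "ip-forward", "l2-forward", "reject")

def parse_stanzas(text):
    """Parse brace-delimited, one-property-per-line text into nested dicts."""
    root = {}
    stack = [root]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            if len(stack) == 1:
                raise ValueError("closing brace without an open stanza")
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip() or True  # bare keyword is a flag
    if len(stack) != 1:
        raise ValueError("unclosed stanza")
    return root

def audit(cfg):
    """Return finding codes (names are this example's own) for one virtual server."""
    findings = []
    if sum(k in cfg for k in FORWARDING) > 1:
        findings.append("conflicting-forwarding-options")
    if "snat" in cfg or "snatpool" in cfg:  # marked DEPRECATED in SYNTAX
        findings.append("deprecated-snat-attribute")
    staged = cfg.get("fw-staged-policy", "none")
    if staged != "none" and cfg.get("fw-enforced-policy", "none") == "none":
        findings.append("firewall-policy-staged-only")  # staged rules are not enforced
    persist = cfg.get("persist")
    if isinstance(persist, dict):
        defaults = [p for p, v in persist.items() if isinstance(v, dict) and v.get("default") == "yes"]
        if len(defaults) > 1:  # only one profile may have default yes
            findings.append("multiple-default-persist-profiles")
    # vlans none together with the default vlans-disabled excludes no VLAN at all.
    if cfg.get("vlans", "none") in ("none", {}) and "vlans-enabled" not in cfg:
        findings.append("no-vlan-restriction")
    return findings

def audit_text(text):
    return {name.split()[-1]: audit(cfg) for name, cfg in parse_stanzas(text).items()}

if __name__ == "__main__":
    for name, findings in audit_text(SAMPLE).items():
        print(name, findings or "ok")
```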

OPTIONS
       all  Specifies that you want to modify all of the existing components of the specified type.

       address-status
	    Specifies whether the virtual will contribute to the operational status of the associated virtual-address. The default
	    value is 'yes'.

       app-service
	    Specifies the name of the application service to which the virtual server belongs. The default value is none. Note: If
	    the strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
	    virtual server. Only the application service can modify or delete the virtual server.

       auth Specifies a list of authentication profile names, separated by spaces, that the virtual server uses to manage
	    authentication.

       auto-discovery
	    Enables or disables auto-discovery of security protected objects (virtual servers). The default value is
	    disabled.

       clone-pools
	    Specifies a pool or list of pools that the virtual server uses to replicate either client or server traffic. You must
	    specify a value of either clientside or serverside for the context option for each clone pool. Typically, this option
	    is used for intrusion detection.

       cmp-enabled
	    Enables or disables clustered multi-processor (CMP) acceleration. This feature applies to certain platforms only. The
	    default value is yes.

       connection-limit
	    Specifies the maximum number of concurrent connections you want to allow for the virtual server. The default value of
	    0 (zero) allows for an unlimited number of concurrent connections.

       context
	    Specifies that the pool is either a clientside or serverside clone pool.

	    Note: Because validation occurs outside of TMSH, you will receive an error when you modify the context for profiles in
	    a virtual server.

       dhcp-relay
	    Specifies a virtual server that relays all received DHCP requests to all pool members. If there is no pool, the
	    received requests are dropped. If you specify the dhcp-relay option, you cannot use the ip-forward, l2-forward, or
	    reject options.

       description
	    User defined description.

       destination
	    Specifies the name of the virtual address and service on which the virtual server listens for connections.

	    The format for "ipv4" is a.b.c.d[:port]. The format for an "ipv6" address is a:b:c:d:e:f:g:h[.port].

	    The default value is any:any.

       (enabled | disabled)
	    Specifies the state of the virtual server. The default value is enabled.

	    Note: When you disable a virtual server, the virtual server no longer accepts new connection requests. However, it
	    allows current connections to finish processing before going to a down state.

       eviction-protected
	    Enables or disables protection for the virtual server from the aggressive sweeper. The default is disabled.

       fallback-persistence
	    Specifies a fallback persistence profile for the virtual server to use when the default persistence profile is not
	    available. The default value is none.

       flow-eviction-policy
	    Specifies a flow eviction policy for the virtual server to use, to select which flows to terminate when the number of
	    connections approaches the connection limit on the virtual server. The default value is none.

       fw-enforced-policy
	    Specifies an enforced firewall policy. fw-enforced-policy rules are enforced on a virtual server.

       fw-enforced-policy-rules
	    Specifies firewall rules enforced on ltm virtual via referenced fw-enforced-policy.

       fw-staged-policy
	    Specifies a staged firewall policy. fw-staged-policy rules are not enforced, while all the visibility aspects,
	    namely statistics, reporting, and logging, function as if the fw-staged-policy rules were enforced on a virtual
	    server.

       fw-staged-policy-rules
	    Specifies firewall rules staged on ltm virtual via referenced fw-staged-policy.

       security-nat-rules
	    Specifies security nat rules associated with ltm virtual via referenced security-nat-policy.

       glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.

       gtm-score
	    Specifies a score that is associated with the virtual server. Global Traffic Manager (GTM) can rely on this value to
	    load balance traffic in a proportional manner.

       traffic-acceleration-status
	    Displays the current traffic-acceleration status. The virtual server is considered traffic-acceleration-dedicated if
	    it uses a traffic-acceleration profile.

       ip-forward
	    Specifies a virtual server that has no pool members to load balance, but instead, forwards the packet directly to the
	    destination IP address specified in the client request. If you specify the ip-forward option, you cannot use the
	    l2-forward or reject options. The destination, mask, translate-address, translate-port, vlans, vlans-disabled and
	    vlans-enabled attributes are set by the system; any attempt to change them will have no effect.

       ip-protocol
	    Specifies the IP protocol for which you want the virtual server to direct traffic. Sample protocol names are TCP and
	    UDP. The default value is any.

	    Note: You do not use this setting when creating an HTTP class virtual server.

       internal
	    Specifies an internal virtual server that handles requests for a parent virtual server, such as content adaptation.
	    Internal virtual servers do not receive external connections; instead, they are specified by name by profiles in the
	    parent virtual server (see ltm profile request-adapt and ltm profile response-adapt). Since internal virtual servers
	    do not listen for external connections, not all attributes are used for internal virtual servers. The destination,
	    mask, translate-address, translate-port, vlans, vlans-disabled and vlans-enabled attributes are set by the system; any
	    attempt to change them will have no effect.

       l2-forward
	    Specifies a virtual server that shares the same IP address as a node in an associated VLAN. You create this type of
	    virtual server when you want to create a VLAN group. If you specify the l2-forward option, you cannot use the
	    ip-forward or reject options.

       last-hop-pool
	    Specifies the name of the last hop pool that you want the virtual server to use to direct reply traffic to the last
	    hop router. The default value is none.

       mask Specifies the netmask for a network virtual server only. This setting is required for a network virtual server.

	    The netmask clarifies whether the host bit is an actual zero or a wildcard representation. The default value is
	    255.255.255.255 for IPv4 or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff for IPv6.

       mirror
	    Enables or disables mirroring. You can use mirroring to maintain the same state information in the standby unit that
	    is in the active unit, allowing transactions such as FTP file transfers to continue as though uninterrupted. The
	    default value is none.

       mobile-app-tunnel
	    Deprecated since v13.1.0.

       name Specifies a unique name for the component. This option is required for the commands create, delete, and modify.

       nat64
	    Enables or disables NAT64. The default value is disabled. NAT64 is a service that automatically translates IPv6
	    traffic into IPv4.

       partition
	    Displays the name of the administrative partition within which the virtual server resides.

       per-flow-request-access-policy
	    Specifies the name of the per-request access policy to be used with the virtual server. The default value is none.

       persist
	    Specifies a list of profiles separated by spaces that the virtual server uses to manage connection persistence. The
	    default value is none.

	    To enable persistence, typically you specify a single profile. However, you can specify multiple profiles in
	    conjunction with iRules(r) that define a persistence strategy based on incoming traffic. In the case of multiple
	    profiles, the default option specifies which profile you want the virtual server to use if an iRule does not specify a
	    persistence method. When you specify multiple profiles, the default value of the default property is no. You can set
	    the value of the default property to yes for only one of the profiles.

       policies
	    Manage LTM Policies applied to the virtual server. LTM Policies define a set of conditions and actions that can be
	    used to inspect, modify, direct traffic, and enable/disable features on the fly, similar to iRules. LTM Policies do
	    not require programming. See also ltm policy.

       pool Specifies a default pool to which you want the virtual server to automatically direct traffic. The default value is
	    none.

       port-misuse
	    Used to show or reset port misuse policy statistics for the virtual server.

       fw-context-stat
	    Used to show or reset firewall statistics for the virtual server.

       profiles
	    Specifies a list of profiles for the virtual server to use to direct and manage traffic. The default value is fastL4.

       rate-class
	    Specifies the name of an existing rate class that you want the virtual server to use to enforce a throughput policy
	    for incoming network traffic. The default value is none.

       rate-limit
	    Specifies the maximum number of connections per second allowed for a virtual server. The default value is 'disabled'.

       rate-limit-mode
	    Indicates whether the rate limit is applied per virtual object, per source address, per destination address, or some
	    combination thereof. The default value is 'object', which does not use the source or destination address as part of
	    the key.

       rate-limit-dst-mask
	    Specifies a mask, in bits, to be applied to the destination address as part of the rate limiting. The default value is
	    '0', which is equivalent to using the entire address - '32' in IPv4, or '128' in IPv6.

       rate-limit-src-mask
	    Specifies a mask, in bits, to be applied to the source address as part of the rate limiting. The default value is '0',
	    which is equivalent to using the entire address - '32' in IPv4, or '128' in IPv6.

       regex
	    Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
	    expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
	    expression syntax.

       related-rules
	    Specifies a list of iRules, separated by spaces, that customize the behavior of secondary channels (for instance the
	    data channel on FTP) opened on behalf of the virtual server. The default value is none.

       reject
	    Specifies that the BIG-IP(r) system rejects any traffic destined for the virtual server IP address. If you specify the
	    reject option, you cannot use the ip-forward or l2-forward options.

       rules
	    Specifies a list of iRules, separated by spaces, that customize the virtual server to direct and manage traffic. The
	    default value is none.

       security-nat-policy
	    Configures the following options to specify which Security NAT Policy is to be used to match the incoming traffic and
	    perform source/destination translation (address/port) using the first-match rule criteria:

	    policy
		 Specifies the name of the Security NAT Policy to be used (see security nat policy).

	    use-route-domain-policy
		 Specifies whether to use the Security NAT policy of the virtual server's route domain context. If enabled AND
		 the virtual server does not have a NAT policy configured, the route domain's security NAT policy is used.

	    use-device-policy
		 Specifies whether to use the security device context NAT policy (see security device-context). If enabled AND
		 neither the virtual server nor the route domain has a NAT policy configured, the NAT policy configured at the
		 security device (a.k.a. global) level is used.

       serverssl-use-sni
	    When multiple server-ssl profiles are attached to a virtual, setting this allows one to be chosen based on the SNI
	    extension from the ClientHello if a client-ssl profile is also attached to the virtual.

       service-down-immediate-action
	    Specifies the immediate action the BIG-IP system should respond with upon the receipt of the initial client's SYN
	    packet if the availability status of the virtual server is Offline or Unavailable. This is supported for the virtual
	    server of Standard type and TCP protocol. The default value is none.

       service-policy
	    Specifies a service policy for the virtual server. If set, it will enforce the service policy for incoming network
	    traffic. The service policy can be used to validate if incoming traffic conforms to a set of application protocols.

       snat Specifies whether SNAT automap is enabled for the virtual server. The default value is none.  This attribute is
	    DEPRECATED. Use source-address-translation { type ( automap / none ) }

       snatpool
	    Specifies the name of an existing SNAT pool that you want the virtual server to use to implement selective and
	    intelligent SNATs. This attribute is DEPRECATED. Use source-address-translation { type snat pool pool_name }

       source
	    Specifies an IP address or network from which the virtual server will accept traffic.

	    The format for an "ipv4" address is a.b.c.d[/prefixlen]. The format for an "ipv6" address is
	    a:b:c:d:e:f:g:h[/prefixlen].

       source-address-translation
	    Specifies the type of source address translation enabled for the virtual server as well as the pool that the source
	    address translation will use.

	    pool Specifies the name of a LSN or SNAT pool used by the specified virtual server.

	    type Specifies the type of source address translation associated with the specified virtual server.

		 The options are:

		 automap
		      Specifies the use of self IP addresses for virtual server source address translation.

		 lsn  Specifies the use of a LSN pool of translation addresses for virtual server source address translation.

		 none Specifies no source address translation to be used by the virtual server.

		 snat Specifies the use of a SNAT pool of translation addresses for virtual server source address translation.

       source-port
	    Specifies whether the system preserves the source port of the connection. The default value is preserve.

	    The options are:

	    change
		 Obfuscates internal network addresses.

	    preserve
		 Preserves the source port of the connection.

	    preserve-strict
		 Use this value only for UDP under very special circumstances, such as nPath or transparent (that is, no
		 translation of any other L3/L4 field), where there is a 1:1 relationship between virtual IP addresses and node
		 addresses, or when clustered multi-processing (CMP) is disabled.

       traffic-classes
	    Specifies a list of traffic classes that are associated with the virtual server. The default value is none.

       translate-address
	    Enables or disables address translation for the virtual server. Disable address translation for a virtual server if
	    you want to use the virtual server to load balance connections to any address. This option is useful when the system
	    is load balancing devices that have the same IP address. The default value is disabled.

       translate-port
	    Enables or disables port translation. Disable port translation for a virtual server, if you want to use the virtual
	    server to load balance connections to any service. The default value is disabled.

       transparent-nexthop
	    Specifies the egress interface for traffic and enables layer 2 (MAC) address preservation. Layer 2 address
	    preservation disables layer 3 (IP/IPv6) address translation.

       vlans
	    Specifies a list of VLANs on which the virtual server is either enabled or disabled. The default value is none. The
	    options vlans-disabled and vlans-enabled indicate whether the virtual server is disabled or enabled on the list of
	    specified VLANs.

       vlans-disabled
	    Disables the virtual server on the VLANs specified in the vlans option. This is the default setting.

       vlans-enabled
	    Enables the virtual server on the VLANs specified in the vlans option.

       vs-index
	    Displays a unique index assigned to this virtual server.

       metadata
	    Associates user-defined data with the virtual server. Each item has a name and value pair and a persist setting.
	    Persistent (the default) means the data will be saved into the config file.

       ip-intelligence-categories
	    Used to show or reset statistics on IP intelligence white/black list categories.
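
       Added example (not F5 code): a Python model of how rate-limit-mode, rate-limit-src-mask and rate-limit-dst-mask
       combine into the key that a rate-limit counter is tracked under, so the effect of a mode or mask choice on which
       clients share a limit can be checked before it is applied. The one-second counting window, the function names and
       the sample traffic are assumptions; BIG-IP internals may differ.

```python
import ipaddress
from collections import Counter

# Key components implied by each rate-limit-mode name listed in SYNTAX.
MODES = {
    "object": ("object",),
    "source": ("source",),
    "destination": ("destination",),
    "object-source": ("object", "source"),
    "object-destination": ("object", "destination"),
    "source-destination": ("source", "destination"),
    "object-source-destination": ("object", "source", "destination"),
}


def masked(addr, bits):
    """Apply a mask given in bits; 0 means the entire address, as OPTIONS states."""
    ip = ipaddress.ip_address(addr)
    if not 0 <= bits <= ip.max_prefixlen:
        raise ValueError(f"mask {bits} out of range for {addr}")
    prefix = bits or ip.max_prefixlen
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def rate_limit_key(mode, virtual, src, dst, src_mask=0, dst_mask=0):
    """Build the counter key for one connection under the given mode."""
    parts = {
        "object": virtual,
        "source": masked(src, src_mask),
        "destination": masked(dst, dst_mask),
    }
    return tuple(parts[c] for c in MODES[mode])


def simulate(mode, limit, conns, src_mask=0, dst_mask=0):
    """Return True/False (accepted/over limit) for each (second, virtual, src, dst)."""
    seen = Counter()
    verdicts = []
    for second, virtual, src, dst in conns:
        bucket = (second,) + rate_limit_key(mode, virtual, src, dst, src_mask, dst_mask)
        seen[bucket] += 1
        verdicts.append(seen[bucket] <= limit)
    return verdicts


# Constructed traffic: one busy client, a neighbour in the same /24, and an unrelated client.
CONNS = [
    (0, "vs_web", "198.51.100.7", "192.0.2.10"),
    (0, "vs_web", "198.51.100.7", "192.0.2.10"),
    (0, "vs_web", "198.51.100.7", "192.0.2.10"),
    (0, "vs_web", "198.51.100.9", "192.0.2.10"),
    (0, "vs_web", "203.0.113.5", "192.0.2.10"),
]

if __name__ == "__main__":
    print("object             ", simulate("object", 2, CONNS))
    print("object-source      ", simulate("object-source", 2, CONNS))
    print("object-source /24  ", simulate("object-source", 2, CONNS, src_mask=24))
```

       With the default mode 'object' the busy client uses up the limit for every other client of the virtual server; a
       source-keyed mode isolates clients, and a shorter source mask makes neighbours share one counter again.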

SEE ALSO
       create, delete, edit, glob, list, ltm persistence, ltm pool, modify, mv, security nat policy, net service-policy, net vlan,
       net vlan-group, security firewall schedule, security firewall rule-list, regex, reset-stats, rule, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2014, 2016. All rights reserved.

BIG-IP							    2019-06-19						    ltm virtual(1)