ltm virtual
ltm virtual(1) BIG-IP TMSH Manual ltm virtual(1)
NAME
virtual - Configures a virtual server.
MODULE
ltm
SYNTAX
Configure the virtual component within the ltm module using the syntax
shown in the following sections.
CREATE/MODIFY
create virtual [name]
modify virtual [name]
options:
all
address-status [yes | no]
app-service [[string] | none]
auth [add | delete | replace-all-with] {
[profile_name ... ]
}
auth [default | none]
auto-lasthop [default | enabled | disabled ]
clone-pools [add | delete | replace-all-with] {
[pool_name ... ] {
context [clientside | serverside]
}
}
clone-pools none
cmp-enabled [yes | no]
connection-limit [integer]
dhcp-relay
description [string]
destination [ [virtual_address_name:port] | [ipv4:port] | [ipv6.port] ]
[disabled | enabled]
fallback-persistence [none | [profile name] ]
flow-eviction-policy [none | [eviction policy name] ]
fw-enforced-policy [ [policy_name] | none ]
fw-staged-policy [ [policy_name] | none ]
gtm-score [integer]
http-class none
http-class {
[profile_name ...]
}
ip-forward
ip-protocol [any | [protocol] ]
internal
l2-forward
last-hop-pool [ [pool_name] | none]
mask { [ipv4] | [ipv6] }
mirror { [disabled | enabled | none] }
nat64 [enabled | disabled]
persist [replace-all-with] {
[profile_name ... ] {
default [no | yes]
}
}
persist none
pool [ [pool_name] | none]
profiles [add | delete | replace-all-with] {
[profile_name ...] {
context [all | clientside | serverside]
}
}
profiles [default | none]
rate-class [name]
rate-limit [integer]
rate-limit-mode [destination | object | object-destination |
object-source | object-source-destination | source |
source-destination]
rate-limit-dst [integer]
rate-limit-src [integer]
related-rules { none | [rule_name ...] }
reject
rules { none | [rule_name ... ] }
security-nat-policy {
policy [ [policy_name] | none]
use-device-policy [no | yes]
use-route-domain-policy [no | yes]
}
service-down-immediate-action [none | drop | reset]
service-policy [ [policy_name] | none ]
snat [automap | none] DEPRECATED - see source-address-translation
snatpool [snatpool_name] DEPRECATED - see source-address-translation
source { [ipv4[/prefixlen]] | [ipv6[/prefixlen]] }
source-address-translation {
options:
pool [ [pool_name] | none]
type [ automap | lsn | snat | none ]
}
source-port [change | preserve | preserve-strict]
traffic-classes [add | delete | replace-all-with] {
[traffic_class_name ...]
}
traffic-classes [default | none]
translate-address [enabled | disabled]
translate-port [enabled | disabled]
transparent-nexthop [vlan_name]
vlans [add | delete | replace-all-with] {
[vlan_name ... ]
}
vlans [default | none]
vlans-disabled
vlans-enabled
metadata [add | delete | modify] {
[metadata_name ... ] {
value [ "value content" ]
persist [ true | false ]
}
}
reset-stats virtual [ [ [name] | [glob] | [regex] ] ... ]
fw-enforced-policy-rules { [rule name] }
fw-staged-policy-rules { [rule name] }
security-nat-rules { [rule name] }
profiles { [profile name] }
options:
ip-intelligence-categories
port-misuse
DISPLAY
list virtual
list virtual [ [ [name] | [glob] | [regex] ] ...]
show running-config virtual
show running-config virtual [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show virtual
show virtual [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties (default | exa | gig | kil | meg | peta | raw | tera |
yotta | zetta)
detail
field-fmt
ip-intelligence-categories
port-misuse
mv virtual [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
options:
to-folder
DELETE
delete virtual [name]
DESCRIPTION
You can use the virtual component to create, delete, modify properties
on, and display information about virtual servers. Virtual servers are
externally visible IP addresses that receive client requests. Rather
than sending the requests directly to the destination IP address
specified in the packet header, a virtual server sends the requests to any
of several content servers that make up a load balancing pool. Virtual servers
also apply various behavioral settings to multiple traffic types,
enable persistence for multiple traffic types, and direct traffic
according to user-written iRules(r).
Note: After you configure a Global Traffic Manager listener, when you
use the tab completion feature within the ltm module, the listener
displays as one of the virtual servers in the Configuration Items
section.
EXAMPLES
create virtual myV2 { destination 11.11.11.12:any persist replace-all-with { source_addr } pool myPool }
Creates a virtual server named myV2, which uses the source address
persistence method.
modify virtual vs_fl4_http4 profiles replace-all-with { profile-udp }
Replaces the profile associated with the virtual server vs_fl4_http4.
Note: To replace the profile associated with a virtual server, you must
enclose the name of the new profile in curly brackets.
delete virtual myV4 myV5 myV6
Deletes the virtual servers named myV4, myV5, and myV6.
show virtual myV4
Displays statistics and status for the virtual named myV4.
show virtual myV4 all-properties
Displays statistics and status for the virtual named myV4.
Note: If the system includes Packet Velocity(r) ASIC (PVA) and PVA
Assist capabilities, this command displays status and statistics for
that feature.
mv /ltm virtual /Common/my_vip to-folder /Common/some_folder
Moves a virtual server named my_vip to the folder named some_folder,
where some_folder has already been created under /Common.
Note: You may not move a virtual server that is associated with CGNAT
configuration items, such as LSN pools.
OPTIONS
all Specifies that you want to modify all of the existing components
of the specified type.
address-status
Specifies whether the virtual will contribute to the operational
status of the associated virtual-address. The default value is
'yes'.
app-service
Specifies the name of the application service to which the virtual
server belongs. The default value is none. Note: If the strict-
updates option is enabled on the application service that owns the
object, you cannot modify or delete the virtual server. Only the
application service can modify or delete the virtual server.
auth Specifies a list of authentication profile names, separated by
spaces, that the virtual server uses to manage authentication.
clone-pools
Specifies a pool or list of pools that the virtual server uses to
replicate either client or server traffic. You must specify a
value of either clientside or serverside for the context option
for each clone pool. Typically, this option is used for intrusion
detection.
cmp-enabled
Enables or disables clustered multi-processor (CMP) acceleration.
This feature applies to certain platforms only. The default value
is yes.
connection-limit
Specifies the maximum number of concurrent connections you want to
allow for the virtual server. The default value of 0 (zero) allows
for an unlimited number of concurrent connections.
context
Specifies that the pool is either a clientside or serverside clone
pool.
Note: Because validation occurs outside of TMSH, you will receive
an error when you modify the context for profiles in a virtual
server.
dhcp-relay
Specifies a virtual server that relays all received DHCP requests
to all pool members. If there is no pool, the received requests are
dropped. If you specify the dhcp-relay option, you cannot use the
ip-forward, l2-forward, or reject options.
description
User defined description.
destination
Specifies the name of the virtual address and service on which the
virtual server listens for connections.
The format for "ipv4" is a.b.c.d[:port]. The format for an "ipv6"
address is a:b:c:d:e:f:g:h[.port].
The default value is any:any.
(enabled | disabled)
Specifies the state of the virtual server. The default value is
enabled.
Note: When you disable a virtual server, the virtual server no
longer accepts new connection requests. However, it allows current
connections to finish processing before going to a down state.
fallback-persistence
Specifies a fallback persistence profile for the virtual server to
use when the default persistence profile is not available. The
default value is none.
flow-eviction-policy
Specifies a flow eviction policy for the virtual server to use, to
select which flows to terminate when the number of connections
approaches the connection limit on the virtual server. The default
value is none.
fw-enforced-policy
Specifies an enforced firewall policy. fw-enforced-policy rules
are enforced on a virtual server.
fw-enforced-policy-rules
Specifies firewall rules enforced on ltm virtual via referenced
fw-enforced-policy.
fw-staged-policy
Specifies a staged firewall policy. fw-staged-policy rules are not
enforced, while all the visibility aspects (namely statistics,
reporting and logging) function as if the fw-staged-policy rules
were enforced on a virtual server.
fw-staged-policy-rules
Specifies firewall rules staged on ltm virtual via referenced fw-
staged-policy.
security-nat-rules
Specifies security nat rules associated with ltm virtual via
referenced security-nat-policy.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
gtm-score
Specifies a score that is associated with the virtual server.
Global Traffic Manager (GTM) can rely on this value to load
balance traffic in a proportional manner.
traffic-acceleration-status
Displays the current traffic-acceleration status. The virtual
server is considered traffic-acceleration-dedicated if it uses a
traffic-acceleration profile.
http-class
Specifies a list of HTTP class profiles, separated by spaces, with
which the virtual server works to increase the speed at which the
virtual server processes HTTP requests. The default value is none.
The order in which the profiles are entered sets the priority of
each profile, in ascending order, specific to this virtual server.
ip-forward
Specifies a virtual server that has no pool members to load
balance, but instead, forwards the packet directly to the
destination IP address specified in the client request. If you
specify the ip-forward option, you cannot use the l2-forward or
reject options.
ip-protocol
Specifies the IP protocol for which you want the virtual server to
direct traffic. Sample protocol names are TCP and UDP. The default
value is any.
Note: You do not use this setting when creating an HTTP class
virtual server.
internal
Specifies an internal virtual server that handles requests for a
parent virtual server, such as content adaptation. Internal
virtual servers do not receive external connections; instead, they
are specified by name by profiles in the parent virtual server
(see ltm profile request-adapt and ltm profile response-adapt).
Since internal virtual servers do not listen for external
connections, not all attributes are used for internal virtual
servers. The destination, mask, translate-address, translate-port,
vlans, vlans-disabled and vlans-enabled attributes are set by the
system; any attempt to change them will have no effect.
l2-forward
Specifies a virtual server that shares the same IP address as a
node in an associated VLAN. You create this type of virtual server
when you want to create a VLAN group. If you specify the
l2-forward option, you cannot use the ip-forward or reject
options.
last-hop-pool
Specifies the name of the last hop pool that you want the virtual
server to use to direct reply traffic to the last hop router. The
default value is none.
mask Specifies the netmask for a network virtual server only. This
setting is required for a network virtual server.
The netmask clarifies whether the host bit is an actual zero or a
wildcard representation. The default value is 255.255.255.255 for
IPv4 or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff for IPv6.
mirror
Enables or disables mirroring. You can use mirroring to maintain
the same state information in the standby unit that is in the
active unit, allowing transactions such as FTP file transfers to
continue as though uninterrupted. The default value is none.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
nat64
Enables or disables NAT64. The default value is disabled. NAT64 is a
service that automatically translates IPv6 traffic into IPv4.
partition
Displays the name of the administrative partition within which the
virtual server resides.
persist
Specifies a list of profiles separated by spaces that the virtual
server uses to manage connection persistence. The default value is
none.
To enable persistence, typically you specify a single profile.
However, you can specify multiple profiles in conjunction with
iRules(r) that define a persistence strategy based on incoming
traffic. In the case of multiple profiles, the default option
specifies which profile you want the virtual server to use if an
iRule does not specify a persistence method. When you specify
multiple profiles, the default value of the default property is
no. You can set the value of the default property to yes for only
one of the profiles.
pool Specifies a default pool to which you want the virtual server to
automatically direct traffic. The default value is none.
port-misuse
Used to show or reset port misuse policy statistics for the
virtual server.
profiles
Specifies a list of profiles for the virtual server to use to
direct and manage traffic. The default value is fastL4.
rate-class
Specifies the name of an existing rate class that you want the
virtual server to use to enforce a throughput policy for incoming
network traffic. The default value is none.
rate-limit
Specifies the maximum number of connections per second allowed for
a virtual server. The default value is 'disabled'.
rate-limit-mode
Indicates whether the rate limit is applied per virtual object,
per source address, per destination address, or some combination
thereof. The default value is 'object', which does not use the
source or destination address as part of the key.
rate-limit-dst-mask
Specifies a mask, in bits, to be applied to the destination
address as part of the rate limiting. The default value is '0',
which is equivalent to using the entire address - '32' in IPv4, or
'128' in IPv6.
rate-limit-src-mask
Specifies a mask, in bits, to be applied to the source address as
part of the rate limiting. The default value is '0', which is
equivalent to using the entire address - '32' in IPv4, or '128' in
IPv6.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
related-rules
Specifies a list of iRules, separated by spaces, that customize
the behavior of secondary channels (for instance the data channel
on FTP) opened on behalf of the virtual server. The default value
is none.
reject
Specifies that the BIG-IP(r) system rejects any traffic destined
for the virtual server IP address. If you specify the reject
option, you cannot use the ip-forward or l2-forward options.
rules
Specifies a list of iRules, separated by spaces, that customize
the virtual server to direct and manage traffic. The default value
is none.
security-nat-policy
Configures the following options to specify which Security NAT
Policy is to be used to match the incoming traffic and perform
source/destination translation (address/port) using the first-
match rule criteria:
policy
Specifies the name of the Security NAT Policy to be used (see
security nat policy).
use-route-domain-policy
Specifies whether to use the virtual server's route domain
context's Security NAT policy. If enabled and the virtual
server does not have a NAT policy configured, the route domain's
Security NAT policy is used.
use-device-policy
Specifies whether to use the security device context NAT
policy (see security device-context). If enabled and neither the
virtual server nor the route domain has a NAT policy configured,
the NAT policy configured at the security device (global) level
is used.
service-down-immediate-action
Specifies the immediate action the BIG-IP system should respond
with upon the receipt of the initial client's SYN packet if the
availability status of the virtual server is Offline or
Unavailable. This is supported for the virtual server of Standard
type and TCP protocol. The default value is none.
service-policy
Specifies a service policy for the virtual server. If set, it will
enforce the service policy for incoming network traffic. The
service policy can be used to validate if incoming traffic
conforms to a set of application protocols.
snat Specifies whether SNAT automap is enabled for the virtual server.
The default value is none. This attribute is DEPRECATED. Use
source-address-translation { type ( automap / none ) }
snatpool
Specifies the name of an existing SNAT pool that you want the
virtual server to use to implement selective and intelligent
SNATs. This attribute is DEPRECATED. Use
source-address-translation { type snat pool pool_name }
source
Specifies an IP address or network from which the virtual server
will accept traffic.
The format for an "ipv4" address is a.b.c.d[/prefixlen]. The
format for an "ipv6" address is a:b:c:d:e:f:g:h[/prefixlen].
source-address-translation
Specifies the type of source address translation enabled for the
virtual server as well as the pool that the source address
translation will use.
pool Specifies the name of an LSN or SNAT pool used by the
specified virtual server.
type Specifies the type of source address translation associated
with the specified virtual server.
The options are:
automap
Specifies the use of self IP addresses for virtual
server source address translation.
lsn Specifies the use of an LSN pool of translation addresses
for virtual server source address translation.
none Specifies no source address translation to be used by
the virtual server.
snat Specifies the use of a SNAT pool of translation
addresses for virtual server source address translation.
source-port
Specifies whether the system preserves the source port of the
connection. The default value is preserve.
The options are:
change
Obfuscates internal network addresses.
preserve
Preserves the source port of the connection.
preserve-strict
Use this value only for UDP under very special circumstances,
such as nPath or transparent (that is, no translation of any
other L3/L4 field), where there is a 1:1 relationship between
virtual IP addresses and node addresses, or when clustered
multi-processing (CMP) is disabled.
traffic-classes
Specifies a list of traffic classes that are associated with the
virtual server. The default value is none.
translate-address
Enables or disables address translation for the virtual server.
Disable address translation for a virtual server if you want to
use the virtual server to load balance connections to any address.
This option is useful when the system is load balancing devices
that have the same IP address. The default value is disabled.
translate-port
Enables or disables port translation. Disable port translation for
a virtual server, if you want to use the virtual server to load
balance connections to any service. The default value is disabled.
transparent-nexthop
Specifies the egress interface for traffic and enables layer 2
(MAC) address preservation. Layer 2 address preservation disables
layer 3 (IP/IPv6) address translation.
vlans
Specifies a list of VLANs on which the virtual server is either
enabled or disabled. The default value is none. The options vlans-
disabled and vlans-enabled indicate whether the virtual server is
disabled or enabled on the list of specified VLANs.
vlans-disabled
Disables the virtual server on the VLANs specified in the vlans
option. This is the default setting.
vlans-enabled
Enables the virtual server on the VLANs specified in the vlans
option.
vs-index
Displays a unique index assigned to this virtual server.
metadata
Associates user-defined data with the virtual server. Each item
has a name and value pair and a persistence setting. Persistent
(the default) means the data will be saved into the config file.
ip-intelligence-categories
Used to show or reset statistics on IP intelligence whitelist and
blacklist categories.
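Added example (not part of the F5 manual): a Python sketch that parses
brace-delimited virtual server stanzas and flags settings that the option
descriptions above call out (mutually exclusive types, deprecated snat and
snatpool, unlimited connection-limit, disabled rate-limit, no VLAN
restriction). It assumes "list virtual one-line" prints stanzas of the form
"ltm virtual NAME { property value ... }"; the sample stanzas, the function
names and the finding texts are constructed for illustration.

```python
import shlex

# Value-less keywords taken from the SYNTAX section of this page.
FLAGS = {"dhcp-relay", "ip-forward", "l2-forward", "reject", "internal",
         "enabled", "disabled", "vlans-enabled", "vlans-disabled"}
# Properties whose braces hold a plain list of names.
LISTS = {"vlans", "rules", "related-rules", "traffic-classes", "auth", "http-class"}
EXCLUSIVE = {"dhcp-relay", "ip-forward", "l2-forward", "reject"}

# Constructed sample input (assumed one-line output format, not real device data).
SAMPLE = """
ltm virtual vs_web { connection-limit 5000 destination 192.0.2.10:443 profiles { http { } tcp { } } rate-limit 200 vlans { external } vlans-enabled }
ltm virtual vs_legacy { description "old forwarding listener" destination 192.0.2.20:any ip-forward reject snat automap }
"""

def parse_block(tok, i, as_list=False):
    """Parse the tokens after an opening '{'; return (value, index past '}')."""
    items, props = [], {}
    while tok[i] != "}":
        key = tok[i]
        i += 1
        if as_list:
            items.append(key)
        elif tok[i] == "{":                      # nested block, e.g. profiles { tcp { } }
            props[key], i = parse_block(tok, i + 1, key in LISTS)
        elif key in FLAGS or tok[i] == "}":      # keyword without a value
            props[key] = True
        else:                                    # scalar property: key value
            props[key] = tok[i]
            i += 1
    return (items if as_list else props), i + 1

def parse_virtuals(text):
    """Return {name: properties} for each 'ltm virtual NAME { ... }' stanza."""
    tok, out, i = shlex.split(text), {}, 0
    while i < len(tok):
        if tok[i:i + 2] == ["ltm", "virtual"] and tok[i + 3:i + 4] == ["{"]:
            out[tok[i + 2]], i = parse_block(tok, i + 4)
        else:
            i += 1
    return out

def audit(props):
    """Return review items that follow from the option descriptions on this page."""
    found = []
    modes = sorted(EXCLUSIVE & props.keys())
    if len(modes) > 1:
        found.append("mutually exclusive: " + ", ".join(modes))
    found += [f"deprecated '{k}'; use source-address-translation"
              for k in ("snat", "snatpool") if k in props]
    if props.get("connection-limit", "0") == "0":
        found.append("connection-limit 0: unlimited concurrent connections")
    if props.get("rate-limit", "disabled") == "disabled":
        found.append("rate-limit disabled: no connections-per-second cap")
    if props.get("vlans", "none") in ("none", []) and "vlans-enabled" not in props:
        found.append("vlans none + vlans-disabled: enabled on every VLAN")
    return found

if __name__ == "__main__":
    for name, props in parse_virtuals(SAMPLE).items():
        print(name, audit(props) or "no findings")
```

Properties left at their defaults may not appear in the listing, so the audit
treats a missing connection-limit, rate-limit or vlans entry as the default
value documented above.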
SEE ALSO
create, delete, edit, glob, list, ltm persistence, ltm pool, modify,
mv, security nat policy, net service-policy, net vlan, net vlan-group,
security firewall schedule, security firewall rule-list, regex, reset-
stats, rule, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2014, 2016. All rights
reserved.
BIG-IP 2016-11-18 ltm virtual(1)