ltm virtual
ltm virtual(1) BIG-IP TMSH Manual ltm virtual(1)
NAME
virtual - Configures a virtual server.
MODULE
ltm
SYNTAX
Configure the virtual component within the ltm module using the syntax shown in the following sections.
CREATE/MODIFY
create virtual [name]
modify virtual [name]
options:
all
address-status [yes | no]
app-service [[string] | none]
auth [add | delete | replace-all-with] {
[profile_name ... ]
}
auth [default | none]
auto-discovery [enabled | disabled]
auto-lasthop [default | enabled | disabled ]
clone-pools [add | delete | replace-all-with] {
[pool_name ... ] {
context [clientside | serverside]
}
}
clone-pools none
cmp-enabled [yes | no]
connection-limit [integer]
dhcp-relay
description [string]
destination [ [virtual_address_name:port] | [ipv4:port] | [ipv6.port] ]
[disabled | enabled]
eviction-protected [enabled | disabled]
fallback-persistence [none | [profile name] ]
flow-eviction-policy [none | [eviction policy name] ]
fw-enforced-policy [ [policy_name] | none ]
fw-staged-policy [ [policy_name] | none ]
gtm-score [integer]
ip-forward
ip-protocol [any | [protocol] ]
internal
l2-forward
last-hop-pool [ [pool_name] | none]
mask { [ipv4] | [ipv6] }
mirror { [disabled | enabled | none] }
nat64 [enabled | disabled]
per-flow-request-access-policy [ [policy_name] | none ]
persist [replace-all-with] {
[profile_name ... ] {
default [no | yes]
}
}
persist none
policies [ add | delete | replace-all-with] {
policy_name [[policy_name] ...]
}
pool [ [pool_name] | none]
profiles [add | delete | replace-all-with] {
[profile_name ...] {
context [all | clientside | serverside]
}
}
profiles [default | none]
rate-class [name]
rate-limit [integer]
rate-limit-mode [destination | object | object-destination |
object-source | object-source-destination | source |
source-destination]
rate-limit-dst-mask [integer]
rate-limit-src-mask [integer]
related-rules { none | [rule_name ...] }
reject
rules { none | [rule_name ... ] }
security-nat-policy {
policy [ [policy_name] | none]
use-device-policy [no | yes]
use-route-domain-policy [no | yes]
}
serverssl-use-sni [ enabled | disabled ]
service-down-immediate-action [none | drop | reset]
service-policy [ [policy_name] | none ]
snat [automap | none] DEPRECATED - see source-address-translation
snatpool [snatpool_name] DEPRECATED - see source-address-translation
source { [ipv4[/prefixlen]] | [ipv6[/prefixlen]] }
source-address-translation {
options:
pool [ [pool_name] | none]
type [ automap | lsn | snat | none ]
}
source-port [change | preserve | preserve-strict]
traffic-classes [add | delete | replace-all-with] {
[traffic_class_name ...]
}
traffic-classes [default | none]
translate-address [enabled | disabled]
translate-port [enabled | disabled]
transparent-nexthop [vlan_name]
vlans [add | delete | replace-all-with] {
[vlan_name ... ]
}
vlans [default | none]
vlans-disabled
vlans-enabled
metadata [add | delete | modify] {
[metadata_name ... ] {
value [ "value content" ]
persist [ true | false ]
}
}
reset-stats virtual [ [ [name] | [glob] | [regex] ] ... ]
fw-enforced-policy-rules { [rule name] }
fw-staged-policy-rules { [rule name] }
security-nat-rules { [rule name] }
profiles { [profile name] }
options:
fw-context-stat
ip-intelligence-categories
port-misuse
DISPLAY
list virtual
list virtual [ [ [name] | [glob] | [regex] ] ...]
show running-config virtual
show running-config virtual [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show virtual
show virtual [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties (default | exa | gig | kil | meg | peta | raw | tera |
yotta | zetta)
detail
field-fmt
fw-context-stat
ip-intelligence-categories
port-misuse
mv virtual [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
options:
to-folder
DELETE
delete virtual [name]
DESCRIPTION
You can use the virtual component to create, delete, modify the properties of, and display information about
virtual servers. Virtual servers are externally visible IP addresses that receive client requests. Rather than
sending the requests directly to the destination IP address specified in the packet header, a virtual server
sends the requests to any of several content servers that make up a load balancing pool. Virtual servers also
apply various behavioral settings to multiple traffic types, enable persistence for multiple traffic types, and
direct traffic according to user-written iRules(r).
Note: After you configure a Global Traffic Manager listener, when you use the tab completion feature within
the ltm module, the listener displays as one of the virtual servers in the Configuration Items section.
EXAMPLES
create virtual myV2 { destination 11.11.11.12:any persist replace-all-with { source_addr } pool myPool }
Creates a virtual server named myV2, which uses the source address persistence method.
modify virtual vs_fl4_http4 profiles replace-all-with { profile-udp }
Replaces the profile associated with the virtual server vs_fl4_http4.
Note: To replace the profile associated with a virtual server, you must enclose the name of the new profile in
curly brackets.
delete virtual myV4 myV5 myV6
Deletes the virtual servers named myV4, myV5, and myV6.
show virtual myV4
Displays statistics and status for the virtual named myV4.
show virtual myV4 all-properties
Displays statistics and status for the virtual named myV4.
Note: If the system includes Packet Velocity(r) ASIC (PVA) and PVA Assist capabilities, this command displays
status and statistics for that feature.
mv /ltm virtual /Common/my_vip to-folder /Common/some_folder
Moves a virtual server named my_vip to the folder named some_folder, where some_folder has already been
created under /Common.
Note: You cannot move a virtual server that is associated with CGNAT configuration items, such as LSN pools.
OPTIONS
all Specifies that you want to modify all of the existing components of the specified type.
address-status
Specifies whether the virtual will contribute to the operational status of the associated
virtual-address. The default value is 'yes'.
app-service
Specifies the name of the application service to which the virtual server belongs. The default value is
none. Note: If the strict-updates option is enabled on the application service that owns the object, you
cannot modify or delete the virtual server. Only the application service can modify or delete the virtual
server.
auth Specifies a list of authentication profile names, separated by spaces, that the virtual server uses to
manage authentication.
auto-discovery
Enable or disable security protected objects (virtual server) auto discovery functionality. The default
value is disabled.
clone-pools
Specifies a pool or list of pools that the virtual server uses to replicate either client or server
traffic. You must specify a value of either clientside or serverside for the context option for each
clone pool. Typically, this option is used for intrusion detection.
cmp-enabled
Enables or disables clustered multi-processor (CMP) acceleration. This feature applies to certain
platforms only. The default value is yes.
connection-limit
Specifies the maximum number of concurrent connections you want to allow for the virtual server. The
default value of 0 (zero) allows for an unlimited number of concurrent connections.
context
Specifies that the pool is either a clientside or serverside clone pool.
Note: Because validation occurs outside of TMSH, you will receive an error when you modify the context
for profiles in a virtual server.
dhcp-relay
Specifies a virtual server that relays all received DHCP requests to all pool members. If there is no
pool, the received requests are dropped. If you specify the dhcp-relay option, you cannot use the
ip-forward, l2-forward, or reject options.
description
User defined description.
destination
Specifies the name of the virtual address and service on which the virtual server listens for
connections.
The format for "ipv4" is a.b.c.d[:port]. The format for an "ipv6" address is a:b:c:d:e:f:g:h[.port].
The default value is any:any.
(enabled | disabled)
Specifies the state of the virtual server. The default value is enabled.
Note: When you disable a virtual server, the virtual server no longer accepts new connection requests.
However, it allows current connections to finish processing before going to a down state.
eviction-protected
Enables or disables protection for the virtual server from the aggressive sweeper. The default is
disabled.
fallback-persistence
Specifies a fallback persistence profile for the virtual server to use when the default persistence
profile is not available. The default value is none.
flow-eviction-policy
Specifies a flow eviction policy for the virtual server to use, to select which flows to terminate when
the number of connections approaches the connection limit on the virtual server. The default value is
none.
fw-enforced-policy
Specifies an enforced firewall policy. fw-enforced-policy rules are enforced on a virtual server.
fw-enforced-policy-rules
Specifies firewall rules enforced on ltm virtual via referenced fw-enforced-policy.
fw-staged-policy
Specifies a staged firewall policy. fw-staged-policy rules are not enforced, but all the visibility
aspects (statistics, reporting, and logging) function as if the fw-staged-policy rules were enforced
on a virtual server.
fw-staged-policy-rules
Specifies firewall rules staged on ltm virtual via referenced fw-staged-policy.
security-nat-rules
Specifies security nat rules associated with ltm virtual via referenced security-nat-policy.
glob Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
gtm-score
Specifies a score that is associated with the virtual server. Global Traffic Manager (GTM) can rely on
this value to load balance traffic in a proportional manner.
traffic-acceleration-status
Displays the current traffic-acceleration status. The virtual server is considered traffic-acceleration-
dedicated if it uses a traffic-acceleration profile.
ip-forward
Specifies a virtual server that has no pool members to load balance, but instead forwards the packet
directly to the destination IP address specified in the client request. If you specify the ip-forward
option, you cannot use the l2-forward or reject options. The destination, mask, translate-address,
translate-port, vlans, vlans-disabled and vlans-enabled attributes are set by the system; any attempt to
change them will have no effect.
ip-protocol
Specifies the IP protocol for which you want the virtual server to direct traffic. Sample protocol names
are TCP and UDP. The default value is any.
Note: You do not use this setting when creating an HTTP class virtual server.
internal
Specifies an internal virtual server that handles requests for a parent virtual server, such as content
adaptation. Internal virtual servers do not receive external connections; instead, they are specified by
name by profiles in the parent virtual server (see ltm profile request-adapt and ltm profile
response-adapt). Since internal virtual servers do not listen for external connections, not all attributes
are used for internal virtual servers. The destination, mask, translate-address, translate-port, vlans,
vlans-disabled and vlans-enabled attributes are set by the system; any attempt to change them will have
no effect.
l2-forward
Specifies a virtual server that shares the same IP address as a node in an associated VLAN. You create
this type of virtual server when you want to create a VLAN group. If you specify the l2-forward option,
you cannot use the ip-forward or reject options.
last-hop-pool
Specifies the name of the last hop pool that you want the virtual server to use to direct reply traffic
to the last hop router. The default value is none.
mask Specifies the netmask for a network virtual server only. This setting is required for a network virtual
server.
The netmask clarifies whether the host bit is an actual zero or a wildcard representation. The default
value is 255.255.255.255 for IPv4 or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff for IPv6.
mirror
Enables or disables mirroring. You can use mirroring to maintain the same state information in the
standby unit that is in the active unit, allowing transactions such as FTP file transfers to continue as
though uninterrupted. The default value is none.
mobile-app-tunnel
Deprecated since v13.1.0.
name Specifies a unique name for the component. This option is required for the commands create, delete, and
modify.
nat64
Enables or disables NAT64. The default value is disabled. NAT64 is a service that automatically translates
IPv6 traffic into IPv4.
partition
Displays the name of the administrative partition within which the virtual server resides.
per-flow-request-access-policy
Specifies the name of the per-request access policy to be used with the virtual server. The default value
is none.
persist
Specifies a list of profiles separated by spaces that the virtual server uses to manage connection
persistence. The default value is none.
To enable persistence, typically you specify a single profile. However, you can specify multiple profiles
in conjunction with iRules(r) that define a persistence strategy based on incoming traffic. In the case
of multiple profiles, the default option specifies which profile you want the virtual server to use if an
iRule does not specify a persistence method. When you specify multiple profiles, the default value of the
default property is no. You can set the value of the default property to yes for only one of the
profiles.
policies
Manage LTM Policies applied to the virtual server. LTM Policies define a set of conditions and actions
that can be used to inspect, modify, direct traffic, and enable/disable features on the fly, similar to
iRules. LTM Policies do not require programming. See also ltm policy.
pool Specifies a default pool to which you want the virtual server to automatically direct traffic. The
default value is none.
port-misuse
Used to show or reset port misuse policy statistics for the virtual server.
fw-context-stat
Used to show or reset firewall statistics for the virtual server.
profiles
Specifies a list of profiles for the virtual server to use to direct and manage traffic. The default
value is fastL4.
rate-class
Specifies the name of an existing rate class that you want the virtual server to use to enforce a
throughput policy for incoming network traffic. The default value is none.
rate-limit
Specifies the maximum number of connections per second allowed for a virtual server. The default value is
'disabled'.
rate-limit-mode
Indicates whether the rate limit is applied per virtual object, per source address, per destination
address, or some combination thereof. The default value is 'object', which does not use the source or
destination address as part of the key.
rate-limit-dst-mask
Specifies a mask, in bits, to be applied to the destination address as part of the rate limiting. The
default value is '0', which is equivalent to using the entire address - '32' in IPv4, or '128' in IPv6.
rate-limit-src-mask
Specifies a mask, in bits, to be applied to the source address as part of the rate limiting. The default
value is '0', which is equivalent to using the entire address - '32' in IPv4, or '128' in IPv6.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at
sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
a description of regular expression syntax.
related-rules
Specifies a list of iRules, separated by spaces, that customize the behavior of secondary channels (for
instance the data channel on FTP) opened on behalf of the virtual server. The default value is none.
reject
Specifies that the BIG-IP(r) system rejects any traffic destined for the virtual server IP address. If
you specify the reject option, you cannot use the ip-forward or l2-forward options.
rules
Specifies a list of iRules, separated by spaces, that customize the virtual server to direct and manage
traffic. The default value is none.
security-nat-policy
Configures the following options to specify which Security NAT Policy is to be used to match the incoming
traffic and perform source/destination translation (address/port) using the first-match rule criteria:
policy
Specifies the name of the Security NAT Policy to be used (see security nat policy).
use-route-domain-policy
Specifies whether to use the virtual server's route domain context's Security NAT policy. If
enabled AND the virtual server does not have a NAT policy configured, route domain's security NAT
policy is used.
use-device-policy
Specifies whether to use the security device context NAT policy (see security device-context). If
enabled AND both virtual server as well as route domain do not have a NAT policy configured, NAT
policy configured at security device (a.k.a global) level is used.
serverssl-use-sni
When multiple server-ssl profiles are attached to a virtual server, enabling this option allows one to be
chosen based on the SNI extension from the ClientHello, if a client-ssl profile is also attached to the
virtual server.
service-down-immediate-action
Specifies the immediate action the BIG-IP system should respond with upon the receipt of the initial
client's SYN packet if the availability status of the virtual server is Offline or Unavailable. This is
supported for the virtual server of Standard type and TCP protocol. The default value is none.
service-policy
Specifies a service policy for the virtual server. If set, it will enforce the service policy for
incoming network traffic. The service policy can be used to validate if incoming traffic conforms to a
set of application protocols.
snat Specifies whether SNAT automap is enabled for the virtual server. The default value is none. This
attribute is DEPRECATED. Use source-address-translation { type ( automap / none ) }.
snatpool
Specifies the name of an existing SNAT pool that you want the virtual server to use to implement
selective and intelligent SNATs. This attribute is DEPRECATED. Use source-address-translation { type
snat pool pool_name }.
source
Specifies an IP address or network from which the virtual server will accept traffic.
The format for an "ipv4" address is a.b.c.d[/prefixlen]. The format for an "ipv6" address is
a:b:c:d:e:f:g:h[/prefixlen].
source-address-translation
Specifies the type of source address translation enabled for the virtual server as well as the pool that
the source address translation will use.
pool Specifies the name of a LSN or SNAT pool used by the specified virtual server.
type Specifies the type of source address translation associated with the specified virtual server.
The options are:
automap
Specifies the use of self IP addresses for virtual server source address translation.
lsn Specifies the use of a LSN pool of translation addresses for virtual server source address
translation.
none Specifies no source address translation to be used by the virtual server.
snat Specifies the use of a SNAT pool of translation addresses for virtual server source address
translation.
source-port
Specifies whether the system preserves the source port of the connection. The default value is preserve.
The options are:
change
Obfuscates internal network addresses.
preserve
Preserves the source port of the connection.
preserve-strict
Use this value only for UDP under very special circumstances, such as nPath or transparent (that is,
no translation of any other L3/L4 field), where there is a 1:1 relationship between virtual IP
addresses and node addresses, or when clustered multi-processing (CMP) is disabled.
traffic-classes
Specifies a list of traffic classes that are associated with the virtual server. The default value is
none.
translate-address
Enables or disables address translation for the virtual server. Disable address translation for a virtual
server if you want to use the virtual server to load balance connections to any address. This option is
useful when the system is load balancing devices that have the same IP address. The default value is
disabled.
translate-port
Enables or disables port translation. Disable port translation for a virtual server, if you want to use
the virtual server to load balance connections to any service. The default value is disabled.
transparent-nexthop
Specifies the egress interface for traffic and enables layer 2 (MAC) address preservation. Layer 2
address preservation disables layer 3 (IP/IPv6) address translation.
vlans
Specifies a list of VLANs on which the virtual server is either enabled or disabled. The default value is
none. The options vlans-disabled and vlans-enabled indicate whether the virtual server is disabled or
enabled on the list of specified VLANs.
vlans-disabled
Disables the virtual server on the VLANs specified in the vlans option. This is the default setting.
vlans-enabled
Enables the virtual server on the VLANs specified in the vlans option.
vs-index
Displays a unique index assigned to this virtual server.
metadata
Associates user-defined data with the virtual server. Each item has a name and value pair and a persist
setting. Persistent (the default) means the data is saved to the configuration file.
ip-intelligence-categories
Used to show or reset statistics on IP intelligence white list and black list categories.
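The following is an added example, not part of the F5 manual: a small Python audit that parses virtual server stanzas and flags exposure-related settings using the defaults documented under OPTIONS (source, connection-limit, rate-limit, fw-enforced-policy versus fw-staged-policy, vlans, ip-forward). The stanza layout of the sample, the names vs_open, vs_web, fw_pol_a and dmz, and the review policy itself are assumptions made for illustration.

```python
import re
# Constructed sample in the stanza layout assumed for "list ltm virtual" (not real output).
SAMPLE = """\
ltm virtual vs_open {
    destination 0.0.0.0:any
    fw-staged-policy fw_pol_a
    ip-forward
    source 0.0.0.0/0
    vlans-disabled
}
ltm virtual vs_web {
    connection-limit 5000
    destination 10.0.0.10:https
    fw-enforced-policy fw_pol_a
    rate-limit 200
    source 10.0.0.0/8
    vlans {
        dmz
    }
    vlans-enabled
}
"""

def parse_virtuals(text):
    """Return {name: {option: value}} for every 'ltm virtual' stanza in text."""
    virtuals, current, block, depth = {}, None, None, 0
    for line in filter(None, map(str.strip, text.splitlines())):
        if depth == 0:
            head = re.fullmatch(r"ltm virtual (\S+) \{", line)
            if head:
                current = virtuals.setdefault(head.group(1), {})
                depth = 1
            continue
        if depth == 1 and line != "}":
            key, _, value = line.partition(" ")
            if value.endswith("{"):          # nested list, e.g. "vlans {"
                block = current.setdefault(key, [])
            else:                            # bare flags (ip-forward) become True
                current[key] = value or True
        elif depth == 2 and line != "}":
            block.append(line.split()[0])    # member name (VLAN, profile, ...)
        depth += line.count("{") - line.count("}")
    return virtuals

def audit(v):
    """Findings for one virtual server. Assumption: an absent source means 0.0.0.0/0."""
    out = []
    if v.get("source", "0.0.0.0/0") in ("0.0.0.0/0", "::/0"):
        out.append("source: accepts traffic from any address")
    if int(v.get("connection-limit", 0)) == 0:
        out.append("connection-limit: 0 allows unlimited concurrent connections")
    if v.get("rate-limit", "disabled") == "disabled":
        out.append("rate-limit: connections per second are not limited")
    if v.get("fw-enforced-policy", "none") == "none":
        out.append(f"firewall: no enforced policy (staged: {v.get('fw-staged-policy', 'none')})")
    if not v.get("vlans") and "vlans-enabled" not in v:
        out.append("vlans: not restricted to specific VLANs")
    if "ip-forward" in v:
        out.append("ip-forward: packets go straight to the requested destination IP")
    return out

for name, v in parse_virtuals(SAMPLE).items():
    print(name, audit(v) or "OK")
```

A staged-only policy is reported together with the missing enforced policy because, as described under fw-staged-policy, staged rules are logged and counted but do not block traffic.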
SEE ALSO
create, delete, edit, glob, list, ltm persistence, ltm pool, modify, mv, security nat policy,
net service-policy, net vlan, net vlan-group, security firewall schedule, security firewall rule-list, regex,
reset-stats, rule, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2014, 2016. All rights reserved.
BIG-IP 2019-06-19 ltm virtual(1)