F5 - Configuring BIG-IP LTM v11 - Instructor


Configuring BIG-IP LTM v11

12/19/2011 Uploaded by Foucss


2

Introductions

Instructor:
– Name:
– Experience:
Students:
– Name:
– Company:
– Job Title:
– Network Experience:
– Industry Experience:
– F5 Product Exposure:

© F5 Networks, Inc.
3

Classroom Facilities

• Emergencies
• Class Roster/Sign In
• Cell phones, email and internet use
• Breaks and lunch
• Punctuality

• Side conversations

• Food and beverages


• Parking
• Restrooms
• Smoking
© F5 Networks, Inc.
4

Product Offerings

• BIG-IP Product Family (Application Delivery Controller)

• ARX Series (File Virtualization)

• Enterprise Manager (F5 Device Management)

© F5 Networks, Inc.
5

BIG-IP Traffic Management Operating System (TMOS)

TMOS Overview

(Figure: Full Application Proxy. On the client side the client completes a TCP handshake (Syn, Syn/Ack, Ack) with BIG-IP under the client-side TCP profile and sends its client data; on the server side BIG-IP opens a separate TCP handshake to the server (node) under the server-side profile, forwards the client data and relays the server response.)
© F5 Networks, Inc.
6

BIG-IP Local Traffic Manager

Local Load Balancing

• Load balance traffic


• Monitor server status
• iRules

LTM

© F5 Networks, Inc.
7

BIG-IP GTM

Wide Area Load Balancing
• Resolve DNS Queries to Best Answer
• Monitor Server Status
• Example: Resolve www.f5.com

(Figure: two clients ask "www.f5.com = ?"; GTM answers each with the best address from the company data centers and servers at 207.46.134.222, 65.197.145.183 and 143.166.83.200.)
© F5 Networks, Inc.


8

BIG-IP Access Policy Manager (APM)

(Figure: remote, mobile and local clients reach e-mail, web, application, file and terminal servers through APM, which checks each access against an authentication server.)

Access Manager
• Authentication servers
• Client Machine

Policy Manager
• Which resources
© F5 Networks, Inc.
9

BIG-IP Application Security Manager

• Positive and Negative Security Logic
• Application Learning
• Attack Signatures
• Deployment Wizard
• Policy Builder
• XML and JSON Support
• Full Reporting

(Figure: traffic from 207.17.117.25 to 192.168.10.1 passes through a Virtual Server on ASM.)

© F5 Networks, Inc.
10

BIG-IP Link Controller

Link Load Balancing
• Outbound Links
• Inbound Links
• Load Balance Servers

(Figure: Link Controller connected to ISP #1 and ISP #2.)

© F5 Networks, Inc.
11

BIG-IP WAN Optimization Manager (WOM) and WebAccelerator (WA)

(Figure: a Primary Data Center and a Remote Data Center, each with a BIG-IP running Local Traffic Manager + WAN Optimization Manager and its own clients, connected across the Internet or a WAN.)

• Cache closer to client (WA)
• TCP profiles reduce packet loss and latency (LTM)
• Data deduplication (WOM)
• Compression when sending data (WOM)
• Increase TCP connections for faster content delivery (WA)
© F5 Networks, Inc.
12

BIG-IP Edge Gateway

• BIG-IP Edge Gateway includes:


• Application Security Manager
• WAN Optimization Manager
• WebAccelerator Module (WAM)

© F5 Networks, Inc.
13

Adaptive Resource Switch (ARX)

Decouples logical access from physical file locations

• Data Migration
• Storage Tiering
• Load Balancing
• Data Replication

© F5 Networks, Inc.
14

ARX Cloud Extender (CE)

• Cloud storage tier for file data
• Communicates with native cloud protocols
• Requires ARX ownership/purchase, not sold stand-alone

(Figure: users and applications access an ARX, which fronts local file storage and, through a Windows Server running ARX CE, a private cloud or a cloud storage provider.)
© F5 Networks, Inc.
15

F5 Data Manager (DM)

• Software platform for data management services
• Creates file system inventories and reports
• Monitors storage usage
• Provides statistics and trend reports
• Assists deployment with script creation

© F5 Networks, Inc.
16

Enterprise Manager (EM)

(Figure: Enterprise Manager centrally managing GTM, LTM, ASM, Edge Gateway, WebAccelerator, Link Controller and WOM devices.)

Centralized Management
• Device Inventory
• Software Installs
• Configuration Backup
• ASM Policy Sync and Attack Signatures
• SSL Certificate Monitoring
• Performance Monitoring
• Enable/Disable Objects
© F5 Networks, Inc.
17

BIG-IP Platforms

(Figure: platforms plotted by Price against Function / Performance and grouped as Chassis, Switch, Appliance and Virtual Edition.)

• VIPRION 4400 – 4200 Blades (4x), 2x Quad core CPU
• VIPRION 2400 – 2100 Blades (4x), Quad core CPU
• BIG-IP 11000 – 2x Hex core CPU
• BIG-IP 8900 – 2x Quad core CPU
• BIG-IP 6900 – 2x Dual core CPU
• BIG-IP 3900 – Quad core CPU
• BIG-IP 3600 – Dual core CPU
• BIG-IP 1600 – Dual core CPU
• Virtual Edition – Production and Lab
© F5 Networks, Inc.
18

ARX Series

(Figure: ARX models plotted by Price against Scale / Performance, from Workgroup through Departmental to Enterprise: ARX VE, ARX1500, ARX2000, ARX2500 and ARX4000, with Data Manager and ARX Cloud Extender alongside.)
© F5 Networks, Inc.
19

Virtual Edition (VE)


• LTM VE
• GTM VE

• ASM VE

• APM VE

• WAM VE

• WOM VE

• ARX VE

• FirePass VE

• EM VE

© F5 Networks, Inc.
20

F5 Services

• Getting Started
• Technical Support Services
• Professional Services
• Global Training Services

© F5 Networks, Inc.
21

F5 University

• Essentials
• What’s New
• Technology Overview

© F5 Networks, Inc.
22

AskF5 Knowledge Base

• Release notes

• Product manuals

• Known solutions

• Hotfix information

• Downloads

• EOL products

• Upgrades

© F5 Networks, Inc.
23

DevCentral
http://devcentral.f5.com/
• F5 blogs, Wiki, podcasts, tutorials, discussion forums

• Tech tips, code sharing, developer resources, daily news

• Participation in DevCentral is free, but requires registration

© F5 Networks, Inc.
24

iHealth

• Diagnostics

• Health Viewer

• qkview files

© F5 Networks, Inc.
25

Course Outline
1. Installation
2. Load Balancing
3. Health Monitors
4. Profiles Day 1
5. Persistence
6. Processing SSL Traffic
7. Lab Project 1
8. NATs and SNATs
9. iRules Day 2
10. High Availability
11. High Availability Part 2
© F5 Networks, Inc.
26

Course Outline
12. Command Line – tmsh
13. Administration
14. Administration part 2 Day 3
15. Profiles part 2
16. iApps
17. Virtual Servers part 2
18. SNATs part 2
19. Monitors part 2
Day 4
20. Persistence part 2
21. iRules part 2
22. Lab Project 2
© F5 Networks, Inc.
27

Module 1 - Installation

Clients

Internet

BIG-IP
LTMs

Servers

© F5 Networks, Inc.
28

Module 1 - Outline

• MGMT IP Address

• Setup Utility
• Licensing
• Provisioning
• Standard Network Config

• Install Lab

• BIG-IP Platforms

• AskF5

• SCCP / AOM Lab

© F5 Networks, Inc.
29

BIG-IP Chassis Front (3600)

• Tri-Speed Ethernet Ports
• Auto Sensing
• Numbering: Top to Bottom, Left to Right
• 2 Gigabit SFP Ports
• Management (MGMT) Port is eth0

(Figure: front of the 3600 showing the MGMT port, console port, USB, failover port, fan, tri-speed Ethernet ports, Gigabit SFP ports, LCD panel and controls.)


© F5 Networks, Inc.
30

config Utility
Initial IP Address is 192.168.1.245

© F5 Networks, Inc.
31

BIG-IP Setup Utility

• Licensing

• Provisioning

• Root & Admin passwords

• Standard Network Config


• IP Addresses
• VLAN Interfaces
• Redundancy
• Config Sync
• Mirroring

© F5 Networks, Inc.
32

License Process – Automated

(Figure: the BIG-IP, the administrator's PC and the F5 License Server at activate.f5.com, reached across the Internet.)

License the system:
• Activate to Begin
• Enter Registration Key
• Select Parameters
• Get License from F5
• Run Setup Utility
• Reboot

© F5 Networks, Inc.
33

License Process – Manual

(Figure: the BIG-IP and a PC on an isolated network; the PC is moved to the Internet to reach the F5 License Server at activate.f5.com.)

License the system:
• Select “Manual”
• Copy Dossier Locally
• Move PC to Internet
• Send Dossier to License Server
• Get License from F5
• Copy License to BIG-IP System
• Run Setup Utility
• Reboot

© F5 Networks, Inc.
34

Provisioning
• Manage Resources by Module
• LTM usually provisioned

© F5 Networks, Inc.
35

Management Port & User Admin

https://<Management IP Address>

© F5 Networks, Inc.
36

Standard Network Config

© F5 Networks, Inc.
37

Setup Utility – High Availability

© F5 Networks, Inc.
38

Web Configuration Utility

For LTM

© F5 Networks, Inc.
39

Setup / Configuration Access

Two Interfaces:

• Web Interface
• HTTPS (remote)
• Command Line
• SSH (remote)
• Management Port
• Self-IPs
• SCCP / AOM
• Serial Terminal

© F5 Networks, Inc.
40

BIG-IP Backup Process

• Stores Configuration
• UCS files: User Configuration Set
• UCS files include license

© F5 Networks, Inc.
41

Installation Labs – Physical Machines   Pages 1-9 to 1-19

Config Utility:
1. MGMT IP - 192.168.X.31
Setup Utility:
1. https://192.168.X.31
2. Activate License & Provision LTM
3. Passwords – rootX, adminX
4. Network Failover
5. Internal VLAN 172.16.X.31 & 33
6. External VLAN 10.10.X.31 & 33
7. HA VLAN select Internal

Test Access & Backup:
1. https://10.10.X.31
2. ssh to 10.10.X.31
3. Create TrainX_base.ucs

(Figure: lab network. MGMT 192.168.X.31 on the Internet side; External VLAN self IP 10.10.X.31 with Floating 10.10.X.33; Internal VLAN self IP 172.16.X.31 with Floating 172.16.X.33; servers 172.16.20.1, 172.16.20.2 and 172.16.20.3 on the internal side.)
© F5 Networks, Inc.
42

Installation Labs – Remote to London   Pages 1-9 to 1-19

Config Utility:
1. MGMT IP - 192.168.X.31
2. Get License files from: 192.168.253.1
Setup Utility:
1. https://192.168.X.31
2. Activate License & Provision LTM
3. Passwords – rootX, adminX
4. Network Failover
5. Internal VLAN 172.16.X.31 & 33
6. External VLAN 10.10.X.31 & 33
7. HA VLAN select Internal
Test Access & Backup:
1. https://10.10.X.31
2. ssh to 10.10.X.31
3. Create TrainX_base.ucs

(Figure: same lab network as the physical-machine lab: MGMT 192.168.X.31; External 10.10.X.31 with Floating 10.10.X.33; Internal 172.16.X.31 with Floating 172.16.X.33; servers 172.16.20.1, 172.16.20.2 and 172.16.20.3.)
© F5 Networks, Inc.
43

BIG-IP Hardware Platforms

• 11000 (3U) Series
– 2X hex core CPUs, 32 G Ram, 10X 10Gig ports, Dual Power
• 8900 (2U) Series
– 2X quad core CPUs, 16 G Ram, 16X ports, 2X10Gig, Dual Power
• 6900 (2U) & 3900 (1U) Series
– 4 core CPUs, 8G Ram, 8-16 ports
• 3600 (1U) & 1600 (1U) Series
– 2 core CPUs, 4G Ram, 4-8 ports

• Integrated SSL Acceleration
• LCD panel control interface
• For current info -> http://www.f5.com

(Figure: photographs of the 8900 and the 1600.)

© F5 Networks, Inc.
44

3600 platform inside

All one board:
A. Processor
B. SSL chip
C. AOM
D. 8G CF card

© F5 Networks, Inc.
45

BIG-IP VIPRION

• Viprion 4400 (7U) Chassis
– 4X Power Supplies
• Viprion 4200 Blades
– 2X quad core CPUs, 16 G Ram, 8X 1Gig and 12X10Gig ports
• Viprion 2400 (4U) Chassis
– 2X Power Supplies
• Viprion 2100 Blades
– 1X quad core CPUs, 16 G Ram, 8X10Gig ports

© F5 Networks, Inc.
46

Add-on Hardware
Orderable
• Redundant Power Supply
• FIPS SSL Accelerator card
• Small Form Pluggable (SFP)
• RAM

Customer Replaceable
• Power Supply
• Fan Chassis
• RAID disk on some platforms
© F5 Networks, Inc.
47

BIG-IP Software versions

Hardware / Software              | V10.x | V11.x
VIPRION 4400                     | Y     | Y
VIPRION 2400                     | V10.2 | Y
8900, 6900, 3900, 3600, 1600     | Y     | Y
11000                            | V10.2 | Y
3400, 1500                       | Y     | No

LTM, GTM, LC, ASM, WAM           | Y     | Y
APM, WOM, EGW, LTM VE            | V10.1 | Y
VE for GTM, ASM, APM, WOM        | N     | Y
© F5 Networks, Inc.
48

SCCP and AOM

(Figure: the Lights out Management subsystem (SCCP or AOM) is a separate Linux system beside TMM; TMM is BIG-IP.)

Lights out Management – Separate Linux System
• SCCP (previous platforms): 1500, 3400, 6400 & 8800
• AOM (new platforms): 1600, 3600, 6900 & 8900

© F5 Networks, Inc.
49

SCCP and AOM Network config

• Keystroke to Access – Esc ( (press Esc, then Shift-9)
• Set IP Address (Serial Console)

© F5 Networks, Inc.
50

Working with F5 Support

• Case Creation via the support web portal


• Telephone
• Web Portal at Ask F5

• Information Needed
• System Serial Number
• Problem Description and Impact
• Contact Information
• Product Documentation

• See Solutions 135 and 2486

© F5 Networks, Inc.
51

Ask F5 – http://tech.f5.com

© F5 Networks, Inc.
52

Ask F5 – SOL135

© F5 Networks, Inc.
53

Product Specific Information

• tech.out file (qkview)

• Log files

• Packet traces (tcpdump)

• UCS archive

• Core files

© F5 Networks, Inc.
54

Optional: AOM Lab   Page 1-23

Add IP Address:
1. Keystroke – Esc ( (Esc, then Shift-9)
2. Serial console option N
3. Configure 192.168.X.35
4. ssh to 192.168.X.35
Reboot from AOM:
1. Reboot for license
2. Note: Connection not lost
AskF5:
1. Read several Solutions

(Figure: the host MGMT IP 192.168.X.31 (TMM) and the AOM IP 192.168.X.35.)

© F5 Networks, Inc.
55

Module 2 – Load Balancing

(Figure: requests from the Internet distributed across pool members 1 to 8.)
© F5 Networks, Inc.
56

Module 2 – Outline

• Virtual Servers, Members & Nodes


• Configuring Virtual Servers & Pools
• Virtual Server & Pool Lab

• Network Map

• Load Balancing Modes

• Configuring Load Balancing


• Load Balancing Labs

© F5 Networks, Inc.
57

Pools, Members and Nodes

(Figure: three pool members 172.16.20.1:80, 172.16.20.2:80 and 172.16.20.3:80.)

Node = IP address
Pool Member = Node + Port
Pool = Group of pool members


© F5 Networks, Inc.
58

Virtual Server

(Figure: the Internet reaches the Virtual Server 216.34.94.17:80, which fronts the Pool Members.)

• IP Address + Service (Port) Combination, e.g. 216.34.94.17:80
• “Listens” for and manages traffic
• Normally Associated with a Pool

© F5 Networks, Inc.
59

Virtual Server to Pool Members

(Figure: the Virtual Server 216.34.94.17:80 maps to the Pool Members.)

© F5 Networks, Inc.
60

Virtual Server - Address Translation

(Figure: the Virtual Server 216.34.94.17:80 performs Network Address Translation to the Pool Members.)

Actual Server Addresses (Pool Members):
172.16.20.2:4002
172.16.20.4:8080
172.16.20.1:80
172.16.20.3:80

© F5 Networks, Inc.
61

Network Flow - Packet #1

(Figure: the client on the Internet looks up www.f5.com; the DNS Server resolves www.f5.com to the BIG-IP LTM Virtual Server Address 216.34.94.17, i.e. the Virtual Server 216.34.94.17:80.)

© F5 Networks, Inc.
62

Network Flow - Packet #1

Client 207.17.117.20 on the Internet sends:
Packet # 1 – Src 207.17.117.20:4003, Dest 216.34.94.17:80

LTM translates the Dest Address to a Node based on Load Balancing and forwards:
Packet # 1 – Src 207.17.117.20:4003, Dest 172.16.20.1:80

© F5 Networks, Inc.
63

Network Flow – Packet #1 Return

Server side (from the node):
Packet # 1 - return – Dest 207.17.117.20:4003, Src 172.16.20.1:80

LTM translates the Src Address back to the Virtual Server Address, so the client sees:
Packet # 1 - return – Dest 207.17.117.20:4003, Src 216.34.94.17:80

© F5 Networks, Inc.
64

Network Flow - Packet #2

Client 207.17.117.21 on the Internet sends:
Packet # 2 – Src 207.17.117.21:4003, Dest 216.34.94.17:80

LTM forwards to the load-balanced pool member:
Packet # 2 – Src 207.17.117.21:4003, Dest 172.16.20.2:4002

© F5 Networks, Inc.
65

Network Flow – Packet #2 Return

Server side (from the node):
Packet # 2 - return – Dest 207.17.117.21:4003, Src 172.16.20.2:4002

Client side (Src Address translated back to the Virtual Server):
Packet # 2 - return – Dest 207.17.117.21:4003, Src 216.34.94.17:80

© F5 Networks, Inc.
66

Network Flow - Packet #3

Client 207.17.117.25 on the Internet sends:
Packet # 3 – Src 207.17.117.25:4003, Dest 216.34.94.17:80

LTM forwards to the load-balanced pool member:
Packet # 3 – Src 207.17.117.25:4003, Dest 172.16.20.4:8080

© F5 Networks, Inc.
67

Network Flow – Packet #3 Return

Server side (from the node):
Packet # 3 - return – Dest 207.17.117.25:4003, Src 172.16.20.4:8080

Client side (Src Address translated back to the Virtual Server 216.34.94.17):
Packet # 3 - return – Dest 207.17.117.25:4003, Src 216.34.94.17:80

© F5 Networks, Inc.
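The destination and source translation traced in the Packet #1 to #3 slides, as an added Python example (not F5 code). The virtual server, pool member and client addresses are the ones on the slides; the order of the pool member list is a constructed assumption chosen so that plain round robin reproduces the three packets, and the connection table (client source address to chosen member) is the part the slides only imply: it is what lets the return packet be mapped back to the virtual server address.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src: str  # "ip:port"
    dst: str  # "ip:port"


class VirtualServer:
    """Minimal model of LTM destination/source address translation."""

    def __init__(self, address, members):
        self.address = address
        self._rr = cycle(members)  # round robin over pool members
        self.connections = {}      # client "ip:port" -> chosen pool member

    def inbound(self, pkt):
        """Client-side packet: rewrite Dest from the VS to a pool member.
        A new client connection is load balanced; an existing one keeps
        its member (connection table lookup)."""
        if pkt.dst != self.address:
            raise ValueError(f"{pkt.dst} is not this virtual server")
        member = self.connections.get(pkt.src)
        if member is None:
            member = next(self._rr)
            self.connections[pkt.src] = member
        return Packet(src=pkt.src, dst=member)

    def outbound(self, pkt):
        """Server-side return packet: rewrite Src from the member back to
        the VS address so the client never sees the internal address."""
        if self.connections.get(pkt.dst) != pkt.src:
            raise ValueError(f"no connection entry for {pkt.src} -> {pkt.dst}")
        return Packet(src=self.address, dst=pkt.dst)


VS_ADDRESS = "216.34.94.17:80"
# Pool members from the "Address Translation" slide. The order is a
# constructed assumption chosen so round robin reproduces packets #1-#3.
POOL_MEMBERS = ["172.16.20.1:80", "172.16.20.2:4002",
                "172.16.20.4:8080", "172.16.20.3:80"]
CLIENTS = ["207.17.117.20:4003", "207.17.117.21:4003", "207.17.117.25:4003"]


def run_slide_flow():
    """Replay packets #1-#3 and their returns; returns
    [(translated Dest, translated return Src), ...]."""
    vs = VirtualServer(VS_ADDRESS, POOL_MEMBERS)
    results = []
    for client in CLIENTS:
        fwd = vs.inbound(Packet(src=client, dst=VS_ADDRESS))
        ret = vs.outbound(Packet(src=fwd.dst, dst=client))
        results.append((fwd.dst, ret.src))
    return results


def second_packet_same_client():
    """A second packet on an existing connection is not re-load-balanced."""
    vs = VirtualServer(VS_ADDRESS, POOL_MEMBERS)
    first = vs.inbound(Packet(src=CLIENTS[0], dst=VS_ADDRESS))
    again = vs.inbound(Packet(src=CLIENTS[0], dst=VS_ADDRESS))
    return first.dst == again.dst


if __name__ == "__main__":
    for dest, ret_src in run_slide_flow():
        print(f"Dest -> {dest}, return Src -> {ret_src}")
```

The `outbound` check is the defensive detail worth noticing: a return packet that does not match an entry in the connection table is rejected rather than forwarded, which is the same reason a full proxy (next slide) keeps client-side and server-side connections as separate state.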
68

More than NAT – Full Proxy Architecture

(Figure: the client on the Internet completes Syn, Syn-Ack, Ack with the BIG-IP and sends Client Data; the BIG-IP completes a separate Syn, Syn-Ack, Ack with the server, which returns its Server Response.)

Separate Client and Server connections

More on this later


© F5 Networks, Inc.
69

Configuring Pools

© F5 Networks, Inc.
70

Configuring Virtual Servers


Scroll down

© F5 Networks, Inc.
71

Statistics
• Summary
• Virtual Servers
• Pools
• Nodes

© F5 Networks, Inc.
72

Logs

© F5 Networks, Inc.
73

Virtual Servers & Pools Lab   Pages 2-6 to 2-10

Pool:
1. http_pool @ 172.16.20.1-3 :80
Virtual Server:
1. vs_http - 10.10.X.100:80
2. Resource - http_pool
Test:
1. Connect to VS & Refresh
2. bigtop and Statistics
Virtual Server:
1. vs_https - 10.10.X.100:443
2. https_pool @ 172.16.20.1-3 :443
Check BIG-IP LTM Statistics:

(Figure: Internet -> 10.10.X.100 -> servers 172.16.20.1, 172.16.20.2 and 172.16.20.3.)
© F5 Networks, Inc.
74

Network Map

© F5 Networks, Inc.
75

Load Balancing Modes

Static:
• Round Robin
• Ratio

Dynamic:
• Least Connections
• Fastest
• Observed
• Predictive
• Dynamic Ratio

Failure Mechanisms:
• Priority Group Activation
• Fallback Host

© F5 Networks, Inc.
76

Round Robin

Client requests are distributed evenly.

(Figure: clients on the Internet, a Router, BIG-IP LTM and four Members; requests 1 and 5 go to member 1, 2 and 6 to member 2, 3 and 7 to member 3, 4 and 8 to member 4.)

© F5 Networks, Inc.
77

Ratio

If ratio set to 3:2:1:1:

(Figure: clients, Router, BIG-IP LTM and four Members; requests 1, 5, 7, 8, 12 and 14 go to member 1; 2, 6, 9 and 13 to member 2; 3 and 10 to member 3; 4 and 11 to member 4.)

© F5 Networks, Inc.
78

Least Connections

Next request goes to the device with the fewest open connections.

(Figure: four Members with 459, 460, 461 and 470 Current Connections; requests 1, 3 and 6 go to the first member, 2 and 5 to the second, 4 to the third.)
© F5 Networks, Inc.
79

Least Connections

Next request goes to the device with the fewest open connections.

(Figure: the same four Members; as requests 1 to 6 are assigned, the Current Connections counts climb from 459, 460, 461 and 470 to 462, 462, 462 and 470.)
© F5 Networks, Inc.
80

Least Connections

Some time later, the number of connections changes.

(Figure: Current Connections are now 421, 213, 114 and 112; requests 61, 62 and 63 go to the two members with the fewest connections.)
© F5 Networks, Inc.
81

Fastest

Next request to the member with fewest outstanding layer 7 requests.

(Figure: four Members with 10, 10, 10 and 17 outstanding requests; requests 1 to 6 go to the first three members.)

© F5 Networks, Inc.
82

Fastest

Some time later, request count changes.

(Figure: outstanding requests are now 10, 10, 7 and 7; requests 101 to 104 go to the two members with 7 outstanding requests.)

© F5 Networks, Inc.
83

Least Sessions

Next request to the member with fewest existing persistence records.

(Figure: four Members with 10, 10, 10 and 17 persistence records; requests 1 to 6 go to the first three members.)


© F5 Networks, Inc.
84

Weighted Least Connections

Next request to the member with the fewest connections as a percentage of its connection limit.

(Figure: Members labelled with the percentage of their connection limit in use, e.g. 50%, 40% and 60%.)
© F5 Networks, Inc.
85

Observed

Servers are dynamically assigned ratios based on past load. Requests are distributed based on the current ratio values.

(Figure: four Members with current ratios 2, 3, 3 and 2.)
© F5 Networks, Inc.
86

Predictive

Servers are dynamically assigned ratios based on past load. Requests are distributed based on the current ratio values.

(Figure: four Members with current ratios 1, 4, 1 and 4.)
© F5 Networks, Inc.
87

Priority Group Activation

With Priority Group Activation set to 2, and 3 of the highest priority members available, lower priority members aren’t used.

(Figure: Server Pool with members 1, 2 and 3 at Priority 10 and members 4, 5 and 6 at Priority 5; only members 1 to 3 receive traffic.)
© F5 Networks, Inc.
88

Priority Group Activation

If the number of members falls below Priority Group Activation (2), the next highest priority members are used also.

(Figure: Server Pool with members at Priority 10 and Priority 5; with fewer than 2 Priority 10 members available, requests 1 to 8 are spread across both groups.)
© F5 Networks, Inc.
89

Fallback Host (http)

If all members fail, then the client can be sent an http redirect.

(Figure: all Members unavailable; BIG-IP LTM answers the client with a redirect.)
© F5 Networks, Inc.
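Ratio load balancing and Priority Group Activation from the slides above, as an added Python example (not F5's implementation). The 3:2:1:1 Ratio sequence is reproduced exactly as drawn: each pass visits the members in order, hands a member one request per visit while it still has ratio credits left, and refills the credits when every member is spent. Priority Group Activation is the "fewer than N available" rule from the two Priority Group slides (priority 10 members 1 to 3, priority 5 members 4 to 6, activation 2). Member names and the order in which members go down are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    ratio: int = 1          # Ratio weight (static load balancing)
    priority: int = 0       # higher number = higher priority group
    available: bool = True  # as reported by the health monitors
    credits: int = field(init=False)

    def __post_init__(self):
        self.credits = self.ratio


class Pool:
    def __init__(self, members, activation=0):
        self.members = members
        self.activation = activation  # Priority Group Activation: "less than N"
        self._idx = 0                 # where the ratio scan resumes

    def active_set(self):
        """Members eligible for traffic. Start with the highest priority
        group and add the next group down while fewer than `activation`
        members are available (0 disables Priority Group Activation)."""
        avail = [m for m in self.members if m.available]
        if self.activation == 0 or not avail:
            return avail
        chosen = []
        for prio in sorted({m.priority for m in avail}, reverse=True):
            chosen += [m for m in avail if m.priority == prio]
            if len(chosen) >= self.activation:
                break
        return chosen

    def next_member(self):
        """Ratio selection over the active set: members are visited in
        order and get one request per visit while they still have credits;
        one full pass hands out ratio[i] requests to member i."""
        active = self.active_set()
        if not active:
            return None  # nothing to choose; a Fallback Host would apply here
        if all(m.credits == 0 for m in active):
            for m in active:
                m.credits = m.ratio
            self._idx = 0
        n = len(active)
        for step in range(n):
            m = active[(self._idx + step) % n]
            if m.credits > 0:
                m.credits -= 1
                self._idx = (active.index(m) + 1) % n
                return m
        return None


def ratio_sequence(n=14):
    """3:2:1:1 ratio as on the Ratio slide; returns member names in order."""
    pool = Pool([Member("m1", ratio=3), Member("m2", ratio=2),
                 Member("m3", ratio=1), Member("m4", ratio=1)])
    return [pool.next_member().name for _ in range(n)]


def priority_group_demo():
    """Six members: 1-3 at Priority 10, 4-6 at Priority 5, activation 2.
    Returns the active set with all members up, then with m1 and m2 down."""
    members = [Member(f"m{i}", priority=10 if i <= 3 else 5) for i in range(1, 7)]
    pool = Pool(members, activation=2)
    all_up = [m.name for m in pool.active_set()]
    members[0].available = False
    members[1].available = False  # only m3 remains at Priority 10: fewer than 2
    two_down = [m.name for m in pool.active_set()]
    return all_up, two_down


if __name__ == "__main__":
    print(" ".join(ratio_sequence()))
    print(priority_group_demo())
```

Requests 1, 5, 7, 8, 12 and 14 land on m1, matching the slide; the `priority_group_demo` output shows the lower priority group joining the active set only once the higher group drops below the activation count, which is what makes it a failure mechanism rather than a load balancing mode.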
90

Pool Member vs. Node

Load Balancing by:


• Pool Member
• IP Address & service
• Node
• Total services for one IP Address

© F5 Networks, Inc.
91

If using Member

If the http pool uses the Least Connections (member) load balancing method, then the next connection request goes to the member with the fewest connections.

Current Connections (three nodes, each with an http member and an ftp member):
http   107   108   99
ftp    2     3     25

© F5 Networks, Inc.
92

If using Node

If the http pool uses the Least Connections (node) load balancing method, then the next connection request goes to the node with the fewest current connections.

Current Connections (three nodes, each with an http member and an ftp member):
http   107   108   99
ftp    2     3     25

© F5 Networks, Inc.
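The member-versus-node distinction on the two slides above, as an added Python example (not F5 code). The connection counts are the ones in the slide table; the node names are constructed. `pick` makes the single decision the slides show, and `distribute` carries it forward over ten new http connections so the difference in where load ends up becomes visible.

```python
from copy import deepcopy

# Constructed from the slide table: per-node Current Connections for the
# http member and the ftp member on each of three nodes.
CURRENT_CONNECTIONS = {
    "node1": {"http": 107, "ftp": 2},
    "node2": {"http": 108, "ftp": 3},
    "node3": {"http": 99,  "ftp": 25},
}


def pick(conns, service, mode):
    """Node whose `service` member gets the next connection.
    'member': compare only this service's connections (pool member view).
    'node'  : compare every service on the node (node view).
    Ties go to the first node in table order."""
    if mode == "member":
        return min(conns, key=lambda n: conns[n][service])
    if mode == "node":
        return min(conns, key=lambda n: sum(conns[n].values()))
    raise ValueError(f"unknown mode {mode!r}")


def distribute(count, service, mode, conns=CURRENT_CONNECTIONS):
    """Assign `count` new connections for `service` one at a time,
    updating a copy of the counters, and return how many each node got."""
    conns = deepcopy(conns)
    received = {n: 0 for n in conns}
    for _ in range(count):
        node = pick(conns, service, mode)
        conns[node][service] += 1
        received[node] += 1
    return received


if __name__ == "__main__":
    for mode in ("member", "node"):
        print(mode, pick(CURRENT_CONNECTIONS, "http", mode),
              distribute(10, "http", mode))
```

In member mode the 25 ftp connections on node3 are invisible to the http pool, so node3 absorbs nearly all of the new http traffic; in node mode those ftp connections count, node3 is the busiest node and receives nothing.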
93

Configuring Load Balancing

© F5 Networks, Inc.
94

Ratio & Priority Group Activation

© F5 Networks, Inc.
95

Ratios for Member & Node

Ratio for Members

© F5 Networks, Inc.
96

100 requests distributed how?

© F5 Networks, Inc.
97

100 requests #2 distributed how?

© F5 Networks, Inc.
98

100 requests #3 distributed how?

© F5 Networks, Inc.
99

100 requests #4 distributed how?

© F5 Networks, Inc.
100

Load Balancing Labs   Pages 2-18 to 2-22

Explore Network Map
Ratio (member)
1. 172.16.20.1:80 r1 p1
2. 172.16.20.2:80 r2 p1
3. 172.16.20.3:80 r3 p1
Priority Group Activation
1. 172.16.20.1:80 r1 p1
2. 172.16.20.2:80 r2 p4
3. 172.16.20.3:80 r3 p4
Ratio (node) - (Optional)
1. 172.16.20.2 ratio = 5
Member Threshold - (Optional)
1. Set Connection limit = 1 on 172.16.20.3:80

(Figure: Internet -> 10.10.X.100 -> 172.16.20.1, 172.16.20.2 and 172.16.20.3.)
© F5 Networks, Inc.
101

Module 3 – Monitors

(Figure: BIG-IP LTM between the Internet and pool member 172.16.20.3:80.)
© F5 Networks, Inc.
102

Module 3 - Outline
• Monitor Concepts
• Configuring Monitors
• Assigning Monitors
• Status: Node, Member, Pool, Virtual Server
• Health Monitor Labs

© F5 Networks, Inc.
103

Monitor Concepts
• Address Check
• Node – IP Address
• Service Check
• IP : port
• Content Check
• IP : port plus check data returned
• Interactive Check

• Path Check
© F5 Networks, Inc.
104

Address Check

• Packets sent to IP Address
• If no response, Node unavailable
• Members Unavailable
• No Connections to Members
• Example: ICMP

(Figure: ICMP from BIG-IP to the node.)

© F5 Networks, Inc.
105

Service Check

• TCP connection opened and closed
• If connection fails, Member Unavailable
• No Connections to Member
• Example – TCP

(Figure: a TCP Connection from BIG-IP to the member.)

© F5 Networks, Inc.
106

Content Check

• TCP connection opened
• Command Sent
• Response Examined
• Connection Closed
• If connection or response fails, Member Unavailable
• No Connections to Member
• Example – HTTP

(Figure: an HTTP GET from BIG-IP to the member.)

© F5 Networks, Inc.
107

Interactive Check

• TCP connection(s) opened
• Command(s) Sent
• Response(s) Examined
• Connection(s) Closed
• If the Condition fails, Member Unavailable
• No Connections to Member
• Example – External

(Figure: a multi-step Conversation between BIG-IP and the member.)

© F5 Networks, Inc.
108

Path Check

• Two Destinations
• First Hop (device to test)
• End Point (trusted site)
• Packet through first hop to End point
• If no response, Member Unavailable
• No Connections to Member
• Example – ICMP

(Figure: BIG-IP LTM sends a packet through ISP1 or ISP2 (first hop) to www.f5.com (end point).)

© F5 Networks, Inc.
109

Configuring Monitors
• System Supplied Monitors (Templates)
• Address Checks (icmp)
• Service Checks (tcp)
• Content Checks (http)
• Interactive Checks (ftp)

• Availability:
• Templates can be Customized
• Some Must be Customized before Assignment
• Some Should be Customized before Assignment

© F5 Networks, Inc.
110

Creating Custom Monitors

© F5 Networks, Inc.
111

Example Monitor Parameters: HTTP

• Send String
• Receive String
• Receive Disable String
• Reverse
• Transparent

© F5 Networks, Inc.
112

Monitor Timers

• Frequency (Interval)
• Timeout
• Recommended: 3x + 1

© F5 Networks, Inc.
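The HTTP monitor parameters (Send String, Receive String, Receive Disable String, Reverse) and the Interval / Timeout rule of thumb from the two slides above, as an added Python example (not F5's monitor code). The probe responses are constructed; `run_timeline` applies the timeout the way the "3x + 1" recommendation intends, so that three consecutive missed probes are tolerated and the fourth marks the member down.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpMonitor:
    """Content-check monitor parameters from the HTTP monitor slide."""
    send: str = "GET / HTTP/1.0\r\n\r\n"
    receive: str = "200 OK"        # regex that must match for 'up'
    receive_disable: str = ""      # regex that marks the member 'disabled'
    reverse: bool = False          # if True, a receive match means 'down'
    interval: int = 5              # seconds between probes
    timeout: int = 16              # seconds without success before 'down'

    @staticmethod
    def recommended_timeout(interval):
        """The slide's rule of thumb: timeout = 3 x interval + 1, so three
        consecutive missed probes are tolerated before the member goes down."""
        return 3 * interval + 1

    def evaluate(self, response):
        """Verdict for one probe: 'up', 'disabled' or 'down'.
        `response` is the raw reply text, or None if nothing came back."""
        if response is None:
            return "down"
        if self.receive_disable and re.search(self.receive_disable, response):
            return "disabled"
        matched = re.search(self.receive, response) is not None
        if self.reverse:
            matched = not matched
        return "up" if matched else "down"


def run_timeline(monitor, probes):
    """Apply the timeout rule to a sequence of (time, response) probes and
    return [(time, member status), ...]. A failed probe does not mark the
    member down until `timeout` seconds have passed since the last success."""
    last_success = None
    history = []
    for now, response in probes:
        verdict = monitor.evaluate(response)
        if verdict == "up":
            last_success = now
            status = "up"
        elif verdict == "disabled":
            status = "disabled"
        elif last_success is None or now - last_success >= monitor.timeout:
            status = "down"
        else:
            status = "up"  # still inside the timeout window
        history.append((now, status))
    return history


# Constructed probe responses: one good reply, then the server stops answering.
OK_REPLY = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
SLIDE_PROBES = [(0, OK_REPLY), (5, None), (10, None), (15, None), (20, None)]


def slide_demo():
    mon = HttpMonitor(interval=5, timeout=HttpMonitor.recommended_timeout(5))
    return run_timeline(mon, SLIDE_PROBES)


if __name__ == "__main__":
    print(slide_demo())
```

With interval 5 and timeout 16 the member survives the probes at 5, 10 and 15 and goes down at 20; with a timeout shorter than 3x + 1 a single lost probe would flap the member, which is the operational reason for the recommendation.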
113

Assigning Monitors
• Default for all Nodes
• Single Node Options
• Node Default
• Node Specific
• None

• Default all Members of a Pool


• Single Pool Member Options
• Inherit from Pool
• Member Specific
• None
© F5 Networks, Inc.
114

Assigning Monitors to Nodes

“All” Nodes

Each Node

© F5 Networks, Inc.
115

Assigning Monitors to Pools

© F5 Networks, Inc.
116

Assigning Monitors to a Pool Member

© F5 Networks, Inc.
117

Member and Node Status

• Status Options
• Available – Green Circle
• Offline – Red Diamond
• Unknown – Blue Square
• Connection Limit – Yellow Triangle
• Parent-Child Relationship
• Node
• Member
• Pool
• Virtual Server

© F5 Networks, Inc.
118

Performance Dashboard
• Dashboard Statistics
• Near real-time
• Historical
• Performance
• Visually displayed
• Graphs
• Gauges
• Tables
• Health
• Alerts
• Module specific gauges
• Available for Licensed and Provisioned module
• Requires Adobe Flash Player (version 9+)
• Customized Views
© F5 Networks, Inc.
119

Performance Dashboard Screens

© F5 Networks, Inc.
120

Health Monitors Labs   Page 3-10 to 3-15

Node association:
1. Create my_icmp & associate nodes
Pool & Member association:
1. Create my_http & assign to http_pool
Pool association:
1. Create my_https & assign to https_pool
Check status in Network Map:

(Figure: Internet -> 10.10.X.100 -> 172.16.20.1, 172.16.20.2 and 172.16.20.3.)
© F5 Networks, Inc.
121

Module 4 – Profiles

(Figure: Internet -> Virtual Server on BIG-IP LTM.)

Profiles determine how Virtual Server traffic is processed on BIG-IP LTM

© F5 Networks, Inc.
122

Module 4 – Outline

• Profiles Concepts
• Profile Dependencies
• Profile Types
• Configuring Profiles

© F5 Networks, Inc.
123

Profile Concepts

• Defines Desired Traffic Behavior


• SSL Decryption
• Compression
• Persistence

• Apply Behavior to Many Virtual Servers

• Provided Templates
• Applied Directly
• Base of User-Defined Profile

© F5 Networks, Inc.
124

Profile Example: Persistence

(Figure: clients 1, 2 and 3 each return to the same member 1, 2 and 3.)

© F5 Networks, Inc.
125

Profile Example: SSL Termination

Encrypted

Decrypted

© F5 Networks, Inc.
126

Profile Example: FTP

Client Begins Control Connection
Server Begins Data Transfer Connection

© F5 Networks, Inc.
127

Profile Dependencies

Think in terms of the OSI Model
• Some dependent on others
• Some can’t be combined in one VS

(Figure: profile stack by layer: Cookie above HTTP and FTP; TCP and UDP below them; then Network, Data Link and Physical.)

© F5 Networks, Inc.
128

Profile Types

• Services – Layer 7 oriented


• Persistence – Session oriented
• Protocol – Layer 4 oriented
• SSL – Encryption oriented
• Authentication – Security oriented
• Other

© F5 Networks, Inc.
129

Profile Configuration Concepts

• Defaults Profiles
• Stored in /config/profile_base.conf
• Should Not be Modified
• Cannot be Deleted

• Custom Profiles
• Stored in /config/bigip.conf
• Created from Default Profiles
• Dynamic Child and Parent relationship

© F5 Networks, Inc.
130

Virtual Server Profiles

• Virtual Servers all have a Layer 4 Profile


• Defaults
• Standard (TCP Protocol): TCP
• Standard (UDP Protocol): UDP
• Performance (Layer 4): fastL4
• Forwarding: fastL4

© F5 Networks, Inc.
131

Configuring Profiles

© F5 Networks, Inc.
132

Configuring Profiles

• Name and Type
• Parent and Parameters
• Will inherit from Parent
• Custom (if checked) will not inherit from Parent
• Associate with a Virtual Server

© F5 Networks, Inc.
133

Configuring Profiles

• Match Across Services – All connections from any client IP going to same VIP will go to same node
• Match Across VS – All connections from the same client IP go to same node
• Match Across Pools – System can use any pool that contains this persistence record

© F5 Networks, Inc.
134

Module 5 - Persistence

(Figure: clients 1, 2 and 3 each persist to members 1, 2 and 3.)

© F5 Networks, Inc.
135

Module 5 – Outline

• Source Address Persistence


• Source Address Persist Lab

• Cookie Persistence
• Insert, Rewrite, & Passive
• Cookie Persist Lab

© F5 Networks, Inc.
136

Source Address Persistence

• Based on Client Source IP Address
• Netmask -> Address Range

(Figure: with a Netmask of 255.255.255.0, clients 205.229.151.10 and 205.229.151.107 fall in the same address range and share one persistence record, while 205.229.152.11 is in a different range; clients 1, 2 and 3 persist to members 1, 2 and 3.)
© F5 Networks, Inc.
137

Source Address Persistence

• Type: Source Address


• Parameters
• Mirroring (Mod10)
• Timeout
• Mask
• Associate with a Virtual
Server

© F5 Networks, Inc.
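Source Address persistence with the Mask and Timeout parameters from the two slides above, as an added Python example (not F5 code). The client addresses are the ones on the netmask slide and the mask / timeout values are the ones the lab uses; the member names, the member order and the hit times are constructed. The masked network is the persistence record key, which is exactly why two clients in the same /24 land on the same member.

```python
from ipaddress import IPv4Network
from itertools import cycle


class SourceAddressPersistence:
    """Persistence table keyed by the client address masked with `mask`."""

    def __init__(self, members, mask="255.255.255.255", timeout=180):
        self.mask = mask
        self.timeout = timeout        # seconds since last hit before a record expires
        self._rr = cycle(members)     # load balancing when no record applies
        self.records = {}             # masked network -> (member, last hit time)

    def record_key(self, client_ip):
        # strict=False clears the host bits: 205.229.151.107/255.255.255.0
        # becomes 205.229.151.0/24, so the whole range shares one record.
        return IPv4Network(f"{client_ip}/{self.mask}", strict=False)

    def select(self, client_ip, now):
        """Member for this client at time `now` (seconds)."""
        key = self.record_key(client_ip)
        record = self.records.get(key)
        if record is not None and now - record[1] < self.timeout:
            member = record[0]         # valid record: persist
        else:
            member = next(self._rr)    # none or expired: load balance again
        self.records[key] = (member, now)  # every hit refreshes the timeout
        return member


def slide_demo():
    """Addresses from the slide, Mask 255.255.255.0 and Timeout 15 from
    the lab. Member order m1, m2, m3 and the hit times are constructed."""
    table = SourceAddressPersistence(["m1", "m2", "m3"],
                                     mask="255.255.255.0", timeout=15)
    hits = [
        ("205.229.151.10", 0),    # new range -> load balanced to m1
        ("205.229.151.107", 5),   # same /24 -> persists to m1
        ("205.229.152.11", 6),    # different /24 -> load balanced to m2
        ("205.229.151.10", 40),   # record last refreshed at 5, expired -> m3
    ]
    return [table.select(ip, now) for ip, now in hits]


if __name__ == "__main__":
    print(slide_demo())
```

A wider mask makes more clients share one record, which is the trade-off the netmask slide illustrates: it keeps address ranges behind a proxy together, but it also concentrates every client in that range on a single member.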
138

Associating with Virtual Server

• New: Resources Section
• Existing: Resources Tab

© F5 Networks, Inc.
139

Source Address Persistence Lab   Pages 5-4 to 5-6

Source Address persistence:
1. Create Source Address Persistence Profile
• Timeout 15
• Mask – 255.255.255.0
2. Assign persistence profile to vs_https
Test
1. Connect to VS & Refresh
2. Statistics / Persist Conn / IP Addresses - *

(Figure: Internet -> 10.10.X.100 -> 172.16.20.1, 172.16.20.2 and 172.16.20.3.)

© F5 Networks, Inc.
140

Cookie Persistence
• Insert mode
• LTM Inserts Special Cookie in HTTP Response
• Pool Name
• Pool Member (encoded)

• Rewrite mode
• Web Server Creates a “blank” cookie
• LTM Rewrites to make Special Cookie

• Passive mode
• Web Server Creates Special Cookie
• LTM Passively lets it through

© F5 Networks, Inc.
141

Cookie Insert Mode

First Hit (LTM picks the server):
Client -> LTM: TCP handshake
Client -> LTM: HTTP request (no special cookie)
LTM -> Server: TCP handshake
LTM -> Server: HTTP request (no special cookie)
Server -> LTM: HTTP reply (no special cookie)
LTM -> Client: HTTP reply (with inserted cookie)

Second Hit (cookie specifies the server):
Client -> LTM: TCP handshake
Client -> LTM: HTTP request (with same cookie)
LTM -> Server: TCP handshake
LTM -> Server: HTTP request (no special cookie)
Server -> LTM: HTTP reply (no special cookie)
LTM -> Client: HTTP reply (updated cookie)
© F5 Networks, Inc.
142

Cookie Rewrite Mode

First Hit (LTM picks the server):
Client -> LTM: TCP handshake
Client -> LTM: HTTP request (no special cookie)
LTM -> Server: TCP handshake
LTM -> Server: HTTP request (no special cookie)
Server -> LTM: HTTP reply (with blank cookie)
LTM -> Client: HTTP reply (with rewritten cookie)

Second Hit (cookie specifies the server):
Client -> LTM: TCP handshake
Client -> LTM: HTTP request (with same cookie)
LTM -> Server: TCP handshake
LTM -> Server: HTTP request (with same cookie)
Server -> LTM: HTTP reply (with blank cookie)
LTM -> Client: HTTP reply (with updated cookie)
© F5 Networks, Inc.
143

Cookie Passive Mode

First Hit (LTM picks the server):
Client -> LTM: TCP handshake
Client -> LTM: HTTP request (no special cookie)
LTM -> Server: TCP handshake
LTM -> Server: HTTP request (no special cookie)
Server -> LTM: HTTP reply (with special cookie)
LTM -> Client: HTTP reply (with special cookie)

Second Hit (cookie specifies the server):
Client -> LTM: TCP handshake
Client -> LTM: HTTP request (with same cookie)
LTM -> Server: TCP handshake
LTM -> Server: HTTP request (with same cookie)
Server -> LTM: HTTP reply (with special cookie)
LTM -> Client: HTTP reply (with special cookie)
© F5 Networks, Inc.
144

Configuring Cookie Persistence

Profile Dependencies
• HTTP Profile First
• Cookie Persist Profile Second

© F5 Networks, Inc.
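Cookie Insert mode as drawn on the Cookie Insert Mode slide (first hit load balanced and a cookie inserted into the reply; second hit routed by the cookie, which is stripped before the request reaches the server), as an added Python example (not F5 code). The slides only say the pool member is "encoded"; the value format used here (member IPv4 as a little-endian integer, port with its bytes swapped, fixed ".0000" suffix, cookie named BIGipServer plus the pool name) is the well-known default BIG-IP encoding and is stated here from that knowledge, not from the slides. The pool members are the lab's http_pool; the extra session cookie is constructed.

```python
import struct
from itertools import cycle


def encode_member(ip, port):
    """Default BIG-IP cookie value: IPv4 as a little-endian 32-bit integer,
    port with its two bytes swapped, then a fixed ".0000"."""
    ip_int = struct.unpack("<I", bytes(int(o) for o in ip.split(".")))[0]
    port_int = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_int}.{port_int}.0000"


def decode_member(value):
    """Inverse of encode_member; raises ValueError/struct.error on bad input."""
    ip_part, port_part, _tail = value.split(".")
    ip = ".".join(str(b) for b in struct.pack("<I", int(ip_part)))
    port = struct.unpack(">H", struct.pack("<H", int(port_part)))[0]
    return ip, port


class CookieInsertLtm:
    def __init__(self, pool_name, members):
        self.cookie_name = f"BIGipServer{pool_name}"
        self.members = members              # list of (ip, port)
        self._rr = cycle(members)           # load balancing for the first hit

    def handle(self, request_cookies):
        """Process one HTTP request. Returns (member, cookies forwarded to
        the server, cookies set on the reply to the client)."""
        member = None
        value = request_cookies.get(self.cookie_name)
        if value is not None:
            try:
                candidate = decode_member(value)
            except (ValueError, struct.error):
                candidate = None
            if candidate in self.members:   # ignore stale or unknown members
                member = candidate
        if member is None:
            member = next(self._rr)         # first hit: pick server
        # the special cookie is removed before the request goes to the server
        forwarded = {k: v for k, v in request_cookies.items()
                     if k != self.cookie_name}
        reply = {self.cookie_name: encode_member(*member)}  # inserted / updated
        return member, forwarded, reply


def slide_demo():
    """First hit without the cookie, second hit presenting it."""
    ltm = CookieInsertLtm("http_pool", [("172.16.20.1", 80),
                                        ("172.16.20.2", 80),
                                        ("172.16.20.3", 80)])
    first_member, _, reply_cookies = ltm.handle({})
    second_member, forwarded, _ = ltm.handle({**reply_cookies, "session": "abc"})
    return first_member, second_member, reply_cookies, forwarded


if __name__ == "__main__":
    print(slide_demo())
```

`decode_member` shows that the inserted value maps straight back to a member address and port, which is what the lab's "Look at Cookie" step is meant to make visible; a cookie naming a member that is not in the pool is ignored and the request is simply load balanced again.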
145

Cookie Persistence Lab   Pages 5-12 to 5-14

Cookie persistence:
1. Create Cookie Persistence Profile
• Insert Cookie Method
• Custom Expiration
2. Assign persistence profile to vs_http
Test
1. Connect to VS & Refresh
2. Look at Cookie

(Figure: Internet -> 10.10.X.100 -> 172.16.20.1, 172.16.20.2 and 172.16.20.3.)

© F5 Networks, Inc.
146

Member State

147

Service Down Actions

• Administrator Option
• Advanced Pool Settings
• None
• Reject
• Drop
• Reselect

148

Member & Node State Lab   Page 5-17

Establish Persistence:
1. Connect to https://10.10.X.100
2. Verify Persistence is occurring
Disable Member & Test:
1. Disable member and refresh. Still persistent?
2. "Forced Offline .." on member. Still persistent?
Disable Node & Test:
1. Disable Node and refresh. Still persistent?

Diagram: Internet → 10.10.X.100 → 172.16.20.1, 172.16.20.2, 172.16.20.3
149

Module 6 – Processing SSL Traffic

Diagram: Internet → BIG-IP → 172.16.20.1, 172.16.20.2, 172.16.20.3 (Encrypted on the Internet side, Decrypted on the server side)
150

Module 6 – Outline

• Client SSL
• Server SSL
• Configuring SSL Profiles
• Client SSL Labs

151

SSL Concepts

• Encrypted End-to-End
• Certificates & Keys
• SSL Accelerator Cards
  • Hardware Encryption / Decryption
  • Takes load off Server

Diagram: Packet Encrypted
152

SSL Termination

Advantages
• SSL key exchange done by hardware
• SSL bulk encryption done by hardware
• Centralize certificate management
• Offload SSL traffic from Web Servers
• Allows rule processing & cookie persistence

153

Traffic Flow: Client SSL

1. Client sends Encrypted packet
2. BIG-IP receives Encrypted packet, Decrypts it and processes it. Includes load balancing to pool member.
3. Pool member processes Un-Encrypted request and sends Un-Encrypted response to BIG-IP
4. BIG-IP Encrypts response and sends to client.

Diagram: Internet → BIG-IP → pool members
154

Traffic Flow: Client SSL & Server SSL

1. Client sends Encrypted packet
2. BIG-IP receives Encrypted packet, Decrypts it and processes it. Encrypts packet as it is load balanced to pool member.
3. Pool member receives Encrypted request, processes it, Encrypts the response and sends to BIG-IP
4. BIG-IP receives the Encrypted response, Decrypts it, processes it, and Encrypts the response, and sends to client.

Diagram: Internet → BIG-IP → pool members
155

SSL Acceleration
• Hardware Encryption & Decryption

Platform   Maximum TPS
1600       5,000
3600       10,000
3900       15,000
6900       25,000
8800       48,000
8900       58,000
8950       56,000
11050      100,000
VIPRION    200,000
156

What is FIPS?
• Federal Information Processing Standard (FIPS)
• FIPS 140-2 standard: "Security Requirements for Cryptographic Modules".
• Standard SSL & Server Keys? Can't log in to Servers, can't get at keys.
• Isn't Standard SSL good enough? Want keys in tamper-proof hardware.
• Who needs FIPS-140? Companies regulated by U.S. government
157

Generate Certificate

158

Create SSL Profile

159

Associate with Virtual Server

160

SSL Termination Labs   Page 6-6 → 6-8

Client SSL:
1. Generate Certificate
2. Custom Client SSL profile
3. vs_ssl 10.10.X.102:443 using Client SSL profile
Test:
1. Connect :443 to :80 web?
Server SSL (Optional):
1. Custom Server SSL profile
2. vs_ssl using both Client and Server SSL profiles
Test again:

Diagram: Internet → 10.10.X.102:443 → 172.16.20.1, 172.16.20.2, 172.16.20.3
161

Diagram: Internet → VS 10.10.X.100:443 (https_pool, no SSL profile) → 172.16.20.1:443, 172.16.20.2:443, 172.16.20.3:443, each with its own Server SSL Certificate
162

Diagram: Internet → VS 10.10.X.102:443 (http_pool, Client SSL profile, BIG-IP SSL Certificate) → 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80
163

Diagram: Internet → VS 10.10.X.102:443 (https_pool, Client SSL profile and Server SSL profile, BIG-IP SSL Certificate) → 172.16.20.1:443, 172.16.20.2:443, 172.16.20.3:443, each with its own Server SSL Certificate
164

Course Outline
1. Installation
2. Load Balancing
3. Health Monitors
4. Profiles Day 1
5. Persistence
6. Processing SSL Traffic
7. Lab Project 1
8. NATs and SNATs
9. iRules Day 2
10. High Availability
11. High Availability Part 2
165

Course Outline
12. Command Line – tmsh
13. Administration
14. Administration part 2 Day 3
15. Profiles part 2
16. iApps
17. Virtual Servers part 2
18. SNATs part 2
19. Monitors part 2
Day 4
20. Persistence part 2
21. iRules part 2
22. Lab Project 2
166

Module 7 – Lab Project

• Save your configuration
• Restore trainX_base.ucs
• Add new
  • Pools
  • Monitors
  • Virtual Servers
  • Profiles
• Test new configuration
167

Archive Configurations

© F5 Networks, Inc.
168

Lab Project   Pages 7-1 → 7-4

Backup / Restore configuration:
1. Save to trainX_Module6 & download
2. Restore trainX_base … Gone?
3. Restore trainX_Module6 … Back?
Create new configuration:
1. Restore trainX_base … Gone
2. Add Pools, Monitors & Profiles
3. Create Virtual Servers & test
Answer questions and…
1. Save to trainX_Module7

Diagram: Internet → BIG-IP → 172.16.20.1, 172.16.20.2, 172.16.20.3
169

Module 7 – Verification

1. http://10.10.X.100    Load Balancing? Why?
2. https://10.10.X.101   Load Balancing? Why?
3. ssh://10.10.X.100     Did you connect?
4. https://10.10.X.101   Load Balancing now?
5. http://10.10.X.101    Redirect?
170

Questions?

1. Which settings can be specified during the Setup Utility? (choose 3)
a. Default route
b. Pool members
c. Self IP addresses
d. Virtual Server addresses
e. Password of root account

Answer: A, C & E
171

Questions?

2. Given the conditions in the chart below, what Member will be selected for the next service request? The last five selections have been Members A, B, C, C, D.

Load Balancing              Least Connections
Priority Group Activation   2
Persistence Mode            None

Member      Node         Node   Member  Member    Connections  Response  Status
Identifier  Address      Ratio  Ratio   Priority               Time
A           10.1.1.1:80  1      1       1         2            2 ms      Up
B           10.1.1.2:80  1      2       1         6            2 ms      Disabled
C           10.1.1.1:81  1      3       3         4            3 ms      Up
D           10.1.1.2:81  1      4       3         12           2 ms      Unavailable

Answer: A
172

Questions?
3. A connection is made to the Virtual Server at 150.150.10.10:80 associated with the pool below. The last five connections have been C, D, C, D, C. Given the conditions on the charts below, if a client at IP address 205.68.17.12 connects, what node will be selected for this service request?

Load Balancing              Fastest
Priority Group Activation   2

Member      Node         Node   Member  Member    Connections  Response  Status
Identifier  Address      Ratio  Ratio   Priority               Time
A           10.1.1.1:80  1      1       1         5            3 ms      Up
B           10.1.1.2:80  1      2       1         6            2 ms      Disabled
C           10.1.1.1:81  1      3       3         7            3 ms      Up
D           10.1.1.2:81  1      4       3         3            2 ms      Unavailable

Persistence Mode   Src Address   Timeout = 600, Mask = 255.255.255.0

Client Address  Virtual Path   Pool Name  Member Node  Alive Time
200.11.225.0    150.150.10.10  WebPool    10.1.1.1:80  300
200.11.15.0     150.150.10.10  WebPool    10.1.1.2:80  500
205.68.17.0     150.150.10.10  WebPool    10.1.1.1:81  200

Answer: C
173
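Questions 2 and 3 exercise priority group activation, the Least Connections and Fastest methods, and source address persistence together. The following Python model is an added example, not F5 code and not part of the course: it is a simplified reading of those rules that reproduces the two answer keys from the tables above, so you can change a status or a connection count and see which rule decided. It treats the table's Alive Time as the age of the persistence entry in seconds (an assumption) and lets persistence to a still-available member override the load balancing method.

```python
"""Model of pool-member selection for quiz questions 2 and 3 above:
priority group activation, the Least Connections and Fastest methods, and
source address persistence with a mask and timeout.

Added example, not F5 code: a simplified reading of those rules, with the
table's Alive Time taken as the entry's age in seconds (assumption)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Member:
    name: str
    address: str        # ip:port
    node_ratio: int
    member_ratio: int
    priority: int
    connections: int
    response_ms: int
    status: str         # "Up", "Disabled" or "Unavailable"


def available(members):
    """Only Up members can be selected; Disabled and Unavailable ones cannot."""
    return [m for m in members if m.status == "Up"]


def priority_group_activation(members, min_active):
    """Start with the highest priority group and pull in lower groups while
    fewer than min_active members are available (min_active 0 = disabled)."""
    if min_active <= 0:
        return available(members)
    chosen = []
    for prio in sorted({m.priority for m in members}, reverse=True):
        chosen += [m for m in members if m.priority == prio]
        if len(available(chosen)) >= min_active:
            break
    return available(chosen)


METHODS = {
    "Least Connections": lambda cands: min(cands, key=lambda m: m.connections),
    "Fastest": lambda cands: min(cands, key=lambda m: m.response_ms),
}


def persistence_lookup(entries, client_ip, mask, timeout):
    """Source address persistence: the client's network (under the mask) must
    match a table entry that has not aged past the timeout."""
    client_net = ip_network(f"{client_ip}/{mask}", strict=False).network_address
    for entry_ip, member_address, alive in entries:
        if ip_address(entry_ip) == client_net and alive < timeout:
            return member_address
    return None


def select_member(members, method, min_active, persistence=None, client_ip=None):
    """Persistence to a still-available member wins; otherwise apply PGA and the method."""
    if persistence is not None and client_ip is not None:
        sticky = persistence_lookup(persistence["entries"], client_ip,
                                    persistence["mask"], persistence["timeout"])
        for m in available(members):
            if m.address == sticky:
                return m, "persistence"
    return METHODS[method](priority_group_activation(members, min_active)), method


# Pool tables from the two questions (node ratio, member ratio, priority, connections, ms, status)
Q2_POOL = [
    Member("A", "10.1.1.1:80", 1, 1, 1, 2, 2, "Up"),
    Member("B", "10.1.1.2:80", 1, 2, 1, 6, 2, "Disabled"),
    Member("C", "10.1.1.1:81", 1, 3, 3, 4, 3, "Up"),
    Member("D", "10.1.1.2:81", 1, 4, 3, 12, 2, "Unavailable"),
]
Q3_POOL = [
    Member("A", "10.1.1.1:80", 1, 1, 1, 5, 3, "Up"),
    Member("B", "10.1.1.2:80", 1, 2, 1, 6, 2, "Disabled"),
    Member("C", "10.1.1.1:81", 1, 3, 3, 7, 3, "Up"),
    Member("D", "10.1.1.2:81", 1, 4, 3, 3, 2, "Unavailable"),
]
Q3_PERSISTENCE = {
    "mask": "255.255.255.0", "timeout": 600,
    "entries": [("200.11.225.0", "10.1.1.1:80", 300),
                ("200.11.15.0", "10.1.1.2:80", 500),
                ("205.68.17.0", "10.1.1.1:81", 200)],
}


def question2():
    return select_member(Q2_POOL, "Least Connections", 2)


def question3(client_ip="205.68.17.12"):
    return select_member(Q3_POOL, "Fastest", 2, Q3_PERSISTENCE, client_ip)
```

In question 2 the priority-3 group has only one available member (C), so with an activation threshold of 2 the priority-1 group is pulled in and Least Connections picks A over C. In question 3 the client's /24 matches the persistence entry for 10.1.1.1:81 with 400 seconds still to run, so C is chosen before the Fastest method is consulted.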

Questions?
4. When a virtual server has a client-ssl profile but no server ssl profile, which of that virtual server's traffic is encrypted? (choose 2)
a. traffic from the client to the BIG-IP LTM.
b. traffic from the BIG-IP LTM to the client.
c. traffic from the BIG-IP LTM to the selected pool member.
d. traffic from the selected pool member to the BIG-IP LTM.

Answer: a & b
174

Module 7 – Questions

• Admin passwords changed by setup? What type Access?
• What is a Node, Pool, Profile & Virtual Server?
• List the Load Balancing Modes.
• What are Monitors assigned to?
• Pool Member disabled, still receive client requests?
175

Module 8 – NATs and SNATs

Diagram: Internet ↔ 207.10.1.101, 207.10.1.103 (Network Address Translation) ↔ 172.16.20.1, 172.16.20.3
176

Module 8 – Outline
• NATs
• NAT Lab
• SNAT Concepts
• Configuring SNATs
• SNAT Labs
177

NAT
• One-to-one mapping
• Bi-directional traffic
• Dedicated IP address
• Port-less (security concern?)
• Configuration:

Diagram: Internet ↔ 207.10.1.101, 207.10.1.103 (NAT addresses) ↔ 172.16.20.1, 172.16.20.3
178

NAT Lab   Page 8-4

NAT:
1. 10.10.X.200 -> 172.16.20.2
2. Delete NAT !!

Diagram: Internet → 10.10.X.200 (NAT) → 172.16.20.2
179

SNATs
• "Secure" NAT
• Performs Source NAT
• Many-to-one mapping
• Secure? - Traffic initiated to SNAT Address refused
• SNATs used for "Routing" problems

Diagram: Internet ← BIG-IP SNAT 207.10.1.102
180

SNATs: Example 1

Many non-publicly routable to one routable address

Diagram: servers → BIG-IP (SNAT 207.10.1.33) → Internet
181

SNATs: Example 1 Flow Initiation

Source address translated to SNAT address (note source port):
  Server side:    172.16.20.3:1111 → 205.229.151.203:80
  Internet side:  207.10.1.102:2222 → 205.229.151.203:80

Diagram: Internet host 205.229.151.10; BIG-IP SNAT address 207.10.1.102
182

SNATs: Example 1 Flow Response

Response packet translated back:
  Internet side:  205.229.151.203:80 → 207.10.1.102:2222
  Server side:    205.229.151.203:80 → 172.16.20.3:1111

Diagram: Internet host 205.229.151.10; BIG-IP SNAT address 207.10.1.102
183

SNATs: Example 2

Servers' default route not through LTM → packets do not return via BIG-IP
Add SNAT: packets return via BIG-IP

Diagram: Internet → Virtual Server 207.10.1.100:80; GW beside BIG-IP; Self IP 172.16.1.33
184

SNATs: Example 2 Flow Initiation

Client side:  150.150.10.10:1030 → 207.10.1.100:80
Server side:  172.16.1.33:2000 → 172.16.20.1:80
  Source changed by SNAT; Destination changed by VS

Diagram: Internet → Virtual Server 207.10.1.100:80; GW; Self IP 172.16.1.33
185

SNATs: Example 2 Flow Response

Server side:  172.16.20.1:80 → 172.16.1.33:2000
Client side:  207.10.1.100:80 → 150.150.10.10:1030
  Source changed back by VS; Destination changed back by SNAT

Diagram: Internet → Virtual Server 207.10.1.100:80; GW; Self IP 172.16.1.33
186
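Both examples come down to two translation tables: one keyed on the SNAT port for server-initiated flows (Example 1) and one keyed on the member-side tuple for virtual-server flows (Example 2). The Python model below is an added example, not F5 code and not part of the course; it uses the addresses from the slides, and its port allocation and connection tables are simplified stand-ins for the BIG-IP connection table. It also reproduces the Example 2 problem: without a SNAT the server's reply is addressed straight to the client, so it follows the server's default gateway instead of returning through the BIG-IP.

```python
"""Model of the two SNAT flows shown in Examples 1 and 2 above.

Added example, not F5 code: addresses come from the slides, the port
allocation and connection tables are simplified stand-ins for TMOS's."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class TrafficManager:
    """One BIG-IP with a SNAT address and a map of virtual servers to members."""

    def __init__(self, snat_address, first_snat_port, virtual_servers):
        self.snat_address = snat_address
        self._ports = count(first_snat_port)      # fresh translated source port per flow
        self.virtual_servers = virtual_servers    # (vip, port) -> (member_ip, member_port)
        self.snat_table = {}                      # (peer_ip, peer_port, snat_port) -> original Packet
        self.vs_table = {}                        # (member_ip, member_port, src, sport) -> (client, vip)

    def snat(self, pkt):
        """Example 1 initiation: source becomes the SNAT address and a new port."""
        sport = next(self._ports)
        self.snat_table[(pkt.dst, pkt.dport, sport)] = pkt
        return replace(pkt, src=self.snat_address, sport=sport)

    def snat_reverse(self, reply):
        """Example 1 response: find the flow by remote peer and SNAT port, restore the server."""
        original = self.snat_table[(reply.src, reply.sport, reply.dport)]
        return replace(reply, dst=original.src, dport=original.sport)

    def virtual_server_forward(self, pkt, snat_enabled):
        """Example 2 initiation: the VS rewrites the destination; the SNAT (if on) the source."""
        vip = (pkt.dst, pkt.dport)
        member_ip, member_port = self.virtual_servers[vip]
        to_member = replace(pkt, dst=member_ip, dport=member_port)
        if snat_enabled:
            to_member = self.snat(to_member)
        self.vs_table[(member_ip, member_port, to_member.src, to_member.sport)] = (pkt, vip)
        return to_member

    def virtual_server_reverse(self, reply):
        """Example 2 response: destination back to the client, source back to the VIP."""
        client, vip = self.vs_table[(reply.src, reply.sport, reply.dst, reply.dport)]
        return Packet(vip[0], vip[1], client.src, client.sport)


def reply_returns_via_bigip(reply, bigip_addresses, server_default_gw_is_bigip):
    """A reply addressed to a BIG-IP self IP or SNAT address is delivered to the BIG-IP
    directly; a reply addressed to the client follows the server's default route."""
    return reply.dst in bigip_addresses or server_default_gw_is_bigip


def example1():
    """Server-initiated outbound flow and its response, as on the Example 1 slides."""
    tm = TrafficManager("207.10.1.102", 2222, {})
    out = tm.snat(Packet("172.16.20.3", 1111, "205.229.151.203", 80))
    back = tm.snat_reverse(Packet("205.229.151.203", 80, out.src, out.sport))
    return out, back


def example2(snat_enabled, server_default_gw_is_bigip=False):
    """Client to virtual server and back; None as the second value means the reply never
    reached the BIG-IP (asymmetric path) and the client will discard it."""
    tm = TrafficManager("172.16.1.33", 2000, {("207.10.1.100", 80): ("172.16.20.1", 80)})
    client = Packet("150.150.10.10", 1030, "207.10.1.100", 80)
    to_member = tm.virtual_server_forward(client, snat_enabled)
    server_reply = Packet(to_member.dst, to_member.dport, to_member.src, to_member.sport)
    if not reply_returns_via_bigip(server_reply, {"172.16.1.33"}, server_default_gw_is_bigip):
        return to_member, None
    return to_member, tm.virtual_server_reverse(server_reply)
```

The SNAT fixes the routing problem because the server now replies to 172.16.1.33, an address that lives on the BIG-IP, regardless of what the server's default gateway is; the cost is that the member no longer sees the real client address, which matters for server-side logging and access control.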

SNATs
Origin: Who can have their address changed?
Translation: What will be the new address?
Arrival VLAN: Where the packet arrived

Diagram: Internet ← BIG-IP SNAT 207.10.1.102
187

SNATs using Automap

• Automap: option for "changed to what"
• Self IP addresses used
• Floating Self IP addresses used if failover is set up
• Egress or exit VLAN will be used, as it is closer to the network devices where the packet exits
188

SNAT Automap Translation

Diagram: Floating Self-IP Addresses
  Traffic exiting this direction (external side) uses 10.10.X.33
  Traffic exiting this direction (internal side) uses 172.16.X.33
189

SNAT Configured in Virtual Server

• What clients: All that can get to this VS
• What Address(es) will be used: SNAT Automap or SNAT pool
• What VLANs are enabled

Diagram: Internet → VS 10.10.17.100:443 → BIG-IP (self IP 172.16.17.33) → servers
190

SNAT Lab   Page 8-6 → 8-7

Test before:
  Server sees Source IP as 10.10.X.30
  Server routes 10.10.X/24 -> 172.16.X.33
  Partner can't use your VS's

SNAT Labs:
1. SNAT Automap for vs_https
2. Inbound uses 172.16.X.33
3. Global SNAT 172.16.X.201 for 10.10.X
4. vs_http source changed 172.16.X.201 but partner can't hit vs_http

Delete all SNATs !!

Diagram: Internet → 10.10.X.100 → BIG-IP (172.16.X.33) → 172.16.20.1, 172.16.20.2, 172.16.20.3
191

Module 9 - iRules

when CLIENT_ACCEPTED {
    if { [IP::remote_addr] starts_with "10." } {
        pool ten_pool
    } else {
        pool customer_pool
    }
}

Diagram: Internet → BIG-IP → ten_pool / customer_pool
192

Module 9 – Outline

• iRule Concepts & Syntax
• iRule Events
• Configuring iRules
• iRules Labs
193

iRule Concepts & Syntax

• iRules Often Select Pool
• Basic Syntax
  • If … then … else …

when EVENT {
    if { conditional_statement } {
        action_when_condition_true
    }
}
194

iRule Operators

• Relational Examples
• contains
• matches
• equals
• starts_with

• Logical Examples
• Not
• And
• Or

195

iRule Events

Network Activity                 iRule Event
Client side (Internet → BIG-IP):
  Syn, Syn-Ack, Ack              CLIENT_ACCEPTED
  Client Data                    CLIENT_DATA
                                 HTTP_REQUEST
                                 LB_SELECTED
Server side (BIG-IP → Server):
  Syn, Syn-Ack, Ack              SERVER_CONNECTED
  Client Data (forwarded)
  Server Response                SERVER_DATA
                                 HTTP_RESPONSE
196

HTTP Event Example


Pool selection based on Browser

rule BrowserType {
    when HTTP_REQUEST {
        if { [HTTP::header User-Agent] contains "MSIE" } {
            pool /Common/IE_pool
        } elseif { [HTTP::header User-Agent] contains "Mozilla" } {
            pool /Common/Mz_pool
        } else {
            pool /Common/Other_browser
        }
    }
}
197

Sample Capture – For Rule Processing

GET /env.cgi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://172.27.166.175/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Host: 172.27.166.175
Proxy-Connection: Keep-Alive

FROM IE 6.0 SP2
198
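The capture above is the kind of request the BrowserType rule on the previous slide evaluates, and it shows why the order of the tests matters: IE 6 announces itself as "Mozilla/4.0 (compatible; MSIE 6.0; ...)", so it contains both strings. The Python below is an added example, not an iRule and not F5 code: it parses the captured request into headers, applies the rule's three branches in the slide's order and in the reversed order, and runs two constructed User-Agent strings (a Firefox one and a curl one) through the same logic.

```python
"""Python re-implementation of the BrowserType rule above, run against the
IE 6 capture on this slide. Added example, not an iRule and not F5 code: it
shows how the request is parsed and why the MSIE test must come before the
Mozilla test. The Firefox and curl User-Agent strings are constructed."""

SAMPLE_REQUEST = (  # the slide's capture, re-joined with CRLF line endings
    "GET /env.cgi HTTP/1.1\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
    "application/x-shockwave-flash, application/vnd.ms-excel, "
    "application/vnd.ms-powerpoint, application/msword, */*\r\n"
    "Referer: http://172.27.166.175/\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    ".NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)\r\n"
    "Host: 172.27.166.175\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, URI, version and headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def http_header(request, name):
    """Stand-in for [HTTP::header <name>]: empty string when the header is absent."""
    return request["headers"].get(name.lower(), "")


def browser_type_rule(request):
    """The slide's rule: MSIE first, because IE's User-Agent also says Mozilla/4.0."""
    user_agent = http_header(request, "User-Agent")
    if "MSIE" in user_agent:
        return "/Common/IE_pool"
    if "Mozilla" in user_agent:
        return "/Common/Mz_pool"
    return "/Common/Other_browser"


def reversed_rule(request):
    """Same two tests in the other order: every IE request lands in Mz_pool."""
    user_agent = http_header(request, "User-Agent")
    if "Mozilla" in user_agent:
        return "/Common/Mz_pool"
    if "MSIE" in user_agent:
        return "/Common/IE_pool"
    return "/Common/Other_browser"


def with_user_agent(user_agent):
    """The sample request with only the User-Agent replaced (constructed variant)."""
    original = http_header(parse_request(SAMPLE_REQUEST), "User-Agent")
    return parse_request(SAMPLE_REQUEST.replace(original, user_agent))
```

A request with no User-Agent header at all goes to Other_browser rather than raising an error, which mirrors `[HTTP::header ...]` returning an empty value for a missing header; a rule that branches on a client-supplied header should always have that default leg.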

Configuring iRules

• Create Pools first
• Create Rule next
• Associate with VS
199

Configuring iRules
• Additional Resources
  • Interactive User Community
  • http://devcentral.f5.com
200

iRules Labs   Pages 9-6 → 9-10

Simple Rule:
1. Pool1, 2, 3 – only 172.16.20.1,2,3:*
2. rule – rule_txt_ends
when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "txt" } {
        pool /Common/pool1
    }
}
3. VS 10.10.X.102:80 -> rule
4. pool3 default, then else leg
Rule Lab #2:
1. rule – rule_tcp_port
when CLIENT_ACCEPTED {
    if { [TCP::local_port] equals 80 } {
        pool /Common/pool1
    } elseif { [TCP::local_port] equals 443 } {
        pool /Common/pool2
    }
}
2. VS 10.10.X.103:* -> rule & pool3

Diagram: Internet → 10.10.X.100 → 172.16.20.1, 172.16.20.2, 172.16.20.3
201

Module 10 – High Availability

Diagram: Clients → Internet → BIG-IP LTMs (redundant pair) → Servers
202

Module 10 – Outline
• Sync-Failover Concepts
• Device Group Lab
• Failover Triggers & Detection
• VLAN Failsafe Lab
• Stateful Fail-over
• Mirroring Labs

Module 11 – Active, Active, Standby concepts
Module 14 – Sync-only concepts
203

Sync-Failover Concepts

High Availability
• Floating Address
• Failover Triggers
• Failover Detection

Diagram: Internet → two BIG-IPs, each Active or Standby
  External: 10.10.X.31, Floating IP 10.10.X.33, 10.10.Y.31
  Internal: 172.16.X.31, Floating IP 172.16.X.33, 172.16.Y.31
204

Setup Utility steps

205

Device Groups

206

Synchronizing Configuration
• Synchronize in "Correct" Direction
207

Determining Controller state


• From Configuration Utility
• From bigtop
• From Command Prompt
208

Changing Mode

• Force Active to Standby
• Standby takes over Active role
• From Configuration Utility
• From Command Line

Traffic Groups – Module 11
209

Sync-Failover Setup Labs   Pages 10-4 → 6

Device Group Prep:
1. Create TrainX_Mod9.ucs
2. Admin pw & delete Dev Group
Device Trust & Group:
1. Device Trust between X & Y
2. X Setup Device Group
Config-Sync & Failover:
1. Y Sync to Group
2. Shared config?
3. Force to Standby

Diagram: Internet → BIG-IP X (10.10.Y.29) and BIG-IP Y (10.10.Y.30)
  External IP 10.10.X.31, Floating IP 10.10.Y.33, External IP 10.10.Y.31
  Internal IP 172.16.X.31, Floating IP 172.16.Y.33, Internal IP 172.16.Y.31
210

Redundant Pair Communication

Failover:
1. Voltage via Serial Cable (No Data)
2. Only valid for 2 BIG-IPs
Synchronization Data:
1. TCP Connection – port 443
2. Config Synched with partner
Mirroring Data:
1. TCP Connection – Port 1028
2. Connection and Persistence Tables Mirrored when Enabled
Network Failover:
1. UDP Datagrams – Port 1026
2. Network keep-alive when enabled

Diagram: Standby and Active units joined by the failover cable
211

Upgrade Process

1. Upgrade Standby unit
2. Failover Active box to Standby
3. Verify Upgraded unit works
4. Upgrade other box

Flow chart:
Working Redundant Pair
→ Upgrade current standby controller
→ Failover Active Controller to upgraded Standby Controller
→ Is upgraded unit functional?
  • Yes → Upgrade current standby controller → Done
  • No → Failover to non-upgraded controller and call Tech Support → Upgrade?
    • No → Get upgraded controller back to working status with Tech Support
    • Yes → Upgrade current standby controller
212

Installing an Upgrade or HotFix

Steps:
1. Download file from AskF5
2. Read release notes
3. Verify with MD5
4. GUI or tmsh install
5. Follow Flow Chart

Diagram: Internet → Standby / Active pair; Apply Fix
213

Failover Triggers

• Fail-over Managers: Overdog & SOD
• HA table – tmsh show /sys ha-status
• Fail-over Triggers
  • Processes (Daemons)
  • VLAN traffic
  • Gateway
  • Switch board
214

Fail-over Triggers - Daemons

215

VLAN Failsafe
• Detects no network traffic → Tries to generate traffic
• Active Drops to Standby → Standby Assumes Active role
216

Failover Detection
• Failover Cable (only 2 BIG-IPs)
• Serial Cable between boxes
• Looks for loss of voltage
• Always active – cannot be disabled
• Network Failover
• Communication Across the Network
• Looks for loss of Network Pulse

217

Triggers Lab   Page 10-14

VLAN Failsafe:
1. Set VLAN Failsafe - External
2. Pull network cable on Active
3. Did failover occur?
4. Plug all cables back in
5. Remove VLAN failsafe

Diagram: Internet → Standby / Active pair
218

Stateful Fail-over
• Default Actions on Fail-over
• New connections through new Active system
• Current connections & persistence lost

• Stateful Failover
• New connections through new Active box
• Current connections & persistence Maintained
• Mirroring - dictates Standby box have knowledge of
existing connections & persistence

219

Mirroring

• Connection Mirroring
• Applicable to Long Lasting connections
• telnet, ftp, etc…
• Connection should not be lost

• Persistence Mirroring
• For Persistent sessions
• Timer starts anew at Fail-over

220

Connection Mirroring

221

Persistence Mirroring

222

NAT & SNAT Mirroring


• No need to mirror NATs
• SNAT Mirroring configuration
223

Mirroring Labs   Pages 10-16 → 17

Connection Mirroring:
1. ssh – 10.10.X.100 then failover
2. ssh session ends / disconnected
3. Set mirror connection for ssh virtual server – 10.10.X.100:22
4. ssh – 10.10.X.100 then failover
5. Connection still active?

Persistence Mirroring:
1. vs_https – source addr persist profile
2. https://10.10.X.101
3. Failover, refresh, did connection persist after Failover?
4. Mirror persist for profile
5. Try again, Persist?

Diagram: Internet → VS 10.10.X.100 → Standby / Active pair
224

Module 11 – High Availability Part 2

• Traffic Group Concepts
• Traffic Group Configuration
• MAC Masquerading
• Traffic Group Lab
• N+1 Concepts
• N+1 Lab
225

Traffic Group Failover Objects

• Virtual Addresses
• Floating Self IPs
• SNAT Addresses

Diagram: VS_A / IP_A on BIG-IP_A and BIG-IP_B; each unit shown Active or Standby
226

Traffic Groups Failover Object

227

Traffic Group Concepts

Diagram: TG_A (VS_A, IP_A) on BIG-IP_A (Active); TG_B (VS_B, IP_B) on BIG-IP_B (Active)
228

Traffic Group configuration

229

MAC Masquerading
• Floating MAC Address for Traffic Group
• No ARP cache refresh needed
• Related Option: Link Down on Failover

230

Traffic Group Labs   Page 11-4

Existing partners:
1. Add TG2
2. Add 10.10.X.102 to TG2
3. Synchronize
4. Failover Traffic Groups & test

Diagram: Internet → two units, both Active
231

Default & Backup Device

232

N+1 Concepts

Diagram: TG_A, TG_B, TG_C on BIG-IP_A, BIG-IP_B, BIG-IP_C; each unit Active for its own group, Standby for the others
233

N+1 Concepts

Diagram: TG_A, TG_B, TG_C on BIG-IP_A, BIG-IP_B, BIG-IP_C; each unit Active for its own group, Standby for the others
234

N+1 Concepts

Diagram: TG_A1/TG_A2, TG_B1/TG_B2, TG_C1/TG_C2, TG_D1/TG_D2 on BIG-IP_A, BIG-IP_B, BIG-IP_C, BIG-IP_D; TG_A2 shown failed over; each unit Active for its own groups, Standby for others
235

N+1 Lab   Page 11-6

Combine in 3's or 4's:
1. New partners reset to base config
2. Add Device Trust for new partners
3. Add new partners to Device Group
4. Add TG3 and set 10.10.X.103
5. Synchronize
6. Failover Traffic Groups & test

Reset to individual stations:
1. Restore trainX_base.ucs config

Diagram: Internet → three units (Active, Standby, Active)
236

Course Outline
1. Installation
2. Load Balancing
3. Health Monitors
4. Profiles Day 1
5. Persistence
6. Processing SSL Traffic
7. Lab Project 1
8. NATs and SNATs
9. iRules Day 2
10. High Availability
11. High Availability Part 2
237

Course Outline
12. Command Line – tmsh
13. Administration
14. Administration part 2 Day 3
15. Profiles part 2
16. iApps
17. Virtual Servers part 2
18. SNATs part 2
19. Monitors part 2
Day 4
20. Persistence part 2
21. iRules part 2
22. Lab Project 2
238

Remainder of Course
• Expectations:
• Knowledge of previous concepts
• Goals:
• Command Line for configuring
• More complex aspects of LTM
• Practical application of concepts

239

Module 12: Command Line


tmos> create /ltm virtual vs_http destination 10.10.17.100:80 persist add { Pr_Src_Persist } pool /Common/http_pool

OR
240

Module 12 Agenda
• tmsh command shell
• tmsh syntax & command completion lab
• create Pools, Profile & Virtual Servers lab

• /config/bigip.conf file
• Edit bigip.conf file lab
• Optional labs: SNAT, Monitor…

241

tmsh (TM Shell) Architecture


• Hierarchical structure
  • Modules
  • Components
  • Commands
• Verb-Object syntax
  • create virtual …
  • modify pool …
242

Hierarchical Structure

• tmsh
  • "root" level
  • Access: tmsh
  • Prompt: tmos
243

Hierarchical Structure
Diagram (tree of the tmsh hierarchy):
Modules: tmos → auth, cli, gtm, ltm, net, sys
Sub-Modules (examples): wideip, monitor, profile, persistence, snat, tunnels, vlan, rate-shaping, performance
Components (examples): bigip, settings, http, inband
244

Navigating the Hierarchy


• Navigation to a Module: name
• Back up one level: exit
• Change to root: /
• Leave TM Shell: quit
245

Help and Completion


• Completion
• Continuation
• Syntax Examples

Space and Tab
246

Keyboard Map
• Keyboard short cuts
• Common examples:
  • Ctrl + C      Cancels the current command
  • Ctrl + E      Moves cursor to end of line
  • Ctrl + G      Clears all characters from line
  • Ctrl + K      Deletes from cursor to end of line
  • Ctrl + L      Clears screen but not the line
  • Esc + U       Changes word to uppercase
  • Up Arrow      Scrolls up through command history
  • Down Arrow    Scrolls down through command history
247

Global commands
• create
• delete
• exit
• list
• load
• modify
• quit
• run
• run big3d_install
• save
• show
248

LTM Components

Diagram: tmos → ltm → Components
  monitor       http & 30+ others
  profile       clientssl & 20+ others
  persistence   source addr, cookie & others…
  pool
  virtual
  snat
  node & others…

For more information - tmsh Reference Guide
249

tmsh Examples

• Pool
• Virtual Server

250

Creating, Modifying, Listing a Pool

251

Creating a Virtual Server

252

Config files
• /config/bigip.conf
• Virtual Servers, Pools, SNATs, Monitors, etc…

• /config/bigip_base.conf
• VLANs, Interfaces, Self IPs, Device Groups, etc…

• /config/BigDB.dat
• System settings

• And many others…

253

save, load & list

Store Running Configuration → To Disk:   tmsh save /sys config
View Running Configuration (RAM):         tmsh list …
Load Stored Configuration ← From Disk:    tmsh load /sys config

Diagram: RAM (running configuration) ↔ DISK (stored configuration)
254

BigDB.dat Database

• Central configuration file
• Located in /config/BigDB.dat or
• "modify /sys db" commands
• Examples:
  modify /sys db failover.network value enable
255

Configuration archives

• /var/local/ucs/<filename>.ucs
• Zipped archive file
• tmsh save /sys ucs <filename>

• /var/local/scf/<filename>.scf
• Readable single config file
• tmsh save /sys config file <filename>

256

Restoration to another System

Original System:
  Backup System
    tmsh save /sys ucs <filename>
  Backup somewhere off system
    scp or ftp <filename>

Replacement System:
  Install Archive on Alternate System
    tmsh modify /sys global-settings hostname <name>
    tmsh load /sys ucs <filename>
  License System
257

bigpipe (v9) – tmsh


• b pool ftp_pool { lb method member least conn members 172.16.20.1:21 172.16.20.2:21 172.16.20.3:21 }

• create /ltm pool ftp_pool load-balancing-mode least-connections-member members add { 172.16.20.1:21 172.16.20.2:21 172.16.20.3:21 }

tmsh list
bigpipe list

Appendix C – v9 bigpipe lab
258

Command Line Labs   Pages 12-13 → 17

1. tmsh command completion & syntax
2. tmos > create http_pool
3. Look at /config/bigip.conf file
4. tmos > save /sys config
5. tmos > create https_pool & ssh_pool
6. tmos > create persistence:
7. tmos > create vs_http
8. tmos > save /sys config
9. tmos > create vs_https & vs_ssh
10. Save & Test configuration
11. Optional: SNAT & Monitor

Diagram: Internet → 10.10.X.100 → 172.16.20.1, 172.16.20.2, 172.16.20.3
259

Config Verification
1. bigip.conf contains? bigip_base.conf?
2. http://10.10.X.100    Load Balancing? Why?
3. https://10.10.X.100   Load Balancing? Why?
4. ssh to 10.10.X.100    Does it work?
5. Optional Labs – Working?
  • SNAT
  • Monitor
260

Module 13: Administration

• iHealth & qkview
• tcpdump, bigtop & bigstart commands
• F5 VLAN Terminology
• Restricting Access
• Logging and Notification
• Labs:
  • Remote Syslog Server
  • SNMP trap
  • iHealth
  • Optional: Packet Filters
261

BIG-IP iHealth
Available at https://ihealth.f5.com
262

BIG-IP iHealth

• Consists of two components:
  • BIG-IP Diagnostics
  • BIG-IP iHealth Viewer
• Input data provided by the qkview file
263

BIG-IP iHealth qkview file

264

Upload qkview file to BIG-IP iHealth

265

Command line tools

• tcpdump
• bigtop
• bigstart

266

tcpdump

• tcpdump - packet capture tool
  • Part of Unix Operating System
  • Capture traffic through any interface
• More on tcpdump in Troubleshooting course
267

Command Switches for tcpdump

-i <interface>
-e
-n
-X
-r <file>
-w <file>
> <file>
-c <number of packets>
-s <number of bytes>
host <ip address>
port <service>
"and", "or", "not"
268

Three-way Handshake

Diagram: Source → Internet → Destination
1. Syn
2. Syn Ack
3. Ack
269

Monitor Example

• Capture data between Internal interface & Node
• tcpdump -i internal -n host 172.16.20.1 and port 80

Diagram: Client → Internet → BIG-IP → 172.16.20.1
270

tcpdump -i internal -n host 172.16.20.1 and port 80

09:50:32.811118 172.16.17.31.39613 > 172.16.20.1.80: S 444272268:444272268(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF)
09:50:32.811383 172.16.20.1.80 > 172.16.17.31.39613: S 1938541816:1938541816(0) ack 444272269 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF)
09:50:32.811430 172.16.17.31.39613 > 172.16.20.1.80: . ack 1 win 17520 <nop,nop,timestamp 1162263 3552379> (DF)
09:50:32.811759 172.16.17.31.39613 > 172.16.20.1.80: P 1:8(7) ack 1 win 17520 <nop,nop,timestamp 1162263 3552379> (DF)
09:50:32.844589 172.16.20.1.80 > 172.16.17.31.39613: . 1:1449(1448) ack 8 win 17520 <nop,nop,timestamp 3552379 1162263> (DF)
09:50:32.844714 172.16.17.31.39613 > 172.16.20.1.80: . ack 1449 win 16072 <nop,nop,timestamp 1162263 3552379> (DF)
09:50:32.844851 172.16.17.31.39613 > 172.16.20.1.80: F 8:8(0) ack 1449 win 16072 <nop,nop,timestamp 1162263 3552379> (DF)
09:50:32.845692 172.16.20.1.80 > 172.16.17.31.39613: . 1449:2897(1448) ack 8 win 17520 <nop,nop,timestamp 3552379 1162263> (DF)
09:50:37.757819 172.16.17.31.39621 > 172.16.20.1.80: S 454708950:454708950(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF)
271
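Reading this capture by hand means tracking each probe connection: the handshake, the 7-byte request the monitor sends, the bytes the server returns, and who closes. The parser below is an added example, not F5 code and not part of the course; it handles the classic tcpdump TCP line format shown above (the capture text is the slide's output re-joined onto one line per packet) and summarizes each flow by the BIG-IP's source port. The second SYN, about five seconds after the first, is what a monitor interval of 5 seconds (the BIG-IP default) looks like on the wire.

```python
"""Parser for the classic tcpdump TCP lines on the slide above, used to
rebuild the monitor's probe connections. Added example, not F5 code; the
capture text is the slide's output re-joined onto one line per packet."""
import re

CAPTURE = """\
09:50:32.811118 172.16.17.31.39613 > 172.16.20.1.80: S 444272268:444272268(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF)
09:50:32.811383 172.16.20.1.80 > 172.16.17.31.39613: S 1938541816:1938541816(0) ack 444272269 win 17520 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF)
09:50:32.811430 172.16.17.31.39613 > 172.16.20.1.80: . ack 1 win 17520 <nop,nop,timestamp 1162263 3552379> (DF)
09:50:32.811759 172.16.17.31.39613 > 172.16.20.1.80: P 1:8(7) ack 1 win 17520 <nop,nop,timestamp 1162263 3552379> (DF)
09:50:32.844589 172.16.20.1.80 > 172.16.17.31.39613: . 1:1449(1448) ack 8 win 17520 <nop,nop,timestamp 3552379 1162263> (DF)
09:50:32.844714 172.16.17.31.39613 > 172.16.20.1.80: . ack 1449 win 16072 <nop,nop,timestamp 1162263 3552379> (DF)
09:50:32.844851 172.16.17.31.39613 > 172.16.20.1.80: F 8:8(0) ack 1449 win 16072 <nop,nop,timestamp 1162263 3552379> (DF)
09:50:32.845692 172.16.20.1.80 > 172.16.17.31.39613: . 1449:2897(1448) ack 8 win 17520 <nop,nop,timestamp 3552379 1162263> (DF)
09:50:37.757819 172.16.17.31.39621 > 172.16.20.1.80: S 454708950:454708950(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF)
"""

# time src.port > dst.port: flags [seq:seq(len)] [ack N] win W ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SPFR.]+)"
    r"(?: (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)


def parse_line(line):
    """One tcpdump line -> dict, or None for lines that are not TCP packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hours, minutes, seconds = m["ts"].split(":")
    return {
        "ts": int(hours) * 3600 + int(minutes) * 60 + float(seconds),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
        "length": int(m["length"] or 0),
        "ack": int(m["ack"]) if m["ack"] else None,
    }


def summarize(capture, monitor_ip, server_ip, server_port):
    """Group packets into flows keyed by the monitor's source port and track
    handshake completion, payload bytes per side and who sent the first FIN."""
    flows = {}
    for pkt in filter(None, map(parse_line, capture.splitlines())):
        if pkt["src"] == monitor_ip and (pkt["dst"], pkt["dport"]) == (server_ip, server_port):
            port, side = pkt["sport"], "client"
        elif pkt["dst"] == monitor_ip and (pkt["src"], pkt["sport"]) == (server_ip, server_port):
            port, side = pkt["dport"], "server"
        else:
            continue
        f = flows.setdefault(port, {"first_ts": pkt["ts"], "syn": False, "synack": False,
                                    "handshake": False, "client_bytes": 0,
                                    "server_bytes": 0, "fin_from": None})
        if "S" in pkt["flags"]:
            if side == "client":
                f["syn"] = True
            elif pkt["ack"] is not None:
                f["synack"] = True
        elif side == "client" and f["syn"] and f["synack"] and pkt["ack"] is not None:
            f["handshake"] = True            # third packet: client ACKs the SYN-ACK
        f[side + "_bytes"] += pkt["length"]
        if "F" in pkt["flags"] and f["fin_from"] is None:
            f["fin_from"] = side
    return flows


def probe_intervals(flows):
    """Seconds between successive probe connections, in order of first packet."""
    starts = sorted(f["first_ts"] for f in flows.values())
    return [round(later - earlier, 3) for earlier, later in zip(starts, starts[1:])]
```

The 7 client bytes on port 39613 are the size of "GET /\r\n", the default http monitor Send String, and the BIG-IP closes with a FIN as soon as it has seen the response start; the incomplete flow on port 39621 is just the next probe cut off by the end of the capture, not a failure.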

Virtual Server Example


• Capture data of both internal & external interface
• tcpdump -i external -n host 10.10.17.25 and port 80
• tcpdump -i internal -n host 10.10.17.25 and port 80

Diagram: Client 10.10.17.25 → Internet → VS 10.10.17.100 → 172.16.20.1, 172.16.20.2, 172.16.20.3
272

tcpdump -i external -n host 10.10.17.25 and port 80


12:03:59.218520 10.10.17.25.1287 > 10.10.17.100.80: S 19608494:19608494(0) win 8192 <mss
1460,nop,nop,sackOK> (DF)
12:03:59.218775 10.10.17.100.80 > 10.10.17.25.1287: S 4036340102:4036340102(0) ack 19608495 win
17520 <mss 1460> (DF)
12:03:59.219598 10.10.17.25.1287 > 10.10.17.100.80: . ack 1 win 8760 (DF)
….
12:03:59.221980 10.10.17.100.80 > 10.10.17.25.1287: F 172:172(0) ack 279 win 17520 (DF)
12:03:59.222571 10.10.17.25.1287 > 10.10.17.100.80: . ack 173 win 8589 (DF)
12:03:59.223080 10.10.17.25.1287 > 10.10.17.100.80: F 279:279(0) ack 173 win 8589 (DF)

tcpdump -i internal -n host 10.10.17.25 and port 80
12:03:59.218600 10.10.17.25.1287 > 172.16.20.1.80: S 19608494:19608494(0) win 8192 <mss
1460,nop,nop,sackOK> (DF)
12:03:59.218749 172.16.20.1.80 > 10.10.17.25.1287: S 4036340102:4036340102(0) ack 19608495 win
17520 <mss 1460> (DF)
12:03:59.219619 10.10.17.25.1287 > 172.16.20.1.80: . ack 1 win 8760 (DF)
….
12:03:59.221965 172.16.20.1.80 > 10.10.17.25.1287: F 172:172(0) ack 279 win 17520 (DF)
12:03:59.222592 10.10.17.25.1287 > 172.16.20.1.80: . ack 173 win 8589 (DF)
12:03:59.223100 10.10.17.25.1287 > 172.16.20.1.80: F 279:279(0) ack 173 win 8589 (DF)

© F5 Networks, Inc.
273
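The two captures above show the same client connection on both sides of the BIG-IP: on the external interface the client talks to the virtual server, on the internal interface the same client socket reaches the pool member. The following is an added example (not part of the F5 course material) that parses tcpdump lines in the format shown on the slides and correlates the two legs; the captures are the slide's own lines with their wrapped continuations joined, and the "...." marker stands for packets the slide omitted.

```python
"""Parse the tcpdump output shown on the slides and correlate the external and
internal captures of one client connection through BIG-IP LTM.

Added example, not from the F5 course: parser and correlation logic are this
example's own and assume the classic tcpdump line format shown on the slides.
The captures below are the slide's lines with wrapped continuation lines
joined back together; "...." marks packets the slide omitted."""
import re
from typing import Dict, List, Tuple

# External interface: the client talks to virtual server 10.10.17.100:80.
EXTERNAL_CAPTURE = """\
12:03:59.218520 10.10.17.25.1287 > 10.10.17.100.80: S 19608494:19608494(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:03:59.218775 10.10.17.100.80 > 10.10.17.25.1287: S 4036340102:4036340102(0) ack 19608495 win 17520 <mss 1460> (DF)
12:03:59.219598 10.10.17.25.1287 > 10.10.17.100.80: . ack 1 win 8760 (DF)
....
12:03:59.221980 10.10.17.100.80 > 10.10.17.25.1287: F 172:172(0) ack 279 win 17520 (DF)
12:03:59.222571 10.10.17.25.1287 > 10.10.17.100.80: . ack 173 win 8589 (DF)
12:03:59.223080 10.10.17.25.1287 > 10.10.17.100.80: F 279:279(0) ack 173 win 8589 (DF)
"""

# Internal interface: the same client socket reaches pool member 172.16.20.1:80.
INTERNAL_CAPTURE = """\
12:03:59.218600 10.10.17.25.1287 > 172.16.20.1.80: S 19608494:19608494(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
12:03:59.218749 172.16.20.1.80 > 10.10.17.25.1287: S 4036340102:4036340102(0) ack 19608495 win 17520 <mss 1460> (DF)
12:03:59.219619 10.10.17.25.1287 > 172.16.20.1.80: . ack 1 win 8760 (DF)
....
12:03:59.221965 172.16.20.1.80 > 10.10.17.25.1287: F 172:172(0) ack 279 win 17520 (DF)
12:03:59.222592 10.10.17.25.1287 > 172.16.20.1.80: . ack 173 win 8589 (DF)
12:03:59.223100 10.10.17.25.1287 > 172.16.20.1.80: F 279:279(0) ack 173 win 8589 (DF)
"""

LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRU.]+) "
    r"(?:\d+:\d+\(\d+\) )?"
    r"(?:ack (?P<ack>\d+) )?win \d+")


def parse_capture(text: str) -> List[dict]:
    """One dict per parsable packet line; "....", blanks and headers are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["ack"] = int(p["ack"]) if p["ack"] else None
            packets.append(p)
    return packets


def summarize_flows(packets: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Group packets into connections keyed by the initiating (client) socket."""
    flows: Dict[Tuple[str, str], dict] = {}
    for p in packets:
        if "S" in p["flags"] and p["ack"] is None:        # bare SYN = client side
            flows[(p["src"], p["sport"])] = {
                "client": f'{p["src"]}:{p["sport"]}', "server": f'{p["dst"]}:{p["dport"]}',
                "handshake": False, "client_bytes": 0, "server_bytes": 0, "closed_by": set()}
    for p in packets:
        from_client = (p["src"], p["sport"]) in flows
        flow = flows.get((p["src"], p["sport"]) if from_client else (p["dst"], p["dport"]))
        if flow is None:
            continue
        if "S" in p["flags"]:
            flow["handshake"] |= (not from_client and p["ack"] is not None)  # SYN/ACK seen
            continue                      # SYN/ACK carries an absolute ack; skip it
        # After the handshake tcpdump prints relative ack numbers, so ack-1 is the
        # number of payload bytes the sender has received so far.
        if p["ack"] is not None:
            side = "server_bytes" if from_client else "client_bytes"
            flow[side] = max(flow[side], p["ack"] - 1)
        if "F" in p["flags"]:
            flow["closed_by"].add("client" if from_client else "server")
    return flows


def correlate(external_text: str, internal_text: str) -> List[dict]:
    """Pair each client-side connection with its server-side leg.

    Pairing is by client address:port, which only works when the virtual server
    does not SNAT; an external flow without an internal match was either SNATed
    (source rewritten) or never forwarded to a pool member."""
    outside = summarize_flows(parse_capture(external_text))
    inside = summarize_flows(parse_capture(internal_text))
    pairs = []
    for key, ext in outside.items():
        internal = inside.get(key)
        pairs.append({
            "client": ext["client"],
            "virtual_server": ext["server"],                          # destination before translation
            "pool_member": internal["server"] if internal else None,  # destination after translation
            "source_preserved": internal is not None,
            "handshake_both_sides": ext["handshake"] and bool(internal and internal["handshake"]),
            "client_bytes": ext["client_bytes"],
            "server_bytes": ext["server_bytes"],
            "closed_by": sorted(ext["closed_by"]),
        })
    return pairs
```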

Other tcpdump comments

• Saving output to a file:
  tcpdump –w <filename> host 10.10.10.30 and port 80
• FastL4 Virtual -> no tcpdump output

© F5 Networks, Inc.
274

bigtop Command

© F5 Networks, Inc.
275

bigtop Command options

• q  or  Ctrl  +  c  
• bigtop  –delay  #  
• bigtop  –n  
• bigtop  –once  
• bigtop  –once|more  

© F5 Networks, Inc.
276

bigstart Commands

• Actions
  • Stop, Start, Restart
  • Start on Boot, Include in Default
• Processes
  • bigd – Monitors
  • alertd – Notification
• bigstart status

© F5 Networks, Inc.
277

Connection Management

© F5 Networks, Inc.
278

Idle Connection Management

Memory Utilization
Reaper High Water Mark 95%
Reaper Low Water Mark 85%

When memory utilization reaches the High Water Mark, no new connections are allowed and the Idle Timeout is reduced more and more until memory use drops below the Low Water Mark.

Until memory utilization returns under the Low Water Mark, all half-open connections are dropped.

© F5 Networks, Inc.
279

VLANs

• Types of identification:
• Port
• MAC
• VLAN Tag
• VLAN Name

© F5 Networks, Inc.
280

VLAN Tagging in F5 terms


• 802.1q format
• Additional header on frame

© F5 Networks, Inc.
281

VLAN Trunking in F5 terms

Same as Fast Etherchannel or Port Channeling

© F5 Networks, Inc.
282

Restricting Network Access

Client Traffic:
• VS, SNAT, NAT – disable by VLAN
• iRules
Admin Traffic:
• Port Lockdown
• ssh Access
Switch Ports for Admin or Client Traffic:
• Packet Filters

© F5 Networks, Inc.
283

Virtual Server

• IP + Port “Listener” (e.g. Virtual Server 10.10.17.100:80)
• Disable by VLAN

© F5 Networks, Inc.
284

Port Lockdown
“Default”  list  includes:  
• UDP  –  DNS,  SNMP,  RIP  &  iQuery  
• TCP  –  SSH,  DNS,  SNMP,  HTTPS  &  iQuery  

© F5 Networks, Inc.
285

Restricting ssh Access

Diagram: BIG-IP 216.34.94.32 allows ssh from 216.34.94.* (216.34.94.15 from the Internet is allowed, 216.34.91.10 is denied)

© F5 Networks, Inc.
286

Packet Filters

© F5 Networks, Inc.
287

Packet Filter Rule Configuration

• Enable / Disable
• Filter Order
• Filter Actions
  • Accept, Discard, Reject, Continue
• Filters Logged?
• Filter on:
  • protocol
  • src or dest host or network
  • dest port
  • and, or, not
• Don’t apply to Mgmt port

© F5 Networks, Inc.
288
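The rule-evaluation model this slide describes (ordered rules, four actions, protocol/host/network/port matches combined with and/or/not, no effect on the management port), as an added example that is not F5 code and not BIG-IP's implementation: the rule builders, the `unhandled` default and the sample addresses (the 216.34.94.* allow list comes from the ssh slide, the rest is constructed) are this example's own assumptions.

```python
"""Ordered packet-filter evaluation as described on the slide: rules are tried
in filter order, the first Accept / Discard / Reject decides, a Continue rule
only logs and keeps evaluating, and filters never apply to the management port.

Added example, not F5 code and not BIG-IP's implementation: the rule builders,
the `unhandled` default action and the sample addresses are this example's own
(constructed) assumptions; only the actions and match fields come from the slide."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Pkt:
    proto: str                  # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ingress: str = "external"   # VLAN/interface the packet arrived on; "mgmt" = management port


Match = Callable[[Pkt], bool]


def proto_is(name: str) -> Match:
    return lambda p: p.proto == name


def src_in(net: str) -> Match:          # host ("216.34.91.10") or network ("216.34.94.0/24")
    n = ipaddress.ip_network(net, strict=False)
    return lambda p: ipaddress.ip_address(p.src) in n


def dst_in(net: str) -> Match:
    n = ipaddress.ip_network(net, strict=False)
    return lambda p: ipaddress.ip_address(p.dst) in n


def dport_is(port: int) -> Match:
    return lambda p: p.dport == port


def and_(*ms: Match) -> Match:
    return lambda p: all(m(p) for m in ms)


def or_(*ms: Match) -> Match:
    return lambda p: any(m(p) for m in ms)


def not_(m: Match) -> Match:
    return lambda p: not m(p)


@dataclass
class Rule:
    name: str
    action: str          # accept | discard | reject | continue
    match: Match
    log: bool = False    # "Filters Logged?"


@dataclass
class PacketFilter:
    rules: List[Rule]
    enabled: bool = True
    unhandled: str = "accept"   # assumption: action for packets no rule decides
    log: List[str] = field(default_factory=list)

    def evaluate(self, p: Pkt) -> str:
        # "Don't apply to Mgmt port": management traffic bypasses the filter entirely.
        if not self.enabled or p.ingress == "mgmt":
            return "accept"
        for r in self.rules:                        # filter order matters
            if not r.match(p):
                continue
            if r.log:
                self.log.append(f"{r.name}: {r.action} {p.proto} {p.src}->{p.dst}:{p.dport}")
            if r.action == "continue":              # log/count only, keep evaluating
                continue
            return r.action                         # first accept/discard/reject decides
        return self.unhandled


# Constructed rule set modelled on the "Restricting ssh Access" slide: ssh from
# 216.34.94.* is allowed, any other ssh is discarded and logged, HTTPS is counted.
SSH_RULES = [
    Rule("ssh-from-admin-net", "accept", and_(proto_is("tcp"), dport_is(22), src_in("216.34.94.0/24"))),
    Rule("ssh-from-elsewhere", "discard", and_(proto_is("tcp"), dport_is(22), not_(src_in("216.34.94.0/24"))), log=True),
    Rule("count-https", "continue", and_(proto_is("tcp"), dport_is(443)), log=True),
]


def demo():
    """Evaluate a few constructed packets against SSH_RULES; returns (verdicts, log)."""
    pf = PacketFilter(SSH_RULES)
    verdicts = {
        "admin_ssh":    pf.evaluate(Pkt("tcp", "216.34.94.15", "216.34.94.32", 22)),
        "stranger_ssh": pf.evaluate(Pkt("tcp", "216.34.91.10", "216.34.94.32", 22)),
        "https":        pf.evaluate(Pkt("tcp", "10.10.17.25", "10.10.17.100", 443)),
        # constructed management address; the filter must not touch this packet
        "mgmt_ssh":     pf.evaluate(Pkt("tcp", "216.34.91.10", "192.168.1.245", 22, ingress="mgmt")),
    }
    return verdicts, pf.log
```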

System Log

• Possible Messages Defined as Facility.Level

System Log -> Log Files, Remote Log, EMail
Alertd -> EMail, SNMP Traps, LCD

© F5 Networks, Inc.
289

Viewing Log Files


• Command Line
• tail, more, cat, …

• Configuration Utility
• System / Logs

© F5 Networks, Inc.
290

Log Files & Local Facilities

• LTM – /var/log/ltm – local0
• EM – /var/log/em – local1
• GTM – /var/log/gtm – local2
• ASM – /var/log/asm – local3
• iControl – /var/log/ltm – local4
• Packet Filter – /var/log/pktfilter – local5
• HTTPD Errors – /var/log/httpd/httpd_errors – local6
• Boot Process – /var/log/boot.log – local7

• Archived: /var/log/<file>.1.gz – /var/log/<file>.8.gz

© F5 Networks, Inc.
291

Changing syslog-ng.conf

• File – /var/run/config/syslog-ng.conf
• tmsh list /sys syslog remote-servers
• tmsh modify /sys syslog remote-servers add { <name> { host 10.10.17.30 } }
• bigstart status syslog-ng

© F5 Networks, Inc.
292

Configuring SNMP Traps

• Specifying Trap Destinations
  • /config/snmp/snmpd.conf
• Specifying Trap Events
  • /etc/alertd/alert.conf
  • /config/user_alert.conf

alert FilterHTTP "discard on vlan (.*?)" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.200";
    lcdwarn description="No WEB" priority="4";
    email toaddress="root"
          fromaddress="root"
          body="This is another test ..."
}

© F5 Networks, Inc.
293

Syslog & Command Line Labs (Pages 13-31 to 38)

1. Syslog remote server:
   tmsh modify /sys syslog remote-servers add {<name>{ host X.X.X.X }}
   tcpdump command for output
2. SNMP trap:
   Enable SNMP traps
   tcpdump command for output
3. iHealth:
   Upload qkview to iHealth & analyze
4. Optional Labs:
   Packet Filters, then DISABLE
   tcpdump, bigtop, bigstart

Lab diagram: Internet → BIG-IP 10.10.X.100 → 172.16.20.1, 172.16.20.2, 172.16.20.3

© F5 Networks, Inc.
294

Module 14: Administration Part 2


• Installation topics – Appendix A
• Administrative Roles & Partitions
• Admin Domains Lab
• Clustered MultiProcessing (CMP & vCMP)
• Sync-Only Administrative Groups
• Sync-Only Device Groups Lab

© F5 Networks, Inc.
295

install from tmsh

• Syntax
  • install /sys software image [image.iso] volume [HD1.#]
• Used for Hotfix also
  • install /sys software hotfix [hotfix.iso] volume [HD1.#]
• Install to Inactive Volume
• Set default boot
  • run /util bash –c “switchboot”
  • switchboot from linux
  • list /sys software volume [default-boot-location]

© F5 Networks, Inc.
296

switchboot

© F5 Networks, Inc.
297

System > Software Management


• Image List – List / Import Images
• Hotfix List – List / Import Hotfixes
• Boot Location – List / Change Boot

© F5 Networks, Inc.
298

Software Management > Image List


• List of Installed Images
• Import additional images
• Select image to install / create Volume

© F5 Networks, Inc.
299

User Roles & Partitions

• Roles
• Partition
• Terminal

© F5 Networks, Inc.
300

User Roles and Access

All Users – Access Varies
Administrators
User Managers

© F5 Networks, Inc.
301

User Roles and Access

• Administrators: Full Access
• Resource Administrators: Full Access to Local Traffic
• User Managers: Edit User Accounts
• Application Editors: Monitor Assignment; Enable/Disable Members and Nodes
• Operators: Enable/Disable Members
• Guest: View only

© F5 Networks, Inc.
302

Command Line Access


Terminal  Access  -­‐  Disabled  by  Default  
• tmsh:    command  line  shell  
• Advanced  Shell:    root  level  access  
• Only  Admins  and  Resource  Admins  
 

© F5 Networks, Inc.
303

Common Partition

• Installation objects
• Default Partition

Common

© F5 Networks, Inc.
304

Partitions – Common, Users, and Defined

• Object names unique
• Separate User Partition

Diagram: Partition 1 (vs_http1), Partition 2 (vs_http2), Common (vs_http, http_pool), User Partition (sjones, tbrown)

© F5 Networks, Inc.
305

Partitions – User Accounts – Example 1

Sjones
• Manager
• Partition 1 only
• But can use Objects from Common

Diagram: Partition 1 (vs_http1, http_pool), Partition 2 (vs_http2), Common (vs_http, http_pool), User Part5ition (Sjones)

© F5 Networks, Inc.
306

Partitions – User Accounts – Example 2

tbrown
• Operator – (Enable / Disable)
• All Partitions

Diagram: Partition 1 (vs_http1, pool1), Partition 2 (vs_http2, pool2), Common (vs_http, http_pool), User Partition (tbrown)

© F5 Networks, Inc.
307

Admin Partitions Lab (Page 14-6 to 8)

Add Partitions:
1. part1 & part2
Add users:
1. adm1 –> part1
2. adm2 –> part2
Add Resources:
1. VS2 & http2_pool in part2
2. VS1 & http1_pool in part1
3. New bigip.conf files in /config/partitions/

Lab diagram: Internet → BIG-IP 10.10.X.100 → 172.16.20.1, 172.16.20.2, 172.16.20.3

© F5 Networks, Inc.
308

CMP – Clustered Multi-Processing

• CMP accelerates traffic


• Only for multi-core systems
• Creates separate instances of TMM
• Workload shared between TMMs
• Automatically enabled on all Virtual Servers
• Enabled / Disabled by tmsh command

© F5 Networks, Inc.
309

CMP not SMP

• SMP = Symmetric Multi-Processing


• SMP distributes threads across multiple CPUs

• CMP allows multiple TMMs


• One TMM instance per CPU Core

© F5 Networks, Inc.
310

Without CMP

• TMM uses up to 100% of its CPU core
• Other CPU core for other processes

Diagram: Processor Core 1 – TMM (100%); Processor Core 2 – other processes

© F5 Networks, Inc.
311

With CMP

• TMM uses up to 90% of each CPU
• Each TMM instance references the same configuration

Diagram: Processor Core 1 – TMM0 (90%); Processor Core 2 – TMM1 (90%); both reference one Config
© F5 Networks, Inc.
312

With CMP

• Virtual Server connections are distributed across instances of TMM

Diagram: Virtual Server → TMM0 (Processor Core 1) and TMM1 (Processor Core 2)

© F5 Networks, Inc.
313

Virtual Clustered MultiProcessing (vCMP)

• Clustered MultiProcessing (CMP)


• Load balancing of multiple processing cores
• Dedicated memory, network interface, etc.
• Independent Traffic Manager Microkernel (TMM)
• Near 1:1 scaling

• Virtual Clustered MultiProcessing (vCMP)


• Hypervisor – first purpose-built
• Resource segmentation
• Independent virtual ADCs (BIG-IP)

© F5 Networks, Inc.
314

Multi-Tenancy and Virtualization

Feature | Multi-Tenancy | Virtualization
Resource Allocation | Flexible and Shared | Static & Dedicated
Operating System | Shared | Unique per Partition

Diagram: Multi-Tenancy – Partition 1, 2, 3 and 4 on one OS on the Hardware; Virtualization – Instance 1, 2, 3 and 4, each with its own OS, on a Hypervisor on the Hardware

© F5 Networks, Inc.
315

BIG-IP VIPRION vCMP


• Multiple BIG-IP Virtual Instances on VIPRION

© F5 Networks, Inc.
316

"
BIG-IP Platform Line-up "
VIPRION
"
4400"

VIPRION 2400"
 
 
assis
 
O N   Ch   2x  Quad  core  CPU  /  
V IPRI   4200  Blades    (4x)  
Price  

                       Quad  core  CPU  /  


                       2100  Blades  (4x)   "
"
" " BIG-IP 11000
" 2x  Hex  core  CPU  
" BIG-IP 8900
  S witch   " 2x  Quad  core  CPU  
ca= on " "
i
Appl "
"
" BIG-IP 6900
2x  Dual  core  CPU  
 
BIG-IP " 3900
 
  Quad  core  CPU  
    BIG-IP 3600
  Dual  core  CPU  
  BIG-IP 1600
Dual  core  CPU  

on s  
a l  Edi=
Virtu
Production"
© F5 Networks, Inc.
Lab" Func=on  /  Performance  
317

Administrative Folders

Similar to directories
• Hold objects
• In bigip_base.conf
• Partitions and iApps use folders
• Can tie to Sync-Only Device Groups

© F5 Networks, Inc.
318

Sync-Only Groups

• Synchronize config objects to many BIG-IPs


• Examples are Profiles, iRules
• NOT failover objects like Virtual Addresses

© F5 Networks, Inc.
319

Sync-Only Group Concepts

Diagram: BIG-IP_A (VS_A), BIG-IP_B (VS_B), BIG-IP_C (VS_C), BIG-IP_D (VS_D) and BIG-IP_E (VS_E) each keep their own virtual servers, while Profiles_A is synchronized across the Sync-Only group

© F5 Networks, Inc.
320

Sync-Only & Sync-Failover

Diagram: the same BIG-IP_A … BIG-IP_E, each with its own VS_A … VS_E and a synchronized copy of Profiles_A, combining a Sync-Only group with Sync-Failover groups

© F5 Networks, Inc.
321

Folders & Device Groups

© F5 Networks, Inc.
322

Sync-Only Group Lab (Page 14-16)

Steps:
1. Create Device Trust
2. Create Sync-Only Device Group
3. Create Folder /Common/Objects
4. Point Folder to Sync-Only Group
5. Add iRule & Profile to Folder
6. Synchronize to Group

© F5 Networks, Inc.
323

Module 15: Profiles part 2

• Full Proxy & TCP profiles


• HTTP Profile options
• OneConnect
• HTTP Compression
• HTTP Caching
• Streaming
• Authentication
• F5 Acceleration Technologies
© F5 Networks, Inc.
324

TMOS – Full Application Proxy

Diagram: Client side (TCP Express) – Syn, Syn-Ack, Ack, then Client Data between the Internet client and BIG-IP; Server side – a separate Syn, Syn-Ack, Ack, then Client Data to the server and the Server Response back; BIG-IP is a Full Proxy between the two connections

© F5 Networks, Inc.
325

Before Application Proxy at L4

Diagram: TCP flow – segments arrive as #1, #2, #4, #5, #3, #3; the resent bytes (#3) travel across the Internet all the way to the server, which sees the same out-of-order stream

© F5 Networks, Inc.
326

After Application Proxy at L4

Diagram: TCP flow – the client side still arrives as #1, #2, #4, #3, #3, #5 and the resent bytes are handled between client and BIG-IP; the server side receives #1, #2, #3, #4, #5 in order

© F5 Networks, Inc.
327

Other examples

TCP Express (client side) – TCP Gateway (server side)
• Servers with legacy TCP/IP stacks
• Different TCP profiles for client and server
• IP v4 on the client side, IP v6 on the server side

© F5 Networks, Inc.
328

TCP LAN and WAN default profiles


TCP LAN Optimized
• Proxy Buffer Low – 98304
• Slow Start – disable
• Bandwidth delay – disable
• Nagle – disable
• ACK on push – enable

TCP WAN Optimized


• Proxy Buffer Low – 131072
• Nagle – enable
• Selective ACKs – enable

© F5 Networks, Inc.
329

HTTP Profile Options

• Client Address Insertion
  • Allows retention of original client source address after SNAT
  • Custom HTTP header or an X-Forwarded-For header
• OneConnect
  • Reuse server side connections
• Chunking
  • Allows iRules and Compression to function with chunked HTTP data

© F5 Networks, Inc.
330

Chunking

• Unchunk
• Unchunk if chunked - send unchunked

• Rechunk
• Unchunk if chunked – send chunked

• Selective
• Unchunk if chunked – send as received

• Preserve
• If chunked, send unprocessed
• If unchunked, process and send
© F5 Networks, Inc.
331

Traffic Flow through BIG-IP LTM

1. Client sends request packet
2. BIG-IP LTM forwards requests to server
3. Server’s response may be chunked or unchunked
4. BIG-IP LTM may:
  • Chunk Unchunked Data
  • Unchunk Chunked Data
  • Leave Data Alone
  • Process Unchunked Data
© F5 Networks, Inc.
332
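The four chunking modes on the Chunking slide and the chunk / unchunk / leave alone / process choices listed above, as an added example that is not F5 code: a minimal chunked-encoding decoder and encoder plus a dispatcher that applies each mode. The sample response is constructed here, the "Server 3" -> "Node 333" rewrite (borrowed from the Stream profile lab) stands in for iRule or compression processing, and the handling of an unchunked response in Rechunk mode (chunked on the way out) is this example's own assumption.

```python
"""HTTP chunked-encoding handling in the four modes the HTTP profile offers
(Unchunk, Rechunk, Selective, Preserve), plus the "chunk / unchunk / leave
alone / process" choices from the Traffic Flow slide.

Added example, not F5 code: the decoder, encoder and mode dispatcher are this
example's own model of the slide's rules. Assumption: in Rechunk mode an
unchunked response is chunked on the way out. The sample response and the
"Server 3" -> "Node 333" rewrite (borrowed from the Stream profile lab) are
constructed here to stand in for iRule/compression processing."""
from typing import Callable, Dict, Tuple

Headers = Dict[str, str]
Transform = Callable[[bytes], bytes]


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body; chunk extensions are ignored, trailers dropped."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)                       # last-chunk; trailer section follows
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        out += body[pos:pos + size]
        pos += size + 2


def encode_chunked(payload: bytes, chunk_size: int = 1024) -> bytes:
    """Encode a payload as chunked transfer coding with a terminating last-chunk."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(out + b"0\r\n\r\n")


def is_chunked(headers: Headers) -> bool:
    return "chunked" in headers.get("transfer-encoding", "").lower()


def forward_response(mode: str, headers: Headers, body: bytes,
                     process: Transform) -> Tuple[Headers, bytes]:
    """Return the (headers, body) LTM would send to the client under `mode`."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    chunked = is_chunked(hdrs)
    if mode == "preserve" and chunked:
        return hdrs, body                           # leave data alone, unprocessed
    payload = process(decode_chunked(body) if chunked else body)   # process unchunked data
    send_chunked = {"unchunk": False, "rechunk": True,
                    "selective": chunked, "preserve": False}[mode]
    if send_chunked:                                # chunk (or re-chunk) on the way out
        hdrs.pop("content-length", None)
        hdrs["transfer-encoding"] = "chunked"
        return hdrs, encode_chunked(payload)
    hdrs.pop("transfer-encoding", None)             # send unchunked with a Content-Length
    hdrs["content-length"] = str(len(payload))
    return hdrs, payload


# Constructed sample: a chunked server response (two chunks, the first with a chunk extension).
CHUNKED_HEADERS = {"Content-Type": "text/html", "Transfer-Encoding": "chunked"}
CHUNKED_BODY = b"A;ext=1\r\n<p>Hello f\r\n10\r\nrom Server 3</p>\r\n0\r\n\r\n"
PLAIN_HEADERS = {"Content-Type": "text/html", "Content-Length": "26"}
PLAIN_BODY = b"<p>Hello from Server 3</p>"


def rewrite(payload: bytes) -> bytes:
    """Stand-in for processing: the Stream profile lab's "Server 3" -> "Node 333"."""
    return payload.replace(b"Server 3", b"Node 333")
```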

One Connect - Overview

• Keep Alives
• HTTP Version Variation
• Reuse of Idle connections
• Determining Idle Connections

• LTM Full Proxy


• Client Side and Server Side Connections
• Server Side Re-Use for Multiple Clients

© F5 Networks, Inc.
333

One Connect - Aggregation

Diagram: No Aggregation – Aggregation – Multiple Clients (each case shown between Internet clients, BIG-IP and the servers)

© F5 Networks, Inc.
334


One-Connect Profile

© F5 Networks, Inc.
336

HTTP Compression

• http Profile Setting

Diagram: Data to Client Compressed (Internet side); Data from Server Uncompressed

© F5 Networks, Inc.
337

HTTP Compression - Process

• Client → LTM
  • I can accept gzip / deflate traffic
  • I want file /host/path/info.html
• LTM → Server
  • I cannot accept compressed data
  • I want file /host/path/info.html
• Server → LTM
  • Here is your data
• LTM → Client
  • I compressed the data using deflate. Here it is.
© F5 Networks, Inc.
338

Configuring Compression

• Content Options
• URI Matching
• Content Type Matching

• Tuning Options
• Memory Management
• Compression Levels

© F5 Networks, Inc.
339

Compression Lab (Pages 15-12 to 13)

Steps:
1. Custom HTTP Profile
2. Verify Size of Data

Lab diagram: Internet → BIG-IP 10.10.X.10Y → 172.16.20.1, 172.16.20.2, 172.16.20.3

© F5 Networks, Inc.
340

RAM Cache

• Enhance client response
• Minimize server load
• Cache static reusable content

Diagram: Data Served from Cache to the Internet client; No Communication with Server

© F5 Networks, Inc.
341

HTTP Caching Process - Miss

• Client → LTM
  • I want this object
• LTM → Server
  • I want this object
• Server → LTM
  • Here is your data
• LTM → LTM RAM Cache
  • Cache appropriate data
• LTM → Client
  • Here is your data
© F5 Networks, Inc.
342

HTTP Caching Process - Hit

• Client → LTM
  • I want this object
• LTM → Client
  • Here is your data
• LTM RAM Cache
  • Update counters

© F5 Networks, Inc.
343

HTTP Caching - Configuration


• Content Options
• URI Matching
• Content Type Matching

• Tuning Options
• Memory Management

© F5 Networks, Inc.
344

Streaming Profile

© F5 Networks, Inc.
345

Authentication

• Valid Server types:
  • LDAP
  • Radius
  • TACACS
  • SSL Cert – LDAP
  • OCSP
• Valid Authentication – allow
• Invalid – disallow

Diagram: clients presenting a valid Cert or an Invalid Cert; BIG-IP checks them against the Authentication Server

© F5 Networks, Inc.
346

Configuring Authentication Profiles

© F5 Networks, Inc.
347

Optimization Technologies

Technology | Client side | Server side
SSL Term | Encrypted | Un-Encrypted
HTTP Compress | Compress | Un-Compress
One Connect | clients | Re-use connections
TCP Express | TCP client profile | TCP Server profile
Content Rewriting | iRule | iRule

Diagram: BIG-IP as a Full Proxy between the Internet (client side) and the servers (server side)

© F5 Networks, Inc.
348

Full Application Proxy – Another view

Client side (Client – BIG-IP) | Server side (BIG-IP – Server)
HTTP Compress | Not Compressed
SSL Encrypted | Not Encrypted
TCP WAN | TCP LAN
IP v6 | IP v4

OneConnect on the BIG-IP


© F5 Networks, Inc.
349

Optional Labs (Pages 15-24 to 25)

Optional: RAM Cache:
1. Custom HTTP Profile
2. Verify Number of Requests
3. View RAM Cache Object List
Optional: Stream Profile:
1. “Server 3” -> “Node 333”
Optional: Authentication:
1. iRule – sys_auth_ssl_cc_ldap

Lab diagram: Internet → BIG-IP 10.10.X.10Y → 172.16.20.1, 172.16.20.2, 172.16.20.3

© F5 Networks, Inc.
350

Module 16 – iApps

© F5 Networks, Inc.
351

iApps Outline

• Simplified Application Deployment


• Templates
• Application Services
• Analytics
• DevCentral EcoSystem
• iApps Lab

© F5 Networks, Inc.
352

v10 Templates and Deployment Guides

Exchange 2010 Deployment Guide

Saves (Minimum)
• 14 days to research (Exch)
• 14-21 days to research (F5)
• 5 days to setup test environment (Exch)
• 3 days to setup test environment (F5)
• 30 days to test (Exch/F5)
• 1 day implementation (Exch/F5)
Stats
• 100 pages of configuration
• 1200 steps
• 20% inputs
Costs
• 2 hours to read guide
• 8 hours to gather inputs
• 8 hours to configure
• 100 % chance of misconfigurations
© F5 Networks, Inc.
353

v10 Templates vs. iApps Templates

Feature | v10 | iApps
Deploy | Yes | Yes
Maintenance | No | Yes
Updates | With BIG-IP | Yes
Customize | No | Yes
EcoSystem (DevCentral) | No | Yes
Application View | No | Yes
Analytics and Statistics | No | Yes
Multiple Module | No | Yes

© F5 Networks, Inc.
354

BIG-IP v10: Maintaining Application Objects

Application Objects (Virtual Servers, Pools, Monitors, Profiles, Policies, iRules) are maintained one by one:
• vs_owa – owa_pool – owa monitor – TCP profile – OWA_Accel policy – HTTP redirect iRule
• vs_anywhere – rpc.ca_pool – anywhere monitor – HTTP profile – AAA policy – OWA append iRule
• vs_activesync – pop3_pool – activesync monitor – NTLM profile – SSO policy
• vs_autodiscvr – imap_pool – autodiscovr monitor – Client.SSL profile – Universal Persistence iRule
• vs_rpc.ca – rpc.ca monitor – OneConnect profile
• vs_pop3 – pop3 monitor – Cookie profile
• vs_imap – imap monitor – Src.Addr.Af profile
• Class profile
© F5 Networks, Inc.
355

BIG-IP v11: Managing Applications

Diagram: the objects from the previous slide regrouped per application – an Exchange 2010 Application (vs_owa and vs_vpn with owa_pool and vpn_pool, their owa and pop3 monitors, Client.SSL, OWA_Accel and HTTP profiles, SSO policy and OWA append, HTTP redirect, Proxy Pass, Throttle and Reporting iRules) and an Oracle 11 Application (www.co.com → vs_com with www_pool, intra.co.com → vs_intra with intra_pool, Oracle and HTTP monitors, Client.SSL, Wk_Encrypt, HTTP and TCP profiles, Intra Access and Cont.type policies, Redirect and FTP iRules) – so that each application's Virtual Servers, Pools, Monitors, Profiles, Policies and iRules are managed together
© F5 Networks, Inc.
356

iApps Defined
• Application management framework
• Application focused
• Standard structure
• Custom solutions

• Simplify deployment and maintenance


• Templates - deploy
• Application Service - manage
• Contextual view
• Analytics and statistics
• Multiple Module support:
LTM, GTM, APM, WAM, WOM, ASM, AVR

© F5 Networks, Inc.
357

iApps Components

1. Application Services
2. iApps Templates
3. Analytics and Statistics
4. DevCentral Ecosystem

© F5 Networks, Inc.
358

Application Services

• Folder containing iApp objects


• Management interface
• Initial configuration (Deployment)
• Reconfiguration (Maintenance)

• Four tabs:
• Properties - Object properties
• Reconfigure - Allows changes to initial configuration
• Components - Hierarchy and Availability view
• Analytics - Statistics grouped by application

© F5 Networks, Inc.
359

iApps Templates

• Application requirements
• 20+ iApps templates
• Multiple deployments
• Customize template
• Copy existing template
• Export / Import template
• From Scratch
• DevCentral EcoSystem

© F5 Networks, Inc.
360

iApps Template Sections

• Sections include:
  • Presentation to users – Presentation: APL
  • Implementation of inputs – Implementation: TMSH / TCL
  • Help inline – Help: HTML
• DevCentral EcoSystem
  • F5 supported Templates
  • Additional Templates

© F5 Networks, Inc.
361

The Presentation Section

• Visual aspect of template


• Application Presentation
Language (APL)

© F5 Networks, Inc.
362

The Implementation Section


• The creation of Application Service
• BIG-IP Objects:
• Virtual Servers
• Pools
• Monitors
• Profiles

• Total Control Language (TCL)


• Logic structure

• Traffic Management Shell (TMSH)


• TMOS control

© F5 Networks, Inc.
363

The Help Section

• The support information
• Help created with an HTML sub-set (partial tag list visible on the slide: b, blo…, br, cod…, dd, dl, dt, em)

<p><b>HTTP web Template</b></p>
<p>This template creates a complete … implementations. Before you start: </p>
<ul>
  <li>Check System :: Resource Provisioning to ensure that LTM (local traffic manager) is provisioned.</li>
  …
</ul>
<p><b>Sync and/or Failover Groups</b></p>

© F5 Networks, Inc.
364

iApps Analytics

• Application Visibility and Reporting module
• Real-time application performance statistics
• Application level reports
• Application performance tuning

© F5 Networks, Inc.
365

Captured Transactions

• Troubleshooting
  • 1000 transactions
  • Requests
  • Responses
• Analytics profile
  • Filters
  • Local logging
  • Remote logging
    • syslog server
    • SIEM device (e.g. Splunk)

© F5 Networks, Inc.
366

iApps Ecosystem

• Share custom iApps templates


• Updates for F5 iApps templates
• Discuss iApps implementations
• Tips from other users and F5 support

© F5 Networks, Inc.
367

iApps Codeshare on DevCentral


F5 Contributed iApps Templates:
• HTTP with Arbitrary iRule Addition
• HTTP with Priority Group Activation
• DNSExpress iApp
• Microsoft Lync Server 2010 Updated iApp
• Citrix XenApp / XenDesktop Combined Load-balancing iApp

F5 Contributed iApp Libraries:


• IP Matching Data Profile iApp
• Generic per Object Metadata Library
• Custom iApp data profiles and other useful procedures

list as of 10.2011
© F5 Networks, Inc.
368

Provision AVR

© F5 Networks, Inc.
369

Creating Analytics Profile

© F5 Networks, Inc.
370

Configuring Application Services

© F5 Networks, Inc.
371

Reconfiguring Application Services

© F5 Networks, Inc.
372

Application Services Components

© F5 Networks, Inc.
373

Components

• Application centric view


• Associated objects
• Enable/Disable objects
• Links to objects

© F5 Networks, Inc.
374

Application Services Analytics

© F5 Networks, Inc.
375

iApps Lab (Page 16-10 to 20)

Provisioning:
1. Provision AVR
Application Service:
1. my_web
2. f5.http template
3. vs 10.10.X.110
2nd Application Service:
1. Customize template
2. my_other_web
3. my_http_template
4. vs 10.10.X.111
5. View status
Analytics:
1. Drive traffic
2. View statistics
3. Capture traffic
© F5 Networks, Inc.
376

Course Outline
Day 1
1. Installation
2. Load Balancing
3. Health Monitors
4. Profiles
5. Persistence
6. Processing SSL Traffic
7. Lab Project 1
Day 2
8. NATs and SNATs
9. iRules
10. High Availability
11. High Availability Part 2
© F5 Networks, Inc.
377

Course Outline
Day 3
12. Command Line – tmsh
13. Administration
14. Administration part 2
15. Profiles part 2
16. iApps
Day 4
17. Virtual Servers part 2
18. SNATs part 2
19. Monitors part 2
20. Persistence part 2
21. iRules part 2
22. Lab Project 2
© F5 Networks, Inc.
378

Module 17: Virtual Servers part 2

• Virtual Server Concepts


• Network VS
• Forwarding VS
• More specific – Less specific

• Forwarding VS Lab
• Path Load Balancing
• Transparent VS

• Auto Last Hop

© F5 Networks, Inc.
379

Virtual Server configuration

Destination “Listener”
• Host
• Network

What to do with packet
• Standard (LB)
• Forwarding
• FastL4

© F5 Networks, Inc.
380

Network Forwarding Virtual Server

Clients route -> BIG-IP
No Address Translation

Diagram: clients on the 10.10/16 network → Internet → Forwarding Virtual Server 172.16.0.0:0 → 172.16.20.1, 172.16.20.22, 172.16.20.98

© F5 Networks, Inc.
381

Disabling ARPs and VLANs

© F5 Networks, Inc.
382

Multiple Virtual Servers

Destination Listener (Most Specific to Least Specific):
• Specific IP : Specific Port
• Specific IP : All Ports
• Network IP : Specific Port
• Network IP : All Ports
• All IPs : All Ports

More in Architecting class

© F5 Networks, Inc.
383
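The listener precedence above, as an added example that is not F5 code: a ranking function that picks the most specific enabled virtual server for a packet, honouring the "disable by VLAN" option, applied to a constructed table that follows the Forwarding Virtual Server Lab steps (a 172.16.0.0 forwarding VS, a 172.16.0.0:80 reject VS, and a 172.16.20.2:* forwarding VS enabled only on the external VLAN).

```python
"""Virtual server selection by destination-listener specificity, as on the
"Multiple Virtual Servers" slide: Specific IP:Specific Port beats Specific
IP:All Ports, then Network IP:Specific Port, Network IP:All Ports, and finally
All IPs:All Ports. A listener disabled on the ingress VLAN is skipped.

Added example, not F5 code: the ranking function and the constructed virtual
server table (taken from the Forwarding Virtual Server Lab steps) are this
example's own."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class VirtualServer:
    name: str
    destination: str            # host "10.10.17.100" or network "172.16.0.0/16"; "0.0.0.0/0" = all IPs
    port: int                   # 0 = all ports
    vs_type: str = "standard"   # standard (LB) | forwarding | reject
    vlans: Optional[FrozenSet[str]] = None   # None = enabled on all VLANs

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.destination, strict=False)

    def matches(self, dst_ip: str, dst_port: int, vlan: str) -> bool:
        if self.vlans is not None and vlan not in self.vlans:
            return False                               # "disable by VLAN"
        if self.port not in (0, dst_port):
            return False
        return ipaddress.ip_address(dst_ip) in self.network()

    def specificity(self):
        """Sort key: lower sorts first, i.e. is more specific.

        Host listeners beat network listeners, a specific port beats all ports,
        and among network listeners a longer prefix beats a shorter one, which
        places 0.0.0.0:0 last."""
        net = self.network()
        is_host = net.prefixlen == net.max_prefixlen
        has_port = self.port != 0
        rank = {(True, True): 0, (True, False): 1,
                (False, True): 2, (False, False): 3}[(is_host, has_port)]
        return (rank, -net.prefixlen)


def select_virtual_server(vservers: List[VirtualServer], dst_ip: str,
                          dst_port: int, vlan: str = "external") -> Optional[VirtualServer]:
    """Return the most specific enabled listener for the packet, or None."""
    candidates = [v for v in vservers if v.matches(dst_ip, dst_port, vlan)]
    return min(candidates, key=VirtualServer.specificity) if candidates else None


# Constructed table following the Forwarding Virtual Server Lab steps.
LAB_VIRTUALS = [
    VirtualServer("vs_http", "10.10.17.100", 80),                            # Specific IP : Specific Port
    VirtualServer("fw_172_16", "172.16.0.0/16", 0, "forwarding"),           # Network IP : All Ports
    VirtualServer("reject_172_16_http", "172.16.0.0/16", 80, "reject"),      # Network IP : Specific Port
    VirtualServer("fw_web2", "172.16.20.2", 0, "forwarding",
                  vlans=frozenset({"external"})),                           # Specific IP : All Ports, external only
]
```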

Forwarding Virtual Server Lab (Page 17-3)

Network Forwarding VS:
1. http://172.16.20.1 doesn’t work
2. Add FW VS - 172.16.0.0
3. http://172.16.20.1, .2 & .3 - work
4. https and ssh to 172.16 – work
Reject VS:
1. Add 172.16.0.0:80 reject VS
2. http://172.16.20.X doesn’t work
3. Add FW VS 172.16.20.2:* but only enable on External VLAN
4. Only http://172.16.20.2 works

Delete 172.16 Virtuals

Lab diagram: Internet → BIG-IP (forwarding VS 172.16.0.0) → 172.16.20.1, 172.16.20.2, 172.16.20.3

© F5 Networks, Inc.
384

Path Load Balancing

• Multiple Components
• Transparent Virtual Server
• Auto Last Hop
• Transparent Monitor

• Troubleshooting

© F5 Networks, Inc.
385

Transparent Virtual Servers

• Transparent Virtual Server - through not to pool members - no address translation
• Network Transparent Virtual Server
• Wildcard Virtual Server 0.0.0.0:0 –> all networks

Diagram: Internet → ISP #1 / ISP #2 → Virtual Server 0.0.0.0:0 → 172.16.20.3

© F5 Networks, Inc.
386

Transparent Virtual Servers

Diagram: RouterPool members 211.1.1.254 (ISP #1, MAC 02…01) and 222.2.2.254 (ISP #2, MAC 02…02). A packet Src x.x.x.x, Dest 216.34.94.17 arrives at Virtual Server 0.0.0.0:0; with No Destination IP Address Translation it leaves still addressed Src x.x.x.x, Dest 216.34.94.17, but sent to MAC 02:00:00:00:00:01 (the selected router)
© F5 Networks, Inc.
387

Transparent Virtual Servers

Client routing: to reach 202.1.1.0/24, go to the BIG-IP

Virtual Server
• Load Balancing type
• Address Translation disable
• Port Translation disable
• Default Pool:
  – 201.1.1.1
  – 201.1.1.2

Diagram: client 190.1.1.1 on 190.1.1.0/24 sends Src 190.1.1.1, Dest 202.1.1.1; the BIG-IP (.254 addresses on the 190.1.1.0/24 and 200.1.1.0/24 networks, VS 202.1.1.0, No IP Address Translation) forwards the unchanged packet via pool member 201.1.1.1 or 201.1.1.2 on 201.1.1.0/24 towards 202.1.1.0/24 (.1, .2, .3)

© F5 Networks, Inc.
388

Transparent Virtual Server

Diagram: client 207.17.117.21 sends Src 207.17.117.21, Dest 216.34.94.17 across the Internet to Virtual Server 216.34.94.0:0 (No IP Address Translation); BIG-IP forwards Src 207.17.117.21, Dest 216.34.94.17 to MAC 02:00:00:00:00:02, i.e. RouterPool member 216.34.100.2 on the 216.34.100.0 network (members 216.34.100.1, 216.34.100.2, 216.34.100.3 with MACs 02…01, 02…02, 02…03), which reaches the 216.34.94.0 network
© F5 Networks, Inc.
389

Auto Last Hop Feature

Request #1
• Thru ISP #1
• Reply needs to return thru ISP #1 not ISP #2
Request #2
• Forward and back thru ISP #2

Diagram: Internet → ISP #1 and ISP #2 → BIG-IP, which has a single Default Gateway

© F5 Networks, Inc.
390

Path Load Balancing – Inbound

Inbound Request
• LTM#1 – Transparent VS
• LB Thru IDS #1
• LTM#2 – LB Nodes
Return Path
• Thru same IDS #1 – Last Hop
Request #2
• In and Out thru IDS #2

Diagram: Internet → 199.1.1.0/24 → LTM #1 (Active) → 200.1.1.0/24 → IDS #1 / IDS #2 / IDS #3 → 201.1.1.0/24 → LTM #2 (Active) → 202.1.1.0/24

© F5 Networks, Inc.
391

Path Load Balancing – Outbound

Outbound Request
• Wildcard VS – LTM#2 – LB thru IDSs
• LTM#1 – LB Links
Return Path same, why?
• Same ISP – SNAT
• Same IDS – Last Hop LTM#1
Request #2
• Out & In same path

Diagram: ISP#1 / ISP#2 → 199.1.1.0/24 → LTM#1 → 200.1.1.0/24 → IDS #1 / IDS #2 / IDS #3 → 201.1.1.0/24 → LTM#2 → 202.1.1.0/24

© F5 Networks, Inc.
392

Configuration Overview

• Inbound traffic – non-translating


• Outbound traffic – non-translating
• Inbound traffic – translating
• Outbound traffic - translating

© F5 Networks, Inc.
393

Module 18: SNATs part 2

• SNAT Review
• More on SNATs
• SNAT Labs

• VIP Bounceback
• VIP Bounceback Lab

• Other SNAT Options

© F5 Networks, Inc.
394

SNATs

Who can be changed – Listener traffic from
Changed to what
Where packet arrived from

Diagram: 172.16.20.1, 172.16.20.22, 172.16.20.98 → BIG-IP → SNAT 207.10.1.102 → Internet

© F5 Networks, Inc.
395

SNATs: Example 1

Many non-publicly routable to one routable address

Diagram: 172.16.20.1, 172.16.20.22, 172.16.20.98 → BIG-IP → SNAT 207.10.1.33 → Internet

© F5 Networks, Inc.
396

SNATs: Example 2

Servers’ default route not through LTM → Packets do not return via BIG-IP
Add SNAT: Packets return via BIG-IP

Diagram: Internet → VS 207.10.1.100 on BIG-IP → servers, whose default gateway (GW) bypasses the BIG-IP

© F5 Networks, Inc.
397

SNAT Automap Address used

Diagram: traffic exiting toward the Internet is translated to 10.10.X.33; traffic exiting toward the servers (172.16.20.1, 172.16.20.22, 172.16.20.98) is translated to 172.16.X.33

© F5 Networks, Inc.
398

SNAT Automap Traffic Flow

Diagram: server 172.16.20.3 sends Dest 150.150.1.1, Src 172.16.20.3; BIG-IP rewrites the source to its Self IP 200.1.2.3 (Dest 150.150.1.1, Src 200.1.2.3) toward the Internet host 150.150.1.1

© F5 Networks, Inc.
399

SNAT Automap Traffic Flow

• If enabled for multiple self IP’s
• Eliminates problem running out of ports

Diagram: server 172.16.20.3 → BIG-IP with Self IPs 200.1.1.1 and 200.1.1.3 → Internet

© F5 Networks, Inc.
400

SNAT Automap ISP #1

First request is Load Balanced to router on ISP #1 using wildcard Virtual Server

Diagram: server 172.16.20.3 sends Dest X.X.X.X, Src 172.16.20.3 to Virtual Server 0.0.0.0:0; BIG-IP (Self IPs 222.2.10.10 toward ISP #2 and 211.1.10.10 toward ISP #1) forwards Dest X.X.X.X, Src 211.1.10.10 via ISP #1 (211.1 / 16); ISP #2 is 222.2 / 16
© F5 Networks, Inc.
401

SNAT Automap ISP #2

Second request is Load Balanced to router on ISP #2 using wildcard Virtual Server

Diagram: server 172.16.20.3 sends Dest Y.Y.Y.Y, Src 172.16.20.3 to Virtual Server 0.0.0.0:0; BIG-IP (Self IPs 222.2.10.10 toward ISP #2 and 211.1.10.10 toward ISP #1) forwards Dest Y.Y.Y.Y, Src 222.2.10.10 via ISP #2 (222.2 / 16); ISP #1 is 211.1 / 16
© F5 Networks, Inc.
402

SNAT ISP #1

(diagram: RouterPool members 211.1.1.254 (ISP #1, MAC 02:00:00:00:00:01) and 222.2.2.254 (ISP #2, MAC 02:00:00:00:00:02); self IPs 211.1.1.33 and 222.2.2.33; wildcard virtual server 0.0.0.0:0; client 172.16.20.3)

Client packet:                        Src 172.16.20.3, Dest 216.34.94.17
Load balanced to the ISP #1 router:   Src 211.1.1.33, Dest 216.34.94.17, destination MAC 02:00:00:00:00:01

403

SNAT ISP #2

Same client packet (Src 172.16.20.3, Dest 216.34.94.17) load balanced to the ISP #2 router:
                                      Src 222.2.2.33, Dest 216.34.94.17, destination MAC 02:00:00:00:00:02

404

SNATpool Configuration

© F5 Networks, Inc.
405

SNAT Automap & SNAT Pool

• Automap changed to what


• Floating Self IP Addresses
• Egress VLANs

• SNATpool changed to what


• Pool of Addresses
• Egress VLANs

© F5 Networks, Inc.
406

SNATpool member used

• Traffic exiting toward the 10.10.10.0 side uses the SNATpool member on that VLAN: 10.10.10.10
• Traffic exiting toward the 172.16 side uses the SNATpool member on that VLAN: 172.16.2.2
(diagram: servers 172.16.20.1, 172.16.20.22, 172.16.20.98 behind the BIG-IP)

407

SNATs as listeners

(diagram: hosts 172.16.20.1 and 192.168.5.3 behind the BIG-IP; VS 0.0.0.0:0; SNAT to 207.10.1.102 toward the Internet)

• Listener traffic from 172.16 is translated: 172.16 -> 207.10.1.102
• 192.168 traffic is not SNATed
• Without the wildcard VS, only the 172.16 traffic is processed by the LTM, because the SNAT itself is the listener; the 192.168 traffic is not

408

SNAT recommendations

• At least one SNATpool member for each exit VLAN

SNATpool members      Enabled on VLANs
172.16.X.X            172.16.X.X
192.168.X.X           192.168.X.X
205.X.X.X             205.X.X.X
10.X.X.X              10.X.X.X

409

SNAT configuration

• Source IP
• IP Address
• SNATpool
• Automap

• Configured in:
• SNAT (client source listener)
• Within VS (Automap or SNATpool)

© F5 Networks, Inc.
410

Multiple SNATs

When more than one SNAT could apply to a connection, the most specific one wins:

Most specific
• SNAT within the Virtual Server (Automap or SNATpool set on the VS)
• SNAT object whose origin is a specific IP
• SNAT object whose origin is a network
• SNAT object whose origin is all IPs
Least specific
(diagram: Internet, BIG-IP, servers)

411
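The precedence just described, with Automap and SNATpool address selection, as an added worked example in Python (a model written for this page, not F5 code). It assumes the lab self IPs used throughout this deck (.31 non-floating and .33 floating on the external 10.10.X and internal 172.16.X VLANs); the SNAT objects, the SNAT pool members and the client addresses are constructed, and the fallback from a floating to a non-floating self IP is an assumption:

```python
"""How BIG-IP LTM picks a SNAT translation address: a model in Python.

Added example, not F5 code. A SNAT set on the virtual server wins;
otherwise the SNAT object whose origin matches most specifically
(single IP, then network, then all). Automap uses a self IP on the egress
VLAN (floating preferred); a SNAT pool uses the member that sits on the
egress VLAN's subnet, which is why one member per exit VLAN is recommended.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SelfIP:
    address: str      # CIDR form, e.g. "10.10.1.33/16"
    vlan: str
    floating: bool


@dataclass(frozen=True)
class SnatObject:
    origin: str       # "all", a single address, or a network in CIDR form
    translation: str  # "automap", "pool:<name>", or one literal address


def specificity(origin):
    """Longer prefix = more specific; 'all' ranks below any address."""
    if origin == "all":
        return -1
    return ipaddress.ip_network(origin, strict=False).prefixlen


def matches(obj, client_ip):
    if obj.origin == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(obj.origin, strict=False)


def automap_address(egress_vlan, self_ips):
    """Self IP on the VLAN the packet leaves through: floating first,
    non-floating as a fallback (the fallback order is an assumption)."""
    on_vlan = [s for s in self_ips if s.vlan == egress_vlan]
    for want_floating in (True, False):
        for s in on_vlan:
            if s.floating == want_floating:
                return str(ipaddress.ip_interface(s.address).ip)
    raise LookupError(f"no self IP on VLAN {egress_vlan!r}")


def snatpool_member(members, egress_vlan, self_ips):
    """Pool member on the egress VLAN's subnet. None means the pool has no
    member there: the packet would leave with an address the far-side
    router cannot route back through this BIG-IP."""
    for s in self_ips:
        if s.vlan != egress_vlan:
            continue
        subnet = ipaddress.ip_interface(s.address).network
        for m in members:
            if ipaddress.ip_address(m) in subnet:
                return m
    return None


def resolve_snat(client_ip, egress_vlan, self_ips, pools, snat_objects, vs_snat=None):
    """Source address the packet leaves with, or None when no SNAT applies."""
    choice = vs_snat                                   # VS-level SNAT is most specific
    if choice is None:
        hits = [o for o in snat_objects if matches(o, client_ip)]
        if hits:
            choice = max(hits, key=lambda o: specificity(o.origin)).translation
    if choice is None:
        return None
    if choice == "automap":
        return automap_address(egress_vlan, self_ips)
    if choice.startswith("pool:"):
        return snatpool_member(pools[choice[len("pool:"):]], egress_vlan, self_ips)
    return choice                                      # single translation address


# Lab topology from this deck (station 1): .31 non-floating, .33 floating.
LAB_SELF_IPS = (
    SelfIP("10.10.1.31/16", "external", False),
    SelfIP("10.10.1.33/16", "external", True),
    SelfIP("172.16.1.31/16", "internal", False),
    SelfIP("172.16.1.33/16", "internal", True),
)
# Constructed: one SNAT pool member per exit VLAN, as the slides recommend.
LAB_POOLS = {"lab_snatpool": ["10.10.1.100", "172.16.1.100"]}
# Constructed SNAT objects: all addresses, the server network, and one host.
LAB_SNATS = (
    SnatObject("all", "10.10.1.102"),
    SnatObject("172.16.20.0/24", "pool:lab_snatpool"),
    SnatObject("172.16.20.3", "10.10.1.103"),
)


def demo():
    args = (LAB_SELF_IPS, LAB_POOLS, LAB_SNATS)
    return {
        "host-specific SNAT": resolve_snat("172.16.20.3", "external", *args),
        "network SNAT pool": resolve_snat("172.16.20.1", "external", *args),
        "catch-all SNAT": resolve_snat("192.168.5.3", "external", *args),
        "VS automap, outbound": resolve_snat("172.16.20.1", "external", *args, vs_snat="automap"),
        "VS automap, bounceback": resolve_snat("172.16.20.1", "internal", *args, vs_snat="automap"),
        "pool with no member on VLAN": snatpool_member(["10.10.1.100"], "internal", LAB_SELF_IPS),
    }


if __name__ == "__main__":
    for label, address in demo().items():
        print(f"{label:28} -> {address}")
```

The last case in demo() is the misconfiguration the recommendations slide warns about: a SNAT pool with no member on the internal VLAN cannot give a VIP-bounceback connection a source address the database servers route back through the BIG-IP.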

SNAT Labs                                           Page 18-10 to 12

More / less specific SNATs:
• vs_https: SNAT Automap
• 10.10.X network: SNATpool
• All Addresses SNAT
SNATs as listeners:
• traffic to 172.16.20.1
• Disable VLAN / Pool
(lab diagram: Internet; VS 10.10.X.100; servers 172.16.20.1, 172.16.20.2, 172.16.20.3)

412

VIP Bounceback: a SNAT Application

• Issue: Servers have path back to client NOT


via LTM system
• Directly Connected
• Alternate Default Route

• Required: Force Return via LTM

© F5 Networks, Inc.
413

VIP Bounceback: Example

• Two-tiered application
• Client requests load balanced across the web servers
• Web server requests load balanced across the database servers
• Issue: database responses go directly to the web servers, not back through the LTM
• Solution: SNAT the traffic
(diagram: Internet; BIG-IP; Database Servers; Web Servers)

414

VIP Bounceback

(diagram: Internet client 190.1.1.1; VS Web Servers 200.1.1.100 with pool members 172.16.20.1-3; VS DB Servers 172.16.1.100 with pool members 172.16.1.1-3; BIG-IP self IPs 200.1.1.254 and 172.16.1.254; web servers 172.16.20.1, .2, .3; database servers 172.16.1.1, .2, .3)

1. Client request: Src 190.1.1.1, Dst 200.1.1.100, load balanced to web server 172.16.20.2
2. The web server needs information from the database servers to process the request, so it sends: Src 172.16.20.2, Dst 172.16.1.100 (the DB virtual server)
3. Without address translation the database server 172.16.1.2 would answer 172.16.20.2 directly (same subnet, or its own default route), bypassing the BIG-IP. To avoid this routing issue, VS DB Servers needs a NAT/SNAT: the BIG-IP forwards Src 172.16.1.254, Dst 172.16.1.2
4. Database reply: Src 172.16.1.2, Dst 172.16.1.254, which the BIG-IP returns to the web server as Src 172.16.1.100, Dst 172.16.20.2

415

VIP Bounceback Lab                                  Page 18-14

Optional lab. Steps:
1. Add pool http_outside with members 10.10.20.1, 10.10.20.2 & 10.10.20.3
2. Create VS 10.10.X.102:80
3. Test the VS; it doesn't work. Use tcpdump to check: the pool members are on the same VLAN as the client PC 10.10.X.30, so their replies go straight to the client and bypass the BIG-IP
4. Add a SNAT to the VS
5. Test again; it works
(lab diagram: PC 10.10.X.30; VS 10.10.X.102; servers 10.10.20.1, 10.10.20.2, 10.10.20.3)

416

Additional SNAT Options

• UDP & TCP or All Traffic


• SNATing in an iRule

© F5 Networks, Inc.
417

SNAT Example: Using an iRule

Select a SNAT pool from the port the client connected to (in CLIENT_ACCEPTED, TCP::local_port is the virtual server's port). The branches must be joined as "} elseif {" on one line, because in Tcl a newline ends the if command:

    when CLIENT_ACCEPTED {
        if { [TCP::local_port] == 531 } {
            snatpool chat_snatpool
        } elseif { [TCP::local_port] == 25 } {
            snatpool smtp_snatpool
        } else {
            snatpool other_snatpool
        }
    }

418

SNAT Example: Using an iRule

Choose both a SNAT pool and a destination pool from the port of the client's connection:

    when CLIENT_ACCEPTED {
        set MYPORT [TCP::local_port]
        switch $MYPORT {
            80 { snatpool SNATPool_80
                 pool http_pool }
            443 { snatpool SNATPool_443
                  pool https_pool }
            default { pool Pool_Other }
        }
    }

(diagram: Internet; GW; HTTP & HTTPS pools; Pool_Other)

419

SNATing in an iRule

(diagram: Internet reached through two pairs of routers; VLAN External 1 = 150.10.10.0/24, VLAN External 2 = 160.10.10.0/24; VLAN Internal = 172.16.16.0/24 with the clients)

420

SNAT Example: Using an iRule

(same topology: External 1 = 150.10.10.0/24, External 2 = 160.10.10.0/24, Internal = 172.16.16.0/24 with the clients)

Each SNAT pool has one member on each external VLAN, so whichever router the wildcard virtual server picks, a translation address on that VLAN is available:

SNATPool_80       SNATPool_443      SNATPool_Other
150.10.10.80      150.10.10.43      150.10.10.50
160.10.10.80      160.10.10.43      160.10.10.50

421

SNAT Example: Using an iRule

    when CLIENT_ACCEPTED {
        if { [TCP::local_port] == 80 } {
            snatpool SNATPool_80
        } elseif { [TCP::local_port] == 443 } {
            snatpool SNATPool_443
        } else {
            snatpool SNATPool_Other
        }
    }

422

SNAT Example: Using an iRule

Wildcard virtual server and router pool that carry the SNAT iRule (shown in the older bigpipe configuration syntax; in v11 tmsh the same objects are ltm virtual and ltm pool):

    virtual wildcard {
        destination 0.0.0.0:any
        mask 0.0.0.0
        ip protocol tcp
        profile tcp
        pool routers
        rule rule_SNAT
    }

    pool routers {
        member 150.10.10.254:any
        member 160.10.10.254:any
    }

423

SNAT Conclusions

• Basis for translation
  • Client IP address or range
  • All clients of a given virtual server
  • Clients of a given virtual server that also match an iRule criterion

• Choice of translation
  • Specific address
  • Self IP (Automap)
  • Member of a SNAT pool

424

Traffic Flow – Big Picture

Address not translated between the client side and the node side:
• Forwarding Virtual Server
• Transparent Virtual Server

Address translated between the client side and the node side:
• NAT
• SNAT
• Virtual Server

425

Traffic Flow

Object            VLANs Enabled
Virtual Server    Source VLAN
NAT               Source VLANs for all flows (both directions)
SNAT              Source VLAN

426

Module 19: Monitors part 2

(diagram: Internet; BIG-IP; server 172.16.20.3)

427

Monitors – Outline

• Scripted Monitors
• EAV Monitors
• Advanced Monitor Options
• Multiple Assignments
• Manual Resume
• Receive Disabled String
• Alternate Destinations

• Passive Monitors
• Monitor Labs
© F5 Networks, Inc.
428

Scripted Monitors

• Multiple "sends" and "expects", for example an SMTP check:

    expect "220"
    send "HELO bigip1.host.net\r\n"
    expect "250"
    send "quit\r\n"

• Saved in a reference file: /config/eav/<filename>

429

Sample Interactive Monitors

• FTP
• IMAP
• LDAP
• MSSQL
• Oracle
• Radius
• And External

© F5 Networks, Inc.
430

Portion of an External Monitor

• EAV: Extended Application Verification
• External program, independent action
• Positive result: print "up" to standard out

    status=$?
    if [ $status -eq 0 ]
    then
      echo "up"
    fi

431
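An external monitor that carries out the send/expect conversation from the scripted-monitor slide, as an added example written for this page in Python (not an F5 script, and not the shell fragment above). Two conventions it relies on are real BIG-IP behaviour: the monitor program is started with the pool member's address and port as its first two arguments, with the address in IPv4-mapped IPv6 form (::ffff:172.16.20.1), and the member is marked up when the program prints "up" and down when it prints nothing. TranscriptConn is a constructed stand-in for a mail server so the check can be exercised offline:

```python
"""External (EAV) monitor with send/expect steps, written in Python.

Added example, not F5 code. Real conventions: argv[1] is the member
address (IPv4-mapped, e.g. ::ffff:172.16.20.1), argv[2] the port, and
printing "up" marks the member up. The SMTP steps are the slide's.
"""
import socket
import sys

# The slide's exchange as (action, text) steps; "expect" matches a reply prefix.
SMTP_STEPS = (
    ("expect", "220"),
    ("send", "HELO bigip1.host.net\r\n"),
    ("expect", "250"),
    ("send", "QUIT\r\n"),
)


def strip_mapped_prefix(address):
    """'::ffff:172.16.20.1' -> '172.16.20.1'; plain addresses pass through."""
    prefix = "::ffff:"
    return address[len(prefix):] if address.lower().startswith(prefix) else address


def run_steps(steps, conn):
    """Drive the conversation over conn (needs sendall() and readline()).
    True only if every expected reply appears, in order; a mismatch, an
    empty read (peer closed) or a socket error means the service is down."""
    try:
        for action, text in steps:
            if action == "send":
                conn.sendall(text.encode("ascii"))
            elif action == "expect":
                line = conn.readline().decode("ascii", errors="replace")
                if not line.startswith(text):
                    return False
            else:
                raise ValueError(f"unknown step {action!r}")
    except OSError:
        return False
    return True


class SocketConn:
    """Adapter giving a TCP socket the two methods run_steps() uses."""
    def __init__(self, sock):
        self._sock = sock
        self._reader = sock.makefile("rb")

    def sendall(self, data):
        self._sock.sendall(data)

    def readline(self):
        return self._reader.readline()


class TranscriptConn:
    """Constructed test double: replays canned server lines, records sends."""
    def __init__(self, replies):
        self._replies = list(replies)
        self.sent = []

    def sendall(self, data):
        self.sent.append(data)

    def readline(self):
        return self._replies.pop(0) if self._replies else b""


def check(address, port, steps=SMTP_STEPS, timeout=5.0, conn=None):
    """Return "up" (what BIG-IP looks for on stdout) or "" for down."""
    if conn is not None:
        return "up" if run_steps(steps, conn) else ""
    try:
        sock = socket.create_connection((strip_mapped_prefix(address), int(port)), timeout)
    except OSError:
        return ""                      # connection refused or timed out: down
    with sock:
        return "up" if run_steps(steps, SocketConn(sock)) else ""


if __name__ == "__main__":
    # Invoked by the monitor daemon as: <script> <member address> <port>
    if len(sys.argv) < 3:
        sys.exit(2)
    sys.stdout.write(check(sys.argv[1], sys.argv[2]))
```

Because a refused connection, a timeout, a wrong banner and a closed socket all end in an empty stdout, the member is marked down for every failure mode, not only for a wrong reply.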

Monitor Associations

• Monitors can be assigned to:


• Default (All Nodes)
• Nodes (Override Default)
• Pools (All Members)
• Pool Members (Override Pool)

© F5 Networks, Inc.
432

Monitors Assigned to Nodes

Default  Monitor  –  All  Nodes  

Or  Individual    Node  

© F5 Networks, Inc.
433

Assigned to Pools / Members

Pool  level  

Overridden  by  Member  


© F5 Networks, Inc.
434

Assigning Multiple Monitors

• Multiple Monitors
• Test Dependent Services
• Test Alternate Paths

© F5 Networks, Inc.
435

Destination Definition

• Alias Address or Port


• Dependent Service on same Node
• Dependent Service on separate Node

© F5 Networks, Inc.
436

Monitor Definition & Assignment

Monitor Definition (alias)   Monitor Assignment   Checked Device       Device whose State is Determined
*                            172.16.20.1          172.16.20.1          172.16.20.1
*:*                          172.16.20.2:80       172.16.20.2:80       172.16.20.2:80
*:443                        172.16.20.3:80       172.16.20.3:443      172.16.20.3:80
10.10.10.10                  172.16.20.4          10.10.10.10          172.16.20.4
10.10.10.10:50               172.16.20.5:80       10.10.10.10:50       172.16.20.5:80

A wildcard (*) in the definition is filled in from the object the monitor is assigned to; an explicit alias address or port overrides it, but the state that changes is always the assigned object's.

437
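The resolution rules of the table above, the transparent-monitor case from the next slide, and the "availability requirement" option from the multiple-monitors slides, as an added worked example in Python (a model written for this page, not F5 code). The table rows and the ISP-router addresses are the slides' values; member_available() implements the "all monitors" / "at least N" choice the lab exercises:

```python
"""Which address a monitor probes, and whose state it changes.

Added example, not F5 code. A wildcard (*) in the monitor's alias address
or alias service port is filled in from the node or pool member the
monitor is assigned to; an explicit alias value overrides it; the state
that changes is always the assigned object's. A transparent monitor
additionally sends the probe through the assigned member as next hop.
"""

WILDCARD = "*"


def parse(spec):
    """'*' -> ('*', None); '*:443' -> ('*', 443); '10.10.10.10:50' -> ('10.10.10.10', 50)."""
    if ":" in spec:
        addr, port = spec.rsplit(":", 1)
        return addr, (None if port == WILDCARD else int(port))
    return spec, None


def resolve(monitor_destination, assignment, transparent=False):
    alias_addr, alias_port = parse(monitor_destination)
    obj_addr, obj_port = parse(assignment)
    addr = obj_addr if alias_addr == WILDCARD else alias_addr
    port = obj_port if alias_port is None else alias_port
    checked = addr if port is None else f"{addr}:{port}"
    result = {"checked": checked, "state_of": assignment}
    if transparent:
        # Probe is addressed to the alias but forwarded via the member (its MAC).
        result["next_hop"] = obj_addr
    return result


def resolve_table(rows):
    """Rows of (monitor definition, assignment) -> list of resolved dicts."""
    return [resolve(definition, assignment) for definition, assignment in rows]


def member_available(results, requirement="all"):
    """results: monitor name -> True (up) / False (down).
    requirement: "all" (every monitor must pass) or an int N (at least N pass)."""
    passed = sum(1 for ok in results.values() if ok)
    if requirement == "all":
        return passed == len(results)
    return passed >= int(requirement)


# The rows of the slide table.
SLIDE_TABLE = (
    ("*", "172.16.20.1"),
    ("*:*", "172.16.20.2:80"),
    ("*:443", "172.16.20.3:80"),
    ("10.10.10.10", "172.16.20.4"),
    ("10.10.10.10:50", "172.16.20.5:80"),
)

if __name__ == "__main__":
    for (definition, assignment), r in zip(SLIDE_TABLE, resolve_table(SLIDE_TABLE)):
        print(f"{definition:16} {assignment:18} checks {r['checked']:18} state of {r['state_of']}")
    # Transparent monitor through the ISP #2 router toward f5.com (216.34.94.17).
    print(resolve("216.34.94.17:80", "222.2.2.254:0", transparent=True))
    # Member with two monitors assigned, one failing: up only if "at least 1" is required.
    print(member_available({"http": True, "https": False}), member_available({"http": True, "https": False}, 1))
```

The transparent case makes the security-relevant point of that slide explicit: the member whose state changes (the router) is not the host that answers the probe, so a down mark means "the path through this router to f5.com failed", not "f5.com is down".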

Transparent Monitors

A transparent monitor probes a destination beyond the pool member: the member (here an ISP router from RouterPool) is used as the next hop, and the probe is addressed to the alias destination, f5.com at 216.34.94.17.

(diagram: RouterPool members 211.1.1.254 (ISP #1, MAC 02:00:00:00:00:01) and 222.2.2.254 (ISP #2, MAC 02:00:00:00:00:02); self IPs 211.1.1.31 and 222.2.2.31)

Probe sent through ISP #2:
    Src  222.2.2.31 (self IP on the ISP #2 VLAN)
    Dest 216.34.94.17 (f5.com)
    MAC  02:00:00:00:00:02 (the ISP #2 router)

438

Manual Resume
• After Monitor Fails and Successful Again
• Default: Mark Available (Up)
• Manual Resume: Mark Unavailable (Forced Down)

© F5 Networks, Inc.
439

Receive Disabled String

• A match marks the object disabled
• Requires a Receive String; the Receive Disable String is evaluated when the Receive String does not match
• Allows server admins to disable members from the server side

440

Inband Monitors
• Monitor Success of Client Connections
• Layer 4 only
• Failures Can be Detected Quickly
• Recovery May be Slow

© F5 Networks, Inc.
441

Passive and Active Monitors together

(diagram: VS 207.10.1.100 with pool members 172.16.20.1, 172.16.20.22, 172.16.20.98)

• Inband (passive) monitoring applies while the member is marked up
• 3 failures mark the member down
• Set Retry = 0 to disable inband retry
• Then active monitoring runs until the member is up

442

Using Active and Passive Monitors Together

Client -> Server Pool: application traffic

Pool member(s) up:    if LTM observes successful L4 connections, the member stays up (passive monitoring only)
Pool member(s) down:  if LTM observes connection failures, the member is marked down and active monitors begin
If active monitors report good server status, active monitors stop and passive monitors resume monitoring

443

Monitors Labs                                       Page 19-13 to 15

Monitors:
1. Multiple monitors
   • Monitor with alias port
   • Multiple monitors on one pool
   • Availability requirements
2. Receive Disable String
3. Manual resume
   • Set Manual Resume on the monitor
   • Resume the pool member
4. Optional: Inband monitor lab
(lab diagram: Internet; VS 10.10.X.100; servers 172.16.20.1, 172.16.20.2, 172.16.20.3)

444

Module 20: Persistence part 2

Subsequent connections from a user are sent to the same server: the load balancing mode is superseded
(diagram: clients 1, 2, 3 each mapped to the same server 1, 2, 3 on later connections)

445

Persistence – Outline
• Review
• Source Address
• HTTP Cookie Persistence
• Session Persistence Criteria
• Match Across…
• Other Persistence Types
• SSL Persistence
• SIP Persistence
• Destination Address
• Universal Persistence
• Persistence Labs
© F5 Networks, Inc.
446

Session Persistence criteria

© F5 Networks, Inc.
447

SSL Persistence

• Based on SSL Session ID


• Remains Constant When Client IP Address
Changes
• Persistence Lost if Browser Changes
SSL Session ID
• Configuration
• Persistence Profile

© F5 Networks, Inc.
448

SIP Persistence

• Session Initiation Protocol (SIP)


• Supports Call-ID persistence from proxy servers
that support SIP
• Most common in telephony & multimedia
• Configuration
• Persistence Profile

© F5 Networks, Inc.
449

Destination Address

• Based on destination IP
• Also called sticky persistence
• Most commonly used with:
  • Caching servers
  • Multiple ISPs outbound

450

Destination Address

Services: traffic load balanced across multiple ISPs (ISP #1, ISP #2) toward the Internet
• The client source address seen by the server varies with the ISP choice, so persisting on destination keeps one destination on one ISP
(diagram: Client, Client -> BIG-IP -> ISP #1 / ISP #2 -> Internet)

451

Destination Address

Services: traffic load balanced across multiple caches
• Cache contents are separated by destination: persisting on destination address keeps all requests for one destination at one cache
(diagram: Client, Client -> BIG-IP -> caches -> Internet)

452

Universal Persistence

• Can LTM identify a returning client? Fields in the client request used so far:

Field                 Where it is found
IP Address            IP & TCP header
SSL Session ID        TCP data
SIP Call ID           TCP data
HTTP Headers          TCP data
User Defined Fields   anywhere: let the customer choose

453

Universal Persistence

• Persist on any part of the packet
• Syntax based on iRules:

    when HTTP_REQUEST {
        persist uie [findstr [HTTP::uri] "user=" 5 "&"]
    }

For http://www.test.com/?env.cgi&user=abc&pw=456 the persistence key is abc: the 5 characters of "user=" are skipped and the value ends at the next "&".

More detail on the findstr command in iRules Part 2

454

Configuring Universal Persistence

Profile  needed  for  Timeout  &  Mirroring  


© F5 Networks, Inc.
455

Persistence Labs                                    Pages 20-6 to 7

Persistence:
1. Universal
2. Match Across Services
(lab diagram: Internet; VS 10.10.X.100; servers 172.16.20.1, 172.16.20.2, 172.16.20.3)

456

Module 21 – iRules part 2

    when CLIENTSSL_HANDSHAKE {
        if { [IP::remote_addr] equals 10.10.10.10 } {
            pool my_pool
        }
    }

(The command substitution is [IP::remote_addr], compared with equals inside the braces; an extra bracket around the whole comparison would make Tcl try to run the address as a command.)

(diagram: Internet; BIG-IP; my_pool; Default pool)

457

iRules – Outline

• Additional examples
• Re-visit Events
• Commands
• Context
• iRules Labs

© F5 Networks, Inc.
458

Rule Syntax Overview

    when EVENT {
        if { conditional_statement1 } {
            action_when_condition1_true
        } elseif { conditional_statement2 } {
            action_when_condition1_false_condition2_true
        }
    }

459

TCL Syntax Example

    when CLIENT_ACCEPTED {
        set MYPORT [TCP::local_port]
        #log local0. "Port is $MYPORT"
        switch $MYPORT {
            80 {
                snatpool SNATPool_80
                pool http_pool
            }
            443 {
                snatpool SNATPool_443
                pool https_pool
            }
            default { pool Pool_Other }
        }
    }

460

iRule Events – Full Proxy

Client side (Internet -> BIG-IP):
• Syn, Syn-Ack, Ack           CLIENT_ACCEPTED
• Client data                 CLIENT_DATA, HTTP_REQUEST, CLIENTSSL_HANDSHAKE (if an SSL session)
• Pool member selected        LB_SELECTED
Server side (BIG-IP -> server):
• Syn, Syn-Ack, Ack           SERVER_CONNECTED
• Server response             SERVER_DATA, HTTP_RESPONSE, SERVERSSL_HANDSHAKE (if an SSL session)

461

iRule Events – Another view

Client  --CLIENT_ACCEPTED-->                BIG-IP  --SERVER_CONNECTED-->               Server
        --CLIENT_DATA / HTTP_REQUEST-->             <--SERVER_DATA / HTTP_RESPONSE--

462

Pre-Requisites for iRules: Profiles

Event          Profile Requirement(s)
IP events      No additional profile requirement
UDP events     Requires a udp- or fastL4-based profile
TCP events     Requires a tcp- or fastL4-based profile
HTTP events    Requires an http- and a tcp-based profile
SSL events     Requires either a clientssl- or serverssl-based profile, depending on the rule context
AUTH events    No additional profile requirement

463

iRule Event Groups

• Various Points Client-Server Communication


• Protocol
• IP TCP UDP SCTP

• Application
• HTTP RTSP SIP XML

• Security and Access


• APM ASM AUTH CLIENTSSL SERVERSSL

• Other
• CACHE DNS GLOBAL STREAM
© F5 Networks, Inc.
464

iRule Event Examples - Protocol

• Connection Establishment, Data Communication


• CLIENT_ACCEPTED
• CLIENT_CLOSED
• CLIENT_DATA
• SERVER_CLOSED
• SERVER_CONNECTED
• SERVER_DATA

© F5 Networks, Inc.
465

iRule Event Examples - Application

• HTTP
• HTTP_REQUEST & HTTP_RESPONSE

• RTSP
• RTSP_REQUEST & RTSP_RESPONSE

• SIP
• SIP_REQUEST & SIP_RESPONSE

• XML
• XML_BEGIN_ELEMENT & XML_END_ELEMENT

© F5 Networks, Inc.
466

iRule Event Examples – Security and Access


• APM
• ACCESS_ACL_ALLOWED & ACCESS_ACL_DENIED

• ASM
• ASM_REQUEST_BLOCKING &
ASM_REQUEST_VIOLATION

• AUTH
• AUTH_ERROR & AUTH_FAILURE

• CLIENTSSL
• CLIENTSSL_CLIENTCERT & CLIENTSSL_DATA

• SERVERSSL
• SERVERSSL_DATA & SERVERSSL_HANDSHAKE © F5 Networks, Inc.
467

iRule Event Examples - Other

• CACHE
• CACHE_REQUEST & CACHE_RESPONSE

• DNS
• DNS_REQUEST & DNS_RESPONSE

• GLOBAL
• LB_FAILED, LB_SELECTED, & RULE_INIT

• STREAM
• STREAM_MATCHED

© F5 Networks, Inc.
468

iRule Commands

• General format: NAMESPACE::parameter
  • HTTP::method
  • IP::client_addr
• Read only and read/write
  • HTTP::header: returns or modifies headers
  • HTTP::response: returns the response
• Return may vary with event context
  • IP::remote_addr (client's or server's?)

• Best resource: devcentral.f5.com

469

Example HTTP Commands

iRule Command                 Result
HTTP::header [value] <name>   Returns the value of the HTTP header named <name>. The "value" keyword can be omitted if <name> does not collide with any of the header subcommands.
HTTP::header count            Returns the number of HTTP headers present on the request or response.
HTTP::method                  Returns the type of HTTP request method.
HTTP::status                  Returns the response status code.
HTTP::uri [<string>]          Set/Get the complete URI of the request.
HTTP::is_redirect             Returns true if the response is a 3XX redirect.

470

Example TCP Commands


iRule Command Result
TCP::remote_port Returns the current context’s remote TCP
port/service number.
TCP::local_port Returns the current context’s local TCP port/
service number.
TCP::payload [<size>] Returns the collected TCP data content.

TCP::payload length Returns the amount of collected TCP data


content in bytes.
TCP::collect <length> Causes TCP to start collecting the specified
amount of payload data and executes the
TCP_DATA rule event when this occurs.
TCP::release Causes TCP to resume processing the
connection and flushes collected data.

© F5 Networks, Inc.
471

Example UDP Commands


iRule Command Result
UDP::remote_port Returns the current context’s remote UDP
port/service number.
UDP::local_port Returns the current context’s local UDP port/
service number.
UDP::payload [<size>] Returns the current UDP payload content.
UDP::payload length Returns the amount of UDP payload content
in bytes.

© F5 Networks, Inc.
472

iRule Context

With reference to whom? The same command returns a different peer depending on the side of the proxy the event runs on.

Client side (remote = the client):
    when CLIENT_ACCEPTED {
        if { [IP::remote_addr] equals …

Server side (remote = the server, so ask for the client side explicitly):
    when SERVER_CONNECTED {
        if { [clientside {IP::remote_addr}] equals …

(diagram: Internet; client side and server side of the BIG-IP)

473

Example Functions

• Data Group
• class, findclass, matchclass

• String
• domain, findstr, substr, getfield

• Utility
• b64decode, b64encode, decode_uri

© F5 Networks, Inc.
474

findstr Example

    when HTTP_REQUEST {
        if { [findstr [HTTP::uri] "user=" 5 "&"] starts_with "A" } {
            pool Alogin_pool
        } elseif { [findstr [HTTP::uri] "user=" 5 "&"] starts_with "B" } {
            pool Blogin_pool
        } else {
            pool other_pool
        }
    }

HTTP::uri is the part of the request line after the host: for http://host/path/file.ext?parameters it is /path/file.ext?parameters
For http://host/path/file.ext?comp=F5;user=B23456&... findstr returns B23456, so the request goes to Blogin_pool

475
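findstr and the "persist uie" table it feeds, as one added worked example in Python serving both the Universal Persistence slide in Module 20 and the findstr example above (a model written for this page, not F5 code). findstr follows the iRule command's string form: locate the search string, skip a number of characters past its start, and return up to the terminator, the rest of the string when the terminator is absent, or "" when the search string is absent. Refreshing a record's timer on each hit and creating no record for an empty key are assumptions; the sample URIs are the slides' own:

```python
"""findstr and universal (uie) persistence, modelled in Python.

Added example, not F5 code. findstr(string, search, skip, terminator)
mirrors the iRule command; UniversalPersistence mirrors "persist uie":
a key maps to a pool member until the profile's timeout expires, and
load balancing only runs when no valid record exists.
"""
import itertools
import time


def findstr(string, search, skip=0, terminator=None):
    start = string.find(search)
    if start < 0:
        return ""                      # search string absent: nothing to persist on
    start += skip
    if terminator is None:
        return string[start:]
    end = string.find(terminator, start)
    return string[start:] if end < 0 else string[start:end]


def user_key(uri):
    """The key the slides persist on: [findstr [HTTP::uri] "user=" 5 "&"]."""
    return findstr(uri, "user=", 5, "&")


def login_pool(uri):
    """The findstr example's routing: A... -> Alogin_pool, B... -> Blogin_pool."""
    user = user_key(uri)
    if user.startswith("A"):
        return "Alogin_pool"
    if user.startswith("B"):
        return "Blogin_pool"
    return "other_pool"


class UniversalPersistence:
    def __init__(self, members, timeout=180, clock=time.monotonic):
        self.members = list(members)
        self.timeout = timeout         # from the persistence profile
        self.clock = clock             # injectable so expiry can be tested offline
        self.table = {}                # key -> (member, last-used time)
        self._rr = itertools.cycle(self.members)

    def select(self, key):
        """Member for this request: the existing record wins over load balancing."""
        now = self.clock()
        entry = self.table.get(key)
        if entry and now - entry[1] <= self.timeout:
            self.table[key] = (entry[0], now)     # assumption: hit refreshes the timer
            return entry[0]
        member = next(self._rr)                   # round robin when no valid record
        if key:                                   # assumption: empty key -> no record
            self.table[key] = (member, now)
        return member


if __name__ == "__main__":
    p = UniversalPersistence(["172.16.20.1", "172.16.20.2", "172.16.20.3"])
    for uri in ("/?env.cgi&user=abc&pw=456", "/?user=xyz", "/?env.cgi&user=abc&again=1"):
        print(uri, "->", user_key(uri) or "(no key)", "->", p.select(user_key(uri)))
    print("/path/file.ext?comp=F5;user=B23456&x=1", "->", login_pool("/path/file.ext?comp=F5;user=B23456&x=1"))
```

Note what a request without user= does: findstr returns "" and no record is created, so such requests are simply load balanced. An attacker who can choose the user= value can also choose which member a request lands on, which is the usual caveat for persisting on an unauthenticated client-supplied field.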

iRule Logging

• iRules can cause content / status to be logged


• To log into /var/log/ltm:
log local0. “[<strings>]”

• Example:
log local0. “[ findstr [HTTP::uri] "user=" 5 "&" ]”

• Best Practice: log value iRule uses


• High Speed Logging

© F5 Networks, Inc.
476

iRule Variables

• Store Data for use at later times


• No Variable Typing … all Strings
• To define a variable and set the value:

set variable_name “value”

• Example:

set debug 1

© F5 Networks, Inc.
477

Course Outline
1. Installation
2. Load Balancing
3. Health Monitors
4. Profiles Day 1
5. Persistence
6. Processing SSL Traffic
7. Lab Project 1
8. NATs and SNATs
9. iRules Day 2
10. High Availability
11. High Availability Part 2
© F5 Networks, Inc.
478

Course Outline
12. Command Line – tmsh
13. Administration
14. Administration part 2 Day 3
15. Profiles part 2
16. iApps
17. Virtual Servers part 2
18. SNATs part 2
19. Monitors part 2
Day 4
20. Persistence part 2
21. iRules part 2
22. Lab Project 2
© F5 Networks, Inc.
479

BIG-IP LTM courses

Audience                          Courses
Operators / Admins / Engineers    BIG-IP LTM Essentials, BIG-IP LTM Adv Topics, Configuring BIG-IP with iRules, Troubleshooting BIG-IP (offered as WBT)
Application Developers            BIG-IP LTM Essentials, Configuring BIG-IP with iRules
Network Architects                BIG-IP LTM Essentials, BIG-IP LTM Adv Topics, Architecting BIG-IP

480

Other F5 Product Courses

• BIG-IP GTM – Global Traffic Manager

• BIG-IP ASM – Application Security Manager

• ARX Configuring & Admin

• ARX Troubleshooting & Monitoring

• BIG-IP APM – Access Policy Manager

• BIG-IP WAM – WebAccelerator

• BIG-IP WOM – WAN Optimization Module


• Firepass

© F5 Networks, Inc.
481

Thank You!

F5 Networks Training

© F5 Networks, Inc.
482

Module 22 – Lab Project options

• iRules Labs # 1 to 6
• Path Load Balancing Lab

• Appendix C – v9 & v10 labs


• Appendix D – http fundamentals

© F5 Networks, Inc.
483

iRules Projects                                     Page 22-4 to 10

Rules:
1. findstr
2. TCP::payload
3. Set variable & logging
4. Redirect 404
Optional:
1. Redirect 404 & capture file
2. Apology message on failed pool
(lab diagram: Internet; VS 10.10.X.10Y; servers 172.16.20.1, 172.16.20.2, 172.16.20.3)

484

Path Load Balancing Lab                             Pages 22-11 to 12

Steps for your BIG-IP (LTM #X):
1. Restore base config
2. Change the 172.16.X.31/33 self IPs to 10.20.X.31/33 self IPs
3. Transparent virtual server with members 10.20.30.1 & 10.20.30.2 (the transparent devices)
4. Transparent monitor to check System B's VS
Instructor BIG-IP (Inst LTM):
1. Has "Standard" VSs from 10.30.17.100 to the 172.16. pools
Troubleshoot:
1. tcpdump on LTM #X
(lab diagram: PC 10.10.X.30 on 10.10.0.0/16; LTM #X; 10.20.0.0/16; transparent devices; 10.30.0.0/16; Inst LTM; servers on 172.16.0.0/16)

485

Additional Slides

• Instructor Notes for Class flow


• Instructor Notes to Setup class

© F5 Networks, Inc.
486

Instructor Setup Notes


Topic Lesson Instructional Objectives Time
Course Introduction Class Introductions Introduce yourself, and then have each student provide: 30 min.
• Name, Work Function & Networking Experience
• F5 Product Experience and any F5 classes
• Objectives for attending class
Course Outline & Objectives Review course objectives and map to student objectives. Present course agenda and administrative details.

About F5 Discuss how F5 started and where F5’s products fit in the market space.

Module 1 – Installation & Overview, Setup, Configuration Learn basics of BIG-IP LTM and its operation in the network, Purpose and functionality of the Setup Utility & 60 min
Initial Access Utilities. How to access BIG-IP LTM Configuration utilities

Install Lab (Setup) Successfully install BIG-IP LTM System using Setup utility.
BIG-IP hardware and platforms Discuss the different hardware platforms for BIG-IP LTM and the basic architecture like SCCP, AOM and
TMM.
Lab to set an IP Address on SCCP Set an IP Address on the SCCP or AOM and then watch the box reboot while connected using an SSH network 15 min
connection.

Module 2 – Load Balancing Introduce Nodes, Pools, & Virtual Learn the concepts and how to configure Nodes, Pools and Virtual Servers 90 min
Servers

Virtual Servers and Pools Lab Successfully configure a Virtual Server using port 80 and 443.

Introduce Load Balancing Modes Be able to list the different Load Balancing Modes and explain the differences between them.

Load Balancing Labs Successfully configure and test the Round Robin, Ratio and Load Balancing with Priority Group Activation.

Module 3 – Monitors Introduce Monitors Learn the concepts and goals of monitors. Differentiate between monitor templates and user-defined monitors. 60 min

Monitor Labs Successfully assign a default and individual monitors to both nodes and pool members.

Module 4 – Profiles Introduce Profiles Learn the function and importance of profiles in effecting the way a given virtual server will process traffic.

Module 5 – Persistence Introduce Persistence Learn the concept of Persistence, and be able to discuss methods, advantages and disadvantages of source 75 min
address and cookie persistence.

Persistence Labs Successfully configure and implement source address and cookie persistence profiles.

Object Management Learn about managing node and node availability and when the BIG-IP LTM will direct traffic to a given
device.
Module 6 – Introduce Client and Server SSL Learn basic SSL Concepts, BIG-IP LTM SSL Proxy and Server SSL components. 60 min
SSL Termination Profiles

SSL Profile Labs Successfully create client SSL profile using a self-signed certificate and associate it with an appropriate virtual
server.

END OF DAY ONE DAY 1 TOTAL: 6 ½ Hours.


© F5 Networks, Inc.
487

Instructor Setup Notes


Topic Lesson Instructional Objectives Time
Module 7 – Configuration Configuration Project In one cohesive Project, configure everything from the previous day; Virtual Servers, Pools, Monitors, Load 60 min
Project Balancing and Persistence.

Review Previous Day Review Lab Project results and the six Questions in Module 7

Module 8 – NATs and SNATs NATs Learn how Virtual Servers, NATs and SNATs provide complementary address translation options. Learn the 75 min
features of NATs and SNATs and how they are configured.

NATs lab Successfully configure and use NATs


SNATs Introduction Learn the basic features of SNATs

SNATs Labs Successfully configure and use several SNATs.


Module 9 – iRules iRule Introduction Learn basic function and syntax of iRules. Learn about the events that drive iRules. 60 min

iRules Labs Successfully configure and use iRules that direct traffic to specific pools.

Module 10 – Installation of a Introduce Redundant Pair Concepts Learn Redundant Pair concepts and how to configure a BIG-IP LTM System as either the Active or Standby box 60 min
Redundant Pair of a Redundant Pair.

Setup Lab for a Redundant Pair Successfully configure both boxes of a Redundant Pair (one as Active and the other as Standby).

Synchronization Lab Successfully synchronize the configuration of the two boxes

Module 11 – High Availability Introduce Failover Concepts Learn the conditions that will automatically trigger a failover and how to configure BIG-IP LTM System to 105 min
automatically detect these conditions.

Failover Labs Successfully configure and test VLAN Arming and compare hard-wired and network failover.

Introduce Stateful failover options Learn the concept mirroring connection and persistence information.

Mirroring Labs Successfully configure and test Connection and Persistence Mirroring on a Redundant Pair of BIG-IP LTMs.

MAC Masquerading Learn the concept of MAC Masquerading

Lab on MAC Masquerading Successfully configure and test MAC Masquerading during a failover between a Redundant Pair of BIG-IP
LTMs.
Module 12 – Maintaining BIG-IP Introduce F5 resources that help Learn about tcpdump, qkview, and Ask F5. 30 min
LTM with support.

Next courses & class review Review topics in this course, by answering test questions.

END OF DAY TWO DAY 2 TOTAL: 6 ½ Hours.


© F5 Networks, Inc.
488

Instructor Setup Notes


Module Pg # Time Change

1 Make hardware its own section after the install lab, and also separate the SCCP / AOM lab
more from install and cleanup

2-6 Minor edits & ppt changes

Day 2

7 – 12 Minor edits & ppt changes

Appx A – D Minor edits

Module Pg # Time Change


Preface – Mod 1 Minor edits only, new products added
2 – Load Balance Added section and lab steps for Network Map
3–6 Minor edits only
Day 2
7, 9, 10 & 12 Minor edits only
8 – SNATs Changed ppt slides and lab steps to flow better. Main focus is on SNAT changing source
address. Discussion about SNAT being a “listener” moved to Adv course.

11 – Failover Screen changes in ppt and lab step changes.


Appendix A – C Minor edits only
Appendix D Added HTTP basics section in case students need it.

© F5 Networks, Inc.
489

Instructor Setup Notes

• 13th Edit – v11.0.0 Dec 2011

• 12th Edit – v10.0.0 June 2009

• 11th Edit – v9.4.5 Feb 2009

• 10th Edit – v9.4.4 June 2008

• 9th Edit – v9.3.1 July 2007

• 8th Edit – v9.2.3 June 2006

© F5 Networks, Inc.
490

Instructor Lab Setup Notes

• See notes pages below

© F5 Networks, Inc.
491

Instructor Lab Setup Notes


Example A

Example B

© F5 Networks, Inc.
492

Instructor Lab Setup Notes


Station ##

IP Address
10.10.##.30
255.255.0.0

Default Route
10.10.##.33

External Shared Alias


BIG-IP ##
10.10.##.33
255.255.0.0
10.10.##.31 10.10.##.32
255.255.0.0 255.255.0.0

172.16.##.31 172.16.##.32
255.255.0.0 255.255.0.0
Internal Shared Alias
172.16.##.33
255.255.0.0

The Servers should boot with the following routes:

route add -net 10.10.1 -netmask 255.255.255.0 -gateway 172.16.1.33 Servers


route add -net 10.10.2 -netmask 255.255.255.0 -gateway 172.16.2.33
route add -net 10.10.3 -netmask 255.255.255.0 -gateway 172.16.3.33
route add -net 10.10.4 -netmask 255.255.255.0 -gateway 172.16.4.33
route add -net 10.10.5 -netmask 255.255.255.0 -gateway 172.16.5.33
route add -net 10.10.6 -netmask 255.255.255.0 -gateway 172.16.6.33
route add -net 10.10.7 -netmask 255.255.255.0 -gateway 172.16.7.33
route add -net 10.10.8 -netmask 255.255.255.0 -gateway 172.16.8.33 Server Server Server
route add -net 10.10.9 -netmask 255.255.255.0 -gateway 172.16.9.33 172.16.20.1 172.16.20.2 172.16.20.3
route add -net 10.10.10 -netmask 255.255.255.0 -gateway 172.16.10.33 255.255.0.0 255.255.0.0 255.255.0.0
route add -net 10.10.11 -netmask 255.255.255.0 -gateway 172.16.11.33
route add -net 10.10.12 -netmask 255.255.255.0 -gateway 172.16.12.33
route add -net 10.10.13 -netmask 255.255.255.0 -gateway 172.16.13.33 FTP Server FTP Server FTP Server
route add -net 10.10.14 -netmask 255.255.255.0 -gateway 172.16.14.33 Web Server Web Server Web Server
route add -net 10.10.15 -netmask 255.255.255.0 -gateway 172.16.15.33 (80 & 443) (80 & 443) (80 & 443)
route add -net 10.10.16 -netmask 255.255.255.0 -gateway 172.16.16.33
route add -net 10.10.17 -netmask 255.255.255.0 -gateway 172.16.17.33
SSH Server SSH Server SSH Server
© F5 Networks, Inc.
© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS,
and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries
