F5 LTM Training

Day 1 schedule (Topic / Sections / Time)

Introduction (4.00 - 4.20 pm)
-Introduction
-Types of SLB
-Is load balancing different from clustering?
-LB Vendor Comparison
-F5 Solutions
-F5 Solutions (cont.)

LTM Platforms (4.20 - 4.40 pm)

Initial Setup (4.40 - 5.00 pm)
-Big-IP Hardware
-Exploring Big-IP File System
-Licensing Big-IP
-Basic Configuration

LTM Objects (5.00 - 5.20 pm)
-Virtual Servers
-Pools
-Nodes
-iRules
-Health Monitors
MODULE 1
INTRODUCTION
Load balancer, as the name suggests, is a
Types of SLB
Load balancers are generally grouped into two categories, Layer 4 and Layer 7:
Layer 7: Layer 7 load balancers distribute
LB Vendor Comparison
F5 Solutions
F5 products address the three main areas
of Application Delivery Networking:
Application security
Application Optimization
Application Availability
F5 Solution
MODULE 2
LTM Platforms (price vs. function/performance, lowest to highest)

Platform      Traffic   Product modules
BIG-IP 1600   1 Gbps    1 basic product module
BIG-IP 3600   2 Gbps    1 advanced product module
BIG-IP 6900   6 Gbps    multiple product modules
(top-end platform, name not recoverable from the slide)   12 Gbps   multiple product modules
MODULE 2
Initial Setup
Exploring Big-IP Hardware
Exploring Big-IP File System
Licensing Big-IP
Basic Configuration
The Hardware
-Console cable (serial console)
-OOB (out-of-band) management port
-10/100/1000 Mbps copper ports
-1000 Mbps fibre ports
What to do first
Setup Overview
Setup Tools
SSH Client
-username: root
-password: default (factory default; change it during initial setup, before the management port is reachable from any untrusted network)
Licensing Methods
Automatic Licensing
Manual Licensing
Manual Licensing
File System
Built on top of Linux
Has a Linux file structure
Files relevant to the operation of BIG-IP LTM
The main files in BIG-IP LTM are listed below:
-/config/bigip.conf
-/config/bigip_base.conf
-/config/BigDB.dat
-/etc/hosts.allow
-/config/bigip.license
-/var/log/ltm
/config/bigip.conf
-Holds all information relevant to load balancing,
 e.g. virtual servers, pools, profiles, monitors, iRules etc.
-Shared between the 2 units in a redundant pair configuration (config sync)
/config/bigip_base.conf
-Base networking (interfaces, VLANs, self IPs, management IP); device-specific, not shared with the peer
/config/BigDB.dat
-BigDB database variables (system settings)
/config/bigip.license
-License file, unique to each unit
/config/ssl/ssl.crt
/config/ssl/ssl.key
-Certificate and private key directories; the keys are included in UCS archives, so protect archives as carefully as the keys themselves
MODULE 3
LTM OBJECTS
MODULE 4
Traffic Processing
Virtual Server
-BIG-IP is a default-deny device: traffic is only accepted by a configured listener (virtual server), everything else is dropped
-The virtual server glues everything together (profiles, persistence, pool, iRules)
-Typically a virtual server is associated with a pool
MODULE 5
Load Balancing
Round Robin
Ratio
-The Ratio method is appropriate when some members are more
powerful than others.
-Since Ratio is a static method, the server with the highest
ratio value receives more requests than the others even when that
server is responding slowly.
#b pool lab_Pool { lb method ratio }        (node ratio)
#b pool lab_Pool { lb method member ratio } (member ratio)
Least Connections
-This method considers the current connection count of each member to decide
where to send the next request
Least Connections
-Once the connection counts shown below are equal, the BIG-IP round robins
the next requests between all three servers.
Fastest
-Fastest uses the number of outstanding Layer 7 requests to decide where to
send the next request
-Request or Response?
Fastest
-The ping response from a server does not take into account how fast the
server will respond on port 80.
-The SYN-ACK response from a server on port 80 does not take into
account how fast the backend database server will populate the
content of the web page
Observed
-It is basically Ratio load balancing, but with the ratio assigned dynamically by the BIG-IP
-Servers with fewer connections than the average are given a ratio of 3
-Servers with more connections than the average are given a ratio of 2
Observed
>Connection status
-Servers B & C with ratio 3
-Servers A & D with ratio 2
Predictive
-The Predictive method is similar to Observed, but assigns more
aggressive values
Predictive
>Connection status
-Servers A & C with ratio 1
-Servers B & D with ratio 4
>Node
-Total service for one IP address
-Takes all transactions for the IP address into account
#b node <ip_addr> { ratio <no.> session <enable|disable> }
>Pool Member
-IP address & service
-Takes the decision based on the transactions happening on
the service port.
Priority Group Activation
-Members are assigned a priority; the highest priority group serves all requests
-When the number of available members in that group drops below the
minimum active members setting, the next highest priority group also
starts serving requests.
(slide example: a pool with three members at priority 10 and three at priority 5)
Fallback Host
-The fallback host feature is designed for the HTTP protocol only.
-It comes into play if all the members of a pool are unavailable: the client is redirected to the configured fallback host instead of being dropped
MODULE 6
Monitor
Monitor Functionality
Monitor Types
Configuring Monitor
Assigning Monitor
Status
Intro to monitor
The BIG-IP system can monitor the health of nodes and
pool members
Step 1: Create
Step 3: Customize
Step 4: Assign
- to pool/node/pool member
Step 5: Status
Types of monitoring
Address Check
-IP address node
Service Check
-IP:port
Content Check
-IP:port & check data returned
Interactive Check
-Interacts with the server
-Multiple commands and multiple responses
Address Check
Example
System
#b monitor icmp list
monitorroot icmp {
interval 5
timeout 16
dest *
}
Custom
#b monitor icmp_mon list
monitor icmp_mon {
defaults from icmp
interval 7
timeout 22
}
Service Check
-Checks that the node accepts a connection on the service port.
-Doesn't provide any insight into the quality of the content that might be
returned
Example
System
#b monitor tcp list
monitorroot tcp {
interval 5
timeout 16
dest *:*
recv ""
send ""
}
Custom
#b monitor tcp_port_mon list
monitor tcp_port_mon {
defaults from tcp
interval 15
timeout 47
}
Content Check
-Content checks go beyond testing whether a node is
responding/listening
-They also test whether it is responding with the correct content
Example
System:
#b monitor http list
monitorroot http {
interval 5
timeout 16
dest *:*
password ""
recv ""
send "GET /"
username ""
}
Custom:
#b monitor http_mon list
monitor http_mon {
defaults from http
recv "Health Check"
send "GET /health_check.html HTTP/1.0\n\n"
}
Interactive Check
Example
#b monitor ftp list
monitorroot ftp {
interval 10
timeout 31
dest *:*
debug ""
get ""
mode "passive"
password ""
username ""
}
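Two things the monitor examples above rely on, modelled in plain Python as an added illustration (not F5 code): how a content check turns the send/recv strings into an up/down verdict, and how the interval/timeout pair decides when a member is marked down (every custom monitor above follows the F5 rule of thumb timeout = 3 x interval + 1). The HTTP responses are constructed samples, and the "unknown until the first result" behaviour is an assumption about the model, not a statement about the product internals.

```python
"""Content-check verdict and interval/timeout down-marking, modelled in
Python.  Added illustration only; not F5 code.  Responses are constructed."""

# Constructed responses a server might return to
#   send "GET /health_check.html HTTP/1.0\n\n"
HEALTHY_RESPONSE = (
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Health Check</body></html>"
)
WRONG_CONTENT_RESPONSE = (   # listening and answering 200, but not the expected page
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Maintenance page</body></html>"
)


def content_check(response, recv):
    """Content check: the probe succeeds only if the recv string appears in
    the returned data.  An empty recv string degrades to a service check
    (any response at all counts), which is why the custom monitor sets it."""
    if response is None:            # no connection or no data within the timeout
        return False
    return recv == "" or recv in response


class MonitorState:
    """A member is probed every `interval` seconds and marked down once
    `timeout` seconds pass without a successful response.  With
    timeout = 3 * interval + 1, three consecutive missed probes are tolerated
    and the member goes down one second after the third miss."""

    def __init__(self, interval, timeout):
        self.interval = interval
        self.timeout = timeout
        self.last_success = None    # time of the last successful probe

    def record(self, now, ok):
        if ok:
            self.last_success = now

    def status_at(self, now):
        """True = up, False = down, None = unknown (no result yet; assumption)."""
        if self.last_success is None:
            return None if now < self.timeout else False
        return now - self.last_success < self.timeout


def replay(interval, timeout, results, at):
    """Record per-interval probe results (probe i happens at i*interval
    seconds, True = good response) and return the status at second `at`."""
    state = MonitorState(interval, timeout)
    for i, ok in enumerate(results):
        if i * interval <= at:
            state.record(i * interval, ok)
    return state.status_at(at)


if __name__ == "__main__":
    print("healthy:", content_check(HEALTHY_RESPONSE, "Health Check"))
    print("wrong page:", content_check(WRONG_CONTENT_RESPONSE, "Health Check"))
    print("wrong page, empty recv:", content_check(WRONG_CONTENT_RESPONSE, ""))
    probes = [True, False, False, False]          # one good probe, then silence
    print("5/16 at t=15:", replay(5, 16, probes, 15), " at t=16:", replay(5, 16, probes, 16))
    print("5/10 at t=10:", replay(5, 10, probes, 10))
```

The last two lines show the point of the 3n+1 rule: with interval 5 and timeout 16 the member survives three missed probes and is marked down at t=16, whereas a timeout of 10 marks it down at t=10 after a single missed probe, so a transient hiccup takes the member out of the pool.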
Status Icons
Below are the status icons shown for nodes, pool members and pools:
Status: Available (green circle) - monitor checks are succeeding
Status: Offline (red diamond) - a monitor has marked the object down
Status: Unknown (blue square) - no monitor assigned, or no result yet
Status: Unavailable (yellow triangle) - the object has reached its connection limit
MODULE 7
Profile
Profile Concept
Profile Configuration
Profile Concept
-Contain settings that instruct the BIG-IP how to process the traffic before
passing it to the actual servers
Profile Example
Persistence
SSL Termination
Profile Example
FTP
Profile Dependencies
-Some of the profiles are dependent on others
-Some cannot be combined in one virtual server
Types of profile
Services Profiles:
Protocol Profiles
Authentications Profiles
-RADIUS servers, CRLDP servers
Other Profiles
-OneConnect, NTLM, stream
Custom Profiles
-Stored in /config/bigip.conf
-Created from default profile
-Dynamic child & parent relationship
Services Profiles
Parent HTTP profiles
profile http http {
basic auth realm none
oneconnect transformations enable
compress disable
compress uri include none
compress uri exclude none
compress prefer gzip
compress min size 1024
compress buffer size 4096
compress vary header enable
.
.
.
ramcache max age 3600
ramcache min object size 500
ramcache max object size 50000
ramcache uri exclude none
ramcache uri include none
ramcache uri pinned none
ramcache ignore client cache control all
ramcache aging rate 9
ramcache insert age header enable
}
MODULE 8
Persistence
Persistence profile
Source Address Persistence
Cookie Persistence
Concept
Cookie Persistence
Why cookie Persistence ?
Modes:
>Insert Mode
-LTM inserts a special cookie (BIGipServer<pool name>) in the HTTP response
-Its value encodes the pool name and pool member (IP address and port)
>Rewrite Mode
-Web server creates a blank cookie
-LTM rewrites it to make the special cookie
>Passive Mode
-Web server creates the special cookie itself
-LTM passively lets it through
Custom Profile
#b profile persist pan_cookie { mode cookie cookie mode rewrite cookie name paa }
Parent Profile:
profile persist cookie {
mode cookie
mirror disable
timeout immediate
cookie mode insert
cookie name none
cookie expiration 0d 00:00:00
cookie hash offset 0
cookie hash length 0
rule none
}
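The "encoded" pool member in the insert-mode cookie is only obfuscated, not protected: the documented BIG-IP format is `BIGipServer<pool name>=<IP in reversed byte order, decimal>.<port in reversed byte order, decimal>.0000`, so anyone who receives the cookie can read the internal address of the server behind the virtual. The following added example (not F5 code, and not from the slides) encodes and decodes that value and scans a response for leaked members; the pool name `http_pool`, the member 10.1.1.100:8080 and the Set-Cookie header are constructed assumptions.

```python
"""Encode/decode the LTM insert-mode persistence cookie and audit a response
for the backend addresses it exposes.  Added illustration, not F5 code."""
import ipaddress
import re

COOKIE_PREFIX = "BIGipServer"


def encode_member(ip, port):
    """Build the cookie value the LTM inserts for pool member ip:port."""
    octets = ipaddress.IPv4Address(ip).packed          # big-endian bytes
    ip_enc = int.from_bytes(octets[::-1], "big")       # reversed byte order
    port_enc = ((port & 0xFF) << 8) | (port >> 8)      # swapped port bytes
    return f"{ip_enc}.{port_enc}.0000"


def decode_value(value):
    """Recover (ip, port) from a cookie value; the transform is its own inverse."""
    ip_enc, port_enc, _tail = value.split(".")
    ip = ipaddress.IPv4Address(int(ip_enc).to_bytes(4, "big")[::-1])
    port_enc = int(port_enc)
    port = ((port_enc & 0xFF) << 8) | (port_enc >> 8)
    return str(ip), port


# Matches "Set-Cookie: BIGipServer<pool>=<value>" regardless of header case
SET_COOKIE_RE = re.compile(
    r"Set-Cookie:\s*" + COOKIE_PREFIX + r"([^=;\s]+)=([0-9.]+)", re.IGNORECASE
)


def members_leaked_by(response_headers):
    """Return every pool member exposed by an insert-mode cookie in the raw
    response headers, as (pool name, ip, port) tuples."""
    found = []
    for m in SET_COOKIE_RE.finditer(response_headers):
        pool, value = m.group(1), m.group(2)
        ip, port = decode_value(value)
        found.append((pool, ip, port))
    return found


SAMPLE_RESPONSE_HEADERS = (   # constructed sample, not a real capture
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: BIGipServerhttp_pool=1677787402.36895.0000; path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    print(encode_member("10.1.1.100", 8080))          # 1677787402.36895.0000
    print(decode_value("1677787402.36895.0000"))      # ('10.1.1.100', 8080)
    print(members_leaked_by(SAMPLE_RESPONSE_HEADERS))
```

Because the value is reversible, treat the persistence cookie as disclosing backend topology to every client; later LTM versions can encrypt the cookie in the persistence profile, and a review of a deployment should check for that setting (or for an equivalent iRule) whenever the pool members are on addresses the client is not meant to learn.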
MODULE 9
Processing SSL Traffic
Exploring SSL on Big-IP
Configuring Big-IP for SSL
SSL persistence
Benefits:
-Offload SSL traffic from the web server
-SSL key exchange and bulk encryption done by hardware
-Centralized certificate management
-SSL acceleration
MODULE 10
Nat & SNAT
NAT Concepts
-One-to-one mapping
-Bi-directional traffic (connections can be initiated from either side)
-Dedicated IP address
-Can't configure a port: all ports are translated
Configuring NAT
#b nat 172.16.20.1 to 207.10.1.101
#b nat 172.17.20.3 to 207.10.1.103
#b nat list
#b nat show
SNAT Concept
Secure NAT (Secure Network Address Translation)
-Performs source NAT
-Many-to-one mapping
-Traffic initiated towards the SNAT address is refused (unlike a NAT, a SNAT is one-way)
SNATs are used for:
-Routing problems (servers whose default gateway is not the BIG-IP still return traffic to the SNAT address on the BIG-IP)
SNAT Configuration
#b snat pan { origin any translation 4.2.2.2 }
#b snat pan { origin any translation 4.2.2.2 vlan clau_vlan enable }
#b snatpool pan_spool { member 3.2.2.2 member 3.2.2.3 }
#b snat pan { origin 172.16.16.0 mask 255.255.255.0 snatpool pan_spool }
MODULE 11
Virtual
Virtual
BIG-IP is a default-deny device: traffic is only accepted by a configured listener (virtual server)
Types of VIP
Standard
Forwarding (Layer 2)
Forwarding (IP)
Performance (HTTP)
Performance (Layer 4)
Used for general-purpose fast load balancing of packets using the PVA ASIC
Loses a number of features depending on the PVA acceleration mode (see next
few slides)
Configuration of virtual
>Forwarding (IP)
>Standard
b virtual accel_vip {
destination 10.118.10.12:https
ip protocol tcp
profile http_profile oneconnect_master www.foo.com tcp
persist simple_1800_profile
pool https_pool
}
Chapter 12
iRule
What is an iRule?
Example iRules
Change server headers
when HTTP_RESPONSE {
HTTP::header replace Server "Microsoft-IIS/5.1"
}
Remove all server headers
when HTTP_RESPONSE {
HTTP::header sanitize "ETag" "Header01" "Header02"
}
On 404 error, re-load balance (by redirecting the client to the same URI, so its next request is load balanced again)
when HTTP_REQUEST {
    set RequestedPage [HTTP::uri]
}
when HTTP_RESPONSE {
    if { [HTTP::status] eq "404" } {
        log "Dooh, page '$RequestedPage' not found on server [IP::server_addr]!"
        # The redirect makes the client re-request the page; with persistence
        # active it may return to the same member, and a page missing on every
        # member loops until the client gives up
        HTTP::redirect $RequestedPage
    }
}
More Samples
(from CodeShare)
when HTTP_REQUEST {
    log "Client [IP::remote_addr] has requested page [HTTP::uri] from server [HTTP::host]."
}
You can use the CLI command tail -f /var/log/ltm to view the log messages
Troubleshooting Section
File System Overview and Vi
UCS file extracting
Qkview
Look at the Statistics!
CLI Tools
Logs
Running TCPDUMP and SSLDUMP
PXE booting tips
Main LTM configuration (virtuals, pools, profiles, monitors, iRules) is stored in:
/config/bigip.conf
Main IP and VLAN settings are stored in:
/config/bigip_base.conf
BIG-IP license file is stored in:
/config/bigip.license
Log files are stored in:
/var/log/
Archived configs are stored in:
/var/local/ucs/
Tools/Commands to help
Change directory: cd
Print working directory: pwd
List directory contents: ls
View file: more <filename>
Edit file: vi <filename>
Copy file: cp <source> <dest>
Delete file: rm <filename>
Useful vi commands
i to start inserting text where the cursor is
A to start inserting text at the end of the line
Esc exits the editing mode
dd delete entire line
x delete single character
Esc then : then w to write the file
Esc then : then q to quit vi
/ starts a search through the file
Qkview
Support will often request these
Can be executed from the GUI or CLI
Contains box configuration, route information,
statistics etc
Logs
Logs can often highlight problems
Can be viewed from the GUI
Can be downloaded from the directory
/var/log
CLI Tools
bigtop utility for a quick look at how the BIG-IP
Running TCPDUMP
TCPDUMP is an inbuilt network sniffer
To run TCPDUMP from the CLI and save the output to a file
TIP: Use WinSCP to copy the file from the BIG-IP to your PC
TCPDUMP can be run from the GUI also
Running SSLDUMP
SSLDUMP is a utility available on the BIG-IP that can be used
ssldump -r /var/tmp/internal.dmp -k /config/ssl/ssl.key/default.key -d > /var/tmp/ssldump.dmp
(-r reads a tcpdump capture file, -k supplies the server's private key, -d dumps the decrypted application data)
Decryption with the private key only works for sessions that used RSA key exchange; sessions negotiated with ephemeral Diffie-Hellman (DHE/ECDHE) cipher suites cannot be decrypted this way even with the key.
Documentation for ssldump can be found on
www.rtfm.com/ssldump/ssldump.html
Chapter 13
Redundant Pair
Redundant pair Concept
Redundant Pair Setup
Config. Synchronization
Concept
When is high availability required?
Increases reliability
It consists of two identically configured BIG-IP systems
There are two basic aspects:
Failing over
Synchronizing configuration
-Initiated from either system
Redundant pair should service the same monitors,
Synchronization condition
-The administrative password must be the same on each
system
Synchronization Process
1-Create a UCS file
-which contains all configuration + licensing information
2-Send it to the peer
3-Peer creates a backup of itself
4-Peer opens the UCS file
a) Matching hostname > full installation
b) Different hostname > shared installation
Synchronize to Peer
# bigpipe config sync pull
# bigpipe config sync all
Chapter 14
High Availability
Failover Trigger
Failover Detection
Stateful Failover
MAC Masquerading
Failover Managers
Failover managers detect a failed process and
take one of several actions, e.g. restarting the
Overdog
Software to correct hardware failures
SOD
monitors the switch fabric and takes corrective action for
switch failures
-Feature Name
-Action on Failure
-Enabled
-Failed State
Command Line: b ha table show
HA Table
Failover Trigger
Processes (Daemons)
Switchboard
VLAN Failsafe
Gateway Failsafe
VLAN Failsafe
1. Detects no network traffic on the VLAN
2. Tries to generate traffic
3. Timeout reached -> action: standby becomes
active
Gateway Failsafe
Hardware Failover
The standby notices a loss of voltage on the failover cable and takes over the
active role
Network Failover
Heartbeat sent over network
No 50 foot (15.24 meter) limitation
Slower than Hardware Failover
Setting not synchronized between peers
If Both Hardware Failover & Network Failover are
being used..
Network Communication
Stateful Failover
Types of Mirroring
MAC Masquerading
MAC Masquerading
Thanks