
F5 Viprion

VoiceTone VNI F5 Viprion Configuration


First-Time Configuration
Syslog
SNMP
NTP
HTTPS Security
HealthChecks
DNS-monitor
http-ImAlive (Content and Audio servers)
Watson_Wireline
Natural Language Text-to-Speech
SIP_Proxy
Profiles
Nodes
Pools
Virtual Servers

First-Time Configuration
Log in over the console and configure the management IP and host name.
The initial console login is root, default.
The initial web login is admin, admin.
Whenever you issue bigpipe commands, save the configuration.

bigpipe save

Under Construction
Run the config command and follow the instructions to enter the Viprion management IP address, the network mask, the management default
gateway, and specific routes.
-or-

bigpipe mgmt 10.18.1.216 netmask 255.255.255.128


bigpipe mgmt route default gateway 10.18.1.129
bigpipe mgmt route 135.25.231.0/24 gateway 10.18.1.129

Next, the Viprion must be licensed. Use a web browser to connect to the Viprion's management IP using HTTPS ( https:// ), and follow the initial
setup prompts.
End Under Construction
Run the bigpipe system hostname command to configure the fully qualified domain name.

bigpipe system { hostname x275240bvprns0001.ops.vni.ec.att.com }

Syslog

Copy syslog.inc to the /config directory, or create a file syslog.inc in the /config directory:

destination d_loghost {
# The priority is the result of facility * 8 + severity.
# So priority = 19 (facility local3) * 8 + 5 (severity NOTICE) = 157.
# Facility local5 is 21, which would give 21 * 8 + 5 = 173.
udp("135.201.104.65" port(514) template("<157>$DATE $HOST $MSG\n"));
udp("132.201.226.83" port(514) template("<157>$DATE $HOST $MSG\n"));
};
log {
source(s_syslog_pipe);
source(s_cluster);
destination(d_loghost);
};

Then run

bp syslog include none


bpsh < syslog.inc
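
To confirm which facility and severity the log host will file these messages under, the <157> prefix from the template above can be decoded on the receiving side. This is an added example, not part of the original configuration; the sample line, its host name and the short facility names for codes 12 to 15 are constructed for illustration.

```python
import re

# RFC 3164 numbering: list index = numeric facility / severity code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

# Matches the template "<PRI>$DATE $HOST $MSG". $DATE is assumed to be the
# classic "Mmm dd hh:mm:ss" syslog timestamp.
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_line(line):
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("line is not in <PRI>DATE HOST MSG form")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity,
            "date": m.group(2), "host": m.group(3), "msg": m.group(4)}

def routed_as_expected(line, expected_facility):
    """True if a collector filtering on expected_facility would keep this line."""
    return parse_line(line)["facility"] == expected_facility

# Constructed sample line shaped like the template's output.
SAMPLE = "<157>Mar  4 10:15:02 viprion-a mcpd[3211]: Pool member status down\n"

if __name__ == "__main__":
    print(parse_line(SAMPLE))
    print("local5.notice encodes as", encode_pri("local5", "notice"))
```

A collector rule keyed on local5 would not match lines sent with <157>, so check the decoded facility against the filter actually configured on the log host.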

SNMP
Run the following commands within bpsh:

bpsh
bp snmpd community CompuLert {
access ro
community name "CompuLert"
ipv6 disable
oid none
source "default"
}
bp snmpd allow {
127.
135.201.104.65
135.201.104.67
135.201.104.69
132.201.226.83
132.201.226.86
132.201.226.89
}

NTP
Configure NTP and time zone. Note that "America/Swift_Current" is equivalent to NWT/CST with no daylight saving time, and will be displayed as
CST in both the top of the F5 Web GUI and from a console session to the F5.

bp ntp timezone "America/Swift_Current"


bp ntp servers 135.25.231.14 add
bp ntp servers 135.25.231.15 add

HTTPS Security
Since the Big-IP can be managed through HTTPS, and since SSL certificates expire, create a self-signed certificate that expires in 10
years (3,650 days in this case).

openssl x509 -x509toreq -in /config/httpd/conf/ssl.crt/server.crt \
  -out /config/httpd/conf/ssl.crt/server.csr -signkey /config/httpd/conf/ssl.key/server.key
openssl x509 -sha1 -req -in /config/httpd/conf/ssl.crt/server.csr \
  -signkey /config/httpd/conf/ssl.key/server.key -days 3650 \
  -out /config/httpd/conf/ssl.crt/server.crt
bigstart restart httpd

Record the fingerprint of the SSL certificate. Run the following two commands and store the output in a safe place. When accessing the Viprion
for the first time via web browser, compare the fingerprints to ensure that the SSL session has not been hijacked.

openssl x509 -fingerprint -in /config/httpd/conf/ssl.crt/server.crt | grep Fingerprint
openssl x509 -fingerprint -sha1 -in /config/httpd/conf/ssl.crt/server.crt | grep Fingerprint

To restrict less secure algorithms (refer to https://support.f5.com/kb/en-us/solutions/public/6000/700/sol6768.html for more detail), modify
the cipher string.

bigpipe httpd sslciphersuite 'ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW'


bigpipe save all

HealthChecks
In F5 nomenclature, healthchecks are undertaken by "monitors". Several monitors are included, and some we have added or customized.

DNS-monitor
The DNS-monitor health-check uses an external script located at /usr/bin/monitors/DNS-monitor. It takes 2 parameters: a DNS name to look up,
and the expected answer.
Example:

monitor DNS-monitor {
defaults from external
args "wr01000ldns0001.vni.ec.att.com 10.198.111.212"
run "DNS-monitor"
}

http-ImAlive (Content and Audio servers)


The http-ImAlive healthcheck fetches /ImAlive/ImAlive.jsp over HTTP, and expects an HTTP 200/OK response.

monitor http-ImAlive {
defaults from http
recv "200 OK"
send "GET /ImAlive/ImAlive.jsp HTTP"
}

Watson_Wireline
The Watson_Wireline monitor opens a connection to TCP port 8889 on an ASR, sends the string "HealthCheck", and expects the reply to
be the string "HealthAvailable".

monitor Watson_Wireline {
defaults from tcp
dest *:8889
recv "HealthAvailable"
send "HealthCheck"
}
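
The same send/expect check can be reproduced off-box to confirm how an ASR answers before relying on the monitor. This is an added example, not part of the original configuration: tcp_probe, start_stub and check are hypothetical names, the loopback stub stands in for an ASR, and treating the expected string as a substring of the reply is an assumption.

```python
import socket
import threading

def tcp_probe(host, port, send, expect, timeout=2.0):
    """Return True only if `expect` appears in the reply to `send`."""
    want = expect.encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(send.encode())
            buf = b""
            while want not in buf and len(buf) < 4096:
                chunk = s.recv(1024)
                if not chunk:      # peer closed before a full reply arrived
                    break
                buf += chunk
            return want in buf
    except OSError:                # refused, reset, or timed out: mark down
        return False

def start_stub(reply):
    """Constructed stand-in for an ASR health port; answers one connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)        # read the probe string
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def check(reply):
    """Probe a stub that answers with `reply`, using the monitor's strings."""
    port = start_stub(reply)
    return tcp_probe("127.0.0.1", port, "HealthCheck", "HealthAvailable")

if __name__ == "__main__":
    print("healthy stub:", check(b"HealthAvailable"))
    print("degraded stub:", check(b"HealthUnavailable"))
```

A listener that accepts the connection but returns a different string is reported down, which a plain TCP connect check would not catch.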

Natural Language Text-to-Speech


This service uses the built-in tcp monitor to make sure that ASR servers are accepting TCP connections on port 5950.

SIP_Proxy
The SIP_Proxy monitor sends a SIP OPTIONS request to an SPX and expects a valid SIP response code. Note that any response code is
considered a success.

monitor SIP_Proxy {
defaults from sip
debug "no"
filter "\x2a"
mode "tcp"
}

Profiles
Nodes
node 10.198.111.212 {
monitor icmp
screen wr01000ldns0001
}

Pools
pool DNS {
monitor all DNS-monitor
members {
10.198.111.212:domain {}
10.198.111.213:domain {}
}
}

Virtual Servers

virtual AAS-1 {
pool AAS-1
destination 10.198.111.11:http
ip protocol tcp
profiles fastL4 {}
}
virtual ASR-1 {
pool ASR-1
destination 10.198.111.13:any
ip protocol tcp
profiles fastL4 {}
}
virtual CAS-1 {
pool CAS-1
destination 10.198.111.12:http
ip protocol tcp
profiles fasthttp {}
}
virtual DNS {
pool DNS
destination 10.198.111.53:domain
ip protocol udp
}
virtual TDD-1 {
pool TDD-1
destination 10.198.111.13:22000
ip protocol tcp
profiles fastL4 {}
}
virtual TTS-1 {
pool TTS-1
destination 10.198.111.13:5950
ip protocol tcp
profiles fastL4 {}
}
virtual SPX-1 {
pool SPX-1
destination 10.198.111.14:5060
ip protocol udp
persist sip_proxy_persist
profiles udp_sip {}
}
