Introduction to F5 Load Balancer

F5 Networks best known for its BIG-IP products.

1.Set of application delivery products

2.load balancing
3.link traffic management
4.special handling
5.augmented security
6.contains multiple components

1.BIG-IP Local Traffic Management or LTM

load balancing module

2. BIG-IP Global Traffic Management or GTM :

GTM provides wide area traffic management and high availability of IP

application and services running across multiple data centers

3. Linkcontroller :

Linkcontroller monitors availability and performance of multiple WAN

connections (or Links) and then intelligently manages traffics flows
through those links, provide fault torrent, Optimized internet access.
4. BIG-IP Application security manager or ASM :

ASM Provides comprehensive security that protects IP-Based

application and services against known and unknown external threats at
the network and application layer.

5. BIG-IP Web accelerator:

Web accelerator assists web applications for mobile workers by

coaching content and working with the client browser session to
improve performance.

6. BIG-IP Enterprise manager:

BIG-IP enterprise manager provides a single, centralized management &
operational interface for the other F5 devices.

Other BIG-IP Modules

BIG-IP AAM

BIG-IP AFM

BIG-IP Analytics

BIG-IP APM

BIG-IP ASM
 BIG-IP DNS

BIG-IP Edge Gateway

BIG-IP GTM

BIG-IP Link Controller

BIG-IP LTM

BIG-IP PEM

BIG-IP PSM

BIG-IP WebAccelerator

BIG-IP WOM

Question: What does BIG-IP LTM actually do?

Answer: BIG-IP LTM Manages yours network by monitoring status of each server
and load balancing the traffic.

In this diagram, BIG-IP Lies between your server & the internet, it receives
incoming traffic and most cases sents outgoing taffic.

The LTM balances the load by sending traffic to different servers.

1.Monitors servers status

2.Load balances Traffic

 Users

Internet

BIG-IP LTM

Servers

If a server is unavailable LTM stops sending traffic to it. Unlike traditional

load balancers that are reserved for web-only applications BIG-IP LTM can
manages traffic for all ip based applications and web servers.

The LTM Examines values in the header or pay load of incoming packet and based
on its value it intercepts transforms and directs application and web services
requests.

One of the best feature of LTM is handling of SSL Traffic. The BIG-IP LTM can
of load this processing intensive function from the application servers,
greatly increasing application performance.

##########################################################
####################################################

Module 1 - Initial Setup

##########################################################
####################################################
 1. Lesson 1- Exploring BIG-IP Hardaware

2. Lesson 2- Connecting to the console

3. Lesson 3- Licensing BIG-IP

4. Lesson 4- Configuring Admin Access

5. Lesson 5- Hardware,Software.OS

#######################################################

Exploring BIG-IP LTM Hardware Details

Management Ports (MGMT) : This is the BIG-IP

management port.It has default IP address of
https://www.linkedin.com/redir/invalid-link-page?
url=192%2e168%2e1%2e245 although you can change its
address. This port is also known as Eth0.

USB Ports : There are two USB ports. use this port to
connect other devices to BIG-IP.

Console port : This is the BIG-IP console ports.Use this

DB9 connector for connecting a serial console.
Failover port : This is the failover port. use this DB9
connector for connecting a redundant system.

Ethernet ports : Use these Ethernet ports to connect the

BIG-IP to the network as well as to connect both clients and
servers to the BIG-IP. The Ethernet ports are numbered top to
bottom and left to right . for example the top left port is 1.1
while the port below it is 1.2

Gigabit SFP : Optical fiber or copper.

Fan ports : These are the BIG-IP fan ports.

LCD Pannel : while displaying massages about the status

of BIG-IP.

Controls of LCD Panel : These are the controls for the

LCD panel using these controls, you can configure a number
of BIG-IP settings.
####################################################

Connecting to the console | Connecting console to the BIG-

IP LTM

Three basic steps to overall process

1. During the first step you set the IP address, net mask and
optionally the default route for the management port if the
default IP address is not appropriate for your network.

2. The second step is to license the system. After connecting

BIP-IP to the network, you need a valid license to active the
software. this enables the features you purchased.

3. The step is to configure the administrator access to BIG-IP.

This includes settings the root and the web administrator
passwords as well as optionally defines various network and
vlan settings.

Several utilities & tools during the setup process.

Setup tools:

1. SSH client :- To establish a remote command line

session to the BIG-IP's management port, you will need a
SSH client. I recommend putty, which you can download for
free.

2. Serial Terminal client :- To establish a serial

connection between your PC or laptop and the BIG-IP
console port, you will need a serial terminal client we
recommend tera term you can also use other serial terminal
clients such as hyper terminal or net term. all of these
applications are downloaded from the internet.

Note:- The serial terminal setting should be N-8-1 at 19,000

bps using an emulator type of Vt 100.

3. BIG-IP config script :- To configure the IP address of

the management ports as well as other network parameters,
you will use either a BIG-IP command line configuration
script which is is already loaded on the system or the LCD
panel on the hardware.
4. BIP-IP web based configuration utility :- To license
the system and configure administrator access, you will use
the BIG-IP web based configuration utility note that this
configuration utility uses SSL and access control lists to
provide secure real time configuration.

#######################################################

SETUP-OVERVIEW

Step1: Setup IP address of MGMT port.

Step2: License the system.

Step3: Configure administrator access.

Setting the management IP address :

By default IP address of the BIG-IP management port is

https://www.linkedin.com/redir/invalid-link-page?
url=192%2e168%2e1%2e245, default net mask is
https://www.linkedin.com/redir/invalid-link-page?
url=255%2e255%2e255%2e0 . There is no default network
route.
Although you can use the default IP address most people
change it. It is important to set this address, as well as net
mask and route prior to licensing the system.

BIG-IP offers two approaches for the configuring this

information 1. the command line config script or the LCD
panel on hardware.

1. Access the system :- To change the ip address, net

mask and default route of BIG-IP, you will need to access the
system via the serial console. to do so connect a null modem
cable between the BIG-IP console port and the serial port on
the BIG-IP console port and not to the fail over port.

Connect and login :-Using your serial terminal client,

open a serial connection log in as the "root" user with a
password "default"

3. Run configuration Script :-to run the configuration

script, type "config" at the comment line.

4. Type appropriate values :- As the script prompts you,

type the appropriate system Ip address, net mask and
optionally a default route.

5. Confirm choices :- The configuration script display the

choices you have made confirm or change the values.
##########################################################
####################################################

Licensing BIG-IP

BIG-IP Offers two licensing methods :

Automatic

Manual

If your BIG-IP has internet access, you can use the automatic
method.

If your BIG-IP does not have internet access or blocked by

firewall, you will need to use the manual method.

Automatic licensing Method :- To use this method you select

the appropriate box in the web configuration utility. At that
point, BIG-IP generates what is called a dossier. The dossier
contains hardware information from system as well as the
registration key.(which is prepopulated on new BIG-IP
system)
BIG-IP then sends the dossier to the F5 licensing server. If
the dossier is valid, the licensing server sends a licensing
file back to the BIG-IP. BIG-IP stores a BIG-IP licensing file in
the config directory.

Manual licensing method :- It involves a four additional steps.

To use this method, you select the manual check box in the
web configuration utility BIG-IP generates a dossier, just as
in the automatic method. However when using the manual
licensing method, you either copy the dossier or download it
as file to your PC.

If your current PC does not have an outbound connection to

the internet, you then copy the dossier to a PC that does
have one. you need to this connection to communicate with
the F5 licensing server.

You then send the dossier from the PC to the licensing

server. The licensing server returns the appropriate license
file. You then copy the license file to BIG-IP.
Accessing BIG-IP :-

Regardless of which licensing method you chose the first

step is to access the BIG-IP. You do this by connecting to the
IP address that you configured for the BIG-IP management
port. Be sure to use https for this connection.

1. https://(BIG-IP IP address)

Note this first time during any browser session that you
connect to BIG-IP, the web browser alerts you that BIG-IP
security certificate is not known this is normal behavior.

The BIG-IP system creates a self signed certificate as a part

of the setup utility. The handling of self-signed certificate
varies across different web browsers of the option provided
by your web browsers, select the one that accepts BIG-IPs
certificate and continues to the web configuration utility.

the next step is to log to the BIG-IP configuration utility. The

default user name is admin and the default password is
admin.

Entering registration key

If a BIG-IP is not licensed, the configuration utility displays
the activate button. Click this button to pick off the licensing
process.

The next step is verify the existence of or enter the

registration key. As long as the registration key file exists in
the BIG-IP file system, the base registration key field is pre-
populated otherwise you will need to obtain your registration
key & enter it normally.

You then chose the licensing method you with to use

automatic or manual and click next.

If chose the automatic method, BIG-IP takes over at this point

and complete the licensing process for you.

If you chose the manual method, BIG-IP builds a dossier and

displays it in the user interface.

Processing licensing Manually:-

copy dossier locally

connect pc to internet
 send dossier to F5 licensing server

get license from F5

copy license to BIG-IP system

click next

When the licensing process complete successfully, BIG-IP

displays a configuration changes verified massage. At this
point, you should reboot the system.

Configuration admin access:-

After the licensing process complete, BIG-IP automatically

launches the setup utility, which is actually a component of
the overall web configuration utility.The primary purpose of
the setup utility is to configure administrative access to the
BIG-IP. You can configure the password for the root user of
the command line interface and for the admin user of the web
interface. You can also configure hostname for the BIG-IP as
well as a variety of other settings.

Setup utility --> platform --> 1. Root account

2. Admin account
3. Host account

--> Click next

Configuring network information

Basic network configuration allows you to create two V-lans

internal and external then IP address and interfaces to both
V-Lans.

Click next to continue with basic network configuration. The

first configuration screen is for the internal V-lan. You can
assign self IP address and net mask for your internal V-lans.
Note that port lockdown field. Port lockdown is a security
feature that allows you to limit which ports are listening on
the self IP address. You can also configure interfaces and V-
Lan tags if needed and if redundant pair was specified, a
floating IP address and Failover-peer.
Clicking not displaying an almost identical screen for
configuring the external V-lan. Once you have configured
both V-lans, the intial setup is complete.

Web configuration utility: Functionality :-

You can use the web configuration utility for variety of

configuration takes, such as setting up virtual servers, pods,
monitors and SNATs and also perform monitoring.

In additional provides convenient access to

downloads

Configuration Monitors Downloads

Vertual server Network traffic SNMP MIB

Pools current connection

Monitors Operating system

SNATs
Web config utility :- interface

In web configuration utility, you access various functions.

There are some tabs in the panel. The tabs common to all
BIG-IP products are.

Overview :- from which you can download documentation

and run the setup utility.

Templates & Wizards :- for creating common

configurations.

Network:- for configuring network routing and switching.

Systems:- for backing up yours configurations and

releasing the system.

Local traffic :- this appears BIG-IP is licensed for LTM. This

tab is where will configure most LTM feature and where you
will be spending most of your time.
You can also configure BIG-IP using a command line
interface (CLI). You access through either the BIG-IP serial
console remotely via SSH.

Backing up your configuration

BIG-IP backs up its configuration to a user configuration set

(UCS) file.

The UCS file is actually composed of a series of files

command into a single compressed file that can be stored on
the BIG-IP or downloaded to another system. Note also that
the UCS file contains the BIG-IP license.

To access or create backup files, select the system tab in the

web configuration utility, and then select archives.

This open the archive screen from which you can upload
existing backup files BIG-IP or create new backup files.

Systems --> archives

####################################################
#####

Hardware, software and OS of F5 BIG-IP Load balancer

Provisioning BIG-IP resources (CPU and RAM)

Provisioning, which was added to BIG-IP in version 10, gives

you some control over the BIG-IP resources both CPU and
RAM, that are allocated to each license module.

For example if you are licensed for both GTM and LTM & you
know that you are implementation of GTM will require fewer
resourses than LTM.

You can use provisioning to minimize that resources

dedicated to GTM. LTM is provisioned by default. Unless you
have purchased additional BIG-IP modules, there is nothing
you need to do.

Configuring provisioning :-

To provision BIG-IP resources you use the system tab in web

configuration utility. These are four levels you can set to
indicate the resources you want allocated for each you are
licensed to use.
Dedicated

Nominal

Minimum

None

Dedicated :- If only one module is functional on that CPU

or on the whole system.

Nominal :- Nominal gives the module enough resources for

most typical configuration if they are available.

Minimum :- it gives the module its minimum functional

resources to other modules. Use the minimum setting to
coexist system.

None :- Use none of you do not want any resources

provisioned for the module.

##########################################################
####################################################

BIG-IP Hardware platforms

F5 network offers multiple BIG-IP platforms to fit different
traffic needs. All platforms run the same software, but higher
end platforms contain more options and can support more
modules simultaneously.

BIG-IP LTM 8900 Series

The 8900 series comes with symmetrical multi processing

across eight core. It includes 16 gigabytes of RAM, 16 copper
Ethernet ports, each with a speed of 1 gigabit, 4 fiber ports
and dual power. The 8900 also supports upto 56,000
transactions per second

(or TPS) of SSL encryption.

BIG-IP LTM 6900 Series

The 6900 series comes with symmetrical multi processing

across 4 cores. It includes 8gb of RAM, 16 copper Ethernet
ports with speed upto 1gb, 4 fiber ports and dual power. The
6900 also supports upto 25,000 TPS of SSL encryption.
BIG-IP LTM 3600 Series

The 3600 series comes with symmetrical multi processing

across 4 cores. It includes 4gb of RAM, 8 copper Ethernet
ports with speed upto 1gb, dual power is an option . The
3600 also supports upto 10,000 TPS of SSL encryption.

BIG-IP LTM 1600 Series

The 1600 series comes with symmetrical multi processing

across 4 cores. It includes 4gb of RAM, 4bg copper Ethernet
ports, Dual power is an option . The 1600 also supports upto
5,000 TPS of SSL encryption.

BIG-IP VIPRION

The most powerful BIG-IP platform is the VIPRION, a single

controller that uses modular performance blades you can
add or remove with out disrupting your applications. A fully
loaded VIPRION system with blades delivering greater
performance superior functionality then competitive
products. Each of the blades includes 2 dual- core
processors, 8gb of RAM, 8 copper Ethernet ports each with
upto 1gb speed, 12 gb fiber ports and upto 2 10 gigabit fiber
ports.
####################################################
####################################################
##########

Inside a 3600 BIG-IP

All one board

processor

SSL chip

AOM

switch fabric

Adding hardware

There are few pieces of additional hardware that you can

order from F5.

A redundant power supply.

A F IPs SSL accelerator card which allows for

independently- certified secured management and storage of
private keys. Note that F IPs card must be installed at the
factory.

A small form pluggable (or SFP)

Additional RAM
This power supply and FAN chassis included with the
product are customer replaceable.

BIG-IP LTM Software support

Platform V9.x v10.x

VIPRION V9.6 + Y

8900, 6900, 3600, 1600 V9.4x+ Y

8800, 8400, 6800, 6400 3400, 1500 Y Y

4.5100, 2400, 1000 Y N

5.520,540 V9.2+ N

Details of each platform the versions of BIG-IP

software that is supported.

Light Out Management System

The BIG-IP Hardware is actually running two operating

systems. The primary BIG-IP operating system is linux, but
traffic management micro kernel (TMM) is responsible for
processing all client network traffic.
The second is either always ON management (AOM) or
switch card control processor (SCCP) (depending ON the
hardware platform) and is dedicated separate system the
provides light out management as well as other supporting
functions for BIG-IP.

AOM is included is most current BIG-IP products the 8900,

6900, 3600 and 1600 series.

SSCP is on the 8800, 6400, 3400, and 1500 models. Both AOM
and SCCP are embedded linux systems.

Configuring IP for AOM / SCCP

For the light out operating system to be available remotely. In

case TMM goes down, you must configure an IP address for
AOM or SCCP. The best time is to do this is during the initial
setup. You must use the serial console session with BIG-IP
to configure this IP address. To access the menu, press and
release the escape key and then press the left parenthesis
{ Key

The menu for SCCP or AOM appears chose option and

follows the prompts to configure the IP address
==================================================
==================================================
==================================================
============

Module 2 - Processing Traffic

==================================================
====

==================================================
==================================================
========.

1. Lesson 1 - Processing Traffic Technology

2. Lesson 2 - Processing Traffic

3. Lesson 3 - Configuring Pools and Virtual Servers

==================================================
====
BIG-IP LTM Processing Traffic Technology | BIG-IP LTM
Processing Traffic

BIG-IP LTM Processing Traffic Technology

Note:- Node is an supply a IP address

Pool member :- It is a combination of IP address and Port.

It other words, a pool member represents the service to
which BIG-IP will direct traffic.

Pool :- A grouping of pool members is known as pool. All

pool members generally host the same content. Pool
member do not have to the listing on same port. They can be
on the same IP address and different ports. Generally clients
do not connect directly to pool members.

Virtual Server :- The virtual server gives every thing

together on BIG-IP. Like pool members, virtual servers
typically contain both an IP address and Port. Each virtual
server is often called a Listener as it is listening for traffic
destined to its particular IP address and port combination.
IP address + Service (Port)

Combination

Listens for and manages traffic

BIG-IP is default deny device. Therefore, it is important to

realize that without configuring a listener such as virtual
server, BIG-IP process no client traffic.

Typically, you associate virtual server with a pool and BIG-IP

distributes the traffic across pool.

####################################################
####

F5 BIG-IP LTM Processing traffic

F5 BIG-IP Basic Nomenclature

have a look at basics first

Processing traffic

Virtual server Address translation

When the packet arrives, BIG-IP translates the destination IP

address from the virtual server to that of the actual server.
The client sees the pool of the servers as a single server
hence the teem virtual server.

Although uncommon, you can configure pool member to use

different ports, in which case BIG-IP would also translate the
virtual server port to the actual server port.

Network flow- Packet # 1

First a DNS server resolves the DNS request to virtual server
address on BIG-IP.

In some cases clients must go through a NAT devices (a

device the performs NAT), prior to reaching BIG-IP. In this
case the DNS request is resolved to an address on the NAT
device that is translated to the virtual server address.

The client machine then initiates the connection across the

internet to the virtual server address. At this point the source
IP address is that of client and the destination IP address the
virtual server using normal IP routing process, the packet
appears on a BIG-IP interface. BIG-IP receives the packet and
processes it based on virtual server configuration.

By default, BIG-IP translate the destination IP address to that

of a pool member, but leaves the source IP address alone.
BIG-IP uses a combination of monitor results, persistence
load balancing method and setting to choose a pool member.

Asymmetric Routing Problem

If BIG-IP changes an IP address of an incoming packet the
response must return through BIG-IP.

The roundtrip is necessary because BIG-IP is the only device

that knows how to translate the IP address back to its
original value so that the client will accept the response
packet.

If the pool member default route does not go through BIG-IP.

As a result, an asymmetric routing problem occurs. The
client machine refuses the response packet because the
source IP address differs from the original destination
address. It is now the address of the real server instead of
virtual server.

The only solution is to make sure the packet comes back

through BIG-IP.
One way to accomplish this is to set the servers default or
state routing so that packets pass back through BIG-IP.

A second option is to use a SNAT, which changes the source

address to BIG-IP address, thus forcing the response packet
through BIG-IP.

Network flow packet #1 return

Lets assume that we chose to change the server default

route.

By forcing the packet back through BIG-IP, is allows BIG-IP

translate the packets source IP address (which is now the
address of the actual server) back to the virtual server to
which the client originally sent the packet.

Because the source address now matches the original

destination address of the initiation packet, the machine
accepts the response.

Network flow-packet #2
For the next initiated packet from either the same client or a
different client the same process occurs flow ever. Here we
show BIG-IP load balancing this next request to a different
pool member.

Noticed to the different port than the virtual server. So port

translation will occur also.

Network flow-packet #2 return

Just like our previous example, the response packet must

return through BIG-IP, So that the source address can be
translated back to the virtual server address.

Network flow-packet #3

If a pool member is unavailable, BIG-IP sends the incoming

packet to next available pool member.

How BIG-IP chose this next member is the subject of a future

module. Note that clients are not aware they are being load
balanced nor that their request has been diverted to another
server. BIG-IP administrator, however can configure SNMP
traps to alert them when pool members are marked up or
down.
#######################################################

More than NAT- Fully proxy architecture

It is important to note that BIG-IP is doing much more than

translating network address. F5 network has implemented a
fully proxy architecture with in BIG-IP.

This means that BIG-IP can have separate TCP connection

for the client and for the server. This allows for tremendous
flexibility and robust functionality within the product.

####################################################
####################################################
##########

F5 BIG-IP LTM Configuring Pools and Virtual

Servers

Configuring Pools :

In order to configure a new pool select the local traffic

section of navigation panel, select pools and click
create(either in the fly out menu or on the pool configure
screen)

Type a name for the pool, adding a monitor is optional and

then select the load balancing method and member
definitions.

Click finished.

Configuring virtual servers:

To configure a new virtual server, select virtual servers and

then click create (either in the flyout menu or on the virtual
servers configuration screen)

Next, type a name for the virtual server as well as its IP

address and port and select profiles if desired. Note that we
will examine profiles in a future module.

Finally, scroll down the resources section and enter your

chosen pool in the default pool setting.

Click finished

Notice the plus (+) sign option next to the default

pool. This allows the BIG-IP administrator to
configure a new pool in the midst of configuring a
virtual server.
##########################################################
####################################################

Network Map

Another important feature in the web configuration utility is

the network map. Network map allows the administrator to
view an entire configuration at once along with the status of
all virtual servers and their components both i-rules and
pools.

This can be extremely useful when you need a quick

overview of the current status of yours BIG-IP configuration.

Statistics

There will also be times when you want to determine the

amount of traffic BIG-IP is processing and how its being
distributed.

To accomplish this you can view BIG-IP statistics information

with in the web configuration utility.
There are two ways to view statistics. Either select the
overview tab then type of resource or from the statistics tab
within the particular resource.

For example you might choose pools or virtual servers and

then click the statistics tab from that item.

Logs:

Viewing loging information can also be helpful BIG-IP log

files show the status of pool members but only if you have
assigned monitor to the pools. You can also use SNMP traps
and/or a centralized syslog server for automatic notification
of certain log events.

##################################
##################################
##################################
############

Module 3 - Load Balancing

 ####################################################
####################################################
##########

lesson-1 load balancing modes

lesson-2 member vs node

lesson-3 priority group activation

lesson-4 configurating load balancing

####################################################
####################################################
##########

F5 BIG-IP LTM Load Balancing Methods

Load balancing methods

BIG-IP LTM offers a variety of load balancing methods to
choose from.

There are two types of load balancing methods.

statistic load balancing method / mode.

dynamic load balancing mode.

statistic load balancing mode:-

There are two static load balancing modes.

1.Round robin

2.Ratio

2..Dynamic load balancing mode:-

1.least connections

2.fastest
3.observed

4.predictive

5.dynamic ratio

These modes are considered dynamic because each

one takes server performance into account in some
way.

1.Round Robin:-

Round Robin is the default and probably the most commonly

used load balancing method.

Using this method, BIG-IP evenly distributes client request

across all available pool members.

Server availability

It is important to know that BIG-IP distributes request

between available servers only. Server availability is
determined by the administrator and monitor status of both
the node and the member.

Lets examine the round robin example for a moment

suppose server 4 has been marked offline or disabled by a
monitor r an administrator.

Using the Round robin load balancing method, BIG-IP

distributes client request evenly across the remaining
available servers.

2.Ratio:-

The ratio method is appropriate to use if same pool members

are more powerful than others. In this example, the ratio is
set as 3:2:1:1.
As a result, BIG-IP sends three times as many requests to
server 1 and twice as many requests to server 2 (as
compared with servers 3 & 4)

If one server that was much faster than the others. After
receiving the available load balancing methods to choose
Ratio method. Knowing it would allow BIG-IP to letter utilize
his more efficient server.

As request are processed, all available members are given

one client request.

Then three or greater, and so on until the member with the

highest ratio has been given the number of requests equally
its ratio. Then the whole process starts over again.

Remember that both ratio and Round robin are static load
balancing methods. This means that if a server with a higher
ratio is available, it will still receive more requests then the
other servers even if its performance is shown then the
others.

If you want to consider server performance, you should use

one of the dynamic load balancing methods.

1.Least Connections :-

The least connections load balancing method uses the

current connection to decide where to send the next client
request. Assuming the current connection counts are listed.

The next connection will go to server1. now server1 & 2 have

equal counts so BIG-IP will round robin between them.

Assuming connections count stay as shown, now server 1,2

&3 all have equal counts so BIG-IP will round robin between
all three.
Least connections is appropriate for many cases but may be
most relevant when the client connection length varies
significantly and round robin could result in uneven loads.

2.Fastest:-

The load balancing method known as fastest uses the

outstanding layer7 request to decide where to send the next
client request. You might have assumed the fastest load
balancing method used response time to make a decision
but what response time should be used ? the response time
to ping does not take into account how fast a web server at
port 80 will respond. And syn-ack response to a SYN for a
port doesnot take into account how fast the backend
database server will be able to populate the content of the
web page. These are the two examples why fastest load
balancing method uses outstanding layer7 requests rather
than response time.
If the server 1 ,2 and 3 have equal number of outstanding
layer7 requests then BIG-IP will round robin between them.
Notice that server 4 may not be used until its outstanding
layer 7 request reach a similar. Volume to other server.

3.Observed:-

The observed load balancing method is basically Ratio load

balancing but with a ratio assigned by BIG-IP. The ratio
assigned to each member is based on the current connection
count. Servers with a lower than average connection count.
Servers with a lower than average connection count are
assigned a ratio of 3 . those with higher then average
connection count are given a ratio of 2. based on your
understanding of ratio load balancing, you know more
requests will be distributed to the servers with lower
connection count. These ratios are dynamically reassigned
by BIG-IP every second.
In our example, if servers B and C have lower then the
average connection counts they will receive more requests.

4.Predictive:-

The predictive method is similar to observed, but assigns

more aggressive ratio values.

Servers with a lower than average connection count are

assigned a ratio of 4, and those with a higher than average
connection count are give a ratio of 1. this means 4 times as
many requests will be distributed to the servers with lower
connection counts. Again these ratios are dynamically
reassigned by BIG-IP every second.

In this example server B and D are the ones with lower than
average connection counts and receive more requests.
Note:- The ratio numbers mentioned for observed and
predictive were used as explain the difference between these
two dynamic load balancing methods.

Member vs Node | Difference between Member and

Node in F5 BIG-IP Load Balancer

BIG-IP can do load balancing by pool member or node when

during which approach we take, the key question to ask is
this : Do you want BIG-IP LTM to make a load
balancing choice based on pool member statistics
or node statistics ? If you recall a typical pool member
contains both an IP address and a port where as node
contains only an IP address.

There fore if the administrator chooses load balancing by

node, BIG-IP will take all transactions for that IP address into
account when making a load balancing decision.
On the other hand, if the administrator chooses load
balancing by member, BIG-IP makes the load balancing
decision based on pool member port at that IP address. Load
balancing by

Node :- Total service for 1 IP address.

Pool Member: - IP address & Service .

Priority Group Activation | Priority Group Activation

of F5 BIG-IP LTM Load Balancer

Priority group activation allows the BIG-IP administrator to

designate and backup sets of pool members with in a pool.
This feature is often used to assist meeting client traffic
demand when too many servers are unavailable.

Take a look at this diagram. As you can see all six servers
are members of a single pool.
With priority group activation set to 2, and 3 of highest
priority member available, lower priority member are not
used.

We decides two available server is enough to handle client

traffic loads. Just to be sure though we decides to use three.
These three servers then should be the first to receive
requests. Priority group activation makes this behavior
possible.

We configures three servers with a priority of 10 and

configures the others with a priority of 5. if priority group
activation is set to BIG-IP will use available members with the
highest priority number first. It will then add all pool member
at the next lower priority until a total of two available member
is obtained.
In this case, if atleast two priority 10 pool member are
available, those servers will receive all the requests.

But lets suppose two of priority 10 pool members are marked

offline. Since this means only one priority 10 members is left,
we have now fallen below our 2 available pool members.

BIG-IP LTM then adds all available members at the next lower
priority number atleast 2 are obtained. In this scenario load
balancing occurs as shown. If another priority 10 members
becomes available, BIG-IP no longer uses the priority 5
member.

Fall back Host (http only)

The fall back host feature, which is designed for the http
protocol only comes into play if all members in a pool are
unavailable.

If all members fail then client can be sent an http redirect.

Using this fall back host feature BIG-IP sends an HTTP

redirect to the client rather then sending no response at all.

Configuring Load balancing in F5 BIG-IP Load

Balancer

Configuring Load balancing:-

You configuring the different load balancing methods within

a pool configuring page, which is located in the local traffic
section of the web configuration utility. Notice that most load
balancing methods allow you to choose between member
and node keep this in mind when making your choice.

You also configure priority group activation in the same

location.

You can set the ratio and priority for each pool member by
selecting each member and then configuring it, or you can
set there values when you initially create a pool.

Ratio of member and node:-

Note that the ratio number within a pool is only relevant if the
selected load balancing method is ratio(member) not ratio
(node). If a load balancing method other than ratio(member)
is chosen such as round robin shown here, the ratio
numbers would be ignored.
If you choose a Ratio (node) load balancing method, you
must set the ratio within the node as opposed to within the
pool member.

##################################
##################################
##################################
###########

Module 4 - Monitors

####################################################
####################################################
#########

Lesson 1 : Monitor functionality

Lesson 2 : Monitor types

Lesson 3 : Configuring a Monitor

Lesson 4 : Associating a Monitor

Lesson 5 : Status due to Monitors

####################################################
####

Monitor Functionality

The BIG-IP LTM system can monitor the health and

performance of nodes and members, in an attempt to ensure
client is not sent to a server that is not available or not
serving good content.

A monitor is a test that BIG-IP performs on a node or

member. The test can be as simple as a response from a
node to highly interactive with multiple requests and
corresponding responses.
A monitor generally tests a specific node or member for an
expected response within a defined time interval.

BIG-IP uses the results of these tests to determine whether a

node or member is available, meaning it is working properly
and serving good content. After a monitor marks down, due
to lack or an inappropriate response that particular member
will not be sent client traffic.

BIG-IP LTM continues monitoring, so when a positive

response is received the member can be marked up and
once again receive client traffic.

The fallowing interactions describe the general steps to

setup a monitor.

Step1: Create :- Just as with many other options in the

web configuration utility, you create a new monitor from the
local traffic tab in the navigation panel.
Step2: Name and Type :- The second step is to name the
new custom monitor and select the type from the list of
system templates.

Step3: Customize :- the third step is to customize the

setting to fit any deployment-specific needs and then save
the new monitor.

Step4: Assign :- The fourth step is to assign the monitor.

Monitors can assigned to nodes, pool members or pools.

Step5: Status :- The final step is to view the status of the

nodes, members, pools and virtual server. You can view
status from the network map or statistic screens.

Monitor Types | F5 BIG-IP LTM Monitor Types

Monitor Types

Types of monitoring:-

1. Address check :- IP address Node

2. Service check :- IP- Port

3. Content check :- IP:Port & Check data retuned

4. Interactive check :- Interactive with servers and

multiple commands and multiple responses.

Address check :- the simplest type of test is the address

check one type of address check is internet control message
protocol (or ICMP). It is used to ping an IP address and listen
for a response from the node.

An address check only the tests the node and does not tell
BIG-IP any thing about how a service is performing i.e pool
members.
If there is no response from the node within the monitors set
timeout period, the node is marked unavailable. This will also
cause the pool member using this IP address to be marked
down.

Service Check :- Service check test if the server is

listening on a port for the IP address. When such monitors
are associated with a pool member, they determine the
availability of a service.

For a TCP service check, a TCP connection is opened. If

there is a positive response from the server, then the TCP
connection is closed. This positive response is considered a
successful check.

If there is no positive response before the timeout period

then the member is marked down and unavailable to pool.

Service check only test whether the server is listening on a

port and does not provide any insight into the quality of
content that might be returned. So remember, it is important
to understand what is being checked and whether that is
enough to determine upon down state approximately.

Content check:- Content check go beyond testing whether

a node is responding or a member is listening. They also test
whether the server is responding with correct content.

After the TCP connection is established a command is sent.

In the example, an HTTPGET/ command is issued. Each
servers response is checked against the receiver string.

for example, if the receive string is defined as the text

server and the response contains the text server, the text
is constructed successful and the pool member is marked
up.
If the connection fails or the response does not include the
receive string, the member is marked down and unavailable
for client requests.

It is important to pick an appropriate receive string for your

content check. As shown on this page you might think It is
ok to check for the characters server but....

the 404-file or directory not found web page also contains

the text server. This means the error page also passes the
monitor check and the member would be marked up. This is
an example of the receive string not being specific enough.

Interactive check:- Services like FTP require interactive

checks because information like user name, password,
directory and file name are typically required.

BIG-IP opens a TCP connection and then initial commands

are sent and examined. Additional commands can be sent
and examined before the connection is closed.
If any condition fails, the member is marked down.

Most interactive checks are external monitors LTM calls an

external scripts (like shell, Perl etc) to perform one or more
tests and aggregate the results.

Monitor check example chart

Customizing a monitors in F5 BIG-IP LTM

Customizing a monitor

The system provided monitors are used as templates for

creating your own custom monitors.
A few monitors checks like ICMP can be used with little or no
modification.

Most templates are just, templates. They are not designed to

be used in production should be customized.

For example, many sites use the default HTTP monitor, but
because it does not check content, it would not generally be
recommended.

HTTP opens a connections sends a GET/ command and then

marks the device UP regardless of the content returned.
With out user defined receive rule, the HTTP monitor will fail
to detect many server problems.

There are also many templates that must be customized

before they can be used. Many monitors checks require very
specific information such as user name password, directory
or database information, as well as an expected response.
Note that you can also use custom monitors as a template for
creating other custom monitors.

Creating custom Monitors

General steps required to configure a new custom monitor.

To start, selectmonitors and then click the create button or

select create from the flyout menu.

Note that the options on the monitors configuration screen

very significantly depending on the type of monitor chosen.

In the general properties section, type the name for the

custom monitor you are creating and then select a template
from thetype drop down menu.

In the configuration section enter appropriate settings

forinterval and time out.
For the HTTP monitor type, the send string is prepopulated
with the GET/ command with no file name. this results in
requests for the default webpage, such as index.html.

Additional monitor parameters

For some monitor types we can enter a regular expression

for the regular string. The receive string causes BIG-IP to
look for a match with in the service response before making
the member UP.

The reverse receive rule will mark the member down, when
the receive string response is found. This allows BIG-IP to
check for down conditions like the server error-404page.
Monitor Timers

All monitors checks have an interval or frequency and

timeout configuration settings.

The interval setting is the number of seconds between

monitor checks, it determines the frequency BIG-IP will
performed a monitor check on a node or pool member.

The timeout setting is also represented in seconds and

determines how long to wait for a positive response before
deciding to mark a pool member or node down. F5 networks
recommends setting the timeout duration to 3 times the
length of the interval setting, plus 1 additional second.

BIG-IP continues to issue monitor checks at the designated

interval even if the node or pool member has been marked
down. If the monitor check receives a positive response them
the node or pool member status is changed to up or
available.

.frequency of check (interval)

.timeout

.recommended : 3n+1

Associating a Monitor to F5 BIG-IP LTM

Associating a Monitor

Assigning Monitors to Nodes

To assign the node default monitor, expandlocal traffic from

the navigation panel, select nodes and then select the default
monitor

Select a Health monitor and move it from theavailable box to

the Active box and click update

When assigned, this default monitor checks all Nodes

configured on BIG-IP unless it is overridden as shown in the
next steps.
To set a monitor to a specific node select Nodes from
thelocal traffic section of the navigation panel.

Click on the IP address of the node, from theNode list, to be

assigned a different monitor.

Within the configuration section, change the health monitors

drop down menu toNode specific. Select an available monitor
and move it from theavailable box to theactive box and click
update.

We have now assigned the node default monitor and

changed an individual node to a Node-Specific monitor. We
could have also assignedNone to health monitors. If we did
not want any monitor checks performed on the individual
node.

Assigning Monitors to Pools

The most common way to monitor pool member is to assign

a monitor to the pool.

In order to accomplish this, from the navigation panel,

expand thelocal trafficsection and select pools.
From the pool list, click the name of the pool to be assigned
the monitor.

with in the configuration screen, select an individual box to

theActive box and clickupdate.

By default, assigning a Monitor to the Pool tests each

individual Pool member with the specified monitor.

Assigning Monitors to a Pool Member

Sometimes Individual Pool member need different monitor

checks because of additional requirements or difference in
hardware. Whatever the case might be, to assign a monitor to
an individual Pool Member select the local traffic section and
then selects the Pools.

Select the appropriate pool then the Member Tab, and then
the individual Pool Member that needs its own monitor
check.
With in the configuration Screen header, select advanced.

Now the selects Member specific from the health monitors

drop down menu and move a Monitor from the available box
to Active box and click update.

A member specific monitor is used on a pool member

instead of any monitor assigned at the Pool level, not in
addition to.

Status of Monitors of F5 BIG-IP LTM

Status due to Monitors

Logical diagram of Health Monitor status

The logical diagram shows the relation ship between the
different objects at each layer and how the status of the
object, bubbles up to influence the layer above it.

The status of a Node influence the state of the Pool member

at that IP address.

The status of the Pool Member determine the state of the

Pool and status of the Pool determines the state of the
associated virtual server.

States

UP/ available :-The available state means that the object

passed the monitor passed the monitor check and BIG-IP will
send it new client connections.

Down/Offline:-The offline state means that the object has

not received any positive responses to monitor checks with
in the timed out period. No new client connections will be
sent to this object.

Unknown:-The unknown state means that the no monitor

has been assigned to the object or that the results of the
monitor checks are still undetermined.

Objects in a unknown state will be sent new client

connections.

Connection limit/ unavailable:-The unavailable state

means that the object has reached a preset connection limit
and that no new client connections will be sent to that object.

Monitor status Icons

Status options

Status from the Network Map Screen

Expand thelocal traffic tab from the navigation panel, and
select Network Map.

Thelocal traffic summary screen, displays a number of

objects and its status.

Click theshow map button for a view similar to health monitor

logical diagrams.

From this screen, there are also variousstatistics and

configuration screens that provide monitor status and at
glance show the health of the various parts of the system.

Module 5 - Profiles

lesson1- profiles concepts

lesson2- configuring profiles

Profile concepts | F5 BIG-IP LTM Load Balancer Profile

concepts

Profile concepts

Profile contains settings that instruct BIG-IP to process

traffic through that virtual server.

Why would you want to change virtual server default traffic

processing behavior ?

From the modules 2 and 3 we know that default behavior for

a standard virtual server is to load balance traffic.

Ex: - We has an application that starts information about the

client only on the server to which the client originally
connected? If the client returns on a subsequent connection
and BIG-IP load balance to a different server, the application
breaks.

To prevent this from happing, you can apply a persistence

profile to the virtual server. A persistence profile tells BIG-IP
how to identify a returning client connections to the same
server rather than make new load balancing decision.

Persistence profile takes precedence over the virtual server

default load balancing traffic behavior when working with
returning clients.

Another variable reason for profiles is duplicating setting to

multiple virtual servers.

We also knows that our application needing persistence

receives its client traffic from many different networks.
So we has decided to use multiple virtual server to handle
this traffic coming from different network. All of these virtual
server points to the same pool and can use the same
persistence profile.

Specific example where profiles are used are

Persistence

SSL Termination

PTP Protocol

Profile example : Persistence

A common misconception is that a persistence profile

overrides the load balancing decision altogether.

Even if a persistence profile is configured, BIG-IP performs

load balancing for a virtual server. A persistence record is
created for a client group of clients for given time period or
time out.
When the persistence record times out, or a new client
initiates a connection from that client persist before reaching
the time out.

Profile example : SSL Termination

A second example where a profile is used to change a virtual

servers traffic behaviors is SSL termination.

Lets say you have an HTTPS virtual server. The client traffic
to this server is encrypted from the client to the server. But
what if needs to examine some of the encrypted content?
And what if you want to offload the SSL encryption and
decryption work from your servers? These are the two
excellent reasons for using a clients profile and having BIG-
IP terminate the SSL session rather then the servers.
Because it contains accelerator hardware, BIG-IP can speed
up SSL processing. Terminating SSL session on BIG-IP also
allows the servers to speed their CPU cycles on serving up
the content rather than doing SSL encryption and decryption
work. Certificate management also becomes easier because
the administrator only need to install the SSL certificate at
one device(BIG-IP) rather then one each pool member.

Profile example: FTP

The final profile example is FTP. If virtual servers were only

configured to process client traffic. What would happen one
of the pool members tried to initiate traffic outbound via BIG-
IP LTM? The answer is that LTM would drop the packet. There
is no listens (virtual server) configured to receive traffic from
the pool member and direct that traffic out bound.

How does active FTP protocol work?

In active FTP, the clients initiates a connection typically to
port 21 for command control but the server initiates the
data transfer connection from typically port 20. How can this
possibly work on BIG-IP LTM? The answers is an FTP profile
is used. The FTP profile gives BIG-IP the smarts to accepts
the server initiation packed back to the client for the data
transfer connection.

One way to illustrate How profile work is a scene from the

movie The Matrix. The character Neo needs to learn
jujitsu. But rather then training for months, they sit him down
and play in a martial arts program, voila, a master. A virtual
server learns things the same way. An HTTP profile tells the
virtual server what cookie is, what an HTTP method is,
basically how to read HTTP.

Profile Dependencies
Some profile requires the presence of other profiles on the
virtual server. The OSI model provides a help full context for
explaining this requirement. The rule of thumb to remember
is if you are using a higher level profile in terms of the OSI
model, the lower level profiles are required for that virtual
server.

For instance, if the BIG-IP administrator decides to use the

cookie persistence profile, then that virtual server also needs
an HTTP profile. The cookie is contained in HTTP header.
BIG-IP cannot read the cookie without being able to read the
HTTP part of the packet.

Because HTTP is a TCP protocol, the virtual server also

needs a TCP Profile.

It is important to note that two profiles cannot coexist on the

same layer. For example, you cannot configure both a TCP
and UDP profile on one virtual server. To use both profiles,
the BIG-IP administrator would need to configure one virtual
server for TCP and another for UDP.
And the virtual server cannot be configured for both FTP and
HTTP protocols. Again each protocol would needs its own
virtual server.

Protocol-Layer4 Profiles

All virtual servers have at least one protocol (or layer 4)

profiles configured.

The most commonly used protocol profiles are TCP, UDP and
Fast L4. you do not have worry about which one the choose
because BIG-IP automatically selects the appropriate one for
your situation.

For example, if you configure an HTTP profile for a virtual

server, BIG-IP automatically sets the layer4 profile to TCP.
Configuring profiles in F5 BIG-IP LTM Load Balancer

Configuring profiles

Profile types

The different types of profiles are

Service Profiles

Persistence Profiles

Protocol Profiles

SSL Profiles

Authentication Profiles

Other Profiles
Service Profiles:-Service profiles are layer7 oriented. Two
examples are HTTP and FTP.

Persistence Profiles:-Persistence profiles are usually

client-oriented. Two examples are cookie and source
address.

Protocol profiles: -Protocol profiles are layer4 oriented.

Several examples are TCP, UDP and Fast L4.

SSL Profiles: -The types of SSL profiles are either client

SSL or Server SSL, and they are named referencing where
the traffic is encrypted.

Authentication Profiles: -Authentication profiles allow

BIG-IP to authenticate clients with the assistance of
authentication servers prior to load balancing traffic to Pool
Member.

Other Profiles: -One example the remaining profile type

(Other) is the stream profile allows BIG-IP to modify content
from the server before it reaches the client.
Profile configuration concepts

Profile configuration is based on the template

concept.

The default profiles (or templates ) are stored in the location

shown below, can be changed, but cant be deleted. However
F5 recommends not modifying the default profiles.

Default Profiles Templates

Stored in / config/profile_base.conf

cannot be deleted.

Custom profiles are stored in the location below. When they

are created, they are built from a parent profile which creates
a child /parent relation ship. We will wait until the
configuration screen to discuss child /parent relation ship.

Custom profiles

Stored in / config/bigip.conf

created from default probes

Dynamic child and parent relation ship.

Creating Profiles

There are several ways to create profiles. First select local

traffic, then profiles.

Use the Flyout menu to get to the group and specific type
and then click create.
If you dont use the Flyout menus be careful to select the
appropriate group and type of profile before clicking the
create button or you might create the wrong type.

Configuring Profiles

After creating the profile, from the new profile screen, enter
the profile name and if necessary select the appropriate type.
In this example we are creating a persistence profile and we
need to select the persistence type.

The parent profile field defaults to the template for that type,
but you can specify

another of the same type if you have already create a custom

profile.

As previous mentioned, this parent profile server as template

for your custom profile. You can accept the default values for
each setting or you can customize one or more of them by
selecting the custom check box.

Then you specify the value for each setting you are
changing. It is important to understand how these custom
values are treated. Setting that are not customized inherit the
same value as the parent. If the parent profile settings are
later changed, the child will dynamically receive that change
also.

Lets say you are creating a persistence profile and you are
customizing only the time out value later on, someone
changes the values for time out and mark in the parent
profile.

The time out value in your child profile would not change
(because you customize it)but the mask value would change
(because the child profile inherited its value from parent).
Note that if the custom check box is selected, that setting is
considered to be a static value even if it matches the default
value.

Last, the profile needs to be associated with the virtual

server before the changes will take effect.
Module 6 - Persistence

F5 BIG-IP Load Balancer Persistence

Lesson 1: Persistence Profile

Lesson 2: Source Address Persistence

Lesson 3: Cookie Persistence

Lesson 4: Administrator Status

Persistence Profile

Introduction to Persistence: -
When an application maintains the client state, a persistent
session between the server and client must be maintained in
order to properly process client requests.

The persistence profile is used to change the load balancing

behavior of a virtual server.

New clients will be load balanced based on the load

balancing method configured in the pool.

All subsequent connection requests from the same client are

direct back to the same pool member if they occur prior to
the persistence record time out.

Session Data

Upon the initial connection, BIG-IP will track and store

session data in persistence record. The persistence record
includes information like client characteristics and the pool
member that secured the client request. This information is
used to identify a returning client and direct it back to the
same pool member that initially serviced the client request.

It is important to define what is meant by a persistence

session. A session is a virtual communication link between a
client and a pool member that lasts for a period of time,
devoted to specific activity.

A session is a series of separate connection between the

same client and same pool member. The session is not
continues connection, like the SSH protocol, but consist of
connections to the same pool member over a defined time
period.

The session for creating and storing persistence records is

to ensure subsequent connection requests from the same
client will be sent to same pool member for the life of the
persistence record.
Keep in mind, the difficulty part of any persistence method is
to accurately identifying returning clients.

F5 BIG-IP LTM Load balancer Source Address Persistence

Source Address Persistence

Source Address Persistence, supports TCP and UDP

protocols and direct client requests to the same server based
solely on the clients IP address.

The default net mask is /32 on 255.255.255.255. with this

mask set, BIG-IP creates a persistence second for each client
that connects to the virtual server.

One limitation of source address persistence is that if a

group of clients pass through a NAT device before they get to
the BIG-IP, they may all have the same source address.
Source address persistence will see them as the same client,
and same them all to the same pool member. If this group of
clients represents a significant percentage of the total
number of clients for this virtual server, this can result in
uneven distribution of clients across the pool.

In this animation the first client connection is load balanced

and then the subsequent client request persist.

The net mask can be changed for source address

persistence by the administrator. In this example, /24 or
https://www.linkedin.com/redir/invalid-link-page?
url=255%2e255%2e255%2e0 is used. Any client that share
the first three octets will match the same persistence record
and there fore be sent to the same pool member. Using a net
mask of /24 allows BIG-IP to maintain less persistence
records and there for use less BIG-IP resources.
The first client from the 205.229.151.0 network will be load
balanced and then persist. Any other client from the same
network will also be sent to the same pool member.

However, the same limitation of source address persistence

also applies if BIG-IP administrator decides to change the
network. For example /24 network would not work well if all
clients for a particular virtual server came from the internal
network of 172.16.20.X or any class C network.

Configuring Source Address Persistence

General steps required to create a source address

persistence profile.

Expandlocal traffic from the navigation panel and select

Profiles. Select Persistencetab and then click the create
button or select create from the flyout menu.

In thegeneral properties section, type the name for the profile

you are creating and then select Source Address affinity from
the Type drop down menu.
In theConfiguring section, you may want to select the custom
check box and change the timeout from its default of 3
minutes. You may also want to change the mask from /32 to
some thing appropriate for your client base and pool member
count.

Customize the settings for your requirements and

click finished.

Associating with virtual server

When creating a virtual server, a persistence profile is

assigned in the Resources section of the new virtual server
screen.

Assigning a persistence profile to an existing virtual server is

accomplished from the resources tab.

F5 BIG-IP LTM Load balancer Cookie Persistence

Cookie Persistence

Source address persistence worked properly for external

clients. But to add internal clients later and if he was a /24
mask on a persistence profile this will cause dumping all
internal clients come from 5 different /24 networks so they
will match the same persistence records and therefore be
mapped to the same pool members. Using source address
persistence in this situation will result in uneven loads of
traffic across the 10 different pool members.

Cookie Persistence might help in handling internal clients

since their application is http or web based.

Cookie Persistence modes

There are three cookie Persistence modes

Insert mode

Rewrite mode
Passive mode

The name of the cookie persistence mode describes how the

BIG-IP processes the http cookie in the response to the
client.

Insert mode: -BIG-IP inserts a cookie in the servers

response prior to sending to it to the client.

Rewrite mode:- The pool member inserts a blank cookie

and BIG-IP rewrite the cookie with the appropriate BIG-IP
information like the pool member.

Passive mode:- The pool member inserts the cookie in the

correct format and BIG-IP doesnt change it. Because it is in
the correct format. BIG-IP can read the cookie upon the next
client connection. All three modes discussed here result in
the same cookie being stored on the client. The issue is who
creates the cookie? BIG-IP alone (insert) and BIG-IP (rewrite)
or the server alone (Passive)

The limitations for all cookies persistence modes are two

fold.

Cookie persistence only covers the http protocol

If users disable the cookies, or the users PC date is off then
the cookie might not be sent by the client browser to BIG-IP
for examination.

State diagrams shows each step in the communication

between the client, BIG-IP and the pool member

Three cookie persistence modes

Insert mode: -

BIG-IP LTM inserts special cookies in http response

Pool name

Pool member

Rewrite mode: -

Web server creates a blank cookie

BIG-IP LTM rewrites to make special cookie

Passive mode: -
Web server creates special cookie and

BIG-IP LTM passively lit it through

Cookie insert mode

Regardless of the cookie method chosen, BIG-IP must

establish a TCP connection with the client and examine the
request before processing the cookie or selecting a pool
member.

For cookie insert mode, the first time the client connects to
the virtual server the clients web browsers does not yet have
a cookie.

BIG-IP detects that no cookie is present and load balances

the client to next appropriate pool member. The member
issues its HTTP reply to the client with no BIG-IP cookie.
BIG-IP then inserts a cookie with date time stamp and
specific number information.

This time, when a second client connection is sent if its

within the time out the web browser inserts a cookie into the
HTTP request. BIG-IP reads the cookie and then persists. If
the time out had been reached then the client web browser
will not insert the cookie into the request and BIG-IP will load
balance the client request.

The member issue its HTTP reply to the client, again with no
BIG-IP cookie attached.

And, BIG-IP inserts a new cookie with a new date-time stamp.

The advantage of insert mode cookie persistence is that the

application remains untouched. A disadvantage is the
increased workload for BIG-IP.
Cookie Rewrite Mode

With Rewrite mode cookie Persistence a client connects to

the virtual server for the first time, and once again, the client
web browser has yet to receive a cookie for this site.

BIG-IP detects that no cookie is present and load balances

the client to next appropriate pool member issue its HTTP
reply to the client, and includes a blank cookie.

BIG-IP rewrites the cookie with the same information as

cookie insert mode.

When the second client request is sent the web browser

inserts the cookie into its http request if its still within the
timeout period. BIG-IP either load balances or persists the
connection to the appropriate pool member based on
whether the BIG-IP cookie is present or not.
The member issues the HTTP response, and again includes a
blank cookie.

BIG-IP rewrites the cookie with BIG-IP information including

the pool member.

The advantage of rewrite mode cookie persistence is to

ensure the 4K cookie length boundary is not exceeded. In
insert mode the BIG-IP added cookie could result in this
error.

The disadvantage is you have to configure the content server

to send an additional blank cookie.

Cookie Passive Mode

Finally, lets loop at passive mode cookie persistence once

again, the first time the client connects to the virtual server,
the client web browser has no cookie for the side.
BIG-IP detects that no cookie is present and load balances
the client to the next appropriate pool member. The member
issues its http reply to the client, which includes a BIG-IP
cookie with the appropriate information.

BIG-IP leaves the cookie untouched.

A second client request is sent, this time the web browser

inserts the cookie into its HTTP request, if its within the time
out period. BIG-IP either load balances or persists the
connection to the appropriate pool. Member based on
whether the BIG-IP cookie is present or not.

The member issues its HTTP reply to the client, which

includes the BIG-IP cookie with a new date time stamp and
other BIG-IP information.

Again, BIG-IP leaves the cookie untouched.

The advantage of passive mode cookie persistence is
reduced workload on BIG-IP.

The draw back is that each content to server needs to

configured to generate a BIG-IP cookie.

Configuring Cookie Persistence

Some profiles are dependent on other profiles. The cookie

persistence profile requires. That an HTTP profile also be
configured on the virtual server.

BIG-IPs abilities to examine and the process HTTP fields,

like cookies, is enabled via an HTTP profile.

Without an HTTP profile, BIG-IP cant read the HTTP content

and therefore cookie persistence will not work.
To add an HTTP profile to a virtual server, from the virtual
server screen, select theproperties tab and select http from
the HTTP profile drop down menu.

Next, select the Resources tab and select the name of your
cookie persistence profile from the Default Persistence
Profile drop down menu. Here we are using of the default
cookie persistence profile named cookie.

Administrative Status on F5 BIG-IP LTM Load

Balancer

Administrative Status

Monitors perform tests on nodes and members. The results

may dynamically change the state of a Node Member, Pool or
Virtual Server any time.
When an administrative needs to gracefully stop BIG-IP from
sending client traffic to a Node or member, they need to
change administrative state of the node, pool member or
Virtual server.

The default administrative state is enabled. This status

accepts all types of traffic. New connections Persistent
session and open existing connections.

All administrative states accept traffic from open existing

connections. The disable state also accepts traffic from new
connections, but only from returning clients within the time
out period. This means from clients that match a BIG-IP
Persistence record.

A Node and Pool member in the forced offline state only

services traffic from open existing connections. The disabled
and forced offline states differ only when persistence is
involved.

Again all administrative states accept traffic from any open

existing client connections, at least until the connection
terminates or time out. If a monitor has marked a Node or
pool member offline that is different, and no client traffic is
sent.

A virtual servers administrative state can only be changed

between enabled and disabled.

3 Administrative States

Administrative States icons

In the enabled administrative state-Monitor checks are used

to determine Nodes and members state. Pools an virtual
server states are determined from the inherited status of the
nodes and members. Monitor and administrator status can
be viewed from the statistics and Network map screens.
To indicate that a node or members administrative state is
now disabled, BIG-IP changes the icon colour to black while
maintaining its previous monitor status Icon shape.

To indicate that the node or members administrative state is

now off line, BIG-IP changes the Icon to a Black Diamond

A disabled and forced offline Node or a member share the

same black diamond status icon only if the monitor status
was offline also. So distinguish the Icon between two is

Disabled Icon Pool member has been marked down by a

monitor.

Disabled State
lets look at the Disabled Administrative state and its impact
on the state of the pool and virtual server

Ex: -

In this example, all of the member most resent monitors

check was successful, so all were available as was the pool
and virtual server.

Now two members have been disabled, but the pool and
virtual server are still marked available.

Even after the last member is disabled, the pool and virtual
server and virtual server are still marked available because
they will need to process client traffic for open existing
connections and supports new connections from client
matching existing persistence records.
Forced Offline State

Now lets load at the forced offline administrative state and its
impact on the state of pool and virtual server.

Ex:-

In this example, the first members most recent checks was

successful, so its status is available, while the other
members have just been Forced Offline.

This results in the pool and virtual server still being marked
available.

When the first member will maintain open existing client

connections, but since there are no pool members available
for new connections, both the pool and virtual server are
marked offline also.
Changing Pool Member State

To administratively change the state of pool member expand

local traffic from the navigation panel and select Pools.
Select Members tab and then select a member.

The state of a Pool Member can be changed by selecting one

of the state options.

A member can also be enabled or disabled but not forced

offline from the current members list.

Module 7 - Processing SSL Traffic

Explaining SSL on F5 BIG-IP LTM Load Balancer

Explaining SSL on BIG-IP

Review of SSL Concepts: -

SSL (or Source Socket Layer) is the standard security

technology for establishing an encrypted link between a web
server and a browser. This encrypted link ensures that all
data exchanged between the web server and browsers
remains private and integral SSL is an industry standard that
is widely used.

Before a web server can create an SSL connection it must

have an SSL certificate. You can either create this certificate
yours self (known as self-signed cert) or you can obtain one
from a certificate authority. The encryption uses a pair of
keys (a private key and public key), encrypting the data with
the public key and decrypting it with the private key.

Encrypting and decrypting SSL traffic has a significant

impact on server performance. Tests have shown that packet
processing time can increase 20 to 30 times. To minimize this
many people install SSL acceleration cards on their servers.
SSL accelerator card performs the work of data encryption
and decryption in hardware, rather than software. This
approach takes a huge load off the servers CPU.

SSL Termination

We realized with the online shopping cart application BIG-IP

cannot impact data that is encrypted. With out the ability to
read the data in a packet, BIG-IP cannot perform cookie
persistence. To solve this problem,

BIG-IP can terminate the SSL session. In other words, the

BIG-IP virtual server can act as the end point for the client
SSL session. It can decrypt the data, instead of relying on
the actual server.
Advantage of SSL Termination

SSL termination allows for cookies persistence and i rules

processing despite the client traffic being SSL.

SSL termination also enhance performance by offloading the

SSL traffic from the web servers and performing it on BIG-IP.
Thus Pool members only have to process encrypted traffic.

Because BIG-IP contains an SSL accelerators card the SSL

key exchange and bulk encryption are performed in
hardware. This of course enhances performance, but also
saver money. There is no need to to purchase separate SSL
accelerator cards for each of your servers.

And finally, having BIG-IP terminate client SSL traffic makes

it possible to centralize the management of your SSL
certificates in one place-both a time and money saver.

Traffic Flow : Client SSL

Lets take a look at how SSL termination works. We will first
examine an incoming client message. Note that BIG-IP relies
on the client SSL profile properties to determine how it
should handle incoming SSL requests.

A client indicates an SSL connection to the virtual server.

BIG-IP acts as the server for the SSL negotiations,
establishes an SSL session with the client, and then
decrypts the packet.

BIG-IP establishes a separate TCP connection to the

appropriate pool member that does not use SSL.

The Pool member processes the request, and then sends an

encrypted response back to BIG-IP.

BIG-IP then re-encrypts the server response and sends it

back to the client.
Server side Security

But what if your site has a requirement for encryption every

where on the network.

Using SSL termination on the client side enhances

performance and simplifies management, but it leaves
packets on the server side unencrypted. If server side
encryption is priority, you may want to use.

BIG-IPs sever-side SSL initiation in addition to the client side

SSL termination. Because this approach increase BIG-IP
processing time, we recommend using it only if encryption is
needed every where but you also need BIG-IP to examine the
data in unencrypted format.

Traffic flow: Server SSL

Just as in the previous example,

A client initiates an SSL connection to the virtual server, BIG-
IP acts as the server for the SSL negotiations establishes an
SSL session with the client, and then decrypts the traffic.

BIG-IP then processes the traffic and, unlike the previous

example, BIG-IP initiates another SSL connection with the
server using a different SSL certificate and key. This time
BIG-IP acts as the client. Note that BIG-IP relies on the server
SSL profile to define this behavior.

The Pool member receives the encrypted traffic, decrypts it,

processes the request, encrypts the response, and sends the
response back to BIG-IP.

BIG-IP decrypts the response, then re-encrypts the response

with the client certificate, and sends it back to the client.
Again the only reason to use both client and server SSL
profiles as if you need the data encrypted everywhere but
you need BIG-IP to examine the data unencrypted for
something like HTTP cookie persistence or I rules
processing.

SSL Acceleration

As started earlier, when server encrypt and decrypt SSL

traffic, their performance is negatively affected. Installing
SSL accelerator cards is often the solution. Depending on
the model, BIG-IP contains one or more of these cards, which
allows BIG-IP to use hardware for performing the SSL key
exchange and bulk crypto work. The table shown here lists
the maximum transactions per second supported by each
BIG-IP platform these numbers are current as of September
2009.Because F5 networks continuously improves the
performance of its products, these number will change over
time.