ltm essentials
DESCRIPTION
TRANSCRIPT
Chapter 1
Initial Setup
Exploring Big-IP Hardware
Exploring Big-IP File SystemLicensing Big-IPBasic Configuration
Big-IP Hardware Platform
The Hardware
OOBManagementPort
ConsoleCable
FailoverCable
USB Port
LCD Paneland controls
10/100/1000 MbpsCopper Ports
1000 MbpsFibre Ports
Looking Inside a 3600Big-IP
Big-IP LTM Software support
Lights Out Management
-Two operating systems -TMM for primary use-AOM/SCCP for lightsOut management -Always on Mansgment-Switch card control processing
What to do first ?
Setup Overview
Setup ToolsSSH Client-username:- root
-Password:-defaultSerial Terminal Client -username:- root
-Password:-default
Big-IP Config Script-configBig-IP Wab-based configurationhttps://192.168.1.245
-username:- admin
-Password:-admin
Licensing Methods
Entering Registration Key
Manual Licensing
Completing the Licensing Process
Configuring administration Access
File System
Built on top LinuxHas Linux files structure Files are relevant to the operationMain file in BIG-IP LTM are mentioned below: -/coinfig/bigip.conf -/config/bigip_base.conf -/config/BigDB.dat -/etc/hosts.allow -/config/bigip.license -/var/log/ltm
/coinfig/bigip.conf- Holds all information relevant to the load
balancingLike: virtual, pool, profile, monitor, irules etc-Shared between 2 units if in a pair configuration /config/bigip_base.conf-Holds all information relevant to the basic
elements of the BigIP Like: management IP, vlans, routes few more things
/etc/hosts.allow-hosts which are allowed to use the local INET
services. Such as services are SSH, snmp for the snmp
devices
/config/BigDB.dat-bigdb database holds a set of bigdb
configuration keys -Keys define the behaviours of various aspects of the
BIG-IP system
-For example, the bigdb key Failover.Active Mode, when set to enable, causes a redundant system to operate in active-active mode, instead of the default active/standby mode.
-We can edit these values by using -The Configuration utility -The bigpipe db command #bigpipe db all list
/config/bigip.license-Holds all information about the license of the
BigIP system -Without this file or a valid license file, the BigIP will
not operate There are few more vital files /config/ssl/ssl.crt/config/ssl/ssl.key
Management configurationGiving IP to management port#b mgmt 10.192.230.129 {netmask 255.255.255.0 }
Putting route for management network#b mgmt route 10.216.0.0 netmask 255.255.0.0 ‘{ gateway
10.192.230.145 }’
#b mgmt route 10.12.11.32 netmask 255.255.255.224 ‘{
gateway 10.192.230.145 }’
VLAN Configurationvlan external { tag 10 interfaces 1.1}vlan internal_phy { tag 4093 interfaces 1.2}vlan internal_virt { tag 4092 interfaces 1.4}
Self IP/Port configuration
Assigning IP address the to vlan#b self 172.31.230.129 ‘{ netmask 255.255.255.0 vlan external
allow tcp ssh tcp https tcp 4353 }’
#b self 192.168.230.129 ‘{ netmask 255.255.255.128 vlan internal_virt allow tcp https }’
Opening the Port #b self allow ‘{ default udp snmp tcp ssh tcp domain tcp snmp udp
efs tcp 4353 udp domain udp 4353 tcp https proto ospf }’
Configuring FloatingThis part of configuration is for redundant pair#b self 172.22.100.6 { netmask 255.255.255.0 unit 1 floating enable vlan external allow tcp https}#b self 192.168.100.3 { netmask 255.255.255.0 unit 1 floating enable vlan internal allow default}
Chapter 2
Traffic Processing
Pools , Members & Nodes
Virtual Server-Big-IP is default deny device, so listener (virtual) is must
-Virtual server gules everything together
-Typically virtual are associated with pool
-Before virtual server can load balance it should mapped to pool
-Big-IP translate the destination ip address from virtual server to actual server
-Client see the pool servers as single server, hence the term Virtual Server
Asymetric Routing Problem
Full Proxy Architecture
-Big-IP do much more than translating the network Address
-F5 implemented full proxy architecture in Big-IP
-Separate tcp connections for the client & the server
Chapter 3
Load Balancing
Load Balancing MethodMember vs NodePriority Group Activation Configuring load balancing
Load Balancing Methods
-Static method do not take server performance in to consideration
-Dynamic method does consider server performance
Round Robin
-Round Robin is default & most commonly used method
-Big-IP evenly distributes client request across all available pool member
Ratio-Ratio method is appropriate to use if some of the members are
powerful than other.
-Since Ratio is static method, this means that server with highest ratio value will receive more request then others even if the performance of the server is slow.
#b pool lab_Pool { lb method member/node ratio }
Least Connections
-This method consider the current connections count to decide where to send next request
#b pool lab_Pool { lb method least conn }
Least Connections-After connections counts shown below, the big-IP round robin next
requests between all three servers.
Fastest
-Fastest uses the outstanding layer 7 request to decide where to send the next request
-Request or Response ?
#b pool lab_Pool { lb method fastest }
Fastest
-Ping response form server doesn’t take into account how fast server will response at port 80.
-SYN-ACK response form server at port 80 doesn’t take into account how fast backend database server will populate the content of web page
Observed
-It is basically Ratio load balancing but with Ratio assigned by Big-IP
-Servers with connections lower than average will given ratio of 3
-Servers with connections higher than average will given ratio of 2
#b pool lab_Pool { lb method member observed }
Observed>Connections status
-server B & C with Ratio 3
-Servers A & D with Ration 2
Predictive
-Predictive method is similar to Observed, but assigns more aggressive value
#b pool lab_Pool { lb method member predictive }
Predictive
>Connections status
-server A & C with Ratio 1
-Servers B & D with Ration 4
Pool Member vs. Node Load Balancing by:>Node -Total service for one IP Address -Take all transactions for the IP address into account #b node <ip_addr> { ratio <no.>/ session <enable/disable>}
>Pool Member -IP Address & Service -Take the decision based transactions happening on
the service port.
Priority Group Activation -Use to designate preferred & backup sets of pool members with in
a pool
-Once priority group activated
-The available member with highest priority will consider first
Priority Group Activation
-If the number of member falls below the priority group activation set,
-The next highest priority member also start serving the requests.
Priority Group ActivationConfiguration example
#b pool lab_pool '{ lb_method predictive min_active_members 2 member 10.100.10.10:80 priority 10 member 10.100.10.20:80 priority 10 member 10.100.10.30:80 priority 10 member 10.100.10.30:80 priority 5 member 10.100.10.40:80 priority 5 member 10.100.10.50:80 priority 5 }’
Fallback Host-Fallback host feature is designed for HTTP protocol only.
-It comes into play if all the members in a pool are unavailable
Configuring Load Balancing bigpipe pool <pool_name> { lb method
<method_name> }
(rr | node ratio | member ratio | member least conn |
member observed | member predictive | fastest | least conn | predictive | observed | dynamic ratio | fastest app resp)
Chapter 4
Monitor
Monitor Functionality Monitor TypesConfiguring MonitorAssigning MonitorStatus
Intro to monitor Big-IP system can monitor the health of nodes &
member
Monitor is the test that Big-IP performed
-simple test
-Highly interactive test
The result of these test will define the status of respective node or member is available
Big-IP perform continues monitoring irrespective of the status of node or member
Step to set-up a monitor Step 1: Create
Step 2: Name & Type
-name the new monitor select the type from system templates
Step 3: Customize
Step 4: Assign
- to pool/node/pool member
Step 5: Status
Types of monitoring
Address Check
-IP address –node
Service Check -IP:port
Content Check -IP:port & check data returned
Interactive Check -Interactive with servers
-Multiple commands and multiple response
Address Check
Example
System
#b monitor icmp list
monitorroot icmp {
interval 5
timeout 16
dest *
}
Custom
#b monitor icmp_mon list
monitor icmp_mon {
defaults from icmp
interval 7
timeout 22
}
Service Check-Service checks only test whether server is listening to respective
port.
-Doesn’t provide any insight into quality of the content that might return
ExampleSystem
#b monitor tcp list
monitorroot tcp {interval 5timeout 16
dest *:* recv "" send ""}
Custom
#b monitor tcp_port_mon list
monitor tcp_port_mon { defaults from tcp
interval 15 timeout 47}
Content Check-Content check go beyond testing whether a node is
responding/listening
-It also test if it is responding with correct content
Example System:
#b monitor http list
monitorroot http {
interval 5
timeout 16
dest *:*
password ""
recv ""
send "GET /"
username ""
}
Custom:
#b monitor http_mon list
monitor http_mon {
defaults from http
recv "Health Check"
send "GET /health_check.html HTTP/1.0\n\n"
}
Interactive Check
Example
#b monitor ftp list
monitorroot ftp {
interval 10
timeout 31
dest *:*
debug ""
get ""
mode "passive"
password ""
username ""
}
Assigning Monitor to Nodes
#b node 192.168.230.172 ‘{ ratio 100
monitor testwmi_mon
}’
#b node 10.10.10.10 { monitor gateway_icmp and icmp }
Assign Monitor to Pool & member Assigning Monitor to Pool
#b pool bluecoat_pool { monitor all tcp }
#b pool bsd01_pool { monitor all bsd_mon }
Assigning Monitor to Pool member
#b pool lab_Pool '{
member 10.101.23.55:80 monitor tcp
member 10.101.23.56:80 monitor http
}‘
Status IconBelow are the status Icons
Status: AvailableExample-1 Example-2
Status: OfflineExample-1 Example-2
Status: Unknown Example-1 Example-2
Status: Unavailable Example -1 Example -2
Chapter 5
Profile
Profile ConceptProfile Configuration
Profile Concept Contain settings that instruct how to pass the traffic
through virtual server
Why any one want to change default traffic processing behavior of virtual server ?
Are profile overrides the load balancing property ?
How does profile help to improve the performance of actual servers ?
Profile Example Persistence SSL Termination
Profile Example
FTP
Profile Dependencies
-Some of the profiles are dependent on others-Some can’t be combine in one VS
Types of profile
Services Profiles:-HTTP, FTP, RSTP, SIP, iSession
Persistence Profiles-cookie, dest_addr, source_addr, hash….
Protocol Profiles-tcp, udp, fastL4…
SSl Profiles-client, server
Authentications Profiles-RADIUS servers, CRLDP servers…
Other Profiles-OneConnect, NTLM, stream
Profile Configuration Concepts
Default Profiles – Tamplates
-Stored in /config/profile_base.conf
-Can’t be deleted
Custom Profiles
-Stored in /config/bigip.conf
-Created from default profile
-Dynamic child & parent relationship
Services Profiles Parent HTTP profilesprofile http http { basic auth realm none oneconnect transformations enable compress disable compress uri include none compress uri exclude none compress prefer gzip compress min size 1024 compress buffer size 4096 compress vary header enable . . . ramcache max age 3600 ramcache min object size 500 ramcache max object size 50000 ramcache uri exclude none ramcache uri include none ramcache uri pinned none ramcache ignore client cache control all ramcache aging rate 9 ramcache insert age header enable}
Custom HTTP profile
#b profile http pan_http_profile ‘{ defaults from http_master header insert "X-SSL: True" fallback "http://foo.com/f.asp?u=[HTTP::host]"}’
#b profile http help ---for more option
Chapter 6
Persistence
Persistence profileSource Address PersistenceCookie Persistence
Concept
What is the need of Persistence ?
Persistence profile is required to achieve to change the load balancing behavior of virtual server
Upon the initial connection: -Big-IP store session data in persistence record
Persistence Record store -client characteristics -Pool member information which is serving request
Big-IP use persistence record to serve the next traffic
Source Address Persistence-Support both TCP & UDP protocol
-By Default Big-IP create persistence for host
source_addr Persistence configurationParent Profile:profile persist source_addr {
mode source addr
mirror disable
timeout 180
mask none
map proxies enable
rule none
}Custom Profile
#b profile persist pan_subnet ‘{ mode source addr mask 255.255.255.0 }’
Cookie Persistence
Why cookie Persistence ?Modes:>Insert Mode -LTM insert special cookie in HTTP response
-Pool name & Pool Member (encoded)
>Rewrite Mode -Web server Creates a “blank” cookie
-LTM Rewrites to make Special Cookie
>Passive Mode -Web server Creates Special Cookie
-LTM Passively lets it through
Cookie Insert Mode
Cookie Rewrite Mode
Cookie Passive Mode
Configuring Cookie persistence
Custom Profile#b profile persist pan_cookie { mode cookie cookie mode rewrite
cookie name paa }
Parent Profile:profile persist cookie { mode cookie
mirror disabletimeout immediatecookie mode insert
cookie name none cookie expiration 0d 00:00:00 cookie hash offset 0 cookie hash length 0 rule none}
Chapter 7
Processing SSL Traffic
Exploring SSL on Big-IPConfiguring Big-IP for SSL
Review of SSL ConceptsEstablish an encrypted link between a Web server
& browser by using SSL protocol This encryption uses PKI Encrypting & decrypting SSL is impact the server
performance Packet processing time can increase 20 to 30
times Use of SSL Accelerator Cards
Advantage of SSL Termination
Allow iRules processing and cookie persistence
Offload SSL traffic from web server SSL key exchange and bulk encryption
dane by hardwareCentralize certificate management
Traffic Flow: Client SSL
Traffic Flow: Server SSL
SSL Acceleration
Enabling Client SSL Profile
Configuring Client SSL ProfileConfiguring clientssl profile :#b profile clientssl pan.com_ssl {
defaults from clientssl
key “www.pan.com.key"
cert “www.pan.com.crt"
chain “ca-intermediate.crt"
}Associating the clientssl profile to virtual server#b virtual pan.com_https { profile pan.com_ssl }
Configuring Server SSL ProfileConfiguring Serverssl profile :#b profile serverssl pan.com_ssl ‘{
defaults from serverssl"
Associating the clientssl profile to virtual server#b virtual pan.com_https { profile pan.com_ssl }
Chapter 8
Nat & SNAT
NAT Concepts and ConfigurationSNAT Concepts and Configuration
Nat ConceptsOne to One mapping
Bi-directional traffic
Dedicated IP Address
Can’t Configure port
Configuring NAT
#b nat 172.16.20.1 to 207.10.1.101#b nat 172.17.20.3 to 207.10.1.103#b nat list#b nat show
SNAT Concept “Secure” NAT
Performs Source Nat
Many to one mapping
Traffic initiated to SNAT Address refused SNAT’s used forRouting problem
SNAT Configuration #b snat pan { origin any translation 4.2.2.2 }
# b snat pan ‘{ origin any translation 4.2.2.2 vlan clau_vlan enable }’
#b snatpool pan_spool ‘{ member 3.2.2.2 member 3.2.2.3 }’
#b snat pan ‘{ origin 172.16.16.0 mask 255.255.255.0 snatpool pan_spool }’
Chapter 10
Virtual
Virtual
Big-IP is default deny device, so listener (virtual) is must
Virtual server gules everything together
Virtual are first point of call for traffic
Types of VIP Standard
Most common type of VIP for general purpose load balancing Can make use of all functions including iRules, WebAccelerator, ASM etc
Forwarding (Layer 2) Generally used when LTM is configured in a bridge mode (VLAN Groups) Essentially just forwards packets at Layer 2
Forwarding (IP) Used when LTM needs to forward or route packets Can either just route them based on it’s IP routing table of load balance
multiple routers/firewalls etc
Performance (HTTP) Used for very simple, very fast HTTP load balancing Loose a number of features (see next slide)
Performance (Layer 4) Used for general purpose fast load balancing of packets using the PVA ASIC Loose a number of features depending on PVA Acceleration mode (see next
few slides)
Configuration of virtual >Forwarding (IP)
#b virtual forward_vip { destination any:any ip forward }
>Forwarding (Layer 2)#b virtual forward_vip { destination any:any l2 forward }
>Standard
b virtual accel_vip ‘{
destination 10.118.10.12:https
ip protocol tcp
profile http_profile oneconnect_master www.foo.com tcp
persist simple_1800_profile
pool https_pool
}’
Chapter 11
iRule
What is an iRule?
An iRule is a TCL script to give more control over how traffic is processed via the LTM
Can do this based on just about anything found in a packet, including client IP address, headers, URI, destination port, etc.
The use of the Universal Inspection Engine (UIE) is also done via iRules, allowing for rule based persistence
What can an iRule work with? Most commonly seen are HTTP events Can also work with other protocols, such as SIP,
RTSP, XML, others Can make adjustments to TCP behavior, such as
MSS, checking the RTT, looking into the payload Can work with authentication or encryption, via
x509 commands, and AES encryption/decryption Cache, compression, profiles are also available
Example iRulesChange server headers
when HTTP_RESPONSE { HTTP::header replace Server "Microsoft-IIS/5.1"}
Remove all server headerswhen HTTP_RESPONSE { HTTP::header sanitize ?ETag? ?Header01? ?Header02?}
On 404 error, re-load balancewhen HTTP_REQUEST { set RequestedPage [HTTP::uri]}when HTTP_RESPONSE {if { [HTTP::status] eq "404" } { log "Dooh, page '$RequestedPage' not found on server
[IP::server_addr]!" HTTP::redirect $RequestedPage}}
More Samples… (from CodeShare)
iRule Logging (really handy!) You can turn on logging for any iRule and record anything you
like from requests or responses!
Often used when troubleshooting an iRule
Simply add the line “log xxx” (where “xxx” is anything you like) to any iRule, for example:
when HTTP_REQUEST {log "Client [IP::remote_addr] has requested page
[HTTP::uri] from server [HTTP::host]." }
You can use the CLI command “tail –f /var/log/ltm” to view these logs in real time
Troubleshooting Section
File System Overview and ViUCS file extractingQkviewLook at the Statistics!CLI ToolsLogsRunning TCPDUMP and SSLDUMPPXE booting tips
File System Overview Main VIP, Pool and iRule config is stored in:
/config/bigip.conf
Main IP and VLAN settings are stored in: /config/bigip_base.conf
BIG-IP license file is stored in:/config/bigip.license
Log files are stored in:/var/log/
Archived configs are stored in:/var/local/ucs/
Tools/Commands to help
Change directory: cdPrint working directory: pwdList directory contents: lsView file: more <filename>Edit file: vi <filename>Copy file: cp <source> <dest>Delete file: rm <filename>
Useful “vi” commands “i” to start inserting text where the cursor is “A” to start inserting text at the end of the line “Esc” exits the editing mode “dd” delete entire line “x” delete single character “Esc” then “:” then “w” to write the file “Esc” then “:” then “q” to quit vi “/” starts a search through the file
Note: “:wq” would write the file and quit in one go
Note: “:w!” would write the file even if read-only file
Note: “:q!” would force vi to quit
UCS file extracting UCS files are simply “.tar.gz” files with a number of
configuration files inside
Rename the file with a “.tar.gz” extension and use WinRAR to extract the file
Note that a UCS file contains both the “root” password and license key for that unit – don’t put it on another box unless you have a backup!
“Qkview”Support will often request these
Can be executed from the GUI or CLI
Contains box configuration, route information, statistics etc
LogsLogs can often highlight problems
Can be viewed from the GUI
Can be downloaded from the directory “/var/log”
Useful command to watch the LTM log file in real time from the CLI:tail –f /var/log/ltm
CLI Tools
“bigtop” – utility for a quick look at how the BIG-IP is functioning. Provides statistics and information on traffic flow, node operations and troubleshooting (“bigtop –delay 2” useful)
Running TCPDUMP TCPDUMP is an inbuilt network sniffer
To run TCPDUMP from the CLI and save the output to a file that can be opened in Ethereal/Wireshark use the following command:
tcpdump -ni <VLAN> -v -s 1600 -w /var/tmp/filename.dmp
Example:
tcpdump -ni external -v -s 1600 -w /var/tmp/external.dmp
TIP: Use WinSCP to copy the file from the BIG-IP to your PC
TCPDUMP can be run from the GUI also
Running SSLDUMP SSLDUMP is a utility available on the BIG-IP that can be used
to decode your SSL sessions by pre-loading your SSL keys and using those to convert the session data into ASCII text.
SSLDUMP takes a raw TCPDUMP file as input
To display the handshake onlyssldump –r <capture file>
To display the actual application data (with the key file)ssldump –r <capture file> -k <key file> -dExample:
ssldump -r /var/tmp/internal.dmp -k /config/ssl/ssl.key/default.key -d > /var/tmp/ssldump.dmp
Documentation for ssldump can be found on www.rtfm.com/ssldump/ssldump.html
Useful links… F5 related Compression Test
http://www.f5demo.com/compression
Devcentral (iRules, iControl, SDK)http://devcentral.f5.com
Software Downloadshttp://downloads.f5.com
Askf5 (manuals, software, solutions, EOL info)http://www.askf5.com
Chapter 12
Redundant Pair
Redundant pair Concept Redundant Pair Setup Config. Synchronization
Concept..When is high Availability is required ? Increases Reliability
It consist of two identically configured Big-IP system There are two basic aspect: Synchronizing configurations between two BIG-IP
units Configuring fail-safe settings for the VLANs
Big-ip Individual System SettingsBig-IP LTM System -1
Hostname:- bigip1.cw.com
Admin Password:- XXXXX
Unit ID:- 1
Internal VLAN
-Self: 172.16.1.31
-Float : 172.16.1.33
-Peer : 172.16.1.32
Big-IP LTM System -2
Hostname:- bigip2.cw.com
Admin Password:- XXXXX
Unit ID:- 2
Internal VLAN
-Self: 172.16.1.32
-Float : 172.16.1.33
-Peer : 172.16.1.31
Unit ID used for Identification, do not designate primary and secondary
Floating IP is always own by Active box
Failing Over>Gratuitous ARP sent to all neighboring network devices
Synchronize ConfigurationInitiated from Either System Redundant pair should service the same monitors,
pools & virtual Servers
Synchronization condition Administrative password must be same on each
system
Port 443 must not be blocked by the port lockdown setting or by another system between the redundant pair.
Clock of the system must be within a certain number of minutes of each other.
Pull or Push Operation –Sync in Correct Direction
Synchronization Process1-Create UCS file. -Which contain all configurations + licensing information 2-Send to peer3-Peer creates backup of itself4-Peer opens UCS file a) Matching Hostname > Full Installation
b) Different Hostname >Shared Installation
Synchronize to Peer# bigpipe config sync pull# bigpipe config sync all
Determine Active System
Change to Standby Mode
Chapter 13
High Availability
Failover Trigger
Failover Detection Stateful Failover MAC Masquerading
Failover ManagersFailover Mangers detects a failed process, takes one of the several action restarting the
process, failing back to the standby, reboot the big-ip
WatchdogPerforms hardware health checksOverdog Software to correct hardware failuresSODmonitors the switch fabric and takes corrective action for switch
failures
All failover Managers update and monitor the high Availability Table
High Availability TableUpdate & Monitor by Failover ManagersTable Fields-Feature Name-Action on Failure-Enabled-Failed StateCommand Line: b ha table show
HA Table
Failover TriggerProcesses (Daemons)SwitchboardVLAN FailsafeGateway Failsafe
Failover Triggers - Daemans
VLAN FailsafeDetects no network traffic Tries to generate trafficTimeout reached Time Action; Standby becomes
active
Gateway Failsafe
Hardware FailoverStandby notices a loss of voltage, it Takes over the
active role
Network FailoverHeartbeat sent over networkNo 50 foot (15.24 meter) limitationSlower than Hardware FailoverSetting not synchronized between peers If Both Hardware Failover & Network Failover are
being used…..
Network Failover Settings
Network Communication
Stateful Failover
Types of Mirroring
Failover without MAC Masquerading
MAC Masquerading
MAC Masquerading
Thanks