F5 Admin Lab Guide

March 20, 2018 | Author: Ron | Category: IPv6, Computer Network, IP Address, Port (Computer Networking), Domain Name System



F5 Networks Training

Administering BIG-IP v12 Instructor Guide

v12.1 – June, 2016

Instructor Guide: Administering BIG-IP v12.1

Administering BIG-IP v12 Instructor Guide
Eleventh Printing; June, 2016

This manual was written for F5 solutions at the version listed on the front cover of this document. Some of the features discussed in this course were added with this version, but many of the concepts also apply to previous and subsequent versions.

© 2016, F5 Networks, Inc. All rights reserved.

Support and Contact Information

Obtaining Technical Support
Web: tech.f5.com (Ask F5)
Phone: (206) 272-6888
Email (support issues): [email protected]
Email (suggestions): [email protected]

Contacting F5 Networks
Web: www.f5.com
Email: [email protected] & [email protected]

F5 Networks, Inc., Corporate Office
401 Elliott Avenue West, Seattle, Washington 98119
T (888) 88BIG-IP / T (206) 272-5555 / F (206) 272-5557
[email protected]

F5 Networks, Ltd., United Kingdom
Chertsey Gate West, Chertsey, Surrey KT16 8AP, United Kingdom
T (44) 0 1932 582-000 / F (44) 0 1932 582-001
[email protected]

F5 Networks, Inc., Asia Pacific
5 Temasek Boulevard #08-01/02, Suntec Tower 5, Singapore, 038985
T (65) 6533-6103 / F (65) 6533-6106
[email protected]

F5 Networks, Inc., Japan
Akasaka Garden City 19F, 4-15-1 Akasaka, Minato-ku, Tokyo 107-0052 Japan
T (81) 3 5114-3200 / F (81) 3 5114-3201
[email protected]


Legal Notices

Copyright
Copyright 2016, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks
AAM, Access Policy Manager, Advanced Client Authentication, Advanced Firewall Manager, Advanced Routing, AFM, APM, Application Acceleration Manager, Application Security Manager, AskF5, ASM, BIG-IP, BIG-IP EDGE GATEWAY, BIG-IQ, Cloud Extender, Cloud Manager, CloudFucious, Clustered Multiprocessing, CMP, COHESION, Data Manager, DDoS Frontline, DDoS SWAT, Defense.Net, defense.net [DESIGN], DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, ENGAGE, Enterprise Manager, F5, F5 [DESIGN], F5 Agility, F5 Certified [DESIGN], F5 Networks, F5 SalesXchange [DESIGN], F5 Synthesis, f5 Synthesis, F5 Synthesis [DESIGN], F5 TechXchange [DESIGN], Fast Application Proxy, Fast Cache, FCINCO, Global Traffic Manager, GTM, GUARDIAN, iApps, IBR, iCall, iControl, iHealth, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iQuery, iRules, iRules OnDemand, iSession, L7 Rate Shaping, LC, Link Controller, LineRate, LineRate Point, LineRate Precision, LineRate Systems [DESIGN], Local Traffic Manager, LROS, LTM, Message Security Manager, MobileSafe, MSM, OneConnect, Packet Velocity, PEM, Policy Enforcement Manager, Protocol Security Manager, PSM, Ready Defense, Real Traffic Policy Builder, SalesXchange, ScaleN, SDAS (except in Japan), SDC, Signalling Delivery Controller, Solutions for an application world, Software Designed Applications Services, Silverline, SSL Acceleration, SSL Everywhere, StrongBox, SuperVIP, SYN Check, SYNTHESIS, TCP Express, TDR, TechXchange, TMOS, TotALL, TDR, TMOS, Traffic Management Operating System, Traffix, Traffix [DESIGN], Transparent Data Reduction, UNITY, VAULT, vCMP, VE F5 [DESIGN], Versafe, Versafe [DESIGN], VIPRION, Virtual Clustered Multiprocessing, WebSafe, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners.

Materials
The material reproduced in this manual, including but not limited to graphics, text, pictures, photographs, layout and the like ("Content"), is protected by United States Copyright law. Absolutely no Content from this manual may be copied, reproduced, exchanged, published, sold or distributed without the prior written consent of F5 Networks, Inc.

Patents
This product may be protected by one or more patents indicated at: http://www.f5.com/about/policies/patents


Table of Contents

Chapter 1: Course Description ..... 1-1
    Course Overview ..... 1-1
    Audience ..... 1-1
    Course Objectives ..... 1-2
    Prerequisites ..... 1-3
    Additional Documentation and Resources ..... 1-4
    Course Table of Contents ..... 1-5

Chapter 2: Print Version and Organizational Changes ..... 2-1

Chapter 3: Classroom Setup Instructions ..... 3-1
    Accessing the Instructor Site on F5 University ..... 3-1
    Accessing the ATC Support Site on F5 University ..... 3-3
    Classroom Network Configuration ..... 3-4
        Logical Networks ..... 3-4
        F5 Classroom Network Diagram ..... 3-5
        Instructor BIG-IP System IP Addresses ..... 3-6
        Student Workstation IP Addresses ..... 3-7
        Back-end Application Servers IP Addresses ..... 3-8
        Training Server 3.4 Routing Considerations ..... 3-9
    Setting Up the Instructor BIG-IP System (LTM17) ..... 3-10
        Overview ..... 3-10
        Setup Steps ..... 3-10
        Sample Script to Set LTM17 as Default Internet Gateway ..... 3-11
        LTM17 Configuration Object Use by Course ..... 3-12
    Setting Up the Back-End Servers ..... 3-15
        Setting Up Training Server 3.4 ..... 3-15
        DNS Zones on Training Server 3.4 ..... 3-19
        Setting Up Hack-It 2.0 Server ..... 3-23
        Setting Up dc.f5trn.com Server ..... 3-23
    Setting Up the Student Workstations ..... 3-24
        Student Workstation Tool Usage ..... 3-25
    Administering BIG-IP v12.1 Class Setup ..... 3-27


Chapter 1 – Course Description

Chapter 1: Course Description

Course Overview

Description
This two-day course gives network administrators, network operators, and network engineers a functional understanding of the BIG-IP system as it is commonly deployed in an application delivery network. The course introduces students to the BIG-IP system, its configuration objects, how it processes traffic, and how typical administrative and operational activities are performed. The course includes lecture, hands-on labs, interactive demonstrations, and discussions.

Topics covered in this course include:
- Getting started with the BIG-IP system
- Traffic processing with BIG-IP Local Traffic Manager (LTM)
- Using TMSH (TMOS Shell) command line interface
- Using NATs and SNATs
- Monitoring application health and managing object status
- Modifying traffic behavior with profiles, including SSL offload and re-encryption
- Modifying traffic behavior with persistence, including source address affinity and cookie persistence
- Troubleshooting the BIG-IP system, including logging (local, high-speed, and legacy remote logging), and using tcpdump
- Always-On Management (AOM)
- User roles and administrative partitions
- vCMP concepts
- Customizing application delivery with iRules

Audience
This course is intended for network administrators, operators, and engineers responsible for managing the normal day-to-day operation and administration of a BIG-IP application delivery network. This course presents the prerequisite knowledge for many of F5’s other BIG-IP instructor-led training courses.


Course Objectives
At the end of this course, the student should be able to:
- Describe the role of the BIG-IP system as a full proxy device in an application delivery network
- Set up, start/restart/stop, license, and provision the BIG-IP system out-of-the-box
- Create a basic network configuration on the BIG-IP system including VLANs and self IPs
- Use the Configuration utility and TMSH to manage BIG-IP resources such as virtual servers, pools, pool members, nodes, profiles, and monitors
- Create, restore from, and manage BIG-IP archives
- View resource status, availability, and statistical information and use this information to determine how the BIG-IP system is currently processing traffic
- Use profiles to manipulate the way the BIG-IP system processes traffic through a virtual server
- Perform basic troubleshooting and problem determination activities, including using the iHealth diagnostic tool, researching known issues and solutions on AskF5, submitting a problem ticket to F5 Technical Support, and viewing traffic flow using tcpdump
- Understand and manage user roles and partitions
- Describe the role of iRules in affecting traffic behavior


Prerequisites
The following free web-based training courses, although optional, will be very helpful for any student with limited BIG-IP administration and configuration experience. These courses are available at F5 University (http://university.f5.com):
- Getting Started with BIG-IP
- Getting Started with BIG-IP Local Traffic Manager (LTM)

The following general network technology knowledge and experience are recommended before attending any F5 Global Training Services instructor-led course:
- OSI model encapsulation
- Routing and switching
- Ethernet and ARP
- TCP/IP concepts
- IP addressing and subnetting
- NAT and private IP addressing
- Default gateway
- Network firewalls
- LAN vs. WAN


Additional Documentation and Resources
Additional documentation and resources related to the F5 products and solutions described in this course can be found online at www.F5.com and at AskF5.com. Some relevant resource types and titles are shown in the table below, and throughout the course material:

Resource Type    Title
Manual           BIG-IP Local Traffic Manager: Implementations
Manual           BIG-IP Local Traffic Manager: Monitors Reference
Manual           BIG-IP Local Traffic Manager: Concepts
Manual           BIG-IP TMOS: Concepts
Manual           BIG-IP TMOS: Implementations
Manual           BIG-IP Device Service Clustering: Administration
Manual           TMSH Reference Guide
Release Notes    BIG-IP LTM and TMOS 12.1


Administering BIG-IP Table of Contents

Preface ..... P-1
    Course Overview ..... P-1
    Audience ..... P-1
    Course Objectives ..... P-2
    Prerequisites ..... P-3
    Additional Documentation and Resources ..... P-4

Chapter 1: Setting Up the BIG-IP System ..... 1-1
    Introducing the BIG-IP System ..... 1-1
    Initially Setting Up the BIG-IP System ..... 1-10
        Configuring the Management Interface ..... 1-11
        Activating the Software License ..... 1-13
        Provisioning Modules and Resources ..... 1-15
        Importing a Device Certificate ..... 1-17
        Specifying BIG-IP Platform Properties ..... 1-18
        Configuring the Network ..... 1-22
        Configuring Network Time Protocol (NTP) Servers ..... 1-23
        Configuring Domain Name System (DNS) Settings ..... 1-23
        Configuring High Availability Options ..... 1-23
    Archiving the BIG-IP Configuration ..... 1-28
    Leveraging F5 Support Resources and Tools ..... 1-29
    Chapter Resources ..... 1-34
    BIG-IP System Setup Labs ..... 1-35
        Lab 1.1 - Configure the Management Port ..... 1-36
            Lab 1.1A - Configure the management port via a Serial Console ..... 1-37
            Lab 1.1B - Configure the management port via the LCD Panel ..... 1-39
        Lab 1.2 - Activate the BIG-IP System and Configure the Network ..... 1-40
        Lab 1.3 – Test Administrative Access ..... 1-49
        Lab 1.4 - Archive the Configuration ..... 1-52


Chapter 2: Traffic Processing Building Blocks ..... 2-1
    Identifying BIG-IP Traffic Processing Objects ..... 2-1
        Network Packet Flow ..... 2-6
    Configuring Virtual Servers and Pools ..... 2-8
    Load Balancing Traffic ..... 2-11
    Viewing Module Statistics and Logs ..... 2-14
        Lab 2.1 – Virtual Servers and Pools Lab ..... 2-22
    Using the Traffic Management Shell (TMSH) ..... 2-28
        Understanding the TMSH Hierarchical Structure ..... 2-28
        Navigating the TMSH Hierarchy ..... 2-30
    Managing BIG-IP Configuration State and Files ..... 2-32
        BIG-IP System Configuration State ..... 2-32
        Loading and Saving the System Configuration ..... 2-35
        Shutting Down and Restarting the BIG-IP System ..... 2-37
    Saving and Replicating Configuration Data (UCS and SCF) ..... 2-38
    Viewing the BIG-IP Connection Table ..... 2-46
    Chapter Resources ..... 2-49
        Lab 2.2 – Configure BIG-IP using TMSH ..... 2-50

Chapter 3: Using NATs and SNATs ..... 3-1
    Address Translation on the BIG-IP System ..... 3-1
    Mapping IP Addresses with NAT ..... 3-2
        Lab 3.1 – Use NAT on the BIG-IP System ..... 3-6
    Solving Routing Issues with SNATs ..... 3-8
    Configuring SNAT Auto Map on a Virtual Server ..... 3-14
    Monitoring for and Mitigating Port Exhaustion ..... 3-17
    Chapter Resources ..... 3-19
        Lab 3.2 – SNAT Auto Map Lab ..... 3-20


Chapter 4: Monitoring Application Health ..... 4-1
    Introducing Monitors ..... 4-1
    Types of Monitors ..... 4-3
    Monitor Interval and Timeout Settings ..... 4-7
    Configuring Monitors ..... 4-9
    Assigning Monitors to Resources ..... 4-13
    Managing Pool, Pool Member, and Node Status ..... 4-18
    Using the Network Map ..... 4-23
    Chapter Resources ..... 4-25
        Lab 4.1 – Monitor Application Health ..... 4-26

Chapter 5: Modifying Traffic Behavior with Profiles ..... 5-1
    Introducing Profiles ..... 5-1
    Understanding Profile Types and Dependencies ..... 5-4
    Configuring and Assigning Profiles ..... 5-7
    Chapter Resources ..... 5-10
        Lab 5.1 – Configure an FTP Virtual Server ..... 5-11

Chapter 6: Modifying Traffic Behavior with Persistence ..... 6-1
    Understanding the Need for Persistence ..... 6-1
    Introducing Source Address Affinity Persistence ..... 6-5
    Introducing Cookie Persistence ..... 6-9
        Lab 6.1 – Source Address Affinity Persistence ..... 6-14
        Lab 6.2 – Cookie Persistence ..... 6-19
        Lab 6.3 – Enable Cookie Encryption (Optional) ..... 6-23
    Introducing SSL Offload and SSL Re-Encryption ..... 6-25
        Lab 6.4 – Implement SSL Offload and SSL Re-Encryption ..... 6-30
    Managing Object State ..... 6-34
    Introducing Action on Service Down ..... 6-41
        Lab 6.5 – Manage Object State ..... 6-42


Chapter 7: Troubleshooting the BIG-IP System ..... 7-1
    Configuring Logging ..... 7-1
        Introducing BIG-IP System Logging ..... 7-1
        Legacy Remote Logging ..... 7-7
        Introducing High Speed Logging (HSL) ..... 7-10
        High-Speed Logging Filters ..... 7-10
        HSL Configuration Objects ..... 7-12
        Configuring High Speed Logging ..... 7-13
    Using tcpdump on the BIG-IP System ..... 7-15
        Lab 7.1 – High Speed Logging ..... 7-23
        Lab 7.2 – Legacy Remote Syslog ..... 7-29
    Leveraging the BIG-IP iHealth System ..... 7-32
    Working with F5 Support ..... 7-40
        Information Required when Opening a Support Case ..... 7-40
        Providing Files to F5 Technical Support ..... 7-42
        Running End User Diagnostics ..... 7-43
    Chapter Resources ..... 7-45
        Lab 7.3 – iHealth Diagnostics ..... 7-46

Chapter 8: Administering the BIG-IP System ..... 8-1
    Leveraging Always-On Management (AOM) ..... 8-1
        Lab 8.1 – AOM IP Address Lab (Optional) ..... 8-4
    Expanding Availability with Device Service Clustering (DSC) ..... 8-6
    Viewing BIG-IP System Statistics ..... 8-9
    Defining User Roles and Administrative Partitions ..... 8-16
        Lab 8.2 – Administrative Partitions and Users ..... 8-25
    Leveraging vCMP ..... 8-32
    Chapter Resources ..... 8-37

Chapter 9: Customizing Application Delivery with iRules ..... 9-1
    Identifying iRules Components ..... 9-1
    Triggering iRules with Events ..... 9-4
    Leveraging the iRules Ecosystem on DevCentral ..... 9-6
        Lab 9.1 – HTTP to HTTPS Redirect via iRule ..... 9-7
        Lab 9.2 – Pool Selection via iRule ..... 9-9


Chapter 10: Additional Training and Certification ..... 10-1
    Getting Started Series Web-Based Training ..... 10-1
    F5 Instructor Led Training Curriculum ..... 10-2
    F5 Professional Certification Program ..... 10-3


Chapter 2 - Print Version and Organizational Changes

Chapter 2: Print Version and Organizational Changes

Eleventh Printing – June, 2016

1. Chapter 2: Traffic Processing Building Blocks
   a. Added discussion of a change in behavior where SCF files now contain device certificate and key information, and that encryption is the default option, to student guide, slide deck and lab steps.
2. Chapter 4: Monitoring Application Health
   a. Added description of viewing monitor statistics via TMSH to student guide, slide deck and lab steps.
3. Chapter 6: Modifying Traffic Behavior with Persistence
   a. Added coverage of Action on Service Down feature to student guide, slide deck and lab steps.
4. Chapter 7: Troubleshooting the BIG-IP System
   a. Added a short discussion on new log destination pool distribution methods to Student Guide.
   b. Lab 7.2: Legacy Remote Syslog:
      i. Reverted to sending output to PC rather than to 10.10.17.99 VS on LTM17
      ii. Have students create a syslog-formatted destination that points to hsl_destination right out of the gate.
      iii. Made section on creating a Splunk-formatted destination optional.
5. Chapter 8: Administering the BIG-IP System
   a. Added section on viewing system and performance statistics to Student Guide.
   b. Removed iApps coverage completely.


Chapter 3 – Classroom Setup Instructions

Chapter 3: Classroom Setup Instructions
The information contained in this document is applicable to F5 classroom environments, and may differ in ATC or partner classrooms.

Accessing the Instructor Site on F5 University
The Instructor Site on F5 University is home to most of the materials required to set up and run F5 Global Training Services customer-facing instructor-led courses. To access the Instructor Site page:
1. Log onto http://university.f5.com using your F5 University credentials
2. Click on the link for ATC Trainer Materials

This site is exclusively for our worldwide family of F5 Certified Trainers. It provides the latest available training materials and classroom setup instructions. Visibility and access to individual courses are granted based on your current training certification levels. If you do not see a specific course listed, it may be because you have not completed all of the certification requirements for that course. If you have any questions or concerns, please email us at [email protected].

Download course materials
The instructor site page contains links to downloadable read-only zipped support files for each course in our current curriculum that your credentials allow you access to, including:
- Classroom PowerPoint presentation with accompanying slide notes to assist you in preparing to teach a course
- Instructor Guide (this document), which contains the course outline, course description, course changes, classroom setup instructions, and the table of contents and lab pages from the Student Guide
- Any additional files and scripts for use during labs
You can also download the current course completion certificates in PDF form.


Download classroom setup materials
From the instructor site page, you can also access and download:
- Training Server .ova file
- Instructor BIG-IP (LTM17) setup script


Accessing the ATC Support Site on F5 University
The ATC Support Site on F5 University is home to the latest news and information about F5 Global Training Services’ course curriculum, including instructor-led and web-based training courses. To access the ATC Support page:
1. Log onto F5 University using your credentials (http://university.f5.com)
2. Click on the link for ATC Support

On the ATC Support page, you can access:
- Announcements – The latest courseware news and holiday closures
- Newsletters – Our periodic newsletter summarizing events of interest to F5 instructors and partners
- Errata Sheets – Corrections for published course material
- Frequently Asked Questions – If you’re looking for help locating something or setting up something, you might find the answer here first.
- Best Practices for Ordering Manuals – For Americas, EMEA, and APAC


Classroom Network Configuration

Logical Networks
There are three logical networks defined in the classroom environment:

Subnet       Name                 Use
192.168/16   Management network   Administrative traffic to/from the BIG-IP systems
10.10/16     External network     Primarily for handling application traffic between clients and the BIG-IP systems. Can also handle administrative traffic to/from the BIG-IP systems via the self IP addresses on VLAN external.
172.16/16    Internal network     Handles application traffic between the BIG-IP systems and application servers

The 10.10/16 and 172.16/16 logical networks must be on separate physical networks, otherwise bridge loops will form and the network will fail. The 192.168/16 and 10.10/16 networks can be on the same physical network without issue.


F5 Classroom Network Diagram

The workstation at 10.10.17.30 is optional. If present, it is designated as the instructor’s workstation.


Instructor BIG-IP System IP Addresses
Most of the courses require the presence of an additional BIG-IP system. Designated as the Instructor BIG-IP system, it is referred to as BIGIP17 or LTM17 in some course-related documentation, and provides the following support:
- Acts as the default gateway for student workstations to access the Internet (via self IP 10.10.17.33)
- Provides DNS resolution services for student workstations (via VIP 10.10.17.53)
- Provides additional virtual servers that are used to support certain labs and, in some cases, act as application servers that sit on the external network (these are documented within each specific course section)
- Optionally provides Internet access for student workstations (must be configured for this)
Due to these special functions, it is not available for student use in the classroom environment.

The Instructor BIG-IP system is located at the following IP addresses:
- Management: 192.168.17.31
- External: 10.10.17.31 and 10.10.17.33
- Internal: 172.16.17.31 and 172.16.17.33

In addition to the IP addresses noted above and on the classroom network diagram in Figure 1, the Instructor BIG-IP system provides support for the following virtual IP addresses, some of which are used as back-end application servers on the external network:
10.10.20.1, 10.10.20.2, 10.10.20.3, 10.10.17.208, 10.10.17.209, 10.10.17.53, 10.30.17.100, 10.10.20.0/30, 10.10.17.201, 10.10.17.202, 10.10.17.203
(See the section entitled Setting Up the Instructor BIG-IP System for detailed setup information.)


Student Workstation IP Addresses
Most of F5’s classroom environments support up to 16 students, each with their own workstation and BIG-IP system; however, this is not a requirement. In general, we recommend one student per workstation, whenever possible, to maximize the learning experience.

Network configuration
The labs assume the student workstations are configured as shown below:
- Management: 192.168.X.30/16 and fc00:c0a8:0:X::30/48
- External: 10.10.X.30/16 and fc00:0a0a:0:X::30/48
- Gateway: 10.10.17.33 and fc00:0a0a:0:17::33
- DNS: 10.10.17.53 and fc00:0a0a:0:17::50

For IPv6 addresses, specify the student’s workstation number (“X”) in decimal, not hexadecimal. For example, the management IPv6 address for workstation 12 should be fc00:c0a8:0:12::30/48.

The IP addressing standard used in the classroom environment expects the student’s workstation number to be present in the third octet of IPv4 addresses and in the fourth group of IPv6 addresses. For example, workstation 1 should be configured with the following IP addresses:
- Management IPv4: 192.168.1.30/16
- External IPv4: 10.10.1.30/16
- Management IPv6: fc00:c0a8:0:1::30/48
- External IPv6: fc00:0a0a:0:1::30/48
These correspond with the addressing scheme used on the student’s BIG-IP system, and with the routing tables on the back-end application servers. As noted above, for IPv6 addresses, specify the workstation number in decimal rather than hexadecimal. (See the section entitled Setting Up the Student Workstations for detailed information on these workstations and the applications they provide.)
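The addressing scheme above (station number in the third IPv4 octet and the fourth IPv6 group, written in decimal) is easy to get wrong when a classroom is built by hand. The following Python script is an added example, not part of the guide or of any F5 tooling: it derives every workstation and student BIG-IP address for a station, checks them against the fixed gateway and DNS addresses the guide gives, and shows why "decimal, not hex" matters. The reserved station numbers 17 (instructor BIG-IP) and 20 (back-end servers) are inferred from the addresses in this chapter; the upper bound of 254 is an assumption.

```python
import ipaddress

# Fixed classroom addresses from the guide (gateway and DNS live on the
# instructor BIG-IP, which uses station number 17).
GATEWAY_V4, GATEWAY_V6 = "10.10.17.33", "fc00:0a0a:0:17::33"
DNS_V4, DNS_V6 = "10.10.17.53", "fc00:0a0a:0:17::50"
# Station numbers the guide uses for other roles (assumption drawn from the
# addresses listed in this chapter): 17 = instructor BIG-IP, 20 = app servers.
RESERVED_STATIONS = {17, 20}


def station_addresses(x: int) -> dict:
    """Return the workstation and student BIG-IP addresses for lab station X.

    The IPv6 group carries the decimal digits of X, exactly as the guide says,
    so station 12 gets fc00:c0a8:0:12::30 (hex group 0x12), not fc00:c0a8:0:c::30.
    """
    if not 1 <= x <= 254 or x in RESERVED_STATIONS:
        raise ValueError(f"station {x} is out of range or reserved")
    addrs = {
        # student workstation
        "ws_mgmt_v4": f"192.168.{x}.30/16",
        "ws_ext_v4": f"10.10.{x}.30/16",
        "ws_mgmt_v6": f"fc00:c0a8:0:{x}::30/48",
        "ws_ext_v6": f"fc00:0a0a:0:{x}::30/48",
        # student BIG-IP (values used in Labs 1.1 and 1.2)
        "bigip_mgmt": f"192.168.{x}.31/16",
        "bigip_ext_self": f"10.10.{x}.31/16",
        "bigip_ext_float": f"10.10.{x}.33/16",
        "bigip_int_self": f"172.16.{x}.31/16",
        "bigip_int_float": f"172.16.{x}.33/16",
    }
    # Every string must parse; a missing "0:" group or a stray hex conversion
    # would surface here rather than on the classroom floor.
    for a in addrs.values():
        ipaddress.ip_interface(a)
    return addrs


def on_link(interface: str, target: str) -> bool:
    """True when target lies inside the prefix of interface (no routing needed)."""
    return ipaddress.ip_address(target) in ipaddress.ip_interface(interface).network


def check_station(x: int) -> dict:
    """Sanity-check station X against the fixed classroom addresses."""
    a = station_addresses(x)
    return {
        "gateway_v4_on_link": on_link(a["ws_ext_v4"], GATEWAY_V4),
        "gateway_v6_on_link": on_link(a["ws_ext_v6"], GATEWAY_V6),
        "dns_v4_on_link": on_link(a["ws_ext_v4"], DNS_V4),
        "dns_v6_on_link": on_link(a["ws_ext_v6"], DNS_V6),
        # management and external networks must not overlap
        "mgmt_separate": not on_link(a["ws_mgmt_v4"], GATEWAY_V4),
        # the internal (server) network is only reachable through the BIG-IP
        "servers_off_link": not on_link(a["ws_ext_v4"], "172.16.20.1"),
    }


def decimal_vs_hex(x: int) -> tuple:
    """The two spellings of X name different hosts once X has more than one digit."""
    decimal_form = ipaddress.ip_address(f"fc00:c0a8:0:{x}::30")
    hex_form = ipaddress.ip_address(f"fc00:c0a8:0:{x:x}::30")
    return str(decimal_form), str(hex_form)


if __name__ == "__main__":
    for name, addr in station_addresses(12).items():
        print(f"{name:16} {addr}")
    print(check_station(12))
    print(decimal_vs_hex(12))
```

Run it with a station number and every value in check_station should be True; a False on the gateway or DNS rows means the workstation would have no route to the instructor BIG-IP, which is the most common cause of a student "cannot reach anything" complaint.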


Chapter 1 - Setting Up the BIG-IP System


BIG-IP System Setup Labs
The BIG-IP System Setup Labs are divided into several sections. Your instructor will tell you which lab to start with:
- Lab 1.1 – Configure the Management Port
- Lab 1.2 – Activate the BIG-IP System and Configure the Network
- Lab 1.3 – Test Administrative Access
- Lab 1.4 – Archive the Configuration
Estimated Time for Completion: 35 minutes

For all labs, when an “X” is listed in lab instruction steps, please substitute your lab station number instead. For example, for lab station 1, the IP address shown as 192.168.X.31 in the lab instructions would be entered as 192.168.1.31 when carrying out the instruction. A password specified as “rootX” in the instructions would be entered as root1. If lab instructions do not provide a value for a particular configuration parameter, accept whatever the default is for that parameter.

Lab Preparation Tasks
Verify workstation IP addresses are properly configured
Check your workstation’s network settings to ensure that it is configured with two IP addresses: 192.168.X.30/16 and 10.10.X.30/16. This will allow you to access the BIG-IP system through both the management network and the external self IP, as well as access the applications you configure it to deliver.

Continue with Lab 1.1: Configure the Management Port

Administering BIG-IP v12


Lab 1.1 – Configure the Management Port (Optional for BIG-IP VE Classrooms)
Lab Objectives
- Configure an IP address and network mask for the BIG-IP management port to provide administrative access to the BIG-IP system from the student’s workstation

Lab Requirements
- For classrooms with BIG-IP hardware devices, serial console access to the BIG-IP system or physical access to the BIG-IP device if using the LCD option.
This lab can be skipped if the management port is already configured, as is often the case in BIG-IP VE classroom environments.

Configure the Management Port
Your instructor will tell you which method you will use to configure your BIG-IP system’s management port, or whether you will bypass this lab altogether (e.g. if your management port is already configured):
- Lab 1.1A: Configure the Management Port via a Serial Console (pages 1-37 thru 1-38)
- Lab 1.1B: Configure the Management Port via the LCD Panel (page 1-39)
If your management port is already configured, please skip to Lab 1.2, which begins on page 1-40.


Lab 1.1A: Configure the Management Port via a Serial Console
This lab requires serial console access to your BIG-IP system (not available in BIG-IP VE classroom environments).

Access the serial console
1. Gain access to the BIG-IP system’s serial port
   a. For classes using serial cables, connect a null-modem cable between the BIG-IP device and a terminal with VT-100 emulation. The serial settings should be N-8-1 at 19,200 bps.
   b. For classes using serial terminal emulators, open an SSH session using PuTTY (or another SSH client) to the serial console IP address provided by your instructor. This should connect you to the serial port of your BIG-IP system. You may need to log into the console server before logging into the BIG-IP system in the next step. Your instructor will provide credentials, if necessary.
2. When prompted to log into the BIG-IP system, enter root for the username and default for the password.
3. At the Linux bash prompt (e.g. config #), enter the command: config
4. Start the utility by clicking the OK button.

Use the key to tab between fields and options in the config tool. Use the and/or keys to remove field content. Use the key to select an option (such as “OK” or “Next”). You can also select an option by moving the mouse cursor over a particular option (such as “OK” or “Next”) and clicking.

Select manual configuration of the IP address
5. On the Configure IP Address panel, ensure the No option is highlighted (to bypass automatic configuration of the IP address) and press the key. (If the No option is not already highlighted, use the key to tab to it before pressing the key.)


Set the IP address to 192.168.X.31
6. On the Configure IP Address panel, use the , , and/or arrow keys to change the IP address to 192.168.X.31, where “X” is your station number. After changing the IP address, press the key to highlight the OK option, then press the key to continue.

Set the netmask to 255.255.0.0
7. On the Configure Netmask panel, set the netmask to 255.255.0.0, press the key to highlight the OK option, then press the key to continue.

Set no default route
8. When prompted to create a default route for the management port, select the No option and press the key to continue. In our classroom environment, no default route is required.

Confirm the management port configuration
9. On the Confirm Configuration panel, ensure that your settings are correct, as shown in the table below, then select the Yes option and press the key to complete the configuration. If the options are not correct, select the No option and rerun the config command.

IP Address   192.168.X.31
Netmask      255.255.0.0

Unless otherwise instructed, please skip forward to Lab 1.2: Activate the BIG-IP System and Configure the Network on page 1-40.


Lab 1.1B: Configure the Management Port via the LCD Panel (Optional)
This optional lab can only be performed on BIG-IP hardware devices.

This lab can only be carried out if your classroom environment includes BIG-IP hardware devices. All steps are done using the buttons to the right of the LCD display on the front of the BIG-IP device itself. The arrow buttons are used for navigation. The checkmark button is used to make a selection or to save a setting.
1. Press the red X button to start the configuration process.
2. Using the up/down arrows, navigate to the System menu and press the green check mark button to select it.
3. Navigate to the Management menu and press the green check mark button to select it.
4. Navigate to the IP Address menu and select it.
5. Navigate to the IP Address field and select it.
6. Using the up and down arrow keys to increment/decrement the values in each octet, enter the IP address as 192.168.X.31 where “X” is your station number. Press the green check mark button to save your setting.
7. Navigate to the Netmask field and select it.
8. Enter the netmask as 255.255.0.0 and save your setting.
9. Use the down arrow to navigate to the Commit menu and select it. When you see the OK menu blinking, click the green checkmark button.

Continue with Lab 1.2: Activate the BIG-IP System and Configure the Network


Lab 1.2 – Activate the BIG-IP System and Configure the Network
Lab Objectives
Ensure the BIG-IP system:
- Is properly licensed and provisioned
- Has a valid host name, and updated root and admin user credentials
- Has the VLANs and self IPs that are used in support of the classroom lab environment
- Is prepared for high availability

Lab Requirements
- Access to the BIG-IP system’s base registration key
- Access to the Internet or to the BIG-IP system’s license file
- Network access to the BIG-IP system’s management port on the 192.168/16 network

Access the Configuration utility via the MGMT Port
Start the Setup utility
1. Open a browser session to https://192.168.X.31 where “X” is your station number. BIG-IP ships with a self-signed SSL certificate. Accept the certificate (not permanently, if using Firefox) and log in with username admin and password admin.

Upon connecting to your BIG-IP system, you should be directed to the Setup utility. Please let your instructor know if you are not placed directly into the Setup utility.

2. Click the Next button to start the Setup utility.

If your BIG-IP system is already licensed, a “Reactivate” button and a “Next” button will appear at the bottom of the License page. If this is the case, click the “Next” button and skip forward in this lab to Provision Your BIG-IP System. Otherwise, continue with the next step.

3. On the subsequent Setup Utility » License page, click the Activate button to begin the licensing process.


License the BIG-IP system If you have Internet access from your classroom workstation, follow the instructions in step 4. If you do not have Internet access from your classroom workstation, follow the instructions in step 5.

4. Manually activate your BIG-IP license at the F5 License Server:
   a. Ensure there is already a value present in the Base Registration Key field on the Setup » License page. If the field is blank, please ask your instructor for assistance in locating the proper registration key to use with your BIG-IP system.
   b. In the Activation Method setting, select the Manual radio button.
   c. In the Manual Method setting, select the Download/Upload File radio button.
   d. In the Step1: Dossier area, click the button that reads Click Here to Download Dossier File. If prompted where to save the dossier, select your desktop. Note where the dossier was downloaded, as you will need it to generate a license.
   e. In Step2: Licensing Server, click the link that reads Click here to access F5 licensing server to open a new browser window to the F5 license server.
   f. On the F5 License Server, click the Activate License link.
   g. Click the Choose File button to the right of the Select your dossier file prompt, and locate the dossier file you downloaded in step 4d.
   h. Click the Next button on the F5 License Server to generate a license from the dossier. (You may be prompted to accept the terms of the F5 License Agreement.)
   i. On the resulting page, click the Download license button to download the generated license to your workstation. If prompted where to save the license, select your desktop. Note where the license was downloaded, as you will need it to complete activation.
   j. Back on your BIG-IP system, on the Setup » License page, click the Choose File button to the right of the Step 3: License field. Locate the license you downloaded in step 4i, and upload it to your BIG-IP system.
   k. Click the Next button on the BIG-IP system to complete license activation.
   l. Your BIG-IP system will take a few moments to verify the license activation. Wait for the verification to complete successfully, and click the Continue button to return to the next step in the Setup utility.

Skip forward in this lab to Provision Your BIG-IP System (step 6).


Your instructor will let you know where to find the license file for your BIG-IP system. Make sure this file is available to you before carrying out step 5 below. Please skip to step 6 if you licensed your BIG-IP system in step 4.

5. Manually activate your BIG-IP license using an existing license file.
   a. Ensure there is already a value present in the Base Registration Key field on the Setup » License page. If the field is blank, please ask your instructor for assistance in locating the proper registration key to use with your BIG-IP system.
   b. In the Activation Method setting, select the Manual radio button.
   c. In the Manual Method setting, select the Download/Upload File radio button.
   d. In the Step1: Dossier area, click the button that reads Click Here to Download Dossier File. If prompted where to save the dossier, select your desktop. Normally at this point, you would access the F5 License Server and upload the dossier you just downloaded to generate a license. This has already been done for you in this classroom environment. Please ask your instructor for assistance if you do not know where the appropriate license file for your BIG-IP system is located.
   e. In the Step3: License area, click the button that reads Choose File. Navigate to the license file you identified earlier, and upload it to your BIG-IP system.
   f. Click the Next button on the BIG-IP system to complete license activation.
   g. Your BIG-IP system will take a few moments to verify the license activation. Wait for the verification to complete successfully, and click the Continue button to return to the next step in the Setup utility.

Skip forward in this lab to Provision Your BIG-IP System (step 6).


Provision Your BIG-IP System
6. On the Resource Provisioning page of the Setup utility, provision your BIG-IP system, as shown in the table below.

Setup Utility » Resource Provisioning
Current Resource Allocation section
  Management (MGMT)     Small
  Local Traffic (LTM)   Nominal
When complete, click…   Next (or Submit)

Your BIG-IP system may produce a warning message that certain system daemons may restart or the system may reboot, causing your session to wait for up to several minutes. This is normal behavior when changing provisioning settings. Click the OK button to continue.

Accept the BIG-IP Self-Signed Device Certificate 7. After provisioning is complete, you should be taken to the Device Certificates page in the Setup utility. We will be using the BIG-IP system’s self-signed certificate in class. Note the expiration date for the certificate. (If the certificate is expired, please notify the instructor.) Click the Next button to continue the Setup utility.


Configure Platform General Properties and User Administration
8. Configure the host name, time zone, and administrative access usernames/passwords. Remember to substitute your station number for “X.” Some fields may already contain the correct values. Where specific information is not provided in the instructions below, accept the defaults on your BIG-IP system.

Setup Utility » Platform
General Properties section
  Management Port Configuration   Manual
  Management Port                 IP Address[/prefix]: 192.168.X.31
                                  Network Mask: 255.255.0.0
  Host Name                       bigipX.f5trn.com
  Host IP Address                 Use Management Port IP Address
  Time Zone                       Set to your classroom’s local time zone
User Administration section
  Root Account                    Disable login: Unchecked
                                  Password: rootX
                                  Confirm: rootX
  Admin Account                   Password: adminX
                                  Confirm: adminX
When complete, click…             Next, then OK

You are changing the passwords for the root and admin accounts, not creating new accounts. Since you are currently logged in using the admin account, you will need to log back in again with your new password.

9. Log back in to BIG-IP as user admin with password adminX. You should be taken directly to the Setup Utility » Network page.


Configure the Classroom Network 10. Continue the Setup utility by performing a Standard Network Configuration. Click the Next button under the Standard Network Configuration heading.

Configure Redundant Device Wizard options
11. Set Redundant Device Wizard Options to prompt for ConfigSync settings and High Availability options.

Setup Utility » Redundancy
Redundant Device Wizard Options section
  ConfigSync          Check the box for Display configuration synchronization options
  High Availability   Check the box for Display failover and mirroring options
                      Select Network for Failover Method
When complete, click…   Next

Configure Self IPs and VLANs
12. Configure VLAN internal and its self IPs, interface, and default port lockdown settings.

Setup Utility » VLANs
Internal Network Configuration section
  Self IP       Address: 172.16.X.31
                Netmask: 255.255.0.0
                Port Lockdown: Allow Default
  Floating IP   Address: 172.16.X.33
                Port Lockdown: Allow Default
Internal VLAN Configuration section
  VLAN Interfaces   Interfaces: Select 1.2
                    Tagging: Select Untagged
                    Click the Add button
When complete, click…   Next


13. Configure VLAN external and its self IPs, interface, and port lockdown settings.

Setup Utility » VLANs
External Network Configuration section
  External VLAN     Click the Create VLAN external radio button
  Self IP           Address: 10.10.X.31
                    Netmask: 255.255.0.0
                    Port Lockdown: Allow None
  Default Gateway   Leave blank
  Floating IP       Address: 10.10.X.33
                    Port Lockdown: Allow None
External VLAN Configuration section
  VLAN Interfaces   Interfaces: Select 1.1
                    Tagging: Select Untagged
                    Click the Add button
When complete, click…   Next

14. Configure the high availability network to use the existing VLAN named internal.

Setup Utility » VLANs
High Availability Network Configuration section
  High Availability VLAN   Click the Select existing VLAN radio button
  Select VLAN              internal
When complete, click…      Next

Configure Network Time Protocol 15. If NTP servers are needed in your course, they will be configured in a later lab. Leave this page with its default settings, and click the Next button to continue.

Configure Domain Name Server 16. If DNS settings are required in your course, they will be configured in a later lab. Leave this page with its default settings, and click the Next button to continue.


Configure ConfigSync
17. Configure ConfigSync on the non-floating self IP for VLAN internal, the VLAN we’re using for high availability (HA).

Setup Utility » ConfigSync
ConfigSync Configuration section
  Local Address   172.16.X.31 (internal)
When complete, click…   Next

Configure Failover Unicast and Failover Multicast settings
18. Use the default settings for Failover Unicast Configuration and Failover Multicast Configuration, as shown below:

Setup Utility » Failover
Failover Unicast Configuration section
  Local Address   Port   VLAN
  172.16.X.31     1026   internal
  192.168.X.31    1026   Management Address
Failover Multicast Configuration section
  Use Failover Multicast Address   Unchecked (Disabled)
When complete, click…   Next

Mirroring configuration
19. Use the default primary and secondary local mirror address settings for Mirroring Configuration, as shown below:

Setup Utility » Mirroring
Mirroring Configuration section
  Primary Local Mirror Address     172.16.X.31 (internal)
  Secondary Local Mirror Address   None
When complete, click…   Next


Finish the Setup Utility
You have now completed configuring the network interfaces that are used in support of the basic classroom environment. If your course requires additional HA configuration, it will be performed in a later lab.
20. Click the Finished button under the Advanced Device Management Configuration heading. You should be taken to the Welcome page, and there should be a message at the top of the page indicating Setup Utility Complete.

Classroom Network Configuration Diagram

Figure 18: Conceptual representation of your classroom environment after lab completion

Continue with Lab 1.3: Test Administrative Access


Lab 1.3 – Test Administrative Access
Lab Objectives
- Ensure that your BIG-IP network settings are correct
- Customize administrative access to the BIG-IP system by allowing SSH and HTTPS traffic directly to the self IPs for VLAN external

Lab Requirements
- Access to a BIG-IP system that has completed the initial setup process, including management port configuration, licensing, provisioning, device certificate setup, and standard network configuration.

Test Administrative Access to the BIG-IP System
Test SSH (port 22) access to the management port
1. Using PuTTY, open an SSH session to the management port at 192.168.X.31. Make sure the protocol is set to SSH (port 22) before connecting. Log in as root with password rootX.

Test HTTPS (port 443) access to VLAN external’s self IPs
2. Try to open a browser session to https://10.10.X.31. Were you able to connect?

Your attempt to connect in the previous step should fail, as the self IP is currently protected via Port Lockdown. Although not required in a production environment, in the next several steps you will allow custom access to the self IPs on VLAN external to see how this is done.


Allow custom access to the external self IPs
3. Navigate to Network » Self IPs » 10.10.X.31 and reconfigure the self IP address 10.10.X.31 to also allow access via port 443.

Configuration utility: Network » Self IPs » 10.10.X.31
Configuration section
  Port Lockdown   Select Allow Custom
  Custom List     Select the TCP and Port radio buttons
                  Enter 443 in the field that appears to the right of Port
                  Click the Add button
When finished…    Click Update

4. Try to open a browser session to https://10.10.X.31 again. This time you should be successful. Accept the site’s certificate, if and when prompted about the validity of the certificate. If using Firefox, do not create a permanent exception. (Uncheck the permanent exception box.)
5. Log in as user admin with password adminX.
6. Try to open a browser window to https://10.10.X.33, the floating self IP on VLAN external. If you were unsuccessful, allow access using the same method as you did in an earlier step.

Test SSH (port 22) access to VLAN external’s non-floating self IP
7. Using PuTTY, try to open an SSH session to 10.10.X.31. Were you able to connect? Why or why not? If you were unable to connect, allow access using the same method as in an earlier step, and test.
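Steps 2 through 7 are really a walk through the Port Lockdown state machine on a self IP: Allow None refuses every administrative connection, Allow Custom admits exactly the protocol/port entries you list (the GUI also lets an entry cover all ports of a protocol), and Allow Default admits a fixed list of services that F5 documents. The Python model below is an added example, not part of the guide or of any F5 software; it replays the lab's expected outcomes for a constructed station 1. The only Allow Default service this guide documents is the network failover traffic on UDP 1026 (Lab 1.2, step 18), so the ALLOW_DEFAULT set here is a placeholder and not F5's full list.

```python
from dataclasses import dataclass, field
from typing import Optional

ANY_PORT = None  # models the GUI's "All Ports" choice within a custom-list entry


@dataclass(frozen=True)
class Service:
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # ANY_PORT means every port of that protocol


@dataclass
class SelfIP:
    address: str
    vlan: str
    lockdown: str                           # allow-none | allow-default | allow-custom | allow-all
    custom: set = field(default_factory=set)

    def admits(self, proto: str, port: int) -> bool:
        """Would an administrative connection to (proto, port) on this self IP be accepted?"""
        if self.lockdown == "allow-none":
            return False
        if self.lockdown == "allow-all":
            return True
        allowed = ALLOW_DEFAULT if self.lockdown == "allow-default" else self.custom
        return Service(proto, port) in allowed or Service(proto, ANY_PORT) in allowed


# Placeholder for the Allow Default list: only the entry this guide documents
# (failover on UDP 1026 over VLAN internal). The real list is longer; consult
# F5's documentation before relying on it in a design.
ALLOW_DEFAULT = {Service("udp", 1026)}

HTTPS, SSH = ("tcp", 443), ("tcp", 22)


def lab_1_3_walkthrough(x: int = 1) -> dict:
    """Replay the expected results of steps 2, 4, 6 and 7 for station X (constructed, default 1)."""
    external = SelfIP(f"10.10.{x}.31", "external", "allow-none")   # Lab 1.2, step 13
    floating = SelfIP(f"10.10.{x}.33", "external", "allow-none")   # Lab 1.2, step 13
    internal = SelfIP(f"172.16.{x}.31", "internal", "allow-default")  # Lab 1.2, step 12
    results = {"step2_https_fails": not external.admits(*HTTPS)}

    # step 3: Allow Custom with a single TCP/443 entry
    external.lockdown = "allow-custom"
    external.custom.add(Service("tcp", 443))
    results["step4_https_works"] = external.admits(*HTTPS)
    results["step6_floating_still_closed"] = not floating.admits(*HTTPS)
    results["step7_ssh_still_fails"] = not external.admits(*SSH)

    # step 7, second half: a second custom entry for TCP/22
    external.custom.add(Service("tcp", 22))
    results["step7_ssh_after_add"] = external.admits(*SSH)

    # the internal self IP keeps Allow Default so failover traffic is admitted
    results["internal_failover"] = internal.admits("udp", 1026)
    return results


def exposed_services(selfip: SelfIP) -> set:
    """What an auditor should expect to find listening on a self IP under this model."""
    if selfip.lockdown == "allow-none":
        return set()
    if selfip.lockdown == "allow-all":
        return {Service("tcp", ANY_PORT), Service("udp", ANY_PORT)}
    return set(ALLOW_DEFAULT if selfip.lockdown == "allow-default" else selfip.custom)


if __name__ == "__main__":
    for step, ok in lab_1_3_walkthrough().items():
        print(f"{step:30} {'as expected' if ok else 'UNEXPECTED'}")
```

Every entry you add under Allow Custom on an external-facing self IP is an administrative listener reachable from the traffic network, which is why the lab starts from Allow None and why the text notes this customization is not required in production; exposed_services is the inventory you would compare against a change record after such a lab.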

Configure command line access for the admin user
8. On your PuTTY session to 10.10.X.31, attempt to log in with the admin user credentials (admin / adminX). Were you successful?

Your attempt to log in to the command line interface as the admin user in the previous step should fail. By default, the admin user does not have command line access.


9. Navigate to System » Users and update the admin user settings to permit access to the command line interface, but only to TMSH.

Configuration utility: System » Users : User List, then click on user admin
Account Properties section
  Terminal Access   tmsh
When finished, click…   Update

When changing terminal access for the admin user (the user you are currently logged in as), you may have to log back onto the Configuration utility again.

10. Open an SSH session to 10.10.X.31 or to 192.168.X.31 and test logging in with the admin user credentials again.

Check root user access to the Configuration utility
11. Open a browser window to https://10.10.X.31 or https://192.168.X.31 and attempt to log in as the root user. Were you successful?

Your attempt to log into the Configuration utility as user “root” should fail. User “root” does not have access to the Configuration utility, only to the command line. This cannot be changed.

Continue with Lab 1.4: Archive the Configuration


Lab 1.4 – Archive the Configuration
Lab Objectives
- Create a UCS archive of the BIG-IP system configuration.

Create a UCS Archive of Your Configuration
1. Open a browser window to https://10.10.X.31 or https://192.168.X.31 and create a backup of your current configuration.

Configuration utility: System » Archives, then click Create
General Properties section
  File Name   trainX_base.ucs
When complete, click…   Finished, then click OK when the archive is complete

2. Download your new UCS backup to your workstation hard drive for possible use in a later lab.

Configuration utility: System » Archives, then click trainX_base.ucs
General Properties section
  Archive File   Click Download: trainX_base.ucs, then save to the desktop of your management PC, if prompted.


Chapter 2 - Traffic Processing Building Blocks

Lab 2.1 – Virtual Servers and Pools Lab
Lab Objectives
- Configure load balancing pools
- Configure virtual servers and associate them with a pool
- Verify traffic flow through the BIG-IP system using statistics

When asked to “refresh” a browser window throughout the labs in this course, we recommend a hard refresh (a.k.a. hard reload). On most PC browsers, hold down Ctrl and press F5. You can also change your browser preferences to avoid caching altogether. Refer to the Wikipedia article, Bypass your cache, for instructions for various browsers.

Create a Pool

1. Create a pool using the information in the following table.
   Configuration utility: Local Traffic » Pools : Pool List, then click Create
   Configuration section
     Name: http_pool
     Description: HTTP pool with ratio load balancing
   Resources section
     Load Balancing Method: Ratio (member)
     New Members:
       Address:Port 172.16.20.1:80, Ratio: 1, click Add
       Address:Port 172.16.20.2:80, Ratio: 2, click Add
       Address:Port 172.16.20.3:80, Ratio: 3, click Add
   When complete, click Finished

2. Navigate to Local Traffic » Nodes and notice that the BIG-IP system automatically created three new node entries as the result of you creating the three pool members in the previous step.


Create a Virtual Server

3. Create a virtual server that uses the pool created in the previous step.
   Configuration utility: Local Traffic » Virtual Servers : Virtual Server List, then click Create
   General Properties section
     Name: http_vs
     Type: Standard
     Destination Address/Mask: Address: 10.10.X.100
     Service Port: 80 (or type or select HTTP)
   Resources section
     Default Pool: http_pool
   When complete, click Finished

Test Your Configuration Changes Connect to virtual server http_vs (10.10.X.100:80) In this next section, you will drive application traffic through the BIG-IP system, not as an administrator (as you have done previously) but as a user accessing an application that is delivered by the BIG-IP system. Keep this in mind as you switch between your roles as a BIG-IP administrator and an application user.

4. Verify that your virtual server is configured correctly by accessing it as an application user. Open another web browser window and establish a connection to your virtual server at http://10.10.X.100. Note the results of the page that is displayed, then “hard-refresh” the page five to ten times. (In most browsers Ctrl+F5 hard-refreshes the page.)


5. Verify that traffic was sent through your virtual server and pool members by examining statistics on Local Traffic and answering the questions below in the space provided. Hint: Use the Refresh and Reset buttons in the Display Options area to manage the statistics display.
   Configuration utility: Statistics » Module Statistics » Local Traffic
   Display Options section
     Statistics Type: Virtual Servers
       Do you see incoming traffic from client to virtual server?
       Do you see outgoing traffic from virtual server to client?
     Statistics Type: Pools
       Did traffic go to each pool member?
       Did each pool member manage the same number of connections? (Look at the values in Total Connections.)
       How many connections went to member 172.16.20.1:80?
       How many connections went to member 172.16.20.2:80?
       How many connections went to member 172.16.20.3:80?
       Is the ratio of total connections between the pool members approximately 1:2:3?

Expected results and troubleshooting

Depending on what browser you are using, you should see five or six connections per refresh, distributed among the pool members in approximately a 1:2:3 ratio over time. For example:
   172.16.20.1:80 has 3 connections
   172.16.20.2:80 has 6 connections
   172.16.20.3:80 has 9 connections
If not, verify the following:

Is traffic getting to the virtual server?
   - Does the Configuration utility Statistics page show traffic received by http_vs? Verify that the address and port are configured correctly for this virtual server. It should be 10.10.X.100, port 80 (or HTTP).
   - Does 10.10.X.100 appear in your workstation's ARP table? Open the Windows Run dialog box (press the Windows key plus R), type cmd.exe to open the Windows command line interface, then type arp -a and examine the results to see whether you connected to the virtual server on Local Traffic Manager.

Is traffic getting to the pool members?
   - If no traffic is going TO the pool members, verify that http_pool has been assigned to http_vs. Verify that the pool members have the correct IP address and port assigned.
   - If traffic goes TO a pool member but does not return, verify the self IP and VLAN configurations. (See the instructor, if necessary.)
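The 1:2:3 distribution above is what a weighted scheduler converges to. The following added example (not code from this lab guide or from F5) simulates a weighted round-robin scheduler with the lab's http_pool members and ratios and compares it with plain Round Robin, the method used for https_pool later in this lab. It illustrates the distribution Ratio (member) produces over time; it is assumed to approximate, not reproduce, the BIG-IP system's internal scheduler.

```python
from collections import Counter

# Lab pool members with their ratios (http_pool, Ratio (member)).
HTTP_POOL = {"172.16.20.1:80": 1, "172.16.20.2:80": 2, "172.16.20.3:80": 3}


def ratio_member_schedule(ratios, requests):
    """Weighted round robin ('smooth' variant): each request adds every
    member's ratio to its credit, the member with the most credit is chosen
    and charged the sum of all ratios. Over any window of sum(ratios)
    requests each member is picked exactly ratio times, so the totals
    converge to the configured 1:2:3.
    Illustration only; assumed to approximate, not reproduce, F5's scheduler."""
    credit = dict.fromkeys(ratios, 0)
    total = sum(ratios.values())
    chosen = []
    for _ in range(requests):
        for member, weight in ratios.items():
            credit[member] += weight
        pick = max(credit, key=credit.get)
        credit[pick] -= total
        chosen.append(pick)
    return chosen


def round_robin_schedule(members, requests):
    """Plain Round Robin: members in turn, ratios ignored (https_pool)."""
    order = list(members)
    return [order[i % len(order)] for i in range(requests)]


def connection_counts(schedule):
    """Per-member totals, the figure shown under Total Connections."""
    return dict(Counter(schedule))


def ratio_of(counts):
    """Express the counts as a ratio normalised to the smallest member."""
    smallest = min(counts.values())
    return {member: round(n / smallest, 2) for member, n in counts.items()}


if __name__ == "__main__":
    # A browser hard-refresh opens several connections; 30 connections is
    # roughly five or six refreshes.
    ratio_counts = connection_counts(ratio_member_schedule(HTTP_POOL, 30))
    print("Ratio (member):", ratio_counts, ratio_of(ratio_counts))
    rr_counts = connection_counts(round_robin_schedule(HTTP_POOL, 30))
    print("Round Robin:   ", rr_counts, ratio_of(rr_counts))
```

Because the real scheduler interleaves requests from many clients and the browser opens a variable number of connections per refresh, the live statistics will only approximate the exact 5:10:15 the simulation gives for 30 connections.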


Create a Second Pool and Virtual Server

Next, you will create a second virtual server with the same IP address (10.10.X.100) as the virtual server you created in the last section. The port and the load balancing method will be different: 443 instead of 80, and Round Robin instead of Ratio (member). Additionally, this time you will create the pool for your virtual server in a different way: you will create the pool at the same time you are creating the virtual server, not before. After you create the new pool, you will be returned to the New Virtual Server page, where you must complete your virtual server configuration.

6. Create another virtual server and pool.
   Configuration utility: Local Traffic » Virtual Servers : Virtual Server List, then click Create
   General Properties section
     Name: https_vs
     Destination Address/Mask: Address: 10.10.X.100
     Service Port: 443 (or type or select HTTPS)
   Resources section
     Default Pool: click + (this opens the New Pool screen)

   Local Traffic » Pools : Pool List » New Pool
   New Pool screen, Configuration section
     Name: https_pool
   Resources section (on the New Pool screen)
     Load Balancing Method: Round Robin
     New Members: click Node List and use the resulting pull-down to select the nodes to add to the member list:
       Address: 172.16.20.1, Service Port: 443, click Add
       Address: 172.16.20.2, Service Port: 443, click Add
       Address: 172.16.20.3, Service Port: 443, click Add
   When complete, click Finished (this returns you to the New Virtual Server screen; scroll down to the bottom to continue below).

   Local Traffic » Virtual Servers : Virtual Server List » New Virtual Server
   Resources section (back on the New Virtual Server screen)
     Default Pool: https_pool
   When complete, click Finished

You must click Finished twice in the step above (once on the New Pool page, and again on the New Virtual Server page) in order for both configuration objects, the pool and the virtual server, to be created.

Test Your Configuration Changes When driving traffic to your virtual servers during testing, make sure that you are connected to the correct one: http://10.10.X.100 for virtual http_vs at 10.10.X.100:80 and https://10.10.X.100 for virtual https_vs at 10.10.X.100:443.

Connect to virtual server https_vs (10.10.X.100:443) If you cannot connect to your virtual server in the next step, confirm that it was actually created. (Go to Local Traffic » Virtual Servers in the Configuration utility, and see if there is a virtual server called https_vs in the list.) Students often fail to click the Finish button on the New Virtual Server screen after clicking the Finish button on the New Pool screen. 7. Open a new web browser window and establish a connection to your new virtual server at https://10.10.X.100. If prompted, accept the self-signed SSL certificate. Note the results of the page that is displayed. Refresh the screen several times using Ctrl+F5.

Verify traffic flow via Configuration utility statistics

8. View statistics and configuration information to confirm traffic and answer the questions in the table below:
   Configuration utility: Statistics » Module Statistics » Local Traffic
   Display Options section
     Statistics Type: Virtual Servers
       Did traffic go to virtual server https_vs?
     Statistics Type: Pools
       Did traffic go to each pool member in https_pool?
       How many connections went to member 172.16.20.1:443?
       How many connections went to member 172.16.20.2:443?
       How many connections went to member 172.16.20.3:443?
       How many TCP connections are opened each time you hard-refresh the browser page at https://10.10.X.100?


Verify traffic flow via TMSH statistics

9. Using PuTTY, open an SSH session to your BIG-IP system at either the management IP address (192.168.X.31) or the external non-floating self IP (10.10.X.31), and log in as the root user.
10. Back on your browser window connected to https://10.10.X.100, hard-refresh the page once using Ctrl+F5.
11. In your SSH window, view pool and virtual server statistics by entering the following commands at the Linux bash prompt (config #):
    tmsh show /ltm pool https_pool | more
    tmsh show /ltm virtual https_vs | more

12. Compare the statistics shown via TMSH to those currently shown on the Configuration utility.

Expected results and troubleshooting

Depending on the browser you are using, you should see several connections for each refresh of https_vs. Each pool member in https_pool should also be getting approximately the same number of connections each time, and the total number of connections should be approximately the same for each pool member because of the Round Robin setting. If you are not seeing the expected results via statistics:

Is traffic getting to the virtual server?
   - Do statistics show traffic received by https_vs? Verify that the address and port are configured correctly for this virtual server. It should be 10.10.X.100, port 443 (or HTTPS).
   - Does 10.10.X.100 appear in your workstation's ARP table? Open the Windows Run dialog box (press the Windows key plus R), enter cmd.exe to open the Windows command line interface, then enter arp -a and examine the results to see whether you connected to the virtual server on the BIG-IP system. You may need to clear your ARP cache before testing to remove the entry left by the http_vs virtual server: enter netsh interface ip delete arpcache on the Windows command line (not in the PuTTY window).

Is traffic getting to the pool members?
   - If no traffic is going TO the pool members, verify that https_pool has been assigned to https_vs. Verify that the pool members have the correct IP address and port assigned.
   - If traffic goes TO a pool member but does not return, verify the self IP and VLAN configurations. (See the instructor, if necessary.)


Lab 2.2 – Configure BIG-IP using TMSH Lab Objectives Configure pools and virtual servers using TMSH and observe the changes that occur in the stored configuration files as the result of these changes.

Lab Requirements Command-line access to BIG-IP Services to load balance, including SSH

Configure a Pool using TMSH

In this lab, wherever you see notation such as <Tab> or <Enter>, interpret it as meaning you should press the keyboard key specified rather than type the letters. For example, <Tab> means "press the Tab key." When an instruction indicates that you should "run" a particular command, press <Enter> after typing in the command.

Access the Traffic Management Shell (TMSH)

1. Access the command-line interface of the BIG-IP system and log in as the root user.
2. At the bash prompt, enter the Traffic Management Shell by typing: tmsh
3. Navigate to the ltm module using command completion by typing: ltm
   Your command prompt should now read something like this:
   root@(bigipX)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm)#

Create a pool using TMSH

4. Create a new pool, ssh_pool, as defined in the table below, using the TMSH command shown immediately below the table. During the creation process, practice using TMSH's auto-completion functions when you can. If you are already comfortable using TMSH, feel free to create the pool and move to the next step.

   Object Name   Load Balancing Mode   Node IPs       Port
   ssh_pool      Round Robin           172.16.20.1    22
                                       172.16.20.2    22
                                       172.16.20.3    22

   (tmos.ltm)# create pool ssh_pool load-balancing-mode round-robin members add { 172.16.20.1:22 172.16.20.2:22 172.16.20.3:22 }

5. Verify that the pool was successfully created by viewing its configuration. You should see three members:
   (tmos.ltm)# list pool ssh_pool


Save the running configuration to the stored configuration 6. Save the current running configuration to the stored configuration by running: (tmos.ltm)# save /sys config

Note the “/” is required in front of the “sys” as you are currently in the “ltm” module and the “save config” command is part of the “sys” module. Notice also that your prompt still reads: (tmos.ltm)# indicating you are in the LTM module within the TM shell.

View pools in the running configuration 7. View all pools in the running configuration by running: list pool 8. Are all of the pools displayed, including ssh_pool?

View the stored configuration in bigip.conf

9. Exit TMSH by running: quit
10. View the stored configuration in bigip.conf by running: more /config/bigip.conf
11. Use the space bar to page down or the <Enter> key to scroll down through the display.
12. Is pool ssh_pool in the stored configuration? Why or why not?
13. End the "more" display by typing: q

Create a virtual server using TMSH

14. Create the virtual server defined in the table below, using the TMSH command shown immediately below the table as the basis. (Hint: Navigate to the correct shell and module first before running the command exactly as shown, or add the appropriate syntax to the command to run it from wherever you are currently located.)

   Object Name   IP Address     Port   Profile   Resource
   ssh_vs        10.10.X.100    22     tcp       ssh_pool

   (tmos.ltm)# create virtual ssh_vs destination 10.10.X.100:22 profiles add { tcp } pool ssh_pool

15. List the virtual server's properties:
    list virtual ssh_vs all-properties
16. Navigate to the bash shell (if not already there) and view the stored configuration again:
    more /config/bigip.conf
17. Is ssh_vs listed? Why or why not?

Test your configuration changes and view statistics 18. Open a new SSH session to virtual server ssh_vs (at the appropriate IP address:port). Were you able to connect? Log in with userid student and password student. 19. Which pool member did you load balance to? Hint: Check node statistics by running the command: tmsh show /ltm node 172.16.20.*

20. The asterisk is a wildcard that matches any value in the last octet. You can reset each node's statistics by running the command:
    tmsh reset-stats /ltm node 172.16.20.*

21. In your SSH window, view pool and virtual server statistics by entering the following commands at the Linux bash prompt (config #):
    tmsh show /ltm pool ssh_pool | more
    tmsh show /ltm virtual ssh_vs | more

View connection table entries 22. View the connection table and filter to show only connections to your ssh_vs virtual server. tmsh show /sys connection cs-server-addr 10.10.X.100 cs-server-port 22

23. Do you have an open (current) connection to one of the pool members? Which one? 24. Open a second SSH session to ssh_vs, and view the connection table entries again.

View configuration files 25. Close the SSH session windows to ssh_vs. Back on the SSH session to BIG-IP, save the running configuration to the stored configuration. 26. View the stored BIG-IP configuration bigip.conf again to verify that ssh_vs is now part of the stored configuration. 27. You’ve looked at bigip.conf. Now go look at /config/bigip_base.conf. What types of configuration objects are stored there?
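Steps 6 to 27 turn on the difference between the running configuration and the stored configuration in /config/bigip.conf: an object you create in TMSH exists only in memory until you run save /sys config. The following added example (not code from this lab guide or from F5) parses the brace-delimited text format that bigip.conf and tmsh list share and reports which objects in the running configuration are not yet in the stored file, which is exactly the question asked in steps 12 and 17. Both configuration texts are constructed samples; they use 10.10.1.100 in place of 10.10.X.100, and the parser drops the /Common/ partition prefix that the real stored file carries so that the two forms compare equal.

```python
"""Parse bigip.conf-style text and diff the running vs stored configuration."""

# Constructed sample of /config/bigip.conf as it might look after
# 'save /sys config' in step 6: ssh_pool is stored, ssh_vs does not exist yet.
# Real files carry the /Common/ partition prefix shown here.
STORED_CONF = """\
ltm pool /Common/ssh_pool {
    load-balancing-mode round-robin
    members {
        /Common/172.16.20.1:22 {
            address 172.16.20.1
        }
        /Common/172.16.20.2:22 {
            address 172.16.20.2
        }
        /Common/172.16.20.3:22 {
            address 172.16.20.3
        }
    }
}
"""

# Constructed sample of the running configuration ('tmsh list /ltm' output)
# after ssh_vs was created in step 14 but before the next save.
RUNNING_CONF = STORED_CONF.replace("/Common/", "") + """\
ltm virtual ssh_vs {
    destination 10.10.1.100:22
    ip-protocol tcp
    pool ssh_pool
    profiles {
        tcp { }
    }
}
"""


def parse_conf(text):
    """Parse brace-delimited configuration text into nested dicts.

    'key {' opens a block, 'key value' stores a string, a bare 'key' stores
    True and 'key { }' stores an empty block. The /Common/ prefix of the
    default partition is dropped so stored and running text compare equal.
    Unbalanced braces raise ValueError.
    """
    lines = [ln.replace("/Common/", "").strip() for ln in text.splitlines()]
    tree, _ = _parse_block(lines, 0, 0)
    return tree


def _parse_block(lines, pos, depth):
    node = {}
    while pos < len(lines):
        line = lines[pos]
        pos += 1
        if not line:
            continue
        if line == "}":
            if depth == 0:
                raise ValueError("unexpected '}' at line %d" % pos)
            return node, pos
        if line.endswith("{ }"):
            node[line[:-3].strip()] = {}
        elif line.endswith("{"):
            child, pos = _parse_block(lines, pos, depth + 1)
            node[line[:-1].strip()] = child
        else:
            key, _, value = line.partition(" ")
            node[key] = value if value else True
    if depth:
        raise ValueError("missing '}' at end of input")
    return node, pos


def object_names(tree, kind):
    """Names of top-level objects of one kind, e.g. kind='ltm virtual'."""
    prefix = kind + " "
    return sorted(key[len(prefix):] for key in tree if key.startswith(prefix))


def pool_members(tree, pool):
    """Member address:port entries of a pool (step 5 of the lab)."""
    return sorted(tree["ltm pool " + pool].get("members", {}))


def unsaved_changes(running_text, stored_text):
    """Objects that are new or different in the running configuration, i.e.
    what 'save /sys config' would write and a reboot without saving would lose."""
    running = parse_conf(running_text)
    stored = parse_conf(stored_text)
    return sorted(key for key, body in running.items() if stored.get(key) != body)


if __name__ == "__main__":
    tree = parse_conf(RUNNING_CONF)
    print("pools:", object_names(tree, "ltm pool"))
    print("virtuals:", object_names(tree, "ltm virtual"))
    print("ssh_pool members:", pool_members(tree, "ssh_pool"))
    print("not yet saved:", unsaved_changes(RUNNING_CONF, STORED_CONF))
```

The same parser can be pointed at a UCS-extracted bigip.conf or an SCF file to audit a unit offline, for example to list every virtual server and check which of them carry a pool, a profile or a SNAT setting, without logging in to the device.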

Create UCS and SCF backups of your configuration using TMSH 28. Create a UCS archive of your current configuration by running the following: (tmos)# save /sys ucs trainX_mod2.ucs

29. What directory did the BIG-IP system save the UCS archive in by default? 30. Create an unencrypted SCF archive of your current configuration by running the following: (tmos)# save /sys config file trainX_mod2.scf no-passphrase

31. What directory did the BIG-IP system save the SCF file in by default? 32. View your current local traffic objects: (tmos)# list /ltm pool (tmos)# list /ltm virtual (tmos)# list /ltm node

Note that you can see all the virtual servers, pools, pool members, and nodes you’ve created so far in class.

View TMSH command history 33. View your TMSH command history so far: (tmos)# show /cli history or (tmos)#! 34. Note the number associated with the list /ltm pool command you executed earlier and re-execute it. For example: (tmos)#!35 where “35” is the number associated with the command.


Restore from a previous UCS archive using TMSH 35. Restore the UCS archive from the very first lab in this course by running: (tmos)# load /sys ucs trainX_base.ucs

36. All of the local traffic objects created after Lab 1 should now be gone (virtual servers, pools, etc.). Look at the stored configuration in bigip.conf, and then the running configuration via the Configuration utility (GUI) or the same TMSH commands you ran earlier (for example, tmsh list /ltm pool). 37. Restore the configuration as it existed before the UCS restore, and view local traffic objects again. Everything should be back to normal. (tmos)# load /sys ucs trainX_mod2.ucs

View SCF contents 38. View the single configuration file (SCF) you created earlier with cat, tail, more, less, and other Linux bash tools. For example: cat /var/local/scf/trainX_mod2.scf |less

View the automatic rotating BIG-IP system archives

39. Change to the default UCS archive directory and list its contents:
    cd /var/local/ucs
    ls -l

40. Notice that there are additional UCS archives in this directory, above and beyond those that you have explicitly created to date. You should see trainX_base.ucs (which you created in the first lab) and trainX_mod2.ucs (which you created just a few moments ago). Notice also that there are several UCS files called cs_backup.ucs, cs_backup.ucs.1, etc. When you issued the load /sys ucs command in an earlier step to restore the configuration from trainX_base.ucs, the BIG-IP system first archived the existing running configuration as one of the cs_backup.ucs archives you see in the /var/local/ucs directory. The date and time on the actual cs_backup archive will be slightly after you created the trainX_mod2.ucs file in step 28, just before you did the restore. 41. View the rotating archive configuration file: more cs_backup_rotate.conf


Chapter 3 - Using NATs and SNATs

Lab 3.1 – Use NAT on the BIG-IP System Lab Objectives Demonstrate the functionality of a NAT on the BIG-IP system

Lab Requirements BIG-IP base setup configuration

Using NAT to Directly Access an Internal Node

Configure the NAT

1. Add a NAT to connect the external-facing IP address 10.10.X.102 directly to the internal node at address 172.16.20.2.
   Configuration utility: Local Traffic » Address Translation » NAT List, then click the Create button
   General Properties section
     Name: nat_10_to_172
     NAT Address: 10.10.X.102
     Origin Address: 172.16.20.2
   When complete, click Finished

2. View the local traffic statistics for nat_10_to_172.
   Configuration utility: Statistics » Module Statistics » Local Traffic
   Display Options section
     Statistics Type: NATs

3. There should be no statistics yet for nat_10_to_172, as you have not initiated any traffic to the NAT address or from the Origin Address yet. (All the values for Bits, Packets, and Connections should be 0.)


Test the NAT with port 80 (HTTP) traffic 4. Open a new browser window to http://10.10.X.102. Refresh the screen a couple of times to ensure you are bypassing any cached content, and note the server you are connecting to. 5. Back on the BIG-IP browser window where you are viewing NAT local traffic statistics, click the Refresh button to refresh the information on the screen. Note the bits, packets, and connections values for nat_10_to_172.

Test the NAT with port 443 (HTTPS) traffic 6. Open a browser window to https://10.10.X.102. What server are you connected to? 7. Back on the BIG-IP system, refresh the NAT local traffic statistics by clicking the Refresh button once. Did the statistics change? Why or why not?

Test the NAT with port 22 (SSH) traffic 8. Open a PuTTY session to 10.10.X.102. Log in with username student and password student. 9. Back on the BIG-IP system, refresh the NAT local traffic statistics by clicking the Refresh button. Did the statistics change? Why or why not? Do you show any current connections?

Expected Results and Troubleshooting

You should be able to connect to multiple services (for example, HTTP, HTTPS, and SSH) through the one NAT, and you should always connect to 172.16.20.2. Unlike a virtual server, a NAT listens on all ports, so statistics increase every time there is traffic through the NAT, no matter what port is requested. This is also why a NAT exposes every service listening on the origin node, not only the ones you intended to publish. While nat_10_to_172 would also allow outbound connections from 172.16.20.2, our classroom environment is not set up to test this. If you are unable to connect as expected, check your NAT definition to make certain the NAT Address and Origin Address are specified correctly.

Clean-up 10. Close your PuTTY session to 10.10.X.102. 11. Delete nat_10_to_172 and confirm that you are no longer able to directly access 172.16.20.2 through 10.10.X.102.


Lab 3.2 – SNAT Auto Map Lab Objectives Demonstrate the functionality of SNAT Auto Map on a virtual server

Lab Requirements BIG-IP base setup configuration A virtual server at http://10.10.X.100 associated with http_pool A virtual server at https://10.10.X.100 associated with https_pool

Routing Tables on the 172.16.20.X Servers

The routing tables on the back-end application servers (172.16.20.1 through 172.16.20.5) are configured as shown in the following table:

   Destination    Default Gateway
   10.10.1/24     172.16.1.33
   10.10.2/24     172.16.2.33
   10.10.3/24     172.16.3.33
   10.10.4/24     172.16.4.33
   10.10.5/24     172.16.5.33
   10.10.6/24     172.16.6.33
   10.10.7/24     172.16.7.33
   10.10.8/24     172.16.8.33
   10.10.9/24     172.16.9.33
   10.10.10/24    172.16.10.33
   10.10.11/24    172.16.11.33
   10.10.12/24    172.16.12.33
   10.10.13/24    172.16.13.33
   10.10.14/24    172.16.14.33
   10.10.15/24    172.16.15.33
   10.10.16/24    172.16.16.33


Test Traffic Behavior without SNAT Auto Map

1. Open two browser sessions: one to http://10.10.X.100 and the other to https://10.10.X.100.
2. On each of the resulting web pages, note the client IP address, as passed from the BIG-IP system to the internal application server. You can use the table that follows Figure 14.

Figure 14: Note the client IP address as translated and passed to the node

   HTTP(S) to            HTML served from    Client IP address
   http://10.10.X.100
   https://10.10.X.100

3. Have another student attempt to open a browser session to your virtual servers (http://10.10.X.100 and https://10.10.X.100), and you to theirs. Both attempts should fail due to the route settings on the back end application servers. (The route table routes back their response through their BIG-IP even though they initially connected through your BIG-IP.)


Configure SNAT Auto Map

Add SNAT Auto Map to http_vs

4. Use TMSH or the Configuration utility to add Auto Map to http_vs.
   a. Using TMSH:
      tmsh modify /ltm virtual http_vs source-address-translation { type automap }
   b. Using the Configuration utility:
      Configuration utility: Local Traffic » Virtual Servers : Virtual Server List, then click http_vs
      Configuration section
        Source Address Translation: select Auto Map
      When complete, click Update

Test Traffic Behavior with SNAT Auto Map 5. Refresh (Ctrl+F5) the browser window where you are connected to http://10.10.X.100 and view your client IP address there. It should have changed from 10.10.X.30 to 172.16.X.33, which is the floating self IP address of VLAN internal, the egress VLAN for traffic flowing from the BIG-IP system to the pool members. 6. Have another student try to access both your virtual servers (http://10.10.X.100 and https://10.10.X.100), and you to theirs.

Expected results and troubleshooting After setting SNAT Auto Map on http_vs, you should both have success accessing http://10.10.X.100 but not https://10.10.X.100. The SNAT on http_vs will always cause the back end servers to send their response back to the BIG-IP system that processed the original client request—no matter where that client request originated. This ensures the address translation performed by the virtual server on the inbound connection can be “undone,” and the response sent correctly back to the client.
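The failure in step 3 and the fix in step 6 are a routing problem, not a BIG-IP problem: the server picks the return path from the source address it sees. The following added example (not code from this lab guide or from F5) models the back-end servers' routing table from this lab and follows a reply for a request that entered through a given BIG-IP system, with and without SNAT Auto Map. It assumes the lab addressing (BIG-IP X owns 10.10.X/24 on the outside and floating self IP 172.16.X.33 on VLAN internal) and that the servers' own VLAN is 172.16.0.0/16 so that every gateway in the table is on-link; neither assumption is stated on the page.

```python
"""Why cross-student requests fail without SNAT Auto Map: an asymmetric
routing model of the lab network."""
import ipaddress

# Back-end server routing table from the lab: 10.10.X/24 -> 172.16.X.33.
SERVER_ROUTES = {
    ipaddress.ip_network("10.10.%d.0/24" % x): ipaddress.ip_address("172.16.%d.33" % x)
    for x in range(1, 17)
}
# Assumption: the servers' VLAN is 172.16.0.0/16, so every gateway
# 172.16.X.33 (each BIG-IP's floating self IP on VLAN internal) is on-link.
SERVER_VLAN = ipaddress.ip_network("172.16.0.0/16")


def next_hop(dst):
    """Longest-prefix match on the server's table. Returns 'direct' for an
    on-link destination, the gateway address for a routed one, or None."""
    dst = ipaddress.ip_address(dst)
    if dst in SERVER_VLAN:
        return "direct"
    matches = [net for net in SERVER_ROUTES if dst in net]
    if not matches:
        return None
    return SERVER_ROUTES[max(matches, key=lambda net: net.prefixlen)]


def bigip_number(self_ip):
    """Map a floating self IP 172.16.X.33 back to BIG-IP X (lab addressing)."""
    return int(str(self_ip).split(".")[2])


def reply_path(client_ip, entry_bigip, snat_automap):
    """Follow the server's reply for a request from client_ip that arrived
    through BIG-IP entry_bigip. Returns (BIG-IP that receives the reply, ok).

    Without SNAT the server sees the real client address and routes the
    reply by it; with Auto Map it sees the entry BIG-IP's floating self IP
    172.16.X.33. The reply is only useful if it reaches the BIG-IP that holds
    the connection-table entry, i.e. the one the request entered through.
    """
    source_seen = ("172.16.%d.33" % entry_bigip) if snat_automap else client_ip
    hop = next_hop(source_seen)
    if hop is None:
        return None, False          # the server has no route back at all
    reply_bigip = entry_bigip if hop == "direct" else bigip_number(hop)
    return reply_bigip, reply_bigip == entry_bigip


if __name__ == "__main__":
    # Student 2's workstation (10.10.2.30) reaching its own BIG-IP and then
    # student 1's virtual server, as in steps 3 and 6.
    for client, entry, snat in [("10.10.2.30", 2, False), ("10.10.2.30", 1, False),
                                ("10.10.2.30", 1, True), ("192.168.5.7", 1, False)]:
        print(client, "via BIG-IP", entry, "automap" if snat else "no SNAT",
              "->", reply_path(client, entry, snat))
```

The model also explains why https_vs keeps failing for the other student after step 4: source address translation is a per-virtual-server setting, so https_vs still hands the servers the real client address and their reply goes to the wrong BIG-IP, which has no connection-table entry for it and drops it.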


Chapter 4 - Monitoring Application Health

Lab 4.1 - Monitor Application Health Lab Objectives Assign health monitors to nodes and pool members Create a custom monitor

Lab Requirements BIG-IP base setup configuration http_pool with three members at 172.16.20.1, 172.16.20.2, and 172.16.20.3 (all port 80)

Configure Monitors for Nodes

Check current nodes' status

1. Examine the current status indicators for all nodes and answer the questions in the space provided.
   Configuration utility: Local Traffic » Nodes : Node List
   Node List section
     What are the nodes' statuses?
     Will the BIG-IP system load balance traffic to nodes with this status?
   When complete, click the Default Monitor tab in the menu bar


Assign a default monitor to all nodes

2. Add icmp as the default monitor for all nodes (continues from the previous step).
   Configuration section
     Health Monitors: move icmp from the Available column to the Active column.
   When complete, click Update, then click the Node List tab in the menu bar.

Click the Node List tab to refresh the screen and update the nodes' status.

3. Recheck node status indicators. What are the nodes’ statuses? Was the change immediate? 4. Roll over the status icon for one of the nodes to display additional status information. At this point, each node is being tested with the default icmp “ping” monitor. Remember this monitor only checks the status of the parent node, not the various child pool members that you now have configured at ports 80, 443 and 22.

Configure Monitors for Pool Members Check current pool members’ status 5. Examine the current status indicators for the pool members in http_pool Configuration utility Local Traffic » Pools : Pool List : http_pool » Members Node List section What are the pool members’ statuses? Will BIG-IP load balance traffic to pool members with this status?


Assign a custom monitor to a pool

6. Create a new HTTP monitor called admin_http_monitor, but with no customizations yet.
   Configuration utility: Local Traffic » Monitors » Create
   General Properties section
     Name: admin_http_monitor
     Type: HTTP
   When complete, click Finished

7. Add admin_http_monitor as the default monitor for all pool members in http_pool.
   Configuration utility: Local Traffic » Pools : Pool List, then select http_pool
   Configuration section
     Health Monitors: move admin_http_monitor from the Available column to the Active column.
   When complete, click Update, then click the Members tab in the menu bar

8. Recheck the pool member status indicators. (Each time you click the Members tab, the status is updated.) What are the pool members' statuses? Was the change immediate?
9. Check monitor statistics by running the following TMSH command:
   tmsh show /ltm monitor http admin_http_monitor

Q. What are the results? Do you see any error?

Customize the monitor and check status again

10. Customize admin_http_monitor by adding a specific Send String and a Receive String that is only partially relevant to our application. (This string appears only on the index.php page served from 172.16.20.2:80.)
    Configuration utility: Local Traffic » Monitors » admin_http_monitor
    Configuration section
      Send String: GET /index.php\r\n
      Receive String: Server 2
    When complete, click Update


11. Check the status of the members in pool http_pool repeatedly over the course of about 20 seconds. (Each time you click the Members tab, the status will be updated.) What are they now? Why? Was the change immediate? Why or why not? Roll over the status icon for one of the pool members that has been marked down to display additional information. What does it say? 12. What is the status of pool http_pool? Is this what you expected? Why or why not? 13. What is the status of virtual server http_vs? Is this what you expected? Why or why not? 14. View monitor statistics again. What are the results?

Modify the custom monitor 15. Change the Receive String in admin_http_monitor to Server [1-3] so that the monitor test will be successful regardless of which pool member is checked.

The string “[1-3]” in the Receive String is a regular expression that implies “match any single character in the range 1 to 3”

16. What are the pool members’ statuses now? Why? Was the change immediate?

Expected Results and Troubleshooting When the Receive String was set to Server 2, only pool member 172.16.20.2:80 returned a value that matched. The other two pool members, 172.16.20.1:80 and 172.16.20.3:80 returned Server 1 and Server 3 respectively, and were therefore marked by the monitor as unavailable (red diamond) to process traffic after the timeout value expired. Monitor statistics should return errors indicating that no successful responses were received by the 172.16.20.1:80 or 172.16.20.3:80 pool members. When you changed the Receive String to Server [1-3], each pool member in pool http_pool was now checked for content matching the character string “Server” followed by a space, followed by either a “1” or “2” or “3”. All pool members returned content that matched the expression, so the monitor marked their status as available (green circle) to process traffic immediately upon receiving a successful test response. The changes in pool member status may or may not appear immediately. It depends on the monitor’s Interval and Timeout settings, and the time it takes for a monitor test to complete successfully. If you look at these settings for admin_http_monitor monitor, they are 5 second interval and 16 seconds timeout. If a monitor test is successful, the monitored resource is marked as available (green circle) immediately. If a monitor test fails or there is no response within the specified interval, another test is issued. If there is no response or all responses are failures within the specified timeout, the monitored resource is marked as unavailable (red diamond). Monitoring tests continue at each specified interval. If and when a successful test response is received, the monitored resource will be marked as available again.
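The interval/timeout rule above is easy to misread, so the following added example (not code from this lab guide or from F5) simulates admin_http_monitor against http_pool: the Receive String is applied as a regular expression to each member's response, a matching probe marks the member up at once, and a member is marked down only after the 16-second timeout passes with no match. The responses from the three servers are constructed to differ only in the server number, as the lab describes; the exact internal timing of the BIG-IP monitor daemon is assumed to follow this rule rather than reproduced.

```python
"""Simulate admin_http_monitor: regex Receive String plus the interval and
timeout rule that decides when a pool member is marked up or down."""
import re

INTERVAL = 5   # seconds between probes (admin_http_monitor default)
TIMEOUT = 16   # seconds without a success before marking down

# Constructed responses: what each member of http_pool returns for
# 'GET /index.php'. Only the server number differs, as in the lab.
RESPONSES = {
    "172.16.20.1:80": "<html><body><h1>Server 1</h1><p>index.php</p></body></html>",
    "172.16.20.2:80": "<html><body><h1>Server 2</h1><p>index.php</p></body></html>",
    "172.16.20.3:80": "<html><body><h1>Server 3</h1><p>index.php</p></body></html>",
}


def probe_matches(receive_string, body):
    """One probe: the Receive String is a regular expression searched in the
    response. 'Server 2' matches one member; 'Server [1-3]' matches all."""
    return re.search(receive_string, body) is not None


def simulate(receive_schedule, duration, interval=INTERVAL, timeout=TIMEOUT):
    """Run the monitor second by second and return each member's status
    changes as {member: [(second, status), ...]}.

    receive_schedule: [(start_second, receive_string), ...] starting at 0;
    the latest entry whose start time has passed is in effect, which models
    editing the monitor in step 15. Rule modelled: a matching probe marks the
    member up at once; a member is marked down once `timeout` seconds elapse
    with no matching probe (with 5/16 that is three missed probes plus one
    second). A member starts as 'checking' until its first result.
    """
    last_ok = dict.fromkeys(RESPONSES)
    status = dict.fromkeys(RESPONSES, "checking")
    changes = {member: [] for member in RESPONSES}
    for now in range(duration + 1):
        receive = [s for t, s in receive_schedule if t <= now][-1]
        if now % interval == 0:                     # time for a probe
            for member, body in RESPONSES.items():
                if probe_matches(receive, body):
                    last_ok[member] = now
        for member in RESPONSES:
            since_ok = now - (last_ok[member] if last_ok[member] is not None else 0)
            if last_ok[member] == now:
                new = "up"
            elif since_ok >= timeout:
                new = "down"
            else:
                new = status[member]
            if new != status[member]:
                status[member] = new
                changes[member].append((now, new))
    return changes


def status_at(changes, second):
    """Each member's status at a given second (for steps 11 to 13)."""
    result = {}
    for member, events in changes.items():
        current = "checking"
        for t, s in events:
            if t <= second:
                current = s
        result[member] = current
    return result


def pool_available(member_status):
    """A pool (and a virtual server using it) stays available while at
    least one member is up."""
    return any(s == "up" for s in member_status.values())


if __name__ == "__main__":
    # Receive String 'Server 2' from the start; changed to 'Server [1-3]'
    # at second 20, as in step 15.
    timeline = simulate([(0, "Server 2"), (20, r"Server [1-3]")], 30)
    for member, events in timeline.items():
        print(member, events)
    print("pool available at 18s:", pool_available(status_at(timeline, 18)))
```

Two practical points follow from the rule: a member only goes down after the full timeout (so the change in step 11 is not immediate), and a single matching probe brings it back up at the next interval (so the change in step 16 looks immediate). Because the Receive String is a regular expression, an over-broad pattern such as Server will match any of the three pages and never detect a wrong or failed page; match on something the application only emits when it is actually working.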


Chapter 5 - Modifying Traffic Behavior with Profiles


Lab 5.1 – Configure an FTP Virtual Server Lab Objectives Configure an FTP pool and virtual server Test and troubleshoot access

Lab Requirements BIG-IP base setup configuration

Create a pool and virtual server

1. Use either the Configuration utility or TMSH to create a new pool, as defined in the table below.

   Object Name   Node IPs       Port
   ftp_pool      172.16.20.1    21

2. Create the virtual server defined in the table below.

   Object Name   IP Address     Port   Resource
   ftp_vs        10.10.X.100    21     ftp_pool

Test and troubleshoot access 3. Access and clear statistics information on Statistics » Module Statistics » Traffic Summary: General

4. Open a new FTP session to virtual server ftp_vs, using the login credentials student/student. Were you able to connect? Why or why not?
5. List the names of the files in ftp_vs by using the following command:
   ls -l
   What are the results? Why?
6. Use TMSH or the Configuration utility to check for packet discards as the result of the FTP data connection failing.
   a. Using TMSH:
      tmsh show /sys tmm-traffic
   b. Using the Configuration utility: Statistics » Module Statistics » Traffic Summary » General, then scroll down to the Packet Discards section.
7. Assign the F5-supplied profile called ftp to ftp_vs. Are you able to connect and list the files now?



Expected results
Since ftp_vs has been configured to listen for traffic on port 21, the initial control connection will be successful. FTP then negotiates a separate data connection on the control channel; in active mode the server opens that connection from the pool member back to the client, and the BIG-IP system drops it (it shows up under Packet Discards) unless we configure it to anticipate this request by applying an FTP profile to ftp_vs. Therefore, the first attempt to list the names of the files will fail. After assigning an FTP profile to ftp_vs, the data connection will be successfully established and you will be able to list the names of the files on the server behind 10.10.X.100.
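Added example, not from the course and not F5 code: a small Python parser for the two control-channel messages that negotiate the FTP data connection, plus a check of why a port-21-only virtual server cannot carry that connection in either direction. The addresses 10.10.1.100 (the virtual server with X = 1) and 10.10.1.30 (the client PC) are assumptions. rewrite_pasv_reply models the address translation an FTP-aware device such as the ftp profile has to perform for passive mode; it illustrates the idea, not F5's implementation.

```python
import re
from typing import Dict, Tuple

# Assumed lab addresses: X = 1, so the virtual server is 10.10.1.100 and the
# client PC is 10.10.1.30; the pool member is the lab's 172.16.20.1.
VIRTUAL_IP = "10.10.1.100"
MEMBER_IP = "172.16.20.1"

_HOST_PORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


def _decode(groups) -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line: str) -> Tuple[str, int]:
    """Active mode: the client sends 'PORT h1,h2,h3,h4,p1,p2' and the server
    opens the data connection *to* that client address and port."""
    m = re.fullmatch(r"PORT\s+" + _HOST_PORT, line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Passive mode: the server answers '227 Entering Passive Mode (h1,...,p2)'
    and the client opens the data connection *to* that server address and port."""
    m = re.search(r"^227\b.*?\(" + _HOST_PORT + r"\)", line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _decode(m.groups())


def rewrite_pasv_reply(line: str, new_ip: str) -> str:
    """Model of what an FTP-aware device must do for passive mode: replace the
    pool member's real address in the 227 reply with the virtual server address
    so the client connects to an address BIG-IP actually listens on."""
    _, port = parse_pasv_reply(line)
    host = new_ip.replace(".", ",")
    return re.sub(r"\(" + _HOST_PORT + r"\)",
                  f"({host},{port // 256},{port % 256})", line, count=1)


def data_connection_check(control_line: str, virtual_ip: str = VIRTUAL_IP) -> Dict[str, object]:
    """Classify the data connection negotiated on the control channel and say
    whether a port-21-only virtual server (no ftp profile) can carry it."""
    if control_line.strip().upper().startswith("PORT"):
        ip, port = parse_port_command(control_line)
        return {"mode": "active", "initiator": "server", "endpoint": (ip, port),
                "carried_by_plain_vs": False,
                "reason": "the pool member opens a new connection to the client; "
                          "no BIG-IP listener matches it, so it is discarded"}
    ip, port = parse_pasv_reply(control_line)
    reachable = ip == virtual_ip
    return {"mode": "passive", "initiator": "client", "endpoint": (ip, port),
            "carried_by_plain_vs": reachable,
            "reason": "client connects to the advertised virtual server address" if reachable else
                      "the 227 reply advertises the member's own address, which the "
                      "client cannot reach through the virtual server"}


if __name__ == "__main__":
    print(data_connection_check("PORT 10,10,1,30,4,1"))
    reply = "227 Entering Passive Mode (172,16,20,1,195,149)."
    print(data_connection_check(reply))
    print(data_connection_check(rewrite_pasv_reply(reply, VIRTUAL_IP)))
```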


Chapter 6 - Modifying Traffic Behavior with Persistence

Lab 6.1 - Source Address Affinity Persistence

Lab Objectives
Configure a source address affinity persistence profile, assign it to a virtual server, verify functionality, and observe changes in traffic behavior.

Lab Requirements
BIG-IP base setup configuration
A virtual server at http://10.10.X.100 associated with http_pool

Configure Source Address Affinity

Confirm traffic behavior before persistence

1. Ensure that the load balancing method for http_pool is Round Robin. Although this step is not required to enable persistence, it ensures that any recurring direction of a connection to one pool member is due to persistence and not to a load balancing choice.
2. Access and reset the statistics for pool http_pool.
3. Open a new browser session and connect to http://10.10.X.100.
4. Refresh the screen 5-10 times by pressing Ctrl+F5.
5. View pool statistics.

Q. What are the results? Do they effectively show round robin?

Expected results and troubleshooting You should see BIG-IP load balance each refresh request across all pool members, with each pool member receiving approximately the same amount of traffic. If you do not see these results, make sure you reset the statistics properly and walk through the steps again.


Create a source address affinity persistence profile

6. Create a source address affinity persistence profile called admin_src_persist.

   Configuration utility: Local Traffic » Profiles » Persistence, then click Create
   General Properties section
     Name: admin_src_persist
     Persistence Type: Source Address Affinity
     Parent Profile: source_addr
   Configuration section
     Timeout: check the Custom box, then specify 30 seconds
   When complete, click Finished

7. Assign admin_src_persist to http_vs.

   Configuration utility: Local Traffic » Virtual Servers : Virtual Server List : http_vs » Resources
   Load Balancing section
     Default Persistence Profile: admin_src_persist
   When complete, click Update

Confirm traffic behavior after persistence

8. Access and reset the statistics for http_pool.
9. On your browser session to http://10.10.X.100, refresh the screen 5-10 times using Ctrl+F5. What pool member did you load balance to? Are you persisting?
10. View pool statistics for http_pool.

Q. What are the results? Which pool member are you persisting to?


Note: To enable the persistence records display in the Configuration utility, execute the following TMSH command:
tmsh modify sys db ui.statistics.modulestatistics.localtraffic.persistencerecords value true

11. Use either the Configuration utility or TMSH to view persistence records statistics. Instructions for both methods are shown below: (a) for TMSH; (b) for the Configuration utility.
   a. View persistence records statistics in TMSH by running the following command:
      tmsh show /ltm persistence persist-records all-properties
   b. View persistence records statistics using the Configuration utility at Statistics » Module Statistics: Local Traffic, and select Persistence Records from the Statistics Type pulldown.
12. If no Persistence Records are displayed, switch back to your browser window where you are connected to http://10.10.X.100 and refresh the screen several times. Check for Persistence Records statistics again.

Q. What is the Persistence Value?
Q. Does the Persistence Value represent a single IP address or a range of IP addresses?
Q. Based on the Persistence Value, will this Persistence Record apply to a client connection with a different IP address?

13. Wait until the Persistence Record expires, and then refresh the screen at http://10.10.X.100 again. At this point, you should be load balanced to another pool member. Confirm by looking at pool member statistics and persistence records.

Expected results and troubleshooting
While the persistence entry for your client IP address is active, every refresh is directed to the same pool member. Since the persistence profile is configured with a timeout of 30 seconds, your persistence entry may have timed out before you were able to navigate to the persistence statistics in the Configuration utility; refresh http://10.10.X.100 again and re-check. Persistence profile admin_src_persist currently has a Prefix Length (mask) of None, which is equivalent to a /32 mask: each unique client IP address is load balanced to a pool member on its first connection and then gets its own persistence record.


Expand Source IP Range Using the Prefix Length Custom Setting In this next series of steps, you will specify an IPv4 prefix length value in the source address affinity persistence profile admin_src_persist, expanding the range of client IP addresses that will persist to the same pool member. To test the new behavior, you will enlist the help of another student in the class.

In this next series of steps, it helps if you have two browser windows/tabs open: one to your BIG-IP system at Statistics » Module Statistics » Local Traffic, and viewing Persistence Records; and the other to http://10.10.X.100. You will be switching back and forth between these two windows frequently as you go along.

14. Have a student at another workstation access your virtual server at http://10.10.X.100. What pool member are they persisting to?
15. On your browser session to http://10.10.X.100, refresh your screen several times. What pool member are you persisting to?
16. Use either the Configuration utility or TMSH to view persistence records statistics.

Q. How many Persistence Records are there now?
Q. What client IP address does each apply to?
Q. Based on your answers above, what Prefix Length (mask) value applies to profile admin_src_persist?


Expand the range of IP addresses admin_src_persist applies to

17. Modify the mask on admin_src_persist to specify a range of IP addresses using an IPv4 prefix length value of 16.

   Configuration utility: Local Traffic » Profiles » Persistence, then click admin_src_persist
   Configuration section
     Prefix Length: check the Custom box, select Specify from the pull-down menu, select IPv4 from the pull-down menu next to Specify, and enter 16 in the space to the right
   When complete, click Update

18. Use either the Configuration utility or TMSH to view persistence records statistics.
19. Have a student at another workstation access your virtual server at http://10.10.X.100. What pool member are they persisting to?
20. On your browser session to http://10.10.X.100, refresh your screen several times. What pool member are you persisting to?
21. View persistence records statistics again.

Q. How many Persistence Records are there now, and for what range of IP addresses?

22. Wait until all Persistence Records have expired again, and then refresh your browser session to http://10.10.X.100. Have the other student do the same. Did you both persist to the same pool member again? Examine the Persistence Records statistics again to confirm the results.

Expected results and troubleshooting
When you changed the prefix length on admin_src_persist from the default of None (equivalent to /32) to 16, persistence was expanded to apply to all client connections with IP addresses in the 10.10.0.0/16 network. Instead of two persistence records, each with a unique IP address as the Persistence Value, you should have seen only one Persistence Record, with a Persistence Value of 10.10.0.0. When the other student connected from a client with an IP address in that network, their connection persisted to the same pool member as your connection, and vice versa.
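Added Python model (not course material, not F5 code) of the source address affinity profile in front of a round-robin pool, covering both halves of the lab: the default Prefix Length of None (modelled as /32), the /16 change, the 30-second timeout, and the persistence records you would see. The pool members are the lab's; the two client addresses 10.10.1.30 and 10.10.2.30 are assumed student PCs on the classroom network, and the rule that each matching connection refreshes a record's expiry is a modelling assumption.

```python
import ipaddress
from typing import Dict, List, Tuple

# The lab's pool members; the client addresses used below are assumed student
# PCs (10.10.X.30 with X = 1 and X = 2) on the 10.10.0.0/16 classroom network.
POOL = ["172.16.20.1:80", "172.16.20.2:80", "172.16.20.3:80"]


class SourceAddressPersistence:
    """Model of a source_addr persistence profile in front of a round-robin pool.

    prefix_len 32 stands for the profile's default Prefix Length of None (one
    record per client address); 16 is the value set later in the lab."""

    def __init__(self, members: List[str], prefix_len: int = 32, timeout: int = 30):
        self.members = list(members)
        self.prefix_len = prefix_len
        self.timeout = timeout
        self.records: Dict[str, Tuple[str, int]] = {}  # persistence value -> (member, expiry)
        self._rr = 0

    def persistence_value(self, client_ip: str) -> str:
        """The key stored in the persistence record: the client address masked
        to the profile's prefix length (10.10.2.30 -> 10.10.0.0 at /16)."""
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return str(net.network_address)

    def select(self, client_ip: str, now: int) -> str:
        """Pick the member for a new connection at time `now` (seconds).
        An unexpired record wins; otherwise load balance round-robin and create
        a record.  Each hit refreshes the record's expiry (modelling assumption),
        so the 30-second timeout counts from the last matching connection."""
        key = self.persistence_value(client_ip)
        rec = self.records.get(key)
        if rec is not None and rec[1] > now:
            member = rec[0]
        else:
            member = self.members[self._rr % len(self.members)]
            self._rr += 1
        self.records[key] = (member, now + self.timeout)
        return member

    def active_records(self, now: int) -> Dict[str, str]:
        """What Statistics » Persistence Records would show at time `now`."""
        return {k: m for k, (m, exp) in self.records.items() if exp > now}


if __name__ == "__main__":
    for prefix in (32, 16):
        p = SourceAddressPersistence(POOL, prefix_len=prefix)
        mine = {p.select("10.10.1.30", t) for t in range(5)}   # my refreshes
        theirs = p.select("10.10.2.30", 5)                       # the other student
        print(prefix, mine, theirs, p.active_records(5))
```

Note the trade-off a /16 introduces: every client behind the same /16 (or the same NAT address at /32) lands on one member, so persistence granularity also decides how evenly load is spread.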

Continue with Lab 6.2: Cookie Persistence


Lab 6.2 - Cookie Persistence

Lab Objectives
Configure a cookie persistence profile, assign it to a virtual server, verify functionality and observe changes in traffic behavior.

Lab Requirements
BIG-IP base setup configuration
A virtual server at http://10.10.X.100 associated with http_pool
System time on the student's workstation and the BIG-IP system must be synchronized.

Configure Cookie Persistence

Ensure that the system time on your workstation (PC) and the time on your BIG-IP system are synchronized before beginning this lab. The easiest way to do this is to change the time on the PC to match the time on your BIG-IP system.

Synchronize system time on the BIG-IP system and the lab workstation

1. Ensure the system time on your lab workstation is synchronized with the time on the BIG-IP system. If there is a discrepancy, correct it. For example, if running Windows on your workstation (PC), you should be able to right-click the clock display and select Adjust Date/Time. Adjust the date/time on the PC to match what is currently displayed on your BIG-IP system.

Confirm traffic behavior before persistence

2. Remove admin_src_persist from http_vs, close any browser sessions to http://10.10.X.100, and wait until any and all persistence records have expired before continuing.
3. Access and reset the statistics for pool http_pool.
4. Open a new browser session and connect to http://10.10.X.100.
5. Refresh the screen 5-10 times by pressing Ctrl+F5.


6. View pool statistics to ensure you are not persisting.

Q. What are the results?

Expected results and troubleshooting
You should see BIG-IP load balance each refresh request across all pool members, with each pool member receiving approximately the same number of connections. No persistence is in effect. If you do not see these results, make sure you changed the load balancing method to Round Robin and reset the statistics properly, and that no persistence records exist (Statistics » Module Statistics » Local Traffic, and select Persistence Records) before retrying the above lab steps.

Create a cookie persistence profile and assign it to a virtual server

7. Create a custom cookie persistence profile called admin_cookie_persist. When you select Cookie as the Persistence Type, the Configuration section will appear. Leave all defaults in the Configuration section for now.

   Configuration utility: Local Traffic » Profiles » Persistence, then click Create
   General Properties section
     Name: admin_cookie_persist
     Persistence Type: Cookie
     Parent Profile: cookie
   When complete, click Finished

8. Assign admin_cookie_persist to http_vs as the default persistence profile. (Hint: If you received an error message after clicking Update, think “profile dependencies”: cookie persistence works on HTTP headers, so the virtual server must have an HTTP profile assigned. Make the necessary corrections to successfully add admin_cookie_persist to http_vs.)


Note: In the next lab steps, we'd like you to view and periodically delete the BIG-IP persistence cookie stored by your browser. The steps to do this vary from browser to browser, and are summarized here. Actual steps may differ depending on the version of browser you are using. In all cases, you're looking for a cookie called BIGipServerhttp_pool that is associated with the “domain name” 10.10.X.100.
Chrome users: Right-click anywhere on the page and select Inspect element from the resulting menu, then click on the Resources tab and expand Cookies. You can view and delete cookies in the Inspect element window.
Safari users: Ensure Show Develop menu in menu bar is checked in Preferences » Advanced. Then follow the same directions as for Chrome.
Firefox users: In the pull-down menus at the top of your browser window, select Tools » Options » Privacy and click on the link for remove individual cookies. You can view and delete cookies in the resulting pop-up window.
IE (v8) users: To view cookies, press F12, then select Cache » View Cookie Information from the pull-down menus at the top of the resulting Developer Tools window. This opens a new browser tab with cookies listed as a scrollable page. To delete cookies, select Clear Session Cookies and Clear Cookies for Domain from the Cache pull-down.

Confirm traffic behavior after persistence

9. Access and reset the statistics for http_pool.
10. Back on http://10.10.X.100, refresh the screen 5-10 times.
11. View the pool statistics.

Q. What are the results? Are you persisting?

12. View persistence records.

Q. What are the results? Why? (With cookie insert persistence, the server choice travels in the cookie on the client, so the BIG-IP system keeps no persistence records for it.)

13. Back on http://10.10.X.100, find the BIG-IP persistence cookie value as your browser is storing it.

Q. What is the name and value of the cookie?


Test cookie persistence effects on other clients 14. Have another student access your http_vs virtual server at http://10.10.X.100. Did they persist? Did they persist to the same pool member that you are persisting to? Why or why not?

If desired, continue with optional Lab 6.3: Enabling Cookie Encryption


Lab 6.3 – Enable Cookie Encryption (Optional)

Lab Objectives
Mask persistence cookie information by enabling cookie encryption

Lab Requirements
BIG-IP base setup configuration
A virtual server at http://10.10.X.100 associated with http_pool
Cookie insert persistence profile admin_cookie_persist

Configure and Test Cookie Encryption

Confirm cookie contents before encryption

1. What is the name and value of the BIG-IP persistence cookie, as seen by your browser?

Add encryption to admin_cookie_persist

2. Customize cookie persistence profile admin_cookie_persist to include a cookie name, enable cookie encryption and provide a passphrase.

   Configuration utility: Local Traffic » Profiles » Persistence » admin_cookie_persist
   Configuration section
     Cookie Name: TestCookie
     Cookie Encryption Use Policy: required
     Encryption Passphrase: testphrase123
   When complete, click Update


Test persistence cookie encryption 3. In your browser session to http://10.10.X.100, delete the persistence cookie called BIGipServerhttp_pool (or delete all browser cookies). Hard refresh the session to http://10.10.X.100 and view the persistence cookie after your profile customizations. What are the cookie’s name and value now?

Clean up 4. Reset admin_cookie_persist to inherit all of its settings from its parent. 5. Verify that your persistence cookie is no longer encrypted, and that it is behaving as it did before the start of this lab.


Lab 6.4 – Implement SSL Offload and SSL Re-Encryption

Lab Objectives
Configure a virtual server that will offload SSL from back-end servers onto the BIG-IP system
Leverage SSL termination on a virtual server to permit cookie persistence
Configure a virtual server for SSL re-encryption and cookie persistence

Lab Requirements
BIG-IP base setup configuration
Existing pools http_pool (pool members at port 80) and https_pool (pool members at port 443)

Generate a Certificate

In a production BIG-IP environment, you would almost certainly import and install a certificate from a trusted Certificate Authority to use in conjunction with your Client SSL profile. In our lab environment, we'll mimic this behavior but create and test with a self-signed certificate instead.

1. Create a new self-signed certificate called TestCertificate.

   Configuration utility: System » File Management » SSL Certificate List, and click Create
   General Properties section
     Name: TestCertificate
   Certificate Properties section
     Issuer: Self
     Common Name: www.testsite.com
     Division: Training
     Organization: F5 Networks
     Locality: Seattle
     State or Province: Washington
     Country: United States
   Key Properties section
     Size: 2048 bits
   When complete, click Finished


Create a Client SSL Profile and New Virtual Server

Create a Client SSL Profile

2. Create a Client SSL profile called admin_clientssl_profile with clientssl as its parent, and customize the settings for Certificate Key Chain.

   Configuration utility: Local Traffic » Profiles » SSL » Client, and click Create
   General Properties section
     Name: admin_clientssl_profile
     Parent Profile: clientssl
   Configuration section
     Certificate Key Chain: Certificate: TestCertificate, Key: TestCertificate, then click the Add button
   When complete, click Finished

Create a new virtual server

3. Create a new virtual server called ssl_vs, with destination and service port 10.10.X.104:443, and assign pool https_pool as its default pool.

Confirm behavior before SSL offload implementation

4. Open a web browser session to https://10.10.X.104 and accept the SSL certificate.
5. Note the pool member address and port you load balanced to.

Implement SSL Offload

Add a Client SSL profile to ssl_vs and test

6. Assign the admin_clientssl_profile profile to virtual server ssl_vs.
7. Back on https://10.10.X.104, refresh the screen. What are the results? Why?


Expected results
Your connection should fail with a Bad Request error. (If a failure does not occur, you may need to empty your cache, restart your browser, or test from a different browser.) As a result of the Client SSL profile assignment to the virtual server, traffic from your client to ssl_vs is now decrypted on the BIG-IP system, and because there is no Server SSL profile it is forwarded in cleartext to a pool member on port 443. The pool member expects a TLS handshake on that port, so it rejects the cleartext HTTP request with a 400 Bad Request.

Change ssl_vs default pool and test

8. Change the default pool for ssl_vs from https_pool to http_pool.
9. Test the results of this change by refreshing (Ctrl+F5) the page at https://10.10.X.104. Confirm that the browser session is still encrypted and secure from the client perspective. Also note that the pool member port in the body of the web page has changed from 443 to 80. This indicates the back-end connection is no longer encrypted, as traffic from BIG-IP to the load balanced server is now successfully being processed on port 80 rather than port 443.

Implement Cookie Persistence

10. Assign admin_cookie_persist to ssl_vs. If you received an error message, make the necessary corrections to successfully associate the cookie profile with the virtual server.
11. Back on https://10.10.X.104, refresh the screen 5-10 times. Are you persisting?

Implement SSL Re-Encryption

Modify behavior on the virtual server even further so that traffic on the server-side connection is re-encrypted. Use the following steps as your guide:

12. Create a custom Server SSL profile called admin_serverssl_profile using F5-supplied profile serverssl as its parent. Accept all the default settings.
13. Assign admin_serverssl_profile to virtual server ssl_vs as the SSL Profile (Server) setting.
14. Change the default pool for ssl_vs to point to https_pool again.
15. Retest your connection to https://10.10.X.104. What are the results now? Is the traffic on the server-side connection encrypted? Are you persisting?


Expected results and troubleshooting
Although as an application user you cannot “see” any difference in application behavior, the BIG-IP system is decrypting client traffic that arrives on ssl_vs. This is normally done to allow inspection of the traffic contents (perhaps to let an iRule or Local Traffic Policy affect traffic behavior or, in our case, to facilitate cookie persistence) before re-encrypting the traffic to send to the back-end servers. Keep in mind that the F5-supplied serverssl profile you inherited from accepts any certificate the pool member presents (Server Certificate: ignore); in production, set it to require and supply a Trusted Certificate Authorities bundle so the re-encrypted hop actually authenticates the back end.


Lab 6.5 – Manage Object State

Lab Objectives
See the effect of object state on persistence

Lab Requirements
BIG-IP base setup configuration
http_vs with a persistence profile whose expiration time is long (for example, 1 hour or more, or session) and load balanced to http_pool (Round Robin)

Persistence and Disabled Pool Members

Establish a persistent session and disable a member

1. Open a browser window to http://10.10.X.100. Refresh the page several times to confirm that you are persisting to the same pool member.

Q. What is the IP address of the pool member you are persisting to?

2. Use either the Configuration utility or TMSH to disable the pool member you are persisting to (as noted in the previous step). Instructions for both methods are shown below: (a) for the Configuration utility; (b) for TMSH.
   a. To disable the pool member using the Configuration utility:
      Configuration utility: Local Traffic » Pools : Pool List » http_pool » Members
      Current Members section: click the checkbox to the left of the pool member you are persisting to.
      When complete, click Disable
   b. To disable the pool member using TMSH, substitute the IP address:port combination of the server you are persisting to for <ip_address:port>:
      tmsh modify /ltm pool http_pool members modify { <ip_address:port> { session user-disabled } }


3. Go back to the browser window connected to http://10.10.X.100 and refresh the page several times.

Q. Are you still persisting to the same pool member? Why or why not?

4. Use either the Configuration utility or TMSH to force the pool member you are persisting to offline. Instructions for both methods are shown below: (a) for the Configuration utility; (b) for TMSH.
   a. To force the pool member offline using the Configuration utility:
      Configuration utility: Local Traffic » Pools » http_pool » Members
      Current Members section: select the pool member you are persisting to.
      Member Properties section, State: click the Force Offline button
      When complete, click Update
   b. To force the pool member offline using TMSH, substitute the IP address:port combination of the server you are persisting to for <ip_address:port>:
      tmsh modify /ltm pool http_pool members modify { <ip_address:port> { state user-down } }

5. Go back to the browser window connected to http://10.10.X.100 and refresh the page several times.

Q. Are you still persisting to the same pool member?


Disable the parent node and test the results

6. Use either the Configuration utility or TMSH to disable the parent node of the pool member you are now persisting to. Instructions for both methods are shown below: (a) for the Configuration utility; (b) for TMSH.
   a. To disable the node using the Configuration utility:
      Configuration utility: Local Traffic » Nodes » Node List
      Node List section: click the checkbox to the left of the parent node of the pool member you are now persisting to.
      When complete, click Disable
   b. To disable the node using TMSH, substitute the IP address of the parent node of the pool member you are persisting to for <ip_address>:
      tmsh modify /ltm node <ip_address> session user-disabled

7. Refresh the page at http://10.10.X.100 several times.

Q. Are you still persisting to the same node? Why or why not?

Configure Action on Service Down

8. Open an SSH session to virtual server ssh_vs, using the login credentials student/student.
9. Use either the Configuration utility or TMSH to force the pool member you are persisting to offline.
10. Is your connection to that pool member still open? Why or why not?
11. Use either the Configuration utility or TMSH to configure the Action on Service Down setting to reset any active connections to an unavailable pool member.
   a. To configure Action on Service Down using the Configuration utility:
      Configuration utility: Local Traffic » Pools » ssh_pool » Properties
      Configuration section (Advanced)
        Action on Service Down: Reject
      When complete, click Update


b. To configure Action on Service Down using TMSH: tmsh modify /ltm pool ssh_pool service-down-action reset

Confirm the change by using the following command: tmsh list /ltm pool ssh_pool service-down-action

12. Is your SSH connection to that pool member still open? Why or why not?

View object status from the Network Map 13. View the status of all your configuration objects from the Network Map screen. Hover your cursor over the status icon for the pool member you are persisting to and note the state of the pool member. Hover over the pool member IP address:port and note the status of the parent node.

Expected results
After forcing the pool member you are connected to offline and setting Action on Service Down to Reject, the BIG-IP system resets your connection to ssh_vs and removes it from its connection table, causing your SSH session to close. With the default setting of None, the existing SSH connection stays open until the client or server closes it, even though the pool member is forced offline.
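Added Python model (not course material, not F5 code) of the state rules this lab exercises: Disabled still accepts new connections that match a persistence record, Forced Offline accepts none, disabling a node disables every member on that address, and Action On Service Down decides whether already-open connections survive. The member and node addresses are the lab's; the round-robin tie-break, the field names borrowed from tmsh (session, state) and the use of forced-offline as the "service down" trigger are modelling assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    address: str                    # "172.16.20.1:80"
    session: str = "user-enabled"   # tmsh 'session': user-enabled | user-disabled (Disable)
    state: str = "user-up"          # tmsh 'state':   user-up | user-down (Force Offline)


@dataclass
class Node:
    address: str                    # "172.16.20.1"
    session: str = "user-enabled"   # tmsh 'session' on the node


def effective_status(member: Member, nodes: Dict[str, Node]) -> str:
    """Collapse the member's own settings and its parent node's into one of the
    three states the lab exercises.  Forced Offline outranks Disabled, and
    disabling a node disables every pool member that uses its address."""
    node = nodes.get(member.address.rsplit(":", 1)[0])
    if member.state == "user-down":
        return "forced-offline"
    if member.session == "user-disabled" or (node is not None and node.session == "user-disabled"):
        return "disabled"
    return "enabled"


def accepts_new_connection(status: str, has_persistence_record: bool) -> bool:
    """enabled: any new connection; disabled: only new connections that match an
    existing persistence record; forced-offline: no new connections at all."""
    if status == "enabled":
        return True
    if status == "disabled":
        return has_persistence_record
    return False


def keeps_active_connection(status: str, service_down_action: str) -> bool:
    """Already-open connections (the lab's SSH session) survive both Disable and
    Force Offline unless Action On Service Down is Reject (tmsh 'reset'), which
    tears them down once the member is marked down."""
    return not (status == "forced-offline" and service_down_action == "reset")


class Pool:
    def __init__(self, members: List[Member], nodes: Dict[str, Node],
                 service_down_action: str = "none"):
        self.members = members
        self.nodes = nodes
        self.service_down_action = service_down_action
        self._rr = 0

    def select(self, persisted_member: Optional[str]) -> str:
        """Member for a new connection: keep the persisted member if its state
        still allows it, otherwise round-robin over the members open to new clients."""
        for m in self.members:
            if m.address == persisted_member and accepts_new_connection(effective_status(m, self.nodes), True):
                return m.address
        candidates = [m for m in self.members
                      if accepts_new_connection(effective_status(m, self.nodes), False)]
        if not candidates:
            raise RuntimeError("no available pool members")
        choice = candidates[self._rr % len(candidates)]
        self._rr += 1
        return choice.address


if __name__ == "__main__":
    nodes = {f"172.16.20.{i}": Node(f"172.16.20.{i}") for i in (1, 2, 3)}
    pool = Pool([Member(f"172.16.20.{i}:80") for i in (1, 2, 3)], nodes)
    pool.members[0].session = "user-disabled"   # step 2: Disable
    print(pool.select("172.16.20.1:80"))        # still the persisted member
    pool.members[0].state = "user-down"         # step 4: Force Offline
    print(pool.select("172.16.20.1:80"))        # load balanced elsewhere
    print(keeps_active_connection("forced-offline", "none"),
          keeps_active_connection("forced-offline", "reset"))
```

The practical consequence for maintenance windows: Disable drains a member gracefully (persisted users finish, new users go elsewhere), while Force Offline plus Action On Service Down = Reject is the hard cut that also ends sessions in flight.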

Clean-up 14. Enable the node and pool member you disabled earlier in this lab using either the Configuration utility or TMSH.


Chapter 7 - Troubleshooting the BIG-IP System


Lab 7.1 – High Speed Logging

Lab Objectives
Configure BIG-IP to filter and send certain log messages to a remote high-speed logging pool.

Lab Requirements
BIG-IP base setup configuration

Test Local Syslog Behavior

1. Open a browser session to your BIG-IP system, and view the Local Traffic logs, sorting them in descending timestamp sequence: System » Logs : Local Traffic. Or, open an SSH session to your BIG-IP system and view the tail end of the Local Traffic log. On the command line, enter:
   tail -f /var/log/ltm

2. Use the Configuration utility to set the state for pool member 172.16.20.1:80 in pool http_pool to Forced Offline. Or, use TMSH to set a similar state for the pool member:
   tmsh modify ltm pool http_pool members modify { 172.16.20.1:80 { session user-disabled state user-down } }

3. Examine the first three syslog messages that were generated relating to the manual force offline. Note that the log messages were produced by a BIG-IP service called mcpd, and each has a severity level of notice. Also note the Status Code (message ID) for the second message: 01070639. We will use this information in the next section to create a high-speed logging filter that specifically causes these messages to be directed to a high-speed logging publisher rather than to the local logs.
4. Set the state for pool member 172.16.20.1:80 in pool http_pool back to Enabled. View the Local Traffic log again for new messages; there should be several indicating the status change for the pool member and its associated monitor instance. One should be another instance of Status Code (message ID) 01070639.


Configure High-Speed Logging Create a pool with one remote logging server Although you would probably not do this in a real world situation, in this lab you can use your PC as a destination for high-speed logging messages, then use tcpdump to view those messages as they are transmitted across the network from the BIG-IP system to your PC.

5. Using either the Configuration utility or TMSH, create a new pool using the following specifications:

   Name       Member(s)        Load Balancing
   hsl_pool   10.10.X.30:514   Default

6. Examine the current status indicator for the node associated with the pool member you have just created. If your BIG-IP system’s default monitor marks your node as unavailable, change its monitor assignment to None.

Create a remote high-speed logging destination

7. Create a remote high-speed log destination called hsl_destination to point to hsl_pool created previously.

   Configuration utility: System » Logs : Configuration : Log Destinations, then click the Create button
   General Properties section
     Name: hsl_destination
     Type: Remote High-Speed Log
   Pool Settings section
     Pool Name: select hsl_pool
     Protocol: UDP
     Distribution: adaptive
   When complete, click Finished


Create a Syslog formatted logging destination

8. Create a formatted destination called hsl_syslog_destination to point to hsl_destination created previously.

   Configuration utility: System » Logs : Configuration : Log Destinations, then click the Create button
   General Properties section
     Name: hsl_syslog_destination
     Type: Remote Syslog
   Pool Settings section
     Syslog Format: Syslog
     Forward To: hsl_destination
   When complete, click Finished

Create a publisher

9. Create a publisher called hsl_publisher where the BIG-IP system will send log messages for specific resources.

   Configuration utility: System » Logs : Configuration : Log Publishers, then click the Create button
   General Properties section
     Name: hsl_publisher
   Log Destinations section
     Destinations: move hsl_syslog_destination from the Available column to the Selected column
   When complete, click Finished


Create a logging filter

10. Create a logging filter called hsl_mcpd_notice_filter that will send all notice severity level messages from the BIG-IP mcpd service to hsl_publisher.

   Configuration utility: System » Logs : Configuration : Log Filters, then click the Create button
   General Properties section
     Name: hsl_mcpd_notice_filter
   Configuration section
     Severity: Notice
     Source: mcpd
     Log Publisher: hsl_publisher
   When complete, click Finished

Start tcpdump to view port 514 traffic from BIG-IP to your PC

11. Open a new PuTTY session to 10.10.X.31:22, log in as root, and at the bash prompt enter the following command to start tcpdump:
   config# tcpdump -ni external -Xs 0 udp and host 10.10.X.30 and port 514

Generate notice-level messages from the mcpd service

12. Generate log messages by using the Configuration utility to set the state for pool member 172.16.20.1:80 in pool http_pool to Forced Offline.
13. View your tcpdump output. You should see the same three log messages that you observed previously in the Local Traffic log, captured by tcpdump as they were transmitted to our pretend high-speed logging server pool.
14. View the local traffic logs at System » Logs : Local Traffic or via tail -f /var/log/ltm, and notice that the messages that were sent to the remote HSL server are not present in the local log, but other messages that did not match your HSL filter criteria are. For example, you may see messages about your tcpdump command starting and/or stopping.
15. Enable pool member 172.16.20.1:80 in pool http_pool again, and use tcpdump to confirm that you see another series of log records transmitted to your “pretend” high-speed logging server.


Optional Steps

Change the mcpd notice-level filter

16. Change the hsl_mcpd_notice_filter to send only log messages with ID 01070639 to our pretend high-speed log server.

Configuration utility: System » Logs : Configuration : Log Filters, then select hsl_mcpd_notice_filter
  Configuration section
    Message ID: 01070639
  When complete, click… Update

17. Force pool member 172.16.20.1:80 in pool http_pool offline again and confirm the change in behavior with respect to which message(s) are sent to the HSL server and which message(s) are recorded in the Local Traffic log. Notice that some messages go to HSL, others go to the local log.

Add a Splunk formatted destination and view change in log message format

18. Add a formatted destination called hsl_splunk_destination.

Configuration utility: System » Logs : Configuration : Log Destinations, then click the Create button
  General Properties section
    Name: hsl_splunk_destination
    Type: Splunk
    Forward To: hsl_destination
  When complete, click… Finished

19. Change publisher hsl_publisher to point to hsl_splunk_destination rather than hsl_syslog_destination.

20. Enable pool member 172.16.20.1:80 in pool http_pool again, and view your tcpdump output to see how the format of the log message sent to the remote HSL server has changed from previous iterations. It is now being formatted for Splunk software.

Expected results and troubleshooting

When you set up the high-speed logging filter for notice level messages generated by the mcpd service, all messages that matched that filter were sent to the remote high-speed logging destination, as defined by the publisher associated with the filter. All log messages that did not match an HSL filter were directed to local syslog processing. Later, when you changed the filter criteria to be more specific, only log messages with ID number 01070639 were sent to the HSL destination; the others went to the local logs, as they no longer matched any HSL filter criteria.


Initially, a Syslog formatter was sitting in between the publisher and the unformatted destination. Later, you introduced a Splunk formatter. The purpose of these formatter destinations is to simply format the log messages differently.

Clean-up

21. Effectively disable high-speed logging by deleting Log Filter hsl_mcpd_notice_filter. Force pool member 172.16.20.1:80 in pool http_pool offline and then enable it again. Use either the Configuration utility or the command line to confirm that the log messages that were being diverted to HSL are now being written to the local log files again. If you haven't done so already, stop your tcpdump and tail -f SSH sessions to the BIG-IP system by pressing Ctrl+C.
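The same Lab 7.1 object chain as typed into tmsh, given here as an added example that is not part of the original lab guide. It assumes the HSL pool is named hsl_pool with your PC (10.10.X.30:514) as its only member, and it also creates hsl_destination and hsl_syslog_destination, which the lab built in earlier steps that precede this excerpt; every other name is the one used in the steps above. The # lines are annotations, not commands, and X is your student number.

```tmsh
# Added example: the Lab 7.1 HSL chain in tmsh (pool name hsl_pool is assumed).
# The "pretend" high-speed log server is the student PC listening on UDP 514.
(tmos)# create /ltm pool hsl_pool members add { 10.10.X.30:514 }
# Unformatted HSL destination: where the bytes go (pool + transport).
(tmos)# create /sys log-config destination remote-high-speed-log hsl_destination pool-name hsl_pool protocol udp
# Syslog formatter in front of the unformatted destination (steps before 9).
(tmos)# create /sys log-config destination remote-syslog hsl_syslog_destination remote-high-speed-log hsl_destination
# Step 9: publisher that fans out to one or more destinations.
(tmos)# create /sys log-config publisher hsl_publisher destinations add { hsl_syslog_destination }
# Step 10: divert notice-level mcpd messages to the publisher.
(tmos)# create /sys log-config filter hsl_mcpd_notice_filter level notice source mcpd publisher hsl_publisher
# Step 16: narrow the same filter to a single message ID.
(tmos)# modify /sys log-config filter hsl_mcpd_notice_filter message-id 01070639
# Steps 18-19: Splunk formatter in front of the same unformatted destination,
# then swap the publisher over to it.
(tmos)# create /sys log-config destination splunk hsl_splunk_destination forward-to hsl_destination
(tmos)# modify /sys log-config publisher hsl_publisher destinations replace-all-with { hsl_splunk_destination }
(tmos)# list /sys log-config filter hsl_mcpd_notice_filter
(tmos)# list /sys log-config publisher hsl_publisher
# Step 21: deleting the filter is what stops the diversion; publisher and
# destinations can stay defined without any effect on the local logs.
(tmos)# delete /sys log-config filter hsl_mcpd_notice_filter
(tmos)# save /sys config
```

Two points carry over from this lab to production use. A log filter diverts matched messages rather than copying them: the lab shows that whatever goes to the HSL publisher disappears from /var/log/ltm, so a filter on a broad source such as mcpd with a permissive level leaves the local log blind to those events if the remote collector is down or unreachable. And what the remote-syslog destination emits here is plain UDP syslog to port 514: unauthenticated, unencrypted and unacknowledged, with the full message text visible to anyone on the path (as the tcpdump capture in this lab demonstrates). Keep such a collector on a management network rather than a shared data VLAN, and restrict the HSL filter to the events the collector actually needs.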

(Optional) Continue with Lab 7.2: Remote Syslog Server Lab


Lab 7.2 – Legacy Remote Syslog Lab

Lab Objectives
  Configure BIG-IP to send log messages to a remote log server.

Lab Requirements
  BIG-IP base setup configuration

Configure a Remote Syslog Server and Capture Log Message Traffic using tcpdump

Configure a remote syslog server

1. Add a remote server using your PC as the syslog server. Choose to use either the Configuration utility (a) or TMSH (b) to carry out this step.

a. Use the Configuration utility to configure remote logging…

Configuration utility: System » Logs » Configuration » Remote Logging
  Properties section
    Remote IP: 10.10.X.30
    Remote Port: 514
  When complete, click… Add, then click Update

b. …OR open an SSH session to your BIG-IP system and use TMSH to configure remote logging. Confirm your setup afterward. For example:

(tmos.sys)# modify syslog remote-servers add { mylog { host 10.10.X.30 } }
(tmos.sys)# list syslog remote-servers


Set up tcpdump

2. Open an SSH session to your BIG-IP system and set up a tcpdump to capture log messages sent to 10.10.X.30 via UDP port 514 on VLAN external. The captured traffic will be saved to a file in the /var/tmp/ directory on the BIG-IP system.

config# tcpdump -ni external -Xs 0 udp and host 10.10.X.30 and port 514 -w /var/tmp/trainX_remote_syslog

Generate local traffic log messages

3. Generate some local traffic log messages by deliberately modifying the monitor on pool http_pool in such a way that the monitor health test will fail for all pool members, and the pool and the virtual server will be marked as unavailable. (If you don't remember how to do this, refer back to the labs in the chapter on monitors earlier in this course.) Wait for the pool members' status to change before proceeding with the next step.

4. Generate more local traffic log messages by resetting the monitor on pool http_pool such that the monitor health test will succeed again for all pool members. Confirm that the pool members are back up, then wait about 15 seconds before proceeding to ensure the log messages are successfully written.

Stop the tcpdump and view the resulting file using Wireshark

5. Stop the tcpdump on your SSH session to the BIG-IP system by pressing Ctrl+C.

6. Open a WinSCP session to your BIG-IP system using the following specifications:
  a. File protocol: SFTP
  b. Host name: 192.168.X.31
  c. Port number: 22
  d. User name: root
  e. Password: rootX

7. When the WinSCP window opens, click on the file folder for the / directory. (It should be at the top of the list of directories.) Navigate to the /var/tmp/ directory and drag the icon for file trainX_remote_syslog from your BIG-IP system to your workstation desktop.

8. Close the WinSCP window.

9. Start the Wireshark application on your workstation.

10. In the Wireshark home screen, click on the File menu and select the Open… option.

11. Select the file trainX_remote_syslog on your desktop. You should see many log messages captured by your tcpdump.

12. Set up a filter to view only BIG-IP local traffic messages (LOCAL0 facility). Wireshark decodes the facility from the PRI value at the start of each syslog message (PRI = facility × 8 + severity), and LOCAL0 is facility 16. If you're not familiar with Wireshark, instructions are provided below:
  a. Click in the Filter field at the top left of the Wireshark screen.
  b. Type the following string: syslog.facility == 16
  c. Click the Apply button to apply the filter to the log messages.

Review the resulting filtered messages list to see what was generated.


Expected results and troubleshooting

You should see several log messages relating to local traffic events, including:
  The start of your tcpdump command
  The pool members' status changing to down/up
  SNMP_TRAP messages when your virtual servers became unavailable/available as the result of the changes in pool member status

If you did not capture any local traffic log messages (LOCAL0), make sure your monitor health test changes did result in all pool members being marked down/up. You may need to wait a few seconds between making the monitor mark the members up and terminating your tcpdump command to ensure that any buffered log messages are actually transmitted. If you did not capture any log messages at all, check your tcpdump command to ensure that it is specified correctly.

Clean-up at end of lab

13. Delete 10.10.X.30:514 as a remote syslog server using either the Configuration utility or TMSH.

a. Use the Configuration utility to delete 10.10.X.30:514 as a remote syslog server…

Configuration utility: System » Logs » Configuration » Remote Logging
  Properties section
    Remote Syslog Server List: Select 10.10.X.30:514 and click the Delete button
  When complete, click… Update

b. …OR open an SSH session to your BIG-IP system and use TMSH to remove 10.10.X.30:514 as a remote syslog server. Confirm the deletion, then save your configuration.

(tmos.sys)# modify syslog remote-servers none
(tmos.sys)# list syslog remote-servers


Lab 7.3 - iHealth Diagnostics (if Internet)

Lab Objectives
  Register for an iHealth account (if not already registered)
  Create a qkview file, upload to BIG-IP iHealth for analysis, and review the diagnostics produced

Lab Requirements
  BIG-IP base setup configuration
  This lab is dependent on connectivity to both BIG-IP and the Internet from the same workstation. If not already registered for an iHealth account, the student must have a working email address and be able to read their email in class, either on their workstation or on a personal computer/device.

If you do not already have an iHealth account, please register for one at iHealth.f5.com before beginning this lab. You will need a valid email address and be able to pick up the registration confirmation email in order to finish creating your account.

Generate a qkview File and Upload to BIG-IP iHealth

Generate the qkview file

1. Change the password for your admin user from adminX back to just admin.

2. Generate a qkview file on your BIG-IP.

Configuration utility: System » Support
  Support Snapshot section
    QKview: Check the box to the right of qkview
  When complete, click… Start

The qkview process may take several minutes to complete. When it does, continue with the steps below.


Download the qkview file

3. Download the qkview file to your workstation. (Assumes you have just successfully generated a qkview file, as in step 2.)

Support Snapshot section
  Snapshot File: Click the Download Snapshot File button

4. Find the downloaded qkview file on your workstation and rename it to case_number_bigipops_support_file.qkview. (The file should currently be named something like case_number_###_support_file.qkview).

Upload the qkview file to iHealth If you do not have Internet access from your workstation, the instructor may demonstrate these steps instead.

5. Open a separate browser window and connect to ihealth.f5.com.

6. Sign in using your iHealth account credentials. Click the Upload button to continue.

7. Click the Choose button and select the qkview that was downloaded to your workstation in step 3 and renamed in step 4. Click the Upload QKView(s) button to continue. The BIG-IP iHealth system may take several minutes to upload and then analyze the file.

8. After the analysis is complete, click on the qkview to view its contents. An iHealth viewer window with the results of your qkview file analysis will be displayed.

Review diagnostic information

9. Do you have any high priority diagnostic results? What are the recommended actions?

10. Download a synopsis of the Diagnostics in PDF format to your workstation. In the Diagnostics area, click the Select file.. drop-down menu under the Downloads section and select the PDF option.

11. Click to expand the Files menu, select the Config option, and view the bigip.conf file associated with this BIG-IP system.

12. What hardware specifications are shown by iHealth? (Hint: go to the Status menu)

13. Go to the Virtual Servers option under the Config Explorer menu to filter and view information about your virtual servers.


14. Execute commands against the qkview output. From the Commands menu, click on tmsh, and execute several commands such as:
  a. list /net self all-properties
  b. show running-config /net self
  c. show /ltm virtual all-properties
  d. show /ltm pool members

15. Generate some statistical graphs at Graphs > Standard. Download the graphs to your workstation and view them. 16. View and customize your iHealth settings at Options > Settings (upper right corner of the page).

Clean-up after viewing iHealth diagnostics 17. On your BIG-IP system, change the password for the admin user from admin back to adminX.


Chapter 8 - Administering the BIG-IP System

Lab 8.1 - AOM IP Address Lab (Optional)

Lab Objectives
  Configure an IP Address on the AOM
  Reboot the Host (Linux and TMM) from AOM

Lab Requirements
  BIG-IP base setup configuration

This section of the lab may vary per training location. If you do not have access to a serial console session in your location, then you may already have an IP Address for your AOM. Ask your instructor for details.

Adding an Address to AOM/SCCP

1. If you have access to a serial console session with your BIG-IP System, then from your serial console session, type ESC ( to open the AOM menu.
2. Choose option N, AOM network configurator
3. For Use DHCP? Enter n
4. For Host name (optional): press the Enter key
5. For IP address (required): 192.168.X.35
6. For Network mask (required): 255.255.0.0
7. For Broadcast IP address (optional): press the Enter key
8. For Default gateway IP address (optional): 192.168.20.1
9. For Nameserver IP address (optional): press the Enter key

Rebooting the Host System from AOM (Optional)

10. Open an SSH session to AOM at 192.168.X.35
11. When prompted, log in as root with a password of rootX
12. From the prompt, enter hostconsh and then ESC ( to access the AOM menu.
13. Select option 1, Connect to Host subsystem console and press the Enter key.
14. From the host prompt, enter ESC ( to access the AOM menu again.


15. Select Reboot Host subsystem 2 for AOM and enter Y when prompted. 16. You are automatically connected back to the Host subsystem. The Host subsystem now reboots in the console session and you should not lose your connection during this reboot.


Lab 8.2 - Administrative Partitions and Users

Lab Objectives
  Discover the behavior of administrative partitions and different user roles on the BIG-IP system.

Lab Requirements
  BIG-IP base setup configuration

Add Partitions and Users

Create new administrative partitions and users

1. Create two new administrative partitions called PartA and PartB using either the Configuration utility (a) or TMSH (b).

a. Create administrative partitions using the Configuration utility…

Configuration utility: System » Users : Partition List, then click the Create button
  Properties section
    Partition Name: PartA
  When complete, click… Repeat
  Properties section
    Partition Name: PartB
  When complete, click… Finished

b. …or create administrative partitions using TMSH:

tmsh create /auth partition PartA
tmsh create /auth partition PartB


2. Create two new manager user accounts called managera and managerb using either the Configuration utility (a) or TMSH (b).

a. Create manager user accounts using the Configuration utility…

Configuration utility: System » Users : User List, then click the Create button
  Account Properties section
    User Name: managera
    Password: New: managera  Confirm: managera
    Role: Manager
    Partition: PartA, then click Add
    Terminal Access: tmsh
  When complete, click… Repeat
  Account Properties section
    User Name: managerb
    Password: New: managerb  Confirm: managerb
    Role: Manager
    Partition: PartB, then click Add
    Partition Access: Select Manager/PartA, then click Delete
  When complete, click… Finished

b. …or create manager user accounts using TMSH:

tmsh create /auth user managera { partition-access add { PartA { role manager } } shell tmsh password managera }
tmsh create /auth user managerb { partition-access add { PartB { role manager } } shell tmsh password managerb }

Modify /Common/admin_http_monitor to check additional pool members 3. Modify admin_http_monitor so that it will check for successful responses from two new pool members you’ll create in the next few steps. Change the Receive String to Server [1-5].


Create Configuration Objects in PartB Log in to the Configuration utility as managerb 4. Log out of any existing browser session with the BIG-IP system, and log in as user managerb (password managerb). Ensure that you are working in partition PartB by examining the Partition specification in the upper right corner of your Configuration utility window, just to the left of the Log out button. Proceed only if your partition is set to PartB!

Create a virtual server and pool in PartB

5. Use the Configuration utility to create a pool and virtual server with the following characteristics:

Object          Name        IP address:port                 Resource(s)
Pool            httpb_pool  172.16.20.2:80, 172.16.20.4:80  Round Robin load balancing; /Common/admin_http_monitor
Virtual Server  httpb_vs    10.10.X.106:80                  /PartB/httpb_pool; /Common/admin_src_persist

As you create and view objects, notice how they are referenced not only by object name but also by the partition they are defined in.

Q. In what partition was pool member 172.16.20.2:80 created and why? Pool member 172.16.20.4:80?
Q. Can /Common/admin_http_monitor be assigned to httpb_pool?
Q. Can you view all the virtual servers and pools you created throughout class while you are logged in as the managerb user?
Q. Can you modify any of the configuration objects that are in /Common?
Q. Can the /Common/admin_src_persist profile be assigned to httpb_vs?

Expected results and troubleshooting You should be able to view all configuration objects in both /PartB and /Common. And, although you can open a particular configuration object in /Common, you are prevented from modifying its settings while you are working in PartB. You can reference objects in /Common when you are creating objects in /PartB. For example, you should have successfully added monitor admin_http_monitor to pool httpb_pool.


Create Configuration Objects in PartA

Log in to the command line interface as managera and navigate partitions

The next series of lab steps will help you discover how to navigate administrative partitions when working with TMSH.

6. Open an SSH session to your BIG-IP and log in as user managera (password managera). Confirm that you enter the TMOS shell immediately upon logging in. Before proceeding, confirm that you are working in partition PartA by looking at the information contained in the prompt. It should look something like this:

managera@(bigipX)(cfg-sync Standalone)(Active)(/PartA)(tmos)#

7. View all virtual servers in partition PartA:

list /ltm virtual

Q. Are there any virtual servers in PartA?

8. Change partitions to Common and notice how the prompt changes:

cd /Common

9. View all virtual servers in partition Common:

list /ltm virtual

Q. Which virtual servers can you see here?

10. Try to change partitions to PartB:

cd /PartB

Q. Were you successful?
Q. What error message did you receive?

Create configuration objects in PartA using TMSH 11. Change partitions back to PartA and confirm you are in the correct partition before continuing.


12. Create a pool with the following characteristics. If you don't remember how to do this, refer back to chapter 2, or use TMSH help and auto command completion.

Object  Name               Members                         Resource(s)
Pool    /PartA/httpa_pool  172.16.20.1:80, 172.16.20.4:80  Round Robin load balancing; /Common/admin_http_monitor

Q. Were you able to successfully create the pool?
Q. What error message did you receive?

You should receive a configuration error indicating a conflict over the node with IP address 172.16.20.4. This node was created automatically by BIG-IP in partition PartB in an earlier lab step (as part of creating pool member 172.16.20.4:80). Although you're now working in partition PartA and can't see that node 172.16.20.4 actually exists, the BIG-IP system can, and prevents you from creating a duplicate IP configuration.

Partitions only impact BIG-IP administrative activities; they do not affect how the BIG-IP system processes application traffic. In other words, the administrative partition a particular virtual server or pool (or other configuration object) is administered in is irrelevant when it comes to how that virtual server or pool will process application traffic.

13. Change 172.16.20.4:80 to 172.16.20.5:80 in the above configuration and try again to create pool httpa_pool. Use TMSH list commands to answer the following questions:

Q. In what partition was pool member 172.16.20.1:80 created and why? Pool member 172.16.20.5:80?

14. Use TMSH to create a virtual server in PartA named httpa_vs at 10.10.X.108:80, with default pool httpa_pool and profile tcp. Use command completion and help to guide you through the process.

15. Back in your browser session to the BIG-IP Configuration utility, logged in as managerb, can you see the virtual server httpa_vs and pool httpa_pool you just added in /PartA?
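Steps 11 through 14 as typed into the managera tmsh session, given here as an added example that is not part of the original lab guide. The full prompt is shown once and abbreviated to (tmos)# afterwards; X is your student number. The example assumes what the rest of the lab sets up: 172.16.20.1 already exists as a node in /Common (it is a member of http_pool), and 172.16.20.4 was auto-created as a node in /PartB during step 5. The # lines are annotations, not commands.

```tmsh
# Added example: Lab 8.2 steps 11-14 in tmsh, as user managera (Manager on /PartA only).
managera@(bigipX)(cfg-sync Standalone)(Active)(/PartA)(tmos)# cd /PartA

# Step 12 as specified is rejected: a node for 172.16.20.4 already exists in /PartB,
# and node addresses must be unique across partitions even though managera cannot see /PartB.
(tmos)# create /ltm pool httpa_pool members add { 172.16.20.1:80 172.16.20.4:80 } monitor /Common/admin_http_monitor load-balancing-mode round-robin

# Step 13: same pool with 172.16.20.5 in place of 172.16.20.4.
# Objects in /Common must be referenced by full path from inside /PartA.
(tmos)# create /ltm pool httpa_pool members add { 172.16.20.1:80 172.16.20.5:80 } monitor /Common/admin_http_monitor load-balancing-mode round-robin

# Step 13 questions: the member list shows /Common/172.16.20.1:80 (the existing /Common
# node was reused) and /PartA/172.16.20.5:80 (a new node created in the current partition).
(tmos)# list /ltm pool httpa_pool
(tmos)# list /ltm node

# Step 14: a virtual server in /PartA using the /Common tcp profile and the pool just created.
(tmos)# create /ltm virtual httpa_vs destination 10.10.X.108:80 ip-protocol tcp profiles add { tcp } pool httpa_pool
(tmos)# list /ltm virtual httpa_vs

# Step 10 revisited: managera holds the Manager role on /PartA only, so this is rejected.
(tmos)# cd /PartB
```

The point to carry away is the one the note above step 13 makes: partition scoping is an administrative boundary, not a data-plane one, and uniqueness constraints such as node addresses are evaluated across the whole system. A Manager confined to one partition can therefore still learn from the error text that an address is already in use somewhere they cannot see. If that matters for your deployment, treat partitions as a way to delegate administration, not as isolation between tenants.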


Compare Administrative Partition and User Role Views If your workstation is only configured with one IP address on the 10.10/16 network, open the two browser windows to the BIG-IP self IPs using one browser (such as Firefox), then start up another browser (such as IE) and open a window to https://10.10.X.31 for the third user.

16. Close all your browser sessions to BIG-IP. Open three new browser windows as follows:
  a. Connect to BIG-IP via the management port at https://192.168.X.31 and log in as user admin with password adminX.
  b. Connect to BIG-IP via the external non-floating self IP at https://10.10.X.31 and log in as user managera with password managera.
  c. Connect to BIG-IP via the external floating self IP at https://10.10.X.33 and log in as user managerb with password managerb.

17. Notice the User: and Role: designations at the top of each window.

18. Compare and contrast the Network Map view in each user role. Which resources do you see for each?

19. Compare and contrast the Navigation pane selections on the different user roles. For example, as an Administrator, the admin user has selections for System » SNMP and System » Logs, but the Manager roles do not. An Administrator role has the ability to switch to another boot location (System » Software Management » Boot Locations) or reboot the BIG-IP system (System » Configuration » Device), but the Manager role does not.

20. On the admin user window, navigate to the Network Map, and switch the partition you are working in using the Partition pull-down in the upper right corner of the Configuration utility screen (to the left of the Log out button). Notice that this pull-down does not appear on the views for managera and managerb. View the virtual servers and pools in all partitions by selecting All [Read Only] from the Partition pull-down. Notice how the view changes yet again.

21. Close all your browser windows before continuing.


View Partition Definitions and Configuration File Structures

22. Open an SSH session to your BIG-IP and log in as the root user account.

23. Save the currently running configuration:

tmsh save /sys config

Q. What files were saved during this operation?

24. View the saved configuration file, /config/bigip.conf, using more or cat. Notice that the virtual servers and pools created in partitions PartA and PartB are not included in this bigip.conf file.

25. Stop viewing bigip.conf and list the /config/ directory. Notice there is a directory named /config/partitions/.

26. Change directories to /config/partitions/ and list its contents. Notice that there are directories for PartA and PartB, and that there is a bigip.conf file in each. View these two files and answer the questions below:

Q. What are the differences between the contents of /PartA/bigip.conf and /PartB/bigip.conf?
Q. Why are the contents of these files different?

27. View the /config/bigip_base.conf file and notice the folder specification for the two partitions is not /Common/ but instead is /PartA/ and /PartB/.


Chapter 9 - Customizing Application Delivery with iRules


Lab 9.1 – HTTP to HTTPS Redirect via iRule

Lab Objectives
  Use an F5-supplied iRule, _sys_https_redirect, to redirect traffic from an HTTP virtual server to an HTTPS virtual server.

Lab Requirements
  BIG-IP base setup configuration
  Two virtual servers – one HTTP (port 80) and one HTTPS (port 443), both configured at the same IP address (for example, 10.10.X.100:80 and 10.10.X.100:443)

Confirm traffic behavior before iRule

1. Remove any persistence profiles that are on http_vs and https_vs before continuing.

2. Reset the statistics for http_vs, https_vs, http_pool, and https_pool on your BIG-IP system.

3. Open a browser session to http://10.10.X.100, hard-refresh the screen several times, and ensure that you are not being redirected. You should consistently see the blue application pages, not red.

4. Verify through Local Traffic statistics that traffic is being directed solely to http_vs and http_pool.

5. Reset the statistics for http_vs, https_vs, http_pool, and https_pool on your BIG-IP system.

View _sys_https_redirect iRule

6. View the F5-supplied iRule called _sys_https_redirect that can be used to redirect traffic destined for an HTTP virtual server to an HTTPS virtual server. Navigate to Local Traffic » iRules : iRules List, and select _sys_https_redirect. (Hint: Use the Search function to find this iRule, or notice that there is more than one page of iRules available.)
  a. What event triggers this iRule?
  b. Are there any conditional statements in this iRule?
  c. What action will be taken?

The definition-signature section that follows the iRule code is used to confirm that the iRule was written by F5 and has not been modified. When writing iRules, you can include your own checksum or digital signature.


7. Assign _sys_https_redirect to http_vs (10.10.X.100:80), addressing any configuration error messages that may result. (An iRule that uses HTTP events can only be assigned to a virtual server that has an HTTP profile; if http_vs does not have one yet, add it first.)

Configuration utility: Local Traffic » Virtual Servers : Virtual Server List, then select http_vs
  Resources tab
    iRules section: click Manage
    iRule: Move _sys_https_redirect from the Available column to the Enabled column
  When complete, click… Finished

Verify redirect behavior

8. On your browser session to http://10.10.X.100, hard-refresh the screen. Did you get redirected to https://10.10.X.100? If so, you should see the red application page, not the blue.

9. View statistics to confirm that traffic was redirected from http_vs to https_vs.

If you would like, continue with optional lab 9.2 Pool Selection via iRule.


Lab 9.2 – Pool Selection via iRule (Optional)

Lab Objectives
  Configure a series of iRules, pools, and virtual servers in order to demonstrate a variety of rule features and functions.

Lab Requirements
  BIG-IP base setup configuration

Use an iRule to Process Requests Based on TCP Port

Create three new pools

1. Using either the Configuration utility or TMSH, create three new pools as follows:
  a. /Common/pool1: One member at 172.16.20.1 (all services)
  b. /Common/pool2: One member at 172.16.20.2 (all services)
  c. /Common/pool3: One member at 172.16.20.3 (all services)

Create an iRule for TCP port checking

2. Create an iRule called admin_rule_tcpport:

Configuration utility: Local Traffic » iRules, then click Create
  Properties section
    Name: admin_rule_tcpport
    Definition:

      when CLIENT_ACCEPTED {
          if { [TCP::local_port] equals 80 } {
              pool /Common/pool1
          } elseif { [TCP::local_port] equals 443 } {
              pool /Common/pool2
          }
      }

  When complete, click… Finished


3. Create virtual server /Common/tcpport_vs and assign it iRule admin_rule_tcpport:

Configuration utility: Local Traffic » Virtual Servers, then click Create
  General Properties section
    Name: tcpport_vs
    Destination: 10.10.X.110
    Service Port: * All Ports
  Resources section
    iRules: /Common/admin_rule_tcpport
    Default Pool: pool3
  When complete, click… Finished

Verify behavior through statistics

4. Open a browser session to http://10.10.X.110. Which pool did you connect to and why? Which node did you connect to?
5. Open a browser session to https://10.10.X.110. Which pool did you connect to and why? Which node did you connect to?
6. Open an SSH session to 10.10.X.110. Which pool did you connect to and why? Which node did you connect to?
7. Verify where traffic was routed using statistics.
8. Close your SSH window to 10.10.X.110 and terminate the session.


Repair iRule to cover all desired traffic scenarios

In this next section, you'll see what happens when an iRule itself does not logically cover all the scenarios that might occur during traffic processing.

9. Change the Default Pool setting on tcpport_vs to None.

10. Try to open an SSH session to 10.10.X.110 again. Were you able to connect? Why or why not?

11. Correct the iRule admin_rule_tcpport to have a final "else" statement that will provide a default pool for all traffic other than HTTP (port 80) and HTTPS (port 443). Change the code to this:

    when CLIENT_ACCEPTED {
        if { [TCP::local_port] equals 80 } {
            pool /Common/pool1
        } elseif { [TCP::local_port] equals 443 } {
            pool /Common/pool2
        } else {
            pool /Common/pool3
        }
    }

12. Try to open an SSH session to 10.10.X.110 again. Were you able to connect now? Which pool and node did you connect to?
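The three pools, the corrected iRule and the all-ports virtual server from this lab as typed into tmsh from the /Common partition, given here as an added example that is not part of the original lab guide. Port 0 in a pool member or virtual server destination means all ports; X is your student number; the # lines are annotations, not commands.

```tmsh
# Added example: Lab 9.2 in tmsh. Members on port 0 match "all services" in step 1.
(tmos)# create /ltm pool pool1 members add { 172.16.20.1:0 }
(tmos)# create /ltm pool pool2 members add { 172.16.20.2:0 }
(tmos)# create /ltm pool pool3 members add { 172.16.20.3:0 }

# The iRule with the final else from step 11. tmsh accepts the multi-line body
# because the braces are not balanced until the last line.
(tmos)# create /ltm rule admin_rule_tcpport {
when CLIENT_ACCEPTED {
    if { [TCP::local_port] equals 80 } {
        pool /Common/pool1
    } elseif { [TCP::local_port] equals 443 } {
        pool /Common/pool2
    } else {
        pool /Common/pool3
    }
}
}

# Step 3: a virtual server on every TCP port of 10.10.X.110, with pool3 as the default pool.
(tmos)# create /ltm virtual tcpport_vs destination 10.10.X.110:0 ip-protocol tcp rules { admin_rule_tcpport } pool pool3

# Step 9: remove the default pool so that only the iRule can select one.
(tmos)# modify /ltm virtual tcpport_vs pool none

# Steps 4-7: after the browser and SSH test connections, see which member took each one.
(tmos)# show /ltm pool pool1 members
(tmos)# show /ltm pool pool2 members
(tmos)# show /ltm pool pool3 members
(tmos)# show /ltm virtual tcpport_vs
```

Note what the step 11 repair does in security terms. With no default pool and no else branch, a connection on any port other than 80 or 443 has no pool to go to and cannot be completed, which is fail-closed; that is what step 10 demonstrates. Adding else { pool /Common/pool3 } is what the lab asks for, but it also turns tcpport_vs into a relay for every TCP port to 172.16.20.3. Outside a lab, the else branch of a port-dispatching iRule is usually better spent on an explicit reject, or the virtual server given a specific port rather than All Ports, so that only the services you intended are reachable through the BIG-IP.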
