F5 BIGIP Basic Training

January 14, 2017 | Author: man_kun87 | Category: N/A

Document created by Kalpesh Dalwadi

F5 BIGIP Configuration

F5 offers free training for the LTM module. You have to register and create your account, and using this account you can take the online training classes. https://f5.learn.com/learncenter.asp?

Configuration examples via iApp GUI:

Project example: Add new URL tctssw.con-way.com with 80 & 443 services. The physical servers (pool members) will be listening on tcp/8080 for HTTP requests, while for HTTPS requests they will listen on tcp/443. The physical servers in this example are 10.6.109.79 & 10.6.109.80.

Implementation:

Step 1: Selecting the correct partition on the F5 where the URL configuration will reside:

After logging in to the correct F5, select the right partition for the new URL (there are different partitions on the F5 based on application types): click on ‘Local Traffic’ and then ‘Pools’. At the top right there is a Partition drop-down box where you can select the partition in which the URL configuration should reside.

Note: LTM refers to Local Traffic Manager. This is the module in the iApp GUI.

Step 2: Create the pool and add pool members (physical servers) to the pool:

LTM -> POOLS -> + (clicking the + sign lets you add a new configuration)

We will start by configuring the pool for http://tctssw.con-way.com. The pool consists of physical server members and their ports (which can be the same as or different from the URL ports).

Configuration: Advanced
Name: p- prepod-tctssw.con-way.com-8080
Health Monitor: eweb_lb_healthcheck

Note: Select health monitors from the ‘Available’ box. You can also create custom health monitors by selecting ‘Monitors’ under Local Traffic.

Availability Requirement: All (Health Monitors)
Allow SNAT: Yes

Note: The SNAT option depends on how the F5 is set up:

1) Transparent mode: In this mode the server VLAN resides on the LB, so the servers use the LB as their gateway. The client source address is forwarded by the F5 to the server as is. In this mode both URL access and direct server access are routed via the F5. The default route for the servers points to the F5 gateway IP.

2) Proxy mode: In this mode the LB uses SNAT to translate the source IPs, so the physical server sees the connection come in from the SNAT IP pool configured on the F5 and does not see the real client IP. The F5 maintains the translations and routes the packets from clients to the physical servers. In this case the server VLAN does not reside on the F5; instead it resides on the layer 3 switch. All traffic destined to the URL VIP is directed to the F5, which NATs the source IP and proxies the request to the physical servers. If a client sends a connection directly to the physical server, the packets are routed by the layer 3 switch directly to the server and not via the F5. The F5 will have its default route pointing to the VIP subnet gateway IP assigned to one of its physical interfaces connected to the layer 3 switch, while the routes to all the server subnets will point to another physical interface addressed out of the SNAT subnet. The gateway on the servers will be their respective subnet network address, which will reside on the layer 3 switch.

Allow NAT: Yes
Action On Service Down: None

Slow Ramp Time: 10 seconds
IP ToS to Client: Pass Through
IP ToS to Server: Pass Through
Link QoS to Client: Pass Through
Link QoS to Server: Pass Through
Reselect Tries: 0 (zero)

Click on the ‘Update’ box to save the pool configuration. Now we need to add the physical servers as pool members under the newly created pool. Click on Members as shown in the image below.

Under Load Balancing:

Load Balancing Method: Least Connections (members)

Note: There are different types of LB algorithms supported by F5. Ask the application team/requestor of the project which algorithm they want to use.

Note: The difference between a node and a member is that a node refers to just an IP, while a member refers to an IP and a service port.

Priority Group Activation: Disabled

Then click on Add to add physical members.

Under New Pool Members:

Address: New Address

Note: Select ‘New Address’ if you don’t have the physical server added under Nodes (under LTM). Select ‘Node list’ if the node exists already.

Service Port: 8080

Under Configuration:

Ratio: 1
Priority Group: 0
Connection Limit: 0
Health Monitors: Inherit From Pool

Select Monitor: We have already configured a health monitor for the pool, so the same one will apply to the members in the pool. Click on Update to save.

Step 3: Create the virtual server (URL) and assign the pool to the virtual server

Note: VS refers to Virtual Server.

LTM -> VIRTUAL SERVERS -> + (create)

Under General Properties:

Name: vs- prepod-tctssw.con-way.com-80
Destination: Type: Host
Address: 10.6.111.130 (this is the virtual IP for the URL; for a new URL you need to assign the IP from the VIP pool depending on the F5 environment, e.g. test/dev/prod, and you need to register the URL in DNS)
Service Port: 80 (HTTP)

State: Enabled

Under Configuration (select ‘Advanced’):

Type: Standard
Protocol: TCP
Protocol Profile (Client): TCP
Protocol Profile (Server): Use Client Profile
OneConnect Profile: None
NTLM Conn Pool: None
HTTP Profile: http-eweb

Note: This is a custom HTTP profile which can be created under ‘Local Traffic’ -> Profiles -> HTTP.

FTP Profile: None
Stream Profile: None
SSL Profile (Client): None
SSL Profile (Server): None
Authentication Profiles: None
RTSP Profile: None
Diameter Profile: None
SIP Profile: None
Statistics Profile: None
VLAN and Tunnel Traffic: All VLANs and Tunnels
SNAT Pool: Auto Map
Traffic Class: None
Connection Limit: 0 (zero meaning no limit)
Connection Mirroring: Do not check this box
Address Translation: Enabled
Port Translation: Enabled
Source Port: Preserve
Clone Pool (Client): None
Clone Pool (Server): None
Last Hop Pool: None

Click on Update to save. Now click on Resources at the top, as shown in the picture below.

Under Load Balancing:

Default Pool: p- prepod-tctssw.con-way.com-8080
Default Persistence Profile: None
Fallback Persistence Profile: None

Click on Update to save.

Note: If you have to assign an existing iRule to the VS (an iRule is a custom script written in TCL which provides different types of manipulation and responses for a given URL request that comes to the F5 LB), then click on Manage -> under Resource Management select the iRule you want to assign from the ‘Available’ box and click on Finish.

Proceed in the same way if you want to assign an HTTP Class Profile to the VS (virtual server = URL).

Understanding iRule

An iRule is a powerful and flexible feature of BIG-IP devices based on F5's exclusive TMOS architecture. iRules provide you with unprecedented control to directly manipulate and manage any IP application traffic. iRules use an easy-to-learn scripting syntax and enable you to customize how you intercept, inspect, transform, and direct inbound or outbound application traffic.

An iRule consists of one or more event declarations, each containing TCL code that is executed when that event occurs. To further understand iRules and how they work, please refer to the link below.
https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/122/iRules-101--01--Introduction-to-iRules.aspx

To learn more about TCL language operators and commands, refer to the link below.
http://tmml.sourceforge.net/doc/tcl/index.html

Note: ‘Curl’ and ‘bigpipe’ commands are very helpful in troubleshooting F5 issues from the CLI (ssh to the F5 and log in via the root user).
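An iRule of the shape described above, as an added example that is not part of the original document: two event declarations for the port-80 virtual server from Step 3. It assumes SNAT Auto Map hides the client address from the pool members, so it passes that address on in an X-Forwarded-For header; the header name, the Host check and the variable names are assumptions of this example.

```tcl
# Added example (not from the original document).
# Intended for the port-80 virtual server from Step 3, which uses SNAT Auto Map.

when CLIENT_ACCEPTED {
    # Fires once per client TCP connection. Capture the real source address
    # here; after SNAT the pool members only see the F5's translated address.
    set client_ip [IP::client_addr]
}

when HTTP_REQUEST {
    # Fires for every HTTP request on the connection (requires an HTTP
    # profile on the virtual server, such as http-eweb above).

    # Remove any X-Forwarded-For sent by the client so the value the servers
    # log cannot be forged, then insert the address the F5 actually saw.
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" $client_ip

    # Assumption: this VIP should only answer for the published hostname.
    # getfield strips an optional ":port" suffix from the Host header.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $req_host ne "tctssw.con-way.com" } {
        log local0. "Unexpected Host '$req_host' from $client_ip"
        HTTP::respond 400 content "Bad Request"
        return
    }

    # No pool command is needed: the request continues to the default pool
    # assigned under Resources.
}
```

In transparent mode the servers already see the client address, so only the Host check adds anything there.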
