March 9, 2017 | Author: Beleznay Péter | Category: N/A
F5 Networks Training
Configuring BIG-IP® LTM V11
Instructor Lab Guide
Configuring BIG-IP® LTM Instructor Lab Guide – © 2011 F5 Networks, Inc.
12/19/2011
Configuring BIG-IP LTM V11 Instructor Lab Guide
First Printing: December 2011
This manual was written for BIG-IP Local Traffic Manager version 11.0.0. Although some of the features discussed in this course were added in v11.0.0, most of the concepts apply to previous versions of BIG-IP LTM.
© 2011, F5 Networks, Inc. All rights reserved.
Support and Contact Information

Obtaining Technical Support
Web: tech.f5.com (Ask F5)
Phone: (206) 272-6888
Email (support issues): [email protected]
Email (suggestions): [email protected]

Contacting F5 Networks
Web: www.f5.com
Email: [email protected] & [email protected]

F5 Networks, Inc., Corporate Office: 401 Elliott Avenue West, Seattle, Washington 98119; T (888) 88BIG-IP, T (206) 272-5555, F (206) 272-5557; [email protected]
F5 Networks, Ltd., United Kingdom: Chertsey Gate West, Chertsey, Surrey KT16 8AP, United Kingdom; T (44) 0 1932 582-000, F (44) 0 1932 582-001; [email protected]
F5 Networks, Inc., Asia Pacific: 5 Temasek Boulevard #08-01/02, Suntec Tower 5, Singapore 038985; T (65) 6533-6103, F (65) 6533-6106; [email protected]
F5 Networks, Inc., Japan: Akasaka Garden City 19F, 4-15-1 Akasaka, Minato-ku, Tokyo 107-0052, Japan; T (81) 3 5114-3200, F (81) 3 5114-3201; [email protected]
Legal Notices
Copyright
Copyright 2011, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time.
Trademarks 3-DNS, Access Policy Manager, APM, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, Application Security Manager, ASM, ARX, Ask F5, BIG-IP, Data Manager, DevCentral, DevCentral (design), Edge Client, Edge Gateway, Enterprise Manager, EM, F5, F5 (design), F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, Firepass, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, IBR, Intelligent Compression, IPv6 Gateway, iQuery, iRules, iRules onDemand, IT Agility. Your Way., L7 Rate Shaping, Link Controller, LC, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, SSL Acceleration, Strongbox, SYN Check, TCP Express, Transparent Data Reduction, TDR, The World Runs Better With F5, Traffic Management Operating System, TMOS, TrafficShield, VIPRION, WebAccelerator, WA, WAN Optimization Module, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners.
Patents This product may be protected by U.S. Patents 6,311,278, 6,327,242, 6,374,300, 6,405,219, 6,473,802, 6,505,230, 6,640,240, 6,772,203, 6,970,933, 6,889,249, 7,047,301, 7,051,126, 7,102,996, 7,113,962, 7,114,180, 7,126,955, 7,146,354, 7,197,661, 7,206,282, 7,286,476, 7,287,084, 7,296,145, 7,296,263, 7,308,475, 7,343,413, 7,346,695, 7,349,391, 7,355,977, 7,376,967, 7,383,288, 7,395,349, 7,409,440, 7,409,460, 7,430,755, 7,441,045, 7,461,290, 7,472,413, 7,487,253, 7,490,162, 7,493,383, 7,505,455, 7,509,322, 7,512,673, 7,552,191, 7,558,848, 7,562,110, 7,567,573, 7,580,353, 7,590,625, 7,606,912. Current as of Aug 2010, but other patents pending.
Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
FCC, Canadian Regulatory and Standards Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules. This Class A digital apparatus complies with Canadian ICES-003, and conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products.
Table of Contents

Preface: Product Overviews and Hardware .... P-1
  BIG-IP Product Family .... P-1
  ARX Product Family .... P-3
  F5 Hardware .... P-5
  F5 Services and Resources .... P-11

Module 1: Installation and Initial Access .... 1-1
  BIG-IP Local Traffic Manager Overview .... 1-1
  Licensing, Provisioning & the Setup Utility .... 1-2
  Installation and Setup Labs .... 1-9
    Lab – Changing Initial IP Address .... 1-9
    Lab – Licensing the System and Provisioning .... 1-11
    Lab – Setup Utility .... 1-14
    Lab – Configuration and Backup .... 1-19
  BIG-IP Hardware Platforms .... 1-20
  Switch Card Control Processor (SCCP) and Always On Management (AOM) .... 1-22
  Ask F5: F5 Support Resources and Tools .... 1-23
    Lab – SCCP / AOM IP Address Configuration .... 1-25
    Lab – AskF5 Resource .... 1-26

Module 2: Load Balancing .... 2-1
  Virtual Servers and Pools .... 2-1
  Configuring Virtual Servers and Pools .... 2-3
    Lab – Virtual Servers and Pools .... 2-6
  Network Map .... 2-11
  Load Balancing Modes .... 2-13
  Configuring Load Balancing .... 2-17
    Labs – Load Balancing .... 2-19

Module 3: Monitors .... 3-1
  Monitor Concepts .... 3-1
  Monitor Configuration .... 3-3
  Monitor Assignment .... 3-5
  Monitor Status Reporting .... 3-8
    Lab – Monitors for Nodes .... 3-10
    Labs – Monitors for Pools and Members .... 3-12

Module 4: Profiles .... 4-1
  Profiles .... 4-1
  Profile Types and Dependencies .... 4-2
  Common Protocol Profile Types and Settings .... 4-5
  Configuring and Using Profiles .... 4-9

Module 5: Persistence .... 5-1
  Persistence Concepts .... 5-1
  Source Address Persistence .... 5-2
    Lab – Source Address Persistence .... 5-5
  Cookie Persistence .... 5-8
    Lab – Cookie Persistence .... 5-14
  Object Management .... 5-17
    Lab – Disabled Members .... 5-20

Module 6: Processing SSL Traffic .... 6-1
  SSL Termination/Initiation .... 6-1
  SSL Profile Configuration .... 6-4
    Lab – Client SSL .... 6-6
    Lab – Client and Server SSL (Optional) .... 6-8

Module 7: Lab Project #1 .... 7-1
  Configuration Project .... 7-3
    Lab – Configuration Project .... 7-3
  Review Questions – Modules 1 to 6 .... 7-4

Module 8: NATs and SNATs .... 8-1
  Network Address Translation (NAT) .... 8-1
    Lab – Configuring a NAT .... 8-4
  Secure Network Address Translation (SNAT) .... 8-5
    Labs – SNAT Labs .... 8-7

Module 9: iRules .... 9-1
  iRules Concepts .... 9-1
  iRules Events .... 9-3
  Configuring iRules .... 9-5
    Labs – iRules Lab #1 .... 9-6
    Labs – iRules Lab #2 .... 9-9

Module 10: High Availability .... 10-1
  Sync-Failover Group Concepts .... 10-1
  Synchronization State and Failover .... 10-2
    Lab – Sync-Failover Device Group .... 10-4
  Redundant Pair Communication .... 10-7
  Upgrading the BIG-IP System .... 10-7
  Fail-over Triggers & Detection .... 10-8
    Lab – VLAN Failsafe .... 10-10
  Stateful Fail-over .... 10-11
    Labs – Connection & Persistence Mirroring .... 10-12

Module 11: High Availability Part 2 .... 11-1
  Traffic Group Concepts .... 11-1
  MAC Masquerading .... 11-3
    Lab – Traffic Groups .... 11-4
    Lab – n + 1 High Availability .... 11-5

Module 12: tmsh Command Line Configuration .... 12-1
  Command Line using tmsh .... 12-1
  Running vs Saved Configuration .... 12-10
    Labs – tmsh Configuration .... 12-13
  Config Files .... 12-18
    Lab – Config Files .... 12-22
  Optional Labs – SNATs and Monitors .... 12-23

Module 13: BIG-IP Administration .... 13-1
  BIG-IP iHealth .... 13-1
  Documentation for Support .... 13-6
  tcpdump .... 13-9
  The bigtop and bigstart Commands .... 13-14
  VLAN Network Configuration .... 13-21
  Restricting Network Access .... 13-25
  Logging and Notification .... 13-29
  SMP Features .... 13-31
    Lab – Remote Syslog .... 13-32
    Lab – SNMP Trap .... 13-33
    Lab – AskF5 Resource .... 13-34
    Lab – iHealth and qkview .... 13-35
  Optional Lab – Packet Filters .... 13-36
  Optional Lab – Command Line Tools .... 13-39

Module 14: BIG-IP Administration part 2 .... 14-1
  Administration Domains .... 14-1
    Lab – Admin Partitions and Users .... 14-6
  Clustered Multi-Processing (CMP) .... 14-9
  Virtualized CMP (vCMP) .... 14-10
  Sync-Only Device Groups .... 14-15
    Lab – Sync-Only Group .... 14-16

Module 15: Profiles part 2 .... 15-1
  TCP Express Optimization .... 15-1
  HTTP Profile Options .... 15-8
  OneConnect .... 15-10
  HTTP Compression .... 15-12
    Lab – HTTP Compression .... 15-16
  HTTP Caching .... 15-17
  Streaming profile .... 15-19
  F5 Acceleration Technologies .... 15-22
    Optional Labs – Caching, Streaming & Authentication .... 15-24

Module 16: iApps .... 16-1
  iApps Concepts .... 16-1
  Analytics .... 16-5
    Lab – Deploying an Application Service .... 16-10
    Lab – Modifying an Application Service .... 16-14
    Lab – Analytics .... 16-18

Module 17: Virtual Servers part 2 .... 17-1
  Virtual Servers Concepts .... 17-1
    Lab – Forwarding Virtual Servers .... 17-3
  Path Load Balancing .... 17-4
  Auto Last Hop .... 17-6
  Firewall Sandwiches – An Example .... 17-7

Module 18: SNATs part 2 .... 18-1
  SNATs Re-visited .... 18-1
  SNAT Automap .... 18-3
  SNAT Pools .... 18-6
  SNAT as Listeners .... 18-7
  SNAT Configuration .... 18-8
    Labs – SNAT Lab .... 18-10
  VIP Bounceback .... 18-13
    Lab – VIP Bounceback .... 18-14
  Network Packet Processing .... 18-17

Module 19: Monitors part 2 .... 19-1
  Monitors Re-visited .... 19-1
  Configuring Monitors .... 19-9
  Other Monitor Options .... 19-11
  Passive or Inband Monitors .... 19-12
    Lab – Monitors .... 19-13

Module 20: Persistence part 2 .... 20-1
  Persistence Re-visited .... 20-1
  Persistence Options .... 20-2
  Other types of Persistence .... 20-3
    Lab – Universal Persistence .... 20-6

Module 21: iRules part 2 .... 21-1
  iRules Re-visited .... 2-1
  iRule Events .... 21-3
  iRule Commands .... 21-7
  Context .... 21-11
  String Manipulation Commands .... 21-11
  Other iRule Concerns .... 21-13

Module 22: Lab Project 2 .... 22-1
  Configuration Project Options .... 22-1
    Labs – iRules Labs 1 to 6 .... 22-2
    Lab – Path Load Balancing Project .... 22-9

Appendix A – Installation .... A-1
  Pre-Installation Information .... A-1
  Installation Worksheet .... A-4
  Installation options .... A-5
    Optional Lab – V11 Re-Install .... A-12

Appendix B – New Features .... B-1
  New Feature summary for Version 11.0.0 .... B-1
  New Feature summary for Version 10.2.0 .... B-3
  New Feature summary for Version 10.1.0 .... B-5
  New Feature summary for Version 10.0.0 .... B-6

Appendix C – Additional Topics .... C-1
  Setup Utility labs for v10 .... C-1
  bigpipe command line labs for v9 .... C-4
  Redundant Pair labs for v10 .... C-9

Appendix D – HTTP Basics .... D-1
  Requests and Responses .... D-3
  HTTP Headers .... D-6

Printout of PowerPoints .... E-1
Course Description and Prerequisites

Course Description
This four-day course gives networking professionals a functional understanding of the BIG-IP Local Traffic Manager (LTM) v11 system as it is commonly used, as well as an in-depth understanding of advanced features. The course covers installation, configuration, and management of BIG-IP LTM systems. This hands-on course includes lectures, labs, and discussion.

Topics covered in this course include:
• Installation and Licensing
• Virtual Servers and Pools and Load Balancing
• Profiles
• iRules
• Persistence
• Health Monitors
• SSL Termination and Certificate Management
• NATs and SNATs
• Highly Available Redundant System configurations
• Device Groups and Traffic Groups
• tmsh (TM Shell) command line, SNMP and Logging
• BIG-IP Admin topics such as Clustered Multi-Processing (CMP), VLAN Management, and Administrative Domains
• A new v11 feature called iApps

By the end of this course, the student should be able to set up an initial configuration and build many common and advanced configurations of BIG-IP LTM systems using either the Graphical User Interface or Command Line utilities. In addition, the student should be able to monitor and manage common tasks concerning traffic processed by a BIG-IP LTM system.
Audience
This course is intended for system and network administrators responsible for installation, setup, configuration, and administration of the BIG-IP LTM system.
Prerequisites
Students should understand:
• TCP/IP Addressing and Routing including:
  o The Address Resolution Protocol
  o Direct and Indirect Routing
  o TCP Handshakes
• Command Line Configuration including:
  o Commands and Parameters
  o Command Line Access (DOS or UNIX)
  o Common elements of and differences between WAN and LAN components.
  o Fundamental programming concepts.
In addition, students should be proficient in:
• The Linux File System
• pico editor or vi editor, the tcpdump program, and shell scripting.
• TCL (Tool Control Language)
Course Print Version
LTM Config Topics Changes – First Print – v11.0.0 HF1 – Dec. 2011
High level changes:
1. Combined LTM Ess. and LTM Adv. v10.2.1 into a single 4 day course
2. Some modules have changed order to accommodate new course flow
3. Device Groups and Traffic Groups: New Topic
4. iApps: New Topic
5. Tested Labs for v11.0.0 Hotfix 1
Lab Setup Section
This section discusses the details of how to set up the classroom to support most courses for BIG-IP Version 11. Additional details for each lab are provided in the notes pages of lab slides within the instructor PowerPoint file. All the labs in the course assume the topologies on the following pages, with highlights listed below.

Classroom Network
There are three logical networks:
• 192.168/16: Access to Management Ports on BIG-IP LTMs
• 10.10/16: Client machines and most Virtual Servers – External VLAN
• 172.16/16: Server machines – Internal VLAN
It is important that the 10.10/16 and 172.16/16 networks are separate. If not, bridge loops will form and the classroom network will fail. The 192.168/16 and 10.10/16 networks can be on the same physical network.
Student Stations
Each student station is assumed to have the following equipment:
  A Personal Computer with the following:
    o A supported Browser
    o Rights to change IP address and routing.
    o An SSH client (PuTTY version 0.55 or later is needed because BIG-IP v9 needs “keyboard interactive” enabled. This feature is there but not enabled prior to PuTTY 0.55.)
    o A copy of the BIG-IP LTM license for the associated BIG-IP LTM system
    o Optional: a copy of Adobe Acrobat Reader
  Student addresses, both administrative addresses and Virtual Server addresses, will have their station number (1-16 normally, with the instructor’s machines using 17) in the third octet of all IP addresses. This is required for routing traffic from the single server station. Student personal computer addresses are 10.10.X.30 with a default gateway address of 10.10.X.33, where X is their station number.
  Serial Console (null-modem cable) access to their BIG-IP LTMs.
  One BIG-IP LTM per station for modules 1-9; pairs of BIG-IP LTMs per station for modules 10-11. For modules 10 and 11, fail-over cables must be available.
  For modules 1-9, at most 2 students should be on a station. For modules 10 and 11, at most 4 students should be on a station.
Here are the set-up instructions for the Student Stations after they have been used in class.
Make sure you have backup copies of the license files for each machine [/config/bigip.license].
Reload the appropriate version of BIG-IP LTM from a PXE server. Many Dell laptops are able to boot from the BIG-IP LTM distribution CD, allowing such a system to act as the boot server. (The key is the NIC in the laptop; generally, Intel and Broadcom NICs are supported.) All systems should be set to perform a netboot; then reboot them and perform a clean install.
Note: You can get a “partially clean” machine by deleting the following files:
  /config/bigip.conf
  /config/bigip_base.conf
  /config/BigDB.dat
Instructor’s PC The instructor may use their personal computer as the presentation machine for the class slides or use an additional machine for this purpose. There is no requirement for instructor labs from this PC.
Instructor’s BIG-IP LTM17 Station
The labs assume the use of an instructor’s BIG-IP LTM system, LTM17. There is a script to set up this BIG-IP that can be downloaded from the F5 Instructor site at university.f5.com.
Server Setup Section
There must be ftp, ssh, http and https servers available in the classroom at IP addresses 172.16.20.1, 172.16.20.2 and 172.16.20.3 and standard ports (21, 22, 80 and 443). These can be on a single machine or multiple machines. The server 172.16.20.1:80 must have files named text.txt, file.txt and text.one in the default directory of the web server for the iRules labs. Students must have access to the ssh and ftp servers using the userid “student” and a password of “student”. The same file listed above, text.txt, needs to be included in each student’s default ftp directory on the server. The servers must have routes that direct responses through each student’s BIG-IP LTM System(s) rather than a default route. For example, traffic destined for the 10.10.1.* network should be sent through 172.16.1.33. This does not change throughout the course. Note that for the Firewall Sandwich, the student BIG-IP LTMs must be using 172.16.X.33 and 10.20.X.33 addresses for routing.
VMWare image of Unix Server for running most F5 courses
The instructions and download for the VMWare image Unix server are on the F5 Instructor site. Please obtain a userid from [email protected] if you are a certified F5 Instructor. Some details are on the next page.
In general the classroom network is configured as shown in the classroom network picture. The client PCs have been configured with both a 192.168.X.30 and a 10.10.X.30 address so that they can connect to both the Management and External IP addresses of their station BIG-IP. The client PC can then be used both to configure the BIG-IP and to drive client traffic through it to demonstrate lab function. The routes for the 172.16.20.Y servers are described in more detail on the next page. In general, anything coming from 10.10.X is directed back through 172.16.X.33, which is the Internal floating address of your station’s BIG-IP. The exception is the GTM class, which sets all 10.10 routes to 172.16.17.33, the instructor BIG-IP.
Quick reference for VMWare image v1.0.8
  Userid / Password – root and f5training
  IP Addresses – 172.16.20.1 through 172.16.20.5, and 10.10.20.11 to 10.10.20.13 for the VIP bb lab.
  Route scripts – /etc/f5_routes/
  Web server – Apache v2.2.3, config file /etc/httpd/conf/httpd.conf, keepalives turned off
  Web content files in /var/www/html/server/
  Bind files – /var/named/
  /etc/ntp.conf has to be modified to allow ntp requests from 172.16.0.0/16
  Radius server at 172.16.20.1, port 1812, secret – testing123, users student1 to student16
Routes for VMWare image v1.0.8
  Destination    Gateway
  10.10.1/24     172.16.1.33
  10.10.2/24     172.16.2.33
  10.10.3/24     172.16.3.33
  ...            ...
  10.10.16/24    172.16.16.33
Unix Server Sample Scripts:
Shown below is a simple index.html page used for Web Server 1 (markup reconstructed; the link target, env.cgi under /cgi-bin/, is assumed).

    <html>
    <head><title>WEB SERVER 1</title></head>
    <body>
    <h1>YOU ARE ON SERVER 1</h1>
    <p>Address: 172.16.20.1:80</p>
    <p><a href="/cgi-bin/env.cgi">Click here to show Source IP address</a></p>
    </body>
    </html>

Listed below is the env.cgi script that displays the IP Address of the client (the HTML tags inside the print statements are likewise reconstructed).

    #!/usr/bin/perl
    # env.cgi - shows the server address the request arrived on and the
    # client address the web server sees. Behind a BIG-IP, REMOTE_ADDR is
    # the real client address only when no address translation (SNAT) is
    # applied to the connection.
    print "Content-type: text/html", "\n\n";
    print "<html>", "\n";
    print "<head><title>Source IP Address Identifier</title></head>", "\n";
    print "<body><h1>Source IP Address Identifier</h1>", "\n";
    print "<p>";
    print "You are connected to Server: <b>", $ENV{'SERVER_ADDR'}, "</b>", "\n";
    print "with a Host Name of: <b>", $ENV{'SERVER_NAME'}, "</b>", "<br>", "\n";
    print "Your address is: ", "<b>", $ENV{'REMOTE_ADDR'}, "</b>", "</p>", "\n";
    print "</body>", "\n";
    print "</html>", "\n";
    exit (0);
Quick reference for LTM Config Topics individual Lab details
  Mod 18 – VIP bb lab uses Inst station 17 config with VS’s at and iRules at 10.10.20.1, 10.10.20.2 and 10.10.20.3. Alternately, the VMWare Unix server can be moved to the External VLAN and students then test against 10.10.20.11, 10.10.20.12 and 10.10.20.13.
  Mod 22 – the last optional iRule lab has students build an html sorry server.
  Mod 22 – the optional Path Load Balance lab uses Inst station 17 config as the 2nd BIG-IP.
Details for each lab are in the Instructor ppt file in the notes pages on the lab slides.
Module 1 - Installation
Setup Utility Labs Stages:
Configure management access to the BIG-IP system
License the BIG-IP system
Access the configuration tools of the BIG-IP system
Estimated Time: 40 minutes
LAB CONFIGURATION
Changing Initial IP Address Lab Objective:
Set the management port’s IP address for initial network access
Estimated time for completion: 5 minutes
Lab Requirements:
System default user ID and password (root / default)
Serial console access or physical access if using the LCD
Your station number
Configuring BIG-IP® LTM Student Guide – © 2011 F5 Networks, Inc.
NOTE: For all labs, when an “X” is listed, enter your station number. For station 1, the IP address 192.168.X.31 would be entered as 192.168.1.31 and a password of rootX would be entered as root1. Generally, the IP address of the management port must be reset so the system can access the network to obtain a license. This can be accomplished through the config tool or the LCD. Both sets of steps are listed here, but the lab assumes use of the config tool.
Changing default IP address via the Command Line
1. Gain access to the system serial port.
   a. For classes using serial cables, connect a null-modem cable between the BIG-IP LTM system and a vt-100 emulator. The serial settings should be set to N-8-1 at 19,200 bps.
   b. For classes using Serial Terminal servers, open an SSH session using PuTTY or another SSH client to the IP address provided by the instructor. That session should then connect to the serial port of your system. You may need to log into the console server prior to logging into the BIG-IP system.
2. When prompted, log on as the root user using the password default.
3. Enter the config command to start using the tool.
   Note: When using the config tool, edit current characters using the cursor and backspace keys.
4. When prompted, press Enter to choose OK.
5. When prompted to use automatic configuration, select No and press Enter.
6. If prompted to assign an address using DHCP, press Tab and Enter to choose No, and then press Enter.
7. When prompted, change the IP address to 192.168.X.31, where X is your station number. Press Tab and Enter to choose OK.
8. When prompted, change the Netmask to 255.255.0.0. Press Tab and Enter to choose OK.
9. When prompted to create a default route, select No and press Enter.
10. A final confirmation screen appears; your settings should be as follows:
    IP Address     192.168.X.31
    Netmask        255.255.0.0
    Default Route  --none--
11. If all entries are correct, press Enter to choose Yes.
Changing default IP address via the LCD – Lab (Optional)
1. Press the red X button on the display.
2. Navigate to the System menu and press the green check mark button.
3. Navigate to the Management menu and press the green check mark button.
4. Navigate to the IP Address menu and press the green check mark button.
5. Navigate to the IP Address field and press the green check mark button.
6. Using the up and down arrow keys, enter the IP address 192.168.X.31 and press the green check mark button.
7. Navigate to the Netmask field and press the green check mark button.
8. Enter the netmask 255.255.0.0, and press the green check mark button.
9. Navigate to the Default Route menu, and press the green check mark button. (Optional – a Default Route is not required.)
10. Using the up and down arrow keys, enter a default route of 192.168.20.1 and press the green check mark button.
11. Navigate to the Commit menu, and press the green check mark button.
12. When you see the OK menu blinking, press the green check mark button.
Licensing and Provisioning Lab Objective:
Ensure the system has a proper license.
Estimated time for completion: 5 minutes
Lab Requirements:
Access to the system’s registration key
Access to the Internet or access to the system’s license file
Network access to the BIG-IP LTM System
Your BIG-IP LTM System may be licensed already. To determine if you have a BIG-IP LTM license file on your box, check for the existence of /config/bigip.license. View it by typing the following from a console session:
    more /config/bigip.license
If you already have the correct license file, you can skip to the Setup Utility lab. Otherwise, license your system as follows.
Configure Address of Administrative System (PC)
Set / ensure the IP settings on your PC match the following table.
  IP Address     192.168.X.30 and 10.10.X.30 (*if your system supports only 1 address at a time, use 192.168.X.30 at this point)
  Netmask        255.255.0.0 (both)
  Default Route  10.10.17.33 (*could vary between sites)
Specific Licensing Steps
1. Connect to https://192.168.X.31. The system ships with a self-signed SSL Certificate. After accepting the certificate, log in using the Username admin and password of admin. Press Enter or click the Log in button.
2. If the system is unlicensed, you will be in the Introduction to the Setup Utility. Click Next to continue. Then, begin the licensing process by clicking Activate.
3. If the Base Registration Key field is blank, ask the instructor where to find your registration key. Generally, it will be in one of these locations:
   Within a file on the student workstation such as RegKey.license on the desktop or within a licenses folder.
   Or, in the license file itself toward the bottom. The license should be on the desktop or within a licenses folder.
   NOTE: Systems shipped directly from F5 manufacturing will have the registration key in the file /config/RegKey.license. When this file is available and formatted properly, the setup utility will pre-populate the “Base Registration Key” field with your registration key.
4. Within the first General Properties section, set the following values:
   Base Registration Key         Enter Registration Key if needed
   Add-On Registration Key List  Leave Blank
   Activation Method             Select Manual
   Outbound Interface            This field is usually not applicable for classroom labs. However, if the site has Internet access, the instructor may suggest using Automatic registration. Note: Once “Manual” is selected, this option will not be available.
5. When complete, click Next.
6. Within the second General Properties section, set the following values:
   Registration Key              Registration Key (Read Only)
   Add-On Registration Key List  Read Only – Probably Blank
   Manual Method                 Select the Download/Upload File button
   Step 1: Dossier               Click the “Click Here to Download Dossier” button and save the dossier to the desktop.
   Step 2: Licensing Server      If your classroom has Internet access, you may regenerate the license. Alternately, move to step 3.
   Step 3: License               Browse for your license, either on the desktop, in a licenses folder, or in a location specified by the instructor.
7. When complete, click Next.
8. Once the license has been applied, several processes are restarted. Once the system prompts you, click Continue to view the default provisioning settings and adjust them if desired.
9. The screen below shows a system with an LTM license, but your lab license might be different. Make sure that Local Traffic (LTM) provisioning is set to Nominal and other modules are set to None (Disabled).
10. Click Next to continue with the Setup Utility lab steps on the next page.
User Accounts and Network Config Lab Objective:
Run the Setup Utility to configure system access parameters
Estimated time for completion: 20 minutes
Lab Requirements:
Reachable IP address on the management port
Valid License for the BIG-IP LTM Systems
Administration system with an IP address on the BIG-IP LTM’s network
Setup Utility
1. From the Navigation pane, select Set-up, and then select Platform.
2. Within the General Properties section, specify the following:
   Management Port Configuration  Manual (radio button)
   IP Address:                    192.168.X.31
   Network Mask:                  255.255.0.0
   Management Route:              192.168.20.1
   Host Name:                     bigipX.f5trn.com
   Host IP Address:               Use Management Port IP Address
   Time Zone:                     America/Los Angeles
3. Within the User Administration section, specify the following:
   Root Account Password:   rootX
   Root Account Confirm:    rootX
   Admin Account Password:  adminX
   Admin Account Confirm:   adminX
   SSH Access:              Enabled
   SSH IP Allow:            * All Addresses
4. Click Next.
5. Agree to the prompt indicating you will have to log in again. Click OK.
   NOTE: You are setting the password of the root and admin accounts, not creating new accounts. The lab suggests you change the admin password from admin to adminX. If you do, you will need to log back into the system with the new password.
6. Log in to the system as user admin with a password of adminX.
7. Click the Next button under Standard Network Configuration.
   Note: The Standard Network Configuration steps through creating a failover partner, two VLANs (internal and external), their interfaces and their self-IP addresses. Once that is complete, those VLANs can be modified or others created. If you choose the Advanced Network Configuration option, you must create VLANs and their settings manually. The Redundant Device Options will be discussed more in the Device Groups modules.
   Redundant Device Options
     Config Sync        Default (checked)
     High Availability  Default (checked)
     Failover Method    Default (Network)
8. Click the Next button to continue.
   Internal Network Configuration
     Self-IP Address            172.16.X.31
     Self-IP Netmask            255.255.0.0
     Self-IP Port Lockdown      Allow Default
     Floating IP Address        172.16.X.33
     Floating IP Port Lockdown  Allow Default
   Internal VLAN Configuration
     VLAN Name        internal (Read Only)
     VLAN Tag ID      auto
     VLAN Interfaces  Untagged – Port 1.2
9. Click the Next button to configure the external VLAN, then specify the following:
   External Network Configuration
     External VLAN              Create VLAN external (radio button)
     Self-IP Address            10.10.X.31
     Self-IP Netmask            255.255.0.0
     Self-IP Port Lockdown      Allow 443
     Default Gateway            Leave blank
     Floating IP Address        10.10.X.33
     Floating IP Port Lockdown  Allow 443
   External VLAN Configuration
     VLAN Name        external (Read only)
     VLAN Tag ID      Auto
     VLAN Interfaces  Untagged – Port 1.1
10. Click Next.
   High Availability Network Configuration
     High Availability VLAN  Select existing VLAN (radio button)
     Select VLAN             Internal
     Self-IP Address         172.16.X.31
     Self-IP Netmask         255.255.0.0
   High Availability VLAN Configuration
     VLAN Name        internal (Read only)
     VLAN Tag ID      Auto
     VLAN Interfaces  Untagged – Port 1.2
11. Click Next.
   Config Sync Configuration
     Local Address  172.16.X.31 (internal)
12. Click Next.
   Failover Unicast Configuration
     172.16.X.31 Address   Leave configured at defaults
     192.168.X.31 Address  Leave configured at defaults
   Failover Multicast Configuration
     Use Failover Multicast Address  Leave at default (unchecked)
13. Click Next.
   Mirroring Configuration
     Primary Local Mirror Address    172.16.X.31 (internal)
     Secondary Local Mirror Address  Default (None)
14. Click Next.
15. Click the Finished button under Advanced Device Management Configuration.
Once the Standard Network Configuration is complete, the Welcome screen from the Overview section appears. The administrator can choose to change many presentation options, enable SNMP (including downloading the MIB), access F5’s knowledge base (Ask F5), or re-run the setup utility to change addresses or access methods.
Configuration Utility Lab Objective:
Access both the Web Configuration utility and the Command Line (SSH) utility for the BIG-IP system and get familiar with the interface
Estimated time for completion: 10 minutes
Lab Requirements:
Self IP address of the BIG-IP system on the external VLAN
CLI and GUI users and passwords for the BIG-IP system
Configure Address of Administrative System
In the next steps you will set / ensure the IP settings on your PC match the following table.
  IP Address     192.168.X.30 and 10.10.X.30 (*if your system supports only 1 address at a time, use 10.10.X.30 at this point)
  Netmask        255.255.0.0 (both)
  Default Route  10.10.17.33 (*could vary between sites)

The Web Configuration Utility
1. Open a browser window to https://10.10.X.31 to connect to the Web Configuration Utility.
2. Accept the self-signed SSL certificate and log in as admin using the password set earlier (adminX was suggested).
3. Note the options available on the Welcome page such as DNS, NTP, re-running the Setup Utility, and links to materials such as the product documentation, AskF5, and DevCentral.
4. Click on the Network tab and note the parameters for Interfaces, Self IPs, and VLANs.

Command Line access (SSH)
1. Open an SSH session and attempt to connect to the external IP Address of your BIG-IP system (10.10.X.31). Some examples of SSH Clients are PuTTY, Teraterm, and SecureCRT.
2. Notice that you are not able to access your BIG-IP system. This is because Port Lockdown for the external self-IP addresses defaults to Allow 443 only; access to port 22 is prevented.
3. From the web GUI select Network / Self IPs and then click the 10.10.X.31 self IP Address.
4. Under Port Lockdown / Allow Custom, click the Port radio button, enter 22 as the port, click Add, and then click Update. Add port 443 if it is not already in the Custom List.
5. Once port 22 has been added, you should be able to successfully use SSH to attach to your BIG-IP system. You may be prompted to accept the SSH key; do so. Log in as root using the password set earlier (rootX was suggested).
6. If prompted for terminal type, select vt100.
7. Enter the following commands and compare to what you saw in the Network section.
   Note: tmsh commands will be discussed in later modules. The |less parameter below allows scrolling when command output is more than the console can display. Press ‘q’ to quit.
       tmsh list /net vlan |less
       tmsh list /net self |less
       tmsh list /net interface

Verifying User Access
1. Open a new SSH session but try to log in as the admin user. By default, it should fail.
2. From the Web Configuration utility select System / Users and then select the link for the admin user. Change the Terminal Access to Advanced Shell access, click Update, and then test SSH access with the admin user ID again.
3. Close all browser sessions / windows.
4. Open a new browser to the GUI interface and attempt to log in as root. It should fail.
   Note: the root user does not have GUI rights.
Configuration Backup Lab
Saving a configuration
1. Open a new browser session and connect to the Web Configuration Utility, using the admin user account.
2. From the Navigation pane, click System / Archives, then click Create.
3. Within the General Properties section, specify the following:
   File Name     trainX_base.ucs
   Encryption    Disabled
   Private Keys  Include
   Version       BIG-IP Version (read only)
4. Click Finished. Soon, an OK button will appear. Click OK or select Archives again.
5. Select trainX_base.ucs (the name is a link). Then click Download to save a copy to your desktop. There are now two backups: one on the BIG-IP system in the /var/local/ucs directory and one on the desktop. This base configuration will be used later in this course.
6. If desired, the file’s contents can be viewed from the CLI of your BIG-IP system.
   a. Make a new directory for this lab:
          mkdir /var/tmp/test/
      NOTE: The directory may already exist from previous courses.
   b. Change to the new directory:
          cd /var/tmp/test/
   c. Copy the backup to the new directory (and replace, if necessary):
          cp /var/local/ucs/trainX_base.ucs trainX_base.ucs
   d. Decompress and extract the file:
          tar -xvzf trainX_base.ucs
   e. The resulting files show the directory structure and all files stored in the *.ucs file. Individual files can be viewed with cat, tail, more, less and other tools.
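As an added example (not from the lab guide or from F5), the following POSIX shell script performs the check of step 6 without extracting anything: it lists the UCS archive, verifies that both core configuration files are present, and reports whether SSL private keys are included, since an archive saved with Private Keys set to Include must be protected like a key store. It assumes the archive stores configuration under config/ (config/bigip.conf, config/bigip_base.conf) and keys under config/ssl/ssl.key/; the sample archives are constructed by the script itself.

```shell
#!/bin/sh
# Sanity-check a UCS backup before relying on it. A UCS is a gzip'd tar
# (the lab extracts it with tar -xvzf), so it can be inspected with tar -t.
# Assumed archive layout (not stated in the lab guide): config/bigip.conf,
# config/bigip_base.conf, and SSL private keys under config/ssl/ssl.key/.

# ucs_check FILE
# Returns 0 when FILE is a readable gzip tar containing both core config
# files; warns on stderr when SSL private keys are included. Returns 1 otherwise.
ucs_check() {
    ucs="$1"
    [ -r "$ucs" ] || { echo "ucs_check: cannot read $ucs" >&2; return 1; }
    listing=$(tar -tzf "$ucs" 2>/dev/null) || {
        echo "ucs_check: $ucs is not a valid gzip tar archive" >&2; return 1; }
    for required in config/bigip.conf config/bigip_base.conf; do
        printf '%s\n' "$listing" | grep -qxF "$required" || {
            echo "ucs_check: $ucs is missing $required" >&2; return 1; }
    done
    if printf '%s\n' "$listing" | grep -q '^config/ssl/ssl\.key/.*\.key$'; then
        echo "ucs_check: $ucs contains SSL private keys; store it accordingly" >&2
    fi
    return 0
}

# ucs_key_count FILE: number of private-key files carried in the archive.
ucs_key_count() {
    tar -tzf "$1" 2>/dev/null | grep -c '^config/ssl/ssl\.key/.*\.key$' || true
}

# make_sample_ucs DIR NAME [withkeys]
# Builds a constructed archive with placeholder content (layout per the
# assumption above) so the checks can be exercised offline; prints its path.
make_sample_ucs() {
    dir="$1"; name="$2"; withkeys="$3"
    stage="$dir/stage_$name"
    mkdir -p "$stage/config"
    echo "ltm pool http_pool { members { 172.16.20.1:80 { } } }" > "$stage/config/bigip.conf"
    echo "net vlan external { interfaces { 1.1 { } } }" > "$stage/config/bigip_base.conf"
    if [ "$withkeys" = "withkeys" ]; then
        mkdir -p "$stage/config/ssl/ssl.key"
        echo "-----BEGIN PRIVATE KEY----- (constructed placeholder, not a key)" \
            > "$stage/config/ssl/ssl.key/default.key"
    fi
    # -C keeps the paths inside the archive relative, as in a real UCS
    tar -czf "$dir/$name.ucs" -C "$stage" config
    echo "$dir/$name.ucs"
}

# make_broken_ucs DIR NAME: constructed archive that lacks bigip_base.conf.
make_broken_ucs() {
    dir="$1"; name="$2"; stage="$dir/stage_$name"
    mkdir -p "$stage/config"
    echo "ltm virtual vs_http { destination 10.10.1.100:80 }" > "$stage/config/bigip.conf"
    tar -czf "$dir/$name.ucs" -C "$stage" config
    echo "$dir/$name.ucs"
}
```

On a BIG-IP the same functions can be pointed at /var/local/ucs/trainX_base.ucs; the key warning is the cue to restrict who can read the downloaded copy on the desktop.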
End of Lab
SCCP / AOM IP Address Lab (Optional) Objective:
Configure an IP Address on the SCCP / AOM
Reboot the Host (Linux and TMM) from the SCCP / AOM
Estimated Time: 10 minutes
NOTE: This section of the lab may vary per training location. If you do not have access to a serial console session in your location, then you may already have an IP Address for your SCCP / AOM so ask your instructor for details.
Adding an Address to SCCP / AOM
1. If you have access to a serial console session with your BIG-IP System, then from your serial console session, type ESC (
2. Choose option N, SCCP / AOM network configurator
3. For Use DHCP? enter n
4. For Host name (optional): press the Enter key
5. For IP address (required): 192.168.X.35
6. For Network mask (required): 255.255.0.0
7. For Broadcast IP address (optional): press the Enter key
8. For Default gateway IP address (optional): 192.168.20.1
9. For Nameserver IP address (optional): press the Enter key
Rebooting the Host System from SCCP / AOM (Optional)
NOTE: If you don’t have access to a serial console or SCCP / AOM from your location, then ask your instructor for options for rebooting the Host System.
1. Open an SSH session to the SCCP / AOM at 192.168.X.35
2. When prompted, log in as root with a password of rootX
3. From the prompt, enter hostconsh and then ESC ( to access the SCCP or AOM menu.
4. Select option 1, Connect to Host subsystem console, and press the Enter key.
5. From the host prompt, enter ESC ( to access the AOM/SCCP menu again.
6. Select the option to Reboot Host subsystem (5 for SCCP and 2 for AOM) and enter Y when prompted.
7. For AOM you are automatically connected back to the Host subsystem. For SCCP, select option 1, Connect to Host subsystem console, and press the Enter key.
You will now see the host subsystem rebooting from an SSH session with SCCP or AOM, and you should not lose your connection during this reboot.
AskF5 Resource Lab (Optional)
AskF5 Labs require Internet access and an Ask F5 user ID and password.
1. Log in to https://tech.f5.com with your AskF5 user ID and password.
2. Search for SOL135 and read the solution.
3. Other interesting Solutions that relate to topics in this module include:
   a. SOL1858
   b. SOL4080
   c. SOL7318
   d. SOL13083
   e. SOL3727
4. Interesting Solutions relating to topics in the next module include SOL7399 & SOL7402.
End of Lab
Module 2 – Load Balancing
Virtual Servers and Pools Lab
Objective:
  Configure pools for servers
  Configure virtual servers and associate them with a pool
  Verify functionality
Estimated time for completion: 20 minutes
Lab Requirements:
  IP and port addresses available for use on BIG-IP LTM that can be reached by the client systems
  Actual servers with appropriate routes to return traffic through each BIG-IP LTM system
Creating Virtual Servers and Pools
Create a Pool
1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools and then the Create button.
3. In the Configuration section, enter the following:
   Configuration Level  Basic
   Name                 http_pool
   Description          HTTP Pool
   Health Monitors      Leave Blank
4. In the Resources section, enter the following:
   Load Balancing Method      Round Robin
   Priority Group Activation  Disabled
   New Members                Leave Node Name Blank. For each, enter Address and Service Port and press Add:
                              172.16.20.1 port 80
                              172.16.20.2 port 80
                              172.16.20.3 port 80
5. When complete, click Finished.
Create a Virtual Server that uses this pool
1. From the Navigation pane, expand the Local Traffic section.
2. Select Virtual Servers and click Create.
3. In the General Properties section, enter the following:
   Name                       vs_http
   Destination: Host Address  10.10.X.100
   Service Port               80 (or HTTP)
   State                      Enabled
4. In the Configuration section, accept all defaults.
5. In the Resources section, enter the following:
   iRules                        Leave Blank
   HTTP Class Profiles           Leave Blank
   Default Pool                  http_pool
   Default Persistence Profile   None
   Fallback Persistence Profile  None
6. When complete, click Finished.
Verification through Statistics
1. Open a new browser session on your PC and point it to your virtual server address of http://10.10.X.100. Note the results and refresh the screen 5-10 times.
2. View statistics and configuration information through:
   a. Overview / Statistics / Local Traffic and choose a Statistics Type from the drop-down list.
   b. Local Traffic / Virtual Servers / Statistics
   c. Local Traffic / Pools / Statistics
3. Did traffic go to each pool member?
4. Did each pool member manage the same number of connections?
5. Did each pool member manage the same number of bytes?
6. How many TCP connections are opened each time you refresh the browser page?
Expected Results and Troubleshooting
Expected result: 5 connections per refresh distribute evenly among the pool members. If not, verify the following:
  Is traffic getting to the virtual server?
    Does 10.10.X.100 appear in your workstation’s ARP table?
        arp -a
    Does the Statistics page show traffic received by vs_http? Verify that the address and port are correctly configured.
  Is traffic getting to the pool members?
    If no traffic is going TO the pool members:
      Verify http_pool has been assigned to vs_http
      Verify the correct member addresses / ports
    If traffic goes TO a pool member, but does not return:
      Verify that self IP address 172.16.X.33 is configured on the external VLAN and Untagged interface 1.2 (this address is the pool members’ route back to your PC).
Create a second Pool and Virtual Server
1. From the Navigation pane, select Local Traffic, Virtual Servers, and click Create.
2. In the General Properties section, enter the following:
   Name                       vs_https
   Destination: Host Address  10.10.X.100
   Service Port               443 (or HTTPS)
   State                      Enabled
3. In the Configuration section, accept all defaults.
4. Since we “forgot” to create the pool first, navigate to the Resources section and click the character to the right of Default Pool.
5. In the Configuration section of the new pool, enter the following:
   Configuration    Basic
   Name             https_pool
   Health Monitors  Leave Blank
6. In the Resources section, enter the following:
   Load Balancing Method      Round Robin
   Priority Group Activation  Disabled
   New Members                Leave Node Name Blank. For each, enter Address and Service Port and press Add:
                              172.16.20.1 port 443
                              172.16.20.2 port 443
                              172.16.20.3 port 443
   NOTE: Since the members’ IP addresses are the same, you could select Node List and choose the members’ IP addresses from the drop-down list.
7. When the pool is complete, press Finished.
8. In the Virtual Server’s Resources section, verify the following settings:
   iRules                        Leave Blank
   HTTP Class Profiles           Leave Blank
   Default Pool                  https_pool
   Default Persistence Profile   None
   Fallback Persistence Profile  None
9. When complete, make sure to click Finished for the virtual server.
Verification through Statistics
1. Open a new browser session on your PC and point it to your virtual server address (https://10.10.X.100). If prompted, accept the self-signed SSL Certificate. Note the results and refresh the screen 5-10 times.
2. View statistics and configuration information through:
   a. Overview / Statistics / Local Traffic and choose a Statistics Type from the drop-down list.
   b. Local Traffic / Virtual Servers / Statistics
   c. Local Traffic / Pools / Statistics
3. Did traffic go to each pool member?
4. Did each pool member manage the same number of connections?
5. Did each pool member manage the same number of bytes?
6. How many TCP connections are opened each time you refresh the browser page?
Statistics using the Command Line
1. Open an SSH client window to your BIG-IP external self IP address, by entering the external IP Address of your BIG-IP system (10.10.X.31) and making sure the protocol is set to SSH. Some examples of SSH Clients are PuTTY, Teraterm, and SecureCRT.
2. When prompted, enter root as the user ID and the password that you added during setup (rootX was suggested).
3. If prompted for terminal type, accept or enter vt100.
4. Enter the command bigtop -n. This command shows real time information on the virtual servers and pool members that you have configured.
5. View the screen while refreshing your session to either http://10.10.X.100 or https://10.10.X.100. What does bigtop show? Exit bigtop by pressing the q key.
6. Statistics for pools and virtual servers can be viewed by typing the following:
       tmsh show /ltm pool [members] |more
   example:
       tmsh show /ltm pool https_pool |more
       tmsh show /ltm virtual
   example:
       tmsh show /ltm virtual vs_https |more
Configuring BIG-IP® LTM Student Guide – © 2011 F5 Networks, Inc.
Module 2 – Load Balancing
Expected Results and Troubleshooting
Expected result: You may see 6 connections the first time you request the page (due to the SSL key exchange) but should see 5 connections per subsequent refresh. The requests should be evenly distributed among the pool members. If not, verify the following:
- Confirm that the virtual server was created (Local Traffic / Virtual Servers). Students often neglect to hit Finish for the virtual server after hitting Finish for the pool.
- Is traffic getting to the virtual server?
  - Does 10.10.X.100 appear in your workstation’s ARP table? You may need to clear your ARP table before testing to remove the entry from the vs_http virtual server.
  - Does the Statistics page show traffic received by vs_https? Verify that the address and port are correctly configured.
- Is traffic getting to the pool members? Check Pool statistics:
  - If no traffic is going TO the pool members: verify that https_pool has been assigned to vs_https, and verify the correct member addresses / ports.
  - If traffic goes TO a pool member but does not return: verify that self IP address 172.16.X.33 is configured on port 1.2 (this address is the pool members’ route back to your PC).
End of Lab
Load Balancing Labs
Objective:
- Choose differing load balancing methods and view the resulting behavior
- Choose differing member priority and ratio values and view the resulting behavior
Estimated time for completion: 10 minutes
Lab Requirements: Access to a BIG-IP LTM with at least a pool with two or more working members
Network Map Lab
View Configuration and Status from Network Map
1. From the Navigation pane, expand the Local Traffic section and select Network Map.
2. Click Show Map.
3. Mouse over both virtual server and pool objects and notice what information is displayed about that object.
4. Select a Pool member and disable it. Choose one of the following sets of steps:
   a. From the Network Map, click on a member from http_pool.
   b. In the State section, click the Disabled option.
   c. Click Update.
   OR
   a. From the Navigation pane, expand the Local Traffic section and select Pools.
   b. Select http_pool.
   c. Select Members.
   d. Check the box to the left of the chosen member and click the Disable button.
5. Go back to Network Map and notice that the status changed to disabled (a black square).
6. Change the search field to 20.1 and then click Update Map. Notice that all members are still listed, but matches are highlighted.
7. Re-enable the disabled pool member for later labs.
8. From the Navigation pane, expand System and select Preferences.
9. Change the Start Screen from Welcome to Network Map and click Update.
10. Log out using the Log out button in the upper-right corner of the GUI.
11. Connect a new browser session to the GUI and log back in. Once logged in, you should be in the Network Map.
Round Robin Load Balancing Lab
Reset the Statistics for http_pool
1. From the Navigation pane, expand the Overview section and select Statistics.
2. From the Display Options section, change the Statistics Type to Pools.
3. Select the checkbox adjacent to http_pool.
4. Click Reset.
View Results using Round Robin Load Balancing
1. Open a browser session and access http://10.10.X.100.
2. Refresh the screen a few times by pressing Ctrl-F5.
3. Navigate back to the pool statistics page.
4. What are the results? Were the connection requests distributed evenly?
Ratio member Load Balancing Lab
Configure Member Ratios and Ratio (member) Load Balancing and test.
1. Reset the statistics for http_pool.
2. From the Navigation pane, expand the Local Traffic section and select Pools.
3. Select http_pool.
4. Select Members.
5. Within the Load Balancing section, change the Load Balancing Method to Ratio (member) and click Update.
6. Within the Configuration section of each member, set the ratio values as follows:
   Member            Ratio
   172.16.20.1:80    1
   172.16.20.2:80    2
   172.16.20.3:80    3
7. Open a new browser session and connect to http://10.10.X.100.
8. Refresh the screen 5-10 times by pressing Ctrl-F5.
9. View the pool statistics. What are the results?
Expected Results and Troubleshooting Expected result: Traffic will be distributed to all members on a 1:2:3 ratio.
Priority Group Activation Lab
Configure Priority Group Activation
1. Reset the statistics for http_pool.
2. From the Navigation pane, expand the Local Traffic section and select Pools.
3. Select http_pool.
4. Select Members.
5. In the Load Balancing section, change the Priority Group Activation setting to Less than …, the number of Available Members to 2, and click Update.
6. Within the Configuration section of each member, set the Priority values as follows:
   Member            Ratio   Priority Group
   172.16.20.1:80    1       0
   172.16.20.2:80    2       4
   172.16.20.3:80    3       4
7. Open a new browser session and connect to http://10.10.X.100.
8. Refresh the screen 5-10 times by pressing Ctrl-F5.
9. View the pool statistics. What are the results?
10. Reset the statistics for http_pool.
11. Disable the member 172.16.20.2:80.
12. Open a new browser session and connect to http://10.10.X.100.
13. Refresh the screen 5-10 times by pressing Ctrl-F5.
14. View the pool statistics. What are the results?
15. Within http_pool:
    a. Re-enable the member 172.16.20.2:80.
    b. If you are not doing the optional labs, disable Priority Group Activation.
    c. If you are not doing the optional labs, change the load balancing method to Round Robin.
Expected Results and Troubleshooting
Expected result:
In step (9), 172.16.20.1:80 should receive no traffic. The traffic will be distributed to the 20.2 and 20.3 members with a 2:3 ratio.
In step (14), 172.16.20.2:80 should receive no traffic. The traffic will be distributed to the 20.1 and 20.3 members with a 1:3 ratio.
Ratio Node Load Balancing Lab (Optional)
Configure Ratio (node) Load Balancing
1. Reset the statistics for http_pool.
2. Navigate to http_pool / Members and change the load balancing method to Ratio (node).
3. The next steps change the ratio of the node 172.16.20.3 to 5:
   a. From the Navigation pane, expand the Local Traffic section and select Nodes.
   b. From the Node List tab, select 172.16.20.3.
   c. Within the Configuration section, change the Ratio value to 5.
   d. Click Update.
4. Open a new browser session and connect to http://10.10.X.100.
5. Refresh the screen 5-10 times by pressing Ctrl-F5.
6. View the pool statistics. What are the results?
Expected Results and Troubleshooting Expected result: 172.16.20.1:80 should receive no traffic. The traffic will be distributed to the 20.2 and 20.3 members with a 1:5 ratio.
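The following is an added simulation, not code from this lab guide or from F5, of the Ratio (member), Priority Group Activation and Ratio (node) results expected in the preceding labs. Its weighted round robin scheduler and the 60-request sample are assumptions made for illustration, since BIG-IP's own selection order is not shown here; only the per-member share of connections, which is what the pool statistics page lets you verify, is claimed to match.

```python
# Added example, not code from the F5 lab guide: a simulation of the Ratio (member),
# Ratio (node) and Priority Group Activation behaviour that the preceding labs ask
# you to observe in the pool statistics.  The scheduler is a plain weighted round
# robin written for illustration; BIG-IP's own selection order is not described on
# this page, but the per-member share of requests is what the labs have you verify.
from collections import Counter
from dataclasses import dataclass
from itertools import cycle
from typing import List, Optional


@dataclass
class Member:
    addr: str               # e.g. "172.16.20.1:80"
    ratio: int = 1          # member ratio, used by the Ratio (member) method
    node_ratio: int = 1     # ratio of the member's node, used by Ratio (node)
    priority: int = 0       # priority group; higher groups are tried first
    enabled: bool = True    # False once the member is disabled in the GUI


@dataclass
class Pool:
    members: List[Member]
    method: str = "round-robin"       # "round-robin", "ratio-member" or "ratio-node"
    min_active: Optional[int] = None  # Priority Group Activation "Less than ... Available Members"; None = disabled

    def active_members(self) -> List[Member]:
        """Members that receive traffic: the highest priority group, plus lower
        groups only while the active set holds fewer than min_active members."""
        available = [m for m in self.members if m.enabled]
        if self.min_active is None:
            return available
        active: List[Member] = []
        for prio in sorted({m.priority for m in available}, reverse=True):
            active += [m for m in available if m.priority == prio]
            if len(active) >= self.min_active:
                break
        return active

    def weight(self, m: Member) -> int:
        if self.method == "ratio-member":
            return m.ratio
        if self.method == "ratio-node":
            return m.node_ratio
        return 1  # round robin: every active member weighs the same

    def distribute(self, requests: int) -> dict:
        """Hand `requests` connections to the active members in weighted round
        robin and return the per-member connection count (as the pool statistics
        page would show)."""
        slots = [m.addr for m in self.active_members() for _ in range(self.weight(m))]
        counts: Counter = Counter()
        for _, addr in zip(range(requests), cycle(slots)):
            counts[addr] += 1
        return dict(counts)


def lab_pool() -> Pool:
    """http_pool as configured in the Ratio member and Priority Group labs:
    ratios 1:2:3, priority groups 0/4/4, node ratio 5 on 172.16.20.3."""
    return Pool(members=[
        Member("172.16.20.1:80", ratio=1, priority=0),
        Member("172.16.20.2:80", ratio=2, priority=4),
        Member("172.16.20.3:80", ratio=3, priority=4, node_ratio=5),
    ])


if __name__ == "__main__":
    pool = lab_pool()
    pool.method = "ratio-member"
    print("Ratio (member), no priority groups:", pool.distribute(60))   # 10 / 20 / 30
    pool.min_active = 2
    print("Priority Group Activation < 2:     ", pool.distribute(60))   # 20.1 idle, 20.2:20.3 = 2:3
    pool.members[1].enabled = False                                     # disable 172.16.20.2:80
    print("After disabling 172.16.20.2:80:    ", pool.distribute(60))   # 20.1:20.3 = 1:3
    pool.members[1].enabled = True
    pool.method = "ratio-node"
    print("Ratio (node), node 20.3 ratio 5:   ", pool.distribute(60))   # 20.2:20.3 = 1:5
```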
Member Threshold Lab (Optional)
Setting Member Threshold
1. Reset the statistics for http_pool.
2. Change the Connection Limit for the member 172.16.20.3:80 to 1.
   a. From the Navigation pane, expand the Local Traffic section.
   b. Select Pools, then select http_pool, and finally select Members.
   c. Select the member 172.16.20.3:80.
   d. Within the Configuration section, set the Connection Limit to 1.
   e. Click Update.
3. Open a new browser session and connect to http://10.10.X.100.
4. Refresh the screen multiple times by pressing and holding Ctrl-F5.
5. View the pool statistics. What are the results?
6. Within http_pool:
   a. Change the load balancing method to Round Robin.
   b. Disable Priority Group Activation.
   c. Set the Connection Limit for 172.16.20.3:80 to 0 (unlimited).
Expected Results Expected result: 172.16.20.1:80 should receive no traffic. The traffic to 20.3 should have a Maximum Connections of 1. The traffic will be distributed between 20.2 and 20.3 members.
Note: If the Connection Limit is not reached, Clustered MultiProcessing (CMP) on multi-core systems could be affecting your results. CMP is discussed in the Administration module.
End of Lab
Module 3 – Monitoring
Monitors for Nodes Lab
Association of Monitors to Nodes Lab
Objective:
Associate nodes with monitors
Create custom monitors
Estimated time for completion: 10 minutes
Lab Requirements:
Access to a BIG-IP LTM with at least one pool with two working members
Some knowledge of the traffic sent by the members
Check Current Node States
1. From the Navigation pane, select the Local Traffic section and select Nodes.
2. What are the nodes’ statuses?
3. Will BIG-IP LTM distribute traffic to nodes that are Unknown?
Assign a Default Monitor to all Nodes
1. From the Navigation pane, expand the Local Traffic section and select Nodes.
2. Above the list of nodes, select the Default Monitor tab.
3. From the list of Available monitors, select icmp, press the move to the left button (
modify pool /Common/https_pool members modify {172.16.20.1:443 { monitor /Common/my_https } }
   Object             Association    Pool          Assigned Monitor
   http_pool          Pool           http_pool     my_http
   172.16.20.1:443    Pool Member    https_pool    my_https
   *                  Node           NA            my_icmp
NOTE: Test your configuration before proceeding to the next lab to verify it is correct.
Un-assign Monitors Un-assign monitors from any pools, members or nodes to prepare for future monitor labs.
Module 13 – BIG-IP Administration
Remote Syslog Lab Objective: Set up a BIG-IP LTM system to send log messages to central log servers.
Lab Requirements: We can use tcpdump to view message transmission. Since these messages use UDP, there is no connection process; the data will be transmitted on the wire in clear text.
Configure Log Message Redirection
1. Issue the tmsh command to show syslog servers:
   tmsh> list /sys syslog remote-servers
2. Issue the following tmsh command:
   tmsh> modify /sys syslog remote-servers add { test { host 10.10.X.30 } }
   ‘test’ is a required but arbitrary name; for additional parameters refer to the tmsh guide. 10.10.X.30 is a working classroom IP address on the internal or external VLAN that is not your BIG-IP system. Your PC, another PC, or another BIG-IP system would work.
Use tcpdump to view the notifications
The example command assumes messages are being sent on the external VLAN:
   tcpdump -ni external -Xs 0 udp and port 514
Generate log messages
This could be accomplished many ways. Some options:
- Establish an SSH session and log in with a valid or invalid user ID / password
- Use a monitor to mark a node or member unavailable
SNMP Trap Lab
Objective: Set up the BIG-IP LTM system to send traps to SNMP management consoles.
Lab Requirements: While we have no SNMP management console in the classroom, tcpdump can be used to view SNMP traps. Since SNMP uses UDP, there is no connection process; the data is transmitted on the wire in clear text format.
Default Traps
Specify a destination for traps from the Admin GUI
1. From the Navigation pane, expand the System section, select SNMP / Traps / Destination and click Create.
2. In the Record Properties section, choose from the following:
   Version: V1
   Community: Public
   Destination: Specify the IP address of any valid system other than your BIG-IP LTM. Example: 10.10.X.30, your PC.
   Port: 162
3. Click Finished.
Or specify a destination for traps from the Command line
1. Issue the following tmsh command:
   tmsh> modify /sys snmp v1-traps add { tsX { host 10.10.X.30 community Public } }
2. Then issue the tmsh command to show snmpd settings:
   tmsh> list /sys snmp
Prepare to View Traps
1. Open an SSH session to your BIG-IP LTM system and log on as root.
2. Run a tcpdump command to capture your traps. In most cases, the following example should suffice:
   tcpdump -ni external -Xs 200 udp and port 162
   This assumes traps are being sent on the external VLAN, which should be true based on setting the trap destination to your local PC on the 10.10/16 network.
Cause a Trap to be Generated
Use monitors that mark a device up or down. Other available options can be found in /etc/alertd/alert.conf.
Questions
1. Did traps appear?
2. Assuming a monitor will mark a device down, how long should it take?
3. Navigate to System / Services and stop the SNMPd service. Did a trap appear? Why or why not? What option could be changed to change the result?
AskF5 Resource Lab
AskF5 Labs
Requires Internet access and an AskF5 user ID and password.
1. Log in to https://tech.f5.com with your AskF5 user ID and password.
2. Search for SOL135 and read the solution.
3. Other interesting Solutions that relate to topics in this module include:
   a. SOL1858
   b. SOL4080
   c. SOL7318
   d. SOL13083
   e. SOL3727
4. Interesting Solutions relating to topics in the next module include SOL7399 & SOL7402.
iHealth Lab
Lab Objective: This lab is dependent on an active connection to f5.com via the internet. When you complete this lab, you will have generated a qkview file and downloaded it to your local computer. Then you will upload the qkview file to F5 Networks BIG-IP iHealth.
Generate the qkview file
2. Log in to your BIG-IP system. (iHealth supports v10 and above.)
3. In the navigation pane of the BIG-IP, click System, and then click Support.
4. Make sure that QKView is selected.
5. Click the Start button. After a few moments, the Download Snapshot File button will appear, indicating that your qkview file is ready to download.
6. Click the Download Snapshot File button and save the file to your local computer.
Note: You can also manually generate a qkview file using the command line qkview utility. Some web browsers may append a file extension (such as .zip) to the downloaded qkview file. Ensure that the filename of your qkview file ends in .tar.gz before continuing.
Upload the qkview file to BIG-IP iHealth
Note: If you don’t have internet access from your client PC, the instructor might demonstrate these steps instead.
The next part of the process is to upload the qkview file to BIG-IP iHealth.
7. On your local workstation, open a browser and navigate to https://ihealth.f5.com.
8. When prompted for a login account, use your F5 WebSupport credentials. The Upload a QKView screen appears.
9. Click the Upload button. The QKView upload page will display.
10. Click Choose File.
11. Browse to the location of the qkview file on your computer.
Important: The BIG-IP iHealth system accepts only valid qkview files. You may upload several files, one at a time. For this lab, leave the F5 Case field blank. You may add your own identifier to the External Case field for tracking purposes.
12. Click Upload. Once the upload has completed, the BIG-IP iHealth system may take several minutes to process the data.
13. After processing, look for priority notifications. You should find one that says your admin user ID is not secure because you reset the password to the default of “admin”.
Optional: Packet Filters Lab Objective: Define packet filters on your BIG-IP system to restrict management and client access to specific devices.
Lab Requirements: Access to multiple BIG-IP systems via the network.
Estimated time for completion: 15 minutes
General Filter Guidelines When you define an IP filter, you can filter traffic in many ways. You can:
- Accept or deny traffic to or from a specific address or network address.
- Accept or deny traffic to or from a specific port.
- Accept or deny traffic from a specific address or network address to a port.
In this lab, you will add filters to deny traffic from other client machines.
Test Behavior before Adding IP Filters 1. Open a browser session to https://10.10.Y.33 where Y is a partner machine. 2. If it succeeds, then you have access to change the configuration of this BIG-IP system.
Enable Packet Filters 1. From your Navigation pane (https://10.10.X.33), expand the Network section then Packet Filters. 2. Within the Properties section, change Packet Filtering to Enabled and accept defaults for other options. 3. When complete, click Update.
Ensure your PC has access to your BIG-IP system
1. From the Navigation pane, expand the Network section, then select Packet Filters / Rules / Create.
2. Within the Configuration section, enter the following:
   Name: ME
   Order: First
   Action: Accept
   Rate Class: None (Note: only available if licensed)
   Apply to VLAN: *All VLANs
   Logging: Disabled
3. Within the Filter Expression section, enter the following:
   Filter Expression Method: Build Expression
   Protocols: Any
   Source Hosts and Network List: Restrict to any in list … 10.10.X.30
   Destination Hosts and Networks: Any
   Destination Port: Any
5. When complete, press Finished. 6. Verify that you still have access to your system and your partner’s system.
Prevent all other traffic
1. From your Navigation pane, create another filter. In the Configuration section, enter the following:
   Name: Them
   Order: Last
   Action: Discard
   Rate Class: None (Note: only available if licensed)
   Apply to VLAN: *All VLANs
   Logging: Disabled
2. Within the Filter Expression section, enter the following:
   Filter Expression Method: Build Expression
   Protocols: Any
   Source Hosts and Network List: Restrict to any in list … Enter either: 10.10 or 10.10.0.0/16
   Destination Hosts and Networks: Any
   Destination Port: Any
3. When complete, click Finished. 4. Verify that your partner has lost access to your system.
Grant Access to Partner PC
1. From your Navigation pane, create another filter. In the Configuration section, enter the following:
   Name: Partner
   Order: Last
   Action: Accept
   Rate Class: None
   Apply to VLAN: *All VLANs
   Logging: Disabled
2. Within the Filter Expression section, enter the following:
   Filter Expression Method: Build Expression
   Protocols: Any
   Source Hosts and Network List: Restrict to any in list … 10.10.Y.30
   Destination Hosts and Networks: Any
   Destination Port: Any
3. When complete, click Finished.
4. Verify that your partner still does not have access to your system.
5. Note how filter order can be changed. From the Rules tab, click Change Order and sort the filters such that Me is first, Partner second, and Them is third.
6. Verify that your partner now has access to your system, but others in the class do not.
7. View the filters within /config/bigip.conf or via the CLI with:
   tmsh list /net packetfilter
   Note the order parameter.
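As an added example, not part of the lab guide or of F5's software, the following first-match model of the Me, Them and Partner rules shows why the Change Order step above decides whether the partner PC gets through. It assumes X = 1 and Y = 2 for the classroom addresses and an Unhandled Packet Action of Accept, and models only the source-address part of the expression, since protocol, destination and port were left at Any.

```python
# Added example, not code from the F5 lab guide: a first-match model of the three
# packet filter rules built above (Me, Them, Partner), to show why their order
# decides whether the partner PC gets through.  Assumed classroom values: your PC
# is 10.10.1.30 (X = 1) and the partner PC is 10.10.2.30 (Y = 2).  Only the
# source-address part of the filter expression is modelled; protocol,
# destination and port were left at Any in the lab.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def network(spec: str) -> ipaddress.IPv4Network:
    """Expand the short forms the lab accepts ("10.10" means 10.10.0.0/16; a
    plain host address means a /32) into an IPv4Network."""
    if "/" not in spec and spec.count(".") < 3:
        octets = spec.split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + "/" + str(8 * len(octets))
    return ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    name: str
    action: str                            # "Accept" or "Discard"
    sources: List[ipaddress.IPv4Network]   # "Restrict to any in list" source hosts/networks

    def matches(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.sources)


def evaluate(rules: List[Rule], src: str, unhandled: str = "Accept") -> Tuple[str, str]:
    """Walk the rules in order and return (action, rule name) for the first match.
    `unhandled` stands in for the Unhandled Packet Action, which the lab leaves
    at its default (assumed to be Accept here)."""
    for rule in rules:
        if rule.matches(src):
            return rule.action, rule.name
    return unhandled, "unhandled"


def lab_rules() -> Tuple[List[Rule], List[Rule]]:
    """The rules as created (Me, Them, Partner) and after the Change Order step
    (Me, Partner, Them)."""
    me = Rule("Me", "Accept", [network("10.10.1.30")])
    them = Rule("Them", "Discard", [network("10.10")])        # same as 10.10.0.0/16
    partner = Rule("Partner", "Accept", [network("10.10.2.30")])
    return [me, them, partner], [me, partner, them]


if __name__ == "__main__":
    as_created, reordered = lab_rules()
    for label, rules in (("as created (Me, Them, Partner)", as_created),
                         ("reordered (Me, Partner, Them)", reordered)):
        print(label)
        # constructed sample sources: your PC, partner PC, another student, a server
        for src in ("10.10.1.30", "10.10.2.30", "10.10.3.30", "172.16.20.1"):
            action, name = evaluate(rules, src)
            print(f"  {src:<12} -> {action} (rule: {name})")
```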
Log Filter Events
1. From the Navigation pane, select Network / Packet Filters / Rules.
2. Select the Me filter from the existing rules.
3. Within the Configuration section, change the logging option from Disabled to Enabled, then click Update.
4. Open a CLI session to your system (SSH recommended).
5. Run the following command to view the packet filter logs:
   tail -f /var/log/pktfilter
6. Do you see the log entries?
Disable Packet Filters
1. From the Navigation pane, expand the Network section.
2. Select Packet Filters.
3. Within the Properties section, enter the following:
   Packet Filtering: Disabled
4. When complete, click Update.
End of Packet Filters Lab
Optional: Command Line Tools Labs
Objective: Use various command line tools available for monitoring, controlling, and examining BIG-IP LTM traffic processing and configuration.
tcpdump
- Capture the traffic between your active BIG-IP LTM system and the node 172.16.20.2:80. How frequently does this TCP connection occur? Is the TCP connection process apparent?
- Capture the traffic between your PC and a BIG-IP LTM system on port 22 (SSH). Limit the number of packets that are captured. Did you capture a connection process?
bigtop
Use bigtop commands to:
- Change bigtop’s refresh rate to once per second.
- View statistics only for two Virtual Servers.
bigstart
Use bigstart commands to:
- View the processes that are started on boot by issuing the bigstart list command.
- View the processes that are started when bigstart restart is issued. Hint: Wait until the command prompt says “Active”, then issue the bigstart status command.
- Stop and start selected processes.
Module 14 – BIG-IP Administration Part 2
Admin Partitions and Users Lab Objective:
Add several partitions on the BIG-IP LTM System
Add users to each partition on the BIG-IP LTM System
Add Virtual Servers to each partition on the BIG-IP LTM System
Lab Requirements:
External IP address of the BIG-IP LTM system
Admin user ID and password for the BIG-IP LTM system
The Common Partition
1. Connect to your system’s configuration utility at https://10.10.X.31 and log in as admin.
2. Notice the reference to the “Common” partition in the upper right corner of the screen.
Adding Partitions
1. Expand the System section and select Users / Partition List / Create from the flyout menus.
2. Within the General Properties section, specify the following:
   Name: part1
   Description: Partition number 1
3. When complete, click Finished.
4. Add another Partition named part2.
Adding Partition users
1. Expand the System section and select Users / User List / Create from the flyout menus.
2. Within the Account Properties section, specify the following:
   User Name: adm1
   Password: adm1
   Role: Manager
   Partition Access: part1
   Terminal Access: tmsh
3. When complete, click Finished.
4. Add another User named adm2 that has a Manager role for part2.
5. Also make sure the Admin user is set to Advanced Shell for Terminal Access.
Adding resources to partitions
1. Log out and back in with the adm2 user ID and create the pool and virtual server below in partition part2 using the configuration utility.
2. How is your access different from the Admin user ID?
3. With the adm2 user ID, in the part2 partition create a pool, persistence profile and virtual server with the following characteristics:
   Resource   Name         Characteristics
   Pool       http2_pool   172.16.20.2:80, 172.16.20.4:80, http monitor
   Virtual    vs2_http     10.10.X.122:80, http2_pool and Pr_Src_Persist from the Common partition
4. Can this adm2 user see all the Virtual Servers and pools? How about modifying all Virtual Servers and pools? Can the Pr_Src_Persist profile from the Common partition be assigned to the vs2_http virtual server?
Adding resources to partitions using the tmsh command line
1. Open a command line session, log in using the adm1 user ID, and create the pool below in partition part1 using the command line. Notice the adm1 user only has tmsh and not root level access.
   Resource   Name         Characteristics
   Pool       http1_pool   172.16.20.1:80, 172.16.20.4:80
2. Notice you get an error that Node 172.16.20.4 can’t be used. This is because Node 172.16.20.4 was first used, and therefore created, in part2. Change 172.16.20.4 to 172.16.20.5 and try again to save http1_pool.
3. With adm1, create a Virtual Server named vs1_http at 10.10.X.121:80 that uses http1_pool.
4. Can this adm1 user see all the Virtual Servers and pools? How about modifying all Virtual Servers and pools? Can the http2_pool from the part2 partition be assigned to the vs1_http virtual server?
5. Close and re-open two browser sessions and log on as both adm2 and adm1. Notice that adm2 and adm1 have read and write access to different resources.
6. Now log off and log in as the admin user ID. Which Virtual Servers can you see? Change to view other partitions (upper right corner) and note the changes.
NOTE: All client traffic can use any of these virtual servers regardless of which partition the resources are configured in. Partitions only affect BIG-IP administration.
Config file changes
1. Open an SSH window to your BIG-IP (10.10.X.31) and log on as root with the password rootX. If you are prompted to accept the SSH key, select Yes.
2. Save your configuration by typing tmsh save /sys config.
3. View the saved configuration in /config/bigip.conf using vi, pico, more or cat.
4. Notice the Virtual Servers and Pools created for “part1” and “part2” are not included.
5. Stop viewing bigip.conf and notice there is a /config/partitions/ directory.
6. Change to the directory /config/partitions/ and notice there are directories for part1 & part2, but only a bigip.conf file for /part2. View the /part2/bigip.conf file and you should find the Virtual Server and Pool added to the part2 partition.
7. The Pool and Virtual Server for part1 were created using command line tmsh. Figure out the appropriate tmsh command to save the running config only to partition part1. Now view the /part1/bigip.conf file created.
8. View the /config/bigip_base.conf file and notice the folder specifications for the two partitions are not /Common/ but instead /partx/.
End of Admin Domains and Partitions Lab
Sync-Only Group Lab
Lesson Objective: During this lesson, you will learn how to set up a Sync-Only Device Group.
From both bigipX and bigipY
1. Select System / Platform and set the admin passwords on both BIG-IPs to admin.
2. Select Device Management / Device Group, and if there is an existing Sync-Failover Group then delete it, after first deleting any Members.
Setting up a Device Trust from bigipX
1. After logging back in, from bigipX select the Device Management / Device Trust tab.
2. Click the Add button in the Peer Authority Devices section.
3. Enter the Management IP Address of your partner (192.168.Y.31), along with the partner Username (admin) and partner Password (admin).
4. Accept the default Device Name of bigipY.f5trn.com.
5. Now both you and your partner should see both your own bigipX and partner bigipY if you select the Device Management / Devices tab.
Setting up a Device Group from bigipX
1. Select the Device Management / Device Group tab, and click the Create button.
2. Enter a Name of DG_XY_SyncOnly and a Group Type of Sync-Only.
3. Check the box for both your system bigipX and your partner’s bigipY.
4. Leave the box unchecked for Yes, automatically synchronize this group.
5. From the partner bigipY verify that DG_XY_SyncOnly is configured under the Device Management / Device Group tab.
Create a new Folder from bigipY
5. Add another partition according to the following table:
   Name: /Common/Objects
   Description: Leave blank
   Device Group: DG_XY_SyncOnly
6. When complete, click Finished.
7. We will just use the admin user in this lab, so there is no need to add another user.
Adding resources to Folder /Common/Objects from bigipY
5. Under the Local Traffic section add configuration objects to the /Common/Objects Folder with the following characteristics:
   Resource       Name                            Characteristics
   http profile   /Common/Objects/Pr_http_sync    Leave at defaults
   iRule          /Common/Objects/IR_sync         when HTTP_REQUEST { log local0. }
Synchronizing the Configuration from bigipY
1. First, verify the configs are different for bigipX and bigipY by viewing the http profiles list and the iRules list.
2. Next, from bigipY, click the link for DG_XY_SyncOnly and select the Config Sync tab.
3. Click the Synchronize to Group button, and click Synchronize TO Group when prompted.
4. Wait a minute, then verify Virtual Servers on both BIG-IPs match.
Verification
1. Now, verify the configs are the same for bigipX and bigipY by listing Partitions, then checking http Profiles and iRules.
Module 15 – Profiles part 2
Compression Lab
Lab Objective: Test various compression options to enable and disable compression between the BIG-IP system and a client.
Lab Setup
- Access to a BIG-IP LTM System
- A Virtual Server load balancing HTTP content
- Appropriate files on Web servers that can be compressed
Testing without Compression
1. Verify that you have a pool containing only the member 172.16.20.1:80 and create a Virtual Server that is associated with this pool. This lab will make use of files that only exist on the 172.16.20.1 server.
2. Clear statistics on the Virtual Server, then download the file Compress.HTML (for example, http://10.10.X.100/Compress.HTML).
3. Notice the size of data outbound.
4. Depending on your interest, you may wish to view the HTTP headers and data with a tool such as tcpdump.
Testing with Compression – Default Options
1. Create a custom HTTP compression profile. Accept all defaults except enable compression.
2. Associate the custom HTTP profile with the Virtual Server used in the previous tests.
3. Clear statistics on the Virtual Server, then download the file Compress.HTML.
4. Notice the size of data outbound.
5. Depending on your interest, you may wish to view the HTTP headers and data with a tool such as tcpdump.
Testing with Compression – Changing Options
1. Edit the custom HTTP profile. Set URI Compression to URI List and add /*.HTML to the exclude list.
2. Save the changes and test.
3. Clear statistics on the Virtual Server, then download the file Compress.HTML.
4. Notice the size of data outbound.
5. Depending on your interest, you may wish to view the HTTP headers with a tool such as tcpdump.
Testing with Compression – Changing Options
1. Edit the custom HTTP profile. Set URI Compression to Not Configured. Make other changes as desired.
2. Save the change and test.
3. Clear statistics on the Virtual Server, then download the file Compress.HTML.
4. Notice the size of data outbound.
5. Depending on your interest, you may wish to view the HTTP headers with a tool such as tcpdump.
End of Compression Lab
RAM Cache Lab (Optional)
Test various caching options between the BIG-IP LTM and a client.
Testing without Caching
1. Find or create a Virtual Server load balancing web traffic with no HTTP profile. For example, you may have a Virtual Server at 10.10.X.100:80 that has http_pool as its default pool.
2. Clear the statistics for the Virtual Server and pool.
3. Open a browser session to the Virtual Server and refresh it by pressing Ctrl-F5 several times.
4. Compare the connection count in the Virtual Server and the pool statistics.
Testing with Caching – Default Options
1. Create a custom Web Acceleration profile. Accept all defaults except enable caching.
2. Associate the custom Web Acceleration profile with the Virtual Server used in the previous tests.
3. Clear statistics on the Virtual Server and pool.
4. Open a browser session to the Virtual Server and refresh it by pressing Ctrl-F5 several times.
5. Compare the connection count in the Virtual Server and the pool statistics.
6. View the cache objects using the following command:
   tmsh show /ltm profile ramcache webacceleration
7. How many URIs are stored in the cache?
8. What are the sizes of the URIs that are stored in the cache?
9. What types of files (*.jpg, *.gif, etc.) are stored in the cache?
10. Remove the cached entries using the following command:
   tmsh> delete /ltm profile ramcache webacceleration
Testing with Caching – Other Options
1. Edit the HTTP profile that supports caching. Change settings so that some of the objects from the lab page will not be cached. For example: raise the minimum object size; add /*.jpg to the URI Caching exclude list.
2. Clear statistics on the Virtual Server and pool.
3. Open a browser session to the Virtual Server and press Ctrl-F5 several times.
4. Compare the connection count in the Virtual Server and the pool statistics.
5. View the cache objects through the following command:
   tmsh show /ltm profile ramcache webacceleration
6. How many URIs are stored in the cache?
7. What are the sizes and types of the URIs that are stored in the cache?
Configuring BIG-IP® LTM Student Guide – © 2011 F5 Networks, Inc.
Module 15 – Profiles part 2
Streaming Profile Lab (Optional)
1. Change the characters Server 3 to Node 333 for the vs_http virtual server using only a Stream profile (no iRule). You can also run tcpdump, first on the internal interface and then on the external interface, to capture the packets before and after the Stream profile rewrites them.

Sample Authorization iRule Lab (Optional)
1. Navigate to the iRule configuration and note the five sample iRules that are shipped with the product.
2. Click on the _sys_auth_ssl_cc_ldap iRule.
3. Review this iRule's code and notice the different events and the decisions made based on those events.
Module 16 – iApps and Analytics
Application Service Lab Lab Objective: Verify the AVR module is provisioned and create a new Application Service using iApps.
Lab Setup
Access to a BIG-IP LTM System
LTM and AVR licensed and provisioned
Appropriate files on Web servers

Provision Application Visibility and Reporting (AVR) module
1. From System > Resource Provisioning > Configuration: Resource Provisioning (Licensed Modules) section, set the Application Visibility and Reporting (AVR) module to Nominal.
2. Click Update.
3. Verify AVR (colored greenish-blue) appears in the CPU and Memory bars of the Current Resource Allocation section.
Configuring an Analytics Profile
1. From the left navigation pane, expand the Local Traffic section.
2. Select Profiles, then Analytics from the flyout menu.
3. Click Create.
4. In the General Configuration section, enter the following:
   Profile Name: my_analytics
   Parent Profile: analytics
   Traffic Capturing Logging Type: click the Custom checkbox and select Internal
   Notification Type: click the Custom checkbox and select Syslog
5. In the Statistics Gathering Configuration section, click the Custom checkbox and then select the following:
   Collected Metrics: Server Latency, Page Load Time, Throughput, User Sessions (timeout 300 seconds)
   Collected Entities: URLs, Client IP Addresses, Response Codes, User Agents, Methods
6. In the Capture Filter section, enter the following:
   Capture Requests: Headers
   Capture Responses: Headers
   Remaining filter options: All or Any
7. When complete, click Finished.
Deploying an Application Service
1. From the left navigation pane, expand the iApp section.
2. Select Application Services.
3. Click Create.
4. In the Template Selection section, enter the following:
   Name: my_http
   Template: f5.http
   Wait for the screen to automatically refresh with additional questions.
5. Answer the HTTP template questions with the following information; leave the default response for all other questions:
   Analytics
   Do you want to enable Analytics so that you can view application statistics? yes
   Do you want to use a default Analytics profile or select a custom profile? Select a Custom Profile
   Which Analytics profile do you want to use? my_analytics
   Virtual Server Questions
   What IP address do you want to use for this virtual server? 10.10.X.110
   What port do you want to use for this virtual server? 80
   Do the HTTP servers have a route to application clients via this BIG-IP system? Yes
   HTTP Server Pool, Load Balancing, and Service Monitor Questions
   Do you want to create a new pool or use an existing one? Create New Pool
   Which load balancing method do you want to use? Round Robin
   Which servers do you want this virtual server to reference? (Click Add to create an additional entry.)
     Address 172.16.20.1, Port 80, Connection Limit 0
     Address 172.16.20.2, Port 80, Connection Limit 0
     Address 172.16.20.3, Port 80, Connection Limit 0
   Do you want to create a new health monitor or use an existing one? Use Monitor…
   Choose a monitor from the list of available http monitors.
   Protocol Optimization Questions
   Will clients be connecting to this virtual server primarily over a LAN or a WAN? WAN
6. After answering the application services questions, click Finished.
Verifying Application Service component status
1. Select the Components tab from iApp > Application Services > my_http.
2. Verify the Availability (status) of the Application Service my_http's Pool Members, Pool, and Virtual Server.
3. Verify the Analytics Profile associated with the Application Service.
4. Verify the Persistence Profile associated with the Application Service.
5. Review the other Profiles used by the Application Service. See the screenshot on the next page.

Demonstrating behavior
1. Open a new browser session and connect to http://10.10.X.110
2. Refresh the screen 5-10 times by pressing Refresh or CTRL-F5.
3. Which Pool Member(s) were used in the load balancing?
4. Was only a single Pool Member used? Why?

Expected Results and Troubleshooting
Expected Results: All traffic will be directed to a single pool member, because the template assigned a cookie persistence profile to the virtual server. If not, ensure the browser allows cookies to be saved.
[Screenshot: Application Service for my_web.app showing Status and Profiles; the Components tab lists the Virtual Server referenced by name, its Status, and its Profiles.]
Deploying a Second Application Service Lab
Lab Objective: Create a second Application Service using a custom iApps template.
Lab Setup
Access to a BIG-IP LTM System
LTM and AVR licensed and provisioned
my_analytics Profile created in Application Service Lab
my_http_pool created in Application Service Lab

Customize iApps Template
Create a custom iApps template, based on the f5.http template, with changes to the Profiles associated with the application service virtual server.
1. Select f5.http (the Name is a link) from the iApp > Templates: Template List tab.
2. Click Copy.
3. Edit the Template Name to my.http.
4. Add the line set profile_names {http} to the script in the Implementation field, just prior to the command that calls f5.app_utils to create the http virtual server (second-to-last paragraph, just before the puts statements, about 90% of the way down the script). The edited region should read:

    } else {
        set profile_names {http}
        tmsh::run_proc f5.app_utils:create_http_vs $tmsh::app_name \
            $destination $snat $pool_name $profile_names $persist_profile \
            $tcp_server_profile_name $tcp_client_profile_name
    }
}
puts " "
puts " "
puts "Starting HTTP template."
puts " "

5. Click Finish. See the description and reference information for f5.app_utils that follows.
Reference
f5.app_utils from the DevCentral Wiki: App – TCL Shared Code
create_http_vs {app_name destination snat pool_name profile_names persist_profile tcp_server_profile_name tcp_client_profile_name}
Description: create_http_vs appends the string _http to the end of the app_name variable and then calls create_vs.
Arguments:
app_name: The application name; _http is appended to it to form the virtual server name
destination: The IP address and port destination in the form IP:Port
snat: The SNAT option. Legal values are none, automap, or a list of IP addresses inside { } to use for the SNAT pool
pool_name: The name of the pool to connect to the VS, or $::EMPTY_STRING if no pool is to be used
profile_names: A list of profile names contained inside { }, or none
persist_profile: The persistence profile to use
tcp_server_profile_name: The server-side TCP profile
tcp_client_profile_name: The client-side TCP profile
Deploying a Second Application Service with custom iApp Template
For this second web application, leverage the existing objects created in the previous lab(s).
1. Create a second analytics profile named my_other.analytics. Hint: base it on an existing profile by choosing a parent profile.
2. Configure a second Application Service using the following information:
   Name: my_other.web
   Template: my.http
   Analytics Profile: my_other.analytics
   Virtual Server IP address: 10.10.X.111
   Do the HTTP servers have a route back to application clients via this BIG-IP system? Yes
   Pool: my_http_pool
3. After answering the application services questions, click Finished.
4. Select the Components tab.
5. Verify the http profile is listed under the my_other.web_http virtual server. 6. Notice the location of auto-generated Profiles associated with the application service, but that are not associated with the virtual server.
Modifying an Application Service
Modify an existing application service to allow other PC clients access.
1. Select the Reconfigure tab from iApp > Application Services > my_other.web.
2. Modify the answers for the following application service questions:
   Do the HTTP servers have a route back to application clients via this BIG-IP system? No
   Will you have more than 64,000 connections at one time? No
3. Which BIG-IP features are these questions associated with?
4. After answering the application services questions, click Finished.

Updating Application Service objects directly
1. Select the Components tab from iApp > Application Services > my_other.web.
2. Select the my_other.web_http (name is link) virtual server.
3. Select the Resources tab.
4. Change the Default Persistence Profile to None from the drop-down menu.
5. Click Update. This attempt is expected to fail with the error described below.
Note! Configuration Error: The application has strict updates enabled… When the Strict Updates setting is enabled, users can only control objects that are exposed through the template. Reconfiguring through the template (re-entering it) is not recommended when Strict Updates is turned off, because the template may overwrite changes made directly to the objects.
Note! Application Services objects are auto-generated from iApps Templates and cannot be modified while Strict Updates is enabled.
Allowing direct updates to Application Service objects 1. Select Local Traffic > Virtual Servers: Virtual Server List. 2. Under Applications, click the my_other.web link. 3. From the Properties tab, select Advanced from the Application Service: drop down menu. 4. Uncheck (disable) Strict Updates. 5. Click Update.
Updating Application Service objects directly 1. Select the Components tab from iApp > Application Services > my_other.web. 2. Select my_other.web_http (name is link) virtual server. 3. Select the Resources tab. 4. Change the Default Persistence Profile to None from the drop down menu. 5. Click Update.
Demonstrating behavior
1. Open a new browser session and connect to http://10.10.X.111.
2. Refresh the screen 5-10 times by pressing Refresh or CTRL-F5.
3. Which Pool Member(s) were used in the load balancing?
4. Were multiple Pool Members used? Why?
5. Request another student to connect to your Application Service from their student station.
6. Request they use the Source IP Address link to display the IP Address Identifier page.
7. What Source Address do you expect?

Expected Results and Troubleshooting
Expected Results: Traffic will be load balanced across all pool members (persistence was removed), and other student client PCs can view your web application because answering No to the route question made the template enable SNAT, so the server sees a BIG-IP address rather than the client's address.
Analytics Lab Lab Objective: Configure a custom Analytics profile to gather statistics and generate various graphs and charts for multiple application services and server performance.
F5 Resources BIG-IP Analytics: Implementations Guide
Lab Setup
Access to a BIG-IP LTM System
LTM and AVR licensed and provisioned
my_analytics Profile created in Application Service lab
my_web.app and my_other.web.app, created in previous labs

Associating additional Application Services to an Analytics Profile
An Application Service can have only one Analytics Profile associated with its virtual server. An Analytics Profile, on the other hand, can be associated with multiple virtual servers, even a virtual server not associated with an Application Service.
1. Select my_analytics (the Name is a link) from Local Traffic > Profiles > Analytics: Analytics Profile List.
2. Click Add… in the Included Objects section to associate another Virtual Server with this Profile.
3. Select/verify the checkbox next to the my_other.web_http virtual server.
4. Click Done.
5. Click Update.
6. Verify the selected virtual server appears in the list of Included Objects.
Note! Changes may take 5-10 minutes to be reflected in the charts.
Driving traffic to the Application Services
1. Open a new browser session and connect to http://10.10.X.111.
2. Refresh the screen 5-10 times by pressing Refresh or CTRL-F5.
3. Request another student to connect to your Application Service from their student station.
4. Open a different browser (IE, Firefox, and Safari are typically available) and connect to http://10.10.X.111.
5. Refresh the screen 5-10 times by pressing Refresh or CTRL-F5.
Examining application statistics
There are several ways to navigate to the Analytics screens.
1. From the left navigation pane, expand the Overview section.
2. Select Statistics and Analytics from the flyout menu. The Statistics: Analytics screen opens and shows charts with application statistics.
3. From the Time Period drop-down menu (on the right), select Last Day for the amount of time for which you want to view the statistics.
Note! If the screen shows a greenish message bar "No data for requested filter(s)", increase the Time Period for which you want to view the statistics.
4. Select the Transactions tab from Overview > Statistics: Analytics.
5. Select the Applications entity tab to display TPS per Application over time for each associated application. See the screenshot below.
6. Select Stacked from the Display method drop-down menu. This view graphs the cumulative summary of the information, so no totals are needed.
7. Explore each entity tab to examine specific details of the collected metrics.
Using the gathered Analytics, answer the following questions:
8. What is the total number of transactions for each application?
9. What are the total numbers of transactions per Pool Member?
10. How many different types of browsers (User Agent) viewed each application?
11. Which client (Client IP Address) viewed each application?
12. What is the Average Server Latency per application?
13. What is the total number of transactions for the my_other.web application on Pool Member 172.16.20.1?

Troubleshooting Applications by Capturing Traffic
BIG-IP can collect application traffic so that you can troubleshoot problems that have become apparent by monitoring application statistics.
1. From the left navigation pane, select Overview > Statistics > Captured Transactions from the flyout menu.
2. Select a captured transaction from the Captured Traffic section. A Details pane appears below the Captured Traffic section.
Using the gathered transaction data, answer the following questions:
1. What Pool Member responded to the client request?
2. What was the Client's IP address?
3. What method was used to make the request?
4. What was the Response Code?
5. What was the client's browser (User Agent)?
End of Lab
Module 17 – Virtual Servers part 2
Forwarding Virtual Servers Labs Lab Requirements: To perform this lab, workstations must have a route to the 172.16 /16 network. This can be done by adding a static route or configuring the external floating address of your BIG-IP system as your default route.
On your PC, add a static route to the 172.16/16 network via your BIG-IP system
1. Open a command prompt on your workstation (Windows 7 users: right-click Command Prompt and select Run as administrator) and type route print.
2. If you do not have a route to the 172.16/16 network via your BIG-IP system, type the command: route add 172.16.0.0 mask 255.255.0.0 10.10.X.33
3. Exit the command prompt by typing: exit

Test Behavior before adding a Forwarding Virtual Server
1. Try to open a browser session to 172.16.20.1, 172.16.20.2 or 172.16.20.3. Results?

Configure a Network Forwarding Virtual Server
1. Destination (Network, not Host): 172.16.0.0, Netmask: 255.255.0.0, all ports (*).
2. Specify the type as Forwarding (IP) rather than Standard.

Test your configuration
1. Open HTTP, HTTPS, and/or SSH sessions to 172.16.20.1, 172.16.20.2, or 172.16.20.3. Results?

Configure and test more specific Virtual Servers
1. Create a network virtual server for 172.16/16, port 80, of type Reject rather than Standard.
2. Open HTTP, HTTPS, and/or SSH sessions to 172.16.20.1, 172.16.20.2, or 172.16.20.3. Results?
3. Finally, create a Host forwarding virtual server for 172.16.20.2, all ports (*), but enable this virtual server only on the External VLAN. Note that connections to http://172.16.20.2 work, but http://172.16.20.1 and http://172.16.20.3 are rejected by the 172.16.0.0:80 Reject virtual server. Be ready to discuss your conclusions about more and less specific virtual servers.
NOTE: Remember that if a Forwarding Virtual Server is created for a single address (Host), by default it will be associated with all VLANs. If ARP is enabled for the Virtual Address, it is likely to create an IP address conflict with the actual Node. Either disable ARP for the 172.16.20.2 Virtual Address, or, as in the lab steps above, disable the 172.16.20.2 Virtual Server on the VLAN of the same network (Internal).
4. Remove all 172.16 virtual servers.
Module 18 – SNATs part 2
SNAT Labs Objective: Configure SNATs using Automap and SNAT Pools and Verify Functionality.
Lab Requirements: A server script on the 172.16/16 network that displays source IP from BIG-IP.
More and Less Specific SNATs Lab
Testing Behavior before SNATs are configured
1. Open a browser session to https://10.10.X.100.
2. Verify your IP address at the Web server is 10.10.X.30.
3. Verify your partner can't access https://10.10.X.100 because SNATs aren't configured and there is no return route for their client machine.

Configure SNAT Automap for the vs_https virtual server
1. From the Navigation pane, select the Local Traffic menu, the Virtual Servers option, and select vs_https.
2. Under General Properties / SNAT Pool option, select Automap and then click the Update button.

Testing SNAT Automap for vs_https
1. Open a browser session to https://10.10.X.100
2. Verify your IP address at the Web server is now 172.16.X.33
3. Verify your partner can now access https://10.10.X.100 and that their source IP address is also 172.16.X.33, but they can't access http://10.10.X.100.

Configure a SNAT pool
1. From the Navigation pane, select the Local Traffic menu, the SNATs option, and select the SNAT Pool List tab.
2. Click the Create button, give your SNAT Pool the name MySNATPool, add members 10.10.X.150 and 172.16.X.150, and click Finished.
Configure a network SNAT for clients from the 10.10.X.0 network
1. Configure a SNAT, using defaults except as follows:
   Name: SNAT_10.10.X
   Translation: SNAT Pool - MySNATPool
   Origin: Address List, Network 10.10.X.0 / 255.255.255.0
2. Click Finished.

Testing the Network SNAT
1. Open a browser session to https://10.10.X.100
2. Verify your IP address at the Web server is still 172.16.X.33
3. Open a browser session to http://10.10.X.100
4. Verify your IP address at the Web server is now 172.16.X.150
5. Verify your partner can still access https://10.10.X.100 and that their source IP address is still 172.16.X.33, but they still can't access http://10.10.X.100 because their client PC does not match the SNAT's 10.10.X origin criteria.

Configure an All Addresses SNAT
1. Configure a SNAT and enter the following:
   Name: SNAT_Everyone
   Translation: IP Address 172.16.X.200
   Origin: All Addresses
2. Click Finished.

Testing the All Addresses SNAT
1. Open a browser session to https://10.10.X.100
2. Verify your IP address at the Web server is still 172.16.X.33
3. Open a browser session to http://10.10.X.100
4. Verify your IP address at the Web server is still 172.16.X.150 (the more specific network SNAT wins over the All Addresses SNAT)
5. Verify your partner can still access https://10.10.X.100 and that their source IP address is still 172.16.X.33, but now they can also access http://10.10.X.100 and their source address is 172.16.X.200 because of the All Addresses SNAT.
SNATs as Listeners Lab
Testing SNATs as listeners
NOTE: You may need a static route on your PC to your BIG-IP for these lab steps. Type the following: route add 172.16.0.0 mask 255.255.0.0 10.10.X.33
1. Try opening another browser session to http://172.16.20.1 and notice the connection works now because of the SNATs you configured: a SNAT is itself a listener, so traffic matching its origin is translated and forwarded even without a virtual server.
2. Disable all virtual servers and try opening another browser session to http://172.16.20.1. Notice the connection still works, but connections to either http://10.10.X.100 or https://10.10.X.100 do not.
3. Re-enable all virtual servers and continue with the next lab steps.

Disabling SNATs on VLANs
1. For both SNATs you created, under VLAN Traffic, select Disabled On, move the external VLAN to the Selected column, and click Update.
2. Test the results by connecting to http://10.10.X.100 and attempting to connect to http://172.16.20.1. What are the results now? You should not be able to connect to 172.16.20.1, and your source address should not be changed to either the 172.16.X.150 or 172.16.X.200 SNAT address.
3. Change the VLAN association for the SNATs: re-enable the external VLAN, disable the internal VLAN, and test again. You should notice the SNAT once again affects traffic because it is listening on the External VLAN where the client traffic arrives.

Disable SNAT for a Selected Pool
1. Open a browser session to https://10.10.X.100. Your source address should still be changed to 172.16.X.33 because the vs_https virtual server has SNAT Automap configured.
2. Select https_pool, change to the Advanced configuration screen, and set the "Allow SNAT" option to No.
3. Now what are the results when connecting to https://10.10.X.100?
4. Change the Allow SNAT option back to Yes within https_pool before going on to the next step.

Delete SNATs for later labs
1. Delete both SNATs, SNAT_Everyone and SNAT_10.10.X, and turn off SNAT Automap for the vs_https virtual server before going on to the next lab.
2. You do not need to delete the SNAT pool you created.
3. Once more, try opening a browser session to http://172.16.20.1 and notice the connection fails because there is no SNAT listener to process the traffic.
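The SNAT labs above each change one setting and ask what source address the web server now sees. The following Python model, added here as an illustration and not part of the F5 course material, encodes the precedence the lab results demonstrate so the expected answers can be checked before touching the lab equipment: a SNAT setting on the virtual server (Automap or a SNAT pool) applies before any SNAT object; otherwise the SNAT object whose Origin most specifically matches the client applies, provided it is enabled on the ingress VLAN; a pool with Allow SNAT set to No suppresses translation; and a client that matches nothing keeps its own address (and, with no return route through the BIG-IP, gets no reply). The self IPs, the SNAT pool members and the choice of X = 1 for the guide's 10.10.X / 172.16.X addresses are constructed for the example, as is the assumption that a SNAT pool member on the egress network is chosen.

```python
"""Model of which source address a client connection leaves BIG-IP with,
for the SNAT labs. Added illustration, not F5 code; the precedence rules
and the lab addressing (X = 1) are assumptions of this model."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

EXTERNAL_SELF_IP = "10.10.1.33"      # floating self IP on the external VLAN
INTERNAL_SELF_IP = "172.16.1.33"     # floating self IP on the internal VLAN
SNAT_POOLS = {"MySNATPool": ["10.10.1.150", "172.16.1.150"]}


@dataclass
class Snat:
    """A SNAT object: Name, Translation, Origin, and the VLANs it listens on."""
    name: str
    translation: str            # an IP address, or "pool:<SNAT pool name>"
    origin: str                 # CIDR; "0.0.0.0/0" stands for All Addresses
    enabled_vlans: List[str] = field(default_factory=lambda: ["external", "internal"])

    def matches(self, client_ip: str, ingress_vlan: str) -> bool:
        net = ipaddress.ip_network(self.origin, strict=False)
        return ingress_vlan in self.enabled_vlans and ipaddress.ip_address(client_ip) in net

    @property
    def specificity(self) -> int:
        """Longer origin prefix = more specific SNAT; it wins over shorter ones."""
        return ipaddress.ip_network(self.origin, strict=False).prefixlen


@dataclass
class VirtualServer:
    name: str
    snat: Optional[str] = None  # None, "automap", or "pool:<SNAT pool name>"
    pool_allow_snat: bool = True   # the pool's Allow SNAT setting


def snat_pool_address(pool: str, egress_vlan: str) -> str:
    """Assumed: the SNAT pool member on the egress network is used (the lab
    observes 172.16.X.150 for traffic leaving on the internal VLAN)."""
    self_ip = INTERNAL_SELF_IP if egress_vlan == "internal" else EXTERNAL_SELF_IP
    egress_net = ipaddress.ip_network(f"{self_ip}/16", strict=False)
    for addr in SNAT_POOLS[pool]:
        if ipaddress.ip_address(addr) in egress_net:
            return addr
    raise LookupError(f"no member of {pool} on the {egress_vlan} network")


def translated_source(client_ip: str, ingress_vlan: str, vs: VirtualServer,
                      snats: List[Snat], egress_vlan: str = "internal") -> str:
    """Return the source address the pool member sees for this connection."""
    if not vs.pool_allow_snat:                 # rule 3: pool forbids SNAT
        return client_ip
    if vs.snat == "automap":                   # rule 1: VS setting wins
        return INTERNAL_SELF_IP if egress_vlan == "internal" else EXTERNAL_SELF_IP
    if vs.snat:
        return snat_pool_address(vs.snat.split(":", 1)[1], egress_vlan)
    candidates = [s for s in snats if s.matches(client_ip, ingress_vlan)]
    if not candidates:                         # rule 4: nothing applies
        return client_ip
    best = max(candidates, key=lambda s: s.specificity)   # rule 2
    if best.translation.startswith("pool:"):
        return snat_pool_address(best.translation.split(":", 1)[1], egress_vlan)
    return best.translation


# The two SNAT objects the lab creates and the two virtual servers it uses.
SNAT_10_10_X = Snat("SNAT_10.10.X", "pool:MySNATPool", "10.10.1.0/24")
SNAT_EVERYONE = Snat("SNAT_Everyone", "172.16.1.200", "0.0.0.0/0")
VS_HTTP = VirtualServer("vs_http")
VS_HTTPS = VirtualServer("vs_https", snat="automap")
```

Walking the lab through the model: your own station (10.10.1.30, arriving on the external VLAN) to vs_https is always 172.16.1.33 because Automap on the virtual server takes precedence over both SNAT objects; to vs_http it is untranslated until SNAT_10.10.X exists, then 172.16.1.150, and it stays 172.16.1.150 after SNAT_Everyone is added because /24 beats /0. A partner on 10.10.2.30 only gets translated (to 172.16.1.200) once the All Addresses SNAT exists, which is also why they could not reach http://10.10.X.100 before. Disabling the SNATs on the external VLAN removes them from consideration for traffic arriving there, and Allow SNAT = No on the pool overrides even the virtual server's Automap.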
VIP Bounce Back Lab Lab Overview This lab will use additional servers on the External VLAN. Rather than using database servers and web servers, this lab will have you connect your PC to a virtual server on the External VLAN that is associated with pool members that are also on the External VLAN. If these external servers are not available in your classroom, you may be able to perform this lab by moving your PC to the Internal VLAN and refer to the appendices on alternate labs.
Configuration and Verification of VIP Bounceback
Test External servers individually
1. From your PC, open a session to the web server at http://10.10.20.1. Now try making connections to http://10.10.20.2 and http://10.10.20.3. All of these sessions should work.
Configure a Pool and Virtual Server. 2. Now Create a pool with members 10.10.20.1:80, 10.10.20.2:80 and 10.10.20.3:80. 3. Create a new virtual server at 10.10.X.102:80 and associate it with the pool created above.
Test results 4. From your PC, attempt to open a session to your virtual server at http://10.10.X.102. 5. Were you able to establish a connection? Since the virtual server is available for all existing VLANs, packets can travel from the client to the server, but cannot be returned. Why not? You may wish to use tcpdump to see why.
Return Path Options (choose one) 6. Create a NAT or SNAT so that the PC’s source IP address is translated by BIG-IP system. 7. Enabling SNAT within the virtual server definition is typically the best solution.
Test results 8. From your PC, open a new session to the web servers using the 10.10.X.102:80 virtual server. 9. You should have been able to establish a connection this time. It works now because the client address is SNAT’d and the web server returns the packet to the SNAT address (BIG-IP LTM Address) rather than directly to the client.
Module 19 – Monitors Part 2
Monitors Labs Objective: In this exercise you will configure health checks using multiple defaults and custom monitors to verify Pool Members.
Lab Requirements:
Estimated time for completion: 40 minutes
Access to a BIG-IP LTM System
At least one Virtual Server with one working Node
Removing Monitors from Earlier Labs Unassign any monitors created or assigned in the optional command line labs.
Testing before configuration
Connect to http://10.10.X.100 and look at the statistics pages for both virtual servers and pools to see how data is flowing through the BIG-IP system.

Assigning Multiple Monitors
Create Custom Monitors for HTTP and HTTPS
1. Create a new monitor to check http services with the following characteristics: interval 5, timeout 16, and a receive string that checks for the characters Server somewhere on the index.html page.
2. Create a new monitor to check https services with the following characteristics: specify the Alias Service Port as 443, interval 5, timeout 16, and a receive string that checks for the characters Server 2 somewhere on the index.html page. The Alias Service Port makes sure the monitor always tests port 443 regardless of the port of the assigned Pool member.

Set Monitor Assignments and Test
1. Associate the http-based monitor with http_pool.
2. What is the status of http_pool? What are the statuses of the members? Which monitor(s) are testing each member?
3. Associate the https-based monitor with http_pool as well.
4. What is the status of http_pool? What are the statuses of the members? Which monitor(s) are testing each member? Are the current monitor assignments appropriate for the servers in the classroom labs?
5. Change the availability requirement of the pool's monitors from All to At Least 1.
6. Did the status of the pool or of the members of http_pool change?
7. Change the availability requirement of the pool's monitors back to All.
8. Change the receive string for the https-based monitor to Server [1-3]
NOTE: Receive strings are regular expressions; [1-3] matches any single character in the range from 1 to 3, so Server [1-3] matches Server 1, Server 2 and Server 3.
9. What is the status of http_pool? What are the statuses of the members? Which monitor(s) are testing each member?

Enabling and Testing Receive Disabled String
1. For the https-based monitor, change the Receive String back to Server 2 and set the Receive Disabled String to Server 1.
2. Check the status of the pool and its members and test by sending traffic to the virtual server.
NOTE: Each member should be in a different state: member one disabled, member two up, member three down. Why?
3. Remove the Receive Disabled String.

Enabling and Testing Manual Resume
1. For the https-based monitor, set the Manual Resume option to Yes. You may wish to decrease the Interval and Timeout settings as well.
2. Check the status of the pool and its members and test by sending traffic to the virtual server.
3. Change the Receive String for the https-based monitor back to Server [1-3] and test the results by verifying the status of the pool and its members, and by sending traffic to the virtual server. Members that were marked down stay down even though the probe now succeeds.
4. Manually resume the appropriate pool members and test again.
5. Select the pool http_pool and disassociate all monitors from the previous labs.
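The "Why?" in the Receive Disabled String lab and the behaviour of Manual Resume both come down to how a monitor turns one probe response into a member state. The Python below is an added illustration, not F5 code: it models the documented precedence (a response matching the Receive String is up; a response matching only the Receive Disabled String is disabled, meaning established and persisted sessions continue but no new connections are sent; anything else, or no response within the timeout, is down), treats both strings as regular expressions so that Server [1-3] matches all three servers, and tracks a member across probes so the Manual Resume case can be stepped through. The three HTML bodies standing in for the lab servers' index.html pages are constructed for the example.

```python
"""How an LTM HTTP/HTTPS monitor classifies a pool member from one probe.
Added illustration, not F5 code; the classification rules are assumptions
taken from the monitor documentation and the lab's expected results."""
import re
from typing import Dict, List, Optional

UP, DISABLED, DOWN = "up", "disabled", "down"

# Constructed stand-ins for the index.html pages of the three lab servers.
SAMPLE_RESPONSES: Dict[str, Optional[str]] = {
    "172.16.20.1:80": "<html><body><h1>Server 1</h1></body></html>",
    "172.16.20.2:80": "<html><body><h1>Server 2</h1></body></html>",
    "172.16.20.3:80": "<html><body><h1>Server 3</h1></body></html>",
}


def classify(body: Optional[str], receive: str, receive_disable: str = "") -> str:
    """Classify one probe. body is None when no response arrived before the
    timeout. A blank Receive String means any response counts as success."""
    if body is None:
        return DOWN
    if receive == "" or re.search(receive, body):
        return UP
    if receive_disable and re.search(receive_disable, body):
        return DISABLED            # matches only the Receive Disabled String
    return DOWN


def monitor_pool(receive: str, receive_disable: str = "",
                 responses: Dict[str, Optional[str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Classify every pool member from its (sample) response."""
    return {m: classify(body, receive, receive_disable) for m, body in responses.items()}


def members_for_new_connections(states: Dict[str, str]) -> List[str]:
    """Only up members get new connections; disabled members only keep
    serving already established or persisted sessions."""
    return sorted(m for m, s in states.items() if s == UP)


class MonitoredMember:
    """One pool member across successive probes, honouring Manual Resume:
    once marked down it stays down after the probe passes again until an
    administrator calls resume()."""

    def __init__(self, manual_resume: bool = False) -> None:
        self.manual_resume = manual_resume
        self.state = UP
        self.awaiting_resume = False

    def probe(self, body: Optional[str], receive: str, receive_disable: str = "") -> str:
        result = classify(body, receive, receive_disable)
        if result == DOWN:
            self.awaiting_resume = self.manual_resume
            self.state = DOWN
        elif self.awaiting_resume:
            self.state = DOWN      # probe passes, but waits for an administrator
        else:
            self.state = result
        return self.state

    def resume(self) -> None:
        """Administrator action; the next passing probe marks the member up."""
        self.awaiting_resume = False
```

With Receive String Server 2 and Receive Disabled String Server 1, monitor_pool() returns exactly the lab's three states (one disabled, two up, three down); switching the receive string to Server [1-3] brings all three up, but a MonitoredMember created with manual_resume=True that was marked down during the Server 2 phase reports down until resume() is called. Two practitioner caveats the lab leaves implicit: because receive strings are regular expressions, an unescaped dot or bracket matches more than intended, and a monitor that only looks for a short string can be satisfied by an error page that happens to contain it.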
Optional Monitor Labs Objective: In this exercise you will configure inband monitors and a custom ftp monitor.
Using Inband (Passive) Monitors Preparation 1. Disable Priority Group Activation for http_pool. 2. Add a new pool member to http_pool: 172.16.20.10:80 3. Create a new Inband monitor accepting all defaults except set the Retry Time to 30. 4. Assign the Inband monitor to http_pool. The status of all pool members should be Available at this point in the lab.
Send Traffic to the Virtual Server 1. Open a browser to http://10.10.X.100. Does the page display properly? Refresh a few times and check the status of the pool members. 2. After waiting around 30 seconds, refresh again 1 time. Results? Status of pool members? 3. Delete the 172.16.20.10:80 pool member for future labs, or change the assigned monitor from inband back to an http monitor type that marks 172.16.20.10:80 down.
End of Monitor Lab
Module 20 - Persistence
Universal Persistence Lab Objective: Configure Persistence based on an Expression.
Lab Requirements: To complete this lab, you will need the following:
Access to a BIG-IP system
At least 1 Virtual Server for port 80 with at least 2 working nodes

Repeating behavior before persistence
1. Ensure the Load Balancing method for http_pool is Round Robin, the Priority values for the http_pool members are all 1, and no persistence is enabled for vs_http.
2. Access and clear the statistics for http_pool.
3. Open a new browser session and connect to http://10.10.X.100
4. Refresh the screen 5-10 times by clicking Refresh or pressing the F5 key.
5. View the pool statistics. What are the results?

Build an iRule to Persist on the HTTP::uri
Create an iRule that persists on the characters in the HTTP::uri after "user=" (findstr skips the five characters of "user=" and stops at the next "&"). Tcl is case sensitive, so the event, command and keyword names must be lower case as shown:

when HTTP_REQUEST {
    if { [HTTP::uri] contains "user=" } {
        persist uie [findstr [HTTP::uri] "user=" 5 "&"]
    }
}
Create a Profile and Virtual Server that use this iRule 1. Create a Universal Persistence Profile with a Timeout value of 30 seconds that references the iRule above. 2. Associate the vs_http virtual server with this new persistence profile.
Demonstrating behavior after persistence
1. Access and clear the statistics for http_pool.
2. Open a new browser session and connect to http://10.10.X.100/env.cgi
3. Refresh the screen 5-10 times by clicking Refresh or pressing CTRL-F5.
4. View the pool statistics. What are the results?
5. View persistence records via the command: tmsh> show /ltm persistence persist-records
6. Clear the statistics for http_pool again.
7. Open a new browser session and connect to: http://10.10.X.100/env.cgi?user=123&pw=456
8. Refresh the screen 5-10 times by clicking Refresh or pressing CTRL-F5.
9. Open a new browser session and connect to: http://10.10.X.100/env.cgi?user=abc&pw=def
10. Refresh the screen 5-10 times by clicking Refresh or pressing CTRL-F5.
11. View the pool statistics. What are the results?
12. Disable this Universal persistence profile on the vs_http virtual server. Universal persistence must be disabled for the next lab.
Optional Match Across Services Lab Objective: Configure Persistence for both http and https protocols
Lab Requirements:
Estimated time for completion: 5 minutes.
Two or more working members in both http_pool and https_pool
Virtual servers at both http://10.10.X.100 and https://10.10.X.100 with appropriate pools
Repeating behavior before persistence 1. Make sure the Load Balancing method for https_pool is set to Round Robin and priority group activation is disabled. 2. Make sure that virtual server vs_https has source address persistence set, but also that vs_http does not have any persistence profile specified. Now, test to make sure persistence is working for vs_https but not vs_http.
Set Match across Services
1. Enable Match Across Services for the persistence profile used by vs_https, and associate this same profile with the vs_http virtual server.
2. Now test again to make sure that not only is persistence working for both vs_https and vs_http, but also that they both use the same pool member.
End of Persistence Labs
Module 22 – Lab Project 2
Next Steps Other F5 Courses Other courses you might take that are related to the BIG-IP LTM product include:
Troubleshooting BIG-IP LTM
Architecting BIG-IP in an Application Delivery Network
Configuring BIG-IP with iRules
Other F5 product courses include:
Configuring BIG-IP GTM
Configuring BIG-IP ASM
ARX Configuring and Administering
ARX Troubleshooting and Monitoring
Configuring BIG-IP APM
Configuring BIG-IP WAM
Configuring BIG-IP WOM
Lab Project options You will not have time to finish all the following lab projects. Your options are:
iRules labs 1 to 5 along with 2 optional labs for #3 and #4
or a Path Load Balancing lab
iRules Labs There are 5 iRule labs in this lab project. Estimated time – 90 minutes.
iRules Lab #1 Create and use an iRule that processes requests based on substrings within the http content frame and directs traffic to two different pools
Create Pools
Create three pools per the specifications in the table.
Pool Name    Members
pool1        172.16.20.1:80
pool2        172.16.20.2:80
pool3        172.16.20.3:80
Create an iRule checking the HTTP::uri
Create the rule listed below:
Name rule_me_http
Definition
when HTTP_REQUEST {
    if { [findstr [HTTP::uri] "user=" 5] equals "me" } {
        pool /Common/pool2
    } else {
        pool /Common/pool3
    }
}
Create a Virtual Server using the iRule VS Name vs_me
IP Addr / Port 10.10.X.104 : 80
Resources rule_me_http
Profiles tcp, http
Verification through Statistics
1. Open a new browser session on your PC and direct it to your Virtual Server address and files:
   http://10.10.X.104
   http://10.10.X.104/?user=me
   http://10.10.X.104/?user=meandthem
2. Which pool members are you being directed to? Why?
3. View statistics and configuration information through:
   a. Overview Section / Statistics / Choose from Statistics Type drop-down list.
   b. Local Traffic Section / Virtual Servers / Statistics
   c. Local Traffic Section / Pools / Statistics
iRules Lab #2 Create and use a rule that processes requests based on substrings within the tcp content frame and directs traffic to two different pools.
Create an iRule checking TCP::payload
Create the rule listed below:
Name rule_me_tcppayload
Definition
when CLIENT_ACCEPTED {
    if { [TCP::local_port] == 80 } {
        TCP::collect 100
    }
}
when CLIENT_DATA {
    if { [findstr [TCP::payload] "user=" 5 2] == "me" } {
        pool /Common/pool2
    } else {
        pool /Common/pool3
    }
}
Create a Virtual Server using the iRule VS Name vs_rule_tcp
IP Addr / Port 10.10.X.105 : 80
Resources rule_me_tcppayload
Profiles tcp
Verification through Statistics
1. Open a new browser session on your PC and direct it to your Virtual Server address and files:
   http://10.10.x.105
   http://10.10.x.105/?user=me
   http://10.10.x.105/?user=meandthem
2. Which pool members are you being directed to? Why?
3. View statistics and configuration information through:
   a. Overview Section / Statistics / Choose from Statistics Type drop-down list.
   b. Local Traffic Section / Virtual Servers / Statistics
   c. Local Traffic Section / Pools / Statistics
iRules Lab #3 Create and use a rule that processes requests based on substrings within the http_uri and logs a message depending on whether the rule matched.
Create a third iRule which uses logging
Create the rule listed below:
Name rule_me_logmsg
Definition
when HTTP_REQUEST {
    set fdstr [findstr [HTTP::uri] "user=" 5]
    set debug "1"
    if { $fdstr equals "me" } {
        if { $debug } { log local0. "uri matched $fdstr" }
        pool /Common/pool2
    } else {
        if { $debug } { log local0. "uri did not match $fdstr" }
        pool /Common/pool3
    }
}
Create a Virtual Server and Associate the iRule VS Name vs_rule_log
IP Addr / Port 10.10.X.106 : 80
Resources rule_me_logmsg
Profiles tcp, http
Verification through Statistics
1. Open a new browser session and direct it to your Virtual Server and files:
   http://10.10.x.106
   http://10.10.x.106/?user=me
   http://10.10.x.106/?user=meandthem
   View /var/log/ltm. Do you see log messages?
2. View statistics and configuration information through:
   a. Overview Section / Statistics / Choose from Statistics Type drop-down list.
   b. Local Traffic Section / Virtual Servers / Statistics
   c. Local Traffic Section / Pools / Statistics
3. Which node is traffic being directed to for each address above?
4. Change the value of debug and set it to 0 (set debug "0"). What is the effect?
Optional: iRule Lab #3 – Logging Modification
After you have figured out why traffic is being directed to different pools for one client request with the previous logging iRule, you can change the previous iRule to the following.
Name rule_me_logmsg
Definition
when HTTP_REQUEST {
    set fdstr [findstr [HTTP::uri] "user=" 5]
    set debug "1"
    if { $fdstr equals "me" } {
        pool /Common/pool2
    } else {
        if { $debug and [string compare $fdstr ""] } {
            log local0. "uri did not match $fdstr"
        }
        pool /Common/pool3
    }
}
Verification through Statistics
1. Open a new browser session and direct it to your Virtual Server and files:
   http://10.10.x.106
   http://10.10.x.106/?user=me
   http://10.10.x.106/?user=meandthem
   View /var/log/ltm. Do you see log messages?
2. The results for this second logging iRule should be:
   a. When uri=me, send the request to pool2, without generating a log message.
   b. When uri=them, send the request to pool3, and generate only one message to /var/log/ltm that states uri did not match them.
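To see why the first rule_me_logmsg produces more than one pool selection and log line for a single page load, and what the optional variant changes, here is a Python model of both versions driven by a constructed browser session. This is an added example, not F5 code. The second request in the session stands for a follow-on request that carries no user= parameter at all (a browser's automatic /favicon.ico fetch is the usual case); that follow-on request is an assumption of the example, not something the lab text states.

```python
# Added example (not F5 code): the two versions of rule_me_logmsg as Python
# functions, each returning the pool chosen and the lines written to /var/log/ltm.


def findstr(s, search, skip=0):
    """Model of iRule findstr with a skip count and no terminator."""
    i = s.find(search)
    return "" if i < 0 else s[i + skip:]


def rule_v1(uri, debug=True):
    """Lab #3 rule: while debug is set it logs on every request, including those
    whose URI carries no user= at all (fdstr is then the empty string)."""
    fdstr = findstr(uri, "user=", 5)
    logs = []
    if fdstr == "me":
        if debug:
            logs.append(f"uri matched {fdstr}")
        pool = "/Common/pool2"
    else:
        if debug:
            logs.append(f"uri did not match {fdstr}")
        pool = "/Common/pool3"
    return pool, logs


def rule_v2(uri, debug=True):
    """Optional variant: [string compare $fdstr ""] is non-zero only when fdstr is
    non-empty, so parameter-less requests stop logging and matches are not logged."""
    fdstr = findstr(uri, "user=", 5)
    logs = []
    if fdstr == "me":
        pool = "/Common/pool2"
    else:
        if debug and fdstr != "":
            logs.append(f"uri did not match {fdstr}")
        pool = "/Common/pool3"
    return pool, logs


def browser_session(rule, uris, debug=True):
    """Run each URI through `rule`; return the pools chosen and the log lines."""
    pools, log = [], []
    for uri in uris:
        pool, lines = rule(uri, debug)
        pools.append(pool)
        log.extend(lines)
    return pools, log


# Constructed session (assumption): the page load plus the browser's
# parameter-less follow-on request.
SESSION = ["/?user=me", "/favicon.ico"]
```

With the first rule the single page load shows up as pool2 plus pool3 in the statistics and two log lines, one of them "uri did not match " with nothing after it; the second rule sends the same traffic to the same pools but logs only when a user= value was present and did not match. Note that the log line copies request-supplied text verbatim into /var/log/ltm, which is worth remembering when that log is shipped to a collector that parses it.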
iRules Lab #4 Create and use an iRule that detects server responses and redirects 404 responses to a different virtual server.
Test before
Open a new browser session to the URIs listed below and explain the results:
http://10.10.x.104/?user=me
http://10.10.x.104/text.txt
NOTE: You should receive a 404 msg because text.txt is not on node 3.
Create a Virtual Server VS Name vs_redirect
IP Addr / Port 10.10.X.107 : 80
Resources pool1
Profiles tcp
Create a fourth iRule to handle a server 404 response
Create an iRule that searches the server's response for 404 statuses. If found, redirect the client to an alternate virtual server (see iRule below).
Name Redirect_rule
Definition
when HTTP_RESPONSE {
    if { [HTTP::status] equals "404" } {
        HTTP::redirect "http://10.10.X.107"
    }
}
Assign this iRule to the previous Virtual Server vs_me
Navigate to the Resources tab of the virtual server vs_me and click Manage to associate this second iRule, Redirect_rule, with vs_me as well.
Test after new redirect rule
Open a new browser session to the URIs listed below and explain the results.
http://10.10.x.104/?user=me
http://10.10.x.104/text.txt
NOTE: This time you should NOT receive a 404 message because the HTTP_RESPONSE rule should redirect to pool1.
Optional: iRules Lab #4 Edit the previous iRule so that the file name that is requested is returned from an alternate server.
Test before In the previous lab, you were redirected to another site when a 404 was received, but the redirect did not request the file from the new site. With a few changes, the requested file name can be stored and requested from the new site.
Create a fifth iRule for a 404 that maintains the requested file
Create an iRule that searches the server's response for 404 statuses. If found, redirect the client to an alternate virtual server and include the original file name (see iRule below). The quotes around "/" must be plain ASCII quotes.
Name Redirect_rule2
Definition
when HTTP_REQUEST {
    set myfile [findstr [HTTP::uri] "/" 1]
}
when HTTP_RESPONSE {
    if { [HTTP::status] equals "404" } {
        HTTP::redirect "http://10.10.X.107/$myfile"
    }
}
Assign this iRule to the previous Virtual Server vs_me
Navigate to the Resources tab of the virtual server vs_me and click Manage. Remove the iRule Redirect_rule from the previous lab and associate the iRule Redirect_rule2.
Test after new redirect rule
Open a new browser session to the URI listed below and explain the results.
http://10.10.x.104/text.txt
NOTE: Once again you should NOT receive a 404 message because the HTTP_RESPONSE rule should redirect to pool1, but also you should receive the file text.txt rather than the index.html.
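The difference between Redirect_rule and Redirect_rule2 is that a value set in the HTTP_REQUEST event survives until the HTTP_RESPONSE event of the same request. The following Python model, an added example and not F5 code, runs both rules through a minimal event dispatcher with a per-connection variable scope. The server behaviour (only text.txt is missing) is a constructed stand-in for node 3, and the alternate virtual server address is the one from the lab.

```python
# Added example (not F5 code): model of the iRule event flow in Lab #4.

ALT_VS = "http://10.10.X.107"   # alternate virtual server from the lab


def findstr(s, search, skip=0):
    """Model of iRule findstr with a skip count and no terminator."""
    i = s.find(search)
    return "" if i < 0 else s[i + skip:]


class Connection:
    """Per-connection variable scope. `run` delivers HTTP_REQUEST and then
    HTTP_RESPONSE to a rule and returns the redirect Location it issues, or
    None when the server response is passed through unchanged."""

    def __init__(self):
        self.vars = {}

    def run(self, rule, uri, status):
        on_request = rule.get("HTTP_REQUEST")
        if on_request is not None:
            on_request(self.vars, uri)
        return rule["HTTP_RESPONSE"](self.vars, status)


# Redirect_rule: redirect every 404 to the alternate VS; the requested path is lost.
REDIRECT_RULE = {
    "HTTP_RESPONSE": lambda v, status: ALT_VS if status == 404 else None,
}


# Redirect_rule2: remember the path at request time and carry it into the redirect.
def _request2(v, uri):
    v["myfile"] = findstr(uri, "/", 1)          # text after the first '/'


def _response2(v, status):
    return f"{ALT_VS}/{v['myfile']}" if status == 404 else None


REDIRECT_RULE2 = {"HTTP_REQUEST": _request2, "HTTP_RESPONSE": _response2}


def node3(uri):
    """Constructed server: 404 for text.txt, 200 for anything else."""
    return 404 if uri.startswith("/text.txt") else 200


def fetch(rule, uri):
    """One client request through `rule`; returns the Location header or None."""
    return Connection().run(rule, uri, node3(uri))
```

For /text.txt the first rule answers with a bare http://10.10.X.107 (so the client lands on index.html), while the second answers with http://10.10.X.107/text.txt. Because the second rule copies request-supplied URI text into the Location header unmodified, treat that text with the same care as any other user input when you adapt the rule beyond the lab.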
iRules Lab #5 Create an iRule that displays an apology page when a pool is no longer available.
Create a new Virtual Server and Monitor for use with http_pool
1. Create an iRule that displays an Apology Page
   Name Apology_Rule
   Definition
   when HTTP_REQUEST {
       if { [active_members http_pool] < 1 } {
           HTTP::respond 200 content {
               Apology Page
               Come back later. It's break time!
               Signed, the servers.
           }
           TCP::close
       }
   }
2. Create a monitor that will mark the members of the pool http_pool down. Set the timeout to around 30 seconds.
3. Create a new virtual server at http://10.10.X.108 using http_pool, Apology_Rule, and the monitor created in step 2.
4. Quickly, open a browser session to http://10.10.X.108.
5. Did the connection work or fail? Refresh a few times so your monitor has a chance to time out, if it hasn't already.
Optional: Path Load Balancing Lab Lab Objective: Firewall Sandwich Configurations allow load balancing both path (Firewalls) and service (pool members) in a multi-tiered environment. This lab focuses on configuring a firewall sandwich to support inbound traffic where the firewalls are not performing address translation.
Lab Requirements: This lab assumes you are working on system A, below, and everyone is sharing a system B. The transparent devices and system B should be set up by the instructor.
Create a backup of your current configuration
1. Create trainX_day4end.ucs
Change the self-IPs on your LTM
1. Restore trainX_base.ucs
2. Delete the self IP addresses from the Internal VLAN
3. Add a new self IP address on the Internal VLAN: 10.20.X.33
Add a transparent virtual server
1. Add a pool of the transparent devices' 10.20/16 addresses
   a. 10.20.30.1
   b. 10.20.30.2
2. Add a virtual server to load balance traffic to the 10.30/16 network through the transparent devices.
Verify / Change the PC's network settings
For this lab, your PC needs to have a static route to the 10.30/16 network via your BIG-IP system.
1. Open a DOS prompt
2. Check your routes:
   route print
3. If you are missing a route to the 10.30/16 network via your BIG-IP system, add one:
   route -p add 10.30.0.0 mask 255.255.0.0 10.10.X.33
Test Your Configuration
1. Open a browser session to 10.30.17.100
2. If you are successful, create a transparent monitor and associate it with the pool. If you are not, follow the troubleshooting steps below.
Troubleshooting
External clients (your PC) should now have access to the 10.30.17.100:80 Virtual Server. If not, troubleshoot this problem with tools such as tcpdump. Focus on the traffic in each portion of the network and the status of the monitor, following the path one segment at a time:
Segment: PC -> Your Network Virtual Server
Does your Network Virtual Server show traffic? If not, check the routes on your PC.
Segment: Your Network Virtual Server -> Selected Firewall
Do your pool members (the firewalls) show traffic? If not, check the state of the nodes. If they do, check that address and port translation is disabled on the Virtual Server.
Segment: Selected Firewall -> Instructor Virtual Server
Does the Instructor Virtual Server show traffic? If not, are the firewalls set on the correct network and responding to the firewalls' ARP requests?
Segment: System B Virtual Server -> Pool Member
Do the pool members (the web servers) show traffic? If not, check the state of the nodes. If they do, check the routes on the web servers and the address on the client (third octet must be X).
Segment: Member Response -> Internal Virtual Server
Does the Virtual Server show response (out) traffic? If not, check the ARP tables on the web servers.
Segment: Internal Virtual Server -> Same Firewall
Is System B sending responses back to the firewalls? If not, check whether the Instructor LTM has auto last hop or a last hop pool configured.
Segment: Selected Firewall -> Your Network Virtual Server
Are the firewalls sending the responses back to your LTM? If not, check the routes on the firewalls and the address of the client.
Segment: External Virtual Server -> PC
Does the Your Network Virtual Server show response (out) traffic? If not, check the ARP tables.
Appendix A – Installation
Pre-Installation Information Objective: Now having a better understanding of the BIG-IP LTM Software and how it works, this section conveys additional information to consider during a BIG-IP LTM System installation. You will learn the types of hardware and networking questions that need to be answered before an installation takes place.
Pre-installation hardware checklist
Network Hardware
1. What is the physical media type used in your environment?
2. What brand/type of switches or hubs do you use?
3. What brand/type of routers do you use?
4. What IP network ranges do you use?
5. What are your future needs for IP addresses (considering growth)?
6. What routing protocols do you employ (both internally and at the border)?
7. What router redundancy methods do you employ?
8. Do you use multiple ISPs for link redundancy?
Servers
1. What type of hardware are your servers?
2. What OS are your servers?
Backend databases and application servers
1. What type of hardware are your backend database servers?
2. What backend database products do you use?
Oracle
MS SQL 6.5
Informix
BIG-IP® LTM Advanced Topics – © 2011 F5 Networks, Inc.
A-2
Appendix A
Pre-installation network checklist
Wide Area
Describe any geographically dispersed fail-over sites you have.
Do you do any load distribution across multiple geographic sites?
Is co-location or hosting part of your multi-site plans?
Bandwidth
What is the total amount of bandwidth into each geographical site?
What is the average amount of sustained throughput that you use?
Do you use any rate shaping or traffic prioritization products?
Backend database replication
• Transaction level
• Batch replication
• Hardware mirroring
• Software mirroring
Do you use any backend HA devices or software?
• Network Appliance
• Qualix
• Veritas
• Wolfpack
What other backend content products do you use?
• Opentext
• Vignette StoryServer
• BroadVision
State maintenance
Do your applications require that the client return to the same server for the entire session?
Security concerns/Architecture
How important is security to your site?
What type of firewall do you use?
Does your firewall perform NAT?
Describe the basic rule set used:
What type of proxy server do you use?
What type of cache server do you use?
What type of VPN do you use?
Network Management
How do you view or manage your network site?
What products do you use for network troubleshooting/monitoring?
• CA Unicenter
• HP Openview
• NetIQ
• Compaq Insight Manager
• MS-SMS
Administrative
How do you securely administer your server or backend database if your site is co-located?
Do you have a secure back channel or VPN via the internet for server or database administration?
Do you use any remote terminal software (PC Anywhere, Remotely Possible, F-Secure SSH, Telnet, etc.)?
Pre-Installation Checklist
Follow the steps below to ensure proper installation of your BIG-IP LTM System.
1. Provide 3 real internet addresses for a redundant BIG-IP LTM System configuration.
2. Provide a real internet address for each virtual IP address (VIP) or NAT.
3. Provide 3 internal IP addresses (e.g. 10.x.x.x, RFC 1918, etc.) [redundant BIG-IP LTM System configuration].
4. Provide one internal IP address per node on the internal network.
5. Provide appropriate connectivity to physical segments.
6. Provide the IP addresses of the DNS servers (optional depending on implementation).
7. Provide access to the existing production content server(s), or an alternate content server.
8. Provide one 110/220 power outlet for each BIG-IP LTM System unit.
9. Identify and provide access to any management workstations (for example, a workstation running CA Unicenter or other monitoring tool).
10. Identify and provide access to a monitoring workstation (non-dedicated) for the SSH client software (optional).
11. Designate an individual as the primary contact and "BIG-IP LTM System administrator" (tier 2 or 3).
12. Verify that each BIG-IP LTM external IP address can be accessed through incoming tcp port 22 (optional - to verify remote administration capability).
13. Verify that each BIG-IP LTM System can use outgoing tcp port 22 from tcp port 1023-1019 (optional).
14. Verify your ability to change DNS A records (for conversion from DNS round robin).
15. Create a DNS entry for each BIG-IP LTM administrative IP address (optional).
BIG-IP LTM System Worksheet
Installing BIG-IP LTM software Performing prerequisite Installation tasks A basic installation consists of some prerequisite tasks that prepare you for installing the software. These tasks involve:
Configuring the management interface
Establishing a connection to the system
Setting the active volume
Making sure the license is active and updated
Configuring the management interface To install software upgrades and perform management tasks on the BIG-IP system, you must use the management interface. When you initially set up the system hardware, you probably configured an IP address, netmask, and default route for the management interface. If you did not, you can use the default settings, or you can use the LCD controls to specify settings appropriate to your network. To allow remote connections, the traffic management software comes with a default root account and password and two pre-defined IP addresses. The preferred default IP address is 192.168.1.245. The alternate IP address is 192.168.245.245. The default netmask is 255.255.255.0. To change the default IP address on the management port using the "config" command or the LCD front console, refer to the BIG-IP Getting Started Guide.
Working with volumes This version of the BIG-IP system software uses the volumes disk-formatting scheme. A specific section of a hard drive is called a volume. Also called logical volume management (LVM), this feature supports all platforms and modules available for the BIG-IP system. Each volume holds a complete version of the BIG-IP software. You can create additional volumes to hold additional software versions, and can delete existing volumes you no longer need. To install the software, you boot to a volume that you do not want to upgrade, to serve as the source. You cannot install to the active volume. LVM labels, disk names, volume indexes, and file system labels are used internally by the disk management system. At any given time, only one volume may be the active partition. The active volume or partition contains the software that runs when you start up or reboot the system.
Activating the software license To install new versions of BIG-IP system software, you must have an active and updated license. An active and updated license contains a valid service check date for the system software release you plan to install and run. During installation and initialization, the system verifies the software release check date in the software against the service check date in the license file on your system. To activate the license for the system, you must have a base registration key. The base registration key is a 27-character string that lets the license server know which F5 products you are entitled to license. The base registration key is preinstalled on your system. If the system is not yet licensed, the Configuration utility prompts you to enter the base registration key. You enter keys for additional modules using settings in the Add-On Registration Key List area of the License screen.
Performing Software Installations This section describes the method to install and upgrade BIG-IP systems. tmsh can be used for both installations and upgrades. With tmsh /sys software commands you can install many different versions of BIG-IP; you are no longer limited to two slots (BIG-IP v9 using disk partitions) and can now have many Volumes, depending on the capacity of the system’s hard drive.
Installation using tmsh
You can use the tmsh components that reside within the sys software module to configure the BIG-IP system settings and display information about the system. Installation of a hotfix or software image is performed to an inactive volume.
Assuming the system is currently booted to the image on slot HD1.1, the following command, run from the /shared/images directory, would install a clean image of an image.iso (BIGIP…iso) on volume HD1.2, and reboot the system after installation.
tmsh install /sys software image [image.iso] volume [HD1.2] reboot
To install a software image on a new volume (HD1.3), add the create-volume option.
tmsh install /sys software image [image.iso] volume [HD1.3] create-volume
In order to see the progress of the installation from the Linux bash shell, use the following command.
watch 'tmsh show /sys software status'
Assuming the system is currently booted to the image on slot HD1.1, the following command, run from the /shared/images directory, would install a hotfix on the image in slot HD1.2, but leave the current slot active.
tmsh install /sys software hotfix [hotfix.iso] volume [HD1.2]
After any upgrade, you can confirm the installed versions by issuing the switchboot command. Switchboot displays the version that is installed on each slot or volume, shows which is the current default boot slot, and allows you to change the default boot slot. The output shown below is of a system with version 10.2.1 on slot 1.1 and version 11.1.0 on slot 1.2. Slot 1.2 is currently set as the default boot slot.
tmos> run /util bash -c "switchboot"
Version Management using the Configuration Utility Software management can also be performed through the Configuration Utility. This includes importing ISO images and hotfixes, installing ISO images and hotfixes, changing the default boot location, then rebooting to that location, and creating additional volumes for systems.
The screen above shows the version of the current installations, the active and default boot location, and the available images to install. The Import button would allow you to copy additional images from your PC to the BIG-IP system. The Hotfix List tab shows the list of Hotfixes on the system. The Boot Locations tab shows the current default boot image but also allows you to change it. Disk Management allows you to manage the logical volumes that are created on a physical hard drive.
Provisioning TMOS modules The license you receive from F5 Networks determines what software modules the BIG-IP system can support. The license ensures that you can activate all software modules you have purchased. An F5 license is applicable for the life of the system, or until you reactivate it, for example, by purchasing additional modules. The modules available for this version of the software include Local Traffic (LTM), Global Traffic (GTM), Link Controller (LC), Application Security (ASM), Protocol Security (PSM), Application Policy (APM), WebAccelerator (WAM), and WAN Optimization (WOM). When you have multiple modules on a BIG-IP system, you must portion CPU, memory, and disk space among the modules to make the modules functional. This process of assigning CPU, memory, and disk space to licensed software modules is called provisioning. Provisioning and licensing work together to make sure that software modules are accessible and appropriately provided with system memory and disk space. You can determine which modules your license supports by checking the License screen, available in the System section on the Main tab of the navigation pane. If you have a license for a module that you have not provisioned, the system posts an alert in the identification and messages area of the Configuration utility: Licensed yet unprovisioned: , to let you know that you do not have provisioning specified for that module.
Important Some modules require that you provision CPU, memory, and disk space before they are visible in the Configuration utility. If you do not see a module that you have licensed, first check to make sure you have provisioned CPU, memory, and disk space for it.
Understanding Resource Provisioning settings The system provides provisioning settings on the Resource Provisioning screen, available in the System section on the Main tab of the navigation pane. When you click Resource Provisioning, the system presents a screen containing a color graph representing the current allocations for CPU cycles, system memory, and disk space (Logical Volume Management (LVM) formatting), along with a section representing each module installed on the system. Each module has associated with it a unique color, which the allocation graph uses to visually represent the module’s CPU, memory, and disk provisioning. The system designates unlicensed modules with an (Unlicensed) label. The system also uses the (Unlicensed) label to represent modules whose licenses have expired.
Specifying provisioning levels For each module, you can specify one of the following provision levels: Dedicated, Nominal, Minimum, None (Disabled), or Lite (No License Required). The Dedicated setting specifies that this is the only active module. If you select the Dedicated setting for one module, the system resets other modules to the None (Disabled) setting. The Dedicated provisioning setting is primarily applicable for Application Security Manager, WebAccelerator™ and WAN Optimization Manager (WOM) systems installed in standalone configurations, that is, when a system contains no other installed modules, including Local Traffic Manager. The Nominal setting allocates CPU, memory, and disk space in a way that is applicable for most typical configurations.
The Minimum setting allocates the smallest amount of CPU, memory, and disk space to the corresponding module. The None (Disabled) setting indicates that there is no allocated CPU, memory, or disk space. When you select the None (Disabled) setting, the system allocates no CPU, memory, or disk space to the module. This is a typical setting for unlicensed modules. Depending on what you select or change, the system might require a reboot after provisioning or de-provisioning a module. The Lite (No License Required) setting allows certain modules to be configured with only a sub-set of their fully licensed features.
Provisioning a module using tmsh
You must provision a BIG-IP product before you can use tmsh to configure it. For example, you must provision the Global Traffic Manager™ before you can configure the tmsh gtm module. The command sequence list /sys provision displays the BIG-IP system modules that can be provisioned. For more information about provisioning, see provision, in the tmsh Reference Guide, and the TMOS Management Guide for BIG-IP® Systems.
To provision the minimum amount of resources for the BIG-IP Application Security Manager:
tmos> modify /sys provision asm level minimum
then reboot the system.
To de-provision the BIG-IP Application Visibility and Reporting Module (AVR):
tmos> modify /sys provision avr level none
then reboot the system.
Optional Lab: Provisioning
Note: Ask your instructor before doing this lab.
First you will need to license your system for both BIG-IP LTM and another BIG-IP product. Once your BIG-IP is licensed for LTM and another product, perform the steps to Nominally provision the other product in addition to BIG-IP LTM, then reboot your BIG-IP.
Issue the following command to show provisioning numbers for CPU and Memory:
tmos> show /sys provision
How much of the resources is allocated to LTM versus the other module(s)?
Issue the following command to see the provisioned level of each module:
tmos> list /sys provision
To de-provision the BIG-IP Application Visibility and Reporting Module (AVR):
tmos> modify /sys provision avr level none
then reboot the system.
Optional Lab: Reload Steps
Note: Ask your instructor for specific instructions when doing this lab. In some locations a re-install will cause problems for future classes, so please ask before doing this lab.
Download
1. Access the ISO and MD5 files per the instructor's directions.
2. Copy the files to the /shared/images directory.
Verify the Download
1. Check the ISO against the MD5 file with the command below (the bracketed names are placeholders for the files you downloaded):
   md5sum [image.iso] | diff - [image.md5]
2. If they are not the same, download the file again.
Reboot and make the other partition the active partition
1. Type switchboot and set the other partition as the default partition, then reboot.
Install
1. Install the ISO with the command:
   tmsh install /sys software image [image.iso] volume [HD1.X]
2. View the progress of the installation with the command:
   watch 'tmsh show /sys software status'
Reboot and make the other partition the active partition
1. Type switchboot and set the original partition as the default boot partition.
Verify Installation
1. After the system reboots, verify the version and note the hotfix.
   tmos> show /sys version
   tmos> show /sys license
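The "Verify the Download" step compares the digest of the downloaded ISO with the digest shipped in the MD5 file. The following Python script, an added example rather than F5 tooling, does the same check programmatically: it hashes the image in chunks, parses an md5sum-style file ("<hex digest>  <file name>"), and accepts the image only when the file is named in the digest list and the digests agree. The image bytes and the file names are constructed in a temporary directory; the name BIGIP-example.iso is a placeholder, not a real release.

```python
# Added example (not F5 tooling): MD5 verification of a downloaded image
# against an md5sum-style digest file, with a constructed image for the demo.
import hashlib
import os
import tempfile


def md5_of_file(path, chunk=1 << 20):
    """Hex MD5 of a file, read in 1 MiB chunks so large ISOs are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_md5_file(path):
    """Return {file name: digest} from an md5sum-style file.
    Blank lines and '#' comments are ignored; a leading '*' (binary-mode marker)
    on the file name is stripped."""
    digests = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, name = line.partition(" ")
            digests[name.strip().lstrip("*")] = digest.lower()
    return digests


def verify_image(iso_path, md5_path):
    """True only if the digest file names this image and the digests match."""
    expected = parse_md5_file(md5_path).get(os.path.basename(iso_path))
    if expected is None:
        return False            # digest file does not cover this image at all
    return md5_of_file(iso_path) == expected


def demo():
    """Write a constructed image plus a matching .md5 file, verify it, then append a
    byte (a truncated or corrupted transfer) and verify again. Returns (good, bad)."""
    d = tempfile.mkdtemp()
    iso = os.path.join(d, "BIGIP-example.iso")      # placeholder name, not a real release
    md5 = iso + ".md5"
    with open(iso, "wb") as f:
        f.write(b"constructed image bytes\n" * 1000)
    with open(md5, "w") as f:
        f.write(f"{md5_of_file(iso)}  {os.path.basename(iso)}\n")
    good = verify_image(iso, md5)
    with open(iso, "ab") as f:
        f.write(b"x")
    bad = verify_image(iso, md5)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

A digest check of this kind catches truncated or corrupted transfers, which is the failure the lab step is guarding against. It does not defend against an image that was substituted together with its digest file; for that you need a signature or a digest obtained over a channel you trust independently of the download.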
Appendix C – Additional v9 & v10 Labs This section contains several alternate Labs for students on previous BIG-IP versions including:
v10 – Initial Setup differences with v11
v9 - bigpipe command line lab steps
v10 – Redundant Pair differences with v11
Setup Utility Differences
Lab Requirements:
Reachable IP address on the management port and valid License for the BIG-IP LTM Systems
Setup Utility
1. Within the General Properties section, specify the following:
   Management Port Configuration: Manual
   IP Address: 192.168.X.31
   Network Mask: 255.255.0.0
   Management Route: 192.168.20.1
   Host Name: bigipX.f5trn.com
   Host IP Address: Use Management Port IP Address
   High Availability: Redundant Pair
   Unit ID: 1
   Time Zone: America/Los Angeles
2. Within the User Administration section, specify the following:
   Root Account Password: rootX
   Root Account Confirm: rootX
   Admin Account Password: adminX
   Admin Account Confirm: adminX
   SSH Access: Enabled
   SSH IP Allow: * All Addresses
3. Click Next.
4. Agree to the prompt indicating you will have to log in again. Click OK.
Configuring BIG-IP® LTM – © 2011 F5 Networks, Inc.
C-2
Appendix C – Additional Labs
NOTE: Note that you are setting the password of the root and admin accounts, not creating new accounts. The lab suggests you change the admin password from admin to adminX. If you do, you will need to log back into the system with the new password.
5. Log in to the system as user admin with the password adminX.
6. Select Basic Network Configuration and the internal VLAN by clicking Next.
Note: The Basic Network Configuration steps through creating two VLANs, internal and external, their interfaces and their self-IP addresses. Once that is complete, those VLANs can be modified or others created. If you choose the Advanced Network Configuration option, you must create VLANs and their settings manually. Internal Network Settings Self-IP Address Self-IP Netmask Self-IP Port Lockdown Floating IP Address Floating IP Port Lockdown Failover Peer
172.16.X.31 255.255.0.0 Allow Default 172.16.X.33 Allow Default 172.16.X.32
Internal VLAN Configuration VLAN Name VLAN Tag ID VLAN Interfaces
internal (Read Only) auto Untagged – Port 1.2
7. Click the Next button to configure the external VLAN, then specify the following: External Network Settings Self-IP Address Self-IP Netmask Self-IP Port Lockdown Default Gateway Floating IP Address Floating IP Port Lockdown
10.10.X.31 255.255.0.0 Allow 443 Leave blank 10.10.X.33 Allow 443
External VLAN Configuration VLAN Name VLAN Tag ID VLAN Interfaces
external (Read only) Auto Untagged – Port 1.1
8. Click Finished.
The Web Configuration Utility
1. Open a browser window to https://10.10.X.31 to connect to the Web Configuration Utility.
2. Accept the self-signed SSL certificate and log in as admin using the password set earlier (adminX was suggested).
3. Note options available on the Welcome page such as DNS, NTP, re-running the Setup Utility and links to materials such as the product documentation, AskF5, and DevCentral.
4. Click Network and note the parameters for Interfaces, Self IPs, and VLANs.
Command Line Access (SSH)
1. Open an SSH session and attempt to connect to the external IP address of your BIG-IP system (10.10.X.31). Some examples of SSH clients are PuTTY, TeraTerm, and SecureCRT.
2. Notice that you are not able to access your BIG-IP system. This is because Port Lockdown for the external self IP address defaults to Allow 443 only; access to port 22 is prevented.
3. From the web GUI select Network / Self IPs and then click the 10.10.X.31 self IP address.
4. Under Port Lockdown / Custom List, click the Port radio button, enter 22 as the port, click Add, and then click Update.
5. Once port 22 has been added, you should be able to use SSH to attach to your BIG-IP system. You may be prompted to accept the SSH host key; do so. Log in as root using the password set earlier (rootX was suggested).
Note: Port Lockdown is what keeps management services off the data-plane addresses. Opening 22 on the external self IP is a lab convenience; in production, reach the shell through the management port and leave the external self IP at Allow 443 (or Allow None).
6. If prompted for terminal type, select vt100.
7. Enter the following commands and compare to what you saw in the Network section. Note: "b" is short for "bigpipe".
b vlan show
b self show
b interface show
Saving a Configuration
1. From the Navigation pane, click System / Archives, then click Create.
2. Within the General Properties section, leave the defaults and specify the File Name as trainX_base.
3. When complete, click Finished. Soon, an OK button will appear. Click OK or select Archives again.
bigpipe Configuration Lab v9
Objective: In this lab, you will configure pools, iRules, and virtual servers using bigpipe commands and by editing the configuration files directly.
Lab Requirements:
Command line access to your BIG-IP System
Services to load balance including HTTP, HTTPS, FTP, SSH
Backup Configuration Using the bigpipe Command
Change to the /var/local/ucs/ directory and then type: b config save trainX_AdvBase.ucs
Create Pools Using bigpipe Commands
Create the pools below in the Common partition using bigpipe commands.
Example: b pool http_pool { lb method round robin min active members 2 member 172.16.20.1:80 priority 4 member 172.16.20.2:80 priority 4 member 172.16.20.3:80 }

Name        Load Balance                     Member        Port  Ratio  Priority
http_pool   Round Robin, Minimum Active: 2   172.16.20.1   80    1      4
                                             172.16.20.2   80    1      4
                                             172.16.20.3   80    1      1
https_pool  Ratio                            172.16.20.1   443   1      1
                                             172.16.20.2   443   2      1
                                             172.16.20.3   443   3      1
Save and View Configuration
1. Save the current configuration to file: b save
2. View the saved configuration: pico /config/bigip.conf
Create Pools by Editing the Configuration File Create the pools in the table below by editing the /config/bigip.conf file.
Example Format:
pool ssh_pool {
   member 172.16.20.1:ssh
   member 172.16.20.2:ssh
   member 172.16.20.3:ssh
}

Name        Load Balance   Member        Port  Ratio  Priority
ssh_pool    Round Robin    172.16.20.1   22    1      1
                           172.16.20.2   22    1      1
                           172.16.20.3   22    1      1
rule_pool   Round Robin    172.16.20.1   80    1      1
View the Current Configuration and Load the Saved Configuration
1. View the current configuration (in memory) by entering: b list
2. Do all of the pools show up in the list: http_pool, https_pool, ssh_pool and rule_pool?
3. Load the saved configuration (file) to memory by entering: b load
4. Do all the pools appear now when you enter b list?
Use the Verify Command Prior to Loading Files
1. Edit the /config/bigip.conf file and create a syntax error in the first line.
2. Verify the file (prior to loading) by entering: b verify load
3. View the current (in memory) configuration.
4. What is the current configuration in memory?
5. Load the current configuration file (including errors).
6. View the current (in memory) configuration. What is the state of the configuration?
7. What is your conclusion concerning syntax errors in the configuration file?
8. Edit the /config/bigip.conf file and remove the syntax error in the first line.
9. Load the saved configuration and verify it is in memory.
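The stanza format edited in the two exercises above, and the pre-load check that b verify load performs, can be reproduced offline. The following is an added example, not F5 code or anything from the lab guide: it parses a constructed bigip.conf-style text (the v9/v10 key names it assumes, such as allow under a self IP stanza and priority/ratio after a member, should be checked against your own files), reports brace errors with a line number the way a verify step would, audits external self IP port lockdown (the setting the SSH exercise in the Setup Utility lab loosened), and works out which members of http_pool receive traffic under priority group activation, which is what the "disable node 172.16.20.2" step in the verification table exercises.

```python
"""Offline parser and checks for bigpipe-style bigip.conf text.

Added example, not F5 code.  SAMPLE_CONF is constructed from the lab tables; the
v9/v10 stanza layout assumed here ('self <ip> { vlan ... allow ... }' and
'member <ip:port> priority N ratio N') should be checked against your own files.
"""
import re

SAMPLE_CONF = """\
pool http_pool {
   lb method round robin
   min active members 2
   member 172.16.20.1:80 priority 4
   member 172.16.20.2:80 priority 4
   member 172.16.20.3:80
}
self 10.10.1.31 {
   netmask 255.255.0.0
   vlan external
   allow tcp https
   allow tcp ssh
}
self 172.16.1.31 {
   netmask 255.255.0.0
   vlan internal
   allow default
}
"""


def parse_stanzas(text):
    """[(header, [inner lines])] per top-level 'header { ... }'; SyntaxError on bad braces."""
    stanzas, depth, header, body = [], 0, None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            if depth == 0:
                header, body = line[:-1].strip(), []
            else:
                body.append(line)   # nested brace: keep it with the enclosing stanza
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                stanzas.append((header, body))
            elif depth > 0:
                body.append(line)
            else:
                raise SyntaxError("line %d: '}' without matching '{'" % n)
        elif depth == 0:
            raise SyntaxError("line %d: text outside any stanza: %r" % (n, line))
        else:
            body.append(line)
    if depth:
        raise SyntaxError("missing '}' at end of file (inside %r)" % header)
    return stanzas


def verify(text):
    # Like 'b verify load': None when the text parses, else the error message.
    try:
        parse_stanzas(text)
    except SyntaxError as err:
        return str(err)
    return None


def audit_port_lockdown(stanzas):
    """[(self_ip, reason)] for external self IPs that expose management ports."""
    findings = []
    for header, body in stanzas:
        if not header.startswith("self ") or "vlan external" not in body:
            continue
        for words in (l.split()[1:] for l in body if l.startswith("allow ")):
            if words[0] in ("default", "all"):   # SSH, HTTPS, SNMP... on a data-plane address
                findings.append((header.split()[1], "port lockdown 'allow %s' on external VLAN" % words[0]))
            elif words[-1] in ("ssh", "22"):
                findings.append((header.split()[1], "SSH open on external self IP; remove after the lab"))
    return findings


def pool_info(stanzas, name):
    """(min active members, {member: (priority, ratio)}); defaults 0 / 1 / 1 when not written."""
    min_active, members = 0, {}
    for line in dict(stanzas)["pool " + name]:
        if line.startswith("min active members "):
            min_active = int(line.split()[-1])
        m = re.match(r"member (\S+)\s*(.*)", line)
        if m:
            opts = m.group(2).split()
            kv = dict(zip(opts[0::2], opts[1::2]))
            members[m.group(1)] = (int(kv.get("priority", 1)), int(kv.get("ratio", 1)))
    return min_active, members


def active_members(members, min_active_members, down=()):
    """Priority group activation: the members that receive traffic right now.

    0 disables it (priority ignored, every available member used).  Otherwise the
    highest priority group serves alone until fewer than min_active_members of it
    are available, then the next group down is added, and so on.
    """
    up = {m: prio for m, (prio, _) in members.items() if m not in down}
    if min_active_members == 0:
        return sorted(up)
    chosen = []
    for prio in sorted(set(up.values()), reverse=True):
        chosen += [m for m, p in up.items() if p == prio]
        if len(chosen) >= min_active_members:
            break
    return sorted(chosen)
```

With the sample, audit_port_lockdown flags the SSH entry on 10.10.1.31, and active_members on http_pool returns the two priority 4 members until one of them is marked down, at which point 172.16.20.3:80 is pulled in to keep two members active.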
Create a Rule 1. Create the rule in the table below using a bigpipe command.
Example: b rule text_rule '{ when HTTP_REQUEST { if {[HTTP::uri] contains "text"} {pool rule_pool} else {pool http_pool}}}'
NOTE: The command above uses a single quote or apostrophe, not a back tick, and would produce something like the rule below if you looked at the /config/bigip.conf file. The contains operator is a substring test on the whole URI, query string included, so it matches /text.one as well as /text.txt.
Name: text_rule
Logic:
when HTTP_REQUEST {
   if {[HTTP::uri] contains "text"} {
      pool rule_pool
   } else {
      pool http_pool
   }
}
2. Save the configuration file.
Create Profiles Using bigpipe Commands
1. Create profiles for persistence using bigpipe commands.
Example: b profile persist Pr_Src_Persist mode source addr timeout 15 mask 255.255.255.0 mirror enable

Name            Mode            Timeout  Mask           Persistence Mirroring
Pr_Src_Persist  Source Address  15       255.255.255.0  Yes (enable)
2. Save the configuration file.
Create Virtual Servers using bigpipe Commands 1. Create the Virtual Servers in the table below using bigpipe commands.
Example: b virtual vs_http destination 10.10.X.100:80 profile tcp http pool http_pool

Name     IP Address   Port  Profiles   Persistence  Resource
vs_http  10.10.X.100  80    tcp, http  None         http_pool
vs_text  10.10.X.101  80    tcp, http  None         text_rule
1. Save the configuration to file.
2. View the configuration file to verify the changes are saved.
Create Virtual Servers by Editing the Configuration File
1. Create the virtual servers in the table below by editing the /config/bigip.conf file.
Example:
virtual vs_https {
   destination 10.10.X.100:https
   ip protocol tcp
   profile tcp
   persist Pr_Src_Persist
   pool https_pool
}

Name      IP Address   Port  Profiles  Persistence     Resource
vs_https  10.10.X.100  443   tcp       Pr_Src_Persist  https_pool
vs_ssh    10.10.X.100  22    tcp       None            ssh_pool
2. View memory (b list) to check if the changes are there.
3. Load the saved /config/bigip.conf file via b load.
4. View memory (b list) to verify the changes are loaded now.
NOTE: Default settings won’t display in the bigip.conf file if they are the only parameter. For instance, note that the tcp profile and round robin LB settings are not displayed.
Verify Your Configuration
Activity: Examine /config/bigip.conf
Question: What types of parameters are stored here?
Working?: NA

Activity: Examine /config/bigip_base.conf
Question: What types of parameters are stored here?
Working?: NA

Activity: Connect to http://10.10.X.100 and refresh the screen 5-10 times
Question: Are you load balancing? Why or why not?

Activity: Disable node 172.16.20.2, connect again and refresh
Question: After disabling node 172.16.20.2, what changes?

Activity: Re-enable node 172.16.20.2

Activity: Open a browser and connect to https://10.10.X.100; refresh the screen 5-10 times
Question: Are you load balancing? Why or why not?

Activity: Connect to http://10.10.X.101 and refresh the screen 5-10 times; then connect to and refresh http://10.10.X.101/text.txt, http://10.10.X.101/file.txt and http://10.10.X.101/text.one
Question: Explain the results you are seeing based on what the rule text_rule does.

Activity: Using an SSH client, open a session to 10.10.X.100:22; log in using User-id: student, Password: student; view files: ls
Questions: Were you able to connect? Could you see the list of files? Which pool member did you connect to? Do you have an open connection?

Activity: Open a browser and connect (again) to https://10.10.X.100; refresh the screen 5-10 times; view the pool member statistics
Questions: Are you load balancing? Why or why not? Are you connecting to the same pool member as in the test above for https://10.10.X.100?
Redundant Pair Differences Setup utility Configuring a pair of BIG-IP systems is similar to configuring a single BIG-IP system. When you choose “Redundant Pair” in the Setup Utility, there are three additional parameters. You must set each system’s Unit ID, specify a partner address, and set floating IP addresses for each VLAN.
Combining Two Lab Systems
Typically, redundant pairs are configured when the Setup Utility is run initially. This lab is artificial, as we will change addresses on existing systems. First, find a partner and agree on your group number. For example, if stations 1 and 2 combine, the group station could be either 1 or 2. For these labs, we will refer to the system that is the partner number as "X" and the other system as "Y". Overall, the BIG-IP systems' partner addresses must point to each other, the floating addresses must be the same, Unit IDs must be different, and host names must be different. For the classroom, the third octet of the PCs' addresses matches the group number, "X". Finally, a failover cable should connect the two systems.
CONFIGURATION OF REDUNDANT PAIR IN CLASSROOM
Setup of Station X
Station X needs to change its partner address. Navigate to System / High Availability / Network Mirroring and change the Mirroring Address of your Peer from 172.16.X.32 to 172.16.Y.31.
Setup of Station Y
Station Y must change its partner address, its floating addresses, its Unit ID, and the admin user's password. For the classroom setting, the address of PC "Y" must be changed as well.
1. Change the partner address: Navigate to System / High Availability / Network Mirroring and change the Mirroring Address of your Peer from 172.16.Y.32 to 172.16.X.31.
2. Change the Unit ID: Navigate to System / Platform and change the Unit ID to 2.
3. Change the password for the admin user: Navigate to System / Platform and change the password to adminX, where X is the group station number.
4. Change the address of the PC from 10.10.Y.30 to 10.10.X.29. For remote classes, this may cause a temporary loss of connection with the PC.
5. The floating addresses will change automatically when the systems are synchronized.
NOTE: If the second system has no configuration, configure it per the options below.

System Y
Management interface: 192.168.Y.31
root password: rootY
Hostname: bigipY.f5training.com
High Availability: Redundant Pair
Unit ID: 2
admin password: adminX
SSH Access: * All Addresses

VLAN on 1.2
VLAN Name: internal
Self IP Address: 172.16.Y.31
Netmask: 255.255.0.0
Port Lockdown: Allow Default
Floating IP: 172.16.X.33
Failover Peer IP: 172.16.X.31
Port Association: 1.2 Untagged

VLAN on 1.1
VLAN Name: external
Self IP Address: 10.10.Y.31
Netmask: 255.255.0.0
Port Lockdown: Allow 443 & 22
Default Route: Leave Blank
Floating IP: 10.10.X.33
Port Association: 1.1 Untagged
Verification Verify that system Y is in standby mode. If not, check to be sure the failover cable is connected between the systems and that system Y has been set as Unit ID 2.
Synchronization Lab
Synchronization should always be done from the system whose configuration is to be kept. In this case, we wish to retain the virtual servers from system X, so we sync from X to Y.
Synchronizing Configuration 1. From the Navigation pane on system X, expand the System section and select High Availability. 2. Select the ConfigSync tab and click the Synchronize TO Peer.
Verification At this point, traffic should flow successfully for both PC clients regardless which BIG-IP system is active. Also, you should have access to the CLI and GUI on both BIG-IP systems from either PC.
Changing Roles: Active to Standby
1. From the Navigation pane, expand the System section and select High Availability.
2. Select the Redundancy tab and click Force to Standby.
3. Or, from the command line, enter: b failover standby
Add an FTP Virtual Server and Synchronize Configuration
To ensure synchronization can occur from either system, this section is designed to verify that system Y can synchronize to system X.
1. On system Y, create a new virtual server and pool with the following objects and settings:

Object: Pool
Name: ftp_pool
Pool Members: 172.16.20.1:21, 172.16.20.2:21, 172.16.20.3:21
Health Monitors: Leave Blank

Object: Virtual Server
Name: vs_ftp
Destination: 10.10.X.100
Service Port: 21 (or FTP)
FTP Profile: ftp
Default Pool: ftp_pool

2. Synchronize from system Y to system X.
3. Verify the new virtual server and pool were copied to the other system and that the virtual server is working properly regardless of which system is active. Use student as both the user ID and the password.
Failover Triggers Labs
Objective: During this lab, you will learn how to configure the VLAN Failsafe failover trigger.
VLAN Failsafe Lab
Enabling VLAN Failsafe
1. Navigate to System / High Availability / Fail-safe / VLANs.
2. Click Add.
3. In the Configuration section, select values for the following parameters:
VLAN: internal
Timeout: 30 seconds
Action: Failover
4. When complete, click Finished.
5. Configure the partner system as well; this setting is not synchronized.
6. On the active system, disconnect the Ethernet cable associated with the internal VLAN.
7. Alternate method for remote classes: disable the 1.2 interface.
   a. Configuration Utility: Network / Interfaces / check the box next to interface 1.2 and click Disable.
   b. Command line: b interface 1.2 disable
8. Watch both systems to view when the state change occurs. When the active system fails over, the standby system will go active almost immediately.
   a. Configuration Utility: refresh the page repeatedly.
   b. Command line: press the Enter key repeatedly.
   c. Physical box: view the STATUS light (Green – Active / Amber – Standby).
9. Reconnect the Ethernet cable.
10. Alternate method for remote classes: enable the 1.2 interface.
   a. Configuration Utility: Network / Interfaces / check the box next to interface 1.2 and click Enable.
   b. Command line: b interface 1.2 enable
11. Disable VLAN Failsafe on both systems before the next lab.
Network Failover Lab
Objectives: During this lab, you will configure network failover and differentiate between network and hardware (cable-based) failover.
Determining State Prior to Configuration
1. Open a console (serial or SSH) session to each system. On the standby system, press Enter to update the prompt repeatedly before and after the cable is removed (step 2).
2. Remove the failover cable from either system.
3. How quickly did the standby system also assume the active role?
4. Note that both systems are in active mode; both are trying to service all virtual servers, NATs and SNATs.
5. Replace the failover cable and note that Unit 2 reverts to standby mode.
Note: For remote classes, the instructor must remove and replace the failover cables.
Network Failover Configuration and Testing
1. This feature is not synchronized, so you must configure each system separately.
2. Navigate to System / High Availability / Network Failover.
3. On station X, enter the following in the Configuration section:
Network Failover: Check the box
Peer Management Address: 192.168.Y.31
Unicast: Configuration Identifier: Any Name; Local Address: Self IP address 172.16.X.31; Remote Address: 172.16.Y.31; Port: Blank (defaults to 1026)
Multicast: Leave Blank
4. On station Y, enter the following in the Configuration section:
Network Failover: Check the box
Peer Management Address: 192.168.X.31
Unicast: Configuration Identifier: Any Name; Local Address: Self IP address 172.16.Y.31; Remote Address: 172.16.X.31; Port: Blank (defaults to 1026)
Multicast: Leave Blank
5. When complete, click Update.
6. When both systems have been set, remove the failover cable from either system.
7. Note that the systems remain in active-standby mode.
8. Remove the Ethernet cable used for the VLAN of the self IP addresses used as network failover addresses. In the course labs, this should be port 1.2.
9. Alternate method for remote classes: disable the 1.2 interface.
   a. Configuration Utility: Network / Interfaces / check the box next to interface 1.2 and click Disable.
   b. Command line: b interface 1.2 disable
10. How quickly did the standby system also assume the active role?
11. Note that both systems are in active mode; both are trying to service all virtual servers, NATs and SNATs.
12. Replace the Ethernet cable and note that Unit 2 reverts to standby mode. How quickly did it revert to standby?
13. Alternate method for remote classes: enable the 1.2 interface.
   a. Configuration Utility: Network / Interfaces / check the box next to interface 1.2 and click Enable.
   b. Command line: b interface 1.2 enable
Return to Hardwired Failover
1. Reconnect the failover cable.
2. On each system, disable network failover by navigating to System / High Availability / Network Failover and clearing the Network Failover option.
3. When complete, click Update.
Connection Mirroring Lab
Objective: During this lesson, you will learn how to configure connection mirroring.
Lab Requirements:
Virtual server at 10.10.X.100:22 along with a pool of SSH servers
Behavior Prior to Configuring Connection Mirroring
Establish an SSH session
1. Using an SSH client such as PuTTY, open an SSH session to 10.10.X.100:22.
2. Log in as student / student.
3. Test your connection by typing ls or a similar command.
Perform Failover
1. Force the active system to standby (System / High Availability / Force to Standby).
2. Notice that the SSH connection has been lost.
Configuring Connection Mirroring and Testing Subsequent Behavior
Configure connection mirroring and synchronize the configuration
1. From either BIG-IP system's Navigation Pane, click Local Traffic / Virtual Servers and select the SSH virtual server.
2. Select Advanced from the Configuration menu.
3. Check the Connection Mirroring checkbox.
4. Click Update to set the changes.
5. Synchronize from the same system (System / High Availability / ConfigSync) and click the Synchronize TO Peer button.
6. Click OK when prompted.
Establish the SSH connection again and fail over again
1. Using an SSH client such as PuTTY, open an SSH session to 10.10.X.100:22.
2. Log in as student / student.
3. Test your connection by typing ls or a similar command.
4. Force the active system to standby (System / High Availability / Force to Standby).
5. Test your connection by typing ls or a similar command. Note that the connection is maintained.
Persistence Mirroring Lab
Objective: During this lesson, you will learn how to activate persistence mirroring for a pool where source address persistence is enabled.
Lab Requirements: You must have a virtual server and pool appropriate for persistence other than cookie persistence.
Behavior Prior to Configuring Persistence Mirroring
Configure persistence and establish an https session
1. From the Navigation Pane, expand the Local Traffic section, select Virtual Servers and then the virtual server vs_https.
2. Select the Resources tab and make sure Pr_Src_Persist is the Default Persistence Profile.
3. Synchronize from the same system (System / High Availability / ConfigSync / Synchronize TO Peer).
4. Open a browser session to https://10.10.X.100.
5. Ensure your session persists by pressing the F5 key several times.
View the persistence record
1. View the persistence records on both systems.
   a. From the Configuration Utility, navigate to Overview / Statistics. In the Display Options section, choose Persistence Records.
   b. From the command line, enter: b persist all show all
2. On the active system, you should see a record. On the standby, you should not.
3. Re-enter this command several times and notice that the Age of the record changes.
4. Let the Age count up to 30 seconds and then re-enter the command again. What happened to the persistence record?
5. Refresh the https://10.10.X.100 browser session again and then re-enter the command again. Did the Age count start over?
Perform failover
1. Force the active system to standby (System / High Availability / Redundancy / Force to Standby).
2. Refresh the session to https://10.10.X.100. While there is some chance the same node may be chosen, the https session does not persist to the same server. If it does seem to persist to the same node, fail over again and test. You may need to refresh by pressing Ctrl-F5 to ensure the browser does not simply display its cache.
Configuring Persistence Mirroring and Testing Subsequent Behavior
Configure persistence mirroring and synchronize the configuration
1. From the Navigation Pane, select the Local Traffic menu, Profiles option, Persistence tab, and then click the Pr_Src_Persist profile.
2. Check the Custom box and then the box adjacent to Mirror Persistence, and then click Update.
3. Synchronize from the same system (System / High Availability / ConfigSync / Synchronize TO Peer).
4. Make sure to check that the Mirror Persistence option was set on the other system for the Pr_Src_Persist profile.
Re-establish the https session, fail over and retest
1. Open a browser session to https://10.10.X.100.
2. Ensure your session persists by pressing Ctrl-F5 several times.
3. Force the active system to standby (System / High Availability / Redundancy / Force to Standby).
4. Refresh the browser session to https://10.10.X.100. Notice that the https session does persist to the same server.
5. View the persistence records on both systems.
   a. From the Navigation Pane, select Overview / Statistics. In the Display Options section, choose Persistence Records.
   b. From the command line, enter: b persist all show all
6. You should see a persistence record on both systems.
7. Re-enter this command several times and notice the Age of the record for each system. Does the Age remain the same on both systems?
8. Refresh the https://10.10.X.100 browser session again and then re-enter the command again. Explain the Age count on each system.
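The persistence profile created in the bigpipe lab (Pr_Src_Persist: source address, mask 255.255.255.0, timeout 15, mirroring enabled) and the two mirroring exercises above can be modelled offline. The following is an added example, not F5 code: a small persistence table with the mask and timeout applied, a mirror to a peer table, and a failover walk-through that shows why the https session lands on a different member without mirroring and on the same one with it. The round robin selector and the client and member addresses are stand-ins constructed for the example.

```python
"""Source-address persistence with mask, timeout and mirroring, modelled offline.

Added example, not F5 code.  It follows the lab's Pr_Src_Persist profile (mask
255.255.255.0, timeout 15 s, mirror enabled) with the clock passed in so the
timeout can be exercised; the round robin selector and the addresses are
stand-ins constructed for the example, not BIG-IP's load balancing.
"""
import ipaddress


class PersistTable:
    def __init__(self, mask="255.255.255.0", timeout=15):
        self.mask = int(ipaddress.IPv4Address(mask))
        self.timeout = timeout
        self.records = {}   # masked client address -> (member, time of last hit)
        self.peer = None    # standby table that receives mirrored records, if any

    def key(self, client_ip):
        """Apply the persistence mask: all clients in one /24 share a record."""
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(client_ip)) & self.mask))

    def expire(self, now):
        """Forget records that have been idle longer than the timeout."""
        self.records = {k: v for k, v in self.records.items() if now - v[1] <= self.timeout}

    def age(self, client_ip, now):
        """Seconds since the client's record was last refreshed; None if there is none."""
        rec = self.records.get(self.key(client_ip))
        return None if rec is None else now - rec[1]

    def lookup(self, client_ip, now, select):
        """Member for this client; select() is called only when no live record exists.

        Each hit refreshes the timestamp (the Age counter in the lab restarts on
        a page reload) and, when mirroring is on, pushes the record to the peer.
        """
        self.expire(now)
        k = self.key(client_ip)
        member = self.records[k][0] if k in self.records else select()
        self.records[k] = (member, now)
        if self.peer is not None:
            self.peer.records[k] = (member, now)
        return member


def round_robin(members):
    """Selector handing out members in order, starting with members[0]."""
    state = {"next": 0}

    def select():
        member = members[state["next"] % len(members)]
        state["next"] += 1
        return member
    return select


def timeout_demo():
    """Two clients in one /24 share a record, which expires after 15 idle seconds.

    Returns (member at t=0, member for the neighbour at t=3, age seen at t=10,
    member after 17 idle seconds at t=20): ('a', 'a', 7, 'b').
    """
    table, select = PersistTable(), round_robin(["a", "b"])
    first = table.lookup("10.10.1.30", 0, select)
    second = table.lookup("10.10.1.29", 3, select)    # same /24 -> same member, no new pick
    age = table.age("10.10.1.30", 10)                 # refreshed at t=3, so 7
    third = table.lookup("10.10.1.30", 20, select)    # 17 s idle > 15: record gone, new pick
    return first, second, age, third


def failover_demo(mirror):
    """Client 10.10.1.30 hits the active unit, the roles swap, the client returns.

    Returns (member before failover, member after).  With mirror=True the
    standby already holds the record and answers with the same member.
    """
    members = ["172.16.20.1:443", "172.16.20.2:443", "172.16.20.3:443"]
    active, standby = PersistTable(), PersistTable()
    if mirror:
        active.peer = standby
    before = active.lookup("10.10.1.30", 0, round_robin(members))
    # The new active unit's own round robin is started one member later so the
    # unmirrored case deterministically shows a different member; on real
    # hardware the unmirrored pick is whatever the LB method happens to return.
    after = standby.lookup("10.10.1.30", 5, round_robin(members[1:] + members[:1]))
    return before, after
```

The mask is why a second PC in the same /24 (10.10.X.29 in the redundant pair lab) would land on the same member as 10.10.X.30, and the mirror push in lookup is why the standby shows a record with the same Age once mirroring is on.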
MAC Masquerading Lab
Objective: Demonstrate MAC Masquerading.
Prior to Enabling MAC Masquerading
1. From a DOS window on your PC workstation, ping your BIG-IP LTM systems' external self IP addresses (10.10.X.31, 10.10.Y.31, 10.10.X.33) and virtual server addresses (10.10.X.100, 10.10.X.101, etc.).
2. After pinging, note the MAC addresses associated with the IP addresses by viewing your ARP table. In a DOS session, type arp -a.
3. From the active system's Navigation Pane, select the System menu, High Availability option, Redundancy tab, and click Force To Standby.
4. View your ARP table again. In a DOS session, type arp -a.
5. Note the changes in the ARP entries.
Configuring MAC Masquerading
1. From the Navigation Pane, select Network / VLANs, then click the external VLAN.
2. Select Advanced from the Configuration menu, and enter a unique MAC address in the MAC Masquerade box whose first octet is 02 (the locally administered bit set, so it cannot collide with a vendor-assigned address). Example: 02:00:00:00:00:XX, where XX is your station number. Click Update.
NOTE: This masquerade address must not match the hardware MAC address of any of your BIG-IP systems' ports, and it must be the same on both units of the pair.
3. Perform the same steps on your other system using the same MAC address. VLAN parameters are not synchronized.
Demonstrating MAC Masquerading
1. From a DOS window on your PC workstation, ping your BIG-IP systems' external self IP addresses (10.10.X.31, 10.10.Y.31, 10.10.X.33) and virtual server addresses (10.10.X.100, 10.10.X.101, etc.).
2. After pinging, note the MAC addresses associated with the IP addresses by viewing your ARP table. In a DOS session, type arp -a. This time both the floating self IP address and the virtual servers (10.10.X.33 & 10.10.X.100) should show the MAC masquerade address of 02:00:00:00:00:XX.
3. From the active system's Navigation Pane, select the System menu, High Availability option, Redundancy tab, and click Force To Standby.
4. View your ARP table again. In a DOS session, type arp -a.
5. Note any changes in the ARP entries. When using MAC masquerading, none of the ARP entries should change on failover.
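To record the before/after ARP comparison the lab asks for, and to sanity-check the masquerade address before typing it into both units, here is an added example (not F5 code or anything from the lab guide). The two arp -a listings are constructed to resemble station X's Windows output; the hardware MACs in them are made up.

```python
"""Compare 'arp -a' snapshots taken before and after a failover, and check a
MAC masquerade address before configuring it.

Added example, not F5 code.  The two ARP listings are constructed to look like
the lab's station X output; the hardware MACs in them are invented.
"""
import re

ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+\w+", re.I)

# Constructed: floating self IP and virtual server answered by unit 1's hardware MAC.
BEFORE_FAILOVER = """\
Interface: 10.10.1.30 --- 0xb
  Internet Address      Physical Address      Type
  10.10.1.31            00-01-d7-aa-aa-01     dynamic
  10.10.1.33            00-01-d7-aa-aa-01     dynamic
  10.10.1.100           00-01-d7-aa-aa-01     dynamic
  10.10.2.31            00-01-d7-bb-bb-01     dynamic
"""

# Constructed: after Force To Standby, unit 2's hardware MAC owns the floating addresses.
AFTER_FAILOVER = """\
Interface: 10.10.1.30 --- 0xb
  Internet Address      Physical Address      Type
  10.10.1.31            00-01-d7-aa-aa-01     dynamic
  10.10.1.33            00-01-d7-bb-bb-01     dynamic
  10.10.1.100           00-01-d7-bb-bb-01     dynamic
  10.10.2.31            00-01-d7-bb-bb-01     dynamic
"""


def parse_arp(text):
    """{ip: mac} from 'arp -a' output, MAC normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def changed_entries(before, after):
    """IPs whose MAC differs between the two snapshots: the addresses every
    client must re-learn via gratuitous ARP after failover when masquerading is off."""
    return sorted(ip for ip in before if ip in after and before[ip] != after[ip])


def check_masquerade_mac(mac, hardware_macs):
    """List of problems with a proposed MAC masquerade address (empty when it is fine).

    It must be unicast (bit 0 of the first octet clear), locally administered
    (bit 1 set, hence the 02:... prefix used in the lab) and must not collide
    with a real interface MAC on either BIG-IP.
    """
    octets = [int(o, 16) for o in mac.lower().replace("-", ":").split(":")]
    if len(octets) != 6 or any(o > 255 for o in octets):
        return ["not a 6-octet MAC address"]
    problems = []
    if octets[0] & 0x01:
        problems.append("multicast bit set; must be a unicast address")
    if not octets[0] & 0x02:
        problems.append("locally administered bit clear; use a 02:... style address")
    if ":".join("%02x" % o for o in octets) in {h.lower().replace("-", ":") for h in hardware_macs}:
        problems.append("collides with a hardware MAC")
    return problems
```

With the constructed snapshots, changed_entries reports the floating self IP and the virtual server and nothing else; with masquerading configured on both units the same comparison should return an empty list.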