F5 Networks Training
Configuring BIG-IP LTM v12 Local Traffic Manager Instructor Guide
v12.1 – June, 2016
Instructor Guide: Configuring BIG-IP LTM v12.1
Configuring BIG-IP LTM v12 Instructor Guide
Ninth Printing; June, 2016
This manual was written for F5 solutions at the version listed on the front cover of this document. Some of the features discussed in this course were added with this version; but many of the concepts also apply to previous and subsequent versions.
© 2016, F5 Networks, Inc. All rights reserved.
Support and Contact Information

Obtaining Technical Support
Web: tech.f5.com (Ask F5)
Phone: (206) 272-6888
Email (support issues): [email protected]
Email (suggestions): [email protected]

Contacting F5 Networks
Web: www.f5.com
Email: [email protected] & [email protected]

F5 Networks, Inc. (Corporate Office)
401 Elliott Avenue West
Seattle, Washington 98119
T (888) 88BIG-IP
T (206) 272-5555
F (206) 272-5557
[email protected]

F5 Networks, Ltd. (United Kingdom)
Chertsey Gate West
Chertsey Surrey KT16 8AP
United Kingdom
T (44) 0 1932 582-000
F (44) 0 1932 582-001
[email protected]

F5 Networks, Inc. (Asia Pacific)
5 Temasek Boulevard #08-01/02 Suntec Tower 5
Singapore, 038985
T (65) 6533-6103
F (65) 6533-6106
[email protected]

F5 Networks, Inc. (Japan)
Akasaka Garden City 19F 4-15-1 Akasaka, Minato-ku
Tokyo 107-0052 Japan
T (81) 3 5114-3200
F (81) 3 5114-3201
[email protected]
Legal Notices
Copyright
Copyright 2016, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
AAM, Access Policy Manager, Advanced Client Authentication, Advanced Firewall Manager, Advanced Routing, AFM, APM, Application Acceleration Manager, Application Security Manager, AskF5, ASM, BIG-IP, BIG-IP EDGE GATEWAY, BIG-IQ, Cloud Extender, Cloud Manager, CloudFucious, Clustered Multiprocessing, CMP, COHESION, Data Manager, DDoS Frontline, DDoS SWAT, Defense.Net, defense.net [DESIGN], DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, ENGAGE, Enterprise Manager, F5, F5 [DESIGN], F5 Agility, F5 Certified [DESIGN], F5 Networks, F5 SalesXchange [DESIGN], F5 Synthesis, f5 Synthesis, F5 Synthesis [DESIGN], F5 TechXchange [DESIGN], Fast Application Proxy, Fast Cache, FCINCO, Global Traffic Manager, GTM, GUARDIAN, iApps, IBR, iCall, iControl, iHealth, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iQuery, iRules, iRules OnDemand, iSession, L7 Rate Shaping, LC, Link Controller, LineRate, LineRate Point, LineRate Precision, LineRate Systems [DESIGN], Local Traffic Manager, LROS, LTM, Message Security Manager, MobileSafe, MSM, OneConnect, Packet Velocity, PEM, Policy Enforcement Manager, Protocol Security Manager, PSM, Ready Defense, Real Traffic Policy Builder, SalesXchange, ScaleN, SDAS (except in Japan), SDC, Signalling Delivery Controller, Solutions for an application world, Software Designed Applications Services, Silverline, SSL Acceleration, SSL Everywhere, StrongBox, SuperVIP, SYN Check, SYNTHESIS, TCP Express, TDR, TechXchange, TMOS, TotALL, Traffic Management Operating System, Traffix, Traffix [DESIGN], Transparent Data Reduction, UNITY, VAULT, vCMP, VE F5 [DESIGN], Versafe, Versafe [DESIGN], VIPRION, Virtual Clustered Multiprocessing, WebSafe, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners.
Materials
The material reproduced on this manual, including but not limited to graphics, text, pictures, photographs, layout and the like ("Content"), are protected by United States Copyright law. Absolutely no Content from this manual may be copied, reproduced, exchanged, published, sold or distributed without the prior written consent of F5 Networks, Inc.
Patents
This product may be protected by one or more patents indicated at: http://www.f5.com/about/policies/patents
Table of Contents
Chapter 1: Course Description ........ 1-1
    Course Overview ........ 1-1
    Audience ........ 1-1
    Course Objectives ........ 1-2
    Prerequisites ........ 1-3
    Additional Documentation and Resources ........ 1-4
    Course Outline ........ 1-5
Chapter 2: Print Version and Organizational Changes ........ 2-1
Chapter 3: Classroom Setup Instructions ........ 3-1
    Accessing the Instructor Site on F5 University ........ 3-1
    Accessing the ATC Support Site on F5 University ........ 3-3
    Classroom Network Configuration ........ 3-4
        Logical Networks ........ 3-4
        F5 Classroom Network Diagram ........ 3-5
        Instructor BIG-IP System IP Addresses ........ 3-6
        Student Workstation IP Addresses ........ 3-7
        Back-end Application Servers IP Addresses ........ 3-8
        Training Server 3.4 Routing Considerations ........ 3-9
    Setting Up the Instructor BIG-IP System (LTM17) ........ 3-10
        Overview ........ 3-10
        Setup Steps ........ 3-10
        Sample Script to Set LTM17 as Default Internet Gateway ........ 3-11
        LTM17 Configuration Object Use by Course ........ 3-12
    Setting Up the Back-End Servers ........ 3-15
        Setting Up Training Server 3.4 ........ 3-15
        DNS Zones on Training Server 3.4 ........ 3-19
        Setting Up Hack-It 2.0 Server ........ 3-23
        Setting Up dc.f5trn.com Server ........ 3-23
    Setting Up the Student Workstations ........ 3-24
        Student Workstation Tool Usage ........ 3-25
    Configuring BIG-IP LTM v12.1 Class Setup ........ 3-27
Chapter 1 – Course Description
Chapter 1: Course Description
Course Overview
Description
This three-day course gives network professionals a functional understanding of BIG-IP Local Traffic Manager, introducing students to both commonly used and advanced BIG-IP LTM features and functionality. Incorporating lecture, extensive hands-on labs, and classroom discussion, the course helps students build the well-rounded skill set needed to manage BIG-IP LTM systems as part of a flexible and high performance application delivery network.
Topics covered in this course include:
BIG-IP initial setup (licensing, provisioning, and network configuration)
A review of BIG-IP local traffic configuration objects
Using dynamic load balancing methods
Modifying traffic behavior with persistence (including SSL, SIP, universal, and destination address affinity persistence)
Monitoring application health with Layer 3, Layer 4, and Layer 7 monitors (including transparent, scripted, and external monitors)
Processing traffic with virtual servers (including network, forwarding, and reject virtual servers)
Processing traffic with SNATs (including SNAT pools and SNATs as listeners)
Configuring high availability (including active/standby and N+1 sync-failover device groups, connection and persistence mirroring, and sync-only device groups)
Modifying traffic behavior with profiles (including advanced HTTP profile options, caching, compression, and OneConnect profiles)
Advanced BIG-IP LTM configuration options (including VLAN tagging and trunking, SNMP features, packet filters)
Deploying application services with iApps
Customizing application delivery with iRules and local traffic policies
By the end of this course, the student should be able to use the Configuration utility, TMSH, and Linux commands to configure and manage BIG-IP LTM systems in an application delivery network. In addition, students should be able to monitor the BIG-IP system to achieve operational efficiency, and establish and maintain high availability infrastructure for critical business applications.
Audience
This course is intended for system and network administrators responsible for installation, setup, configuration, and administration of the BIG-IP LTM system.
Course Objectives
At the end of this course, the student will be able to:
Access the BIG-IP system to configure the management interface
Activate the BIG-IP system for operation, including licensing, provisioning, and optional device certificate installation
Use the Setup utility to create the classroom lab environment network configuration
Back up the BIG-IP system configuration for safekeeping
Configure virtual servers, pools, monitors, profiles, and persistence objects
Test and verify application delivery through the BIG-IP system using local traffic statistics
Configure priority group activation on a load balancing pool to allow servers to be activated only as needed to process traffic
Compare and contrast member-based and node-based dynamic load balancing methods
Configure connection limits to place a threshold on traffic volume to particular pool members and nodes
Differentiate between SSL, SIP, universal, and destination address affinity persistence, and describe use cases for each
Describe the three Match Across Services persistence options and use cases for each
Configure health monitors to appropriately monitor application delivery through a BIG-IP system
Configure different types of virtual services to support different types of traffic processing through a BIG-IP system
Configure different types of SNATs to support routing of traffic through a BIG-IP system
Establish device trust and configure an active/standby pair in support of high availability
Configure and manage a sync-failover device group with more than two members
Configure stateful failover using connection mirroring and persistence mirroring
Configure VLAN tagging and trunking
Restrict administrative and application traffic through the BIG-IP system using packet filters, port lockdown, and virtual server settings
Configure SNMP alerts and traps in support of remote monitoring of the BIG-IP system
Configure the BIG-IP system to act as a gateway between IPv4 and IPv6 networks
Use an F5-supplied iApp template to deploy and manage a website application service
Develop a simple iApp template
Use iRules and local traffic policies appropriately to customize application delivery through the BIG-IP system
Chapter 1 - Setting Up the BIG-IP System
BIG-IP System Setup Labs
The BIG-IP System Setup Labs are divided into several sections. Your instructor will tell you which lab to start with:
Lab 1.1 – Configure the Management Port
Lab 1.2 – Activate the BIG-IP System and Configure the Network
Lab 1.3 – Test Administrative Access
Lab 1.4 – Archive the Configuration
Estimated Time for Completion: 35 minutes
For all labs, when an “X” is listed in lab instruction steps, please substitute your lab station number instead. For example, for lab station 1, the IP address shown as 192.168.X.31 in the lab instructions would be entered as 192.168.1.31 when carrying out the instruction. A password specified as “rootX” in the instructions would be entered as root1. If lab instructions do not provide a value for a particular configuration parameter, accept whatever the default is for that parameter.
Lab Preparation Tasks
Verify workstation IP addresses are properly configured
Check your workstation’s network settings to ensure that it is configured with two IP addresses: 192.168.X.30/16 and 10.10.X.30/16. This will allow you to access the BIG-IP system through both the management network and external self IP, as well as access the applications you configure it to deliver.
Continue with Lab 1.1: Configure the Management Port
Configuring BIG-IP LTM v12
Lab 1.1 – Configure the Management Port (Optional for BIG-IP VE Classrooms)
Lab Objectives
Configure an IP address and network mask for the BIG-IP management port to provide administrative access to the BIG-IP system from the student’s workstation
Lab Requirements
For classrooms with BIG-IP hardware devices, serial console access to the BIG-IP system or physical access to the BIG-IP device if using the LCD option. This lab can be skipped if the management port is already configured, as is often the case in BIG-IP VE classroom environments.
Configure the Management Port
Your instructor will tell you which method you will use to configure your BIG-IP system’s management port, or if you will bypass this lab altogether (e.g. if your management port is already configured):
Lab 1.1A: Configure the Management Port via a Serial Console (pages 1-13 thru 1-14)
Lab 1.1B: Configure the Management Port via the LCD Panel (page 1-15)
If your management port is already configured, please skip to Lab 1.2, which begins on page 1-16.
Lab 1.1A: Configure the Management Port via a Serial Console
This lab requires serial console access to your BIG-IP system (not available in BIG-IP VE classroom environments).
Access the serial console
1. Gain access to the BIG-IP system’s serial port:
a. For classes using serial cables, connect a null-modem cable between the BIG-IP device and a terminal with VT-100 emulation. The serial settings should be N-8-1 at 19,200 bps.
b. For classes using serial terminal emulators, open an SSH session using PuTTY (or other SSH client) to the serial console IP address provided by your instructor. This should connect you to the serial port of your BIG-IP system. You may need to log into the console server before logging into the BIG-IP system in the next step. Your instructor will provide credentials, if necessary.
2. When prompted to log into the BIG-IP system, enter root for the username and default for the password.
3. At the Linux bash prompt (e.g. config #), enter the command: config
4. Start the utility by clicking the OK button.
Use the key to tab between fields and options in the config tool. Use the and/or keys to remove field content. Use the key to select an option (such as “OK” or “Next”). You can also select an option by moving the mouse cursor over a particular option (such as “OK” or “Next”) and clicking.
Select manual configuration of the IP address 5. On the Configure IP Address panel, ensure the No option is highlighted (to bypass automatic configuration of the IP address) and press the key. (If the No option is not already highlighted, use the key to tab to it before pressing the key.)
Set the IP address to 192.168.X.31 6. On the Configure IP Address panel, use the , , and/or arrow keys to change the IP address to 192.168.X.31, where “X” is your station number. After changing the IP address, press the key to highlight the OK option, then press the key to continue.
Set the netmask to 255.255.0.0 7. On the Configure Netmask panel, set the netmask to 255.255.0.0, press the key to highlight the OK option, then press the key to continue.
Set no default route 8. When prompted to create a default route for the management port, select the No option and press the key to continue. In our classroom environment, no default route is required.
Confirm the management port configuration
9. On the Confirm Configuration panel, ensure that your settings are correct, as shown below, then select the Yes option and press the key to complete the configuration. If the options are not correct, select the No option and rerun the config command.
IP Address: 192.168.X.31
Netmask: 255.255.0.0
Unless otherwise instructed, please skip forward to Lab 1.2: Activate the BIG-IP System and Configure the Network on page 1-16.
Lab 1.1B: Configure the Management Port via the LCD Panel (Optional)
This optional lab can only be performed on BIG-IP hardware devices.
This lab can only be carried out if your classroom environment includes BIG-IP hardware devices. All steps are done using the buttons to the right of the LCD display on the front of the BIG-IP device itself. The arrow buttons are used for navigation. The checkmark button is used to make a selection or to save a setting.
10. Press the red X button to start the configuration process.
11. Using the up/down arrows, navigate to the System menu and press the green check mark button to select it.
12. Navigate to the Management menu and press the green check mark button to select it.
13. Navigate to the IP Address menu and select it.
14. Navigate to the IP Address field and select it.
15. Using the up and down arrow keys to increment/decrement the values in each octet, enter the IP address as 192.168.X.31 where “X” is your station number. Press the green check mark button to save your setting.
16. Navigate to the Netmask field and select it.
17. Enter the netmask as 255.255.0.0 and save your setting.
18. Use the down arrow to navigate to the Commit menu and select it. When you see the OK menu blinking, click the green checkmark button.
Continue with Lab 1.2: Activate the BIG-IP System and Configure the Network
Lab 1.2 – Activate the BIG-IP System and Configure the Network
Lab Objectives
Ensure the BIG-IP system:
Is properly licensed and provisioned
Has a valid host name, and updated root and admin user credentials
Has the VLANs and Self IPs that are used in support of the classroom lab environment
Is prepared for high availability
Lab Requirements
Access to the BIG-IP system’s base registration key
Access to the Internet or to the BIG-IP system’s license file
Network access to the BIG-IP system’s management port on the 192.168/16 network
Access the Configuration utility via the MGMT Port
Start the Setup utility
1. Open a browser session to https://192.168.X.31 where “X” is your station number. BIG-IP ships with a self-signed SSL certificate. Accept the certificate (not permanently, if using Firefox) and log in with username admin and password admin.
Upon connecting to your BIG-IP system, you should be directed to the Setup utility. Please let your instructor know if you are not placed directly into the Setup utility.
2. Click the Next button to start the Setup utility.
If your BIG-IP system is already licensed, a “Reactivate” button and a “Next” button will appear at the bottom of the License page. If this is the case, click the “Next” button and skip forward in this lab to Provision Your BIG-IP System. Otherwise, continue with the next step.
3. On the subsequent Setup Utility » License page, click the Activate button to begin the licensing process.
License the BIG-IP system
If you have Internet access from your classroom workstation, follow the instructions in step 4. If you do not have Internet access from your classroom workstation, follow the instructions in step 5.
4. Manually activate your BIG-IP license at the F5 License Server:
a. Ensure there is already a value present in the Base Registration Key field on the Setup » License page. If the field is blank, please ask your instructor for assistance in locating the proper registration key to use with your BIG-IP system.
b. In the Activation Method setting, select the Manual radio button.
c. In the Manual Method setting, select the Download/Upload File radio button.
d. In the Step 1: Dossier area, click the button that reads Click Here to Download Dossier File. If prompted where to save the dossier, select your desktop. Note where the dossier was downloaded, as you will need it to generate a license.
e. In Step 2: Licensing Server, click the link that reads Click here to access F5 licensing server to open a new browser window to the F5 license server.
f. On the F5 License Server, click the Activate License link.
g. Click the Choose File button to the right of the Select your dossier file prompt. Locate the dossier you downloaded in step 4d, and upload it to the F5 License Server.
h. Click the Next button on the F5 License Server to generate a license from the dossier. (You may be prompted to accept the terms of the F5 License Agreement.)
i. On the resulting page, click the Download license button to download the generated license to your workstation. If prompted where to save the license, select your desktop. Note where the license was downloaded, as you will need it to complete activation.
j. Back on your BIG-IP system, on the Setup » License page, click the Choose File button to the right of the Step 3: License field. Locate the license you downloaded in step 4i, and upload it to your BIG-IP system.
k. Click the Next button on the BIG-IP system to complete license activation.
l. Your BIG-IP system will take a few moments to verify the license activation. Wait for the verification to complete successfully, and click the Continue button to return to the next step in the Setup utility.
Skip forward in this lab to Provision Your BIG-IP System (step 6).
Your instructor will let you know where to find the license file for your BIG-IP system. Make sure this file is available to you before carrying out step 5 below. Please skip to step 6 if you licensed your BIG-IP system in step 4.
5. Manually activate your BIG-IP license using an existing license file:
a. Ensure there is already a value present in the Base Registration Key field on the Setup » License page. If the field is blank, please ask your instructor for assistance in locating the proper registration key to use with your BIG-IP system.
b. In the Activation Method setting, select the Manual radio button.
c. In the Manual Method setting, check the Download/Upload File radio button.
d. In the Step 1: Dossier area, click the button that reads Click Here to Download Dossier File. If prompted where to save the dossier, select your desktop. Normally at this point, you would access the F5 License Server and upload the dossier you just downloaded to generate a license. This has already been done for you in this classroom environment. Please ask your instructor for assistance if you do not know where the appropriate license file for your BIG-IP system is located.
e. In the Step 3: License area, click the button that reads Choose File. Navigate to the license file you identified earlier, and upload it to your BIG-IP system.
f. Click the Next button on the BIG-IP system to complete license activation.
g. Your BIG-IP system will take a few moments to verify the license activation. Wait for the verification to complete successfully, and click the Continue button to return to the next step in the Setup utility.
Skip forward in this lab to Provision Your BIG-IP System (step 6).
Provision Your BIG-IP System
6. On the Resource Provisioning page of the Setup utility, provision your BIG-IP system as shown below.
Setup Utility » Resource Provisioning
Current Resource Allocation section:
Management (MGMT): Small
Local Traffic (LTM): Nominal
When complete, click Next (or Submit).
Your BIG-IP may produce a warning message that certain system daemons may restart or the system may reboot, causing your session to wait for anywhere up to several minutes. This is normal behavior when changing provisioning settings. Click the OK button to continue.
Accept the BIG-IP Self-Signed Device Certificate
7. After provisioning is complete, you should be taken to the Device Certificates page in the Setup utility. We will be using the BIG-IP system’s self-signed certificate in class. Note the expiration date for the certificate. (If the certificate is expired, please notify the instructor.) Click the Next button to continue the Setup utility.
Configure Platform General Properties and User Administration
8. Configure host name, time zone, and administrative access usernames/passwords. Remember to substitute your station number for “X.” Some fields may already contain the correct values. Where specific information is not provided in the instructions below, accept the defaults on your BIG-IP system.
Setup Utility » Platform
General Properties section:
Management Port Configuration: Manual
Management Port: IP Address[/prefix]: 192.168.X.31; Network Mask: 255.255.0.0
Host Name: bigipX.f5trn.com
Host IP Address: Use Management Port IP Address
Time Zone: Set to your classroom’s local time zone
User Administration section:
Root Account: Disable login: Unchecked; Password: rootX; Confirm: rootX
Admin Account: Password: adminX; Confirm: adminX
When complete, click Next, then OK.
You are changing the passwords for the root and admin accounts, not creating new accounts. Since you are currently logged in using the admin account, you will need to log back in again with your new password.
9. Log back in to BIG-IP as user admin with password adminX. You should be taken directly to the Setup Utility » Network page.
Configure the Classroom Network
10. Continue the Setup utility by performing a Standard Network Configuration. Click the Next button under the Standard Network Configuration heading.
Configure Redundant Device Wizard options
11. Set Redundant Device Wizard Options to prompt for ConfigSync settings and High Availability options.
Setup Utility » Redundancy
Redundant Device Wizard Options section:
ConfigSync: Check the box for Display configuration synchronization options
High Availability: Check the box for Display failover and mirroring options; Select Network for Failover Method
When complete, click Next.
Configure Self IPs and VLANs
12. Configure VLAN internal and its self IPs, interface, and default port lockdown settings.
Setup Utility » VLANs
Internal Network Configuration section:
Self IP: Address: 172.16.X.31; Netmask: 255.255.0.0; Port Lockdown: Allow Default
Floating IP: Address: 172.16.X.33; Port Lockdown: Allow Default
Internal VLAN Configuration section:
VLAN Interfaces: Interfaces: Select 1.2; Tagging: Select Untagged; Click the Add button
When complete, click Next.
1-22
Chapter 1 - Setting Up the BIG-IP System
13. Configure VLAN external and its self IPs, interface, and port lockdown settings.

Setup utility: Setup Utility » VLANs
External Network Configuration section
  External VLAN: Click the Create VLAN external radio button
  Self IP: Address: 10.10.X.31; Netmask: 255.255.0.0; Port Lockdown: Allow None
  Floating IP: Address: 10.10.X.33; Port Lockdown: Allow None
  Default Gateway: Leave blank
External VLAN Configuration section
  Interfaces: Select 1.1; Tagging: Select Untagged; click the Add button
When complete, click… Next
14. Configure the high availability network to use the existing VLAN named internal.

Setup utility: Setup Utility » VLANs
High Availability Network Configuration section
  High Availability VLAN: Click the Select existing VLAN radio button
  Select VLAN: internal
When complete, click… Next

Configure Network Time Protocol

15. If NTP servers are needed in your course, they will be configured in a later lab. Leave this page with its default settings, and click the Next button to continue.

Configure Domain Name Server

16. If DNS settings are required in your course, they will be configured in a later lab. Leave this page with its default settings, and click the Next button to continue.
Configure ConfigSync

17. Configure ConfigSync on the non-floating self IP for VLAN internal, the VLAN we’re using for high availability (HA).

Setup utility: Setup Utility » ConfigSync
ConfigSync Configuration section
  Local Address: 172.16.X.31 (internal)
When complete, click… Next

Configure Failover Unicast and Failover Multicast settings

18. Use the default settings for Failover Unicast Configuration and Failover Multicast Configuration, as shown below:

Setup utility: Setup Utility » Failover
Failover Unicast Configuration section
  Local Address | Port | VLAN
  172.16.X.31 | 1026 | internal
  192.168.X.31 | 1026 | Management Address
Failover Multicast Configuration section
  Use Failover Multicast Address: Unchecked (Disabled)
When complete, click… Next
Mirroring configuration

19. Use the default primary and secondary local mirror address settings for Mirroring Configuration, as shown below:

Setup utility: Setup Utility » Mirroring
Mirroring Configuration section
  Primary Local Mirror Address: 172.16.X.31 (internal)
  Secondary Local Mirror Address: None
When complete, click… Next

Finish the Setup Utility

You have now completed configuring the network interfaces that are used in support of the basic classroom environment. If your course requires additional HA configuration, it will be performed in a later lab.

20. Click the Finished button under the Advanced Device Management Configuration heading. You should be taken to the Welcome page, and there should be a message at the top of the page indicating Setup Utility Complete.
Classroom Network Configuration Diagram

Figure 6: Conceptual representation of your classroom environment after lab completion
Continue with Lab 1.3: Test Administrative Access
Lab 1.3 – Test Administrative Access

Lab Objectives
- Ensure that your BIG-IP network settings are correct
- Customize administrative access to the BIG-IP system by allowing SSH and HTTPS traffic directly to the self IPs for VLAN external

Lab Requirements
- Access to a BIG-IP system that has completed the initial setup process, including management port configuration, licensing, provisioning, device certificate setup, and standard network configuration.

Test Administrative Access to the BIG-IP System

Test SSH (port 22) access to the management port

21. Using PuTTY, open an SSH session to the management port at 192.168.X.31. Make sure the protocol is set to SSH (port 22) before connecting. Log in as root with password rootX.

Test HTTPS (port 443) access to VLAN external’s self IPs

22. Try to open a browser session to https://10.10.X.31. Were you able to connect?
Your browser connection in the previous step should fail, as the self IP is currently protected via Port Lockdown. When using the Setup utility to create VLAN external, the BIG-IP system allows no access to VLAN external’s self IPs by default (“Allow None”). This is a change in behavior from previous versions where the Port Lockdown setting for VLAN external’s self IPs defaulted to “Allow 443” when running the Setup utility.
23. Navigate to Network » Self IPs » 10.10.X.31 and reconfigure the self IP address 10.10.X.31 to also allow access via port 443.

Configuration utility: Network » Self IPs » 10.10.X.31
Configuration section
  Port Lockdown: Select Allow Custom
  Custom List: Select the TCP and Port radio buttons; enter 443 in the field that appears to the right of Port; click the Add button
When finished… Click Update

24. Try to open a browser session to https://10.10.X.31 again. This time you should be successful. Accept the site’s certificate, if and when prompted about the validity of the certificate. If using Firefox, do not create a permanent exception. (Uncheck the permanent exception box.)

25. Log in as user admin with password adminX.

26. Try to open a browser window to https://10.10.X.33, the floating self IP on VLAN external. If you were unsuccessful, fix the problem using the same method as you did in an earlier step.
Test SSH (port 22) access to VLAN external’s non-floating self IP

27. Using PuTTY, try to open an SSH session to 10.10.X.31. Were you able to connect? Why or why not? If you were unable to connect, allow SSH access to 10.10.X.31 using the same method as in an earlier step, and test.

Configure command line access for the admin user

28. On your PuTTY session to 10.10.X.31, attempt to log in with the admin user credentials (admin / adminX). Were you successful?
Your attempt to log in to the command line interface as the admin user in the previous step should fail. By default, the admin user does not have command line access.
29. Navigate to System » Users and update the admin user settings to permit access to the command line interface, but only to TMSH.

Configuration utility: System » Users : User List, then click on user admin
Account Properties section
  Terminal Access: tmsh
When finished, click… Update

When changing terminal access for the admin user (the user you are currently logged in as), you may have to log back on to the Configuration utility again.
30. Open an SSH session to 10.10.X.31 or to 192.168.X.31 and test logging in with the admin user credentials again.
Check root user access to the Configuration utility

31. Open a browser window to https://10.10.X.31 or https://192.168.X.31 and attempt to log in as the root user. Were you successful?

Your attempt to log into the Configuration utility as user “root” should fail. User “root” does not have access to the BIG-IP system’s administrative Configuration utility, only to the command line. This cannot be changed.
Continue with Lab 1.4: Archive the Configuration
Lab 1.4 – Archive the Configuration

Lab Objectives
- Create a UCS archive of the BIG-IP system configuration.

Create a UCS Archive of Your Configuration

32. Open a browser window to https://10.10.X.31 or https://192.168.X.31 and create a backup of your current configuration.

Configuration utility: System » Archives, then click Create
General Properties section
  File Name: trainX_base.ucs
When complete, click… Finished, then click OK when the archive is complete

33. Download your new UCS backup to your workstation hard drive for possible use in a later lab.

Configuration utility: System » Archives, then click trainX_base.ucs
General Properties section
  Archive File: Click Download: trainX_base.ucs, then save to the desktop of your management PC, if prompted.
Chapter 2 - Reviewing Local Traffic Configuration
Lab 2.1 – Configure for Application Delivery using the Configuration Utility

Lab Objectives
- Use the Configuration utility to create the configuration objects that will be used to deliver two applications (one HTTP, the other HTTPS) through the BIG-IP system

Estimated time for completion: 30 minutes

Lab Requirements
- BIG-IP base setup configuration
Remember to substitute your station number for the letter “X.” For example, 10.10.X.100 becomes 10.10.4.100 if you are working at station 4.
Use the Configuration Utility to Create Local Traffic Objects

Create an HTTP monitor

Create a custom HTTP monitor that will check the health of the HTTP application you will be deploying later. Use the specifications in the table below:

  Name: configltm_http_monitor
  Type: HTTP
  Settings: Send String: GET /index.php\r\n; Receive String: Server [1-3]
Create pools

Define the load balancing pool whose members serve the HTTP application content. Use the specifications in the table below:

  Name: http_pool
  Load Balancing Method: Ratio (member)
  Monitor: configltm_http_monitor
  Members | Ratio
  172.16.20.1:80 | 1
  172.16.20.2:80 | 2
  172.16.20.3:80 | 3

Define the load balancing pool whose members serve the HTTPS content for our application. Use the specifications in the table below:

  Name: https_pool
  Load Balancing Method: Round Robin
  Members: 172.16.20.1:443, 172.16.20.2:443, 172.16.20.3:443
Create a source address affinity persistence profile

Create a source address affinity persistence profile that will be used on the virtual server that delivers the HTTPS application. Use the specifications in the table below. (The Timeout setting is deliberately low so that you can observe persistence records expiring more quickly.)

  Name: configltm_src_persist
  Persistence Type: Source Address Affinity
  Parent Profile: source_addr
  Custom Settings: Timeout: 30 seconds; Prefix Length: Specify IPv4 and 16

Create virtual servers

Use the specifications in the table below to create the virtual server that will deliver the HTTP application:

  Name: http_vs
  Destination Address:Port: 10.10.X.100:80
  Default Pool: http_pool
Use the specifications in the table below to create the virtual server that will deliver the HTTPS application:

  Name: https_vs
  Destination Address:Port: 10.10.X.100:443
  Default Pool: https_pool
  Default Persistence Profile: configltm_src_persist
Test Application Delivery and View Traffic Statistics

Observe traffic distribution patterns with ratio (member) load balancing

- Open a browser session to the HTTP application (http_vs) at http://10.10.X.100. Hard-refresh (Ctrl+F5) the page 5-10 times.
- On your BIG-IP system, view Local Traffic Statistics for the virtual server and pool. (Statistics » Module Statistics : Local Traffic, then select Pool and Virtual Servers for Statistics Type)
  a. How many connections total to http_vs?
  b. How many connections total to http_pool (as a whole)?
  c. How many connections to each pool member in http_pool?
  d. Are the connections being load balanced to the pool members as you expected?
- Reset statistics for the virtual server and pool.
- Change the ratio on each member in http_pool as shown in the table below:
  Pool Member | Ratio
  172.16.20.1:80 | 4
  172.16.20.2:80 | 4
  172.16.20.3:80 | 1
- Back on your browser session with http://10.10.X.100, hard-refresh the page 5-10 times again. View the statistics for pool http_pool again and confirm that connections are being load balanced according to the new ratios.
Observe traffic distribution with round robin load balancing and persistence

- Open a browser session to the HTTPS application (https_vs) at https://10.10.X.100. Hard-refresh (Ctrl+F5) the page 5-10 times.
  a. Do you have a secure connection?
  b. Are all your connections being load balanced? Why or why not?
- View the persistence records for your BIG-IP system from the command line, and determine which pool member you are persisting to:
  tmsh show ltm persistence persist-records
  a. When the persistence record expires, refresh the browser session again. Are you persisting to the same pool member?
  b. View local traffic statistics for https_pool to confirm your observations.
- Have another student in the classroom (or the instructor) access your HTTPS application (https_vs) at https://10.10.X.100.
  a. Are they able to reach your virtual server? If not, think about the default routes on the back-end servers and adjust the configuration on http_vs so that they can access your virtual server.
  b. Once they can access your virtual server, are they persisting to the same pool member as you? Why or why not?

Remove persistence and retest

- Remove persistence from https_vs.
- Back on your browser session to https://10.10.X.100, hard-refresh the page several times. View local traffic statistics on your BIG-IP system again to see how connections were distributed to the pool members.
Expected Results

When you first tested the HTTP application through virtual server http_vs and its associated pool http_pool, and viewed local traffic statistics, you should have seen connections distributed to all pool members with a ratio of nearly 1:2:3 for the pool members at 172.16.20.1, 172.16.20.2, and 172.16.20.3 respectively. After changing each member’s ratio and retesting, the connections should have been distributed with a ratio of nearly 4:4:1.

When you first tested the HTTPS application through virtual server https_vs and its associated pool https_pool, you should have seen one load balancing decision made. Subsequent connections from your workstation (and the other student’s workstation) should have been directed to the same pool member as the result of the source address affinity persistence profile attached to the virtual server. You should have seen persistence information similar to the following:

  Sys::Persistent Connections
  source-address 10.10.0.0 10.10.4.100:443 172.16.20.3:443 (tmm: 0)
  Total records returned: 1

After waiting 30 seconds for the persistence record to expire, you should have seen another load balancing decision being made, followed by the creation of a new persistence record. Also, the other student could not access your application until you added source address translation, such as Auto Map, to the virtual server’s configuration. Once added, that student’s connections to your virtual server should have persisted to the same pool member as you, due to the persistence mask (10.10.0.0).
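The following Python model is an added illustration of the behaviour the expected results describe; it is not F5 code and not part of the lab. It replays one round-robin decision for the first HTTPS connection, reuse of that record by any client whose source address falls under the same /16 (Prefix Length 16, so 10.10.4.100 becomes the key 10.10.0.0), and a fresh decision once the 30-second timeout has passed. The second client address 10.10.7.100 is constructed, the record layout approximates the tmsh output without the tmm column, and the assumption that each matching connection extends the record’s lifetime is marked in the code.

```python
"""Source address affinity persistence with a prefix length and timeout, as
configured by configltm_src_persist in Lab 2.1. Added model, not F5 code."""
import ipaddress
from itertools import cycle
from typing import Dict, List, Tuple


class SourceAddressPersistence:
    """Persistence table keyed by the client's source network (prefix_len bits)."""

    def __init__(self, members: List[str], virtual: str,
                 prefix_len: int = 16, timeout: float = 30.0) -> None:
        self.members = members
        self.virtual = virtual                 # shown in each record, e.g. 10.10.4.100:443
        self.prefix_len = prefix_len           # Prefix Length: IPv4 16 -> mask 255.255.0.0
        self.timeout = timeout                 # Timeout: 30 seconds
        self._round_robin = cycle(members)     # https_pool uses Round Robin
        self.records: Dict[str, Tuple[str, float]] = {}   # key -> (member, expires_at)
        self.lb_decisions = 0                  # how often the LB method actually ran

    def key(self, client_ip: str) -> str:
        """Mask the source address to prefix_len bits: 10.10.4.100/16 -> 10.10.0.0."""
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return str(net.network_address)

    def route(self, client_ip: str, now: float) -> str:
        """Pool member for a new connection from client_ip at time `now` (seconds):
        an unexpired record wins, otherwise a new load balancing decision is made."""
        k = self.key(client_ip)
        rec = self.records.get(k)
        if rec is not None and now < rec[1]:
            member = rec[0]
        else:
            member = next(self._round_robin)
            self.lb_decisions += 1
        # Assumption of this model: every matching connection extends the record
        # by the profile timeout, so it expires after 30 s without traffic.
        self.records[k] = (member, now + self.timeout)
        return member

    def show_records(self, now: float) -> List[str]:
        """Unexpired records, laid out like `tmsh show ltm persistence persist-records`."""
        lines = ["Sys::Persistent Connections"]
        for k, (member, expires_at) in self.records.items():
            if now < expires_at:
                lines.append(f"source-address {k} {self.virtual} {member}")
        lines.append(f"Total records returned: {len(lines) - 1}")
        return lines


def lab_walkthrough() -> Dict[str, object]:
    """Replay Lab 2.1 at station 4: your browser (10.10.4.100), a second student's
    workstation (10.10.7.100, constructed), then a refresh after the record expired."""
    p = SourceAddressPersistence(
        ["172.16.20.1:443", "172.16.20.2:443", "172.16.20.3:443"], "10.10.4.100:443")
    first = p.route("10.10.4.100", now=0.0)
    same_client = [p.route("10.10.4.100", now=t) for t in (1.0, 2.0, 3.0)]
    other_student = p.route("10.10.7.100", now=5.0)     # same /16 -> same member
    records_before = p.show_records(now=6.0)
    after_expiry = p.route("10.10.4.100", now=40.0)     # 35 s idle > 30 s timeout
    return {
        "first": first,
        "same_client": same_client,
        "other_student": other_student,
        "records_before": records_before,
        "after_expiry": after_expiry,
        "lb_decisions": p.lb_decisions,
    }
```

Changing `prefix_len` to 32 in the constructor gives the default source_addr behaviour, where each client address keeps its own record and the second student would get a separate load balancing decision.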
Continue with Lab 2.2: Configure for Application Delivery using TMSH
Lab 2.2 – Configure for Application Delivery using TMSH

Lab Objectives
- Use TMSH to create a virtual server and associated pool and monitor to deliver an SSH application through the BIG-IP system
- Use TMSH to create and assign a monitor to an existing pool

Estimated time for completion: 30 minutes

Lab Requirements
- BIG-IP base setup configuration
Lab Overview In this lab, you will use TMSH to configure the BIG-IP system for delivery of an SSH application, and verify traffic by viewing statistics from the command line. Remember to use the TMSH command completion feature and TMSH help to determine command syntax.
Use TMSH to Create Local Traffic Objects

Create a pool and view its configuration

- Use TMSH to define a load balancing pool whose members serve the SSH application content. (A command hint is shown below the table.)
  Name: ssh_pool
  Load Balancing Method: Round Robin
  Members: 172.16.20.1:22, 172.16.20.2:22, 172.16.20.3:22

  (tmos)# create /ltm pool ssh_pool load-balancing-mode round-robin members add { 172.16.20.1:22 172.16.20.2:22 172.16.20.3:22 }

- View the pool in the running configuration: list /ltm pool ssh_pool
- Save the running configuration to the stored configuration: save sys config
- Exit TMSH to return to the Linux bash prompt: quit
- View bigip.conf. (Try both commands below. To terminate the “more” command, type “q”.) Do you see configuration data for ssh_pool? Why or why not?
  more /config/bigip.conf
  grep "ssh_pool" /config/bigip.conf
Create a virtual server and view its configuration

- Use TMSH to create a virtual server that will deliver the SSH application.
  Name: ssh_vs
  Destination Address:Port: 10.10.X.100:22
  Default Pool: ssh_pool
  Profiles: tcp

  (tmos)# create /ltm virtual ssh_vs destination 10.10.X.100:22 pool ssh_pool profiles add { tcp }

- View the virtual server in the running configuration: list /ltm virtual ssh_vs
- Exit TMSH to return to the Linux bash prompt.
- View bigip.conf again. Do you see configuration data for ssh_vs? Why or why not?
- Save the running configuration to the stored configuration.
- Verify ssh_vs is now in the stored configuration.

View general stored configuration data

- In viewing /config/bigip.conf, what types of configuration objects do you find stored here?
- View /config/bigip_base.conf. What types of configuration objects are stored here?
- View /config/bigip_user.conf. What types of configuration objects are stored here?
- View /config/bigip.license. What is the service check date for your BIG-IP system?

Test Application Delivery and View Traffic Statistics

Connect to the virtual server and view statistics

- Open a separate SSH session (PuTTY, etc.) to ssh_vs at 10.10.X.100:22, and log in with user-id student and password student. Were you able to connect and log in?
- On your BIG-IP system, use TMSH to view statistics and determine the pool member you load balanced to:
  tmsh show /ltm pool ssh_pool members { all }
- View local traffic statistics for the virtual server:
  tmsh show /ltm pool ssh_pool
  tmsh show /ltm virtual ssh_vs
  a. Compare Bits In and Bits Out for the virtual server (client-side) with Bits In and Bits Out on the pool member you load balanced to (server-side). How do they compare?
- Terminate and reestablish your connection to 10.10.X.100:22. Which pool member did you load balance to this time?
- Show the BIG-IP connection table entries for all server-side connections to port 22:
  tmsh show sys connection ss-server-port 22
  a. Do you see your connection?
  b. More importantly, do you see source and destination IP addresses and ports for both the client-side and server-side connections? What are the values?
  c. How long has the connection been open and idle? (Look at the value to the right of the tcp string in the connection table entry.)
- On your SSH session to virtual server ssh_vs, list the directory you are currently in:
  ls -l
- Back on your BIG-IP system, view the connection table entries again. Was the idle time indicator updated?

Archive the Configuration

- Use TMSH to save a UCS backup of your current configuration in the /shared/tmp directory:
  tmsh save sys ucs /shared/tmp/trainX_module2b.ucs
- Can you see the UCS you just created from the Configuration utility? Why or why not?
- Use TMSH to restore the UCS archive you took at the beginning of the class:
  tmsh load sys ucs trainX_base.ucs
- Now all of the configuration objects you created in this lab should be gone. Confirm this by examining the bigip.conf file and looking for ssh_vs and ssh_pool.
- Restore the configuration you created earlier named trainX_module2b.ucs. (Remember that it’s in the /shared/tmp directory.)
Expected Results and Troubleshooting

After you initially created ssh_vs, its configuration could not be found in bigip.conf. Changes made using TMSH affect only the running configuration. You had to manually save the running configuration to the stored configuration in order to view the entry for ssh_vs in bigip.conf. This behavior is different from the Configuration utility, where changes are recorded to both the running configuration and the stored configuration immediately upon finishing.

bigip.conf contains application traffic processing objects such as virtual servers, pools, monitors, and profiles, from the last time the running configuration was saved to the stored configuration. bigip_base.conf contains network and system-related objects such as VLANs, self IPs, device groups, and platform information, from the last time the running configuration was saved to the stored configuration. bigip_user.conf contains user names and passwords for all users configured on the BIG-IP system, from the last time the running configuration was saved to the stored configuration. bigip.license contains the license information for your BIG-IP system. The service check date will vary depending on when the system’s dossier was last submitted to the F5 License Server for activation.
UCS archives are only visible to the Configuration utility if they are located in /var/local/ucs . Therefore, the UCS you saved in /shared/tmp is not visible from the Configuration utility.
Chapter 3 - Load Balancing Traffic with LTM
Lab 3.1 – Test Priority Group Activation

Lab Objectives
- Configure priority group activation on a pool and view load balancing behavior with statistics

Estimated time for completion: 15 minutes

Lab Requirements
- BIG-IP base setup configuration
- http_pool (as configured at the end of the previous chapter)
- http_vs (as configured at the end of the previous chapter)
Test Priority Group Activation

Configure priority group activation on http_pool

- Reset the statistics for http_pool.
- Modify pool http_pool and, on the Members tab, set Priority Group Activation to Less than… 2 Available Member(s).
- Modify the members in pool http_pool according to the specifications in the table below:
  Member | Ratio | Priority Group
  172.16.20.1:80 | 1 | 0
  172.16.20.2:80 | 2 | 4
  172.16.20.3:80 | 3 | 4

Test the effects of priority group activation

- Open a new browser session, connect to http://10.10.X.100, and hard-refresh the screen 5-10 times. View the statistics for http_pool.
  a. Which pool members processed traffic?
  b. How were the connections distributed between the pool members?
- Reset the statistics for http_pool.
- Disable pool member 172.16.20.2:80 in http_pool.
- Back on your browser session to http://10.10.X.100, hard-refresh the screen 5-10 times. View the statistics for http_pool again. What are the results now and why?
Test the effects of persistence with priority group activation

- Disable pool member 172.16.20.3:80 in pool http_pool to ensure you will load balance and persist to pool member 172.16.20.1:80.
- Assign the F5-supplied Source Address Affinity persistence profile called source_addr to http_vs.
- Back on your browser session to http://10.10.X.100, hard-refresh the screen several times and ensure you are persisting to pool member 172.16.20.1:80. View persistence records to confirm.
- Enable pool members 172.16.20.2:80 and 172.16.20.3:80 in http_pool.
- Back on your browser session to http://10.10.X.100, hard-refresh the screen several times. Are you still persisting to pool member 172.16.20.1:80, even though its priority group is no longer activated (because the higher priority group now contains 2 members again)? View persistence records to confirm.

Clean up

- Remove persistence from http_vs.

Expected results and troubleshooting

With priority group activation set to less than 2 members and all pool members enabled, 172.16.20.1:80 should receive no traffic. Traffic is distributed to members 172.16.20.2 and 172.16.20.3 in a 2:3 ratio.

With priority group activation set to less than 2 members and pool member 172.16.20.2:80 disabled, the next lower priority group (0) is activated. Traffic is then distributed to members 172.16.20.1 and 172.16.20.3 in a 1:3 ratio.

After you added a source address affinity persistence profile to http_vs and forced your connections to load balance and persist to the pool member in the lowest priority group (172.16.20.1:80), you still persisted to 172.16.20.1:80 even after re-enabling the other two members and once again having two members available in the pool, and would continue to do so until the persistence record expires.
Continue with Lab 3.2: Test Ratio (node) Load Balancing
Lab 3.2 – Test Ratio (node) Load Balancing

Lab Objectives
- Compare the effects of a member-based load balancing method with those of a node-based load balancing method

Estimated time for completion: 10 minutes

Lab Requirements
- BIG-IP base setup configuration
- http_pool (as configured at the end of the previous lab)
- http_vs (as configured at the end of the previous lab)

Configure Ratio (node) Load Balancing

- Reset the statistics for http_pool.
- Change the load balancing method for pool http_pool from Ratio (member) to Ratio (node).
- Change the ratio of node 172.16.20.3 to 5.
- Open a new browser session and connect to http://10.10.X.100, and hard-refresh the screen 5-10 times.
- View pool statistics for http_pool. What are the results and how do they compare to the results with Ratio (member) load balancing?
Expected Results and Troubleshooting Since priority group activation is still configured on http_pool, only two pool members need be active in order to meet the minimum. Members 172.16.20.2:80 and 172.16.20.3:80 are in the highest priority group, and are the only members the BIG-IP system load balances connections across. However, even though pool member 172.16.20.2:80 has a ratio of 2, and pool member 172.16.20.3:80 has a ratio of 3, the BIG-IP system ignores these ratios and uses the ones that are configured on the associated nodes instead. Node 172.16.20.3 has a ratio of 5, compared to node 172.16.20.2, which has a ratio of 1. Therefore, the pool member at 172.16.20.3:80 receives about 5 times as many connections as the pool member at 172.16.20.2:80.
Continue with Lab 3.3: Test the Effect of Connection Limits on Priority Group Activation
Lab 3.3 - Test the Effect of Connection Limits on Priority Group Activation

Lab Objectives
- Force a connection limit condition to cause a lower priority group of members to be temporarily activated

Estimated time for completion: 10 minutes

Lab Requirements
- BIG-IP base setup configuration
- http_pool (as configured at the end of the previous lab)
- http_vs (as configured at the end of the previous lab)

Configure and Test Connection Limits

Confirm traffic behavior before connection limits

- Reset the statistics for http_pool.
- Open a browser session to http_vs at http://10.10.X.100 and hard-refresh the screen multiple times and very rapidly by holding the Ctrl-F5 keys down continuously for several seconds.
- Refresh and view the statistics for http_pool:
  a. Did pool member 172.16.20.1:80 process any connections?
  b. What was the maximum number of concurrent connections processed by pool members 172.16.20.2:80 and 172.16.20.3:80?

Configure a connection limit on one pool member in priority group 4

- Reset the statistics for http_pool.
- Change the Connection Limit for pool member 172.16.20.3:80 in http_pool to 3.
- On your browser session to http_vs at http://10.10.X.100, hard-refresh the screen rapidly again by holding the Ctrl-F5 keys down continuously for several seconds.
- Refresh and view statistics for pool http_pool.
  a. How were the connections distributed across the pool members?
  b. What was the maximum number of connections on pool member 172.16.20.3:80? Is this what you expected?
Clean Up

- Change the load balancing method on pool http_pool to Round Robin and disable priority group activation.
- Set the Connection Limit for pool member 172.16.20.3:80 in http_pool to 0.
- Set Priority Group to 0 and Ratio to 1 for all pool members in http_pool.
Expected Results Before setting a connection limit on pool member 172.16.20.3:80, traffic was load balanced only across the two members in priority group 4: 172.16.20.2:80 and 172.16.20.3:80. The maximum number of concurrent connections to pool member 172.16.20.3:80 will vary, but should have been well over 3. After setting the connection limit to 3 on pool member 172.16.20.3:80, traffic was load balanced across all pool members, as this pool member would have reached its maximum number of connections periodically, triggering activation of priority group 0, of which 172.16.20.1:80 is a member. After activation, the BIG-IP system load balanced traffic across all three pool members until the number of connections on 172.16.20.3:80 went below 3. When viewing statistics for http_pool, the maximum number of concurrent connections to 172.16.20.3:80 should have been 3. The maximum number of concurrent connections to the other pool members will vary.
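Labs 3.1, 3.2 and 3.3 exercise one selection process from three angles: ratio (member) weighting within the activated priority groups, Ratio (node) replacing member ratios with node ratios, and a connection limit making a member temporarily unavailable so that priority group 0 is activated. The Python model below is added here to make that process explicit; it is not F5 code, and BIG-IP’s own scheduler differs in detail. Its assumptions are marked in the code: a smooth weighted round robin stands in for the ratio algorithm, monitor state is not modelled, the “Less than N available members” rule is applied by adding lower priority groups until N members are available, and the `concurrency` argument of `simulate()` stands in for the rapid Ctrl+F5 refreshes.

```python
"""Pool member selection with ratio load balancing, priority group activation
and connection limits, as exercised in Labs 3.1 to 3.3. Added Python model,
not F5 code: BIG-IP's own scheduling differs in detail."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    address: str                 # node IP address
    port: int
    ratio: int = 1               # member ratio, used by Ratio (member)
    priority_group: int = 0
    connection_limit: int = 0    # 0 means no limit, as on BIG-IP
    enabled: bool = True
    current_connections: int = 0
    weight_counter: int = 0      # running counter for smooth weighted round robin

    @property
    def name(self) -> str:
        return f"{self.address}:{self.port}"

    def available(self) -> bool:
        """Enabled and below its connection limit (monitor state is not modelled)."""
        if not self.enabled:
            return False
        return self.connection_limit == 0 or self.current_connections < self.connection_limit


@dataclass
class Pool:
    members: List[Member]
    method: str = "ratio-member"   # "round-robin", "ratio-member" or "ratio-node"
    min_available: int = 0         # Priority Group Activation: Less than N available (0 = off)
    node_ratios: Dict[str, int] = field(default_factory=dict)  # ratio set on each node

    def candidates(self) -> List[Member]:
        """Priority group activation (assumed rule): take the highest priority group
        and add the next lower group while fewer than min_available are available."""
        avail = [m for m in self.members if m.available()]
        if self.min_available == 0:
            return avail
        chosen: List[Member] = []
        for group in sorted({m.priority_group for m in avail}, reverse=True):
            chosen.extend(m for m in avail if m.priority_group == group)
            if len(chosen) >= self.min_available:
                break
        return chosen

    def weight(self, m: Member) -> int:
        if self.method == "ratio-member":
            return m.ratio
        if self.method == "ratio-node":
            return self.node_ratios.get(m.address, 1)   # member ratios are ignored
        return 1                                        # round robin

    def select(self) -> Optional[Member]:
        """Smooth weighted round robin over the activated candidates (stand-in for
        the BIG-IP ratio algorithm): each gets exactly `weight` picks per cycle."""
        cands = self.candidates()
        if not cands:
            return None
        total = sum(self.weight(m) for m in cands)
        for m in cands:
            m.weight_counter += self.weight(m)
        best = max(cands, key=lambda m: m.weight_counter)
        best.weight_counter -= total
        return best


def simulate(pool: Pool, requests: int, concurrency: int = 1) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Open `requests` connections with at most `concurrency` open at once (the
    oldest closes first, like rapid Ctrl+F5). Returns (connections per member,
    peak concurrent connections per member)."""
    totals = {m.name: 0 for m in pool.members}
    peaks = {m.name: 0 for m in pool.members}
    open_conns: List[Member] = []
    for _ in range(requests):
        if len(open_conns) >= concurrency:
            open_conns.pop(0).current_connections -= 1
        m = pool.select()
        if m is None:
            continue
        m.current_connections += 1
        open_conns.append(m)
        totals[m.name] += 1
        peaks[m.name] = max(peaks[m.name], m.current_connections)
    for m in open_conns:
        m.current_connections -= 1
    return totals, peaks


def http_pool() -> Pool:
    """http_pool as set up in Lab 3.1: ratios 1/2/3, priority groups 0/4/4,
    activation when fewer than 2 members are available."""
    return Pool(
        members=[
            Member("172.16.20.1", 80, ratio=1, priority_group=0),
            Member("172.16.20.2", 80, ratio=2, priority_group=4),
            Member("172.16.20.3", 80, ratio=3, priority_group=4),
        ],
        method="ratio-member",
        min_available=2,
    )
```

`simulate(http_pool(), 50)` reproduces Lab 3.1 (0:20:30), disabling `members[1]` activates group 0 (10:0:30), setting `method = "ratio-node"` with `node_ratios = {"172.16.20.3": 5}` reproduces Lab 3.2 (0:10:50), and `connection_limit = 3` on `members[2]` with `concurrency=6` reproduces Lab 3.3: 172.16.20.1:80 starts receiving connections and the peak on 172.16.20.3:80 never exceeds 3.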
Chapter 4 - Modifying Traffic Behavior with Persistence
Lab 4.1 – Implement Universal Persistence

Lab Objectives
- Configure a virtual server with universal persistence using an iRule and confirm traffic behavior using statistics

Estimated time for completion: 10 minutes

Lab Requirements
- BIG-IP base setup configuration
- http_pool (as configured at the end of the previous chapter)
- http_vs (as configured at the end of the previous chapter)

Configure and Test Universal Persistence

You can use the following command to view persistence records throughout this lab:
  tmsh show /ltm persistence persist-records all-properties

Confirm traffic behavior before universal persistence

1. Open a browser session to http_vs at http://10.10.X.100, and hard-refresh the screen several times.
   a. Confirm via local traffic statistics that your connections are load balancing across all members of http_pool.
   b. Verify that no persistence records were created.
Create an iRule to persist on a query parameter in the HTTP URI

2. Create a new iRule named user_persist_irule that will persist on the value of the user query parameter in the HTTP URI, if present, using the code in the table below. (Note that there are spaces between “user=”, the number 5, and the “&”):

Definition:
  when HTTP_REQUEST {
      if { [HTTP::uri] contains "user=" } {
          persist uie [ findstr [HTTP::uri] "user=" 5 "&" ]
      }
  }
Create a universal persistence profile

3. Create a new universal persistence profile using the specifications in the table below. (The Timeout setting is deliberately low so that you can observe persistence records expiring more quickly.)

Configuration utility: Local Traffic » Profiles : Persistence, then click Create
General Properties section
  Name: configltm_universal_persist
  Persistence Type: Universal
  Parent Profile: Universal
Configuration section
  iRule: user_persist_irule
  Timeout: Specify… 30 seconds
When complete, click… Finished

Assign the profile to the virtual server

4. Assign configltm_universal_persist to virtual server http_vs. (Hint: If an error occurs, you can use the F5-supplied profile called http.)

Confirm traffic behavior after universal persistence

5. Reset the statistics for http_pool.

6. Open a browser session to http://10.10.X.100?user=abc&pw=123, and hard-refresh the screen several times.
7. View persistence records again. Which pool member are you persisting to? What is the persistence matching criteria (persistence value) shown in the persistence record?
8. Check the statistics records for http_pool. Is all traffic being load balanced to the same pool member?
9. Which element(s) of the page are persisting? Why?
10. In your browser’s address bar, change the user= query string from abc to something else and hard-refresh the screen several times.
11. View persistence records again. Which pool member are you persisting to now? What is the persistence matching criteria shown in the persistence record now?
Expected results
The page you are connecting to at http://10.10.X.100 consists of a number of elements. The first connection request is for the default page, and includes the user= and pw= query parameters in the HTTP URI. This request is load balanced according to the load balancing method for pool http_pool. The server that processed the request is displayed in the “HTML from Server X” line on the page, as shown in Figure 9 below. The HTML references many other page elements, including .jpg, .png, and .css files. Each of these generated additional connections, none of which contained the user= parameter. Therefore, they did not match the persistence record created on the initial connection, and were load balanced, as shown in the traffic statistics. The only element of the page that persists is the HTML itself, and the “HTML from Server X” message should remain constant as long as you are persisting.
Figure 9: The only element on the page that persists is the HTML, as it was requested with the user= query parameter, which is what the persistence criteria is generated from
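The Python model below is an added example, not code from the lab guide or from F5: it extracts the persistence key the same way the iRule's findstr call does (offset 5, terminator "&"), keeps a 30-second record table, and shows that only the HTML request sticks to one member while the embedded elements are load balanced. Pool member addresses, page element names and request timing are constructed for the example.

```python
from itertools import cycle

POOL = ["172.16.20.1:80", "172.16.20.2:80", "172.16.20.3:80"]
TIMEOUT = 30    # seconds; the profile's deliberately low Timeout setting


def persistence_key(uri):
    """Mirror of `findstr [HTTP::uri] "user=" 5 "&"` from user_persist_irule.

    Returns the text after "user=" up to the next "&" (or to the end of the
    URI), or None when the URI does not contain "user=" at all. Treating an
    empty value as "no key" is a simplification made by this example."""
    idx = uri.find("user=")
    if idx < 0:
        return None
    start = idx + 5                          # skip the 5 characters of "user="
    end = uri.find("&", start)
    value = uri[start:] if end < 0 else uri[start:end]
    return value or None


class UniversalPersistence:
    """A round-robin pool plus a universal (uie) persistence record table."""

    def __init__(self, members, timeout=TIMEOUT):
        self.lb = cycle(members)
        self.timeout = timeout
        self.records = {}                    # key -> (member, expiry time)
        self.hits = {m: 0 for m in members}

    def request(self, uri, now):
        """Choose the pool member for one request arriving at time `now`."""
        # Expire stale records first (what you watch happen in the lab).
        self.records = {k: v for k, v in self.records.items() if v[1] > now}
        key = persistence_key(uri)
        if key is not None and key in self.records:
            member = self.records[key][0]    # matched an existing record
        else:
            member = next(self.lb)           # no key or no record: load balanced
        if key is not None:
            # Every request carrying the key refreshes the record's expiry.
            self.records[key] = (member, now + self.timeout)
        self.hits[member] += 1
        return member


def simulate_lab(refreshes=3):
    """Hard-refresh the lab page: the HTML request carries user=abc, the
    embedded elements (constructed names) carry no query string at all."""
    vip = UniversalPersistence(POOL)
    page = ["/?user=abc&pw=123", "/f5.jpg", "/logo.png", "/style.css", "/app.js"]
    served = {uri: set() for uri in page}
    now = 0
    for _ in range(refreshes):
        for uri in page:
            served[uri].add(vip.request(uri, now))
            now += 1                         # one second between requests
    return vip, served


if __name__ == "__main__":
    vip, served = simulate_lab()
    for uri, members in served.items():      # only the HTML sticks to one member
        print(f"{uri:20s} served by {sorted(members)}")
    print("persistence records:", vip.records)
    print("user=xyz goes to:", vip.request("/?user=xyz&pw=123", 15))
```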
Continue with Lab 4.2: Implement Match Across Services
Lab 4.2 – Implement Match Across Services
Lab Objectives
Configure Match Across Services as a persistence option and observe traffic behavior
Estimated time for completion: 5 minutes.
Lab Requirements
BIG-IP base setup configuration
http_pool (as configured at the end of the previous lab)
http_vs (as configured at the end of the previous lab)
https_vs (as configured at the end of Lab 2.1)
configltm_src_persist (as configured at the end of Lab 2.1)
Confirm Traffic Behavior before Persistence
1. Set configltm_src_persist as the Default Persistence Profile for virtual servers http_vs and https_vs.
2. Open two browser sessions – one to http://10.10.X.100 and another to https://10.10.X.100 – and refresh the page several times.
a. Are you persisting on both sessions? View persistence records to confirm.
b. How many persistence records are there?
c. Which pool member is your session to http://10.10.X.100 persisting to?
d. Which pool member is your session to https://10.10.X.100 persisting to?
3. Let both persistence records time out so that they are deleted.
Test Match Across Services
4. Enable the Match Across Services option in the configltm_src_persist persistence profile.
5. Refresh the sessions to http://10.10.X.100 and https://10.10.X.100.
a. Are you persisting on both sessions? View persistence records to confirm.
b. How many persistence records are there?
c. Which pool member are you persisting to on both sessions?
Expected results
Without Match Across Services, the two sessions—one to http://10.10.X.100 and the other to https://10.10.X.100—are treated independently with respect to persistence. There is a chance the sessions could have been initially load balanced to the same underlying node, but upon viewing persistence records, you should have seen two - one for each session. After enabling Match Across Services, and refreshing the page on both sessions, you should have seen only one persistence record, and both pages should show results from the same underlying node for all page elements.
Clean Up
6. Remove persistence from both http_vs and https_vs.
Chapter 5 - Monitoring Application Health
Lab 5.1 – Configure and Test Monitors
Lab Objectives
Configure health checks using multiple default and custom monitors to verify pool member availability
Estimated time for completion: 40 minutes
Lab Requirements
BIG-IP base setup configuration
http_pool (as configured at the end of the previous chapter)
https_pool (as configured at the end of the previous chapter)
http_vs (as configured at the end of the previous chapter)
Establish Baseline Traffic Behavior
1. Remove any monitors from pools http_pool and https_pool. Confirm the status of the pools and pool members is unknown.
2. Reset virtual server and pool statistics.
3. Connect to your virtual servers – http_vs and https_vs – hard refresh the page several times (Ctrl+F5), and observe traffic behavior using statistics to establish baseline traffic behavior.
Test Multiple Monitors and Availability Requirement
Configure monitors
4. Check the configuration for monitor configltm_http_monitor and ensure it meets the specifications in the table below:
Monitor Type: HTTP
Parent Monitor: http
Interval, Timeout: 5, 16
Other Parameters:
  Send: GET /index.php\r\n
  Receive: Server [1-3]
5. Create a new custom HTTPS monitor using the specifications in the table below:
Monitor Name: configltm_https_monitor
Monitor Type: HTTPS
Parent Monitor: https
Interval, Timeout: 5, 16
Other Parameters:
  Send String: GET /index.php\r\n
  Receive String: Server [1-3]
  Alias Service Port: 443 (HTTPS)
Assign monitors, availability requirement and test effects
6. View the local LTM log from the command line and leave the window open so you can check log messages throughout the lab:
tail -f /var/log/ltm
7. Set the default monitors for pool http_pool to configltm_http_monitor and configltm_https_monitor, and ensure Availability Requirement is set to All health monitors.
a. What is the status of http_pool after monitor assignment?
b. Look at the detail for each pool member in http_pool. Are both monitors producing successful test results?
c. What log messages were produced as the result of applying the monitors?
d. View monitor statistics to view monitor status changes over time:
tmsh show ltm monitor https configltm_https_monitor
8. Connect to virtual server http_vs at 10.10.X.100, refresh the page several times, and use statistics to observe how connections were load balanced.
9. Change the Receive String on configltm_https_monitor to Server 2.
a. What is the status of each pool member in http_pool after the monitor change?
b. What if any log messages were produced as the result of the change? Check monitor statistics, too.
c. If the change in pool member status was not immediate, what explains this behavior?
10. Reset pool statistics and refresh your connection to http_vs again several times. How are connections load balanced now?
11. Change the Availability Requirement for monitors on pool http_pool to At Least…1.
a. How did the pool members’ status change?
b. Examine each pool member’s configuration detail. Which monitors are reporting successful test results and which are not?
c. What log messages were produced and what do monitor statistics show now?
Restore original monitor settings
12. Change the Receive String on configltm_https_monitor so that it once again produces correct test results for all pool members.
13. Change the Availability Requirement for monitors on pool http_pool back to All.
14. Confirm that all pool members in http_pool are available again.
Expected results
When both monitors are properly configured with Receive String set to Server [1-3], and Availability Requirement is set to All, the status of http_pool is available, and the status of all pool members is available. Traffic is load balanced across all pool members. Log messages show the members being marked up.
When the Receive String on one of the monitors is set to Server 2, the monitor test will fail for all pool members except 172.16.20.2:80. Since Availability Requirement is set to All, and not all of the monitor tests are successful, the status of pool members 172.16.20.1:80 and 172.16.20.3:80 changes to unavailable (red diamond) after the failing monitor’s timeout period (16 seconds), and log messages are produced. Traffic is load balanced only to member 172.16.20.2:80. When Availability Requirement is set to At Least…1, even though one of the monitors is failing on members 172.16.20.1:80 and 172.16.20.3:80, the other monitor is producing a successful test. After waiting for the failing monitor’s timeout period, these members are also marked available since at least one of the monitor tests is successful.
Test Receive Disabled String
15. On monitor configltm_https_monitor, change the Receive String to Server 2 and the Receive Disable String to Server 1.
a. What is the status of the pool members in http_pool now?
b. Looking at each pool member’s detail, how is each monitor impacting the member’s availability?
c. What log messages were written? What do monitor statistics indicate?
d. Drive traffic to the pool members through the virtual server and observe load-balancing behavior using statistics. How is traffic being load balanced?
Clean up
16. Change the settings on configltm_https_monitor so that it is producing a successful test on all pool members, and there is no Receive Disable String specified. Make sure the status of all pool members is available (green circle) before continuing.
Expected results
Each member of http_pool now has a different status:
The status of member 172.16.20.1:80 is available but its state is disabled (black circle) by configltm_https_monitor due to the monitor’s Receive String and Receive Disable String settings. The Receive String – Server 2 – is not being returned by the service at 172.16.20.1:80, but the Receive Disable String – Server 1 – is. Therefore, the monitor disables the pool member. (Had you left the Receive String as “Server [1-3]”, when the pool member returned the string “Server 1,” this would match both the Receive String and the Receive Disable String. In the event both Receive String and Receive Disable String tests are successful, the Receive String test prevails and the pool member remains up.) In its disabled state, only existing and persisting connections will be allowed to this pool member.
The status of member 172.16.20.2:80 is available (green circle) as both monitors are returning successful test results. Traffic is allowed to this member.
The status of member 172.16.20.3:80 is offline (red diamond) as monitor configltm_https_monitor is failing and Availability Requirement is set to All. No traffic is allowed to this pool member.
Test Manual Resume
17. Change the Receive String on monitor configltm_https_monitor to Server [1-2] and set Manual Resume to Yes.
a. What is the status of the members in pool http_pool now?
b. What log messages were produced? What do monitor statistics indicate?
18. Change the Receive String on monitor configltm_https_monitor so that it is producing successful test results for all pool members again.
a. What is the status of the members in pool http_pool now?
b. What log messages were produced? What are they telling you with respect to the action that needs to be taken? What do monitor statistics indicate?
19. Manually enable pool member 172.16.20.3:80 and view the results again.
Expected results
With the Receive String corrected and Manual Resume set to Yes, even though the monitor test for member 172.16.20.3:80 is successful again, the member’s status is not yet fully available as it is awaiting a manual resume operation (black diamond), as indicated by log messages and monitor statistics. When you manually enable the pool member, its status changes to available (green circle).
Clean Up
20. Set Manual Resume to No on monitor configltm_https_monitor.
21. Remove monitor configltm_https_monitor from pool http_pool.
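The Python model below is an added example, not code from the lab guide or from F5. It walks through steps 7 to 19 of this lab with constructed server responses and combines Receive String, Receive Disable String, Availability Requirement, the monitor Timeout and Manual Resume into the pool member statuses the expected results describe. Counting a Receive Disable match as a passed test toward an At Least requirement, and the simple "last successful probe" model of the Timeout, are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

UP, DISABLE, DOWN = "up", "disable", "down"


@dataclass
class Monitor:
    name: str
    timeout: int = 16                          # seconds, as configured in the lab
    receive: str = r"Server [1-3]"
    receive_disable: Optional[str] = None
    manual_resume: bool = False

    def check(self, body):
        """Evaluate one probe response the way Lab 5.1 describes it."""
        if re.search(self.receive, body):
            return UP              # Receive String prevails even if both match
        if self.receive_disable and re.search(self.receive_disable, body):
            return DISABLE         # only the Receive Disable String matched
        return DOWN


@dataclass
class Member:
    address: str
    body: str                                  # constructed /index.php response
    last_ok: dict = field(default_factory=dict)  # monitor name -> last success time
    awaiting_resume: bool = False

    def manual_enable(self):
        self.awaiting_resume = False           # step 19: manually enable the member


@dataclass
class Pool:
    monitors: list
    members: list
    at_least: Optional[int] = None             # None == "All health monitors"

    def probe(self, member, now):
        """Run every monitor against `member` at time `now`; return its status."""
        passed, disabling, failing = 0, False, []
        for mon in self.monitors:
            result = mon.check(member.body)
            if result != DOWN:
                member.last_ok[mon.name] = now
            last = member.last_ok.get(mon.name)
            # A monitor counts as failed only once no probe has succeeded within
            # its Timeout, which is why a status change is not immediate.
            if last is not None and now - last <= mon.timeout:
                passed += 1
                disabling = disabling or result == DISABLE
            else:
                failing.append(mon)
        need = len(self.monitors) if self.at_least is None else self.at_least
        if passed < need:
            if any(m.manual_resume for m in failing):
                member.awaiting_resume = True  # must be enabled by hand later
            return "offline (red diamond)"
        if member.awaiting_resume:
            return "awaiting manual resume (black diamond)"
        if disabling:
            return "available but disabled (black circle)"
        return "available (green circle)"


def lab_5_1():
    """Walk through steps 7-19 of the lab with constructed server responses."""
    http, https = Monitor("configltm_http_monitor"), Monitor("configltm_https_monitor")
    members = [Member(f"172.16.20.{i}:80", f"HTML from Server {i}") for i in (1, 2, 3)]
    pool = Pool([http, https], members)
    out = {}

    def snapshot(label, now):
        out[label] = [pool.probe(m, now) for m in members]

    snapshot("step7_all_ok", 0)
    https.receive = "Server 2"                                   # step 9
    snapshot("step9_before_timeout", 5)
    snapshot("step9_after_timeout", 21)
    pool.at_least = 1                                            # step 11
    snapshot("step11_at_least_1", 26)
    pool.at_least, https.receive_disable = None, "Server 1"      # step 15
    snapshot("step15_receive_disable", 31)
    https.receive, https.receive_disable = "Server [1-2]", None  # step 17
    https.manual_resume = True
    snapshot("step17_manual_resume", 36)
    https.receive = "Server [1-3]"                               # step 18
    snapshot("step18_corrected", 41)
    members[2].manual_enable()                                   # step 19
    snapshot("step19_enabled", 46)
    return out
```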
Chapter 6 - Processing Traffic with Virtual Servers
Lab 6.1 – Test Different Virtual Server Behavior
Lab Objectives
Create a network forwarding virtual server, a reject forwarding virtual server, and a host forwarding virtual server for a specific VLAN
Estimated time for completion: 20 minutes
Lab Requirements
BIG-IP base setup configuration
Test Virtual Server Order of Precedence
1. From your Windows workstation Command Prompt, check to see if you already have a route to the 172.16/16 network through your BIG-IP system:
route print
Some Windows 7 users may need to Start » Search » cmd.exe and right-click and select “Run as administrator”.
2. If you do not have a route to the 172.16/16 network via your BIG-IP system, add a static one:
route add 172.16.0.0 mask 255.255.0.0 10.10.X.33
Establish baseline behavior
3. Try to open a browser session to 172.16.20.1, 172.16.20.2 or 172.16.20.3. You should not be able to connect directly to these servers, as there is no listener on your BIG-IP system that can process the traffic when it is routed there from your client workstation.
Add a network forwarding virtual server
4. Create a network virtual server that will forward traffic destined to the 172.16/16 network, using the specifications in the table below:
Name: fwd_vs
Type: Forwarding (IP)
Destination Address/Mask: 172.16.0.0/16
Service Port: *All Ports
5. Open HTTP, HTTPS, and/or SSH sessions to 172.16.20.1, 172.16.20.2, and/or 172.16.20.3. Can you successfully connect now?
Add a network reject virtual server
6. Create a network reject virtual server that will drop traffic destined to the 172.16/16 network on port 80, using the specification in the table below:
Name: reject_vs
Type: Reject
Destination Address: 172.16.0.0/16
Service Port: 80
7. Try connecting directly to the HTTP, HTTPS, and SSH services on 172.16.20.1, 172.16.20.2, or 172.16.20.3. Which services can you connect to and why?
Add a host forwarding virtual server
8. Finally, create a host forwarding virtual server that will forward traffic that arrives on VLAN external destined to 172.16.20.2 on all ports, using the specifications in the table below. What are your results now?
Name: host_vs
Type: Forwarding (IP)
Destination Address: 172.16.20.2
Service Port: *All Ports
VLAN and Tunnel Traffic: Enabled on… VLAN external
Expected results
With just virtual server fwd_vs, you should be able to connect to all services on all of the 172.16.20.1, .2, and .3 servers. After adding reject_vs, you should only be able to connect to the HTTPS and SSH services on those servers. Attempts to connect to the HTTP service on all the servers should fail. After adding host_vs, you should still be able to access HTTPS and SSH services on all the servers, but the HTTP service only on 172.16.20.2.
Clean Up
9. Delete all 172.16 virtual servers.
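The Python model below is an added example, not code from the lab guide or from F5. It selects the listener for a destination the way the expected results above describe: the longest destination prefix wins, then a specific port beats *All Ports, and host_vs is only considered for traffic arriving on VLAN external. It models only destination address, port and ingress VLAN (not source address or other precedence rules); the names fwd_vs, reject_vs and host_vs are the lab's, everything else is constructed, and it also covers a case the lab does not run (traffic for 172.16.20.2:80 arriving on a VLAN where host_vs is not enabled).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VirtualServer:
    name: str
    kind: str                                # "forwarding" or "reject"
    destination: str                         # host address or network (CIDR)
    port: Optional[int] = None               # None == *All Ports
    vlans: Optional[frozenset] = None        # None == enabled on all VLANs

    def network(self):
        # A bare host address becomes a /32 network.
        return ipaddress.ip_network(self.destination, strict=False)

    def matches(self, dst_ip, dst_port, vlan):
        return (ipaddress.ip_address(dst_ip) in self.network()
                and self.port in (None, dst_port)
                and (self.vlans is None or vlan in self.vlans))

    def specificity(self):
        # The host address (/32) beats the /16 network; for the same
        # destination a specific port beats *All Ports.
        return (self.network().prefixlen, 0 if self.port is None else 1)


def select_listener(vservers, dst_ip, dst_port, vlan="external"):
    """Return the most specific listener for the flow, or None if nothing matches."""
    candidates = [v for v in vservers if v.matches(dst_ip, dst_port, vlan)]
    return max(candidates, key=VirtualServer.specificity) if candidates else None


def outcome(vservers, dst_ip, dst_port, vlan="external"):
    """Describe what happens to a client connection routed through the BIG-IP."""
    vs = select_listener(vservers, dst_ip, dst_port, vlan)
    if vs is None:
        return "no listener: connection not processed"
    if vs.kind == "reject":
        return f"{vs.name}: connection rejected"
    return f"{vs.name}: forwarded to {dst_ip}:{dst_port}"


# The three virtual servers created in steps 4, 6 and 8.
FWD_VS = VirtualServer("fwd_vs", "forwarding", "172.16.0.0/16")
REJECT_VS = VirtualServer("reject_vs", "reject", "172.16.0.0/16", 80)
HOST_VS = VirtualServer("host_vs", "forwarding", "172.16.20.2", None, frozenset({"external"}))

if __name__ == "__main__":
    stages = ((3, []), (4, [FWD_VS]), (6, [FWD_VS, REJECT_VS]), (8, [FWD_VS, REJECT_VS, HOST_VS]))
    for step, listeners in stages:
        for host in ("172.16.20.1", "172.16.20.2"):
            for port in (80, 443, 22):       # HTTP, HTTPS, SSH
                print(f"after step {step}: {host}:{port} -> {outcome(listeners, host, port)}")
```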
Chapter 7 - Processing Traffic with SNATs
Lab 7.1 – Test SNAT Order of Precedence
Lab Objectives
Test SNAT order of precedence when there are several SNAT configurations that may be eligible to provide source address translation
Estimated time for completion: 15 minutes
Lab Requirements
BIG-IP base setup configuration
http_vs (10.10.X.100:80, default pool http_pool)
https_vs (10.10.X.100:443, default pool https_pool)
If you have not already configured a static route on your PC for 172.16.0.0/16 through your BIG-IP system (10.10.X.33), you will need to add it here for this lab. From the Command prompt on your PC:
route add 172.16.0.0 mask 255.255.0.0 10.10.X.33
Test SNAT Order of Precedence
In each of the following scenarios, you and your partner will test the specified configuration settings by connecting to both your virtual servers (http_vs and https_vs), and you will connect to 172.16.20.1 first, noting the results in the table below. If you are successfully connected, note the source IP address used on the server-side connection. If not successfully load balanced, note why. Compare your results to the Expected Results listed at the end of this lab.

                     | Baseline No SNAT (Test 1) | SNAT Auto Map on https_vs (Test 2) | SNAT with Origin Network Range (Test 3) | All Addresses SNAT (Test 4)
Me      http_vs      |                           |                                    |                                         |
        https_vs     |                           |                                    |                                         |
        172.16.20.1  |                           |                                    |                                         |
Partner http_vs      |                           |                                    |                                         |
        https_vs     |                           |                                    |                                         |
Test 1: Establish baseline behavior with no SNAT
1. Remove any Source Address Translation for virtual servers http_vs and https_vs.
2. Test access to http_vs and https_vs for both you and your partner, and to 172.16.20.1 for you, and fill out the Test 1 column in the results table above.
Test 2: Configure SNAT auto map on https_vs
3. On virtual server https_vs, set Source Address Translation to Auto Map.
4. Test again, and fill out the Test 2 column in the results table.
Test 3: Configure a SNAT for a range of origin IP addresses
5. Navigate to Local Traffic » Address Translation » SNAT Pool List and create a new SNAT pool using the specifications in the table below:
Name: snat_pool
Member List: 10.10.X.150, 172.16.X.150
6. Navigate to Local Traffic » Address Translation » SNAT List and create a SNAT listener using the specifications in the table below:
Name: snat_10.10.X
Translation: snat_pool
Origin: Address List
Address List: 10.10.X.0/24
7. Test, and fill out the Test 3 column in the results table.
Test 4: Configure an all addresses SNAT
8. Create a second SNAT listener using the specifications in the table below:
Name: everyone_snat
Translation: 172.16.X.200
Origin: All Addresses
9. Test and fill out the Test 4 column in the results table.
See Expected Results on the next page
Expected Results

                     | Baseline No SNAT (Test 1)        | SNAT Auto Map on https_vs (Test 2) | SNAT with Origin Network Range (Test 3) | All Addresses SNAT (Test 4)
Me      http_vs      | 10.10.X.30                       | 10.10.X.30                         | 172.16.X.150                            | 172.16.X.150
        https_vs     | 10.10.X.30                       | 172.16.X.33                        | 172.16.X.33                             | 172.16.X.33
        172.16.20.1  | Fail; no listener (SNAT or VS)   | Fail; no listener (SNAT or VS)     | 172.16.X.150                            | 172.16.X.150
Partner http_vs      | Fail; no route back to my BIG-IP | Fail; no route back to my BIG-IP   | Fail; no route back to my BIG-IP        | 172.16.X.200
        https_vs     | Fail; no route back to my BIG-IP | 172.16.X.33                        | 172.16.X.33                             | 172.16.X.33

Source address 172.16.X.33 is provided by the SNAT Auto Map setting configured on virtual server https_vs.
Source address 172.16.X.150 is provided by the SNAT listener snat_10.10.X.
Source address 172.16.X.200 is provided by the all addresses SNAT, everyone_snat.
Continue with Lab 7.2: Restrict SNAT Scope
Lab 7.2 – Restrict SNAT Scope
Lab Objectives
Restrict the effect of SNAT listeners by enabling and disabling on various VLANs
Restrict the effect of SNATs by disallowing them on particular pools
Estimated time for completion: 10 minutes
Lab Requirements
BIG-IP base setup configuration
http_vs (10.10.X.100:80, default pool http_pool)
https_vs (10.10.X.100:443, default pool https_pool)
snat_10.10.X configured with origin addresses in the 172.16/16 network and translation addresses in SNAT pool snat_pool
everyone_snat configured with all origin addresses and one translation address, 172.16.X.200.
Restrict SNAT Listeners on VLANs
Use the table below to fill in your test results during this lab, as you did in the previous lab.

                     | Baseline SNATs enabled on all VLANs | SNATs disabled on VLAN external (Test 1) | SNATs enabled on VLAN external (Test 2) | Disallow SNAT on https_pool (Test 3)
Me      http_vs      | 172.16.X.150                        |                                          |                                         |
        https_vs     | 172.16.X.33                         |                                          |                                         |
        172.16.20.1  | 172.16.X.150                        |                                          |                                         |
Partner http_vs      | 172.16.X.200                        |                                          |                                         |
        https_vs     | 172.16.X.33                         |                                          |                                         |
Confirm baseline behavior
1. Confirm the baseline behavior shown in the results table above. This is the same behavior you should have seen upon completion of the previous lab, with Auto Map on https_vs, and the two SNAT listeners – snat_10.10.X and everyone_snat – enabled on all VLANs. You and your partner should be able to access the two virtual servers, and you should be able to access 172.16.20.1.
Disable SNAT listeners on VLAN external and test
2. Disable both SNAT listeners – everyone_snat and snat_10.10.X – on VLAN external.
3. Test access to http_vs and https_vs for both you and your partner, and to 172.16.20.1 for you, and fill out the Test 1 column in the results table on the previous page.
Enable SNAT listeners on VLAN external only and test
4. Enable both SNATs – everyone_snat and snat_10.10.X – on VLAN external only, and test again, filling out the Test 2 column in the results table.
Restrict SNATs at the Pool Level
5. On the Advanced configuration view for pool https_pool, change the Allow SNAT setting to No, to make this pool ineligible for SNATed connections.
6. Test again, and fill out the Test 3 column in the results table.
Clean Up
7. Delete both SNATs and remove any source address translation settings from your virtual servers.
8. Allow SNAT on pool https_pool again.
See Expected Results on the next page
Expected Results

                     | Baseline SNATs enabled on all VLANs | SNATs disabled on VLAN external (Test 1) | SNATs enabled on VLAN external (Test 2) | Disallow SNAT on https_pool (Test 3)
Me      http_vs      | 172.16.X.150                        | 10.10.X.30                               | 172.16.X.150                            | 172.16.X.150
        https_vs     | 172.16.X.33                         | 172.16.X.33                              | 172.16.X.33                             | 10.10.X.30
        172.16.20.1  | 172.16.X.150                        | Fail; no listener (SNAT or VS)           | 172.16.X.150                            | 172.16.X.150
Partner http_vs      | 172.16.X.200                        | Fail; no route back to my BIG-IP         | 172.16.X.200                            | 172.16.X.200
        https_vs     | 172.16.X.33                         | 172.16.X.33                              | 172.16.X.33                             | Fail; no route back to my BIG-IP since SNAT not allowed

Source address 172.16.X.33 is provided by the SNAT Auto Map setting configured on virtual server https_vs.
Source address 172.16.X.150 is provided by the SNAT listener snat_10.10.X.
Source address 172.16.X.200 is provided by the all addresses SNAT, everyone_snat.
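The Python model below is an added example, not code from the lab guide or from F5. It reproduces the results tables of Lab 7.1 and this lab: a SNAT configured on the virtual server wins, then the SNAT listener with the most specific origin, then the All Addresses SNAT; listeners only apply on the VLANs they are enabled on, and nothing translates when the pool disallows SNAT. It assumes station number X = 1 for you and 2 for your partner, that "disabled on VLAN external" means enabled on VLAN internal only, and that an untranslated partner connection has no route back through your BIG-IP; it also computes partner rows for 172.16.20.1 that the lab tables leave out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SELF_IP_INTERNAL = "172.16.1.33"      # Auto Map uses the egress VLAN's self IP


@dataclass
class Snat:
    name: str
    translation: str                      # one translation address (constructed)
    origin: Optional[str] = None          # origin network; None == All Addresses
    vlans: Optional[frozenset] = None     # None == enabled on all VLANs

    def eligible(self, client_ip, vlan):
        if self.vlans is not None and vlan not in self.vlans:
            return False                  # listener disabled on the ingress VLAN
        if self.origin is None:
            return True
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(self.origin)

    def specificity(self):
        # A more specific origin wins; an All Addresses SNAT is least specific.
        return -1 if self.origin is None else ipaddress.ip_network(self.origin).prefixlen


@dataclass
class VirtualServer:
    name: str
    snat: Optional[str] = None            # None, "automap" or a SNAT pool address
    allow_snat: bool = True               # the default pool's Allow SNAT setting


@dataclass
class Client:
    address: str
    route_back: bool                      # do the servers route replies via my BIG-IP?


def serverside_source(client, target, snats, vlan="external"):
    """Source address the server sees, or the reason the connection fails.

    `target` is a VirtualServer, or None for a direct connection to a server
    such as 172.16.20.1, which only a SNAT listener can process."""
    translation = None
    if target is not None and not target.allow_snat:
        pass                              # Allow SNAT = No: nothing may translate
    elif target is not None and target.snat:
        translation = SELF_IP_INTERNAL if target.snat == "automap" else target.snat
    else:
        eligible = [s for s in snats if s.eligible(client.address, vlan)]
        if eligible:
            translation = max(eligible, key=Snat.specificity).translation
    if translation:
        return translation
    if target is None:
        return "Fail; no listener (SNAT or VS)"
    return client.address if client.route_back else "Fail; no route back to my BIG-IP"


ME = Client("10.10.1.30", route_back=True)          # station X = 1 (assumed)
PARTNER = Client("10.10.2.30", route_back=False)    # partner station 2 (assumed)


def run_tests(steps):
    """steps: test number -> (SNAT listeners, https_vs SNAT setting, https_pool Allow SNAT)."""
    results = {}
    for test, (snats, https_snat, allow) in steps.items():
        targets = {"http_vs": VirtualServer("http_vs"),
                   "https_vs": VirtualServer("https_vs", https_snat, allow),
                   "172.16.20.1": None}
        for who, client in (("Me", ME), ("Partner", PARTNER)):
            for label, target in targets.items():
                results[(who, label, test)] = serverside_source(client, target, snats)
    return results


def snat_listeners(vlans=None):
    return [Snat("snat_10.10.X", "172.16.1.150", "10.10.1.0/24", vlans),
            Snat("everyone_snat", "172.16.1.200", None, vlans)]


def lab_7_1():
    s1, s2 = snat_listeners()
    return run_tests({1: ([], None, True), 2: ([], "automap", True),
                      3: ([s1], "automap", True), 4: ([s1, s2], "automap", True)})


def lab_7_2():
    return run_tests({0: (snat_listeners(), "automap", True),                         # baseline
                      1: (snat_listeners(frozenset({"internal"})), "automap", True),  # off external
                      2: (snat_listeners(frozenset({"external"})), "automap", True),
                      3: (snat_listeners(frozenset({"external"})), "automap", False)})
```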
Lab 7.3 – Solve a Routing Issue with SNAT Pool
Lab Objectives
Use a SNAT pool to solve a routing issue where clients and servers are on the same subnet
Estimated time for completion: 20 minutes
Lab Requirements
BIG-IP base setup configuration
Solve a Routing Issue with Load Balancing Clients and Servers on the Same Subnet
Establish baseline behavior
1. Test browser connectivity directly to the web services at http://10.10.20.1, http://10.10.20.2 and http://10.10.20.3. You should be able to connect to all three services without issue, as the traffic is not being proxied by your BIG-IP system. The page should look similar to this:
Load balance traffic to the web services through your BIG-IP system
2. Create a new virtual server at 10.10.X.102:80 that load balances to the pool members at 10.10.20.1:80, 10.10.20.2:80, and 10.10.20.3:80.
3. Test connectivity to your virtual server. Are you able to successfully connect? Why not?
4. View local traffic statistics to see what, if any, traffic is going into and out of both the virtual server and the pool members.
5. Correct the routing issue by enabling source address translation. Choose from the following:
a. All addresses SNAT
b. SNAT for a network range of origin addresses
c. SNAT for a particular origin IP address
d. SNAT within the virtual server
6. Were you able to successfully connect after enabling source address translation? What is the client address as seen by the pool member?
Clean Up
7. Delete the configuration objects you created in this lab.
Expected Results
After setting up your BIG-IP system to load balance traffic to the web services through a virtual server, your connection to the virtual server failed, due to the response being sent directly from the pool members back to the client at Layer 2, bypassing your BIG-IP system. By adding some form of source address translation, the response can be forced back through your BIG-IP system for address translation to be “undone.” The easiest SNAT option is to configure source address translation within the virtual server, either using Auto Map or a SNAT pool. The other SNAT options will also work, but they have the potential to apply to any traffic traversing the BIG-IP system, not just the traffic that is load balancing the web services through the virtual server.
Chapter 8 - Configuring High Availability
Lab 8.1 - Configure an Active/Standby Pair
Lab Objectives
Set up a redundant pair of BIG-IP systems
Perform initial synchronization (ConfigSync)
Identify which device is in active mode and which is in standby mode
Change modes from active to standby
Estimated time for completion: 20 minutes
Lab Overview
In this lab, students will work in pairs to configure their BIG-IP systems as part of a device group. For the first section of this lab, we will refer to one of the BIG-IP systems as “BIGIP-A” and the other BIG-IP system as “BIGIP-B”. Partner up and agree on which system is BIGIP-A and which is BIGIP-B. Substitute your station number for “A” or “B” in the lab instructions.
Figure 4: Lab systems
On Both BIGIP-A and BIGIP-B
Back up your systems and reset to default configuration
Before changes are made to either system, backups should be created. Navigate to System » Archives and create a ucs archive named trainX_pre_ha. Restore trainX_base.ucs on both systems. For the purpose of this lab, change your admin account password to admin.
Review ConfigSync, Failover and Mirroring settings
On the Main tab, navigate to Device Management » Devices. Click the name of your device. From the Device Connectivity menu, choose ConfigSync. Ensure that ConfigSync is configured to use 172.16.X.31, the non-floating self IP for VLAN internal. Confirm that the Failover Unicast Configuration and Failover Multicast Configuration options are using the default settings, as shown below.
Configuration utility: Device Management » Devices » » Device Connectivity » Failover Network
Failover Unicast Configuration section
Local Address | Port | VLAN
172.16.X.31   | 1026 | internal
192.168.X.31  | 1026 | Management Address
Failover Multicast Configuration section
Use Failover Multicast Address: Unchecked (Disabled)
Ensure that the default primary and secondary local mirror address settings are being used for Mirroring Configuration.
Configuration utility: Device Management » Devices » » Device Connectivity » Mirroring
Mirroring Configuration section
Primary Local Mirror Address: 172.16.X.31 (internal)
Secondary Local Mirror Address: None
Review initial configuration
Examine the information displayed in the upper left-hand corner of the Configuration utility screen. Is your BIG-IP system available? What is its current ConfigSync state?
Go to Network » Self IPs . Examine your device self IP addresses. What traffic groups do they belong to? Why? Navigate to Device Management » Traffic Groups » traffic-group-1 . Click the Failover Objects tab. What failover objects does this traffic group contain?
On BIGIP-A
Establish device trust
Navigate to Device Management » Overview. There should be one device group currently available. What type of device group is it? (Hint: check the Device Group Type column). What devices are listed as members of that device group? Configure device trust using the information in the following table.
Configuration utility: Device Management » Device Trust » Peer List, then click the Add button
Remote Device Credentials
Device IP Address: 192.168.B.31, where “B” is the station number of your partner’s BIG-IP system
Administrator Username: admin
Administrator Password: admin
When complete, click… Retrieve Device Information
On the next screen, verify that the name and certificate of the remote device are correct. Click Finished to complete the device trust process.
On Both BIGIP-A and BIGIP-B
Since both devices are now members of a trust domain, you should see the name of your partner’s BIG-IP system listed in the Peer List tab. Examine the ConfigSync state of your BIG-IP devices. Has it changed? Why?
On BIGIP-A
Create a Sync-Failover device group
Navigate to Device Management » Device Groups. Click the Create button.
Name your device group DG_AB_failover, substituting your station number for “A” and your partner’s station number for “B” (for example: DG_89_failover). In the Group Type field, select Sync-Failover. In the Configuration section, the Available column shows any devices that are members of your device's local trust domain but are not currently members of a Sync-Failover device group. Select the host names of both your and your partner’s BIG-IP systems and use the arrow icon to move both to the Includes list. Select the Network Failover checkbox, to indicate that we want device group members to handle failover communications over the network. Leave the other checkboxes unselected. Click Finished.
On Both BIGIP-A and BIGIP-B
Navigate to Device Management » Devices. You should see both BIG-IP systems listed in the device list. What is the ConfigSync state of your BIG-IP devices now?
On BIGIP-B
Perform initial device group synchronization
Navigate to Device Management » Overview. Note that now there are two device groups available. In the Device Groups section, ensure that the Sync-Failover device group is selected. In the Devices section, click on the entry for your device to select it. The screen should expand to show sync options. Ensure that the Sync Device to Group option is selected, then click the Sync button. Wait for the synchronization operation to complete (it should only take a few seconds) and then verify that the Sync Summary area now shows the message All devices in the device group are in sync.
On Both BIGIP-A and BIGIP-B
Review configuration changes after initial synchronization
What is the status of your BIG-IP devices now? Navigate to Device Management » Traffic Groups » traffic-group-1. Click the Failover Objects tab and look at its contents. Does the traffic group still contain the same floating self-IP addresses that you identified at the beginning of this lab? Examine each device’s self IP addresses. Do both BIG-IP systems still have their static and floating self IP addresses? Why?
Expected results and troubleshooting
When reviewing the initial configuration, both BIG-IP systems have a ConfigSync state of Standalone, indicating that the local trust domain currently contains one member only, which is the local device. The status legend on both devices is ONLINE (ACTIVE). When examining the self-IP addresses, you will notice that there are two default traffic groups in both BIG-IP systems: traffic-group-1 (floating traffic group), which currently contains the BIG-IP’s floating self IP addresses; and another traffic group named traffic-group-local-only (non-floating traffic group) which contains the device’s static self IP addresses.
The only device group available before establishing device trust is device_trust_group, and your BIG-IP system should be the only member of that device group. Once device trust is established, both devices are listed as members of device_trust_group. The ConfigSync state for both BIG-IP systems is now In Sync, indicating that all devices in the device group are synchronized.
The Sync-Failover device group you created includes one BIG-IP system operating in Active mode (BIGIP-B) and one BIG-IP system operating in Standby mode (BIGIP-A). Before synchronizing the configuration for the first time, an Awaiting Initial Sync status message is displayed in both BIG-IP systems, informing you that the devices recently added to the device group are waiting to be synchronized. After synchronizing configuration data in the device group, the ConfigSync state of both devices is In Sync, indicating that all BIG-IP systems in the device group contain the current configuration. Since the BIG-IP system synchronizes floating self IP addresses only, and the BIG-IP system that is active at the time the initial synchronization is performed is the one that hosts the floating self IP addresses, BIGIP-B still has its original floating self IPs, but the BIGIP-A floating self IP addresses are now the same as those of BIGIP-B.
traffic-group-1 now contains the floating self IP addresses for BIGIP-B only. If synchronization fails, make sure the system times on both Active and Standby BIG-IPs are within one minute. Both systems must be in the same time zone. If needed, set the time by running the command date MMDDHHMMYYYY.SS, then try synchronizing again.
In the following sections, we will refer to each device as "Active" and "Standby" instead of "BIGIP-A" and "BIGIP-B".
Create Traffic Objects and Synchronize Configuration
On the active BIG-IP, create a new pool with the following settings:
  Name: ssh_pool
  Load Balancing Method: Round Robin
  Members: 172.16.20.1, 172.16.20.2, 172.16.20.3
  Port: 22 (for each member)
Sync the configuration to the device group. On the standby BIG-IP, verify that you can see ssh_pool.
Configuring BIG-IP LTM v12
Create a new virtual server on the standby BIG-IP (where "X" is the standby system's workstation number) using the settings below:
  Name: ssh_vs
  IP Address: 10.10.X.100
  Port: 22
  Resource: ssh_pool
On the standby BIG-IP, access the Sync menu by clicking the Changes Pending message to the right of the F5 logo, and then sync your configuration to the device group. On the active BIG-IP, verify that the synchronization was successful by ensuring that you can see the ssh_vs virtual server.
Force Active Device to Standby On both BIG-IP systems, navigate to Device Management » Traffic Groups . In the Failover Status section, note the status of your device. On the active device, click the traffic-group-1 link. Review the information in the General Properties section, especially the Current Device and Next Active Device settings. Click the Failover Objects tab and examine its contents. What kind of failover objects are part of traffic-group-1 ? Do you see any additional failover objects in addition to the self-IP addresses we identified previously? Back on the Properties tab, click the Force to Standby button. On the pop-up window that appears, click the OK button to confirm the Force this Traffic Group to standby request.
As there is only one Traffic Group in your Device Group, only one of the two BIG-IP systems will ever be Active at a time; the other will be Standby since it is not processing any traffic.
The BIG-IP systems should switch from active to standby and standby to active. Navigate to Device Management » Overview and review the Sync Summary. Click Device Management » Traffic Groups and review the Failover Status. Open an SSH session to the Active BIG-IP system and run the following command: tmsh run /sys failover standby
On the SSH session, press Enter on your keyboard a few times and notice the command line prompt changing from Active to Standby.
Test access to virtual server From both your and your partner’s workstations, open an SSH session to ssh_vs, and use student/student as login credentials. Are both BIG-IP systems able to access ssh_vs? Why or why not? Discuss with your partner.
Assign Auto Map to ssh_vs, then sync the configuration to the device group. Are both BIG-IP systems able to access ssh_vs now?
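The Lab 8.1 procedure above is written against the Configuration utility. The following is an added example, not part of the F5 course material, that performs the same steps with tmsh from the BIG-IP shell: create ssh_pool on the active unit, create ssh_vs on the standby unit, sync, force traffic-group-1 to standby, enable Auto Map, and check the sync and failover state. It assumes tmsh is on the PATH, that the Sync-Failover device group is named DG_AB_failover (the name used in Lab 9.4), and that "X" is the station number; setting TMSH=echo prints the commands instead of running them, which is a convention of this example. The clock_skew_ok helper is also an addition: it checks the one-minute limit mentioned in the troubleshooting note against two epoch values you collect with date +%s on each unit.

```shell
#!/bin/sh
# Added example, not part of the F5 course: tmsh equivalents of the Lab 8.1 steps.
# Assumptions: run from the BIG-IP shell with "tmsh" on PATH; the Sync-Failover
# device group is named DG_AB_failover (as in Lab 9.4); "X" is the station number.
# Set TMSH=echo to print the commands instead of running them (dry run).
TMSH=${TMSH:-tmsh}

# Step 1 (active unit): ssh_pool with the three members from the lab table.
create_ssh_pool() {
    $TMSH create ltm pool ssh_pool load-balancing-mode round-robin \
        members add { 172.16.20.1:22 172.16.20.2:22 172.16.20.3:22 }
}

# Step 2 (standby unit): ssh_vs at 10.10.X.100:22 in front of ssh_pool.
create_ssh_vs() {
    station=$1
    $TMSH create ltm virtual ssh_vs destination "10.10.$station.100:22" \
        ip-protocol tcp pool ssh_pool
}

# Push the local configuration to the device group (the "Changes Pending" sync).
sync_to_group() {
    $TMSH run cm config-sync to-group "${1:-DG_AB_failover}"
}

# Same effect as the "Force to Standby" button on traffic-group-1.
force_tg1_standby() {
    $TMSH run sys failover standby traffic-group traffic-group-1
}

# Auto Map SNAT: replies from pool members return through the BIG-IP that
# handled the request, which is what makes ssh_vs reachable from both stations.
enable_automap() {
    $TMSH modify ltm virtual ssh_vs source-address-translation { type automap }
}

# What the guide asks you to verify after each step: sync state (In Sync) and
# which unit is ACTIVE for the traffic group.
show_ha_state() {
    $TMSH show cm sync-status
    $TMSH show cm failover-status
}

# ConfigSync fails when the clocks of the two units differ by more than a minute.
# Compare two epoch values (output of "date +%s" on each unit) before syncing.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    [ "$skew" -le 60 ]
}
```

Typical use on the active unit is clock_skew_ok "$(date +%s)" "$PEER_EPOCH" && create_ssh_pool && sync_to_group, then create_ssh_vs X and sync_to_group on the standby unit, followed by force_tg1_standby and show_ha_state on the unit you want to fail over.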
Expected results
When examining the traffic group configuration, the active BIG-IP system should be listed in the Current Device field. The Standby device should be listed as Next Active Device, indicating that this device will accept the traffic group if a failover of that traffic group occurs. In addition to the floating self IPs, traffic-group-1 now also has a virtual address listed, corresponding to the ssh_vs virtual server. You should be able to open an SSH session to ssh_vs from both workstations after enabling Auto Map, which causes the back-end servers to send their responses back to the BIG-IP system that processed the original client request.
Lab 8.2 – Create a Second Traffic Group
Lab Objectives
Create a new traffic group with its own failover objects, including a self IP and a virtual address
Manage traffic groups and the devices they are active on, resolving any routing issues that arise
Estimated time for completion: 15 minutes
Test with Two Traffic Groups In this next series of steps, you will create a second traffic group and new configuration objects, and put those objects into the new traffic group, effectively creating an HA pair with two traffic groups. Your systems may change their active or standby designation as you progress.
Create a second floating traffic group and self IP
1. On one of the BIG-IP systems, create a new Traffic Group using the specifications below:
  Configuration utility: Device Management » Traffic Groups » Create
  General Properties section
  Name: traffic-group-2
  When complete, click… Finished
a. What is the status of each BIG-IP system now?
b. Which BIG-IP is active for traffic-group-2?
c. Which BIG-IP is active for traffic-group-1?
2. On the same BIG-IP system as step 1 , navigate to Network » Self IPs, create a new floating self IP on VLAN internal (172.16/16 network) and assign it to traffic-group-2 . To avoid conflicts in the classroom, your best option is to use the same IP address as the floating self IP that was eliminated when you performed the initial ConfigSync. For example, if you synchronized from BIGIP4 to BIGIP3, and lost the floating self IP at 172.16.3.33, use this address when creating the new floating self IP. 3. Synchronize the new configuration to the other BIG-IP system.
Create a new virtual server and pool
4. On one of the BIG-IP systems, create a new virtual server named http2_vs at 10.10.?.101:80, where "?" (the third octet) is the same as either one of your station numbers. The virtual server should load balance to a new pool that contains at least one pool member (or more) in the 172.16.20.1:80 to 172.16.20.5:80 range.
5. View the virtual address for the virtual server you just created and change its Traffic Group to traffic-group-2 . (Local Traffic » Virtual Servers : Virtual Address List) 6. Synchronize the new configuration to the other BIG-IP system.
Test the new configuration
7. From both your and your partner's workstations, open browser sessions to your new virtual server http2_vs. Are you both able to connect properly? Resolve any routing issues you may encounter.
a. What is the status of each BIG-IP system now?
b. Which BIG-IP is active for traffic-group-2?
c. Which BIG-IP is active for traffic-group-1?
8. At Device Management » Traffic Groups, experiment with forcing the traffic groups to standby and confirm that you can still access both ssh_vs and http2_vs from both of your workstations.
9. Use the TMSH command below to show the current failover status of both systems:
tmsh show cm failover-status
10. From the active BIG-IP system, experiment with failing over a specific traffic group and with failing over all traffic groups on the device. For example:
tmsh run /sys failover standby traffic-group
tmsh run /sys failover standby
Review MAC address behavior during failover
11. From your client workstations, ping the virtual address of http2_vs.
12. View the ARP table and note the MAC address associated with the virtual address. (Hint: use the command arp -a.)
13. Force traffic-group-2 to standby and view your ARP table again. What is the MAC address for the virtual address now? Why?
Configure and test MAC masquerading
14. On one of the BIG-IP systems, navigate to Device Management » Traffic Groups » traffic-group-2.
15. Enter the following MAC address in the MAC Masquerade Address field: 02:00:00:00:00:XX, where XX is your station number, then click Update.
16. Sync your configuration to the device group.
17. View the ARP table. What is the MAC address associated with http2_vs now?
18. Force traffic-group-2 to standby and view the ARP table again. Is the MAC address the same as before the failover?
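As an added example that is not part of the F5 course material, the Lab 8.2 steps above can be scripted with tmsh instead of the Configuration utility: create traffic-group-2, give it a floating self IP on VLAN internal, move the http2_vs virtual address into it, fail over one traffic group or all of them, and set the MAC masquerade address. The script assumes tmsh is on the PATH, that the addresses follow the lab text (172.16/16 on VLAN internal, 10.10.?.101 for http2_vs, two-digit station number XX in the masquerade MAC), and uses TMSH=echo as a dry-run convention of this example. The mac_is_local_unicast check is also an addition: it verifies that the masquerade address is unicast and locally administered before it is applied, so it cannot collide with a vendor-assigned address on the same VLAN.

```shell
#!/bin/sh
# Added example, not part of the F5 course: tmsh equivalents of the Lab 8.2 steps.
# Assumptions: run from the BIG-IP shell with "tmsh" on PATH; addresses follow the
# lab text (172.16/16 on VLAN internal, 10.10.?.101 for http2_vs, station number
# XX in the masquerade MAC). Set TMSH=echo for a dry run.
TMSH=${TMSH:-tmsh}

# Step 1: the second floating traffic group. It is active on the unit that created
# it until it is failed over.
create_tg2() {
    $TMSH create cm traffic-group traffic-group-2
}

# Step 2: floating self IP on VLAN internal owned by traffic-group-2, reusing the
# address that disappeared during the initial ConfigSync (e.g. 172.16.3.33).
create_tg2_self_ip() {
    $TMSH create net self "$1" address "$1/16" vlan internal \
        traffic-group traffic-group-2 allow-service default
}

# Step 5: the virtual address of http2_vs (e.g. 10.10.3.101) follows traffic-group-2.
move_vaddr_to_tg2() {
    $TMSH modify ltm virtual-address "$1" traffic-group traffic-group-2
}

# Step 10: fail over one traffic group, or everything active on this unit.
failover_tg() {
    $TMSH run sys failover standby traffic-group "$1"
}
failover_all() {
    $TMSH run sys failover standby
}

# Step 15: build 02:00:00:00:00:XX from the station number (two decimal digits).
masquerade_mac() {
    printf '02:00:00:00:00:%02d\n' "$1"
}

# Sanity check before applying: bit 0 of the first octet must be clear (unicast)
# and bit 1 should be set (locally administered) so the address cannot clash
# with a vendor-assigned MAC on the same VLAN. 02:... passes; 01:... (multicast)
# and 00:50:56:... (vendor OUI) do not.
mac_is_local_unicast() {
    first=${1%%:*}
    n=$(( 0x$first ))
    [ $(( n & 1 )) -eq 0 ] && [ $(( n & 2 )) -ne 0 ]
}

# Steps 15-16: set the masquerade MAC on traffic-group-2 (sync afterwards).
set_mac_masquerade() {
    mac=$(masquerade_mac "$1")
    mac_is_local_unicast "$mac" || return 1
    $TMSH modify cm traffic-group traffic-group-2 mac "$mac"
}

# Step 9: per-traffic-group failover state of this unit.
show_failover_status() {
    $TMSH show cm failover-status
}
```

After set_mac_masquerade and a config sync, arp -a on a client should show the same MAC for the http2_vs virtual address before and after failover_tg traffic-group-2, which is the result the Expected results section describes.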
Expected results
Once MAC Masquerade is configured, the MAC address for http2_vs should remain the same after traffic-group-2 fails over from one BIG-IP device to the other, because the MAC masquerade address floats to the newly active device along with the traffic group.
Chapter 9 - Configuring High Availability Part 2
Lab 9.1 – Configure VLAN Failsafe
Lab Objectives
Configure the VLAN Failsafe trigger
Estimated time for completion: 10 minutes
Choose the lab steps that correspond to your classroom setup:
Option A: BIG-IP VE
Option B: BIG-IP Hardware
Option A: BIG-IP VE Steps
Enabling VLAN failsafe
1. On one BIG-IP system only, create an additional VLAN, called null_vlan.
  Configuration utility: Network » VLANs : VLAN List and click Create
  General Properties section
  Name: null_vlan
  Configuration: Advanced
  Fail-safe: Checked
  Fail-safe Timeout: 15
  Action: Failover
  When complete, click… Finished
2. Click OK to the prompt, "The VLAN has no interface, do you want to continue?"
3. This will take about 2 minutes to complete. At the BIG-IP CLI prompt you can watch the log file with:
tail -f /var/log/ltm
4. Watch both BIG-IP systems to see when the status change occurs. When the active system fails over, the standby system will go active almost immediately.
a. In the GUI, refresh the page repeatedly. (The status should change automatically even without a page refresh.)
b. On the command line, press the Enter key repeatedly and watch for the prompt to change.
Clean Up 5. Delete null_vlan from the BIG-IP system on which it was created before moving on to the next lab.
Option B: BIG-IP Hardware Steps
Enabling VLAN failsafe
1. From https://192.168.X.31, navigate to Network » VLANs.
2. Click external, select Advanced and configure the following values as parameters:
  Failsafe: Check box
  Timeout: 30 seconds
  Action: common.ha.failover
3. When complete, click Finished.
4. Configure the partner system as well; this setting is not synchronized.
5. On the active system, disconnect the Ethernet cable associated with the external VLAN.
6. Watch both systems to see when the state change occurs. When the active system fails over, the standby system will go active almost immediately.
a. At the BIG-IP CLI prompt you can watch the log file with: tail -f /var/log/ltm
b. Configuration Utility: Refresh the page repeatedly.
c. Command Line: press the Enter key repeatedly.
7. Physical Box: View the STATUS light (Green – Active / Amber – Standby).
8. Reconnect all Ethernet cables.
Clean Up 9. Remove VLAN Failsafe settings on both systems before next lab.
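The two VLAN failsafe options above, as an added example that is not part of the F5 course material, expressed in tmsh: Option A creates null_vlan with a 15-second failsafe timeout, Option B enables failsafe on an existing VLAN such as external with a 30-second timeout, and the clean-up functions undo both. The script assumes tmsh is on the PATH, that the tmsh failsafe-action value failover corresponds to the Failover / common.ha.failover choice shown in the Configuration utility, and uses TMSH=echo as this example's dry-run convention. The log filter and the SAMPLE_LTM_LOG lines are constructed for illustration and are not real BIG-IP log output; they show how to narrow tail -f /var/log/ltm to the state-change messages you are watching for.

```shell
#!/bin/sh
# Added example, not part of the F5 course: tmsh equivalents of the VLAN failsafe
# lab (Option A and Option B) plus a filter for watching /var/log/ltm.
# Assumptions: run from the BIG-IP shell with "tmsh" on PATH; the tmsh failsafe
# action "failover" is the "Failover" choice of the Configuration utility.
# VLAN failsafe is not synchronized, so Option B must be applied on both units.
# Set TMSH=echo for a dry run.
TMSH=${TMSH:-tmsh}

# Option A: a VLAN with no interfaces never sees traffic, so its failsafe timer
# expires and the unit fails over. Create it on ONE unit only.
create_null_vlan_failsafe() {
    $TMSH create net vlan null_vlan failsafe enabled \
        failsafe-timeout 15 failsafe-action failover
}

# Option B: failsafe on a real VLAN (e.g. external); pulling its cable on the
# active unit stops traffic on that VLAN and triggers failover after the timeout.
enable_vlan_failsafe() {
    vlan=$1
    timeout=${2:-30}
    $TMSH modify net vlan "$vlan" failsafe enabled \
        failsafe-timeout "$timeout" failsafe-action failover
}

# Clean up: the lab deletes null_vlan and removes failsafe from external afterwards,
# otherwise a quiet VLAN keeps forcing failovers in later labs.
delete_null_vlan() {
    $TMSH delete net vlan null_vlan
}
disable_vlan_failsafe() {
    $TMSH modify net vlan "$1" failsafe disabled
}

# Keep only the failsafe / state-change lines of a log stream read from stdin:
#   tail -f /var/log/ltm | filter_failover_events
FAILOVER_PATTERN='failsafe|standby|active'
filter_failover_events() {
    grep -E -i "$FAILOVER_PATTERN"
}
count_failover_events() {
    grep -c -E -i "$FAILOVER_PATTERN"
}

# Constructed sample lines (NOT real BIG-IP output) to exercise the filter offline.
SAMPLE_LTM_LOG='Jun  1 10:00:15 bigipA notice (constructed) VLAN null_vlan failsafe timeout expired
Jun  1 10:00:15 bigipA notice (constructed) Going Standby
Jun  1 10:00:16 bigipA info (constructed) unrelated message'
```

Running printf '%s\n' "$SAMPLE_LTM_LOG" | filter_failover_events keeps the first two constructed lines and drops the third; on a live unit the same filter applied to tail -f /var/log/ltm shows the moment the failsafe fires and the unit changes state.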
Lab 9.2 – Configure Connection Mirroring
Lab Objectives
Configure connection mirroring
Force all the traffic groups that are active on one BIG-IP device to standby mode
Estimated time for completion: 15 minutes
Lab Requirements
BIG-IP base setup configuration
ssh_vs (10.10.B.100:80, default pool ssh_pool)
Test Behavior Prior to Configuring Connection Mirroring
1. Verify traffic-group-1 contains failover object 10.10.B.100.
2. Open an SSH session to ssh_vs and log in as student / student.
3. Test your connection by typing who or a similar command.
4. Navigate to Device Management » Devices and select the BIG-IP device that is active for this traffic group. Click Force to Standby.
5. Notice that the SSH connection has been lost. (You may need to press a key in order for your SSH software to recognize that the connection was terminated.)
Configure Connection Mirroring and Test Behavior
Configure connection mirroring and synchronize the configuration
6. On one of the BIG-IP systems, navigate to Local Traffic » Virtual Servers and select ssh_vs, the virtual server that corresponds to 10.10.B.100:22.
7. Using the Advanced configuration option, enable the Connection Mirroring setting and save your changes.
8. Synchronize the changes to the device group.
Establish the SSH connection again and fail over again
9. Open a new SSH session to 10.10.B.100:22 and log in again.
10. Test the connection by entering a command such as who.
11. Force the BIG-IP device that is active for traffic-group-1 to standby.
12. Test the connection to 10.10.B.100:22 again. Note that the connection was maintained.
Continue with Lab 9.3: Configure Persistence Mirroring
Lab 9.3 - Configure Persistence Mirroring
Lab Objectives
Activate persistence mirroring for a virtual server where source address persistence is enabled
View persistence records to verify persistence mirroring is taking effect
Estimated time for completion: 20 minutes
Lab Requirements
BIG-IP base setup configuration
Test Behavior Prior to Configuring Persistence Mirroring
Configure persistence and establish an HTTPS session
1. On one of the BIG-IP systems, create the traffic objects specified in the tables below:
Persistence profile
  Profile Type: Persistence
  Persistence Type: Source Address Affinity
  Name: configltm_src_persist
  Parent Profile: source_addr
  Custom Settings: Timeout: 30 seconds; Prefix length: IPv4 24
Pool
  Name: https_pool
  Load Balancing Method: Round Robin
  Members: 172.16.20.1, 172.16.20.2, 172.16.20.3
  Port: 443 (for each member)
Virtual server
  Name: https_vs
  Destination: 10.10.B.100
  Port: 443
  Default Pool: https_pool
  Default Persistence Profile: configltm_src_persist
  Other: Auto Map
2. Synchronize changes to the device group.
3. Open a browser session to https://10.10.B.100.
4. Ensure your session is persisting by pressing Ctrl-F5 several times.
View persistence records
5. View persistence records on both BIG-IP systems using the TMSH command below:
tmsh show ltm persistence persist-records
You should see a persistence record on the BIG-IP system that is active for the traffic group containing 10.10.B.100, but not on the BIG-IP system that is standby for that same traffic group.
6. Wait 30 seconds and view the persistence records on each BIG-IP system again. What happened to the persistence record?
7. Refresh the https://10.10.B.100 browser session and review the persistence records again.
Perform device failover 8. Force the BIG-IP device that is active for all traffic groups to standby. 9. Refresh the session to https://10.10.B.100 . While there is some chance the same pool member may be chosen, it is not due to persistence. If it does seem to persist to the same pool member, failover again and test.
Configure Persistence Mirroring and Test Behavior
Configure persistence mirroring and synchronize the configuration
10. On either BIG-IP system, update the persistence profile to enable the Mirror Persistence setting. Navigate to Local Traffic » Profiles: Persistence and select configltm_src_persist. Check the Custom box and then the box adjacent to Mirror Persistence.
11. Click Update.
12. Synchronize the configuration changes to the device group.
13. Make sure to check that the Mirror Persistence option was set on the other system for the configltm_src_persist profile.
Re-establish the HTTPS session, fail over and retest
14. Open a browser session to https://10.10.B.100 and refresh your connection several times.
15. View persistence records.
16. Force the BIG-IP device that is active for all traffic groups to standby.
17. Refresh the browser session to https://10.10.B.100. Notice that the HTTPS session persists to the same server.
18. View the persistence records on both systems.
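Labs 9.2 and 9.3 above enable connection mirroring and persistence mirroring through the Configuration utility. The following is an added example, not part of the F5 course material, that does the same with tmsh: turn on connection mirroring for ssh_vs, create the source-address persistence profile and the HTTPS pool and virtual server from the table, enable Mirror Persistence on the profile, and list persistence records. It assumes tmsh is on the PATH, that "B" in 10.10.B.100 is the station number, and uses TMSH=echo as this example's dry-run convention. The prefix_to_mask helper is an addition that converts the "Prefix length: IPv4 24" the GUI asks for into the dotted mask tmsh expects, covering the 0 and 32 edge cases and rejecting out-of-range values.

```shell
#!/bin/sh
# Added example, not part of the F5 course: tmsh equivalents of the connection
# mirroring (Lab 9.2) and persistence mirroring (Lab 9.3) steps, plus the
# prefix-length to netmask conversion the GUI performs for you.
# Assumptions: run from the BIG-IP shell with "tmsh" on PATH; "B" in
# 10.10.B.100 is the station number. Set TMSH=echo for a dry run.
TMSH=${TMSH:-tmsh}

# Lab 9.2 step 7: mirror ssh_vs connection state to the standby unit so an SSH
# session survives failover of traffic-group-1.
enable_connection_mirroring() {
    $TMSH modify ltm virtual "$1" mirror enabled
}

# GUI "Prefix length: IPv4 24" is "mask 255.255.255.0" in tmsh. Valid input 0..32.
prefix_to_mask() {
    p=$1
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    if [ "$p" -eq 0 ]; then
        bits=0
    else
        bits=$(( (0xffffffff << (32 - p)) & 0xffffffff ))
    fi
    printf '%d.%d.%d.%d\n' $(( (bits >> 24) & 255 )) $(( (bits >> 16) & 255 )) \
        $(( (bits >> 8) & 255 )) $(( bits & 255 ))
}

# Lab 9.3 step 1: source-address persistence profile (30 s timeout, /24 mask).
create_persist_profile() {
    $TMSH create ltm persistence source-addr configltm_src_persist \
        defaults-from source_addr timeout 30 mask "$(prefix_to_mask 24)"
}

# Lab 9.3 step 1: https_pool and https_vs with the profile and Auto Map attached.
create_https_objects() {
    station=$1
    $TMSH create ltm pool https_pool load-balancing-mode round-robin \
        members add { 172.16.20.1:443 172.16.20.2:443 172.16.20.3:443 }
    $TMSH create ltm virtual https_vs destination "10.10.$station.100:443" \
        ip-protocol tcp pool https_pool \
        persist replace-all-with { configltm_src_persist } \
        source-address-translation { type automap }
}

# Lab 9.3 step 10: mirror persistence records to the standby unit. Without this a
# record exists only on the unit that is active for the traffic group and is
# lost when that traffic group fails over.
enable_persistence_mirroring() {
    $TMSH modify ltm persistence source-addr configltm_src_persist mirror enabled
}

# Steps 5, 15 and 18: run on BOTH units; with mirroring enabled both show the record.
show_persist_records() {
    $TMSH show ltm persistence persist-records
}
```

Run create_persist_profile and create_https_objects B on one unit and sync; show_persist_records on each unit then reproduces the before/after difference the lab describes once enable_persistence_mirroring has been applied and synced.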
Expected results Now that Persistence Mirroring is enabled, you should see a persistence record on both the Active and Standby systems. You may have to adjust the timeout value.
Lab 9.4 - Configure N+1 Availability
Lab Objectives
Add a third member to an existing device group and test failover capabilities
Estimated time for completion: 15 minutes
Lab Overview
A third BIG-IP system will join the previous Sync-Failover pair as the 3rd member of the Sync-Failover device group, which will then operate in Active – Active – Standby mode. Watch the traffic group float to another member of the device group when a traffic group is failed over.
Reset HA settings on BIGIP-C
1. On BIGIP-C, restore the configuration from trainX_base.ucs.
2. If you have not done so, change the admin password to admin.
On BIGIP-A, expand the device trust to include BIGIP-C
3. On BIGIP-A, navigate to Device Management » Device Trust.
4. Click the Peer List tab, then click the Add button to add a new device to the trust.
5. Enter the Management IP Address of BIGIP-C (192.168.C.31), along with the appropriate login credentials.
6. Click Retrieve Device Information.
7. Confirm the new device trust by clicking Finished.
8. Wait a minute; stations should then see systems BIGIP-A, BIGIP-B and BIGIP-C under the Device Management » Devices tab.
On BIGIP-A, add BIGIP-C to the device group 9. On BIGIP-A select the Device Management » Device Groups tab, and click the link for the DG_AB_failover Group. 10. From the Members section of Configuration, select bigipC.f5trn.com and click