Professional Documents
Culture Documents
'V '
t;/' \(1(;!vJ
F5 Networks Training
This manual was written for BIG-Ip® products version 11 A. Some of Ihe features discussed in this course were added with
version 11.4, but most of the concepts apply to previous versions of BIG-Ip®.
Contacting F5 Networks
Web www.fS.com
Email sales@fS.com & info@fS.com
Trademarks
3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced
Routing, APM, Application Security Manager, ARX, AskF5, ASM, B1G-1P, Cloud Extender,
CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DS1, DNS Express, DSC, Edge
Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DES[GN], F5 Management Pack,
F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM,
lBR, lntelligent Browser Referencing, Intelligent Compression, lPv6 Gateway, iApps, iControl, iHeaJth,
iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link
Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect,
Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration,
StrongBox, SuperVlP, SYN Check, TCP Express, TOR, TMOS, Traffic Management Operating System,
TrafficShieJd, Transparent Data Reduction, UNlTY, VlPRlON, vCMP, WA, WAN Optimization
Manager, WANJet, WebAccelerator, WOM, and ZoneRwmer, are trademarks or service marks ofF5
Networks, lnc., in the U.S. and other countries, and may not be used without F5's express written consent.
All other product and company names herein may be trademarks of their respective owners.
Materials
The material reproduced on this manual, including but not limited to graphics, text, pictures, photographs,
layout and the like ("Content"), are protected by United States Copyright law. Absolutely no Content
from this manual may be copied, reproduced, exchanged, published, sold or distributed without the prior
written consent of F5 Networks, Inc
Patents
This product may be protected by U.S. Patents 6,31 1,278,6,327,242,6,374,300,6,405,2 I 9,6,473,802,
6,505,230,6,640,240,6,772,203,6,970,933, 6,889,249, 7,047,301, 7,051,126, 7,102,996, 7,1 13,962,
7,114,180,7,126,955,7,146,354,7,197,661, 7,206,282, 7,286,476, 7,287,084, 7,296,145, 7,296,263,
7,308,475,7,343,413,7,346,695,7,349,391, 7,355,977, 7,376,967, 7,383,288, 7,395,349, 7,409,440,
7,409,460,7,430,755,7,441,045,7,461,290, 7,472,413,7,487,253,7,490,162,7,493,383,7,505,455,
7,509,322,7,512,673,7,552,191,7,558,848, 7,562,1l0, 7,567,573, 7,580,353, 7,590,625, 7,606,9[2,
7,639,700,7,640,347,7,640,580,7,650,392, 7,657,618, 7,676,828, 7,697,427, 7,702,809, 7,705,829,
7,707,182,7,707,287,7,707,289,7,710,867, 7,752,400, 7,768,823, 7,774,484, 7,774,835, 7,783,781,
7,788,335,7,822,839,7,826,487,7,831,712, 7,882,084, 7,916,728, 7,916,730, 7,921,282, 7,945,678,
7,953,838,7,958,222,7,958,347,7,975,025 7,996,886, 8,004,971, 8,005,953, 8,010,668, 8,015,314,
8,024,443,8,024,483,8,103,746,8,103,770,8,103,809, 8,108,554,8,112,491,8,116,222,8,117,244,
8,121,117,8,145,768,8,150,957,8,159,940, 8,176,164, 8,180,747, 8,185,617, 8,189,476, 8,195,760,
8,195,769, 8,200,957, 8,203,949, 8,204,860, 8,204,930, 8.209,403, 8,239,354, 8,260,958, 8,261,351,
8,275,909,8,284,657,8,301,837,8,306,036, 8,306,038, 8,326,923, 8,326,984, 8,341,296, 8,345,701,
Disclaimer
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights
of third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
user licenses. F5 reserves the right to change specifications at any time without notice.
Table of Contents
Importing a Device Certificate ......... ................. ........... ...... ........ . .......................... 1-17
Option A: Configure the management port via the management port ....................................... 1-36
Option B: Contigure the management port via a serial console... .................................. 1-39
Option C: Configure the management port via the LCD panel ................................................. 1-42
Lab 1.4 - Test Access and Archive the Configuration....... . ................................................................ I-55
........................ 3·15
Saving and Replicating Configuration Data CUCS and SCF) .......................................................................... 4-15
Lab 4.1 - tmsh Configuration Labs ... ......................... ........................ .. ............. .... 4-22
Introducing iApps ....... ...... ....... ...... ...... ......... ........ .......... ........ .......... ..... ... ............. .. 8-1
Lab 8.2 - Deploy a Custom Application Service ...... .................. ................... ... 8-25
Lab 11.2 - AOM IP Address Lab (BIG-IP Hardware Only) .................................................................... I J-27
Lab 11.3 - Admin Partitions and Users Lab .......... . ..... II-59
Lesson Objectives
Packet-based design
A network device with a packet-based (or packet-by-packet) design is located in the middle of
communication streams, but is not an endpoint for those communications; it just passes traffic through, as
shown in Figure I.
D +-------
Connection
D
o
-o
Figuro 1: Packet-based design
A packed-based device does often have some knowledge of the protocols that flow through it, but it is far
from being a real protocol endpoint. The speed of these devices is primarily based on not having to
understand the entire protocol stack, hence reducing the amount of work needed to handle traffic.
A full proxy is the opposite of a packet-by-packet design. Instead of having a minimal understanding of
the communications streaming through the device, a full proxy completely understands the protocols, and
is itself and endpoint and an originator for the protocols.
A full proxy maintains two separate connections - one on the client-side, one on the server-side, as shown
in Figure 2. A full proxy device such as the BIG-IP effectively creates a gap between the two
connections, allowing the contents of traffic exchanged over the connections to be viewed and modified
to address a wide range of security, performance, and availability issues that are unique to each "side" of
the proxy. For example, clients often experience higher latency because of lower bandwidth connections,
while servers are generally low latency because they're connected via a high-speed LAN. The
optimization and acceleration techniques used on the client side are often very different from those used
on the server side because the issues that give rise to performance and availability challenges are vastly
different. Or perhaps we'd like to use the BIG-IP system to offload some of resource intensive functions
that are normally handled by the application servers such as SSL encryption or data compression. Or
suppose we just want to be able to connect a legacy lPv4 network to an lPv6 network.
llH Ittfl :
'-' Modified
Application data application data
-D ••
O •
Encrypted
I" .. "."' ....".'" .'" III"' • • --------tI
Unencrypted
-0 ......--------......·..............
---~••·.
Compressed ncompressed
-D ......--------•• ... ·
IPv6 IPv4
- ~··,~· II,~
Because the BIG-IP full proxy is an actual protocol endpoint, it fully implements the protocols as both a
client and a server. (A packet-based design does not.) This also means the BIG-lP system can have its
own TCP connection behavior, such as buffering, retransmits, and TCP options. A client connecting to
the BIG-IP system would likely have different connection behavior than the BIG-IP system might use for
communicating with the back end servers. Therefore, the BIG-IP system allows for the optimization of
every connection uniquely, regardless of the original source or the final destination.
Deny-by-Default
Some network devices pennit all traffic to pass through by default, and then are configured to restrict
undesirable traffic. In contrast, remember that the BIG-IP system is a "default deny" system. In other
words, when you insert a new BIG-IP system into your network, all traffic is denied to start with. This
method provides much tighter security because you must then specifically configure the objects that will
open up the system to traffic processing.
Throughout the remainder of this class, we'll examine what these objects are and how they can be
configured to exploit BIG-iP's lull proxy capabilities.
The internal architecture of the BIG-lP system is separated into two major lunctional areas - one that is
responsible for traffic management and the other that is responsible for operational management, as
illustrated in Figure 3.
BIG-IP' :
TMOS'!i); Traffic Management Administration
GUI
iRules TMSH
Ful Proxy
SSL Compression
eLI
........
-.
Figure 3: What's inside th e BIG-IP system?
Traffic Management
At run-time, when traffic flows through BIG-lP, it all goes through TMOS, a purpose-built operating
system designed and built by F5 specifically to support intelligent application delivery services. This
"side" ofBIG-IP handles traffic management functions, including but not limited to:
Access control (APM) Carrier-grade NAT (CGNAT)
Application security (ASM) Encrypt and decrypt (SSL)
Network firewall (AFM) Compression
Application acceleration (AAM) Caching
Load balancing (LTM) iRules
DNS services (GTM) iControl
ISP connection management (Link Controller)
Operational Management
Operational management resides on its own "side" of BIG-IP using off-the-shelf components and
software that start with a Linux core. In essence, it's a box within a box. This "side" ofBIG-lP has
nothing to do with the actual flow of traffic through BIG-IP aside from configuration. Instead, it provides
administrative functionality through the Linux shell (bash), TMOS Shell (TMSH) and the graphical
user interface (GUI).
Although the physical layout of each BIG-IP platfonn is a bit different, they all typically share some
common features, as shown in Figure 4. These features include:
1 Management interface 5 Indicator LEDs
LCD panel and LED indicators ~()rf," ;I,;s,{ q'),vrt/ft( hr{ '
Using the LCD panel and its associated control buttons, you can manage the BIG-IP hardware unit
without attaching a console or network cable. For example, you can use the LCD to configure the
management port, reboot the BIG-IP system, power the unit on or off, or clear alarms.
The BIG-IF system uses two network connection entry points: the TMM switch interfaces and the
management interface (MGMT).
The Traffic Management Microkemel (TMM) controls all of the TMM switch interfaces, and the
underlying Linux operating system controls the BIG-IP management interface.
The BIG-IP system processes two types of traffic: Application traffic and administrative traffic. The
management interface processes administrative traffic only. The TMM interfaces can process both
application traffic and administrative traffic. These topics are discussed in more detail throughout the
course, as are some of the other aspects of the BIG-IP platform hardware previously shown.
Before you can activate, configure, or manage a BIG-IP system, you typically connect BIG-IP to a
management workstation or management network so as to easily perform administrative functions. There
are several ways to gain initial access to the BIG-IP system and configure the management interface
including but not limited to:
• Using the serial console
• Using the LCD panel and control buttons
• Using the management interface at its default IP address
Note: The BIG-IP setup process is covered in detail in the next lesson.
The BIG-IP system offers both graphical user interface (GUI) and command line interface (CLI) tools to
configure and administer BIG-IP, so that you can work in the environment where you are most
comfortable given the tasks at hand. Once you have completed the initial configuration ofBIG-IP, you
can continue with more detailed configuration and administration tasks using either CLI tools such as the
Traffic Management Shell or tmsh (see Figure 6), or GUI tools such as the Configuration utility, or a
combination of the two.
Note: Some functions can only be performed with the CLI; others can only be performed (or are
more easily performed) with the GUI. Most functions can be performed using either tool.
You can use the command line interface (a.k.a. CLI) to manage the BIG-IP system and its configuration
objects. You can also use the CLI to monitor network traffic, current connections, and the operating
system itself, to completely shut down the BIG-IP system, or to manage some BIG-IP settings that are not
available through the GUI.
Depending on your terminal access and user role settings, you can manage the BIG-IP system using
command line functions such as the Linux shell (bash), the config utility, and/or the Traffic Management
Shell (tmsh). You can use command line tools directly on the BIG-IP system console, or, given
appropriate configuration settings, you can connect to the management interface using an SSH client such
PuTTY, Tera Term, or SecureCRT, and run commands.
All BIG-IP platforms have serial console access through the port labeled CONSOLE on BIG-IP . The
default setting is N-8- 1 at 19,200bps. Prior to initial setup, only the root user has access. After initial
setup, the root user still has access and the default administrator user account (admin) has no command
li ne access by dcfault. Tbis can be chan ged using the CLI or the GUt
BIG-LP ships with an SSH server that provides authorized users with secure login connections and file
transfer over the network. The server uses cryptographic authentication, automatic session encryption,
and integrity protection for all transferred data.
To access the CLI, open an SSH sess ion to the BlG-lP system using PuTTY Or other SSH-enabled utility.
On initial serup, this address is the management IP address; after setup, you may also be able to SSH to
one of the BIG-IP system's selflP addresses, assuming you bave permitted such access via the Port
Lockdown setting. (We' ll discuss Port Lockdown in more detail later in this course.)
As part of initia l setup, a BIG-IP administrator can choose wbether or not to enable SSH access for one or
more lP add resses. By default, the root user has access to the CLI (via console or SSH) and tbe admin
user only has access to tbe GUl (but can be given access to the CLI, if you wish). Other user roles,
besides administrators, can also be given access to the CLI. As mentioned before, the root user bas no
access to the GUl and this cannot be changed.
You can use the Configuration utility (a.k.a. GUl) to manage the BIG-IP system and its configu ration
objects. You can also use tbe Configuration utility to monitor network traffic, ClUTent connections, and the
operating system itself.
To access the Configuration utility:
l. Open a web browser session to https, / / <B IG - IP mgmt address>. On initial setup this
add ress is the managementlP address configured during setup, or after setup, a self IP add ress
that pennits port 443 access via its Port Lockdown setting.
2. When you connect to the Configuration utility, you r browser may alert you that the SSL
connection is using a secure certificate that is not recognized by a certi fi cate signing authority.
This is normal behavior as B1G-IP creates a self-signed certificate during installation. Accept the
cert ifi cate .
3. Enter an appropriate usemame and password such as the default administrative user (admiD).
Tbis will open the Configuration utility's Welcome page. (This page is also accessible at any time
by cl icking the F5 logo in the upper left comer of any Configuration utility page.)
The modules that appear in the Navigation pane vary depending on your license.
Note : The root user has no access 10 the GUI, and this cannot be changed.
There are distinct advantages to using the Configuration utility (GUI) versus TMOS shell (trnsh) to
perfonu configuration tasks:
• The learning curve is smaller because it is easier to use and more intuitive.
• It minimizes the chances of configuration errors. Input is checked and errors are reported
immediately.
• Changes are recorded immediately in BlG-lP's configuration files and effective immediately on
the system. No restarting of BIG-IP processes or manual reloading of configuration files is
required, except in the case of provisioning.
• It is easier to access. More people have browsers installed on their workstations than SSH clients.
For products such as Access Policy Manager (APM), Application Security Manager (ASM), and
Enterprise Manager (EM), almost all tasks are perfonued using the GUI over the CLl.
The Always-On Management (AOM) is a separate subsystem on some BIG-IP platforms (not YEs) that
provides lights-out management for the BIG-IP system using the lOll DOll 000 Ethernet management port
over SSH, or using the serial console. Since it operates independently from the BIG-IP host subsystem,
AOM allows you to manage aspects of the BIG-IP platform, even if the host subsystem is locked up or
turned off. If the AOM is reset or fails, the BlG-IP host subsystem continues operation, and there is no
interruption to application traffic.
The AOM provides the ability to power onloffand restart the BIG-IP host subsystem. The AOM is
powered on when power is supplied to the BIG-IP platform; it cannot be turned off.
To access the AOM Command Menu using the serial console, connect the serial console to the BIG-1P's
CONSOLE port (as described earlier), tbcn type the following key sequence: <Esc> then ( within 3
seconds. (On US keyboards, ( is the same as <Shift+9>.)
The AOM Command Menu opens as displayed below:
AOM Command Menu
Note: If the BIG-IP Host subsystem is powered off, option 5 changes to Power on Host
subsystem.
Before you can directly access the AOM over the network using an SSH client such as PuTTY or
TeraTerm, you must configure an IP address for AOM by running the N -- AOM network configurator
command from the command menu, as sbown above. The AOM IP address must be different than the
BIG-IP management address, but must be on the same IP subnet.
Once the AOM has been configured with an IP address, you can open an SSH client on a workstation
connected to the management port on the BIG-IP system and type the following commands:
ash root@<AOM_ip_address>
hostconsh
Esc then (
Note: For complete steps to configure the AOM, please see SOL9608: Configuring the AOM so
it can be accessed over the network.
Lesson Objectives
There arc several steps that are performed to initially set up a BIG-IP device, and get it ready to configure
for processing application traffic. These steps are summarized in Figure 7.
One of the first steps in setting up a BIG- IP system is to configure the management interface (MGMT).
The management interface is used by the BIG-IP system to perfonn system management function s, and is
intended for administrative traffie only. It cannot be used for load-balanced traffic. As there are no access
controls available on the management interface (except for limiting SSH access), F5 recommends that
you limit network access throug h this interface to trus ted traffic. For security reasons, the management
internce s hould on ly be connected to a secure, management-only network, suc h as one that uses an
RFCI918 private IP address space. If you do not ha ve a trusted and secure management network, F5
recommends that you do not use the management internee, and that you grant administrative access
through the TMM s witch interfaces or the local seria l console.
There are several ways you can initially access the BIG-IP system to configure the management interface:
• Using a serial console - If you're installing a BIG-IP appliance, you can use a null modem cable
or RJ45 console cable (depending on platfonn model) to connect a management sys tem that is
running a terminal emulator program to the BIG-JP console port. If you're installing a BIG-JP VE
sys tem, you can use the Console display on your VE management software (such as VMware
VSphere).
• Use the LCD panel and associated control buttons - This method applies only if you have
physical access to a BIG-IP appliance or VJPRlON device. There is no equivalent on BIG-IP VE.
• Using tbe default management interface - You can reconfigure the management interface by
connecting to the Ethemet interface labeled Management (MGMT) to remotely access the
command line or the GUI.
F5 ships BIG-IP, VIPRlON, and Enterprise Manager systems with default values pre-configured for
several platfonn properties, including default management port JP address and netmask, and default
credentials for accessing the system. These settings are summarized in the tables that follow.
Default IP Addresses
If these settings are not appropriate for your network or security needs, they can and s hould be changed .
We will explo re how to change these values in the remainder of thi s c hapter.
There are several tools you can use to sct the management lP address to something other than the F5
default:
• From the command line via the conlig command
• From the command line via tmsh commands or a tmsh script
• From the BlG-lP hardware device front panel LCD controls
• From the GUl via the Configuration utility or the Setup utility (after initial deployment)
Establish a connection to BlG-lP using the serial console or an SSH session to the default management lP
address (192.168.1.245 for BlG-lP; 192.168.1.246 for VlPRlON), and log in as the root user with the
password of default. Enter config at the Linux bash prompt (e.g. config # config). You will be asked to
enter a management lP address, netmask, optional default route, and then confirm your choices. (See the
Configure Management IP Address lab later in this chapter for step-by-step instructions.)
Note: If you are connected to the B IG-IP system via the management IP address and you
change this address, you will lose your connection. You must then establish a new connection
to the changed management IP address to continue with any other configuration activities.
Establish a connection to BlG-lP using the serial console (not the management lP address), and log in as
the root user with the password of default. Enter tmsh at the Linux bash prompt. To change the
management lP address, enter:
tmsh create Isys management-ip <address/netmask>
... replacing <address/netmask> with the appropriate management lP address and network mask
combination.
Note: A BIG-IP system can only have one management IP address assigned to it. The create
command changes the existing management-ip address to the new address/netmask specified.
We recommend that you do not delete the management IP address using tmsh.
You can also configure the management lP address via the LCD panel on BlG-lP. Access the system
menu by pressing the red X button, then set the IP address, netmask, and, optionally, the default route.
Click Commit to save your settings. (See the Configure Management IP Address lab later in this chapter
for step-by-step instructions.)
After configuring the management interface, you can access thc GUI through the management interface,
and use the Setup utility to begin activating your BIG-lP system for operation. (Note: You could use the
command line instead to perform these tasks but it is generally considered more complicated than using
the GUl.) This next phase begins with a step to activate the license for your BlG-IP system software. The
licensing process consists of five basic steps, as illustrated in Figure 8.
F5 License Server
~:::--- ___-:I~. . ._.. . . . .__!a~ct=ivate . F5. com
Admin
o
(pre-populated on the BIG·IP s}lslem)
o
Figure 7. Overview of tho BIG·IP licensing procoss
I. Find the Base Registration Key (Note: A registration key is already pre-populated on F5-shipped
BIG-lP hardware devices.)
2. Generate the dossier on the BIG-lP system. The dossier includes the registration key.
3. Send the dossier to the F5 license server at activate.fS.com
4. Generate the license and send back to the BIG-IP system
5. Install the license on the BIG-JP system, finishing the licensing process
• Dossier
A dossie r is au tomati ca lly generated by BIG-lP during the licensing process. It contains
encrypted information that identifIes your platform to the F5 License Server. Multiple system
settings are stored in the dossier, including the base registration key.
• Access to the Internet to connect to the FS License Server
As mentioned previously, if the BIG-IP system is on a network with Internet access, you can have
the BIG-IP system carry out the licensing steps automatically. If the BIG-IP system is not
connected to tbe Internet, you must manually carry out the licens ing steps.
Note: For complete, up-to-date licensing instructions and troubleshooting tips, please refer to
S0L7752: OveNiew of licensing the BIG-IP system available at AskF5.com. You will be
manually licensing your BIG-IP system during class, and will have an opportunity to walk
through the licensing steps in detail there.
..... . :::::
:::::
:::::
:::::
The license you receive from F5 Networks detennines what software modules the BIG-IP system will
support. The process of allocating CPU, memory, and disk space to licensed software modules is called
provisioning and gives the application administrator some control over the way BIG-lP apportions these
resonrces to each module. For example, if you're deploying LTM and ASM to serve mostly as your
application firewall (as opposed to load balancing traffic), you may want to allocate more resources to
ASM than to LTM.
Provisioning is an operational management feature that is integral to the initial installation and setup of
BIG-IP. Provisioning gives the nctwork administrator limited control over the resources - CPU and RAM
- that are allocated to each licensed module. For example, on a BIG-IP that is licensed for both LTM and
GTM, you might want to minimize the resources allocated to GTM to give more resources to LTM as it's
usually the bigger work borse.
With the exception of Enterprise Manager, all modules have some reliance on management (Linux),
Traffic Manager Microkemel (TMM), and the user interface (UI), so these elements are always
provisioned. Other modules must be manually provisioned.
Options for provisioning the Management special module include Small, Medium, and Large. Use
Large for configurations containing more than 2,000 objects, or more specifically, for any configuration
that exceeds 1,000 objects per 2GB of installed memory.
License status
The resource provisioning screen on the GUI shows all modules available on the BIG-lP system and an
indication of whether the module is licensed or unlicensed in the License Status column. Although you
can provision and configure some unlicensed modules, the unlicensed module functionality is not
generally active or is active only on a limited basis.
Provisioning levels
To provision a licensed module, click the checkbox next to the None option in the Provisioning column,
then select one of the available pre-defined resource levels, as shown in Figure 9:
• The Dedicated setting specifies that this is the only active module. If you select Dedicated for
one module, the system resets other modules to the None setting. The Dedicated provisioning
setting is primarily applicable for Application Security Manager (ASM) and other such modules
installed in standalone configurations (when no other modules are installed, including Local
Traffic Manager).
• Nominal gives the module its minimum functional resources and distributes additional resources
to the module only if they are available after all other provisioned modules are enabled. It
allocates CPU, memory, and disk space in a way that is applicable for most typical
configurations.
• The Minimum setting allocates the least amount of resources required for the module to be
enabled. No additional resources are ever allocated to the module during operation.
Note: For more information on how TMM uses CPU and RAM during processing, refer to
S0L3242: Overview of BIG-IP Traffic Management Microkemel (TMM) CPU and RAM usage.
t WA ,
,""
Ism-all
• M~ (MGMTl
CBmI!r Grad~ NAT (CG.'i.liT) • ,
I _ ~~t'l r:III'W./'JII(AFM) [J Nao p
" ".
.. .
X150
• "'fIpkatl~,i.etl:lI:, ut!n rl M a~ (MM)
"'
" ~'" 12
Ij:J lftn9!(j
• PoNe)' ErlfDfCillmenl (PEM ) "
Figure 8. Sample Resource Provisioning pa ge In the Configuration utility showing L TM and ASM provisioned
Once you have made and saved your provisioning selections, traffic processing may be briefly interrupted
while BIG -IP reloads the configuration.
Note: The BIG-IP Product Matrix is a PDF file that lists the various product modules/features
and the platforms that support those modules/features. It can be found in SOL 10288: BIG-IP
software and platform support matrix.
SOL9476: The F5 hardware/software compatibility matrix lists the product software versions
supported by F5 hardware platforms.
In some cases, BIG-IP systems need 10 exchange SSL certificates and keys in order to verify each othe r's
c redentials before exchanging data . For example, multiple BIG-tP systems might need 10 verify
credentials before commun icating with each other over a wide area network to collect performance data
for globa l traffic management.
To perform mutual authen tication, BtG-IP systems can use either self-signed certificates or CA-signed
certificates.
• Self-signed certificates - When you install BIG-JP software, the ap pli cation in cludes a self
signed SS L certi fi ca te (i.e. created and authenticated by the system on which it resides).
• CA-signed certificates - If your network includes one or more certificate authority (CA) servers,
you can replace the self-signed certificate on each BIG-IP system with a CA-signed certificate
(i.e. a certificate that is signed by a third party). Authenticating BIG-JP systems using CA-signed
certificates is mo re secure than using self-signed certificates.
After licensing and provisioning is complete, the Setup utility includes an optio nal step to allow the
administrator to import a CA-signed certi fi cate onto the BIG-IP system, replac ing the se lf-signed
certificate that was included by default. Import types include certificatelkey source pairs or PKCSl2 files.
Note: In this course, you will be using the self-signed certificate unless otherwise instructed. For
more information on managing SSL certificates for BIG-IP devices, please refer to the chapter
entitled SSL Certificates for BIG-IP Devices in the BIG-IP TMOS: Concepts manual available at
AskF5.com.
Activation Complete
Once you have completed licensing, provisioning, and installing a device certi fic ate, your BIG-IP system
is almost ready to operate . Of course, as a default deny device, the BIG-JP sys tem won't do much of
anything until you specifically tell it who it is, where to listen for traffic, and what to do with that traffic
when it hears it. This is the time to begin configuring your BIG-IP platform to operate in your application
delivery network environment. What this configuration looks like will certainly vary from one shop to
another, and frequ ently from one BIG-IP system to another, depending on the applications that are
delivered.
You have already learned how to configure the management port on the BIG-IP device using the conf ig
command from the command line. The management port can also be configured from within the Setup
utility, or from the System » Platform area of the Configuration utility, as shown in Figure 1O.
The management port can be configured manually or automatically (via DHCP).
Note: Effective in version 11.3, configuration of the management port is set to Manual by default
on BIG-IP hardware devices, and to Automatic by default on virtual editions.
General Properties
Management Port
Network Mask I 255.255.0.0
Management Route I
When Manual configuration is enabled, you manually configure the management port by assigning an LP
address and netmask to the port, as shown in Figure 10. The IP address that you assign to the
management port must be on a different network than the selflP addresses that you assign to VLANs ,
(VLANs are discussed in more detail in the next lesson.) You can also specify an IP address for the BIG
IP system to use as a default route to tbe management port.
Nole: BIG-IP supports either an IPv4 or an IPv6 address for Ihe management port,
When Automatic (DHCP) configuration is enabled, DHCP uses UDP ports 67 and 68. On first boot, the
BIG-lP system contacts your DHCP server and obtains a lease for an IP address and default route for the
management port, and DNS and NTP servers.
The DHCP leasc renews automatically at the configured interval.
Note: If you do not have a DHCP server on your network, and DHCP configuration is enabled,
the BIG-IP system assigns a default IP address of 192.168.1.245 to the management port of
BIG-IP hardware devices and virtual editions, and 192.186.1.246 to the management port of
VIPRION systems.
Host name
Every BIG-IP system must have a host name that is a fully qualified domain name. In your classroom
BIG-IP lab environment, your B1G-IP will have the host name bigipX.fStrn.com (where "X" is your
workstation number).
Host name is used to identify BIG-lP systems during device group configuration and administration. and
also to match UCS files with the B1G-IP system on which they were originally created . (UCS files are
covered in detail later in this course.)
Host IP address
Every BIG-IP system has a host IP address. The default is to use the same address as the manage ment
port (Use Management Port IP Address) .
Time zone
Use the Time Zone pull-down to specify the time zone region that most closety represents the location of
the BIG-IP system you are configuring. Atthough it is important to configure this setting, it is marc
important to ensure that the system time is correctly set to start with.
The BIG -lP system uses two clocks to track time:
• The hardware clock tracks time even when thc system is unplugged, and is used to initialize the
operating system clock when the system is booted .
• The operating system clock is a software clock that is available when the system is running. This
clock stores time according to the local time zone that yo u configured when you initially set up
tbe system .
Once the date and time bave been set to a rougbly accurate va lue, F5 recommends that you set up the
BIG-lP sys tem to keep its clock synchronized with an NTP server. NTP servers can be added to the BIG
IP system later using either the Configuration utility or the command line. Tbe hardware clock can be
initially set using the command line.
Note: For more information on configuring the BIG-IP system to use an NTP server, see
SOL 13380: Configuring the BIG-IP system to use an NTP server from the command line or
SOL3122: Using the BIG-IP Configuration utility to add an NTP server
BIG-IP platfonn properties also include the credentials for the default administrative accounts, and the lP
addresses that will be allowed to access the BIG-IP management through SSH, as shown in Figure J 1.
User Administration
Password: ! ••••••••••
Root Account I
;i
Confirm:
I •••••••••• I
Password: ! ••••••••••
Admin Account I
Confirm: ••••••••••
I !
SSH Access o Enabled
ISSH IP Allow I* All Addresses "
Figure 10: Configuring root and admin user credentia's, and enabling SSH access to the management interface for afl
IP addresses
The BIG-lP system ships with two default administrative accounts, root and admiD. The root account
has full command line access but no GUI access to the BIG-IP system. By default, the admiD account has
GUI access to all functions on the BIG-lP system, but no command line access. (This can be changed
later 00.)
Duriog initial BIG-IP deployment using the Setup utility, you are prompted to enter and continn new
passwords for both the root and admiD accounts. In doing so, you will be logged out and then asked to
log back iota the BIG-IP system. Upon logging back in, you should be returned to the next Setup utility
page.
You can also use System » Platform (io the GUI) to cbange tbe default passwords for tbe root and
ad miD accounts after initial deployment, and are encouraged to do so on a regular basis to comply with
password policies, standards such as PCI compliance, or otber security policies appropriate to your
organization.
Note: You are not required to have any user accounts other than the root and admin accounts,
and the root account is not present if the BIG-IP device is running in appliance mode. F5
recommends that you create other user accounts as a way to intelligently control administrative
access to system resources . (User administration is covered later in this course.) F5 also
recommends that you change all user passwords on a regular basis for security purposes.
If you lose or forget the root account password, you can reset it without reinstalling the system
software. See S0L13121: Changing system maintenance account passwords (11.x)
Administrative access to the BIG-lP system through the management port using an SSH client cao be
controlled through the SSH Access and SSH IP Allow.
When disabled, no SSH access to the BIG-lP system 's management interface is pennitted.
When eoabled, SSH access can be granted to all IP addresses (* All Addresses in the SSH IP Allow pull
down) or limited to selected IP addresses (Specify Range in the SSH lP Allow pull-down).
Note: You can also restrict access to the Configuration utility (GUll by source IP address. See
SOL 13309.· Restricting access to the Configuration utility by source IP address for more
information.
Note: In this class, we will be using the Setup utility to create the BIG-IP configuration objects
that support the classroom network environment.
The Standard Network Configuration screens in the Setup utility can be used to:
• Configure basic network components including the TMM switch interfaces, VLANs and self
IPs .
• Configure a standard Active/Standby pair including senings for ConfigSync, failover, and
mirroring, as well as peer discovery.
The TMM switch interfaces on the BIG-IP system are the physical ports that con.nect the BIG-lP system
to other devices on the network, such as routers, bubs, switches, destination servers, etc, and process
application traffic. Through its interfaces, the BIG-IP system can forward traffic to or from other
networks . The exact number of interfaces depends on thc platform type.
A virtual LAN or VLAN is a way of logically partitioning a physical network so that distinct broadcast
domains are created. Hosts can be grouped by a common set of requirements regardless of their physical
location.
A self lP address is an IP address/netmask combination on the BIG-I? system that you associate with a
VLAN to allow the BIG-IP system to access hosts in that V LAN. By virtue of its netmask, a self lP
address represents an address space - that is a range of IP addresses spanning the hosts in a VLAN, rather
than a single host address. You associate one or more self LP addresses with a VLAN to create a distinct
broadcast domain - a logical su bset ofa physical network that is independent of the physical network
topology.
Note: We will cover VLANs and self IPs in more detail throughout the remainder of this course.
Once you have completed configuring your BIG-IP system for administrative access, and to participate in
your network environment, you're ready to configure it to listen for and process application traffic. The
Welcome page is the default landing page when signing into a licensed and provisioned BIG-IP system.
This can be changed by modifying the Start Screen setup under System» Preferences.
The Configuration utility's Welcome page contains a variety of useful infonnation, as shown in Figure
12. Use the objects in the Navigation pane to navigate to pages where configuration and administration
tasks can be perfonned. Use the links on the Welcome page to perfonn additional setup tasks, change
your system preferences for the Configuration utility, or link to F5's online support sites such as AskF5
and DevCentral.
You can usually access the Welcome page by clicking on the F5 logo in the upper left comer of each
Configuration utility page. (This can change depending on where you are in the GU! and what your BIG
IP's preferences are set to.) The contents of the Welcome page are also shown in the About tab.
Pr.fulncu
o,.tl.Sytle nl
~~g
~II
fl)llhll C~,.. Ut ,h'y
_....
sorl.ltlon C. m.r
Th . StlYlJIIII'I Cuht " ~ I Y''''s ~1.1Ip"'b:r-.lftt DIplD~ GU ' d8~ ,
WhIt.., PIIIH', Appil:'.uD n B!lef~, SLiOCti~ 'SlU'R1, Tut o~ 31~ 3nd
~ , I:~ ~t'lUIi, DfItt' ,.w1'l... lnIIjlil~ t ()()~ gu r~d Ih4I! I~Bl! .....ng
C. vC . ntraJ
1h11 Salu p UII I~T
D ~nlrtl' liIJIIO''1du n«work ii d ,nil'llll~iltO' i a"d . '(, ":'00
~~.'" : ...,.\,~, ~~'fIIIItJ all'lBn_ l ools, t'P! , _ _ If.llll, an.:l(.;)mmun,ly
: C'f'llll:1
nlSOlK'H ~gned 10 ,,-pe ed IC II'lD1II ~I =
~ ~I i . a
·
• rdF>
"....
• lh ~I~ !r<oI' .....,
IQ rU Il'II Q'~ ~,~
• V~ iJeoC.rt.'1Il
pr. Cl;( Qii
You can access the Setup utility even after the system is licensed and configured. Navigate to the
Welcome SCreen by clicking on the FS logo from most anywhere within the Configuration utility (or click
the About tab). Scroll down and click on the Run the Setup Utility link.
Note: The ability to rerun the Setup utility in its entirety depends heavily on the other
configuration objects that exist on the system. If those objects deviate from what the Setup utility
would normally generate, the utility will typically stop and/or issue an error message.
Print button
a UCon• • Ty po
a UConoO<J Dot.
Use the Print button to obtain a printable copy of the contextual help 5peclfles the date on whleh the
for the screen. Ileensc was actlva1ed.
Click the Expand button to expand all the help major topics. After clicking Expand, the Collapse button
will appear. Clicking Collapse collapses all the help major topics. You can also click a specific help topic
heading (e.g. "+ License Type" or "- Licensed Date", as shown in the figure to the right) to expand or
co llapse that particular topic.
You can customize your Configuration utility experience using the options
available [rom the cog pull-down that appears at the left of the menu bar
area on each page. (See Figure 14.)
When Auto-close menus is turned on, any open major configuration object in the navigation pane will
automatically collapse before another object is opened. When Auto-close menu s is turned of[, any major
configuration object you open in the navigation pane will stay open, even when you click ano ther object.
You must manually close an obj ect by clicking on its title.
Lesson Objectives
Note: BIG-IP configuration backup files are covered in more detail later in this course.
Understanding Archives
As you administer the BIG-IP system using any of the available tools, you create configuration data that
consists of system and network definitions, such as VLANs, self IPs, and administrative user accounts, as
well as application traffic elements, such as virtual servers, pools, and profiles. Once you have created
this configuration data, you may wish to save it to use for backing out a change, disaster recovery, or even
as a way to propagate data to other systems.
We will cover B1G-IP arcbives in more detail in the chapter entitled Traffic Management Shell (tmsh) and
Managing the BIG-IP Configuration. In the meantime, it's important that you at least understand how to
create an archive so that you can regularly back up your BIG-IP systems before and after each lab, should
you so desire.
BIG-lP configuration data can be backed up to a User Configuration Set (UCS) archive file. By default,
the UCS archive contains all files required to restore your current configuration including system specific
configuration files, product licenses, user accounts and password information, DNS zone files, and
installed SSL keys and certificates.
To create a new UCS archive, navigate to System » Archives and click on the Create button. Give the
archive a name and click the Finished button to save the archive, as shown in Figure 15. By default, BIG
IP saves the UCS archive file with a .ucs extension and places the file in an archive directory whose path
is Ivarllocal/ucs.
General Properties
Encryption iDisabled ¥ .
Figure 14: Creating a UCS arch ive using the Configuration utilIty
For more information on backing up and restoring BIG-IP configuration files and transferring
archives to a secure location, see SOL 13132: Backing up and restoring BIG-IP configuration
files (11 .x) and SOL 175: Transferring files to or from an F5 system
Lesson Objective:
AskF5.com
, ~'I~II' '., ~I ,,1_, It,·." '" ' " \I •
r' II
AskF5 Knowledge Base
Licltn5Jng
• Fit-e db;!lck
Diagnostics and Firmware
~ ....ung llsts Upgrades
Recent Add itions and Updates I View All
tOO UIi8"~llti ~iI96'flrtN
0612812.013 sot.'.lolIIl Iblr lo IJIIlti@fctf~1UaI{Ilrot-M" 5tJI~~ ~ ft
.tRX ~ .111 8 1IIlIt'laQt!{I n...r AMt.&r-i-On iI1 ~ H) 1 13
8K}. I P~1
06127/201::: ;;()L 14.t!t I I hi!, WS~ II:fIQfllI' ~ ~ ttl ~~ ~r,p1.~1
Hotfix Infonnalion
Figure 15." AskF5.com provides a centralized starling point for locating information that relates to BIG-iP system
adminislration Emd supporls
Need access to the latest product updates? Looking for product guides, release notes, solutions to known
issues, and how-to infonnation? AskF5 is a complete, easy-to-use storehouse for thousands of solutions to
help you manage your F5 products mOfe effectively.
Whether you want to search the knowledge base periodically to research an issue, Or you need the most
recent news on you r F5 products, AskF5 is your source for:
The F5 hardware/software compatibility matrix is your best source for information abo ut product ve rsions
and the latest scep, AOM, and EUD ve rsions supported by F5 hard ware platforms. This table shows
each F5 platform and chassis marketing name (e.g. BIG-IP 4200s, BIG-IP 10200v, VIPRJON
4800/S 100), the platform type, the BIG-LP software versions supported by the platform, the latest version
of seep/AOM firmware supported by the platfoml, and the latest ve rsion of EUD supported by the
platform. We' ll cover seep/AOM and EUD later in this class.
Use the AskF5 Knowledge Base as your first resource when you need help. AskF5 solutions are avai lable
whenever you need them and include the most up-to-date information available from F5.
Step-by-step instructions, downloads, and links to additional resources give you the means to so lve issues
quickly and without delay. Because you can search by product, version, and document type, in addition to
key words, it is easy to find the answers you need. For more complex queries, you can narrow your search
using Boolean operators (AND and OR) and Lucene search mode (to modify the way the search engine
interprets special characters for wildcard, fuzzy, and proximity searches).
AskF5 provides resources fo r you to add ress potential issues before they become reality. In addi tion to
standard searches to find information, you can select a specific product to see all documents related to that
product, read release notes, access product manuals, and view the most requested so lutions for the
product.
Documented known issues are posted to Askf5 between release dates so you can implement solutions
right away. If vulnerabilities are discovered in a BIG-IP component, F5 will send a security email alert
The email alert wilt point you to the security advisory, which will specify wbich products are affected,
describe the vulnerability, explain risks associated with running an affected version, and provide available
hotfix information.
Askf5 RSS feeds are an excellent way to stay informed about new documents specific to your F5
products and versions. The AskFS Recent Additions page, which is published over RSS, provides an
overview of recently added or updated documents. You can configure feeds tbat pertain to specific
products, product versions, and document sets. You can also aggregate multiple feeds in your RSS reader
to display One unified list of all selected documents.
Document categories
~ Manual ~TroobleShooting
Askf5 's Advanced Search functionality provides additional granularity when specifyi ng search criteria .
For example, a series of selections can be used to filter the results produced by a keyword search. These
include:
• Product - Limits the search to a specific F5 product
• Version - When Product filter is specified, further limits the search to a particular version of the
selected Product
• Document type - Limits the search to a particular document type (e.g. Release Notes, Manuals,
Best Practice, Known Issue, Security Advisory, General Solution)
• Publication date - Limits the search to documents published within a particular time frame (e.g.
week, month, three months, year, two years)
• Updated date - Limits the search to documents last updated within a particular time frame (e.g.
week, month, three months, year, two years)
Security Updates
Receive timely security updates and ASM attack signature updates from F5. When remote vulnerabilities
are discovered, F5 implements, tests, and releases security hotfixes for any vulnerable supported version,
and sends an cmail alert to the F5 Security mailing list. F5 encourages customers with an active support
account to scribe to tbis list. For more information, see SOL4602: Overview ofthe F5 security
vulnerability response policy. To sign up for the Security mailing lists, click Mailing Lists in the left
navigational panel of the AskF5 Knowledge Base.
TechNews
RSS Feed
Use F5 RSS feeds to stay infonned about new documents pertaining to your installed products, or
products of interest. AskF5's Recent Additions page provides an overview of all the documents recently
added to the knowledge base. Recent Additions is also published over RSS to provide additional
configurability. You can configure feeds that pertain to specific products, product versions, andlor
document sets. You can also aggregate multiple feeds in your RSS Reader to display one unified list of all
selected documents.
To sign up for RSS feeds, click the Recent Additions tab at AskF5.com. After you plug the feeds into the
RSS Reader of your choice, you are automatically informed whenever relevant documents are published
including known issues, security advisories, hest practices, general solutions, manuals, and release notes.
Chapter Resources
SOL2595 Activating and installing a license file from Ihe Command line
SOL3782 Finding the serial number or registration key of your BIG-IP system
SOL3242 Overview of BIG-IP Traffic Management Microkernel (f MM) CPU and RAM usage
SOL 13369 Performing a first-time configuralion from the command tine (11.x)
SOL 13127 Restoring the BIG-IP configuration to factory default settings (11.x)
SOL 13380 Configuring the BIG-tP system to use an NTP server from the command line (11.x)
SOL13418 Archiving UCS files using the log rotate and crontab utilities (11.x)
SOL9957 Creating a custom RSS feed to view new and updated documents
The BIG-IP System Setup Labs are di vided into several sections, as follows:
• Lab I, I - Confi gure the Management Port
• Lab 1,2 - Activate the BIG-IP System (License, Provision , Device Certificate)
• Lab 1,3 - Classroo m Network Configuration
• Lab 1.4 - Test Access and Archive the Configuration
• Lab 1.5 - AskF5 Research (if Internet access)
Estimated Time for Comp letion: 45 minutes
Note: For all labs, when an "X" is listed in lab instruction steps, please substitute your lab station
number instead, For example, for lab station 1, the IP address shown as 192,168,X.3 1 in the lab
instructions would be entered as 192.168.1.31 when carrying out the instruction . A password
specified as "root)(" in the instructions would be entered as root1 .
Important: If using Firefox as your browser throughout these labs, please do NOT permanently
accept any certificate exceptions when accessing the BIG-IP system ,
Ifpossible, yo ur workstation should be configured with two IP addresses in order to access the BIG-IP
system simultaneously through the management IP address ( 192. 168.X.3 I) and external self IP address
( 10. 10.X.3 1). The steps below are genera lly applicable for a Windows 7 environment. If you are using a
different operating system andlor are unfamiliar with how to configure multiple lP addrcsses, please
consult with the in structor.
1. Open the Windows Control Panel function
2. Select Network and Internet (may also be Network Connections)
3. Click View network status and tasks
4. C li ck Local Area Connection
5. Cli ck the Properties button
6. Double click Internet Protocol Version 4 (TCP/JPv4)
7. Se leclthe radio button next to Use the following LP address and configure the fo llowing
settings:
a. IP address: 192.168.X.30
9. In the Advanced TCP/IP Settings window, click the Add button under the IP addresses area
and configure the following:
a. IP address: 1O.IO.X.30
b. Subnet mask: 255.255.0.0
c. Default gateway: 10.1 0.17.33 (or as provided by your instructor)
10. Select the radio button next to Use the following DNS server addresses and set Preferred DNS
serve to 10.10.17.53 (or as provided by your instructor).
II. As necessary, click OK to close all network configuration windows and save your changes.
Note: If you cannot configure your PC to have more than one IP address, start with the
192.168.X.30/16 address and then switch to the 1O.10.X.30/16 address after the BIG-IP system
has been licensed, initially set up, and a standard network configured.
Lab Requirements
• For classrooms with BIG-IP hardware devices, serial console access to the BlG-IP system or
physical access to the BlG-IP device if using the LCD option
• For classrooms with BIG-IP YEs, access to the preconfigured management port (l92.l68.x.31)
to rerun the conjig command, if desired.
Note: Your instructor will tell you which method you will be using to configure your BIG-IP
system's management port.
A: Configure the management port via the MGMT port (pages 1-36 through 1-38), or
B: Configure the management port via a serial console (pages 1-39 through 1-41), or
C'. Configure the management port via the LCD panel (page 1-42)
1. Gain access to the BIG-IP system's management port. Open an SSH session using PuTTY (or
other SSH client) to the preconfigured management port IP address 192.16S.X.31 where "X" is
your station number.
2. When prompted to log into the BIG-IP system, enter root for the usemame and default for the
pass word.
3. At the config # prompt, enter the command: config
Note: Use the <Tab> key to tab between fields and options in the config tool. Use the
<Backspace> andlor <Delete> keys to remove field content. Use the <Enter> key to select an
option (such as "OK" or "Next"). You can also select an option by moving the mouse cursor over
a particular option (such as "OK" or "Next") and clicking.
4. Start the process of configuring the management port. On the Configuration Utility panel, as
shown below, press the <Enter> key to select the OK option.
· ..·nfl'I'J! ,tl·;;1 "tITlt'
Use t his utility to add an IP address, netmask and default route
for the management port on t his system.
You must add an IP address and netmask for the management port
before you can use the web- based Setup utililty.
--
5. On the Configure IP Address panel, as shown in the example below, ensure the No option is
highlighted (to bypass automatic configuration of the IP address) and press the <Enter> key. (If
the No option is not already highlighted, use the <Tab> key to tab to it before pressing the
<Enter> key.)
IMPORTANT: Do NOT select the <Yes> option shown in the panel below or you may
inadvertently reset your BIG-IP device to its default IP address and netmask, rendering it
inaccessible. Alert your instructor immediately if you inadvertently do so.
De fault Route :
6. On the Configure IP Address panel, as shown in the example below, use the <Backspace>,
<Delete>, andlor arrow keys to change the IP address to 192.168.X.3I, where "X" is your station
number. After changing the IP address, press the <Tab> key to highlight the OK option, then
press the <Enter> key to continue.
F~~~~~~~~~=~·'·'II.f.lY Il.L 1 Ad<lL~'''S:l==~~~~~~~~~='i1
IP Address
[ 1 92 . 168.X_31 P
I
-- <Ca ('.;1>
7. On the Configure Ne/mask panel, as shown in the example below. After changing tbe netmask,
press the <Tab> key to highlight the OK option, then press the <Enter> key to continue.
Netmask
[255.255.0.0
8. When prompted to create a default route for the management port, select the No option and press
the <Enter> key to continue, as sbown in the example below. In our classroom environment, no
default route is required.
anaGeme'lt hl)ut
Do you want t o create a default route for the management port ?
This i s requi red I f you want to connect to the management port
from another subnet •
< tee
Note: Do not do these steps if you already completed A: Configure the Management Port via
the MGMT Port. Skip forward instead to Lab 1.2 Activate the BIG-IP System.
Note : Use the <Tab> key to tab between fields and options in the config tool. Use the
<Backspace> andlor <Delete> keys to remove field content. Use the <Enter> key to select an
option (such as "OK" or "Next"). You can also select an option by moving the mouse cursor over
a particular option (such as "OK" or "Next") and clicking.
4. Start the process of configuring tbe management port. On the Configuration Utility panel, as
shown below, press the <Enter> key to select the OK option.
~======~~~~~~ · C.[';".T7
~··~Wt
!U ~~t~~,
I 7~'-~~~~
. 'l l l l~,~~~~~~~~~~~~
Use th~ s utility to add an IP address, netmask and default route
for the management port on this system.
You must add an IP address and netmask for the management port
before you can use the web-based Setup utililty.
--
Administering BIG -IP v11 1-39
1-40 Chapter 1 - Setting Up the BIG-IP System
5. On the Configure IP Address panel, as shown in the example below, ensure the No option is
highlighted (to bypass automatic configuration of the [p address) and press the <Enter> key. (If
the No option is not already highlighted, use the <Tab> key to tab to it before pressing the
<Enter> key.)
IMPORTANT: Do NOT select the <Yes> option shown in the panel below or you may
inadvertently reset your BIG-IP device to its default IP address and netmask, rendering it
inaccessible. Alert your instructor immediately if you inadvertently do so.
6. On the Configure lP Address panel, as shown in the example below, use the <Back.space>,
<Delete>, andlor arrow keys to change the [p address to 192.168.X.3I, where "X" is your station
number. Af\er changing the [p address, press the <Tab> key to highlight the OK option , then
press the <En ter> key to continue.
1
IP Address
1192 .168.X.31
< d >
7. On the Configure NemlGsk panel, as shown in the example below. After changing the nctmask,
press the <Tab> key to highlight the OK option, then press the <Enter> key to continue.
',' I I l' ': :j'.')', _.
Ne lmask
[255.255.0.0
8. When prompted to create a default route for the management port, select the No option and press
the <Enter> key to continue, as shown in the example below. In our classroom envirorunent, no
default route is required.
~======================~~"~~;~~~~~~
C'~ "'~ lr'-'~ lr i~(7t~3i==~
nu~ __________________====~
Do you want to create a default route for t he management por t ?
This is required if you want t o connect to the management port
from another subne t •
<
Note: Do ill!! do these steps if you already completed A: Configure the Management Port via
the MGMT Port or B: Configure the Management Port via the Serial Console. Skip forward to
Lab 1.2: Activate the BIG-IP System instead.
This lab can only be carried out if your classroom environment includes BIG-LP
hardware devices. All steps are done using the buttons to the right of the LCD
display on tbe front of the BIG-IP device itself The arrow buttons are used for
navigation. The checkmark button is used to make a selection or to save a setting.
I. Press the red X button to start the configuration process.
2. Using the up/down arrows, navigate to System menu and press the
3. Navigate to the Management meou and press the green check mark button to select it
4. Navigate to the lP Address menu and select it
5. Navigate to the IP Address field and select it
. 6. Using the up and down arrow keys to increment/decrement the values in each octet, enter the IP
address as 192.168.X.31 where "X" is your station numbeL Press the green check mark button
to save your setting.
7. Navigate to the Netmask field and select it
8. Enter the netmask as 255.255.0.0 and save your setting.
9. Use the down arrow to navigate to the Commit menu and select it When you see the OK menu
blinking, click the green checkmark button.
Lab Objectives
Lab Requirements
Note: Your instructor will tell you which method you will be using to activate your BIG-IP system,
including licensing , provisioning, and device certificate setup. Two methods are available and
instructions for each have been provided in the lab steps that follow. You should run only one
set of steps, as outlined below and as indicated by your instructor.
Run either:
l. Open a browser session to https:11192.168.X.31 where "X" is yOUJ station num ber. BIG-IP ships
with a self-signed SSL certificate. If your browser asks you to, accept the certificale (not
permanentl y, ifusing Firefox) and log in with usemame adruin and password admin .
2. On the resulting Welcome page, click the Run the Setup Utility li.1lk thai appears in the Setup
area of the page. You may need to scroll down to find il.
3. On the subsequenl Setup Utility » License page ofthe Setup utility, click the Next button 10
continue.
4. On Ihe subsequent Setup Utility » Resource Provisioning page oflhe Setup utility, provision
your BIG-IP system, as shown below .
Note: Your BIG-IP may produce a warning message that certain system daemons may restart ,
causing your session to wait for a minute or so. This is normal behavior when changing
provisioning settings.
5. After provisioning is complete, you should be taken to the Device Certificates page in the Setup
ulility. We will be using the BIG-JP system's self-signed certificate in class. Note Ihe expiration
date for the certificate for possible later discussion, and click the Next button to conlinue the
Setup utility.
6. Configure host name, time zone, and administrative access usernames/passwords. Remember to
substitute your station number for "X." Some fields may already contain the correct values.
Management Port
Nexl, then OK
Note: You are changing the passwords for the root and admin accounts, not creating new
accounts. Since you are currently logged in using the admin account, you may need to log back
in again with your new password.
7. Log back in to BIG-IP as user adruiD with password ofadruinX. You should be taken directly to
the Setup Utility » Network page. If the page does not load entirely (parts of it are blank), try
clicking on any visible tab (such as Main or About), hard-refresh your browser page (Ctrl-F5) or,
worst case scenario, restart your browser and connect to the BIG-1P management port again.
Note: Do not do these steps if you already completed A: Activate a Licensed BIG-IP System.
Skip forward instead to Lab 1.3 Classroom Network Configuration.
Note: Your instructor will let you know where to find the base reg istration key and license
information that you will use during this lab. Please ask your instructor for assistance if you
cannot quickly locate this information.
t. Locate the base registration key and license file that you will use in subsequent steps. Your
instructor will let you know where to find them.
2. Open a browser session to https:11192.168.X.31 where "X" is your station number. BlG-IP ships
with a self-signed SSL certificate. Accept tbe certificate (not pennanently, if using Firefox) and
log in with usemame admin and password admin.
Note: Upon connecting to your BIG-IP system, you should be directed to the Setup utility.
Please let your instructor know if you are not placed directly into the Setup utility.
5. Use the Base Registration Key you located earlier to generate a dossier us ing either step <a) or
(b) below, depending on whether or not the Base Registration Key field already has a value in it.
a. If your Base Registration Key field does not already have a value prepopulated in it:
6. Generate the dossier and install your license. In Step!: Dossier below, a fil e called dossier.do
will be downloaded to your workstation. If prompted for where to save the file, choose the
desktop. In Step 3: License below, select the bigip.license file you found in a previous lab step.
7. Upon returning to the BIG-IP system from the previous step, you should be taken directly to the
Resource Provisioning page of the Setup utility. Provision your BIG-JP system, as shown below.
Note: Your BIG-IP may produce a warning message that certain system daemons may restart,
causing your session to wait for a minute or so. This is normal behavior when changing
provisioning settings.
8. After provisioning is complete, you should be taken to the Device Certificates page in the Setup
utility. We will be using the BlG-JP system's self-signed certificate in class. Note the expiration
date for the certificate, and click the Next button to continue the Setup utility.
Next. then OK
Note: You are changing the passwords for the root and admin accounts, not creating new
accounts. Since you are currently logged in using the admin account, you may need to log back
in again with your new password.
10. Log back in to BIG-IP as user admin with password of ad minX. You should be taken directly to
the Setup Utility » Network page. If the page does not load entirely (parts of it are blank), try
clicking on any visible tab (such as Main or About), hard-refresh you r browser page (Ctrl-FS) or,
worst case scenario, restart your browser and connect to the BIG-IP management port again.
Lab Objectives
• Continue using Ihe Setup ulility 10 creale Ihe VLANs and Self IPs that are used in support of the
classroom lab environment, and to prepare the BIG-JP system for high availability.
Lab Requirements
• Access to a li censed and provisioned BIG-IP system via the management port
• Students already have an open browser window to the BIG-IP system, and are in the Setup utility,
havi ng completed licensing, provisioning, and device certificale steps.
I. Continue the Setup utility by performing a Standard Network Configuration. Click tbe Next
button under the Standard Network Configuration heading, as shown in Figure J8:
• Redundancy
• VLANs
• Config Sync
Fallover
• MirrOring
• Peer Device OiscO\'-ery (for Redur l d~'irlt CUIlfigufations )
Figure 17: Click the Next button to use the Setup utility wizard for standard networl< configuration
2. Set Redundant Device Wizard Options to prompt for CODfigSync settings and High
Availability options.
3. Configure VLAN internal and its self IPs, interface, and port lockdowo settings.
Setup utility
Self IP
Netmask: 255.255.0.0
Port Lockdown: Allow Default
Address: 172.16.X.33
Floating IP
Port Lockdown : Allow Default
Internal VLAN Configuration section
VLAN Name internal
VLANTag 10
auto
Move 1.2 from the Available column to the
VLAN Interfaces
Untagged column
When complete, cliCk... I Next
4. COnfigure VLAN external and its self LPs, interface, and port lockdown settings.
Address: 10.10.X.31
Setf tP Netmask: 255.255.0.0
Port Lockdown : Allow 443
Address: 10.1 0.X.33
Floating IP
Port Lockdown: Allow 443
External VLAN Configuration section
5. Configure the high availability network to use the existing VLAN internal.
Address: 172.16.X.31
Netmask: 255.255.0.0
High Ava~abillty VLAN Configuratlon section
I
Configure ConfigSync
7. Use the default settings for Failover Unicast Configuration and Failover Multicast
Configuration.
Mirroring configuration
8. Use the default primary and secondary local mirror address settings for Mirroring
Configuration .
Next
You have now completed configuring the network interfaces that are used in support of the classroom
envirorunenl. We will not be configuring a standard Active/Standby pair in this class so you can exi t the
Setup utility at this point.
9. Click the Finished button under tbe Advanced Device Management Configuration heading.
You should be taken to the Welcome page, and there should be a message at the top of the page
indicating the Setup Utility has completed, similar to what is shown in Figure 19.
Figure 18: Setup Utility Completion is indicated in the message area after exiting
Continue with Lab 1.4: Test Access and Archive the Configuration
Lab Requirements
• Access to a 8 IG-IP system that has completed the initial setup process, including management
port configuratio n, licensing, provisioning, device certificate setup, and standard network
configuratio n.
I. Using PuTTY, open an SSH session to 192.168.X.31. Make sure the protocol is set to SSH (port
22) before connecting. Log in as root with password rootX. Were you able to connect? What
BIG-IP configuration setting(s) permits this access? When you are done, you may close the
PuTTY window or leave it open for later lab steps.
Open a browser window to https:III0.1O.X.31 and log in as user admin with password admin)'
What are you connecting to at this address? What 8IG-1P configuration setting(s) permit this
access?
Open a browser window to bttps:III0.I0.X.33 and log in as user admin with password adminX.
What are you connecti ng to at this address? What BIG-IP configuration setting(s) permit thi s
~I.!' 8"* access?
~ote: Although you can connect to the GUI or command line using the BIG-IP system's self IP
addresses, such access is typically restricted to avoid security risks . On a customer- or Internet
facing VLAN , there is often no access via the self IPs, or access is restricted to port 443
(HTTPS) only.
4. Using PuTTY, try to open an SSH session to IO.IO.X.3I. Make sure the protocol is set to SSH
(port 22) before connecting. Were you able to connect? Why or why not? • .
-1/"..
Note: Your network connection in the previous step should be refused, as this self IP is currently
protected via Port Lockdown. By default, when using the Setup utility to create VLAN external,
the BIG-IP system only permits access to this VLAN's self IPs via port 443 (https). SSH uses
port 22. Port Lockdown is covered in more detail later in this course.
s. Reconfigure the self IP address IO.IO.X.3I to also allow access via port 22.
Configuration section
6. Using PuTTY, try to open an SSH session to IO.IO.X.3I again. You should have success this
time. If not, review the Port Lockdown settings for this self IP and make sure port 22 was
successfully added in the previous step.
Note: In the next section, you'll start using some Traffic Management Shell (tmsh) commands to
become familiar with the command line interface. tmsh commands will be discussed in more
detail in a later chapter.
The lIess parameter used in the instructions below allows scrolling when tmsh command output
is more than the console can display. Use the arrow keys and the space bar to scroll through
the output. Type q to quit scrolling mode and return to the Linux bash prompt.
7. Use the Traffic Management Shell (tmsh) command to view various conliguration settings. Using
PuTTY, open (or reuse) an SSH session to to.to.X.3I or to I92.I68.X.31:
a. Log in to the SSH session as the root user with password rootX.
b. At the Linux bash prompt, enter the following command and compare the results with what
you see in the Configuration utility (GUI) at Network» VLANs.
tmsh list /net vlan Iless
c. At the Linux bash prompt, enter the following command and compare the results with what
you sec in the Conliguration utility (GUI) at Network » Self IPs.
tmsh li st /net s el f I less
d. At the Linux bash prompt, enter the following command and compare the results with what
you see in the Configuration utility (G UI) at Network » Interfaces.
tmsh list /net inte r face Iless
e. At the Linux bash prompt, enter the following command and compare the results with what
you see in the Configuration utility (GUI) at System » License.
tmsh show jsys license
8. Open another SSH session window to W.W.X.31 or to 192.l68.X.3l and attempt to log in as the
admin user with password ad minX. Were you successful?
Note: Your attempt to log in to the command line interface as the admin user in the previous
step should fail. By default, the admin user does not have access to the command line.
9. Update the admin user settings to permit access to the command line interface, but only to the
Traffic Management Shell (tmsh).
Note: When changing terminal access for the admin user - the user you are currently logged in
as - you may have to log back onto the GUI again.
10. Open an SSH session to W.lO.X.31 or to 192.168.X.31 and test logging in with the admin user
credentials again. Were you able to connect this time?
11. How is your access different from the root user? (Hint: Check the prompt after you log in as
each user.) What do you have access to as the root user that you do not have access to as the
admin user?
12. Open a browser window to IO.10.X.31 or 192.l68.X.31 and attempt to log in as the root user.
Were you successful?
Note: Your attempt to log into the GUI as user "root" should fail. User "root" does not have
access to the BIG-IP systems administrative GUI, only to the command line.
13. Open a browser window to 10.10.X.31 or 192.168.X.31 and create a backup of your current
configuration
14. Download your new UCS backup to your workstation hard drive for possible use in a later lab.
TralnlLbase.uca section
Click Download: IrainX_base.ucs, then save to
Archive File
des ent PC.
View the backup UCS file using the command line interface
mkdir /var/tmp/test
(Note: This directory may already exist from a previous class. If so, continue with the next step.)
cd /var/tmp/test
18. Copy the backup previously downloaded to the new directory (and replace, ifnecessary).
Remember to replace the "X" with your station number in the file names:
cp Ivar/local/ucs/trainX_base.ucs trainX base.ues
The resulting files show the directory structure and all files stored within the UCS backup.
individual files can be viewed with cat, tail, more, less, and other command line tools.
Expected Results
At the end of the previous labs, you should have configured the BIG-lP system up to the point where it is
connected to the network and able to process administrative traffic. For the remainder of the class, you'll
learn how to configure the BIG-IP system for application delivery. Whether you're working on BIG-lP
virtual edition or on actual BIG-IP devices, Figure 20 provides a conceptual representation of the work
you've done to date. You can use this as a reference throughout the remainder of the class.
192.168.X.30 0 10.10.X.30
MGMT IP
192.168.X.31/16
VLAN: exte rn al
Inte rface: 1.1
Non·floating Self IP: 10.10.X.31/ 16
Floating Self IP: 10.10.X.33
Port Lockdown: Allow Custom (22 & 443)
VLAN: internal
Interface: 1.2
Non-floating Self IP: 172.16.X.31 / 16
Figure 19: Conceptual rep resenta tion of your ctassroom environment aner setop lob completion
Lab Requirements:
Research Solutions
STOP
Lesson Objectives
At the end of this lesson, you should be able to:
• Define the terms vutual server, pool, and pool member, as they relate to BIG-IP Local Traffic
Manager (LTM)
optimization and DNS processing into a single, centralized application delivery solution.
Application
Server
Application Servers
Figure 1: Client-server behavior (top) contrasted with client-server behavior when BIG-IP Local Traffic Manager sits
as a fuff-proxy in-between clients and servers (bottom)
Nodes
A 00 de is a logical configuration object on BIG-IP that identifies the LP address of a physical device on
the network. A single node may logically represent multiple pool members, as shown in Figure 2. Nodes
are typically not defined directly. Rather, as a pool member is defined, its associated node object is
automatically created, if necessary.
Node
l= IP Address (rOI..- :z p)
Figure 2. A node definition on the BIG-IP system consists of an IP address only
Pool Member
Pool members are tbe actual application servers used to process client traffic, and are defined as
configuration objects on the BIG-IP system. The difference between a node and a pool member is that a
node is designated solely by the device's lP address (e.g. 172.16.20.1), while a pool member includes
both an lP address and a service port (e.g. 172.16.20.1 :80), as shown in Figure 3.
Note: The same IP:port combination can be defined in multiple load balancing pools, but each is
treated as a separate and distinct pool member within the BIG-IP system.
Pool
A pool is a logical set of pool members that are grouped together to receive and process a certain ty pe of
traflic. Instead of sending client traffic to the destination LP address specified in the client request, LTM
sends the request to any of the servers that are members of that pool. This helps to efficiently distribute
the traffic load on your server resources.
When you create a pool, you assign pool members to it. You then assign tbe poot to a virhlal server. LTM
directs traffic coming into the virhlal server to a member of its assigned pool .
With few exceptions, all the members of a given pool typicall y host the same content, as shown in Figure
4. A pool is assigned a load balancing method (or algorithm) at the time it is created. LTM uses the load
balanci ng method, along with other criteria, to detennine which pool member to direct network traffic to.
(See Distributing Traffic across Application Servers later in this chapter.)
Nn.1p I172.16.20.2
virtual server should be the same TCP or UDP port known to client programs. For example, traffic to F5
Network' s website is processed by a virtual server on a BIG-IP system. The host name
http://www.fS.com - resolves to an IP address (suppose it's 216.34.94.17) . The virtual server is
con fi gured wi th this IP address and port 80, the standard port for HTTP traffic.
Virtual servers also include many other properties that give it the intelligence it needs to process the
traffic that it receives. For example, the properties can tell the BIG-IP system which poo l to use, by
defau lt, to load balance requests to, as shown in Figure 5, or on which VLAN(s) to listen for traffic,
limiting or opening up access to the vi rtual server and its associated back end resources. Other properties
can tell the BIG-IP system to use different methods when process ing traffic on the client side connection
vs. on the server side connection. For example, a virtual server can be configured to use SSL when
communicating with the client but not when communicating with pool members, reducing the workload
for the servers.
Destination Destination
Client Virtual Server Client Pool Member
Pool Members
Client
Destination Destination
Client Virtual Server Client Pool Member
A gure 6- Tra ffic flow through thf1 B/G-IP system showing the address translation proce ss used on both reque st and
response packets
The separate connections allow many changes to be made to traffic as it flows through BIG-IP including
but not limited to unencrypting requests and even changing request content. It also allows you to maintain
compatibility to disparate server operating systems in the data center.
In full-proxy architecture, the BIG-lP system appears as a Tep peer to both the client and the server by
associating two independent Tep connections with the end-to-end session. Although certain client
information such as the source IP address or source Tep port may be re-used on the server-side of the
connection, the BIG-l? system manages two sessions independently, making itselftransparent to the
client and server, as show in Figure 7. The three-way Tep handshake occurs on the client side of the
connection before the BIG-1P LTM initiates the Tep handshake on the server side of the connection.
Depending on the connection type, BIG-IP may also wait for the client to send its first packet of
information before initiating the server-side connection.
For more information on how BIG-IP processes TCP connections between client and server,
please see SOLBOB2: Overview of TCP connection set-up for BIG-IP L TM virtual server types.
Client
o TCP
Handshake
(client/BIG-I P)
Request
(client to BIG-IP)
Response
(BIG-IPto client)
TCP
Handshake Request Response
(BIG-IP/server) (BIG-IPto server) (server to BIG-IP)
Servers
Lesson Objective
At the end of this lesson, you should be able to:
• Use the Configuration utility to create a new virtual server, pool, and pool members, and
Pool Configuration
You can use the Configuration utility or TMOS Shell (tmsh) to create a load balancing pool, or to modify
a pool and its members. When you create a pool, LTM automatically assigns a group of default settings to
that pool and its pool members. You can retain these settings or modify them (either during pool creation
or at a later time), as shown in Figure 8.
For a complete description of LTM pool configuration settings, please refer to the manual
entitled BIG-IP Local Traffic Manager: Concepts, available at AskF5.
C onfiguration: iBas\r: ..
-.. :
~Ul~s Rillourc ••
l
i L..CI~d E].~r~nong I\r'.eU'oai •
~ Pnl;Jnly GrtI!lp A::toration IO$8bile:o J::.
l
...."'... .1
_. PO". II Il f<m'
Ne.... Member:>
[MlJ
ON!-! Cache's R.l POC O !n1G20 1 IT:! ii2!) 1 1ft!
R 1 P DC(J 17 J 162Q..1 I1J 18 :1 0 280
•••
rn!J~
~-----------------1
After configuring a pool, you can assign it to one or more virtual servers.
For a complete description of both Basic and Advanced virtual server configuration settings,
please refer to the manual entitled BIG-IP Local Traffic Manager: Concepts available at AskF5.
- L.ooC<Jl Tumc )I
Genen.1 Properties
VlrtlJ'al S.rvllrt ' Vlru!... 1So rvlI! r lIu th·, In'Ii .. ' ,;;"'1 ... ·
Type Standard
!Rules.
Service PO ll LOI _ -,I I,,-HTTF'
S:::..
O vl
;.:...:.;._ _....
I h~ pool
~
Default Pool .j ...1
Figure 9: Configuring a standard host virtual Server at IP address:port 10.10.4.100:80 that is associated with default
poolllffpyool
http://www.mysite.com https:l/store.mysite.com
D~
Virtual SeIVer1 Virtual Server2
www.MySite.com store.MySite.com
216.34.94.17:80 216.34.94 17:443
htlp pool sst pool
Figure 10: Illustration of a basic web site and eCommerce configuralion with lraffic distributed by BIG·'P across
application servers
In this example, the two pools are sharing a node between them at 172.168.20.2. Requests for content
from www.mysite.comare load balanced between two pool members, 172.16.20.1:80 and 172.16.20.2:80.
E-commerce traffic is also load balanced between two pool members, 172.16.20.2:443 and
172.16.20.3:443.
This scenario eliminates a single point of failure for both sites without needing to add a fourth node. The
server at 172.16.20.2 may bave more capacity and better perfonmance compared to the other two servers
so that it can handle the apparent additional workload. However a lot depends on the load balancing
method used in each pool, as you'll see in the next section.
Lesson Objective
At the end of this lesson, you should be able to:
• Compare and contrast two of the BIG-IP system's load balancing - Round Robin and Ratio
• Configure a load balancing method for a pool
The table below summarizes just a handful of the different load balancing methods available on the BIG
IP system.
Note: In this class, we will focus on the Round Robin and Ratio methods. For a complete list of
BIG-IP load balancing methods, please see the Pools section of the manual entitled BIG-IP
Local Traffic Manager: Concepts and the chapter entitled Pools.
Round Robin
Round Robin is the default load balancing method on the BIG-IP system. In Round Robin mode, each
new connection is passed to the next available
o o
pool member in succession, eventually
distributing connections evenly across the
array of pool members being load balanced, as
shown in Figure 11.
Round Robin is a static load balancing
method. In other words, no dynamic run-time
information - except pool member status - is
used in the Round Robin algorithm to select
the next pool member to load balance to.
The Round Robin load balancing method r
works well in most configurations, especially
if the servers that you are load balancing
traffic to are roughly equal in processing speed
and memory, and the applications being served
have even loads per request.
pOOl
J----D
As with round robin, ratio is a static load balancing method, and distribution is based on user-specified
ratio weights tbat are typically proportional to the capacity of the servers. No dynarrUc run-time
infonnation factors into tbe load balancing decisions BIG-lP makes with the exception of pool member
status.
Later in tills course, we'll explore the effect of node and pool member status on how the BIG-lP system
makes load balancing decisions.
Lesson Objective
At the end of this lesson, you should be able to:
• Use BIG-JP's traffic statistics functionality to monitor and assess application traffic flow
• Use the BIG-IP system log as part of assessing overall application delivery and operational health
Overview of S
tatistics
An important part of successfully managing a network is having access to up-to-date information about
network performance. The BIG-IP system offers many different options for collecting, analyzing, and
viewing all sorts of network-related statistics, application statistics, performance statistics, transaction
statistics, connections statistics, throughput statistics, client-side and server-side latency, memory usage,
CPU usage, packet filter statistics, SNAT statistics, and much, much more.
In this course, we'll focus in on Module Statistics and, more specifically, Local Traffic statistics, a tool
that helps the BIG-IP administrator get a simple yet clear picture of traffic flow into and out oflocal
traffic objects such as virtual servers, pools, and nodes. Later on in this course, you'll use this same tool
to view SNAT statistics and persistence records.
Module Statistics
Module Statistics provide a tabular view of many different statistics. From the Main tab of the
The following table summarizes the statistics available in each tab on an LTM provisioned BIG-lP:
2~affi~!>IJ_~a_ry ___~()~I!!2~~~_c
_ _______N__etw rk________ ~~!1l0ry
__ o__
(Shows by default) Availability and utilization of.. Availability and utilization of. .. "Current allocations ..
tP Persistence records
• Fragments
Auto Refresh
On each statistics display, you can also tum Display Options
on the Auto Refresh function to ,
automatically refresh the data on the page at Statistics Type [ Status Summ ary .3
the specified interval rate, as shown in Figure
13. Statistics can also be refreshed manually
Data Format [ Nor~l lzed 21
by clicking the Refresh button.
Auto Refresh IIDisabled vi Eefres~
Note: Short refresh intervals may impact 1'0 seconds
system performance. Local Traffic Summary 20 seconds
) 30 seconds
ObJe~[ T'lPe li'rOt31 60 seconds
Search Virtual Servers 1 i '80 seconds
, 300 seconds
A search option is also available on some of
Pools 1
the statistics pages, and allows you to fdter
the results for specific objects, as shown in Nodes 3
Figure 14. You can search either on object
name or a partition/path name. The * can be Figore 13: Statistics can be manually or automa tically refreshed
used to create a wildcard search.
Some statistics entries include links. For StatistiCs T ypt" IV1~ual Servers vJ
example, in Figure 14, the vs_https link will
take you directly to the configuration for this
Data Format I NormalIzed .::II
virtual server. The View ... link in the Details
column expands the level of detail, providing
II Auto Refres~ Disabled -:J Reiresij
additional and more granular statistical data ~s_hlIps I~ Beset s earcij
for that object including profile statistics, and
" ~ii Status It· VoI1lJ.aI SeM'r Partrban ' Path Detalts
connection details.
I r0 CJ v< _ 1111PS Common VII"W
Data Format
Statistical data can be viewed unrormatted or normalized . Unformatted presents the actual data value,
including all decimal places. Normalized rounds data values to the nearest whole number. An unformatted
"Bits In" value might display as 3120936; normalized, the same data value will display as 3.1 M .
Ok"" Options
Reset displayed
statistics to zero
lin . Paden, Conn. I s .. ~ ..,..s....
... ...... .... .......
,- ' ..........
,-
~~~ I".ur.liooq
. '" ,
• te::1JID A ~
.....
.,~
""' ,..
. 'II<
• ....
lftJiC
''''
..
lO...
""" ""' j
",,
11· ~ .
" .,"
""'" "
•.
O/\O:Ii!t- C \ll~ , !_fit
....
c.cJO..c
'IV
.,... '
",
... Ss....... SU •
" ".,
1"-.. I)~ '11< u.
..
.-.:,w '- .!rI"JIf<laotJ"
~ C !)T'l' C'1ID.
"
The Traffic Summary page shows overall traffic rates in terms of bits, packets, and connections per
second and in total for both client side and server side traffic. It also shows packet discard stati stics which
can be useful to help identify packet drops, as shown in Figure 16. When administering the BIG-lP
system, it is important to understand the causes of packet drops. Not all packet drops are for the same
reason, and drops are not always indicative of an issue with the device; in some cases, packet drops may
be expected behavior. For example, the BIG-IP system may
intentionally drop packels in certain situations, such as when a Packet Discards
-
BIG-IP interface receives a frame containing an invalid VLAN Maint mode virtual server or
o
issue with the configuration or the BIG-IP system itself. For
Connection limit rea ched (virtual
example:
address)
o
• A BIG-IP interface will drop packets containing frame
Connection limit reached (\I1rtual
check sequence (FCS) errors. A high ratio of FCS errors 46
server)
may be a sign of a configuration issue. such as a duplex
mismatch. No clientside connection o
• When a packet arrives at the BIG-IP system with tbe No virtual server, NAT or SNAT
for request
38
destination IP address matching a virtual server, but
containing a non-matching service port, the packet is No available memory for
discarded. connection
o
• Packets may also be dropped if there is insuffocient
memory in which to process them or a connection limit Figure 16.· Sample packet discard
has been reached. statistics
Oispl<ty Option5
Sl:;!tistics Type
Data Format
Auto Refresh
The local traffic statistics pages contain a wealth of infonnation on local traffic objects such as virtual
servers, pools, nodes, and others, as shown in Figure 17. The Status Summary page provides a quick
view of all local traffic object types and their current status - available, unavailable, offline, or unknown.
Click on a number in the Total column to be taken directly to the list of those objects. For example, in
Figure 17, clicking on the number "2" in the Virtual Servers column takes you directly to the virtual
servers list at Local Traffic » Virtual Servers: Virtual Server List. Likewise, clicking on anyone of
the numbers in the Available, Unavailable, Offline, or Unknown columns will take you directly to a list of
those particular objects. For example, clicking on the "I" in the Available column for Pools takes you
directly to the one pool that is currently marked with a status of available.
You can filter the displayed statistics to a particular local traffic object type using the Statistics Type
pull-down. As shown in Figure 17, many different local traffic object statistics can be accessed this way.
mFigure 18, we've limited the statistics display to virtual servers only, and the resulting list can be
further filtered using the Search field, as described earlier in this chapter.
DisplOlY Options
1,0..
Co~.ctlon.
.,t.....:IrTlum
~-
R....Hb CPU UtiUndon AVII.
1~ 5'"
0
"""""
".... "" ~ Ctm:flt TtA'1l 5Sec, 1.
,...
(I 0 B3S 0 0%
0
-,os_hllp Cornman 3 !M 34 0M 411\ 5 7K
, " ir21
0%
""
~
IJ Wf_ttli:pt C"","""
""'" 11 4M 1 6K 33K
" 0 0"
'" 0%
Figure 18: Sample statistics data for virtual server local traffic objects
These traffic statistics provide useful information during problem diagnosis and can also shed light on
how the BIG-IP system is processing (and in many cases, modi tying) traffic behavior and how your
application systems are working. For additional details, click on the View ... link in the Details column to
expand statistics data for a specific object, as illustrated in Figure 19.
Di5pl ~ Options
•
IINmm""'" :;J
_ 1 ~b1!!d ... ~
0 0 0 0 a o
Syncookllt Dfiails
""'"'
""
Profil . s
S el~ct Proltie
~11!
0
SVN CooIae
Inltanc..
Si:Jft"n'aT"! SYtI CooIuE'
0 0
SYN Clc:h.
"'",," ~
• o
Software SVN Cooki.
o a -
Harctwv. SYN Cookl.
• _ _--J
Connections
o
"'o"
Es tab~ s he d
"'o "
&po.d o
,Q/:jandoned o
Miscellaneous
Gad C hec\...~ um D
S ~OlJ.Df Qm!.or rI
Re c eived SYN Coo ki e 0
Re LranSll1ltt1!d-Seg~ 0
General Propeltlel
","'"
~IUiOI'I/ Pa(t,
Conflluradon! B~
Oi.p1rt Option.
...J
l
SI35lICS-lype
();lUI FormM
The Configuration utility is often used to set up and view logging data, as it provides column-level sorting
functions and search fiJtering capabilities. From the Navigation pane, select System» Logs, then choose
one of the options shown above, or select Configuration:Options to configure Jogging options.
Note: Logs are covered in more detail in the Troubleshooting section of this class.
Chapter Resources
Objectives:
• Configure pools for virtual servers
• Configure virtual servers and associate them with a pool
• VerifY functionality
Estimated time for completion: 20 minutes
Lab Requirements:
• Administrative access to a BIG-IP LTM system
• IP and port addresses available for use on BIG-IP LTM that can be reached by the client systems
• Actual servers with appropriate routes to return traffic through each BlG-IP LTM system
Note: When asked to "refresh" a browser window throughout the labs in this course, we
recommend a hard refresh (a.k.a. hard reload). On most PC browsers, hold down Ctrl and
press F5. You can also change your browser preferences to avoid caching altogether, or refer to
the Wikipedia article, Bypass your cache, for instructions for various browsers.
Create a Pool
1. Create a Pool using the information in the following table.
Configuration section
Resources section :
2. Navigate to Local Traffic »Nodes and notice that tbe BIG-IP system automatically created three
new node entries as the result of you creating the three pool members in the previous step.
Resources section:
the address and port are configured correctly for this virtual server. It should be 10.1 O.x.l 00,
Does 10.1 0.x.1 00 appear in your workstation's ARP table? Open the Windows Run dialog
box. (Press the keyboard shortcut combination .. W" ~ - Windows icon key plus the letter
R.) Type cmd. exe to open the Windows command line interface. Type arp -a and examine
the results to see if you connected with the virtual server on Local Traffic Manager.
• Is traffic getting to the pool members?
lfno traffic is going TO the pool members, verify httpyool has been assigned to vs_http.
Verify that pool members have the correct IP address and port assigned.
If traffic goes TO a pool member but does not return, verify self IP and VLAN
Type: Host
Address: 10.1 0.X.1 00
Resources seclJon :
10. At the login prompt, enter the root user credentials you set up in the first lab.
I I. Back on your browser window connected to https:IIIO.IO.X.IOO, hard-refresh the page once
using CtrI+FS.
12. On your SSH window, view pool and virtual server statistics by entering the following commands
at the config# prompt:
tmsh show /ltm pool https-pool Imore
13. Compare the statistics shown via tmsh to those currently shown on the Configuration utility. The
tmsh statistics should show additional traffic statistics.
Verify the pool members have the correct lP address and port assigned.
If traffic goes TO a pool member but does not return, verify selflP and VLAN
You may stop here or continue with optional Lab 2.2: Packet Discard Lab
Objectives:
• Generate situations that can cause the BIG-IP system to drop packets and view the results in
Module Statistics
Estimated time for completion: 5 minutes
Even though this lab introduces specific configuration settings that have not been discussed yet, they
allow you to further explore general traffic statistics and to see how the BIG-JP system functions as a
default deny device.
Lab Requirements:
• Administrative access to a BIG-IP LTM system
• Existing virtual server vs_http at IO.1O.X.lOO:80
3. Open a new browser window and try to connect to virtual server vs_http at http://IO.IO.X.IOO.
Your request should fail as the virtual server is no longer able to receive traffic. What are the
symptoms, as seen from the application user's perspective?
4. Back on your BIG-IP system, navigate to Statistics» Module Statistics» Traflic Summary»
General, and refresh Traflic Summary statistics by clicking the Refresh button.
S. Scroll down to the Packet Discards section and view the statistics shown there. Were packets
discarded? What reason does the BIG-IP system indicate for the discards?
6. Clear the Traflic Summary: General statistics again by clicking the Clear Statistics button.
7. Try connecting to your other virtual server, vs_https, at https:IIIO.IO.X.IOO. Are you successful?
8. Enable virtual server vs_http again but set its connection limit to a maximum of 1. This will
require you to change the Configuration section view from Basic to Advanced.
9. On your browser session to http://IO.IO.X.IOO, hard refresh the page five to ten times (Ctrl+FS).
Did you connect to the virtual server? Were there any problems?
10. Back on your BIG-IP system, navigate to Statistics» Module Statistics» Traffic Summary»
General, and refresh Traffic Summary statistics by clicking the Refresh button.
11. Scroll down to the Packet Discards section and view the statistics shown there. Were packets
discarded? What reason(s) does the BIG-IP system indicate for these discards?
STOP
2-30 Ad mlntstertng
' BIG-IP vll
Chapter 3 - Using NATs and SNATs 3-1
172.16.20.1
O ?O (11) 1 100 80
Vinua l Server
(one-to-ma ny)
!~====~
..... -t;'Or. Destination: ~~ilic.1
172.16 .20180
172 16 20 2.S0 or
172 1520 .3'80
O
207.10.1.103 172.16.20.3 172.16.20.3
-.'
~ ....-.-......
Destination:
NAT (one-to-o ne)
Destination:
207.10.1.103 172.16.20.3
.... , _fO;;
Source:
__~~~__~~~1~7~2~.1:6~.2~0:/2:4~~17121·1C6J.21°11
·1
o
Source:
207.10.1.101:pOl1 1 SNAT
172.16.20.2
172.16.20.3
..... - t 5
Figure 1: Examples of address franslation objects on the BIG-IP system: virtual server, NA T, and SNA T
NAT Concepts
Lesson Objectives
At the end of this lesson, you should be able to:
• Describe what a NAT is and how it is sometimes used in the BlG-lP environment
Introduction to NATs
In some cases, you might want to allow a client on an external network to send a request directly to a
specific internal node, bypassing the normal B1G-1P LTM load balancing methods upon which server
selection is typically made. To connect directly to an internal node, a client would need to know that
node's lP address. However, since such addresses are typically private (i.e. non-publicly routable RFC
1918), some sort of translation mechanism is needed.
A NAT is a feature of BlG-IP Local Traffic Manager that provides a one-to-one mapping between two lP
addresses, such as between an internal, non-publicly roulable lP address and an external, publicly roulable
address, as shown in Figure 2, so that:
• When an external node sends traffic to the public lP address defined in the NA T, the BIG-IP
system automatically translates that destination address to the associated private lP address that
represents a specific node on the internal network.
• When an internal node initiates traffic to an external network, its private IP address is hidden
from the external network.
In other words, a NAT provides a routable address for sending packets directly to or from a node that has
a private class lP address. NA Ts can also be used to hide publicly roulable lP addresses for security
reasons.
When you create a NAT, you can map only lP address to another lP address (for example, private lP to
public lP), hence the term one-to-one mapping (see Figure 2.) l[you want to map more than one lP
address (e.g. multiple internal nodes) to a single lP address (e.g. a publicly routable IP), you would create
a SNA T instead, as we'll discuss later in this chapter.
O
207101 103 172.16.20.3 172.16.20.3
---· -· --.
Destinat·ion: liNiAiTi(oiniei-tioi-Oiniei)r~~~~;;
Destination:
207.10 .1.103 172.16.20.3
.•... - fS
Figure 2: A NA T can be used to provide a one-to-one, bi-direclionaf mapping between a private class IP address and
a pubt/cfy routable IP address
The BIG-IP system can apply a NAT to either an inbound or an outbound connection.
Note: NATs do not support port translation, and are not appropriate for protocols that embed IP
addresses in the packet, such as FTP, NT Domain, or CORBA IIOP.
Tip: When you use a NAT to provide access to an internal node, all ports on that internal node
are open. This can present a security risk that can be mitigated by using a SNAT instead.
EXTERNAL INTERNAL
Client
Node
NAT Origin
172.16.20.3
D -~ Address
207.10.1 .103
Ad dress
172.16.20.3
Destination: NAT
Destination:
207.10 .1.103 172.1 6.20 .3
tlH ffHl :- <. f.'i
FlgUlli 3: Inbound conn ection traffic flaw from an extarn al client 10 a publicfy-routabJe NA T on the BIG, IP system, .and
addrass lransla tion to the p nvafo class IP add(1jss of an in ternal node
As shown in Figure 3, a client on the external network needs to directly access a node on the internal
network (without load balancing involved). The node has a private class JP address of 172.16.20.3. You
can create a NAT with a public destination address of your choice (the NAT address; here we've used
207.10.1.103) and map it to the private class address 172.16.20.3 (the origin address). Whenever a client
on the external network initiates a connection to the NAT address - 207.10. I. I03 and any port - the BIG
IP system translates that NAT address to the origin address - 172.16.20.3 - and passes the packet along to
the internal node at that address for processing.
EXTERNAL INTERNAL
r
NAT
Address
207 .10.1.101
"Origin
Add ress
172.16.20.1
Node
172.16.20.1
Source: NAT
Source :
207.10. 1.10 1
tlH fHtI _ =- ,> f5
172. 16 .20.1
Figure 4: Ou~bou nd connection lrafflc now fro m ,m ;nternaf node to en axtema{ nOde through a NA T on the BIG-IP
system, and address trans/ation of the ongin address to the publicly routable NA T addross.
NAT Drawbacks
When you use a NAT to provide access to an internal node, all ports on that internal node are open. In
other words, the NAT will accept traffic for any service port so long as tbe destination lP address on the
packet matches the NAT address. To mitigate this security risk, many administrators opt to use a SNAT
instead, as you'll see later in this chapter.
Also, since it is a one-to-one mapping of lP addresses, in the case where many internal nodes with private
IP addresses need publicly routable addresses in order to connect to external networks, a separate NAT
would have to be configured for each internal node. This can create significant administrative overhead as
well as quickly use up already depleted publicly routable IPv4 addresses. Also, since NATs are bi
directional listeners, there is a potential security risk. In the outbound NAT example above, the desired
result was to provide internal nodes with tbe ability to initiate traffic to external nodes. However, an
external clients could also initiate traffic to the same NAT (via the NAT address), thereby giving them a
direct connection to an internal node on 0/1 service ports. Again, SNATs provide a far less risky option
with significantly less overhead.
Lastly, the BIG-IP system does not track NAT connections. Therefore, the public IP address that you
define in a NAT cannot be the same address as a virtual server address or a SNAT address.
As a result, NAT use in the BIG-IP environment is relatively uncommon.
SNAT Concepts
------------------------------------
Lesson Objectives
At the end of this lesson, you should be able to:
• Describe what a SNAT is and how it is commonly used in the BIG-lP environment
• Compare and contrast SNAT Auto Map and SNAT Pool, and identify use cases for each
Understanding SNATs
SNAT - source network address translation or secure network address translation (both are correct)
- is roughly equivalent to a form of NAT known as network address and port translation (NAPT) or Port
Address Translation (PAT). While a basic NAT is a one-to-one translation mapping - one source lP
address translated to a different source lP address - a SNAT typically provides a many-to-one address
translation mapping, as illustrated in Figure 5.
Source:
172. 16.20/:2!4_ t 1. 7.2.:S
.1:::l.•20• .•1
o
Source: 172.1S.20.2
207.10.1.101:port
SNAT
(many-to-ona)
172.16.20.3
Figure 5: SNAT can be used to translate multiple source IP addresses - such as Intemal private IP addresses - to a
different source address - such as to a pubficly routable address
There are many uses for SNAT in a BIG-lP network configuration. For example, SNAT can provide a
secure mechanism for translating internal, non-publicly-routable addresses into publicly routable
addresses. Unlike NAT, which requires a separate publicly-routable address for each internal host, SNAT
allows a single publicly-routable IP address to be used by many hosts on an internal, private network.
This translation method allows you to conserve addresses in the publicly-routable address space, with port
translation providing the necessary uniqueness. Also, unlike NAT, SNATs are secure in tbat tbey arc
unidirectional: they only listen for traffic sourced/rom a specified origin address, not destined to the
SNA T address.
SNAT's are commonly used in the BIG-lP environment to belp deal with routing complexities, and it is
this aspect of SNAT tbat we will explore throughout tbe remainder of this chapter.
reversing the original destination IP address translation, as shown in Figure 6. In fact, the success of this
whole transaction relies integrally on the translation reversal occWTing.
Destination Destination
Client Vlrrual Se<Ver Client Pool Member
10.10.1.30:2181 10.10.1 .100.80 10.10.1.30:2181 172 16.20 180
Client
10.10.1.30 Pool Member
o ..... - I~
172.16.20,1:80
DeSlination Destination
Clienl Virtuai Servor Client Pool Member
10.10.1.30:2181 10 10 1 100:80 10.10.1.30:2181 172.16,20 1:80
The server respoose to a client-initiated connection will be returned to the client through the BIG-IP
system in the following typical network configuration:
• The server nodes are on the same subnet as the BIG-IP system.
• The client nodes are on a different suboet from the server nodes.
• The BIG-IP system is the default gateway for the server subnet.
But what if the network configuration is atypical, such that the required return path through the BIG-IP
system is not used? What if the clients aod servers are on the same network? What if the default gateway
of the server node is not the BIG-IP system? Let 's take a look at these situations to see how a SNA T
might help. But first, a brief look at how a SNA T works.
2. [fthe client's IP address is defined in the origin address list, the BlG-lP system translates the
source IP address to a translation address defined in the SNAT. The translation address is an lP
addressed defmed on the BIG-lP device. The source port may also be translated.
3. The BIG-IP system then sends the client request to the pool member or other destination.
4. The response is returned to the BIG-IP system by virtue of the updated source IP address on the
request.
5. The BIG-lP system reverses the source address translation, restoring the original source IP
address, and sends the response to the client.
Destination Destination
10.10.1.30 10.10.1.100 10.10 .1 .30 172.16.20.1
10.10.1.30
D ~-
Figure 7: Without SNAT, routing issues can occur, for exampJe, If a node 's default gateway is not the 8IG-JP system
With a SNA T, both the destination lP address and the source LP address are changed : the destination by
the virtual server and tbe source by the SNA T, as illustrated in Figure 8. From tbe pool member' s
perspective, the request originated on the BIG-IP system and so the response will be returned there. Tben
the BlG-LP system can reverse the original inbound translation, cbanging both the source and destination
IP addresses using the virtual server and SNAT respectively.
Destination Destination
10.10.1.30 10.10.1.100 SNAT 172.16.20.1
SNAT
10.10.1.30
172.16.1.30
D ...-=-----'---~
Figure 9: If client and server oro on the same subnet, the response from the pool member does not route back
through the BIG·IP system and failures occur
SNAT causes the BIG-JP system to change the source IP in the message, and the server' s response will be
sent back via the 8IG·JP system, as shown in Figure 10.
SNAT
172.16.20.1
Figure 10: SNAT ensures the response is routed back through the BIG· IP system
Internal clients with private IPs need to share one outbound Internet connection
Here's another example of how a SNAT might be used in the BIG-I P e nvironment. Internal clients often
have private IP addresses that cannot be routed on the Internet (i.e. publicly-routable). Nor do companies
have limitless resources for connecting devices directly to the Internet. When an internal c lient initiates a
connection to an externa l host, a SNAT ensures that tbe LP add ress of the internal client remains hidden to
the externa l bost, and that the request is ro uted through a single, publicly-routable address, as illustrated
in Figure J1. The externa l bast can then use th is public address when sending the response.
A SNAT for an outgoi ng connection works in the following way:
1. BIG-LP receives a packet from an interna l server
2. B1G-IP checks to see if that source LP address is defined in a SNAT.lfit is, BIG-IP cbanges the
source LP address in the packet to the !Tanslation address in the SNAT.
3. BIG-IP sends the packet with the SNAT translated address to the destination external server node.
What are we
What
translating
addresses are
them to?
we translating?
172.16.20 .1
Translation Origin
Address Addresses
207.10.1.102 172.16.20.0/24
SNAT
o Source:
207.10.1.102:3155
Source:
172.16.20.3:3155
Figure 1,. SNAT can be used to affow mulliple internaf, pnvate clients to share a single publicly routable IP address
Note: Starting in BIG-IP 9.6.1 and 10.0.0, it is possible to control, on a per-virtual-server basis,
whether the system should preserve the client's source port. For more information, refer to
SOL 11003: Configuring source port preservation for virtual servers.
Socket pairs
Each SNAT address, like any IP address, has only 65,536 ports available. This is a limit ofthe TCP and
UDP protocols (not a limit ofSNAT), since each uses a 16-bit unsigned integer (2 16 = 65,536) to specify
the source and destination ports in their respective headers. However, each SNAT address can potentially
process more than 65,536 concurrent connections so long as each socket pair is unique. A socket pair
consists of the following elements:
• Source IP address
• Source port
• Destination IP address
• Destination port
A given SNA T address can keep using the same source port as long as tbe remote socket (destination
address:port) is unique, thus allowing the SNAT address to process more than 65,536 concurrent
connections. The table below shows how the same SNAT IP translation address and port combination
could be used by the BIG-IP system to connect with different remote socket combinations:
SNAT Translation Address:Port Destination Address:Port
172.16.1.33: 1234 172.16.20.1 :80
172.16.1.33: 1234 172.16.20.2:80
172.16.1.33:1234 172.16.20.1 :443
172.16.1.33:1234 172.16.20.2:443
Nole: The previous error messages are not specific to SNAT port exhaustion, and may be
logged whenever TMM detects port exhauslion for a traffic management object.
If you believe SNAT port exhaustion may be occurring, you can monitor the number of concurrent
connections going through the SNAT, as shown in Figure 12. In the Configuration utility, navigate
to Overview » Statistics » Local Traffic and for Statistics Type, select SNATs, SNAT Pools, or SNAT
Translations in the drop-down menu.
Display OpUons
Configuring SNATs
SNA Ts can be configured in many ways to address a variety of network configurations and routing issues
- more than just the three examples presented earlier. When you create a SNAT, you map an original LP
address to a translation address in one of several ways, depending on your needs.
Note: In this course, we will be limiting our discussion to the use of the SNAT Auto Map and
SNAT Pools on a virtual server. For more information on other types and uses of SNATs, please
take the Configuring BIG-IP Local Traffic Manager (L TM) course or see BIG-IP Local Traffic
Manager: Concepts (manual) or S0L7820: Overview of SNA T features .
10.10.1 .30
o Origin addresses?
Clients that connect
to the virtual server
Translated address?
IP address :port
on egress VLAN
Note: For techniques you can use to address this issue, see SOL4816: Using the X-Forwarded
For HTTP header to preserve the original client IP address for traffic translated by a SNA T.
Lesson Objectives
At the end of this lesson, you sho uld be able to:
• IdentifY which IP addresses will be used for SNAT Auto Map
• Configure a virtual server on the BIG-IP system to use SNA T Auto Map
• Describe the source address translation process used by the BIG-IP system when SNAT Auto
Map is configured
D 10 rD
Ceneral Properties
Name
Partition I Path Common
Oescriptlon [
Type Standard
Source I 0.0.0.010
iBaslc
Figure 14: Assigning Auto Map as the Source Address Translation method for a vlrtua! server
SNAT Pools
Lesson Objectives
At the end of this lesson, you should be able to:
• Configure a SNA T pool
• Describe the source address translation process used by the BIG-IP system when a SNAT pool is
configured
Note: If a translation address on the egress VLAN is not available, the BIG-IP system will select
another IP address from the list. This may result in traffic disruption. You should ensure that you
have sufficient IP addresses to handle the maximum number of concurrent connections
expected.
Create a new virtual server (or edit an existing virtual server) and, in the Configuration section, set
Source Address Translation to SNA T , and set SNAT Pool to the desired SNAT pool, as illustrated in
Figure 17.
100'no,at Properties
Name
Partition I Path Common
Descripllon
Source O.O.O.OJ!)
S8Mce Port
Configuration: leaslc
Chapter Resources
Objectives:
• Demonstrate the functionality ofa NAT on the BlG-IP system
• Estimated time for completion: 10 minutes
Lab Requirements:
• Administrative access to a BlG-1P LTM system
• At least one server on the VLAN iDternal (172 .16/16 network)
3. There should be no statistics yet for Nat_200_to_2 as you haven't initiated any traffic to the NAT
address or from the Origin Address yet. (All the values for Bits, Packets, and Connections should
be 0.)
4. Open a new browser window to http://10.10_X.200. Note the server you are connected to.
5. Back on the BIG-IP browser WiDdow where you are viewing NAT local traffic statistics, click the
Refresh button to refresh the information on the screen . Note the bits, packets, and connections
values for NAT_200_lo_2.
6. Open a browser window to https:/1l0. 1O.X-200. What server are you connected to?
7. Back on the BIG-IP system, refresh the NAT local traffic statistics by clicking the Refresh button
once. Did the statistics change and why?
8. Open a PuTTY session to lO.1 0.X.200. Log in with usemame student and password student.
9. Back on the BIG-LP system, refresh the NAT local traffic statistics by clicking the Refresh
button . Did the statistics change and why?
Expected results
You should be able to connect to multiple services (e.g. http, https, and ssh) through the one NAT, and
you should always connect to 172.16.20.2. Unlike a virtual server, a NAT li stens on all ports. Therefore,
statistics increase every time there is traffic through the NAT, no matter what port is requested.
While NAT_200_to_2 would also allow outbound connections from 172.16.20.2, our classroom
environment is not set up to be able to test this.
If you are unable to connect, as expected, check your NAT defmition to make certain your NAT Address
and Origin Address are specified correctly.
Clean-up
10. Delete NAT_200_to_2 and conftrrn that you are no longer able to directly access 172.16.20.2
through lO. lO.X .200.
Objectives:
• Demonstrate the functionality ofSNAT Auto Map and SNAT pool on a virtual server
• Estimated time for completion: 10 minutes
Lab Requirements:
• Administrative access to a BIG-IP LTM system
• Two available floating se lf IP addresses - one for each VLAN (internal and external)
• Two available IP addresses for the SNAT pool - one 00 each VLAN (internal and external)
FIgure 18: Click the link Source IP Address to view the source IP as lransfated and passed to the node
http://l0.l0.X.l00 https:lll0.l0.X.l00
Source IP Address 111 II? t ,. IP . .'3
Connected to Virtual Address Ar fr • ¥ . 4.t'" t? ,.• .(~~
Connected to Node Address _ _ _~H: . 'iz . .:z... .~
3. Have another student attempt to open a browser session to your virtual servers
(bttp:1I10.10.X.IOO and https:1I10.10.X.100), and you to theirs. Both attempts should fail due to
the route settings on the back end application servers (shown below):
Destination Gateway
10.10.1/24 172.16.1.33
10.10.2/24 172.16.2 .33
10.10.3/24 172.16.3.33
• •
• •
• •
Configure SNAT Auto Map and Test
Add SNAT Auto Map to the virtual server
4. Follow the instructions in the table below to add SNAT Auto Map to vs_ http
Configuration section
Configuration section
MySnalPool
IP Address: 10.10.X.150, then click Add
Member List
IP Address: 172.1B.X.150, then click Add
When oomplete. click . .. Finished
Change the virtual server to use a SNAT pool instead of SNAT Auto Map
8. Change the Source Address Translation method on vs_http from Auto Map to SNAT pool.
Configuration sectJon
Configuration section
Select 172.16.X.1S0 from the list, and then click the
Member List
Delete button that is to the i of the Edit button.
When complete. cllck... Update
14. Retest access to http://IO.IO.X.IOO. What does tbe application show your source IP address as
now? How is this possible') Can your partner still access http://JO.IO.x.IOO') Why or why not?
Clean up
15. Reset the Source Address Translation method on vs_http to Auto Map, and then delete
MySnatPool.
STOP
Chapter Objectives
After completing this chapter, you will be able to:
• Use the Traffic Management Shell (tmsh) to view and configure objects on the BIG-LP system
• Discuss how the BIG-IP system stores its configuration data
• Backup and restore BlG-LP configuration data
Lesson Objectives
At the end of this Jesson, you should be able to:
• Di scuss how to restrict access to the Traffic Management Shell (tmsh) and the Linux bash shell
(Advanced shell)
• Discuss tmsh hierarchy and how it applies when navigating within the shell
• Use command completion features and help functions to construct a tmsh command
• Create, modify and delete common BlG-lP configuration obj ects using trnsh
Note: Traffic Management Shell replaces bigpipe shell as the primary command-line interface
starting in version 11.0.0.
and the available options will vary depending on a User Nama admln
specific user's role. For example, the
New: ~ ••••••••••
Administrator and Resource Administrator roles Password
can be configured with any of the three options, as Confirm: ..........
Locked Oul
If you configure Advanced sheU access for a user
account, the user will land in the bash shell at the failed Logins o
config directory upon logging in (i.e. the command
line prompt will show config #). The Traffic Syst~m " Usors: Usor Ust 'i,'.J 11 ,,'I
Management Shell can then be accessed by typing
tmsh from within the bash shell, as shown in Figure
2. A£counlProperdes
I
If you configure tmsh tenninal access for a user User Name operal or1
Fig(1ff) J: User accounts with Imsh terminal access (such as admln after Lab 1 In this course) are placed dJrflctly in
Ihe Tmfl'ic Managemenl Shell(lmsh) upon Ioggmg inlo Ih e BIG-IP system's command Ime inlerface
Note: You must provision a BIG-IP product before you can use tmsh to fully configure it. For
example, you must provision the Global Traffic Manager (GTM) before you can execute tmsh
commands against that reference the gtm module (e.g . tmsh create gtm ... J
••••
vlan
• •• •
• •
• snat • •
•
•
•
Figure 4" The tmsh hierarchy is comprised of modules, sub-modulus, and compon ents
Using tmsh
If your user account has Advanced shell access defined, you can run tmsh commands in the following
ways:
• Issue a single tmsh command at the Linux bash shell prompt (e.g. config #). For example, to
display all the modules provisioned on the BIG-lP system:
Cun fl # tmsh list aye provision
• Open the Traffic Management Sbell first, by typing tmsh at the Lioux basb shell prompt (e.g.
config #). This starts tmsh in interactive shell mode and displays tbe shell's root prompt, similar
to this:
user@(bigipl) (cfg-sync Standalone) ((Common) (tmos)#
If your user account has tmsh terminal access defined, you will be automatically placed in tbe Traffic
Management Shell upon logging in to the BIG-lP terminal (e.g. with PuTTY).
In the example above, the root user is logged on in this session; the host name (or at least the first level
qualifier of a fully-qualified host name) of this BIG-IP is bigipl; the device is not configured as part of a
device group therefore there is no need for configuration synchronization (crg-sync Standalone); and,
tmsh is currently pointing to the /Common partition.
The prompt can also convey status infonnation, as in the example below:
root@(bigipl) (cfg-sync Changes Pending) (REBOOT REQUIRED) (/Common) (tmos)#
Here, the prompt infonns you that the device is part of a device group and that there are configuration
changes waiting to be synchronized between the devices in that group (crg-sync Changes Pending); and,
a reboot of the BIG-IP system is required in order for certain configuration changes that have been made
to take effect.
Tip: You can change the information that displays in the tmsh prompt, but the prompt always
includes your location in the hierarchy and ends with a pound sign (#).
[root@bigip4:Active:Standalone] config #
Figure 5: General techniques for navigating mto, within, and out of the Traffic Management Shell (tmsh)
Once in the Traffic Management Shell, you can navigate to modules, sub-modu les, general components,
or to a specific component. The following table provides exa mples of how the tmsh prompt changes as
you navigate through the hierarchy executing a series of tmsh commands.
Note: You can only navigate directly to a specific configuration object (e.g . pool, virtual server) if
that object already exists, and you must use the modify command with no options to get there
(e .g . modify 111m pool P1).
* ... only if user's Tenninal Access setting is Advanced shell, otherwise the session is terminated. Also, if
you entered the Traffic Management Shell from a Linux directory other than "con fig" (e .g. " var") you
will return to that same directory upon quitting tmsh.
Note: Your user role may impact the options that tmsh presents when using the command
completion feature. For more information, please consult the Traffic Management Shell (tmsh)
Reference Guide, available at AskF5.
For more infonnation about using wildcards, access the man page for eacb program using tbe following
tmsh commands:
(tmos)U help regex
(tmos)U help glob
... retums :
Components:
When you type a question mark in tbe middle of a command, tmsh returns belp on the portion of the
command to the left of tbe cursor. For example:
( tmos)# sho w Itm virtual?
... returns something like tbis (some output under "Options" bas been omitted):
Options:
all Apply the command to all c onfiguration objec t s
all-properties Display a l l properties for the spe cifi e d it e ms
default Units are determined base d on c urrent v a lues
Identifier:
[o bje c t identifierl Name of the virtual server
Properties:
"( n Optional delimiter
Pro files Specifies a list of profiles for the virtua l
server to use to direct and manage traffi c .
Man pages
tmsh includes man pages for each of its commands, modules, sub-modules, and components. You can
For example, to access the man page for configuring a pool: (tmos) # help /ltm pool
You can also search the man pages for infonnation on a specific tenn or topic. To do this, use the
For more information on tmsh man pages, please see the Traffic Management Shell (tmsh)
Reference Guide, available at AskF5.
! [string] Runs the last command that began with the specified
[string].
tmsh on DevCentral
DevCentral has an entire Hot Topics section devoted to tmsh, including:
• tmsb Wiki - Learn new ways to create corrunands and automate tasks via the CLI on your BIG
!P.
• tmsb Samples - Find sample tmsh scripts that perform various functions such as creating a test
report detailing all invalid or soon-to-expire certificates or displaying a list ofvirrual servers that
are currently marked as down.
Lesson Objectives
Atthe end of this lesson, you should be able to:
• Articulate the difference between the BIP-lP system's running configuration and stored
configuration
• Compare and contrast how using the Traffic Management Shell and the Configuration utility
impact the running and stored configurations
• Describe what happens when an administrator saves or loads configuration data using tmsh
LOGal Traffic ,. Virtu.1 Servers: Virtual Server List .. New VIrtual Server.
General Properties
I Name
Desclipllon [
Type [ Standard
Source
1
Type: Ii) Hos! ~ NelWork
Desllnation
.
Address: 10.10.1.100 J
Service Port L~~_ 1H..:...;TT":,,,;"------lo.Ofl
,",-,I PS
I~:::=~~
Cancel [[ Repeat II
Finished [I
fi les
Running Stored
Configuration Configuration
Figure 6: BIG-IP system configuration changes made using the GUf affect both the running configuration and the
stored configuration
(tmo s )~
create Iltm virtual vs_https destination 10.10.1.100:443 ...
(tmos)1 save Isys config
-~-~, ...-----
Entire configuration """--'"""
Config
flies
Running
Stored
Configuration
Configuration
(jH ~ :- <. f5
FigtJre 7: BJG-fP systartJ config uration changes made using tmsh affect just th f) ru nning c onfiguration A lmsh save
sys config command must be iss ued to update the stored configuration. All changes made via tmsh since tile last
save sy s config are saved to the stored configuration.
bigip_base.conf Stores the BIG-IP system network components such as self-IP addresses, traffic
group definitions, VLANs, interfaces, device trust certificates, etc.
bigip_gtm.conf Stores all uniquely GTM configuration elements such as data centers, servers and
their virtual servers, and wide IPs
.--- _ __ __ _-
bigip_user.conf
_.. .... .. .._... __
Stores
_..--. all.. __user roles
._----_ . ---
Note: In versions prior to BIG-IP 11.0.0, the BIG-IP configuration files, such as
the bigip.conf file and the bigip_base.conffile, reside only in the /config directory.
Beginning in BIG-IP 11.0.0, the BIG-IP configuration files may reside in multiple locations.
Configuration data for objects in the Common partition continue to exist in the BIG-IP
configuration files residing in the /config directory. Configuration data for objects in a partition
other than the Common partition exist in configuration files located in
the /config/partitions/<partition name>/ directory.
For example, if there is a self IP configured for the ExampleA partition, the self IP will be in
the/config/partitionslExampleAlbigip base.conf file.
load sys c;onfig • Rebuilds all local traffic objects using bigip .conf
o Rebuilds all network objects using bigip_base .conf
• Rebuilds all system user accounts using bigip_user.conf
• Updates system maintenance account settings using bigip_user.conf
• Retains the managementlP address
• Retains the BIG·IP license file
• Retains files in the /shared folder
• Retains manually modified bigdb variables
load sya config default • Removes all local traffic objects
• Removes all network objects
• Removes all system user accounts
• Resets passwords for system maintenance account to defaults
(rooVdefault and admin/admin)
• Retains the management IP address
• Retains the BIG·IP license file
• Retains files in the /shared folder
• Retains manually modified bigdb variables
Note: Only users with the Administrator or Resource Administrator role are authorized to
load configuration data with tmsh. Users assigned other roles receive an error message if they
attempt to run this tmsh command.
Warning : If multiple users are making changes to BIG·IP via tmsh, and one user runs the tmsh
save /sys config command, BIG·I P saves the changes made by al/ the users, not just the one
issuing the save command.
Note: Although we have not yet discussed the BIG-IP system's administrative partitions feature ,
there is significance with respect to the scope and impact of tmsh load/save sys config
commands . The significance is presented in this section for reference purposes, and becomes
relevant after you have completed reviewing administrative partitions later in this course.
In versions prior to BIG-LP 11.3.0, the tmsh save Isys config command saves the configuration in
the current ad ministrative partition only. Similarly, the tms h l oad Isys config command loads the
configuration in the current admini strative partition only. To save configuration data for all administrative
partitions, you used the tms h save Isys config partitions all command . Simi larl y, you used
the tmsh l oad Isys config part iti ons all command to load con fi guration in all administrative
partitions.
Beginning in BIG-IP 11.3.0, the tmsh save Isy s conf i g command now saves the configuration in all
administrative partitions. Similarly, the tmsh l oad I sys conf ig command now loads the
configuration in all administrative partitions.
The tmsh lsave/loa dl Isys config partitions all command remains unchanged and
continues to save/load the configuration in all administrative partitions.
Wh en using tmsh to perform a configuration save/load in a specific administrative partition, you can use
either the new current - part i tion optjon or the parti tions option.
Overview
Once you have created configuration data for the BlG-IP system, you can replicate almost all of this data
in a separate file to use:
• As an archive for disaster recovery - Using the archives feature, you can back up the current
configuration data, and if necessary, restore the data at a later time. We recommend that you use
this feature to mitigate the potential loss of BlG-LP system configuration data. An archive is also
referred to as a user configuration set (or UCS).
• As a way to propagate data to other systems - Using the single configuration file (or SCF)
feature, you can easily and quickly propagate the exact configuration of the BIG-IP system to
otner BIG-IP systems.
Note: SCF is just one of the tools that can be used to transfer a configuration from one BIG-IP
system to another. Enterprise Manager (EM) and/or ConfigSync (if the BIG-IP system is in a
high availability configuration) are olher options that will be discussed later in this class.
UCS configuration archives are primarily intended for complete configuration backup and restoration
only, as part of an overall strategy for securing your BIG-lP configuration data offsite in tbe event ofa
disaster, or to back out changes in the event of a failure. Unlike SCF archives, UCS archives contain
licensing information and device certificates and keys. Using a UCS archive to restore confIguration data
onto a BIG-lP system other than the device on which the UCS was created requires additional
considerations, as we'll see shortly.
role admin
shell tmsh
Itm default-nade-monitor
rule none
/Common/172.16.20.2,SO {
address 172.16.20.2
/Common/172.16.20.3,SO {
address 172.16.20.3
mask 255.255.255.255
traffic-group /Common/traffic-group-l
UCS Archives
Before you replace a version of the BIG-JP system with a newer version, apply a hot-fi x, or make
significant configuration changes, you should create an archive (backup copy) of c urrent configuration
data in the form of a user configuration set or UCS. Theu, if yo u need to recover that data later, you can
res to re the data from the archive.
UCS archives can be created and managed using either the Configuration utility or tmsh.
Note: Only users with either the Administrator or Resource Administrator user role can
manage archives (e.g. create, delete, upload, or download).
Saving archives
By default, the BIG-IP system stores all archives in the directory I var I l oea 1 lues . If using Lbe GUI
(System » Archives), this is the only location in which you can create a new archive. You can save a
UCS archive directl y to a different directory on the BIG-IP system using the command line (tmsh) but, if
you do, you will not be able to see the file in the list of archives on the G UI.
After you create an arc hive on the BIG-[P system, you can download a copy of it to the system from
which you are running the Configuration utility - preferably a secure remote system. Th is provides an
extra level of protection by p reserving the configuration data on a remote system. In the unlikely event
that you need to restore the data, and a BIG-IP system event prevents you from accessing the archive in
the BIG-IP system directory in which you saved the archive, you st.i ll have a backup copy of the data.
Important: If your configuration data includes SSL keys and certificates, be sure to store the
UCS archive file in a secure environment.
Restoring archives
If using tbe GUI to restore a UCS archive, the archive must be in the Ivar/loe al / ues directory
otberwise it will not appear in the archive list. If yo u previously downloaded an archive to a remote
system, you can upload it to the Iva r / l oea l / ues directory at System » Archives.
Best Practice: F5 recommends that you include the BIG-IP hos tname as part of the filename to
easily identify the file .
For more information on the data contained in the UCS archive , see SOL4422: Viewing and
modifying the files that are configured for inclusion in a UCS archive
Secure storage --
Figure 8: Encrypting a UCS at the time it is created; P rivate keys are also
excluded in this example
For more information on securing and managing UCS archives, see SOL 175: Transferring files
to or from an F5 system.
, Changes in BIG-IP 11 .x
Prior to BIG-IP version II , when a UCS file was installed on B1G-IP, the BIG -IP system restored the
configuration either partially or in full depending on the hOSlname of the unit that th e install wa s
occurnog 00.
If the hostname of the unit matched the hostname stored in the UCS archive, BIG -IP restored the full
configuration, including sel f-IP addresses and VLANs. If the hOSlname of the unit did not match the
hostname stored in the archive, BiG-lP restored only the shared confi guration (e.g. virtual servers, pools,
profiles).
Note: Beginning in BIG-IP version 11.0.0, BIG-IP always restores the full configuration when
installing a UCS configuration archive. This has certain impacts on the BIG-IP license. See
SOL4423: Overview of UCS archives for more details.
Chapter Resources
Manuat Chapter
BIG-IP TMOS: Concepts Archives
BIG-IP TMOS : Implementations WorkinQ with Sin~le Conf~g_uration Files
Objectives:
• Configure pools and virtual servers using tmsh and observe the changes that occur in the stored
configuration files as the result of these changes.
• Estimated time for completion : 30 minutes
Lab Requirements:
• Command-line access to BIG-lP
• Services to load balance, including SSH
172.16.20.2 22
172.16.20 .3 22
Note the "j" is required in front of the "sys" as you are currently in the "Itm" module and the
"save config" command is part of the "sys" module. Notice also that your prompt still reads:
(tmos .ltml # indicating you are in the LTM module within the TM shell.
21. Navigate to the bash shell (if not already there) and view the stored configuration again: more
/config/bigip.conf
22. Is vs_ssh listed? Why or why not?
29. Make an SCF archive of your current configuration by running the following:
(~S)# save /sys config file trainX_ffiod4.scf
30. View your current local traffic objects: (tmos) # list /ltm
Note that you can see all the virtual servers, pools, pool members, and nodes you've created so
far in class.
31. Restore your UCS archive from the very first lab in this course by running:
32. All of the localrraffic objects created after Lab 1 should now be gone (virtual servers, pools,
etc.). Look at the stored configuration in bigip.conf, and then the running configuration via the
Configuration utility (GUI) or via:
(tmoa )# list /ltm
33. Restore the configuration as it existed before the UCS restore, and view local traffic objects
again. Everything should be back to normal.
(tmos )# l o ad / sys ucs trainX mod4.ucs
cd /var/local/ucs
ls - 1
37. Notice that there are additional UCS archives in tbis directory, above and beyond those that you
have explicitly created to date. You should see train4_base.ucs (which you created in the first
lab) and train4_D1od4.ucs (whicb you created just a few moments ago). Notice also that there are
severa l UCS files called cs_backup.ucs, cs_backup.ucs.I, etc . When you issued the l oad / sys
uc s command in step 31 to restore tbe configuration from traioX_base.ucs, the BIG-LP system
first archived tbe ex isting running configuration as one of the cs_backup.ucs archives you see in
tbe Ivar/local/ucs directory. The date and time 00 the actual cs_ backup archive will be slightly
after you created the train4_mod4.ucs file in step 3D, just before you did the restore.
38. View the rotating archive configuration file: more cs_bac kup_ro t at e. c onf
STOP
(J
I . 9~/
?' «_ I'(,/W;)-{
r"i~ V"~) ~
r'F;:-A I)C- r
, I '
~:I ,( , ~ n (o.
j) ~/.:.... ~ chcct{
r4~/(
Chapter Objectives
After completing this chapter, you will be able to use healtb monitors and tbe network map to dete rmine
the avai lability of network resou rces.
Monitor Concepts
Lesson Objectives
At the end o f this lesson, yo u will be able to:
• Compare and cont rast health monitors and performance monito rs
• Descri be the types o f configuration objects a health monitor ca n be assigned to
• Describe how a mo nitor inherits configuration settings from its parent
Overview of Monitors
Monitors determi ne the availability and performance of network resources such as nodes (devices) and
poo l me mbers (services). If a monitored resource repeatedly fails or does not respond to a health monitor
tcst, or shows that its performance is degraded or its load is excessive, the BIG-lP syste m can mark that
resource as temporarily unavailabl e and redirect traffic to another resource.
Monitors gather information about your network and that information is ava ilab le fo r you to view and use
duri ng troubleshooting activities, or as input to system maintenance, performance management or
capacity planning processes.
Monitoring methods
BIG-lP ptovides three methods of monitoring:
Note: In this course, we will focus on some typical health monitors for nodes and pool members .
For information on other BIG-I P health and performance monitoring features, please see BIG-IP
Local Traffic manager: Monitors Reference or take our Configuring L TM course.
( Pool
)
all the pool members it contains may also be
Pool
marked offline.
Member
( Node
)
other monilOrs, the child pool members may
We will discuss resource status and status inheritance in more detail later in this chapter. For now, keep
this hierarchy in mind as you learn more about some commonly used BIG-lP monitors.
Types of Monitors
Pre-configured monitors are included as part of the BIG-lP system - - while other mon itors called
custom monitors are created by network administrators. Every monitor, whether pre-configured or
custom, is a certain type (or category) of monitor:
• Add ress check monitor
• Service check monitor
• Conte nt c heck monitor
• Application c heck monitor
• Perfo mlance check monitor
• Path check monitor
Some monitors types are more robust than others; some more granular in their ability to measure the
health andlor performance of the network. Each is designed to perform a very specific type of monitoring
function .
Note: In this class , we will focus on address check, service check, and content check health
monitor types .
172.16.20.2:80 172.16.20.1
. 172.16.20.2:443
172.16.20.2:22
. 172.16.20.2:21 172.16.20 .2
172.16.20.3
Figure 1: An address check monitor such as ICMP assigned to a node simply pings that node's IP address and. if a
response is received, marks the node as available.
When an address check moni tor is associated with a node, the availability of th e node can also affect the
availa bility of pool members that share that node's IP address. In other words, if an add ress check
monitor assigned to a node detec ts that the node is not responding properly, the node is marked offline. In
addition, all pool members attba t node will be marked ofOine (regardless of the success or fa ilure of any
monitors assigned directly to those pool members). To compound matters, when the node's address check
monitor detects that the node is back up again, it will mark the node as availabte - bu t the pool members
may still show as orOine. This is due to the fact that an address check monitor tests at the IP address level,
not at the port level.
..... - .
F,gure 2: Pool members can inhent status from {he parent nodes . If a node is marked offline by a
172.16.20.3
monitor, pool
members that share the same IP address will also be marked offline.
Note: An address check monitor on a node as a means to determine the status of an application
is ineffective, at best, providing a false sense of security unless accompanied by other monitor
tests. A node test may show the node is available, but all its pool members may be down ,
rendering the applications the node serves as unreachable.
Only the Gateway ICMP address check monitor can be assigned to a specific pool member or as the
default monitor for all pool members in a given pool. The other address check monitors can only be
assigned at the node level. Even though Gateway ICMP may be assigned to a pool member (IP address
and service port) it still only checks the IP address (essentially the node). However, in this case, if the
address check fails, only the one pool member is marked offline; the node's status does not change.
Likewise, when the IP address is finally reachable, the Gateway ICMP morutor marks the pool member as
available, even though the pool member's port was not actually tested.
• 172.16.20.3:80
. 172.16.20.3:443
• 172.16.20.3:22
172.16.20.3:21
..... . RST
172.16.20.3:443
Figure 3: Example of the rep Half Open service check monitor assigned to pool member 172.16.20.3:443
When associated with a pool member, the TCP Half Open monitor determines the availability of that
service. If the connection fails, the pool member is marked offline, and no additional requests are load
balanced to that pool member until the monitor detects that the pool member is once again available.
Service check monitors can be associated with a specific pool member or assigned as the default monitor
for a pool. If assigned at the pool level, the monitor normally applies to all the pool members in that pool.
(This behavior can be overridden by selecting Member Specific as opposed to Inberit from Pool as the
Health Monitors setting for a specific pool member in the pooL) If a service check monitor is assigned to
a specific pool member, only that member is monitored.
While a service check monitor may determine that a particular service is available, it does not determine
whether or not the service is working properly. For that, a more robust monitor such as a Content Check
Monitor is required.
• 172.16.20.3:80
. 172.16.20.3443
172.16.20.3:22
. 172.16.20.3:21
[r esponse]
Figure 4: A content check momtor, such as the HTTP monitor "'ustraled here, determines availabffily of a service and
that appropriate content is being served
BIG-lP includes several pre-configured monitors that can be used as templates for creating a custom
content check monitor. For example, the HTTP monitor can be used as the basis for creating a custom
monitor to check the status of a web application service. You might configure the custom monitor's send
string to send GET / index. html \r\n, and configure the receive string to look for a response that
definitively confirms that the index. html page was successfully served. When assigned to a pool
member, the monitor periodically establishes a connection with the pool member, sends the send string,
then compares the response to the receive string, closes the connection, and marks the pool member as
either available or offline, depending on the whether or not the test was successful.
Configuration: IBasic •
Interval 5 seconds
Timeout seconds
Figure 5" A monitor instance will ke ~p its associated resource marked available untfl the timeout value is reached.
Here, timeout is 16 seconds. Each successful monitor test result resets the timeout counter to O. Each upright tick
mark represents a 5 second interval. During the first interval, a successful response is received and the timeout
counter IS reset. During the next three intervals, no successful response ;s received. The resource is marked offline 1
second after the last test if no successful response has been receIVed.
On a simple address check monitor (such as icmp), having the B1G-1P system ping every lP address to
which the monitor is assigned every five seconds mayor may not represent a significant increase in traffic
within your network. However, setting up and tearing down a complete HTTP connection - including
sending a request and receiving a response - to every pool member an http-type monitor is assigned to
every five seconds is potentially significant.
There are no steadfast recommendations for setting interval (or timeout, for that matter), as applications
and networks vary greatly from one installation to the next. Instead, you should simply understand that
any B1G-1P health monitor instance creates additional network traffic. Care must be taken to balance the
need for monitors - and the important feedback they provide with respect to application health - with the
inevitable increase in traffic. A best practice when implementing monitors is to stress and volume test the
impact of various interval and timeout values on traffic, and choose the settings (and monitors) that
provide the most effective overall balance.
For example, you might set interval for a content check monitor, such as http, to 30 seconds, knowing that
the infonnation it provides is critical to assessing the availability ofa web application, but also knowing
that it creates significantly more network traffic than an address check monitor. If timeout is then set
accordingly to 91 seconds (3 x 30 + I), the potential exists for a "broken" web application on a pool
member to go undetected for 91 seconds before the BIG-JP system finally marks that pool member
oilline. If this is a business-critical web application, perhaps that's too long to wait, given that any
application users (clients) who are being load balanced to this pool member are no doubt seeing
unpredictable results (at best) on their end.
In the end, if you did decide to run this http monitor more frequently, you could take steps to ensure that
the monitor's Send String request produced as little response data as possible for the BIG-IP system to
detennine that appropriate content is being served. For example, you could have the monitor request a
page that was specifically designed for the monitor test, rather than a page that an application user might
request. While this does not preclude the possibility that an important user page is not bcing served
properly, it does provide an alternative, especially if that important user page has lots of content (e.g. jpgs,
gifs, html, etc.)
Con'figuring Monitors
Lesson Objective:
At the end of this lesson, you will be able to configure a custom monitor using the Configuration utility.
Monitor Templates
The BIG-lP system includes a set of pre-configured monitors for address, service, and content checks.
Some of these monitors can be used with no changes; all can be used as templates to create monitors with
settings that are customized for particular network or application needs. Once a custom monitor is
created, it can also be used as a template to create other custom monitors.
The tables below summarize some of the more commonly used monitors.
Creating Monitors
A few pre-configured monitors can be assigned to resources without modification, and can occasionally
be useful in their default form. For example, there is little to change in the ICMP or TCP Half Open
monitors except perhaps to their interval or timeout settings. If the default settings are satisfactory for
your monitoring requirements, they can be used as-is.
However, most pre-configured monitors are of little value without customization. The HTTP monitor's
default receive string is null ~ not very useful from a content check perspective as any response string
would be considered acceptable. As a result, most production environment BIG-IP monitors are
customized to meet your application services and network needs.
Some pre-configured monitors, such as the FTP monitor, cannot be assigned directly to a resource; they
can only be used as a template to create a custom monitor - log on credentials may be required; paths and
file names may need be specified, send and receive strings should be set to something other than a null
value; and timer intervals should be configured to work within the characteristics and constraints of your
network and application services, so that monitors don't become a burden on BIG-IP performance.
General Properties
I Name I my-http
..>
Loo-al nome Description
Profiles
I
Configuration: Basic
JRules
Interval I5 seconds
Traffic Class
Address Translation
r<~"'
11 J I I
ONS Expre ss Zones
Receive string
ONS Caches
Figure 6: Creating a cuslom monitor, in this case a new HTTP monitor type based on the FS-provided default monitor
called "hffp" (Parent Monilor)
Every five seconds, it will establish a connection to an assigned poo l member, send an HTTP GET
request for index. hIm! (the Send String), and upon receiving a response, will examine the response
contents to see if it includes the character string Server 11-31 (the Receive String). In this case, the
Receive String setting includes a regular expression -the " [1-3)" part - that permits a value of I , 2, or 3
at this location in tbe string.
The net effect is that if any pool member this monitor is checking has an index.html page that contains the
character string "Server I" or "Server 2" Or "Server 3" the pool member will be marked as available. If
the pool member'S index. html page does not contain one of these character strings, the monitor will mark
the pool member as offline.
For more information on using regular expressions in monitor receive strings, please see
SOLS917: Using regular expressions in a health monitor Receive String
Lesson Objective:
At the end of this lesson, you will be able to:
• Assign a node default or node specific monitor
• Assign a monitor to all members in a pool or to a specific pool member
Monitor Associations
Creating a custom monitor is an important process, but unless the monitor is assigned to a resource - a
node, a pool, or a pool member, for example - the monitor will not perform any tests. Monitor assigrunent
can be assigned at a group level (a pool, for example) or individually (node specific, for example).
Configuration: IBasic
Active Available
Common
Health Monitors gateway_icmp
https_443
icmp
real _server •
[QPdateJ
Figure 7: By default, there is no Default Monitor setting for nodes on the BIG-IP system
Configuration: IBasic
Active Available
Common
Hea~h Monitors gateway _icmp
https_443
real_server
snmp_dca
I Update I
Figure 8: Setting a Node Default Monitor, in this case, icmp
For cach node the default monitor(s) should apply to, select the node's configuration and ensure that
Health Monitors is set to Node Default, as shown at the top left of Figure 9. When a health monitor is
made active at the global level in this way, all local traffic nodes on LTM with their Health Monitor
setting configured to Node Default will be checked.
A node can be assigned monitors individually with the Node Specific setting, as shown at the top right of
Figure 9. Node specific monitors are used instead afthe Default Monitor, not in addition to the Default
Monitor.
Ifa node is configured with the Health Monitors setting of None, as shown at the bottom of Figure 9, no
monitor checking is performed for that node regardless of any node Default Monitor settings.
General Propertie.
Neme
_.
General Properties
Name
Partition I Path
172.16.20.1
172.16.20.1
Common
Addre SS'
Plllrtition I Path
Health Monitors
172.16.20.2
Common
II
Available (Enabled) - Notte address is evaHable
Co "figl..ll'il1fon
Selecl MOIlnor'S
gtltew8y-icmp
B httpl_443
icmp
I)enaral' Properties
N. "", 112.16.20.3
Address 112.16.20.1
CnertpUon
Unknown (Enabled) - Node addrlSs does not fll!lV e service cflecklng enabled
CUrr.nC Connections o
II) Enabled tAil tramc allowed)
.tao. I) Dlsabted (Only persistent or ac1i've connec1tons aHowed)
o Forced omlne (Only actiVe connections allowed)
------~
Configuration
IINone
Figure 9 ' Specifying different Health Monttors settings on nodas. Node 112.16.20.1 will be assigned th e Node Default
monitor. in this case, icmp (lop-left); Node 172. 16.20.2 has a Node Specific monitor, gateway-icmp (Iop~righl). This
overrides any node Defaull MQnitor setting; Node 172.16.20.3. has no Health Momtors (bottom). This also overndes
any node Default Monitor setting.
General Properties
Name
Application CDurse_Administering
DescripUon
I Update 11 Oelele I
Figure 10: All members in pool http""pool wilfbemonitored using the my_ http monifor, unless certain pool members
have Member Specific or None for their Health Monitors setting
When a defaul t heal th monito r is made ac tive at the pool level, all pool mem bers in the pool w ith their
Health Monitor setti ng con fi gured to Inherit From Pool will be checked by those moni tors.
A pool member can be assigned monitors individually with the Member Specific setting. Member
specific monitors are used inslead of the pool's default monitor, not in addi tion to the default monitor.
If a pool member is con fi gured with the Health Monitors setting of None, no moniior checking is
performed for thai p ool member regardless ofthe pool's default monitor settings .
Monitor Instances
When you associate a mo nitor wi th a reso urce such as a node, the BIG-JP system auto matically creates
an instance of that monitor for tbat node. A mo nitor associati o n thus creates an instance of a mo nitor fo r
each resource that you ass ign it to. Thi s means tbat you can bave multiple instances of tbe same monitor
running on your nodes and poo l members,
You can view the instances of a particular monitor by naviga tin g to the mon itor definitio n and then
c licking on the Instances tab, as shown in Figure JJ.
Figure 11: A monitor's Instan ces tab shows which resource s the monNor is currently associated with (checkingJ- In
this example, the icmp monitor is checking the health of three nodes via ping
and by the slate the object is set to. A BIG-lP Administrator can change an object's state using the
The table below shows the icons and their general meaning.
(Green
Object is enabled and available (able A
(Yellow
Object is enabled but currently
unavailable (e.g. connection limit
to receive traffic)
has been reached)
• •
circle) triangle)
Object is enabled but offline because The status of the object is unknown;
(Red a health monitor has marked the (Blue
it may not be monitored or the
diamond) object as unavailable (down). square) monitor has not timed out yet
Object is operational but its state has Object has been manually forced
(Black been manually set to disabled (Black offline
circle) diamond)
• Red diamond
Node is enabled but offline because an associated monitor has marked
the node down. User intervention is required.
•
Node status is unknown. Possible reasons include :
Blue square • No monitor associated with the node
• Monitor results not available yet
•
• Node is set to disabled although monitor has marked node as up.
Black circle Enable the node to resume normal operation.
• Node is set to disabled and is down.
•
Node is set to disabled and is offline either because a user disabled it or
a monitor has marked the node down . If a user disabled the node , you
Black diamond
may be able to enable it again to resume normal operation (depending
on why it was disabled to start with).
•• Yellow Iriangle
Red diamond'
No pool members are currently available but may become available
later with no user aclion required . Example : Con~ection limit reached
All pool members are unavailable and cannot accept Iraffic. User
intervention may be required.
Slatus of at least one pool member is unknown and no other pool
• Blue square
•
Pool member is unavailable. Possible reasons :
Red diamond • Parent node is down
• Monitor has marked pool member down
• Blue square
Pool member has no monitor associated wilh it, or no monitor resulls are
available yet.
•
pool member as up. Enable the pool member to resume normal
Slack circle operation.
• Pool member is set to disabled and is offline because parent node is
down.
•
• Pool member is sella disabled and is offline because a user disabled
it.
Black diamond
• Pool member is set to disabled and is offline because either the parent
node is down or a moni!or h~~~~~,:?_th ~!'?'?L~em~er ~_~~~.: __
•• Yellow triangle
Red diamond
Virtual server is enabled but currently unavailable . It may become
available later with no user action required . Example: Connection limit
reached
Virtual server is enabled but offline because an associated object has
••
marked the node down. User intervention is required .
Blue square Virtual server status is unknown but is still able to receive traffic.
Virtual server is operational but set to disabled . Enable the virtual server
Black circle
to resume normal operation.
The following table lists Configuration utility pages where you can check the statlJ s of vari ous objects:
The foll owing table shows the tmsh commands you can use to check the statlJs of vari ous obj ects:
Summary statistics t ms h show /l t m vir t ual <v irt ual server n a me>
Virtual server status t ms h show /ltm virtua l <vi rtual serv e r na me >
Member Properties
Address 172.16.20.2
Servl,. Port 80
Per1itlon I Path Common
Otscrtp110n
Health Monitors
Member Properties
Address 172.16.20.2
SIN\c:e Port 80
Partition I Path Common
Oesct1pllon
Figure 13: BIG-IP correlates the avera/} status of a resource with the status produced by each health monitor
assigned to the resource, as shown in the se two examples.
At the top of Figure 13, pool member 172.16.20.2:80 is being checked by two http-type health monitors:
mLhttp and mLbad_http. More importantly, mLbad_http's health check has failed, as indicated by
the red diamond to the left of its entry in the Health Monitors area. In this particular case, the monitors are
configured such that all checks need to be successful if the pool member is to be marked as available.
Since one has failed, the pool member has been marked amine, as indicated by the red diamond in the
Availability area.
At the bottom of Figure 13, we've changed the way the monitors are configured such that just one
successful monitor check is required for pool member 172.16.20.2 in order for it to be marked as
available. In this case, even though my-bad_http has failed, my-http is returning a successful result.
Therefore, the pool member has been marked as available for traffic processing, as indicated by the green
circle in the Availability area.
Note: Monitor availability requirements are configured under the Configuration:Advanced view,
and these settings are discussed in more detail in the Configuring L TM course.
Lesson Objectives:
At the end of this Jesson, you will be able to use the Network Map feature to assess the status of virtual
servers, pools, pool members, and nodes.
.-
~.
otItKI TJtlI T~ ~
, • ,0
Vh111~ Servers (I
0
• ,
Pool Members 9
, • 0
0 3
""'""
iRul 8:fi 0
0
"
Figure 14: Example of a local traffic summary dispJay on the ne/work map page
• ""-"110.... ""_1'1.....
• mr_'1IJUOOI
• 117.11.2C.1!80
• H:!,HUO.l::flO
•
...
",_ftGQ
•
•
....."...
H2..tft.20.1;SO
1'11..1!UO.2;aO
-
.'
CI .........nttPI
.
.
............
1n.1G.2(].1:U3
112.tI.2fI.2=44.]
.--
• 1n.li!UO.l~IfIC • 1n.16.2'0..3:10 • U2.1e.2Q,~
a ft _llIltp7
•
. '"1.. .. . ,. .
l11J _otfte.r.wel'-'l!tp_~.t
• 112. HI,21], UU
~ IIIlfD...JJDOl2
g H.2.10'2'0 1.aO
• "-sst.
• t7l.1f.2ll.1:21
Q 112.HI.2tI.HO • 1T2.1I.2(1.2:22
• ,n.1UD.:lID . ,n.11!.2IU92
Figure 15: Example of a local traffic network disp lay an the nelwork map page
When you position the cursor over an object on the map, the system presents hover text containing
additional information about the object, such as the parent node on a pool member, and destination
address on a virtual server.
When you position the cursor over the status icon that accompanies an object, the system presents hover
text containing additional information about the object's status.
.
• 172.1B-2Q,2:8Q
•
. l n l fa.20 .J:80
..,..............
""_Qtt.r.w!tII_lIIltp_.... rtullll
.
•
,n. 1ft....1O .1::11O
1T2.16-20.:2:8Q
. o 172.1..,'"",'
,_,,_,Up>
"...........
•
•
, n.l6.:ztLl~44'J
172..16..2C1..2:44:l
1 0 11>.11,20.':2'
Figure 16: Using the filtering mechanisms - s ra/us, Type, and Search - to limit the displayed results
Search strings can refer to object names, IP address, and IP address:port combinations (in both IPv4 and
IPv6 formats). The string is processed with implied wildcard characters (asterisks - *) surrounding the
string. For example, a search on the string 10 is the same as entering the search string as *10*. You can
specifically include wildcards in the search string. For example, a search string 10.* will only highlight
objects whose IP address first octet is 10.
Tip: Browsers have limits as to how much data they can render before they become sluggish
and halt processing. Mapping large configurations might approach these limits, or memory
constraints might prevent the system from producing a network map of the whole configuration.
If this occurs, the system posts an alert indicating that you can use the Network Map to
determine the complexity of the configuration which, in turn, can give you an indication of the
size of the resulting map. You can then modify the search criteria to return fewer results,
producing a map that does not encounter those limits.
Chapter Resources
Objectives:
• A ssign health monitors to nodes and pool members
• Create a custom monitor
• Estimated time for completion: 15 minutes
Lab Requirements:
• Access to a BIG-LP provisioned with LTM with at least one pool with two working members
• Some knowledge of the tratlic sent by the members
Configuration section
Select icmp
Health Monitors
Press « button
When complete, click... I Update then click the Node List tab in menu bar
Note: Each time the Node List tab is clicked, the screen will refresh.
£
(-Iv <"I.~ 'J V
3. Recheck node status indicators. What are the nodes' statuses? Was the change imroediate'V , /~
At this point, each node is being tested with the default icmp "ping" monitor. Remember this monitor
only checks the status of the parent node, not the various child pool members that you now have
configured at ports 80, 443 and 22.
6. Add my-http as the default monitor for all pool members in httpyool
Configuration section
Select my_http
Health Monitors
Press « button
When complete, cUck... Update then click the Members tab in menu bar
7. Recheck pool member status indicators. (Each time you click the Members tab, the status will be
updated.) What are the pool member~' statuses? Was the change immediate?
' / I 2 ~ Lt I";
Customize the monitor and check status again
8. Customize the my_http monitor by adding a specific Send String and Receive String relevant to
our application .
Configuration section
Update
9. Check the pool members' statuses again. (Each time you click the Members tab, the status will be
updated.) What are they now? Why? Was the change immediate?
[0. What is the status ofpoo] httpyool? [s this what you expected? Why or why not?
[1. What is the status of virtual server vs_http? [s this what you expected? Why or why not?
Note: The string "[1-3]" in the Receive String below is a regular expression that implies "match
any single character in the range 1 to 3"
Configuration section
13. What are the pool members' statuses now? Why? Was the change immediate?
STOP
Introducing Profiles
Lesson Objectives
At the end of this lesson, yo u will be ab le to describe what profi les are and how they are used on tbe BIG
IP system to affect traffic behavior.
Client Server
virtual server
-
Tra ffic behavior
cookie persistence
-
one connect
En Unencrypted
optimilsd caching
wan optimized
Uncompressed
-
Com com ression
http
WAN 0 m ized
-
tcp-lan LA N
Figure 1.- Profiles affect the behavior of traffic as if flows through the BIG-IP system, and are used for many reasons
includmg offloa.(ling work from back-end servers, connect;ng disparate networks, and allowing for optimum tuning of
traffic flow over different types of connectiotis.
For example, if you want to encrypt traffic on the client-side connection but have the server-side
connection's traffic unencrypted, you can assign a Client SSL profile to the virtual servers that process
that traffic. [fyou want to compress data between the client and BIG-IP but not between BIG-IP and the
back end servers, as illustrated in Figure I, assign an HTTP compression profile to the virtual servers
where that behavior is desired.
Lesson Objectives:
Upon completion of this lesson, you will be able to:
• Articulate some of the benefits ofusing client SSL termination
• Configure a client SSL profile and assign it to a virtual server
DOD
SSL Acceleration
Server performance can be severely affected by the process of encrypting and decrypting SSL traffic.
Tests show packet processing times increase by a factor of 20-30 when SSL encryption is used. Installing
an SSL accelerator card can help servers that are processing SSL traffic. Such cards use hardware instead
of software to encrypt and decrypt traffic, resulting in throughput times that are comparable to non
encrypted traffic. However, SSL accelerator cards are expensive, especially when they must be replicated
through dozens, hundreds, or cven thousands of servers.
Each BIG-IP system is built with one or more SSL accelerator cards or chips, and is licensed to provide a
maximum number of client-side SSL transactions per second (TPS). Specific Iirnits are determined by the
license on the BIG-IP system. These independent processors allow the BIG-IP system to perform both the
SSL key exchange and bulk crypto work via hardware components rather than software components.
F5 recommends that you monitor traffic volumes in order to allow the license lirnit to be proactively
managed. You can configure BIG-IP to send an email message to a specified address or to send SNMP
traps whenever a message is logged as a result ofthe SSL TPS limit being reached.
For information about SSL TPS log messages and notification options, refer to S0L7747: Error
message: 'SSL transaction (TPS) rate limit reached' or 'no SSL TPS or run out'
For more information on installing SSL certificates for local traffic, please see BIG-IP Local
Traffic Manager: Concepts and BIG-IP Local Traffic Manager: Implementations
For more information on configuring a Client SSL profile, please see BIG-IP Local Traffic
Manager: Concepts
Lesson Objectives:
During this lesson, you will learn how individual profiles deal with specific traffic types, and must
sometimes be assigned along with other profiles in order to affect traffic behavior.
I
Once you've configured a profile, you can associate it
and other profiles with one or more virtual servers.
For example, you can associate a TCP profile, a
cookie persistence profile, and an HTTP profile with
the same virtual server. The virtual server tben Custom
processes traffic according to the behaviors specified Profiles
in the assigned profiles' settings.
A profile can be assigned to a virtual server at the
time tbe virtual server is created, or can be added to a
virtual server later on. It is not unusual for multiple Figure 4: Illustration of profile parent-<:hild relationship
Profile Types
Profiles are grouped to make configuration clearer. Typically, a virtual server will have only one profile
of any given type assigned to it. Some profile groupings are shown in the next tabl e.
Profile Types
Protocol Profiles
Usage Profiles Types
Control timeouts and connection management. All Fast L4 TCP
virtual servers must have at least one protocol Fast HTTP UDP
profile assigned to them . LTM assigns a default HTTPClass SCTP
depending on the virtual server's protocol setting .
Application-Layer Profiles
Usage Profiles Types
Intelligently control application layer traffic HTIP RTSP
including inserting headers into HTTP requests HTIP Compression Diameter
and compressing HTTP server responses. FTP RADIUS
DNS XMP
SIP
Session Persistence Profiles
Usage Profiles Types
Ensures client connections are directed to the Cookie SIP
same pool member throughout the life of a Destination address affinity Source address
session or during subsequent connections. Hash SSL
RDP Universal
SSL Profiles
Usage Profiles Types
Intelligently control SSL traffic: authenticate clients SSL connection termination and initiation
and servers; offload SSL cert verification tasks Client and server authentica tion
Remote Server Authentication Profiles
Usage Profiles Types
Authenlicate client traffic separately from LDAP SSLOCSP
underlying authentication technology (PAM RADIUS CRLDP
support) TACACS+ Kerberos
SSULDAP XMP
Analytlcs Profiles
Usage Profiles Types
Application statistics data collection Analytics
Other Pro Illes
Usage Profiles Types
Specific traffic behavior management. OneConnect Stream
NTLM Request Logging
Statistics
Profile Dependencies
Profiles can both complement and contradict each other. More
specifically, some profiles are dependent upon others, and some .. Coo1<1e Persistence I
combinations of profiles are not allowed. As a general rule: ~
,
..
J
• Profiles of a given layer of the OSI model are often '"
1:
dependent upon profiles that work at lower layers. (/) IHTlP FTP
fti
• Profiles at the same OS! layer are mutually exclusive on a :::J
~
u_ ,
L ~. J<lI
single virtual server, meaning they cannot co-exist. :>
• All virtual servers have a Layer 4 profile assigned (for "TCP X.UDP I
TrOinsport
example TCP) J
Lesson Objectives:
At the end of this lesson, you will be able to:
• Create a custom profile and assign it to a vi rtual server
• Articulate how a custom profile inherits changes from its parent profile
Name
The profile creation screen contains a check box to the right of each customizable profile setting, as
shown 00 the right in Figure 7. When you check a custom box for a setting in tbe child profile, that
setting is now considered customized. More importantly, the setting's value in the cbild is retained even if
the corresponding setting value in the parent is subsequently changed. Thus, checking tbe custom box for
a setting io the child ensures that the parent profile never overwrites that setting's value in the child
through inheritance.
For example, in Figure 7, client SSL profile Pr_Client_SSL is a child of parent profile clientssl, one of
the default profiles on the BIG-IP system. The only custom setting in Pr_Client_SSL is its Certificate
value. If the Certificate value in clientssl (the parent) ever changes (not that it is likely to), the Certificate
value in Pr_Client_SSL (the child) remains unchanged. However, if the Proxy SSL value in clientssl ever
changed to a defaul t of enabled (checked), the Proxy SSL value in Pr_Client_SSL will also change to
enabled (checked) as the result of inheritance .
.....
"..-on I,. ...
-
- _--",,I
I...'m...._ _...
--
~
-,
-
FIgure 7: A ch,1d With a custom configuroflon serting will not inherit any upda fes to that setting from its paron!
Note: If you check the Custom box at the top of the Settings area when creating a new profile,
all profile settings within the child become customized, even if no values are actually changed
from their initial inherited settings. Any changes made subsequently in the parent profile will not
be inherited by the child.
Deleting profiles
A custom profile that is parent to one or more child profiles may not be deleted unless the child profiles
are deleted first.
Note: Default profiles may never be deleted , even if they have no children.
Configuration: Basic
Protocol
HTTPPro1lle None ..
FTP Profile
RTSP Profile
Selected Available
JCommon
El clientss\
SSl Profile (CHent)
[ El
clientssl-insecure-c(
wom-default-clients!
Selected Available
/Common
SSL Profile (Server)
[ El
EI
apm-default-servers!
serversst
serverss~insecure-c
wom-default-servers
J
...J - ~ - -
VlAN and TUM_I Traftic
Figure 8. Profile settings are generally found in the Configuration section of a virtual server's defmition on the GUt
You may need to scroll down or expand the Configuration setTing from Basic to Advanced in order to
find tbe appropriate profile setting option.
Content Rewrite (new in vi 1.4) and Acceleration profiles have their own sections towards the bottom of
the virtual server's page. Persistence profiles are applied on the Resources tab of the virtual server's
page.
ChapterReso~r___
ces _________________________
Solution Solution Title
Number
SOL 14488
Working with profiles
SOL4707
Choosing appropriate profiles for HTTP traffic
SOL7559
Overview of the TCP profile
SOL 14783
Overview of the Client SSL profile (11.x)
SOL 14806
Overview of the Server SSl profile (11.x)
SOL 13171
Conf.iguring the cipher strength for SSL profiles (11.x)
SOL 13136
SSL ciphers used in the default SSL profiles (11.x)
SOL 13163
SSL ciphers supported on BIG-IP platforms (11.x)
SOL 13213
SSL ciphers that are fully hardware accelerated on BIG-IP platforms (11.x)
SOL 13349
Verifying SSL certificate and key pairs from the command line (11.x)
SOL 13579
Generating new default certificate and_.key pairs for BIG-IP SSL ~o!!les
Objectives:
• Create a Client SSL profile, assign the profile to a virtual server, and observe the change in traffic
behavior between the BlG-LP system and the pool member.
• Estimated time for completion: 5 minutes
Lab Requirements:
• Existi ng pool bttpjlool (pool mem bers port 80) and pool httpsjlool (pool mem bers port 443)
Finished
Resources section:
7. Test the results of this change by refreshing (Ctrl+FS) the page at https:1Il0.10.x.lOl. Your
connection should fail with an SSL connection error or similar. (If a failure does not occur, you
may need to restart your browser, or test from a different browser.) The connection from your
client to the BIG-[P is encrypted, and the connection from BlG-LP to the back end server is also
encrypted. But because of the default pool change, we're load balancing to a pool member at port.
80 (http) instead of port 443 (https). You'll "fix" this in the next steps.
Configuration section
STOP
Lesson Objectives
During this lesson, you will learn how the BIG-IP system uses persistence to direct client connections to
the same server multiple times, rather than being load balanced.
~Q mysite com ~Q
= (cart 12 3)
shop.mYSlte.com
(cart:o 123)
(home page)
shop.mysite.com
mysile.com/aboul.html cart = 123
• =
add2cart camera
• (about page)
shop.mysile.com
mysile.com/brochure.pd(
• cart = 123
add2cart=CO!Tlluler
(brochure document)
Figure 1: Example of a stateless interaction between a Figure 2: Example of a slatefu/ interaction between a user
user and a web application and an e-commerce web application
In its original design, HTTP supported a stateless request-response model for transferring a document
(think web page) from a server to a client. In HTTP 1.0, the request-to-connection ratio was I: I (one
request-response pair per connection). In HTTP vl.l, the ratio was expanded to N: 1 (think keep-alives) to
address the growing complexity of web pages that now required many objects and elements be transferred
from server to client for each request (think html,jpgs, gifs, video, audio, css, scripts). Still, the
underlying HTTP protocol was stateless.
Sessions
Although not used exclusively by the HTTP protocol, sessions provide a way for a web application to
maintain state across multiple user interactions. When a user connects to a server for the first time, a
corresponding session is created in the server's memory and associated with the connection. Application
developers can use tbat session area as a place to store application-state data such as a customer !D,
shopping cart number, or even page display options.
There are some inherent prOblems with using session data alone to manage application state information.
The session can become disassociated from the connection, if the connection times out (i.e. is idle for too
long). And, the timeout for a connection is typically much shorter than the timeout for a session (often
seconds for a connection vs. minutes for a session). This can result in the session remaining in memory on
the server even after its associated connection has been tenninated due to inactivity. In can also waste
server resources and, more importantly, break the application if not combined with some other state
management mechanism, such as cookies.
Cookies
Cookies are bits of data stored on the client by the browser, and shared between the client's browser and
the web application server via two cookie-related HTTP headers: Set-Cookie and Cookie. Defined in
RFC2965: HTTPSlale Management Mechanism (and by its very name), cookies provide a mechanism for
maintaining and managing state in an HTTP application. The application typically sets the cookie value
using Set-Cookie; the browser shares unexpired cookies back with the application using Cookie; and the
cookies are passed back and forth between browser and application using HTTP.
The browser automatically knows to store a cookie shared by a web application in a file on the client, and
keeps track of these cookies on a per domain basis. Of course, this assumes the user has configured
hislber browser settings to accept cookies.
Many browsers allow you to view cookies stored by your browser, as shown in Figure 3.
Figure 3: Sample cookie data from tin Amazon session, as shown via the Chrome browser's Inspect Element option
Unexpired cookies for a given domain are always passed to the server by the browser in the Cookie HTTP
header. The application on the server can then retrieve the cookies' values simply by asking for them.
Many modem web applications use a session's identifier and pass it along as a cookie, enabling the
application to find the session data on the server, even after the connection from which the session was
created is closed or times out. Through this exchange of session ill between browser and application,
state is maintained.
Persistence Concepts
BIG-IP's persistence fealure tracks and slores
persistence data, such as the specific pool member that
previously serviced a client connection, ensuring that
multiple client connections are directed to the same
pool member throughout the life of the persistence
record.
If an application is stateless, there is no need for
persistence. Client connections can be load balanced to
any pool member at any time. And not all stateful web
applications require persistence. There are other state
management mechanisms an application can use Figure 4,· Persistence can be used to direct
besides session data, including cookies, passed multiple clien t connections to the same pool
parameters (GETfPOST data), and databases. member, in support of a stateful web application
But if persistence is needed to support state management for an application, then the virtual server for that
application can be configured with a persistence proHle. The persistence profile instructs the BlG-IP
system to treat client connections differently. Persistence can ensure that a series of stateful interactions
between client and application are directed to the same pool member, as illustrated in Figure 4.
Persistence types
Persistence is a property of a virtual server, and is configured by assigning a persistence proHle to the
virtual server, thus modifying the normal behavior of traffic through that virtual server. Many persistence
types are available on the BIG-IP system, and are distinguished by the way they identify a returning client
connection. In this course, we'll examine two commonly used persistence types:
Persistence Type Description
Source address Directs connections to the same pool member based solely on the source IP
affinity persistence address of a connection.
Cookie perSistence Uses a special BIG-IP cookie shared with the client's browser to allow the client
to reconnect to the same pool member used previously.
You can configure certain types of virtual servers to have a persistence profile. (The default is no
persistence.) When a persistence profile is assigned to a virtual server, the BIG-JP system examines each
connection to that virtual server to determine whether or not persistence should apply. In the case of
source address affinity persistence, the BIG-JP system maintains internal persistence records that
indicate the source IP address - or range of addresses - for which persistence applies, as well as
information about the pool member to persist to. In the case of cookie persistence, if a persistence cookie
is passed in the HTTP request, then persistence applies.
In general, if persistence is found to apply, the connection is directed to the specified pool member. If
persistence does not apply (i.e. the persistence record or persistence cookie has expired), the connection is
load balanced according to the associated pool's load balancing method, and new persistence criteria is
established (e.g. a new persistence record or a persistence cookie on the outbound response).
https_pool
172.16.20.1 :443
Source Address Affinity
Mask 255.255.0.0
Timeout 180 seconds
172.16.20.2:443
~
172.16.20.3:443
.:.
172.16.20.4:443
.:.
Figure 5: Persistence records cause client connections to be directed to the same pool member, in essence,
changing the normal behavior of the load balancing method.
Ifno persistence record matches, the connection is load balanced to ao ava il able pool member, and the
BIG-IP system creates a new persistence record.
A persistence record includes:
• Persistence value - IP address or range of addresses to which persistence applies;
• Persistence mode - Indicates the type of persistence (in this case, source address affinity)
• Virtual server - which virtual server the persistence record applies to (by name); click on the
entry to view the virtual server's configuration;
• Pool - the name of the pool containing the pool member connections will persist to; click on the
entry to view the pool's configuration;
• Pool Member - the IP address and port of the specific pool member connections that match this
record will be directed to; click on the pool member to view its configuration; and,
• Age - How long Ihe persistence record has existed. Age increases from 0 up to the timeout va lue
specified in the persistence profile, and is reset back to zero each lime a connection that matches
the persistence record is directed to the pool member indicated.
Unless Ihe entry times out, Or the named pool member fails a monitor health check, subsequent
coo.nections from the specified client(s) to the named virtual server will be directed to the same pool
member.
Source address affinity persistence is a good choice for basic persistence because of its robustness and
simplicity. It also does not require the client to have cookies enabled, as you'll see in the Cookie
Persistence section. As long as a client's IP address does not change during the persistence period, and the
pool member remains available to process traffic, all coo.nections from th at cli ent to the associated virtual
server will be directed to the same pool member.
Persistence mirroring
Persistence mirroring can be used to duplicate persistence records to other BIG-IP systems in a hi gh
availability configuration. This setting provides higher reliability in the event ofa failure, and can only be
configured if the BIG-I? device is part of a SyncFailover device group.
General Properti ••
Name Pr_Src_PerSl:>l
AppIiCaiion Cousc_Adn'lInl:ill!rI1Q
Conftguratlon
Custom 0
Mask Ill"". • I 0
The table below summarizes a few of the commonly specified settings when creating a custom source
address affinity profile:
Lesson Objective:
During this lesson, you will learn bow cookie persistence works, and how to configure a cookie
persistence profile and assign it to a virtual server.
Note: In this course , we will focus on insert, rewrite , and passive methods only.
The only significant difference between the cookie insert, rewrite, and passive methods is how aod when
the BlG-LP system becomes involved in setting cookie persistence values. The method you choose will
depend a lot on how your application works.
However, iftbe cookie's expiration is set to a particular time value, for example 2 hours, and the desired
bebavior is for tills expiration time to be reset on eacb subsequent client connection, tben Always Send
Cookies should be enabled. in doing so, tbe cookie will be resent with a new expiration time on each
subsequence connection. If Always Send Cookies is disabled undcr these circumstances, the client gets
one 2-hour window in which persistence will apply. At the end of that 2-hour window, the BIG-IP system
will load balance the client's next connection to the virtual server first, before a new persistence cookie
with a new 2-hour expiration time is sent back to the client.
Note: F5 recommends using Cookie Rewrite over Cookie Passive whenever possible.
" ,~
1
pis play Cogkl,
S.PLJlitJP ~9d'rll!
_
• NetwOl1t. t Source",
"CJFr~
- 0110104 tOOl nll9nll4 10!1HfI 1Il{ll1 10 10" InO
- ~'Web SaL
• {J1-.d01l
... loc al Stor aye
.. $ FlS:S!on Storage
... CoI*e':i
.. t; 10 10" 100
Note: For more information on decoding the value in a BIG-IP persistence cookie, see
SOL6917: Overview of BIG-IP persistence cookie encoding.
Important: In some environments, it may be unacceptable to disclose the IP and port numbers
of origin web servers behind the BIG-IP system in an HTTP cookie. Of your security policy
requires this information to be obscured, refer to the processes described in SOL 14784:
Configuring BIG-IP cookie encryption (10.x through 11.x)
Lab Requirements:
• Two or more working pool members in httpsyool
• A virtual server at https:lIlO , I OX . I 00 associated with httpsyool
Configuration section
Check the Custom box, then specify timeout setting
Timeout
as 30 seconds
When complete. click ... ..
..
Configuration utility
II. Wait 30 seconds, and tben refresb tbe screen at bttps:IIIO.IO.X.IOO again. At this point, you
should be load balanced to another pool member. Confirm by looking at pool member statistics.
Refresh
13. Ifno Persistence Records display, switch back to your browser window where you are connected
to https:IIIO.IO.X.lOO and refresh the screen several times. Check for Persistence Records
statistics again.
,
Q. What is the Persistence Value? ,J' A I. f} 1'7
tP
·'1 v, , -y ) , ;;.
Before you start this next series of steps, ensure you have two browser windowsltabs open : one
to your BIG-IP system at Statistics" Module Statistics" Local Traffic, and viewing
Persistence Records ; and the other to https:II10_10_X.100. You will be switching back and
forth between these two windows frequently as you go along.
15. Have a student at another workstation accessyollr virtual server at https:lllO.IO.X.IOO. What
pool member are they persisting to?
16. On your browser session to https:IIIO.10.X.100, refresh yo ur screen several times. What pool
member are you persisting to?
17. On your BIG-IP system wb ere you are viewing Persistence Records, refresh the statistics by
clicking the Refresh button on the Auto Refresh line:
Configuration utitity
Configuration section
Check the Custom box
Mask Select Specify from the pull-down menu
Enter 255.255.0.0 in the space to the right
19. Navigate to Statistics» Module Statistics» Local Traffic and view Persistence Records
statistics . If any persistence records still exist, wait until they have all expired before continuing.
20. Have a student at another workstation access YOllr virtual server at https:II IO.IO.X.IOO. What
pool member are Ihey persisting to?
21. On your browser session to https: IIIO.IO.x.IOO,refresh your screen several times. What pool
member are YOll persisting to?
22. On your BIG-IP system where you are viewing Persistence Records, refresh the statistics by
clicking the Refresh button on the Auto Refresh line:
Q . How many Persistence Records are there now, and for what range of IP
addresses?
23. Wait until all Persistence Records have expired again, and then refresh your browser session to
https:lllO.10.X.100. Have the other student do the same. Did you both persist to the same pool
member again? Examine the Pers istence Records statistics again to confinn the results.
Objectives:
• Configure a cookie persistence profile, assign it to a virtual se!>'er, verify functionality and
obse!>'e changes in traffic behavior.
• Estimated time for completion: 15 minutes
Lab Requirements:
• Two or more working pool members in httpyool
• A virtual se!>'er at http://lO.IO.X . IOO associated with httpyool
• System time on student's workstation and the BlG-IP system must be synchronized.
Synchronize system time on the BIG-IP system and the lab workstation
I. Ensure tbe system time on your Jab workstation is synchronized with the time on tbe BIG-IP
system. Iftbere is a discrepancy, correct it. For example, if running Windows on your
workstation (PC), you should be able to right click the click display and select Adjust
DatefTime. Adjust the date/time on tbe PC to match what is currently di splayed on your BIG-IP
system.
Finished
Hint: If you received an error message after clicking Update, think "profile dependencies,"
and make the necessary corrections to success fully add Pr_Cookie_Persist to vs_btlp.
13. Back On http://IO.IO.X.l00, view tbe BIG-IP persistence cookie by clicking on the Display
Cookie link in the middle of the page.
Note: In the next lab steps, we'd like you to view and periodically delete the BIG-IP persistence
cookie stored by your browser. The steps to do this vary from browser to browser, and are
summarized here. Actual steps may differ depending on the version of browser you are using.
Chrome (v24) Users - Right click anywhere on the page and select Inspect Element from the
resulting pull-down, then click on the Resources tab, then expand Cookies. You can view and
delete cookies in the Inspect Element window.
Safari (v5) Users - Ensure Show Development menu in menu bar is checked in your
Preferences -7 Advanced settings. Then follow the same directions as for Chrome.
Firefox (v18) Users - In the pull-down menus at the top of your browser window, select Tools
-7 Options -7 Privacy -7 Remove individual cookies. You can view and dele Ie cookies in Ihe
resulting pop-up window.
IE (v8) Users - To view cookies, press F12, then select Cache -7 View Cookie Information
from the pull-down menus at the top of the resulting Oeveloper Tools window. This opens a
new browser tab with cookies listed as a scrollable page. To delete cookies , select Clear
Session Cookies and Clear Cookies for Domain from the Cache pull-down .
In all cases, you 're looking for a cookie called BIGipServerhttp_pool that is associated with the
"domain name" lO.lO.X.100.
IS. Delete the cookie and close the browser window to http://)O.lO.X.IOO in anticipation of the next
lab step. (If you cannot delete individual cookies in the browser you're using, delete all cookies
and close the browser window to http://l0.10.X.IOO.)
16. Reconfigure Pr_Cookie_Persist with an expiration time of30 seconds.
ConflQuration section
Check the Custom box on the far right, and then set
Expiration
Seconds to 30.
When complete, click .. .
17. Open a new browser window to http://10.10.X.IOO, and hard-refresh the browser session several
times. View the cookie and its expiration time again. Did you load balance to a different pool
member than the last time you connected? Why or why nofl
18. Refresh the screen several times to ensure that you are persisting, and then wait at least 40
seconds before refreshing again. Did you load balance to a different pool member than the last
time you connected? Why or why not?
19. Reconfigure Pr_Cookie_Persist with an expiration time of 2 hours.
Configuration section
20. Hard-refresh the browser session with bttp:IIIO.IO.X.IOO. Did you load balance to a different
pool member?
21. View the cookie and note its expiration time. Did it change to 2 hours or does it still show 30
seconds?
22. Wait a few seconds and refresh your browser session with http://IO.I0.X.IOO. View the cookie
expiration time again. Did it change? Why or why not?
Configuration section
Click the Custom box on the far right, then click the
Always Send Cookie
Enabled box.
When complete, click ...
24. Refresh your browser session with http://IO.IO.X.IOO, and view the cookie expiration time again.
Now did it change?
Note: If using a specific cookie expiration time on Cookie Insert mode, and you want the timer to
reset to 0 on each client connection, you should enable Always Send Cookie. Otherwise, the
default action is for the BIG-IP system to set the cookie expiration time on the initial client
connection, and to not update the expiration time on any subsequent client connections for
which the persistence cookie applies.
STOP
Lesson Objectives
During thi s lesson, you will learn how to change the availability of pool members and nodes through
management action. You will be able to prevent the BIG-lP system from sending client traffic to pool
members that you wish to remove from service so as to perform problem diagnosis, upgrade, or
maintenance activi ties.
For example, to sel the state of node 172.16.20.1 to forced offline, you would type th e followin g
command al the TMOS prompt:
t msh modify fI t m node 172. 16.20.1 state user-down
Remember that when using the command line to make changes, if you want those changes
saved, you must follow the modify command with a save /sys config command.
I ISearchl
172.16.20 .1
------------------~-- 172.16.20.1
172.1 6.20 .2 172.16.20.2
172.16. 20 .3 172.16. 20 .3
172.16.20.4 172.16.20.4
General Properties
Name 172.16.20.1
Address 172.16.20.1
Partition I Path Common
Description
Current Connections
Figure 8. Changing node slale using the Configuration uliflly (Top: Change node 10 disabled or enabled at tM Nodes
List page; Bottom: Change node to enabled, disabled, or forced offline at the specific node's configuration page .
Remember that when using the command line to make changes, if you want those changes
saved, you must follow the modi fy command with a save / sys conf ig command.
Current Members
Description
HeaRh Monitors
Current Connections
Figure 9: Changing pool member state using the Configuration utility (Top: Change member Slate to disabled or
enabled at the Members tab of a particular pool; Bottom: Change member state to enabled, disabled, Or forCed offline
at the member's configuration page,
Remember that when using the command line to make changes, if you want those changes
saved, you must follow the modify command with a save s y s config command .
IISearcN
-- . - 'IF:
.. Name Appi cation Destination Service Port Type
General Properties
Name
Partition 1 Path Common
Description
Type Siandard
Source 0 .0 .0 .010
Figure 10: Changing virtual server slate using [he ConfIguration utilily (Top: Change virtual server state to disabled or
enabled at the Virtual Servers list page; Bottom. Change virtual server state to enabled or disabled at the virtual
servers configuration page. Forced offline is not available for a virtual server.
Objectives:
• See the effect of object state on persistence
• Estimated time for completion : 15 minutes
Lab Requirements:
• vs_https with resources httpsyool and Pr_Src_Persist profile
Configuration section
Q . What is the IP address of the pool member you are persisting to?
3. Use either tbe Configuration utility OR tmsb 10 di sable the pool member you are persisting to
(as noted in Ihe previous step). instructions for bOlh methods are shown below: (a) for the
Conliguralion uliJity; (b) for Imsh.
a. To disable Ihe pool member using the Configuration ulility:
b. To disable the pool member using tmsh, substitute the IP address:port combination for
the server you are persisting to for <pool.member:port>:
tmsh modify Itm pool https-pool members modify {
<pool.member,port> { session user-disab led) )
4. Go back 10 Ihe browser window connected to https:II IO.IO.X.IOO and refresh the page several
times.
Q. Are you still persisting to the same pool member? Why or why not?
s. Use either tbe Coofiguratioo utility OR tmsb to force the pool member you are persisting to
omine. instructions for both methods are shown below: (a) for the Configuration utility; (b) for
tmsh.
a. To force th e pool membe r omine using the Configuration utility:
b. To force the pool member omine using tmsb, substitute the IP address:port combination
of the server you are persisting to for <pool.member;port>:
tmsh modify ltm pool https-pool members modify {
<pool.member'port> { state user-down} }
6. Go back to the browser window connected to https:1I10.10.X.IOO and refresh the page several
times.
a. To disable the node using tmsh, substitute the IP address for the parent node of the pool
member you are persisting to for <node name>:
tmsh mOdify ltm node <node name> session user-disabled
8. Refresb tbe page at https:1I10.10.X.IOO several times.
Q. Are you still persisting to the same node? Why or why not?
STOP
Figure 1: Without iApps, application configuration objects are grouped and managed from a network-centric
perspective - as virtual servers, pools, monitors, profiles, etc, rather than as the application each object supports.
The real breakthrough came in version 11.0 with the introduction of iA pps, the BIG-IP system's
framework for deploying application serv ices. Using iApps, network administrators can deploy
commonly-used applications such as Oracle or Exchange by answering a series of simple questions that
relate to their application management needs and network infrastructure topology. The responses to these
questions will drive the creation of certain BIG-IP system con fi guration objects that are then grouped
together under a centralized application service, as shown in Figure 2. This alleviates the need to manage
discrete components on the BIG-IP system.
Exchilnge 2010
I
I
Vii_OWl! J (
wwwcocom
V5_com ) ...Inlta.co.coO
V5_intra
[
oW8_pool
pop3
)
)
vpnJlOot
Oriel. )
I www-"ool
I HTTP
)
)
Inlrv-"ool
(
HTTP ,
I
[ ow. J
I Cookie )
I Client SSL I ( ClientSSL ) ( HTTP ) I HTTP )
( TCP )
I TCP ) ( TCP ) ( TCP )
[ OWAAccet ] ( InttaAcCH5)
( SSO )
(OWA Append I I WkEncRedlr I I Proxy Pa&s ) (HTIPThrotue)
( HTTPRed l, , ConlTypeRep
By managing appli cati on services rather than individual networking components and configurations,
application deployment speed is dramatically improved, and it is easier to replicate commonly-used
application services across the enterprise.
Benefits of using iApps include:
• User-customizable
• Easy ed iting of configurations and cleanup
• Reentrancy
• Configuration encapsulation
• Cradle-to-grave configuration management
• Strictness protects against accidental changes to the configuration
• Operational tasks and health status for application service components (configuration objects)
• Copy/import/export capability
• Community support for DevCentral hosted templates
iApps Elements
The iApps framcwork consi sts of two main elements, as shown in Figure 3:
• Templates
• Application services
Templates Template
The template is where all the
groundwork for deploying and
application is defined. Templates
'!iJ!!1 wabt!J! ~
include programmatic information
that will be used to create
• F5-supplied
configuration objects, tbe visual
layout of the form that the iApp user • Shared
Kmt Wtb&ft. POOl )
will interact with on the BIG-lP
system (the GUI), and help
(DevCentral) ( !cme Wt'btrte tim!: !!!Q:n1tQ[
)
information. At the time an • Custom built
application service is generated, its ( i1~ wlibaHe htta
)
associated configuration Objects will
be derived from the template that was ( .em. Wfltl.1t& cookie-
pI,.....~ne. )
used to deploy it, and the values that
the iApp user provides when filling
out the template form ' s various fields. Figure 3 : T&mplates provide the guidance needed 10 deploy an
application service and its assocfaled configuration Objects.
Some iApp templates come pre-
configured on thc BIG-IP system; others can be obtained from tbe DevCentral iApps community pages.
You can use any of these as the basis for developing your own iApps templates, or you can build a
template completely from scratch .
Application services
iApps application services use templates to help drive the configuration process. When gene rating an
application service, the iApps user uses the Configuration utility to deploy the service from a previous ly
developed template, filling out fields and answering questions in the template's visual layout that are then
used by the template'S programming logic to generate BIG-lP system configura tion objects, such as
virtual servers, pools, pool members, profiles, monitors, and so on. All the objects created during
deployment are then bundled as components of the application service, and can be viewed and managed
from a single screen in the Configuration utility.
Note: Because objects that are initially configured by an iApps template can be very difficult to
change, there are configuralion objects that are better suited for inclusion in an iApp template,
and others that are not. In general, avoid elements lhat you configure using the BIG-IP System
option. Examples of configuration objects that are good to include in an iApps template are pool
members, virtual servers, health monitors, and profiles.
Presentation section
The presentation section is written with APL, or application presentation language, and constructs the
user interface for the iApp template. From an iApp user's perspective, the user interface consists of a
series of questions, the aru;wers to which determine the configuration objects that are generated . The APL
describes what questions to ask, when to ask them, how the questions are presented (e.g. free-form text
field, a pull-down list, etc), and the names of the variables used to store the values the user inputs. For
example, the APL code snippet below is from the presentation section of the F5-supplied template called
f5.http. It results in a graphical user interface display that contains a section similar to that sbown in
Figure 4, and sets up for the responses that will feed back into the template's programming logic to
generate the appropriate configuration objects.
section 5s l {
choice mode display "xx large " default "no _551"
•
•
•
5sl "SSL Encryption"
SSL Encryption
Figure 4: Presentation section code constructs the user interface for the iApp temp/ate.
Implementation section
The implementation section is wrinen with the TeL-based tmsh scripting language. This is the
programmjng section of the template that does the work of building and applying the configuration.
Virrually anything that can be done with tmsh can be accomplished within an iApps template. For
example, in the snippet of implementation seclion code shown below (from the F5-supplied template
fS.http), the script is considering whether or not to set up a Client SSL profile depending on the user's
response to the questions that were asked in the presentation section.
# CLIENT SSL
set do client s8l [iapp: :is : :881 mode client ssl client s81 server 881)
set new - client - s8l lexpr { ! $advanced II liapp 0 -;- is \ - -
: ; ssl_client_sslyrofile $;: CREATE_NEW_ANSWERJ }]
set do- chain- cert [expr { $advanced && \
! [iapp: :is : :ssl_use_chain_cert $: :DO_NOT_USE_ANSWERJ }l
Help section
The help section is html-based, and is used to guide the iApp
user in the purpose and function of the iApp template.
[ .... .1 Hetp
1 Maul· 1
I I
For example, the snippet of help section html code below might ~I ,1m E'Pand
produce output similar to what is shown in Figure 5. I
web iApp Temptate
<p><strong>web iApp Template</strong></p>
This template creates a complete
Inline help is also a best practice for iApp templates, and is generally turned on or off by the iApp user at
the time they create or reconfigure an application service from a template. For example, turning on inline
help in the fS.http template changes the text around the SSL Encryption section shown in Figure 4 to look
like Figure 6.
SSL Encryption
How shoukllh. BIG-I? system
handle SSllramc?
IEncrypllo clianls , pl~lnlexi to servers (SSL omOlld)
SSL is a cryptographic protocol used 10 secure clienllo server communications. Select hOW you warrtlhe
BtG-IP system to handle encrypted trame. For encryplion between client and BIG-IP system:
tt'your application requires encrypllon and session persistence twh1ch ensures requests from a single usef
are always dislribut8(j to the server on which they started) . we recommend you conftgure the BIG-IP system
for terminating SSL for clienl requests. This allows the system to more accurately persist connecllons based
on granular protocol or applicalion-speciftc variables.
If security requirements do not allow the BIG-'IP system \0 decrypt client connections. select to re-encryplto
the web servers_ With this selection the system will use SSL ID or CllentlServer IP to enforce session
persistence. Because Ihese parameters are less granular. using them may resullin inconsistent distribution or
client requests.
Encryption and decryption of SSL is computationally intensive and consumes server CPU resources. In
environments that do not requifll encrypilon between the BIG-IP system and the web servers. select SSL
Offload 10 terminale the SSl session from the client atlhe BIG-IP system and provide elear text
communication rrom Ihe BIG-IP system to the web servers.
For environments that require encryption between the BIG-IP system and the web servers. selee! SSL
re-encryption 10 terminate the SSL session from the ellenl at the BIG-IP system and re-encryptll ror
communication belween the BIG-IP system and the web serve~.
Iryou have already created an Cllenl SSL pronle Ihallncludes the appropriate certiflcate and key, you can
• r;elee!1t rrom the list. Otherwise , the iApp creates a new Client SSl profile.
Figure 6: SSL Encryption sectio" of the f5.h tlp template with tnline Ilelp turned on
Macro section
New in version II A, tbe macro section allows template developers to create generic text that can be used
as iRules, and that can be customized with tbe iApp user's unique input while maintaining syntactical
accuracy and consistency. In essence, it's a bridge between iApps and iRules.
FS-Supplied Templates
The BIG-lP system contains many F5-supplied templates tbat can be used as is to deploy commonly used
applications such as Microsoft Exchange or Sharepoint. These templates all have names tbat begin with
tbe prefix "[5." System-supplied templates cannot be modified, but can be copied to another name and
then edited.
In versions 11.0-11.3, the following iApps templates were shipped with BIG-IP:
• ClFS
• FTP
• Replication
• VMware vMotion
Note: There are also many other s upported templates available for download at DevCentral
(devcentral.f5.com). See the iApps Codeshare for a complete list of F5 templates by application .
F5-supported iApp templates are c reated, tested , and sup ported by F5 Networks for customers
with current maintenance contracts.
Note : iApps templates a re used to create application services and cannot be used by
themselves. Th is is a fundamental c hange in the way templates are used from BIG-IP versions
prior to 11.0,
Note : You can only edit no n-system-supplied templates from this view. System-supplied
templates must be copied and renamed before they can be edited .
Copying a template
At the ti me an iApps template is developed, the developer specifies which BIG-IP modules must be
provisioned in order to use the template (e.g. LTM, ASM, GTM , etc). Before copying and modifyi ng any
temp late, you should license and provision the designated modules to avoid issues during deployment.
You should also ensure that you have administrator privileges on the BIG-IP sys tem where you are going
to modify a copied template, as this could also prcvent successfu l deployment.
DeplC?ying an Application S_
e_rv_i_c_
e_ _ _ _ _ _
Overview
An iApps application service lets you create and deploy new configurations by filling out screens with
fonDS generated by the underlying informati on in an iApps template . Using the B1G-IP Configuration
uti lity, iApps users can manage, reconfigure, and view statistics about an application service once it is
created. (To view application statistics, the Application Visibility and Reporting (A VR) module must be
provisioned.)
Note: When creating an application service, users are prompted to license the modules required
by the selected template if the modules are not licensed, and this may require permission that
the user does not have.
Figure 7 illustrates the deployment of an application service using the F5-supplied template called f5.http.
(Some parts of the GUI generated by the presentation section of the templ ate have been omitted for
discussion purposes.)
I"'.hllp
Template OpHons ------------------------------------~
Do you want 10 see inane nelp? INo, do 1'101 shaw inline help
WhIch conngurellon mode do
you wanllo use?
IBasic· Use FS's recommended selllngs
---.1-----
SSL Encryption
NodeJIP addren f1]"2."16 .20 .1 po· l·o Connedlon lim _ ' 0 [[)
Which web saNen should NodeJIP 8ddress f 172 .16 .20.2 v Po. 1.
;":-::0- ConnectIon tim" i-I""
0 -- 0
~ induded in this Pllol?
NodallP address 17 2. 16 . 20 .~ \II' portleo Connedlon tlmII l 0 [[]
IAdd l
Application Haallh
Create a new hunh monitor or
use en exisUng one?
ICreale a new H TTP monitor
Whal HTTPURlshouldbeseni
I l1ndex.hlml
to the servers?
As you select the answers to va rious questions, the contents of the screen may change. New questions
may appear or existing questions ma y d isappear depending on your selections. For example, if you did
not select "Create a new poo l," the questi on "Which web servers should be included in this poo)?"
disappears.
If the template follows F5 's best practices, it should also include an inline help selection that provides
additional information as to what each setting might accomplish .
The results of deptoying an application service, as shown in Figure 8, might look something like this:
a 8t~
ilLl"""""'" .......
.3 [] drJ"l~rQl,)ffl_~!8_Y':.
a
...
dS'5SrtXfT1_we~w llttv_1t11J" .Ier
.A_
o 11) III !V , ':It • Ava;:OOfe;
9 Ll m'e'll' ,"""""",
~ ~on :" fj J: Pool Member
9D 1'1} 161(. 1 II,""""""
iil.[] 172 tl:: 103l.Gl • AvalaOle Member
Figure 8: Sample oulpul (rom deploying an iApp application service, as shown in Figure 6
As you can see in Figure 8, several pro tile objects were created that do not seem to coincide with any
questions presented in the screens shown in Figure 7 (e.g. classroom_ website_oneconnect). In this case,
these objects are controlled by other questions that would appear if you selected "Advanced" in response
to "Which contiguration mode do you want to use?" The important takeaway is that the iApp developer
has anticipated a range of scenarios that could apply to your basic "http" application service, and has
provided means for you to customize the service - using the template - to meet your specitic needs.
IAddl
v Port 180 Connedlon limn aI m
1=c;nc;;J Finished
Figure 9: Reconfigun'ng an application service to change its configuration when Strict Updates are enabled. In this
case, a fourth pool member-172.16.20.4:BO - is being added.ISome p arts of the screen have been omitted here.)
During a reconfigure operation, the old configuration is changed to the new configuration by the iApp
script using a process called mark-and-sweep. In essence, mark-and-sweep causes ...
• ... any object from the old con figuration that is not present in the new configuration to be deleted.
• ... any object from tbe old configuration that is in tbc new configuration to be modified with the
new configuration's settings.
• ... any object that is in the new configuration but not in the old configuration to be created with
the specified settings.
In the reconfiguration example in Figure 9, assuming all other settings are unchanged from the initial
deployment, the net effect is for pool classroom _ websiteyool to be modified to include pool member
172.16.20.4:80.
Note: Unless you have a specific reason to lAflP " Allfllu:nUon SOrvlCOS I~""r-. ,('I .' t I·
disable strict updates, F5 recommends that e. Prcpenles ~~~~"1igtl~':! • "'II. ".. ..""
you leave the Strict Updates selling enabled ~
(checked) .
I
Application Service: Mv-anced Id
If you do decide you wisb to manage the ~Ication Service classroom_website
application service's components directly (without Partition I Path Commonlcfassroom_websil e .app
using Reconfigure), you can initially deploy the
application service from the appropriate template, Description
II
template and disable strict updates. The net effect SInd Updates II (recommended)
is that the initial deployment is quick and easy, but
I Update II Delete I
ongoing maintenance is carried out using the Local
Traffic area rather tban the iApps area of the Figure 10: Strict updates enabled on an applicallon
Configuration utility. service.
Note: The ability to disassociate an application service from a template is new in version 11.4.
Once disassociated, the application is referred to as a generic application service.
Note: Even with strict updates enabled, you may manually enable and disable some objects
(e.g. virtual servers, pools, nodes, etc.) using other Configuration utility screens or tmsh.
tI _ ,. _ . _ .
--
iApps
,-
,- . -"-
---- • --
---
'
> a.--~ __
....-----_...- 0
- .... _
,- ~ ..
- - ..
- _. ._
----
T"PC~
.. - - _....- ....-.. .
...'
_ .... ". ... Pl'
-- .. v- ..---.---.
t. "-'---
_ _ _ L"' _ _
"
,~.,.
III
~
. -------
_.......--
_-_. .. .
FIgure 11: 09vCentral.f5.com pro v;des a weelfh of iApps ~ rel1)fed dOGumentation and templates
Lab Requirements:
• BlG-IP system with standard network configuration (self IPs, VLAN s, etc.)
• Access to the fS.http template (F5-supplied template)
80
www.classroomwebsiteX.com
b. What is the name and type of the monitor that is checking pool member health?
c. Is the pool membe r monitor part of the classroom _webs ite application service?
e. What is the name and type of the monitor that is checking node hea lth?
g. What profiles were created by the template as the result of you acce pting the tem plate' s
default sett ings?
3. Click on the entry for pool cIassroom_websiteyool to navigate directly to its configuration
entry. Note the name of the associated Application in the General Properties section.
4. What load balancing method did tbe te mplate set for classroom_ website.Jlool?
5. Navigate bac k to tbe application service page by clicking on classroom_website in the General
Properties section. Click the Components tab, if necessary, to view the components of the
classroom_website application service again.
The template set Least Connections (member) as the load balancing method for the pool
classroom_ websiteyool.
b. What is tbe source LP address, as seen by the back end server, and why? Can finn your
answer by viewing the vi rtual server configuration settings for classroom_website_vs.
c. Hard-refresb tbe screen several times. Did you load balance to a different pool member?
Why or why not? Confi.n n your answer by viewing the virtual server configuration
settings for classroom_website _ vs.
7. On your browser window to http://1O.10.x.200, refresh the page several times to ensure you are
persisting, and then delete the BIG-IP cookie and refresh the screen several times again. (Refcr to
the instructions at the start of the first lab in tbis cbapter if you forget how to do this.)
a. Did you continue to persist to the same pool member? Wby or why not? Confinn your
answer by reviewing the persistence settings for the virtual server again .
When complete, click ... Update (if Strict Updates was not already checked)
13. Was your attempt to add a fourth pool member successful? Why or why nor)
14. Disable the Strict Updates setting for classroom_website.
15. Try again to add a fourth pool member (In.! 6.20.4:80) directly to pool classroom_website~ool
(as you attempted in a previous step).
a. Were you successful this time') Why or why nor)
b. What is the new pool member's status) Is it being monitored? Confinm your answer by
checking the pool member's properties.
23. Navigate to pool classroom_websiteyool and view its members. Does the fourth pool member
sbow here as well? What is its status?
24. Wait until the fourth pool member's status changes as the result of its associated health monitor
test. (Check the assigned monitor's interval and timeout settings to determine how long you
might have to wait.) What did the pool member's status change to? Why?
25. Reconfigure the application service so that the expected response setting on the healtll monitor
will allow for a successful response from the fourth pool member. Confirm that the monitor is
now receiving a successful response.
Natwork section
have you configured Servers have a route to clients through the BIG-IP
web servers?
Virtual Server and Pools section
Should the BIG-IP system
insert the X-Forwarded-For Do not insert X-Forwarded-For HTTP header
header?
Which persistence profile do
Do not use persistence
want to use?
Which load balancing method
Round Robin
do want to use?
0eIiveIy Optimization section
Which Web Acceleration profile
Do not use caching
do want to use for
Which compression profile do
Do not compress HTIP responses
want to use?
Server Offload section
Which OneConnect profile do
Do not use OneConnect
want to use?
27. Refresh your browser window to http://IO.IO.X.200 and view the results. How is traffic through
the application service behaving differently with these new settings?
a. Is source address translation (SNAT) being perfonned?
b. Is traffic pe"isting?
c. Does you r browser sti ll have a cookie from when cookie pe"istence was configured on
classroom_website_ vs? If so, why are you not pe" isting?
Lab Requirements:
• BIG-IP system with all configuration objects from the previous labs
• Access to the ClassSetup.tmpl iApp template.
Figure 12: Prior to the sta rt of this lab, your network configuration should look som &ttling like this.
2. Create a UCS arcbive of your current BIG-IP system configuration using e ithe r the Configuration
utility or tmsh . Call the archive trainX_ modS.ucs.
3. Confirm the UCS was successfully created before continuing with the next steps. Download the
UCS to your hard drive, if you'd like extra insurance!
4. Restore your BIG-IP system from the UCS archive called trainX_base.ucs using either the
Configuration utility or trnsh . This archive will restore the BIG-IP system to its configuration
state just after you completed the Setup utility in tbe very first lab of this class, in effect removi ng
a ll the o bjects you have created until now, and the c lassroom_website application service you
created in the previous lab.
5. Using either tbe Configuration utility or trnsh (or both), confirm that you no longer have any of
the configuration objects you saw via the Network Map at the start of this lab. Also conlirm that
you are no longer able to access any of your back end applications by trying to establ ish browser
sessions to http :// IO.IO.X.IOO, https://lO.IO.X.IOO, and https://lO.IO.X.I 0 I, and an SSH session
(via PuTTY) to 10.lO.X.100:22. (Remember to refresh via Ctrl-F5 to force a reload of the page
from the website and not from your browser's cache.)
Configuration utility
Template section
Finished
II. Open a new browser session and connect to https:1Il0.10.X.IOO. Refresh the screen 5-10 times.
You should be connecting securely (SSL) all the way through to the back end application servers.
Are you persisting? Ifso, with what method?
12. Open a new browser session and connect to bttps:IIIO.IO.X.IOl and test this virtual server's
functionality . You should be seeing SSL encryption on the session from your PC to the BIG-JP,
and no SSL encryption on the session between B1G-lP and the pool member due to the
assignment of the client SSL profile Pr_ Client_ SSL on this virtual server.
13. Open an SSH session (using PuTTY) to 192.168.X.31. Attempt to log in as root/rootX to verify
access to the bash shell. Are the credentials working?
14. Open an SSH session (usi ng PuTTY) to lO.IO.X.31. Log in as adminiadmiuX to verify access to
tbe basb shell.
15. Open an SSH session (using PuTTY) to lO.10.x.l00:22. Log in as student/student to verify that
this virtual Server is also working correctly.
16. lfall testing was successful, please close all browser sessions except your BIG-LP window. Also
close tbe SSH session window.
Note: If any of your testing was not successful, please notify the instructor immediately. We will
be using this configuration as the foundation for the remaining labs in this class.
STOP
Con'figuring Logging
Lesson Objectives
At the end of this lesson, you will be able to
• View and describe BlG-lP log information using the Configuration utility and tmsh
• Set minimum log levels for various local traffic events
• Describe the BlG-LP log rotation process
• Configure remote logging
Logging locally
The mechanism that B1G-IP uses to log events is the Linux utility syslog-ng, an enhanced version of the
standard UNIX and Linux logging utility, syslog. Each type of event is stored in a separate log file, and
the information in each log file varies depending on the event type. By default, BIG-IP logs these event
messages locally in the directory Ivarllogl. Some of the log files contained in this directory are shown in
the table below:
Syslog-ng uses facilities and levels to describe system messages. Facilities describe the specific element
of the system generating the message, as show in the table above. Levels describe the severity of the
message, as shown in ttle next table.
I' ~
.. TlfllI!Stamp Log Level Ho!il SeMce Event
Thu Oct 3104:02:05 POT 2013 notice bigip4 syslog- Configuration reload request received, reloading
ng(3005] configuration;
Thu Oct 31 10:00:03 PDT 2013 notice bigip4 mcpd[5828] 01070639 Pool fCommonlhttpsyool member
ICommonl172.1S.20.2:443 session
status enabled.
Thu Oct 31 10:00:03 PDT 2013 notice bigip4 mcpd[5828] 01070638 Pooll/Common/https_pool member
ICommon/172.1S.20.2:443 monitor status
unchecked. [ 1[ was forced down for
19hrs:17mins:24sec 1
.0 ... ::i~t'rTI :crtJ'uo,:J r,,,, saCIIO'll P"CI'i!" Frnll'l Loce -rlf1Tl: Audit .. ,. rlr.Yll':tlI11Jl ..
--=:J~
~'l"IMction UEvent
User Name .. T
F rt Nov 109:01 :14 PDT 2013 admin 0-0 htlpd(mod_au1hyam): user=admln(admin) par1illon={AJ~ level=Admlnlslr2llor
lty=lusrlbif1l1msh hosl=192.166.4.30 attempts=1 slart="Fn Nov 1 09 :01:14
M
2013 . :
Fri Nov 1 09:08 :53 PDT 2013 rool Il-O sshd(p am_audlt): user-rool(rool) partilion=[AJ~ level=Admlnislralor tly=ssh
host=10.10.4.30 attempts=1 slar1="Fri Nov 1 09 :06 :532013".:
Fri Nov 1 09 :16:10 PDT 2013 rool 0-0 sshd(pam_2Iudil): user-root(re ol) parti1ion=[AJ~ tevel=Admlnislralor tly=ssh
host=10.10.4.30 attempts=1 slar1="Thu Oct 31 15:22 :24 2013- end="Fri Nov 1
09:16:10201r.:
Fri Nov 109:16:19 PDT 2013 root Il-O sshd(pam_2IudH): user=root(rool) partition=[AJ~ level=Administrator lI'y-ssh
hOst=10.10.4 .30 attempls=1 star1=· Thu ad 3113 :53 :40 2013"end="Frl Nov 1
09 :16:192013-.:
Figure 1: (top) Sample System log messages; (middle) Sample Local Traffle log messages; (bottom) Sample Audit
log messages
level indicates the minimum severity level at which the BIG-IP system logs that type of event.
For auditing events, you can set a log level that indicates the type of event that the system logs, such as
The log levels that you can set for local traffic events are:
...-..Highest
. . ..- ...Severity
. .- - Level
===- - -- --
...
- --=::;;-r;:;:;:;:;;-;:;;;;;;:;;;.----
• Lowest Severity Level
Emergency r Alert Critical [ Error - [ Warning [ Notice I Informational I Debug
For example, by default, only Warning level or higher Network event messages are recorded to local
logs. If you changed the minimum log level for Network events to Error, then the BIG-JP system only
logs Network-generated messages that have a severity of Error or higher. However, when you set up
legacy remote syslog servers, all log messages are delivered remotely, regardless of the local log level
settings, leaving it up to the remote syslog software to filter out and deliver log messages to the
appropriate log server destination.
Note: For detailed instructions on setting local log levels, please see SOL5532: Configuring the
level of information logged for TMM-specific events. Also, check each BIG-IP product's
documentation for specific instructions on what events can be logged, and how to configure
such logs.
The log levels that you can set for audit events are as follows:
o Disable - (Default) Turns audit logging off.
o Enable - Log messages for user-initiated configuration changes only.
o Verbose - Log messages for user-initiated configuration changes and any loading of
o Debug - Log messages for all user-initiated and system-initiated configuration changes.
non Cd 1 04:02:04 PDT 20f2 l10tice bloiP2 s)'~lo g - Conligurabo n reload request rece ived, reloading co n ti ~ urallO n:
ng(115061
To view log files using tmsh, use the show log command. For example, to display the current Local
Traffic log:
tmsh show /sys log Itm
To use the command line to watch log messages being recorded to a local log file, you can use the Linux
command:
tail -f /var/log/<logfile>
For example, to view log messages as they are recorded to the localltm log file, run:
tail -f /var/log/ltm
For complete instructions on customizing the log rotation process, please refer SOL 13367:
Managing log files on the BIG-IP system (11.x)
Each archive is a compressed file in standard gzip format with a .gz suffix placed in the
ivarilogldirectory. A number is used just prior to the suffix to indicate the archive's relative position in
the rotation. For example, the most recent LTM log archive will be named Itm,Lgz; the oldest archive
will have the largest number before the .gz suffix (e.g. Ilm.B.gz, if there are 8 archives currently in
rotation).
Note: The Configuration utility can only be used to view active log files. To view log archives,
you can use tmsh or the command line.
Properties
~
10 10 1.30514
I EdD I Delete I
I Update I
Figure 3: Adding a remote syslog server to the remote sysfog server list using the Configuration utility
The BIG-lP system automatically names each remote syslog server listed using its own naming
convention (e.g. remotesyslogl, remotesyslog2, etc.).
Note: To configure extensive syslog-ng custom izations, you must use the command line. See
the section entitled Customizing syslog-ng later in this chapter.
Note: For more info, see SOL 1333: Filtering log messages sent to remote syslog servers (11 .x)
Yes
Syslog
No (legacy)
Figure 4 ~ When a syste m log message is generated, if a ma fc hing HSL filter exisrs , ",e message will be processed by
HSL. If no filter exists, the message is processed by legacy syslog functions.
Filter criteria
When you create a custom HSL log filte r, you specify criteria that tie the filter back to one or more log
messages. Filter criteria include:
• Message severity level
emergency
• Message source
• Message lD
• Log publisher critical
Message severity level error
The severity level that you select includes that level plus all
higher levels. For example, if you specify severity level as notice, warning
as shown in Figure 8, the filter covers all log messages with a log
level of notice through emergency. (Any other filter criteria
specified also applies.)
Message source
Message SOurce identifies anyone of the BIG-lP system processes
debug
that generate log messages (e.g. big3d, mcpd, tmm, tmsh,
Figure 5: The severily level that you selecl
tcpdump, etc.) You can also set this option to all to log messages for B r.i!er i" c/udes th at level and a/l higher
from all processes, or to no-source as a convenient way to turn severity IOVf::/S
off a log filter without completely removing it.
MessagelD
In addition to specifying a message severity level and message source, you can further fi lter the messages
a fi lter will apply to by specifying the 8-hex-digit lD number that appears in the log message (e.g.
01071434 or 0 13e0002). Only one message 10 is supported in v 11.4.
Log publisher
A filter's log publisher setting specifies the publisher to which the system sends messages that match the
filter criteria. A publisher is the first in a series of new configuration objects on BIG-IP v 11.4 that support
high speed logging functionality. Setting Log Publi sher to None causes the log messages matching the
filter to be discarded.
The function of a fonnatted destination is to essentially convert the fonnat of a log message to the fonnat
used by the remote Jogging server. The fonnatted destination then passes the message to its associated
higb-speed logging destination, which consists of a pool name. The high-speed logging destination then
forwards the log messages to the named pool of log servers.
Note: An HSL publisher can point directly to a high-speed logging destination (i.e. without an
intermediary formatted destination).
Pool
Understanding SNMP
The Simple Network Manage ment Protocol (SNMP) is an industry-standard protocol for monitoring
de vices on lP networks. You can configure the BIG-IP system with SNMP traps and an SNMP agent that
sends data to an SNMP manager, as illustrated in Figure 4. The BIG-lP system supports several SNMP
versions including SNMP vi , v2, and v3.
Note: Effective in version 11 .3, BIG-IP High-Speed Logging (HSL) supersedes SNMP traps
when configured for the same log messages. When HSL is in effect, SNMP traps/alerts and
associated notifications should be configured on the remote syslog server software (e.g. Splunk,
ArcSight, etc.). The SNMP agent functionality on the BIG-IP system is not impacted by HSL.
• 172.16.20.1
Figure 7: The BIG-IP system includes an SNMP agent that call response to polls for performance metrics from a
remote SNMP manager. The B IG-IP system 's a'erld component can also sent alert messages to the SNMP manager
based on default or custom-defined SNMP lIaps.
A standard SNMP implemenl<ltion consists of an SNMP manager, which IUns on a network management
system and makes requests to the BIG-IP system, and an SNMP agent, which runs on the BIG-lP system
and fulfills requests from the SNMP manager. SNMP device management is based on the standard
management informatioD base (MlB-II), as well as object lOs and MLB files.
• MIB - Defines the Sl<lndard objects you can manage for a device, as presented in a hierarchical
tree structure.
• 010 - Each object defined in the MLB has a unique object lD (OLD) written as a series of
integers . An OLD indicates the location of the object within the MLB tree.
• MIS files - A set of Mill files resides on both the SNMP manager system and the managed
device. Mill fil es specity values for the data objects defined in the Mill. This set of Mill files
consists of standard SNMP MlB files and enterprise MIB files - those Mill files that pertain to a
particular company, such as F5 Networks, Inc.
Some of the tasks an SNMP manager performs includes polling for device data, receiving event
notifications from a device, and moditying writable object data.
• Control access to SNMP data - Assign access levels to SNMP communities or users to control
access to SNMP data
• Configure traps - Enable or disable traps and specify the destination SNMP manager system for
SNMP traps
Note: Only users with either the Administrator or Resource Administrator user role can
configure SNMP on the BIG-IP system.
• Memory use
• Number of active connections
• Number of new connections
• Throughput in bits per second
• Number of HTTP requests
• RAM cache use
• CPU use
• Number ofSS L transactions
Each metric has one or more SNMP object IDs (OIDs) associated with it. To gather performance data,
you specify these OIDs with the appropriate SNMP command.
Record Properties
Version ·1
Community I Public
Destination 1 10.10.1.30
Port
1 Cancel I 1 Finished 1
Figure 8: Example of SNMP trap destination configuration using the Configuration utility
lcdwarn des c ripti o n=" CPU fan too slow." priority ::"3"
BIG-IP also supports custom, user-defined SNMP traps. These are defmed in the /conlig/user_alert.conr
file .
User-<l efin ed SNMP traps take precedence over the pre-configured SNMP traps. Ifule same trap is
configured in both files, BIG-LP will use the user-defined trap instead oftne pre-configured trap .
Note: F5 does not recommend or support the manual addition or removal of traps {or any other
changes) to the alert.cont file. Use the Configuration utility or tmsh to disable unwanted pre
configured traps, Create custom, user-defined SNMP traps in Icontig/user_alert.cont using
either the Cnfiguration utility or tmsh.
For more information on creating custom SNMP traps, refer to the Custom SNMP Traps article
on the DevCentral site or to S0L3727: Configuring custom SNMP traps.
Configurabon
De ¥fce: , Enabled
Figure 9.< Enabling traps for specific events using the Configuration utiflty
You can enable or disable these specific events using tbe Configuration utility. Navigate to System»
SNMP » Traps» Configuration.
Lesson Objectives
At the end of this lesson, you will be able to use the tcpdump command to observe traffic flowing through
a BIG-lP system.
tcpdump Overview
tcpdump is a common packet analyzer that runs under the command line on most Unix-like operating
systems such as Linux. lt can be used in the BIG-IP environment to intercept and display lP packets being
transmitted or received by BIG-IP. It is the primary command line utility used for troubleshooting packet
flow on BIG-lP and otber network devices.
tcpdump "prints out" a description of the contents of packets on a network interface that match a Boolean
expression. The printout can be directed to the command line screen in real time Cas the packets are
received/sent) or can be saved to a file for later analysis - or both.
A single execution oftbe tcpdump command will report on only one network interface at a time.
However, multiple instances of the command can run concurrently to report on traffic over multiple
network interfaces.
Several tcpdump command options exist to control the network interface on which packets will be
captured, the conditions for capturing packets, and the disposition of the captured results. When tcpdump
finishes capturing packets, it will report counts of:
• Packets captured - the number of packets tcpdwnp received and processed
• Packets received by fIlter - the meaning depends on the OS on which tcpdump is running
• Packets dropped by kernel - the number of packets that were dropped due to insufficient buffer
space
tcpdump options
The table below summarizes a few of the options that can be specified on the tcpdump command:
tcpdump examples
• On the BIG-IP VLAN na med internal, capture and print the next 100 packets that contain the
source/dest ination IP address:port 172.16.20.1 :80.
tcpdump - i internal h os t 172.16.20.1 and port 80 - c 100
o
o
H2.:1.6.20.LBO
:1.72..16.20.2,80
172.:1.6.20.3,80
• On the BlG-lP VLAN na med internal, capture the next 10 packets that are ARPs.
tcpdump - i internal arp -c 10
0 -1
SYN
- ...
• _ _ _ _ _ SYNjACK
....- - - SyNjACK
ACK _ _ _ +
Figvre 10: Throe way handshake on cllenr-side and server-side
All TCP connections are initiated with a three-way handshake. The synchronize flag (SYN) is set in the
first and second packet; the acknowledgement flag (ACK) is set in the second and third packet, as
illustrated in the client-server connection shown in Figure 10. ACK is also set on all subsequent packe ts.
Within the tcpdump output, SYN fl ags are shown with the single letter "S"; ACK flags are shown with
the string "ack". While ACK flags are sent in most every TCP packet, SYN flags are only sent only
during connection initiation.
In the example below, the packets exchanged during TCP connection initiation between BIG-JP (at IP
address 172. 16. 16.3 1) and a n appl ication service at JP address :port combination 172. 16.20. I :80 are
captured and shown in the tcpdump output below . Name resolution was suppressed using the -n option.
Example analysis
T he timestamps show the two connections occur approximately fi ve (5) seconds apart, at 9:50 :32 a nd
9:50:37 res pecti vely. Notice that the port used by BIG -lP inc reased with each connectio n - fro m 396 13 to
3962 1. Normally, port is increased by o ne with each connectio n. In tbis case, the jump of 8 indicates otber
connections happened that were n' t captured in the tcpdump. T he tcpdump shows both connection
establishment (S - Slack - ack) a nd connection completion (F).
1.72.1.6.20.2 :80
1.0.1.0.1.7.25
1.72.1.6.20.3 :80
In the examp le below, HTTP traffic originates from a client at IP address 10.10.17.25 to a virtual server
on BIG-IP with IP address:port combination ID.I 0.17.1 00:80 . tcpdump outpu t fo r this traffic is sh own in
Example Icpdump oulpul: window I .
BIG -lP load balanced the request to pool member 172. 16.20 .1: 80. tc pdump oulpul for tbis traffic is
shown in Example Icpdump 0 1.11: window 2.
12:03 : 59 . 22 1980 10.10.1 7 .1 00 . 80 > 10.10.1 7 . 2 5.1 287: F 1 7 2 : 1 72(0) a ck 279 win
1 7520 ( OF )
1 2:03 : 59.2225 71 1 0 . 10.17.25.1287 > 10.10.1 7 .1 00 . 80: ac k 17 3 wi n 8589 (OF)
1 2:03:59.223080 1 0 .1 0. 17.25. 1 287 > 1 0 . 10 . 17 .1 00.80: F 279 : 279(0) ack 1 73 win
8 5 89 (OF)
1 2:03: 5 9.223252 1 0. 1 0. 1 7. 1 00.80 > 1 0. 1 0. 1 7.2 5 . 1 287: ac k 280 wi n 17520 (O F )
Example analysis
The timestamps help relate the packets io the two traces to one another. You can see the address
ITanslat ions BIG-lP performs.
On inbouod ITaffi c (from cl ient to we b applicati on service):
• The client address (1 0. 10.17.25) is the source address in both the client-side and server-side
packets.
• The virtual server address (10.10. 17. 100) is the destination address 00 the client-side packets; the
node address (1 72.16.20.1) is the destination address in the server-side packets.
On outbound traffic (from web application service to client):
• The c lient address ( 10.10. 17.25) is the destination address in both the client-side and server-side
packets.
• The node address (172. 16.20. 1) is the source address in the server-s ide packets; the virtual server
address (10.10.1 7 . lOO) is the source address in the cl ient-side packets.
--
You can also run tcpdump from the
Configuration utility. On the System .. Support
page (same page as for creating qkview files),
click the TCP Dump checkbox to view TCP 0"'-
Dump Conliguration option s, as shown in n::P Dump
Figure 11.
The table below summarizes th e tcpdump configuration options available on the Configuration utility:
_....__.__ .. _-_._ - - - - - -
Configuration Option Description
VlAN SpeCifies the target VLAN on which the utility runs.
Packets Specifies the maximum number of packets to capture. The default is Unlimited .
Options Specifies the additional options to set on the tcpdump command. These are the
same options that you might use on the command line version of tcpdump.
Type a value in the Options box, and click the Add button to add it to the list.
Timeout Specifies, in minutes, how long the Tep dump utility captures packets . The
maximum length of time you can run the utility from the GUI is 5 minutes. The
default setting is 1 minute .
BIG-lP creates a snapshot file which can tben be downloaded to your workstation by clicking the
Download Snapshot File button.
For more information on running tcpdump on a BIG-IP system, please refer to :
SOL6546: Recommended methods and limitations for running tcpdump on a BIG-IP system
SOL 411 : Overview of packet tracing with the tcpdump utility
S0L7227: Using tcpdump to view traffic on a tagged VLAN
SOL 13639: Capturing internal TMM information with tcpdump
Objectives:
• Configure B1G-lP to send log messages to a remote log server.
• Estimated time for completion: 10 minutes
Lab Requirements:
• tcpdu mp to view message transmission. Since log messages are sent using UDP, there is no
connection process; the data will be transmitted on the wire in clear text.
• A virtual server defined on the instructor BIG-IP system with destination lP address
10. 10.17.99:514 with an iRuie configured to drop all traffic.
Properties section
b. ...OR open a second SSH session to your BIG-IP system and use tmsh to configure
remote logging. Confirm your setup afterward. For example:
(tmos sys)# modify syslog remote-servers add {mylog{hos t lO.10.17.99}}
(cmos sys)# list syslog remote-servers
Set up tcpdump
2. Open an SS H session to your BIG-IP sys tem and set up a tcpdump to capture log messages sent
to 10.10.17.99 via UDP and port 514 on VLAN external. The captured traffic wi ll be saved to a
fil e in the I var / tmp/ te st directory on the BIG-IP system.
con1 i9~ tcpdump -ni external -Xs 0 udp and host 10.1 0.17.99 and po rt 514 - w
! var /t mp /t est / trainX_ re mote_ sys l og
Stop the tcpdump and view the resulting file using Wires hark
5. Stop the tcpdump on your SSH session to the BIG-IP system by pressing <Ctrl-C>.
6. Open a WinSCP session to your BIG-IP system using the following specifications:
a. File protocol: SFTP
b. Host name: J92.168X.31
c. Port number: 22
d. User name: root
e. Password: rootX
7. When the WinSCP window opens, elick on the file folder for the /<rool> directory. (It should be
at the top of the list of directories.) Navigate to the /var/tmp/test directory and drag the icon tor
file trainXJemote_syslog from your BIG-IP system to your workstation desktop.
8. Close the WinSCP window.
9. Start the Wireshark application on your workstation, and open file trainXJemote_syslog on
your desktop. You should see many log messages captured by your tcpdump.
10. Set up a filter to view only BIG-IP local traffic messages (LOCALO facility). If you're not
familiar with Wireshark, instructions are provided below:
a. Click the Expression link to the right of the Filter: field at the top left of the Wireshark
screen.
b. In the Field name pane, scroll down to Syslog - Syslog message and click the plus-sign
(+) to the left of the entry.
c. Select syslog.facility - Facility (Message facility) in the Field name pane.
d. Select "= =" in the Relation pane.
e. In the Predefined values: pane, scroll down and select LOCALO - reserved for local
use.
f. Click the OK button to generate the filter. You should see the string syslog.facility = =
16 in the Filter: field. If the string does not appear correctly, you can type it into the
Filter: field manually.
g. Click the Apply button to apply the filter to the log messages. Review the resulting
filtered messages list to see what was generated.
Configuration utility
.. ..; I ;.; .; I.
b. ...OR open a second SSH session to your BIG-lP system and use tmsh to remove
10.10.17.99:514 as a remote syslog server. Confirm the deletion afterward. For example:
(tmos.sys)# modify syslog remote-servers none
(tmos.sys)# list syslog remote-servers
Lab Requirements:
• Although there is no SNMP management console in the classroom, tcpdump can be used to view
tbe output fro m the SNMP trap.
Configure Traps
Configure a destination for traps
I . Configure a destination for traps triggered on BIG-IP. Choose to use EITHER the
b. ... OR use tmsh to set up a trap destination and display the results, tben quit tmsh.
(Substitute your station number for "X" in both locations.) For example:
(t mo s)# modif y / sys s nmp vl -traps add { tsX {host lO.lO.X.30
commun ity Public} }
(I moa)U li st / sys s nmp
s. On your tepdump window, press the <Enter> key several times to insert some space between the
previous set oftrap messages and any new ones that are generated.
6. Change the receive string of the my_http monitor again such that it marks all the pool members
in http-"ool up again.
Q. Did trap messages appear immediately in your tcpdump output? Why or
why not?
7. Stop your tcpdump by pressing <Ctrl-C> on your SSH session window with BIG-IP.
8. Go look at the SNMP alerts that are pre-configured on BIG-IP.
Objectives:
• Configure BIG-IP to filter and send certain log messages to a remote high-speed logging pool.
• Estimated time for completion: 15 minutes
Lab Requirements:
• tcpdump to view message transmission.
Thu Ocl31 14:03:09 PDT 2013 nolice biglp4 mcpd[5B2B] 01070639 Pool /CommorvtlHpyool member
/Commonl1'72.16.20.1 :60 session status
forced disabled.
Thu Oct 31 14:03 :09 PDT 2013 notice bigip4 mcpd[5B2B] 01070807 Monitor lCommon/my-hHp inslance
172.16.20.1:80 has been dIsabled.
Note that the log messages were produced by a BIG-IP service called mcpd, and each has a severity level
of notice. Also note the Status Code (message ill) for the second message - 01070639. We will use this
infonnation in the next section to create a high-speed logging filter that specifically causes these
messages to be directed to a high-speed logging publisher rather than to the local logs.
4. Set the state for pool member 172.16.20.1:80 in pool http_poolbackto Enabled. View the Local
Traffic log again for new messages - there should be several indicating the status change for the
pool member and its associated monitor instance.
Note: Although you would probably not do this in a real world situation, in this lab you can use
your PC as a destination for high-speed logging messages, then use tcpdump to view those
messages as they are transmitted across the network from the BIG-IP system to your PC.
5. Using either the Configuration utility or tmsh, create a new pool using the following
specifications:
Create a publisher
7. Create a publisher called hslyublisher where the BIG-IP system will send log messages for
specific resources.
Configuration section
Configuration section
Clean-up
19. Effectively disable high-speed logging by deleting Log Filter hsl_ mcpd _notice _filter. Force
pool member 172.16.20.1:80 in pool httpJ)ool omine and then enable it again. Use either the
Configuration utility or the command line to confirm that log messages that were being filtered
for HSL are now being sent to the local log files again.
STOP
Lesson Objectives
At the end of this lesson, yo u should be able to:
• Generate a qkvi ew diagnostic file and upload it to
:;,..::.v~w case number te-5.i support file far g2 r "''''f-'Jhr·r -, .lIt' • - II! .:. ....... ,'e' ~ I . V} ·e
I Slalus Status
Diagnostics
Overview
Results ! 3 Medium
Hardware
Recommendation
Software Status .", No new potential Issues Identified since last update.
links ~ Pnnter.Friend ly (I nc lude Internal) II PDF Include Intern
Failover
licenSing File
Upload Date Nov 19 2013, 07 ' 11 '00 PM (GMT)
Uploaded By
~ Network
F5 Case (none] '"
Command. Non-F5 Case Inone]
Graph. System
Figure 12: Sample BIG·/P iHealth screen from a qkview diagnostics file
Ln addition to translating the raw data, the BIG-IP iHealtb Diagnostics component ortbe BIG-IF iHealth
system evaluates the logs, command output, and configuration of your BIG-I P system against a database
of known issues, common mi stakes, and published F5 best practices. The prioritized results provide
tailored feedback abou t configuration issues or code defects, and provide a description of the issue,
recommendations for resolution, and a link to further information in the AskFSTM Knowledge Base.
BIG-IP iHealth Diagnostics take advantage of the technical knowledge of experienced F5 engineers to
assist you in implementing the best practices for your system. Using advanced diagnostics, iHealth can
determine when your system is operating outside of normal levels so you can take the necessary steps to
improve performance. BIG-JP iHealth Diagnostics also check for security issues and recommend patches
or software updates. F5 recommends upload a qkview file to the BIG-JP iHealth system at least once a
month, since F5 updates the BIG-IP iHealth known issues and best practices on a weekJy basis.
The prioritized results provide tailored feedback about configuration issues or code defects, and provide a
description of the issue, recommendations for resolution, and a link to further information in the AskFSTM
Knowledge Base.
This customized diagnostic information enables you to take the recommended action, and in many cases,
can help you resolve common configuration issues without the need to contact F5 Technical Support. If
you require assistance from F5 Technical Support, your BIG-IP iHealth data will be available to F5
engineers for faster resolution.
F5 recommends that generate a qkview file and run iHealth diagnostics once a month to
determine if your system is operating within normal levels, is properly configured, and to check
for security issues and recommended hotfixes.
You can use either the Configuration utility or the command line (tmsh) to run the qkview utility. The
qkview utility runs a large number of commands when collecting information. This behavior may cause
aD additional performance burden on systems that are already heavily loaded. If possible, run the qkview
utility at non-peak bours or during a regular BIG-IP maintenance window.
Support Snapshot
QKVJew
TCP Dump
Figure 13: Running the qkview utility from the Co nfig uration utility
While the qkview utility is processing, a clock will appear. You may cancel the qkview utility by clicking
tbe Cancel button. (See Figure 14.)
Support Snapshot
When the qkview utility completes, you have the option of either downloading or deleting the qkview
diagnostic file that was produced by the utility, as shown in Figure 15. To download the file to your
workstation, click the Download Snapshot File button.
Support Snapshot
Dale 1 Thu Sop 2715:35:12 PDT 2012 I'
Size 3 1491343 b!1es
5napshOI ...:..:
F~.______....:J)::'ownI""d::::::
=== S/1a.P::::OFi : ::...-_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _J "
's!I::l::io]
~
The downloaded file is a single compressed tar folder and will be named something like:
case~number_### support flle.tar
If you already have an open case number, you can rename Ihe .Iar file, substinning Ihe case number for
Ihe hash marks (1##1) in tbe file name, before uploading 10 iHealth.
Note: For more information on the iHealth system, please refer to the BIG-IP iHealth tutorial
available as a link from the BIG-IP iHealth website at ihealth.f5.com .
Note: You must have a valid F5 support contract and be registered at https:iilogin .f5.com in
order to use BIG-IP iHealth.
At the login screen, enter your user email and password, and then press LOGIN to continue to BIG-IP
iHealth. On the initial BIG-IP iHealtb page, click the Upload button to begin the upload process, as
shown in Figure J 6.
f5 BIG·IP (Health
I
Navigate to the qkview file you want to upload. If you have an open support case witb F5, you may add
your case number to the F5 Case field. You may also add your own identifier to the External Case field
for tracking purposes. Click the Upload button to upload the file. Once the upload has completed , BIG-lP
iHealth processes the file. This may take several minutes after which the BlG-lP iHealth viewer will
automatically display tbe results of its analysis.
Note : You can upload as many files to iHealth as you would like - one at a time - but qkview
files are only retained on iHealth for 30 days.
Grop'"
Critica' lOJ
'1' OI.gnOlltcs
c"..,.,
Expt'cwd data may be missing aft.r a qkvi.w 'il. upload
Recommended upgrade version Solution Links Internill Solutions
None None S0111iOi
Providing feedback
The FS B1G-IP iHealth team makes updates to the iHealth system on a regular basis using feedback from
iHealth system users like you. If you run into issues or have suggestions for improving iHealth
functionality, we welcome your input. Use the Feedback link at the top of any iHealth page to send your
comments to the iHealth team. The team responds to each and every feedback submission, and tracks
reported issues and suggestions in an internal support system.
Overview of Analytics
What is Analytics?
Analytics (also called Application Visibility and Reporting or AVR) is a module on the BIG-IP system
that lets you analyze performance of web applications. It provides detailed metrics such as:
• Transactions per second
• Server and client latency
• Request and response throughput
• Session data
You can view metrics for applications, virtual servers, pool members, URLs, specific countries, and
additional detailed statistics about application traffic running through the BIG-IP system.
Transaction counters for response codes, user agents, HTTP methods, countries, and IP addresses provide
statistical analysis of the traffic that is going through the BIG-IP system. You can capture traffic for
examinatiou, and have the system send alerts so you can troubleshoot problems and immediately react to
sudden changes.
The Analytics module also provides remote logging
capabilities so that your company can consolidate
statistics gathered from multiple BIG-IP appliances
onto syslog servers or SIEM devices, such as Splunk.
Analytics profiles
Unlike other BIG-IP profiles that modify traffic
behavior, the Analytics profile collects information
about traffic behavior. The Analytics profile is a set
of definitions that determines the circumstances
under which the system gathers, logs, notifies, and
graphically displays information regarding traffic to
an application. Thc Analytics module requires that
you select an Analytics profile for each application
you want to monitor. You associatc the Analytics
profile with one or more virtual servers used by the Figure 18. The AnelyOes p rofile determines the
application, as illustrated in Figure 18, or with an CitCUfflSrancas under which application statislics are
iApps application service. Each virtual server can galh6t'6d and published
have only one Analytics profile associated with it.
AvO Server LlIte n~ per Pool Mem~r ovef t61\~ (ms) Avg Gel 'lef I..a(~ per Po ol Member" ( m~ )
20 10
8
15
10
5
2
o+-----~--- o
11/ 19/20) 3 1 3: 4S :W/l 9/201J 14 :OS'm/19 2 3
Me.a~1'I. tD di51llay
lI."V S!:rve;-~ms~· ...
Figure 19: Sample traffic capture statistics from Analytics
Note: For complete instructions on setting up application statistics collection, please refer to the
chapter entitled Setting Up Application Statistics Collection in the BIG-IP Analyfics:
Implementation manual.
When you set up the BIG-IP system to collect application traffic statistics, you can troubleshoot problems
that have become apparent by monitoring those statistics. For example, by examining captured requests
and responses, you can investigate issues associated with latency, throughput, or reduced transactions
per-second to understand what is affecting application performance. Of course, this assumes that you have
some baseline performance statistics established such that anomalies can be detected.
After A VR is provisioned, you create an Analytics profile that includes traffic capturing instructions. The
BIG-IP system can collection application traffic locally, remotely, or both. If the system is already
monitoring applications, you can also update an existing Analytics profile to make surc it captures traffic.
If logging locally, the BIG-IP system logs the first 1,000 transactions, and displays charts based on the
analysis of those transactions. For VLPRION systems, the local logging consists of the first 1,000
transactions multiplied by however many blades are installed. If logging remotely, the system logs
information on that system; log size is limited only by any constraints of the remote logging system. To
see updated application statistics, you can clear the existing data to display the current statistics.
Note: For complete instructions on capturing traffic, see the chapter entitled Troubleshooting
Applications by Capturing Traffic in the BIG-IP Analytics: Implementations manual.
Lesson Objectives
After completing this lesson, you will be able to describe tbe goals and resources of the F5 support
organization.
F5 Support Commitment
F5 is constantly striving to improve our service and create closer customer relationships. Designed to
remotely assist you with specific break-fix issues and ongoing maintenance of your F5 products, you can
always expect consistent, professional, high-quality support services from F5. This means:
• We expect our Network Support Engineers to conduct themselves professionally at all times.
• We are committed to providing the best customer experience possible.
• You will be treated with respect and given every consideration possible.
• Our goal is to provide customers with resolutions the first time, every time.
• You have a right to request manager escalation for unresolved or "network down" issues.
Many of the technical support issues we deal with are due to configuration errors, either within the BJG
IP system or with other devices in your network. In some cases, the issue comes down to a
misunderstanding of BIG-IP's capabilities. And some even involve BIG-IP device flaws. Regardless of
the root cause of a problem, our goal is to resolve your issues quickly and consistently.
F5 Support Resources
F5's support resources are available 24 hours a day, seven days a week, and are distributed around the
globe in multiple support centers. Live technical support is provided by our professional Network Support
Engineers, and hours vary depending on the customer's service contract. Self-service support is provided
through many online tools including AskF5 and Deveentral, which we covered earlier in this course.
These resources can be very useful in helping you to identify whether or not you're dealing with a known
lssue.
.. S&f1 al Numb_ ,
o.vC . ntc;sl
Panlnt Syst em 10:
........
log A qkview file contains the log entries for the last day. If your issue has existed for
more than one day, provide all the log files on the system to F5 Technical Support.
Use the following steps to create a ,tar archive:
1. Access the command line
2. Change directories to the Ivarllog directory: cd /var /log
3. Compress all log files into one:
Packet trace If the problem involves the network, perform a packet trace while the problem's
symptoms are showing, and provide the output when you open the case. See Using
tcpdump in a BIG-IP Environment later in this chapter or refer to SOL4714:
Perfonning a packet trace and providing the results to F5 Technical Support
UCS archive If you cannot give F5 Technical Support remote access to your BIG-IP system, you
may be asked to provide a UCS archive of your current configuration at the time you
open a case. UCS archives were covered earlier in this course. For more information,
refer to SOL2250: Overview of UCS archives.
Core files BIG-IP can generate core dump files (also known as core files or cores) for a variety
of reasons. When BIG-IP encounters an issue, it may deliver a signal to the affected
process which terminates the process and writes a core dump file containing an
image of the process's memory at the time of tenmination. Cores are written to the
Ivarlcorel directory. For more information, refer to SOL 10062: Working with BIG-IP
core files.
If you experience difficulty logging in to the dropbox.fS.com site, please contact FS Technical Support.
Note: For information about EUD software, please refer to the End USer Diagnostics release
notes, available at AskF5.com.
Chapter Resources
Courseware
Troubleshooting BIG-'IP Local Traffic Manager
Manual
_ .--._
Chapter
BIG-IP TMOS: I,:!,plementations SNMP Trap Configuration
Objectives:
• Use your knowledge of B[G-IP traffic flow and the troubleshooting tools presented in this chapter
to determine where the instructor has introduced a problem into the network.
• Estimated time for completion: 15 minutes
Lab Requirements:
• vs _ https virtual server at lO.IO.X. [00:443 and vs _http virtual server at 10.1 O.X.! 00:80
Try to access your existing virtual servers to determine if each still works. Access:
I. http://IO.I0.X.I00 using your browser
2. https:IIIO.IO.X.IOO using your browser
3. 1O.IO.X.IOO port 22 with an SSH client (such as PuTTY)
4. Use statistics, tcpdump, and other troubleshooting tools and techniques you've learned during
class to diagnose the problem.
5. When you figure out what is wrong, determine if you can fix or circumvent the problem with a
configuration change. If so, make the change and retest the non-working virtual server(s) again.
If you have Internet access and an iHealth account, continue with Lab
9.5 - iHealth Lab.
Objectives:
• Create a qkvicw file and upload to BIG-IP iHealth for analysis.
• Estimated time for completion: 10 minutes
Lab Requirements:
• This Jab is dependent on connectivity to both BIG-LP and the Internet from the same workstation.
• Student must have an iHealth login.
The qkview process may take several minutes to complete. When it does, continue with the steps
below.
Note: If you do not have Internet access from your workstation, the instructor may demonstrate
these steps instead.
STOP
The BIG-IP product family is a system of integrated application delivery services that work together on
the same best-in-class hardware. From load balancing, SSL offload, and web acceleration to application
security, access control, and much more, the BIG-IP system creates an agile infrastructure to ensure your
applications arc always fast, secure, and available.
Lesson Objective
Upon completion of this lesson, participants will be able to list the most common implementations of
GTM systems and some of their advantages and disadvantages.
DNS Servers
Many systems provide DNS services. Many are based on recent versions of BIND. Additionally, many
sites use Microsoft DNS services. BIND is used on most UNIX systems and is the more prevalent choice
overall while Microsoft DNS is used in many Window environunents.
GTM Advantages
GTM uses its knowledge of your environunent to aid in making name resolution decisions. First, GTM
will determine which addresses are working properly. If desired, GTM can compare the response time
between your customers and your various data centers. Using these metrics, GTM will choose the best of
the available virtual servers and resolve the name request to that LP address. This is known as intelligent
DNS.
o
192.33.4.12 Loca.I DN S
• http://www.f5.com
216.34.94.32
VI"ual Server on
BIG-IP System .com Server
100.1 .1.1
216.301.94.' 7
CD -....
([) GTMSystem
Internal Clle~
Root name Sorver
<D
192.33.4 .12
CD http://www.f5.com
Figure 2: OTM as the LONS server
Note: If a DNS query arrives on a GTM system that is not destined for a Listener address but is
destined for a self-IP that has port UDP 53 unlocked, the query will be processed by the
instance of BIND running on the GTM system.
Intelligent
Name is a Wid€-IP? Yes Original GTM
Resolution
No
.
No
No
No
No
No
Figure 4 shows an example of how infonnation might flow through the entire application, from end-user
to the database. User data is sent via the web browser, accepted by the web server, processed by the CGI
scripts and the application server, and then sent to the backend server and the database server.
Data
~ ~ Application server
~ .f\ CGI/JavaScript
~ Web server
Hnp
< >
HTML
Request
\t ~
Applications differ greatly in functionality. Some applications are based on .asp, .jsp, or .cgi. Some
applications run on Apache, Linux, or Windows. While web applications differ in what they do, they are
relatively similar in the way they do it. Web browsers provide the means by which users interact with
web applications. HTTP is the protocol that governs communication between browsers and web servers.
HTML is the language used to fonnat the pages browsers can display.
Web application logic says that if valid input comes in, then the application knows how to deal with it and
valid output will come out. Using the same logic, if invalid input goes in, invalid output may come out.
Now there are lots of systems within the web applicatlon and some might know how to deal with such
invalid input but some may not.
Each part of the web application can potentially be vulnerable to attacks. While it may seem
unimaginable to any IT manager that a general user from the outside will have direct access to the
database, there is a risk.
An example is a username and password request from a client to an application. In such a scenario,
unsanitized user input can be processed by the database with potentially unwanted results.
If an attacker included database commands in their "username", they might cause the database to act
contrary to the site's policies. This type of attack is known as a SQL injection.
When an organization deploys a web application, they invite the world to send them HTTP requests.
Attacks buried in these requests sail past ftrewalls, ftlters, platform hardening, and intrusion detection
systems without notice because they are inside legal HTTP requests.
There is always a need to inspect the HTTP request before sending that traffic to web application
components. Within ASM, if the HTTP request matches legal policy enforcement, that request is
allowed. If the HTTP request does not match legal policy enforcement, a violation will be issued and that
request can be blocked.
Data
Database server
Application server
CGI/JavaScript
Web server
t j l ..r I I
(A""' >
r~ ljj HTIP
Appllaaijgn ~tufly Request
HTM L
Menager
tl- - - - .
f3.rowser
Figure 5: ASM blocks illegal HTTP requBsts
Hardened Servers
Security plans include updating applications when issues are found, but this only protects against t1aws in
the application and not t1aws in the application logic. For example, if an undocumented method to access
an application is found, a "back-door", tbat is an application t1aw. That can be patched with application
updates. On the other hand, allowing a user to manipulate an item's price on an ecommercc site is an
application logic t1aw.
Most environments provide some degree of protection against many network-level attacks, but are
vulnerable to logical attacks.
In addition to network-level attacks, sites should have both negative security, protcctions against known
attacks, and positive security, awareness of appropriate client-server interaction.
Positive security is the only protection against "zero-day" attacks - when an attack is so new that
dcvelopcrs have had zero days to address tbe vulnerability.
Network Firewalls
Firewalls offer sophisticated security abilities but only up to the transport layer of the OS! model. The
client may not be able to connect to the SSH server running on your equipment since port 22 is blocked,
but you cannot block port 80.
Firewalls are usually aware of the connect state as well, and can thwart clients attempting to send packets
that are not part of a validated connection. But once a client is validated, they will have access to the
server - to some degree.
Firewalls can inspect !rafiic for RFC compliance and malicious patterns. However, in many cases, traffic
related to port 80 attacks is usually RFC compliant. Such lrafiic may not "look" malicious, so it passes
through network firewalls. The damage that this lrafiic causes is only relevant in the application context.
In addition, if your site is using SSL, the firewall is unable to even to provide this level of security.
Web
application
firewall
u Presentation Layer 0
li= c
......
em ~
"E::J
0
Session Layer
C'"
0
c
::J
0.
...,-1
]
-e Transport Layer
Ql
:!;
(")
Traditional
firewall
Physical Layer
Figure 7" Web application fire waifs work at thGl application layer, not at the transport layer
Protocol Element
In some envi ronments, web appli cations are vulnerable to buffer overflow, encoding attacks, and
unexpected system crashes.
ASM protects the web application from the protocol element by enforcing RFC compliancy of the HTTP
request and domain cookie, cheCking for malicious patterns and allowed characters in request and
response headers, va lidating the HTTP method, and veri tying cookie and total HTTP request lengths.
Request Element
Some web applications are vulnerable to forceful brows ing and 3rd party miscontigura tion attacks.
ASM protects the web application from request resource attacks by veri tying the method and file
extension are valid, checking for malicious patterns in the obj ect and object name, and veri tying object
length.
Data Element
Some web appl ications are vulnerable to stealth commanding, SQL inj ections, cross-s ite scripting, cookie
poisoning, and buffer overllow attacks.
ASM protects the web application from data context attacks by checking for allowed characters in the
parameter name and value, cheCking for malicious patterns in user input parameters, ensuring domain
cookies ha ve not been tampered with , and veri tying query string and POST data request lengths.
Response Element
Some web applications are vulnerable to improper error handling and sensitive information leakage.
ASM protects the web application from response element vuLnerabilities by checking for malicious
patterns in the response, verifying valid response codes, hiding the server header, and performing content
scrubbing.
Virtual Con!iguralion
Reque ~ ,-___S_e~Ne_r
r- __- ,
No
•
HTTP
class
match?
Yes
• Security
enabled?
No Other HTTP
class
processing
Default Yes
pool?
Application Security Manager
(P.,.ing Requalll)
Default
Yes Valid
request?
Pool
(btocking mode)
Lesson Objective:
During this lesson, you will learn the concept of the different APM Access methods Portal and Network
Access and how they are built into the Policy engine.
address.
Application Access
An app tunnel (application tunnel) provides secure,
application-level TCP/lP connections from the client to
the network.
Additionally, optimization is available for app tunnels.
With compression settings for app tunnels, you can
specify the available compression codecs for client-to
server connections. The BIG-lP compares the available
compression types configured with the available
compression types on the client, and chooses the most
effective mutual compression setting based on the type
of traffic to provide application specific optimization.
The compression settings for the BIG-lP are configured
in the connectivity profile.
There are similarities across the BIG-lP product line in how traffic is processed using Virtual Servers.
Most BIG-IP products enable features that modify traffic behavior using Profiles. From there the
products vary, but in many cases SNA Ts, Monitors and Pools are also used.
• APM
WA/WOM
GTM
• ASM
LTM
BIG-IP LTM
In most cases for BIG-IP LTM, client trafflc arrives at BIG-JP, matches a Virtual Server and is distributed
to a Pool Member. If Monitors are enabled they can mark Pool Members offline and then that Pool
Member wiU Dot be considered during the load balancing decision . SNATs can be configured , changin g
the source address and help address routing issues. And of course Profiles added to a Virtual Server
contig wiU affect how tbe trafflc is processed. Figure 12 sbows the examples of SSL termination and
HTTP compression .
Client
c Virtua l
Server
SNAT
- Pool Member
1
Pool Member
Unencrypted
2
Uncompressed
Profiles
Monitors
BIG-IP GTM
GTM traffic flow is depicted in Figure 13. As with LTM, a GTM listener (similar to a virtual server)
li stens for DNS requests and then uses one of the four methods available to respond to tbat request.
ClientDNS
~.EJ
Request
IGiIII Listener
~ (VS)
i
l.....
•
DNS Express
Zone
t
•• DNS Load
BalanCing
I Pool
I
I
.... -. Local BIND
Profile
BIG-IP ASM
For BlG-IP ASM, again client traffic arrives at BlG-IP, matches a Virtual Server and then might be
distributed to Pool Member or dropped. For ASM to validate the HTTP request, an HTTP class with
Security enabled must be configured on the Virtual Server. Specific ASM checks are configured within
ASM profIles or the HTTP class itself attached to the Virtual Server. If ASM determines the HTTP
request is valid then as with LTM, the client request is distributed to a Pool Member. This process is
depicted in Figure 14.
Allow
request
Client _ - - - - _ No
Virtual "Profile"
Server
(class)?
Yes Yes
Valid HTTP
request?
Deny
BIG-IP APM
For BIG-IP APM, client traffic arrives at BIG-IP, matches a Virtual Server (typically 443 or https) and
then several tests might be performed with the client within the APM policy. One test might be to
validate the viewer's userid / password combo against an Authentication server. Another test might be to
validate the client machine is running a current version of Anti virus software.
x
Re source 1 1
Client
l •
Access --- x
Traffic Virtual
Server
Policy
Checks
,"' [• Re source2 1
Based on these tests, APM has the capability to build a dynamic webtop (Portal) with potentially different
resources given for each test. A resource can be an LTM Pool, an individual application like Remote
Desktop, ssh, or webpage or access to a Network range (SSL VPN). All of the policy and possible
resources are configured in the Visual Policy Editor which builds an Access Profile that is attached to the
Virtual Server, as shown in Figure 15.
Console port
10/100/1000 interfaces
1
SFP ports LCD control
buttons
Hard-wired failover port
Enterprise Manager is an F5 software application that helps you streamline the administrative tasks
associated with managing multiple BIG-IP systems. These administrative tasks include:
• Perfonnance monitoring
• Software installation and upgrades
• Configuration archival and restoration
• Certificate monitoring
• Security policy management
• Software image storage
• User account management
Edge Gateway
,....
Enterpnse Manager
LTM
DOCUMENT DESCRIPTION
Enterprise Manager This guide provides you with the basic concepts and tasks required to set up
Getting Started Guide your Enterprise Manager and start managing devices.
Enterprise Manager: This guide contains information to help use iHealth for diagnostics purposes,
Monitoring Network track certificates, create alerts for events, run reports, and manage statistics
Health and Activity storage.
Enterprise Manager This guide provides information about the basic concepts of device
Administrator Guide management, user management, as well as information specific to
Application Security Manager policy management.
Platform Guide: These guides include Enterprise Manager system hardware platform
Enterprise Manager 4000 specifications, installation instructions, and important environmental
warnings.
Release notes Release notes contain information about the current software release,
including a list of associated documentation, a summary of new features,
enhancements, fixes, known issues and available workarounds, as well as
installation and upgrade instructions.
Solutions and Tech Notes Solutions are responses and resolutions to known issues. Tech Notes
provide additional configuration instructions and how-to information.
443 For communication between managed devices and the Enterprise Manager
system, for the purpose of device management
4353 For communication between Enterprise Manager and a managed device's big3d
3306 For communication between Enterprise Manager and a remote statistics database,
for the purpose of storing and reporting statistics_
DeVIce
Managemenl
Netwon, 1'hIJ':)r: EM DoI!'II;S ~nBQ('me.tlf
BfG~P BlG-fP
IdGln MGMT
1l4M TWM
Production
Network
Tip: Place the Enterprise Manager system on a management subnet that is separate from traffic
management to keep device management and communication independent from traffic
management activities.
You must specify the lP address of your DNS server for communication to the F5 file servers and for
SMTP email notification. After you specify the lP address of your DNS server, you can verify that the
address properly resolves.
Important: To perform the discovery task, you must have administrator privileges with root
access for the Configuration utility. To successfully discover devices and receive the user name
and password combination, the device must have an active SSL server listening for traffic on
port 443.
(Note: Prior to Enterprise Manager version 3.0, the Custom Lists section of the configuration
browser was called the Networks Objects Browser.)
There are two types of custom network object lists tbat you can create: static lists and dynamic lists.
• A static list is a fixed selection of network objects.
• A dynamic list is a selection of network objects tbat match characteristics that you define in the
list's rules.
Note: Custom lists are available only for Enterprise Manager version 2.1 and later. Data
collection must be enabled to use this feature. You have the opportunity to enable data
collection as part of the process of creating a list. However, if you upgraded to the current
version of Enterprise Manager from a version prior to 1.7, you must re-license the system before
you can enable data collection. Due to the processing power required to collect and store
statistical information, data collection is available only for the Enterprise Manager 4000 platform.
Custom static lists that you create retain the network objects that you selected until you remove the
objects from the list, or you delete the list.
Note: You can view only the objects for which you have administrative partition rights. For
information about administrative partitions, see the TMOS Management Guide for BIG-IP
Systems.
Note: You can modify the status of network objects only if you have administrative partition
rights to that object. For information about administrative partitions, see the TMOS Management
Guide for BIG-IP Systems.
Note: Be sure to keep the distinction between these two different classifications of users-EM
users and device users--clear.
• Operator and AppLication Editor -By default, these restricted roles penOlUl fewer management
tasks than the Administrator. You can customize each role by specifying the tasks that the role is
allowed to penorm.
Users a re authenticated through Enterprise Manager's local database.
Enterprise Manager increases the efficiency of managing user passwords by centralizing the password
change process for your devices. This saves you time, while ensuring that when you change a password,
the new password is the same for each selected device.
Managing licenses
Two of the more time-consuming tasks of managing multiple devices are renewing the device license on
cach device, or acquiring an initial license. Enterprise Manager provides automated features to expedite
the licensing process for all managed devices in the network.
Enterprise Manager automatically determines which devices need to be licensed and displays this
information on the Device List screen. You can then configure a task using the License Device wizard to
license or renew a license on as many devices as you need.
Licensing a device
Using the License Device wizard, you can select the devices that you want to license, view and accept the
End User License agreement (EULA) for each device (if required), and start a task that updates the
license on the devices you select.
The License Device wizard automates the entire licensing process. It retrieves the license dossier from the
managed device, sends it to the F5 Networks licensing server, acquires a new license from the server, and
provides you the opportunity to back up the device configuration before renewing the license.
Certificate monitoring
When you usc BIG-IP Local Traffic Manager to manage your SSL traffic, you must track both traffic and
system certificates for the devices in your network. Traffic certificates are server certificates that a device
uses for traffic management tasks. System certificates are the web certificates that allow client systems to
Jog into the 8IG-JP Configuration utility.
To assist you in overseeing these certificates, Enterprise Manager provides a summary of vital certificate
information for each managed device in your network. The information that displays on the certificate list
screen provides a summary of:
• Certificate expiration status
• Certificate and organization name
• A changeset is a collection of user-defined configuration data that you create and save for any
managed device in your network and distribute to other managed devices. For example, when you
configure a BIG-LP system, you typically specitY certain profiles, monitors, and iRules. To set up
these systems individually, you must keep track of each setting, and manually enter those values
for every new device that you add to the network. However, if YOll use changesets, you can
deploy the same profiles, monitors, and iRules configurations from one device to as many devices
as needed.
Temptates offer you the ability to set variables for different devices in the network, so you can use
templates in conjunction with change sets to help manage common network configuration tasks. Since
these options are somewhat inter-related, it helps to have a basic understanding of the elements associated
witb each.
Althougb changesets and templates each represent a collection of configuration files that you can use to
manage device configurations, they differ in three primary ways, as outlined in tbe following table.
Changesets Templates
Used to manage a single set of configuration Used to dep'loy configuration data to devices,
Used for a wide variety of tasks, including setting Used to manage elements of configuration data
new applications.
for multiple devices, using device-specific configuration changes for multiple devices.
variables.
Creating a changeset
To create a change set, we recommend that you use tbe Changeset wizard, which automatically locates
dependencies for each network object included in the changeset. Additionally, tbe Changeset wizard
writes all of the syntax required to correctly classitY network objects and system settings in the cbangeset
configuration file . This process ensures that you can successfully deploy the cbangeset to otber managed
devices.
Creating a changeset using the Changeset wizard involves the following tasks :
5. Selecting a source
6. Reviewing dependencies for objects
Enterprise Manager stores changeset infomlation in text form, ensuring compatibility with configuration
files on a managed device. You can verify the compatibility of the changeset with managed devices in the
network, then deploy it to those devices. This gives you better control over device configurations in your
network.
By default., only Administrator-level users can create changesets. Administrators can delegate, to the
Operator or Application Editor roles, the ability to stage a changeset using published templates.
Publishing templates
When you create a custom template, it is available only for you to dep loy and use. To make the template
avai lable for others, you must publish it. Thi s adds an additional layer of control to device configuration
management when combined with the requirement that all staged changesets must be verified before they
are dep loyed.
interfa ces (
1.1 ( }
tag 4094
These configuration details are saved in the UCS file of the ind ividual object and on Enterprise Manager
when you back up the configuration of a device.
• Details, such as object type and name, about any enabled network objects associated with a
managed device
• Perfonnance and health data for managed devices and associated network objects
You can use collected statistics to display standardized reports about the health and perfonnance of
managed devices in your network. This helps you identify any systems that are not performing at full
capacity and assists you in detennining when you should add new devices.
Lesson Objectives
At the end of this lesson, you should be able to articulate the differences in high availability features
between BIG-IP version 10 and version I I.
configuration, the load on each BIG-LP system had to be kept at or below 50% so that each device can
process all the workload in the event of a failure. In effect, this still renders 50% of your total BIG-IP
resources unusable.
An Active/Active configuration also cannot be used to distribute a large traffic load associated with a
single virtual server or a group of virtual servers using the same lP address.
Your servers' response path also needs to be considered when configuring an Active/Active pair in v I O. If
using a routed method, each server's default route should be the internal floating IP address of the BIG-IP
device from which that it receives traffic. In an Active/Active configuration, each BIG-IP device has its
own internal floating IP. The net effect is that a server then becomes associated withjust one of the BIG
IPs in the pair. (A SNAT could be used to negate this problem.)
Finally, conversion from Active/Standby to Active/Active (or vice-versa) requires sigoificant planning
and execution. It pays to consider all of the points described above prior to deploying one confIguration or
another.
o o o o
• Active • Standby
Device Group
Figure .,: BIG-IP v11 introd~d many new features and options for high availability, as well as many new Isrms
including traffic group and de vice group
To support these larger device groups, BIG-LP v II introduces many new features and options, including
some new configuration components described in the table below and shown in Figure 2:
Configuration Description
Component
Device A device is a physical or virtu a! BIG-IP system, as well as a member of a local trust
domain and a device group. Each device member has a set of unique identification
properties that the BIG-IP system generates.
Device group A device group is a collection of BIG-IP devices that trust each other and can
synchronize, and sometimes fail over, their BIG-IP configuration data. A "device" can
include a physical device or a virtual representation of a device, including a vCMP
instance. (See CMP and vCMP later in this chapter.)
Traffic group A traffic group is a collection of related configuration objects (such as floating self IP
addresses, virtual addresses, and SNAT addresses) that run on a BIG-IP device and
process a particular type of application traffic. When a BIG-IP device becomes
unavailable, a traffic group can float - that is, fail over - to another device in the device
group to ensure that application traffic continues to be processed with little to no
perceived interruption in service.
Device trust and Before BIG-IP devices on a local network can synchronize configuration data or fail
trust domains over, they must establish a trust relationship known as device trust. A trust domain
is a collection of BIG-IP devices that trust one another and can therefore synchronize
and fail over their BIG-IP configuration data, as well as exchange status and failover
messages on a regular basis. A local trust domain is a trust domain that includes the
local device-that is, the device you are currently logged in to.
Device Trust
..... - . ..... -.
Device Group
Figure 2: Device Service Clustering (OSe) Introduced new features and associated terminology, including device
trust, sync-faifover and sync-only device groups, and traffic groups.
Note: More information on Device Service Clustering (High Availability) is available in FS's
Configuring Local Traffic Manager (L TM) course.
AOM allows you to manage the BIG-JP system using SSI-I or the serial console, even if the host
subsystem is turned off. The BIG-IP host subsystem and the AOM subsystem operate independently. If
the AOM is reset or fails, the BlG-lP host subsystem continues operation, and there is no interruption to
load-balanced traffic. Likewise, if the BlG-IP host subsystem locks up, you can use the AOM Command
AOM is always powered on when power is supplied to BlG-lP; it cannot be turned olI
Interfaces
The interfaces on the BIG-IP system are the physical ports that connect the BIG-lP system to other
devices on the network, such as routers, hubs, switches, destination servers, etc. Through its interfaces,
the BIG-lP system can forward traffic to or from other networks.
There are two types of interfaces - a management interface and TMM switch interfaces. While the
management interface handles administrative traffic to and from the BIG-IP device, application traffic is
handIed via the TMM switch interfaces. The TMM switch interfaces are most often referred to simply as
interfaces.
Note: Throughout the remainder of this course, the term interface will be generically used to
refer to the TMM switch interfaces - the physical ports on the BIG-IP system on which
application traffic is handled. When referring to the management interface, we will use the terms
management interface, management port, or MGMT.
Every BIG-lP system includes multiple interfaces. The exact number of interfaces depends on the
platform type. For example, the BIG-lP 4200v (see Figure 3) includes eight (8) Gigabit Ethernet CU
ports and two (2) optional IO Gigabit Fiber ports (SFP+), while the 1600 contains four (4) Gigabit
Ethernet CU and two (2) optional Gigabit Fiber ports.
Interface names
By convention, the names of the interfaces use the format s.p where s is the slot number of the network
interface card (NIC) and p is the port number on the NIC. For example, the interface at slot l/port I is
named 1.1; slot l/port 2 is named 1.2; slot 2/port 3 is named 2.3, etc.
Interface properties
Each interface has unique properties, such as a MAC address, media speed, duplex mode, and support for
Link Laye r Discovery Protocol (LLDP).
Some of these properties can be modified; others cannot. All can be viewed to help you assess the way
that a particular interface is forwarding traffic. For example, you can view interface properties to
determine the specific virtual LANs (VLANs) for which an interface is currently forwarding traffic, and
determine the speed at which it is currently operating.
I nterface state
When an interface is enabled, it can accept both ingress and egress traffic; when it is disabled, it cannot
accept any traffic.
Trunking
A truok is a logical grouping of interfaces on the BIG-LP system that functions as a single interface. The
BIG-IP syste m uses a trunk to distribute traffic across multiple links, in a process known as link
aggregation . Link aggregation increases the bandwidth of a link by adding the bandwidth of multiple
links together. For example, when aggregated, four fast Ethernet (100 Mbps) links create a single 400
Mbps link.
You can aggregate a max imum of eight links in a single trunk. For optimal performance, you should
aggregate links in powers of two (e.g. two, four, or eight links).
You can use trunks to transmit traffic from a BIG-IP system to another vendor switch. Two systems that
usc trunks to exchange traffic are known as peer systems.
There are several benefits that come with using trunks:
• Increase bandwidth without upgrading hardware
• Provide link failover if a member link becomes unavailable
Figura 4. Trtmking (fink aggreg ation) can be used on the BfG- /P system to increase bandwidth without upgrading
hardwaro. and to provide link fai/over if a mamber 'lnk becomes unavailable.
A primary goal of the trunks feature is to ensure that frames exchanged between peer systems are never
sent out of order or duplicated on the receiving end. The BIG-IP system is able to maintain frame order by
using the source and destination addresses in eacb frame to calculate a hash value, and then transmitting
all frames with that hash value on the same member linIe
The BIG-IP system automatically assigns a unique MAC address to a trunk. However, by default, the
MAC address that the system uses as the source and destination address for frames that the system
transmits and receives (respectively), is the MAC address of the lowest-numbered interface of the trunk.
The BIG-IP system also uses the lowest-numbered interface of a trunk as a reference link. The BIG-IP
system uses the reference link to take certain aggregation actions, such as implementing the automatic
link selection policy. For frames corning into the reference link, the BIG-IP system load balances the
frames across all member links that the BIG-iP system knows to be available. For frames going from any
link in tbe trunk to a destination host, the BIG-IP system treats those frames as if they carne from the
reference link.
Finally, the BIG-IP system uses the MAC address of an individual member link as the source address for
any LACP control frames.
Overview of LACP
A key aspect of trunks is Link Aggregation Control Protocol, or LACP. Defined by IEEE standard
802.3ad, LACP is a protocol that detects error conditions on member links and redistributes traffic to
other member links, tbus preventing any loss of traffic on the failed link. On a BlG-1P system, LACP is
an optional feature that you can configure.
You can also customize LACP behavior. For example, you can specify the way that LACP communicates
its control messages from the BIG-IP system to a peer system. You can also specify the rate at which the
peer system sends LACP packets to the BIG-IP system. If you want to affect the way that tbe BIG-IP
system chooses links for link aggregation, you can specify a link control policy.
Configuring trunking
Trunks can be configured on the BIG-IP system using eitber the Configuration utility (see Figure 5) or
using tmsh.
Configuration
Name seattle
Members' Available:
1.1 I _ 2.1
Interfaces 1.2
1.3
B 2.2
1.4 EI
I--
On the Interfaces setting, you specifY the interfaces that you want the BIG-lP system to use as mcmber
links for the trunk. Once you have created the trunk, the BIG-lP system uses these interfaces to perform
link aggregation.
Tip: To optimize bandwidth utilization, F5 recommends that, if possible, the number of links in
the trunk be a power of 2 (for example, 2, 4, or 8).
The BIG-IP system uses the lowest-numbered interface as the reference link to negotiate links for
aggregation.
The interfaces that you specifY for the trunk must operate at the same media speed, and must be set at
full-duplex mode. Otherwise, the BIG-lP system cannot aggregate the links.
Any interface that you assign to a trunk must be an untagged interface. Also, you can assign an interface
only to one trunk. Because of these restrictions, the only interfaces that appear in the Interfaces list in the
Configuration utility are untagged interfaces that are not assigned to another trunk. Before creating a
trunk and assigning any interfaces to it, you should verifY that each interface for the trunk is an untagged
interface.
After creating the trunk, you can assign it to one or more VLANs, using the same VLAN screen that you
normally use to assign an individual interface to a VLAN. The trunk name will appear in the list of
available interfaces.
If you are using one of the spanning tree protocols (STP, RSTP, or MSTP), the BIG-lP system sends and
receives spanning tree protocol packets on a trunk, rather than on individual member links. Likewise, use
of a spanning tree protocol to enable or disable learning or forwarding on a trunk operates on all member
links together, as a single unit.
• Two or more VLANs can be combi ned into a BIG-lP object called a VLAN group. A host in one
VLAN can communicate with a host in another VLAN using a combination of Layer 2
forwarding and IP routing, offering both performance and reliability benefits.
Note: A single VLAN can be assigned multiple s to create a logical broadcast domain that is
independent of physical network topology.
~H Hf+H - f5
e:
I
I I
I
I
c I
I I I I
L_ l_.
,-----,
I I
I I
I A I
~ Hf+.H-1 - f5
I e I
I I
1__ ..I
Figure 6: Examples of VLAN inlerface assignment: (lop) 1 VLAN 10 1 inlerface; (second) 1 VLAN 10 multiple
interfaces; (third) multiple VLANs 10 1 inlerface; (bollom) mix and malch
On the BIG-IP system, a VLAN is always assigned a unique tag (a.k.a. VLAN JD) at the time the VLAN
is created, as shown in Figure 7. If yo u do not explicitly assign a tag to the VLAN. the BIG-IP system
wi ll assign one automatically. starting with 4094 and working backward toward I.
General Properties
Name external
Description
Tag 4093
Resources
Interfaces
EJ [
1 -~ I B ~J'
B ~ EJ I
Figure 7: t xample of assigning a tagged interface to a VLAN
You a lso typically assign one or more interfaces to a VLAN at the time the VLAN is created. An interface
is assigned as either Tagged or Untagged. VLAN tramc that passes through an associated tagged
interface will have the VLAN ill added to the frame header. In doing so. each frame becomes
distinguishable as being within exactly one VLAN. If the interface is assigned as untagged. frames sen t
through the interface for that VLAN will not contain a tag fIeld in the header.
Whenever a packet with a tag in the header comes into a BlG-lP interface. the interface reads the tag and
compares itto the tag associated with each VLAN assigned to that interface. If the tag in the packet
matches a VLAN tag. the packet is accepted for that VLAN. lf the tag does no t match any V LAN tags.
the packet is rejected . If the packet has no tag in the header and there is a VLAN with that interface
assigned as untagged, the packet will be accepted for that VLAN only.
Note: If a single interface is handling traffic for multiple VLANs (i.e. multiple VLANS : 1
interface). only one of the VLANs can have the interface assigned to it as untagged. The other
VLANs must have the interface assigned as tagged . so that the BIG-IP system can determine
which VLAN the traffic belongs to.
Application
Administrators Users Servers
As shown in Figure 8, your BIG·JP lab environment in class has two VLANs - one named external and
the other named internal (although their names could have just as easily been something completely
different). VLAN internal is assigned tbe non-floating address 172.16.X.31 (where "X" is your
classroom station number) and its netmask is 255.255.0.0 (or 16) indicating that it participates in a virtual
LAN that logically encompasses the network address space consisting of IP addresses beginning with the
two octets 172.16. Likewise, VLAN external encompasses an address space consisting of IP addresses
beginning with the two octets 10.10.
Your PC workstation is configured with the IP address 192.168.X.30 so that it can participate in the
network that includes the BIG·IP management interface· whose IP address is 192.168.X.3 1/24. Your
PC workstation is also configured with IP address 10.IO.X.30 and connected to the network that is
plugged into interface 1.1, so it is logically part of VLAN external.
The servers that contain the web applications you will be accessing have the IP addresses 172. 16.20.1 ,
J 72.16.20.2, and 172.16.20.3. They are logically part of VLAN internal.
Interface 1.1 is the only interface assigned to VLAN external, and it is assigned as an untagged
resource. This means that all traffic pertaining to VLAN internal will flow through the physical port
configured at interface 1.1, and the packet headers will not include a tag.
Interface 1.2 is the only interface assigned to VLAN internal, and it, too, is assigned as an untagged
resource. This means that all traffic pertaining tn VLAN external will flow through the physical port
configured at interface 1.2, and the packet headers will not include a tag.
Lesson Objectives
After completing this lesson, you will be able to:
• Restrict administrative access to the BIG-IP system using port lockdown, SSH restrictions, and
packet filters
• Restrict client traffic through tbe BIG-IP system using packet fLlters and virtual server settings
o
DGliUnalio n
o
Destination
10.10.1.100:80 10.10.1.100:80
r-- ---
BIG-IP
-- · ·---r-----~------:-:~ -----~-----: . 1
: external :: internal :
I I I I
l _____ _____) l__________)
~
In some cases though, you might want to limit the networks that can reach a particular virtual server. T o
do so, you adjust the VLANs the virtual server is listening on by eithe r:
• Enabling tbe virtual servers on the networks (VLANs) where you want to receive traffic
• Disabling the virtual servers on the networks (VLANs) where you don 't want to receive traffic
Figure 10 shows the virtual server at 10.10.1.100:80 enabled on VLAN internal. Incoming traffic 00 the
10.10116 network destined for this virtual server will be accepted; incoming traffic on the 172.16/16
network destined for tbis virtual server may not be accepted. It depeods on whether or not there is another
listener configured that can process the traffic.
o
Destination
o
DesUnalion
10.10.1.100:80 10.10.1.100:80
Figurv 10: Vlr/ual server 10. 10. 1. 100:80 is enabled only on VLAN ex/ernal. Incoming traffic on th o 10. 10/16 network
to this virtual server will be accepted; incoming traffic on the 172.16116 network to this virtual server may not. In fhis
particular case, the same net effect can be achieved by disabling the virtual server on VLAN internal.
General Properties
N....
Oesllnlilon
Address: 10.10.4.100 __ J
Sorvtco Po~
L~~ __ ' HT~
AvoNobll1ty
I Ava~a~. (Enllbled) K The virtual server Is avlJMable
Conftgurauon: Basic
VL.AN and Tunnel Trame Enabled on ..•
Selected Available
ICommon ICommon
Internal
VLANs end Tum.ls
1
Figure 11: In this example, virtual server vs_http is configured to listen exclusively on VLAN external
Allow All Allow None Allow Default Allow Custom Allow Custom
(Include
Defaun)
All traffic No traffic ·OSP F Your list (e.g. Your list, plus
permitted permitted • DNS (port 53) 1 port 443 only) defaults
• F5-iQuery (port 4353) 1
• HTIPS (port 443) 2
• SNMP (port 161) 1
• SSH (port 22) 2
• RIP (port 520) 3
• Network ~ilover (port 1026) 3
1 rcp and UDP; 2 rcp only; 3 UDP only
Note: CMI uses the same port as F5-iQuery, but is independent of iQuery and the port
configuration options available for the port.
• lCMP: ICMP traffic to sel f lP addresses is not affected by the port lockdown list, and is
implicitly allowed in all cases.
Note: In most cases, it is not possible to ping self IP addresses across VLANs . For more
information, refer to SOL3475: The BIG-IP system may not respond to ICMP ping requests for a
self IP address.
Note: Do not specify port 1028 explicitly in an "Allow Custom " list as it can generate an error.
See SOL 12932: The BIG-IP system resets state mirror connections when port 1028 is
configured in the Self IP Port Lockdown list.
Configuration
Name 10.10.4.31
IP Address 10.10.4.31
Netmask I 255.255.0.0 1
VLAN I Tunnel Lexternal 21
Port Lockdown IAllow Custom v
UDP Protocol :
Figure 12: Configuring Port Loekdown on one of Ihe BIG-IP system's seil lP addresses. In Ihis example, only port 443
(Mps) Iraffle will be permitted 10 Ihe self IP address 10.10.4.3.
User Administration
password: I ·· ..•.... ·
Root Account
Confirm :
1
password: E .. ]
Admin Account
Conftrm: l::::..
'-----------'
]
SSHAcc8SS Enabled
I Update I
Figure 13. Restricting administrative SSH tra ffic to the BfG-/P sys tem. In this example, only clients in the
192.168.4124 and 10.10.4/24 networks will be permitted administrative access to the BfG-fP system using SSH.
Address ranges can be specified using several methods including wildcard (*) or netmask. This setting does not
impact application SSH traffic. only administrative SSH traffic (i.e. SSH connections to the management interface or
to the self IP addresses) .
Important: Separate the IP addresses in the SSH IP Allow range with a space. If you separate
the IP addresses with a comma, a non-working entry will be recorded in the BIG-IP
configuration file , potentially preventing you from reconnecting to the network through SSH . For
more information, see SOL5380: Specifying allowable IP ranges for SSH access.
The SSH lP Allow setting is stored in a dynamically created run-time configuration file named
/var/run/conlig/hosts.allow. This is an auto-generated file and should not be edi ted. Instead, limit SSH
access using the Configuration utility or tmsh.
serial console
• LTIJ. Base (C859992·9723294)
." SWbps
• On platforms thaI include
No R O<)t~!3 s h)
Ihe Always-On • NlP
Management (AOM)
• Ciient AuUlentiCation
subsystem, AOM cannot • comptesSIOII fX 1t.IBPS)
access the host and is only • ONSSeMetl
• EA FeabJrH
able to reset the host using • Global TtaliC !IAn-O.' UO<lIIe
a hardwa re reset • 1PY6 Gatewa1
• Ul\k ConlrOlttf
command. (More on OpIIo"'" UO<lu'•• IASI.I
AOM later in tb is course.) • Ram Cache
Note For more information on running the BIG-IP system in Appliance mode , see SOL 12815:
Overview of Appliance mode.
Pf~r1IeI
only, and can affect both admi ni strative traffic and client Ellempdons
traffic. (Administrative access via the management port is not ~ .....,.a~ AAP
ProIIocO'1
affected by packet filters.) The criteria for accepting or r.rllM-ajI ~ imc.onal'll lCMP
rejecting packets are defined in expressions contained in IA.&.C "'oar...-u 1,.01'1. H
packet filter rules (not to be confused with iRules). IP MatiUi INone 1·1
There are three basic steps required to configure packet
filters. All three are generally carried out using the
"" . !NQn. H
Configuration utility: [ "'.... 1
I . Enable packet filtering on the BIG-IP system Figure 15: Enabling packet filters and global
packet filter settings
2. Define global packet tilter settings
3. Detine specific packet filter rules
~~ ,. 1"IIdI... ' .... ~ ~
" - , .
Enabling packet filters
cool'igouratlon
IDlu~I · 1
Global packet filter settings ""'"'
r . .rhp .......
Once packet Jilters are enabled, the administrator can =Iilll4 i+.....oo
F...,[g. .... IiIIIIbo:z
1·1
define global actions for hand ling packets that do not
match any packet filter - Unhandled Packet Action ~- I AII1 I· J
s. 11/1.I, ,,,,<::'ltt IR ISIrtaI. . ,,..IIIa 1.. 1
and packets that are exempt from filtering - Exemptions.
The default action for unhandled packets is to accept
them (i .e. allow them to continue within the BIG-IP
system), and is often change to the alternatives, discard
I . Hol . I _. ""
I 10.10 11.)0 !!iii
J
or reject, to ensure the effect iveness of your packet I~~
[J~".-u.. Holb MlG
~[I!«'. I.....- J
I.)
Warning: Changing the default value of the Figure 16: Example of a specific packet filler (tile
Unhandled Packet Action property can produce
unwanted consequences. Before changing this value to Discard or Reject, make sure that any
traffic you want the BIG-IP system to accept meets the criteria specified in packet filter rules .
Objectives:
• Define packet filters on your BIG-lP system to allow and restrict administrative and application
traffic from specific networks and network devices
• Estimated time for completion: 15 minutes
Lab Requirements:
• Access to multiple BIG-IP systems via the 10.10116 network
• Virtual server on the 10.10116 network with at least one available pool member and source
address translation set to SNA T Auto Map
Properties section
Configuration section
4. Verify that you can still access your BlG-IP at https:III0.I0.X.31 , and your panner' s BlG-IP at
https:lllO. 10.Y.3!.
Configuration sectJon
6. Verify that you can sti ll access your BIG-IP at https:III0.I0.X.31 , but your panner cannot.
Configuration section
Configuration section
14. Open an SSH session to your BIG-IP and enter the following command to view the packet filter
logs :
15. Disable loggi.ng on packet filter rule Me, and enable it on packet filter Them . Have another
student (other tban your partner) try to access your BIG-IP system at bttps:IIIO.IO.X.31 to see the
log messages that are generated on packet discards.
Clean up
16. On your SSH session to your BIG-lP, terminate the tail command by typing <CtrI+C>.
17. Disable packet filtering.
If you are working on BIG-IP hardware , continue with Lab 11.2: Always
On Management
Objective:
• Configure an IP Address on the AOM
• Reboot the Host (L inux and TMM) from AOM
• Estimated Time: 10 minutes
NOTE: This section of the lab may vary per training location. If you do not have access to a
serial console session in your location, then you may already have an IP Address for your AOM
so ask your instructor for details.
Lesson Objective:
At the end of this lesson, you will be able to:
• Compare and contrast license date, Iicense check date, and service check date
• Underst·and tbe impact of service check date on system upgrade and system startup processes
Note: The license file contains the license date and the service check date, but does not
contain the license check date. License check dates for each BIG-IP and EM version are built
into each BIG-IP software version but not in any way that is viewable. However, there is a list of
the license check date for each BIG-IP version in S0L7727: License activation may be required
prior to software upgrade.
Service
11.4.0 11.4.1
Check
release release
License Upgrade
date to 11.4.1 ............
Figure 17: A successful system upgfllue can be performed If the BIG -IP system's service check dale Is ener the
release date (license check dale) for the upgrade version
For more information , re fer to SOL7702: Upgrades using Enterprise Manager will verify service
check date and aHempt to reactivate system license if required,
• Periodically check for and remove non-critical maintenance file s. For example, old tcpdump,
qkviews, or software images (.iso files) should be deleted from the sys tem or moved to a network
share. Of course, if you are unsure of the origin or use of a specific file, contact FS Technical
Support before removing the file from the BIG-IP system.
For more information, see SOL 14403: Maintaining disk space on the BIG-IP system (11.x) and
SOL8865: Overview of the diskmonitor utility.
FS also releases engineering hotfixes (similar to patches) but only by way of a support case. Engineering
hotfixes are rolled up into cumulative hotfixes.
Software Images
Part of the hard drive can be used to store BIG-IP software images. FS usually distributes so ftware images
as ISO archive tiles ("ISO files," with a .iso file extension), the data from which is eventually stored on
BIG-JP systems in one of three states:
• Available images: software images that have been imported onto the BIO-iP system (using the
Configuration util ity or tmsh) and placed in the Isharedlimages folder.
• Installed images : software images that have been installed into boot locations on the BIG-IP
hard drive . The number of boot locations a BIG-IP device can accommodate depends in large part
on the size of its hard drive.
• Active image: the installed software image from which that the BIO-LP system is currently
booted. There can only be one active image on a BIG-IP system at any time, except when vCM P
is configured.
Logical View
HD1 --- --
- - - Bool locations
30 .9 GB free of 102 .4 G8 • MySQL
AVR
Figure 19: Logical view of a BIG -IP hard drive showing how the disk space is utilized
For example, Figure 19 shows the disk space utilization of HD I (hard drive I) on a BIO-LP YE.
Figure 20 shows the breakdown of boot locations on the same system shown in Figure J9, and the
software version that is installed on each. The boot location names are in the fonnat HDx.y where x is the
hard drive number and y is a boot location number.
Boot Locations
Select a Product Version and Container for BIG-IP v11 .x / Virtual Edition
The latest produC I version IS displayed by def' " • you are looking for downloads related 10 a diferent version of Ihis product , please
selec t from the follOWIng optJons.
_1.14 .1[:1
Installed tmages
p,- Version BuIld Disk Boot: LocalJon Active Oefaul Boot Media InstaP St.",.
Figure 22: Use the System> Software Management> Image List screen to import a major or mIn or BIG-IP software
release. Use the Hotfix List tab to import a hotfix. H01.1 is the active boot location in thiS screen shot, and a software
image for version 11.4.1 has been imported onto the BIG-IP system in the /sharedlimages directory
Note: Do not navigate away from the Import screen while the import is in progress because this
can cause the import to stop. Remain on the Import screen until the import is complete.
If the import was successful, tbe .iso file should appear in the Available Images list, as shown in Figure
24. You can do an import for the MD5 file as well.
Note: You can also use SCP to copy the files directly to the BIG-IP system. If you do, make sure
the files are copied into the /sharedlimagesi directory, otherwise they will not be accessible to
the installation process via the GUt.
Note: There is no space between the two hyphens (--) and the word check (--check).
You should receive a response from the md5sum command indicating the associated .iso file is
OK. For example:
md5sum -- check BIGIP-11.4.1.60B.O.iso.md5
BIGIP - 1 1 .4. 1. 60B.O.iso, OK
If you do not receive an " OK" response to the md5sum command, yo u should download/import the ISO
archive again and retry the MD5 checksum.
x
Install Software Image
Select Disk:
[BD1 (30.9 GB free) ~I
(Version:11.2. 0 Build:2446.0)
Install II Cancel
Figure 23: Select the boot loca tion (disk and volume) in which you wa nt to install the selected software image. then
cfick Install to continue. Type in a number in the ~Volume set nam .. a re fo create a new volume. For example, to
install 11.4.1 into new boot locatIon HD1.4, type a "4" in the volume name
Installed Images
ProdUct Von"" BuIld Disk I Boot Loe""" ~dlYo Dord Boot Media lmIiIIISI.....
(3) BIGIP·1 1.4.1.6Cl8.0 .110 11.4.1 Wed Nov 2713:06:032013 1515 MB Ves Ves
o.lBte- II
R gur8 24: installing BIG·IP 11.4. 1 info a new boot locatIOn, HD1 .4. Install status shows progress currently at 67%.
The installation process can take several minutes to camp tete, and progress is denoted in the green
Progress bar that will automatically update in the boot location 's entry (see Figure 24). If the installation
completes successfully, you shou ld receive a screen similar to Figure 25.
-
Installed Images
BIG-IP
BIG-IP
V",1on
11.4.0
11.2.0
Build
2384.0
2446.0
Oillc
H0 1
HDI
BOOI Location
HD1.1
H01.2
AdM
Ves
No
001,._ EIool
Ves
No
U,dl.
hd
hd
tnst.II st.IUI
complete
complete
IBIG-IP
11.3.0 2806.0 HOI HOD No No hd complete
BIGIP·11.4 .1.60e .O.iso 11 .4 .1 Wed Nov 2713:06 :032013 1575 MB Ves Ves
1"",/1
Figure 25: Successful installation of BIG-IP version 11.4.1 into boot location, HD1 .4
for example:
(tmos )# install /sys software hotfix Hotfix - BIGI P-1 1.4.1-625 .0-HFl.iso
volume HD1.4
You can also watch the progress of the installation from the command line using the tmsh show /sys
software status command.
Boot Locations
Figure 26: Use the Boot Locations tab in Software Management to activate a different boot location
Software Management»
version/build, as shown in I II
Cancel Activate I
4. Click the Activate button to activate the selected boot location. The BIG-IP system will take
several minutes to reboot from the new location . During reboot, no traffic is processed and
administrative/unctions are not available!
If the reboot is successful, you should be able to log back into the Configuration utility and begin testing.
To boot the BIG-IP system from a different boot location (volume) usillg the command lille:
Note: If at all in doubt about carrying out the software upgrade process, please contact F5
Technical Support for assistance.
SAP Partition
Common Partition
Network Administrators
Figure 28: Partitions provide multi-tfmancy on the BfG-IP system from an administrative perspeclive. For example, a
company might divide the administration of a BIG-IP system along the same Jines as their application systems are
mamtained. Here, network administrators maintain the Common partition and the BIG-IP system as 8 whole, while no
SAP manager and an OWA manager are restn"cted to the partitions thaf support /heir respective applications.
System Accounts
The BIG ·tP system includes two types of system accounts:
• System maintenance accounts - predefined and with full access to all BIG·IP system
maintenance interfaces, utilities, and functions.
• System user accounts - defin ed by a BIG·IP administrator and may be configured with more
limited access to specific portions of the system, as needed , to suit their role.
Note: If a remote authentication method is specified for system user accounts, the BIG-IP local
database will still be used to authenticate the system maintenance accounts root and admin.
This ensures that if the remote authentication device is unreachable, the system maintenance
accounts can still access the BIG-IP system.
User Roles
User roles are a means of controlling access to BIG-IP system resources. You assign a user role to each
administrative user and, in doing so grant the user a set of permissions for accessing 8IG-IP system
resources. More specifically, a user role defines:
• Tbe resources a user can manage - For example, a user with the role of Operator can manage
nodes and pool members only. By contrast, a user with the Resource Administrator role can
manage all objects except user accounts.
• The tasks a user can perform on those resources - For example, a user with the role of
Operator can only enable or disable nodes and pools; they cannot create, modify, or delete them.
On the other hand, a user with the role of Administrator can perfonn all tasks on all resources.
The table below summarizes some of the various roles for user accounts:
Administrator This role grants users complete access to all partitioned and non-partitioned objects
on the system . In addition, accounts with the Administrator role can change their own
passwords .
Resource This role grants users complete access to all partitioned and non-partilioned objects
Administrator on the system, except user account objects. In addition, accounts with
the Resource Administrator role can change their own passwords .
User Manager Users with the User Manager role that have access to all partitions can create,
modify, delete, and view all user accounts except those that are assigned
the Administrator role, or the User Manager role with different partition access.
Accounts with the User Manager role that have access to all partitions can also
change their own passwords.
Users with the User Manager role that have access only to a single partition can
create, modify, delete, and view only those user accounts that are in that partition
and that have access to that partition only. For example, if your user account has
a User Manager role and has acoess to Partition A orily, then you can manage only
those user accounts that both reside in and have acoess to Partition A only.
User accounts with the User Manager role can change their own passwords.
Manager This role grants users permission to create, modify, and delete virtual servers, pools,
pool members, nodes, custom profiles, custom monitors, and iRules®. These users
can view all objects on the system and change their own passwords.
Certificate This role grants users permission to manage device certificates and keys, as well as
Manager perform Federallnfonmation Processing Standard (FIPS) operations.
iRule Manager This role grants users permission to create, modify, and delete iRules. Users with
this role cannot affect the way that an iRule is deployed. For example, a user with
this role can create an iRule but cannot assign it to a virtual server or move the iRule
from one virtual server to another. A user with this role can be assigned universal
access to administrative partitions.
Application This role grants users permission to modify nodes, pools, pool members, and
Editor monitors. These users can view all objects on the system and change their own
passwords .
Operator This role grants users permission to enable or disable nodes and pool members.
These users can view all objects and change their own passwords .
Auditor This role grants users permission to view all configuration data on the system,
including logs and archives. Users with this role cannol create, modify, or delete any
data, nor can they view SSL keys or user passwords.
Acceleration This role allows users to view, create, modify, and delete all WebAccelerator policy
PolicyEditor objects in all administrative partitions. Users can also view, create, update, and
delete LTM Web Acceleration and HTTP Class profiles.
Web This role grants users access to Application Security Manager security policy
Application objects, in one or all administrative partitions. These users can modify HTTP Class
Security profiles, but cannot create or delete them. More specifically, these users can access
Administrator LTM objects in these ways:
Ability to enable or disable application security from within an HTIP Class profile.
Read-only permission for these profile types: HTIP, FTP, and SMTP.
These users have no access to other LTM objects, nor to any TMOS objects. They
can, however, change their own passwords. With respect to security policy objects,
this role is similar to the Administrator role. You can assign this role only when the
BIG-IP system includes the Application Security Manager component.
Web This role allows a user to configure or view most parts of the ASM module, in a
Application specified adminislrative partition only. Specifically, these users have limited access
Security Editor to LTM objects, namely read-only permission for these profile types: HTIP, FTP,
SMTP, and HTTP Class.
These users have no access to other LTM objects, nor to any TMOS objects. They
can, however, change their own passwords.
You can assign this role only when the BIG-IP system includes the Application
Security Manager component
Guest This role grants users permission to view all objects on the system except for
sensitive data such as logs and archives. Users with this role can change their own
passwords.
• Custom profiles
Figure 29 ' Objects in tenant partitions can reference objects in
• Custom monitors the Common parMian. In this example. two virlual servers
• SSL keys one in PartitionA and the other in PartitionB - can both
reference the same client SSL profile called cllenl_ ssl in the
• Certificates
Common partition.
• Certificate revocation lists
• iApps templates and application instances
General Properties
N.... hllp""pool....,psrta
Partllon I Path PartA
Load Balanelng
Current Memben Md
,...&.II.___ M...
...Olm
_IOo,
- ._
______• ...Ad
_ ;;,;;;
ch.,._ . _- _ o.. L___"""___....._ n.dioll Umi
COll Partition I Plitt
172 .1 6 20. 1:80 172.16.20.1 1 0 (Active) o Common
Figure 31 : hNpyoolyarta's one pool member at 172.16.20. 1:80 is defined in Ihe Common partllion, even though the
poolis defined in PartA. In this example, this occurred because node 172.16.20.1 was already defined in Common .
• Using the cd command within the Traffic Management Shell (tmsh) to switch partitions . For
example, to switch from the Common partition to partition PartA, you could issue the following
command from anywhere withi n the tmsh hierarchy. (There is no equivalent to "All [Read Only)"
in nnsh.):
roo L@( b igip4) • . . (f Common ) (tmo s ) ff cd ( PartA
Important: If your BIG-IP user account gives you access to all partitions. make sure you are in
the correct partition before making changes to the configuration!
Lesson Objectives
At the end of this lesson, you should be able to describe the benefits of CMP and vCMP, and how each is
leveraged in a BIG-IP environment.
Multi-threaded TMM
Beginning in BIG-IP 1\.3.0, TMM supports a multi-threaded architecture. The multi-threaded model is
derived from the Symmetric Multi-Processing (SMP) infrastructure, and operates by dividing work into
a basic context of execution called a thread. Multiple threads are spread across multiple processors,
resulting in faster processing and more efficient use of system resources. The number of simultaneous
TMM threads varies by platform.
For example, starting in BIG-IP 11.3.0, the BIG-IP 8950 platform runs two TMM processes, one for each
CPU. Each TMM process creates four separate TMM thread contexts.
You can display the number ofTMM threads running on a BIG-IP system by running:
tmsh show /sys tmm-info
Note: For more information, please see SOL 14358: Overview of Clustered Multi-Processing
(11.3.0 and later)
BIG-IP
Figure 32: With CMP disabled on a virtual seNer, a/l connections to thai virtual server will be processed by one TMM,
in thIS case. TMMO.
BIG-IP
172.16.20.1:80 172.16.20.4:80
Figore 33' Connections on a CMP-enablod virtual server are distributed among the avaifab;e TMM processes, and
load ba/ancmg is appllGd indepandentiy in eBch TMM This
When you view standard performance graphs using the Configuration utility, you can see the various
instances of the TMM service (e.g. tmmO, tmml).
CMP considerations
When CMP is enabled, be aware of the following facts:
• While displaying some statistics individually for each TMM instance, the BIG-lP system displays
other statistics as the combined total of all TMM instances.
• Certain load balancing modes might behave differently than on non-CMP systems.
• FS recommends that you disable the CMP feature if you set a small connection limit on pool
members. For example, if you set the connection limit to 2 on BtG-lP system with 4 running
TMM instances, the calculated connection limit will be I for each running TMM, resulting in a
higher-than-expected overall connection limit.
supported platforms
vCM P is supported on both VlPRlON and BIG-J P platforms including:
• VIPRlON B2100, B4200, B4300, B4340N
• BIG-lP S200v, noov, 10200v
Note: Discussions in the remainder of this seclion that reference slots and blades are
applicable only to VIPRION platforms (chassis-type devices). In virtually all cases, BIG-IP
appliance-type systems can be thought of as a device with a single slot.
Important: Before you license, provision , and configure the vCMP feature, verify that you have
correctly configured the hardware platform. For more information, see the relevant platform
guide and configuration guide on AskF5.com.
vCMP host
The vCMP host is the system-wide hypervisor that makes it possible for you to create and view BIG-IP
instances, known as guests. Through the vCMP host, you can also manage guest properties. For each
guest, the vCMP host allocates system resources according to the particular resource needs of the guest.
vCMP guest
A vCMP guest is an instance of the BIG-IP software that you create on the vCMP system for the purpose
of provisioning one or mOre BIG-IP modules to process application traffic. A guest consists of a TMOS
instance, plus one or more BIG-IP modules (e.g. LTM, GTM, and ASM). Each guest has its own share of
hardware resources that the vCMP host allocates to the guest, as well as its own management JP address,
self JP addresses, virtual servers, and so on. This effectively allows each guest to function as a separate
BIG-JP device, configured to receive and process application traffic, with no knowledge of other guests
on the system. Furthennore, each guest can use TMOS features such as route domains and administrative
partitions to create a multi-tenant configuration.
Each guest requires its own guest ad ministrator to provision, configure, and manage BlG -IP modules
within the guest.
Each guest is also able to run a different version of BIG-IP software fro m the other guests. This means
that test and development sta ff can create new guests to test new versions of software with little or no
effect on existing deployments. Or, competing business units can choose if and when they upgrade their
BIG-IP software to meet their unique business requirements.
Figure 34 shows a basic vCMP system with a host and three guests. Note that each guest can have a
different set of modules provisioned, depending on the guest's application delivery requirements.
Guest3
Administrator
GuesU Guest2
Administrator Administrator
GM'
TMOS
v11.4 v11.2
Administrator
Figure 34: A vCMP host configured with fhre e vCMP guests. EsdI guest consists of a TMOS instanco, plus one or
more BIG-IP modules. Guests can run different versions of BIG-'P software as welf as provision different modules.
vCMP provisioning
To enable the vCMP feature, you perfonn two levels of provisioning:
I. Provisioo the vCMP feature as a whole - The host administrator provi sions the vCMP feature
as a whole, creating the host portion of tbe vCMP system. The host administrator then configures
each of the guests.
2. Provision the guests - Once the guests are created, each vCM P guest administrator logs in to
their relevant guest and provisions the required BIG-IP modules they need to process their
application traffic. For example, ooe guest might provision LTM only, while another might
provision LTM , ASM, and GTM.
Important: Once you provision the vCMP feature, you cannot provision any BIG-IP modules on
the vCMP host. More importantly, if any BIG-IP modules are already provisioned on the system
before you provision the vCMP feature, those modules are de-provisioned and any application
traffic currently being processed is interrupted.
---------------------------
Flexible resource allocation
Flexible resource aUocation is a built-in vCMP feature that allows vCMP host administrators to
optimize the use of ava ilable system resources. Flexible resource allocation gives the host administrator
the ability to configure the vCMP host to allocate a different number of processor cores (processor units
or PUs) to each guest, based on the needs of the BIG-IP modules to be provisioned in the guest, and the
volume of application traffic the guest will process.
When you create each guest, you specify the number of processing cores that you want the host to
allocate to the guest. Configuring these settings detennines the total amount of CPU and memory that the
host allocates to the guest. On a VLPRION, guests can be allocated cores on a single blade, or can span
multiple blades, as shown in Figure 35. Guest can also be configured to automatically expand across new
blade resources that are added on-tho-fly.
Figure 35: vCMP gue sts can exist on single blades or span mulhplo blades. Th ey ca n also be configurod to
automatically expand across new blade resources that are added on-the-fly.
Chapter Resources
Solutions
Manuals
Manual Chapter
BIG-IP Device Service Clustering : Administration All
BIG-IP TMOS: Concepts Failsafe and Fast Failover
BIG-IP TMOS: Implementations Creating an Active-Standby Configuration Using
the Setup Utility/Configuration Utility
BIG-IP TMOS: Implementations Creating an Active-Active Configuration Using the
Setup Utility/Configuration Utility
BIG-IP TMOS: Implementations Upgrading Active-Standby Systems
BIG-IP TMOS: Implementations Upgrading Active-Active Systems
BIG-IP System : Upgrading Active-Standby Upgrading BIG-IP Active-Standby Systems to
Systems Version 11 .x
BIG-IP System : Upgrading Active-Active Systems Upgrading BIG-IP Active-Active Systems to
Version 11 .x
vCMP Systems: Configuration
vCMP for Appliance Models : Administration
Lab Requirements:
• Access to the BiG-i? system as an administrator.
2. Create two new manager users accounts called managera and managerb using either the
Configuration utility Ca) or tmsh Cb).
a. Create manager user accounts using the Configuration utility. "
New: managera
Confirm :
When
Repeal
click.
New: managerb
Confirm:
Finished
As you create and view objects, notice how they are referenced not only by
object name but also by the partition they are defined in .
Q. Can you view all the virtual servers and pools you created throughout
class while you are logged in as the managerb user?
Q. Can you modify any of the configuration objects that are in ICommon?
8. Change partitions to Common and notice how the prompt changes: cd /Common
9. View all virtual servers in partition Common: l i st /ltm virtual
You should receive a configuration error indicating a conflict over the node with IP address
172.16.204. This node was created automatically by BIG-IP in partition PartB in an earlier lab
step (as pan of creating pool member 172. 16.204:80). Although you're now working in partition
PartA and can ' t see that node 172.16.20.4 actually exists, the BIG-IP system can, and prevents
you from creating a duplicate IP configuration.
Note: Partitions only impact BIG-IP administrative activities; they do not affect how the BIG-IP
system processes application traffic. In other words, the administrative partition a particular
virtual seNer or pool (or other configuration object) is administered in is irrelevant when it oomes
to how that virtual seNer or pool will process application traffic.
13. Change 172.16.20.4:80 to 172.16.20.5:80 in the above configuration and try again to create pool
httpayool. Use tmsh list commands to answer the following questions:
o In what partition was pool member 172.16.20.1 :80 created and why?
Pool member 172.16.20.5:80?
14. Use tmsh to create a virtual server in PartA named vs_httpa at 10.10.X.121 :80, with default pool
httpayool and profile tcp. Use corrunand completion and help to guide you through the process .
15. Back on your BIG-LP session where you are logged in as managerb, can you see the virtual
server vs_ httpa and pool http a_pool you just added in /PartA?
Note: If your workstation is only configured with one IP address on the 10.10/16 network, open
the two browser windows to the BIG-IP self IPs using one browser (such as Firefox), then start
up another browser (such as IE) and open a window to https:1I10.10.X.31 for the third user.
16. Close all your browser sessions to BIG-IP. Open three new browser windows as follows:
a. Connect to BIG-IP via the management port at https:1II92.168.X.31 and Jog in as user
admin with password adminX.
b. Connect to BIG-IP via the external non-floating selfIP at https:II IO.l0.X.31 and log in
as user managera with password managera.
c. Connect to BIG-IP via the external floating self IP at https:1I10.10.X.33 and log in as
user manager with password manager.
17. Notice the User: and Role: designations at the top of each window.
18. Compare and contrast the Network Map view in each user role. Which resources do you see for
each?
19. Compare and contrast the Navigation pane selections on the different user roles. For example, as
an Administrator, the admin user has selections for System» SNMP and System» Logs, but
the Manager roles do not. An Administrator role has the ability to switch to anotber boot location
(System» Software Management» Boot Locations) or reboot the BIG-IP system (System»
Configuration » Device) but the Manager role does not.
20. On the admin user window, navigate to the Network Map, and switch the partition you are
working in using the Partition pull-down at the top left corner of the Configuration utility screen
(to tbe left of the Log out button). Notice that this pull·down does not appear on the views for
managera and managerb. View the virtual servers and pools in all partitions by selecting All
(Read Only( from the Partition pull-<lown . Notice bow the view changes yet again.
21. Close all your browser windows before continuing.
24 . View the saved configuration fil e,/config/bigip.conf, using more or cat . Notice that the virtual
servers and poots created in partitions PartA and PartB are not included in this bigip.conf file.
25. Stop viewing bigip .conf and list the Iconfigl directory. Notice there is a directory named
Iconfiglpartitions/.
26. Change directories to IconfigipartitioDsl and li st its contents. Notice that there are directories for
PartA and PartB, and that there is a bigip.conf file in each. View these two fi les and answer th e
questions below:
27. View the Iconfiglhigip_base.conf file and notice the folder specification for the two partitions is
not ICo mmonl but instead is IPartAi and [PartB/.
STOP
Overview
An iRule is a script that can examine and potentially alter traffic between tbe BIG-IP system and both its
clients and pool members. iRules are often used to select a pool to process a client's request. In tbis case,
the client's initial packets can be parsed and tbat data be used to select an appropriate pool. Additionally,
iRules are used to c hange tbe traffic as it flows between the client and server. In this case, the traffic
stream is monitored and changed as dictated by the iRule.
iRules give you complete control over wbat, when and how to change application traffic at any point in
the transaction. Application owners now have a programming language in the network focused on
application delivery. The iRules you create can be simple or sophi sticated, depending on your content
switching needs. An example of a si mple iRule would be:
rule IP Address
when CLIENTSS L_ HANDSHAKE
if { [IP, ,remote addr J starts with "10." } {
pool /Common/t e n-pool
else
pool / common / custome r-poo l
This iRule is triggered wh en a client-side SSL bandsbake has been completed . Then, iftbe client's IP
address starts with the character string "10." the connection request is seat to a member of the pool
tenyool. If not, the request is sent to a member of customeryool. Tbis example uses tbe client's lP
address to determine what pool should be used. Rather than using tbe lP address, other iRules could
make the decision based on (be client's data.
iRules can direct traffic to specific pools, pool members, or specific devices, including port numbers and
URI paths, either to implement persistence or to meet specific load balancing requirements.
iRule syntax is based on Tool Command Language (TCL). You can use many of tbe standard TCL
commaads plus BIG-IP system extensions to help you manage traffic more effectively. For information
about standard TCL syntax, see: http://troml. sourceforge.netldocJtcVindex.html.
iRule Components
iRules generally have the following simple structure:
I. When a certain event occurs ..
2. . .. If a particular condition ex ists ..
3. .. .... Perform an action.
Overall, iRules are built from three components: events, conditional statements, and actions. Events
define what occurred that caused the rule processing to begin. Conditional statements use relational
operators to process data and return a Boolean (true or false). Commands or actions define tbe BIG-IP
LTM System's response to the results of the conditional statement.
rule <rule name>
when EVENT (
if { condit ion a l _ statement } {
act i on when cond iti o n true
- - -
Event declarations
iRules are event-driven. Wben various events occur in tbe client-side or server-side connection, the BIG
IP system triggers iRules based on those events. Events include CLIENT_ACCCEPTED, wbich occurs
whenever a client has established a connection and HTTP_REQUEST, wbich occurs whenever a client
sends a valid HTTP request. Within the iRul e, the event declaration includes tbe keyword "when"
followed by the event name.
Operators
An tRule operator compares operands to detennine a relationship. Based on the result, action can be
taken. For example, the following statement, defining a goal to use a specific pool for clients with a
specific IP address, can be accomplished witb the iRule pbrase below.
Goal: "If the remote client address equals 10.10.10.10, send to pool my--'poo]"
iRule Phrase: if { [IP, ,client_addrJ equals "10 .10.10.10 " } (
pool /Common/ http-pool
The table below lists the some of the available operators that you can use within iRules.
Rule commands
An iRule command causes the BlG-lP system to take action. Command types include:
• Query commands
These commands search for header and content data. An example of a query command is
lP::remote_ addr, which searches for and returns the remote IP address of a connection.
• Action/modification commands
These commands perform actions such as inserting headers into HTTP requests. An example of
ao action command is HTTP::header remove <name>, which removes the last occurrence of
the named header from a request or respoose.
• Statement commands
These commands specify traffic destinations such as pools or URLS (for rewriting HTTP
redirections), An example of a statement command is pool <name>, which directs traffic to the
named load balancing pool.
• UIE commands
These commands are functions that perform deep packet inspection to either directly select a pool
or specific member of a pool based on the result of searching for any data that you specify in the
command. An example of a UlE command is decode_uri <string>, which decodes the named
string using HTTP URI encoding and returns the result.
iRules Events
Events define multiple points in the client's session that can cause the BIG-lP system to impact traffic.
Events are defined in many groups including: Authentication, Global, HTTP, TCP, and SSL. Each group
has specific events that represent stages in the communication between client and server.
Event Examples
EVElntT~ _ De_script i?n EJ("l'TlpIEl~_
Global Global events deal with connection establishment RULE_INIT
LB_SELECTED
HTTP HTTP events deal with HTTP requests and responses HTTP_REQUEST
HTTP_RESPONSE
SSL SSL events deal with client authentication during the CLiENTSSL_HANDSHAKE
initial SS l handshake. iRules responding to such
CLiENTSSL_CLlENTCERT
events let the BIG-IP system redirect clients if they are
not able to support the encryption 'level desired by the SERVERSSL_HANDSHAKE
site or do not have a client certificate.
If a client 's User-Agent does not contain MSIE or Mozilla, its traffic will be sent to a member of the
default pool if it exists or discarded if it does not.
iRules Resources
DevCentral
Resources for iRules and Syntax
F5 hosts an interactive site designed to help users implement iRules more quickly. Additional
documentation and feedback are available at http://devcentral.rS.com .
Configuring iRules
There are a variety of tools that can be used to create iRules. You can down load a copy of the iRule
Editor from DevCentral, use a simple text editor, or use the Configuration utility. Regardless, be sure to
create the pools that you will use in your iRule before creating the iRule. After successful creation of the
iRule, then you can map the iRule to your virtual server as a resource.
Note: When referencing objects in an iRule, make sure the object is created first!
Objectives:
• Con figure a series of iRules, pools, and virtual servers in o rder to demonstrate a variety of rule
features and functions.
• Estimated time for completion: 10 minutes
Lab ReqUirements:
• External lP address of the virtual server
• lP addresses of internal nodes
Properties section
Definition
e l se if ( (TCP" l oca l -port ) equals 443 } (
poo l /Commo n / pool 2
Resources section
12 . Try to open an SSH session to 10.10.X.I03 again. Were you able to connect now? Which pool
and node did you connect to?
STOP
Instructor:
Name:
• Experience:
Administering BIG-IP vii
Students:
Name:
Company:
Job Ti tle:
Industry experience:
Network Expefl£!fl.Ce:
F5 Producl Exposure:
EmergencIes
...
Class Roste(/ Slgn In
Punctuality
1
- ---
--- -
.......
\Mlo" ,.:..,
-
~
-.
...
Parking
Restrooms
$mokinR
.!..
• Capability VMware
vmware
£$X aod ESX,
•
Expandability • '<C1ood CITRIX"
Flex.ibil ity Cilflx •
..
ViPR ION 4000
"',
• XenSer.e<"
Microsoft
• Hyper-v 00 Wmdows
8JrE7qh,a\.
Windows
Hypef-V-
unux. KVM
• Red Hal Enlefllrise
• CenlOS
CentOS
4 000Se nes Arnawn
3900 • EC2
2000 ......
F5 Instructor Led Training Courses F5 Certification Roadmap
.. ~
"-
Day 1 Day 2
1. $vt11"i up thCli ~ IG-If> Sy.>lem iL Dep lDymg Applil:;llltll'l SeI'VlCe'll
w ll~ IApps
P ~ltl l l a (f1C with LTM
9 Jrcnlbie5hoollng I~ DI G IP
3 LISlnc NAli end $ NATs .,.,.",
4 , Ul1hl!i tMe Jr.tfic Manal:e rnell\ 10. lJIe 8l G·IP Prod !la ~
S/IQII CtmeA/
-
6, Beha;.,or wllh 12. CU5!Oln Wng ApplDUm}
Pro:A1le!1
OcliYery wllh I Rul ~
Packet-Based Design
BIG-IP Full Proxy Architecture The BIG-IP System
Encrypted Unencrypted
_O ...- - ........ "'.... " .. •· .. ·.. ·· .....;.....;...:;.;;.~_Cl-_
BIG-IP Application Delivery Controller (ADC) LCD Panel and LED Indicators
o eu nne<:l VIa
I I console
US(: LCO panel
•
Default MGMT IP address/netmask
8IG-IP: 192168,1.245/24
• VIPRION ~ 192. 168.1.246/24
config # config
•
BIG-IP Configuration Tools License the BIG-IP System
htlps:fI <management-ip-8ddress>
• e.g. https:jj192.168X31
.. -
Ii
f l!l ~ nse Ser;er
ac1'yale F5 com
LU1UX bostl
• Automat IC
TraHic M·illl.Jgement Shell rlmSI]!
---
"""'""',.- --
,
--
Use BIG-IP self-signed cert (default)
Install your own cert (optional)
-
,
~ Mn11n -
I
e
~_Io ,,", ~ ~<)oJOOIQ IIlf ~
•
Platform Configuration Network and HA Configuration
'1--
-"
Configuration utility
Traffic Management Shell (tmsh)
---
"" .".
Classroom Network Configuration Welcome Screen and About Tab
-_.....
-_ ..... _._--
--_
:=-- ---
""::z.-c::.=._"
... _-
. _-_.
: -~- ...
;;=.:-=.. ----_
---
..
--
~-
:;;::-
-==:"'...:.::=:
-. ".
1......,.,""',...
II
'-
Fil.,.,..
httPS:j/d""""nllOU5.com/
I.JIb 1.1- CQnOC_ IoIQMT Port.
F5 blogs. Wlki. podcasts, tutoria lS, discussion forums l'lJItoo:o"" ",,1
· 1Jn 1.68.:0:31/1$
110 lQ.X 31/t6
1O.JO l.3.3
Tech tiPS, code sharing, developer resources, daily
news • LJc.eflDe D'II\>1IIon,
~Cf'n~1
d"...,
uti t..2 . AC(iva(O! 1l1Q..lP ~1In'O
~ .-.:I
"1.,.. ....
3
-""
HJII i )(l VLAN ~lIltrNtl
11 l' ' . l. 33
t ab 1A - ko!;\ I><Id ~.Up
.------'--~
'::': ~~
__ ,--Soot'P 1D..1O~ !/ 16
~ !>o.t., 1O,UU.J.).
f\)O\IMtlo,_ " <lallftlo
-
" _""",,,0,1_
,...,
17;>..18$ 11,1'"
tn 11)1.»
,....t'WO_OtI....
~ .:::. 112 16 _10 I
t ~ 112. 16 2Dl
_ _ U 2.I6.20.3
l oad balance lIalfie
MonnO( ser~f health
'Rule!.
nrewan
I I I
lDIi:Jd Ekllancin~ AooIIQltlOn Trnfl'tc wl,n lTM
"r\.IvlIOR 1.,lt'(: l'fOces$lng ...... \11 SU)1 151 ICfi ::Jr"\tl Logs 172.16.2Q.1 :80 172.1§.20.2 :80 172.16.20.3 :80
-+
.. - J" l R Relate<! poUt members.
Pools, Pool Members and Nodes Virtual Server tKl fll l .-w.15.com
Normally associated
wrth a pool (LTM)
-
Node 172..1 5.20.3
....
Virtual Server Address Translation Inbound Virtual Server Address Translation
-
0 0
~,,-~.
-~
Destination translated to
pool member based on
~ load balancing decision
~-
~
1 T. . . . .LII:ofI
~ ~ - 1
~-
112..U1.2ClH1O 1·/ 2..1Eo2lU'"8O H;!'..lti20 3 :80
-
Outbound Virtual Server Address Translation Inbound Virtual Server Address Translation
-o
20H H U .20 2OI1.l1 U 7.W
back [0
Can be different ports
virtual server address
.
Outbound Virtual Server Address Translation Not Just NAT. A Full-Proxy Architecture
o -
Q
(!;IG. I' I I _
III
4",_",
-
Configuring Pools Configuring Virtual Servers
..- , --
~~.~ I
1-
-- .
Gi- 1- ...,..
-'-1
_.
-- . ' -
=tJ-
,.,. ., --- J
Tp _ 1"-"""
• _ .. l D l~ .•. l00
~-- - I
•--l .~
1 ....:f.r- ~r.-
"
Virtual Server vs. Virtual Address Distributlng Traffic Across Application Servers
--
-
- -
•
•
_
eo-
11.1)01.
_to. ", ...
"'"
-
......'-
w
Statio
• Preoe rined seUings
-o Dynamic
Observed oehavlDr
• Server ca pacity / load
Next four
."-'
'1-., '3
4 4
o ...
[,::...:.. -
-- ?
1---'
~-:-
-
t-::
....... __
Traffic Summary Statistics
,
-""""' ---
---.....
Local Traffic Statistics
_..'- "..a_Qk(:_o..
-
........... "" tuall«'o'l't or
~ ... _dIecI~
. . . . .1
'"'"
"•
."
.... 0::..1_
=dioo,"* '""""
J
i-c:-.-~ - (-.0 4e h.lpJ>OOl
11.... "- 1_ 1NO ;I"". . . CCifN«b'o 0
172116 20.1:60
.. ~~
~ .............. i'¥IlorSNAT
H ..... 172.1620 ,280
.. ,.,.......... _ yb
•
,. ,~ ..
"
•
· 0...."""' .. ...,.. _ _
• ~~~'" itWI· --. ' iii' .ct;
refr~ h
~ .::"""~ O~,~o~~~,," .~~,·,~.~~,Mj~ 1
• l"tD!I~.1I"111l1'·
CHiil_,",-JI(\Uf """,/If1Il&.pow! '~~~~~~~~~~~~~~
'T]"'"
I"1I:.tCI 1110 I· "l •• )e.~
l.J 44l
l' • ""-,,-/-2-,,,"1 1f:!~.ltL: ...... 112 .l,U•.:.1oU.1
T""t ~
,...--....,.
IfI[!I!I.~ M"-dI!,!iif."+
""'"
10J.0.1.30:2181
O'«',t
10.10.1.30:2181
1IbaI~
l /2... 0..0'1' t·w
--
0"""
J O.10.1.3O
,,'-""'"
-
o
202t1D!Dmm2 : at~ !) l
-----
Source:
rn ,..;Kt.ll
De fault Gateway Bypasses the BIG-IP System SNAT Ensures Response Goes Back via BIG·IP
A .Ii 8 Jjii
10.10.1...30 ..1.0301.100 1O.lil...1.3O 10.10.1...30 1Q101111O
••,#1'''' fA
• ,'anhA 4~~~
10.J.O .1.30 172.1fI.2'D.l
10.10.1.30 lO...1O.1.roo .112 11U.J3
\U'lf If\
Clients and Servers on the Same Network SNAT Ensures Response Goes Back via BIG-IP
P 1~ 1I
• 172.16.1.30
@M!!i ;,p 4111'-11 172.16.1.30 171.1C1.1..33 U2.1&"2O...1
Configuring SNAT on a Virtual Server Translation Addresses: SNAT Auto Map 'is. SNAT Pool
o
[JI'1ll1n JIoIX......"lI
Chen\$ 11I/.I1 CIlfIl1IOCt
. ,,'
to the "frtual St'l"o'er
,u,.uro
• Tnlr!dI1l!d MidlIISS1I
IP IIddreM:port
on ejJressVlAN
II' ., .. "
(0 'TJ I ~'~
®
172...1.6.20 1 172.16.20.2 172.16.20.3
-
""""
>7 2.1 6 .20....\ 17 2.16 .](1.2
_-.
f)
..
Associate SNAT pool with virtual server
... ....
""_hlip
~ r ~. t DA . t:IO
-1
~- • ~,
Port IS 16-biL unsigned integer in TCP/UDP header
• Mi:mmum 64K tOOClJmlf1 t connections
Il'':=:~ ,;. I ~- II
=
"- - - . "-
Monitoring SNAT Pools Using Statistics Address Translallon Labs ~ 3 26
., ..
DrliIw N ~T lll.1DJf.200 -'l> J r'2..:1EJIl.2
0
_.-
-, ~
3 2 SNAT Lab
•
r~D:r'lr,rWJr.lI1rtH1'1~",,*,~
- _. -
llU:lL"'OIl
~ -- '
• T'"'.ll tRfftolv<Ol W')" 'itu.T
SNAf l\tl(>1 La b
~.11INO SNAJ pool
~I~ MII~ C""_
.OM' ....
n ::t ll!l:-tl.l
~ ~
- "" ,. u ~~ ~II f1a:'lS'''''I,Io,no'o\li;l!l;l PooI
~
fKl tt.lr1rr'1flr .. JtItI~ '.f.Ii11lO[ll
~vco~ r!''1'If-'I'IIIr.1SN~1 PIID'f..., ,,·j·;~t
- ,-
de.tJ..na tJ.on 10,10 4 .100;bt tp
1p-prot.ocol tcp
_ _ lr. ~5 ~ . 255. 25~. 2~~
-
pool bttp..J>OOl
p~ofil •• r
ttp r I
. 0>11:0'1 0 0 . 0 0/0 .~ ,
,,.
-~
•
•_ _...1.._
lftl ~
._-- -
._
Terminal Access to the BIG-IP System Advanced Shell vs. tmsh Access
• No acc06& Password:
-
La.ot log~n. nil Sep 12 ll'05;5& 2011 fram 192.168.430
-......
Advanced shel)
•
ijlIfri/'IOOIIIIllr;;rrQ •
• 1~1c M:annFment •(root<!blglp5;Acuve;St..o.n6a.lone) contig I ...... " . , .1'. _n• .,-n~~'p.
-.....""
("oot~blglp5;Acti..-e;St..o.n6a.lo"e) conti,! I ,...10
Imsh
ll11fhr:;MIm~nl
& IMrtar.lnlonly
No _
, logi n • • i dIAl ..
081 no k"yb4aN_ i" t.eriOc<.lve a"u...ndca~lon
••••
-- •
•
•
•
•
•
•
•
.,
• _.
Command completion (tmos H_]' P~.
.- FlT1kF
Command help
(tmos . HOI), prc t U.
root@(bigip4) ... (tmos)' La. p;iC' L < .... .......~
. ",, - _, ~_ n ...... 1 _ 1
,J _~ , - .
Some Global tmsh Commands tmsh Changes Reflected in the Configuration Utility
list
show
modify --.....
create
delete
save
(tao.. . lbl.pool)' e:o..... ot. n -e.n _dol IHi' l6"_20.1::l:DI
(t-o" .I t- .pool)' ~,.. rL -..bor.... ~doli In2 16" ~O.2::I:-II1
load
J (t-o.. . l t- .pool)1 l..nt.
Itm pool PI (
,1.
help
"",mbers (
172 16 20 l:ht.q> addre .. s 172 16 20
exit / qUit
172 16 20 2:ht.q> add.1:e"" 172 16 20
(tmo" Itm.pool).
"-
Creating a Virtual Server BIG·IP Configuration Files
/config/bigip.conf
• /config/bigip_base.conf
- Virtual servers
VLA N ~
- Pools
Interface:!!
- SNATs
SelrlPs
- Monitors
Device groups
- etc.. etc..
(t.o.) ' ..... t... 11:& ... lrt.;o..ll..1 .... UfiIlUU n
~O.10 .1. . UIO 10 pooa1 "
_.
~_ ...,-. , _ l . v o n 1II"".~ ......... m .• ..".
1_ , C~ ... te
1-" ...... Iq.
Il~
-".
... ~ nuol ... _ htq.. do. . unauOD 10 10 J 100:44).
--
l~iI ........ Il too v L<. ....... 1 v _ _ I><.q.ur
.....
''''
1.=
T.". · ... ~
........ 10011.Uoo
.. .
tlH H++I : - .:. t!i
creatlolOd 5 y .. coo.t:l.<Jll.
cre.u. pool te .. tJ>OOl2.
/ var/ localjucs/
" Mp I[ IQst...JloC1ll
lbo pool U!"~J>OOll.
.-
I~- 1-..-
1- '
I ~.........
"'" j defauttsj
1=-
--- j ..........
1-·
---
For More Information (AskF5.com ) tmsh Configuration Lab ,.
· ""'/!IJ"II('</"" .
· .... ~ .c"'r CO'~"' .,,j
• I)..... V(:!'; ~r>d SCf' .,t'I\IOWj.
• lno6I., boI h a rtroJ"" flI;j I)PJ*
L. ....- ..
Chapter 5 • Monitoring
o -o
•
\ .. _ =
Monitor Concepts Monitor Concepts
Llnks 1
ClJP.<:;k ..
e . _ - " '001« ,.
e -~ r "'_""I10'\' '
. ' ~"'''' In'''''''''
'GTM "". l oo' Cootie' ",
.::. • 11l.l6.20.1
.::. 172.113.20.2
l-\6a/lhlest Pi n ~ an IP add ress Health Test OJJen9 . ~ l ion to poo l mem t2r ~ ~'IIi ce )
Maoo node oUlln<' II no response? Mi)rl\s poo l member (sel"ll lCe) o Hline
II no respo nse?
• Maoo pool mo: ,.100 rs on that nod e olfl'r1-e
Example rcp Half Open
Example ICMP
172,16.20.3:80 c~~~ur.IIO~" t
Intt >W1
i-lelllth Test Open connection. send com rTkmd. exa min e respon se
If no/Ul'llaLod
Mal1ls pool membe r (service) of/l ine
response?
-
~
IItt! ...-,,-
-- -
----- .
1-
I'~
~.... -
c..... _, ~
Ir.;;:--
I
!I ""
~,I.'" I
----
I
---
--
r--
---
, r--
"-
-- 1·'I:i~
• •
.. -
~
I
--
ll2..t1l2ll1
-
.-4IoIJj.I""
• ..:n'll
H71'1;'tJ1
-.
.""....,
I lIn~ J"rem IlOc>I In/lllllllflCIoTIPool
.iwIIl~ •
Iht>il<lllrnJ rn~
"..,.,IIDbID
--
. ~. I\IICl 1"1_"lW • ""_M iLl
_M
l1:<'..!!Ut)..1.l!1(Jo lr;!'-1'.J :':!I).:;.!,l.lO
Viewing Monitor Instances UsIng the Network Map
II...-""-.",:my_....
vs _http
• htto_ _,
-
. 172.16.20.1;80 Pool Member
172.14,2(1 I f 72".11 .:ilLl III
. 172.16.20.2:80 Parent Node
.-....
!11.15_2'O2 172 .16_2'0 _2 &Il
••_.1.72•.•"•2
..0•.'.,8. 0. 172.16.20.1
172.1'-""0.3 172.n.21J,3 10
.m...._
.iJt."".~iIII
• ""<I SO
~
l l t _ ..
Viewing Member Availability and Node Status Determining which MOnitor Changed a Resource's Availability
"....
•• ,--
--.
"'
•••
---
--'- -----
[ "......-d""' ~
'"Hi-'''
-..-..........,
, ~-.., ......
--.
---
.- -
- '"
0·-....tJI......,..
,._1""
:....... "
.'.-
.........
- .._11--
•. ...
.,;111_
--- •
. ... ~ ••Il
• i lt-t4JIIII.-.
,
10"
.IDII-.,;tIIt
• (d.""""
J --
--
_...,,............,-
.~
",,,,..,
.-..
.....
--
_ _• __
......... -- ""'""'-""'- ~
-- _
_ -
i_. ; r_ ,_tr,o ....
. . . II _ _ .=
..
. !_.
Health Monitors Labs --l- 5 2CJ Chapter 6 - Modifying Traffic Behavior with Profiles
IIIIIIIII!!!II .
o
-¢
ID.11k1...lII
~ ...., Server
• ~.... ~Minl "'IIUf'.jtors
A.o.slgll o. OS'lloaJl1'l!l6l1llo3f'llW<
• Se11arnp1ll5~nDo:le".-.nD'
-
Ir3ffic belJmIm
--
---
'~"'lWIr
IiI
<M111
hehavlo r
-- ."...""""'"
• ~ IIOdII Wlt;LII l'1llICft IUl~
r;. '''''
---~,
---'I jI---..--'"'>- - '
-- II
· '''' I
...-
~ t"U5IIDI
•
rnor..tDI- . nd reWSI
MolIlottntr_tIfa:I~",,~ -
r;. Comll, e~
-....."
"', I
li1cornpressed
r;.
-
~1lU\JITUz.ed
BB
lAI'4OIll~
''--'-'" ".
Typical SSl Encryption (When No BIG-IP)
D, "',,"
2]
- Managed cn il ppl ....JI("" &CIVl:r
,,"Cr\1llH
SSL acc e~ ratlon
I!!luloe!d
MBlItlt,>ed 01'1 a~h::MitXlItt' ,\~ r
- Encrypl10n / ~\.IOI1I\af{Jwa(e
I Ap plica tion
_ !II.'rver
,,,
,---
vj
-
) i"'i:i .
Protocol (requ ired)
Application-iClYer (serVices)
o
Persistence
-
SSL
Remote server authentication
Analytlcs
BIG·IP performs SSl key exchange ilnd bulk encryption Other
CCnllahl.e5 certificate m llni]~lt
' ",-
Profile Dependencies Configuring Profiles - Many Choices!
~
All ..i n ual ~fVers have a layer
4 prom!! (e.g. TCP) I•
-
..." m
SOIl'C" profiles are dependent
on others ~ I--~
So n~tw ornes
COIl ~
"",."
can't be
on "me virtua l
M on'
-
~1oI_ ..
_ -
...... _., .....
...,, - -
~-
--
-
-" -.
~-
-- ....
---, - -
~ =-
.
- "'-
-
<-,,-- -
O~ l ij Pt .~t,.5$l ;:;I{\>"it ~ SL
'II!!n"n""""","rJI'(II~
o Before SSL Termination: After SSL Termination:
(: "HI IMn.-I!II J 010.x. !n.1... ·~C .1."' . 1"I !!t1D0/10.10.X.10l !!t1D0/10.10.X.10l
~I" """~I
!<::.ilIMlIWMOi' DfItIwB U 'J ~ l 5St
~~dt: folllli poo llo l'mp.JIIIIII
1W'I1t-sJ~lOI"
A:isl1:I1""~SSL IO H~
TIIBL ~ tllM[ll mit.. doe',1 ::'~ L
.n _ _
Chapter 7 - Modifying Traffic Beha".jor with Persistence
Modifying Traffic Behavior
Ur.de~mfmg PefS.15it~nOE:
shop.mYSlte.com
mysne.com
(cart 123)
•
K
(home page)
shop.mysne.com
mYSlte.com/about.hlml cart K 123
add2cart camera K
(about page)
myslte.com/brochure.pdf I shop.mysrte.com
cart K 123
add2cart computer
K
(brochure document)
~D
.......
('",~l
Web Application lJ>e, Web Application
o 0-~
- '- ,
o
I-~"""'I
0 -- -. 1n"YII"-......."'~~
1 ~1lIb111t1
."
.Mllllm .. _ '
.... --,
o
•- 0 ."'-....,I3f. ''''·._''''11
.
~
UII!OI 00\ ~1iD"""'1
Source Address Affinity Persistence
Based on client
SoUfce
Addlt!S:>
Affinfty { source IP address
'Er
-
Cookie {
Md,,,,,, {
Dest inatioQ
Afflnlly
'
SSL {
UnM!'rsa l {
.. 100 _ _
-o
""0%.»
15cvv!~.,." iT)I
EMimple:
..... 2fI~~.(I O
'IIIOI8cM'U!I)~~
Mask is 255_255_255 0
"'" ""
-o
""-
- I
-
PIln...__ ~_· 1
Many clients connect through same proxy server
All connections appeM to come from same IP
Uneven lra ffi t: d lslributlon
Gan be encrypLed
[!J
1:-, . _ Always Send Cookie Enabled
''''nl
,...., ( I ... ""
t·d.E..2'J~ U;z..m?f1l:1
0 ,. - : .
-0 ~
,
'C':;':::- - --
~
,,S If.np ~ ...."It-.
--~
~'
Rewnte
~ ,.
,
----
,::""'Tc Phil. ./LiI ...
IfTl!I t~
HW~O
,
~{
,TtP~
•
H
T1P=1INI
IrTTP~
Load b&la ncl!
dcc~OIl
'"~
cookie
Ttf" " q~
lfI1II "MOOM
"'11' ,
,,
,,
Ie
~
""""'"
_ 0.-.. -
_-
,.... ".....
....
.. ~.-
--....
. .~-
---- ---
.....
. ...-.
,- -- ' ,
-,~
-...,..
- - I
-.
_
---- - -,-- •
---0-;._.. . --
... ~O.-._ ~
...... ,-
.
"
"1"1-"
. ,. ~.~, -
..-....,
Associating Persistence with Virtual Server Cookie Persistence Profile Dependencies
0 HTTPprorile
Cookie
...,.. f) persistence
profile
--
--.....
"-'
-
""'_IIr-,.
--
"-"""'
~-
----.,.
---
Persistence Cookie Persistence Labs c CC o • 00
1..1 SiIouAdd_AJ'(If\II;)'PtIf~
11!IIIl'0'8.-l'I!J r s~tDIP'II~I!!'O::'
o."ill1 1't 5 rc_ I""JM:jl "lid.,.."
ILttI triMlit""lltI""-" !,In", ~~I(~II
T"yI !>+'i'l',.lnru.. IleN ,,",_ ~ l1:li111'1
""_I' IIDS
r l te l'l ~
-0 -
0 0
7.:z~P~IQfN;lll ~-
1IIIC.' 'IiJO'&IJ ~".
w....:!:I~IOO"
II ~
lIfS11,.,1& l>;i/u11rt1lr ¥I111L ccDoJII e!lrnU' >fI
l
1....... 1l11'o':llV!i <;o, ,1tI o[.anVr 1IoeIm\m ,
".,- - ~
Pool Member State and Its Impact Persistence During Manual State Change
Forced
Offline
Active connections
only • Offline (Disabled)
Forceb down
@ Enabled
@ OlSabled
@ Forced ofllrne
Persistence During Manual State Change Manually Controlling Member State
........
---- --
lO..ID. 4 .30
~"" •
172.16.20.2:80
• 1WtI1~{tJ~,orced down
-(2) 1'wIIIio-1 1F-. , n
e'l"':&'
...............-.
@ Enabled ."'-"
@ Oisat>IcQ
@fOO:<"'Gofflor.e
(t172.16.20. 280 172.16.:.10 3;80
- .. ~
~~
(tIrIIQR\j."",loM;·
~
_c-wtc-l _ _ _ _t .......... - ......,
-
73 ~Sf_~~lster«
~~lIn~ tr.s/.
~1III'I1'OI!1IIJU1~ ~; :;..ro...u
DtA'tItIII1IIIIe.lIlll~I1-A~na
o (5 0 Day
2
~
9.
De(lkJI)"IlC ",*ll(;etJDn Services
wl m lJ\~
"-'''--
~/U_"'l"""r"--
Str.e ll [ t lT'r~" )
11 Ad .-,~~tlnt 11M!! BIG·IP
Monitoring
......"
5. S""" ~
6. M{)(:hJYlng TraJlK: Behirvklr With 12 C USl;oml.1\il1ll.~ llOn
Profiles De LJoooe ry wt\t1 IliUl$S
~
Modifying TrufJ~ 8i!h:ilv l() r With
Persisielll:e
Application
Administrator
BIG-IP AppilcaUon
DellveryController
-
Man agi ng Applications without iApps Managing Applications with IApps
- -.- 1
~-=--~J ;
Implementation
Processes user's responses
F5-supplied section
Creates application components
Shared
(DevCentral)
~==::::
"''''......_ r . _ );
!
Help section • • How to use the template
Custom built ,o.;;...__ 1"l'a )
New In 11.4
II
• f'\a'J\IiIl'" 10 lXIIIl!! ctIotR:!l.IInD~!L
./.umytl'l ~tltlll1ts.p&;I,1'1)eX1 ~~ lSSl~)
• lij(JlW'il leS5l frV/I'I doRIIG. lit-All'!lirypl to \lll:ll'01!Ifij. ISSl 801l1t.l~
• ~tn~1:1 to :.'Ilellts. ~tf)~!11 ~5
'''
Dat~ Cente, D~na Ce nler '"""'"
Da tB Ce nte r
Hong K<lnl(
Il;Ita ~ntcr
"
Application Service Components Changing an Application Service's Configuration
--_,.. ,--_
.. "*r I -~- -: .... Appllc lltlon S.uvlc:e : I~ J \
- ---
' '--.-.-.' .~
~KIIt'lM:IiSlf\li:le
- _. [' --- il
Ootscl rpOOn
SlIIQ 1Jpu...
I [ O'~=""""""'I
L~"'" I~
$
Share custom iApp templates
O~~nlr.ilt •
O_ e s lmple w n _~
(
(
__
-_--.
. .
...
er,lIHlJ !t:s "'W I~
II --
iApps dCV{;en1i'a 1.'5,cClm
· .... ' It'j n't ~"' lu;nl1g ( '-.
>-_.
• f1e310 r(l !f8 "~ I- . L Q
---
C,r a!e mo,,, a ppl icalk1n. _ _
,
.--..-- .
~1)l1Jf Cl-cant,, 11'!lIII (;lB!DcIut'I
~ fe Cou 'i!N!I_~,"Jl
.... ~ Cou r'l'l!_Allmml6\flt"'l ~
C4:Jnn ,"'t lvnf'!'nl';-:.} and I~t.r 10
(III~ ,,, I
-
( -.-.
•
•
•
I
~ ~cm pl~n UIII L~nfl. \cpdrJm~l Dn til;> OILiW .!ivslE'l'Jr
..I
}
Dc:velop a hypol.l>Mi:> SNlJlr"&1"., AIl;tI'/"ntl. .... I~IIO(,.Jlll0n PP.I Inl11111 ,r.e wilt! An,l f~IIG!io
~ltrI
Tloubles"O(I(,r,t::: L,!I.J~
Suvpnl[
.-.
-
lo.~" /1") 2. 1 6 :to I ~ Go __ ot t ?'r "t~tus Qr._ .
/Co--;m/a y http ..,nlt;or: down I I w"s " I' t.,r Qohr ~ mln Q 1 ~1I'C I
_ _ III"!J - . , 1~ Il/my_http. lIA'1lLo r , fbi'o1 ] \ 'W.u ~ Il ((I f" Dbr: 2m i 1l6 9",",c I
...... -cKIII _
--
un.!IvlO ihb l .
........
""""'"
/\dI",I1Q&Iltm
"'.01Zl:l
.
-·0
Joe;,17 Linul specific \)0(){ f!1(."'S&"lb'eS /v<lr/\ogIbooUog
- --..
............
--
I..o<" Tr _ ~ _
-'--
-
~ ~ .
-_......
.....
~
~- ,----,
~
--. ,.
_ , '"'0' .
-
~ ~
• ..."
-.......... - . ~. ~
- -.
""""- '' --
-
~ """' E_
Tr"'~ ' )S
,~
(.~ D
--- 'I bllah DIOdify l ays sysloq reJD:ote-servers
add I lIlysysloql [ host 10.10.4.30 remote-port 514 II
List of destmatlons
....
POOl name
What source?
·al!~
-,
"
11I1J,tlSp&edLoI'®<'-"
~, I:r
.~ ••,"
..... 50..-. .'1
~lf\"Io"I1t
...
Setting an SNMP Trap Destination Remote Monitoring Using SNMP
• l.72.lli21ll
..,,'"
RKOrd PrOfMrtilS
V..
•Il
~
----
Communlly
SN;:Sgem
. 1.7 ~.3
,-
Setting SNMP Traps on the BIG-IP System Using tcpdump on the BIG-I? System
etC/lllert a,talert.conf
Command line "packet sniffer" (packet
• Do not moOify1
Output can be saved to binary or text file
conl'gtus.cr_alert.conl
• iJB.fIt-def"~ SN tJI' tlaps
For more information on tcpdump:
WlRESH.-.RK
TriJp examples:
Troubleshooting fl lG-IP LTM course
SOL411: Over.!iew of packet tracing with the tcpdump utility
IIhl.l::t. m GIP_MCPD_ MC PDfJui. _ 'JIli'l'WU...J I.VAIL {
1!1j'. lt rl1r; OID _ " .1. J.~ . 1. 4. 1. B 75.2.4.0 135"
I
al ert B IG I P_MCPD_ MCPDBHll_V I RTUAL_ UNAVAIL I
e m"p t. ra p OID_ " .I. l . ti. l .4 .1. 3 j ·1 5.2.4. () . Db "
.,.- ...
External Moniloring of 8IG·IP Syslems: Imp/emenlafl ons
1...... _ , _ _" _
1111.
_ ,_....-,\U .. _ _
-o o
,~
lI,th. '
r.. _ _ - . . - ._ _
,.....,'.1
""""' _ ·~ ....... /famwrnpodool
l ;on. IMI'IfilIIIII
l_"'_____". . . . IAO_._
..._"'_'...,_
('""" .. * .-~_ ... U~ ..16_'IO,3;80
. --,
tcpdump Example
~-~l-.J"""ro.o '
So
""" .... 2'l'JlII;, II1n ' ''!,-'J . em; l..ro Ui l) ~ ~ ~ ~ l\l4'I' (.2'1
l::J "'llIo
source or destination service port is http
IT
. 0 n Ill!J03 II) 16 17 31 ~ll • JJ~ l~_:ld_L£IJ ~
... ..,-, r.:;p,~ J.J(.. ~ J~:>!J:,. run
::~~~~~~jJ~~~!'It;j~-- I M ~ t 61~I tEpdullJ3 - .1.. mrt.rn..1 --n IQI t 1[1.1-1),11.]0 .-d P'"rl
tcpdu:lIp - l intarn.a1 -n I1.:nt 10 100.1'" JO Ex\! JUrt 8Q
IfIjJ
G''''''O ~ ~I 1l'f: Iii 17 . 31 )"'111 _ I'" l~» 1 N· , ~,~IOI Kt< l "' ~ lo;Q'l';l
..... ,'50 J.1 . .Io'\::R!JJ \1';iI.1li en 1 M > n l Jj ,H,n!"CD I H 9.2 ~9~ \ ~ HU.o" ,'In
G'J I'S(I,1~.1SlIII[jo \'r.iIl .. " ]1.3%11.1'1':0: 1';,:to I &'!::« ' ~F(.,'!';-t! · . !oI1!II!I9:SOm >rU1
Sample BIG-IP System tcpdump Output Logging and SNMP Labs p g,,()2~ -7~'l
n \b J'
'"
,, '~ ",",.,., J",," " " , ..
·
~~ss.«t's
l~ ~~.~m~ o
"""'
I ~,
• l~m D III" tI10w IDA ~ Irnra-n ",~"w
...,. ,+..1
~!.~
~
.....
I·
~ 'Q
II....
IJ~' I I (l) , ." ., 9 2 SNMP Tl1l W...... t 1H
JJ ~J."'~.
J~ 'I. l'
", U~
U~. ,
~.I
J 1 .." ' ,n -7 1.' , ~-~, 1'1""
11~ ~NM Il'4~
~ -~L~~I7'I7"":. ~O''''"
,:••:-~.
~L"t~~Y ... UlaII " t 1 ('I' :,I d lf!ndl~
ll._ ..,..
J"'Wl"I _,'
•
LOI!" '
> I
'17
,t"lO
JlJ
J'I"
'Q, JIo"I
~
.... 7
".
'••,~,4"'.II;'j
1 . J" ..
1 '"1123
'):I'D
":;F:
.. 9 .3 ~ed l~Lab
C~ HSL mat. PL<bIIIMr. IR'IILI\a1 t:>Il,
[M"J1)I ..,, \Jl1{l 1U". :t. ~L4 u(JCll1lITlOlll!l )(,~
' ....
II'SlR_
10 Jl)l :J!I""l.
T~IDJ; ,~
Provides tailored feedback I-ue- No~ 19 10.50 11 PST 2013
~D , 0 ....
-- It_ h tUol:l'~.ffi.com
nmmJJii.. SOL12878' Gc r.cIM"'R BIG-IP dtagrlOSltc data USIng \he Qiw<ew ulIhly
Viewing IHealth Diagnostic and Configuration Information
Uploading a QKView File to BIG-IP IHealth
bigi~.f5trn.com
I
fS 81(;.U) IH<!aOlII
Viewing command: list Inet self all-properties
- . .t :J:.. ~~~~~:iri1f
all ""H:rv:lCWo (
..
l"lll
~.rr- " n!I ~'" IVII1-I'
::I"~r~p(JM' !nil.
tiDel""" '.! :juU!:I.. j
.100_ . .
1,--;.._-
0 ApplicatIon perfOnTIBnce
w;
-- ... --.-
lalency , ~C"CU' f.rar- ~f
ThrouC"PO"
Ses>1OIl tlala
M,,=
AnphcalOftS
~- -~.-...
. -~-
V"l niJl servO,6
~ ~ ~ ~
I 1'001 rrtvII'liEIr,!
Ulk s
S;-';>CI(IC ~
I-' l..1.fl ' • ....
Local/remota col ~1io n
"-
........
AskF5 Knowledge Base
---' --
I'".............
.. --~
_R
..
--
---, - ..
_......
,..._ I I:I.IUI ' "
_,. ."IIUI,,' "
,...,... " ....
""
---- ,_.-
,~
-~ ~ ,
~
_l_ ~f "" ',-..w oJ«<"l~ .... _~ .• _ .. 1"lnlTlClhll
_ -
lI iI.. . ..... '-:T
.... fl •
"-
WebSupport Case Management Opening a Support Case
support case
....,-
Retum Materials Authorization (RMA) End User Diagnostics (EUD) - Hardware Only
-__,'''......
_ ' .. rN_I~_
~ ."" .~ ,
When EuO Is running,.
11:1 T. "
.xr til ......
"-11 ..1
.....
"301 " " ..... _ - .
... ,.- .... n«
.."
I. · .... ~ ......
uL , .. ,
I . ' HI< to ..
II . _--"_,,.. Twt
BIG-IP Is NOn
........ . . .
"
"'"'-'"
"
.." ......"Y...-_""'"'
........ ow _--.""" ......
94 T~1I!D
• t_~I.O"-I_InIIl'. nd VSjll1.pS
• T~
~~UJ'1'S6IIh 1i1~1 ,u n d1 M~
rn..I'~ ...... ~.."'... bcl C~ •.... 111..... "<;
~~~.""''''' ' .
........-x..,' dl i.S!.r :
•
BIG-IP Local Traffic Manager (LTM)
The BIG-I P Product Suite
A~i on bIIfj' 900 Htlpo<1J(l g (AVR)
lOCc11 Tr,rlilC Mallf,lp-er [I.1M) L7 1~~ i genl l m ~ lliI:~t
GlObal TliJftlC tJanager \GTM I Cor \< protocol oIJilJttIIlSIbO(1(I'Tlf'. ",CP, 51"0'1', SS U
Global Traffic Manager (GTM) GTM In the DNS Name Resolution Process
01'1 _ _
-.---
-
0 -"'"""
LH ---
-~ . ?
,..
Accelerated DNS Resolution with Transparent Cache Accelerated DNS Resolution with Resolver Cache
Ttw~~['acM.
-
...----.-
m ,."
o
-
14 . 00
1BIIlt ill IYlII Bm<!lIlI
-..-.IS.com {200 A 208.86.:<09.2'0
--""...
..I:l
--
- J~
~""'-~
IJ
-o [}t ttttl -- I'>
.J:l
IJ
-o -------'
1
--- ---
Accelerated Resolution with DNS Express Wide IPs and Intelligent DNS Resolution
---- -
_ I'" 1 ... 1-...
"--"' ..
-- -- ;;::=='~-111111~-~ '1- "
t
-0 - ",
NegrlbVa
• [:I 1uck blt!:ed on iotn:nmll1UK:k s lgnalUl ~.'IOO lil'llx:k JID!11!'J'I15
~ Positive
-
Ailiraffic is 111e.pI1lI1iI5:s IelKned/lold lq 1;)ofl1~1
O- +-'iI • Block b.nsed 01\ ~~ leJl meu f rom tIM! :upPIM;;ltlMJn
~~ payloa(l
.
r
No load balancing
EJ
• Single Sign"", t!WIio.tfll!o;o-..... OlS (ld enut)' Fe<lt.l<1!bOn .tt/l. SAML 2.0)
BIG-IP Access Policy Manager (APM) Access Profile Visual Policy Editor (VPE)
.. _
. -
~Dynamic" Webtop Links to Everything! LTM Traffic Flow
f." -
® ,..-..,
..-
G """" ~ SAP f.~"",011
,rrlP c...,,,,,U,;M
... ......
"ff,mKNlS R~_
ORACLE"
1 Desktop
OG5Jllop
...-.,~
~"""'" Q "PMJO
..- ....
.....
-
-~,
L..18tftlc1r
'\is, r-G -- .......
"", 'ilfllJ~
L-i r~(~ ~
I
I _
)
-
I
I
I
I
I
L_{ '-~ )
,-~
APM TraffIc Flow BIG-IP Advanced Firewall Manager (AFM)
~eaource 1 ' I
Consol idates network firewall
~rce2' J services within the BIG-IP system
Le',er.gE.. other BIG-IP functionality
Resources can be ..
• Pool of webse rvers (LTM + APM mode)
• Webtop
Network access
Portal access
Application access
Remote desktop
-_.
BIG4P Application Acceleration Manager (AAM): BIG-IP Application Acceleration Manager (AAM):
Web Acceleration Web Optimization
L~"",W"'Li:I('i\
• Intelligent content
-
--
---
,
,-..
, ~
-----
-
o.-o~.
""'......~'~:......
n HU
I.... ~'*-~ ~
-
......,~ II..-. "-'
~. c
,.20 _ _ l:IIopooan
_ _ ~~
.......
"'_~ I '_I
--
btgip_o lm l .rorT\'
192_168_18.1~3
tlIBip._m Lc:IIm
192.168.18.144
""""'
192.168.18.200
1'l2_158_1IU43
192.168.1B.144
192_168..18.145
V"-,
EM 3.0.0
81G-IP 11.4.0
B1G·IP 113_0
B!G- IP 11.3_0
-
\4" ~ _ _ ~ .......... ~I' . . . .I
-- I
l:II"gI(l.gtmLcom
192.168.18-145
- -
--- - ""." ~
~
-,
-
I ...... ~ • •
-.l.
Software Installation wlthoul Enterprise Manager Software Installation with Enterprise Man ager
....-
-
-- , --
",.
,
•
-
c ...... -Iit
0"
._-
..
'
Ir.: ,
Iw;1· .~~- B-
•
.~
• By default, up to 10
•- JI_~~ ....-
~ •
rotating archives each ,
.'.
for itself and for every ~\I.
managed devi ce
,1: -... .,.-
~
--
•
\0,.......
-
~.!Ie!!!!
-
-• - -• • • • • •
..... ~~~ ,
~
~.
~
t O"'r ..... ,o ~
~
,
, ~"" ~- .... _ ..,
''''1 """ 0<11_ ... _
c ""....., ~ _""
_
- -
".
--
View a ~ users of managed devices
View devIces a user has access 10
r........ _ . _
Chango passwords
3 _......,..,.
,
--
liU" . "'.
..
Understanding Alerts Chapter 11 - Administering the BIG-IP System
-
I'*-_w.,- ~ ,
~~~~IIU' .. virtua l servers y.(lual MrVtt'S
~"JIooawo-.nEM
pools
~_t:I_lbi r.ilu ""
"-3!~IIIl ...aH ~
~ profiles
~ monitors
""""
~rofiles
monitors
GUI.Qs_ ~"*"
90:11 ...... 01-'1 ''''I''-:h(Jl'~~'''''.a
!I.onr.. 0MfIt1d ~!,,"
Common
"'.
"',,,., virtual servers. pools. profiles. monitors
'!!- ~
..... -.
High Availability (Pre-BIG-IP vii.O)
Administering the BIG-IP System
Oyt.:!I".~1 of High ,"w81lobilny
o o o
J\1 ....·:;,yo..(.)(I ·,. tlfl~Rf!ruen r I,'OM I
High Availability (BIG-IP vii.O and Beyond) Device Service Clustering (DSC)
-o -o -o -o
[___'
e- " - - .;"~
'~ G'O ~
P ,_
_e-- J
tie¥\t;e Gr(;o;JJ)
Alwa)/5-Qn-Management (AOM) Network Configuration Interfaces
,
~ct
"--" _
_'Y_ _
. . . . . . .<
.. ••"..
~
_I
. '111 0Jil.,
l 4:11 .:n £:Alllil
J._--1!jC
TMM switcll mlCrf()C{'s
<,",""a~I'"'
. .l"'C
11I\!IIfItDI 14
____________...
-
-
Unk~I~Io(,
Bo/lOU1I~;
--
• 1rV'II_ blnltN,dlh w, t~1\ UI I~I>Il'" ~ w
-
~I til one Of more VlANs
10.10.1.31/16
172.16.1.31/8
192.123.2.3/ 24
--
~
-
c...... .... - .
--
_ / P.... -
c
-, El-.
"'"'
,~
--
" "'111110" \/lAN, 11m 1I!111,..-.,d t:I
lhC!' ~ im c rf..ee. only 1 0I 111oMI
VI..A.'b c.o n_1Jrl\.ItilIlW lnI'fic
- "
,
~
~
'
0 0
...........
• PorI IOduioWn
• SSH iloce5!J
I1Ir. ...
r---+----:T--~--:
I enl!fIIIIIII I I I
• Packet filters
• 1:. " 10 III tOIl tIV
-~
.'u._
l"UI,~
....- ... -
'. .'
~
Restricting Access on a Virtual Server Restricting Self IP Traffic with Port Lockdown
-
0 -..........
"_
1"._
.. " _ _
--
-
_
..
. ,0. 1•
~ :-
--- 1
-
- - ~ ,- ..
<-
~""l_
....
Restricting SSH Access Restricting SSH Access
t !l21 M.~
-~""' ~
,~ -
~--
S?llP ,....,. SooKi". R~. Ill2l$8 1 •
~ _ J
Appliance Mode
"--.--.
. ..
_ll.l!It::I
-- .--
....--
,
· llJl_~~
.,
l ' ''-~
.,-_. -..
~-
.. ~, I
-- - .....
.· 11°
~,-u..l·_
.....
.
---
N/A \0 MGMl' port 10.10.<30 10..tO.V.30
l1.1 . v,..;ket FlIiIIo's l al/
o o
OfdI:r
Ai.'Uerr.I
,"""'.
'.~a.,o_
--
---- ..-_
,...-
........
u.,-...
-
~ will \II ~ dW ott..
•
s.:..-,-~ .
..........;;
'-'' '- -- J
''''IliI~ IIt!''f_lI~
""-
~~'
\1 d.(L- . ~, !)/kf/pl
't )R.!'Ut'1 f
,) O"t V)
vi f'&-__ ~
License Dates and Upgrade Considerations BIG-IP License File
/ conflglblgip.llcense
!•
•
L.lee.nse"- cl.ate 20120801
Servic-e ellee)!. cl.ate 20131113
Storvioe Status 201)-ll-13 this sysu. . has
lui J..t
o.n .eUve servie.. eonU"aet
• ~lat!e"", IntocmaUen
-1-_. ,._
Disk Management on the BIG-IP System Software Management on the BIG-IP System
* Image List
~ ..
..-
.--- , ..
,.
.'
. -
Store rnRlIltl'fli!rq-rclill!ld 111(1;<> ;n / -o;I1IJo1"ClljIIT1D
Stor1l k1l'\f-1.tIml m ~l ntenall(:e fl lBG [0 E VCS) o n a nelwork sh",!:'
---
__ 1".u1.._
_ JlI.I.
n .••
~
:::.:: ::'~
Pf(l'ioft rlJ lI l!IalJ1 locallon wh t>l1 creiMl"IlIIoe8
,Inooid '9lO111r,e ~ ., Unul (001' 1Ie::}'!I1M I _ _ _ I
_
PeTIodIc8 Ib' C~ -IMtlllKllc d i!;l\. l1pet11 ... ....;..-;.,
P~ 11r remove rl()(1-crllJ ~i)llnIlltlUlrt;:mce files
--
SOl..lA.CDJ. MClint8ining di~k space on the Blt;.-IP system
. -~
Wha t can the BIG-IP user see? What tan t.he BIG-lP user do?
'"
..., ",.
"". -
~.
uu
_.
_.
,...
..... .-......
.-,
User Roles and Access Configuring User Access
Mcourn PlOperi tH
1=
jotmd oe
WdlA~~ul il ~
Ecl rtOl (ASM\ Guesl
" -j
---
Partitions Allow More Effective Use of Resources Partitions Facilitate Administrative Agility
f->eP<lrtmcnt B
gggg ggog
--------------------- ---------i---------------
---- --------
Allowed Object References across Partitions Disallowed Object References across Partitions
1'.... l llflr.
--- ~ J
"
Traffic Processing Considerations with Partitions Traffic Processing Considerations with Partitions
•• _100
-. "
Adm inistering Across Partitions load Balancing Behavlor on CMP Disabled Virtual Servers
....
1'2 ltuO 11)0 172.UL.20.UIO 172..16.20.380 112.1620.• 80
G
_
Load Balancing Behaylor on CMP Enabled Virtual Servers vCMP Components and Administration
yCMP Guest 1.
Ii ~~_."..
vCMP Guest 2
- a
vCMP
Guest 3
112.16.10.411:0
'''-
LTM ASM
Speallc server
HTTPtoHTTPs
APM
l
Inlell.gern SNAT
u ~ss AD QueI)' resUlt! 10 web seNe'
'ooiI _ttm>_~t {
LI ~ U IUn'- t~"lc r Ueer-;r,,~1 a::nt.a:I"" ' MSIE"I ) {
' ~f {
1.,..,1 lo-_t lS.JlOcl
111mt' - ~r ~""":J"m l o:;.1t.ala" . ~l.lIat 1{
,.... ,
fXJOl /ttJm<nM F I
Pools Using:
UsingGUI:
Nodes BIG-IP GUI
NewVS:
Profiles lRules edItor
Resources section
Monitors Nolepad++
Exlsling VS:
Resources lab
Configuring iRules Course Agenda
Addl1 101'1011JlIIU)urus
Inlerac::tW UW-. Communltv Day 1 Day 2
hUp IId~lnU S.com
1 Gell;ng Slaflllcf .....'VIBIG-IP 8. oe"""'I'C~lCIItIOn Servl~
Sysw m
5 Morutof1flll.
12. C ~llYl!I.~~IOn
6. Moolf'tlne; r l!lflic B-.; huvlor .....m Oe' .....,. ~h~1u
'j)rofile~
Pe rslSle nte
--
F5 Certification Roadmap F5 Instructor Led Training Courses
iRules lab •
1IoAII~,*,,'1t
l'oUilyl....H 2 1_1fIIIo
• ~1I'r' .... :sc.-
F5 NetwOl'ks Training . ...... J " ~ 1\I.Jl1l..pQft
. ~IoJI.I]
.... ~ l l<>n
I1IIpJlto..tu l: tu)
IIllPYIKl .";0;lIT.
Iil/IID1D'ri . tlB
..................... ®
CERTIFICATE OF COMPLETION
~k\v'\~
Date :
John McAdam
Instructor: President and CEO
FS Networks, Inc . 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 WVII"'N.f5.(om
ClJDI1'~ ,j"lwork s. In( All '''lI'I~i~(vW FS. ,~ Nll' rwnrll. thotf., I!'g o, ano IT a()'~ry Your way.. ;If'" IraCl<>m;or lt!: (J f r5 NeI ...IOI ~ ~. In(. In ,fl(. U$ and I" ~~, olltl" UMJl'1f'M Oll"\e' f 5 l f~ Ik'"",r Ale.cIiorl"' 1Ptt
", T~ (<Mj A'ly otht!t PIUOU[b. IoI!IrvkA ~. Or ((I 'npany l\,IroIilh 'fit'<H>led hr.,.>!" .,..., lit u.oelllilrb 0 1 ,tlf'U ICIr-1've own~r~ ..... ,ttl no en L1Of~mIeM or Jltt.,rtOfr. l'l P'rK\ 0< ;"'I"~, (1.1,.,.... by I ~ , (){1().()O(90' 111