
F5 201 Exam Preparation

F5 LTM Revisit

Load Balancing Revisit
Load Balancing Using Member
• If http_pool uses Least Connections (member), then the next connection request goes to the member with the fewest connections

[Diagram: client 10.10.1.30 on 10.10.0.0/16; http_vs = 10.10.1.100:80 → http_pool; ssh_vs = 10.10.1.102:22 → ssh_pool; both pools use the servers 172.16.20.1, 172.16.20.2 and 172.16.20.3]

Current connections per pool member:
            172.16.20.1  172.16.20.2  172.16.20.3
http_pool           107          108           99
ssh_pool              2            3           25
Load Balancing Revisit
Load Balancing Using Node
• If http_pool uses Least Connections (node), then the next connection request goes to the node with the fewest connections (counted across every pool that uses that node)

[Diagram: client 10.10.1.30 on 10.10.0.0/16; http_vs = 10.10.1.100:80 → http_pool; ssh_vs = 10.10.1.102:22 → ssh_pool; both pools use the nodes 172.16.20.1, 172.16.20.2 and 172.16.20.3]

Current connections per pool member:
            172.16.20.1  172.16.20.2  172.16.20.3
http_pool           107          108           99
ssh_pool              2            3           25
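The two slides above share one connection table. The following Python, added here and not part of the deck, works the selection through for both modes with the slide's counts (member names are constructed from the diagram's IPs and ports) and shows why member-mode and node-mode pick different servers for http_pool:

```python
from collections import defaultdict

# Constructed from the slide: current connection counts per pool member.
# A member is IP + port; a node is the IP alone.
CONNECTIONS = {
    "http_pool": {"172.16.20.1:80": 107, "172.16.20.2:80": 108, "172.16.20.3:80": 99},
    "ssh_pool":  {"172.16.20.1:22": 2,   "172.16.20.2:22": 3,   "172.16.20.3:22": 25},
}


def node_of(member: str) -> str:
    """A node is the IP address part of a member (IP:port)."""
    return member.rsplit(":", 1)[0]


def node_connections(pools: dict) -> dict:
    """Total connections per node across every pool on the BIG-IP."""
    totals = defaultdict(int)
    for members in pools.values():
        for member, count in members.items():
            totals[node_of(member)] += count
    return dict(totals)


def least_connections_member(pools: dict, pool: str) -> str:
    """Least Connections (member): the member with the fewest of its own connections."""
    members = pools[pool]
    return min(members, key=members.get)


def least_connections_node(pools: dict, pool: str) -> str:
    """Least Connections (node): the member whose node carries the fewest
    connections, counting connections from every pool that uses that node."""
    totals = node_connections(pools)
    return min(pools[pool], key=lambda m: totals[node_of(m)])


if __name__ == "__main__":
    print("node totals:", node_connections(CONNECTIONS))
    for pool in CONNECTIONS:
        print(pool, "member ->", least_connections_member(CONNECTIONS, pool),
              "| node ->", least_connections_node(CONNECTIONS, pool))
```

With the slide's figures http_pool's next request goes to 172.16.20.3:80 in member mode (99 connections) but to 172.16.20.1:80 in node mode, because node 172.16.20.3 also carries the 25 ssh_pool connections.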
Load Balancing Failure Mechanism
Priority Group Activation
• Pool members are grouped by priority value
• Controlled by the "Less than" value / minimum number of available pool members
• Disabled by default; priority values are set to 0
• Persistent connections are still allowed to pool members that have already been de-activated

Fallback Host
• Client is redirected to this destination if all members fail
• Works only for HTTP traffic
• Implemented under the HTTP Profile
Load Balancing Revisit
Static Load Balancing
• Round Robin (default)
• Ratio

Dynamic Load Balancing
• Least Connections
• Fastest
• Weighted Least Connections
• Least Session
• Observed
• Predictive

Failure Mechanism
• Priority Group Activation
• Fallback Host

Member and Node Load Balancing
• Member = IP + Port
• Node = IP only
Nodes
Node
• IP address
• Can be named
• Can be re-used when adding members to a pool
• Automatically created when a Pool Member is added to a Pool
• Can be managed individually – Ratio, Health Monitor, Conn Limit, FQDN etc.

Node Default
• Where a Health Monitor is applied here, it affects all Nodes
Pools
Pool
• Load balancing component
• Container of Pool Members (Node + Port)
• Where Pool Members are managed (enabled, disabled, forced offline etc.)
• Where Health Monitors can be enabled; by default they are inherited by the Pool Members
• Can be re-used in multiple Virtual Servers

Pool Member
• IP / Node + Port
• Is exclusive to a specific Pool (can't be re-used)
• Pool Member port doesn't need to match the Virtual Server port, as it can be translated (same as the IP address)
• Can be managed individually – Ratio, Priority, Value, Health Monitor, Conn Limit etc.
• A Pool requires at least one available Pool Member to be Available
Pools
Advanced Options
• Multiple Health Monitors
• Slow Ramp Time – in seconds
• Action on Service Down – None, Reject, Drop, Reselect
• ToS
• QoS
• And many more
Virtual Servers
Virtual Server / VS / VIP
• Traffic / application object and listener, represented by an IP address and port number
• Communicates with the client on behalf of the servers and distributes traffic across multiple servers
• Translates both IP address and port
• Treats various types of traffic differently based on its settings
• Settings include Layer 4, Application and SSL Profiles, Compression, iRules, Persistence, Pool association etc.
Virtual Server Types
• Standard
• Forwarding (Layer 2)
• Forwarding (IP)
• Performance (HTTP)
• Performance (Layer4)
• Stateless
• Reject
• DHCP
Virtual Servers
Virtual Server Order of Precedence

Precedence  Pattern           Virtual Server Destination  Client Destination  Result
1           <address>:<port>  10.10.10.100/32:80          10.10.10.100:80     both address and port match
2           <address>:*       10.10.10.101/32:*           10.10.10.101:22     address match with wildcard port
3           <network>:<port>  10.10.10.0/24:80            10.10.10.102:80     address within the range with specific port
4           <network>:*       10.10.10.0/24:*             10.10.10.102:22     address within the range with wildcard port
5           *:<port>          *:80                        10.10.100.10:80     wildcard address with specific port
6           *:*               *:*                         10.10.100.10:22     wildcard address and wildcard port

Virtual Server vs Virtual Address
• Virtual Server Destination consists of an IP address and a Service Port
• Virtual Address is the IP address of a Virtual Server
• http_vs – 10.10.10.100:80
• https_vs – 10.10.10.100:443
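The precedence order above, worked through as an added Python example that is not from the deck: the destinations and packet addresses are the slide's values, the virtual server names are constructed, and the longer-prefix tie-break among networks is an assumption beyond the slide. The last two rows are the ones worth checking in a real configuration, since a wildcard listener receives every destination that nothing more specific claims.

```python
import ipaddress

# Constructed from the slide's precedence table. Each entry is
# (virtual server name, destination address or network, port); port None means "*".
VIRTUAL_SERVERS = [
    ("vs_addr_port", "10.10.10.100/32", 80),
    ("vs_addr_any",  "10.10.10.101/32", None),
    ("vs_net_port",  "10.10.10.0/24",   80),
    ("vs_net_any",   "10.10.10.0/24",   None),
    ("vs_any_port",  "0.0.0.0/0",       80),
    ("vs_any_any",   "0.0.0.0/0",       None),
]


def precedence_rank(network: str, port) -> tuple:
    """Lower rank wins. Mirrors the slide: a host address beats a network,
    which beats the wildcard address; at equal address specificity a
    specific port beats the wildcard port. Among networks a longer prefix
    is taken as more specific (an assumption beyond the slide)."""
    net = ipaddress.ip_network(network)
    if net.prefixlen == net.max_prefixlen:
        address_rank = 0            # <address>
    elif net.prefixlen == 0:
        address_rank = 2            # *
    else:
        address_rank = 1            # <network>
    port_rank = 0 if port is not None else 1
    return (address_rank, port_rank, -net.prefixlen)


def select_virtual_server(virtual_servers, dst_ip: str, dst_port: int):
    """Return the name of the most specific virtual server that listens for
    the packet's destination, or None if no virtual server matches."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = []
    for name, network, port in virtual_servers:
        if ip in ipaddress.ip_network(network) and port in (None, dst_port):
            candidates.append((precedence_rank(network, port), name))
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    for dst in [("10.10.10.100", 80), ("10.10.10.100", 22), ("10.10.100.10", 22)]:
        print(dst, "->", select_virtual_server(VIRTUAL_SERVERS, *dst))
```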
Standard Virtual Servers
Standard
• Full Proxy – three-way TCP handshake on both the client-side and the server-side connection
• Optimizes TCP connections to clients
• Load balances application traffic to a pool of servers
• iRules can process most requests
• Most options are available (if not all), such as Layer 4, HTTP, FTP and SSL profiles, Persistence, Pool etc.

Virtual Server VLAN Settings
• Enabled on all VLANs (default)
• Recommended to disable the VLAN(s) that are not processed by the Virtual Server
Forwarding Virtual Servers
Forwarding Virtual Servers
• Forward traffic directly to the destination IP address specified by the client request
• Use the routing table to make forwarding decisions
• Pool association is not supported / load balancing is disabled
• Processed at Layer 2 or Layer 3 (IP)

Resolving Duplicate IP Address Issue
• Enable only the VLAN on which the VS listens for traffic
• Disable ARP under the Virtual Address
• Local Traffic ► Virtual Servers : Virtual Address List
Health Monitors Revisit
Layer 7
• Accurate content checking
• Examines a single request/response, such as HTTP or HTTPS
• Built-in request/response monitors, such as FTP, SIP, Oracle, IMAP
• Multiple requests/responses – Scripted and External

[Diagram: client 10.10.1.30; http_vs = 10.10.1.100:80 → http_pool members 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80; monitor exchange with a member: SYN, SYN/ACK, ACK, then HTTP GET and HTTP RESPONSE]
Health Monitors Revisit
Built-in Application Check Monitor
• Connects to the monitored resource
• Logs in using credentials
• Navigates to a specific directory
• Example: FTP

Assigning Multiple Monitors
• Select Advanced under Pool Configuration
• Specify the Availability Requirement (At least)

Manual Resume
• Pool Member won't be marked Available when it comes back online
• Must be manually enabled
• Commonly used during server maintenance and troubleshooting
HTTP Health Monitors
Customizing HTTP Monitor
• Send String
• Receive String
• Receive Disable String

Regex in the Receive String
• Match one from a group: 172.16.20.1 | 172.16.20.2
• Wildcards: . ? *
• Bracket expressions: [1-5] [a-d] [^f]
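An added Python illustration, not part of the deck, of how the Receive String, the Receive Disable String and the regex forms above decide a member's status. The monitor strings, the health path and the three responses are constructed; the precedence between the two strings when both match is stated as an assumption in the code.

```python
import re

# Constructed HTTP monitor settings in the style of the slide.
SEND_STRING = "GET /health HTTP/1.1\r\nHost: www.example.test\r\n\r\n"   # assumed path, shown for completeness
# Receive String: 200 OK from one of the group 172.16.20.1 | 172.16.20.2
RECEIVE_STRING = r"HTTP/1\.[01] 200 OK.*(172\.16\.20\.1|172\.16\.20\.2)"
# The same check written with a bracket expression, so [1-5] covers .3 as well
RECEIVE_STRING_RANGE = r"HTTP/1\.[01] 200 OK.*172\.16\.20\.[1-5] ready"
# Receive Disable String: a maintenance page should disable, not fail, the member
RECEIVE_DISABLE_STRING = r"HTTP/1\.[01] 503.*maintenance"


def evaluate_monitor(response: str, receive: str, receive_disable: str = "") -> str:
    """Classify one response as an HTTP monitor does: 'up' if the Receive
    String matches, 'disabled' if only the Receive Disable String matches,
    otherwise 'down'. Receive String winning when both match is assumed here."""
    if re.search(receive, response, re.DOTALL):
        return "up"
    if receive_disable and re.search(receive_disable, response, re.DOTALL):
        return "disabled"
    return "down"


def monitor_pool(responses: dict, receive: str, receive_disable: str = "") -> dict:
    """Run the check over every member's (constructed) response to SEND_STRING."""
    return {member: evaluate_monitor(body, receive, receive_disable)
            for member, body in responses.items()}


# Constructed responses, one per http_pool member
RESPONSES = {
    "172.16.20.1:80": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nserver 172.16.20.1 ready",
    "172.16.20.2:80": "HTTP/1.1 503 Service Unavailable\r\n\r\nsite under maintenance",
    "172.16.20.3:80": "HTTP/1.1 200 OK\r\n\r\nserver 172.16.20.3 ready",
}

if __name__ == "__main__":
    # The group form marks .3 down although it answered 200 OK; the bracket form accepts it
    print(monitor_pool(RESPONSES, RECEIVE_STRING, RECEIVE_DISABLE_STRING))
    print(monitor_pool(RESPONSES, RECEIVE_STRING_RANGE, RECEIVE_DISABLE_STRING))
```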
Objects Status
Traffic Object Status
• Determines the availability of configuration objects such as Virtual Servers, Pools, Pool Members and Nodes
• Network Map – summarized view of all configured traffic objects

Symbol           Description
Green Circle     Available
Blue Square      Unknown
Yellow Triangle  Enabled but Unavailable
Red Diamond      Offline
Black Icons      Manually Disabled
Black Diamond    Manually Forced Offline
Gray Icons       Parent object has disabled the object
Objects Status
Disabled vs Force Offline
• Both no longer accept new connections
• Both still accept traffic on active connections (e.g. ssh and ftp)
• Disabled still accepts traffic from existing persistence records
• Force Offline drops traffic even from existing persistence records
SNAT Revisit
Translation
• IP Address / Range of IP Addresses
• SNAT Pool
• Auto Map

Configuration
• SNAT List / Manual
• Virtual Server

[Diagram: client 10.10.1.30 → http_vs = 10.10.1.100:80 → pool members 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80 on VLAN Internal (Self IP Address 172.16.1.31/16, Floating IP 172.16.1.33/16)]
Client-side request:   SRC IP 10.10.1.30, DST IP 10.10.1.100
Server-side request:   SRC IP 172.16.1.33 (translated to the floating IP), DST IP 172.16.20.1
Server-side response:  SRC IP 172.16.20.1, DST IP 172.16.1.33
Client-side response:  SRC IP 10.10.1.100, DST IP 10.10.1.30
SNAT Revisit
SNAT Pool
• Pool where you can add one or more translated IP addresses
• Used to resolve SNAT port exhaustion

SNAT List
• Manual SNAT configuration
• Define the source IP address / range
• Define the translated IP – Automap, SNAT Pool, or a specific IP
• Applies to all Virtual Servers on which SNAT is not configured in the VS itself

SNAT in Virtual Server
• Takes precedence over the SNAT List
Profiles Revisit
Profiles Types
• Layer 4 / Protocols
  - Layer 4 / Protocols – TCP, UDP
  - Optimization – Mobile, LAN, WAN
• Layer 7 / Services
  - HTTP
  - FTP
• HTTP Profiles
• Acceleration Profiles
  - HTTP Compression
  - HTTP Caching / Web Acceleration
• Persistence Profiles
• Profile Dependencies
  - Some profiles are dependent on others
  - Some profiles can't be combined on one virtual server
TCP Profiles
TCP Profile Performance
• Latency – compute-intensive processing such as SSL
• Congestion – caused by too much data received

TCP Profile Performance Settings
• Nagle's algorithm – reduces network congestion
• Memory Management – proxy buffer levels and window size
• TTL, TCP Flags, ToS, QoS etc.

[Diagram: client 10.10.1.30 → http_vs = 10.10.1.100:80 → http_pool members 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80; TCP handshake SYN, SYN/ACK, ACK]
TCP Profiles
TCP Profiles for Different Environments
• Layer 4 Profiles
  - tcp
  - f5-tcp-wan, f5-tcp-lan, f5-tcp-mobile, f5-tcp-progressive
• Legacy TCP Profiles
  - tcp-legacy
  - tcp-wan-optimized, tcp-lan-optimized, tcp-mobile-optimized
HTTP Profiles
HTTP Profiles Options
• Client address insertion
  - Retention of the original client source address after translation (SNAT)
  - Customizable HTTP header or the X-Forwarded-For header
• OneConnect
  - Allows HTTP clients to reuse server-side connections
• Chunking
  - Allows iRules and compression to function with chunked HTTP data
• HTTP Compression vs HTTP Caching / Web Acceleration

Dependencies
• Compression, Cookie Persistence, Web Acceleration, Fallback Host, and iRules with HTTP events require an HTTP Profile
SSL Profile Revisit
SSL Termination / SSL Offload
• Client SSL Profile
• Client Side – Encrypted Traffic
• Server Side – Unencrypted Traffic

Limitations Without SSL Termination
• No HTTP Profiles
• No HTTP Compression, Web Acceleration, Cookie Persistence
• No Security Inspection
• Limited iRules

[Diagram: client 10.10.1.30 → https_vs = 10.10.1.100:443 → servers 172.16.20.1, 172.16.20.2, 172.16.20.3 on VLAN Internal (Self IP Address 172.16.1.31/16, Floating IP 172.16.1.33/16)]
SSL Profile Revisit
SSL Termination with Re-Encryption
• Client and Server SSL Profiles
• Client Side – Encrypted Traffic
• Server Side – Encrypted Traffic

Disadvantages of Re-Encryption
• Certificates and keys are required on both the BIG-IP and the servers
• More resource consumption on the server side
• Complex troubleshooting

[Diagram: client 10.10.1.30 → https_vs = 10.10.1.100:443 → servers 172.16.20.1, 172.16.20.2, 172.16.20.3 on VLAN Internal (Self IP Address 172.16.1.31/16, Floating IP 172.16.1.33/16)]
Persistence Revisit

[Diagram: clients 10.10.1.30 and 10.10.1.40 → http_vs = 10.10.1.100:80 → http_pool → servers 172.16.20.1, 172.16.20.2, 172.16.20.3]
Persistence Revisit
Persistence Options

Source Address Affinity       • Based on source IP address
Cookie Persistence            • Based on the contents of a browser cookie
SSL                           • Based on the SSL session, using the Session ID
Universal                     • Customize your own persistence criteria
Destination Address Affinity  • Based on destination IP address
SIP                           • Call-ID persistence (telephony and multi-media)
Persistence Revisit
Fallback Persistence
• No cookies? What's next?
• Source and Destination Address Affinity are the only two options

[Diagram: clients 10.10.1.30 and 10.10.1.40 → http_vs = 10.10.1.100:80 → http_pool → servers 172.16.20.1, 172.16.20.2, 172.16.20.3]
Universal Persistence
Universal Persistence
• Greatest flexibility in defining persistence
• Customizable based on the packet information used as the persistence criteria
• Based on header or content data that is specific to your application
• Coupled with an iRule

Associated iRule
  when HTTP_REQUEST {
      if { [HTTP::uri] contains "user=" } {
          persist uie [findstr [HTTP::uri] "user=" 5 "&"]
      }
  }
Universal Persistence
Request: http://10.10.1.100/env.cgi?user=spoonman&pw=abc

Persistence Value  Persistence Mode  Virtual Server  Pool       Pool Member     Age
spoonman           Universal         http_vs         http_pool  172.16.20.1:80  13 sec

[Diagram: clients 10.10.1.30 and 10.10.1.40 → http_vs = 10.10.1.100:80 with http_pool and the univ_pers persistence profile (the Associated iRule above) → servers 172.16.20.1, 172.16.20.2, 172.16.20.3]
iRule Revisit
HTTP_REQUEST
• Fully parses and inspects client HTTP headers
• Requires an HTTP Profile
• Does not include the HTTP request body

[Diagram: client 10.10.1.30 → http_vs = 10.10.1.100:80 → servers 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80 on VLAN Internal (Self IP Address 172.16.1.31/16, Floating IP 172.16.1.33/16)]
iRule Revisit
Logging from iRule
• Great tool for troubleshooting and testing
• Writes to local logs by default

  log local0. "Destination: [HTTP::host]"

iRule Variable
• Piece of data stored in memory
• Named and re-used

  set dest [HTTP::host]
  log local0. "Destination: $dest"
iRule Revisit

Chrome User Agent
  Mozilla/5.0 (Windows NT 6.1, WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Internet Explorer User Agent
  Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Firefox User Agent
  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

  when HTTP_REQUEST {
      if { [HTTP::header User-Agent] contains "Chrome" } {
          pool pool1
      } elseif { [HTTP::header User-Agent] contains "MSIE" } {
          pool pool3
      } else {
          pool pool2
      }
  }

[Diagram: clients 10.10.1.30 and 10.10.1.40 → http_vs = 10.10.1.100:80 → servers 172.16.20.1, 172.16.20.2, 172.16.20.3]