F5 LTM Revisit
Load Balancing Revisit
Load Balancing Using Member
• If http_pool uses Least Connections (member) then the next connection request goes to the member with the fewest connections
[Figure: 10.10.1.30 on 10.10.0.0/16; http_vs = 10.10.1.100:80 (http_pool); ssh_vs = 10.10.1.102:22 (ssh_pool); servers 172.16.20.1, 172.16.20.2, 172.16.20.3]
Fallback Host
• Client would be redirected to the destination if all members fail
• Works only for HTTP Traffic
• Implemented under HTTP Profile
Load Balancing Revisit
Static Load Balancing
• Round Robin (default)
• Ratio
Failure Mechanism
• Priority Group Activation
• Fallback Host
Node Default
• Where a Health Monitor is applied, it affects all Nodes
Nodes
Load Balancing Using Node
• If http_pool uses Least Connections (node) then the next connection request goes to the node with the fewest connections
[Figure: 10.10.1.30 on 10.10.0.0/16; http_vs = 10.10.1.100:80 (http_pool); ssh_vs = 10.10.1.102:22 (ssh_pool); servers 172.16.20.1, 172.16.20.2, 172.16.20.3]
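The difference between Least Connections (member) and Least Connections (node) shows up when two pools share servers. The following is an added example, not part of the original slides; it models member mode as counting connections inside the pool and node mode as counting connections to the node IP across all pools. The connection counts, the ssh_pool membership and the tie-break rule are assumptions.

```python
from collections import defaultdict

# Constructed active-connection counts per (pool, member). Members reuse the
# three server addresses from the slides; the counts are assumptions.
ACTIVE = {
    ("http_pool", "172.16.20.1:80"): 1,
    ("http_pool", "172.16.20.2:80"): 2,
    ("http_pool", "172.16.20.3:80"): 3,
    ("ssh_pool", "172.16.20.1:22"): 4,
    ("ssh_pool", "172.16.20.3:22"): 2,
}

def node_of(member):
    """A pool member is node IP + port; the node is the IP alone."""
    return member.rsplit(":", 1)[0]

def pick_least_connections(pool, mode, active=ACTIVE):
    """Return the member of `pool` that receives the next connection.

    mode="member": compare connections to each member within this pool only.
    mode="node":   compare connections to each member's node across all pools.
    """
    members = sorted(m for (p, m) in active if p == pool)
    if not members:
        raise ValueError(f"no members in {pool}")
    if mode == "member":
        load = {m: active[(pool, m)] for m in members}
    elif mode == "node":
        per_node = defaultdict(int)
        for (_, m), count in active.items():
            per_node[node_of(m)] += count
        load = {m: per_node[node_of(m)] for m in members}
    else:
        raise ValueError("mode must be 'member' or 'node'")
    # Ties go to the first member in sorted order (a simplification).
    return min(members, key=lambda m: load[m])

def distribute(pool, mode, n, active=ACTIVE):
    """Place n new connections one at a time on a copy of the table."""
    table = dict(active)
    chosen = []
    for _ in range(n):
        member = pick_least_connections(pool, mode, table)
        table[(pool, member)] += 1
        chosen.append(member)
    return chosen
```

With these counts, member mode sends the next HTTP connection to 172.16.20.1:80, while node mode avoids it because the same node already carries four SSH connections.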
Pool Member
• IP / Node + Port
• Is exclusive to a specific Pool (can’t be re-used)
• Pool Member Port doesn’t need to match Virtual Server port as it can be translated (same as IP Address)
• Can be managed individually – Ratio, Priority, Value, Health Monitor, Conn Limit etc.
• Requires at least one available pool member to make a Pool Available
Pools
Advanced Options
• Multiple Health Monitors
• Slow Ramp – In Seconds
• Action on Service Down – None, Reject, Drop, Reselect
• ToS
• QoS
• And many more
Virtual Servers
Virtual Server / VS / VIP
• Traffic / Application Object and Listener represented by an IP address and Port Number
• Communicates with the client on behalf of the servers and distributes traffic across multiple servers
• Translates both IP Address and Port
• Treats various types of traffic based on settings
• Settings include Layer 4, Application and SSL Profiles, Compression, iRule, Persistence, Pool Association etc.
Virtual Server Types
• Standard
• Forwarding (Layer 2)
• Forwarding (IP)
• Performance (HTTP)
• Performance (Layer4)
• Stateless
• Reject
• DHCP
Virtual Servers
Virtual Server Order of Precedence    Virtual Server Destination Address
• <network>:<port>                    10.10.10.0/24:80    10.10.10.102:80 – address within the range with specific port
• <network>:*                         10.10.10.0/24:*     10.10.10.102:22 – address within the range with wildcard port
• *:*                                 *.*                 10.10.100.10:22 – wildcard address and wildcard port
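The precedence rows above can be checked against a listener table before a wildcard virtual server goes live. This is an added example, not part of the original slides: it generalizes the three rows to "longest destination prefix first, then specific port over wildcard port", ignores source-address matching, and uses hypothetical virtual server names.

```python
import ipaddress

# Constructed listener table built from the destinations on the slide.
# Port 0 stands for the wildcard port "*"; 0.0.0.0/0 for the wildcard address.
VIRTUAL_SERVERS = {
    "net_http_vs": ("10.10.10.0/24", 80),
    "net_any_vs": ("10.10.10.0/24", 0),
    "wildcard_vs": ("0.0.0.0/0", 0),
}

def select_virtual_server(dst_ip, dst_port, table=VIRTUAL_SERVERS):
    """Return the name of the most specific listener for dst_ip:dst_port."""
    ip = ipaddress.ip_address(dst_ip)
    matches = []
    for name, (dest, port) in table.items():
        net = ipaddress.ip_network(dest)
        if ip in net and port in (0, dst_port):
            # Longer prefix wins first; a specific port beats a wildcard port.
            matches.append((net.prefixlen, port != 0, name))
    return max(matches)[2] if matches else None

def handled_by_wildcard(flows, table=VIRTUAL_SERVERS):
    """List flows whose winning listener has a wildcard address or wildcard port."""
    caught = []
    for dst_ip, dst_port in flows:
        name = select_virtual_server(dst_ip, dst_port, table)
        if name is None:
            continue
        dest, port = table[name]
        if port == 0 or ipaddress.ip_network(dest).prefixlen == 0:
            caught.append((dst_ip, dst_port, name))
    return caught
```

Running `handled_by_wildcard` over the destinations and ports you expect to see shows which traffic is accepted only because a wildcard listener exists, which is the traffic worth reviewing.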
[Figure: SYN, SYN/ACK, ACK, HTTP GET and HTTP RESPONSE exchanged with http_pool]
Manual Resume
• Pool Member wouldn’t be marked Available when it goes back online
• Must be manually enabled
• Used commonly during Server maintenance and troubleshooting
HTTP Health Monitors
Customizing HTTP Monitor
• Send String
• Receive String
• Receive Disable String
Symbol Description
Green Circle Available
Configuration
• SNAT List / Manual
• Virtual Server
[Figure: http_vs = 10.10.1.100:80; to client: SRC IP – 10.10.1.100, DST IP – 10.10.1.30; VLAN Internal, Self IP Address - 172.16.1.31/16, Floating IP – 172.16.1.33/16; to server: SRC IP – 172.16.1.33, DST IP – 172.16.20.1; from server: SRC IP – 172.16.20.1, DST IP – 172.16.1.33; pool members 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80]
SNAT Revisit
SNAT Pool
• Pool where you can add one or more translated IP Addresses
• Used to resolve SNAT Port Exhaustion
SNAT List
• Manual SNAT configuration
• Define the source of IP Address / Range
• Define Translated IP – Automap, SNAT Pool, or Specific IP
• Applies to all Virtual Servers when SNAT in the VS is not configured
TCP Profile Performance Settings
• Nagle's algorithm – reduce network congestion
• Memory Management - proxy buffer levels and window size
• TTL, TCP Flags, ToS, QoS etc.
[Figure: SYN, SYN/ACK, ACK; tcp-legacy]
Dependencies
• Compression, Cookie Persistence, Web Acceleration, Fallback Host, iRule with HTTP event require HTTP Profile
SSL Profile Revisit
SSL Termination / SSL Offload
• Client SSL Profile
• Client Side - Encrypted Traffic
• Server Side - Unencrypted Traffic
[Figure: 10.10.1.30; https_vs = 10.10.1.100:443; VLAN Internal, Self IP Address - 172.16.1.31/16, Floating IP – 172.16.1.33/16]
Limitation Without SSL Termination
• No HTTP Profiles
• No HTTP Compression, Web Acceleration, Cookie Persistence
• No Security Inspection
• Limited iRules
Disadvantage of Re-Encryption
• Certificate and Keys are required on both BIG-IP and Servers
• More Resource Consumption on Server side
• Complex Troubleshooting
[Figure: 10.10.1.30 and 10.10.1.40; http_vs = 10.10.1.100:80; http_pool]
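Associated iRule
when HTTP_REQUEST {
    # Persist only when the request URI carries a user= parameter
    if { [HTTP::uri] contains "user=" } {
        # Skip the 5 characters of "user=" and use the text up to the next "&" as the persistence key
        persist uie [ findstr [HTTP::uri] "user=" 5 "&" ]
    }
}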
Universal Persistence
http://10.10.1.100/env.cgi?user=spoonman&pw=abc
Persistence Value   Persistence Mode   Virtual Server   Pool        Pool Member       Age
spoonman            Universal          http_vs          http_pool   172.16.20.1:80    13 sec
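How the iRule's findstr call turns a URI into the persistence value in the table above, as an added example that is not part of the original slides. It is a Python model of findstr (first occurrence of the search string, skip count, optional terminator) and of a persistence table; the class name, the member list and the round-robin fallback are assumptions.

```python
def findstr(string, search, skip=0, terminator=None):
    """Model of iRule findstr: locate `search`, skip `skip` characters from the
    start of the match, return text up to `terminator` (or the end of string)."""
    start = string.find(search)
    if start == -1:
        return ""
    rest = string[start + skip:]
    if terminator:
        end = rest.find(terminator)
        if end != -1:
            rest = rest[:end]
    return rest

class UniversalPersistence:
    """Hypothetical model of http_vs with the persistence iRule attached."""

    def __init__(self, members):
        self.members = members
        self.records = {}      # persistence value -> pool member
        self.next_index = 0    # round-robin position for unpersisted requests

    def load_balance(self):
        member = self.members[self.next_index % len(self.members)]
        self.next_index += 1
        return member

    def route(self, uri):
        """Return (persistence_value, member) for one HTTP request URI."""
        if "user=" not in uri:
            return None, self.load_balance()
        key = findstr(uri, "user=", 5, "&")
        if key not in self.records:
            self.records[key] = self.load_balance()
        return key, self.records[key]
```

Because `contains "user="` and findstr both match substrings, a URI such as `/env.cgi?superuser=1&user=alice` persists on `1` rather than `alice`; matching on `?user=` or `&user=` avoids that mis-keying.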
[Figure: http_vs = 10.10.1.100:80, http_pool, univ_pers, with the same iRule as above]
iRule Variable
• Piece of data stored in memory
• Named and re-used
when HTTP_REQUEST {
    # Choose the pool from the browser named in the User-Agent header
    if { [HTTP::header User-Agent] contains "Chrome" } {
        pool pool1
    } elseif { [HTTP::header User-Agent] contains "MSIE" } {
        pool pool3
    } else {
        pool pool2
    }
}