Server1 Configuration
# Static config for eth0
auto eth0
iface eth0 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    gateway 192.168.1.100
    up echo "nameserver 8.8.8.8" > /etc/resolv.conf
Server2 Configuration
# Static config for eth0
auto eth0
iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.100
    up echo "nameserver 8.8.8.8" > /etc/resolv.conf
PC1 Configuration
# Static config for eth0
auto eth0
iface eth0 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    gateway 192.168.2.100
    up echo "nameserver 8.8.8.8" > /etc/resolv.conf
Check the interface status: interface 1.1 is the Internal VLAN interface and 1.2 is the External VLAN interface.
SNMP Manager:
o Software that runs on the network administrator's system.
o A computer used to monitor the network, also called a Network Management System (NMS).
SNMP Agent:
o Software that runs on the network devices we want to monitor (routers, firewalls, etc.).
SNMPv2c:
o SNMPv2c is an update to SNMPv2.
o SNMPv2c uses the community-based security model of SNMPv1.
o The "c" in SNMPv2c stands for "community".
o SNMPv2c sends the community strings in clear text.
SNMPv3:
o SNMPv3 is the most secure version among the SNMP versions.
o SNMPv3 provides secure access to devices using authentication and encryption.
o The authentication security feature makes sure that the message is from a valid source.
o The integrity security feature makes sure that the message has not been tampered with.
o The encryption security feature provides confidentiality by encrypting the contents.
o SNMPv3 never sends the user password in clear text.
o SNMPv3 uses SHA1 or MD5 hash-based authentication.
o SNMPv3 encryption is done using AES, 3DES or DES.
o SNMPv3 offers three security levels: noAuthNoPriv, authNoPriv and authPriv.
o Auth stands for Authentication and Priv for Privacy.
o noAuthNoPriv = no authentication and no encryption.
o authNoPriv = authentication but no encryption.
o authPriv = authentication AND encryption.
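To make the SNMPv3 points above concrete (the password never crosses the wire, authentication is a keyed MD5/SHA1 HMAC, and privacy is only allowed together with authentication), here is an added Python example that is not part of the original notes. It implements the RFC 3414 password-to-key and key-localization steps; the "maplesyrup" password and engine ID are the RFC's own sample inputs, used here as constructed data rather than anything from this lab.

```python
import hashlib
import hmac

ONE_MIB = 1048576  # RFC 3414 feeds this many bytes of password into the hash


def password_to_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Derive the localized USM key Kul from a password and the agent's snmpEngineID.

    The agent never sees the password: the manager hashes it into Ku, then binds Ku
    to the engine ID, so a key recovered from one agent is useless against another.
    """
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    # Step 1 (Ku): the password repeated cyclically until 1 MiB has been hashed.
    expanded = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    ku = hashlib.new(hash_name, expanded).digest()
    # Step 2 (Kul): H(Ku || snmpEngineID || Ku)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(localized_key: bytes, wire_message: bytes, hash_name: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated to 96 bits.

    This 12-byte tag (HMAC-MD5-96 / HMAC-SHA-96) is what travels on the wire,
    not the password and not Kul.
    """
    return hmac.new(localized_key, wire_message, hash_name).digest()[:12]


def security_level(auth: bool, priv: bool) -> str:
    """Map the auth/priv choice to the three USM security levels.

    Privacy without authentication is not a valid SNMPv3 combination.
    """
    if priv and not auth:
        raise ValueError("privacy requires authentication; there is no noAuthPriv level")
    if not auth:
        return "noAuthNoPriv"
    return "authPriv" if priv else "authNoPriv"


if __name__ == "__main__":
    # Constructed inputs: RFC 3414 Appendix A.3 sample password and engine ID.
    engine_id = bytes.fromhex("000000000000000000000002")
    kul = password_to_key("maplesyrup", engine_id, "sha1")
    print("Kul (SHA1):", kul.hex())
    print("auth tag:", auth_parameters(kul, b"constructed SNMPv3 message bytes", "sha1").hex())
    print(security_level(auth=True, priv=True))
```

The same Kul is what a BIG-IP (or any agent) stores for the user; an SNMPv2c community string, by contrast, is sent as-is in every packet.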
Configuring SNMP manager access to the SNMP agent on the BIG-IP system
Gather the IP addresses of the SNMP managers that you want to have access to the SNMP
agent on this BIG-IP system. Then configure the SNMP agent on the BIG-IP system to allow a
client running the SNMP manager to access the agent for the purpose of remotely managing
the BIG-IP system.
On the Main tab, click System > SNMP > Agent > Configuration. In the Client Allow List area, for
the Type setting, select either Host or Network, depending on whether the IP address you
specify is a host system or a subnet. In the Address field, type either an IP address or network
address from which the SNMP agent can accept requests. If you selected Network, type the
netmask in the Mask field. Click Add and then click Update.
Enabling Traps:
You can configure the SNMP agent on the BIG-IP system to send, or refrain from sending,
notifications to the trap destinations.
On the Main tab, click System > SNMP > Traps > Configuration. To send traps when an
administrator starts or stops the SNMP agent, verify that the Enabled check box for the Agent
Start/Stop setting is selected. To send notifications when authentication warnings occur, select
the Enabled check box for the Agent Authentication setting. To send notifications when certain
warnings occur, verify that the Enabled check box for the Device setting is selected. Click Update.
Local Logging:
o By default, the BIG-IP system logs events locally and stores messages in the /var/log directory.
o Local logging on LTM is done with Linux syslog-ng, and the log data is stored locally on the system.
o The local syslog logs that the BIG-IP system can generate include several types of information.
Remote Logging:
o You can configure the system to use the high-speed logging (HSL) mechanism to log messages to a pool of remote log servers.
o If LTM processes a high volume of traffic or generates an excessive amount of log data, F5 recommends that you configure remote logging with the high-speed logging mechanism (HSL).
o F5 Networks recommends that you store logs on a pool of remote logging servers using HSL.
o When remote logging is implemented using TMOS, it is called High-Speed Logging (HSL).
Audit Logs:
The Audit tab shows administrative actions, for example a route added or deleted by admin,
a user disabled by admin, user add/delete, pool create/delete, etc. These are stored in the /var/log/audit file.
In the Main tab, navigate to System > Logs > Configuration > Remote Logging, configure the
remote syslog server IP address and click Update to apply the setting.
The Pool-Syslog server is 192.168.1.50, where the syslog server is installed to receive the logs.
This can also be verified from the Pool-Syslog statistics, which show hits.
F5 Interface Configuration
Management: NAT Cloud
1.1: Connected to a dedicated LAN
1.2: External
Finally, the Self IP list shows all three Internal VLAN Self IPs (VLAN10, VLAN20 and VLAN30) and one External VLAN Self IP.
Creating Node:
From the F5 home page, click Local Traffic > Nodes > Node List. Click Create. In the New Node
page, enter the following information: In the Name field, enter a name for the node. In the
Address field, enter the IP address of the node. Optionally, in the Description field, enter a brief
description for the node. In the Configuration area, keep the default settings. Click
Finished. The new node is created. Finally, all three nodes SRV-1, SRV-2 and SRV-3 look like
the screenshot below.
Click the Resources tab, from the Default Pool drop-down list select the pool you have created.
Click Finished.
Open a new browser session on the external clients and enter the address of the virtual
server at http://192.168.2.200
PC Configuration
IP address: 1.1.1.1
Subnet Mask: 255.255.255.0
Gateway: 1.1.1.254
DNS: 8.8.8.8
Navigate to the Server-2 Docker desktop, click the WWW folder, open the html folder inside it, right-click
the index.html file, open it with Pluma, paste the HTML below and click Save.
<html>
<head>
<title>This is Server 2</title>
</head>
<body>
<h1 style="color:blue;">THIS IS SERVER 2</h1>
</body>
</html>
Navigate to the Server-3 Docker desktop, click the WWW folder, open the html folder inside it, right-click
the index.html file, open it with Pluma, paste the HTML below and click Save.
<html>
<head>
<title>This is Server 3</title>
</head>
<body>
<h1 style="color:green;">THIS IS SERVER 3</h1>
</body>
</html>
Enter the desired IP address for the management interface and click OK.
Enter the desired subnet mask for the management interface and click OK.
It will prompt you to change the password: type the current password (in our case Abc@admin1),
then type the same Abc@admin1 as the new password and confirm it with Abc@admin1.
Click the Resources tab, from the Default Pool drop-down list select the pool you have created.
Click Finished.
Finally, the default route is ready; it will send all the traffic to our ISP router, 192.168.1.254.
From the F5 home page, click Statistics > Dashboard > Module Statistics > Local Traffic. In the
Statistics Type dropdown, select Nodes to see the traffic in and out.
F5 LTM HA Modes:
Active-Standby:
o In Active-Standby, one LTM actively manages traffic while the other is kept synchronized.
o With an Active-Standby deployment, traffic is only processed by a single device.
o This is achieved via a single traffic group, within which all failover objects reside.
o In Active-Standby, the standby is ready to transition to the active state should a failure occur.
o One device actively manages traffic until a path, link, system, or network failure occurs.
o When the active device fails, the standby LTM transitions to the active state and takes over.
o F5 Active-Standby has a simple design concept and is easier to troubleshoot.
o Configuration is synchronized between devices, and connection and persistence state data can be mirrored.
o If a failure is detected on the active unit, all the traffic is moved to the standby.
o The standby member already has all the configuration and the connection persistence state.
o Active-Standby deployments with the BIG-IP system should use only traffic-group-1.
HA Prerequisites:
o To set up High Availability (HA) on F5 LTM, you need a pair of LTMs that meet the following.
o The same model: the F5 LTMs in the pair must be of the same hardware model.
o The BIG-IP units in a redundant system must run the same software version.
o F5 does not support BIG-IP redundant configurations running different software versions.
o BIG-IP systems in a redundant configuration must run the same hotfix version.
o F5 does not support BIG-IP redundant configurations running different hotfix versions.
o BIG-IP units in a redundant system must match with respect to product licensing.
o BIG-IP units in a redundant system must match with respect to module provisioning.
o Cluster members must also have the same hardware configuration, such as the same HDD.
Devices:
o A device represents either a physical or virtual instance of a BIG-IP Local Traffic Manager system.
Device Groups:
o A device group is a collection of BIG-IP units that have established a device trust and share data.
o The type of data shared depends on what type of data the device group is configured to share.
o Devices in a group synchronize, and fail over their configuration, based on the device group type.
o There are two types of device groups: sync-only and sync-failover.
Device Trust:
o Device trust represents the trust relationship between devices, also known as a trust domain.
o Device trust in Local Traffic Manager is achieved via certificate-based authentication.
o In the BIG-IP system, device trust is a prerequisite for both device groups and traffic groups.
o To provide failover or configuration sync, the LTMs on the network must be in the same trust domain.
o In the BIG-IP system, the initial trust of each device is established over the management interface.
Sync-Failover:
o Both configuration data and the failover objects are synchronized; utilizes traffic groups.
o A sync-failover device group synchronizes configuration data and traffic group data for failover.
o Use this configuration to fully synchronize two BIG-IP Local Traffic Manager (LTM) systems.
o If the active device becomes unavailable, failover occurs and the standby instantly picks up the traffic.
Sync-Only:
o In a device group of type Sync-Only, only the configuration data is synchronized.
o A sync-only device group synchronizes only configuration data, such as policy data.
o A device group of type Sync-Only does not synchronize failover objects.
Traffic Groups:
o A traffic group is a collection of related configuration objects that run on a BIG-IP system.
o It is a collection of failover objects that runs on one of the devices within the device group.
o Should that device become unavailable, the failover objects are served by another device in the group.
o In general, an F5 LTM traffic group makes sure that when a device becomes unavailable,
all of the failover objects in the traffic group fail over to a standby system in its device group.
Overwrite Configuration:
o When performing this action, the configuration is synchronized regardless of when it was modified.
Connection Mirroring:
o Connection and persistence information on the active F5 chassis is duplicated to the peer unit.
o In the event of failover, the peer can begin processing connections immediately without interruption.
Configuration Synchronization:
o ConfigSync is a high availability process that collects the configuration files and directories
from one unit of the redundant pair into an archive file, then transmits and installs it on the peer.
Network Failover:
o When BIG-IP redundant systems are configured to use the network failover method,
the BIG-IP LTM systems communicate over the configured failover addresses only.
Floating IP:
This is the cluster shared IP; this IP will be active on the active device and it will move to the
other device in case of failover. This will be the GW for servers.
Manual:
If you do not enable auto sync, you must manually synchronize the BIG-IP configuration among
device group members to ensure that the devices remain in sync. With manual synchronization,
the BIG-IP system notifies you whenever configuration data within the group has changed and
therefore needs to be synchronized.
Full:
When you enable full sync, the BIG-IP system syncs the entire set of BIG-IP configuration data
whenever a config sync operation occurs. You can only do a full sync operation if you have
enabled manual sync; Full sync operations are not available when automatic sync is enabled.
Incremental:
When you enable incremental sync, the BIG-IP system syncs only the changes that are more
recent than those on the target device.
Device Details
PC1 Webterm Docker
# Static config for eth0
auto eth0
iface eth0 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    gateway 192.168.2.100
PC2 Webterm Docker
# Static config for eth0
auto eth0
iface eth0 inet static
    address 192.168.2.2
    netmask 255.255.255.0
    gateway 192.168.2.100
PC3 Webterm Docker
# Static config for eth0
auto eth0
iface eth0 inet static
    address 192.168.2.3
    netmask 255.255.255.0
    gateway 192.168.2.100
All three backend servers SRV1, SRV2 and SRV3 are configured in BIGIP1.
There is only one HTTP pool configured in BIGIP1; there is no need to configure it in BIGIP2.
Similarly, in BIGIP2 choose 192.168.3.101 (VLAN HA) and 192.168.114.101 (Management IP address).
Same configuration but different IPs on BIGIP2: primary HA-VLAN and secondary Internal-VLAN.