F5 Networks Training
BIG-IP® LTM V10.2 Essentials
Student Guide

Preface

BIG-IP® LTM V10.2 Essentials Student Guide
Thirteenth Printing, November 2010

This manual was written for BIG-IP Local Traffic Manager version 10.2.0.

© 2010, F5 Networks, Inc. All rights reserved.

Legal Notices

Copyright

Copyright 2010, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time.

Trademarks

3DNS, Access Policy Manager, APM, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, Application Security Manager, ASM, ARX, Ask F5, BIG-IP, Data Manager, DevCentral, DevCentral [DESIGN], Edge Client, Edge Gateway, Enterprise Manager, EM, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, IBR, Intelligent Compression, IPv6 Gateway, iQuery, iRules, iRules OnDemand, IT agility. Your way., L7 Rate Shaping, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, SSL Acceleration, StrongBox, SYN Check, TCP Express, Transparent Data Reduction, TDR, The World Runs Better with F5, Traffic Management Operating System, TMOS, TrafficShield, VIPRION, WebAccelerator, WA, WAN Optimization Module, WOM, and ZoneRunner are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners.

Patents

This product may be protected by U.S. patents. Other patents pending.

Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning

This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC, Canadian Regulatory and Standards Compliance

This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

This Class A digital apparatus complies with Canadian ICES-003.

This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

F5 Networks: Ensuring the Secure and Optimized Delivery of Applications

As the pioneer in Application Delivery Networks, F5 continues to lead the industry by driving more intelligence into the network to deliver advanced application agility. F5 products ensure the secure and optimized delivery of applications to any user, using any device, anywhere in the world.

Through its flexible and cohesive architecture, F5 delivers unmatched value by improving the way organizations serve their employees, customers and constituents, while dramatically lowering operational costs.

F5's application delivery network products provide:

Application Optimization
F5 architecture automatically assigns every application the right mix of availability, security, and performance at the network level, further optimizing their performance.

Application Security
F5's Application Traffic Management architecture supports integrated security features that protect the delivery of applications by enforcing security policies at the edge of the network, before a session is allowed.

Application Delivery
F5 architecture delivers the raw horsepower, based on tightly integrated security, availability and reliability, all of which work together to deliver exceptional throughput and connection performance.

F5 Product Suite Overview

F5 products address the three main areas of Application Delivery Networking: Application Security, Application Optimization and Application Availability. Regardless of your network application pain, F5 has a solution.
In addition, because we recognize that each network issue has an impact upon other critical areas, F5 products share powerful attributes from the industry's only integrated platform - TMOS. TMOS includes the iControl API, which allows F5 products to communicate with each other and implement extremely flexible policies in the form of iRules. An active developer community, unique to F5, creates and shares customized iRules for enforcing virtually any kind of application-delivery behavior.

The result is elegant and powerful solutions to protect you from security threats, network failures and traffic congestion, while putting in place architecture for the future.

F5 products include:

* BIG-IP Local Traffic Manager (LTM)
* BIG-IP Global Traffic Manager (GTM)
* BIG-IP Link Controller (LC)
* BIG-IP Application Security Manager (ASM)
* BIG-IP Access Policy Manager (APM)
* BIG-IP WebAccelerator Module (WAM)
* BIG-IP WAN Optimization Module (WOM)
* BIG-IP Edge Gateway
* Enterprise Manager (EM)
* FirePass
* ARX

BIG-IP - Traffic Management

From basic local and wide area load balancing, to link traffic management, to applications that require special handling and augmented security, F5 has the solution to fit every business need, and every

BIG-IP® Local Traffic Manager (LTM)

Network intelligence on a cost-effective, integrated SSL hardware platform for flexible, fast, secure IP-centric traffic management

BIG-IP® LTM is a local area application traffic management solution. BIG-IP LTM provides the benefits of traffic management traditionally reserved for Web-only applications to all IP-based applications and Web services. BIG-IP LTM ensures business continuity, security and performance by intercepting, inspecting, transforming and directing application and Web services requests based on values found in the header or payload. BIG-IP LTM products also include SSL acceleration to offload this processing-intensive function from the application servers themselves, increasing application performance.

BIG-IP® Global Traffic Manager (GTM)

Wide-area network high-availability, intelligent load balancing

The BIG-IP® GTM System provides wide-area traffic management and high availability of IP applications/services running across multiple data centers. With GTM, businesses can ensure optimal reliability and fast performance across all of their Internet sites, no matter where they are in the world.

GTM adds intelligence to standard DNS, and ensures that end users are sent to a site that is available and provides the best response. Its unique intelligence can examine the health of data centers, the network, and the geography of users, then direct traffic based on customizable business rules.

BIG-IP® Link Controller (LC)

High availability and intelligent routing for multi-homed networks

As enterprises increase their use of the Internet to deliver their business-critical applications, maintaining only one link to the public network represents a single point of failure and serious network vulnerability. The BIG-IP® Link Controller monitors availability and performance of multiple WAN connections to intelligently manage traffic flows to and from a site - providing fault tolerant, optimized Internet access.

BIG-IP® Application Security Manager (ASM)

Web Application Firewall

BIG-IP® ASM provides comprehensive security for IP-based applications and services, protecting them against known and unknown external threats at the network and application layers. ASM is an Application Firewall, a new class of device that protects applications from hackers and other malicious attacks. ASM offers several modules for filtering out malicious requests, scrubbing data sent to users, and cloaking application infrastructure.
The core functionality is a powerful application firewall that checks every user request against a known set of user interactions with the Web application, rejecting any request not known to be legal.

Unlike network firewall products that focus on protecting against network-level attacks, or pure Intrusion Prevention Systems that focus on preventing ever-increasing quantities of known attacks, ASM offers organizations a complete Web application protection system capable of blocking a broad range of network and Web application attacks.

BIG-IP® Access Policy Manager (APM)

Simplified web access management

BIG-IP APM provides policy-based, context-aware access to users while simplifying authentication, authorization, and accounting (AAA) management. By providing full AAA control directly on the BIG-IP System, BIG-IP APM enables users to consolidate access infrastructure, reduce authentication and authorization costs, and scale to support thousands of users simultaneously.

BIG-IP APM provides dynamic access control by creating L4 and L7 access control lists (ACLs) based on user identity, IP address and attributes such as group membership pulled from the directory.

In regards to authentication, BIG-IP APM supports Active Directory, RADIUS, Native RSA SecurID, and LDAP accounting as well as authentication redundancy.

BIG-IP® WebAccelerator™ Module (WAM)

Application Optimization

Mobile workers access enterprise applications from coffee shops, airports and offices. These workers expect their web applications (e-mail, ERP, sales force automation) to perform well in all locations. If any part of the application delivery system falters, end-to-end performance degrades and productivity suffers.

BIG-IP WebAccelerator™ is an advanced application delivery solution that provides superior web application performance for mobile workers. WebAccelerator speeds up web applications such as Hyperion™, PeopleSoft™, Plumtree™, SAP™, Siebel™ and others, often increasing performance by 200% to 500%.

BIG-IP® WAN Optimization Module (WOM)

Optimize and accelerate mission-critical applications across the WAN

BIG-IP WOM overcomes network and application issues on the WAN to ensure that all users get the application availability and performance they need to stay productive. These services are integrated directly on BIG-IP Systems and include superior compression, encryption, and traffic control capabilities that dramatically reduce bandwidth usage and enable users to improve quality of service for the critical applications that drive businesses.

Key benefits of WOM are:

* Encrypt and accelerate data between multiple BIG-IP devices
* Reduce server usage and save on costly bandwidth upgrades with superior compression and TCP optimization
* Accelerate applications across the WAN to improve user performance and scalability

BIG-IP® Edge Gateway

Delivers secure and accelerated remote access to applications

As more mobile and remote workers access applications and data from many different devices and locations, ensuring fast application performance for remote users is a growing concern for IT organizations.

BIG-IP Edge Gateway is an access solution that brings together SSL VPN remote access, security, application acceleration and availability services for remote users. BIG-IP Edge Gateway drives identity into the network to provide context-aware, policy-controlled, secure remote access to applications at LAN speed.

Enterprise Manager (EM)

Simplified multi-F5 device management and control

Enterprise Manager (EM) provides a single, centralized management and operational interface for F5 devices. It makes configuring and managing multiple F5 devices easy by allowing administrators to see changes across many devices or objects - reducing overhead and saving time.
With Enterprise Manager, you will:

* Reduce your labor costs for managing multiple F5 devices
* Archive and safeguard device configurations for contingency planning
* Easily and quickly roll out software upgrades and security patches
* Receive alerts that help you keep a healthy environment and take proactive actions

FirePass®

SSL VPN Remote Access

F5's FirePass Controller provides secure remote access to corporate applications and data via standard Web browser technology. It enables companies to extend secure remote access to anyone connected to the Internet using desktops, laptops, PDAs, kiosks and more - while eliminating the need for complex IPSec VPN. FirePass is the first SSL VPN solution with complete cross-platform support. Extending its support for any IP application to Macintosh, PocketPC and Linux clients, in addition to Windows, and expanding client and application security for Web, email and file application access, FirePass supports access to Web hosts, terminal servers, client-server applications, legacy hosts, mobile devices and Windows desktops, without pre-installed client software.

ARX

Intelligent File Virtualization

Information Lifecycle Management (ILM) holds tremendous promise for the enterprise, yet its adoption has been slowed by factors such as proprietary vendor approaches, complexity and lack of internal coordination. Increasingly, enterprises are using intelligent file virtualization to create storage tiers and to use those tiers more efficiently, without many of the drawbacks associated with traditional ILM approaches.

Intelligent file virtualization offers a simple, open approach to automated storage tiering that can be deployed rapidly to provide a dramatic positive economic impact to enterprises.

iControl® SDK

Software Development Kit

The iControl® architecture and SDK provide an interface between third party solutions and F5's suite of products.
This interface creates the opportunity for application developers, ISVs, hardware manufacturers, service providers, and others to add value to their solutions by allowing direct communication with our suite to create a true application-aware network. For more information, please visit devcentral.f5.com.

F5 Customer Support

Network Support Center

F5® Technical Support is designed to remotely assist you with specific break-fix issues regarding ongoing maintenance of your F5 products. All F5 products come with a one-year manufacturer's hardware warranty and 90 days of software media warranty. Technical support is limited to F5 products with an active support contract. Subscribers who require additional levels of support from our support team may opt to upgrade to Premium Support, which includes 24 x 7 support.

Ask F5

Ask F5 is an online knowledge base accessible 24x7 through our technical support website. Ask F5 gives you real-time access to in-depth product and technical support information, by providing a simple, English language query-based search. Ask F5 provides unlimited access at no additional charge for all F5 customers covered under an F5 annual service agreement.

Web Support Portal

The F5 Web Support Portal provides you with more flexibility and better, faster access to F5 support, 24 x 7. Quickly initiate new support cases, immediately receive an automated case number, read case details and updates on your open cases, upload troubleshooting attachments, and more. You never have to remember phone numbers or wait on hold, and online help is always available.

DevCentral

DevCentral is a community of experienced F5 users who regularly post answers based on real-life knowledge.
To assist DevCentral members, F5 provides technical documentation, tips, access to free sample downloads and a confidential discussion forum for receiving answers to technical questions. DevCentral is free of charge to our customers for building iRules and iControl applications, and the forum is monitored by F5 engineers and experts who offer assistance on technical questions including design architecture, troubleshooting, and general assistance with building iRules and iControl applications.

F5 offers extensive, expert training on F5 products for IT professionals. We help you achieve success through certifications while keeping you one step ahead of rapidly changing networking and Internet technologies. Courses are presented in a hands-on lab format, combining theoretical content with highly interactive exercises to help IT professionals experience real-world applications and solutions. These services are delivered through F5 and F5-authorized training centers located around the world.

F5 Professional Services

F5 Professional Services executes on the company's paradigm of innovation by delivering a full range of consulting services, including planning, design, deployment, upgrades, migrations, optimization and application verification to ensure highly available, scalable and secure infrastructure.

Design and Planning Services

Maximize your return on product investment. Allow our Professional Consultants to design the optimal network architecture and create a comprehensive deployment plan to put it into production. We design efficiency, flexibility, scalability and security into every project to fit your business needs, utilizing F5 best practices for physical and logical topology and application traffic management.

Installation Services

An F5 Professional Consultant will work to ensure your F5 product is installed and running as efficiently as possible. Network topology, load balancing design review, application tuning and product orientation are included in this service.
Network performance tuning and comprehensive product training are not included.

Optimization Services

F5 Consultants can help you leverage the true power of advanced product features such as compression, caching, and traffic shaping. Network performance tuning and application tuning are also offered to optimize your F5 deployment.

Application Deployment Services

Get the most out of your load-balanced applications by allowing an F5 product expert to assist with application deployment. An F5 consultant will review your business goals, application architecture and traffic management requirements to create a comprehensive deployment plan, then assist in its implementation.

Upgrade and Migration Services

Take advantage of the latest and greatest traffic management features. Our seasoned consultants will work with you to plan and execute upgrades to new software versions or hardware platforms. We are also happy to assist you with migrations from competing traffic management products.

Custom Scripting and Monitor Development

Many applications require "outside the box" customization possible only by scripting: EAV (Extended Application Verification), complex monitors, iRules™, iControl®, and other complex automated tasks can take your F5 investment to the next level. F5 Consultants have the requisite extensive knowledge of the product's internal workings to develop creative and compatible solutions that address your specific requirements.

Table of Contents

Module 1: Installation and Initial Access
    BIG-IP Local Traffic Manager Overview
    Licensing, Provisioning & the Setup Utility
    Installation and Setup Labs
    Lab - Changing Initial IP Address
    Lab - Setup Utility
    Lab - Configuration Utility
    Lab - Configuration Backup
    BIG-IP Hardware Platforms
    Switch Card Control Processor (SCCP) and Always On Management (AOM)
    Lab - SCCP / AOM IP Address Configuration

Module 2: Load Balancing
    Virtual Servers and Pools
    Configuring Virtual Servers and Pools
    Lab - Virtual Server and Pools
    Network Map
    Load Balancing Modes
    Configuring Load Balancing
    Labs - Load Balancing

Module 3: Monitors
    Monitor Concepts
    Monitor Configuration
    Monitor Status Reporting
    Lab - Monitors for Nodes
    Labs - Monitors for Pools and Members

Module 4: Profiles
    Profile Types and Dependencies
    Common Protocol Profile Types and Settings
    Configuring and Using Profiles

Module 5: Persistence
    Persistence Concepts
    Source Address Persistence
    Lab - Source Address Persistence
    Cookie Persistence
    Lab - Cookie Persistence
    Object Management
    Lab - Disabled Members

Module 6: Processing SSL Traffic
    SSL Termination
    SSL Profile Configuration
    Lab - Client SSL
    Lab - Client and Server SSL (Optional)

Module 7: Lab Project
    Configuration Project
    Lab - Configuration Project
    Review Questions - Modules 1 to 6

Module 8: NATs and SNATs
    Network Address Translation (NAT)
    Lab - Configuring a NAT
    Secure Network Address Translation (SNAT)
    Lab - SNAT Labs

Module 9: iRules
    iRules Concepts
    iRules Events
    Configuring iRules
    Labs - iRules Lab
    Labs - iRules Lab #2

Module 10: Installation of a Redundant Pair
    Redundant Pair Concepts
    Synchronization, State and Failover
    Lab - Redundant Pair Setup
    Lab - Synchronization
    Redundant Pair Communication
    Upgrading the BIG-IP System

Module 11: High Availability
    Failover Triggers
    Lab - Failover Triggers
    Failover Detection
    Lab - Network Failover
    Stateful Failover
    Lab - Connection Mirroring
    Lab - Persistence Mirroring
    MAC Masquerading
    Optional Lab - MAC Masquerading

Module 12: Maintaining BIG-IP LTM
    F5 Support Resources and Tools
    Documentation for F5 Support
    Next Steps and Review Questions
    Optional Labs - F5 Resources

Appendix A - Installation
    Pre-installation Information
    v10.x Installation Options
    Optional Lab - v10.x Re-install

Appendix B - New Features
    New Feature Summary for Version 10.2.0
    New Feature Summary for Version 10.1.0
    New Feature Summary for Version 10.0.0
    New Features for Version 9.4.X

Appendix C - Additional Topics

Appendix D - HTTP Basics
    Requests and Responses
    HTTP Headers

Printout of PowerPoint

Module 1: Installation and Initial Access

BIG-IP Local Traffic Manager Overview

Lesson Objective:

During this lesson, you will learn the basic functionality of the BIG-IP LTM System and how it operates in the network. You will also learn some of the different platforms and Service Levels of the BIG-IP LTM System.

Overview of the BIG-IP LTM System

The BIG-IP LTM platform is a network appliance that manages and balances traffic for networking equipment such as web servers, cache servers, routers, firewalls, and proxy servers. A variety of the BIG-IP LTM System's useful features meet the specific needs of e-commerce sites, Internet Service Providers (ISPs), and managers of large intranets. The system is highly configurable and its web-based and command line configuration utilities allow for easy system setup and monitoring. Adding a BIG-IP LTM System to your network ensures that your network remains reliable.

Licensing, Provisioning, & the Setup Utility

Lesson Objective:

During this lesson, you will learn the purpose and function of the Configuration, Licensing, and Setup utilities. At the end of this module you will have a licensed BIG-IP System, and have secure access to both the Command Line Interface (CLI) and the web-based Configuration utility.

Initial setup tools

There are four initial steps to set up a BIG-IP LTM System:

1. Set the IP address of the Management (MGMT) port via the config utility or LCD panel controls.
2. License the system through the web interface. This enables the features you purchased with your BIG-IP System.
3. Run the Setup Utility, which configures management access to the BIG-IP System. This includes administrator passwords, provisioning the system, and optionally network and VLAN definitions on the BIG-IP System.

[Figure: chassis layout showing the MGMT and Console ports, fan, and LCD panel controls]

Management Port IP Address

The system's default address is 192.168.1.245/24 with no default route. This address is on the MGMT port. Usually, the IP address, netmask and default route should be set prior to licensing the system. This can be done through the command line tool, config, or the LCD panel.

Changing Management IP address via the Command Line

Access the system via serial console or, optionally, SSH. Log in as the root user (default password of "default") and run the tool by entering config at the command line. You will be asked to enter a system IP address, netmask, default route if desired, and then to confirm the choices.

Changing Management IP address via the LCD Panel

You can also change the IP address via the LCD panel on the BIG-IP LTM system. Access the system menu by pressing the red X button. Then, the IP address, mask and default route can be set. On 1600 and later systems, be sure to click Commit to save your settings.

Once the BIG-IP System has access to the network, a license can be obtained.

License Administration

Once you connect the BIG-IP System to the network, you need a valid license to activate the software. To gain a license, you need to use your registration key to generate a dossier and then present the dossier to the license server. The base registration key is a 27-character string. Systems are shipped with your registration key in /config/RegKey.license. The file contains the registration key in the format:

RegistrationKey: AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE

F5's license server has the registration key associated with each customer's purchase information so that when the dossier is presented, the appropriate features are enabled.
The dossier is generated by the BIG-IP System, and is an encrypted list of characteristics that identify your platform. Multiple system settings are stored in the dossier including the system time and registration key. If needed, set the system clock to the current local date and time prior to creating the dossier.

In general, these are the steps to obtain the license:

1. Access the BIG-IP System
2. Note the registration key (lab environments may need to enter the key if it is not present in the /config/RegKey.license file)
3. Generate the dossier
4. Send the dossier to the license server
5. Install the bigip.license file
6. Provision the system
7. Reboot the BIG-IP system

NOTE: The /config/RegKey.license file may be lost during upgrades. It is recommended that sites keep backups of their registration keys, dossiers and license files. The registration key is also contained within the license file. You can also acquire registration keys from F5 support if you supply the platform's serial number.

Automatic license activation via the Configuration Utility

This method is used when the BIG-IP system can communicate directly with the license server. The

2. Log in as admin with a password of admin
3. Step through the License Process
4. Note the registration key (lab environments may need to enter the key if it is not present in the /config/RegKey.license file)
5. Click the Automated link

Manual license activation via the Configuration Utility

This method is used when the BIG-IP system cannot communicate directly with the license server or when sites wish to retain copies of the system dossiers. Still, a client machine must be able to communicate with the license server. This method involves additional steps: the dossier must be copied from the BIG-IP system to another device as part of the registration process. Then the dossier must be submitted to the F5 license server, the license retrieved, and then the license copied to the BIG-IP system. Once the BIG-IP system address is set:

1. Connect to https://
2. Log in as admin with password of admin
3. Step through the license process
4. Enter the registration key
5. Click the Manual link
6. Generate the dossier and copy it to the client machine
7. Connect the client machine to the Internet and connect to activate.f5.com
8. Submit the dossier to the license server and then download the license that is created
9. Connect the client machine to the BIG-IP System and install the license. The resulting license must be named bigip.license and must be stored in the /config directory.

Provisioning

Provisioning is a new management feature to help support the installation and configuration of the many modules available with BIG-IP. Provisioning gives you some control over the resources, both CPU and RAM, which are allocated to each licensed module. You may want, for example, to minimize the resources available to GTM on a system licensed for LTM and GTM.

Since all modules have some reliance on both management (Linux) and local traffic features, they will always be provisioned. Other modules must be manually provisioned. When you provision the module, you choose between five levels of resources. Dedicated, Nominal, Minimum and None are available for all modules and Lite is a fifth level available for trials.

* Dedicated is designed for situations where only one module is functional on the system, such as GTM.
* Nominal gives the module its minimum functional resources and distributes additional resources to the module if they are available. It is designed to give modules a good amount of the system resources.
* Minimum gives the module its minimum functional resources and distributes additional resources to other modules. It is designed to allow the maximum amount of modules to coexist on a system.
* None is designed for situations where another module needs dedicated access to
* Lite is available for select modules, granting limited features for trials.

Setup Utility Functionality

The Setup utility helps you quickly define management settings, such as the root password and the IP addresses for the interfaces that connect the BIG-IP System to the network. Some of the items that will be entered during the Setup utility include the following:

* Self IP Addresses and Netmask for VLANs
* Assign interfaces to VLANs
* IP address of the default route
* Root password for the BIG-IP System Command Line Interface (CLI)
* Admin password for the BIG-IP System Configuration Utility
* IP address (or range of IP addresses) allowed for SSH

The Setup utility creates many files that store basic BIG-IP System configuration settings:

* Administrative IP access files
    /etc/hosts.allow
* Interface and Configuration files
    /config/bigip.conf
    /config/bigip_base.conf
    /config/BigDB.dat

Accessing the Setup utility

The Setup utility can be accessed once the system is licensed. It can be run via the management port's default address, or with an alternate address set with the config tool or the LCD. Once the Setup utility is complete, the BIG-IP System can also be accessed through the addresses specified in the Setup utility.

The Web Configuration Utility (GUI)

The Web Configuration utility is a browser-based interface that uses SSL and access control lists to provide secure, real-time configuration. This secure interface is provided by the BIG-IP System running the Apache OpenSSL web server. You should use this utility to change the BIG-IP System's configuration for the following reasons:

* The learning curve is smaller because it is easier to use and more intuitive.
* It minimizes the chances of configuration errors. Input is checked and errors are reported immediately.
* Changes are effective immediately (no restarting of processes or reading of configuration files) and the changes are reflected immediately in the configuration files.
* It is easier to access: more people have browsers installed on their systems than SSH clients.

Accessing the Web Configuration Utility

The BIG-IP Web Configuration utility can be used to configure virtual servers, pools, NATs, and Secure NATs (SNATs). The BIG-IP Web Configuration utility also lets you monitor network traffic, current connections, and the operating system itself. It also provides convenient access to items such as the SNMP Management Information Base (MIB).

Steps to Access the Web Configuration Utility:

1. Enter the address https:/
All Addresses
3. Click Next.
4. Agree to the prompt indicating you will have to login again. Click OK.

NOTE: Note that you are setting the password of the root and admin accounts, not creating new accounts. The lab suggests you change the admin password from admin to adminX. If you do, you will need to log back into the system with the new password.

5. Login to the system as user admin with password of admin.
6. Select Basic Network Configuration and the internal VLAN by clicking Next.

Note: The Basic Network Configuration steps through creating two VLANs, internal and external, their interfaces and their self-IP addresses. Once that is complete, those VLANs can be modified or others created. If you choose the Advanced Network Configuration option, you must create VLANs and the self IPs manually.

Internal Network Settings
    Self IP Address:            172.16.X.31
    Self IP Netmask:            255.255.0.0
    Self IP Port Lockdown:      Allow Default
    Floating IP Address:        172.16.X.33
    Floating IP Port Lockdown:  Allow Default
    Failover Peer:              172.16.X.32
Internal VLAN Configuration
    VLAN Name:                  internal (Read Only)
    VLAN Tag ID:                auto
    VLAN Interfaces:            Untagged = Port 1.2

7.
Click the Next button to configure the external VLAN, then specify the following:

External Network Settings
    Self IP Address:            10.10.X.31
    Self IP Netmask:            255.255.0.0
    Self IP Port Lockdown:      Allow 443
    Default Gateway:            Leave blank
    Floating IP Address:        10.10.X.33
    Floating IP Port Lockdown:  Allow 443
External VLAN Configuration
    VLAN Name:                  external (Read only)
    VLAN Tag ID:                Auto
    VLAN Interfaces:            Untagged - Port 1.1

Click Finished.

Once the Basic Network Configuration is complete, the Welcome screen from the Overview section appears. The administrator can choose to change many presentation options, enable SNMP including downloading the MIB, access F5's knowledge database (Ask F5) or rerun the setup utility to change

Configuration Utility Lab

Objective:
* Access both the Web Configuration utility and Command Line (SSH) utility for the BIG-IP system and get familiar with the interface
* Estimated time for completion: 10 minutes

Lab Requirements:
* Self IP address of the BIG-IP system on the external VLAN
* CLI and GUI users and passwords for the BIG-IP system

Configure Address of Administrative System

Set / Ensure the IP settings on your PC match the following table:

    IP Address:     192.168.X.30 and 10.10.X.30
                    If your system supports only 1 address at a time, use 10.10.X.30 at this point
    Netmask:        255.255.0.0 (both)
    Default Route:  10.10.17.35 (could vary between sea...)

The Web Configuration Utility

1. Open a browser window to https://10.10.X.31 to connect to the Web Configuration Utility.
2. Accept the self-signed SSL certificate and login as admin using the password set earlier (adminX was suggested).
3. Note options available on the Welcome page such as DNS, NTP, re-running the Setup Utility and links to materials such as the product documentation, AskF5, and DevCentral.
4. Click on Network and note parameters for Interfaces, Self IPs, and VLANs.

Command Line access (SSH)

5. Open an SSH session and attempt to connect to the external IP Address of your BIG-IP system (10.10.X.31).
Some examples of SSH Clients are Putty, Teraterm, and SecureCRT.

Notice that you aren't able to access your BIG-IP system. This is because Port Lockdown for the external self IP addresses defaults to Allow 443 only. Access to port 22 is prevented.

6. From the web GUI select Network / Self IPs and then click the 10.10.X.31 self IP address. Under Port Lockdown / Custom List click the Port radio button, enter 22 as the port, click Add, and then click Update.

Once port 22 has been added, you should be able to successfully use SSH to attach to your BIG-IP system. You may be prompted to accept the SSH key; do so. Login as root using the password set earlier (rootX was suggested). If prompted for terminal type, select vt100.

7. Enter the following commands and compare to what you saw in the Network section. Note: "b" is short for "bigpipe".

    b vlan show
    b self show
    b interface show

Verifying User Access

1. Open a new SSH session but try to login as the admin user. By default it should fail.
2. From the Web Configuration utility select System / Users and then select the link for the admin user. Change the Terminal Access to Advanced Shell access, click Update, and then test SSH access with the admin user ID again.
3. Open a browser to the GUI interface and attempt to login as root. By default it should fail.

Saving a configuration

1. From the Navigation pane click System / Archives then click Create.
2. Within the General Properties section, specify the following:

    File Name:     trainX_base
    Encryption:    Disabled
    Private Keys:  Include
    Version:       BIG-IP Version (read only)

3. When complete, click Finished. Soon, an OK button will appear. Click OK or select Archives again.
4. Select trainX_base.ucs (the name is a link). Then click Download to save a copy to your desktop. There are now two backups: one on the BIG-IP system in the /var/local/ucs directory and one on the desktop. This base configuration will be used later in this course.
5.
If desired, the file's contents can be viewed from the CLI of your BIG-IP system.
   a. Make a new directory for this lab:
        mkdir /var/tmp/test/
      NOTE: The directory may already exist from previous courses.
   b. Change to the new directory:
        cd /var/tmp/test/
   c. Copy the backup to the new directory:
        cp /var/local/ucs/trainX_base.ucs trainX_base.ucs
   d. Decompress the file and extract the files:
        tar -xvzf trainX_base.ucs
   e. The resulting files show the directory structure and all files stored in the *.ucs file. Individual files can be viewed with cat, tail, more and other tools.

BIG-IP Hardware Platforms

Lesson Objective:
During this lesson, you learn about the platform options for BIG-IP systems and how to assign an IP address to the embedded Linux system used for out-of-band management.

BIG-IP Hardware Platforms

BIG-IP Systems optimize server availability and performance, ensuring that applications and servers respond quickly with the correct content. BIG-IP Systems sit between clients and servers, continuously monitoring server and network devices to ensure availability and performance, and directing incoming queries to the best server. Multiple platforms are available to suit your traffic needs. All platforms run the same software, but higher-end platforms have more options and can support more modules simultaneously.

Current platforms include the Viprion, 11000, 8900, 6900, 3600 and 1600. These platforms all represent years of research and development at F5 Networks that has resulted in best-of-breed application management systems. Many sites will continue to use one of F5 Networks' second generation systems, including the 8800, 8400, 6800, 6400, 3400, and 1500.

All systems are high availability, intelligent traffic management products and include out-of-band management, serial console access and front panel LCD screens. All systems support integrated SSL (key and bulk encryption) and HTTP compression.
All systems include gigabit Ethernet ports and many include 10-gigabit ports.

NOTE: For current information, go to: http://www.f5.com/

BIG-IP VIPRION®

VIPRION is the first application delivery controller that scales on demand. It provides the highest level of throughput and transactions per second available using the F5 TMOS platform to deliver massive performance and scalability for BIG-IP® platforms. This single, powerful controller uses modular performance blades you can add or remove without disrupting your applications. Instead of adding more devices in the network and segmenting applications, you can simply add more power to your existing infrastructure as needed. A fully loaded VIPRION system with four blades delivers performance that is orders of magnitude greater than anything else you will find on the market. Each of the blades includes 2 dual-core processors, 8 GB RAM, gigabit copper ports, 12 gigabit fiber ports, and up to 2 10-gigabit fiber ports.

BIG-IP® 11000 Series

The 11000 comes with symmetrical multiprocessing across twelve cores. It includes 10 x 10-gigabit fiber ports. The 11000 supports up to 100,000 TPS of SSL encryption. Dual power is included.

BIG-IP® 8900 Series

The 8900 comes with symmetrical multiprocessing across eight cores. It includes 16 gigabit copper ports, up to 8 SX, LX or copper ports (4 SX included in base) and an option for up to 2 10-gigabit ports. The 8900 supports up to 86,000 TPS of SSL encryption. Dual power is included.

BIG-IP® 6900 Series

The 6900 comes with symmetrical multiprocessing across four cores. It includes 16 gigabit copper Ethernet ports and up to 8 SX, LX or copper ports (4 SX included in base). The 6900 supports up to 25,000 TPS of SSL encryption. Dual power is included.

BIG-IP® 3900 Series

The 3900 comes with symmetrical multiprocessing across four cores. It includes 8 gigabit copper ports and up to 4 SX, LX or copper ports. The 3900 supports up to 15,000 TPS of SSL encryption.
Dual power is an option.

BIG-IP® 3600 Series

The 3600 comes with symmetrical multiprocessing across two cores. It includes 8 gigabit copper ports and up to 2 SX, LX or copper ports. The 3600 supports up to 10,000 TPS of SSL encryption. Dual power is an option.

BIG-IP® 1600 Series

The 1600 comes with symmetrical multiprocessing across two cores. It includes 4 gigabit copper ports and up to 2 SX, LX or copper ports. The 1600 supports up to 5000 TPS of SSL encryption. Dual power is an option.

Add-On Hardware

Redundant Power Supply

Dual power supplies reduce any single point of failure within the appliance. The 8900 and 6900 platforms ship with dual power supplies. The 8400, 6800, 6400 and 3600 platforms can be ordered with an optional Redundant Power Supply.

HTTP Compression

The 8900, 6900, and 8800 platforms include HTTP compression hardware. The 8400, 6800, and 6400 can have hardware compression added.

BIG-IP® FIPS SSL Accelerator

The BIG-IP FIPS SSL Accelerator is an optional card that can be added to most BIG-IP Systems. FIPS 140-1 level 3 validation allows for independently-certified secure management and storage of private keys. It also allows for tamper-resistant security and holographic seals that guard against physical attacks on your hardware and indicate any attempts at physical tampering. The FIPS option must be installed at the factory.

Switch Card Control Processor (SCCP) and Always On Management (AOM)

The SCCP and AOM are embedded Linux systems and are dedicated separate systems that provide lights out management and other supporting functions for the BIG-IP systems. The 8900, 6900, 3600, and 1600 have the AOM chip. The 8800, 8400, 6800, 6400, 3400 and 1500 have the SCCP chip. Both are accessed through a dedicated menu.

Accessing SCCP or AOM from the console

From a console session, whether or not you are logged in, you can access the dedicated menu to manage the system and to assign an IP address, mask and gateway to the system.
This should be done as part of any initial installation. To access the menu, press and release the ESCape key and then press the shift and 9 keys to produce a left parenthesis.

Either the SCCP menu will appear:

    [SCCP menu screen. Legible entries: Select Host subsystem boot mode (netboot, manufacturing test); Reboot Host subsystem (sends reboot command); SCCP network configurator; an entry that issues a hardware reset (USE WITH CARE!)]

Or the AOM menu will appear:

    [AOM menu screen. Legible entries: two entries that issue a hardware reset (USE WITH CARE!); Power Off Host subsystem (issues hardware shutdown, USE WITH CARE!); AOM baud rate configurator]

For both, option N, to set the IP address, is available only if connected via serial console. If set, the address must be in the same network range as the management port address. It is best practice to either set the IP address of SCCP/AOM, or use serial terminals, or both to ensure remote access is available to the system even while the host system is being updated or rebooted.

Objective:
* Configure an IP Address on the SCCP / AOM
* Reboot the Host (Linux and TMM) from the SCCP / AOM
Estimated Time: 10 minutes

NOTE: This section of the lab may vary per training location. If you do not have access to a serial console session in your location, then you may already have an IP Address for your SCCP / AOM, so ask your instructor for details.

Adding an Address to SCCP / AOM

If you have access to a serial console session with your BIG-IP System, then from your serial console session, type ESC (
Choose option N, SCCP / AOM network configurator
For Use DHCP? Enter
For Hostname (optional): press the Enter key
For IP address (required): 192.168.X.35
For Network mask (required): 255.255.0.0
For Broadcast IP address (optional): press the Enter key
For Default gateway IP address (optional): 192.168.20.1
For Nameserver IP address (optional): press the Enter key

Rebooting the Host System from SCCP / AOM (Optional)

NOTE: If you don't have access to a serial console or SCCP / AOM from your location, then ask your instructor for options rebooting the Host System.

1. Open an SSH session to SCCP / AOM at 192.168.X.35
2. When prompted, login as root with a password of root
3. From the prompt, enter hostconsh and then ESC ( to access the SCCP or AOM menu.
4. Select option 1, Connect to Host subsystem console, and press the Enter key
5. From the host prompt, enter ESC ( to access the SCCP menu again.
6. Select the option to Reboot Host subsystem (5 for SCCP and for AOM) and enter Y when prompted
7. For AOM you are automatically connected back to the Host subsystem. For SCCP, select option 1, Connect to Host subsystem console, and press the Enter key.

You will now see the Host subsystem rebooting from an SSH session with SCCP or AOM and you should not lose your connection during this reboot.

Module 2 - Load Balancing

Virtual Servers and Pools

Lesson Objective:
During this lesson, you will be introduced to the concepts of virtual servers, pools and pool members.

Pool Members

Each of the actual servers used for client traffic is defined on your BIG-IP system and is known as a pool member. Each pool member will include the server's IP address and port. You can define pool members with the host name if the BIG-IP system can resolve the name. Similarly, the service name can be used instead of the port value if a standard port is being used. Frequently, servers are located within networks that use private (RFC 1918) addresses and are physically isolated from public networks.
This allows you to take advantage of many of the security features of the BIG-IP system. Pool members are defined as you create and modify pools.

Nodes

The devices represented by the IP addresses of pool members are called nodes. Since nodes only have an IP address, they may represent multiple pool members. Nodes are typically not defined directly. Rather, as pool members are defined, the associated nodes are created automatically.

Pools

A pool is a group of pool members. With few exceptions, all the members of a given pool host the same content. Pools are named, and like most other objects on BIG-IP systems their names can begin with a letter or underscore, can contain numbers and cannot contain spaces. In addition to members, pools also have their own load balancing method, monitors and other features that are defined when the pool is created or modified. You can also view or reset statistics on pools and their members.

When a new connection is initiated to a virtual server that is mapped to a pool, various criteria, including the pool's load balancing method, may be used to determine which member to use for that request.

Virtual Servers

Virtual servers are the primary mechanism the BIG-IP system uses to process and track traffic. Each content site that a BIG-IP system manages must be associated with at least one virtual server. Like pools, virtual server definitions include a name, an IP address and a port. Beyond that, virtual servers have many features that allow you to choose how traffic is processed.

Clients must be able to reach the virtual server. Often, the virtual address is registered to the site's host name and clients discover the address via DNS. Alternately, DNS requests may resolve to an address hosted by a firewall or other edge device that will perform network address translation (NAT) on the packet and forward the request to the virtual server. The virtual service port should be the same TCP or UDP port number known to client programs.
For example, traffic to F5 Networks' website is processed by a virtual server on a BIG-IP system. The host name www.f5.com resolves to the IP address of a virtual server, 68.197.148.23. The virtual server's port is 80, the standard port for HTTP.

All virtual servers are represented by an IP address:service combination and usually are associated with a pool. This association maps the virtual server address to the pool members' addresses. When client traffic is processed by the BIG-IP system, the following functions typically occur:

* Note availability of all pool members
* Load balance traffic across a group of pool members
* Translate the virtual server address to the pool member's IP address
* "Untranslate" response packets as they are returned from the pool members

For most virtual servers, IP address and port translation is enabled by default. In advanced configurations address and port translation is sometimes disabled. In addition, virtual servers can be configured to perform additional traffic management including:

* Direct traffic based on traffic content
* Persist subsequent requests to the same pool member

Network Packet Flow

When client traffic arrives on the BIG-IP system, it is typically destined to a virtual server address and port. The BIG-IP system then processes that request based on the virtual server's definition. The packet flow should be transparent to the end user; they should not know that their request is being processed by the BIG-IP system and is being directed to other internal servers (pool members).

While there are many exceptions to the following diagram and description, they describe the most common traffic flow through the BIG-IP system.

[Figure: LTM translates Dest Address to Node based on Load Balancing]

When the client sends the packet, the destination address is the virtual server address on the BIG-IP system and the source address is that of the client.
The BIG-IP system takes that destination address and translates it to the IP address of one of the pool members, chosen by the load-balancing algorithm, but leaves the client's IP address intact. The pool member's response has the source and destination addresses reversed, so on the response, the BIG-IP system must translate the pool member's address back to the virtual server's address.

It is significant to note that for most client sessions, there are two TCP connections. There is a client-side connection, between the client and BIG-IP, and a server-side connection, between the BIG-IP and the pool member. Since these are two separate connections, many changes can be made as the traffic flows through the BIG-IP system. Examples include unencrypting traffic, making dynamic changes to traffic content, and logging specified attack signatures.

Configuring Virtual Servers and Pools

Lesson Objective:
During this lesson you will learn how to create pools and virtual servers.

Pool Configuration

1. From the Navigation pane, expand the Local Traffic section.
2. Either select Pools and then the Create button (upper right) or leave your mouse over Pools, then Pool List, and finally click the create button on the flyout menu.
3. In the Configuration section, select values for the following parameters:
    Configuration Level: Basic
    [remaining rows of this table are illegible in the source]
4. In the Resources section, select values for the following parameters:
    Load Balancing Method: How to choose between pool members
    Priority Group: Option to define priority among pool members
    New Members: Pool members by Address or DNS name and port or well-known service name
5. When complete, click Finished.

Virtual Server Configuration

1. From the Navigation pane, expand the Local Traffic section.
2. Either select Virtual Servers and then the Create button or leave your mouse over Virtual Servers, then Virtual Server List, and finally click the create button on the flyout menu.
3. In the General Properties section, select values for the following parameters:
    Name: No spaces; begins with letter or underscore
    Destination Host:
    IP Address or DNS name that clients can access
    Destination Network: Network address and netmask
    Service Port: Port number or name of well-known service
    State: Enabled / Disabled
4. In the Configuration section, select values for the following parameters:
    Configuration Level: Basic
    Type: Choose based on virtual server needs
    Protocol: Choose transport: TCP, UDP, SCTP
    Profiles: Various profile choices
    VLAN: Choose VLANs based on where client traffic will arrive
5. In the Resources section, select values for the following parameters:
    iRules: Choose to apply an existing iRule to manage this virtual server's traffic
    HTTP Class Profiles: Choose to apply an existing HTTP Class profile to manage this virtual server's traffic
    Default Pool: Choose from existing pools for the virtual server to distribute client requests. Alternately, clicking the + button will allow you to create a pool before completing the virtual server
    Default Persistence Profile: Choose to apply an existing persistence profile
    Fallback Persistence Profile: Choose to apply an existing persistence profile. Only those based on addresses are available.
6. When complete, click Finished.

Utilizing Statistics

The GUI allows you to view a variety of system statistics and log files. Note that from the statistics screens, you can access current statistics for virtual servers, pools, pool members and other objects.

System statistics

Among other things, the Configuration utility allows you to view the following data:

* Packet count and connection count for virtual servers, pools, NATs and SNATs
* Requests, responses and errors for various profiles
* Matching criteria and age of persistence records
* Use count for iRules

Viewing system statistics

1. From the Navigation pane, expand the Overview section.
2. Select Statistics.
3. Choose one of the following:
   * Local Traffic - Displays the availability and utilization of objects such as virtual servers
Availabilty concems the functional st enabled, disabled, ete) while tization concersthe amount of traffic that has owed trough the given objec. 1 Network - Displays the availability and uilztin of physical ports o the BIG-IP LIM. System. Agala, this concerns bot functional state and wage + Memory Displays memory curently uted by various syst processes 4. Foreach statistical choice, you canals select the auto refiesh mt (deft is none) and ‘whether to display the data ina normalized fashion o as raw da. For many Local Trae hjects, you can view selected objects, uch as only some pools by entering matching criteria {nthe sath field and licking Search. Log files ‘The Configuration ily allows you to specify options concerning wha data is logged and gives you ‘window to view uch ofthis data, ‘System Log Options Various conditions can besarte based onthe sevice that logged the mssape. Additionally, you can Ser th Evens by entering matching criteria inthe search Nei and clicking Search, You ca sso select level of system auditing, Viewing Logs and Setting Log Options 1. From the Navigation pane, expand the System section. Select Logs 3. Choose one ofthe following: + System Displays system information that ia subset of vag mage, + Packet Filter Diaplnys rest of packot Gering that ea subset of Hvs/og phir: + Local Trae Displays traffic management information tha is subset of varlogitm. + Ava Displays system configuration changes by user and ime. The levels and types of lggiag canbe St through the Options sean. + Options Allows the administrator to specif the loging lve or various events and to enable ‘nuiing. [BIG.IP® _TM Essentials Student Guide — © 2010 FS Network, Ine. 
Virtual Servers and Pools Lab

Objective:
* Create pools for servers
* Configure virtual servers and associate them with pools
* Verify functionality
* Estimated time for completion: 20 minutes

Lab Requirements:
* IP and port addresses available for use on BIG-IP LTM that can be reached by the client systems
* Actual servers with appropriate routes to reach each BIG-IP LTM system

Creating Virtual Servers and Pools

Create a Pool

1. From the Navigation pane expand the Local Traffic section.
2. Select Pools and then the Create button.
3. In the Configuration section, enter the following:
    Configuration Level: Basic
    Name: http_pool
    Health Monitors: Leave Blank
4. In the Resources section, enter the following:
    Load Balancing Method: Round Robin
    Priority Group Activation: Disabled
    New Members (for each, enter Address and Service Port and press Add):
        172.16.20.1 port 80
        172.16.20.2 port 80
        172.16.20.3 port 80
5. When complete, click Finished.

Create a Virtual Server that uses this pool

1. From the Navigation pane, expand the Local Traffic section.
2. Select Virtual Servers and click Create.
3. In the General Properties section, enter the following:
    Name: vs_http
    Destination: 10.10.X.100
    Service Port: 80 (or HTTP)
    State: Enabled
4. In the Configuration section, accept all defaults.
5. In the Resources section, enter the following:
    iRules: Leave Blank
    HTTP Class Profiles: Leave Blank
    Default Pool: http_pool
    Default Persistence Profile: None
    Fallback Persistence Profile: None
6. When complete, click Finished.

Verification through Statistics

1. Open a new browser session on your PC and point it to your virtual server address of http://10.10.X.100. Note the results and refresh the screen 5-10 times.
2. View statistics and configuration information through Overview / Statistics / Local Traffic and choose from the Statistics Type drop-down list.
   * Local Traffic / Virtual Servers / Statistics
   * Local Traffic / Pools / Statistics
3. Did traffic go to each pool member?
4. Did each pool member manage the same number of connections?
5. Did each pool
   member manage the same number of bytes?
6. How many TCP connections are opened each time you refresh the browser page?

Expected Results and Troubleshooting

* Expected result: 5 connections per refresh distributed evenly among the pool members.
* If not, verify the following:
  * Is traffic getting to the virtual server?
    * Does 10.10.X.100 appear in your workstation's ARP table?
    * Does the Statistics page show traffic received by vs_http?
    * Verify that the address and port are correctly configured.
  * Is traffic getting to the pool members?
    * If no traffic is going TO the pool members:
      * Verify http_pool has been assigned to vs_http
      * Verify the correct members address / port.
    * If traffic goes TO pool member, but does not return:
      * Verify that self IP address 172.16.X.33 is configured on port 1.2 (this address is the pool members' route back to your PC)

Create a second Pool and Virtual Server

1. From the Navigation pane, select Local Traffic, Virtual Servers and click Create.
2. In the General Properties section, enter the following:
    Name: vs_https
    Destination: 10.10.X.100
    Service Port: 443 (or HTTPS)
    State: Enabled
3. In the Configuration section, accept all defaults.
4. Since we "forgot" to create the pool first, navigate to the Resources section and click the + button to the right of Default Pool.
5. In the Configuration section of the new pool, enter the following:
    Configuration Level: Basic
    Name: https_pool
    Health Monitors: Leave Blank
6. In the Resources section, enter the following:
    Load Balancing Method: Round Robin
    Priority Group Activation: Disabled
    New Members (for each, enter Address and Service Port and press Add):
        172.16.20.1 port 443
        172.16.20.2 port 443
        172.16.20.3 port 443
   NOTE: Since the members' IP addresses are the same, you could select Node List and choose the members' IP addresses from the drop-down list.
7. When the pool is complete, press Finished.
8. In the Virtual Server's Resources section, verify the following settings:
    iRules: Leave Blank
    HTTP Class Profiles: Leave Blank
    Default Pool: https_pool
    Default Persistence Profile: None
    Fallback Persistence Profile: None
9. When complete, make sure to click Finished for the virtual server.

Verification through Statistics

1. Open a new browser session on your PC and point it to your virtual server address (https://10.10.X.100). If prompted, accept the self-signed SSL Certificate. Note the results and refresh the screen 5-10 times.
2. View statistics and configuration information through Overview / Statistics. Choose from the Statistics Type drop-down list.
   * Local Traffic / Virtual Servers / Statistics
   * Local Traffic / Pools / Statistics
3. Did traffic go to each pool member?
4. Did each pool member manage the same number of connections?
5. Did each pool member manage the same number of bytes?
6. How many TCP connections are opened each time you refresh the browser page?

Statistics using the Command Line

1. Open an SSH session to your BIG-IP external self IP address. In the SSH client window, enter the external IP Address of your BIG-IP system (10.10.X.31) and make sure the protocol is set to SSH. Some examples of SSH Clients are Putty, Teraterm, and SecureCRT.
2. When prompted, enter root as the user ID and the password that you added during setup (rootX was suggested).
3. If prompted for terminal type, accept or enter vt100.
4. Enter the command bigtop -n. This command shows real time information on the virtual servers and pool members that you have configured.
5. View the screen while refreshing your session to either http://10.10.X.100 or https://10.10.X.100. What does bigtop show? Exit bigtop by pressing the q key.
6. Statistics for pools and virtual servers can be viewed by typing the following:
    b pool show          (note that "show" is optional; it is the default)
        example: b pool https_pool
    b virtual
        example: b virtual vs_https
Expected Results and Troubleshooting

* Expected result: You may see 6 connections the first time you request the page (due to the SSL key exchange) but should see 5 connections per subsequent refresh. The requests should be evenly distributed among the pool members.
* If not, verify the following:
  * Confirm that the virtual server was created. Students often neglect to hit Finish for the virtual server after hitting Finish for the pool.
    * Local Traffic / Virtual Servers
  * Is traffic getting to the virtual server?
    * Does 10.10.X.100 appear in your workstation's ARP table? You may need to clear your ARP table before testing to remove the entry from the http virtual server.
    * Does the Statistics page show traffic received by vs_https?
    * Verify that the address and port are correctly configured.
  * Is traffic getting to the pool members? Check Pool statistics.
    * If no traffic is going TO the pool members:
      * Verify https_pool has been assigned to vs_https
      * Verify the correct members address / port.
    * If traffic goes TO pool member but does not return:
      * Verify that self IP address 172.16.X.33 is configured on port 1.2 (this address is the pool members' route back to your PC).

Network Map

Lesson Objective:
During this lesson you will learn how to use the Network Map utility.

Network Map

The network map presents a visual hierarchy of the names and status of virtual servers, pools, pool members and iRules defined on the system. You can click the name or IP address in the map to open the properties screen of that object. The map shows all objects in context, starting with the virtual servers at the top. The settings in display options determine which objects are included. When you position the cursor over an object, the system presents hover text containing information about the object. Although a pool or pool member might be referenced in an iRule, they are not included on the map.

The system arranges virtual servers alphabetically and their dependent objects in hierarchy.
* Virtual server
  * Pool assigned by HTTP classes
    * That pool's members
  * iRules statically assigned
  * Default pool
    * That pool's members

NOTE: Because each member corresponds to only one node, the system shows node-related information in the hover text when you position the mouse cursor over the associated pool member. The system shows the node name (or the node IP address, if there is no associated name) and the node status.

Display Options

You can use items in the filter bar, along the top of the screen, to filter the objects that the system displays. Because of how Network Map presents objects in context, the updated screen also shows objects of other statuses, types, and names that relate to those objects. This is because Network Map always shows objects in context with the objects that depend on them, and the objects they depend on.

For example, if you have an available virtual server with an available pool and two pool members, one available and one offline, when you select Offline from the Status list the system shows the offline pool member in context with the available virtual server and the available pool.

Selections in the filter bar are cumulative. For example, if you select Offline from the Status list and Virtual Servers from the Type list, the system filters all virtual servers that are offline. It does not show all objects that are offline and all virtual servers.

The system highlights in blue all matches from a search operation.

Status

Specifies whether you want to constrain contents and search operations based on object status. The default is Any Status. You can select a different Status and click Update Summary to redisplay the screen based on the new settings. When you select iRules from the Type list the Status list becomes unavailable.

* Any Status: Specifies that you want to include all objects, regardless of status.
* Available: Specifies that you only want to include objects that are available.
* Unavailable: Specifies that you only want to include objects that are unavailable.
* Ot: Specifies that you oly want to include objet that are oie. * Unknowa:Speifes hat you oly watt include objects with status of Unknown, Type Specifies wheter you want to contain conteats and search operations based om objet type. The defaults All Types. You can select a diferent Type ad click Update Summary t edspay the ‘ereen based onthe new sens ‘All Types: Specifies that you want include all ojects, regardless of ype + Vietual Servers: Speciis tha you oly want include virtual server. 1 Res: Species that you only want to include Rules. When you selec Ru ‘Type ls the Status list becomes unavailable 1 Pools: Specifies that you only want to include pool ‘Pool Members: Specifies tat you only want to include pool members. ‘+ Nodes: Specifies that you only want to include nodes, Search ‘Specifies a text string that you want the system ous in Search operation, The default is asterisk (C sich matches all panes. The seings ofthe Status and Type Fels determine the sope ofthe ‘catch, The sytem ures search string to fier the rents daplayed on the sereen. For example, if 0 ‘onszin the search to include only unavailable nodes whose IP adress icles 10.1, the operation ‘tus thse nodes, along with the siblings i the poo, the poo ise, the associated viral server, BIG-IP* LTM Essentials Student Guide -© 2010 FS Networks, Inc ci Ls ‘nd any ies spied to tht viral serve. The system sot results alphabetically, by vital server “The system supports searching on names, IP addres, ad IP eddes:port combinations in both Pvt And IPv6 ade formats, The sytem processes the sng as if an asters wildeard crater Surrounds the sting For example, yu specify 10, the system effectively sarees asi had typed oe Load-Balancing Modes Lesson Objective: Daring this lesson, you willbe ale ols the varios lon-balancing modes, explain the differences ‘between them, and state the scenarios where each is mos spproprit Load Balancing Overview ‘The BIG-IPLTM System offers many load balancing modes. 
A load-balancing mode defines the criteria used to choose a member for each new connection. There are two groups of load balancing modes: static and dynamic. Also, there are options that dynamically activate secondary members if primary members fail, allowing users to define some members as "hot standbys".

Static Load-Balancing

Static load balancing options distribute traffic across members based on pre-defined patterns. Member availability is taken into account but current performance is not. Two modes are supported:

Round Robin
The round robin mode distributes connections evenly across available members. This mode is useful for even distribution of traffic among equally capable members.

Ratio
The ratio mode distributes new connections across available members in proportion to a user defined ratio. This mode is useful when members have different capacities.

For example, if your pool contained one fast server and the slower server, you could set the ratio so that the fast server receives more connections. The ratio can be set for each member or each node. Ratio mode distributes new connections in a weighted round-robin pattern. The figure above shows how connections would be distributed if the ratio values were set at 3:2:1:1.

Dynamic Load-Balancing

Dynamic load balancing options distribute traffic across members based on current server performance and member availability. When each connection request is processed, the chosen metric for each member is compared and the best member chosen. The BIG-IP LTM System supports five load balancing methods

for the specified filename. Expects connection to complete and file transfer to be successful. Upon receipt of file, closes connection.
MSSQL | Opens a connection. Upon connection completion, issues SQL command to specified database. Expects connection to complete and database to open successfully. Upon receipt of data, closes connection.

If a monitor's default function meets your needs, assign the monitor to the pool, pool member, or node.
More often, the templates are used to create custom monitors.

Creating Monitors

Concepts

A custom or user-defined monitor is based on a default monitor template or another custom monitor. Custom monitors are given unique names and vary from their template in one or more parameters.

Some templates can be used without modification and can be useful in that form. For example, there is little to change for ICMP monitors except their timers. Other monitor templates can be used directly, but are of limited use without customization. For example, since the HTTP monitor's default receive string is a null string, the response must only be a null string or more. In effect, no response is required and any response is acceptable. Because of situations like that, most production monitors are customized. In fact, some templates cannot be assigned directly; they can only be used as a template for a user-defined monitor. FTP is an example of this type. At a minimum, a path and file name must be specified before a custom ftp monitor can be assigned.

The general steps to create user-defined monitors do not vary, but the parameters that can be specified vary dependent upon the monitor type.

Custom Monitor Configuration

1. From the Navigation pane, expand the Local Traffic section.
2. Select Monitors and click Create.
3. In the General Properties section, enter the following:

Name | Custom Name (no spaces)
Type | Monitor Template
Import Settings | Once a type is chosen, you can choose the base template or other custom monitor based on that same template

4. In the Configuration section, enter appropriate settings. Options vary with the monitor type and whether you are specifying basic or advanced settings. Typical settings include:

Interval | Time between monitor instances
Timeout | Time for a successful monitor occurrence before the device is considered unavailable. The recommended timeout is three times the interval value plus one. This would mean the monitor must fail in three consecutive attempts before the device is marked unavailable.
Send String | Command to send to server
Receive String | Regular expression. If a portion of the server's response string matches this field, the monitor is successful.
Receive Disable String | Regular expression. If a portion of the server's response matches this field and does NOT match the required Receive String, the object will be disabled.
User Name | User name expected by server application.
Password | Password for the User Name
Reverse | Checkbox. Indicates monitor will consider a device unavailable when the server's response matches the receive rule.
Transparent | If chosen, the monitor has two destinations: a first hop and an ultimate. The ultimate destination should be specified as the monitor's "Alias Address".

5. When complete, click Finished.

Monitor Assignment

Lesson Objective:
During this lesson, you will learn how monitors are associated with nodes, pool members, and pools.

Monitor Associations

Creating custom monitors is an important process, but unless the monitor is assigned to something (a node, pool member, or a pool) the monitor will not perform any tests. Assignments can be performed by group, individually, or both. By default, there are no monitor assignments.

Associating Monitors to Nodes

One option is to monitor nodes, the IP addresses of the pool members. Every node is set to one of three states:

* Node Default (default)
* Node Specific
* None

"Node Default" indicates that the node should be tested with the Default Monitor. However, since the Default Monitor is initially unassigned, the result is that nodes are not tested by default. If you would like all nodes to be tested with the same monitor, set the Default Monitor to that monitor.
Once the Default Monitor is set (or changed), all nodes set to "Node Default" will be tested by this setting for all nodes.

Each node can be assigned monitors individually by selecting "Node Specific". These monitors are used instead of the Default Monitor, not in addition to it.

When "None" is selected, that node will not be tested by any monitor, regardless of the Default Monitor setting.

Assigning the Default Monitor

This setting affects all nodes set to "Node Default".

1. From the Navigation pane, expand the Local Traffic section and select Nodes.
2. Above the list of nodes, select the Default Monitor tab.
3. Within the Configuration section, enter the following:

Configuration Level | Basic
Health Monitors | Move (<<) desired monitor to the Active column

4. When complete, click Update.

Setting a Specific Monitor(s) for a Node

This setting affects single nodes.

1. From the Navigation pane, expand the Local Traffic section and select Nodes.
2. From the list of nodes, select the node of interest.
3. Within the Configuration section, set the following:

Health Monitors | Node Specific
Select Monitors | Move (<<) desired monitor to the Active column
Availability Requirement | As desired

4. When complete, click Update.

Setting a Node to No Monitor Assignment

This setting affects single nodes.

1. From the Navigation pane, expand the Local Traffic section and select Nodes.
2. From the list of nodes, select the node of interest.
3. Within the Configuration section, set the following:

Health Monitors | None

4. When complete, click Update.

Assigning Monitors to Pool Members

Like nodes, there are no default monitors associated with any pool members. Also like nodes, pool members can be associated with a default monitor, specific monitor, or no monitor. However, with pool members, the default monitor is not on the global level, but on the pool level. The three choices for a given pool member are:

* Inherit from Pool (default setting for all pool members)
* Member Specific
* None

Inherit from Pool allows you to assign monitors at the pool level only and be assured that each pool member will be tested in the same way.

Setting a Pool's Monitor

This setting affects all members in that pool that are set to Inherit from Pool.

1. From the Navigation pane, expand the Local Traffic section and select Pools.
2. From the list of pools, select the pool of interest.
3. Within the Configuration section, enter the following:

Configuration Level | Basic
Health Monitors | Move (<<) desired monitor to the Active column

4. When complete, click Update.

Setting a Specific Monitor(s) to a Member

This setting affects single members.

1. From the Navigation pane, expand the Local Traffic section and select Pools.
2. From the list of pools, select the pool of interest.
3. Select the Members tab.
4. From the list of members, select the member of interest.
5. Within the Configuration section, set the following:
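The monitor settings and assignment rules described in this module can be modelled in a few lines of Python; this is an added example, not code from the guide or from F5. The function names, the sample node addresses and the monitor name my_icmp are constructed for illustration, and treating a non-matching response as "up" under Reverse is an assumption.

```python
import re

def recommended_timeout(interval):
    """Guide's rule of thumb: three times the interval, plus one."""
    return 3 * interval + 1

def evaluate(response, recv="", recv_disable="", reverse=False):
    """Model Receive String, Receive Disable String and Reverse for a
    response that arrived before the timeout."""
    matched = re.search(recv, response) is not None  # "" matches any response
    if reverse:
        # Guide: a match marks the device unavailable.
        # Assumption: a non-match then counts as "up".
        return "down" if matched else "up"
    if matched:
        return "up"
    if recv_disable and re.search(recv_disable, response):
        return "disabled"
    return "down"

def effective_monitors(setting, inherited=(), specific=()):
    """Resolve a node setting (Node Default / Node Specific / None) or a
    pool member setting (Inherit from Pool / Member Specific / None)."""
    if setting in ("Node Default", "Inherit from Pool"):
        return list(inherited)
    if setting in ("Node Specific", "Member Specific"):
        return list(specific)  # used instead of the default, not added to it
    if setting == "None":
        return []
    raise ValueError(f"unknown monitor setting: {setting!r}")

def unmonitored(objects, inherited=()):
    """Names of objects that no monitor will test."""
    return [name for name, (setting, specific) in objects.items()
            if not effective_monitors(setting, inherited, specific)]

# Constructed sample data, not taken from the guide.
NODES = {
    "172.16.20.1": ("Node Default", ()),
    "172.16.20.2": ("Node Specific", ("my_icmp",)),
    "172.16.20.3": ("None", ()),
}
ERROR_PAGE = "HTTP/1.1 500 Internal Server Error\r\n\r\nerror"
OK_PAGE = "HTTP/1.1 200 OK\r\n\r\nServer 1"

if __name__ == "__main__":
    print(recommended_timeout(5))
    print(evaluate(ERROR_PAGE), evaluate(ERROR_PAGE, recv=r"200 OK"))
    print(unmonitored(NODES), unmonitored(NODES, inherited=("my_icmp",)))
```

With the empty default receive string the 500 error page still evaluates as up, which is the situation the guide gives as the reason most production monitors are customized.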
