
Chapter 1

Initial Setup

Exploring Big-IP Hardware

Exploring Big-IP File System
Licensing Big-IP
Basic Configuration
Big-IP Hardware Platform
The Hardware

Front panel (figure): 10/100/1000 Mbps copper ports; 1000 Mbps fibre ports; OOB failover cable port; USB port; management port; LCD panel and controls
Looking Inside a 3600 Big-IP
Big-IP LTM Software support
Lights Out Management
-Two operating systems
-TMM for primary use
-AOM/SCCP for lights-out management
-Always-On Management (AOM)
-Switch Card Control Processor (SCCP)
What to do first ?
Setup Overview
Setup Tools
SSH Client
-username:- root
Serial Terminal Client
-username:- root
Big-IP Config Script
Big-IP Web-based configuration
-username:- admin
Licensing Methods
Entering Registration Key
Manual Licensing
Completing the Licensing Process
Configuring administration Access
File System

Built on top of Linux

Has the Linux file structure
Files relevant to the operation
The main files in BIG-IP LTM are mentioned below:
-Holds all information relevant to the load
Like: virtual, pool, profile, monitor, iRules etc.
-Shared between 2 units if in a pair configuration

-Holds all information relevant to the basic
elements of the BigIP
Like: management IP, VLANs, routes and a few more things

-Hosts which are allowed to use the local inet services,
such as SSH, and SNMP for the SNMP devices
-The bigdb database holds a set of bigdb configuration
keys, which define the behaviours of various aspects of the
BIG-IP system

-For example, the bigdb key Failover.ActiveMode, when set to enable,
causes a redundant system to operate in active-active mode instead of
the default active/standby mode.

-We can edit these values by using:
-The Configuration utility
-The bigpipe db command, e.g.:
#bigpipe db all list
-Holds all information about the license of the BigIP system
-Without this file or a valid license file, the BigIP will not operate

There are a few more vital files

Management configuration
Giving an IP to the management port
#b mgmt {netmask }

Putting route for management network

#b mgmt route netmask { gateway }

#b mgmt route netmask { gateway }
VLAN Configuration
vlan external {
   tag 10
   interfaces 1.1
}
vlan internal_phy {
   tag 4093
   interfaces 1.2
}
vlan internal_virt {
   tag 4092
   interfaces 1.4
}
Self IP/Port configuration

Assigning an IP address to the VLAN

#b self { netmask vlan external
allow tcp ssh tcp https tcp 4353 }
#b self { netmask vlan
internal_virt allow tcp https }

Opening the Port

#b self allow { default udp snmp tcp ssh tcp domain tcp snmp udp
efs tcp 4353 udp domain udp 4353 tcp https proto ospf }
Configuring Floating IPs
This part of the configuration is for a redundant pair
#b self {
   unit 1
   floating enable
   vlan external
   allow tcp https
}
#b self {
   unit 1
   floating enable
   vlan internal
   allow default
}
Chapter 2

Traffic Processing
Pools, Members & Nodes
Virtual Server
-Big-IP is a default-deny device, so a listener (virtual server) is a must
-The virtual server glues everything together
-Typically a virtual server is associated with a pool
-Before a virtual server can load balance, it must be mapped to a pool
-Big-IP translates the destination IP address from the virtual server to
the actual server
-The client sees the pool servers as a single server, hence the term "virtual"
Asymmetric Routing Problem
Full Proxy Architecture

-Big-IP does much more than translating the network address

-F5 implemented a full proxy architecture in Big-IP
-Separate TCP connections for the client & the server
Chapter 3
Load Balancing

Load Balancing Method

Member vs Node
Priority Group Activation
Configuring load balancing
Load Balancing Methods
-Static methods do not take server performance into consideration
-Dynamic methods do consider server performance
Round Robin

-Round Robin is the default & most commonly used method

-Big-IP evenly distributes client requests across all available pool members
-The Ratio method is appropriate to use if some of the members are more
powerful than others.
-Since Ratio is a static method, the server with the highest ratio value
will receive more requests than the others even if the performance of
that server is slow.
#b pool lab_Pool { lb method member/node ratio }
Least Connections

-This method considers the current connection count to decide
where to send the next request
#b pool lab_Pool { lb method least conn }
Least Connections
-After the connection counts shown below, the Big-IP round-robins the next
requests between all three servers.
-Fastest uses the outstanding layer 7 requests to decide where to
send the next request
-Request or Response?
#b pool lab_Pool { lb method fastest }
-A ping response from the server doesn't take into account how fast the
server will respond on port 80.
-A SYN-ACK response from the server on port 80 doesn't take into
account how fast the backend database server will populate the
content of the web page

-It is basically Ratio load balancing, but with the Ratio assigned by Big-IP
-Servers with connections lower than average will be given a ratio of 3
-Servers with connections higher than average will be given a ratio of 2
#b pool lab_Pool { lb method member observed }
>Connection status
-Servers B & C with Ratio 3
-Servers A & D with Ratio 2
-The Predictive method is similar to Observed, but assigns more
aggressive values
#b pool lab_Pool { lb method member predictive }

>Connection status
-Servers A & C with Ratio 1
-Servers B & D with Ratio 4
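The following simulation is an added example (not BIG-IP code and not from these slides) that models how each method above picks the next pool member: Round Robin, static Ratio, Least Connections, and the Observed/Predictive split that derives ratios from connection counts. The member names and connection counts are constructed; treating a count equal to the pool average as "not lower" is an assumption the slides do not settle.

```python
"""Simulation of the pool load-balancing methods described on the slides.
Constructed example: models how each method selects the next pool member."""
from itertools import cycle
from typing import Dict, List


def round_robin(members: List[str], n: int) -> List[str]:
    """Round Robin: hand each request to the next available member in turn."""
    it = cycle(members)
    return [next(it) for _ in range(n)]


def ratio(weights: Dict[str, int], n: int) -> List[str]:
    """Ratio: members get requests in proportion to a static ratio value,
    regardless of how fast they respond. Smooth weighted round robin keeps
    the sequence interleaved instead of draining A's share first."""
    credit = {m: 0 for m in weights}
    total = sum(weights.values())
    picks = []
    for _ in range(n):
        for m, w in weights.items():
            credit[m] += w
        best = max(credit, key=credit.get)   # ties resolve in pool order
        credit[best] -= total
        picks.append(best)
    return picks


def least_connections(conns: Dict[str, int], n: int) -> List[str]:
    """Least Connections: the next request goes to the member with the fewest
    current connections; equal counts are round-robined, as the slide says."""
    conns = dict(conns)
    order = list(conns)                      # rotation order used for ties
    picks = []
    for _ in range(n):
        pick = min(order, key=lambda m: conns[m])
        order.remove(pick)
        order.append(pick)                   # move to the back so ties rotate
        conns[pick] += 1                     # the new request is now a connection
        picks.append(pick)
    return picks


def _split_by_average(conns: Dict[str, int], below: int, rest: int) -> Dict[str, int]:
    """Members with fewer connections than the pool average get ratio `below`,
    all others get `rest` (equal-to-average counted as 'not lower': assumption)."""
    avg = sum(conns.values()) / len(conns)
    return {m: (below if c < avg else rest) for m, c in conns.items()}


def observed_ratios(conns: Dict[str, int]) -> Dict[str, int]:
    """Observed: Ratio load balancing with ratios 3 (below average) / 2 set by Big-IP."""
    return _split_by_average(conns, 3, 2)


def predictive_ratios(conns: Dict[str, int]) -> Dict[str, int]:
    """Predictive: the same split with the more aggressive values 4 / 1."""
    return _split_by_average(conns, 4, 1)


if __name__ == "__main__":
    sample = {"A": 20, "B": 5, "C": 8, "D": 30}      # constructed connection counts
    print("observed  :", observed_ratios(sample))    # B, C get 3; A, D get 2
    print("predictive:", predictive_ratios(sample))
    print("next 6 by observed ratio:", ratio(observed_ratios(sample), 6))
```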
Pool Member vs. Node
Load Balancing by:
-Total service for one IP address
-Takes all transactions for the IP address into account
#b node <ip_addr> { ratio <no.> / session <enable/disable> }

>Pool Member
-IP address & service
-Takes the decision based on the transactions happening on
the service port.
Priority Group Activation

-Used to designate preferred & backup sets of pool members within a pool
-Once priority group activation is enabled:
-The available members with the highest priority will be considered first
Priority Group Activation
-If the number of available members falls below the priority group
activation setting,
-The next highest priority members also start serving
the requests.
Priority Group Activation
Configuration example

#b pool lab_pool {
   lb_method predictive
   min_active_members 2
   member priority 10
   member priority 10
   member priority 10
   member priority 5
   member priority 5
   member priority 5
}
Fallback Host
-The Fallback host feature is designed for the HTTP protocol only.
-It comes into play if all the members in a pool are unavailable
Configuring Load Balancing
bigpipe pool <pool_name> { lb method <method_name> }

<method_name> is one of:
(rr | node ratio | member ratio | member least conn |
member observed | member predictive | fastest |
least conn | predictive | observed | dynamic ratio |
fastest app resp)
Chapter 4


Monitor Functionality
Monitor Types
Configuring Monitor
Assigning Monitor
Intro to monitor
The Big-IP system can monitor the health of nodes & pool members

A monitor is the test that the Big-IP performs:

-simple test
-highly interactive test

The result of these tests defines whether the
respective node or member is available

The Big-IP performs continuous monitoring irrespective of
the status of the node or member
Steps to set up a monitor
Step 1: Create

Step 2: Name & Type

-name the new monitor and select the type from the system types

Step 3: Customize

Step 4: Assign
-to pool/node/pool member

Step 5: Status
Types of monitoring

Address Check
-IP address of the node

Service Check
-IP:port (is the service listening?)

Content Check
-IP:port & check the data returned

Interactive Check
-Interacts with the servers
-Multiple commands and multiple responses
Address Check

System:
#b monitor icmp list
monitorroot icmp {
   interval 5
   timeout 16
   dest *
}

Custom:
#b monitor icmp_mon list
monitor icmp_mon {
   defaults from icmp
   interval 7
   timeout 22
}
Service Check
-Service checks only test whether the server is listening on the respective
-Doesn't provide any insight into the quality of the content that might
System:
#b monitor tcp list
monitorroot tcp {
   interval 5
   timeout 16
   dest *:*
   recv ""
   send ""
}

Custom:
#b monitor tcp_port_mon list
monitor tcp_port_mon {
   defaults from tcp
   interval 15
   timeout 47
}
Content Check
-Content checks go beyond testing whether a node is
-They also test if it is responding with the correct content
System:
#b monitor http list
monitorroot http {
   interval 5
   timeout 16
   dest *:*
   password ""
   recv ""
   send "GET /"
   username ""
}

Custom:
#b monitor http_mon list
monitor http_mon {
   defaults from http
   recv "Health Check"
   send "GET /health_check.html HTTP/1.0\n\n"
}
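To make the difference between the tcp service check and the http content check concrete, here is an added example (not from these slides and not BIG-IP code) that models both checks against a small local web server standing in for a pool member: the service check passes as soon as the port accepts a connection, while the content check passes only when the reply to the monitor's send string contains its recv string within the timeout. The stand-in server and its /health_check.html page are constructed; the send string uses CRLF line endings where the slide shows \n\n.

```python
"""Model of the Service (tcp) and Content (http) monitor checks on the slides.
Constructed example: a local HTTP server plays the pool member."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# send/recv strings taken from the custom http_mon on the slide
SEND = "GET /health_check.html HTTP/1.0\r\n\r\n"
RECV = "Health Check"


class _PoolMember(BaseHTTPRequestHandler):
    """Stand-in pool member: healthy only on /health_check.html (constructed)."""

    def do_GET(self):
        ok = self.path == "/health_check.html"
        body = b"Health Check OK" if ok else b"application error"
        self.send_response(200 if ok else 500)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep request logging quiet


def start_member(host="127.0.0.1"):
    """Start the stand-in member on a free port; returns the server object."""
    srv = HTTPServer((host, 0), _PoolMember)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def service_check(host, port, timeout=5.0):
    """tcp monitor with empty send/recv: up if the port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def content_check(host, port, send=SEND, recv=RECV, timeout=5.0):
    """http monitor: up only if the reply to `send` contains `recv`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(send.encode())
            data = b""
            while True:                      # HTTP/1.0: server closes when done
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:                          # refused, reset or timed out
        return False
    return recv.encode() in data


if __name__ == "__main__":
    member = start_member()
    port = member.server_address[1]
    print("service check:", service_check("127.0.0.1", port))
    print("content check:", content_check("127.0.0.1", port))
    member.shutdown()
    member.server_close()
```

Requesting a different page with the same server shows the slide's point: the service check still reports up while the content check fails.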
Interactive Check

#b monitor ftp list

monitorroot ftp {
   interval 10
   timeout 31
   dest *:*
   debug ""
   get ""
   mode "passive"
   password ""
   username ""
}
Assigning Monitor to Nodes

#b node { ratio 100 monitor testwmi_mon }

#b node { monitor gateway_icmp and icmp }

Assign Monitor to Pool & member
Assigning Monitor to Pool

#b pool bluecoat_pool { monitor all tcp }

#b pool bsd01_pool { monitor all bsd_mon }

Assigning Monitor to Pool member

#b pool lab_Pool {
   member monitor tcp
   member monitor http
}
Status Icons
The status icons (figure: two example icons per status) cover:
Status: Available
Status: Offline
Status: Unknown
Status: Unavailable
Chapter 5


Profile Concept
Profile Configuration
Profile Concept
Contains settings that instruct how to pass traffic
through the virtual server

Why would anyone want to change the default traffic processing
behaviour of a virtual server?

Does a profile override the load balancing property?

How does a profile help to improve the performance of
the actual servers?
Profile Examples (figure): Persistence, SSL Termination

Profile Dependencies

-Some of the profiles are dependent on others

-Some can't be combined in one VS
Types of profile
Services Profiles:
-HTTP, FTP, RTSP, SIP, iSession

Persistence Profiles
-cookie, dest_addr, source_addr, hash

Protocol Profiles
-tcp, udp, fastL4

SSL Profiles
-client, server

Authentication Profiles
-RADIUS servers, CRLDP servers

Other Profiles
-OneConnect, NTLM, stream
Profile Configuration Concepts

Default Profile Templates

-Stored in /config/profile_base.conf
-Can't be deleted

Custom Profiles
-Stored in /config/bigip.conf
-Created from a default profile
-Dynamic child & parent relationship
Services Profiles
Parent HTTP profile:
profile http http {
   basic auth realm none
   oneconnect transformations enable
   compress disable
   compress uri include none
   compress uri exclude none
   compress prefer gzip
   compress min size 1024
   compress buffer size 4096
   compress vary header enable
   ramcache max age 3600
   ramcache min object size 500
   ramcache max object size 50000
   ramcache uri exclude none
   ramcache uri include none
   ramcache uri pinned none
   ramcache ignore client cache control all
   ramcache aging rate 9
   ramcache insert age header enable
}

Custom HTTP profile:
#b profile http pan_http_profile {
   defaults from http_master
   header insert "X-SSL: True"
   fallback "[HTTP::host]"
}

#b profile http help   (for more options)
Chapter 6


Persistence profile
Source Address Persistence
Cookie Persistence
What is the need for Persistence?

A persistence profile is required to change
the load balancing behaviour of a virtual server

Upon the initial connection:

-Big-IP stores session data in a persistence record

The persistence record stores:

-client characteristics
-Pool member information: which member is serving the request

Big-IP uses the persistence record to serve the next

Source Address Persistence
-Supports both TCP & UDP protocols
-By default Big-IP creates persistence for the host
source_addr Persistence configuration
Parent Profile:
profile persist source_addr {
   mode source addr
   mirror disable
   timeout 180
   mask none
   map proxies enable
   rule none
}
Custom Profile
#b profile persist pan_subnet { mode source addr mask }
Cookie Persistence

Why cookie Persistence ?

>Insert Mode
-LTM inserts a special cookie in the HTTP response
-Pool name & pool member (encoded)
>Rewrite Mode
-The web server creates a blank cookie
-LTM rewrites it to make the special cookie
>Passive Mode
-The web server creates the special cookie
-LTM passively lets it through
Cookie Insert Mode
Cookie Rewrite Mode
Cookie Passive Mode
Configuring Cookie persistence

Custom Profile
#b profile persist pan_cookie { mode cookie cookie mode rewrite cookie name paa }

Parent Profile:
profile persist cookie {
   mode cookie
   mirror disable
   timeout immediate
   cookie mode insert
   cookie name none
   cookie expiration 0d 00:00:00
   cookie hash offset 0
   cookie hash length 0
   rule none
}
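The cookie value that Insert mode sets is encoded rather than encrypted: by default the BIGipServer<pool> cookie carries the member's IPv4 address and port as little-endian decimal numbers (a format documented by F5). The decoder below is an added example, not from these slides, for auditing what a virtual server's Set-Cookie headers reveal about pool members; the pool name web_pool and member 10.1.1.100:80 are constructed sample values.

```python
"""Decoder for the default, unencrypted BIGipServer<pool> persistence cookie
set by Cookie Insert mode: <IPv4 little-endian decimal>.<port little-endian
decimal>.0000. Constructed example for auditing a virtual server's responses."""
import ipaddress
import re
from typing import Optional, Tuple

COOKIE_VALUE_RE = re.compile(r"^(\d+)\.(\d+)\.0000$")
SET_COOKIE_RE = re.compile(r"BIGipServer([^=;\s]+)=([^;\s]+)")


def encode_member(ip: str, port: int) -> str:
    """Encode a pool member ip:port the way insert mode does."""
    ip_val = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    port_val = int.from_bytes(port.to_bytes(2, "big"), "little")
    return f"{ip_val}.{port_val}.0000"


def decode_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for a plain insert-mode value, else None (for
    example when the profile encrypts the cookie and the value is opaque)."""
    m = COOKIE_VALUE_RE.match(value.strip())
    if not m:
        return None
    ip_val, port_val = int(m.group(1)), int(m.group(2))
    if ip_val > 0xFFFFFFFF or port_val > 0xFFFF:
        return None
    ip = str(ipaddress.IPv4Address(ip_val.to_bytes(4, "little")))
    port = int.from_bytes(port_val.to_bytes(2, "little"), "big")
    return ip, port


def audit_set_cookie(header: str) -> Optional[Tuple[str, str, int, bool]]:
    """Inspect one Set-Cookie header line from a virtual server's response.
    Returns (pool, ip, port, is_private), or None when the line is not a
    BIGipServer cookie in plain insert format. A private (RFC 1918) member
    address handed to clients is what the profile's cookie encryption hides."""
    m = SET_COOKIE_RE.search(header)
    if not m:
        return None
    decoded = decode_cookie(m.group(2))
    if decoded is None:
        return None
    ip, port = decoded
    return m.group(1), ip, port, ipaddress.IPv4Address(ip).is_private


if __name__ == "__main__":
    # constructed header for member 10.1.1.100:80 of pool web_pool
    hdr = "Set-Cookie: BIGipServerweb_pool=" + encode_member("10.1.1.100", 80) + "; path=/"
    print(audit_set_cookie(hdr))   # ('web_pool', '10.1.1.100', 80, True)
```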
Chapter 7

Processing SSL Traffic

Exploring SSL on Big-IP

Configuring Big-IP for SSL
Review of SSL Concepts
Establish an encrypted link between a web server &
a browser by using the SSL protocol
This encryption uses PKI
Encrypting & decrypting SSL impacts the server
Packet processing time can increase 20 to 30 times
Use of SSL accelerator cards
Advantages of SSL Termination

Allows iRules processing and cookie persistence

Offloads SSL traffic from the web server
SSL key exchange and bulk encryption done by
Centralized certificate management
Traffic Flow: Client SSL
Traffic Flow: Server SSL
SSL Acceleration
Enabling Client SSL Profile
Configuring Client SSL Profile
Configuring the clientssl profile:
#b profile clientssl pan.com_ssl {
   defaults from clientssl
   chain ca-intermediate.crt
}
Associating the clientssl profile with the virtual server
#b virtual pan.com_https { profile pan.com_ssl }
Configuring Server SSL Profile
Configuring the serverssl profile:
#b profile serverssl pan.com_ssl {
   defaults from serverssl
}

Associating the serverssl profile with the virtual server

#b virtual pan.com_https { profile pan.com_ssl }
Chapter 8

NAT & SNAT

NAT Concepts and Configuration

SNAT Concepts and Configuration
NAT Concepts
One-to-one mapping

Bi-directional traffic

Dedicated IP address

Can't configure a port

Configuring NAT

#b nat to

#b nat to
#b nat list
#b nat show
SNAT Concept
Secure NAT

Performs Source Nat

Many to one mapping

Traffic initiated to SNAT

Address refused

SNATs used for

Routing problem
SNAT Configuration
#b snat pan { origin any translation }

#b snat pan { origin any translation vlan clau_vlan enable }

#b snatpool pan_spool { member member }

#b snat pan { origin mask snatpool pan_spool }
Chapter 10


Big-IP is a default-deny device, so a listener (virtual) is

The virtual server glues everything together

Virtual servers are the first point of call for traffic

Types of VIP
Standard
Most common type of VIP for general purpose load balancing
Can make use of all functions including iRules, WebAccelerator, ASM etc.

Forwarding (Layer 2)
Generally used when LTM is configured in bridge mode (VLAN groups)
Essentially just forwards packets at Layer 2

Forwarding (IP)
Used when LTM needs to forward or route packets
Can either just route them based on its IP routing table or load balance
across multiple routers/firewalls etc.

Performance (HTTP)
Used for very simple, very fast HTTP load balancing
Loses a number of features (see next slide)

Performance (Layer 4)
Used for general purpose fast load balancing of packets using the PVA ASIC
Loses a number of features depending on the PVA acceleration mode (see next
few slides)
Configuration of virtual
>Forwarding (IP)
#b virtual forward_vip { destination any:any ip forward }

>Forwarding (Layer 2)
#b virtual forward_vip { destination any:any l2 forward }

#b virtual accel_vip {
   ip protocol tcp
   profile http_profile oneconnect_master tcp
   persist simple_1800_profile
   pool https_pool
}
Chapter 11

What is an iRule?

An iRule is a TCL script that gives more control over
how traffic is processed via the LTM

This can be done based on just about anything found
in a packet, including client IP address, headers,
URI, destination port, etc.

The use of the Universal Inspection Engine (UIE)
is also done via iRules, allowing for rule-based
What can an iRule work with?
Most commonly seen are HTTP events
Can also work with other protocols, such as SIP,
RTSP, XML, others
Can make adjustments to TCP behavior, such as
MSS, checking the RTT, looking into the payload
Can work with authentication or encryption, via
x509 commands, and AES encryption/decryption
Cache, compression, profiles are also available
Example iRules
Change server headers
HTTP::header replace Server "Microsoft-IIS/5.1"

Remove all server headers

HTTP::header sanitize ?ETag? ?Header01? ?Header02?

On 404 error, re-load balance

when HTTP_REQUEST { set RequestedPage [HTTP::uri] }
when HTTP_RESPONSE {
   if { [HTTP::status] eq "404" } {
      log "Dooh, page '$RequestedPage' not found on server"
      HTTP::redirect $RequestedPage
   }
}
More Samples (from CodeShare)
iRule Logging (really handy!)
You can turn on logging for any iRule and record anything
you like from requests or responses!

Often used when troubleshooting an iRule

Simply add the line log xxx (where xxx is anything you
like) to any iRule, for example:

log "Client [IP::remote_addr] has requested page [HTTP::uri] from server [HTTP::host]."

You can use the CLI command tail -f /var/log/ltm to view
these logs in real time
Troubleshooting Section

File System Overview and Vi

UCS file extracting
Look at the Statistics!
CLI Tools
PXE booting tips
File System Overview
Main VIP, Pool and iRule config is stored in:

Main IP and VLAN settings are stored in:


BIG-IP license file is stored in:


Log files are stored in:


Archived configs are stored in:

Tools/Commands to help

Change directory: cd
Print working directory: pwd
List directory contents: ls
View file: more <filename>
Edit file: vi <filename>
Copy file: cp <source> <dest>
Delete file: rm <filename>
Useful vi commands
i to start inserting text where the cursor is
A to start inserting text at the end of the line
Esc exits the editing mode
dd delete entire line
x delete single character
Esc then : then w to write the file
Esc then : then q to quit vi
/ starts a search through the file

Note: :wq would write the file and quit in one go

Note: :w! would write the file even if read-only file
Note: :q! would force vi to quit
UCS file extracting
UCS files are simply .tar.gz files with a number of
configuration files inside

Rename the file with a .tar.gz extension and use
WinRAR to extract the file

Note that a UCS file contains both the root password
and the license key for that unit; don't put it on another
box unless you have a backup!
Support will often request these

Can be executed from the GUI or CLI

Contains box configuration, route information,

statistics etc
Logs can often highlight problems

Can be viewed from the GUI

Can be downloaded from the directory


Useful command to watch the LTM log file in
real time from the CLI:
tail -f /var/log/ltm
CLI Tools

bigtop is a utility for a quick look at how the BIG-IP
is functioning. It provides statistics and information
on traffic flow, node operations and
troubleshooting (bigtop -delay 2 is useful)
TCPDUMP is an inbuilt network sniffer

To run TCPDUMP from the CLI and save the output to a file
that can be opened in Ethereal/Wireshark use the following

tcpdump -ni <VLAN> -v -s 1600 -w /var/tmp/filename.dmp


tcpdump -ni external -v -s 1600 -w /var/tmp/external.dmp

TIP: Use WinSCP to copy the file from the BIG-IP to your PC

TCPDUMP can be run from the GUI also

SSLDUMP is a utility available on the BIG-IP that can be used
to decode your SSL sessions by pre-loading your SSL keys
and using those to convert the session data into ASCII text.

SSLDUMP takes a raw TCPDUMP file as input

To display the handshake only

ssldump -r <capture file>

To display the actual application data (with the key file)

ssldump -r <capture file> -k <key file> -d
ssldump -r /var/tmp/internal.dmp -k /config/ssl/ssl.key/default.key -d > /var/tmp/ssldump.dmp
Documentation for ssldump can be found on
Useful links F5 related
Compression Test

Devcentral (iRules, iControl, SDK)

Software Downloads

Askf5 (manuals, software, solutions, EOL info)
Chapter 12

Redundant Pair

Redundant pair Concept

Redundant Pair Setup
Config. Synchronization
When is high availability required?
Increases reliability
It consists of two identically configured Big-IPs
There are two basic aspects:
Synchronizing configurations between the two BIG-IPs
Configuring fail-safe settings for the VLANs
Big-ip Individual System Settings
Big-IP LTM System 1:
-Hostname:
-Admin Password: XXXXX
-Unit ID: 1
-Internal VLAN
   -Self:
   -Float:
   -Peer:

Big-IP LTM System 2:
-Hostname:
-Admin Password: XXXXX
-Unit ID: 2
-Internal VLAN
   -Self:
   -Float:
   -Peer:
The Unit ID is used for identification; it does not designate
primary and secondary
The floating IP is always owned by the Active box
Failing Over
>Gratuitous ARP sent to all neighboring network devices
Synchronize Configuration
Initiated from either system
The redundant pair should service the same monitors,
pools & virtual servers
Synchronization conditions
The administrative password must be the same on each

Port 443 must not be blocked by the port lockdown
setting or by another system between the
redundant pair.

The clocks of the systems must be within a certain
number of minutes of each other.

Pull or Push Operation Sync in Correct Direction

Synchronization Process
1-Create UCS file.
-Which contain all configurations + licensing information
2-Send to peer
3-Peer creates backup of itself
4-Peer opens UCS file
a) Matching Hostname > Full Installation
b) Different Hostname >Shared Installation
Synchronize to Peer
# bigpipe config sync pull
# bigpipe config sync all
Determine Active System
Change to Standby Mode
Chapter 13

High Availability

Failover Trigger
Failover Detection
Stateful Failover
MAC Masquerading
Failover Managers
The Failover Managers detect a failed process and
take one of several actions: restarting the
process, failing back to the standby, rebooting the Big-IP
Perform hardware health checks
Software to correct hardware failures
Monitors the switch fabric and takes corrective action for
switch failures
All failover managers update and monitor the High
Availability Table
High Availability Table
Update & Monitor by Failover Managers
Table Fields
-Feature Name
-Action on Failure
-Failed State
Command Line: b ha table show
HA Table
Failover Trigger
Processes (Daemons)
VLAN Failsafe
Gateway Failsafe
Failover Triggers - Daemons
VLAN Failsafe
Detects no network traffic; tries to generate traffic
Timeout reached; action: Standby becomes
Gateway Failsafe
Hardware Failover
The Standby notices a loss of voltage and takes over the
active role
Network Failover
Heartbeat sent over the network
No 50 foot (15.24 meter) limitation
Slower than Hardware Failover
Settings not synchronized between peers
If both Hardware Failover & Network Failover are being
Network Failover Settings
Network Communication
Stateful Failover
Types of Mirroring
Failover without MAC Masquerading
MAC Masquerading
MAC Masquerading