
Traffic flow

Note: BIG-IP statistics for interfaces, VLANs, and trunks do not differ from this model.

Traffic flow with respect to BIG-IP is viewed from a client-oriented model; the traffic flow from a client is seen as In to a virtual
server and In to a server. Likewise, the response from the server is seen as Out from the server and Out from the virtual server.

This orientation comes from the BIG-IP design. The virtual server is always presented as a client-side access point, even when the
virtual server is used by servers to reach a gateway. The virtual server is seen as providing a service to the client, so traffic
flow is defined from the point of view of the virtual server on which the connection was initiated.

Note: This behavior holds true for network and forwarding virtual servers regardless of whether they are listening on multiple
VLANs, or for virtual servers configured for VIP Bounce Back/One Arm Configuration for which a virtual server resides on the
same VLAN/subnet as the server to which it is load balancing.

In the BIG-IP-centric diagram, traffic directed from the client to the server through the virtual server is counted as inbound to the
server. This does not follow the conventional view of a typical Layer 2 or Layer 3 device, which would count the same traffic as
outbound on the interface facing the server. The difference comes from the client-oriented model: from the client's perspective,
the virtual server appears to be the server, the end point of the connection.

When viewing the detailed throughput graphs for client-side and server-side throughput, you can see that client bits out closely
match server bits out: in this model both count the response traffic.
Managing SSL Certificates

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos_management_guide_10_1/tmos_device_certif_config.html

A forwarding virtual server (ip-forward) lets the BIG-IP act as the gateway for all traffic that is not load balanced. Restrict it to
the VLAN(s) it should forward from (vlans-enabled plus the VLAN list): an unrestricted forwarder routes traffic arriving on any VLAN
the BIG-IP has an address on, including the external one.

VIP Bounce Back / One Arm Configuration: the virtual server resides on the same VLAN/subnet as the servers it load balances. In that
layout SNAT is required so that server responses return through the BIG-IP instead of going straight to the client.

Using separate internal and external VLANs is a best practice that keeps the internal network isolated, but it is not mandatory.

You can load balance traffic on a single interface (one-arm), but it is not ideal: client-side and server-side traffic share the
same link, so every request and response crosses it twice, which can become a bottleneck under high load.
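The VLAN restriction on a forwarding virtual server is easy to forget and easy to check. The script below is an added example (not code from this page or from F5): it parses the output of tmsh list ltm virtual and reports every ip-forward virtual server that is not pinned to specific VLANs. Assumptions: tmsh lives at /usr/bin/tmsh, and its listing has the usual brace-nested shape shown in the constructed SAMPLE_LISTING; the names in the sample are made up.

```python
"""Audit `tmsh list ltm virtual` output for forwarding virtuals that accept
traffic from every VLAN.

Added example; not code from this page or from F5. Assumptions: tmsh is at
/usr/bin/tmsh, and its `list ltm virtual` output has the usual brace-nested
shape shown in the constructed SAMPLE_LISTING below.
"""
import re
import subprocess

# Constructed sample: one unrestricted forwarder, one restricted to the
# internal VLAN, and an ordinary load-balancing virtual server.
SAMPLE_LISTING = """\
ltm virtual /Common/fwd_all {
    destination /Common/0.0.0.0:any
    ip-forward
    mask any
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans-disabled
}
ltm virtual /Common/fwd_internal {
    destination /Common/0.0.0.0:any
    ip-forward
    mask any
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/internal
    }
    vlans-enabled
}
ltm virtual /Common/http_vs {
    destination /Common/203.0.113.100:http
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/web_pool
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
"""

# One `ltm virtual <name> { ... }` block; the closing brace of a block is the
# only `}` that starts in column 0.
BLOCK_RE = re.compile(r"^ltm virtual (\S+) \{\n(.*?)^\}", re.M | re.S)
VLANS_RE = re.compile(r"^[ \t]+vlans \{\n(.*?)^[ \t]+\}", re.M | re.S)


def parse_virtuals(listing):
    """Map virtual server name -> text of its configuration block."""
    return dict((m.group(1), m.group(2)) for m in BLOCK_RE.finditer(listing))


def is_forwarding(body):
    """True for an ip-forward (forwarding) virtual server."""
    return re.search(r"^[ \t]*ip-forward[ \t]*$", body, re.M) is not None


def enabled_vlans(body):
    """VLANs the virtual server listens on; None means every VLAN
    (vlans-disabled, with or without an exclusion list)."""
    if re.search(r"^[ \t]*vlans-enabled[ \t]*$", body, re.M) is None:
        return None
    m = VLANS_RE.search(body)
    return m.group(1).split() if m else []


def audit(listing):
    """Names of forwarding virtual servers not pinned to specific VLANs.
    Such a virtual makes the BIG-IP a router for any VLAN it has an address
    on, including the external one."""
    return [name for name, body in parse_virtuals(listing).items()
            if is_forwarding(body) and enabled_vlans(body) is None]


def main():
    listing = subprocess.check_output(
        ["/usr/bin/tmsh", "list", "ltm", "virtual"]).decode("utf-8")
    for name in audit(listing):
        print("forwarding virtual %s is not restricted with vlans-enabled" % name)


if __name__ == "__main__":
    main()
```

Run it on the BIG-IP itself; it only reads the configuration. A forwarder that is meant for the internal side should show vlans-enabled with just the internal VLAN(s) listed.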

b node <node name> down                                         <- force the node down (bigpipe, v9/v10)

b pool <pool name> members <IP:port> session <enable|disable>   <- allow or stop new sessions to a pool member (existing and persisted ones continue)

v11
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13310.html

v9-10
http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7566.html
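The two bigpipe commands above are normally used together: stop new sessions first, wait for the existing connections to finish, then take the member down. The script below is an added example (not code from this page or from F5) that does that sequence with the tmsh commands that replace bigpipe in v11 and later. Assumptions: tmsh is at /usr/bin/tmsh, and tmsh show ltm pool <pool> members { <member> } field-fmt prints a serverside.cur-conns <n> line inside the member's block; the SAMPLE_SHOW output is constructed, as are the pool and member names.

```python
"""Drain a pool member gracefully before forcing it down.

Added example; not code from this page or from F5. tmsh (v11+) equivalent of
the bigpipe commands above, with a wait in between:
  1. session user-disabled  -> no new connections (persisted ones continue)
  2. poll serverside.cur-conns until it reaches 0 or a timeout expires
  3. state user-down        -> member forced down
Assumptions: tmsh is at /usr/bin/tmsh, and
`show ltm pool <pool> members { <member> } field-fmt` prints a
`serverside.cur-conns <n>` line inside the member's block, as in the
constructed SAMPLE_SHOW below.
"""
import re
import subprocess
import sys
import time

TMSH = "/usr/bin/tmsh"

# Constructed sample of the field-fmt output (shortened).
SAMPLE_SHOW = """\
ltm pool web_pool {
    members {
        10.1.1.10:80 {
            addr 10.1.1.10
            port 80
            serverside.bits-in 4.3M
            serverside.bits-out 18.2M
            serverside.cur-conns 3
            serverside.max-conns 57
            serverside.tot-conns 1203
            status.availability-state available
            status.enabled-state enabled
        }
    }
}
"""


def tmsh(*args):
    """Run one tmsh command and return its stdout."""
    return subprocess.check_output([TMSH] + list(args)).decode("utf-8")


def member_cmd(pool, member, key, value):
    """argv for: tmsh modify ltm pool <pool> members modify { <member> { <key> <value> } }"""
    return ["modify", "ltm", "pool", pool, "members", "modify",
            "{", member, "{", key, value, "}", "}"]


def show_cmd(pool, member):
    """argv for: tmsh show ltm pool <pool> members { <member> } field-fmt"""
    return ["show", "ltm", "pool", pool, "members", "{", member, "}", "field-fmt"]


def current_connections(show_output, member):
    """serverside.cur-conns for `member`, parsed from field-fmt output."""
    block = re.search(r"^[ \t]+%s \{\n(.*?)^[ \t]+\}" % re.escape(member),
                      show_output, re.M | re.S)
    if block is None:
        raise ValueError("member %s not in tmsh output" % member)
    m = re.search(r"^[ \t]+serverside\.cur-conns (\d+)[ \t]*$",
                  block.group(1), re.M)
    if m is None:
        raise ValueError("serverside.cur-conns missing for %s" % member)
    return int(m.group(1))


def drain(pool, member, run=tmsh, timeout=300, interval=5, sleep=time.sleep):
    """Disable new sessions, wait for existing connections to finish, then
    force the member down. Returns the connections still open at that point
    (non-zero only if the timeout expired). `run` and `sleep` are injectable
    so the sequence can be exercised without a BIG-IP."""
    run(*member_cmd(pool, member, "session", "user-disabled"))
    deadline = time.time() + timeout
    left = current_connections(run(*show_cmd(pool, member)), member)
    while left > 0 and time.time() < deadline:
        sleep(interval)
        left = current_connections(run(*show_cmd(pool, member)), member)
    run(*member_cmd(pool, member, "state", "user-down"))
    return left


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: drain_member.py <pool> <ip:port>")
    remaining = drain(sys.argv[1], sys.argv[2])
    print("%s taken down with %d connection(s) still open" % (sys.argv[2], remaining))
```

Usage on the box: python drain_member.py web_pool 10.1.1.10:80. Forcing the member down while connections are still open (what b node ... down alone does) resets them; the session disable step is what makes the maintenance invisible to clients that already have a persisted session.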

Great iRule post

https://devcentral.f5.com/questions/http-forward-to-pool-not-working-as-expected

…redirecting to another pool when initial pool is unavailable

Persistence
https://devcentral.f5.com/questions/load-balancing-methods-not-working-on-pool-

b persist mode msrdp show all


TCPDUMP

Capturing extended TMM data with tcpdump

http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13637.html

To capture internal TMM information, a noise amplitude operator is appended to the interface argument for a
given tcpdump command, as shown in the following syntax:

tcpdump -i <interface>:<noise amplitude>

The noise amplitude defines the level of TMM details included in the packet capture. The following noise levels
may be captured:

- n: Low details
- nn: Low and medium details
- nnn: Low, medium, and high details

F5 recommends always capturing the maximum noise level with the nnn option.

Low Details

- Ingress: A flag indicating whether TMM is sending or receiving the packet. A zero (0) indicates that TMM is
sending the packet, while a non-zero number indicates that TMM is receiving the packet.
- Slot: The chassis slot number of the TMM that is handling the packet.
- TMM: The number of the TMM that is handling the packet.
- VIP: The name of the virtual server that is handling the connection. Prior to BIG-IP 11.2.0, the name was limited
to 16 characters. In BIG-IP 11.2.0 and later, the name is limited to 96 characters.

Medium Details

- Flow ID: A number identifying a flow within TMM. The same flow ID can be used for different flows in different
TMMs. Also, the same flow ID can be re-used for a different flow within the same TMM at a different time.
- Peer ID: A number identifying the peer flow within TMM. Note that the same peer ID can be used for different
flows in different TMMs. Also, the same peer ID can be re-used for a different flow within the same TMM at a
different time.
- Reset Cause: In BIG-IP 11.2.0 and later, the reset cause (if available) will be included for TCP reset packets. For
more information, refer to SOL13223: Configuring the BIG-IP system to log TCP RST packets.
- Connflow Flags: Diagnostic information used by F5 Technical Support.
- Flow Type: Diagnostic information used by F5 Technical Support.
- High Availability Unit: Diagnostic information used by F5 Technical Support.
- Ingress Slot: Diagnostic information used by F5 Technical Support.
- Ingress Port: Diagnostic information used by F5 Technical Support.

High Details

- Peer IP Protocol: The IP protocol of the peer flow. This field is not populated prior to BIG-IP 11.0.0.
- Peer VLAN: The VLAN ID number that is associated with the peer flow.
- Peer Remote Address: The IP address of the host on the far end of the peer flow.
- Peer Local Address: The IP address used by TMM for the peer flow.
- Peer Remote Port: The protocol port of the host on the far end of the peer flow.
- Peer Local Port: The protocol port used by TMM for the peer flow.
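The flow ID and peer ID fields above are what let you stitch a client-side flow to its server-side flow in a capture, as long as you also key on the slot and TMM number (the same ID names different flows on different TMMs). The script below is an added example (not code from this page or from F5) that does that over the text tcpdump prints for a :nn capture. Assumptions: the annotation is appended to each line as in|out slot<N>/tmm<N> lis=<virtual> key=value ..., with a peerid of 0 meaning no peer flow yet; the lines in SAMPLE_LINES are constructed, not real output, and the virtual server name and addresses are made up.

```python
"""Pair client-side and server-side flows from TMM-annotated tcpdump output.

Added example; not code from this page or from F5. It reads the text tcpdump
prints for a capture taken with the :nn (or :nnn) noise suffix and groups
packets by flow, using the fields described above: the flow ID keyed together
with the slot and TMM number, and the peer ID to link the client-side flow to
its server-side flow within that TMM.
Assumptions: the annotation is appended to each line in the form
`in|out slot<N>/tmm<N> lis=<virtual> key=value ...`; SAMPLE_LINES are
constructed, not real output.
"""
import re
import sys

# Constructed: client 192.0.2.10 hitting /Common/http_vs, which opens a
# server-side connection to 10.1.1.10 from SNAT address 10.1.1.200; plus one
# packet on tmm1 that reuses the same flow ID, an ARP line with no
# annotation, and a line captured with :n only (no flow fields).
SAMPLE_LINES = [
    "10:19:03.226818 IP 192.0.2.10.44938 > 203.0.113.100.80: Flags [S], seq 2836434155, win 29200, length 0"
    " in slot1/tmm0 lis=/Common/http_vs flowtype=64 flowid=5600006A7B200 peerid=0 conflags=24 inslot=1 inport=1 haunit=1",
    "10:19:03.226901 IP 10.1.1.200.44938 > 10.1.1.10.80: Flags [S], seq 1733211805, win 29200, length 0"
    " out slot1/tmm0 lis=/Common/http_vs flowtype=64 flowid=5600006A7B300 peerid=5600006A7B200 conflags=24 inslot=1 inport=1 haunit=1",
    "10:19:03.227410 IP 10.1.1.10.80 > 10.1.1.200.44938: Flags [S.], seq 88210, ack 1733211806, win 28960, length 0"
    " in slot1/tmm0 lis=/Common/http_vs flowtype=64 flowid=5600006A7B300 peerid=5600006A7B200 conflags=24 inslot=1 inport=2 haunit=1",
    "10:19:03.227455 IP 203.0.113.100.80 > 192.0.2.10.44938: Flags [S.], seq 4102, ack 2836434156, win 4380, length 0"
    " out slot1/tmm0 lis=/Common/http_vs flowtype=64 flowid=5600006A7B200 peerid=5600006A7B300 conflags=24 inslot=1 inport=2 haunit=1",
    "10:19:03.301000 IP 192.0.2.77.51002 > 203.0.113.100.80: Flags [S], seq 9911, win 29200, length 0"
    " in slot1/tmm1 lis=/Common/http_vs flowtype=64 flowid=5600006A7B200 peerid=0 conflags=24 inslot=1 inport=1 haunit=1",
    "10:19:03.310000 ARP, Request who-has 10.1.1.1 tell 10.1.1.200, length 28",
    "10:19:03.320000 IP 192.0.2.10.44938 > 203.0.113.100.80: Flags [.], ack 1, win 229, length 0"
    " in slot1/tmm0 lis=/Common/http_vs",
]

# Low-noise part of the annotation, then whatever key=value pairs follow it.
ANNOT_RE = re.compile(
    r"\s(?P<dir>in|out) slot(?P<slot>\d+)/tmm(?P<tmm>\d+) lis=(?P<lis>\S*)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one tcpdump line into (packet text, annotation dict).
    The dict is None when the line carries no TMM annotation."""
    m = ANNOT_RE.search(line)
    if m is None:
        return line, None
    ann = {"dir": m.group("dir"), "slot": int(m.group("slot")),
           "tmm": int(m.group("tmm")), "lis": m.group("lis")}
    ann.update(KV_RE.findall(m.group("rest")))  # flowid, peerid, ... as strings
    return line[:m.start()], ann


def pair_flows(lines):
    """Group packets by (slot, tmm, flowid) and link each flow to its peer.
    Returns {flow_key: {"lis": ..., "peer": key_or_None, "in": n, "out": n}}."""
    flows = {}
    for line in lines:
        _, ann = parse_line(line)
        if ann is None or "flowid" not in ann:
            continue  # no annotation, or captured below the :nn noise level
        key = (ann["slot"], ann["tmm"], ann["flowid"])
        flow = flows.setdefault(key, {"lis": ann["lis"], "peer": None, "in": 0, "out": 0})
        flow[ann["dir"]] += 1
        if ann.get("peerid", "0") != "0":
            # the peer flow lives on the same TMM; peerid 0 means no peer yet
            flow["peer"] = (ann["slot"], ann["tmm"], ann["peerid"])
    return flows


def main():
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for key, flow in sorted(pair_flows(lines).items()):
        print("slot%d/tmm%d flow %s lis=%s in=%d out=%d peer=%s" % (
            key[0], key[1], key[2], flow["lis"], flow["in"], flow["out"],
            flow["peer"][2] if flow["peer"] else "-"))


if __name__ == "__main__":
    main()
```

Feed it a text capture (tcpdump -nni 0.0:nn ... | python pair_flows.py) and each flow lists its peer; a flow whose peer stays "-" for the whole capture never got a server-side connection, which is usually the first thing to know when a virtual server "does nothing".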

Running tcpdump in a route domain

Recommendations

When using tcpdump to capture traffic in a non-default route domain, F5 recommends that you run the
tcpdump command from the default route domain (route domain 0) and specify interface 0.0.

For example, the following command, invoked from the default route domain, captures traffic from all VLANs
in all route domains:

tcpdump -ni 0.0

tcpdump "-p" flag (11.2.0 and later): also captures the peer flow of every matched flow. Use it on a virtual server with AutoSNAT,
where a filter on the client address would otherwise miss the server-side packets because their source is the SNAT address.

https://devcentral.f5.com/questions/tcpdump-with-snat

Useful flags:

-D              list the interfaces tcpdump can capture on
-i <interface>  interface (or VLAN) to capture on; -i 0.0 listens on all interfaces
-n              disable name resolution
-nn             do not translate IPs or ports to names
-e              print the Ethernet MAC addresses, and the 802.1Q VLAN tag when present
-s0             capture the entire packet (no snaplen truncation)
-w /path.cap    write raw packets to a file (open it in Wireshark)
-X              print each packet in hex and ASCII (headers and payload), not just the decoded headers
-vvv            maximum decoding verbosity

tcpdump -e -i 0.0 -nn <- don't translate IPs or ports to names


tcpdump -e -i 0.0:nn <- Capture Low and medium NOISE details

:nnn vs -vvv: they are independent. The noise suffix on the interface (:n/:nn/:nnn) controls how much TMM metadata is attached to
each captured frame, so it is what matters when writing a capture file for later analysis; -vvv only controls how much of the
decoded protocol headers tcpdump prints on the terminal.

tcpdump -vvv -s 0 -nni internal -w test.cap host 192.168.22.33 and net 10.1.1.0/24 and port 8080

ssldump utility
https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html?sr=31391333
GTM Load Balancing
http://www.shilohsf.com/home/3-gtm-loadbalancing
