
BIG-IP Local Traffic Manager

(LTM) Fundamentals
F5 Partner Technical Boot Camp
Written for TMOS v13.0
• Lesson 1: BIG-IP Installation
• Lesson 2: Processing Traffic
• Lesson 3: Using SNAT
• Lesson 4: Priority Group Activation
• Lesson 5: Health Monitors
• Lesson 6: Profiles
• Lesson 7: Persistence
• Lesson 8: SSL Termination
• Lesson 1: BIG-IP Installation
Initial BIG-IP System Setup
BIG-IP System Initial Setup

1. Set up the management port

2. Run the Setup Utility:
• License the BIG-IP system
• Provision modules
• Configure the platform
• Optionally, set up a failover pair
Management Port Defaults

IP Address: 192.168.1.245/24
Username / Password: BIG-IP Configuration utility: admin / admin; CLI: root / default

These are published factory defaults. Change both passwords during the Setup Utility (its Platform page prompts for this) before the management port is reachable from any shared network.
Configure the Management Port Using CLI

Log in to the CLI as root / default, then type "config" at the CLI prompt to set the management IP address, netmask, and default route.


Access the BIG-IP Setup Utility

https://<mgmt port IP>
Log in to the BIG-IP System

Log in as admin with a password of admin


• Lesson 1: BIG-IP Installation
Use the Setup Utility
Setup Utility

Obtain a BIG-IP system license from F5 Networks
Licensing Methods

Manual licensing: use without Internet access, or if the BIG-IP system is behind a firewall that blocks it from reaching F5.

Automatic licensing: use if the BIG-IP system has Internet access to the F5 licensing server.
Automatic Licensing

[Figure: the BIG-IP system (172.20.10.3, 172.20.10.4) contacts the F5 licensing server (drawn as 18.202.191.1) directly; the resulting license is stored in /config/bigip.license]

Manual Licensing

[Figure: the BIG-IP system (172.20.10.3, 172.20.10.4) has no path to the F5 licensing server; an administrator host (drawn as 172.20.20.1) obtains the license from the F5 licensing server and transfers it to the BIG-IP system]
Two Methods for Manual Licensing
Using the F5 Licensing Server Web Site
Download or Copy the F5 License
Paste the License on the BIG-IP System
Resource Provisioning

Provisioning a module requires a license
Setup Utility – Platform Page

F5 Networks recommends changing the root and admin account passwords
Setup Utility – Standard Network

Requires manual configuration of network settings
Setup Utility – Internal Network Configuration
Setup Utility – External Network Configuration
Using the Configuration Utility
Configuration Utility User Interface

The navigation pane groups the BIG-IP functions:

• Local Traffic: for Local Traffic Manager (LTM)
• Statistics: system dashboard, analytics, and performance
• iApps: iApp application services and templates
• DNS: DNS services and global server load balancing using BIG-IP DNS
• Security: web application firewall using BIG-IP Application Security Manager (ASM); network firewall using BIG-IP Advanced Firewall Manager (AFM); fraud protection using BIG-IP WebSafe
• Access: secure remote access using BIG-IP Access Policy Manager (APM)
• Device Management: high availability and clustering
• Network: routing, self IP addresses, and VLANs
• System: backups, BIG-IP resource provisioning, and licensing
Access the Archives Page
• Lesson 1: BIG-IP Installation
Use TMSH
TMSH Structure

Use TMSH to manage BIG-IP system objects. The command hierarchy is root, then module, then component, then object type, then the action:

tmsh (root)
  modules: apm, gtm, ltm, net, sys
    ltm components: auth, dns, monitor, persistence, profile, virtual
    sys components: application, disk, software
      ltm profile object types: client-ssl, http, tcp
        action: create "NAME"

Example from the root of the hierarchy: create /ltm/profile/tcp "NAME"
Two Methods to Issue TMSH Commands
Use Command Completion

Use the Tab key to complete commands
Exit from TMSH

Command   Context                           Action
/         Any level of the tmsh hierarchy   Returns you to the root module
exit      Within object mode                Returns you to the component within which the object resides
exit      Within a component                Returns you to the module within which the component resides
exit      Within a module                   Returns you to the parent module
quit      Within a module                   Closes tmsh
LTM Exercise 1 – Initial BIG-IP Configuration

• In this exercise:
• Access Ravello lab environment
• Re-activate BIG-IP license
• Complete Setup Utility
• Explore tmsh commands
• Create an archive file
• Estimated completion time: 30 minutes
• Lesson 2: Processing Traffic
Nodes

A node is a physical or logical server, represented by an IP address.

[Figure: nodes 172.20.10.1, 172.20.10.2, 172.20.10.3, 172.20.10.4]

Pool Members

A pool member is represented by an IP address and a port.

[Figure: the same four nodes; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80 and 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443]

Pools

A pool is a group of pool members that represents an application. Each pool is configured with a load balancing method (for example Round Robin or Ratio (Member)). A node can be a member of multiple pools.

[Figure: HTTP pool with members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080, 172.20.10.3:80; HTTPS pool with members 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443]

Virtual Servers

A virtual server is represented by an IP address and a port. BIG-IP LTM is a default deny device: traffic that does not match a configured virtual server (or another listener) is dropped rather than forwarded.

[Figure: virtual servers 104.219.2.100:80 and 104.219.2.100:443 in front of the nodes and pool members above]
Processing Traffic – Request Packet #1

The client 18.200.150.10 browses to http://www.f5.com. DNS response: www.f5.com – 104.219.2.100.

Request packet (client side): Source IP 18.200.150.10:4003, Destination IP 104.219.2.100:80 (the virtual server).

BIG-IP LTM modifies the packet: it selects pool member 172.20.10.1:80 and sends the request with Source IP 18.200.150.10:4003, Destination IP 172.20.10.1:80.

[Figure: virtual servers 104.219.2.100:80 and 104.219.2.100:443; nodes 172.20.10.1 through 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080, 172.20.10.4:80 and 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443]

Processing Traffic – Request Packet #2

Request packet #2: Source IP 18.200.150.10:4003, Destination IP 104.219.2.100:80.

This time the load balancing method selects member 172.20.10.2:80, so the packet leaves the BIG-IP with Source IP 18.200.150.10:4003, Destination IP 172.20.10.2:80.

Pool Member Availability

What if a pool member is unavailable? Node 172.20.10.3 is offline, so request packet #3 (Source IP 18.200.150.10:4003, Destination IP 104.219.2.100:80) is sent to member 172.20.10.4:80 instead. SNMP traps can send alerts about offline pool members.
Processing Server Responses

Response packet from the pool member: Source IP 172.20.10.1:80, Destination IP 18.200.150.10:4003.

BIG-IP LTM modifies the response packet so that the client sees the virtual server address it connected to: Source IP 104.219.2.100:80, Destination IP 18.200.150.10:4003.

Asymmetric Routing Problem

If the BIG-IP changes an IP address, the response must return through the BIG-IP. Otherwise the pool member's reply (Source IP 172.20.10.1:80, Destination IP 18.200.150.10:4003) reaches the client directly from an address the client never connected to, and the client discards it.

Solution #1: configure the default gateway (DG: 172.20.10.241, a BIG-IP address in the diagram) or static routing on every pool member, so that replies to off-subnet clients are routed to the BIG-IP.

Solution #2: use Secure Network Address Translation (SNAT), so that the pool member sees a BIG-IP address as the source of the request and its reply is addressed to the BIG-IP regardless of the member's routing.

[Figure: BIG-IP addresses 172.20.10.240 and 172.20.10.241 on the internal VLAN; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080, 172.20.10.4:80 and 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443]
TMOS – Full TCP Proxy Architecture

TMOS: Traffic Management Operating System. BIG-IP LTM is a full TCP proxy: the client-side connection (client 18.200.150.10 to virtual server 104.219.2.100:80) and the server-side connection (BIG-IP to the selected pool member) are two separate TCP connections, each with its own handshake, sequence numbers, and options. This is what allows the address rewriting above, and also lets profiles change the traffic on either side independently.

[Figure: client 18.200.150.10; virtual servers 104.219.2.100:80 and 104.219.2.100:443; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080, 172.20.10.4:80 and 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443]
Create a Pool
Configure a Pool
Create a Virtual Server
Configure a Virtual Server – General Properties
Configure a Virtual Server – Configuration

Use the Source Address Translation setting to solve the issue of asymmetric routing
Configure a Virtual Server – Content Rewrite
Configure a Virtual Server – Acceleration
Configure a Virtual Server – Resources

You can create a new pool while creating a new virtual server
Use the Network Map
Statistics

View statistics for a specific BIG-IP LTM object

Identify how much traffic BIG-IP LTM is processing
LTM Exercise 2 – Create a Pool and Virtual Server

• In this exercise:
• Create a pool of HTTP web servers
• Create virtual server for the new pool
• Use statistics to test traffic flow
• View the Network Map and logs
• Estimated completion time: 50 minutes
• Lesson 3: Using SNAT
SNAT Concepts

SNAT: Secure Network Address Translation, also described as source network address translation.

Many-to-one mapping: a single, public IP address (104.219.2.150 in the diagram) can be used by multiple internal nodes with private IP addresses.

Traffic initiated to a SNAT is refused: a SNAT address translates the source of connections going out through the BIG-IP and does not accept inbound connections the way a virtual server does.

[Figure: client 188.50.22.19 sends a request to virtual server 104.219.2.100; the server-side request is sent from self IP 172.20.1.1; SNAT address 104.219.2.150; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Using SNAT with Non-Routable Clients

Use SNAT to give Internet access to internal nodes with private IP addresses.

[Figure: internal hosts 172.20.5.15, 172.20.5.20, 172.20.10.3, 172.20.10.4 reach Internet host 18.90.220.50 through SNAT address 104.219.104.148]
SNAT Routing Using Auto Map

SNAT Auto Map is the easiest method and uses a configured self IP address as the translation address.

Preference is given to a floating self IP address on the egress (exit) VLAN.


SNAT Auto Map Translation

BIG-IP LTM selects a self IP address based on the direction of the traffic: connections sent to the pool members on the internal VLAN are translated to the internal self IP, and connections sent out the external VLAN are translated to the external self IP.

[Figure: client 188.50.22.19; external VLAN with self IP 104.219.2.254 and virtual server 104.219.2.100; internal VLAN with self IP 172.20.10.254; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Configuring SNAT Auto Map

Enable SNAT Auto Map within a virtual server (the Source Address Translation setting).

Once enabled, the pool member sees the self IP address rather than the client address, which is what the next exercise demonstrates. For HTTP traffic the original client address can still be passed to the servers with the HTTP profile's X-Forwarded-For insertion.
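The following Python model is added here as an example; it is not code from the F5 course or product. It walks request packet #1 from Lesson 2 through the request and reply path and shows the three outcomes the slides describe: the pool member's default gateway pointing at some other router (asymmetric routing, reply dropped), the default gateway on the BIG-IP (solution #1), and SNAT Auto Map (solution #2). The addresses follow the course diagrams; the set of BIG-IP self IPs, the non-BIG-IP router 172.20.10.250, and the ephemeral port 40001 are assumptions.

```python
"""Address handling in BIG-IP LTM's full-proxy flow, with and without SNAT
Auto Map. Added example, not F5 code. Addresses follow the course diagrams;
the self IPs, the non-BIG-IP router 172.20.10.250 and the ephemeral port
40001 are assumptions."""
from dataclasses import dataclass
import ipaddress

VIRTUAL_SERVER = ("104.219.2.100", 80)
CLIENT = ("18.200.150.10", 4003)
MEMBER = ("172.20.10.1", 80)
MEMBER_SUBNET = ipaddress.ip_network("172.20.10.0/24")
# Addresses the BIG-IP owns on the internal VLAN (assumed from the diagrams).
BIGIP_INTERNAL_SELF_IPS = {"172.20.10.240", "172.20.10.241", "172.20.10.254"}
AUTOMAP_SELF_IP = ("172.20.10.254", 40001)   # floating self IP Auto Map prefers


@dataclass(frozen=True)
class Packet:
    src: tuple   # (ip, port)
    dst: tuple


def server_side_request(client_pkt, member, snat_automap):
    """The packet LTM sends to the pool member. The destination is always
    rewritten to the member; the source is rewritten only with SNAT."""
    if client_pkt.dst != VIRTUAL_SERVER:
        raise ValueError("no listener for this destination: default deny")
    src = AUTOMAP_SELF_IP if snat_automap else client_pkt.src
    return Packet(src=src, dst=member)


def member_reply(request):
    """The member answers the source it saw, swapping the endpoints."""
    return Packet(src=request.dst, dst=request.src)


def reply_transits_bigip(reply, member_default_gw):
    """True if the member's reply arrives at the BIG-IP: the destination is a
    BIG-IP address (SNAT case), or it is off-subnet and the member's default
    gateway is a BIG-IP address (solution #1)."""
    dst_ip = reply.dst[0]
    if dst_ip in BIGIP_INTERNAL_SELF_IPS:
        return True
    if ipaddress.ip_address(dst_ip) not in MEMBER_SUBNET:
        return member_default_gw in BIGIP_INTERNAL_SELF_IPS
    return False   # on-subnet destination: delivered directly, bypassing the BIG-IP


def simulate(snat_automap, member_default_gw):
    """Return the address the member sees as the client, and whether the
    client gets a reply from the address it connected to."""
    client_pkt = Packet(src=CLIENT, dst=VIRTUAL_SERVER)
    req = server_side_request(client_pkt, MEMBER, snat_automap)
    reply = member_reply(req)
    if not reply_transits_bigip(reply, member_default_gw):
        # Asymmetric routing: the reply reaches the client from 172.20.10.1:80,
        # which matches no connection the client has, so the client drops it.
        return {"member_sees": req.src[0], "client_gets_reply": False}
    # The BIG-IP undoes its translations on the client-side connection.
    client_reply = Packet(src=VIRTUAL_SERVER, dst=CLIENT)
    return {"member_sees": req.src[0],
            "client_gets_reply": client_reply.dst == CLIENT}


if __name__ == "__main__":
    print("no SNAT, other router as gateway:", simulate(False, "172.20.10.250"))
    print("no SNAT, BIG-IP as gateway:      ", simulate(False, "172.20.10.241"))
    print("SNAT Auto Map:                   ", simulate(True, "172.20.10.250"))
```

The third scenario also shows the cost of SNAT that the exercise asks you to observe: the member logs 172.20.10.254 as its client, not 18.200.150.10.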
LTM Exercise 3 – Configure SNAT Auto Map

• In this exercise:
• Examine the client IP before adding SNAT
• Add SNAT Auto Map, and then examine the
client IP address
• Estimated completion time: 15 minutes
• Lesson 4: Priority Group Activation
Priority Group Activation

Preferred and backup sets of pool members, used to meet client traffic demands.

Use Priority Group Activation

BIG-IP LTM uses members with the highest priority number first.

[Figure: HTTP Pool of 14 members numbered 1 through 14 with priorities 40, 40, 40, 40, 40, 30, 30, 30, 30, 15, 15, 15, 15, 15; Priority Group Activation: Enabled, Less than 5 members]

How Priority Group Activation Works

Priority Group Activation ensures that a pool doesn't go below a threshold. With all five priority-40 members available, only they receive traffic. When the available members in the active groups drop below 5, the priority-30 group is activated as well, and the priority-15 group after that if the count is still below 5. When enough higher-priority members return, the lower groups stop receiving new connections.
Configure Priority Group Activation
Requires modifications to both the pool (the activation threshold) and its pool members (the priority group of each member)
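As an added example (not F5 code), the selection rule above written out in Python against the course's HTTP Pool of five priority-40, four priority-30 and five priority-15 members with activation set to "Less than 5 members". The member names (web40-1 and so on) are made up for the example.

```python
"""Priority Group Activation as a selection rule. Added example, not F5 code.
The pool layout is the course's HTTP Pool; member names are made up."""


def active_members(members, min_active):
    """members: list of (name, priority, available). min_active: the 'Less
    than N' threshold (0 means Priority Group Activation is disabled).

    Returns the member names LTM load balances across: the highest priority
    group with available members, plus each next-lower group until at least
    min_active available members are active."""
    available = [(name, prio) for name, prio, up in members if up]
    if min_active == 0:                  # disabled: priorities are ignored
        return [name for name, _ in available]
    active = []
    for prio in sorted({p for _, p in available}, reverse=True):
        active += [name for name, p in available if p == prio]
        if len(active) >= min_active:    # threshold met, stop activating groups
            break
    return active


def http_pool(down=()):
    """Build the course pool; `down` lists members that failed their monitor."""
    layout = ([("web40-%d" % i, 40) for i in range(1, 6)]
              + [("web30-%d" % i, 30) for i in range(1, 5)]
              + [("web15-%d" % i, 15) for i in range(1, 6)])
    return [(name, prio, name not in down) for name, prio in layout]


def active_priorities(members, min_active):
    """Which priority groups currently carry traffic, highest first."""
    active = set(active_members(members, min_active))
    return sorted({p for name, p, _ in members if name in active}, reverse=True)


if __name__ == "__main__":
    scenarios = {
        "all members up": (),
        "one priority-40 member down": ("web40-1",),
        "two 40s and three 30s down": ("web40-1", "web40-2", "web30-1", "web30-2", "web30-3"),
        "whole priority-40 group down": tuple("web40-%d" % i for i in range(1, 6)),
    }
    for label, down in scenarios.items():
        pool = http_pool(down)
        print("%-32s groups %-12s %2d members active"
              % (label, active_priorities(pool, 5), len(active_members(pool, 5))))
```

Note that the rule only ever adds whole groups: with two priority-40 members and three priority-30 members down, 40 and 30 together provide four available members, so the priority-15 group is activated too and nine members share the load.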
LTM Exercise 4 – Use Priority Group Activation

• In this exercise:
• Use priority groups
• Estimated completion time: 15 minutes
• Lesson 5: Health Monitors
Health Monitors Overview

Monitoring ensures that BIG-IP LTM does not send requests to offline servers.

[Figure (legend: Unknown, Available): BIG-IP LTM asks each of the nodes 172.20.10.1, 172.20.10.2, 172.20.10.3 and 172.20.10.4 "available?" and each answers "Yes, I'm online"; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Results from Using Health Monitors

Health monitors are used to determine pool member or node availability.

BIG-IP LTM continues to monitor the offline pool member for a period of time.

[Figure (legend: Unknown, Available, Offline): checks numbered 1 through 9; nodes 172.20.10.1, 172.20.10.2 and 172.20.10.3 answer "Yes, I'm online" and are Available; 172.20.10.4 does not answer and is marked Offline; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Address Check

An address check uses Internet Control Message Protocol (ICMP): the BIG-IP pings the node address (ping 172.20.10.1, ping 172.20.10.3) and marks the node Available when an ICMP reply arrives (ICMP reply from 172.20.10.1).

Address checks do not verify how a service is performing.

[Figure (legend: Unknown, Available, Offline): nodes 172.20.10.1 through 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Service Check

A service check verifies only that the server is listening on the IP address and port: an HTTP service check requires a TCP connection to port 80 ("TCP connection available?", "TCP connection established").

Service checks do not provide insight into the quality of the returned content: a server whose application is broken but whose port still accepts connections passes.

[Figure (legend: Unknown, Available, Offline): nodes 172.20.10.1 through 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Content Check

Content checks verify that the pool member is providing valid content.

Content checks can verify specific text on the returned web page.

[Figure (legend: Unknown, Available, Offline): BIG-IP LTM sends HTTP GET /monitor.html to each member and evaluates the HTTP response; nodes 172.20.10.1 through 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Content Check Response

Send String = HTTP GET /welcome.php
Receive String = "Welcome to F5 Networks!"

A web page containing this text will be considered a successful content check.

Ensure you use an appropriate receive string: text that also appears on the server's error page makes the check pass when the application is broken, and text that is absent from a healthy page marks working members offline.
Use System-Supplied Monitors

Most system-supplied monitors are not designed to be used as is. Use the system-supplied monitors as templates for custom monitors. The system-supplied HTTP monitor fails to detect many web server issues.
Create a Custom Monitor
Configure a Custom Monitor

Some settings are available for most monitors.
Interval and Timeout Values

Default settings: Interval: 5 seconds, Timeout: 16 seconds.

Interval: number of seconds between checks.

Timeout: number of seconds without a successful response before the pool member or node is considered offline.

Recommended Timeout = (Interval * 3) + 1, for example (7 * 3) + 1 = 22. This tolerates three consecutive missed checks before the member is marked offline, so one lost probe does not take a member out of rotation.
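An added Python example (not F5 code) that ties the two monitor topics above together: a content check with send and receive strings run against constructed healthy and broken HTTP responses, and the interval/timeout bookkeeping that turns a sequence of check results into the Unknown, Available and Offline states. The two HTTP responses are constructed for the example, and the receive-string matching is modelled as a regular expression search, which is how an LTM HTTP monitor treats its receive string.

```python
"""Health monitor semantics: content checks and interval/timeout state.
Added example, not F5 code; the HTTP responses below are constructed."""
import re

DEFAULT_INTERVAL = 5
DEFAULT_TIMEOUT = 16


def recommended_timeout(interval):
    """The course rule of thumb: three missed checks plus one second."""
    return interval * 3 + 1


def content_check(raw_response: bytes, receive_string: str) -> bool:
    """Pass when the receive string (a regular expression) is found in the
    response. With an empty receive string any response at all passes, which
    is why a bare HTTP monitor cannot tell a 500 page from a healthy one."""
    if not receive_string:
        return len(raw_response) > 0
    return re.search(receive_string.encode(), raw_response) is not None


SEND_STRING = "GET /welcome.php HTTP/1.1\r\nHost: www.f5.com\r\nConnection: close\r\n\r\n"
RECEIVE_STRING = "Welcome to F5 Networks!"

# Constructed responses for the example, not captured from a real server.
HEALTHY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<h1>Welcome to F5 Networks!</h1>")
BROKEN = (b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
          b"<h1>Database unavailable</h1>")


def compare_monitors():
    """(healthy passes, broken passes) for three receive-string choices."""
    checks = {
        "no receive string": "",
        "course content check": RECEIVE_STRING,
        "too loose (status line only)": r"HTTP/1\.",
    }
    return {name: (content_check(HEALTHY, rs), content_check(BROKEN, rs))
            for name, rs in checks.items()}


class MonitoredMember:
    """One pool member's state as the monitor timers see it: Unknown until the
    first successful check, Available while the last success is newer than
    `timeout` seconds, Offline once that window has passed."""

    def __init__(self, interval=DEFAULT_INTERVAL, timeout=DEFAULT_TIMEOUT, start=0):
        self.interval = interval
        self.timeout = timeout
        self.reference = start      # start of monitoring, later the last success
        self.state = "Unknown"

    def probe(self, now, passed):
        if passed:
            self.reference = now
            self.state = "Available"   # a single good check restores the member
        elif now - self.reference >= self.timeout:
            self.state = "Offline"     # no success within the timeout window
        return self.state


def run_timeline(results, interval=DEFAULT_INTERVAL, timeout=DEFAULT_TIMEOUT):
    """Feed one check result per interval; return the (time, state) history."""
    member = MonitoredMember(interval, timeout)
    return [(i * interval, member.probe(i * interval, ok)) for i, ok in enumerate(results)]


if __name__ == "__main__":
    for name, result in compare_monitors().items():
        print("%-30s healthy=%s broken=%s" % (name, *result))
    print(run_timeline([True, False, False, False, False]))
    print("timeout for a 7 s interval:", recommended_timeout(7))
```

In the timeline a member that answered at t=0 and then misses the checks at 5, 10 and 15 seconds is still Available at t=15 and becomes Offline at t=20, the first check after the 16-second window closes.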


Options for Assigning Monitors

There are four options for assigning monitors: a default node monitor, a monitor on a specific node, a monitor on a pool, and a monitor on a specific pool member.

[Figure: nodes 172.20.10.1 through 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]

Assign a Default Node Monitor

If a node monitor fails, any pool members using the node will be identified as offline.

Assign a Pool Monitor

The most common method of monitoring is assigning a monitor to a pool. All members of this pool will use this monitor.

Monitor Status Example

[Figure (legend: Unknown, Available, Offline): virtual server 104.219.2.100:80, its pool, pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80, and nodes 172.20.10.1 through 172.20.10.4; a pool member marked Offline by the pool monitor does not change the status of its node]

If this node is used for any other pool members, its status does not change.
Administrative States

A BIG-IP system administrator can manually change an object's state:

Enabled objects accept all connection types.

Disabled objects accept existing connections and new connections from persistent clients.

Objects forced offline accept existing connections only; offline objects do not accept any new client traffic.

Virtual servers cannot be forced offline.
Status from Network Map
LTM Exercise 5 – Use Monitors

• In this exercise:
• Assign node monitors
• Create and test a custom HTTP monitor
• Estimated completion time: 40 minutes
• Lesson 6: Profiles
Profiles Overview

Profiles change how BIG-IP LTM processes traffic.

[Figure: SSL profiles and persistence profiles attached to virtual servers 104.219.2.100:80 and 104.219.2.100:443; nodes 172.20.10.1 through 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]

Using a Shopping Cart with Load Balancing

Load balancing can break a shopping cart application: if the cart state is held on the server that handled the first request, the following requests from the same client are sent to other members that know nothing about it.

[Figure: requests 1, 2, 3 and 4 from one client arrive at virtual server 104.219.2.100:80 and are distributed to the four different pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Profile Dependencies

Higher layer profiles are dependent on lower layer profiles. Some profiles are dependent on others, and some profiles cannot be combined in the same virtual server.

[Figure: OSI layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical]
Profile Dependencies in the Configuration Utility
Create a Profile
Basic Profile Configuration

All custom profiles take three steps.

Profile settings inherit values from the parent profile.
Add Profiles to a Virtual Server

Profiles are added to one or more virtual servers.

HTTP compression, web acceleration, and HTTP/2 require an HTTP profile.
LTM Exercise 6 – Use a Stream Profile

• In this exercise:
• Create a custom HTTP monitor
• Create a stream profile
• Examine the changes to the web page after
applying the custom profiles
• Estimated completion time: 30 minutes
• Lesson 7: Persistence
Persistence Overview

A persistence profile can change the BIG-IP LTM load balancing behavior.

Web applications using shopping carts must maintain client state.

[Figure: two clients each send requests 1, 2, 3 and 4 to virtual server 104.219.2.100:80; all of one client's requests go to member 172.20.10.4:80 and all of the other's to member 172.20.10.3:80; nodes 172.20.10.1 through 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Source Address Affinity Persistence

Supports TCP and UDP traffic. Based on the client's IP address.

The default Netmask of /32 (255.255.255.255) creates a persistence record for every incoming client.

[Figure: clients 18.220.93.5 and 122.12.202.93 connect to virtual servers 104.219.2.100:80 and 104.219.2.100:443. Persistence records: Client 18.220.93.5, Member 172.20.10.1:80; Client 122.12.202.93, Member 172.20.10.4:80. Each client's requests 1, 2 and 3 all go to its recorded member; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Potential Issue with Source Address Persistence

Clients behind a NAT device all present the same source address (188.15.20.90), so a single persistence record (Client 188.15.20.90, Member 172.20.10.1:80) sends every one of them to the same pool member and load balancing across the rest of the pool is lost.

[Figure: requests 1 through 12 from several clients behind the NAT device 188.15.20.90 arrive at virtual servers 104.219.2.100:80 / 104.219.2.100:443 and are all sent to 172.20.10.1:80; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Create a Persistence Profile
Configure Source Address Persistence

The default timeout value is 180 seconds, or 3 minutes.

The default prefix length is 32 (255.255.255.255), which causes BIG-IP LTM to create a persistence record for every incoming client.
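The behaviour of the two settings above, and the NAT problem from the previous slide, as an added Python example (not F5 code). The client addresses are the ones in the course diagrams; the request timestamps and the round-robin fallback are assumptions made for the example.

```python
"""Source address affinity persistence: prefix length, timeout, and the
NAT failure mode. Added example, not F5 code."""
import ipaddress
from itertools import cycle

POOL = ["172.20.10.1:80", "172.20.10.2:80", "172.20.10.3:80", "172.20.10.4:80"]


class SourceAddressPersistence:
    def __init__(self, members, prefix_len=32, timeout=180):
        self.prefix_len = prefix_len
        self.timeout = timeout
        self.records = {}             # masked client network -> [member, expiry]
        self._rr = cycle(members)     # round robin stands in for the LB method

    def _key(self, client_ip):
        # Mask the client address; /32 gives one record per client address.
        return ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)

    def select(self, client_ip, now):
        """Return the pool member for a new connection from client_ip at time now."""
        key = self._key(client_ip)
        record = self.records.get(key)
        if record is not None and now < record[1]:
            member = record[0]        # live record: persist to the same member
        else:
            member = next(self._rr)   # no record or expired: load balance
        self.records[key] = [member, now + self.timeout]  # every hit refreshes the timer
        return member

    def record_count(self):
        return len(self.records)


def stickiness_demo():
    """Two clients stick to their members; an idle client is rebalanced after 180 s."""
    p = SourceAddressPersistence(POOL)
    a = [p.select("18.220.93.5", t) for t in (0, 1, 2)]
    b = [p.select("122.12.202.93", t) for t in (3, 4, 5)]
    later = p.select("18.220.93.5", 2 + 181)   # record expired at t=182
    return a, b, later, p.record_count()


def nat_demo(clients_behind_nat=12):
    """Every client behind NAT device 188.15.20.90 lands on one member."""
    p = SourceAddressPersistence(POOL)
    return {p.select("188.15.20.90", t) for t in range(clients_behind_nat)}


def prefix_demo():
    """A /24 prefix length makes 18.220.93.5 and 18.220.93.200 share a record."""
    p = SourceAddressPersistence(POOL, prefix_len=24)
    m1 = p.select("18.220.93.5", 0)
    m2 = p.select("18.220.93.200", 1)
    return m1 == m2, p.record_count()


if __name__ == "__main__":
    print("stickiness:", stickiness_demo())
    print("members used by 12 clients behind NAT:", nat_demo())
    print("/24 prefix shares a record:", prefix_demo())
```

A shorter prefix length reduces the number of records the BIG-IP has to keep, at the price of treating whole networks as one client, which is the NAT effect deliberately; the default /32 is the safer starting point.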
Add a Persistence Profile to a New Virtual Server
Add a Persistence Profile to an Existing Virtual Server
Cookie Persistence

Uses an HTTP cookie stored on the client's computer.

An HTTP cookie can remain valid for several minutes, hours, or even days.

[Figure: client 18.220.93.5 sends requests 1, 2 and 3 to virtual servers 104.219.2.100:80 / 104.219.2.100:443; its cookie names Member 172.20.10.1, so all three go to 172.20.10.1:80. Persistence records: Client 18.220.93.5, Member 172.20.10.1:80; Client 122.12.202.93, Member 172.20.10.4:80. Nodes 172.20.10.1 through 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.4:80]
Configure a Cookie Persistence Profile
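An added Python example (not F5 code) of what an insert-mode persistence cookie carries and how a returning client is routed from it. The value format is the documented BIGipServer<pool> encoding (the member's IPv4 address as a little-endian 32-bit decimal, the port as a byte-swapped decimal, and a ".0000" suffix); the pool name http_pool, the round-robin fallback and the cookie attributes are assumptions. Because the unencrypted value discloses the pool member's internal address and port, the cookie persistence profile's cookie encryption setting is worth enabling on Internet-facing virtual servers.

```python
"""Cookie persistence (insert mode): encoding the pool member into the
BIGipServer<pool> cookie and routing a returning client from it.
Added example, not F5 code; pool name and fallback are assumptions."""
import ipaddress
import struct


def encode_cookie(member_ip: str, port: int) -> str:
    """172.20.10.1:80 -> '17437868.20480.0000' (documented LTM encoding)."""
    ip_le = struct.unpack("<I", ipaddress.IPv4Address(member_ip).packed)[0]
    port_le = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_le}.{port_le}.0000"


def decode_cookie(value: str):
    """Inverse of encode_cookie; raises ValueError/struct.error on garbage."""
    ip_le, port_le, _suffix = value.split(".")
    ip = str(ipaddress.IPv4Address(struct.pack("<I", int(ip_le))))
    port = struct.unpack(">H", struct.pack("<H", int(port_le)))[0]
    return ip, port


class CookiePersistence:
    """Insert-mode cookie persistence in front of a round-robin pool."""

    def __init__(self, pool_name, members):
        self.cookie_name = f"BIGipServer{pool_name}"
        self.members = list(members)        # (ip, port) tuples
        self.available = set(self.members)  # updated by health monitors
        self._next = 0

    def _load_balance(self):
        member = self.members[self._next % len(self.members)]
        self._next += 1
        return member

    def route(self, cookies: dict):
        """Return (member, Set-Cookie header or None) for one HTTP request."""
        value = cookies.get(self.cookie_name)
        if value:
            try:
                member = decode_cookie(value)
            except (ValueError, struct.error):
                member = None                # tampered or foreign cookie: ignore it
            if member in self.available:
                return member, None          # persist; nothing to set
        member = self._load_balance()        # new client, or recorded member is down
        return member, f"{self.cookie_name}={encode_cookie(*member)}; path=/"


if __name__ == "__main__":
    pool = CookiePersistence("http_pool", [("172.20.10.%d" % i, 80) for i in range(1, 5)])
    member, set_cookie = pool.route({})
    print("first request ->", member, "|", set_cookie)
    print("returning client ->", pool.route({"BIGipServerhttp_pool": "17437868.20480.0000"}))
    pool.available.discard(("172.20.10.1", 80))   # monitor marks the member offline
    print("after member down ->", pool.route({"BIGipServerhttp_pool": "17437868.20480.0000"}))
```

Decoding a captured cookie is also a quick check a pentester or an incident responder can run: a value such as 17437868.20480.0000 in a browser's cookie jar tells them that 172.20.10.1:80 sits behind the virtual server.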
LTM Exercise 7 – Use Persistence Profiles

• In this exercise:
• Use source address persistence
• Use cookie persistence
• Estimated completion time: 20 minutes
• Lesson 8: SSL Termination
Advantages of SSL Termination with BIG-IP LTM

• Cookie persistence and iRules can be applied to SSL traffic, because BIG-IP LTM sees the decrypted HTTP
• SSL key exchange and bulk encryption are performed in hardware on platforms with SSL acceleration, which improves SSL performance
• Centralized certificate management: certificates and keys live on the BIG-IP system instead of on every server

[Figure: nodes 172.20.10.1 through 172.20.10.4; pool members 172.20.10.1:443, 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443]

Enable SSL Termination on BIG-IP LTM

Four steps for configuring SSL termination:

1. Import an SSL certificate and key from a certificate authority (or create a self-signed certificate)

2. Create and configure a client-side SSL profile

3. Create and configure a server-side SSL profile (optional: needed only when traffic to the pool members is re-encrypted)

4. Add the SSL profiles to a virtual server
Create a Self-Signed Certificate
Configure a Self-Signed Certificate

Users may view the certificate details before acceptance. A self-signed certificate is fine for the lab, but browsers warn on it, so a production virtual server needs a certificate issued by a trusted certificate authority.
Import an SSL Certificate
Create an SSL Profile
Configure an SSL Profile
Add SSL Profiles to a Virtual Server
LTM Exercise 8 – Support SSL Termination

• In this exercise:
• Create an HTTPS pool and virtual server
• Create a self-signed certificate
• Create a client SSL profile
• Add the client SSL profile to the virtual server
• Estimated completion time: 30 minutes
