F5 BigIP LTM Configuration Guide

BIG IP Administration and LTM configuration

BigIP LTM

ENG : Mohamed Mansour


Whatsapp : +201149345848
Mail : [email protected]

Please do not share the videos – if someone needs them, kindly contact me directly.
Agenda

Introduction
F5 Networks

Device basic configuration
First administrative access
BigIP installation

Network configuration
L1/2/3 configuration

Load-Balancing & Reverse Proxy
Basic (L4) load-balancing
 Load-balancing concepts
 Load-balancing methods
 Monitors
Agenda

Load-Balancing & Reverse Proxy
Basic (L4) load-balancing
 Profiles
 SNAT
 Persistence

Load-Balancing & Reverse Proxy
 SSL reverse proxy
 LTM Policies
 iRules
Agenda

HA cluster
Network failover & configuration synchronization

BigIP administration
Upgrade
BigIP operations
 Manual configuration save/restore
 Logs overview
 TCPdump overview
 QKView overview
 GUI performance graphs
Introduction
F5 Networks

F5 Networks
Overview

Foundation : 1996
NASDAQ : 1999
Recommended Top Sourcing: since 2006 (in addition to Radware)
FY18 : $2,161 Billion (+3,4% vs FY17)
Headquarter : Seattle (Washington, US)
F5 offices in 32 countries
Worldwide employee : 4 400
ADC (Application Delivery Controller) market share leader

Figure: ADC market share pie chart (source: Gartner 2014) – F5 49%, the remainder shared between Citrix, Radware, AWS ELB, A10 and others
F5 Networks
ADC market from Gartner
Magic Quadrant for Application Delivery Controllers

“F5 has a solid and long-standing understanding of the ADC market, and has the capability to address complex and customized application environments better than other vendors in this research.”

“All enterprises globally should consider F5 for their Mode 1 initiatives, especially when support for complex or custom application environments is a requirement”
F5 networks
BigIP and Viprion platform line-up

Figure: production hardware line-up, each model annotated with its L4/L7 CPS and L7/L4 throughput – VIPRION 4800, VIPRION 4480 (8,8M L4 CPS, 1,5M L7 CPS, 320G/640G L7/L4 TPUT), VIPRION 2400 (4,4M L4 CPS, 1,2M L7 CPS, 160G/320G L7/L4 TPUT), BIG-IP i10600, BIG-IP i7600 (1M L4 CPS, 250K L7 CPS, 40G/80G L7/L4 TPUT), BIG-IP i5600 (750K L4 CPS, 170k L7 CPS, 40G/80G L7/L4 TPUT), BIG-IP i4600 (500k L4 CPS, 75k L7 CPS, 35G/60G L7/L4 TPUT), BIG-IP i2600. LAB (virtual) editions: 25M, 200M, 1G, 3G, 5G, 10G L4/L7 TPUT.
F5 networks
F5 Software lineup

Figure: software modules running on top of TMOS (with the iControl API) – BIG-IP Local Traffic Manager, BIG-IP DNS, BIG-IP Application Security Manager, BIG-IP Advanced FW Manager, BIG-IP Access Policy Manager, BIG-IP Secure Web Gateway, BIG-IP Policy Enforcement Manager, BIG-IP Link Controller – managed by BigIQ. Client sides shown: International, Data Center, Cell, PC - Home, Applications & Storage, Remote - WAN, PC - LAN, WLAN.
F5 networks
BigIP iSeries i4x00 hardware description example

1U chassis, 1x 500GB HDD, 32 GB RAM, 1x 250W Platinum PSU (2x optional), SSL ASIC

1  10/100/1000-BaseT management port - eth0 in BigIP config, default address is 192.168.1.245
2  USB port – used for clean installation
3  Console serial port
4  Hard failover port
5  1G SFP ports – supported SFPs: 1000BASE-T / SX / LX
6  10G SFP+ ports – supported SFPs+: 10GBASE-SR / LR
7  LCD touchscreen – 2.2’’ LCD used for basic direct configuration
F5 networks
TMOS (Traffic Manager Operating System)

Figure: TMOS features between Client and Server – SSL Dedicated Hardware, Bandwidth Management, Intelligent scripting engine (iRules), MultiProtocols Health Checks, Web Application Optimization, Reverse Web Caching, Web Compression, TCP optimization and Multiplexing, High Performance Hardware

 Each core is using its own CPU capacity and dedicated memory
 64-bit Linux (CentOS) based OS
 F5 proprietary OS
 Single OS for all software modules and all form factors
 REST API support
 Multiple TMM (F5 CPUs) load-balanced via Cluster Multi Processing (CMP) using DAG HW component
F5 networks
F5 in Recommended Group

Internal needs (OF and affiliates) and managed services (ABC) scope
~1500 F5 devices installed in Recommended group (~70% entry-level HW models)
Use-cases :
 Load-Balancing and HTTP reverse proxy on IAS (Recommended web portals, internal applications for sales force, VoD/TV platforms, Recommended customer web portals,…)
 Reverse proxy for Voice over IP (SIP)
 Mobile Traffic management (HTTP header insertion, TCP optimization, Radius/Diameter load-balancing, data charging, Mobile FW, DNS cache…)
 Messaging services (Outlook Web Access, collaboration tools, synchronization tools,…)
 …
LTM is the main F5 module used, but security modules are also used (ASM, AFM, APM) + BigIP DNS and PEM
Introduction
F5

F5
Software modules used

Supported modules
 LTM (Local Traffic Manager)
 BigIP DNS (ex-GTM), dedicated or mutualized
 ASM (Application Security Manager), dedicated or mutualized (WAGO)
 APM (Access Policy manager)

This training only concerns LTM module

F5
Standard designs

Two armed load-balancing (logical design)

 2 different IP subnets (1 on client side, external, and 1 on server side, internal)
 BigIP is presenting a VIP and does the address translation to the selected end-server
 On the end-servers, client IP addresses are conserved
 The end-servers are going through BigIP thanks to the routing path

Figure: INTERNET – external subnet 10.10.0.0/24 with VIP 10.10.0.12 – BigIP – internal subnet 192.168.0.0/24 with Server1 192.168.0.10, Server2 192.168.0.11, Server3 192.168.0.12

Pros & Cons
 + : the most simple design
 - : limited design on use-cases
F5
Standard designs

Two armed load-balancing (physical design)

 BigIP is a FW service companion
 Very standard implementation to load-balance Secure Gateway service companions (DMZ)
 VIP clients could come from Internet or Intranet

Figure: BigIP placed as a firewall companion between the INTERNET and INTRANET zones
F5 in ABC
Standard designs

One armed load-balancing (logical design)

 Flow forced to return to BigIP with source NAT
 BigIP is doing translation on source & destination IP (the client IP is not seen by the end-servers)
 Works as the BigIP is doing source-NATing to ensure that return packets are going through BigIP

Figure: INTERNET – single subnet 10.10.0.0/24 with BigIP VIP 10.10.0.5, Server1 10.10.0.10, Server2 10.10.0.11, Server3 10.10.0.12

Pros & Cons
 + : Allows multi-zone load-balancing, simple to insert a BigIP when not added on the initial design
 - : BigIP IP seen on end-servers instead of the real client IP, the flow passes twice across the FW
F5
Standard designs

One armed load-balancing (physical design)

 Mainly used for hosting purposes
 BigIP is on one DMZ and load-balancing on other DMZs
 This design generates twice the connections on the firewall

Figure: INTERNET – firewall – BigIP VIP 192.168.0.3 in its own DMZ – server DMZs 10.10.0.0/24 (Server1 10.10.0.10, Server2 10.10.0.11) and 20.20.0.0/24 (Server3 20.20.0.12, shown twice)
F5
Standard designs

Virtualized Big-IP (logical design)


 Multi-instances BigIP with own isolated
administrative, L2/L3 environment
 Used for mutualized platform

Pros & Cons


 + : Isolated customer environment
 - : Complex configurations

F5 in ABC
Standard designs

Virtualized BigIP (physical design)

 Works as two-armed design
 Virtualized firewall can also be added to have a customer specific environment

Figure: INTERNET – firewall – virtualized BigIP – subnets 10.10.0.0/24 (Server1 10.10.0.10, Server2 10.10.0.11) and 20.20.0.0/24 (Server3 20.20.0.12, Server4 20.20.0.12)
F5 in ABC
Standard designs

Web-cache redirection

 Used to load-balance transparent proxies
 HTTP flow interception as BigIP is in the path of the client Internet connection
 L2 load-balancing
 Traffic going twice through the BigIP

Figure: LAN Client – BigIP – Proxy 1 / Proxy 2 – Internet
Device basic configuration
First administrative access
First administrative access
Console access

 Serial connection to the console port from a workstation


 Use serial terminal client (HyperTerminal, Putty, CRT,…)
 Serial console default settings :
– Speed : 19 200 bps
– Data : 8 bits
– Parity : none
– Stop : 1 bit
– Flow control : none
 Default login/pwd : root/default

First administrative access
SSH access

 SSH access (TCP/22 by default) = secured CLI access
 Use SSH client (Putty, Secure CRT,…)
 Default login/pwd : root/default
First administrative access
Traffic Management Shell (TMSH)

 Type “tmsh” when connected with SSH or console port  (tmos)# prompt displayed
 Completion (type “?” or press TAB key for suggestions), history (“show /cli history”) and help available (type “help” + command)
 Hierarchical structure
First administrative access
TMSH examples

 Create, modify a pool

 List a pool

First administrative access
TMSH config save

 WARNING :
ALWAYS save your changes after configuration modification via CLI.

[root@timon:Active:In Sync] config # tmsh save /sys config

 Configuration changes are lost after reboot if not saved

First administrative access
TMSH quiz : Let’s play 

 Could you guess the purpose of the following TMSH commands?

1) [root@timon:Active:In Sync] config # tmsh modify ltm virtual vs-apache destination 192.168.10.50:443
Solution : modification of the Virtual Server address to 192.168.10.50:443

2) [root@timon:Active:In Sync] config # tmsh create net self self-train address 192.168.10.20/24 vlan VIPBIGIP
Solution : Self IP creation named « self-train » with address 192.168.10.20/24 on vlan « VIPBIGIP »
First administrative access
GUI

 HTTPS GUI, default login/pwd : admin/admin, SSA login.SEC/password

Figure: GUI menu areas – Statistics, dashboard views and tools; Load-balancing, reverse proxy configuration; HA cluster configuration; L3 configuration; Appliance configuration (SNMP monitoring, upgrades, Syslog,…)
Device basic configuration
BigIP installation
Device basic configuration
Management port configuration

 Connect to the BigIP using the console port and root account (see previous slides for access details)
 Type “config” once connected
 Provide the IP address/netmask + management route
Device basic configuration
License installation

 Licensing process implies 3 licence items :
– Base Registration Key: F5 device identifier for the F5 licensing server (pre-installed key). Necessary to generate the dossier.
– Dossier: encrypted list of identification keys of the platform. Necessary to generate the license.
– License : provided by the F5 licensing server, mandatory to enable the licensed modules

Recommended implementation : Always use manual license installation
Device basic configuration
License installation

 Copy the Dossier
 Go to the F5 licensing website (https://activate.f5.com/license/)
 Paste the Dossier in the corresponding field on the website
 Paste on the BigIP the licence provided by the F5 licencing website
Device basic configuration
Platform configuration

 Provide hostname.sec
 Set Timezone (always GMT)
 Set root (CLI) and admin (GUI)
passwords

Lab 1 – First installation

Network configuration
L1/2/3 configuration

Network configuration
Physical interface configuration

 Network > Interfaces > Interface List
Interface status
MAC address display
Interface speed configuration (fixed or negotiated)
Enable/disable an interface

Recommended implementation : Unused interfaces are disabled
Network configuration
L1 interfaces status quiz : Let’s play 

 Could you guess what these different interface statuses mean?

UP: interface is up and is ready to receive traffic
DOWN: interface is down and cannot receive any traffic
DISABLED: interface is administratively disabled and cannot receive any traffic
UNPOPULATED: no SFP plugged and cannot receive any traffic
Network configuration
Physical interface configuration – useful commands

 #tmsh show net interface
up/down : interface status
disabled : administratively disabled
miss : no SFP plugged
Watch for errors

 #tmsh reset-stats net interface x.y
Reset interface counters
Network configuration
Vlan configuration

 Network > VLANs > VLAN List
Assign a VLAN to an interface
Untagged or tagged VLAN (802.1q) support

Recommended implementation : BigIP administrative vlans and customer flow vlans on different Routing Domains
Network configuration
L2 – useful commands

 #tmsh show net fdb
View forwarding table (learned MAC address on which interface)

 #tmsh show net vlan
View assigned MAC address, MTU, tagged/untagged vlan…
Network configuration
Self IP configuration

 Network > Self IPs
Set IP address + netmask
Assign a VLAN to the interface
Set Port Lockdown option

Recommended implementation : Port Lockdown differs depending on whether the Self IP is in the Common partition or in a customer partition
Network configuration
Self IP configuration – additional information

 L3 network interfaces in F5 terminology = Self IP
 MAC addresses depend on VLAN assignment
 Main usages :
– Source LB NAT
– Source address used for health-checks
 Must be different from a VIP
Network configuration
Self IPs – useful commands

 #tmsh show net arp all
ARP (Address Resolution Protocol) table

 Ping, traceroute,…
Standard Linux L3 commands available
Network configuration
interface status quiz : Let’s play 

 What do you think the result of ifconfig includes?

Solution : Linux based output. mgmt L3 interface displayed + other interfaces used internally for TMOS + L3 interfaces in the Common partition
 Always use the tmsh list net self all command
Network configuration
Route Domain – concept

 Split the BigIP into separate L3 zones
 Used when mutualizing a BigIP for multiple customers
 Allows IP overlapping
Network configuration
Route Domain – additional information

Recommended implementation : 1 RD for administration flows (security updates, HA) and 1 RD for customer flows
Network configuration
Partition - concept

 Partitions are administrative views grouping objects which belong to the same logical environment
 Used for easier administration when the BigIP is mutualized between several customers or environments
 Facilitate administration of Route Domains
 Any object created into a Partition belongs to that Partition
 Default partition is the Common Partition
 Every object created in the Common partition is visible and usable in other partitions, but only the Common partition can edit this object

Recommended implementation : 1 customer partition created in addition to the Common partition (because of 2 RDs)
Network configuration
Route Domain and Partition Recommended implementation

 Starting 12.x Recommended implementations, 2 Route Domains with 2 Partitions are configured during installation

Figure: Mgmt | Partition Common, Route Domain 0 (sec updates, HA, sec logs flows) | Partition <cust_part>, Route Domain x (Customer VS)
Network configuration
Route Domain configuration

 Network > Route Domains
Name and Route Domain ID are mandatory
The Route Domain created will be the default Route Domain of the current Partition
Network configuration
Partition configuration

 Users > Partition List
Provide a name to the created partition
Link the Partition to a default Route Domain
Network configuration
Route domains and Partitions – useful commands (1)

 Change Partition
- Via GUI

- Via CLI

Network configuration
Route domains and Partitions – useful commands (2)

 #ping 192.16.20.11%1 (example)
Bash commands with RD ID

 #rdexec 1 ping 192.16.20.11 (example)
Execute a single bash command for the specified Route Domain

 #rdsh 1 (example)
Specify the RD shell for all following commands
Lab 2 – L1/2/3 configuration

Load-Balancing & Reverse Proxy
Basic (L4) load-balancing
Basic (L4) load-balancing
Load-Balancing concepts - Pools, members and nodes

Basic (L4) load-balancing
Load-Balancing concepts – Virtual Servers

 VS = IP address + service port combination
 Traffic distributed among the pool members
 BigIP = deny box, it only listens on the VS IP and the VS port
Basic (L4) load-balancing
Load-balancing flow – incoming packet

BigIP translates the packet destination address to the selected pool member
Basic (L4) load-balancing
Load-balancing flow – return packet

When the packet comes back, BigIP translates the source node address to the VS address
Basic (L4) load-balancing
Pools and pool members configuration

 Local Traffic > Pools
Pool members are created from the Pools menu
Basic (L4) load-balancing
Virtual servers configuration

 Local Traffic > Virtual Servers
Name, IP address + L4 port, default pool are mandatory
Multiple options available (main VS options used in Recommended will be described in later slides)

Recommended implementation : follow the LTM objects naming convention
Basic (L4) load-balancing
Basic VS quiz : Let’s play 

 Can you answer the customer request?

Mr customer : “I have one HTTP service and one HTTPS service running behind the same BigIP VS IP, will I be able to configure different pools for each of my services?”

Solution : Yes. As a VS is an IP+port, you will be able to configure 2 different VS (1 for HTTP, 1 for HTTPS) with the same IP address. Each VS will have its own individual configuration, so its own pool.
Basic (L4) load-balancing
Virtual Servers types – Standard

 TCP proxy
 1 TCP connection on client side, 1 other TCP connection on server side
 Application data sent after the 3-way handshake is successful on both sides

Recommended implementation : Only Standard VS type is allowed by default
Basic (L4) load-balancing
Virtual Servers types – Standard (L7)

 TCP behavior when an application profile is configured
 3-way handshake occurs on server side only when the application data is received from the client

Recommended implementation : Only Standard VS type is allowed by default
Basic (L4) load-balancing
Virtual Servers types – Performance L4

 No full TCP proxy (the node manages the TCP connection)
 Better performance (used with ASIC ePVA) but some limitations with application profiles

Recommended implementation : Only Standard VS type is allowed by default
Basic (L4) load-balancing
Virtual Servers types – Forwarding IP (routing)

 By default Big-IP doesn’t route packets (except if matching a VS)
 Routing is allowed through a Forwarding IP VS
 VS Forward similar to route  forward packet to the destination specified in the client request (no LB to pool, no address translation)

Recommended implementation : Only Standard VS type is allowed by default
Basic (L4) load-balancing
Virtual Servers matching rule

 The best-match rule applies  BigIP checks first the most specific VS

Best priority
10.10.200.3:80
10.10.200.0/24:80
10.10.200.3:*
10.10.200.0/24:*
*:80
*:*
Less priority
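The best-match order above, as an added worked example (not BigIP code): a small Python matcher that parses tmsh-style destinations, ranks them in the slide's precedence order and picks the VS for a given destination IP and port. The VS names in the usage block, and the longest-prefix tie-break inside the network class, are assumptions beyond the slide.

```python
"""Virtual Server best-match selection (added example, not BIG-IP code).

Destinations use the tmsh notation from the slide: 'address:port', where the
address is a host, a CIDR network or '*', and the port a number or '*'.
IPv4 only; route domain suffixes (%id) are deliberately not handled here.
"""
import ipaddress


def parse_destination(dest):
    """Split 'addr:port' into (network or None for '*', port or None for '*')."""
    addr, sep, port = dest.rpartition(":")
    if not sep:
        raise ValueError(f"destination {dest!r} has no port part")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    prt = None if port == "*" else int(port)
    if prt is not None and not 0 < prt < 65536:
        raise ValueError(f"invalid port in {dest!r}")
    return net, prt


def specificity(dest):
    """Sort key reproducing the slide's precedence (higher = checked first):
    host:port > network:port > host:* > network:* > *:port > *:*.
    Inside the network class a longer prefix wins (assumed LTM behaviour)."""
    net, port = parse_destination(dest)
    if net is None:
        addr_class, prefix = 0, 0                # wildcard address
    elif net.num_addresses == 1:
        addr_class, prefix = 2, net.prefixlen    # single host
    else:
        addr_class, prefix = 1, net.prefixlen    # network
    port_spec = 0 if port is None else 1
    # An explicit address AND port beats any entry with a wildcard in either
    return (int(addr_class > 0 and port_spec > 0), addr_class, prefix, port_spec)


def matches(dest, dst_ip, dst_port):
    """True when the packet's destination falls inside the VS destination."""
    net, port = parse_destination(dest)
    ip = ipaddress.ip_address(dst_ip)
    return (net is None or ip in net) and (port is None or port == dst_port)


def precedence(destinations):
    """Destinations ordered from most to least specific, as LTM evaluates them."""
    return sorted(destinations, key=specificity, reverse=True)


def select_virtual(virtuals, dst_ip, dst_port):
    """virtuals: {vs_name: destination}. Return the most specific matching VS,
    or None: BigIP is a deny box, so a packet matching no VS is not processed."""
    hits = [name for name, dest in virtuals.items() if matches(dest, dst_ip, dst_port)]
    if not hits:
        return None
    return max(hits, key=lambda name: specificity(virtuals[name]))


if __name__ == "__main__":
    # Constructed VS table using the slide's six destinations (names assumed)
    virtuals = {
        "vs_host_http": "10.10.200.3:80",
        "vs_net_http": "10.10.200.0/24:80",
        "vs_host_any": "10.10.200.3:*",
        "vs_net_any": "10.10.200.0/24:*",
        "vs_any_http": "*:80",
        "vs_forward_all": "*:*",
    }
    print(precedence(virtuals.values()))
    for ip, port in [("10.10.200.3", 80), ("10.10.200.7", 443), ("192.168.1.1", 80)]:
        print(ip, port, "->", select_virtual(virtuals, ip, port))
```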
Basic (L4) load-balancing
Useful commands – VS statistics GUI

 Local Traffic > Virtual Servers > Statistics > Virtual Server

Basic (L4) load-balancing
Useful commands – VS statistics CLI

 #tmsh show ltm virtual <virtual-server> all-properties

Basic (L4) load-balancing
Useful commands – on-going connections

 #tmsh show sys connection <filter>
Result : display on-going connections (ALWAYS use a filter!!!)

 #tmsh delete sys connection <filter>
Result : Kill the specified on-going connection(s)
Basic (L4) load-balancing
Load-Balancing methods – Round-Robin

 Circular distribution (figure: sessions 1, 3, 5 go to the first server and 2, 4, 6 to the second)
 Static method
 New session sent to the next available server in the list
 Recommended when servers have similar processing capacity
Basic (L4) load-balancing
Load-Balancing methods – Ratio

 Based on the Round-Robin method with a ratio applied (figure: sessions 1 to 7 distributed according to the ratio)
 Static method
 Connections sent according to an administrator defined ratio
 Recommended when servers have a measurable processing capacity difference
 Example ratio : 3:2:1:1
Basic (L4) load-balancing
LB methods – Least Connections

 New connection sent to the server with the fewest connections
 Dynamic method
 Good adaptation to server processing capacity and current server load (servers with higher capacity should close connections quicker, servers handling “heavy requests” end up with fewer connections)

Figure: sessions 1 to 6 sent to the servers with the fewest current connections (per-server current connection counters shown, e.g. 150, 151, 152, 153 and 300)
Basic (L4) load-balancing
Priority Group activation (servers HA)

 Servers with different priorities in the same pool
 Servers with highest priority used first
 If the number of available servers drops below the threshold (“Priority Group Activation” parameter), servers in the next priority group are used as well
 Allows multiple levels of backup servers

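The four selection rules from the slides above (Round-Robin, Ratio, Least Connections and Priority Group Activation) as one small Python simulation. This is an added example, not code from the course or from F5: the `Member` / `Pool` classes, the member names, ratios, priorities and connection counters are all constructed, and the code models the rules the slides describe rather than BIG-IP's own implementation.

```python
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    ratio: int = 1          # weight for the Ratio method
    priority: int = 0       # Priority Group: the higher value is used first
    connections: int = 0    # current connections, read by Least Connections
    available: bool = True  # monitor result: only UP members get traffic


class Pool:
    """One pool with a load-balancing method and an optional
    Priority Group Activation threshold (0 = feature off)."""

    def __init__(self, members, method="round-robin", min_active_members=0):
        self.members = members
        self.method = method
        self.min_active_members = min_active_members
        self._rr_index = 0   # next position for Round-Robin
        self._credit = {}    # turns left per member in the current Ratio cycle

    def eligible(self):
        """Priority Group Activation: serve the highest priority group and add
        the next group only while fewer members than the threshold are UP."""
        ups = [m for m in self.members if m.available]
        if not self.min_active_members:
            return ups
        chosen = []
        for prio in sorted({m.priority for m in ups}, reverse=True):
            if len(chosen) >= self.min_active_members:
                break
            chosen.extend(m for m in ups if m.priority == prio)
        return chosen

    def _round_robin(self, cands):
        # Static: walk the available list circularly.
        m = cands[self._rr_index % len(cands)]
        self._rr_index += 1
        return m

    def _ratio(self, cands):
        # Static: weighted Round-Robin. Every cycle gives each member `ratio`
        # turns, so 3:2:1:1 yields 3, 2, 1 and 1 connections per cycle.
        if not any(self._credit.get(m.name, 0) > 0 for m in cands):
            self._credit = {m.name: m.ratio for m in cands}
        for m in cands:
            if self._credit.get(m.name, 0) > 0:
                self._credit[m.name] -= 1
                return m

    def _least_connections(self, cands):
        # Dynamic: the member with the fewest current connections wins
        # (a tie goes to the first one listed).
        return min(cands, key=lambda m: m.connections)

    def select(self):
        """Pick the member for a new connection and account for it."""
        cands = self.eligible()
        if not cands:
            raise RuntimeError("no available member: the pool is DOWN")
        picker = {"round-robin": self._round_robin,
                  "ratio": self._ratio,
                  "least-connections": self._least_connections}[self.method]
        m = picker(cands)
        m.connections += 1
        return m.name


def demo_round_robin():
    pool = Pool([Member("A"), Member("B"), Member("C")])
    return [pool.select() for _ in range(6)]


def demo_ratio():
    pool = Pool([Member("A", ratio=3), Member("B", ratio=2),
                 Member("C"), Member("D")], method="ratio")
    picks = [pool.select() for _ in range(14)]   # two full 3:2:1:1 cycles
    return {name: picks.count(name) for name in "ABCD"}


def demo_least_connections():
    pool = Pool([Member("A", connections=150), Member("B", connections=151),
                 Member("C", connections=300)], method="least-connections")
    return [pool.select() for _ in range(5)]


def demo_priority_group():
    members = [Member("P1", priority=10), Member("P2", priority=10),
               Member("S1", priority=5), Member("S2", priority=5)]
    pool = Pool(members, min_active_members=2)
    only_primaries = sorted(m.name for m in pool.eligible())
    members[0].available = False   # one primary fails: group 10 drops below 2
    with_backups = sorted(m.name for m in pool.eligible())
    return only_primaries, with_backups


if __name__ == "__main__":
    print(demo_round_robin(), demo_ratio(), demo_least_connections(),
          demo_priority_group())
```

`demo_priority_group` is the case the quiz further down is about: with two primaries (priority 10) and a threshold of 2, the backups (priority 5) only become eligible once a primary fails.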
Basic (L4) load-balancing
Load-balancing method configuration

 Local Traffic > Pools > <pool_name> > Members
 LB method configured on the Pools menu
 Can also be set at the creation of the pool
 Most methods exist in a member-level and a node-level variant

Recommended implementation
Least connections and Round-Robin are the default Recommended LB methods

Basic (L4) load-balancing
Ratio and priority group activation

 Local Traffic > Pools > <pool_name> > Members
 LB method configured on the Pools menu
 Ratio (member level) and priority group configured in member settings

Recommended implementation
Priority group configuration used when customer wants primary and secondary servers

Basic (L4) load-balancing
Priority-group quiz : Let’s play 

 Can you guess the priority-group configuration based on this customer request?
Mr customer : “My application software doesn’t support redundancy and we want to configure an active/backup server using the BigIP. Only one server must be active at a time”

Solution :

Lab 3 – Virtual Servers basics

Basic (L4) load-balancing
Monitors concept

 Objective : detect server availability (UP or DOWN pool member status)
 Regular tests (interval time configurable) to each pool member in an active VS
 No client traffic sent to a server with failed monitoring. Comes back automatically when the monitor is OK
 A test is KO when a server does not provide a positive answer before the timeout period = 3 x interval + 1 (by default)
 Tests initiated from the server-side SelfIP
 Monitor settings modified from monitor templates

Basic (L4) load-balancing
Node (IP address level – L3) monitor

 Basic test (not Recommended)
 ICMP (echo request) test sent to the IP address of the node

Basic (L4) load-balancing
Pool member (TCP service – L4) monitor

 Higher level test
 Opens a TCP connection toward the pool member (IP address:port)
 3-way handshake opens the connection, then the connection is closed

Basic (L4) load-balancing
Application (content – L7) monitor

 Most accurate test but could be complex to maintain (application level)
 Scenario :
– TCP open connection (3-way handshake)
– Request sent to the server
– Response from the server is compared to the “Receive string” value in the BigIP monitor configuration
– TCP connection closed
 Content check monitors available : HTTP, HTTPS, LDAP, MySQL, Oracle, Radius, SMTP…

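The two probe types from the L4 and L7 monitor slides, written out as an added example (not course or F5 code): an L4 TCP check that only completes the 3-way handshake and closes, and an L7 HTTP check that sends a request and passes only if the configured receive string appears in the reply. It runs against a throw-away local HTTP server so it works offline; the `/health` path, the `STATUS=OK` receive string, the backend's behaviour and the function names are assumptions made for the example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def l4_tcp_check(host: str, port: int, timeout: float) -> bool:
    """TCP (L4) monitor: complete the 3-way handshake, then close.
    A refused or timed-out connect is a failed test (KO)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def l7_http_check(host: str, port: int, send_string: str,
                  receive_string: str, timeout: float) -> bool:
    """HTTP (L7) monitor: open TCP, send the configured request, read the
    whole reply, close, and pass only if the receive string is present."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(send_string.encode())
            chunks = []
            while True:                      # HTTP/1.0: server closes when done
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return False
    return receive_string.encode() in b"".join(chunks)


class _Backend(BaseHTTPRequestHandler):
    """Constructed stand-in for a real pool member: /health reports OK,
    every other path reports a degraded status with a 503."""

    def do_GET(self):
        if self.path == "/health":
            code, body = 200, b"<html><body>STATUS=OK</body></html>"
        else:
            code, body = 503, b"<html><body>STATUS=DEGRADED</body></html>"
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_backend() -> HTTPServer:
    """Start the constructed backend on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _Backend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_checks() -> dict:
    """Run both monitor types against the backend, then again after it stops."""
    server = start_backend()
    host, port = server.server_address
    health_req = "GET /health HTTP/1.0\r\nHost: pool-member\r\n\r\n"
    other_req = "GET /other HTTP/1.0\r\nHost: pool-member\r\n\r\n"
    results = {
        "tcp": l4_tcp_check(host, port, 2.0),
        "http_health": l7_http_check(host, port, health_req, "STATUS=OK", 2.0),
        "http_other_page": l7_http_check(host, port, other_req, "STATUS=OK", 2.0),
    }
    server.shutdown()
    server.server_close()
    # The member has gone away: both probes must now fail.
    results["tcp_after_stop"] = l4_tcp_check(host, port, 1.0)
    results["http_after_stop"] = l7_http_check(host, port, health_req, "STATUS=OK", 1.0)
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'UP' if ok else 'DOWN'}")
```

Note the difference the slides point at: the TCP check is happy as long as something listens on the port, while the HTTP check with a receive string also fails when the page content is wrong (`http_other_page`), which is what makes the L7 monitor the more accurate one.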
Basic (L4) load-balancing
Monitor configuration (creation)

 Local Traffic > Monitors
 Custom monitors based on monitor templates

Recommended implementation
L7 monitors can be allowed depending on complexity.

Basic (L4) load-balancing
Monitor configuration (Pool association)

 Local Traffic > Pools > <pool_name>
 Example of a monitor associated to a pool : all pool members in the pool receive the same monitor tests
 Monitors can also be associated at node or pool member level

Recommended implementation

Basic (L4) load-balancing
Monitor quiz : Let’s play 

 Can you answer the customer request?

Mr customer : “I have one HTTPS VS with HTTPS servers in my pool. This VS doesn’t decrypt any SSL traffic but I want to use an L7 HTTPS monitor that checks the HTML body of the monitored HTTPS page to test the availability of my server. Do you think this would be possible?”

Solution : Yes. In this case, the BigIP will act as an SSL client initiating the SSL connection and will be able to decrypt this HTTPS monitor traffic (contrary to the external client flow, which is initiated by the client: for client flows the BigIP will only see encrypted data).

Basic (L4) load-balancing
Monitor status

Up : expected answer received from the server within the timeout period
 New connections sent to member

Down : no answer, or an unexpected answer, received from the server within the timeout period
 New connections NOT sent to member

Unknown : no monitor associated to the pool member, or timeout period not yet reached
 New connections sent to member

Unavailable : server has reached the “Connection Limit” threshold parameter
 New connections NOT sent to member

Basic (L4) load-balancing
Monitor status relationship

 Pool status : depends on pool member status. Pool is UP if at least one pool member is UP
 Virtual Server status : depends on pool status
 Example (figure “Virtual Server status example”, on the right of the slide) : one pool member is available, so the pool status is UP and the VS is then UP too

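The rules from the “Monitors concept”, “Monitor status” and “Monitor status relationship” slides, as an added Python model (not course or F5 code): the default timeout of 3 x interval + 1, the four member statuses, which of them still receive new connections, and how member status rolls up into pool and virtual-server status. Member names, clock values and connection counters are constructed; the slides only state that a pool is UP when at least one member is UP, so the handling of the remaining pool cases is a modelling assumption and is marked as such in the code.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


def default_timeout(interval: int) -> int:
    """Default monitor timeout rule from the slides: 3 x interval + 1 seconds."""
    return 3 * interval + 1


@dataclass
class MemberHealth:
    name: str
    interval: int = 5                     # seconds between monitor probes
    timeout: Optional[int] = None         # None = use the default rule
    monitor_attached: bool = True         # False = no monitor on this member
    last_success: Optional[float] = None  # clock value of the last positive answer
    connection_limit: int = 0             # 0 = no limit configured
    current_connections: int = 0

    def status(self, now: float, monitor_started: float) -> str:
        """Return up / down / unknown / unavailable as the slides define them."""
        if not self.monitor_attached:
            return "unknown"
        timeout = self.timeout if self.timeout is not None else default_timeout(self.interval)
        if self.last_success is None:
            # No answer yet: unknown until the first timeout period has elapsed.
            return "unknown" if now - monitor_started < timeout else "down"
        if now - self.last_success >= timeout:
            return "down"
        if self.connection_limit and self.current_connections >= self.connection_limit:
            return "unavailable"
        return "up"


def accepts_new_connections(status: str) -> bool:
    """Only up and unknown members receive new connections."""
    return status in ("up", "unknown")


def pool_status(member_statuses: Iterable[str]) -> str:
    """Pool is UP if at least one member is UP (slides). Modelling assumption
    for the rest: UNKNOWN if some member is still unknown, otherwise DOWN."""
    statuses = list(member_statuses)
    if "up" in statuses:
        return "up"
    if "unknown" in statuses:
        return "unknown"
    return "down"


def virtual_server_status(pool: str) -> str:
    """The virtual server simply follows its pool."""
    return pool


def demo_mixed_pool() -> dict:
    started, now = 30.0, 40.0   # constructed clock values, in seconds
    members = [
        MemberHealth("web1", last_success=38.0),       # answered 2 s ago
        MemberHealth("web2", last_success=20.0),       # silent for 20 s (> 16 s)
        MemberHealth("web3", monitor_attached=False),  # never monitored
        MemberHealth("web4", last_success=39.0,        # healthy but at its limit
                     connection_limit=100, current_connections=100),
        MemberHealth("web5"),                          # added 10 s ago, no answer yet
    ]
    statuses = {m.name: m.status(now, started) for m in members}
    pool = pool_status(statuses.values())
    return {"members": statuses,
            "takes_new": {n: accepts_new_connections(s) for n, s in statuses.items()},
            "pool": pool,
            "virtual_server": virtual_server_status(pool)}


def demo_all_down() -> dict:
    now = 100.0
    members = [MemberHealth("web1", last_success=50.0),
               MemberHealth("web2", last_success=10.0)]
    pool = pool_status(m.status(now, 0.0) for m in members)
    return {"pool": pool, "virtual_server": virtual_server_status(pool)}


if __name__ == "__main__":
    print(demo_mixed_pool())
    print(demo_all_down())
```

The `web5` case is the one people trip over when they add a member and look at the GUI immediately: until the first timeout period has elapsed the status is unknown and traffic is already being sent to it, so a new member that is actually broken receives connections for up to 3 x interval + 1 seconds.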
Basic (L4) load-balancing
Monitor status relationship

 Local Traffic > Network Map
 Single quick view of all statuses (virtual servers + LTM object dependencies : associated pool and pool members)

Basic (L4) load-balancing
Monitor HTTP debug – useful commands

 #curl http://<URL> <options>

Result : cURL tool available on BigIP (https://curl.haxx.se/docs/manpage.html)

Basic (L4) load-balancing
Manual pool member disable options

 Two methods to put an end-server (pool member) into maintenance

 “Disabled” :
– Does not terminate active connections
– New connections accepted only if they match an existing persistence session
– Without a matching persistence record, no new connection is accepted
– Disabled pool member marked with a black circle on the GUI

 “Force Offline” :
– More aggressive method
– Only active connections allowed (no new connection, even if there is an existing persistence record)
– Forced-offline pool member marked with a black polygon on the GUI

Basic (L4) load-balancing
Manual pool member disable configuration – GUI

 Local Traffic > Pools > <pool> > Members
 Click on the “Disable” or “Force Offline” button
 Click on “Enable” to reactivate the pool member

Basic (L4) load-balancing
Manual pool member disable configuration – CLI

Disable
 #tmsh modify /ltm pool <pool> members modify { <pool_member:port> { session user-disabled } }
Result : Disable the specified pool member
 #tmsh modify /ltm pool <pool> members modify { <pool_member:port> { session user-enabled } }
Result : Re-enable the specified pool member from « Disable »

Force Offline
 #tmsh modify /ltm pool <pool> members modify { <pool_member:port> { session user-disabled state user-down } }
Result : Force Offline the specified pool member
 #tmsh modify /ltm pool <pool> members modify { <pool_member:port> { session user-enabled state user-up } }
Result : Re-enable the specified pool member from « Force Offline »

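The admission rules from the “Manual pool member disable options” slide, together with the mapping from the `session` / `state` attributes used on the CLI slide, as an added Python model (not course or F5 code). It shows what a packet on an existing flow, a new connection from a persisted client, and a new connection from an unknown client get in each of the three administrative states. The client addresses, the persistence table and the `PoolMember` class are constructed for the example.

```python
from dataclasses import dataclass, field

ENABLED, DISABLED, FORCED_OFFLINE = "enabled", "disabled", "forced-offline"


@dataclass
class PoolMember:
    name: str
    admin_state: str = ENABLED
    active_connections: set = field(default_factory=set)  # clients with open flows
    persistence: set = field(default_factory=set)         # clients persisted here


def admit(member: PoolMember, client: str, is_new_connection: bool) -> bool:
    """Decide whether traffic from `client` may reach `member`."""
    if not is_new_connection:
        # Neither Disabled nor Force Offline terminates active connections.
        return client in member.active_connections
    if member.admin_state == ENABLED:
        return True
    if member.admin_state == DISABLED:
        # New connections only when they match an existing persistence record.
        return client in member.persistence
    # Force Offline: no new connection, persistence record or not.
    return False


def admin_state_from_tmsh(session: str, state: str) -> str:
    """Map the attribute pairs from the CLI slide to the three states:
    'state user-down' means Force Offline, 'session user-disabled' on its
    own means Disabled, 'session user-enabled state user-up' means Enabled."""
    if state == "user-down":
        return FORCED_OFFLINE
    if session == "user-disabled":
        return DISABLED
    return ENABLED


def demo_admission() -> dict:
    member = PoolMember("web1",
                        active_connections={"10.0.0.5"},
                        persistence={"10.0.0.5", "10.0.0.9"})
    out = {}
    for state in (ENABLED, DISABLED, FORCED_OFFLINE):
        member.admin_state = state
        out[state] = {
            "existing_flow": admit(member, "10.0.0.5", False),
            "new_persisted": admit(member, "10.0.0.9", True),
            "new_unknown": admit(member, "10.0.0.77", True),
        }
    return out


def demo_tmsh_mapping() -> dict:
    # The four attribute combinations that appear on the CLI slide.
    return {
        "disable": admin_state_from_tmsh("user-disabled", "user-up"),
        "re-enable from disable": admin_state_from_tmsh("user-enabled", "user-up"),
        "force offline": admin_state_from_tmsh("user-disabled", "user-down"),
        "re-enable from force offline": admin_state_from_tmsh("user-enabled", "user-up"),
    }


if __name__ == "__main__":
    print(demo_admission())
    print(demo_tmsh_mapping())
```

The practical consequence is the one the slide calls “more aggressive”: Disabled lets a member drain gracefully while persisted users keep landing on it, whereas Force Offline stops every new connection and should be paired with the `tmsh delete /sys connection` command from the next slide if the remaining active flows also have to go.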
Basic (L4) load-balancing
Pool member – useful commands

 #tmsh delete /sys connection ss-server-addr <member_IP_address> ss-server-port <member_server_port>
Result : Delete existing connections to the specified pool member

 #tmsh show ltm pool <pool_name> members { <member_name>:<member_port> }
Result : Display pool-member status

Lab 4 – Work with monitors
