BIG IP Administration and LTM configuration

BigIP LTM
Agenda

Introduction
 F5 Networks

Device basic configuration
 First administrative access
 BigIP installation

Network configuration
 L1/2/3 configuration

Load-Balancing & Reverse Proxy
 Basic (L4) load-balancing
 – Load-balancing concepts
 – Load-balancing methods
 – Monitors
 – Profiles
 – SNAT
 – Persistence
 SSL reverse proxy
 LTM Policies
 iRules

HA cluster
 Network failover & configuration synchronization

BigIP administration
 Upgrade
 BigIP operations
 – Manual configuration save/restore
 – Logs overview
 – TCPdump overview
 – QKView overview
 – GUI performance graphs
Introduction
F5 Networks

F5 Networks
Overview

 Foundation: 1996
 NASDAQ: 1999
 Recommended Top Sourcing: since 2006 (in addition to Radware)
 FY18 revenue: $2.161 billion (+3.4% vs FY17)
 Headquarters: Seattle (Washington, US)
 F5 offices in 32 countries
 Worldwide employees: 4,400
 ADC (Application Delivery Controller) market share leader

ADC market share (pie chart, source: Gartner 2014): F5 49%, Citrix 19%, Radware 8%, AWS ELB 8%, A10 7%, Other 9%


F5 Networks
ADC market from Gartner – Magic Quadrant for Application Delivery Controllers

“F5 has a solid and long-standing understanding of the ADC market, and has the capability to address complex and customized application environments better than other vendors in this research.”

“All enterprises globally should consider F5 for their Mode 1 initiatives, especially when support for complex or custom application environments is a requirement.”
F5 networks
BigIP and Viprion platform line-up

(Hardware ladder figure; the per-platform figures did not survive extraction in order.) Platforms shown, top to bottom: VIPRION 4800, VIPRION 4480, VIPRION 2400 chassis; BIG-IP i10600, i7600, i5600, i4600, i2600 appliances. Each is rated in L4 and L7 connections per second (CPS) and L7/L4 throughput (TPUT); the figures on the chart range from 125K L4 CPS / 40k L7 CPS / 10G TPUT at the low end to 8.8M L4 CPS / 3M L7 CPS / 320G/640G L7/L4 TPUT at the high end.
PRODUCTION and LAB software editions: 25M, 200M, 1G, 3G, 5G, 10G L4/L7 TPUT.
F5 networks
F5 Software lineup

(Diagram: TMOS at the base, the software modules on top of it, BigIQ for central management and iControl as the API, placed between network edges such as International, Data Center, Cell, Applications & Storage, PC - Home, Remote - WAN, PC - LAN and WLAN.)
 BIG-IP Local Traffic Manager (LTM)
 BIG-IP DNS
 BIG-IP Application Security Manager (ASM)
 BIG-IP Advanced Firewall Manager (AFM)
 BIG-IP Access Policy Manager (APM)
 BIG-IP Link Controller
 BIG-IP Secure Web Gateway
 BIG-IP Policy Enforcement Manager (PEM)
F5 networks
BigIP iSeries i4x00 hardware description example

1U appliance: 32 GB RAM, 1x 500 GB HDD, 1x 250 W Platinum PSU (2x optional), SSL ASIC

1  10/100/1000-BaseT management port – eth0 in the BigIP config, default address is 192.168.1.245
2  USB port – used for clean installation
3  Console serial port
4  Hard failover port
5  1G SFP ports – supported SFPs: 1000BASE-T / SX / LX
6  10G SFP+ ports – supported SFP+: 10GBASE-SR / LR
7  LCD touchscreen – 2.2'' LCD used for basic direct configuration
F5 networks
TMOS (Traffic Manager Operating System)

(Diagram: Client – TMOS – Server.) TMOS functions shown:
 SSL dedicated hardware
 Bandwidth management
 Intelligent scripting engine (iRules)
 Multi-protocol health checks
 Web application optimization
 Reverse web caching
 Web compression
 TCP optimization and multiplexing
 High-performance hardware

 Each core uses its own CPU capacity and dedicated memory
 64-bit Linux (CentOS) based host OS
 F5 proprietary OS: a single OS for all software modules and all form factors
 REST API support
 Multiple TMMs (Traffic Management Microkernels, one per CPU core) load-balanced via Cluster Multi-Processing (CMP) using the DAG (disaggregator) hardware component
F5 networks
F5 in Recommended Group

 Internal needs (OF and affiliates) and managed services (ABC) scope
 ~1500 F5 devices installed in Recommended group (~70% entry-level HW models)
 Use-cases:
 – Load-balancing and HTTP reverse proxy on IAS (Recommended web portals, internal applications for the sales force, VoD/TV platforms, Recommended customer web portals, …)
 – Reverse proxy for Voice over IP (SIP)
 – Mobile traffic management (HTTP header insertion, TCP optimization, Radius/Diameter load-balancing, data charging, mobile FW, DNS cache, …)
 – Messaging services (Outlook Web Access, collaboration tools, synchronization tools, …)
 – …
 LTM is the main F5 module used, but the security modules are also used (ASM, AFM, APM), plus BigIP DNS and PEM
Introduction
F5

F5
Software modules used

 Supported modules:
 – LTM (Local Traffic Manager)
 – BigIP DNS (formerly GTM), dedicated or shared (mutualized)
 – ASM (Application Security Manager), dedicated or shared (WAGO)
 – APM (Access Policy Manager)

 This training only covers the LTM module

F5
Standard designs

Two-armed load-balancing (logical design)

(Diagram: INTERNET – external subnet 10.10.0.0/24 carrying the VIP 10.10.0.12 – BigIP – internal subnet 192.168.0.0/24 – Server1 192.168.0.10, Server2 192.168.0.11, Server3 192.168.0.12.)

 2 different IP subnets (1 on the client side – external – and 1 on the server side – internal)
 BigIP presents a VIP and translates the destination address to the selected end-server
 On the end-servers, the client IP address is preserved (no source NAT)
 The end-servers' return traffic goes back through BigIP because their routing path (default route) points to it

Pros & Cons
 +: the simplest design
 –: limited in the use-cases it fits (BigIP must be in the servers' return path)
F5
Standard designs

Two-armed load-balancing (physical design)

(Diagram: INTERNET – firewall – BigIP – INTRANET.)

 BigIP is a firewall service companion
 Very standard implementation to load-balance Secure Gateway service companions (DMZ)
 VIP clients can come from the Internet or from the Intranet

F5 in ABC
Standard designs

One-armed load-balancing (logical design)

(Diagram: INTERNET – single subnet 10.10.0.0/24 carrying the VIP 10.10.0.5 – Server1 10.10.0.10, Server2 10.10.0.11, Server3 10.10.0.12.)

 The return flow is forced back to BigIP with source NAT (SNAT)
 BigIP translates both the source and the destination IP (the end-servers do not see the client IP)
 It works because BigIP source-NATs the traffic, which ensures the return packets go back through the BigIP

Pros & Cons
 +: allows multi-zone load-balancing; simple to insert a BigIP when it was not part of the initial design
 –: the BigIP IP is seen on the end-servers instead of the real client IP; the flow passes twice across the FW

F5
Standard designs

One-armed load-balancing (physical design)

(Diagram: INTERNET – firewall – BigIP in its own DMZ with VIP 192.168.0.3 – DMZ subnets 10.10.0.0/24 (Server1 10.10.0.10, Server2 10.10.0.11) and 20.20.0.0/24 (Server3 20.20.0.12, Server3 20.20.0.12).)

 Mainly used for hosting purposes
 BigIP is in one DMZ and load-balances servers located in other DMZs
 This design generates twice the connections on the firewall
F5
Standard designs

Virtualized BigIP (logical design)

 Multi-instance BigIP, each instance with its own isolated administrative and L2/L3 environment
 Used for shared (mutualized) platforms

Pros & Cons
 +: isolated customer environment
 –: complex configurations
F5 in ABC
Standard designs

Virtualized BigIP (physical design)

(Diagram: INTERNET – firewall – virtualized BigIP – subnets 10.10.0.0/24 (Server1 10.10.0.10, Server2 10.10.0.11) and 20.20.0.0/24 (Server3 20.20.0.12, Server4 20.20.0.12).)

 Works as a two-armed design
 A virtualized firewall can also be added to give each customer a specific environment
F5 in ABC
Standard designs

Web-cache redirection

(Diagram: LAN client – BigIP – Proxy 1 / Proxy 2 – Internet.)

 Used to load-balance transparent proxies
 HTTP flow interception, as BigIP is in the path of the client's Internet connection
 L2 load-balancing
 Traffic goes twice through the BigIP
Device basic
configuration
First administrative
access
First administrative access
Console access

 Serial connection to the console port from a workstation
 Use a serial terminal client (HyperTerminal, PuTTY, CRT, …)
 Serial console default settings:
 – Speed: 19 200 bps
 – Data: 8 bits
 – Parity: none
 – Stop: 1 bit
 – Flow control: none
 Default login/pwd: root/default (a factory default; change it during platform configuration)

Recommended implementation
First administrative access
SSH access

 SSH access (TCP/22 by default) = secured CLI access
 Use an SSH client (PuTTY, SecureCRT, …)
 Default login/pwd: root/default

Recommended implementation
First administrative access
Traffic Management Shell (TMSH)

 Type “tmsh” once connected through SSH or the console port; the (tmos)# prompt is displayed
 Completion (type “?” or press the TAB key for suggestions), history (“show /cli history”) and help (type “help” + command) are available
 Hierarchical structure: modules (ltm, net, sys, …) containing components (pool, virtual, self, …) (screenshot not reproduced)
First administrative access
TMSH examples

 Create, modify a pool (screenshot not reproduced)
 List a pool (screenshot not reproduced)
First administrative access
TMSH config save

 WARNING: ALWAYS save your changes after a configuration modification via CLI.

[root@timon:Active:In Sync] config # tmsh save /sys config

 Configuration changes are lost after a reboot if they are not saved

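Worked example added by the editor (it is not part of the training deck): the CLI procedure of the slides above as one POSIX shell script, i.e. create a pool, create the virtual server in front of it, list the result and save the configuration so it survives a reboot. The virtual server carries source-address-translation automap, which is the SNAT setting the one-armed design described earlier relies on; the addresses are taken from that diagram (VIP 10.10.0.5, servers 10.10.0.10-12). Object names (web_pool, vs_web), the http monitor and the least-connections method are assumptions. On a BIG-IP the commands are applied through tmsh; elsewhere tmsh is absent and they are only printed (dry run).

```shell
#!/bin/sh
# Editor's example, not the deck's own code. Names, addresses, monitor and
# load-balancing method are assumptions for illustration.
# On a BIG-IP (tmsh on PATH) the commands are applied; elsewhere they are printed.

TMSH_BIN=$(command -v tmsh 2>/dev/null)

run_tmsh() {
    # Apply one tmsh command, or print it when tmsh is not available (dry run).
    if [ -n "$TMSH_BIN" ]; then
        "$TMSH_BIN" -c "$1"
    else
        printf 'DRY-RUN tmsh %s\n' "$1"
    fi
}

valid_member() {
    # Accept only dotted-quad:port, optionally with a %rd route-domain suffix
    # (10.10.0.10:80 or 10.10.0.10%1:80); anything else is rejected before tmsh sees it.
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(%[0-9]+)?:[0-9]{1,5}$'
}

pool_cmd() {
    # pool_cmd NAME MONITOR MEMBER...  ->  tmsh command creating the pool
    name=$1; monitor=$2; shift 2
    members=""
    for m in "$@"; do
        valid_member "$m" || { echo "bad pool member: $m" >&2; return 1; }
        members="$members $m"
    done
    printf 'create ltm pool %s monitor %s load-balancing-mode least-connections-member members add {%s }' \
        "$name" "$monitor" "$members"
}

virtual_cmd() {
    # virtual_cmd NAME DEST POOL  ->  HTTP virtual server with SNAT automap, so
    # server replies come back through the BIG-IP even in a one-armed design.
    printf 'create ltm virtual %s destination %s ip-protocol tcp pool %s profiles add { tcp http } source-address-translation { type automap }' \
        "$1" "$2" "$3"
}

deploy_web() {
    # The whole procedure: pool -> virtual -> verify -> save (unsaved changes are lost at reboot).
    cmd=$(pool_cmd web_pool http 10.10.0.10:80 10.10.0.11:80 10.10.0.12:80) || return 1
    run_tmsh "$cmd"
    cmd=$(virtual_cmd vs_web 10.10.0.5:80 web_pool) || return 1
    run_tmsh "$cmd"
    run_tmsh "list ltm pool web_pool"
    run_tmsh "save /sys config"
}

# ./ltm_deploy.sh apply   (without "apply" the functions are only defined)
case "${1:-}" in apply) deploy_web ;; esac
```

Keeping the member validation in the script matters because tmsh accepts a pool member with a typo in its address silently; the pool is then created with a member that will simply never pass its monitor.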
First administrative access
TMSH quiz: Let’s play

 Could you guess the purpose of the following TMSH commands?

1) [root@timon:Active:In Sync] config # tmsh modify ltm virtual vs-apache destination 192.168.10.50:443
Solution: modification of the Virtual Server address to 192.168.10.50:443

2) [root@timon:Active:In Sync] config # tmsh create net self self-train address 192.168.10.20/24 vlan VIPBIGIP
Solution: Self IP creation named « self-train » with address 192.168.10.20/24 on VLAN « VIPBIGIP »
First administrative access
GUI

 HTTPS GUI, default login/pwd: admin/admin (SSA: login.SEC/password)
 Statistics, dashboard views and tools
 Load-balancing, reverse proxy configuration
 HA cluster configuration
 L3 configuration
 Appliance configuration (SNMP monitoring, upgrades, Syslog, …)
Device basic
configuration
BigIP installation
Device basic configuration
Management port configuration

 Connect to the BigIP using the console port and the root account (see the previous slides for access details)
 Type “config” once connected
 Provide the IP address/netmask + management route

Recommended implementation
Device basic configuration
License installation

 The licensing process involves 3 licence items:
 – Base Registration Key: F5 device identifier for the F5 licensing server (pre-installed key). Necessary to generate the dossier.
 – Dossier: encrypted list of identification keys of the platform. Necessary to generate the license.
 – License: provided by the F5 licensing server; mandatory to enable the licensed modules

Recommended implementation
Always use manual license installation
Device basic configuration
License installation

 Copy the Dossier
 Go to the F5 licensing website (https://activate.f5.com/license/)
 Paste the Dossier into the corresponding field on the website
 Paste the licence provided by the F5 licensing website onto the BigIP

Recommended implementation
Device basic configuration
Platform configuration

 Provide the hostname (hostname.sec)
 Set the Timezone (always GMT)
 Set the root (CLI) and admin (GUI) passwords; the factory defaults root/default and admin/admin must not stay in place

Recommended implementation
Lab 1 – First installation
Network configuration
L1/2/3 configuration
Network configuration
Physical interface configuration

 Network > Interfaces > Interface List
 – Interface status
 – MAC address display
 – Interface speed configuration (fixed or negotiated)
 – Enable/disable an interface

Recommended implementation
Unused interfaces are disabled
Network configuration
L1 interface status quiz: Let’s play

 Could you guess what these different interface statuses mean?
 – UP: the interface is up and ready to receive traffic
 – DOWN: the interface is down and cannot receive any traffic
 – DISABLED: the interface is administratively disabled and cannot receive any traffic
 – UNPOPULATED: no SFP is plugged in; the interface cannot receive any traffic
Network configuration
Physical interface configuration – useful commands

 # tmsh show net interface
 – up/down: interface status
 – disabled: administratively disabled
 – miss: no SFP plugged in
 – Watch for errors in the per-interface counters

 # tmsh reset-stats net interface x.y
 – Reset the interface counters
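Added example, not from the deck: the "watch for errors" step above turned into a check that reads the output of tmsh show net interface and reports every interface that is not up (down, disabled, miss) plus every up interface whose Errs or Drops counter is non-zero. The sample output is constructed for this example and its exact column layout is an assumption modelled on the command's Name/Status/Drops/Errs columns; on a BIG-IP pipe the live command into check_interfaces (tmsh show net interface | check_interfaces).

```shell
#!/bin/sh
# Editor's example, not the deck's own code. SAMPLE_OUTPUT is constructed; the
# column layout is an assumption based on the Name/Status/.../Drops/Errs/Media
# header of `tmsh show net interface`.

SAMPLE_OUTPUT='
-------------------------------------------------------------------------------
Net::Interface
Name  Status   Bits   Bits   Pkts   Pkts   Drops  Errs  Media
               In     Out    In     Out
-------------------------------------------------------------------------------
1.1   up       84.4G  1.5G   115.9M 5.3M   0      0     10000SR-FD
1.2   up       2.1G   3.4G   2.0M   2.2M   0      318   1000T-FD
1.3   down     0      0      0      0      0      0     none
1.4   disabled 0      0      0      0      0      0     none
2.1   miss     0      0      0      0      0      0     none
mgmt  up       1.2M   3.0M   2.1K   2.5K   0      0     1000T-FD
'

check_interfaces() {
    # Reads the tmsh output on stdin, prints one line per finding and exits 1
    # when anything was found, so it can drive a cron job or a monitoring probe.
    awk '
        # skip separators, the table title, both header lines and blank lines
        /^-+$/ || /^Net::/ || /^Name/ || /^ +In/ || NF < 9 { next }
        {
            name = $1; status = $2; drops = $7; errs = $8
            if (status != "up") {
                printf "%s: status %s\n", name, status; found = 1
            } else if (errs + 0 > 0 || drops + 0 > 0) {
                printf "%s: up but %s errs / %s drops\n", name, errs, drops; found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Offline demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_OUTPUT" | check_interfaces
```

A disabled or missing-SFP interface is only a finding when it is supposed to carry traffic; since the recommended implementation disables unused interfaces, compare the list against the interfaces assigned to VLANs before paging anyone.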
Network configuration
VLAN configuration

 Network > VLANs > VLAN List
 – Assign a VLAN to an interface
 – Untagged or tagged VLAN (802.1q) support

Recommended implementation
BigIP administrative VLANs and customer flow VLANs on different Route Domains
Network configuration
L2 – useful commands

 # tmsh show net fdb
 – View the forwarding table (learned MAC addresses and the interface each was learned on)

 # tmsh show net vlan
 – View the assigned MAC address, MTU, tagged/untagged VLAN interfaces, …
Network configuration
Self IP configuration

 Network > Self IPs
 – Set the IP address + netmask
 – Assign the Self IP to a VLAN
 – Set the Port Lockdown option (which services the BigIP answers on at that Self IP)

Recommended implementation
Port Lockdown differs depending on whether the Self IP is in the Common partition or in a customer partition

Network configuration
Self IP configuration – additional information

 L3 network interfaces in F5 terminology = Self IP
 MAC addresses depend on the VLAN assignment
 Main usages:
 – Source address for load-balancing SNAT
 – Source address used for health-checks
 Must be different from any VIP

Network configuration
Self IPs – useful commands

 # tmsh show net arp all
 – ARP (Address Resolution Protocol) table

 Ping, traceroute, …
 – Standard Linux L3 commands are available
Network configuration
Interface status quiz: Let’s play

 What do you think the output of ifconfig includes?
 – Linux-based output: the mgmt L3 interface + other interfaces used internally by TMOS + the L3 interfaces (Self IPs) of the Common partition
 Always use the tmsh list net self all command instead (screenshot not reproduced)

Network configuration
Route Domain – concept

 Splits the BigIP into separate L3 zones, each with its own routing table
 Used when sharing a BigIP between multiple customers
 Allows overlapping IP address spaces

Network configuration
Route Domain – additional information

Recommended implementation

1 RD for administration flows (security updates, HA) and 1 RD for customer flows
Network configuration
Partition – concept

 Partitions are administrative views grouping the objects which belong to the same logical environment
 Used for easier administration when the BigIP is shared between several customers or environments
 Facilitate the administration of Route Domains
 Any object created in a Partition belongs to that Partition
 The default partition is the Common partition
 Every object created in the Common partition is visible and usable from the other partitions, but only the Common partition can edit that object

Recommended implementation

1 customer partition created in addition to the Common partition (because of the 2 RDs)


Network configuration
Route Domain configuration

 Network > Route Domains
 – Name and Route Domain ID are mandatory
 – The Route Domain created becomes the default Route Domain of the current Partition

Recommended implementation
Network configuration
Partition configuration

 Users > Partition List
 – Provide a name for the created partition
 – Link the Partition to a default Route Domain

Recommended implementation
Network configuration
Route domains and Partitions – useful commands (1)

 Change Partition
 – Via GUI (screenshot not reproduced)
 – Via CLI (screenshot not reproduced)
Network configuration
Route domains and Partitions – useful commands (2)

 # ping 192.16.20.11%1 (example)
 – Bash commands accept the %RD-ID suffix on an address

 # rdexec 1 ping 192.16.20.11 (example)
 – Execute a single bash command in the specified Route Domain

 # rdsh 1 (example)
 – Open a shell in which all following commands run in the specified Route Domain
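Added example, not from the deck: the recommended L3 split of the preceding slides as a script. Administration stays in route domain 0 / Common, one customer route domain and partition carry the customer flows, and each Self IP gets the Port Lockdown that matches its role: an explicit allow-list on the administration Self IP, allow-service none on the customer Self IP, and allow-all is never generated. Route domain, partition, VLAN and Self IP names, the addresses (the 192.168.10.20/24 on VLAN VIPBIGIP from the quiz reused on the customer side) and the administration service list (SSH tcp:22, HTTPS GUI tcp:443, network failover udp:1026, ConfigSync/mirroring tcp:4353) are assumptions for illustration. Commands are applied through tmsh when it is present and printed otherwise.

```shell
#!/bin/sh
# Editor's example, not the deck's own code. All names, addresses and the
# administration service list are assumptions for illustration.

TMSH_BIN=$(command -v tmsh 2>/dev/null)
run_tmsh() {
    # Apply one tmsh command, or print it when tmsh is not available (dry run).
    if [ -n "$TMSH_BIN" ]; then "$TMSH_BIN" -c "$1"; else printf 'DRY-RUN tmsh %s\n' "$1"; fi
}

# Services an administration Self IP in Common must answer on; everything else stays closed.
# (ssh, GUI, network failover, ConfigSync/mirroring; assumed list, adjust to the design)
ADMIN_SERVICES='tcp:22 tcp:443 udp:1026 tcp:4353'

self_ip_cmd() {
    # self_ip_cmd NAME ADDR/PREFIX VLAN RD ROLE   with ROLE = admin | customer
    # Route domain 0 is the default and takes no suffix; any other RD is written ADDR%RD/PREFIX.
    name=$1; cidr=$2; vlan=$3; rd=$4; role=$5
    addr=${cidr%/*}; prefix=${cidr#*/}
    if [ "$rd" -eq 0 ] 2>/dev/null; then full="$addr/$prefix"; else full="$addr%$rd/$prefix"; fi
    case "$role" in
        admin)    lock="allow-service add { $ADMIN_SERVICES }" ;;   # explicit allow-list
        customer) lock="allow-service none" ;;                       # data plane only, no mgmt services
        *)        echo "unknown role: $role (allow-all is never generated)" >&2; return 1 ;;
    esac
    printf 'create net self %s address %s vlan %s %s' "$name" "$full" "$vlan" "$lock"
}

deploy_l3() {
    # Route domain and partition first; the Self IPs reference them.
    run_tmsh "create net route-domain cust1 id 1 vlans add { VIPBIGIP }"
    run_tmsh "create auth partition CUST1 default-route-domain 1"
    cmd=$(self_ip_cmd self-admin 10.200.0.20/24 ADMIN 0 admin) || return 1
    run_tmsh "$cmd"
    cmd=$(self_ip_cmd /CUST1/self-train 192.168.10.20/24 VIPBIGIP 1 customer) || return 1
    run_tmsh "$cmd"
    run_tmsh "save /sys config"
}

# ./l3_split.sh apply   (without "apply" the functions are only defined)
case "${1:-}" in apply) deploy_l3 ;; esac
```

Verify afterwards with tmsh list net self all: every customer-facing Self IP should show allow-service none, and nothing should show allow-service all, since a Self IP that answers on every port exposes the management services to whatever can reach that VLAN.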
Lab 2 – L1/2/3 configuration