Ltm Training Ppt

8/18/2019 Ltm Training Ppt

1/168

F5 Training


2/168

F5 LTM TrainingTopic Section Time

Day 1

Introduction • Introduction• Types of SLB• Is load Balancing dierent from

Clustering• LB Vendor Comparison• F5 Solutions• F5 Solution Cont

!"" #!$" pm

LTM%latforms

• &'at is BI()I% LTM• *ard+are Line)up• ,-ploring *ard+are• Inside Vie+• Lig'ts .ut Management• LTM Soft+are

!$" #!!" pm


3/168

F5 LTM TrainingTopic Section Time

Day 1

Initial Setup • Big)I% *ard+are• ,-ploring Big)I% File System• Licensing Big)I%

• Basic Con/guration

!!" #5"" pm

LTM .0ects • Virtual Ser2ers• %ools• 3odes

• I)4ules• *ealt' Monitors

5"" #5$" pm


4/168

M.DL, ) 1

INTRODUCTION


5/168

I3T4.DCTI.3Load Balancer6 as t'e name suggests is a

tool +'ic' 0alances load Since +e aredealing +it' net+or7s6 it 0asically does83et+or7 Load Balancing9 3o+6 if I 'ad to

de/ne 8Load Balancing96 I +ould prefera0lydo it as6 “Load balancing (performed by aload balancer) is a type of service

performed by a tool that assigns work loads

to a set of servers in such a manner thatthe computing resources are used in anoptimal manner”. T'is optimal manner may0e any t'ing and it is con/gura0le

Load 0alancers are used to increase


6/168

Types of SLB

Load 0alancers are generallygrouped into t+o categories<

• Layer 7 < It load 0alancers distri0utere=uests 0ased upon data found inapplication layer protocols suc' as *TT%

• Layer 4 < Layer ! load 0alancers act

upon data found in net+or7 andtransport layer protocols :I%6 TC%6 FT%6D%;


7/168

IS L.>D B>L>3CI3( DIFF,4,3TF4.M CLST,4I3(?

Load)Balancing and Clustering are 0ot' solutions to t'esame pro0lem 0ut t'ey go a0out it some+'at dierentlyClustering usually refers to t'e use of proprietary soft+areto interact at an .S le2el and is speci/c to t'e 2endor in=uestion Since t'ere is a re=uirement for tig't integration

0et+een ser2ers6 special soft+are is re=uired6 and t'us t'e2endor +ill only support a /nite amount of platforms Typically6 t'e cost of t'e net+or7 application de2ice is t'esame if not less t'an t'e @clustering@ soft+are solution>dditionally6 t'ere is less to trou0le)s'oot +it' t'e Load)Balancer t'an t'ere is +it' t'eir soft+are counterparts

Similarly6 scala0ility is usually muc' easier to ac'ie2e +it'a Load)Balancer as all t'e user must do is add a ser2er6update its content and tell t'e Load)Balancer of itse-istence


8/168

LB Vendor Comparison


9/168

F5 Solutions

F5 products address t'e t'ree main areasof >pplication Deli2ery 3et+or7ing<

>pplication security >pplication .ptimiAation

>pplication >2aila0ility


10/168

F5 Solution


11/168

M.DL, ) $

BIG-IP LTM Platforms


12/168

&'at is BI()I% Local TracManager?

BIG-IP® Local Trafc Manager controlsnet+or7 trac t'at comes into or goes out of alocal area net+or7 :L>3;6 including an intranet

Local Trac Manager includes a 2ariety of featurest'at perform functions suc' as inspecting and

transforming 'eader and content data6 managing SSLcerti/cate)0ased aut'entication6 and compressing*TT% responses

In so doing6 t'e BI()I% system not only directs tracto t'e appropriate ser2er resource6 0ut also en'ances

net+or7 security and frees up ser2er resources 0yperforming tas7s t'at +e0 ser2ers typically perform


13/168

BI()I% *ard+are Line)upPrice

Function / Performance

BIG-IP 3!!

Dual core CPU

8 10/100/1000 + 2x 1GB SFP

1x 160 GB HD + 8GB CF

4 GB memorySSL @ 10 !PS / 2 G" "ul#

1 G"$% max %o&'(are com$re%%)o*

" G#$s Traffic1 ,-a*ce, Pro,uc' .o,ule

BIG-IP %&!!

BIG-IP '!!

Dual core CPU

4 10/100/1000 + 2x 1GB SFP

1x 160GB HD

4 GB memorySSL @ !PS / 1 G" Bul#

1 G"$% max %o&'(are com$re%%)o*

' G#$s Traffic

1 Ba%)c Pro,uc' .o,ule

2 x Dual core CPU

16 10/100/1000 + 8x 1GB SFP

2x 20 GB HD S/ 3D5 + 8GB CF

8 GB memory

SSL @ 2 !PS / 4 G" "ul#

G"$% max ar,(are com$re%%)o*

G#$s Traffic

.ul')$le Pro,uc' .o,ule%

BIG-IP &!!2 x 7ua, core CPU

16 10/100/1000 + 8x 1GB SFP

2x 20 GB HD S/ 3D5 + 8GB CF

16 GB memory

SSL @ 8 !PS / 96G" "ul#

6 G"$% max ar,(are com$re%%)o*

'" G#$s Traffic.ul')$le Pro,uc' .o,ule%


14/168


15/168

: ()$lorin* Bi*-IP +ar,are


16/168


17/168


18/168


19/168


20/168

: Insi,e .ie of 3!! BIG-IP


21/168

Lights Out Management

)T+o operating systems)TMM for primary use

)>.MSCC% for lig'ts

.ut management)>l+ays on Management

)S+itc' card control processing


22/168

: BIG-IP LTM oftare


23/168

MODULE 2

Initial Setup

Exploring Big-IP Hardware

Exploring Big-IP File System

Licensing Big-IP

Basic Configuration


24/168

The Hardware

OOBManagementPort

ConsoleCable

FailoverCable

USB Port

LCD Paneland controls

!"!!"!!! MbpsCopper Ports

!!! MbpsFibre Ports


25/168

What to do first ?


26/168

Setup Overview


27/168

Setup Tools

SSH Client

username! root

"assword!default

Serial Terminal Client

username! root "assword!default

#ig$" Config S%ript%onfig

#ig$" Wa&&ased %onfiguration

https!''()2*(+,*(*2-.

username! admin

"assword!admin

https://192.168.1.245/https://192.168.1.245/


28/168

Li%ensing Methods


29/168

Entering /egistration 0e1


30/168

: u'oma')c L)ce*%)*;


31/168

Manual Li%ensing


32/168

: .a*ual L)ce*%)*;


33/168

Completing the Li%ensing "ro%ess


34/168

ile S1stem

Built on top LinuxHas Linux files structureFiles are relevant to the operation

Main file in BIG-IP LTM are mentioned belo! '%onfig'&igip*%onf

'%onfig'&igip3&ase*%onf

'%onfig'#igD#*dat

'et%'hosts*allow '%onfig'&igip*li%ense

'var'log'ltm


35/168

"coinfi#"bi#ip$conf Holds all information relevant to the load

balancin#

Li4e! virtual5 pool5 profile5 monitor5 irules et%

Shared &etween 2 units if in a pair %onfiguration

"confi#"bi#ip%base$conf

-Holds all information relevant to the basicelements of the Bi#IP

Li4e! management $"5 vlans5 routes few more things

"etc"hosts$allo

-hosts hich are alloed to use the local I&'Tservices$

Su%h as ser2ices are SS*6 snmp for t'e snmp

de2ices


36/168

"confi#"Bi#(B$dat

-bi#db database holds a set of bi#db confi#uration)e*s

0e1s define the &ehaviours of various aspe%ts of the#$6$" s1stem

or e7ample5 the &igd& 4e1 ailover*8%tive Mode5 when

set to ena&le5 %auses a redundant s1stem to operatein a%tivea%tive mode5 instead of the defaulta%tive'stand&1 mode*

We %an edit these values &1 usingThe Configuration utilit1

The &igpipe d& %ommand

#bigpipe db all list


37/168

"confi#"bi#ip$license

-Holds all information about the license of theBi#IP s*stem

Without this file or a valid li%ense file5 the #ig$"will not operate

There are fe more vital files

'config/ssl/ssl.crt

/config/ssl/ssl.key


38/168

MODULE 9

LTM OB#$CTS


39/168

Local trac o0ects

T'e most 0asic o0ects in Local Trac Manager t'at youmust con/gure for local trac management are<

%irt&al Server<

T'ese acts li7e a 2irtual ser2er +it' an Virtual I%6 as t'e

name suggests6 t'is I% is not real and t'is is t'e I% on+'ic' client sends t'eir re=uests T'ese ser2ers recei2et'e re=uest from a client and t'en for+ard it directly to a8pool9 or to a 8I)4ule9 +'ic' in turn for+ards to a pool

Pools<

T'is is a collection of 3odes :>ctual Ser2ers Computers;6It may 'a2e 1 to 3 num0er of real nodes


40/168

Local trac o0ects

'odes( T'ese are not'ing 0ut t'e actual I% address of t'e real

ser2ers +'ic' actually 'a2e to ser2ice t'e re=uests

)*+&les ,Or some times -&st .+&les/0< T'ey 0asically de/ne t'e rules6 +'ic' 'as to 0e met inorder to get t'e re=uests ser2iced 0y t'e actualser2ers6 in ot'er +ords t'ey control re=uests fromreac'ing t'e actual ser2ers 0ased on some rules li7e

source I% and t'e destination port 3ormally t'ey areassociated +it' a pool as a destination and t'ey are

called 0y t'e Virtual ser2ers


41/168

Local trac o0ects

1ealt2 Monitors<

*ealt' Monitors are normally eep a li2es +'ic'are sent to t'e nodes in order to determine t'at

t'ey are 'ealt'y and can process data For,-ample6 > +e0 ser2er s'ould acceptconnections at port E"6 if it doesnt t'en it ispro0a0ly do+n and cannot ser2ice t'e re=uests6

+e 'a2e dierent type of 'ealt' monitors andt'ese are determined 0y t'e ser2er +e are usingand t'e port +e +ant to connect


42/168

MODULE -

Traffic Processin#


43/168

"ools 5 Mem&ers : ;odes


44/168


45/168

)#efore virtual server %an load &alan%e it should mapped to pool#ig$" translate the destination ip address from virtual server to

a%tual server

Client see the pool servers as single server5 hen%e the term


46/168

8s1metri% /outing "ro&lem


47/168

ull "ro71 8r%hite%ture

)#ig$" do mu%h more than translating the networ4 8ddress. implemented full pro71 ar%hite%ture in #ig$"

Separate t%p %onne%tions for the %lient : the server


48/168

MODULE .

Load Balancin#

Load Balancing Metod Mem!er "s #odePriority $roup %cti"ation

Configuring load !alancing


49/168

Load #alan%ing Methods

Stati% method do not ta4e server performan%e in to %onsideration

D1nami% method does %onsider server performan%e


50/168

/ound /o&in

)/ound /o&in is default : most %ommonl1 used method

#ig$" evenl1 distri&utes %lient re?uest a%ross all availa&le poolmem&er


51/168

/atio

/atio method is appropriate to use if some of the mem&ers arepowerful than other*

Sin%e /atio is stati% method5 this means that server with highestratio value will re%eive more re?uest then others even if theperforman%e of the server is slow*

#b pool lab_Pool { lb method member/node ratio }


52/168

Least Conne%tions

)This method %onsider the %urrent %onne%tions %ount to de%idewhere to send ne7t re?uest

@b pool lab_Pool { lb method least conn }


53/168

Least Conne%tions

8fter %onne%tions %ounts shown &elow5 the &ig$" round ro&inne7t re?uests &etween all three servers*


54/168

astest

astest uses the outstanding la1er A re?uest to de%ide where to

send the ne7t re?uest/e?uest or /esponse B

@b pool lab_Pool { lb method fastest }


55/168

astest

"ing response form server doesnt ta4e into a%%ount how fast

server will response at port ,*S;8C0 response form server at port , doesnt ta4e into

a%%ount how fast &a%4end data&ase server will populate the%ontent of we& page


56/168

O&served

$t is &asi%all1 /atio load &alan%ing &ut with /atio assigned &1 #ig$"

Servers with %onne%tions lower than average will given ratio of 9

Servers with %onne%tions higher than average will given ratio of 2

Gb pool lab_Pool { lb method member observed }


57/168


58/168

"redi%tive

"redi%tive method is similar to O&served5 &ut assigns more

aggressive valueGb pool lab_Pool { lb method member predictive }


59/168

"redi%tive

FConne%tions status server 8 : C with /atio (

Servers # : D with /ation -


60/168

"ool Mem&er vs* ;ode

Load Balancin# b*!F;ode

Total servi%e for one $" 8ddress

Ta4e all transa%tions for the $" address into a%%ount

#b node { ratio / session }

F"ool Mem&er

$" 8ddress : Servi%e

Ta4e the de%ision &ased transa%tions happening onthe servi%e port*


61/168

"riorit1 6roup 8%tivation

Use to designate preferred : &a%4up sets of pool mem&ers with

in a pool

On%e priorit1 group a%tivated

The availa&le mem&er with highest priorit1 will %onsider first


62/168


)$f the num&er of mem&er falls &elow the priorit1 groupa%tivation set5

The ne7t highest priorit1 mem&er also start serving the

re?uests


63/168


Configuration e7ample

@b pool lab_pool '{

lb_method predictive

min_active_members

member !".!"".!".!"$" priority !"

member !".!"".!"."$" priority !"

member !".!"".!".%"$" priority !"

member !".!"".!".%"$" priority &

member !".!"".!"."$" priority &

member !".!"".!".&"$" priority & }(


64/168

Fall0ac7 *ost

)all&a%4 host feature is designed for HTT" proto%ol onl1*$t %omes into pla1 if all the mem&ers in a pool are unavaila&le


65/168

Configuring Load #alan%ing

&igpipe pool Gpool3nameF l& methodGmethod3nameF I

=rr J node ratio J mem&er ratio J mem&er least %onn J

mem&er o&served J mem&er predi%tive J fastest J least %onn J predi%tive J o&served J d1nami% ratio J

fastest app resp>


66/168

MODULE +

Monitor

Monitor FunctionalityMonitor &ypes

Configuring Monitor

%ssigning Monitor

Status


67/168

$ntro to monitor

#ig$" s1stem %an monitor the health of nodes :mem&er

Monitor is the test that #ig$" performed

simple test

Highl1 intera%tive test

The result of these test will define the status of

respe%tive node or mem&er is availa&le

#ig$" perform %ontinues monitoring irrespe%tive ofthe status of node or mem&er


68/168

Step to setup a monitor Step (! Create

Step 2! ;ame : T1pe

name the new monitor sele%t the t1pe from s1stemtemplates

Step 9! CustomiKe

Step -! 8ssign

to pool'node'pool mem&er

Step .! Status


69/168

T1pes of monitoring

8ddress Che%4 $" address node

Servi%e Che%4

$"!port

Content Che%4

$"!port : %he%4 data returned

$ntera%tive Che%4

$ntera%tive with servers

Multiple %ommands and multiple response


70/168

8ddress Che%4


71/168

E7ample

System

#b monitor icmp list

monitorroot icmp {

interval & timeo)t !*

dest +

}

Custom

#b monitor icmp_mon list

monitor icmp_mon {

defa)lts from icmp

interval ,

timeo)t

}


72/168

Servi%e Che%4Servi%e %he%4s onl1 test whether server is listening to respe%tive

port*Doesnt provide an1 insight into ?ualit1 of the %ontent that might

return


73/168

,-ample

S*stem

#b monitor tcp list

monitorroot tcp { interval &

timeo)t !*

dest ++

recv --

send --

}

+ustom

#b monitor tcp_port_mon

list monitor tcp_port_mon {

defa)lts from tcp

interval !&

timeo)t ,

}


74/168

Content Che%4

Content %he%4 go &e1ond testing whether a node isresponding'listening

$t also test if it is responding with %orre%t %ontent


75/168

E7ampleS*stem!

#b monitor http list

monitorroot http {

interval &

timeo)t !* dest ++

passord --

recv --

send -01 /- )sername --

}

+ustom!

#b monitor http_mon list

monitor http_mon {

defa)lts from http

recv -2ealth 3heck-

send -01 /health_check.html211P/!."4n4n-

}

$ t ti Ch 4


76/168

$ntera%tive Che%4

E7ample


77/168

E7ample

#b monitor ftp list

monitorroot ftp { interval !"

timeo)t %!

dest ++

deb)g --

get --

mode -passive-

passord --

)sername --

}


78/168


79/168

8ssign Monitor to "ool : mem&er

8ssigning Monitor to "ool

#b pool bl)ecoat_pool { monitor all tcp }

#b pool bsd"!_pool { monitor all bsd_mon }

8ssigning Monitor to "ool mem&er

#b pool lab_Pool '{

member !".!"!.%.&&$" monitor tcp

member !".!"!.%.&*$" monitor http

}6


80/168

Status $%on

#elow are the status $%ons


81/168

Status! 8vaila&le

E7ample(

E7ample2


82/168


83/168

Status! Un4nown

E7ample(

E7ample2


84/168

Status! Unavaila&le

,-ample )1

,-ample )$


85/168

MODULE A

Profile

Profile Concept

Profile Configuration


86/168

"rofile Con%ept

Contain settings that instru%t how to pass the traffi%through virtual server

Wh1 an1 one want to %hange default traffi% pro%essing

&ehavior of virtual server B

8re profile overrides the load &alan%ing propert1 B

How does profile help to improve the performan%e ofa%tual servers B


87/168

"rofile E7ample

%ersistence

SSL Termination

"rofile E7ample


88/168

"rofile E7ample

FT%

"rofile Dependen%ies


89/168

"rofile Dependen%ies

)Some of t'e pro/les are dependent on ot'ers)Some cant 0e com0ine in one VS

T pes of p ofile


90/168

T1pes of profile

Servi%es "rofiles!

HTT"5 T"5 /ST"5 S$"5 iSession

"ersisten%e "rofiles%oo4ie5 dest3addr5 sour%e3addr5 hash*

"roto%ol "rofilest%p5 udp5 fastL-

SSl "rofiles%lient5 server

8uthenti%ations "rofiles/8D$US servers5 C/LD" servers

Other "rofilesOneConne%t5 ;TLM5 stream


91/168

"rofile Configuration Con%epts

Default "rofiles Tamplates

Stored in '%onfig'profile3&ase*%onf Cant &e deleted

Custom "rofiles

)Stored in '%onfig'&igip*%onf Created from default profile

D1nami% %hild : parent relationship


92/168

Servi%es "rofiles "arent HTT" profiles

profile http http {

basic a)th realm none

oneconnect transformations enable

compress disable

compress )ri incl)de none

compress )ri e7cl)de none

compress prefer g8ip

compress min si8e !" compress b)ffer si8e "5*

compress vary header enable

.

.

.

ramcache ma7 age %*""

ramcache min ob9ect si8e &"" ramcache ma7 ob9ect si8e &""""

ramcache )ri e7cl)de none

ramcache )ri incl)de none

ramcache )ri pinned none

ramcache ignore client cache control all

ramcache aging rate 5

ramcache insert age header enable

}

Custom HTT" profile

#b profile http pan_http_profile 6{

defa)lts from http_master

header insert -:;= 1r)e-

fallback -http//foo.com/f.asp)?@211PhostA-

}(

#b profile http help ;;;for more option


93/168

MODULE ,

"ersisten%e

Persistence profile

Source %ddress Persistence

Coo'ie Persistence

Con%ept


94/168

Con%ept

What is the need of "ersisten%e B

"ersisten%e profile is re?uired to a%hieve to %hangethe load &alan%ing &ehavior of virtual server

Upon the initial %onne%tion! #ig$" store session data in persisten%e re%ord

"ersisten%e /e%ord store %lient %hara%teristi%s

"ool mem&er information whi%h is serving re?uest

#ig$" use persisten%e re%ord to serve the ne7ttraffi%


95/168

dd " i t fi ti


96/168

sour%e3addr "ersisten%e %onfiguration

"arent "rofile!

profile persist so)rce_addr {

mode so)rce addr

mirror disable

timeo)t !$"

mask none map pro7ies enable

r)le none

}

Custom "rofile #b profile persist pan_s)bnet 6{ mode so)rce addr mask

&&.&&.&&." }(

Coo4ie "ersisten%e


97/168

Coo4ie "ersisten%e

Wh1 %oo4ie "ersisten%e BModes!

F$nsert Mode

LTM insert spe%ial %oo4ie in HTT" response

"ool name : "ool Mem&er =en%oded>F/ewrite Mode

We& server Creates a N&lan4 %oo4ie LTM /ewrites to ma4e Spe%ial Coo4ie

F"assive Mode We& server Creates Spe%ial Coo4ie LTM "assivel1 lets it through

Coo4ie $nsert Mode


98/168

Coo4ie $nsert Mode

Coo4ie /ewrite Mode


99/168

Coo4ie /ewrite Mode

Coo4ie "assive Mode


100/168

Coo4ie "assive Mode

+onfi#urin# +oo)ie persistence


101/168

Custom "rofile#b prole persist pancookie ! mode cookie cookie mode rewrite

cookie name paa "

"arent "rofile! profile persist cookie {

mode cookie

mirror disabletimeo)t immediate

cookie mode insert

cookie name none

cookie e7piration "d """"""

cookie hash offset " cookie hash length "

r)le none

}

MODULE )


102/168

MODULE )

Processin# SSL Traffic

Exploring SSL on Big-IP

Configuring Big-IP for SSL


103/168


104/168

8dvantage of SSL Termination

>llo+ i4ules processing and coo7iepersistence

.Joad SSL trac from +e0 ser2er

SSL 7ey e-c'ange and 0ul7 encryptiondane 0y 'ard+are

CentraliAe certi/cate management


105/168

Traffi% low! Client SSL


106/168

Traffi% low! Server SSL


107/168

SSL 8%%eleration


108/168

Ena&ling Client SSL "rofile


109/168

Configuring Client SSL "rofile

Configuring %lientssl profile !

#b profile clientssl pan.com_ssl {

defa)lts from clientssl

key B.pan.com.key-

cert B.pan.com.crt-

chain Bca;intermediate.crt-

}

8sso%iating the %lientssl profile to virtual server

#b virt)al pan.com_https { profile pan.com_ssl }


110/168

Configuring Server SSL "rofile

Configuring Serverssl profile !

#b profile serverssl pan.com_ssl 6{

defa)lts from serverssl-

8sso%iating the %lientssl profile to virtual server

#b virt)al pan.com_https { profile pan.com_ssl }

MODULE (


111/168

MODULE (

&at , S&T

#%& Concepts and Configuration

S#%& Concepts and Configuration


112/168

;at Con%epts

.ne to .ne mapping

Bi)directional trac

Dedicated I% >ddress

Cant Con/gure port


113/168

Configuring ;8T

#b nat !,.!*.".! to ",.!".!.!"!

#b nat !,.!,.".% to ",.!".!.!"%

#b nat list

#b nat sho

S3>T Concept


114/168

S3>T Concept

8Se%ure ;8T

"erforms Sour%e ;at

Man1 to one mapping

Traffi% initiated to S;8T

8ddress refused

S;8Ts used for

/outing pro&lem

S;8T C fi i


115/168

S;8T Configuration #b snat pan { origin any translation ... }

# b snat pan 6{ origin any translation ... vlancla)_vlan enable }(

#b snatpool pan_spool 6{ member %... member%...% }(

#b snat pan 6{ origin !,.!*.!*." mask&&.&&.&&." snatpool pan_spool }(


116/168

l


117/168


118/168

Standard Most %ommon t1pe of Used when LTM needs to forward or route pa%4ets Can either Pust route them &ased on its $" routing ta&le of load &alan%e

multiple routers'firewalls et%

"erforman%e =HTT"> Used for ver1 simple5 ver1 fast HTT" load &alan%ing Loose a num&er of features =see ne7t slide>

"erforman%e =La1er -> Used for general purpose fast load &alan%ing of pa%4ets using the "


119/168

Chapter (2


120/168

Chapter (2

i/ule

&' t i i4 l ?


121/168

&'at is an i4ule?

8n i/ule is a TCL s%ript to give more %ontrol overhow traffi% is pro%essed via the LTM

Can do this &ased on Pust a&out an1thing found

in a pa%4et5 in%luding %lient $" address5 headers5U/$5 destination port5 et%*

The use of the Universal $nspe%tion Engine =U$E>is also done via i/ules5 allowing for rule &asedpersisten%e

Wh t i/ l 4 ithB


122/168

What %an an i/ule wor4 withB

Most %ommonl1 seen are HTT" events Can also wor4 with other proto%ols5 su%h as S$"5

/TS"5 QML5 others

Can ma4e adPustments to TC" &ehavior5 su%h as

MSS5 %he%4ing the /TT5 loo4ing into the pa1load Can wor4 with authenti%ation or en%r1ption5 via

7.) %ommands5 and 8ES en%r1ption'de%r1ption

Ca%he5 %ompression5 profiles are also availa&le


123/168

More Samples :f C d S' ;


124/168

More SamplesK :from CodeS'are;

i/ le Logging = eall hand R>


125/168

i/ule Logging =reall1 hand1R>

ou %an turn on logging for an1 i/ule and re%ord an1thing1ou li4e from re?uests or responsesR

Often used when trou&leshooting an i/ule

Simpl1 add the line Nlog 777 =where N777 is an1thing 1ou

li4e> to an1 i/ule5 for e7ample!

hen 211P_C0HI01 {

log -3lient @GPremote_addrA has reJ)ested page@211P)riA from server @211PhostA.-

}

ou %an use the CL$ %ommand Ntail f 'var'log'ltm to viewthese logs in real time

Trou&leshooting Se%tion


126/168

Trou&leshooting Se%tion

ile S1stem Overview and


127/168

ile S1stem OverviewMain


128/168

Tools'Commands to help

Change dire%tor1! %d

"rint wor4ing dire%tor1!pwd

List dire%tor1 %ontents! ls


129/168

Useful vi %ommands Ni to start inserting te7t where the %ursor is

N8 to start inserting te7t at the end of the line

NEs% e7its the editing mode

Ndd delete entire line

N7 delete single %hara%ter

NEs% then N! then Nw to write the file NEs% then N! then N? to ?uit vi

N ' starts a sear%h through the file

;ote! N!w? would write the file and ?uit in one go;ote! N!wR would write the file even if readonl1 file

;ote! N!?R would for%e vi to ?uit

UCS file e7tra%ting


130/168

UCS file e7tra%tingUCS files are simpl1 N*tar*gK files with a num&er of

%onfiguration files inside

/ename the file with a N*tar*gK e7tension and useWin/8/ to e7tra%t the file

;ote that a UCS file %ontains &oth the Nroot passwordand li%ense 4e1 for that unit dont put it on another&o7 unless 1ou have a &a%4upR

84view


131/168

4view

Support will often re?uest these

Can &e e7e%uted from the 6U$ or CL$

Contains &o7 %onfiguration5 route information5statisti%s et%

Logs


132/168

Logs

Logs %an often highlight pro&lems

Can &e viewed from the 6U$

Can &e downloaded from the dire%tor1 N'var'log

Useful %ommand to wat%h the LTM log file in

real time from the CL$!tail f 'var'log'ltm

CL$ Tools


133/168

CL$ Tools

N&igtop utilit1 for a ?ui%4 loo4 at how the #$6$"is fun%tioning* "rovides statisti%s and informationon traffi% flow5 node operations andtrou&leshooting =N&igtop dela1 2 useful>

/unning TC"DUM"


134/168

/unning TC"DUM" TC"DUM" is an in&uilt networ4 sniffer

To run TC"DUM" from the CL$ and save the output to a filethat %an &e opened in Ethereal'Wireshar4 use the following%ommand!

t%pdump ni G


135/168

SSLDUM" is a utilit1 availa&le on the #$6$" that %an &e usedto de%ode 1our SSL sessions &1 preloading 1our SSL 4e1s

and using those to %onvert the session data into 8SC$$ te7t*

SSLDUM" ta4es a raw TC"DUM" file as input

To displa1 the handsha4e onl1

ssldump r G%apture fileF

To displa1 the a%tual appli%ation data =with the 4e1 file>ssldump r G%apture fileF 4 G4e1 fileF dE7ample!

ssldump r 'var'tmp'internal*dmp 4 '%onfig'ssl'ssl*4e1'default*4e1 d F 'var'tmp'ssldump*dmp

Do%umentation for ssldump %an &e found onwww*rtfm*%om'ssldump'ssldump*html

Useful lin4s . related

http://www.rtfm.com/ssldump/ssldump.htmlhttp://www.rtfm.com/ssldump/ssldump.html


136/168

Useful lin4s . related Compression Test

http!''www*f.demo*%om'%ompression

Dev%entral =i/ules5 iControl5 SD0>http!''dev%entral*f.*%om

Software Downloadshttp!''downloads*f.*%om

8s4f. =manuals5 software5 solutions5 EOL info>

http!''www*as4f.*%om

Chapter (9

http://www.f5demo.com/compressionhttp://devcentral.f5.com/http://downloads.f5.com/http://www.askf5.com/http://www.askf5.com/http://downloads.f5.com/http://devcentral.f5.com/http://www.f5demo.com/compression


137/168

Chapter (9

/edundant Pair

Ced)ndant pair 3oncept

Ced)ndant Pair et)p

3onfig. ynchroni8ation

Concept


138/168

ConceptWhen is high 8vaila&ilit1 is re?uired B

$n%reases /elia&ilit1

$t %onsist of two identi%all1 %onfigured #ig$"s1stem

There are two &asi% aspe%t! S1n%hroniKing %onfigurations &etween two #$6$"

units

Configuring failsafe settings for the


139/168


140/168

Unit $D used for $dentifi%ation5 do not designateprimar1 and se%ondar1


141/168

primar1 and se%ondar1

loating $" is alwa1s own &1 8%tive &o7


142/168

ailing Over


143/168

ailing Over6ratuitous 8/" sent to all neigh&oring networ4 devi%es


144/168

S1n%hroniKe Configuration$nitiated from Either S1stem


145/168

$nitiated from Either S1stem

/edundant pair should servi%e the same monitors5pools : virtual Servers

Sync'roniAation condition


146/168

y8dministrative password must &e same on ea%h

s1stem

"ort --9 must not &e &lo%4ed &1 the port lo%4downsetting or &1 another s1stem &etween the

redundant pair*

Clo%4 of the s1stem must &e within a %ertainnum&er of minutes of ea%h other*

"ull or "ush Operation S1n% in Corre%t Dire%tion

S1n%hroniKation "ro%ess

(Create UCS file


147/168

( Create UCS file*

Whi%h %ontain all %onfigurations li%ensing information

2Send to peer

9"eer %reates &a%4up of itself

-"eer opens UCS file

a> Mat%hing Hostname F ull $nstallation &> Different Hostname FShared $nstallation

S1n%hroniKe to "eer


148/168

1

@ &igpipe %onfig s1n% pull

@ &igpipe %onfig s1n% all

Determine >cti2e System


149/168

y

Change to Stand&1 Mode


150/168

g 1


151/168

ailover Managers

ailo e Mange s dete%ts a failed p o%ess


152/168

ailover Mangers dete%ts a failed pro%ess5

ta4es one of the several a%tion restarting thepro%ess5 failing &a%4 to the stand&15 re&oot the &igip

Wat%hdog

"erforms hardware health %he%4s

Overdog

Software to %orre%t hardware failures

SOD

monitors the swit%h fa&ri% and ta4es %orre%tive a%tion forswit%h failures

8ll failover Managers update and monitor the high8vaila&ilit1 Ta&le

*ig' >2aila0ility Ta0le


153/168

g ypdate H Monitor 0y Failo2er Managers

Ta0le Fields

)Feature 3ame

)>ction on Failure

),na0led)Failed State

Command Line< b ha table show

H8 Ta&le


154/168

ailover Trigger


155/168

gg"ro%esses =Daemons>

Swit%h&oard


156/168

VL>3 Failsafe


157/168

Dete%ts no networ4 traffi% Tries to generate traffi%

Timeout rea%hed Time 8%tion Stand&1 &e%omesa%tive

6atewa1 ailsafe


158/168


159/168


160/168

;etwor4 ailover Settings


161/168

;etwor4 Communi%ation


162/168

Stateful ailover


163/168

T1pes of Mirroring


164/168

ailover without M8C Mas?uerading


165/168

M8C Mas?uerading


166/168

M8C Mas?uerading


167/168


168/168

Date post:	07-Jul-2018
Category:	Documents
Upload:	amapreetscorpio
View:	221 times
Download:	0 times

Ltm Training Ppt

Documents