BIG-IP Local Traffic Manager : Implementations 11.1

(1)

BIG-IP

®

Local Traffic Manager

®

:

Implementations

11.1

(2)

(3)

Legal Notices...13

Acknowledgments...15

Chapter 1: Configuring a Simple Intranet...19

Overview: A simple intranet configuration...20

Task summary...20

Creating a pool...21

Creating a virtual server...21

Chapter 2: Configuring ISP Load Balancing...23

Overview: ISP load balancing...24

Illustration of ISP load balancing...24

Task summary for ISP load balancing...24

Creating a load balancing pool...24

Creating a virtual server for inbound content server traffic...25

Creating a virtual server for outbound traffic for routers...26

Creating self IP addresses an external VLAN...26

Enabling SNAT automap for internal and external VLANs...26

Chapter 3: Routing Based on XML Content...29

Overview: XML content-based routing...30

Task summary...30

Creating a custom XML profile...31

Writing XPath queries...31

Creating a pool to manage HTTP traffic...32

Creating an iRule...33

Viewing statistics about XML content-based routing...34

Chapter 4: Configuring an EtherIP Tunnel...35

Overview: Preserving BIG-IP connections during live virtual machine migration...36

Illustration of EtherIP tunneling in a vMotion environment...36

Task summary...36

Creating a VLAN...37

Creating an EtherIP profile...38

Creating an EtherIP tunnel object...38

Creating a VLAN group...39

Creating a self IP for a VLAN...39

Creating a self IP for a VLAN group...40

Creating a Virtual Location monitor...40

3 Table of Contents

(4)

Syncing the BIG-IP configuration to the device group...41

Implementation results...42

Chapter 5: Configuring nPath Routing...43

Overview: Layer 2 nPath routing...44

About Layer 2 nPath routing configuration...44

Guidelines for UDP timeouts...45

Guidelines for TCP timeouts...45

Task summary...45

Creating a custom Fast L4 profile...46

Creating a server pool for nPath routing...46

Creating a virtual server for Layer 2 nPath routing...47

Configuring the virtual address on the server loopback interface...47

Setting the route for inbound traffic...47

Configuring the Connection.Autolasthop bigdb key...48

Chapter 6: Configuring Layer 3 nPath Routing...49

Overview: Layer 3 nPath routing...50

Configuring Layer 3 nPath routing using TMSH...50

Layer 3 nPath routing example...51

Chapter 7: Creating a Basic Web Site and E-commerce Configuration...53

Overview: Basic web site and eCommerce configuration...54

Illustration of basic web site and eCommerce configuration...54

Task summary...54

Creating a pool to manage HTTPS traffic...55

Creating a virtual server to manage HTTP traffic...56

Creating a virtual server to manage HTTPS traffic...56

Chapter 8: Installing a BIG-IP System Without Changing the IP Network...59

Overview: Installing a BIG-IP system without changing the IP network...60

Task summary...61

Removing the self IP addresses from the default VLANs...61

Creating a VLAN group...61

Creating a self IP for a VLAN group...62

Creating a pool of web servers...62

Chapter 9: Web Hosting Multiple Customers Using an External Switch...65

Overview: Web hosting multiple customers using an external switch...66

Illustration for hosting multiple customers using an external switch...66

Task summary for hosting multiple customers...66

(5)

Creating a VLAN with a tagged interface...66

Creating a virtual server for HTTP traffic...68

Chapter 10: Web Hosting Multiple Customers Using Untagged Interfaces...69

Overview: Web hosting multiple customers using untagged interfaces...70

Illustration for hosting multiple customers using untagged interfaces...70

Task summary for hosting multiple customers...70

Creating a VLAN with an untagged interface...70

Chapter 11: Web Hosting Multiple Customers Using Route Domains...73

Overview: Use of route domains to host multiple web customers on the BIG-IP system...74

Illustration of sample BIG-IP configuration using route domains...75

Illustration of resulting route domain configuration...75

Task summary...76

Creating an administrative partition...76

Creating a VLAN with a tagged interface...77

Creating a self IP address for a default route domain in an administrative partition...77

Creating a route domain on BIG-IP LTM...78

Adding routes that specify VLAN internal as the resource...79

Chapter 12: Managing Client-side HTTPS Traffic Using a Self-signed Certificate...81

Overview: Managing client-side HTTPS traffic using a self-signed certificate...82

Task summary...82

Creating a self-signed SSL certificate...82

Creating a custom HTTP profile...83

Creating a custom Client SSL profile...83

Creating a virtual server for client-side HTTPS traffic...84

Chapter 13: Managing Client and Server HTTPS Traffic using a Self-signed Certificate...87

Overview: Managing client and server HTTPS traffic using a self-signed certificate...88

Task summary...88

Creating a self-signed SSL certificate...88

(6)

Creating a custom Server SSL profile...90

Creating a pool to manage HTTPS traffic...90

Creating a virtual server for client-side and server-side HTTPS traffic...91

Chapter 14: Managing Client-side HTTPS Traffic using a CA-signed Certificate...93

Overview: Managing client-side HTTPS traffic using a CA-signed certificate...94

Task summary...94

Requesting a certificate from a certificate authority...94

Creating a virtual server for client-side HTTPS traffic...96

Chapter 15: Implementing Proxy SSL on a Single BIG-IP System...99

Overview: Direct client-server authentication with application optimization...100

Task summary...100

Creating a custom Server SSL profile...101

Creating a virtual server for client-side and server-side SSL traffic...102

Implementation result...103

Chapter 16: Configuring HTTP Load Balancing with Source Address Affinity Persistence...105

Overview: HTTP load balancing with source affinity persistence...106

Task summary...106

Chapter 17: Configuring HTTP Load Balancing with Cookie Persistence...109

Overview: HTTP load balancing with cookie persistence...110

Task summary...110

Creating a custom cookie persistence profile...110

Chapter 18: Compressing HTTP Responses...113

Overview: Compressing HTTP responses...114

Task summary...114

Creating a customized HTTP compression profile...114

(7)

Creating a virtual server for HTTP compression...115

Chapter 19: Using the Request Logging Profile...117

Overview: Configuring a request logging profile...118

Task summary for configuring request logging...118

Creating a pool with request logging to manage HTTP traffic...118

Creating a request logging profile...119

Configuring a virtual server for request logging...120

Deleting a request logging profile...121

Request logging profile settings...121

Request logging parameters...123

Chapter 20: Load Balancing Passive Mode FTP Traffic...127

Overview: FTP passive mode load balancing...128

Task Summary for load balancing passive mode FTP traffic...128

Creating a custom FTP monitor...128

Creating a pool to manage FTP traffic...130

Creating a virtual server for FTP traffic...130

Chapter 21: Load Balancing Passive Mode FTP Traffic with Data Channel Optimization...133

Overview: FTP passive mode load balancing with data channel optimization...134

Task Summary for load balancing passive mode FTP traffic...134

Creating a custom FTP profile...134

Creating a custom FTP monitor...135

Creating a pool to manage FTP traffic...136

Creating a virtual server for FTP traffic...137

Chapter 22: Referencing an External File from within an iRule...139

Overview: Referencing an external file from an iRule...140

iRule commands for iFiles...140

Task summary...141

Importing a file to the BIG-IP system...141

Creating an iFile...141

Writing an iRule that references an iFile...141

Chapter 23: Configuring the BIG-IP System as a DHCP Relay Agent...143

Overview: Managing IP addresses for DHCP clients...144

About the BIG-IP system as a DHCP relay agent...144

Task summary...145

Creating a pool of DHCP servers...145

(8)

Creating a DHCP Relay type virtual server...146

Chapter 24: Configuring the BIG-IP System for DHCP Renewal...147

Overview: Renewing IP addresses for DHCP clients...148

About DHCP renewal ...148

Task summary...148

Creating a DHCP renewal virtual server...149

Chapter 25: Configuring a One-IP Network Topology...151

Overview: Configuring a one-IP network topology...152

Illustration of a one-IP network topology for the BIG-IP system...152

Task summary for a one-IP network topology for the BIG-IP system...152

Creating a pool for processing HTTP connections with SNATs enabled...153

Defining a default route...154

Configuring a client SNAT...154

Chapter 26: Implementing Health and Performance Monitoring...155

Overview: Health and performance monitoring...156

Task summary...156

Creating a custom monitor...157

Chapter 27: Preventing TCP Connection Requests From Being Dropped...159

Overview: TCP request queuing...160

Preventing TCP connection requests from being dropped...160

Chapter 28: Load Balancing to IPv6 Nodes...163

Overview: Load balancing to iPv6 nodes...164

Task summary...164

Configuring the radvd service (optional)...164

Creating a virtual server for IPv6 nodes...165

Chapter 29: Configuring DNS Express on BIG-IP Systems...167

How do I configure DNS Express?...168

What is DNS Express?...168

Task summary...168

Creating a DNS Express TSIG key...168

Creating a DNS Express zone...169

(9)

Enabling DNS Express ...169

Assigning a DNS profile to a virtual server...170

Configuring the legacy DNS server to allow zone file transfers...170

Viewing information about DNS Express zones...171

Chapter 30: Load Balancing DNS Traffic Between IPv-6 Only and IPv-4 Only Clouds....173

Overview: Handling IPv6-only connection requests to IPv4-only servers...174

Task summary...174

Creating a custom DNS profile ...174

Assigning a DNS profile to a virtual server...176

Chapter 31: Mitigating Denial of Service Attacks...177

Overview: Mitigating Denial of Service and other attacks...178

Denial of Service attacks and iRules...178

iRules for Code Red attacks...178

iRules for Nimda attacks...178

Common Denial of Service attacks...179

Task summary...182

Configuring adaptive connection reaping...182

Setting the TCP and UDP connection timers...183

Applying a rate class to a virtual server...183

Calculating connection limits on the main virtual server...183

Setting connection limits on the main virtual server...184

Setting the SYN Check activation threshold...184

Chapter 32: Configuring Remote CRLDP Authentication...185

Overview of remote authentication for application traffic...186

Task Summary...186

Creating a CRLDP configuration object for authenticating application traffic remotely...186

Creating a custom CRLDP profile...187

Modifying a virtual server for CRLDP authentication...187

Chapter 33: Configuring Remote LDAP Authentication...189

Overview of remote LDAP authentication for application traffic...190

Task Summary...190

Creating an LDAP configuration object for authenticating application traffic remotely...190

Creating a custom LDAP profile...191

Modifying a virtual server for LDAP authentication...191

(10)

Chapter 34: Configuring Remote RADIUS Authentication...193

Task summary for RADIUS authentication of application traffic...194

Creating a RADIUS server object for authenticating application traffic remotely...194

Creating a RADIUS configuration object for authenticating application traffic remotely...195

Creating a custom RADIUS profile...195

Modifying a virtual server for RADIUS authentication...196

Chapter 35: Configuring Remote SSL LDAP Authentication...197

Overview of remote SSL LDAP authentication for application traffic...198

Task Summary...198

Creating an LDAP Client Certificate SSL configuration object...198

Creating a custom SSL Client Certificate LDAP profile...199

Modifying a virtual server for SSL Client Certificate LDAP authorization...199

Chapter 36: Configuring Remote SSL OCSP Authentication...201

Task Summary...202

Creating an SSL OSCP responder object for authenticating application traffic remotely...202

Creating an SSL OCSP configuration object for authenticating application traffic remotely...203

Creating a custom SSL OCSP profile...203

Modifying a virtual server for SSL OCSP authentication...203

Chapter 37: Configuring Remote TACACS+ Authentication...205

Task Summary...206

Creating a TACACS+ configuration object...206

Creating a custom TACACS+ profile...207

Modifying a virtual server for TACACS+ authentication...207

Chapter 38: Configuring Kerberos Delegation...209

Task Summary...210

Creating a Kerberos Delegation configuration object...210

Creating a Kerberos delegation profile object from the command line...211

Creating a virtual server with Kerberos delegation and Client SSL profiles...212

(11)

Chapter 39: Load Balancing Diameter Application Requests...213

Overview: Diameter load balancing...214

Task summary...214

Creating a custom Diameter profile...214

Creating a custom Diameter monitor...214

Creating a pool to manage Diameter traffic...215

Creating a virtual server to manage Diameter traffic...215

(12)

(13)

Legal Notices

Publication Date

This document was published on February 3, 2014.

Publication Number

MAN-0293-04

Copyright

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks

3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

Patents

This product may be protected by one or more patents indicated at:

http://www.f5.com/about/guidelines-policies/patents

Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning

This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

(14)

FCC Compliance

This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance

This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance

This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

(15)

Acknowledgments

This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards.

This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors.

This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.

This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass.

This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl.

This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano.

This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert.

This product includes software developed for the NetBSD Project by Jason R. Thorpe.

This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com. This product includes software developed for the NetBSD Project by Frank Van der Linden.

This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas.

This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.

This product includes software developed by Balazs Scheidler ([email protected]), which is protected under the GNU Public License.

This product includes software developed by Niels Mueller ([email protected]), which is protected under the GNU Public License.

(16)

In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operating

systems includes mainly non-profit oriented systems for research and education, including but not restricted

to NetBSD, FreeBSD, Mach (by CMU).

This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

This product includes software licensed from Richard H. Porter under the GNU Library General Public License (©_{1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.}

This product includes the standard version of Perl software licensed under the Perl Artistic License (©_1997,

This product includes software developed by Jared Minch.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.

This product contains software licensed from Dr. Brian Gladman under the GNU General Public License. This product includes software developed by the Apache Software Foundation (http://www.apache.org/). This product includes Hypersonic SQL.

This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.

This product includes software developed by the Internet Software Consortium.

This product includes software developed by Nominum, Inc. (http://www.nominum.com).

This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.

This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following

acknowledgment: This product includes software developed by the Computer Systems Engineering Group at Lawrence Berkeley Laboratory.

4. Neither the name of the University nor of the Laboratory may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY

(17)

DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

1997-2003 Sony Computer Science Laboratories Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY SONY CSL AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SONY CSL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes the GeoPoint Database developed by Quova, Inc. and its contributors.

This product includes software developed by Ian Gulliver©_{2006, which is protected under the GNU General}

Public License, as published by the Free Software Foundation.

17 BIG-IP®_{Local Traffic Manager}®_{: Implementations}

(18)

(19)

Chapter

1

Configuring a Simple Intranet

• Overview: A simple intranet configuration

(20)

Overview: A simple intranet configuration

The simple intranet implementation is commonly found in a corporate intranet (see the following illustration). In this implementation, the BIG-IP®system performs load balancing for several different types of connection requests:

• HTTP connections to the company's intranet web site. The BIG-IP system load balances the two web servers that host the corporate intranet web site,Corporate.main.net.

• HTTP connections to Internet content. These are handled through a pair of cache servers that are also load balanced by the BIG-IP system.

• Non-HTTP connections to the Internet.

As the illustration shows, the non-intranet connections are handled by wildcard virtual servers; that is, servers with the IP address0.0.0.0. The wildcard virtual server that is handling traffic to the cache servers is port specific, specifying port80for HTTP requests. As a result, all HTTP requests not matching an IP address on the intranet are directed to the cache server. The wildcard virtual server handling non-HTTP requests is a default wildcard server. A default wildcard virtual server is one that uses only port0. This makes it a catch-all match for outgoing traffic that does not match any standard virtual server or any port-specific wildcard virtual server.

Task summary

To create this configuration, you need to complete these tasks.

Task list

Creating a pool

Creating a virtual server

(21)

Creating a pool

You can a create pool of servers that you group together to receive and process traffic, to efficiently distribute the load on your server resources.

1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.

2. Click Create.

The New Pool screen opens.

3. In the Name field, type a unique name for the pool.

4. In the Resources area of the screen, use the New Members setting to add the pool members. For example, in the illustration, the pool members for http_pool are 192.168.100.10:80 and192.168.100.11:80. The pool members for specificport_pool are 192.168.100.20:80 and 192.168.100.21:80.

5. Click Finished.

The load balancing pool appears in the Pools list.

Creating a virtual server

This task creates a destination IP address for application traffic. As part of this task, you must assign the relevant pool to the virtual server.

1. On the Main tab, click Local Traffic > Virtual Servers.

The Virtual Server List screen displays a list of existing virtual servers. 2. Click the Create button.

The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. In the Destination field, verify that the type of virtual server is Host, and in the Addressfield, type an IP address for the virtual server. For example, you can assign the IP address 192.168.200.30:80 to the virtual server that processes HTTP traffic. For load balancing connections to cache servers, you can assign the address 0.0.0.0:80 to the virtual server, making it a wildcard virtual server. To create a forwarding virtual server, you can assign the address 0.0.0.0:0.

5. In the Service Port field, type80, or select HTTP from the list.

6. In the Configuration area of the screen, locate the Type setting and select either Standard or Forwarding (IP).

7. From the HTTP Profile list, select an HTTP profile.

8. In the Resources area of the screen, from the Default Pool list, select a pool name. 9. Click Finished.

You now have a virtual server to use as a destination address for application traffic.

(22)

(23)

Chapter

2

Configuring ISP Load Balancing

• Overview: ISP load balancing

(24)

Overview: ISP load balancing

You might find that as your network grows, or network traffic increases, you require an additional connection to the Internet. You can use this configuration to add an Internet connection to your existing network. The following illustration shows a network configured with two Internet connections.

Illustration of ISP load balancing

Task summary for ISP load balancing

There are number of tasks you must perform to implement load balancing for ISPs.

Task list

Creating a load balancing pool

Creating a virtual server for inbound content server traffic Creating a virtual server for outbound traffic for routers Creating self IP addresses an external VLAN

Enabling SNAT automap for internal and external VLANs

Creating a load balancing pool

You can a create load balancing pool, which is a logical set of devices, such as web servers, that you group together to receive and process traffic, to efficiently distribute the load on your resources. Using this procedure, create one pool that load balances the content servers, and one pool to load balance the routers. 1. On the Main tab, click Local Traffic > Pools.

The Pool List screen opens. 2. Click Create.

3. In the Name field, type a unique name for the pool.

(25)

4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.

Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.

5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.

The default is Round Robin.

6. For the Priority Group Activation setting, select the way to handle priority groups: • Retain the default option, Disabled to disable priority groups.

• Select Less than, and type the minimum number of members in the Available Members field that must remain available in each priority group in order for traffic to remain confined to that group. 7. Using the New Members setting, add each resource that you want to include in the pool:

a) Either type an IP address in the Address field, or select a node address from the Node List. b) Type a port number in the Service Port field, or select a service name from the list. c) To specify a priority group, type a priority number in the Priority field.

d) Click Add.

8. Click Repeat and create another pool. 9. Click Finished.

The load balancing pools appear in the Pools list.

Creating a virtual server for inbound content server traffic

You must create a virtual server to load balance inbound connections. The default pool that you assign as a resource in this procedure is the pool of internal servers.

4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.

The IP address you type must be available and not in the loopback network.

5. Type a port number in the Service Port field, or select a service name from the Service Port list. 6. If the traffic to be load balanced is of a certain type, select the profile type that matches the connection

type.

To load balance HTTP traffic, locate the HTTP Profile setting and select http. 7. In the Resources area of the screen, from the Default Pool list, select a pool name. 8. Click Finished.

The virtual server is configured to load balance inbound connections to the servers.

(26)

Creating a virtual server for outbound traffic for routers

You must create a virtual server to load balance outbound connections. The default pool that you assign as a resource in this procedure is the pool of routers.

4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.

The IP address you type must be available and not in the loopback network. 5. In the Resources area of the screen, from the Default Pool list, select a pool name. 6. Click Finished.

The virtual server is configured to load balance outbound connections to the routers.

Creating self IP addresses an external VLAN

You must assign two self IP addresses to the external VLAN. 1. On the Main tab, click Network > Self IPs.

The Self IPs screen opens. 2. Click Create.

The New Self IP screen opens.

3. In the IP Address field, type an IP address.

This IP address should represent the network of the router.

The system accepts IP addresses in both the IPv4 and IPv6 formats. 4. In the Netmask field, type the network mask for the specified IP address. 5. Select External from the VLAN list.

6. Click Repeat.

This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.

The system accepts IP addresses in both the IPv4 and IPv6 formats. 8. Click Finished.

The screen refreshes, and displays the new self IP address in the list. The self IP address is assigned to the external VLAN.

Enabling SNAT automap for internal and external VLANs

You can configure SNAT automapping on the BIG-IP system for internal and external VLANs. 1. On the Main tab, click Local Traffic > SNATs.

(27)

The SNAT List screen displays a list of existing SNATs. 2. Click Create.

3. Name the new SNAT.

4. From the Translation list, select automap.

5. For the VLAN List setting, in the Available field, select external and external, and using the Move button, move the VLANs to the Selected field.

SNAT automapping on the BIG-IP system is configured for internal and external VLANs.

(28)

(29)

Chapter

3

Routing Based on XML Content

• Overview: XML content-based routing

(30)

Overview: XML content-based routing

You can use the BIG-IP®system to perform XML content-based routing whereby the system routes requests to an appropriate pool, pool member, or virtual server based on specific content in an XML document. For example, if your company transfers information in XML format, you could use this feature to examine the XML content with the intent to route the information to the appropriate department.

You configure content-based routing by creating an XML profile and associating it with a virtual server. In the XML profile, define the matching content to look for in the XML document. Next, specify how to route the traffic to a pool by writing simple iRules®. When the system discovers a match, it triggers an iRule event, and then you can configure the system to route traffic to a virtual server, a pool, or a node. You can allow multiple query matches, if needed.

This example shows a simple XML document that the system could use to perform content-based routing. It includes an element calledFinanceObjectused in this implementation.

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:eai="http://192.168.149.250/eai_enu/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"> <soapenv:Header/> <soapenv:Body> <eai:SiebelEmployeeDelete soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <FinanceObject xsi:type="xsd:string">Route to Financing</FinanceObject> <SiebelMessage xsi:type="ns:ListOfEmployeeInterfaceTopElmt" xmlns:ns="http://www.siebel.com/xml"> <ListOfEmployeeInterface xsi:type="ns:ListOfEmployeeInterface"> <SecretKey>123456789</SecretKey> <Employee>John</Employee> <Title>CEO</Title> </ListOfEmployeeInterface> </SiebelMessage> </eai:SiebelEmployeeDelete> </soapenv:Body> </soapenv:Envelope>

Task summary

You can perform tasks to enable XML content-based routing whereby the system routes requests to an appropriate pool, pool member, or virtual server based on specific content in an XML document.

Task list

Creating a custom XML profile Writing XPath queries

Creating a pool to manage HTTP traffic Creating an iRule

Viewing statistics about XML content-based routing

(31)

Creating a custom XML profile

To implement content-based routing, you first need to use the BIG-IP®Configuration utility to create an XML profile. XML profiles specify the content to look for in XML documents. In the XML profile, you define XPath queries to locate items in an XML document.

1. On the Main tab, click Local Traffic > Profiles > Services > XML. 2. On the New XML Profile screen, click Create.

3. In the Name field, type a unique name for the XML profile, such ascbr_xml_profile. 4. In the Settings area, select the Custom check box at right.

The Namespace Mappings and XPath Queries settings become available.

5. If you want to reference XML elements with namespaces in XPath queries, from Namespace Mappings, select Specify.

The screen displays the Namespace Mappings List settings. 6. Add namespaces to the list:

a) In the Prefix field, type the namespace prefix.

b) In the Namespace field, type the URL that the prefix maps to. c) Click Add to add the namespace to the Namespace Mappings List.

7. To define the matching criteria in the XML document, from XPath Queries, select Specify. The screen displays the XPath Queries settings.

8. Add XPath queries to the list:

a) In the XPath field, type an XPath expression.

For example, to look for an element calledFinanceObject, type//FinanceObject. b) Click Add to add the XPath expression to the XPath Queries list.

You can define up to three XPath queries. The expression is added to the list.

9. To allow each query to have multiple matches, select Multiple Query Matches. 10.Click Finished.

The system creates an XML profile.

Writing XPath queries

You can write up to three XPath queries to define the content that you are looking for in XML documents. When writing XPath queries, you use a subset of the XPath syntax described in the XML Path Language (XPath) standard athttp://www.w3.org/TR/xpath.

These are the rules for writing XPath queries for XML content-based routing. 1. Express the queries in abbreviated form.

2. Map all prefixes to namespaces. 3. Use only ASCII characters in queries.

4. Write queries to match elements and attributes.

5. Use wildcards as needed for elements and namespaces; for example,//emp:employee/*. 6. Do not use predicates in queries.

(32)

Syntax for XPath expressions

This table shows the syntax to use for XPath expressions.

Description Expression

Selects all child nodes of the named node. Nodename

Selects all attribute nodes of the named node. @Attname

Indicates XPath step. /

Selects nodes that match the selection no matter where they are in the document.

//

XPath query examples

This table shows examples of XPath queries.

Description Query

Selects the root elementa. /a

Selects allbelements wherever they appear in the document. //b

Selects any element in a namespace bound to prefixb, which is a child of the root elementa. /a/b:*

Selects elements in the namespace of elementc, which is bound to prefixb, and is a child of element a.

//a/b:c

Creating a pool to manage HTTP traffic

For implementing content-based routing, you can create one or more pools that contain the servers where you want the system to send the traffic. You write an iRule to route the traffic to the pool.

If you want to specify a default pool to which to send traffic when it does not match the content you are looking for, repeat the procedure to create a second pool. You specify the default pool in the virtual server. Alternatively, you can create a node or a virtual server to route traffic to instead of creating a pool. 1. On the Main tab, click Local Traffic > Pools.

The Pool List screen opens. 2. Click Create.

3. In the Name field, type a name for the pool, such asfinance_pool.

4. For the Health Monitors setting, from the Available list, select the http monitor, and click << to move the monitor to the Active list.

5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.

The default is Round Robin.

6. For the Priority Group Activation setting, select the way to handle priority groups: • Retain the default option, Disabled to disable priority groups.

• Select Less than, and type the minimum number of members in the Available Members field that must remain available in each priority group in order for traffic to remain confined to that group. 7. Using the New Members setting, add each resource that you want to include in the pool:

(33)

a) Type an IP address in the Address field, or select a node address from the Node List. b) Type80in the Service Port field, or select HTTP from the list.

c) (Optional) Type a priority number in the Priority field. d) Click Add.

The new pool appears in the Pools list.

Creating an iRule

You create iRules®to automate traffic forwarding for XML content-based routing. When a match occurs, an iRule event is triggered, and the iRule directs the individual request to a pool, a node, or virtual server. This implementation targets a pool.

1. On the Main tab, click Local Traffic > iRules. 2. Click Create.

3. In the Name field, type a 1- to 31-character name, such asXML_CBR_iRule.

4. In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax. For complete and detailed information iRules syntax, see the F5 Networks DevCentral web sitehttp://devcentral.f5.com.

Example of an iRule for XML content-based routing

This example shows an iRule that queries for an element calledFinanceObjectin XML content and if a match is found, an iRule event is triggered. The system populates the values of the Tcl variables

($XML::count,$XML::queries, and$XML::values). Then the system routes traffic to a pool called finance_pool.

when XML_CONTENT_BASED_ROUTING {

for {set i 0} { $i < $XML::count } {incr i} { log local0. $XML::queries($i)

log local0. $XML::values($i)

if {($XML::queries($i) contains "FinanceObject")} { pool finance_pool

} } }

Tcl variables in iRules for XML routing

This table lists and describes the Tcl variables in the sample iRule.

Description Tcl variable

Shows the number of matching queries.

$XML::count

Contains an array of the matching query names.

$XML::queries

Holds the values of the matching elements.

$XML::values

(34)

Viewing statistics about XML content-based routing

You can view statistics about XML content-based routing to make sure that the routing is working.

Note: The system first checks for a match, then checks for malformedness of XML content. So if the system

detects a match, it stops checking, and may not detect any subsequent parts of the document that are malformed.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic Statistics screen opens.

2. From the Statistics Type list, select Profiles Summary.

3. In the Global Profile Statistics area, for the Profile Type XML, click View in the Details.

The system displays information about the number of XML documents that were inspected, the number of documents that had zero to three matches, and the number of XML documents that were found to be malformed.

(35)

Chapter

4

Configuring an EtherIP Tunnel

• Overview: Preserving BIG-IP connections during live virtual machine migration

• Task summary

(36)

Overview: Preserving BIG-IP connections during live virtual machine

migration

In some network configurations, the BIG-IP®system is configured to send application traffic to destination servers that are implemented as VMware®virtual machines (VMs). These VMs can undergo live migration, using VMware vMotion™and an iSession™tunnel, across a wide area network (WAN) to a host in another data center.

To preserve any existing connections between the BIG-IP system and a virtual machine while the virtual machine migrates to another data center, you can create an EtherIP tunnel.

An EtherIP tunnel is an object that you create on each of two BIG-IP systems that sit on either side of a WAN. The EtherIP tunnel uses the industry-standard EtherIP protocol to tunnel Ethernet and IEEE 802.3 media access control (MAC) frames across an IP network. The two EtherIP tunnel objects together form a tunnel that logically connects two data centers. When the application traffic that flows between one of the BIG-IP systems and the VM is routed through the EtherIP tunnel, connections are preserved during and after the VM migration.

After you have configured the BIG-IP system to preserve connections to migrating VMs, you can create a Virtual Location monitor for the pool. A Virtual Location monitor ensures that the BIG-IP system sends connections to a local pool member rather than a remote pool one, when some of the pool members have migrated to a remote data center.

Tip: The BIG-IP system that is located on each end of an EtherIP tunnel can be part of a redundant system

configuration. Make sure that both units of any redundant system configuration reside on the same side of the tunnel.

Illustration of EtherIP tunneling in a vMotion environment

Task summary

Implement an EtherIP tunneling configuration to prevent the BIG-IP®system from dropping existing connections to migrating virtual machines in a vMotion environment. To set up this configuration, you must verify a few prerequisite tasks, as well as create some configuration objects on the BIG-IP system.

(37)

Important: Perform these tasks on the BIG-IP system in both the local data center and the remote data

center.

Prerequisites

Before you begin configuring EtherIP tunneling, verify that these BIG-IP objects and module exist on the BIG-IP system:

An iSession profile

This profile creates an iSession tunnel to optimize the live migration of virtual machine servers from one data center to another.

A load balancing pool

This pool represents a collection of virtual machines on a host server in the data center.

A standard TCP or UDP virtual server

This virtual server load balances application traffic and optimizes vMotion traffic. This virtual server must reference the iSession profile and the load balancing pool.

The default VLANs

These VLANs are namedexternalandinternal.

BIG-IP Global Traffic Manager™

This module directs traffic to the correct BIG-IP®Local Traffic Manager™virtual server.

Task list

Creating a VLAN

Creating an EtherIP profile Creating an EtherIP tunnel object Creating a VLAN group

Creating a self IP for a VLAN Creating a self IP for a VLAN group Creating a Virtual Location monitor

Syncing the BIG-IP configuration to the device group

Creating a VLAN

VLANs represent a collection of hosts that can share network resources, regardless of their physical location

on the network.

1. On the Main tab, click Network > VLANs. The VLAN List screen opens.

The New VLAN screen opens.

3. In the Name field, type a unique name for the VLAN.

Names can contain only letters, numbers, and the underscore character.

4. In the Tag field, type a numeric tag, from1to4094, for the VLAN. Leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.

The VLAN tag identifies the traffic from hosts in the associated VLAN.

5. For the Interfaces setting, in the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary.

(38)

6. From the Configuration list, select Advanced.

7. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated.

8. If you want to base redundant-system failover on VLAN-related events, check the Fail-safe box. 9. In the MTU field, retain the default number of bytes (1500).

10.Click Finished.

The screen refreshes, and displays the new VLAN in the list.

Creating an EtherIP profile

An EtherIP profile is a required component of an EtherIP tunnel in a vMotion™environment. An EtherIP

profile manages application traffic that traverses an EtherIP tunnel, for the purpose of preserving connections

when a virtual machine is migrating to another data center. You must perform this task using the Traffic Management shell (tmsh), a command-line utility.

1. On the BIG-IP®system, start a console session. 2. Type a user name and password, and press Enter. 3. At the system prompt, typetmsh, and press Enter.

This opens the Traffic Management shell (tmsh). 4. At the tmsh prompt, typenet tunnel, and press Enter.

5. Typecreate etherip etherip_profile_name, and press Enter. This command creates an EtherIP profile, assigning all of the default values. 6. Typesave / sys config, and press Enter.

7. To exit the Traffic Management shell (tmsh), typequit, and press Enter.

You now have an EtherIP profile that you can specify when you create an EtherIP tunnel object.

Creating an EtherIP tunnel object

Prerequisites: You must know the self IP address of the instance of the VLAN that exists, or will exist, on the BIG-IP®system in the other data center.

The purpose of an EtherIP tunnel that contains an EtherIP type of profile is to enable the BIG-IP system to preserve any current connections to a server that is migrating to another data center by way of vMotion™. You must perform this task using the Traffic Management shell (tmsh), a command-line utility.

1. On the BIG-IP system, start a console session. 2. Type a user name and password, and press Enter. 3. At the system prompt, typetmshand press Enter.

This opens the Traffic Management shell (tmsh). 4. Typenet tunnels, and press Enter.

5. Type the following command, and then press Enter:

Note that the self IP addresses that you specify are those that you create for the VLAN on both the local and the remote BIG-IP system.

create tunnel tunnel_name profile etherip local-address local_self_ip_address remote-address remote_self_ip_address

6. Typesave / sys config, and press Enter.

(39)

7. To exit the Traffic Management shell (tmsh), typequit, and press Enter. The BIG-IP system configuration now includes a tunnel object.

Creating a VLAN group

VLAN groups consolidate Layer 2 traffic from two or more separate VLANs. 1. On the Main tab, click Network > VLANs > VLAN Groups.

The VLAN Groups list screen opens. 2. Click Create.

The New VLAN Group screen opens.

3. In the General Properties area, in the VLAN Group field, type a unique name for the VLAN group. Names can contain only letters, numbers, and the underscore character.

4. For the VLANs setting, move the VLANs that you want to include in the group from the Available list to the Members list.

5. From the Transparency Mode list, select a transparency mode, or retain the default setting, Transparent.

The transparency mode determines the level of exposure of remote MAC addresses within the VLAN group traffic.

Purpose Mode

The MAC addresses of remote systems are exposed in Layer 2 traffic forwarding.

Transparent

Similar toTransparentmode, except the locally-unique bit is set in the MAC addresses of remote systems.

Translucent

The system uses proxy ARP with Layer 3 forwarding, so the MAC addresses of remote systems are not exposed.

Opaque

6. Select the Bridge All Traffic check box if you want the VLAN group to forward all frames, including non-IP traffic.

The default setting is disabled (not selected).

7. Leave the Bridge in Standby check box selected if you want the VLAN group to forward frames even when the system is the standby unit of a redundant system.

Creating a self IP for a VLAN

Ensure that you have at least one VLAN or VLAN group configured before you create a self IP address. Self IP addresses enable the BIG-IP®system, and other devices on the network, to route application traffic through the associated VLAN or VLAN group.

1. On the Main tab, click Network > Self IPs. The Self IPs screen opens.

3. In the Name field, type a unique name for the self IP.

(40)

Names can contain only letters, numbers, and the underscore character. 4. In the IP Address field, type an IP address.

This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.

The system accepts IP addresses in both the IPv4 and IPv6 formats. 5. In the Netmask field, type the network mask for the specified IP address.

6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address. If creating a self IP address for an address space:

• On the internal network, select the VLAN that is associated with an internal interface or trunk. • On the external network, select the VLAN that is associated with an external interface or trunk. 7. From the Port Lockdown list, select Allow Default.

The screen refreshes, and displays the new self IP address in the list.

The BIG-IP system can send and receive traffic through the specified VLAN or VLAN group.

Creating a self IP for a VLAN group

Ensure that you have at least one VLAN or VLAN group configured before you create a self IP address. After you have created the VLAN group, create a self IP address for the VLAN group. The self IP address for the VLAN group provides a route for packets destined for the network. With the BIG-IP®system, the path to an IP network is a VLAN. However, with the VLAN group feature used in this procedure, the path to the IP network10.0.0.0is actually through more than one VLAN. As IP routers are designed to have only one physical route to a network, a routing conflict can occur. The self IP address feature on the BIG-IP system allows you to resolve the routing conflict by associating a self IP address with the VLAN group. 1. On the Main tab, click Network > Self IPs.

The Self IPs screen opens. 2. Click Create.

This IP address should represent the address space of the VLAN group that you specify with the VLAN/Tunnel setting.

The system accepts IP addresses in both the IPv4 and IPv6 formats. 4. In the Netmask field, type the network mask for the specified IP address.

5. From the VLAN/Tunnel list, select the VLAN group with which to associate this self IP address. 6. From the Port Lockdown list, select Allow Default.

The screen refreshes, and displays the new self IP address in the list.

The BIG-IP system can send and receive traffic through the specified VLAN or VLAN group.

Creating a Virtual Location monitor

When the BIG-IP®system is directing application traffic to pool members that are implemented as virtual machines, you should configure a Virtual Location type of monitor on the BIG-IP system. A Virtual Location

(41)

monitor determines if a pool member is local to the data center or remote, and assigns a priority group to the pool member accordingly. The monitor assigns remote pool members a lower priority than local members, thus ensuring that the BIG-IP directs application requests to local pool members whenever possible. 1. On the Main tab, click Local Traffic > Monitors.

The Monitor List screen opens. 2. Click Create.

The New Monitor screen opens.

3. Typemy_virtual_location_monitorin the Name field. 4. From the Type list, select Virtual Location.

5. From the Configuration list, select Advanced.

6. Retain the default value (in seconds) of5in the Interval field. 7. Retain the default value ofDisabledin the Up Interval list. 8. Retain the default value (in seconds) of0in the Time Until Up field. 9. Retain the default value (in seconds) of16in the Timeout field.

10.Type the name of the pool that you created prior to configuring EtherIP tunneling in the Pool Name field.

11.Click Finished.

After configuring the Virtual Location monitor, the BIG-IP system assigns each member of the designated pool a priority group value to ensure that incoming connections are directed to a local pool member whenever possible.

F5 Networks recommends that you verify that BIG-IP®Global Traffic Manager™(GTM™) has automatically assigned a BIG-IP type of monitor to BIG-IP®Local Traffic Manager™(LTM®). A BIG-IP type of monitor can use the priority group assigned to each pool member to retrieve agtm_scorevalue.

Syncing the BIG-IP configuration to the device group

Prerequisite: Ensure that all devices targeted for config sync are members of a device group.

To ensure that the entire redundant system configuration operates properly within the device group, you must synchronize the BIG-IP®configuration data from the local device to all devices in the group.

Important: Perform the following procedure on one of the two devices.

Note: When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses

only. Static self IP addresses are not synchronized.

1. On the Main tab, click Device Management > Device Groups. This displays a list of existing device groups, if any.

2. In the Group Name column, click the name of the relevant device group. 3. On the menu bar, click Config Sync.

4. Click Synchronize TO Group.

Except for static self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group.

Task summary

Creating a Virtual Location monitor Task summary

(42)

Implementation results

After you configure EtherIP tunneling on the BIG-IP system, you must perform the same configuration procedure on the BIG-IP system in the remote data center to fully establish the EtherIP tunnel.

After the tunnel is established, the BIG-IP system preserves any open connections to migrating (or migrated) virtual machine servers.

(43)

Chapter

5

Configuring nPath Routing

• Overview: Layer 2 nPath routing

• About Layer 2 nPath routing configuration

• Guidelines for UDP timeouts

• Guidelines for TCP timeouts

(44)

Overview: Layer 2 nPath routing

With the Layer 2 nPath routing configuration, you can route outgoing server traffic around the BIG-IP® system directly to an outbound router. This method of traffic management increases outbound throughput because packets do not need to be transmitted to the BIG-IP system for translation and then forwarded to the next hop.

Note: The type of virtual server that processes the incoming traffic must be a transparent, non-translating

type of virtual server.

In bypassing the BIG-IP system on the return path, Layer 2 nPath routing departs significantly from a typical load-balancing configuration. In a typical load-balancing configuration, the destination address of the incoming packet is translated from that of the virtual server to that of the server being load balanced to, which then becomes the source address of the returning packet. A default route set to the BIG-IP system then sees to it that packets returning to the originating client return through the BIG-IP system, which translates the source address back to that of the virtual server. The nPath configuration differs from the typical load-balancing configuration, as illustrated in the following section.

Note: Do not attempt to use nPath routing for Layer 7 traffic. Certain traffic features do not work properly

if Layer 7 traffic bypasses the BIG-IP system on the return path.

About Layer 2 nPath routing configuration

The Layer 2 nPath routing configuration differs from the typical BIG-IP®load balancing configuration in the following ways: