Instructor Guide: Configuring BIG-IP LTM v12.1

F5 Networks Training

Configuring BIG-IP LTM v12

Local Traffic Manager

Instructor Guide

v12.1 – June, 2016

Configuring BIG-IP LTM v12

Instructor Guide

Ninth Printing; June, 2016

This manual was written for F5 solutions at the version listed on the front cover of this document. Some of the features discussed in this course were added with this version; but many of the concepts also apply to previous and subsequent versions.

© 2016, F5 Networks, Inc. All rights reserved.

Support and Contact Information

Obtaining Technical Support

Web: tech.f5.com (Ask F5)

Phone: (206) 272-6888

Email (support issues): [email protected]

Email (suggestions): [email protected]

Contacting F5 Networks

Web: www.f5.com

Email: [email protected] & [email protected]

F5 Networks, Inc., Corporate Office
401 Elliott Avenue West
Seattle, Washington 98119
T (888) 88BIG-IP
T (206) 272-5555
F (206) 272-5557
[email protected]

F5 Networks, Ltd., United Kingdom
Chertsey Gate West
Chertsey Surrey KT16 8AP
United Kingdom
T (44) 0 1932 582-000
F (44) 0 1932 582-001

F5 Networks, Inc., Asia Pacific
5 Temasek Boulevard
#08-01/02 Suntec Tower 5
Singapore, 038985
T (65) 6533-6103
F (65) 6533-6106

F5 Networks, Inc., Japan
Akasaka Garden City 19F
4-15-1 Akasaka, Minato-ku
Tokyo 107-0052 Japan
T (81) 3 5114-3200
F (81) 3 5114-3201

Legal Notices

Copyright

Copyright 2016, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks

AAM, Access Policy Manager, Advanced Client Authentication, Advanced Firewall Manager, Advanced Routing, AFM, APM, Application Acceleration Manager, Application Security Manager, AskF5, ASM, BIG-IP, BIG-IP EDGE GATEWAY, BIG-IQ, Cloud Extender, Cloud Manager, CloudFucious, Clustered Multiprocessing, CMP, COHESION, Data Manager, DDoS Frontline, DDoS SWAT, Defense.Net, defense.net [DESIGN], DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, ENGAGE, Enterprise Manager, F5, F5 [DESIGN], F5 Agility, F5 Certified [DESIGN], F5 Networks, F5 SalesXchange [DESIGN], F5 Synthesis, f5 Synthesis, F5 Synthesis [DESIGN], F5 TechXchange [DESIGN], Fast Application Proxy, Fast Cache, FCINCO, Global Traffic Manager, GTM, GUARDIAN, iApps, IBR, iCall, iControl, iHealth, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iQuery, iRules, iRules OnDemand, iSession, L7 Rate Shaping, LC, Link Controller, LineRate, LineRate Point, LineRate Precision, LineRate Systems [DESIGN], Local Traffic Manager, LROS, LTM, Message Security Manager, MobileSafe, MSM, OneConnect, Packet Velocity, PEM, Policy Enforcement Manager, Protocol Security Manager, PSM, Ready Defense, Real Traffic Policy Builder, SalesXchange, ScaleN, SDAS (except in Japan), SDC, Signalling Delivery Controller, Solutions for an application world, Software Designed Applications Services, Silverline, SSL Acceleration, SSL Everywhere, StrongBox, SuperVIP, SYN Check, SYNTHESIS, TCP Express, TDR, TechXchange, TMOS, TotALL, TDR, TMOS, Traffic Management Operating System, Traffix, Traffix [DESIGN], Transparent Data Reduction, UNITY, VAULT, vCMP, VE F5 [DESIGN], Versafe, Versafe [DESIGN], VIPRION, Virtual Clustered Multiprocessing, WebSafe, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners.

Materials

The material reproduced on this manual, including but not limited to graphics, text, pictures, photographs, layout and the like ("Content"), are protected by United States Copyright law. Absolutely no Content from this manual may be copied, reproduced, exchanged, published, sold or distributed without the prior written consent of F5 Networks, Inc

Patents

This product may be protected by one or more patents indicated at:

Table of Contents

Chapter 1: Course Description
  Course Overview
  Audience
  Course Objectives
  Prerequisites
  Additional Documentation and Resources
  Course Outline

Chapter 2: Print Version and Organizational Changes

Chapter 3: Classroom Setup Instructions
  Accessing the Instructor Site on F5 University
  Accessing the ATC Support Site on F5 University
  Classroom Network Configuration
  Logical Networks
  F5 Classroom Network Diagram
  Instructor BIG-IP System IP Addresses
  Student Workstation IP Addresses
  Back-end Application Servers IP Addresses
  Training Server 3.4 Routing Considerations
  Setting Up the Instructor BIG-IP System (LTM17)
  Overview
  Setup Steps
  Sample Script to Set LTM17 as Default Internet Gateway
  LTM17 Configuration Object Use by Course
  Setting Up the Back-End Servers
  Setting Up Training Server 3.4
  DNS Zones on Training Server 3.4
  Setting Up Hack-It 2.0 Server
  Setting Up dc.f5trn.com Server
  Setting Up the Student Workstations
  Student Workstation Tool Usage
  Configuring

Chapter 1: Course Description

Course Overview

Description

This three-day course gives network professionals a functional understanding of BIG-IP Local Traffic Manager, introducing students to both commonly used and advanced BIG-IP LTM features and functionality. Incorporating lecture, extensive hands-on labs, and classroom discussion, the course helps students build the well-rounded skill set needed to manage BIG-IP LTM systems as part of a flexible and high performance application delivery network.

Topics covered in this course include:

BIG-IP initial setup (licensing, provisioning, and network configuration)

A review of BIG-IP local traffic configuration objects

Using dynamic load balancing methods

Modifying traffic behavior with persistence (including SSL, SIP, universal, and destination address affinity persistence)

Monitoring application health with Layer 3, Layer 4, and Layer 7 monitors (including transparent, scripted, and external monitors)

Processing traffic with virtual servers (including network, forwarding, and reject virtual servers)

Processing traffic with SNATs (including SNAT pools and SNATs as listeners)

Configuring high availability (including active/standby and N+1 sync failover device groups, connection and persistence mirroring, and sync-only device groups)

Modifying traffic behavior with profiles (including advanced HTTP profile options, caching, compression, and OneConnect profiles)

Advanced BIG-IP LTM configuration options (including VLAN tagging and trunking, SNMP features, packet filters)

Deploying application services with iApps

Customizing application delivery with iRules and local traffic policies

By the end of this course, the student should be able to use both the Configuration utility, TMSH, and Linux commands to configure and manage BIG-IP LTM systems in an application delivery network. In addition, students should be able to monitor the BIG-IP system to achieve operational efficiency, and establish and maintain high availability infrastructure for critical business applications.

Audience

This course is intended for system and network administrators responsible for installation, setup, configuration, and administration of the

Course Objectives

At the end of this course, the student will be able to:

Access the BIG-IP system to configure the management interface

Activate the BIG-IP system for operation, including licensing, provisioning, and optional device certificate installation

Use the Setup utility to create the classroom lab environment network configuration

Back up the BIG-IP system configuration for safekeeping

Configure virtual servers, pools, monitors, profiles, and persistence objects

Test and verify application delivery through the BIG-IP system using local traffic statistics

Configure priority group activation on a load balancing pool to allow servers to be activated only as needed to process traffic

Compare and contrast member-based and node-based dynamic load balancing methods

Configure connection limits to place a threshold on traffic volume to particular pool members and nodes

Differentiate between SSL, SIP, universal, and destination address affinity persistence, and describe use cases for each

Describe the three Match Across Services persistence options and use cases for each

Configure health monitors to appropriately monitor application delivery through a BIG-IP system

Configure different types of virtual services to support different types of traffic processing through a BIG-IP system

Configure different types of SNATs to support routing of traffic through a BIG-IP system

Establish device trust and configure an active/standby pair in support of high availability

Configure and manage a sync-failover device group with more than two members

Configure stateful failover using connection mirroring and persistence mirroring

Configure VLAN tagging and trunking

Restrict administrative and application traffic through the BIG-IP system using packet filters, port lockdown, and virtual server settings

Configure SNMP alerts and traps in support of remote monitoring of the BIG-IP system

Configure the BIG-IP system to act as a gateway between IPv4 and IPv6 networks

Use an F5-supplied iApp template to deploy and manage a website application service

Develop a simple iApp template

Use iRules and local traffic policies appropriately to customize application delivery through the BIG-IP system

Chapter 1 - Setting Up the BIG-IP System 1-11

Configuring BIG-IP LTM v12 1-11

BIG-IP System Setup Labs

The BIG-IP System Setup Labs are divided into several sections. Your instructor will tell you which lab to start with:

Lab 1.1 – Configure the Management Port

Lab 1.2 – Activate the BIG-IP System and Configure the Network

Lab 1.3 – Test Administrative Access

Lab 1.4 – Archive the Configuration

Estimated Time for Completion: 35 minutes

Lab Preparation Tasks

Verify workstation IP addresses are properly configured

Check your workstation’s network settings to ensure that it is configured with two IP addresses:

192.168.X.30/16 and 10.10.X.30/16. This will allow you to access the BIG-IP system through both the management network and external self IP, as well as access the applications you configure it to deliver.

For all labs, when an “X” is listed in lab instruction steps, please substitute your lab station number instead. For example, for lab station 1, the IP address shown as 192.168.X.31 in the lab instructions would be entered as 192.168.1.31 when carrying out the instruction. A password specified as “rootX” in the instructions would be entered as root1.

If lab instructions do not provide a value for a particular configuration parameter, accept whatever the default is for that parameter.

Lab 1.1 – Configure the Management Port

(Optional for BIG-IP VE Classrooms)

Lab Objectives

Configure an IP address and network mask for the BIG-IP management port to provide administrative access to the BIG-IP system from the student’s workstation

Lab Requirements

For classrooms with BIG-IP hardware devices, serial console access to the BIG-IP system or physical access to the BIG-IP device if using the LCD option. This lab can be skipped if the management port is already configured, as is often the case in BIG-IP VE classroom environments.

Configure the Management Port

Your instructor will tell you which method you will use to configure your BIG-IP system’s management port, or if you will bypass this lab altogether (e.g. if your management port is already configured):

Lab 1.1A: Configure the Management Port via a Serial Console (pages 1-13 thru 1-14)

Lab 1.1B: Configure the Management Port via the LCD Panel (page 1-15)

If your management port is already configured, please skip to Lab 1.2, which begins on page 1-16.

Lab 1.1A: Configure the Management Port via a Serial Console

Access the serial console

1. Gain access to the BIG-IP system’s serial port

a. For classes using serial cables, connect a null-modem cable between the BIG-IP device and a terminal with VT-100 emulation. The serial settings should be N-8-1 at 19,200 bps.

b. For classes using serial terminal emulators, open an SSH session using PuTTY (or other SSH client) to the serial console IP address provided by your instructor. This should connect you to the serial port of your BIG-IP system. You may need to log into the console server before logging into the BIG-IP system in the next step. Your instructor will provide credentials, if necessary.

2. When prompted to log into the BIG-IP system, enter root for the username and default for the password.

3. At the Linux bash prompt (e.g. config #), enter the command: config

4. Start the utility by clicking the OK button.

Select manual configuration of the IP address

5. On the Configure IP Address panel, ensure the No option is highlighted (to bypass automatic configuration of the IP address) and press the <Enter> key. (If the No option is not already highlighted, use the <Tab> key to tab to it before pressing the <Enter> key.)

This lab requires serial console access to your BIG-IP system (not available in BIG-IP VE classroom environments).

Use the <Tab> key to tab between fields and options in the config tool. Use the <Backspace> and/or <Delete> keys to remove field content. Use the <Enter> key to select an option (such as “OK” or “Next”). You can also select an option by moving the mouse cursor over a particular option (such as “OK” or “Next”) and clicking.

Set the IP address to 192.168.X.31

6. On the Configure IP Address panel, use the <Backspace>, <Delete>, and/or arrow keys to change the IP address to 192.168.X.31, where “X” is your station number. After changing the IP address, press the <Tab> key to highlight the OK option, then press the <Enter> key to continue.

Set the netmask to 255.255.0.0

7. On the Configure Netmask panel, set the netmask to 255.255.0.0, press the <Tab> key to highlight the OK option, then press the <Enter> key to continue.

Set no default route

8. When prompted to create a default route for the management port, select the No option and press the <Enter> key to continue. In our classroom environment, no default route is required.

Confirm the management port configuration

9. On the Confirm Configuration panel, ensure that your settings are correct, as shown in the table below, then select the Yes option and press the <Enter> key to complete the configuration. If the options are not correct, select the No option and rerun the config command.

IP Address: 192.168.X.31

Netmask: 255.255.0.0

Unless otherwise instructed, please skip forward to Lab 1.2: Activate the BIG-IP System and Configure the Network on page 1-16.

Lab 1.1B: Configure the Management Port via the LCD Panel (Optional)

This lab can only be carried out if your classroom environment includes BIG-IP hardware devices. All steps are done using the buttons to the right of the LCD display on the front of the BIG-IP device itself. The arrow buttons are used for navigation. The checkmark button is used to make a selection or to save a setting.

10. Press the red X button to start the configuration process.

11. Using the up/down arrows, navigate to the System menu and press the green check mark button to select it.

12. Navigate to the Management menu and press the green check mark button to select it.

13. Navigate to the IP Address menu and select it.

14. Navigate to the IP Address field and select it.

15. Using the up and down arrow keys to increment/decrement the values in each octet, enter the IP address as 192.168.X.31 where “X” is your station number. Press the green check mark button to save your setting.

16. Navigate to the Netmask field and select it.

17. Enter the netmask as 255.255.0.0 and save your setting.

18. Use the down arrow to navigate to the Commit menu and select it. When you see the OK menu blinking, click the green checkmark button.

This optional lab can only be performed on BIG-IP hardware devices.

Continue with Lab 1.2: Activate the BIG-IP System and Configure the Network

Lab 1.2 – Activate the BIG-IP System and Configure the Network

Lab Objectives

Ensure the BIG-IP system:

Is properly licensed and provisioned

Has a valid host name, and updated root and admin user credentials

Has the VLANs and Self IPs that are used in support of the classroom lab environment

Is prepared for high availability

Lab Requirements

Access to the BIG-IP system’s base registration key

Access to the Internet or to the BIG-IP system’s license file

Network access to the BIG-IP system’s management port on the 192.168/16 network

Access the Configuration utility via the MGMT Port

Start the Setup utility

1. Open a browser session to https://192.168.X.31 where “X” is your station number. BIG-IP ships with a self-signed SSL certificate. Accept the certificate (not permanently, if using Firefox) and log in with username admin and password admin.

2. Click the Next button to start the Setup utility.

Upon connecting to your BIG-IP system, you should be directed to the Setup utility. Please let your instructor know if you are not placed directly into the Setup utility.

If your BIG-IP system is already licensed, a “Reactivate” button and a “Next” button will appear at the bottom of the License page. If this is the case, click the “Next” button and skip forward in this lab to Provision Your BIG-IP System. Otherwise, continue with the next step.

License the BIG-IP system

4. Manually activate your BIG-IP license at the F5 License Server:

a. Ensure there is already a value present in the Base Registration Key field on the Setup » License page. If the field is blank, please ask your instructor for assistance in locating the proper registration key to use with your BIG-IP system.

b. In the Activation Method setting, select the Manual radio button.

c. In the Manual Method setting, select the Download/Upload File radio button.

d. In the Step 1: Dossier area, click the button that reads Click Here to Download Dossier File. If prompted where to save the dossier, select your desktop. Note where the dossier was downloaded, as you will need it to generate a license.

e. In Step 2: Licensing Server, click the link that reads Click here to access F5 licensing server to open a new browser window to the F5 license server.

f. On the F5 License Server, click the Activate License link.

g. Click the Choose File button to the right of the Select your dossier file prompt. Locate the dossier you downloaded in step 4d, and upload it to the F5 License Server.

h. Click the Next button on the F5 License Server to generate a license from the dossier. (You may be prompted to accept the terms of the F5 License Agreement.)

i. On the resulting page, click the Download license button to download the generated license to your workstation. If prompted where to save the license, select your desktop. Note where the license was downloaded, as you will need it to complete activation.

j. Back on your BIG-IP system, on the Setup » License page, click the Choose File button to the right of the Step 3: License field. Locate the license you downloaded in step 4i, and upload it to your BIG-IP system.

k. Click the Next button on the BIG-IP system to complete license activation.

l. Your BIG-IP system will take a few moments to verify the license activation. Wait for the verification to complete successfully, and click the Continue button to return to the next step in the Setup utility.

If you have Internet access from your classroom workstation, follow the instructions in step 4. If you do not have Internet access from your classroom workstation, follow the instructions in step 5.

5. Manually activate your BIG-IP license using an existing license file.

a. Ensure there is already a value present in the Base Registration Key field on the Setup » License page. If the field is blank, please ask your instructor for assistance in locating the proper registration key to use with your BIG-IP system.

b. In the Activation Method setting, select the Manual radio button.

c. In the Manual Method setting, check the Download/Upload File radio button.

d. In the Step 1: Dossier area, click the button that reads Click Here to Download Dossier File. If prompted where to save the dossier, select your desktop.

Normally at this point, you would access the F5 License Server and upload the dossier you just downloaded to generate a license. This has already been done for you in this classroom environment. Please ask your instructor for assistance if you do not know where the appropriate license file for your BIG-IP system is located.

e. In the Step 3: License area, click the button that reads Choose File. Navigate to the license file you identified earlier, and upload it to your BIG-IP system.

f. Click the Next button on the BIG-IP system to complete license activation.

g. Your BIG-IP system will take a few moments to verify the license activation. Wait for the verification to complete successfully, and click the Continue button to return to the next step in the Setup utility.

Your instructor will let you know where to find the license file for your BIG-IP system. Make sure this file is available to you before carrying out step 5 below. Please skip to step 6 if you licensed your BIG-IP system in step 4.

Provision Your BIG-IP System

6. On theResource Provisioning page of the Setup utility, provision your BIG-IP system, as shown in the table below.

Setup utility

Setup Utility » Resource Provisioning Current Resource A llocation section

Management (MGMT) Small Local Traffic (LTM) Nominal When complete, click… Next (or Submit)

Accept the BIG-IP Self-Signed Device Certificate

7. After provisioning is complete, you should be taken to the Device Certificates page in the Setup utility. We will be using the BIG-IP system’s self-signed certificate in class. Note t he expiration date for the certificate. (If the certificate is expired, please notify the instructor.) Click theNext  button to continue the Setup utility.

Your BIG-IP may produce a warning message that certain system

daemons may restart or the system may reboot, causing your session to

wait for anywhere up to several minutes. This is normal behavior when

changing provisioning settings. Click the OK button to continue.


Configure Platform General Properties and User Administration

8. Configure host name, time zone, and administrative access usernames/passwords. Remember to substitute your station number for “X.” Some fields may already contain the correct values. Where specific information is not provided in the instructions below, accept the defaults on your BIG-IP system.

Setup utility

Setup Utility » Platform
General Properties section
Management Port Configuration | Manual
Management Port | IP Address[/prefix]: 192.168.X.31; Network Mask: 255.255.0.0
Host Name | bigipX.f5trn.com
Host IP Address | Use Management Port IP Address
Time Zone | Set to your classroom’s local time zone
User Administration section
Root Account | Disable login: Unchecked; Password: rootX; Confirm: rootX
Admin Account | Password: adminX; Confirm: adminX
When complete, click… | Next, then OK

9. Log back in to BIG-IP as user admin with password adminX. You should be taken directly to the Setup Utility » Network page.

You are changing the passwords for the root and admin accounts, not creating new accounts. Since you are currently logged in using the admin account, you will need to log back in again with your new password.


Configure the Classroom Network

10. Continue the Setup utility by performing a Standard Network Configuration. Click the Next button under the Standard Network Configuration heading.

Configure Redundant Device Wizard options

11. Set Redundant Device Wizard Options to prompt for ConfigSync settings and High Availability options.

Setup utility
Setup Utility » Redundancy
Redundant Device Wizard Options section
ConfigSync | Check the box for Display configuration synchronization options
High Availability | Check the box for Display failover and mirroring options; select Network for Failover Method
When complete, click… | Next

Configure Self IPs and VLANs

12. Configure VLAN internal and its self IPs, interface, and default port lockdown settings.

Setup utility
Setup Utility » VLANs
Internal Network Configuration section
Self IP | Address: 172.16.X.31; Netmask: 255.255.0.0; Port Lockdown: Allow Default
Floating IP | Address: 172.16.X.33; Port Lockdown: Allow Default
Internal VLAN Configuration section
Interfaces | VLAN Interfaces: Select 1.2; Tagging: Select Untagged; click the Add button
When complete, click… | Next


13. Configure VLAN external and its self IPs, interface, and port lockdown settings.

Setup utility
Setup Utility » VLANs
External Network Configuration section
External VLAN | Click the Create VLAN external radio button
Self IP | Address: 10.10.X.31; Netmask: 255.255.0.0; Port Lockdown: Allow None
Default Gateway | Leave blank
Floating IP | Address: 10.10.X.33; Port Lockdown: Allow None
External VLAN Configuration section
Interfaces | Interfaces: Select 1.1; Tagging: Select Untagged; click the Add button
When complete, click… | Next

14. Configure the high availability network to use the existing VLAN named internal.

Setup utility
Setup Utility » VLANs
High Availability Network Configuration section
High Availability VLAN | Click the Select existing VLAN radio button; select VLAN internal
When complete, click… | Next

Configure Network Time Protocol

15. If NTP servers are needed in your course, they will be configured in a later lab. Leave this page with its default settings, and click the Next button to continue.

Configure Domain Name Server

16. If DNS settings are required in your course, they will be configured in a later lab. Leave this page with its default settings, and click the Next button to continue.


Configure ConfigSync

17. Configure ConfigSync on the non-floating self IP for VLAN internal, the VLAN we’re using for high availability (HA).

Setup utility
Setup Utility » ConfigSync
ConfigSync Configuration section
Local Address | 172.16.X.31 (internal)
When complete, click… | Next

Configure Failover Unicast and Failover Multicast settings

18. Use the default settings for Failover Unicast Configuration and Failover Multicast Configuration, as shown below:

Setup utility

Setup Utility » Failover
Failover Unicast Configuration section
Local Address | Port | VLAN
172.16.X.31 | 1026 | internal
192.168.X.31 | 1026 | Management Address
Failover Multicast Configuration section
Use Failover Multicast Address | Unchecked (Disabled)
When complete, click… | Next

Mirroring configuration

19. Use the default primary and secondary local mirror address settings for Mirroring Configuration, as shown below:

Setup utility
Setup Utility » Mirroring
Mirroring Configuration section
Primary Local Mirror Address | 172.16.X.31 (internal)
Secondary Local Mirror Address | None


Finish the Setup Utility

You have now completed configuring the network interfaces that are used in support of the basic classroom environment. If your course requires additional HA configuration, it will be performed in a later lab.

20. Click the Finished button under the Advanced Device Management Configuration heading. You should be taken to the Welcome page, and there should be a message at the top of the page indicating Setup Utility Complete.

Classroom Network Configuration Diagram

Figure 6: Conceptual representation of your classroom environment after lab completion


Lab 1.3 – Test Administrative Access

Lab Objectives

Ensure that your BIG-IP network settings are correct

Customize administrative access to the BIG-IP system by allowing SSH and HTTPS traffic directly to the self IPs for VLAN external

Lab Requirements

Access to a BIG-IP system that has completed the initial setup process, including management port configuration, licensing, provisioning, device certificate setup, and standard network configuration.

Test Administrative Access to the BIG-IP System

Test SSH (port 22) access to the management port

21. Using PuTTY, open an SSH session to the management port at 192.168.X.31. Make sure the protocol is set to SSH (port 22) before connecting. Log in as root with password rootX.

Test HTTPS (port 443) access to VLAN external’s self IPs

22. Try to open a browser session to https://10.10.X.31. Were you able to connect?

Your browser connection in the previous step should fail, as the self IP is currently protected via Port Lockdown. When using the Setup utility to create VLAN external, the BIG-IP system allows no access to VLAN external’s self IPs by default (“Allow None”). This is a change in behavior from previous versions where the Port Lockdown setting for VLAN


23. Navigate to Network » Self IPs » 10.10.X.31 and reconfigure the self IP address 10.10.X.31 to also allow access via port 443.

Configuration utility
Network » Self IPs » 10.10.X.31
Configuration section
Port Lockdown | Select Allow Custom
Custom List | Select the TCP and Port radio buttons; enter 443 in the field that appears to the right of Port; click the Add button
When finished… | Click Update

24. Try to open a browser session to https://10.10.X.31 again. This time you should be successful. Accept the site’s certificate, if and when prompted about the validity of the certificate. If using Firefox, do not create a permanent exception. (Uncheck the permanent exception box.)

25. Log in as user admin with password adminX.

26. Try to open a browser window to https://10.10.X.33, the floating self IP on VLAN external. If you were unsuccessful, fix the problem using the same method as you did in an earlier step.

Test SSH (port 22) access to VLAN external’s non-floating self IP

27. Using PuTTY, try to open an SSH session to 10.10.X.31. Were you able to connect? Why or why not? If you were unable to connect, allow SSH access to 10.10.X.31 using the same method as in an earlier step, and test.

Configure command line access for the admin user

28. On your PuTTY session to 10.10.X.31, attempt to log in with the admin user credentials (admin / adminX). Were you successful?

Your attempt to log in to the command line interface as the admin user in the previous step should fail. By default, the admin user does not have command line access.


29. Navigate to System » Users and update the admin user settings to permit access to the command line interface, but only to TMSH.

Configuration utility
System » Users : User List, then click on user admin
Account Properties section
Terminal Access | tmsh
When finished, click… | Update

30. Open an SSH session to 10.10.X.31 or to 192.168.X.31 and test logging in with the admin user credentials again.

Check root user access to the Configuration utility

31. Open a browser window to https://10.10.X.31 or https://192.168.X.31 and attempt to log in as the root user. Were you successful?

When changing terminal access for the admin user (the user you are currently logged in as), you may have to log back in to the Configuration utility again.

Your attempt to log in to the Configuration utility as user “root” should fail. User “root” does not have access to the BIG-IP system’s administrative Configuration utility, only to the command line. This cannot be changed.


Lab 1.4 – Archive the Configuration

Lab Objectives

Create a UCS archive of the BIG-IP system configuration.

Create a UCS Archive of Your Configuration

32. Open a browser window to https://10.10.X.31 or https://192.168.X.31 and create a backup of your current configuration.

Configuration utility
System » Archives, then click Create
General Properties section
File Name | trainX_base.ucs
When complete, click… | Finished, then click OK when the archive is complete

33. Download your new UCS backup to your workstation hard drive for possible use in a later lab.

Configuration utility
System » Archives, then click trainX_base.ucs
General Properties section
Archive File | Click Download: trainX_base.ucs, then save to the desktop of your management PC, if prompted.


Chapter 2 - Reviewing Local Traffic Configuration 2-43


Lab 2.1 – Configure for Application Delivery using the Configuration Utility

Lab Objectives

Use the Configuration utility to create the configuration objects that will be used to deliver two applications (one HTTP, the other HTTPS) through the BIG-IP system

Estimated time for completion: 30 minutes

Lab Requirements

BIG-IP base setup configuration

Use the Configuration Utility to Create Local Traffic Objects

Create an HTTP monitor

Create a custom HTTP monitor that will check the health of the HTTP application you will be deploying later. Use the specifications in the table below:

Name | Type | Settings
configltm_http_monitor | HTTP | Send String: GET /index.php\r\n; Receive String: Server [1-3]

Remember to substitute your station number for the letter “X.” For example, 10.10.X.100 becomes 10.10.4.100 if you are working at station 4.


Create pools

Define the load balancing pool whose members serve the HTTP application content. Use the specifications in the table below:

Name | Load Balancing Method | Members (Ratio) | Monitor
http_pool | Ratio (member) | 172.16.20.1:80 (1), 172.16.20.2:80 (2), 172.16.20.3:80 (3) | configltm_http_monitor

Define the load balancing pool whose members serve the HTTPS content for our application. Use the specifications in the table below:

Name | Load Balancing Method | Members
https_pool | Round Robin | 172.16.20.1:443, 172.16.20.2:443, 172.16.20.3:443

Create a source address affinity persistence profile

Create a source address affinity persistence profile that will be used on the virtual server that delivers the HTTPS application. Use the specifications in the table below. (The Timeout setting is deliberately low so that you can observe persistence records expiring more quickly):

Name | Persistence Type | Parent Profile | Custom Settings
configltm_src_persist | Source Address Affinity | source_addr | Timeout: 30 seconds; Prefix Length: Specify IPv4 and 16

Create virtual servers

Use the specifications in the table below to create the virtual server that will deliver the HTTP application:

Name | Destination Address:Port | Default Pool
http_vs | 10.10.X.100:80 | http_pool

Use the specifications in the table below to create the virtual server that will deliver the HTTPS application.

Name | Destination Address:Port | Default Pool | Default Persistence Profile


Test Application Delivery and View Traffic Statistics

Observe traffic distribution patterns with ratio (member) load balancing

Open a browser session to the HTTP application (http_vs) at http://10.10.X.100. Hard-refresh (Ctrl+F5) the page 5-10 times.

On your BIG-IP system, view Local Traffic Statistics for the virtual server and pool. (Statistics » Module Statistics : Local Traffic, then select Pool and Virtual Servers for Statistics Type.)

a. How many connections total to http_vs?

b. How many connections total to http_pool (as a whole)?

c. How many connections to each pool member in http_pool?

d. Are the connections being load balanced to the pool members as you expected?

Reset statistics for the virtual server and pool. Change the ratio on each member in http_pool as shown in the table below:

Pool Member | Ratio
172.16.20.1:80 | 4
172.16.20.2:80 | 4
172.16.20.3:80 | 1

Back on your browser session with http://10.10.X.100, hard-refresh the page 5-10 times again. View the statistics for pool http_pool again and confirm that connections are being load balanced according to the new ratios.

Observe traffic distribution with round robin load balancing and persistence

Open a browser session to the HTTPS application (https_vs) at https://10.10.X.100. Hard-refresh (Ctrl+F5) the page 5-10 times.

a. Do you have a secure connection?

b. Are all your connections being load balanced? Why or why not?

View the persistence records for your BIG-IP system from the command line, and determine which pool member you are persisting to:

tmsh show ltm persistence persist-records

a. When the persistence record expires, refresh the browser session again. Are you persisting to the same pool member?

b. View local traffic statistics for https_pool to confirm your observations.

Have another student in the classroom (or the instructor) access your HTTPS application (https_vs) at https://10.10.X.100.

a. Are they able to reach your virtual server? If not, think about the default routes on the back-end servers and adjust the configuration on http_vs so that they can access your

b. Once they can access your virtual server, are they persisting to the same pool member as you? Why or why not?

Remove persistence and retest

Remove persistence from https_vs.

Back on your browser session to https://10.10.X.100, hard-refresh the page several times. View local traffic statistics on your BIG-IP system again to see how connections were distributed to the pool members.

Expected Results

When you first tested the HTTP application through virtual server http_vs and its associated pool http_pool, and viewed local traffic statistics, you should have seen connections distributed to all pool members with a ratio of nearly 1:2:3 for the pool members at 172.16.20.1, 172.16.20.2, and 172.16.20.3 respectively. After changing each member’s ratio, and retesting, the connections should have been distributed with a ratio of nearly 4:4:1.

When you first tested the HTTPS application through virtual server https_vs and its associated pool https_pool, you should have seen one load balancing decision made. Subsequent connections from your workstation (and the other student’s workstation) should have been directed to the same pool member as the result of the source address affinity persistence profile attached to the virtual server. You should have seen persistence information similar to the following:

Sys::Persistent Connections

source-address 10.10.0.0 10.10.4.100:443 172.16.20.3:443 (tmm: 0)

Total records returned: 1

After waiting 30 seconds for the persistence record to expire, you should have seen another load balancing decision being made, followed by the creation of a new persistence record.

Also, the other student could not access your application until you added source address translation, such as Auto Map, to the virtual server’s configuration. Once added, that student’s connections to your virtual server should have persisted to the same pool member as you, due to the persistence mask - 10.10.0.0.
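The persistence behavior described in these expected results, as an added Python model that is not part of the F5 guide: client addresses are masked to the profile's 16-bit prefix before lookup, so every 10.10.x.x client shares one record until that record has been idle for the 30-second timeout. The class and method names are hypothetical, the client addresses are constructed, and refreshing the idle timer on each matching connection is a modeling assumption.

```python
"""Model of source address affinity persistence with a prefix length (illustrative only)."""
import ipaddress
from itertools import cycle

# Pool members from the lab's https_pool table.
HTTPS_POOL = ["172.16.20.1:443", "172.16.20.2:443", "172.16.20.3:443"]


class SourceAffinity:
    """Round robin load balancing with masked source-address persistence."""

    def __init__(self, members, prefix_len=16, timeout=30):
        self._round_robin = cycle(members)   # next load balancing decision
        self.prefix_len = prefix_len          # "Prefix Length: IPv4 and 16"
        self.timeout = timeout                # "Timeout: 30 seconds"
        self.records = {}                     # masked address -> (member, last_used)

    def key(self, client_ip):
        """Mask the client address; 10.10.4.30 and 10.10.17.30 both give 10.10.0.0."""
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return str(net.network_address)

    def select(self, client_ip, now):
        """Return the pool member for a new connection arriving at time `now` (seconds)."""
        k = self.key(client_ip)
        record = self.records.get(k)
        if record is not None and now - record[1] < self.timeout:
            member = record[0]                 # live record: no load balancing decision
        else:
            member = next(self._round_robin)   # missing or expired: decide again
        self.records[k] = (member, now)        # assumption: each use refreshes the timer
        return member


def lab_walkthrough():
    """Replay the lab: you, another student in the same /16, then an expiry."""
    lb = SourceAffinity(HTTPS_POOL)
    return [
        lb.select("10.10.4.30", now=0),    # first connection: load balancing decision
        lb.select("10.10.4.30", now=5),    # refresh: persists
        lb.select("10.10.17.30", now=10),  # other student, same 10.10.0.0 record
        lb.select("10.10.4.30", now=45),   # idle 35 s > 30 s: new decision
    ]


if __name__ == "__main__":
    for member in lab_walkthrough():
        print(member)
```

A coarse prefix such as 16 trades distribution for stickiness: every client behind the same masked network lands on one member for as long as any of them keeps the record alive.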


Lab 2.2 – Configure for Application Delivery using TMSH

Lab Objectives

Use TMSH to create a virtual server and associated pool and monitor to deliver an SSH application through the BIG-IP system

Use TMSH to create and assign a monitor to an existing pool

Estimated time for completion: 30 minutes

Lab Requirements

BIG-IP base setup configuration

Lab Overview

In this lab, you will use TMSH to configure the BIG-IP system for delivery of an SSH application, and verify traffic by viewing statistics from the command line. Remember to use the TMSH command completion feature and TMSH help to determine command syntax.

Use TMSH to Create Local Traffic Objects

Create a pool and view its configuration

Use TMSH to define a load balancing pool whose members serve the SSH application content. (A command hint is shown below the table.)

Name | Load Balancing Method | Members
ssh_pool | Round Robin | 172.16.20.1:22, 172.16.20.2:22, 172.16.20.3:22

(tmos)# create /ltm pool ssh_pool load-balancing-mode round-robin members add { 172.16.20.1:22 172.16.20.2:22 172.16.20.3:22 }

View the pool in the running configuration:

list /ltm pool ssh_pool

Save the running configuration to the stored configuration:

save sys config

View bigip.conf. (Try both commands below. To terminate the “more” command, type “q”.) Do you see configuration data for ssh_pool? Why or why not?

more /config/bigip.conf

grep "ssh_pool" /config/bigip.conf

Create a virtual server and view its configuration

Use TMSH to create a virtual server that will deliver the SSH application.

Name | Destination Address:Port | Default Pool | Profiles
ssh_vs | 10.10.X.100:22 | ssh_pool | tcp

(tmos)# create /ltm virtual ssh_vs destination 10.10.X.100:22 pool ssh_pool profiles add { tcp }

View the virtual server in the running configuration:

list /ltm virtual ssh_vs

Exit TMSH to return to the Linux bash prompt.

View bigip.conf again. Do you see configuration data for ssh_vs? Why or why not?

Save the running configuration to the stored configuration.

Verify ssh_vs is now in the stored configuration.

View general stored configuration data

In viewing /config/bigip.conf, what types of configuration objects do you find stored here?

View /config/bigip_base.conf. What types of configuration objects are stored here?

View /config/bigip_user.conf. What types of configuration objects are stored here?

View /config/bigip.license. What is the service check date for your BIG-IP system?

Test Application Delivery and View Traffic Statistics

Connect to the virtual server and view statistics

Open a separate SSH session (PuTTY, etc.) to ssh_vs at 10.10.X.100:22, and log in with user ID student and password student. Were you able to connect and log in?

On your BIG-IP system, use TMSH to view statistics and determine the pool member you load balanced to:

View local traffic statistics for the virtual server:

tmsh show /ltm pool ssh_pool

tmsh show /ltm virtual ssh_vs

a. Compare Bits In and Bits Out for the virtual server (client-side) with Bits In and Bits Out on the pool member you load balanced to (server-side). How do they compare?

Terminate and reestablish your connection to 10.10.X.100:22. Which pool member did you load balance to this time?

Show the BIG-IP connection table entries for all server-side server connections to port 22.

tmsh show sys connection ss-server-port 22

a. Do you see your connection?

b. More importantly, do you see source and destination IP addresses and ports for both the client-side and server-side connections? What are the values?

c. How long has the connection been open and idle? (Look at the value to the right of the tcp string in the connection table entry.)

On your SSH session to virtual server ssh_vs, list the directory you are currently in:

ls -l

Back on your BIG-IP system, view the connection table entries again. Was the idle time indicator updated?

Archive the Configuration

Use TMSH to save a UCS backup of your current configuration in the /shared/tmp directory:

tmsh save sys ucs /shared/tmp/trainX_module2b.ucs

Can you see the UCS you just created from the Configuration utility? Why or why not?

Use TMSH to restore the UCS archive you took at the beginning of the class:

tmsh load sys ucs trainX_base.ucs

Now all of the configuration objects you created in this lab should be gone. Confirm this by examining the bigip.conf file and looking for ssh_vs and ssh_pool.

Restore the configuration you created earlier named trainX_module2b.ucs. (Remember that it’s in the /shared/tmp directory.)


Expected Results and Troubleshooting

After you initially created ssh_vs, its configuration could not be found in bigip.conf. Changes made using TMSH affect only the running configuration. You had to manually save the running configuration to the stored configuration in order to view the entry for ssh_vs in bigip.conf. This behavior is different from the Configuration utility, where changes are recorded to both the running configuration and the stored configuration immediately upon finishing.

bigip.conf contains application traffic processing objects such as virtual servers, pools, monitors, and profiles, from the last time the running configuration was saved to the stored configuration.

bigip_base.conf contains network and system-related objects such as VLANs, self IPs, device groups, and platform information, from the last time the running configuration was saved to the stored configuration.

bigip_user.conf contains user names and passwords for all users configured on the BIG-IP system from the last time the running configuration was saved to the stored configuration.

bigip.license contains the license information for your BIG-IP system. The service check date will vary depending on the last time the system’s dossier was submitted to the F5 License Server for activation.

UCS archives are only visible to the Configuration utility if they are located in /var/local/ucs. Therefore, the UCS you saved in /shared/tmp is not visible from the Configuration utility.


Chapter 3 - Load Balancing Traffic with LTM 3-15


Lab 3.1 – Test Priority Group Activation

Lab Objectives

Configure priority group activation on a pool and view load balancing behavior with statistics

Estimated time for completion: 15 minutes

Lab Requirements

BIG-IP base setup configuration

http_pool (as configured at the end of the previous chapter)

http_vs (as configured at the end of the previous chapter)

Test Priority Group Activation

Configure priority group activation on http_pool

Reset the statistics for http_pool.

Modify pool http_pool and, on the Members tab, set Priority Group Activation to Less than… 2 Available Member(s).

Modify the members in pool http_pool according to the specifications in the table below:

Member | Ratio | Priority Group
172.16.20.1:80 | 1 | 0
172.16.20.2:80 | 2 | 4
172.16.20.3:80 | 3 | 4

Test the effects of priority group activation

Open a new browser session, connect to http://10.10.X.100, and hard-refresh the screen 5-10 times.

View the statistics for http_pool.

a. Which pool members processed traffic?

b. How were the connections distributed between the pool members?

Reset the statistics for http_pool.

Disable pool member 172.16.20.2:80 in http_pool.

Back on your browser session to http://10.10.X.100, hard-refresh the screen 5-10 times.

View the statistics for http_pool again. What are the results now and why?


Test the effects of persistence with priority group activation

Disable pool member 172.16.20.3:80 in pool http_pool to ensure you will load balance and persist to pool member 172.16.20.1:80.

Assign the F5-supplied Source Address Affinity persistence profile called source_addr to http_vs.

Back on your browser session to http://10.10.X.100, hard-refresh the screen several times and ensure you are persisting to pool member 172.16.20.1:80. View persistence records to confirm.

Enable pool members 172.16.20.2:80 and 172.16.20.3:80 in http_pool.

Back on your browser session to http://10.10.X.100, hard-refresh the screen several times. Are you still persisting to pool member 172.16.20.1:80, even though its priority group is no longer activated (because the higher priority group now contains 2 members again)? View persistence records to confirm.

Clean up

Remove persistence from http_vs.

Expected results and troubleshooting

With priority group activation set to less than 2 members and all pool members enabled, 172.16.20.1:80 should receive no traffic. Traffic is distributed to members 172.16.20.2 and 172.16.20.3 in a 2:3 ratio. With priority group activation set to less than 2 members and pool member 172.16.20.2:80 disabled, the next lower priority group (0) is activated. Traffic is then distributed to members 172.16.20.1 and 172.16.20.3 in a 1:3 ratio.

When you added a source address affinity persistence profile to http_vs, and forced your connections to load balance and persist to the pool member in the lowest priority group (172.16.20.1:80), even after re-enabling the other two members and once again having two members available in the pool, you still persisted to 172.16.20.1:80, and would continue to do so until the persistence record expires.


Lab 3.2 – Test Ratio (node) Load Balancing

Lab Objectives

Compare the effects of a member-based load balancing method with those of a node-based load balancing method

Estimated time for completion: 10 minutes

Lab Requirements

BIG-IP base setup configuration

http_pool (as configured at the end of the previous lab)

http_vs (as configured at the end of the previous lab)

Configure Ratio (node) Load Balancing

Reset the statistics for http_pool.

Change the load balancing method for pool http_pool from Ratio (member) to Ratio (node).

Change the ratio of node 172.16.20.3 to 5.

Open a new browser session and connect to http://10.10.X.100, and hard-refresh the screen 5-10 times.

View pool statistics for http_pool. What are the results and how do they compare to the results with Ratio (member) load balancing?

Expected Results and Troubleshooting

Since priority group activation is still configured on http_pool, only two pool members need be active in order to meet the minimum. Members 172.16.20.2:80 and 172.16.20.3:80 are in the highest priority group, and are the only members the BIG-IP system load balances connections across. However, even though pool member 172.16.20.2:80 has a ratio of 2, and pool member 172.16.20.3:80 has a ratio of 3, the BIG-IP system ignores these ratios and uses the ones that are configured on the associated nodes instead. Node 172.16.20.3 has a ratio of 5, compared to node 172.16.20.2, which has a ratio of 1. Therefore, the pool member at 172.16.20.3:80 receives about 5 times as many connections as the pool member at 172.16.20.2:80.

Continue with Lab 3.3: Test the Effect of Connection Limits on Priority Group Activation


Lab 3.3 - Test the Effect of Connection Limits on Priority Group Activation

Lab Objectives

Force a connection limit condition to cause a lower priority group of members to be temporarily activated

Estimated time for completion: 10 minutes

Lab Requirements

BIG-IP base setup configuration

http_pool (as configured at the end of the previous lab)

http_vs (as configured at the end of the previous lab)

Configure and Test Connection Limits

Confirm traffic behavior before connection limits

Reset the statistics for http_pool.

Open a browser session to http_vs at http://10.10.X.100 and hard-refresh the screen multiple times and very rapidly by holding the Ctrl-F5 keys down continuously for several seconds.

Refresh and view the statistics for http_pool:

a. Did pool member 172.16.20.1:80 process any connections?

b. What was the maximum number of concurrent connections processed by pool members 172.16.20.2:80 and 172.16.20.3:80?

Configure a connection limit on one pool member in priority group 4

Reset the statistics for http_pool.

Change the Connection Limit for pool member 172.16.20.3:80 in http_pool to 3.

On your browser session to http_vs at http://10.10.X.100, hard-refresh the screen rapidly again by holding the Ctrl-F5 keys down continuously for several seconds.

Refresh and view statistics for pool http_pool.

a. How were the connections distributed across the pool members?

b. What was the maximum number of connections on pool member 172.16.20.3:80? Is this what you expected?


Clean Up

Change the load balancing method on pool http_pool to Round Robin and disable priority group activation.

Set the Connection Limit for pool member 172.16.20.3:80 in http_pool to 0.

Set Priority Group to 0 and Ratio to 1 for all pool members in http_pool.

Expected Results

Before setting a connection limit on pool member 172.16.20.3:80, traffic was load balanced only across the two members in priority group 4: 172.16.20.2:80 and 172.16.20.3:80. The maximum number of concurrent connections to pool member 172.16.20.3:80 will vary, but should have been well over 3.

After setting the connection limit to 3 on pool member 172.16.20.3:80, traffic was load balanced across all pool members, as this pool member would have reached its maximum number of connections periodically, triggering activation of priority group 0, of which 172.16.20.1:80 is a member. After activation, the BIG-IP system load balanced traffic across all three pool members until the number of connections on 172.16.20.3:80 went below 3. When viewing statistics for http_pool, the maximum number of concurrent connections to 172.16.20.3:80 should have been 3. The maximum number of concurrent connections to the other pool members will vary.
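A simplified model of the member selection observed in Labs 3.1 and 3.3, added here as an illustration and not taken from the F5 guide or from BIG-IP code. It assumes that a disabled member, or one at its connection limit, does not count toward the "Less than 2 Available Member(s)" threshold; all class and function names are hypothetical.

```python
"""Simplified model of priority group activation with ratios and connection limits."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Member:
    name: str
    ratio: int            # ratio in effect (member or node ratio, per the pool's method)
    priority: int         # higher number = higher priority group
    enabled: bool = True
    conn_limit: int = 0   # 0 means no limit, as in the lab's clean-up step
    connections: int = 0  # current concurrent connections

    def available(self):
        """True if the member can accept a new connection."""
        if not self.enabled:
            return False
        return self.conn_limit == 0 or self.connections < self.conn_limit


def active_members(pool, min_available):
    """Members eligible for the next load balancing decision.

    Groups are activated from the highest priority downward until at least
    min_available members are available. min_available == 0 models priority
    group activation being disabled.
    """
    usable = [m for m in pool if m.available()]
    if min_available == 0:
        return usable
    active = []
    for prio in sorted({m.priority for m in usable}, reverse=True):
        active.extend(m for m in usable if m.priority == prio)
        if len(active) >= min_available:
            break
    return active


def expected_shares(pool, min_available):
    """Long-run share of new connections per eligible member under ratio balancing."""
    active = active_members(pool, min_available)
    total = sum(m.ratio for m in active)
    return {m.name: Fraction(m.ratio, total) for m in active}


def lab_pool():
    """http_pool as configured in Lab 3.1 (member ratios 1, 2, 3; groups 0, 4, 4)."""
    return [
        Member("172.16.20.1:80", ratio=1, priority=0),
        Member("172.16.20.2:80", ratio=2, priority=4),
        Member("172.16.20.3:80", ratio=3, priority=4),
    ]


if __name__ == "__main__":
    pool = lab_pool()
    print("all enabled:", expected_shares(pool, 2))
    pool[1].enabled = False
    print("172.16.20.2:80 disabled:", expected_shares(pool, 2))

    pool = lab_pool()
    pool[2].conn_limit = 3
    for conns in (2, 3):
        pool[2].connections = conns
        names = [m.name for m in active_members(pool, 2)]
        print(f"172.16.20.3:80 at {conns} connections ->", names)
```

In this model the lower priority group is eligible only for the instants when 172.16.20.3:80 sits at its limit, which is why 172.16.20.1:80 shows connections in the statistics only after the limit is configured.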


Chapter 4 - Modifying Traffic Behavior with Persistence 4-19


Lab 4.1 – Implement Universal Persistence

Lab Objectives

Configure a virtual server with universal persistence using an iRule and confirm traffic behavior using statistics

Estimated time for completion: 10 minutes

Lab Requirements

BIG-IP base setup configuration

http_pool (as configured at the end of the previous chapter) http_vs (as configured at the end of the previous chapter)

Configure and Test Universal Persistence

You can use the following command to view persistence records throughout this lab. tmsh show /ltm persistence persist-records all-properties

Confirm traffic behavior before universal persistence

1. Open a browser session to http_vs at http://10.10.X.100, and hard-refresh the screen several times.

a. Confirm via local traffic statistics that your connections are load balancing across all members of http_pool.


Create an iRule to persist on a query parameter in the HTTP URI

2. Create a new iRule named user_persist_irule that will persist on the value of the user query parameter in the HTTP URI, if present, using the code in the table below. (Note that there are spaces between “user=”, the number 5, and the “&”):

Definition

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "user=" } {
            persist uie [ findstr [HTTP::uri] "user=" 5 "&" ]
        }
    }

Create a universal persistence profile

3. Create a new universal persistence profile using the specifications in the table below. (The Timeout setting is deliberately low so that you can observe persistence records expiring more quickly.):

Configuration utility: Local Traffic » Profiles : Persistence, then click Create

General Properties section:
    Name: configltm_universal_persist
    Persistence Type: Universal
    Parent Profile: Universal

Configuration section:
    iRule: user_persist_irule
    Timeout: Specify… 30 seconds

When complete, click… Finished

Assign the profile to the virtual server

4. Assign configltm_universal_persist to virtual server http_vs. (Hint: If an error occurs, you can use the F5-supplied profile called http.)

Confirm traffic behavior after universal persistence

5. Reset the statistics for http_pool.

6. Open a browser session to http://10.10.X.100?user=abc&pw=123, and hard-refresh the screen several times.


7. View persistence records again. Which pool member are you persisting to? What is the persistence matching criteria (persistence value) shown in the persistence record?

8. Check the statistics records for http_pool. Is all traffic being load balanced to the same pool member?

9. Which element(s) of the page are persisting? Why?

10. In your browser’s address bar, change the user= query string from abc to something else and hard-refresh the screen several times.

11. View persistence records again. Which pool member are you persisting to now? What is the persistence matching criteria shown in the persistence record now?


Expected results

The page you are connecting to at http://10.10.X.100 is composed of a number of elements. The first connection request is for the default page, and includes the user= and pw= query parameters in the HTTP URI. This request is load balanced according to the load balancing method for pool http_pool. The server that processed the request is displayed in the “HTML from Server X” line on the page, as shown in Figure 9 below. The HTML references many other page elements, including .jpg, .png, and .css files.

Each of these generated additional connections, none of which contained the user= parameter. Therefore, they did not match the persistence record created on the initial connection, and were load balanced, as shown in the traffic statistics. The only element of the page that persists is the HTML itself, and the “HTML from Server X” message should remain constant as long as you are persisting.

Figure 9: The only element on the page that persists is the HTML, as it was requested with the user= query parameter, which is what the persistence criteria is generated from
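The expected results above can be reproduced offline. The following Python model is an added example, not part of the F5 course material: it mirrors the findstr call in user_persist_irule and a persistence table with the lab's 30-second timeout. The sample request list, the plain round-robin selection, the idle-time reading of the timeout and the handling of an empty key are assumptions of this example.

```python
from itertools import cycle

def findstr(string, search, skip=0, terminator=None):
    """Model of iRule findstr: text after the first match of `search`,
    offset by `skip`, cut at `terminator` (or end of string)."""
    start = string.find(search)
    if start < 0:
        return ""
    rest = string[start + skip:]
    if terminator is not None and terminator in rest:
        rest = rest[:rest.index(terminator)]
    return rest

def persist_key(uri):
    """Value user_persist_irule passes to `persist uie`, or None if the
    `contains "user="` test fails and the request is simply load balanced."""
    if "user=" not in uri:
        return None
    return findstr(uri, "user=", 5, "&")

def simulate(requests, members, timeout=30):
    """Replay (time, uri) pairs; returns [(uri, key, member)].
    Assumptions of this model: plain round robin, timeout counted as idle
    time since the record was last used, empty key creates no record."""
    rr, table, out = cycle(members), {}, []
    for now, uri in requests:
        key = persist_key(uri)
        record = table.get(key) if key else None
        if record and now - record[1] <= timeout:
            member = record[0]            # persistence record still valid
        else:
            member = next(rr)             # no record (or expired): load balance
        if key:
            table[key] = (member, now)    # create or refresh the record
        out.append((uri, key, member))
    return out

MEMBERS = ["172.16.20.1:80", "172.16.20.2:80", "172.16.20.3:80"]
# Constructed sample traffic: (seconds, URI). Paths other than "/" are made up.
SAMPLE = [(0, "/?user=abc&pw=123"), (0, "/images/logo.png"), (0, "/css/style.css"),
          (5, "/?user=abc&pw=123"), (5, "/images/logo.png"),
          (6, "/?user=xyz&pw=123"), (50, "/?user=abc&pw=123")]

if __name__ == "__main__":
    for uri, key, member in simulate(SAMPLE, MEMBERS):
        print(f"{uri:22} key={key!s:5} -> {member}")
```

In this model persist_key also returns a key for a URI such as /?poweruser=bob&x=1, because both the contains test and findstr match user= anywhere in the URI, not only as a complete parameter name.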
