F5

= Interfaces =

eth0 - the management interface. Syslog sent by the BIG-IP itself leaves through this interface by default.
 * Control Plane

tmm interfaces - the TMM (Traffic Management Microkernel) interfaces, usually bundled in a trunk. High Speed Logging (HSL) is emitted by TMM, so HSL traffic uses these interfaces rather than eth0.
 * Data Plane

- Self IP vs. floating IP: health-monitor traffic is sourced from the unit's own (non-floating) self IP, while application traffic that BIG-IP sources itself (SNAT automap) uses the floating IP, which is only active on the active unit of an HA pair. When taking a pcap of application traffic, filter on the floating IP; a capture on the self IP (or with no filter) also contains all the monitor traffic.

= F5 Training =


 * LTM: how BIG-IP processes traffic


 * Node - the IP address of a server.
 * Pool member - an IP address plus a port number, i.e. the application service on a server to which BIG-IP forwards traffic. A pool is a group of pool members.
 * Virtual server - a virtual IP address plus a port, also known as a listener. A virtual server is associated with a pool and therefore with that pool's members.

Load balancing methods

 * Static - Round Robin, Ratio
 * Dynamic (mnemonic LFOPD) - Least Connections, Fastest, Observed, Predictive, Dynamic Ratio


 * Details:


 * Least Connections - distributes by each member's current connection count; members with equal counts are picked round robin.
 * Fastest - distributes by the number of Layer 7 requests still outstanding on each member; the member with the fewest pending requests wins.
 * Observed - a ratio method in which BIG-IP assigns the ratios itself: it tracks each member's connection count and periodically recalculates the ratios, giving members with fewer connections a higher ratio.
 * Predictive - like Observed, but the ratios are adjusted more aggressively, based on the trend of each member's average connection count.


 * Load balancing by pool member or by node:
 * Priority group activation - lets you configure backup sets for existing pool members. BIG-IP uses the members with the highest priority first and only activates lower-priority members when fewer than the configured number of higher-priority members are available.
 * Fallback host - HTTP only (a setting of the HTTP profile). If no pool member is available, BIG-IP answers the client request with an HTTP redirect to the fallback host.

Monitors

 * Check the status of nodes and pool members. If a pool member does not respond, or does not respond within the monitor's timeout, BIG-IP marks it down and stops sending it new requests.


 * Monitor types:


 * Address check - BIG-IP sends an ICMP echo request (e.g. the gateway_icmp monitor) and waits for the reply; if none arrives it marks the node down and sends no further traffic to it.
 * Service check - connects to the TCP port the server should be listening on; no response marks the member down.
 * Content check - verifies that the server answers with the expected content; e.g. the http monitor sends a "GET /..." request and looks for a configured receive string in the response.
 * Interactive check - e.g. the FTP monitor: it opens the connection, sends username and password, requests a file, and closes the connection once the file has been received.


 * F5 recommends timeout = 3n+1, where n is the monitor interval (frequency), e.g. interval 5 s and timeout 16 s for an http monitor: a member is marked down one second after its third consecutive unanswered probe, so a single lost probe does not take it out of service.
 * Monitors can be customized (send string, receive string, interval, timeout).
 * Monitors are assigned to nodes and to pool members.
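To make the 3n+1 rule concrete, here is an added example (not from the page and not F5 code) that simulates the monitor's up/down decision in POSIX shell: a probe is sent every interval seconds, a member is marked down once timeout seconds have passed without an answered probe, and it is marked up again by the next answered probe. The probe results are a constructed list (1 = answered, 0 = unanswered), the member is assumed up at t=0, and the simplified timing (answers arrive immediately, the decision is evaluated every second) is an assumption of the model; function names are hypothetical.

```shell
#!/bin/sh
# Added example: simulate BIG-IP monitor timing (simplified model, not F5 code).

# f5_monitor_timeout INTERVAL -> F5's recommended timeout, 3 * interval + 1
f5_monitor_timeout() {
    echo $(( 3 * $1 + 1 ))
}

# f5_monitor_sim INTERVAL TIMEOUT DURATION "RESULTS"
#   RESULTS: one constructed probe result per interval, 1 = answered, 0 = unanswered
#   (probes beyond the end of the list count as unanswered).
#   Prints the second at which the member was first marked down, or "never".
f5_monitor_sim() {
    interval=$1; timeout=$2; duration=$3
    set -- $4
    now=0; last_ok=0; state=up; down_at=never
    while [ "$now" -le "$duration" ]; do
        if [ $(( now % interval )) -eq 0 ]; then
            # a probe goes out now; consume its result
            r=${1:-0}
            [ $# -gt 0 ] && shift
            if [ "$r" = 1 ]; then
                last_ok=$now
                state=up            # an answered probe brings a down member back up
            fi
        fi
        # marked down once the timeout has elapsed since the last answered probe
        if [ "$state" = up ] && [ $(( now - last_ok )) -ge "$timeout" ]; then
            state=down
            [ "$down_at" = never ] && down_at=$now
        fi
        now=$(( now + 1 ))
    done
    echo "$down_at"
}

# Walk-through with interval 5 s: the probe at t=0 is answered, the next ones vary.
f5_monitor_demo() {
    i=5
    t=$(f5_monitor_timeout "$i")
    echo "interval=$i recommended timeout=$t"
    echo "timeout=$t, three misses: down at $(f5_monitor_sim "$i" "$t" 30 '1 0 0 0 1 1 1') s"
    echo "timeout=$t, two misses:   down at $(f5_monitor_sim "$i" "$t" 30 '1 0 0 1 1 1 1')"
    echo "timeout=10, two misses:   down at $(f5_monitor_sim "$i" 10 30 '1 0 0 1 1 1 1') s (timeout too short)"
}
f5_monitor_demo
```

With interval 5 and timeout 16 the member survives the unanswered probes at 5, 10 and 15 s and goes down at 16 s; with timeout 10 (less than 3n+1) it is already down at 10 s, so one dropped probe plus the next one being in flight is enough to pull it out of the pool.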

Profiles

 * A profile defines how a virtual server handles traffic.
 * Profiles contain the settings for how traffic is processed through a virtual server. If BIG-IP load balances each connection of an application independently, a returning client may land on a different server and its application session breaks; a persistence profile avoids this by sending the returning client's requests to the same server.


 * Persistence profile - configured for a client or a group of clients, it defines how BIG-IP recognises a returning client so that its requests go to the same pool member; persistence is tracked by source IP address or by an HTTP cookie.


 * SSL termination (see the SSL profile below)


 * FTP profile


 * Every virtual server has a Layer 4 protocol profile: TCP, UDP or FastL4.


 * Profile types - service profiles, persistence profiles, protocol profiles, SSL profiles, authentication profiles, other profiles.

Persistence Types

 * Source address persistence: tracks the client's source IP address; the administrator can set a netmask on the persistence record so that all clients within the same mask are assigned to the same pool member.


 * Limitation - clients behind NAT share one source address, so they all land on the same pool member (a wide netmask makes this worse).


 * Cookie persistence - HTTP only.


 * Three modes: insert, rewrite and passive.

Insert mode - BIG-IP adds its own cookie to the HTTP response to the client; by default it is named BIGipServer<pool name> and, unless cookie encryption is enabled in the profile, its value encodes the pool member's address and port. Rewrite mode - the pool member sets a blank cookie and BIG-IP rewrites it with its own value. Passive mode - the pool member sets the special cookie itself and BIG-IP passes it through unchanged.
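The insert-mode cookie deserves a closer look, because by default it discloses which server sits behind the virtual server: the value is <ip>.<port>.0000, where the IPv4 address is written as a 32-bit little-endian decimal integer and the port as a 16-bit integer with its two bytes swapped. The following added example (not from the page and not F5 code) encodes and decodes that format in POSIX shell and parses a Set-Cookie header. The header is constructed here for the lab's CentOS backend 192.168.122.98:80 and the pool name web_pool is hypothetical.

```shell
#!/bin/sh
# Added example: encode/decode the default (unencrypted) BIGipServer persistence cookie.

# bigip_cookie_decode VALUE -> "IP:PORT", VALUE like 1677787402.36895.0000
bigip_cookie_decode() {
    ip_dec=${1%%.*}
    rest=${1#*.}
    port_dec=${rest%%.*}
    # the 32-bit address is little-endian: the lowest byte is the first octet
    o1=$(( ip_dec & 255 ))
    o2=$(( (ip_dec >> 8) & 255 ))
    o3=$(( (ip_dec >> 16) & 255 ))
    o4=$(( (ip_dec >> 24) & 255 ))
    # the 16-bit port is stored with its bytes swapped
    port=$(( ((port_dec & 255) << 8) | ((port_dec >> 8) & 255) ))
    echo "$o1.$o2.$o3.$o4:$port"
}

# bigip_cookie_encode IP PORT -> the value BIG-IP inserts for that pool member
bigip_cookie_encode() {
    ip=$1; port=$2
    o1=${ip%%.*}; ip=${ip#*.}
    o2=${ip%%.*}; ip=${ip#*.}
    o3=${ip%%.*}; o4=${ip#*.}
    ip_dec=$(( (o4 << 24) | (o3 << 16) | (o2 << 8) | o1 ))
    port_dec=$(( ((port & 255) << 8) | ((port >> 8) & 255) ))
    echo "$ip_dec.$port_dec.0000"
}

# bigip_cookie_from_header "Set-Cookie: BIGipServer<pool>=<value>; ..." -> "<pool> IP:PORT"
bigip_cookie_from_header() {
    pool=$(printf '%s\n' "$1" | sed -n 's/.*BIGipServer\([^=]*\)=.*/\1/p')
    value=$(printf '%s\n' "$1" | sed -n 's/.*BIGipServer[^=]*=\([0-9.]*\).*/\1/p')
    [ -n "$pool" ] && [ -n "$value" ] || return 1
    echo "$pool $(bigip_cookie_decode "$value")"
}

# Constructed sample: what a client sees from the lab VIP in front of 192.168.122.98:80
SAMPLE_HEADER="Set-Cookie: BIGipServerweb_pool=$(bigip_cookie_encode 192.168.122.98 80); path=/; HttpOnly"
echo "$SAMPLE_HEADER"
bigip_cookie_from_header "$SAMPLE_HEADER"
```

Anyone who receives the cookie can recover the pool name and the internal address and port of the member; if that matters, turn on cookie encryption in the cookie persistence profile (the cookie then carries an encrypted value instead of this encoding) and keep the HttpOnly and Secure attributes on the cookie.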

SSL Profile

 * SSL is Secure Sockets Layer (the profile handles its successor, TLS, as well).
 * A website served over HTTPS needs an SSL profile: the traffic is encrypted end to end, so BIG-IP cannot look at the HTTP content, or persist on it, unless it terminates the client's SSL/TLS session.
 * With SSL termination BIG-IP decrypts the traffic and then assigns it to a pool member.
 * Hardware BIG-IP platforms contain SSL acceleration hardware, so encryption and key exchange are offloaded to it, and certificates are managed centrally on the BIG-IP. A Virtual Edition, as deployed below, does the cryptography in software.

iRule

 * An iRule is a script that directs traffic as it passes through BIG-IP; it is written in F5's Tcl-based iRule language.
 * iRules give control over inbound and outbound traffic on the BIG-IP.
 * An iRule consists of: the iRule name, one or more events (when ...), conditions (if ...) and actions.

= Deploy F5 in KVM =

[10.170.131.132:8443] -> [Mgmt 192.168.122.109:8443]
[10.170.131.132:443]  -> [VIP 192.168.122.110:443] -> [CentOS 192.168.122.98:80]

 * Download the image from the F5 portal and move it into the libvirt image directory:

sudo mv BIGIP-16.1.3-0.0.12.qcow2 /var/lib/libvirt/images/

 * Install an Ubuntu Server VM (network install, serial console only):

sudo virt-install --name ubuntu-trusty --ram 256 --disk path=/var/kvm/images/trusty.img,size=3 --vcpus 1 \
    --os-type linux --os-variant ubuntutrusty --graphics none --console pty,target_type=serial \
    --location 'http://fr.archive.ubuntu.com/ubuntu/dists/trusty/main/installer-amd64/' \
    --extra-args 'console=ttyS0,115200n8 serial'

 * Install the CentOS server VM (the back-end web server; the same command is repeated with more RAM under "Install CentOS" below):

sudo virt-install --name=CentOS --description="CentOS WebServer" \
    --disk path=/var/lib/libvirt/images/CentOS-7-x86_64-GenericCloud.qcow2,bus=virtio,format=qcow2 \
    --disk path=/var/lib/libvirt/images/CentOS-7-x86_64-GenericCloud.DATASTOR.ALL.qcow2,size=8,bus=virtio,format=qcow2 \
    --network=bridge=virbr0,model=virtio --graphics none --console pty,target_type=serial \
    --vcpus=1 --cpu host --ram=1024 --os-type=linux --os-variant=rhel6 --import --autostart --noautoconsole

 * Install the F5 VM. The three virtio NICs on virbr0 become the management interface plus two TMM interfaces. Note that the VNC server (password admin123) listens on 0.0.0.0 and the serial console is exposed as unauthenticated telnet on host port 2223, which hands out the appliance's login prompt; outside a throwaway lab bind both to 127.0.0.1 or firewall them.

sudo virt-install \
    --name=F5-BIGIP \
    --description="BIG-IP Local Traffic Manager (LTM) Virtual Edition (VE)" \
    --disk path=/var/lib/libvirt/images/BIGIP-16.1.3-0.0.12.qcow2,bus=virtio,format=qcow2 \
    --disk path=/var/lib/libvirt/images/BIGIP-16.1.3-0.0.12.DATASTOR.ALL.qcow2,size=8,bus=virtio,format=qcow2 \
    --network=bridge=virbr0,model=virtio \
    --network=bridge=virbr0,model=virtio \
    --network=bridge=virbr0,model=virtio \
    --graphics vnc,password=admin123,listen=0.0.0.0,port=5902 \
    --serial tcp,host=:2223,mode=bind,protocol=telnet \
    --vcpus=2 --cpu host --ram=8096 \
    --os-type=linux \
    --os-variant=rhel6 \
    --import --autostart --noautoconsole

 * VM operations and information (use the domain name given to --name):

sudo virsh shutdown bigip
sudo virsh destroy bigip
sudo virsh undefine --domain bigip
sudo virsh list --all
sudo virsh net-dhcp-leases default

 * Obtaining console access (virsh console followed by the domain name; the F5 VM above additionally exposes its serial console on TCP port 2223):

sudo virsh console

 * Default F5 credentials (current versions prompt for a new password at first login):

root / default

 * 1) config -> the interactive utility that assigns the management IP address. To read it back use tmsh list; tmsh show sys management-ip does not work, because management-ip is a configuration object:

tmsh list sys management-ip
tmsh show running-config

nano /etc/libvirt/hooks/qemu

#!/bin/bash
# Hook to insert a NEW rule to allow connections to the VMs
# 192.168.122.0/24 is the NATed subnet
# virbr0 is the networking interface between the VMs and the host
# Written by Vivek Gite under GPL v3.x {https://www.cyberciti.biz}
# NOTE: the original uses 192.168.2.0/24 as the public IPv4 subnet; replace it with yours (here 10.170.131.0/24)
# get count
v=$(/sbin/iptables -L FORWARD -n -v | /usr/bin/grep 192.168.122.109/32 | /usr/bin/wc -l)
# avoid duplicates, as this hook gets called for each VM
[ $v -le 2 ] && /sbin/iptables -I FORWARD 1 -o virbr0 -m state -s 10.170.131.0/24 -d 192.168.122.109/32 --state NEW,RELATED,ESTABLISHED -j ACCEPT

chmod -v +x /etc/libvirt/hooks/qemu

vim /etc/ufw/before.rules

# KVM/libvirt Forward Ports to guests with Iptables (UFW) #
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.170.131.132 -p tcp --dport 443 -j DNAT --to-destination 192.168.122.109:443 -m comment --comment "Port443 for BigIP"
COMMIT

This UFW fragment sends host port 443 to the BIG-IP management interface; the iptables rules added later forward 443 to the VIP instead, so keep only one of the two 443 DNAT rules.

sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 8443 -j DNAT --to-destination 192.168.122.109:8443
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 80 -j DNAT --to-destination 192.168.122.109:80
sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
sudo service netfilter-persistent save

The FORWARD rule accepts new connections to every port of every guest in 192.168.122.0/24, far more than the two DNATs need; acceptable in a throwaway lab, but elsewhere restrict it to the published guest addresses and ports.

curl -sk -u root:kIr@t#29 -H "Content-Type: application/json" -X GET https://192.168.122.109/mgmt/tm/sys/management-ip | jq -M .

This queries the iControl REST API for the management IP; -k is needed because the VE presents a self-signed certificate. A password given with -u ends up in the shell history and in ps output for other users on the host, so outside a lab keep it off the command line (curl -n with a ~/.netrc entry), or log in once via /mgmt/shared/authn/login and send the returned token in the X-F5-Auth-Token header.

192.168.122.145 root/kIr@t#29

tmsh install /sys license registration-key 

Management-port firewall rule: accept TCP/443 to the management address only from the host-side range 10.170.131.1-10.170.131.254, log the matches, and place the rule first so it is evaluated before any other rule; then save the configuration:

tmsh modify /security firewall management-ip-rules rules add {
    example_mgmt_rule {
        action accept
        destination { addresses add { 192.168.122.109 } ports add { 443 } }
        ip-protocol tcp
        log yes
        place-before first
        source { addresses add { 10.170.131.1-10.170.131.254 } ports none }
        status enabled
        uuid auto-generate
    }
}
tmsh save /sys config

Install CentOS

wget https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2

virt-customize -a CentOS-7-x86_64-GenericCloud-2111.qcow2 --root-password password:DDYrTXJZTJldOqimb68ZK5KCmRpbdBOe

Now able to log in to the new guest as root / DDYrTXJZTJldOqimb68ZK5KCmRpbdBOe. Use the file name you actually downloaded; and since a password on the command line lands in the shell history, virt-customize also accepts --root-password file:PATH.

sudo virt-install \
    --name=CentOS \
    --description="CentOS WebServer" \
    --disk path=/var/lib/libvirt/images/CentOS-7-x86_64-GenericCloud.qcow2,bus=virtio,format=qcow2 \
    --disk path=/var/lib/libvirt/images/CentOS-7-x86_64-GenericCloud.DATASTOR.ALL.qcow2,size=8,bus=virtio,format=qcow2 \
    --network=bridge=virbr0,model=virtio \
    --graphics none \
    --console pty,target_type=serial \
    --vcpus=1 --cpu host --ram=2048 \
    --os-type=linux \
    --os-variant=rhel6 \
    --import --autostart --noautoconsole

sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 443 -j DNAT --to-destination 192.168.122.110:443
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 80 -j DNAT --to-destination 192.168.122.110:80
sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

These map host ports 443 and 80 to the BIG-IP virtual server (192.168.122.110) instead of the management interface. Because -I inserts at the top of PREROUTING, they take precedence over the earlier 443/80 rules pointing at 192.168.122.109; remove those so that the active rules match the diagram at the top of this section.
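The rules above, and the libvirt hook earlier in this section that counts grep matches to avoid duplicates, are applied by hand, and the FORWARD rule opens every port of every guest in 192.168.122.0/24. The following added example (not from the page) scripts the mapping from the diagram at the top of this section as idempotent rules: iptables -C is the duplicate check, and forwarding is opened only for each published guest:port. The function names ensure_rule, forward_port and apply_lab_rules are hypothetical; IPTABLES, HOST_IP and BRIDGE can be overridden from the environment. Run it as root with apply as the argument, or call it from the libvirt qemu hook, as the page does, so the rules are re-checked whenever a guest starts.

```shell
#!/bin/sh
# Added example: idempotent DNAT + FORWARD rules for the KVM lab (not from the page).
IPTABLES=${IPTABLES:-/sbin/iptables}
HOST_IP=${HOST_IP:-10.170.131.132}     # host address that clients connect to
BRIDGE=${BRIDGE:-virbr0}               # libvirt NAT bridge in front of the guests

# ensure_rule TABLE CHAIN RULE-SPEC... : insert at the top only if the rule is absent
ensure_rule() {
    table=$1; chain=$2; shift 2
    "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null \
        || "$IPTABLES" -t "$table" -I "$chain" 1 "$@"
}

# forward_port PUBLIC_PORT GUEST_IP GUEST_PORT
forward_port() {
    ensure_rule nat PREROUTING -p tcp -d "$HOST_IP" --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    # open the FORWARD chain for this guest:port only, not the whole /24
    ensure_rule filter FORWARD -o "$BRIDGE" -p tcp -d "$2" --dport "$3" \
        -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
}

# The lab mapping: 8443 -> BIG-IP management, 443/80 -> the virtual server.
apply_lab_rules() {
    forward_port 8443 192.168.122.109 8443    # BIG-IP management (GUI/REST)
    forward_port 443  192.168.122.110 443     # BIG-IP virtual server
    forward_port 80   192.168.122.110 80
}

case ${1:-} in
    apply) apply_lab_rules ;;
esac
```

Running it twice adds nothing the second time, because every -I is guarded by a -C of the identical rule spec; the earlier hook's grep-and-count test breaks as soon as a second rule mentions the same address.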

