F5

[[Category:LoadBalancers]]
__TOC__
<br />
 
= Interfaces Configuration =
 
; Interfaces
 
* Control Plane
-> Only active on the active unit
-> Filter pcaps on this IP, otherwise they will include monitoring traffic as well.
 
; Change Hostname:
 
tmsh
modify /sys global-settings hostname bigip1.example.net
save /sys config
 
= F5 Training =
 
;LTM: How BIG-IP processes traffic

* Node - represents the IP address of a server.
* Virtual server - the combination of a virtual IP address and port, also known as a listener; the virtual server is associated with a pool of members.
 
== Load Balancing Methods ==

* Static - Round Robin, Ratio
* Dynamic - LFOPD: Least Connections, Fastest, Observed, Predictive, Dynamic Ratio
 
;Details:

* Least Connections - load balancing is based on the number of current connections per member; if the connection counts are equal it falls back to round robin.
* Fastest - based on the number of layer 7 requests pending on each member.
* Observed - a ratio load balancing method in which BIG-IP assigns the ratios itself: it checks each member's connection count dynamically and adjusts the ratio of requests accordingly.
* Predictive - similar to Observed, but assigns the ratios more aggressively based on average connection counts.
 
;Load balancing by pool member or node:
* Priority activation - lets you configure backup sets for existing pool members; BIG-IP uses the higher priority pool members first.
* Fallback host - only used for HTTP requests; if no pool member is available, BIG-IP redirects the client request to the fallback host.
 
== Monitors ==

* Monitors check the status of nodes and pool members; if a pool member is not responding or its response time is poor, BIG-IP stops sending requests to it.

;Monitor type:

* Address check - BIG-IP sends an ICMP request and waits for the reply; if there is no reply it marks the node down and sends it no further traffic.
* Service check - checks the TCP port on which the server is listening; if there is no response the member is marked down.
* Content check - verifies that the server responds with the right content, e.g. for HTTP a GET request is sent and the response is checked.
* Interactive check - e.g. a test of an FTP connection: once the connection is open the username and password are sent, then a GET for a file; once the file is received the connection is closed.

* F5 recommends timeout = 3n + 1, where n is the monitor interval (frequency), when configuring an HTTP monitor.
* Customization of monitor
* Assign nodes to monitor
 
 
== Profiles ==

* Profiles define traffic behaviour for a virtual server.
* A profile contains settings for how traffic is processed through the virtual server. If BIG-IP load balances an application's traffic across several members, a returning client can land on a different server and its session breaks; to avoid this we use a persistence profile so that the client's subsequent requests are sent to the same server.
* Persistence profile - configured for a client or group of clients so that BIG-IP knows a returning client's requests must go to the same server; persistence is based on the source IP address or an HTTP cookie.
* SSL termination
* FTP profile
* All virtual servers have a layer 4 profile: TCP, UDP or FastL4.
* Profile types - service profile, persistence profile, protocol profile, SSL profile, authentication profile, other profiles.
 
== Persistence Types ==

* Source address persistence - keeps track of the client's source IP address; the administrator can set a netmask on the persistence record so that all clients within the same mask are assigned to the same pool member.
* Limitation - does not work well if client addresses are NAT'ed (many clients appear as one source address).
* Cookie persistence - only works with HTTP.
* Three modes: insert, rewrite, passive.
** Insert mode - BIG-IP creates a special cookie in the HTTP response to the client.
** Rewrite mode - the pool member creates a blank cookie and BIG-IP replaces it with the special cookie.
** Passive mode - the pool member creates the special cookie itself and BIG-IP lets it pass through.
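Insert-mode cookie persistence as an added illustration (not F5 code): the cookie name and pool member address are constructed from this page's lab pool, and the value format is BIG-IP's documented default encoding; rewrite and passive modes differ only in who creates the cookie.

```python
"""Cookie persistence in insert mode, as described above. Added
illustration, not F5 code. The default (unencrypted) BIG-IP cookie value
encodes the pool member as <IP as little-endian decimal>.<port with its
two bytes swapped>.0000; the member 192.168.68.108:80 is this page's lab pool."""
import ipaddress

COOKIE = "BIGipServermyPool"  # default cookie name is BIGipServer<pool name>


def encode_member(ip, port):
    """Build the default cookie value for a pool member."""
    ip_le = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    port_swapped = ((port & 0xFF) << 8) | (port >> 8)
    return f"{ip_le}.{port_swapped}.0000"


def decode_member(value):
    """Reverse of encode_member. The value is reversible, which is why the
    cookie persistence profile offers cookie encryption: without it the
    cookie discloses the pool member's address to anyone who sees it."""
    ip_le, port_swapped, _ = value.split(".")
    ip = str(ipaddress.IPv4Address(int(ip_le).to_bytes(4, "little")))
    p = int(port_swapped)
    return ip, ((p & 0xFF) << 8) | (p >> 8)


def choose_member(request_cookies, members, load_balance):
    """Insert mode on a request: a valid cookie pins the client to that
    member; otherwise the load-balancing method (load_balance()) picks one."""
    value = request_cookies.get(COOKIE)
    if value:
        try:
            member = decode_member(value)
            if member in members:
                return member
        except (ValueError, OverflowError):
            pass  # malformed or tampered cookie: ignore it and load balance
    return load_balance()


def insert_cookie(response_headers, member):
    """Insert mode on a response: BIG-IP adds the cookie the client will
    return on its next request."""
    ip, port = member
    response_headers["Set-Cookie"] = f"{COOKIE}={encode_member(ip, port)}; path=/"
    return response_headers
```

Because the value is reversible, the cookie encryption setting in the cookie persistence profile is the usual hardening in production.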
 
== SSL Profile ==

* SSL is Secure Sockets Layer.
* For a website served over HTTPS we need an SSL profile, since traffic from the source clients is being NATed and the web application uses HTTPS.
* Using SSL termination, BIG-IP can decrypt the traffic and then assign it to a pool member.
* BIG-IP contains SSL hardware, so encryption and key exchange are done in hardware; it also provides centralized certificate management.

== iRule ==

* An iRule is a script that directs traffic through BIG-IP, based on the TCL command language.
* iRules give control over inbound and outbound traffic through BIG-IP.
* An iRule consists of: iRule name, events, conditions, actions.
 
= Deploy F5 in KVM =

* Topology

<pre>
[client]-------------------------[ F5 ]------------------------[server]
192.168.45.121      192.168.45.21  |  192.168.68.3     192.168.68.108
                                   |
                            192.168.30.217
                                   |
                                   |
                           {10.157.146.116}
                                 Host
</pre>
 
* Install [https://aman.awiki.org/wiki/Virtualization#KVM_Installation KVM]
 
* Download the image from the F5 portal:
sudo mv BIGIP-16.1.3-0.0.12.qcow2 /var/lib/libvirt/images/
 
* Create 3 virtual bridge interfaces:
 
;virbr0 (ignore if already existing)

vim virbr0.xml

Add bridge details to the file:
<syntaxhighlight lang="xml">
<network>
  <name>br0</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.30.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.30.50' end='192.168.30.200'/>
    </dhcp>
  </ip>
</network>
</syntaxhighlight>

sudo virsh net-define virbr0.xml
sudo virsh net-start br0
sudo virsh net-autostart br0
sudo virsh net-list --all
ip addr show dev virbr0
 
;virbr1

vim virbr1.xml

Add bridge details to the file:
<syntaxhighlight lang="xml">
<network>
  <name>br1</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.45.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.45.50' end='192.168.45.200'/>
    </dhcp>
  </ip>
</network>
</syntaxhighlight>

sudo virsh net-define virbr1.xml
sudo virsh net-start br1
sudo virsh net-autostart br1
sudo virsh net-list --all
ip addr show dev virbr1
 
;virbr2
 
vim virbr2.xml
 
Add bridge details to the file:
<syntaxhighlight lang="xml">
<network>
  <name>br2</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr2' stp='on' delay='0'/>
  <ip address='192.168.68.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.68.50' end='192.168.68.200'/>
    </dhcp>
  </ip>
</network>
</syntaxhighlight>
 
sudo virsh net-define virbr2.xml
sudo virsh net-start br2
sudo virsh net-autostart br2
sudo virsh net-list --all
ip addr show dev virbr2
 
 
 
* Install F5 VM:
<syntaxhighlight lang="bash">
sudo virt-install \
  --name=bigip \
  --description="BIG-IP Local Traffic Manager (LTM) Virtual Edition (VE)" \
  --disk path=/var/lib/libvirt/images/BIGIP-16.1.4.3-0.0.3.qcow2,bus=virtio,format=qcow2 \
  --disk path=/var/lib/libvirt/images/BIGIP-16.1.4.3-0.0.3.DATASTOR.ALL.qcow2,size=8,bus=virtio,format=qcow2 \
  --network=bridge=virbr0,model=virtio \
  --network=bridge=virbr1,model=virtio \
  --network=bridge=virbr2,model=virtio \
  --graphics vnc,password=admin123,listen=0.0.0.0,port=5902 \
  --console pty,target_type=serial \
  --vcpus=2 --cpu host --ram=8096 \
  --os-type=linux --os-variant=rhel6.0 \
  --import --autostart --noautoconsole
</syntaxhighlight>
Note: listen=0.0.0.0 exposes the VNC console on every host interface; outside an isolated lab, bind it to 127.0.0.1 (or a management address) and use a stronger password than admin123.
 
* VM Operations and information:
sudo virsh shutdown bigip
sudo virsh destroy bigip
sudo virsh undefine --domain bigip
 
sudo virsh list --all
sudo virsh net-dhcp-leases default
 
* Obtaining Console access:
sudo virsh console bigip
 
* Default CLI Credentials:
root / default
 
* Set WebUI Credentials using below command:
passwd admin
 
* Iptables enable Web UI access using NAT from Host VM:
sudo iptables -t nat -I PREROUTING -p tcp -d 10.157.146.116 --dport 8443 -j DNAT --to-destination 192.168.30.217:443
sudo iptables -I FORWARD -m state -d 192.168.30.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
 
* The above rules might not survive a host reboot; make them persistent:
sudo yum install iptables-services
sudo systemctl start iptables
sudo systemctl enable iptables
sudo service iptables save
 
* Apply License
tmsh install /sys license registration-key <KEY>
 
* Save Config
tmsh save /sys config
 
* Increase bash columns
vi /root/.bashrc

<syntaxhighlight lang="bash">
#!/bin/bash -i
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi

# Ask the terminal for its size (CSI 18 t) and apply it to the tty
resize() {
    old=$(stty -g)
    stty raw -echo min 0 time 5
    printf '\033[18t' > /dev/tty
    IFS=';t' read -r _ rows cols _ < /dev/tty
    stty "$old"
    stty cols "$cols"
    stty rows "$rows"
    export COLUMNS=$cols
    export LINES=$rows
}

# On the serial console, stop wrapping at 80 columns
[[ $(tty) = '/dev/ttyS0' ]] && stty cols 1000
</syntaxhighlight>
 
 
stty -F /dev/ttyS0 rows 100
stty -F /dev/ttyS0 cols 100
 
 
 
== Prepare the Ubuntu Minimal Image ==
 
* Download Image file:
virt-builder --list
virt-builder centos-7.5 --format qcow2 --size 20G -o centos75-client.qcow2 --root-password password # no root password set
sudo mv centos75-client.qcow2 /var/lib/libvirt/images/
sudo cp /var/lib/libvirt/images/centos75-client.qcow2 /var/lib/libvirt/images/centos75-server.qcow2
 
=== Install Client ===
 
* Start VM:
<syntaxhighlight lang="bash">
sudo virt-install \
--name=client \
--description="Ubuntu Minimal Client" \
--disk path=/var/lib/libvirt/images/centos75-client.qcow2,bus=virtio,format=qcow2 \
--network=bridge=virbr1,model=virtio \
--graphics none \
--console pty,target_type=serial \
--vcpus=1 --cpu host --ram=1024 \
--os-type=linux \
--os-variant=rhel6.0 \
--import --autostart --noautoconsole
</syntaxhighlight>
 
* Obtaining Console access:
sudo virsh console client
 
* Basic config:
sudo vi /etc/hostname # change hostname
 
sudo yum install httpd
sudo systemctl enable httpd
sudo systemctl start httpd
sudo systemctl status httpd
 
sudo iptables -F
 
=== Install WebServer ===
 
* Start VM:
<syntaxhighlight lang="bash">
sudo virt-install \
--name=server \
--description="CentOS WebServer" \
--disk path=/var/lib/libvirt/images/centos75-server.qcow2,bus=virtio,format=qcow2 \
--network=bridge=virbr2,model=virtio \
--graphics none \
--console pty,target_type=serial \
--vcpus=1 --cpu host --ram=1024 \
--os-type=linux \
--os-variant=rhel6.0 \
--import --autostart --noautoconsole
</syntaxhighlight>
 
* Obtaining Console access:
sudo virsh console server
sudo iptables -F
 
== F5 Configuration ==
 
=== Manually assign Management IP address ===
 
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip 192.168.30.217/24
tmsh create sys management-route default { gateway 192.168.30.1 network default }
 
=== Create VLAN ===
 
<pre>
net vlan myVlan {
    fwd-mode l3
    if-index 128
    interfaces {
        1.2 { }
    }
    sflow {
        poll-interval-global no
        sampling-rate-global no
    }
    tag 4094
}
</pre>
 
=== Create SelfIP ===
<pre>
net self SelfIpforPool {
    address 192.168.68.3/24
    traffic-group traffic-group-local-only
    vlan myVlan
}
</pre>
 
=== Create Pool ===
<pre>
ltm pool myPool {
    members {
        server1:http {
            address 192.168.68.108
            logging enabled
            session monitor-enabled
            state up
        }
    }
    monitor http
}
</pre>

=== Create VS ===
<pre>
ltm snat-translation 192.168.68.7 {
    address 192.168.68.7
    inherited-traffic-group true
    traffic-group traffic-group-1
}
ltm snatpool mySNatIP {
    members {
        192.168.68.7
    }
}
</pre>
 
<pre>
ltm virtual myVS {
    creation-time 2024-04-30:09:50:10
    destination 192.168.45.21:http
    ip-protocol tcp
    last-modified-time 2024-05-01:02:29:35
    mask 255.255.255.255
    pool myPool
    profiles {
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool mySNatIP
        type snat
    }
    translate-address enabled
    translate-port enabled
    vlans {
        ExternalVlan
    }
    vlans-enabled
    vs-index 2
}
</pre>
 
=== Enable Internet Access on VMs ===
 
; On VMs:
 
* Add an interface on the host's common network (virbr0) to the VMs:
sudo virsh attach-interface --type bridge --source virbr0 --model virtio client
 
; On Host:
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables --table nat --append POSTROUTING --out-interface ens192 -j MASQUERADE # ens192 is default exit interface in Host
sudo iptables --insert FORWARD --in-interface virbr0 -j ACCEPT # virbr0 is newly added interface in VM
 
== UCS Backup ==
tmsh save sys ucs $(echo $HOSTNAME | cut -d'.' -f1)-$(date +%H%M-%m%d%y)
scp root@192.168.30.217:/var/local/ucs/labdevice-0305-061324.ucs .
 
 
<br />
;References
<references/>
 