F5
[[Category:LoadBalancers]]
__TOC__
<br />
 
= Configuration =
 
; Interfaces

* Control Plane
-> Only active on the Active unit
-> Filter pcaps on this IP, otherwise the capture will contain monitoring traffic as well
 
; Change Hostname:
 
tmsh
modify /sys global-settings hostname bigip1.example.net
save /sys config
 
= F5 Training =
 
;LTM: How BIG-IP processes traffic

* Node - represents the IP address
* Checks the status of nodes and pool members: if a pool member's response time is poor or it is not responding, BIG-IP stops sending requests to that node.
 
;Monitor types:

* Address check - BIG-IP sends an ICMP request and waits for the reply; if there is no reply it marks the node down and sends no further traffic to it.
* Service check - checks the TCP port the server is listening on; if there is no response the member is marked down.
* Content check - verifies that the server answers with the right content, e.g. for HTTP a GET request is sent and the response is checked.
* Interactive check - e.g. a test of an FTP connection: once the connection is open the username and password are sent, then a request to get a file is sent; once the file is received the connection is closed.

* F5 recommends timeout = 3n+1, where n is the monitor interval (frequency), when setting up the HTTP monitor
* Customization of monitors
* Assigning nodes to a monitor
 
 
to avoid this we use a persistence profile so that the returning client's requests are sent to the same server.

* Persistence profile - configured for a client or group of clients; it is how BIG-IP knows that a returning client's request must go to the same server. The persistence profile keys on the source IP address or on an HTTP cookie.

* SSL termination
* All virtual servers have a layer 4 profile: TCP, UDP or FastL4.

* Profile types - service profile, persistence profile, protocol profile, SSL profile, authentication profile, other profiles.
 
== Persistence Types ==
 
* Source address persistence: keeps track of the source IP address; the administrator can set a netmask in the persistence record so that all clients within the same mask are assigned to the same pool member.

* Limitation - it breaks down if the client address is NAT'ed.

* Cookie persistence - only works with the HTTP protocol

* Three modes: insert, rewrite, passive.

Insert mode - BIG-IP creates a special cookie in the HTTP response to the client.
Rewrite mode - the pool member creates a blank cookie and BIG-IP inserts the special cookie.
Passive mode - the pool member creates the special cookie and BIG-IP lets it pass through.
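As an added illustration (not part of the original notes), the following Python simulates a source-address persistence table: the record key is the client address masked with the profile's netmask, a new key is round-robined onto a pool member, and every later hit on that key goes to the same member. The second pool member 192.168.68.109 and the client addresses are constructed; the last case shows the NAT limitation, where several clients arriving from one translated address all pin to a single member.

```python
import ipaddress
from collections import Counter

# Constructed pool: the page's member plus a hypothetical second one.
POOL_MEMBERS = ["192.168.68.108:80", "192.168.68.109:80"]


def persistence_key(client_ip, netmask="255.255.255.255"):
    """Key of the persistence record: the client address masked with the
    netmask configured on the source-address persistence profile."""
    net = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)
    return str(net.network_address)


def dispatch(client_ips, members=POOL_MEMBERS, netmask="255.255.255.255"):
    """Round-robin new keys across the pool, but consult the persistence table
    first so a returning client (or anyone sharing its key) goes to the same
    member.  Returns (list of (client, member), persistence table)."""
    table, picks, next_member = {}, [], 0
    for ip in client_ips:
        key = persistence_key(ip, netmask)
        if key not in table:
            table[key] = members[next_member % len(members)]
            next_member += 1
        picks.append((ip, table[key]))
    return picks, table


def member_load(picks):
    """How many connections each member received."""
    return Counter(member for _, member in picks)


if __name__ == "__main__":
    clients = ["192.168.45.121", "192.168.45.122", "192.168.45.200", "192.168.46.7"]
    print("host mask  :", member_load(dispatch(clients)[0]))
    print("/24 mask   :", member_load(dispatch(clients, netmask="255.255.255.0")[0]))
    # Four different clients behind one NAT all arrive from the same address.
    print("NAT clients:", member_load(dispatch(["192.168.45.121"] * 4)[0]))
```

With a host mask the four clients spread evenly; with a /24 mask the three clients in 192.168.45.0/24 share one record and one member; behind a NAT every client shares a record, so the second member never receives traffic.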
 
== SSL Profile ==
= Deploy F5 in KVM =

* Topology
<pre>
[client]-------------------------[ F5 ]------------------------[server]
192.168.45.121      192.168.45.21   |   192.168.68.3       192.168.68.108
   (virbr1)                          |                          (virbr2)
                              192.168.30.217 (mgmt, virbr0)
                                     |
                                     |
                              {10.157.146.116}
                                    Host
</pre>

* Install [https://aman.awiki.org/wiki/Virtualization#KVM_Installation KVM]

* Download the image from the F5 portal and move it into the libvirt images directory:
sudo mv BIGIP-16.1.3-0.0.12.qcow2 /var/lib/libvirt/images/

* Create 3 virtual bridge interfaces, one per leg of the topology (virbr0: management, virbr1: external/client side, virbr2: internal/server side):

;virbr0 (Ignore if already existing)

vim virbr0.xml

Add bridge details to the file:
<syntaxhighlight lang="xml">
<network>
  <name>br0</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.30.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.30.50' end='192.168.30.200'/>
    </dhcp>
  </ip>
</network>
</syntaxhighlight>

sudo virsh net-define virbr0.xml
sudo virsh net-start br0
sudo virsh net-autostart br0
sudo virsh net-list --all
ip addr show dev virbr0

;virbr1

vim virbr1.xml

Add bridge details to the file:
<syntaxhighlight lang="xml">
<network>
  <name>br1</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.45.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.45.50' end='192.168.45.200'/>
    </dhcp>
  </ip>
</network>
</syntaxhighlight>

sudo virsh net-define virbr1.xml
sudo virsh net-start br1
sudo virsh net-autostart br1
sudo virsh net-list --all
ip addr show dev virbr1

;virbr2

vim virbr2.xml

Add bridge details to the file:
<syntaxhighlight lang="xml">
<network>
  <name>br2</name>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr2' stp='on' delay='0'/>
  <ip address='192.168.68.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.68.50' end='192.168.68.200'/>
    </dhcp>
  </ip>
</network>
</syntaxhighlight>

sudo virsh net-define virbr2.xml
sudo virsh net-start br2
sudo virsh net-autostart br2
sudo virsh net-list --all
ip addr show dev virbr2
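An added check, not from the original page: this Python validates a libvirt network definition like the three above before it is handed to `virsh net-define`. It catches a gateway or hand-assigned address that falls inside the DHCP range (a later duplicate-IP outage when DHCP leases it out), a DHCP range that leaves the subnet, a bad NAT port range and overlap with a subnet already present on the host (libvirt's default network 192.168.122.0/24 is the usual one). The embedded XML is a copy of the br2 definition; the static addresses passed in are the self IP and SNAT address configured on the BIG-IP later on this page.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Copy of the br2 definition above, embedded so the check runs offline.
BR2_XML = """<network>
  <name>br2</name>
  <forward mode='nat'><nat><port start='1024' end='65535'/></nat></forward>
  <bridge name='virbr2' stp='on' delay='0'/>
  <ip address='192.168.68.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.68.50' end='192.168.68.200'/></dhcp>
  </ip>
</network>"""


def check_network(xml_text, static_addresses=(), other_subnets=()):
    """Validate a libvirt NAT network definition.

    Returns a list of human-readable problems; an empty list means every check
    passed.  static_addresses are addresses you intend to configure by hand on
    guests (self IPs, SNAT addresses, ...); other_subnets are networks that
    already exist on the host.
    """
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="<unnamed>")
    ip_el = root.find("ip")
    if root.find("bridge") is None or ip_el is None:
        return [f"{name}: missing <bridge> or <ip> element"]

    gateway = ipaddress.ip_address(ip_el.get("address"))
    subnet = ipaddress.ip_network(f"{gateway}/{ip_el.get('netmask')}", strict=False)
    problems = []

    if gateway in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"{name}: gateway {gateway} is the network or broadcast address")

    # The DHCP pool must sit inside the subnet and must not hand out the gateway
    # or any address you plan to assign statically.
    rng = ip_el.find("dhcp/range")
    if rng is not None:
        start = ipaddress.ip_address(rng.get("start"))
        end = ipaddress.ip_address(rng.get("end"))
        if start > end:
            problems.append(f"{name}: DHCP range start {start} is after end {end}")
        if start not in subnet or end not in subnet:
            problems.append(f"{name}: DHCP range {start}-{end} leaves subnet {subnet}")
        if start <= gateway <= end:
            problems.append(f"{name}: gateway {gateway} lies inside the DHCP range")
        for addr in map(ipaddress.ip_address, static_addresses):
            if addr in subnet and start <= addr <= end:
                problems.append(f"{name}: static address {addr} lies inside the DHCP range")

    port = root.find("forward/nat/port")
    if port is not None:
        lo, hi = int(port.get("start")), int(port.get("end"))
        if not 1 <= lo <= hi <= 65535:
            problems.append(f"{name}: NAT port range {lo}-{hi} is invalid")

    # Overlapping subnets make routing between the bridges ambiguous.
    for other in map(ipaddress.ip_network, other_subnets):
        if subnet.overlaps(other):
            problems.append(f"{name}: {subnet} overlaps existing network {other}")
    return problems


if __name__ == "__main__":
    report = check_network(BR2_XML, static_addresses=["192.168.68.3", "192.168.68.7"],
                           other_subnets=["192.168.122.0/24"])
    print("br2:", report or "OK")
```

Run it against each of the three XML files with the self IPs, SNAT addresses and the other two bridge subnets passed in; an empty report for all three means the bridges will not collide with each other or with the default network.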
 
* Install F5 VM:
<syntaxhighlight lang="bash">
sudo virt-install \
--name=bigip \
--description="BIG-IP Local Traffic Manager (LTM) Virtual Edition (VE)" \
--disk path=/var/lib/libvirt/images/BIGIP-16.1.4.3-0.0.3.qcow2,bus=virtio,format=qcow2 \
--disk path=/var/lib/libvirt/images/BIGIP-16.1.4.3-0.0.3.DATASTOR.ALL.qcow2,size=8,bus=virtio,format=qcow2 \
--network=bridge=virbr0,model=virtio \
--network=bridge=virbr1,model=virtio \
--network=bridge=virbr2,model=virtio \
--graphics vnc,password=admin123,listen=0.0.0.0,port=5902 \
--console pty,target_type=serial \
--vcpus=2 --cpu host --ram=8096 \
--os-type=linux --os-variant=rhel6.0 \
--import --autostart --noautoconsole
</syntaxhighlight>
The first NIC (virbr0) becomes the BIG-IP management interface, the second (virbr1) is interface 1.1 and the third (virbr2) is interface 1.2. Note that listen=0.0.0.0 exposes the VNC console on every host interface, protected only by the VNC password; bind it to 127.0.0.1 unless remote console access is actually needed.

* VM operations and information:
sudo virsh shutdown bigip
sudo virsh destroy bigip
sudo virsh undefine --domain bigip

sudo virsh list --all
sudo virsh net-dhcp-leases default

* Obtaining console access:
sudo virsh console bigip

* Default CLI credentials:
root / default

* Set WebUI credentials using the command below:
passwd admin

* Iptables: enable Web UI access using NAT from the host:
sudo iptables -t nat -I PREROUTING -p tcp -d 10.157.146.116 --dport 8443 -j DNAT --to-destination 192.168.30.217:443
sudo iptables -I FORWARD -m state -d 192.168.30.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
This publishes the BIG-IP management UI on the host's address; add a source match (-s with the admin subnet) to the PREROUTING rule so that only the admin network can reach it.

* The above rules might not survive a reboot of the host; make them persistent:
sudo yum install iptables-services
sudo systemctl start iptables
sudo systemctl enable iptables
sudo service iptables save

* Apply license
tmsh install /sys license registration-key <KEY>

* Save config
tmsh save /sys config

* Increase bash columns
vi /root/.bashrc

<syntaxhighlight lang="bash">
#!/bin/bash -i
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi

# Ask the terminal for its size and pass it on to the tty
# (a serial console does not report window size changes by itself)
resize() {
    old=$(stty -g)
    stty raw -echo min 0 time 5
    printf '\033[18t' > /dev/tty
    IFS=';t' read -r _ rows cols _ < /dev/tty
    stty "$old"
    stty cols $cols
    stty rows $rows
    export COLUMNS=$cols
    export LINES=$rows
}
[[ $(tty) = '/dev/ttyS0' ]] && stty cols 1000
</syntaxhighlight>

Or set the size of the serial console directly:
stty -F /dev/ttyS0 rows 100
stty -F /dev/ttyS0 cols 100
== Prepare the CentOS Guest Image ==

* Download the image file and build the guest disk with virt-builder:
virt-builder --list
virt-builder centos-7.5 --format qcow2 --size 20G -o centos75-client.qcow2 --root-password password # no root password set
sudo mv centos75-client.qcow2 /var/lib/libvirt/images/
sudo cp /var/lib/libvirt/images/centos75-client.qcow2 /var/lib/libvirt/images/centos75-server.qcow2
 
=== Install Client ===
 
* Start VM:
<syntaxhighlight lang="bash">
sudo virt-install \
--name=client \
--description="Ubuntu Minimal Client" \
--disk path=/var/lib/libvirt/images/centos75-client.qcow2,bus=virtio,format=qcow2 \
--network=bridge=virbr1,model=virtio \
--graphics none \
--console pty,target_type=serial \
--vcpus=1 --cpu host --ram=1024 \
--os-type=linux \
--os-variant=rhel6.0 \
--import --autostart --noautoconsole
</syntaxhighlight>
 
* Obtaining console access:
sudo virsh console client

* Basic config:
sudo vi /etc/hostname # change hostname

sudo iptables -F
 
=== Install WebServer ===

* Start VM:
<syntaxhighlight lang="bash">
sudo virt-install \
--name=server \
--description="CentOS WebServer" \
--disk path=/var/lib/libvirt/images/centos75-server.qcow2,bus=virtio,format=qcow2 \
--network=bridge=virbr2,model=virtio \
--graphics none \
--console pty,target_type=serial \
--vcpus=1 --cpu host --ram=1024 \
--os-type=linux \
--os-variant=rhel6.0 \
--import --autostart --noautoconsole
</syntaxhighlight>

* Obtaining console access:
sudo virsh console server

* Basic config (install the web server that the pool member on port 80 points at):
sudo yum install httpd
sudo systemctl enable httpd
sudo systemctl start httpd
sudo systemctl status httpd

sudo iptables -F
Flushing the guest firewall is fine on this isolated lab bridge; on anything reachable from outside, open only port 80 instead.
 
== F5 Configuration ==

=== Manually assign Management IP address ===

tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip 192.168.30.217/24
tmsh create sys management-route default { gateway 192.168.30.1 network default }
 
=== Create VLAN ===
 
<pre>
net vlan myVlan {
    fwd-mode l3
    if-index 128
    interfaces {
        1.2 { }
    }
    sflow {
        poll-interval-global no
        sampling-rate-global no
    }
    tag 4094
}
</pre>
 
=== Create SelfIP ===
<pre>
net self SelfIpforPool {
    address 192.168.68.3/24
    traffic-group traffic-group-local-only
    vlan myVlan
}
</pre>
 
=== Create Pool ===
<pre>
ltm pool myPool {
    members {
        server1:http {
            address 192.168.68.108
            logging enabled
            session monitor-enabled
            state up
        }
    }
    monitor http
}
</pre>

=== Create VS ===
<pre>
ltm snat-translation 192.168.68.7 {
    address 192.168.68.7
    inherited-traffic-group true
    traffic-group traffic-group-1
}
ltm snatpool mySNatIP {
    members {
        192.168.68.7
    }
}
</pre>
 
<pre>
ltm virtual myVS {
    creation-time 2024-04-30:09:50:10
    destination 192.168.45.21:http
    ip-protocol tcp
    last-modified-time 2024-05-01:02:29:35
    mask 255.255.255.255
    pool myPool
    profiles {
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool mySNatIP
        type snat
    }
    translate-address enabled
    translate-port enabled
    vlans {
        ExternalVlan
    }
    vlans-enabled
    vs-index 2
}
</pre>
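Added example, not the page's own tooling: a small parser for the tmsh brace syntax shown in the sections above, plus the consistency checks a practitioner would run over these objects before `save /sys config`: every pool member, SNAT address and virtual-server destination must sit on a subnet the BIG-IP has a self IP on, the referenced pool and snatpool must exist, each pool needs a health monitor, and a virtual server with source 0.0.0.0/0 should carry vlans-enabled so it does not also listen on the internal VLAN. The embedded config is copied from the snippets above with timestamps and index fields dropped. The self IP for ExternalVlan is not shown on this page, so the checker reports the VS destination 192.168.45.21 as uncovered until the hypothetical SelfIpExternal object is appended.

```python
import ipaddress

# Constructed sample input: the objects from the sections above in tmsh "list"
# style (timestamps and index fields omitted).
CONFIG = """
net self SelfIpforPool {
    address 192.168.68.3/24
    traffic-group traffic-group-local-only
    vlan myVlan
}
ltm pool myPool {
    members {
        server1:http {
            address 192.168.68.108
            session monitor-enabled
            state up
        }
    }
    monitor http
}
ltm snat-translation 192.168.68.7 {
    address 192.168.68.7
    traffic-group traffic-group-1
}
ltm snatpool mySNatIP {
    members {
        192.168.68.7
    }
}
ltm virtual myVS {
    destination 192.168.45.21:http
    ip-protocol tcp
    mask 255.255.255.255
    pool myPool
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool mySNatIP
        type snat
    }
    vlans {
        ExternalVlan
    }
    vlans-enabled
}
"""

# Hypothetical self IP for the external side; the page does not show one.
EXTERNAL_SELF = """
net self SelfIpExternal {
    address 192.168.45.20/24
    vlan ExternalVlan
}
"""


def parse_tmsh(text):
    """Parse tmsh brace syntax into nested dicts.  A line is `key value`,
    `key {` (opens a block), `}` (closes it), `key { }` (empty block) or a
    bare word, which is a flag stored as True."""
    root, stack, current = {}, [], {}
    current = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            current = stack.pop()
        elif line.endswith("{ }"):
            current[line[:-3].strip()] = {}
        elif line.endswith("{"):
            block = {}
            current[line[:-1].strip()] = block
            stack.append(current)
            current = block
        else:
            key, _, value = line.partition(" ")
            current[key] = value if value else True
    return root


def check_config(cfg):
    """Return a list of problems found in a parsed config (empty = consistent)."""
    problems = []
    self_nets = [ipaddress.ip_interface(obj["address"]).network
                 for name, obj in cfg.items() if name.startswith("net self ")]

    def on_self_subnet(addr):
        return any(ipaddress.ip_address(addr) in net for net in self_nets)

    for name, obj in cfg.items():
        if name.startswith("ltm pool "):
            if "monitor" not in obj:
                problems.append(f"{name}: no health monitor, dead members stay in rotation")
            for member, attrs in obj.get("members", {}).items():
                if not on_self_subnet(attrs["address"]):
                    problems.append(f"{name}: member {member} is not on any self IP subnet")
        elif name.startswith("ltm snat-translation "):
            if not on_self_subnet(obj["address"]):
                problems.append(f"{name}: SNAT address is not on any self IP subnet")
        elif name.startswith("ltm virtual "):
            dest = obj["destination"].rsplit(":", 1)[0]
            if not on_self_subnet(dest):
                problems.append(f"{name}: destination {dest} is not on any self IP subnet")
            if f"ltm pool {obj.get('pool')}" not in cfg:
                problems.append(f"{name}: pool {obj.get('pool')} is not defined")
            sat = obj.get("source-address-translation", {})
            if sat.get("type") == "snat" and f"ltm snatpool {sat.get('pool')}" not in cfg:
                problems.append(f"{name}: snatpool {sat.get('pool')} is not defined")
            if obj.get("source", "0.0.0.0/0") == "0.0.0.0/0" and "vlans-enabled" not in obj:
                problems.append(f"{name}: accepts any source on every VLAN; add vlans-enabled")
    return problems


if __name__ == "__main__":
    print("page config     :", check_config(parse_tmsh(CONFIG)) or "OK")
    print("+ external self :", check_config(parse_tmsh(CONFIG + EXTERNAL_SELF)) or "OK")
```

Feed it the output of `tmsh list net self`, `tmsh list ltm pool`, `tmsh list ltm snat-translation`, `tmsh list ltm snatpool` and `tmsh list ltm virtual` concatenated, and treat any non-empty report as something to resolve before the config is saved.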
 
=== Enable Internet Access on VMs ===
 
; On VMs:
 
* Add Interface for the common network on host to the VMs:
sudo virsh attach-interface --type bridge --source virbr0 --model virtio client
 
; On Host:
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables --table nat --append POSTROUTING --out-interface ens192 -j MASQUERADE # ens192 is default exit interface in Host
sudo iptables --insert FORWARD --in-interface virbr0 -j ACCEPT # virbr0 is newly added interface in VM
 
== UCS Backup ==
tmsh save sys ucs $(echo $HOSTNAME | cut -d'.' -f1)-$(date +%H%M-%m%d%y)
scp root@192.168.30.217:/var/local/ucs/labdevice-0305-061324.ucs .
 
 
<br />
;References
<references/>
<br />
<br />
<br />
 
 
{{DISQUS}}