F5: Difference between revisions

3,199 bytes added ,  22 days ago
 
Line 3:
<br />
 
= InterfacesConfiguration =
 
; Interfaces
 
* Control Plane
Line 17 ⟶ 19:
-> Only active on Active Unit
-> Pcaps filter with this IP else it will have Monitoring traffic as well.
 
; Change Hostname:
 
tmsh
modify /sys global-settings hostname bigip1.example.net
save /sys config
 
= F5 Training =
Line 105 ⟶ 113:
= Deploy F5 in KVM =
 
* Topology
[10.170.131.132:8443] ---------> [Mgmt-192.168.122.109:8443]
 
[10.170.131.132:443] ----------> [VIP-192.168.122.110:443] --------------> [CentOS-192.168.122.98:80]
[client]-------------------------[ F5 ]------------------------[server]
192.168.45.121 192.168.45.21 | 192.168.68.3 192.168.68.108
|
192.168.30.217
|
|
{10.157.146.116}
Host
 
* Install [https://aman.awiki.org/wiki/Virtualization#KVM_Installation KVM]
 
* Download the Image from F5 Portal:
sudo mv BIGIP-16.1.3-0.0.12.qcow2 /var/lib/libvirt/images/
 
* Create 3 virtual bridge interfaces:
* Install Ubuntu Server VM:
 
sudo virt-install --name ubuntu-trusty --ram 256 --disk path=/var/kvm/images/trusty.img,size=3 --vcpus 1 --os-type linux --os-variant ubuntutrusty --graphics none --console pty,target_type=serial --location 'http://fr.archive.ubuntu.com/ubuntu/dists/trusty/main/installer-amd64/' --extra-args 'console=ttyS0,115200n8 serial'
;virbr0 (Ignore if already existing)
 
vim virbr0.xml
 
Add bridge details to the file:
<syntaxhighlight lang=ini><network>
<name>br0</name>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr0' stp='on' delay='0'/>
<ip address='192.168.30.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.30.50' end='192.168.30.200'/>
</dhcp>
</ip>
</network>
</syntaxhighlight>
 
sudo virsh net-define virbr0.xml
sudo virsh net-start br0
sudo virsh net-autostart br0
sudo virsh net-list --all
ip addr show dev virbr0
 
;virbr1
 
vim virbr1.xml
 
Add bridge details to the file:
<syntaxhighlight lang=ini><network>
<name>br1</name>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr1' stp='on' delay='0'/>
<ip address='192.168.45.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.45.50' end='192.168.45.200'/>
</dhcp>
</ip>
</network>
</syntaxhighlight>
 
sudo virsh net-define virbr1.xml
sudo virsh net-start br1
sudo virsh net-autostart br1
sudo virsh net-list --all
ip addr show dev virbr1
 
;virbr2
 
vim virbr2.xml
 
Add bridge details to the file:
<syntaxhighlight lang=ini><network>
<name>br2</name>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr2' stp='on' delay='0'/>
<ip address='192.168.68.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.68.50' end='192.168.68.200'/>
</dhcp>
</ip>
</network>
</syntaxhighlight>
 
sudo virsh net-define virbr2.xml
sudo virsh net-start br2
sudo virsh net-autostart br2
sudo virsh net-list --all
ip addr show dev virbr2
 
 
* Install CentOS Server VM:
sudo virt-install --name=CentOS --description="CentOS WebServer" --disk path=/var/lib/libvirt/images/CentOS-7-x86_64-GenericCloud.qcow2,bus=virtio,format=qcow2 --disk path=/var/lib/libvirt/images/CentOS-7-x86_64-GenericCloud.DATASTOR.ALL.qcow2,size=8,bus=virtio,format=qcow2 --network=bridge=virbr0,model=virtio --graphics none --console pty,target_type=serial --vcpus=1 --cpu host --ram=1024 --os-type=linux --os-variant=rhel6 --import --autostart --noautoconsole
 
* Install F5 VM:
sudo virt-install \
--name=F5-BIGIPbigip \
--description="BIG-IP Local Traffic Manager (LTM) Virtual Edition (VE)" \
--disk path=/var/lib/libvirt/images/BIGIP-16.1.4.3-0.0.123.qcow2,bus=virtio,format=qcow2 \
--disk path=/var/lib/libvirt/images/BIGIP-16.1.4.3-0.0.123.DATASTOR.ALL.qcow2,size=8,bus=virtio,format=qcow2 \
--network=bridge=virbr0,model=virtio \
--network=bridge=virbr0,model=virtio \
--network=bridge=virbr0,model=virtio \
--network=bridge=virbr1,model=virtio \
--network=bridge=virbr2,model=virtio \
--graphics vnc,password=admin123,listen=0.0.0.0,port=5902 \
--console pty,target_type=serial \
--serial tcp,host=:2223,mode=bind,protocol=telnet \
--vcpus=2 --cpu host --ram=8096 \
--os-type=linux --os-variant=rhel6.0 \
--os-variant=rhel6 \
--import --autostart --noautoconsole
 
* VM Operations and infomrationinformation:
sudo virsh shutdown bigip
sudo virsh destroy bigip
Line 142 ⟶ 238:
 
* Obtaining Console access:
sudo virsh console <vm-name>bigip
 
* Default F5CLI Credentials:
root / default
 
* Set WebUI Credentials using below command:
<pre>
passwd admin
# config -> Assign IP address for management
tmsh show sys management-ip --> notworking
tmsh show running-config
 
* Iptables enable Web UI access using NAT from Host VM:
nano /etc/libvirt/hooks/qemu
sudo iptables -t nat -I PREROUTING -p tcp -d 10.157.146.116 --dport 8443 -j DNAT --to-destination 192.168.30.217:443
sudo iptables -I FORWARD -m state -d 192.168.30.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
 
* The above rules might not survive reboot of host, hardcoding them:
#!/bin/bash
sudo yum install iptables-services
# Hook to insert NEW rule to allow connection for VMs
sudo systemctl start iptables
# 192.168.122.0/24 is NATed subnet
sudo systemctl enable iptables
# virbr0 is networking interface for VM and host
sudo service iptables save
# -----------------------------------------------------------------
# Written by Vivek Gite under GPL v3.x {https://www.cyberciti.biz}
# -----------------------------------------------------------------
# get count
#################################################################
## NOTE replace 192.168.2.0/24 with your public IPv4 sub/net ##
#################################################################
v=$(/sbin/iptables -L FORWARD -n -v | /usr/bin/grep 192.168.122.109/32 | /usr/bin/wc -l)
# avoid duplicate as this hook get called for each VM
[ $v -le 2 ] && /sbin/iptables -I FORWARD 1 -o virbr0 -m state -s 10.170.131.0/24 -d 192.168.122.109/32 --state NEW,RELATED,ESTABLISHED -j ACCEPT
 
* Apply License
chmod -v +x /etc/libvirt/hooks/qemu
tmsh install /sys license registration-key <KEY>
 
* Save Config
vim /etc/ufw/before.rules
tmsh save /sys config
 
* Increase bash Columns
# KVM/libvirt Forward Ports to guests with Iptables (UFW) #
vi /root/.bashrc
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.170.131.132 -p tcp --dport 443 -j DNAT --to-destination 192.168.122.109:443 -m comment --comment "Port443 for BigIP"
COMMIT
 
<syntaxhighlight lang="bash">
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 8443 -j DNAT --to-destination 192.168.122.109:8443
#!/bin/bash -i
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 80 -j DNAT --to-destination 192.168.122.109:80
# .bashrc
sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
sudo service netfilter-persistent save
 
# User specific aliases and functions
curl -sk -u root:kIr@t#29 -H "Content-Type: application/json" -X GET https://192.168.122.109/mgmt/tm/sys/management-ip | jq -M .
 
alias rm='rm -i'
192.168.122.145
alias cp='cp -i'
root/kIr@t#29
alias mv='mv -i'
 
# Source global definitions
tmsh install /sys license registration-key <KEY>
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
resize() {
 
old=$(stty -g)
tmsh
stty raw -echo min 0 time 5
modify /security firewall management-ip-rules rules add { example_mgmt_rule { action accept destination { addresses add { 192.168.122.109 } ports add { 443 } } ip-protocol tcp log yes place-before first source { addresses add { 10.170.131.1-10.170.131.254 } ports none } status enabled uuid auto-generate } }
save /sys config
 
printf '\033[18t' > /dev/tty
=== Install CentOS ===
IFS=';t' read -r _ rows cols _ < /dev/tty
stty "$old"
stty cols $cols
stty rows $rows
export COLUMNS=$cols
export LINES=$rows
}
[[ $(tty) = '/dev/ttyS0' ]] && stty cols 1000
</syntaxhighlight>
 
wget https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2
 
stty -F /dev/ttyS0 rows 100
virt-customize -a CentOS-7-x86_64-GenericCloud-2111.qcow2 --root-password password:DDYrTXJZTJldOqimb68ZK5KCmRpbdBOe
stty -F /dev/ttyS0 cols 100
Now able to login to new guest as root / DDYrTXJZTJldOqimb68ZK5KCmRpbdBOe
 
 
 
== Prepare the Ubuntu Minimal Image ==
 
* Download Image file:
virt-builder --list
virt-builder centos-7.5 --format qcow2 --size 20G -o centos75-client.qcow2 --root-password password # no root password set
sudo mv centos75-client.qcow2 /var/lib/libvirt/images/
sudo cp /var/lib/libvirt/images/centos75-client.qcow2 /var/lib/libvirt/images/centos75-server.qcow2
 
=== Install Client ===
 
* Start VM:
<syntaxhighlight lang="bash">
sudo virt-install \
--name=CentOSclient \
--description="Ubuntu Minimal Client" \
--disk path=/var/lib/libvirt/images/centos75-client.qcow2,bus=virtio,format=qcow2 \
--network=bridge=virbr1,model=virtio \
--graphics none \
--console pty,target_type=serial \
--vcpus=1 --cpu host --ram=1024 \
--os-type=linux \
--os-variant=rhel6.0 \
--import --autostart --noautoconsole
</syntaxhighlight>
 
* Obtaining Console access:
sudo virsh console client
 
* Basic config:
sudo vi /etc/hostname # change hostname
 
sudo yum install httpd
sudo systemctl enable httpd
sudo systemctl start httpd
sudo systemctl status httpd
 
sudo iptables -F
 
=== Install WebServer ===
 
* Start VM:
<syntaxhighlight lang="bash">
sudo virt-install \
--name=server \
--description="CentOS WebServer" \
--disk path=/var/lib/libvirt/images/CentOScentos75-7-x86_64-GenericCloudserver.qcow2,bus=virtio,format=qcow2 \
--network=bridge=virbr2,model=virtio \
--disk path=/var/lib/libvirt/images/CentOS-7-x86_64-GenericCloud.DATASTOR.ALL.qcow2,size=8,bus=virtio,format=qcow2 \
--network=bridge=virbr0,model=virtio \
--graphics none \
--console pty,target_type=serial \
--vcpus=1 --cpu host --ram=20481024 \
--os-type=linux \
--os-variant=rhel6.0 \
--import --autostart --noautoconsole
</syntaxhighlight>
 
* Obtaining Console access:
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 443 -j DNAT --to-destination 192.168.122.110:443
sudo virsh console server
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 80 -j DNAT --to-destination 192.168.122.110:80
sudo iptables -F
sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
 
== F5 Configuration ==
 
=== Manually assign Management IP address ===
 
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip 192.168.30.217/24
tmsh create sys management-route default { gateway 192.168.30.1 network default }
 
=== Create VLAN ===
 
<pre>
net vlan myVlan {
fwd-mode l3
if-index 128
interfaces {
1.2 { }
}
sflow {
poll-interval-global no
sampling-rate-global no
}
tag 4094
}
</pre>
 
=== Create SelfIP ===
<pre>
net self SelfIpforPool {
address 192.168.68.3/24
traffic-group traffic-group-local-only
vlan myVlan
}
</pre>
 
=== Create Pool ===
<pre>
ltm pool myPool {
members {
server1:http {
address 192.168.68.108
logging enabled
session monitor-enabled
state up
}
}
monitor http
}
 
</pre>
=== Create VS ===
<pre>
ltm snat-translation 192.168.68.7 {
address 192.168.68.7
inherited-traffic-group true
traffic-group traffic-group-1
}
ltm snatpool mySNatIP {
members {
192.168.68.7
}
}
</pre>
 
<pre>
ltm virtual myVS {
creation-time 2024-04-30:09:50:10
destination 192.168.45.21:http
ip-protocol tcp
last-modified-time 2024-05-01:02:29:35
mask 255.255.255.255
pool myPool
profiles {
tcp { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
pool mySNatIP
type snat
}
translate-address enabled
translate-port enabled
vlans {
ExternalVlan
}
vlans-enabled
vs-index 2
}
</pre>
 
=== Enable Internet Access on VMs ===
 
; On VMs:
 
* Add Interface for the common network on host to the VMs:
sudo virsh attach-interface --type bridge --source virbr0 --model virtio client
 
; On Host:
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables --table nat --append POSTROUTING --out-interface ens192 -j MASQUERADE # ens192 is default exit interface in Host
sudo iptables --insert FORWARD --in-interface virbr0 -j ACCEPT # virbr0 is newly added interface in VM
 
== UCS Backup ==
tmsh save sys ucs $(echo $HOSTNAME | cut -d'.' -f1)-$(date +%H%M-%m%d%y)
scp root@192.168.30.217:/var/local/ucs/labdevice-0305-061324.ucs .
 
 
<br />
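Review bot: The line `curl -sk -u root:kIr@t#29 … https://192.168.122.109/mgmt/tm/sys/management-ip` stores the root password in the page history, as do `root/kIr@t#29`, `--root-password password:DDYrTXJZTJldOqimb68ZK5KCmRpbdBOe` and `--graphics vnc,password=admin123,…`; these should be placeholders such as `-u root:<PASSWORD>` and the real values rotated, because a wiki revision cannot be retracted. Whether each of these lines is new in this revision cannot be told from this rendering (old and new lines are interleaved), but the point applies either way. In the F5 `virt-install` block, `--graphics vnc,password=admin123,listen=0.0.0.0,port=5902` and `--serial tcp,host=:2223,mode=bind,protocol=telnet` bind the VNC console and an unauthenticated serial console to every host interface, while the topology shows the host itself reachable from outside; `listen=127.0.0.1` and `host=127.0.0.1:2223` keep them reachable only from the host. Minor: the qemu hook test `[ $v -le 2 ]` and `stty cols $cols` / `stty rows $rows` leave expansions unquoted (`[ "$v" -le 2 ]`), and `curl -sk` disables TLS verification, which is fine for a lab but deserves a comment saying so.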