F5: Difference between revisions
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
[[Category:LoadBalancers]] |
|||
__TOC__ |
|||
<br /> |
|||
= Interfaces = |
= Interfaces = |
||
Line 18: | Line 21: | ||
;LTM How BIG IP process Traffic |
;LTM How BIG IP process Traffic |
||
* Node - represent the Ip address |
* Node - represent the Ip address |
||
Line 44: | Line 46: | ||
* Check the status of nodes and pool members, if any pool member response time is not good or is not responding Big IP will not send the request to that node. |
* Check the status of nodes and pool members, if any pool member response time is not good or is not responding Big IP will not send the request to that node. |
||
;Monitor type |
;Monitor type: |
||
* Address check - BIG IP send ICMP request and wait for reply if there is no reply it considers nei down does not send the traffic further to that node. |
* Address check - BIG IP send ICMP request and wait for reply if there is no reply it considers nei down does not send the traffic further to that node. |
||
* Service check - will check TCP port number on which server is listening ,if no response it considers down ---- |
* Service check - will check TCP port number on which server is listening ,if no response it considers down ---- |
||
* Content check - we can check if the server is responding with right contest ,like for http request get/http .... request is send . |
* Content check - we can check if the server is responding with right contest ,like for http request get/http .... request is send . |
||
* Interactive check - TEST for FTP connection .once connection is open username and password is send then request is send get /file once file is received |
* Interactive check - TEST for FTP connection .once connection is open username and password is send then request is send get /file once file is received connection is closed . |
||
*F5 recommends time out = 3n+1 (frequency) for setting the monitor for http |
* F5 recommends time out = 3n+1 (frequency) for setting the monitor for http |
||
*Customization of monitor |
* Customization of monitor |
||
*Assign nodes to monitor |
* Assign nodes to monitor |
||
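Review bot: the "F5 recommends time out = 3n+1 (frequency)" bullet never defines n; write it as timeout = 3 × interval + 1 second so a reader can apply the rule without guessing which value "frequency" refers to. Same block, style: "considers nei down" in the Address check bullet is presumably "considers the node down", "right contest" in the Content check bullet should be "right content", and the stray "----" at the end of the Service check bullet should be dropped.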
Line 63: | Line 65: | ||
to avoid this we use prescience profile so that return request for the client is send to same server. |
to avoid this we use prescience profile so that return request for the client is send to same server. |
||
* Persistence profile - is configured for clients and group of clients how BIG IP knows the returning client request need to send to same server, persistence profile is configured taking source IP address of http cookie |
* Persistence profile - is configured for clients and group of clients how BIG IP knows the returning client request need to send to same server, persistence profile is configured taking source IP address of http cookie. |
||
* SSL termination |
* SSL termination |
||
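Review bot: "prescience profile" on the first line of this hunk is a typo for "persistence profile" and survives in both revisions; the sentence should read "so that the returning client's requests are sent to the same server". In the Persistence profile bullet, "taking source IP address of http cookie" should be "using the source IP address or an HTTP cookie", since those are the two persistence types the next section describes.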
Line 71: | Line 73: | ||
* All virtual servers have layer four profile includes TCP, UDP, Fast, l4 |
* All virtual servers have layer four profile includes TCP, UDP, Fast, l4 |
||
* Profile types - service profile, persistence profile |
* Profile types - service profile, persistence profile, protocol profile, SSL profile, authentication profile, other profiles. |
||
== Persistence Types == |
== Persistence Types == |
||
* Source address persistence: keeps the track of source |
* Source address persistence: keeps the track of source IP address, administrator can set the net mask in persistence record so that all clients in same mask will assigned to same pool member. |
||
* Limitation -if the client address being |
* Limitation - if the client address being NAt'ed. |
||
* Cookie |
* Cookie persistence - only uses http protocol |
||
* Three modes : (insert ,rewrite ,passive ) mode. |
* Three modes : (insert ,rewrite ,passive ) mode. |
||
Insert mode -BIG ip create special cookie in HTTP |
Insert mode - BIG ip create special cookie in HTTP response to client . |
||
rewrite -pool member created |
rewrite - pool member created blanK cookie and big ip inserts special cookie |
||
passive -pool |
passive - pool member created special cookie and BIG IP let it pass through |
||
== SSL Profile == |
== SSL Profile == |
||
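Review bot: the "Limitation - if the client address being NAt'ed" bullet is an unfinished sentence; state the consequence that follows from the Source address persistence bullet above it: clients behind one NAT share a source address, so they are all pinned to the same pool member and load is no longer spread. "Three modes : (insert ,rewrite ,passive ) mode." reads better as "Three modes: insert, rewrite and passive", followed by the three definitions already given.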
Line 103: | Line 105: | ||
= Deploy F5 in KVM = |
= Deploy F5 in KVM = |
||
[10.170.131.132:8443]---------[Mgmt-192.168.122.109:8443] |
[10.170.131.132:8443] ---------> [Mgmt-192.168.122.109:8443] |
||
[10.170.131.132:443]---------[VIP-192.168.122.110:443]--------------[CentOS-192.168.122.98:80] |
[10.170.131.132:443] ----------> [VIP-192.168.122.110:443] --------------> [CentOS-192.168.122.98:80] |
||
* Download the Image from F5 Portal: |
* Download the Image from F5 Portal: |
||
Line 111: | Line 113: | ||
<pre> |
<pre> |
||
virt-install --name ubuntu-trusty --ram 256 --disk path=/var/kvm/images/trusty.img,size=3 --vcpus 1 --os-type linux --os-variant ubuntutrusty --graphics none --console pty,target_type=serial --location 'http://fr.archive.ubuntu.com/ubuntu/dists/trusty/main/installer-amd64/' --extra-args 'console=ttyS0,115200n8 serial' |
virt-install --name ubuntu-trusty --ram 256 --disk path=/var/kvm/images/trusty.img,size=3 --vcpus 1 --os-type linux --os-variant ubuntutrusty --graphics none --console pty,target_type=serial --location 'http://fr.archive.ubuntu.com/ubuntu/dists/trusty/main/installer-amd64/' --extra-args 'console=ttyS0,115200n8 serial' |
||
sudo virt-install --name bigip\ |
sudo virt-install --name bigip\ |
||
Line 139: | Line 140: | ||
--os-variant=rhel6 \ |
--os-variant=rhel6 \ |
||
--import --autostart --noautoconsole |
--import --autostart --noautoconsole |
||
sudo virsh shutdown bigip |
sudo virsh shutdown bigip |
||
sudo virsh destroy bigip |
sudo virsh destroy bigip |
||
sudo virsh undefine --domain bigip |
sudo virsh undefine --domain bigip |
||
sudo virsh list --all |
sudo virsh list --all |
||
sudo virsh net-dhcp-leases default |
|||
sudo virsh net-dhcp-leases default |
sudo virsh net-dhcp-leases default |
||
10.170.131.132 |
10.170.131.132 |
||
192.168.122.109 |
192.168.122.109 |
||
sudo virsh console bigip |
sudo virsh console bigip |
||
Line 164: | Line 160: | ||
tmsh show sys management-ip --> notworking |
tmsh show sys management-ip --> notworking |
||
tmsh show running-config |
tmsh show running-config |
||
nano /etc/libvirt/hooks/qemu |
nano /etc/libvirt/hooks/qemu |
||
#!/bin/bash |
#!/bin/bash |
||
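Review bot: "--> notworking" on the first line of this hunk is a comment written into the <pre> command listing, so it reads as part of the tmsh command; move it out of the listing into a sentence that says what failed and how it was checked instead.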
Line 184: | Line 177: | ||
# avoid duplicate as this hook get called for each VM |
# avoid duplicate as this hook get called for each VM |
||
[ $v -le 2 ] && /sbin/iptables -I FORWARD 1 -o virbr0 -m state -s 10.170.131.0/24 -d 192.168.122.109/32 --state NEW,RELATED,ESTABLISHED -j ACCEPT |
[ $v -le 2 ] && /sbin/iptables -I FORWARD 1 -o virbr0 -m state -s 10.170.131.0/24 -d 192.168.122.109/32 --state NEW,RELATED,ESTABLISHED -j ACCEPT |
||
chmod -v +x /etc/libvirt/hooks/qemu |
chmod -v +x /etc/libvirt/hooks/qemu |
||
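Review bot: the FORWARD rule in the qemu hook has no protocol or port match, so it admits any protocol on any port from 10.170.131.0/24 to the management address 192.168.122.109, far wider than the 8443 (and 443) DNAT rules that actually publish it; add "-p tcp --dport 8443" (or a multiport list of the published ports) so the accept matches what is exposed. The guard "[ $v -le 2 ]" depends on a variable v that is not defined in the visible part of the script; show how it is computed (the "avoid duplicate" comment suggests a count of existing rules), because with v unset the test fails with a "unary operator expected" error and the rule is never inserted.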
Line 195: | Line 187: | ||
-A PREROUTING -d 10.170.131.132 -p tcp --dport 443 -j DNAT --to-destination 192.168.122.109:443 -m comment --comment "Port443 for BigIP" |
-A PREROUTING -d 10.170.131.132 -p tcp --dport 443 -j DNAT --to-destination 192.168.122.109:443 -m comment --comment "Port443 for BigIP" |
||
COMMIT |
COMMIT |
||
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 8443 -j DNAT --to-destination 192.168.122.109:8443 |
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 8443 -j DNAT --to-destination 192.168.122.109:8443 |
||
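Review bot: the persisted rule "-A PREROUTING -d 10.170.131.132 -p tcp --dport 443 -j DNAT --to-destination 192.168.122.109:443" sends host port 443 to the BIG-IP management address, but the Install CentOS section below adds "sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 443 -j DNAT --to-destination 192.168.122.110:443" for the VIP, and the topology diagram at the top of this section maps :443 to the VIP and :8443 to management. Only the first matching PREROUTING rule applies, so one of the two is dead depending on insertion order; drop the 443 → 192.168.122.109 rule and keep management reachable on 8443 only, which is what the diagram documents.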
Line 202: | Line 192: | ||
sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT |
sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT |
||
sudo service netfilter-persistent save |
sudo service netfilter-persistent save |
||
curl -sk -u root:kIr@t#29 -H "Content-Type: application/json" -X GET https://192.168.122.109/mgmt/tm/sys/management-ip | jq -M . |
curl -sk -u root:kIr@t#29 -H "Content-Type: application/json" -X GET https://192.168.122.109/mgmt/tm/sys/management-ip | jq -M . |
||
192.168.122.145 |
192.168.122.145 |
||
root/kIr@t#29 |
root/kIr@t#29 |
||
tmsh install /sys license registration-key |
tmsh install /sys license registration-key <KEY> |
||
tmsh install /sys license registration-key CEGMC-JBZNW-LGQZT-GPNOL-WHXDLFL |
|||
tmsh |
tmsh |
||
modify /security firewall management-ip-rules rules add { example_mgmt_rule { action accept destination { addresses add { 192.168.122.109 } ports add { 443 } } ip-protocol tcp log yes place-before first source { addresses add { 10.170.131.1-10.170.131.254 } ports none } status enabled uuid auto-generate } } |
modify /security firewall management-ip-rules rules add { example_mgmt_rule { action accept destination { addresses add { 192.168.122.109 } ports add { 443 } } ip-protocol tcp log yes place-before first source { addresses add { 10.170.131.1-10.170.131.254 } ports none } status enabled uuid auto-generate } } |
||
save /sys config |
save /sys config |
||
=== Install CentOS === |
=== Install CentOS === |
||
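Review bot: live credentials are committed in this hunk: the root password appears in "curl -sk -u root:..." and again on the "root/..." line, and the old revision carried the license registration key, which the new revision swaps for "<KEY>" but which stays readable in the page history. Treat both as exposed: rotate the password, replace it with a placeholder the way the key was, and let curl prompt with "-u root" (or read a netrc) instead of putting the secret on the command line. Separately, "-k" turns off certificate verification; for a lab BIG-IP with a self-signed certificate, export the device certificate and pass it with --cacert rather than disabling the check.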
Line 226: | Line 210: | ||
virt-customize -a CentOS-7-x86_64-GenericCloud-2111.qcow2 --root-password password:DDYrTXJZTJldOqimb68ZK5KCmRpbdBOe |
virt-customize -a CentOS-7-x86_64-GenericCloud-2111.qcow2 --root-password password:DDYrTXJZTJldOqimb68ZK5KCmRpbdBOe |
||
Now able to login to new guest as root / DDYrTXJZTJldOqimb68ZK5KCmRpbdBOe |
Now able to login to new guest as root / DDYrTXJZTJldOqimb68ZK5KCmRpbdBOe |
||
sudo virt-install \ |
sudo virt-install \ |
||
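Review bot: "virt-customize ... --root-password password:..." puts the guest root password on the command line, where it lands in shell history and is visible to other users via ps, and the next line repeats it as the login hint. Use "--root-password file:/path/to/secret" (or "random", which prints a generated password once) and replace the literal in both lines with a placeholder; the password in this revision should be considered exposed.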
Line 241: | Line 223: | ||
--os-variant=rhel6 \ |
--os-variant=rhel6 \ |
||
--import --autostart --noautoconsole |
--import --autostart --noautoconsole |
||
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 443 -j DNAT --to-destination 192.168.122.110:443 |
sudo iptables -t nat -I PREROUTING -p tcp -d 10.170.131.132 --dport 443 -j DNAT --to-destination 192.168.122.110:443 |
||
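Review bot: "--os-variant=rhel6" is carried over from the BIG-IP definition, but the image imported here is CentOS-7-x86_64-GenericCloud-2111.qcow2; use a RHEL 7 / CentOS 7 variant (for example centos7.0, as listed by osinfo-query os) so libvirt chooses the right default devices for the guest. The 443 DNAT to 192.168.122.110 on the last line is the one the topology diagram describes; it only takes effect if it is the first PREROUTING rule for port 443, since an earlier 443 → 192.168.122.109 rule exists in the BIG-IP section above.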
Line 247: | Line 228: | ||
sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT |
sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT |
||
</pre> |
</pre> |
||
<br /> |
|||
;References |
|||
<references/> |
|||
<br /> |
|||
<br /> |
|||
<br /> |
|||
{{DISQUS}} |
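Review bot: "sudo iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT" (repeated from the BIG-IP section) accepts new forwarded connections to every address and port on the guest network from any source, not just the two DNAT'd services; replace it with per-target rules such as "-p tcp -d 192.168.122.110 --dport 443" and "-p tcp -d 192.168.122.109 --dport 8443", and keep a separate "--state RELATED,ESTABLISHED" rule for return traffic.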