F5 link controller


Published in: Technology
  • very good
  • good

  1. Link Controller Team Training (CONFIDENTIAL)
     Presented by: Denny Payne, Consultant
  2. Link Controller Overview
     • Purpose: Link Controller is designed to provide load balancing and/or failover for multiple locally attached ISP links.
     • Hardware & Licensing: Sold on 1500 and 3400 platforms, either standalone or as a module on top of LTM/GTM
     • Focus of this presentation is v9, but most concepts apply to v4 as well
  3. Link Controller Advantages
     • Advantages to customer:
       – Eliminates BGP requirements
       – ISPs not required to coordinate
       – New links can be added transparently
       – GUI management of zone files: ZoneRunner (v9) or NameSurfer (v4)
     • Advantages over competition:
       – Modular construction on TMOS
       – iRules and health checking capability
  4. Link Controller Limitations
     • A standalone LC is a hybrid of LTM (BIG-IP) and GTM (3-DNS) with a subset of each feature set
     • No L7 iRules or health checking functionality
     • No advanced load balancing algorithms (obsv/pred)
     • No ability to resolve IPs that it does not host (therefore no site-to-site failover or DR)
     • Must be locally attached to public IP blocks
       – Therefore, must sit outside the firewall
       – May not be desirable to do LC/LTM combo
  5. Typical Link Controller Deployment
  6. Deployment considerations
     • LC's hybrid design can be summed up by noting:
       – Outbound traffic is processed like LTM (BIG-IP)
       – Inbound traffic is processed like GTM (3-DNS)
     • Link Controller must be the default gateway for the firewall
  7. LC Quick Start
     • Define VLANs
     • Define Self IPs
     • Create Gateway Pool
     • Create default route, reference Gateway pool
     • Define links
     • Define NTP server
     • Define Listeners for each link
     • Create outbound wildcard LB Virtual Server, reference the gateway pool
     • Create outbound SNATs or SNAT pools for each egress VLAN
     • Create Local Traffic Pools
     • Create Local Traffic Virtual Servers for each link
     • Create a WideIP
  8. Inbound LC Transaction
     • Internet client requests name resolution for gnu.es.f5net.com
     • Internet DNS servers tell client that lc.es.f5net.com is the authoritative name server for the es.f5net.com zone
     • Client queries lc.es.f5net.com for name resolution of gnu.es.f5net.com
     • lc.es.f5net.com returns the IP address, the LTM virtual server on link1
     • The client sends its HTTP request to and the LC processes the request as per the configuration of that LTM virtual server and default pool
  9. Outbound Traffic
     • Outbound traffic is handled in a manner similar to LTM server load balancing.
     • Create a pool containing each of the ISP router gateway addresses with service port "any"
     • Create a wildcard virtual server ( using all protocols, enabled on the internal VLAN and point it to the previously created pool.
     • Enable SNAT automap from the internal VLAN
  10. Typical Link Controller Deployment
  11. Outbound Traffic options
     • If desired, more specific virtual servers may be used to split up traffic in different ways.
     • Example: create 3 pools, one with both gateways, another with only gateway 1 and a third with only gateway 2. Then create using pool 1, 0:0:0:0:80 using pool 2, and 0:0:0:0:25 using pool 3.
     • This may be expanded upon with pool priority and/or iRules to produce the desired traffic flow
     • Allow ANY IP over SNAT for icmp/ping.
  12. Pool load balancing
     • Round robin and static ratio are available, but the typical setting will be dynamic ratio.
     • Dynamic ratio will use the link configuration settings (discussed in next section) to make load balancing decisions
  13. Inbound Traffic
     • Inbound traffic is handled in the same manner as GTM (3-DNS)
       – Recall the limitation that it can only hand out addresses that it hosts
     • Requires DNS delegation
       – At minimum, LC must be authoritative for the domains that are load balanced/failed over
       – Can take over the entire domain if desired
  14. DNS Listeners
     • Need a DNS listener on each ISP network
       – Use floating address for redundant pair
       – For more than 2 ISPs pick the 2 primary links since DNS typically will only use a ns1 and ns2 record
     • No v4 equivalent, udp 53 should be allowed to floating IPs on each ISP netblock
  15. Inbound Pools and VIPs
     • Inbound pools and VIPs are set up in nearly the same manner as LTM, with 2 key differences
       – Pools will usually only have 1 member, which is the NAT address for the application on the firewall
       – Need a virtual server on each ISP's network that points to the same pool
       – These virtuals correspond to the DNS entries that LC will give out to clients for a given domain
  16. Typical Link Controller Deployment
  17. Link Configuration
     • Define the links (one per ISP) and set up the relevant cost and/or bandwidth structure for each
       – Link capacity
       – Price per mb (prepaid vs burst cost)
     • Dynamic ratio will use these figures to determine load balancing
       – Not necessarily required to be real-world figures
  20. WideIP Configuration
     • Final step is creation of WideIPs
       – Domain name to virtual server mapping
       – Only allowed to use virtual servers that are hosted by the LC itself
       – No pools concept as on GTM
     • ZoneRunner entries created automatically
       – NameSurfer in v4
  21. Typical Link Controller Deployment
  22. Special Considerations
     • IPSEC (VPNs)
       – LC cannot terminate IPSEC tunnels
       – IPSEC typically cannot survive a NAT
         • Some IPSEC clients cannot resolve by name
     • Solution 1: Forward IPSEC directly to firewall or endpoint
       – Requires public IP block between LC and firewall
       – Requires IP forwarding virtual on LC from external to internal
  23. IPSEC cont.
     • Solution 2: Implement an IPSEC solution that supports NAT traversal or "tunnel and transport mode"
       – Uses typical LC configuration (SNAT automap outbound and virtual -> pool inbound)
       – Checkpoint and PIX definitely support, others not verified
  24. Typical Link Controller Deployment
  25. Special Considerations cont.
     • L2 Bridging not recommended
       – Supposedly can be configured on one link, with outbound wildcard VIP bound to internal child VLAN and doing SNAT automap
       – Proceed at own risk
     • BIND vs ZoneRunner/NameSurfer
       – Customer may choose to use BIND to manage zone files (particularly if LC is taking over entire domain)
       – Typically, once done, cannot be reverted
  26. How do I manage BIND zonefiles?
     • BIND zone management is the same as in LTM, manual and not supported.
     • ZoneRunner is NOT included in the LC software module.
     • One can configure BIND manually, and maintain it through the CLI.
       – Configuration of BIND via CLI is not supported.
       – We will patch named if a bug is found in the named code and a new version is available to address that bug.
  27. The LC Link Object: Basic View
     • Link object functionality is the same as that of 4.x, and consists of the following elements:
       – Name: Link object name
       – Router Address: The address of the gateway router for that ISP link
       – Uplink Address: The router's IP address that connects to the ISP
       – Service Provider: Descriptive field used for a logical identification of that link's service provider
       – Health Monitor: the bigip_link monitor is the recommended monitor for links
  28. LC Objects
     • LC UI objects inherited from LTM are configured in the same way they are configured on an LTM standalone product.
     • LC Links are configured in the Network section of the UI, but the link objects are stored in the wideip.conf file.
       – Links: Network->Links
     • GTM inherited features are configured under the "Global Traffic" section of the UI.
       – GTM Listeners: Global Traffic->Listeners
       – WideIPs: Global Traffic->Inbound Link Traffic
       – Topology: Global Traffic->Topology
     • Note: WideIP pools are not explicit objects in the UI. WideIP pools are automatically created by mcpd; their object names match that of their WideIP's FQDN!
  29. WideIP pools on a Link Controller
     • The WideIP pool objects are not visible via the UI on Link Controller. If a problem exists with a WideIP pool it will be necessary to edit the wideip.conf file from the command line.
     • WideIP pools get an object name that matches the WideIP's FQDN, thus it is easy to determine which WideIP pool will need to be edited.
     • Example: If an administrator attempts to create a WideIP from the UI, and the creation action fails due to a misconfiguration, the WideIP pool may get written out to the wideip.conf file, but the admin will not be able to see this from the UI.
  30. Known Issues (as of 9.2.3)
     • Many hotfixes are available
     • /config/gtm/wideip.conf seems susceptible to corruption in various ways
       – IPs configured in GUI and later removed are not always cleaned up properly. This can lead to odd behavior in the GUI.
     • ZoneRunner issues
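
The inbound behaviour described in slides 8, 13 and 15 (one virtual server per ISP link for the same application, with the LC answering DNS only for names it hosts) can be modelled as below. This is an added example, not code from the presentation or from F5: the `Link` fields, the sample addresses and the "least utilised, then cheapest" selection rule are assumptions standing in for dynamic ratio, whose actual algorithm the slides do not give.

```python
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_mbps: float    # "link capacity" from the link configuration
    price_per_mb: float     # "price per mb" from the link configuration
    used_mbps: float = 0.0  # current load (hypothetical field)
    up: bool = True         # result of the link health monitor


# Constructed sample data; addresses come from documentation ranges.
LINKS = {
    "link1": Link("link1", capacity_mbps=100, price_per_mb=1.0),
    "link2": Link("link2", capacity_mbps=50, price_per_mb=2.0),
}
# Wide IP: FQDN -> {link name: virtual server address hosted on that link}.
WIDEIPS = {
    "www.example.com": {"link1": "192.0.2.10", "link2": "198.51.100.10"},
}


def resolve(fqdn, links=LINKS, wideips=WIDEIPS):
    """Return the virtual server address to hand out for fqdn, or None."""
    virtuals = wideips.get(fqdn)
    if virtuals is None:
        return None  # name is not hosted here, so the LC cannot answer
    candidates = [links[n] for n in virtuals if n in links and links[n].up]
    if not candidates:
        return None  # every link carrying this wide IP is down
    # Assumed rule: least utilised link first, cheaper link on a tie.
    best = min(
        candidates,
        key=lambda l: (l.used_mbps / l.capacity_mbps, l.price_per_mb),
    )
    return virtuals[best.name]


if __name__ == "__main__":
    print(resolve("www.example.com"))   # both links idle: cheaper link wins
    LINKS["link1"].up = False           # simulate an ISP outage
    print(resolve("www.example.com"))   # answer moves to the other link
```

Marking a link down changes only the DNS answer; clients that cached the earlier address keep using it until the record's TTL expires.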