F5 BIG-IP Practice Labs
Redouane MEDDANE

Table of Contents
Lab 1: SSL Decryption on F5 BIG-IP
Lab 2: Multiple Default Gateways and Path Monitor
Lab 3: OSPF Routing Protocol and Kernel Route
Lab 4: iRule Script for Traffic Processing
Lab 5: High Speed Logging
Lab 6: F5 BIG-IP iHealth Diagnostics Tool
Lab 7: F5 BIG-IP High Availability
Lab 8: Connection and Persistence Mirroring on BIG-IP HA
Lab 1: SSL Decryption on F5 BIG-IP

Create one SSL certificate for the external clients and another for the internal servers.

Create a custom SSL certificate for the Client PC. System » File Management: SSL Certificate List » click Create.
General Properties section:
Name: F5_Cert
Certificate Properties section:
Issuer: Self
Common Name: lab.local
Division: lab
Organization: local
Locality: training
State or Province: SJ
Country: United States
Lifetime: 365
Key Properties section:
Key Type: RSA
Size: 2048
When complete, click Finished.

Create a Client SSL profile called SSL_Profile with clientssl as its parent. Local Traffic » Profiles » SSL » Client and click Create.
General Properties section:
Name: SSL_Profile
Parent Profile: clientssl
Configuration section:
Certificate Key Chain: add the F5_Cert certificate and key created previously
When complete, click Finished.

Create a custom SSL certificate for the backend servers. System » File Management: SSL Certificate List » click Create.
General Properties section:
Name: F5_SRV_Cert
Certificate Properties section:
Issuer: Self
Common Name: server.com
Division: server
Organization: F5 admin
Locality: training
State or Province: SJ
Country: United States
Lifetime: 365
Key Properties section:
Key Type: RSA
Size: 2048
When complete, click Finished.

Create a Server SSL profile called SSL_Profile_SRV with serverssl as its parent. Local Traffic » Profiles » SSL » Server and click Create.
General Properties section:
Name: SSL_Profile_SRV
Parent Profile: serverssl
Configuration section:
Certificate: F5_SRV_Cert
Key: F5_SRV_Cert
When complete, click Finished.
The certificate of a Server SSL profile is only presented to a pool member that requests client authentication. Note also that the serverssl parent leaves Server Certificate at Ignore, so the BIG-IP does not validate the certificate presented by the backend; this is fine for the lab, but on an untrusted server-side network set it to Require with a trusted CA bundle.

Edit the virtual server called https_vs with an IP address of 10.10.1.101:443. In the Configuration section, under SSL Profile (Client), move SSL_Profile from the Available profiles to the Selected profiles. Under SSL Profile (Server), move SSL_Profile_SRV from the Available profiles to the Selected profiles.

Ensure that the pool https_pool is assigned to the virtual server https_vs in the Resources section, and that https_pool has two pool members, 172.16.1.1:443 and 172.16.1.2:443.

In the web browser of the Client PC, go to https://10.10.1.101. If prompted, accept the certificate warning (F5_Cert is self-signed).

In the web browser, view the certificate of the client-side connection: you should see F5_Cert, the certificate associated with the Client SSL profile.

To be able to decrypt the captured SSL session data, configure an iRule named SSL_iRule that makes the BIG-IP itself log the session ID and session secret of each handshake.

Apply this new iRule to the virtual server. Edit the virtual server https_vs (10.10.1.101:443); on the Resources tab, in the iRules section, click the Manage button and assign SSL_iRule by moving its entry from the Available column to the Enabled column.

From the Admin PC, log in to the BIG-IP as root and enter the tcpdump command at the bash prompt. Capture the traffic sent from the Client PC 10.10.1.200 to 172.16.1.0/24, the subnet of the backend servers, with destination port 443 on VLAN internal, and save it to the file /var/tmp/SSL_201.cap on the BIG-IP system.

In the web browser of the Client PC, go to https://10.10.1.101. Notice that the BIG-IP load balances to the pool member 172.16.1.2:443. Return to the CLI: you should see tcpdump capturing the SSL traffic exchanged between the Client PC 10.10.1.200 and Server-2 172.16.1.2.

From the Admin PC, open a WinSCP session to your F5 BIG-IP using the following settings:
File Protocol: SFTP
Hostname: 192.168.1.31
Port number: 22
Username: root
Password: root
Click the root directory folder, navigate to var then tmp, and drag the file SSL_201.cap from the BIG-IP to the Admin PC. Open the file in Wireshark.

Right-click one of the SSL packets and select Follow » TCP Stream. The application data is shown encrypted.

Now run the following command from the CLI of the BIG-IP to extract the logged session secrets into the file F5-201-Key.pms. The file can then be retrieved from the BIG-IP and loaded into Wireshark. From the Admin PC, open a WinSCP session to your F5 BIG-IP.

Click the root directory folder, navigate to var then tmp, and drag the file F5-201-Key.pms from the BIG-IP to the Admin PC. Open Wireshark and go to Edit » Preferences. Expand the Protocols menu, select TLS, browse to the (Pre)-Master-Secret log file F5-201-Key.pms and click OK.

Open the previous SSL_201.cap file in Wireshark. Right-click the HTTP request GET / HTTP/1.1 sent by the Client PC 10.10.1.200 and select Follow » TLS Stream. You now see the decrypted data sent by the Client PC.

Right-click the HTTP response HTTP/1.1 200 OK sent by Server-2 172.16.1.2 and select Follow » TLS Stream. You can see the decrypted HTTP response sent by Server-2.

The secrets written to /var/log/ltm and to F5-201-Key.pms decrypt every session captured while the iRule was active. Remove SSL_iRule from https_vs and delete the key file and the capture once the lab is finished.
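The SSL_iRule script and the extraction command are images on the slides. The following is an added example of how that iRule can be written; it is not the lab's own code. It assumes a BIG-IP release whose iRules provide SSL::sessionid and SSL::sessionsecret in the handshake events. Wireshark reads key log lines of the form RSA Session-ID:<hex> Master-Key:<hex>, so each log line is built in exactly that shape:

```tcl
# SSL_iRule: added example of the session-secret iRule used in Lab 1
# (not the lab's own code). Assumes BIG-IP iRules that provide
# SSL::sessionid and SSL::sessionsecret in the handshake events.
#
# Each log line is written in the shape Wireshark reads from its
# (Pre)-Master-Secret log file:
#     RSA Session-ID:<hex session id> Master-Key:<hex master secret>
# Anything before "RSA Session-ID" is a tag for the reader and is dropped
# when the .pms file is extracted from /var/log/ltm.

when CLIENTSSL_HANDSHAKE {
    # Client PC <-> BIG-IP session, negotiated with SSL_Profile.
    log local0. "clientside RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}

when SERVERSSL_HANDSHAKE {
    # BIG-IP <-> pool member session, negotiated with SSL_Profile_SRV.
    # This is the session that appears in SSL_201.cap, captured on
    # VLAN internal between 10.10.1.200 and 172.16.1.2:443.
    log local0. "serverside RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}
```

To build the key file on the BIG-IP, keep only the part of each log line from RSA Session-ID onwards, for example with grep -o 'RSA Session-ID:.*' /var/log/ltm > /var/tmp/F5-201-Key.pms (one way to do the extraction the lab's command slide describes, not that command). Wireshark matches these entries on the session ID of the ServerHello, so they decrypt TLS 1.2 and earlier whatever the key exchange; they do not apply to TLS 1.3, whose per-traffic secrets need the labelled entries of the CLIENT_RANDOM key log format.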
Lab 2: Multiple Default Gateways and Path Monitor

Create a custom ICMP monitor. Create a new monitor with the following settings:
General Properties section:
Name: GW_Monitor
Type: Gateway ICMP
Configuration section:
Interval: 3 seconds
Timeout: 10 seconds
Transparent: Yes
Alias Address: 8.8.8.8
With Transparent set to Yes, the monitor packet is addressed to the alias IP 8.8.8.8 but sent to the MAC address of the pool member, that is, through that gateway. The member is therefore marked down whenever the path through that gateway to 8.8.8.8 fails, not only when the gateway itself stops answering; this is the path monitor of the lab title.
When complete, click Finished.

Create a pool using the following settings:
Configuration section:
Configuration: Basic
Name: ISP-Pool
Health Monitor: GW_Monitor
Resources section:
Load Balancing Method: Round Robin
Priority Group Activation: Disabled
ISP-1 member: Node Name: ISP-1, Address: 211.1.1.254, Service Port: * All Services; click Add
ISP-2 member: Node Name: ISP-2, Address: 222.2.2.254, Service Port: * All Services; click Add
When complete, click Finished.

To configure multiple default gateways on the BIG-IP system, you create a default gateway pool that contains the IP addresses of the routers the BIG-IP will use as gateways, with a gateway monitor attached, and then assign that pool as the resource of the default route. The BIG-IP distributes outbound connections across the gateways that are up and stops using a gateway whose monitor fails. To assign the pool you created as the default gateway, go to Network » Routes and click Add:
Name: Default_Gateway
Destination: 0.0.0.0
Netmask: 0.0.0.0
Resource: Use Pool
Pool: ISP-Pool
Click Finished.

Verify the state of the pool ISP-Pool and the state of its pool members. On ISP-3, disable the F0/0 interface. Verify the state of the pool member ISP-1: it is no longer available.

On ISP-3, disable the F0/0 interface. Verify the state of the pool member ISP-2: it is no longer available.
Lab 3: OSPF Routing Protocol and Kernel Route

Configure OSPF between the F5 BIG-IP and the router R1. Dynamic routing is enabled per route domain: edit the route domain (Network » Route Domains), move OSPF into the enabled Dynamic Routing Protocols and click Finished.

If OSPF is enabled, the zebos check command returns output similar to the following. Access the F5 BIG-IP CLI and execute the imish command to enter the ZebOS router shell. Type enable to reach privileged mode and conf t to reach global configuration mode, then configure OSPF on the BIG-IP with the following commands: the internal subnet 10.1.5.0/24 is placed in area 1 and the external subnet 10.10.1.0/24 in area 0. Configure OSPF on the router R1 with the following commands. On the BIG-IP and on R1, verify the neighbor relationship with sh ip os nei (show ip ospf neighbor); the adjacency should be Full.

Check the routing table of R1: the inter-area route 10.1.5.0/24 is there. Check the routing table of the BIG-IP: the inter-area route 172.20.1.0/24 is learned. Now verify the RIB of the BIG-IP with sh ip route: the virtual addresses 10.100.1.1, 10.100.1.2 and 10.100.1.3 are not there. So how do we advertise these addresses so that R1 learns them and clients can reach the virtual servers and be load balanced to the internal servers? Return to the GUI of the BIG-IP, Local Traffic » Virtual Servers » Virtual Address List.

Enable the Route Advertisement option for the virtual address 10.100.1.1. Enable the Route Advertisement option for the virtual address 10.100.1.2. Enable the Route Advertisement option for the virtual address 10.100.1.3. The route is only advertised while the virtual address has an available virtual server, so R1 stops receiving it when the service goes down.

Check the routing table of the BIG-IP again: the host routes are now installed with the route source "K" (kernel). By default the dynamic routing protocol redistributes the connected interfaces of the BIG-IP, and with redistribute static it would also advertise the static routes. The virtual address routes are neither connected nor static; they are a separate type, kernel routes, so they must be redistributed explicitly for the virtual addresses to become reachable from the Client PC. Under router ospf, execute the redistribute kernel command. (redistribute kernel exports every kernel route; if other kernel routes exist, restrict it with a route-map to the virtual addresses you intend to publish.) Verify the routing table of R1: the virtual addresses 10.100.1.1, 10.100.1.2 and 10.100.1.3 are now learned as O E2 routes.

Look at the Type-5 LSA for 10.100.1.1/32: the Advertising Router is 0.0.0.2, the router ID of the BIG-IP. Look at the Type-5 LSA for 10.100.1.2/32: the Advertising Router is 0.0.0.2, the router ID of the BIG-IP.

Look at the Type-5 LSA for 10.100.1.3/32: the Advertising Router is 0.0.0.2, the router ID of the BIG-IP. Verify the connectivity to the virtual servers. From the Client PC access the URL http://10.100.1.1; this should be successful. From the Client PC access the URL https://10.100.1.2; this should be successful.

From the Client PC access the URL https://10.100.1.3; this should be successful.
Lab 4: iRule Script for Traffic Processing

Create a pool using the following settings:
Name: Internal_HTTP_Pool
Health Monitors: http
Member(s): 172.16.1.10:80
Create another pool using the following settings:
Name: Other-HTTP-Pool
Health Monitors: http
Member(s): 172.16.1.20:80

Create a virtual server named VS_HTTP_iRule with destination IP address and port 10.10.1.115:80. Do not assign a default pool.

Create a new iRule named iRule_For_Pool using the script below. This iRule sends the clients whose IP address starts with the three octets 10.10.1 to the pool Internal_HTTP_Pool and all other clients to the pool Other-HTTP-Pool.

Before associating the iRule with the virtual server, assign an HTTP profile to VS_HTTP_iRule as shown below; the HTTP_REQUEST event used by the iRule is only raised on a virtual server that has an HTTP profile.

Edit the virtual server VS_HTTP_iRule; on the Resources tab, in the iRules section, click the Manage button. Assign iRule_For_Pool to the virtual server by moving its entry from the Available column to the Enabled column.

Access the CLI of the F5 BIG-IP and execute tail -f /var/log/ltm to view the log messages.

From Client-1 PC 10.10.1.200, connect to the virtual server at http://10.10.1.115. You should see the page contents delivered by the pool member Server-1 172.16.1.10:80. Check the log messages: they indicate that the connection was sent to pool Internal_HTTP_Pool.

From Client-2 PC 10.10.2.200, connect to the virtual server at http://10.10.1.115. You should see the page contents delivered by the pool member Server-2 172.16.1.20:80. Check the log messages: they indicate that the connection was sent to pool Other-HTTP-Pool.

Configure SNAT Auto Map so that the client's IP address is hidden and translated to a self IP of the BIG-IP. Edit the virtual server VS_HTTP_iRule and, in the Configuration section, select Auto Map for Source Address Translation. From Client-1 PC 10.10.1.200, connect to the virtual server at http://10.10.1.115. View the client IP address seen by the server: it has changed from 10.10.1.200 to 172.16.1.33, the floating self IP address of VLAN internal, the egress VLAN for traffic flowing from the BIG-IP to the pool members.

View the HTTP headers of the request from Client-1 PC: X-Forwarded-For is not set. From Client-2 PC 10.10.2.200, connect to the virtual server at http://10.10.1.115. View the client IP address seen by the server: it has changed from 10.10.2.200 to 172.16.1.33 as well.

View the HTTP headers of the request from Client-2 PC: X-Forwarded-For is not set. When SNAT translates the source IP address of incoming connections, the internal servers see the requests as originating from the SNAT address and not from the original client. By inserting an X-Forwarded-For header, the BIG-IP carries the original client IP address in the server-side request. To set X-Forwarded-For, modify the iRule by adding the following code to the HTTP_REQUEST event (iRule command names are case sensitive, so it must be HTTP::header, not http::header):

    log local0. "inserting XFF header for [IP::remote_addr]"
    HTTP::header insert X-Forwarded-For [IP::remote_addr]

From Client-1 PC, connect to http://10.10.1.115. The page contents are delivered by pool member Server-1 172.16.1.10:80; look at the HTTP headers and you should see the original IP address 10.10.1.200 in the X-Forwarded-For field.

From Client-2 PC, connect to http://10.10.1.115. The page contents are delivered by pool member Server-2 172.16.1.20:80; look at the HTTP headers and you should see the original IP address 10.10.2.200 in the X-Forwarded-For field.

Confirm the log messages from the CLI. Next, collect the browser version (User-Agent) via the iRule to discover which browser and version were used to access the virtual server. Add the following code:

    log local0. "User-Agent: [HTTP::header "User-Agent"]"

From Client-2 PC, connect to http://10.10.1.115 using Firefox. In the log messages, you should see the BIG-IP recording Firefox with its version.

From Client-2 PC, connect to http://10.10.1.115 using Chrome. In the log messages, you should see the BIG-IP recording Chrome with its version.

From Client-2 PC, connect to http://10.10.1.115 using Internet Explorer. In the log messages, you should see the BIG-IP recording MSIE with its version (Internet Explorer 11 no longer sends the MSIE token and identifies itself with Trident/7.0 and rv:11.0 instead).
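The iRule_For_Pool script itself is an image on the slide. The following is an added example, not the lab's own iRule, that combines the three steps of this lab (pool selection on the client address, X-Forwarded-For insertion, User-Agent logging) in one HTTP_REQUEST event. It assumes the pools Internal_HTTP_Pool and Other-HTTP-Pool, a virtual server with an HTTP profile and no default pool, and SNAT Auto Map, as configured above:

```tcl
# iRule_For_Pool: added example (not the lab's own iRule) for VS_HTTP_iRule.
# Assumptions: pools Internal_HTTP_Pool and Other-HTTP-Pool exist, the
# virtual server has an HTTP profile and no default pool, and SNAT Auto Map
# is enabled so the pool member only sees the BIG-IP self IP.

when HTTP_REQUEST {
    # Step 1: pool selection on the client source address. Matching the
    # 10.10.1.0/24 network with IP::addr instead of comparing the first
    # three octets as text means 10.10.10.x or 10.10.100.x cannot match
    # "10.10.1" by string prefix.
    if { [IP::addr [IP::client_addr] equals 10.10.1.0/24] } {
        pool Internal_HTTP_Pool
        log local0. "Client [IP::client_addr] -> pool Internal_HTTP_Pool"
    } else {
        pool Other-HTTP-Pool
        log local0. "Client [IP::client_addr] -> pool Other-HTTP-Pool"
    }

    # Step 2: SNAT hides the client address, so pass it in X-Forwarded-For.
    # Any X-Forwarded-For the client sent is removed first: the client
    # controls that value and the servers must not treat it as trusted.
    HTTP::header remove X-Forwarded-For
    HTTP::header insert X-Forwarded-For [IP::client_addr]
    log local0. "inserting XFF header for [IP::client_addr]"

    # Step 3: record which browser and version made the request.
    log local0. "User-Agent: [HTTP::header "User-Agent"]"
}
```

Because the virtual server has no default pool, the else branch is what keeps requests from outside 10.10.1.0/24 from being reset for lack of a pool. Removing the incoming X-Forwarded-For is the right choice when clients connect directly to the BIG-IP; behind a trusted upstream proxy you would keep the chain and append the address instead.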
Lab 5: High Speed Logging

Create a pool using the following settings:
Name: HSL_Pool_201
Member(s): 10.10.1.200:514

Create a remote high-speed log destination with the following settings:
General Properties section:
Name: HSL_Dest_201
Type: Remote High-Speed Log
Pool Settings section:
Pool Name: HSL_Pool_201
Protocol: UDP
Distribution: Adaptive
Click the Finished button.
UDP is fire-and-forget: dropped datagrams are not retransmitted and the messages travel in cleartext, so for a production SIEM feed choose TCP and a network path you trust.

Create a syslog-formatted logging destination with the following settings:
General Properties section:
Name: HSL_Dest_Syslog_201
Type: Remote Syslog
Pool Settings section:
Syslog Format: Syslog
Forward To: HSL_Dest_201
Click the Finished button.

Create a publisher; this is the object to which the BIG-IP sends its log messages. General Properties section: Name: HSL_Publisher...

Create a logging filter in order to send all Severity Level 5 messages from the F5 BIG-IP to the publisher. General Pro...

From the Admin PC, log in as root and enter the tcpdump command at the bash prompt as follows.

Generate log messages by setting the state of the pool member 172.16.1.1:80 in pool http_pool to Forced Offline.

Return to the CLI: you should see the traffic captured by tcpdump, transmitted from the BIG-IP system to the remote logging ser...

On the syslog server, ensure that the logs are received. Via the CLI, view the local traffic log using the tail -f /var/log/ltm ...

Add a remote syslog server with the IP address 10.10.1.200 and port 514.

From the CLI, execute the tcpdump command to capture the log messages sent to 10.10.1.200 with destination port 514 on VLAN...

Generate some log messages about local traffic, for example by modifying the monitor on pool http_pool so that the monitor he...

Open a WinSCP session to your F5 BIG-IP using the following settings: File Protocol: SFTP Hostname: 192.168.1.31 Port n...

Filter the messages in Wireshark with the display filter syslog.facility == 16 (facility 16 is local0, the facility of the BIG-IP local traffic log) and click the Apply button.

You should see log messages about the change of status of the objects pool member, pool and virtual server. Below an exa...
Lab 6: F5 BIG-IP iHealth Diagnostics Tool

In the Configuration Utility, navigate to System » Support, then click the New ...

Click the Download button to download the qkview file to your Admin PC. A qkview carries the full configuration and the logs of the device, so handle the file as sensitive data and upload it only to the iHealth account of the organization that owns the device.

From the Admin PC, access the URL ihealth.f5.com. Sign in using the iHealth credentials. Click the Upload button to con...

After the analysis is complete, click the qkview to view its contents. You can see the results of the analysis.

You can retrieve the configuration of objects such as the virtual servers and pools under the Config Explorer, as shown below.

From the iHealth portal you can also execute some tmsh commands such as show /ltm virtual all-properties and show /ltm poo...

In the Graph section, you can view graphs of the Active Connections, SSL Transactions, CPU usage, etc.

You can also retrieve the log files and configuration files in the Files section. In the Diagnostics section, you can find bu...
Lab 7: F5 BIG-IP High Availability

On BIGIP-A.lab.local, open the Setup Utility and click the Next button.

The Setup Utility wizard lets you configure the management interface, 192.168.1.31 in this case, the host ...

Configure the internal network and VLAN with the following settings:
Self IP Address: 172.16.1.31
Netmask: 255.255.0.0
Port Lockdown: Allow Default
Floating IP Address: 172.16.1.33
Port Lockdown: Allow Default
Interna...
Allow Default exposes the management services (SSH, the Configuration Utility and the ConfigSync and failover ports) on this self IP. That is acceptable on the lab's internal VLAN; on a production data VLAN prefer Allow None and keep Allow Default only on the self IPs used for HA.

Configure the high availability network/VLAN. High Availability Network Configuration section High Availability VLAN: Click...

Configure ConfigSync. Leave the configuration at its defaults.

Configure mirroring. Leave the configuration at its defaults.

Before continuing with the BIGIP-A.lab.local Setup Utility, repeat the same steps for BIGIP-B.lab.local. Return to BIG...

The Remote Device Credentials screen appears. Enter the configuration information according to the settings below: Devi...

In the Sync-Failover Group Properties section, change the name of the device group to GR-lab-local. Click the Add Devi...

Review the device group information.

On both BIG-IP systems, navigate to Device Management » Devices. You should see both BIGIP-A.lab.local and BIGIP-B.lab...

On both BIG-IP systems, navigate to Device Management » Device Groups and click the entry for GR-lab-local. You sho...

Notice the status of the BIG-IP devices: both will be "Awaiting Initial Sync." BIGIP-A.lab.local will be "ONLINE (STAN...

If the synchronization fails, run the following tmsh command on both BIG-IP systems.

After synchronization, BIGIP-A.lab.local shows the STANDBY status. After synchronization, BIGIP-B.lab.local sh...

Sync the configuration from BIGIP-B.lab.local to BIGIP-A.lab.local. Navigate to Device Management » Overview and at th...

On BIGIP-A.lab.local verify that you see the http_pool pool. Verify that BIGIP-A.lab.local can also synchronize to BIG...

On BIGIP-A.lab.local, synchronize your configuration to BIGIP-B.lab.local. Select BIGIP-A.lab.local and click the Syn...

On BIGIP-B.lab.local, verify that you now have a virtual server called http_vs with an IP address:port of 10.10.1.100:...

On BIGIP-A.lab.local, navigate to Device Management » Traffic Groups and edit traffic-group-1; the BIGIP-A.lab.local...

Change the active and standby roles. On BIGIP-B.lab.local, which is active for traffic-group-1, click the traffic-group-1 lin...

BIGIP-B.lab.local switches from Active to Standby while BIGIP-A.lab.local switches from Standby to Active. SSH...

Configure the nodes with the default gateway 172.16.1.33. From the Client PC, access the URL http://10.10.1.100; the ...

On BIGIP-B.lab.local create a new self IP based on the following: Configuration section: Name: 172.16.2.32 IP Addr...

On BIGIP-B.lab.local create a pool using the information in the following table. Local Traffic » Pools » Pool List, th...

When complete, click Finished.

Create a new virtual server on BIGIP-B.lab.local using the following settings: Local Traffic » Virtual Servers » Virtu...

On BIGIP-B.lab.local, navigate to Local Traffic » Virtual Servers » Virtual Address List and edit the entry for 10....

Synchronize the configuration from BIGIP-B.lab.local to BIGIP-A.lab.local. Notice that BIGIP-B.lab.local is the Active ...

On BIGIP-B.lab.local, navigate to Device Management » Traffic Groups. Select traffic-group-2 and click Force to S...

Now BIGIP-B.lab.local is active for traffic-group-1 and standby for traffic-group-2. Now BIGIP-A.lab.local is ...

The result is that both BIGIP-A.lab.local and BIGIP-B.lab.local are active, as each is processing traffic for a traffi...

From the Client PC, enter the URL https://10.10.1.101 in the browser. The attempt fails: the traffic is sent to the ...

To ensure that the response traffic from the nodes returns through the correct device, BIGIP-A.lab.local, we need SNAT (Sour...

From the Client PC, enter the URL https://10.10.1.101 in the browser. The attempt now succeeds. SSH to BIGIP-A.l...

Configure the VLAN Failsafe trigger. On BIGIP-A.lab.local, create an additional VLAN called Vlan-test. General Proper...

BIGIP-A.lab.local detects a failure on vlan-test, resulting in the FAILSAFE FAULT state.

On BIGIP-A.lab.local and BIGIP-B.lab.local watch the log file with tail -f /var/log/ltm. Notice on both BIG-IP system...

BIGIP-A.lab.local is now standby for both traffic groups. Remove the vlan-test VLAN created previously and ensure ...

On BIGIP-A.lab.local, disable interface 1.2, the external interface. Navigate to Network » Interfaces. Ed...

You should see BIGIP-B.lab.local standby for both traffic groups. You should see BIGIP-A.lab.local active for ...

From the Client PC, access the URLs http://10.10.1.100 and https://10.10.1.101. The attempts should be successful and...
Lab 8: Connection and Persistence Mirroring on BIG-IP HA

Configure Connection Mirroring. BIGIP-A.lab.local is activ...

On BIGIP-B.lab.local create a pool using the information in the following table. Local Traffic » Pools » Pool List, th...

Create a new virtual server on BIGIP-B.lab.local using the following settings: Local Traffic » Virtual Servers » Virtu...

On BIGIP-B.lab.local, navigate to Local Traffic » Virtual Servers » Virtual Address List and edit the entry for 10....

Synchronize the configuration from BIGIP-B.lab.local to BIGIP-A.lab.local.

On BIGIP-A.lab.local make sure that the virtual server telnet_vs and the pool telnet_pool have been synchronized. From the Client...

On BIGIP-B.lab.local, navigate to Device Management » Traffic Groups, edit traffic-group-1, and display the failo...

From the server's command prompt, run arp -a to display the ARP table. Notice the MAC address 00-0C-29-6c-8b-22 ass...

On BIGIP-B.lab.local, navigate to Device Management » Traffic Groups. Click Force to Standby for traffic-group-1. Noti...

Now BIGIP-A.lab.local is active for traffic-group-1 and traffic-group-2. Since BIGIP-A.lab.local is the active...

From the Client PC, open another telnet session to 10.10.1.103:23. The current active device, BIGIP-A.lab.local, redire...

On BIGIP-A.lab.local, navigate to Network » Interfaces. Notice the MAC address 00-0c-29-0a-7c-9f of the interface 1.1...

Configure connection mirroring and synchronize the configuration. On BIGIP-A.lab.local navigate to Local Traffic » Virt...
Connection mirroring replicates the state of every connection of the virtual server to the standby device over the HA network, so enable it only on virtual servers carrying long-lived sessions such as this telnet service, not on short-lived HTTP traffic where the mirroring cost outweighs the benefit.

From the Client PC, open a telnet session to 10.10.1.103:23. Log in as server / server and type any command. Force the BI...

Test the connection to 10.10.1.103:23 again by running the previous command. Note that the connection was maintain...

Make sure that BIGIP-B.lab.local is active for traffic-group-2 and standby for traffic-group-1.

Configure a Source Address Affinity persistence profile and assign it to the virtual server http_vs. Create a Persistenc...

Assign Lab-persist-src to http_vs. Navigate to Local Traffic » Virtual Servers, edit the virtual server http_vs, click ...

Synchronize the configuration from BIGIP-A.lab.local to BIGIP-B.lab.local.

From the Client PC, open a browser session to http://10.10.1.100. Ensure your session is persisting by hitting Ctrl-F...

View the persistence records on both BIG-IP systems. Use the tmsh command: tmsh show ltm persistence persist-records. You ...

Refresh the session to http://10.10.1.100. While there is some chance the same pool member may be chosen, it is not du...

You can use the tmsh show /cm failover-status command to view the status of the BIG-IP system. On BIGIP-A.lab.local not...

Access the TMOS CLI using the tmsh command on BIGIP-B.lab.local and verify that the mirror option is disabled for the persi...

On BIGIP-A.lab.local verify that the status is Changes Pending using the show /cm sync-status command. On BIGIP-A.lab.loca...

On BIGIP-A.lab.local verify that the status is In Sync using the show /cm sync-status command. On BIGIP-B.lab.local verify ...

From the Client PC, open a browser session to http://10.10.1.100. Ensure your session persists by pressing the Ctrl-F5...

Now that Persistence Mirroring is enabled, you should see a persistence record on both the Active and Standby systems....

Now BIGIP-B.lab.local is Active for traffic-group-1 and traffic-group-2. From the Client PC, refresh the browser s...
  1. 1. 1 F5 BIG-IP Practice Labs Redouane MEDDANE
  2. 2. 2 Table of Contents Lab 1: SSL Decryption on F5-BIG IP...............................................................3 Lab 2: Multiple Default Gateways and Path Monitor ................................. 25 Lab 3: OSPF routing Protocol and Kernel Route ......................................... 33 Lab 4: iRule Script For Traffic Processing.................................................... 41 Lab 5: High Speed Logging.......................................................................... 59 Lab 6: F5 BIG-IP iHealth Diagnostics Tool ................................................... 77 Lab 7: F5 BIG-IP High Availability................................................................ 89 Lab 8: Connection and Persistence Mirroring on BIG-IP HA ..................... 139
  3. 3. 3 Lab 1: SSL Decryption on F5-BIG IP Create an SSL Certificate for external clients and internal servers. Create a custom SSL Certificate for Client PC. System » File Management: SSL Certificate List » click Create. General Properties section: Name: F5_Cert Certificate Properties section:
  4. 4. 4 Issuer: Self Common Name: lab.local Division: lab Organization: local Locality: training State or Province: SJ Country: United States Lifetime: 365 Key Properties section: Key Type: RSA Size: 2048 When complete, click Finished Create a Client SSL profile called SSL_Profile with clientssl as its parent. Local Traffic » Profiles » SSL » Client and click Create.
  5. 5. 5 General Properties section: Name: SSL_Profile Parent Profile: clientssl Configuration section: Certificate Key Chain: Add the F5_Cert created previously When complete, click Finished
  6. 6. 6 Create a custom SSL Certificate for backend servers. System » File Management: SSL Certificate List » click Create.
  7. 7. 7 General Properties section: Name: F5_SRV_Cert Certificate Properties section: Issuer: Self Common Name: server.com Division: server Organization: F5 admin Locality: training State or Province: SJ Country: United States Lifetime: 365 Key Properties section: Key Type: RSA Size: 2048 When complete, click Finished
  8. 8. 8 Create a Server SSL profile called SSL_Profile_SRV with serverssl as its parent. Local Traffic » Profiles » SSL » Server and click Create. General Properties section: Name: SSL_Profile_SRV Parent Profile: serverssl Configuration section: Certificate: F5_SRV_Cert Key: F5_SRV_Cert When complete, click Finished
  9. 9. 9 Edit the virtual server called https_vs with an IP address of 10.10.1.101:443. In the Configuration section, under the SSL Profile (Client), move the SSL_Profile from the Available profiles to the Selected profiles. Under the SSL Profile (Server), move the SSL_Profile_SRV from the Available profiles to the Selected profiles.
  10. 10. 10 Ensure that the pool https_pool is assigned to the virtual server vs_https in the Resources section. Ensure that the pool https_pool has two pool members, 172.16.1.1:443 and 172.16.1.2:443.
  11. 11. 11 In Web browser of the Client PC, go to https://10.10.1.101. If prompted, accept the SSL certificate.
  12. 12. 12 In the web browser, view the certificate for the Client Side Connection, you should see the F5_Cert certificate associated to the SSL Client Profile. To capture the SSL session data. Configure an iRule to get the pre-master session data from the F5 itself. Configure an iRule as follows.
  13. 13. 13
  14. 14. 14 Apply this new iRule to the virtual server. Edit the virtual server called https_vs with an IP address of 10.10.1.101:443. on the Resources tab, in the iRules section, click the Manage button. Assign the iRule SSL_iRule to the virtual server by moving its entry from the Available column to the Enabled column.
  15. 15. 15 From the Admin PC, login as root and enter the TCPDUMP command at the bash prompt. Execute the TCPDUMP command to capture log messages sent from Client PC 10.10.1.200 to 172.16.1.0/24 the subnet of the backend servers with destination port 443 on VLAN internal. This traffic should be saved in a file in the /var/tmp/directory, the name of the folder is SSL_201.cap on the BIG-IP system. Execute the TCPDUMP command to capture log messages sent from Client PC 10.10.1.200 to 172.16.1.0/24 the subnet of the backend servers with destination port 443 on VLAN internal.
  16. 16. 16 In Web browser of the Client PC, go to https://10.10.1.101. Notice the BIG-IP is load balancing to the pool member 172.16.1.2:80. Return the CLI, you should see traffic captured by TCPDUMP for SSL traffic exchanged between the Client PC 10.10.1.200 and the server-2 172.16.1.2.
  17. 17. 17 From the Admin PC, open a WinSCP session to your F5 BIG-IP using the following settings: File Protocol: SFTP Hostname: 192.168.1.31 Port number: 22 Username: root Password: root Click the file folder for root directory, navigate to var then tmp directories and drag the file SSL_201.cap from the F5 BIG-IP to the Admin PC. Open the file using wireshark.
  18. 18. 18 Right click on one of the SSL packets and select Follow, TCP Stream. You should see the application data encrypted in the wireshark.
  19. 19. 19 Now run the following command from the CLI of the BIG-IP System. Now the F5-201- Key.pms file can be retrieved from the F5 and put into Wireshark. From the Admin PC, open a WinSCP session to your F5 BIG-IP.
  20. 20. 20 Click the file folder for root directory, navigate to var then tmp directories and drag the file F5-201-Key.pms from the F5 BIG-IP to the Admin PC. Open Wireshark, go to Edit/Preferences. Expand Protocols menu, then select TLS. Browse to the pre-master session key file F5-201-Key.pms and click OK.
  21. 21. 21 Open in Wireshark the previous SSL_201.cap file. Right click on the http request Get /HTTP/1.1 sent by the Client PC 10.10.1.200 and select Follow, TLS Stream. You will now see unencrypted SSL data sent by the Client PC in the capture as follows:
  22. 22. 22 Right click on the http response HTTP/1.1 200 OK sent by the Server-2 172.16.1.2 and select Follow, TLS Stream. You can see unencrypted HTTP response sent by the Server-2.
  23. 23. 23
  24. 24. 24
  25. 25. 25 Lab 2: Multiple Default Gateways and Path Monitor Create a Custom ICMP Monitor Create a new ICMP monitor. General Properties section: Name: GW_Monitor Type: Gateway ICMP Configuration section: Interval:3 seconds Timeout: 10 seconds Set Transparent to Yes Specify Alias IP Address 8.8.8.8 The monitor packet will be sent with the MAC address of the pool member and the IP address defined as the “alias” in the monitor definition. When complete, click Finished
  26. 26. 26
  27. 27. 27 Create a Pool using the information in the following settings. Configuration section: Configuration: Basic Name: ISP-Pool Health Monitor: GW_Monitor Resource section: Load Balancing Method: Round Robin Priority Group Activation: Disabled ISP-1 Member: Node Name: ISP-1 Address: 211.1.1.254 Service Port: * All Services Click Add ISP-2 Member: Node Name: ISP-2 Address: 222.2.2.254 Service Port: * All Services Click Add When complete, click Finished
  28. 28. 28 To configure multiple default gateways on the BIG-IP system, you must configure a default gateway pool that contains the IP addresses of the routers that the BIG-IP system will use as gateways, including a gateway monitor. You can then configure that pool as the default gateway pool for the BIG-IP system. To assign the pool you created as the default gateway for the BIG-IP system, perform the following configuration. Go to Network > Routes. Select Add. Enter a name for the route, such as Default_Gateway. Enter 0.0.0.0 for the Destination. Enter 0.0.0.0 for the Netmask. For Resource, select Use Pool. Select the default gateway pool ISP-Pool you created previously. Click Finished.
  29. 29. 29
  30. 30. 30 Verify the state of the ISP-Pool pool. Verify the state of the pool members. On ISP-3 disable the F0/0 interface. Verify the state of the pool member ISP-1, it’s no longer available.
  31. 31. 31 On ISP-3 disable the F0/0 interface. Verify the state of the pool member ISP-2, it’s no longer available.
  32. 32. 32
  33. 33. 33 Lab 3: OSPF routing Protocol and Kernel Route Configure OSPF between the F5 BIG-IP and the router R1. In order to enable OSPF we need to do it via Route Domain configuration. Click Finished.
  34. 34. 34 If OSPF is enabled, the zebos check command returns output similar to the following. Access the F5 BIG-IP CLI and execute the imish command to access the ZebOS router shell). To access the privileged mode, type the enable command, and in order to configure OSPF, execute the conf t command to access the global configuration mode. Configure OSPF on F5 BIG-IP using the following commands. The internal subnet 10.1.5.0/24 in area 1 while the external subnet 10.10.1.0/24 in area 0. Configure OSPF the router R1 with the following commands. On F5 BIG-IP and R1, verify the neighbor relationship using the sh ip os nei command. The adjacency should be Full.
  35. 35. 35 Check the routing table of R1, the Inter-Area route 10.1.5.0/24 is there. Check the routing table of F5 BIG-IP, the Inter-Area route 172.20.1.0/24 is learned. Let’s verify the RIB of F5 BIG-IP using the sh ip route command, the virtual Addresses 10.100.1.1, 10.100.1.2 and 10.100.1.3 are not there. So how to advertise these routes so that the router R1 learns these subnets in order to allow the reachability and the load balancing toward the internal servers? Return to the GUI configuration of F5 BIG-IP the virtual-address list.
  36. 36. 36 Enable the Route Advertisement option for the Virtual Address 10.100.1.1. Enable the Route Advertisement option for the Virtual Address 10.100.1.2. Enable the Route Advertisement option for the Virtual Address 10.100.1.3.
  37. 37. 37 Let’s check the routing table of F5 BIG-IP, the host routes now are installed as a “K” Kernel route source. By default the dynamic routing protocol would redistribute connected interfaces on the F5 LTM. If you configure redistribute static, then the protocol would also advertise those static routes via dynamic protocol. However, the Virtual Address routes are neither connected nor static type. So, it is defined a new type known as kernel. That's why we need to redistribute kernel routes into the protocol for making the Virtual Address to be reachable from the Client PC. To do this, execute the redistribute kernel command. Let’s verify the routing table of R1. Now the Virtual Addresses 10.100.1.1, 10.100.1.2 and 10.100.1.3 are learned as an OE2 routes.
  38. 38. 38 Let’s the Type-5 LSA for 10.100.1.1/32, the Advertising Router is 0.0.0.2 the router ID of F5 BIG-IP. Let’s the Type-5 LSA for 10.100.1.2/32, the Advertising Router is 0.0.0.2 the router ID of F5 BIG-IP.
  39. 39. 39 Let’s the Type-5 LSA for 10.100.1.3/32, the Advertising Router is 0.0.0.2 the router ID of F5 BIG-IP. Verify the connectivity to the virtual servers. From the Client PC access the url http://10.100.1.1, this should be successful. From the Client PC access the url https://10.100.1.2, this should be successful.
  40. 40. 40 From the Client PC access the url https://10.100.1.3, this should be successful.
  41. 41. 41 Lab 4: iRule Script For Traffic Processing Create a pool using the following settings: Name: Internal_HTTP_Pool Healt Monitors: http Member (s): 172.16.1.10:80 Create another pool using the following settings: Name: Other-HTTP-Pool Healt Monitors: http Member (s): 172.16.1.20:80
  42. 42. 42
  43. 43. 43 Create a virtual server named VS_HTTP_iRule with destination IP address and port 10.10.1.115:80. Dot not assign a default pool.
  44. 44. 44 Create a new iRule named iRule_For_Pool using the script below, this iRule will load balance to the pool based on the first three octets 10.10.1 of the client 's IP address to pool Internal_HTTP_Pool and all other clients to pool Other-HTTP-Pool.
  45. 45. 45 Before associating the iRule to the Virtual Server, you need to assign an HTTP profile to virtual server VS_HTTP_iRule as shown below.
  46. 46. 46 Edit the virtual server VS_HTTP_iRule, on the Resources tab, in the iRules section, click the Manage button. Assign the iRule iRule_For_Pool to the virtual server by moving its entry from the Available column to the Enabled column.
  47. 47. 47 Access the CLI of the F5 BIG-IP and execute the tail -f /var/log/ltm command to view log messages.
  48. 48. 48 From Client-1 PC 10.10.1.200, connect to the virtual server at http://10.10.1.115. You should see the page contents being delivered from the pool member Server-1 172.16.1.10:80. Check the log messages, the logs indicate the connections are sent to pool Internal_HTTP_Pool.
  49. 49. 49 From Client-2 PC 10.10.2.200, connect to the virtual server at http://10.10.1.115. You should see the page contents being delivered from the pool member Server-1 172.16.1.20:80. Check the log messages, the logs indicate the connections are sent to pool Other-HTTP- Pool.
  50. 50. 50 Configure SNAT Source NAT Auto Map so that the Client 's IP address is hidden and translated to the self IP of the BIG-IP. Edit the virtual server VS_HTTP_iRule, in the Configuration Section, select Auto Map option for Source Address Translation. From Client-1 PC 10.10.1.200, connect to the virtual server at http://10.10.1.115. View the client IP address, it should have changed from 10.10.1.200 to 172.16.1.33 which is the floating self IP address of VLAN internal, the egress VLAN for traffic flowing from the BIG-IP to the pool members.
  51. 51. 51 View the HTTP header of the Client-1 PC, the X-Forwarded-For is not set. From Client-2 PC 10.10.2.200, connect to the virtual server at http://10.10.1.115. View the client IP address, it should have changed from 10.10.2.200 to 172.16.1.33 which is the floating self IP address of VLAN internal, the egress VLAN for traffic flowing from the BIG-IP to the pool members.
  52. 52. 52 View the HTTP header of the Client-2 PC, the X-Forwarded-For is not set. When using SNAT to translate the source IP address of incoming connections, the internal servers that receive these connections will see the request as originating from the SNAT address and not the original client source IP address. By enabling the X-Forwarded-For header feature, the BIG-IP inserts a header into the server-side connection which contains the original client IP address. To set the X-Forwarded-For in the HTTP header, modify the iRule by adding the following code.
    log local0. "inserting XFF header for [IP::remote_addr]"
    HTTP::header insert X-Forwarded-For [IP::remote_addr]
From Client-1 PC, connect to http://10.10.1.115. You should see the page contents delivered from pool member Server-1 172.16.1.10:80; click on the HTTP header and you should see the original IP address 10.10.1.200 in the XFF field.
From Client-2 PC, connect to http://10.10.1.115. You should see the page contents delivered from pool member Server-2 172.16.1.20:80; click on the HTTP header and you should see the original IP address 10.10.2.200 in the XFF field.
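The header the iRule inserts is only useful if the pool member reads it correctly. The following Python model, added here and not part of the lab guide, reproduces what the server sees after SNAT Auto Map plus HTTP::header insert (the SNAT address 172.16.1.33 as TCP peer, the client address appended as an X-Forwarded-For instance) and contrasts a naive reader with one that honours the header only when the connection comes from the BIG-IP and takes the value the BIG-IP appended. The requests, the proxy model and the trusted-proxy list are constructed assumptions.

```python
"""Added example, not part of the lab guide: what a pool member sees after SNAT
Auto Map plus the X-Forwarded-For iRule, and how it should read that header.

Assumptions (constructed here, mirroring the lab topology):
- the BIG-IP SNATs the server-side flow to 172.16.1.33, the floating self IP
  of VLAN internal
- the iRule runs `HTTP::header insert X-Forwarded-For [IP::remote_addr]`, and
  `insert` adds a header instance even when one is already present
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SNAT_ADDR = "172.16.1.33"                          # floating self IP from the lab
TRUSTED_PROXIES = [ip_network("172.16.1.33/32")]   # only the BIG-IP may set XFF


@dataclass
class Request:
    """A request as seen by whoever receives the TCP connection."""
    src_ip: str                                    # TCP peer address
    headers: list[tuple[str, str]] = field(default_factory=list)


def bigip_forward(req: Request) -> Request:
    """Model the BIG-IP server-side connection: SNAT rewrites the source to the
    floating self IP and the iRule appends an X-Forwarded-For header carrying
    IP::remote_addr, the real client address."""
    fwd = Request(src_ip=SNAT_ADDR, headers=list(req.headers))
    fwd.headers.append(("X-Forwarded-For", req.src_ip))   # HTTP::header insert
    return fwd


def header_values(req: Request, name: str) -> list[str]:
    """All instances of a header, in wire order (names are case-insensitive)."""
    return [v for k, v in req.headers if k.lower() == name.lower()]


def naive_client_ip(req: Request) -> str:
    """What a backend that simply reads the first XFF value would log. Any XFF
    the client sent itself arrives ahead of the one the BIG-IP appended."""
    xff = header_values(req, "X-Forwarded-For")
    return xff[0].split(",")[0].strip() if xff else req.src_ip


def client_ip(req: Request) -> str:
    """Backend-side logic: honour XFF only when the TCP peer is the BIG-IP SNAT
    address, and take the value the BIG-IP appended, i.e. the last header
    instance and its last comma-separated element. Otherwise fall back to the
    TCP peer address."""
    if not any(ip_address(req.src_ip) in net for net in TRUSTED_PROXIES):
        return req.src_ip
    xff = header_values(req, "X-Forwarded-For")
    if not xff:
        return req.src_ip
    candidate = xff[-1].split(",")[-1].strip()
    try:
        ip_address(candidate)          # accept only an IP literal
    except ValueError:
        return req.src_ip
    return candidate


if __name__ == "__main__":
    # Client-1 from the lab, no XFF of its own: both readers agree.
    honest = bigip_forward(Request("10.10.1.200", [("Host", "10.10.1.115")]))
    print(honest.src_ip, header_values(honest, "X-Forwarded-For"))
    print("naive:", naive_client_ip(honest), "strict:", client_ip(honest))
    # Client-2 request that already carries an XFF header: two instances reach
    # the server, and only the strict reader returns the address the BIG-IP saw.
    seeded = bigip_forward(Request("10.10.2.200", [("X-Forwarded-For", "10.10.1.200")]))
    print(header_values(seeded, "X-Forwarded-For"))
    print("naive:", naive_client_ip(seeded), "strict:", client_ip(seeded))
```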
Confirm the log messages from the CLI. Collect the browser version (User-Agent) via the iRule to discover which browser and version the client used to access the virtual server. Add the following code:
    log local0. "User-Agent:[HTTP::header "User-Agent"]"
From Client-2 PC, connect to http://10.10.1.115 using Firefox. In the log messages, you should see the BIG-IP record Firefox along with its version.
From Client-2 PC, connect to http://10.10.1.115 using Chrome. In the log messages, you should see the BIG-IP record Chrome along with its version.
From Client-2 PC, connect to http://10.10.1.115 using Internet Explorer. In the log messages, you should see the BIG-IP record MSIE along with its version.
Lab 5: High Speed Logging
Create a pool using the following settings: Name: HSL_Pool_201 Member(s): 10.10.1.200:514
Create a remote high-speed log destination with the following settings: General Properties section: Name: HSL_Dest_201 Type: Remote High-Speed Log Pool Settings section: Pool Name: HSL_Pool_201 Protocol: UDP Distribution: adaptive Click the Finished button.
Create a Syslog-formatted logging destination with the following settings: General Properties section: Name: HSL_Dest_Syslog_201 Type: Remote Syslog Pool Settings section: Syslog Format: Syslog Forward To: HSL_Dest_201 Click the Finished button.
Create a publisher; this is where the F5 BIG-IP will send log messages. General Properties section: Name: HSL_Publisher_201 Log Destinations section: Destinations: Move HSL_Dest_Syslog_201 from the Available column to the Selected column. Click the Finished button.
Create a logging filter in order to send all Severity Level 5 (Notice) messages from the F5 BIG-IP to the publisher. General Properties section: Name: HSL_MCPD_Filter_201 Configuration section: Severity: Notice Source: mcpd Log Publisher: HSL_Publisher_201 Click the Finished button.
From the Admin PC, log in as root and enter the TCPDUMP command at the bash prompt as follows.
Generate log messages by setting the state of pool member 172.16.1.1:80 in pool http_pool to Forced Offline.
Return to the CLI; you should see traffic captured by TCPDUMP transmitted from the BIG-IP system to the remote logging server 10.10.1.200. The logs indicate that the state has changed for the pool member 172.16.1.1:80.
On the Syslog server, ensure that the logs are received. Via the CLI, view the local traffic log using the tail -f /var/log/ltm command and notice that the messages sent to the HSL server 10.10.1.200 are not present in the local log because of the HSL logging filter. Other messages that do not match the HSL filter are still there, for example the TCPDUMP command execution.
Add a remote syslog server with the IP address 10.10.1.200 and port 514.
From the CLI, execute the TCPDUMP command to capture log messages sent to 10.10.1.200 with destination port 514 on VLAN external. This traffic should be saved in a file named F5-Admin-Syslog in the /var/tmp/ directory on the BIG-IP system.
Generate some log messages about local traffic: for example, modify the monitor on pool http_pool so that the health check fails for all pool members, and the pool and virtual server are marked as unavailable. Then assign the http monitor so that the pool members, pool and virtual server are marked UP.
Open a WinSCP session to your F5 BIG-IP using the following settings: File Protocol: SFTP Hostname: 192.168.1.31 Port number: 22 Username: root Password: root Click the file folder for the root directory, navigate to the var and then tmp directories, and drag the file F5-Admin-Syslog from the F5 BIG-IP to the Admin PC. Open the file using Wireshark. Many log messages are displayed.
Filter the messages in Wireshark using the string syslog.facility == 16 and click the Apply button.
You should see log messages about the change of status for the pool member, pool and virtual server objects. Below is an example for the pool http_pool and the pool member 172.16.1.1:80.
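To see what the HSL filter and the Wireshark filter syslog.facility == 16 actually select, here is an added Python example (not from the lab guide) that decodes the syslog PRI field of UDP/514 datagrams into facility and severity and applies both filters to constructed BIG-IP-style log lines. The host name, PIDs and message text are invented for the example, and treating the filter's severity as a threshold is an assumption.

```python
"""Added example, not part of the lab guide: decode the syslog PRI field of the
datagrams the BIG-IP HSL publisher sends to 10.10.1.200:514 over UDP, then apply
the two filters the lab uses: the Wireshark display filter `syslog.facility == 16`
and the HSL log filter (Source: mcpd, Severity: Notice).
The sample lines are constructed; they imitate the shape of BIG-IP /var/log/ltm
messages and are not captured from a real system."""
import re
from dataclasses import dataclass

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
NOTICE = 5    # severity selected in HSL_MCPD_Filter_201
LOCAL0 = 16   # facility matched by `syslog.facility == 16`

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MESSAGE
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[\w.-]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


@dataclass
class SyslogMsg:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    msg: str

    @property
    def label(self) -> str:            # e.g. "local0.notice"
        return f"{FACILITIES.get(self.facility, str(self.facility))}.{SEVERITIES[self.severity]}"


def parse(line: str) -> SyslogMsg:
    """Split one syslog datagram; PRI = facility * 8 + severity."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                      # local7.debug = 23 * 8 + 7 is the maximum
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMsg(pri >> 3, pri & 7, m["ts"], m["host"], m["tag"], m["msg"])


def matches_hsl_filter(m: SyslogMsg, source: str = "mcpd", level: int = NOTICE) -> bool:
    """Mirror the lab's filter: mcpd messages at Notice. Lower numbers are more
    severe, so the check is severity <= level; treating the selected level as a
    threshold is this example's assumption about the filter semantics."""
    return m.tag == source and m.severity <= level


def facility_filter(msgs, facility: int = LOCAL0):
    """Equivalent of the Wireshark display filter `syslog.facility == 16`."""
    return [m for m in msgs if m.facility == facility]


SAMPLE_LINES = [   # constructed, see module docstring
    # <133> = 16*8 + 5 -> local0.notice from mcpd: matched by both filters
    "<133>Jan 15 10:22:31 bigip1 mcpd[5432]: Pool /Common/http_pool member "
    "/Common/172.16.1.1:80 monitor status forced down.",
    # <134> = local0.info from tmm: passes the facility filter, not the HSL filter
    "<134>Jan 15 10:22:31 bigip1 tmm[7741]: Pool /Common/http_pool member "
    "/Common/172.16.1.1:80 session status forced disabled.",
    # <30> = daemon.info: matched by neither
    "<30>Jan 15 10:22:40 bigip1 crond[8100]: (root) CMD (run-parts /etc/cron.hourly)",
    # <13> = user.notice: right severity, wrong facility and source
    "<13>Jan 15 10:22:45 bigip1 root[8123]: tcpdump -ni external port 514",
]


def demo() -> dict:
    msgs = [parse(line) for line in SAMPLE_LINES]
    return {"labels": [m.label for m in msgs],
            "local0": [m.tag for m in facility_filter(msgs)],
            "hsl": [m.msg for m in msgs if matches_hsl_filter(m)]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```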
Lab 6: F5 BIG-IP iHealth Diagnostics Tool
On the Configuration Utility, navigate to System » Support, then click the New Support Snapshot button. Generate a qkview file on your BIG-IP: in the Health Utility, select the Generate QKView option and click the Start button.
Click the Download button to download the qkview file to your Admin PC.
From the Admin PC, access the URL ihealth.f5.com. Sign in using the iHealth credentials. Click the Upload button to continue. Click the Choose button and select the qkview file. Click the Upload QKView(s) button.
After the analysis is complete, click on the qkview to view its contents. You can see the results of the analysis.
You can retrieve the object configuration under the Config Explorer, such as the Virtual Servers and Pools, as shown below.
From the iHealth portal you can also execute some TMSH commands, such as the show /ltm virtual all-properties and show /ltm pool members commands.
In the Graph section, you can view graphs of Active Connections, SSL Transactions, CPU usage, etc.
You can also retrieve the log files and config files in the Files section. In the Diagnostics section, you can find bugs and vulnerabilities of your BIG-IP system related to the product version, insecure passwords, the Linux kernel and so on. Each vulnerability has an Article Link with an identifier that starts with "K" followed by a number; this lets you browse directly to the article. F5 Networks periodically publishes such articles, each with an identifier, describing fixes for bugs and vulnerabilities.
Lab 7: F5 BIG-IP High Availability
On BIGIP-A.lab.local, use the Setup Utility, then click the Next button.
The Setup Utility wizard allows you to configure the management interface (192.168.1.31 in this case), host name, time zone, and user account passwords for CLI and GUI access. The SSH IP Allow section acts as an ACL that permits certain IP addresses and/or ranges to access the BIG-IP. Once you change the account passwords, you will be logged out and need to log back in using the new IP address and the new accounts. Click Next.
Configure the internal network and VLAN with the following settings: Self IP Address: 172.16.1.31 Netmask: 255.255.0.0 Port Lockdown: Allow Default Floating IP Address: 172.16.1.33 Port Lockdown: Allow Default Internal VLAN Configuration section: VLAN Name: internal VLAN Tag ID: auto VLAN Interfaces: Select VLAN interface 1.1 and add it Untagged to the Interfaces list. Click Next.
Configure the external network and VLAN with the following settings: Self IP Address: 10.10.1.31 Netmask: 255.255.0.0 Port Lockdown: Allow 443 Floating IP Address: 10.10.1.33 Port Lockdown: Allow Default External VLAN Configuration section: VLAN Name: external VLAN Tag ID: auto VLAN Interfaces: Select VLAN interface 1.2 and add it Untagged to the Interfaces list. Click Next.
Configure the High Availability network/VLAN. High Availability Network Configuration section: High Availability VLAN: Click the Select existing VLAN radio button Select VLAN: internal Self IP Address: 172.16.1.31 Netmask: 255.255.0.0 High Availability VLAN Configuration section: VLAN Name: internal VLAN Interfaces: 1.1 (untagged) Click Next. Configure the NTP and DNS servers.
Configure config sync. Leave the configuration at its defaults.
Configure mirroring. Leave the configuration at its defaults.
Before continuing with the BIGIP-A.lab.local Setup Utility, repeat the same steps for BIGIP-B.lab.local. Return to the BIGIP-A.lab.local Setup Utility and click the Next button in the Standard Pair Configuration section. Click Next under Discover Configured Peer Device.
The Remote Device Credentials screen appears. Enter the configuration information according to the settings below: Device IP Address: 192.168.1.32 Administrator Username: admin Administrator Password: admin Click the Retrieve Device Information button. Click Device Certificate Matches.
In the Sync-Failover Group Properties section, change the Name of the device group to GR-lab-local. Click the Add Device button.
Review the device group information.
On both BIG-IP systems, navigate to Device Management » Devices. You should see both BIGIP-A.lab.local and BIGIP-B.lab.local listed in the Device List.
On both BIG-IP systems, navigate to Device Management » Device Groups and click on the entry for GR-lab-local. You should see both BIGIP-A.lab.local and BIGIP-B.lab.local listed in the Includes column.
Notice the status of the BIG-IP devices: both will be "Awaiting Initial Sync." BIGIP-A.lab.local will be "ONLINE (STANDBY)" and BIGIP-B.lab.local "ONLINE (ACTIVE)". Synchronize the configuration from BIGIP-B.lab.local to BIGIP-A.lab.local. On BIGIP-B.lab.local, navigate to Device Management » Overview and, in the Devices section, select BIGIP-B.lab.local. Click the Sync Device to Group button, then click the Sync button. Verify that the Sync Summary now shows "All devices in the device group are in sync".
If the synchronization fails, run the following tmsh command on both BIG-IP systems.
After synchronization, BIGIP-A.lab.local shows the STANDBY status and BIGIP-B.lab.local shows the ACTIVE status. On BIGIP-B.lab.local, create a pool using the information in the following table. Local Traffic » Pools » Pool List, then click Create. Configuration section: Configuration: Basic Name: http_pool Resources section: Load Balancing Method: Round Robin Priority Group Activation: Disabled Node Name: (Leave blank) New Members: Address:Port: 172.16.1.1:80 Click Add Address:Port: 172.16.1.2:80 Click Add When complete, click Finished.
Sync the configuration from BIGIP-B.lab.local to BIGIP-A.lab.local. Navigate to Device Management » Overview and, in the Devices section, select BIGIP-B.lab.local, then click the Sync button.
On BIGIP-A.lab.local, verify that you see the http_pool pool. Verify that BIGIP-A.lab.local can also synchronize to BIGIP-B.lab.local by creating a new virtual server on BIGIP-A.lab.local using the following settings: Local Traffic » Virtual Servers » Virtual Server List, then click Create. General Properties section: Name: http_vs Destination Type: Standard Address: 10.10.1.100 Service Port: 80 State: Enabled Resources section: Default Pool: http_pool When complete, click Finished.
On BIGIP-A.lab.local, synchronize your configuration to BIGIP-B.lab.local. Select BIGIP-A.lab.local and click the Sync button.
On BIGIP-B.lab.local, verify that you now have a virtual server called http_vs with an IP address:port of 10.10.1.100:80 using the http_pool pool. On BIGIP-B.lab.local, navigate to Device Management » Traffic Groups and edit traffic-group-1; BIGIP-B.lab.local should be Active for this traffic group.
On BIGIP-A.lab.local, navigate to Device Management » Traffic Groups and edit traffic-group-1; BIGIP-A.lab.local should be Standby for this traffic group.
Change active to standby modes. On BIGIP-B.lab.local, which is active for traffic-group-1, click the traffic-group-1 link. Click the Force to Standby button. In the pop-up window, click the OK button to confirm the Force this Traffic Group to standby request.
BIGIP-B.lab.local switches from Active to Standby while BIGIP-A.lab.local switches from Standby to Active. SSH to the Active device BIGIP-A.lab.local and, from a command prompt, enter the tmsh run /sys failover standby command. Now BIGIP-B.lab.local will be Active and BIGIP-A.lab.local the Standby.
Configure the nodes with the default gateway 172.16.1.33. From the Client PC, access the URL http://10.10.1.100; the access should be successful. On BIGIP-B.lab.local, create a new Traffic Group with the name traffic-group-2 and click the Finished button.
On BIGIP-B.lab.local, create a new Self IP based on the following: Configuration section: Name: 172.16.2.32 IP Address: 172.16.2.32 Netmask: 255.255.0.0 VLAN/Tunnel: Internal Port Lockdown: Allow None Traffic Group: traffic-group-2 (floating) When complete, click Finished.
On BIGIP-B.lab.local, create a pool using the information in the following table. Local Traffic » Pools » Pool List, then click Create. Configuration section: Configuration: Basic Name: https_pool Resources section: Load Balancing Method: Round Robin Priority Group Activation: Disabled Node Name: (Leave blank) New Members: Address:Port: 172.16.1.1:443 Click Add Address:Port: 172.16.1.2:443 Click Add
When complete, click Finished.
Create a new virtual server on BIGIP-B.lab.local using the following settings: Local Traffic » Virtual Servers » Virtual Server List, then click Create. General Properties section: Name: https_vs Destination Type: Standard Address: 10.10.1.101 Service Port: 443 State: Enabled Resources section: Default Pool: https_pool When complete, click Finished.
On BIGIP-B.lab.local, navigate to Local Traffic » Virtual Servers » Virtual Address List and edit the entry for 10.10.1.101. Change the Traffic Group to traffic-group-2 (floating). Click Update.
Synchronize the configuration from BIGIP-B.lab.local to BIGIP-A.lab.local. Notice that BIGIP-B.lab.local is the Active device for both traffic groups, traffic-group-1 and traffic-group-2.
On BIGIP-B.lab.local, navigate to Device Management » Traffic Groups. Select traffic-group-2 and click the Force to Standby button. (Click the OK button or the Force to Standby button to confirm.)
Now BIGIP-B.lab.local is active for traffic-group-1 and standby for traffic-group-2, and BIGIP-A.lab.local is active for traffic-group-2 and standby for traffic-group-1.
The result is that both BIGIP-A.lab.local and BIGIP-B.lab.local are Active, as each is processing traffic for one traffic group. BIGIP-A.lab.local is processing the HTTPS traffic because https_vs belongs to traffic-group-2. BIGIP-B.lab.local is processing the HTTP traffic because http_vs belongs to traffic-group-1. From the Client PC, enter the URL http://10.10.1.100 in the browser. This should be successful: the traffic is sent to the virtual server http_vs, which belongs to traffic-group-1; since BIGIP-B.lab.local is the Active device for this traffic group, it processes the traffic, and the server responds via the default gateway 172.16.1.33, which belongs to the same traffic group.
From the Client PC, enter the URL https://10.10.1.101 in the browser. The attempt fails: the traffic is sent to the virtual server https_vs, which belongs to traffic-group-2; since BIGIP-A.lab.local is the Active device for this traffic group, it processes the traffic, but the server sends its response for destination 10.10.1.200 to the default gateway 172.16.1.33, which belongs to traffic-group-1, where BIGIP-B.lab.local is the Active device. Because the default gateway on the servers is 172.16.1.33, the return traffic flows through BIGIP-B.lab.local, causing asymmetric routing, and the packets are dropped at the BIGIP-B.lab.local device.
To ensure that the response traffic from the nodes returns through the correct device, BIGIP-A.lab.local, we need SNAT (Source NAT). Edit the virtual server https_vs and, in the Source Address Translation field, select Auto Map.
From the Client PC, enter the URL https://10.10.1.101 in the browser. The attempt is now successful. SSH to BIGIP-A.lab.local and BIGIP-B.lab.local. Issue the tmsh show cm failover-status command to determine the status of the device. Display the failover score with the tmsh run cm watch-trafficgroup-device command.
Configure the VLAN Failsafe trigger. On BIGIP-A.lab.local, create an additional VLAN called Vlan-test. General Properties section: Name: Vlan-test Configuration: Advanced Failsafe: Checked Failsafe Timeout: 15 Action: Failover When complete, click Finished.
BIGIP-A.lab.local detects a failure for Vlan-test, resulting in the FAILSAFE FAULT state.
On BIGIP-A.lab.local and BIGIP-B.lab.local, watch the log file with tail -f /var/log/ltm. Notice on both BIG-IP systems when the status change occurs: when the active system fails over, the standby system goes active immediately. You should see BIGIP-B.lab.local Active for both traffic groups.
BIGIP-A.lab.local is now standby for both traffic groups. Remove the Vlan-test VLAN created previously and ensure that BIGIP-B.lab.local is active for traffic-group-2. On BIGIP-A.lab.local, navigate to Network » VLANs. Edit the external VLAN, select Advanced and configure the following parameters: Failsafe: Checked Timeout: 30 seconds Action: Failover When complete, click Finished.
On BIGIP-A.lab.local, disable interface 1.2, the external interface. Navigate to Network » Interfaces. Edit interface 1.2 and select Disable. Note: you can also disable the interface from the command line with tmsh modify /net interface 1.2 disabled. Notice on both BIG-IP systems when the status change occurs: when the active system fails over, the standby system goes active immediately.
You should see BIGIP-B.lab.local standby for both traffic groups. You should see BIGIP-A.lab.local active for both traffic groups.
From the Client PC, access the URLs http://10.10.1.100 and https://10.10.1.101. The attempts should be successful and the failover works.
Lab 8: Connection and Persistence Mirroring on BIG-IP HA
Configure Connection Mirroring
BIGIP-A.lab.local is active for traffic-group-2 and standby for traffic-group-1. BIGIP-B.lab.local is active for traffic-group-1 and standby for traffic-group-2.
On BIGIP-B.lab.local, create a pool using the information in the following table. Local Traffic » Pools » Pool List, then click Create. Configuration section: Configuration: Basic Name: telnet_pool Resources section: Load Balancing Method: Round Robin Priority Group Activation: Disabled Node Name: (Leave blank) New Members: Address:Port: 172.16.1.1:23 Click Add Address:Port: 172.16.1.2:23 Click Add When complete, click Finished.
Create a new virtual server on BIGIP-B.lab.local using the following settings: Local Traffic » Virtual Servers » Virtual Server List, then click Create. General Properties section: Name: telnet_vs Destination Type: Standard Address: 10.10.1.103 Service Port: 23 State: Enabled Resources section: Default Pool: telnet_pool When complete, click Finished.
On BIGIP-B.lab.local, navigate to Local Traffic » Virtual Servers » Virtual Address List and edit the entry for 10.10.1.103. Make sure the Traffic Group is set to traffic-group-1.
Synchronize the configuration from BIGIP-B.lab.local to BIGIP-A.lab.local.
On BIGIP-A.lab.local, make sure the virtual server telnet_vs and the pool telnet_pool are synchronized. From the Client PC, open a telnet session to 10.10.1.103:23. Log in as server / server. Test your connection by using the ipconfig command.
On BIGIP-B.lab.local, navigate to Device Management » Traffic Groups, edit traffic-group-1, and display the failover objects processed by the current device. On BIGIP-B.lab.local, edit traffic-group-2 and display the failover objects processed by the BIGIP-A.lab.local device.
From the server cmd prompt, execute the arp -a command to display the ARP table. Notice the MAC address 00-0C-29-6c-8b-22 associated with the default gateway 172.16.1.33. On BIGIP-B.lab.local, navigate to Network » Interfaces. Notice the MAC address 00-0C-29-6c-8b-22 of interface 1.1. This is because BIGIP-B.lab.local is the active device for traffic-group-1, and this traffic group contains the failover objects 10.10.1.103 (telnet_vs) and 172.16.1.33 (Floating Self IP).
On BIGIP-B.lab.local, navigate to Device Management » Traffic Groups. Click Force to Standby for traffic-group-1. Notice that the telnet connection has been lost. Now BIGIP-B.lab.local is standby for traffic-group-1 and traffic-group-2.
Now BIGIP-A.lab.local is active for traffic-group-1 and traffic-group-2. Since BIGIP-A.lab.local is the active device for traffic-group-1, the floating self IP 172.16.1.33 is processed by the current active device.
From the Client PC, open another telnet session to 10.10.1.103:23. The current active device BIGIP-A.lab.local directs the telnet session to one of the pool members. Display the ARP table using the arp -a command. Notice the MAC address 00-0c-29-0a-7c-9f associated with the default gateway 172.16.1.33.
On BIGIP-A.lab.local, navigate to Network » Interfaces. Notice the MAC address 00-0c-29-0a-7c-9f of interface 1.1. This is because BIGIP-A.lab.local is now the active device for traffic-group-1, and this traffic group contains the failover objects 10.10.1.103 (telnet_vs) and 172.16.1.33 (Floating Self IP).
Configure connection mirroring and synchronize the configuration. On BIGIP-A.lab.local, navigate to Local Traffic » Virtual Servers and select telnet_vs, the virtual server entry that corresponds to 10.10.1.103:23. Using the Advanced configuration option, enable the Connection Mirroring setting. Synchronize the changes from BIGIP-A.lab.local to the device group.
From the Client PC, open a telnet session to 10.10.1.103:23. Log in as server / server and type any command. Force the BIGIP-A.lab.local device, which is active for traffic-group-1, to standby.
Test the connection to 10.10.1.103:23 again by executing the previous command. Note that the connection was maintained.
Configure Persistence Mirroring
Make sure BIGIP-A.lab.local is active for traffic-group-1 and standby for traffic-group-2.
Make sure BIGIP-B.lab.local is active for traffic-group-2 and standby for traffic-group-1.
Configure a Source Address Affinity persistence profile and assign it to the virtual server http_vs. Create a persistence profile based on the following: Navigate to Local Traffic » Profiles » Persistence » Create. General Properties section: Name: Lab-persist-src Persistence Type: Source Address Affinity Configuration section: Timeout: 30 seconds Mask: When complete, click Finished.
Assign Lab-persist-src to http_vs. Navigate to Local Traffic » Virtual Servers. Edit the virtual server http_vs and click the Resources tab. Select the Default Persistence Profile: Lab-persist-src When complete, click Update.
Synchronize the configuration from BIGIP-A.lab.local to BIGIP-B.lab.local.
From the Client PC, open a browser session to http://10.10.1.100. Ensure your session is persisting by hitting Ctrl-F5 several times.
View persistence records on both BIG-IP systems using the tmsh command tmsh show ltm persistence persist-records. You should see a persistence record on BIGIP-A.lab.local, which is active for the traffic group traffic-group-1 containing the failover object 10.10.1.100, but not on BIGIP-B.lab.local, which is standby for that same traffic group. Force the BIG-IP device that is active for traffic-group-1 to standby: on BIGIP-A.lab.local, from a command prompt, enter the tmsh run /sys failover standby command.
Refresh the session to http://10.10.1.100. While there is some chance the same pool member may be chosen, it is not due to persistence. You may need to refresh by pressing Ctrl-F5 to ensure the browser does not use its cache. Make sure BIGIP-A.lab.local is active for traffic-group-1 and standby for traffic-group-2. Use the tmsh run /cm watch-trafficgroup-device command to view dynamic information about the failover status of the devices in the device group to which the local device belongs. Use the Up and Down arrow keys on your keyboard so that BIGIP-A.lab.local is active for traffic-group-1.
You can use the tmsh show /cm failover-status command to view the status of the BIG-IP system. On BIGIP-A.lab.local, notice the status Active for traffic-group-1. On BIGIP-B.lab.local, notice the status Active for traffic-group-2.
Access the TMOS CLI using the tmsh command on BIGIP-B.lab.local and verify that the mirror option is disabled for the persistence profile Lab-persist-src using the list ltm persistence source-addr Lab-persist-src mirror command. You should see that persistence mirroring is disabled. Access the TMOS CLI using the tmsh command on BIGIP-A.lab.local and verify that the mirror option is disabled for the persistence profile Lab-persist-src using the list ltm persistence source-addr Lab-persist-src mirror command. You should see that persistence mirroring is disabled. On BIGIP-A.lab.local, enable persistence mirroring using the modify /ltm persistence source-addr Lab-persist-src mirror enabled command.
On BIGIP-A.lab.local, verify that the status is Changes Pending using the show /cm sync-status command. On BIGIP-A.lab.local, synchronize the configuration to device group GR-lab-local using the run /cm config-sync to-group GR-lab-local command.
On BIGIP-A.lab.local, verify that the status is In Sync using the show /cm sync-status command. On BIGIP-B.lab.local, verify that the status is In Sync using the show /cm sync-status command. On BIGIP-B.lab.local, verify that the synchronization is fine: verify that the mirror option is enabled for the persistence profile Lab-persist-src using the list ltm persistence source-addr Lab-persist-src mirror command. You should see that persistence mirroring is enabled.
From the Client PC, open a browser session to http://10.10.1.100. Ensure your session persists by pressing Ctrl-F5 several times. Notice the server IP address 172.16.1.1 that responds to the HTTP request. View persistence records on both BIG-IP systems using the tmsh command tmsh show ltm persistence persist-records. You should see a persistence record on BIGIP-A.lab.local, which is active for the traffic group traffic-group-1 containing the failover object 10.10.1.100, and also on BIGIP-B.lab.local, which is standby for that same traffic group.
Now that Persistence Mirroring is enabled, you should see a persistence record on both the Active and Standby systems. Use the tmsh run /cm watch-trafficgroup-device command to view dynamic information about the failover status of the devices in the device group to which the local device belongs and to force BIGIP-A.lab.local into standby. Use the Up and Down arrow keys on your keyboard so that BIGIP-A.lab.local is standby for traffic-group-1. Now BIGIP-A.lab.local is standby for traffic-group-1.
Now BIGIP-B.lab.local is Active for traffic-group-1 and traffic-group-2. From the Client PC, refresh the browser session to http://10.10.1.100. Notice that the HTTP session does persist to the same server 172.16.1.1.

