Uploaded by Abhishek Aggarwal

F5 201 Exam Preparation
F5 LTM Basics
Load Balancing
[Diagram: lab topology used throughout this deck]
Client: 10.10.1.30 (network 10.10.0.0/16)
Virtual server: http_vs = 10.10.1.100:80
VLAN External: Self IP 10.10.1.31/16, Floating IP 10.10.1.33/16
VLAN Internal: Self IP 172.16.1.31/16, Floating IP 172.16.1.33/16
Pool http_pool: 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80
Object definitions
• Virtual Server = Listener
• Pool = Container of Pool Members
• Pool Member = Node + Port
• Node = IP address
Load Balancing Methods
Static Load Balancing
• Round Robin (default)
• Ratio
Dynamic Load Balancing
• Least Connections
• Fastest
• Weighted Least Connections
• Least Sessions
• Observed
• Predictive
Failure Mechanisms
• Priority Group Activation
• Fallback Host
Static Load Balancing: Round Robin
• Connections are distributed evenly across all available members.
[Diagram: lab topology; connections 1 and 4 go to 172.16.20.1, 2 and 5 to 172.16.20.2, 3 and 6 to 172.16.20.3]
Static Load Balancing: Ratio (Member or Node)
• Connections are distributed in a weighted round-robin pattern using ratios you define.
[Diagram: ratio values 172.16.20.1 = 2, 172.16.20.2 = 3, 172.16.20.3 = 1; connections 1 and 4 go to 172.16.20.1, connections 2, 5 and 6 to 172.16.20.2, connection 3 to 172.16.20.3]
Dynamic Load Balancing: Least Connections (Member or Node)
• The next connection goes to the member or node with the fewest open connections.
[Diagram: open-connection counts per member (100, 103 and 110 are shown); each of the ten new connections goes to whichever member currently has the fewest, so the member that started at 100 receives the first ones until the counts even out]
Dynamic Load Balancing: Fastest (Member or Node)
• The next connection goes to the member or node with the fewest outstanding Layer 7 requests.
[Diagram: outstanding Layer 7 requests per member (14, 17 and 10 are shown); the member with 10 receives the next connection]
Dynamic Load Balancing: Least Sessions
• The next connection goes to the member or node with the fewest existing persistence records.
[Diagram: persistence records per member (7, 57 and 57 are shown); the member with 7 receives the next connection]
Dynamic Load Balancing: Weighted Least Connections
• The next connection goes to the member with the fewest existing connections as a percentage of its connection limit. Requires a connection limit on the pool members.
[Diagram: connections as a percentage of each member's connection limit (50%, 25% and 20% are shown); the member at 20% receives the next connection]
Dynamic Load Balancing: Observed
• Calculates dynamic ratio values based on the number of Layer 4 connections last observed. The next connection goes to the member or node with the highest calculated ratio.
[Diagram: calculated ratio values 2, 3 and 3 for 172.16.20.1, 172.16.20.2 and 172.16.20.3]
Dynamic Load Balancing: Predictive
• Calculates dynamic ratio values based on current connections compared with previous connections (the trend). The next connection goes to the member or node with the highest ratio.
[Diagram: calculated ratio values 1, 4 and 1 for 172.16.20.1, 172.16.20.2 and 172.16.20.3]
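Worked example, added here and not part of the F5 deck: a small Python scheduler implementing the static and dynamic methods above against the lab pool. The BIG-IP's exact rotation order for Ratio and its tie-breaking for the dynamic methods are not stated on the page; the Ratio order below is the one that reproduces the diagram (ratios 2:3:1 giving connections 1 and 4, then 2, 5 and 6, then 3) and ties go to the first member in pool order, both assumptions of this example. Connection counts, limits and request counts are constructed from the diagram figures; the class and function names are this example's own.

```python
from dataclasses import dataclass


@dataclass
class Member:
    """A pool member (node + port) with the counters each method reads."""
    addr: str
    port: int = 80
    ratio: int = 1            # Ratio method weight
    conn_limit: int = 0       # 0 = no limit; Weighted Least Connections needs one
    connections: int = 0      # open Layer 4 connections (Least Connections)
    outstanding_l7: int = 0   # outstanding Layer 7 requests (Fastest)
    persist_records: int = 0  # existing persistence records (Least Sessions)
    available: bool = True    # what the health monitor says

    @property
    def name(self) -> str:
        return f"{self.addr}:{self.port}"


def lab_pool() -> list:
    """http_pool from the deck, with constructed per-member counters."""
    return [
        Member("172.16.20.1", ratio=2, conn_limit=200, connections=100, outstanding_l7=14, persist_records=7),
        Member("172.16.20.2", ratio=3, conn_limit=400, connections=103, outstanding_l7=17, persist_records=57),
        Member("172.16.20.3", ratio=1, conn_limit=550, connections=110, outstanding_l7=10, persist_records=57),
    ]


def candidates(pool):
    """Monitors gate every method: only available members are candidates."""
    cands = [m for m in pool if m.available]
    if not cands:
        raise LookupError("no available pool members")
    return cands


def round_robin(pool, n):
    """Static (default): rotate evenly over the available members."""
    picks = []
    for i in range(n):
        cands = candidates(pool)
        picks.append(cands[i % len(cands)].name)
    return picks


def ratio(pool, n):
    """Static: weighted round robin. Each pass hands one connection to every
    available member that still has quota in this cycle; the cycle restarts
    once every quota is spent (assumption: this order matches the diagram)."""
    picks, quota = [], {}
    while len(picks) < n:
        if not any(quota.values()):  # first cycle, or the cycle is spent
            quota = {m.name: m.ratio for m in candidates(pool)}
            if not any(quota.values()):
                raise ValueError("no available member has a positive ratio")
        for m in candidates(pool):
            if quota.get(m.name, 0) > 0 and len(picks) < n:
                quota[m.name] -= 1
                picks.append(m.name)
    return picks


def _least(pool, metric):
    """Dynamic methods: the smallest metric wins; ties go to the first member
    in pool order (assumption; the BIG-IP's own tie-break is not on the page)."""
    return min(candidates(pool), key=metric)


def least_connections(pool):
    return _least(pool, lambda m: m.connections)


def fastest(pool):
    return _least(pool, lambda m: m.outstanding_l7)


def least_sessions(pool):
    return _least(pool, lambda m: m.persist_records)


def weighted_least_connections(pool):
    """Fewest open connections as a fraction of each member's connection limit."""
    if any(m.conn_limit <= 0 for m in candidates(pool)):
        raise ValueError("every available member needs a connection limit")
    return _least(pool, lambda m: m.connections / m.conn_limit)


def least_connections_sequence(pool, n):
    """Hand out n connections one at a time, updating the counters as the
    BIG-IP would, so the counts converge instead of piling onto one member."""
    picks = []
    for _ in range(n):
        m = least_connections(pool)
        m.connections += 1
        picks.append(m.name)
    return picks


if __name__ == "__main__":
    pool = lab_pool()
    print("round robin   :", round_robin(pool, 6))
    print("ratio 2:3:1   :", ratio(pool, 6))
    print("least conns   :", least_connections_sequence(lab_pool(), 5))
    print("fastest       :", fastest(pool).name)
    print("least sessions:", least_sessions(pool).name)
    print("weighted LC   :", weighted_least_connections(pool).name)
    pool[0].available = False  # the monitor marks 172.16.20.1 down
    print("rr, .1 down   :", round_robin(pool, 4))
```

Note how every method goes through `candidates()` first: a member the monitor has marked down is never selected, whatever its counters say, which is the interaction between monitors and load balancing that the Health Monitors section describes next.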
Health Monitors
[Diagram: lab topology; the BIG-IP monitors each member of http_pool (172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80) behind http_vs = 10.10.1.100:80]
Health Monitors / Monitors
• Determine the availability and performance of hosts/devices, links and services on a network.
• Gather and check information from a host/device-specific resource, looking for the expected response within a defined time interval.
Types of monitored resources
• Nodes
• Pools
• Pool Members
• Links (BIG-IP DNS only)
Health Monitors: Address Check Monitor
[Diagram: an ICMP ECHO REQUEST is sent to each member of http_pool]
• Pings an IP address as the health test.
• Determines the availability of a device via IP.
• Marks the node/member offline if there is no response within the timeout.
• Example: ICMP
Health Monitors: Service Check Monitor
[Diagram: SYN, SYN/ACK and RST exchanged with each member of http_pool]
• Opens a connection to the pool member (service).
• Determines the availability of a service, not of its content: a port that answers but returns errors still passes.
• Marks the pool member offline if there is no response within the timeout.
• Example: TCP (the SYN / SYN-ACK / RST exchange in the diagram is the tcp_half_open monitor; the default tcp monitor completes the three-way handshake)
Health Monitors: Content Check Monitor
[Diagram: SYN, SYN/ACK, ACK, then HTTP GET and HTTP RESPONSE exchanged with each member of http_pool]
• Opens a connection, sends a command and examines the response.
• Determines the availability of a service and of the expected content.
• Marks the pool member offline if there is no successful response within the timeout.
• Example: HTTP (custom send and receive strings)
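Worked example, added here and not part of the deck: the service and content checks above written as plain socket probes in Python and run against a throwaway HTTP server on 127.0.0.1 that stands in for a pool member (/health answers 200, every other path answers 500 while the port stays open). It shows the gap between the two monitor types: the service check passes as long as the port answers, the content check fails when the response does not match the receive string. The address check (ICMP) needs raw sockets and is left out. The server, its paths, the request and the probe function names are this example's own, not BIG-IP APIs.

```python
import re
import socket
import struct
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class LabMember(BaseHTTPRequestHandler):
    """Constructed stand-in for a pool member: /health answers 200 OK,
    every other path answers 500 while the port stays open."""

    def do_GET(self):
        healthy = self.path == "/health"
        body = b"OK\n" if healthy else b"backend error\n"
        self.send_response(200 if healthy else 500)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example's output quiet


def start_lab_member() -> int:
    """Serve the stand-in on an ephemeral 127.0.0.1 port; return that port."""
    server = HTTPServer(("127.0.0.1", 0), LabMember)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def closed_port() -> int:
    """Bind an ephemeral port and release it, so a connect to it is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def service_check(host: str, port: int, timeout: float = 5.0) -> bool:
    """Service check, like the deck's SYN / SYN-ACK / RST: does anything listen?
    SO_LINGER with a zero linger time makes close() send a RST rather than a FIN."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        return True
    except OSError:  # refused, unreachable or timed out
        return False


def content_check(host: str, port: int, send: str, recv_pattern: str, timeout: float = 5.0) -> bool:
    """Content check: connect, send the request, read until the server closes,
    and require the response to match the receive string (a regex, as on the BIG-IP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(send.encode())
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return False
    response = b"".join(chunks).decode(errors="replace")
    return re.search(recv_pattern, response) is not None


def run_monitor_demo() -> dict:
    """Probe the stand-in with both monitor types; returns the four verdicts."""
    port = start_lab_member()
    get = "GET {} HTTP/1.1\r\nHost: 172.16.20.1\r\nConnection: close\r\n\r\n"
    ok = r"^HTTP/1\.[01] 200"  # receive string: only a 200 status line counts
    return {
        "service_up": service_check("127.0.0.1", port),
        "service_closed": service_check("127.0.0.1", closed_port()),
        "content_health": content_check("127.0.0.1", port, get.format("/health"), ok),
        "content_broken": content_check("127.0.0.1", port, get.format("/broken"), ok),
    }


if __name__ == "__main__":
    for name, verdict in run_monitor_demo().items():
        print(f"{name:15} {'UP' if verdict else 'DOWN'}")
```

The receive string is anchored to the status line on purpose: a pattern such as `OK` would also match an error page that happens to contain the word, and a member that is serving 500s would stay in rotation.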
Health Monitors: Monitor Interval and Timeout Settings
• Interval: the number of seconds between tests, i.e. how often the monitor tests (default 5 seconds).
• Timeout: how long the monitor waits for a successful test before marking the resource unavailable (default 16 seconds).
• Recommended timeout = (3 x Interval) + 1, which gives a resource three missed tests before it is marked down; with the defaults, tests at 5, 10 and 15 seconds can fail before the member goes down at 16 seconds.
[Figure: timeline of tests: one successful test, then unsuccessful tests until the timeout expires]
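Worked example, added here and not part of the deck: a timeline model of the interval and timeout rule in Python. It assumes, as the slide does, that a resource is marked down the moment `timeout` seconds have passed since its last successful test and is marked up again by the next successful test; probe times and their results are constructed. Running it shows why the recommended value is 3 x Interval + 1 rather than 3 x Interval: with interval 5 and timeout 15, a third probe that succeeds at second 15 arrives exactly as the deadline expires, so the member flaps, while timeout 16 leaves room for it. The function names are this example's own.

```python
def recommended_timeout(interval: int) -> int:
    """The deck's rule of thumb: (3 x Interval) + 1."""
    return 3 * interval + 1


def attempts_before_down(interval: int, timeout: int) -> int:
    """Probes that can still be sent and answered after the last success
    before the deadline at last_success + timeout."""
    return sum(1 for k in range(1, timeout // interval + 2) if k * interval < timeout)


def monitor_timeline(interval: int, timeout: int, failed_probes, horizon: int):
    """Simulate probes at t = 0, interval, 2*interval, ... up to horizon.

    failed_probes: probe times that get no response (t = 0 always succeeds).
    Returns the state transitions as (event, time) pairs, e.g. [("down", 16), ("up", 20)].
    Assumptions: a probe answered at or after the deadline is too late, and a
    success restores the member immediately."""
    events, is_up, last_success = [], True, 0
    t = interval
    while t <= horizon:
        deadline = last_success + timeout
        if is_up and t >= deadline:
            events.append(("down", deadline))
            is_up = False
        if t not in failed_probes:
            last_success = t
            if not is_up:
                events.append(("up", t))
                is_up = True
        t += interval
    if is_up and last_success + timeout <= horizon:
        events.append(("down", last_success + timeout))
    return events


if __name__ == "__main__":
    print("interval 5 -> recommended timeout", recommended_timeout(5))
    for timeout in (15, 16):
        print(f"timeout {timeout}: {attempts_before_down(5, timeout)} attempts,",
              "two misses then a success ->", monitor_timeline(5, timeout, {5, 10}, 30))
    print("three misses, timeout 16 ->", monitor_timeline(5, 16, {5, 10, 15}, 30))
```

The flap at timeout 15 (`[("down", 15), ("up", 15)]`) is the practical cost of rounding the rule down: every transition is logged, triggers alerts, and while the member is down its existing connections may be reset depending on the pool's action-on-service-down setting.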
Health Monitors: Traffic Object Status
• Determines the availability of configuration objects such as virtual servers, pools, pool members and nodes.
• Network Map: summarized view of all configured traffic objects.
Symbol | Description
Green circle | Available
Blue square | Unknown (for example, no monitor assigned)
Yellow triangle | Enabled but unavailable
Red diamond | Offline
Black icons | Manually disabled
Black diamond | Manually forced offline
SNAT
SNAT is disabled by default
[Diagram: the client 10.10.1.30 sends SRC IP 10.10.1.30 / DST IP 10.10.1.100 to http_vs = 10.10.1.100:80; the BIG-IP forwards SRC IP 10.10.1.30 / DST IP 172.16.20.1 to the server; the server replies SRC IP 172.16.20.1 / DST IP 10.10.1.30; the client receives SRC IP 10.10.1.100 / DST IP 10.10.1.30. Pool: 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80]
• The client source IP is preserved.
• The servers require a route back to the client source IP/network that passes through the BIG-IP.
• Otherwise the result is asymmetric routing: the server's reply bypasses the BIG-IP, which holds the connection state, and reaches the client with the server's address as its source instead of 10.10.1.100, so the client drops it.
SNAT
Secure Network Address Translation (SNAT)
[Diagram: the client 10.10.1.30 sends SRC IP 10.10.1.30 / DST IP 10.10.1.100 to http_vs = 10.10.1.100:80; the BIG-IP forwards SRC IP 172.16.1.33 / DST IP 172.16.20.1 via VLAN Internal (Self IP 172.16.1.31/16, Floating IP 172.16.1.33/16); the server replies SRC IP 172.16.20.1 / DST IP 172.16.1.33; the client receives SRC IP 10.10.1.100 / DST IP 10.10.1.30. Pool: 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80]
• One-to-many mapping.
• SNAT Automap translates the server-side source IP address to an internal Self IP address or Floating IP address (the floating IP is preferred when one exists on the egress VLAN).
• Resolves the asymmetric routing issue: the server answers the BIG-IP's own address, so its default route no longer matters.
• Works with load balancing.
• The servers no longer see the client IP; if the application or its logs need it, insert an X-Forwarded-For header via the HTTP profile.
NAT
Network Address Translation (NAT)
[Diagram: the NAT address 10.10.1.105 maps one-to-one to 172.16.20.5; the client 10.10.1.30 reaches 172.16.20.5:80 via 10.10.1.105:80 and 172.16.20.5:22 via 10.10.1.105:22, while 172.16.20.6 is not reachable through it]
• One-to-one mapping.
• Bi-directional "listener": connections initiated from either side are translated.
• All ports are open: every port of the server is exposed through the NAT address, so restrict reachability elsewhere if only HTTP should be published.
• Load balancing is disabled, as are the other features (profiles, persistence, iRules) that a virtual server provides.
Profiles
Profiles
• Used to affect the behavior of certain types of network traffic.
• An object that contains settings with values for controlling the behavior of network and application traffic.
• Profile types:
– Layer 7 / Application / Services: HTTP, DNS, FTP
– Layer 4 / Protocols: TCP, UDP
– Authentication: LDAP, RADIUS
– Persistence: Source Address, Cookie
– Optimization: Mobile, LAN, WAN
• All profiles are associated with a virtual server.
• Profile dependencies
– Some profiles depend on others (an HTTP profile requires a TCP profile; cookie persistence requires an HTTP profile).
– Some profiles cannot be combined on one virtual server.
Services Profiles
HTTP Profiles
• Features that enable intelligent control of HTTP application traffic.
• Allow the BIG-IP to inspect HTTP requests and insert headers into them.
• Enable compression of HTTP server responses.
• Enable various types of HTTP optimization.
FTP Profiles
• Allow the BIG-IP to examine the port 21 control connection, see the PORT command from the client, and anticipate the server initiating a data connection to the client's IP and the designated port.
• Without an FTP profile the BIG-IP does not process the data channel, and the FTP transfer does not continue.
SSL Profiles
SSL Profiles
• The BIG-IP accepts and terminates client requests sent using a fully encapsulated protocol and provides a number of configurable settings for managing client-side (or server-side) SSL connections.
• Uses specialized hardware built for SSL acceleration to remove processing bottlenecks and encrypt data without having to change application code.
SSL Termination Advantages
• Offloads SSL traffic from the servers, with hardware acceleration.
• The BIG-IP performs the SSL key exchange and bulk encryption.
• Centralizes certificate management (and the private keys, so the BIG-IP's key store becomes the asset to protect).
• Allows iRule processing, cookie persistence, security policies and many other Layer 7 features on the decrypted traffic.
• With only a client SSL profile, traffic from the BIG-IP to the pool is cleartext; add a server SSL profile to re-encrypt toward the servers when the internal network is not trusted.
Persistence
[Diagram: two clients, 10.10.1.30 and 10.10.1.40, connect to http_vs = 10.10.1.100:80; each keeps returning to the same member of http_pool (172.16.20.1, 172.16.20.2, 172.16.20.3)]
Persistence
• Persistence is a type of profile.
• Maintains the session from one client, or a group of clients, to a single server.
• Bypasses load balancing on subsequent connections.
Persistence types on the BIG-IP system
• Source Address Affinity: based on the source IP address
• Cookie Persistence: based on the contents of a browser cookie
• Destination Address Affinity: based on the destination IP address
• SSL: based on the SSL session ID
• Universal: customize your own persistence criteria (via an iRule)
• Hash: create a persistence hash based on an existing iRule
Source Address Persistence
[Diagram: clients 10.10.1.30 and 10.10.1.40 connect to http_vs = 10.10.1.100:80 and are persisted to members of http_pool]
Persistence table
Persistence Value | Mode | Virtual Server | Pool | Pool Member | Age
10.10.1.30 | Source Address | http_vs | http_pool | 172.16.20.1:80 | 130 sec
10.10.1.40 | Source Address | http_vs | http_pool | 172.16.20.3:80 | 100 sec
Source Address Persistence with a prefix length
• Prefix Length = 24: the record is keyed by the client's /24 network, so 10.10.1.30 and 10.10.1.40 share one record and land on the same member.
Persistence Value | Mode | Virtual Server | Pool | Pool Member | Age
10.10.1.0 | Source Address | http_vs | http_pool | 172.16.20.1:80 | 130 sec
Source Address Persistence: Considerations
• A huge number of clients may connect through the same proxy server or the same router (with NAT/PAT enabled).
• Their connections all appear to come from a single source IP address.
• Result: uneven traffic distribution, because every one of those clients is persisted to the same pool member.
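Worked example, added here and not part of the deck: a source-address persistence table in Python, keyed by the client address masked to the configured prefix length and aged out by a timeout (the BIG-IP's default source_addr timeout is 180 seconds; the clock is passed in so the example runs offline). It reproduces the tables above (10.10.1.30 and 10.10.1.40 get separate records at /32 and share one record at /24) and then quantifies the consideration: 100 clients arriving from behind a single NAT address all land on one member, while 100 distinct addresses spread across the pool. The class, its method names, the round-robin assumption and the sample clients are this example's own.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Record:
    member: str
    last_seen: float  # seconds; the deck's "Age" column is now - last_seen


class SourceAddressPersistence:
    """Source address affinity in front of a round-robin pool (assumption:
    round robin is the default method; other methods are out of scope here)."""

    def __init__(self, pool, prefix_len=32, timeout=180):
        self.pool = list(pool)
        self.prefix_len = prefix_len
        self.timeout = timeout
        self.table = {}
        self._next = 0

    def key(self, client_ip: str) -> str:
        """Persistence value: the client's address masked to prefix_len."""
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return str(net.network_address)

    def _load_balance(self) -> str:
        member = self.pool[self._next % len(self.pool)]
        self._next += 1
        return member

    def select(self, client_ip: str, now: float):
        """Return (member, how): 'persist' on a live record (which also refreshes
        its age), 'load-balance' when there is none or it has expired."""
        k = self.key(client_ip)
        rec = self.table.get(k)
        if rec is not None and now - rec.last_seen < self.timeout:
            rec.last_seen = now
            return rec.member, "persist"
        member = self._load_balance()
        self.table[k] = Record(member, now)
        return member, "load-balance"

    def dump(self, now: float):
        """Rows of the deck's table: (persistence value, pool member, age in seconds)."""
        return [(k, r.member, int(now - r.last_seen)) for k, r in self.table.items()]


POOL = ["172.16.20.1:80", "172.16.20.2:80", "172.16.20.3:80"]


def distribution(client_ips, prefix_len=32):
    """How many connections each member receives when every client connects once."""
    table = SourceAddressPersistence(POOL, prefix_len)
    return Counter(table.select(ip, now=0)[0] for ip in client_ips)


if __name__ == "__main__":
    t = SourceAddressPersistence(POOL)
    t.select("10.10.1.30", now=0)
    t.select("10.10.1.40", now=30)
    t.select("10.10.1.30", now=100)
    print("table at 130 s  :", t.dump(now=130))
    t24 = SourceAddressPersistence(POOL, prefix_len=24)
    print("/24 key for .40 :", t24.key("10.10.1.40"))
    print("100 clients, one NAT IP   :", distribution(["203.0.113.7"] * 100))
    print("100 clients, distinct IPs :", distribution([f"198.51.100.{i}" for i in range(1, 101)]))
```

The NAT case is the one to test for before choosing source-address persistence on an Internet-facing virtual server: whole offices, carrier-grade NAT ranges and corporate proxies collapse to one persistence value, and a widened prefix length makes the collapse worse, not better.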
Cookie Persistence
Cookie Persistence
• A special cookie is inserted as the BIG-IP sends the reply to the client.
• The special cookie contains the selected pool member (by default encoded from the member's IP address and port, so an unencrypted cookie reveals internal addressing to every client).
• An HTTP profile is required.
• The default cookie name is BIGipServer<pool_name>.
Types of Cookie Persistence
• HTTP Cookie Insert: the BIG-IP alone manages the persistence cookie.
• HTTP Cookie Rewrite: the BIG-IP rewrites the cookie that the application sends blank.
• HTTP Cookie Passive: the application alone manages the persistence cookie.
Cookie Persistence: HTTP Cookie Insert
[Diagram: client 10.10.1.30 to http_vs = 10.10.1.100:80; the BIG-IP inserts the cookie into the response from the selected member of 172.16.20.1, 172.16.20.2, 172.16.20.3]
• The BIG-IP alone manages the persistence cookie.
• Always Send Cookie (disabled by default): by default the cookie is sent only when the member is first selected; enabling it resends the cookie on every response.
Cookie Persistence: HTTP Cookie Rewrite
[Diagram: same topology; the application sets a blank cookie and the BIG-IP fills it in]
• The BIG-IP rewrites the cookie that the application sends blank.
• Always Send Cookie is ignored.
Cookie Persistence: HTTP Cookie Passive
[Diagram: same topology; the application sets the cookie itself and the BIG-IP reads it]
• The application alone manages the persistence cookie.
• The BIG-IP lets the cookie pass through and uses its value to select the member.
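Worked example, added here and not part of the deck: encoding and decoding the default BIGipServer<pool_name> cookie value in Python. The default, unencrypted value is the pool member's IPv4 address as a little-endian 32-bit integer written in decimal, then the port with its two bytes swapped, then .0000; the sample headers below are constructed. The point for a security reviewer is that this cookie hands the internal member address and port to every client, which is why the persistence profile offers cookie encryption; an encrypted value (or the different formats the BIG-IP uses for IPv6 and route domains) does not decode with this parser and is reported as opaque. The function names are this example's own.

```python
import ipaddress
import re
import struct

COOKIE_RE = re.compile(r"BIGipServer(?P<pool>[^=;\s]+)=(?P<value>[^;\s]+)")


def encode_bigip_cookie(ip: str, port: int) -> str:
    """Default BIGipServer<pool> value: IPv4 as a little-endian uint32 in
    decimal, then the port with its two bytes swapped, then '.0000'."""
    ip_le = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)[0]
    port_sw = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_le}.{port_sw}.0000"


def decode_bigip_cookie(value: str):
    """Reverse of encode_bigip_cookie. Raises ValueError for anything that is
    not the plain IPv4 format (encrypted cookies, IPv6 or route-domain forms)."""
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plain BIGipServer value: {value!r}")
    ip_le, port_sw = int(parts[0]), int(parts[1])
    if ip_le > 0xFFFFFFFF or port_sw > 0xFFFF:
        raise ValueError(f"out of range: {value!r}")
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_le)))
    port = struct.unpack(">H", struct.pack("<H", port_sw))[0]
    return ip, port


def find_pool_members(headers: str):
    """Scan Set-Cookie/Cookie headers for BIGipServer cookies and return
    (pool_name, member_ip, member_port) for each one that decodes; cookies
    that do not decode are reported with None so they are still visible."""
    found = []
    for m in COOKIE_RE.finditer(headers):
        try:
            ip, port = decode_bigip_cookie(m.group("value"))
            found.append((m.group("pool"), ip, port))
        except ValueError:
            found.append((m.group("pool"), None, None))
    return found


# Constructed sample: the deck's http_pool member, plus an encrypted cookie
# (encrypted values start with '!'; this one is made up, not real ciphertext).
SAMPLE_HEADERS = (
    "Set-Cookie: BIGipServerhttp_pool=18092204.20480.0000; path=/\r\n"
    "Set-Cookie: BIGipServerapp_pool=!c3VwZXJzZWNyZXR2YWx1ZQ==; path=/\r\n"
)


if __name__ == "__main__":
    print("172.16.20.1:80 ->", encode_bigip_cookie("172.16.20.1", 80))
    for pool, ip, port in find_pool_members(SAMPLE_HEADERS):
        print(f"{pool}: {ip}:{port}" if ip else f"{pool}: opaque (encrypted or unknown format)")
```

Run against a real response, the scan is a quick check during an assessment that a BIG-IP in front of an application is leaking pool addressing; the fix on the BIG-IP side is the cookie encryption setting in the cookie persistence profile rather than a change to the application.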
iRules
When to use an iRule?
• When the functionality is not available in the CLI or GUI.
• Custom logging.
• Custom selection.
iRules are commonly used for:
• Custom pool and server selection
• HTTP to HTTPS redirection
• Universal persistence
• Intelligent SNAT
iRules
Components
• An event defines the activity that triggers the iRule.
• An operator is used in a conditional expression.
• A command indicates the action to perform.

when EVENT {
    if { conditional expression } {
        action
    } elseif { conditional expression } {
        action
    } else {
        action
    }
}
iRules
iRule Events
• Client-side events (for example CLIENT_ACCEPTED, HTTP_REQUEST) fire on the connection between the client 10.10.1.30 and the virtual server http_vs = 10.10.1.100:80.
• Server-side events (for example SERVER_CONNECTED, HTTP_RESPONSE) fire on the connection from the BIG-IP (VLAN Internal, Self IP 172.16.1.31/16, Floating IP 172.16.1.33/16) to the pool members 172.16.20.1:80, 172.16.20.2:80 and 172.16.20.3:80.
iRules
Operators | Statements | Commands
equals (==) | if / elseif / else | TCP::payload
greater-than (>) | switch | IP::client_addr
less-than (<) | pool | HTTP::header
starts_with | log |
contains | |
ends_with | |
iRules
Example: select the pool by client address
[Diagram: clients 10.10.1.30 and 10.10.1.40 connect to http_vs = 10.10.1.100:80 and are steered to different pools; members 172.16.20.1, 172.16.20.2, 172.16.20.3]

when CLIENT_ACCEPTED {
    # Runs once per client connection, before the default pool is chosen.
    if { [IP::client_addr] equals "10.10.1.30" } {
        pool pool1
    } elseif { [IP::client_addr] equals "10.10.1.40" } {
        pool pool3
    }
    # Any other client falls through to the virtual server's default pool.
}