F5 201 Exam Preparation: F5 LTM Revisit

Load Balancing Revisit

Load Balancing Using Member
• If http_pool uses Least Connections (member), then the next connection request goes to the member with the fewest connections
• Diagram: client 10.10.1.30 (network 10.10.0.0/16); http_vs = 10.10.1.100:80 → http_pool; ssh_vs = 10.10.1.102:22 → ssh_pool; both pools use the nodes 172.16.20.1, 172.16.20.2 and 172.16.20.3; current connections per member: http_pool 107 / 108 / 99, ssh_pool 2 / 3 / 25

Load Balancing Using Node
• If http_pool uses Least Connections (node), then the next connection request goes to the node with the fewest connections
• Diagram: same virtual servers, pools, nodes and connection counts as above

Load Balancing Failure Mechanism
Priority Group Activation
• Pool members are grouped by priority values
• Controlled by Less than Value / Minimum available pool members
• Disabled by default, and priority values are set to 0
• Persistent connections are still allowed to pool members that are already de-activated
Fallback Host
• The client is redirected to the destination if all members fail
• Works only for HTTP traffic
• Implemented under the HTTP Profile

Load Balancing Revisit (summary)
Static Load Balancing
• Round Robin (default)
• Ratio
Failure Mechanism
• Priority Group Activation
• Fallback Host
Dynamic Load Balancing
• Least Connections
• Fastest
• Weighted Least Connections
• Least Session
• Observed
• Predictive
Member and Node Load Balancing
• Member = IP + Port
• Node = IP only

Nodes
Node
• IP address
• Can be named
• Can be re-used when adding members to a pool
• Automatically created when a Pool Member is added to a Pool
• Can be managed individually – Ratio, Health Monitor, Conn Limit, FQDN etc.
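The member-versus-node decision on the two Least Connections slides, worked through in Python as an added example (not F5 code). The connection counts are the constructed figures from the diagram; the node total is assumed to be the sum of every member sharing that IP across both pools, since a node is the IP only.

```python
# Added example (not F5 code): reproduces the member-vs-node decision from the
# Least Connections diagrams. Node counts are assumed to be the sum of all
# members sharing that IP, across pools, because a node is IP only.
from collections import defaultdict

# Current connections per pool member (ip:port -> active connections), the
# constructed figures from the diagram: http_pool 107/108/99, ssh_pool 2/3/25.
CONNECTIONS = {
    "http_pool": {"172.16.20.1:80": 107, "172.16.20.2:80": 108, "172.16.20.3:80": 99},
    "ssh_pool":  {"172.16.20.1:22": 2,   "172.16.20.2:22": 3,   "172.16.20.3:22": 25},
}


def node_of(member):
    """Node = IP only; Member = IP + Port."""
    return member.rsplit(":", 1)[0]


def node_connections(connections):
    """Total connections per node, summed over every pool member on that IP."""
    totals = defaultdict(int)
    for members in connections.values():
        for member, count in members.items():
            totals[node_of(member)] += count
    return dict(totals)


def least_connections(pool, connections, mode="member"):
    """Pick the next member of `pool` under Least Connections (member | node).
    Ties keep the first member listed (an assumed, deterministic tie-break)."""
    members = connections[pool]
    if mode == "member":
        return min(members, key=members.get)
    if mode == "node":
        totals = node_connections(connections)
        return min(members, key=lambda m: totals[node_of(m)])
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    for mode in ("member", "node"):
        print(f"http_pool least connections ({mode}):",
              least_connections("http_pool", CONNECTIONS, mode))
```

With the diagram's numbers the member mode picks 172.16.20.3:80 (99 connections), while the node mode picks 172.16.20.1:80, because the ssh_pool load on 172.16.20.3 pushes that node's total to 124.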
Node Default
• Where a Health Monitor is applied, it affects all Nodes

Pools
Pool
• Load Balancing component
• Container of Pool Members (Node + Port)
• Where a Pool Member is managed (enabled, disabled, forced offline etc.)
• Where Health Monitors can be enabled; by default they are inherited by the Pool Members
• Can be re-used in multiple Virtual Servers
Pool Member
• IP / Node + Port
• Is exclusive to a specific Pool (can't be re-used)
• The Pool Member port doesn't need to match the Virtual Server port, as it can be translated (same as the IP address)
• Can be managed individually – Ratio, Priority Value, Health Monitor, Conn Limit etc.
• At least one available Pool Member is required for the Pool to be Available

Pools Advanced Options
• Multiple Health Monitors
• Slow Ramp – in seconds
• Action on Service Down – None, Reject, Drop, Reselect
• ToS
• QoS
• And many more

Virtual Servers
Virtual Server / VS / VIP
• Traffic / application object and listener, represented by an IP address and a port number
• Communicates with the client on behalf of the servers and distributes traffic across multiple servers
• Translates both IP address and port
• Treats various types of traffic differently based on its settings
• Settings include Layer 4, Application and SSL Profiles, Compression, iRules, Persistence, Pool Association etc.

Virtual Server Types
• Standard
• Forwarding (Layer 2)
• Forwarding (IP)
• Performance (HTTP)
• Performance (Layer 4)
• Stateless
• Reject
• DHCP

Virtual Server Order of Precedence
Virtual Server Destination Address (pattern – example virtual server destination – example client destination it matches – description)
• <address>:<port> – 10.10.10.100/32:80 – 10.10.10.100:80 – both address and port match
• <address>:* – 10.10.10.101/32:* – 10.10.10.101:22 – address match with wildcard port
• <network>:<port> – 10.10.10.0/24:80 – 10.10.10.102:80 – address within the range with a specific port
• <network>:* – 10.10.10.0/24:* – 10.10.10.102:22 – address within the range with wildcard port
• *:<port> – *:80 – 10.10.100.10:80 – wildcard address with a specific port
• *:* – *:* – 10.10.100.10:22 – wildcard address and wildcard port

Virtual Server vs Virtual Address
• A Virtual Server destination consists of an IP address and a service port
• A Virtual Address is the IP address of a Virtual Server
• http_vs – 10.10.10.100:80
• https_vs – 10.10.10.100:443

Standard Virtual Servers
Standard
• Full Proxy – three-way TCP handshake on both the client-side and the server-side connection
• Optimizes TCP connections to clients
• Load balances application traffic to a pool of servers
• iRules can process most requests
• Most options are available (if not all), such as Layer 4, HTTP, FTP and SSL profiles, Persistence, Pool etc.
Virtual Server VLAN Settings
• Enabled on all VLANs (default)
• Recommended to disable the VLAN(s) that are not processed by the Virtual Server

Forwarding Virtual Servers
Forwarding Virtual Servers
• Forwards traffic directly to the destination IP address specified by the client request
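The order of precedence above, applied by a small Python selector as an added example (not F5 code): the virtual server list is constructed to mirror the six destination patterns on the slide, and each client destination from the slide is resolved to the most specific listener.

```python
# Added example (not F5 code): chooses the virtual server that the order of
# precedence above would select for a client destination. The virtual server
# list is constructed to mirror the six patterns on the slide.
import ipaddress

VIRTUAL_SERVERS = [  # constructed: one listener per destination pattern
    {"name": "vs_host_port", "destination": "10.10.10.100/32", "port": 80},
    {"name": "vs_host_any",  "destination": "10.10.10.101/32", "port": "*"},
    {"name": "vs_net_port",  "destination": "10.10.10.0/24",   "port": 80},
    {"name": "vs_net_any",   "destination": "10.10.10.0/24",   "port": "*"},
    {"name": "vs_any_port",  "destination": "*",               "port": 80},
    {"name": "vs_any_any",   "destination": "*",               "port": "*"},
]


def precedence(vs):
    """Rank 1..6 in the slide's order (1 = <address>:<port>, 6 = *:*)."""
    if vs["destination"] == "*":
        return 5 if vs["port"] != "*" else 6
    net = ipaddress.ip_network(vs["destination"], strict=False)
    if net.prefixlen == net.max_prefixlen:  # a single host address
        return 1 if vs["port"] != "*" else 2
    return 3 if vs["port"] != "*" else 4


def matches(vs, ip, port):
    """True when the client destination ip:port falls under this listener."""
    addr_ok = (vs["destination"] == "*" or
               ipaddress.ip_address(ip) in ipaddress.ip_network(vs["destination"], strict=False))
    port_ok = vs["port"] == "*" or vs["port"] == port
    return addr_ok and port_ok


def select_virtual_server(virtual_servers, ip, port):
    """Name of the most specific matching listener, or None when nothing listens."""
    candidates = [vs for vs in virtual_servers if matches(vs, ip, port)]
    return min(candidates, key=precedence)["name"] if candidates else None


if __name__ == "__main__":
    for ip, port in [("10.10.10.100", 80), ("10.10.10.101", 22), ("10.10.10.102", 80),
                     ("10.10.10.102", 22), ("10.10.100.10", 80), ("10.10.100.10", 22)]:
        print(f"{ip}:{port} -> {select_virtual_server(VIRTUAL_SERVERS, ip, port)}")
```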
• Uses the routing table to make forwarding decisions
• Pool association is not supported / load balancing is disabled
• Processed at Layer 2 or Layer 3 (IP)
Resolving Duplicate IP Address Issue
• Enable only the VLAN on which the VS traffic is listened for
• Disable ARP under the Virtual Address
• Local Traffic ► Virtual Servers : Virtual Address List

Health Monitors Revisit
Layer 7
• Diagram: http_vs = 10.10.1.100:80 → http_pool members 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80; exchange shown: SYN, SYN/ACK, ACK, HTTP GET, HTTP RESPONSE
• Accurate content checking
• Examines a single request/response, such as HTTP, HTTPS
• Built-in request/response, such as FTP, SIP, Oracle, IMAP
• Multiple requests/responses – Scripted and External
Built-in Application Check Monitor
• Connects to the monitored resource
• Logs in using credentials
• Navigates to a specific directory
• Example: FTP
Assigning Multiple Monitors
• Select Advanced under Pool Configuration
• Specify the Availability Requirement (At least)
Manual Resume
• The Pool Member won't be marked Available when it comes back online
• Must be manually enabled
• Commonly used during server maintenance and troubleshooting

HTTP Health Monitors
Customizing HTTP Monitor
• Send String
• Receive String
• Receive Disable String
Regex in the Receive String
• Match one from the group: 172.16.20.1 | 172.16.20.2
• Wildcards: . ? *
• Bracket Expressions: [1-5] [a-d] [^f]

Objects Status
Traffic Object Status
• Determines availability of configuration objects such as Virtual Servers, Pools, Pool Members and Nodes
• Network Map – summarized view of all configured traffic objects
Symbol – Description
• Green Circle – Available
• Blue Square – Unknown
• Yellow Triangle – Enabled but Unavailable
• Red Diamond – Offline
• Black Icons – Manually Disabled
• Black Diamond – Manually Forced Offline
• Gray Icons – Parent object has disabled the object
Disabled vs Force Offline
• Neither accepts new connections
• Both still accept traffic from active connections (ssh and ftp)
• Disabled still accepts traffic from existing persistence records
• Force Offline drops traffic even from existing persistence records

SNAT Revisit
Translation
• Diagram: client 10.10.1.30 → http_vs = 10.10.1.100:80; client side: SRC IP 10.10.1.30 / DST IP 10.10.1.100, reply SRC IP 10.10.1.100 / DST IP 10.10.1.30; server side (VLAN Internal, Self IP 172.16.1.31/16, Floating IP 172.16.1.33/16): SRC IP 172.16.1.33 / DST IP 172.16.20.1, reply SRC IP 172.16.20.1 / DST IP 172.16.1.33; pool members 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80
Configuration
• IP Address / Range of IP Addresses – SNAT Pool, Auto Map
• SNAT List / Manual
• Virtual Server
SNAT Pool
• Pool where you can add one or more translated IP addresses
• Used to resolve SNAT port exhaustion
SNAT List
• Manual SNAT configuration
• Defines the source IP address / range
• Defines the translated IP – Automap, SNAT Pool, or a specific IP
• Applies to all Virtual Servers when SNAT is not configured in the VS
SNAT in Virtual Server
• Takes precedence over the SNAT List

Profiles Revisit
Profile Types
• Layer 4 / Protocols – TCP, UDP; Optimization – Mobile, LAN, WAN
• Layer 7 / Services – HTTP, FTP
• HTTP Profiles
• Acceleration Profiles – HTTP Compression, HTTP Caching / Web Acceleration
• Persistence Profiles
• Profile Dependencies – some profiles depend on others; some profiles can't be combined on one virtual server

TCP Profiles
TCP Profile Performance
• Latency – compute-intensive processing such as SSL
• Congestion – caused by too much data received
TCP Profile Performance Settings
• Diagram: client 10.10.1.30 → http_vs = 10.10.1.100:80 → http_pool (172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80); handshake shown: SYN, SYN/ACK, ACK
• Nagle's algorithm – reduces network congestion
• Memory management – proxy buffer levels and window size
• TTL, TCP flags, ToS, QoS etc.
TCP Profiles for Different Environments
• Layer 4 Profiles: tcp, f5-tcp-wan, f5-tcp-lan, f5-tcp-mobile, f5-tcp-progressive
• Legacy TCP Profiles: tcp-legacy, tcp-wan-optimized, tcp-lan-optimized, tcp-mobile-optimized

HTTP Profiles
HTTP Profile Options
• Client address insertion – retains the original client source address after translation (SNAT); customize the HTTP or X-Forwarded-For header
• OneConnect – allows HTTP clients to reuse server-side connections
• Chunking – allows iRules and compression to function with chunked HTTP data
• HTTP Compression vs HTTP Caching / Web Acceleration
Dependencies
• Compression, Cookie Persistence, Web Acceleration, Fallback Host and iRules with HTTP events require an HTTP Profile

SSL Profile Revisit
SSL Termination / SSL Offload
• Diagram: client 10.10.1.30 → https_vs = 10.10.1.100:443 → 172.16.20.1, 172.16.20.2, 172.16.20.3 (VLAN Internal, Self IP 172.16.1.31/16, Floating IP 172.16.1.33/16)
Client SSL Profile
• Client side – encrypted traffic
• Server side – unencrypted traffic
Limitation Without SSL Termination
• No HTTP Profiles
• No HTTP Compression, Web Acceleration, Cookie Persistence
• No security inspection
• Limited iRules
SSL Termination with Re-Encryption
Client and Server SSL Profile
• Client side – encrypted traffic
• Server side – encrypted traffic
Disadvantages of Re-Encryption
• Certificates and keys are required on both BIG-IP and the servers
• More resource consumption on the server side
• Complex troubleshooting

Persistence Revisit
• Diagram: clients 10.10.1.30 and 10.10.1.40 → http_vs = 10.10.1.100:80 → http_pool (172.16.20.1, 172.16.20.2, 172.16.20.3)
Persistence Options
• Source Address Affinity – based on the source IP address
• Cookie Persistence – based on the contents of a browser cookie
• SSL – based on SSL sessions, using the Session ID
• Universal – customize your own persistence criteria
• Destination Address Affinity – based on the destination IP address
• SIP – Call-ID persistence (telephony and multimedia)
Fallback Persistence
• No cookies? What's next?
• Source and Destination Address are the only two options

Universal Persistence
• Greatest flexibility in defining persistence
• Customizable based on the packet information that will be used as the persistence criteria
• Based on header or content data that is specific to your application
• Coupled with an iRule
Associated iRule

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "user=" } {
            persist uie [findstr [HTTP::uri] "user=" 5 "&"]
        }
    }

Example: the request http://10.10.1.100/env.cgi?user=spoonman&pw=abc from client 10.10.1.30 or 10.10.1.40, with the iRule univ_pers on http_vs = 10.10.1.100:80 (http_pool), creates the persistence record: Persistence Value spoonman, Persistence Mode Universal, Virtual Server http_vs, Pool http_pool, Pool Member 172.16.20.1:80, Age 13 sec

iRule Revisit
HTTP_REQUEST
• Diagram: client 10.10.1.30 → http_vs = 10.10.1.100:80 → 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80 (VLAN Internal, Self IP 172.16.1.31/16, Floating IP 172.16.1.33/16)
• Fully parses and inspects the client HTTP headers
• Requires an HTTP Profile
• Does not include the HTTP request body
Logging from iRule
• Great tool for troubleshooting and testing
• Writes to the local logs by default

    log local0. "Destination: [HTTP::host]"

iRule Variable
• Piece of data stored in memory
• Named and re-used

    set dest [HTTP::host]
    log local0. "Destination: $dest"

iRule Revisit
• Diagram: clients 10.10.1.30 and 10.10.1.40 → http_vs = 10.10.1.100:80 → 172.16.20.1, 172.16.20.2, 172.16.20.3
• Chrome User Agent: Mozilla/5.0 (Windows NT 6.1, WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
• Internet Explorer User Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
• Firefox User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

    when HTTP_REQUEST {
        if { [HTTP::header User-Agent] contains "Chrome" } {
            pool pool1
        } elseif { [HTTP::header User-Agent] contains "MSIE" } {
            pool pool3
        } else {
            pool pool2
        }
    }
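A Python model of the Universal Persistence iRule and the User-Agent iRule above, added here as an example (not F5 code) so the persistence key, the Fallback Persistence behaviour and the pool choice can be checked offline. It assumes findstr semantics as documented for iRules (substring starting skip characters past the match, up to the terminator) and uses a constructed in-memory stand-in for the BIG-IP persistence table.

```python
# Added example (not F5 code): Python model of the Universal Persistence
# iRule and the User-Agent iRule on this page, so you can check which
# persistence key and pool a request would get. Assumed: findstr semantics as
# documented for iRules, and a constructed in-memory persistence table.
from urllib.parse import urlsplit


def findstr(string, search, skip=0, terminator=None):
    """Tcl findstr: text from `skip` chars past the match of `search`, up to
    (not including) `terminator`; "" when `search` is absent."""
    start = string.find(search)
    if start < 0:
        return ""
    start += skip
    end = string.find(terminator, start) if terminator else -1
    return string[start:] if end < 0 else string[start:end]


def universal_persist_key(uri):
    """Models: if {[HTTP::uri] contains "user="} {persist uie [findstr ...]}."""
    return findstr(uri, "user=", 5, "&") if "user=" in uri else None


def pool_by_user_agent(user_agent):
    """Models the User-Agent iRule: Chrome -> pool1, MSIE -> pool3, else pool2."""
    if "Chrome" in user_agent:
        return "pool1"
    if "MSIE" in user_agent:
        return "pool3"
    return "pool2"


class PersistenceTable:
    """Constructed stand-in for BIG-IP persistence records ((mode, key) ->
    pool member). A key without a record gets the next member round robin."""

    def __init__(self, members):
        self.members, self.records, self.next = list(members), {}, 0

    def member_for(self, src_ip, url):
        parts = urlsplit(url)
        uri = parts.path + ("?" + parts.query if parts.query else "")  # HTTP::uri
        key = universal_persist_key(uri)
        # Fallback Persistence: no usable key -> Source Address Affinity
        mode, key = ("Universal", key) if key else ("Source Address Affinity", src_ip)
        if (mode, key) not in self.records:
            self.records[(mode, key)] = self.members[self.next % len(self.members)]
            self.next += 1
        return mode, key, self.records[(mode, key)]


HTTP_POOL = ["172.16.20.1:80", "172.16.20.2:80", "172.16.20.3:80"]  # constructed
```

With the slide's URL the key is spoonman and a second client sending the same user= value lands on the same member; a request without user= falls back to a Source Address Affinity record for that client.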