F5 Networks Training BIG IP LTM V10 Essentials

F5 Networks Training
®
BIG-IP LTM V10 Essentials
Web-Based Training Lab Guide
/ / 20
BIG-IP® LTM Essentials Web-Based Training Lab Guide – © 2010 F5 Networks, Inc.
P-2 Preface
BIG-IP® LTM V10 Essentials

Web-based Training Student Lab Guide
First Printing February 2010
This Lab Guide was written for BIG-IP® LTM version 10.1.0. The lecture portions of the LTM Essentials web-based training
were written for the previous version, 10.0.1. Because F5 feels it is important to perform the hands-on labs on a current
version, the Lab Guide will be updated more frequently than the lecture portions. Most of the concepts discussed in the
lecture portion and lab steps in the lab guide apply to previous versions of BIG-IP LTM.
© 2010, F5 Networks, Inc. All rights reserved.
Support and Contact Information

Obtaining Technical Support
Web tech.f5.com (Ask F5)
Phone ( 206) 272-6888
Email (support issues) support@f5.com
Email (suggestions) feedback@f5.com
Contacting F5 Networks
Web www.f5.com
Email sales@f5.com & info@f5.com
F5 Networks, Inc. F5 Networks, Ltd. F5 Networks, Inc. F5 Networks, Inc.

Corporate Office United Kingdom Asia Pacific Japan
401 Elliott Avenue West Chertsey Gate West 5 Temasek Boulevard Akasaka Garden City 19F
Seattle, Washington 98119 Chertsey Surrey KT16 8AP #08-01/02 Suntec Tower 5 4-15-1 Akasaka, Minato-ku
T (888) 88BIG-IP United Kingdom Singapore, 038985 Tokyo 107-0052 Japan
T (206) 272-5555 T (44) 0 1932 582-000 T (65) 6533-6103 T (81) 3 5114-3200
F (206) 272-5557 F (44) 0 1932 582-001 F (65) 6533-6106 F (81) 3 5114-3201
Training@f5.com EMEATraining@f5.com AP ACTraining@f5.com JapanTraining@f5.com
BIG-IP® LTM Essentials Web based Training Lab Guide – © 2010 F5 Networks, Inc.
Preface P-3
Legal Notices
Copyright
Copyright 2010, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no
responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result
from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property
right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any
time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Acopia, Acopia Networks, Application Accelerator, Ask F5, Application
Security Manager, ASM, ARX, Data Guard, Enterprise Manager, EM, FirePass, FreedomFabric, Global Traffic Manager,
GTM, iControl, Intelligent Browser Referencing, Internet Control Architecture, IP Application Switch, iRules, Link
Controller, LC, Local Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity,
Secure Access Manager, SAM, SSL Accelerator, SYN Check, Traffic Management Operating System, TMOS,
TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WANJet, WebAccelerator, and ZoneRunner are trademarks
or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written
consent.
Patents
This product protected by U.S. Patent[s] 6,374,300; 6,473,802; 6,970,933; 7,051,126; 7,102,996; 7,146,354; 7,197,661;
7,206,282; 7,287,084. Other patents pending.
Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United States government may
consider it a criminal offense to export this product from the United States.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may
be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC
rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is
operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed
and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of
this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will
be required to take whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate
this equipment under part 15 of the FCC rules.
Canadian Regulatory Compliance

This Class A digital apparatus complies with Canadian ICES-003.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information
Technology products at the time of manufacture.
Table of Contents
Lab Instructions: .........................................................................................................Lab-1

Connecting to the F5 Training Lab Environment ....................................................... Lab-1
The F5 Training Lab Network .................................................................................... Lab-3
F5 Training Lab limitations ........................................................................................ Lab-4
Lab 1: Initial Setup ........................................................................................................1-5

Lab – Setup Utility ..................................................................................................... 1-6
Lab – Configuration Utility........................................................................................ 1-9
Lab – Configuration Backup ...................................................................................... 1-11
Lab 2: Traffic Processing .............................................................................................2-13

Lab – Virtual Servers - Pools ..................................................................................... 2-13
Lab – Network Map ................................................................................................... 2-18
Lab 3: Load Balancing .................................................................................................3-19

Labs – Ratio Load Balancing ..................................................................................... 3-20
Labs – Priority Group Activation ...............................................................................3-21
Lab 4: Monitors .............................................................................................................4-23

Lab – Monitors for Nodes .......................................................................................... 4-23
Lab – Monitors for Pools and Members Lab #1 ........................................................ 4-26
Lab – Monitors for Pools and Members Lab #2 ........................................................ 4-27
Lab 5: Profiles ...............................................................................................................5-31

No Lab for this Course Module............................................................................................ 5-31
Lab 6: Persistence ........................................................................................................6-33

Lab – Source Address Persistence ............................................................................. 6-33
Lab – Cookie Persistence ........................................................................................... 6-36
Lab – Disabled Members ........................................................................................... 6-37
Lab 7: SSL Termination................................................................................................7-41

Lab – Client SSL Termination ................................................................................... 7-41
Toc-2 Table of Contents
Lab 8: NATs and SNATs .............................................................................................. 8-45

Lab – NAT Lab .......................................................................................................... 8-45
Labs – SNAT Labs ..................................................................................................... 8-47
Lab 9: iRules ................................................................................................................. 9-49

Labs – iRules Lab #1................................................................................................ 9-49
Labs – iRules Lab #2................................................................................................ 9-53
NOTE: Currently the F5 Training Lab environment does not support Redundant Pair. In the future
when Redundant Pair is supported the lab steps will be similar to Appendix D.
Labs 10 and 11, Redundant Pair and High Availability ............................................. 10-55
No Labs for these Modules yet, see Appendix D ................................................................. 10-55
Configuration Lab Project ............................................................................................ LP-57

Lab –Configuration Project ........................................................................................LP-57
Appendix A – F5 Networks Products .......................................................................... A-1

F5 Networks ......................................................................................................................... A-1
BIG-IP LTM ......................................................................................................................... A-4
Other F5 Products ................................................................................................................. A-5
Appendix B – Additional Topics .................................................................................. B-1

F5 Networks Support and Documentation ........................................................................... B-1
Installation Information ........................................................................................................ B-7
Appendix C – Other F5 Networks Training Courses .................................................. C-1

F5 Networks Instructor Led Courses .................................................................................... C-1
Appendix D – Labs 10 and 11, Redundant Pair and High Availability ..................... D-1
Lab –Redundant Pair Setup ........................................................................................ D-1
Lab – Synchronization ............................................................................................... D-3
Lab – Network Failover ............................................................................................. D-5
Lab – Failover Triggers .............................................................................................. D-7
Lab – Connection Mirroring ...................................................................................... D-8
Lab – Persistence Mirroring ....................................................................................... D-9
Introduction
Welcome to the BIG-IP LTM Essentials Web-Based Training Course Student Lab Guide. The purpose of the
BIG-IP LTM Essentials course is to introduce the basic information you need to set up and operate the BIG-IP
Local Traffic Manager (LTM) from F5 Networks. The purpose of this Lab Guide is to provide all the
information and exercises you need to work directly with a BIG-IP LTM system and solidify the concepts you
have learned in the associated Web-based training modules.
The hands-on lab exercises included in this course are critically important to your learning. These exercises are
especially helpful if you can do them as soon as possible after completing the associated training module.
Therefore, we recommend the following approach when taking this course:
• Before beginning a module, register for lab time.
• Work through the training module as close to the start of your lab time as possible.
• After completing the training module, move into the lab exercises. Be sure to complete the entire
exercise, including the review questions at the end.
There are eleven modules in this course, each one taking approximately thirty minutes to complete. To
complete the entire course, including modules and labs, will take you about fourteen hours.
In addition to the lab exercises, this guide contains other useful information.
• Appendix A provides some background information on F5 Networks and its products.
• Appendix B explains the various customer support resources that are available. We highly
recommend that you review this listing. You may find some of these resources to be very valuable
while working your way through this course.
• Appendix C contains an informative list of other training courses available from F5 Global
Training Services. After completing this introductory course, you may want to enroll in one or
more of these classes to gain a deeper understanding of BIG-IP LTM.
We hope you enjoy learning with these lab exercises!
Introduction
Module
Lab Instructions
1 Lab – Initial Setup Lab-1
1-1
Connecting to the F5 Training Lab Environment

PLEASE NOTE: This lab is not a test environment and is strictly for use by students
taking the BIG-IP LTM Essentials Web-Based Training (WBT) course. Your user ID will
be time limited and you will be cut off after so many hours of connect time.
1. After logging in to F5 University, select the link for F5

Training Lab as shown to the right.
2. You should now be at the Lab web page where you
downloaded this Lab Guide.
3. Select the link for Lab registration.
4. When prompted, enter your email, first and last name
again, then click Launch Lab. You'll be put into your own
F5 Training Lab environment.
NOTE: In the future you will not be prompted for credentials. Your user ID and email
will be passed from F5 University to the F5 Lab environment using SSO or single sign-
on. For now, you should enter the same info that you used for F5 University.
5. Your lab environment will take a couple minutes to initialize. Notice the message at top of
screen that says “Your environment is X% ready”.
6. The first time you connect you will need to install the Cloudshare plug-in and may need to
enable pop-ups for it to install. This is a first-time only install.
1-2
Lab-2 Module 1 Lab
Lab
– Initial
Instructions
Setup
1. Each lab starts assuming an un-configured BIG-IP and then instructs you to restore a UCS
backup file that was captured at the end of the previous lab.
2. If during your lab time you wish to revert back to this un-configured state you may do so by
selecting Actions and then Revert Now.
3. Rather than restoring UCS files at the beginning of each new lab you may also work straight
through all the labs. From an instructional angle, F5 recommends doing the Module WBT,
then the lab for that Module. Then the next Module WBT and its corresponding lab.
4. Also, you can only enter the F5 Training Lab environment from
the links within F5 University (ie. the graphic to the right).
5. When ready to leave the F5 Training Lab environment,

use the Logout button in the upper-right corner of the screen.
Module
Lab Instructions
1 Lab – Initial Setup Lab-3
1-3
The F5 Training Lab Network

1. You will be connected to a Windows virtual machine that will be used as both a client
machine to drive traffic through BIG-IP LTM and to administer your BIG-IP.
2. Your Windows virtual machine has both a 192.16.1.30/24 and a 10.10.1.30/16 IP Address
configured for the lab network shown below.
3. There is already a Management IP Address set on your BIG-IP to 192.168.1.245/24, and we
will setup the other 10.10 External and 172.16 Internal IP Addresses in Lab #1.
4. There are also three servers configured at 172.16.20.1, 172.16.20.2 and 172.16.20.3. You
will not be able to access these servers directly from your Windows client machine but these
are the servers to which we will load balance traffic starting in Lab #2.
1-4
Lab-4 Module 1 Lab
Lab
– Initial
Instructions
Setup
F5 Training Lab limitations

1. The F5 Training Lab is running in a virtual lab environment and therefore does not have all
hardware features of BIG-IP available. For instance, you will not have a serial console
connection to your BIG-IP.
2. This lab environment only supports BIG-IP LTM, no other F5 products or BIG-IP modules
like GTM or ASM.
3. This lab environment has only been tested with the lab steps in this lab guide. If you do not
follow the steps in this lab guide, results will vary.
NOTE: The F5 Training Lab environment does not currently support redundant pair, but
will in the future. Appendix D has potential lab steps for when redundant pair is
supported by the F5 Training Lab.
Module 1 Lab – Initial Setup 1-5
Module 1 Lab – Initial Setup and Access
Initial Setup Labs

Objective:
Perform initial setup of the BIG-IP LTM System
Explore the Web Configuration Utility
Make a backup of the BIG-IP System
Estimated Time: 30 minutes
LAB CONFIGURATION
1-6 Module 1 Lab – Initial Setup
Setup Utility Lab

Objective:
Run the Setup Utility and to configure system access parameters
Estimated time for completion: 20 minutes
Lab Requirements:
Reachable IP address on the management port
Valid License for the BIG-IP LTM Systems
Administration system with an IP address on the BIG-IP LTM’s network
Current BIG-IP Settings

At this point, your BIG-IP system should already be licensed and the management port address still
set to the default IP Address of 192.168.1.245/24.
PC Configuration
Your PC is configured with two IP Addresses in order to reach both the Management and client
networks once they are configured on your BIG-IP.
PC Mgmt IP Address 192.168.1.30/24
PC Client IP Address 10.10.1.30/16.
Access the BIG-IP LTM System

1. Open a browser to https://192.168.1.245.
2. When prompted, accept the SSL certificate.
3. When prompted, login with the username admin and a password of admin.
Licensing Steps
1. You should first see the Setup Utility’s Welcome screen. Click Next.
2. Normally, you would need to license your BIG-IP System. For these labs, the systems should
already be licensed. Review the features that are licensed and then click Next.
Provisioning Steps
1. The second screen should be Provisioning. Verify that BIG-IP LTM is set to something other
than None and click Next.
Setup Utility
1. Within the General Properties section, specify the following:
IP Address: 192.168.1.245
Network Mask: 255.255.255.0
Management Route: Leave blank
Host Name: bigip1.f5trn.com
Host IP Address: Use Management Port IP Address
High Availability: Redundant Pair
Unit ID: 1
Time Zone: America/Los Angeles
2. Within the User Administration section, specify the following:
Root Account Password: default
Root Account Confirm: default
Admin Account Password: admin
Admin Account Confirm: admin
SSH Access: Enabled
SSH IP Allow: * All Addresses
3. Click Next.
NOTE: When you type in the admin password field you will be required to log back into
the system whether the password has been changed or not.
Once this first step of administrative access has been configured, you can configure self-IP addresses
and VLANs. We will choose the Basic Network Configuration option, which will step through
creating two VLANs, internal and external, and their IP addresses, and interfaces. Each self IP will
be assigned Port Lockdown settings. Port lockdown limits administrative access to the self IP
addresses. Because we have configured the system as a redundant pair, Allow Default should be
selected for Port Lockdown on self IP’s of the internal VLAN to ensure the systems will be able to
communicate.
Because we have configured as a redundant pair, the administrator will also be prompted for a partner
address and a floating IP address for each VLAN. Generally, the partner address should be an
address on the internal VLAN to minimize security concerns. Floating addresses are shared between
the systems and used by the system that is currently active. These concepts are discussed in the
Redundant Pair module.
4. Select the Basic Network Configuration option by clicking Next, then specify the
following:
Internal Network Settings

Self-IP Address 172.16.1.31
Self-IP Netmask 255.255.0.0
Self-IP Port Lockdown Allow Default
Floating IP Address 172.16.1.33
Floating IP Port Lockdown Allow Default
Failover Peer 172.16.1.32
Internal VLAN Configuration

VLAN Name internal (Read Only)
VLAN Tag ID Auto
VLAN Interfaces Untagged – Port 1.2
5. Click the Next button to configure the External VLAN, then specify the following:
External Network Settings

Self-IP Address 10.10.1.31
Self-IP Netmask 255.255.0.0
Self-IP Port Lockdown Allow 443
Default Gateway Leave blank
Floating IP Address 10.10.1.33
Floating IP Port Lockdown Allow 443
External VLAN Configuration

VLAN Name external (Read only)
VLAN Tag ID Auto
VLAN Interfaces Untagged – Port 1.1
6. Then click Finished.

Once the Basic Network Configuration is complete, the Welcome screen from the Overview section
appears. The administrator can choose to change many presentation options, enable SNMP including
downloading the MIB, access F5’s knowledge database (Ask F5) or re-run the setup utility to change
addresses or access methods.
Configuration Utility Lab

Objective:
Access both the Web Configuration utility and Command Line (SSH) utility for BIG-IP
LTM system and get familiar with the interface
Lab Requirements:
External IP address of the BIG-IP LTM system
User ID and password of the BIG-IP LTM system’s Web Configuration Utility
User ID and password of the BIG-IP LTM system’s Command Line Interface
PC Configuration
Your PC is configured with two IP Addresses in order to reach both the Management and client
networks once they are configured on your BIG-IP.
Mgmt IP Address 192.168.1.30/24
Client IP Address 10.10.1.30/16.
The Web Configuration Utility

1. Open a browser window to https://10.10.1.31 to connect to the Web Configuration Utility.
2. Enter a user ID and password of admin / admin that you added during Setup.
3. Note options available on the Welcome page.
4. Click on the Network section, then note what is set for the Interfaces, Self IPs, and VLANs
options.
Command Line access (SSH)

1. Open an SSH session using Putty and attempt to connect the external IP Address of your
BIG-IP System (10.10.1.31).
2. Notice that you are not able to access your BIG-IP LTM. This is because Port Lockdown
for the external self-IP addresses defaults to Allow 443 only. Access to port 22 is prevented.
3. From the web GUI select Network / Self IPs and then click the 10.10.1.31 self IP Address.
4. Under Port Lockdown / Custom List, click the Port radio button, enter 22 as the port, click
Add, and then click Update.
5. Once port 22 has been added, you should be able to successfully use SSH to attach to your
BIG-IP System. You may be prompted to accept the SSH key, do so. When the logon
appears, enter root as the user ID and default as the password that you added during Setup.
6. If prompted for terminal type, select vt100.
Enter the command: b self show
What information is listed here?

7. Enter the command: b vlan show
8. Enter the command: b interface show
Verifying User Access

1. Logout of your SSH session.
2. Open a new SSH session but login and try the admin user. By default, you should not be
able to get in as admin.
3. From the Web Configuration Utility select System / Users and then select the link for the
admin User Name. Change the Terminal Access to Advanced Shell access, click Update,
and then test SSH access with the admin user ID again.
4. Open a new browser window but try to login using the root user ID. By default, you should
not be able to get into the Web Configuration utility with the root user ID.
Configuration Backup Lab

Objective:
Create a backup of the BIG-IP System on both the BIG-IP and your desktop.
Lab Requirements:
External IP address of the BIG-IP LTM system
Saving a configuration
1. From the Navigation pane, click the System section.
2. Select Archives, then click Create.
3. Within the General Properties section, specify the following:
File Name Module1_End
Encryption Disabled
Private Keys Include
Version BIG-IP Version (read only)
4. When complete, click Finished.

5. When complete, an OK button will appear. Click OK or select Archives again.
6. Select Module1_End.ucs (the name is a link) and notice you can click Download to save a
copy to your desktop. The Download option does not work in this F5 Training Lab
environment but will in yours.
7. If desired, the files contents can be viewed from the command line of your BIG-IP System.
From an SSH session, perform the following:
a. Make a new directory for this lab: mkdir /var/tmp/test/
b. Change to the new directory: cd /var/tmp/test/
c. Copy the backup to the new directory:
cp /var/local/ucs/Module1_End.ucs Module1_End.ucs .
d. Decompress the file and extract the file: tar -xvzf Module1_End.ucs. The
resulting files show the directory structure and all files stored in the *.ucs file.
Individual files can be viewed with cat, tail, more and other tools.
Module 2 Lab – Processing Traffic 2-13
Module 2 Lab – Processing Traffic

Objectives:
Configure pools for servers
Configure virtual servers and associate them with a pool
Verify functionality
Lab Requirements:
IP and port addresses available for use on BIG-IP LTM that can be reached by the client
systems
Actual servers with appropriate routes to return traffic through each BIG-IP LTM system
Restoring a Configuration from previous Lab

1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. If you have an existing lab environment, skip to step 9 below.
3. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
4. On both the License and Resource Provisioning screens click Next.
5. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
6. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
7. You will be prompted to login again because of changing the Admin password.
8. After logging in, click the Finished button under Advanced Network Configuration.
9. From the Navigation pane, expand the System section, then select Archives.
10. Click the Module2_Lab_begin.ucs archive and then click the Restore button. An Ok button
appears to acknowledge the restore has started. It will take a minute, but watch this screen
and you should see messages that your restore completed successfully. You might receive
one error message but that is ok and is due to the F5 Training Lab environment only.
11. After Restore, your configuration should be as if you had just finished all Module 1 labs.
Please verify this is the case. Your configuration should be licensed, include 2 VLAN’s
(Network / VLANs) named external and internal and have 4 self IP’s (Network / Self IPs) at
10.10.1.31, 10.10.1.33, 172.16.1.31 and 172.16.1.33 configured.
2-14 Module 2 Lab – Processing Traffic
Creating an HTTP Pool and Virtual Server Lab

Create a Pool
1. From the Navigation pane, expand the Local Traffic section.
2. Either select Pools and then the Create button or hover your mouse over Pools and then click
the sign on the flyout menu.
3. In the Configuration section, enter the following:
Configuration Level Basic
Name http_pool
Health Monitors Leave Blank
4. In the Resources section, enter the following:

Load Balancing Method Round Robin
Priority Group Activation Disabled
New Members 172.16.20.1 port 80
For each, enter Address and 172.16.20.2 port 80
Service Port and press Add 172.16.20.3 port 80
Create a Virtual Server that uses this pool

2. Either select Virtual Servers and click Create, or hover your mouse over Virtual Servers
and then click the sign on the flyout menu.
3. In the General Properties section, enter the following:
Name vs_http
Destination 10.10.1.100
Service Port 80 (or HTTP)
State Enabled
4. In the Configuration section, accept all defaults.
iRules Leave Blank
HTTP Class Profiles Leave Blank
Default Pool http_pool
Default Persistence Profile None
Fallback Persistence Profile None
Verification through Statistics

1. Open a new browser session on your PC and point it to the virtual server at
http://10.10.1.100. Note the results and refresh the screen 5-10 times. You may need to
refresh using the Ctrl and F5 keys to force the browser not to use its cache.
2. View statistics and configuration information through:
a. Overview Section / Statistics / Local Traffic Tab
b. From the Statistics Type drop down list, choose Virtual Servers
c. From the Statistics Type drop down list, choose Pools
3. Did traffic go to each pool member?
4. Did each pool member manage the same number of connections?
5. Did each pool member manage the same number of bytes?
6. How many TCP connections are opened each time you refresh the browser page?
Expected Results and Troubleshooting

Expected result: 5 connections per refresh distribute evenly among the pool members.
The webpage consists of the index.html and 4 objects. The web servers have keep-alives
disabled.
If not, verify the following:
• Is traffic getting to the virtual server?
Does 10.10.1.100 appear in your workstation’s ARP table?
Type arp -a at the workstation’s command prompt.
Does the Statistics page show traffic received by vs_http?
Verify that the address and port are correctly configured
Is traffic getting to the pool members?
• If no traffic is going TO the pool members:
Verify http_pool has been assigned to vs_http
Verify the correct members address / port
• If traffic goes TO pool member, but does not return:
Verify that self IP address 172.16.1.33 is configured on port 1.2 (this
address is the pool members’ default route.)
Creating an HTTPS Virtual Server and Pool Lab

2. Either select Virtual Servers and click Create or leave your mouse over Virtual Servers
3. In the General Properties Section, enter the following:
Name vs_https
Service Port 443 (or HTTPS)
State Enabled
4. In the Configuration Section, accept all defaults.
5. Since we “forgot” to create the pool first, navigate to the Resources Section and click the “+”
character to the right of Default Pool.
6. In the Configuration section of the new pool, enter the following:
Configuration Basic
Name https_pool

New Members 172.16.20.1 port 443
For each, enter Address and 172.16.20.2 port 443
Service Port and press Add 172.16.20.3 port 443
NOTE: Since the member’s IP addresses are the same, you could select Node List and
choose the member’s IP addresses from the drop-down list.
8. When the pool is complete, press Finished.

9. In the Virtual Server’s Resources section, verify the following settings:
iRules Leave Blank
HTTP Class Profiles Leave Blank
Default Pool https_pool
10. When complete, make sure to click Finished for the virtual server.

1. Open a new browser session on your PC and point it to the virtual server at
https://10.10.1.100. Note the results and refresh the screen 5-10 times.
a. Overview Section / Statistics / Local Traffic Tab
b. From the Statistics Type drop down list, choose Virtual Servers
c. From the Statistics Type drop down list, choose Pools
3. Did traffic go to each pool member?
4. Did each pool member manage the same number of connections?
5. Did each pool member manage the same number of bytes?
6. How many TCP connections are opened each time you refresh the browser page?
Statistics using the Command Line

1. Open an SSH client window using Putty, enter the external IP Address of your BIG-IP LTM
System (10.10.1.31) and make sure the protocol is set to SSH.
2. When prompted, enter root as the user ID and the password that was added during setup. A
password of default was suggested in Lab 1 and set in the Module2_Lab_begin.ucs file.
3. If prompted for terminal type, accept or enter vt100.
4. Enter the command bigtop. This command shows real time information on the virtual
servers and pool members that you have configured.
5. View the screen while refreshing your session to either http://10.10.1.100 or
https://10.10.1.100. What does bigtop show? Exit bigtop by pressing the q key.
6. Statistics for pools and virtual servers can be viewed by typing the following:
b pool <pool name> show
example: b pool http_pool show
b virtual <virtual name> show
example: b virtual vs_http show

Expected result: You may see six connections the first time you request the page, (due to
the SSL key exchange) but should see five connections per subsequent refresh. The
requests should be evenly distributed among the pool members.
If not, verify the following:
• Confirm that the virtual server was created. Students often neglect to hit Finish
for the virtual server after hitting Finish for the pool.
Local Traffic / Virtual Servers
• Is traffic getting to the virtual server?
Does 10.10.1.100 appear in your workstation’s ARP table? You may

need to clear your ARP table before testing to remove the entry from the
vs_http virtual server.
Does the Statistics page show traffic received by vs_https?
Verify that the address and port are correctly configured.
• Is traffic getting to the pool members? Check Pool statistics:
If no traffic is going TO the pool members:
Verify https_pool has been assigned to vs_https
Verify the correct members address / port
• If traffic goes TO pool member but does not return:
Verify that self IP address 172.16.1.33 is configured on port 1.2 (this
address is the pool members default route).
Network Map Lab

View Configuration and Status from Network Map
1. Open a browser session and access https://10.10.1.31.
2. Select Local Traffic / Network Map, then click Show Map.
3. Mouse over both virtual server and Pool objects and notice what information is displayed
about that object.
4. Select a Pool member and disable it.
a. From the Navigation pane, expand the Local Traffic section.
b. Select Pools.
c. Select http_pool.
d. Select Members.
e. Check the box to the left of the chosen member and click the Disable button.
5. Go back to Network Map and notice that status changed to disabled, indicated by a black
square.
6. Re-enable the disabled pool member for later labs.
7. Change the search field to 20.1 and then click Update Map. Notice that all members are still
listed, but matches are highlighted.
8. Select System / Preferences and change the Start Screen from Welcome to Network Map.
Close your browser session to the admin GUI, and then log back in to https://10.10.1.31 and
notice that your default screen is now Network Map.
Module 3 Lab – Load Balancing 3-19
Module 3 Lab – Load Balancing
Objectives:
Choose differing load balancing methods and view the resulting behavior
Choose differing member priority and ratio values and view the resulting behavior
Lab Requirements:
Access to a BIG-IP LTM with at least a pool with two or more working members

11. Your configuration should be as if you had just finished all Module 2 labs. Please verify this
is the case. Your configuration should be licensed and include two pools named http_pool
and https_pool and two virtual servers named vs_http and vs_https. None of the Pools or
Pool Members should have Monitors assigned (blue square status).
3-20 Module 3 Lab – Load Balancing
Round Robin Load Balancing Lab

If not zero, reset the Statistics for http_pool
1. From the Navigation pane, expand the Overview section and select Statistics.
2. From the Display options sections, change the Statistics Type to Pools.
3. Select the checkbox adjacent http_pool, and click Reset.
View Results using Round Robin Load Balancing

1. Open a browser session and access http://10.10.1.100.
2. Refresh the screen a few times by pressing Ctrl+F5 (Ctrl+R if using FireFox).
3. Navigate back to the pools statistics page.
4. What are the results? Were the connection requests distributed evenly?
5. Reset the statistics for http_pool.
Ratio member Load Balancing Lab

Configure Member Ratios and Ratio (member) Load Balancing and test.
2. Select Pools.
3. Select http_pool.
4. Select Members.
5. Within the Load Balancing section, change the Load Balancing Method to Ratio (member)
and click Update.
6. Within the Configuration section of each member, set the ratio values as follows:
Member Ratio
172.16.20.1:80 1
172.16.20.2:80 2
172.16.20.3:80 3
7. Open a new browser session and connect to http://10.10.1.100.

8. Refresh the screen 5-10 times by pressing Ctrl-F5.
9. View the pool statistics. What are the results?
Module 3 Lab – Load Balancing 3-21

Expected result: Traffic will be distributed to the members with a 1:2:3 ratio.
Configuration reset if continuing to other Module Labs

If you are not going to perform the Priority Group Activation Lab, but want to continue using
your existing configuration with other Modules Labs, reset http_pool and members to the
following settings:
Load Balancing: Round Robin
3-22 Module 3 Lab – Load Balancing
Priority Group Activation Lab

Configure Priority Group Activation
2. Select Pools.
4. Select Members.
5. In the Load Balancing section, change the Priority Group Activation setting to Less than …,
the number of Available Members to 2, and click Update.
6. Within the Configuration section of each member, set the Priority values as follows:
Member Ratio Priority Group
172.16.20.1:80 1 1
172.16.20.2:80 2 4
172.16.20.3:80 3 4
11. Disable the member 172.16.20.2:80.
15. Re-enable the member 172.16.20.2:80.

In step (9), 172.16.20.1:80 should receive no traffic. The traffic will be distributed to the
other members with a 2:3 ratio
In step (14), 172.16.20.2:80 should receive no traffic. The traffic will be distributed to the
other members with a 1:3 ratio
Configuration reset if continuing to other Module Labs

If you want to continue using your existing configuration with other Modules Labs, reset
http_pool and members to the following settings:
Load Balancing: Round Robin
Priority Group Activation: Disabled
Module 4 Lab – Monitors 4-23
Module 4 Lab – Monitors

Objective:
Associate nodes with monitors
Create custom monitors
Lab Requirements:
Access to a BIG-IP LTM with at least one pool with two working members
Some knowledge of the traffic sent by the members

is the case. Your configuration should be licensed and include two Pools named http_pool
and https_pool and two Virtual Servers named vs_http and vs_https. None of the Pools or
Pool Members should have Monitors assigned (blue square status).
4-24 Module 4 Lab – Monitors
Monitor for Nodes Lab

Check Current Node States
1. From the Navigation pane, select the Local Traffic section.
2. Select Nodes.
3. What are the nodes’ statuses?
4. Will BIG-IP LTM distribute traffic to nodes that are Unknown?
Assign a Default Monitor to all Nodes

2. Select Nodes.
3. Above the list of nodes, select Default Monitor.
4. From the list of Available monitors, select icmp, press the move to the left button (<<), and
press Update.
5. Recheck the Node states (either follow directions above or select Node List from the current
location).
NOTE: Each time the Node List tab is pressed, the screen will refresh.
6. What are the nodes’ statuses? Was the change immediate?
Create a custom ICMP monitor

2. Either select Monitors and then the Create button or leave your mouse over Monitors and
then click the sign on the flyout menu.
Name my_icmp
Type ICMP
4. In the Configuration Section, enter the following:

Interval 10
Timeout 31
Transparent No
Assign the custom monitor to selected nodes

2. Select Nodes and then select the node at 172.16.20.1.
Name Leave Blank
Health Monitors Node Specific
Select Monitors my_icmp in Active column
Availability All
Requirement
Additional Settings Leave as Defaults
4. When complete, click Update.
5. What are the nodes’ statuses?
Disassociate all monitors for selected node

2. Select Nodes.
3. Select the node 172.16.20.2.
Health Monitors None
Additional Settings Leave as Default
5. When complete, press Update.
6. What us the node’s status? Was the change immediate?
Conclusion
At this point, each node is being tested differently. Node 172.16.20.1 has a specific assignment,
my_icmp. Node 172.16.20.2 has no monitor assigned. Node 172.16.20.3 is using the Node Default
monitor, which is currently icmp. This is not a recommended configuration; rather it is used to
demonstrate the three ways monitors can be associated with nodes.
Monitors for Pools and Members Lab #1

Objective:
Associate members with monitors
Check Current Member States

2. Select Pools.
4. Select the Members tab.
5. What are the members’ statuses?
6. Will BIG-IP LTM distribute traffic to members that are Unknown?
Assign a Standard Monitor to a Pool

1. Once again navigate to Local Traffic, Pools, http_pool, Members. Note the members’ states.
Select the Properties tab.
Configuration Basic
Health Monitors http
3. When complete, press Update.
4. Recheck the Member states (either follow directions above or select Members from the
current location).
NOTE: Each time the Members tab is pressed, the screen will refresh.
5. What are the members’ statuses? Was the change immediate?
Create a New HTTP-based Monitor

Name my_http
Type HTTP
Import Settings http

Configuration Basic
Interval 5 seconds
Timeout 16 seconds
Send String GET /index.html
Receive String Server
User Name Leave Blank
Password Leave Blank
Reverse No
Transparent No
Assign the Custom Monitor to Selected Members

2. Select Pools.
5. Select the member 172.16.20.2:80.
Configuration Advanced
Ratio 1
Priority 1
Connection Limit 0
Health Monitors Member Specific
Select Monitors my_http
Availability Requirement All

8. What are the members’ statuses? Was there any change?
Disassociate all monitors for selected member

2. Select Pools.
3. Select the pool http_pool.
5. Select the member at 172.16.20.3:80.

Configuration Level Advanced
Ratio 1
Priority 1
Connection Limit 0
Health Monitors None

8. What are the members’ statuses? Was the change immediate?
Conclusion
At this point, each member is being tested differently. Member 172.16.20.1:80 is set to inherit from
pool where the pool has http assigned. Member 172.16.20.2:80 has a specific assignment, my_http.
Member 172.16.20.3:80 has no assigned monitor. This configuration is not recommended; rather it is
used to demonstrate the three ways monitors can be associated with members.
Monitors for Pools and Members Lab #2

Objective:
Associate members with monitors
Check Current Member States

2. Select Pools.
3. Select https_pool, and then select the Members tab.
4. What are the members’ statuses?
Create a New HTTPS-based Monitor

Name my_https
Type HTTPS
Import Settings https

Configuration Level Basic
Interval 5 seconds
Timeout 16 seconds
Send String GET /index.html
Receive String Server 2
Cipher List DEFAULT:+SHA:+3DES:+kEDH
User Name Leave Blank
Password Leave Blank
Reverse No
Assign the Custom Monitor to a Pool

2. Select Pools.
3. Select https_pool.
Configuration Basic
Health Monitors my_https

6. What are the members’ statuses? Why? Was the change immediate?
7. What is the status of the Virtual Server?
Check Status of Nodes and Members from Network Map

1. From the Navigation pane, expand the Local Traffic section, select the Network Map and
click Show Map.
2. Moving the mouse over certain Pool members, notice that the Parent Node state can be
different than the Pool member. Why is this happening? Remember that we can and have
assigned different monitors to Nodes and Pool Members.
Change the Definition of the Custom Monitor

2. Select Monitors.
3. Select my_https.
4. In the Configuration Section, change the Receive String to Server [1-3]
6. What are the members’ statuses? Why? Was the change immediate?
NOTE: [1-3] is a simple regular expression that matches any single character in the
range from 1 to 3.
Module 5 Lab – Profiles 5-31
Module 5 Lab – Profiles
Note: No Lab for Module 5 Profiles
There is no Lab for Module 5 Profiles. There are labs using Profiles in both Modules 6,
Persistence, and 7 Labs, SSL Termination.
5-32 Module 5 Lab – Profiles
Module 6 Lab – Persistence 6-33
Module 6 Labs – Persistence

Objective:
Configure Source Address Persistence
Lab Requirements:
Two or more working members in https_pool
A virtual server at https://10.10.1.100 associated with https_pool

11. Your configuration should be as if you had just finished all Module4 Labs since there weren’t
any labs for Module 5. Please verify this is the case. Your configuration should be licensed
and include two Pools named http_pool and https_pool and two Virtual Servers named
vs_http and vs_https. The Pools and Pool Members should have various Monitors assigned
but no Pool Members should be marked Offline (red).
6-34 Module 6 Lab – Persistence
Source Address Persistence Lab

Repeating behavior before persistence
1. Make sure the Load Balancing method for https_pool is set to Round Robin, Priority Group
Activation is disabled, and that all pool members have a connection limit of 0.
NOTE: This is not required for persistence. Instead, it ensures that reuse of a single
server is due to persistence and not a load balancing choice.
2. Next, access and reset the statistics for the https_pool.
3. Open a new browser session and connect to https://10.10.1.100.
4. Refresh the screen 5-10 times by clicking Refresh or pressing the F5 key.

Expected result: All pool members should receive approximately equal amounts of
traffic. If not, ensure that step (1) was followed.
Configure a Source Address Affinity Persistence Profile

2. Either select Profiles and the Persistence tab and click Create or use the flyout menus to
expand Profiles Æ Persistence Æ and click the sign.
Name Pr_Src_Persist
Persistence Type Source Address Affinity
Parent Profile source_addr
4. In the Configuration Section, leave all fields at the default settings except for the following:
Timeout Click on the Custom checkbox for Timeout

and then set the Timeout to 15 seconds.
Mask Click on the Custom checkbox for Mask and
the set the Mask to 255.255.255.0.
Associate a Virtual Server with the Persist_Source Profile

2. Select Virtual Servers.
3. Select the virtual server of interest, vs_https.

4. Select the Resources tab.
5. Under the Load Balancing section, enter the following:
Default Pool https_pool

Default Persistence Profile Pr_Src_Persist
Demonstrating behavior after setting up persistence

1. Access and reset the statistics for the https_pool.
2. Open a new browser session and connect to https://10.10.1.100
3. Refresh the screen 5-10 times by clicking Refresh or pressing Ctrl-F5.
5. Stop refreshing the screen for at least 15 seconds.
6. Refresh again. At this point, you should be load balanced to another server.
7. From a separate browser session, view the Persistent Statistics.
a. From the Navigation Pane, expand the Overview section.
b. Select Statistics.
c. With the Display Options section, set the following:
Statistics Type Persistence Records

Data Format Normalized
Auto Refresh Disabled
8. Leave the * in the search field (show all records) and click Search or Refresh.
9. If no persistent sessions currently appear, refresh your screen connecting to
https://10.10.1.100 and then refresh the Persistence Records Statistics again.
10. Why might the persistent connection not appear the first time?

Expected result: While the persistence record is active, all traffic from that client will be
directed to a single pool member. Since the persistence record is configured to remain
for only 15 seconds, it may time out before you navigate to the persistence statistics.
Cookie Persistence Lab

Objective:
Configure Cookie persistence
Lab Requirements:
Two or more working members in http_pool
A virtual server at http://10.10.1.100 associated with http_pool
Repeating behavior before persistence

1. Make sure the Load Balancing method for http_pool is set to Round Robin and Priority
Group Activation is disabled.
NOTE: This is not required for persistence. Instead, it ensures that reuse of a single
server is due to persistence and not a load-balancing choice.
2. Access and reset the statistics for the http_pool.
4. Refresh the screen 5-10 times by clicking Refresh or pressing the F5 key.
Creating a Custom HTTP Cookie Insert Persistence Profile:

2. Either select Profiles and the Persistence tab and click Create or use the flyout menus to
expand Profiles Æ Persistence Æ and click the sign.
Name PR_Cookie_Persist
Persistence Type Cookie
Parent Profile Cookie
1. In the Configuration Section, leave all settings at default except for the following:
Expiration Check the Custom checkbox for Expired,

then uncheck Session Cookie and set the
Expiration to 2 days
Associating a Virtual Server with the Cookie Persistence Profile

3. Select the Virtual Server of interest, vs_http.
4. Select the Resources tab.
5. Within the Load Balancing section, enter the following:

Default Persistence Profile Pr_Cookie_Persist

NOTE: You should see an error requiring an HTTP profile in order to use the cookie
persistence profile, follow the steps below.
Associating the Virtual Server with an HTTP Profile

1. From the Navigation pane, select Local Traffic menu, Virtual Servers option.
3. Select the Properties tab.
4. Within the Configuration section, set the HTTP Profile to http.
6. Re-add the Pr_Cookie_Persist profile above on vs_https Resources tab as the Default
Persistence profile and click Update.
Demonstrating behavior after persistence

1. Access and reset the statistics for the http_pool.
2. Open a new browser session and connect to http://10.10.1.100
3. Refresh the screen 5-10 times by pressing “Refresh” or CTRL-F5.
5. Click on the Display Cookie link in the web page to view the cookie.

Expected result: All traffic will be directed to one member. If not, ensure that the browser you are
using allows cookies to be saved.
Disable Persistence for this Virtual Server

4. Select the Resources Tab.
5. Under the Load Balancing section, enter the following:

Disabled Members Lab

Objective:
See the interaction between persistence and the disabled status
Lab Requirements:
vs_https with resources https_pool and Pr_Src_Persist profile
NOTE: You may want to extend the persistence timeout value in the Persist_Source
profile before beginning this lab.
Establish a persistent session and disable a member

2. Select Pools then select https_pool.
4. Open a separate browser to https://10.10.1.100. Refresh to verify that you are persisting.
5. Note the member to which you have connected.
6. From the Members tab, click the box adjacent the member you are persisting to and click
Disabled.
7. Refresh the browser session at https://10.10.1.100.
Did you remain on the same member?
8. From the Members tab, select IP address of the member to which you have the persistence
session.
9. Select the Forced Offline radio button and click Update.
10. Refresh the browser session at https://10.10.1.100.
Did you remain on the same member?
Establish a persistent session and disable a node

1. From the Navigation pane, expand the Local Traffic section and then select Nodes.
2. Open a separate browser to https://10.10.1.100. Refresh to verify that you are persisting.
3. Note the node to which you have connected.
4. From the Nodes list, select the box adjacent the node and click the Disable button.
5. Refresh the browser session at https://10.10.1.100. Did you remain on the same node?
Re-Enable nodes and members

For later labs, ensure all nodes and members are enabled.
Module 7 Lab – SSL Termination 7-41
Module 7 Lab – SSL Termination

Objective:
Create self-signed certificates
Create a Clientssl profiles
Create a virtual server that will use the clientssl profile and load balance traffic
Lab Requirements:
An existing pool of members at port 80 (http_pool)
Access to a web browser

and https_pool and two Virtual Servers named vs_http and vs_https. The Pools and Pool
Members should have various Monitors assigned but no Pool Members should be marked
Offline (red) or Disabled (black). The vs_https Virtual Server should have a Source Address
Persistence Profile assigned on the Resources tab.
7-42 Module 7 Lab – SSL Termination
Client SSL Lab

Behavior before configuration: SSL traffic is encrypted from client.
1. Open a Web browser. to https://10.10.1.100.
2. Depending on the browser, you may see a lock in the lower right corner of the window; it
indicates the session is encrypted and secure. Alternately, find the certificate that is being
used for the session. Typically, you can right click on the web page, choose “Properties” and
click the Certificate button.
3. Note the pool member address and port in the body of the web page (172.16.20.x:443).
Generate a certificate
2. Either select SSL Certificates and click Create or hover your mouse over SSL Certificates
3. In the General Properties section, enter the name TestCertificate.
4. In the Certificate Properties section, enter the following:
Issuer Self
Common Name www.test.com
Division Training
Organization F5 Networks
Locality Seattle
State or Province Washington
County US
E-Mail Address Leave blank
Lifetime 365
5. In the Key Properties, choose the 1024 for the size.
6. Click Finished.
Create a Client SSL Profile:

2. Either select Profiles / SSL click Client and then click Create or use the flyout menus to
expand Profiles Æ SSL Æ Client Æ and click the sign .
3. In the General Properties section, enter the name Pr_Client_SSL and accept clientssl as the
parent profile.
4. From the Configuration section, check the custom button to the right of Certificate and Key.
For both certificate and key, choose TestCertificate from the drop-down list.
5. Click Finished.
Module 7 Lab – SSL Termination 7-43
Creating the Virtual Server

and then click the Create option on the flyout menu.
Name vs_ssl
Service Port 443 (or HTTPS)
State Enabled
4. In the Configuration section, accept all defaults except the SSL Profile (Client) option, and
choose the Pr_Client_SSL profile you’ve just created.
5. In the Resources section, select http_pool as the Default Pool.
6. Click Finished.
Behavior after configuration

1. Open a Web browser.
2. Go to https://10.10.1.102.
NOTE: The browser session is encrypted on the client side, but not on the server side.
3. Note the Pool Member address:port in the body of the web page (172.16.20.Y:80).
Unless otherwise configured, the traffic is encrypted from client to the BIG-IP LTM System, but
unencrypted between the BIG-IP system and the pool members.
7-44 Module 7 Lab – SSL Termination
Module 8 Lab – NATs and SNATs 8-45
Module 8 Labs – NATs and SNATs

Lab Objectives:
You will configure a NAT to pass traffic between an external device and a specific internal node.
Either device can initiate this connection.
Lab Requirements:
One or more servers on the internal side of the BIG-IP system
An available IP address to use for the NAT

Persistence Profile assigned on the Resources tab.
8-46 Module 8 Lab – NATs and SNATs
Configuring a NAT Lab

The Network Address Translation screen displays the NAT address and the associated node address
for each NAT.
Configure a NAT
2. Either select SNATs, the NAT List tab, and Create, or use the flyout menus to expand
SNATs Æ NATs Æ and click the sign.
NAT Address 10.10.1.200

Origin Address 172.16.20.2
State Enabled
4. In the Configuration section leave everything at defaults:
ARP Enabled
VLAN Traffic All VLANs
5. Click Finished.
Testing the NAT - Inbound

1. Open a browser session to http://10.10.1.200.
2. Note the content of the Web screen.
3. Using Putty, open an SSH session to 10.10.1.200 port 22.
4. Login with a user ID of student and password of student.
5. Note that you can connect to multiple services through the NAT and that the connection
always connects to 172.16.20.2.
NOTE: While the configured NAT would provide outbound connections as well, the
routing tables on the server do not allow it in the classroom environment.
Delete the NAT

2. Select SNATs and then the NAT List tab.
3. Check the box next to the NAT you just created, 10.10.1.200, and then click the Delete
button.
4. Click Delete to confirm the deletion
Module 8 Lab – NATs and SNATs 8-47
SNAT Labs
Lab Requirements:
Access to a BIG-IP LTM System
An available IP address to use for the SNAT
Testing Behavior without the SNAT

1. Open a browser session to both http://10.10.1.100 and https://10.10.1.100.
2. Verify your IP address at the Web server by clicking the link that says Show Source IP
Address. You should see your PC unchanged address: 10.10.1.30.
3. The Servers reside at IP Addresses 172.16.20.1, 172.16.20.2 and 172.16.20.3. The reason
they can return the response traffic to your PC at 10.10.1.30 through your BIG-IP is because
they each contain the following Server Route:
Destination Gateway
10.10.1/24 172.16.1.33
SNAT within Virtual Server Lab

Configure the vs_https virtual server to use SNAT Automap
1. From the Navigation pane, select Local Traffic menu, Virtual Servers option, and select
vs_https.
2. In the General Properties section, select the Advanced option, and scroll down to the
bottom of the configuration screen.
3. In the SNAT Pool option, select Automap and then the Update button.
Testing the SNAT

1. Open a browser session to http://10.10.1.100.
2. Verify your IP address at the Web server by clicking the link that says Show Source IP
Address. Your address should still be 10.10.1.30
3. Now open a browser session to https://10.10.1.100, click the link to check the source IP and
notice your source address has changed to 172.16.1.33, the internal floating self IP Address
of your BIG-IP.
SNAT for a List of Devices Lab

8-48 Module 8 Lab – NATs and SNATs
2. Either select SNATs and Create, or use the flyout menus to expand SNATs and click the
sign.
3. In the General Properties section, the Name SNAT_NW_10X.
Translation IP Address: 172.16.1.201

Origin Address List (next option will appear)
Type – Network
Address – 10.0.0.0
Address List
Netmask – 255.0.0.0
Æ Click Add
VLAN Traffic All VLANs
Stateful Failover
Unchecked
Mirror
5. Click Finished.
Testing the SNAT

1. Test the results by connecting to http://10.10.1.100 and https://10.10.1.100. View your
source IP address. What are the results?
Connection Source IP at Server Which SNAT
To http://10.10.X.100
To https://10.10.X.100
2. What SNATing is taking place for each Virtual Server?
3. Expected results: you should be successful to both of your virtual servers. Your traffic to
https://10.10.1.100 will be SNATed to 172.16.1.33. Your traffic to http://10.10.1.100 will
be SNATed to 172.16.1.201.
4. How could you change your SNAT definition to allow traffic from the 192.168.0.0/16
network to be SNATed also?
Delete the SNATs

Remove SNAT option from Virtual Server configurations
1. From the Navigation pane, select Local Traffic menu, Virtual Servers option, vs_https, and
set the SNAT Pool option to None.
2. From the Navigation pane, select SNATs menu, the SNAT named SNAT_NW_10X, and
then click Delete.
3. Notice when testing that your source address is once again 10.10.1.30, but you still get
response packets back from servers because of the routes on the servers.
Module 9 Lab – iRules 9-49
Module 9 Labs – iRules

Objective:
Configure a series of iRules, pools, and virtual servers in order to demonstrate a variety
of rule features and functions.
Estimated time for completion: 30 minutes.
Lab Requirements:
External IP address of the Virtual Server
IP Address(es) of internal node (s)

Persistence Profile assigned on the Resources tab. Although they won’t cause issues with this
lab, all NATs and SNATs should have been deleted at the end of Lab 8.
9-50 Module 9 Lab – iRules
iRules Lab #1
Create and use an iRule that processes requests based on the file extension.
iRules Lab 1 Steps

1. The necessary pools are created.
2. iRules that reference the pools are created.
3. Virtual Servers that reference the iRules are created.
Create a Pool
2. Either select Pools and then click Create, or use the flyout menus to expand Pools and click
the sign.
Configuration level Basic

Name pool1

New Members IP: 172.16.20.1
Enter and press Add Port: * All Services
Create another Pool

1. Create pool2 that contains one member, 172.16.20.2:* (Port is “All Services”).
Create a Rule using this pool

2. Either select iRules and click Create or leave your mouse over iRules and then click the
sign on the flyout menu.
3. In the Properties section, enter the following:
Name rule_txt_end
when HTTP_REQUEST {
if {[HTTP::uri] ends_with "txt"} {
pool pool1
Definition }
}
Create a Virtual Server using this rule

Name vs_rule_txt
Service Port 80 (or HTTP)
State Enabled
4. In the Configuration section, leave all fields at their default except the following:
HTTP Profile http
5. In the Resources section, leave all fields at their default except the following:
iRules rule_txt_end

1. Open a new browser session on your PC and direct it to your Virtual Server address and files:
a. http://10.10.1.101/file.txt
b. http://10.10.1.101/text.txt
c. http://10.10.1.101
NOTE: Currently, you should get an HTTP404 msg page not found for url
http://10.10.1.101 because we don’t have a Default Pool or an else leg for the iRule.
Also, files such as file.txt, text.txt and text.one, only exist on Server 1 (172.16.20.1)

a. Overview Section / Statistics / Choose from Statistics Type drop-down list.
b. Local Traffic Section / Virtual Servers / Statistics
c. Local Traffic Section / Pools / Statistics
3. Which node is traffic being directed to for each address above?
Add a Default Pool to the Virtual Server and Test

1. Navigate to the resources for the Virtual Server vs_rule_txt and specify pool2 as the default
pool.
2. Open a new browser, test client connections and explain your results.
c. http://10.10.1.101
NOTE: Now http://10.10.1.101 should work and send you to Pool2.
Add an Else leg to iRule and Test

1. Disassociate the default pool (pool2) from virtual server vs_rule_txt.
2. Change rule_txt_end to add an else leg for pool2 like:
when HTTP_REQUEST {
if {[HTTP::uri] ends_with "txt"} {
pool pool1
}
else { pool pool2 }
}
3. Open a new browser, test client connections and explain your results.
c. http://10.10.1.101
iRules Lab#2
Lab 2 Overview
Create and use an iRule that processes requests based on the TCP port.
Create a third Pool

1. Create pool3 that contains one member, 172.16.20.3:* (Port is “All Services”).
Create a Rule for TCP port

2. Either select iRules and click Create or leave your mouse over iRules and then click the
sign on the flyout menu.
3. In the Properties section, enter the following:
Name rule_tcp_port
Definition when CLIENT_ACCEPTED {
if {[TCP::local_port] equals 80} {
pool pool1
}
elseif { [TCP::local_port] equals 443 } {
pool pool2
}
}
Create a Virtual Server using this rule

Name vs_tcpport
Service Port * All Ports
State Enabled
4. In the Configuration section, accept all defaults.

5. In the Resources section, leave all fields at their default except the following:
iRules rule_tcp_port
Default Pool pool3

1. Open a new browser session on your PC and direct it to your Virtual Server address and files:
a. http://10.10.1.103
b. https://10.10.1.103
c. Using Putty, open an SSH session to 10.10.1.103 port 22.
NOTE: You can verify that your SSH session went to Pool3 using Statistics.
a. Overview Section / Statistics / Choose from Statistics Type drop-down list.
b. Local Traffic Section / Virtual Servers / Statistics
c. Local Traffic Section / Pools / Statistics
3. To which node is traffic being directed for each client request above and why?
Module 10 and 11 Lab – Redundant Pair and High Availability 10-55
Module 10 and 11 Labs –

Redundant Pair and High Availability
NOTE: Currently the F5 Training Lab environment does not support Redundant Pair. In
the future when Redundant Pair is supported the lab steps will be similar to Appendix D.
10-56 Module 10 and 11 Lab – Redundant Pair and High Availability
Lab Project LP-57
Configuration Lab Project

Lab Objectives:
During this lab, you will work with many of the concepts that you learned in Modules 1 to 8. In
Modules 1 through 8, the Lab steps were very specific and told the student exactly what to do. One
of the objectives of this Lab Configuration Project is to see if the student remembers how to configure
each feature. Therefore the lab steps in this Configuration Project are not specific but rather given at
a much higher level. Another objective of this Configuration Project is to give the student an
opportunity to configure all features together rather than individually. Upon completion, you will
have configured a BIG-IP system with working virtual servers, profiles, monitors and pools.
There are two stages to this lab:

1. Create new pools, profiles, monitors and virtual servers.
2. Verify the configuration works as expected.

11. After Restore, your configuration should be as if you had just finished all Module 1 labs.
Please verify this is the case. Your configuration should be licensed, include 2 VLAN’s
(Network / VLANs) named external and internal and have 4 self IP’s (Network / Self IPs) at
10.10.1.31, 10.10.1.33, 172.16.1.31 and 172.16.1.33 configured.
LP-58 Lab Project
Reconfigure the BIG-IP LTM System

A. Create Monitors according to the following table
Name Type Settings Associations
Interval – 5, Timeout – 16
http_pool
my_http http Receive String – Server
(Once pool is created, below.)
Others – leave at defaults
B. Assign Monitors according to the following table

Name Type Settings Associations
Node Default
icmp (Default Monitor) icmp Use all default settings
C. Create Pools according to the following table

Name Load Balance Members Port Ratio Priortity Monitors
172.16.20.1 22 1 1
ssh_pool Round Robin 172.16.20.2 22 1 1
172.16.20.3 22 1 1
Ratio Member
172.16.20.1 80 2 1
Priority Group
http_pool 172.16.20.2 80 2 4 my_http
Activation
172.16.20.3 80 1 4
Less than 2
172.16.20.1 443 1 1
https_pool Round Robin 172.16.20.2 443 1 1
172.16.20.3 443 1 1
D. Create Profiles as listed in the following table

Name Profile Type Parent Profile Settings
Source Timeout of 30 seconds and
Pr_Src_Persist Persistence source_addr
Address mask of 255.255.255.0
Certificate of TestCertificate
Pr_SSL_term SSL Client clientssl
and a Key of TestCertificate
Lab Project LP-59
E. Create Virtual Servers according to the following table

NOTE: Remember that Persistence Profiles are configured on the Resources tab of the
Virtual Server and all other Profile types on the Properties tab.
Name IP Address Port Resources Profiles & SNAT

vs_ssh 10.10.1.100 22 ssh_pool Defaults only
vs_http 10.10.1.100 80 http_pool SNAT Automap
vs_https 10.10.1.100 443 https_pool Pr_Src_Persist
vs_ssl 10.10.1.102 443 http_pool Pr_SSL_term
Save your new configuration

1. Backup your new configuration as Lab_Project.ucs.
LP-60 Lab Project
Verification
Activity Questions Working?
Open a Browser and connect to Are you load balancing?
http://10.10.1.100 Why or why not?
Refresh the screen 5-10 times
Open a Browser and connect to

Are you load balancing?
https://10.10.1.100
Why or why not?
Refresh the screen 5-10 times
View the node statistics
Open a Putty SSH session to: Were you able to connect?

10.10.1.100:22 Which node did you
After connecting, login connect to?
User-id: student Password: Do you have an open
student connection?
View the node statistics
Open a Browser and connect Are you load balancing?
(again) to https://10.10.1.100 Why or why not?
Refresh the screen 5-10 times Are you connecting to the
View the node statistics same node as you did in
test 2, above?
Open a Browser and connect to What is your source

both https://10.10.1.100 and address for http and https?
http://10.10.1.100 Why are they different?
Click the link to show source
address
Open a Browser and connect to Is the session secure?
https://10.10.1.102 Is the data from BIG-IP
LTM to the Server
encrypted?
Lab Project LP-61
Review Questions
1. Which admin users’ passwords are changed by the BIG-IP setup utility, and what access do
they have?
2. What is a node? A pool and pool member? A profile? A virtual server?
3. List the load balancing modes.
4. How are monitors created, and what can they be assigned to?
5. If a particular node is in a node disabled condition, will any types of client requests still be
directed to that pool member?
6. What is the difference between the client SSL and server SSL Profiles?
7. Why would you use SNATs?
LP-62 Lab Project
Answers to Configuration Project Questions
Activity Questions Answers
Refresh Yes, but should only be using

Are you load balancing? Nodes 20.2 & 20.3 because they
http://10.10.1.100
Why or why not? have higher priorities for Priority
Group Activation
Actually this is a trick question.
Refresh The first request is load balanced
Are you load balancing?
https://10.10.1.100 but subsequent requests within
Why or why not?
the 30 second timeout window
should persist to same Node.
Did you connect? Should have connected ok.
SSH to: 10.10.1.100:22
Which node did you You have to go to statistics to
Login with user ID and
connect to? figure out which node and your
password of student
Do you have an open SSH connection remains open
View the node statistics until you exit putty or logoff.
connection?
Your previous 30 second
Are you load balancing? persistence record should have
Refresh (again) Why or why not? timed out by now. The first
https://10.10.1.100 Are you connecting to the request should go to a different
same node as 2 steps member than previous session
above? and then should persist for
another 30 seconds.
http should have a source IP of
What is source address
For both https and http 172.16.1.33 because of SNAT
for http and https?
Click link source address Automap, and https should have
Why are they different?
a source IP of 10.10.1.30.
Is the session secure? The session should be secure
Browser session to Is the data encrypted (using https) from client PC to
https://10.10.1.102 from the Server to the BIG-IP, then unencrypted (http)
BIG-IP LTM? from BIG-IP to Server.
Lab Project LP-63
Answers to Review Questions

1. Which admin users passwords are changed by the BIG-IP setup utility, and what access
do they have (web GUI or Command Line)?
• root – and it should have access only to command line not the web GUI.
• admin – and it should initially have access only to the web GUI, but command line
access can be added
2. What is a node? A pool and pool member? A virtual server?
• Node is IP Address only of a server where Pool Member typically contains both IP
Address and Port
• A Pool is a group of Pool Members, and the Virtual Server is the client representation of
the application. Clients seldom know there are multiple Pool Members behind a Virtual.
3. List the load balancing modes.
• Round Robin is the default load balancing mode but we can also use Ratio, Least
Connections, Fastest, Observed and Predictive.
• F5 Networks continues to add new features to BIG-IP LTM including new load balancing
modes, so you might see more depending on what version you are running.
4. How are monitors created, and what can they be assigned to?
• Just like other objects, they are created by selecting Monitors and clicking the create
button or the sign from the flyout menu.
• Monitors also need to be assigned before they will be used. Monitors can be assigned to
all Nodes or an individual Node, or at the Pool level or to an individual Pool Member
5. If a particular node is in a node disabled condition, will any types of client requests still
be directed to that pool member?
• Yes, client requests can still be directed to a disabled Node if there is still a persistent
session (i.e. within the timeout window)
• On the other hand, if the Node is administratively “Forced Offline” rather than Disabled
then no more client requests will be sent until the Node is Enabled again.
6. What is the difference between the client SSL and server SSL Profiles?
• The Client SSL Profile encrypts (https) network traffic between the client and BIG-IP.
• The Server SSL Profile encrypts (https) network traffic between BIG-IP and the servers.
7. Why would you use SNATs?
• SNATs are used to fix or assist with routing issues. There are MANY ways a SNAT can
be used to resolve the many different types of routing issues, two are listed below.
o RFC1918 (non-routable) client traffic outbound to internet
o Pool Members default route cannot be pointed at BIG-IP, but remember… If
BIG-IP changes an IP Address then response packet must return through BIG-IP.
LP-64 Lab Project
Appendix A
Appendix A: F5 Networks – the Company and

its Products
As the pioneer in Application Delivery Networks, F5 continues to lead the industry by driving more
intelligence into the network to deliver advanced application agility. F5 products ensure the secure
and optimized delivery of applications to any user, using any device, anywhere in the world. Through
its flexible and cohesive architecture, F5 delivers unmatched value by improving the way
organizations serve their employees, customers and constituents—while dramatically lowering
operational costs.
F5’s application delivery network products provide:
Application Optimization
F5's architecture automatically assigns every application the right mix of availability,
security, and performance at the network level, further optimizing their performance.
Application Security
F5's Application Traffic Management architecture supports integrated security features
that protect the delivery of applications by enforcing security policies at the edge of the
network, before a session is allowed.
Application Delivery
F5's architecture delivers the raw horsepower, based on tightly integrated security,
availability, scalability - all of which work together to deliver exceptional throughput and
transaction performance.
F5 Product Suite Overview

F5 products address the three main areas of Application Delivery Networking: Application Security,
Application Optimization and Application Availability.
Regardless of your network application pain, F5 has a solution. And because we recognize that each
network issue has an impact upon other critical areas, F5 products share powerful attributes across the
industry's only integrated platform - TMOS. TMOS includes the iControl API, which allows F5
products to communicate with each other and implement extremely flexible policies in the form of
iRules. An active developer community, unique to F5, creates and shares customized iRules for
enforcing virtually any kind of application-delivery behavior.
The result is elegant and powerful solutions to protect you from security threats, network failures and
traffic congestion, while putting in place an architecture for the future.
F5 Products include:
BIG-IP Local Traffic Manager (LTM)
BIG-IP Global Traffic Manager (GTM)
BIG-IP Link Controller (LC)
BIG-IP Application Security Manager (ASM)
Appendix A
BIG-IP WebAccelerator (WA)

BIG-IP Web Optimization Module (WOM)
Enterprise Manager (EM)
ARX and Data Manager
FirePass
BIG-IP - Traffic Management

From basic local and wide area load balancing, to link traffic management, to applications that require
special handling and augmented security, F5 has the solution to fit every business need, and every
business budget.
BIG-IP® Local Traffic Manager (LTM)
Network intelligence on a cost-effective, integrated SSL hardware platform for

flexible, fast, secure IP-centric traffic management
BIG-IP® LTM is a local area application traffic management solution. BIG-IP LTM provides the
benefits of traffic management, traditionally reserved for Web-only applications, to all IP based
applications and Web services. BIG-IP LTM ensures business continuity, security and performance
by intercepting, inspecting, transforming, and directing application and Web services requests, based
on values found in the header or payload. BIG-IP LTM products also include SSL acceleration to
offload this processing-intensive function from the application servers themselves, increasing
application performance.
BIG-IP® Global Traffic Manager (GTM previously 3-DNS®)
Wide-area network high-availability, intelligent load balancing

The BIG-IP® GTM System provides wide-area traffic management and high availability of IP
applications/services running across multiple data centers. With GTM, businesses can ensure optimal
reliability and fast performance across all of their Internet sites, no matter where they are in the world.
GTM adds intelligence to industry-standard DNS, and ensures that end users are sent to a site that is
available and provides the best response. Its unique intelligence can examine the health of data
centers, the network, and the geography of users, then direct traffic based on customizable business
rules.
BIG-IP® Link Controller (LC)
High availability and intelligent routing for multi-homed networks

As enterprises increase their use of the Internet to deliver their business-critical applications,
maintaining only one link to the public network represents a single point of failure and serious
network vulnerability. The BIG-IP® Link Controller monitors availability and performance of
multiple WAN connections to intelligently manage traffic flows to and from a site - providing fault
tolerant, optimized Internet access.
Appendix A
BIG-IP® Application Security Manager (ASM previously TrafficShield™)
Application Firewall
BIG-IP® ASM provides comprehensive security for IP-based applications and services, protecting
them against known and unknown external threats at the network and application layers. ASM is an
Application Firewall, a new class of device which protects applications from hackers and other
malicious attacks.
ASM offers several modules for filtering out malicious requests, scrubbing data sent to users, and
cloaking application infrastructure. The core functionality is a powerful application firewall that
checks every user request against a known set of user interactions with the Web application, rejecting
any request not known to be legal.
Unlike network firewall products that focus on protecting against network level attacks or pure
Intrusion Prevention Systems that focus on preventing ever increasing quantities of known attacks.
ASM offers organizations a complete Web application protection system capable of blocking a broad
range of network, and Web application attacks.
BIG-IP Web Accelerator™ (WA)
Application Optimization
Mobile workers access enterprise applications from coffee shops, airports and offices. These workers
expect their web applications—e-mail, ERP, sales force automation—to perform well in all locations.
If any part of the application delivery system falters, end-to-end performance degrades and
productivity suffers.
WebAccelerator™ is an advanced application delivery solution that provides superior web
application performance for mobile workers. WebAccelerator speeds up web applications such as
Hyperion™, Peoplesoft™, Plumtree™, SAP™, Siebel™ and others, often increasing performance by
200% to 500%.
BIG-IP Web Optimization Module (WOM)
Application Delivery
BIG-IP® WOM is an appliance-based solution that delivers LAN-like application performance over
the WAN. WOM accelerates applications including: file transfer, e-mail, client-server applications,
data replication, and others, resulting in predictable, fast performance for all WAN users.
Enterprise Manager (EM)
Simplified multi-F5 device management and control

The Enterprise Manager (EM) provides a single, centralized management and operational interface
for F5 devices. It makes configuring and managing multiple F5 devices easy by allowing
administrators to affect changes across many devices or objects - reducing overhead and saving time.
With Enterprise Manager you’ll:
Reduce your labor costs for managing multiple F5 devices
Archive and safeguard device configurations for contingency planning
Easily and quickly roll-out software upgrades and security patches
Receive alerts that help you keep a healthy environment and take proactive actions
Appendix A
ARX and Data Manager
Intelligent File Virtualization

Information Lifecycle Management (ILM) holds tremendous promise for the enterprise, yet its
adoption has been slowed by factors such as proprietary vendor approaches, complexity and lack of
internal coordination. Increasingly enterprises are using intelligent file virtualization to create storage
tiers and to use those tiers more efficiently, without many of the drawbacks associated with traditional
ILM approaches. Intelligent file virtualization offers a simple, open approach to automated storage
tiering that can be deployed rapidly to provide a dramatic positive economic impact to enterprises.
FirePass®
SSL VPN Remote Access

F5's FirePass Controller provides secure remote access to corporate applications and data via standard
Web browser technology. It enables companies to extend secure remote access to anyone connected
to the Internet using desktops, laptops, PDAs, kiosks and more - while eliminating the need for
complex IPSec VPNs. FirePass is the first SSL VPN solution with complete cross-platform support.
Extending its support for any IP application to Macintosh, PocketPC and Linux clients, in addition to
Windows, and expanding client and application security for Web, email and file application access,
FirePass supports access to Web hosts, terminal servers, client-server applications, legacy hosts,
mobile devices and Windows desktops, without pre-installed client software.
iControl® SDK
Software Development Kit

The iControl® architecture and SDK provide an interface between 3rd party solutions and F5's suite
of products. This interface creates the opportunity for application developers, ISV's, hardware
manufacturers, service providers, and others to add value to their solutions by allowing
direct communication with our suite to create a true application-aware network. For more
information please visit http://devcentral.f5.com
Appendix B B-1
F5 Customer Support
Network Support Center
F5® Technical Support is designed to remotely assist you with specific break-fix issues regarding
ongoing maintenance of your F5 products. All F5 products come with a one year manufacturer's
hardware warranty and 90 days of software media warranty. Technical support is limited to F5
products with active support contracts. Subscribers who require additional levels of support from our
support team may opt to upgrade to Premium Support, which includes 24 x 7 support.
Ask F5
Ask F5 is an online knowledgebase accessible 24x7 through our technical support website. Ask F5
gives you real-time access to in-depth product and technical support information, by providing a
simple, English language query-based search. Ask F5 provides unlimited access at no additional
charge for all F5 customers covered under an F5 annual service agreement.
Web Support Portal

The F5 Web Support Portal provides you with more flexibility and better, faster access to F5 support,
24 x 7. Quickly initiate new support cases, immediately receive an automated case number, read case
details and updates on your open cases, upload troubleshooting attachments, and more. You never
have to remember phone numbers or wait on hold, and online help is always available.
DevCentral
DevCentral is a community of experienced F5 users who regularly post answers based on real-life
knowledge. To assist DevCentral members, F5 provides technical documentation, tips, access to free
sample downloads, and a confidential discussion forum for receiving answers to technical questions.
DevCentral is free of charge to our customers for building iRules and iControl applications, and the
forum is monitored by F5 engineers and experts who offer assistance on technical questions including
design, architecture, troubleshooting, and general assistance with building iRules and iControl
applications.
Documentation for Support

Common Document requested
NOTE: Solution ID SOL135 has been copied here from the Ask F5 database for reference
purposes.
Solution ID: SOL135
Information required for opening a BIG-IP LTM or BIG-IP GTM support case
B-2 Appendix B
F5 Networks Technical Support can help resolve problems more quickly when you provide a full
description of the problem and the details of your configuration. To help you gather all the required
information, use the following guidelines to prepare for opening a case.
General Information
Provide the following information when you open a case with F5 Networks Technical Support:
A full description of the problem, including the following:
• The symptoms of the problem.
• The approximate time the problem first occurred.
• The number of times the problem has recurred.
• Any error output provided by the system.
• Steps to reproduce the problem.
• Any changes you made to the system before the problem first occurred.
• Any steps you have attempted to solve the problem.
A description of the impact the problem is having on your site, using the following definitions:
• Site Down - Your network or application is down or critical business functions
have stopped due to the problem.
• Site at Risk - Your network or application is severely and negatively impacted
by the problem.
• Performance Severely Degraded - The performance of your network or
application has been severely reduced due to the problem.
• Performance Impaired - Your network or application is suffering from reduced
performance, but otherwise continues to work as expected.
• General Assistance Required - The subject of the case does not currently
impact your network or application.
The hours that you are available to work on the problem and any alternative contacts that can work on
the problem if you are not available.
Remote access information, if possible.
Remote access to your network environment is important, because it is the most effective method for
collecting information and troubleshooting technical issues. If you cannot provide remote access, F5
Networks Technical Support will work directly with you to resolve the issue over the phone;
however, this method can often be more time consuming and may require file transfers, replication,
and additional testing.
Product specific information

Collect the following information from the affected system(s) and provide it when you open the case.
For information about sending this information to F5 Networks, refer to SOL2486: Providing files to
F5 Networks Technical Support.
Appendix B B-3
tech.out file
A tech.out file contains the configuration files that F5 Networks Technical Support most frequently
needs when troubleshooting a problem. A tech.out file is produced by the qkview utility and the terms
tech.out and qkview may be used interchangeably.
For more information about qkview, refer to SOL1858: Overview of the qkview utility.
Log files
The tech.out file contains the log files for the last day. If the problem has existed for more than a day,
provide all the log files on the system, by performing the following steps:
1. Log in to the command line.
2. Change directories to the /var/log directory, by typing the following command:
cd /var/log
3. Place all of the log files in a tar archive, by typing the following command:
tar -czpf /var/tmp/logfiles.tar.gz *
4. This command will create a tar archive named logfiles.tar.gz in the /var/tmp directory.
Packet traces
If the problem involves the network, perform a packet trace while the problem is occurring and
provide the packet trace when you open the case.
For more information about performing packet traces with tcpdump, refer to SOL2246: Performing a
packet trace and providing the results to F5 Networks Support.
UCS archive
If you cannot give F5 Support remote access to your system, you must provide a UCS archive of the
current configuration. For more information, refer to SOL2250: Overview of UCS archives.
Core files
Core files contain the contents of the system memory at the time a crash occurred. If the system has
been configured to save core files, they will be located in the /var/savecore directory. Provide any
existing core files when you open the case.
If the system is crashing and has not yet been configured to save core files, configure it so that a core
file will be saved the next time the crash occurs.
For more information, refer to the following Solutions:
For switch appliances: SOL2226: Saving core files on BIG-IP or 3-DNS Controllers that have limited
disk space
For server appliances and blade controllers: SOL266: Configuring the BIG-IP or 3-DNS Controller to
save a core dump
B-4 Appendix B
tcpdump
tcpdump is one of the main troubleshooting tools used by the F5 Networks Support group to
determine what is happening on a BIG-IP LTM System.
Functions and Syntax

tcpdump is a Unix command line interface (CLI) utility available on the BIG-IP LTM System. You
can run tcpdump by typing tcpdump with or without a variety of options, which offer a view of
packets entering and leaving the interfaces and /or VLANs on a BIG-IP LTM System. tcpdump is the
primary command line utility used for troubleshooting packet flow on the BIG-IP LTM System as
well as other network devices. Acting as a network analyzer, tcpdump allows network traffic to be
seen on the screen in real time or recorded to a file for playback later. tcpdump has several syntax
options and allows use of expressions to enable viewing specific types or amounts of traffic. A single
session of tcpdump will monitor only one interface at a time. However, instances may be run
simultaneously, allowing multiple interfaces to be viewed.
An example of common tcpdump syntax follows:
tcpdump -i external host 172.16.1.100 and port 80
This command causes tcpdump to monitor the external interface for any packets containing a source
or destination IP address of 172.16.1.100, a source or destination port 80, and display them on the
screen. The general syntax is:
tcpdump switches filters.
If you include multiple filters, they must be separated by Boolean arguments such as and, or and
not.
The table below lists some options for tcpdump.
Parameter Type Meaning

Specifies the interface to use. The first interface (often
-i <interface> Switch
external) is the default if this parameter is omitted.
-i <VLAN> Switch Specifies the VLAN to use.
-e Switch Displays MAC addresses.
Disables name resolution to enable display of IP address and
-n Switch
port numbers instead of names.
-X Switch Displays packets in hex and decodes in ASCII.
-s <value> Switch Specifies bytes packet size to display. Default is 76.
-w <value> Switch Writes output to specified file
-r <value> Switch Reads from specified file
host <ip> Filter Displays packets either to or from that host.
<protocol> Filter ICMP, UDP, ARP, etc.
port <port> Filter Displays packets either to or from the specified port.
Appendix B B-5
Saving Data to File

There are two methods to store tcpdump output to a file. The recommended method stores the data in
a compressed format so that other utilities, such as EtherReal or Wireshark can read the file.
Example:
tcpdump –w <filename> host 10.10.10.30 and port 80
F5 Professional Services
F5 Professional Services executes on the company's paradigm of innovation by delivering a full-range
of consulting services, including planning, design, deployments, upgrades, migrations, optimization
and application verification to ensure a highly available, scalable and secure infrastructure.
Design and Planning Services

Maximize your return on product investment. Allow our Professional Consultants to design an
optimal network architecture and create a comprehensive deployment plan to put it into production.
We design efficiency, flexibility, scalability and security into each and every project to fit your
business needs, utilizing F5 best practices for physical and logical topology and application traffic
management.
Installation Services
An F5 professional Consultant will work to ensure your F5 product is installed and running as
efficiently as possible. Network topology, load balancing design review, application tuning and
product orientation are included in this service. Network performance tuning and comprehensive
product training are not included.
Optimization Services
F5 Consultants can help you leverage the true power of advanced product features such as
compression, caching, and traffic shaping. Network performance tuning and application tuning are
also offered to optimize your F5 deployment.
Application Deployment Services

Get the most out of your load balanced applications by allowing an F5 product expert to assist with
application deployment. An F5 consultant will review your business goals, application architecture
and traffic management requirements to create a comprehensive deployment plan, then assist in its
implementation.
Upgrade and Migration Services

Take advantage of the latest and greatest traffic management features. Our seasoned consultants will
work with you to plan and execute upgrades to new software versions or hardware platforms. We are
also happy to assist you with migrations from competing traffic management products.
B-6 Appendix B
Design Review and Verification Services

Seek an expert’s opinion on your traffic management and network architecture. Our seasoned
consultants inspect aspects of your F5 device configuration and the surrounding network, making
recommendations and observations relevant to your business goals.
Custom Scripting and Monitor Development

Many applications require “outside the box” customization possible only by scripting: EAVs
(Extended Application Verification), complex monitors, iRules™, iControl®, and other complex
automated tasks can take your F5 investment to the next level. F5 Consultants have the requisite
extensive knowledge of F5 products’ internal workings to develop creative and compatible solutions
that address your specific requirements.
Appendix B B-7
Pre-Installation Information
Objective:
Now having a better understanding of the BIG-IP LTM Software and how it works, this section
conveys additional information to consider during a BIG-IP LTM System installation. You will learn
the types of hardware and networking questions that need to be answered before an installation takes
place.
Pre-installation hardware checklist

Network Hardware
1. What is the physical media type used in your environment?
2. If Fast Ethernet, do you use switched or shared media (or both)?
3. What brand/type of switches or hubs do you use?
4. What brand/type of routers do you use?
5. What IP network ranges do you use?
6. What are your future needs for IP addresses (considering growth)?
7. What routing protocols do you employ (both internally and at the border)?
8. What router redundancy methods do you employ?
9. Do you use multiple ISPs for link redundancy?
Servers
1. What type of hardware are your servers?
2. What OS are your servers?
Backend databases and application servers

1. What type of hardware are your backend database servers?
2. What backend database products do you use?
Oracle
MS SQL 6.5
Informix
B-8 Appendix B
Pre-installation network checklist

Wide Area
Describe any geographical disbursed fail-over sites do you have?
Do you do any load distribution across multiple geographic sites?
Is co-location or hosting part of your multi-site plans?
Bandwidth
What is the total amount of bandwidth into each geographical site?
What is the average amount of sustained throughput that you use?
Do you use any rate shaping or traffic prioritization products?
Backend database replication
• Transactio n level
• Batch replication
• Har dware mirroring
• Soft ware mirroring
Do you use any backend HA devices or software?

• Net work Appliance
• Qu alix
• Veritas
• W olfpack
What other backend content products do you use?

• O pentext
• Vinette Story server
• B roadVision
State maintenance
Do your applications require that the client return to the same server
for the entire session?
Security concerns/Architecture
How important is security to your site?
What type of firewall do you use?
Does your firewall perform NAT?
Describe the basic rule set used:
What type of proxy server do you use?
What type of cache server do you use?
What type of VPN do you use?
Network Management
How do you view or manage your network site?
What products do you use for network troubleshooting/monitoring?
• CA Unicenter
• HP Openview
• N etIQ
• Compaq Insight Manager
• MS- SMS
Administrative
How do you securely administer your server or backend database if your site is co-located?
Do you have a secure back channel or VPN via the internet for server or database administration?
Do you use and remote terminal software PC Anywhere, Remotely Possible, F-Secure SSH, Telnet, etc?
Appendix B B-9
Pre-Installation Checklist
Follow the steps below to ensure proper installation of your BIG-IP LTM System.
1. Provide 3 real internet addresses for a redundant BIG-IP LTM System configuration.
2. Provide a real internet address for each virtual IP address (VIP) or NAT.
3. Provide 3 internal IP addresses (e.g. 10.x.x.x, RFC 1918 etc.) [redundant BIG-IP LTM System
configuration].
4. Provide one internal IP address per node on the internal network.
5. Provide appropriate connectivity to physical segments.
6. Provide the IP addresses of the DNS servers (optional depending on implementation).
7. Provide access to the existing production content server(s), or an alternate content server.
8. Provide a monitor, keyboard and the appropriate power outlet for the monitor.
9. Provide one 110/220 power outlet for each BIG-IP LTM System unit.
10. Provide monitor A/B switch (optional).
11. Identify and provide access to any management workstations
(For example workstation running CA Unicenter or other monitoring tool).
12. Identify and provide access to a monitoring workstation (non-dedicated) for the SSH client software
(optional).
13. Designate an individual as the primary contact and “BIG-IP LTM System administrator” (tier 2 or 3).
14. Verify that each BIG-IP LTM external IP address can be accessed through incoming tcp port 22
(optional - to verify remote administration capability).
15. Verify that each BIG-IP LTM System can use outgoing tcp port 22 from tcp port 1023-1019 (optional).
16. Verify your ability to change DNS A records (for conversion from DNS round robin).
17. Create a DNS entry for each BIG-IP LTM administrative IP address (optional).
B-10 Appendix B
BIG-IP LTM System Worksheet
Appendix B B-11
Installing BIG-IP LTM V10.x software

Performing prerequisite Installation tasks
A basic installation consists of some prerequisite tasks that prepare you for installing the software.
These prerequisite tasks are the same, regardless of whether you are installing the software on a
system that is already running version 9.6.x or earlier versions of 10.x, or upgrading to version 10.x
from version 9.3.x or 9.4.x. These tasks involve:
Configuring the management interface
Establishing a connection to the system
Setting the active volume
Making sure the license is active and updated
Configuring the management interface

To install software upgrades and perform management tasks on the BIG-IP system, you must use the
management interface. When you initially set up the system hardware, you probably configured an IP
address, netmask, and default route for the management interface. If you did not, you can use the
default settings, or you can use the LCD controls to specify settings appropriate to your network.
To allow remote connections, the traffic management software comes with a default root account and
password and two pre-defined IP addresses. The preferred default IP address is 192.168.1.245. The
alternate IP address is 192.168.245.245. The default netmask is 255.255.255.0. To change the default
IP Address on the management port using the “config” command or the LCD front console refer
to the BIG-IP v10 Getting Started Guide.
Working with volumes

This version of the BIG-IP system software uses the volumes disk-formatting scheme. A specific
section of a hard drive is called a volume. Also called logical volume management (LVM), this
feature supports all platforms and modules available for the BIG-IP system. The volume holds a
complete version of the BIG-IP software. You can create additional volumes to hold additional
software versions, and you can delete existing volumes you no longer need.
To install the software, you boot to a volume that you do not want to upgrade, to serve as the source.
You cannot install to the active volume. LVM labels, disk names, partition and volume indexes, and
file system labels are used internally by the disk management system. At any given time, only one
volume may be the active partition. The active volume or partition contains the software that runs
when you start up or reboot the system. For more information on creating, deleting or setting the
active volume, refer to the BIG-IP v10 Getting Started Guide.
Activating the software license

To install new versions of BIG-IP system software, you must have an active and updated license. An
active and updated license contains a valid service check date for the system software release you
plan to install and run. During installation and initialization, the system verifies the software release
check date in the software against the service check date in the license file on your system.
B-12 Appendix B
To activate the license for the system, you must have a base registration key. The base registration
key is a 27-character string that lets the license server know which F5 products you are entitled to
license. The base registration key is preinstalled on your system. If the system is not yet licensed, the
Configuration utility prompts you to enter the base registration key. You enter keys for additional
modules using settings in the Add-On Registration Key List area of the License screen.
Performing Software Installations

This section describes the method to install and upgrade BIG-IP version 10 systems. Version 10 uses
a new utility, image2disk, for both installations and upgrades. With image2disk you can install many
different versions of BIG-IP; you are no longer limited to two slots. However, if you later choose to
downgrade to version 9, you must reinstall the system and revert to two slots.
Upgrading from software versions earlier than 9.3.x

You cannot upgrade directly to version 10.x from BIG-IP version 4.x or from BIG-IP versions 9.0.x
through 9.2.x. You must perform an indirect upgrade, by first installing software version 9.3.x or
9.4.x, and then following the process for upgrading to version 10.x from version 9.3.x or 9.4.x. For
details about upgrading to version 9.3.x or 9.4.x, see the release notes for the associated release.
Upgrading from BIG-IP version 9.3 or 9.4

Image2disk did not exist with version 9. However, if you copy the ISO image for version 10 and run
the installation manager (IM), it will extract the image2disk utility.
1. Create a /shared/images directory
mkdir /shared/images
2. Copy the version 10 ISO to the /shared/images directory
Use a utility such as winscp or ftp
3. Run installation manager to extract the image2disk utility
im <ISO File name> Example: im BIGIP-10.0.0.5401.0.iso
Results:
[root@big1:Active] images # im BIGIP-10.0.0.5401.0.iso
/tmp/rpmdisk.SVfD7C /shared/images
info: system has tm_install-2.4-36.0
info: system has perl-RPM2-0.67-10.0.0.5401.0
The im utility is no longer used to upgrade software images.
Please use 'image2disk'. For help, use 'image2disk -h'.
You must always install to an image location that is not in
use.
Here is your current image-location status:
HD1.1 active yes default yes title BIG-IP 9.4.5 Build 1049.10
HD1.2 active no default no title BIG-IP 10.0.0 Build 5401.0
4. Install version 10 on the slot that is not currently active. See following steps.
Appendix B B-13
Version 10 Installation using image2disk

Image2disk has many parameters. You must specify the installation slot (instslot) and if the ISO is a
hotfix, you must include that parameter. Other parameters are optional.
The table below lists the common parameters. The general syntax is:
image2disk <parameters> /path/FileName.iso
Parameter Example Description
-- --instslot=HD1.1 Where to install the software. The slot
instslot=LOCATION cannot be the currently active slot.
--format=STYLE --format=volumes Version 9 does not support volumes.
--format=partitions Once the system is converted to volumes,
more than 2 images can be installed
simultaneously.
--hotfix --hotfix Used when the installation is a hotfix.
--nosaveconfig --nosaveconfig Whether to save and restore the current
configuration.
--nvlicenseok --nvlicenseok Allow installation even if the license is not
valid. Note that the installation will not
function until a valid license is obtained.
--setdefault --setdefault Change the default boot slot to the newly
installed image
--reboot --reboot Reboot after installation.
Assuming the system is currently booted to the image on slot HD1.1, the following command, run
from the /shared/images directory, would install a clean image of version 10 on slot 1.2, change the
default boot location to the new image, and reboot the system after installation.
image2disk --instslot=HD1.2 --nosaveconfig --setdefault --
reboot BIGIP-10.0.0.5401.0.iso
Assuming the system is currently booted to the image on slot HD1.1, the following command, run
from the /shared/images directory, would install a hotfix on the image in slot HD1.2, but leave the
current slot active.
image2disk --instslot=HD1.2 --hotfix Hotfix-BIGIP-10.0.0-
5460.HF1.iso
After any upgrade, you can confirm the installed versions by issuing the switchboot command.
Switchboot displays the version that is installed on each slot, shows which is the current default boot
slot, and allows you to change the default boot slot. The output shown below is of a system with
version 9.4.5 on slot 1.1 and version 10 with hotfix 1 on slot 1.2. Slot 1.1 is currently set as the
default boot slot.
B-14 Appendix B
Version 10 Management using the Configuration Utility

Version 10 also supports software version management through the Configuration Utility. This
includes importing ISO images, installing ISO images, changing the default boot partition, and
creating additional boot slots for systems that have been converted to the volume system.
The screen above shows the version of the current installations, the default boot image, and the
available images to install. The Import button would allow you to copy additional images from your
PC to the BIG-IP system.
The Hotfix List tab shows the list of Hotfixes on the system.
The Boot Locations tab shows the current default boot image but also allows you to change it.
The Volume Management tab shows the list of partitions or volumes (version 10 only). Once the
system is converted to volumes, additional volumes can be created.
Appendix B B-15
v10 Reload Steps

Note: The F5 Training lab environment does not support reload or re-install, so these steps
are listed for your reference only.
Download
1. Access the ISO and MD5 files per the instructor’s directions. Copy the files to the
/shared/images directory.
Verify the Download

1. Check the iso against the md5 file with the command
md5sum <filename> | diff -<filename.md5>
2. If they are not the same then download the file again.
Reboot and make other partition the active partition

1. Type switchboot and set the other partition as the default partition, then reboot.
Install
1. Install the iso with the command:
image2disk --instslot=HD1.x --nosaveconfig <filename>
Reboot and make other partition the active partition

1. Type switchboot and set the original partition as the default boot partition.
Verify Installation
1. After the system reboots, verify the version and note the hotfix.
b version
or tmsh> show /sys version and show /sys license
B-16 Appendix B
Appendix C
Appendix C: Additional Training from F5

Global Training Services
F5 offers extensive, expert training on F5 products for IT professionals. We help you achieve success
through career certifications while keeping you one step ahead of rapidly changing networking and
Internet technologies. Courses are presented in a hands-on lab format, combining theoretical content
with highly interactive exercises to help IT professionals experience real-world applications and
solutions. These services are delivered through F5 and F5-authorized training centers located around
the world.
Following is a list of available courses along with a brief description of each one:
BIG-IP LTM - ADVANCED TOPICS
Prerequisite: BIG-IP LTM Essentials
This two-day course builds on the foundation of the BIG-IP LTM Essentials course to give
networking professionals an in-depth understanding of the BIG-IP LTM system. It also covers less
commonly used but more powerful ways of using the many features of the BIG-IP LTM system.
In addition, significant time is spent using the command line tools to configure the BIG-IP LTM
system. This hands-on course includes lectures, labs and discussions. Students will learn about
command line functions, advanced configurations, and advanced troubleshooting.
ARCHITECTING BIG-IP INTO AN APPLICATION DELIVERY NETWORK
Prerequisite: BIG-IP LTM – Advanced Topics
This two-day course gives networking professionals an understanding of how to architect and
design BIG-IP devices into an application delivery network. The course builds on the foundation
of the BIG-IP Local Traffic Manager (LTM) Essentials and Advanced Topics courses,
demonstrating the next steps for implementing BIG-IP in a way that effectively delivers your
client applications. The labs for the course involve design exercises and group discussions. Based
on the knowledge gained in other BIG-IP LTM courses, you will work with other students to build
network designs that incorporate BIG-IP LTM to accomplish customer goals. The course will
cover many network design options, as well as best practices for given customer scenarios. The
course will also explore other design options available using BIG-IP Global Traffic Manager,
BIG-IP Link Controller, BIG-IP Application Security Manager, BIG-IP Message Security
Module, and BIG-IP WebAccelerator.
TROUBLESHOOTING BIG-IP LTM
Prerequisite: Participants should have passed the BIG-IP LTM Essentials certification test or successfully
completed the BIG-IP LTM Essentials course.
This two-day course gives networking professionals hands-on knowledge of how to troubleshoot a
BIG-IP LTM system using a number of troubleshooting techniques and troubleshooting and
system tools. This course includes lectures, labs, and discussions.
CONFIGURING BIG-IP WITH IRULES
Prerequisite: BIG-IP LTM Essentials
This three-day course gives networking professionals an understanding of how to configure a

BIG-IP system with iRules. The course builds on the foundation of the BIG-IP Local Traffic
Manager (LTM) Essentials course, demonstrating how to logically plan and write iRules to help
Appendix C
monitor and manage common tasks involved with processing traffic on the BIG-IP. Course Labs
consist of writing, applying and evaluating the effect of iRules on LTM traffic. This hands-on
course includes lectures, labs, and discussions.
BIG-IP GLOBAL TRAFFIC MANAGER
The BIG-IP Global Traffic Manager course is designed for networking professionals to renew
their understanding of DNS network systems and wide-area networks, master pre-installation
information gathering, and apply this information to the process of installing a GTM System.
Utilizing both simulated installation activities and hands-on exercises, participants gain real-time
experience setting up and configuring both primary and secondary GTM Systems, WAN systems,
integrating multiple GTM Systems, and migrating DNS systems to a GTM. Participants will also
gain knowledge of the essential GTM management interfaces that assist network managers. In
addition, this course covers configuring, monitoring and testing GTM Systems and networks, as
well as dynamic and static load balancing, and GTM report screens.
BIG-IP LINK CONTROLLER

BIG-IP Link Controller is a two-day course that provides network professionals an understanding
of how to define, monitor, and load balance bi-directional traffic flow between multiple links to
meet business performance and cost priorities.
Participants will gain knowledge of essential BIG-IP LTM features such as virtual servers, pools,
monitors and SNATs along with BIG-IP GTM features such as DNS, WideIPs, and Listeners and
how these integrate into the Link Controller System. This hands-on course includes lectures, labs
and discussions.
BIG-IP APPLICATION SECURITY MANAGER

This four-day course covers ways to manage Web-based and XML application attacks and the use
of Application Security Manager to defend against these attacks. The course covers installation,
configuration, management, security policy building, traffic learning, and implementation of
Application Security Manager in both stand-alone and modular configurations. This class includes
lectures, labs, demonstrations, and discussions.
BIG-IP WEBACCELERATOR
The WebAccelerator Module course is designed for customers running the WebAccelerator
Module on TMOS™ and is designed to help network professionals improve web site customer
experience. The course focuses on typical HTTP processes and how the WebAccelerator Module
can take advantage of those processes to decrease response time while ensuring data accuracy and
integrity.
Using lectures and hands-on exercises, participants gain real-time experience setting up and
configuring the necessary portions of the Local Traffic Manager (LTM) system as well as typical
WebAccelerator Module settings. From the LTM framework, these settings include pools, profiles
and virtual servers. In addition discussion and labs will focus on the WebAccelerator Module
framework, include editing standard policies to affect how the traffic is manipulated as it is
processed by the system. Participants will see how the changes improve the user experience
through tools such as HttpWatch.
CONFIGURING & ADMINISTERING ARX

This three-day course is designed to help students learn about the architecture, configuration,
administration and basic troubleshooting of the ARX product family. Students will learn to pre-
qualify storage to be virtualized, design namespaces for CIFS, NFS or multiprotocol
environments, configure file, age, and load balancing, etc. This hands-on course includes lectures,
labs, and discussions.
Appendix C
FIREPASS V6.X
This three-day course provides security and network professionals with a functional understanding
of the FirePass® Controller. The course includes installation, configuration, management and
troubleshooting on a FirePass system. Lectures, demonstrations, hands-on labs and discussions
will be incorporated.
For more details about course offerings, pricing, schedules, and registration, see the following web
site: http://www.f5.com/training-support/global-training/
Appendix C
Module 10DLab
Appendix - Module
– Redundant
10 Lab Pair
– Redundant Pair 10-1
D-1
Module 10 Labs – Setting up a Redundant Pair
the future when Redundant Pair is supported the lab steps will be similar to the following:
Redundant Pair Setup Lab

Lesson Objective:
During this lesson, you will learn how to setup a redundant pair of BIG-IP systems.
Setup utility
Configuring a pair of BIG-IP systems is very similar to configuring a single BIG-IP system. When
you choose “Redundant Pair” for the High Availability option in the setup utility, there are a few
additional parameters than must be set. You must set each system’s Unit ID, specify a partner
address, and set floating (shared) IP addresses for each VLAN.
Restoring BIG-IP #1 config from previous Lab

10. Click the Module10_Lab_begin.ucs archive and then click the Restore button. An Ok
button appears to acknowledge the restore has started. It will take a minute, but watch this
screen and you should see messages that your restore completed successfully. You might
receive one error message but that is ok and is due to the F5 Training Lab environment only.
10-2
D-2 Appendix D - Module 10 Lab – Redundant Pair
11. The configuration for BIG-IP #1 should be as if you had just finished all Module9 Labs.
Please verify this is the case. Your configuration should be licensed and include five Pools,
two iRules, five Virtual Servers, and Monitors assigned to some but not all Pool Members.
No Pool Members should be marked Offline (red) or Disabled (black). Finally, the vs_https
Virtual Server should have a Source Address Persistence Profile assigned.
Configuration of BIG-IP #1 and BIG-IP #2

BIG-IP #1 should now be configured like the diagram shown below and also have Virtual Servers,
Pools, Monitors and Profiles. On the next page we will configure BIG-IP #2 from a clean system.
BIG-IP Redundant Pair Configuration
Module 10DLab
Appendix - Module
– Redundant
10 Lab Pair
– Redundant Pair 10-3
D-3
Setup of BIG-IP #2 Lab

NOTE: The second system in your lab pair is licensed but not currently configured, run
the Setup Utility using the configuration options below.
Step System Y
Management Port IP address 192.168.1.xx
Management Port Netmask 255.255.255.0
Hostname bigip2.f5trn.com
High Availability Redundant Pair
Unit ID 2
root password default
admin password admin
SSH Access * All Addresses
VLAN Name on 1.2 Internal

Self IP Address 172.16.1.xx
Netmask 255.255.0.0
Port Lockdown Allow Default
Floating IP 172.16.1.33
Failover Peer IP 172.16.1.31
Port Association 1.2 Untagged
VLAN Name on 1.1 External

Self IP Address 10.10.1.xx
Netmask 255.255.0.0
Port Lockdown Allow 443 & 22
Default Route Leave Blank
Floating IP 10.10.1.33
Port Association 1.1 Untagged
Status of BIG-IP #1 and BIG-IP #2

Note: You may notice that both BIG-IP #1 and #2 are in an Active state. This is not a
desired state, but we will wait to resolve this in the next Module 11 Lab when we setup
Network Failover.
10-4
D-4 Appendix D - Module 10 Lab – Redundant Pair
Synchronization Lab
Synchronization should always be from the system’s whose configuration is desired. In our case, we
wish to Synchronize the BIG-IP #1 configuration to BIG-IP #2 since it has no configuration.
BIG-IP #2 configuration before Synchronization

At this point, the BIG-IP #2 should have a base configuration set with passwords, VLANs and Self
IPs. Verify the Self IPs (Network / Self IPs) for BIG-IP #2 are set to 10.10.1.xx, 10.10.1.33,
172.16.1.xx and 172.16.1.33.
Synchronizing Configuration from BIG-IP #1 to #2

1. Open a browser to https://192.168.1.245. (BIG-IP #1)
2. From the Navigation pane of the active system, expand the System section.
3. Either select High Availability and then the ConfigSync tab or use the flyout menus to
expand High Availability Æ ConfigSync and click ConfigSync.
4. Click the Synchronize TO Peer button for a push operation to BIG-IP #2.
5. At the Synchronize this BIG-IP LTM to its failover partner prompt, click OK.
The synchronization process takes 15-60 seconds.
6. Verify your configuration was copied to the second System.

At this point, the BIG-IP #1 and #2 system configurations should be similar. Verify that
BIG-IP #2 has the same Virtual Servers, Pools, Profiles, Monitors and iRules as BIG-IP
#1. The License, Hostname and Self IPs (Network / Self IPs) should be different.
If the Self IPs are the same for both systems, verify the following:
• The hostnames (System / Platform) should be different (bigip1… and bigip2)
If BIG-IP #2 does not have Virtual Servers from BIG-IP #1, verify the following:
• Were there errors during Synchronization? (System / Logs / System)
• Did you Synchronize the wrong way? (from BIG-IP #2 to #1)
Appendix D - Module 11 Lab – High Availability D-5
Module 11 Labs – High Availability
Restoring BIG-IP #1 from previous Lab

10. Click the Module11_Lab_BIGIP1.ucs archive and then click the Restore button. An Ok
11. Your configuration should be as if you had just finished all Module 10 labs. Please verify
this is the case. BIG-IP #1 should be licensed and include six Pools, two iRules, six Virtual
Servers, and Monitors assigned to some but not all Pool Members. No Pool Members should
be marked Offline (red) or Disabled (black). It should have a hostname of bigip1.f5trn.com
and Self IPs (Network / Self IPs) of 10.10.1.31, 10.10.1.33, 172.16.1.31 and 172.16.1.33.
Restoring BIG-IP #2 from previous Lab

1. After connecting to F5 Training Lab, open a browser to https://192.168.1.XX.
D-6 Appendix D - Module 11 Lab – High Availability
10. Click the Module11_Lab_BIGIP2.ucs archive and then click the Restore button. An Ok
11. Your configuration should be as if you had just finished all Module10 Labs. Please verify
this is the case. BIG-IP #2 should be licensed and include six Pools, two iRules, six Virtual
Servers, and Monitors assigned to some but not all Pool Members. No Pool Members should
be marked Offline (red) or Disabled (black). It should have a hostname of bigip2.f5trn.com
and Self IPs (Network / Self IPs) of 10.10.1.XX, 10.10.1.33, 172.16.1.XX and 172.16.1.33.
Network Failover Lab
Objectives:
During this lab, you will configure network failover.
Determining State Prior to Configuration

1. Open an SSH session to each system, 10.10.1.31 and 10.10.1.XX. Press Enter to update the
prompt repeatedly. Note that both systems are in Active state because we haven’t configured
Network Failover yet.
Note: The F5 Training Lab environment does not support the failover cable.
Network Failover Configuration and Testing

1. This feature is not synchronized, so you must configure each system separately.
2. Navigate to System / High Availability / Network Failover.
3. On BIG-IP #1, Enter the following in the Configuration section:
Network Failover Check the box
Peer Management Address 192.168.1.XX
Configuration Identifier: peer_bigip2
Local Address: Self IP address 172.16.1.31
Unicast
Remote Address: 172.16.1.XX
Port: Blank (defaults to 1026)
Multicast Leave Blank
2. On BIG-IP #2, Enter the following in the Configuration section:

Network Failover Check the box
Peer Management Address 192.168.1.245
Configuration Identifier: peer_bigip1
Local Address: Self IP address 172.16.1.XX
Unicast
Remote Address: 172.16.1.31
Port: Blank (defaults to 1026)
Multicast Leave Blank
4. When both systems have been set, note that the systems change to active-standby mode.
BIG-IP #2 should be the one to fallback to standby state because it is unit 2.
5. Remove the Ethernet cable used for the VLAN of the self IP addresses used for network
failover addresses. In the course labs, this should be for port 1.2.
6. Alternate method for remote classes: disable the 1.2 interface.
a. Configuration Utility: Networks / Interfaces / Check the box next to interface 1.2 and
click Disable.
b. Command Line: b interface 1.2 disable.
7. How quickly did the standby system assume the active role also?
8. Note that both systems are in active mode; both are trying to service all virtual servers, NATs
and SNATs.
9. Replace the Ethernet cable and note that Unit 2 reverts to standby mode. How quickly did it
revert to standby?
10. Alternate method for remote classes: enable the 1.2 interface.
a. Configuration Utility: Networks / Interfaces / Check the box next to interface 1.2 and
click Enable.
b. Command Line: b interface 1.2 enable.
Failover Triggers Labs
Objective:
During this lab, you will learn how to configure automatic the VLAN Failsafe trigger.
VLAN Failsafe Lab

Enabling VLAN Failsafe
1. Navigate to System / High Availability / Fail-safe / VLANs and click Add.
2. In the Configuration section, select values for the following parameters:
VLAN Internal
Timeout 30 seconds
Action Failover

4. Configure the partner system as well; this setting is not synchronized.
5. On the active system, disconnect the Ethernet cable associated with the internal VLAN.
6. Alternate method for remote classes: disable the 1.2 interface.
a. Configuration Utility: Networks / Interfaces / Check the box next to interface 1.2
and click Disable.
b. Command Line: b interface 1.2 disable.
7. Watch both systems to view when the state change occurs. When the active system fails
over, the standby system will go active almost immediately.
a. Configuration Utility: Refresh the page repeatedly.
b. Command Line: press in the Enter Key repeatedly.
c. Physical Box: View the STATUS light (Green – Active / Amber Standby).
8. Reconnect the Ethernet Cable.
9. Alternate method for remote classes: enable the 1.2 interface.
a. Configuration Utility: Networks / Interfaces / Check the box next to interface 1.2
and click Enable.
b. Command Line: b interface 1.2 enable.
10. Disable VLAN Failsafe on both systems before next lab.
Connection Mirroring Lab
Objective:
During this lesson, you will learn how to configure connection mirroring.
Lab Requirements:
Establish an SSH Connection to the virtual server. You must have a virtual server configured for port
22 and a pool of SSH servers assigned to that virtual server.
Behavior Prior to Configuring Connection Mirroring
Establish an SSH session

1. Using an SSH client, such as Putty, open an SSH session to: 10.10.1.100:22.
2. Login as student / student.
3. Test your connection by typing ls <enter> or similar command.
Perform Failover
1. Force the Active system to standby (System / High Availability / Force to Standby).
2. Notice that the SSH connection has been lost.
Configuring Connection Mirroring and Testing Subsequent Behavior
Configuring Connection mirroring and Synchronize the configuration

1. From the same system’s Navigation Pane, click Local Traffic / Virtual Servers and select
the SSH virtual server.
2. Select Advanced from the Configuration menu.
3. Check the Connection Mirroring checkbox.
4. Click Update to set changes.
5. Synchronize from the same system (System / High Availability / ConfigSync) and click the
Synchronize TO Peer button.
6. Click OK when prompted.
Establish SSH connection again and Failover again

1. Using an SSH client such as Putty open an SSH session to: 10.10.1.100:22.
2. Login as student / student.
3. Test your connection by typing ls <enter> or similar command.
4. Force the Active system to standby. (System / High Availability / Force to Standby).
5. Test your connection by typing ls <enter> or similar command. Note the connection is
maintained.
Persistence Mirroring Lab
Objective:
During this lesson, you will learn how to activate persistence mirroring for a pool where simple
persistence in enabled.
Lab Requirements:
You must have a virtual server and pool appropriate for persistence other than cookie persistence.
Behavior Prior to Configuring Persistence Mirroring
Configure Persistence, Establish an https session

1. From the Navigation Pane, expand the Local Traffic section.
2. Select Virtual Servers and the virtual server vs_https.
3. Select the Resources tab, and ensure that Pr_Src_Persist is still listed as the Default
Persistence Profile.
4. Synchronize from the same system (System / High Availability / ConfigSync / Synchronize
TO Peer).
5. Open a browser session to: https://10.10.1.100.
6. Ensure your session persists by hitting the F5 key several times.
View the Persistence Record

1. View the persistence records on both systems.
a. From the Configuration Utility, Navigate to Overview / Statistics. In the Display
Options section, choose Persistence Records.
b. From the Command Line, enter: b persist all show all
2. On the active system, you should see a record. On the standby, you should not.
3. Re-enter this command several times and notice the Age of the record changes.
4. Let the Age count up to 30 seconds and then re-enter the command again. What happened to
the persistence record?
5. Refresh the https://10.10.1.100 browser session again and then re-enter the command again.
Did the Age count start over?
Perform Failover
1. Force the Active system to standby. (System / High Availability / Redundancy / Force to
Standby).
2. Refresh the session to https://10.10.1.100. While there is some chance the same node may
be chosen, the https session does not persist to the same server. If it does seem to persist to
the same node, failover again and test. You may need to refresh by pressing Ctrl-F5 to ensure
the browser does not simply display its cache.
Configuring Persistence Mirroring and Testing Subsequent Behavior
Configuring Persistence Mirroring and Synchronizing the configuration

1. From the Navigation Pane, select Local Traffic menu, Profiles option, Persistence tab, and
then click the Pr_Src_Persist profile.
2. Check the Custom box for Mirror Persistence, check Enabled, and then click Update.
3. Synchronize from the same system (System / High Availability / ConfigSync / Synchronize
to Peer).
4. Make sure to check that the Mirror Persistence option was set on the other System for the
Pr_Src_Persist profile.
Re-establish the https session, failover and retest

1. Open a browser session to https://10.10.1.100.
2. Ensure your session persists by pressing the CTL-F5 several times.
3. Force the Active system to standby. (System / High Availability / Redundancy / Force to
Standby).
4. Refresh the browser session to https://10.10.1.100. Notice that the https session does persist
to the same server.
5. View the persistence records on both systems.
a. From the Configuration Utility, Navigate to Overview / Statistics. In the Display
Options section, choose Persistence Records.
b. From the Command Line, enter: b persist all show all
6. You should see a persistence record on both systems.
7. Re-enter this command several times and notice the Age of the record for each system. Does
the Age remain the same on both Systems?
8. Refresh the https://10.10.1.100 browser session again and then re-enter the command again.
Explain the Age count on each system?

F5 Networks Training BIG IP LTM V10 Essentials

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

F5 Networks Training BIG IP LTM V10 Essentials

Загружено:

Авторское право:

Доступные форматы

F5 Networks Training

Web-Based Training Lab Guide

BIG-IP® LTM V10 Essentials

First Printing February 2010

© 2010, F5 Networks, Inc. All rights reserved.

Support and Contact Information

F5 Networks, Inc. F5 Networks, Ltd. F5 Networks, Inc. F5 Networks, Inc.

Export Regulation Notice

Canadian Regulatory Compliance

Lab Instructions: .........................................................................................................Lab-1

Lab 1: Initial Setup ........................................................................................................1-5

Lab 2: Traffic Processing .............................................................................................2-13

Lab 3: Load Balancing .................................................................................................3-19

Lab 4: Monitors .............................................................................................................4-23

Lab 5: Profiles ...............................................................................................................5-31

Lab 6: Persistence ........................................................................................................6-33

Lab 7: SSL Termination................................................................................................7-41

Lab 8: NATs and SNATs .............................................................................................. 8-45

Lab 9: iRules ................................................................................................................. 9-49

Configuration Lab Project ............................................................................................ LP-57

Appendix A – F5 Networks Products .......................................................................... A-1

Appendix B – Additional Topics .................................................................................. B-1

Appendix C – Other F5 Networks Training Courses .................................................. C-1

We hope you enjoy learning with these lab exercises!

Connecting to the F5 Training Lab Environment

1. After logging in to F5 University, select the link for F5

5. When ready to leave the F5 Training Lab environment,

The F5 Training Lab Network

F5 Training Lab limitations

Module 1 Lab – Initial Setup and Access

Initial Setup Labs

Setup Utility Lab

Current BIG-IP Settings

Access the BIG-IP LTM System

Internal Network Settings

Internal VLAN Configuration

External Network Settings

External VLAN Configuration

6. Then click Finished.

Configuration Utility Lab

The Web Configuration Utility

Command Line access (SSH)

What information is listed here?

Verifying User Access

Configuration Backup Lab

4. When complete, click Finished.

Module 2 Lab – Processing Traffic

Restoring a Configuration from previous Lab

Creating an HTTP Pool and Virtual Server Lab

4. In the Resources section, enter the following:

5. When complete, click Finished.

Create a Virtual Server that uses this pool

6. When complete, click Finished.

Verification through Statistics

Expected Results and Troubleshooting

Creating an HTTPS Virtual Server and Pool Lab

7. In the Resources section, enter the following:

8. When the pool is complete, press Finished.

Verification through Statistics

Statistics using the Command Line

Expected Results and Troubleshooting

 Does 10.10.1.100 appear in your workstation’s ARP table? You may

Network Map Lab

Module 3 Lab – Load Balancing

Does 10.10.1.100 appear in your workstation’s ARP table? You may