BIG-IP® Local Traffic Manager™: Implementations
Version 10.1
MAN-0293-01


Product Version
This manual applies to version 10.1 of the BIG-IP product family.

Publication Date
This guide was published on December 14, 2009.

Legal Notices

Copyright
Copyright 2009, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Access Policy Manager, APM, Acopia, Acopia Networks, Application Accelerator, Ask F5, Application Security Manager, ASM, ARX, Data Guard, Enterprise Manager, EM, FirePass, FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, Internet Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, SSL Accelerator, SYN Check, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WAN Optimization Module, WOM, WANJet, WebAccelerator, WA, and ZoneRunner are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

Patents
This product is protected by U.S. Patents 6,374,300; 6,473,802; 6,970,933; 7,051,126; 7,102,996; 7,146,354; 7,197,661; 7,206,282; 7,287,084. Other patents pending.

Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance
This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

Acknowledgments
This product includes software developed by Bill Paul.
This product includes software developed by Jonathan Stone.
This product includes software developed by Manuel Bouyer.
This product includes software developed by Paul Richards.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by the Politecnico di Torino, and its contributors.
This product includes software developed by the Swedish Institute of Computer Science and its contributors.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.
This product includes software developed by Balazs Scheidler, which is protected under the GNU Public License.
This product includes software developed by Niels Mueller, which is protected under the GNU Public License.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems. "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).
This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).
This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com.
This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young ([email protected]).
This product contains software based on oprofile, which is protected under the GNU Public License.
This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.
This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).
This product includes software developed by the Apache Software Foundation.
This product includes Hypersonic SQL.
This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.
This product includes software developed by the Internet Software Consortium.
This product includes software developed by Nominum, Inc. (http://www.nominum.com).
This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.
This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.
This product includes the GeoPoint Database developed by Quova, Inc. and its contributors.


Table of Contents


1  Introducing Implementations for BIG-IP Local Traffic Manager
    Introducing BIG-IP system implementations ..... 1-1
        Getting started ..... 1-1
        Using the Configuration utility ..... 1-1
    About this guide ..... 1-2
        Additional information ..... 1-2
        Stylistic conventions ..... 1-3
    Finding help and technical support resources ..... 1-5

2  Configuring nPath Routing
    Introducing nPath routing ..... 2-1
    Configuring nPath routing ..... 2-2
        Creating a custom Fast L4 profile ..... 2-3
        Creating a server pool for nPath routing ..... 2-4
        Creating a virtual server ..... 2-4
        Configuring the virtual server on the content server loopback interface ..... 2-5
        Setting the route for inbound traffic ..... 2-5
        Enabling the connection.autolasthop bigdb key ..... 2-5
    Setting timers for nPath configurations ..... 2-6
        Guidelines for configuring timeouts for UDP traffic ..... 2-6
        Guidelines for configuring timeouts for TCP traffic ..... 2-6

3  Basic Web Site and E-Commerce Configuration
    Working with a basic web site and e-commerce configuration ..... 3-1
    Configuring a basic e-commerce site ..... 3-2
        Creating load balancing pools ..... 3-2
        Creating virtual servers ..... 3-3

4  Installing a BIG-IP System without Changing the IP Network
    Installing a BIG-IP system without changing IP networks ..... 4-1
    Configuring the BIG-IP system for the same IP network ..... 4-3
        Removing the self IP addresses from the individual VLANs ..... 4-3
        Creating a VLAN group ..... 4-4
        Creating a self IP address for the VLAN group ..... 4-5
        Creating a pool of web servers ..... 4-5
        Creating a virtual server ..... 4-6

5  Web Hosting for Multiple Customers
    Introducing multiple customer hosting ..... 5-1
    Hosting multiple customers using an external switch ..... 5-2
        Creating VLANs with tagged interfaces ..... 5-2
        Creating load balancing pools ..... 5-3
        Creating virtual servers ..... 5-3
    Directly hosting multiple customers ..... 5-5
        Creating VLANs with untagged interfaces ..... 5-6

6  Web Hosting for Multiple Customers Using Route Domains
    Introduction ..... 6-1
    Prerequisite information ..... 6-1
    Implementing route domains ..... 6-2
    Sample route domain implementation ..... 6-6
    For more information ..... 6-8

7  A Simple Intranet Configuration
    Working with a simple intranet configuration ..... 7-1
    Creating the simple intranet configuration ..... 7-2
        Creating pools ..... 7-2
        Creating virtual servers ..... 7-3

8  Load Balancing ISPs
    Introducing ISP load balancing ..... 8-1
    Configuring ISP load balancing ..... 8-2
        Creating pools for an additional Internet connection ..... 8-2
        Creating virtual servers for an additional Internet connection ..... 8-3
    Configuring address translation for outbound traffic ..... 8-5

9  Load Balancing HTTP Traffic with Source Address Affinity Persistence
    Introducing basic HTTP load balancing ..... 9-1
    Configuring HTTP load balancing with source address affinity persistence ..... 9-2
        Creating a pool ..... 9-2
        Creating a virtual server ..... 9-3

10  Load Balancing HTTP Traffic with Cookie Persistence
    Introducing basic HTTP load balancing ..... 10-1
    Configuring HTTP load balancing with cookie persistence ..... 10-2
        Creating a custom persistence profile ..... 10-2
        Creating a pool ..... 10-3
        Creating a virtual server ..... 10-3

11  Compressing HTTP Responses
    Introducing HTTP data compression ..... 11-1
    Creating a custom HTTP profile ..... 11-2
    Creating a virtual server ..... 11-3

12  Configuring HTTPS Load Balancing
    Introducing HTTPS load balancing ..... 12-1
    Creating an SSL key and certificate ..... 12-2
    Creating a custom SSL profile ..... 12-4
    Creating a pool ..... 12-6
    Creating a virtual server ..... 12-7

13  Configuring HTTPS Load Balancing with Data Compression
    Introducing HTTPS load balancing with compression ..... 13-1
    Creating an SSL key and certificate ..... 13-2
    Creating a custom Client SSL profile ..... 13-4
    Creating a custom HTTP profile for compression ..... 13-5
    Creating a pool ..... 13-7
    Creating a virtual server ..... 13-8

14  Using RAM Cache for HTTP Traffic
    Introducing HTTP RAM Cache ..... 14-1
    Creating a custom HTTP profile ..... 14-2
    Creating a virtual server ..... 14-3

15  Load Balancing Passive Mode FTP Traffic
    Introducing FTP load balancing ..... 15-1
    Creating a custom FTP monitor ..... 15-2
    Creating a pool ..... 15-3
    Creating a virtual server ..... 15-4

16  Load Balancing Passive Mode FTP Traffic with Rate Shaping
    Introducing FTP load balancing with rate shaping ..... 16-1
    Creating a custom FTP monitor ..... 16-2
    Creating a pool ..... 16-3
    Creating a rate class ..... 16-4
    Creating a virtual server ..... 16-5

17  Setting up a One-IP Network Topology
    Introducing the one-IP network topology ..... 17-1
    Creating a pool for a one-IP network topology ..... 17-2
    Creating a virtual server ..... 17-3
    Defining a default route ..... 17-4
    Configuring a client SNAT ..... 17-5

18  Using Link Aggregation with Tagged VLANs
    Introducing link aggregation with tagged VLAN interfaces ..... 18-1
    Using the two-network aggregated tagged interface topology ..... 18-2
        Aggregating the links ..... 18-3
        Assigning a trunk to the VLANs ..... 18-3
        Creating a pool of web servers to load balance ..... 18-4
        Creating a virtual server to load balance the web servers ..... 18-5
    Using the one-network aggregated tagged interface topology ..... 18-6
        Removing the self IP addresses from the VLANs ..... 18-7
        Creating a VLAN group ..... 18-7
        Creating a self IP for the VLAN group ..... 18-8

19  Setting Up Packet Filtering
    Introducing packet filtering ..... 19-1
    Configuring packet filtering ..... 19-2
        Creating a SNAT ..... 19-2
        Creating a gateway pool ..... 19-2
        Creating a forwarding virtual server ..... 19-3
        Creating a packet filter rule ..... 19-4

20  Implementing Health and Performance Monitors
    Introducing health and performance monitors ..... 20-1
    Creating a custom monitor ..... 20-3
    Creating a pool ..... 20-4
        Assigning a monitor to a pool ..... 20-4
        Excluding a pool member from a monitor ..... 20-5
    Creating a virtual server ..... 20-6

21  Load Balancing Traffic to IPv6 Nodes
    Configuring the radvd service ..... 21-1
    Configuring IPv4-to-IPv6 load balancing ..... 21-2
        Creating a pool of IPv6 nodes ..... 21-2
        Creating a virtual server ..... 21-3

22  Mitigating Denial of Service and Other Attacks
    Basic denial of service security overview ..... 22-1
    Configuring adaptive connection reaping ..... 22-2
        Logging adaptive reaper activity ..... 22-3
    Simple DoS prevention configuration ..... 22-4
        Setting the TCP and UDP connection timers ..... 22-4
        Creating an IP rate class and applying it to a virtual server ..... 22-5
        Setting connection limits on the main virtual server ..... 22-6
    Filtering out attacks with iRules ..... 22-7
        Filtering out a Code Red attack ..... 22-7
        Filtering out a Nimda attack ..... 22-7
    How the BIG-IP system handles several common attacks ..... 22-8
        SYN flood ..... 22-8
        ICMP flood (Smurf) ..... 22-9
        UDP flood ..... 22-9
        UDP fragment ..... 22-10
        Ping of Death ..... 22-10
        Land attack ..... 22-10
        Teardrop ..... 22-11
        Data attacks ..... 22-11
        WinNuke ..... 22-11
        Sub 7 ..... 22-11
        Back Orifice ..... 22-12

23  Configuring Administrative Partitions to Control User Access
    Introducing administrative partitions ..... 23-1
    Creating a partition ..... 23-2
    Configuring user access to a partition ..... 23-3
    Viewing, managing, and creating objects in a partition ..... 23-4
        Viewing and managing system objects ..... 23-4
        Creating BIG-IP system objects ..... 23-5

24  Configuring Remote Authentication and Authorization for Administrative Traffic
    Introducing remote authentication and authorization for BIG-IP system user accounts ..... 24-1
    Configuring the BIG-IP system to use remote authentication of user accounts ..... 24-2
    Configuring access control for BIG-IP system users ..... 24-6
        Understanding the remoterole command ..... 24-7
        Using the remoterole command ..... 24-7
        Using variable substitution ..... 24-8
    Propagating remote authentication and authorization data to multiple BIG-IP devices ..... 24-11

    25Configuring Remote Authentication for Application Traffic

    Introducing remote authentication for application traffic .................................................. 25-1Configuring authentication that uses a remote LDAP or Active Directory server ..... 25-2

    Creating an LDAP configuration object ........................................................................ 25-2Creating an LDAP authentication profile ...................................................................... 25-6Modifying a virtual server for LDAP authentication ................................................... 25-6

    Configuring authentication that uses a remote RADIUS server ....................................... 25-8Creating a RADIUS server object ................................................................................... 25-8Creating a RADIUS configuration object ...................................................................... 25-9Creating a RADIUS profile ............................................................................................. 25-10Modifying a virtual server for RADIUS authentication ............................................ 25-10

    Configuring authentication that uses a remote TACACS+ server ................................ 25-12Creating a TACACS+ configuration object ................................................................ 25-12Creating a TACACS+ profile ......................................................................................... 25-13Modifying a virtual server for TACACS+ authentication ........................................ 25-14BIG-IP Local Traffic Manager: Implementations xi

  • Table of Contents

    Configuring SSL-based authorization using a remote LDAP server ............................... 25-15Creating an SSL CLient Certificate LDAP configuration object ............................ 25-15Creating an SSL Client Certificate LDAP authentication profile ........................... 25-16Modifying a virtual server for SSL Client Certificate LDAP authorization .......... 25-17

    Configuring SSL certificate revocation using an OCSP responder ................................. 25-18Creating an SSL OCSP responder object ................................................................... 25-18Creating an SSL OCSP configuration object .............................................................. 25-19Creating an SSL OCSP profile ....................................................................................... 25-19Modifying a virtual server for SSL OCSP authentication ......................................... 25-20

    Configuring a CRLDP authentication module ..................................................................... 25-21
        Creating a CRLDP server object .................................................................................. 25-21
        Creating a CRLDP configuration object ...................................................................... 25-22
        Creating a CRLDP profile ............................................................................................... 25-23
        Modifying a virtual server for CRLDP authentication .............................................. 25-24

    26 Configuring Kerberos Delegation

    Introducing Kerberos delegation infrastructure ................................................................... 26-1
    Configuring the BIG-IP system for Kerberos delegation .................................................... 26-2

        Adding a DNS server to the BIG-IP system ................................................................. 26-2
        Joining the BIG-IP system to the trusted domain ........................................................ 26-3

    Creating the Kerberos delegation configuration .................................................................. 26-4
        Configuring Kerberos delegation using the Configuration utility ............................ 26-4
        Configuring Kerberos delegation from the command line ....................................... 26-7

    Authenticating Client Traffic ..................................................................................................... 26-9

    27 Configuring Multiple Authentication Servers

    Introducing multiple authentication server configuration .................................................. 27-1
    Meeting prerequisites .................................................................................................................. 27-2
    Configuring BIG-IP system objects .......................................................................................... 27-2

    28 Load Balancing Diameter Application Requests

    Introducing Diameter load balancing ....................................................................................... 28-1
    Creating a custom Diameter profile ........................................................................................ 28-2
    Creating a custom Diameter monitor .................................................................................... 28-2
    Creating a Diameter load balancing pool ............................................................................... 28-3
    Creating a virtual server for Diameter traffic ....................................................................... 28-3

    Glossary

    Index

  • 1 Introducing Implementations for BIG-IP Local Traffic Manager

    Introducing BIG-IP system implementations

    About this guide

    Finding help and technical support resources

  • Introducing Implementations for BIG-IP Local Traffic Manager

    Introducing BIG-IP system implementations

    In a typical configuration, the BIG-IP system functions as a device on the network, directing different types of protocol and application traffic to an appropriate destination server. The system accomplishes this by forwarding the traffic to a load balancing server pool, sending the traffic directly to a specific server node, or sending it to a next-hop router or a pool of routers. The most basic configuration of the BIG-IP system includes two virtual local area networks (VLANs) with one or more BIG-IP interfaces (ports) assigned to each VLAN. Using the BIG-IP system's browser-based Configuration utility, you can implement many configuration scenarios simply by using the default VLAN configuration, and then creating Local Traffic Manager objects such as a customized virtual server, traffic profile, and load balancing pool.

    Note

    BIG-IP Local Traffic Manager is one of several products that constitute the BIG-IP product family. All products in the BIG-IP product family run on the powerful Traffic Management Operating System, commonly referred to as TMOS. For an overview of the complete BIG-IP product offering, see the introductory chapter of the TMOS Management Guide for BIG-IP Systems.

    Getting started

    Before you begin implementing a solution in this guide, we recommend that you familiarize yourself with additional resources such as other BIG-IP system guides and online help, and review the stylistic conventions that appear in this chapter. For more information, see About this guide, on page 1-2.

    Then, we recommend that you run the Setup utility on the BIG-IP system to configure basic network elements such as static and floating self IP addresses, interfaces, and VLANs. After running the Setup utility, you can use this guide to implement specific configuration scenarios. For information on running the Setup utility, see BIG-IP Systems: Getting Started Guide.

    Using the Configuration utility

    After running the Setup utility, you use the Configuration utility to perform the additional configuration steps necessary for your implementation. For information on using the Configuration utility, see BIG-IP Systems: Getting Started Guide.

    For a list of browser versions that the Configuration utility supports, see the release notes for this product on the Ask F5 web site, http://support.f5.com.

  • Chapter 1

    About this guide

    The chapters contained in this guide provide step-by-step procedures for implementing complete traffic management solutions using the Configuration utility. For example, Chapter 3, Basic Web Site and E-Commerce Configuration, describes how to configure the BIG-IP system objects that you need to set up an array of web servers that process e-commerce traffic.

    Additional information

    In addition to this guide, there are other sources of documentation you can use in order to work with the BIG-IP system. The following guides are available in PDF format from the Ask F5 web site, http://support.f5.com:

    BIG-IP Systems: Getting Started Guide
    This guide provides detailed information about licensing and provisioning the BIG-IP system, as well as installing upgrades. The guide also provides a brief introduction to the features of the BIG-IP system and the tools for configuring the system.

    TMOS Management Guide for BIG-IP Systems
    This guide contains any information you need to configure and maintain the network and system-related components of the BIG-IP system, such as routes, VLANs, and user accounts.

    Configuration Guide for BIG-IP Local Traffic Manager
    This guide contains any information you need for configuring specific features of the BIG-IP system to manage local network traffic.

    BIG-IP Application Security Manager: Getting Started Guide
    This guide describes how to set up BIG-IP Application Security Manager to configure security policies.

    Configuration Guide for BIG-IP Protocol Security Module
    This guide provides the procedures for configuring BIG-IP Protocol Security Module.

    Configuration Guide for the BIG-IP WebAccelerator System
    This guide describes the core BIG-IP WebAccelerator concepts and provides the procedures for configuring and monitoring the WebAccelerator system.

    Bigpipe Utility Reference Guide
    This guide contains information about using the bigpipe utility commands to manage the BIG-IP system.

    Traffic Management Shell (tmsh) Reference Guide
    This guide contains information about using the Traffic Management Shell (tmsh) commands to manage the BIG-IP system.


    Stylistic conventions

    To help you easily identify and understand important information, all of our documentation uses the stylistic conventions described here.

    Using the examples
    All examples in this document use only private class IP addresses. When you set up the implementations we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.

    Identifying new terms
    To help you identify sections where a term is defined, the term itself is shown in bold italic text. For example, a floating IP address is an IP address assigned to a VLAN and shared between two computer systems.

    Identifying references to products
    We refer to all products in the BIG-IP product family as BIG-IP systems. We refer to the software modules by their name; for example, we refer to the Local Traffic Manager module as simply the Local Traffic Manager. If configuration information relates to a specific hardware platform, we note the platform.

    Identifying references to objects, names, and commands
    We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands, such as variables and keywords. For example, with the bigpipe self show command, you can specify a specific self IP address to show by specifying an IP address for the variable.

    Identifying references to other documents
    We use italic text to denote a reference to another document or section of a document. We use bold, italic text to denote a reference to a book title. For example, for installation instructions, see the guide titled BIG-IP Systems: Getting Started Guide.

    Identifying command syntax
    We show complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen.


    For example, the following command shows the configuration of the specified pool name:

    bigpipe self show

    or

    b self show

    Table 1.1 explains additional special conventions used in command line syntax.

    Item in text   Description
    ------------   ------------------------------------------------------------------------
    \              Indicates that the command continues on the following line, and that users
                   should type the entire command without typing a line break.
    < >            Identifies a user-defined parameter. For example, if the command has , type
                   in your name, but do not include the brackets.
    |              Separates parts of a command.
    []             Indicates that syntax inside the brackets is optional.
    ...            Indicates that you can type a series of items.

    Table 1.1 Command line syntax conventions


    Finding help and technical support resources

    You can find additional technical documentation and product information in the following locations:

    Online help for local traffic management
    The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help for a screen.

    Welcome screen in the Configuration utility
    The Welcome screen in the Configuration utility contains links to many useful web sites and resources, including:
      • The F5 Networks Technical Support web site
      • The F5 Solution Center
      • The F5 DevCentral web site
      • Plug-ins, SNMP MIBs, and SSH clients

    F5 Networks Technical Support web site
    The F5 Networks Technical Support web site, http://support.f5.com, provides the latest documentation for the product, including:
      • Release notes for the BIG-IP system, current and past
      • Updates for guides (in PDF form)
      • Technical notes
      • Answers to frequently asked questions
      • The Ask F5 Knowledge Base

    To access this site, you need to register at http://support.f5.com.


  • 2 Configuring nPath Routing

    Introducing nPath routing

    Configuring nPath routing

    Setting timers for nPath configurations

  • Configuring nPath Routing

    Introducing nPath routing

    With the nPath routing configuration, you can route outgoing server traffic around the BIG-IP system directly to an outbound router. This method of traffic management increases outbound throughput because packets do not need to be transmitted to the BIG-IP system for translation and forwarding to the next hop. Figure 2.1 shows an nPath configuration.

    Figure 2.1 An example of nPath implementation

    Note

    The type of virtual server that processes the incoming traffic must be a transparent, non-translating type of virtual server.

    In bypassing the BIG-IP system on the return path, nPath routing departs significantly from a typical load-balancing configuration. In a typical load-balancing configuration, the destination address of the incoming packet is translated from that of the virtual server to that of the server being load balanced to, which then becomes the source address of the returning packet. A default route set to the BIG-IP system then sees to it that packets returning to the originating client return through the BIG-IP system, which translates the source address back to that of the virtual server. The nPath configuration differs from the typical load-balancing configuration, as you can see in the following section.

    Note

    Do not attempt to use nPath routing for Layer 7 traffic. Certain traffic features do not work properly if Layer 7 traffic bypasses the BIG-IP system on the return path. An example of such a feature is HTTP response compression.

    Configuring nPath routing

    The nPath routing configuration differs from the typical BIG-IP load balancing configuration in the following ways:

    • The default route on the content servers must be set to the router's internal address (10.1.1.1 in Figure 2.1, on page 2-1) rather than to the BIG-IP system's floating self IP address (10.1.1.10). This causes the return packet to bypass the BIG-IP system.

    • If you plan to use an nPath configuration for TCP traffic, you must create a Fast L4 profile with the following custom settings:
      • Enable the Loose Close setting. When you enable the Loose Close setting, the TCP protocol flow expires more quickly, once a TCP FIN packet is seen. (A FIN packet indicates the tearing down of a previous connection.)
      • Set the TCP Close Timeout setting to the same value as the profile idle timeout if you expect half closes. If not, you can set this value to 5 seconds.

    • Because address translation and port translation have been turned off, when the incoming packet arrives at the pool member it is load balanced to, it is addressed to the virtual server address (176.16.1.1 in Figure 2.1, on page 2-1), not to the address of the server. For the server to respond to that address, that address must be configured on the loopback interface of the server and configured for use with the server software.

    You need to complete the following tasks to configure the BIG-IP system to use nPath routing:
      • Create a custom Fast L4 profile.
      • Create a pool that contains the content servers.
      • Define a virtual server with port and address translation disabled and assign the custom Fast L4 profile to it.
      • Configure the virtual server address on each server loopback interface.
      • Set the default route on your servers to the router's internal IP address.
      • Ensure that the bigdb configuration key connection.autolasthop is enabled. Alternatively, on each content server, you can add a return route to the client.

    For more information about these tasks, click the Help tab in the Configuration utility, or see the Configuration Guide for BIG-IP Local Traffic Manager.
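    As an added illustration of the packet flow that the tasks above set up (example code, not F5's; 176.16.1.1, 10.1.1.1 and 10.1.1.10 are the Figure 2.1 addresses, while the client and content server addresses are constructed), this Python simulation shows why the virtual server address must sit on each server's loopback and why address translation must be off: a server replies from the address the request was sent to, and the client accepts a reply only if it comes from the virtual server.

```python
from dataclasses import dataclass, replace
from itertools import cycle

# Addresses from Figure 2.1 in the text.
VIP = "176.16.1.1"        # virtual server address; also placed on each server's loopback
ROUTER = "10.1.1.1"       # router's internal address: the servers' default route under nPath
BIGIP_SELF = "10.1.1.10"  # BIG-IP floating self IP: the servers' default route in a typical config
# Constructed addresses (assumptions, not from the text).
CLIENT = "192.0.2.7"
SERVERS = ["10.1.1.21", "10.1.1.22"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    hops: tuple = ()  # devices that handled the packet, for inspection

    def via(self, hop):
        return replace(self, hops=self.hops + (hop,))


class ContentServer:
    """A content server accepts packets only for addresses it owns (NIC or loopback)."""

    def __init__(self, nic_ip, loopback_ips=(), default_gw=ROUTER):
        self.nic_ip = nic_ip
        self.owned = {nic_ip, "127.0.0.1", *loopback_ips}
        self.default_gw = default_gw

    def reply(self, request):
        if request.dst not in self.owned:
            return None  # the kernel drops a packet for an address it does not own
        # The reply is sourced from whatever address the request was sent to.
        return Packet(src=request.dst, dst=request.src).via(self.nic_ip)


class BigIP:
    """Round-robins requests to pool members; address translation is optional."""

    def __init__(self, members, translate_address):
        self._rr = cycle(members)
        self.translate_address = translate_address

    def forward(self, request):
        member = next(self._rr)
        if self.translate_address:
            request = replace(request, dst=member)  # typical config: rewrite to the member
        return request.via(BIGIP_SELF), member      # nPath: left untranslated

    def return_path(self, reply):
        # A reply that comes back through the BIG-IP (typical config) has its
        # source translated back to the virtual server address.
        if self.translate_address:
            reply = replace(reply, src=VIP)
        return reply.via(BIGIP_SELF)


def run_request(bigip, servers):
    """Trace one client request to the virtual server and its reply."""
    forwarded, member = bigip.forward(Packet(src=CLIENT, dst=VIP))
    server = servers[member]
    reply = server.reply(forwarded)
    if reply is None:
        return {"delivered": False, "reason": "server dropped the request", "member": member}
    if server.default_gw == BIGIP_SELF:
        reply = bigip.return_path(reply)
    reply = reply.via(ROUTER)  # the router forwards the reply toward the client
    # The client accepts the reply only if it appears to come from the virtual server.
    delivered = reply.src == VIP and reply.dst == CLIENT
    return {"delivered": delivered, "reply_src": reply.src, "hops": reply.hops, "member": member}


def npath_scenario():
    """Correct nPath: no translation, VIP on loopback, default route to the router."""
    bigip = BigIP(SERVERS, translate_address=False)
    servers = {ip: ContentServer(ip, loopback_ips=[VIP], default_gw=ROUTER) for ip in SERVERS}
    return run_request(bigip, servers)


def missing_loopback_scenario():
    """nPath with the VIP missing from the server loopback: the request is dropped."""
    bigip = BigIP(SERVERS, translate_address=False)
    servers = {ip: ContentServer(ip, default_gw=ROUTER) for ip in SERVERS}
    return run_request(bigip, servers)


def translation_left_on_scenario():
    """Servers route around the BIG-IP, but address translation was left enabled."""
    bigip = BigIP(SERVERS, translate_address=True)
    servers = {ip: ContentServer(ip, loopback_ips=[VIP], default_gw=ROUTER) for ip in SERVERS}
    return run_request(bigip, servers)


def typical_scenario():
    """Typical configuration: translation on, default route back through the BIG-IP."""
    bigip = BigIP(SERVERS, translate_address=True)
    servers = {ip: ContentServer(ip, default_gw=BIGIP_SELF) for ip in SERVERS}
    return run_request(bigip, servers)


if __name__ == "__main__":
    for scenario in (npath_scenario, missing_loopback_scenario,
                     translation_left_on_scenario, typical_scenario):
        print(f"{scenario.__name__}: {scenario()}")
```

    Only the first and last scenarios deliver a reply; the two broken nPath variants fail at the server (dropped request) or at the client (reply sourced from the member's own address).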

    Note

    You perform the tasks contained in this guide using the Configuration utility; however, the procedures do not include the step of logging on to the Configuration utility. Before you begin the tasks, log on to the Configuration utility.

    Creating a custom Fast L4 profile

    The first task you must complete to create an nPath routing configuration is to create a custom Fast L4 profile.

    To create a custom Fast L4 profile

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
       The HTTP Profiles screen opens.

    2. From the Protocol menu, choose Fast L4.
       The Fast L4 Profiles screen opens.

    3. To create a custom profile, click Create.
       The New Fast L4 Profile screen opens.
       Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a Fast L4 profile.

    4. In the New Fast L4 Profile screen, set the following attributes:

       a) In the Name box, type a name for the profile.
       b) Check the Loose Close box.
       c) Set the TCP Idle Timeout setting according to the type of traffic the virtual server is going to handle. For additional information about setting this timeout, see Setting timers for nPath configurations, on page 2-6.

    5. Click Finished.


    Creating a server pool for nPath routing

    After you create a custom Fast L4 profile, you need to create a server pool.

    To create a pool

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools.
       The Pools screen opens.

    2. To create a new pool, click Create.
       The New Pool screen opens.
       Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.

    3. Type a pool name and add the member addresses for each of the servers.

    4. Click Finished.

    Creating a virtual server

    After you create a server pool, you need to create a virtual server that references the custom Fast L4 profile and pool you created in the previous two tasks.

    To create a standard virtual server

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
       The Virtual Servers screen opens.

    2. To create a new virtual server, click Create.
       The New Virtual Server screen opens.
       Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a virtual server.

    3. Type the virtual server name, select a destination type, and type the IP address.

    4. For the Type setting, select Performance (Layer 4).

    5. Set the following attributes:

    a) For Protocol, select either UDP, TCP, or *All Protocols from the list.

    b) For Protocol Profile (Client), select the name of the custom Fast L4 profile that you created.

    c) Clear the Address Translation check box to disable address translation.


    d) Clear the Port Translation check box to disable port translation.

    e) In the Resources section, choose the pool you created that contains the content servers.

    6. Click Finished.

    Configuring the virtual server on the content server loopback interface

    You must place the IP address of the virtual server (176.16.1.1 in Figure 2.1 on page 2-1) on the loopback interface of each server. Most UNIX variants have a loopback interface named lo0. Microsoft Windows has an MS Loopback interface in its list of network adaptors. For some versions of Windows, you must install the loopback interface using the installation CD. Consult your server operating system documentation for information about configuring an IP address on the loopback interface. The loopback interface is ideal for the nPath configuration because it does not participate in the ARP protocol.

    Setting the route for inbound traffic

    For inbound traffic, you must define a route through the BIG-IP system self IP address to the virtual server. In the example, this route is 176.16.1.1, with the external self IP address 10.1.1.10 as the gateway.

    Note

    You need to set this route only if the virtual server is on a different subnet than the router.

    For information about how to define this route, please refer to the documentation provided with your router.

    Enabling the connection.autolasthop bigdb key

    To ensure that nPath routing works correctly, you must ensure that the bigdb configuration key connection.autolasthop is set to enable. This is relevant for both IPv4 and IPv6 addressing formats. To ensure that this bigdb key is enabled, type this command:

    bigpipe db connection.autolasthop enable


    Setting timers for nPath configurations

    When you create an nPath configuration, the BIG-IP system sees only client requests. Therefore, the timer for the connection timeout is only reset when clients transmit. In general, this means the timeout for an nPath connection should be at least twice as long as for a comparable connection where the BIG-IP system sees both client requests and node responses. Following are descriptions of scenarios for setting the timers for UDP and TCP traffic.

    Guidelines for configuring timeouts for UDP traffic

    When you configure nPath for UDP traffic, the BIG-IP system tracks packets sent between the same source and destination address to the same destination port as a connection. This is necessary to ensure that client requests that are part of a session always go to the same server. Therefore, a UDP connection is really a form of persistence, since UDP is a connectionless protocol. To calculate the timeout for UDP, estimate the maximum amount of time that a server transmits UDP packets before a packet is sent by the client. In some cases, the server might transmit hundreds of packets over several minutes before ending the session or waiting for a client response.

    Guidelines for configuring timeouts for TCP traffic

    When you configure nPath for TCP traffic, the BIG-IP system sees only the client side of the connection. For example, in the TCP three-way handshake, the BIG-IP system sees the SYN from the client to the server, does not see the SYN acknowledgement from the server to the client, and does see the acknowledgement of the acknowledgement from the client to the server. The timeout for the connection should match the combined TCP retransmission timeout (RTO) of the client and the node as closely as possible to ensure that all connections are successful. The maximum initial RTO observed on most UNIX and Windows systems is approximately 25 seconds. Therefore, a timeout of 51 seconds should adequately cover the worst case. Once a TCP session is established, an adaptive timeout is used. In most cases, this results in a faster timeout on the client and node. Only if your clients are on slow, lossy networks should you ever need a higher TCP timeout for established connections.
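    An added model (not from the guide) of the timer behaviour described in the timers section above: a minimal BIG-IP connection table that, under nPath, sees only client packets, replayed against a constructed UDP trace in which the server streams for 50 seconds before the client speaks again. The client and pool member addresses are assumptions; 176.16.1.1 is the virtual server address from Figure 2.1.

```python
from itertools import cycle

VIP = "176.16.1.1"                    # virtual server address from Figure 2.1
CLIENT = "192.0.2.7"                  # constructed client address
SERVERS = ["10.1.1.21", "10.1.1.22"]  # constructed pool members

# Constructed UDP trace: (time in seconds, sender). The client sends once, the
# server then streams a packet every 5 s until t=50, and the client replies at 55 s.
TRACE = [(0, "client")] + [(t, "server") for t in range(5, 51, 5)] + [(55, "client")]


class FlowTable:
    """Minimal model of the BIG-IP connection table for a UDP virtual server."""

    def __init__(self, idle_timeout, members, sees_server_packets):
        self.idle_timeout = idle_timeout
        self.sees_server_packets = sees_server_packets  # False under nPath
        self._rr = cycle(members)
        self.flows = {}   # (client, vip) -> {"member": ..., "last_seen": ...}
        self.events = []  # ("new" | "expired", time, member)

    def packet(self, t, sender):
        """Process one packet; return the member the flow is pinned to, or None."""
        if sender == "server" and not self.sees_server_packets:
            return None  # nPath: the reply bypasses the BIG-IP, so the timer is not refreshed
        key = (CLIENT, VIP)
        flow = self.flows.get(key)
        if flow is not None and t - flow["last_seen"] > self.idle_timeout:
            self.events.append(("expired", t, flow["member"]))  # idle timer ran out
            del self.flows[key]
            flow = None
        if flow is None:
            if sender == "server":
                return None  # reply for a flow we no longer track
            # New flow: load balance again, possibly to a different member.
            flow = {"member": next(self._rr), "last_seen": t}
            self.flows[key] = flow
            self.events.append(("new", t, flow["member"]))
        flow["last_seen"] = t  # any packet the BIG-IP sees refreshes the idle timer
        return flow["member"]


def run_trace(idle_timeout, sees_server_packets, trace=TRACE):
    """Replay the trace; report which member each client packet was sent to."""
    table = FlowTable(idle_timeout, SERVERS, sees_server_packets)
    members = []
    for t, sender in trace:
        member = table.packet(t, sender)
        if sender == "client":
            members.append(member)
    return {"members": members, "same_member": len(set(members)) == 1, "events": table.events}


def max_server_burst(trace=TRACE):
    """Longest gap between consecutive client packets: the floor for an nPath UDP timeout."""
    client_times = [t for t, sender in trace if sender == "client"]
    return max(b - a for a, b in zip(client_times, client_times[1:]))


if __name__ == "__main__":
    print("longest server-only burst:", max_server_burst(), "s")
    print("typical, 30 s timeout:", run_trace(30, sees_server_packets=True))
    print("nPath,   30 s timeout:", run_trace(30, sees_server_packets=False))
    print("nPath,   60 s timeout:", run_trace(60, sees_server_packets=False))
```

    With a 30 s idle timeout the typical configuration keeps the session on one member because the server's packets refresh the timer, while the nPath configuration expires the flow and re-load-balances the client's next packet to the other member; raising the nPath timeout above the 55 s burst keeps the session intact.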

  • 3 Basic Web Site and E-Commerce Configuration

    Working with a basic web site and e-commerce configuration

    Configuring a basic e-commerce site

  • Basic Web Site and E-Commerce Configuration

    Working with a basic web site and e-commerce configuration

    The most common use for the BIG-IP system is distributing traffic across an array of web servers that host standard web traffic, including e-commerce traffic. Figure 3.1 shows a configuration where a BIG-IP system load balances two sites: www.siterequest.com and store.siterequest.com. The www.siterequest.com site provides standard web content, and the store.siterequest.com site is the e-commerce site that sells items to www.siterequest.com customers.

    Figure 3.1 A basic load balancing configuration

    To set up load balancing for these sites, you need to create two pools that are referenced by two virtual servers, one for each site. Even though the sites are related and they may even share the same IP address, each requires its own virtual server because it uses a different port to support its particular protocol: port 80 for the HTTP traffic going to www.siterequest.com, and port 443 for the SSL traffic going to store.siterequest.com. Note that this is true even when there is a port 80 and port 443 on the same physical server, as in the case of Server2.

    Note

    All examples in this document use only private class IP addresses. When you set up the configurations we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.

  • Chapter 3

    Configuring a basic e-commerce site

    To configure the e-commerce site, you need to complete the following tasks in order:
      • Create the load balancing pools.
        Create a pool to load balance HTTP connections, and a pool to load balance SSL connections.
      • Create virtual servers for the inbound traffic.
        Create the virtual servers that reference the HTTP and SSL pools.

    Creating load balancing pools

    The first task in a basic configuration is to define the two load balancing pools: a pool to load balance HTTP connections, and a pool to load balance SSL connections. As shown in Figure 3.1, on page 3-1, the two servers for the HTTP pool are 192.168.100.1:80 and 192.168.100.2:80 (Server1 and Server2). The two servers for the SSL pool are 192.168.100.2:443 and 192.168.100.3:443 (Server2 and Server3).

    Use the Configuration utility to create these two pools. For additional information about configuring a pool, see the online help.

    To create a pool for load balancing HTTP traffic

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools.
       The Pools screen opens.

    2. In the upper-right corner of the screen, click Create.
       The New Pool screen opens.
       Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.

    3. In the Name box, type a name for the pool.
       In the example in Figure 3.1, on page 3-1, this pool name is http_pool.

    4. In the Resources area of the screen, use the New Members setting to add the pool members.
       In the example in Figure 3.1, on page 3-1, these pool members are 192.168.100.1:80 and 192.168.100.2:80.

    5. Click Finished.


    To create a pool for load balancing SSL traffic

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools.
       The Pools screen opens.

    2. In the upper-right corner of the screen, click Create.
       The New Pool screen opens.
       Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.

    3. In the Name box, type a name for the pool.
       In the example in Figure 3.1, on page 3-1, this pool name is ssl_pool.

    4. In the Resources area of the screen, use the New Members setting to add the pool members.
       In the example in Figure 3.1, on page 3-1, these pool members are 192.168.100.2:443 and 192.168.100.3:443.

    5. Click Finished.

    Creating virtual servers

    The next task in a basic configuration is to define the virtual servers that reference the HTTP and SSL pools, respectively. You use the Configuration utility to create these virtual servers. For additional information about configuring a virtual server, click the Help button.

    To define a virtual server for HTTP traffic

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
       The Virtual Servers screen opens.

    2. In the upper-right corner of the screen, click Create.
       The New Virtual Server screen opens.
       Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a virtual server.

    3. In the Name box, type a name for the virtual server, such as vs_http.

    4. In the Destination box, verify that the type of virtual server is Host, and in the Address box, type an IP address for the virtual server, such as 192.168.200.10:80.

    5. In the Service Port box, type 80, or select HTTP from the list.

    6. In the Configuration area of the screen, locate the HTTP Profile setting and select http.

    7. In the Resources area of the screen, locate the Default Pool setting and select http_pool.

    8. Click Finished.


    To define a virtual server for SSL traffic

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
       The Virtual Servers screen opens.

    2. In the upper-right corner of the screen, click Create.
       The New Virtual Server screen opens.
       Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a virtual server.

    3. In the Name box, type a name for the virtual server, such as vs_ssl.

    4. In the Destination box, verify that the type of virtual server is Host, and in the Address box, type an IP address for the virtual server, such as 192.168.200.10:443.

    5. In the Service Port box, type 443, or select HTTPS from the list.

    6. In the Configuration area of the screen, locate the SSL Profile (Client) setting and select clientssl.

    7. In the Resources area of the screen, locate the Default Pool setting and select ssl_pool.

    8. Click Finished.

  • 4 Installing a BIG-IP System without Changing the IP Network

    Installing a BIG-IP system without changing IP networks

    Configuring the BIG-IP system for the same IP network

  • Installing a BIG-IP System without Changing the IP Network

    Installing a BIG-IP system without changing IP networks

    A combination of several features of the BIG-IP system allows you to place a BIG-IP system in a network without changing the existing IP network.

    Figure 4.1 shows the data center topology before you add the BIG-IP system. The data center has one LAN, with one IP network, 10.0.0.0. The data center has one router to the Internet, two web servers, and a back-end mail server.

    Figure 4.1 Existing data center network structure

    The existing data center structure does not support load balancing or high availability. Figure 4.2, on page 4-2 is an example of the data center topology after you add the BIG-IP system.

  • Chapter 4

    Figure 4.2 New structure after adding the BIG-IP system

    Both the internal and external interfaces of the BIG-IP system are on the same IP network, 10.0.0.0, but they are effectively on different LANs. Figure 4.2 introduces a second switch. This switch is eliminated in a configuration using a BIG-IP system.


    Configuring the BIG-IP system for the same IP network

    To configure the BIG-IP system for this implementation, you must create a VLAN group, a pool of web servers, and a virtual server. More specifically, you must complete these tasks:

      • Remove the self IP addresses from the individual VLANs
        Routing is handled by the self IP address you create for the VLAN group.
      • Create a VLAN group
        Create a VLAN group that includes the internal and external VLANs. This enables Layer 2 forwarding. (Layer 2 forwarding causes the two VLANs to behave as a single network.)
      • Create a self IP for the VLAN group
        The self IP for the VLAN group provides a route for packets destined for the network.
      • Create a pool of web servers
        Create a pool that contains the web servers that you want to load balance.
      • Create a virtual server
        Create a virtual server that load balances the web servers.

    Note

    This example assumes that you are using the default internal and external VLAN configuration with self IP addresses on each of the VLANs that are on the same IP network on which you are installing the BIG-IP system.

    Important

    The default route on each content server should be set to the IP address of the router. In this example, you set the default route to 10.0.0.2.

    Removing the self IP addresses from the individual VLANs

    Remove the self IP addresses from the individual VLANs. After you create the VLAN group, you will create another self IP address for the VLAN group for routing purposes. The individual VLANs no longer need their own self IP addresses.

    WARNING

    We recommend that you perform this step from the console or from a self IP address you are not going to delete. If you are connected from a remote workstation through a self IP address that you are going to delete, you will be disconnected when you delete it.

  • Chapter 4

    To remove the self IP addresses from the default VLANs

    1. On the Main tab of the navigation pane, expand Network, and click Self IPs. The Self IPs screen opens.

    2. Using the IP Address and VLANs columns, locate the self IP addresses for the VLANs internal and external.

    3. To the left of each self IP address you want to delete, check the Select box. Note: If the Delete button is unavailable, this indicates that your user role does not grant you permission to delete a self IP address.

    4. Click Delete. A confirmation screen appears.

    5. Click Delete again.

    Creating a VLAN group

    Create a VLAN group that includes the internal and external VLANs. Packets received by a VLAN in the VLAN group are copied onto the other VLAN in the group. This allows traffic to pass through the BIG-IP system on the same IP network.

    To create a VLAN group

    1. On the Main tab of the navigation pane, expand Network, and click VLANs. The VLANs screen opens.

    2. From the VLAN Groups menu, choose List. This opens the VLAN Groups screen.

    3. In the upper-right corner of the screen, click Create. This opens the New VLAN Group screen. Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a VLAN group.

    4. In the Name box, type the name myvlangroup.

    5. For the VLANs setting, from the Available box select the internal and external VLAN names, and click the Move button (


    Creating a self IP address for the VLAN group

    The self IP address for the VLAN group provides a route for packets destined for the network. With the BIG-IP system, the path to an IP network is a VLAN. However, with the VLAN group feature used in this example, the path to the IP network 10.0.0.0 is actually through more than one VLAN. Since IP routers are designed to have only one physical route to a network, a routing conflict can occur. The self IP address feature on the BIG-IP system allows you to resolve the routing conflict by putting a self IP address on the VLAN group.

    To create a self IP address for a VLAN group

    1. On the Main tab of the navigation pane, expand Network, and click Self IPs. The Self IPs screen opens.

    2. In the upper-right corner of the screen, click Create. Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a self IP address.

    3. In the IP Address box, type a self IP address for the VLAN group. In the example shown in Figure 4.2, on page 4-2, this IP address is 10.0.0.6.

    4. In the Netmask box, type a netmask for the self IP address.

    5. For the VLAN setting, select the name myvlangroup from the list.

    6. Click Finished.

    Creating a pool of web servers

    After you create the network environment for the BIG-IP system, you can create the pool of web servers you want to load balance.

    To create a pool

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools. The Pools screen opens.

    2. In the upper-right corner of the screen, click Create. The New Pool screen opens. Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.

    3. In the Name box, type a name for the pool, such as myweb_pool.

    4. In the Resources area of the screen, use the New Members setting to add the pool members. In our example, pool members are 10.0.0.3:80 and 10.0.0.4:80.

    5. Click Finished.


    Creating a virtual server

    After you create the pool of web servers you want to load balance, you can create the virtual server.

    To create a virtual server

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Servers screen opens.

    2. In the upper-right corner of the screen, click Create. The New Virtual Server screen opens. Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a virtual server.

    3. In the Name box, type a name for the virtual server, such as vs_myweb.

    4. In the Destination box, verify that the type of virtual server is Host, and in the Address box, type an IP address. Continuing with our example, this address would be 10.0.0.5.

    5. From the Service Port list, select *All Ports.

    6. In the Resources area of the screen, locate the Default Pool setting and select the name of the pool you created using the previous procedure. In our example, this pool name is myweb_pool.

    7. Click Finished.
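    The procedure above is easy to get wrong in one place: leaving a self IP address on a VLAN that is also a member of the VLAN group, which recreates the routing conflict the chapter describes. The following script is an added example, not part of the F5 manual or its product, that models the objects the procedure creates and checks the plan before you touch the device. The object names and addresses are the chapter's; the /24 mask is an assumption, since the text gives only the network 10.0.0.0.

```python
"""Address-plan check for the Chapter 4 layout (VLAN group on one IP network).

Added example, not part of the F5 manual. It models the objects the chapter
creates and flags the mistakes the text warns about: a self IP left on a VLAN
that is also a member of the VLAN group (a second route to the same network),
a VLAN group with no self IP of its own, and addresses outside the network or
used twice. IPv4 only. The /24 mask is an assumption; the manual gives only
10.0.0.0.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Plan:
    network: str                 # the single IP network the BIG-IP sits in
    vlan_group: str              # name of the VLAN group
    group_members: list          # VLANs that are members of the group
    self_ips: dict = field(default_factory=dict)      # VLAN or group name -> "addr/prefix"
    virtual_server: str = ""     # "addr:port" or "addr:*"
    pool_members: list = field(default_factory=list)  # "addr:port"
    router: str = ""             # default gateway the content servers point at


def _host(text):
    """Strip a '/prefix' or ':port' suffix and return the bare address."""
    return ipaddress.ip_address(text.split("/")[0].split(":")[0])


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(plan.network, strict=False)

    # A VLAN that is in the VLAN group must not keep its own self IP, otherwise
    # the BIG-IP has two paths to the same network (the routing conflict).
    for vlan in plan.group_members:
        if vlan in plan.self_ips:
            problems.append(f"self IP {plan.self_ips[vlan]} is still on VLAN {vlan}, "
                            f"a member of VLAN group {plan.vlan_group}")
    if plan.vlan_group not in plan.self_ips:
        problems.append(f"VLAN group {plan.vlan_group} has no self IP")

    # Every address must sit in the one network and be used only once.
    seen = {}

    def place(label, text):
        ip = _host(text)
        if ip not in net:
            problems.append(f"{label} {ip} is outside {net}")
        if ip in seen:
            problems.append(f"{label} {ip} duplicates {seen[ip]}")
        seen.setdefault(ip, label)

    for owner, sip in plan.self_ips.items():
        place(f"self IP on {owner}", sip)
        if ipaddress.ip_interface(sip).network != net:
            problems.append(f"self IP {sip} has a netmask that does not match {net}")
    place("virtual server", plan.virtual_server)
    for member in plan.pool_members:
        place("pool member", member)
    place("router", plan.router)
    return problems


def chapter4_plan():
    """The plan of Figure 4.2 as the chapter describes it (mask assumed /24)."""
    return Plan(network="10.0.0.0/24", vlan_group="myvlangroup",
                group_members=["internal", "external"],
                self_ips={"myvlangroup": "10.0.0.6/24"},
                virtual_server="10.0.0.5:*",
                pool_members=["10.0.0.3:80", "10.0.0.4:80"],
                router="10.0.0.2")


if __name__ == "__main__":
    print("correct plan:", check_plan(chapter4_plan()) or "no problems")
    # Skipping the step that removes the per-VLAN self IPs is caught.
    bad = chapter4_plan()
    bad.self_ips.update({"internal": "10.0.0.10/24", "external": "10.0.0.11/24"})
    for problem in check_plan(bad):
        print("problem:", problem)
```

    Run it before the change window with the addresses from your own plan; the first two checks correspond to the "Remove the self IP addresses" and "Create a self IP for the VLAN group" tasks, the rest catch an address that was typed into the wrong network or reused.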

  • 5 Web Hosting for Multiple Customers

    Introducing multiple customer hosting

    Hosting multiple customers using an external switch

    Directly hosting multiple customers


    Introducing multiple customer hosting

    You can use the BIG-IP system to load balance and provide hosting services for multiple customers.

    Note

    An alternate way to implement web hosting for multiple customers is to use the route domains feature. For more information, see Chapter 6, Web Hosting for Multiple Customers Using Route Domains.

    In the example shown in Figure 5.1, the BIG-IP system has an interface (5.1) assigned to three VLANs on a network. The three VLANs are vlanA, vlanB, and vlanC. Interface 5.1 processes traffic for all three VLANs. Note that each VLAN contains two servers, and serves a specific customer.

    Figure 5.1 An example of multiple site hosting

  • Chapter 5

    Hosting multiple customers using an external switch

    To configure the BIG-IP system for this implementation, you must complete the following tasks:

    Create VLANs with tagged interfaces. For more information on tagged interfaces, see the TMOS Management Guide for BIG-IP Systems.

    Create load balancing pools. Create three pools of web servers, one pool for each VLAN, to which you want to load balance traffic.

    Create virtual servers. Create three virtual servers that load balance traffic to the pools of web servers.

    Creating VLANs with tagged interfaces

    The first task in configuring the BIG-IP system for multiple-customer hosting is creating VLANs with tagged interfaces. In this procedure, you assign the same interface to each VLAN that you create, and you assign the interface as a tagged interface. (For more information on tagged interfaces, see the TMOS Management Guide for BIG-IP Systems.) For example, in Figure 5.1, on page 5-1, there are three VLANs, where each VLAN processes traffic for a different subnet. Thus, vlanA processes traffic for the 10.1.1 subnet, vlanB processes traffic for the 10.1.2 subnet, and vlanC processes traffic for the 10.1.3 subnet. The interface assigned to all three VLANs is 5.1.

    To create a VLAN with a tagged interface

    1. On the Main tab of the navigation pane, expand Network, and click VLANs. The VLAN screen opens.

    2. In the upper-right corner of the screen, click Create. This displays the settings to configure for the VLAN. Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a VLAN.

    3. Type the VLAN name and tag number. If you do not provide a tag number, the BIG-IP system automatically generates a number. In Figure 5.1, on page 5-1, an example of a VLAN name and tag number is vlanA, with a tag number of 0001.


    4. For the Interfaces setting, from the Available box select the name of an interface on your internal network, and click the Move button (


    3. In the Name box, type a name for the virtual server, such as vs_customerA.

    4. In the Destination box, verify that the type of virtual server is Host, and in the Address box, type an IP address for the virtual server, such as 10.1.10.10. (The service port is set in the next step.)

    5. In the Service Port box, type 80, or select HTTP from the list.

    6. In the Configuration area of the screen, locate the HTTP Profile setting and select http.

    7. In the Resources area of the screen, locate the Default Pool setting and select the pool corresponding to the virtual server you are creating. For example, for vs_customerA, you would select the pool customerA_pool. For vs_customerB, you would select the pool customerB_pool, and so on.

    8. Click Finished.


    Directly hosting multiple customers

    The configuration shown in Figure 5.1, on page 5-1, uses an external switch between the BIG-IP system and the server nodes. However, another way to implement this solution is to remove the external switch, and instead use multiple interfaces on the BIG-IP system to directly host traffic for multiple customers. With this scenario, it is still necessary to configure the VLANs, but you must configure them with untagged instead of tagged interfaces. Figure 5.2 shows an example of this scenario.

    Figure 5.2 Multiple customer hosting using VLAN switching

    In Figure 5.2, two BIG-IP system interfaces are assigned to each VLAN. For example, interfaces 1.1 and 1.2 are assigned to the vlanA VLAN. Each interface is assigned to a VLAN as an untagged interface. The first scenario, shown in Figure 5.1, on page 5-1, requires an additional switch, but requires the use of only one interface on the internal network. The second scenario, shown in Figure 5.2, removes the need for an additional switch, but requires the use of multiple BIG-IP system interfaces.


    Creating VLANs with untagged interfaces

    The first task in configuring the BIG-IP system for directly hosting multiple customers is to create VLANs, adding untagged interfaces to them. (For more information on tagged and untagged interfaces, see the TMOS Management Guide for BIG-IP Systems.)

    To create VLANs with untagged interfaces

    1. On the Main tab of the navigation pane, expand Network, and click VLANs. The VLAN screen opens.

    2. In the upper-right corner of the screen, click Create. This displays the settings to configure for the VLAN. Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a VLAN.

    3. Enter the VLAN name and tag number. If you do not provide a tag number, the BIG-IP system automatically generates a number. In Figure 5.2, on page 5-5, an example of a VLAN name and tag number is vlanA, with a tag number of 0001.

    4. For the Interfaces setting, from the Available box select the name of an interface on your internal network, and click the Move button (>>) to move the interface name to the Untagged box. This assigns the selected interface to the VLAN, as an untagged interface. In Figure 5.2, on page 5-5, vlanA has interfaces 1.1 and 1.2 assigned to it, vlanB has interfaces 1.3 and 1.4 assigned to it, and vlanC has interfaces 1.5 and 1.6 assigned to it.

    5. Click Finished.

    Once you have created your VLANs and assigned untagged interfaces to them, you can create the pools and virtual servers, just as you did in the section Hosting multiple customers using an external switch, on page 5-2.
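    Both layouts in this chapter keep customers apart only as long as the VLAN tags, interface assignments, subnets and pool memberships stay consistent with each other; a pool member typed into another customer's subnet, or an interface untagged in two VLANs, quietly joins two tenants. The script below is an added example, not part of the F5 manual or its product, that checks those invariants for the tagged design of Figure 5.1 and the untagged design of Figure 5.2. VLAN names, tags, subnets and interface numbers are taken from the figures; the pool-member addresses and virtual server names are constructed for the example.

```python
"""Tenant-isolation checks for the Chapter 5 layouts (tagged interfaces behind
an external switch, or dedicated untagged interfaces per VLAN).

Added example, not part of the F5 manual. VLAN names, tags, subnets and
interface numbers follow Figures 5.1 and 5.2; pool members are constructed.
"""
import ipaddress
from collections import Counter


def check_tenants(vlans, pools, virtual_servers):
    """vlans:           {name: {"tag": int, "subnet": "a.b.c.d/n",
                                "tagged": [ifaces], "untagged": [ifaces]}}
       pools:           {name: {"vlan": vlan_name, "members": ["ip:port", ...]}}
       virtual_servers: {name: {"pool": pool_name}}
       Returns a list of problems; an empty list means the customers stay separated."""
    problems = []

    # 802.1Q tags must be unique and valid, or two customers share a broadcast domain.
    for tag, count in Counter(v["tag"] for v in vlans.values()).items():
        if count > 1:
            problems.append(f"VLAN tag {tag} is assigned to {count} VLANs")
    for name, v in vlans.items():
        if not 1 <= v["tag"] <= 4094:
            problems.append(f"VLAN {name} has invalid tag {v['tag']}")

    # An interface carries untagged frames for at most one VLAN, and an interface
    # that is untagged in one VLAN cannot also be tagged in another.
    untagged_in = {}
    for name, v in vlans.items():
        for iface in v.get("untagged", []):
            if iface in untagged_in:
                problems.append(f"interface {iface} is untagged in both "
                                f"{untagged_in[iface]} and {name}")
            untagged_in.setdefault(iface, name)
    for name, v in vlans.items():
        for iface in v.get("tagged", []):
            if iface in untagged_in:
                problems.append(f"interface {iface} is tagged in {name} but "
                                f"untagged in {untagged_in[iface]}")

    # Customer subnets must not overlap.
    nets = {name: ipaddress.ip_network(v["subnet"], strict=False) for name, v in vlans.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets of {a} ({nets[a]}) and {b} ({nets[b]}) overlap")

    # A pool serves one VLAN, so every member must live in that VLAN's subnet; a
    # member in another customer's subnet sends this customer's traffic across
    # the tenant boundary.
    for pname, pool in pools.items():
        net = nets.get(pool["vlan"])
        if net is None:
            problems.append(f"pool {pname} refers to unknown VLAN {pool['vlan']}")
            continue
        for member in pool["members"]:
            ip = ipaddress.ip_address(member.rsplit(":", 1)[0])
            if ip not in net:
                problems.append(f"pool {pname} member {member} is outside {pool['vlan']} ({net})")

    for vname, vs in virtual_servers.items():
        if vs["pool"] not in pools:
            problems.append(f"virtual server {vname} references unknown pool {vs['pool']}")
    return problems


def figure_5_1():
    """Tagged design: one interface (5.1) carries all three customer VLANs."""
    vlans = {"vlanA": {"tag": 1, "subnet": "10.1.1.0/24", "tagged": ["5.1"]},
             "vlanB": {"tag": 2, "subnet": "10.1.2.0/24", "tagged": ["5.1"]},
             "vlanC": {"tag": 3, "subnet": "10.1.3.0/24", "tagged": ["5.1"]}}
    pools = {"customerA_pool": {"vlan": "vlanA", "members": ["10.1.1.10:80", "10.1.1.11:80"]},
             "customerB_pool": {"vlan": "vlanB", "members": ["10.1.2.10:80", "10.1.2.11:80"]},
             "customerC_pool": {"vlan": "vlanC", "members": ["10.1.3.10:80", "10.1.3.11:80"]}}
    vss = {"vs_customerA": {"pool": "customerA_pool"},
           "vs_customerB": {"pool": "customerB_pool"},
           "vs_customerC": {"pool": "customerC_pool"}}
    return vlans, pools, vss


def figure_5_2():
    """Untagged design: two dedicated interfaces per VLAN, no external switch."""
    vlans, pools, vss = figure_5_1()
    for name, ifaces in (("vlanA", ["1.1", "1.2"]), ("vlanB", ["1.3", "1.4"]), ("vlanC", ["1.5", "1.6"])):
        vlans[name] = {"tag": vlans[name]["tag"], "subnet": vlans[name]["subnet"], "untagged": ifaces}
    return vlans, pools, vss


if __name__ == "__main__":
    for label, cfg in (("figure 5.1", figure_5_1()), ("figure 5.2", figure_5_2())):
        print(label, check_tenants(*cfg) or "no problems")
    # A typo that points customer B's pool at a customer A server is caught.
    vlans, pools, vss = figure_5_1()
    pools["customerB_pool"]["members"].append("10.1.1.12:80")
    print(check_tenants(vlans, pools, vss))
```

    The same three dictionaries describe either design; only the `tagged` and `untagged` lists differ, which is exactly the difference between the two procedures in this chapter.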

  • 6 Web Hosting for Multiple Customers Using Route Domains

    Introduction

    Prerequisite information

    Implementing route domains

    Sample route domain implementation

    For more information


    Introduction

    Using the route domains feature of the BIG-IP system, you can provide hosting service for multiple customers by isolating each type of application traffic within a defined address space on the network. This enhances security and dedicates BIG-IP resources to each application.

    By implementing route domains, you can use duplicate IP addresses on the network, as long as each of the duplicate addresses resides in a separate route domain and is isolated on the network through a separate VLAN. For example, if you are processing traffic for two different customers, you can create two separate route domains. The same node address (such as 10.0.10.1) can reside in each route domain, in the same pool or in different pools, and you can assign a different monitor to each of the two corresponding pool members.

    Prerequisite information

    Using the remainder of this chapter, you can set up a basic configuration with two route domains. Before you follow the step-by-step procedure, however, you must gather the following information for each type of application traffic:

    Two interface numbers

    Two self IP addresses, one per VLAN

    Pool member addresses and service

    A virtual server address and service

  • Chapter 6

    Implementing route domains

    You must perform this procedure for each type of application traffic that you want to isolate within a route domain.

    Note

    To perform this procedure, you must have the Administrator or Resource Administrator user role assigned to your user account.

    Tip

    The tables in the procedure show only those settings that you need to explicitly configure. Settings for which you can use the default values are not shown.

    After you complete this procedure, each administrative partition contains one route domain, and the route domain in each partition is designated as the default route domain for the partition. With this configuration, you do not need to specify the %ID notation in any BIG-IP system addresses that you create.

    To isolate traffic for an application on the network

    In this procedure, you use the System, Network, and Local Traffic navigation menus of the Configuration utility.

    1. Create an administrative partition:

    a) Expand System, click Users, and on the menu bar, click Partition List.

    b) Click the Create button, and specify values for these settings.

       Setting       Required Action
       Name          Type a unique name for the partition. The name should indicate the application to which the partition pertains, for example, partition_App_A.
       Description   Optionally, type a description of the partition, for example: This partition contains BIG-IP objects for managing Application_A.

    c) Click Finished.

    2. Using the Partition list box at the upper-right corner of the Configuration utility screens, set the current partition to the partition that you created in step 1.

    3. Create two VLANs, one for the external network and one for the internal network:

    a) Expand Network, and click VLANs.

    b) Click the Create button, and specify values for these settings.

       Setting       Required Action
       Name          Type a unique name for the VLAN, for example external_App_A.
       Interfaces    In the Available box, click an interface number and use the Move button to move the number to the Tagged box. Note: You can use the same interface for other VLANs later, as long as you always assign the interface as a tagged interface.

    c) Click Finished.

    d) Repeat steps 3b and 3c for the second VLAN. An example of a name for the second VLAN is internal_App_A.

    4. Create a route domain object:

    a) On the navigation pane, click Route Domains.

    b) Click the Create button, and specify values for these settings.

       Setting                          Required Action
       ID                               Type a unique number for the route domain, such as 1.
       Description                      Type a description of the route domain, for example: This route domain pertains to Application_A.
       Strict Isolation                 Verify that the Strict Isolation box is checked.
       VLANs                            Using the Move button, assign the VLANs that you created in step 3.
       Partition Default Route Domain   From the list, select Make this route domain the Partition Default Route Domain. Setting this value ensures that the %ID notation is not required in IP addresses for objects pertaining to this route domain.

    c) Click Finished.

    5. Create two self IP addresses, one for each VLAN:

    a) Expand Network, and click Self IPs.

    b) Click the Create button, and specify values for these settings.

       Setting       Required Action
       IP Address    Type an IP address that is unique within this route domain. (The same address may exist in another route domain.)
       Netmask       Type the netmask for the specified IP address.
       VLAN          From the VLAN list, select the first of the VLANs that you created in step 3.

    c) Click Finished.

    d) Repeat steps 5b and 5c. For the VLAN setting, select the second VLAN that you created in step 3.

    6. Create a load balancing pool:

    a) Expand Local Traffic, and click Pools.

    b) Click the Create button, and specify values for these settings.

       Setting       Required Action
       Name          Type a unique name for the pool.
       New Members   Add new pool members as needed.

    c) Click Finished.

    7. Create a virtual server:

    a) On the navigation pane, click Virtual Servers.

    b) Click the Create button, and specify values for these settings. For all other virtual server settings, you can use the default values.

       Setting        Required Action
       Name           Type a unique name for the virtual server.
       Destination    Type: Choose a virtual server type, either Host or Network. Address: Type an IP address for the virtual server. Netmask: Type a netmask for the virtual server address. Service Port: Select a service port from the list, or type a service port number.
       Default Pool   Specify the pool that you created in step 6.

    c) Click Finished.

    8. Add routes for the application traffic:

    a) Expand Network, and click Routes.

    b) Click the Add button, and specify values for the following settings.

       Setting        Required Action
       Type           Select Route.
       Destination    Type an IP address for a pool member that you created in step 6.
       Netmask        Type a netmask for the destination IP address.
       Resource Type  From the list, select either: Use Gateway, and specify a next-hop address. Use VLAN, and specify the internal VLAN you selected in step 3.

    c) Click Finished.

    d) Repeat steps 8b and 8c for each route that you add. Add one route for each pool member IP address. You can also add a default route for this route domain. (Each route domain on the BIG-IP system can contain a default route.)


    Sample route domain implementation

    A good example of the use of traffic isolation on a network is an ISP that services multiple customers, where each customer deploys a different application. Figure 6.1 shows two route domain objects on a BIG-IP system, where each route domain corresponds to a separate customer and therefore resides in its own partition. Within each partition, the ISP created the network objects and local traffic objects required for that customer's application (AppA or AppB).

    Figure 6.1 Configuring route domains in separate partitions

  • Web Hosting for Multiple Customers Using Route Domains

    The configuration in Figure 6.1 results in the BIG-IP system segmenting traffic for two different applications into two separate route domains. The routes for each application's traffic cannot cross route domain boundaries because cross-routing restrictions are enabled on the BIG-IP system by default. Figure 6.2 shows the resulting route isolation for AppA and AppB application traffic.

    Figure 6.2 Application traffic for customers A and B, separated by route domains
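    Two details of this chapter are worth seeing in code: how an address without the %ID suffix resolves to the partition default route domain set in step 4, and what Strict Isolation forbids, namely a virtual server in one route domain sending traffic to a pool member that lives in another. The script below is an added example, not part of the F5 manual or its product. It models the partitions, route domains, self IPs and virtual servers of Figure 6.1 and rejects the configurations the text rules out while accepting the duplicate addresses the text allows. Partition and VLAN names follow the chapter; the IP addresses are constructed for the example.

```python
"""Route-domain address resolution and isolation check for the Chapter 6 layout.

Added example, not part of the F5 manual. It parses the ip[%ID][:port]
notation, applies the partition default route domain so that addresses
without %ID resolve the way step 4 configures, and checks that a virtual
server's pool members sit in the virtual server's route domain while Strict
Isolation is on. Partition and VLAN names follow the chapter; the addresses
are constructed for the example. IPv4 only.
"""
import ipaddress
import re

# ip[%rd][:port]; the port may be '*' for all ports.
ADDR_RE = re.compile(r"^(?P<ip>[0-9.]+)(?:%(?P<rd>\d+))?(?::(?P<port>\d+|\*))?$")


class RouteDomainPlan:
    def __init__(self):
        self.partition_default = {}   # partition name -> default route domain ID
        self.domains = {}             # route domain ID -> {"strict": bool, "vlans": set}
        self.self_ips = {}            # (ip, rd) -> VLAN name
        self.virtual_servers = []     # {"name", "dest", "members"}

    def add_partition(self, name, default_rd):
        self.partition_default[name] = default_rd

    def add_route_domain(self, rd_id, vlans, strict_isolation=True):
        self.domains[rd_id] = {"strict": strict_isolation, "vlans": set(vlans)}

    def parse(self, partition, text):
        """Resolve 'ip[%rd][:port]' created in a partition to (IPv4Address, rd, port)."""
        m = ADDR_RE.match(text)
        if not m:
            raise ValueError(f"bad address {text!r}")
        rd = int(m["rd"]) if m["rd"] is not None else self.partition_default[partition]
        if rd not in self.domains:
            raise ValueError(f"{text!r}: route domain {rd} does not exist")
        return ipaddress.ip_address(m["ip"]), rd, m["port"]

    def add_self_ip(self, partition, text, vlan):
        """An address may be reused in another route domain, but not twice in one."""
        ip, rd, _ = self.parse(partition, text)
        if (ip, rd) in self.self_ips:
            raise ValueError(f"{ip}%{rd} is already on VLAN {self.self_ips[(ip, rd)]}")
        if vlan not in self.domains[rd]["vlans"]:
            raise ValueError(f"VLAN {vlan} is not in route domain {rd}")
        self.self_ips[(ip, rd)] = vlan

    def add_virtual_server(self, partition, name, destination, members):
        self.virtual_servers.append({"name": name,
                                     "dest": self.parse(partition, destination),
                                     "members": [self.parse(partition, m) for m in members]})

    def check(self):
        """Strict Isolation: a virtual server's pool members must share its route domain."""
        problems = []
        for vs in self.virtual_servers:
            _, rd, _ = vs["dest"]
            for ip, member_rd, port in vs["members"]:
                if member_rd != rd and self.domains[rd]["strict"]:
                    problems.append(f"{vs['name']}: member {ip}%{member_rd}:{port} is not "
                                    f"reachable from route domain {rd} (strict isolation)")
        return problems


def figure_6_1():
    """Two customers, two partitions, one route domain each, identical addresses in both."""
    plan = RouteDomainPlan()
    for partition, rd, app in (("partition_App_A", 1, "App_A"), ("partition_App_B", 2, "App_B")):
        plan.add_partition(partition, rd)
        plan.add_route_domain(rd, [f"external_{app}", f"internal_{app}"])
        # The same self IP and pool member addresses in both route domains: legal,
        # because each partition's objects resolve to its own default route domain.
        plan.add_self_ip(partition, "10.0.20.254", f"external_{app}")
        plan.add_self_ip(partition, "10.0.10.254", f"internal_{app}")
        plan.add_virtual_server(partition, f"vs_{app}", "10.0.20.1:80",
                                ["10.0.10.1:80", "10.0.10.2:80"])
    return plan


if __name__ == "__main__":
    plan = figure_6_1()
    print("figure 6.1:", plan.check() or "no problems")
    print("10.0.10.1:80 in partition_App_B resolves to", plan.parse("partition_App_B", "10.0.10.1:80"))
    # Pointing customer A's virtual server at customer B's server is rejected.
    plan.add_virtual_server("partition_App_A", "vs_cross", "10.0.20.9:80", ["10.0.10.1%2:80"])
    print(plan.check())
```

    Note that the only way to reach across domains in this model is to write the %ID explicitly, as in 10.0.10.1%2; an operator working inside partition_App_A with the default route domain set cannot do it by accident, which is the point of the Partition Default Route Domain setting in step 4.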


    For more information

    You can find background information in these product guides:

    TMOS Management Guide for BIG-IP Systems

    Configuration Guide for BIG-IP Local Traffic Manager

  • 7 A Simple Intranet Configuration

    Working with a simple intranet configuration

    Creating the simple intranet configuration


    Working with a simple intranet configuration

    The simple intranet implementation described in this chapter is commonly found in a corporate intranet (see Figure 7.1). In this implementation, the BIG-IP system performs load balancing for several different types of connection requests:

    HTTP connections to the company's intranet web site. The BIG-IP system load balances the two web servers that host the corporate intranet web site, Corporate.main.net.

    HTTP connections to Internet content. These are handled through a pair of cache servers that are also load balanced by the BIG-IP system.

    Non-HTTP connections to the Internet.

    Figure 7.1 A simple intranet configuration

  • Chapter 7

    As Figure 7.1, on page 7-1 shows, the non-intranet connections are handled by wildcard virtual servers, that is, servers with the IP address 0.0.0.0. The wildcard virtual server that is handling traffic to the cache servers is port specific, specifying port 80 for HTTP requests. This way all HTTP requests not matching an IP address on the intranet are directed to the cache server. The wildcard virtual server handling non-HTTP requests is a default wildcard server. A default wildcard virtual server is one that uses only port 0. This makes it a catch-all match for outgoing traffic that does not match any standard virtual server or any port-specific wildcard virtual server.
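    The selection rule described above, a host virtual server first, then the port-specific wildcard, then the 0.0.0.0:0 default wildcard, is easiest to reason about as code. The following script is an added example, not part of the F5 manual or its product. It implements most-specific-match selection over the three virtual servers of Figure 7.1 and shows which one a given client destination lands on. The exact tie-breaking between network and wildcard virtual servers is an assumption about the general rule rather than something this chapter states, and matching is by destination address and port only (the VLANs a virtual server is enabled on are ignored). The client destination addresses are constructed.

```python
"""Virtual server selection for the Chapter 7 intranet (added example, not F5 code).

Implements the most-specific-match rule the chapter describes: a host virtual
server wins over a port-specific wildcard, which wins over the 0.0.0.0:0 default
wildcard. Ordering between network and wildcard virtual servers is an assumption
about the general rule; VLAN enablement is ignored. IPv4 only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualServer:
    name: str
    destination: str   # host "a.b.c.d", network "a.b.c.d/n", or wildcard "0.0.0.0"
    port: int          # 0 means *All Ports
    vs_type: str       # "standard" (load balances to a pool) or "forwarding"
    pool: str = ""

    def network(self):
        if self.destination == "0.0.0.0":
            return ipaddress.ip_network("0.0.0.0/0")
        return ipaddress.ip_network(self.destination, strict=False)

    def matches(self, ip, port):
        return ip in self.network() and self.port in (0, port)

    def precedence(self):
        """Higher sorts first: host beats network beats wildcard; a specific port
        beats any port; among networks, the longer prefix wins."""
        prefix = self.network().prefixlen
        address_class = 2 if prefix == 32 else (0 if prefix == 0 else 1)
        return (address_class, 1 if self.port else 0, prefix)


def select_virtual_server(virtual_servers, dst_ip, dst_port):
    """Return the virtual server that receives a connection, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [vs for vs in virtual_servers if vs.matches(ip, dst_port)]
    return max(candidates, key=VirtualServer.precedence) if candidates else None


# Figure 7.1: the intranet site, a port-80 wildcard to the cache servers, and a
# catch-all forwarding virtual server for everything else.
INTRANET = [
    VirtualServer("vs_http", "192.168.200.30", 80, "standard", "http_pool"),
    VirtualServer("vs_specificport", "0.0.0.0", 80, "standard", "specificport_pool"),
    VirtualServer("vs_non-http", "0.0.0.0", 0, "forwarding"),
]


def route(dst_ip, dst_port, virtual_servers=INTRANET):
    """Name of the chosen virtual server for a (constructed) client destination."""
    vs = select_virtual_server(virtual_servers, dst_ip, dst_port)
    return vs.name if vs else None


if __name__ == "__main__":
    for dst in (("192.168.200.30", 80), ("203.0.113.7", 80),
                ("203.0.113.7", 443), ("192.168.200.30", 443)):
        print(dst, "->", route(*dst))
```

    The last case in the demonstration is the one to remember when auditing such a configuration: a non-HTTP connection to the intranet web server's own address does not hit vs_http, which listens on port 80 only, but falls through to the forwarding virtual server and is passed on unchanged.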

    Creating the simple intranet configuration

    To create this configuration, you need to complete the following tasks in order:

    Create load balancing pools. Create pools for the intranet servers you want to load balance, and one for the cache servers.

    Create virtual servers. Create the virtual servers for each pool, and for the non-HTTP requests.

    Creating pools

    The first task in a basic configuration is to define the two load balancing pools: a pool for the intranet content servers, and a pool for the Internet cache servers.

    To create a pool

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools. The Pools screen opens.

    2. In the upper-right corner of the screen, click Create. The New Pool screen opens. Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.

    3. In the Name box, type a name for the pool, such as http_pool.

    4. In the Resources area of the screen, use the New Members setting to add the pool members. For example, in Figure 7.1, on page 7-1, the pool members for http_pool are 192.168.100.10:80 and 192.168.100.11:80. The pool members for specificport_pool are 192.168.100.20:80 and 192.168.100.21:80.

    5. Click Finished.


    Creating virtual servers

    The next task in a basic configuration is to create the virtual servers that reference http_pool and specificport_pool, respectively. You must also create a forwarding virtual server (with no pool) for remaining Internet traffic.

    To create a virtual server

    1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Servers screen opens.

    2. In the upper-right corner of the screen, click Create. The New Virtual Server screen opens. Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a virtual server.

    3. In the Name box, type a name for the virtual server, such as vs_http, vs_specificport, or vs_non-http.

    4. In the Destination box, verify that the type of virtual server is Host, and in the Address box, type an IP address for the virtual server. For example, you can assign the IP address 192.168.200.30:80 to the virtual server that processes HTTP traffic. For load balancing connections to cache servers, you can assign the address 0.0.0.0:80 to the virtual server, making it a wildcard virtual server. To create a forwarding virtual server, you can assign the address 0.0.0.0:0.

    5. In the Service Port box, type 80, or select HTTP from the list. For the forwarding virtual server, select *All Ports (port 0) so that it matches every port not claimed by a port-specific virtual server.

    6. In the Configuration area of the screen, locate the Type setting and do the following:

    a) Select Standard if the virtual server is to process HTTP traffic to an intranet web site or to cache servers.

    b) Select Forwarding (IP) if the virtual server is to forward outgoing non-HTTP traffic.

    7. If you are creating a virtual server to process HTTP connections to an intranet web site, locate the HTTP Profile setting and select http.

    8. In the Resources area of the screen, locate the Default Pool setting and select the pool corresponding to the virtual server you are creating.For example