BIG-IP Local Traffic Manager Implementations

BIG-IP® Local Traffic Manager®:Implementations

Version 11.1

Table of Contents

Legal Notices...................................................................................................................................13

Acknowledgments..........................................................................................................................15

Chapter 1: Configuring a Simple Intranet..........................................................19Overview: A simple intranet configuration..............................................................................20

Task summary........................................................................................................................20

Creating a pool............................................................................................................21

Creating a virtual server..............................................................................................21

Chapter 2: Configuring ISP Load Balancing.....................................................23Overview: ISP load balancing.................................................................................................24

Illustration of ISP load balancing.................................................................................24

Task summary for ISP load balancing....................................................................................24

Creating a load balancing pool....................................................................................24

Creating a virtual server for inbound content server traffic..........................................25

Creating a virtual server for outbound traffic for routers..............................................26

Creating self IP addresses an external VLAN.............................................................26

Enabling SNAT automap for internal and external VLANs...........................................26

Chapter 3: Routing Based on XML Content......................................................29Overview: XML content-based routing...................................................................................30

Task summary........................................................................................................................30

Creating a custom XML profile....................................................................................31

Writing XPath queries..................................................................................................31

Creating a pool to manage HTTP traffic......................................................................32

Creating an iRule.........................................................................................................33

Viewing statistics about XML content-based routing...................................................34

Chapter 4: Configuring an EtherIP Tunnel.........................................................35Overview: Preserving BIG-IP connections during live virtual machine migration...................36

Illustration of EtherIP tunneling in a vMotion environment..........................................36

Task summary........................................................................................................................37

Creating a VLAN..........................................................................................................37

Creating an EtherIP profile..........................................................................................38

Creating an EtherIP tunnel object................................................................................38

Creating a VLAN group................................................................................................39

Creating a self IP for a VLAN.......................................................................................39

3

Table of Contents

Creating a self IP for a VLAN group............................................................................40

Creating a Virtual Location monitor.............................................................................41

Syncing the BIG-IP configuration to the device group.................................................41

Implementation results...........................................................................................................42

Chapter 5: Configuring nPath Routing..............................................................43Overview: Layer 2 nPath routing.............................................................................................44

About Layer 2 nPath routing configuration.............................................................................44

Guidelines for UDP timeouts..................................................................................................45

Guidelines for TCP timeouts...................................................................................................45

Task summary........................................................................................................................45

Creating a custom Fast L4 profile................................................................................46

Creating a server pool for nPath routing......................................................................46

Creating a virtual server for Layer 2 nPath routing......................................................46

Configuring the virtual address on the server loopback interface................................47

Setting the route for inbound traffic..............................................................................47

Configuring the Connection.Autolasthop bigdb key.....................................................47

Chapter 6: Configuring Layer 3 nPath Routing.................................................49Overview: Layer 3 nPath routing.............................................................................................50

Configuring Layer 3 nPath routing using TMSH.....................................................................50

Layer 3 nPath routing example...............................................................................................51

Chapter 7: Creating a Basic Web Site and E-commerce Configuration..........55Overview: Basic web site and eCommerce configuration......................................................56

Illustration of basic web site and eCommerce configuration........................................56

Task summary........................................................................................................................56


Creating a pool to manage HTTPS traffic....................................................................57

Creating a virtual server to manage HTTP traffic........................................................58

Creating a virtual server to manage HTTPS traffic......................................................58

Chapter 8: Installing a BIG-IP System Without Changing the IP Network......61Overview: Installing a BIG-IP system without changing the IP network.................................62

Task summary........................................................................................................................63

Removing the self IP addresses from the default VLANs............................................63

Creating a VLAN group................................................................................................63

Creating a self IP for a VLAN group............................................................................64

Creating a pool of web servers....................................................................................64


4

Table of Contents

Chapter 9: Web Hosting Multiple Customers Using an External Switch........67Overview: Web hosting multiple customers using an external switch.....................................68

Illustration for hosting multiple customers using an external switch.......................................68

Task summary for hosting multiple customers.......................................................................68

Creating a VLAN with a tagged interface.....................................................................69


Creating a virtual server for HTTP traffic.....................................................................70

Chapter 10:

Web Hosting Multiple Customers Using Untagged Interfaces....................71Overview: Web hosting multiple customers using untagged interfaces..................................72

Illustration for hosting multiple customers using untagged interfaces.........................72

Task summary for hosting multiple customers.......................................................................72

Creating a VLAN with an untagged interface...............................................................73


Creating a virtual server for HTTP traffic.....................................................................74

Chapter 11: Web Hosting Multiple Customers Using Route Domains............75Overview: Use of route domains to host multiple web customers on the BIG-IP system.......76

Illustration of sample BIG-IP configuration using route domains.................................77

Illustration of resulting route domain configuration......................................................77

Task summary........................................................................................................................78

Creating an administrative partition.............................................................................78

Creating a VLAN with a tagged interface.....................................................................79

Creating a self IP address for a default route domain in an administrative partition....79

Creating a route domain on BIG-IP LTM.....................................................................80



Adding routes that specify VLAN internal as the resource..........................................81

Chapter 12:

Managing Client-side HTTPS Traffic Using a Self-signed Certificate.........83Overview: Managing client-side HTTPS traffic using a self-signed certificate........................84

Task summary........................................................................................................................84

Creating a self-signed SSL certificate.........................................................................84

Creating a custom HTTP profile..................................................................................85

Creating a custom Client SSL profile...........................................................................85


Creating a virtual server for client-side HTTPS traffic.................................................86


5

Table of Contents

Chapter 13:

Managing Client and Server HTTPS Traffic using a Self-signed Certificate.89Overview: Managing client and server HTTPS traffic using a self-signed certificate.............90

Task summary........................................................................................................................90

Creating a self-signed SSL certificate.........................................................................90



Creating a custom Server SSL profile.........................................................................92

Creating a pool to manage HTTPS traffic....................................................................92

Creating a virtual server for client-side and server-side HTTPS traffic........................93


Chapter 14:

Managing Client-side HTTPS Traffic using a CA-signed Certificate...........95Overview: Managing client-side HTTPS traffic using a CA-signed certificate........................96

Task summary........................................................................................................................96

Requesting a certificate from a certificate authority....................................................96




Creating a virtual server for client-side HTTPS traffic.................................................98


Chapter 15: Implementing Proxy SSL on a Single BIG-IP System................101Overview: Direct client-server authentication with application optimization.........................102

Task summary......................................................................................................................102

Creating a custom Client SSL profile.........................................................................102

Creating a custom Server SSL profile.......................................................................103

Creating a load balancing pool..................................................................................104

Creating a virtual server for client-side and server-side SSL traffic...........................104

Implementation result...........................................................................................................105

Chapter 16:

Configuring HTTP Load Balancing with Source Address Affinity Persistence.107Overview: HTTP load balancing with source affinity persistence.........................................108

Task summary......................................................................................................................108

Creating a pool to manage HTTP traffic....................................................................108

Creating a virtual server for HTTP traffic...................................................................109

6

Table of Contents

Chapter 17: Configuring HTTP Load Balancing with Cookie Persistence....111Overview: HTTP load balancing with cookie persistence.....................................................112

Task summary......................................................................................................................112

Creating a custom cookie persistence profile............................................................112

Creating a pool to manage HTTP traffic....................................................................113


Chapter 18: Compressing HTTP Responses..................................................115Overview: Compressing HTTP responses...........................................................................116

Task summary......................................................................................................................116

Creating a customized HTTP compression profile....................................................116

Creating a virtual server for HTTP compression.......................................................117

Chapter 19: Using the Request Logging Profile.............................................119Overview: Configuring a request logging profile...................................................................120

Task summary for configuring request logging.....................................................................120

Creating a pool with request logging to manage HTTP traffic...................................120

Creating a request logging profile..............................................................................121

Configuring a virtual server for request logging.........................................................122

Deleting a request logging profile..............................................................................123

Request logging profile settings...........................................................................................123

Request logging parameters................................................................................................125

Chapter 20: Load Balancing Passive Mode FTP Traffic.................................129Overview: FTP passive mode load balancing.......................................................................130

Task Summary for load balancing passive mode FTP traffic................................................130

Creating a custom FTP monitor.................................................................................130

Creating a pool to manage FTP traffic.......................................................................132

Creating a virtual server for FTP traffic......................................................................132

Chapter 21:

Load Balancing Passive Mode FTP Traffic with Data Channel Optimization.135Overview: FTP passive mode load balancing with data channel optimization.....................136

Task Summary for load balancing passive mode FTP traffic................................................136

Creating a custom FTP profile...................................................................................136

Creating a custom FTP monitor.................................................................................137

Creating a pool to manage FTP traffic.......................................................................138

Creating a virtual server for FTP traffic......................................................................139


7

Table of Contents

Chapter 22: Referencing an External File from within an iRule....................141Overview: Referencing an external file from an iRule...........................................................142

iRule commands for iFiles.........................................................................................142

Task summary......................................................................................................................143

Importing a file to the BIG-IP system.........................................................................143

Creating an iFile........................................................................................................143

Writing an iRule that references an iFile....................................................................143


Chapter 23: Configuring the BIG-IP System as a DHCP Relay Agent...........145Overview: Managing IP addresses for DHCP clients...........................................................146

About the BIG-IP system as a DHCP relay agent.....................................................146

Task summary......................................................................................................................147

Creating a pool of DHCP servers..............................................................................147

Creating a DHCP Relay type virtual server...............................................................147


Chapter 24: Configuring the BIG-IP System for DHCP Renewal...................149Overview: Renewing IP addresses for DHCP clients...........................................................150

About DHCP renewal ...............................................................................................150

Task summary......................................................................................................................150

Creating a DHCP renewal virtual server....................................................................151


Chapter 25: Configuring a One-IP Network Topology....................................153Overview: Configuring a one-IP network topology...............................................................154

Illustration of a one-IP network topology for the BIG-IP system................................154

Task summary for a one-IP network topology for the BIG-IP system...................................154

Creating a pool for processing HTTP connections with SNATs enabled...................155


Defining a default route.............................................................................................156

Configuring a client SNAT..........................................................................................156

Chapter 26: Implementing Health and Performance Monitoring...................157Overview: Health and performance monitoring....................................................................158

Task summary......................................................................................................................158

Creating a custom monitor........................................................................................159


Creating a virtual server............................................................................................160

8

Table of Contents

Chapter 27: Preventing TCP Connection Requests From Being Dropped....161Overview: TCP request queuing...........................................................................................162

Preventing TCP connection requests from being dropped...................................................162

Chapter 28: Load Balancing to IPv6 Nodes....................................................165Overview: Load balancing to iPv6 nodes.............................................................................166

Task summary......................................................................................................................166

Configuring the radvd service (optional)....................................................................166


Creating a virtual server for IPv6 nodes....................................................................167

Chapter 29: Configuring DNS Express on BIG-IP Systems...........................169How do I configure DNS Express?.......................................................................................170

What is DNS Express?..............................................................................................170

Task summary......................................................................................................................170

Creating a DNS Express TSIG key............................................................................170

Creating a DNS Express zone...................................................................................171

Enabling DNS Express .............................................................................................171

Assigning a DNS profile to a virtual server................................................................172

Configuring the legacy DNS server to allow zone file transfers.................................172

Viewing information about DNS Express zones........................................................173


Chapter 30:

Load Balancing DNS Traffic Between IPv-6 Only and IPv-4 Only Clouds.175Overview: Handling IPv6-only connection requests to IPv4-only servers............................176

Task summary......................................................................................................................176

Creating a custom DNS profile .................................................................................176

Assigning a DNS profile to a virtual server................................................................178

Implementation results.........................................................................................................178

Chapter 31: Mitigating Denial of Service Attacks...........................................179Overview: Mitigating Denial of Service and other attacks....................................................180

Denial of Service attacks and iRules....................................................................................180

iRules for Code Red attacks......................................................................................180

iRules for Nimda attacks............................................................................................180

Common Denial of Service attacks......................................................................................181

Task summary......................................................................................................................184

Configuring adaptive connection reaping..................................................................184

9

Table of Contents

Setting the TCP and UDP connection timers.............................................................185

Applying a rate class to a virtual server.....................................................................185

Calculating connection limits on the main virtual server............................................186

Setting connection limits on the main virtual server..................................................186

Setting the SYN Check activation threshold..............................................................186

Chapter 32: Configuring Remote CRLDP Authentication..............................187Overview of remote authentication for application traffic......................................................188

Task Summary.....................................................................................................................188

Creating a CRLDP configuration object for authenticating application traffic remotely.188

Creating a custom CRLDP profile.............................................................................189

Modifying a virtual server for CRLDP authentication.................................................189

Chapter 33: Configuring Remote LDAP Authentication.................................191Overview of remote LDAP authentication for application traffic............................................192

Task Summary.....................................................................................................................192

Creating an LDAP configuration object for authenticating application traffic remotely.192

Creating a custom LDAP profile................................................................................193

Modifying a virtual server for LDAP authentication....................................................193

Chapter 34: Configuring Remote RADIUS Authentication.............................195Overview of remote authentication for application traffic......................................................196

Task summary for RADIUS authentication of application traffic...........................................196

Creating a RADIUS server object for authenticating application traffic remotely.......196

Creating a RADIUS configuration object for authenticating application traffic remotely.197

Creating a custom RADIUS profile............................................................................197

Modifying a virtual server for RADIUS authentication...............................................198

Chapter 35: Configuring Remote SSL LDAP Authentication.........................199Overview of remote SSL LDAP authentication for application traffic....................................200

Task Summary.....................................................................................................................200

Creating an LDAP Client Certificate SSL configuration object..................................200

Creating a custom SSL Client Certificate LDAP profile.............................................201

Modifying a virtual server for SSL Client Certificate LDAP authorization..................201

Chapter 36: Configuring Remote SSL OCSP Authentication........................203Overview of remote authentication for application traffic......................................................204

Task Summary.....................................................................................................................204

Creating an SSL OSCP responder object for authenticating application traffic remotely.204

Creating an SSL OCSP configuration object for authenticating application traffic remotely.205

Creating a custom SSL OCSP profile........................................................................205

10

Table of Contents

Modifying a virtual server for SSL OCSP authentication...........................................205

Chapter 37: Configuring Remote TACACS+ Authentication..........................207Overview of remote authentication for application traffic......................................................208

Task Summary.....................................................................................................................208

Creating a TACACS+ configuration object.................................................................208

Creating a custom TACACS+ profile..........................................................................209

Modifying a virtual server for TACACS+ authentication.............................................210

Chapter 38: Configuring Kerberos Delegation................................................211Overview of remote authentication for application traffic......................................................212

Task Summary.....................................................................................................................212

Creating a Kerberos Delegation configuration object................................................212

Creating a Kerberos delegation profile object from the command line......................213


Creating a virtual server with Kerberos delegation and Client SSL profiles..............214

Chapter 39: Load Balancing Diameter Application Requests.......................215Overview: Diameter load balancing......................................................................................216

Task summary......................................................................................................................216

Creating a custom Diameter profile...........................................................................216

Creating a custom Diameter monitor.........................................................................216

Creating a pool to manage Diameter traffic...............................................................217

Creating a virtual server to manage Diameter traffic.................................................217

11

Table of Contents

12

Table of Contents

Legal Notices

Publication Date

This document was published on March 14, 2012.

Publication Number

MAN-0293-04

Copyright

Copyright © 2012, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumesno responsibility for the use of this information, nor any infringement of patents or other rights of thirdparties which may result from its use. No license is granted by implication or otherwise under any patent,copyright, or other intellectual property right of F5 except as specifically described by applicable userlicenses. F5 reserves the right to change specifications at any time without notice.

Trademarks

3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, AdvancedRouting, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious,CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, EdgeGateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks,F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, IntelligentBrowser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules,iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local TrafficManager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, ProtocolSecurity Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYNCheck, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, TransparentData Reduction, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM,and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries,and may not be used without F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

Patents

This product may be protected by U.S. Patents 6,327,242; 6,374,300; 6,473,802; 6,970,733; 7,051,126;7,102,996; 7,197,661; 7,287,084; 7,916,728; 7,916,730; 7,783,781; 7,774,484; 7,975,025; 7,996,886;8,004,971; 8,010,668. This list is believed to be current as of March 14, 2012.

Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United Statesgovernment may consider it a criminal offense to export this product from the United States.

RF Interference Warning

This is a Class A product. In a domestic environment this product may cause radio interference, in whichcase the user may be required to take adequate measures.

FCC Compliance

This equipment has been tested and found to comply with the limits for a Class A digital device pursuantto Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmfulinterference when the equipment is operated in a commercial environment. This unit generates, uses, andcan radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,may cause harmful interference to radio communications. Operation of this equipment in a residential areais likely to cause harmful interference, in which case the user, at his own expense, will be required to takewhatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authorityto operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance

This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance

This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable toInformation Technology products at the time of manufacture.

14

Legal Notices

Acknowledgments

This product includes software developed by Bill Paul.

This product includes software developed by Jonathan Stone.

This product includes software developed by Manuel Bouyer.

This product includes software developed by Paul Richards.

This product includes software developed by the NetBSD Foundation, Inc. and its contributors.

This product includes software developed by the Politecnico di Torino, and its contributors.

This product includes software developed by the Swedish Institute of Computer Science and its contributors.

This product includes software developed by the University of California, Berkeley and its contributors.

This product includes software developed by the Computer Systems Engineering Group at the LawrenceBerkeley Laboratory.

This product includes software developed by Christopher G. Demetriou for the NetBSD Project.

This product includes software developed by Adam Glass.

This product includes software developed by Christian E. Hopps.

This product includes software developed by Dean Huxley.

This product includes software developed by John Kohl.

This product includes software developed by Paul Kranenburg.

This product includes software developed by Terrence R. Lambert.

This product includes software developed by Philip A. Nelson.

This product includes software developed by Herb Peyerl.

This product includes software developed by Jochen Pohl for the NetBSD Project.

This product includes software developed by Chris Provenzano.

This product includes software developed by Theo de Raadt.

This product includes software developed by David Muir Sharnoff.

This product includes software developed by SigmaSoft, Th. Lockert.

This product includes software developed for the NetBSD Project by Jason R. Thorpe.

This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.

This product includes software developed for the NetBSD Project by Frank Van der Linden.

This product includes software developed for the NetBSD Project by John M. Vinopal.

This product includes software developed by Christos Zoulas.

This product includes software developed by the University of Vermont and State Agricultural College andGarrett A. Wollman.

This product includes software developed by Balazs Scheidler ([email protected]), which is protected underthe GNU Public License.

This product includes software developed by Niels Mueller ([email protected]), which is protected underthe GNU Public License.

In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developedby Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operatingsystems includes mainly non-profit oriented systems for research and education, including but not restrictedto NetBSD, FreeBSD, Mach (by CMU).

This product includes software developed by the Apache Group for use in the Apache HTTP server project(http://www.apache.org/).

This product includes software licensed from Richard H. Porter under the GNU Library General PublicLicense (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.

This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997,1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standardversion of Perl at http://www.perl.com.

This product includes software developed by Jared Minch.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit(http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product contains software based on oprofile, which is protected under the GNU Public License.

This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html)and licensed under the GNU General Public License.

This product contains software licensed from Dr. Brian Gladman under the GNU General Public License.

This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

This product includes Hypersonic SQL.

This product contains software developed by the Regents of the University of California, Sun Microsystems,Inc., Scriptics Corporation, and others.

This product includes software developed by the Internet Software Consortium.

This product includes software developed by Nominum, Inc. (http://www.nominum.com).

This product contains software developed by Broadcom Corporation, which is protected under the GNUPublic License.

This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser GeneralPublic License, as published by the Free Software Foundation.

This product includes software developed by the Computer Systems Engineering Group at LawrenceBerkeley Laboratory. Copyright ©1990-1994 Regents of the University of California. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted providedthat the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and thefollowing disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and thefollowing disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the followingacknowledgment: This product includes software developed by the Computer Systems EngineeringGroup at Lawrence Berkeley Laboratory.

4. Neither the name of the University nor of the Laboratory may be used to endorse or promote productsderived from this software without specific prior written permission.

16

Acknowledgments

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANYEXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANYDIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by Sony Computer Science Laboratories Inc. Copyright ©

1997-2003 Sony Computer Science Laboratories Inc. All rights reserved. Redistribution and use in sourceand binary forms, with or without modification, are permitted provided that the following conditions aremet:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and thefollowing disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and thefollowing disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY SONY CSL AND CONTRIBUTORS "AS IS" AND ANY EXPRESSOR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIESOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. INNO EVENT SHALL SONY CSL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUTNOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORYOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes the GeoPoint Database developed by Quova, Inc. and its contributors.

This product includes software developed by Ian Gulliver ©2006, which is protected under the GNU GeneralPublic License, as published by the Free Software Foundation.

17

BIG-IP® Local Traffic Manager®: Implementations

18

Acknowledgments

Chapter

1

Configuring a Simple Intranet

Topics:

• Overview: A simple intranet configuration• Task summary

Overview: A simple intranet configuration

The simple intranet implementation is commonly found in a corporate intranet (see the following illustration).In this implementation, the BIG-IP® system performs load balancing for several different types of connectionrequests:

• HTTP connections to the company's intranet web site. The BIG-IP system load balances the two webservers that host the corporate intranet web site, Corporate.main.net.

• HTTP connections to Internet content. These are handled through a pair of cache servers that are alsoload balanced by the BIG-IP system.

• Non-HTTP connections to the Internet.

As the illustration shows, the non-intranet connections are handled by wildcard virtual servers; that is,servers with the IP address 0.0.0.0. The wildcard virtual server that is handling traffic to the cache serversis port specific, specifying port 80 for HTTP requests. As a result, all HTTP requests not matching an IPaddress on the intranet are directed to the cache server. The wildcard virtual server handling non-HTTPrequests is a default wildcard server. A default wildcard virtual server is one that uses only port 0. Thismakes it a catch-all match for outgoing traffic that does not match any standard virtual server or anyport-specific wildcard virtual server.

Task summary

To create this configuration, you need to complete these tasks.

Task list

Creating a pool

Creating a virtual server

20


Creating a pool

You can a create pool of servers that you group together to receive and process traffic, to efficiently distributethe load on your server resources.

1. On the Main tab, click Local Traffic > Pools.The Pool List screen opens.

2. Click Create.The New Pool screen opens.

3. In the Name field, type a unique name for the pool.

4. In the Resources area of the screen, use the New Members setting to add the pool members. For example,in the illustration, the pool members for http_pool are 192.168.100.10:80 and 192.168.100.11:80.The pool members for specificport_pool are 192.168.100.20:80 and 192.168.100.21:80.

5. Click Finished.

The load balancing pool appears in the Pools list.


This task creates a destination IP address for application traffic. As part of this task, you must assign therelevant pool to the virtual server.

1. On the Main tab, click Local Traffic > Virtual Servers .The Virtual Server List screen displays a list of existing virtual servers.

2. Click the Create button.The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. In the Destination field, verify that the type of virtual server is Host, and in the Addressfield, type anIP address for the virtual server. For example, you can assign the IP address 192.168.200.30:80 to thevirtual server that processes HTTP traffic. For load balancing connections to cache servers, you canassign the address 0.0.0.0:80 to the virtual server, making it a wildcard virtual server. To create aforwarding virtual server, you can assign the address 0.0.0.0:0.

5. In the Service Port field, type 80, or select HTTP from the list.

6. In the Configuration area of the screen, locate the Type setting and select either Standard or Forwarding(IP).

7. From the HTTP Profile list, select an HTTP profile.

8. In the Resources area of the screen, from the Default Pool list, select a pool name.

9. Click Finished.

You now have a virtual server to use as a destination address for application traffic.

21


22


Chapter

2

Configuring ISP Load Balancing

Topics:

• Overview: ISP load balancing• Task summary for ISP load balancing

Overview: ISP load balancing

You might find that as your network grows, or network traffic increases, you require an additional connectionto the Internet. You can use this configuration to add an Internet connection to your existing network. Thefollowing illustration shows a network configured with two Internet connections.

Illustration of ISP load balancing

Task summary for ISP load balancing

There are number of tasks you must perform to implement load balancing for ISPs.

Task list

Creating a load balancing pool

Creating a virtual server for inbound content server traffic

Creating a virtual server for outbound traffic for routers

Creating self IP addresses an external VLAN

Enabling SNAT automap for internal and external VLANs


You can a create load balancing pool, which is a logical set of devices, such as web servers, that you grouptogether to receive and process traffic, to efficiently distribute the load on your resources. Using thisprocedure, create one pool that load balances the content servers, and one pool to load balance the routers.

24





4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move themonitor to the Active list.

Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.

5. From the Load Balancing Method list, select how the system distributes traffic to members of thispool.

The default is Round Robin.

6. For the Priority Group Activation setting, select the way to handle priority groups:

• Retain the default option, Disabled to disable priority groups.• Select Less than, and type the minimum number of members in the Available Members field that

must remain available in each priority group in order for traffic to remain confined to that group.

7. Using the New Members setting, add each resource that you want to include in the pool:

a) Either type an IP address in the Address field, or select a node address from the Node List.b) Type a port number in the Service Port field, or select a service name from the list.c) To specify a priority group, type a priority number in the Priority field.d) Click Add.

8. Click Repeat and create another pool.

9. Click Finished.

The load balancing pools appear in the Pools list.

Creating a virtual server for inbound content server traffic

You must create a virtual server to load balance inbound connections. The default pool that you assign asa resource in this procedure is the pool of internal servers.




4. For the Destination setting, in the Address field, type the IP address you want to use for the virtualserver.

The IP address you type must be available and not in the loopback network.

5. Type a port number in the Service Port field, or select a service name from the Service Port list.

6. If the traffic to be load balanced is of a certain type, select the profile type that matches the connectiontype.To load balance HTTP traffic, locate the HTTP Profile setting and select http.


8. Click Finished.

25


The virtual server is configured to load balance inbound connections to the servers.

Creating a virtual server for outbound traffic for routers

You must create a virtual server to load balance outbound connections. The default pool that you assign asa resource in this procedure is the pool of routers.







6. Click Finished.

The virtual server is configured to load balance outbound connections to the routers.

Creating self IP addresses an external VLAN

You must assign two self IP addresses to the external VLAN.

1. On the Main tab, click Network > Self IPs.The Self IPs screen opens.

2. Click Create.The New Self IP screen opens.

3. In the IP Address field, type an IP address.

This IP address should represent the network of the router.

The system accepts IP addresses in both the IPv4 and IPv6 formats.

4. In the Netmask field, type the network mask for the specified IP address.

5. Select External from the VLAN list.

6. Click Repeat.


This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnelsetting.


8. Click Finished.The screen refreshes, and displays the new self IP address in the list.

The self IP address is assigned to the external VLAN.

Enabling SNAT automap for internal and external VLANs

You can configure SNAT automapping on the BIG-IP system for internal and external VLANs.

1. On the Main tab, click Local Traffic > SNATs .The SNAT List screen displays a list of existing SNATs.

26


2. Click Create.

3. Name the new SNAT.

4. From the Translation list, select automap.

5. For the VLAN List setting, in the Available field, select external and external, and using the Movebutton, move the VLANs to the Selected field.

6. Click Finished.

SNAT automapping on the BIG-IP system is configured for internal and external VLANs.

27


28


Chapter

3

Routing Based on XML Content

Topics:

• Overview: XML content-based routing• Task summary

Overview: XML content-based routing

You can use the BIG-IP® system to perform XML content-based routing whereby the system routes requeststo an appropriate pool, pool member, or virtual server based on specific content in an XML document. Forexample, if your company transfers information in XML format, you could use this feature to examine theXML content with the intent to route the information to the appropriate department.

You configure content-based routing by creating an XML profile and associating it with a virtual server.In the XML profile, define the matching content to look for in the XML document. Next, specify how toroute the traffic to a pool by writing simple iRules®. When the system discovers a match, it triggers an iRuleevent, and then you can configure the system to route traffic to a virtual server, a pool, or a node. You canallow multiple query matches, if needed.

This example shows a simple XML document that the system could use to perform content-based routing.It includes an element called FinanceObject used in this implementation.

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:eai="http://192.168.149.250/eai_enu/"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"> <soapenv:Header/> <soapenv:Body> <eai:SiebelEmployeeDeletesoapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <FinanceObject xsi:type="xsd:string">Route to Financing</FinanceObject> <SiebelMessage xsi:type="ns:ListOfEmployeeInterfaceTopElmt"xmlns:ns="http://www.siebel.com/xml"> <ListOfEmployeeInterface xsi:type="ns:ListOfEmployeeInterface"> <SecretKey>123456789</SecretKey> <Employee>John</Employee> <Title>CEO</Title> </ListOfEmployeeInterface> </SiebelMessage> </eai:SiebelEmployeeDelete> </soapenv:Body></soapenv:Envelope>

Task summary

You can perform tasks to enable XML content-based routing whereby the system routes requests to anappropriate pool, pool member, or virtual server based on specific content in an XML document.

Task list

Creating a custom XML profile

Writing XPath queries

Creating a pool to manage HTTP traffic

Creating an iRule

30


Viewing statistics about XML content-based routing

Creating a custom XML profile

To implement content-based routing, you first need to use the BIG-IP® Configuration utility to create anXML profile. XML profiles specify the content to look for in XML documents. In the XML profile, youdefine XPath queries to locate items in an XML document.

1. On the Main tab, click Local Traffic > Profiles > Services > XML.

2. On the New XML Profile screen, click Create.

3. In the Name field, type a unique name for the XML profile, such as cbr_xml_profile.

4. In the Settings area, select the Custom check box at right.The Namespace Mappings and XPath Queries settings become available.

5. If you want to reference XML elements with namespaces in XPath queries, from Namespace Mappings,select Specify.The screen displays the Namespace Mappings List settings.

6. Add namespaces to the list:

a) In the Prefix field, type the namespace prefix.b) In the Namespace field, type the URL that the prefix maps to.c) Click Add to add the namespace to the Namespace Mappings List.

7. To define the matching criteria in the XML document, from XPath Queries, select Specify.The screen displays the XPath Queries settings.

8. Add XPath queries to the list:

a) In the XPath field, type an XPath expression.For example, to look for an element called FinanceObject, type //FinanceObject.

b) Click Add to add the XPath expression to the XPath Queries list.

You can define up to three XPath queries.

The expression is added to the list.

9. To allow each query to have multiple matches, select Multiple Query Matches.

10. Click Finished.The system creates an XML profile.

Writing XPath queries

You can write up to three XPath queries to define the content that you are looking for in XML documents.When writing XPath queries, you use a subset of the XPath syntax described in the XML Path Language(XPath) standard at http://www.w3.org/TR/xpath.

These are the rules for writing XPath queries for XML content-based routing.

1. Express the queries in abbreviated form.

2. Map all prefixes to namespaces.

3. Use only ASCII characters in queries.

4. Write queries to match elements and attributes.

5. Use wildcards as needed for elements and namespaces; for example, //emp:employee/*.

6. Do not use predicates in queries.

31


Syntax for XPath expressionsThis table shows the syntax to use for XPath expressions.

DescriptionExpression

Selects all child nodes of the named node.Nodename

Selects all attribute nodes of the named node.@Attname

Indicates XPath step./

Selects nodes that match the selection no matterwhere they are in the document.

//

XPath query examplesThis table shows examples of XPath queries.

DescriptionQuery

Selects the root element a./a

Selects all b elements wherever they appear in the document.//b

Selects any element in a namespace bound to prefix b, which is a child of the root element a./a/b:*

Selects elements in the namespace of element c, which is bound to prefix b, and is a child of elementa.

//a/b:c


For implementing content-based routing, you can create one or more pools that contain the servers whereyou want the system to send the traffic. You write an iRule to route the traffic to the pool.

If you want to specify a default pool to which to send traffic when it does not match the content you arelooking for, repeat the procedure to create a second pool. You specify the default pool in the virtual server.Alternatively, you can create a node or a virtual server to route traffic to instead of creating a pool.



3. In the Name field, type a name for the pool, such as finance_pool.

4. For the Health Monitors setting, from the Available list, select the http monitor, and click << to movethe monitor to the Active list.







32


a) Type an IP address in the Address field, or select a node address from the Node List.b) Type 80 in the Service Port field, or select HTTP from the list.c) (Optional) Type a priority number in the Priority field.d) Click Add.

8. Click Finished.

The new pool appears in the Pools list.

Creating an iRule

You create iRules® to automate traffic forwarding for XML content-based routing. When a match occurs,an iRule event is triggered, and the iRule directs the individual request to a pool, a node, or virtual server.This implementation targets a pool.

1. On the Main tab, click Local Traffic > iRules .

2. Click Create.

3. In the Name field, type a 1- to 31-character name, such as XML_CBR_iRule.

4. In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax.

For complete and detailed information iRules syntax, see the F5 Networks DevCentral websitehttp://devcentral.f5.com.

5. Click Finished.

Example of an iRule for XML content-based routing

This example shows an iRule that queries for an element called FinanceObject in XML content and ifa match is found, an iRule event is triggered. The system populates the values of the Tcl variables($XML::count, $XML::queries, and $XML::values). Then the system routes traffic to a pool calledfinance_pool.

when XML_CONTENT_BASED_ROUTING{ for {set i 0} { $i < $XML::count } {incr i} { log local0. $XML::queries($i) log local0. $XML::values($i) if {($XML::queries($i) contains "FinanceObject")} { pool finance_pool } }}

Tcl variables in iRules for XML routingThis table lists and describes the Tcl variables in the sample iRule.

DescriptionTcl variable

Shows the number of matching queries.$XML::count

Contains an array of the matching query names.$XML::queries

Holds the values of the matching elements.$XML::values

33


Viewing statistics about XML content-based routing

You can view statistics about XML content-based routing to make sure that the routing is working.

Note: The system first checks for a match, then checks for malformedness of XML content. So ifthe system detects a match, it stops checking, and may not detect any subsequent parts of thedocument that are malformed.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic .The Local Traffic Statistics screen opens.

2. From the Statistics Type list, select Profiles Summary.

3. In the Global Profile Statistics area, for the Profile Type XML, click View in the Details.The system displays information about the number of XML documents that were inspected, the numberof documents that had zero to three matches, and the number of XML documents that were found to bemalformed.

34


Chapter

4

Configuring an EtherIP Tunnel

Topics:

• Overview: Preserving BIG-IP connectionsduring live virtual machine migration

• Task summary• Implementation results

Overview: Preserving BIG-IP connections during live virtual machinemigration

In some network configurations, the BIG-IP® system is configured to send application traffic to destinationservers that are implemented as VMware® virtual machines (VMs). These VMs can undergo live migration,using VMware vMotion™ and an iSession™ tunnel, across a wide area network (WAN) to a host in anotherdata center.

To preserve any existing connections between the BIG-IP system and a virtual machine while the virtualmachine migrates to another data center, you can create an EtherIP tunnel.

An EtherIP tunnel is an object that you create on each of two BIG-IP systems that sit on either side of aWAN. The EtherIP tunnel uses the industry-standard EtherIP protocol to tunnel Ethernet and IEEE 802.3media access control (MAC) frames across an IP network. The two EtherIP tunnel objects together form atunnel that logically connects two data centers. When the application traffic that flows between one of theBIG-IP systems and the VM is routed through the EtherIP tunnel, connections are preserved during andafter the VM migration.

After you have configured the BIG-IP system to preserve connections to migrating VMs, you can create aVirtual Location monitor for the pool. A Virtual Location monitor ensures that the BIG-IP system sendsconnections to a local pool member rather than a remote pool one, when some of the pool members havemigrated to a remote data center.

Tip: The BIG-IP system that is located on each end of an EtherIP tunnel can be part of a redundantsystem configuration. Make sure that both units of any redundant system configuration reside onthe same side of the tunnel.

Illustration of EtherIP tunneling in a vMotion environment

36


Task summary

Implement an EtherIP tunneling configuration to prevent the BIG-IP® system from dropping existingconnections to migrating virtual machines in a vMotion environment. To set up this configuration, you mustverify a few prerequisite tasks, as well as create some configuration objects on the BIG-IP system.

Important: Perform these tasks on the BIG-IP system in both the local data center and the remotedata center.

Prerequisites

Before you begin configuring EtherIP tunneling, verify that these BIG-IP objects and module exist on theBIG-IP system:

This profile creates an iSession tunnel to optimize the live migrationof virtual machine servers from one data center to another.

An iSession profile

This pool represents a collection of virtual machines on a host serverin the data center.

A load balancing pool

This virtual server load balances application traffic and optimizesvMotion traffic. This virtual server must reference the iSession profileand the load balancing pool.

A standard TCP or UDP virtualserver

These VLANs are named external and internal.The default VLANs

This module directs traffic to the correct BIG-IP® Local TrafficManager™ virtual server.

BIG-IP Global Traffic Manager™

Task list

Creating a VLAN

Creating an EtherIP profile

Creating an EtherIP tunnel object

Creating a VLAN group

Creating a self IP for a VLAN

Creating a self IP for a VLAN group

Creating a Virtual Location monitor

Syncing the BIG-IP configuration to the device group

Creating a VLAN

VLANs represent a collection of hosts that can share network resources, regardless of their physical locationon the network.

1. On the Main tab, click Network > VLANs.The VLAN List screen opens.

2. Click Create.The New VLAN screen opens.

3. In the Name field, type a unique name for the VLAN.

37


Names can contain only letters, numbers, and the underscore character.

4. In the Tag field, type a numeric tag, from 1 to 4094, for the VLAN. Leave the field blank if you wantthe BIG-IP system to automatically assign a VLAN tag.

The VLAN tag identifies the traffic from hosts in the associated VLAN.

5. For the Interfaces setting, in the Available list, click an interface number or trunk name and add theselected interface or trunk to the Untagged list. Repeat this step as necessary.

6. From the Configuration list, select Advanced.

7. Select the Source Check check box if you want the system to verify that the return route to an initialpacket is the same VLAN from which the packet originated.

8. If you want to base redundant-system failover on VLAN-related events, check the Fail-safe box.

9. In the MTU field, retain the default number of bytes (1500).

10. Click Finished.The screen refreshes, and displays the new VLAN in the list.

Creating an EtherIP profile

An EtherIP profile is a required component of an EtherIP tunnel in a vMotion™ environment. An EtherIPprofile manages application traffic that traverses an EtherIP tunnel, for the purpose of preserving connectionswhen a virtual machine is migrating to another data center. You must perform this task using the TrafficManagement shell (tmsh), a command-line utility.

1. On the BIG-IP®system, start a console session.

2. Type a user name and password, and press Enter.

3. At the system prompt, type tmsh, and press Enter.This opens the Traffic Management shell (tmsh).

4. At the tmsh prompt, type net tunnel, and press Enter.

5. Type create etherip etherip_profile_name, and press Enter.This command creates an EtherIP profile, assigning all of the default values.

6. Type save / sys config, and press Enter.

7. To exit the Traffic Management shell (tmsh), type quit, and press Enter.

You now have an EtherIP profile that you can specify when you create an EtherIP tunnel object.

Creating an EtherIP tunnel object

Prerequisites: You must know the self IP address of the instance of the VLAN that exists, or will exist, onthe BIG-IP® system in the other data center.

The purpose of an EtherIP tunnel that contains an EtherIP type of profile is to enable the BIG-IP system topreserve any current connections to a server that is migrating to another data center by way of vMotion™.You must perform this task using the Traffic Management shell (tmsh), a command-line utility.

1. On the BIG-IP system, start a console session.

2. Type a user name and password, and press Enter.

3. At the system prompt, type tmsh and press Enter.This opens the Traffic Management shell (tmsh).

4. Type net tunnels, and press Enter.

5. Type the following command, and then press Enter:

38


Note that the self IP addresses that you specify are those that you create for the VLAN on both the localand the remote BIG-IP system.

create tunnel tunnel_name profile etherip local-addresslocal_self_ip_address remote-address remote_self_ip_address

6. Type save / sys config, and press Enter.

7. To exit the Traffic Management shell (tmsh), type quit, and press Enter.

The BIG-IP system configuration now includes a tunnel object.


VLAN groups consolidate Layer 2 traffic from two or more separate VLANs.

1. On the Main tab, click Network > VLANs > VLAN Groups.The VLAN Groups list screen opens.

2. Click Create.The New VLAN Group screen opens.

3. In the General Properties area, in the VLAN Group field, type a unique name for the VLAN group.


4. For the VLANs setting, move the VLANs that you want to include in the group from the Available listto the Members list.

5. From the Transparency Mode list, select a transparency mode, or retain the default setting,Transparent.

The transparency mode determines the level of exposure of remote MAC addresses within the VLANgroup traffic.

PurposeMode

The MAC addresses of remote systems are exposed in Layer 2 trafficforwarding.

Transparent

Similar to Transparent mode, except the locally-unique bit is set in theMAC addresses of remote systems.

Translucent

The system uses proxy ARP with Layer 3 forwarding, so the MAC addressesof remote systems are not exposed.

Opaque

6. Select the Bridge All Traffic check box if you want the VLAN group to forward all frames, includingnon-IP traffic.

The default setting is disabled (not selected).

7. Leave the Bridge in Standby check box selected if you want the VLAN group to forward frames evenwhen the system is the standby unit of a redundant system.

8. Click Finished.

Creating a self IP for a VLAN

Ensure that you have at least one VLAN or VLAN group configured before you create a self IP address.

Self IP addresses enable the BIG-IP® system, and other devices on the network, to route application trafficthrough the associated VLAN or VLAN group.

1. On the Main tab, click Network > Self IPs.

39


The Self IPs screen opens.


3. In the Name field, type a unique name for the self IP.



This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnelsetting.



6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address. If creating a selfIP address for an address space:

• On the internal network, select the VLAN that is associated with an internal interface or trunk.• On the external network, select the VLAN that is associated with an external interface or trunk.

7. From the Port Lockdown list, select Allow Default.


The BIG-IP system can send and receive traffic through the specified VLAN or VLAN group.



After you have created the VLAN group, create a self IP address for the VLAN group. The self IP addressfor the VLAN group provides a route for packets destined for the network. With the BIG-IP® system, thepath to an IP network is a VLAN. However, with the VLAN group feature used in this procedure, the pathto the IP network 10.0.0.0 is actually through more than one VLAN. As IP routers are designed to haveonly one physical route to a network, a routing conflict can occur. The self IP address feature on the BIG-IPsystem allows you to resolve the routing conflict by associating a self IP address with the VLAN group.




This IP address should represent the address space of the VLAN group that you specify with theVLAN/Tunnel setting.



5. From the VLAN/Tunnel list, select the VLAN group with which to associate this self IP address.




40



When the BIG-IP® system is directing application traffic to pool members that are implemented as virtualmachines, you should configure a Virtual Location type of monitor on the BIG-IP system. A Virtual Locationmonitor determines if a pool member is local to the data center or remote, and assigns a priority group tothe pool member accordingly. The monitor assigns remote pool members a lower priority than local members,thus ensuring that the BIG-IP directs application requests to local pool members whenever possible.

1. On the Main tab, click Local Traffic > Monitors .The Monitor List screen opens.

2. Click Create.The New Monitor screen opens.

3. Type my_virtual_location_monitor in the Name field.

4. From the Type list, select Virtual Location.


6. Retain the default value (in seconds) of 5 in the Interval field.

7. Retain the default value of Disabled in the Up Interval list.

8. Retain the default value (in seconds) of 0 in the Time Until Up field.

9. Retain the default value (in seconds) of 16 in the Timeout field.

10. Type the name of the pool that you created prior to configuring EtherIP tunneling in the Pool Namefield.

11. Click Finished.

After configuring the Virtual Location monitor, the BIG-IP system assigns each member of the designatedpool a priority group value to ensure that incoming connections are directed to a local pool member wheneverpossible.

F5 Networks recommends that you verify that BIG-IP® Global Traffic Manager™(GTM™) has automaticallyassigned a BIG-IP type of monitor to BIG-IP® Local Traffic Manager™(LTM®). A BIG-IP type of monitorcan use the priority group assigned to each pool member to retrieve a gtm_score value.

Syncing the BIG-IP configuration to the device group

Prerequisite: Ensure that all devices targeted for config sync are members of a device group.

To ensure that the entire redundant system configuration operates properly within the device group, youmust synchronize the BIG-IP® configuration data from the local device to all devices in the group.

Important: Perform the following procedure on one of the two devices.

Note: When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IPaddresses only. Static self IP addresses are not synchronized.

1. On the Main tab, click Device Management > Device Groups.This displays a list of existing device groups, if any.

2. In the Group Name column, click the name of the relevant device group.

3. On the menu bar, click Config Sync.

4. Click Synchronize TO Group.

41


Except for static self IP addresses, the entire set of BIG-IP configuration data is replicated on each devicein the device group.

Task summary


Task summary

Implementation results

After you configure EtherIP tunneling on the BIG-IP system, you must perform the same configurationprocedure on the BIG-IP system in the remote data center to fully establish the EtherIP tunnel.

After the tunnel is established, the BIG-IP system preserves any open connections to migrating (or migrated)virtual machine servers.

42


Chapter

5

Configuring nPath Routing

Topics:

• Overview: Layer 2 nPath routing• About Layer 2 nPath routing configuration• Guidelines for UDP timeouts• Guidelines for TCP timeouts• Task summary

Overview: Layer 2 nPath routing

With the Layer 2 nPath routing configuration, you can route outgoing server traffic around the BIG-IP®

system directly to an outbound router. This method of traffic management increases outbound throughputbecause packets do not need to be transmitted to the BIG-IP system for translation and then forwarded tothe next hop.

Note: The type of virtual server that processes the incoming traffic must be a transparent,non-translating type of virtual server.

In bypassing the BIG-IP system on the return path, Layer 2 nPath routing departs significantly from a typicalload-balancing configuration. In a typical load-balancing configuration, the destination address of theincoming packet is translated from that of the virtual server to that of the server being load balanced to,which then becomes the source address of the returning packet. A default route set to the BIG-IP systemthen sees to it that packets returning to the originating client return through the BIG-IP system, whichtranslates the source address back to that of the virtual server. The nPath configuration differs from thetypical load-balancing configuration, as illustrated in the following section.

Note: Do not attempt to use nPath routing for Layer 7 traffic. Certain traffic features do not workproperly if Layer 7 traffic bypasses the BIG-IP system on the return path.

About Layer 2 nPath routing configuration

The Layer 2 nPath routing configuration differs from the typical BIG-IP® load balancing configuration inthe following ways:

• The default route on the content servers must be set to the router's internal address (10.1.1.1 in theillustration) rather than to the BIG-IP system's floating self IP address (10.1.1.10). This causes the returnpacket to bypass the BIG-IP system.

• If you plan to use an nPath configuration for TCP traffic, you must create a Fast L4 profile with thefollowing custom settings:

• Enable the Loose Close setting. When you enable this setting, the TCP protocol flow expires morequickly, after a TCP FIN packet is seen. (A FIN packet indicates the tearing down of a previousconnection.)

44


• Set the TCP Close Timeout setting to the same value as the profile idle timeout if you expect halfcloses. If not, you can set this value to 5 seconds.

• Because address translation and port translation have been disabled, when the incoming packet arrivesat the pool member it is load balanced to the virtual server address (176.16.1.1 in the illustration), notto the address of the server. For the server to respond to that address, that address must be configuredon the loopback interface of the server and configured for use with the server software.

Guidelines for UDP timeouts

When you configure nPath for UDP traffic, the BIG-IP® system tracks packets sent between the same sourceand destination address to the same destination port as a connection. This is necessary to ensure the clientrequests that are part of a session always go to the same server. Therefore, a UDP connection is really aform of persistence, because UDP is a connectionless protocol.

To calculate the timeout for UDP, estimate the maximum amount of time that a server transmits UDPpackets before a packet is sent by the client. In some cases, the server might transmit hundreds of packetsover several minutes before ending the session or waiting for a client response.

Guidelines for TCP timeouts

When you configure nPath for TCP traffic, the BIG-IP® system recognizes only the client side of theconnection. For example, in the TCP three-way handshake, the BIG-IP system sees the SYN from the clientto the server, and does not see the SYN acknowledgment from the server to the client, but does see theacknowledgment of the acknowledgment from the client to the server. The timeout for the connection shouldmatch the combined TCP retransmission timeout (RTO) of the client and the node as closely as possible toensure that all connections are successful.

The maximum initial RTO observed on most UNIX and Windows® systems is approximately 25 seconds.Therefore, a timeout of 51 seconds should adequately cover the worst case. When a TCP session isestablished, an adaptive timeout is used. In most cases, this results in a faster timeout on the client and node.Only in the event that your clients are on slow, lossy networks would you ever require a higher TCP timeoutfor established connections.

Task summary

There are several tasks you perform to create a Layer 2 nPath routing configuration.

Task list

Creating a custom Fast L4 profile

Creating a server pool for nPath routing

Creating a virtual server for Layer 2 nPath routing

Configuring the virtual address on the server loopback interface

Setting the route for inbound traffic

45


Configuring the Connection.Autolasthop bigdb key

Creating a custom Fast L4 profile

The first task you must complete to create a Layer 2 nPath routing configuration is to create a custom FastL4 profile.

1. On the Main tab, click Local Traffic > Profiles > Protocol > Fast L4 .The Fast L4 screen opens.

2. Click Create.The New Fast L4 Profile screen opens.

3. In the Name field, type a name for the profile.

Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.

4. Select the Custom check box.The fields in the Settings area become available for revision.

5. Select the Loose Close check box.

6. Set the TCP Close Timeout setting, according to the type of traffic the virtual server is going to handle.

7. Click Finished.

The custom Fast L4 profile appears in the list of Fast L4 profiles.

Creating a server pool for nPath routing

After you create a custom Fast L4 profile, you need to create a server pool.








6. Click Finished.

Creating a virtual server for Layer 2 nPath routing

After you create a server pool, you need to create a virtual server that references the profile and pool youcreated.

1. On the Main tab, click Local Traffic > Virtual Servers .

46


The Virtual Server List screen displays a list of existing virtual servers.






6. From the Type list, select Performance (Layer 4).

7. From the Protocol list, select one of the following:

• UDP• TCP• * All Protocols

8. From the Protocol Profile (Client) list, select a predefined or user-defined Fast L4 profile.

9. Clear the Address Translation Enabled check box.

10. Clear the Port Translation Enabled check box.

11. In the Resources section, from the Default Pool list, select a user-defined pool.

12. Click Finished.

Configuring the virtual address on the server loopback interface

You must place the IP address of the virtual server (176.16.1.1 in the illustration) on the loopback interfaceof each server. Most UNIX variants have a loopback interface named lo0. Consult your server operatingsystem documentation for information about configuring an IP address on the loopback interface. Theloopback interface is ideal for the nPath configuration because it does not participate in the ARP protocol.

Setting the route for inbound traffic

For inbound traffic, you must define a route through the BIG-IP® system self IP address to the virtual server.In the example, this route is 176.16.1.1, with the external self IP address 10.1.1.10 as the gateway.

Note: You need to set this route only if the virtual server is on a different subnet than the router.

For information about how to define this route, please refer to the documentation provided with your router.

Configuring the Connection.Autolasthop bigdb key

To ensure that nPath routing works correctly, you must verify that the bigdb configuration keyconnection.autolasthop is set to enable. This is relevant for both IPv4 and IPv6 addressing formats. Toverify that this bigdb key is enabled, type this command at the tmsh prompt:

modify sys db Connection.Autolasthop value enable

47


48


Chapter

6

Configuring Layer 3 nPath Routing

Topics:

• Overview: Layer 3 nPath routing• Configuring Layer 3 nPath routing using

TMSH• Layer 3 nPath routing example

Overview: Layer 3 nPath routing

Using Layer 3 nPath routing, you can load balance traffic over a routed topology in your data center. In thisdeployment, the server sends its responses directly back to the client, even when the servers, and anyintermediate routers, are on different networks. This routing method uses IP encapsulation to create auni-directional outbound tunnel from the server pool to the server.

You can also override the encapsulation for a specified pool member, and either remove that pool memberfrom any encapsulation or specify a different encapsulation protocol. The available encapsulation protocolsare IPIP and GRE.

Figure 1: Example of a Layer 3 routing configuration

This illustration shows the path of a packet in a deployment that uses Layer 3 nPath routing through a tunnel.

1. The client sends traffic to a Fast L4 virtual server.2. The pool encapsulates the packet and sends it through a tunnel to the server.3. The server removes the encapsulation header and returns the packet to the network.4. The target application receives the original packet, processes it, and responds directly to the client.

Configuring Layer 3 nPath routing using TMSH

Before performing this procedure, determine the IP address of the loopback interface for each server in theserver pool.

Use Layer 3 nPath routing to provide direct server return for traffic in a routed topology in your data center.

50


1. On the BIG-IP® system, start a console session.

2. Create a server pool with an encapsulation profile.

tmsh create ltm pool npath_ipip_pool profiles add { ipip } members add { 10.7.1.7:any 10.7.1.8:any 10.7.1.9:any }

This command creates the pool npath_ipip_pool, which has three members that specify all services:10.7.1.7:any, 10.7.1.8:any, and 10.7.1.9:any, and applies IPIP encapsulation to outboundtraffic.

3. Create a profile that disables hardware acceleration.

tmsh create ltm profile fastl4 fastl4_npath pva-acceleration none

This command disables the Packet Velocity® ASIC acceleration mode in the new Fast L4 profile namedfastl4_npath.

4. Create a virtual server that has address translation disabled, and includes the pool with the encapsulationprofile.

tmsh create ltm virtual npath_udp destination 176.16.1.1:anypool npath_ipip_pool profiles add { fastl4_npath } translate-addressdisabled ip-protocol udp

This command creates a virtual server named npath_udp that intercepts all UDP traffic, does not useaddress translation, and does not use hardware acceleration. The destination address 176.16.1.1matches the IP address of the loopback interface on each server.

These implementation steps configure only the BIG-IP device in a deployment example. To configure otherdevices in your network for L3 nPath routing, consult the device manufacturer's documentation for settingup direct server return (DSR) for each device.

Layer 3 nPath routing example

The following illustration shows one example of an L3 nPath routing configuration in a network.

51


Figure 2: Example of a Layer 3 routing configuration

The following examples show the configuration code that support the illustration.

Client configuration:

# ifconfig eth0 inet 10.102.45.10 netmask 255.255.255.0 up# route add –net 10.0.0.0 netmask 255.0.0.0 gw 10.102.45.1

BIG-IP® device configuration:

# - create node pointing to server's ethernet address# ltm node 10.102.4.10 {# address 10.102.4.10# }# - create transparent monitor# ltm monitor tcp t.ipip {# defaults-from tcp# destination 10.102.3.202:http# interval 5# time-until-up 0# timeout 16# transparent enabled# }# - create pool with ipip profile# ltm pool ipip.pool {# members {# 10.102.4.10:any { - real server's ip address# address 10.102.4.10# }# }# monitor t.ipip - transparent monitor# profiles {# ipip# }# }# - create FastL4 profile with PVA disabled# ltm profile fastl4 fastL4.ipip {

52


# app-service none# pva-acceleration none# }# - create FastL4 virtual with custom FastL4 profile from previous step# ltm virtual test_virtual {# destination 10.102.3.202:any - server's loopback address# ip-protocol tcp# mask 255.255.255.255# pool ipip.pool - pool with ipip profile# profiles {# fastL4.ipip { } - custom fastL4 profile# }# translate-address disabled - translate address disabled# translate-port disabled# vlans-disabled# }

Linux DSR server configuration:

# modprobe ipip# ifconfig tunl0 10.102.4.10 netmask 255.255.255.0 up# ifconfig lo:0 10.102.3.202 netmask 255.255.255.255 -arp up# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce# echo 0 >/proc/sys/net/ipv4/conf/tunl0/rp_filter

53


54


Chapter

7

Creating a Basic Web Site and E-commerce Configuration

Topics:

• Overview: Basic web site and eCommerceconfiguration

• Task summary

Overview: Basic web site and eCommerce configuration

The most common use for the BIG-IP® system is distributing traffic across an array of web servers that hoststandard web traffic, including eCommerce traffic. The following illustration shows a configuration wherea BIG-IP system load balances two sites: www.siterequest.com and store.siterequest.com.The www.siterequest.com site provides standard web content, and the store.siterequest.comsite is the e-commerce site that sells items to www.siterequest.com customers.

Illustration of basic web site and eCommerce configuration

Task summary

You can implement a basic configuration for load balancing application traffic to a web site, as well as loadbalancing secure traffic to an eCommerce site.

Prerequisites

• Verify that you have created two VLANs on the BIG-IP® system. One VLAN should reside on theexternal network and another on the internal network.

• Verify that you have created a self IP address for each VLAN.

Task list


Creating a pool to manage HTTPS traffic

Creating a virtual server to manage HTTP traffic

Creating a virtual server to manage HTTPS traffic


Use this procedure to create a pool to manage HTTP connections.

1. On the Main tab, click Local Traffic > Pools.

56


The Pool List screen opens.











8. Click Finished.



You can a create pool (a logical set of devices, such as web servers, that you group together to receive andprocess HTTPS traffic) to efficiently distribute the load on your server resources.




4. Assign the https or https_443 health monitor from the Available list by moving it to the Active list.






7. Add each resource that you want to include in the pool using the New Members setting:

a) Type an IP address in the Address field, or select a node address from the Node List.b) Type 443 in the Service Port field, or select HTTPS from the list.c) (Optional) Type a priority number in the Priority field.d) Click Add.

57


8. Click Finished.

The HTTPS load balancing pool now appears in the Pool List screen.

Creating a virtual server to manage HTTP traffic

You can create a virtual server to manage HTTP traffic as either a host virtual server or a network virtualserver.







6. From the HTTP Profile list, select http .

7. From the HTTP Compression Profile list, select one of the following profiles:

• httpcompression.• wan-optimized-compression.• A customized profile.

8. (Optional) In the Web Acceleration Profile list, select one of the following profiles:

• optimized-acceleration.• optimized-caching.• webacceleration.• A customized profile.


10. Click Finished.

The HTTP virtual server appears in the list of existing virtual servers on the Virtual Server List screen.

Creating a virtual server to manage HTTPS traffic

You can specify a virtual server to be either a host virtual server or a network virtual server to manageHTTPS traffic.






5. Type 443 in the Service Port field, or select HTTPS in the list.

58


6. Select http in the HTTP Profile list.



8. In the Web Acceleration Profile list, select one of the following profiles:


9. For the SSL Profile (Client) setting, in the Available field, select clientssl, and using the Move button,move the name to the Selected field.

10. Click Finished.

The HTTPS virtual server appears in the Virtual Server List screen.

59


60


Chapter

8

Installing a BIG-IP System Without Changing the IP Network

Topics:

• Overview: Installing a BIG-IP system withoutchanging the IP network

• Task summary

Overview: Installing a BIG-IP system without changing the IP network

A combination of several features of the BIG-IP®system allows you to place a BIG-IP system in a networkwithout changing the existing IP network. The following illustration shows the data center topology beforeyou add the BIG-IP system. The data center has one LAN, with one IP network, 10.0.0.0. The datacenter has one router to the Internet, two web servers, and a back-end mail server.

The existing data center structure does not support load balancing or high availability. The followingillustration shows an example of the data center topology after you add the BIG-IP system.

62


Task summary

To configure the BIG-IP® system for this implementation, you must perform a few key tasks. The exampleshown in the illustration is based on the use of the default internal and external VLAN configuration withself IP addresses on each of the VLANs that are on the same IP network on which you are installing theBIG-IP system.

Important: The default route on each content server should be set to the IP address of the router.In this example, you set the default route to 10.0.0.2.

Task list

Removing the self IP addresses from the default VLANs



Creating a pool of web servers


Removing the self IP addresses from the default VLANs

Remove the self IP addresses from the individual VLANs. After you create the VLAN group, you willcreate another self IP address for the VLAN group for routing purposes. The individual VLANs no longerneed their own self IP addresses.


2. Select the check box for each IP address and VLAN that you want to delete.

3. Click Delete.

4. Click Delete.

The self IP address is removed from the Self IP list.


VLAN groups consolidate Layer 2 traffic from two or more separate VLANs.

1. On the Main tab, click Network > VLANs > VLAN Groups.The VLAN Groups list screen opens.

2. From the VLAN Groups menu, choose List.

3. Click Create.The New VLAN Group screen opens.

4. In the General Properties area, in the VLAN Group field, type a unique name for the VLAN group.


5. For the VLANs setting, from the Available field select the internal and external VLAN names, andclick << to move the VLAN names to the Members field.

6. Click Finished.

63




Self IP addresses enable the BIG-IP® system, and other devices on the network, to route application trafficthrough the associated VLAN or VLAN group.



3. In the IP Address field, type a self IP address for the VLAN group. In the example shown, this IPaddress is 10.0.0.6.


5. From the VLAN list, select the name of the VLAN group you previously created.




Creating a pool of web servers

You can a create pool of web servers that you group together to receive and process traffic, to efficientlydistribute the load on your server resources.




4. In the Resources area of the screen, use the New Members setting to add the pool members. In ourexample, pool members are 10.0.0.3:80 and 10.0.0.4:80.

5. Click Finished.



A virtual server represents a destination IP address for application traffic.




4. In the Destination field, verify that the type of virtual server is Host, and in the Address field, type anIP address. Continuing with our example, this address would be 10.0.0.5.

5. From the Service Port list, select *All Ports.


64


You now have a destination IP address on the BIG-IP® system for application traffic.

65


66


Chapter

9

Web Hosting Multiple Customers Using an External Switch

Topics:

• Overview: Web hosting multiple customersusing an external switch

• Illustration for hosting multiple customersusing an external switch

• Task summary for hosting multiple customers

Overview: Web hosting multiple customers using an external switch

You can use the BIG-IP® system to provide hosting services, including application delivery, for multiplecustomers.

To host multiple web customers, you can incorporate an external switch into the configurations. In thisillustration, the BIG-IP system has an interface (5.1) assigned to three VLANs on a network. The threeVLANs are vlanA, vlanB, and vlanB. Interface 5.1 processes traffic for all three VLANs. Note that eachVLAN contains two servers, and serves a specific customer.

Tip: An alternate way to implement web hosting for multiple customers is to use the route domainsfeature.

Illustration for hosting multiple customers using an external switch

Task summary for hosting multiple customers

Perform these tasks to host multiple customers using an external switch.

Task list

Creating a VLAN with a tagged interface


Creating a virtual server for HTTP traffic

68



When you create a VLAN with tagged interfaces, each of the specified interfaces can process traffic destinedfor that VLAN.







5. For the Interfaces setting, click an interface number or trunk name in the Available list, and use theMove button to add the selected interface or trunk to the Tagged list. Repeat this step as necessary.

You can use the same interface for other VLANs later, as long as you always assign the interface as atagged interface.





The new VLAN appears in the VLAN list.


You can a create load balancing pool (a logical set of devices, such as web servers, that you group togetherto receive and process traffic) to efficiently distribute the load on your server resources.









• Retain the default option, Disabled to disable priority groups.

69


• Select Less than, and type the minimum number of members in the Available Members field thatmust remain available in each priority group in order for traffic to remain confined to that group.



8. Click Finished.










6. From the HTTP Profile list, select http.


8. Click Finished.


70


Chapter

10

Web Hosting Multiple Customers Using Untagged Interfaces

Topics:

• Overview: Web hosting multiple customersusing untagged interfaces

• Task summary for hosting multiple customers

Overview: Web hosting multiple customers using untagged interfaces

One way to implement web hosting for multiple customers is to use multiple interfaces on the BIG-IP®

system to directly host traffic for multiple customers, without the need for an external switch. With thisscenario, you must configure the VLANs with untagged instead of tagged interfaces. As shown in thefollowing illustration, two BIG-IP system interfaces are assigned to each VLAN. For example, interfaces1.1 and 1.2 are assigned to VLAN vlanA. Each interface is assigned to a VLAN as an untagged interface.

Tip: An alternate way to implement web hosting for multiple customers is to use the route domainsfeature.

Illustration for hosting multiple customers using untagged interfaces

Task summary for hosting multiple customers

Perform these tasks to host multiple customers using tagged interfaces on VLANs.

Task list

Creating a VLAN with an untagged interface



72


Creating a VLAN with an untagged interface

You can create a VLAN that uses untagged interfaces.







5. For the Interfaces setting, in the Available list, click an interface number or trunk name and add theselected interface or trunk to the Untagged list. Repeat this step as necessary.


The interfaces that you specified in this task process traffic for this VLAN only.














a) Either type an IP address in the Address field, or select a node address from the Node List.b) Type a port number in the Service Port field, or select a service name from the list.c) To specify a priority group, type a priority number in the Priority field.

73


d) Click Add.

8. Click Finished.












8. Click Finished.


74


Chapter

11

Web Hosting Multiple Customers Using Route Domains

Topics:

• Overview: Use of route domains to hostmultiple web customers on the BIG-IPsystem

• Task summary

Overview: Use of route domains to host multiple web customers on theBIG-IP system

Using the route domains feature of the BIG-IP® system, you can provide hosting service for multiplecustomers by isolating each type of application traffic within a defined address space on the network. Thisenhances security and dedicates BIG-IP resources to each application.

Implementing route domains also allows you to use duplicate IP addresses on the network, as long as eachof the duplicate addresses resides in a separate route domain and is isolated on the network through a separateVLAN. For example, if you are processing traffic for two different customers, you can create two separateroute domains. The same node address (such as 10.0.10.1) can reside in each route domain, in the samepool or in different pools, and you can assign a different monitor to each of the two corresponding poolmembers.

A good example of the use of traffic isolation on a network is an ISP that services multiple customers, whereeach customer deploys a different application. The first illustration shows two route domain objects on aBIG-IP system, where each route domain corresponds to a separate customer, and thus, resides in its ownpartition. Within each partition, the ISP created the network objects and local traffic objects required forthat customer's application (AppA or AppB).

The sample configuration results in the BIG-IP system segmenting traffic for two different applicationsinto two separate route domains. The routes for each application's traffic cannot cross route domain boundariesbecause cross-routing restrictions are enabled on the BIG-IP system by default. The second illustrationshows the resulting route isolation for AppA and AppB application traffic.

76


Illustration of sample BIG-IP configuration using route domains

Illustration of resulting route domain configuration

77


Task summary

Perform these tasks to host multiple web customers using route domains.

Task list

Creating an administrative partition


Creating a self IP address for a default route domain in an administrative partition

Creating a route domain on BIG-IP LTM



Adding routes that specify VLAN internal as the resource

Creating an administrative partition

An administrative partition creates an access control boundary for users and applications.

1. On the Main tab, expand System and click Users.The Users List screen opens.

2. On the menu bar, click Partition List.

3. Click Create.The New Partition screen opens.

4. Name the partition.


5. (Optional) Type a description in the Description field.

6. For the Device Group setting, choose an action:

ResultAction

Choose this option if you want the folder corresponding to this partition to inheritthe value of the device group attribute from folder root.

Retain thedefault value.

Choose this option if you do not want the folder corresponding to this partition toinherit the value of the device group attribute from folder root.

Clear the checkbox and selectthe name of adevice group.

7. For the Traffic Group setting, choose an action:

ResultAction

Choose this option if you want the folder corresponding to this partition to inheritthe value of the traffic group attribute from folder root.

Retain the defaultvalue.

Choose this option if you do not want the folder corresponding to this partition toinherit the value of the traffic group attribute from folder root.

Clear the checkbox and select thename of a trafficgroup.

78


8. Click Finished.

The new partition appears in the partition list.


When you create a VLAN with tagged interfaces, each of the specified interfaces can process traffic destinedfor that VLAN.







5. For the Interfaces setting, click an interface number or trunk name in the Available list, and use theMove button to add the selected interface or trunk to the Tagged list. Repeat this step as necessary.

You can use the same interface for other VLANs later, as long as you always assign the interface as atagged interface.





The new VLAN appears in the VLAN list.

Creating a self IP address for a default route domain in an administrative partition

Prerequisite: Ensure that you have created an internal VLAN and an external VLAN on the BIG-IP system.

Using this procedure, you must create two self IP addresses on the BIG-IP system. One self IP address isassociated with the internal VLAN, and the other is associated with the external VLAN. Self IP addressesenable the BIG-IP system and other devices on the network to route application traffic through the associatedVLAN.




This IP address should represent the address space of the VLAN that you specify with the VLAN setting.Because the route domain that you previously created is the default route domain for the administrativepartition, you do not need to append the route domain ID to this IP address.



79


5. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address. If creating a selfIP address for an address space:

• On the internal network, select the VLAN that is associated with an internal interface or trunk.• On the external network, select the VLAN that is associated with an external interface or trunk.


The BIG-IP system has a self IP address that is associated with the internal or external network.

Creating a route domain on BIG-IP LTM

Ensure that an external and internal VLAN exist on BIG-IP® LTM®, before you create a route domain.

You can create a route domain on BIG-IP LTM to segment (isolate) network traffic on your network.

1. On the Main tab, click Network > Route Domains.The Route Domain List screen opens.

2. Click Create.The New Route Domain screen opens.

3. Type an ID number for the route domain.This is the ID number that you will append later to any relevant IP addresses that you create on theBIG-IP system, such as virtual addresses, pool member addresses, and self IP addresses.

4. In the Description field, type a description of the route domain.This route domain applies to traffic for application MyApp.

5. In the Strict Isolation area, select the Enabled check box to restrict traffic in this route domain fromcrossing into another route domain.

6. From the Parent Name list, retain the default value.

7. For the VLANs setting, move the external and internal VLANs from the Available list, to the Memberslist.

8. From the Partition Default Route Domain list, select Make this route domain the Partition DefaultRoute Domain.

With this setting, you can designate this route domain to be the default route domain for the currentadministrative partition.

9. Click Finished.The system displays a list of route domains on the BIG-IP system.







80










8. Click Finished.











The web customer now has a destination IP address on the BIG-IP system for application traffic.

Adding routes that specify VLAN internal as the resource

Prerequisite: You must set your current administrative partition to the partition in which you want a specificcustomer's configuration to reside.

You must add a route for each destination IP address pertaining to the route domain. A destination addressin this case is typically a node address for a pool member.

1. On the Main tab, click Network > Routes.

2. Click Add.The New Route screen opens.

3. From the Type list, select Route.

4. In the Destination field, type the destination IP address in the route.

81


As long as the relevant route domain is the default route domain in the current administrative partition,you do not need to append the route domain ID to this address.

5. In the Netmask box, type the network mask for the destination IP address.

6. From the Resource list, select Use VLAN.

A VLAN represents the VLAN through which the packets flow to reach the specified destination.

7. From the VLAN list, select Internal.

8. At the bottom of the screen, click Finished.

The BIG-IP system now includes routes to the nodes in the load balancing pool for a specific route domain.

82


Chapter

12

Managing Client-side HTTPS Traffic Using a Self-signedCertificate

Topics:

• Overview: Managing client-side HTTPStraffic using a self-signed certificate


Overview: Managing client-side HTTPS traffic using a self-signed certificate

When you want to manage HTTP traffic over SSL, you can configure the BIG-IP® system to perform theSSL handshake that target web servers typically perform.

A common way to configure the BIG-IP system is to enable client-side SSL, which enables the system todecrypt client requests before forwarding them to a server, and to encrypt server responses before returningthem to the client. In this case, you need to install only one SSL key/certificate pair on the BIG-IP system.

This implementation uses a self-signed certificate to authenticate HTTPS traffic.

Task summary

To implement client-side authentication using HTTP and SSL with a self-signed certificate, you perform afew basic configuration tasks.

Task list

Creating a self-signed SSL certificate

Creating a custom HTTP profile

Creating a custom Client SSL profile


Creating a virtual server for client-side HTTPS traffic


If you are configuring the BIG-IP system to manage client-side HTTP traffic, you create a self-signedcertificate to authenticate and secure the client-side HTTP traffic. If you are also configuring the system tomanage server-side HTTP traffic, you create a second self-signed certificate to authenticate and secure theserver-side HTTP traffic.

1. On the Main tab, click Local Traffic > SSL Certificates.This displays a list of existing SSL certificates.

2. On the upper-right corner of the screen, click Create.

3. In the Name field, type a name for the certificate, such as my_clientside_cert ormy_serverside_cert.

4. From the Issuer list, select Self.

5. In the Common Name field, type either the IP address for the virtual server you will create later on, ora DNS name that resolves to the virtual server’s IP address.

6. In the Division field, type your company name.

7. In the Organization field, type your department name.

8. In the Locality field, type your city name.

9. In the State or Province field, type your state or province name.

10. From the Country list, select the name of your country.

11. In the E-mail Address field, type your email address.

84

Managing Client-side HTTPS Traffic Using a Self-signed Certificate

12. In the Challenge Password field, type a password.

13. In the Confirm Password field, re-type the password you typed in the Challenge Password field.

14. In the Key Properties area of the screen, from the Size list, select 1024.

15. Click Finished.


An HTTP profile defines the way that you want the BIG-IP®system to manage HTTP traffic.

Note: Other HTTP profile types (HTTP Compression and Web Acceleration) enable you to configurecompression and cache settings, as required. Use of these profile types is optional.

1. On the Main tab, click Local Traffic > Profiles > Services > HTTP .The HTTP profile list screen opens.

2. Click Create.The New HTTP Profile screen opens.



4. From the Parent Profile list, select http.


6. Modify the settings, as required.

7. Click Finished.

The custom HTTP profile now appears in the HTTP profile list screen.


A Client SSL profile enables the BIG-IP® system to perform decryption and encryption for client-side SSLtraffic.

1. On the Main tab, click Local Traffic > Profiles > SSL > Client .The Client profile list screen opens.

2. Click Create.The New Client SSL Profile screen opens.



4. Select clientssl in the Parent Profile list.


This selection allows you to modify additional default settings.

6. Select the Custom check box for Configuration.The settings in the Configuration area become available for configuring.

7. Select the Custom check box for Client Authentication.The settings in the Client Authentication area become available for configuring.



85



10. Click Finished.














8. Click Finished.










6. From the HTTP Profile list, select the HTTP profile that you previously created.

86


7. For the SSL Profile (Client) setting, in the Available field, select the name of the Client SSL profileyou previously created, and using the Move button, move the name to the Selected field.

8. Click Finished.



After you complete the tasks in this implementation, the BIG-IP® system can authenticate and decryptHTTPS traffic coming from a client system. The BIG-IP system can also re-encrypt server responses beforesending them back to the client.

87


88


Chapter

13

Managing Client and Server HTTPS Traffic using aSelf-signed Certificate

Topics:

• Overview: Managing client and serverHTTPS traffic using a self-signed certificate


Overview: Managing client and server HTTPS traffic using a self-signedcertificate

One of the ways to configure the BIG-IP system to manage SSL traffic is to enable both client-side andserver-side SSL termination:

• Client-side SSL termination enables the system to decrypt client requests before sending them on to aserver, and encrypt server responses before sending them back to the client. This ensures that client-sideHTTPS traffic is encrypted. In this case, you need to install only one SSL key/certificate pair on theBIG-IP system.

• Server-side SSL termination enables the system to decrypt and then re-encrypt client requests beforesending them on to a server. Server-side SSL termination also decrypts server responses and thenre-encrypts them before sending them back to the client. This ensures security for both client- andserver-side HTTPS traffic. In this case, you need to install two SSL key/certificate pairs on the BIG-IPsystem. The system uses the first certificate/key pair to authenticate the client, and uses the second pairto request authentication from the server.

This implementation uses a self-signed certificate to authenticate HTTPS traffic.

Task summary

To implement client-side and server-side authentication using HTTP and SSL with a self-signed certificate,you perform a few basic configuration tasks.

Task list




Creating a custom Server SSL profile


Creating a virtual server for client-side and server-side HTTPS traffic


If you are configuring the BIG-IP system to manage client-side HTTP traffic, you create a self-signedcertificate to authenticate and secure the client-side HTTP traffic. If you are also configuring the system tomanage server-side HTTP traffic, you create a second self-signed certificate to authenticate and secure theserver-side HTTP traffic.

1. On the Main tab, click Local Traffic > SSL Certificates.This displays a list of existing SSL certificates.

2. On the upper-right corner of the screen, click Create.

3. In the Name field, type a name for the certificate, such as my_clientside_cert ormy_serverside_cert.

4. From the Issuer list, select Self.

90

Managing Client and Server HTTPS Traffic using a Self-signed Certificate

5. In the Common Name field, type either the IP address for the virtual server you will create later on, ora DNS name that resolves to the virtual server’s IP address.

6. In the Division field, type your company name.

7. In the Organization field, type your department name.

8. In the Locality field, type your city name.

9. In the State or Province field, type your state or province name.

10. From the Country list, select the name of your country.

11. In the E-mail Address field, type your email address.

12. In the Challenge Password field, type a password.

13. In the Confirm Password field, re-type the password you typed in the Challenge Password field.

14. In the Key Properties area of the screen, from the Size list, select 1024.

15. Click Finished.











7. Click Finished.









91









10. Click Finished.


A Server SSL profile enables the BIG-IP® system to perform decryption and encryption for server-side SSLtraffic.

1. On the Main tab, click Local Traffic > Profiles > SSL > Server .The SSL Server profile list screen opens.

2. Click Create.The New Server SSL Profile screen opens.



4. Select serverssl in the Parent Profile list.




7. Select the Custom check box for Server Authentication.The settings in the Server Authentication area become available for configuring.


9. Click Finished.

The custom Server SSL profile is listed in the Profiles:SSL:Server list.


You can a create pool (a logical set of devices, such as web servers, that you group together to receive andprocess HTTPS traffic) to efficiently distribute the load on your server resources.




4. Assign the https or https_443 health monitor from the Available list by moving it to the Active list.


92







a) Type an IP address in the Address field, or select a node address from the Node List.b) Type 443 in the Service Port field, or select HTTPS from the list.c) (Optional) Type a priority number in the Priority field.d) Click Add.

8. Click Finished.

The HTTPS load balancing pool now appears in the Pool List screen.

Creating a virtual server for client-side and server-side HTTPS traffic








6. From the HTTP Profile list, verify that the default HTTP profile, http, is selected.


8. For the SSL Profile (Server) setting, in the Available field, select the name of the Server SSL profileyou previously created, and using the Move button, move the name to the Selected field.

9. Click Finished.

The HTTPS virtual server now appears in the Virtual Server List screen.


After you complete the tasks in this implementation, the BIG-IP® system ensures that SSL authenticationand encryption occurs for both client-side and server-side HTTP traffic. The system performs these operationsaccording to the values you specify in the Client SSL and Server SSL profiles.

93


94


Chapter

14

Managing Client-side HTTPS Traffic using a CA-signedCertificate

Topics:

• Overview: Managing client-side HTTPStraffic using a CA-signed certificate


Overview: Managing client-side HTTPS traffic using a CA-signed certificate

When you want to manage HTTP traffic over SSL, you can configure the BIG-IP® system to perform theSSL handshake that target web servers normally perform.

A common way to configure the BIG-IP system is to enable client-side SSL, which enables the system todecrypt client requests before sending them on to a server, and encrypt server responses before sendingthem back to the client. In this case, you need to install only one SSL key/certificate pair on the BIG-IPsystem.

This implementation uses a certificate signed by a certificate authority (CA) to authenticate HTTPS traffic.

Task summary

To implement client-side authentication using HTTP and SSL with a certificate signed by a certificateauthority, you perform a few basic configuration tasks.

Task list

Requesting a certificate from a certificate authority





Requesting a certificate from a certificate authority

You can generate a certificate and copy it or submit it to a trusted certificate authority for signature.

1. On the Main tab, click Local Traffic > SSL Certificate List .The SSL Certificate List screen opens.

2. Click Create.

3. Name the SSL certificate with a unique name.

4. In the Issuer list, select Certificate Authority.

5. In the Common Name field, type a name.

6. Configure any additional Certificate Properties settings, as necessary.

7. For Key Properties, in the Size list, select a size in bits.

8. Click Finished.

9. Do one of the following to download the request into a file on your system.

• In the Request Text field, copy the certificate.• For Request File, click the button.

10. Follow the instructions on the web site for either pasting the copied request or attaching the generatedrequest file.

11. Click Finished.

96

Managing Client-side HTTPS Traffic using a CA-signed Certificate

The generated certificate is submitted to a trusted certificate authority for signature.











7. Click Finished.
















10. Click Finished.

97















8. Click Finished.










6. From the HTTP Profile list, select the HTTP profile that you previously created.


8. Click Finished.

98




After you complete the tasks in this implementation, the BIG-IP® system can authenticate and decryptHTTPS traffic coming from a client system. The BIG-IP system can also re-encrypt server responses beforesending them back to the client.

99


100


Chapter

15

Implementing Proxy SSL on a Single BIG-IP System

Topics:

• Overview: Direct client-server authenticationwith application optimization

• Task summary• Implementation result

Overview: Direct client-server authentication with application optimization

When setting up the BIG-IP® system to process application data, you might want the destination server toauthenticate the client system directly, for security reasons, instead of relying on the BIG-IP system toperform this function. Retaining direct client-server authentication provides full transparency between theclient and server systems, and grants the server final authority to allow or deny client access.

The feature that enables this direct client-server authentication is known as Proxy SSL. You enable thisfeature when you configure the Client SSL and Server SSL profiles.

Note: To use this feature, you must configure both a Client SSL and a Server SSL profile.

Without the Proxy SSL feature enabled, the BIG-IP system establishes separate client-side and server-sideSSL connections and then manages the initial authentication of both the client and server systems.

With the Proxy SSL feature, the BIG-IP system enables direct client-server authentication by establishinga secure SSL tunnel between the client and server systems and then forwarding the SSL handshake messagesfrom the client to the server and vice versa. After the client and server successfully authenticate each other,the BIG-IP system uses the tunnel to decrypt the application data and intelligently manipulate (optimize)the data as needed.

Task summary

To implement direct client-to-server SSL authentication, as well as application data manipulation, youperform a few basic configuration tasks. Note that you must create both a Client SSL and a Server SSLprofile, and enable the Proxy SSL feature in both profiles.

Before you begin, verify that the client system, server system, and BIG-IP® system contain the appropriateSSL certificates for mutual authentication.

Important: The BIG-IP certificate and key referenced in a Server SSL profile must match those ofthe server system.

Task list




Creating a virtual server for client-side and server-side SSL traffic


You perform this task to create a Client SSL profile that enables direct client-server authentication whilestill allowing the BIG-IP system to perform data optimization, such as decryption and encryption. Thisprofile applies to client-side SSL traffic only.

1. On the Main tab, click Local Traffic > Profiles > SSL > Client .

102


The Client profile list screen opens.





5. From the Certificate list, select the relevant certificate name.

6. From the Key list, select the relevant key name.

7. For the Proxy SSL setting, select the check box.



9. Modify all other settings, as required.

10. Click Finished.

The custom Client SSL profile now appears in the Client SSL profile list screen.


You perform this task to create a Server SSL profile that enables direct client-server authentication whilestill allowing the BIG-IP® system to perform data optimization, such as decryption and encryption. Thisprofile applies to server-side SSL traffic only.

Important: The certificate and key that you specify in this profile must match the certificate/keypair that you expect the back-end server to offer. If the back-end server has two or more certificatesto offer, you must create a separate Server SSL profile for each certificate and then assign all ofthe Server SSL profiles to a single virtual server.

1. On the Main tab, click Local Traffic > Profiles > SSL > Server .The SSL Server profile list screen opens.

2. Click Create.The New Server SSL Profile screen opens.



4. Select serverssl in the Parent Profile list.

5. From the Certificate list, select a relevant certificate name.

6. From the Key list, select a relevant key name.

7. For the Proxy SSL setting, select the check box.



9. Modify all other settings, as required.

10. Choose one of the following actions:

• If you need to create another Server SSL profile, click Repeat.• If you do not need to create another Server SSL profile, click Finished.

All relevant Server SSL profiles now appear on the SSL Server profile list screen.

103
















8. Click Finished.


Creating a virtual server for client-side and server-side SSL traffic

You can specify a virtual server to be either a host virtual server or a network virtual server to manageapplication traffic.







104



7. For the SSL Profile (Server) setting, in the Available field, select the applicable Server SSL profilenames, and using the Move button, move the names to the Selected field.

8. Assign other profiles to the virtual server if applicable.

9. From the Default Pool list, select the name of the pool that you created previously.

10. Click Finished.

The virtual server now appears in the Virtual Server List screen.

Implementation result

After you complete the tasks in this implementation, the BIG-IP® system ensures that the client system andserver system can initially authenticate each other directly. After client-server authentication, the BIG-IPsystem can intelligently decrypt and manipulate the application data according to the configuration settingsin the profiles assigned to the virtual server.

105


106


Chapter

16

Configuring HTTP Load Balancing with Source AddressAffinity Persistence

Topics:

• Overview: HTTP load balancing with sourceaffinity persistence

• Task summary

Overview: HTTP load balancing with source affinity persistence

Many computing environments want to use a BIG-IP® system to intelligently manage their HTTP traffic.You can easily control your HTTP traffic by implementing a BIG-IP system feature known as an HTTPprofile. An HTTP profile is a group of settings that affect the behavior of HTTP traffic. An HTTP profiledefines the way that you want the BIG-IP system to manage HTTP traffic.

You can use the default HTTP profile, with all of its default values, or you can create a custom HTTPprofile. This particular implementation uses the default HTTP profile.

When you configure the BIG-IP system to manage HTTP traffic, you can also implement simple sessionpersistence, also known as source address affinity persistence. Source address affinity persistence directssession requests to the same server based solely on the source IP address of a packet. To implement sourceaddress affinity persistence, the BIG-IP system offers a default persistence profile that you can implement.Just as for HTTP, you can use the default profile, or you can create a custom simple persistence profile.

Task summary

This implementation describes how to set up a basic HTTP load balancing scenario and source addressaffinity persistence, using the default HTTP and source address affinity persistence profiles.

Because this implementation configures HTTP load balancing and session persistence using the defaultHTTP and persistence profiles, you do not need to specifically configure these profiles. Instead, you simplyconfigure some settings on the virtual server when you create it.

Task list












• Retain the default option, Disabled to disable priority groups.

108

Configuring HTTP Load Balancing with Source Address Affinity Persistence

• Select Less than, and type the minimum number of members in the Available Members field thatmust remain available in each priority group in order for traffic to remain confined to that group.



8. Click Finished.












8. From the Default Persistence Profile setting, select source_addr.This implements simple persistence, using the default source address affinity profile.

9. Click Finished.


109


110

Configuring HTTP Load Balancing with Source Address Affinity Persistence

Chapter

17

Configuring HTTP Load Balancing with Cookie Persistence

Topics:

• Overview: HTTP load balancing with cookiepersistence

• Task summary

Overview: HTTP load balancing with cookie persistence

Many computing environments want to use a BIG-IP® system to intelligently manage their HTTP traffic.You can easily control your HTTP traffic by implementing a BIG-IP system feature known as an HTTPprofile. An HTTP profile is a group of settings that affects the behavior of HTTP traffic. An HTTP profiledefines the way that you want the system to manage HTTP traffic.

You can use the default HTTP profile, with all of its default values, or you can create a custom HTTPprofile. When you create a custom HTTP profile, you not only modify the setting values, but you can enablemore advanced features such as data compression of server responses.

When you configure the BIG-IP system to manage HTTP traffic, you can also implement cookie-basedsession persistence. Cookie persistence directs session requests to the same server based on HTTP cookiesthat the BIG-IP system stores in the client’s browser.

Task summary

This implementation describes how to set up a basic HTTP load balancing scenario and cookie persistence,using the default HTTP profile.

Because this implementation configures HTTP load balancing and session persistence using the defaultHTTP, you do not need to specifically configure this profile. Instead, you simply configure some settingson the virtual server when you create it.

Task list

Creating a custom cookie persistence profile



Creating a custom cookie persistence profile

A good way to implement cookie persistence is to create a custom cookie persistence profile.

1. On the Main tab, click Local Traffic > Profiles > Persistence .The Persistence profile list screen opens.

2. Click Create.The New Persistence Profile screen opens.



4. From the Persistence Type list, select Cookie.

5. From the Parent Profile list, select cookie.


7. From the Cookie Method list, select HTTP Cookie Insert.

8. Clear the Session Cookie check box.

112


9. Type 60 in the Minutes field.

10. Click Finished.

The custom cookie persistence profile appears in the Persistence list.














8. Click Finished.




Note: You can also use HTTP Cookie Insert persistence with a Performance (HTTP) type of virtualserver.






113





8. From the Default Persistence Profile setting, select the name of the custom cookie profile you createdearlier, such as mycookie_profile.This implements cookie persistence, using a custom cookie persistence profile.

9. Click Finished.


114


Chapter

18

Compressing HTTP Responses

Topics:

• Overview: Compressing HTTP responses• Task summary

Overview: Compressing HTTP responses

An optional feature of the BIG-IP® system is the system’s ability to off-load HTTP compression tasks fromthe target server. All of the tasks that you need to configure HTTP compression, as well as the compressionsoftware itself, are centralized on the BIG-IP system. The primary way to enable HTTP compression is byconfiguring an HTTP Compression type of profile and then assigning the profile to a virtual server. Thiscauses the system to compress HTTP content for any responses matching the values that you specify in theRequest-URI or Content-Type settings of the HTTP Compression profile.

Tip: If you want to enable HTTP compression for specific connections, you can write an iRule thatspecifies the HTTP:compress enable command. Using the BIG-IP system HTTP compression feature,you can include or exclude certain types of URIs or files that you specify. This is useful becausesome URI or file types might already be compressed. F5 Networks does not recommend using CPUresources to compress already-compressed data because the cost of compressing the data usuallyoutweighs the benefits. Examples of regular expressions that you might want to specify for exclusionare .*\.pdf, .*\.gif, or .*\.html.

Task summary

To configure HTTP data compression, you need to create an HTTP compression type of profile, as well asa virtual server.

Task list

Creating a customized HTTP compression profile

Creating a virtual server for HTTP compression

Creating a customized HTTP compression profile

If you need to adjust the compression settings to optimize compression for your environment, you canmodify a custom HTTP compression profile.

1. On the Main tab, click Local Traffic > Profiles > Services > HTTP Compression .The HTTP Compression profile list screen opens.

2. Click Create.The New HTTP Compression Profile screen opens.



4. From the Parent Profile list, select one of the following profiles:

• httpcompression.• wan-optimized-compression.


116



7. Click Finished.

The modified HTTP compression profile is available in the HTTP Compression list screen.

Creating a virtual server for HTTP compression

You can create a virtual server that uses an HTTP profile with an HTTP compression profile to compressHTTP responses.











9. Click Finished.

The virtual server with an HTTP profile configured with an HTTP compression profile appears in the VirtualServer list.

After you have created a custom HTTP Compression profile and a virtual server, you can test theconfiguration by attempting to pass HTTP traffic through the virtual server. Check to see that the BIG-IPsystem includes and excludes the responses that you specified in the custom profile, and that the systemcompresses the data as specified.

117


118


Chapter

19

Using the Request Logging Profile

Topics:

• Overview: Configuring a request loggingprofile

• Task summary for configuring requestlogging

• Request logging profile settings• Request logging parameters

Overview: Configuring a request logging profile

The request logging profile gives you the ability to configure data within a log file for requests and responsesin accordance with specified parameters.

Task summary for configuring request logging

Perform these tasks to log request and response data.

Creating a pool with request logging to manage HTTP traffic

Creating a request logging profile

Configuring a virtual server for request logging

Deleting a request logging profile

Creating a pool with request logging to manage HTTP traffic

For a basic configuration, you need to create a pool to manage HTTP connections.










7. Add the IP address for each logging server that you want to include in the pool, using the New Memberssetting:

a) Type an IP address in the Address, field or select a node address from the Node List.b) Type 80 in the Service Port field, or select HTTP from the list.c) (Optional) Type a priority number in the Priority field.d) Click Add.

8. Click Finished.


120


Creating a request logging profile

You must have already created a pool that includes logging servers as pool members before you can createa request logging profile.

With a request logging profile, you can log specified data for HTTP requests and responses, and then usethat information for analysis and troubleshooting.

1. On the Main tab, click Local Traffic > Profiles > Other > Request Logging .The Request Logging profile list screen opens.

2. Click Create.The New Request Logging Profile screen opens.

3. From the Parent Profile list, select a profile from which the new profile inherits properties.

4. Select the Custom check box for the Request Settings area.The settings in the Request Settings area become available for configuring.

5. Configure the request settings, as necessary.

6. Select the Custom check box for the Response Settings area.The settings in the Response Settings area become available for configuring.

7. Configure the response settings, as necessary.

8. Click Finished.

This makes a request logging profile available to log specified data for HTTP requests and responses.

You must configure a virtual server for request logging.

Configuring a request logging profile for requests

Prerequisite: You must create a pool that includes logging servers as pool members.

You can use a request logging profile to log specified data for HTTP requests, and then use that informationfor analysis and troubleshooting.


2. Click Create.The New Request Logging Profile screen opens.


4. Select the Custom check box for the Request Settings area.The settings in the Request Settings area become available for configuring.

5. In the Request Settings area, from the Request Logging list, select Enabled.

6. In the Template field, type the request logging parameters for the entries that you want to include inthe log file.

7. From the HSL Protocol list, select a high-speed logging protocol.

8. From the Pool Name list, select the pool that includes the logging server as a pool member.

9. (Optional) You can also configure the error response settings.

a) From the Respond On Error list, select Enabled.b) In the Error Response field, type the error response strings that you want to include in the log file.

These strings must be well-formed for the protocol serving the strings.

c) Select the Close On Error check box to drop the request and close the connection if logging fails.

10. (Optional) You can also configure the logging request errors settings.

121


a) From the Log Logging Errors list, select Enabled.b) In the Error Template field, type the request logging parameters for the entries that you want to

include in the log file.c) From the HSL Error Protocol list, select a high-speed logging error protocol.d) From the Error Pool Name list, select a pool that includes the node for the error logging server as

a pool member.

11. Click Update.

This configures a request logging profile to log specified data for HTTP requests.

Configuring a request logging profile for responses

You must have already created a pool that includes logging servers as pool members before you can configurea request logging profile for responses.

With a request logging profile, you can log specified data for HTTP requests and responses, and then usethat information for analysis and troubleshooting.



3. Select the Custom check box for the Response Settings area.The settings in the Response Settings area become available for configuring.

4. In the Response Settings area, from the Response Logging list, select Enabled.

5. (Optional) Select the Log By Default check box.

The Log By Default check box is selected by default.

6. In the Template field, type the response logging parameters for the entries that you want to include inthe log file.

7. From the HSL Protocol list, select a high-speed logging protocol.

8. From the Pool Name list, select the pool that includes the node logging server as a pool member.

9. (Optional) Configure the logging request error settings.

a) From the Log Logging Errors list, select Enabled.b) In the Error Template field, type the response logging parameters for the entries that you want to

include in the log file.c) From the HSL Error Protocol list, select a high-speed logging error protocol.d) From the Error Pool Name list, select a pool that includes the node for the error logging server as

a pool member.

10. Click Update to save your changes.

This configures a request logging profile to log specified data for HTTP responses.

Configuring a virtual server for request logging

You can configure a virtual server to pass traffic to logging servers.


2. Click the name of the virtual server you want to modify.

3. Click the Resources tab.

4. From the Default Pool list, select a pool name that is configured with pool members for request logging.

122


5. Click the Properties tab.


7. From the Request Logging Profile list, select the profile you want to assign to the virtual server.

8. Click Update.

This virtual server can now pass traffic to the configured logging servers.

Deleting a request logging profile

A user-defined request logging profile must be available in order for you to delete it.

You can delete a user-defined request logging profile that is obsolete or no longer needed.


2. Select the check box for the applicable profile.

3. Click Delete.

4. Click Delete.

The profile is deleted.

Request logging profile settingsWith the request logging profile, you can specify the data and the format for HTTP requests and responsesthat you want to include in a log file.

General Properties

DescriptionValueSetting

Names must begin with a letter, and can contain onlyletters, numbers, and the underscore (_) character.

No defaultName

Specifies the selected predefined or user-definedprofile.

Selected predefined oruser-defined profile

Parent Profile

Request Settings


Enables logging for requests.DisabledRequest Logging

Specifies the directives and entries to be logged.Template

Specifies the protocol to be used for high-speed logging ofrequests.

UDPHSL Protocol

Defines the pool associated with the virtual server that islogged.

NonePool Name

Enables the ability to respond when an error occurs.DisabledRespond On Error

123



Specifies the response text to be used when an error occurs.

For example, the following response text provides contentfor a 503 error.

<html>

NoneError Response

<head> <title>ERROR</title> </head> <body> <p>503 ERROR-Service Unavailable</p> </body></html>

When enabled, and logging fails, drops the request andcloses the connection.

DisabledClose On Error

Enables the ability to log any errors when logging requests.DisabledLog Logging Errors

Defines the format for requests in an error log.NoneError Template

Defines the protocol to be used for high-speed logging ofrequest errors.

UDPHSL Error Protocol

Specifies the name of the error logging pool for requests.NoneError Pool Name

Response Settings


Enables logging for responses.DisabledResponse Logging

Defines whether to log the specified settings forresponses by default.

EnabledLog By Default

Specifies the directives and entries to be logged.NoneTemplate

Specifies the protocol to be used for high-speed loggingof responses.

HSLHSL Protocol

Defines the pool name associated with the virtual serverthat is logged.

NonePool Name

Enables the ability to log any errors when loggingresponses.

DisabledLog Logging Errors

Defines the format for responses in an error log.NoneError Template

Defines the protocol to be used for high-speed loggingof response errors.

UDPHSL Error Protocol

Specifies the name of the error logging pool forresponses.

NoneError Pool Name

124


Request logging parametersThis table lists all available parameters from which you can create a custom logging profile. These are usedto specify entries for the Template and Error Template settings For each parameter, the system writes tothe log the information described in the right column.

Table 1: Request logging parameters

Log file entry descriptionParameter

An entry for the slot number of the blade that handled the request.BIGIP_BLADE_ID

An entry of Cached status: true, if the response came from BIG-IP®

cache, or Cached status: false, if the response came from theserver.

BIGIP_CACHED

An entry for the configured host name of the unit or chassis.BIGIP_HOSTNAME

An entry for the IP address of a client, for example, 192.168.74.164.CLIENT_IP

An entry for the port of a client, for example, 80.CLIENT_PORT

A two-character entry for the day of the month, ranging from 1 (note theleading space) through 31.

DATE_D

An entry that spells out the name of the day.DATE_DAY

A two-digit entry for the day of the month, ranging from 01 through 31.DATE_DD

A three-letter entry for the day, for example, Mon.DATE_DY

A date and time entry in an HTTP format, for example, Tue, 5 Apr2011 02:15:31 GMT.

DATE_HTTP

A two-digit month entry, ranging from 01 through 12.DATE_MM

A three-letter abbreviation for a month entry, for example, APR.DATE_MON

An entry that spells out the name of the month.DATE_MONTH

A date and time entry in an NCSA format, for example,dd/mm/yy:hh:mm:ss ZNE.

DATE_NCSA

A two-digit year entry, ranging from 00 through 99.DATE_YY

A four-digit year entry.DATE_YYYY

The name of the httpclass profile that matched the request, or an emptyentry if a profile name is not associated with the request.

HTTP_CLASS

A flag summarizing the HTTP1.1 keep-alive status for the request:: aYif the HTTP1.1 keep-alive header was sent, or an empty entry if not.

HTTP_KEEPALIVE

An entry that defines the HTTP method, for example, GET, PUT, HEAD,POST, DELETE, TRACE, or CONNECT.

HTTP_METHOD

An entry that defines the HTTP path.HTTP_PATH

The text following the first ? in the URI.HTTP_QUERY

The complete text of the request, for example, $METHOD $URI$VERSION.

HTTP_REQUEST

125



The numerical response status code, that is, the status response codeexcluding subsequent text.

HTTP_STATCODE

The complete status response, that is, the number appended with anysubsequent text.

HTTP_STATUS

An entry for the URI of the request.HTTP_URI

An entry that defines the HTTP version.HTTP_VERSION

An NCSA Combined formatted log string, for example, $NCSA_COMMON$Referer ${User-agent} $Cookie.

NCSA_COMBINED

An NCSA Common formatted log string, for example, $CLIENT_IP -- $DATE_NCSA $HTTP_REQUEST $HTTP_STATCODE$RESPONSE_SIZE.

NCSA_COMMON

The elapsed time in milliseconds (ms) between receiving the request andsending the response.

RESPONSE_MSECS

An entry for the size of response in bytes.RESPONSE_SIZE

The elapsed time in microseconds (µs) between receiving the request andsending the response.

RESPONSE_USECS

An entry for the IP address of a server, for example, 10.10.0.1.SERVER_IP

An entry for the port of a server, for example, 80.SERVER_PORT

An entry for the self IP address of the BIG-IP-originated connection to theserver when SNAT is enabled, or an entry for the client IP address whenSNAT is not enabled.

SNAT_IP

An entry for the port of the BIG-IP-originated connection to the server whenSNAT is enabled, or an entry for the client port when SNAT is not enabled.

SNAT_PORT

A twelve-hour request-time qualifier, for example, AM or PM.TIME_AMPM

A compact twelve-hour time entry for request-time hours, ranging from 1through 12.

TIME_H12

A twelve-hour time entry for hours, for example, 12 AM.TIME_HRS

A twelve hour entry for request-time hours, ranging from 01 through 12.TIME_HH12

An entry for a compact request time of H:M:S, for example, 12:10:49.TIME_HMS

A twenty-four hour entry for request-time hours, ranging from 00 through23.

TIME_HH24

A two-digit entry for minutes, ranging from 00 through 59.TIME_MM

An entry for the request-time fraction in milliseconds (ms).TIME_MSECS

An entry for the time zone, offset in hours from GMT, for example, -11.TIME_OFFSET

A two-digit entry for seconds, ranging from 00 through 59.TIME_SS

A UNIX time entry for the number of seconds since the UNIX epoch, forexample, 00:00:00 UTC, January 1st, 1970.

TIME_UNIX

An entry for the request-time fraction in microseconds (µs).TIME_USECS

126



An entry for the current Olson database or tz database three-character timezone, for example, PDT.

TIME_ZONE

An entry for the IP address of a virtual server, for example,192.168.10.1.

VIRTUAL_IP

An entry for the name of a virtual server.VIRTUAL_NAME

An entry for the name of the pool containing the responding server.VIRTUAL_POOL_NAME

An entry for the port of a virtual server, for example, 80.VIRTUAL_PORT

The name of the Secure Network Address Translation pool associated withthe virtual server.

VIRTUAL_SNATPOOL_NAME

Undelineated strings return the value of the respective header.NULL

127


128


Chapter

20

Load Balancing Passive Mode FTP Traffic

Topics:

• Overview: FTP passive mode load balancing• Task Summary for load balancing passive

mode FTP traffic

Overview: FTP passive mode load balancing

You can set up the BIG-IP system to load balance passive mode FTP traffic. You do this by using the defaultFTP profile. An FTP profile determines the way that the BIG-IP system processes FTP traffic.

Task Summary for load balancing passive mode FTP traffic

You can perform these tasks to configure FTP passive mode load balancing.

Task list

Creating a custom FTP monitor

Creating a pool to manage FTP traffic

Creating a virtual server for FTP traffic


An FTP monitor requires a user name and password, and the full path to the file to be downloaded.

Create a custom FTP monitor to verify passive mode File Transfer Protocol (FTP) traffic. The monitorattempts to download a specified file to the /var/tmp directory. If the file is retrieved, the check issuccessful.

Note: The BIG-IP® system does not save the downloaded file.



3. Type a name for the monitor in the Name field.


4. From the Type list, select FTP.The screen refreshes, and displays the configuration options for the FTP monitor type.

5. From the Import Settings list, select an existing monitor.

The new monitor inherits initial configuration values from the existing monitor.

6. Type a number in the Interval field that indicates, in seconds, how frequently the system issues themonitor check. The default is 10 seconds.

7. Type a number in the Timeout field that indicates, in seconds, how much time the target has to respondto the monitor check. The default is 31 seconds.

If the target responds within the allotted time period, it is considered up. If the target does not respondwithin the time period, it is considered down.

8. Type a name in the User Name field.

9. Type a password in the Password field.

130


10. Type the full path and file name of the file that the system attempts to download in the Path/Filenamefield.

The health check is successful if the system can download the file.

11. For the Mode setting, select one of the following data transfer process (DTP) modes.

DescriptionOptions

The monitor sends a data transfer request to the FTP server. When the FTPserver receives the request, the FTP server initiates and establishes the dataconnection.

Passive

The monitor initiates and establishes the data connection with the FTP server.Port

12. In the Configuration area of the screen, select Advanced.


13. From the Up Interval list, do one of the following:

• Accept the default, Disabled, if you do not want to use the up interval.• Select Enabled, and specify how often you want the system to check the health of a resource that

is up.

14. Type a number in the Time Until Up field that indicates the number of seconds to wait after a resourcefirst responds correctly to the monitor before setting the resource to up.

The default value is 0 (zero), which disables this option.

15. Specify whether the system automatically enables the monitored resource, when the monitor check issuccessful, for Manual Resume.

This setting applies only when the monitored resource has failed to respond to a monitor check.

DescriptionOptions

The system does nothing when the monitor check succeeds, and you mustmanually enable the monitored resource.

Yes

The system automatically re-enables the monitored resource after the nextsuccessful monitor check.

No

16. For the Alias Address setting, do one of the following:

• Accept the *All Addresses default option.• Type an alias IP address for the monitor to check, on behalf of the pools or pool members with which

the monitor is associated.

If the health check for the alias address is successful, the system marks all associated objects up. If thehealth check for the alias address is not successful, then the system marks all associated objects down.

17. For the Alias Service Port setting, do one of the following:

• Accept the *All Ports default option.• Select an alias port or service for the monitor to check, on behalf of the pools or pool members with

which the monitor is associated.

If the health check for the alias port or service is successful, the system marks all associated objects up.If the health check for the alias port or service is not successful, then the system marks all associatedobjects down.

18. For the Debug setting, specify whether you want the system to collect and publish additional informationand error messages for this monitor.

131


You can use the log information to help diagnose and troubleshoot unsuccessful health checks. To viewthe log entries, see the System > Logs screens.

DescriptionOptions

The system redirects error messages and other information to a log file createdspecifically for this monitor.

Yes

The system does not collect additional information or error messages related tothis monitor. This is the default setting.

No

19. Click Finished.

You can associate the new custom monitor with the pool that contains the FTP resources.


To load balance passive mode FTP traffic, you create a load balancing pool. When you create the pool, youassign the custom FTP monitor that you created in the previous task.






5. From the Priority Group Activation list, select Disabled.


a) Type an IP address in the Address field, or select a node address from the Node List.b) Type 21 in the Service Port field, or select FTP from the list.c) (Optional) Type a priority number in the Priority field.d) Click Add.

7. Click Finished.

The pool to manage FTP traffic appears in the Pools list.


You can define a virtual server that references the FTP profile and the FTP pool.






132


5. In the Service Port field, type 21 or select FTP from the list.

6. From the FTP Profile list, do one of the following:

• Select ftp.• Select a custom profile.


8. Click Finished.

The custom FTP virtual server appears in the Virtual Servers list.

133


134


Chapter

21

Load Balancing Passive Mode FTP Traffic with Data ChannelOptimization

Topics:

• Overview: FTP passive mode load balancingwith data channel optimization

• Task Summary for load balancing passivemode FTP traffic

• Implementation result

Overview: FTP passive mode load balancing with data channel optimization

You can set up the BIG-IP system to load balance passive mode FTP traffic, with optimization of both theFTP control channel and the data channel.

By default, the BIG-IP system optimizes FTP traffic for the control channel, according to the configurationsettings in the default client and server TCP profiles assigned to the virtual server. When you use thisparticular implementation, you also configure the system to take advantage of those same TCP profilesettings for the FTP data channel. This provides useful optimization of the data channel payload.

Task Summary for load balancing passive mode FTP traffic

You can perform these tasks to configure FTP passive mode load balancing that optimizes traffic on boththe control channel and data channel.

Task list

Creating a custom FTP profile




Creating a custom FTP profile

You create a custom FTP profile when you want to fine-tune the way that the BIG-IP®system manages FTPtraffic. This procedure creates an FTP profile and optimizes the way that the BIG-IP system manages trafficfor the FTP data channel.

1. On the Main tab, click Local Traffic > Profiles > Services > FTP .The FTP profile list screen opens.

2. Click Create.The New FTP Profile screen opens.



4. In the Parent Profile list, select the default ftp profile.

5. On the right side of the screen, click the Custom check box.The settings in the Settings area become available for modification.

6. For the Inherit Parent Profile setting, click the check box.This enables optimization of data channel traffic.

7. Click Finished.

The custom FTP profile now appears in the FTP profile list screen.

136

Load Balancing Passive Mode FTP Traffic with Data Channel Optimization


An FTP monitor requires a user name and password, and the full path to the file to be downloaded.

Create a custom FTP monitor to verify passive mode File Transfer Protocol (FTP) traffic. The monitorattempts to download a specified file to the /var/tmp directory. If the file is retrieved, the check issuccessful.

Note: The BIG-IP® system does not save the downloaded file.





4. From the Type list, select FTP.The screen refreshes, and displays the configuration options for the FTP monitor type.



6. Type a number in the Interval field that indicates, in seconds, how frequently the system issues themonitor check. The default is 10 seconds.

7. Type a number in the Timeout field that indicates, in seconds, how much time the target has to respondto the monitor check. The default is 31 seconds.

If the target responds within the allotted time period, it is considered up. If the target does not respondwithin the time period, it is considered down.

8. Type a name in the User Name field.

9. Type a password in the Password field.

10. Type the full path and file name of the file that the system attempts to download in the Path/Filenamefield.

The health check is successful if the system can download the file.

11. For the Mode setting, select one of the following data transfer process (DTP) modes.

DescriptionOptions

The monitor sends a data transfer request to the FTP server. When the FTPserver receives the request, the FTP server initiates and establishes the dataconnection.

Passive

The monitor initiates and establishes the data connection with the FTP server.Port



13. From the Up Interval list, do one of the following:

• Accept the default, Disabled, if you do not want to use the up interval.• Select Enabled, and specify how often you want the system to check the health of a resource that

is up.

137


14. Type a number in the Time Until Up field that indicates the number of seconds to wait after a resourcefirst responds correctly to the monitor before setting the resource to up.

The default value is 0 (zero), which disables this option.

15. Specify whether the system automatically enables the monitored resource, when the monitor check issuccessful, for Manual Resume.

This setting applies only when the monitored resource has failed to respond to a monitor check.

DescriptionOptions

The system does nothing when the monitor check succeeds, and you mustmanually enable the monitored resource.

Yes

The system automatically re-enables the monitored resource after the nextsuccessful monitor check.

No

16. For the Alias Address setting, do one of the following:

• Accept the *All Addresses default option.• Type an alias IP address for the monitor to check, on behalf of the pools or pool members with which

the monitor is associated.

If the health check for the alias address is successful, the system marks all associated objects up. If thehealth check for the alias address is not successful, then the system marks all associated objects down.

17. For the Alias Service Port setting, do one of the following:

• Accept the *All Ports default option.• Select an alias port or service for the monitor to check, on behalf of the pools or pool members with

which the monitor is associated.

If the health check for the alias port or service is successful, the system marks all associated objects up.If the health check for the alias port or service is not successful, then the system marks all associatedobjects down.

18. For the Debug setting, specify whether you want the system to collect and publish additional informationand error messages for this monitor.

You can use the log information to help diagnose and troubleshoot unsuccessful health checks. To viewthe log entries, see the System > Logs screens.

DescriptionOptions

The system redirects error messages and other information to a log file createdspecifically for this monitor.

Yes

The system does not collect additional information or error messages related tothis monitor. This is the default setting.

No

19. Click Finished.

You can associate the new custom monitor with the pool that contains the FTP resources.


To load balance passive mode FTP traffic, you create a load balancing pool. When you create the pool, youassign the custom FTP monitor that you created in the previous task.


138






5. From the Priority Group Activation list, select Disabled.


a) Type an IP address in the Address field, or select a node address from the Node List.b) Type 21 in the Service Port field, or select FTP from the list.c) (Optional) Type a priority number in the Priority field.d) Click Add.

7. Click Finished.

The pool to manage FTP traffic appears in the Pools list.


You can define a virtual server that references the FTP profile and the FTP pool.






5. In the Service Port field, type 21 or select FTP from the list.

6. From the FTP Profile list, select the custom profile that you created earlier.


8. Click Finished.

The custom FTP virtual server appears in the Virtual Servers list.


A BIG-IP system with this configuration can process FTP traffic in passive mode, in a way that optimizesthe traffic on both the control channel and the data channel. This optimization is based on the settings ofthe default client-side and server-side TCP profiles.

139


140


Chapter

22

Referencing an External File from within an iRule

Topics:

• Overview: Referencing an external file froman iRule


Overview: Referencing an external file from an iRule

Using the BIG-IP® Configuration utility or tmsh, you can import a file or URL from another system to theBIG-IP system, with content that you want an iRule to return to a client, based on some iRule event. Possibleuses for this feature are:

• To send a web page other than the page that the client requested. For example, you might want thesystem to send a maintenance page instead of the requested page.

• To send an image.• To use a file as a template and modify the file in the iRule before sending the file.• To download policy information from an external server and merge that data with a locally-stored policy.

The file that an iRule accesses is known as an iFile, and can be any type of file, such as a binary file or atext file. These files are read-only files.

This example shows an iRule that references an iFile named ifileURL, in partition Common:

ltm rule ifile_rule { when HTTP_RESPONSE { # return a list of iFiles in all partitions set listifiles [ifile listall]

log local0. "list of ifiles: $listifiles"

# return the attributes of an iFile specified array set array_attributes [ifile attributes "/Common/ifileURL"]

foreach {array attr} [array get array_attributes ] { log local0. "$array : $attr" }

# serve an iFile when http status is 404. set file [ifile get "Common/ifileURL"] log local0. "file: $ifile" if { [HTTP::status] equals "404" } { HTTP:Respond 200 ifile "/Common/ifileURL"

} } }

iRule commands for iFilesThis list shows the commands available for referencing an iFile within an iRule. All of these commandsreturn a string, except for the command [ifile attributes IFILENAME], which returns an array.

[ifile get IFILENAME][ifile listall][ifile attributes IFILENAME][ifile size IFILENAME][ifile last_updated_by IFILENAME][ifile last_update_time IFILENAME][ifile revision IFILENAME][ifile checksum IFILENAME][ifile attributes IFILENAME]

142


Task summary

You can import an existing file to the BIG-IP® system, create an iFile that is based on the imported file,and then write an iRule that returns the content of that file to a client system, based on an iRule event.

Task List

Importing a file to the BIG-IP system

Creating an iFile

Writing an iRule that references an iFile

Importing a file to the BIG-IP system

As a prerequisite, the file you want to import must reside on the BIG-IP® system you specify.

You can import a file from another system onto the BIG-IP system, as the first step in writing an iRule thatreferences that file.

1. From the Main tab, click System > File Management > iFile List > Import.

2. For the File Name setting, click Choose File.This allows you to browse for the file that you want to import to the BIG-IP system.

3. Browse for the file and click Open.The name of the file you select appears in the File Name setting.

4. In the Name field, type a new name for the file, such as 1k.html.The new file name appears in the list of imported files.

The result of this task is that the file you selected now resides on the BIG-IP system.

Creating an iFile

As a prerequisite, ensure that the current administrative partition is set to the partition in which you wantthe iFile to reside.

You perform this task to create an iFile that you can then reference in an iRule.

1. From the Main tab, click Local Traffic > iRules > iFile List.

2. Click Create.

3. In the Name field, type a new name for the iFile, such as ifileURL.

4. From the File Name list, select the name of the imported file object, such as 1k.html.

5. Click Finished.The new iFile appears in the list of iFiles.

The result of this task is that you now have a file that an iRule can reference.

Writing an iRule that references an iFile

You perform this task to create an iRule that references an iFile.

143


Note: If the iFile resides in partition /Common, then specifying the partition when referencing theiFile is optional. If the iFile resides in a partition other than /Common, such as /Partition_A,you must include the partition name in the iFile path name within the iRule.

1. From the Main tab, click Local Traffic > iRules > iRule List.

2. Click Create.

3. In the Name field, type a name between 1 and 31 characters, such as my_iRule.

4. In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax.

For complete and detailed information iRules syntax, see the F5 Networks DevCentral web site(http://devcentral.f5.com).

5. Click Finished.This displays a list of iRules.


You now have an iRule that accesses a file on the BIG-IP®system, based on a particular iRule event.

144


Chapter

23

Configuring the BIG-IP System as a DHCP Relay Agent

Topics:

• Overview: Managing IP addresses for DHCPclients


Overview: Managing IP addresses for DHCP clients

When you want to manage Dynamic Host Configuration Protocol (DHCP) client IP addresses, you canconfigure the BIG-IP® system to act as a DHCP relay agent. A common reason to configure the BIG-IPsystem as a DHCP relay agent is when the DHCP clients reside on a different subnet than the subnet of theDHCP servers.

About the BIG-IP system as a DHCP relay agent

A BIG-IP® virtual server, configured as a Dynamic Host Configuration Protocol (DHCP) relay type, providesyou with the ability to relay DHCP client requests for an IP address to one or more DHCP servers, availableas pool members in a DHCP pool without load balancing, on different virtual local area networks (VLANs).The DHCP client request is relayed to all pool members, and the replies from all pool members are relayedback to the client.

Figure 3: A sample DHCP relay agent configuration

For example, a DHCP client sends a broadcast message to the destination IP address255.255.255.255:67, which is the destination address configured on the virtual server. A DHCP relaytype virtual server automatically uses port 67 for an IPv4 broadcast message or port 547 for an IPv6 broadcastmessage. The BIG-IP virtual server receives this message on the VLAN with self IP address 10.20.0.1and relays the DHCP request to all DHCP servers: 10.10.0.3 and 10.10.0.7.

All DHCP servers provide a DHCP response with available IP addresses to the BIG-IP virtual server, whichthen relays all responses to the client. The client accepts and uses only one of the IP addresses received.

Note: In this example, there is no hop between the DHCP client and the BIG-IP relay agent.However, a common topology is one that includes this hop, which is often another BIG-IP system.

Alternate configuration

If the DHCP client subnet includes a BIG-IP system that serves as a hop to the BIG-IP relay agent, youmust perform two additional configuration tasks:

• You must configure the BIG-IP relay agent to relay the client DHCP requests to the DHCP serverswithout losing the originating subnet (source) IP address. This originating source IP address is typicallya self IP address of the BIG-IP system that resides on the client subnet. You configure the BIG-IP relayagent to preserve the originating source IP address by creating a SNAT that specifies the originatingself IP address as both the origin address and the translation address. A SNAT configured in this way

146


prevents the BIG-IP relay agent, before sending the DHCP broadcast message to the DHCP servers,from translating the source IP address of the incoming DHCP request to a different address.

• You must add a route (to the BIG-IP relay agent) that specifies the originating source IP address as thedestination for DHCP responses. The DHCP servers use this route to send their responses back throughthe BIG-IP relay agent to the clients.

Task summary

You configure the BIG-IP system to act as a Dynamic Host Configuration Protocol (DHCP) relay agent bycreating a pool of DHCP servers and then creating a virtual server to manage DHCP client broadcastmessages.

Task list

Creating a pool of DHCP servers

Creating a DHCP Relay type virtual server

Creating a pool of DHCP servers

You must create a pool that includes Dynamic Host Configuration Protocol (DHCP) servers as pool membersbefore you create a DHCP relay type virtual server.




4. (Optional) Type a description for the pool.

5. (Optional) For the Health Monitors setting, in the Available list, select UDP, and click << to movethe monitor to the Active list.

6. From the Load Balancing Method list, select null.

7. For the Priority Group Activation setting, select Disabled.


a) (Optional) Type a name in the Node Name field, or select a node address from the Node List.

a) Type an IP address in the Address field, or select a node address from the Node List.b) Type 67 (IPv4) or 547 (IPv6) in the Service Port field.c) Click Add.

9. Click Finished.

A pool that includes DHCP servers as pool members is created.

Creating a DHCP Relay type virtual server

A DHCP relay type BIG-IP® virtual server provides you with the ability to relay DHCP client requests foran IP address to one or more DHCP servers, and provide DHCP server responses with an available IPaddress for the client.

147





4. (Optional) Type a description for the virtual server.

5. From the Type list, select DHCP Relay.

6. Do one of the following to configure a Destination type.

• Select Host, and type 255.255.255.255 in the Address field.• Select Network, type 255.255.255.255 in the Address field, and type 255.255.255.255

in the Mask field.

7. From the State list, select Enabled.

8. In the Configuration area for the VLAN and Tunnel Traffic setting, select the VLANs on the samenetwork as the DHCP clients to ensure that the BIG-IP system can accept the broadcast traffic from theclient.

9. From the Default Pool list, select the pool that is configured for DHCP servers.

10. Click Finished.

A DHCP relay type virtual server is configured to provide the ability to relay DHCP client requests for anIP address to one or more DHCP servers, and provide DHCP server responses with an available IP addressfor the client.


The BIG-IP® system is configured to manage Dynamic Host Configuration Protocol (DHCP) client IPaddresses, using a DHCP Relay type virtual server to manage DHCP client broadcast messages.

148


Chapter

24

Configuring the BIG-IP System for DHCP Renewal

Topics:

• Overview: Renewing IP addresses for DHCPclients


Overview: Renewing IP addresses for DHCP clients

You can configure the BIG-IP® system to manage DHCP renewal requests and responses.

About DHCP renewal

You can configure the BIG-IP system to act as a DHCP renewal system. A common reason to configurethe BIG-IP system as a renewal system is when the DHCP servers reside on a different subnet than that ofthe client systems, and the BIG-IP system is also configured as a DHCP relay agent. As a DHCP renewalsystem, the BIG-IP system manages the renewal of client IP addresses by DHCP servers before the addressesexpire.

During the renewal process, a DHCP client sends a renewal request, which is passed through a BIG-IPForwarding IP type of virtual server directly to the specific DHCP server that issued the initial client IPaddress. The DHCP server then sends a response to renew the lease for the client's IP address.

In the example shown in the illustration, a DHCP client sends a renewal message to the same BIG-IP systemthat initially acted as the DHCP relay agent. This renewal request is forwarded through a BIG-IP renewalvirtual server directly to DHCP server 1. DHCP server 1 then provides a response to renew the lease forthe client's IP address.

Figure 4: A sample DHCP renewal system configuration

Task summary

You configure a BIG-IP system to act as a Dynamic Host Configuration Protocol (DHCP) relay system bycreating a virtual server that specifically forwards DHCP renewal requests to the appropriate DHCP server.

Task list

Creating a DHCP renewal virtual server

150


Creating a DHCP renewal virtual server

A Dynamic Host Configuration Protocol (DHCP) renewal virtual server forwards a DHCP request messagefrom a DHCP client directly to a DHCP server, to automatically renew an IP address before it expires.




4. (Optional) Type a description for the virtual server.

5. From the Type list, select Forwarding (IP).

6. For a Destination type, select Host, and type the DHCP server IP address in the Address field.

Tip: If you have multiple DHCP servers, type 0.0.0.0 in the Address field.

7. In the Service Port field, type 67 (IPv4) or 547 (IPv6).

8. From the Protocol list, select UDP.

9. From the VLAN and Tunnel Traffic list, select the VLANs on the same network as the DHCP clients.

10. Click Finished.

The BIG-IP system is now configured with a virtual server that can forward DHCP renewal requests directlyto the appropriate DHCP server.


The BIG-IP® system is configured to forward DHCP client renewal requests to appropriate DHCP serversthat reside on a different subnet than the client systems. The BIG-IP also forwards the DHCP server responsesback to the client systems, therefore ensuring that client IP addresses do not expire.

151


152


Chapter

25

Configuring a One-IP Network Topology

Topics:

• Overview: Configuring a one-IP networktopology

• Task summary for a one-IP network topologyfor the BIG-IP system

Overview: Configuring a one-IP network topology

One configuration option you can use with the BIG-IP® system is a one-IP network topology. This differsfrom the typical two-network configuration in two ways:

• Because there is only one physical network, this configuration does not require more than one interfaceon the BIG-IP system.

• Clients need to be assigned SNATs to allow them to make connections to servers on the network in aload balancing pool.

Part of this configuration requires you to configure the BIG-IP system to handle connections originatingfrom the client. You must define a SNAT in order to change the source address on the packet to the SNATexternal address, which is located on the BIG-IP system. Otherwise, if the source address of the returningpacket is the IP address of the content server, the client does not recognize the packet because the clientsent its packets to the IP address of the virtual server, not the content server.

If you do not define a SNAT, the server returns the packets directly to the client without giving the BIG-IPsystem the opportunity to translate the source address from the server address back to the virtual server. Ifthis happens, the client might reject the packet as unrecognizable.

The single interface configuration is shown in the following illustration.

Illustration of a one-IP network topology for the BIG-IP system

Task summary for a one-IP network topology for the BIG-IP system

You can perform these tasks to configure a one-IP network topology.

Task list

Creating a pool for processing HTTP connections with SNATs enabled


154


Defining a default route

Configuring a client SNAT

Creating a pool for processing HTTP connections with SNATs enabled

Verify that all content servers for the pool are in the network of VLAN external.

For a basic configuration, you need to create a pool to manage HTTP connections. This pool enables SNATsfor any connections destined for a member of the pool.





5. For the Allow SNAT setting, verify that the value is Yes.

6. In the Resources area of the screen, use the default values for the Load Balancing Method and PriorityGroup Activation settings.



8. Click Finished.












8. Click Finished.


155


Defining a default route

Another task that you must perform to implement one-IP network load balancing is to define a default routefor the VLAN external.

1. On the Main tab, click Network > Routes.

2. Click Add.The New Route screen opens.

3. From the Type list, select Default IPv4 Gateway.

4. From the Resource list, select Use VLAN.

A VLAN represents the VLAN through which the packets flow to reach the specified destination.

5. Select external from the VLAN list.

6. At the bottom of the screen, click Finished.

The default route for the VLAN external is defined.

Configuring a client SNAT

To configure the BIG-IP® system to handle connections originating from the client, you can define a SNATto change the source address on the packet to the SNAT external address located on the BIG-IP system.

1. On the Main tab, click Local Traffic > SNATs .The SNAT List screen displays a list of existing SNATs.

2. Click Create.

3. Name the new SNAT.

4. In the Translation field, type the IP address that you want to use as a translation IP address.

5. From the Origin list, select Address List.

6. For each client to which you want to assign a translation address, do the following:

a) Select Host.b) Type a client IP address in the Address field.c) Click Add.

7. From the VLAN Traffic list, select Enabled on.

8. For the VLAN List setting, in the Available field, select external, and using the Move button, movethe VLAN name to the Selected field.

9. Click Finished.

The BIG-IP system is configured to handle connections originating from the client

156


Chapter

26

Implementing Health and Performance Monitoring

Topics:

• Overview: Health and performancemonitoring

• Task summary

Overview: Health and performance monitoring

You can set up the BIG-IP® system to monitor the health or performance of certain nodes or servers thatare members of a load balancing pool. Monitors verify connections on pool members and nodes. A monitorcan be either a health monitor or a performance monitor, designed to check the status of a pool, pool member,or node on an ongoing basis, at a set interval. If a pool member or node being checked does not respondwithin a specified timeout period, or the status of a pool member or node indicates that performance isdegraded, the BIG-IP system can redirect the traffic to another pool member or node.

Some monitors are included as part of the BIG-IP system, while other monitors are user-created. Monitorsthat the BIG-IP system provides are called pre-configured monitors. User-created monitors are called custommonitors.

Before configuring and using monitors, it is helpful to understand some basic concepts regarding monitortypes, monitor settings, and monitor implementation.

Every monitor, whether pre-configured or custom, is a certain type of monitor. Eachtype of monitor checks the status of a particular protocol, service, or application. For

Monitor types

example, one type of monitor is HTTP. An HTTP type of monitor allows you to monitorthe availability of the HTTP service on a pool, pool member, or node. A WMI type ofmonitor allows you to monitor the performance of a pool, pool member, or node that isrunning the Windows Management Instrumentation (WMI) software. An ICMP type ofmonitor simply determines whether the status of a node is up or down.

Every monitor consists of settings with values. The settings and their values differdepending on the type of monitor. In some cases, the BIG-IP system assigns default

Monitorsettings

values. For example, the following shows the settings and default values of an ICMP-typemonitor.

Name my_icmp Type ICMP Interval 5 Timeout 16 Transparent No Alias Address * All Addresses

Note: If you want to monitor the performance of a RealNetworks® RealServer server or aWindows®-based server equipped with Windows Management Instrumentation (WMI), you mustfirst download a special plug-in file onto the BIG-IP system.

Task summary

To implement a health or performance monitor, you perform these tasks.

Task list

Creating a custom monitor


158



Creating a custom monitor

Before creating a custom monitor, you must decide on a monitor type.

You can create a custom monitor when the values defined in a pre-configured monitor do not meet yourneeds, or no pre-configured monitor exists for the type of monitor you are creating.

Important: When defining values for custom monitors, make sure you avoid using any values thatare on the list of reserved keywords.





4. From the Type list, select the type of monitor.The screen refreshes, and displays the configuration options for the monitor type.





7. Configure all settings shown.

8. Click Finished.











159






8. Click Finished.











The web customer now has a destination IP address on the BIG-IP system for application traffic.

160


Chapter

27

Preventing TCP Connection Requests From Being Dropped

Topics:

• Overview: TCP request queuing• Preventing TCP connection requests from

being dropped

Overview:TCP request queuing

TCP request queuing provides the ability to queue connection requests that exceed the capacity of connectionsfor a pool, pool member, or node, as determined by the connection limit. Consequently, instead of droppingconnection requests that exceed the capacity of a pool, pool member, or node, TCP request queuing enablesthose connection requests to reside within a queue in accordance with defined conditions until capacitybecomes available.

When using session persistence, a request becomes queued when the pool member connection limit isreached.

Without session persistence, when all pool members have a specified connection limit, a request becomesqueued when the total number of connection limits for all pool members is reached.

Conditions for queuing connection requests include:

• The maximum number of connection requests within the queue, which equates to the maximum numberof connections within the pool, pool member, or node. Specifically, the maximum number of connectionrequests within the queue cannot exceed the cumulative total number of connections for each poolmember or node. Any connection requests that exceed the capacity of the request queue are dropped.

• The availability of server connections for reuse. When a server connection becomes available for reuse,the next available connection request in the queue becomes dequeued, thus allowing additional connectionrequests to be queued.

• The expiration rate of connection requests within the queue. As queue entries expire, they are removedfrom the queue, thus allowing additional connection requests to be queued.

Connection requests within the queue become dequeued when:

• The connection limit of the pool is increased.• A pool member's slow ramp time limit permits a new connection to be made.• The number of concurrent connections to the virtual server decreases below the connection limit.• The connection request within the queue expires.

Preventing TCP connection requests from being dropped

When you enable TCP request queuing, connection requests become queued when they exceed the totalnumber of available server connections.


2. Click a pool name in the Pool List.


4. In the Enable Request Queuing list, select Yes.

5. In the Request Queue Depth field, type the maximum number of connections allowed in the queue.

Note: If you type zero (0) or leave the field blank, the maximum number of queued connectionsis unlimited, constrained only by available memory.

162


6. In the Request Queue Timeout field, type the maximum number of milliseconds that a connection canremain queued.

Note: If you type zero (0) or leave the field blank, the maximum number of milliseconds isunlimited.

7. Click Update.

Connection requests become queued when they exceed the total number of available server connections.

163


164


Chapter

28

Load Balancing to IPv6 Nodes

Topics:

• Overview: Load balancing to iPv6 nodes• Task summary

Overview: Load balancing to iPv6 nodes

To set up the BIG-IP® system to function as an IPv4-to-IPv6 gateway, you can configure the radvd service.You configure the radvd service to send out ICMPv6 routing advisory messages, and to respond to ICMPv6route solicitation messages. When you perform this task, the BIG-IP system begins to supportauto-configuration of downstream nodes. Also, the downstream nodes automatically discover that the BIG-IPsystem is their router.

Task summary

When you configure IPv4-to-IPv6 load balancing, you must create a pool for load balancing traffic to IPv6nodes, and then create an IPv4 virtual server that processes application traffic.

Task list

Configuring the radvd service (optional)


Creating a virtual server for IPv6 nodes

Configuring the radvd service (optional)

Configuring the radvd service to perform these functions ultimately advertises the network’s global addressprefix on the internal VLAN.

Note: All IPv6 addresses that you define on the BIG-IP system must reside in route domain0.

1. Using a serial console or the IP address of the BIG-IP system management interface, access an operatingsystem prompt on the BIG-IP system.

2. Copy the file /etc/radvd.conf.example to a new file named /etc/radvd.conf.

3. Using the nano or vi text editor, open the file /etc/radvd.conf.

4. Using the example in the file, create an advertising configuration for the network’s global address prefix.

You should replace the prefix option with an address appropriate for your network.

5. Save the /etc/radvd.conf file and exit the editor.

6. Start the radvd service as follows: bigstart startup radvd

7. Verify that the IPv6 nodes have auto-configured their addresses for this prefix.

8. Take note of the addresses of the HTTP service IPv6 nodes. These addresses are required for the nextstep in the process, configuring IPv4-to-IPv6 load balancing.


The first task in configuring IPv4-to-IPv6 load balancing is to create a pool to load balance connections toIPv6 nodes. Use the Configuration utility to create this pool.

166














8. Click Finished.


Creating a virtual server for IPv6 nodes

You can define a virtual server that references the pool of IPv6 nodes.










8. (Optional) In the Web Acceleration Profile list, select one of the following profiles:

167




10. Click Finished.

The virtual server that references the pool of IPv6 nodes appears in the Virtual Servers list.

168


Chapter

29

Configuring DNS Express on BIG-IP Systems

Topics:

• How do I configure DNS Express?• Task summary• Implementation result

How do I configure DNS Express?

You can configure DNS Express™ on BIG-IP® systems to mitigate distributed denial-of-service attacks(DDoS) and increase the volume of DNS request resolutions on both the local BIND server on the BIG-IPsystem and any back-end DNS servers.

What is DNS Express?

DNS Express™ provides the ability for a BIG-IP® system to act as a high-speed, authoritative secondaryDNS server. This allows the system to:

• Perform zone transfers from multiple primary DNS servers that are responsible for different zones.• Perform a zone transfer from the local BIND server on the BIG-IP system.• Serve DNS records faster than the primary DNS servers.

Task summary

Perform these tasks to configure DNS Express™ on your BIG-IP® system.

Creating a DNS Express TSIG key

Creating a DNS Express zone

Enabling DNS Express

Assigning a DNS profile to a virtual server

Configuring the legacy DNS server to allow zone file transfers

Viewing information about DNS Express zones

Creating a DNS Express TSIG key

Ensure that your back-end DNS servers are configured for zone transfers using TSIG keys.

When you want to verify the identity of the authoritative server that is sending information about the zone,create a DNS Express™ TSIG key .

Note: This step is optional.

1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express TSIG Key List.The DNS Express TSIG Key List screen opens.

2. Click Create.The New DNS Express TSIG Key screen opens.

3. In the Name field, type a name for the key.

4. From the Algorithm list, select one of the following.

DescriptionAlgorithm Name

Produces a 128-bit hash sequenceHMAC MD5

170


DescriptionAlgorithm Name

Produces a 160-bit hash sequenceHMAC SHA-1

Produces a 256-bit hash sequenceHMAC SHA-256

5. In the Secret field, type the phrase required for authentication of the key.

6. Click Finished.

Creating a DNS Express zone

If you are using back-end DNS servers, ensure that those servers are configured for zone transfers.

To implement DNS Express™ on a BIG-IP® system, create a DNS Express zone.

1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express Zone List.The DNS Express Zone List screen opens.

2. Click Create.The New DNS Express Zone screen opens.

3. In the Name field, type a name for the DNS Express zone.

4. In the Target IP Address field, type the IP address of the DNS server from which you want to transferrecords.

The default value 127.0.0.1 is for the BIND server on the BIG-IP system.

5. To configure the system to verify the identity of the authoritative server that is sending informationabout the zone, from the TSIG Key list, select a key.

6. To specify an action for the BIG-IP system to take when a DNS query does not match a wide IP or DNSExpress zone, from the Notify Action list, select one of the following.

DescriptionAction

The BIG-IP system processes the query.Consume

The BIG-IP system bypasses DNSSEC and the backend DNS serverhandles the query.

Bypass

The BIG-IP system repeats the DNS query.Repeat

7. Click Finished.

Enabling DNS Express

Create a custom DNS profile to enable DNS Express™, only if you want to use a back-end DNS server forname resolution while the BIG-IP system handles queries for wide IPs and DNS Express zones.

Note: If you plan to use the BIND server on BIG-IP GTM™, you can use the default dns profile.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS .The DNS profile list screen opens.

2. Click Create.The New DNS Profile screen opens.

3. Name the profile dns_express.

171



4. In the Parent Profile list, accept the default dns profile.


6. In the Global Traffic Management list, accept the default value Enabled.

7. From the DNS Express list, select Enabled.

8. From the Unhandled Query Actions list, select how you want the BIG-IP system to handle a querythat is not for a wide IP or DNS Express zone.

DescriptionOption

The BIG-IP system forwards the connection request to another DNS server orDNS server pool. Note that if a DNS server pool is not associated with a listener

Allow

and the Use BIND Server on BIG-IP option is set to enabled, connectionrequests are forwarded to the local BIND server. (Allow is the default value.)

The BIG-IP system does not respond to the query.Drop

The BIG-IP system returns the query with the REFUSED return code.Reject

The BIG-IP system returns the query with a list of root name servers.Hint

The BIG-IP system returns the query with the NOERROR return code.No Error

9. From the Use BIND Server on BIG-IP list, select Disabled.

10. Click Finished.

Assign the profile to virtual servers or listeners.


If you plan to use the BIND server on the BIG-IP® system, you can assign the default DNS profile (dns)to a virtual server. If you plan to use a back-end DNS server and you created a custom DNS profile for DNSExpress, you can assign it to the virtual server.



3. From the DNS Profile list, select either dns or the custom DNS profile you created for DNS Express.

4. Click Finished.

The traffic handled by this virtual server is protected by DNS Express.

Configuring the legacy DNS server to allow zone file transfers

If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND,available from O’Reilly Media.

To configure the legacy DNS server to allow zone file transfers to BIG-IP® system, add to the DNS serveran allow-transfer statement that specifies the IP address of the new BIG-IP system.

172


You can modify the following allow-transfer statement to use the IP address of yourBIG-IP system:

allow-transfer { localhost; <IP address of BIG-IP system>; };

Viewing information about DNS Express zones

You can view information about the zones that are protected by DNS Express™.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic .The Local Traffic Statistics screen opens.

2. From the Statistics Type list, select DNS Express Zones.Information displays about the DNS Express zones.

DescriptionRecord type

Displays start of authority record information.SOA Records

Displays the number of resource records for thezone.

Resource Records


You now have an implementation in which the BIG-IP® system helps to mitigate DDoS attacks on yournetwork and to resolve more DNS queries faster.

173


174


Chapter

30

Load Balancing DNS Traffic Between IPv-6 Only and IPv-4Only Clouds

Topics:

• Overview: Handling IPv6-only connectionrequests to IPv4-only servers


Overview: Handling IPv6-only connection requests to IPv4-only servers

You can configure BIG-IP® Local Traffic Manager™ (LTM) and BIG-IP® Global Traffic Manager™ (GTM)systems to handle IPv6-only client connection requests to IPv4-only servers on your network by returningan AAAA record response to the client.

Figure 5: Mapping IPv6 addresses to IPv4 addresses

Task summary

Perform these tasks to configure BIG-IP systems to handle DNS queries from IPv6-only clients to IPv4-onlyservers on your network.

Creating a custom DNS profile


Creating a custom DNS profile

You can create a custom DNS profile to configure how the BIG-IP® system handles DNS connectionrequests.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS .The DNS profile list screen opens.

2. Click Create.The New DNS Profile screen opens.

176

Load Balancing DNS Traffic Between IPv-6 Only and IPv-4 Only Clouds



4. In the Parent Profile list, accept the default dns profile.


6. In the Global Traffic Management list, accept the default value Enabled.

7. From the DNS IPv6 to IPv4 list, select how you want the system to handle IPv6 to IPv4 address mappingin DNS queries and responses.

DescriptionOption

The BIG-IP system does not map IPv4 addresses to IPv6 addresses.Disabled

The BIG-IP system receives an AAAA query and forwards the query to a DNS server.The BIG-IP system then forwards the first good response from the DNS server to the

Immediate

client. If the system receives an A response first, it appends a 96-bit prefix to therecord and forwards it to the client. If the system receives an AAAA response first,it simply forwards the response to the client. The system disregards the secondresponse from the DNS server.

The BIG-IP system receives an AAAA query and forwards the query to a DNS server.Only if the server fails to return a response does the BIG-IP system send an A query.

Secondary

If the BIG-IP system receives an A response, it appends a 96-bit user-configuredprefix to the record and forwards it to the client.

The BIG-IP system receives an AAAA query, but forwards an A query to a DNSserver. After receiving an A response from the server, the BIG-IP system appends a96-bit user-configured prefix to the record and forwards it to the client.

v4 Only

Important: Select this option only if you know that all your DNS servers areIPv4 only servers.

If you selected Immediate, Secondary, or V4 Only two new fields display.

8. In the IPv6 to IPv4 Prefix field, specify the prefix the BIG-IP system appends to all A query responsesto an IPv6 request.

9. From the IPv6 to IPv4 Additional Section Rewrite list, select an option to allow improved networkefficiency for both Unicast and Multicast DNS-SD responses.

DescriptionOption

The BIG-IP system does not perform additional rewrite.Disabled

The BIG-IP system accepts only A records. The system appends the 96-bituser-configured prefix to a record and returns an IPv6 response to the client.

v4 Only

The BIG-IP system accepts only AAAA records and returns an IPv6 response tothe client.

v6 Only

The BIG-IP system accepts and returns both A and AAAA records. If the DNSserver returns an A record in the Additional section of a DNS message, the BIG-IP

Any

system appends the 96-bit user-configured prefix to the record and returns anIPv6 response to the client.

10. From the Use BIND Server on BIG-IP list, select Enabled.

177


Note: Enable this setting only when you want the system to forward non-wide IP queries to thelocal BIND server on BIG-IP GTM.

11. Click Finished.




3. From the DNS Profile list, select the profile you created to manage IPv6 to IPv4 address mapping.

4. Click Update.

This virtual server can now pass traffic between an IPv6-only client and an IPv4-only DNS server.


You now have an implementation in which the BIG-IP® system handles connection requests from anIPv6-only client to an IPv4-only server.

178

Load Balancing DNS Traffic Between IPv-6 Only and IPv-4 Only Clouds

Chapter

31

Mitigating Denial of Service Attacks

Topics:

• Overview: Mitigating Denial of Service andother attacks

• Denial of Service attacks and iRules• Common Denial of Service attacks• Task summary

Overview: Mitigating Denial of Service and other attacks

The BIG-IP® system contains several features that provide you with the ability to create a configurationthat contributes to the security of your network. In particular, the BIG-IP system is in a unique position tomitigate some types of denial-of-service (DoS) attacks that try to consume system resources in order todeny service to the intended recipients.

The following features of the BIG-IP system help it resist many types of DoS attacks:

• The BIG-IP kernel has a mechanism built in to protect against SYN Flood attacks by limiting simultaneousconnections, and tearing down connections that have unacknowledged SYN/ACK packets after sometime period as passed. (A SYN/ACK packet is a packet that is sent as part of the TCP three-wayhandshake).

• BIG-IP system can handle tens of thousands of Layer 4 (L4) connections per second. It would take avery determined attack to affect either the BIG-IP system itself, or the site, if sufficient server resourcesand bandwidth are available.

• SYN floods, or denial-of-service (DoS) attacks, can consume all available memory. The BIG-IP systemsupports a large amount of memory to help it resist DoS attacks.

Denial of Service attacks and iRules

You can create BIG-IP® iRules® to filter out malicious DoS attacks. After you identify a particular attack,you can write an iRule that discards packets containing the elements that identify the packet as malicious.

iRules for Code Red attacks

The BIG-IP® system is able to filter out the Code Red attack by using an iRule to send the HTTP requestto a dummy pool.

when HTTP_REQUEST { if {string tolower [HTTP::uri] contains "default.ida" } { discard } else { pool RealServerPool}

iRules for Nimda attacks

The Nimda worm is designed to attack systems and applications based on the Microsoft® Windows® operatingsystem.

when HTTP_REQUEST { set uri [string tolower [HTTP::uri]] if { ($uri contains "cmd.exe") or ($uri contains "root.exe") or ($uri contains "admin.dll") } { discard } else {

180


pool ServerPool }}

Common Denial of Service attacksYou might want to know how the BIG-IP® system reacts to certain common attacks that are designed todeny service by breaking the service or the network devices. The following information lists the mostcommon attacks, along with how the BIG-IP system functionality handles the attack.

DescriptionAttack type

A SYN flood is an attack against a system for thepurpose of exhausting that system's resources. An

SYN flood

attacker launching a SYN flood against a targetsystem attempts to occupy all available resourcesused to establish TCP connections by sendingmultiple SYN segments containing incorrect IPaddresses. Note that the term SYN refers to a typeof connection state that occurs during establishmentof a TCP/IP connection.

More specifically, a SYN flood is designed to fill upa SYN queue. A SYN queue is a set of connectionsstored in the connection table in theSYN-RECEIVED state, as part of the standardthree-way TCP handshake. A SYN queue can holda specified maximum number of connections in theSYN-RECEIVED state.

Connections in the SYN-RECEIVED state areconsidered to be half-open and waiting for anacknowledgment from the client. When a SYN floodcauses the maximum number of allowed connectionsin the SYN-RECEIVED state to be reached, the SYNqueue is said to be full, thus preventing the targetsystem from establishing other legitimateconnections. A full SYN queue therefore results inpartially-open TCP connections to IP addresses thateither do not exist or are unreachable. In these cases,the connections must reach their timeout before theserver can continue fulfilling other requests.

The BIG-IP system includes a feature designed toalleviate SYN flooding. Known as SYN Check™,this feature sends information about the flow, in theform of cookies, to the requesting client, so that thesystem does not need to keep the SYN-RECEIVEDstate that is normally stored in the connection tablefor the initiated session. Because theSYN-RECEIVED state is not kept for a connection,

181



the SYN queue cannot be exhausted, and normalTCP communication can continue.

The SYN Check feature complements the existingadaptive reaper feature in the BIG-IP system. Whilethe adaptive reaper handles established connectionflooding, SYN Check prevents connection floodingaltogether. That is, while the adaptive reaper mustwork overtime to flush connections, the SYN Checkfeature prevents the SYN queue from becoming full,thus allowing the target system to continue toestablish TCP connections.

The ICMP flood, sometimes referred to as a Smurfattack, is an attack based on a method of making a

ICMP flood (Smurf)

remote network send ICMP Echo replies to a singlehost. In this attack, a single packet from the attackergoes to an unprotected network's broadcast address.Typically, this causes every machine on that networkto answer with a packet sent to the target. The BIG-IPsystem is hardened against these attacks because itanswers only a limited number of ICMP requests persecond, and then drops the rest. On the networkinside the BIG-IP system, the BIG-IP system ignoresdirected subnet broadcasts, and does not respond tothe broadcast ICMP Echo that a Smurf attacker usesto initiate an attack. You do not need to make anychanges to the BIG-IP system configuration for thistype of attack.

The UDP flood attack is most commonly adistributed denial-of-service attack (DDoS), where

UDP flood

multiple remote systems are sending a large flood ofUDP packets to the target. The BIG-IP systemhandles these attacks similarly to the way it handlesa SYN flood. If the port is not listening, the BIG-IPsystem drops the packets. If the port is listening, thereaper removes the false connections.

Setting the UDP idle session timeout to between 5and 10 seconds reaps these connections quicklywithout impacting users with slow connections.However, with UDP this may still leave too manyopen connections, and your situation may require asetting of between 2 and 5 seconds.

The UDP fragment attack is based on forcing thesystem to reassemble huge amounts of UDP data

UDP fragment

sent as fragmented packets. The goal of this attackis to consume system resources to the point wherethe system fails. The BIG-IP system does notreassemble these packets, it sends them on to theserver if they are for an open UDP service. If these

182



packets are sent with the initial packet opening theconnection correctly, then the connection is sent tothe back-end server. If the initial packet is not thefirst packet of the stream, the entire stream isdropped.

You do not need to make any changes to the BIG-IPsystem configuration for this type of attack.

The Ping of Death attack is an attack with ICMPecho packets that are larger than 65535 bytes. As

Ping of Death

this is the maximum allowed ICMP packet size, thiscan crash systems that attempt to reassemble thepacket. The BIG-IP system is hardened against thistype of attack. However, if the attack is against avirtual server with the Any IP feature enabled, thenthese packets are sent on to the server. It is importantthat you apply the latest update patches to yourservers.


A Land attack is a SYN packet sent with the sourceaddress and port the same as the destination address

Land

and port. The BIG-IP system is hardened to resistthis attack. The BIG-IP system connection tablematches existing connections so that a spoof of thissort is not passed on to the servers. Connections tothe BIG-IP system are checked and dropped ifspoofed in this manner.


A Teardrop attack is carried out by a program thatsends IP fragments to a machine connected to the

Teardrop

Internet or a network. The Teardrop attack exploitsan overlapping IP fragment problem present in somecommon operating systems. The problem causes theTCP/IP fragmentation re-assembly code toimproperly handle overlapping IP fragments. TheBIG-IP system handles these attacks by correctlychecking frame alignment and discarding improperlyaligned fragments.


The BIG-IP system can also offer protection fromdata attacks to the servers behind the BIG-IP system.

Data

The BIG-IP system acts as a port-deny device,preventing many common exploits by simply notpassing the attack through to the server.

183



The WinNuke attack exploits the way certaincommon operating systems handle data sent to the

WinNuke

NetBIOS ports. NetBIOS ports are 135, 136, 137and 138, using TCP or UDP. The BIG-IP systemdenies these ports by default. On the BIG-IP system,do not open these ports unless you are sure yourservers have been patched against this attack.

The Sub 7 attack is a Trojan horse that is designedto run on certain common operating systems. This

Sub 7

Trojan horse allows the system to be controlledremotely. This Trojan horse listens on port 27374by default. The BIG-IP system does not allowconnections to this port from the outside, so acompromised server cannot be controlled remotely.Do not open high ports (ports above 1024) withoutexplicit knowledge of what applications will berunning on these ports.

A Back Orifice attack is a Trojan horse that isdesigned to run on certain common operating

Back Orifice

systems. This Trojan horse allows the system to becontrolled remotely. This Trojan horse listens onUDP port 31337 by default. The BIG-IP system doesnot allow connections to this port from the outside,so a compromised server cannot be controlledremotely. Do not open high ports (ports above 1024)without explicit knowledge of what will be runningon these ports.

Task summary

There are several tasks you can perform to mitigate Denial-of-Service attacks.

Task list

Configuring adaptive connection reaping

Setting the TCP and UDP connection timers

Applying a rate class to a virtual server

Calculating connection limits on the main virtual server

Setting connection limits on the main virtual server

Setting the SYN Check activation threshold

Configuring adaptive connection reaping

The BIG-IP® system contains two global settings that provide the ability to reap connections adaptively.Connection reaping is a condition where connections are removed from the BIG-IP system when the

184


connection load uses enough memory to trigger the start of aggressive reaping. To prevent denial-of-serviceattacks, you can specify a low-water mark threshold and a high-water mark threshold:

• The low-water mark threshold determines at what point adaptive reaping becomes more aggressive.• The high-water mark threshold determines when unestablished connections through the BIG-IP system

will no longer be allowed. The value of this variable represents a percentage of memory utilization.

Once memory utilization has reached the high-water mark, connections are disallowed until the availablememory has been reduced to the low-water mark threshold.

Caution: The adaptive reaper settings do not apply to SSL connections. However, you can set TCPand UDP connection timeouts that reap idle SSL connections.

Note: There is generally no need to change these values as they represent an optimal solution formost BIG-IP system deployments.

Important: Setting both of the adaptive reaper values to 100 disables this feature.

1. On the Main tab, click System > Configuration.The General screen opens.

2. From the Local Traffic menu, choose General.The System screen opens.

3. In the Properties table:

a) Set the Reaper High-water Mark property to 95.b) Set the Reaper Low-water Mark property to 85.

4. Click Update.

Setting the TCP and UDP connection timers

You can set the TCP and UDP timers in the profile settings for the TCP profile and the UDP profiles. Youshould set these timers for the services that you use for your virtual servers. For example, you can set avalue of 60 for HTTP connections and 60 for SSL connections.

1. On the Main tab, click Local Traffic > Profiles.

2. From the Protocol menu, choose TCP or UDP.

3. Click the name of the profile type you want to configure.

4. Set the Idle Timeout setting to 60.

5. Click Update.

Applying a rate class to a virtual server

After you create a rate class, you can apply it to the virtual servers in the configuration.


2. In the Virtual Server list, click the virtual server that you want.

3. In the Configuration list, click Advanced.

4. In the Rate Class list, select a rate class.

185


5. Click Update.

The rate class is applied to the virtual server.

Calculating connection limits on the main virtual server

Use this procedure to set a connection limit.

Before you set a connection limit, use the following formula to figure out what to set the connectionlimit value to on the main virtual server: Connection Limit = Approximate Amount of RAMin KB * 0.8.

If you have 256 MB of RAM, the calculation looks like this: 256,000 * 0.8 = 20480In this case, you set the connection limit to 20480.

Setting connection limits on the main virtual server

Connection limits determine the maximum number of concurrent connections allowed on a virtual server.In this context, the main virtual server is the virtual server that receives the most traffic to your site.


2. Click the virtual server that you want to modify.


4. In the Connection Limit field, type the number that you calculated for the connection limit.


The virtual server is configured for the specified maximum number of concurrent connections.

Setting the SYN Check activation threshold

You can configure the BIG-IP® system to activate the SYN Check™ feature when some threshold ofconnections has been reached on the system.

1. On the Main tab, click System > Configuration.

2. From the Local Traffic menu, choose General.

3. In the SYN Check Activation Threshold field, type the number of connections that you want to definefor the threshold.

4. Click Update.

186


Chapter

32

Configuring Remote CRLDP Authentication

Topics:

• Overview of remote authentication forapplication traffic

• Task Summary

Overview of remote authentication for application traffic

As an administrator in a large computing environment, you can set up the BIG-IP system to use this serverto authenticate any network traffic passing through the BIG-IP system. This type of traffic passes througha virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authenticationservers typically use one of these protocols:

• Lightweight Directory Access Protocol (LDAP)• Remote Authentication Dial-in User Service (RADIUS)• TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])• Online Status Certificate Protocol (OCSP)• Certificate Revocation List Distribution Point (CRLDP)• Kerberos

To configure remote authentication for this type of traffic, you must create a configuration object and aprofile that correspond to the type of authentication server you are using to store your user accounts. Forexample, if your remote authentication server is an LDAP server, you create an LDAP configuration objectand an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, youmust also create a third type of object. For RADIUS and CRLDP authentication, this object is referred toas a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.

Task Summary

To configure remote authentication with CRLDP, you must create a configuration object and a profile thatcorrespond to the authentication server you are using to store your user accounts. You must also create athird type of object. This object is referred to as a server object.

Task list

Creating a CRLDP configuration object for authenticating application traffic remotely

Creating a custom CRLDP profile

Modifying a virtual server for CRLDP authentication

Creating a CRLDP configuration object for authenticating application traffic remotely

The CRLDP authentication module checks the revocation status of an SSL certificate, as part of authenticatingthat certificate. A CRLDP configuration object specifies information that the BIG-IP system needs to performthe remote authentication.

1. On the Main tab of the navigation pane, click Local Traffic > Profiles .

2. From the Authentication menu, choose Configurations.

3. Click Create.

4. In the Namefield, type a unique name for the configuration object, such asmy_crldp_config.

5. From the Type list, select CRLDP.

6. In the Connection Timeout field, retain or change the time limit, in seconds, for the connection to theCertificate Revocation List Distribution Points (CRLDP) server.

188


7. In the Update Interval field, retain or change the interval, in seconds, for the system to use whenreceiving updates from the CRLDP server.

If you use the default value of 0 (zero), the CRLDP server updates the system according to the expirationtime specified for the CRL.

8. For the Use Issuer setting, retain the default value (cleared) or check the box.

When cleared (disabled), the BIG-IP system extracts the CRL distribution point from the incomingclient certificate. When checked (enabled), the BIG-IP system extracts the CRL distribution point fromthe signing certificate.

9. For the CRLDP Serverssetting, select a CRLDP server name in the Available list, and using the Movebutton, move the name to the Selected list.

10. Click Finished.

You now have a CRLDP configuration object that a CRLDP profile can reference.

Creating a custom CRLDP profile

The next task in configuring CRLDP-based remote authentication on the BIG-IP® system is to create acustom CRLDP profile.

1. On the Main tab, click Local Traffic > Profiles > Authentication > Profiles .The Profiles list screen opens.

2. Click Create.The New Authentication Profile screen opens.



4. Select CRLDP from the Type list.

5. Select ssl_crldp in the Parent Profile list.


7. Select a CRLDP configuration object from the Configuration list.

8. Click Finished.

Modifying a virtual server for CRLDP authentication

The final task in the process of implementing CRLDP authentication is to assign the custom CRLDP profileto a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTPprofile is assigned).


2. Click the name of a virtual server.


4. For the Authentication Profiles setting, in the Available field, select a custom CRLDP profile, andusing the Move button, move the custom CRLDP profile to the Selected field.


The virtual server is assigned the custom CRLDP profile.

189


190


Chapter

33

Configuring Remote LDAP Authentication

Topics:

• Overview of remote LDAP authentication forapplication traffic

• Task Summary

Overview of remote LDAP authentication for application traffic




Task Summary

To configure remote authentication for LDAP traffic, you must create a configuration object and a profilethat correspond to the LDAP authentication server you are using to store your user accounts. You must alsomodify the relevant virtual server.

Task list

Creating an LDAP configuration object for authenticating application traffic remotely

Creating a custom LDAP profile

Modifying a virtual server for LDAP authentication

Creating an LDAP configuration object for authenticating application traffic remotely

An LDAP configuration object specifies information that the BIG-IP system needs to perform the remoteauthentication. For example, the configuration object specifies the remote LDAP tree that the system usesas the source location for the authentication data.



3. Click Create.

4. In the Namefield, type a unique name for the configuration object, such asmy_ldap_config.

5. From the Type list, select LDAP.

6. In the Remote LDAP Tree field, type the file location (tree) of the user authentication database on theLDAP or Active Directory server.

192


At a minimum, you must specify a domain component (that is, dc=value).

7. In the Hosts field, type the IP address of the remote LDAP or Active Directory server.

8. Click Add.The IP address of the remote LDAP or Active Directory server appears in the Hosts area.

9. Retain or change the Service Port value.

10. Retain or change the LDAP Version value.

11. Click Finished.

You now have an LDAP configuration object that the LDAP authentication profile can reference.

Creating a custom LDAP profile

The next task in configuring LDAP-based or Active Directory-based remote authentication on the BIG-IP®

system is to create a custom LDAP profile.





4. Select LDAP from the Type list.

5. Select ldap in the Parent Profile list.

6. Select the LDAP configuration object that you created from the Configuration list.

7. Click Finished.

The custom LDAP profile appears in the Profiles list.

Modifying a virtual server for LDAP authentication

The final task in the process of implementing authentication using a remote LDAP server is to assign thecustom LDAP profile and a default LDAP authentication iRule to a virtual server that is configured toprocess HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).


2. Click the name of a Standard-type of virtual server to which an HTTP profile has been assigned.


4. For the Authentication Profiles setting, in the Available field, select a custom LDAP profile, and usingthe Move button, move the custom LDAP profile to the Selected field.


The virtual server is assigned the custom LDAP profile.

193


194


Chapter

34

Configuring Remote RADIUS Authentication

Topics:


• Task summary for RADIUS authenticationof application traffic


As an administrator in a large computing environment, you can set up the BIG-IP® system to use this serverto authenticate any network traffic passing through the BIG-IP system. This type of traffic passes througha virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authenticationservers typically use one of these protocols:



Task summary for RADIUS authentication of application traffic

To configure remote authentication for RADIUS traffic, you must create a configuration object and a profilethat correspond to the RADIUS authentication server you are using to store your user accounts. You mustalso create a third type of object. This object is referred to as a server object.

Task list

Creating a RADIUS server object for authenticating application traffic remotely

Creating a RADIUS configuration object for authenticating application traffic remotely

Creating a custom RADIUS profile

Modifying a virtual server for RADIUS authentication

Creating a RADIUS server object for authenticating application traffic remotely

A RADIUS server object represents the remote RADIUS server that the BIG-IP system uses to accessauthentication data.


2. From the Authentication menu, choose RADIUS Servers.

3. Click Create.

4. In the Namefield, type a unique name for the server object, such asmy_radius_server.

5. In the Host field, type the host name or IP address of the RADIUS server.

196


6. In the Service Port field, type the port number for RADIUS authentication traffic, or retain the defaultvalue (1812).

7. In the Secret field, type the secret key used to encrypt and decrypt packets sent or received from theserver.

8. In the Confirm Secret field, re-type the secret you specified in the Secret field.

9. In the Timeout field, type a timeout value, in seconds, or retain the default value (3).

10. Click Finished.

You now have a RADIUS server object that the RADIUS configuration object can reference.


The BIG-IP system configuration must include at least one RADIUS server object.

You use a RADIUS authentication module when your authentication data is stored on a remote RADIUSserver. A RADIUS configuration object specifies information that the BIG-IP system needs to perform theremote authentication.



3. Click Create.

4. In the Namefield, type a unique name for the configuration object, such asmy_radius_config.

5. From the Type list, select RADIUS.

6. For the RADIUS Serverssetting, select a RADIUS server name in the Available list, and using theMove button, move the name to the Selected list.

7. In the Client ID field, type a string for the system to send in the Network Access Server(NAS)-Identifier RADIUS attribute.

8. Click Finished.

You now have a RADIUS configuration object that a RADIUS profile can reference.

Creating a custom RADIUS profile

The next task in configuring RADIUS-based remote authentication on the BIG-IP® system is to create acustom RADIUS profile.





4. Select RADIUS from the Type list.

5. Select radius in the Parent Profile list.

6. Select the RADIUS configuration object that you created from the Configuration list.

7. Click Finished.

The custom RADIUS profile appears in the Profiles list.

Task summary for RADIUS authentication of application traffic

197





The final task in the process of implementing authentication using a remote RADIUS server is to assignthe custom RADIUS profile to a virtual server that is configured to process HTTP traffic (that is, a virtualserver to which an HTTP profile is assigned).




4. For the Authentication Profiles setting, in the Available field, select a custom RADIUS profile, andusing the Move button, move the custom RADIUS profile to the Selected field.


The virtual server is assigned the custom RADIUS profile.

198


Chapter

35

Configuring Remote SSL LDAP Authentication

Topics:

• Overview of remote SSL LDAPauthentication for application traffic

• Task Summary

Overview of remote SSL LDAP authentication for application traffic




Task Summary

To configure remote authentication for SSL LDAP traffic, you must create a configuration object and aprofile that correspond to the type of authentication server you are using to store your user accounts.

Task list

Creating an LDAP Client Certificate SSL configuration object

Creating a custom SSL Client Certificate LDAP profile

Modifying a virtual server for SSL Client Certificate LDAP authorization

Creating an LDAP Client Certificate SSL configuration object

An SSL Client Certificate LDAP configuration object specifies information that the BIG-IP system needsto perform the remote authentication. This configuration object is one of the required objects you need toimpose certificate-based access control on application traffic.



3. Click Create.

4. In the Namefield, type a unique name for the configuration object, such asmy_ssl_ldap_config.

5. From the Type list, select SSL Client Certificate LDAP.

6. In the Hostsfield, type an IP address for the remote LDAP authentication server storing the authenticationdata, and click Add.The IP address appears in the Hosts area of the screen.

200


7. Repeat the previous step for each LDAP server you want to use.

8. From the Search Type list, select one of the following:

DescriptionOptions

Choose this option if you want the system to extract a user name from theclient certificate and search for that user name in the remote LDAP database.

User

Choose this option if you want the system to search for an existinguser-certificate mapping in the remote LDAP database.

Certificate Map

Choose this option if you want the system to search for a certificate stored inthe user's profile in the remote LDAP database.

Certificate

9. Click Finished.

You now have a configuration object that an SSL Client Certificate LDAP profile can reference.

Creating a custom SSL Client Certificate LDAP profile

The next task in configuring LDAP-based remote authentication on the BIG-IP®system is to create a customSSL Client Certificate LDAP profile.






5. Select SSL Client Certificate LDAP from the Type list.

6. Select ssl_cc_ldap in the Parent Profile list.

7. Select the name of a LDAP configuration object from the Configuration list.

8. Click Finished.

The custom SSL Client Certificate LDAP profile appears in the Profiles list.

Modifying a virtual server for SSL Client Certificate LDAP authorization

The final task in the process of implementing authorization using a remote LDAP server is to assign thecustom SSL Client Certificate LDAP profile and a default LDAP authentication iRule to a virtual serverthat is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).


2. Click the name of a Standard-type virtual server to which an HTTP server profile is assigned.


4. For the Authentication Profiles setting, in the Available field, select a custom SSL Client CertificateLDAP profile, and using the Move button, move the custom SSL CLient Certificate LDAP profile tothe Selected field.


201


The virtual server is assigned the custom SSL Client Certificate LDAP profile.

202


Chapter

36

Configuring Remote SSL OCSP Authentication

Topics:


• Task Summary





Task Summary

To configure remote authentication for this type of traffic, you must create a configuration object and aprofile that correspond to the type of authentication server you are using to store your user accounts.

When implementing an SSL OCSP authentication module, you must also create a third type of object. Thisobject is referred to as an OCSP responder.

Task list

Creating an SSL OSCP responder object for authenticating application traffic remotely

Creating an SSL OCSP configuration object for authenticating application traffic remotely

Creating a custom SSL OCSP profile

Modifying a virtual server for SSL OCSP authentication

Creating an SSL OSCP responder object for authenticating application traffic remotely

An SSL OCSP responder object is an object that you create that includes a URL for an external SSL OCSPresponder. You must create a separate SSL OCSP responder object for each external SSL OCSP responder.


2. From the Authentication menu, choose OCSP Responders.

3. Click Create.

4. In the Namefield, type a unique name for the responder object, such asmy_ocsp_responder.

204


5. In the URL field, type the URL that you want the BIG-IP system to use to contact the Online CertificateStatus Protocol (OCSP) service on the responder.

6. In the Certificate Authority File field, type the name of the file containing trusted Certificate Authority(CA) certificates that the BIG-IP system uses to verify the signature on the OCSP response.

You now have a responder that the SSL OCSP configuration object can reference.

Creating an SSL OCSP configuration object for authenticating application traffic remotely

The BIG-IP system configuration must include at least one SSL OCSP responder object.

An SSL OCSP authentication module checks the revocation status of an SSL certificate during remoteauthentication, as part of authenticating that certificate.



3. Click Create.

4. In the Namefield, type a unique name for the configuration object, such asmy_ocsp_config.

5. From the Type list, select SSL OCSP.

6. For the Responders setting, select a responder server name from the Available list, and using the Movebutton, move the name to the Selected list.

7. Click Finished.

You now have an SSL OCSP configuration object that an SSL OCSP profile can reference.

Creating a custom SSL OCSP profile

The next task in configuring SSL OCSP-based remote authentication on the BIG-IP® system is to create acustom SSL OCSP profile.





4. Select SSL OCSP from the Type list.


6. Select an SSL OCSP configuration object from the Configuration list.

7. Select ssl_ocsp in the Parent Profile list.

8. Click Finished.

The custom SSL OCSP profile appears in the Profiles:Authentication:Profiles list.

Modifying a virtual server for SSL OCSP authentication

The final task in the process of implementing SSL OCSP authentication is to assign the custom SSL OCSPprofile to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which anHTTP profile is assigned).

205





4. For the Authentication Profiles setting, in the Available field, select a custom SSL OSCP profile, andusing the Move button, move the custom SSL OSCP profile to the Selected field.


The virtual server is assigned the custom SSL OSCP profile.

206


Chapter

37

Configuring Remote TACACS+ Authentication

Topics:


• Task Summary





Task Summary


Task list

Creating a TACACS+ configuration object

Creating a custom TACACS+ profile

Modifying a virtual server for TACACS+ authentication

Creating a TACACS+ configuration object

A TACACS+ configuration object specifies information that the BIG-IP system needs to perform the remoteauthentication. For example, the configuration object specifies the IP address of the remote TACACS+server.



3. Click Create.

4. In the Namefield, type a unique name for the configuration object, such asmy_tacacs_config.

5. From the Type list, select TACACS+.

6. For the Servers setting, select a server name in the Available list, and using the Move button, move thename to the Selected list.

208


7. In the Secret field, type the secret key used to encrypt and decrypt packets sent or received from theserver.

Do not use the pound sign ( # ) in the secret for TACACS+ servers.

8. In the Confirm Secret field, re-type the secret you specified in the Secret field.

9. From the Encryption list, select an encryption option:

DescriptionOptions

Choose this option if you want the system to encrypt the TACACS+packets.

Enabled

Choose this option if you want the system to send unencrypted TACACS+packets.

Disabled

10. In the Service Name field, type the name of the service that the user is requesting to be authenticatedfor use; typically, ppp.

Specifying the service enables the TACACS+ server to behave differently for different types ofauthentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell,tty-daemon, connection, system, and firewall.

11. In the Protocol Name field, type the name of the protocol associated with the value specified in theService Name field.

This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, stalk,vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, andunknown.

12. Click Finished.

You now have a configuration object that a TACACS+ authentication profile can reference.

Creating a custom TACACS+ profile

The next task in configuring TACACS+-based remote authentication on the BIG-IP® system is to create acustom TACACS+ profile.





4. Select TACACS+ from the Type list.

5. Select tacacs in the Parent Profile list.

6. Select the TACACS+ configuration object that you created from the Configuration list.

7. Click Finished.

The custom TACACS+ profile appears in the Profiles list.

209


Modifying a virtual server for TACACS+ authentication

The final task in the process of implementing authentication using a remote TACACS+ server is to assignthe custom TACACS+ profile and an existing default authentication iRule to a virtual server that is configuredto process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).




4. For the Authentication Profiles setting, in the Available field, select a custom TACACS+ profile, andusing the Move button, move the custom TACACS+ profile to the Selected field.


The virtual server is assigned the custom TACACS+ profile.

210


Chapter

38

Configuring Kerberos Delegation

Topics:


• Task Summary





Task Summary


Task list

Creating a Kerberos Delegation configuration object

Creating a Kerberos delegation profile object from the command line


Creating a virtual server with Kerberos delegation and Client SSL profiles

Creating a Kerberos Delegation configuration object

Use this procedure to create a configuration object for Kerberos delegation.



3. Click Create.

4. In the Namefield, type a unique name for the configuration object, such asmy_kerberos_config.

5. From the Type list, select Kerberos Delegation.

6. For the Enable Protocol Transition setting, retain the default value (cleared) or check the box.

7. In the Client Principal Name field, type the name of the client principal, using the format HTTP/[name],where name is the name of the virtual server you created to use here.

212


This principal might be in a different domain from the server principal. If so, you should use thedomaintool(1) utility to create this principal, because the client principal must have the OK toDelegate flag checked in the Microsoft Windows domain.

8. In the Server Principal Name field, type the name of the server principal (the back-end web server),using the format HTTP/[fqdn], where fqdn is the fully-qualified domain name.

This principal might be in a different domain from the client principal. If so, you should use thedomaintool(1) utility to add the domain. Also, you probably need to use the --dnsdomain optionto set up DNS-to-Kerberos realm mappings.

9. Click Finished.

Creating a Kerberos delegation profile object from the command line

You can create the Kerberos delegation profile object from the command line.

Set a cookie name and strong password for the cookie encryption key on the profile.In this example, the cookie name is kerbc and the key is kerbc: create profile authmy_kerberos_profile { configuration my_kerberos_config cookie-name kerbc

cookie-key kerbc defaults-from krbdelegate }

Note: The Cookie Key value is an encryption key that encrypts cookie data. A default value issupplied; however, you should change the default value so that attackers who know this valuecannot decrypt cookie data and impersonate trusted users.

The Kerberos delegation profile object is available.













213




8. Click Finished.


Creating a virtual server with Kerberos delegation and Client SSL profiles

You can create a virtual server with Kerberos delegation and Client SSL profiles.








7. From the Type list, select Standard.

8. From the Protocol list, select TCP.


10. From the SSL Profile (Client) list, select a custom Client SSL profile.

11. For the Authentication Profiles setting, in the Available field, select a custom Kerberos delegation,and using the Move button, move the custom Kerberos delegation to the Selected field.

12. From the Default Pool list, select a pool name.

13. Click Finished.

The virtual server with Kerberos delegation and Client SSL profiles appears in the Virtual Server list.

214


Chapter

39

Load Balancing Diameter Application Requests

Topics:

• Overview: Diameter load balancing• Task summary

Overview: Diameter load balancing

An optional feature of the BIG-IP® system is its ability to load balance and persist requests that applicationssend to servers running Diameter services. The BIG-IP system can also monitor each server to ensure thatthe Diameter service remains up and running.

Task summary

You implement Diameter load balancing by creating various local traffic objects in an administrativepartition.

Task list

Creating a custom Diameter profile

Creating a custom Diameter monitor

Creating a pool to manage Diameter traffic

Creating a virtual server to manage Diameter traffic

Creating a custom Diameter profile

The first task in configuring Diameter load balancing on the BIG-IP® system is to create a custom Diameterprofile.

1. On the Main tab, click Local Traffic > Profiles > Services > Diameter .The Diameter profile list screen opens.

2. Click Create.The New Diameter Profile screen opens.



4. Click Finished.

The custom Diameter profile appears in the New Diameter Profile list.

Creating a custom Diameter monitor

After you create a Diameter profile, you can create a custom Diameter monitor. The purpose of the Diametermonitor is to monitor the health of all servers running the Diameter service.

1. On the Main tab, click Local Traffic > Monitors.

2. Click Create.

3. In the Name field, type a unique name for the monitor, such as my_diameter_monitor.

4. From the Type list, select Diameter.

5. Retain the default values for all other settings.

6. Click Finished.

216


Creating a pool to manage Diameter traffic

The next step in a basic Diameter load balancing configuration is to define a load balancing pool that containsDiameter servers as its members.








6. Click Finished.

The pool is configured to manage Diameter servers as pool members.

Creating a virtual server to manage Diameter traffic

The final task in configuring Diameter load balancing is to define a virtual server that references the customDiameter profile and Diameter pool that you created in previous tasks.







6. From the Diameter Profile list, select a profile.


8. Click Finished.

The virtual server that references the custom Diameter profile and Diameter pool appears in the VirtualServer list.

217


218


Index

A

adaptive connection reapingconfiguring 184

address mapping, about IPv6 to IPv4 176address prefixes

advertising 166administrative partitions

creating 78allow-transfer statement, modifying for zone file transfers 172application traffic

isolating on network 78attacks

mitigating 180authentication

direct client-to-server 102of clients and servers 102with CRLDP 188with Kerberos delegation 212

B

bigdb keysfor nPath routing 47

BIG-IP monitor type 41BIG-IP system

installing on same network 62

C

certificatesrequesting from CAs 96

client-server authentication 102client-side authentication 96Client SSL profiles

creating 85, 91, 97, 102Code Red attacks

preventing with iRules 180compression profiles

configuring 116configuration synchronization

syncing to group 41connection reaping

configuring 184connections

and VM migration 36creating pools for 56, 86, 98, 108, 113dropping 42preserving 37queuing TCP connection requests 162

connection thresholds 186connection timers

setting 185

contentdefining with queries 31

content-based routingabout 30creating profile 31viewing statistics 34

control channel optimization 139cookie persistence

about 112cookie profiles

creating 112CRLDP authentication

configuring 188CRLDP configuration objects

creating 188custom DNS profiles

enabling DNS Express 171custom FTP monitors

and FTP load balancing 130, 137creating 130, 137

custom monitorscreating 159

D

datacenter topologyexample of 62

data channel optimization 139DDoS attacks, about mitigating 170default route

setting 63default routes 44denial-of-service attacks

filtering 180mitigating 180tasks for 184types of 180

denial-of-service-attackstypes of 181

destination IP addressescreating for HTTP traffic 109

DHCP lease expiration 151DHCP virtual servers

implementation results 148, 151overview of 150overview of managing 146tasks for 147, 150

Diameter configurationtasks for 216

Diameter monitorscreating 216

Diameter serversmonitoring 216

219

Index

Diameter service requestsload balancing 216

DNS Expressabout 170enabling 171

DNS Express profilesassigning to virtual servers 172

DNS Express TSIG key, creating 170DNS Express zones

and statistics 173creating 171

DNS profilesand IPv6 to IPv4 mapping 178assigning to virtual servers 178customizing to handle IPV6 to IPv4 address mapping 176enabling DNS Express 171

DNS serversand custom DNS Express profiles 172configuring to allow zone file transfers 172

Dos attack prevention 180DoS attacks, See denial-of-service attacksdownstream nodes

auto-configuring 166

E

eCommerce trafficload balancing 56

EtherIP configuration results 42EtherIP profile type

and self IP addresses 38purpose of 38

EtherIP protocol 36EtherIP tunneling 37EtherIP tunnels

and self IP addresses 38defined 36purpose of 38

external filesand iRules 142

external switchesincorporating into network 68

F

Fast L4 profilescreating for L2 nPath routing 46

file import 142, 143files

importing 143file transfers, See zone file transfers. 172FTP configuration

tasks for 130, 136FTP load balancing

and custom FTP monitors 130, 137FTP passive mode 130, 136FTP profiles 130

creating 136FTP traffic optimization 139

G

global address prefixesadvertising 166

H

health monitoringdescribed 158

health monitorsassigning to pools 69, 73, 80, 104, 159, 213described 158

high-water mark thresholds 184HTTP compression

configuring 116enabling 116

HTTP compression tasksoff-loading from server 116

HTTP profilescreating 85, 91, 97

HTTP responsescompressing 116

HTTPS configuration results 87, 99HTTPS traffic management

overview of 84, 96HTTP traffic

using cookie persistence 112using source address persistence 108

I

ifile commands 142iFiles

creating 143imported files

listing 143interfaces

tagging 69, 79IP address expiration 151IPv4-only servers

and mapping to IPv6-only clients 176passing traffic from IPv6-only clients 178

IPv4-to-IPv6 gatewaysconfiguring 166

IPv6 addressesload balancing to 166

IPv6-only clientsabout mapping to IPv4-only servers 176passing traffic to IPv4-only DNS servers 178

IPv6 routing and solicitation messages 166IPv6 to IPv4 mapping

and DNS profiles 176, 178configuring virtual servers 178

iRule commandsfor iFiles 142

iRule events 33, 143, 144iRule queries 33iRules

and external files 142and iFiles 143

220

Index

iRules (continued)and XML routing 33for attack prevention 180

iSession tunnelsdefined 36

K

Kerberos configuration objectscreating 212

L

LDAP protocol 192, 200live migration

and existing connections 37of virtual machines 36

load balancingand monitors 158

local pool membersload balancing to 36

loopback interfacefor nPath routing 47

low-water mark thresholds 184

M

MAC framestunneling 36

matching criteriadefining 31

memory utilizationand connection thresholds 184

mitigation of DDos attacks 170monitors

assigning to pools 69, 73, 80, 104, 159, 213for EtherIP tunneling 41for health checking 158for performance 158

monitor types 158

N

namespacesadding 31

network securityprotecting 180

network topologyfor one-IP configuration 154

Nimda worm attackpreventing with iRules 180

nPath routingand inbound traffic 47and server pools 46configuring for L3 50defined for L2 44defined for L3 50example 51for TCP and UDP traffic 45

O

OCSP protocol 204, 205OCSP responders

creating 204one-IP network topology

illustration of 154outgoing traffic

and L2 nPath routing 44and L3 nPath routing 50

P

packetsdiscarding 180

parametersfor request logging 125

partitions, See administrative partitionsperformance monitors

assigning to pools 69, 73, 80, 104, 159, 213described 158

pool membersas virtual machines 36

poolscreating 69, 73, 80, 104, 159, 213creating for DHCP servers 147creating for FTP traffic 132, 138creating for HTTP 32creating for HTTP traffic 56, 86, 98, 108, 113creating load balancing 21, 24, 166creating to manage Diameter traffic 217creating with request logging 120for HTTPS traffic 57, 92for HTTP traffic 155for L2 nPath routing 46for L3 nPath routing 50

profilecreating XML 31

profiles 38See also EtherIP profile type.creating CRLDP 189creating custom Fast L4 46creating custom SSL OCSP 205creating Diameter 216creating DNS 176creating for client-side SSL 85, 91, 97, 102creating for DNS Express 171creating for FTP 136creating for HTTP 85, 91, 97creating for server-side SSL 103creating LDAP 193creating RADIUS 197creating Server SSL 92creating SSL Client Certificate LDAP 201creating TACACS+ 209for cookie persistence 112for EtherIP tunneling 38for FTP traffic 130, 136for IPIP encapsulation 50for L3 nPath routing 50

221

Index

profiles (continued)See also EtherIP profile type.

Proxy SSL featureand Server SSL profiles 103described 102

R

RADIUS protocol 197RADIUS server objects

creating 196radvd service

configuring 166for IPv4-to-IPv6 gateways 166

remote CRLDP configurationtasks for 188

remote Kerberos configurationtasks for 212

remote LDAP configurationtasks for 192

remote pool membersload balancing to 36

remote RADIUS configurationtasks for 196

remote server authenticationand CRLDP protocol 188and Kerberos protocol 212and LDAP protocol 192and OCSP protocol 204and RADIUS protocol 196and SSL LDAP protocol 200and TACACS+ protocol 208

remote SSL LDAP configurationtasks for 200

remote SSL OCSP configurationtasks for 204

remote TACACS+ configurationtasks for 208

remote traffic authenticationwith CRLDP 188with Kerberos delegation 212

request loggingcode elements 125

request logging profilecreating 121deleting 123enabling for requests 121enabling for responses 122overview 120settings 123task summary 120

resource consumption 180responders

creating for OCSP 204route domains

about 76adding routes for 81and IPv6 addressing 166creating 80tasks for 78

routesand route domains 81defining default 156setting for inbound traffic 47

routingand XML content 30based on XML content 31

routing statisticsfor XML content 34

S

securityof network 180

self IP addressesand VLAN groups 40, 64creating 39, 40, 64for default route domains 79removing from VLANs 63

self IPsand VLANs 39

self-signed certificatescreating 84, 90for HTTPS traffic 84

server poolsfor L2 nPath routing 46

Server SSL profilescreating 103

SNATsconfiguring client 156

source address persistenceabout 108

SSL authenticationconfiguration results 93, 105

SSL encryptionconfiguration results 93, 105

SSL encryption/decryptionwith Proxy SSL feature 102

SSL OCSP authentication 204, 205SSL profiles

creating 102statistics

for XML routing 34viewing for DNS Express zones 173

switch configurationtasks for 68

switchesincorporating into network 68

SYN Check thresholdactivating 186

SYN Flood attacks 180

T

TACACS+ protocol 208tagged interfaces

configuring 69, 79for web hosting 72

Tcl variables 33

222

Index

TCP connection timerssetting 185

TCP requestsqueueing overview 162

TCP trafficand nPath routing 45

timerssetting 185

traffic distribution 56traffic forwarding

automating 33TSIG key, creating for DNS Express 170

U

UDP connection timerssetting 185

UDP trafficand nPath routing 45

untagged interfacesfor web hosting 73

V

virtual addressesand loopback interface 47

Virtual Location monitorscreating 41defined 36, 41

virtual machinesand pool members 36migrating 37

virtual serversand connection limits 186and cookie persistence 113and IPv6 to IPv4 mapping 178applying a rate class 185assigning a Request Logging profile 122assigning DNS Express profiles 172assigning DNS profiles 178creating 21, 81, 160creating DHCP relay type 147creating for application traffic 104creating for Diameter traffic traffic 217creating for FTP traffic 132, 139creating for HTTP compression 117creating for HTTPS traffic 58, 86, 93, 98creating for HTTP traffic 58creating for IPv6 nodes 167creating for Kerberos delegation 213creating for one-IP network 64creating for web hosting 70, 74, 155creating with Kerberos and SSL 214DHCP relay type overview 146DHCP renewal 150for DHCP renewal 151for inbound traffic 25for L2 nPath routing 44, 46for L3 nPath routing 50for outbound traffic 26

virtual servers (continued)modifying for CRLDP authentication 189modifying for LDAP authentication 193modifying for RADIUS authentication 198modifying for SSL Client Certificate LDAP authorization 201modifying for SSL OCSP authentication 205modifying for TACACS+ authentication 210passing traffic between IPv6-only clients and IPv4-only DNSservers 178setting connection limits on 186

Virtual serverscreating for HTTP traffic 109

VLAN externalcreating self IP addresses for 26

VLAN groupsand self IP addresses 40, 64creating 39, 63

VLANsand self IP addresses 39creating 37creating with tagged interfaces 69, 79creating with untagged interfaces 73enabling SNAT automap 26for eCommerce traffic 56removing self IP addresses 63

VMware vMotion 36

W

web customershosting 68

web hostingtasks for 68, 72with no external switch 72with route domains 78

web serversload balancing to 64

wide area networksand live migration 36

X

XML contentrouting 30

XML content-based routingand traffic forwarding 33

XML profilecreating 31

XML routingexample of 33

XPath queriescreating 31rules for writing 31

Z

zone file transfers, and configuring DNS servers 172zones

creating for DNS Express 171

223

Index

224

Index

Documents

BIG-IP Local Traffic Manager Implementations