BIG-IP® LTM V10 Essentials Web-Based Training Lab Guide

F5 Networks Training

12/12/2012

© 2012 F5 Networks, Inc.


BIG-IP LTM V10 Essentials

Web-based Training Student Lab Guide

Fourth Printing December 2012

This Lab Guide was written for BIG-IP LTM version 10.2.4. The lecture portions of the LTM Essentials web-based training were written for version 10.0.1. Because F5 feels it is important to perform the hands-on labs on a current version of BIG-IP, the Lab Guide is updated more frequently than the lecture portions. Most of the concepts discussed in the lecture portion and lab steps in the lab guide apply to previous versions of BIG-IP LTM.

© 2012, F5 Networks, Inc. All rights reserved.

Support and Contact Information

Obtaining Technical Support

Web tech.f5.com (Ask F5)

Phone (206) 272-6888

Email (support issues) [email protected]

Email (suggestions) [email protected]

Contacting F5 Networks

Web www.f5.com

Email [email protected] & [email protected]

F5 Networks, Inc. (Corporate Office): 401 Elliott Avenue West, Seattle, Washington 98119; T (888) 88BIG-IP, T (206) 272-5555, F (206) 272-5557; [email protected]

F5 Networks, Ltd. (United Kingdom): Chertsey Gate West, Chertsey Surrey KT16 8AP, United Kingdom; T (44) 0 1932 582-000, F (44) 0 1932 582-001; [email protected]

F5 Networks, Inc. (Asia Pacific): 5 Temasek Boulevard, #08-01/02 Suntec Tower 5, Singapore, 038985; T (65) 6533-6103, F (65) 6533-6106; [email protected]

F5 Networks, Inc. (Japan): Akasaka Garden City 19F, 4-15-1 Akasaka, Minato-ku, Tokyo 107-0052 Japan; T (81) 3 5114-3200, F (81) 3 5114-3201; [email protected]


Legal Notices

Copyright

Copyright 2012, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5

assumes no responsibility for the use of this information, nor any infringement of patents or other

rights of third parties which may result from its use. No license is granted by implication or otherwise

under any patent, copyright, or other intellectual property right of F5 except as specifically described

by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks

3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication,

Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud

Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DSI, DNS

Express, DSC, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN],

F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global

Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6

Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your

way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security

Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real

Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express,

TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction,

UNITY, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM,

and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other

countries, and may not be used without F5's express written consent. All other product and company

names herein may be trademarks of their respective owners.

Materials

The material reproduced on this manual, including but not limited to graphics, text, pictures,

photographs, layout and the like ("Content"), are protected by United States Copyright law.

Absolutely no Content from this manual may be copied, reproduced, exchanged, published, sold or

distributed without the prior written consent of F5 Networks, Inc.

Patents

This product may be protected by U.S. Patents 6,311,278, 6,327,242, 6,374,300, 6,405,219,

6,473,802, 6,505,230, 6,640,240, 6,772,203, 6,970,933, 6,889,249, 7,047,301, 7,051,126, 7,102,996,

7,113,962, 7,114,180, 7,126,955, 7,146,354, 7,197,661, 7,206,282, 7,286,476, 7,287,084, 7,296,145,

7,296,263, 7,308,475, 7,343,413, 7,346,695, 7,349,391, 7,355,977, 7,376,967, 7,383,288, 7,395,349,

7,409,440, 7,409,460, 7,430,755, 7,441,045, 7,461,290, 7,472,413, 7,487,253, 7,490,162, 7,493,383,

7,505,455, 7,509,322, 7,512,673, 7,552,191, 7,558,848, 7,562,110, 7,567,573, 7,580,353, 7,590,625,

7,606,912, 7,639,700, 7,640,347, 7,640,580, 7,650,392, 7,657,618, 7,676,828, 7,697,427, 7,702,809,

7,705,829, 7,707,182, 7,707,287, 7,707,289, 7,710,867, 7,752,400, 7,768,823, 7,774,484, 7,774,835,

7,783,781, 7,788,335, 7,822,839, 7,826,487, 7,831,712, 7,882,084, 7,916,728, 7,916,730, 7,921,282,

7,945,678, 7,953,838, 7,958,222, 7,958,347, 7,975,025, 7,996,886, 8,004,971, 8,005,953, 8,010,668,

8,015,314, 8,024,443, 8,024,483. Other patents may be pending. This patent list is complete as of

January 10, 2012.


Table of Contents

Lab Instructions
    Introduction
    Connecting to the F5 Training Lab
    F5 Training Lab Network
    F5 Training Lab Limitations

Lab 1: Initial Setup
    Lab – Setup Utility
    Lab – Configuration Utility
    Lab – Configuration Backup

Lab 2: Traffic Processing
    Lab – Virtual Servers - Pools
    Lab – Create an HTTPS Virtual Server
    Lab – Network Map

Lab 3: Load Balancing
    Labs – Round Robin
    Labs – Ratio Load Balancing
    Labs – Priority Group Activation

Lab 4: Monitors
    Lab – Monitors for Nodes
    Lab – Monitors for Pools and Members Lab #1 and 2

Lab 5: Profiles
    No Lab for this Course Module

Lab 6: Persistence
    Lab – Source Address Persistence
    Lab – Cookie Persistence
    Lab – Disabled Members

Lab 7: SSL Termination
    Lab – Client SSL Termination

Lab 8: NATs and SNATs
    Lab – NAT Lab
    Labs – SNAT Labs

Lab 9: iRules
    Labs – iRules Lab #1
    Labs – iRules Lab #2

Lab 10: Redundant Pair setup
    Lab – Environment does not support Redundant pair

Lab 11: High Availability
    Lab – Environment does not support High Availability

Configuration Lab Project
    Lab – Configuration Project

Appendix A – High Availability
    Steps to configure High Availability

Introduction

Welcome to the BIG-IP LTM Essentials Web-Based Training Course Student Lab Guide. The purpose of the BIG-IP LTM Essentials course is to introduce the basic information you need to set up and operate the BIG-IP Local Traffic Manager (LTM) from F5 Networks. The purpose of this Lab Guide is to provide all the information and exercises you need to work directly with a BIG-IP LTM system and solidify the concepts you have learned in the associated Web-based training modules.

The hands-on lab exercises included in this course are critically important to your learning. These exercises are especially helpful if you can do them as soon as possible after completing the associated training module. Therefore, we recommend the following approach:

After completing the training module, move into the lab exercises. Be sure to complete the entire exercise, including the review questions at the end.

There are eleven lecture modules in this course, each one taking approximately thirty minutes to complete. Nine of the lecture topics include corresponding lab sections. To complete the entire course, including modules and labs, will take you about fourteen hours.

In addition to the lab exercises, this guide contains other useful information. Appendix A provides steps to configure High Availability in BIG-IP version 10.

We hope you enjoy learning with these lab exercises!


Connecting to the F5 Training Lab Environment

PLEASE NOTE: This lab is not a test environment and is strictly for use by students taking the BIG-IP LTM Essentials Web-Based Training (WBT) course. Your user ID will be time limited and you will be cut off after 2 hours of connect time.

1. After logging in to F5 University, download the Lab Guide.
2. Run the connectivity checker. The Java Runtime player is a one-time install.
3. Click Create a Lab Session.
4. You should receive the following message: “Your virtual lab environment has been created…”
5. Open your email and you should see: “F5 University Lab is Available”. If it is not in your inbox, check your “Junk Email.”
6. In the email, scroll down and copy the unique password.
7. Click the link Connect to your lab environment.
8. Paste your password and click submit.
9. Your SmartClient should be in the “Running” state. If not, be patient. Depending on system usage, it can take between 2 and 5 minutes to change from the “Busy” state to “Running”.
10. Click the Management Ubuntu Client icon and begin your lab.

An alternative method is available: you can use the RDP (Remote Desktop) Client. Refer to your email, and click on the RDP icon to launch.


Navigation Tips

To access the Management IP Address of the BIG-IP, click the Firefox Web Browser. This Configuration Utility is the main method you will use in this course. It is often referred to as the “GUI”.

To access the Command Line Utility, click the PuTTY SSH Client icon. It is often referred to as the “CLI”.

To access the Linux Terminal, click Terminal. If needed, you can ping the other devices on the network to ensure connectivity.

To access the current Lab Guide and FAQ, click Home Folder. You can open the current Lab Guide and FAQ (Frequently Asked Questions).

Keep track of your time with this 2-hour timer.

To toggle between the Firefox Web Browser and the PuTTY SSH Client:

Minimize the Firefox Web Browser and click the PuTTY SSH icon to access the Command Line Utility.

To return to the Firefox Web Browser:

Click the Firefox Web Browser icon. In other words, you can click on the icons to toggle between the different applications.

Lab Login Information:

Account                               Login     Password
BIG-IP Configuration Utility (GUI)    admin     admin
BIG-IP Command Line (CLI)             root      default
Ubuntu Client                         student   student

In the Lab Instructions, you are often instructed to:

Open a new browser session on your PC and point it to the virtual server at http://10.10.1.100.

To do this, click the + icon and Open a new tab as indicated below:

General Information

1. Each lab starts assuming an un-configured BIG-IP and then instructs you to restore a UCS backup file that was captured at the end of the previous lab.
2. You can only enter the F5 Training Lab environment from the links within F5 University.
3. You can leave at any time by exiting out.
4. The system will time out after 2 hours.
5. To begin again, you will have to create a new Lab Session within F5 University.

Timer

You can turn on the timer to help you track your time.

Click the alarm clock icon.
From the Alarms menu, click the check mark.
Click X to Exit.

Current Lab Guide & FAQ

To obtain the most current version of the Lab Guide and Frequently Asked Questions from the shared folder:

Click the shared folder icon.
Click the shared folder in the left column.
If you get this error, click OK and try again.
Click to select the FAQ or Lab Guide PDF.

The F5 Training Lab Network

1. You will be connected to a Ubuntu desktop that will be used to administer your BIG-IP and as the client machine to drive traffic through BIG-IP LTM.
2. Your Windows virtual machine has both a 192.168.1.30/24 and a 10.10.1.30/16 IP Address configured for the lab network shown below.
3. There is already a Management IP Address set on your BIG-IP to 192.168.1.31/24, and we will set up the other 10.10 External and 172.16 Internal IP Addresses in Lab #1.
4. There are also three servers configured at 172.16.20.1, 172.16.20.2 and 172.16.20.3. You will not be able to access these servers directly from your Windows client machine but these are the servers to which we will load balance traffic starting in Lab #2.

F5 Training Lab limitations

1. The F5 Training Lab is running in a virtual lab environment and therefore does not have all hardware features of BIG-IP available. For instance, you will not have a serial console connection to your BIG-IP.
2. This lab environment only supports BIG-IP LTM, no other F5 products or BIG-IP modules like GTM or ASM.
3. This lab environment has only been tested with the lab steps in this lab guide. If you do not follow the steps in this lab guide, results will vary.

Module 1 Lab – Initial Setup and Access

Initial Setup Labs

Objective:

Perform initial setup of the BIG-IP LTM System

Explore the Web Configuration Utility

Make a backup of the BIG-IP System

Estimated Time: 30 minutes

LAB CONFIGURATION


Setup Utility Lab

Objective:

Run the Setup Utility and configure system access parameters

Estimated time for completion: 20 minutes

Lab Requirements:

Reachable IP address on the management port

Valid License for the BIG-IP LTM Systems

Administration system with an IP address on the BIG-IP LTM’s network

Current BIG-IP Settings

At this point, your BIG-IP system should already be licensed and the management port address set to the IP Address of 192.168.1.31/24.

PC Configuration

Your PC is configured with two IP Addresses in order to reach both the Management and client networks once they are configured on your BIG-IP.

PC Mgmt IP Address: 192.168.1.30/16
PC Client IP Address: 10.10.1.30/16

Access the BIG-IP LTM System

1. Click the Management Ubuntu Client.

2. Click the Firefox Web Browser. When prompted, log in as admin with a password of admin.

Licensing Steps

1. You should first see the Setup Utility Welcome screen. Click Next.
2. Normally, you would need to license your BIG-IP System. For these labs, the systems should already be licensed. Review the features that are licensed and then click Next.

Provisioning Steps

1. The second screen should be Provisioning. Verify that Local Traffic (LTM) is set to Nominal, any other products are set to None (Disabled) and then click Next.

Setup Utility

1. Within the General Properties section, specify the following:

IP Address: 192.168.1.31

Network Mask: 255.255.0.0

Management Route: 192.168.255.254

Host Name: bigip1.f5trn.com

Host IP Address: Use Management Port IP Address

High Availability: Redundant Pair

Unit ID: 1

Time Zone: America/Los Angeles

2. Within the User Administration section, specify the following:

Root Account Password: default

Root Account Confirm: default

Admin Account Password: admin

Admin Account Confirm: admin

SSH Access: Enabled

SSH IP Allow: * All Addresses

3. Click Next.

NOTE: When you type in the admin password field you will be required to log back into the system whether the password has been changed or not.

Once this first step of administrative access has been configured, you can configure self-IP addresses and VLANs. We will choose the Basic Network Configuration option, which will step through creating two VLANs, internal and external, and their IP addresses and interfaces. Each self IP will be assigned Port Lockdown settings. Port lockdown limits administrative access to the self IP addresses. Because we have configured the system as a redundant pair, Allow Default should be selected for Port Lockdown on self IPs of the internal VLAN to ensure the systems will be able to communicate.

Because we have configured the system as a redundant pair, the administrator will also be prompted for a partner address and a floating IP address for each VLAN. Generally, the partner address should be an address on the internal VLAN to minimize security concerns. Floating addresses are shared between the systems and used by the system that is currently active. These concepts are discussed in the Redundant Pair module.

4. Select the Basic Network Configuration option by clicking Next, then specify the following:

Internal Network Settings

Self-IP Address: 172.16.1.31
Self-IP Netmask: 255.255.0.0
Self-IP Port Lockdown: Allow Default
Floating IP Address: 172.16.1.33
Floating IP Port Lockdown: Allow Default
Failover Peer: 172.16.1.32

Internal VLAN Configuration

VLAN Name: internal (Read Only)
VLAN Tag ID: Auto
VLAN Interfaces: Untagged – Port 1.2

5. Click the Next button to configure the External VLAN, then specify the following:

External Network Settings

Self-IP Address: 10.10.1.31
Self-IP Netmask: 255.255.0.0
Self-IP Port Lockdown: Allow 443
Default Gateway: Leave blank
Floating IP Address: 10.10.1.33
Floating IP Port Lockdown: Allow 443

External VLAN Configuration

VLAN Name: external (Read only)
VLAN Tag ID: Auto
VLAN Interfaces: Untagged – Port 1.1

6. Then click Finished.

7. Since we previously completed Licensing and Provisioning, we should reboot the BIG-IP so that our Licensing and Provisioning changes take effect. Select System / Configuration and click the Reboot box under Operations and click OK.

Once the Basic Network Configuration is complete, the Welcome screen from the Overview section appears. The administrator can choose to change many presentation options, enable SNMP including downloading the MIB, access F5’s knowledge database (Ask F5) or re-run the setup utility to change addresses or access methods.

Configuration Utility Lab

Objective:

Access both the Web Configuration utility and Command Line (SSH) utility for BIG-IP LTM system and get familiar with the interface

Estimated time for completion: 5 minutes

Lab Requirements:

External IP address of the BIG-IP LTM system

User ID and password of the BIG-IP LTM system’s Web Configuration Utility

User ID and password of the BIG-IP LTM system’s Command Line Interface

PC Configuration

Your PC is configured with two IP Addresses in order to reach both the Management and client networks once they are configured on your BIG-IP.

Mgmt IP Address: 192.168.1.30/24
Client IP Address: 10.10.1.30/16

The Web Configuration Utility

1. Open a browser window to https://10.10.1.31 to connect to the Web Configuration Utility (GUI).
2. Enter the user ID and password of admin / admin that you added during Setup.
3. Note the options available on the Welcome page.
4. Click on the Network section, then note what is set for the Interfaces, Self IPs, and VLANs options.

Command Line access (SSH)

1. Open an SSH session by clicking on the PuTTY icon and attempt to connect to the external IP Address of your BIG-IP System (10.10.1.31).
2. Notice that you are not able to access your BIG-IP LTM. This is because Port Lockdown for the external self-IP addresses defaults to Allow 443 only. Access to port 22 is prevented.
3. From the web GUI select Network / Self IPs and then click the 10.10.1.31 self IP Address.
4. Under Port Lockdown / Allow Custom List, click the Port radio button, enter 22 as the port, click Add, and then click Update.
5. Once port 22 has been added, you should be able to successfully use SSH to attach to your BIG-IP System. You may be prompted to accept the SSH key; do so. When the logon appears, enter root as the user ID and default as the password that you added during Setup.
6. If prompted for terminal type, select vt100. Enter the command: b self show
   What information is listed here?
7. Enter the command: b vlan show
   What information is listed here?
8. Enter the command: b interface show
   What information is listed here?

Verifying User Access

1. Log out of your SSH session.
2. Open a new SSH session and try to log in as the admin user. By default, you should not be able to get in as admin.
3. From the Web Configuration Utility select System / Users and then select the link for the admin User Name. Change the Terminal Access to Advanced Shell access, click Update, and then test SSH access with the admin user ID again.
4. Open a new browser window and try to log in using the root user ID. By default, you should not be able to get into the Web Configuration utility with the root user ID.

Configuration Backup Lab

Objective:

Create a backup of the BIG-IP System on both the BIG-IP and your desktop.

Estimated time for completion: 5 minutes

Lab Requirements:

External IP address of the BIG-IP LTM system

Saving a configuration

1. From the Navigation pane, click the System section.

2. Select Archives, then click Create.

3. Within the General Properties section, specify the following:

File Name Module1_End

Encryption Disabled

Private Keys Include

Version BIG-IP Version (read only)

4. When complete, click Finished.

5. When complete, an OK button will appear. Click OK or select Archives again.

6. Select Module1_End.ucs (the name is a link) and notice you can click Download to save a copy to your desktop. The Download option does not work in this F5 Training Lab environment but will in yours.
7. If desired, the file's contents can be viewed from the command line of your BIG-IP System. From an SSH session, perform the following:
   a. Make a new directory for this lab: mkdir /var/tmp/test/
   b. Change to the new directory: cd /var/tmp/test/
   c. Copy the backup to the new directory: cp /var/local/ucs/Module1_End.ucs .
   d. Decompress and extract the file: tar -xvzf Module1_End.ucs
      The resulting files show the directory structure and all files stored in the *.ucs file. Individual files can be viewed with cat, tail, more and other tools.
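
Step 3 of this lab creates the archive with Encryption set to Disabled and Private Keys set to Include, and step 7 unpacks it under /var/tmp. The shell functions below are an added example, not part of the original lab guide: they list which archive members carry PEM private-key headers without writing them to disk, and unpack the archive into a directory that only the invoking user can enter. The function names and the sample archive layout are constructed for illustration, and the archive is assumed to be an unencrypted gzip tar, as step 7d implies.

```shell
#!/bin/sh
# Added example, not part of the lab guide. Assumes the UCS archive is an
# unencrypted gzip-compressed tar, which is what `tar -xvzf` in step 7d implies.

# Print every archive member whose content has a PEM private-key header.
# Members are streamed to stdout (-O), so no key material is written to disk.
ucs_private_key_members() {
    archive=$1
    tar -tzf "$archive" | while IFS= read -r member; do
        case $member in
            */) continue ;;   # directory entry, nothing to scan
        esac
        if tar -xzOf "$archive" "$member" 2>/dev/null |
            grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----'; then
            printf '%s\n' "$member"
        fi
    done
}

# Succeed only if neither group nor others have read permission on the path.
path_is_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Unpack into a fresh directory and print its path. mktemp -d creates the
# directory with mode 0700, so other local users cannot reach the files
# inside it even when tar restores the modes recorded in the archive.
ucs_extract_private() {
    archive=$1
    (
        umask 077
        dest=$(mktemp -d "${TMPDIR:-/tmp}/ucs.XXXXXX") || exit 1
        tar -xzf "$archive" -C "$dest" || exit 1
        printf '%s\n' "$dest"
    )
}

# Build a small CONSTRUCTED archive for trying the functions offline. The
# file names and contents are made up and are not the real UCS layout.
make_sample_ucs() {
    work=$1
    mkdir -p "$work/src/config/ssl"
    printf 'hostname bigip1.f5trn.com\n' > "$work/src/config/base.conf"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$work/src/config/ssl/sample.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$work/src/config/ssl/sample.crt"
    tar -czf "$work/Module1_End.ucs" -C "$work/src" config
}

# Offline demo: run this script with --demo as its only argument.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d) && make_sample_ucs "$demo"
    echo "members with private keys:"
    ucs_private_key_members "$demo/Module1_End.ucs"
    out=$(ucs_extract_private "$demo/Module1_End.ucs")
    path_is_private "$out" && echo "extracted privately to $out"
    rm -rf "$demo" "$out"
fi
```

On the lab system the first function would be pointed at /var/local/ucs/Module1_End.ucs, the path used in step 7c.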


Module 2 Lab – Processing Traffic

Objectives:

Configure pools for servers

Configure virtual servers and associate them with a pool

Verify functionality

Estimated time for completion: 20 minutes

Lab Requirements:

IP and port addresses available for use on BIG-IP LTM that can be reached by the client systems

Actual servers with appropriate routes to return traffic through each BIG-IP LTM system

Lab Instructions

1. If you are already logged in to the BIG-IP, skip to step 10.
2. After connecting to the F5 Training Lab, click the Management Ubuntu Client icon.
3. Click the Firefox Web Browser icon in the left panel. When prompted, log in as admin with a password of admin.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen, click Next.
5. On both the License and Resource Provisioning screens, click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.
8. You will be prompted to log in again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module2_Lab_begin.ucs archive and then click the Restore button. An OK button appears to acknowledge the restore has started. It will take a minute, but watch this screen. You will receive one error message but that is OK and is due to the F5 Training Lab environment only.
12. After Restore and Reboot, your configuration should be as if you had just finished all Module 1 labs. Please verify this is the case. Your configuration should be licensed, include 2 VLANs (Network / VLANs) named external and internal and have 4 self IPs (Network / Self IPs) at 10.10.1.31, 10.10.1.33, 172.16.1.31 and 172.16.1.33 configured.

Creating an HTTP Pool and Virtual Server Lab

Create a Pool

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Pools and then the Create button or hover your mouse over Pools and then click the sign on the flyout menu.

3. In the Configuration section, enter the following:

Configuration Level Basic

Name http_pool

Health Monitors Leave Blank

4. In the Resources section, enter the following:

Load Balancing Method Round Robin

Priority Group Activation Disabled

New Members

For each, enter Address and Service Port and press Add

172.16.20.1 port 80

172.16.20.2 port 80

172.16.20.3 port 80

5. When complete, click Finished.

Create a Virtual Server that uses this pool

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Virtual Servers and click Create, or hover your mouse over Virtual Servers and then click the sign on the flyout menu.

3. In the General Properties section, enter the following:

Name: vs_http

Destination: 10.10.1.100

Service Port: 80 (or HTTP)

State: Enabled

4. In the Configuration section, accept all defaults.

5. In the Resources section, enter the following:

iRules: Leave Blank

HTTP Class Profiles: Leave Blank

Default Pool: http_pool

Default Persistence Profile: None

Fallback Persistence Profile: None

6. When complete, click Finished.

Verification through Statistics

1. Open a new browser session on your PC and point it to the virtual server at http://10.10.1.100. Note the results and refresh the screen 5-10 times. You may need to refresh using the Ctrl and F5 keys to force the browser not to use its cache.

2. View statistics and configuration information through:

a. Overview Section / Statistics / Local Traffic Tab

b. From the Statistics Type drop down list, choose Virtual Servers

c. From the Statistics Type drop down list, choose Pools

3. Did traffic go to each pool member?

4. Did each pool member manage the same number of connections?

5. Did each pool member manage the same number of bytes?

6. How many TCP connections are opened each time you refresh the browser page?

Expected Results and Troubleshooting

Expected result: 5 connections per refresh, distributed evenly among the pool members. The webpage consists of the index.html and 4 objects. The web servers have keep-alives disabled.

If not, verify the following:

Is traffic getting to the virtual server?

Does 10.10.1.100 appear in your workstation’s ARP table?

Type arp -a at the workstation’s command prompt.

Does the Statistics page show traffic received by vs_http?

Verify that the address and port are correctly configured

Is traffic getting to the pool members?

If no traffic is going TO the pool members:

Verify http_pool has been assigned to vs_http

Verify the correct members address / port

If traffic goes TO pool member, but does not return:

Verify that self IP address 172.16.1.33 is configured on port 1.2 (this address is the pool members’ default route).

Creating an HTTPS Virtual Server and Pool Lab

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Virtual Servers and click Create, or hover your mouse over Virtual Servers and then click the sign on the flyout menu.

3. In the General Properties section, enter the following:

Name: vs_https

Destination: 10.10.1.100

Service Port: 443 (or HTTPS)

State: Enabled

4. In the Configuration section, accept all defaults.

5. Since we “forgot” to create the pool first, navigate to the Resources section and click the “+” character to the right of Default Pool.

6. In the Configuration section of the new pool, enter the following:

Configuration: Basic

Name: https_pool

Health Monitors: Leave Blank

7. In the Resources section, enter the following:

Load Balancing Method: Round Robin

Priority Group Activation: Disabled

New Members: For each, enter Address and Service Port and press Add

172.16.20.1 port 443

172.16.20.2 port 443

172.16.20.3 port 443

NOTE: Since the members’ IP addresses are the same, you could select Node List and choose the members’ IP addresses from the drop-down list.

8. When the pool is complete, press Finished.

9. In the Virtual Server’s Resources section, verify the following settings:

iRules: Leave Blank

HTTP Class Profiles: Leave Blank

Default Pool: https_pool

Default Persistence Profile: None

Fallback Persistence Profile: None

10. When complete, make sure to click Finished for the virtual server.

Verification through Statistics

1. Open a new browser session on your PC and point it to the virtual server at https://10.10.1.100. Note the results and refresh the screen 5-10 times.

2. View statistics and configuration information through:

a. Overview Section / Statistics / Local Traffic Tab

b. From the Statistics Type drop down list, choose Virtual Servers

c. From the Statistics Type drop down list, choose Pools

3. Did traffic go to each pool member?

4. Did each pool member manage the same number of connections?

5. Did each pool member manage the same number of bytes?

6. How many TCP connections are opened each time you refresh the browser page?

Statistics using the Command Line

1. Open an SSH client window using PuTTY, enter the external IP address of your BIG-IP LTM system (10.10.1.31), and make sure the protocol is set to SSH.

2. When prompted, enter root as the user ID and the password that was added during setup. A password of default was suggested in Lab 1 and set in the Module2_Lab_begin.ucs file.

3. If prompted for terminal type, accept or enter vt100.

4. Enter the command bigtop. This command shows real-time information on the virtual servers and pool members that you have configured.

5. View the screen while refreshing your session to either http://10.10.1.100 or https://10.10.1.100. What does bigtop show? Exit bigtop by pressing the q key.

6. Statistics for pools and virtual servers can be viewed by typing the following:

b pool <pool name> show

example: b pool http_pool show

b virtual <virtual name> show

example: b virtual vs_http show

Expected Results and Troubleshooting

Expected result: You may see six connections the first time you request the page (due to the SSL key exchange), but should see five connections per subsequent refresh. The requests should be evenly distributed among the pool members.

If not, verify the following:

Confirm that the virtual server was created. Students often neglect to hit Finish for the virtual server after hitting Finish for the pool.

Local Traffic / Virtual Servers

Is traffic getting to the virtual server?

Does 10.10.1.100 appear in your workstation’s ARP table? You may need to clear your ARP table before testing to remove the entry from the vs_http virtual server.

Does the Statistics page show traffic received by vs_https?

Verify that the address and port are correctly configured.

Is traffic getting to the pool members? Check Pool statistics:

If no traffic is going TO the pool members:

Verify https_pool has been assigned to vs_https

Verify the correct members address / port

If traffic goes TO pool member but does not return:

Verify that self IP address 172.16.1.33 is configured on port 1.2 (this address is the pool members’ default route).

Network Map Lab

View Configuration and Status from Network Map

1. Open a browser session and access https://10.10.1.31.

2. Select Local Traffic / Network Map, then click Show Map.

3. Mouse over both virtual server and Pool objects and notice what information is displayed about that object.

4. Select a Pool member and disable it.

a. From the Navigation pane, expand the Local Traffic section.

b. Select Pools.

c. Select http_pool.

d. Select Members.

e. Check the box to the left of the chosen member and click the Disable button.

5. Go back to Network Map and notice that the status changed to disabled, indicated by a black square.

6. Re-enable the disabled pool member for later labs.

7. Change the search field to 20.1 and then click Update Map. Notice that all members are still listed, but matches are highlighted.

8. Select System / Preferences and change the Start Screen from Welcome to Network Map. Close your browser session to the admin GUI, and then log back in to https://10.10.1.31 and notice that your default screen is now Network Map.

Module 3 Lab – Load Balancing

Objectives:

Choose differing load balancing methods and view the resulting behavior

Choose differing member priority and ratio values and view the resulting behavior

Estimated time for completion: 10 minutes

Lab Requirements:

Access to a BIG-IP LTM with at least a pool with two or more working members

Lab Instructions

1. If you are already logged in to the BIG-IP, skip to step 10.

2. After connecting to the F5 Training Lab, click the Management Ubuntu Client icon.

3. Click the Firefox Web Browser icon in the left panel. When prompted, log in as admin with a password of admin.

4. If starting with a new lab environment, on the Welcome / Setup Utility screen, click Next.

5. On both the License and Resource Provisioning screens, click Next.

6. On the Setup Utility / Platform screen, enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.

7. Enter a Root Account password of default twice and an Admin Account password of admin twice, and then click Next.

8. You will be prompted to log in again because the Admin password was changed.

9. After logging in, click the Finished button under Advanced Network Configuration.

10. From the Navigation pane, expand the System section, then select Archives.

11. Click the Module3_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen. You will receive one error message, but that is OK and is due to the F5 Training Lab environment only.

12. After Restore and Reboot, your configuration should be as if you had just finished all Module 2 labs. Please verify this is the case. Your configuration should include two pools named http_pool and https_pool and two virtual servers named vs_http and vs_https. None of the Pools or Pool Members should have Monitors assigned (blue square status).

Round Robin Load Balancing Lab

If not zero, reset the Statistics for http_pool

1. From the Navigation pane, expand the Overview section and select Statistics.

2. From the Display options sections, change the Statistics Type to Pools.

3. Select the checkbox adjacent to http_pool, and click Reset.

View Results using Round Robin Load Balancing

1. Open a browser session and access http://10.10.1.100.

2. Refresh the screen a few times by pressing Ctrl+F5 (Ctrl+R if using Firefox).

3. Navigate back to the pools statistics page.

4. What are the results? Were the connection requests distributed evenly?

5. Reset the statistics for http_pool.

Ratio member Load Balancing Lab

Configure Member Ratios and Ratio (member) Load Balancing and test.

1. From the Navigation pane, expand the Local Traffic section.

2. Select Pools.

3. Select http_pool.

4. Select Members.

5. Within the Load Balancing section, change the Load Balancing Method to Ratio (member) and click Update.

6. Within the Configuration section of each member, set the ratio values as follows:

Member Ratio

172.16.20.1:80 1

172.16.20.2:80 2

172.16.20.3:80 3

7. Open a new browser session and connect to http://10.10.1.100.

8. Refresh the screen 5-10 times by pressing Ctrl-F5.

9. View the pool statistics. What are the results?

10. Reset the statistics for http_pool.

Expected Results and Troubleshooting

Expected result: Traffic will be distributed to the members with a 1:2:3 ratio.

Configuration reset if continuing to other Module Labs

If you are not going to perform the Priority Group Activation Lab, but want to continue using your existing configuration with other Module labs, reset http_pool and members to the following settings:

Load Balancing: Round Robin

Priority Group Activation Lab

Configure Priority Group Activation

1. From the Navigation pane, expand the Local Traffic section.

2. Select Pools.

3. Select http_pool.

4. Select Members.

5. In the Load Balancing section, change the Priority Group Activation setting to Less than …, the number of Available Members to 2, and click Update.

6. Within the Configuration section of each member, set the Priority values as follows:

Member Ratio Priority Group

172.16.20.1:80 1 1

172.16.20.2:80 2 4

172.16.20.3:80 3 4

7. Open a new browser session and connect to http://10.10.1.100.

8. Refresh the screen 5-10 times by pressing Ctrl-F5.

9. View the pool statistics. What are the results?

10. Reset the statistics for http_pool.

11. Disable the member 172.16.20.2:80.

12. Open a new browser session and connect to http://10.10.1.100.

13. Refresh the screen 5-10 times by pressing Ctrl-F5.

14. View the pool statistics. What are the results?

15. Re-enable the member 172.16.20.2:80.

16. Reset the statistics for http_pool.

Expected Results and Troubleshooting

In step (9), 172.16.20.1:80 should receive no traffic. The traffic will be distributed to the other members with a 2:3 ratio.

In step (14), 172.16.20.2:80 should receive no traffic. The traffic will be distributed to the other members with a 1:3 ratio.
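
The 1:2:3 split expected in the Ratio (member) lab and the 2:3 and 1:3 splits expected in this lab can be reproduced with a small model. The Python below is an added example, not F5 code and not part of the lab guide; it assumes a simplified selection model (priority groups are added from the highest value down until the "Less than" threshold is met, then connections follow a repeating ratio schedule), and the names Member, active_members, ratio_schedule, distribute and lab_pool are invented for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Member:
    address: str
    ratio: int = 1
    priority: int = 0
    enabled: bool = True


def active_members(members, less_than=None):
    """Members eligible for traffic.

    less_than=None models Priority Group Activation: Disabled.
    Otherwise groups are activated from the highest priority value downward
    until at least `less_than` enabled members are eligible.
    """
    enabled = [m for m in members if m.enabled]
    if less_than is None:
        return enabled
    active = []
    for priority in sorted({m.priority for m in enabled}, reverse=True):
        active.extend(m for m in enabled if m.priority == priority)
        if len(active) >= less_than:
            break
    return active


def ratio_schedule(members):
    """One ratio cycle: each member appears `ratio` times, interleaved."""
    remaining = {m.address: m.ratio for m in members}
    schedule = []
    while any(remaining.values()):
        for m in members:
            if remaining[m.address] > 0:
                schedule.append(m.address)
                remaining[m.address] -= 1
    return schedule


def distribute(members, connections, less_than=None):
    """Connections per member after `connections` new connections."""
    counts = {m.address: 0 for m in members}
    schedule = ratio_schedule(active_members(members, less_than))
    if not schedule:  # every member disabled: nothing can be selected
        return counts
    for i in range(connections):
        counts[schedule[i % len(schedule)]] += 1
    return counts


def lab_pool():
    """http_pool with the ratio and priority values from the lab tables."""
    return [
        Member("172.16.20.1:80", ratio=1, priority=1),
        Member("172.16.20.2:80", ratio=2, priority=4),
        Member("172.16.20.3:80", ratio=3, priority=4),
    ]


if __name__ == "__main__":
    pool = lab_pool()
    print("ratio only:        ", distribute(pool, 60))
    print("less than 2:       ", distribute(pool, 60, less_than=2))
    pool[1].enabled = False  # step 11: disable 172.16.20.2:80
    print("less than 2, .2 off:", distribute(pool, 60, less_than=2))
```

With both priority 4 members enabled the threshold of 2 is already met, so the priority 1 member stays idle; disabling one of them drops the active group below 2 and pulls the priority 1 member in.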

Configuration reset if continuing to other Module Labs

If you want to continue using your existing configuration with other Module labs, reset http_pool and members to the following settings:

Load Balancing: Round Robin

Priority Group Activation: Disabled

Module 4 Lab – Monitors

Objective:

Associate nodes with monitors

Create custom monitors

Estimated time for completion: 10 minutes

Lab Requirements:

Access to a BIG-IP LTM with at least one pool with two working members

Some knowledge of the traffic sent by the members

Lab Instructions

1. If you are already logged in to the BIG-IP, skip to step 10.

2. After connecting to the F5 Training Lab, click the Management Ubuntu Client icon.

3. Click the Firefox Web Browser icon in the left panel. When prompted, log in as admin with a password of admin.

4. If starting with a new lab environment, on the Welcome / Setup Utility screen, click Next.

5. On both the License and Resource Provisioning screens, click Next.

6. On the Setup Utility / Platform screen, enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.

7. Enter a Root Account password of default twice and an Admin Account password of admin twice, and then click Next.

8. You will be prompted to log in again because the Admin password was changed.

9. After logging in, click the Finished button under Advanced Network Configuration.

10. From the Navigation pane, expand the System section, then select Archives.

11. Click the Module4_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen. You will receive one error message, but that is OK and is due to the F5 Training Lab environment only.

12. Your configuration should be as if you had just finished all Module 3 labs. Please verify this is the case. Your configuration should be licensed and include two Pools named http_pool and https_pool and two Virtual Servers named vs_http and vs_https. None of the Pools or Pool Members should have Monitors assigned (blue square status).

Monitor for Nodes Lab

Check Current Node States

1. From the Navigation pane, select the Local Traffic section.

2. Select Nodes.

3. What are the nodes’ statuses?

4. Will BIG-IP LTM distribute traffic to nodes that are Unknown?

Assign a Default Monitor to all Nodes

1. From the Navigation pane, expand the Local Traffic section.

2. Select Nodes.

3. Above the list of nodes, select Default Monitor.

4. From the list of Available monitors, select icmp, press the move to the left button (<<), and press Update.

5. Recheck the Node states (either follow directions above or select Node List from the current location).

NOTE: Each time the Node List tab is pressed, the screen will refresh.

6. What are the nodes’ statuses? Was the change immediate?

Create a custom ICMP monitor

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Monitors and then the Create button, or hover your mouse over Monitors and then click the sign on the flyout menu.

3. In the General Properties section, enter the following:

Name: my_icmp

Type: ICMP

4. In the Configuration section, enter the following:

Interval: 10

Timeout: 31

Transparent: No

5. When complete, click Finished.

Assign the custom monitor to selected nodes

1. From the Navigation pane, expand the Local Traffic section.

2. Select Nodes and then select the node at 172.16.20.1.

3. In the Configuration Section, enter the following:

Name: Leave Blank

Health Monitors: Node Specific

Select Monitors: my_icmp in Active column

Availability Requirement: All

Additional Settings: Leave as Defaults

4. When complete, click Update.

5. What are the nodes’ statuses?

Disassociate all monitors for selected node

1. From the Navigation pane, expand the Local Traffic section.

2. Select Nodes.

3. Select the node 172.16.20.2.

4. In the Configuration Section, enter the following:

Health Monitors: None

Additional Settings: Leave as Default

5. When complete, press Update.

6. What is the node’s status? Was the change immediate?

Conclusion

At this point, each node is being tested differently. Node 172.16.20.1 has a specific assignment, my_icmp. Node 172.16.20.2 has no monitor assigned. Node 172.16.20.3 is using the Node Default monitor, which is currently icmp. This is not a recommended configuration; rather, it is used to demonstrate the three ways monitors can be associated with nodes.

Monitors for Pools and Members Lab #1

Objective:

Associate members with monitors

Create custom monitors

Estimated time for completion: 10 minutes

Check Current Member States

1. From the Navigation pane, expand the Local Traffic section.

2. Select Pools.

3. Select http_pool.

4. Select the Members tab.

5. What are the members’ statuses?

6. Will BIG-IP LTM distribute traffic to members that are Unknown?

Assign a Standard Monitor to a Pool

1. Navigate to Local Traffic / Pools / http_pool / Members and note the members’ states. Select the Properties tab.

2. In the Configuration section, enter the following:

Configuration: Basic

Health Monitors: http

3. When complete, press Update.

4. Recheck the Member states (either follow directions above or select Members from the current location).

NOTE: Each time the Members tab is pressed, the screen will refresh.

5. What are the members’ statuses? Was the change immediate?

Create a New HTTP-based Monitor

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Monitors and then the Create button, or hover your mouse over Monitors and then click the sign on the flyout menu.

3. In the General Properties section, enter the following:

Name: my_http

Type: HTTP

Import Settings: http

4. In the Configuration Section, enter the following:

Configuration: Basic

Send String: GET /index.html\r\n

Receive String: Server

Leave other settings at default

5. When complete, click Finished.

Assign the Custom Monitor to Selected Members

1. From the Navigation pane, expand the Local Traffic section.

2. Select Pools.

3. Select http_pool.

4. Select the Members tab.

5. Select the member 172.16.20.2:80.

6. In the Configuration Section, enter the following:

Configuration: Advanced

Health Monitors: Member Specific

Select Monitors: my_http

Leave other settings at default

7. When complete, click Update.

8. What are the members’ statuses? Was there any change?

Disassociate all monitors for selected member

1. From the Navigation pane, expand the Local Traffic section.

2. Select Pools.

3. Select the pool http_pool.

4. Select the Members tab.

5. Select the member at 172.16.20.3:80.

6. In the Configuration Section, enter the following:

Configuration Level: Advanced

Health Monitors: None

Leave other settings at default

7. When complete, click Update.

8. What are the members’ statuses? Was the change immediate?

Conclusion

At this point, each member is being tested differently. Member 172.16.20.1:80 is set to inherit from the pool, which has http assigned. Member 172.16.20.2:80 has a specific assignment, my_http. Member 172.16.20.3:80 has no assigned monitor. This configuration is not recommended; rather, it is used to demonstrate the three ways monitors can be associated with members.

Monitors for Pools and Members Lab #2

Objective:

Associate members with monitors

Create custom monitors

Estimated time for completion: 10 minutes

Check Current Member States

1. From the Navigation pane, expand the Local Traffic section.

2. Select Pools.

3. Select https_pool, and then select the Members tab.

4. What are the members’ statuses?

Create a New HTTPS-based Monitor

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Monitors and then the Create button, or hover your mouse over Monitors and then click the sign on the flyout menu.

3. In the General Properties section, enter the following:

Name: my_https

Type: HTTPS

Import Settings: https

4. In the Configuration section, enter the following:

Configuration Level: Basic

Send String: GET /index.html\r\n

Receive String: Server 2

Leave other settings at default

5. When complete, click Finished.

Assign the Custom Monitor to a Pool

1. From the Navigation pane, expand the Local Traffic section.

2. Select Pools.

3. Select https_pool.

4. In the Configuration Section, enter the following:

Configuration: Basic

Health Monitors: my_https

5. When complete, click Update.

6. What are the members’ statuses? Why? Was the change immediate?

7. What is the status of the Virtual Server?

Check Status of Nodes and Members from Network Map

1. From the Navigation pane, expand the Local Traffic section, select the Network Map and click Show Map.

2. Moving the mouse over certain Pool members, notice that the Parent Node state can be different from that of the Pool member. Why is this happening? Remember that we can and have assigned different monitors to Nodes and Pool Members.

Change the Definition of the Custom Monitor

1. From the Navigation pane, expand the Local Traffic section.

2. Select Monitors.

3. Select my_https.

4. In the Configuration Section, change the Receive String to Server [1-3]

5. When complete, click Update.

6. What is the status of members in https_pool? Was the change immediate?

NOTE: [1-3] is a simple regular expression that matches any single character in the range from 1 to 3.
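
How the monitor association (inherited from the pool, member specific, or none) and the Receive String decide each member's status in Labs #1 and #2 can be modelled as follows. This Python is an added example, not F5 code and not part of the lab guide; the page bodies are constructed sample replies, the empty Receive String and the "GET /" send string of the stock http monitor are assumptions of the model, and the names Monitor, PoolMember, member_status and pool_status are invented for the illustration.

```python
import re
from dataclasses import dataclass

INHERIT = "inherit"  # marker: the member uses whatever monitor the pool has


@dataclass(frozen=True)
class Monitor:
    name: str
    send: str
    receive: str = ""  # assumption: an empty Receive String accepts any reply


@dataclass
class PoolMember:
    address: str
    monitor: object = INHERIT  # INHERIT, a Monitor, or None for no monitor


def member_status(member, pool_monitor, reply):
    """Status of one member given the reply to its monitor's Send String."""
    monitor = pool_monitor if member.monitor == INHERIT else member.monitor
    if monitor is None:
        return "unknown"    # blue: nothing checks this member
    if reply is None:
        return "offline"    # red: no reply at all
    # The Receive String is treated as a regular expression searched in the reply.
    if monitor.receive == "" or re.search(monitor.receive, reply):
        return "available"  # green
    return "offline"


def pool_status(members, pool_monitor, replies):
    return {m.address: member_status(m, pool_monitor, replies.get(m.address))
            for m in members}


def constructed_replies(port):
    """Constructed page bodies; the real lab pages are not shown in the guide."""
    return {f"172.16.20.{n}:{port}": f"<html><body>Welcome to Server {n}</body></html>"
            for n in (1, 2, 3)}


def https_pool_status(receive_string):
    """Lab #2: my_https assigned to https_pool, every member inherits it."""
    my_https = Monitor("my_https", "GET /index.html\\r\\n", receive_string)
    members = [PoolMember(f"172.16.20.{n}:443") for n in (1, 2, 3)]
    return pool_status(members, my_https, constructed_replies(443))


def http_pool_status():
    """Lab #1 end state: inherit from pool, member specific, and no monitor."""
    http = Monitor("http", "GET /\\r\\n")  # assumed defaults of the stock monitor
    my_http = Monitor("my_http", "GET /index.html\\r\\n", "Server")
    members = [
        PoolMember("172.16.20.1:80"),                   # inherits http
        PoolMember("172.16.20.2:80", monitor=my_http),  # member specific
        PoolMember("172.16.20.3:80", monitor=None),     # no monitor
    ]
    return pool_status(members, http, constructed_replies(80))


if __name__ == "__main__":
    print(https_pool_status("Server 2"))
    print(https_pool_status("Server [1-3]"))
    print(http_pool_status())
```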

Configuration reset if continuing to other Module Labs

If you want to continue using your existing configuration with other Module labs, make sure all pool members for both http_pool and https_pool are in one of the following states:

Available or Green

Unknown or Blue

Module 5 Lab – Profiles

Note: No Lab for Module 5 Profiles

There is no Lab for Module 5 Profiles. There are labs using Profiles in both Module 6, Persistence, and Module 7, SSL Termination.

Module 6 Labs – Persistence

Objective:

Configure Source Address Persistence

Verify functionality

Estimated time for completion: 10 minutes

Lab Requirements:

Two or more working members in https_pool

A virtual server at https://10.10.1.100 associated with https_pool

Lab Instructions

1. If you are already logged in to the BIG-IP, skip to step 10.

2. After connecting to the F5 Training Lab, click the Management Ubuntu Client icon.

3. Click the Firefox Web Browser icon in the left panel. When prompted, log in as admin with a password of admin.

4. If starting with a new lab environment, on the Welcome / Setup Utility screen, click Next.

5. On both the License and Resource Provisioning screens, click Next.

6. On the Setup Utility / Platform screen, enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.

7. Enter a Root Account password of default twice and an Admin Account password of admin twice, and then click Next.

8. You will be prompted to log in again because the Admin password was changed.

9. After logging in, click the Finished button under Advanced Network Configuration.

10. From the Navigation pane, expand the System section, then select Archives.

11. Click the Module6_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen. You will receive one error message, but that is OK and is due to the F5 Training Lab environment only.

12. Your configuration should be as if you had just finished all Module 4 labs, since there weren’t any labs for Module 5. Please verify this is the case. Your configuration should be licensed and include two Pools named http_pool and https_pool and two Virtual Servers named vs_http and vs_https. The Pools and Pool Members should have various Monitors assigned, but no Pool Members should be marked Offline (red).

Source Address Persistence Lab

Repeating behavior before persistence

1. Make sure the Load Balancing method for https_pool is set to Round Robin, Priority Group Activation is disabled, and that all pool members have a connection limit of 0.

NOTE: This is not required for persistence. Instead, it ensures that reuse of a single server is due to persistence and not a load balancing choice.

2. Next, access and reset the statistics for the https_pool.

3. Open a new browser session and connect to https://10.10.1.100.

4. Refresh the screen 5-10 times by clicking Refresh or pressing the F5 key.

5. View the pool statistics. What are the results?

Expected Results and Troubleshooting

Expected result: All pool members should receive approximately equal amounts of traffic. If not, ensure that step (1) was followed.

Configure a Source Address Affinity Persistence Profile

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Profiles and the Persistence tab and click Create, or use the flyout menus to expand Profiles Persistence and click the sign.

3. In the General Properties section, enter the following:

Name: Pr_Src_Persist

Persistence Type: Source Address Affinity

Parent Profile: source_addr

4. In the Configuration section, leave all fields at the default settings except for the following:

Timeout: Click on the Custom checkbox for Timeout and then set the Timeout to 15 seconds.

Mask: Click on the Custom checkbox for Mask and then set the Mask to 255.255.255.0.

5. When complete, click Finished.

Associate a Virtual Server with the Persist_Source Profile

1. From the Navigation pane, expand the Local Traffic section.

2. Select Virtual Servers.

3. Select the virtual server of interest, vs_https.

4. Select the Resources tab.

5. Under the Load Balancing section, enter the following:

Default Pool: https_pool

Default Persistence Profile: Pr_Src_Persist

Fallback Persistence Profile: None

6. When complete, click Update.

Demonstrating behavior after setting up persistence

1. Access and reset the statistics for the https_pool.

2. Open a new browser session and connect to https://10.10.1.100

3. Refresh the screen 5-10 times by clicking Refresh or pressing Ctrl-F5.

4. View the pool statistics. What are the results?

5. Stop refreshing the screen for at least 15 seconds.

6. Refresh again. At this point, you should be load balanced to another server.

7. From a separate browser session, view the Persistent Statistics.

a. From the Navigation Pane, expand the Overview section.

b. Select Statistics.

c. Within the Display Options section, set the following:

Statistics Type: Persistence Records

Data Format: Normalized

Auto Refresh: Disabled

8. Leave the * in the search field (show all records) and click Search or Refresh.

9. If no persistent sessions currently appear, refresh your screen connecting to https://10.10.1.100 and then refresh the Persistence Records Statistics again.

10. Why might the persistent connection not appear the first time?

Expected Results and Troubleshooting

Expected result: While the persistence record is active, all traffic from that client will be directed to a single pool member. Since the persistence record is configured to remain for only 15 seconds, it may time out before you navigate to the persistence statistics.
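The behavior seen in this lab can be reproduced with a small model of a source-address persistence table. This is an added example, not part of the lab guide or of BIG-IP itself; the class, the function names and the timeline are hypothetical, and the model is simplified (records are keyed by the masked client address and every hit restarts the idle timer).

```python
import ipaddress
from itertools import cycle


class SourceAddrPersistence:
    """Toy model: round-robin pool with source-address persistence records."""

    def __init__(self, members, mask="255.255.255.0", timeout=15):
        self.mask = mask                    # profile Mask used in the lab
        self.timeout = timeout              # profile Timeout (idle seconds)
        self._round_robin = cycle(members)  # used when no record matches
        self.records = {}                   # masked source -> (member, last_seen)

    def _key(self, client_ip):
        # The mask is applied to the client address, so every client in the
        # same masked network shares a single persistence record.
        net = ipaddress.ip_network(f"{client_ip}/{self.mask}", strict=False)
        return str(net.network_address)

    def active_records(self, now):
        """Drop records idle for longer than the timeout and return the rest."""
        self.records = {key: rec for key, rec in self.records.items()
                        if now - rec[1] <= self.timeout}
        return dict(self.records)

    def connect(self, client_ip, now):
        """Return the pool member chosen for a connection made at time `now`."""
        key = self._key(client_ip)
        record = self.active_records(now).get(key)
        member = record[0] if record else next(self._round_robin)
        self.records[key] = (member, now)   # every hit restarts the idle timer
        return member


def run_lab():
    # Constructed timeline in seconds; addresses follow the lab's numbering.
    lb = SourceAddrPersistence(
        ["172.16.20.1:443", "172.16.20.2:443", "172.16.20.3:443"])
    refreshes = [lb.connect("10.10.1.30", t) for t in range(5)]  # t = 0..4
    neighbour = lb.connect("10.10.1.77", 5)    # same /24, different host
    other_net = lb.connect("10.10.2.30", 6)    # different /24
    seen_at_10 = lb.active_records(10)         # statistics viewed in time
    seen_at_40 = lb.active_records(40)         # statistics viewed too late
    after_idle = lb.connect("10.10.1.30", 41)  # record expired: load balanced
    return refreshes, neighbour, other_net, seen_at_10, seen_at_40, after_idle


if __name__ == "__main__":
    for item in run_lab():
        print(item)
```

With the 255.255.255.0 mask, a second host in 10.10.1.0/24 lands on the same member as the first, and a statistics query made after the 15-second idle period returns no records.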

Cookie Persistence Lab

Objective:

Configure Cookie persistence

Verify functionality

Estimated time for completion: 15 minutes

Lab Requirements:

Two or more working members in http_pool

A virtual server at http://10.10.1.100 associated with http_pool

Repeating behavior before persistence

1. Make sure the Load Balancing method for http_pool is set to Round Robin and Priority Group Activation is disabled.

NOTE: This is not required for persistence. Instead, it ensures that reuse of a single server is due to persistence and not a load-balancing choice.

2. Access and reset the statistics for the http_pool.

3. Open a new browser session and connect to http://10.10.1.100.

4. Refresh the screen 5-10 times by clicking Refresh or pressing the F5 key.

5. View the pool statistics. What are the results?

Creating a Custom HTTP Cookie Insert Persistence Profile:

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Profiles and the Persistence tab and click Create or use the flyout menus to expand Profiles Persistence and click the sign.

3. In the General Properties section, enter the following:

Name Pr_Cookie_Persist

Persistence Type Cookie

Parent Profile Cookie

4. In the Configuration section, leave all settings at default except for the following:

Expiration Check the Custom checkbox for Expiration, then uncheck Session Cookie and set the Expiration to 2 days.

5. When complete, click Finished.

Associating a Virtual Server with the Cookie Persistence Profile

1. From the Navigation pane, expand the Local Traffic section.

2. Select Virtual Servers.

3. Select the Virtual Server of interest, vs_http.

4. Select the Resources tab.

5. Within the Load Balancing section, enter the following:

Default Pool http_pool

Default Persistence Profile Pr_Cookie_Persist

Fallback Persistence Profile None

6. When complete, click Update.

NOTE: You should see an error stating that an HTTP profile is required in order to use the cookie persistence profile. Follow the steps below.

Associating the Virtual Server with an HTTP Profile

1. From the Navigation pane, select Local Traffic menu, Virtual Servers option.

2. Select the Virtual Server of interest, vs_http.

3. Select the Properties tab.

4. Within the Configuration section, set the HTTP Profile to http.

5. When complete, click Update.

6. Re-add the Pr_Cookie_Persist profile on the vs_http Resources tab as the Default Persistence Profile and click Update.

Demonstrating behavior after persistence

1. Access and reset the statistics for the http_pool.

2. Open a new browser session and connect to http://10.10.1.100

3. Refresh the screen 5-10 times by pressing “Refresh” or CTRL-F5.

4. View the pool statistics. What are the results?

5. Click on the Display Cookie link in the web page to view the cookie.

Expected Results and Troubleshooting

Expected result: All traffic will be directed to one member. If not, ensure that the browser you are using allows cookies to be saved.
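In BIG-IP's default, unencrypted cookie-insert format, the cookie shown by the Display Cookie link is named BIGipServer followed by the pool name, and its value encodes the selected pool member's IPv4 address and port. The following added example (not part of the lab guide) decodes that value so you can see what the cookie tells the client about the internal network; the Set-Cookie headers are constructed samples and the function names are hypothetical.

```python
import ipaddress
import re

# Default cookie-insert value for an IPv4 pool member:
#   <address as a little-endian integer>.<port with its two bytes swapped>.0000
VALUE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
COOKIE_RE = re.compile(r"BIGipServer(?P<pool>[^=;\s]+)=(?P<value>[^;\s]+)")

# Constructed samples: the lab's http_pool member 172.16.20.1:80, and a value
# that does not follow the default format.
SAMPLE_PLAIN = ("Set-Cookie: BIGipServerhttp_pool=18092204.20480.0000; "
                "expires=Fri, 14-Dec-2012 10:00:00 GMT; path=/")
SAMPLE_OPAQUE = "Set-Cookie: BIGipServerhttp_pool=!constructedOpaqueValue==; path=/"


def encode_member(ip, port):
    """Build the default cookie value for an IPv4 member (for round-trip checks)."""
    ip_num = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    port_num = int.from_bytes(port.to_bytes(2, "big"), "little")
    return f"{ip_num}.{port_num}.0000"


def decode_member(value):
    """Return (ip, port), or None if the value is not in the default format."""
    match = VALUE_RE.match(value)
    if not match:
        return None
    ip_num, port_num = int(match.group(1)), int(match.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    ip = ipaddress.IPv4Address(ip_num.to_bytes(4, "little"))
    port = int.from_bytes(port_num.to_bytes(2, "little"), "big")
    return str(ip), port


def audit_set_cookie(header):
    """Report which pool and member a persistence cookie reveals, if any."""
    match = COOKIE_RE.search(header)
    if not match:
        return None
    member = decode_member(match.group("value"))
    discloses = bool(member) and ipaddress.ip_address(member[0]).is_private
    return {
        "pool": match.group("pool"),
        "member": member,                       # None when the value is opaque
        "discloses_private_address": discloses,
    }


if __name__ == "__main__":
    print(audit_set_cookie(SAMPLE_PLAIN))
    print(audit_set_cookie(SAMPLE_OPAQUE))
```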

Disable Persistence for this Virtual Server

1. From the Navigation pane, expand the Local Traffic section.

2. Select Virtual Servers.

3. Select the Virtual Server of interest, vs_http.

4. Select the Resources Tab.

5. Under the Load Balancing section, enter the following:

Default Pool http_pool

Default Persistence Profile None

Fallback Persistence Profile None

6. When complete, click Update.

Disabled Members Lab

Objective:

See the interaction between persistence and the disabled status

Estimated time for completion: 15 minutes

Lab Requirements:

vs_https with resources https_pool and Pr_Src_Persist profile

NOTE: You may want to extend the persistence timeout value in the Persist_Source profile before beginning this lab.

Establish a persistent session and disable a member

1. From the Navigation pane, expand the Local Traffic section.

2. Select Pools then select https_pool.

3. Select the Members tab.

4. Open a separate browser to https://10.10.1.100. Refresh to verify that you are persisting.

5. Note the member to which you have connected.

6. From the Members tab, click the box adjacent to the member you are persisting to and click Disabled.

7. Refresh the browser session at https://10.10.1.100.

Did you remain on the same member?

8. From the Members tab, select the IP address of the member to which you have the persistence session.

9. Select the Forced Offline radio button and click Update.

10. Refresh the browser session at https://10.10.1.100.

Did you remain on the same member?

Establish a persistent session and disable a node

1. From the Navigation pane, expand the Local Traffic section and then select Nodes.

2. Open a separate browser to https://10.10.1.100. Refresh to verify that you are persisting.

3. Note the node to which you have connected.

4. From the Nodes list, select the box adjacent to the node and click the Disable button.

5. Refresh the browser session at https://10.10.1.100. Did you remain on the same node?

Re-Enable nodes and members

For later labs, ensure all nodes and members are enabled.

Module 7 Lab – SSL Termination

Objective:

Create self-signed certificates

Create a Clientssl profile

Create a virtual server that will use the clientssl profile and load balance traffic

Lab Requirements:

An existing pool of members at port 80 (http_pool)

Access to a web browser

Lab Instructions

1. If you are already logged in to the BIG-IP, skip to step 10.

2. After connecting to the F5 Training Lab, click the Management Ubuntu Client icon.

3. Click the Firefox Web Browser icon in the left panel. When prompted, log in as admin with a password of admin.

4. If starting with a new lab environment, on the Welcome / Setup Utility screen, click Next.

5. On both the License and Resource Provisioning screens, click Next.

6. On the Setup Utility / Platform screen, enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.

7. Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

8. You will be prompted to log in again because the Admin password has changed.

9. After logging in, click the Finished button under Advanced Network Configuration.

10. From the Navigation pane, expand the System section, then select Archives.

11. Click the Module7_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen. You will receive one error message, but that is OK and is due to the F5 Training Lab environment only.

12. Your configuration should be as if you had just finished all Module 6 labs. Please verify this is the case. Your configuration should be licensed and include two Pools named http_pool and https_pool and two Virtual Servers named vs_http and vs_https. The Pools and Pool Members should have various Monitors assigned but no Pool Members should be marked Offline (red) or Disabled (black). The vs_https Virtual Server should have a Source Address Persistence Profile assigned on the Resources tab.

Client SSL Lab

Behavior before configuration: SSL traffic is encrypted from client.

1. Open a Web browser to https://10.10.1.100.

2. Depending on the browser, you may see a lock in the lower right corner of the window; it indicates the session is encrypted and secure. Alternatively, find the certificate that is being used for the session. Typically, you can right-click on the web page, choose “View Page Information” and click the Security tab.

3. Note the pool member address and port in the body of the web page (172.16.20.x:443).

Generate a certificate

1. From the Navigation pane, expand the Local Traffic section.

2. Either select SSL Certificates and click Create or hover your mouse over SSL Certificates and then click the sign on the flyout menu.

3. In the General Properties section, enter the name StudentCertificate.

4. In the Certificate Properties section, enter the following:

Issuer Self

Common Name www.student.com

Division Training

Organization F5 Networks

Locality Seattle

State or Province Washington

Country US

E-Mail Address Leave blank

Lifetime 365

5. In the Key Properties section, choose 1024 for the size.

6. Click Finished.

Create a Client SSL Profile:

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Profiles / SSL, click Client and then click Create, or use the flyout menus to expand Profiles SSL Client and click the sign.

3. In the General Properties section, enter the name Pr_Client_SSL and accept clientssl as the parent profile.

4. From the Configuration section, check the Custom button to the right of Certificate and Key, and choose StudentCertificate or your new name from the drop-down list.

5. Click Finished.

Creating the Virtual Server

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Virtual Servers and click Create or leave your mouse over Virtual Servers and then click the Create option on the flyout menu.

3. In the General Properties Section, enter the following:

Name vs_ssl

Destination 10.10.1.102

Service Port 443 (or HTTPS)

State Enabled

4. In the Configuration section, accept all defaults except the SSL Profile (Client) option, and choose the Pr_Client_SSL profile you’ve just created.

5. In the Resources section, select http_pool as the Default Pool.

6. Click Finished.

Behavior after configuration

1. Open a Web browser.

2. Go to https://10.10.1.102. When prompted, accept the SSL certificate.

NOTE: The browser session is encrypted on the client side, but not on the server side.

3. Note the Pool Member address:port in the body of the web page (172.16.20.Y:80).

Unless otherwise configured, the traffic is encrypted from the client to the BIG-IP LTM System, but unencrypted between the BIG-IP system and the pool members.

Module 8 Labs – NATs and SNATs

Lab Objectives:

You will configure a NAT to pass traffic between an external device and a specific internal node. Either device can initiate this connection.

Lab Requirements:

One or more servers on the internal side of the BIG-IP system

An available IP address to use for the NAT

Lab Instructions

1. If you are already logged in to the BIG-IP, skip to step 10.

2. After connecting to the F5 Training Lab, click the Management Ubuntu Client icon.

3. Click the Firefox Web Browser icon in the left panel. When prompted, log in as admin with a password of admin.

4. If starting with a new lab environment, on the Welcome / Setup Utility screen, click Next.

5. On both the License and Resource Provisioning screens, click Next.

6. On the Setup Utility / Platform screen, enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.

7. Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

8. You will be prompted to log in again because the Admin password has changed.

9. After logging in, click the Finished button under Advanced Network Configuration.

10. From the Navigation pane, expand the System section, then select Archives.

11. Click the Module8_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen. You will receive one error message, but that is OK and is due to the F5 Training Lab environment only.

12. Your configuration should be as if you had just finished all Module 7 labs. Please verify this is the case. Your configuration should be licensed and include three Pools named ssl_pool, http_pool and https_pool and three Virtual Servers named vs_ssl, vs_http and vs_https. The Pools and Pool Members should have various Monitors assigned but no Pool Members should be marked Offline (red) or Disabled (black). The vs_https Virtual Server should have a Source Address Persistence Profile assigned on the Resources tab.

Configuring a NAT Lab

The Network Address Translation screen displays the NAT address and the associated node address for each NAT.

Configure a NAT

1. From the Navigation pane, expand the Local Traffic section.

2. Either select SNATs, the NAT List tab, and Create, or use the flyout menus to expand SNATs NATs and click the sign.

3. In the General Properties section, enter the following:

NAT Address 10.10.1.200

Origin Address 172.16.20.2

State Enabled

4. In the Configuration section leave everything at defaults:

ARP Enabled

VLAN Traffic All VLANs

5. Click Finished.

Testing the NAT - Inbound

1. Open a browser session to http://10.10.1.200.

2. Note the content of the Web screen.

3. Using Putty, open an SSH session to 10.10.1.200 port 22.

4. Login with a user ID of student and password of student.

5. Note that you can connect to multiple services through the NAT and that the connection always connects to 172.16.20.2.

NOTE: While the configured NAT would provide outbound connections as well, the routing tables on the server do not allow it in the classroom environment.

Delete the NAT

1. From the Navigation pane, expand the Local Traffic section.

2. Select SNATs and then the NAT List tab.

3. Check the box next to the NAT you just created, 10.10.1.200, and then click the Delete button.

4. Click Delete to confirm the deletion.

SNAT Labs

Lab Requirements:

Access to a BIG-IP LTM System

An available IP address to use for the SNAT

Testing Behavior without the SNAT

1. Open a browser session to both http://10.10.1.100 and https://10.10.1.100.

2. Verify your IP address at the Web server by clicking the link that says Show Source IP Address. You should see your PC's unchanged address: 10.10.1.30.

3. The servers reside at IP addresses 172.16.20.1, 172.16.20.2 and 172.16.20.3. They can return the response traffic to your PC at 10.10.1.30 through your BIG-IP because they each contain the following Server Route:

Destination Gateway

10.10.1/24 172.16.1.33

SNAT within Virtual Server Lab

Configure the vs_https virtual server to use SNAT Automap

1. From the Navigation pane, select the Local Traffic menu, the Virtual Servers option, and select vs_https.

2. In the General Properties section, select the Advanced option, and scroll down to the bottom of the configuration screen.

3. In the SNAT Pool option, select Automap and then click the Update button.

Testing the SNAT

1. Open a browser session to http://10.10.1.100.

2. Verify your IP address at the Web server by clicking the link that says Show Source IP Address. Your address should still be 10.10.1.30.

3. Now open a browser session to https://10.10.1.100, click the link to check the source IP and notice your source address has changed to 172.16.1.33, the internal floating self IP address of your BIG-IP.

SNAT for a List of Devices Lab

1. From the Navigation pane, expand the Local Traffic section.

2. Either select SNATs and Create, or use the flyout menus to expand SNATs and click the sign.

3. In the General Properties section, enter the Name SNAT_NW_10X.

4. In the Configuration section, enter the following:

Translation IP Address: 172.16.1.201

Origin Address List (next option will appear)

Address List

Type – Network

Address – 10.0.0.0

Netmask – 255.0.0.0

Click Add

VLAN Traffic All VLANs

Stateful Failover Mirror Unchecked

5. Click Finished.

Testing the SNAT

1. Test the results by connecting to http://10.10.1.100 and https://10.10.1.100. View your source IP address. What are the results?

Connection Source IP at Server Which SNAT

To http://10.10.X.100

To https://10.10.X.100

2. What SNATing is taking place for each Virtual Server?

3. Expected results: you should connect successfully to both of your virtual servers. Your traffic to https://10.10.1.100 will be SNATed to 172.16.1.33. Your traffic to http://10.10.1.100 will be SNATed to 172.16.1.201.

4. How could you change your SNAT definition to allow traffic from the 192.168.0.0/16 network to be SNATed also?

Delete the SNATs

Remove SNAT option from Virtual Server configurations

1. From the Navigation pane, select the Local Traffic menu, the Virtual Servers option, vs_https, and set the SNAT Pool option to None.

2. From the Navigation pane, select the SNATs menu, the SNAT named SNAT_NW_10X, and then click Delete.

3. Notice when testing that your source address is once again 10.10.1.30, but you still get response packets back from the servers because of the routes on the servers.

Module 9 Labs – iRules

Objective:

Configure a series of iRules, pools, and virtual servers in order to demonstrate a variety of rule features and functions.

Estimated time for completion: 30 minutes.

Lab Requirements:

External IP address of the Virtual Server

IP Address(es) of internal node(s)

Lab Instructions

1. If you are already logged in to the BIG-IP, skip to step 10.

2. After connecting to the F5 Training Lab, click the Management Ubuntu Client icon.

3. Click the Firefox Web Browser icon in the left panel. When prompted, log in as admin with a password of admin.

4. If starting with a new lab environment, on the Welcome / Setup Utility screen, click Next.

5. On both the License and Resource Provisioning screens, click Next.

6. On the Setup Utility / Platform screen, enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.

7. Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

8. You will be prompted to log in again because the Admin password has changed.

9. After logging in, click the Finished button under Advanced Network Configuration.

10. From the Navigation pane, expand the System section, then select Archives.

11. Click the Module9_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen. You will receive one error message, but that is OK and is due to the F5 Training Lab environment only.

12. Your configuration should be as if you had just finished all Module 8 labs. Please verify this is the case. Your configuration should be licensed and include three Pools named ssl_pool, http_pool and https_pool and three Virtual Servers named vs_ssl, vs_http and vs_https. The Pools and Pool Members should have various Monitors assigned but no Pool Members should be marked Offline (red) or Disabled (black). The vs_https Virtual Server should have a Source Address Persistence Profile assigned on the Resources tab. Although they won’t cause issues with this lab, all NATs and SNATs should have been deleted at the end of Lab 8.

iRules Lab #1

Create and use an iRule that processes requests based on the file extension.

iRules Lab 1 Steps

1. The necessary pools are created.

2. iRules that reference the pools are created.

3. Virtual Servers that reference the iRules are created.

Create a Pool

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Pools and then click Create, or use the flyout menus to expand Pools and click the sign.

3. In the Configuration section, enter the following:

Configuration level Basic

Name pool1

Health Monitors Leave Blank

4. In the Resources section, enter the following:

Load Balancing Method Round Robin

Priority Group Activation Disabled

New Members

Enter and press Add

IP: 172.16.20.1

Port: * All Services

5. When complete, click Finished.

Create another Pool

1. Create pool2 that contains one member, 172.16.20.2:* (Port is “All Services”).

Create a Rule using this pool

1. From the Navigation pane, expand the Local Traffic section.

2. Either select iRules and click Create or leave your mouse over iRules and then click the sign on the flyout menu.

3. In the Properties section, enter the following:

Name rule_txt_end

Definition

    when HTTP_REQUEST {
        if {[HTTP::uri] ends_with "txt"} {
            pool pool1
        }
    }

4. When complete, click Finished.

Create a Virtual Server using this rule

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Virtual Servers and click Create or leave your mouse over Virtual Servers and then click the sign on the flyout menu.

3. In the General Properties section, enter the following:

Name vs_rule_txt

Destination 10.10.1.101

Service Port 80 (or HTTP)

State Enabled

4. In the Configuration section, leave all fields at their default except the following:

HTTP Profile http

5. In the Resources section, leave all fields at their default except the following:

iRules rule_txt_end

6. When complete, click Finished.

Verification through Statistics

1. Open a new browser session on your PC and direct it to your Virtual Server address and files:

a. http://10.10.1.101/file.txt

b. http://10.10.1.101/text.txt

c. http://10.10.1.101

NOTE: Currently, you should get an error message for the URL http://10.10.1.101 (Cannot display webpage in IE, Connection reset in Firefox) because there is no Default Pool and no else leg in the iRule. Also, files such as file.txt, text.txt and text.one exist only on Server 1 (172.16.20.1).

2. View statistics and configuration information through:

a. Overview Section / Statistics / Choose from Statistics Type drop-down list.

b. Local Traffic Section / Virtual Servers / Statistics

c. Local Traffic Section / Pools / Statistics

3. Which node is traffic being directed to for each address above?

Add a Default Pool to the Virtual Server and Test

1. Navigate to the resources for the Virtual Server vs_rule_txt and specify pool2 as the default pool.

2. Open a new browser, test client connections and explain your results.

a. http://10.10.1.101/file.txt

b. http://10.10.1.101/text.txt

c. http://10.10.1.101

NOTE: Now http://10.10.1.101 should work and send you to Pool2.

Add an Else leg to iRule and Test

1. Disassociate the default pool (pool2) from virtual server vs_rule_txt.

2. Change rule_txt_end to add an else leg for pool2 like:

    when HTTP_REQUEST {
        if {[HTTP::uri] ends_with "txt"} {
            pool pool1
        } else {
            pool pool2
        }
    }

3. Open a new browser, test client connections and explain your results.

a. http://10.10.1.101/file.txt

b. http://10.10.1.101/text.txt

c. http://10.10.1.101
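The three stages of this lab (rule only, Default Pool added, else leg added) can be checked against a small model of the pool decision. This is an added example, not part of the lab guide: the Python functions are hypothetical stand-ins for the iRule, the URLs in EDGE_URLS are constructed, and the comparison on [HTTP::path] (a standard iRule command that excludes the query string) is a variant the lab itself does not use.

```python
from urllib.parse import urlsplit


def http_uri(url):
    """Model of [HTTP::uri]: the request path plus the query string."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def http_path(url):
    """Model of [HTTP::path]: the request path without the query string."""
    return urlsplit(url).path or "/"


def select_pool(url, else_pool=None, default_pool=None, match_on=http_uri):
    """Pool chosen for one request; None models 'no pool' (connection reset)."""
    if match_on(url).endswith("txt"):   # ends_with is a case-sensitive suffix test
        return "pool1"
    if else_pool is not None:           # the else leg added to the rule
        return else_pool
    return default_pool                 # the virtual server's Default Pool, if any


LAB_URLS = [
    "http://10.10.1.101/file.txt",
    "http://10.10.1.101/text.txt",
    "http://10.10.1.101",
]

# Constructed requests that show where a suffix test on the whole URI and a
# test on the path alone disagree, or match more than a ".txt" extension.
EDGE_URLS = [
    "http://10.10.1.101/file.txt?v=1",
    "http://10.10.1.101/index.html?next=txt",
    "http://10.10.1.101/FILE.TXT",
    "http://10.10.1.101/notatxt",
]


def lab_stages():
    stages = {
        "rule only": {},
        "default pool2": {"default_pool": "pool2"},
        "else leg": {"else_pool": "pool2"},
    }
    return {name: [select_pool(u, **kw) for u in LAB_URLS]
            for name, kw in stages.items()}


def edge_cases():
    # (decision when matching on the URI, decision when matching on the path)
    return {u: (select_pool(u, else_pool="pool2"),
                select_pool(u, else_pool="pool2", match_on=http_path))
            for u in EDGE_URLS}


if __name__ == "__main__":
    print(lab_stages())
    print(edge_cases())
```

Because [HTTP::uri] includes the query string, a request for file.txt with a query appended falls through to pool2, while any request whose query happens to end in txt is sent to pool1.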

iRules Lab #2

Lab 2 Overview

Create and use an iRule that processes requests based on the TCP port.

Create a third Pool

1. Create pool3 that contains one member, 172.16.20.3:* (Port is “All Services”).

Create a Rule for TCP port

1. From the Navigation pane, expand the Local Traffic section.

2. Either select iRules and click Create or leave your mouse over iRules and then click the sign on the flyout menu.

3. In the Properties section, enter the following:

Name rule_tcp_port

Definition

    when CLIENT_ACCEPTED {
        if {[TCP::local_port] == 80} {
            pool pool1
        } elseif {[TCP::local_port] == 443} {
            pool pool2
        }
    }

4. When complete, click Finished.

Create a Virtual Server using this rule

1. From the Navigation pane, expand the Local Traffic section.

2. Either select Virtual Servers and click Create or leave your mouse over Virtual Servers and then click the sign on the flyout menu.

3. In the General Properties section, enter the following:

Name vs_tcpport

Destination 10.10.1.103

Service Port * All Ports

State Enabled

4. In the Configuration section, accept all defaults.

5. In the Resources section, leave all fields at their default except the following:

iRules rule_tcp_port

Default Pool pool3

6. When complete, click Finished.

Verification through Statistics

1. Open a new browser session on your PC and direct it to your Virtual Server address and files:

a. http://10.10.1.103

b. https://10.10.1.103

c. Using Putty, open an SSH session to 10.10.1.103 port 22.

NOTE: You can verify that your SSH session went to Pool3 using Statistics.

2. View statistics and configuration information through:

a. Overview Section / Statistics / Choose from Statistics Type drop-down list.

b. Local Traffic Section / Virtual Servers / Statistics

c. Local Traffic Section / Pools / Statistics

3. To which node is traffic being directed for each client request above and why?

Module 10 Labs – Setting up a Redundant Pair

Note: Lab for Module 10 Setting up a Redundant Pair

The Online Lab Environment does not support Setting up a Redundant Pair.

If you would like to get hands-on training with redundant systems, please enroll in the Configuring BIG-IP Local Traffic Manager (LTM) v11 instructor-led course. For current course offerings and schedules, visit the Global Training page on F5.com.

The steps to set up a redundant pair can be found in Appendix A.

Module 11 Labs – High Availability

Note: Lab for Module 11 High Availability

The Online Lab Environment does not support High Availability.

If you would like to get hands-on training with high availability, please enroll in the Configuring BIG-IP Local Traffic Manager (LTM) v11 instructor-led course. For current course offerings and schedules, visit the Global Training page on F5.com.

The steps to set up High Availability can be found in Appendix A.

Configuration Lab Project

Lab Objectives:

During this lab, you will work with many of the concepts that you learned in Modules 1 to 8. In Modules 1 through 8, the lab steps were very specific and told the student exactly what to do. One of the objectives of this Lab Configuration Project is to see if the student remembers how to configure each feature. Therefore, the lab steps in this Configuration Project are not specific but rather given at a much higher level. Another objective of this Configuration Project is to give the student an opportunity to configure all features together rather than individually. Upon completion, you will have configured a BIG-IP system with working virtual servers, profiles, monitors and pools.

There are two stages to this lab:

1. Create new pools, profiles, monitors and virtual servers.

2. Verify the configuration works as expected.

Lab Instructions

1. If you are already logged in to the BIG-IP, skip to step 10.

2. After connecting to the F5 Training Lab, click the Management Ubuntu Client icon.

3. Click the Firefox Web Browser icon in the left panel. When prompted, log in as admin with a password of admin.

4. If starting with a new lab environment, on the Welcome / Setup Utility screen, click Next.

5. On both the License and Resource Provisioning screens, click Next.

6. On the Setup Utility / Platform screen, enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.

7. Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

8. You will be prompted to log in again because the Admin password has changed.

9. After logging in, click the Finished button under Advanced Network Configuration.

10. From the Navigation pane, expand the System section, then select Archives.

11. Click the Module2_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen. You will receive one error message, but that is OK and is due to the F5 Training Lab environment only.

12. After Restore and Reboot, your configuration should be as if you had just finished all Module 1 labs. Please verify this is the case. Your configuration should be licensed, include 2 VLANs (Network / VLANs) named external and internal and have 4 self IPs (Network / Self IPs) at 10.10.1.31, 10.10.1.33, 172.16.1.31 and 172.16.1.33 configured.

Reconfigure the BIG-IP LTM System

A. Create Monitors according to the following table

| Name | Type | Settings | Associations |
|---|---|---|---|
| my_http | http | Interval – 5, Timeout – 16; Receive String – Server; Others – leave at defaults | http_pool (once the pool is created, below) |

B. Assign Monitors according to the following table

| Name | Type | Settings | Associations |
|---|---|---|---|
| icmp (Default Monitor) | icmp | Use all default settings | Node Default |

C. Create Pools according to the following table

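| Name | Load Balance | Member | Port | Ratio | Priority | Monitors |
|---|---|---|---|---|---|---|
| ssh_pool | Round Robin | 172.16.20.1 | 22 | 1 | 1 | |
| | | 172.16.20.2 | 22 | 1 | 1 | |
| | | 172.16.20.3 | 22 | 1 | 1 | |
| http_pool | Ratio Member; Priority Group Activation Less than 2 | 172.16.20.1 | 80 | 2 | 1 | my_http |
| | | 172.16.20.2 | 80 | 2 | 4 | |
| | | 172.16.20.3 | 80 | 1 | 4 | |
| https_pool | Round Robin | 172.16.20.1 | 443 | 1 | 1 | |
| | | 172.16.20.2 | 443 | 1 | 1 | |
| | | 172.16.20.3 | 443 | 1 | 1 | |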

D. Create Profiles as listed in the following table

| Name | Profile Type | Parent Profile | Settings |
|---|---|---|---|
| Pr_Src_Persist | Persistence Source Address | source_addr | Timeout of 30 seconds and mask of 255.255.255.0 |
| Pr_SSL_term | SSL Client | clientssl | Certificate of TestCertificate and a Key of TestCertificate |

E. Create Virtual Servers according to the following table

NOTE: Remember that Persistence Profiles are configured on the Resources tab of the Virtual Server and all other Profile types on the Properties tab.

| Name | IP Address | Port | Resources | Profiles & SNAT |
|---|---|---|---|---|
| vs_ssh | 10.10.1.100 | 22 | ssh_pool | Defaults only |
| vs_http | 10.10.1.100 | 80 | http_pool | SNAT Automap |
| vs_https | 10.10.1.100 | 443 | https_pool | Pr_Src_Persist |
| vs_ssl | 10.10.1.102 | 443 | http_pool | Pr_SSL_term |

Save your new configuration

1. Back up your new configuration as Lab_Project.ucs.

Verification

| # | Activity | Questions | Working? |
|---|---|---|---|
| 1 | Open a Browser and connect to http://10.10.1.100. Refresh the screen 5-10 times. | Are you load balancing? Why or why not? | |
| 2 | Open a Browser and connect to https://10.10.1.100. Refresh the screen 5-10 times. View the node statistics. | Are you load balancing? Why or why not? | |
| 3 | Open a Putty SSH session to 10.10.1.100:22. After connecting, log in (User-id: student, Password: student). View the node statistics. | Were you able to connect? Which node did you connect to? Do you have an open connection? | |
| 4 | Open a Browser and connect (again) to https://10.10.1.100. Refresh the screen 5-10 times. View the node statistics. | Are you load balancing? Why or why not? Are you connecting to the same node as you did in test 2, above? | |
| 5 | Open a Browser and connect to both https://10.10.1.100 and http://10.10.1.100. Click the link to show source address. | What is your source address for http and https? Why are they different? | |
| 6 | Open a Browser and connect to https://10.10.1.102. | Is the session secure? Is the data from BIG-IP LTM to the Server encrypted? | |

Review Questions

1. Which admin users’ passwords are changed by the BIG-IP setup utility, and what access do they have?

2. What is a node? A pool and pool member? A profile? A virtual server?

3. List the load balancing modes.

4. How are monitors created, and what can they be assigned to?

5. If a particular node is in a node disabled condition, will any types of client requests still be directed to that pool member?

6. What is the difference between the client SSL and server SSL Profiles?

7. Why would you use SNATs?

This completes the BIG-IP LTM Essentials Web-Based Training Lab Guide.

Thank you for taking the time to complete the exercises.

Answers to Configuration Project Questions

| Activity | Questions | Answers |
|---|---|---|
| Refresh http://10.10.1.100 | Are you load balancing? Why or why not? | Yes, but you should only be using Nodes 20.2 & 20.3 because they have higher priorities for Priority Group Activation. |
| Refresh https://10.10.1.100 | Are you load balancing? Why or why not? | Actually this is a trick question. The first request is load balanced but subsequent requests within the 30 second timeout window should persist to the same Node. |
| SSH to 10.10.1.100:22. Log in with user ID and password of student. View the node statistics. | Did you connect? Which node did you connect to? Do you have an open connection? | You should have connected OK. You have to go to the statistics to figure out which node, and your SSH connection remains open until you exit Putty or log off. |
| Refresh (again) https://10.10.1.100 | Are you load balancing? Why or why not? Are you connecting to the same node as 2 steps above? | Your previous 30 second persistence record should have timed out by now. The first request should go to a different member than in the previous session and then should persist for another 30 seconds. |
| For both https and http, click the source address link | What is the source address for http and https? Why are they different? | http should have a source IP of 172.16.1.33 because of SNAT Automap, and https should have a source IP of 10.10.1.30. |
| Browser session to https://10.10.1.102 | Is the session secure? Is the data encrypted from the Server to the BIG-IP LTM? | The session should be secure (using https) from client PC to BIG-IP, then unencrypted (http) from BIG-IP to Server. |
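
The http_pool answer above (traffic only to 172.16.20.2 and 172.16.20.3) follows from combining Priority Group Activation "Less than 2" with Ratio (Member). The sketch below is an added example, not part of the lab guide and not F5 code: a simplified Python model that uses the http_pool values from table C and also shows what changes when a priority 4 member goes down. The function names, the cumulative activation rule and the ordering inside a ratio cycle are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Member:
    address: str
    ratio: int
    priority: int
    up: bool = True


def http_pool(down=()):
    """http_pool as listed in table C; `down` marks members as unavailable."""
    rows = [("172.16.20.1", 2, 1), ("172.16.20.2", 2, 4), ("172.16.20.3", 1, 4)]
    return [Member(a, r, p, up=a not in down) for a, r, p in rows]


def eligible_members(members, less_than):
    """Members that may receive traffic under Priority Group Activation 'Less than N'.

    Start with the highest priority group; while fewer than `less_than`
    available members are active, also activate the next-highest group
    (assumed, simplified rule).
    """
    available = [m for m in members if m.up]
    active = []
    for priority in sorted({m.priority for m in available}, reverse=True):
        active += [m for m in available if m.priority == priority]
        if len(active) >= less_than:
            break
    return active


def ratio_cycle(members):
    """One Ratio (Member) cycle: each member appears `ratio` times.

    The interleaving order is this example's choice, not BIG-IP's.
    """
    cycle = []
    for round_no in range(max(m.ratio for m in members)):
        cycle += [m for m in members if m.ratio > round_no]
    return cycle


def distribute(members, less_than, requests):
    """Count how many of `requests` new connections each member receives."""
    active = eligible_members(members, less_than)
    if not active:
        return Counter()  # every member is down: nothing can be served
    cycle = ratio_cycle(active)
    return Counter(cycle[i % len(cycle)].address for i in range(requests))


if __name__ == "__main__":
    print("all members up:  ", dict(distribute(http_pool(), 2, 9)))
    print("172.16.20.2 down:", dict(distribute(http_pool(down={"172.16.20.2"}), 2, 9)))
```

With all members up, 172.16.20.1 never receives traffic; once one priority 4 member is marked down, fewer than two members remain in that group and the priority 1 member is activated.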

Answers to Review Questions

1. Which admin users' passwords are changed by the BIG-IP setup utility, and what access do they have (web GUI or Command Line)?

root – and it should have access only to the command line, not the web GUI.

admin – and it should initially have access only to the web GUI, but command line access can be added.

2. What is a node? A pool and pool member? A virtual server?

A Node is the IP Address only of a server, whereas a Pool Member typically contains both IP Address and Port.

A Pool is a group of Pool Members, and the Virtual Server is the client representation of the application. Clients seldom know there are multiple Pool Members behind a Virtual.

3. List the load balancing modes.

Round Robin is the default load balancing mode but we can also use Ratio, Least Connections, Fastest, Observed and Predictive.

F5 Networks continues to add new features to BIG-IP LTM including new load balancing modes, so you might see more depending on what version you are running.

4. How are monitors created, and what can they be assigned to?

Just like other objects, they are created by selecting Monitors and clicking the create button or the sign from the flyout menu.

Monitors also need to be assigned before they will be used. Monitors can be assigned to all Nodes or an individual Node, or at the Pool level or to an individual Pool Member.

5. If a particular node is in a node disabled condition, will any types of client requests still be directed to that pool member?

Yes, client requests can still be directed to a disabled Node if there is still a persistent session (i.e. within the timeout window).

On the other hand, if the Node is administratively “Forced Offline” rather than Disabled, then no more client requests will be sent until the Node is Enabled again.

6. What is the difference between the client SSL and server SSL Profiles?

The Client SSL Profile encrypts (https) network traffic between the client and BIG-IP.

The Server SSL Profile encrypts (https) network traffic between BIG-IP and the servers.

7. Why would you use SNATs?

SNATs are used to fix or assist with routing issues. There are MANY ways a SNAT can be used to resolve the many different types of routing issues; two are listed below.

- RFC1918 (non-routable) client traffic outbound to the internet

- The Pool Members' default route cannot be pointed at BIG-IP, but remember… If BIG-IP changes an IP Address then the response packet must return through BIG-IP.

Appendix A – Setting up a Redundant Pair and High Availability

Setting up a Redundant Pair

Configuration of BIG-IP #1 and BIG-IP #2

BIG-IP #1 should now be configured like the diagram shown below and also have Virtual Servers, Pools, Monitors and Profiles. On the next page we will configure BIG-IP #2 from a clean system.

[Figure: BIG-IP Redundant Pair Configuration]

Setup of BIG-IP #2 Lab

NOTE: The second system in your lab pair is licensed but not currently configured. Connect to https://192.168.1.246 and run the Setup Utility using the configuration options below.

| Step | System Y |
|---|---|
| Management Port IP address | 192.168.1.246 |
| Management Port Netmask | 255.255.255.0 |
| Hostname | bigip2.f5trn.com |
| High Availability | Redundant Pair |
| Unit ID | 2 |
| root password | default |
| admin password | admin |
| SSH Access | * All Addresses |
| VLAN Name on 1.2 | Internal |
| Self IP Address | 172.16.1.32 |
| Netmask | 255.255.0.0 |
| Port Lockdown | Allow Default |
| Floating IP | 172.16.1.33 |
| Failover Peer IP | 172.16.1.31 |
| Port Association | 1.2 Untagged |
| VLAN Name on 1.1 | External |
| Self IP Address | 10.10.1.32 |
| Netmask | 255.255.0.0 |
| Port Lockdown | Allow Default |
| Default Gateway | Leave Blank |
| Floating IP | 10.10.1.33 |
| Port Association | 1.1 Untagged |

Status of BIG-IP #1 and BIG-IP #2

Note: You may notice that both BIG-IP #1 and #2 are in an Active state. This is not a desired state, but we will wait to resolve this in the next Module 11 Lab when we set up Network Failover.

Synchronization Lab

Synchronization should always be from the system whose configuration is desired. In our case, we wish to synchronize the BIG-IP #1 configuration to BIG-IP #2 since it has no configuration.

BIG-IP #2 configuration before Synchronization

At this point, the BIG-IP #2 should have a base configuration set with passwords, VLANs and Self IPs. Verify the Self IPs (Network / Self IPs) for BIG-IP #2 are set to 10.10.1.xx, 10.10.1.33, 172.16.1.xx and 172.16.1.33.

Synchronizing Configuration from BIG-IP #1 to #2

1. Open a browser to https://192.168.1.245. (BIG-IP #1)

2. From the Navigation pane of the active system, expand the System section.

3. Either select High Availability and then the ConfigSync tab or use the flyout menus to expand High Availability ConfigSync and click ConfigSync.

4. Click the Synchronize TO Peer button for a push operation to BIG-IP #2.

5. At the Synchronize this BIG-IP LTM to its failover partner prompt, click OK.

The synchronization process takes 15-60 seconds.

6. Verify your configuration was copied to the second System.

Expected Results and Troubleshooting

At this point, the BIG-IP #1 and #2 system configurations should be similar. Verify that BIG-IP #2 has the same Virtual Servers, Pools, Profiles, Monitors and iRules as BIG-IP #1. The License, Hostname and Self IPs (Network / Self IPs) should be different.

If the Self IPs are the same for both systems, verify the following:

The hostnames (System / Platform) should be different (bigip1… and bigip2)

If BIG-IP #2 does not have Virtual Servers from BIG-IP #1, verify the following:

Were there errors during Synchronization? (System / Logs / System)

Did you Synchronize the wrong way? (from BIG-IP #2 to #1)

High Availability

Lesson Objective:

During this lesson, you will work with the failover features of a redundant pair of BIG-IP systems.

Restoring BIG-IP #1 from previous Lab

1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.

2. When prompted, login as admin with a password of admin.

3. If you have an existing lab environment, skip to step 10 below.

4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.

5. On both the License and Resource Provisioning screens click Next.

6. On the Setup Utility / Platform screen, enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.

7. Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

8. You will be prompted to log in again because the Admin password was changed.

9. After logging in, click the Finished button under Advanced Network Configuration.

10. From the Navigation pane, expand the System section, then select Archives.

11. Click the Module11_Lab_BIGIP1.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen and you should see messages that your restore completed successfully. You might receive one error message but that is ok and is due to the F5 Training Lab environment only.

12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning takes effect. Select System / Configuration and click the Reboot box under Operations.

13. Your configuration should be as if you had just finished all Module 10 labs. Please verify this is the case. BIG-IP #1 should be licensed and include five Pools, two iRules, five Virtual Servers, and Monitors assigned to some but not all Pool Members. No Pool Members should be marked Offline (red) or Disabled (black). It should have a hostname of bigip1.f5trn.com and Self IPs (Network / Self IPs) of 10.10.1.31, 10.10.1.33, 172.16.1.31 and 172.16.1.33.

Restoring BIG-IP #2 from previous Lab

1. After connecting to F5 Training Lab, open a browser to https://192.168.1.246.

2. When prompted, login as admin with a password of admin.

3. If you have an existing lab environment, skip to step 10 below.

4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.

5. On both the License and Resource Provisioning screens click Next.

6. On the Setup Utility / Platform screen, enter a Host Name of bigip2.f5trn.com and change the High Availability setting to Redundant Pair.

7. Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

8. You will be prompted to log in again because the Admin password was changed.

9. After logging in, click the Finished button under Advanced Network Configuration.

10. From the Navigation pane, expand the System section, then select Archives.

11. Click the Module11_Lab_BIGIP2.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen and you should see messages that your restore completed successfully. You might receive one error message but that is ok and is due to the F5 Training Lab environment only.

12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning takes effect. Select System / Configuration and click the Reboot box under Operations.

13. Your configuration should be as if you had just finished all Module 10 labs. Please verify this is the case. BIG-IP #2 should be licensed and include five Pools, two iRules, five Virtual Servers, and Monitors assigned to some but not all Pool Members. No Pool Members should be marked Offline (red) or Disabled (black). It should have a hostname of bigip2.f5trn.com and Self IPs (Network / Self IPs) of 10.10.1.32, 10.10.1.33, 172.16.1.32 and 172.16.1.33.

Network Failover Lab

Objectives:

During this lab, you will configure network failover.

Determining State Prior to Configuration

1. Open an SSH session to each system, 10.10.1.31 and 10.10.1.32. Press Enter to update the prompt repeatedly. Note that both systems are in Active state because we haven’t configured Network Failover yet.

Note: The F5 virtual environment does not support the use of hardware failover cables.

Network Failover Configuration and Testing

1. This feature is not synchronized, so you must configure each system separately.

2. Navigate to System / High Availability / Network Failover.

3. On BIG-IP #1, enter the following in the Configuration section:

   Network Failover: Check the box
   Peer Management Address: 192.168.1.246
   Unicast:
      Configuration Identifier: peer_bigip2
      Local Address: Self IP address 172.16.1.31
      Remote Address: 172.16.1.32
      Port: Blank (defaults to 1026)
   Multicast: Leave Blank

4. When complete, click Update.

5. On BIG-IP #2, enter the following in the Configuration section:

   Network Failover: Check the box
   Peer Management Address: 192.168.1.245
   Unicast:
      Configuration Identifier: peer_bigip1
      Local Address: Self IP address 172.16.1.32
      Remote Address: 172.16.1.31
      Port: Blank (defaults to 1026)
   Multicast: Leave Blank

6. When complete, click Update.

7. When both systems have been set, note that the systems change to active-standby mode. BIG-IP #2 should be the one to fall back to standby state because it is unit 2.

8. Normally you would remove the Ethernet cable, but for remote labs we will disable “Network Failover” on unit #2.

9. How quickly did the standby system change to the active role also?

10. If disabling “Network Failover” on unit #2 does not cause it to go active, then you may need to disable Network Failover on unit #1 also.

11. Note that when both systems are in active mode, both are trying to service all virtual servers, NATs and SNATs.

12. Again, normally we would now replace the Ethernet cable, but for remote labs we will enable “Network Failover” again on both units.

13. Unit #2 should now fall back to standby state.

Force to Standby and Failover

1. On both BIG-IPs, navigate to System / High Availability / Redundancy.

2. Currently, BIG-IP #1 should be Active and BIG-IP #2 should be Standby.

3. On BIG-IP #1, click the Force to Standby button. Notice that BIG-IP #1 falls back to Standby state, and BIG-IP #2 takes over the Active role.

Connection Mirroring Lab

Objective:

During this lesson, you will learn how to configure connection mirroring.

Lab Requirements:

A working Active / Standby redundant pair of BIG-IPs.

Create an ssh Pool

1. Create a Pool with the following characteristics in the Configuration section:

   Configuration Level: Basic
   Name: ssh_pool
   Health Monitors: Leave Blank

2. In the Resources section, enter the following:

   Load Balancing Method: Round Robin
   Priority Group Activation: Disabled
   New Members: for each, enter Address and Service Port and press Add
      172.16.20.1 port 22
      172.16.20.2 port 22
      172.16.20.3 port 22

3. When complete, click Finished.

Create a Virtual Server that uses this pool

4. Create a Virtual Server with the following characteristics in the General Properties section:

   Name: vs_ssh
   Destination: 10.10.1.100
   Service Port: 22 (or SSH)
   State: Enabled

5. In the Configuration section, accept all defaults.

6. In the Resources section, accept all defaults except the following:

   Default Pool: ssh_pool

7. When complete, click Finished.

Synchronize the configuration

1. Synchronize from the same system (System / High Availability / ConfigSync) and click the Synchronize TO Peer button.

2. Click OK when prompted.

Testing before Mirroring

1. Using an SSH client, such as Putty, open an SSH session to: 10.10.1.100:22.

2. Login as student / student.

3. Test your connection by typing ls <enter> or similar command.

Perform Failover

1. Force the Active system to standby (System / High Availability / Force to Standby).

2. Notice that the SSH connection has been lost.

Testing with Connection Mirroring enabled

1. From the same system’s Navigation Pane, click Local Traffic / Virtual Servers and select the SSH virtual server.

2. Select Advanced from the Configuration menu.

3. Check the Connection Mirroring checkbox.

4. Click Update to set changes.

5. Synchronize from the same system (System / High Availability / ConfigSync) and click the Synchronize TO Peer button.

6. Click OK when prompted.

Establish a new SSH connection and Failover again

1. Using an SSH client such as Putty open an SSH session to: 10.10.1.100:22.

2. Login as student / student.

3. Test your connection by typing ls <enter> or similar command.

4. Force the Active system to standby. (System / High Availability / Force to Standby).

5. Test your connection by typing ls <enter> or similar command. Note the connection is maintained.

Persistence Mirroring Lab

Objective:

During this lesson, you will learn how to activate persistence mirroring for a pool where simple persistence is enabled.

Lab Requirements:

You must have a virtual server and pool appropriate for persistence other than cookie persistence.

Behavior Prior to Configuring Persistence Mirroring

Configure Persistence, Establish an https session

1. From the Navigation Pane, expand the Local Traffic section.

2. Select Virtual Servers and the virtual server vs_https.

3. Select the Resources tab, and ensure that Pr_Src_Persist is still listed as the Default Persistence Profile.

4. Select Local Traffic / Profiles / Persistence and the Pr_Src_Persist profile. Set the Timeout value to 30 seconds and click Update.

5. Synchronize from the same system (System / High Availability / ConfigSync / Synchronize TO Peer).

6. Open a browser session to: https://10.10.1.100.

7. Ensure your session persists by hitting the <Ctrl>-F5 key combination several times.

View the Persistence Record

1. View the persistence records on both systems.

a. From the Configuration Utility, navigate to Overview / Statistics. In the Display Options section, choose Persistence Records.

b. From the Command Line, enter: b persist all show all

2. On the active system, you should see a record. On the standby, you should not.

3. Re-enter this command several times and notice the Age of the record changes.

4. Let the Age count up to 30 seconds and then re-enter the command again. What happened to the persistence record?

5. Refresh the https://10.10.1.100 browser session again and then re-enter the command again. Did the Age count start over?

Perform Failover

1. Force the Active system to standby. (System / High Availability / Redundancy / Force to Standby).

2. Refresh the session to https://10.10.1.100. While there is some chance the same node may be chosen, the https session does not persist to the same server. If it does seem to persist to the same node, failover again and test. You may need to refresh by pressing Ctrl-F5 to ensure the browser does not simply display its cache.

Configuring Persistence Mirroring and Testing Subsequent Behavior

1. From the Navigation Pane, select Local Traffic menu, Profiles option, Persistence tab, and then click the Pr_Src_Persist profile.

2. Check the Custom box for Mirror Persistence, check Enabled, and then click Update.

3. Synchronize from the same system (System / High Availability / ConfigSync / Synchronize to Peer).

4. Make sure to check that the Mirror Persistence option was set on the other System for the Pr_Src_Persist profile.

Re-establish the https session, failover and retest

1. Open a browser session to https://10.10.1.100.

2. Ensure your session persists by pressing Ctrl-F5 several times.

3. Force the Active system to standby. (System / High Availability / Redundancy / Force to Standby).

4. Refresh the browser session to https://10.10.1.100. Notice that the https session does persist to the same server.

5. View the persistence records on both systems.

a. From the Configuration Utility, navigate to Overview / Statistics. In the Display Options section, choose Persistence Records.

b. From the Command Line, enter: b persist all show all

6. You should see a persistence record on both systems.

7. Re-enter this command several times and notice the Age of the record for each system. Does the Age remain the same on both Systems?

8. Refresh the https://10.10.1.100 browser session again and then re-enter the command again. Explain the Age count on each system?
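
The behaviour this lab walks through (a source address record with a 30 second timeout and a 255.255.255.0 mask, lost on failover unless Mirror Persistence is enabled) can be modelled in a few lines. This is an added example, not part of the lab guide and not F5 code: the class and function names are hypothetical, the Round Robin position is shared between the two units to keep the result deterministic, and how the standby ages its mirrored copy is not modelled.

```python
import ipaddress
from itertools import cycle

MEMBERS = ["172.16.20.1:443", "172.16.20.2:443", "172.16.20.3:443"]  # https_pool


class Unit:
    """One BIG-IP of the redundant pair with its own persistence table."""

    def __init__(self, name):
        self.name = name
        self.records = {}  # masked source address -> (pool member, time of last hit)


class RedundantPair:
    def __init__(self, timeout=30, mask="255.255.255.0", mirror=False):
        self.active, self.standby = Unit("bigip1"), Unit("bigip2")
        self.timeout, self.mask, self.mirror = timeout, mask, mirror
        # Shared Round Robin position: a simplification that keeps the demo
        # deterministic (a fresh decision always picks the next member).
        self._round_robin = cycle(MEMBERS)

    def _key(self, client_ip):
        """Apply the profile mask: every client in the same network shares a record."""
        network = ipaddress.ip_network(f"{client_ip}/{self.mask}", strict=False)
        return str(network.network_address)

    def request(self, client_ip, now):
        """Handle one new connection at time `now` (seconds); return the chosen member."""
        key = self._key(client_ip)
        record = self.active.records.get(key)
        if record and now - record[1] < self.timeout:
            member = record[0]                # live record: persist
        else:
            member = next(self._round_robin)  # none or expired: load balance
        self.active.records[key] = (member, now)  # (re)start the Age at 0
        if self.mirror:
            # Mirror Persistence: the standby learns the same mapping.
            self.standby.records[key] = (member, now)
        return member

    def failover(self):
        """Force to Standby: the units swap roles, each keeping its own table."""
        self.active, self.standby = self.standby, self.active


def failover_demo(mirror):
    """Member used before and after a failover that happens inside the timeout."""
    pair = RedundantPair(mirror=mirror)
    before = pair.request("10.10.1.30", now=0)
    pair.request("10.10.1.30", now=5)
    pair.failover()
    after = pair.request("10.10.1.30", now=10)
    return before, after


def timeout_demo():
    """Hits at 0, 29 and 58 s keep resetting the Age; a 32 s gap expires the record."""
    pair = RedundantPair()
    return [pair.request("10.10.1.30", now=t) for t in (0, 29, 58, 90)]


def shared_record_demo():
    """Two different clients in 10.10.1.0/24 map to one persistence record."""
    pair = RedundantPair()
    return pair.request("10.10.1.30", now=0), pair.request("10.10.1.77", now=1)


if __name__ == "__main__":
    print("no mirroring:", failover_demo(mirror=False))
    print("mirroring:   ", failover_demo(mirror=True))
    print("idle timeout:", timeout_demo())
    print("/24 mask:    ", shared_record_demo())
```

The last demo shows a side effect of the 255.255.255.0 mask: persistence is keyed on the client's /24 network, so every client in that network is sent to the same pool member while the record is alive.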
