CONFIDENTIAL
Link Controller Team Training
Presented by: Denny Payne, Consultant
Link Controller Overview
Purpose: Link Controller (LC) is designed to provide load balancing and/or failover across multiple locally attached ISP links.
Hardware & Licensing: Sold on the 1500 and 3400 platforms, either standalone or as a module on top of LTM/GTM.
The focus of this presentation is v9, but most concepts apply to v4 as well.
Link Controller Advantages
• Advantages to the customer:
– Eliminates BGP requirements
– ISPs are not required to coordinate
– New links can be added transparently
– GUI management of zone files: ZoneRunner (v9) or NameSurfer (v4)
• Advantages over the competition:
– Modular construction on TMOS
– iRules and health checking capability
Link Controller Limitations
• A standalone LC is a hybrid of LTM (BIG-IP) and GTM (3-DNS) with a subset of each feature set
• No L7 iRules or health checking functionality
• No advanced load balancing algorithms (observed/predictive)
• No ability to resolve IPs that it does not host (therefore no site-to-site failover or DR)
• Must be locally attached to public IP blocks
– Therefore, it must sit outside the firewall
– An LC/LTM combo may therefore not be desirable
Typical Link Controller Deployment (diagram)
Deployment considerations
• LC's hybrid design can be summed up by noting:
– Outbound traffic is processed like LTM (BIG-IP)
– Inbound traffic is processed like GTM (3-DNS)
• Link Controller must be the default gateway for the firewall
LC Quick Start
1. Define VLANs
2. Define self IPs
3. Create a gateway pool
4. Create the default route, referencing the gateway pool
5. Define links
6. Define the NTP server
7. Define listeners for each link
8. Create the outbound wildcard LB virtual server, referencing the gateway pool
9. Create outbound SNATs or SNAT pools for each egress VLAN
10. Create local traffic pools
11. Create local traffic virtual servers for each link
12. Create a WideIP
Inbound LC Transaction
1. An Internet client requests name resolution for gnu.es.f5net.com
2. Internet DNS servers tell the client that lc.es.f5net.com is the authoritative name server for the es.f5net.com zone
3. The client queries lc.es.f5net.com for name resolution of gnu.es.f5net.com
4. lc.es.f5net.com returns the IP address 10.1.10.100, the LTM virtual server on link1
5. The client sends its HTTP request to 10.1.10.100:80 and the LC processes the request as per the configuration of that LTM virtual server and its default pool
Outbound Traffic
Outbound traffic is handled in a manner similar to LTM server load balancing:
• Create a pool containing each ISP router's gateway address, with service port "any"
• Create a wildcard virtual server (0.0.0.0:0) for all protocols, enabled on the internal VLAN, and point it at the previously created pool
• Enable SNAT automap from the internal VLAN so that outbound connections leave with the self IP of the chosen ISP link as their source
Typical Link Controller Deployment (diagram)
Outbound Traffic options
• If desired, more specific virtual servers may be used to split up traffic in different ways.
• Example: create 3 pools, one with both gateways, another with only gateway 1 and a third with only gateway 2. Then create 0.0.0.0:0 using pool 1, 0.0.0.0:80 using pool 2, and 0.0.0.0:25 using pool 3. The most specific virtual server wins, so HTTP leaves via gateway 1, SMTP via gateway 2, and everything else is balanced across both.
• This may be expanded upon with pool priority and/or iRules to produce the desired traffic flow.
• Allow "ANY IP" over the SNAT so that ICMP/ping is translated as well.
Pool load balancing
Round robin and static ratio are available, but the typical setting will be dynamic ratio.
Dynamic ratio uses the link configuration settings (capacity and price, discussed in the Link Configuration section) to make load balancing decisions.
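The outbound path described in the "Outbound Traffic", "Outbound Traffic options" and "Pool load balancing" slides (and Quick Start steps 3, 8 and 9), as an added model in Python. This is illustration written for this page, not F5 code: the links, gateway and self IP addresses, capacities, prices and sample flows are constructed, and the ratio formula (free capacity divided by price) is a simplified stand-in for the real dynamic-ratio calculation, not F5's algorithm. It shows the three decisions in order: most-specific wildcard virtual server, pool member selection weighted by the link figures and skipping links whose monitor is down, and SNAT automap to the self IP on the egress link.

```python
"""Model of the Link Controller outbound (LTM-style) path.

Added illustration, not F5 code.  Links, addresses, capacities, prices and
flows are constructed; dynamic_ratio() is a simplified stand-in, not the
real calculation.
"""

# Constructed link definitions (one per ISP) with the figures the link
# configuration asks for: capacity and price per MB.
LINKS = {
    "link1": {"gateway": "203.0.113.1", "self_ip": "203.0.113.10",
              "capacity_mbps": 100, "price_per_mb": 1.0},
    "link2": {"gateway": "198.51.100.1", "self_ip": "198.51.100.10",
              "capacity_mbps": 20, "price_per_mb": 0.5},
}
LINK_UP = {"link1": True, "link2": True}   # constructed link-monitor state

# The three gateway pools from the "Outbound Traffic options" slide.
POOLS = {"gw_all": ["link1", "link2"], "gw_link1": ["link1"], "gw_link2": ["link2"]}

# Wildcard virtual servers on the internal VLAN; port 0 means "any".
VIRTUALS = [
    {"name": "out_http", "port": 80, "pool": "gw_link1"},
    {"name": "out_smtp", "port": 25, "pool": "gw_link2"},
    {"name": "out_any", "port": 0, "pool": "gw_all"},
]


def select_virtual(dst_port, virtuals=VIRTUALS):
    """Most specific listener wins: an exact port beats the 0.0.0.0:0 catch-all."""
    exact = [v for v in virtuals if v["port"] == dst_port]
    return exact[0] if exact else next(v for v in virtuals if v["port"] == 0)


def dynamic_ratio(link, load_mbps, links=LINKS):
    """Simplified ratio (assumption): headroom left on the link divided by its price."""
    cfg = links[link]
    headroom = max(cfg["capacity_mbps"] - load_mbps.get(link, 0), 0)
    return headroom / cfg["price_per_mb"]


class GatewayPool:
    """Pool of ISP gateways.  Members are chosen by smooth weighted round robin
    over the dynamic ratio; links whose monitor is down are skipped."""

    def __init__(self, members):
        self.members = list(members)
        self.credit = {m: 0.0 for m in self.members}

    def pick(self, load_mbps, link_up):
        weights = {m: dynamic_ratio(m, load_mbps) for m in self.members if link_up.get(m)}
        if not weights:
            return None                       # no live gateway: the flow cannot be forwarded
        for m, w in weights.items():
            self.credit[m] += w
        chosen = max(weights, key=lambda m: self.credit[m])
        self.credit[chosen] -= sum(weights.values())
        return chosen


def forward(flow, pools, load_mbps, link_up=LINK_UP, links=LINKS):
    """Process one outbound flow: pick the virtual, then the link, then SNAT."""
    vs = select_virtual(flow["dst_port"])
    link = pools[vs["pool"]].pick(load_mbps, link_up)
    if link is None:
        return {"virtual": vs["name"], "dropped": True}
    cfg = links[link]
    return {
        "virtual": vs["name"],
        "link": link,
        "next_hop": cfg["gateway"],
        "src_before_snat": flow["src"],
        "src_after_snat": cfg["self_ip"],     # SNAT automap: self IP of the egress VLAN
    }


def new_pools():
    """Fresh pool objects; the round-robin credit state lives in each pool."""
    return {name: GatewayPool(members) for name, members in POOLS.items()}


if __name__ == "__main__":
    pools = new_pools()
    load = {"link1": 0, "link2": 0}                      # constructed: both links idle
    for port in (80, 25, 443, 443, 443):
        print(forward({"src": "192.168.1.10", "dst_port": port}, pools, load))
    print(forward({"src": "192.168.1.10", "dst_port": 80}, pools, load,
                  link_up={"link1": False, "link2": True}))
```

With both links idle the model gives link1 a weight of 100 and link2 a weight of 40, so the catch-all virtual sends five of every seven flows out link1. The port-80 virtual is pinned to gw_link1, so when link1's monitor fails those flows are dropped rather than rerouted: that is the trade-off of splitting traffic into single-gateway pools without a fallback (pool priority or an iRule).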
Inbound Traffic
• Inbound traffic is handled in the same manner as GTM (3-DNS)
– Recall the limitation that it can only hand out addresses that it hosts
• Requires DNS delegation
– At minimum, the LC must be authoritative for the domains that are load balanced/failed over
– It can take over the entire domain if desired
DNS Listeners
• A DNS listener is needed on each ISP network; use a floating address for a redundant pair
– For more than 2 ISPs, pick the 2 primary links, since a zone's delegation typically has only an ns1 and an ns2 record
• There is no v4 equivalent; UDP 53 must be allowed to the floating IPs on each ISP netblock
Inbound Pools and VIPS
• Inbound pools and VIPs are set up in nearly the same manner as on LTM, with 2 key differences:
– Pools will usually have only 1 member, which is the NAT address for the application on the firewall
– A virtual server is needed on each ISP's network, all pointing to the same pool
– These virtuals correspond to the DNS entries that the LC will give out to clients for a given domain
Typical Link Controller Deployment (diagram)
Link Configuration
• Define the links (one per ISP) and set up the relevant cost and/or bandwidth structure for each:
– Link capacity
– Price per MB (prepaid vs burst cost)
• Dynamic ratio uses these figures to determine load balancing
– They are not necessarily required to be real-world figures
WideIP Configuration
• The final step is the creation of WideIPs
– Domain name to virtual server mapping
– Only virtual servers hosted by the LC itself may be used
– There is no pools concept as on GTM
• ZoneRunner entries are created automatically
– NameSurfer in v4
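The inbound path covered by the "Inbound LC Transaction", "Inbound Traffic", "DNS Listeners", "Inbound Pools and VIPs" and "WideIP Configuration" slides (Quick Start steps 7 and 10 to 12), as an added model in Python. This is illustration written for this page, not F5 code: the WideIP table, the link-health flags, the TTL and link2's virtual server address are constructed (gnu.es.f5net.com and 10.1.10.100 on link1 come from the slides), and the answering rule, "authoritative only for names the LC hosts, and hand out only the virtual servers on links that are up", is the simplification modelled. The model builds and parses real DNS wire-format messages with the standard library so that the listener's behaviour can be checked byte for byte.

```python
"""Model of the Link Controller inbound (GTM-style) path.

Added illustration, not F5 code.  WideIP table, link state, TTL and the
link2 address are constructed; the answering rule is a simplification.
"""
import socket
import struct

# Constructed WideIP table: FQDN -> [(link, virtual server on that link)].
WIDEIPS = {
    "gnu.es.f5net.com": [("link1", "10.1.10.100"), ("link2", "10.2.10.100")],
}
LINK_UP = {"link1": True, "link2": True}   # constructed link-monitor state
TTL = 30                                   # assumed: short, so a failed link drops out quickly
NOERROR, REFUSED = 0, 5


def resolve(name, link_up=LINK_UP, wideips=WIDEIPS):
    """Return (rcode, [addresses]) the LC hands out for `name`.

    Names the LC does not host are refused: it has no off-box addresses,
    which is why there is no site-to-site failover answer.
    """
    key = name.rstrip(".").lower()
    if key not in wideips:
        return REFUSED, []
    return NOERROR, [ip for link, ip in wideips[key] if link_up.get(link, False)]


def encode_name(name):
    """DNS wire encoding: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed name at `off`; return (name, offset after it)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(name, qid=0x1234):
    """A client's A/IN query for `name` (RD flag set)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, link_up=LINK_UP, wideips=WIDEIPS):
    """Answer one A query as the LC listener would: QR and AA set, the
    question echoed, one A record per live link's virtual server."""
    qid, flags, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    name, off = decode_name(query, 12)
    qtype, _ = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    rcode, ips = resolve(name, link_up, wideips)
    if qtype != 1:                         # only A records are modelled
        ips = []
    header = struct.pack("!HHHHHH", qid, 0x8400 | (flags & 0x0100) | rcode, 1, len(ips), 0, 0)
    # Each answer: pointer to the question name (0xC00C), type A, class IN, TTL, 4-byte address.
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + question + answers


def parse_answers(resp):
    """Extract (rcode, [addresses]) from a response built by build_response."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    _, off = decode_name(resp, 12)
    off += 4                               # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, rtype, _, _, rdlen = struct.unpack("!HHHIH", resp[off:off + 12])
        off += 12
        if rtype == 1:
            ips.append(socket.inet_ntoa(resp[off:off + rdlen]))
        off += rdlen
    return flags & 0xF, ips


if __name__ == "__main__":
    for state in (LINK_UP, {"link1": False, "link2": True}):
        resp = build_response(build_query("gnu.es.f5net.com"), link_up=state)
        print(state, "->", parse_answers(resp))
    print("other.example ->", parse_answers(build_response(build_query("other.example"))))
```

With both links up the listener answers with both virtual servers; when link1's monitor fails only the link2 address is returned, which is the whole of LC's inbound failover. A name outside the WideIP table gets REFUSED rather than a referral, matching the limitation that the LC cannot resolve what it does not host. The real product applies the WideIP load-balancing method to choose among live virtual servers rather than returning all of them.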
Typical Link Controller Deployment (diagram)
Special Considerations
• IPsec (VPNs)
– The LC cannot terminate IPsec tunnels
– IPsec typically cannot survive a NAT
• Some IPsec clients cannot resolve by name
• Solution 1: Forward IPsec directly to the firewall or endpoint
– Requires a public IP block between the LC and the firewall
– Requires an IP forwarding virtual on the LC from external to internal
IPsec cont.
• Solution 2: Implement an IPsec solution that supports NAT traversal or "tunnel and transport mode"
– Uses the typical LC configuration (SNAT automap outbound and virtual -> pool inbound)
– Check Point and PIX definitely support this; others not verified
Typical Link Controller Deployment (diagram)
Special Considerations cont.
• L2 bridging not recommended
– Supposedly it can be configured on one link, with the outbound wildcard VIP bound to the internal child VLAN and doing SNAT automap
– Proceed at your own risk
• BIND vs ZoneRunner/NameSurfer
– The customer may choose to use BIND to manage zone files (particularly if the LC is taking over the entire domain)
– Typically, once done, this cannot be reverted
How do I manage BIND zone files?
BIND zone management is the same as on LTM: manual, and not supported.
ZoneRunner is NOT included in the LC software module.
One can configure BIND manually and maintain it through the CLI.
– Configuration of BIND via the CLI is not supported.
– We will patch named if a bug is found in the named code and a new version is available to address that bug.
The LC Link Object: Basic View
Link object functionality is the same as in 4.x; a link object consists of the following elements:
– Name: the link object's name
– Router Address: the address of the gateway router for that ISP link (the LC's next hop)
– Uplink Address: the router's IP address on the ISP-facing side
– Service Provider: descriptive field used for logical identification of that link's service provider
– Health Monitor: the bigip_link monitor is the recommended monitor for links
LC Objects
LC UI objects inherited from LTM are configured the same way they are configured on a standalone LTM product.
LC links are configured in the Network section of the UI, but the link objects are stored in the wideip.conf file.
– Links: Network->Links
GTM-inherited features are configured under the "Global Traffic" section of the UI.
– GTM Listeners: Global Traffic->Listeners
– WideIPs: Global Traffic->Inbound Link Traffic
– Topology: Global Traffic->Topology
Note: WideIP pools are not explicit objects in the UI. WideIP pools are created automatically by mcpd, and their object names match their WideIP's FQDN.
WideIP pools on a Link Controller
The WideIP pool objects are not visible via the UI on Link Controller.
If a problem exists with a WideIP pool, it will be necessary to edit the wideip.conf file from the command line.
WideIP pools get an object name that matches the WideIP's FQDN, so it is easy to determine which WideIP pool needs to be edited.
Example:
If an administrator attempts to create a WideIP from the UI and the creation fails due to a misconfiguration, the WideIP pool may still get written out to the wideip.conf file, but the admin will not be able to see this from the UI. Such orphaned pool objects are one source of the wideip.conf problems noted under Known Issues.
Known Issues (as of 9.2.3)
• Many hotfixes are available
• /config/gtm/wideip.conf seems susceptible to corruption in various ways
– IPs configured in the GUI and later removed are not always cleaned up properly; this can lead to odd behavior in the GUI
• ZoneRunner issues