
Page 1: F5  link controller

CONFIDENTIAL

Link Controller Team Training

Presented by: Denny Payne, Consultant

Link Controller Overview

Purpose: Link Controller is designed to provide load balancing and/or failover for multiple locally attached ISP links.

Hardware & Licensing: Sold on the 1500 and 3400 platforms, either standalone or as a module on top of LTM/GTM

The focus of this presentation is v9, but most concepts apply to v4 as well

Link Controller Advantages

• Advantages to the customer:
– Eliminates BGP requirements
– ISPs not required to coordinate
– New links can be added transparently
– GUI management of zone files: ZoneRunner (v9) or NameSurfer (v4)

• Advantages over the competition:
– Modular construction on TMOS
– iRules and health-checking capability

Link Controller Limitations

• A standalone LC is a hybrid of LTM (BIG-IP) and GTM (3-DNS) with a subset of each feature set

• No L7 iRules or health-checking functionality

• No advanced load balancing algorithms (observed/predictive)

• No ability to resolve IPs that it does not host (therefore no site-to-site failover or DR)

• Must be locally attached to public IP blocks
– Therefore, must sit outside the firewall, so its self IPs and DNS listeners are Internet-facing and must accept only what the design needs (DNS to the listeners, traffic from the ISP routers)
– May not be desirable to do an LC/LTM combo

Typical Link Controller Deployment

Deployment considerations

• LC's hybrid design can be summed up by noting:
– Outbound traffic is processed like LTM (BIG-IP)
– Inbound traffic is processed like GTM (3-DNS)

• Link Controller must be the default gateway for the firewall

LC Quick Start

1. Define VLANs
2. Define Self IPs
3. Create Gateway Pool
4. Create default route, referencing the Gateway pool
5. Define links
6. Define NTP server
7. Define Listeners for each link
8. Create outbound wildcard LB Virtual Server, referencing the gateway pool
9. Create outbound SNATs or SNAT pools for each egress VLAN
10. Create Local Traffic Pools
11. Create Local Traffic Virtual Servers for each link
12. Create a WideIP

Inbound LC Transaction

1. Internet client requests name resolution for gnu.es.f5net.com
2. Internet DNS servers tell the client that lc.es.f5net.com is the authoritative name server for the es.f5net.com zone
3. Client queries lc.es.f5net.com for name resolution of gnu.es.f5net.com
4. lc.es.f5net.com returns the IP address 10.1.10.100, the LTM virtual server on link1
5. The client sends its HTTP request to 10.1.10.100:80 and the LC processes the request as per the configuration of that LTM virtual server and its default pool

Outbound Traffic

Outbound traffic is handled in a manner similar to LTM server load balancing.

Create a pool containing each of the ISP router gateway addresses with service port “any”

Create a wildcard virtual server (0.0.0.0:0) using all protocols, enabled on the internal VLAN and point it to the previously created pool.

Enable SNAT automap for traffic arriving on the internal VLAN, so that connections leave with the self IP of the egress link as their source and the replies come back over the same ISP link

Outbound Traffic options

• If desired, more specific virtual servers may be used to split up traffic in different ways.

• Example: create 3 pools, one with both gateways, another with only gateway 1 and a third with only gateway 2. Then create 0.0.0.0:0 using pool 1, 0.0.0.0:80 using pool 2, and 0.0.0.0:25 using pool 3.

• This may be expanded upon with pool priority and/or iRules to produce the desired traffic flow.

• Allow the ANY IP protocol over SNAT so that ICMP (ping) works.
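Added example (not code from the deck or from F5): a Python model of the outbound path described on this slide and the previous one, built around the three wildcard virtuals and three pools from the example above. It assumes the virtual-server precedence the slide implies (at the same destination prefix a specific port beats port 0), models static ratio for gateway selection, and uses constructed documentation-range addresses and ratios; the VLAN check is what shows why the wildcard forwarder is enabled on the internal VLAN only.

```python
"""Added example, not F5 code: model of LC outbound processing as the slides
describe it: pick the most specific wildcard virtual for a flow, pick a
gateway from its pool by ratio, then SNAT the source to the egress self IP.
Addresses, ratios and the precedence rule are assumptions."""
import ipaddress
from itertools import cycle

# Constructed ISP gateways (documentation address ranges, assumed ratios).
GATEWAYS = {
    "gw1": {"router": "203.0.113.1", "self_ip": "203.0.113.10", "ratio": 3},
    "gw2": {"router": "198.51.100.1", "self_ip": "198.51.100.10", "ratio": 1},
}

# The three pools from the slide: both gateways, gateway 1 only, gateway 2 only.
POOLS = {"gateway_pool": ["gw1", "gw2"], "gw1_only": ["gw1"], "gw2_only": ["gw2"]}

# The three virtuals from the slide, all enabled on the internal VLAN only.
VIRTUALS = [
    {"name": "outbound_any", "dst": "0.0.0.0/0", "port": 0, "proto": "any",
     "vlans": {"internal"}, "pool": "gateway_pool"},
    {"name": "outbound_http", "dst": "0.0.0.0/0", "port": 80, "proto": "tcp",
     "vlans": {"internal"}, "pool": "gw1_only"},
    {"name": "outbound_smtp", "dst": "0.0.0.0/0", "port": 25, "proto": "tcp",
     "vlans": {"internal"}, "pool": "gw2_only"},
]


def match_virtual(flow, virtuals=VIRTUALS):
    """Return the most specific virtual that accepts the flow, or None.

    Precedence modelled (assumed, consistent with the slide): longest
    destination prefix first, then a specific port beats port 0 ("any").
    A virtual only matches on VLANs it is enabled on; that is what keeps a
    packet arriving on an ISP-facing VLAN from being forwarded by the
    internal wildcard virtual."""
    dst = ipaddress.ip_address(flow["dst"])
    candidates = []
    for v in virtuals:
        if flow["vlan"] not in v["vlans"]:
            continue
        if v["proto"] != "any" and v["proto"] != flow["proto"]:
            continue
        if v["port"] != 0 and v["port"] != flow.get("dport"):
            continue
        net = ipaddress.ip_network(v["dst"])
        if dst not in net:
            continue
        candidates.append((net.prefixlen, v["port"] != 0, v))
    if not candidates:
        return None
    return max(candidates, key=lambda c: (c[0], c[1]))[2]


class RatioRoundRobin:
    """Static-ratio round robin over a pool's gateways: a ratio-3 member is
    chosen three times for every choice of a ratio-1 member. The slides say
    dynamic ratio derives the weights from the link capacity and cost
    settings instead; that derivation is not modelled here."""

    def __init__(self, members):
        self._it = cycle([m for m in members for _ in range(GATEWAYS[m]["ratio"])])

    def pick(self):
        return next(self._it)


def new_schedulers():
    """One scheduler per pool, so each pool keeps its own round-robin state."""
    return {name: RatioRoundRobin(members) for name, members in POOLS.items()}


def route_outbound(flow, schedulers):
    """Full outbound decision for one flow: virtual -> gateway -> SNAT.
    Returns the chosen gateway router and the SNAT source (the self IP on
    that gateway's VLAN, as SNAT automap would pick), or None when no
    virtual accepts the flow."""
    v = match_virtual(flow)
    if v is None:
        return None
    gw = schedulers[v["pool"]].pick()
    return {"virtual": v["name"], "gateway": GATEWAYS[gw]["router"],
            "snat_src": GATEWAYS[gw]["self_ip"]}


if __name__ == "__main__":
    sched = new_schedulers()
    # Constructed flows: internal web, mail, DNS, ping, and a packet from outside.
    for f in [{"vlan": "internal", "proto": "tcp", "dst": "192.0.2.80", "dport": 80},
              {"vlan": "internal", "proto": "tcp", "dst": "192.0.2.25", "dport": 25},
              {"vlan": "internal", "proto": "udp", "dst": "192.0.2.53", "dport": 53},
              {"vlan": "internal", "proto": "icmp", "dst": "192.0.2.1"},
              {"vlan": "external", "proto": "tcp", "dst": "192.0.2.80", "dport": 80}]:
        print(f, "->", route_outbound(f, sched))
```

Running it prints one decision per constructed flow. The flow arriving on the external VLAN gets None, i.e. the LC does not forward it; that is the property worth confirming on a real unit with a packet sent from the ISP side before the box goes outside the firewall.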

Pool load balancing

Round robin and static ratio are available, but the typical setting will be dynamic ratio.

Dynamic ratio will use the link configuration settings (discussed in the next section) to make load balancing decisions.

Inbound Traffic

• Inbound traffic is handled in the same manner as GTM (3-DNS)
– Recall the limitation that it can only hand out addresses that it hosts

• Requires DNS delegation
– At minimum, LC must be authoritative for the domains that are load balanced/failed over
– Can take over the entire domain if desired

DNS Listeners

• Need a DNS listener on each ISP network; use a floating address for a redundant pair
– For more than 2 ISPs, pick the 2 primary links, since a delegation typically lists only ns1 and ns2 records

• No v4 equivalent; UDP 53 should be allowed to the floating IPs on each ISP netblock

Inbound Pools and VIPS

• Inbound pools and VIPs are set up in nearly the same manner as LTM, with 2 key differences
– Pools will usually only have 1 member, which is the NAT address for the application on the firewall
– Need a virtual server on each ISP's network that points to the same pool
– These virtuals correspond to the DNS entries that LC will give out to clients for a given domain

Link Configuration

• Define the links (one per ISP) and set up the relevant cost and/or bandwidth structure for each
– Link capacity
– Price per Mb (prepaid vs. burst cost)

• Dynamic ratio will use these figures to determine load balancing
– Not necessarily required to be real-world figures

WideIP Configuration

• Final step is creation of WideIPs
– Domain name to virtual server mapping
– Only allowed to use virtual servers that are hosted by the LC itself
– No pools concept as on GTM

• ZoneRunner entries created automatically
– NameSurfer in v4

Special Considerations

• IPSEC (VPNs)
– LC cannot terminate IPSEC tunnels
– IPSEC typically cannot survive a NAT (AH never does; ESP generally needs NAT traversal)
– Some IPSEC clients cannot resolve by name

• Solution 1: Forward IPSEC directly to the firewall or endpoint
– Requires a public IP block between LC and firewall
– Requires an IP forwarding virtual on LC from external to internal

IPSEC cont.

• Solution 2: Implement an IPSEC solution that supports NAT traversal or "tunnel and transport mode"
– Uses the typical LC configuration (SNAT automap outbound and virtual -> pool inbound)
– Check Point and PIX definitely support it; others not verified

Special Considerations cont.

• L2 bridging not recommended
– Supposedly can be configured on one link, with the outbound wildcard VIP bound to the internal child VLAN and doing SNAT automap
– Proceed at own risk

• BIND vs. ZoneRunner/NameSurfer
– Customer may choose to use BIND to manage zone files (particularly if LC is taking over the entire domain)
– Typically, once done, cannot be reverted

How do I manage BIND zone files?

BIND zone management is the same as in LTM, manual and not supported.

ZoneRunner is NOT included in the LC software module.

One can configure BIND manually and maintain it through the CLI.
– Configuration of BIND via the CLI is not supported.
– We will patch named if a bug is found in the named code and a new version is available to address that bug.

The LC Link Object: Basic View

Link object functionality is the same as in 4.x; a link object consists of the following elements:

– Name: Link object name

– Router Address: The address of the gateway router for that ISP link

– Uplink Address: The router’s IP address that connects to the ISP

– Service Provider: Descriptive field used for a logical identification of that link’s service provider

– Health Monitor: the bigip_link monitor is the recommended monitor for links

LC Objects

LC UI objects inherited from LTM are configured in the same way they are configured on an LTM standalone product.

LC Links are configured in the Network section of the UI, but the link objects are stored in the wideip.conf file.

– Links: Network->Links

GTM-inherited features are configured under the "Global Traffic" section of the UI.

– GTM Listeners: Global Traffic->Listeners
– WideIPs: Global Traffic->Inbound Link Traffic
– Topology: Global Traffic->Topology

Note: WideIP pools are not explicit objects in the UI. WideIP pools are automatically created by mcpd, and their object names match their WideIP's FQDN.

WideIP pools on a Link Controller

The WideIP pool objects are not visible via the UI on Link Controller.

If a problem exists with a WideIP pool it will be necessary to edit the wideip.conf file from the command line.

WideIP pools get an object name that matches the WideIP’s FQDN, thus it is easy to determine which WideIP pool will need to be edited.

Example:

If an administrator attempts to create a WideIP from the UI, and the creation action fails due to a misconfiguration, the WideIP pool may get written out to the wideip.conf file, but the admin will not be able to see this from the UI.
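Added example (not from the deck or from F5): a Python consistency check over a wideip.conf-style file that applies the rules from the WideIP Configuration and Inbound Pools and VIPs slides and catches the failure mode described on this slide, a pool left behind by a failed create. The brace layout and field names of the sample are an assumed simplification of the v9 format, not a verified grammar; the sample file, the set of local virtuals and the link count are constructed.

```python
"""Added example, not F5 code: consistency check for a wideip.conf-style file.
The brace layout and field names are an assumed simplification of the v9
format; adapt parse_blocks() to your own file before relying on it."""
from dataclasses import dataclass, field


@dataclass
class Block:
    kind: str                                  # e.g. "wideip" or "pool"
    attrs: list = field(default_factory=list)  # (key, value) pairs, in file order
    children: list = field(default_factory=list)

    def get(self, key):
        return next((v for k, v in self.attrs if k == key), None)


def parse_blocks(text):
    """Parse 'kind {' / '}' / 'key value' lines into nested Blocks (quotes dropped)."""
    root = Block("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            blk = Block(line[:-1].strip())
            stack[-1].children.append(blk)
            stack.append(blk)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1].attrs.append((key, value.strip().strip('"')))
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root.children


def check_wideip_conf(text, local_virtuals, link_count):
    """Apply the slides' rules and return a list of findings (empty = consistent):
    a WideIP needs a pool named after its FQDN; members must be virtuals hosted
    on this LC; one member per ISP network; an unreferenced pool is a leftover."""
    blocks = parse_blocks(text)
    pools = {b.get("name"): b for b in blocks if b.kind == "pool"}
    findings, referenced = [], set()
    for w in (b for b in blocks if b.kind == "wideip"):
        fqdn = w.get("name")
        refs = [c.get("name") for c in w.children if c.kind == "pool"]
        referenced.update(refs)
        if fqdn not in refs:
            findings.append(f"{fqdn}: no pool named after the WideIP FQDN")
        members = []
        for ref in refs:
            if ref in pools:
                members += [v for k, v in pools[ref].attrs if k == "member"]
            else:
                findings.append(f"{fqdn}: references missing pool {ref}")
        for m in members:
            if m not in local_virtuals:
                findings.append(f"{fqdn}: member {m} is not a virtual hosted on this LC")
        if len(members) < link_count:
            findings.append(f"{fqdn}: {len(members)} member(s) for {link_count} links; "
                            "expect one virtual on each ISP network")
    for name in pools:
        if name not in referenced:
            findings.append(f"orphan pool {name}: not referenced by any WideIP "
                            "(leftover from a failed create?)")
    return findings


# Constructed sample: one good WideIP, one broken WideIP, one orphan pool.
SAMPLE_CONF = """\
wideip {
   name "gnu.es.f5net.com"
   pool {
      name "gnu.es.f5net.com"
   }
}
pool {
   name "gnu.es.f5net.com"
   member 10.1.10.100:80
   member 10.2.10.100:80
}
wideip {
   name "vpn.es.f5net.com"
   pool {
      name "vpn.es.f5net.com"
   }
}
pool {
   name "vpn.es.f5net.com"
   member 10.1.10.50:443
}
pool {
   name "old.es.f5net.com"
   member 10.1.10.200:80
}
"""
# Constructed set of address:port pairs of virtuals actually defined on this LC.
LOCAL_VIRTUALS = {"10.1.10.100:80", "10.2.10.100:80", "10.1.10.200:80"}

if __name__ == "__main__":
    for finding in check_wideip_conf(SAMPLE_CONF, LOCAL_VIRTUALS, link_count=2):
        print(finding)
```

On a real unit, feed it the contents of /config/gtm/wideip.conf and the address:port pairs of the virtual servers defined on the LC, after checking the parser against the file's actual layout. An orphan-pool finding is exactly the case above: the GUI shows nothing, and the file has to be edited by hand.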

Known Issues (as of 9.2.3)

• Many hotfixes are available

• /config/gtm/wideip.conf seems susceptible to corruption in various ways
– IPs configured in the GUI and later removed are not always cleaned up properly. This can lead to odd behavior in the GUI.

• ZoneRunner issues
