BIG-IP notes

The document provides an overview of the F5 Big-IP load balancer, detailing its modules, deployment types, and configuration processes. It explains various features such as traffic management, load balancing algorithms, persistence methods, and the use of i-rules for traffic manipulation. Additionally, it covers the Access Policy Manager (APM) for remote access solutions and policy enforcement capabilities.

Uploaded by

siddheshwagal08

BIG-IP load balancer {F5}

We can use this as an ADC (application delivery controller).

Types of modules in F5
1. LTM:- Local traffic manager
2. GTM:- Global traffic manager
3. ASM:- Application security manager
4. APM:- Access policy manager

F5 works in L7/Application layer

Different models of F5
• 2000 series
• 4000 series
• 5000 series
• 7000 series
• 10000 series
• 11000 series
• VIPRION 4480
• VIPRION 4800

Advantages of F5 load balancer

• Scale the application infrastructure.
• Eliminate downtime.
• Improve application performance.
• Secure your application performance & data.
• Increase server capacity, bandwidth.
• Customize the delivery of the app for your needs.

Basic deployment of LTM

Types of plane
• Management plane
• Control plane

Important point
• TMM:- Traffic management microkernel; it is the heart of TMOS.

Full proxy:- two TCP handshakes are performed. One is between the client and the LB, and the second is between the LB and the pool member.
Basic prerequisite for understanding
• Node:- Server represented by the IP address of the device in a network.
• Pool member:- combination of node & service port.
• Pool:- Object that groups pool members together to receive and process network traffic by the specified LB algorithm.
• Server:- Associated with pool. Allows the BIG-IP system to send, receive, process & relay network traffic to the pool.

One-armed deployment

In this, the virtual server is on the same VLAN & subnet, and can use the server default route.

By default, destination NAT works in the LB. When the LB gets the packet from the client it sends it to the server, but the reply packet is sent directly to the router's gateway by the server {this is known as asymmetric routing}.

Two-armed deployment
In this topology, the server (virtual) is on a different VLAN from the pool members, which requires that the BIG-IP system route traffic between them.
Configuration
How to provide mgmt IP to F5
1. Log in to the command line interface (CLI) of the system using an account with admin access.
   When you log in to the system, you are in user (operational) mode.
2. Change to config mode.

   config

   The CLI prompt changes to include (config).
3. Configure the management IP address.

   system mgmt-ip config [ipv4|ipv6] system address <ip-address>

4. Configure the default gateway, if not using DHCP.

   system mgmt-ip config [ipv4|ipv6] gateway <gateway-ip>

5. Commit the configuration changes.

   commit

Licensing the BIG-IP system

Navigate to system utility > Licence > click the activate tab >> done

How to activate module
Navigate to system utility > resource provisioning.
• Provisioning has three parts: dedicated, nominal, minimum.

Types of provisioning
• Dedicated:- it is selected when we are sure that the LB is going to use only one module throughout.
• Nominal:- it is suggested by F5 for production; the least amount of resources required for the module is provided.
• Minimum:- it provides fixed resources for the module to run.

Networking for F5
No. of interfaces required:-
• MGMT interface
• Internal interface
• External interface
• High availability

Process of network configuration

Navigate to network > Interface >
• 1.1 (internal)
• 1.2 (external)
• 1.3 (high availability)

VLAN:-
Tagged:- more than one VLAN from an interface.
Untagged:- one VLAN, one interface.

Self IP:- IP on interface.

Step-wise configuration

• Local traffic
  i. Node:- add server.
  ii. Pool member:- create pool and add node list.
  iii. Virtual server:- add VIP and provide pool to it.

Types of virtual server:-

• Standard
• Forwarding (L2)
• Forwarding (IP)
• Performance (L4)
• Stateless
• Reject
• DHCP
• Internal
• Message Routing

Standard with TCP profile
(1) Used when F5 is to work on L4 packets.
(2) We can't feed HTTP packets in this (when working in L4).
(3) As HTTP is not present, we can't do compression.

Forwarding (L2)
• It does not do load balancing.
• No pool member.
• F5 works in inline mode.
• Does only switching.
• It does not work in full proxy.

Forwarding (IP)
• It does not do load balancing.
• No pool member.
• Only does routing.
• It does not work in full proxy.
• Does not capture any packet.

Performance (L4) profile
• It uses a dedicated chip present in F5: the PVA (packet velocity acceleration) chip.
• It increases the speed at which the virtual server processes traffic.
• It does not work in full proxy.

Stateless
• A stateless virtual server accepts traffic that matches the virtual server's address and manages load, sending the packet to the pool members without attempting to match the packet to a pre-existing connection in the connection table.

Reject
• Rejects the client's request.

Types of persistence & how to configure it

• Cookie persistence
  (a) Insert:- LTM inserts a special cookie.
  (b) Rewrite:- Web server creates a blank cookie, LTM rewrites it.
  (c) Passive:- Web server creates a special cookie, LTM doesn't change it.

• SSL persistence
  i) Based on SSL session ID.
  ii) Remains constant when the client IP address changes.
  iii) Persistence is lost if the browser changes the SSL session ID.

• SIP (Session Initiation Protocol)
  i) Supports Call-ID persistence from proxy servers that support SIP.
  ii) Mostly used in telephony & multimedia.

• Destination address persistence
  i) Traffic load-balanced across multiple ISPs.
  ii) Client source address varies with ISP's choice; traffic LB across multiple caches.
  iii) Cache is separated by destination.

Configuration of persistence:-
• Navigate to local traffic > profile > persistence > create a new persistence (or use default).
• Navigate to virtual server > resources > default persistence profile.
• Update.

Introduction to iRules
• iRules are simple programs.
• They extend BIG-IP with functionality that is not built into F5.
• They allow the inspection & modification of traffic & BIG-IP behaviour.
• An iRule helps to intercept, inspect, direct & redirect traffic according to the behaviour of the application.

Common tasks done by iRules
i) Block specific clients.
ii) Redirect client to a different site.
iii) Turn SNAT on or off for specific clients.
iv) Inspect and modify server responses.
v) Select a different pool based upon the client request.
vi) Generate HTTP responses without using a pool member.

When the desired function is a feature built into BIG-IP software, an iRule should not be applied.

To access iRules
• Navigate to local traffic
• Then click iRule editor
• To apply iRule in a virtual server

Important to know about iRules

(a) An iRule does nothing if not exposed to traffic.
(b) In most cases iRules are attached to a virtual server.
(c) This is done on the "Resources" tab when viewing the virtual server configuration.

iRules are event driven

Types of event
• CLIENT_ACCEPTED
• HTTP_REQUEST
• LB_SELECTED
• LB_FAILED
• SERVER_CONNECTED
• HTTP_RESPONSE
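
The event-driven model and several of the common tasks listed above, combined in one iRule. This is an added example, not part of the original notes: the data group blocked_clients_dg, the pools pool_api and pool_web, the paths and the host new.example.com are hypothetical, and the virtual server is assumed to have an HTTP profile attached.

```tcl
# Added example (not from the original notes). Assumed objects:
#   blocked_clients_dg  address-type data group of client IPs/subnets to refuse
#   pool_api, pool_web  existing pools
# The virtual server needs an HTTP profile for the HTTP_* events to fire.

when CLIENT_ACCEPTED {
    # Task i: block specific clients before any HTTP parsing happens.
    if { [class match [IP::client_addr] equals blocked_clients_dg] } {
        log local0. "iRule block: [IP::client_addr]"
        reject
        return
    }
}

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/status" {
            # Task vi: answer directly, no pool member is contacted.
            HTTP::respond 200 content "OK" "Content-Type" "text/plain"
        }
        "/old/*" {
            # Task ii: redirect the client to a different site.
            HTTP::redirect "https://new.example.com/"
        }
        "/api/*" {
            # Task v: select a different pool based on the request.
            pool pool_api
        }
        default {
            pool pool_web
        }
    }
}

when LB_FAILED {
    # No pool member could be selected or reached: answer with a 503
    # instead of a reset, and leave a log line for operations.
    log local0. "LB_FAILED for [IP::client_addr]"
    HTTP::respond 503 content "Service unavailable" "Retry-After" "30"
}

when HTTP_RESPONSE {
    # Task iv: inspect and modify the server response (drop banner headers).
    HTTP::header remove "Server"
    HTTP::header remove "X-Powered-By"
}
```

The rule only takes effect once it is attached to a virtual server on the Resources tab, as noted above.
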
Types of load balancing algorithm

Mostly round robin is used.

APM {Access Policy Manager}

It provides:-

• Remote access solution
  (a) Network access: SSL VPN.
  (b) Portal access: reverse proxy web application.
  (c) Application tunnel: single application tunnel including remote desktop.

• Policy enforcement point
  (a) Authentication and authorization.
  (b) Endpoint inspection.
  (c) Access control lists.
  (d) Dynamic resource assignment (per-user or group basis).
  (e) Single sign-on (including Kerberos, SAML, OAuth).

Event to understand APM
• Challenge
  (a) Company hosts a webpage for customers and employees in the data centre.
  (b) Company wants to add authentication to see whoever is using it.
• Solution
  (a) Company provisions APM on the LTM application delivery controller {ADC}.
  (b) Creates an access policy that prompts the user for their credentials and checks them against the Active Directory domain controller.

How to configure this:-
• Navigate to access >> authentication >> active directory.
• Click create.
• Add a name for the AAA server.
• Specify the AD domain name.
• Don't specify a pool of servers.
• Finish.

Now we have to create an access profile
• Navigate to access >> profile >> access profile (per-session policies).
• Add a name for the access profile.
• Select all languages.
• Select all to work with any profile.
• Finish.

Remember there is a one-to-one correlation between access profile & access policy.
• Click the edit link.

It will redirect to another page.
