F5 Balanceo para equipos (Balanceador para equipos de red: load balancer for network equipment), Lecture notes of Culture and Globalization

Typology: Lecture notes, 2016/2017
Uploaded on 03/31/2017 by robert-manuel-soto

An Introduction to the F5 Networks HMS v11
First Edition
© Steven Iveson 2012 - 2013



Table of Contents

  • Preface
    • About The Author
    • Acknowledgements
    • Feedback
    • Disclaimers
  • Introduction
    • The Book Series
    • Who is This Book For?
    • Why Write This Book?
    • How This Book is Organised
    • What Is an Application Delivery Controller (ADC)?
  • The Host Management Subsystem (HMS)
    • Serial Console
    • Management Network Interface
      • MDI/MDIX Support
      • Routing
    • HMS Access Methods
    • Default User Accounts
    • tmsh
      • Command Set
      • Modules & Module Navigation
    • Advanced Shell
    • Appliance Mode
    • Why Use the CLI?
    • GUI Configuration Utility
    • Why Use the GUI?
    • Dashboard
    • Module Statistics
      • Traffic Summary Statistics
      • Local Traffic Statistics
    • Network Statistics
    • Memory Statistics
    • Performance Statistics
    • Disk Management
      • Logical Volume Management (LVM)
      • Software & Hotfix Images
      • RAID
      • diskinit
      • image2disk
    • Multiboot
    • Object Names
    • Configuration Files
    • Configuration Changes
    • Configuration Load Issues
    • Simple Network Management Protocol (SNMP)
    • Local Host File
    • Domain Name System (DNS)
    • Network Time Protocol (NTP)
    • HMS Logging
    • Viewing Logs
    • Routing
    • Simple Mail Transport Protocol (SMTP) eMail
    • Security Features
      • Appliance Mode
      • Disabling Root Account Access
      • Management Interface Source IP Address Restrictions
      • Global SSH Access
      • Management Interface Login Logging
      • Configuration Utility Banners & Login Prompts
      • SSH Banners & Login Prompts
      • Configuration Utility Idle Time
      • SSH Idle Time
      • Configuration Utility Maximum HTTP Connections
      • User Roles
      • Local Password Policy
      • Remote User Authentication (AAA)
  • Advanced Shell Commands
    • Config
    • Bigtop
    • Bigstart
    • OpenSSL
    • Grep
    • Switchboot
    • tclsh
    • zebos
    • Integrated Management Interface (IMI) Shell (IMISH)
    • rdexec
    • rdsh
    • tcpdump
    • ssldump
    • curl
    • ifconfig
    • route
    • cpcfg
    • dig

Preface

About The Author

Steven Iveson, a child of the seventies born in London, lives in a small town in East Yorkshire in the north east of England with his wife Sam and their four children. He’s worked in the IT industry for over 15 years in a variety of roles for companies and clients including BP, BT, EDS, UBS, Fuji Bank, Reuters and Lloyds Banking Group.

Steve first encountered a BIG-IP Controller in 2004 and has been working with TMOS and LTM since 2005, predominantly in financial services and internet facing environments.

Steve’s iRules have been featured in a DevCentral 20 Lines or Less article, he’s made over 2000 posts on the DevCentral forums and he’s been F5 certified since 2010.

Acknowledgements

Most of the information found in this book is available elsewhere; I’ve mostly just searched for it, gathered it up, put the pieces together and presented it in what I hope is a useful format and organised structure. That being the case, I’m keen to acknowledge those that have produced the materials which have formed the basis of this book.

Thanks to the many who’ve taken the time to contribute to DevCentral (DC) to inform, educate and assist others, myself included.

A special mention to the following F5 staff members and DC contributors: Colin Walker, an iRules guru, Joe Pruitt (username: Joe) who created DevCentral and now manages F5’s Facebook pages amongst other things, Aaron Hooley (username: hoolio) who’s made over 12 thousand posts on DC and Nitass Sutaveephamochanon (username: nitass).

Thanks to Paul Cantle and ProCloudHost for hosting my test environment: http://www.procloudhost.net/.

And finally, thanks to Jakub Steiner (aka Jimmac) who designed and created the icon used on the front cover of this book.

Feedback

Feedback, comments and corrections are more than welcome at: f5books@iveson.eu.

Or you can join this book’s Linkedin group by searching Linkedin for: ‘All Things F5’.

Introduction

The Book Series

This is a sample chapter from the second book in a planned series covering the complete range of LTM features and concepts, core TMOS technologies and relevant fundamental topic areas. The others (in an unconfirmed order of likely publication) are:

  • An Introduction to F5 Networks LTM iRules (published)
  • An Introduction to F5 Networks, BIG-IP, TMOS and LTM v11 – Available April 2013
  • F5 Networks BIG-IP Application, Protocol and Networking Fundamentals
  • F5 Networks LTM iRules in Detail
  • F5 Networks BIG-IP Administrator (System, Network and Basic LTM Configuration)
  • F5 Networks BIG-IP Application Firewall Manager
  • F5 Networks BIG-IP LTM Design
  • F5 Networks BIG-IP LTM Advanced Configuration
  • F5 Networks BIG-IP & TMOS v11 Security
  • F5 Networks BIG-IP & TMOS v11 Operations & Troubleshooting

Who is This Book For?

The book this chapter is taken from is a detailed feature reference and guide to BIG-IP, TMOS and LTM v11; it also serves as an introduction and guide to ADC technology in general and also F5 Networks the company and its product range.

Those looking for a concise and complete, bias-free overview and explanation of available BIG-IP hardware, TMOS and LTM features and protocol support will find everything they need within the full book.

Those evaluating or considering LTM’s use, the use of any ADC, or wishing to compare LTM to other vendors’ products will find the full book an invaluable time saver.

As the BIG-IP hardware and operating system (TMOS) are the foundation upon which LTM and many other modules are built, a great deal of the full book's content will also be useful to those interested in other TMOS modules.

In addition, those studying for the Application Delivery Fundamentals exam will find a great deal of F5-specific exam blueprint topics covered.

Why Write This Book?

So, why write this book and the others in the series? Well, simply put, despite the market share, success and popularity of F5's products, there are no other books available. There are reasons for this: the F5 Networks documentation and manuals are of a very high quality and the DevCentral community and Ask F5 support sites are unusually helpful and useful.

Have I just explained why this book is irrelevant? No, here's why a book is needed:

  • The manuals are not available in printed, ePub or Kindle formats as this book is.
  • BIG-IP, TMOS, Linux and LTM are all complex products and the manuals generally don't provide any context around how these interact and operate.
  • F5 Networks' products are very different to those of other networking vendors; this book should help reduce the steep learning curve those new to F5 normally face.
  • There's very little 'unofficial' F5 Networks information available outside of company approved and controlled sites.
  • There are a multitude of TMOS and LTM manuals, blog posts, web pages and wikis in a variety of formats, totalling many thousands of pages; this book and the others in the series 'bring it all together' into a single place and trim the fat.
  • F5 Networks marketing and feature data can be confusing and is quite dispersed; again, this book brings it all together and provides many cross references.
  • This book provides generic information on the features, uses and benefits of application delivery controller (ADC) and application delivery networking (ADN) technology in general.
  • The context sensitive help within the TMOS GUI rarely provides the level of detail required to be useful.

How This Book is Organised

  • This chapter, Chapter 1 – Introduction, provides some background on load balancing and Application Delivery Controller technologies.
  • Chapter 2 – The Host Management Subsystem offers information on the management and administration features available within TMOS and accessed through the HMS.
  • Chapter 3 – Advanced Shell Commands details usage and syntax for a number of the most commonly used and most useful Linux commands available in the HMS Advanced Shell.

The full book features the following additional chapters as well as expanded versions of the ones in this book:

  • BIG-IP describes the BIG-IP hardware, its components and capabilities as well as the Virtual Edition and also explores purchasing, sizing and physical vs. virtual considerations.
  • Traffic Management Operating System steps through the TMOS software components and interfaces.
  • The Traffic Management Microkernel moves on to detailed information on the features and capabilities of TMOS’s core software. Targeted functional round ups are

Just so you fully understand the TCP/IP implications, it is worth noting that when load balancing at layer three (network) or above:

  • NAT of the destination IP address occurs when the inbound traffic is sent to a real server host. In reality, as the load balancer is acting as a proxy, it’s not actually NAT; the inbound connection is terminated and a new outbound one created with a different destination IP address. Of course it’s far easier to think of it as NAT.
  • Translation of the destination TCP or UDP port occurs when the inbound traffic is sent to a real server host (if the Virtual Server and real server listening ports are different). As with NAT, port translation isn’t really occurring but it’s probably easier to think of it like that.
  • NAT of the source IP address occurs when the outbound traffic is sent back to the client (this is the reverse of the inbound NAT).
  • Translation of the source TCP or UDP port occurs when the outbound traffic is sent back to the client (if the Virtual Server and real server listening ports are different); this is the reverse of the inbound port translation.
  • This all occurs transparently to the connecting client host.
  • This ‘NATting’ does not need to be configured; it is automatic, even where the Virtual Address is IPv6 and the real servers use IPv4.

This full proxy functionality provides a method of implementing abstraction, intelligent traffic handling, acceleration and optimisation and modification and control of (mostly) TCP/IP transported network and application traffic between hosts. Those hosts don't actually have to be clients and servers, in the physical sense; they can be routers or any other kind of device.

Although originally created and still frequently implemented with client/server HTTP traffic and performance in mind, an ADC can be used with almost any form of TCP/IP-based protocol and/or application communications and with any host with a TCP/IP stack.

Keep in mind that from a TCP/IP perspective, when operating in full-proxy mode, a load balancer/ADC is an endpoint in communications (unlike a router for instance). It plays the role of server to the connecting client (it terminates the client’s connection) and client to the real servers (it initiates a connection).
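The two-connection behaviour described above is easy to observe on a single machine. The following is an added example written for this page, not code from the book or from F5: a tiny full proxy on loopback that terminates the client’s TCP connection, opens a separate connection to a “real server” on a different port, and relays the request and reply. The function names, the `echo:` reply and the use of ephemeral loopback ports are all constructed for the demonstration; what it shows is that the real server sees the proxy’s own address and port as its peer (the apparent source NAT), while the client only ever sees the virtual server.

```python
"""Full-proxy model: the load balancer is an endpoint, not a router.

Added example, not from the book. A "virtual server" on 127.0.0.1 terminates
the client's TCP connection and opens a *separate* TCP connection to a "real
server" on a different port, then relays request and reply. The real server
therefore sees the proxy's address and ephemeral port as its peer (what the
text calls source NAT), and the client only ever talks to the virtual server.
All addresses are loopback so the demo runs offline.
"""
import socket
import threading

# Give every socket (including accepted ones) a timeout so a bug cannot hang.
socket.setdefaulttimeout(5.0)


def real_server_once(listener, seen_peers):
    """Pool member: accept one connection, record the peer, echo the data."""
    conn, peer = listener.accept()
    with conn:
        data = conn.recv(1024)
        seen_peers.append(peer)
        conn.sendall(b"echo:" + data)


def virtual_server_once(listener, pool_member, flows):
    """Full proxy: accept the client, then open a new connection to the pool member."""
    client_conn, client_peer = listener.accept()
    with client_conn:
        request = client_conn.recv(1024)
        # Second, independent TCP connection. The destination becomes the pool
        # member's IP:port and the source is an ephemeral port owned by the
        # proxy: this is what looks like destination NAT plus port translation.
        with socket.create_connection(pool_member) as server_conn:
            flows.append({
                "client_side": (client_peer, client_conn.getsockname()),
                "server_side": (server_conn.getsockname(), server_conn.getpeername()),
            })
            server_conn.sendall(request)
            reply = server_conn.recv(1024)
        # The reply goes back over the original client connection, so the
        # client sees the virtual server's address as the source (reverse NAT).
        client_conn.sendall(reply)


def run_demo():
    """Run client -> virtual server -> real server once; report what each side saw."""
    real = socket.socket()
    real.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    real.listen(1)
    pool_member = real.getsockname()

    vs = socket.socket()
    vs.bind(("127.0.0.1", 0))
    vs.listen(1)
    virtual_server = vs.getsockname()

    seen_by_server, flows = [], []
    t_real = threading.Thread(target=real_server_once, args=(real, seen_by_server))
    t_vs = threading.Thread(target=virtual_server_once, args=(vs, pool_member, flows))
    t_real.start()
    t_vs.start()

    with socket.create_connection(virtual_server) as client:
        client.sendall(b"hello")
        reply = client.recv(1024)
        client_peer = client.getpeername()

    t_real.join()
    t_vs.join()
    real.close()
    vs.close()

    proxy_source = flows[0]["server_side"][0]
    return {
        "reply": reply,
        "client_peer_is_virtual_server": client_peer == virtual_server,
        "server_peer_is_proxy": seen_by_server[0] == proxy_source,
        "ports_translated": pool_member[1] != virtual_server[1],
        "flows": flows[0],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it prints the two 4-tuples side by side: the client-side flow (client ephemeral port to virtual server port) and the server-side flow (proxy ephemeral port to pool member port) share no addresses or ports, which is why no NAT rule has to be configured and why the real server’s logs show the load balancer, not the client, as the connecting host.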

Less intelligent and flexible packet-based (not full-proxy based, often referred to as half-proxy) transparent layer four and even layer two load balancing is also available. This is modelled on the architecture of older, earlier generation load balancers, which might not sound attractive (and layer 4 load balancing is now a commodity) but still offers superior performance. The load balancer is not acting as an endpoint when operating in this mode; it’s operating more like a router with some extra bells and whistles. Operations could include NAT, PAT, connection and TCP/IP header modification, connection reuse and perhaps even simple data rewriting.

You might also like to know that prior to the introduction of load balancers; server or application load balancing was generally achieved through DNS round robin and/or application specific software load balancing.

Returning to the more advanced ADC features, there are a few terms used frequently in this book and commonly within the ADC arena that are worth describing in more detail:

  • Acceleration: this term is (and has been historically) used to describe any number of functions used to improve real server, network and application performance. Now that the term Optimisation is also prevalent, it’s worth noting that generally, Acceleration features are not solely client focussed and are unaware of the connecting client device type (mobile phone, PC, tablet etc.) even if aware of the client’s protocol level capabilities (TCP stack, browser type etc.). Also, application content itself is not modified significantly, with the obvious exception of compression. LTM related Acceleration features would include HTTP compression, basic caching, TCP enhancements and multiplexing, QoS, load balancing itself and SSL offload. Some of the WebAccelerator (WA) module’s features, global server load balancing (GSLB) and data deduplication are also examples of acceleration.
  • Asymmetric Acceleration: acceleration is transparently provided by only one of the two parties, or hosts, involved in a particular communication (a connection, a session, whatever). In our context, this is the ADC/load balancer, but in others it could involve use of a WAN Optimisation device. No special software is required on the client, which is effectively unaware of the acceleration. Asymmetric Acceleration is typically cheaper than Symmetric Acceleration as only a single device (or HA Pair) needs to be purchased.
  • Symmetric Acceleration: acceleration is provided (transparently or not) by both parties, or hosts, involved in a particular communication. Those two parties would typically either be two devices, one at either end of a WAN link, or an ADC and a client host with acceleration software installed. In the first case, no special software is required on the client hosts using the WAN; the acceleration is transparent. In the second, the client is actively aware of and participating in Acceleration. Symmetric Acceleration is typically more expensive than Asymmetric Acceleration as either two

feature set will continue this trend and strengthen the ADCs position and value in the network.

As the market and devices have matured over time, increasing and more sophisticated and complex use of the ability to manipulate traffic at the ADC has developed. These features and their uses and benefits are explained in more detail in the following chapters of the book.

The Host Management Subsystem (HMS)

The HMS and Traffic Management Microkernel are pretty tightly coupled and it’s not always easy to distinguish between the two. As the HMS is all about management and TMM network and application traffic management, I’ve used that to divide the two and this chapter will focus entirely on the management and administration features available within TMOS and accessed through the HMS. Note that some of these features may rely on TMM functions and services in order to operate.

Note that the HMS dedicated network interface has a TMM independent routing table using eth0. Also note that Network Failover relies on the HMS network interface and IP address and therefore changes to the management address may cause HA failures unless planned for.

Serial Console

Unlike most network devices, the serial console is configured with a baud rate of 19200 by default. Other settings are the standard VT100/8-N-1.

Once connected you can use the serial console to access the Advanced Shell (if available), tmsh, AOM, MOS and EUD as appropriate. Further information on the commands available to you can be found in the following sections.

Management Network Interface

This dedicated network interface is designed to provide an out of band management interface to the AOM and HMS. Its IP address can be configured in a number of ways:

  • Using the LCD panel on physical BIG-IP application switches (Press: X > System > Management)
  • Using the Advanced Shell config command (via Serial Console or SSH)
  • Using tmsh (via Serial Console or SSH)
  • Using the Configuration Utility

Management interface configuration is stored in the /config/bigip_base.conf file.

You should note that until v11.3 most security functions such as Packet Filters cannot be applied to the management interface. Because of this, if the management interface cannot be connected to a secure, trusted network, in-band management via TMM switch interfaces should be used instead.

DHCP address assignment is supported but be aware that IP address changes can cause configuration load issues (fixed by manually editing the /config/bigip_base.conf file and updating the IP address).
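Because the management interface carries no packet filtering before v11.3, the placement of its address is worth checking mechanically rather than by eye. The following is an added example written for this page, not code from the book or from F5: it reads the management address and default management route out of a copy of /config/bigip_base.conf, flags an address outside an allow-list of trusted management subnets, a public address, and a gateway that no longer sits on the management subnet (the symptom left behind when a DHCP lease changes the address but the route is stale). The sample configuration text is constructed, and the `sys management-ip` / `sys management-route` stanza syntax, the regular expressions and the allow-list are assumptions for the example.

```python
"""Audit the management address recorded in /config/bigip_base.conf.

Added example, not from the book. Stanza syntax (`sys management-ip` and
`sys management-route default { gateway ... }`) is assumed; only those two
stanzas are read and everything else in the file is ignored.
"""
import ipaddress
import re

# Constructed sample of the two management-related stanzas (not a real export).
SAMPLE_BASE_CONF = """\
sys management-ip 192.168.1.245/24 { }
sys management-route default {
    gateway 192.168.1.1
}
net self 10.0.0.5 { address 10.0.0.5/24 vlan internal }
"""

# Assumed allow-list: the networks management traffic is permitted to live on.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]

MGMT_IP_RE = re.compile(r"^\s*sys management-ip\s+(\S+)", re.M)
MGMT_GW_RE = re.compile(r"sys management-route default\s*\{[^}]*?gateway\s+(\S+)", re.S)


def parse_management(conf_text):
    """Return (list of management interfaces with prefix, default gateway or None)."""
    ifaces = [ipaddress.ip_interface(a) for a in MGMT_IP_RE.findall(conf_text)]
    match = MGMT_GW_RE.search(conf_text)
    gateway = ipaddress.ip_address(match.group(1)) if match else None
    return ifaces, gateway


def audit_management(conf_text, trusted_nets=TRUSTED_MGMT_NETS):
    """Return {"status": "ok"|"review", "findings": [...]} for the given config text."""
    ifaces, gateway = parse_management(conf_text)
    findings = []
    if not ifaces:
        findings.append("no management-ip stanza found (DHCP assigned or not yet configured)")
    for iface in ifaces:
        if not any(iface.ip in net for net in trusted_nets):
            findings.append(f"{iface} is outside the trusted management networks")
        if not iface.ip.is_private:
            findings.append(f"{iface} is a public address; no packet filtering on management before v11.3")
        if gateway is not None and gateway not in iface.network:
            findings.append(f"gateway {gateway} is not on {iface.network}; stale route after an address change?")
    return {"status": "ok" if not findings else "review", "findings": findings}


if __name__ == "__main__":
    for line in audit_management(SAMPLE_BASE_CONF)["findings"] or ["management configuration looks consistent"]:
        print(line)
```

Feed it the file copied off the device (SCP works where Advanced Shell access is available, as the HMS Access Methods section notes); anything other than an empty findings list means the address or route should be reviewed before relying on the out of band interface.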

HMS Access Methods

You can access the HMS and other related TMOS operating systems in a wide variety of ways, some of which we’ve already covered. Here’s the complete rundown:

  • Serial Console: Advanced Shell, tmsh, AOM, MOS and EUD
  • Management Network Interface – SSH: Advanced Shell, tmsh and AOM
  • TMM Switch Interface/Self IP – SSH: Advanced Shell and tmsh
  • Management Network Interface – SCP/SFTP: can be used to transfer files if Advanced Shell access is available
  • TMM Switch Interface/Self IP – SCP/SFTP: can be used to transfer files if Advanced Shell access is available
  • Management Network Interface – HTTPS: Configuration Utility
  • TMM Switch Interface/Self IP – HTTPS: Configuration Utility

Default User Accounts

All BIG-IP systems have two default local user accounts:

  • admin (password: admin) – this account does not have tmsh or Advanced Shell access by default
  • root (password: default)

You’re prompted to change both accounts’ passwords during initial system setup.

Use of the root account can be completely disabled.

Menu path to change the password for these accounts: System > Platform

tmsh command path: [tmsh] modify auth password ‘username’

tmsh

tmsh (Traffic Management SHell) is the F5 Networks specific interactive CLI shell and command set available through the HMS; it is used to manage, monitor and control all aspects of TMOS and TMOS based system modules such as LTM. tmsh is powerful, scriptable, utilises variables and is highly structured and hierarchical. You won’t find years of bloat, legacy and tradition incorporated into tmsh; it was designed from the ground up for the modern networking and application delivery world.

Introduced with TMOS v10, tmsh was designed to replace the legacy bigpipe shell and command set, which was removed in v11. Tmsh scripts are based on TCL (as are iRules).

Terminal (SSH and serial console) access to tmsh for all users except root is disabled by default. If Appliance Mode (described shortly) is enabled, the root user cannot log in by any means and access to the Advanced Shell (described next) instead of tmsh is not available for any user.

You can identify when you’re in tmsh as the command prompt (by default at least) ends with (tmos)#, but be aware this can be changed.

Context aware command descriptions are available in the common fashion, by entering a ? character, and full command help (in the form of man pages) is obtained using the help command. Help page searching is also available.

Command and object name completion using [TAB], regular expression and glob based wildcard search, configurable units of display for statistics, single-line multiple command entry (separate with a ‘;’), context sensitive help, command entry auditing (logging), command history, command abbreviations, keyboard shortcuts, user defined command aliases and grep output filtering are all supported.

Service Port display format, hostname lookup, prompt display, command history size and a host of other parameters and preferences can be configured to your taste.

Modules must be provisioned before you can use tmsh to configure them, however, you can provision modules using tmsh.

The tmsh prompt changes based on a device’s operational, HA and ConfigSync status (if relevant), but note that this is configurable. Possible prompt status displays may include:

  • INOPERATIVE: the device has not loaded its configuration (yet)
  • LICENSE EXPIRED: the device’s license has expired
  • Online: the device is operating normally
  • Offline: the device has been forced offline or has not yet fully booted
  • Active: the device is the active unit
  • Standby: the device is the standby unit
  • Standalone: the device is the only unit; no HA is configured

Use the quit command to exit tmsh.

Use the modify /cli preference tcl-syntax-highlighting enabled command to enable TCL syntax highlighting when editing iRules or iApps templates.

Default configuration settings are not shown with the list command unless you specify the all-properties parameter.

There is no telnet command available in tmsh, which some consider a major omission as it’s very useful for connectivity testing. However, there are two alternative commands that can be used instead, as follows:

  • [tmsh] run util traceroute -T -p nn (-T specifies TCP, -p nn specifies the port number)