
F5 Networks Training

BIG-IP LTM V10 Essentials

Web-Based Training Lab Guide

12 / 17 / 2010

BIG-IP LTM Essentials Web-Based Training Lab Guide 2010 F5 Networks, Inc.


Preface

BIG-IP LTM V10 Essentials


Web-based Training Student Lab Guide
Third Printing December 2010
This Lab Guide was written for BIG-IP LTM version 10.2.0. The lecture portions of the LTM Essentials web-based training
were written for version 10.0.1. Because F5 feels it is important to perform the hands-on labs on a current version of
BIG-IP, the Lab Guide is updated more frequently than the lecture portions. Most of the concepts discussed in the lecture
portion and lab steps in the lab guide apply to previous versions of BIG-IP LTM.
2010, F5 Networks, Inc. All rights reserved.

Support and Contact Information


Obtaining Technical Support
    Web:                     tech.f5.com (Ask F5)
    Phone:                   (206) 272-6888
    Email (support issues):  support@f5.com
    Email (suggestions):     feedback@f5.com

Contacting F5 Networks
    Web:    www.f5.com
    Email:  sales@f5.com & info@f5.com

F5 Networks, Inc.
    Corporate Office
    401 Elliott Avenue West
    Seattle, Washington 98119
    T (888) 88BIG-IP
    T (206) 272-5555
    F (206) 272-5557
    Training@f5.com

F5 Networks, Ltd.
    United Kingdom
    Chertsey Gate West
    Chertsey Surrey KT16 8AP
    United Kingdom
    T (44) 0 1932 582-000
    F (44) 0 1932 582-001
    EMEATraining@f5.com

F5 Networks, Inc.
    Asia Pacific
    5 Temasek Boulevard
    #08-01/02 Suntec Tower 5
    Singapore, 038985
    T (65) 6533-6103
    F (65) 6533-6106
    APACTraining@f5.com

F5 Networks, Inc.
    Japan
    Akasaka Garden City 19F
    4-15-1 Akasaka, Minato-ku
    Tokyo 107-0052 Japan
    T (81) 3 5114-3200
    F (81) 3 5114-3201
    JapanTraining@f5.com


Legal Notices
Copyright
Copyright 2010, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no
responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result
from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property
right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any
time without notice.

Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Acopia, Acopia Networks, Application Accelerator, Ask F5, Application
Security Manager, ASM, ARX, Data Guard, Enterprise Manager, EM, FirePass, FreedomFabric, Global Traffic Manager,
GTM, iControl, Intelligent Browser Referencing, Internet Control Architecture, IP Application Switch, iRules, Link
Controller, LC, Local Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity,
Secure Access Manager, SAM, SSL Accelerator, SYN Check, Traffic Management Operating System, TMOS,
TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WANJet, WebAccelerator, and ZoneRunner are trademarks
or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written
consent.

Patents
This product protected by U.S. Patent[s] 6,374,300; 6,473,802; 6,970,933; 7,051,126; 7,102,996; 7,146,354; 7,197,661;
7,206,282; 7,287,084. Other patents pending.

Export Regulation Notice


This product may include cryptographic software. Under the Export Administration Act, the United States government may
consider it a criminal offense to export this product from the United States.

RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may
be required to take adequate measures.

FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC
rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is
operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed
and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of
this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will
be required to take whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate
this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance


This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information
Technology products at the time of manufacture.


Table of Contents
Lab Instructions
    Connecting to the F5 Training Lab Environment
    The F5 Training Lab Network
    F5 Training Lab limitations

Lab 1: Initial Setup
    Lab Setup Utility
    Lab Configuration Utility
    Lab Configuration Backup

Lab 2: Traffic Processing
    Lab Virtual Servers - Pools
    Lab Network Map

Lab 3: Load Balancing
    Labs Ratio Load Balancing
    Labs Priority Group Activation

Lab 4: Monitors
    Lab Monitors for Nodes
    Lab Monitors for Pools and Members Lab #1 and 2

Lab 5: Profiles
    No Lab for this Course Module

Lab 6: Persistence
    Lab Source Address Persistence
    Lab Cookie Persistence
    Lab Disabled Members

Lab 7: SSL Termination
    Lab Client SSL Termination

Lab 8: NATs and SNATs
    Lab NAT Lab
    Labs SNAT Labs

Lab 9: iRules
    Labs iRules Lab #1
    Labs iRules Lab #2

Lab 10: Redundant Pair setup
    Lab Redundant Pair Setup
    Lab Setup of BIG-IP #2
    Lab Synchronization

Lab 11: High Availability
    Lab Network Failover
    Lab Connection Mirroring
    Lab Persistence Mirroring

Configuration Lab Project
    Lab Configuration Project

Appendix A F5 Networks Products
    F5 Networks Product Suite

Appendix B Additional Topics
    F5 Networks Support and Documentation
    Installation Information

Appendix C Other F5 Networks Training Courses
    F5 Networks Instructor Led Courses


Introduction
Welcome to the BIG-IP LTM Essentials Web-Based Training Course Student Lab Guide. The purpose of the
BIG-IP LTM Essentials course is to introduce the basic information you need to set up and operate the BIG-IP
Local Traffic Manager (LTM) from F5 Networks. The purpose of this Lab Guide is to provide all the
information and exercises you need to work directly with a BIG-IP LTM system and solidify the concepts you
have learned in the associated Web-based training modules.
The hands-on lab exercises included in this course are critically important to your learning. These exercises are
especially helpful if you can do them as soon as possible after completing the associated training module.
Therefore, we recommend the following approach when taking this course:

Before beginning a module, register for lab time.

Work through the training module as close to the start of your lab time as possible.

After completing the training module, move into the lab exercises. Be sure to complete the entire
exercise, including the review questions at the end.

There are eleven modules in this course, each one taking approximately thirty minutes to complete. To
complete the entire course, including modules and labs, will take you about fourteen hours.
In addition to the lab exercises, this guide contains other useful information.

Appendix A provides some background information on F5 Networks and its products.

Appendix B explains the various customer support resources that are available. We highly
recommend that you review this listing. You may find some of these resources to be very valuable
while working your way through this course.

Appendix C contains an informative list of other training courses available from F5 Global
Training Services. After completing this introductory course, you may want to enroll in one or
more of these classes to gain a deeper understanding of BIG-IP LTM.

We hope you enjoy learning with these lab exercises!


Connecting to the F5 Training Lab Environment


PLEASE NOTE: This lab is not a test environment and is strictly for use by students
taking the BIG-IP LTM Essentials Web-Based Training (WBT) course. Your user ID will
be time limited and you will be cut off after so many hours of connect time.

1. After logging in to F5 University, select the link for F5 Training Lab as shown to the right.
2. You should now be at the Lab web page where you
downloaded this Lab Guide.
3. Select the link for Lab registration.
4. When prompted, enter your email, first and last names
and then Launch Lab. You will be placed into your own
F5 Training Lab environment.
5. Your lab environment will take a couple minutes to initialize. Notice the message at top of
screen that says Your environment is X% ready.

6. The first time you connect you will need to install the Cloudshare plug-in and may need to
enable pop-ups for it to install. This is a first-time only install.


1. Each lab starts assuming an un-configured BIG-IP and then instructs you to restore a UCS
backup file that was captured at the end of the previous lab.
2. If during your lab time you wish to revert back to this un-configured state you may do so by
selecting Actions and then Revert Now.

3. Rather than restoring UCS files at the beginning of each new lab you may also work straight
through all the labs. From an instructional angle, F5 recommends doing the Module WBT,
then the lab for that Module. Then the next Module WBT and its corresponding lab.
4. Also, you can only enter the F5 Training Lab environment from
the links within F5 University (i.e., the graphic to the right).
5. When ready to leave the F5 Training Lab Environment, use the
Logout button in the upper right corner of the screen shown below.


The F5 Training Lab Network


1. You will be connected to a Windows virtual machine that will be used to administer your
BIG-IP and as the client machine to drive traffic through BIG-IP LTM.
2. Your Windows virtual machine has both a 192.168.1.30/24 and a 10.10.1.30/16 IP Address
configured for the lab network shown below.
3. There is already a Management IP Address set on your BIG-IP to 192.168.1.245/24, and we
will set up the other 10.10 External and 172.16 Internal IP Addresses in Lab #1.
4. There are also three servers configured at 172.16.20.1, 172.16.20.2 and 172.16.20.3. You
will not be able to access these servers directly from your Windows client machine but these
are the servers to which we will load balance traffic starting in Lab #2.


F5 Training Lab limitations


1. The F5 Training Lab is running in a virtual lab environment and therefore does not have all
hardware features of BIG-IP available. For instance, you will not have a serial console
connection to your BIG-IP.
2. This lab environment only supports BIG-IP LTM, no other F5 products or BIG-IP modules
like GTM or ASM.
3. This lab environment has only been tested with the lab steps in this lab guide. If you do not
follow the steps in this lab guide, results will vary.


Module 1 Lab Initial Setup and Access

Initial Setup Labs


Objective:

Perform initial setup of the BIG-IP LTM System

Explore the Web Configuration Utility

Make a backup of the BIG-IP System

Estimated Time: 30 minutes

LAB CONFIGURATION


Setup Utility Lab


Objective:

Run the Setup Utility to configure system access parameters

Estimated time for completion: 20 minutes

Lab Requirements:

Reachable IP address on the management port

Valid License for the BIG-IP LTM Systems

Administration system with an IP address on the BIG-IP LTM's network

Current BIG-IP Settings


At this point, your BIG-IP system should already be licensed and the management port address still
set to the default IP Address of 192.168.1.245/24.

PC Configuration
Your PC is configured with two IP Addresses in order to reach both the Management and client
networks once they are configured on your BIG-IP.
    PC Mgmt IP Address:    192.168.1.30/24
    PC Client IP Address:  10.10.1.30/16

Access the BIG-IP LTM System


1. Open a browser to https://192.168.1.245.
2. When prompted, accept the SSL certificate.
3. When prompted, login as admin with a password of admin.

Licensing Steps
1. You should first see the Setup Utility's Welcome screen. Click Next.
2. Normally, you would need to license your BIG-IP System. For these labs, the systems should
already be licensed. Review the features that are licensed and then click Next.

Provisioning Steps
1. The second screen should be Provisioning. Verify that Local Traffic (LTM) is set to
Nominal, any other products are set to None (Disabled) and then click Next.


Setup Utility
1. Within the General Properties section, specify the following:
    IP Address:         192.168.1.245
    Network Mask:       255.255.255.0
    Management Route:   Leave blank
    Host Name:          bigip1.f5trn.com
    Host IP Address:    Use Management Port IP Address
    High Availability:  Redundant Pair
    Unit ID:            1
    Time Zone:          America/Los Angeles

2. Within the User Administration section, specify the following:


    Root Account Password:   default
    Root Account Confirm:    default
    Admin Account Password:  admin
    Admin Account Confirm:   admin
    SSH Access:              Enabled
    SSH IP Allow:            * All Addresses

3. Click Next.
NOTE: When you type in the admin password field you will be required to log back into
the system whether the password has been changed or not.
Once this first step of administrative access has been configured, you can configure self-IP addresses
and VLANs. We will choose the Basic Network Configuration option, which will step through
creating two VLANs, internal and external, and their IP addresses, and interfaces. Each self IP will
be assigned Port Lockdown settings. Port lockdown limits administrative access to the self IP
addresses. Because we have configured the system as a redundant pair, Allow Default should be
selected for Port Lockdown on self IPs of the internal VLAN to ensure the systems will be able to
communicate.
Because we have configured as a redundant pair, the administrator will also be prompted for a partner
address and a floating IP address for each VLAN. Generally, the partner address should be an
address on the internal VLAN to minimize security concerns. Floating addresses are shared between
the systems and used by the system that is currently active. These concepts are discussed in the
Redundant Pair module.



4. Select the Basic Network Configuration option by clicking Next, then specify the
following:

Internal Network Settings

    Self-IP Address:            172.16.1.31
    Self-IP Netmask:            255.255.0.0
    Self-IP Port Lockdown:      Allow Default
    Floating IP Address:        172.16.1.33
    Floating IP Port Lockdown:  Allow Default
    Failover Peer:              172.16.1.32

Internal VLAN Configuration

    VLAN Name:        internal (Read Only)
    VLAN Tag ID:      Auto
    VLAN Interfaces:  Untagged Port 1.2

5. Click the Next button to configure the External VLAN, then specify the following:

External Network Settings

    Self-IP Address:            10.10.1.31
    Self-IP Netmask:            255.255.0.0
    Self-IP Port Lockdown:      Allow 443
    Default Gateway:            Leave blank
    Floating IP Address:        10.10.1.33
    Floating IP Port Lockdown:  Allow 443

External VLAN Configuration

    VLAN Name:        external (Read only)
    VLAN Tag ID:      Auto
    VLAN Interfaces:  Untagged Port 1.1

6. Then click Finished.


7. Since we previously completed Licensing and Provisioning, we should reboot the BIG-IP so
that our Licensing and Provisioning changes take effect. Select System / Configuration and
click the Reboot box under Operations.
Once the Basic Network Configuration is complete, the Welcome screen from the Overview section
appears. The administrator can choose to change many presentation options, enable SNMP including
downloading the MIB, access F5's knowledge database (Ask F5) or re-run the Setup Utility to change
addresses or access methods.


Configuration Utility Lab


Objective:

Access both the Web Configuration utility and Command Line (SSH) utility for BIG-IP
LTM system and get familiar with the interface

Estimated time for completion: 5 minutes

Lab Requirements:

External IP address of the BIG-IP LTM system

User ID and password of the BIG-IP LTM system's Web Configuration Utility

User ID and password of the BIG-IP LTM system's Command Line Interface

PC Configuration
Your PC is configured with two IP Addresses in order to reach both the Management and client
networks once they are configured on your BIG-IP.
    Mgmt IP Address:    192.168.1.30/24
    Client IP Address:  10.10.1.30/16

The Web Configuration Utility


1. Open a browser window to https://10.10.1.31 to connect to the Web Configuration Utility.
2. Enter a user ID and password of admin / admin that you added during Setup.
3. Note options available on the Welcome page.
4. Click on the Network section, then note what is set for the Interfaces, Self IPs, and VLANs
options.

Command Line access (SSH)


1. Open an SSH session using PuTTY and attempt to connect to the external IP Address of your
BIG-IP System (10.10.1.31).
2. Notice that you are not able to access your BIG-IP LTM. This is because Port Lockdown
for the external self-IP addresses defaults to Allow 443 only. Access to port 22 is prevented.
3. From the web GUI select Network / Self IPs and then click the 10.10.1.31 self IP Address.
4. Under Port Lockdown / Custom List, click the Port radio button, enter 22 as the port, click
Add, and then click Update.
5. Once port 22 has been added, you should be able to successfully use SSH to attach to your
BIG-IP System. If you are prompted to accept the SSH key, do so. When the logon
appears, enter root as the user ID and default as the password that you added during Setup.
6. If prompted for terminal type, select vt100.
Enter the command: b self show



What information is listed here?
7. Enter the command: b vlan show
What information is listed here?
8. Enter the command: b interface show
What information is listed here?

Verifying User Access


1. Log out of your SSH session.
2. Open a new SSH session, but this time try to log in as the admin user. By default, you
should not be able to get in as admin.
3. From the Web Configuration Utility select System / Users and then select the link for the
admin User Name. Change the Terminal Access to Advanced Shell access, click Update,
and then test SSH access with the admin user ID again.
4. Open a new browser window but try to log in using the root user ID. By default, you should
not be able to get into the Web Configuration utility with the root user ID.


Configuration Backup Lab


Objective:

Create a backup of the BIG-IP System on both the BIG-IP and your desktop.

Estimated time for completion: 5 minutes

Lab Requirements:

External IP address of the BIG-IP LTM system

Saving a configuration
1. From the Navigation pane, click the System section.
2. Select Archives, then click Create.
3. Within the General Properties section, specify the following:
    File Name:     Module1_End
    Encryption:    Disabled
    Private Keys:  Include
    Version:       BIG-IP Version (read only)

4. When complete, click Finished.


5. When complete, an OK button will appear. Click OK or select Archives again.
6. Select Module1_End.ucs (the name is a link) and notice you can click Download to save a
copy to your desktop. The Download option does not work in this F5 Training Lab
environment but will in yours.
7. If desired, the file's contents can be viewed from the command line of your BIG-IP System.
From an SSH session, perform the following:
a. Make a new directory for this lab: mkdir /var/tmp/test/
b. Change to the new directory: cd /var/tmp/test/
c. Copy the backup to the new directory:
   cp /var/local/ucs/Module1_End.ucs .
d. Decompress and extract the file: tar -xvzf Module1_End.ucs
   The resulting files show the directory structure and all files stored in the *.ucs file.
   Individual files can be viewed with cat, tail, more and other tools.
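
The archive in this lab is created with Encryption set to Disabled and Private Keys set to Include, so the .ucs file carries key material protected only by its file permissions. The script below is an added example, not part of the F5 lab guide: it lists the members of such an archive that contain a PEM private-key header without unpacking anything to disk, and checks the archive's file mode. The function names and the sample archive's member paths and contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the lab guide). Step 7 above opens the .ucs file
# with `tar -xvzf`, so it is treated here as a gzip-compressed tar archive.

# Print each regular-file member whose content carries a PEM private-key
# header. Members are streamed to stdout with -O and never written to disk.
ucs_private_keys() {
    tar -tzf "$1" | while IFS= read -r member; do
        case $member in */) continue ;; esac   # directory entry, no content
        if tar -xzOf "$1" "$member" 2>/dev/null |
                grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$member"
        fi
    done
}

# Succeed only when group and others have no permission bits on the file.
# Tries GNU stat first, then the BSD form.
ucs_mode_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 2
    case $mode in *00) return 0 ;; *) return 1 ;; esac
}

# Build a constructed stand-in for a UCS file under directory $1. Every
# member path and all file contents are sample data made up for this example.
make_sample_ucs() {
    mkdir -p "$1/src/config/keys"
    printf '%s\n' '# constructed placeholder configuration' \
        > "$1/src/config/sample.conf"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$1/src/config/keys/sample.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$1/src/config/keys/sample.crt"
    tar -czf "$1/sample.ucs" -C "$1/src" config
}

# Demo: report key-bearing members and the file mode of the sample archive.
demo_dir=$(mktemp -d)
make_sample_ucs "$demo_dir"
chmod 644 "$demo_dir/sample.ucs"
echo "members containing private keys:"
ucs_private_keys "$demo_dir/sample.ucs"
if ucs_mode_is_private "$demo_dir/sample.ucs"; then
    echo "archive mode: owner-only"
else
    echo "archive mode: readable by group or others"
fi
rm -rf "$demo_dir"
```

Against a real archive, call the two functions with the path of the .ucs copy in place of the constructed sample.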


Module 2 Lab Processing Traffic


Objectives:

Configure pools for servers

Configure virtual servers and associate them with a pool

Verify functionality

Estimated time for completion: 20 minutes

Lab Requirements:

IP and port addresses available for use on BIG-IP LTM that can be reached by the client
systems

Actual servers with appropriate routes to return traffic through each BIG-IP LTM system

Restoring a Configuration from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment, skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module2_Lab_begin.ucs archive and then click the Restore button. An Ok button
appears to acknowledge the restore has started. It will take a minute, but watch this screen
and you should see messages that your restore completed successfully. You might receive
one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.
13. After Restore and Reboot, your configuration should be as if you had just finished all Module
1 labs. Please verify this is the case. Your configuration should be licensed, include 2
VLANs (Network / VLANs) named external and internal and have 4 self IPs (Network /
Self IPs) at 10.10.1.31, 10.10.1.33, 172.16.1.31 and 172.16.1.33 configured.


Creating an HTTP Pool and Virtual Server Lab


Create a Pool
1. From the Navigation pane, expand the Local Traffic section.
2. Either select Pools and then the Create button or hover your mouse over Pools and then click
the + sign on the flyout menu.

3. In the Configuration section, enter the following:


    Configuration Level:  Basic
    Name:                 http_pool
    Health Monitors:      Leave Blank

4. In the Resources section, enter the following:


    Load Balancing Method:      Round Robin
    Priority Group Activation:  Disabled
    New Members (for each, enter Address and Service Port and press Add):
        172.16.20.1 port 80
        172.16.20.2 port 80
        172.16.20.3 port 80

5. When complete, click Finished.

Create a Virtual Server that uses this pool


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Virtual Servers and click Create, or hover your mouse over Virtual Servers
and then click the + sign on the flyout menu.

3. In the General Properties section, enter the following:


    Name:          vs_http
    Destination:   10.10.1.100
    Service Port:  80 (or HTTP)
    State:         Enabled

4. In the Configuration section, accept all defaults.


5. In the Resources section, enter the following:
    iRules:                        Leave Blank
    HTTP Class Profiles:           Leave Blank
    Default Pool:                  http_pool
    Default Persistence Profile:   None
    Fallback Persistence Profile:  None

6. When complete, click Finished.


Verification through Statistics


1. Open a new browser session on your PC and point it to the virtual server at
http://10.10.1.100. Note the results and refresh the screen 5-10 times. You may need to
refresh using the Ctrl and F5 keys to force the browser not to use its cache.
2. View statistics and configuration information through:
a. Overview Section / Statistics / Local Traffic Tab
b. From the Statistics Type drop down list, choose Virtual Servers
c. From the Statistics Type drop down list, choose Pools
3. Did traffic go to each pool member?
4. Did each pool member manage the same number of connections?
5. Did each pool member manage the same number of bytes?
6. How many TCP connections are opened each time you refresh the browser page?

Expected Results and Troubleshooting

Expected result: 5 connections per refresh, distributed evenly among the pool members.
The webpage consists of the index.html and 4 objects. The web servers have keep-alives
disabled.

If not, verify the following:

Is traffic getting to the virtual server?

    Does 10.10.1.100 appear in your workstation's ARP table?
        Type arp -a at the workstation's command prompt.

    Does the Statistics page show traffic received by vs_http?
        Verify that the address and port are correctly configured.

Is traffic getting to the pool members?

    If no traffic is going TO the pool members:
        Verify http_pool has been assigned to vs_http.
        Verify the correct member's address / port.

    If traffic goes TO pool member, but does not return:
        Verify that self IP address 172.16.1.33 is configured on port 1.2 (this
        address is the pool members' default route).


Creating an HTTPS Virtual Server and Pool Lab


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Virtual Servers and click Create or leave your mouse over Virtual Servers
and then click the + sign on the flyout menu.

3. In the General Properties Section, enter the following:


   Name: vs_https
   Destination: 10.10.1.100
   Service Port: 443 (or HTTPS)
   State: Enabled

4. In the Configuration Section, accept all defaults.


5. Since we forgot to create the pool first, navigate to the Resources Section and click the +
character to the right of Default Pool.
6. In the Configuration section of the new pool, enter the following:
   Configuration: Basic
   Name: https_pool
   Health Monitors: Leave Blank

7. In the Resources section, enter the following:


   Load Balancing Method: Round Robin
   Priority Group Activation: Disabled
   New Members (for each, enter Address and Service Port and press Add):
      172.16.20.1 port 443
      172.16.20.2 port 443
      172.16.20.3 port 443

NOTE: Since the members' IP addresses are the same, you could select Node List and
choose the members' IP addresses from the drop-down list.

8. When the pool is complete, press Finished.


9. In the Virtual Server's Resources section, verify the following settings:
   iRules: Leave Blank
   HTTP Class Profiles: Leave Blank
   Default Pool: https_pool
   Default Persistence Profile: None
   Fallback Persistence Profile: None

10. When complete, make sure to click Finished for the virtual server.


Verification through Statistics


1. Open a new browser session on your PC and point it to the virtual server at
https://10.10.1.100. Note the results and refresh the screen 5-10 times.
2. View statistics and configuration information through:
a. Overview Section / Statistics / Local Traffic Tab
b. From the Statistics Type drop down list, choose Virtual Servers
c. From the Statistics Type drop down list, choose Pools
3. Did traffic go to each pool member?
4. Did each pool member manage the same number of connections?
5. Did each pool member manage the same number of bytes?
6. How many TCP connections are opened each time you refresh the browser page?

Statistics using the Command Line


1. Open an SSH client window using PuTTY, enter the external IP address of your BIG-IP LTM
System (10.10.1.31), and make sure the protocol is set to SSH.
2. When prompted, enter root as the user ID and the password that was added during setup. A
password of default was suggested in Lab 1 and set in the Module2_Lab_begin.ucs file.
3. If prompted for terminal type, accept or enter vt100.
4. Enter the command bigtop. This command shows real time information on the virtual
servers and pool members that you have configured.
5. View the screen while refreshing your session to either http://10.10.1.100 or
https://10.10.1.100. What does bigtop show? Exit bigtop by pressing the q key.
6. Statistics for pools and virtual servers can be viewed by typing the following:
      b pool <pool name> show
         example: b pool http_pool show
      b virtual <virtual name> show
         example: b virtual vs_http show

Expected Results and Troubleshooting

Expected result: You may see six connections the first time you request the page, (due to
the SSL key exchange) but should see five connections per subsequent refresh. The
requests should be evenly distributed among the pool members.

If not, verify the following:

- Confirm that the virtual server was created. Students often neglect to hit Finished
  for the virtual server after hitting Finished for the pool.
  - Local Traffic / Virtual Servers
- Is traffic getting to the virtual server?
  - Does 10.10.1.100 appear in your workstation's ARP table? You may
    need to clear your ARP table before testing to remove the entry from the
    vs_http virtual server.
  - Does the Statistics page show traffic received by vs_https?
    Verify that the address and port are correctly configured.
- Is traffic getting to the pool members? Check Pool statistics:
  - If no traffic is going TO the pool members:
    - Verify https_pool has been assigned to vs_https
    - Verify the correct members' address / port
  - If traffic goes TO pool member but does not return:
    - Verify that self IP address 172.16.1.33 is configured on port 1.2 (this
      address is the pool members' default route).

Network Map Lab


View Configuration and Status from Network Map
1. Open a browser session and access https://10.10.1.31.
2. Select Local Traffic / Network Map, then click Show Map.
3. Mouse over both virtual server and Pool objects and notice what information is displayed
about that object.
4. Select a Pool member and disable it.
a. From the Navigation pane, expand the Local Traffic section.
b. Select Pools.
c. Select http_pool.
d. Select Members.
e. Check the box to the left of the chosen member and click the Disable button.
5. Go back to Network Map and notice that status changed to disabled, indicated by a black
square.
6. Re-enable the disabled pool member for later labs.
7. Change the search field to 20.1 and then click Update Map. Notice that all members are still
listed, but matches are highlighted.
8. Select System / Preferences and change the Start Screen from Welcome to Network Map.
Close your browser session to the admin GUI, and then log back in to https://10.10.1.31 and
notice that your default screen is now Network Map.


Module 3 Lab Load Balancing


Objectives:

Choose differing load balancing methods and view the resulting behavior

Choose differing member priority and ratio values and view the resulting behavior

Estimated time for completion: 10 minutes

Lab Requirements:

Access to a BIG-IP LTM with at least a pool with two or more working members

Restoring a Configuration from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment, skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module3_Lab_begin.ucs archive and then click the Restore button. An Ok button
appears to acknowledge the restore has started. It will take a minute, but watch this screen
and you should see messages that your restore completed successfully. You might receive
one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.
13. After Restore and Reboot, your configuration should be as if you had just finished all Module
2 labs. Please verify this is the case. Your configuration should include two pools named
http_pool and https_pool and two virtual servers named vs_http and vs_https. None of the
Pools or Pool Members should have Monitors assigned (blue square status).


Round Robin Load Balancing Lab


If not zero, reset the Statistics for http_pool
1. From the Navigation pane, expand the Overview section and select Statistics.
2. From the Display options sections, change the Statistics Type to Pools.
3. Select the checkbox adjacent to http_pool, and click Reset.

View Results using Round Robin Load Balancing


1. Open a browser session and access http://10.10.1.100.
2. Refresh the screen a few times by pressing Ctrl+F5 (Ctrl+R if using Firefox).
3. Navigate back to the pools statistics page.
4. What are the results? Were the connection requests distributed evenly?
5. Reset the statistics for http_pool.

Ratio member Load Balancing Lab


Configure Member Ratios and Ratio (member) Load Balancing and test.
1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools.
3. Select http_pool.
4. Select Members.
5. Within the Load Balancing section, change the Load Balancing Method to Ratio (member)
and click Update.
6. Within the Configuration section of each member, set the ratio values as follows:
   Member            Ratio
   172.16.20.1:80    1
   172.16.20.2:80    2
   172.16.20.3:80    3

7. Open a new browser session and connect to http://10.10.1.100.


8. Refresh the screen 5-10 times by pressing Ctrl-F5.
9. View the pool statistics. What are the results?
10. Reset the statistics for http_pool.


Expected Results and Troubleshooting

Expected result: Traffic will be distributed to the members with a 1:2:3 ratio.

Configuration reset if continuing to other Module Labs


If you are not going to perform the Priority Group Activation Lab, but want to continue using
your existing configuration with other Module Labs, reset http_pool and members to the
following settings:

Load Balancing: Round Robin


Priority Group Activation Lab


Configure Priority Group Activation
1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools.
3. Select http_pool.
4. Select Members.
5. In the Load Balancing section, change the Priority Group Activation setting to Less than,
the number of Available Members to 2, and click Update.
6. Within the Configuration section of each member, set the Priority values as follows:
   Member            Ratio    Priority Group
   172.16.20.1:80    1        1
   172.16.20.2:80    2        4
   172.16.20.3:80    3        4

7. Open a new browser session and connect to http://10.10.1.100.


8. Refresh the screen 5-10 times by pressing Ctrl-F5.
9. View the pool statistics. What are the results?
10. Reset the statistics for http_pool.
11. Disable the member 172.16.20.2:80.
12. Open a new browser session and connect to http://10.10.1.100.
13. Refresh the screen 5-10 times by pressing Ctrl-F5.
14. View the pool statistics. What are the results?
15. Re-enable the member 172.16.20.2:80.
16. Reset the statistics for http_pool.

Expected Results and Troubleshooting

In step (9), 172.16.20.1:80 should receive no traffic. The traffic will be distributed to the
other members with a 2:3 ratio.

In step (14), 172.16.20.2:80 should receive no traffic. The traffic will be distributed to the
other members with a 1:3 ratio.

Configuration reset if continuing to other Module Labs


If you want to continue using your existing configuration with other Module Labs, reset
http_pool and members to the following settings:

Load Balancing: Round Robin

Priority Group Activation: Disabled


Module 4 Lab Monitors


Objective:

Associate nodes with monitors

Create custom monitors

Estimated time for completion: 10 minutes

Lab Requirements:

Access to a BIG-IP LTM with at least one pool with two working members

Some knowledge of the traffic sent by the members

Restoring a Configuration from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment, skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module4_Lab_begin.ucs archive and then click the Restore button. An Ok button
appears to acknowledge the restore has started. It will take a minute, but watch this screen
and you should see messages that your restore completed successfully. You might receive
one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.
13. Your configuration should be as if you had just finished all Module 3 labs. Please verify this
is the case. Your configuration should be licensed and include two Pools named http_pool
and https_pool and two Virtual Servers named vs_http and vs_https. None of the Pools or
Pool Members should have Monitors assigned (blue square status).


Monitor for Nodes Lab


Check Current Node States
1. From the Navigation pane, select the Local Traffic section.
2. Select Nodes.
3. What are the nodes' statuses?
4. Will BIG-IP LTM distribute traffic to nodes that are Unknown?

Assign a Default Monitor to all Nodes


1. From the Navigation pane, expand the Local Traffic section.
2. Select Nodes.
3. Above the list of nodes, select Default Monitor.
4. From the list of Available monitors, select icmp, press the move to the left button (<<), and
press Update.
5. Recheck the Node states (either follow directions above or select Node List from the current
location).
NOTE: Each time the Node List tab is pressed, the screen will refresh.
6. What are the nodes' statuses? Was the change immediate?

Create a custom ICMP monitor


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Monitors and then the Create button or leave your mouse over Monitors and
then click the + sign on the flyout menu.

3. In the General Properties Section, enter the following:


   Name: my_icmp
   Type: ICMP

4. In the Configuration Section, enter the following:
   Interval: 10
   Timeout: 31
   Transparent: No

5. When complete, click Finished.


Assign the custom monitor to selected nodes


1. From the Navigation pane, expand the Local Traffic section.
2. Select Nodes and then select the node at 172.16.20.1.
3. In the Configuration Section, enter the following:
   Name: Leave Blank
   Health Monitors: Node Specific
   Select Monitors: my_icmp in Active column
   Availability Requirement: All
   Additional Settings: Leave as Defaults

4. When complete, click Update.


5. What are the nodes' statuses?

Disassociate all monitors for selected node


1. From the Navigation pane, expand the Local Traffic section.
2. Select Nodes.
3. Select the node 172.16.20.2.
4. In the Configuration Section, enter the following:
   Health Monitors: None
   Additional Settings: Leave as Default

5. When complete, press Update.


6. What is the node's status? Was the change immediate?

Conclusion
At this point, each node is being tested differently. Node 172.16.20.1 has a specific assignment,
my_icmp. Node 172.16.20.2 has no monitor assigned. Node 172.16.20.3 is using the Node Default
monitor, which is currently icmp. This is not a recommended configuration; rather it is used to
demonstrate the three ways monitors can be associated with nodes.


Monitors for Pools and Members Lab #1


Objective:

Associate members with monitors

Create custom monitors

Estimated time for completion: 10 minutes

Check Current Member States


1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools.
3. Select http_pool.
4. Select the Members tab.
5. What are the members' statuses?
6. Will BIG-IP LTM distribute traffic to members that are Unknown?

Assign a Standard Monitor to a Pool


1. Navigate to Local Traffic / Pools / http_pool / Members and note the members' states.
Select the Properties tab.
2. In the Configuration Section, enter the following:
   Configuration: Basic
   Health Monitors: http

3. When complete, press Update.


4. Recheck the Member states (either follow directions above or select Members from the
current location).
NOTE: Each time the Members tab is pressed, the screen will refresh.
5. What are the members' statuses? Was the change immediate?

Create a New HTTP-based Monitor


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Monitors and then the Create button or leave your mouse over Monitors and
then click the + sign on the flyout menu.

3. In the General Properties Section, enter the following:


   Name: my_http
   Type: HTTP
   Import Settings: http


4. In the Configuration Section, enter the following:


   Configuration: Basic
   Send String: GET /index.html\r\n
   Receive String: Server
   Leave other settings at default

5. When complete, click Finished.

Assign the Custom Monitor to Selected Members


1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools.
3. Select http_pool.
4. Select the Members tab.
5. Select the member 172.16.20.2:80.
6. In the Configuration Section, enter the following:
   Configuration: Advanced
   Health Monitors: Member Specific
   Select Monitors: my_http
   Leave other settings at default

7. When complete, click Update.


8. What are the members' statuses? Was there any change?

Disassociate all monitors for selected member


1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools.
3. Select the pool http_pool.
4. Select the Members tab.
5. Select the member at 172.16.20.3:80.



6. In the Configuration Section, enter the following:
   Configuration Level: Advanced
   Health Monitors: None
   Leave other settings at default

7. When complete, click Update.


8. What are the members' statuses? Was the change immediate?

Conclusion
At this point, each member is being tested differently. Member 172.16.20.1:80 is set to inherit from
the pool, which has http assigned. Member 172.16.20.2:80 has a specific assignment, my_http.
Member 172.16.20.3:80 has no assigned monitor. This configuration is not recommended; rather it is
used to demonstrate the three ways monitors can be associated with members.


Monitors for Pools and Members Lab #2


Objective:

Associate members with monitors

Create custom monitors

Estimated time for completion: 10 minutes

Check Current Member States


1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools.
3. Select https_pool, and then select the Members tab.
4. What are the members' statuses?

Create a New HTTPS-based Monitor


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Monitors and then the Create button or leave your mouse over Monitors and
then click the + sign on the flyout menu.

3. In the General Properties Section, enter the following:


   Name: my_https
   Type: HTTPS
   Import Settings: https

4. In the Configuration Section, enter the following:
   Configuration Level: Basic
   Send String: GET /index.html\r\n
   Receive String: Server 2
   Leave other settings at default

5. When complete, click Finished.


Assign the Custom Monitor to a Pool


1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools.
3. Select https_pool.
4. In the Configuration Section, enter the following:
   Configuration: Basic
   Health Monitors: my_https

5. When complete, click Update.


6. What are the members' statuses? Why? Was the change immediate?
7. What is the status of the Virtual Server?

Check Status of Nodes and Members from Network Map


1. From the Navigation pane, expand the Local Traffic section, select the Network Map and
click Show Map.
2. Moving the mouse over certain Pool members, notice that the Parent Node state can be
different than the Pool member. Why is this happening? Remember that we can and have
assigned different monitors to Nodes and Pool Members.

Change the Definition of the Custom Monitor


1. From the Navigation pane, expand the Local Traffic section.
2. Select Monitors.
3. Select my_https.
4. In the Configuration Section, change the Receive String to Server [1-3]
5. When complete, click Update.
6. What is the status of members in https_pool? Was the change immediate?

NOTE: [1-3] is a simple regular expression that matches any single character in the
range from 1 to 3.
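
Why my_https behaves differently with a Receive String of Server 2 and of Server [1-3], and why a status change is not always immediate, can be seen in a short model of a send/receive monitor. This is an added example, not F5 code or part of the lab guide: the Monitor class and pool_status function are hypothetical names, the page bodies containing "Server <n>" are constructed, and reusing my_icmp's 10 and 31 second timers for my_https is an assumption.

```python
# Added illustration (not F5 code): how a send/receive health monitor decides
# member status. Replies and timer values are constructed for the example.
import re
from dataclasses import dataclass


@dataclass
class Monitor:
    name: str
    receive_string: str   # regular expression searched for in the reply
    interval: int         # seconds between checks
    timeout: int          # seconds without a passing check before "down"

    def passes(self, reply):
        """A check passes when the receive string matches anywhere in the reply."""
        return reply is not None and re.search(self.receive_string, reply) is not None

    def timeline(self, replies):
        """Status after each check.

        replies[i] answers the check sent at i * interval seconds (None means
        no reply). Status is sampled at check times only, a simplification.
        """
        status, last_pass, out = "checking", 0, []
        for i, reply in enumerate(replies):
            now = i * self.interval
            if self.passes(reply):
                status, last_pass = "up", now      # one good reply is enough
            elif now - last_pass >= self.timeout:
                status = "down"                    # only after the full timeout
            out.append((now, status))
        return out


def page(n):
    """Constructed reply: assumes each lab web server names itself in its page."""
    return f"HTTP/1.0 200 OK\r\n\r\n<html><body>Welcome to Server {n}</body></html>"


# Constructed sample data for the three https_pool members.
MEMBERS = {
    "172.16.20.1:443": page(1),
    "172.16.20.2:443": page(2),
    "172.16.20.3:443": page(3),
}


def pool_status(monitor, members=None, checks=5):
    """Final status of every member after `checks` identical replies."""
    members = MEMBERS if members is None else members
    return {addr: monitor.timeline([reply] * checks)[-1][1]
            for addr, reply in members.items()}


if __name__ == "__main__":
    strict = Monitor("my_https", "Server 2", interval=10, timeout=31)
    relaxed = Monitor("my_https", "Server [1-3]", interval=10, timeout=31)
    print(pool_status(strict))    # only the member returning "Server 2" is up
    print(pool_status(relaxed))   # all three members are up
    # A member that stops answering stays "up" until the timeout has elapsed.
    print(relaxed.timeline([page(2), page(2), None, None, None, None]))
```

Because the receive string is searched for anywhere in the reply, Server [1-3] would also accept a page that says "Server 10"; anchor or extend the expression when the match has to be exact.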

Configuration reset if continuing to other Module Labs


If you want to continue using your existing configuration with other Module Labs, make sure all
pool members for both http_pool and https_pool are in one of the following states:

Available or Green

Unknown or Blue


Module 5 Lab Profiles


Note: No Lab for Module 5 Profiles

There is no Lab for Module 5 Profiles. Labs that use Profiles appear in both Module 6,
Persistence, and Module 7, SSL Termination.


Module 6 Labs Persistence


Objective:

Configure Source Address Persistence

Verify functionality

Estimated time for completion: 10 minutes

Lab Requirements:

Two or more working members in https_pool

A virtual server at https://10.10.1.100 associated with https_pool

Restoring a Configuration from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment, skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module6_Lab_begin.ucs archive and then click the Restore button. An Ok button
appears to acknowledge the restore has started. It will take a minute, but watch this screen
and you should see messages that your restore completed successfully. You might receive
one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.
13. Your configuration should be as if you had just finished all Module 4 Labs since there weren't
any labs for Module 5. Please verify this is the case. Your configuration should be licensed
and include two Pools named http_pool and https_pool and two Virtual Servers named
vs_http and vs_https. The Pools and Pool Members should have various Monitors assigned
but no Pool Members should be marked Offline (red).


Source Address Persistence Lab


Repeating behavior before persistence
1. Make sure the Load Balancing method for https_pool is set to Round Robin, Priority Group
Activation is disabled, and that all pool members have a connection limit of 0.
NOTE: This is not required for persistence. Instead, it ensures that reuse of a single
server is due to persistence and not a load balancing choice.
2. Next, access and reset the statistics for the https_pool.
3. Open a new browser session and connect to https://10.10.1.100.
4. Refresh the screen 5-10 times by clicking Refresh or pressing the F5 key.
5. View the pool statistics. What are the results?

Expected Results and Troubleshooting

Expected result: All pool members should receive approximately equal amounts of
traffic. If not, ensure that step (1) was followed.

Configure a Source Address Affinity Persistence Profile


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Profiles and the Persistence tab and click Create or use the flyout menus to
expand Profiles / Persistence and click the + sign.

3. In the General Properties section, enter the following:


   Name: Pr_Src_Persist
   Persistence Type: Source Address Affinity
   Parent Profile: source_addr

4. In the Configuration Section, leave all fields at the default settings except for the following:
   Timeout: Click on the Custom checkbox for Timeout and then set the Timeout to 15 seconds.
   Mask: Click on the Custom checkbox for Mask and then set the Mask to 255.255.255.0.

5. When complete, click Finished.

Associate a Virtual Server with the Persist_Source Profile


1. From the Navigation pane, expand the Local Traffic section.
2. Select Virtual Servers.


3. Select the virtual server of interest, vs_https.
4. Select the Resources tab.
5. Under the Load Balancing section, enter the following:
   Default Pool: https_pool
   Default Persistence Profile: Pr_Src_Persist
   Fallback Persistence Profile: None

6. When complete, click Update.

Demonstrating behavior after setting up persistence


1. Access and reset the statistics for the https_pool.
2. Open a new browser session and connect to https://10.10.1.100
3. Refresh the screen 5-10 times by clicking Refresh or pressing Ctrl-F5.
4. View the pool statistics. What are the results?
5. Stop refreshing the screen for at least 15 seconds.
6. Refresh again. At this point, you should be load balanced to another server.
7. From a separate browser session, view the Persistent Statistics.
a. From the Navigation Pane, expand the Overview section.
b. Select Statistics.
c. Within the Display Options section, set the following:
   Statistics Type: Persistence Records
   Data Format: Normalized
   Auto Refresh: Disabled

8. Leave the * in the search field (show all records) and click Search or Refresh.
9. If no persistent sessions currently appear, refresh your screen connecting to
https://10.10.1.100 and then refresh the Persistence Records Statistics again.
10. Why might the persistent connection not appear the first time?

Expected Results and Troubleshooting

Expected result: While the persistence record is active, all traffic from that client will be
directed to a single pool member. Since the persistence record is configured to remain
for only 15 seconds, it may time out before you navigate to the persistence statistics.
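
The behavior of Pr_Src_Persist (mask 255.255.255.0, timeout 15 seconds) in front of a Round Robin pool can be traced with a small model of the persistence table. This is an added example, not F5 code or part of the lab guide; the SourceAddrPersistence class and its methods are hypothetical names, and the client addresses used with it are constructed.

```python
# Added illustration (not F5 code): source address affinity persistence with
# the lab's Pr_Src_Persist values (mask 255.255.255.0, timeout 15 seconds).
import ipaddress
from itertools import cycle


class SourceAddrPersistence:
    def __init__(self, members, mask="255.255.255.0", timeout=15):
        members = list(members)
        if not members:
            raise ValueError("pool has no members")
        self._round_robin = cycle(members)     # load balancing method: Round Robin
        self._mask = int(ipaddress.IPv4Address(mask))
        self.timeout = timeout
        self.records = {}                      # masked source -> (member, last_used)

    def key(self, client_ip):
        """Persistence key: the client address with the mask applied."""
        masked = int(ipaddress.IPv4Address(client_ip)) & self._mask
        return str(ipaddress.IPv4Address(masked))

    def pick(self, client_ip, now):
        """Choose the member for a new connection arriving at time `now` (seconds)."""
        k = self.key(client_ip)
        record = self.records.get(k)
        if record is not None and now - record[1] < self.timeout:
            member = record[0]                 # live record: stay on the same member
        else:
            member = next(self._round_robin)   # no record or expired: load balance
        self.records[k] = (member, now)        # each use restarts the timer
        return member

    def active_records(self, now):
        """What a persistence-records view would list at time `now`."""
        return {k: member for k, (member, used) in self.records.items()
                if now - used < self.timeout}


if __name__ == "__main__":
    pool = ["172.16.20.1:443", "172.16.20.2:443", "172.16.20.3:443"]
    p = SourceAddrPersistence(pool)
    # Constructed client addresses and arrival times.
    for ip, t in [("10.10.1.30", 0), ("10.10.1.30", 5), ("10.10.1.77", 10),
                  ("10.10.2.5", 12), ("10.10.1.30", 24), ("10.10.1.30", 39)]:
        print(f"t={t:>2}s {ip:<11} key={p.key(ip):<10} -> {p.pick(ip, t)}")
    print("records at t=40s:", p.active_records(40))
```

The /24 mask makes every client in the same subnet share one record, so 10.10.1.77 lands on the member already chosen for 10.10.1.30; the record disappears from the statistics view once 15 seconds pass without a new connection.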


Cookie Persistence Lab


Objective:

Configure Cookie persistence

Verify functionality

Estimated time for completion: 15 minutes

Lab Requirements:

Two or more working members in http_pool

A virtual server at http://10.10.1.100 associated with http_pool

Repeating behavior before persistence


1. Make sure the Load Balancing method for http_pool is set to Round Robin and Priority
Group Activation is disabled.
NOTE: This is not required for persistence. Instead, it ensures that reuse of a single
server is due to persistence and not a load-balancing choice.
2. Access and reset the statistics for the http_pool.
3. Open a new browser session and connect to http://10.10.1.100.
4. Refresh the screen 5-10 times by clicking Refresh or pressing the F5 key.
5. View the pool statistics. What are the results?

Creating a Custom HTTP Cookie Insert Persistence Profile:


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Profiles and the Persistence tab and click Create or use the flyout menus to
expand Profiles / Persistence and click the + sign.

3. In the General Properties section, enter the following:


   Name: Pr_Cookie_Persist
   Persistence Type: Cookie
   Parent Profile: Cookie


4. In the Configuration Section, leave all settings at default except for the following:
   Expiration: Check the Custom checkbox for Expiration, then uncheck Session Cookie
   and set the Expiration to 2 days.

5. When complete, click Finished.

Associating a Virtual Server with the Cookie Persistence Profile


1. From the Navigation pane, expand the Local Traffic section.
2. Select Virtual Servers.
3. Select the Virtual Server of interest, vs_http.
4. Select the Resources tab.
5. Within the Load Balancing section, enter the following:
   Default Pool: http_pool
   Default Persistence Profile: Pr_Cookie_Persist
   Fallback Persistence Profile: None

6. When complete, click Update.


NOTE: You should see an error requiring an HTTP profile in order to use the cookie
persistence profile. Follow the steps below.

Associating the Virtual Server with an HTTP Profile


1. From the Navigation pane, select Local Traffic menu, Virtual Servers option.
2. Select the Virtual Server of interest, vs_http.
3. Select the Properties tab.
4. Within the Configuration section, set the HTTP Profile to http.
5. When complete, click Update.
6. Re-add the Pr_Cookie_Persist profile above on vs_http Resources tab as the Default
Persistence profile and click Update.

Demonstrating behavior after persistence


1. Access and reset the statistics for the http_pool.
2. Open a new browser session and connect to http://10.10.1.100
3. Refresh the screen 5-10 times by pressing Refresh or CTRL-F5.
4. View the pool statistics. What are the results?
5. Click on the Display Cookie link in the web page to view the cookie.


Expected Results and Troubleshooting


Expected result: All traffic will be directed to one member. If not, ensure that the browser you are
using allows cookies to be saved.

Disable Persistence for this Virtual Server


1. From the Navigation pane, expand the Local Traffic section.
2. Select Virtual Servers.
3. Select the Virtual Server of interest, vs_http.
4. Select the Resources Tab.
5. Under the Load Balancing section, enter the following:
   Default Pool: http_pool
   Default Persistence Profile: None
   Fallback Persistence Profile: None

6. When complete, click Update.


Disabled Members Lab


Objective:

See the interaction between persistence and the disabled status

Estimated time for completion: 15 minutes

Lab Requirements:

vs_https with resources https_pool and Pr_Src_Persist profile

NOTE: You may want to extend the persistence timeout value in the Persist_Source
profile before beginning this lab.

Establish a persistent session and disable a member


1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools then select https_pool.
3. Select the Members tab.
4. Open a separate browser to https://10.10.1.100. Refresh to verify that you are persisting.
5. Note the member to which you have connected.
6. From the Members tab, click the box adjacent to the member you are persisting to and click
Disabled.
7. Refresh the browser session at https://10.10.1.100.
Did you remain on the same member?
8. From the Members tab, select the IP address of the member to which you have the persistence
session.
9. Select the Forced Offline radio button and click Update.
10. Refresh the browser session at https://10.10.1.100.
Did you remain on the same member?

Establish a persistent session and disable a node


1. From the Navigation pane, expand the Local Traffic section and then select Nodes.
2. Open a separate browser to https://10.10.1.100. Refresh to verify that you are persisting.
3. Note the node to which you have connected.
4. From the Nodes list, select the box adjacent to the node and click the Disable button.
5. Refresh the browser session at https://10.10.1.100. Did you remain on the same node?

Re-Enable nodes and members


For later labs, ensure all nodes and members are enabled.

Module 7 Lab SSL Termination


Objective:

Create self-signed certificates

Create a Client SSL profile

Create a virtual server that will use the clientssl profile and load balance traffic

Lab Requirements:

An existing pool of members at port 80 (http_pool)

Access to a web browser

Restoring a Configuration from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment, skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module7_Lab_begin.ucs archive and then click the Restore button. An Ok button
appears to acknowledge the restore has started. It will take a minute, but watch this screen
and you should see messages that your restore completed successfully. You might receive
one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.
13. Your configuration should be as if you had just finished all Module 6 labs. Please verify this
is the case. Your configuration should be licensed and include two Pools named http_pool
and https_pool and two Virtual Servers named vs_http and vs_https. The Pools and Pool
Members should have various Monitors assigned but no Pool Members should be marked
Offline (red) or Disabled (black). The vs_https Virtual Server should have a Source Address
Persistence Profile assigned on the Resources tab.

Client SSL Lab


Behavior before configuration: SSL traffic is encrypted from client.
1. Open a Web browser to https://10.10.1.100.
2. Depending on the browser, you may see a lock in the lower right corner of the window; it
indicates the session is encrypted and secure. Alternately, find the certificate that is being
used for the session. Typically, you can right click on the web page, choose Properties and
click the Certificate button.
3. Note the pool member address and port in the body of the web page (172.16.20.x:443).

Generate a certificate
1. From the Navigation pane, expand the Local Traffic section.
2. Either select SSL Certificates and click Create or hover your mouse over SSL Certificates
and then click the sign on the flyout menu.

3. In the General Properties section, enter the name TestCertificate.


4. In the Certificate Properties section, enter the following:
   Issuer               Self
   Common Name          www.test.com
   Division             Training
   Organization         F5 Networks
   Locality             Seattle
   State or Province    Washington
   Country              US
   E-Mail Address       Leave blank
   Lifetime             365

5. In the Key Properties section, choose 1024 for the size.


6. Click Finished.
7. If you get an error saying the certificate already exists then change the name and continue.

Create a Client SSL Profile:


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Profiles / SSL, click Client and then click Create, or use the flyout menus to
expand Profiles / SSL / Client and click the sign.

3. In the General Properties section, enter the name Pr_Client_SSL and accept clientssl as the
parent profile.
4. From the Configuration section, check the custom button to the right of Certificate and
Key, and choose TestCertificate or your new name from the drop-down list.
5. Click Finished.

Creating the Virtual Server


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Virtual Servers and click Create or leave your mouse over Virtual Servers
and then click the Create option on the flyout menu.
3. In the General Properties section, enter the following:
   Name            vs_ssl
   Destination     10.10.1.102
   Service Port    443 (or HTTPS)
   State           Enabled

4. In the Configuration section, accept all defaults except the SSL Profile (Client) option, and
choose the Pr_Client_SSL profile you've just created.
5. In the Resources section, select http_pool as the Default Pool.
6. Click Finished.

Behavior after configuration


1. Open a Web browser.
2. Go to https://10.10.1.102. When prompted, accept the SSL certificate.
NOTE: The browser session is encrypted on the client side, but not on the server side.
3. Note the Pool Member address:port in the body of the web page (172.16.20.Y:80).
Unless otherwise configured, the traffic is encrypted from client to the BIG-IP LTM System, but
unencrypted between the BIG-IP system and the pool members.


Module 8 Labs NATs and SNATs


Lab Objectives:
You will configure a NAT to pass traffic between an external device and a specific internal node.
Either device can initiate this connection.

Lab Requirements:

One or more servers on the internal side of the BIG-IP system

An available IP address to use for the NAT

Restoring a Configuration from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment, skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module8_Lab_begin.ucs archive and then click the Restore button. An Ok button
appears to acknowledge the restore has started. It will take a minute, but watch this screen
and you should see messages that your restore completed successfully. You might receive
one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.
13. Your configuration should be as if you had just finished all Module 7 labs. Please verify this
is the case. Your configuration should be licensed and include three Pools named ssl_pool,
http_pool and https_pool and three Virtual Servers named vs_ssl, vs_http and vs_https. The
Pools and Pool Members should have various Monitors assigned but no Pool Members
should be marked Offline (red) or Disabled (black). The vs_https Virtual Server should have
a Source Address Persistence Profile assigned on the Resources tab.


Configuring a NAT Lab


The Network Address Translation screen displays the NAT address and the associated node address
for each NAT.

Configure a NAT
1. From the Navigation pane, expand the Local Traffic section.
2. Either select SNATs, the NAT List tab, and Create, or use the flyout menus to expand
SNATs / NATs and click the sign.

3. In the General Properties section, enter the following:
   NAT Address       10.10.1.200
   Origin Address    172.16.20.2
   State             Enabled
4. In the Configuration section leave everything at defaults:
   ARP               Enabled
   VLAN Traffic      All VLANs

5. Click Finished.

Testing the NAT - Inbound


1. Open a browser session to http://10.10.1.200.
2. Note the content of the Web screen.
3. Using Putty, open an SSH session to 10.10.1.200 port 22.
4. Login with a user ID of student and password of student.
5. Note that you can connect to multiple services through the NAT and that the connection
always connects to 172.16.20.2.
NOTE: While the configured NAT would provide outbound connections as well, the
routing tables on the server do not allow it in the classroom environment.

Delete the NAT


1. From the Navigation pane, expand the Local Traffic section.
2. Select SNATs and then the NAT List tab.
3. Check the box next to the NAT you just created, 10.10.1.200, and then click the Delete
button.
4. Click Delete to confirm the deletion.


SNAT Labs
Lab Requirements:

Access to a BIG-IP LTM System

An available IP address to use for the SNAT

Testing Behavior without the SNAT


1. Open a browser session to both http://10.10.1.100 and https://10.10.1.100.
2. Verify your IP address at the Web server by clicking the link that says Show Source IP
Address. You should see your PC's unchanged address: 10.10.1.30.
3. The Servers reside at IP Addresses 172.16.20.1, 172.16.20.2 and 172.16.20.3. The reason
they can return the response traffic to your PC at 10.10.1.30 through your BIG-IP is because
they each contain the following Server Route:
   Destination    Gateway
   10.10.1/24     172.16.1.33

SNAT within Virtual Server Lab


Configure the vs_https virtual server to use SNAT Automap
1. From the Navigation pane, select Local Traffic menu, Virtual Servers option, and select
vs_https.
2. In the General Properties section, select the Advanced option, and scroll down to the
bottom of the configuration screen.
3. In the SNAT Pool option, select Automap and then the Update button.

Testing the SNAT


1. Open a browser session to http://10.10.1.100.
2. Verify your IP address at the Web server by clicking the link that says Show Source IP
Address. Your address should still be 10.10.1.30
3. Now open a browser session to https://10.10.1.100, click the link to check the source IP and
notice your source address has changed to 172.16.1.33, the internal floating self IP Address
of your BIG-IP.

SNAT for a List of Devices Lab


1. From the Navigation pane, expand the Local Traffic section.

2. Either select SNATs and Create, or use the flyout menus to expand SNATs and click the
sign.
3. In the General Properties section, enter the Name SNAT_NW_10X.
4. In the Configuration section, enter the following:
   Translation                 IP Address: 172.16.1.201
   Origin                      Address List (next option will appear)
   Address List                Type: Network
                               Address: 10.0.0.0
                               Netmask: 255.0.0.0
                               Click Add
   VLAN Traffic                All VLANs
   Stateful Failover Mirror    Unchecked

5. Click Finished.

Testing the SNAT


1. Test the results by connecting to http://10.10.1.100 and https://10.10.1.100. View your
source IP address. What are the results?
   Connection                 Source IP at Server     Which SNAT
   To http://10.10.X.100      ___________________     ___________________
   To https://10.10.X.100     ___________________     ___________________

2. What SNATing is taking place for each Virtual Server?


3. Expected results: you should be successful to both of your virtual servers. Your traffic to
https://10.10.1.100 will be SNATed to 172.16.1.33. Your traffic to http://10.10.1.100 will
be SNATed to 172.16.1.201.
4. How could you change your SNAT definition to allow traffic from the 192.168.0.0/16
network to be SNATed also?
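
The expected results above imply the selection order: a SNAT set on the virtual server (Automap) is used in preference to a SNAT matched by origin address, and with neither the client address passes through unchanged. The following is an added example, not part of the original lab guide, that models this with the lab's addresses. The function names, the reduction of Automap to the single internal floating self IP, the client 192.168.1.50 and the extended address list for question 4 are assumptions.

```python
"""Offline model of SNAT selection in this lab (added example, not F5 code)."""
import ipaddress

CLIENT_PC = "10.10.1.30"
FLOATING_SELF_IP = "172.16.1.33"  # internal floating self IP; what Automap uses here

# SNAT Pool setting per virtual server, as configured in the lab
VIRTUAL_SERVERS = {"vs_http": None, "vs_https": "automap"}

# (name, translation address, origin networks) as entered in the lab
SNAT_NW_10X = ("SNAT_NW_10X", "172.16.1.201", ["10.0.0.0/255.0.0.0"])

# Assumed variant for question 4: one more network added to the Address List
SNAT_EXTENDED = (
    "SNAT_NW_10X",
    "172.16.1.201",
    ["10.0.0.0/255.0.0.0", "192.168.0.0/255.255.0.0"],
)


def source_seen_by_server(client_ip, vs_snat, origin_snats):
    """Return (source address at the server, SNAT that produced it)."""
    # 1. A SNAT configured on the virtual server is applied first.
    if vs_snat == "automap":
        return FLOATING_SELF_IP, "Automap"
    # 2. Otherwise the first SNAT whose origin list contains the client applies.
    client = ipaddress.ip_address(client_ip)
    for name, translation, origins in origin_snats:
        if any(client in ipaddress.ip_network(net) for net in origins):
            return translation, name
    # 3. No SNAT: the server sees the real client address and must have a
    #    route back through the BIG-IP system (the Server Route shown earlier).
    return client_ip, "none"


def lab_table(client_ip, origin_snats, virtual_servers=None):
    """Source address per virtual server for one client."""
    virtual_servers = VIRTUAL_SERVERS if virtual_servers is None else virtual_servers
    return {
        vs: source_seen_by_server(client_ip, snat, origin_snats)
        for vs, snat in virtual_servers.items()
    }


if __name__ == "__main__":
    cases = [
        ("lab SNAT", CLIENT_PC, [SNAT_NW_10X]),
        ("lab SNAT, 192.168 client", "192.168.1.50", [SNAT_NW_10X]),
        ("extended list, 192.168 client", "192.168.1.50", [SNAT_EXTENDED]),
    ]
    for label, client, snats in cases:
        for vs, (src, which) in lab_table(client, snats).items():
            print(f"{label:32} {vs:9} source={src:13} snat={which}")
```

Because the servers log the translated address rather than 10.10.1.30, server-side logs for SNATed connections no longer identify the client by IP address.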

Delete the SNATs


Remove SNAT option from Virtual Server configurations
1. From the Navigation pane, select Local Traffic menu, Virtual Servers option, vs_https, and
set the SNAT Pool option to None.
2. From the Navigation pane, select SNATs menu, the SNAT named SNAT_NW_10X, and
then click Delete.
3. Notice when testing that your source address is once again 10.10.1.30, but you still get
response packets back from servers because of the routes on the servers.


Module 9 Labs iRules


Objective:

Configure a series of iRules, pools, and virtual servers in order to demonstrate a variety
of rule features and functions.

Estimated time for completion: 30 minutes.

Lab Requirements:

External IP address of the Virtual Server

IP Address(es) of internal node (s)

Restoring a Configuration from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment, skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module9_Lab_begin.ucs archive and then click the Restore button. An Ok button
appears to acknowledge the restore has started. It will take a minute, but watch this screen
and you should see messages that your restore completed successfully. You might receive
one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.
13. Your configuration should be as if you had just finished all Module 8 labs. Please verify this
is the case. Your configuration should be licensed and include three Pools named ssl_pool,
http_pool and https_pool and three Virtual Servers named vs_ssl, vs_http and vs_https. The
Pools and Pool Members should have various Monitors assigned but no Pool Members
should be marked Offline (red) or Disabled (black). The vs_https Virtual Server should have
a Source Address Persistence Profile assigned on the Resources tab. Although they won't
cause issues with this lab, all NATs and SNATs should have been deleted at the end of Lab 8.

iRules Lab #1
Create and use an iRule that processes requests based on the file extension.

iRules Lab 1 Steps


1. The necessary pools are created.
2. iRules that reference the pools are created.
3. Virtual Servers that reference the iRules are created.

Create a Pool
1. From the Navigation pane, expand the Local Traffic section.
2. Either select Pools and then click Create, or use the flyout menus to expand Pools and click
the sign.

3. In the Configuration section, enter the following:
   Configuration level          Basic
   Name                         pool1
   Health Monitors              Leave Blank
4. In the Resources section, enter the following:
   Load Balancing Method        Round Robin
   Priority Group Activation    Disabled
   New Members                  IP: 172.16.20.1
   (enter and press Add)        Port: * All Services

5. When complete, click Finished.

Create another Pool


1. Create pool2 that contains one member, 172.16.20.2:* (Port is All Services).

Create a Rule using this pool


1. From the Navigation pane, expand the Local Traffic section.
2. Either select iRules and click Create or leave your mouse over iRules and then click the
sign on the flyout menu.


3. In the Properties section, enter the following:
   Name          rule_txt_end
   Definition
       when HTTP_REQUEST {
           if { [HTTP::uri] ends_with "txt" } {
               pool pool1
           }
       }

4. When complete, click Finished.

Create a Virtual Server using this rule


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Virtual Servers and click Create or leave your mouse over Virtual Servers
and then click the sign on the flyout menu.

3. In the General Properties section, enter the following:
   Name            vs_rule_txt
   Destination     10.10.1.101
   Service Port    80 (or HTTP)
   State           Enabled
4. In the Configuration section, leave all fields at their default except the following:
   HTTP Profile    http
5. In the Resources section, leave all fields at their default except the following:
   iRules          rule_txt_end

6. When complete, click Finished.

Verification through Statistics


1. Open a new browser session on your PC and direct it to your Virtual Server address and files:
a. http://10.10.1.101/file.txt
b. http://10.10.1.101/text.txt
c. http://10.10.1.101
NOTE: Currently, the request for http://10.10.1.101 should fail with an error message
(Cannot display webpage for IE and Connection reset for Firefox) because there is
no Default Pool or an else leg for the iRule. Also, files such as file.txt, text.txt and
text.one exist only on Server 1 (172.16.20.1).



2. View statistics and configuration information through:
a. Overview Section / Statistics / Choose from Statistics Type drop-down list.
b. Local Traffic Section / Virtual Servers / Statistics
c. Local Traffic Section / Pools / Statistics

3. Which node is traffic being directed to for each address above?

Add a Default Pool to the Virtual Server and Test


1. Navigate to the resources for the Virtual Server vs_rule_txt and specify pool2 as the default
pool.
2. Open a new browser, test client connections and explain your results.
a. http://10.10.1.101/file.txt
b. http://10.10.1.101/text.txt
c. http://10.10.1.101
NOTE: Now http://10.10.1.101 should work and send you to Pool2.

Add an Else leg to iRule and Test


1. Disassociate the default pool (pool2) from virtual server vs_rule_txt.
2. Change rule_txt_end to add an else leg for pool2 like:
   when HTTP_REQUEST {
       if { [HTTP::uri] ends_with "txt" } {
           pool pool1
       } else {
           pool pool2
       }
   }

3. Open a new browser, test client connections and explain your results.
a. http://10.10.1.101/file.txt
b. http://10.10.1.101/text.txt
c. http://10.10.1.101
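
The three stages of this lab (rule only, Default Pool pool2, else leg) can be modelled offline to predict where each request lands. The following is an added example, not part of the original lab guide: a Python model of rule_txt_end in which the function names and the extra test URIs are assumptions. It goes slightly beyond the lab by showing that [HTTP::uri] includes the query string, so the same comparison made against the path alone ([HTTP::path]) routes some requests differently.

```python
"""Offline model of the lab's rule_txt_end iRule (added example, not F5 code)."""
from urllib.parse import urlsplit

RESET = "connection reset"  # client-side result when no pool is selected


def rule_txt_end(uri, else_leg=False, match_on="uri"):
    """Return the pool the iRule selects, or None if it selects nothing.

    match_on="uri"  mirrors [HTTP::uri]  (path plus query string), as in the lab.
    match_on="path" mirrors [HTTP::path] (path only), a stricter variant.
    """
    subject = uri if match_on == "uri" else urlsplit(uri).path
    if subject.endswith("txt"):  # case-sensitive, like ends_with
        return "pool1"
    return "pool2" if else_leg else None


def route(uri, default_pool=None, else_leg=False, match_on="uri"):
    """Combine the iRule's choice with the virtual server's Default Pool."""
    chosen = rule_txt_end(uri, else_leg=else_leg, match_on=match_on)
    return chosen or default_pool or RESET


# The three requests made in the lab, as the URI the rule sees.
LAB_URIS = ["/file.txt", "/text.txt", "/"]

# The three configurations the lab walks through on vs_rule_txt.
STAGES = {
    "rule only": {},
    "default pool2": {"default_pool": "pool2"},
    "else leg": {"else_leg": True},
}

# Constructed URIs (not in the lab) where URI and path matching disagree,
# plus an upper-case extension that neither form matches.
EDGE_URIS = ["/file.txt?download=1", "/index.html?format=txt", "/FILE.TXT"]


def lab_results():
    """Pool chosen for each lab URI at each stage."""
    return {
        stage: [route(uri, **settings) for uri in LAB_URIS]
        for stage, settings in STAGES.items()
    }


def edge_results():
    """(pool by URI match, pool by path match) with the else leg in place."""
    return {
        uri: (
            route(uri, else_leg=True, match_on="uri"),
            route(uri, else_leg=True, match_on="path"),
        )
        for uri in EDGE_URIS
    }


if __name__ == "__main__":
    for stage, pools in lab_results().items():
        print(f"{stage:14}", dict(zip(LAB_URIS, pools)))
    for uri, (by_uri, by_path) in edge_results().items():
        print(f"{uri:26} uri-match={by_uri:6} path-match={by_path}")
```

When routing decides which servers may serve a file type, matching on the path and normalising case before the comparison keeps a query string or an upper-case extension from moving the request to the other pool.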


iRules Lab #2
Lab 2 Overview
Create and use an iRule that processes requests based on the TCP port.

Create a third Pool


1. Create pool3 that contains one member, 172.16.20.3:* (Port is All Services).

Create a Rule for TCP port


1. From the Navigation pane, expand the Local Traffic section.
2. Either select iRules and click Create or leave your mouse over iRules and then click the
sign on the flyout menu.
3. In the Properties section, enter the following:
   Name          rule_tcp_port
   Definition
       when CLIENT_ACCEPTED {
           if { [TCP::local_port] == 80 } {
               pool pool1
           } elseif { [TCP::local_port] == 443 } {
               pool pool2
           }
       }

4. When complete, click Finished.

Create a Virtual Server using this rule


1. From the Navigation pane, expand the Local Traffic section.
2. Either select Virtual Servers and click Create or leave your mouse over Virtual Servers
and then click the sign on the flyout menu.

3. In the General Properties section, enter the following:
   Name            vs_tcpport
   Destination     10.10.1.103
   Service Port    * All Ports
   State           Enabled
4. In the Configuration section, accept all defaults.
5. In the Resources section, leave all fields at their default except the following:
   iRules          rule_tcp_port
   Default Pool    pool3

6. When complete, click Finished.

Verification through Statistics


1. Open a new browser session on your PC and direct it to your Virtual Server address and files:
a. http://10.10.1.103
b. https://10.10.1.103
c. Using Putty, open an SSH session to 10.10.1.103 port 22.
NOTE: You can verify that your SSH session went to Pool3 using Statistics.
2. View statistics and configuration information through:
a. Overview Section / Statistics / Choose from Statistics Type drop-down list.
b. Local Traffic Section / Virtual Servers / Statistics
c. Local Traffic Section / Pools / Statistics

3. To which node is traffic being directed for each client request above and why?


Module 10 Labs Setting up a Redundant Pair


Lesson Objective:
During this lesson, you will learn how to set up a redundant pair of BIG-IP systems.

Setup utility
Configuring a pair of BIG-IP systems is very similar to configuring a single BIG-IP system. When
you choose Redundant Pair for the High Availability option in the setup utility, there are a few
additional parameters that must be set. You must set each system's Unit ID, specify a partner
address, and set floating (shared) IP addresses for each VLAN.

Restoring BIG-IP #1 config from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment, skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module10_Lab_begin.ucs archive and then click the Restore button. An Ok
button appears to acknowledge the restore has started. It will take a minute, but watch this
screen and you should see messages that your restore completed successfully. You might
receive one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.

13. The configuration for BIG-IP #1 should be as if you had just finished all Module9 Labs.
Please verify this is the case. Your configuration should be licensed and include five Pools,
two iRules, five Virtual Servers, and Monitors assigned to some but not all Pool Members.
No Pool Members should be marked Offline (red) or Disabled (black). Finally, the vs_https
Virtual Server should have a Source Address Persistence Profile assigned.

Configuration of BIG-IP #1 and BIG-IP #2


BIG-IP #1 should now be configured like the diagram shown below and also have Virtual Servers,
Pools, Monitors and Profiles. On the next page we will configure BIG-IP #2 from a clean system.

BIG-IP Redundant Pair Configuration


Setup of BIG-IP #2 Lab


NOTE: The second system in your lab pair is licensed but not currently configured.
Connect to https://192.168.1.246 and run the Setup Utility using the configuration
options below.

Step                          System Y
Management Port IP address    192.168.1.246
Management Port Netmask       255.255.255.0
Hostname                      bigip2.f5trn.com
High Availability             Redundant Pair
Unit ID                       2
root password                 default
admin password                admin
SSH Access                    * All Addresses

VLAN Name on 1.2              Internal
Self IP Address               172.16.1.32
Netmask                       255.255.0.0
Port Lockdown                 Allow Default
Floating IP                   172.16.1.33
Failover Peer IP              172.16.1.31
Port Association              1.2 Untagged

VLAN Name on 1.1              External
Self IP Address               10.10.1.32
Netmask                       255.255.0.0
Port Lockdown                 Allow Default
Default Gateway               Leave Blank
Floating IP                   10.10.1.33
Port Association              1.1 Untagged

Status of BIG-IP #1 and BIG-IP #2


Note: You may notice that both BIG-IP #1 and #2 are in an Active state. This is not a
desired state, but we will wait to resolve this in the next Module 11 Lab when we set up
Network Failover.


Synchronization Lab
Synchronization should always be from the system whose configuration is desired. In our case, we
wish to synchronize the BIG-IP #1 configuration to BIG-IP #2 since it has no configuration.

BIG-IP #2 configuration before Synchronization


At this point, the BIG-IP #2 should have a base configuration set with passwords, VLANs and Self
IPs. Verify the Self IPs (Network / Self IPs) for BIG-IP #2 are set to 10.10.1.xx, 10.10.1.33,
172.16.1.xx and 172.16.1.33.

Synchronizing Configuration from BIG-IP #1 to #2


1. Open a browser to https://192.168.1.245. (BIG-IP #1)
2. From the Navigation pane of the active system, expand the System section.
3. Either select High Availability and then the ConfigSync tab or use the flyout menus to
expand High Availability ConfigSync and click ConfigSync.
4. Click the Synchronize TO Peer button for a push operation to BIG-IP #2.
5. At the Synchronize this BIG-IP LTM to its failover partner prompt, click OK.
The synchronization process takes 15-60 seconds.
6. Verify your configuration was copied to the second System.

Expected Results and Troubleshooting

At this point, the BIG-IP #1 and #2 system configurations should be similar. Verify that
BIG-IP #2 has the same Virtual Servers, Pools, Profiles, Monitors and iRules as BIG-IP
#1. The License, Hostname and Self IPs (Network / Self IPs) should be different.

If the Self IPs are the same for both systems, verify the following:

The hostnames (System / Platform) should be different (bigip1 and bigip2)

If BIG-IP #2 does not have Virtual Servers from BIG-IP #1, verify the following:

Were there errors during Synchronization? (System / Logs / System)

Did you Synchronize the wrong way? (from BIG-IP #2 to #1)


Module 11 Labs High Availability


Lesson Objective:
During this lesson, you will configure failover features of a redundant pair of BIG-IP systems.

Restoring BIG-IP #1 from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment, skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module11_Lab_BIGIP1.ucs archive and then click the Restore button. An Ok
button appears to acknowledge the restore has started. It will take a minute, but watch this
screen and you should see messages that your restore completed successfully. You might
receive one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.
13. Your configuration should be as if you had just finished all Module 10 labs. Please verify
this is the case. BIG-IP #1 should be licensed and include five Pools, two iRules, five Virtual
Servers, and Monitors assigned to some but not all Pool Members. No Pool Members should
be marked Offline (red) or Disabled (black). It should have a hostname of bigip1.f5trn.com
and Self IPs (Network / Self IPs) of 10.10.1.31, 10.10.1.33, 172.16.1.31 and 172.16.1.33.


Restoring BIG-IP #2 from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.246.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment, skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip2.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module11_Lab_BIGIP2.ucs archive and then click the Restore button. An Ok
button appears to acknowledge the restore has started. It will take a minute, but watch this
screen and you should see messages that your restore completed successfully. You might
receive one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.
13. Your configuration should be as if you had just finished all Module 10 labs. Please verify
this is the case. BIG-IP #2 should be licensed and include five Pools, two iRules, five Virtual
Servers, and Monitors assigned to some but not all Pool Members. No Pool Members should
be marked Offline (red) or Disabled (black). It should have a hostname of bigip2.f5trn.com
and Self IPs (Network / Self IPs) of 10.10.1.32, 10.10.1.33, 172.16.1.32 and 172.16.1.33.


Network Failover Lab


Objectives:
During this lab, you will configure network failover.

Determining State Prior to Configuration


1. Open an SSH session to each system, 10.10.1.31 and 10.10.1.32. Press Enter repeatedly to
update the prompt. Note that both systems are in Active state because we haven't configured
Network Failover yet.
Note: The F5 virtual environment does not support the use of hardware failover cables.

Network Failover Configuration and Testing


1. This feature is not synchronized, so you must configure each system separately.
2. Navigate to System / High Availability / Network Failover.
3. On BIG-IP #1, enter the following in the Configuration section:
Network Failover: Check the box
Peer Management Address: 192.168.1.246
Unicast:
    Configuration Identifier: peer_bigip2
    Local Address: Self IP address 172.16.1.31
    Remote Address: 172.16.1.32
    Port: Blank (defaults to 1026)
Multicast: Leave Blank

4. When complete, click Update.


5. On BIG-IP #2, enter the following in the Configuration section:
Network Failover: Check the box
Peer Management Address: 192.168.1.245
Unicast:
    Configuration Identifier: peer_bigip1
    Local Address: Self IP address 172.16.1.32
    Remote Address: 172.16.1.31
    Port: Blank (defaults to 1026)
Multicast: Leave Blank

6. When complete, click Update.


7. When both systems have been set, note that the systems change to active-standby mode.
BIG-IP #2 should be the one to fall back to standby state because it is unit 2.


8. Normally you would remove the Ethernet cable but for remote labs we will disable Network
Failover on unit #2.
9. How quickly did the standby system also change to the active role?
10. If disabling Network Failover on unit #2 does not cause it to go active then you may need
to disable Network Failover on unit #1 also.
11. Note that when both systems are in active mode, both are trying to service all virtual servers,
NATs and SNATs.
12. Again, normally we would now replace the Ethernet cable but for remote labs we will enable
Network Failover again on both units.
13. Unit #2 should now fall back to standby state.

Force to Standby and Failover


1. On both BIG-IPs, navigate to System / High Availability / Redundancy.
2. Currently, BIG-IP #1 should be Active and BIG-IP #2 should be Standby.
3. On BIG-IP #1, click the Force to Standby button. Notice that BIG-IP #1 falls back to
Standby state, and BIG-IP #2 takes over the Active role.


Connection Mirroring Lab


Objective:
During this lesson, you will learn how to configure connection mirroring.

Lab Requirements:
A working Active / Standby redundant pair of BIG-IPs.

Create an ssh Pool


1. Create a Pool with the following characteristics, Configuration section:
Configuration Level: Basic
Name: ssh_pool
Health Monitors: Leave Blank

2. In the Resources section, enter the following:
Load Balancing Method: Round Robin
Priority Group Activation: Disabled
New Members (for each, enter Address and Service Port and press Add):
    172.16.20.1 port 22
    172.16.20.2 port 22
    172.16.20.3 port 22

3. When complete, click Finished.

Create a Virtual Server that uses this pool


4. Create a Virtual Server with the following characteristics, General Properties section:
Name: vs_ssh
Destination: 10.10.1.100
Service Port: 22 (or SSH)
State: Enabled

5. In the Configuration section, accept all defaults.


6. In the Resources section, accept all defaults except the following:
Default Pool: ssh_pool

7. When complete, click Finished.

Synchronize the configuration


1. Synchronize from the same system (System / High Availability / ConfigSync) and click the
Synchronize TO Peer button.
2. Click OK when prompted.


Testing before Mirroring


1. Using an SSH client, such as Putty, open an SSH session to: 10.10.1.100:22.
2. Login as student / student.
3. Test your connection by typing ls <enter> or similar command.

Perform Failover
1. Force the Active system to standby (System / High Availability / Force to Standby).
2. Notice that the SSH connection has been lost.

Testing with Connection Mirroring enabled


1. From the same system's Navigation Pane, click Local Traffic / Virtual Servers and select
the SSH virtual server.
2. Select Advanced from the Configuration menu.
3. Check the Connection Mirroring checkbox.
4. Click Update to set changes.
5. Synchronize from the same system (System / High Availability / ConfigSync) and click the
Synchronize TO Peer button.
6. Click OK when prompted.

Establish a new SSH connection and Failover again


1. Using an SSH client such as Putty open an SSH session to: 10.10.1.100:22.
2. Login as student / student.
3. Test your connection by typing ls <enter> or similar command.
4. Force the Active system to standby. (System / High Availability / Force to Standby).
5. Test your connection by typing ls <enter> or similar command. Note the connection is
maintained.


Persistence Mirroring Lab


Objective:
During this lesson, you will learn how to activate persistence mirroring for a pool where simple
persistence is enabled.

Lab Requirements:
You must have a virtual server and pool appropriate for persistence other than cookie persistence.

Behavior Prior to Configuring Persistence Mirroring


Configure Persistence, Establish an https session
1. From the Navigation Pane, expand the Local Traffic section.
2. Select Virtual Servers and the virtual server vs_https.
3. Select the Resources tab, and ensure that Pr_Src_Persist is still listed as the Default
Persistence Profile.
4. Select Local Traffic / Profiles / Persistence and the Pr_Src_Persist profile. Set the
Timeout value to 30 seconds and click Update.
5. Synchronize from the same system (System / High Availability / ConfigSync / Synchronize
TO Peer).
6. Open a browser session to: https://10.10.1.100.
7. Ensure your session persists by hitting the <Ctrl>-F5 key combination several times.

View the Persistence Record


1. View the persistence records on both systems.
a. From the Configuration Utility, Navigate to Overview / Statistics. In the Display
Options section, choose Persistence Records.
b. From the Command Line, enter: b persist all show all
2. On the active system, you should see a record. On the standby, you should not.
3. Re-enter this command several times and notice the Age of the record changes.
4. Let the Age count up to 30 seconds and then re-enter the command again. What happened to
the persistence record?
5. Refresh the https://10.10.1.100 browser session again and then re-enter the command again.
Did the Age count start over?


Perform Failover
1. Force the Active system to standby. (System / High Availability / Redundancy / Force to
Standby).
2. Refresh the session to https://10.10.1.100. While there is some chance the same node may
be chosen, the https session does not persist to the same server. If it does seem to persist to
the same node, failover again and test. You may need to refresh by pressing Ctrl-F5 to ensure
the browser does not simply display its cache.

Configuring Persistence Mirroring and Testing Subsequent Behavior


1. From the Navigation Pane, select Local Traffic menu, Profiles option, Persistence tab, and
then click the Pr_Src_Persist profile.
2. Check the Custom box for Mirror Persistence, check Enabled, and then click Update.
3. Synchronize from the same system (System / High Availability / ConfigSync / Synchronize
to Peer).
4. Make sure to check that the Mirror Persistence option was set on the other System for the
Pr_Src_Persist profile.

Re-establish the https session, failover and retest


1. Open a browser session to https://10.10.1.100.
2. Ensure your session persists by pressing Ctrl-F5 several times.
3. Force the Active system to standby. (System / High Availability / Redundancy / Force to
Standby).
4. Refresh the browser session to https://10.10.1.100. Notice that the https session does persist
to the same server.
5. View the persistence records on both systems.
a. From the Configuration Utility, Navigate to Overview / Statistics. In the Display
Options section, choose Persistence Records.
b. From the Command Line, enter: b persist all show all
6. You should see a persistence record on both systems.
7. Re-enter this command several times and notice the Age of the record for each system. Does
the Age remain the same on both Systems?
8. Refresh the https://10.10.1.100 browser session again and then re-enter the command again.
Explain the Age count on each system.
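
The behaviour this lab walks through (a record only on the active unit, the 30 second timeout, and the effect of Mirror Persistence on failover), modelled in Python. This is an added illustration, not BIG-IP code and not part of the original guide. The class and function names, the second client 10.10.2.7, round robin for new records, expiry once the age reaches the timeout, and copying the record to the peer on every hit are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field

TIMEOUT = 30            # seconds, the Pr_Src_Persist timeout set in this lab
MASK = "255.255.255.0"  # source-address mask from the Lab Project profile table
HTTPS_POOL = ["172.16.20.1:443", "172.16.20.2:443", "172.16.20.3:443"]


@dataclass
class Unit:
    """One BIG-IP of the pair: its own persistence table and load-balancing state."""
    name: str
    records: dict = field(default_factory=dict)  # key -> (member, time of last hit)
    next_member: int = 0                         # round robin position (assumed)

    def live_record(self, key, now):
        """Return the record for key, dropping it first if it has timed out."""
        rec = self.records.get(key)
        if rec is not None and now - rec[1] >= TIMEOUT:
            del self.records[key]
            rec = None
        return rec


class Pair:
    """Active/standby pair; mirror models the Mirror Persistence checkbox."""

    def __init__(self, mirror):
        self.mirror = mirror
        self.active, self.standby = Unit("bigip1"), Unit("bigip2")

    @staticmethod
    def key(client_ip):
        # Source-address persistence keys on the client address after masking.
        net = ipaddress.ip_network(f"{client_ip}/{MASK}", strict=False)
        return str(net.network_address)

    def request(self, client_ip, now):
        """Handle one client request on the active unit and return the member used."""
        unit, key = self.active, self.key(client_ip)
        rec = unit.live_record(key, now)
        if rec is None:                      # no record: make a fresh decision
            member = HTTPS_POOL[unit.next_member % len(HTTPS_POOL)]
            unit.next_member += 1
        else:                                # record found: stick to its member
            member = rec[0]
        unit.records[key] = (member, now)    # every hit restarts the Age count
        if self.mirror:                      # assumed: peer copy made on each hit
            self.standby.records[key] = (member, now)
        return member

    def force_to_standby(self):
        self.active, self.standby = self.standby, self.active

    def age(self, unit, client_ip, now):
        """Age of the client's record on the given unit, or None if there is none."""
        rec = unit.live_record(self.key(client_ip), now)
        return None if rec is None else now - rec[1]


def failover_scenario(mirror):
    """Return (member before failover, record age on standby, member after failover)."""
    pair = Pair(mirror)
    pair.request("10.10.2.7", now=0)             # constructed second client
    before = pair.request("10.10.1.30", now=1)   # the lab workstation
    standby_age = pair.age(pair.standby, "10.10.1.30", now=5)
    pair.force_to_standby()
    after = pair.request("10.10.1.30", now=10)
    return before, standby_age, after


if __name__ == "__main__":
    for mirror in (False, True):
        print("mirror =", mirror, failover_scenario(mirror))
```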


Configuration Lab Project


Lab Objectives:
During this lab, you will work with many of the concepts that you learned in Modules 1 to 8. In
Modules 1 through 8, the Lab steps were very specific and told the student exactly what to do. One
of the objectives of this Lab Configuration Project is to see if the student remembers how to configure
each feature. Therefore the lab steps in this Configuration Project are not specific but rather given at
a much higher level. Another objective of this Configuration Project is to give the student an
opportunity to configure all features together rather than individually. Upon completion, you will
have configured a BIG-IP system with working virtual servers, profiles, monitors and pools.
There are two stages to this lab:
1. Create new pools, profiles, monitors and virtual servers.
2. Verify the configuration works as expected.

Restoring a Configuration from previous Lab


1. After connecting to F5 Training Lab, open a browser to https://192.168.1.245.
2. When prompted, login as admin with a password of admin.
3. If you have an existing lab environment from Lab 8, then skip to step 10 below.
4. If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.
5. On both the License and Resource Provisioning screens click Next.
6. On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change
High Availability setting to Redundant Pair.
7. Enter a Root Account password of default twice and an Admin Account password of
admin twice and then click Next.
8. You will be prompted to login again because of changing the Admin password.
9. After logging in, click the Finished button under Advanced Network Configuration.
10. From the Navigation pane, expand the System section, then select Archives.
11. Click the Module2_Lab_begin.ucs archive and then click the Restore button. An Ok button
appears to acknowledge the restore has started. It will take a minute, but watch this screen
and you should see messages that your restore completed successfully. You might receive
one error message but that is ok and is due to the F5 Training Lab environment only.
12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning
takes effect. Select System / Configuration and click the Reboot box under Operations.
13. After Restore and Reboot, your configuration should be as if you had just finished all Module
1 labs. Please verify this is the case. Your configuration should be licensed, include 2
VLANs (Network / VLANs) named external and internal and have 4 self IPs (Network /
Self IPs) at 10.10.1.31, 10.10.1.33, 172.16.1.31 and 172.16.1.33 configured.

Reconfigure the BIG-IP LTM System


A. Create Monitors according to the following table
Name: my_http
Type: http
Settings: Interval 5, Timeout 16; Receive String Server; others leave at defaults
Associations: http_pool (once pool is created, below)

B. Assign Monitors according to the following table


Name: icmp (Default Monitor)
Type: icmp
Settings: Use all default settings
Associations: Node Default

C. Create Pools according to the following table


Name: ssh_pool
Load Balance: Round Robin
Members (Address, Port, Ratio, Priority):
    172.16.20.1, 22, 1, 1
    172.16.20.2, 22, 1, 1
    172.16.20.3, 22, 1, 1

Name: http_pool
Load Balance: Ratio Member; Priority Group Activation Less than 2
Members (Address, Port, Ratio, Priority):
    172.16.20.1, 80, 2, 1
    172.16.20.2, 80, 2, 4
    172.16.20.3, 80, 1, 4
Monitors: my_http

Name: https_pool
Load Balance: Round Robin
Members (Address, Port, Ratio, Priority):
    172.16.20.1, 443, 1, 1
    172.16.20.2, 443, 1, 1
    172.16.20.3, 443, 1, 1

D. Create Profiles as listed in the following table


Name: Pr_Src_Persist
Profile: Persistence
Type: Source Address
Parent Profile: source_addr
Settings: Timeout of 30 seconds and mask of 255.255.255.0

Name: Pr_SSL_term
Profile: SSL
Type: Client
Parent Profile: clientssl
Settings: Certificate of TestCertificate and a Key of TestCertificate


E. Create Virtual Servers according to the following table


NOTE: Remember that Persistence Profiles are configured on the Resources tab of the
Virtual Server and all other Profile types on the Properties tab.
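
Name: vs_ssh
IP Address: 10.10.1.100
Port: 22
Resources: ssh_pool
Profiles & SNAT: Defaults only

Name: vs_http
IP Address: 10.10.1.100
Port: 80
Resources: http_pool
Profiles & SNAT: SNAT Automap

Name: vs_https
IP Address: 10.10.1.100
Port: 443
Resources: https_pool
Profiles & SNAT: Pr_Src_Persist

Name: vs_ssl
IP Address: 10.10.1.102
Port: 443
Resources: http_pool
Profiles & SNAT: Pr_SSL_term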

Save your new configuration


1. Backup your new configuration as Lab_Project.ucs.


Verification

1. Activity: Open a Browser and connect to http://10.10.1.100. Refresh the screen 5-10 times.
Questions: Are you load balancing? Why or why not?

2. Activity: Open a Browser and connect to https://10.10.1.100. Refresh the screen 5-10 times. View the node statistics.
Questions: Working? Are you load balancing? Why or why not?

3. Activity: Open a Putty SSH session to 10.10.1.100:22. After connecting, login with User-id: student, Password: student. View the node statistics.
Questions: Were you able to connect? Which node did you connect to? Do you have an open connection?

4. Activity: Open a Browser and connect (again) to https://10.10.1.100. Refresh the screen 5-10 times. View the node statistics.
Questions: Are you load balancing? Why or why not? Are you connecting to the same node as you did in test 2, above?

5. Activity: Open a Browser and connect to both https://10.10.1.100 and http://10.10.1.100. Click the link to show source address.
Questions: What is your source address for http and https? Why are they different?

6. Activity: Open a Browser and connect to https://10.10.1.102.
Questions: Is the session secure? Is the data from BIG-IP LTM to the Server encrypted?


Review Questions
1. Which admin users' passwords are changed by the BIG-IP setup utility, and what access do
they have?

2. What is a node? A pool and pool member? A profile? A virtual server?

3. List the load balancing modes.

4. How are monitors created, and what can they be assigned to?

5. If a particular node is in a node disabled condition, will any types of client requests still be
directed to that pool member?

6. What is the difference between the client SSL and server SSL Profiles?

7. Why would you use SNATs?


Answers to Configuration Project Questions


1. Activity: Refresh http://10.10.1.100
Questions: Are you load balancing? Why or why not?
Answers: Yes, but should only be using Nodes 20.2 & 20.3 because they have higher priorities for Priority Group Activation.

2. Activity: Refresh https://10.10.1.100
Questions: Are you load balancing? Why or why not?
Answers: Actually this is a trick question. The first request is load balanced but subsequent requests within the 30 second timeout window should persist to same Node.

3. Activity: SSH to: 10.10.1.100:22. Login with user ID and password of student. View the node statistics.
Questions: Did you connect? Which node did you connect to? Do you have an open connection?
Answers: Should have connected ok. You have to go to statistics to figure out which node and your SSH connection remains open until you exit putty or logoff.

4. Activity: Refresh (again) https://10.10.1.100
Questions: Are you load balancing? Why or why not? Are you connecting to the same node as 2 steps above?
Answers: Your previous 30 second persistence record should have timed out by now. The first request should go to a different member than previous session and then should persist for another 30 seconds.

5. Activity: For both https and http, click link source address.
Questions: What is source address for http and https? Why are they different?
Answers: http should have a source IP of 172.16.1.33 because of SNAT Automap, and https should have a source IP of 10.10.1.30.

6. Activity: Browser session to https://10.10.1.102
Questions: Is the session secure? Is the data encrypted from the Server to the BIG-IP LTM?
Answers: The session should be secure (using https) from client PC to BIG-IP, then unencrypted (http) from BIG-IP to Server.
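
The answer about http_pool follows from two of its settings in the pool table: Priority Group Activation "Less than 2" and the Ratio (Member) method. The Python sketch below is an added illustration, not BIG-IP code and not part of the original guide; the function names, the treatment of a threshold of 0 as Disabled, and the order in which a ratio cycle hands out requests are assumptions (only the proportions are meant to match).

```python
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Member:
    address: str
    ratio: int
    priority: int
    up: bool = True   # False models a member marked down by its monitor


# http_pool exactly as listed in the Lab Project pool table.
HTTP_POOL = [
    Member("172.16.20.1:80", ratio=2, priority=1),
    Member("172.16.20.2:80", ratio=2, priority=4),
    Member("172.16.20.3:80", ratio=1, priority=4),
]


def eligible(members, min_active):
    """Members that receive traffic with Priority Group Activation 'Less than min_active'.

    Start with the highest priority group; while fewer than min_active
    available members have been collected, add the next lower group.
    min_active = 0 models the Disabled setting: priority is ignored.
    """
    available = [m for m in members if m.up]
    if min_active == 0:
        return available
    chosen = []
    for prio in sorted({m.priority for m in available}, reverse=True):
        chosen += [m for m in available if m.priority == prio]
        if len(chosen) >= min_active:
            break
    return chosen


def distribution(members, min_active, requests):
    """Count requests per member when the eligible members share load by ratio."""
    cycle = [m.address for m in eligible(members, min_active) for _ in range(m.ratio)]
    if not cycle:
        return {}
    return dict(Counter(cycle[i % len(cycle)] for i in range(requests)))


def with_member_down(members, address):
    """Copy of the pool with one member marked unavailable."""
    return [replace(m, up=False) if m.address == address else m for m in members]


if __name__ == "__main__":
    # All members up: only the two priority 4 members are used, 2:1 by ratio.
    print(distribution(HTTP_POOL, 2, 9))
    # 172.16.20.3 down: one priority 4 member is fewer than 2, so the
    # priority 1 member 172.16.20.1 is activated as well.
    print(distribution(with_member_down(HTTP_POOL, "172.16.20.3:80"), 2, 8))
```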


Answers to Review Questions


1. Which admin users' passwords are changed by the BIG-IP setup utility, and what access
do they have (web GUI or Command Line)?

root and it should have access only to command line not the web GUI.

admin and it should initially have access only to the web GUI, but command line
access can be added

2. What is a node? A pool and pool member? A virtual server?

A Node is only the IP Address of a server, whereas a Pool Member typically contains both IP
Address and Port.

A Pool is a group of Pool Members, and the Virtual Server is the client representation of
the application. Clients seldom know there are multiple Pool Members behind a Virtual.

3. List the load balancing modes.

Round Robin is the default load balancing mode but we can also use Ratio, Least
Connections, Fastest, Observed and Predictive.

F5 Networks continues to add new features to BIG-IP LTM including new load balancing
modes, so you might see more depending on what version you are running.

4. How are monitors created, and what can they be assigned to?

Just like other objects, they are created by selecting Monitors and clicking the create
button or the sign from the flyout menu.

Monitors also need to be assigned before they will be used. Monitors can be assigned to
all Nodes or an individual Node, or at the Pool level or to an individual Pool Member

5. If a particular node is in a node disabled condition, will any types of client requests still
be directed to that pool member?

Yes, client requests can still be directed to a disabled Node if there is still a persistent
session (i.e. within the timeout window)

On the other hand, if the Node is administratively Forced Offline rather than Disabled
then no more client requests will be sent until the Node is Enabled again.

6. What is the difference between the client SSL and server SSL Profiles?

The Client SSL Profile encrypts (https) network traffic between the client and BIG-IP.

The Server SSL Profile encrypts (https) network traffic between BIG-IP and the servers.

7. Why would you use SNATs?

SNATs are used to fix or assist with routing issues. There are MANY ways a SNAT can
be used to resolve the many different types of routing issues; two are listed below.

RFC1918 (non-routable) client traffic outbound to the internet.

Pool Members' default route cannot be pointed at BIG-IP; remember that if BIG-IP changes
an IP Address, then the response packet must return through BIG-IP.


Appendix A:
F5 Networks the Company and its Products
As the pioneer in Application Delivery Networks, F5 continues to lead the industry by driving more
intelligence into the network to deliver advanced application agility. F5 products ensure the secure
and optimized delivery of applications to any user, using any device, anywhere in the world. Through
its flexible and cohesive architecture, F5 delivers unmatched value by improving the way
organizations serve their employees, customers and constituents, while dramatically lowering
operational costs.
F5's application delivery network products provide:
Application Optimization

F5's architecture automatically assigns every application the right mix of availability,
security, and performance at the network level, further optimizing their performance.
Application Security

F5's Application Traffic Management architecture supports integrated security features


that protect the delivery of applications by enforcing security policies at the edge of the
network, before a session is allowed.
Application Delivery

F5's architecture delivers the raw horsepower, based on tightly integrated security,
availability, scalability - all of which work together to deliver exceptional throughput and
transaction performance.

F5 Product Suite Overview


F5 products address the three main areas of Application Delivery Networking: Application Security,
Application Optimization and Application Availability.
Regardless of your network application pain, F5 has a solution. In addition, because we recognize that
each network issue has an impact upon other critical areas, F5 products share powerful attributes
across the industry's only integrated platform - TMOS. TMOS includes the iControl API, which
allows F5 products to communicate with each other and implement extremely flexible policies in the
form of iRules. An active developer community, unique to F5, creates and shares customized iRules
for enforcing virtually any kind of application-delivery behavior.
The result is elegant and powerful solutions to protect you from security threats, network failures and
traffic congestion, while putting in place architecture for the future.


F5 Products include:
BIG-IP Local Traffic Manager (LTM)
BIG-IP Global Traffic Manager (GTM)
BIG-IP Link Controller (LC)
BIG-IP Application Security Manager (ASM)
BIG-IP Access Policy Manager (APM)
BIG-IP WebAccelerator (WAM)
BIG-IP WAN Optimization (WOM)
Enterprise Manager (EM)
FirePass
ARX
BIG-IP Edge Gateway

BIG-IP - Traffic Management


From basic local and wide area load balancing, to link traffic management, to applications that require
special handling and augmented security, F5 has the solution to fit every business need, and every
business budget.

BIG-IP Local Traffic Manager (LTM)


Network intelligence on a cost-effective, integrated SSL hardware platform for
flexible, fast, secure IP-centric traffic management
BIG-IP LTM is a local area application traffic management solution. BIG-IP LTM provides the
benefits of traffic management, traditionally reserved for Web-only applications, to all IP based
applications and Web services. BIG-IP LTM ensures business continuity, security and performance
by intercepting, inspecting, transforming, and directing application and Web services requests, based
on values found in the header or payload. BIG-IP LTM products also include SSL acceleration to
offload this processing-intensive function from the application servers themselves, increasing
application performance.

BIG-IP Global Traffic Manager (GTM)


Wide-area network high-availability, intelligent load balancing
The BIG-IP GTM System provides wide-area traffic management and high availability of IP
applications/services running across multiple data centers. With GTM, businesses can ensure optimal
reliability and fast performance across all of their Internet sites, no matter where they are in the world.
GTM adds intelligence to standard DNS, and ensures that end users are sent to a site that is available
and provides the best response. Its unique intelligence can examine the health of data centers, the
network, and the geography of users, then direct traffic based on customizable business rules.


BIG-IP Link Controller (LC)


High availability and intelligent routing for multi-homed networks
As enterprises increase their use of the Internet to deliver their business-critical applications,
maintaining only one link to the public network represents a single point of failure and serious
network vulnerability. The BIG-IP Link Controller monitors availability and performance of
multiple WAN connections to intelligently manage traffic flows to and from a site - providing fault
tolerant, optimized Internet access.

BIG-IP Application Security Manager (ASM)


Web Application Firewall
BIG-IP ASM provides comprehensive security for IP-based applications and services, protecting
them against known and unknown external threats at the network and application layers. ASM is an
Application Firewall, a new class of device that protects applications from hackers and other
malicious attacks.
ASM offers several modules for filtering out malicious requests, scrubbing data sent to users, and
cloaking application infrastructure. The core functionality is a powerful application firewall that
checks every user request against a known set of user interactions with the Web application, rejecting
any request not known to be legal.
Unlike network firewall products that focus on protecting against network level attacks or pure
Intrusion Prevention Systems that focus on preventing ever increasing quantities of known attacks,
ASM offers organizations a complete Web application protection system capable of blocking a broad
range of network and Web application attacks.

BIG-IP Access Policy Manager (APM)


Simplified web access management
BIG-IP APM provides policy-based, context-aware access to users while simplifying authentication,
authorization, and accounting (AAA) management. By providing full AAA control directly on the
BIG-IP System, BIG-IP APM enables users to consolidate access infrastructure, reduce authentication
and authorization costs, and scale to support thousands of users simultaneously.
BIG-IP APM provides dynamic access control by creating L4 and L7 access control lists (ACLs)
based on user identity, IP address, and attributes such as group membership pulled from the directory.
In regards to authentication, BIG-IP APM supports Active Directory, Radius, Native RSA SecurID,
and LDAP accounting as well as authentication redundancy.


BIG-IP Web Accelerator (WAM)


Application Optimization
Mobile workers access enterprise applications from coffee shops, airports and offices. These workers
expect their web applications (e-mail, ERP, sales force automation) to perform well in all locations.
If any part of the application delivery system falters, end-to-end performance degrades and
productivity suffers.
BIG-IP WebAccelerator is an advanced application delivery solution that provides superior web
application performance for mobile workers. WebAccelerator speeds up web applications such as
Hyperion, Peoplesoft, Plumtree, SAP, Siebel and others, often increasing performance by
200% to 500%.

BIG-IP WAN Optimization (WOM)


Optimize and accelerate mission-critical applications across the WAN
BIG-IP WOM overcomes network and application issues on the WAN to ensure that all users get the
application availability and performance they need to stay productive. These services are integrated
directly on BIG-IP Systems and include superior compression, encryption, and traffic control
capabilities that dramatically reduce bandwidth usage and enable users to improve quality of service
for the critical applications that drive businesses.
Key benefits of WOM are:
Encrypt and accelerate data between multiple BIG-IP devices
Reduce server usage and save on costly bandwidth upgrades with superior compression and TCP
optimization
Accelerate applications across the WAN to improve user performance and scalability

Enterprise Manager (EM)


Simplified multi-F5 device management and control
Enterprise Manager (EM) provides a single, centralized management and operational interface for F5
devices. It makes configuring and managing multiple F5 devices easy by allowing administrators to
effect changes across many devices or objects, reducing overhead and saving time. With Enterprise
Manager, you will:
Reduce your labor costs for managing multiple F5 devices
Archive and safeguard device configurations for contingency planning
Easily and quickly roll-out software upgrades and security patches
Receive alerts that help you keep a healthy environment and take proactive actions


FirePass
SSL VPN Remote Access
F5's FirePass Controller provides secure remote access to corporate applications and data via standard
Web browser technology. It enables companies to extend secure remote access to anyone connected
to the Internet using desktops, laptops, PDAs, kiosks and more - while eliminating the need for
complex IPSec VPNs. FirePass is the first SSL VPN solution with complete cross-platform support.
Extending its support for any IP application to Macintosh, PocketPC and Linux clients, in addition to
Windows, and expanding client and application security for Web, email and file application access,
FirePass supports access to Web hosts, terminal servers, client-server applications, legacy hosts,
mobile devices and Windows desktops, without pre-installed client software.

ARX
Intelligent File Virtualization
Information Lifecycle Management (ILM) holds tremendous promise for the enterprise, yet its
adoption has been slowed by factors such as proprietary vendor approaches, complexity and lack of
internal coordination. Increasingly enterprises are using intelligent file virtualization to create storage
tiers and to use those tiers more efficiently, without many of the drawbacks associated with traditional
ILM approaches. Intelligent file virtualization offers a simple, open approach to automated storage
tiering that can be deployed rapidly to provide a dramatic positive economic impact to enterprises.

BIG-IP Edge Gateway


Delivers secure and accelerated remote access to applications
As more mobile and remote workers access applications and data from many different devices and
locations, ensuring fast application performance for remote users is a growing concern for IT
organizations.
BIG-IP Edge Gateway is an access solution that brings together SSL VPN remote access, security,
application acceleration, and availability services for remote users. BIG-IP Edge Gateway drives
identity into the network to provide context-aware, policy controlled, secure remote access to
applications at LAN speed.

iControl SDK
Software Development Kit
The iControl architecture and SDK provide an interface between third party solutions and F5's suite
of products. This interface creates the opportunity for application developers, ISVs, hardware
manufacturers, service providers, and others to add value to their solutions by allowing
direct communication with our suite to create a true application-aware network. For more
information, please visit http://devcentral.f5.com.


Appendix B


F5 Customer Support
Network Support Center
F5 Technical Support is designed to remotely assist you with specific break-fix issues regarding
ongoing maintenance of your F5 products. All F5 products come with a one year manufacturer's
hardware warranty and 90 days of software media warranty. Technical support is limited to F5
products with active support contracts. Subscribers who require additional levels of support from our
support team may opt to upgrade to Premium Support, which includes 24 x 7 support.

Ask F5
Ask F5 is an online knowledgebase accessible 24x7 through our technical support website. Ask F5
gives you real-time access to in-depth product and technical support information, by providing a
simple, English language query-based search. Ask F5 provides unlimited access at no additional
charge for all F5 customers covered under an F5 annual service agreement.

Web Support Portal


The F5 Web Support Portal provides you with more flexibility and better, faster access to F5 support,
24 x 7. Quickly initiate new support cases, immediately receive an automated case number, read case
details and updates on your open cases, upload troubleshooting attachments, and more. You never
have to remember phone numbers or wait on hold, and online help is always available.

DevCentral
DevCentral is a community of experienced F5 users who regularly post answers based on real-life
knowledge. To assist DevCentral members, F5 provides technical documentation, tips, access to free
sample downloads, and a confidential discussion forum for receiving answers to technical questions.
DevCentral is free of charge to our customers for building iRules and iControl applications, and the
forum is monitored by F5 engineers and experts who offer assistance on technical questions including
design, architecture, troubleshooting, and general assistance with building iRules and iControl
applications.

Documentation for Support


Commonly requested documents
NOTE: Solution ID SOL135 has been copied here from the Ask F5 database for reference
purposes.

Solution ID: SOL135


Information required for opening a BIG-IP LTM or BIG-IP GTM support case


F5 Networks Technical Support can help resolve problems more quickly when you provide a full
description of the problem and the details of your configuration. To help you gather all the required
information, use the following guidelines to prepare for opening a case.

General Information
Provide the following information when you open a case with F5 Networks Technical Support:
- A full description of the problem, including the following:
    - The symptoms of the problem.
    - The approximate time the problem first occurred.
    - The number of times the problem has recurred.
    - Any error output provided by the system.
    - Steps to reproduce the problem.
    - Any changes you made to the system before the problem first occurred.
    - Any steps you have attempted to solve the problem.
- A description of the impact the problem is having on your site, using the following definitions:
    - Site Down - Your network or application is down or critical business functions have stopped due to the problem.
    - Site at Risk - Your network or application is severely and negatively impacted by the problem.
    - Performance Severely Degraded - The performance of your network or application has been severely reduced due to the problem.
    - Performance Impaired - Your network or application is suffering from reduced performance, but otherwise continues to work as expected.
    - General Assistance Required - The subject of the case does not currently impact your network or application.
- The hours that you are available to work on the problem and any alternative contacts that can work on the problem if you are not available.
- Remote access information, if possible.

Remote access to your network environment is important, because it is the most effective method for
collecting information and troubleshooting technical issues. If you cannot provide remote access, F5
Networks Technical Support will work directly with you to resolve the issue over the phone;
however, this method can often be more time consuming and may require file transfers, replication,
and additional testing.

Product specific information


Collect the following information from the affected system(s) and provide it when you open the case.
For information about sending this information to F5 Networks, refer to SOL2486: Providing files to
F5 Networks Technical Support.


tech.out file
A tech.out file contains the configuration files that F5 Networks Technical Support most frequently
needs when troubleshooting a problem. A tech.out file is produced by the qkview utility and the terms
tech.out and qkview may be used interchangeably.
For more information about qkview, refer to SOL1858: Overview of the qkview utility.

Log files
The tech.out file contains the log files for the last day. If the problem has existed for more than a day,
provide all the log files on the system, by performing the following steps:
1. Log in to the command line.
2. Change directories to the /var/log directory, by typing the following command:
    cd /var/log
3. Place all of the log files in a tar archive, by typing the following command:
    tar -czpf /var/tmp/logfiles.tar.gz *
   This command will create a tar archive named logfiles.tar.gz in the /var/tmp directory.
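
The same collection step written as a reusable function, added here as an example (it is not part of SOL135 or any F5 tooling). The helper name collect_logs and its arguments are assumptions; it creates the archive readable only by its owner, tolerates GNU tar's exit status 1 for log files that change while being read, and prints an MD5 digest that can be quoted in the support case.

```shell
#!/bin/sh
# Added example: archive a log directory for a support case.
# collect_logs is a hypothetical helper name, not an F5 command.

# collect_logs LOGDIR OUTFILE
# Prints the MD5 digest of the archive on success.
# Returns 0 on success, 1 if the archive could not be created or read back,
# 2 if LOGDIR is not a directory.
collect_logs() {
    logdir=$1
    out=$2

    [ -d "$logdir" ] || { echo "not a directory: $logdir" >&2; return 2; }

    # Remove any earlier archive so the new file gets fresh permissions.
    rm -f -- "$out"

    # umask 077 inside a subshell: the archive is created with mode 0600
    # without changing the caller's umask. -C avoids depending on the
    # current directory and, unlike "*", also picks up dot files.
    rc=0
    ( umask 077 && tar -czpf "$out" -C "$logdir" . ) || rc=$?

    # GNU tar exits 1 when a file changed while it was being read, which is
    # normal for live logs; 2 or higher is a real failure.
    if [ "$rc" -gt 1 ]; then
        echo "tar failed with status $rc" >&2
        return 1
    fi

    # Read the archive back to confirm it is complete before sending it.
    tar -tzf "$out" >/dev/null 2>&1 || { echo "archive unreadable: $out" >&2; return 1; }

    md5sum "$out" | awk '{ print $1 }'
}

# Usage on the system described above:
#   collect_logs /var/log /var/tmp/logfiles.tar.gz
```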

Packet traces
If the problem involves the network, perform a packet trace while the problem is occurring and
provide the packet trace when you open the case.
For more information about performing packet traces with tcpdump, refer to SOL2246: Performing a
packet trace and providing the results to F5 Networks Support.

UCS archive
If you cannot give F5 Support remote access to your system, you must provide a UCS archive of the
current configuration. For more information, refer to SOL2250: Overview of UCS archives.

Core files
Core files contain the contents of the system memory at the time a crash occurred. If the system has
been configured to save core files, they will be located in the /var/savecore directory. Provide any
existing core files when you open the case.
If the system is crashing and has not yet been configured to save core files, configure it so that a core
file will be saved the next time the crash occurs.
For more information, refer to the following Solutions:
For switch appliances: SOL2226: Saving core files on BIG-IP or 3-DNS Controllers that have limited
disk space
For server appliances and blade controllers: SOL266: Configuring the BIG-IP or 3-DNS Controller to
save a core dump


tcpdump
tcpdump is one of the main troubleshooting tools used by the F5 Networks Support group to
determine what is happening on a BIG-IP LTM System.

Functions and Syntax


tcpdump is a Unix command line interface (CLI) utility available on the BIG-IP LTM System. You
can run tcpdump with or without a variety of options, which offer a view of packets entering and
leaving the interfaces and/or VLANs on a BIG-IP LTM System. tcpdump is the primary command line
utility used for troubleshooting packet flow on the BIG-IP LTM System as well as other network
devices. Acting as a network analyzer, tcpdump allows network traffic to be seen on the screen in
real time or recorded to a file for playback later. tcpdump has several syntax options and allows
the use of expressions to view specific types or amounts of traffic. A single session of tcpdump
will monitor only one interface at a time. However, instances may be run simultaneously, allowing
multiple interfaces to be viewed.
An example of common tcpdump syntax follows:
    tcpdump -i external host 172.16.1.100 and port 80
This command causes tcpdump to monitor the external interface for any packets with a source or
destination IP address of 172.16.1.100 and a source or destination port of 80, and to display them
on the screen. The general syntax is:
    tcpdump switches filters
If you include multiple filters, they must be separated by Boolean operators such as and, or, and
not.
The table below lists some options for tcpdump.
Parameter         Type     Meaning
-i <interface>    Switch   Specifies the interface to use. The first interface (often external) is the default if this parameter is omitted.
-i <VLAN>         Switch   Specifies the VLAN to use.
-e                Switch   Displays MAC addresses.
-n                Switch   Disables name resolution to enable display of IP address and port numbers instead of names.
-X                Switch   Displays packets in hex and decodes in ASCII.
-s <value>        Switch   Specifies the number of bytes of each packet to display. Default is 76.
-w <value>        Switch   Writes output to the specified file.
-r <value>        Switch   Reads from the specified file.
host <ip>         Filter   Displays packets either to or from that host.
<protocol>        Filter   ICMP, UDP, ARP, etc.
port <port>       Filter   Displays packets either to or from the specified port.


Saving Data to File


There are two methods to store tcpdump output to a file. The recommended method stores the data in
a compressed format so that other utilities, such as Ethereal or Wireshark, can read the file.
Example:
    tcpdump -w <filename> host 10.10.10.30 and port 80

F5 Professional Services
F5 Professional Services executes on the company's paradigm of innovation by delivering a full-range
of consulting services, including planning, design, deployments, upgrades, migrations, optimization
and application verification to ensure a highly available, scalable and secure infrastructure.

Design and Planning Services


Maximize your return on product investment. Allow our Professional Consultants to design an
optimal network architecture and create a comprehensive deployment plan to put it into production.
We design efficiency, flexibility, scalability and security into each and every project to fit your
business needs, utilizing F5 best practices for physical and logical topology and application traffic
management.

Installation Services
An F5 professional Consultant will work to ensure your F5 product is installed and running as
efficiently as possible. Network topology, load balancing design review, application tuning and
product orientation are included in this service. Network performance tuning and comprehensive
product training are not included.

Optimization Services
F5 Consultants can help you leverage the true power of advanced product features such as
compression, caching, and traffic shaping. Network performance tuning and application tuning are
also offered to optimize your F5 deployment.

Application Deployment Services


Get the most out of your load balanced applications by allowing an F5 product expert to assist with
application deployment. An F5 consultant will review your business goals, application architecture
and traffic management requirements to create a comprehensive deployment plan, then assist in its
implementation.

Upgrade and Migration Services


Take advantage of the latest and greatest traffic management features. Our seasoned consultants will
work with you to plan and execute upgrades to new software versions or hardware platforms. We are
also happy to assist you with migrations from competing traffic management products.

Design Review and Verification Services


Seek an expert's opinion on your traffic management and network architecture. Our seasoned
consultants inspect aspects of your F5 device configuration and the surrounding network, making
recommendations and observations relevant to your business goals.

Custom Scripting and Monitor Development


Many applications require outside-the-box customization possible only by scripting: EAVs
(Extended Application Verification), complex monitors, iRules, iControl, and other complex
automated tasks can take your F5 investment to the next level. F5 Consultants have the requisite
extensive knowledge of the internal workings of F5 products to develop creative and compatible
solutions that address your specific requirements.


Pre-Installation Information
Objective:
Now that you have a better understanding of the BIG-IP LTM software and how it works, this section
presents additional information to consider during a BIG-IP LTM System installation. You will learn
the types of hardware and networking questions that need to be answered before an installation takes
place.

Pre-installation hardware checklist


Network Hardware
1. What is the physical media type used in your environment?
2. If Fast Ethernet, do you use switched or shared media (or both)?
3. What brand/type of switches or hubs do you use?
4. What brand/type of routers do you use?
5. What IP network ranges do you use?
6. What are your future needs for IP addresses (considering growth)?
7. What routing protocols do you employ (both internally and at the border)?
8. What router redundancy methods do you employ?
9. Do you use multiple ISPs for link redundancy?

Servers
1. What type of hardware are your servers?
2. What OS are your servers?

Backend databases and application servers


1. What type of hardware are your backend database servers?
2. What backend database products do you use?
    Oracle
    MS SQL 6.5
    Informix


Pre-installation network checklist


Wide Area
    Describe any geographically dispersed fail-over sites you have.
    Do you do any load distribution across multiple geographic sites?
    Is co-location or hosting part of your multi-site plans?
Bandwidth
    What is the total amount of bandwidth into each geographical site?
    What is the average amount of sustained throughput that you use?
    Do you use any rate shaping or traffic prioritization products?
Backend database replication
    Transaction level
    Batch replication
    Hardware mirroring
    Software mirroring
    Do you use any backend HA devices or software?
        Network Appliance
        Qualix
        Veritas
        Wolfpack
    What other backend content products do you use?
        Opentext
        Vignette StoryServer
        BroadVision
State maintenance
    Do your applications require that the client return to the same server for the entire session?
Security concerns/Architecture
    How important is security to your site?
    What type of firewall do you use?
    Does your firewall perform NAT?
    Describe the basic rule set used:
    What type of proxy server do you use?
    What type of cache server do you use?
    What type of VPN do you use?
Network Management
    How do you view or manage your network site?
    What products do you use for network troubleshooting/monitoring?
        CA Unicenter
        HP Openview
        NetIQ
        Compaq Insight Manager
        MS-SMS
Administrative
    How do you securely administer your server or backend database if your site is co-located?
    Do you have a secure back channel or VPN via the internet for server or database administration?
    Do you use any remote terminal software (PC Anywhere, Remotely Possible, F-Secure SSH, Telnet, etc.)?


Pre-Installation Checklist
Follow the steps below to ensure proper installation of your BIG-IP LTM System.
1. Provide 3 real internet addresses for a redundant BIG-IP LTM System configuration.
2. Provide a real internet address for each virtual IP address (VIP) or NAT.
3. Provide 3 internal IP addresses (e.g. 10.x.x.x, RFC 1918 etc.) [redundant BIG-IP LTM System
configuration].
4. Provide one internal IP address per node on the internal network.
5. Provide appropriate connectivity to physical segments.
6. Provide the IP addresses of the DNS servers (optional depending on implementation).
7. Provide access to the existing production content server(s), or an alternate content server.
8. Provide a monitor, keyboard and the appropriate power outlet for the monitor.
9. Provide one 110/220 power outlet for each BIG-IP LTM System unit.
10. Provide monitor A/B switch (optional).
11. Identify and provide access to any management workstations
(For example workstation running CA Unicenter or other monitoring tool).
12. Identify and provide access to a monitoring workstation (non-dedicated) for the SSH client software
(optional).
13. Designate an individual as the primary contact and BIG-IP LTM System administrator (tier 2 or 3).
14. Verify that each BIG-IP LTM external IP address can be accessed through incoming tcp port 22
(optional - to verify remote administration capability).
15. Verify that each BIG-IP LTM System can use outgoing tcp port 22 from tcp port 1023-1019 (optional).
16. Verify your ability to change DNS A records (for conversion from DNS round robin).
17. Create a DNS entry for each BIG-IP LTM administrative IP address (optional).


BIG-IP LTM System Worksheet


Installing BIG-IP LTM V10.x software


Performing prerequisite Installation tasks
A basic installation consists of some prerequisite tasks that prepare you for installing the software.
These prerequisite tasks are the same, regardless of whether you are installing the software on a
system that is already running version 9.6.x or earlier versions of 10.x, or upgrading to version 10.x
from version 9.3.x or 9.4.x. These tasks involve:
- Configuring the management interface
- Establishing a connection to the system
- Setting the active volume
- Making sure the license is active and updated

Configuring the management interface


To install software upgrades and perform management tasks on the BIG-IP system, you must use the
management interface. When you initially set up the system hardware, you probably configured an IP
address, netmask, and default route for the management interface. If you did not, you can use the
default settings, or you can use the LCD controls to specify settings appropriate to your network.
To allow remote connections, the traffic management software comes with a default root account and
password and two pre-defined IP addresses. The preferred default IP address is 192.168.1.245. The
alternate IP address is 192.168.245.245. The default netmask is 255.255.255.0. To change the default
IP address on the management port using the config command or the LCD front console, refer
to the BIG-IP v10 Getting Started Guide.

Working with volumes


This version of the BIG-IP system software uses the volumes disk-formatting scheme. A specific
section of a hard drive is called a volume. Also called logical volume management (LVM), this
feature supports all platforms and modules available for the BIG-IP system. The volume holds a
complete version of the BIG-IP software. You can create additional volumes to hold additional
software versions, and you can delete existing volumes you no longer need.
To install the software, you boot to a volume that you do not want to upgrade, to serve as the source.
You cannot install to the active volume. LVM labels, disk names, partition and volume indexes, and
file system labels are used internally by the disk management system. At any given time, only one
volume may be the active partition. The active volume or partition contains the software that runs
when you start up or reboot the system. For more information on creating, deleting or setting the
active volume, refer to the BIG-IP v10 Getting Started Guide.

Activating the software license


To install new versions of BIG-IP system software, you must have an active and updated license. An
active and updated license contains a valid service check date for the system software release you
plan to install and run. During installation and initialization, the system verifies the software release
check date in the software against the service check date in the license file on your system.


To activate the license for the system, you must have a base registration key. The base registration
key is a 27-character string that lets the license server know which F5 products you are entitled to
license. The base registration key is preinstalled on your system. If the system is not yet licensed, the
Configuration utility prompts you to enter the base registration key. You enter keys for additional
modules using settings in the Add-On Registration Key List area of the License screen.

Performing Software Installations


This section describes the method to install and upgrade BIG-IP version 10 systems. Version 10 uses
a new utility, image2disk, for both installations and upgrades. With image2disk you can install many
different versions of BIG-IP; you are no longer limited to two slots. However, if you later choose to
downgrade to version 9, you must reinstall the system and revert to two slots.

Upgrading from software versions earlier than 9.3.x


You cannot upgrade directly to version 10.x from BIG-IP version 4.x or from BIG-IP versions 9.0.x
through 9.2.x. You must perform an indirect upgrade, by first installing software version 9.3.x or
9.4.x, and then following the process for upgrading to version 10.x from version 9.3.x or 9.4.x. For
details about upgrading to version 9.3.x or 9.4.x, see the release notes for the associated release.

Upgrading from BIG-IP version 9.3 or 9.4


Image2disk did not exist with version 9. However, if you copy the ISO image for version 10 and run
the installation manager (IM), it will extract the image2disk utility.
1. Create a /shared/images directory:
    mkdir /shared/images
2. Copy the version 10 ISO to the /shared/images directory.
   Use a utility such as winscp or ftp.
3. Run installation manager to extract the image2disk utility:
    im <ISO File name>
   Example:
    im BIGIP-10.0.0.5401.0.iso
   Results:
    [root@big1:Active] images # im BIGIP-10.0.0.5401.0.iso
    /tmp/rpmdisk.SVfD7C /shared/images
    info: system has tm_install-2.4-36.0
    info: system has perl-RPM2-0.67-10.0.0.5401.0
    The im utility is no longer used to upgrade software images.
    Please use 'image2disk'. For help, use 'image2disk -h'.
    You must always install to an image location that is not in
    use.
    Here is your current image-location status:
    HD1.1 active yes default yes title BIG-IP 9.4.5 Build 1049.10
    HD1.2 active no default no title BIG-IP 10.0.0 Build 5401.0

4. Install version 10 on the slot that is not currently active. See the following steps.


Version 10 Installation using image2disk


Image2disk has many parameters. You must specify the installation slot (instslot) and if the ISO is a
hotfix, you must include that parameter. Other parameters are optional.
The table below lists the common parameters. The general syntax is:
image2disk <parameters> /path/FileName.iso
Parameter             Example                Description
--instslot=LOCATION   --instslot=HD1.1       Where to install the software. The slot cannot be the currently active slot.
--format=STYLE        --format=volumes       Version 9 does not support volumes. Once the system is converted to volumes,
                      --format=partitions    more than 2 images can be installed simultaneously.
--hotfix              --hotfix               Used when the installation is a hotfix.
--nosaveconfig        --nosaveconfig         Whether to save and restore the current configuration.
--nvlicenseok         --nvlicenseok          Allow installation even if the license is not valid. Note that the installation
                                             will not function until a valid license is obtained.
--setdefault          --setdefault           Change the default boot slot to the newly installed image.
--reboot              --reboot               Reboot after installation.

Assuming the system is currently booted to the image on slot HD1.1, the following command, run
from the /shared/images directory, would install a clean image of version 10 on slot 1.2, change the
default boot location to the new image, and reboot the system after installation.
    image2disk --instslot=HD1.2 --nosaveconfig --setdefault --reboot BIGIP-10.0.0.5401.0.iso
Assuming the system is currently booted to the image on slot HD1.1, the following command, run
from the /shared/images directory, would install a hotfix on the image in slot HD1.2, but leave the
current slot active.
    image2disk --instslot=HD1.2 --hotfix Hotfix-BIGIP-10.0.05460.HF1.iso
After any upgrade, you can confirm the installed versions by issuing the switchboot command.
Switchboot displays the version that is installed on each slot, shows which is the current default boot
slot, and allows you to change the default boot slot. The output shown below is of a system with
version 9.4.5 on slot 1.1 and version 10 with hotfix 1 on slot 1.2. Slot 1.1 is currently set as the
default boot slot.


Version 10 Management using the Configuration Utility


Version 10 also supports software version management through the Configuration Utility. This
includes importing ISO images, installing ISO images, changing the default boot partition, and
creating additional boot slots for systems that have been converted to the volume system.

The screen above shows the version of the current installations, the default boot image, and the
available images to install. The Import button would allow you to copy additional images from your
PC to the BIG-IP system.
The Hotfix List tab shows the list of Hotfixes on the system.
The Boot Locations tab shows the current default boot image but also allows you to change it.
The Volume Management tab shows the list of partitions or volumes (version 10 only). Once the
system is converted to volumes, additional volumes can be created.


v10 Reload Steps


Note: The F5 Training lab environment does not support reload or re-install, so these steps
are listed for your reference only.
Download
1. Access the ISO and MD5 files per the instructor's directions. Copy the files to the
/shared/images directory.

Verify the Download
1. Check the ISO against the MD5 file with the command:
    md5sum <filename> | diff - <filename.md5>
2. If they are not the same, download the file again.

Reboot and make other partition the active partition
1. Type switchboot and set the other partition as the default partition, then reboot.

Install
1. Install the ISO with the command:
    image2disk --instslot=HD1.x --nosaveconfig <filename>

Reboot and make other partition the active partition
1. Type switchboot and set the original partition as the default boot partition.

Verify Installation
1. After the system reboots, verify the version and note the hotfix:
    b version
   or
    tmsh> show /sys version and show /sys license
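
A stricter form of the Verify the Download step, added here as an example (it is not from the lab guide or from F5). The helper name verify_image is an assumption; it compares only the digest field, so a checksum file generated under a different path or file name still verifies, and it returns non-zero on a mismatch so that the install command can be chained behind it. It assumes the .md5 file begins with the 32-character digest, as md5sum output does.

```shell
#!/bin/sh
# Added example: check a downloaded image against its .md5 file before
# installing it. verify_image is a hypothetical helper name.
# The MD5 comparison detects a corrupted or truncated download.

# verify_image IMAGE MD5FILE
# Returns 0 when the digests match, 1 on mismatch,
# 2 when a file is missing or the checksum file is malformed.
verify_image() {
    iso=$1
    md5file=$2

    [ -r "$iso" ] || { echo "cannot read image: $iso" >&2; return 2; }
    [ -r "$md5file" ] || { echo "cannot read checksum file: $md5file" >&2; return 2; }

    # Expected digest: first field of the first line, lower-cased.
    # Assumption: the file uses md5sum's "<digest>  <filename>" layout.
    expected=$(awk 'NR==1 { print tolower($1) }' "$md5file")

    # A valid MD5 digest is exactly 32 hexadecimal characters.
    case $expected in
        ''|*[!0-9a-f]*)
            echo "malformed checksum file: $md5file" >&2
            return 2
            ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "malformed checksum file: $md5file" >&2; return 2; }

    # Digest of the file actually on disk.
    actual=$(md5sum "$iso" | awk '{ print $1 }')

    if [ "$actual" = "$expected" ]; then
        echo "OK: $iso matches $md5file"
        return 0
    fi

    echo "MISMATCH: $iso" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage from /shared/images (file names are placeholders, as in the steps above):
#   verify_image <filename> <filename.md5> && \
#       image2disk --instslot=HD1.x --nosaveconfig <filename>
```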


Appendix C: Additional Training from F5


Global Training Services
F5 offers extensive, expert training on F5 products for IT professionals. We help you achieve success
through career certifications while keeping you one step ahead of rapidly changing networking and
Internet technologies. Courses are presented in a hands-on lab format, combining theoretical content
with highly interactive exercises to help IT professionals experience real-world applications and
solutions. These services are delivered through F5 and F5-authorized training centers located around
the world. Following is a list of available courses along with a brief description of each one:
BIG-IP LTM - ADVANCED TOPICS (Prerequisite: BIG-IP LTM Essentials)
This two-day course builds on the foundation of the BIG-IP LTM Essentials course to give
networking professionals an in-depth understanding of the BIG-IP LTM system. It also covers less
commonly used but more powerful ways of using the many features of the BIG-IP LTM system.
In addition, significant time is spent using the command line tools to configure the BIG-IP LTM
system. This hands-on course includes lectures, labs and discussions. Students will learn about
command line functions, advanced configurations, and advanced troubleshooting.
TROUBLESHOOTING BIG-IP LTM (Prerequisite: BIG-IP LTM Essentials)
This two-day course gives networking professionals hands-on knowledge of how to troubleshoot a
BIG-IP LTM system using a number of troubleshooting techniques and troubleshooting and
system tools. This course includes lectures, labs, and discussions.
CONFIGURING BIG-IP WITH IRULES (Prerequisite: BIG-IP LTM Essentials)
This three-day course gives networking professionals an understanding of how to configure a
BIG-IP system with iRules. The course builds on the foundation of the BIG-IP Local Traffic
Manager (LTM) Essentials course, demonstrating how to logically plan and write iRules to help
monitor and manage common tasks involved with processing traffic on the BIG-IP. Course Labs
consist of writing, applying and evaluating the effect of iRules on LTM traffic. This hands-on
course includes lectures, labs, and discussions.
BIG-IP GLOBAL TRAFFIC MANAGER (GTM) (Prerequisite: None but LTM Essentials helps)
The BIG-IP Global Traffic Manager course is designed for networking professionals to renew
their understanding of DNS network systems and wide-area networks, master pre-installation
information gathering, and apply this information to the process of installing a GTM System.
Utilizing both simulated installation activities and hands-on exercises, participants gain real-time
experience setting up and configuring both primary and secondary GTM Systems, WAN systems,
integrating multiple GTM Systems, and migrating DNS systems to a GTM. Participants will also
gain knowledge of the essential GTM management interfaces that assist network managers. In
addition, this course covers configuring, monitoring and testing GTM Systems and networks, as
well as dynamic and static load balancing, and GTM report screens.
BIG-IP APPLICATION SECURITY MANAGER (ASM) (Prerequisite: None)
This four-day course covers ways to manage Web-based and XML application attacks and the use
of Application Security Manager to defend against these attacks. The course covers installation,
configuration, management, security policy building, traffic learning, and implementation of
Application Security Manager in both stand-alone and modular configurations. This class includes
lectures, labs, demonstrations, and discussions.

ARCHITECTING BIG-IP IN AN APPLICATION DELIVERY NETWORK (Prereq: LTM Adv Topics)
This two-day course gives networking professionals an understanding of how to architect and
design BIG-IP devices into an application delivery network. The course builds on the foundation
of the BIG-IP Local Traffic Manager (LTM) Essentials and Advanced Topics courses,
demonstrating the next steps for implementing BIG-IP in a way that effectively delivers your
client applications. The labs for the course involve design exercises and group discussions. Based
on the knowledge gained in other BIG-IP LTM courses, you will work with other students to build
network designs that incorporate BIG-IP LTM to accomplish customer goals. The course will
cover many network design options, as well as best practices for given customer scenarios. The
course will also explore other design options available using BIG-IP Global Traffic Manager,
BIG-IP Link Controller, BIG-IP Application Security Manager, BIG-IP Message Security
Module, and BIG-IP WebAccelerator.
BIG-IP ACCESS POLICY MANAGER (APM) (Prerequisite: None)
This two and -day course provides security and network professionals with a functional
understanding of the BIG-IP Access Policy Manager (APM). The course includes installation,
configuration, management and troubleshooting on a BIG-IP APM. Students will build many
different Access Policies representing different customer scenarios using the Visual Policy Editor.
This hands-on course includes lectures, labs, and discussions.
BIG-IP WEBACCELERATOR (WAM) (Prerequisite: None)
This one-day course is designed to help network professionals improve web site customer
experience using the WebAccelerator product. The course focuses on typical HTTP processes and
how the WebAccelerator Module can take advantage of those processes to decrease response time
while ensuring data accuracy and integrity. Using lectures and hands-on exercises, participants
gain real-time experience configuring WebAccelerator settings including editing standard policies
to affect how the traffic is manipulated as it is processed by the system.
BIG-IP WAN OPTIMIZATION (WOM) (Prerequisite: None)
This half-day course is designed to help network professionals improve the performance of WAN
connections between Data Centers or Central and Remote Offices using the WAN Optimization
product. Using lectures and hands-on exercises, participants gain real-time experience configuring
WAN Optimization Module settings. In addition, students will edit the Quick Start template and
optimization policies to affect how the traffic is optimized as it is processed by the system.
BIG-IP LINK CONTROLLER (LC) (Prerequisite: None)
BIG-IP Link Controller is a two-day course that provides network professionals an understanding
of how to define, monitor, and load balance bi-directional traffic flow between multiple links to
meet business performance and cost priorities. Participants will gain knowledge of essential
BIG-IP LC features such as virtual servers, pools, monitors and SNATs along with BIG-IP GTM
features such as DNS, WideIPs, and Listeners and how these integrate into the Link Controller
System. This hands-on course includes lectures, labs and discussions.

CONFIGURING & ADMINISTERING ARX (Prerequisite: None)
This three-day course is designed to help students learn about the architecture, configuration,
administration and basic troubleshooting of the ARX product family. Students will learn to
pre-qualify storage to be virtualized, design namespaces for CIFS, NFS or multiprotocol
environments, configure file, age, and load balancing, etc. This hands-on course includes lectures,
labs, and discussions.
TROUBLESHOOTING & MONITORING ARX (Prerequisite: Configuring and Administering ARX)
This two-day course provides students with a solid understanding of monitoring and
troubleshooting techniques for the ARX product family using the CLI and ARX Manager (GUI).
Students will learn to upgrade, monitor and troubleshoot namespaces, policies and authentication
in CIFS, NFS or multiprotocol environments with an emphasis on both problem determination and
avoidance. Students will also learn how to collect diagnostic information and packet captures that
will be useful when escalating issues to the F5 Support team. This hands-on course includes
lectures, labs, and discussions.
FIREPASS V6.X (Prerequisite: None)
This three-day course provides security and network professionals with a functional understanding
of the FirePass Controller. The course includes installation, configuration, management and
troubleshooting on a FirePass system. Lectures, demonstrations, hands-on labs and discussions
will be incorporated.

For more details about course offerings, pricing, schedules, and registration, see the following web
site: http://www.f5.com/training-support/global-training/
