Skip to content

Latest commit

 

History

History
116 lines (75 loc) · 2.87 KB

f5.md

File metadata and controls

116 lines (75 loc) · 2.87 KB

F5

Key Points

High end commercial load balancers. Expensive.

If you've worked in high scale enterprise you'll probably come across these or Citrix Netscalers or similar.

I ran 4 x F5 Big-IP 8900 (highest end single chassis units available) in dual HA configurations at each of 2 datacenters.

Types

  • LTM - Local Traffic Manager - VIPs - local network load balancer - Big-IPs
  • GTM - Global Traffic Manager - DNS GSLB - global server load balancer
  • ASM - L7 HTTP FW
  • EM - Enterprise Manager centralized management
  • FirePro - being built in to ASM SSL VPN

Traffic Flow

Client => GTM (DNS) => LTM VIP => server

General

F5 command line is Redhat Linux (/etc/redhat-release exists but is empty).

Guy on F5 course said his company puts Checkpoint firewalls in front of their F5s. Wonder how much additional protection this is really giving them if they're just punching a hole for TCP 443 anyway...

Config from scratch

  1. Interfaces & Trunks
  2. VLANs
  3. Self IPs
  4. Routes (default and internal)

Syslog

To add syslog to F5:

bigpipe syslog remote server { host1 { host 10.x.x.x } host2 { host 10.x.x.x }  }

or

b syslog include '"destination remote_server { tcp(\"xxx.xx.xx.xxx\" port (514));
tcp(\"xxx.xx.xx.xxx\" port (514));
};
log { source(local); filter(f_local0); destination(remote_server); };"'
b verify load
b load
bigpipe save

Misc

16384 default SYN Check Activation Threshold reminds me how Juniper SSGs aren't designed for this kind of web usage given they default to 128.

Share a * pool across 2 virtual servers.

BigPipe

bpsh - From advanced shell (linux) /usr/bin/bpsh, drops you in to a bigpipe shell. Can set this via web ui in user profile to drop user straight to bpsh only

bigtop to see real time sessions

b failover standby
b interface 1.2 disable

Dev Central

iRule editor from Dev Central

iRules are TCL code

For SSL must decrypt traffic on the BigIP to be able to inspect and use iRules

Use Network Failover on internal/external interfaces + Fail Safe to cause demotion to standby otherwise Active/Active split brain

Network Mirroring didn't work until after 1 double failover

Diagram

From the HariSekhon/Diagrams-as-Code repo:

F5 in Multi-Datacenter Java Stack

F5 in Multi-Datacenter Java Stack

Ported from private Knowledge Base page 2011+