F5 LTM – Configuration Files

Configuration Files
/config/bigip.conf – main configuration file containing objects for local application traffic such as pools, virtual servers, etc.
/config/bigip.license – system licenses
/config/bigip_base.conf – networking components (bigpipe base load); not synced for HA setups
/config/bigip_local.conf – stores virtual servers for GTM
/config/bigip_sys.conf – stores the Linux/UNIX configuration objects
/etc/alertd/alert.conf – defines custom SNMP OIDs
UCS (User Configuration Set) A …

Brocade ADX: Insert X-Forwarded-Proto & X-Forwarded-For Headers

Within this article we will look at the configuration steps required to add headers to your HTTP based traffic. The 2 headers we will look at are X-Forwarded-Proto and X-Forwarded-For. These headers are described below. X-Forwarded-Proto – Inserts the protocol used between the client and the intermediary device (such as the load balancer). Typically used when protocol …

BigIP F5 LTM – High Availability (v10.x)

The F5 LTM provides the ability to configure an HA (High-Availability) based setup. Configuring HA ensures that traffic is still processed even in the event of a failure (such as a software or hardware failure). Within this article we will explain and discuss an Active / Standby HA F5 setup. This allows one unit to pass …

F5 LTM VE 10.2.x – Interfaces not recognised

When running the BIG-IP LTM (10.2.3) virtual appliance on ESX4 you may observe that only the management interface is seen by the system.
[root@localhost:Active] config # b interface show
INTERFACE  Key  Speed   Pkts  Pkts  Drop  Coll  Bits    Bits  Errs  Trunk
                Mbps    in    out               in      out
mgmt       UP   100 FD  511   8     0     0     266144  5056  0
Solution To …

F5 LTM – OneConnect

Overview The OneConnect feature works with HTTP Keep-Alives to minimize the number of server-side TCP connections by reusing existing connections for further HTTP requests. "OneConnect" has 2 methods. They are: OneConnect Profile and OneConnect transformations. Both of which are explained within this article. HTTP Requests Overview HTTP/1.1 requests – HTTP/1.1 dictates that HTTP Keep-Alive connections …

F5 LTM VE – Unable to attach to PCI device 02:01.00 for Interface 1.1

When running the BIG-IP LTM (10.1) virtual appliance on ESX4 you may observe the following error message (within the /var/log/message file): Unable to attach to PCI device 02:02.00 for Interface 1.1 This results in both interfaces showing a status of un-initialized and in turn failing to pass traffic. Solution To resolve this define each interface …

F5 LTM – Connection Management

Adaptive Reapers Adaptive reapers provide the ability for the system to automatically clear connections at the point a predefined threshold is reached. This provides both system and connection stability during a Denial of Service attack. At the point memory usage reaches the low water mark threshold (default 85%) all half open connections …

Brocade ADX – FTP

The Brocade ADX offers 2 methods in which to configure FTP SLB (Server Load Balancing). These methods are: Layer 3 – Uses the sticky and concurrent connection settings to provide FTP SLB. Layer 4-7 – Provides FTP SLB via the use of FTP application awareness (introduced in version 12.3.1d). 1. Layer 3 To load-balance either …

F5 LTM – How do I perform software installations ?

Installation and upgrade of software on the F5 LTM is extremely straightforward. Each image is installed onto a slot; the slot can then be upgraded or re-imaged. 1. Transfer Image Create a directory '[root@f5:Active] config # mkdir /shared/images/legacy'. Copy the iso image to the directory '/shared/images/legacy' using scp. Move to the directory '[root@f5:Active] config …

Brocade ADX – NAT

Within this article we will look at the two ways in which to NAT traffic. Source NAT Pool This example provides the commands required to configure source NAT via the use of a pool and ACL. This allows you to source NAT a number of internal hosts behind the ADX to a single IP address. …

Brocade ADX – CSW nested rules

Nested CSW rules provide the ability to perform Boolean (AND, OR, etc.) conditions on standard csw rules. Within this example we will be: Redirecting any request that has a host header of 'PRODUCTION.example.com' and containing a URL request for /FOLDER/index.html to '/REDIRECT/index.html'. Balancing any request that has a host header of 'STAGING.example.com' and …

Brocade ADX – How to perform an image upgrade

Below shows the basic steps for upgrading a Brocade ADX. Copy Image First of all the image is copied from a TFTP server. Note: The option 'secondary' is used to ensure that the primary image is not overwritten.
adx# copy tftp flash [tftp server ip] ASR12301c.bin secondary
Check Flash Next, check the image has …

Brocade ADX – Persistence

The Brocade ADX offers 2 main persistence methods: sticky and cookie. Within this article we will look at both of these methods and the various configuration options of each one. Types Sticky With sticky, traffic is sent to the same server based on the client's IP for the duration of the sticky timeout. Sticky also …

Path MTU Discovery (PMTUD) / Path MTU Black Holes

What is MTU? When sending traffic across a network, computers use something called an MTU (Maximum Transmission Unit). This (network interface) setting dictates the size of the largest frame it can send across the network. Below shows the MTU defaults.
Network – MTU (Bytes)
X.25 – 576
IEEE 802.3/802.2 – 1492
Ethernet – 1500
FDDI – 4352
Token Ring – 17914
…

High CPU Usage on a Cisco CSS

Issue The Cisco CSS is showing a high level of CPU usage, even though the networking throughput does not appear excessively high nor is there a large number of EQLs or DQLs configured.
CSS11501# sh system-resources cpu
Chassis CPU Utilizations
Module Name        Module  5Sec  1Min  5Min
----------------------------------------------
CSS501-SCM-INT     1       90%   88%   75%
CSS501-SSL-C-INT   2       0%    …

Brocade ADX – Content Switching Rewrite

A typical issue when SSL termination is performed on the load balancer is that URL redirects from the backend servers still contain an 'http://' prefix rather than 'https://'. Within this article we will show the required commands for creating a Content Switching Policy that will rewrite any URLs containing an 'http://' prefix to 'https://' for …

BigIP F5 LTM – How to Create a Sorry Page with Image

Within this article we will show you the necessary steps required to create a sorry page (containing an image) that will be published when there are no available pool members for the specific VIP (Virtual Server). Note: This example is based upon serving a png image. Encode Image First, the image that will …

BigIP F5 LTM – TCP Syslog

The F5 LTM allows for the transmission of syslog messages using TCP connections via the use of the syslog-ng daemon. Syntax In order to configure TCP syslog the following commands are used:
bigpipe syslog include '"destination d_tcp { tcp(\"<SYSLOG IP>\" port(<PORT>));};log { source(local);\ destination(d_tcp);};"'
bigpipe save all
Confirmation To confirm the configuration has been added use …

Brocade ADX – DoS Protection

Summary The Brocade ADX provides DoS protection within the hardware layer. This allows a much greater volume of DoS attacks to be processed. Attacks that are recognised and protected against at the hardware layer are: deny-all, fragments, fin-with-no-ack, icmp-fragment, ip-option, land-attack, large-icmp, ping-of-death, syn-and-fin-set, syn-fragments, tcp-no-flags, unknown-ip-protocol, xmas-tree. At a software layer the following attacks …

Brocade ADX – LoadBalancing Methods

The Brocade ADX has a number of load balancing methods available. These are also known as predictors. Assignment Predictors can be assigned on a global level or on a per virtual server basis. Below shows the syntax:
global – server predictor [BALANCING METHOD]
virtual server – server [BALANCING METHOD]
Types Below explains the various available …

Brocade ADX – Healthcheck Elements

HealthCheck elements provide the ability to perform Boolean based expressions against your healthchecks (AND, OR, and NOT). In this example we will configure a health check that brings up http on webserver1 if: the string STRING1 is matched within the content retrieved via a HTTP GET / from server 192.168.1.20; the string STRING2 is matched …

Brocade ADX – Match-list Port Policy

A match-list provides the ability to content match string based values and mark the application (layer 7) based health-check as either up or down. When assigning a match-list health-check the match-list is assigned to a port policy. This port policy is then assigned to the virtual server. Steps 1. First we enable Layer 7 health-checks on …

Brocade ADX – How do I disable a server or port ?

When disabling a service on the Brocade ADX you can either disable the port or the real server. Below shows the necessary syntax:
server real <NAME> <IP>
 disable
server real <NAME> <IP>
 port ssl disable
 port http disable
When either the server or port is disabled it is important to remember that new sessions are not …

Brocade ADX – Port Profile

Port profiles provide the ability to configure custom settings for individual TCP/UDP ports. Any port that the ADX deems unknown is in turn defined as UDP, and the ADX will send any subsequent health-checks to the port via UDP. To use an unknown port a port profile must be configured.
(config)# server port 8181
(config-port-8181)# tcp keepalive use-master-state
(config-port-8181)# …

Brocade ADX – Configuring Primary / Backup servers

Below provides a basic example of how to configure a primary / backup setup. Traffic is only distributed to the primary server; once the primary node goes offline, traffic is distributed to the secondary server.
server real RS_192.168.1.1 192.168.1.1
 port http
 port http url "HEAD /"
server real RS_192.168.1.2 192.168.1.2
 backup
 port http
 port http url "HEAD /"
…

Brocade ADX – Content Switching (CSW)

Content Switching provides the ability to distribute / rewrite traffic based upon a session's Layer 7 payload. This feature also provides the ability to persist connections to a given server/server group. There are 4 main methods of Layer 7 switching: Cookie Switching – Uses either a server sent cookie or an ADX injected cookie to direct …

Brocade ADX – Configuring a Port Alias

Port aliases provide the ability to bind a single Real Server to multiple Virtual Servers. This is achieved via the real-port option from within the bind command. Below shows an example. Create Real Server First the Real Server is created with a port alias. Here the real port will be port 80 and the alias …

Cisco CSS: Display the CPU Usage for Each Process

Though the Cisco CSS does not provide a direct command to display the CPU usage on a per process basis, this can be achieved via the following commands from within the llama debug utility.
CSS# llama
CSS(debug)# symbol-table load SPRITZ
CSS(debug)# shell 1 1 spy
CSS(debug)# shell 1 1 spyReport
CSS(debug)# shell 1 1 spyStop
…

Brocade ADX – Configuring a Port Policy

Summary Typically health-checks are assigned on a per virtual server basis. However this can become cumbersome if you have a large number of virtual servers configured. Via the use of a Port Policy, health-checks are configured within the Port Policy. The Port Policy is then assigned to multiple Virtual Servers. Syntax Below shows the required commands …

Cisco CSS address translation

The Cisco CSS offers 2 address translation methods: source groups and destination groups. Source Group When a connection is initiated outbound through the Cisco CSS (from any of the group services) the source IP is translated to the group's VIP address. Source group servers are defined using the add service [service name] command. Example: …

Brocade ADX – Commands

The following commands are based upon Brocade ADX 12.4.
Show Commands
show ip int – show interface(s) IPs
show default values – show defaults
show server global – show global configured parameters
show ip vrrp-extended brief – show cluster status
show server real – show real server stats
show server real http [real server] – show real server http details for …

How do I rename a Virtual Server on a F5 LTM?

Below provides the steps to rename a virtual server, pool or any other object within the configuration of a F5 LTM. The steps provided involve editing the (bigip.conf) configuration file. This file is then verified for any potential issues before it is loaded and committed to the F5 LTM's running configuration. Backup Configuration First …

BIG-IP F5 LTM – Commands

The following commands are based upon F5 LTM 10.1.0 (and higher).
bigpipe bigtop – show statistic summary
b self show – show self IPs
b vlan show – show vlans
b interface show – show interfaces
b pool [pool name] show – show pool
b virtual [virtual name] show – show vs
b snat list – list snats
b route domain list …

Upgrading to Cisco CSS 8.20.3.03 (or higher): Slow Network Performance

Symptoms Slow network performance when accessing back-end servers through a Cisco CSS running 8.20.3.03 (or higher). Background Cisco CSS 8.20.3.02 (and lower) did not support window scaling. This meant that the initial window scale option announced within the 3-way handshake was not propagated to the server. This issue was resolved within 8.20.3.03 (CSCsk92868), however …

F5 LTM – iRules

What is an iRule? iRules are built using a TCL-based scripting language allowing arbitrary manipulation of traffic flowing through the BIG-IP, including real-time modification of defined data. Components of an iRule A typical iRule contains four main components. These are:
rule NAME {
  when EVENT {
    if { conditional_statement } {
      action_when_condition_true
    }
    …

iRule Examples – 10.x

Below shows a number of iRule examples that you may find useful when creating or deploying iRules on the BIG-IP F5 device. For the latest in iRule tips and tricks hop over to our iRule Cookbook. WWW redirect This simple iRule redirects any HTTP traffic without the prepended www to a www …

Big IP LTM – Health Monitors

A monitor is a test that the LTM can perform on either a node or a member. A monitor typically tests for a specific response within a specified time period. BigIP uses the results of this to decide whether traffic should be sent to the node or pool member. Types of Monitoring There are 4 main …

BigIP F5 LTM – SSL Processing

Introduction The BigIP F5 provides 2 ways in which SSL is processed. These are: Client SSL – F5 decrypts the encrypted traffic inbound from the client. Server SSL – Traffic is re-encrypted by the F5 then routed onto the backend servers. There are a number of advantages to SSL termination on the F5, which are …

BigIP F5 LTM – Administrative States

Via the use of administrative states, the administrator has the power to gracefully select a pool member's state. States There are 3 administrative states: Enabled – This is the default state. All connection types are passed to the pool member and the monitor continues to determine the state of the member. Disabled – Only new connections …

BigIP F5 LTM – Persistence

Persistence When an application maintains the session, a persistent session between the client and server must be correctly maintained to ensure the server can continue to process client requests. A typical example is web based shopping carts; these normally require the user to maintain persistence to a single server during the lifetime of the session. …

BigIP LTM F5 – Balancing Methods

The BigIP F5 LTM supports various load balancing methods. These methods are categorized as either Static or Dynamic. Dynamic load balancing methods are balancing methods that take the server performance into consideration. This article also explains how the BigIP F5 LTM can balance traffic outside of the aforementioned Static and Dynamic balancing methods. Static Round …

Cisco CSS – Configuring a Sorry Server

A sorry server provides HA (Primary/Secondary) based balancing for your backend servers. This allows traffic to only route to the sorry server in the event of the primary service becoming unreachable. Below details the configuration. This example sets server 1 as the primary server and server 2 as the secondary server. Configure Services
service server1 …

Troubleshooting Interface Drops

Introduction Output drops are a result of the traffic rate exceeding the maximum bandwidth specification of a given interface. Given that this is normally an outcome of interface congestion, the following steps explain the commands used to clarify the total interface usage in terms of both Mbits and overall utilization. Output Drop Totals To confirm …

F5 LTM – Network Address Translation (NAT)

Big IP's F5 LTM offers 2 types of NAT. These are SNAT and NAT. SNAT (Secure Network Address Translation) provides source NAT. The SNAT option 'Automap' enables source NATing (SNAT) based on the IP address of the egress interface. NAT (Network Address Translation) – NAT provides a static one to one NAT translation. Configuring SNAT …

Spanning Tree Protocol

1. INTRODUCTION The Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP is to prevent bridge loops and the ensuing broadcast radiation. 2. ROLES Spanning Tree defines 3 port roles. They are: Root Port, Designated Port, Blocking (Alternative Port). 3. …

Link State Tracking

Link State Tracking is a feature (within Cisco switches) that binds the link state of multiple interfaces. This provides the ability to "down" interfaces based upon the link state of upstream interfaces. The diagram below shows a simple example of a scenario where link state tracking would be required. As you can see from …

DMVPN Tutorial

Introduction DMVPN (Dynamic Multipoint Virtual Private Network) is a feature within the Cisco IOS based router family which provides the ability to dynamically build IPsec tunnels between peers based on an evolved iteration of hub and spoke tunneling. DMVPN uses a combination of the following technologies: Multipoint GRE (mGRE), Next-Hop Resolution Protocol (NHRP), Dynamic …

IP Version 6 (IPv6)

IPv4 is the current protocol used for sending data over the internet. The main issue with IPv4 is its limited address space. With the number of available IPv4 addresses rapidly shrinking, IPv6 overcomes this by introducing 128 bit addresses and a much larger address space than that of IPv4. 1. Changes Introduced by IPv6 Summary …

Installing GNS3 0.7.2 onto Fedora 13

Below shows you how to install GNS3 onto Fedora 13. GNS3 is a Graphical Network Simulator allowing you to build virtual Cisco networks.
yum -y install PyQt4 wget telnet qemu xterm
cd ~
wget -O GNS3-0.7.2-src.zip 'http://downloads.sourceforge.net/gns-3/GNS3-0.7.2-src.zip?download'
unzip GNS3-0.7.2-src.zip && rm -f GNS3-0.7.2-src.zip
mv GNS3-0.7.2-src /opt/GNS3
cd /opt/GNS3
mkdir Dynamips
mkdir IOS
mkdir Project
mkdir Cache
mkdir tmp
chmod o+rw -R ./Project
chmod o+rw -R ./tmp
cd Dynamips
wget
chmod +x …

Configure Pre-Shared Site to Site VPN between Cisco Routers

Below shows the configuration for one side of a Site to Site VPN between 2 Cisco routers using pre-shared keys.
router(config)# crypto isakmp enable
Phase 1
router(config)# crypto isakmp policy 10
router(config-isakmp)# authentication pre-share
router(config-isakmp)# encryption [?]
router(config-isakmp)# group [?]
router(config-isakmp)# hash [?]
router(config-isakmp)# lifetime 86400
router(config)# crypto isakmp identity address
router(config)# crypto isakmp key [key] …
