F5 Training Materials (PPT Courseware)

BIG-IP V9 Local Traffic Manager
F5 Networks Training
7 / 20 / 2007

Introduction to F5
  • Application Delivery Networking
  • Ensures network applications are: Secure, Fast and Available

F5 Products:
  • BIG-IP Local Traffic Manager
  • BIG-IP Link Controller
  • BIG-IP Global Traffic Manager
  • FirePass
  • BIG-IP Application Security Manager
  • WanJet / Web Accelerator

BIG-IP Local Traffic Manager
  • Load Balance Servers
  • Monitor Server Status

BIG-IP Global Traffic Manager (3-DNS)
  • Load Balance DNS requests
  • Let's say f5 = one of
  • Monitor Server Status
  • [Diagram: Internet, GTM, DNS queries "f5 = ?"]

BIG-IP Link Controller
  • Load Balance Servers
  • LB Inbound Links
  • LB Outbound Links
  • 3 Types of Load Balancing
  • [Diagram: Internet, ISP #1, ISP #2]

BIG-IP Enterprise Manager
  • Centralized version and backup management
  • Centralized view of SSL certificates
  • Device Inventory and Control
  • Support for up to 300 devices
  • [Diagram: LTM, GTM]

FirePass
  • SSL VPN
  • Authentication
  • Authorization
  • Or Full SSL VPN
  • Remote Access thru Browser
  • Authorization by Group
  • [Diagram: FirePass, File Servers, Web Servers, telnet to Hosts Servers, Term Services / Citrix, Desktop, PDA, Cell phone]

BIG-IP Application Security Manager (TrafficShield)
  • Application Layer Firewall
  • Blocks Known & Unknown Web Attacks
  • Reverse Proxy
  • Application Cloaking
  • Scrubs Outgoing Content

WanJet
  • Optimize the WAN
  • LAN-like results
  • Accelerate applications
  • Configurable site-to-site encryption using SSL
  • [Diagram: Remote Office, Main Office]

Web Accelerator
  • Accelerates all web applications
  • Faster end-user response times
  • Extends server capacity
  • Reduces system load
  • Reduces network bandwidth needs
  • Transparent to applications & users
  • [Diagram: Customer, Web Server]

Course Outline Day 1
  • Installation
  • Load Balancing
  • Monitors
  • Profiles

Module 1 - Installation
  • [Diagram: Internet, BIG-IP LTMs, Clients, Servers]

Module 1 - Outline
  • BIG-IP Platform Overview
  • Installation (Setup Utility)
  • Configuration Utilities and User Access

BIG-IP Hardware Platforms
  • Server Appliance
  • Application Switch
  • For Current info - f5

Application Switch 3400
  • [Diagram: Processor board, Switch board, Processor, SSL card, SCCP, ASIC2, Switch chips, CF & HD]

Switch Platforms
  • 6800 / 6400
  • 1500

Platform Differences
  • 8800 (2U): Dual Dual Core CPU, 4G Ram, ASIC10; 12 10/100/1G & 4Gbg ports
  • 6800 / 6400 (2U): Dual CPU, 2G Ram, ASIC2; 16 10/100/1G & 4Gbg ports
  • 3400 (1U): Single CPU, 1G Ram, ASIC2; 8 10/100/1G & 2Gbg ports
  • 1500 (1U): Single CPU, 768M Ram; 4 10/100/1G & 2Gbg ports
  • Integrated SSL Acceleration
  • LCD panel control interface
  • For current info - f5

[Chart: Price vs. Function / Performance]

BIG-IP 6800
  • 2 x 2.4 GHz Opteron
  • 16 10/100/1000 + 4 SFP
  • Layer 4 ASIC (PVA2)
  • 160GB HD + 512 CF
  • SSL 20K TPS / 2 Gb Bulk
  • FIPS SSL option
  • HW Compression option
  • ASM / WA option
  • 4 Gbps Traffic

BIG-IP 6400
  • 2x 2.80GHz Opteron
  • 16 10/100/1000 + 4 SFP
  • 160GB HD + 512 CF
  • Layer 4 ASIC (PVA2)
  • HW Compression option
  • ASM / WA option
  • SSL 15K TPS / 2Gb Bulk
  • 2Gbps Traffic

BIG-IP 8400
  • 2 x 2.6 GHz Opteron
  • 12 10/100/1000 or 12 SFP
  • Layer 4 ASIC (PVA10)
  • 160 GB HD + 512 CF
  • SSL 33K TPS / 3 Gb Bulk
  • HW Compression option
  • ASM / WA option
  • 6-10Gbps Traffic

BIG-IP 8800
  • 2 x 2.6 GHz Dual Core Opteron
  • 12 10/100/1000 or 12 SFP
  • Layer 4 ASIC (PVA10)
  • 160 GB HD + 512 CF
  • SSL 48K TPS / 6 Gb Bulk
  • HW Compression option
  • ASM / WA option
  • 7-10Gbps Traffic (7G L7, 6G SSL & Compress)

BIG-IP 1600
  • 1.8GHz Core2Duo
  • 4 10/100/1000 + 2 SFP
  • 160GB HD
  • SSL 5K TPS / 750Mb Bulk
  • 750bps Traffic

[Diagram: DAG, HSB, CPU, Fabric]

BIG-IP 3600
  • 2.13 GHz Opteron
  • 8 10/100/1000 + 2 SFP
  • 160 GB HD + 8GB CF
  • SSL 10K TPS / 2 Gb Bulk
  • FIPS SSL option
  • ASM / WA option
  • 1.5Gbps Traffic

Legacy Platforms
  • [Photos: 5100, 2400, 520 / 540]

Switch Platforms
  • 5100/5110: 24 10/100 & 4G
  • 2400: 16 10/100 & 2G
  • 1000: 8 10/100 & 1G
  • Integrated SSL Acceleration

Server Appliance
  • 520/540: 2 10/100 NICs
  • No Integrated SSL
  • Mainly 3-DNS

Current BIG-IP LTM Software Levels

  Platform                  V4.x   V9.0
  1600, 3600                N      V9.4
  6800, 6400, 3400, 1500    N      Y
  5100, 2400, 1000          Y      Y
  520, 540                  Y      V9.2

Initial BIG-IP LTM Setup
  • Config utility
  • IP Address for Management interface
  • License
  • Setup utility
  • Root password
  • IP Address for VLANs
  • Assign interfaces to VLANs
  • Web Admin password
  • SSH Access

Interface Naming (3400 chassis)
  • 10/100/1000 Ports numbered: top to bottom, left to right
  • Mini Gbg Ports start at 2.1
  • Management Port is eth0
  • Mgmt URL: Https45
  • Admin/admin
  • [Diagram labels: 1.1, 2.1, 1.8, mgmt, eth0, usb, console, failover]

License Process - Automated
  • Run Setup utility
  • Enter Registration Key
  • License the box
  • Get License from F5
  • Select parameters
  • Reboot (v9.2)
  • [Diagram: PC, BIG-IP, Internet, F5 License Server activate.F5]

License Process - Manual
  • Copy Product Dossier to PC
  • Paste Product Dossier to F5
  • Move PC to Internet
  • Download License to PC
  • Upload & Install License file
  • Run Setup utility
  • Manually License the box
  • Move PC back
  • Reboot (v9.2)
  • [Diagram: PC, BIG-IP, Internet, F5 License Server activate.F5, https]

Setup Utility
  • https
  • Management IP Address

Setup Utility - Network

Web Configuration utility

Setup / Configuration Access
  • Two methods
  • Web Interface: https (remote)
  • Command Line: ssh (remote), Serial Terminal

BIG-IP LTM Backup Process
  • Stores configuration in one file
  • If copied to another system, then re-license

User Authentication Process

BIG-IP LTM Admin Users

Module 2 - Load Balancing

Module 2 - Outline
  • Virtual Servers, Members & Nodes
  • Configuring Virtual Servers & Pools
  • Virtual Server & Pool Lab
  • Load Balancing Modes
  • Configuring Load Balancing
  • Load Balancing Labs

Pools, Members and Nodes
  • Node = IP address
  • Pool Member = Node + Port
  • Pool = Group of pool members
  • [Diagram: :80, :80, :80]

Pool Members and Nodes
  • Nodes refer to Pool Members IP Address only
  • [Diagram: Internet, Pool Members :8080, :80, :4002, :80]

Virtual Server
  • IP Address + Service (Port) Combination
  • Listens for and manages traffic 7:80
  • Normally Associated with a Pool

Virtual Server - Address Translation
  • BIG-IP LTM performs network address translation to real server addresses such that all machines are viewed as one Virtual Server
  • [Diagram: Real Server Address, Network Address Translation, Virtual Server Address, Internet, 7:80]

Network Flow - Packet #1
  • resolves f5 to BIG-IP LTM Virtual Server Address 7:80
  • [Diagram: Internet, f5 DNS Server, 7:80]

Network Flow - Packet #1
  • LTM translates Dest Address to Node based on Load Balancing
  • Packet # 1: Src - 0:4003, Dest 7:80
  • Packet # 1: Src 0:4003, Dest :8007:80

Network Flow - Packet #1 Return
  • LTM translates Src Address back to Virtual Server Address
  • Packet # 1 - return: Dest - 0:4003, Src 7:80
  • Packet # 1 - return: Dest 0:4003, Src :8007:80

Network Flow - Packet #2
  • Packet # 2: Src - 1:4003, Dest 7:80
  • Packet # 2: Src 1:4003, Dest :400217:80

Network Flow - Packet #2 Return
  • Packet # 2 - return: Dest - 1:4003, Src 7:80
  • Packet # 2 - return: Dest 1:4003, Src :400217:80

Network Flow - Packet #3
  • Packet # 3: Src - 5:4003, Dest 7:80
  • Packet # 3: Src 5:4003, Dest :808057:80

Network Flow - Packet #3 Return
  • Packet # 3 - return: Dest - 5:4003, Src 7:80
  • Packet # 3 - return: Dest 5:4003, Src :808057

Configuring Pools

Configuring Virtual Servers
  • Scroll down

Statistics
  • Summary
  • Virtual Servers
  • Pools
  • Nodes

Logs

Load Balancing Modes
  • Round Robin
  • Ratio
  • Least Connections
  • Fastest
  • Observed
  • Predictive
  • Dynamic Ratio
  • Priority Group Activation
  • Fallback Host
  • Categories: Static, Dynamic, Failure Mechanisms

Round Robin
  • Client requests are distributed evenly
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers]

Ratio
  • Administrator sets ratio for distributing Client requests: 3:2:1:1
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers]

Least Connections
  • Next request goes to Node with fewest open connections
  • Current Connections: 459, 460, 461, 470
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers]

Least Connections
  • Some time later, number of connections change
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers, Current Connections]

Fastest
  • Next request goes to Node with fastest response time
  • Current Response Times: 10ms, 10ms, 10ms, 17ms
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers]

Fastest
  • Some time later, response times change
  • Current Response Times: 10ms, 10ms, 7ms, 7ms
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers]

Observed
  • Next request goes to Node with combination of fewest connections and best response
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers]

Predictive
  • Next request goes to Node with combination of fewest connections and best response over time
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers]

Priority Group Activation
  • If you set Priority Group Activation to 2, and 3 of the highest priority members are available, then lower priority members will not be used.
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers, Priority 1, Priority 4]

Priority Group Activation
  • If number of members falls below Priority Group Activation (2), then the next highest priority members are used also.
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers, Priority 1, Priority 4]

Fallback Host
  • If all members fail, then client is sent a redirect to an alternate server.
  • [Diagram: Clients, Internet, Router, BIG-IP LTM Controller, Servers]

Pool Member vs. Node
  • Load Balancing by:
  • Pool Member: IP Address & service
  • Node: Total services for one IP Address

If using Member
  • Next request goes to Pool Member with fewest connections
  • Current Connections: http 107 108 99, ftp 23 25 12
  • If pool uses Least Connections (member) load balancing method, then

If using Node
  • Next request goes to IP Address with fewest total connections
  • Current Connections: http 107 108 99, ftp 23 25

Configuring Load Balancing

Ratio & Priority Group Activation

Module 3 - Monitors

Module 3 - Outline
  • Monitor Concepts
  • Configuring Monitors
  • Assigning Monitors
  • Node and Member Status
  • Health Monitor Labs

Monitor Concepts
  • Address Check: Node IP Address
  • Service Check: IP : port
  • Content Check: IP : port plus check data returned
  • Interactive Check
  • Path Check

Address Check
  • Steps
  • Packets sent to IP Addresses
  • If no response, then no traffic sent to members using that node address
  • Example - ICMP

Service Check
  • Steps
  • Opens TCP connection (IP Address : service)
  • Connection closed
  • If TCP connection fails, then no traffic sent to associated Members
  • Example: TCP

Content Check
  • Steps
  • Opens TCP connection (IP Address : service)
  • Sends a request
  • Response returns data
  • Connection closed
  • If Receive Rule not found in data, then no traffic sent to associated Members
  • Example: GET /

Interactive Check
  • Steps
  • Opens TCP connection (IP Address : service)
  • Interactive conversation to simulate real-world
  • Connection closed
  • If expected results do not occur, then no traffic sent to associated Members
  • Example: SQL request conversation

Path Check
  • Steps
  • Sends packet through, not to the device
  • Can check IP Address, Service or Content
  • If condition not met, then no traffic sent through associated member
  • [Diagram: Link Cntl, ISP1, ISP2, f5]

Configuring Monitors
  • System Supplied Monitors (Templates)
  • Address Checks (icmp)
  • Service Checks (tcp)
  • Content Checks ()
  • Interactive Checks (ftp)
  • Availability:
  • All templates can be customized
  • Some can be Assigned "as-is"
  • Some can only be used as Templates for Custom Monitors

Creating Custom Monitors

Additional Monitor Parameters
  • Receive Rule: If content found, Node marked Up
  • Reverse Receive Rule: If content found, Node marked Down
  • Transparent: If Path Available, Node marked Up
  • Used for monitoring Links

Monitor Timers
  • Frequency (Interval)
  • Timeout
  • Recommended 3n + 1

Assigning Monitors
  • Default for all Nodes
  • Single Node Options
  • Node Default
  • Node Specific
  • None
  • Default all Members of a Pool
  • Single Pool Member Options
  • Inherit from Pool
  • Member Specific
  • None

Assigning Monitors to Nodes
  • For one Node

Assigning Monitors to Pools
  • For one Member

Member and Node Status
  • Parent-Child S
