Getting Started BIG-IP Part2 AppDelivery Lab Guide PDF
Getting Started BIG-IP Part2 AppDelivery Lab Guide PDF
Getting Started BIG-IP Part2 AppDelivery Lab Guide PDF
Lab Guide
November, 2018
Legal Notices
Copyright 2018; F5 Networks; Inc. All rights reserved.
F5 Networks; Inc. (F5) believes the information it furnishes to be accurate and reliable. However; F5 assumes no responsibility for the use of this
information; nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or
otherwise under any patent; copyright; or other intellectual property right of F5 except as specifically described by applicable user licenses. F5
reserves the right to change specifications at any time without notice.
Trademarks
AAM, Access Policy Manager, Advanced Client Authentication, Advanced Firewall Manager, Advanced Routing, AFM, APM, Application
Acceleration Manager, Application Security Manager, AskF5, ASM, BIG-IP, BIG-IP EDGE GATEWAY, BIG-IQ, Cloud Extender, Cloud
Manager, CloudFucious, Clustered Multiprocessing, CMP, COHESION, Data Manager, DDoS Frontline, DDoS SWAT, Defense.Net,
defense.net [DESIGN], DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM,
ENGAGE, Enterprise Manager, F5, F5 [DESIGN], F5 Agility, F5 Certified [DESIGN], F5 Networks, F5 SalesXchange [DESIGN], F5 Synthesis,
f5 Synthesis, F5 Synthesis [DESIGN], F5 TechXchange [DESIGN], Fast Application Proxy, Fast Cache, FCINCO, Global Traffic Manager,
GTM, GUARDIAN, iApps, IBR, iCall, iControl, iHealth, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iQuery,
iRules, iRules OnDemand, iSession, L7 Rate Shaping, LC, Link Controller, LineRate, LineRate Point, LineRate Precision, LineRate Systems
[DESIGN], Local Traffic Manager, LROS, LTM, Message Security Manager, MobileSafe, MSM, OneConnect, Packet Velocity, PEM, Policy
Enforcement Manager, Protocol Security Manager, PSM, Ready Defense, Real Traffic Policy Builder, SalesXchange, ScaleN, SDAS (except in
Japan), SDC, Signaling Delivery Controller, Solutions for an application world, Software Designed Applications Services, Silverline, SSL
Acceleration, SSL Everywhere, StrongBox, SuperVIP, SYN Check, SYNTHESIS, TCP Express, TDR, TechXchange, TMOS, TotALL, TDR,
TMOS, Traffic Management Operating System, Traffix, Traffix [DESIGN], Transparent Data Reduction, UNITY, VAULT, vCMP, VE F5
[DESIGN], Versafe, Versafe [DESIGN], VIPRION, Virtual Clustered Multiprocessing, WebSafe, and ZoneRunner, are trademarks or service
marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and
company names herein may be trademarks of their respective owners.
Table of Contents
Labs .......................................................................................................................................... 1
Lab 1: Processing Traffic .......................................................................................................................................1
Lab 2: Resolving Routing Issues with SNAT Auto Map .......................................................................................7
Lab 3: Monitoring Application Health ................................................................................................................. 11
Lab 4: Modifying Traffic Behavior with Profiles ................................................................................................. 15
Lab Objectives
• Configure a virtual server that will load balance traffic to a back-end web application.
• Access the virtual server to ensure it is correctly delivering the web application.
• View traffic statistics on the BIG-IP system to confirm traffic flow.
Lab Requirements
You must have successfully completed the instructions entitled “Starting up the Lab Environment” in the
Getting Started Lab Introduction document.
Configuration utility
Configuration section
Name http_pool
Resources section:
Address: 172.16.20.1 Service Port 80, then click Add
New Members Address: 172.16.20.2 Service Port 80, then click Add
Address: 172.16.20.3 Service Port 80, then click Add
When complete, click… Finished
Configuration utility
Local Traffic » Virtual Servers » Virtual Server List, then click Create
4. Hard refresh the screen 5-10 times using Ctrl + F5. (This bypasses your browser’s cache and
forces content to be returned from the server again.) You should see the values on the page
change, depending on how your requests are load balanced.
5. Scroll down on the page to read a little about this web application. It is used throughout the
Getting Started Series labs.
a. Do you see traffic going both into and out of the virtual server?
b. What is the total number of connections made to the virtual server from the client?
c. What is the total number of bits sent out from the virtual server to the client?
7. Change the Statistics Type to Pools.
a. Do you see traffic going both into and out of the pool?
b. What is the total number of connections made to the pool as a whole, and how does that
compare with the total number of connections made to the virtual server?
c. Click the icon to determine what is the total number of connections to each pool
member? Are the totals roughly the same? Why?
d. What is the total number of bits sent out from the pool member to the BIG-IP system, and
how does that compare with the total bits sent out from the virtual server to the client?
e. Did each pool member send out the same number of bits? Why?
8. Reset the traffic statistics for the pool by selecting the checkboxes at the left of each pool member
entry, then clicking the Reset button, as shown below:
Expected Results
You should see the same amount of traffic going in and out of the virtual server as going in and out of the
pool as a whole. You should also see the same total number of connections on both the virtual server and
the pool as a whole.
Connections should be roughly evenly distributed between the three pool members, due to the pool’s load
balancing method, Round Robin.
The amount of traffic processed by each pool member depends on the requests for content that were made
to each pool member. Remember, a page is comprised of many elements – HTML, cascading style sheets,
images, scripts, etc. Each of these requests may require a separate load balanced connection to the back
end server. There is one image on the page – the blue gear image toward the top - that is exceptionally
large, and the pool member that served it will almost certainly show more bits out than the other pool
members.
Troubleshooting
If the BIG-IP local traffic statistics shows no connections to the virtual server:
• Look at your virtual server’s configuration to ensure its destination is set to 10.10.1.100 and its
service port is set to 80.
• Try to ping the virtual server from your Ubuntu client’s Linux terminal. If you can ping the
virtual server successfully, the issue is most likely associated with your BIG-IP configuration.
Confirm that your lab environment was properly initialized by viewing the self IPs defined on
your BIG-IP system. Navigate to Network > Self IPs. You should see the following:
If statistics show no connections to the pool, look at your virtual server’s configuration and ensure that its
Default Pool setting points to http_pool.
Lab Objectives
• Solve a common routing issue in a BIG-IP application delivery environment that occurs when a
node’s default gateway does not pass traffic back through the BIG-IP system.
Lab Requirements
You must have successfully completed the instructions entitled “Starting up the Lab Environment” in the
Getting Started Lab Introduction document.
Configuration utility
Configuration section
Configuration Basic
Name http_pool2
Resource section:
Address: 172.16.22.1 Service Port 80, then click Add
New Members Address: 172.16.22.2 Service Port 80, then click Add
Address: 172.16.22.3 Service Port 80, then click Add
When complete, click… Finished
Configuration utility
Local Traffic » Virtual Servers » Virtual Server List, then click Create
4. View statistics and validate that traffic is flowing to the back end servers, but no response is
coming back to BIG-IP.
Configuration utility
Expected Results
• Traffic is coming in to the virtual server, but virtually no traffic is going out, except for the
packets required to complete the client-side connection.
• More importantly, traffic is sent to the pool members, but nothing is returned. The server-side
TCP connection never completes.
5. Configure Source Address Translation with Auto Map. This setting changes the source address
from the client’s IP address to the floating self IP on VLAN internal (the egress VLAN). This will
cause the server response to go back through the BIG-IP system, rather than through the server’s
default gateway.
Configuration utility
Configuration section
Source Address Translation Select Auto Map
When complete, click… Update
6. Try connecting to http://10.10.1.102 again. Refresh the screen 5-10 times using Ctrl + F5.
- What is the client IP address as seen by the pool member?
- Is traffic going in and out of the pool members?
Expected Results
• You should see traffic going to and coming from the pool members
Lab Objectives
• Monitor the health of an HTTP web application
Lab Requirements
You must have successfully completed the instructions entitled “Starting up the Lab Environment” in the
Getting Started Lab Introduction document.
Configuration utility
Configuration utility
Configuration section
Move My_HTTP from the Available column to the
Health Monitors
Active column.
When complete, click… Update
3. Notice that the availability of the pool is now Available (Enabled), as indicated by a green circle
icon.
4. Click the Members tab and verify that the status of each member is Available as indicated by the
green circle icon.
Configuration utility
Configuration section
Send String GET /index.php\r\n
Receive String Server 2
When complete, click… Update
Configuration section
Send String GET /index.php\r\n
Receive String Server [1-3]
When complete, click… Update
11. Navigate to Local Traffic » Pools and click http_pool. Click the Members tab. What are the
pool members’ status now?
Expected Results
• When the receive string was set to “Server 2,” only the pool member 172.16.20.2:80 returned a
value that matched. The other two pool members 172.16.20.1:80 and 172.16.20.3:80 returned
“Server 1” and “Server 3” respectively. Therefore, they were marked by the monitor as
“unavailable” to process traffic after the default timeout value expired.
• After changing the receive string to “Server [1-3], all pool members returned a value that
matched. Therefore, you should see all pool members are “Available (Enabled) – Pool member is
available” as indicated by the green circle.
Lab Objectives
• Create a Client SSL profile, assign the profile to a virtual server, and observe the change in traffic
behavior between the BIG-IP system and the pool member.
Estimated time for completion: 20 minutes
Lab Requirements
You must have successfully completed the instructions entitled “Starting up the Lab Environment” in the
Getting Started Lab Introduction document.
Configuration utility
Local Traffic Virtual Servers : Virtual Server List, then click Create
2. Test connection to the virtual server by opening a web browser session to https://10.10.1.100.
3. If using Firefox, click I Understand the Risks. Click Add Exception. Click to deselect the
check next to Permanently store this exception. Click Confirm Security Exception.
4. You should see a Web page similar to those in the previous labs, with the exception of a red
background. The red background indicates that the content is encrypted, given that it is served
from port 443.
Generate a Certificate
In a production BIG-IP environment, you would almost certainly import and install a certificate from a
trusted Certificate Authority to use in conjunction with your Client SSL profile. In our lab environment,
we’ll mimic this behavior but create and test with a self-signed certificate instead.
5. Create a new self-signed certificate called TestCertificate.
Configuration utility
System » Certificate Management: Traffic Certificate Management: SSL Certificate
List and click Create
General Properties section
Name TestCertificate
Certificate Properties section
Issuer Self
Common Name www.testsite.com
Division Training
Organization F5 Networks
Locality Seattle
State or Province Washington
Country United States
Key Properties section
Size 2048 bits
When complete, click… Finished
Configuration Utility
Configuration utility
Local Traffic » Virtual Servers : Virtual Server List, then select ssl_vs
Configuration section
SSL Profile (Client) Pr_Client_SSL
When complete, click… Update
This will cause BIG-IP to terminate SSL encryption inside BIG-IP and send traffic over the server side
connection unencrypted.
8. Connect by opening a browser session to https://10.10.1.100. Refresh the screen using Ctrl + F5
to force the browser not to use its cache.
9. If using Firefox, click I Understand the Risks. Click Add Exception. Click to deselect the
check next to Permanently store this exception. Click Confirm Security Exception.
Expected Results
A Bad Request response is displayed. The reason is BIG-IP negotiates the cert and key exchange, but our
app breaks because we’re load balancing to a pool that is expecting encrypted traffic.
Since we’re sending unencrypted traffic across server side connection, we can load balance to a pool of
servers that is not expecting encrypted traffic.
11. Connect again to https://10.10.1.100 and you will see a blue background.
Expected Results
After changing the default pool to http_pool, you should see the output being served from port 80 even
though you connected to a port 443 virtual server.
You have completed the labs associated with this WBT. Please
terminate your lab session now.