Published on

Big-IP F5

Authors
  • Name
    Jackson Chen

Obtain F5 Trial Key

https://f5.com/trials

Register for 30 days trial keys

F5 Traffic Management Microkernel (TMM)

K14340 - TMM is a multi-threaded process

Automating F5 Application Services

https://www.f5.com/services/resources/white-papers/automating-f5-application-services--a-practical-guide-

Overview of TCP connection setup for BIG-IP LTM virtual server types

https://support.f5.com/csp/article/K8082

The BIG-IP virtual server type specifies the attributes for a virtual server. For example, a Standard virtual server has a different set of attributes and is used to process traffic differently than a Forwarding virtual server. The virtual server type can be found in the Configuration utility by navigating to Local Traffic > Virtual Servers, clicking a specific virtual server, and then viewing the Type drop-down box. There are following connection setup characteristics for BIG-IP LTM virtual server types:

Standard virtual server

Performance Layer4 virtual server

Performance HTTP virtual server

Forwarding Layer 2 virtual server

Forwarding IP virtual server

Reject virtual server

Network Traffic Flow In and Out Via F5 and Firewall

https://www.f5.com/services/resources/white-papers/load-balancing-101-firewall-sandwiches

Forwarding IP virtual server

The Forwarding IP virtual server type uses the Fast L4 profile. An IP forwarding virtual server forwards the packet directly to the next hop IP address specified in the client request. Therefore, when the BIG-IP LTM system evaluates the packet for processing, the system looks only at the destination IP address. The Forwarding IP virtual server processes connections on a packet-by-packet basis.

The Forwarding IP virtual server operates on a packet-by-packet basis with the following TCP behavior: the initial SYN request is sent from the client to the BIG-IP LTM virtual server. The BIG-IP LTM virtual server passes the SYN request to the next IP address in the associated VLAN, based on the destination IP address.

Forwarding_VIP_Flow_Diagram
Overview of IP Forwarding Virtual Servers

https://support.f5.com/csp/article/K7595

An IP forwarding virtual server accepts traffic that matches the virtual server address and forwards it to the destination IP address that is specified in the request rather than load balancing the traffic to a pool. Address translation is disabled when you create an IP forwarding virtual server, leaving the destination address in the packet unchanged. When creating an IP forwarding virtual server, as with all virtual servers, you can create either a host IP forwarding virtual server, which forwards traffic for a single host address, or a network IP forwarding virtual server, which forwards traffic for a subnet.

Load Balancing VMware Unified Access Gateway

https://www.f5.com/pdf/solution-center/load-balancing-vmware-unified-access-gateway-servers-deployment-guide.pdf

Configuration

Interface Tagged or Untagged

Tagged means the VLAN dot1q header is going to be added to the frame and sent to the downstream device. This is normally done to trunk interfaces (or VLAN "Trunking") on a switch so it knows what VLAN the frame belongs to.

Untagged means the frame gets sent out the port with no VLAN information. This is configured on an access port, such as wireless access point.

Normally, you will probably set both of these as tagged interfaces so you can use multiple VLANs per interface instead of building a new interface for each and every VLAN if it was an untagged interface.

When deploy virtual F5, the VM network interface is "connected" to the distributed port group. The distributed port group has VLAN association, therefore, the F5 interface will be untagged.

You could ping the F5 interface and watch the ping result by toggle the F5 interface between tagged and untagged.

When deploy physical F5, then configure the F5 interface to tagged.

VLANs and Interfaces

https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-tmos-routing-administration-14-1-0/vlans-vlan-groups-and-vxlan.html

By default, the BIG-IP® system includes VLANs named internal and external. When you initially ran the Setup utility, you assigned the following to each of these VLANs:

  1. A static and a floating self IP address
  2. A VLAN tag
  3. One or more BIG-IP system interfaces

VLANs internal and external reside in partition Common. VLANs are directly associated with the F5 interfaces on the BIG-IP® system.

    --------- External -----------
                 | Default Gateway (0.0.0.0 - Global Gateway)
                 |
                 |       
    NIC3         | NIC1
   - HA---- BIG IP F5 ------ NIC4 - Management
                 |          (Hidden from GUI)
                 |
                 |NIC3 (eth2)
    -------- Internal Network ----------

Static route may need to be added to internal interface to reach network that are not included in internal network VLAN. This will enable virtual server (VIP) able to ruote traffic to the required backend systems.

About VLANs and interfaces

VLANs are directly associated with the physical interfaces on the BIG-IP® system.

Interface assignments

For each VLAN that you create, you must assign one or more BIG-IP® system interfaces to that VLAN. When you assign an interface to a VLAN, you indirectly control the hosts from which the BIG-IP system interface sends or receives messages. You can assign not only individual interfaces to the VLAN, but also trunks.

Creating a VLAN

  1. On the Main tab, click Network -> VLANs
  2. Click Create and enter the unique name for the VLAN
  3. In Tag field, type a number tab, between 1-4094 for the VLAN. If leave blank, BIG IP system will automatically assign a VLAN tag
  4. For the Interface settings a) From the Interface list, select an interface number. Select the required interface. b) From the Tagging list, select Untaggeg, and click Add

SNAT or NONE

Understanding the SNAT interaction with the BIG-IP APM system https://support.f5.com/csp/article/K33368912

Network Access clients are unable to access internal networks when the Network Access resource SNAT Pool setting is set to None

https://support.f5.com/csp/article/K11142554

Symptoms

As a result of the SNAT Pool setting being set to None, you may encounter the following symptoms:

Network Access clients are unable to access internal networks when connecting to the BIG-IP APM Network Access resource. tcpdump indicates that traffic from the Network Access client, such as Internet Control Message Protocol (ICMP) packets or TCP SYN requests, is not being replied to through the BIG-IP APM system.

Enable SNAT

Edit the required virtual server, and configure SNAT to Automap

Not Configuring to Use SNAT

When virtual server configuration Source Address Translation (SNAT) is set to none, the F5 pool members are required to be able to route the traffic back to the source system (the system that initialising the traffic to the VIP), either by network route or having static route configured at the member node system using subnet static route, or host static route (/32) using F5 internal floating IP as the default gateway.

Advantage: The monitoring system will see the traffic sources are comming from external client or systems for auditing.

Configuring to Use SNAT

When VIP configuration Source Address Translation is set to either Auto Map or SNAT, the F5 pool members return the traffic back to F5 internal IP address, no network route or pool member static route configuration is required. All traffic is route through F5 for incoming and outgoing traffic.

Disadvantage: The monitoring system will see all traffic in and out of F5, rather than the external systems. Advantage: No network route or member node static route requires

NTP Health Checks

https://weberblog.net/f5-big-ip-application-level-ntp-health-checks/

Build a Custom UDP Monitor

Custom UDP monitor send string:

\xe3\x00\x03\xfa\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00%NTPMON%

The receive string that can be used is:

^.{24}%NTPMON%.{16}$

Using this custom monitor will stop the need of adding an ICMP health check to test whether the system is still up and adds a (partial) application level NTP check to the pool member.

Load Balancing NTP via F5 LTM

https://weberblog.net/load-balancing-ntp-via-f5-big-ip-ltm/

Add Remote syslog Server

1. Log into TMOS shell (tmsh)
tmsh

2. Add a sinlge syslog remote server: 
modify /sys syslog remote-servers add {<name> {host <IP address or FQDN> remote-port<port>}}
modify /sys syslog remote-servers add {mysyslog {host 172.28.31.40 remote-port 514}}  # Example
save /sys config    # Save the configuration
perform ConfigSync to synchronize the changes to the other devices in the device group

3. Add multiple syslog remote serverws
modify /sys syslog remote-servers add {<name> {host <IP address or FQDN> remote-port<port>} <name> {host <IP address or FQDN> remote-port<port>}}
modify /sys syslog remote-servers add {mysyslog1 {host 172.28.31.40 remote-port 514} mysyslog2 {host 172.28.31.41 remote-port 514}} 

4. Management Console
a. System > Logs > Configuratio > Remote Logging
b. In Remote IP, ther the destination syslog server IP address, or FQDN (DNS server configuration required)
c. In Remote Port, enter the remote syslog server UDP port (default 514)
d. Click Add, then select Update
e. Perform ConfigSync to synchronize the changes to the other devices in the device group

Note:
We could add the syslog F5 VIP to F5 remote syslog server to load balancing F5 syslog.

tcpdump Traffic Analysis

https://clouddocs.f5.com/training/community/adc/html/class4/module1/lab01.html

https://www.tcpdump.org/manpages/tcpdump.1.html

# list all the available interfaces for packet capture
    tcpdump -D      # uppercase D

    # Network interface
        internal
        external
        eth0
        0.0     # all interface

# switches
    -i  # capture traffic on a specific interface
    -n  # disable name resolution of host names
    -nn # disable name resolution of both host names and port numbers
    -e  # print link-level header, print MAC layer addresses
    -v  # print parsing and printing, produce (slightly more) verbose output
    -vv     # even more verbose output
    -vvv    # even more verbose output
    -p      # No-promiscuouse-mode

# Realtime packets capture
tcpdump -nnpvi internal
tcpdump -nnpvei  internal
tcpdump -nnpi any   # any interface
tcpdump -ni eth0 net 1.2.3
    # capture management interface and network 1.2.3.x
tcpdum -ni eth0 net 1.2.3 | grep 4.5.6.7
    # capture management interface and network 1.2.3.x, and
        associate with ip 4.5.6.7
tcpdump -i 1.1     # capture traffic on interface 1.1
tcpdum -i <vlan>    # capture traffic on <vlan>
tcpdump -ni 0.0     # capture traffic on all interface, except management interface

# filter icmp traffic
tcpdum -ni eth0  'ip[q]==1'

# Ping on specific F5 self-ip
ping -I 1.2.3.4  6.7.8.9
    # Ping from ip 1.2.3.4 to 6.7.8.9



# F5 log
tail -f /var/log/ltm

# Shutdown and restart interface
ifconfig internal down  # shutdown internal interface
ifconfig internal up    # Enable internal interface

# Display ARP table - Address Resolution Protocol
arp -a      # It also shows all the entries of the ARP cache and table
arp -a | grep -v <IP | part of IP address>  # Example:  arp -a | grep -v x.y

# Capture traffic to pcap file
tcpdump -nn -s0 -i 0.0:nnnp -w /shared/tmp/Cxxxx_tcpdump_$(date +%d_%b_%H_%M_%S)_$HOSTNAME.pcap host x.x.x.x or host y.y.y.y or host z.z.z.z 

x.x.x.x = IP address of client connecting to the virtual server. Or if this IP address is unknown, the IP address of the virtual server.
y.y.y.y = IP address of first pool member
z.z.z.z = IP address of second pool member.
The -i 0.0:nnnp flag will capture traffic on all VLANs and it will also enable the F5 Ethernet Trailer. The F5 Ethernet trailer will gather F5 specific information which can be analyzed in Wireshark.
F5 daemons or services

https://support.f5.com/csp/article/K14736

# Restart F5 service
1. Using tmsh
tmsh stop /sys service <service name>
tmsh start /sys service <service name>
tmsh restart /sys service <service name>
tmsh show /sys service <service name>

Note:
a. To restart all services, enter the following command:
    tmsh restart /sys service all

b. To restart multiple services, use the following syntax:
    tmsh restart /sys service <service> <service>

2. Using bigstart command
bigstart stop <service name>
bigstart start <service name>
bigstart restart <service name>
bigstart status <service name>

3. Using the Configuration utility
a. Log in to the Configuration utility.
b. Go to System > Services.
c. In the Service column, locate the name of the service you want to start, stop, or restart.
d. Select the check box next to the service name.
e. Select Start, Stop, or Restart.
f. Select OK.

# View the status of the service daemon
tmsh show /sys service <service-name>

Managing Static Routes

https://support.f5.com/csp/article/K13833

Configure F5 Active Directory Remote Authentication

F5 uses local users as default login, we could configure F5 to allow administrators logging to F5 using Active Directory logon credentials.

https://somoit.net/f5-big-ip/authentication-using-active-directory

# From F5 management console, navigate to System -> Users -> Authentication
1. Set the User Directory value to Remote - Active Directory (Select from options)
2. In Authentication Windows, enter the configuration
# Authentication section
User Directory: Remote - Active Directory
Host:   Active Directory domain controller FQDN or IP address
Port:   389 (ldap) or 636 (ldaps)
Remote Directory Tree:  The LDAP directory tree where the Active Directory users accounts locate
    OU=admins,ou=Testings,dc=f5local,dc=local
Scope:  one (select from options)
Bind:   CN=F5ldap,ou=services,dc=f5local,dc=local
User Template: (blank)
Check Member Attribute in Group: Enabled    # This will enable F5 to check login user group membership
SSL:    Disabled (ldap)  Enabled (ldaps)

# External Users section
Role: No Access     Note: Will use Remote Role Groups for group member access
Partition: All
Terminal Access: Disabled

# From F5 management console, navigate to System -> Users -> Remote Role Groups
Group Name: Admins
Line Order: 1000
Attribute String: memberOF=cn=admins,ou=Groups,dc=f5local,dc=local  # The login user requires to be member of admins group
Remote Access: Enabled
AssingRole: Administrator
Terminal Access: Disabled/tmsh

Configuring an HTTP virtual server to redirect to HTTPS using an iRule

https://support.f5.com/csp/article/K10090418

The method that F5 recommends for redirecting traffic from an HTTP virtual server to an HTTPS virtual server is to use an iRule. The BIG-IP system comes with a default F5 verified iRule named _sys_https_redirect that is provided for this purpose. You can do one of the following:

  1. Configure the HTTP virtual server to use the default _sys_https_redirect iRule.
  2. Create a new iRule using the _sys_https_redirect iRule code as a template, and then make changes to the code to suit your environment.

You can use a custom iRule to redirect HTTP requests if your HTTPS virtual server uses a port other than the default port 443

# Procedure
1. Log in to the BIG-IP Configuration utility.
2. Go to Local Traffic > Virtual Servers.
3. Select the HTTP virtual server you want to redirect.
4. For HTTP Profile (Client), select the HTTP profile you want to use. For example, http.
    Note: For versions prior to to BIG-IP 14.x, set HTTP Profile to the HTTP profile you want to use.
5. Select Update.
6. Select the Resources tab.
7. For iRules, select Manage.
8. For Available, select _sys_https_redirect and move it to the Enabled list.
9. Select Finished.

# tmsh commands
1. Log in to tmsh by typing the following command:
tmsh
2. Modify the HTTP virtual server that you want to redirect to so that it uses HTTP or the HTTP profile you want by using the following command syntax:
modify ltm virtual <virtual server name> profiles add { <name of HTTP profile> }

For example, for an HTTP virtual server named my_http_vs80, enter the following command:
modify ltm virtual <my_http_vs80> profiles add {http}

3. Modify the HTTP virtual server that you want to redirect to use the _sys_https_redirect iRule by using the following command syntax:
modify /ltm virtual <virtual server name> rule { _sys_https_redirect }

For example, for an HTTP virtual server named my_http_vs80, enter the following command:
modify /ltm virtual my_http_vs80 rule { _sys_https_redirect }
How to create custom iRule to HTTPS on non-standard port
1. Log in to the BIG-IP Configuration utility.
2. Go to Local Traffic > iRules.
3. Select Create.
4. Enter the Name you want for this custom iRule.
    For example:    redirect_8443
5. For Definition , enter the following iRules syntax:
    when HTTP_REQUEST {
    HTTP::redirect https://[getfield [HTTP::host] ":" 1]:<destination port>[HTTP::uri]
    }

For example, if your HTTPS virtual server is configured for a non-standard port or 8443, enter the following iRule:
    when HTTP_REQUEST {
    HTTP::redirect https://[getfield [HTTP::host] ":" 1]:8443[HTTP::uri]
    }
6. Select Finished.

Load Balancing VMware Unified Access Gateway (UAG)

Load Balancing VMware Unified Access Gateway Deployment Guide Load Balancing VMware Unified Access Gateway Deployment Guide

Load Balancers and Thycotic Secret Server

https://www.ibm.com/support/pages/load-balancers-and-secret-server

https://thycotic.force.com/support/s/article/Clustered-Secret-Server-with-Load-Balancer

iRule Usage

Configuring an iRule to select an alternate Pool from the Default Pool based on client IP address

https://support.f5.com/csp/article/K43431442

You can configure a virtual server to select an alternate pool to the one assigned by default within the virtual server configuration, based on the client's IP address. This can be done using an iRule.

This is useful when some clients accessing the virtual server need to be sent to a different pool or server than what is associated with the Virtual server.

Creating an iRule to perform pool selection

Create an iRule to perform Pool selection and apply that iRule to the Virtual Server the client will connect to, using the following procedure. Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. In the BIG-IP Configuration utility, go to Local Traffic -> iRules and select Create.
  2. Give the iRule an appropriate name.
  3. For Description, enter the following:
when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals x.x.x.x] } {
     pool my_pool
 }
}
  1. Edit the 10.10.10.10 IP address in the iRule to reflect the IP you want to send to the alternate pool.
  2. Then edit the my_pool name to reflect the name of the alternate pool.
  3. Then select Finished to save the new iRule.
  4. Go to the virtual server, select the Resources tab.
  5. Select Manage iRules, and add the new iRule.

Alternately, an iRules data group containing a list of IP addresses can be used along with the class match iRules command to match the client's IP to a list of IP addresses.

Here's an example of such an iRule:
when CLIENT_ACCEPTED {
  if { [class match [IP::client_addr] equals DG] } {
     pool my_pool_a
  } else {
     pool my_pool_b
 }
}
Creating a Data Group

If using one of the iRules from the previous procedure that utilize Data Groups, perform the following procedure to create one: Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Go to Local Traffic > iRules > Data Group List.
  3. Select Create.
  4. For Name, enter a name for the data group.
  5. For Type, select Address.
  6. For Address, enter the IP address you want and select Add. Repeat to add more addresses as needed. You do not need to enter anything in for Value.
  7. Select Finished.

iRule for selecting a Pool or Pool-member based on HTTP Request URI contents

An iRule can be used to select a specific Pool or Pool-member based on the client's HTTP Request URI contents. This can be helpful when you want to direct certain client HTTP Requests to a different Pool than the Virtual Server's configured Default Pool, or to a specific Pool-member of a Pool, whether a member of the Default Pool or a different Pool.

  1. Create a new iRule similar to one of the two iRules below, depending on whether Pool or Pool-member selection is needed.
Pool selection iRule example:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
when HTTP_REQUEST {
  if { [HTTP::uri] contains "*.css*" }{
    pool css_pool
  } elseif { [HTTP::uri] contains "*.jpg*" }{
    pool jpg_pool
  } else {
    pool html_pool
  }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pool-member selection iRule example:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
when HTTP_REQUEST {
  if { [HTTP::uri] contains "*.css*" }{
    pool css_pool member 10.10.10.10 80
  } elseif { [HTTP::uri] contains "*.jpg*" }{
    pool jpg_pool member 10.10.10.20 80
  } else {
    pool html_pool member 10.10.10.30 80
  }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: The Port# follows the Pool-member IP above.
  1. Assigned the new iRule to the pertinent Virtual Server.

iRules 101

https://community.f5.com/t5/technical-articles/irules-101-05-selecting-pools-pool-members-and-nodes/ta-p/277059

A very common use of iRules is to choose an appropriate destination based on the current traffic or request details.

iRules 101 – #01 – Introduction to iRules
iRules 101 – #02 – If and Expressions
iRules 101 – #03 – Variables
iRules 101 – #04 – Switch
iRules 101 – #05 – Selecting Pools, Pool Members, and Nodes
iRules 101 – #06 – When
iRules 101 – #07 – Catch
iRules 101 – #08 – Classes
iRules 101 – #09 – Debugging
iRules 101 – #10 – Regular Expressions
iRules 101 – #11 – Events
iRules 101 – #12 – The Session Command
iRules 101 – #13a – Nested Conditionals
iRules 101 – #13b – TCL String Commands Part 1
iRules 101 – #14 – TCL String Commands Part 2
iRules 101 – #15 – TCL List Handling Commands
iRules 101 – #16 – Parsing String with the TCL Scan Command
iRules 101 – #17 – Mapping Protocol Fields with the TCL Binary Scan Command

Overview of IP forwarding virtual servers

https://support.f5.com/csp/article/K7595?sr=53464747

An IP forwarding virtual server is useful when you want to configure the BIG-IP system to pass infrastructure-related traffic, such as ICMP traffic, or any traffic (*)

Impact of procedure: The impact of the following procedure depends on the changes you apply through the virtual server. Always ensure modifications are compatible with your environment. F5 recommends that you test any such changes during a maintenance window and consider the possible impact on your specific environment.

# Creating an IP forwarding virtual server
1. Log in to the Configuration utility.
2. Go to Local Traffic > Virtual Servers.
3. Select Create.
4. Enter a Name for the virtual server.
5. For Type, select Forwarding (IP).
6. For Destination Address, enter the IP address for the virtual server. 
    Enter a Netmask if the destination is a network.
    For example:
    192.168.100.0/24 or 192.168.100.0/255.255.255.0
    
    Note: For BIG-IP versions prior to 11.6.0, if the destination is a single host, select Host. 
    If the destination is a network, select Network.

7. Enter a Service Port number or Select a service from the adjacent list. 
    Enter an asterisk character * to match all ports.
8. Clear the Notify Status to Virtual Address check box.
9. For Protocol, select a network protocol from the drop-down list. 
    You have the option to forward any protocol by selecting * All Protocols. 
    To specify a protocol by number, select Other. 
    You can view the list of protocol number assignments in /etc/protocols.
10. Configure other settings as needed.
11. Select Finished

Example of forwarding udp traffic

UDP is less stateful than TCP and does not typically require as long an idle timeout. To set a specific timeout for UDP traffic, you can create the wildcard forwarding virtual server described previously and a protocol-specific forwarding virtual server and profile similar to the following example.

ltm virtual /Common/vs_wildcard_forwarding_udp {
    destination /Common/0.0.0.0:0
    ip-forward
    ip-protocol udp
    mask any
    profiles {
        /Common/udp_fastl4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}

ltm profile fastl4 /Common/udp_fastl4 {
    app-service none
    defaults-from /Common/fastL4
    idle-timeout 5
}

how to enable routing between two vlans in f5 bigip load balancer

You create a network VS (virtual server) of type forwarding (IP). Unless you want something slightly weird, set the protocol to 'all protocols' and you have the choice of enabling or disabling VLAN's and tunnels. Slightly unusual from a 'normal' VS there's no VS address or port. But you do specify a destination (e.g. 0.0.0.0/0 for all traffic).

The forwarding will respect your routing table. And you can apply iRules etc. You can SNAT etc as well if you really need to.

The world is your oyster as they say.

Normally you'd use floating self-ip's for the gateway address. And if you want to get really fancy you can use route domains etc.

VLANs VLAN Groups and VXLAN

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-11-6-0/4.html

https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-tmos-routing-administration-14-1-0/vlans-vlan-groups-and-vxlan.html

K13833: Managing static routes in BIG-IP

https://support.f5.com/csp/article/K13833

F5 Self IP

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-11-6-0/5.html

How to Add TMM interfaces to the BIG-IP or BIG-IQ VE running on VMware ESXi

https://support.f5.com/csp/article/K12149

By default, when you deploy a BIG-IP or BIG-IQ VE or using an image (.ova file), the virtual machine guest environment includes the following four virtual network adapters:

  1. One for the management interface
  2. Two for the TMM interfaces
  3. One for high availability (HA) purposes

The software has no limitations on the number of interfaces that you can configure. However, F5 recommends that you do not configure more than 10 virtual network interfaces for each virtual machine.

Add up to two additional TMM interfaces (for a total of four)

You must reboot the system, and modifying the network interface disrupts traffic. F5 recommends that you perform the following procedure only during a scheduled maintenance window.

1. Log in to the BIG-IP or BIG-IQ VE system command line.
2. Ensure that the system properly detects the new interfaces when the system boots up later by forcing the mcpd process to reload the configuration. To do so, create a null file with the file name forceload in the directory
    /service/mcpd
    by entering the following command:
        touch /service/mcpd/forceload

3. Shut down the system by entering the following command:
    shutdown -h now

4. Start VMware vSphere Client.
5. Log in to the VMware vCenter server.
6. Right-click the virtual machine.
7. Select Edit Settings.
8. Under the Virtual Hardware tab, select ADD NEW DEVICE.
9. Select the Network Adapter device type.
10. Select VMXNET 3 as the adapter type.

    Important: 
    By default, the wizard selects Flexible as the adapter type. 
    If you do not change this setting to VMXNET 3, the new interface does not function. 
11. Enter the remaining required information for the new virtual network adapter.
12. Select OK.
13. Power on the system

Note: 
Unless the newly added interface is associated with a VLAN, it shows as UNINITIALIZED. 
This is explained in K12697: Initialization of a TMM interface on BIG-IP Virtual Edition.
Add more TMM interfaces (for a total range between 5 and 10)
# Procedure
1. To add more TMM interfaces (for a total range between 5 and 10),
    you must first perform the previous procedure, 
    Add up to two additional TMM interfaces (for a total of four). 
    If you have already completed that procedure, continue to the following step.
2. Log in to the BIG-IP or BIG-IQ VE system command line.
3. Ensure that the system properly detects the new interface when the system boots up later by forcing the mcpd process to reload the configuration. 
To do so, create a null file with file name forceload in the /service/mcpd directory, by entering the following command:
    touch /service/mcpd/forceload

4. Shut down the system by entering the following command:
    shutdown -h now

5. Start VMware vSphere Client.
6. Log in to the VMware vCenter server.
7. Right-click the virtual machine.
8. Select Edit Settings.
9. Under the Virtual Hardware tab, select ADD NEW DEVICE.
10. Select the Network Adapter device type.
11. Select VMXNET 3 as the adapter type.

Important: By default, the wizard selects Flexible as the adapter type. 
If you do not change this setting to VMXNET 3, the new interface does not function.

12. Enter the remaining required information for the new virtual network adapter.
13. Select OK.
Note: 
    You should add only one new network interface at each iteration of this procedure.

14. Power on the system.
15. Perform the following steps to ensure that the new network interface is properly mapped:
    a. To map the new network interface and MAC address into the BIG-IP system database, 
    enter the following command:
        f5-swap-eth -w

    b. To review whether the new virtual network interface is added correctly, 
    you can view the file /etc/ethmap. To do so, enter the following command:
        cat /etc/ethmap

16. Optional: To add another virtual network adapter, repeat steps 2 through 15.

Note: 
    To add an interface to a VLAN or trunk, 
    refer to the Implementation manual for your version of the BIG-IP system.

Note: Unless the newly added interface is associated with a VLAN, it shows as UNINITIALIZED. 
This is explained in K12697: Initialization of a TMM interface on BIG-IP Virtual Edition.

Self IP address

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-11-6-0/5.html

Traffic groups

If you want the self IP address to be a floating IP address, that is, an address shared between two or more BIG-IP devices in a device group, you can assign a floating traffic group to the self IP address. A floating traffic group causes the self IP address to become a floating self IP address.

A floating self IP address ensures that application traffic reaches its destination. More specifically, a floating self IP address enables a source node to successfully send a request, and a destination node to successfully send a response, when the relevant BIG-IP device is unavailable.

If you want the self IP address to be a static (non-floating) IP address (used mostly for standalone devices), you can assign a non-floating traffic group to the self IP address. A non-floating traffic group causes the self IP address to become a non-floating self IP address. An example of a non-floating self IP address is the address that you assign to the default VLAN named HA, which is used strictly to process failover communications between BIG-IP devices, instead of processing application traffic.

Creating a self IP address

Before you create a self IP address, ensure that you have created a VLAN that you can associate with the self IP address.

A self IP address enables the BIG-IP system and other devices on the network to route application traffic through the associated VLAN or VLAN group. When you do not intend to provision the vCMP feature, you typically create self IP addresses when you initially configure the BIG-IP system on the VIPRION platform.

If you plan to provision vCMP, however, you do not need to create self IP addresses during initial BIG-IP configuration. Instead, the host administrator creates VLANs for use by guests, and the guest administrators create self IP addresses to associate with those VLANs.

1. On the Main tab, click Network > Self IPs
2. Click Create. The New Self IP screen opens.
3. In the Name field, type a unique name for the self IP address.
4. In the IP Address field, type an IPv4 or IPv6 address. 
This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.
5. In the Netmask field, type the full network mask for the specified IP address.
6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
a. On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
b. On the external network, select the external VLAN that is associated with an external interface or trunk.
7. From the Port Lockdown list, select Allow Default.
8. From the Traffic Group list, retain the default value or select a traffic group.
9. Click Finished. The screen refreshes, and displays the new self IP address.

After you perform this task, the BIG-IP system can send and receive traffic through the specified VLAN or VLAN group. If the self IP address is member of a floating traffic group and you configure the system for redundancy, the self IP address can fail over to another device group member if necessary. After creating the self IP address, ensure that you repeat this task to create as many self IP addresses as needed.

# Assigning a self IP address to a VLAN

The self IP address that you assign to a VLAN should represent an address space that includes the self IP addresses of the hosts that the VLAN contains. 

For example
    if the address of one destination server in a VLAN is 10.0.0.1 
    and the address of another server in the VLAN is 10.0.0.2, 
    you could assign a self IP address of 10.0.0.100, 
        with a netmask of 255.255.0.0, to the VLAN.
# Creating a self IP address
Note: Before you create a self IP address, ensure that you have created at least one VLAN or VLAN group.

A self IP address enables the BIG-IP system and other devices on the network to route application traffic through the associated VLAN or VLAN group.

1. On the Main tab, click Network Self IPs
2. Click Create.
    The New Self IP screen opens.
3. In the Name field, type a unique name for the self IP address.
4. In the IP Address field, type an IPv4 or IPv6 address.
This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.
5. In the Netmask field, type the full network mask for the specified IP address.
6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
    a. On the internal network, 
        select the internal or high availability VLAN that is associated with an internal interface or trunk.
    b. On the external network, 
        select the external VLAN that is associated with an external interface or trunk.
7. From the Port Lockdown list, select Allow Default.
8. For the Traffic Group setting, choose one of the following actions:
Action                                  Result
-----------------------------------------------------------
Retain the default setting, traffic-group-local-only (non-floating).    
        The system creates a non-floating self IP address that becomes a member of traffic-group-local-only.

Select the check box labeled Inherit traffic group from current partition / path.   
        The system creates a floating self IP address that becomes a member of traffic-group-1.

Select a traffic group from the Traffic Group list. 
    The system creates a floating self IP address that becomes a member of the selected traffic group.
--------------------------------------------------------------

9. From the Service Policy list, retain the default value of None, 
    or select a policy to associate with the self IP address.
    A service policy contains a timer policy, which defines custom timeouts for matched traffic types.
10. Click Finished.
    The screen refreshes, and displays the new self IP address.

After you perform this task, the BIG-IP system can send and receive traffic through the specified VLAN or VLAN group. If the self IP address is member of a floating traffic group and you configure the system for redundancy, the self IP address can fail over to another device group member if necessary.

Floating IP - VIP

Floating ip is actully the VIP of the unit. and in some cases it also can be your pool members defult Gateway.

How to enable routing between two vlans in F5

https://community.f5.com/t5/technical-forum/howto-enable-routing-between-two-vlans-in-f5-bigip-load-balancer/td-p/239368

What is the different between self ip and floating ip

https://www.kareemccie.com/2020/04/what-is-difference-between-self-ip-and.html

How to Configure a BIG-IP System to Use a Floating Management IP Address (50122217)

https://kb.vmware.com/s/article/50122217

How to Clean Install F5

https://support.f5.com/csp/article/K13117

Create VLAN in F5

Create and modify VLANs using the tmsh utility

Create a VLAN with untagged interfacce

https://support.f5.com/csp/article/K14961#createuntagged

# Create a VLAN with an untagged interface
A VLAN can only be associated with a single untagged interface. 

1.  SSH to F5 and enter tmsh by entering the following command:
        tmsh

2. To create a VLAN on an untagged interface, use the following command syntax:
    create /net vlan <vlan_name> interfaces add { <interface> }

    For example:
    create /net vlan test-vlan interfaces add { 1.1 }

3. Save the change by entering the following command:
save /sys config

4. To view the BIG-IP system's VLAN configuration by entering the following command:
    show /net vlan
# Modify the untagged interface associated with an existing VLAN

Note: 
The replace-all-with command in this procedure replaces all interfaces currently associated 
with the VLAN with the specified untagged interface while leaving the VLAN otherwise intact.

1. Log in to tmsh by entering the following command:
        tmsh

2. To modify the untagged interface for a VLAN, use the following command syntax:
    modify /net vlan <vlan_name> interfaces replace-all-with { <interface> }

    For example:
    modify /net vlan test-vlan interfaces replace-all-with { 1.3 }

3. Save the change by entering the following command:
    save /sys config

4. To view the BIG-IP system's VLAN configuration, enter the following command:
    show /net vlan
s
Create and modify VLANs using the GUI utility

https://support.f5.com/csp/article/K24122354

# Creating a VLAN with an untagged interface
Note: A VLAN can only be associated with a single untagged interface.

1. Log in to Configuration utility.
2. To create a VLAN on an untagged interface, 
    click on the 'create' option under Network > VLAN > VLAN List
3. Choose the properties of the new VLAN (Name, Interface, etc) ,
    and ensure to select the option 'Untagged' under the tagging field.
4. Once completed click on 'Finished' to save the changes.
5. To view the BIG-IP system's VLAN configuration under  Network > VLAN > VLAN List.

# Modifying the untagged interface associated with an existing VLAN
1. Log in to Configuration utility.
2. To modify the interface associated to an existing untagged VLAN , 
    click on the VLAN name under  Network > VLAN > VLAN List
3. Remove the unwanted interface from the Resources section 
    by click on the interface name and then click on the 'Delete' option.
4. Add the new interface from the Resources section 
    by click under Interface and then choose the interface from the option list.
5. Once completed click on 'Update'  at the bottom of the GUI menu to apply and update the changes.

Big IP F5 initial setup

https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ve-setup-vmware-esxi-13-1-0/3.html

One arm deployment

K54312549: Quick deployment: One-armed load balancing configuration

https://support.f5.com/csp/article/K54312549

In a one-armed configuration, the virtual server and the load balanced servers are in the same subnet, or VLAN, which is the one-arm in the configuration (a two-armed network consists of internal and external VLANs).

Prerequisities

1. Subnets for internal and management VLANs
2. Internal VLAN IPs for:
    BIG-IP system
    Two pool members
    Virtual server
    Client
2. Management VLAN IPs for: 
    BIG-IP system
    Client
    DNS server
    NTP server

After deploying F5 from the ova file, access the F5 direct console

## Setup after deploying the OVA file

1. Changing the management port IP address and netmask

This is the only step you need to use the console for. 
First, you connect the console port to get a command prompt, 
and then you use the config command to configure the IP.

When using the console, to move your cursor, select the Tab key, and to make selections, select Enter.

1. Use the console to log in to the BIG-IP system, and then enter the following command:
    config

    The F5 Management Port Setup Configuration Utility displays.

2. elect OK.
3. Select IPv4.
4. Select No.
5. Enter the IP address for the BIG-IP system on the management VLAN, and then select OK.
6. Enter the desired netmask or select OK to keep the default netmask.
7. Select No, if you don't need a management route, 
    otherwise select Yes and enter the default route.
8. Select Yes.
9. You can check your change by entering the following command:
    tmsh list /sys management-ip

    The new management port IP address displays.
Using the Setup Utility

Opening the management IP address from the client

Now you can open the management IP address directly from the client.

  1. In a browser, enter https:// followed by the IP address for the BIG-IP system on the management VLAN. Note: When the BIG-IP system uses a self-signed certification to connect to the Configuration utility, a warning displays .You can ignore it.
  2. Log in to the Configuration utility. The Setup Utility displays.
  3. Select Next.
Activating the license

You must activate the license for your BIG-IP system, which can take a few minutes. For more information, refer to K7752: Licensing the BIG-IP system.

Provisioning modules, selecting the device certificate, and configuring the platform

  1. After you activate your license, click Continue.

The Resource Provisioning page displays. In the License Status column, you can see the licensed modules. In the Provisioning column, the system enables BIG-IP LTM by default.

  1. Select Next.
  2. Select Next to use the self-signed certification to connect to the Configuration utility and for device trust when you use Device Services Clustering (DSC).
  3. On the Platform page, under General Properties, in Host Name, enter a fully qualified domain name (FQDN).
  4. Under User Administration, in Root Account, enter a password.
  5. Select Next.
  6. Select Finished. This demonstration exits the Setup utility to complete the rest of the configuration manually, but you can continue using it to set up the components listed on the Network page.
Setting up the configuration

Configuring the NTP and DNS servers

Configuring the network time protocol (NTP) server is important because the BIG-IP system uses the NTP for timestamps on logs, synchronization in DSC, and other features. This demonstration uses one NTP and DNS server, but you likely have multiple servers.

  1. Go to System > Configuration > Device > NTP.

  2. In Address, enter the client address, and then select Add.

  3. Select Update.

  4. On the Device menu, select DNS.

  5. In DNS Lookup Server List, enter the client address, and then select Add. Note: Normally, you use the address of your local DNS server.

  6. Select Update.

Creating a VLAN and self IP

Setting up a network has two parts: establishing a VLAN and assiging a self IP to the VLAN for the BIG-IP to communicate on.

  1. Go to Network > VLANs.
  2. Select Create.
  3. In Name, enter Internal.
  4. Under Resources, on the Tagging list, select Untagged, and then select Add.
  5. Select Finished.
  6. Go to Network > Self IPs.
  7. Click Create.
  8. In Name, enter a name for the self IP.
  9. In IP Address, enter your self IP address.
  10. In Netmask, enter the mask. This demonstration uses a 255.255.255.0 for a 24 bit mask.
  11. On the VLAN / Tunnel list, select Internal.
  12. On the Port Lockdown list, select Allow Default.
  13. Select Finished.
Creating a custom monitor
  1. Go to Local Traffic > Monitors.
  2. Select Create.
  3. In Name, enter a name for the monitor.
  4. On the Type list, select HTTP. This demonstration uses the default settings for the monitor.
  5. Select Finished. Note: The monitors send HTTP 0.9 requests by default. If you have a server that requires, for example, an HTTP 1.1 request, you have to change the default value in Send String to include a Host header, at minimum.
Setting up a virtual server and pool

This demonstration uses a basic HTTP virtual server.

  1. Go to Local Traffic > Virtual Servers.
  2. Select Create.
  3. In Name, enter a name for the virtual server.
  4. In Destination Address/Mask, enter your virtual server IP address.
  5. In Service Port, enter 80.
  6. Under Configuration, on the HTTP Profile (Client) list, select http to set up an HTTP profile so the BIG-IP system can parse the HTTP traffic and use iRules that trigger on HTTP events.
  7. In the Source Address Translation list, select Auto Map to set up SNAT.
  8. Under Resources, in Default Pool, select the Add (+) button.
  9. In Name, enter a name for the pool.
  10. In Health Monitors, under Available, find the monitor you just created and select Move Left (<<) to make it active.
  11. Under Resources, in New Members, in Address, enter the IP address for your first pool member.
  12. In Service Port, enter 80, and then click Add.
  13. Repeat the previous two steps to add your second pool member.
  14. Select Finished.
  15. Select Finished again to save the virtual server configuration.
Testing the setup
  1. Open a browser on the client and enter the IP address of the virtual server.
  2. Make several requests to the virtual server. You can see the system bounce between the two pool members, indicating that load balancing is working.

When using Cookie Insert persistence, the BIG-IP system receives a response from a pool member, and then inserts a cookie containing the pool member IP address and port information for the client. When the BIG-IP system receives the response from the client, it parses the cookie and knows which pool member to send it to. To set up persistence, you create a persistence profile, and then you attach the profile to the virtual server.

Cookie persistence is superior when clients reach the BIG-IP system through a NAT'd (network address translation) device, such as a router, and multiple clients are NAT'd to the same IP address.

  1. Return to the Configuration utility, and go to Local Traffic > Profiles > Persistence.
  2. Click Create.
  3. In Name, enter a name for the profile.
  4. In the Persistence Type list, select Cookie.
  5. Select Finished.
  6. Go to Local Traffic > Virtual Servers.
  7. In the row for the virtual server you created, under Resources, select Edit.
  8. In the Default Persistence Profile list, select the profile you just created. Optionally, you can configure a Fallback Persistence Profile, such as source_addr.
  9. Select Update.
  10. You can test persistence by repeating the steps in the Testing the setup section and observing that requests now go only to one server.

F5 New Installation Steps

  1. Gather the requisities information
a. F5 management interface TCP/IP configuration
b. All network interfaces and VLANs that F5 will be using
c. F5 HA network interface TCP/IP configuration
d. All required pools and pool members
e. Network flow control and connectivities
  1. Deploy new F5 from ova file
  2. After start F5 the first time, access F5 direct console
  3. Login direct console as root/default
  4. Enter config to configure management interface
# F5 management interface configuration utility
    config
  1. Access F5 management web interface https://ip-or-fqdn
  2. login as admin
# The default login credential admin / admin
Note:
a. After configure F5 management interface, admin will have the same password as root
b. You will be prompt to change admin password when login to web interface the first time
  1. Activate the new F5
Note:
Access System -> Platform

This will access the page as the initial setup:
a. Timezone
b. hostname
c. server SSl certificate
  1. By default, F5 will have four network interfaces
a. Management interface
    It does not show from Network -> Interfaces
b. Interfaces
    1.1 - internal 
    1.2 - external
    1.3 - F5 HA
Note
    check network adapter MAC addresses for more details

Add additional network interface when required

# Add more network interface if required
    when more than 4 interfaces

    Add more TMM interfaces
    https://support.f5.com/csp/article/K12149

*** Important: Can only add ONE network interface at a time ***
Following step a) to f)

a. ssh to F5 management IP
b. Create a null file with file name forceload in the /service/mcpd directory, 
    by entering the following command:
        touch /service/mcpd/forceload
c. Shut down the system by entering the following command:
    shutdown -h now
d. Add new network adapter (only one and then configure)
    Select VMXNET 3 as the adapter type
e. Power on F5
f. ssh to F5, and run
    f5-swap-eth -w
To map the new network interface and MAC address into the BIG-IP system database
    Verify the new network inferface has been successfully added, and verify MAC
    cat /etc/ethmap
  1. Create VLANs Create VLANs for HA, internal, external, and any additional networks that connect to network interfaces.
# For each VLAN, it requires
a. Name, such internal, external, HA
b. IP
c. Mask
d. Interface
    Select the F5 coresponding interface, such as 1.1, 1.2, 1.3, etc
e. Tag
    Select "untagged"
  1. Create Self IPs
# Create self IP (non floating ip), and 
    self IP (floating ip)
a. Create a Self IP for each interface, 1.1, 1.2, 1.3, etc
b. Create self floating IP for each interface, 1.1, 1.2, 1.3, etc
  1. Install the 2nd F5
  2. Configure the 2nd F5 and following step 1) to step 11)
Note:
Need to verify whether required to create self floating IPs for 2nd F5

Useful Commands

# display the MAC address assigned to each interface
tmsh show sys mac-address

tmsh show sys mac-address | grep -i interface

# MAC address assign for trunks
tmsh show sys mac-address | grep -i trunk

# MAC assign for VLANs
F5 store the assign in  vlan.macassignment  database
tmsh list /sys db vlan.macassignment

# display the MAC address assigned to each vlan
tmsh show net vlan

# display the MAC address assigned to each vlan for route domains
tmsh show net route-domain all

KB 15040 - Confgiure and display the management IP for the BIG-IP system
# display the IP address
tmsh list /sys management-ip

# display the management route
tmsh list /sys management-route

# view TMM routes
tmsh show /net route

# show linux routing table - Linux kernel routing table
netsh -rn

# View route in routing 

# Configure management IP
tmsh create /sys management-ip [ip address/netmask]
or
creat /sys management-ip [ip address/prefixlen]

Examples:
create /sys management-ip 192.168.1.254/255.255.255.0
create /sys management-ip 192.168.1.254/24

# configure a default management gateway
create /sys management-route default gateway <gateway ip address>

# save the changes
save /sys config partitions all

# F5 network adapter ordering
# management adapter does not show as 1.x interfacce
network adapter 1 - assign to management adapter
network adapter 2 (1.1)
network adapter 3 (1.2)
network adapter 4 (1.3) - HA

# ********** How to change management IP and gateway ************
1. access F5 console (physical / VM console)
2. login as root
3. run command
    config

# ********* How to change F5 hostname *************
1. ssh to F5 as root
2. Run commands
tmsh modify /sys global-settings hostname <new host name>
    # Note: The hostname need to be FQDN
    tmsh modify /sys global-settings hostname bigip1.example.net
3. Save the configuration
tmsh save /sys config

# How to find out F5 license
config # tmsh /show sys license
config # grep Reg /config/bigip.license

Troubleshooting

Viewing forwarding virtual server connections

You can view forwarding virtual server connections using the TMOS Shell (tmsh):

Impact of procedure: By narrowing the connection table output to a specific virtual server, this procedure should not have a negative impact on your system.

1. SSH to F5
2. Log in to tmsh on the command line by entering the following command:
    tmsh

3. View current virtual server connections by using the following syntax:
    show /sys connection virtual-server <vs name>

For example:
    show /sys connection virtual-server example_forwarding_vs

4. Type q to exit tmsh.

VLANs VLAN Groups and VXLAN

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-11-6-0/4.html

When BIG-IP system with one internal interface connects to an external switch. The switch places the internal interface on three separate VLANs. The interface is configured on each VLAN as a single-tagged interface. In this way, the single interface becomes a tagged member of all three VLANs, and accepts traffic from all three. The configuration on the right is the functional equivalent of the configuration of the left.

#---- Important Implementation -----
           -----------------------
                 F5 System
           -----------------------
                    *
                    *  <----- single interface connection to F5
                    *   (VLAN - vlan trunk)  <--- VMware dvPG-ServerTrunk, configured
                    *                           vlan ID a, vlan ID b, vlan ID c
                    *                            (seperated by ",")
                    *  Important: Each vlan will have a self IP (tagged) in F5
                    *
           --------------------------   <-- External switch (physical switch)
                 *      *        *     OR VMware vdPG-Servers  (virtual distributed port group)
                 *      *        *
                 *      *        *
                 *      *        *
                 *      *        *
          (vlan a)   (vlan b)   (vlan c) 

          Note:
          a. Each vlan ID will be configured with its own virtual distributed port group
            vdPG-vlanA  
                <-- servers that use vlan A will be configured using this vdPG with it network adapter
            vdPG-vlanB  
                <-- servers that use vlan B will be configured using this vdPG with it network adapter
            vdPG-vlanAc 
                <-- servers that use vlan C will be configured using this vdPG with it network adapter
        
          b. Therefore, the servers will be using "untagged" ports in vdPG ports
                                    

Important: If you are connecting another switch into a BIG-IP system interface, the VLAN tag that you assign to the VLAN on the BIG-IP system must match the VLAN tag on the interface of the other switch.

How to configure Active Standby F5

https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-device-service-clustering-administration-14-1-0/creating-an-active-standby-configuration-using-the-setup-utility.html

  1. Create all the required VLANs, including external, internal as many subnet or vlan required for the internal network systems, such as internal servers vlan, internal sub-DMZ vlan, VMware unified access gateway vlan, HA vlan. The F5 management interface does not required vlan.
HA VLAN uses untagged.
  1. Create self IPs that are non-foloating, including external, internal or a self IP for each internal subnet VLAN, HA
  2. Create self IPs that are floating, for external, internal or all internal subnet VLANs
  3. Configure ConfigSync address, select a self IP address.
Do not select a management IP address
  1. Configuring failover and mirroring addresses

Typically, you specify the self IP address for the local VLAN HA, as well as the IP address for the management port of the local device.

When configuring failover and mirroring IP addresses, you select addresses of the local device only. 
Later, during the process of device discovery, the two devices in the device group discover each other's addresses.

a. From the Primary Local Mirror Address list, retain the default value, which is the self IP address for VLAN HA. b. From the Secondary Local Mirror Address list, select the address for VLAN internal.

  1. Discovering a peer device a. Under Standard Pair Configuration, Device xxxxx b. Under Discover Configured Peer Device, click Next c. Under Remote Device Credentials, specify the remote or the other F5 device Management IP address, Administrator Username, and Administrator Password. d. Click Retrieve Device Information.

After the second device has discovered the first device, the two devices have a trust relationship and constitute a two-member device group. Also, each device in the pair contains a default traffic group named Traffic-Group-1. By default, this traffic group contains the floating IP addresses that you defined for VLANs internal and external.

  1. Create traffic group and configure either manual or automatically sync configruation for the traffic group

Create Active Passive Failover F5 Manually

1. Specifying an IP address for config sync
Before configuring the config sync address, verify that all devices in the device group 
    are running the same version of BIG-IP system software.

You must perform this task locally on each device in the device group.

  1. Confirm that you are logged in to the device you want to configure.
  2. On the Main tab, click Device ManagementDevices. This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. Near the top of the screen, click ConfigSync.
  5. From the Local Address list, retain the displayed IP address or select another address from the list.
F5 Networks recommends that you use the default value, 
    which is the self IP address for the internal VLAN. 
    This address must be a non-floating (static) self IP address and not a management IP address.
  1. Click Update.
After performing this task, the other devices in the device group can synchronize their configurations
    to the local device whenever a sync operation is initiated.
2. Specifying an IP address for connection mirroring

You can specify the local self IP address that you want other devices in a device group to use when mirroring their connections to this device. Connection mirroring ensures that in-process connections for an active traffic group are not dropped when failover occurs.

When performing this task, make sure you consider the following:

  1. You must perform this task locally on each device in the device group.
  2. Connection mirroring only functions between devices with identical hardware platforms.
  3. For the VLAN associated with the self IP address that you specify for connection mirroring, make sure that the VLAN's CMP Hash setting is set to the default value. Otherwise, the system cannot establish the HA connection.
# Process
1. Confirm that you are logged in to the device you want to configure.
2. On the Main tab, click Device ManagementDevices.
    This displays a list of device objects discovered by the local device.
3. In the Name column, click the name of the device to which you are currently logged in.
4. Near the top of the screen, click Mirroring.
5. For the Primary Local Mirror Address setting, 
    retain the displayed IP address or select another address from the list.
    Note:
        The recommended IP address is the self IP address for VLAN HA. You can also use VLAN internal.
6. For the Secondary Local Mirror Address setting, retain the default value of None, 
    or select an address from the list.

    This setting is optional. 
        The system uses the selected IP address in the event that the primary mirroring address becomes unavailable.

7. Click Update.
    In addition to specifying an IP address for mirroring, 
    you must also enable connection mirroring on the relevant virtual servers on this device.
3. Establishing device trust

Before you begin this task, verify that:

  1. Each BIG-IP device that is to be part of the local trust domain has a device certificate installed on it.
  2. The local device is designated as a certificate signing authority.

You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.

By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain.

# Process
1. On the Main tab, click Device Management Device TrustDevice Trust Members.
2. Click Add.
3. From the Device Type list, select Peer or Subordinate.
4. Type a device IP address, administrator user name, and administrator password for the remote BIG-IP device 
    with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
    a. If the BIG-IP device is an appliance, <------ This is mostly
        type a management IP address (IPv4 or IPv6) for the device.
    b. If the BIG-IP device is a VIPRION device that is not licensed and provisioned for vCMP, 
        type a primary cluster management IP address (IPv4 or IPv6) for the cluster.
    c. If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, 
        then type a cluster management IP address (IPv4 or IPv6) for the guest.
    d. If the BIG-IP device is an Amazon Web Services EC2 device, 
        type one of the Private IP addresses created for this EC2 instance.
5. Click Retrieve Device Information.
6. Verify that the certificate of the remote device is correct, 
    and then click Device Certificate Matches.
7. In the Name field, verify that the name of the remote device is correct.
8. Click Add Device.

After you perform this task, the local device is now a member of the local trust domain. Also, the BIG-IP system automatically creates a special Sync-Only device group for the purpose of synchronizing trust information among the devices in the local trust domain, on an ongoing basis.

4. Creating a Sync-Failover device group

This task establishes failover capability between two or more BIG-IP devices. If an active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You perform this task on any one of the authority devices within the local trust domain.

Repeat this task for each Sync-Failover device group that you want to create for your network configuration.

# Process
1. On the Main tab, click Device Management -> Device Groups
2. On the Device Groups list screen, click Create.
    The New Device Group screen opens.
3. In the Name field, type a name for the device group.
4. From the Group Type list, select Sync-Failover.
5. In the Description field, type a description of the device group.
6. From the Configuration list, select Advanced.
  1. For the Members setting, select a host name from the Available list for each BIG-IP device that you want to include in the device group, including the local device. Use the Move button to move the host name to the Includes list. The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only. Also, for vCMP-provisioned systems on platforms that contain a hardware security module (HSM) supporting FIPS multi-tenancy, the FIPS partitions on the guests in the device group must be identical with respect to the number of SSL cores allocated to the guest's FIPS partition and the maximum number of private SSL keys that the guest can store on the HSM.
8. From the Sync Type list:
a. Select Automatic with Incremental Sync when you want the BIG-IP system to automatically sync 
    the most recent BIG-IP configuration changes from a device to the other members of the device group. 
    In this case, the BIG-IP system syncs the configuration data whenever the data changes on any device in the device group.
b. Select Manual with Incremental Sync when you want to manually initiate a config sync operation. 
    In this case, the BIG-IP system syncs the latest BIG-IP configuration changes from the device you choose to the other members of the device group. 
    We strongly recommend that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
c. Select Manual with Full Sync when you want to manually initiate a config sync operation. 
    In this case, the BIG-IP system syncs the full set of BIG-IP configuration data from the device you choose to the other members of the device group. 
    We strongly recommend that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  1. In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value.

This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.

  1. For the Network Failover setting, select or clear the check box:

a. Select the check box if you want device group members to handle failover communications by way of network connectivity. This is the default value and is required for active-active configurations.

b. Clear the check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.

Note
    For active-active configurations, you must select network failover, as opposed to serial-cable (hard-wired) connectivity.
  1. In the Link Down Time on Failover field, use the default value of 0.0, or specify a new value.

This setting specifies the amount of time, in seconds, that interfaces for any external VLANs are down when a traffic group fails over and goes to the standby state. Specifying a value other than 0.0 for this setting causes other vendor switches to use the specified time to learn the MAC address of the newly-active device. This setting is a system-wide setting, and does not apply to this device group only. Specifying a value in this field causes the BIG-IP system to assign this value to the global bigdb variable failover.standby.linkdowntime. Click Finished.

5. Syncing the BIG-IP configuration to the device group

This task synchronizes the BIG-IP configuration data from the local device to the devices in the device group. This synchronization ensures that devices in the device group operate properly. When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only.

Important:
    It synchronizes the BIG-IP configuration data from the local device to the devices in the device group.
# Process
1. On the Main tab, click Device Management -> Overview
2. In the Device Groups area of the screen, click the arrow next to the name of the relevant device group.
    The screen expands to show a summary and details of the sync status of the selected device group, 
    as well as a list of the individual devices within the device group.
3. In the Devices area of the screen, choose the device that shows a sync status of Changes Pending.
4. In the Sync Options area of the screen, select Push the selected device configuration to the group.
5. Click Sync.
    The BIG-IP system syncs the configuration data of the selected device to the other members of the device group.

6. Specifying IP addresses for failover communication

You perform this task to specify the local IP addresses that you want other devices in the device group to use for continuous health-assessment communication with the local device. You must perform this task locally on each device in the device group.

The IP addresses that you specify must belong to route domain 0.

  1. Confirm that you are logged in to the device you want to configure.
  2. On the Main tab, click Device ManagementDevices. This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. Near the top of the screen, click Failover Network.
  5. Click Add.
  6. From the Address list, select an IP address.
  7. From the Port list, select a port number.

We recommend using port 1026 for failover communication.

  1. To enable the use of a failover multicast address on a VIPRION platform (recommended), then for the Use Failover Multicast Address setting, select the Enabled check box.
  2. If you enabled Use Failover Multicast Address, either accept the default Address and Port values, or specify values appropriate for the device.

If you revise the default Address and Port values, but then decide to revert to the default values, click Reset Defaults.

  1. Click Finished.

How to force a BIG-IP Device to Standby or make a Device Active

https://support.f5.com/csp/article/K48443194

# Recommended Actions
1. Log into the Configuration utility of the  Active BIG-IP.
2. Go to Device Management.
3. Click on Devices.
4. Select the device that ends in Self.
5. Scroll down to the bottom of the page.
6. Select the button that says Force to Standby.
7. Verify that the device now shows ONLINE (Standby) and the peer shows ONLINE (Active).

Using tmsh commands

# Forcing an active device into standby mode
1. Log in to tmsh on the command line of the active device by entering the following command:
    tmsh

2. Force the device into standby mode by entering the following command:
    run /sys failover standby

3. The command prompt shows the failover status; 
    however, you can verify the status by using one or both of the following commands:
    show /cm traffic-group
    show /sys failover

4. Enter q to exit tmsh
Troubleshooting Network Connections

https://techdocs.f5.com/kb/en-us/products/arx/manuals/product/arx-cli-maintenance-6-3-0/troubleshootnet.html

Access F5 via putty or console, then enter tmsh Troubleshooting the network connections:

  1. PING

Using source-address to ping from the specific interface ping destination-ip source source-ip count number

Example ping 10.53.2.10 source 10.50.20.110 count 4

  1. Verify the status of the interface

    show interface show interface mgmt

  2. Verify routing

    show ip route

  3. Using traceroute

You can use the expect traceroute command to show each IP-router hop between the NSM and a given IP address. Like ping, the expect traceroute command is accessible from any mode: expect traceroute destination-address [timeout seconds]

where

destination-address is the IP-address for the traceroute, and timeout seconds (optional, 1-2096) limits the time for the traceroute process. If a hop is unreachable, the command outputs asterisks (*) until you interrupt it or it times out. Use Ctrl+C to interrupt the expect traceroute command. The packet starts at an inband (VLAN) management interface.

F5Host# expect traceroute 192.168.25.19

  1. ttcp

The program ttcp (Test TCP) is a utility for measuring network throughput, popular on Unix systems. It measures the network throughput between two systems using the TCP or optionally UDP protocols.

  1. PING an IP address

By default, the source IP is calculated based on the originating processors routing table. There are three types of internal IP addresses that you can use as sources for ping: proxy IPs, Virtual IPs, and management IPs. The network processors use proxy-IP addresses to communicate with servers. Use the show ip proxy-addresses command (see Showing all Proxy IPs) to list all proxy-IP addresses. Each network processor is assigned its own proxy-IP.

# List all proxy ip address
    show ip proxy-addresses

The network processors use virtual-IP (VIP) addresses to communicate with clients. Use the show global server command to list all VIPs.

# List virtual ip addresses (VIP)
    show global servers

There are two types of management interface: one in-band interface for each VLAN and one out-of-band (OOB) management interface. Use the show interface vlan command to list all VLAN-management interfaces.

# List all VLAN-management interfaces
    show interfaces vlan

    show interface mgmt

If you set a source IP without setting the source processor, the source IP determines the processor.

    ping ip-address [from slot.processor] source source-address [count number]
  1. Show routing table
    show ip route

    expect traceroute <ip-address>
  1. Testing Throughput with TTCP
    expect ttcp transmit <ip-address>

# Find the private subnet for the server switch
    show ron route

Troubleshooting from the field

tcpdump -ni any | grep 192.168.0.5      # view and traffic with the required ip address
netstat -ltu        # listening tcp and upd traffic
ss -ltu

# view the management ip
tmsh list /sys management-ip
tmsh list /sys management-route

# view all existing tmm routes
tmsh show /net route   
netsh -rn   # Linux kernel routing table
ip route show table main    # view routes in routing table

tcpdump -i eth0     # capture management traffic
tcpdump -i 0.0      # capture all other TMM interface traffic, exclude management

# Filter icmp on management eth0
tcpdump -ni eth0 '!p[q]==1'

# Show any traffic on network
tcpdump -ni eth0 net <network>      # Example,  tcpdump -ni eth0 net 1.2.3.0

# view ntp update status
ntpq -np        # ntpq query


# Troubleshooting network connectivity betweenn F5 and test VM
tcpdump -ni eth0 net 10.1.1.0   # When ping from F5 to the test VM
tcpdump -ni 0.0 net 10.1.1.0    # when ping from test VM to F5 interface

# verify routing
tmsh list /net route    # view tmm route
tmsh list /sys management-route     # verify management route
netstat -rn             # show both tmm & management route


How to create subpath VIP

When request sends to F5 VIP, depends on the subpath in the request, the traffic can be sent to required pool.

1. Create required pools
Create the pool with members listening on the required subpath

2. Create iRule for subpath
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/subpath1" }
        pool subpath1_pool
    } elseif { [HTTP::uri] starts_with "/subpath2" }
        pool subpath2_pool
}

3. Create VIP with no default pool, and add the newly create subpaths iRule

Check persistent pofile

# list persistent profiles
ltm persistent 
    list        # ist all persistent profile

# create SafeQ ySoft source address persistent profile
ltm persistent source-adr SafeQ-source-addr-persistence {
    app-service     none
    default-from    source_addr
    match-across-services   enabled
    match-across-virtuals   enabled
    timeout     1800
}

iRule

https://clouddocs.f5.com/api/irules/

Welcome to the iRules wiki! An iRule is a powerful and flexible feature within the BIG-IP® local traffic management (LTM) system that you can use to manage your network traffic. The iRulesTM feature not only allows you to select pools based on header data, but also allows you to direct traffic by searching on any type of content data that you define. Thus, the iRules feature significantly enhances your ability to customize your content switching to suit your exact needs.

# the testing has been carried out by configuring the iRule, to accept TCP port between 21 and 9100
when CLIENT_ACCEPTED {
    if { ( [TCP::local_port] >= 21 && [TCP::local_port] <= 9100 ) } {
       return }
    else reject
}

Migrate virtual F5 to cross Single Sign On (SSO) vCenter or Failover between vSphere Cluster

When failover active F5 to standby F5 cross vSphere cluster, or migrate F5 to cross SSO vCenter, the distribute port groups which F5 self-IP and virtual servers IP are attached to need to change the Security settings, otherwise the commuication between active and passive F5 will fail, or the virtual IP (VIP) will fail.

# How to update or configure the distribute port group settings
1. Access the vSphere distributed port group, then edit the configuration
2. Navigate to Security, and update the settings
    a. Promiscuous Mode     Accept      (Default is Reject)
    b. MAC Address change   Reject
    c. Forged Transmits     Accept      (Defaujlt is Reject)

How to create node using ltm command

1. SSH to the active F5
2. Enter tmos config mode
    [root@bigip-lab:Active] config tmsh     # enter tmsh configuation mode to enter GUI tmsh configuration
    [root@bigip-lab:Active] tmsh

# Method 1 - Enter ltm config mode
1. Enter ltm
    root@bigip-lab(Active)(tmos) ltm             # enter ltm configuration
2. Create node, syntax
        create node <ip-address> [node-name]
    root@bigip-lab(Active)(tmos.ltm) create node 10.10.10.1 [labdc01.test.lab]
3. Verify the newly created node
    root@bigip-lab(Active)(tmos.ltm) list node 10.10.10.1

# Method 2 - Run ltm command in tmsh mode
1. Create node, syntax
        create ltm node <ip> [node-name]
    root@bigip-lab(Active)(tmos) create ltm node 10.10.10.2 [labdc02.test.lab]
2. Verify the newly created node
    root@bigip-lab(Active)(tmos) list ltm node 10.10.10.1

## Methods 3 - Create multiple nodes one line code, using the ; to separate the commands
# In ltm config
    root@bigip-lab(Active)(tmos.ltm) create node 10.10.10.1 [labdc01.test.lab] ; create node 10.10.10.2 [labdc02.test.lab]
b. In tmsh config
    root@bigip-lab(Active)(tmos) create ltm node 10.10.10.2 [labdc02.test.lab] ; create ltm node 10.10.10.2 [labdc02.test.lab]

List and create the pools, nodes and virtual servers - commands

List nodes, pool, virtual server

To verify or list the existing F5 configuration

1. ssh to active F5
2. Enter tmsh mode
    [root@labf5:Active: In Sync]# tmsh
3. Enter ltm configuration mode
    root@(labf5)(cfgsync In Sync) (Active)(tmos)# ltm
4. list nodes
    root@(labf5)(cfgsync In Sync) (Active)(tmos.ltm) list node TAB      # Press TAB
    root@(labf5)(cfgsync In Sync) (Active)(tmos.ltm) list node | grep <node-name*>
            # To list nodes starts with "node-name"
    root@(labf5)(cfgsync In Sync) (Active)(tmos.ltm) list node      # and press ENTER, to list the nodes details

5. list pools
    root@(labf5)(cfgsync In Sync) (Active)(tmos.ltm) list pool TAB      # Press TAB
    root@(labf5)(cfgsync In Sync) (Active)(tmos.ltm) list pool | grep <pool-name*>
            # To list nodes starts with "pool-name"
    root@(labf5)(cfgsync In Sync) (Active)(tmos.ltm) list pool      # and press ENTER, to list the pool details

5. list virtual or virtual servers
    root@(labf5)(cfgsync In Sync) (Active)(tmos.ltm) list virtual TAB      # Press TAB
    root@(labf5)(cfgsync In Sync) (Active)(tmos.ltm) list virtual | grep <virtual-name*>
            # To list nodes starts with "virtual-name"
    root@(labf5)(cfgsync In Sync) (Active)(tmos.ltm) list virtual      # and press ENTER, to list the virtual details

Create nodes

1. ssh to active F5
2. Enter tmsh mode
    [root@labf5:Active: In Sync]# tmsh
3. Enter ltm configuration mode
    root@(labf5)(cfgsync In Sync) (Active)(tmos)# ltm
3. List nodes
    root@(labf5)(cfgsync In Sync) (Active)(tmos.ltm) list node TAB      # Press TAB
4. Create node or node
a. Create a single node, syntax
    create node <nodename> address <ip-address> description [Description of node]
        Note:   
            i. description need to be enclosed in [ ]  bracket
            ii. description is optional
    create node dc01.lab.local address 10.10.10.1 description [lab dc01]

    # To create multiple nodes - one line
    create node dc01.lab.local address 10.10.10.1 ; create node dc02.lab.local address 10.10.10.2

Create ltm pools

# Enter tmsh config
    [root@labf5:Active: In Sync]# tmsh
# list ltm pools
    root@(labf5)(cfgsync In Sync) (Active)(tmos)# list ltm pool SPACE TAB      
        # list all virtual server and its configuration
        # press SPACE bar after pool, and press ENTER
        # This will list all pool name without detail configuration
    root@(labf5)(cfgsync In Sync) (Active)(tmos)# list ltm virtual | grep safe*     # only list virtual server start with "safe"

# Create ltm pool
    create ltm pool safeQ_5024_pool load-balancing-mode round-robin
        monitor gateway_icmp        # enter the valid monitor method, example gateway_icmp if exist
        members add { spoc01.test.lab:5024 { address 10.10.10.10} spoc02.test.lab:5024 { 10.10.10.101} }

Create ltm virtual server

# Enter tmsh config
    [root@labf5:Active: In Sync]# tmsh

# List ltm virtual servers
    root@(labf5)(cfgsync In Sync) (Active)(tmos)# list ltm virtual SPACE TAB
    root@(labf5)(cfgsync In Sync) (Active)(tmos)# list ltm virtual | grep safe*     # only list virtual server start with "safe"
# Create ltm virtual server - one line
    creat ltm virtual safeQ_5024_vs source 0.0.0.0/0 destination 10.255.0.10:5024 ip-protocol tcp
        mask 255.255.255.255 pool safeQ_5024_pool
        source-address-translation { type automap }
        translate-address enabled
        translate-port enabled