Big-IP F5 References

Author: Jackson Chen
K93100324 - BIG-IP LTM-DNS operations guide - BIG-IP LTM virtual servers

https://support.f5.com/csp/article/K93100324

A Forwarding (IP) virtual server forwards packets directly to the destination IP address specified in the client request. It uses the routing table to make forwarding decisions based on the destination address for the server-side connection flow. Also, it has no pool members to load balance.

You can use a Forwarding (IP) virtual server to forward IP traffic in the same way as any other router. To enable stateless forwarding, you have to set FastL4 profile options on the virtual server.

You can also define specific network destinations and source masks for virtual servers and/or enable them only on certain VLANs. This allows precise control of how network traffic is handled when forwarded.

For example, you can use a wildcard virtual server with Source Address Translation enabled for outbound traffic, and then add an additional network virtual server with Source Address Translation disabled for traffic destined for other internal networks. Or you can use a Performance (Layer 4) virtual server to select certain traffic for inspection by a firewall or IDS.

However, if you use a Performance (Layer 4) virtual server type, ensure that Translate address and Translate port options are disabled. These options are automatically disabled when a virtual server is configured with a network destination address.

K7595 - Overview of IP forwarding virtual servers

https://support.f5.com/csp/article/K7595

K10371011 - Overview of the Forwarding (Layer 2) virtual server

https://support.f5.com/csp/article/K10371011

VLANs, VLAN Groups and VXLAN

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-13-1-0/5.html

F5 Inter VLAN Routing and Forwarding

Question relates to the basic functionality of the F5s when used with Layer 2 VLANs. Here’s the configuration I have to which the following questions relate:

Remote clients (network 1.1.1.0) -> Firewall -> (Layer 2 VLAN 1) -> F5 -> (Layer 2 VLAN 2) -> Servers (network 2.2.2.0) 

The remote clients target the VIP address configured on VLAN 1. The F5 then load balances to the servers situated on VLAN 2.

On the client -> server leg, the destination IP address is changed to one of the server addresses (network 2.2.2.0), as a function of load balancing, when exiting the F5 at VLAN 2. As no SNATs are in use here, does the source address of the outbound packet also get changed to an F5 interface address or does it remain as set by the originating client (network 1.1.1.0)? I’m assuming that in the absence of SNAT, the source addresses should remain unchanged, as is typically the case with IP.

On the server -> client leg (return journey), and assuming the source address was not changed at the F5 on the inbound leg, how will the F5 forward traffic between VLANs 1 and 2? I’ve read a little about IP and MAC Forwarding VSs, but only in the context of the inbound traffic, where specific servers are to be targeted. Static routes may also be the answer to forward traffic destined for network 1.1.1.0 that originates at the server network 2.2.2.0, though I’d prefer not to treat the F5 as a router.

Answer to the question about F5 VLAN routing and forwarding

Yes, the source IP for the server side connection will be the client IP if no SNAT is used. This creates a connection table entry. Assuming the device has a Self IP in VLAN1 and VLAN2, it'll route between the two just like a router, as long as a Virtual Server or NAT/SNAT has been created to handle the traffic.

You only need a routing/forwarding VS if you want to route traffic not handled by a VS.

For packets back to the client, the reverse occurs with everything changed back based on the connection table entry. Note that although it's easier to think of it that way no NAT or PAT is occurring. The client connection is terminated and a new one created server-side, with a different destination address and possibly port.

Note that as long as Auto Last Hop is enabled (which is the default) the return packets are sent to the originating MAC address. No route lookup is done.

This all applies whether the client is on a VLAN configured on the F5 or ten hops away.

K13876 - Overview of the Auto Last Hop setting (11.x - 17.x)

For most network configurations, Auto Last Hop is enabled by default. F5 strongly recommends that you leave Auto Last Hop enabled unless you have a specific reason for disabling it.

F5 Routing

https://www.kareemccie.com/2017/05/f5-deployment-methods.html

1. Linux Routing Table
a. Used for forwarding the management traffic through the management interface
b. The routes stored in the Linux routing table are called the Management routes

2. TMM Routing Table
a. Used for forwarding the application traffic, as well as management traffic, through the TMM interfaces
b. The routes used to forward traffic through TMM interfaces are called the TMM routes
c. TMM routes can be present in the Linux routing table as well as in the TMM routing table.

Question: Which routing table does the F5 choose when forwarding and receiving traffic?
1. Basically, the BIG-IP routing table is a combination of the Management (Linux) routing table and the TMM routing table
2. The routes in the TMM routing table are configured with metric values lower than the routes in the management routing table
3. If the same route is present in both the TMM routing table and the Management routing table,
    then the route in the TMM routing table is chosen due to its lower metric

We need to understand that
a. Traffic that arrives via an F5 Self IP address uses the TMM routing table
b. Traffic that arrives via the management interface uses the Management routing table

The BIG-IP system falls back to the management routes only when no matching route is present in the TMM routing table.


Note:
NTP, SNMP, syslog, sFlow and remote authentication will always use the management default route,
unless a TMM interface has layer 2 connectivity to the IPs of those services,
or you have a more specific route defined in TMM.
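A small model of the route selection described above, added here as an illustration and not F5 code: the prefixes, metrics and table names are constructed. It applies longest-prefix match first and uses the lower TMM metric only to break ties, and also shows why traffic falls back to the management default route until a TMM default route is defined.

```python
from ipaddress import ip_address, ip_network

# Constructed sample routes, not taken from a real BIG-IP: (destination, metric, table).
# TMM routes get metric 0 and management routes metric 1, illustrating the
# note that TMM routes carry the lower metric.
ROUTES = [
    ("0.0.0.0/0",    1, "mgmt"),  # management default route
    ("10.0.0.0/8",   1, "mgmt"),  # management route to a lab network
    ("10.0.0.0/8",   0, "tmm"),   # same prefix also present as a TMM route
    ("192.0.2.0/24", 0, "tmm"),   # VLAN directly connected through a self IP
]

def lookup(dst, routes=ROUTES):
    """Return (prefix, table) of the route chosen for dst, or None if nothing matches."""
    addr = ip_address(dst)
    matches = [(ip_network(p), m, t) for p, m, t in routes if addr in ip_network(p)]
    if not matches:
        return None
    # Longest prefix wins, as on any IP router; the metric only breaks ties,
    # which is where the identical TMM / management prefix is resolved.
    net, _, table = max(matches, key=lambda r: (r[0].prefixlen, -r[1]))
    return str(net), table

def with_tmm_default(routes=ROUTES, prefix="0.0.0.0/0"):
    """Same table after an administrator adds a TMM default route."""
    return routes + [(prefix, 0, "tmm")]

if __name__ == "__main__":
    for dst in ("10.1.2.3", "192.0.2.10", "203.0.113.5"):
        print(dst, "->", lookup(dst), "| with TMM default:", lookup(dst, with_tmm_default()))
```
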

K99422936 - How virtual servers use routes

The BIG-IP system contains two sets of routing tables:

  1. The Linux routing tables, for routing administrative traffic through the management interface
  2. A special TMM routing table, for routing application and administrative traffic through the TMM interfaces

As a BIG-IP administrator, you can configure the system so that the BIG-IP system can use these routing tables to route both management and application traffic successfully.

How to add static route

Before adding a route, if the IP addresses in the route pertain to any route domains, verify that the relevant route domains are present on the system.

Perform this task when you want to explicitly add a route for a destination that is not on the directly-connected network. Depending on the settings you choose, the BIG-IP system can forward packets to a specified network device (such as a next-hop router or a destination server), or the system can drop packets altogether.

1. On the Main tab, click Network > Routes .
2. Click Add.
    The New Route screen opens.
3. In the Name field, type a unique user name.
    This name can be any combination of alphanumeric characters, including an IP address.
4. In the Description field, type a description for this route entry.
    This setting is optional.
5. In the Destination field, type either the destination IP address for the route, 
    or IP address 0.0.0.0 for the default route.

This address can represent either a host or a network. 
Also, if you are using the route domains and the relevant route domain is the partition default route domain, 
you do not need to append a route domain ID to this address.

6. In the Netmask field, type the network mask for the destination IP address.
7. From the Resource list, specify the method through which the system forwards packets:

Option          Description
----------------------------------------------------------
Use Gateway
    Select this option when you want the next hop in the route to be a network IP address.
    This choice works well when the destination is a pool member on the same internal network as this gateway address.
Use Pool
    Select this option when you want the next hop in the route to be a pool of routers instead of a single next-hop router.
    If you select this option, verify that you have created a pool on the BIG-IP system, with the routers as pool members.
Use VLAN/Tunnel
    Select this option when you want the next hop in the route to be a VLAN or tunnel.
    This option works well when the destination address you specify in the routing entry is a network address.
    Selecting a VLAN/tunnel name as the resource implies that the specified network is directly connected to the BIG-IP system.
    In this case, the BIG-IP system can find the destination host simply by sending an ARP request to the hosts in the specified VLAN,
    thereby obtaining the destination host’s MAC address.
Reject
    Select this option when you want the BIG-IP system to reject packets sent to the specified destination.

8. In the MTU field, specify in bytes a maximum transmission unit (MTU) for this route.
9. Click Finished.

After you perform this task, a static route is defined on the BIG-IP system with IP addresses that can pertain to one or more route domains.

You should define a default route for each route domain on the system. Otherwise, certain types of administrative traffic that would normally use a TMM interface might instead use the management interface.

Commands on F5 LTM to verify routing

a. To check the routing table: tmsh show /net route
b. To check the configured static routes: tmsh list /net route
c. To check the management route: list /sys management-route
d. To check the Management Interface IP address: list /sys management-ip

Useful F5 commands

To check BIG-IP version: tmsh show /sys version
To check BIG-IP hardware and serial number: tmsh show /sys hardware
To check self IP address: tmsh show sys self-ip
To check Persistence Records: tmsh show ltm persistence persist-records
To check failover status: tmsh show /sys failover
To check interface status: tmsh show /net interface
To check CPU status: tmsh show /sys cpu

ntp

bigstart stop ntpd
bigstart start ntpd
ntpq -np    # query ntp with peer

list listening ports

ss -ltu     # better result
netstat -ltu

F5 HTTP profile - X-Forwarded-For

When using connection pooling, which allows clients to make use of existing server-side connections, you can insert the X-Forwarded-For header with the client IP address into a request. When you configure the BIG-IP system to insert this header, the target server can identify the request as coming from a client other than the client that initiated the connection.

http-xft

# http-xft profile settings
Settings
    insert X-Forwarded-For : Enabled
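Added example (not F5 code) of how a server behind the BIG-IP should read the inserted header: because a client can send its own X-Forwarded-For, only the entry the BIG-IP itself adds is trustworthy, and only when the connection actually comes from the BIG-IP. It assumes the BIG-IP's server-side address is 10.20.0.5 (a constructed value) and that the inserted client address ends up as the last X-Forwarded-For entry.

```python
from ipaddress import ip_address

# Constructed sample value: the self IP / SNAT address the BIG-IP uses on the
# server-side connection. On a real deployment take this from the LTM config.
TRUSTED_PROXIES = {ip_address("10.20.0.5")}

def client_ip(peer_addr, headers):
    """Return the client address a backend should log or authorise on.

    peer_addr: source IP of the TCP connection that delivered the request.
    headers:   list of (name, value) pairs, in the order they were received.
    """
    peer = ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        # Not from the BIG-IP: anything in X-Forwarded-For was set by the
        # client itself, so ignore it.
        return str(peer)
    # Collect every X-Forwarded-For value; the proxy's entry is the last one,
    # whether it was appended to an existing header or added as a new header.
    hops = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            hops.extend(h.strip() for h in value.split(",") if h.strip())
    if not hops:
        return str(peer)
    try:
        return str(ip_address(hops[-1]))
    except ValueError:
        # Malformed last entry: fall back to the connection address rather
        # than trusting a value we cannot parse.
        return str(peer)
```
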

F5 HTTP profile

https://my.f5.com/manage/s/article/K40243113

How to enter tmos.ltm

To configure F5 using command interface and commands, enter tmsh config mode, and run ltm commands.

1. SSH to the active F5
2. Enter config mode
    [root@bigip-lab:Active] config tmsh     # enter tmsh configuration mode - using GUI configuration
    [root@bigip-lab:Active] tmsh    <----- using this command
3. Enter ltm
    root@bigip-lab(Active)(tmos)#  ltm             # enter ltm configuration
4. To see all available commands
    root@bigip-lab(Active)(tmos.ltm)# TAB       # press "tab" key

How to see or verify the ltm nodes, pools and virtual servers

# Once in ltm configuration, enter "list" and press TAB key to see what can be listed
    root@bigip-lab(Active)(tmos.ltm)# list "tab"    # to see list options
    Options:
    all-properties  current-module  no-default-properties  one-line     recursive

    Modules:
    /   /cm     /sys    /ltm        # and many more

    Components:   # below are some of the options
    default-node-monitor    nat     virtual-address     node        snat       virtual  
    policy      rule      

Verify nodes

1. To see all the nodes, pool and virtual server in one-line output
    root@bigip-lab(Active)(tmos.ltm)# list one-line         # when prompt to display all (y/n), press y

2. To list all ltm monitor
    root@bigip-lab(Active)(tmos.ltm)# list monitor      # press ENTER
            Note:   it will show individual monitor configuration, for all monitors

3. To see the nodes 
a. without seeing the detail node configuration
    root@bigip-lab(Active)(tmos.ltm)# list node "tab"    # press Tab key

b. see detail node configuration
    root@bigip-lab(Active)(tmos.ltm)# list node     # press ENTER

c. To see/filter required nodes, using "grep", example
    root@bigip-lab(Active)(tmos.ltm)# list node | grep Lab*     # filter only lab node
     root@bigip-lab(Active)(tmos.ltm)# list node | grep Lab      # without "*" wildcard

d. To see individual node configuration
    root@bigip-lab(Active)(tmos.ltm)# list node <node-name/ip>  
             # if node has name, then use node name, otherwise using node-ip

Verify pools

# To see pools
a. without seeing the detail pool configuration
    root@bigip-lab(Active)(tmos.ltm)# list pool "tab"    # press Tab key

b. To see all pool and their detail configuration
    root@bigip-lab(Active)(tmos.ltm)# list pool "ENTER"     # press ENTER

c. To filter required pools, using "grep"
    root@bigip-lab(Active)(tmos.ltm)# list pool | grep safe*    # list pools contains "safe"

d. To see detail configuration of individual pool
    root@bigip-lab(Active)(tmos.ltm)# list pool <pool-name>
    root@bigip-lab(Active)(tmos.ltm)# list pool safeQ_4096_pool     # example

Verify virtual address or virtual servers

# To see all virtual servers or virtual-address
a. To see all virtual address without detail configuration, using "tab" key
    root@bigip-lab(Active)(tmos.ltm)# list virtual-address TAB      # press TAB key

b. To see all virtual servers without seeing the detail configuration
    root@bigip-lab(Active)(tmos.ltm)# list virtual SPACE TAB
        Note:
            i. Need to press SPACE after "virtual", because there are both "virtual" and "virtual-address"
            ii. After pressing SPACE, press the TAB key

c. To see the detail configuration of individual virtual server
    root@bigip-lab(Active)(tmos.ltm)# list virtual <virtual-server-name>
         root@bigip-lab(Active)(tmos.ltm)# list virtual safeQ_4096_vs    # example

Other useful command - In tmsh mode

1. ssh to active F5
2. Enter tmsh mode
   root@bigip-lab(Active)# tmsh

## *** Using "show" command --- in tmsh mode ---
# list all ltm sys ip address with detail of individual configuration
root@bigip-lab(Active)(tmos)# show sys ip-address | grep ltm*

# list / show all ltm nodes
root@bigip-lab(Active)(tmos)# show ltm node SPACE TAB
    # press SPACE bar after "node" and then press TAB to list all ltm node names

# list / show all ltm pools
root@bigip-lab(Active)(tmos)# show ltm pool SPACE TAB
    # press SPACE bar after "pool" and then press TAB to list all ltm pool names

# list / show all ltm virtual servers
root@bigip-lab(Active)(tmos)# show ltm virtual SPACE TAB
    # press SPACE bar after "virtual" and then press TAB to list all ltm virtual server names

# Show/list login users
    root@bigip-lab(Active)(tmos)# show auth

# Show failover configuration
    root@bigip-lab(Active)(tmos)# show cm

# show network information, including 
    root@bigip-lab(Active)(tmos)# show net
        a. Routes
        b. Arp      # Arp table
        c. Net interface        # including self-ip and floating ips
        d. IPsec
        e. Interface Bits In (G) / Bits Out (B) / Pkts In / Pkts Out / Error

# Show system configuration
    root@bigip-lab(Active)(tmos)# show sys

# show apm  (authentication)

# Show F5 version
    root@bigip-lab(Active)(tmos)# show cli

Other useful command - In tmsh.ltm mode

1. ssh to active F5
2. Enter tmsh mode
   root@bigip-lab(Active)# tmsh
3. Enter ltm config
   root@bigip-lab(Active)(tmos)# ltm

4. Type "show" to list options
   root@bigip-lab(Active)(tmos.ltm)# show SPACE TAB     # Press SPACE, then press TAB