f5-ltm ess wbt labguide16 20101217

Upload: mike

Post on 01-Jun-2018


    BIG-IP® LTM Essentials Web-Based Training Lab Guide – © 2010 F5 Networks, Inc. 

    F5 Networks Training

    BIG-IP® LTM V10 Essentials

    Web-Based Training Lab Guide

    12 / 17 / 2010


    BIG-IP® LTM V10 Essentials

    Web-based Training Student Lab Guide

    Third Printing December 2010 

    This Lab Guide was written for BIG-IP® LTM version 10.2.0. The lecture portions of the LTM Essentials web-based training were written for version 10.0.1. Because F5 feels it is important to perform the hands-on labs on a current version of BIG-IP, the Lab Guide is updated more frequently than the lecture portions. Most of the concepts discussed in the lecture portion and lab steps in the lab guide apply to previous versions of BIG-IP LTM.

    © 2010, F5 Networks, Inc. All rights reserved. 

    Support and Contact Information

    Obtaining Technical Support

    Web tech.f5.com (Ask F5)

    Phone (206) 272-6888

    Email (support issues) [email protected]

    Email (suggestions) [email protected]

    Contacting F5 Networks

    Web www.f5.com

    Email [email protected] & [email protected]

    F5 Networks, Inc.
    Corporate Office
    401 Elliott Avenue West
    Seattle, Washington 98119
    T (888) 88BIG-IP
    T (206) 272-5555
    F (206) 272-5557
    [email protected]

    F5 Networks, Ltd.
    United Kingdom
    Chertsey Gate West
    Chertsey Surrey KT16 8AP
    United Kingdom
    T (44) 0 1932 582-000
    F (44) 0 1932 582-001
    [email protected]

    F5 Networks, Inc.
    Asia Pacific
    5 Temasek Boulevard
    #08-01/02 Suntec Tower 5
    Singapore, 038985
    T (65) 6533-6103
    F (65) 6533-6106
    [email protected]

    F5 Networks, Inc.
    Japan
    Akasaka Garden City 19F
    4-15-1 Akasaka, Minato-ku
    Tokyo 107-0052 Japan
    T (81) 3 5114-3200
    F (81) 3 5114-3201
    [email protected]


    Legal Notices

    Copyright

    Copyright 2010, F5 Networks, Inc. All rights reserved.

    F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

    Trademarks

    F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Acopia, Acopia Networks, Application Accelerator, Ask F5, Application Security Manager, ASM, ARX, Data Guard, Enterprise Manager, EM, FirePass, FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, Internet Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity, Secure Access Manager, SAM, SSL Accelerator, SYN Check, Traffic Management Operating System, TMOS, TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WANJet, WebAccelerator, and ZoneRunner are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

    Patents

    This product is protected by U.S. Patent[s] 6,374,300; 6,473,802; 6,970,933; 7,051,126; 7,102,996; 7,146,354; 7,197,661; 7,206,282; 7,287,084. Other patents pending.

    Export Regulation Notice

    This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

    RF Interference Warning

    This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

    FCC Compliance

    This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

    Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

    Canadian Regulatory Compliance

    This Class A digital apparatus complies with Canadian ICES-003.

    Standards Compliance

    This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.


    Table of Contents

    Lab Instructions
        Connecting to the F5 Training Lab Environment
        The F5 Training Lab Network
        F5 Training Lab limitations

    Lab 1: Initial Setup
        Lab – Setup Utility
        Lab – Configuration Utility
        Lab – Configuration Backup

    Lab 2: Traffic Processing
        Lab – Virtual Servers - Pools
        Lab – Network Map

    Lab 3: Load Balancing
        Labs – Ratio Load Balancing
        Labs – Priority Group Activation

    Lab 4: Monitors
        Lab – Monitors for Nodes
        Lab – Monitors for Pools and Members Lab #1 and 2

    Lab 5: Profiles
        No Lab for this Course Module

    Lab 6: Persistence
        Lab – Source Address Persistence
        Lab – Cookie Persistence
        Lab – Disabled Members

    Lab 7: SSL Termination
        Lab – Client SSL Termination

    Lab 8: NATs and SNATs
        Lab – NAT Lab
        Labs – SNAT Labs

    Lab 9: iRules
        Labs – iRules Lab #1
        Labs – iRules Lab #2

    Lab 10: Redundant Pair setup
        Lab – Redundant Pair Setup
        Lab – Setup of BIG-IP #2
        Lab – Synchronization

    Lab 11: High Availability
        Lab – Network Failover
        Lab – Connection Mirroring
        Lab – Persistence Mirroring

    Configuration Lab Project
        Lab – Configuration Project

    Appendix A – F5 Networks Products
        F5 Networks Product Suite

    Appendix B – Additional Topics
        F5 Networks Support and Documentation
        Installation Information

    Appendix C – Other F5 Networks Training Courses
        F5 Networks Instructor Led Courses


    Introduction

    Welcome to the BIG-IP LTM Essentials Web-Based Training Course Student Lab Guide. The purpose of the BIG-IP LTM Essentials course is to introduce the basic information you need to set up and operate the BIG-IP Local Traffic Manager (LTM) from F5 Networks. The purpose of this Lab Guide is to provide all the information and exercises you need to work directly with a BIG-IP LTM system and solidify the concepts you have learned in the associated Web-based training modules.

    The hands-on lab exercises included in this course are critically important to your learning. These exercises are especially helpful if you can do them as soon as possible after completing the associated training module. Therefore, we recommend the following approach when taking this course:

    •  Before beginning a module, register for lab time.

    •  Work through the training module as close to the start of your lab time as possible.

    •  After completing the training module, move into the lab exercises. Be sure to complete the entire exercise, including the review questions at the end.

    There are eleven modules in this course, each one taking approximately thirty minutes to complete. To complete the entire course, including modules and labs, will take you about fourteen hours.

    In addition to the lab exercises, this guide contains other useful information.

    •  Appendix A provides some background information on F5 Networks and its products.

    •  Appendix B explains the various customer support resources that are available. We highly recommend that you review this listing. You may find some of these resources to be very valuable while working your way through this course.

    •  Appendix C contains an informative list of other training courses available from F5 Global Training Services. After completing this introductory course, you may want to enroll in one or more of these classes to gain a deeper understanding of BIG-IP LTM.

    We hope you enjoy learning with these lab exercises!


    Lab Instructions

    Connecting to the F5 Training Lab Environment

    PLEASE NOTE: This lab is not a test environment and is strictly for use by students taking the BIG-IP LTM Essentials Web-Based Training (WBT) course. Your user ID will be time limited and you will be cut off after so many hours of connect time.

    1.  After logging in to F5 University, select the link for F5 Training Lab as shown to the right.

    2.  You should now be at the Lab web page where you downloaded this Lab Guide.

    3.  Select the link for Lab registration.

    4.  When prompted, enter your email, first and last names and then Launch Lab. You will be placed into your own F5 Training Lab environment.

    5.  Your lab environment will take a couple minutes to initialize. Notice the message at top of screen that says “Your environment is X% ready”.

    6.  The first time you connect you will need to install the Cloudshare plug-in and may need to enable pop-ups for it to install. This is a first-time only install.


    1.  Each lab starts assuming an un-configured BIG-IP and then instructs you to restore a UCS backup file that was captured at the end of the previous lab.

    2.  If during your lab time you wish to revert back to this un-configured state you may do so by selecting Actions and then Revert Now.

    3.  Rather than restoring UCS files at the beginning of each new lab you may also work straight through all the labs. From an instructional angle, F5 recommends doing the Module WBT, then the lab for that Module. Then the next Module WBT and its corresponding lab.

    4.  Also, you can only enter the F5 Training Lab environment from the links within F5 University (i.e. the graphic to the right).

    5.  When ready to leave the F5 Training Lab Environment, use the Logout button in the upper right corner of the screen shown below.


    The F5 Training Lab Network

    1.  You will be connected to a Windows virtual machine that will be used to administer your BIG-IP and as the client machine to drive traffic through BIG-IP LTM.

    2.  Your Windows virtual machine has both a 192.168.1.30/24 and a 10.10.1.30/16 IP Address configured for the lab network shown below.

    3.  There is already a Management IP Address set on your BIG-IP to 192.168.1.245/24, and we will set up the other 10.10 External and 172.16 Internal IP Addresses in Lab #1.

    4.  There are also three servers configured at 172.16.20.1, 172.16.20.2 and 172.16.20.3. You will not be able to access these servers directly from your Windows client machine but these are the servers to which we will load balance traffic starting in Lab #2.


    F5 Training Lab limitations

    1.  The F5 Training Lab is running in a virtual lab environment and therefore does not have all hardware features of BIG-IP available. For instance, you will not have a serial console connection to your BIG-IP.

    2.  This lab environment only supports BIG-IP LTM, no other F5 products or BIG-IP modules like GTM or ASM.

    3.  This lab environment has only been tested with the lab steps in this lab guide. If you do not follow the steps in this lab guide, results will vary.


    Module 1 Lab – Initial Setup and Access

    Initial Setup Labs

    Objective:

    •  Perform initial setup of the BIG-IP LTM System

    •  Explore the Web Configuration Utility

    •  Make a backup of the BIG-IP System

    •  Estimated Time: 30 minutes

    [Figure: Lab Configuration]


    Setup Utility Lab

    Objective:

    •  Run the Setup Utility to configure system access parameters

    •  Estimated time for completion: 20 minutes

    Lab Requirements:

    •  Reachable IP address on the management port

    •  Valid License for the BIG-IP LTM Systems

    •  Administration system with an IP address on the BIG-IP LTM’s network

    Current BIG-IP Settings

    At this point, your BIG-IP system should already be licensed and the management port address still set to the default IP Address of 192.168.1.245/24.

    PC Configuration

    Your PC is configured with two IP Addresses in order to reach both the Management and client networks once they are configured on your BIG-IP.

    PC Mgmt IP Address      192.168.1.30/24

    PC Client IP Address    10.10.1.30/16

    Access the BIG-IP LTM System

    1.  Open a browser to https://192.168.1.245.

    2.  When prompted, accept the SSL certificate.

    3.  When prompted, login as admin with a password of admin.

    Licensing Steps

    1.  You should first see the Setup Utility’s Welcome screen. Click Next.

    2.  Normally, you would need to license your BIG-IP System. For these labs, the systems should already be licensed. Review the features that are licensed and then click Next.

    Provisioning Steps

    1.  The second screen should be Provisioning. Verify that Local Traffic (LTM) is set to Nominal, any other products are set to None (Disabled) and then click Next.


    Setup Utility

    1.  Within the General Properties section, specify the following:

    IP Address: 192.168.1.245

    Network Mask: 255.255.255.0

    Management Route: Leave blank

    Host Name: bigip1.f5trn.com

    Host IP Address: Use Management Port IP Address

    High Availability: Redundant Pair

    Unit ID: 1

    Time Zone: America/Los Angeles

    2.  Within the User Administration section, specify the following:

    Root Account Password: default

    Root Account Confirm: default

    Admin Account Password: admin

    Admin Account Confirm: admin

    SSH Access: Enabled

    SSH IP Allow: * All Addresses

    3.  Click Next.

    NOTE: When you type in the admin password field you will be required to log back into the system whether the password has been changed or not.

    Once this first step of administrative access has been configured, you can configure self-IP addresses and VLANs. We will choose the Basic Network Configuration option, which will step through creating two VLANs, internal and external, and their IP addresses and interfaces. Each self IP will be assigned Port Lockdown settings. Port lockdown limits administrative access to the self IP addresses. Because we have configured the system as a redundant pair, Allow Default should be selected for Port Lockdown on self IPs of the internal VLAN to ensure the systems will be able to communicate.

    Because we have configured as a redundant pair, the administrator will also be prompted for a partner address and a floating IP address for each VLAN. Generally, the partner address should be an address on the internal VLAN to minimize security concerns. Floating addresses are shared between the systems and used by the system that is currently active. These concepts are discussed in the Redundant Pair module.


    4.  Select the Basic Network Configuration option by clicking Next, then specify the following:

    Internal Network Settings

    Self-IP Address                 172.16.1.31

    Self-IP Netmask                 255.255.0.0

    Self-IP Port Lockdown           Allow Default

    Floating IP Address             172.16.1.33

    Floating IP Port Lockdown       Allow Default

    Failover Peer                   172.16.1.32

    Internal VLAN Configuration

    VLAN Name                       internal (Read Only)

    VLAN Tag ID                     Auto

    VLAN Interfaces                 Untagged – Port 1.2

    5.  Click the Next button to configure the External VLAN, then specify the following:

    External Network Settings

    Self-IP Address                 10.10.1.31

    Self-IP Netmask                 255.255.0.0

    Self-IP Port Lockdown           Allow 443

    Default Gateway                 Leave blank

    Floating IP Address             10.10.1.33

    Floating IP Port Lockdown       Allow 443

    External VLAN Configuration

    VLAN Name                       external (Read only)

    VLAN Tag ID                     Auto

    VLAN Interfaces                 Untagged – Port 1.1

    6.  Then click Finished.

    7.  Since we previously completed Licensing and Provisioning, we should reboot the BIG-IP so that our Licensing and Provisioning changes take effect. Select System / Configuration and click the Reboot box under Operations.

    Once the Basic Network Configuration is complete, the Welcome screen from the Overview section appears. The administrator can choose to change many presentation options, enable SNMP including downloading the MIB, access F5’s knowledge database (Ask F5) or re-run the setup utility to change addresses or access methods.


    Configuration Utility Lab

    Objective:

    •  Access both the Web Configuration utility and Command Line (SSH) utility for BIG-IP LTM system and get familiar with the interface

    •  Estimated time for completion: 5 minutes

    Lab Requirements:

    •  External IP address of the BIG-IP LTM system

    •  User ID and password of the BIG-IP LTM system’s Web Configuration Utility

    •  User ID and password of the BIG-IP LTM system’s Command Line Interface

    PC Configuration

    Your PC is configured with two IP Addresses in order to reach both the Management and client networks once they are configured on your BIG-IP.

    Mgmt IP Address      192.168.1.30/24

    Client IP Address    10.10.1.30/16

    The Web Configuration Utility

    1.  Open a browser window to https://10.10.1.31 to connect to the Web Configuration Utility.

    2.  Enter a user ID and password of admin / admin that you added during Setup.

    3.  Note options available on the Welcome page.

    4.  Click on the Network section, then note what is set for the Interfaces, Self IPs, and VLANs options.

    Command Line access (SSH)

    1.  Open an SSH session using Putty and attempt to connect to the external IP Address of your BIG-IP System (10.10.1.31).

    2.  Notice that you are not able to access your BIG-IP LTM. This is because Port Lockdown for the external self-IP addresses defaults to Allow 443 only. Access to port 22 is prevented.

    3.  From the web GUI select Network / Self IPs and then click the 10.10.1.31 self IP Address.

    4.  Under Port Lockdown / Custom List, click the Port radio button, enter 22 as the port, click Add, and then click Update.

    5.  Once port 22 has been added, you should be able to successfully use SSH to attach to your BIG-IP System. If you are prompted to accept the SSH key, do so. When the logon appears, enter root as the user ID and default as the password that you added during Setup.

    6.  If prompted for terminal type, select vt100.

    Enter the command: b self show


    What information is listed here?

    7.  Enter the command: b vlan show 

    What information is listed here?

    8.  Enter the command: b interface show

    What information is listed here?
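    The Port Lockdown behaviour seen in steps 2 to 5 above can be confirmed from the client PC by comparing the TCP ports that answer on a self IP with the ports the lockdown setting is meant to allow. The following Python code is an added example, not part of the F5 lab guide; the function names are made up for it, and its demo uses a local listener as a constructed stand-in for the BIG-IP so that it runs offline.

```python
"""Compare the TCP ports answering on a self IP with the intended Port Lockdown list.

Added example, not part of the F5 lab guide. Run it from the client PC.
"""
import socket


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'refused' (reset) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts and unreachable errors are OSError subclasses
        return "filtered"


def audit_lockdown(host, allowed, must_stay_closed, timeout=2.0):
    """Report drift between the observed ports and the intended lockdown policy.

    allowed          -- ports the Port Lockdown setting is meant to permit
    must_stay_closed -- service ports that should not answer on this self IP
    """
    allowed = set(allowed)
    watched = set(must_stay_closed) - allowed
    states = {p: probe(host, p, timeout) for p in sorted(allowed | watched)}
    return {
        "states": states,
        # Ports that answer although the policy does not list them.
        "unexpected_open": [p for p in sorted(watched) if states[p] == "open"],
        # Ports the policy lists that do not answer (service down or blocked).
        "expected_closed": [p for p in sorted(allowed) if states[p] != "open"],
    }


def demo():
    """Offline demonstration with a constructed stand-in for the self IP.

    A local listener plays a port that was added to the custom list (as
    port 22 is in step 4) but is absent from the intended policy.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))      # let the OS pick a free port
        listener.listen(1)
        opened = listener.getsockname()[1]
        report = audit_lockdown("127.0.0.1", allowed=[],
                                must_stay_closed=[opened], timeout=1.0)
    return opened, report


if __name__ == "__main__":
    port, report = demo()
    print("stand-in port", port, "->", report)
    # Against the lab device, with the external self IP meant to allow 443 only:
    #   audit_lockdown("10.10.1.31", allowed=[443], must_stay_closed=[22])
```

    Run before step 4, the call shown in the last comment should list nothing under unexpected_open; run after step 5 it should list port 22 until the custom list is changed back.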

    Verifying User Access

    1.  Logout of your SSH session.

    2.  Open a new SSH session but login and try the admin user. By default, you should not be able to get in as admin.

    3.  From the Web Configuration Utility select System / Users and then select the link for the admin User Name. Change the Terminal Access to Advanced Shell access, click Update, and then test SSH access with the admin user ID again.

    4.  Open a new browser window but try to login using the root user ID. By default, you should not be able to get into the Web Configuration utility with the root user ID.


    Configuration Backup Lab

    Objective:

    •  Create a backup of the BIG-IP System on both the BIG-IP and your desktop.

    •  Estimated time for completion: 5 minutes

    Lab Requirements:

    •  External IP address of the BIG-IP LTM system

    Saving a configuration

    1.  From the Navigation pane, click the System section.

    2.  Select Archives, then click Create.

    3.  Within the General Properties section, specify the following:

    File Name       Module1_End

    Encryption      Disabled

    Private Keys    Include

    Version         BIG-IP Version (read only)

    4.  When complete, click Finished.

    5.  When complete, an OK button will appear. Click OK or select Archives again.

    6.  Select Module1_End.ucs (the name is a link) and notice you can click Download to save a copy to your desktop. The Download option does not work in this F5 Training Lab environment but will in yours.

    7.  If desired, the file's contents can be viewed from the command line of your BIG-IP System. From an SSH session, perform the following:

    a.  Make a new directory for this lab: mkdir /var/tmp/test/

    b.  Change to the new directory: cd /var/tmp/test/

    c.  Copy the backup to the new directory:

    cp /var/local/ucs/Module1_End.ucs .

    d.  Decompress and extract the file: tar -xvzf Module1_End.ucs

    The resulting files show the directory structure and all files stored in the *.ucs file. Individual files can be viewed with cat, tail, more and other tools.
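    The archive in step 3 is created with Encryption set to Disabled and Private Keys set to Include, so whatever private keys it holds are written out in the clear by the extraction in step 7. The following Python code is an added example, not part of the F5 lab guide: it reads a UCS archive in memory, without extracting it, and reports which members contain PEM private keys. The sample archive and its member names are constructed for the example; the only format assumption is the one the lab demonstrates, that a .ucs file opens as a gzip-compressed tar.

```python
"""Scan a BIG-IP UCS archive for PEM private keys without extracting it.

Added example, not part of the F5 lab guide. It relies only on what the
lab shows: a .ucs file opens as a gzip-compressed tar (tar -xvzf).
"""
import io
import re
import tarfile

# Matches RSA, EC, PKCS#8 and OpenSSH style headers,
# for example "-----BEGIN RSA PRIVATE KEY-----".
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Markers of a passphrase-protected PEM key (legacy OpenSSL header or PKCS#8).
# New-format OpenSSH keys carry no such marker and are reported as False.
PEM_PROTECTED = re.compile(
    rb"Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----")
MAX_MEMBER_BYTES = 1 << 20  # PEM keys are small; read at most 1 MiB per member


def scan_ucs(fileobj):
    """Return None if fileobj is not a readable gzip tar, else a list of findings.

    Members are read in memory, so nothing is written to disk and member
    names from the archive are never used as filesystem paths.
    """
    findings = []
    try:
        with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                data = tar.extractfile(member).read(MAX_MEMBER_BYTES)
                if PEM_KEY.search(data):
                    findings.append({
                        "name": member.name,
                        "mode": oct(member.mode & 0o777),
                        "passphrase_protected": bool(PEM_PROTECTED.search(data)),
                    })
    except (tarfile.TarError, OSError, EOFError):
        # Not a plain gzip tar, or damaged; an archive saved in some other
        # container (for example an encrypted one) would end up here.
        return None
    return findings


def build_sample_ucs():
    """Constructed stand-in for Module1_End.ucs; member names are made up."""
    members = {
        "config/example.conf": b"hostname bigip1.f5trn.com\n",
        "config/ssl/example.key":
            b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n"
            b"-----END RSA PRIVATE KEY-----\n",
        "config/ssl/example_protected.key":
            b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            b"DEK-Info: AES-128-CBC,00\n\nCONSTRUCTED\n"
            b"-----END RSA PRIVATE KEY-----\n",
        "config/ssl/example.crt":
            b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n"
            b"-----END CERTIFICATE-----\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for finding in scan_ucs(build_sample_ucs()):
        print(finding)
    # On a real archive: with open("Module1_End.ucs", "rb") as f: scan_ucs(f)
```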


    Module 2 Lab – Processing Traffic

    Objectives:

    •  Configure pools for servers

    •  Configure virtual servers and associate them with a pool

    •  Verify functionality

    •  Estimated time for completion: 20 minutes

    Lab Requirements:

    •  IP and port addresses available for use on BIG-IP LTM that can be reached by the client systems

    •  Actual servers with appropriate routes to return traffic through each BIG-IP LTM system

    Restoring a Configuration from previous Lab

    1.  After connecting to F5 Training Lab, open a browser to https://192.168.1.245.

    2.  When prompted, login as admin with a password of admin.

    3.  If you have an existing lab environment, skip to step 10 below.

    4.  If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.

    5.  On both the License and Resource Provisioning screens click Next.

    6.  On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change High Availability setting to Redundant Pair.

    7.  Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

    8.  You will be prompted to login again because of changing the Admin password.

    9.  After logging in, click the Finished button under Advanced Network Configuration.

    10. From the Navigation pane, expand the System section, then select Archives.

    11. Click the Module2_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen and you should see messages that your restore completed successfully. You might receive one error message but that is ok and is due to the F5 Training Lab environment only.

    12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning takes effect. Select System / Configuration and click the Reboot box under Operations.

    13. After Restore and Reboot, your configuration should be as if you had just finished all Module 1 labs. Please verify this is the case. Your configuration should be licensed, include 2 VLANs (Network / VLANs) named external and internal and have 4 self IPs (Network / Self IPs) at 10.10.1.31, 10.10.1.33, 172.16.1.31 and 172.16.1.33 configured.


    Creating an HTTP Pool and Virtual Server Lab

    Create a Pool

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Either select Pools and then the Create button or hover your mouse over Pools and then click the sign on the flyout menu.

    3.  In the Configuration section, enter the following:

    Configuration Level    Basic
    Name                   http_pool
    Health Monitors        Leave Blank

    4.  In the Resources section, enter the following:

    Load Balancing Method        Round Robin
    Priority Group Activation    Disabled
    New Members                  For each, enter Address and Service Port and press Add:
                                 172.16.20.1 port 80
                                 172.16.20.2 port 80
                                 172.16.20.3 port 80

    5.  When complete, click Finished. 

    Create a Virtual Server that uses this pool

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Either select Virtual Servers and click Create, or hover your mouse over Virtual Servers and then click the sign on the flyout menu.

    3.  In the General Properties section, enter the following:

    Name            vs_http
    Destination     10.10.1.100
    Service Port    80 (or HTTP)
    State           Enabled

    4.  In the Configuration section, accept all defaults.

    5.  In the Resources section, enter the following:

    iRules                          Leave Blank
    HTTP Class Profiles             Leave Blank
    Default Pool                    http_pool
    Default Persistence Profile     None
    Fallback Persistence Profile    None

    6.  When complete, click Finished. 


    Verification through Statistics

    1.  Open a new browser session on your PC and point it to the virtual server at http://10.10.1.100. Note the results and refresh the screen 5-10 times. You may need to refresh using the Ctrl and F5 keys to force the browser not to use its cache.

    2.  View statistics and configuration information through:

    a.  Overview Section / Statistics / Local Traffic Tab

     b.  From the Statistics Type drop down list, choose Virtual Servers

    c.  From the Statistics Type drop down list, choose Pools

    3.  Did traffic go to each pool member?

    4.  Did each pool member manage the same number of connections?

    5.  Did each pool member manage the same number of bytes?

    6.  How many TCP connections are opened each time you refresh the browser page?

    Expected Results and Troubleshooting

      Expected result: 5 connections per refresh, distributed evenly among the pool members. The webpage consists of the index.html and 4 objects. The web servers have keep-alives disabled.

      If not, verify the following:

    •  Is traffic getting to the virtual server?

        Does 10.10.1.100 appear in your workstation’s ARP table? Type arp -a at the workstation’s command prompt.

        Does the Statistics page show traffic received by vs_http? Verify that the address and port are correctly configured.

    •  Is traffic getting to the pool members?

        If no traffic is going TO the pool members:

            Verify http_pool has been assigned to vs_http

            Verify the correct members address / port

        If traffic goes TO pool member, but does not return:

            Verify that self IP address 172.16.1.33 is configured on port 1.2 (this address is the pool members’ default route).


    Creating an HTTPS Virtual Server and Pool Lab

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Either select Virtual Servers and click Create or leave your mouse over Virtual Servers and then click the sign on the flyout menu.

    3.  In the General Properties Section, enter the following:

    Name            vs_https
    Destination     10.10.1.100
    Service Port    443 (or HTTPS)
    State           Enabled

    4.  In the Configuration Section, accept all defaults.

    5.  Since we “forgot” to create the pool first, navigate to the Resources Section and click the “+” character to the right of Default Pool.

    6.  In the Configuration section of the new pool, enter the following:

    Configuration      Basic
    Name               https_pool
    Health Monitors    Leave Blank

    7.  In the Resources section, enter the following:

    Load Balancing Method        Round Robin
    Priority Group Activation    Disabled
    New Members                  For each, enter Address and Service Port and press Add:
                                 172.16.20.1 port 443
                                 172.16.20.2 port 443
                                 172.16.20.3 port 443

    NOTE: Since the members’ IP addresses are the same, you could select Node List and choose the members’ IP addresses from the drop-down list.

    8.  When the pool is complete, press Finished.

    9.  In the Virtual Server’s Resources section, verify the following settings:

    iRules                          Leave Blank
    HTTP Class Profiles             Leave Blank
    Default Pool                    https_pool
    Default Persistence Profile     None
    Fallback Persistence Profile    None

    10. When complete, make sure to click Finished for the virtual server.


    Verification through Statistics

    1.  Open a new browser session on your PC and point it to the virtual server at https://10.10.1.100. Note the results and refresh the screen 5-10 times.

    2.  View statistics and configuration information through:

    a.  Overview Section / Statistics / Local Traffic Tab

    b.  From the Statistics Type drop down list, choose Virtual Servers

    c.  From the Statistics Type drop down list, choose Pools

    3.  Did traffic go to each pool member?

    4.  Did each pool member manage the same number of connections?

    5.  Did each pool member manage the same number of bytes?

    6.  How many TCP connections are opened each time you refresh the browser page?

    Statistics using the Command Line

    1.  Open an SSH client window using PuTTY, enter the external IP Address of your BIG-IP LTM System (10.10.1.31) and make sure the protocol is set to SSH.

    2.  When prompted, enter root as the user ID and the password that was added during setup. A password of default was suggested in Lab 1 and set in the Module2_Lab_begin.ucs file.

    3.  If prompted for terminal type, accept or enter vt100.

    4.  Enter the command bigtop. This command shows real time information on the virtual servers and pool members that you have configured.

    5.  View the screen while refreshing your session to either http://10.10.1.100 or https://10.10.1.100. What does bigtop show? Exit bigtop by pressing the q key.

    6.  Statistics for pools and virtual servers can be viewed by typing the following:

    b pool show

    example:  b pool http_pool show

    b virtual show

    example:  b virtual vs_http show

    Expected Results and Troubleshooting

      Expected result: You may see six connections the first time you request the page (due to the SSL key exchange), but should see five connections per subsequent refresh. The requests should be evenly distributed among the pool members.

      If not, verify the following:

    •  Confirm that the virtual server was created. Students often neglect to hit Finish for the virtual server after hitting Finish for the pool.

      Local Traffic / Virtual Servers

    •  Is traffic getting to the virtual server?


        Does 10.10.1.100 appear in your workstation’s ARP table? You may need to clear your ARP table before testing to remove the entry from the vs_http virtual server.

        Does the Statistics page show traffic received by vs_https? Verify that the address and port are correctly configured.

    •  Is traffic getting to the pool members? Check Pool statistics:

        If no traffic is going TO the pool members:

            Verify https_pool has been assigned to vs_https

            Verify the correct members address / port

        If traffic goes TO pool member but does not return:

            Verify that self IP address 172.16.1.33 is configured on port 1.2 (this address is the pool members’ default route).

    Network Map Lab

    View Configuration and Status from Network Map

    1.  Open a browser session and access https://10.10.1.31.

    2.  Select Local Traffic / Network Map, then click Show Map.

    3.  Mouse over both virtual server and Pool objects and notice what information is displayed about that object.

    4.  Select a Pool member and disable it. 

    a.  From the Navigation pane, expand the Local Traffic section.

     b.  Select Pools.

    c.  Select http_pool.

    d.  Select Members.

    e.  Check the box to the left of the chosen member and click the Disable button.

    5.  Go back to Network Map and notice that status changed to disabled, indicated by a black square.

    6.  Re-enable the disabled pool member for later labs.

    7.  Change the search field to 20.1 and then click Update Map. Notice that all members are still listed, but matches are highlighted.

    8.  Select System / Preferences and change the Start Screen from Welcome to Network Map. Close your browser session to the admin GUI, and then log back in to https://10.10.1.31 and notice that your default screen is now Network Map.


    Module 3 Lab – Load Balancing

    Objectives:

      Choose differing load balancing methods and view the resulting behavior

      Choose differing member priority and ratio values and view the resulting behavior

      Estimated time for completion: 10 minutes 

    Lab Requirements:

      Access to a BIG-IP LTM with at least a pool with two or more working members

    Restoring a Configuration from previous Lab

    1.  After connecting to F5 Training Lab, open a browser to https://192.168.1.245.

    2.  When prompted, login as admin with a password of admin.

    3.  If you have an existing lab environment, skip to step 10 below.

    4.  If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.

    5.  On both the License and Resource Provisioning screens click Next. 

    6.  On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change High Availability setting to Redundant Pair.

    7.  Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

    8.  You will be prompted to login again because of changing the Admin password. 

    9.  After logging in, click the Finished button under Advanced Network Configuration. 

    10. From the Navigation pane, expand the System section, then select Archives.

    11. Click the Module3_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen and you should see messages that your restore completed successfully. You might receive one error message but that is ok and is due to the F5 Training Lab environment only.

    12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning takes effect. Select System / Configuration and click the Reboot box under Operations.

    13. After Restore and Reboot, your configuration should be as if you had just finished all Module 2 labs. Please verify this is the case. Your configuration should include two pools named http_pool and https_pool and two virtual servers named vs_http and vs_https. None of the Pools or Pool Members should have Monitors assigned (blue square status).


    Round Robin Load Balancing Lab

    If not zero, reset the Statistics for http_pool

    1.  From the Navigation pane, expand the Overview section and select Statistics. 

    2.  From the Display options sections, change the Statistics Type to Pools.

    3.  Select the checkbox adjacent to http_pool, and click Reset.

    View Results using Round Robin Load Balancing

    1.  Open a browser session and access http://10.10.1.100.

    2.  Refresh the screen a few times by pressing Ctrl+F5 (Ctrl+R if using Firefox).

    3.  Navigate back to the pools statistics page.

    4.  What are the results? Were the connection requests distributed evenly?

    5.  Reset the statistics for http_pool.

    Ratio member Load Balancing Lab

    Configure Member Ratios and Ratio (member) Load Balancing and test.

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Pools.

    3.  Select http_pool.

    4.  Select Members.

    5.  Within the Load Balancing section, change the Load Balancing Method to Ratio (member) and click Update.

    6.  Within the Configuration section of each member, set the ratio values as follows:

    Member            Ratio
    172.16.20.1:80    1
    172.16.20.2:80    2
    172.16.20.3:80    3

    7.  Open a new browser session and connect to http://10.10.1.100.

    8.  Refresh the screen 5-10 times by pressing Ctrl-F5.

    9.  View the pool statistics. What are the results? 

    10. Reset the statistics for http_pool. 


    Expected Results and Troubleshooting

      Expected result: Traffic will be distributed to the members with a 1:2:3 ratio.

    Configuration reset if continuing to other Module Labs

    If you are not going to perform the Priority Group Activation Lab, but want to continue using your existing configuration with other Module Labs, reset http_pool and members to the following settings:

      Load Balancing: Round Robin 


    Priority Group Activation Lab

    Configure Priority Group Activation

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Pools.

    3.  Select http_pool. 

    4.  Select Members. 

    5.  In the Load Balancing section, change the Priority Group Activation setting to Less than …, the number of Available Members to 2, and click Update. 

    6.  Within the Configuration section of each member, set the Priority values as follows:

    Member            Ratio    Priority Group
    172.16.20.1:80    1        1
    172.16.20.2:80    2        4
    172.16.20.3:80    3        4

    7.  Open a new browser session and connect to http://10.10.1.100.

    8.  Refresh the screen 5-10 times by pressing Ctrl-F5.

    9.  View the pool statistics. What are the results? 

    10. Reset the statistics for http_pool. 

    11. Disable the member 172.16.20.2:80.

    12. Open a new browser session and connect to http://10.10.1.100. 

    13. Refresh the screen 5-10 times by pressing Ctrl-F5.

    14. View the pool statistics. What are the results?

    15. Re-enable the member 172.16.20.2:80.

    16. Reset the statistics for http_pool.

    Expected Results and Troubleshooting

      In step (9), 172.16.20.1:80 should receive no traffic. The traffic will be distributed to the other members with a 2:3 ratio.

      In step (14), 172.16.20.2:80 should receive no traffic. The traffic will be distributed to the other members with a 1:3 ratio.

    Configuration reset if continuing to other Module Labs

    If you want to continue using your existing configuration with other Module Labs, reset http_pool and members to the following settings:

      Load Balancing: Round Robin 

      Priority Group Activation: Disabled 


    Module 4 Lab – Monitors

    Objective:

      Associate nodes with monitors

      Create custom monitors

      Estimated time for completion: 10 minutes

    Lab Requirements:

      Access to a BIG-IP LTM with at least one pool with two working members

      Some knowledge of the traffic sent by the members

    Restoring a Configuration from previous Lab

    1.  After connecting to F5 Training Lab, open a browser to https://192.168.1.245.

    2.  When prompted, login as admin with a password of admin.

    3.  If you have an existing lab environment, skip to step 10 below.

    4.  If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.

    5.  On both the License and Resource Provisioning screens click Next. 

    6.  On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change High Availability setting to Redundant Pair.

    7.  Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

    8.  You will be prompted to login again because of changing the Admin password. 

    9.  After logging in, click the Finished button under Advanced Network Configuration. 

    10. From the Navigation pane, expand the System section, then select Archives.

    11. Click the Module4_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen and you should see messages that your restore completed successfully. You might receive one error message but that is ok and is due to the F5 Training Lab environment only.

    12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning takes effect. Select System / Configuration and click the Reboot box under Operations.

    13. Your configuration should be as if you had just finished all Module 3 labs. Please verify this is the case. Your configuration should be licensed and include two Pools named http_pool and https_pool and two Virtual Servers named vs_http and vs_https. None of the Pools or Pool Members should have Monitors assigned (blue square status).


    Monitor for Nodes Lab

    Check Current Node States

    1.  From the Navigation pane, select the Local Traffic section.

    2.  Select Nodes.

    3.  What are the nodes’ statuses?

    4.  Will BIG-IP LTM distribute traffic to nodes that are Unknown?

    Assign a Default Monitor to all Nodes

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Nodes.

    3.  Above the list of nodes, select Default Monitor.

    4.  From the list of Available monitors, select icmp, press the move to the left button (


     Assign the custom monitor to selected nodes

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Nodes and then select the node at 172.16.20.1.

    3.  In the Configuration Section, enter the following:

    Name                        Leave Blank
    Health Monitors             Node Specific
    Select Monitors             my_icmp in Active column
    Availability Requirement    All
    Additional Settings         Leave as Defaults

    4.  When complete, click Update.

    5.  What are the nodes’ statuses?

    Disassociate all monitors for selected node

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Nodes.

    3.  Select the node 172.16.20.2.

    4.  In the Configuration Section, enter the following:

    Health Monitors        None
    Additional Settings    Leave as Default

    5.  When complete, press Update.

    6.  What is the node’s status? Was the change immediate?

    Conclusion

    At this point, each node is being tested differently. Node 172.16.20.1 has a specific assignment, my_icmp. Node 172.16.20.2 has no monitor assigned. Node 172.16.20.3 is using the Node Default monitor, which is currently icmp. This is not a recommended configuration; rather it is used to demonstrate the three ways monitors can be associated with nodes.


    Monitors for Pools and Members Lab #1

    Objective:

      Associate members with monitors

      Create custom monitors

      Estimated time for completion: 10 minutes

    Check Current Member States

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Pools.

    3.  Select http_pool.

    4.  Select the Members tab.

    5.  What are the members’ statuses?

    6.  Will BIG-IP LTM distribute traffic to members that are Unknown?

     Assign a Standard Monitor to a Pool

    1.  Navigate to Local Traffic / Pools / http_pool / Members and note the members’ states. Select the Properties tab.

    2.  In the Configuration Section, enter the following:

    Configuration      Basic
    Health Monitors    http

    3.  When complete, press Update.

    4.  Recheck the Member states (either follow directions above or select Members from the current location).

    NOTE: Each time the Members tab is pressed, the screen will refresh.

    5.  What are the members’ statuses? Was the change immediate?

    Create a New HTTP-based Monitor

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Either select Monitors and then the Create button or leave your mouse over Monitors and then click the sign on the flyout menu.

    3.  In the General Properties Section, enter the following:

    Name               my_http
    Type               HTTP
    Import Settings    http


    4.  In the Configuration Section, enter the following:

    Configuration     Basic
    Send String       GET /index.html\r\n
    Receive String    Server

    Leave other settings at default

    5.  When complete, click Finished.

    Assign the Custom Monitor to Selected Members

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Pools.

    3.  Select http_pool.

    4.  Select the Members tab.

    5.  Select the member 172.16.20.2:80.

    6.  In the Configuration Section, enter the following:

    Configuration      Advanced
    Health Monitors    Member Specific
    Select Monitors    my_http

    Leave other settings at default

    7.  When complete, click Update.

    8.  What are the members’ statuses? Was there any change?

    Disassociate all monitors for selected member

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Pools.

    3.  Select the pool http_pool.

    4.  Select the Members tab.

    5.  Select the member at 172.16.20.3:80.


    6.  In the Configuration Section, enter the following:

    Configuration Level    Advanced
    Health Monitors        None

    Leave other settings at default

    7.  When complete, click Update.

    8.  What are the members’ statuses? Was the change immediate?

    Conclusion

    At this point, each member is being tested differently. Member 172.16.20.1:80 is set to inherit from the pool, which has http assigned. Member 172.16.20.2:80 has a specific assignment, my_http. Member 172.16.20.3:80 has no assigned monitor. This configuration is not recommended; rather it is used to demonstrate the three ways monitors can be associated with members.


    Monitors for Pools and Members Lab #2

    Objective:

      Associate members with monitors

      Create custom monitors

      Estimated time for completion: 10 minutes

    Check Current Member States

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Pools.

    3.  Select https_pool, and then select the Members tab.

    4.  What are the members’ statuses?

    Create a New HTTPS-based Monitor

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Either select Monitors and then the Create button or leave your mouse over Monitors and then click the sign on the flyout menu.

    3.  In the General Properties Section, enter the following:

    Name               my_https
    Type               HTTPS
    Import Settings    https

    4.  In the Configuration Section, enter the following:

    Configuration Level    Basic
    Send String            GET /index.html\r\n
    Receive String         Server 2

    Leave other settings at default

    5.  When complete, click Finished.


    Assign the Custom Monitor to a Pool

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Pools.

    3.  Select https_pool.

    4.  In the Configuration Section, enter the following:

    Configuration      Basic
    Health Monitors    my_https

    5.  When complete, click Update.

    6.  What are the members’ statuses? Why? Was the change immediate?

    7.  What is the status of the Virtual Server?

    Check Status of Nodes and Members from Network Map

    1.  From the Navigation pane, expand the Local Traffic section, select the Network Map and click Show Map.

    2.  Moving the mouse over certain Pool members, notice that the Parent Node state can be different than the Pool member. Why is this happening? Remember that we can and have assigned different monitors to Nodes and Pool Members.

    Change the Definition of the Custom Monitor

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Monitors.

    3.  Select my_https.

    4.  In the Configuration Section, change the Receive String to Server [1-3] 

    5.  When complete, click Update.

    6.  What is the status of members in https_pool? Was the change immediate?

    NOTE: [1-3] is a simple regular expression that matches any single character in the range from 1 to 3.
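
    How the three monitor associations from the Lab #1 conclusion (inherit from pool, member specific, none) and the my_https Receive String change resolve to a member status, as an added example that is not part of the lab guide and not F5 code. The reply bodies are constructed and assume each lab server's page contains its own "Server N" text; Python's re.search stands in for the monitor's receive-string matching, and the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass

INHERIT = "inherit"   # member takes whatever monitors the pool has assigned


@dataclass(frozen=True)
class Monitor:
    name: str
    send: str
    receive: str      # regular expression searched for in the reply

    def passes(self, response):
        # No reply at all (timeout, refused connection) fails the check.
        return response is not None and re.search(self.receive, response) is not None


def member_status(assignment, pool_monitors, response):
    """Resolve one member's status.

    assignment is INHERIT, a list of member-specific monitors, or an empty
    list for Health Monitors: None. Availability Requirement is taken as
    All, so every assigned monitor must pass.
    """
    monitors = pool_monitors if assignment == INHERIT else assignment
    if not monitors:
        return "unknown"                      # blue: nothing is checking it
    ok = all(m.passes(response) for m in monitors)
    return "available" if ok else "offline"   # green / red


def pool_status(pool_monitors, assignments, responses):
    """Status per member; members absent from assignments inherit."""
    return {member: member_status(assignments.get(member, INHERIT),
                                  pool_monitors, responses.get(member))
            for member in responses}


# Constructed replies to the Send String; real pages would be longer.
RESPONSES = {
    "172.16.20.1:443": "<html><body>Server 1</body></html>",
    "172.16.20.2:443": "<html><body>Server 2</body></html>",
    "172.16.20.3:443": "<html><body>Server 3</body></html>",
}
SEND = r"GET /index.html\r\n"   # as typed into the Send String field

MY_HTTPS_V1 = Monitor("my_https", SEND, "Server 2")       # first definition
MY_HTTPS_V2 = Monitor("my_https", SEND, "Server [1-3]")   # after the change


if __name__ == "__main__":
    for mon in (MY_HTTPS_V1, MY_HTTPS_V2):
        print(f"{mon.receive!r:16}", pool_status([mon], {}, RESPONSES))
    # A member with Health Monitors: None is never marked down, only unknown.
    print(pool_status([MY_HTTPS_V2], {"172.16.20.3:443": []}, RESPONSES))
```

    A member in the unknown state still receives traffic even if its server has failed, which is why the lab calls the mixed assignment a demonstration rather than a recommended configuration.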

    Configuration reset if continuing to other Module Labs

    If you want to continue using your existing configuration with other Module Labs, make sure all pool members for both http_pool and https_pool are in one of the following states:

      Available or Green 

      Unknown or Blue 


    Module 5 Lab – Profiles

    Note: No Lab for Module 5 Profiles

    There is no Lab for Module 5 Profiles. There are labs using Profiles in both the Module 6 (Persistence) and Module 7 (SSL Termination) labs.


    Module 6 Labs – Persistence

    Objective:

      Configure Source Address Persistence

      Verify functionality

      Estimated time for completion: 10 minutes

    Lab Requirements:

      Two or more working members in https_pool

      A virtual server at https://10.10.1.100 associated with https_pool

    Restoring a Configuration from previous Lab

    1.  After connecting to F5 Training Lab, open a browser to https://192.168.1.245.

    2.  When prompted, login as admin with a password of admin.

    3.  If you have an existing lab environment, skip to step 10 below.

    4.  If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.

    5.  On both the License and Resource Provisioning screens click Next. 

    6.  On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change High Availability setting to Redundant Pair.

    7.  Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

    8.  You will be prompted to login again because of changing the Admin password. 

    9.  After logging in, click the Finished button under Advanced Network Configuration. 

    10. From the Navigation pane, expand the System section, then select Archives.

    11. Click the Module6_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen and you should see messages that your restore completed successfully. You might receive one error message but that is ok and is due to the F5 Training Lab environment only.

    12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning takes effect. Select System / Configuration and click the Reboot box under Operations.

    13. Your configuration should be as if you had just finished all Module 4 Labs since there weren’t any labs for Module 5. Please verify this is the case. Your configuration should be licensed and include two Pools named http_pool and https_pool and two Virtual Servers named vs_http and vs_https. The Pools and Pool Members should have various Monitors assigned but no Pool Members should be marked Offline (red).


    Source Address Persistence Lab

    Repeating behavior before persistence

    1.  Make sure the Load Balancing method for https_pool is set to Round Robin, Priority Group Activation is disabled, and that all pool members have a connection limit of 0.

    NOTE: This is not required for persistence. Instead, it ensures that reuse of a single server is due to persistence and not a load balancing choice.

    2.  Next, access and reset the statistics for the https_pool.

    3.  Open a new browser session and connect to https://10.10.1.100.

    4.  Refresh the screen 5-10 times by clicking Refresh or pressing the F5 key.

    5.  View the pool statistics. What are the results? 

    Expected Results and Troubleshooting

      Expected result: All pool members should receive approximately equal amounts of traffic. If not, ensure that step (1) was followed.

    Configure a Source Address Affinity Persistence Profile

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Either select Profiles and the Persistence tab and click Create or use the flyout menus to expand Profiles / Persistence and click the + sign.

    3.  In the General Properties section, enter the following:

    Name Pr_Src_Persist

    Persistence Type Source Address Affinity

    Parent Profile source_addr

    4.  In the Configuration Section, leave all fields at the default settings except for the following:

    Timeout Click on the Custom checkbox for Timeout and then set the Timeout to 15 seconds.

    Mask Click on the Custom checkbox for Mask and then set the Mask to 255.255.255.0.

    5.  When complete, click Finished.

    Associate a Virtual Server with the Persist_Source Profile

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Virtual Servers.

    3.  Select the virtual server of interest, vs_https.

    4.  Select the Resources tab.

    5.  Under the Load Balancing section, enter the following:

    Default Pool https_pool

    Default Persistence Profile Pr_Src_Persist

    Fallback Persistence Profile None

    6.  When complete, click Update.

    Demonstrating behavior after setting up persistence

    1.  Access and reset the statistics for the https_pool.

    2.  Open a new browser session and connect to https://10.10.1.100 

    3.  Refresh the screen 5-10 times by clicking Refresh or pressing Ctrl-F5.

    4.  View the pool statistics. What are the results? 

    5.  Stop refreshing the screen for at least 15 seconds.

    6.  Refresh again. At this point, you should be load balanced to another server.

    7.  From a separate browser session, view the Persistent Statistics.

    a.  From the Navigation Pane, expand the Overview section.

     b.  Select Statistics.

    c.  With the Display Options section, set the following:

    Statistics Type Persistence Records

    Data Format Normalized

     Auto Refresh Disabled

    8.  Leave the * in the search field (show all records) and click Search or Refresh.

    9.  If no persistent sessions currently appear, refresh your screen connecting to https://10.10.1.100 and then refresh the Persistence Records Statistics again.

    10. Why might the persistent connection not appear the first time?

    Expected Results and Troubleshooting

      Expected result: While the persistence record is active, all traffic from that client will be directed to a single pool member. Since the persistence record is configured to remain for only 15 seconds, it may time out before you navigate to the persistence statistics.
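    The behavior this lab demonstrates can be reproduced offline with a small model. The following is an added example, not part of the F5 lab guide and not BIG-IP code: the class and function names are hypothetical, the client addresses other than 10.10.1.30 are constructed, and it assumes the timeout is an idle timeout that restarts on every matching request.

```python
import ipaddress
from collections import Counter
from itertools import cycle

# Pool members as used in the lab (https_pool, port 443).
MEMBERS = ["172.16.20.1:443", "172.16.20.2:443", "172.16.20.3:443"]


class AffinityModel:
    """Simplified model of Round Robin plus source address affinity.

    Assumption: the timeout is an idle timeout, restarted by every request
    that matches the record. This is a teaching model, not BIG-IP code.
    """

    def __init__(self, members, timeout=None, mask="255.255.255.255"):
        self._round_robin = cycle(members)
        self.timeout = timeout  # None models a virtual server without persistence
        self.mask = mask
        self.records = {}  # masked source address -> (member, last_used)

    def key(self, client_ip):
        # The Mask setting decides which clients share one persistence record.
        net = ipaddress.ip_network(f"{client_ip}/{self.mask}", strict=False)
        return str(net.network_address)

    def pick(self, client_ip, now):
        if self.timeout is None:
            return next(self._round_robin)
        key = self.key(client_ip)
        record = self.records.get(key)
        if record and now - record[1] < self.timeout:
            member = record[0]                 # live record: reuse the member
        else:
            member = next(self._round_robin)   # no record or expired: load balance
        self.records[key] = (member, now)      # create or refresh the record
        return member

    def active_records(self, now):
        # What the Persistence Records statistics screen would list at time `now`.
        if self.timeout is None:
            return {}
        return {k: m for k, (m, used) in self.records.items()
                if now - used < self.timeout}


def refresh(model, client_ip, times, start=0.0, step=1.0):
    """Send `times` requests `step` seconds apart; return hits per member."""
    return Counter(model.pick(client_ip, start + i * step) for i in range(times))


if __name__ == "__main__":
    before = AffinityModel(MEMBERS)
    print("no persistence:", dict(refresh(before, "10.10.1.30", 9)))

    after = AffinityModel(MEMBERS, timeout=15, mask="255.255.255.0")
    print("Pr_Src_Persist:", dict(refresh(after, "10.10.1.30", 9)))
    print("after 20 s idle:", after.pick("10.10.1.30", 28.0))
    print("same /24, other host:", after.pick("10.10.1.77", 29.0))
    print("records at t=31:", after.active_records(31.0))
    print("records at t=50:", after.active_records(50.0))
```

    The last two lines show why the Persistence Records screen can be empty: with a 15 second timeout the record is gone shortly after the final refresh.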

    Cookie Persistence Lab

    Objective:

      Configure Cookie persistence

      Verify functionality

      Estimated time for completion: 15 minutes

    Lab Requirements:

      Two or more working members in http_pool

      A virtual server at http://10.10.1.100 associated with http_pool

    Repeating behavior before persistence

    1.  Make sure the Load Balancing method for http_pool is set to Round Robin and Priority Group Activation is disabled.

    NOTE:  This is not required for persistence. Instead, it ensures that reuse of a single server is due to persistence and not a load-balancing choice.

    2.  Access and reset the statistics for the http_pool.

    3.  Open a new browser session and connect to http://10.10.1.100.

    4.  Refresh the screen 5-10 times by clicking Refresh or pressing the F5 key.

    5.  View the pool statistics. What are the results? 

    Creating a Custom HTTP Cookie Insert Persistence Profile:

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Either select Profiles and the Persistence tab and click Create or use the flyout menus to expand Profiles / Persistence and click the + sign.

    3.  In the General Properties section, enter the following:

    Name Pr_Cookie_Persist

    Persistence Type Cookie

    Parent Profile Cookie

    4.  In the Configuration Section, leave all settings at default except for the following:

    Expiration Check the Custom checkbox for Expiration, then uncheck Session Cookie and set the Expiration to 2 days

    5.  When complete, click Finished.

    Associating a Virtual Server with the Cookie Persistence Profile

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Virtual Servers.

    3.  Select the Virtual Server of interest, vs_http.

    4.  Select the Resources tab.

    5.  Within the Load Balancing section, enter the following:

    Default Pool http_pool

    Default Persistence Profile Pr_Cookie_Persist

    Fallback Persistence Profile None

    6.  When complete, click Update.

    NOTE: You should see an error requiring an HTTP profile in order to use the cookie persistence profile. Follow the steps below.

    Associating the Virtual Server with an HTTP Profile

    1.  From the Navigation pane, select Local Traffic menu, Virtual Servers option.

    2.  Select the Virtual Server of interest, vs_http.

    3.  Select the Properties tab.

    4.  Within the Configuration section, set the HTTP Profile to http.

    5.  When complete, click Update.

    6.  Re-add the Pr_Cookie_Persist profile above on vs_http Resources tab as the Default Persistence profile and click Update.

    Demonstrating behavior after persistence 

    1.  Access and reset the statistics for the http_pool.

    2.  Open a new browser session and connect to http://10.10.1.100

    3.  Refresh the screen 5-10 times by pressing “Refresh” or CTRL-F5.

    4.  View the pool statistics. What are the results? 

    5.  Click on the Display Cookie link in the web page to view the cookie.

    Expected Results and Troubleshooting

    Expected result: All traffic will be directed to one member. If not, ensure that the browser you are using allows cookies to be saved.
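    To confirm that the cookie shown by the Display Cookie link points at the member that served the page, the value can be decoded. The following is an added example, not part of the F5 lab guide: it assumes the default, unencrypted cookie-insert format for an IPv4 pool member (cookie named BIGipServer followed by the pool name), and the header, function names and expiry date are constructed for illustration.

```python
import socket
import struct

PREFIX = "BIGipServer"  # assumed default cookie name prefix for cookie insert


def encode_member(ip, port):
    """Build the cookie value for an IPv4 member: both fields are byte-reversed."""
    ip_val = struct.unpack("<I", socket.inet_aton(ip))[0]
    port_val = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_val}.{port_val}.0000"


def decode_member(value):
    """Return (ip, port) from a value such as '18092204.20480.0000'."""
    parts = value.split(".")
    if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unexpected cookie value: {value!r}")
    ip_val, port_val = int(parts[0]), int(parts[1])
    if ip_val > 0xFFFFFFFF or port_val > 0xFFFF:
        raise ValueError(f"field out of range: {value!r}")
    ip = socket.inet_ntoa(struct.pack("<I", ip_val))
    port = struct.unpack(">H", struct.pack("<H", port_val))[0]
    return ip, port


def parse_set_cookie(header):
    """Return (pool_name, (ip, port), attributes) from a Set-Cookie header value."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, value = first.split("=", 1)
    if not name.startswith(PREFIX):
        raise ValueError("not a BIG-IP persistence cookie")
    attributes = dict(a.split("=", 1) if "=" in a else (a, "") for a in attrs if a)
    return name[len(PREFIX):], decode_member(value), attributes


# Constructed sample: what vs_http might send for member 172.16.20.1:80 with
# the Pr_Cookie_Persist profile (expiration date is illustrative only).
SAMPLE = ("BIGipServerhttp_pool=18092204.20480.0000; "
          "expires=Sun, 19-Dec-2010 12:00:00 GMT; path=/")

if __name__ == "__main__":
    pool, member, attrs = parse_set_cookie(SAMPLE)
    print(pool, member, attrs.get("expires"))
    for host in ("172.16.20.1", "172.16.20.2", "172.16.20.3"):
        print(host, "->", encode_member(host, 80))
```

    The value is an encoding, not encryption, so every client that receives the cookie can read the pool name and member address from it.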

    Disable Persistence for this Virtual Server

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Virtual Servers.

    3.  Select the Virtual Server of interest, vs_http.

    4.  Select the Resources Tab.

    5.  Under the Load Balancing section, enter the following:

    Default Pool http_pool

    Default Persistence Profile None

    Fallback Persistence Profile None

    6.  When complete, click Update. 

    Disabled Members Lab

    Objective:

      See the interaction between persistence and the disabled status

      Estimated time for completion: 15 minutes

    Lab Requirements:

      vs_https with resources https_pool and Pr_Src_Persist profile

    NOTE:  You may want to extend the persistence timeout value in the Persist_Source profile before beginning this lab.

    Establish a persistent session and disable a member

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select Pools then select https_pool.

    3.  Select the Members tab.

    4.  Open a separate browser to https://10.10.1.100. Refresh to verify that you are persisting.

    5.   Note the member to which you have connected.

    6.  From the Members tab, click the box adjacent to the member you are persisting to and click Disabled.

    7.  Refresh the browser session at https://10.10.1.100. 

    Did you remain on the same member?

    8.  From the Members tab, select the IP address of the member to which you have the persistence session.

    9.  Select the Forced Offline radio button and click Update.

    10. Refresh the browser session at https://10.10.1.100.

    Did you remain on the same member?

    Establish a persistent session and disable a node

    1.  From the Navigation pane, expand the Local Traffic section and then select Nodes.

    2.  Open a separate browser to https://10.10.1.100. Refresh to verify that you are persisting.

    3.   Note the node to which you have connected.

    4.  From the Nodes list, select the box adjacent to the node and click the Disable button.

    5.  Refresh the browser session at https://10.10.1.100. Did you remain on the same node?

    Re-Enable nodes and members

    For later labs, ensure all nodes and members are enabled.

    Module 7 Lab – SSL Termination

    Objective:

      Create self-signed certificates

      Create a Client SSL profile

      Create a virtual server that will use the clientssl profile and load balance traffic

    Lab Requirements:

      An existing pool of members at port 80 (http_pool)

      Access to a web browser

    Restoring a Configuration from previous Lab

    1.  After connecting to F5 Training Lab, open a browser to https://192.168.1.245.

    2.  When prompted, login as admin with a password of admin.

    3.  If you have an existing lab environment, skip to step 10 below.

    4.  If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.

    5.  On both the License and Resource Provisioning screens click Next. 

    6.  On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.

    7.  Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

    8.  You will be prompted to login again because of changing the Admin password. 

    9.  After logging in, click the Finished button under Advanced Network Configuration. 

    10. From the Navigation pane, expand the System section, then select Archives.

    11. Click the Module7_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen and you should see messages that your restore completed successfully. You might receive one error message but that is ok and is due to the F5 Training Lab environment only.

    12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning takes effect. Select System / Configuration and click the Reboot box under Operations.

    13. Your configuration should be as if you had just finished all Module 6 labs. Please verify this is the case. Your configuration should be licensed and include two Pools named http_pool and https_pool and two Virtual Servers named vs_http and vs_https. The Pools and Pool Members should have various Monitors assigned but no Pool Members should be marked Offline (red) or Disabled (black). The vs_https Virtual Server should have a Source Address Persistence Profile assigned on the Resources tab.

    Client SSL Lab

    Behavior before configuration: SSL traffic is encrypted from client.

    1.  Open a Web browser to https://10.10.1.100.

    2.  Depending on the browser, you may see a lock in the lower right corner of the window; it indicates the session is encrypted and secure. Alternately, find the certificate that is being used for the session. Typically, you can right click on the web page, choose “Properties” and click the Certificate button.

    3.   Note the pool member address and port in the body of the web page (172.16.20.x:443).

    Generate a certificate

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Either select SSL Certificates and click Create or hover your mouse over SSL Certificates and then click the + sign on the flyout menu.

    3.  In the General Properties section, enter the name TestCertificate.

    4.  In the Certificate Properties section, enter the following:

    Issuer Self

    Common Name www.test.com

    Division Training

    Organization F5 Networks

    Locality Seattle

    State or Province Washington

    Country US

    E-Mail Address Leave blank

    Lifetime 365

    5.  In the Key Properties, choose 1024 for the size.

    6.  Click Finished.

    7.  If you get an error saying the certificate already exists then change the name and continue.

    Create a Client SSL Profile:

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Either select Profiles / SSL, click Client and then click Create or use the flyout menus to expand Profiles / SSL / Client and click the + sign.

    3.  In the General Properties section, enter the name Pr_Client_SSL and accept clientssl as the parent profile.

    4.  From the Configuration section, check the custom button to the right of Certificate and Key, and choose TestCertificate or your new name from the drop-down list.

    5.  Click Finished.

    Creating the Virtual Server

    1. From the Navigation pane, expand the Local Traffic section.

    2.  Either select Virtual Servers and click Create or hover your mouse over Virtual Servers and then click the Create option on the flyout menu.

    3.  In the General Properties Section, enter the following:

    Name vs_ssl

    Destination 10.10.1.102

    Service Port 443 (or HTTPS)

    State Enabled

    4.  In the Configuration section, accept all defaults except the SSL Profile (Client) option, and choose the Pr_Client_SSL profile you’ve just created.

    5.  In the Resources section, select http_pool as the Default Pool.

    6.  Click Finished.

    Behavior after configuration

    1.  Open a Web browser.

    2.  Go to https://10.10.1.102. When prompted, accept the SSL certificate.

    NOTE: The browser session is encrypted on the client side, but not on the server side.

    3.   Note the Pool Member address:port in the body of the web page (172.16.20.Y:80).

    Unless otherwise configured, the traffic is encrypted from client to the BIG-IP LTM System, but unencrypted between the BIG-IP system and the pool members.

    Module 8 Labs – NATs and SNATs

    Lab Objectives:

    You will configure a NAT to pass traffic between an external device and a specific internal node. Either device can initiate this connection.

    Lab Requirements:

      One or more servers on the internal side of the BIG-IP system

      An available IP address to use for the NAT

    Restoring a Configuration from previous Lab

    1.  After connecting to F5 Training Lab, open a browser to https://192.168.1.245.

    2.  When prompted, login as admin with a password of admin.

    3.  If you have an existing lab environment, skip to step 10 below.

    4.  If starting with a new lab environment, on the Welcome / Setup Utility screen click Next.

    5.  On both the License and Resource Provisioning screens click Next. 

    6.  On the Setup Utility / Platform screen enter a Host Name of bigip1.f5trn.com and change the High Availability setting to Redundant Pair.

    7.  Enter a Root Account password of default twice and an Admin Account password of admin twice and then click Next.

    8.  You will be prompted to login again because of changing the Admin password. 

    9.  After logging in, click the Finished button under Advanced Network Configuration. 

    10. From the Navigation pane, expand the System section, then select Archives.

    11. Click the Module8_Lab_begin.ucs archive and then click the Restore button. An Ok button appears to acknowledge the restore has started. It will take a minute, but watch this screen and you should see messages that your restore completed successfully. You might receive one error message but that is ok and is due to the F5 Training Lab environment only.

    12. Because of the state of BIG-IP, we need to reboot so that our Licensing and Provisioning takes effect. Select System / Configuration and click the Reboot box under Operations.

    13. Your configuration should be as if you had just finished all Module 7 labs. Please verify this is the case. Your configuration should be licensed and include three Pools named ssl_pool, http_pool and https_pool and three Virtual Servers named vs_ssl, vs_http and vs_https. The Pools and Pool Members should have various Monitors assigned but no Pool Members should be marked Offline (red) or Disabled (black). The vs_https Virtual Server should have a Source Address Persistence Profile assigned on the Resources tab.

    Configuring a NAT Lab

    The Network Address Translation screen displays the NAT address and the associated node address for each NAT.

    Configure a NAT

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Either select SNATs, the NAT List tab, and Create, or use the flyout menus to expand SNATs / NATs and click the + sign.

    3.  In the General Properties section, enter the following:

    NAT Address 10.10.1.200

    Origin Address 172.16.20.2

    State Enabled

    4.  In the Configuration section leave everything at defaults:

     ARP Enabled

    VLAN Traffic All VLANs

    5.  Click Finished.

    Testing the NAT - Inbound

    1.  Open a browser session to http://10.10.1.200. 

    2.   Note the content of the Web screen.

    3.  Using Putty, open an SSH session to 10.10.1.200 port 22.

    4.  Login with a user ID of student and password of student.

    5.  Note that you can connect to multiple services through the NAT and that the connection always connects to 172.16.20.2.

    NOTE: While the configured NAT would provide outbound connections as well, the routing tables on the server do not allow it in the classroom environment.

    Delete the NAT

    1.  From the Navigation pane, expand the Local Traffic section.

    2.  Select SNATs and then the NAT List tab.

    3.  Check the box next to the NAT you just created, 10.10.1.200, and then click the Delete button.

    4.  Click Delete to confirm the deletion.

    SNAT Labs

    Lab Requirements:

      Access to a BIG-IP LTM System

      An available IP address to use for the SNAT

    Testing Behavior without the SNAT

    1.  Open a browser session to both http://10.10.1.100 and https://10.10.1.100.

    2.  Verify your IP address at the Web server by clicking the link that says Show Source IP Address. You should see your PC's unchanged address: 10.10.1.30.

    3.  The Servers reside at IP Addresses 172.16.20.1, 172.16.20.2 and 172.16.20.3. The reason they can return the response traffic to your PC at 10.10.1.30 through your BIG-IP is because they each contain the following Server Route:

    Destination Gateway

    10.10.1/24 172.16.1.33

    SNAT within Virtual Server Lab

    Configure the vs_https virtual server to use SNAT Automap

    1.  From the Navigation pane, select Local Traffic menu, Virtual Servers option, and select vs_https.

    2.  In the General Properties sect