LTM Fundamentals
Hands-On Exercise Guide

F5 vLab version: 11.4.0.7

Written for:
* TMOS® Architecture v11.4.0
* VMware Workstation 9.0.0
* Virtual images:
  o BIGIP-11.4.0.2384.0-scsi.ova
  o LAMP 3.2

Last Updated: 11/18/2013

©2013 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.

TABLE OF CONTENTS

Table of Contents
Introduction
Module 1 Exercises – Initial Installation
  Exercise 1.1 – VMware Workstation Configuration
  Exercise 1.2 – Initial BIG-IP Configuration
  Exercise 1.3 – User Access and System Preferences
Module 2 Exercises – Processing Traffic
  Exercise 2.1 – Create an HTTP Pool and Virtual Server
  Exercise 2.2 – Network Map
Module 3 Exercises – Virtual Servers
  Exercise 3.1 – Virtual Server Priority
  Exercise 3.2 – Forwarding and Reject Virtual Servers
Module 4 Exercises – Pools
  Exercise 4.1 – Install Required Software
  Exercise 4.2 – Create a Web Load Test
  Exercise 4.3 – Load Balancing Methods
  Exercise 4.4 – Priority Group Activation
Module 5 Exercises – Monitors
  Exercise 5.1 – Using Monitors with Nodes
  Exercise 5.2 – Using Monitors with Pools
  Exercise 5.3 – Using an Inband Monitor
  Exercise 5.4 – Using Manual Resume
Module 6 Exercises – Using Profiles
  Exercise 6.1 – Using an HTTP Profile
  Exercise 6.2 – Using a Stream Profile
Module 7 Exercises – Performance Profiles
  Exercise 7.1 – Using Compression and Acceleration
Module 8 Exercises – Persistence Profiles
  Exercise 1.8A – Using Source Address Persistence
  Exercise 1.8B – Using Cookie Persistence
  Exercise 1.8C – View Persistence with Disabled and Offline Pool Members
  Exercise 1.8D – Using Match Across Virtual Servers
Module 9 Exercises – SSL Termination
  Exercise 1.9A – Supporting SSL Traffic
  Exercise 1.9B – Enabling SSL Offload
Module 10 Exercises – NATs and SNATs
  Exercise 1.10A – Using a NAT
  Exercise 1.10B – Using SNATs
Module 10 Exercises – iRules
  Exercise 1.11A – Writing your First iRule
  Exercise 1.11B – Using iRule Events
  Exercise 1.11C – Using Variables
  Exercise 1.11D – Using TCL and iRules Commands
  Exercise 1.11E – Using Conditional Statements
  Exercise 1.11F – Working with Lists
  Exercise 1.11G – Using iRules Best Practices
Module 11 Exercises – iApps
  Exercise 1.12A – Working with iApp Application Services
  Exercise 1.12B – Working with iApp Templates

INTRODUCTION

Welcome to the F5 LTM Fundamentals Hands-on Exercise Guide. This guide provides hands-on experience with F5 BIG-IP® Local Traffic Manager™ (LTM). You can use these exercises and the virtual environment (vLab) – this includes VMware Workstation and BIG-IP® Virtual Edition (VE) – as a learning tool or to give customer demonstrations.

Note that this guide is written for the following product and vLab version:

* TMOS architecture v11.4.0
* VMware Workstation 9.0.0
* Virtual images:
  o BIGIP 11.4.0.2384.0-scsi-ova
  o LAMP 3.2
  o DoS_Tool 3.0

MODULE 1 EXERCISES – INITIAL INSTALLATION

EXERCISE 1.1 – VMWARE WORKSTATION CONFIGURATION

These steps guide you through requesting a VMware Workstation license from IT, installing and configuring the VMware Workstation environment, downloading and installing the VMware images used in the environment, and making some required manual changes to the LAMP back-end server images.

* Only perform this exercise if this is a first time setup of the vLab.
* Use a Windows environment with this setup guide.
* Estimated completion time: 15 minutes

TASK 1 – Request a VMware Workstation License and Install the Trial Version

* Access https://f5.service-now.com (login using your Olympus credentials).
* From the left navigation menu, select Service Catalog.
* Under Software Requests, select VMware.
* Select the Desktop license.
* In the Select License Type list box, select Workstation (WIN/Linux).
* In the Business Justification field, type F5 vLab, and then click Order Now.

You will receive your VMware Workstation license from IT. In the meantime you have 30 days to use the trial version of VMware Workstation.

* Access http://www.vmware.com/products/workstation/overview.html.
* Download and install the trial version of VMware Workstation 9.

NOTE: These exercises are tested for VMware Workstation version 9. There may be issues with other versions.

TASK 2 – Set Up the VMware Network Environment

You will configure three VMware networks. VMnet1 acts as the Out of Band Management network for accessing the BIG-IP Configuration Utility. VMnet2 acts as the external network for users accessing virtual servers. VMnet3 acts as the internal VLAN where the back-end Web servers are located.

* Launch VMware Workstation, and then select Edit > Virtual Network Editor.
* Remove any existing VMnets EXCEPT for VMnet0.
* Click the Add Network button, and add VMnet1, VMnet2 and VMnet3.
* Select VMnet1, and configure as follows:
  o Enable the Host-only (connect VMs internally in a private network) option.
  o Select the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.1.0.
  o In the Subnet mask field enter 255.255.255.0.

NOTE: You will use this network to manage the BIG-IP VE system. This configures your local workstation with a VMware network adapter IP address of 10.128.1.1.

* Select VMnet2 and configure as follows:
  o Enable the NAT (shared host’s IP address with VMs) option.
  o Select the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.10.0.
  o In the Subnet mask field enter 255.255.255.0.
  o Click the NAT Settings button.
  o In the Gateway IP field enter 10.128.10.2, and then click OK.

NOTE: These NAT settings enable the BIG-IP VE system to reach the Internet through your workstation’s network adapter. This configures your local workstation with a VMware network adapter IP address of 10.128.10.1.

* Select VMnet3, and configure as follows:
  o Enable the Host-only (connect VMs internally in a private network) option.
  o Clear the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.20.0.
  o In the Subnet mask field enter 255.255.255.0.

NOTE: Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to the internal network. This will avoid asymmetric routing issues and also enable you to demonstrate secure remote access and full proxy features.

* Click OK.

TASK 3 – Download the Virtual Images

Download the BIG-IP image file to your local workstation, and then download and unzip the VMware back-end server images.

* Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.
* Click BIG-IP v11.x / Virtual Edition, and ensure that 11.4.1 is selected in the product version list box.
* Click Virtual-Edition, and then accept the license agreement.
* Click BIGIP-11.4.1.608.0-scsi.ova.
* Click the best download link for your location.
* Save the file to a directory on your local workstation.

NOTE: Ensure the location of this directory has at least 6GB of free disk space.

* Access ftp://wafer.f5net.com/outgoing/F5_Virtual_Environment_Setup_VMware/.
* Download the following files:
  o Exercise_Files.zip
  o LAMP_3.2.7z
* Unzip each downloaded file in the local directory you created earlier in this task.

TASK 4 – Install the BIG-IP VE System VMware Image

Use VMware Workstation to open and install the BIG-IP VE image file.

* In VMware Workstation, go to File > Open.
* Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.4.1.608.0-scsi.ova image file, and then click Open.
* Name the new virtual machine BIGIP_A1_v11.4.
* Enter or browse to a location with at least 4GB of free disk space and click Import.
* Click the Accept button. It will take a few minutes for the image to import.
* After the import completes, select BIGIP_A1_v11.4 from the Library menu, and then click Edit virtual machine settings.
* Map the network adapters to the appropriate VMware networks using the following table:

  Network Adapter      Custom (VMnet1)
  Network Adapter 2    Custom (VMnet2)
  Network Adapter 3    Custom (VMnet3)
  Network Adapter 4    Bridged (Automatic)

* Click OK.

TASK 5 – Install the LAMP VMware Image

Use VMware Workstation to open and install the LAMP VMware server images.

* In VMware Workstation, go to File > Open.
* Select the LAMP_3.2.vmx image file, and then click Open.
* In the VMware Workstation dialog box, click Take Ownership.
* Select LAMP_3.2 from the Library menu, and then click Edit virtual machine settings.
* Map the network adapters to the appropriate VMware networks using the following table:

  Network Adapter      Connect at power on (yes)    Custom (VMnet1)
  Network Adapter 2    Connect at power on (no)     Custom (VMnet2)
  Network Adapter 3    Connect at power on (yes)    Custom (VMnet3)
  Network Adapter 4    Connect at power on (no)     Bridged

* Click OK.

TASK 6 – Edit the Settings of the LAMP Image

The LAMP image requires some manual network configuration changes.

* Select LAMP_3.2 from the Library menu, and then click Power on this virtual machine.
* Within the VMware Workstation window, leave Ubuntu selected and press the Enter key.
* After the image powers on, within the VMware Workstation window (and within the LAMP desktop) click Login.
* Click the Applications Menu icon on the top-left of the screen, and then select Settings Manager.
* In the Hardware section, click Network Connections.
* Select Wired connection 1, and then click Edit.
* From the Device MAC address list box, select the MAC address for eth0.
* Click Save, and then repeat these steps for the following:
  o Wired connection 2 --> eth1
  o Wired connection 3 --> eth2
  o Wired connection 4 --> eth3
* Delete Wired connection 5 – Wired connection 8.

NOTE: The wired connection entries will not be removed from the Network Connections list until you reboot the image.

* Close the Network Connections and Settings dialog boxes.
* In VMware Workstation, right-click LAMP_3.2 in the Library menu and select Power > Power Off.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > Take Snapshot.
* Name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.

EXERCISE 1.2 – INITIAL BIG-IP CONFIGURATION

In this exercise you will configure the BIG-IP management interface, you’ll use TMSH to create a VLAN and a self IP address, and you’ll request and install a BIG-IP VE license key.

* Your workstation needs Internet access to complete the licensing portion of this exercise.
* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 25 minutes

TASK 1 – Configure BIG-IP Management Interface Settings

Power on the BIG-IP VE image, configure the management interface settings, and then use TMSH to create the external VLAN, self IP address, and default gateway route.

* Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.

NOTE: You may experience issues when attempting to power on the BIG-IP virtual machine. If you receive an incompatibility message regarding 64-bit operation, complete Task 1.1.

* After the BIG-IP VE system powers on, you are presented with the localhost login screen.
* Log in to the BIG-IP system using the following credentials:

  localhost login: root
  Password: default

* At the CLI prompt, type:

  config

* Configure the management interface using the following information:

  IP Address       10.128.1.245
  Network Mask     255.255.255.0
  Default Route    10.128.1.1

TASK 1.1 – Configure your System BIOS and BIG-IP Management Interface Settings

Complete this task ONLY if you receive an incompatibility message regarding 64-bit operation.

* You may receive the following dialog box: This is an issue with the Intel virtualization. To resolve it, you must reconfigure your system BIOS.
* Access your system BIOS. To find the disabled virtualization features, perform the following, depending on the model of your devices:
  o Go to Configuration, and then enable Intel Virtual Technology.
  o Go to Security > Virtualization, and then enable Intel (R) Virtualization Technology and Intel (R) VT-d Feature.
* Press F10 to save and exit the system BIOS. The system reboots and you can proceed.
* Launch VMware Workstation.
* Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.
* After the BIG-IP VE system powers on, you are presented with the localhost login screen.
* Log in to the BIG-IP system using the following credentials:

  localhost login: root
  Password: default

* At the CLI prompt, type:

  config

* Configure the management interface using the following information:

  IP Address       10.128.1.245
  Network Mask     255.255.255.0
  Default Route    10.128.1.1

TASK 2 – Generate an Evaluation License Key

Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license.

* Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com
* Click Eval Key Generator, and log in using your Olympus credentials.

NOTE: Ensure you are not selecting Dev Key Generator.

* Leave the Generate Eval Base Keys option selected.
* From the Product Line list box, select BIG-IP.
* From the Product list box, select F5-BIG-VE-LAB-LIC.

NOTE: Ensure you are selecting the license above before moving on.

* Select the 45 Days option, and then click Next.
* On the License Configuration Options page change the Number of Product Keys to Generate to 10.
* Select the GTM, VE and the BIG-IP, LAB (LTM,APM,ASM,AM, GTM), VE checkboxes, and then click Next.
  The evaluation key is emailed to your F5.com address.
* Once the F5 Development Registration Key email is delivered to your inbox, open it and copy one of the registration keys.

TASK 3 – Access the BIG-IP VE System

Access the management port of the BIG-IP VE system using a Web browser.

* Open up a Web browser and access https://10.128.1.245.
* Proceed with the untrusted security certificate.
* Log in to the BIG-IP system using the following credentials:

  Username: admin
  Password: admin

  The BIG-IP VE system does not yet have a license.

TASK 4 – Activate the BIG-IP System

Use the manual licensing method with the registration key emailed to you to activate the BIG-IP VE system.

* On the Welcome page, click Next.
* On the License page, click Activate.
* In the Base Registration Key field, paste the registration key text.
* For Activation Method, select Manual.
* Click Next.
* Select and copy all of the dossier text to your clipboard.
* Click the F5 Licensing Server link.
* Paste the dossier text in the field, and then click Next.
* Accept the license agreement, and then click Next.
* Select and copy all of the license key text to your clipboard, and then close the Activate F5 Product Web page.
* On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next.
  The BIG-IP VE system configuration updates. This takes several seconds.
* After the configuration changes complete, log in to the BIG-IP VE system.

TASK 5 – Complete the Setup Utility

Complete the remaining steps of the Setup Utility.

* On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
* On the Device Certificate page click Next.
* On the Platform page, configure these settings using the following information:

  Host Name                                   bigipA1.f5demo.com
  Root Account (Password and Confirm)         default
  Admin Account (Password and Confirm)        admin

* Click Next.
* You are prompted to log out and log back in to the BIG-IP VE system. Click OK.
* Log back in to the BIG-IP VE system.
* Under Standard Network Configuration, click Next.
* Clear the Display configuration synchronization options checkbox.
* Click Next.
* In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information:

  Self IP Address     10.128.20.240
  Self IP Netmask     255.255.255.0
  Port Lockdown       Allow Default
  VLAN Interfaces     Untagged: 1.2

* Click Next.
* In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information:

  External VLAN       Create VLAN external
  Self IP Address     10.128.10.240
  Self IP Netmask     255.255.255.0
  Port Lockdown       Allow 443
  Default Gateway     10.128.10.2
  VLAN Interfaces     Untagged: 1.1

* Click Finished.
  You are presented with the BIG-IP Web Configuration Utility.
* To find manuals and product information, click the User Documentation link to go to AskF5.
  The AskF5 knowledge base Web site displays. You can use this site to view knowledge base articles and download product manuals.
* Close the Ask F5 Web page.
* Click the Run the Setup Utility link.
  You can run the Setup Utility at any time. However, you can also make changes manually using the Network option on the left navigation menu.

TASK 6 – Review Configuration Objects

Use the Configuration Utility to view the TMOS objects created with the Setup Utility.

* Open the Network > VLANs > VLANs List page.
  The Setup Utility created two VLANs: external and internal.
* Open the Network > Self IPs page.
  The Setup Utility created two self IP addresses:

  Self IP Address     VLAN
  10.128.10.240       external
  10.128.20.240       internal

* Open the Network > Routes page.
  The Setup Utility created the following route:

  Name                        Resource
  external_default_gateway    10.128.10.2

TASK 7 – Explore Command Line Access (CLI) and tmsh

Access the BIG-IP system and view configuration details using an SSH client (such as PuTTY).

* Use an SSH client (such as PuTTY) to connect to the external self IP address 10.128.10.240.
  You are unable to open the BIG-IP system because the Port Lockdown option of the external self IP address is set to allow access for TCP port 443 only.
* In the Configuration Utility, open the Network > Self IPs page.
* Click 10.128.10.240.
* Add TCP port 22 to the Custom List.
* Click Update.
* Use the SSH client again to connect to 10.128.10.240.
* In the PuTTY Security Alert dialog box, click Yes.
* Log in to the BIG-IP CLI using the following credentials:

  Username: root
  Password: default

* At the CLI, type:

  tmsh list net se (and then press the Tab key)

  Question: Did autocorrect display options? _____________________

* At the CLI, complete the following:

  tmsh list net self

  Question: What information is listed? ________________________________

* At the CLI, type:

  tmsh

* At the tmos prompt, type:

  list net vl (and then press the Tab key)

  Questions:
  Did autocorrect display options? _______________________
  Which options are available? _______________________________________
  Why did the tmos prompt replace “list net vl” with “list net vlan”? _______________________________________________________________________

* Press the Enter key.

  Question: What information is listed? ________________________________

* At the tmos prompt, navigate to another location by typing the following:

  ltm node

* At the tmos prompt, type:

  ?

  TMOS displays the commands you can use at this point.
* At the tmos prompt, type:

  q (NOTE: This will exit the list of commands presented by the “?”)
  create ?

  TMOS displays available commands and required objects. The create command requires a name to identify the node.
* At the tmos prompt, type:

  create test_node?

  The create command followed by a name requires a text name or an IP address.
* At the tmos prompt, type:

  create test_node address ?

  You must include an IP address.
* At the tmos prompt, type:

  create test_node address 10.20.30.40
  list

* In the Configuration Utility, open the Local Traffic > Nodes > Node List page.
  You created a node on the BIG-IP VE system.
* In the SSH client, at the tmos prompt, type:

  delete test (and then press the Tab key)

  There is only one possible option, so autocorrect completes the next word.
* Press the Enter key to complete the delete command.
* In the Configuration Utility, refresh the Node List page.
  You’ve removed the node from the BIG-IP VE system.
* In the SSH client, at the tmos prompt, type:

  / (this brings you back to the root TMOS level)
  quit

* At the CLI, type:

  exit

EXERCISE 1.3 – USER ACCESS AND SYSTEM PREFERENCES

In this exercise you will verify the default capabilities of the built-in admin and root user accounts. You’ll then create a new BIG-IP user account and experiment with two user roles. Finally, you’ll examine the log files and create an archive file.

* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 15 minutes

TASK 1 – Verifying User Access

Attempt to log in using the SSH client and the admin user account.

* Open a new SSH session and connect to 10.128.10.240.
* Attempt to log in using the following credentials:

  Username: admin
  Password: admin

  By default, you cannot open an SSH session using the admin account.
* In the Configuration Utility, open the System > Users > User List page.
* Click admin.
* From the Terminal Access list box, select Advanced shell.
* Click Update.
* Use the SSH client again to connect to 10.128.10.240, and then log in using the admin account.
* Close the SSH session.
* In the Configuration Utility, attempt to log back in to the BIG-IP VE system using the following credentials:

  Username: root
  Password: default

  You cannot log in to the Configuration Utility using the root account. You can only use the root account for CLI access.

TASK 2 – Create a New BIG-IP User Account

Use the Configuration Utility to create a new BIG-IP VE system user account for yourself and experiment with the different user roles.

* Log in to the BIG-IP system using the admin account.
* Open the System > Users > User List page.
* Create a new user account using the following information, and then click Finished.

  User Name           your first name
  Password            your last name (all lowercase)
  Role                Operator
  Partition Access    All
  Terminal Access     tmsh

* Use the SSH client to access 10.128.10.240, and then log in using your new user account.

  Question: Are you at the CLI prompt or the tmos prompt? _________________________

* At the tmos prompt, type:

  ltm node
  create test_node address 10.20.30.40

  You receive a syntax error: incomplete command.
* At the tmos prompt, type:

  create ?

  Your user account does not have privileges to create nodes.
* At the tmos prompt, type:

  quit

  Because you only have TMSH access, quitting TMSH ends the SSH session.
* In the Configuration Utility, click Log out.
* Log back into the Configuration Utility using your new user account.
* Open the Local Traffic > Pools > Pool List page.

  Question: Why are the Create and Delete buttons greyed out? ________________________________

* Open the System > Users > User List page.
* Click your user account and attempt to change the user role to Resource Administrator.

  Question: Were you successful? _______________________

* Log out, and then log back in using the admin account.
* Open the System > Users > User List page.
* Click your new user account and attempt to change the user role to Resource Administrator.

  Question: Were you successful? _______________________

* Change the user’s Terminal Access to Advanced shell.
* Click Update.
* Log out, and then log in using your new user account with the WRONG password. (NOTE: You will view this failed login attempt in the LTM audit log.)
* Log in using your new user account with the correct password.
* Open the Local Traffic > Pools > Pool List page.
  You now have privileges to create and delete pools.

TASK 3 – View Logging Information

View recent security logging activity using an SCP client (such as WinSCP).

* Use an SCP client (such as WinSCP) to access 10.128.10.240 with your new user account and password.
* On the right side, navigate to the / level.
* Navigate to the /var/log directory.
* Open the secure log file and then scroll to the bottom.
* Locate the log entry for the failed login attempt by your user account.
* Close the secure log file and the SCP client.
* In the Configuration Utility, open the System > Logs > Audit > List page.
* Type fail in the search field, and then click Search.
* Locate the log entry for the failed login attempt by your user account.

TASK 4 – Update System Preferences

Update the BIG-IP VE system preferences with custom settings.

* Open the System > Preferences page.
* From the System Settings list, select Advanced.
* Change the Records Per Screen value to 20.
* From the Start Screen list box, select Statistics.
* Select the Redirect HTTP to HTTPS checkbox.
* Update the Idle Time Before Automatic Logout value to 100000.
* Update the Security Banner Text to Show on the Login Screen to:

  Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.

* Click Update.
* Click Log out.
* Change the URL to http://10.128.1.245.
  You are redirected to the HTTPS site, and the Login page now displays the custom message.
* Log in using your new user account.
  The startup page is now the Statistics page.

TASK 5 – Create an Archive File

Use the command line to create an archive file.

* Use the SSH client to connect to 10.128.10.240, and then log in using your new user account.
* At the CLI, type:

  tmsh

* At the TMOS prompt, type:

  sys ucs
  ?

* Use the Enter key to scroll through the available commands.
* At the tmos prompt, type:

  q
  save ?
  1.3_initial_setup_v11.4.1.1.ucs ?

  You can create a passphrase when needed.
* Press Enter to create the archive file.
* Quit TMSH, and then exit the SSH client.
* In the Configuration Utility open the System > Archives page.
  You created a new archive file on the BIG-IP VE system.

MODULE 2 EXERCISES – PROCESSING TRAFFIC

EXERCISE 2.1 – CREATE AN HTTP POOL AND VIRTUAL SERVER

In this exercise you will configure a pool for HTTP Web servers, a virtual server that uses the HTTP pool, and then verify its functionality. You’ll then update the SNAT settings for the virtual server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Pool

Create a pool containing three HTTP pool members.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Open a Web browser and access https://10.128.1.245.
* Log in with the new user account you created in Exercise 1.3.
* Open the Local Traffic > Pools > Pool List page, and then click Create.
* Create a pool using the following information:

  Name                         http_pool
  Load Balancing Method        Round Robin
  Priority Group Activation    Disabled
  New Members (Click Add for each entry):

    Address         Service Port
    10.128.20.11    80
    10.128.20.12    80
    10.128.20.13    80

* Click Finished.
* Open the Local Traffic > Nodes > Node List page.
  The BIG-IP VE system automatically creates a node for each pool member.

TASK 2 – Create a Virtual Server that Uses the Pool

Create an HTTP virtual server that uses the HTTP pool you created previously.

* Open the Local Traffic > Virtual Servers > Virtual Server List page, and then click Create.
* Create a virtual server using the following information:

  Name            http_vs
  Type            Standard
  Destination     Host: 10.128.10.20
  Service Port    80 (HTTP)
  State           Enabled
  Default Pool    http_pool

* Click Finished.

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the virtual server and ensure that you’re receiving information from all three pool members.

* Use a new Web browser and access the virtual server at http://10.128.10.20.
  You should see page elements coming from all three of the pool members.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.

  Question: How many connections were opened to create the Web page? ___________

* In the F5 vLab Test Web page, type Ctrl+F5 once, to force the browser to refresh without using its cache.
* In the Configuration Utility, from the Statistics Type list box, select Pools.

  Questions:
  Did traffic go to each pool member? _____________
  Did each member manage approximately the same number of connections? __________

TASK 4 – Modify the Virtual Server SNAT Setting

Identify the effects of adding SNAT Automap to the virtual server.

* In the F5 vLab Test Web page, review the Request Details and examine the Client IP address/port.

  Questions:
  What is the client IP address? ________________________
  Which device “owns” this IP address? ___________________________

* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Click http_vs.
* From the Source Address Translation list box, select Auto Map, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.

  Questions:
  What is the client IP address? ________________________
  Which device “owns” this IP address? ___________________________

* Close the F5 vLab Test Web page.
* In the Configuration Utility, change the Source Address Translation back to None, and then click Update.

EXERCISE 2.2 – NETWORK MAP

In this exercise you will use the Network Map feature to examine availability information on virtual servers, pools, pool members, and nodes.

* Estimated completion time: 10 minutes

TASK 1 – View Configuration and Status from the Network Map

* In the Configuration Utility, open the Local Traffic > Network Map page.
* Use the mouse to hover over the virtual server and pool objects and notice the information displayed for each object.
* Hover over the pool member objects and notice the information displayed.
* Click the 10.128.20.11:80 pool member.
  The pool member properties page displays.
* In the Parent Node row, click 10.128.20.11.
  The node properties page displays.
* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* Open the Members page.
* Select the checkbox for 10.128.20.11:80, and then click Disable.
* Return to the Network Map page.
* In the Search box, type 20.12, and then click Update Map.
  All objects that match the search criteria are highlighted.
* Click the 10.128.20.11:80 pool member.
* In the State row, select the Enabled option to re-enable this pool member, and then click Update.

TASK 2 – Reset Statistics

Reset the statistics for the virtual server, the pool, and all of the pool members.

* Open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
* Select the http_vs checkbox, and then click Reset.
* From the Statistics Type list box, select Pools.
* Use the Select All checkbox to select the http_pool and all three members, and then click Reset.

TASK 3 – View the Local Traffic Log File

Use the Local Traffic log file to identify pool member availability.

* Open the System > Logs > Local Traffic page.
* Click the Timestamp column header to sort in descending order. (The most recent entry should be at the top of the list.)
* In the Search box type disabled, and then click Search.
  You can quickly identify when a pool member or node has been disabled.

TASK 4 – Saving the Configuration

Use the Configuration Utility to create an archive file.

* Open the System > Archives page, and then click Create.
* Create an archive using the following information, and then click Finished.

  File Name       2.2_processing_traffic_v11.4.1.1
  Encryption      Disabled
  Private Keys    Include

MODULE 3 EXERCISES – VIRTUAL SERVERS

EXERCISE 3.1 – VIRTUAL SERVER PRIORITY

In this exercise you will configure a pool and a virtual server that listen on all ports, and then test application access using the virtual server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Wildcard Pool

Create a pool containing three pool members listening on all ports.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Pools > Pool List page.
* Create a new pool using the following information, and then click Finished.

  Name                         open_pool
  Load Balancing Method        Round Robin
  Priority Group Activation    Disabled
  New Members (Click Add for each entry):

    Address         Service Port
    10.128.20.11    * All Services
    10.128.20.12    * All Services
    10.128.20.13    * All Services

* Open the Local Traffic > Nodes > Node List page.

  Questions:
  Did BIG-IP LTM create new nodes for this pool? _________________
  If no, why not? ____________________________________________________________

TASK 2 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports that references the pool you created in the previous task.

* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name            open_vs
    Type            Standard
    Destination     Host: 10.128.10.20
    Service Port    * All Ports
    Default Pool    open_pool

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the wildcard virtual server and ensure that you’re receiving information from all three pool members.

* Open the Statistics > Module Statistics > Local Traffic page, and then select to view Virtual Server statistics.
* Verify that the statistics for all virtual servers are reset.
* Use a new Web browser and access the virtual server at http://10.128.10.20.
* In the Configuration Utility, on the Virtual Servers statistics page, click Refresh.

Question: Which virtual server processed this request? _________________________

* Reset the virtual server statistics.
* Use an SSH client to access 10.128.10.20.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close PuTTY.
* In the Configuration Utility, refresh the Virtual Servers statistics.

Question: Which virtual server processed this request? _________________________

* Reset the virtual server statistics.
* Use a new Web browser to access the secure virtual server at https://10.128.10.20.
* In the Configuration Utility, refresh the Virtual Servers statistics.

Question: Which virtual server processed this request? _________________________

The HTTP request was directed to http_vs, as this virtual server is more specific than open_vs. The SSH and HTTPS requests were directed to open_vs.

* Delete both the open_vs and the open_pool objects.

EXERCISE 3.2 – FORWARDING AND REJECT VIRTUAL SERVERS

In this exercise you will configure and test a forwarding network virtual server. You’ll then configure and test a reject virtual server for SSH access. Lastly, you’ll create a forwarding host virtual server for SSH access to a single server.
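The listener selection observed in Exercise 3.1, and the forwarding, reject and host listeners that the tasks of this exercise create, can be modelled in a few lines. This is an added example, not F5 code: the Listener class and its ranking (longest destination prefix, then a fixed port over the wildcard) are a simplified assumption that ignores source-address matching and disabled listeners.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ANY_PORT = 0  # stands for "* All Ports"


@dataclass(frozen=True)
class Listener:
    """Hypothetical stand-in for a virtual server's destination and type."""
    name: str
    kind: str          # "standard", "forward" or "reject"
    destination: str   # host (/32) or network, in CIDR notation
    port: int = ANY_PORT

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination)
        return in_net and self.port in (ANY_PORT, dst_port)

    def specificity(self) -> Tuple[int, bool]:
        # Longest destination prefix first, then a fixed port over the wildcard.
        return ipaddress.ip_network(self.destination).prefixlen, self.port != ANY_PORT


def select_listener(listeners: Iterable[Listener], dst_ip: str,
                    dst_port: int) -> Optional[Listener]:
    """Return the most specific listener that matches, or None if nothing listens."""
    candidates = [l for l in listeners if l.matches(dst_ip, dst_port)]
    return max(candidates, key=Listener.specificity, default=None)


def verdict(listeners: Iterable[Listener], dst_ip: str, dst_port: int) -> str:
    chosen = select_listener(listeners, dst_ip, dst_port)
    return "no listener" if chosen is None else f"{chosen.name}:{chosen.kind}"


def reachable(listeners: List[Listener], hosts: List[str],
              ports: List[int]) -> List[Tuple[str, int]]:
    """(host, port) pairs that a non-reject listener passes: the exposure to
    review after a wildcard forwarding listener has been added."""
    out = []
    for host in hosts:
        for port in ports:
            chosen = select_listener(listeners, host, port)
            if chosen is not None and chosen.kind != "reject":
                out.append((host, port))
    return out


# Exercise 3.1: both listeners share the host address, only the port differs.
EX_3_1 = [
    Listener("http_vs", "standard", "10.128.10.20/32", 80),
    Listener("open_vs", "standard", "10.128.10.20/32"),
]

# Exercise 3.2: mask 255.255.255.0 is written as /24.
FORWARD_VS = Listener("forward_vs", "forward", "10.128.20.0/24")
REJECT_VS = Listener("reject_vs", "reject", "10.128.20.0/24", 22)
SSH_VS = Listener("ssh_vs", "forward", "10.128.20.11/32", 22)

if __name__ == "__main__":
    for port in (80, 22, 443):
        print("10.128.10.20", port, "->", verdict(EX_3_1, "10.128.10.20", port))
    final = [FORWARD_VS, REJECT_VS, SSH_VS]
    for host in ("10.128.20.11", "10.128.20.12"):
        for port in (22, 80):
            print(host, port, "->", verdict(final, host, port))
```

Running `reachable` over the server addresses after each task shows how much of the 10.128.20.0 network a single wildcard forwarding listener opens, and how the reject and host listeners narrow it again.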
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Disable the Current Virtual Server

Disable the current HTTP virtual server, and add a route from your workstation to the 10.128.20.0 network.

* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Select the http_vs checkbox, and then click Disable.
  NOTE: You must disable this virtual server in order to use those you’ll create later in this exercise.
* Use a Web browser to attempt to access a Web server directly at http://10.128.20.13. The request fails, as you do not have direct access to the 10.128.20.0 network.
* On your workstation, open a command prompt.
  NOTE: You may need to run the command prompt as a local administrator. If so, go to the Start menu and type cmd, then right-click cmd.exe and select Run as administrator.
* At the command prompt, type:

    route add 10.128.20.0 mask 255.255.255.0 10.128.10.240

  This adds a route to the 10.128.20.0 network through the external self IP address of the BIG-IP VE system.
  NOTE: You cannot run the route add command while connected to an F5 VPN.
* Leave the command prompt window open.
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13. The request fails again, as the BIG-IP VE system does not have a listener to forward this request to the internal network.

TASK 2 – Create a Forwarding (IP) Virtual Server

Create a forwarding (IP) virtual server for the 10.128.20.0 network.

* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.

    Name            forward_vs
    Type            Forwarding (IP)
    Destination     Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port    * All Ports
    Protocol        * All Protocols

* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13. The request is successful.
  Note in the Request Details section, the virtual server address is the same as the pool member address. The virtual server did not process the packet, but simply forwarded it to the internal network.
* Change the URL to https://10.128.20.12.
* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close the SSH session and the F5 vLab Test Web page.

You now have access to all ports and all protocols on the 10.128.20.0 network.

TASK 3 – Create a Reject Virtual Server

Create a reject virtual server to reject SSH traffic going to the 10.128.20.0 network.

* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.

    Name            reject_vs
    Type            Reject
    Destination     Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port    22 (SSH)

* Use an SSH client to connect to 10.128.20.11.
* When your request times out, close the SSH session.
* Use a Web browser to access http://10.128.20.11. Although you still have HTTP access to 10.128.20.11, you no longer have SSH access to any hosts on the 10.128.20.0 network.
* Close the F5 vLab Test Web page.

TASK 4 – Create a Forwarding Host Virtual Server

Create another forwarding (IP) virtual server, enabling SSH traffic to 10.128.20.11 only.

* In the Configuration Utility, on the Virtual Server List page, create a virtual server using the following information, and then click Finished.

    Name            ssh_vs
    Type            Forwarding (IP)
    Destination     Host: 10.128.20.11
    Service Port    22 (SSH)

* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Open a new SSH session and connect to 10.128.20.12.
* When your request times out, close the SSH session.

You now have access to all ports and protocols on the 10.128.20.0 network except for port 22. You only have access to port 22 on host 10.128.20.11.
* In the Configuration Utility, delete forward_vs, reject_vs, and ssh_vs.
* Re-enable http_vs.
* In the command prompt window, type:

    route DELETE 10.128.20.0

* Close the command prompt.

TASK 5 – Saving the Configuration

Use the Configuration Utility to create an archive file.

* Open the System > Archives page.
* Create an archive using the following information, and then click Finished.

    File Name       3.2_virtual_servers_v11.4.1.1
    Encryption      Disabled
    Private Keys    Include

MODULE 4 EXERCISES – POOLS

EXERCISE 4.1 – INSTALL REQUIRED SOFTWARE

You will need to install and configure JMeter in order to use this exercise guide.

* Do not perform exercise 4.1 if you already have JMeter installed.
* Estimated completion time: 10 minutes

TASK 1 – Download and Install JMeter

Download and install JMeter.

* Use a Web browser to access http://jmeter.apache.org/download_jmeter.cgi.
* From the Binaries section, download either the TGZ or ZIP file of the latest version of Apache JMeter.
* Extract the downloaded file on your workstation. You will use the bin/jmeter.bat program to create a Web server load simulation.

TASK 2 – Configure a Path Value for Java.exe

In order to use JMeter, your workstation must have a path variable value for accessing java.exe.

* On your workstation open C:\Program Files.
* Open the Java folder. If there is no folder named Java, look in the Program Files (x86) folder.
* Open jre7, and then open bin. Verify that this folder contains the java.exe executable file.
* Right-click in the address bar and select Copy address.
* Open the Start menu, and then type environment in the search bar.
* Click Edit environment variables for your account.
* In the Environment Variables dialog box, in the User variables for section, do one of the following:
  o If there is an existing path variable:
      * Select path, and then click Edit.
      * At the end of the existing Variable value, add a semicolon, and then paste the address text.
  o If there is not an existing path variable:
      * Click New.
      * Name the new variable path.
      * In the Variable value field, paste the address text.
* Click OK twice.

EXERCISE 4.2 – CREATE A WEB LOAD TEST

Use JMeter to record a visit to your virtual server, and then create a load configuration to simulate 50 users accessing the recording.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Use JMeter to Record a Visit to the Web Site

Use JMeter to record a series of requests to the http_vs virtual server.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* In the location where you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
  NOTE: If you do not have JMeter installed, return and complete Exercise 4.1.
* In the navigation panel, right-click Test Plan, and then select Add > Threads (Users) > Thread Group.
* Change the name to 10.128.10.20 Test.
* In the Number of Threads (Users) field, enter 100.
* In the Loop Count field, enter 3.
* Go to File > Save, and save the file as 10.128.10.20_Test.jmx. This will simulate 100 users accessing the BIG-IP VE system and visiting each page three times.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Config Element > HTTP Request Defaults.
  o In the Server Name or IP field, enter 10.128.10.20.
  o In the Port Number field, enter 80.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Home Page.
  o In the Path field, enter /
  o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Welcome Page.
  o In the Path field, enter /welcome.php
  o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Listener > Summary Report.
* Click the Save button.

TASK 2 – Use JMeter to Simulate Multiple Visits to the Web Site

Use JMeter to play the recording to the downstream Web site.

* In JMeter, select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.

TASK 3 – Verify Virtual Server and Pool Statistics

View the virtual server and pool statistics, and then reset all statistics.

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select to view the Pools statistics.

Question: Were the connections distributed evenly between the three pool members? ________

* Reset the statistics for the pool and all pool members.

EXERCISE 4.3 – LOAD BALANCING METHODS

In this exercise you will change the load balancing method to Ratio and view the resulting behavior.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Configure Ratio Member Load Balancing

Update the http_pool by changing the load balancing method to Ratio (member), and then assign ratio values to the different pool members.

* Open the Local Traffic > Pools > Pool List page.
* Click http_pool.
* Open the Members page.
* In the Load Balancing section, from the Load Balancing Method list box, select Ratio (member).
* Click Update.
* In the Current Members section, click 10.128.20.11:80.
* Within the Configuration section, set the Ratio value to 4.
* Click Update, and then return to the Members page.
* Update the remaining pool members with the following information:

    Member             Ratio
    10.128.20.12:80    2
    10.128.20.13:80    1

* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.
* In the Configuration Utility, view the Pools statistics.

Questions: Were the connections distributed evenly?
_____________
Were the connections distributed using a 4 – 2 – 1 ratio? _____________

* Reset the statistics for the pool and all pool members.

TASK 2 – Configure Weighted Least Connections Load Balancing

Update the http_pool by assigning connection limit values to the different pool members and then changing the load balancing method to Weighted Least Connections (member).

* Click to edit the http_pool object, and then open the Members page.
* Update the pool members with the following information:

    Member             Connection Limit
    10.128.20.11:80    1200
    10.128.20.12:80    250
    10.128.20.13:80    50

  NOTE: Ensure that all three pool members have Connection Limit values before proceeding.
* Change the Load Balancing Method to Weighted Least Connections (member), and then click Update.
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.
* Close JMeter.
* In the Configuration Utility, view the Pools statistics.

Question: Were the pool members utilized properly based on the configured connection limits? _________

* Reset the statistics for the pool and all pool members.

EXERCISE 4.4 – PRIORITY GROUP ACTIVATION

In this exercise you will enable priority group activation, and then add two additional pool members to the HTTP pool. You’ll then examine how the BIG-IP system utilizes the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Enable Priority Group Activation

Update the http_pool by enabling priority group activation, and then assign priority values to the different pool members. Add two additional members to the pool.

* Click to edit the http_pool object, and then open the Members page.
* In the Priority Group Activation list box, select Less than.
* In the Available Member(s) field, enter 2, and then click Update.
* Update the pool members with the following information:

    Member             Priority Group
    10.128.20.11:80    8
    10.128.20.12:80    8
    10.128.20.13:80    4

* Add new pool members using the following information:

    Address         Service Port    Ratio    Priority Group    Connection Limit
    10.128.20.14    80              1        4                 10
    10.128.20.15    80              1        3                 10

* Use a Web browser to access http://10.128.10.20.
* Use Ctrl+F5 several times to refresh the page.

Question: Which members are supplying content for the request? _____________________________

* In the Configuration Utility, disable pool member 10.128.20.11:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

Question: Which members are supplying content for the request? _____________________________
With priority group activation set to 2 members, why are there now three members supplying content? ___________________________________________________________________________

* In the Configuration Utility, disable pool member 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

Question: Which members are supplying content for the request? _____________________________

* In the Configuration Utility, disable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. Using priority group activation, we can always be assured that we have at least two pool members available to fulfill user requests.
* In the Configuration Utility, re-enable pool members 10.128.20.11:80 and 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. For the first couple of refreshes, content should still come from node #5 (10.128.20.15:80), because the connections had yet to close. Eventually you will notice requests come only from 10.128.20.11, 10.128.20.13, and 10.128.20.14.
* In the Configuration Utility, re-enable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  After refreshing a couple of times, all requests now come from 10.128.20.11 and 10.128.20.12 only.
* Close the F5 vLab Test Web page.
* Update the http_pool by changing the Priority Group Activation value back to Disabled, and then click Update.
* Create an archive file named 4.4_pools_load_balancing_v11.4.1.1.

MODULE 5 EXERCISES – MONITORS

EXERCISE 5.1 – USING MONITORS WITH NODES

In this exercise you will assign the default monitor to be used for all nodes, assign a node-specific monitor, and disassociate the default monitor from a node.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Verify the Snapshot for the LAMP Image

In these exercises you will make modifications to the LAMP VMware image. Ensure that you have a snapshot before moving on.

* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 and select Snapshot.
* If you do not have a snapshot named LAMP_3.2_Clean, select Take Snapshot, name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.
* Power on the BIGIP_A1_v11.4 and LAMP_3.2 images.

TASK 2 – Assign a Default Monitor for all Nodes

Assign the BIG-IP system default icmp monitor as the default monitor for all nodes.

* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Nodes > Node List page.
* Examine the Status of the listed nodes.
* Open the Default Monitor page.
* Select icmp from the Available list, then click <<, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

TASK 3 – Create a Custom ICMP Monitor

Create a custom ICMP monitor that will be used with only one node.

* Open the Local Traffic > Monitors page, and then click Create.
* Create a new monitor using the following information, and then click Finished.
    Name              custom_icmp_monitor
    Type              ICMP
    Parent Monitor    icmp
    Interval          4
    Timeout           13
    Transparent       No

TASK 4 – Assign the Custom Monitor to a Specific Node

Assign the custom icmp monitor to 10.128.20.12.

* Open the Local Traffic > Nodes > Node List page, and then click 10.128.20.12.
* Assign the monitor to the node using the following information:

    Health Monitors             Node Specific
    Select Monitors: Active     custom_icmp_monitor
    Availability Requirement    All

* Click Update.

TASK 5 – Assign No Monitors to a Specific Node

Assign no monitors to 10.128.20.13.

* On the Node List page, click 10.128.20.13.
* From the Health Monitors list box, select None, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

The BIG-IP system default icmp monitor has been assigned to the Node Default monitor and these nodes are using that monitor:

* 10.128.20.11
* 10.128.20.14
* 10.128.20.15

The custom_icmp_monitor is assigned to node 10.128.20.12. There is no monitor assigned to node 10.128.20.13. This is not a recommended configuration. This setup only demonstrates three methods of assigning monitors to nodes.

EXERCISE 5.2 – USING MONITORS WITH POOLS

In this exercise you will create a custom HTTP monitor and assign the monitor to the HTTP pool. You will then view the effects of using monitors on the virtual server, pool, pool members, and nodes.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Check Current Pool Member Status

Use the Pool List page to examine the current status of the members of the HTTP pool.

* Open the Local Traffic > Pools > Pool List page.
* Click http_pool, and then open the Members page.
* Examine the Status of the listed members.

Question: Will BIG-IP LTM distribute traffic to pool members that are unknown?
_____________

TASK 2 – Create a Custom HTTP Monitor

Create a custom HTTP monitor that requests a specific Web page from the pool member and that verifies a specific text string is returned in the HTTP response.

* Open the Local Traffic > Monitors page, and then click Create.
* Create a monitor using the following information, and then click Finished.

    Name              custom_http_monitor
    Type              HTTP
    Interval          4
    Timeout           13
    Send String       GET /HealthCheck.html\r\n
    Receive String    SERVER_UP

TASK 3 – Assign the Custom Monitor to the Pool

Assign custom_http_monitor to http_pool.

* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* For Health Monitors, select custom_http_monitor, click <<, and then click Update.

TASK 4 – View the Network Map

View the status of virtual server, pool, pool members, and nodes using Network Map.

* Open the Local Traffic > Network Map page.
* Use the mouse to hover over the different pool members.

Question: Why is the status of node 10.128.20.13 different from the other nodes? ___________________________________________________________________

TASK 5 – View the Effects of Using Monitors

Make changes to the Web site on the LAMP image, and then view how the changes affect the Network Map.

* Use an SSH client to connect to the LAMP_3.2 image at 10.128.1.252.
* Log in using the following credentials:

    Username: root
    Password: default

* Access and view the Web server components on 10.128.20.11:80 by typing:

    cd /var/www/server/1
    ls

  The HealthCheck.html Web page currently exists on pool member 10.128.20.11:80.
* To rename this Web page, type:

    mv HealthCheck.html NewHealthCheck.html

  This removes the HealthCheck.html Web page from pool member 10.128.20.11:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member. The virtual server and pool display available. Pool member 10.128.20.11:80 displays offline. These pool members display available:

* 10.128.20.12:80
* 10.128.20.13:80
* 10.128.20.14:80
* 10.128.20.15:80

All the nodes display as available, except 10.128.20.13, which displays unknown.

* In the SSH session, to change the contents of the HealthCheck.html Web page on 10.128.20.12:80 using the visual editor, type:

    cd ..
    cd 2
    vi HealthCheck.html

  NOTE: You can use the Tab key to autocomplete the Web page name.
* Arrow down to the SERVER_UP paragraph, and then arrow over to the word UP.
* Type X to delete UP.
* To save and quit the visual editor, type:

    :wq

  The text string “SERVER_UP” will no longer be found in the HealthCheck.html Web page on pool member 10.128.20.12:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map. The virtual server and pool still display available. Pool members 10.128.20.11:80 and 10.128.20.12:80 display offline. These pool members display available:

* 10.128.20.13:80
* 10.128.20.14:80
* 10.128.20.15:80

* In the SSH session, to delete the IP address from 10.128.20.14:80, type:

    ip addr del 10.128.20.14/24 dev eth2

  This removes the IP address from node 4. The BIG-IP VE system will not receive an ICMP response from the node.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member. Node 10.128.20.14 now displays offline, which causes pool member 10.128.20.14:80 to display offline.
* Open the http_pool pool, and then open the Members page.
  o Update the Connection Limit of 10.128.20.13:80 to a value of 100.
  o Update the Connection Limit of 10.128.20.15:80 to a value of 5.
* In the location where you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Big Text Page.
  o In the Path field, enter /bigtext.php
  o Clear the Use KeepAlive checkbox.
* Select 10.128.10.20 Test, and then go to Run > Start.
* While the test runs, in the Configuration Utility continue to refresh the Network Map page. Eventually pool member 10.128.20.15:80 displays unavailable because it reaches the configured connection limit.
* Use a new Web browser to access http://10.128.10.20. The page will be slow to load, and there should only be page elements supplied by pool member 10.128.20.13:80.
* In the Configuration Utility, go to node 10.128.20.13, select Forced Offline, and then click Update.
* Open the Network Map page, and then click Update Map.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page. Eventually you’ll receive a page error, as there will be no pool members left to fulfill the request.
* In JMeter, if the load test is still running, click the Stop button.
* Save the 10.128.10.20 Test, and then close JMeter.
* In the Configuration Utility, continue to click Update Map until pool member 10.128.20.15:80 is again available.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page. You receive the Web page. All elements come from pool member 10.128.20.15:80.
* In the SSH session, to replace the text string in the HealthCheck.html Web page on 10.128.20.12:80:
  o Type: vi HealthCheck.html
  o Arrow to the location where you removed the text UP.
  o Type an “i” to enter insert mode.
  o Type UP.
  o Type the following command: :wq
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page. There are now page elements coming from both 10.128.20.12:80 and 10.128.20.15:80.
* In the Configuration Utility on the Network Map page, click Update Map. The virtual server and pool again display available. Pool members 10.128.20.11:80 and 10.128.20.14:80 display offline. Pool member 10.128.20.13:80 displays forced offline. Pool members 10.128.20.12:80 and 10.128.20.15:80 display available.

EXERCISE 5.3 – USING AN INBAND MONITOR

In this exercise you experiment with using a combination of passive monitoring and active monitoring.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create and Use an Inband Monitor

Create a custom inband monitor with a retry time of 0.

* Open the Local Traffic > Monitors page.
* Create a monitor using the following information, and then click Finished.

    Name          custom_inband_monitor
    Type          Inband
    Retry Time    0 seconds

TASK 2 – Update the HTTP Monitor

Configure custom_http_monitor to use the Up Interval setting.

* On the Monitors page, click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For the Up Interval value, select Enabled, then type 60 seconds, and then click Update.

With this configuration, LTM uses the up interval setting for the active monitor (60 seconds) as long as the inband monitor identifies the pool member as available. If the inband monitor identifies the pool member as suspect or offline, the regular interval is used for the active monitor (4 seconds).

TASK 3 – Update the HTTP Pool

Add custom_inband_monitor along with custom_http_monitor to http_pool.

* Open the Pool List page, and then click http_pool.
* From the Configuration list, select Advanced.
* Select custom_inband_monitor and click <<.
* From the Availability Requirement list box, select At Least, then type 1, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page. There are now page elements provided by 10.128.20.11:80 and 10.128.20.12:80.
* In the Configuration Utility, open the Network Map page.
* Click 10.128.20.11:80 and examine the Availability and Health Monitors statuses.
* Notice the custom_http_monitor fails, while the custom_inband_monitor succeeds. Because we modified the availability requirement to 1 health monitor, the pool member is identified as available.

EXERCISE 5.4 – USING MANUAL RESUME

In this exercise you will modify the active HTTP monitor to use manual resume.
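How the monitor results from Exercises 5.2 and 5.3 turn into pool member status, as an added Python model rather than F5 code. The sample page bodies are constructed, and the timeout rule (down once 13 seconds pass after the last passing probe) and the status names returned are assumptions of the model.

```python
from typing import Dict, Optional, Sequence, Tuple

INTERVAL = 4                  # custom_http_monitor: seconds between probes
TIMEOUT = 13                  # seconds without a passing probe before "down"
RECEIVE_STRING = "SERVER_UP"  # text the response must contain

# Constructed response bodies for the three states the exercise creates.
PAGE_OK = "<html><p>SERVER_UP</p></html>"
PAGE_EDITED = "<html><p>SERVER_</p></html>"          # "UP" deleted in vi
NOT_FOUND = "<html><h1>404 Not Found</h1></html>"    # page renamed


def probe_ok(body: Optional[str], receive: str = RECEIVE_STRING) -> bool:
    """A probe passes only if a response arrived and contains the receive string."""
    return body is not None and receive in body


def marked_down_at(bodies: Sequence[Optional[str]],
                   interval: int = INTERVAL,
                   timeout: int = TIMEOUT) -> Optional[int]:
    """bodies[i] answers the probe sent at t = i * interval (None = no response).

    Returns the second at which the member is marked down, or None if the
    trace ends before the timeout expires.
    """
    last_ok = None
    for i, body in enumerate(bodies):
        t = i * interval
        if last_ok is not None and t - last_ok >= timeout:
            return last_ok + timeout
        if probe_ok(body):
            last_ok = t
    return None


def wait_after_change(interval: int = INTERVAL,
                      timeout: int = TIMEOUT) -> Tuple[int, int]:
    """Shortest and longest delay between breaking the page and the member
    going down: the last passing probe left up to `interval` seconds earlier."""
    return timeout - interval, timeout


def member_status(node_state: str, monitors: Dict[str, bool],
                  at_least: Optional[int] = None) -> str:
    """node_state is "up", "down" or "unknown"; monitors maps each pool
    monitor to its latest result; at_least=None stands for requirement All."""
    if node_state == "down":
        return "offline"       # a down node takes its pool members with it
    if not monitors:
        return "unknown"       # nothing is checking this member
    needed = len(monitors) if at_least is None else at_least
    passed = sum(monitors.values())
    return "available" if passed >= needed else "offline"


if __name__ == "__main__":
    trace = [PAGE_OK] + [NOT_FOUND] * 4          # page renamed after t = 0
    print("marked down at t =", marked_down_at(trace))
    print("wait window after the change:", wait_after_change())
    both = {"custom_http_monitor": False, "custom_inband_monitor": True}
    print("requirement All       :", member_status("up", both))
    print("requirement At Least 1:", member_status("up", both, at_least=1))
```

The wait window tops out at 13 seconds, which is why each step in Exercise 5.2 waits 15 seconds before updating the map.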
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the HTTP Monitor

Modify custom_http_monitor to use manual resume. Also, remove custom_inband_monitor from http_pool.

* Open the Monitors page, and then click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For Up Interval, select Disabled.
* For Manual Resume, select Yes, and then click Update.
* Open the Pool List page, and then click http_pool.
* In the Active list, select custom_inband_monitor, and then click >>.
* From the Availability Requirement list box, select All, and then click Update.
* Wait 15 seconds, and then open the Network Map page. Pool member 10.128.20.11:80 again displays offline.

TASK 2 – Update the Pool Members

Replace the HealthCheck.html Web page on pool member 10.128.20.11:80.

* In the SSH session, to replace the HealthCheck.html Web page on 10.128.20.11:80, type:

    cd ..
    cd 1
    mv NewHealthCheck.html HealthCheck.html

* Close the SSH session.
* In the Configuration Utility, on the Network Map page, click Update Map.
* Hover over pool member 10.128.20.11:80. The pool member 10.128.20.11:80 displays as forced offline, waiting for manual resume.
* Click 10.128.20.11:80. When a monitor is set for manual resume, a BIG-IP system administrator must manually enable the pool member after the monitor is again identified as available.
* Select Enabled (All traffic allowed), and then click Update.
* Open the Network Map page. The pool member 10.128.20.11:80 is now available.

TASK 3 – Reset the Environment

To prepare for the next exercises, reset the environment, including restoring the Ubuntu image from the clean snapshot.

* Go to the 10.128.20.13 node.
* Change the State to Enabled, and then click Update.
* Open the Monitors page, and then click custom_http_monitor.
* For Manual Resume, select No, and then click Update.
* Create an archive file named 5.4_monitors_v11.4.1.1.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > LAMP_3.2_Clean.
* Click Yes to restore LAMP_3.2.

MODULE 6 EXERCISES – USING PROFILES

EXERCISE 6.1 – USING AN HTTP PROFILE

In this exercise you will create a custom HTTP profile and add it to the HTTP virtual server. You will then examine how the HTTP profile changes the traffic management behavior.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Custom HTTP Profile

Create a custom HTTP profile.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
* Create an HTTP profile using the following information, and then click Finished.

    Name                        custom_http_profile
    Fallback Host               http://www.f5.com
    Fallback on Error Codes     404 500-503
    Response Headers Allowed    Content-Type Set-Cookie Location
    Insert X-Forwarded-For      Enabled
    Maximum Requests            50

Notice the current inherited setting for Maximum Header Size is 32768 bytes.

TASK 2 – Modify the Default HTTP Profile

Make a couple of modifications to the BIG-IP system default http profile, and then examine which values were inherited by custom_http_profile.

* On the Profiles: Services: HTTP page, click http.
* Edit the profile using the following information, and then click Update.

    Maximum Header Size    16384
    Maximum Requests       30

* On the Profiles: Services: HTTP page, click custom_http_profile.

Questions:
Did the custom profile inherit the maximum header size setting? ________________
Did the custom profile inherit the maximum requests setting? _______________

TASK 3 – Add the Custom HTTP Profile to a Virtual Server

Add custom_http_profile to http_vs.

* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on This Host section, click the Request and Response Headers link.
* Leave this browser open.
* In the Configuration Utility, open the Virtual Server List page, and then click http_vs.
* In the Configuration section, from the HTTP Profile list box, select custom_http_profile.
* Click Update.
* Use a second Web browser to access http://10.128.10.20.
* Click the Request and Response Headers link.
* Using both Web browsers, examine the different Response Headers delivered to the Client sections.

Questions:
Why are there fewer response headers in the second version of this Web page? _______________________________________________________________
Which response headers that were exposed in the first version of this Web page could be exploited by a hacker? ________________________________________________________________

* Using both Web browsers, examine the different Request Headers Received at the Server section.

Question: On the second version, what is the X-Forwarded-For value? _________________________

* Close the first Web browser.
* In the second Web browser, change the URL to http://10.128.10.20/badpage.php.

Questions:
What was the result of this request? ________________
Why were you redirected to www.f5.com? ___________________________________

* Close the Web browser.

TASK 4 – Update the Custom HTTP Profile

Update custom_http_profile with additional settings.

* In the Configuration Utility, open the Local Traffic > Profiles > Services > HTTP page, and then click custom_http_profile.
* Edit the profile using the following information, and then click Update.

    Request Header Erase        User-Agent
    Request Header Insert       Bigip-Httpvs:10.128.20.10
    Response Headers Allowed    Content-Type Set-Cookie Location X-Injected

* Use a Web browser to access http://10.128.10.20, and then click Request and Response Headers.

Questions:
Is the new Bigip-Httpvs request header displaying? ________________
Are you still seeing the User-Agent header?
    __________________

EXERCISE 6.2 – USING A STREAM PROFILE

In this exercise you will create a custom stream profile that will replace a static text string for responses from the customer’s Web site.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – View a Current Web Page

View the text that needs to be replaced on the customer’s Web site.

* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on this Host section, click Stream Profile Example.

This page has several references to the company’s previous name, Lorax Bank. Without going through the task of updating several pages across multiple Web servers, you’ll make this update on BIG-IP LTM using a stream profile.

TASK 2 – Create a Stream Profile

Create a custom stream profile that will find occurrences of the customer’s previous name and replace it with their updated company name.

* In the Configuration Utility, open the Local Traffic > Profiles > Other > Stream page, and then click Create.
* Create a stream profile using the following information, and then click Finished.

    Name: custom_stream
    Source: Lorax Bank
    Target: Lorax Investments

TASK 3 – Add the Custom Stream Profile to a Virtual Server

Add custom_stream to http_vs.

* Open the Virtual Server List page, and then click http_vs.
* From the Configuration list box, select Advanced.
* In the Configuration section, from the Stream Profile list box, select custom_stream.
* In the Acceleration section, from the HTTP Compression Profile list box, select httpcompression, and then click Update.
* Return to the F5 vLab Test Web page and refresh the Welcome to Lorax Bank page. The stream profile replaced all occurrences of the string “Lorax Bank” with “Lorax Investments”.
* Close the Web browser.
* Create an archive file named 6.2_profiles_v11.4.1.1.
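Exercise 6.1 enables Insert X-Forwarded-For so that pool members can recover the original client address. The following Python code is an added example, not part of the F5 guide: it shows how a back-end application can accept that header only when the connection arrives from BIG-IP, and otherwise fall back to the TCP peer address. The trusted addresses are the SNAT addresses from Exercise 1.10B; the function names, the sample client 10.128.10.50, and the assumption that BIG-IP's entry is the last X-Forwarded-For value are assumptions of this example.

```python
"""Resolve the client address behind a proxy that inserts X-Forwarded-For.

Added illustration for Exercise 6.1; not code from the F5 guide.
"""
import ipaddress

# SNAT addresses configured in Exercise 1.10B of this guide. The self IP that
# SNAT Auto Map would use is not given on the page; a real deployment must add
# every address BIG-IP can connect from (assumption of this example).
TRUSTED_PROXIES = {
    ipaddress.ip_address(a)
    for a in ("10.128.20.201", "10.128.20.222", "10.128.20.223", "10.128.20.224")
}


def parse_ip(text):
    """Return an ip_address object, or None if text is not a bare IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_address(peer_ip, headers):
    """Return (address, source) for one request.

    peer_ip -- TCP source address seen by the web server
    headers -- list of (name, value) tuples in the order they were received
    source  -- "x-forwarded-for" if the header was trusted, otherwise "peer"
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # Direct or unknown hop: any X-Forwarded-For here is client-controlled.
        return str(peer), "peer"

    # Header names are case-insensitive; the header may repeat, and a single
    # header may carry a comma-separated list. Keep the values in order.
    hops = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            hops.extend(value.split(","))
    if not hops:
        return str(peer), "peer"

    # Assumption: the trusted proxy wrote the last value. Everything before it
    # arrived from the client side and can be forged, so it is ignored.
    candidate = parse_ip(hops[-1])
    if candidate is None:
        return str(peer), "peer"
    return str(candidate), "x-forwarded-for"


# Constructed sample requests (not captured from the lab).
SAMPLES = [
    # No SNAT: the server sees the client directly, forged header is ignored.
    ("10.128.10.50", [("X-Forwarded-For", "127.0.0.1")]),
    # Via SNAT pool member: client-supplied header first, proxy's header last.
    ("10.128.20.222", [("X-Forwarded-For", "127.0.0.1"),
                       ("x-forwarded-for", "10.128.10.50")]),
    # Via custom_SNAT: one header carrying a comma-separated list.
    ("10.128.20.201", [("X-Forwarded-For", "127.0.0.1, 10.128.10.50")]),
    # Via SNAT but the HTTP profile is not inserting the header.
    ("10.128.20.223", [("Host", "10.128.10.21")]),
    # Via SNAT with an unparsable value: fall back to the peer address.
    ("10.128.20.224", [("X-Forwarded-For", "not-an-ip")]),
]


def demo():
    """Resolve every constructed sample and return the results in order."""
    return [client_address(peer, headers) for peer, headers in SAMPLES]


if __name__ == "__main__":
    for (peer, _), (addr, source) in zip(SAMPLES, demo()):
        print(f"peer={peer:<15} client={addr:<15} from={source}")
```
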
MODULE 7 EXERCISES – PERFORMANCE PROFILES

EXERCISE 7.1 – USING COMPRESSION AND ACCELERATION

In this exercise you will use iMacros for Firefox to create a recording of a visit to the HTTP virtual server. You will then create several optimization profiles, including HTTP compression, caching, and TCP. You will create a similar HTTP pool and virtual server and add the profiles to the new virtual server. You’ll then record a similar visit to the Web site using iMacros for Firefox and identify improvements.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Install iMacros for Firefox

Install iMacros for Firefox.

* Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/.
* Download and install iMacros for Firefox.

TASK 2 – Record BIG-IP LTM Performance without Optimization

Clear the statistics, then update http_vs by removing the HTTP and stream profiles, and then record a visit to the HTTP virtual server using iMacros for Firefox.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Statistics > Module Statistics > Local Traffic page.
* Reset the virtual server, pool, and pool member statistics.
* Open the Virtual Server List page, and then click http_vs.
* From the HTTP Profile list box, select None.
* From the Stream list box, select None, and then click Update.
* Use a Mozilla Firefox browser to access http://10.128.10.20.
* Click I Understand the Risks, then click Add Exception, and then click Confirm Security Exception.
* If it’s not already displayed, enable the iMacros pane.
* In the iMacros pane, select the Rec tab, and then click Record.
* Record the following series of clicks:
    o Click Welcome, and then click the banner at the top of the page to return to the home page.
    o Click HTTP Compress Example, and then click the banner at the top of the page.
    o Click Stream Profile Example, and then click the banner at the top of the page.
    o Click Mask Sensitive Content Example, and then click the Back button.
    o Click Simple HTTP Request, and then click the Back button.
    o Click Request and Response Headers, and then click the banner at the top of the page.
* Click Stop.
* Use Ctrl+F5 five times to refresh the page.
* Select the Welcome link, and then click on the banner at the top of the page to return to the home page.
* Click the Welcome link.
* Use Ctrl+F5 five times to refresh the page.
* Click the banner at the top to return to the home page.
* HTTP Compress
* Multiple Stream Example.
* bigtext.txt.
* Change the U
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, select 10.128.10.20 Test.
* Change the Number of Threads (users) to 50.
* Change the Loop Count to 2.
* Go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 300, the test is complete.

Questions:
    What is the Total Throughput value? ___________________
    What is the Total KB/sec value? ____________________
    What is the Total Avg. Bytes value? ___________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression. There is no compression taking place.
* Click the Back button, and then click the View link for Web Acceleration. There is no caching taking place.

TASK 2 – Configure HTTP Compression and Fast Cache

Create a custom HTTP compression profile and a custom Web acceleration profile.

* Open the Acceleration > Profiles > HTTP Compression page.
* Create an HTTP Compression profile using the following information, and then click Finished.
    Name: custom_compression
    Parent Profile: wan-optimized-compression
    Content Compression: Content List…
    Content Type (Click Include after each entry): *.png *.jpg *.php
    Minimum Content Length: 10 bytes
    gzip Compression Level: 6 – Optimal Compression
    Browser Workarounds: Enabled

* Open the Acceleration > Profiles > Web Acceleration page.
* Create a Web Acceleration profile using the following information, and then click Finished.

    Name: custom_caching
    Parent Profile: optimized-acceleration
    Cache Size: 500 megabytes

TASK 3 – Configure TCP Express and Content Spooling

Enable TCP optimization between the client and BIG-IP LTM, and between BIG-IP LTM and the pool members.

* Open the Local Traffic > Profiles > Protocol > TCP page.
* Create a TCP profile using the following information, and then click Repeat.

    Name: custom_tcp_server_profile
    Parent Profile: tcp_lan_optimized

* Create another TCP profile using the following information, and then click Finished.

    Name: custom_tcp_client_profile
    Parent Profile: tcp_wan_optimized
    Delayed Acks: Disabled
    Proxy Buffer High: 196608
    Selective NACK: Enabled
    Nagle’s Algorithm: Disabled

TASK 4 – Configure OneConnect

Create a custom OneConnect profile.

* Open the Local Traffic > Profiles > Other > OneConnect page.
* Create a OneConnect profile using the following information, and then click Finished.

    Name: custom_oneconnect
    Source Mask: 255.255.0.0
    Maximum Size: 12000

TASK 5 – Create a Pool and Virtual Server

Create a new pool and virtual server to use with the new performance profiles.

* Create a pool using the following information, and then click Finished.

    Name: http_pool2
    Health Monitors: custom_http_monitor
    Load Balancing Method: Round Robin
    Members (Use the Node List option):
        Node            Service Port
        10.128.20.11    80
        10.128.20.12    80
        10.128.20.13    80
        10.128.20.14    80
        10.128.20.15    80

* Create a virtual server using the following, and then click Finished.
    Name: http_vs2
    Destination: 10.128.10.21
    Service Port: 80 (HTTP)
    Configuration: Advanced
    Protocol Profile (Client): custom_tcp_client_profile
    Protocol Profile (Server): custom_tcp_server_profile
    HTTP Profile: http
    Source Address Translation: Auto Map
    OneConnect Profile: custom_oneconnect
    HTTP Compression Profile: custom_compression
    Web Acceleration Profile: custom_caching
    Default Pool: http_pool2

TASK 6 – Record BIG-IP LTM Performance with Optimization

Record traffic statistics with BIG-IP LTM optimization configured.

* In JMeter, in the navigation panel, select HTTP Request Defaults.
* Change the Server Name or IP to 10.128.10.21.
* Select Summary Report, and then go to Run > Clear.
* Go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 300, the test is complete.

Questions:
    What is the Total Throughput value? ___________________
    What is the Total KB/sec value? ____________________
    What is the Total Avg. Bytes value? ___________________

* In the Configuration Utility, view the Virtual Servers statistics.

Questions:
    Was there a significant difference in the number of bits coming in or out of the virtual servers? _______________
    How many maximum connections were opened for http_vs? ______________________
    How many total connections were opened for http_vs? ________________________
    How many maximum connections were opened for http_vs2? ______________________
    How many total connections were opened for http_vs2? ________________________

* Reset the statistics for both virtual servers.
* View the Pools statistics.

Questions:
    Was there a significant difference in the number of bits coming in or out of the pools? _______________
    Did caching lower the number of packets out for http_pool2? _____________
    Did OneConnect lower the number of connections required for http_pool2? _____________

* Reset the statistics for both pools and all pool members.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression. Compression is now taking place for HTML content.
* Click the Back button, and then click the View link for Web Acceleration. There should now be many cache hits.
* Create an archive file named 7.1_performance_profiles_v11.4.1.1

MODULE 8 EXERCISES – PERSISTENCE PROFILES

EXERCISE 1.8A – USING SOURCE ADDRESS PERSISTENCE

In this exercise you will create a source address persistence profile and examine how it changes the BIG-IP load balancing decision.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Update the HTTP Pool

Update the HTTP pool to use round robin load balancing.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Pool List page, and then select http_pool.
* Select the Members tab.
* Change the Load Balancing Method to Round Robin.
* Open a new Web browser and access http://10.128.10.20.

Question:
    Are requests coming from one or several pool members? ______________________

TASK 2 – Create a Source Address Persistence Profile

Create a custom source address persistence profile and add it to the HTTP virtual server.

* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Click Create.
* Create a persistence profile using the following information:

    Name: custom_source_addr
    Persistence Type: Source Address Affinity
    Timeout: 15 seconds
    Mask: Specify: 255.255.255.0

* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
    Are requests coming from one or several pool members? ______________________
    Which pool member is supplying the content for this request? ____________________
* Wait at least 15 seconds and then use Ctrl+F5 to refresh the page again.

Questions:
    Was the same pool member used for this request? _______________
    If not, why not? _________________________________________________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
* Refresh the Statistics page.
* Continue to click Refresh and note the value in the Age column.
* Close the http://10.128.10.20 Web browser.

EXERCISE 1.8B – USING COOKIE PERSISTENCE

In this exercise you will create a custom cookie persistence profile, and then add it in place of the source address persistence profile.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Cookie Persistence Profile

Create a custom cookie persistence profile, and then add it in place of the source address persistence profile.

* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Create a persistence profile using the following information:

    Name: custom_cookie
    Persistence Type: Cookie
    Cookie Method: HTTP Cookie Insert
    Cookie Name: BIGIP_mycookie
    Expiration: Session Cookie (cleared) 8 hours

* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_cookie.
* Click Update.

Questions:
    Was the update successful? _______________
    If not, why not? _________________________________________________________

* Select the Properties tab.
* For HTTP Profile, select the default http profile.
* Repeat the steps above to update the persistence profile to custom_cookie.
* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.
* In the Content Examples on this Host section, select Display Cookie.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.

Question:
    Is there a persistence record for this session? _______________
    If not, why not? _________________________________________________________

EXERCISE 1.8C – VIEW PERSISTENCE WITH DISABLED AND OFFLINE POOL MEMBERS

In this exercise you will examine how persistence works with both disabled and offline pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the Source Address Profile and the Virtual Server

Update the timeout value in the source address persistence profile, and then update the HTTP virtual server to use the source address persistence profile.

* Open the Local Traffic > Profiles > Persistence page.
* Select custom_source_addr.
* Update the Timeout to 60 seconds.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.

TASK 2 – View Effects of Disabled and Offline Pool Members

Make a couple of modifications to the default http profile, and then examine which values were inherited by the custom HTTP profile.

* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.

Question:
    Which pool member are you currently persisting to? _______________

* In the Configuration Utility, disable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
    Did you persist to the same pool member? _______________
    Can disabled pool members service client requests? ________________

* In the Configuration Utility, select Forced Offline for the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
    Did you persist to the same pool member?
    _______________
    Can offline pool members service client requests? ________________

* In the Configuration Utility, re-enable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Question:
    Did your persistence session go back to the original pool member? _______________

* Close the Web browser.

EXERCISE 1.8D – USING MATCH ACROSS VIRTUAL SERVERS

In this exercise you will use persistence with two virtual servers. It’s critical that users are persisted to the same pool member, regardless of which virtual server they access.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Clear Statistics and View Access to Two Virtuals

View how requests are currently being handled through both virtual servers.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs2.
* For Protocol Profile (Client), select tcp.
* For Protocol Profile (Server), select (Use Client Profile).
* For each of the following, select None.
    o HTTP Profile
    o OneConnect
* Click Update.
* Open the Statistics > Module Statistics > Local Traffic page.
* Ensure the statistics for both virtual servers, both pools, and all pool members have been reset.
* Open up a new Web browser and access https://10.128.10.20.
* Type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21.
* Type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.

Questions:
    Are requests for http_pool persisting to one pool member? _______________
    Are requests for http_pool2 persisting to one pool member? ________________

* Reset the statistics for both pools and all pool members.

TASK 2 – Enable Persistence for http_vs2

Add the source address persistence profile to the second HTTP virtual server.

* Open the Virtual Servers page, and then select http_vs2.
* Select the Resources tab.
* For Default Persistence Profile, select custom_source_addr.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.

Questions:
    Are requests for http_pool persisting to one pool member? _______________
    Are requests for http_pool2 persisting to one pool member? ________________
    Are requests for each different pool persisting to the SAME pool member? ___________

* Reset the statistics for both pools and pool members.

TASK 3 – Enable Match Across Virtual Servers

Update the source address persistence profile to use the Match Across Virtual Servers option.

* Open the Persistence profiles page, and then select custom_source_addr.
* Enable Match Across Virtual Servers.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.

Question:
    Are requests for each different pool persisting to the SAME pool member? ___________

* Reset the statistics for both pools and pool members.
* Create an archive file named 1.8_persistence_profiles_v11.4.0.1.

MODULE 9 EXERCISES – SSL TERMINATION

EXERCISE 1.9A – SUPPORTING SSL TRAFFIC

In this exercise you’ll set up the BIG-IP to support processing SSL traffic. First you’ll configure the BIG-IP to simply pass SSL traffic through to the pool members. Then you’ll configure the BIG-IP for SSL termination.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Create a Self-Signed Certificate

Create a self-signed certificate for www.f5demo.com.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the System > File Management > SSL Certificate List page.
* Click Create.
* Create a self-signed certificate using the following information:

    Name: custom_ssl_cert
    Type: Self
    Common Name: www.f5demo.com
    Lifetime: 3650 days
    Key Type: RSA
    Size: 2048 bits

  Fill in the remaining fields however you like.
* Click Finished.

TASK 2 – Create a Client SSL Profile

Create a client SSL profile using the self-signed certificate.

* Open the Local Traffic > Profiles > SSL > Client page.
* Click Create.
* Create a client SSL profile using the following information:

    Name: custom_client_ssl
    Certificate: custom_ssl_cert
    Key: custom_ssl_cert

* Click Finished.

TASK 3 – Create a Custom HTTPS Monitor

Create a custom HTTPS monitor that requests the index.php Web page from the pool member and then verifies that a text string is returned in the response.

* Open the Local Traffic > Monitors page.
* Create a monitor using the following:

    Name: custom_https_monitor
    Type: HTTPS
    Send String: GET /index.php\r\n
    Receive String: FSE vLab Test Web Site

* Click Finished.

TASK 4 – Create an HTTPS Pool and Virtual Server

Create a pool and a virtual server to support SSL traffic, and then test access using a Web browser.

* Open the Pool List page.
* Create a pool using the following:

    Name: https_pool
    Health Monitors: custom_https_monitor
    Load Balancing Method: Round Robin
    Members (Use the Node List option):
        Node            Service Port
        10.128.20.11    443
        10.128.20.12    443
        10.128.20.13    443
        10.128.20.14    443
        10.128.20.15    443

* Click Finished.
* Open the Virtual Server List page.
* Create a virtual server using the following:

    Name: https_vs
    Destination: Host: 10.128.10.20
    Service Port: 443 (or HTTPS)
    Default Pool: https_pool

* Click Finished.
* Open a new Web browser and access https://10.128.10.20.
* View the URI and the information in the Pool member address/port.

Questions:
    Is the connection between the client and BIG-IP LTM secured?
    _____________
    Is the connection between BIG-IP LTM and the pool member secured? _____________

* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page. Each request is load balanced to different pool members.
* Close the Web browser.

TASK 5 – Add Cookie Persistence to the HTTPS Virtual Server

Attempt to add cookie persistence to the HTTPS virtual server and then verify the results.

* In the Configuration Utility, open the Virtual Server List page, and then select https_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Select the Resources tab.
* For Default Persistence Profile, select custom_cookie.
* Click Update.
* Open a new Web browser and access https://10.128.10.20.

Questions:
    Did the Web page display? _____________
    If not, why not? _______________________________________________________

TASK 6 – Enable SSL Termination with the HTTPS Virtual Server

Enable SSL termination on the HTTPS virtual server, and then verify the results.

* In the Configuration Utility, on the https_vs page, open the Properties page.
* For SSL Profile (Client), move custom_client_ssl from the Available list to the Selected list.
* For SSL Profile (Server), move serverssl from the Available list to the Selected list.
* Click Update.
* Refresh the https://10.128.10.20 Web browser.
* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page.
* Update the URI to https://10.128.10.20/badpage.exe.

Questions:
    Did the Web page display? _____________
    Is the connection between the client and BIG-IP LTM secured? _____________
    Is the connection between BIG-IP LTM and the pool member secured? _____________
    Is cookie persistence working? _____________
    Is BIG-IP LTM processing the HTTP profile? _____________

* Edit the URI to https://10.128.10.20.
* Right-click and select Properties.
* Click Certificates.

Question:
    How can you identify that this is a self-signed certificate? _________________________

* Close the Web browser.
EXERCISE 1.9B – ENABLING SSL OFFLOAD

In this exercise you will update the HTTPS virtual server to perform SSL offload, sending unencrypted traffic to the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Import an SSL Certificate and Key

Import the lamp.f5demo.com certificate and key.

* In the Configuration Utility, open the System > File Management > SSL Certificate List page.
* Click Import.
* From the Import Type list, select Certificate.
* In the Certificate Name box, leave Create New selected and type lamp.
* Click the Browse button.
* Navigate to the Exercise_Files folder and select the lamp.f5demo.com.cer file, and then click Open.
* Click Import.
* Once the certificate has been imported, click Import again to import the corresponding key.
* From the Import Type list, select Key.
* In the Key Name box, leave Create New selected and type lamp.
* Click the Browse button.
* Navigate to the Exercise_Files folder and select the lamp.f5demo.com.key file, and then click Open.
* Click Import.

TASK 2 – Create a Client SSL Profile

Create a new custom client SSL profile using the lamp.f5demo.com certificate and key.

* Open the Local Traffic > Profiles > SSL > Client page.
* Create a client SSL profile using the following information:

    Name: lamp_client_ssl
    Certificate: lamp
    Key: lamp

* Click Finished.

TASK 3 – Update Your Local Hosts File

Add an entry to your local hosts file for lamp.f5demo.com.

* Open Notepad and select Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Add an entry for:

    10.128.10.30 lamp.f5demo.com

* Save and close the hosts file.

TASK 4 – Create an Offload Virtual Server

Create a new virtual server that will perform SSL offload.

* Open the Virtual Server List page.
* Create a virtual server using the following:

    Name: offload_vs
    Destination: Host: 10.128.10.30
    Service Port: 443 (or HTTPS)
    Configuration: Advanced
    HTTP Profile: custom_http_profile
    Stream Profile: custom_stream
    SSL Profile (Client): lamp_client_ssl
    HTTP Compression Profile: custom_compression
    Default Pool: http_pool
    Default Persistence Profile: custom_cookie

* Click Finished.
* Open a new Web browser and access https://lamp.f5demo.com.
* View the URI and the information in the Pool member address/port.

Questions:
    Is the connection between the client and BIG-IP LTM secured? _____________
    Is the connection between BIG-IP LTM and the pool member secured? _____________
    Is cookie persistence working? _____________

* Select the Request and Response Headers link.

Question:
    Is the BIG-IP processing the HTTP profile? _____________

* Click the Back button, and then select the Stream Profile Example link.

Question:
    Is the BIG-IP processing the stream profile? _____________

TASK 5 – Verify the New Certificate

Test the new certificate being used by the offload virtual server.

* Right-click the page and select Properties.
* Click Certificates.

Question:
    Who issued this certificate? _____________________________
    When does it expire? _________________________________

* Close the Web browser.
* In the Configuration Utility, create an archive file named 1.9_ssl_termination_v11.4.0.1.

MODULE 10 EXERCISES – NATS AND SNATS

EXERCISE 1.10A – USING A NAT

In this exercise you will configure a NAT to pass traffic between an external device and a specific internal node.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Configure a NAT

Create a custom NAT to give external users access to a specific node in the 10.128.20.0 network.

* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Address Translation > NAT List page.
* Click Create.
* Create a NAT using the following:

    Name: custom_NAT
    NAT Address: 10.128.10.200
    Origin Address: 10.128.20.13
    State: Enabled

* Click Finished.

TASK 2 – Testing the NAT – Inbound

Test the NAT by opening the new NAT address using several application services.

* Open a new Web browser and access http://10.128.10.200. Note that all items are coming from pool member #3 (10.128.20.13).
* Edit the URL to https://10.128.10.200.
* Using Putty, open an SSH session to 10.128.10.200.

NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.

Note that you can connect to multiple services through the NAT and that you are always connected to 10.128.20.13.

* Close the Web browser and the Putty window.

TASK 3 – Disable the NAT

Disable the NAT to ensure that it won’t interfere with future exercises.

* In the Configuration Utility on the NAT List page, select custom_NAT.
* From the State list, select Disabled.
* Click Update.
* Confirm that the NAT is no longer available by opening a new Web browser and attempting to access http://10.128.10.200.

EXERCISE 1.10B – USING SNATS

In this exercise you will configure a SNAT to pass traffic between an external device and internal nodes.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 25 minutes

TASK 1 – Testing Behavior without a SNAT

Open the HTTP virtual server and examine what the back-end Web server sees as the client IP address.

* Open a new Web browser and access http://10.128.10.20.
* View the information in the Request Details section.

Questions:
    What is the client IP address? __________________________
    What device “owns” this IP address? _________________________________

TASK 2 – Using SNAT Auto Map with the HTTP Virtual Server

Update the HTTP virtual server by enabling SNAT Auto Map.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* In the Configuration section, from the Source Address Translation list, select Auto Map.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.

Questions:
    What is the client IP Address? __________________________
    What device “owns” this IP address? ________________________
    When using SNAT, how can we ensure that the back-end Web server can identify the true client IP address? _________________________________________________________________________

* In the Configuration Utility, update http_vs by selecting custom_http_profile.
* In the http://10.128.10.20 Web page, select the Request and Response Headers link.

Question:
    What is the X-Forwarded-For value? _________________________

* Close the Web browser.

TASK 3 – Create a SNAT

Create a custom SNAT to give external users in the 10.128.10.0 network access to several nodes in the 10.128.20.0 network.

* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
* Click Create.
* Create a SNAT using the following:

    Name: custom_SNAT
    Translation: IP Address: 10.128.20.201
    Origin: Address List
    Address List: Network Address: 10.128.10.0 Mask: 255.255.255.0 (be sure to click Add)

* Click Finished.
* Open a new Web browser and access http://10.128.10.20.
* Update the URI to http://10.128.10.21.
* Update the URI to https://10.128.10.20.
* Close the Web browser.

Questions:
    Did every connection use the new SNAT? __________________
    If not, which one didn’t? __________________________________________________

* Update the http_vs by selecting None for Source Address Translation.
* Update the http_vs2 by selecting None for Source Address Translation.
* Open a new Web browser and access http://10.128.10.20.
* Edit the URI to http://10.128.10.21.
* Close the Web browser.

TASK 4 – Create a SNAT Pool

Create a SNAT pool and then use the SNAT pool with a virtual server.

* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT Pool List page.
* Click Create.
* Create a SNAT pool using the following:

    Name: custom_SNAT_pool
    Member List: 10.128.20.222 10.128.20.223 10.128.20.224 (be sure to click Add)

* Click Finished.
* Open the Virtual Server List page, and then select http_vs2.
* For Source Address Translation, select SNAT.
* For SNAT Pool, select custom_SNAT_pool.
* Click Update.
* Open a new Web browser and access http://10.128.10.21.

Question:
    Which IP address was used for the SNAT address? _____________________________

* Close the Web browser.

TASK 5 – Creating a SNAT for Internal Users

Create a SNAT to give internal users access to external resources through BIG-IP LTM.

* In the VMware Workstation console, select the LAMP image and click Login.
* Open Firefox and attempt to access http://www.yahoo.com.

NOTE: The request should fail. If your request is successful, it’s likely because you enabled Network Adapter 4 for the Ubuntu image in VMware Workstation.

* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
* Create a SNAT using the following:

    Name: internal_SNAT
    Translation: IP Address: 10.128.1.100
    Origin: Address List
    Address List: Network Address: 10.128.20.0 Mask: 255.255.255.0 (be sure to click Add)

* Click Finished.
* In the LAMP VMware image, refresh the http://www.yahoo.com Web page.
* In the Configuration Utility, create an archive file named 1.10_nat_snat_v11.4.0.1.

TASK 6 – Delete the SNATs

Delete both SNATs as they aren’t needed for the remaining exercises.

* In the Configuration Utility, on the SNAT List page, select the checkbox for both custom_SNAT and internal_SNAT, and then click Delete twice.

MODULE 10 EXERCISES – IRULES

EXERCISE 1.11A – WRITING YOUR FIRST IRULE

In this exercise you’ll download and install the iRule Editor from DevCentral. You’ll then use the iRule Editor to connect to your BIG-IP and write your first iRule. You’ll then download an iRule from DevCentral and use the iRule as is.
* Estimated completion time: 25 minutes

TASK 1 – Download the iRule Editor

Access and log in to DevCentral, and then download the iRule Editor. You do not need to perform this task if you already have the iRule Editor installed on your workstation.

* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iRules.
* On the left navigation menu select iRule Editor.
* Download and install the iRulerSetup.msi file.

TASK 2 – Open the iRule Editor

Open the iRule Editor and explore the application.

* From your Start menu, launch the F5 iRule Editor.
* Click the iRules Reference button. This opens the iRules Wiki Home page on DevCentral.
* Close the Web browser.
* Click the TCL Reference button. This opens the TCL command reference page.
* Click the set link. We’ll be covering the set command shortly.
* Close the Web browser.

TASK 3 – Use the iRule Editor to Connect to Your BIG-IP

Use the iRule Editor to connect to the external self IP address of your BIG-IP system.

* In the iRule Editor, select File > Connect.
* In the Hostname box type 10.128.10.240.
* In the Username and Password boxes enter the username and password you created in Exercise 1.1C.
* Click OK.

Questions:
Did you successfully connect? ________________
Which port is being used to connect to the BIG-IP system? __________________

* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Network > Self IPs page, and then select external_selfIP.
* Add the required port to the Custom List, and then click Update.
* In the iRule Editor, attempt to connect again using the same username and password.

TASK 4 – Create Your First iRule

Create a basic iRule to log information when a client connection is accepted by the BIG-IP.

* In the left navigation menu of the iRules Editor, select Local Traffic.
* Select File > New.
* Name the new iRule exercise_iRule.
* Select the Custom tab.
* Select the CLIENT_ACCEPTED event, and then click OK.
* Edit the text inside of the double-quotes to: "Client connection accepted"
* Select the View menu. By default, the iRule Editor displays several annotations to help you write iRules.
* Select both Whitespace and End of Line.
* Click Save. This will check the syntax of the iRule. You’ll get a notification at the bottom of the iRules Editor of any syntax errors.
* In the Configuration Utility, open the Local Traffic > iRules > iRules List page. The iRule was saved on the BIG-IP.
* Select exercise_iRule. Note how different it is viewing and editing an iRule in the Configuration Utility versus the iRule Editor.

TASK 5 – Add the iRule to the HTTP Virtual Server

Add the new iRule to the existing HTTP virtual server, and then verify the iRule.

* Open the Virtual Server List page, and then select http_vs.
* Ensure that the HTTP Profile is set to http. Click Update if necessary.
* Open the Resources page.
* For Default Persistence Profile, select None.
* Click Update.

NOTE: We are removing persistence in order to use iRules for all BIG-IP LTM load balancing decisions.

* In the iRule section, click Manage.
* Move the exercise_iRule from the Available list to the Enabled list.
* Click Finished.
* Open Putty, then access and log in to 10.128.10.240.

NOTE: For easier viewing of log entries, we recommend resizing the Putty window, making it bigger both horizontally and vertically.

* At the CLI prompt, type:
  tail -f /var/log/ltm
* Press the Enter key a few times to move the existing log entries to the top of the window.
* Open up a new Web browser and access http://10.128.10.20.
* View the Putty window.

Questions:
Was the iRule triggered? _______________
How many client connections were required for this request?
_________________

TASK 6 – Save the Current iRule to your Offline iRules

Create a new iRule, then copy your current iRule to the new iRule, and then copy the new iRule to your offline iRules.

* In the iRule Editor, select Local Traffic, and then select File > New.
* Name the new iRule exercise1A_iRule, use the Blank template, and then click OK.
* Copy the code from exercise_iRule and paste into exercise1A_iRule.
* Save exercise1A_iRule.
* Right-click exercise1A_iRule and select Copy Offline. The new iRule is saved under Offline iRules, which is stored on your local workstation. This will enable you to use this iRule on any BIG-IP that you can connect to.

NOTE: In the iRules exercises, we will continue to make modifications to the exercise_iRule, and then save the iRule from each exercise to your Offline iRules. This will enable us to continue to make updates to the iRule without needing to update the virtual server.

TASK 7 – Using an iRule from DevCentral

Use an iRule from DevCentral to prevent valid credit card numbers from being returned to users.

* Open a new Web browser and access http://10.128.10.20.
* Select the Mask Sensitive Content Example link. This page contains confidential information that we’d like to prevent from being sent in an HTTP response.
* In the iRule Editor, use the iRules Reference button to access DevCentral.
* On the left navigation menu, select CodeShare.
* Find an iRule that scrubs out credit cards from HTTP traffic. (NOTE: Don’t use the iRule that uses a stream profile.)
* In the iRules Source section, click on the view source button.
* Select and copy all of the iRules code.
* In the iRule Editor, for exercise_iRule, delete the existing code, and then paste the contents of the credit card scrubber.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/privatedata.html Web page.
* Close the Web browser.

FOR EXTRA CREDIT

* Update the iRule to change the character used for scrubbing from “X” to “*”.
* Test by refreshing the credit card accounts page.

TASK 8 – Save the Current iRule to your Offline iRules

* In the iRule Editor, select Local Traffic, and then select File > New.
* Name the new iRule exercise1B_iRule, use the Blank template, and then click OK.
* Copy the code from exercise_iRule and paste into exercise1B_iRule.
* Save exercise1B_iRule.
* Right-click exercise1B_iRule and select Copy Offline.

EXERCISE 1.11B – USING IRULE EVENTS

In this exercise you experiment with some of the events that you can use to trigger an iRule.

* Estimated completion time: 20 minutes

TASK 1 – Update the iRule with Multiple Events

Update the exercise_iRule by adding several events.

* In the iRule Editor, select exercise1A_iRule and copy all of the code.
* Select exercise_iRule and delete all of the existing code, and then paste the copied text.
* Place the cursor at the beginning of line 1, and then press Enter a couple of times.
* At the beginning of line 1 start typing the word when.
* When the iRule Editor prompts for the word, press the Enter key to accept the full word when.
* After when, start typing RULE_ and then press Enter to accept the RULE_INIT event.
* After RULE_INIT, type a {, then press the Enter key twice, and then type a }. This is a good method for ensuring that you have a closing curly brace for every opening curly brace.
* Move your cursor after the indent in line 2.
* Type the following command and arguments:
  log local0. "iRule created or updated"
* In the Putty window, press the Enter key a few times to move the existing log entries to the top of the window.

NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.

* In the iRule Editor, save the exercise_iRule, and then view the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________
* Press the Enter key a few times to move the existing log entries to the top of the window.
* Open a new Web browser and access http://10.128.10.20.
* View the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the CLIENT_ACCEPTED event:
* Save the iRule.
* In the http://10.128.10.20 Web page select the Welcome link.
* View the Putty window.

Question: How many HTTP requests are needed to build this Web page? ________________

* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the HTTP_REQUEST event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.

Question: Was a different pool member selected for each HTTP request? ________________

* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the LB_SELECTED event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.
* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the SERVER_CONNECTED event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.

TASK 2 – Enable Caching and Compression on the HTTP Virtual Server

Enable caching, compression, and OneConnect on the HTTP virtual server, and then examine the difference in the iRule results.

* In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
* Configure the following:
  * HTTP Profile: custom_http_profile
  * OneConnect Profile: custom_oneconnect
  * HTTP Compression Profile: custom_compression
  * Web Acceleration Profile: custom_caching
* Click Update.
* In the Putty window, press the Enter key a few times to move the existing log entries to the top of the window.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* In Putty, press the Enter key five times.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* Close the Web browser.
* View the Putty window.

Question: How did these profiles change the results of the iRule triggering? _______________________________________________________________________

* In the Configuration Utility, on the http_vs Properties page, configure the following:
  * HTTP Profile: http
  * OneConnect Profile: None
  * HTTP Compression Profile: None
  * Web Acceleration Profile: None
* Click Update.

NOTE: We are removing these profiles to ensure that BIG-IP LTM makes load balancing decisions for each request and doesn’t serve up content from its cache.

TASK 3 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise2_iRule using the Blank template.
* Copy the code from exercise_iRule and paste into exercise2_iRule.
* Save exercise2_iRule.
* Right-click exercise2_iRule and select Copy Offline.

EXERCISE 1.11C – USING VARIABLES

In this exercise you will set variables in an iRule, and then reference and manipulate the variables.

* Estimated completion time: 20 minutes

TASK 1 – Set Variables in an iRule

Update the exercise_iRule by setting several variables.

* In the iRule Editor, select exercise_iRule.
* Delete all of the existing events EXCEPT for the HTTP_REQUEST event.
* In the line directly after the when HTTP_REQUEST line, type:
  set name "Chris" (use your own first name)
  set last_name "Manly" (use your own last name)
  set price 9.95
  set quantity 5

TASK 2 – Reference Variables in an iRule

Update the exercise_iRule by referencing the variables you set in the previous task.

* Edit the log local0. message to:
  log local0. "$name $last_name made an HTTP request"
* Save the iRule.
* In the Putty window, press the Enter key a few times to move the existing log entries to the top of the window.

NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.

* Open a new Web browser and access http://10.128.10.20/httprequest.php.
* View the Putty window.
* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, create a second log entry:
  log local0. "Order made for $quantity items at $$price each"

NOTE: Be sure to include two dollar signs before “price”.

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window. Note that the iRule was able to identify that $price was referencing a variable, and the dollar sign before that was interpreted as a regular text string.
* Press the Enter key a few times to move the existing log entries to the top of the window.

TASK 3 – Manipulating Variables

Update the exercise_iRule by using the append, incr, and expr commands.

* In the iRule Editor, in the line after setting your last name, type:
  append name " " (there should be one space between the quotes)
  append name $last_name
* Edit the first log local0. message to:
  "$name made an HTTP request"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, in the line after the final log local0. statement, type:
  incr quantity 2
  log local0. "Due to our special, $name will receive $quantity items"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, in the line after setting the quantity, type:
  set total [expr { $price * $quantity } ]
  set tax [expr { $total * .09 } ]
  set grand_total [expr { $total + $tax } ]
* In the line after the final log local0. statement, type:
  log local0. "Total: $$total, tax: $$tax, for a grand total of $$grand_total"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

TASK 4 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise3_iRule using the Blank template.
* Copy the code from exercise_iRule and paste into exercise3_iRule.
* Save exercise3_iRule and then copy it to your Offline iRules.

EXERCISE 1.11D – USING TCL AND IRULES COMMANDS

In this exercise you will use several TCL and iRules commands to base your existing iRules on dynamic connection information.

* Estimated completion time: 30 minutes

TASK 1 – Update the iRule using iRules Commands

Update the iRule you created in exercise 2 by logging information based on the actual client connection.

* In the iRule Editor, select exercise2_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* Update the CLIENT_ACCEPTED event as follows:
* Update the LB_SELECTED event as follows:
* Update the SERVER_CONNECTED event as follows:
* Update the HTTP_RESPONSE event as follows:
* Save the iRule and ensure you don’t receive any syntax errors.
* Open a new Web browser and access http://10.128.10.20/httprequest.php.
* View the Putty window. In the next section we will be discussing using conditional statements. Start thinking about the traffic management decisions you could make on the BIG-IP system using any of the information that you sent to the log file.
* Press the Enter key a few times to move the existing log entries to the top of the window.

TASK 2 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise4A_iRule.
* Copy the code from exercise_iRule and paste into exercise4A_iRule.
* Save exercise4A_iRule, and then copy it to your Offline iRules.

TASK 3 – Update the iRule using HTTP Commands

Experiment with the different HTTP commands that are available in an iRule.

* Select exercise_iRule.
* Delete all of the existing events EXCEPT for the when HTTP_REQUEST event.
* Update the HTTP_REQUEST event as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Edit the URI to http://10.128.10.20/httprequest.php?user=bob.

Question: Which value changed between the two requests? _________________________________

* Press the Enter key a few times to move the existing log entries to the top of the window.

TASK 4 – Create a Custom Response Page

Using the iRule, create a custom HTTP response page to be sent for all client requests.

* In the iRules Editor, select exercise_iRule.
* After the HTTP_REQUEST event add the following HTTP_RESPONSE event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php?user=bob Web page.

Question: Did you receive the custom Webpage? ___________________

In the next lesson we’ll cover using conditional statements. Be thinking about what information you could use to determine whether or not to display this error page for user requests.

TASK 5 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise4B_iRule.
* Copy the code from exercise_iRule and paste into exercise4B_iRule.
* Save exercise4B_iRule, and then copy it to your Offline iRules.

TASK 6 – Use the Stream Command

In Exercise 1.6B you used a Stream profile in the Configuration Utility. As you learned, one of the limitations of the Stream profile is that you can only find one text string to replace with another.
You will now use the stream command in an iRule to find multiple text streams and replace them with different values.

* In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
* Configure the following:
  * Stream Profile: stream
  * HTTP Compression Profile: custom_compression
* Click Update.

NOTE: Even when you use the stream command in an iRule, you still need to include the default Stream profile, and in addition you need to ensure that the Web servers aren’t compressing content (which is achieved by using an HTTP compression profile).

* In the iRules Editor, select exercise_iRule.
* Delete all of the lines contained within the HTTP_RESPONSE event (but leave the event itself).
* Save the iRule.
* Open a new Web browser and access http://10.128.10.20/lorax.php. There are references to “Lorax Bank”, “Lorax Finances”, and “savings accounts”.
* In the iRule Editor, update the HTTP_RESPONSE event as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. The references to “Lorax Bank” have been replaced with “Lorax Investments”.
* Update the STREAM::expression as follows:
  {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@}

NOTE: Type all of the previous expression on one line.

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. All references to the previous entries have been replaced with the updated entries.
* Click on the top graphic to go back to the home page.
* From the http://10.128.10.20 page, select the Multiple Stream Example link.

NOTE: The graphics in the second column on this page are “broken” links.

* Right-click on the page and select View Source.

Question: What are the URLs that the broken image links are pointing to? ____________________________________________________________________

* Close the source code page.
* Update the STREAM::expression as follows:
  {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@ @http://server1.hostingsite.com/images@/images@}
* Save the updated iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/badlinks.html Web page.

Question: Why did the first two pictures display properly, but the third picture still doesn’t display? _________________________________________________________________

* Update the stream expression so that all three graphics display on the page.

TASK 7 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise4C_iRule.
* Copy the code from exercise_iRule and paste into exercise4C_iRule.
* Save exercise4C_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11E – USING CONDITIONAL STATEMENTS

In this exercise you will add conditional statements to your iRules, using if, elseif, and else statements, in addition to using the stream command.

* Estimated completion time: 40 minutes

TASK 1 – Update the Custom Error Page iRule

Update the iRule you created earlier that displays a custom error page by using a conditional statement to determine the HTTP response status and displaying the error page only when the user receives a 404 error.

* In the iRule Editor, select exercise4B_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* Update the HTTP_RESPONSE event as follows:

NOTE: The indenting within the if command isn’t required; however it can make the iRule easier to read.

* Save the iRule and ensure you don’t receive any syntax errors.
* Open a new Web browser and access http://10.128.20.10.
* Edit the URI to http://10.128.20.10/index.html.
* Close the Web browser.

Because this Web server doesn’t have an index.html file, it responded with a 404 error status.
Instead of simply passing the 404 error to the client, we can present them with more useful information in the custom Web page.

TASK 2 – Create Three Wildcard Pools

In the next several iRule examples we’ll be making traffic management decisions. Create three pools to use within these iRules.

* In the Configuration Utility, open the Pool List page.
* Create a pool using the following:
  Name: iRules_pool1
  Health Monitors: gateway_icmp
  Load Balancing Method: Round Robin
  Members (Use the Node List option): Node 10.128.20.11, Service Port * (All Services)
* Create another pool using the following:
  Name: iRules_pool2
  Health Monitors: gateway_icmp
  Load Balancing Method: Round Robin
  Members (Use the Node List option): Node 10.128.20.12, Service Port * (All Services)
* Create another pool using the following:
  Name: iRules_pool3
  Health Monitors: gateway_icmp
  Load Balancing Method: Round Robin
  Members (Use the Node List option): Node 10.128.20.13, Service Port * (All Services)
* Create another pool using the following:
  Name: iRules_pool4
  Health Monitors: gateway_icmp
  Load Balancing Method: Round Robin
  Members (Use the Node List option): Node 10.128.20.14, Service Port * (All Services)

TASK 3 – Use an iRule for Traffic Management Decisions

Use the iRule to make traffic management decisions based on the requested file type.

* In the iRule Editor, update the HTTP_REQUEST event as follows:

This iRule will identify the file type of the user request. If the file type is php, the request will be routed to the iRules_pool1 pool. Because we’re now using the iRule for traffic management decisions, we need to remove the default pool from the virtual server.

* Save the iRule.
* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Open the Resources page.
* For Default Pool, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.20/welcome.php.

Questions:
Did the page display properly? ___________________
If not, why not?
______________________________________________________

* In the iRule Editor, update the HTTP_REQUEST as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.

Questions:
Did the page display properly? ___________________
If yes, which pool supplied the welcome.php page? ______________________________
Which pool supplied the graphics? _______________________________

* Click on the top graphic to go back to the home page.

Questions:
Did the page display properly? ___________________
If not, why not? ______________________________________________________

* In the iRule Editor, update the HTTP_REQUEST as follows:

Since we no longer have a default pool associated with the virtual server, it’s a good idea to have an else statement for requests that don’t match the if or the elseif conditions.

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.

Questions:
Did the page display properly? ___________________
Which page supplied the index.php page? ________________________
Which pool supplied the F5 logo at the bottom of the page? _________________________
Why wasn’t this graphic supplied by iRules_pool2? _____________________________

TASK 4 – Manage Traffic Based on the Service Port

Create a new iRule that will manage traffic based on the request’s application port.

* In the iRule Editor, create a new iRule using the blank template named wildcard_iRule.
* Use the following to create this iRule:
* Save the iRule.

TASK 5 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports.

* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following:
  Name: wildcard_vs
  Destination: Host: 10.128.10.40
  Service Port: * (All Ports)
  iRules: wildcard_iRule
  Default Pool: None
* Open a Web browser and access http://10.128.10.40.

Question: Which pool supplied this request? ___________________

* Edit the URI to https://10.128.10.40.
Question: Which pool supplied this request? ___________________

* Edit the URI to http://10.128.10.40:8081.

Questions:
Which pool supplied this request? ___________________
How was BIG-IP LTM able to view the iRule and make traffic management decisions when there’s no HTTP profile configured on the virtual server? ___________________________________________________________________________

* Close the Web browser.

TASK 6 – Update the iRule to Use the Switch Operator

Update the wildcard_iRule to use the switch operator in place of the if, elseif, else statements.

* In the iRules Editor, update the wildcard_iRule as follows:

In this statement, the -exact argument is optional. The $requestport variable is the value that we are comparing to either 80, 443, or 8081. The statements after the 80, 443, and 8081 are the actions to take if the port value matches. The default statement is for all requests that don’t match port 80, 443, or 8081.

* Save the iRule.
* Test by using a new Web browser to access http://10.128.10.40, http://10.128.10.40:8081, and https://10.128.10.40.
* Close the Web browser.
* In the configuration utility, access the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics.
* Reset the statistics for all pools and all pool members.
* Open a new Putty session and access 10.128.10.40.

NOTE: It’s not necessary to log into the BIG-IP, receiving the login prompt is sufficient.

* In the configuration utility, refresh the pools statistics.

Question: Which pool supplied this request? ___________________

* Close Putty.
* Copy the wildcard_iRule to your Offline iRules.

TASK 7 – Use the Switch Operator to Manage Traffic Based on the File Type

Create an iRule to determine the requested file type. If the request is for an unauthorized file type we’ll present a custom error page for the user. Otherwise we’ll route all requests for graphic files to one pool, PHP pages to another pool, and all other requests to a third pool.
* Open a new Web browser and access http://10.128.10.20.
* Edit the URI to http://10.128.10.20/calc.exe.
* Attempt to run the application.
* Edit the URI to http://10.128.10.20/basic.css.
* Close the Web browser.

Currently this Web application contains files that shouldn’t be accessed by users. We’ll use the iRule to block access to these file types.

* In the iRules Editor, select exercise_iRule.
* Delete the lines containing the if, elseif, and else statements.
* Update the HTTP_REQUEST event as follows:

In this statement, the -glob argument enables us to use wildcard characters. The $httppath variable is the value that we are comparing. For each of the file types we are using the asterisk wildcard. If the $httppath variable ends with exe or css, the user will get a custom response page, and in addition we’ll send an entry to the log file. If the variable ends with jpg, gif, or png, the request is sent to iRules_pool1. If the variable ends with php the request is sent to iRules_pool2 and we send an entry to the log file. The default statement is for all requests that don’t match any of the listed file types.

* Save the iRule and ensure you don’t receive a syntax error.
* Open a new Web browser and access http://10.128.10.20.

Questions:
Which pool supplied the index.php page? ____________________
Why didn’t this request go to iRules_pool2? _____________________________________
Which pool supplied the F5 logo? ____________________

* Select the Welcome link.

Question: Which pool supplied the welcome.php page? ____________________

* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.

Question: Were you able to open these sensitive files? _______________

* View the Putty window.

Questions:
Did requests for images generate a log entry? ________________
Did requests for css files generate a log entry? ________________
Did requests for php pages generate a log entry? _______________

* Close the Web browser.
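
The following iRule is an added example, not the code from the original guide, showing one way to write the switch -glob statement that Task 7 describes. It assumes $httppath is set from HTTP::path, that the custom response is a 403 page, and that the default branch uses iRules_pool3; lower-casing the path is an addition here, because glob matching is case-sensitive and a request for calc.EXE would otherwise fall through to the default branch.

```tcl
when HTTP_REQUEST {
    # HTTP::path returns the path without the query string, so a request
    # such as /calc.exe?x=1 is still compared as /calc.exe.
    # Lower-casing (an addition in this example) makes calc.EXE and
    # basic.CSS match the same patterns as calc.exe and basic.css.
    set httppath [string tolower [HTTP::path]]

    switch -glob $httppath {
        "*.exe" -
        "*.css" {
            # Unauthorized file types: log the attempt and answer from
            # BIG-IP itself, so the request never reaches a pool member.
            # The 403 status and the page text are assumptions.
            log local0. "Blocked request for $httppath from [IP::client_addr]"
            HTTP::respond 403 content "<html><body><h2>Access denied</h2><p>This file type is not available.</p></body></html>" "Content-Type" "text/html"
        }
        "*.jpg" -
        "*.gif" -
        "*.png" {
            # Graphic files: no log entry, as in the task description
            pool iRules_pool1
        }
        "*.php" {
            log local0. "PHP request for $httppath sent to iRules_pool2"
            pool iRules_pool2
        }
        default {
            # The virtual server has no default pool, so every request that
            # matches none of the patterns must be given one here
            # (iRules_pool3 is an assumption).
            pool iRules_pool3
        }
    }
}
```

A request for http://10.128.10.20 itself has the path / and therefore lands in the default branch, even though the Web server answers it with a PHP page.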
TASK 8 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise5_iRule.
* Copy the code from exercise_iRule and paste into exercise5_iRule.
* Save exercise5_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11F – WORKING WITH LISTS

In this exercise you work with lists. First you’ll create a static list and experiment with different commands to manipulate the list. Next you’ll create a dynamic list containing HTTP request headers.

* Estimated completion time: 30 minutes

TASK 1 – Update the HTTP Virtual Server and the iRule

Update the HTTP virtual server by using the HTTP pool as the default pool.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Pool list, select http_pool, and then click Update.
* In the iRule Editor, delete all of the code in the exercise_iRule.

TASK 2 – Work with a Static List

Create a static list, and then use several list commands to manipulate the list.

* To create a new static list, add the following HTTP_REQUEST event to exercise_iRule.
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To sort the list, add the following lines at the end of the HTTP_REQUEST:
  set mylist [lsort $mylist]
  log local0. "Sorted first list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To add items to the list, add the following lines at the end of the HTTP_REQUEST:
  lappend mylist "rst" 222
  log local0. "Second list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: Were the new items added into the sorted order? ___________________

* Add additional lines to the iRule to sort the list after the new items have been added and add an entry to the log file.
After refreshing the http://10.128.10.20/httprequest.php Web page, the log entry should look like this:

* To insert an item to the list, add the following lines at the end of the HTTP_REQUEST:
  set mylist [linsert $mylist 1 "f5"]
  log local0. "Third list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
How are the lappend and linsert commands different? _____________________________
In what position in the list was the new entry added? ________________

* Once again, add additional lines to sort the new list and add an entry to the log file.
* To determine the number of items in the list, add the following line at the end of the HTTP_REQUEST:
  log local0. "Third list length: [llength $mylist]"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What are a couple of advantages of knowing the number of items in a list? ________________________________________________________________________

* Add the following lines at the end of the HTTP_REQUEST:
  lset mylist 3 "456"
  log local0. "Fourth list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
How is the lset command different from the lappend and linsert commands? __________________________________________________________________________
In what position in the list was the new entry added? ________________

* To determine the value of an item in the list, add the following lines at the end of the HTTP_REQUEST:
  set item [lindex $mylist 3]
  log local0. "Item #4: '$item'"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To determine the index value of three different items, add the following lines at the end of the HTTP_REQUEST:
      set find1 [lsearch $mylist "rst"]
      set find2 [lsearch $mylist 222]
      set find3 [lsearch $mylist "deflmo"]
      log local0. "List item 'rst' at index # $find1"
      log local0. "List item '222' at index # $find2"
      log local0. "List item 'deflmo' at index # $find3"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
What index number is “222” at? __________________
Why is the third item displaying at index value -1? _________________________________

TASK 3 – Add Iteration to the iRule

Use iteration to loop through the different items in the static list.

* In the iRule Editor, add the following lines at the end of the HTTP_REQUEST:
      set myaddress "401 Elliott Ave S, Seattle, WA 98119 USA"    (use your own address)
      set mylist [split $myaddress " "]
      log local0. "First item: '[lindex $mylist 0]'"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: Without using iteration, how would you create separate log messages for each list entry? __________________________________________________________________________

* Replace the previous log local0 entry with the following:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What can you add to make these log entries more understandable? __________________________________________________________________________

FOR EXTRA CREDIT

* Update the iteration command so that the log message lists the correct item number:

TASK 4 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6A_iRule.
* Copy the code from exercise_iRule and paste into exercise6A_iRule.
* Save exercise6A_iRule, and then copy it to your Offline iRules.
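
The list commands from Tasks 2 and 3, gathered into one iRule as an added example (it is not the guide's exercise code). The list values are constructed, and the example goes slightly beyond the exercise by contrasting lsearch with and without -exact, which matters once list items or search terms come from request data.

```tcl
when HTTP_REQUEST {
    # Constructed sample values; this is not the list used in the exercise.
    set mylist [list "rst" 222 "abc" "a*c"]

    # lappend and lset take the variable NAME and change the list in place.
    lappend mylist "xyz"
    # lset overwrites an existing index; an index past the end raises an error.
    lset mylist 1 "456"

    # linsert and lsort take the list VALUE and return a new list,
    # so nothing changes unless the result is assigned.
    set mylist [linsert $mylist 1 "f5"]
    set sorted [lsort $mylist]
    log local0. "Unsorted: $mylist"
    log local0. "Sorted:   $sorted"

    # lsearch treats its search term as a glob pattern by default, so the
    # term a*c also matches abc. With -exact the term is compared literally.
    set globhit  [lsearch $mylist "a*c"]
    set exacthit [lsearch -exact $mylist "a*c"]
    log local0. "Index of 'a*c' by glob: $globhit, by -exact: $exacthit"

    # lsearch returns -1 when nothing matches. Test for that before passing
    # the result to lindex, which returns an empty string for a bad index.
    set find [lsearch -exact $mylist "deflmo"]
    if { $find >= 0 } {
        log local0. "Found '[lindex $mylist $find]' at index $find"
    } else {
        log local0. "'deflmo' is not in the list"
    }

    # Iterate with an explicit counter so each log line carries its item number.
    set i 0
    foreach item $sorted {
        log local0. "Item #${i} of [llength $sorted]: '$item'"
        incr i
    }
}
```
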
TASK 5 – Use a Dynamic List in an iRule

Use an iRule to gather information about the client request HTTP headers using the list commands.

* In the iRule Editor, update exercise_iRule as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
How many HTTP headers are in your HTTP request? _________________
Which header is at index position 1? ___________________________
What is the index value for X-Forwarded-For? _________________

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What changes occurred using this profile? ________________________________________

TASK 6 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6B_iRule.
* Copy the code from exercise_iRule and paste into exercise6B_iRule.
* Save exercise6B_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11G – USING IRULES BEST PRACTICES

In this exercise you add comments and debugging statements to an iRule you created earlier.

* Estimated completion time: 15 minutes

TASK 1 – Add Comments to an iRule

Update an iRule by adding several comments to make it easier to understand for other administrators.

* In the iRule Editor, select exercise5_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* In the line directly after the when HTTP_REQUEST line, add the following comment:
      #Identify the requested page and store in a variable
* Continue to add the following comments:

TASK 2 – Adding Debugging Statements for Logging

Logging isn’t recommended for BIG-IP systems in production. Modify non-critical log statements to only run at specified times.
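
One way to combine the header list from Exercise 1.11F Task 5 with the debug switch this task introduces, shown as an added example rather than the guide's own iRule. It goes beyond the exercise by setting the flag once in RULE_INIT as a static variable; the names static::debug and static::redact and the list of redacted headers are assumptions made for the example.

```tcl
when RULE_INIT {
    # Runs when the rule is saved or loaded, not on every request.
    # 1 = write diagnostic detail to the log, 0 = keep the log quiet.
    # (static::debug is a name chosen for this example.)
    set static::debug 1

    # Constructed list for this example: headers whose values carry
    # credentials or session tokens and should never be written to the log.
    set static::redact [list authorization proxy-authorization cookie]
}

when HTTP_REQUEST {
    if { $static::debug } {
        # HTTP::header names returns the request header names as a Tcl list,
        # so the list commands from the previous exercise apply to it directly.
        set names [HTTP::header names]
        log local0. "[HTTP::uri] carries [llength $names] request headers"

        set i 0
        foreach name $names {
            # Header names are case-insensitive, so normalise before comparing.
            if { [lsearch -exact $static::redact [string tolower $name]] >= 0 } {
                set value "<redacted>"
            } else {
                set value [HTTP::header value $name]
            }
            log local0. "Header #${i}: $name = $value"
            incr i
        }
    }
}
```

Setting static::debug to 0 and saving the rule silences every line above without touching the request-handling logic.
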
* In the line directly after the when HTTP_REQUEST line, add the following line:
      set debug 1
* Edit the log statement for PHP pages to the following:
      if { $debug } { log local0. "Request made for $httppath" }
* Add the exact statement above for the switch default statement:
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20 Web page.
* Select the Welcome link.
* Click on the top graphic to go back to the home page.
* Select the Multiple Stream Example link.
* View the Putty window.

For debugging purposes, we can see that requests are made for the root page “/”, php pages, and html pages.

* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, edit the debug statement:
      set debug 0
* Save the iRule and then view the same pages as you did at the beginning of this task.
* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.
* View the Putty window.

We’ve now eliminated unnecessary logging, but can continue to log critical messages.

TASK 3 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise7_iRule.
* Copy the code from exercise_iRule and paste into exercise7_iRule.
* Save exercise7_iRule, and then copy it to your Offline iRules.
* Close the iRule Editor.
* In the Configuration Utility, create an archive file named 1.11_iRules_v11.4.0.1.

MODULE 11 EXERCISES – IAPPS

EXERCISE 1.12A – WORKING WITH IAPP APPLICATION SERVICES

In this exercise you will create an iApp Application Service. You will then examine the effects of enabling and disabling strictness. You will use reentrancy to update the application, and then examine the various objects iApp created for the application.

* Estimated completion time: 20 minutes

TASK 1 – Create a Web Application Using iApp

Create the Web application using an iApp Application Service.

* Open up a new Web browser and access https://10.128.1.245.
* Open the iApp > Application Services page.
* Click Create.
* Create an Application Service using the following information:

      Profile Name                                 app_web
      Template                                     f5.http
      Inline help?                                 No
      Configuration mode                           Basic
      IP address for virtual server                10.128.10.40
      FQDN                                         lamp.f5demo.com
      Create a new pool or use an existing one?    Create a new pool
      Servers to reference                         Address         Port
                                                   10.128.20.11    80
                                                   10.128.20.12    80
                                                   10.128.20.13    80
      Health monitor                               Create new HTTP monitor
      HTTP URI to send                             /index.php
      Expected response                            Welcome

* Click Finished.

TASK 2 – Update Your Local Hosts File

Update the entry in your local hosts file for lamp.f5demo.com.

* Open Notepad using Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Update the lamp.f5demo.com entry:
      10.128.10.40 lamp.f5demo.com
* Save and close the hosts file.

TASK 3 – Test Access to the iApp Application

Test access to the iApp application, and verify how traffic is being load balanced to pool members.

* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
Which pool member(s) supplied content? __________________________________
Why did only one pool member supply content? __________________________________
Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then select the Pools statistics.
* Reset the statistics for all pools and pool members.
* In the http://lamp.f5demo.com Web page, select the HTTP Compress Example link.
* In the Configuration Utility, refresh the Pools statistics.

Questions:
How many Bits Out did this page create? ____________________
How many Packets Out did this page generate? ______________________
How many total requests were needed to generate this Web page? __________________
* Reset the statistics for all pools and pool members.
* Use Ctrl+F5 to refresh the http://www.f5demo.com/bigtext.php page.
* Close the Web browser.
* In the Configuration Utility, refresh the Pools statistics.

Questions:
How many Bits Out did this page create? ____________________
How many Packets Out did this page generate? ______________________
How many total requests were needed to generate this Web page? __________________
What caused the difference in traffic to the pool member? __________________________

TASK 4 – View and Update the Application

Use iApp to update the previously deployed Web application.

* Open the iApp > Application Services page, and then select app_web.
* On the Components page, click app_web_vs. This takes you to the virtual server Properties page.
* Attempt to update the Destination Address to 10.128.10.41.

Question: Why couldn’t you update the virtual server IP address? __________________________

* Open the iApp > Application Services page, and then select app_web.
* Select the Properties tab.
* From the Application Service list, select Advanced.
* Disable Strict Updates, and then click Update.
* Open the app_web_vs virtual server Properties page.
* Update the following:
  o Destination Address: 10.128.10.41
  o OneConnect Profile: None
  o HTTP Compression Profile: None
  o Web Acceleration Profile: None
* Click Update.
* Select the Resources tab.
* From both the Default Persistence Profile and Fallback Persistence Profile lists, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.41.
* Close the Web browser.
* Open the iApp Application Services page, and then select app_web.
* Select the Reconfigure tab.

Question: What is the virtual server IP address? __________________________

* Without making any changes, click Finished.
* Open the app_web_vs virtual server Properties page.

Question: Are the updates you just made still in effect? ____________________
If not, why not?
_____________________________________________________________

* Open the Local Traffic > Profiles > Protocol > TCP page.

Question: How many TCP profiles were created for this application? ___________

* Open the iApp Application Services page, and then select app_web.
* Select the Properties tab.
* Re-enable Strict Updates, and then click Update.
* Select the Reconfigure tab.
* In the Network section, specify the following:

      What type of network connects clients to the BIG-IP system?
          Local area network (LAN)

* Click Finished.
* Open the Local Traffic > Profiles > Protocol > TCP page.

Question: Why is there now only one TCP profile? _________________________________________

TASK 4 – Delete an iApp Application Service

Create a new iApp Application Service using objects from another Application Service, and then attempt to delete both applications.

* Open the iApp > Application Services page.
* Create an Application Service using the following information:

      Profile Name                                 app_web_backup
      Template                                     f5.http
      Inline help?                                 No
      Configuration mode                           Basic
      IP address for virtual server                10.128.10.41
      FQDN                                         (click the X to delete this option)
      Create a new pool or use an existing one?    app_web_pool

* Click Finished.
* Open the Application Services page.
* Select the checkbox for app_web, and then click Delete twice.

Question: Were you able to delete this application? ____________________
If not, why not? _____________________________________________________________

* On the Application Services page, select app_web_backup.

iApp created several objects for this profile: a virtual server, persistence profiles, an http profile, and several optimization profiles.

* Select the Properties tab.
* Click Delete, and then click OK.
* View the following Configuration Utility pages and verify that the application objects are deleted:
  o Virtual Server List
  o HTTP Profiles
  o HTTP Compression Profiles
  o Web Acceleration Profiles
  o Persistence Profiles
  o TCP Profiles
TASK 5 – Update the Wildcard Pools

Update the three wildcard pools you created in the iRules exercises.

* Open the Pool List page.
* Update the following pools:
  o iRules_pool1: disable 10.128.20.11:0, add 10.128.20.11:80
  o iRules_pool2: disable 10.128.20.12:0, add 10.128.20.12:80
  o iRules_pool3: disable 10.128.20.13:0, add 10.128.20.13:80

TASK 6 – Reconfigure the Application Service

Reconfigure the Application Service using the advanced settings.

* Open the iApp Application Services page, and then select app_web.

Questions:
How many profiles did iApp create for this application? _____________________
What type of persistence does this application use? ________________________________

* Select the Reconfigure tab.
* In the Template Options section, select to use Advanced settings.
* In the Network section, specify the following:

      What type of network connects clients to the BIG-IP system?
          Wide area network (WAN)
      How have you configured routing on your web servers?
          Servers have a route to clients through the BIG-IP system

* In the Virtual Server and Pools section, specify the following:

      Which HTTP profile do you want to use?
          Create a new HTTP profile
      Should the BIG-IP system insert the X-Forwarded-For header?
          Do not insert X-Forwarded-For HTTP header
      Which persistence profile do you want to use?
          Do not use persistence
      Which load balancing method do you want to use?
          Weighted Least Connections (member)
      Do you want to give priority to specific groups of servers?
          Use Priority Group Activation
      What is the minimum number of active members in a group?
          2
      Which web servers should be included in this pool?
          Update the following:
              10.128.20.11:80, Limit: 1000, Priority: 8
              10.128.20.12:80, Limit: 800, Priority: 8
              10.128.20.13:80, Limit: 800, Priority: 6
          Add the following:
              10.128.20.14, Limit: 1200, Priority: 10
              10.128.20.15, Limit: 1200, Priority: 10

* In the Delivery Optimization section, specify the following:

      Which Web Acceleration profile do you want to use for caching?
          Do not use caching
      Which compression profile do you want to use?
          Do not compress HTTP responses
      How do you want to optimize client-side connections?
          Create the appropriate tcp-optimized profile

* In the Server Offload section, specify the following:

      Which OneConnect profile do you want to use?
          Do not use OneConnect
      How do you want to optimize server-side connections?
          Create a profile based on tcp-lan-optimized
      How many seconds should Slow Ramp time last?
          200

* In the Application Health section, specify the following:

      How many seconds should pass between health checks?
          10

* Click Finished.
* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
Which pool member(s) supplied content? __________________________________
Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the iRules section, specify the following:

      Do you want to add any custom iRules to this configuration?
          exercise7_iRule

* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

Question: Did the BIG-IP make new traffic management decisions? _________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the SSL Encryption section, specify the following:

      How should the BIG-IP system handle SSL traffic?
          Encrypt to clients, plaintext to servers (SSL Offload)
      Which Client SSL profile do you want to use?
          Create a new Client SSL profile
      Which SSL certificate do you want to use?
          lamp.crt
      Which SSL private key do you want to use?
          lamp.key

Note that the virtual server port changed from 80 to 443 after you selected to use SSL offload.

* In the Virtual Server and Pools section, specify the following:

      Do you want to redirect inbound HTTP traffic to HTTPS?
          Redirect HTTP to HTTPS
      From which port should HTTP traffic be redirected?
          80
* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

EXERCISE 1.12B – WORKING WITH IAPP TEMPLATES

In this exercise you will view the list of system-supplied iApp Templates, and then view the properties of a Template. You’ll then find and download iApp Templates from the F5 downloads page and from DevCentral.

* Estimated completion time: 20 minutes

TASK 1 – View iApp Templates

View the list of system-supplied iApp Templates.

* In the Configuration Utility, open the iApp > Templates page.
* Use the page list box to display all Templates on one page.

Questions:
How many Templates are currently used for Application Services? ________________
How can you tell that these are system-supplied Templates? __________________________

TASK 2 – View the Properties of an iApp Template

View the properties of the f5.http system-supplied Template.

* On the Template List page select f5.http.

Questions:
What are the required BIG-IP modules? _______________________
What is the minimum BIG-IP version? ________________________
What is the maximum BIG-IP version? ________________________

* View the contents of the Implementation, Presentation, and HTML Help sections.
* Change the first line of the HTML Help section to:

Web server iApp Template

Questions:
Can you save this change? ________________
If not, why not? ________________________________________

TASK 3 – Download Updated iApp Templates from F5 Downloads

Access and log in to the F5 Downloads page, then download the updated iApp Templates for v11.3 to your workstation.

* Open the F5 product version download page at https://downloads.f5.com/esd/productlines.jsp.
* Select BIG-IP v11 x / Virtual Edition.
* From the list box select 11.3.0.
* Select iApp-Templates.
* Accept the license agreement.
* Select iapps-1.0.0.8.0.zip.
* Select the best download for your location.
* Save and then unzip the file on your local workstation.

This file contains updated versions of the Exchange 2010 – 2013 Client Access Server and the Citrix XenApp XenDesktop iApp Templates.

TASK 4 – Download a Community-Contributed iApp Template from DevCentral

Access and log in to DevCentral, then find and download a community-contributed iApp Template to your workstation.

* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iApp.
* On the left navigation menu, select Samples.
* Under the Community-Contributed section, select MySQL Proxy iApp.
* Right-click on the green arrow, and then select Save Target As.
* Save and then unzip the file on your local workstation.
* Close the DevCentral Web page.

TASK 5 – Import iApp Templates Into the BIG-IP

Import iApp Templates into your BIG-IP system.

* In the Configuration Utility, open the iApp > Templates page.
* Click Import.
* Click Browse.
* Navigate to the location where you unzipped the downloaded Template files.
* Select f5.microsoft_exchange_2010_2013_cas.tmpl, and then click Open.
* Leave the Overwrite Existing Templates checkbox cleared and click Upload.
* Repeat the steps above to import mysql_proxy.2011-12-02.tmpl.
* Select the Application Services page, and then click Create.
* From the Templates list, select f5.microsoft_exchange_2010-2013_cas.v1.2.0cr1.

You could now use this iApp Template for an application deployment.

* Create an archive file named 1.12_iApps_v11.4.0.1.
INTRODUCTION

Welcome to the F5 LTM Fundamentals Hands-on Exercise Guide. This guide provides hands-on experience with F5 BIG-IP® Local Traffic Manager™ (LTM). You can use these exercises and the virtual environment (vLab) – this includes VMware Workstation and BIG-IP® Virtual Edition (VE) – as a learning tool or to give customer demonstrations.

Note, this guide is written for the following product and vLab version:

* TMOS architecture v11.4.0
* VMware Workstation 9.0.0
* Virtual images:
  o BIGIP 11.4.0.2384.0-scsi-ova
  o LAMP 3.2
  o DoS_Tool 3.0

MODULE 1 EXERCISES – INITIAL INSTALLATION

EXERCISE 1.1 – VMWARE WORKSTATION CONFIGURATION

These steps guide you through requesting a VMware Workstation license from IT, installing and configuring the VMware Workstation environment, downloading and installing the VMware images used in the environment, and making some required manual changes to the LAMP back-end server images.

* Only perform this exercise if this is a first time setup of the vLab.
* Use a Windows environment with this setup guide.
* Estimated completion time: 15 minutes

TASK 1 – Request a VMware Workstation License and Install the Trial Version

* Access https://f5.service-now.com (login using your Olympus credentials).
* From the left navigation menu, select Service Catalog.
* Under Software Requests, select VMware.
* Select the Desktop license.
* In the Select License Type list box, select Workstation (WIN/Linux).
* In the Business Justification field, type F5 vLab, and then click Order Now.

You will receive your VMware Workstation license from IT. In the meantime you have 30 days to use the trial version of VMware Workstation.

* Access http://www.vmware.com/products/workstation/overview.html.
* Download and install the trial version of VMware Workstation 9.

NOTE: These exercises are tested for VMware Workstation version 9.
There may be issues with other versions.

TASK 2 – Set Up the VMware Network Environment

You will configure three VMware networks. VMnet1 acts as the Out of Band Management network for accessing the BIG-IP Configuration Utility. VMnet2 acts as the external network for users accessing virtual servers. VMnet3 acts as the internal VLAN where the back-end Web servers are located.

* Launch VMware Workstation, and then select Edit > Virtual Network Editor.
* Remove any existing VMnets EXCEPT for VMnet0.
* Click the Add Network button, and add VMnet1, VMnet2 and VMnet3.
* Select VMnet1, and configure as follows:
  o Enable the Host-only (connect VMs internally in a private network) option.
  o Select the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.1.0.
  o In the Subnet mask field enter 255.255.255.0.

NOTE: You will use this network to manage the BIG-IP VE system. This configures your local workstation with a VMware network adapter IP address of 10.128.1.1.

* Select VMnet2 and configure as follows:
  o Enable the NAT (shared host’s IP address with VMs) option.
  o Select the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.10.0.
  o In the Subnet mask field enter 255.255.255.0.
  o Click the NAT Settings button.
  o In the Gateway IP field enter 10.128.10.2, and then click OK.

NOTE: These NAT settings enable the BIG-IP VE system to reach the Internet through your workstation’s network adapter. This configures your local workstation with a VMware network adapter IP address of 10.128.10.1.

* Select VMnet3, and configure as follows:
  o Enable the Host-only (connect VMs internally in a private network) option.
  o Clear the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.20.0.
  o In the Subnet mask field enter 255.255.255.0.

NOTE: Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to the internal network. This will avoid asymmetric routing issues and also enable you to demonstrate secure remote access and full proxy features.

* Click OK.

TASK 3 – Download the Virtual Images

Download the BIG-IP image file to your local workstation, and then download and unzip the VMware back-end server images.

* Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.
* Click BIG-IP v11 x / Virtual Edition, and ensure that 11.4.1 is selected in the product version list box.
* Click Virtual-Edition, and then accept the license agreement.
* Click BIGIP-11.4.1.608.0-scsi.ova.
* Click the best download link for your location.
* Save the file to a directory on your local workstation.

NOTE: Ensure the location of this directory has at least 6GB of free disk space.

* Access ftp://wafer.f5net.com/outgoing/F5_Virtual_Environment_Setup_VMware/.
* Download the following files:
  o Exercise_Files.zip
  o LAMP_3.2.7z
* Unzip each downloaded file in the local directory you created earlier in this task.

TASK 4 – Install the BIG-IP VE System VMware Image

Use VMware Workstation to open and install the BIG-IP VE image file.

* In VMware Workstation, go to File > Open.
* Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.4.1.608.0-scsi.ova image file, and then click Open.
* Name the new virtual machine BIGIP_A1_v11.4.
* Enter or browse to a location with at least 4GB of free disk space and click Import.
* Click the Accept button. It will take a few minutes for the image to import.
* After the import completes, select BIGIP_A1_v11.4 from the Library menu, and then click Edit virtual machine settings.
* Map the network adapters to the appropriate VMware networks using the following table:

      Network Adapter      Custom (VMnet1)
      Network Adapter 2    Custom (VMnet2)
      Network Adapter 3    Custom (VMnet3)
      Network Adapter 4    Bridged (Automatic)

* Click OK.

TASK 5 – Install the LAMP VMware Image

Use VMware Workstation to open and install the LAMP VMware server images.

* In VMware Workstation, go to File > Open.
* Select the LAMP_3.2.vmx image file, and then click Open.
* In the VMware Workstation dialog box, click Take Ownership.
* Select LAMP_3.2 from the Library menu, and then click Edit virtual machine settings.
* Map the network adapters to the appropriate VMware networks using the following table:

      Network Adapter      Connect at power on (yes)    Custom (VMnet1)
      Network Adapter 2    Connect at power on (no)     Custom (VMnet2)
      Network Adapter 3    Connect at power on (yes)    Custom (VMnet3)
      Network Adapter 4    Connect at power on (no)     Bridged

* Click OK.

TASK 6 – Edit the Settings of the LAMP Image

The LAMP image requires some manual network configuration changes.

* Select LAMP_3.2 from the Library menu, and then click Power on this virtual machine.
* Within the VMware Workstation window, leave Ubuntu selected and press the Enter key.
* After the image powers on, within the VMware Workstation window (and within the LAMP desktop) click Login.
* Click the Applications Menu icon on the top-left of the screen, and then select Settings Manager.
* In the Hardware section, click Network Connections.
* Select Wired connection 1, and then click Edit.
* From the Device MAC address list box, select the MAC address for eth0.
* Click Save, and then repeat these steps for the following:
  o Wired connection 2 --> eth1
  o Wired connection 3 --> eth2
  o Wired connection 4 --> eth3
* Delete Wired connection 5 – Wired connection 8.
  NOTE: The wired connection entries will not be removed from the Network Connections list until you reboot the image.
- Close the Network Connections and Settings dialog boxes.
- In VMware Workstation, right-click LAMP_3.2 in the Library menu and select Power > Power Off.
- Right-click LAMP_3.2 in the Library menu and select Snapshot > Take Snapshot.
- Name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.

EXERCISE 1.2 – INITIAL BIG-IP CONFIGURATION
In this exercise you will configure the BIG-IP management interface, you’ll use TMSH to create a VLAN and a self IP address, and you’ll request and install a BIG-IP VE license key.
* Your workstation needs Internet access to complete the licensing portion of this exercise.
* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 25 minutes

TASK 1 – Configure BIG-IP Management Interface Settings
Power on the BIG-IP VE image, configure the management interface settings, and then use TMSH to create the external VLAN, self IP address, and default gateway route.
- Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.
  NOTE: You may experience issues when attempting to power on the BIG-IP virtual machine. If you receive an incompatibility message regarding 64-bit operation, complete Task 1.1.
- After the BIG-IP VE system powers on, you are presented with the localhost login screen.
- Log in to the BIG-IP system using the following credentials:
    localhost login: root
    Password: default
- At the CLI prompt, type:
    config
- Configure the management interface using the following information:
    IP Address       10.128.1.245
    Network Mask     255.255.255.0
    Default Route    10.128.1.1

TASK 1.1 – Configure your System BIOS and BIG-IP Management Interface Settings
Complete this task ONLY if you receive an incompatibility message regarding 64-bit operation.
- You may receive the following dialog box:
  This is an issue with the Intel virtualization.
  To resolve it, you must reconfigure your system BIOS.
- Access your system BIOS. To find the disabled virtualization features, perform one of the following, depending on the model of your device:
  o Go to Configuration, and then enable Intel Virtual Technology.
  o Go to Security > Virtualization, and then enable Intel (R) Virtualization Technology and Intel (R) VT-d Feature.
- Press F10 to save and exit the system BIOS. The system reboots and you can proceed.
- Launch VMware Workstation.
- Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.
- After the BIG-IP VE system powers on, you are presented with the localhost login screen.
- Log in to the BIG-IP system using the following credentials:
    localhost login: root
    Password: default
- At the CLI prompt, type:
    config
- Configure the management interface using the following information:
    IP Address       10.128.1.245
    Network Mask     255.255.255.0
    Default Route    10.128.1.1

TASK 2 – Generate an Evaluation License Key
Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license.
- Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com
- Click Eval Key Generator, and log in using your Olympus credentials.
  NOTE: Ensure you are not selecting Dev Key Generator.
- Leave the Generate Eval Base Keys option selected.
- From the Product Line list box, select BIG-IP.
- From the Product list box, select F5-BIG-VE-LAB-LIC.
  NOTE: Ensure you are selecting the license above before moving on.
- Select the 45 Days option, and then click Next.
- On the License Configuration Options page change the Number of Product Keys to Generate to 10.
- Select the GTM, VE and the BIG-IP, LAB (LTM,APM,ASM,AM, GTM), VE checkboxes, and then click Next. The evaluation key is emailed to your F5.com address.
- Once the F5 Development Registration Key email is delivered to your inbox, open it and copy one of the registration keys.

TASK 3 – Access the BIG-IP VE System
Access the management port of the BIG-IP VE system using a Web browser.
- Open up a Web browser and access https://10.128.1.245.
- Proceed with the untrusted security certificate.
- Log in to the BIG-IP system using the following credentials:
    Username: admin
    Password: admin
  The BIG-IP VE system does not yet have a license.

TASK 4 – Activate the BIG-IP System
Use the manual licensing method with the registration key emailed to you to activate the BIG-IP VE system.
- On the Welcome page, click Next.
- On the License page, click Activate.
- In the Base Registration Key field, paste the registration key text.
- For Activation Method, select Manual.
- Click Next.
- Select and copy all of the dossier text to your clipboard.
- Click the F5 Licensing Server link.
- Paste the dossier text in the field, and then click Next.
- Accept the license agreement, and then click Next.
- Select and copy all of the license key text to your clipboard, and then close the Activate F5 Product Web page.
- On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next. The BIG-IP VE system configuration updates. This takes several seconds.
- After the configuration changes complete, log in to the BIG-IP VE system.

TASK 5 – Complete the Setup Utility
Complete the remaining steps of the Setup Utility.
- On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
- On the Device Certificate page click Next.
- On the Platform page, configure these settings using the following information:
    Host Name                                   bigipA1.f5demo.com
    Root Account (Password and Confirm)         default
    Admin Account (Password and Confirm)        admin
- Click Next.
- You are prompted to log out and log back in to the BIG-IP VE system. Click OK.
- Log back in to the BIG-IP VE system.
- Under Standard Network Configuration, click Next.
- Clear the Display configuration synchronization options checkbox.
- Click Next.
- In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information:
    Self IP Address     10.128.20.240
    Self IP Netmask     255.255.255.0
    Port Lockdown       Allow Default
    VLAN Interfaces     Untagged: 1.2
- Click Next.
- In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information:
    External VLAN       Create VLAN external
    Self IP Address     10.128.10.240
    Self IP Netmask     255.255.255.0
    Port Lockdown       Allow 443
    Default Gateway     10.128.10.2
    VLAN Interfaces     Untagged: 1.1
- Click Finished. You are presented with the BIG-IP Web Configuration Utility.
- To find manuals and product information, click the User Documentation link to go to AskF5. The AskF5 knowledge base Web site displays. You can use this site to view knowledge base articles and download product manuals.
- Close the AskF5 Web page.
- Click the Run the Setup Utility link. You can run the Setup Utility at any time. However, you can also make changes manually using the Network option on the left navigation menu.

TASK 6 – Review Configuration Objects
Use the Configuration Utility to view the TMOS objects created with the Setup Utility.
- Open the Network > VLANs > VLANs List page. The Setup Utility created two VLANs: external and internal.
- Open the Network > Self IPs page. The Setup Utility created two self IP addresses:
    Self IP Address     VLAN
    10.128.10.240       external
    10.128.20.240       internal
- Open the Network > Routes page. The Setup Utility created the following route:
    Name                        Resource
    external_default_gateway    10.128.10.2

TASK 7 – Explore Command Line Access (CLI) and tmsh
Access the BIG-IP system and view configuration details using an SSH client (such as PuTTY).
- Use an SSH client (such as PuTTY) to connect to the external self IP address 10.128.10.240.
  You are unable to connect to the BIG-IP system because the Port Lockdown option of the external self IP address is set to allow access for TCP port 443 only.
- In the Configuration Utility, open the Network > Self IPs page.
- Click 10.128.10.240.
- Add TCP port 22 to the Custom List.
- Click Update.
- Use the SSH client again to connect to 10.128.10.240.
- In the PuTTY Security Alert dialog box, click Yes.
- Log in to the BIG-IP CLI using the following credentials:
    Username: root
    Password: default
- At the CLI, type:
    tmsh list net se (and then press the Tab key)
  Question: Did autocomplete display options? _____________________
- At the CLI, complete the following:
    tmsh list net self
  Question: What information is listed? ________________________________
- At the CLI, type:
    tmsh
- At the tmos prompt, type:
    list net vl (and then press the Tab key)
  Questions:
    Did autocomplete display options? _______________________
    Which options are available? _______________________________________
    Why did the tmos prompt replace “list net vl” with “list net vlan”? _______________________________________________________________________
- Press the Enter key.
  Question: What information is listed? ________________________________
- At the tmos prompt, navigate to another location by typing the following:
    ltm node
- At the tmos prompt, type:
    ?
  TMOS displays the commands you can use at this point.
- At the tmos prompt, type:
    q (NOTE: This will exit the list of commands presented by the “?”)
    create ?
  TMOS displays available commands and required objects. The create command requires a name to identify the node.
- At the tmos prompt, type:
    create test_node?
  The create command followed by a name requires a text name or an IP address.
- At the tmos prompt, type:
    create test_node address ?
  You must include an IP address.
- At the tmos prompt, type:
    create test_node address 10.20.30.40
    list
- In the Configuration Utility, open the Local Traffic > Nodes > Node List page.
  You created a node on the BIG-IP VE system.
- In the SSH client, at the tmos prompt, type:
    delete test (and then press the Tab key)
  There is only one possible option, so autocomplete completes the next word.
- Press the Enter key to complete the delete command.
- In the Configuration Utility, refresh the Node List page. You’ve removed the node from the BIG-IP VE system.
- In the SSH client, at the tmos prompt, type:
    / (this brings you back to the root TMOS level)
    quit
- At the CLI, type:
    exit

EXERCISE 1.3 – USER ACCESS AND SYSTEM PREFERENCES
In this exercise you will verify the default capabilities of the built-in admin and root user accounts. You’ll then create a new BIG-IP user account and experiment with two user roles. Finally, you’ll examine the log files and create an archive file.
* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 15 minutes

TASK 1 – Verifying User Access
Attempt to log in using the SSH client and the admin user account.
- Open a new SSH session and connect to 10.128.10.240.
- Attempt to log in using the following credentials:
    Username: admin
    Password: admin
  By default, you cannot open an SSH session using the admin account.
- In the Configuration Utility, open the System > Users > User List page.
- Click admin.
- From the Terminal Access list box, select Advanced shell.
- Click Update.
- Use the SSH client again to connect to 10.128.10.240, and then log in using the admin account.
- Close the SSH session.
- In the Configuration Utility, attempt to log back in to the BIG-IP VE system using the following credentials:
    Username: root
    Password: default
  You cannot log in to the Configuration Utility using the root account. You can only use the root account for CLI access.

TASK 2 – Create a New BIG-IP User Account
Use the Configuration Utility to create a new BIG-IP VE system user account for yourself and experiment with the different user roles.
- Log in to the BIG-IP system using the admin account.
- Open the System > Users > User List page.
- Create a new user account using the following information, and then click Finished.
    User Name           your first name
    Password            your last name (all lowercase)
    Role                Operator
    Partition Access    All
    Terminal Access     tmsh
- Use the SSH client to access 10.128.10.240, and then log in using your new user account.
  Question: Are you at the CLI prompt or the tmos prompt? _________________________
- At the tmos prompt, type:
    ltm node
    create test_node address 10.20.30.40
  You receive a syntax error: incomplete command.
- At the tmos prompt, type:
    create ?
  Your user account does not have privileges to create nodes.
- At the tmos prompt, type:
    quit
  Because you only have TMSH access, quitting TMSH ends the SSH session.
- In the Configuration Utility, click Log out.
- Log back into the Configuration Utility using your new user account.
- Open the Local Traffic > Pools > Pool List page.
  Question: Why are the Create and Delete buttons greyed out? ________________________________
- Open the System > Users > User List page.
- Click your user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
- Log out, and then log back in using the admin account.
- Open the System > Users > User List page.
- Click your new user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
- Change the user’s Terminal Access to Advanced shell.
- Click Update.
- Log out, and then log in using your new user account with the WRONG password. (NOTE: You will view this failed login attempt in the LTM audit log.)
- Log in using your new user account with the correct password.
- Open the Local Traffic > Pools > Pool List page. You now have privileges to create and delete pools.

TASK 3 – View Logging Information
View recent security logging activity using an SCP client (such as WinSCP).
- Use an SCP client (such as WinSCP) to access 10.128.10.240 with your new user account and password.
- On the right side, navigate to the / level.
- Navigate to the /var/log directory.
- Open the secure log file and then scroll to the bottom.
- Locate the log entry for the failed login attempt by your user account.
- Close the secure log file and the SCP client.
- In the Configuration Utility, open the System > Logs > Audit > List page.
- Type fail in the search field, and then click Search.
- Locate the log entry for the failed login attempt by your user account.

TASK 4 – Update System Preferences
Update the BIG-IP VE system preferences with custom settings.
- Open the System > Preferences page.
- From the System Settings list, select Advanced.
- Change the Records Per Screen value to 20.
- From the Start Screen list box, select Statistics.
- Select the Redirect HTTP to HTTPS checkbox.
- Update the Idle Time Before Automatic Logout value to 100000.
- Update the Security Banner Text to Show on the Login Screen to:
    Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.
- Click Update.
- Click Log out.
- Change the URL to http://10.128.1.245. You are redirected to the HTTPS site, and the Login page now displays the custom message.
- Log in using your new user account. The startup page is now the Statistics page.

TASK 5 – Create an Archive File
Use the command line to create an archive file.
- Use the SSH client to connect to 10.128.10.240, and then log in using your new user account.
- At the CLI, type:
    tmsh
- At the tmos prompt, type:
    sys ucs
    ?
- Use the Enter key to scroll through the available commands.
- At the tmos prompt, type:
    q
    save ?
    1.3_initial_setup_v11.4.1.1.ucs ?
  You can create a passphrase when needed.
- Press Enter to create the archive file.
- Quit TMSH, and then exit the SSH client.
- In the Configuration Utility, open the System > Archives page. You created a new archive file on the BIG-IP VE system.

MODULE 2 EXERCISES – PROCESSING TRAFFIC

EXERCISE 2.1 – CREATE AN HTTP POOL AND VIRTUAL SERVER
In this exercise you will configure a pool for HTTP Web servers, a virtual server that uses the HTTP pool, and then verify its functionality. You’ll then update the SNAT settings for the virtual server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Pool
Create a pool containing three HTTP pool members.
- In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
- Open a Web browser and access https://10.128.1.245.
- Log in with the new user account you created in Exercise 1.3.
- Open the Local Traffic > Pools > Pool List page, and then click Create.
- Create a pool using the following information:
    Name                         http_pool
    Load Balancing Method        Round Robin
    Priority Group Activation    Disabled
    New Members (Click Add for each entry):
      Address         Service Port
      10.128.20.11    80
      10.128.20.12    80
      10.128.20.13    80
- Click Finished.
- Open the Local Traffic > Nodes > Node List page. The BIG-IP VE system automatically creates a node for each pool member.

TASK 2 – Create a Virtual Server that Uses the Pool
Create an HTTP virtual server that uses the HTTP pool you created previously.
- Open the Local Traffic > Virtual Servers > Virtual Server List page, and then click Create.
- Create a virtual server using the following information:
    Name            http_vs
    Type            Standard
    Destination     Host: 10.128.10.20
    Service Port    80 (HTTP)
    State           Enabled
    Default Pool    http_pool
- Click Finished.

TASK 3 – Verify the Virtual Server and Pool Functionality
Access the virtual server and ensure that you’re receiving information from all three pool members.
- Use a new Web browser and access the virtual server at http://10.128.10.20. You should see page elements coming from all three of the pool members.
- In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
- From the Statistics Type list box, select Virtual Servers.
  Question: How many connections were opened to create the Web page? ___________
- In the F5 vLab Test Web page, type Ctrl+F5 once, to force the browser to refresh without using its cache.
- In the Configuration Utility, from the Statistics Type list box, select Pools.
  Questions:
    Did traffic go to each pool member? _____________
    Did each member manage approximately the same number of connections? __________

TASK 4 – Modify the Virtual Server SNAT Setting
Identify the effects of adding SNAT Automap to the virtual server.
- In the F5 vLab Test Web page, review the Request Details and examine the Client IP address/port.
  Questions:
    What is the client IP address? ________________________
    Which device “owns” this IP address? ___________________________
- In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
- Click http_vs.
- From the Source Address Translation list box, select Auto Map, and then click Update.
- In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  Questions:
    What is the client IP address? ________________________
    Which device “owns” this IP address? ___________________________
- Close the F5 vLab Test Web page.
- In the Configuration Utility, change the Source Address Translation back to None, and then click Update.

EXERCISE 2.2 – NETWORK MAP
In this exercise you will use the Network Map feature to examine availability information on virtual servers, pools, pool members, and nodes.
* Estimated completion time: 10 minutes

TASK 1 – View Configuration and Status from the Network Map
- In the Configuration Utility, open the Local Traffic > Network Map page.
- Use the mouse to hover over the virtual server and pool objects and notice the information displayed for each object.
- Hover over the pool member objects and notice the information displayed.
- Click the 10.128.20.11:80 pool member. The pool member properties page displays.
- In the Parent Node row, click 10.128.20.11. The node properties page displays.
- Open the Local Traffic > Pools > Pool List page, and then click http_pool.
- Open the Members page.
- Select the checkbox for 10.128.20.11:80, and then click Disable.
- Return to the Network Map page.
- In the Search box, type 20.12, and then click Update Map. All objects that match the search criteria are highlighted.
- Click the 10.128.20.11:80 pool member.
- In the State row, select the Enabled option to re-enable this pool member, and then click Update.

TASK 2 – Reset Statistics
Reset the statistics for the virtual server, the pool, and all of the pool members.
- Open the Statistics > Module Statistics > Local Traffic page.
- From the Statistics Type list box, select Virtual Servers.
- Select the http_vs checkbox, and then click Reset.
- From the Statistics Type list box, select Pools.
- Use the Select All checkbox to select the http_pool and all three members, and then click Reset.

TASK 3 – View the Local Traffic Log File
Use the Local Traffic log file to identify pool member availability.
- Open the System > Logs > Local Traffic page.
- Click the Timestamp column header to sort in descending order. (The most recent entry should be at the top of the list.)
- In the Search box type disabled, and then click Search. You can quickly identify when a pool member or node has been disabled.

TASK 4 – Saving the Configuration
Use the Configuration Utility to create an archive file.
- Open the System > Archives page, and then click Create.
- Create an archive using the following information, and then click Finished.
    File Name       2.2_processing_traffic_v11.4.1.1
    Encryption      Disabled
    Private Keys    Include

MODULE 3 EXERCISES – VIRTUAL SERVERS

EXERCISE 3.1 – VIRTUAL SERVER PRIORITY
In this exercise you will configure a pool and a virtual server that listen on all ports, and then test application access using the virtual server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Wildcard Pool
Create a pool containing three pool members listening on all ports.
- In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the Local Traffic > Pools > Pool List page.
- Create a new pool using the following information, and then click Finished.
    Name                         open_pool
    Load Balancing Method        Round Robin
    Priority Group Activation    Disabled
    New Members (Click Add for each entry):
      Address         Service Port
      10.128.20.11    * All Services
      10.128.20.12    * All Services
      10.128.20.13    * All Services
- Open the Local Traffic > Nodes > Node List page.
  Questions:
    Did BIG-IP LTM create new nodes for this pool? _________________
    If no, why not? ____________________________________________________________

TASK 2 – Create a Wildcard Virtual Server
Create a virtual server listening on all ports that references the pool you created in the previous task.
- Open the Local Traffic > Virtual Servers > Virtual Server List page.
- Create a virtual server using the following information, and then click Finished.
    Name            open_vs
    Type            Standard
    Destination     Host: 10.128.10.20
    Service Port    * All Ports
    Default Pool    open_pool

TASK 3 – Verify the Virtual Server and Pool Functionality
Access the wildcard virtual server and ensure that you’re receiving information from all three pool members.
- Open the Statistics > Module Statistics > Local Traffic page, and then select to view Virtual Server statistics.
- Verify that the statistics for all virtual servers are reset.
- Use a new Web browser and access the virtual server at http://10.128.10.20.
- In the Configuration Utility, on the Virtual Servers statistics page, click Refresh.
  Question: Which virtual server processed this request? _________________________
- Reset the virtual server statistics.
- Use an SSH client to access 10.128.10.20.
  NOTE: It’s not necessary to log into the CLI to complete this task.
- Close PuTTY.
- In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
- Reset the virtual server statistics.
- Use a new Web browser to access the secure virtual server at https://10.128.10.20.
- In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
  The HTTP request was directed to http_vs, as this virtual server is more specific than open_vs. The SSH and HTTPS requests were directed to open_vs.
- Delete both the open_vs and the open_pool objects.

EXERCISE 3.2 – FORWARDING AND REJECT VIRTUAL SERVERS
In this exercise you will configure and test a forwarding network virtual server. You’ll then configure and test a reject virtual server for SSH access. Lastly, you’ll create a forwarding host virtual server for SSH access to a single server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Disable the Current Virtual Server
Disable the current HTTP virtual server, and add a route from your workstation to the 10.128.20.0 network.
- Open the Local Traffic > Virtual Servers > Virtual Server List page.
- Select the http_vs checkbox, and then click Disable.
  NOTE: You must disable this virtual server in order to use those you’ll create later in this exercise.
- Use a Web browser to attempt to access a Web server directly at http://10.128.20.13. The request fails, as you do not have direct access to the 10.128.20.0 network.
- On your workstation, open a command prompt.
  NOTE: You may need to run the command prompt as a local administrator. If so, go to the Start menu and type cmd, then right-click cmd.exe and select Run as administrator.
- At the command prompt, type:
    route add 10.128.20.0 mask 255.255.255.0 10.128.10.240
  This adds a route to the 10.128.20.0 network through the external self IP address of the BIG-IP VE system.
  NOTE: You cannot run the route add command while connected to an F5 VPN.
- Leave the command prompt window open.
- Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13. The request fails again, as the BIG-IP VE system does not have a listener to forward this request to the internal network.

TASK 2 – Create a Forwarding (IP) Virtual Server
Create a forwarding (IP) virtual server for the 10.128.20.0 network.
- In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
- Create a virtual server using the following information, and then click Finished.
    Name            forward_vs
    Type            Forwarding (IP)
    Destination     Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port    * All Ports
    Protocol        * All Protocols
- Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13. The request is successful. Note in the Request Details section, the virtual server address is the same as the pool member address. The virtual server did not process the packet, but simply forwarded it to the internal network.
- Change the URL to https://10.128.20.12.
- Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
- Close the SSH session and the F5 vLab Test Web page. You now have access to all ports and all protocols on the 10.128.20.0 network.

TASK 3 – Create a Reject Virtual Server
Create a reject virtual server to reject SSH traffic going to the 10.128.20.0 network.
- In the Configuration Utility, open the Virtual Server List page.
- Create a virtual server using the following information, and then click Finished.
    Name            reject_vs
    Type            Reject
    Destination     Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port    22 (SSH)
- Use an SSH client to connect to 10.128.20.11.
- When your request times out, close the SSH session.
- Use a Web browser to access http://10.128.20.11. Although you still have HTTP access to 10.128.20.11, you no longer have SSH access to any hosts on the 10.128.20.0 network.
- Close the F5 vLab Test Web page.

TASK 4 – Create a Forwarding Host Virtual Server
Create another forwarding (IP) virtual server, enabling SSH traffic to 10.128.20.11 only.
- In the Configuration Utility, on the Virtual Server List page, create a virtual server using the following information, and then click Finished.
    Name            ssh_vs
    Type            Forwarding (IP)
    Destination     Host: 10.128.20.11
    Service Port    22 (SSH)
- Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
- Open a new SSH session and connect to 10.128.20.12.
- When your request times out, close the SSH session. You now have access to all ports and protocols on the 10.128.20.0 network except for port 22. You only have access to port 22 on host 10.128.20.11.
- In the Configuration Utility, delete forward_vs, reject_vs, and ssh_vs.
- Re-enable http_vs.
- In the command prompt window, type:
    route DELETE 10.128.20.0
- Close the command prompt.

TASK 5 – Saving the Configuration
Use the Configuration Utility to create an archive file.
- Open the System > Archives page.
- Create an archive using the following information, and then click Finished.
    File Name       3.2_virtual_servers_v11.4.1.1
    Encryption      Disabled
    Private Keys    Include

MODULE 4 EXERCISES – POOLS

EXERCISE 4.1 – INSTALL REQUIRED SOFTWARE
You will need to install and configure JMeter in order to use this exercise guide.
* Do not perform exercise 4.1 if you already have JMeter installed.
* Estimated completion time: 10 minutes

TASK 1 – Download and Install JMeter
Download and install JMeter.
- Use a Web browser to access http://jmeter.apache.org/download_jmeter.cgi.
- From the Binaries section, download either the TGZ or ZIP file of the latest version of Apache JMeter.
- Extract the downloaded file on your workstation. You will use the bin/jmeter.bat program to create a Web server load simulation.

TASK 2 – Configure a Path Value for java.exe
In order to use JMeter your workstation must have a path variable value for accessing java.exe.
- On your workstation open C:\Program Files.
- Open the Java folder. If there is no folder named Java, look in the Program Files (x86) folder.
- Open jre7, and then open bin. Verify that this folder contains the java.exe executable file.
- Right-click in the address bar and select Copy address.
- Open the Start menu, and then type environment in the search bar.
- Click Edit environment variables for your account.
- In the Environment Variables dialog box, in the User variables for section, do one of the following:
  o If there is an existing path variable:
    - Select path, and then click Edit.
    - At the end of the existing Variable value, add a semi-colon, and then paste the address text.
  o If there is not an existing path variable:
    - Click New.
    - Name the new variable path.
    - In the Variable value field, paste the address text.
- Click OK twice.

EXERCISE 4.2 – CREATE A WEB LOAD TEST
Use JMeter to record a visit to your virtual server, and then create a load configuration to simulate 50 users accessing the recording.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Use JMeter to Record a Visit to the Web Site
Use JMeter to record a series of requests to the http_vs virtual server.
- In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
- In the location where you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
  NOTE: If you do not have JMeter installed, return and complete Exercise 4.1.
- In the navigation panel, right-click Test Plan, and then select Add > Threads (Users) > Thread Group.
- Change the name to 10.128.10.20 Test.
- In the Number of Threads (Users) field, enter 100.
- In the Loop Count field, enter 3.
- Go to File > Save, and save the file as 10.128.10.20_Test.jmx. This will simulate 100 users accessing the BIG-IP VE system and visiting each page three times.
- In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Config Element > HTTP Request Defaults.
  o In the Server Name or IP field, enter 10.128.10.20.
  o In the Port Number field, enter 80.
- In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Home Page.
  o In the Path field, enter /
  o Clear the Use KeepAlive checkbox.
- In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Welcome Page.
  o In the Path field, enter /welcome.php
  o Clear the Use KeepAlive checkbox.
- In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Listener > Summary Report.
- Click the Save button.

TASK 2 – Use JMeter to Simulate Multiple Visits to the Web Site
Use JMeter to play the recording to the downstream Web site.
- In JMeter, select 10.128.10.20 Test, and then go to Run > Start.
- Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.

TASK 3 – Verify Virtual Server and Pool Statistics
View the virtual server and pool statistics, and then reset all statistics.
- In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
- Select to view the Pools statistics.
  Question: Were the connections distributed evenly between the three pool members? ________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.3 – LOAD BALANCING METHODS
In this exercise you will change the load balancing method to Ratio and view the resulting behavior.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Configure Ratio Member Load Balancing
Update the http_pool by changing the load balancing method to Ratio (member), and then assign ratio values to the different pool members.
* Open the Local Traffic > Pools > Pool List page.
* Click http_pool.
* Open the Members page.
* In the Load Balancing section, from the Load Balancing Method list box, select Ratio (member).
* Click Update.
* In the Current Members section, click 10.128.20.11:80.
* Within the Configuration section, set the Ratio value to 4.
* Click Update, and then return to the Members page.
* Update the remaining pool members with the following information:

  Member             Ratio
  10.128.20.12:80    2
  10.128.20.13:80    1

* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.
* In the Configuration Utility, view the Pools statistics.
  Questions:
  Were the connections distributed evenly? _____________
  Were the connections distributed using a 4 – 2 – 1 ratio? _____________
* Reset the statistics for the pool and all pool members.

TASK 2 – Configure Weighted Least Connections Load Balancing
Update the http_pool by assigning connection limit values to the different pool members and then changing the load balancing method to Weighted Least Connections (member).
* Click to edit the http_pool object, and then open the Members page.
* Update the pool members with the following information:

  Member             Connection Limit
  10.128.20.11:80    1200
  10.128.20.12:80    250
  10.128.20.13:80    50

  NOTE: Ensure that all three pool members have Connection Limit values before proceeding.
* Change the Load Balancing Method to Weighted Least Connections (member), and then click Update.
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.
* Close JMeter.
* In the Configuration Utility, view the Pools statistics.
  Question: Were the pool members utilized properly based on the configured connection limits? _________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.4 – PRIORITY GROUP ACTIVATION
In this exercise you will enable priority group activation, and then add two additional pool members to the HTTP pool. You’ll then examine how the BIG-IP system utilizes the pool members.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Enable Priority Group Activation
Update the http_pool by enabling priority group activation, and then assign priority values to the different pool members. Add two additional members to the pool.
* Click to edit the http_pool object, and then open the Members page.
* In the Priority Group Activation list box, select Less than.
* In the Available Member(s) field, enter 2, and then click Update.
* Update the pool members with the following information:

  Member             Priority Group
  10.128.20.11:80    8
  10.128.20.12:80    8
  10.128.20.13:80    4

* Add new pool members using the following information:

  Address         Service Port    Ratio    Priority Group    Connection Limit
  10.128.20.14    80              1        4                 10
  10.128.20.15    80              1        3                 10

* Use a Web browser to access http://10.128.10.20.
* Use Ctrl+F5 several times to refresh the page.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.11:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request?
  _____________________________
  With priority group activation set to 2 members, why are there now three members supplying content? ___________________________________________________________________________
* In the Configuration Utility, disable pool member 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Using priority group activation, we can always be assured that we have at least two pool members available to fulfill user requests.
* In the Configuration Utility, re-enable pool members 10.128.20.11:80 and 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  For the first couple of refreshes, content should still come from node #5 (10.128.20.15:80), because the connections had yet to close. Eventually you will notice requests come only from 10.128.20.11, 10.128.20.13, and 10.128.20.14.
* In the Configuration Utility, re-enable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  After refreshing a couple of times, all requests now come from 10.128.20.11 and 10.128.20.12 only.
* Close the F5 vLab Test Web page.
* Update the http_pool by changing the Priority Group Activation value back to Disabled, and then click Update.
* Create an archive file named 4.4_pools_load_balancing_v11.4.1.1.

MODULE 5 EXERCISES – MONITORS

EXERCISE 5.1 – USING MONITORS WITH NODES
In this exercise you will assign the default monitor to be used for all nodes, in addition to assigning a node-specific monitor as well as disassociating the default monitor from a node.
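Looking back at Exercise 4.4 before continuing: the member selection observed there can be modelled in a few lines. The following is an added example, not part of the F5 guide and not F5 code; it is a simplified Python model of Priority Group Activation set to Less than 2 available members, replaying the exercise's disable and re-enable steps. The Member class and all function names are hypothetical, and the model ignores connection limits, monitor state changes, and connections that are already open.

```python
"""Simplified model of priority group activation ("Less than N").

Added illustration for Exercise 4.4; names are hypothetical. The model
decides only which members are eligible for NEW connections. Existing
connections, connection limits and the load balancing method are outside it.
"""
from dataclasses import dataclass


@dataclass
class Member:
    address: str
    priority: int             # higher value = preferred priority group
    enabled: bool = True      # administrative state (Enabled / Disabled)
    monitor_up: bool = True   # health monitor verdict (always up here)

    @property
    def available(self) -> bool:
        return self.enabled and self.monitor_up


def active_members(pool, min_available):
    """Return the addresses eligible for new connections.

    Groups are activated from the highest priority downward until the number
    of available members across the activated groups is no longer less than
    min_available. min_available <= 0 models "Disabled": every available
    member is eligible regardless of priority.
    """
    available = [m for m in pool if m.available]
    if min_available <= 0:
        return sorted(m.address for m in available)
    active = []
    for priority in sorted({m.priority for m in available}, reverse=True):
        active.extend(m for m in available if m.priority == priority)
        if len(active) >= min_available:
            break
    return sorted(m.address for m in active)


def lowest_active_priority(pool, min_available):
    """Lowest priority group taking traffic, or None if nothing is available.

    A drop in this value is a useful alerting signal: traffic has spilled
    over to members that were meant to be reserves.
    """
    chosen = set(active_members(pool, min_available))
    priorities = [m.priority for m in pool if m.address in chosen]
    return min(priorities) if priorities else None


def exercise_pool():
    """Pool members and priority groups as configured in Exercise 4.4."""
    return [
        Member("10.128.20.11:80", 8),
        Member("10.128.20.12:80", 8),
        Member("10.128.20.13:80", 4),
        Member("10.128.20.14:80", 4),
        Member("10.128.20.15:80", 3),
    ]


def set_enabled(pool, address, enabled):
    for member in pool:
        if member.address == address:
            member.enabled = enabled
            return
    raise KeyError(address)


def replay_exercise(min_available=2):
    """Apply the exercise's steps in order and record the result of each."""
    pool = exercise_pool()
    steps = [
        ("initial state", []),
        ("disable .11", [("10.128.20.11:80", False)]),
        ("disable .13", [("10.128.20.13:80", False)]),
        ("disable .12", [("10.128.20.12:80", False)]),
        ("re-enable .11 and .13", [("10.128.20.11:80", True),
                                   ("10.128.20.13:80", True)]),
        ("re-enable .12", [("10.128.20.12:80", True)]),
    ]
    results = []
    for label, changes in steps:
        for address, enabled in changes:
            set_enabled(pool, address, enabled)
        results.append((label,
                        active_members(pool, min_available),
                        lowest_active_priority(pool, min_available)))
    return results


if __name__ == "__main__":
    for label, members, lowest in replay_exercise():
        print(f"{label:24} -> {members} (lowest active group: {lowest})")
```

Running the script prints one line per step, which can be compared with what the F5 vLab Test Web page shows after each change.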
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Verify the Snapshot for the LAMP Image
In these exercises you will make modifications to the LAMP VMware image. Ensure that you have a snapshot before moving on.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 and select Snapshot.
* If you do not have a snapshot named LAMP_3.2_Clean, select Take Snapshot, and name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.
* Power on the BIGIP_A1_v11.4 and LAMP_3.2 images.

TASK 2 – Assign a Default Monitor for all Nodes
Assign the BIG-IP system default icmp monitor as the default monitor for all nodes.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Nodes > Node List page.
* Examine the Status of the listed nodes.
* Open the Default Monitor page.
* Select icmp from the Available list, then click <<, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

TASK 3 – Create a Custom ICMP Monitor
Create a custom ICMP monitor that will be used with only one node.
* Open the Local Traffic > Monitors page, and then click Create.
* Create a new monitor using the following information, and then click Finished.

  Name              custom_icmp_monitor
  Type              ICMP
  Parent Monitor    icmp
  Interval          4
  Timeout           13
  Transparent       No

TASK 4 – Assign the Custom Monitor to a Specific Node
Assign the custom icmp monitor to 10.128.20.12.
* Open the Local Traffic > Nodes > Node List page, and then click 10.128.20.12.
* Assign the monitor to the node using the following information:

  Health Monitors             Node Specific
  Select Monitors: Active     custom_icmp_monitor
  Availability Requirement    All

* Click Update.

TASK 5 – Assign No Monitors to a Specific Node
Assign no monitors to 10.128.20.13.
* On the Node List page, click 10.128.20.13.
* From the Health Monitors list box, select None, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.
  The BIG-IP system default icmp monitor has been assigned to the Node Default monitor and these nodes are using that monitor:
  o 10.128.20.11
  o 10.128.20.14
  o 10.128.20.15
  The custom_icmp_monitor is assigned to node 10.128.20.12.
  There is no monitor assigned to node 10.128.20.13.
  This is not a recommended configuration. This setup is only to demonstrate three methods to assign monitors to nodes.

EXERCISE 5.2 – USING MONITORS WITH POOLS
In this exercise you will create a custom HTTP monitor and assign the monitor to the HTTP pool. You will then view the effects of using monitors on the virtual server, pool, pool members, and nodes.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Check Current Pool Member Status
Use the Pool List page to examine the current status of the members of the HTTP pool.
* Open the Local Traffic > Pools > Pool List page.
* Click http_pool, and then open the Members page.
* Examine the Status of the listed members.
  Question: Will BIG-IP LTM distribute traffic to pool members that are unknown? _____________

TASK 2 – Create a Custom HTTP Monitor
Create a custom HTTP monitor that requests a specific Web page from the pool member and that verifies a specific text string is returned in the HTTP response.
* Open the Local Traffic > Monitors page, and then click Create.
* Create a monitor using the following, and then click Finished.

  Name              custom_http_monitor
  Type              HTTP
  Interval          4
  Timeout           13
  Send String       GET /HealthCheck.html\r\n
  Receive String    SERVER_UP

TASK 3 – Assign the Custom Monitor to the Pool
Assign custom_http_monitor to http_pool.
* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* For Health Monitors, select custom_http_monitor, click <<, and then click Update.

TASK 4 – View the Network Map
View the status of virtual server, pool, pool members, and nodes using Network Map.
* Open the Local Traffic > Network Map page.
* Use the mouse to hover over the different pool members.
  Question: Why is the status of node 10.128.20.13 different from the other nodes? ___________________________________________________________________

TASK 5 – View the Effects of Using Monitors
Make changes to the Web site on the LAMP image, and then view how the changes affect the Network Map.
* Use an SSH client to connect to the LAMP_3.2 image at 10.128.1.252.
* Log in using the following credentials:
  Username: root
  Password: default
* Access and view the Web server components on 10.128.20.11:80 by typing:

    cd /var/www/server/1
    ls

  The HealthCheck.html Web page currently exists on pool member 10.128.20.11:80.
* To rename this Web page, type:

    mv HealthCheck.html NewHealthCheck.html

  This removes the HealthCheck.html Web page from pool member 10.128.20.11:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member.
  The virtual server and pool display available.
  Pool member 10.128.20.11:80 displays offline.
  These pool members display available:
  o 10.128.20.12:80
  o 10.128.20.13:80
  o 10.128.20.14:80
  o 10.128.20.15:80
  All the nodes display as available, except 10.128.20.13, which displays unknown.
* In the SSH session, to change contents of the HealthCheck.html Web page on 10.128.20.12:80 using visual editor, type:

    cd ..
    cd 2
    vi HealthCheck.html

  NOTE: You can use the Tab key to autocomplete the Web page name.
* Arrow down to the SERVER_UP paragraph, and then arrow over to the word UP.
* Type X to delete UP.
* To save and quit visual editor, type:

    :wq

  The text string “SERVER_UP” will no longer be found in the HealthCheck.html Web page on pool member 10.128.20.12:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
  The virtual server and pool still display available.
  Pool members 10.128.20.11:80 and 10.128.20.12:80 display offline.
  These pool members display available:
  o 10.128.20.13:80
  o 10.128.20.14:80
  o 10.128.20.15:80
* In the SSH session, to delete the IP address from 10.128.20.14:80, type:

    ip addr del 10.128.20.14/24 dev eth2

  This removes the IP address from node 4. The BIG-IP VE system will not receive an ICMP response from the node.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member.
  Node 10.128.20.14 now displays offline, which causes pool member 10.128.20.14:80 to display offline.
* Open the http_pool pool, and then open the Members page.
  o Update the Connection Limit of 10.128.20.13:80 to a value of 100.
  o Update the Connection Limit of 10.128.20.15:80 to a value of 5.
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Big Text Page
  o In the Path field, enter /bigtext.php
  o Clear the Use KeepAlive checkbox.
* Select 10.128.10.20 Test, and then go to Run > Start.
* While the test runs, in the Configuration Utility continue to refresh the Network Map page.
  Eventually pool member 10.128.20.15:80 displays unavailable because it reaches the configured connection limit.
* Use a new Web browser to access http://10.128.10.20.
  The page will be slow to load, and there should only be page elements supplied by pool member 10.128.20.13:80.
* In the Configuration Utility, go to node 10.128.20.13, select Forced Offline, and then click Update.
* Open the Network Map page, and then click Update Map.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.
  Eventually you’ll receive a page error, as there will be no pool members left to fulfill the request.
* In JMeter, if the load test is still running, click the Stop button.
* Save the 10.128.10.20 Test, and then close JMeter.
* In the Configuration Utility, continue to click Update Map until pool member 10.128.20.15:80 is again available.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  You receive the Web page. All elements come from pool member 10.128.20.15:80.
* In the SSH session, to replace the text string in the HealthCheck.html Web page on 10.128.20.12:80:
  o Type: vi HealthCheck.html
  o Arrow to the location where you removed the text UP.
  o Type an “i” to enter insert mode.
  o Type UP.
  o Type the following commands: :wq
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  There are now page elements coming from both 10.128.20.12:80 and 10.128.20.15:80.
* In the Configuration Utility on the Network Map page, click Update Map.
  The virtual server and pool again display available.
  Pool members 10.128.20.11:80 and 10.128.20.14:80 display offline.
  Pool member 10.128.20.13:80 displays forced offline.
  Pool members 10.128.20.12:80 and 10.128.20.15:80 display available.

EXERCISE 5.3 – USING AN INBAND MONITOR
In this exercise you experiment with using a combination of passive monitoring and active monitoring.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create and Use an Inband Monitor
Create a custom inband monitor with a retry time of 0.
* Open the Local Traffic > Monitors page.
* Create a monitor using the following information, and then click Finished.

  Name          custom_inband_monitor
  Type          Inband
  Retry Time    0 seconds

TASK 2 – Update the HTTP Monitor
Configure custom_http_monitor to use the Up Interval setting.
* On the Monitors page, click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For the Up Interval value, select Enabled, then type 60 seconds, and then click Update.
  With this configuration, LTM uses the up interval setting for the active monitor (60 seconds) as long as the inband monitor identifies the pool member available.
  If the inband monitor identifies the pool member as suspect or offline, the regular interval is used for the active monitor (4 seconds).

TASK 3 – Update the HTTP Pool
Add custom_inband_monitor along with custom_http_monitor to http_pool.
* Open the Pool List page, and then click http_pool.
* From the Configuration list, select Advanced.
* Select custom_inband_monitor and click <<.
* From the Availability Requirement list box, select At Least, then type 1, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.
  There are now page elements provided by 10.128.20.11:80 and 10.128.20.12:80.
* In the Configuration Utility, open the Network Map page.
* Click 10.128.20.11:80 and examine the Availability and Health Monitors statuses.
* Notice the custom_http_monitor fails, while the custom_inband_monitor succeeds. Because we modified the availability requirement to 1 health monitor, the pool member is identified as available.

EXERCISE 5.4 – USING MANUAL RESUME
In this exercise you will modify the active HTTP monitor to use manual resume.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the HTTP Monitor
Modify custom_http_monitor to use manual resume. Also, remove custom_inband_monitor from http_pool.
* Open the Monitors page, and then click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For Up Interval, select Disabled.
* For Manual Resume, select Yes, and then click Update.
* Open the Pool List page, and then click http_pool.
* In the Active list, select custom_inband_monitor, and then click >>.
* From the Availability Requirement list box, select All, and then click Update.
* Wait 15 seconds, and then open the Network Map page.
  Pool member 10.128.20.11:80 again displays offline.

TASK 2 – Update the Pool Members
Replace the HealthCheck.html Web page on pool member 10.128.20.11:80.
* In the SSH session, to replace the HealthCheck.html Web page on 10.128.20.11:80, type:

    cd ..
    cd 1
    mv NewHealthCheck.html HealthCheck.html

* Close the SSH session.
* In the Configuration Utility, on the Network Map page, click Update Map.
* Hover over pool member 10.128.20.11:80.
  The pool member 10.128.20.11:80 displays as forced offline, waiting for manual resume.
* Click 10.128.20.11:80.
  When a monitor is set for manual resume, a BIG-IP system administrator must manually enable the pool member after the monitor is again identified as available.
* Select Enabled (All traffic allowed), and then click Update.
* Open the Network Map page.
  The pool member 10.128.20.11:80 is now available.

TASK 3 – Reset the Environment
To prepare for the next exercises, reset the environment, including restoring the Ubuntu image from the clean snapshot.
* Go to the 10.128.20.13 node.
* Change the State to Enabled, and then click Update.
* Open the Monitors page, and then click custom_http_monitor.
* For Manual Resume, select No, and then click Update.
* Create an archive file named 5.4_monitors_v11.4.1.1.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > LAMP_3.2_Clean.
* Click Yes to restore LAMP_3.2.

MODULE 6 EXERCISES – USING PROFILES

EXERCISE 6.1 – USING AN HTTP PROFILE
In this exercise you will create a custom HTTP profile and add it to the HTTP virtual server. You will then examine how the HTTP profile changes the traffic management behavior.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Custom HTTP Profile
Create a custom HTTP profile.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
* Create an HTTP profile using the following information, and then click Finished.

  Name                        custom_http_profile
  Fallback Host               http://www.f5.com
  Fallback on Error Codes     404 500-503
  Response Headers Allowed    Content-Type Set-Cookie Location
  Insert X-Forwarded-For      Enabled
  Maximum Requests            50

  Notice the current inherited setting for Maximum Header Size is 32768 bytes.

TASK 2 – Modify the Default HTTP Profile
Make a couple of modifications to the BIG-IP system default http profile, and then examine which values were inherited by custom_http_profile.
* On the Profiles: Services: HTTP page, click http.
* Edit the profile using the following information, and then click Update.

  Maximum Header Size    16384
  Maximum Requests       30

* On the Profiles: Services: HTTP page, click custom_http_profile.
  Questions:
  Did the custom profile inherit the maximum header size setting? ________________
  Did the custom profile inherit the maximum requests setting? _______________

TASK 3 – Add the Custom HTTP Profile to a Virtual Server
Add custom_http_profile to http_vs.
* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on This Host section, click the Request and Response Headers link.
* Leave this browser open.
* In the Configuration Utility, open the Virtual Server List page, and then click http_vs.
* In the Configuration section, from the HTTP Profile list box, select custom_http_profile.
* Click Update.
* Use a second Web browser to access http://10.128.10.20.
* Click the Request and Response Headers link.
* Using both Web browsers, examine the different Response Headers delivered to the Client sections.
  Questions:
  Why are there fewer response headers in the second version of this Web page? _______________________________________________________________
  Which response headers that were exposed in the first version of this Web page could be exploited by a hacker? ________________________________________________________________
* Using both Web browsers, examine the different Request Headers Received at the Server section.
  Question: On the second version, what is the X-Forwarded-For value? _________________________
* Close the first Web browser.
* In the second Web browser, change the URL to http://10.128.10.20/badpage.php.
  Questions:
  What was the result of this request? ________________
  Why were you redirected to www.f5.com? ___________________________________
* Close the Web browser.

TASK 4 – Update the Custom HTTP Profile
Update custom_http_profile with additional settings.
* In the Configuration Utility, open the Local Traffic > Profiles > Services > HTTP page, and then click custom_http_profile.
* Edit the profile using the following information, and then click Update.

  Request Header Erase        User-Agent
  Request Header Insert       Bigip-Httpvs:10.128.20.10
  Response Headers Allowed    Content-Type Set-Cookie Location X-Injected

* Use a Web browser to access http://10.128.10.20, and then click Request and Response Headers.
  Questions:
  Is the new Bigip-Httpvs request header displaying? ________________
  Are you still seeing the User-Agent header? __________________

EXERCISE 6.2 – USING A STREAM PROFILE
In this exercise you will create a custom stream profile that will replace a static text string for responses from the customer’s Web site.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – View a Current Web Page
View the text that needs to be replaced on the customer’s Web site.
* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on this Host section, click Stream Profile Example.
  This page has several references to the company’s previous name, Lorax Bank. Without going through the task of updating several pages across multiple Web servers, you’ll make this update on BIG-IP LTM using a stream profile.

TASK 2 – Create a Stream Profile
Create a custom stream profile that will find occurrences of the customer’s previous name and replace it with their updated company name.
* In the Configuration Utility, open the Local Traffic > Profiles > Other > Stream page, and then click Create.
* Create a stream profile using the following information, and then click Finished.

  Name      custom_stream
  Source    Lorax Bank
  Target    Lorax Investments

TASK 3 – Add the Custom Stream Profile to a Virtual Server
Add custom_stream to http_vs.
* Open the Virtual Server List page, and then click http_vs.
* From the Configuration list box, select Advanced.
* In the Configuration section, from the Stream Profile list box, select custom_stream.
* In the Acceleration section, from the HTTP Compression Profile list box, select httpcompression, and then click Update.
* Return to the F5 vLab Test Web page and refresh the Welcome to Lorax Bank page.
  The stream profile replaced all occurrences of the string “Lorax Bank” with “Lorax Investments”.
* Close the Web browser.
* Create an archive file named 6.2_profiles_v11.4.1.1.

MODULE 7 EXERCISES – PERFORMANCE PROFILES

EXERCISE 7.1 – USING COMPRESSION AND ACCELERATION
In this exercise you will use iMacros for Firefox to create a recording of a visit to the HTTP virtual server. You will then create several optimization profiles, including HTTP compression, caching, and TCP. You will create a similar HTTP pool and virtual server and add the profiles to the new virtual server. You’ll then record a similar visit to the Web site using iMacros for Firefox and identify improvements.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Install iMacros for Firefox
Install iMacros for Firefox.
* Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/.
* Download and install iMacros for Firefox.

TASK 2 – Record BIG-IP LTM Performance without Optimization
Clear the statistics, then update http_vs by removing the HTTP and stream profiles, and then record a visit to the HTTP virtual server using iMacros for Firefox.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Statistics > Module Statistics > Local Traffic page.
* Reset the virtual server, pool, and pool member statistics.
* Open the Virtual Server List page, and then click http_vs.
* From the HTTP Profile list box, select None.
* From the Stream list box, select None, and then click Update.
* Use a Mozilla Firefox browser to access http://10.128.10.20.
* Click I Understand the Risks, then click Add Exception, and then click Confirm Security Exception.
* If it’s not already displayed, enable the iMacros pane.
* In the iMacros pane, select the Rec tab, and then click Record.
* Record the following series of clicks:
  o Click Welcome, and then click the banner at the top of the page to return to the home page.
  o Click HTTP Compress Example, and then click the banner at the top of the page.
  o Click Stream Profile Example, and then click the banner at the top of the page.
  o Click Mask Sensitive Content Example, and then click the Back button.
  o Click Simple HTTP Request, and then click the Back button.
  o Click Request and Response Headers, and then click the banner at the top of the page.
* Click Stop.
* Use Ctrl+F5 five times to refresh the page.
* Select the Welcome link, and then click on the banner at the top of the page to return to the home page.
* Click the Welcome link.
* Use Ctrl+F5 five times to refresh the page.
* Click the banner at the top to return to the home page.
* HTTP Compress
* Multiple Stream Example.
* bigtext.txt.
* Change the U
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, select 10.128.10.20 Test.
* Change the Number of Threads (users) to 50.
* Change the Loop Count to 2.
* Go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 300, the test is complete.
  Questions:
  What is the Total Throughput value? ___________________
  What is the Total KB/sec value? ____________________
  What is the Total Avg. Bytes value? ___________________
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression.
  There is no compression taking place.
* Click the Back button, and then click the View link for Web Acceleration.
  There is no caching taking place.

TASK 2 – Configure HTTP Compression and Fast Cache
Create a custom HTTP compression profile and a custom Web acceleration profile.
* Open the Acceleration > Profiles > HTTP Compression page.
* Create an HTTP Compression profile using the following information, and then click Finished.

  Name                                                 custom_compression
  Parent Profile                                       wan-optimized-compression
  Content Compression                                  Content List…
  Content Type (Click Include after each entry)        *.png *.jpg *.php
  Minimum Content Length                               10 bytes
  gzip Compression Level                               6 – Optimal Compression
  Browser Workarounds                                  Enabled

* Open the Acceleration > Profiles > Web Acceleration page.
* Create a Web Acceleration profile using the following information, and then click Finished.

  Name              custom_caching
  Parent Profile    optimized-acceleration
  Cache Size        500 megabytes

TASK 3 – Configure TCP Express and Content Spooling
Enable TCP optimization between the client and BIG-IP LTM, and between BIG-IP LTM and the pool members.
* Open the Local Traffic > Profiles > Protocol > TCP page.
* Create a TCP profile using the following information, and then click Repeat.

  Name              custom_tcp_server_profile
  Parent Profile    tcp_lan_optimized

* Create another TCP profile using the following information, and then click Finished.

  Name                 custom_tcp_client_profile
  Parent Profile       tcp_wan_optimized
  Delayed Acks         Disabled
  Proxy Buffer High    196608
  Selective NACK       Enabled
  Nagle’s Algorithm    Disabled

TASK 4 – Configure OneConnect
Create a custom OneConnect profile.
* Open the Local Traffic > Profiles > Other > OneConnect page.
* Create a OneConnect profile using the following information, and then click Finished.

  Name            custom_oneconnect
  Source Mask     255.255.0.0
  Maximum Size    12000

TASK 5 – Create a Pool and Virtual Server
Create a new pool and virtual server to use with the new performance profiles.
* Create a pool using the following information, and then click Finished.

  Name                     http_pool2
  Health Monitors          custom_http_monitor
  Load Balancing Method    Round Robin
  Members (Use the Node List option):

  Node            Service Port
  10.128.20.11    80
  10.128.20.12    80
  10.128.20.13    80
  10.128.20.14    80
  10.128.20.15    80

* Create a virtual server using the following, and then click Finished.

  Name                         http_vs2
  Destination                  10.128.10.21
  Service Port                 80 (HTTP)
  Configuration                Advanced
  Protocol Profile (Client)    custom_tcp_client_profile
  Protocol Profile (Server)    custom_tcp_server_profile
  HTTP Profile                 http
  Source Address Translation   Auto Map
  OneConnect Profile           custom_oneconnect
  HTTP Compression Profile     custom_compression
  Web Acceleration Profile     custom_caching
  Default Pool                 http_pool2

TASK 6 – Record BIG-IP LTM Performance with Optimization
Record traffic statistics with BIG-IP LTM optimization configured.
* In JMeter, in the navigation panel, select HTTP Request Defaults.
* Change the Server Name or IP to 10.128.10.21.
* Select Summary Report, and then go to Run > Clear.
* Go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 300, the test is complete.
  Questions:
  What is the Total Throughput value? ___________________
  What is the Total KB/sec value? ____________________
  What is the Total Avg. Bytes value? ___________________
* In the Configuration Utility, view the Virtual Servers statistics.
  Questions:
  Was there a significant difference in the number of bits coming in or out of the virtual servers? _______________
  How many maximum connections were opened for http_vs? ______________________
  How many total connections were opened for http_vs? ________________________
  How many maximum connections were opened for http_vs2? ______________________
  How many total connections were opened for http_vs2? ________________________
* Reset the statistics for both virtual servers.
* View the Pools statistics.
  Questions:
  Was there a significant difference in the number of bits coming in or out of the pools? _______________
  Did caching lower the number of packets out for http_pool2? _____________
  Did OneConnect lower the number of connections required for http_pool2? _____________
* Reset the statistics for both pools and all pool members.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression.
  Compression is now taking place for HTML content.
* Click the Back button, and then click the View link for Web Acceleration.
  There should now be many cache hits.
* Create an archive file named 7.1_performance_profiles_v11.4.1.1.

MODULE 8 EXERCISES – PERSISTENCE PROFILES

EXERCISE 1.8A – USING SOURCE ADDRESS PERSISTENCE
In this exercise you will create a source address persistence profile and examine how it changes the BIG-IP load balancing decision.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Update the HTTP Pool
Update the HTTP pool to use round robin load balancing.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Pool List page, and then select http_pool.
* Select the Members tab.
* Change the Load Balancing Method to Round Robin.
* Open a new Web browser and access http://10.128.10.20.
  Question: Are requests coming from one or several pool members?
______________________

TASK 2 – Create a Source Address Persistence Profile

Create a custom source address persistence profile and add it to the HTTP virtual server.

* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Click Create.
* Create a persistence profile using the following information:

    Name                custom_source_addr
    Persistence Type    Source Address Affinity
    Timeout             15 seconds
    Mask                Specify: 255.255.255.0

* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
Are requests coming from one or several pool members? ______________________
Which pool member is supplying the content for this request? ____________________

* Wait at least 15 seconds and then use Ctrl+F5 to refresh the page again.

Questions:
Was the same pool member used for this request? _______________
If not, why not? _________________________________________________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
* Refresh the Statistics page.
* Continue to click Refresh and note the value in the Age column.
* Close the http://10.128.10.20 Web browser.

EXERCISE 1.8B – USING COOKIE PERSISTENCE

In this exercise you will create a custom cookie persistence profile, and then add it in place of the source address persistence profile.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Cookie Persistence Profile

Create a custom cookie persistence profile, and then add it in place of the source address persistence profile.

* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Create a persistence profile using the following information:

    Name                custom_cookie
    Persistence Type    Cookie
    Cookie Method       HTTP Cookie Insert
    Cookie Name         BIGIP_mycookie
    Expiration          Session Cookie (cleared) 8 hours

* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_cookie.
* Click Update.

Questions:
Was the update successful? _______________
If not, why not? _________________________________________________________

* Select the Properties tab.
* For HTTP Profile, select the default http profile.
* Repeat the steps above to update the persistence profile to custom_cookie.
* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.
* In the Content Examples on this Host section, select Display Cookie.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.

Question:
Is there a persistence record for this session? _______________
If not, why not? _________________________________________________________

EXERCISE 1.8C – VIEW PERSISTENCE WITH DISABLED AND OFFLINE POOL MEMBERS

In this exercise you will examine how persistence works with both disabled and offline pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the Source Address Profile and the Virtual Server

Update the timeout value in the source address persistence profile, and then update the HTTP virtual server to use the source address persistence profile.

* Open the Local Traffic > Profiles > Persistence page.
* Select custom_source_addr.
* Update the Timeout to 60 seconds.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
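
The source address persistence behaviour exercised in 1.8A and 1.8C (mask, idle timeout, disabled and forced-offline pool members), as an added Python model; it is not F5 code and not part of the original guide. The client addresses, the timestamps and the simplified round robin are assumptions, and the walk-through uses the 15-second timeout from Exercise 1.8A.

```python
import ipaddress

ENABLED, DISABLED, FORCED_OFFLINE = "enabled", "disabled", "forced offline"
# Pool members of http_pool in this lab.
MEMBERS = ["10.128.20.11", "10.128.20.12", "10.128.20.13",
           "10.128.20.14", "10.128.20.15"]


class SourceAddrPersistence:
    """Simplified model: one record per masked client address, idle timeout."""

    def __init__(self, members, mask="255.255.255.0", timeout=15):
        self.members = list(members)
        self.state = {m: ENABLED for m in self.members}
        self.mask = int(ipaddress.IPv4Address(mask))
        self.timeout = timeout          # seconds of inactivity
        self.records = {}               # masked source -> (member, last_used)
        self._next = 0                  # round robin cursor

    def record_key(self, client_ip):
        """Apply the profile mask: with 255.255.255.0 a whole /24 shares a record."""
        masked = int(ipaddress.IPv4Address(client_ip)) & self.mask
        return str(ipaddress.IPv4Address(masked))

    def _round_robin(self):
        # Connections without a usable record go to enabled members only.
        for _ in self.members:
            member = self.members[self._next % len(self.members)]
            self._next += 1
            if self.state[member] == ENABLED:
                return member
        raise RuntimeError("no enabled pool member")

    def pick(self, client_ip, now):
        """Return the pool member for a new connection at time `now` (seconds)."""
        key = self.record_key(client_ip)
        record = self.records.get(key)
        if record is not None:
            member, last_used = record
            idle = now - last_used
            # Disabled members keep serving clients that already persist to
            # them; forced-offline members do not.
            if idle < self.timeout and self.state[member] != FORCED_OFFLINE:
                self.records[key] = (member, now)   # age resets on use
                return member
        member = self._round_robin()
        self.records[key] = (member, now)
        return member


def walk_through():
    """Replay the lab steps with constructed client addresses and timestamps."""
    lb = SourceAddrPersistence(MEMBERS, mask="255.255.255.0", timeout=15)
    steps = {}
    steps["first"] = lb.pick("10.128.10.1", now=0)
    steps["same_/24"] = lb.pick("10.128.10.77", now=5)      # shares the record
    steps["other_/24"] = lb.pick("10.128.11.5", now=6)      # separate record
    steps["after_idle"] = lb.pick("10.128.10.1", now=21)    # 16 s idle: expired
    lb.state[steps["after_idle"]] = DISABLED
    steps["disabled"] = lb.pick("10.128.10.1", now=25)
    lb.state[steps["after_idle"]] = FORCED_OFFLINE
    steps["forced_offline"] = lb.pick("10.128.10.1", now=30)
    lb.state[steps["after_idle"]] = ENABLED
    steps["re_enabled"] = lb.pick("10.128.10.1", now=35)
    return steps


if __name__ == "__main__":
    for step, member in walk_through().items():
        print(f"{step:15} -> {member}")
```

Because the record key is the masked address, every client behind the same /24 (or the same NAT gateway) lands on one pool member for as long as any of them keeps the record alive.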

TASK 2 – View Effects of Disabled and Offline Pool Members

Make a couple of modifications to the default http profile, and then examine which values were inherited by the custom HTTP profile.

* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.

Question: Which pool member are you currently persisting to? _______________

* In the Configuration Utility, disable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
Did you persist to the same pool member? _______________
Can disabled pool members service client requests? ________________

* In the Configuration Utility, select Forced Offline for the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
Did you persist to the same pool member? _______________
Can offline pool members service client requests? ________________

* In the Configuration Utility, re-enable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Question: Did your persistence session go back to the original pool member? _______________

* Close the Web browser.

EXERCISE 1.8D – USING MATCH ACROSS VIRTUAL SERVERS

In this exercise you will use persistence with two virtual servers. It’s critical that users are persisted to the same pool member, regardless of which virtual server they access.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Clear Statistics and View Access to Two Virtuals

View how requests are currently being handled through both virtual servers.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs2.
* For Protocol Profile (Client), select tcp.
* For Protocol Profile (Server), select (Use Client Profile).
* For each of the following, select None.
    * HTTP Profile
    * OneConnect
* Click Update.
* Open the Statistics > Module Statistics > Local Traffic page.
* Ensure that the statistics for both virtual servers, both pools, and all pool members have been reset.
* Open up a new Web browser and access https://10.128.10.20.
* Type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21.
* Type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.

Questions:
Are requests for http_pool persisting to one pool member? _______________
Are requests for http_pool2 persisting to one pool member? ________________

* Reset the statistics for both pools and all pool members.

TASK 2 – Enable Persistence for http_vs2

Add the source address persistence profile to the second HTTP virtual server.

* Open the Virtual Servers page, and then select http_vs2.
* Select the Resources tab.
* For Default Persistence Profile, select custom_source_addr.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.

Questions:
Are requests for http_pool persisting to one pool member? _______________
Are requests for http_pool2 persisting to one pool member? ________________
Are requests for each different pool persisting to the SAME pool member? ___________

* Reset the statistics for both pools and pool members.

TASK 3 – Enable Match Across Virtual Servers

Update the source address persistence profile to use the Match Across Virtual Servers option.

* Open the Persistence profiles page, and then select custom_source_addr.
* Enable Match Across Virtual Servers.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.

Question: Are requests for each different pool persisting to the SAME pool member? ___________

* Reset the statistics for both pools and pool members.
* Create an archive file named 1.8_persistence_profiles_v11.4.0.1.

MODULE 9 EXERCISES – SSL TERMINATION

EXERCISE 1.9A – SUPPORTING SSL TRAFFIC

In this exercise you’ll set up the BIG-IP to support processing SSL traffic. First you’ll configure the BIG-IP to simply pass SSL traffic through to the pool members. Then you’ll configure the BIG-IP for SSL termination.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Create a Self-Signed Certificate

Create a self-signed certificate for www.f5demo.com.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the System > File Management > SSL Certificate List page.
* Click Create.
* Create a self-signed certificate using the following information:

    Name           custom_ssl_cert
    Type           Self
    Common Name    www.f5demo.com
    Lifetime       3650 days
    Key Type       RSA
    Size           2048 bits

  Fill in the remaining fields however you like.
* Click Finished.

TASK 2 – Create a Client SSL Profile

Create a client SSL profile using the self-signed certificate.

* Open the Local Traffic > Profiles > SSL > Client page.
* Click Create.
* Create a client SSL profile using the following information:

    Name           custom_client_ssl
    Certificate    custom_ssl_cert
    Key            custom_ssl_cert

* Click Finished.

TASK 3 – Create a Custom HTTPS Monitor

Create a custom HTTPS monitor that requests the index.php Web page from the pool member and then verifies that a text string is returned in the response.

* Open the Local Traffic > Monitors page.
* Create a monitor using the following:

    Name              custom_https_monitor
    Type              HTTPS
    Send String       GET /index.php\r\n
    Receive String    FSE vLab Test Web Site

* Click Finished.

TASK 4 – Create an HTTPS Pool and Virtual Server

Create a pool and a virtual server to support SSL traffic, and then test access using a Web browser.

* Open the Pool List page.
* Create a pool using the following:

    Name                     https_pool
    Health Monitors          custom_https_monitor
    Load Balancing Method    Round Robin
    Members                  (Use the Node List option)

    Node            Service Port
    10.128.20.11    443
    10.128.20.12    443
    10.128.20.13    443
    10.128.20.14    443
    10.128.20.15    443

* Click Finished.
* Open the Virtual Server List page.
* Create a virtual server using the following:

    Name            https_vs
    Destination     Host: 10.128.10.20
    Service Port    443 (or HTTPS)
    Default Pool    https_pool

* Click Finished.
* Open a new Web browser and access https://10.128.10.20.
* View the URI and the information in the Pool member address/port.

Questions:
Is the connection between the client and BIG-IP LTM secured? _____________
Is the connection between BIG-IP LTM and the pool member secured? _____________

* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page. Each request is load balanced to different pool members.
* Close the Web browser.

TASK 5 – Add Cookie Persistence to the HTTPS Virtual Server

Attempt to add cookie persistence to the HTTPS virtual server and then verify the results.

* In the Configuration Utility, open the Virtual Server List page, and then select https_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Select the Resources tab.
* For Default Persistence Profile, select custom_cookie.
* Click Update.
* Open a new Web browser and access https://10.128.10.20.

Questions:
Did the Web page display? _____________
If not, why not? _______________________________________________________

TASK 6 – Enable SSL Termination with the HTTPS Virtual Server

Enable SSL termination on the HTTPS virtual server, and then verify the results.

* In the Configuration Utility, on the https_vs page, open the Properties page.
* For SSL Profile (Client), move custom_client_ssl from the Available list to the Selected list.
* For SSL Profile (Server), move serverssl from the Available list to the Selected list.
* Click Update.
* Refresh the https://10.128.10.20 Web browser.
* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page.
* Update the URI to https://10.128.10.20/badpage.exe.

Questions:
Did the Web page display? _____________
Is the connection between the client and BIG-IP LTM secured? _____________
Is the connection between BIG-IP LTM and the pool member secured? _____________
Is cookie persistence working? _____________
Is BIG-IP LTM processing the HTTP profile? _____________

* Edit the URI to https://10.128.10.20.
* Right-click and select Properties.
* Click Certificates.

Question: How can you identify that this is a self-signed certificate? _________________________

* Close the Web browser.

EXERCISE 1.9B – ENABLING SSL OFFLOAD

In this exercise you will update the HTTPS virtual server to perform SSL offload, sending unencrypted traffic to the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Import an SSL Certificate and Key

Import the lamp.f5demo.com certificate and key.

* In the Configuration Utility, open the System > File Management > SSL Certificate List page.
* Click Import.
* From the Import Type list, select Certificate.
* In the Certificate Name box, leave Create New selected and type lamp.
* Click the Browse button.
* Navigate to the Exercise_Files folder and select the lamp.f5demo.com.cer file, and then click Open.
* Click Import.
* Once the certificate has been imported, click Import again to import the corresponding key.
* From the Import Type list, select Key.
* In the Key Name box, leave Create New selected and type lamp.
* Click the Browse button.
* Navigate to the Exercise_Files folder and select the lamp.f5demo.com.key file, and then click Open.
* Click Import.

TASK 2 – Create a Client SSL Profile

Create a new custom client SSL profile using the lamp.f5demo.com certificate and key.

* Open the Local Traffic > Profiles > SSL > Client page.
* Create a client SSL profile using the following information:

    Name           lamp_client_ssl
    Certificate    lamp
    Key            lamp

* Click Finished.

TASK 3 – Update Your Local Hosts File

Add an entry to your local hosts file for lamp.f5demo.com.

* Open Notepad and select Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Add an entry for:

    10.128.10.30 lamp.f5demo.com

* Save and close the hosts file.

TASK 4 – Create an Offload Virtual Server

Create a new virtual server that will perform SSL offload.

* Open the Virtual Server List page.
* Create a virtual server using the following:

    Name                           offload_vs
    Destination                    Host: 10.128.10.30
    Service Port                   443 (or HTTPS)
    Configuration                  Advanced
    HTTP Profile                   custom_http_profile
    Stream Profile                 custom_stream
    SSL Profile (Client)           lamp_client_ssl
    HTTP Compression Profile       custom_compression
    Default Pool                   http_pool
    Default Persistence Profile    custom_cookie

* Click Finished.
* Open a new Web browser and access https://lamp.f5demo.com.
* View the URI and the information in the Pool member address/port.

Questions:
Is the connection between the client and BIG-IP LTM secured? _____________
Is the connection between BIG-IP LTM and the pool member secured? _____________
Is cookie persistence working? _____________

* Select the Request and Response Headers link.

Question: Is the BIG-IP processing the HTTP profile? _____________

* Click the Back button, and then select the Stream Profile Example link.

Question: Is the BIG-IP processing the stream profile? _____________

TASK 5 – Verify the New Certificate

Test the new certificate being used by the offload virtual server.

* Right-click the page and select Properties.
* Click Certificates.

Question: Who issued this certificate?
_____________________________
When does it expire? _________________________________

* Close the Web browser.
* In the Configuration Utility, create an archive file named 1.9_ssl_termination_v11.4.0.1.

MODULE 10 EXERCISES – NATS AND SNATS

EXERCISE 1.10A – USING A NAT

In this exercise you will configure a NAT to pass traffic between an external device and a specific internal node.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Configure a NAT

Create a custom NAT to give external users access to a specific node in the 10.128.20.0 network.

* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Address Translation > NAT List page.
* Click Create.
* Create a NAT using the following:

    Name              custom_NAT
    NAT Address       10.128.10.200
    Origin Address    10.128.20.13
    State             Enabled

* Click Finished.

TASK 2 – Testing the NAT – Inbound

Test the NAT by opening the new NAT address using several application services.

* Open a new Web browser and access http://10.128.10.200. Note that all items are coming from pool member #3 (10.128.20.13).
* Edit the URL to https://10.128.10.200.
* Using Putty, open an SSH session to 10.128.10.200.

NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.

Note that you can connect to multiple services through the NAT and that you are always connected to 10.128.20.13.

* Close the Web browser and the Putty window.

TASK 3 – Disable the NAT

Disable the NAT to ensure that it won’t interfere with future exercises.

* In the Configuration Utility on the NAT List page, select custom_NAT.
* From the State list, select Disabled.
* Click Update.
* Confirm that the NAT is no longer available by opening a new Web browser and attempting to access http://10.128.10.200.

EXERCISE 1.10B – USING SNATS

In this exercise you will configure a SNAT to pass traffic between an external device and internal nodes.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 25 minutes

TASK 1 – Testing Behavior without a SNAT

Open the HTTP virtual server and examine what the back-end Web server sees as the client IP address.

* Open a new Web browser and access http://10.128.10.20.
* View the information in the Request Details section.

Questions:
What is the client IP address? __________________________
What device “owns” this IP address? _________________________________

TASK 2 – Using SNAT Auto Map with the HTTP Virtual Server

Update the HTTP virtual server by enabling SNAT Auto Map.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* In the Configuration section, from the Source Address Translation list, select Auto Map.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.

Questions:
What is the client IP Address? __________________________
What device “owns” this IP address? ________________________
When using SNAT, how can we ensure that the back-end Web server can identify the true client IP address? _________________________________________________________________________

* In the Configuration Utility, update http_vs by selecting custom_http_profile.
* In the http://10.128.10.20 Web page, select the Request and Response Headers link.

Question: What is the X-Forwarded-For value? _________________________

* Close the Web browser.

TASK 3 – Create a SNAT

Create a custom SNAT to give external users in the 10.128.10.0 network access to several nodes in the 10.128.20.0 network.

* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
* Click Create.
* Create a SNAT using the following:

    Name            custom_SNAT
    Translation     IP Address: 10.128.20.201
    Origin          Address List
    Address List    Network Address: 10.128.10.0
                    Mask: 255.255.255.0 (be sure to click Add)

* Click Finished.
* Open a new Web browser and access http://10.128.10.20.
* Update the URI to http://10.128.10.21.
* Update the URI to https://10.128.10.20.
* Close the Web browser.

Questions:
Did every connection use the new SNAT? __________________
If not, which one didn’t? __________________________________________________

* Update the http_vs by selecting None for Source Address Translation.
* Update the http_vs2 by selecting None for Source Address Translation.
* Open a new Web browser and access http://10.128.10.20.
* Edit the URI to http://10.128.10.21.
* Close the Web browser.

TASK 4 – Create a SNAT Pool

Create a SNAT pool and then use the SNAT pool with a virtual server.

* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT Pool List page.
* Click Create.
* Create a SNAT pool using the following:

    Name           custom_SNAT_pool
    Member List    10.128.20.222
                   10.128.20.223
                   10.128.20.224
                   (be sure to click Add)

* Click Finished.
* Open the Virtual Server List page, and then select http_vs2.
* For Source Address Translation, select SNAT.
* For SNAT Pool, select custom_SNAT_pool.
* Click Update.
* Open a new Web browser and access http://10.128.10.21.

Question: Which IP address was used for the SNAT address? _____________________________

* Close the Web browser.

TASK 5 – Creating a SNAT for Internal Users

Create a SNAT to give internal users access to external resources through BIG-IP LTM.

* In the VMware Workstation console, select the LAMP image and click Login.
* Open Firefox and attempt to access http://www.yahoo.com.

NOTE: The request should fail. If your request is successful, it’s likely because you enabled Network Adapter 4 for the Ubuntu image in VMware Workstation.

* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
* Create a SNAT using the following:

    Name            internal_SNAT
    Translation     IP Address: 10.128.1.100
    Origin          Address List
    Address List    Network Address: 10.128.20.0
                    Mask: 255.255.255.0 (be sure to click Add)

* Click Finished.
* In the LAMP VMware image, refresh the http://www.yahoo.com Web page.
* In the Configuration Utility, create an archive file named 1.10_nat_snat_v11.4.0.1.

TASK 6 – Delete the SNATs

Delete both SNATs as they aren’t needed for the remaining exercises.

* In the Configuration Utility, on the SNAT List page, select the checkbox for both custom_SNAT and internal_SNAT, and then click Delete twice.

MODULE 10 EXERCISES – IRULES

EXERCISE 1.11A – WRITING YOUR FIRST IRULE

In this exercise you’ll download and install the iRule Editor from DevCentral. You’ll then use the iRule Editor to connect to your BIG-IP and write your first iRule. You’ll then download an iRule from DevCentral and use the iRule as is.

* Estimated completion time: 25 minutes

TASK 1 – Download the iRule Editor

Access and log in to DevCentral, and then download the iRule Editor. You do not need to perform this task if you already have the iRule Editor installed on your workstation.

* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iRules.
* On the left navigation menu select iRule Editor.
* Download and install the iRulerSetup.msi file.

TASK 2 – Open the iRule Editor

Open the iRule Editor and explore the application.

* From your Start menu, launch the F5 iRule Editor.
* Click the iRules Reference button. This opens the iRules Wiki Home page on DevCentral.
* Close the Web browser.
* Click the TCL Reference button. This opens the TCL command reference page.
* Click the set link. We’ll be covering the set command shortly.
* Close the Web browser.

TASK 3 – Use the iRule Editor to Connect to Your BIG-IP

Use the iRule Editor to connect to the external self IP address of your BIG-IP system.

* In the iRule Editor, select File > Connect.
* In the Hostname box type 10.128.10.240.
* In the Username and Password boxes enter the username and password you created in Exercise 1.1C.
* Click OK.

Questions:
Did you successfully connect?
________________
Which port is being used to connect to the BIG-IP system? __________________

* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Network > Self IPs page, and then select external_selfIP.
* Add the required port to the Custom List, and then click Update.
* In the iRule Editor, attempt to connect again using the same username and password.

TASK 4 – Create Your First iRule

Create a basic iRule to log information when a client connection is accepted by the BIG-IP.

* In the left navigation menu of the iRules Editor, select Local Traffic.
* Select File > New.
* Name the new iRule exercise_iRule.
* Select the Custom tab.
* Select the CLIENT_ACCEPTED event, and then click OK.
* Edit the text inside of the double-quotes to: "Client connection accepted"
* Select the View menu. By default, the iRule Editor displays several annotations to help you write iRules.
* Select both Whitespace and End of Line.
* Click Save. This will check the syntax of the iRule. You’ll get a notification at the bottom of the iRules Editor of any syntax errors.
* In the Configuration Utility, open the Local Traffic > iRules > iRules List page. The iRule was saved on the BIG-IP.
* Select exercise_iRule. Note how different it is viewing and editing an iRule in the Configuration Utility versus the iRule Editor.

TASK 5 – Add the iRule to the HTTP Virtual Server

Add the new iRule to the existing HTTP virtual server, and then verify the iRule.

* Open the Virtual Server List page, and then select http_vs.
* Ensure that the HTTP Profile is set to http. Click Update if necessary.
* Open the Resources page.
* For Default Persistence Profile, select None.
* Click Update.

NOTE: We are removing persistence in order to use iRules for all BIG-IP LTM load balancing decisions.

* In the iRule section, click Manage.
* Move the exercise_iRule from the Available list to the Enabled list.
* Click Finished.
* Open Putty, and then access and log in to 10.128.10.240.

NOTE: For easier viewing of log entries, we recommend resizing the Putty window, making it bigger both horizontally and vertically.

* At the CLI prompt, type:

    tail -f /var/log/ltm

* Type the Enter key a few times to move the existing log entries to the top of the window.
* Open up a new Web browser and access http://10.128.10.20.
* View the Putty window.

Questions:
Was the iRule triggered? _______________
How many client connections were required for this request? _________________

TASK 6 – Save the Current iRule to your Offline iRules

Create a new iRule, then copy your current iRule to the new iRule, and then copy the new iRule to your offline iRules.

* In the iRule Editor, select Local Traffic, and then select File > New.
* Name the new iRule exercise1A_iRule, use the Blank template, and then click OK.
* Copy the code from exercise_iRule and paste into exercise1A_iRule.
* Save exercise1A_iRule.
* Right-click exercise1A_iRule and select Copy Offline. The new iRule is saved under Offline iRules, which is stored on your local workstation. This will enable you to use this iRule on any BIG-IP that you can connect to.

NOTE: In the iRules exercises, we will continue to make modifications to the exercise_iRule, and then save the iRule from each exercise to your Offline iRules. This will enable us to continue to make updates to the iRule without needing to update the virtual server.

TASK 7 – Using an iRule from DevCentral

Use an iRule from DevCentral to prevent valid credit card numbers from being returned to users.

* Open a new Web browser and access http://10.128.10.20.
* Select the Mask Sensitive Content Example link. This page contains confidential information that we’d like to prevent from being sent in an HTTP response.
* In the iRule Editor, use the iRules Reference button to access DevCentral.
* On the left navigation menu, select CodeShare.
* Find an iRule that scrubs out credit cards from HTTP traffic. (NOTE: Don’t use the iRule that uses a stream profile.)
* In the iRules Source section, click on the view source button.
* Select and copy all of the iRules code.
* In the iRule Editor, for exercise_iRule, delete the existing code, and then paste the contents of the credit card scrubber.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/privatedata.html Web page.
* Close the Web browser.

FOR EXTRA CREDIT

* Update the iRule to change the character used for scrubbing from “X” to “*”.
* Test by refreshing the credit card accounts page.

TASK 8 – Save the Current iRule to your Offline iRules

* In the iRule Editor, select Local Traffic, and then select File > New.
* Name the new iRule exercise1B_iRule, use the Blank template, and then click OK.
* Copy the code from exercise_iRule and paste into exercise1B_iRule.
* Save exercise1B_iRule.
* Right-click exercise1B_iRule and select Copy Offline.

EXERCISE 1.11B – USING IRULE EVENTS

In this exercise you will experiment with some of the events that you can use to trigger an iRule.

* Estimated completion time: 20 minutes

TASK 1 – Update the iRule with Multiple Events

Update the exercise_iRule by adding several events.

* In the iRule Editor, select exercise1A_iRule and copy all of the code.
* Select exercise_iRule and delete all of the existing code, and then paste the copied text.
* Place the cursor at the beginning of line 1, and then type Enter a couple of times.
* At the beginning of line 1 start typing the word when.
* When the iRule Editor prompts for the word, type the Enter key to accept the full word when.
* After when, start typing RULE_ and then hit Enter to accept the RULE_INIT event.
* After RULE_INIT, type a {, then type the Enter key twice, and then type a }. This is a good method for ensuring that you have a closing curly brace for every opening curly brace.
* Move your cursor after the indent in line 2.
* Type the following command and arguments:

    log local0. "iRule created or updated"
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.

NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.

* In the iRule Editor, save the exercise_iRule, and then view the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

* Type the Enter key a few times to move the existing log entries to the top of the window.
* Open a new Web browser and access http://10.128.10.20.
* View the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the CLIENT_ACCEPTED event:
* Save the iRule.
* In the http://10.128.10.20 Web page select the Welcome link.
* View the Putty window.

Question: How many HTTP requests are needed to build this Web page? ________________

* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the HTTP_REQUEST event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.

Question: Was a different pool member selected for each HTTP request? ________________

* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the LB_SELECTED event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the SERVER_CONNECTED event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.

TASK 2 – Enable Caching and Compression on the HTTP Virtual Server

Enable caching, compression, and OneConnect on the HTTP virtual server, and then examine the difference in the iRule results.

* In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
* Configure the following:
    * HTTP Profile: custom_http_profile
    * OneConnect Profile: custom_oneconnect
    * HTTP Compression Profile: custom_compression
    * Web Acceleration Profile: custom_caching
* Click Update.
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* In Putty, type the Enter key five times.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* Close the Web browser.
* View the Putty window.

Question: How did these profiles change the results of the iRule triggering? _______________________________________________________________________

* In the Configuration Utility, on the http_vs Properties page, configure the following:
    * HTTP Profile: http
    * OneConnect Profile: None
    * HTTP Compression Profile: None
    * Web Acceleration Profile: None
* Click Update.

NOTE: We are removing these profiles to ensure that BIG-IP LTM makes load balancing decisions for each request and doesn’t serve up content from its cache.

TASK 3 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise2_iRule using the Blank template.
* Copy the code from exercise_iRule and paste into exercise2_iRule.
* Save exercise2_iRule.
* Right-click exercise2_iRule and select Copy Offline.

EXERCISE 1.11C – USING VARIABLES

In this exercise you will set variables in an iRule, and then reference and manipulate the variables.

* Estimated completion time: 20 minutes

TASK 1 – Set Variables in an iRule

Update the exercise_iRule by setting several variables.

* In the iRule Editor, select exercise_iRule.
Delete all of the existing events EXCEPT for the HTTP_REQUEST event. ? In the line directly after the when HTTP_REQUEST line, type: set name "Chris" (use your own first name) set last_name "Manly" (use your own last name) set price 9.95 set quantity 5 TASK 2 –Reference Variables in an iRule Update the exercise_iRule by referencing the variables you set in the previous task. ? Edit the log local0. message to: log local0. "$name $last_name made an HTTP request" ? Save the iRule. ? In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window. ?NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries. ? Open a new Web browser and access http://10.128.10.20/httprequest.php. ? View the Putty window. ? Type the Enter key a few times to move the existing log entries to the top of the window. ? In the iRule Editor, create a second log entry: log local0. "Order made for $quantity items at $$price each" ?NOTE: Be sure to include two dollar signs before “price”. ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. Note that the iRule was able to identify that $price was referencing a variable, and the dollar sign before that was interpreted as a regular text string. ? Type the Enter key a few times to move the existing log entries to the top of the window. TASK 3 – Manipulating Variables Update the exercise_iRule by using the append, incr, and expr commands. ? In the iRule Editor, in the line after setting your last name, type: append name " " (there should be one space between the quotes) append name $last_name ? Edit the first log local0. message to: "$name made an HTTP request" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? Type the Enter key a few times to move the existing log entries to the top of the window. ? 
In the iRule Editor, in the line after the final log local0. statement, type: incr quantity 2 log local0. "Due to our special, $name will receive $quantity items" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? Type the Enter key a few times to move the existing log entries to the top of the window. ? In the iRule Editor, in the line after setting the quantity, type: set total [expr { $price * $quantity } ] set tax [expr { $total * .09 } ] set grand_total [expr { $total + $tax } ] ? In the line after the final log local0. statement, type: log local0. "Total: $$total, tax: $$tax, for a grand total of $$grand_total" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? TASK 4 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise3_iRule using the Blank template. ? Copy the code from exercise_iRule and paste into exercise3_iRule. ? Save exercise3_iRule and then copy it to your Offline iRules. EXERCISE 1.11D – USING TCL AND IRULES COMMANDS In this exercise you will use several TCL and iRules commands to make your existing iRules based on dynamic connection information. * Estimated completion time: 30 minutes TASK 1 – Update the iRule using iRules Commands Update the iRule you created in exercise 2 by logging information based on the actual client connection. ? In the iRule Editor, select exercise2_iRule and copy all of the iRule code. ? Replace all of the previous code in exercise_iRule with the copied text. ? Update the CLIENT_ACCEPTED event as follows: ? Update the LB_SELECTED event as follows: ? Update the SERVER_CONNECTED event as follows: ? Update the HTTP_RESPONSE event as follows: ? Save the iRule and ensure you don’t receive any syntax errors. ? Open a new Web browser and access http://10.128.10.20/httprequest.php. ? ? View the Putty window. 
In the next section we will be discussing using conditional statements. Start thinking about the traffic management decisions you could make on the BIG-IP system using any of the information that you sent to the log file. ? Type the Enter key a few times to move the existing log entries to the top of the window. TASK 2 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise4A_iRule. ? Copy the code from exercise_iRule and paste into exercise4A_iRule. ? Save exercise4A_iRule, and then copy it to your Offline iRules. TASK 3 – Update the iRule using HTTP Commands Experiment with the different HTTP commands that are available in an iRule. ? Select exercise_iRule. ? Delete all of the existing events EXCEPT for the when HTTP_REQUEST event. ? Update the HTTP_REQUEST event as follows: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? Edit the URI to http://10.128.10.20/httprequest.php?user=bob. Question: Which value changed between the two requests? _________________________________ ? Type the Enter key a few times to move the existing log entries to the top of the window. ? TASK 4 – Create a Custom Response Page Using the iRule, create a custom HTTP response page to be sent for all client requests. ? In the iRules Editor, select exercise_iRule. ? After the HTTP_REQUEST event add the following HTTP_RESPONSE event: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php?user=bob Web page. Question: Did you receive the custom Webpage? ___________________ In the next lesson we’ll cover using conditional statements. Be thinking about what information you could use to determine whether or not to display this error page for user requests. TASK 5 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise4B_iRule. ? Copy the code from exercise_iRule and paste into exercise4B_iRule. ? 
Save exercise4B_iRule, and then copy it to your Offline iRules. TASK 6 – Use the Stream Command In Exercise 1.6B you used a Stream profile in the Configuration Utility. As you learned, one of the limitations of the Stream profile is that you can only find one text string to replace with another. You will now use the stream command in an iRule to find multiple text streams and replace them with different values. ? In the Configuration Utility, open the Virtual Servers page, and then select http_vs. ? Configure the following: ? Stream Profile: stream ? HTTP Compression Profile: custom_compression ? Click Update. ?NOTE: Even when you use the stream command in an iRule, you still need to include the default Stream profile, and in addition you need to ensure that the Web servers aren’t compressing content (which is achieved by using an HTTP compression profile). ? In the iRules Editor, select exercise_iRule. ? Delete all of the lines contained within the HTTP_RESPONSE event (but leave the event itself). ? Save the iRule. ? Open a new Web browser and access http://10.128.10.20/lorax.php. There are references to “Lorax Bank”, “Lorax Finances”, and “savings accounts”. ? In the iRule Editor, update the HTTP_RESPONSE event as follows: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. The references to “Lorax Bank” have been replaced with “Lorax Investments”. ? Update the STREAM::expression as follows: {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@} ?NOTE: Type all of the previous expression on one line. ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. All references to the previous entries have been replaced with the updated entries. ? Click on the top graphic to go back to the home page. ? From the http://10.128.10.20 page, select the Multiple Stream Example link. ?NOTE: The graphics in the second column on this page are “broken” links. ? 
Right-click on the page and select View Source. Question: What are the URLs that the broken image links are pointing to? ____________________________________________________________________ ? Close the source code page. ? Update the STREAM::expression as follows: {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@ @http://server1.hostingsite.com/images@/images@} ? Save the updated iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/badlinks.html Web page. Question: Why did the first two pictures display properly, but the third picture still doesn’t display? _________________________________________________________________ ? Update the stream expression so that all three graphics display on the page. TASK 7 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise4C_iRule. ? Copy the code from exercise_iRule and paste into exercise4C_iRule. ? Save exercise4C_iRule, and then copy it to your Offline iRules. EXERCISE 1.11E – USING CONDITIONAL STATEMENTS In this exercise you will add conditional statements to your iRules, using if, elseif, and else statements, in addition to using the stream command. * Estimated completion time: 40 minutes TASK 1 – Update the Custom Error Page iRule Update the iRule you created earlier that displays a custom error page by using a conditional statement to determine the HTTP response status and displaying the error page only when the user receives a 404 error. ? In the iRule Editor, select exercise4B_iRule and copy all of the iRule code. ? Replace all of the previous code in exercise_iRule with the copied text. ? Update the HTTP_RESPONSE event as follows: ?NOTE: The indenting within the if command isn’t required; however it can make the iRule easier to read. ? Save the iRule and ensure you don’t receive any syntax errors. ? Open a new Web browser and access http://10.128.20.10. ? Edit the URI to http://10.128.20.10/index.html. ? 
Close the Web browser. Because this Web server doesn’t have an index.html file, it responded with a 404 error status. Instead of simply passing the 404 error to the client, we can present them with more useful information in the custom Web page. ? TASK 2 – Create Three Wildcard Pools In the next several iRule examples we’ll be making traffic management decisions. Create three pools to use within these iRules. ? In the Configuration Utility, open the Pool List page. ? Create a pool using the following: Name iRules_pool1 Health Monitors gateway_icmp Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.11 * (All Services) ? Create another pool using the following: Name iRules_pool2 Health Monitors gateway_icmp Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.12 * (All Services) ? Create another pool using the following: Name iRules_pool3 Health Monitors gateway_icmp Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.13 * (All Services) ? Create another pool using the following: Name iRules_pool4 Health Monitors gateway_icmp Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.14 * (All Services) ? TASK 3 – Use an iRule for Traffic Management Decisions Use the iRule to make traffic management decisions based on the requested file type. ? In the iRule Editor, update the HTTP_REQUEST event as follows: This iRule will identify the file type of the user request. If the file type is php, the request will be routed to the iRules_pool1 pool. Because we’re now using the iRule for traffic management decisions, we need to remove the default pool from the virtual server. ? Save the iRule. ? In the Configuration Utility, open the Virtual Server List page, and then select http_vs. ? Open the Resources page. ? For Default Pool, select None. ? Click Update. ? 
Open a new Web browser and access http://10.128.10.20/welcome.php. Questions: Did the page display properly? ___________________ If not, why not? ______________________________________________________ ? In the iRule Editor, update the HTTP_REQUEST as follows: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page. Questions: Did the page display properly? ___________________ If yes, which pool supplied the welcome.php page? ______________________________ Which pool supplied the graphics? _______________________________ ? Click on the top graphic to go back to the home page. Questions: Did the page display properly? ___________________ If not, why not? ______________________________________________________ ? In the iRule Editor, update the HTTP_REQUEST as follows: Since we no longer have a default pool associated with the virtual server, it’s a good idea to have an else statement for requests that don’t match the if or the elseif conditions. ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20 Web page. Questions: Did the page display properly? ___________________ Which page supplied the index.php page? ________________________ Which pool supplied the F5 logo at the bottom of the page? _________________________ Why wasn’t this graphic supplied by iRules_pool2? _____________________________ TASK 4 – Manage Traffic Based on the Service Port Create a new iRule that will manage traffic based on the request’s application port. ? In the iRule Editor, create a new iRule using the blank template named wildcard_iRule. ? Use the following to create this iRule: ? Save the iRule. TASK 5 – Create a Wildcard Virtual Server Create a virtual server listening on all ports. ? In the Configuration Utility, open the Virtual Server List page. ? Create a virtual server using the following: Name wildcard_vs Destination Host: 10.128.10.40 Service Port * (All Ports) iRules wildcard_iRule Default Pool None ? 
Open a Web browser and access http://10.128.10.40. Question: Which pool supplied this request? ___________________ ? Edit the URI to https://10.128.10.40. Question: Which pool supplied this request? ___________________ ? Edit the URI to http://10.128.10.40:8081. Question: Which pool supplied this request? ___________________ How was BIG-IP LTM able to view the iRule and make traffic management decisions when there’s no HTTP profile configured on the virtual server? ___________________________________________________________________________ ? Close the Web browser. ? TASK 6 – Update the iRule to Use the Switch Operator Update the wildcard_iRule to use the switch operator in place of the if, elseif, else statements. ? In the iRules Editor, update the wildcard_iRule as follows: In this statement, the -exact argument is optional. The $requestport variable is the value that we are comparing to either 80, 443, or 8081. The statements after the 80, 443, and 8081 are the actions to take if the port value matches. The default statement is for all requests that don’t match port 80, 443, or 8081. ? Save the iRule. ? Test by using a new Web browser to access http://10.128.10.40, http://10.128.10.40:8081, and https://10.128.10.40. ? Close the Web browser. ? In the configuration utility, access the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics. ? Reset the statistics for all pools and all pool members. ? Open a new Putty session and access 10.128.10.40. ?NOTE: It’s not necessary to log into the BIG-IP, receiving the login prompt is sufficient. ? In the configuration utility, refresh the pools statistics. Question: Which pool supplied this request? ___________________ ? Close Putty. ? Copy the wildcard_iRule to your Offline iRules. ? TASK 7 – Use the Switch Operator to Manage Traffic Based on the File Type Create an iRule to determine the requested file type. 
If the request is for an unauthorized file type we’ll present a custom error page for the user. Otherwise we’ll route all requests for graphic files to one pool, PHP pages to another pool, and all other requests to a third pool. ? Open a new Web browser and access http://10.128.10.20. ? Edit the URI to http://10.128.10.20/calc.exe. ? Attempt to run the application. ? Edit the URI to http://10.128.10.20/basic.css. ? Close the Web browser. Currently this Web application contains files that shouldn’t be accessed by users. We’ll use the iRule to block access to these file types. ? In the iRules Editor, select exercise_iRule. ? Delete the lines containing the if, elseif, and else statements. ? Update the HTTP_REQUEST event as follows: In this statement, the -glob argument enables us to use wildcard characters. The $httppath variable is the value that we are comparing. For each of the file types we are using the asterisk wildcard. If the $httppath variable ends with exe or css, the user will get a custom response page, and in addition we’ll send an entry to the log file. If the variable ends with jpg, gif, or png, the request is sent to iRules_pool1. If the variable ends with php the request is sent to iRules_pool2 and we send an entry to the log file. The default statement is for all requests that don’t match any of the listed file types. ? Save the iRule and ensure you don’t receive a syntax error. ? Open a new Web browser and access http://10.128.10.20. Questions: Which pool supplied the index.php page? ____________________ Why didn’t this request go to iRules_pool2? _____________________________________ Which pool supplied the F5 logo? ____________________ ? Select the Welcome link. Question: Which pool supplied the welcome.php page? ____________________ ? Edit the URI to http://10.128.10.20/calc.exe. ? Edit the URI to http://10.128.10.20/basic.css. Question: Were you able to open these sensitive files? _______________ ? View the Putty window. 
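The file-type policy described in Task 7, written out as an iRule. This is an added example, not the guide's own code: the 403 status, the response body, the leading dot in each pattern, the lowercasing step, and the use of iRules_pool3 as the third pool are assumptions.

```tcl
# Added example (not from the original guide).
# Assumes the pools iRules_pool1, iRules_pool2 and iRules_pool3 created in
# Task 2 exist and that the rule is attached to a virtual server with an
# HTTP profile. Status code and response body are illustrative.
when HTTP_REQUEST {
    # HTTP::path returns the path without the query string, so a request
    # for /httprequest.php?user=bob is still classified as a .php request.
    # switch -glob compares case-sensitively, so lowercase the path first;
    # otherwise /CALC.EXE would fall through to the default branch.
    set httppath [string tolower [HTTP::path]]

    # "--" ends option parsing so the value is never read as a switch flag.
    switch -glob -- $httppath {
        "*.exe" -
        "*.css" {
            # Unauthorized file types: always log, then answer from the
            # BIG-IP itself so the request never reaches a pool member.
            log local0. "Blocked request for $httppath from [IP::client_addr]"
            HTTP::respond 403 content "<html><body><h2>Access to this file type is not permitted.</h2></body></html>" "Content-Type" "text/html"
        }
        "*.jpg" -
        "*.gif" -
        "*.png" {
            # Graphic files go to the first pool, with no log entry.
            pool iRules_pool1
        }
        "*.php" {
            # PHP pages go to the second pool and are logged.
            log local0. "Request made for $httppath"
            pool iRules_pool2
        }
        default {
            # Everything else, including the bare "/" root request.
            # Needed because http_vs no longer has a default pool.
            pool iRules_pool3
        }
    }
}
```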
Questions: Did requests for images generate a log entry? ________________ Did requests for css files generate a log entry? ________________ Did requests for php pages generate a log entry? _______________ ? Close the Web browser. TASK 8 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise5_iRule. ? Copy the code from exercise_iRule and paste into exercise5_iRule. ? Save exercise5_iRule, and then copy it to your Offline iRules. EXERCISE 1.11F – WORKING WITH LISTS In this exercise you work with lists. First you’ll create a static list and experiment with different commands to manipulate the list. Next you’ll create a dynamic list containing HTTP request headers. * Estimated completion time: 30 minutes TASK 1 – Update the HTTP Virtual Server and the iRule Update the HTTP virtual server by using the HTTP pool as the default pool. ? In the Configuration Utility, open the Virtual Server List page, and then select http_vs. ? Select the Resources tab. ? From the Default Pool list, select http_pool, and then click Update. ? In the iRule Editor, delete all of the code in the exercise_iRule. TASK 2 – Work with a Static List Create a static list, and then use several list commands to manipulate the list. ? To create a new static list, add the following HTTP_REQUEST event to exercise_iRule. ? Save the iRule. ? Open a new Web browser and open the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? To sort the list, add the following lines at the end of the HTTP_REQUEST: set mylist [lsort $mylist] log local0. "Sorted first list: $mylist" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? To add items to the list, add the following lines at the end of the HTTP_REQUEST: lappend mylist "rst" 222 log local0. "Second list: $mylist" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? 
View the Putty window. Question: Were the new items added into the sorted order? ___________________ ? Add additional lines to the iRule to sort the list after the new items have been added and add an entry to the log file. After refreshing the http://10.128.10.20/httprequest.php Web page, the log entry should look like this: ? To insert an item to the list, add the following lines at the end of the HTTP_REQUEST: set mylist [linsert $mylist 1 "f5"] log local0. "Third list: $mylist" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. Questions: How are the lappend and linsert commands different? _____________________________ In what position in the list was the new entry added? ________________ ? Once again, add additional lines to sort the new list and add an entry to the log file. ? To determine the number of items in the list, add the following line at the end of the HTTP_REQUEST: log local0. "Third list length: [llength $mylist]" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. Question: What are a couple of advantages of knowing the number of items in a list? ________________________________________________________________________ ? Add the following lines at the end of the HTTP_REQUEST: lset mylist 3 "456" log local0. "Fourth list: $mylist" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. Questions: How is the lset command different from the lappend and linsert commands? __________________________________________________________________________ In what position in the list was the new entry added? ________________ ? To determine the value of an item in the list, add the following lines at the end of the HTTP_REQUEST: set item [lindex $mylist 3] log local0. "Item #4: '$item'" ? Save the iRule. ? 
Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? To determine the index value of three different items, add the following lines at the end of the HTTP_REQUEST: set find1 [lsearch $mylist "rst"] set find2 [lsearch $mylist 222] set find3 [lsearch $mylist "deflmo"] log local0. "List item 'rst' at index # $find1" log local0. "List item '222' at index # $find2" log local0. "List item 'deflmo' at index # $find3" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. Questions: What index number is “222” at? __________________ Why is the third item displaying at index value -1? _________________________________ TASK 3 – Add Iteration to the iRule Use iteration to loop through the different items in the static list. ? In the iRule Editor, add the following lines at the end of the HTTP_REQUEST: set myaddress "401 Elliott Ave S, Seattle, WA 98119 USA" (use your own address) set mylist [split $myaddress " "] log local0. "First item: '[lindex $mylist 0]'" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. Question: Without using iteration, how would you create separate log messages for each list entry? __________________________________________________________________________ ? Replace the previous log local0 entry with the following: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. Question: What can you add to make these log entries more understandable? __________________________________________________________________________ FOR EXTRA CREDIT ? Update the iteration command so that the log message lists the correct item number: TASK 4 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise6A_iRule. ? Copy the code from exercise_iRule and paste into exercise6A_iRule. ? 
Save exercise6A_iRule, and then copy it to your Offline iRules. ? TASK 5 – Use a Dynamic List in an iRule Use an iRule to gather information about the client request HTTP headers using the list commands. ? In the iRule Editor, update exercise_iRule as follows: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. Questions: How many HTTP headers are in your HTTP request? _________________ Which header is at index position 1? ___________________________ What is the index value for X-Forwarded-For? _________________ ? In the Configuration Utility, open the Virtual Server List page, and then select http_vs. ? For HTTP Profile, select custom_http_profile. ? Click Update. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. Question: What changes occurred using this profile? ________________________________________ TASK 6 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise6B_iRule. ? Copy the code from exercise_iRule and paste into exercise6B_iRule. ? Save exercise6B_iRule, and then copy it to your Offline iRules. EXERCISE 1.11G – USING IRULES BEST PRACTICES In this exercise you will add comments and debugging statements to an iRule you created earlier. * Estimated completion time: 15 minutes TASK 1 – Add Comments to an iRule Update an iRule by adding several comments to make it easier to understand for other administrators. ? In the iRule Editor, select exercise5_iRule and copy all of the iRule code. ? Replace all of the previous code in exercise_iRule with the copied text. ? In the line directly after the when HTTP_REQUEST line, add the following comment: #Identify the requested page and store in a variable ? Continue to add the following comments: ? TASK 2 – Adding Debugging Statements for Logging Logging isn’t recommended for BIG-IP systems in production. 
Modify non-critical log statements to only run at specified times. ? In the line directly after the when HTTP_REQUEST line, add the following line: set debug 1 ? Edit the log statement for PHP pages to the following: if { $debug } { log local0. "Request made for $httppath" } ? Add the exact statement above for the switch default statement: ? Save the iRule. ? Open a new Web browser and open the http://10.128.10.20 Web page. ? Select the Welcome link. ? Click on the top graphic to go back to the home page. ? Select the Multiple Stream Example link. ? View the Putty window. For debugging purposes, we can see that requests are made for the root page “/”, php pages, and html pages. ? Type the Enter key a few times to move the existing log entries to the top of the window. ? In the iRule Editor, edit the debug statement: set debug 0 ? Save the iRule and then view the same pages as you did at the beginning of this task. ? Edit the URI to http://10.128.10.20/calc.exe. ? Edit the URI to http://10.128.10.20/basic.css. ? View the Putty window. We’ve now eliminated unnecessary logging, but can continue to log critical messages. TASK 3 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise7_iRule. ? Copy the code from exercise_iRule and paste into exercise7_iRule. ? Save exercise7_iRule, and then copy it to your Offline iRules. ? Close the iRule Editor. ? In the Configuration Utility, create an archive file named 1.11_iRules_v11.4.0.1. MODULE 11 EXERCISES – IAPPS EXERCISE 1.12A – WORKING WITH IAPP APPLICATION SERVICES In this exercise you will create an iApp Application Service. You will then examine the effects of enabling and disabling strictness. You will use reentrancy to update the application, and then examine the various objects iApp created for the application. * Estimated completion time: 20 minutes TASK 1 – Create a Web Application Using iApp Create the Web application using an iApp Application Service. ? 
Open up a new Web browser and access https://10.128.1.245. ? Open the iApp > Application Services page. ? Click Create. ? Create an Application Service using the following information: Profile Name app_web Template f5.http Inline help? No Configuration mode Basic IP address for virtual server 10.128.10.40 FQDN lamp.f5demo.com Create a new pool or use an existing one? Create a new pool Servers to reference Address Port 10.128.20.11 80 10.128.20.12 80 10.128.20.13 80 Health monitor Create new HTTP monitor HTTP URI to send /index.php Expected response Welcome ? Click Finished. ? TASK 2 – Update Your Local Hosts File Update the entry in your local hosts file for lamp.f5demo.com. ? Open Notepad and select Run as Administrator. (HINT: Right-click on Notepad in the Start menu.) ? Open the C:\Windows\System32\drivers\etc\hosts file. ? Update the lamp.f5demo.com entry: 10.128.10.40 lamp.f5demo.com ? Save and close the hosts file. TASK 3 – Test Access to the iApp Application Test access to the iApp application, and verify how traffic is being load balanced to pool members. ? Open a new Web browser and access http://lamp.f5demo.com. Questions: Which pool member(s) supplied content? __________________________________ Why did only one pool member supply content? __________________________________ Is SNAT enabled or disabled? _________________________ ? Select the Request and Response Headers link. Question: Is the X-Forwarded-For request header present? ________________ ? In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then select the Pools statistics. ? Reset the statistics for all pools and pool members. ? In the http://lamp.f5demo.com Web page, select the HTTP Compress Example link. ? In the Configuration Utility, refresh the Pools statistics. Questions: How many Bits Out did this page create? ____________________ How many Packets Out did this page generate? 
______________________ How many total requests were needed to generate this Web page? __________________ ? Reset the statistics for all pools and pool members. ? Use Ctrl+F5 to refresh the http://www.f5demo.com/bigtext.php page. ? Close the Web browser. ? In the Configuration Utility, refresh the Pools statistics. Questions: How many Bits Out did this page create? ____________________ How many Packets Out did this page generate? ______________________ How many total requests were needed to generate this Web page? __________________ What caused the difference in traffic to the pool member? __________________________ TASK 4 – View and Update the Application Use iApp to update the previously deployed Web application. ? Open the iApp > Application Services page, and then select app_web. ? On the Components page, click app_web_vs. This navigates you to the virtual server Properties page. ? Attempt to update the Destination Address to 10.128.10.41. Question: Why couldn’t you update the virtual server IP address? __________________________ ? Open the iApp > Application Services page, and then select app_web. ? Select the Properties tab. ? From the Application Service list, select Advanced. ? Disable Strict Updates, and then click Update. ? Open the app_web_vs virtual server Properties page. ? Update the following: ? Destination Address: 10.128.10.41 ? OneConnect Profile: None ? HTTP Compression Profile: None. ? Web Acceleration Profile: None. ? Click Update. ? Select the Resources tab. ? From both the Default Persistence Profile and Fallback Persistence Profile lists, select None. ? Click Update. ? Open a new Web browser and access http://10.128.10.41. ? Close the Web browser. ? Open the iApp Application Services page, and then select app_web. ? Select the Reconfigure tab. Question: What is the virtual server IP address? __________________________ ? Without making any changes, click Finished. ? Open the app_web_vs virtual server Properties page. 
Question: Are the updates you just made still in effect? ____________________ If not, why not? _____________________________________________________________ ? Open the Local Traffic > Profiles > Protocol > TCP page. Question: How many TCP profiles were created for this application? ___________ ? Open the iApp Application Services page, and then select app_web. ? Select the Properties tab. ? Re-enable Strict Updates, and then click Update. ? Select the Reconfigure tab. ? In the Network section, specify the following: What type of network connects clients to the BIG-IP system? Local area network (LAN) ? Click Finished. ? Open the Local Traffic > Profiles > Protocol > TCP page. Question: Why is there now only one TCP profile? _________________________________________ ? TASK 4 –Delete an iApp Application Service Create a new iApp Application Service using objects from another Application Service, and then attempt to delete both applications. ? Open the iApp > Application Services page. ? Create an Application Service using the following information: Profile Name app_web_backup Template f5.http Inline help? No Configuration mode Basic IP address for virtual server 10.128.10.41 FQDN (click the X to delete this option) Create a new pool or use an existing one? app_web_pool ? Click Finished. ? Open the Application Services page. ? Select the checkbox for app_web, and then click Delete twice. Question: Were you able to delete this application? ____________________ If not, why not? _____________________________________________________________ ? On the Application Services page, select app_web_backup. iApp created several objects for this profile: a virtual server, persistence profiles, an http profile, and several optimization profiles. ? Select the Properties tab. ? Click Delete, and then click OK. ? View the following Configuration Utility pages and verify that the application objects are deleted: ? Virtual Server List ? HTTP Profiles ? HTTP Compression Profiles ? 
  o Web Acceleration Profiles
  o Persistence Profiles
  o TCP Profiles

TASK 5 – Update the Wildcard Pools

Update the three wildcard pools you created in the iRules exercises.

* Open the Pool List page.
* Update the following pools:
  o iRules_pool1: disable 10.128.20.11:0, add 10.128.20.11:80
  o iRules_pool2: disable 10.128.20.12:0, add 10.128.20.12:80
  o iRules_pool3: disable 10.128.20.13:0, add 10.128.20.13:80

TASK 6 – Reconfigure the Application Service

Reconfigure the Application Service using the advanced settings.

* Open the iApp Application Services page, and then select app_web.

Questions:
How many profiles did iApp create for this application? _____________________
What type of persistence does this application use? ________________________________

* Select the Reconfigure tab.
* In the Template Options section, select to use Advanced settings.
* In the Network section, specify the following:
  o What type of network connects clients to the BIG-IP system? Wide area network (WAN)
  o How have you configured routing on your web servers? Servers have a route to clients through the BIG-IP system
* In the Virtual Server and Pools section, specify the following:
  o Which HTTP profile do you want to use? Create a new HTTP profile
  o Should the BIG-IP system insert the X-Forwarded-For header? Do not insert X-Forwarded-For HTTP header
  o Which persistence profile do you want to use? Do not use persistence
  o Which load balancing method do you want to use? Weighted Least Connections (member)
  o Do you want to give priority to specific groups of servers? Use Priority Group Activation
  o What is the minimum number of active members in a group? 2
  o Which web servers should be included in this pool?
      Update the following:
        10.128.20.11:80, Limit: 1000, Priority: 8
        10.128.20.12:80, Limit: 800, Priority: 8
        10.128.20.13:80, Limit: 800, Priority: 6
      Add the following:
        10.128.20.14, Limit: 1200, Priority: 10
        10.128.20.15, Limit: 1200, Priority: 10
* In the Delivery Optimization section, specify the following:
  o Which Web Acceleration profile do you want to use for caching? Do not use caching
  o Which compression profile do you want to use? Do not compress HTTP responses
  o How do you want to optimize client-side connections? Create the appropriate tcp-optimized profile
* In the Server Offload section, specify the following:
  o Which OneConnect profile do you want to use? Do not use OneConnect
  o How do you want to optimize server-side connections? Create a profile based on tcp-lan-optimized
  o How many seconds should Slow Ramp time last? 200
* In the Application Health section, specify the following:
  o How many seconds should pass between health checks? 10
* Click Finished.
* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
Which pool member(s) supplied content? __________________________________
Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the iRules section, specify the following:
  o Do you want to add any custom iRules to this configuration? exercise7_iRule
* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

Question: Did the BIG-IP make new traffic management decisions? _________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the SSL Encryption section, specify the following:
  o How should the BIG-IP system handle SSL traffic? Encrypt to clients, plaintext to servers (SSL Offload)
  o Which Client SSL profile do you want to use? Create a new Client SSL profile
  o Which SSL certificate do you want to use? lamp.crt
  o Which SSL private key do you want to use? lamp.key
  Note that the virtual server port changed from 80 to 443 after you selected to use SSL offload.
* In the Virtual Server and Pools section, specify the following:
  o Do you want to redirect inbound HTTP traffic to HTTPS? Redirect HTTP to HTTPS
  o From which port should HTTP traffic be redirected? 80
* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

EXERCISE 1.12B – WORKING WITH IAPP TEMPLATES

In this exercise you will view the list of system-supplied iApp Templates, and then view the properties of a Template. You’ll then find and download iApp Templates from the F5 downloads page and from DevCentral.

* Estimated completion time: 20 minutes

TASK 1 – View iApp Templates

View the list of system-supplied iApp Templates.

* In the Configuration Utility, open the iApp > Templates page.
* Use the page list box to display all Templates on one page.

Questions:
How many Templates are currently used for Application Services? ________________
How can you tell that these are system-supplied Templates? __________________________

TASK 2 – View the Properties of an iApp Template

View the properties of the f5.http system-supplied Template.

* On the Template List page select f5.http.

Questions:
What are the required BIG-IP modules? _______________________
What is the minimum BIG-IP version? ________________________
What is the maximum BIG-IP version? ________________________

* View the contents of the Implementation, Presentation, and HTML Help sections.
* Change the first line of the HTML Help section to:

Web server iApp Template

Questions:
Can you save this change? ________________
If not, why not? ________________________________________

TASK 3 – Download Updated iApp Templates from F5 Downloads

Access and log in to the F5 Downloads page, then download the updated iApp Templates for v11.3 to your workstation.

* Open the F5 product version download page at https://downloads.f5.com/esd/productlines.jsp.
* Select BIG-IP v11.x / Virtual Edition.
* From the list box select 11.3.0.
* Select iApp-Templates.
* Accept the license agreement.
* Select iapps-1.0.0.8.0.zip.
* Select the best download for your location.
* Save and then unzip the file on your local workstation.
  This file contains updated versions of the Exchange 2010 – 2013 Client Access Server and the Citrix XenApp XenDesktop iApp Templates.

TASK 4 – Download a Community-Contributed iApp Template from DevCentral

Access and log in to DevCentral, then find and download a community-contributed iApp Template to your workstation.

* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iApp.
* On the left navigation menu, select Samples.
* Under the Community-Contributed section, select MySQL Proxy iApp.
* Right-click on the green arrow, and then select Save Target As.
* Save and then unzip the file on your local workstation.
* Close the DevCentral Web page.

TASK 5 – Import iApp Templates Into the BIG-IP

Import iApp Templates into your BIG-IP system.

* In the Configuration Utility, open the iApp > Templates page.
* Click Import.
* Click Browse.
* Navigate to the location where you unzipped the downloaded Template files.
* Select f5.microsoft_exchange_2010_2013_cas.tmpl, and then click Open.
* Leave the Overwrite Existing Templates checkbox cleared and click Upload.
* Repeat the steps above to import mysql_proxy.2011-12-02.tmpl.
* Select the Application Services page, and then click Create.
* From the Templates list, select f5.microsoft_exchange_2010-2013_cas.v1.2.0cr1.
  You could now use this iApp Template for an application deployment.
* Create an archive file named 1.12_iApps_v11.4.0.1.
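
The pool settings entered in Task 6 of Exercise 1.12A (Weighted Least Connections (member), Priority Group Activation with a minimum of 2 active members, and the five members with their limits and priorities) can be explored offline with a small model. This is an added example, not part of the original guide and not F5 code; the activation rule, the tie-break by address, and port 80 for the two added members are simplifying assumptions.

```python
"""Offline model of the app_web pool from Exercise 1.12A, Task 6.

Assumed, simplified semantics (not F5 code):
- Priority Group Activation: start with the highest priority group and keep
  adding the next-highest group while fewer than `min_active` available
  members are active.
- Weighted Least Connections (member): choose the active member with the
  lowest ratio of current connections to its connection limit.
- A member is unavailable when its monitor marks it down or when it has
  reached its connection limit.
"""
from dataclasses import dataclass


@dataclass
class Member:
    address: str
    limit: int          # connection limit from the Task 6 table
    priority: int       # priority group (higher number is preferred)
    up: bool = True     # health monitor state
    conns: int = 0      # current connections

    @property
    def available(self) -> bool:
        return self.up and self.conns < self.limit


def build_pool(down=()):
    """Return the Task 6 pool; addresses listed in `down` are marked offline."""
    rows = [
        ("10.128.20.11:80", 1000, 8),
        ("10.128.20.12:80", 800, 8),
        ("10.128.20.13:80", 800, 6),
        ("10.128.20.14:80", 1200, 10),   # port 80 assumed, the guide omits it
        ("10.128.20.15:80", 1200, 10),   # port 80 assumed, the guide omits it
    ]
    return [Member(a, lim, prio, up=a not in down) for a, lim, prio in rows]


def active_members(pool, min_active=2):
    """Members eligible for new connections under priority group activation."""
    active = []
    for prio in sorted({m.priority for m in pool}, reverse=True):
        active += [m for m in pool if m.priority == prio and m.available]
        if len(active) >= min_active:
            break
    return active


def pick(pool, min_active=2):
    """Select one member by weighted least connections, or None if none is available."""
    candidates = active_members(pool, min_active)
    if not candidates:
        return None
    # Ties on the ratio are broken by address (an assumption of this model).
    return min(candidates, key=lambda m: (m.conns / m.limit, m.address))


def simulate(pool, requests, min_active=2):
    """Open `requests` connections that stay open; return connections per member."""
    for _ in range(requests):
        member = pick(pool, min_active)
        if member is None:
            break
        member.conns += 1
    return {m.address: m.conns for m in pool if m.conns}


if __name__ == "__main__":
    print("all members up:      ", simulate(build_pool(), 100))
    print("10.128.20.14 offline:", simulate(build_pool(down={"10.128.20.14:80"}), 300))
    print("limit reached:       ", simulate(build_pool(), 2500))
```

Comparing the model's output with the Pools statistics page after each change shows whether the deployed pool is steering traffic the way the configuration intends.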
View Persistence with Disabled and Offline Pool Members Exercise 1.8D – Using Match Across Virtual Servers Exercise 1.9A – Supporting SSL Traffic Exercise 1.9A – Supporting SSL Traffic Exercise 1.9B – Enabling SSL Offload Exercise 1.9A – Supporting SSL Traffic Exercise 1.10A – Using a NAT Exercise 1.10B – Using SNATs Exercise 1.11A – Writing your First iRule Exercise 1.11B – Using iRule Events Exercise 1.11C – Using Variables Exercise 1.11D – Using TCL and iRules Commands Exercise 1.11E – Using Conditional Statements Exercise 1.11F – Working with Lists Exercise 1.11G – Using iRules Best Practices Exercise 1.12A – Working with iApp Application Services Exercise 1.12B – Working with iApp Templates Exercise 10.C – Using Variables LTM Fundamentals Hands-On Exercise Guide F5 vLab version: 11.4.0.7 Written for: TMOS® Architecture v11.4.0 VMware Workstation 9.0.0 Virtual images: BIGIP-11.4.0.2384.0-scsi.ova LAMP 3.2 Last Updated: 11/18/2013 ©2013 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 
TABLE OF CONTENTS Table of Contents 3 Introduction 5 Module 1 Exercises – Initial Installation 7 Exercise 1.1 – VMware Workstation Configuration 7 Exercise 1.2 – Initial BIG-IP Configuration 13 Exercise 1.3 – User Access and System Preferences 23 Module 2 Exercises – Processing Traffic 29 Exercise 2.1 – Create an HTTP Pool and Virtual Server 29 Exercise 2.2 – Network Map 33 Module 3 Exercises – Virtual Servers 35 Exercise 3.1 – Virtual Server Priority 35 Exercise 3.2 – Forwarding and Reject Virtual Servers 39 Module 4 Exercises – Pools 43 Exercise 4.1 – Install Required Software 43 Exercise 4.2 – Create a Web Load Test 45 Exercise 4.3 –Load Balancing Methods 47 Exercise 4.4 –Priority Group Activation 49 Module 5 Exercises – Monitors 51 Exercise 5.1 – Using Monitors with Nodes 51 Exercise 5.2 – Using Monitors with Pools 55 Exercise 5.3 – Using an Inband Monitor 61 Exercise 5.4 – Using Manual Resume 63 Module 6 Exercises – Using Profiles 65 Exercise 6.1 – Using an HTTP Profile 65 Exercise 6.2 – Using a Stream Profile 69 Module 7 Exercises – Performance Profiles 71 Exercise 7.1 – Using Compression and Acceleration 71 Module 8 Exercises – Persistence Profiles 77 Exercise 1.8A – Using Source Address Persistence 77 Exercise 1.8B – Using Cookie Persistence 79 Exercise 1.8C – View Persistence with Disabled and Offline Pool Members 81 Exercise 1.8D – Using Match Across Virtual Servers 83 Module 9 Exercises – SSL Termination 85 Exercise 1.9A – Supporting SSL Traffic 85 Exercise 1.9B – Enabling SSL Offload 89 Module 10 Exercises – NATs and SNATs 93 Exercise 1.10A – Using a NAT 93 Exercise 1.10B – Using SNATs 95 Module 10 Exercises – iRules 99 Exercise 1.11A – Writing your First iRule 99 Exercise 1.11B – Using iRule Events 105 Exercise 1.11C – Using Variables 109 Exercise 1.11D – Using TCL and iRules Commands 113 Exercise 1.11E – Using Conditional Statements 119 Exercise 1.11F – Working with Lists 127 Exercise 1.11G – Using iRules Best Practices 133 Module 11 Exercises – iApps 
135 Exercise 1.12A – Working with iApp Application Services 135 Exercise 1.12B – Working with iApp Templates 143 INTRODUCTION Welcome to the F5 LTM Fundamentals Hands-on Exercise Guide. This guide provides hands-on experience with F5 BIG-IP® Local Traffic Manager™ (LTM). You can use these exercises and the virtual environment (vLab) – this includes VMware Workstation and BIG-IP® Virtual Edition (VE) – as a learning tool or to give customer demonstrations. Note, this guide is written for the following product and vLab version: * TMOS architecture v11.4.0 * VMware Workstation 9.0.0 * Virtual images: ? BIGIP 11.4.0.2384.0-scsi-ova ? LAMP 3.2 ? DoS_Tool 3.0 MODULE 1 EXERCISES – INITIAL INSTALLATION EXERCISE 1.1 – VMWARE WORKSTATION CONFIGURATION These steps guide you through requesting for a VMware Workstation license from IT, installing and configuring the VMware Workstation environment, downloading and installing the VMware images used in the environment, and making some required manual changes to the LAMP back-end server images. * Only perform this exercise if this is a first time setup of the vLab. * Use a Windows environment with this setup guide. * Estimated completion time: 15 minutes TASK 1 – Request a VMware Workstation License and Install the Trial Version ? Access https://f5.service-now.com (login using your Olympus credentials). ? From the left navigation menu, select Service Catalog. ? Under Software Requests, select VMware. ? Select the Desktop license. ? In the Select License Type list box, select Workstation (WIN/Linux). ? In the Business Justification field, type F5 vLab, and then click Order Now. You will receive your VMware Workstation license from IT. In the meantime you have 30 days to use the trial version of VMware Workstation. ? Access http://www.vmware.com/products/workstation/overview.html. ? Download and install the trial version of VMware Workstation 9. ?NOTE: These exercises are tested for VMware Workstation version 9. 
There may be issues with other versions. ? TASK 2 – Set Up the VMware Network Environment You will configure three VMware networks. VMnet1 acts as the Out of Band Management network for accessing the BIG-IP Configuration Utility. VMnet2 acts as the external network for users accessing virtual servers. VMnet3 acts as the internal VLAN where the back-end Web servers are located. ? Launch VMware Workstation, and then select Edit > Virtual Network Editor. ? Remove any existing VMnets EXCEPT for VMnet0. ? Click the Add Network button, and add VMnet1, VMnet2 and VMnet3. ? Select VMnet1, and configure as follows: o Enable the Host-only (connect VMs internally in a private network) option. o Select the Connect a host virtual adapter to this network checkbox. o Clear the Use local DHCP service to distribute IP address to VMs checkbox. o In the Subnet IP field enter 10.128.1.0, o In the Subnet mask field enter 255.255.255.0. ?NOTE: You will use this network to manage the BIG-IP VE system. This configures your local workstation with a VMware network adapter IP address of 10.128.1.1. ? ? Select VMnet2 and configure as follows: o Enable the NAT (shared host’s IP address with VMs) option. o Select the Connect a host virtual adapter to this network checkbox. o Clear the Use local DHCP service to distribute IP address to VMs checkbox. o In the Subnet IP field enter 10.128.10.0. o In the Subnet mask field enter 255.255.255.0. o Click the NAT Settings button. o In the Gateway IP field enter 10.128.10.2, and then click OK. ?NOTE: These NAT settings enable the BIG-IP VE system reach the Internet through your workstation’s network adapter. This configures your local workstation with a VMware network adapter IP address of 10.128.10.1. ? Select VMnet3, and configure as follows: o Enable the Host-only (connect VMs internally in a private network) option. o Clear the Connect a host virtual adapter to this network checkbox. 
o Clear the Use local DHCP service to distribute IP address to VMs checkbox. o In the Subnet IP field enter 10.128.20.0. o In the Subnet mask field enter 255.255.255.0. ?NOTE: Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to the internal network. This will avoid asymmetric routing issues and also enable you to demonstrate secure remote access and full proxy features. ? Click OK. TASK 3 – Download the Virtual Images Download the BIG-IP image file to your local workstation, and then download and unzip the VMware back-end server images. ? Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp. ? Click BIG-IP v11 x / Virtual Edition, and ensure that 11.4.1 is selected in the product version list box. ? Click Virtual-Edition, and then accept the license agreement. ? Click BIGIP-11.4.1.608.0-scsi.ova. ? Click the best download link for your location. ? Save the file to a directory on your local workstation. ?NOTE: Ensure the location of this directory has at least 6GB of free disk space. ? Access ftp://wafer.f5net.com/outgoing/F5_Virtual_Environment_Setup_VMware/. ? Download the following files: o Exercise_Files.zip o LAMP_3.2.7z ? Unzip each downloaded file in the local directory you created earlier in this task. TASK 4 – Install the BIG-IP VE System VMware Image Use VMware Workstation to open and install the BIG-IP VE image file. ? In VMware Workstation, go to File > Open. ? Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.4.1.608.0-scsi.ova image file, and then click Open. ? Name the new virtual machine BIGIP_A1_v11.4. ? Enter or browse to a location with at least 4GB of free disk space and click Import. ? Click the Accept button. It will take a few minutes for the image to import. ? 
After the import completes, select BIGIP_A1_v11.4 from the Library menu, and then click Edit virtual machine settings. ? Map the network adapters to the appropriate VMware networks using the following table: Network Adapter Custom (VMnet1) Network Adapter 2 Custom (VMnet2) Network Adapter 3 Custom (VMnet3) Network Adapter 4 Bridged (Automatic) ? Click OK. TASK 5 – Install the LAMP VMware Image Use VMware Workstation to open and install the LAMP VMware server images. ? In VMware Workstation, go to File > Open. ? Select the LAMP_3.2.vmx image file, and then click Open. ? In the VMware Workstation dialog box, click Take Ownership. ? Select LAMP_3.2 from the Library menu, and then click Edit virtual machine settings. ? Map the network adapters to the appropriate VMware networks using the following table: Network Adapter Connect at power on (yes) Custom (VMnet1) Network Adapter 2 Connect at power on (no) Custom (VMnet2) Network Adapter 3 Connect at power on (yes) Custom (VMnet3) Network Adapter 4 Connect at power on (no) Bridged ? Click OK. TASK 6 – Edit the Settings of the LAMP Image The LAMP image requires some manual network configuration changes. ? Select LAMP_3.2 from the Library menu, and then click Power on this virtual machine. ? Within the VMware Workstation window, leave Ubuntu selected and press the Enter key. ? After the image powers on, within the VMware Workstation window (and within the LAMP desktop) click Login. ? Click the Applications Menu icon on the top-left of the screen, and then select Settings Manager. ? In the Hardware section, click Network Connections. ? Select Wired connection 1, and then click Edit. ? From the Device MAC address list box, select the MAC address for eth0. ? Click Save, and then repeat these steps for the following: o Wired connection 2 --> eth1 o Wired connection 3 --> eth2 o Wired connection 4 --> eth3 ? Delete Wired connection 5 – Wired connection 8. 
?NOTE: The wired connection entries will not be removed from the Network Connections list until you reboot the image. ? Close the Network Connections and Settings dialog boxes. ? In VMware Workstation, right-click LAMP_3.2 in the Library menu and select Power > Power Off. ? Right-click LAMP_3.2 in the Library menu and select Snapshot > Take Snapshot. ? Name the snapshot LAMP_3.2_Clean, and then click Take Snapshot. EXERCISE 1.2 – INITIAL BIG-IP CONFIGURATION In this exercise you will configure the BIG-IP management interface, you’ll use TMSH to create a VLAN and a self IP address, and you’ll request and install a BIG-IP VE license key. * Your workstation needs Internet access to complete the licensing portion of this exercise. * Required virtual images: BIGIP_A1_v11.4 * Estimated completion time: 25 minutes TASK 1 –Configure BIG-IP Management Interface Settings Power on the BIG-IP VE image, configure the management interface settings, and then use TMSH to create the external VLAN, self IP address, and default gateway route. ? Click BIG_A1_v11.4 from the Library menu, and then click Power on this virtual machine ?NOTE: You may experience issues when attempting to power on the BIG-IP virtual machine. If you receive an incompatibility message regarding 64-bit operation, complete Task 1.1. ? After the BIG-IP VE system has powers on, you are presented with the localhost login screen. ? Log in to the BIG-IP system using the following credentials: localhost login: root Password: default ? At the CLI prompt, type: config ? Configure the management interface using the following information: IP Address 10.128.1.245 Network Mask 255.255.255.0 Default Route 10.128.1.1 ? TASK 1.1 –Configure your System BIOS and BIG-IP Management Interface Settings Complete this task ONLY if you receive an incompatibility message regarding 64-bit operation. ? You may receive the following dialog box: This is an issue with the Intel virtualization. 
To resolve it, you must reconfigure your system BIOS ? Access your system BIOS. To find the disabled virtualization features, perform the following, depending on the model of your devices: o Go to Configuration, and then enable Intel Virtual Technology. o Go to Security > Virtualization, and then enable Intel (R) Virtualization Technology and Intel (R) VT- d Feature. ? Press F10 to save and exit the system BIOS. The system reboots and you can proceed. ? Launch VMware Workstation. ? Click BIG_A1_v11.4 from the Library menu, and then click Power on this virtual machine ? After the BIG-IP VE system powers on, you are presented with the localhost login screen. ? Log in to the BIG-IP system using the following credentials: localhost login: root Password: default ? At the CLI prompt, type: config ? Configure the management interface using the following information: IP Address 10.128.1.245 Network Mask 255.255.255.0 Default Route 10.128.1.1 TASK 2 –Generate an Evaluation License Key Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license. ? Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com ? Click Eval Key Generator, and log in using your Olympus credentials. ?NOTE: Ensure you are not selecting Dev Key Generator. ? Leave the Generate Eval Base Keys option selected. ? From the Product Line list box, select BIG-IP. ? From the Product list box, select F5-BIG-VE-LAB-LIC. ?NOTE: Ensure you are selecting the license above before moving on. ? Select the 45 Days option, and then click Next. ? On the License Configuration Options page change the Number of Product Keys to Generate to 10. ? Select the GTM, VE and the BIG-IP, LAB (LTM,APM,ASM,AM, GTM), VE checkboxes, and then click Next. The evaluation key is emailed to your F5.com address. ? Once the F5 Development Registration Key email is delivered to your inbox, open it and copy one of the registration keys. 
TASK 3 – Access the BIG-IP VE System Access the management port of the BIG-IP VE system using a Web browser. ? Open up a Web browser and access https://10.128.1.245. ? Proceed with the untrusted security certificate. ? Log in to the BIG-IP system using the following credentials: Username: admin Password: admin The BIG-IP VE system does not yet have a license. TASK 4 – Activate the BIG-IP System Use the manual licensing method with the registration key emailed to you to activate the BIG-IP VE system. ? On the Welcome page, click Next. ? On the License page, click Activate. ? In the Base Registration Key field, paste the registration key text. ? For Activation Method, select Manual. ? Click Next. ? Select and copy all of the dossier text to your clipboard. ? Click the F5 Licensing Server link. ? Paste the dossier text in the field, and then click Next. ? Accept the license agreement, and then click Next. ? Select and copy all of the license key text to your clipboard, and then close the Activate F5 Product Web page. ? On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next. The BIG-IP VE system configuration updates. This takes several seconds. ? After the configuration changes complete, log in to the BIG-IP VE system. ? TASK 5 – Complete the Setup Utility Complete the remaining steps of the Setup Utility. ? On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next. ? On the Device Certificate page click Next. ? On the Platform page, configure these settings using the following information: Host Name bigipA1.f5demo.com Root Account (Password and Confirm) default Admin Account (Password and Confirm) admin ? Click Next. ? You are prompted to log out and log back in to the BIG-IP VE system. Click OK. ? Log back in to the BIG-IP VE system. ? Under Standard Network Configuration, click Next. ? Clear the Display configuration synchronization options checkbox. ? Click Next. 
? In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information: Self IP Address 10.128.20.240 Self IP Netmask 255.255.255.0 Port Lockdown Allow Default VLAN Interfaces Untagged: 1.2 ? Click Next. ? ? In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information: External VLAN Create VLAN external Self IP Address 10.128.10.240 Self IP Netmask 255.255.255.0 Port Lockdown Allow 443 Default Gateway 10.128.10.2 VLAN Interfaces Untagged: 1.1 ? Click Finished. You are presented with the BIG-IP Web Configuration Utility. ? To find manuals and product information, click the User Documentation link to go to AskF5. The AskF5 knowledge base Web site displays. You can use this site to view knowledge base articles and download product manuals. ? Close the Ask F5 Web page. ? Click the Run the Setup Utility link. You can run the Setup Utility at any time. However, you can also make changes manually using the Network option on the left navigation menu. ? TASK 6 – Review Configuration Objects Use the Configuration Utility to view the TMOS objects created with the Setup Utility. ? Open the Network > VLANs > VLANs List page. The Setup Utility created two VLANs: external and internal. ? Open the Network > Self IPs page. The Setup Utility created two self IP addresses: Self IP Address VLAN 10.128.10.240 external 10.128.20.240 internal ? Open the Network > Routes page. The Setup Utility created the following route: Name Resource external_default_gateway 10.128.10.2 TASK 7 – Explore Command Line Access (CLI) and tmsh Access the BIG-IP system and view configuration details using an SSH client (such as Putty). ? Use an SSH client (such as Putty) to connect to the external self IP address 10.128.10.240. 
You are unable to open the BIG-IP system because the Port Lockdown option of the external self IP address is set to allow access for TCP port 443 only. ? In the Configuration Utility, open the Network > Self IPs page. ? Click 10.128.10.240. ? Add TCP port 22 to the Custom List. ? Click Update. ? Use the SSH client again to connect to 10.128.10.240. ? In the PuTTY Security Alert dialog box, click Yes. ? Log in to the BIG-IP CLI using the following credentials: Username: root Password: default ? At the CLI, type: tmsh list net se (and then press the Tab key) Question: Did autocorrect display options? _____________________ ? At the CLI, complete the following: tmsh list net self Question: What information is listed? ________________________________ ? At the CLI, type: tmsh ? At the tmos prompt, type: list net vl (and then type the Tab key) Questions: Did autocorrect display options? _______________________ Which options are available? _______________________________________ Why did the tmos prompt replace “list net vl” with “list net vlan”? _______________________________________________________________________ ? Press the Enter key. Question: What information is listed? ________________________________ ? At the tmos prompt, navigate to another location by typing the following: ltm node ? At the tmos prompt, type: ? TMOS displays the commands you can use at this point. ? At the tmos prompt, type: q (NOTE: This will exit the list of command presented by the “?”) create ? TMOS displays available commands and required objects. The create command requires a name to identify the node. ? At the tmos prompt, type: create test_node? The create command followed by a name requires a text name or an IP address. ? At the tmos prompt, type: create test_node address ? You must include an IP address. ? At the tmos prompt, type: create test_node address 10.20.30.40 list ? In the Configuration Utility, open the Local Traffic > Nodes > Node List page. 
You created a node on the BIG-IP VE system. ? In the SSH client, at the tmos prompt, type: delete test (and then press the Tab key) There is only one possible option, so autocorrect completes the next word. ? Press the Enter key to complete the delete command. ? In the Configuration Utility, refresh the Node List page. You’ve removed the node from the BIG-IP VE system. ? In the SSH client, at the tmos prompt, type: / (this brings you back to the root TMOS level) quit ? At the CLI, type: exit EXERCISE 1.3 – USER ACCESS AND SYSTEM PREFERENCES In this exercise you will verify the default capabilities of the built-in admin and root user accounts. You’ll then create a new BIG-IP user account and experiment with two user roles. Finally, you’ll examine the log files and create an archive file. * Required virtual images: BIGIP_A1_v11.4 * Estimated completion time: 15 minutes TASK 1 – Verifying User Access Attempt to log in using the SSH client and the admin user account. ? Open a new SSH session and connect to 10.128.10.240. ? Attempt to log in using the following credentials: Username: admin Password: admin By default, you cannot open an SSH session using the admin account. ? In the Configuration Utility, open the System > Users > User List page. ? Click admin. ? From the Terminal Access list box, select Advanced shell. ? Click Update. ? Use the SSH client again to connect to: 10.128.10.240, and then log in using the admin account. ? Close the SSH session. ? In the Configuration Utility, attempt to log back in to the BIG-IP VE system using the following credentials: Username: root Password: default You cannot log in to the Configuration Utility using the root account. You can only use the root account for CLI access. ? TASK 2 – Create a New BIG-IP User Account Use the Configuration Utility to create a new BIG-IP VE system user account for yourself and experiment with the different user roles. ? Log in to the BIG-IP system using the admin account. ? 
* Open the System > Users > User List page.
* Create a new user account using the following information, and then click Finished.
    User Name          your first name
    Password           your last name (all lowercase)
    Role               Operator
    Partition Access   All
    Terminal Access    tmsh
* Use the SSH client to access: 10.128.10.240, and then log in using your new user account.
  Question: Are you at the CLI prompt or the tmos prompt? _________________________
* At the tmos prompt, type:
    ltm node create test_node address 10.20.30.40
  You receive a syntax error: incomplete command.
* At the tmos prompt, type:
    create ?
  Your user account does not have privileges to create nodes.
* At the tmos prompt, type:
    quit
  Because you only have TMSH access, quitting TMSH ends the SSH session.
* In the Configuration Utility, click Log out.
* Log back into the Configuration Utility using your new user account.
* Open the Local Traffic > Pools > Pool List page.
  Question: Why are the Create and Delete buttons greyed out? ________________________________
* Open the System > Users > User List page.
* Click your user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
* Log out, and then log back in using the admin account.
* Open the System > Users > User List page.
* Click your new user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
* Change the user’s Terminal Access to Advanced shell.
* Click Update.
* Log out, and then log in using your new user account with the WRONG password. (NOTE: You will view this failed login attempt in the LTM audit log.)
* Log in using your new user account with the correct password.
* Open the Local Traffic > Pools > Pool List page.
  You now have privileges to create and delete pools.

TASK 3 – View Logging Information
View recent security logging activity using an SCP client (such as WinSCP).
* Use an SCP client (such as WinSCP) to access 10.128.10.240 with your new user account and password.
* On the right side, navigate to the / level.
* Navigate to the /var/log directory.
* Open the secure log file and then scroll to the bottom.
* Locate the log entry for the failed login attempt by your user account.
* Close the secure log file and the SCP client.
* In the Configuration Utility, open the System > Logs > Audit > List page.
* Type fail in the search field, and then click Search.
* Locate the log entry for the failed login attempt by your user account.

TASK 4 – Update System Preferences
Update the BIG-IP VE system preferences with custom settings.
* Open the System > Preferences page.
* From the System Settings list, select Advanced.
* Change the Records Per Screen value to 20.
* From the Start Screen list box, select Statistics.
* Select the Redirect HTTP to HTTPS checkbox.
* Update the Idle Time Before Automatic Logout value to 100000.
* Update the Security Banner Text to Show on the Login Screen to:
    Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.
* Click Update.
* Click Log out.
* Change the URL to http://10.128.1.245.
  You are redirected to the HTTPS site, and the Login page now displays the custom message.
* Log in using your new user account.
  The startup page is now the Statistics page.

TASK 5 – Create an Archive File
Use the command line to create an archive file.
* Use the SSH client to connect to: 10.128.10.240, and then log in using your new user account.
* At the CLI, type:
    tmsh
* At the TMOS prompt, type:
    sys ucs ?
* Use the Enter key to scroll through the available commands.
* At the tmos prompt, type:
    q
    save ? 1.3_initial_setup_v11.4.1.1.ucs ?
  You can create a passphrase when needed.
* Press Enter to create the archive file.
* Quit TMSH, and then exit the SSH client.
* In the Configuration Utility, open the System > Archives page.
  You created a new archive file on the BIG-IP VE system.

MODULE 2 EXERCISES – PROCESSING TRAFFIC

EXERCISE 2.1 – CREATE AN HTTP POOL AND VIRTUAL SERVER
In this exercise you will configure a pool for HTTP Web servers, a virtual server that uses the HTTP pool, and then verify its functionality. You’ll then update the SNAT settings for the virtual server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Pool
Create a pool containing three HTTP pool members.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Open a Web browser and access https://10.128.1.245.
* Log in with the new user account you created in Exercise 1.3.
* Open the Local Traffic > Pools > Pool List page, and then click Create.
* Create a pool using the following information:
    Name                        http_pool
    Load Balancing Method       Round Robin
    Priority Group Activation   Disabled
    New Members (Click Add for each entry)
        Address        Service Port
        10.128.20.11   80
        10.128.20.12   80
        10.128.20.13   80
* Click Finished.
* Open the Local Traffic > Nodes > Node List page.
  The BIG-IP VE system automatically creates a node for each pool member.

TASK 2 – Create a Virtual Server that Uses the Pool
Create an HTTP virtual server that uses the HTTP pool you created previously.
* Open the Local Traffic > Virtual Servers > Virtual Server List page, and then click Create.
* Create a virtual server using the following information:
    Name           http_vs
    Type           Standard
    Destination    Host: 10.128.10.20
    Service Port   80 (HTTP)
    State          Enabled
    Default Pool   http_pool
* Click Finished.

TASK 3 – Verify the Virtual Server and Pool Functionality
Access the virtual server and ensure that you’re receiving information from all three pool members.
* Use a new Web browser and access the virtual server at http://10.128.10.20.
  You should see page elements coming from all three of the pool members.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
  Question: How many connections were opened to create the Web page? ___________
* In the F5 vLab Test Web page, type Ctrl+F5 once, to force the browser to refresh without using its cache.
* In the Configuration Utility, from the Statistics Type list box, select Pools.
  Questions:
    Did traffic go to each pool member? _____________
    Did each member manage approximately the same number of connections? __________

TASK 4 – Modify the Virtual Server SNAT Setting
Identify the effects of adding SNAT Automap to the virtual server.
* In the F5 vLab Test Web page, review the Request Details and examine the Client IP address/port.
  Questions:
    What is the client IP address? ________________________
    Which device “owns” this IP address? ___________________________
* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Click http_vs.
* From the Source Address Translation list box, select Auto Map, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  Question:
    What is the client IP address? ________________________
    Which device “owns” this IP address? ___________________________
* Close the F5 vLab Test Web page.
* In the Configuration Utility, change the Source Address Translation back to None, and then click Update.

EXERCISE 2.2 – NETWORK MAP
In this exercise you will use the Network Map feature to examine availability information on virtual servers, pools, pool members, and nodes.
* Estimated completion time: 10 minutes

TASK 1 – View Configuration and Status from the Network Map
* In the Configuration Utility, open the Local Traffic > Network Map page.
* Use the mouse to hover over the virtual server and pool objects and notice the information displayed for each object.
* Hover over the pool member objects and notice the information displayed.
* Click the 10.128.20.11:80 pool member.
  The pool member properties page displays.
* In the Parent Node row, click 10.128.20.11.
  The node properties page displays.
* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* Open the Members page.
* Select the checkbox for 10.128.20.11:80, and then click Disable.
* Return to the Network Map page.
* In the Search box, type 20.12, and then click Update Map.
  All objects that match the search criteria are highlighted.
* Click the 10.128.20.11:80 pool member.
* In the State row, select the Enabled option to re-enable this pool member, and then click Update.

TASK 2 – Reset Statistics
Reset the statistics for the virtual server, the pool, and all of the pool members.
* Open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
* Select the http_vs checkbox, and then click Reset.
* From the Statistics Type list box, select Pools.
* Use the Select All checkbox to select the http_pool and all three members, and then click Reset.

TASK 3 – View the Local Traffic Log File
Use the Local Traffic log file to identify pool member availability.
* Open the System > Logs > Local Traffic page.
* Click the Timestamp column header to sort in descending order. (The most recent entry should be at the top of the list.)
* In the Search box type disabled, and then click Search.
  You can quickly identify when a pool member or node has been disabled.

TASK 4 – Saving the Configuration
Use the Configuration Utility to create an archive file.
* Open the System > Archives page, and then click Create.
* Create an archive using the following information, and then click Finished.
    File Name      2.2_processing_traffic_v11.4.1.1
    Encryption     Disabled
    Private Keys   Include

MODULE 3 EXERCISES – VIRTUAL SERVERS

EXERCISE 3.1 – VIRTUAL SERVER PRIORITY
In this exercise you will configure a pool and a virtual server that listen on all ports, and then test application access using the virtual server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Wildcard Pool
Create a pool containing three pool members listening on all ports.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Pools > Pool List page.
* Create a new pool using the following information, and then click Finished.
    Name                        open_pool
    Load Balancing Method       Round Robin
    Priority Group Activation   Disabled
    New Members (Click Add for each entry)
        Address        Service Port
        10.128.20.11   * All Services
        10.128.20.12   * All Services
        10.128.20.13   * All Services
* Open the Local Traffic > Nodes > Node List page.
  Questions:
    Did BIG-IP LTM create new nodes for this pool? _________________
    If no, why not? ____________________________________________________________

TASK 2 – Create a Wildcard Virtual Server
Create a virtual server listening on all ports that references the pool you created in the previous task.
* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name           open_vs
    Type           Standard
    Destination    Host: 10.128.10.20
    Service Port   * All Ports
    Default Pool   open_pool

TASK 3 – Verify the Virtual Server and Pool Functionality
Access the wildcard virtual server and ensure that you’re receiving information from all three pool members.
* Open the Statistics > Module Statistics > Local Traffic page, and then select to view Virtual Server statistics.
* Verify that the statistics for all virtual servers are reset.
* Use a new Web browser and access the virtual server at http://10.128.10.20.
* In the Configuration Utility, on the Virtual Servers statistics page, click Refresh.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use an SSH client to access 10.128.10.20.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close PuTTY.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use a new Web browser to access the secure virtual server at https://10.128.10.20.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
  The HTTP request was directed to http_vs, as this virtual server is more specific than open_vs. The SSH and HTTPS requests were directed to open_vs.
* Delete both the open_vs and the open_pool objects.

EXERCISE 3.2 – FORWARDING AND REJECT VIRTUAL SERVERS
In this exercise you will configure and test a forwarding network virtual server. You’ll then configure and test a reject virtual server for SSH access. Lastly, you’ll create a forwarding host virtual server for SSH access to a single server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Disable the Current Virtual Server
Disable the current HTTP virtual server, and add a route from your workstation to the 10.128.20.0 network.
* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Select the http_vs checkbox, and then click Disable.
  NOTE: You must disable this virtual server in order to use those you’ll create later in this exercise.
* Use a Web browser to attempt to access a Web server directly at http://10.128.20.13.
  The request fails, as you do not have direct access to the 10.128.20.0 network.
* On your workstation, open a command prompt.
  NOTE: You may need to run the command prompt as a local administrator. If so, go to the Start menu and type cmd, then right-click cmd.exe and select Run as administrator.
* At the command prompt, type:
    route add 10.128.20.0 mask 255.255.255.0 10.128.10.240
  This adds a route to the 10.128.20.0 network through the external self IP address of the BIG-IP VE system.
  NOTE: You cannot run the route add command while connected to an F5 VPN.
* Leave the command prompt window open.
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13.
  The request fails again, as the BIG-IP VE system does not have a listener to forward this request to the internal network.

TASK 2 – Create a Forwarding (IP) Virtual Server
Create a forwarding (IP) virtual server for the 10.128.20.0 network.
* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name           forward_vs
    Type           Forwarding (IP)
    Destination    Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port   * All Ports
    Protocol       * All Protocols
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13.
  The request is successful. Note in the Request Details section, the virtual server address is the same as the pool member address. The virtual server did not process the packet, but simply forwarded it to the internal network.
* Change the URL to https://10.128.20.12.
* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close the SSH session and the F5 vLab Test Web page.
  You now have access to all ports and all protocols on the 10.128.20.0 network.

TASK 3 – Create a Reject Virtual Server
Create a reject virtual server to reject SSH traffic going to the 10.128.20.0 network.
* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name           reject_vs
    Type           Reject
    Destination    Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port   22 (SSH)
* Use an SSH client to connect to 10.128.20.11.
* When your request times out, close the SSH session.
* Use a Web browser to access http://10.128.20.11.
  Although you still have HTTP access to 10.128.20.11, you no longer have SSH access to any hosts on the 10.128.20.0 network.
* Close the F5 vLab Test Web page.

TASK 4 – Create a Forwarding Host Virtual Server
Create another forwarding (IP) virtual server, enabling SSH traffic to 10.128.20.11 only.
* In the Configuration Utility, on the Virtual Server List page, create a virtual server using the following information, and then click Finished.
    Name           ssh_vs
    Type           Forwarding (IP)
    Destination    Host: 10.128.20.11
    Service Port   22 (SSH)
* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Open a new SSH session and connect to 10.128.20.12.
* When your request times out, close the SSH session.
  You now have access to all ports and protocols on the 10.128.20.0 network except for port 22. You only have access to port 22 on host 10.128.20.11.
* In the Configuration Utility, delete forward_vs, reject_vs, and ssh_vs.
* Re-enable http_vs.
* In the command prompt window, type:
    route DELETE 10.128.20.0
* Close the command prompt.

TASK 5 – Saving the Configuration
Use the Configuration Utility to create an archive file.
* Open the System > Archives page.
* Create an archive using the following information, and then click Finished.
    File Name      3.2_virtual_servers_v11.4.1.1
    Encryption     Disabled
    Private Keys   Include

MODULE 4 EXERCISES – POOLS

EXERCISE 4.1 – INSTALL REQUIRED SOFTWARE
You will need to install and configure JMeter in order to use this exercise guide.
* Do not perform exercise 4.1 if you already have JMeter installed.
* Estimated completion time: 10 minutes

TASK 1 – Download and Install JMeter
Download and install JMeter.
* Use a Web browser to access http://jmeter.apache.org/download_jmeter.cgi.
* From the Binaries section, download either the TGZ or ZIP file of the latest version of Apache JMeter.
* Extract the downloaded file on your workstation.
  You will use the bin/jmeter.bat program to create a Web server load simulation.

TASK 2 – Configure a Path Value for Java.exe
In order to use JMeter your workstation must have a path variable value for accessing java.exe.
* On your workstation open C:\Program Files.
* Open the Java folder. If there is no folder named Java, look in the Program Files (x86) folder.
* Open jre7, and then open bin. Verify that this folder contains the java.exe executable file.
* Right-click in the address bar and select Copy address.
* Open the Start menu, and then type environment in the search bar.
* Click Edit environment variables for your account.
* In the Environment Variables dialog box, in the User variables for section, do one of the following:
    o If there is an existing path variable:
        * Select path, and then click Edit.
        * At the end of the existing Variable value, add a semi-colon, and then paste the address text.
    o If there is not an existing path variable:
        * Click New.
        * Name the new variable path.
        * In the Variable value field, paste the address text.
* Click OK twice.

EXERCISE 4.2 – CREATE A WEB LOAD TEST
Use JMeter to record a visit to your virtual server, and then create a load configuration to simulate 50 users accessing the recording.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Use JMeter to Record a Visit to the Web Site
Use JMeter to record a series of requests to the http_vs virtual server.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* In the location where you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
  NOTE: If you do not have JMeter installed, return and complete Exercise 4.1.
* In the navigation panel, right-click Test Plan, and then select Add > Threads (Users) > Thread Group.
* Change the name to 10.128.10.20 Test.
* In the Number of Threads (Users) field, enter 100.
* In the Loop Count field, enter 3.
* Go to File > Save, and save the file as 10.128.10.20_Test.jmx.
  This will simulate 100 users accessing the BIG-IP VE system and visiting each page three times.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Config Element > HTTP Request Defaults.
    o In the Server Name or IP field, enter 10.128.10.20.
    o In the Port Number field, enter 80.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
    o Change the name to Home Page
    o In the Path field, enter /
    o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
    o Change the name to Welcome Page
    o In the Path field, enter /welcome.php
    o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Listener > Summary Report.
* Click the Save button.

TASK 2 – Use JMeter to Simulate Multiple Visits to the Web Site
Use JMeter to play the recording to the downstream Web site.
* In JMeter, select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 600, the test is complete.

TASK 3 – Verify Virtual Server and Pool Statistics
View the virtual server and pool statistics, and then reset all statistics.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select to view the Pools statistics.
  Question: Were the connections distributed evenly between the three pool members? ________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.3 – LOAD BALANCING METHODS
In this exercise you will change the load balancing method to Ratio and view the resulting behavior.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Configure Ratio Member Load Balancing
Update the http_pool by changing the load balancing method to Ratio (member), and then assign ratio values to the different pool members.
* Open the Local Traffic > Pools > Pool List page.
* Click http_pool.
* Open the Members page.
* In the Load Balancing section, from the Load Balancing Method list box, select Ratio (member).
* Click Update.
* In the Current Members section, click 10.128.20.11:80.
* Within the Configuration section, set the Ratio value to 4.
* Click Update, and then return to the Members page.
* Update the remaining pool members with the following information:
    Member            Ratio
    10.128.20.12:80   2
    10.128.20.13:80   1
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 600, the test is complete.
* In the Configuration Utility, view the Pools statistics.
  Questions:
    Were the connections distributed evenly? _____________
    Were the connections distributed using a 4 – 2 – 1 ratio? _____________
* Reset the statistics for the pool and all pool members.

TASK 2 – Configure Weighted Least Connections Load Balancing
Update the http_pool by assigning connection limit values to the different pool members and then changing the load balancing method to Weighted Least Connections (member).
* Click to edit the http_pool object, and then open the Members page.
* Update the pool members with the following information:
    Member            Connection Limit
    10.128.20.11:80   1200
    10.128.20.12:80   250
    10.128.20.13:80   50
  NOTE: Ensure that all three pool members have Connection Limit values before proceeding.
* Change the Load Balancing Method to Weighted Least Connections (member), and then click Update.
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 600, the test is complete.
* Close JMeter.
* In the Configuration Utility, view the Pools statistics.
  Question: Were the pool members utilized properly based on the configured connection limits? _________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.4 – PRIORITY GROUP ACTIVATION
In this exercise you will enable priority group activation, and then add two additional pool members to the HTTP pool. You’ll then examine how the BIG-IP system utilizes the pool members.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Enable Priority Group Activation
Update the http_pool by enabling priority group activation, and then assign priority values to the different pool members. Add two additional members to the pool.
* Click to edit the http_pool object, and then open the Members page.
* In the Priority Group Activation list box, select Less than.
* In the Available Member(s) field, enter 2, and then click Update.
* Update the pool members with the following information:
    Member            Priority Group
    10.128.20.11:80   8
    10.128.20.12:80   8
    10.128.20.13:80   4
* Add new pool members using the following information:
    Address        Service Port   Ratio   Priority Group   Connection Limit
    10.128.20.14   80             1       4                10
    10.128.20.15   80             1       3                10
* Use a Web browser to access http://10.128.10.20.
* Use Ctrl+F5 several times to refresh the page.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.11:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request?
  _____________________________
  With priority group activation set to 2 members, why are there now three members supplying content? ___________________________________________________________________________
* In the Configuration Utility, disable pool member 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Using priority group activation, we can always be assured that we have at least two pool members available to fulfill user requests.
* In the Configuration Utility, re-enable pool members 10.128.20.11:80 and 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  For the first couple of refreshes, content should still come from node #5 (10.128.20.15:80), because the connections had yet to close. Eventually you will notice requests come only from 10.128.20.11, 10.128.20.13, and 10.128.20.14.
* In the Configuration Utility, re-enable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  After refreshing a couple of times, all requests now come from 10.128.20.11 and 10.128.20.12 only.
* Close the F5 vLab Test Web page.
* Update the http_pool by changing the Priority Group Activation value back to Disabled, and then click Update.
* Create an archive file named 4.4_pools_load_balancing_v11.4.1.1.

MODULE 5 EXERCISES – MONITORS

EXERCISE 5.1 – USING MONITORS WITH NODES
In this exercise you will assign the default monitor to be used for all nodes, in addition to assigning a node-specific monitor as well as disassociating the default monitor from a node.
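The member selection observed in Exercise 4.4 (Priority Group Activation set to Less than 2) can be replayed with a small model. This is an added example, not part of the F5 guide; it assumes a member is simply enabled or disabled and ignores monitors, connection limits and connections that have yet to close.

```python
from dataclasses import dataclass


@dataclass
class Member:
    address: str
    priority: int          # Priority Group value; higher is preferred
    enabled: bool = True   # False models a member disabled in the Configuration Utility


def active_members(members, min_available):
    """Return the members that receive new connections under "Less than N".

    Groups are taken from the highest priority value downward. While fewer
    than min_available members have been selected, the next lower group is
    activated as a whole, which is why the result can exceed min_available.
    """
    groups = {}
    for m in members:
        if m.enabled:
            groups.setdefault(m.priority, []).append(m.address)
    selected = []
    for priority in sorted(groups, reverse=True):
        if len(selected) >= min_available:
            break
        selected.extend(groups[priority])
    return sorted(selected)


def lab_pool():
    """http_pool as configured in Exercise 4.4, Task 1."""
    members = [
        Member("10.128.20.11:80", 8),
        Member("10.128.20.12:80", 8),
        Member("10.128.20.13:80", 4),
        Member("10.128.20.14:80", 4),
        Member("10.128.20.15:80", 3),
    ]
    return {m.address: m for m in members}


def run_exercise(min_available=2):
    """Replay the disable/re-enable steps and record the active set after each."""
    pool = lab_pool()
    steps = [
        ("initial", {}),
        ("disable .11", {"10.128.20.11:80": False}),
        ("disable .13", {"10.128.20.13:80": False}),
        ("disable .12", {"10.128.20.12:80": False}),
        ("re-enable .11 and .13", {"10.128.20.11:80": True, "10.128.20.13:80": True}),
        ("re-enable .12", {"10.128.20.12:80": True}),
    ]
    history = []
    for label, changes in steps:
        for address, enabled in changes.items():
            pool[address].enabled = enabled
        history.append((label, active_members(pool.values(), min_available)))
    return history


if __name__ == "__main__":
    for label, active in run_exercise():
        print(f"{label:24} -> {', '.join(active)}")
```

With one member of group 8 disabled, the whole of group 4 is activated, so three members serve traffic even though the threshold is two.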
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Verify the Snapshot for the LAMP Image
In these exercises you will make modifications to the LAMP VMware image. Ensure that you have a snapshot before moving on.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 and select Snapshot.
* If you do not have a snapshot named LAMP_3.2_Clean, select Take Snapshot, and name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.
* Power on the BIGIP_A1_v11.4 and LAMP_3.2 images.

TASK 2 – Assign a Default Monitor for all Nodes
Assign the BIG-IP system default icmp monitor as the default monitor for all nodes.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Nodes > Node List page.
* Examine the Status of the listed nodes.
* Open the Default Monitor page.
* Select icmp from the Available list, then click <<, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

TASK 3 – Create a Custom ICMP Monitor
Create a custom ICMP monitor that will be used with only one node.
* Open the Local Traffic > Monitors page, and then click Create.
* Create a new monitor using the following information, and then click Finished.
    Name             custom_icmp_monitor
    Type             ICMP
    Parent Monitor   icmp
    Interval         4
    Timeout          13
    Transparent      No

TASK 4 – Assign the Custom Monitor to a Specific Node
Assign the custom icmp monitor to 10.128.20.12.
* Open the Local Traffic > Nodes > Node List page, and then click 10.128.20.12.
* Assign the monitor to the node using the following information:
    Health Monitors            Node Specific
    Select Monitors: Active    custom_icmp_monitor
    Availability Requirement   All
* Click Update.

TASK 5 – Assign No Monitors to a Specific Node
Assign no monitors to 10.128.20.13.
* On the Node List page, click 10.128.20.13.
* From the Health Monitors list box, select None, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.
  The BIG-IP system default icmp monitor has been assigned to the Node Default monitor and these nodes are using that monitor:
    * 10.128.20.11
    * 10.128.20.14
    * 10.128.20.15
  The custom_icmp_monitor is assigned to node 10.128.20.12. There is no monitor assigned to node 10.128.20.13. This is not a recommended configuration. This setup is only to demonstrate three methods to assign monitors to nodes.

EXERCISE 5.2 – USING MONITORS WITH POOLS
In this exercise you will create a custom HTTP monitor and assign the monitor to the HTTP pool. You will then view the effects of using monitors on the virtual server, pool, pool members, and nodes.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Check Current Pool Member Status
Use the Pool List page to examine the current status of the members of the HTTP pool.
* Open the Local Traffic > Pools > Pool List page.
* Click http_pool, and then open the Members page.
* Examine the Status of the listed members.
  Question: Will BIG-IP LTM distribute traffic to pool members that are unknown? _____________

TASK 2 – Create a Custom HTTP Monitor
Create a custom HTTP monitor that requests a specific Web page from the pool member and that verifies a specific text string is returned in the HTTP response.
* Open the Local Traffic > Monitors page, and then click Create.
* Create a monitor using the following, and then click Finished.
    Name             custom_http_monitor
    Type             HTTP
    Interval         4
    Timeout          13
    Send String      GET /HealthCheck.html\r\n
    Receive String   SERVER_UP

TASK 3 – Assign the Custom Monitor to the Pool
Assign custom_http_monitor to http_pool.
* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* For Health Monitors, select custom_http_monitor, click <<, and then click Update.

TASK 4 – View the Network Map
View the status of virtual server, pool, pool members, and nodes using Network Map.
* Open the Local Traffic > Network Map page.
* Use the mouse to hover over the different pool members.
  Question: Why is the status of node 10.128.20.13 different from the other nodes? ___________________________________________________________________

TASK 5 – View the Effects of Using Monitors
Make changes to the Web site on the LAMP image, and then view how the changes affect the Network Map.
* Use an SSH client to connect to the LAMP_3.2 image at 10.128.1.252.
* Log in using the following credentials:
    Username: root
    Password: default
* Access and view the Web server components on 10.128.20.11:80 by typing:
    cd /var/www/server/1
    ls
  The HealthCheck.html Web page currently exists on pool member 10.128.20.11:80.
* To rename this Web page, type:
    mv HealthCheck.html NewHealthCheck.html
  This removes the HealthCheck.html Web page from pool member 10.128.20.11:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member.
  The virtual server and pool display available. Pool member 10.128.20.11:80 displays offline. These pool members display available:
    * 10.128.20.12:80
    * 10.128.20.13:80
    * 10.128.20.14:80
    * 10.128.20.15:80
  All the nodes display as available, except 10.128.20.13, which displays unknown.
* In the SSH session, to change the contents of the HealthCheck.html Web page on 10.128.20.12:80 using the visual editor, type:
    cd ..
    cd 2
    vi HealthCheck.html
  NOTE: You can use the Tab key to autocomplete the Web page name.
* Arrow down to the SERVER_UP paragraph, and then arrow over to the word UP.
* Type X to delete UP.
* To save and quit the visual editor, type:
    :wq
  The text string “SERVER_UP” will no longer be found in the HealthCheck.html Web page on pool member 10.128.20.12:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
  The virtual server and pool still display available. Pool members 10.128.20.11:80 and 10.128.20.12:80 display offline.
  These pool members display available:
  * 10.128.20.13:80
  * 10.128.20.14:80
  * 10.128.20.15:80
* In the SSH session, to delete the IP address from 10.128.20.14:80, type:
    ip addr del 10.128.20.14/24 dev eth2
  This removes the IP address from node 4. The BIG-IP VE system will not receive an ICMP response from the node.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member.
  Node 10.128.20.14 now displays offline, which causes pool member 10.128.20.14:80 to display offline.
* Open the http_pool pool, and then open the Members page.
  o Update the Connection Limit of 10.128.20.13:80 to a value of 100.
  o Update the Connection Limit of 10.128.20.15:80 to a value of 5.
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Big Text Page
  o In the Path field, enter /bigtext.php
  o Clear the Use KeepAlive checkbox.
* Select 10.128.10.20 Test, and then go to Run > Start.
* While the test runs, in the Configuration Utility continue to refresh the Network Map page.
  Eventually pool member 10.128.20.15:80 displays unavailable because it reaches the configured connection limit.
* Use a new Web browser to access http://10.128.10.20.
  The page will be slow to load, and there should only be page elements supplied by pool member 10.128.20.13:80.
* In the Configuration Utility, go to node 10.128.20.13, select Forced Offline, and then click Update.
* Open the Network Map page, and then click Update Map.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.
  Eventually you’ll receive a page error, as there will be no pool members left to fulfill the request.
* In JMeter, if the load test is still running, click the Stop button.
* Save the 10.128.10.20 Test, and then close JMeter.
* In the Configuration Utility, continue to click Update Map until pool member 10.128.20.15:80 is again available.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  You receive the Web page. All elements come from pool member 10.128.20.15:80.
* In the SSH session, to replace the text string in the HealthCheck.html Web page on 10.128.20.12:80:
  o Type:
      vi HealthCheck.html
  o Arrow to the location where you removed the text UP.
  o Type an “i” to enter insert mode.
  o Type UP.
  o Type the following commands:
      :wq
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  There are now page elements coming from both 10.128.20.12:80 and 10.128.20.15:80.
* In the Configuration Utility on the Network Map page, click Update Map.
  The virtual server and pool again display available. Pool members 10.128.20.11:80 and 10.128.20.14:80 display offline. Pool member 10.128.20.13:80 displays forced offline. Pool members 10.128.20.12:80 and 10.128.20.15:80 display available.

EXERCISE 5.3 – USING AN INBAND MONITOR

In this exercise you experiment with using a combination of passive monitoring and active monitoring.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create and Use an Inband Monitor
Create a custom inband monitor with a retry time of 0.
* Open the Local Traffic > Monitors page.
* Create a monitor using the following information, and then click Finished.
    Name: custom_inband_monitor
    Type: Inband
    Retry Time: 0 seconds

TASK 2 – Update the HTTP Monitor
Configure custom_http_monitor to use the Up Interval setting.
* On the Monitors page, click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For the Up Interval value, select Enabled, then type 60 seconds, and then click Update.
  With this configuration, LTM uses the up interval setting for the active monitor (60 seconds) as long as the inband monitor identifies the pool member as available.
  If the inband monitor identifies the pool member as suspect or offline, the regular interval is used for the active monitor (4 seconds).

TASK 3 – Update the HTTP Pool
Add custom_inband_monitor along with custom_http_monitor to http_pool.
* Open the Pool List page, and then click http_pool.
* From the Configuration list, select Advanced.
* Select custom_inband_monitor and click <<.
* From the Availability Requirement list box, select At Least, then type 1, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.
  There are now page elements provided by 10.128.20.11:80 and 10.128.20.12:80.
* In the Configuration Utility, open the Network Map page.
* Click 10.128.20.11:80 and examine the Availability and Health Monitors statuses.
* Notice the custom_http_monitor fails, while the custom_inband_monitor succeeds. Because we modified the availability requirement to 1 health monitor, the pool member is identified as available.

EXERCISE 5.4 – USING MANUAL RESUME

In this exercise you will modify the active HTTP monitor to use manual resume.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the HTTP Monitor
Modify custom_http_monitor to use manual resume. Also, remove custom_inband_monitor from http_pool.
* Open the Monitors page, and then click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For Up Interval, select Disabled.
* For Manual Resume, select Yes, and then click Update.
* Open the Pool List page, and then click http_pool.
* In the Active list, select custom_inband_monitor, and then click >>.
* From the Availability Requirement list box, select All, and then click Update.
* Wait 15 seconds, and then open the Network Map page.
  Pool member 10.128.20.11:80 again displays offline.

TASK 2 – Update the Pool Members
Replace the HealthCheck.html Web page on pool member 10.128.20.11:80.
* In the SSH session, to replace the HealthCheck.html Web page on 10.128.20.11:80, type:
    cd ..
    cd 1
    mv NewHealthCheck.html HealthCheck.html
* Close the SSH session.
* In the Configuration Utility, on the Network Map page, click Update Map.
* Hover over pool member 10.128.20.11:80.
  The pool member 10.128.20.11:80 displays as forced offline, waiting for manual resume.
* Click 10.128.20.11:80.
  When a monitor is set for manual resume, a BIG-IP system administrator must manually enable the pool member after the monitor is again identified as available.
* Select Enabled (All traffic allowed), and then click Update.
* Open the Network Map page.
  The pool member 10.128.20.11:80 is now available.

TASK 3 – Reset the Environment
To prepare for the next exercises, reset the environment, including restoring the Ubuntu image from the clean snapshot.
* Go to the 10.128.20.13 node.
* Change the State to Enabled, and then click Update.
* Open the Monitors page, and then click custom_http_monitor.
* For Manual Resume, select No, and then click Update.
* Create an archive file named 5.4_monitors_v11.4.1.1.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > LAMP_3.2_Clean.
* Click Yes to restore LAMP_3.2.

MODULE 6 EXERCISES – USING PROFILES

EXERCISE 6.1 – USING AN HTTP PROFILE

In this exercise you will create a custom HTTP profile and add it to the HTTP virtual server. You will then examine how the HTTP profile changes the traffic management behavior.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Custom HTTP Profile
Create a custom HTTP profile.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
* Create an HTTP profile using the following information, and then click Finished.
    Name: custom_http_profile
    Fallback Host: http://www.f5.com
    Fallback on Error Codes: 404 500-503
    Response Headers Allowed: Content-Type Set-Cookie Location
    Insert X-Forwarded-For: Enabled
    Maximum Requests: 50
  Notice the current inherited setting for Maximum Header Size is 32768 bytes.

TASK 2 – Modify the Default HTTP Profile
Make a couple of modifications to the BIG-IP system default http profile, and then examine which values were inherited by custom_http_profile.
* On the Profiles: Services: HTTP page, click http.
* Edit the profile using the following information, and then click Update.
    Maximum Header Size: 16384
    Maximum Requests: 30
* On the Profiles: Services: HTTP page, click custom_http_profile.
Questions:
  Did the custom profile inherit the maximum header size setting? ________________
  Did the custom profile inherit the maximum requests setting? _______________

TASK 3 – Add the Custom HTTP Profile to a Virtual Server
Add custom_http_profile to http_vs.
* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on This Host section, click the Request and Response Headers link.
* Leave this browser open.
* In the Configuration Utility, open the Virtual Server List page, and then click http_vs.
* In the Configuration section, from the HTTP Profile list box, select custom_http_profile.
* Click Update.
* Use a second Web browser to access http://10.128.10.20.
* Click the Request and Response Headers link.
* Using both Web browsers, examine the different Response Headers delivered to the Client sections.
Questions:
  Why are there fewer response headers in the second version of this Web page? _______________________________________________________________
  Which response headers that were exposed in the first version of this Web page could be exploited by a hacker? ________________________________________________________________
* Using both Web browsers, examine the different Request Headers Received at the Server section.
Question: On the second version, what is the X-Forwarded-For value? _________________________
* Close the first Web browser.
* In the second Web browser, change the URL to http://10.128.10.20/badpage.php.
Questions:
  What was the result of this request? ________________
  Why were you redirected to www.f5.com? ___________________________________
* Close the Web browser.

TASK 4 – Update the Custom HTTP Profile
Update custom_http_profile with additional settings.
* In the Configuration Utility, open the Local Traffic > Profiles > Services > HTTP page, and then click custom_http_profile.
* Edit the profile using the following information, and then click Update.
    Request Header Erase: User-Agent
    Request Header Insert: Bigip-Httpvs:10.128.20.10
    Response Headers Allowed: Content-Type Set-Cookie Location X-Injected
* Use a Web browser to access http://10.128.10.20, and then click Request and Response Headers.
Questions:
  Is the new Bigip-Httpvs request header displaying? ________________
  Are you still seeing the User-Agent header? __________________

EXERCISE 6.2 – USING A STREAM PROFILE

In this exercise you will create a custom stream profile that will replace a static text string for responses from the customer’s Web site.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – View a Current Web Page
View the text that needs to be replaced on the customer’s Web site.
* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on this Host section, click Stream Profile Example.
  This page has several references to the company’s previous name, Lorax Bank. Without going through the task of updating several pages across multiple Web servers, you’ll make this update on BIG-IP LTM using a stream profile.

TASK 2 – Create a Stream Profile
Create a custom stream profile that will find occurrences of the customer’s previous name and replace it with their updated company name.
* In the Configuration Utility, open the Local Traffic > Profiles > Other > Stream page, and then click Create.
* Create a stream profile using the following information, and then click Finished.
    Name: custom_stream
    Source: Lorax Bank
    Target: Lorax Investments

TASK 3 – Add the Custom Stream Profile to a Virtual Server
Add custom_stream to http_vs.
* Open the Virtual Server List page, and then click http_vs.
* From the Configuration list box, select Advanced.
* In the Configuration section, from the Stream Profile list box, select custom_stream.
* In the Acceleration section, from the HTTP Compression Profile list box, select httpcompression, and then click Update.
* Return to the F5 vLab Test Web page and refresh the Welcome to Lorax Bank page.
  The stream profile replaced all occurrences of the string “Lorax Bank” with “Lorax Investments”.
* Close the Web browser.
* Create an archive file named 6.2_profiles_v11.4.1.1.

MODULE 7 EXERCISES – PERFORMANCE PROFILES

EXERCISE 7.1 – USING COMPRESSION AND ACCELERATION

In this exercise you will use iMacros for Firefox to create a recording of a visit to the HTTP virtual server. You will then create several optimization profiles, including HTTP compression, caching, and TCP. You will create a similar HTTP pool and virtual server and add the profiles to the new virtual server. You’ll then record a similar visit to the Web site using iMacros for Firefox and identify improvements.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Install iMacros for Firefox
Install iMacros for Firefox.
* Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/.
* Download and install iMacros for Firefox.

TASK 2 – Record BIG-IP LTM Performance without Optimization
Clear the statistics, then update http_vs by removing the HTTP and stream profiles, and then record a visit to the HTTP virtual server using iMacros for Firefox.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Statistics > Module Statistics > Local Traffic page.
* Reset the virtual server, pool, and pool member statistics.
* Open the Virtual Server List page, and then click http_vs.
* From the HTTP Profile list box, select None.
* From the Stream list box, select None, and then click Update.
* Use a Mozilla Firefox browser to access http://10.128.10.20.
* Click I Understand the Risks, then click Add Exception, and then click Confirm Security Exception.
* If it’s not already displayed, enable the iMacros pane.
* In the iMacros pane, select the Rec tab, and then click Record.
* Record the following series of clicks:
  o Click Welcome, and then click the banner at the top of the page to return to the home page.
  o Click HTTP Compress Example, and then click the banner at the top of the page.
  o Click Stream Profile Example, and then click the banner at the top of the page.
  o Click Mask Sensitive Content Example, and then click the Back button.
  o Click Simple HTTP Request, and then click the Back button.
  o Click Request and Response Headers, and then click the banner at the top of the page.
* Click Stop.
* Use Ctrl+F5 five times to refresh the page.
* Select the Welcome link, and then click on the banner at the top of the page to return to the home page.
* Click the Welcome link.
* Use Ctrl+F5 five times to refresh the page.
* Click the banner at the top to return to the home page.
* HTTP Compress
* Multiple Stream Example.
* bigtext.txt.
* Change the U
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, select 10.128.10.20 Test.
* Change the Number of Threads (users) to 50.
* Change the Loop Count to 2.
* Go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 300, the test is complete.
Questions:
  What is the Total Throughput value? ___________________
  What is the Total KB/sec value? ____________________
  What is the Total Avg. Bytes value? ___________________
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression.
  There is no compression taking place.
* Click the Back button, and then click the View link for Web Acceleration.
  There is no caching taking place.

TASK 2 – Configure HTTP Compression and Fast Cache
Create a custom HTTP compression profile and a custom Web acceleration profile.
* Open the Acceleration > Profiles > HTTP Compression page.
* Create an HTTP Compression profile using the following information, and then click Finished.
    Name: custom_compression
    Parent Profile: wan-optimized-compression
    Content Compression: Content List…
    Content Type (Click Include after each entry): *.png *.jpg *.php
    Minimum Content Length: 10 bytes
    gzip Compression Level: 6 – Optimal Compression
    Browser Workarounds: Enabled
* Open the Acceleration > Profiles > Web Acceleration page.
* Create a Web Acceleration profile using the following information, and then click Finished.
    Name: custom_caching
    Parent Profile: optimized-acceleration
    Cache Size: 500 megabytes

TASK 3 – Configure TCP Express and Content Spooling
Enable TCP optimization between the client and BIG-IP LTM, and between BIG-IP LTM and the pool members.
* Open the Local Traffic > Profiles > Protocol > TCP page.
* Create a TCP profile using the following information, and then click Repeat.
    Name: custom_tcp_server_profile
    Parent Profile: tcp_lan_optimized
* Create another TCP profile using the following information, and then click Finished.
    Name: custom_tcp_client_profile
    Parent Profile: tcp_wan_optimized
    Delayed Acks: Disabled
    Proxy Buffer High: 196608
    Selective NACK: Enabled
    Nagle’s Algorithm: Disabled

TASK 4 – Configure OneConnect
Create a custom OneConnect profile.
* Open the Local Traffic > Profiles > Other > OneConnect page.
* Create a OneConnect profile using the following information, and then click Finished.
    Name: custom_oneconnect
    Source Mask: 255.255.0.0
    Maximum Size: 12000

TASK 5 – Create a Pool and Virtual Server
Create a new pool and virtual server to use with the new performance profiles.
* Create a pool using the following information, and then click Finished.
    Name: http_pool2
    Health Monitors: custom_http_monitor
    Load Balancing Method: Round Robin
    Members (Use the Node List option):
      Node            Service Port
      10.128.20.11    80
      10.128.20.12    80
      10.128.20.13    80
      10.128.20.14    80
      10.128.20.15    80
* Create a virtual server using the following, and then click Finished.
    Name: http_vs2
    Destination: 10.128.10.21
    Service Port: 80 (HTTP)
    Configuration: Advanced
    Protocol Profile (Client): custom_tcp_client_profile
    Protocol Profile (Server): custom_tcp_server_profile
    HTTP Profile: http
    Source Address Translation: Auto Map
    OneConnect Profile: custom_oneconnect
    HTTP Compression Profile: custom_compression
    Web Acceleration Profile: custom_caching
    Default Pool: http_pool2

TASK 6 – Record BIG-IP LTM Performance with Optimization
Record traffic statistics with BIG-IP LTM optimization configured.
* In JMeter, in the navigation panel, select HTTP Request Defaults.
* Change the Server Name or IP to 10.128.10.21.
* Select Summary Report, and then go to Run > Clear.
* Go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 300, the test is complete.
Questions:
  What is the Total Throughput value? ___________________
  What is the Total KB/sec value? ____________________
  What is the Total Avg. Bytes value? ___________________
* In the Configuration Utility, view the Virtual Servers statistics.
Questions:
  Was there a significant difference in the number of bits coming in or out of the virtual servers? _______________
  How many maximum connections were opened for http_vs? ______________________
  How many total connections were opened for http_vs? ________________________
  How many maximum connections were opened for http_vs2? ______________________
  How many total connections were opened for http_vs2? ________________________
* Reset the statistics for both virtual servers.
* View the Pools statistics.
Questions:
  Was there a significant difference in the number of bits coming in or out of the pools? _______________
  Did caching lower the number of packets out for http_pool2? _____________
  Did OneConnect lower the number of connections required for http_pool2? _____________
* Reset the statistics for both pools and all pool members.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression.
  Compression is now taking place for HTML content.
* Click the Back button, and then click the View link for Web Acceleration.
  There should now be many cache hits.
* Create an archive file named 7.1_performance_profiles_v11.4.1.1.

MODULE 8 EXERCISES – PERSISTENCE PROFILES

EXERCISE 1.8A – USING SOURCE ADDRESS PERSISTENCE

In this exercise you will create a source address persistence profile and examine how it changes the BIG-IP load balancing decision.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Update the HTTP Pool
Update the HTTP pool to use round robin load balancing.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Pool List page, and then select http_pool.
* Select the Members tab.
* Change the Load Balancing Method to Round Robin.
* Open a new Web browser and access http://10.128.10.20.
Question: Are requests coming from one or several pool members?
______________________

TASK 2 – Create a Source Address Persistence Profile
Create a custom source address persistence profile and add it to the HTTP virtual server.
* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Click Create.
* Create a persistence profile using the following information:
    Name: custom_source_addr
    Persistence Type: Source Address Affinity
    Timeout: 15 seconds
    Mask: Specify: 255.255.255.0
* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
Questions:
  Are requests coming from one or several pool members? ______________________
  Which pool member is supplying the content for this request? ____________________
* Wait at least 15 seconds and then use Ctrl+F5 to refresh the page again.
Questions:
  Was the same pool member used for this request? _______________
  If not, why not? _________________________________________________________
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
* Refresh the Statistics page.
* Continue to click Refresh and note the value in the Age column.
* Close the http://10.128.10.20 Web browser.

EXERCISE 1.8B – USING COOKIE PERSISTENCE

In this exercise you will create a custom cookie persistence profile, and then add it in place of the source address persistence profile.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Cookie Persistence Profile
Create a custom cookie persistence profile, and then add it in place of the source address persistence profile.
* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Create a persistence profile using the following information:
    Name: custom_cookie
    Persistence Type: Cookie
    Cookie Method: HTTP Cookie Insert
    Cookie Name: BIGIP_mycookie
    Expiration: Session Cookie (cleared) 8 hours
* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_cookie.
* Click Update.
Questions:
  Was the update successful? _______________
  If not, why not? _________________________________________________________
* Select the Properties tab.
* For HTTP Profile, select the default http profile.
* Repeat the steps above to update the persistence profile to custom_cookie.
* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.
* In the Content Examples on this Host section, select Display Cookie.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.
Question:
  Is there a persistence record for this session? _______________
  If not, why not? _________________________________________________________

EXERCISE 1.8C – VIEW PERSISTENCE WITH DISABLED AND OFFLINE POOL MEMBERS

In this exercise you will examine how persistence works with both disabled and offline pool members.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the Source Address Profile and the Virtual Server
Update the timeout value in the source address persistence profile, and then update the HTTP virtual server to use the source address persistence profile.
* Open the Local Traffic > Profiles > Persistence page.
* Select custom_source_addr.
* Update the Timeout to 60 seconds.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
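
The Python sketch below is an added illustration, not part of the F5 guide and not BIG-IP code. It models how the custom_source_addr profile (mask 255.255.255.0 with an idle timeout) picks a node, and it also covers the Match Across Virtual Servers option used in Exercise 1.8D. The class, the client addresses and the round robin starting points are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import cycle

# Node addresses from the lab pools; the client addresses used below are constructed.
NODES = ["10.128.20.11", "10.128.20.12", "10.128.20.13", "10.128.20.14", "10.128.20.15"]


@dataclass
class SourceAddrPersistence:
    """Simplified model of a source address affinity profile (an assumption, not F5 code)."""
    mask: str = "255.255.255.0"
    timeout: int = 15                      # seconds of inactivity before a record expires
    match_across_virtuals: bool = False
    records: dict = field(default_factory=dict)   # key -> [node, last_seen]

    def key(self, virtual, client_ip):
        # Apply the profile mask: every client in the same masked network shares one record.
        network = ipaddress.ip_network(f"{client_ip}/{self.mask}", strict=False)
        masked = str(network.network_address)
        # Without Match Across Virtual Servers each virtual server keeps its own record.
        return masked if self.match_across_virtuals else (virtual, masked)

    def pick(self, virtual, client_ip, now, load_balance):
        """Return the node for this request, creating or refreshing a persistence record."""
        k = self.key(virtual, client_ip)
        record = self.records.get(k)
        if record and now - record[1] < self.timeout:
            record[1] = now                # traffic resets the record's age
            return record[0]
        node = load_balance()              # no live record: fall back to load balancing
        self.records[k] = [node, now]
        return node


def replay(profile, requests):
    """requests: (second, virtual server, client IP). Returns the node chosen for each."""
    # Each pool keeps its own round robin position; http_vs2 starts from the other end
    # of the node list (constructed) so the two pools would otherwise disagree.
    rr = {"http_vs": cycle(NODES), "http_vs2": cycle(reversed(NODES))}
    return [profile.pick(vs, ip, t, lambda: next(rr[vs])) for t, vs, ip in requests]


# Constructed request sequence: two clients in one /24, two virtual servers, one long pause.
REQUESTS = [
    (0, "http_vs", "10.128.10.1"),
    (5, "http_vs", "10.128.10.77"),
    (10, "http_vs2", "10.128.10.1"),
    (40, "http_vs", "10.128.10.1"),
]

if __name__ == "__main__":
    for across in (False, True):
        profile = SourceAddrPersistence(match_across_virtuals=across)
        print(f"match across virtual servers={across}:", replay(profile, REQUESTS))
```

Both clients share one record because the mask reduces them to 10.128.10.0, and the request at second 40 is load balanced again because the 15-second record has aged out.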
TASK 2 – View Effects of Disabled and Offline Pool Members
Make a couple of modifications to the default http profile, and then examine which values were inherited by the custom HTTP profile.
* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.
Question: Which pool member are you currently persisting to? _______________
* In the Configuration Utility, disable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
Questions:
  Did you persist to the same pool member? _______________
  Can disabled pool members service client requests? ________________
* In the Configuration Utility, select Forced Offline for the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
Questions:
  Did you persist to the same pool member? _______________
  Can offline pool members service client requests? ________________
* In the Configuration Utility, re-enable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
Question: Did your persistence session go back to the original pool member? _______________
* Close the Web browser.

EXERCISE 1.8D – USING MATCH ACROSS VIRTUAL SERVERS

In this exercise you will use persistence with two virtual servers. It’s critical that users are persisted to the same pool member, regardless of which virtual server they access.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Clear Statistics and View Access to Two Virtuals
View how requests are currently being handled through both virtual servers.
* In the Configuration Utility, open the Virtual Server List page, and then select http_vs2.
* For Protocol Profile (Client), select tcp.
* For Protocol Profile (Server), select (Use Client Profile).
* For each of the following, select None.
  * HTTP Profile
  * OneConnect
* Click Update.
* Open the Statistics > Module Statistics > Local Traffic page.
* Ensure the statistics for both virtual servers and pools, and pool members have been reset.
* Open up a new Web browser and access https://10.128.10.20.
* Type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21.
* Type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.
Questions:
  Are requests for http_pool persisting to one pool member? _______________
  Are requests for http_pool2 persisting to one pool member? ________________
* Reset the statistics for both pools and all pool members.

TASK 2 – Enable Persistence for http_vs2
Add the source address persistence profile to the second HTTP virtual server.
* Open the Virtual Servers page, and then select http_vs2.
* Select the Resources tab.
* For Default Persistence Profile, select custom_source_addr.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.
Questions:
  Are requests for http_pool persisting to one pool member? _______________
  Are requests for http_pool2 persisting to one pool member? ________________
  Are requests for each different pool persisting to the SAME pool member? ___________
* Reset the statistics for both pools and pool members.

TASK 3 – Enable Match Across Virtual Servers
Update the source address persistence profile to use the Match Across Virtual Servers option.
* Open the Persistence profiles page, and then select custom_source_addr.
* Enable Match Across Virtual Servers.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.
Question: Are requests for each different pool persisting to the SAME pool member? ___________
* Reset the statistics for both pools and pool members.
* Create an archive file named 1.8_persistence_profiles_v11.4.0.1.

MODULE 9 EXERCISES – SSL TERMINATION

EXERCISE 1.9A – SUPPORTING SSL TRAFFIC

In this exercise you’ll set up the BIG-IP to support processing SSL traffic. First you’ll configure the BIG-IP to simply pass SSL traffic through to the pool members. Then you’ll configure the BIG-IP for SSL termination.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Create a Self-Signed Certificate
Create a self-signed certificate for www.f5demo.com.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the System > File Management > SSL Certificate List page.
* Click Create.
* Create a self-signed certificate using the following information:
    Name: custom_ssl_cert
    Type: Self
    Common Name: www.f5demo.com
    Lifetime: 3650 days
    Key Type: RSA
    Size: 2048 bits
  Fill in the remaining fields however you like.
* Click Finished.

TASK 2 – Create a Client SSL Profile
Create a client SSL profile using the self-signed certificate.
* Open the Local Traffic > Profiles > SSL > Client page.
* Click Create.
* Create a client SSL profile using the following information:
    Name: custom_client_ssl
    Certificate: custom_ssl_cert
    Key: custom_ssl_cert
* Click Finished.

TASK 3 – Create a Custom HTTPS Monitor
Create a custom HTTPS monitor that requests the index.php Web page from the pool member and then verifies that a text string is returned in the response.
* Open the Local Traffic > Monitors page.
* Create a monitor using the following:
    Name: custom_https_monitor
    Type: HTTPS
    Send String: GET /index.php\r\n
    Receive String: FSE vLab Test Web Site
* Click Finished.
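
The Python sketch below is an added illustration, not part of the F5 guide and not BIG-IP code. It models the send string and receive string check used by custom_https_monitor above and by custom_http_monitor in Exercise 5.2, and replays the rename-and-restore steps of Exercises 5.2 and 5.4 with Interval 4, Timeout 13, Manual Resume and the Availability Requirement. The class and function names, page bodies and timings are constructed, and the state logic is a simplified assumption about monitor behaviour.

```python
from dataclasses import dataclass


@dataclass
class HttpMonitor:
    """Simplified model of an HTTP/HTTPS monitor (an assumption, not F5 code)."""
    send: str
    recv: str
    interval: int = 4          # seconds between probes
    timeout: int = 13          # seconds without a good probe before the member goes offline
    manual_resume: bool = False

    def probe(self, docroot):
        """Send the request to a constructed stand-in for a pool member.

        docroot maps path -> page body; None means the member does not answer at all.
        """
        if docroot is None:
            return False
        path = self.send.split()[1]
        body = docroot.get(path, "404 Not Found")
        return self.recv in body           # success only if the receive string is present


def timeline(monitor, docroots, duration, enabled_at=None):
    """Replay the lab second by second and return the [(second, state)] transitions.

    docroots maps a probe second to the member's content at that moment. The member is
    assumed to be available at second 0. enabled_at is when an operator re-enables it.
    """
    state, last_ok, held, changes = "available", 0, False, []
    for t in range(duration + 1):
        if t % monitor.interval == 0 and monitor.probe(docroots[t]):
            last_ok = t
        if t - last_ok >= monitor.timeout:
            new_state = "offline"
            held = monitor.manual_resume   # a manual-resume monitor latches the failure
        else:
            if t == enabled_at:
                held = False
            new_state = "offline, waiting for manual resume" if held else "available"
        if new_state != state:
            changes.append((t, new_state))
            state = new_state
    return changes


def member_available(results, at_least=None):
    """Availability Requirement: at_least=None is 'All', otherwise 'At Least' n monitors."""
    needed = len(results) if at_least is None else at_least
    return sum(results.values()) >= needed


# Constructed content: the page is healthy, is renamed away before the probe at
# second 4, and is restored before the probe at second 20.
GOOD = {"/HealthCheck.html": "<p>SERVER_UP</p>"}
RENAMED = {"/NewHealthCheck.html": "<p>SERVER_UP</p>"}
DOCROOTS = {t: (RENAMED if 4 <= t < 18 else GOOD) for t in range(0, 33, 4)}

if __name__ == "__main__":
    http = HttpMonitor("GET /HealthCheck.html\r\n", "SERVER_UP")
    latched = HttpMonitor("GET /HealthCheck.html\r\n", "SERVER_UP", manual_resume=True)
    print("automatic resume:", timeline(http, DOCROOTS, 32))
    print("manual resume:   ", timeline(latched, DOCROOTS, 32, enabled_at=30))
    print("At Least 1:", member_available(
        {"custom_http_monitor": False, "custom_inband_monitor": True}, at_least=1))
```

The member goes offline 13 seconds after its last good probe, which is why the exercises wait 15 seconds before clicking Update Map.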
TASK 4 – Create an HTTPS Pool and Virtual Server
Create a pool and a virtual server to support SSL traffic, and then test access using a Web browser.
* Open the Pool List page.
* Create a pool using the following:
    Name: https_pool
    Health Monitors: custom_https_monitor
    Load Balancing Method: Round Robin
    Members (Use the Node List option):
      Node            Service Port
      10.128.20.11    443
      10.128.20.12    443
      10.128.20.13    443
      10.128.20.14    443
      10.128.20.15    443
* Click Finished.
* Open the Virtual Server List page.
* Create a virtual server using the following:
    Name: https_vs
    Destination: Host: 10.128.10.20
    Service Port: 443 (or HTTPS)
    Default Pool: https_pool
* Click Finished.
* Open a new Web browser and access https://10.128.10.20.
* View the URI and the information in the Pool member address/port.
Questions:
  Is the connection between the client and BIG-IP LTM secured? _____________
  Is the connection between BIG-IP LTM and the pool member secured? _____________
* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page.
  Each request is load balanced to different pool members.
* Close the Web browser.

TASK 5 – Add Cookie Persistence to the HTTPS Virtual Server
Attempt to add cookie persistence to the HTTPS virtual server and then verify the results.
* In the Configuration Utility, open the Virtual Server List page, and then select https_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Select the Resources tab.
* For Default Persistence Profile, select custom_cookie.
* Click Update.
* Open a new Web browser and access https://10.128.10.20.
Questions:
  Did the Web page display? _____________
  If not, why not? _______________________________________________________

TASK 6 – Enable SSL Termination with the HTTPS Virtual Server
Enable SSL termination on the HTTPS virtual server, and then verify the results.
* In the Configuration Utility, on the https_vs page, open the Properties page.
- For SSL Profile (Client), move custom_client_ssl from the Available list to the Selected list.
- For SSL Profile (Server), move serverssl from the Available list to the Selected list.
- Click Update.
- Refresh the https://10.128.10.20 Web browser.
- Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page.
- Update the URI to https://10.128.10.20/badpage.exe.

Questions:
Did the Web page display? _____________
Is the connection between the client and BIG-IP LTM secured? _____________
Is the connection between BIG-IP LTM and the pool member secured? _____________
Is cookie persistence working? _____________
Is BIG-IP LTM processing the HTTP profile? _____________

- Edit the URI to https://10.128.10.20.
- Right-click and select Properties.
- Click Certificates.

Question: How can you identify that this is a self-signed certificate? _________________________

- Close the Web browser.

EXERCISE 1.9B – ENABLING SSL OFFLOAD

In this exercise you will update the HTTPS virtual server to perform SSL offload, sending unencrypted traffic to the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Import an SSL Certificate and Key

Import the lamp.f5demo.com certificate and key.

- In the Configuration Utility, open the System > File Management > SSL Certificate List page.
- Click Import.
- From the Import Type list, select Certificate.
- In the Certificate Name box, leave Create New selected and type lamp.
- Click the Browse button.
- Navigate to the Exercise_Files folder and select the lamp.f5demo.com.cer file, and then click Open.
- Click Import.
- Once the certificate has been imported, click Import again to import the corresponding key.
- From the Import Type list, select Key.
- In the Key Name box, leave Create New selected and type lamp.
- Click the Browse button.
- Navigate to the Exercise_Files folder and select the lamp.f5demo.com.key file, and then click Open.
- Click Import.
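One way to confirm from the BIG-IP side which legs of a connection are encrypted, both for the SSL termination setup in Exercise 1.9A and for the offload virtual server built in this exercise. This iRule is an added example, not part of the F5 guide; the name tls_leg_audit is hypothetical, and it assumes the virtual server has an HTTP profile assigned (needed for the HTTP_RESPONSE event).

```tcl
# tls_leg_audit (hypothetical name): added example, not from the F5 guide.
# Assumes an HTTP profile on the virtual server. Attach it to https_vs or
# offload_vs and watch /var/log/ltm.

when CLIENT_ACCEPTED {
    # A leg is recorded as encrypted only when its handshake event fires,
    # so both start out as "none".
    set client_leg "none"
    set server_leg "none"
}

when CLIENTSSL_HANDSHAKE {
    # Fires only when a client SSL profile is assigned to the virtual server.
    set client_leg "[SSL::cipher version] [SSL::cipher name] [SSL::cipher bits]-bit"
    if { [SSL::cipher bits] < 128 } {
        log local0.warning "Weak client-side cipher from [IP::client_addr]: $client_leg"
    }
}

when SERVERSSL_HANDSHAKE {
    # Fires only when a server SSL profile is assigned, that is, when the
    # BIG-IP re-encrypts traffic toward the pool member.
    set server_leg "[SSL::cipher version] [SSL::cipher name] [SSL::cipher bits]-bit"
}

when HTTP_RESPONSE {
    # One line per response: which TLS parameters protected each leg.
    log local0. "[virtual name]: client [IP::client_addr] leg=$client_leg; member [IP::server_addr]:[TCP::server_port] leg=$server_leg"
}
```

On a virtual server with only a client SSL profile, the server leg stays "none" in every log line, which is the offload case: traffic between the BIG-IP and the pool member crosses the internal network unencrypted.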
TASK 2 – Create a Client SSL Profile

Create a new custom client SSL profile using the lamp.f5demo.com certificate and key.

- Open the Local Traffic > Profiles > SSL > Client page.
- Create a client SSL profile using the following information:

    Name          lamp_client_ssl
    Certificate   lamp
    Key           lamp

- Click Finished.

TASK 3 – Update Your Local Hosts File

Add an entry to your local hosts file for lamp.f5demo.com.

- Open Notepad, selecting Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
- Open the C:\Windows\System32\drivers\etc\hosts file.
- Add an entry for:

    10.128.10.30 lamp.f5demo.com

- Save and close the hosts file.

TASK 4 – Create an Offload Virtual Server

Create a new virtual server that will perform SSL offload.

- Open the Virtual Server List page.
- Create a virtual server using the following:

    Name                          offload_vs
    Destination                   Host: 10.128.10.30
    Service Port                  443 (or HTTPS)
    Configuration                 Advanced
    HTTP Profile                  custom_http_profile
    Stream Profile                custom_stream
    SSL Profile (Client)          lamp_client_ssl
    HTTP Compression Profile      custom_compression
    Default Pool                  http_pool
    Default Persistence Profile   custom_cookie

- Click Finished.
- Open a new Web browser and access https://lamp.f5demo.com.
- View the URI and the information in the Pool member address/port.

Questions:
Is the connection between the client and BIG-IP LTM secured? _____________
Is the connection between BIG-IP LTM and the pool member secured? _____________
Is cookie persistence working? _____________

- Select the Request and Response Headers link.

Question: Is the BIG-IP processing the HTTP profile? _____________

- Click the Back button, and then select the Stream Profile Example link.

Question: Is the BIG-IP processing the stream profile? _____________

TASK 5 – Verify the New Certificate

Test the new certificate being used by the offload virtual server.

- Right-click the page and select Properties.
- Click Certificates.

Question: Who issued this certificate?
_____________________________ When does it expire? _________________________________

- Close the Web browser.
- In the Configuration Utility, create an archive file named 1.9_ssl_termination_v11.4.0.1.

MODULE 10 EXERCISES – NATS AND SNATS

EXERCISE 1.10A – USING A NAT

In this exercise you will configure a NAT to pass traffic between an external device and a specific internal node.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Configure a NAT

Create a custom NAT to give external users access to a specific node in the 10.128.20.0 network.

- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the Local Traffic > Address Translation > NAT List page.
- Click Create.
- Create a NAT using the following:

    Name             custom_NAT
    NAT Address      10.128.10.200
    Origin Address   10.128.20.13
    State            Enabled

- Click Finished.

TASK 2 – Testing the NAT – Inbound

Test the NAT by opening the new NAT address using several application services.

- Open a new Web browser and access http://10.128.10.200. Note that all items are coming from pool member #3 (10.128.20.13).
- Edit the URL to https://10.128.10.200.
- Using Putty, open an SSH session to 10.128.10.200.
  NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.

Note that you can connect to multiple services through the NAT and that you are always connected to 10.128.20.13.

- Close the Web browser and the Putty window.

TASK 3 – Disable the NAT

Disable the NAT to ensure that it won’t interfere with future exercises.

- In the Configuration Utility on the NAT List page, select custom_NAT.
- From the State list, select Disabled.
- Click Update.
- Confirm that the NAT is no longer available by opening a new Web browser and attempting to access http://10.128.10.200.

EXERCISE 1.10B – USING SNATS

In this exercise you will configure a SNAT to pass traffic between an external device and internal nodes.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 25 minutes

TASK 1 – Testing Behavior without a SNAT

Open the HTTP virtual server and examine what the back-end Web server sees as the client IP address.

- Open a new Web browser and access http://10.128.10.20.
- View the information in the Request Details section.

Questions:
What is the client IP address? __________________________
What device “owns” this IP address? _________________________________

TASK 2 – Using SNAT Auto Map with the HTTP Virtual Server

Update the HTTP virtual server by enabling SNAT Auto Map.

- In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
- In the Configuration section, from the Source Address Translation list, select Auto Map.
- Click Update.
- Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.

Questions:
What is the client IP Address? __________________________
What device “owns” this IP address? ________________________
When using SNAT, how can we ensure that the back-end Web server can identify the true client IP address? _________________________________________________________________________

- In the Configuration Utility, update http_vs by selecting custom_http_profile.
- In the http://10.128.10.20 Web page, select the Request and Response Headers link.

Question: What is the X-Forwarded-For value? _________________________

- Close the Web browser.

TASK 3 – Create a SNAT

Create a custom SNAT to give external users in the 10.128.10.0 network access to several nodes in the 10.128.20.0 network.

- In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
- Click Create.
- Create a SNAT using the following:

    Name           custom_SNAT
    Translation    IP Address: 10.128.20.201
    Origin         Address List
    Address List   Network  Address: 10.128.10.0  Mask: 255.255.255.0 (be sure to click Add)

- Click Finished.
- Open a new Web browser and access http://10.128.10.20.
- Update the URI to http://10.128.10.21.
- Update the URI to https://10.128.10.20.
- Close the Web browser.

Questions:
Did every connection use the new SNAT? __________________
If not, which one didn’t? __________________________________________________

- Update the http_vs by selecting None for Source Address Translation.
- Update the http_vs2 by selecting None for Source Address Translation.
- Open a new Web browser and access http://10.128.10.20.
- Edit the URI to http://10.128.10.21.
- Close the Web browser.

TASK 4 – Create a SNAT Pool

Create a SNAT pool and then use the SNAT pool with a virtual server.

- In the Configuration Utility, open the Local Traffic > Address Translation > SNAT Pool List page.
- Click Create.
- Create a SNAT pool using the following:

    Name          custom_SNAT_pool
    Member List   10.128.20.222
                  10.128.20.223
                  10.128.20.224
                  (be sure to click Add)

- Click Finished.
- Open the Virtual Server List page, and then select http_vs2.
- For Source Address Translation, select SNAT.
- For SNAT Pool, select custom_SNAT_pool.
- Click Update.
- Open a new Web browser and access http://10.128.10.21.

Question: Which IP address was used for the SNAT address? _____________________________

- Close the Web browser.

TASK 5 – Creating a SNAT for Internal Users

Create a SNAT to give internal users access to external resources through BIG-IP LTM.

- In the VMware Workstation console, select the LAMP image and click Login.
- Open Firefox and attempt to access http://www.yahoo.com.
  NOTE: The request should fail. If your request is successful, it’s likely because you enabled Network Adapter 4 for the Ubuntu image in VMware Workstation.
- In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
- Create a SNAT using the following:

    Name           internal_SNAT
    Translation    IP Address: 10.128.1.100
    Origin         Address List
    Address List   Network  Address: 10.128.20.0  Mask: 255.255.255.0 (be sure to click Add)

- Click Finished.
- In the LAMP VMware image, refresh the http://www.yahoo.com Web page.
- In the Configuration Utility, create an archive file named 1.10_nat_snat_v11.4.0.1.

TASK 6 – Delete the SNATs

Delete both SNATs as they aren’t needed for the remaining exercises.

- In the Configuration Utility, on the SNAT List page, select the checkbox for both custom_SNAT and internal_SNAT, and then click Delete twice.

MODULE 10 EXERCISES – IRULES

EXERCISE 1.11A – WRITING YOUR FIRST IRULE

In this exercise you’ll download and install the iRule Editor from DevCentral. You’ll then use the iRule Editor to connect to your BIG-IP and write your first iRule. You’ll then download an iRule from DevCentral and use the iRule as is.

* Estimated completion time: 25 minutes

TASK 1 – Download the iRule Editor

Access and log in to DevCentral, and then download the iRule Editor. You do not need to perform this task if you already have the iRule Editor installed on your workstation.

- Open a new Web browser and access http://devcentral.f5.com.
- Login using your DevCentral user account, or create a DevCentral user account.
- On the left navigation menu select iRules.
- On the left navigation menu select iRule Editor.
- Download and install the iRulerSetup.msi file.

TASK 2 – Open the iRule Editor

Open the iRule Editor and explore the application.

- From your Start menu, launch the F5 iRule Editor.
- Click the iRules Reference button. This opens the iRules Wiki Home page on DevCentral.
- Close the Web browser.
- Click the TCL Reference button. This opens the TCL command reference page.
- Click the set link. We’ll be covering the set command shortly.
- Close the Web browser.

TASK 3 – Use the iRule Editor to Connect to Your BIG-IP

Use the iRule Editor to connect to the external self IP address of your BIG-IP system.

- In the iRule Editor, select File > Connect.
- In the Hostname box type 10.128.10.240.
- In the Username and Password boxes enter the username and password you created in Exercise 1.1C.
- Click OK.

Questions:
Did you successfully connect?
________________
Which port is being used to connect to the BIG-IP system? __________________

- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the Network > Self IPs page, and then select external_selfIP.
- Add the required port to the Custom List, and then click Update.
- In the iRule Editor, attempt to connect again using the same username and password.

TASK 4 – Create Your First iRule

Create a basic iRule to log information when a client connection is accepted by the BIG-IP.

- In the left navigation menu of the iRules Editor, select Local Traffic.
- Select File > New.
- Name the new iRule exercise_iRule.
- Select the Custom tab.
- Select the CLIENT_ACCEPTED event, and then click OK.
- Edit the text inside of the double-quotes to: "Client connection accepted"
- Select the View menu. By default, the iRule Editor displays several annotations to help you write iRules.
- Select both Whitespace and End of Line.
- Click Save. This will check the syntax of the iRule. You’ll get a notification at the bottom of the iRules Editor of any syntax errors.
- In the Configuration Utility, open the Local Traffic > iRules > iRules List page. The iRule was saved on the BIG-IP.
- Select exercise_iRule. Note how different it is viewing and editing an iRule in the Configuration Utility versus the iRule Editor.

TASK 5 – Add the iRule to the HTTP Virtual Server

Add the new iRule to the existing HTTP virtual server, and then verify the iRule.

- Open the Virtual Server List page, and then select http_vs.
- Ensure that the HTTP Profile is set to http. Click Update if necessary.
- Open the Resources page.
- For Default Persistence Profile, select None.
- Click Update.
  NOTE: We are removing persistence in order to use iRules for all BIG-IP LTM load balancing decisions.
- In the iRule section, click Manage.
- Move the exercise_iRule from the Available list to the Enabled list.
- Click Finished.
- Open Putty, and then access and log in to 10.128.10.240.
  NOTE: For easier viewing of log entries, we recommend resizing the Putty window, making it bigger both horizontally and vertically.
- At the CLI prompt, type:

    tail -f /var/log/ltm

- Type the Enter key a few times to move the existing log entries to the top of the window.
- Open up a new Web browser and access http://10.128.10.20.
- View the Putty window.

Questions:
Was the iRule triggered? _______________
How many client connections were required for this request? _________________

TASK 6 – Save the Current iRule to your Offline iRules

Create a new iRule, then copy your current iRule to the new iRule, and then copy the new iRule to your offline iRules.

- In the iRule Editor, select Local Traffic, and then select File > New.
- Name the new iRule exercise1A_iRule, use the Blank template, and then click OK.
- Copy the code from exercise_iRule and paste into exercise1A_iRule.
- Save exercise1A_iRule.
- Right-click exercise1A_iRule and select Copy Offline. The new iRule is saved under Offline iRules, which is stored on your local workstation. This will enable you to use this iRule on any BIG-IP that you can connect to.
  NOTE: In the iRules exercises, we will continue to make modifications to the exercise_iRule, and then save the iRule from each exercise to your Offline iRules. This will enable us to continue to make updates to the iRule without needing to update the virtual server.

TASK 7 – Using an iRule from DevCentral

Use an iRule from DevCentral to prevent valid credit card numbers from being returned to users.

- Open a new Web browser and access http://10.128.10.20.
- Select the Mask Sensitive Content Example link. This page contains confidential information that we’d like to prevent from being sent in an HTTP response.
- In the iRule Editor, use the iRules Reference button to access DevCentral.
- On the left navigation menu, select CodeShare.
- Find an iRule that scrubs out credit cards from HTTP traffic. (NOTE: Don’t use the iRule that uses a stream profile.)
- In the iRules Source section, click on the view source button.
- Select and copy all of the iRules code.
- In the iRule Editor, for exercise_iRule, delete the existing code, and then paste the contents of the credit card scrubber.
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/privatedata.html Web page.
- Close the Web browser.

FOR EXTRA CREDIT

- Update the iRule to change the character used for scrubbing from “X” to “*”.
- Test by refreshing the credit card accounts page.

TASK 8 – Save the Current iRule to your Offline iRules

- In the iRule Editor, select Local Traffic, and then select File > New.
- Name the new iRule exercise1B_iRule, use the Blank template, and then click OK.
- Copy the code from exercise_iRule and paste into exercise1B_iRule.
- Save exercise1B_iRule.
- Right-click exercise1B_iRule and select Copy Offline.

EXERCISE 1.11B – USING IRULE EVENTS

In this exercise you will experiment with some of the events that you can use to trigger an iRule.

* Estimated completion time: 20 minutes

TASK 1 – Update the iRule with Multiple Events

Update the exercise_iRule by adding several events.

- In the iRule Editor, select exercise1A_iRule and copy all of the code.
- Select exercise_iRule and delete all of the existing code, and then paste the copied text.
- Place the cursor at the beginning of line 1, and then type Enter a couple of times.
- At the beginning of line 1 start typing the word when.
- When the iRule Editor prompts for the word, type the Enter key to accept the full word when.
- After when, start typing RULE_ and then hit Enter to accept the RULE_INIT event.
- After RULE_INIT, type a {, then type the Enter key twice, and then type a }. This is a good method for ensuring that you have a closing curly brace for every opening curly brace.
- Move your cursor after the indent in line 2.
- Type the following command and arguments:

    log local0. "iRule created or updated"
- In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
  NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.
- In the iRule Editor, save the exercise_iRule, and then view the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- Open a new Web browser and access http://10.128.10.20.
- View the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the CLIENT_ACCEPTED event:
- Save the iRule.
- In the http://10.128.10.20 Web page select the Welcome link.
- View the Putty window.

Question: How many HTTP requests are needed to build this Web page? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the HTTP_REQUEST event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- View the Putty window.

Question: Was a different pool member selected for each HTTP request? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the LB_SELECTED event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the SERVER_CONNECTED event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- View the Putty window.

TASK 2 – Enable Caching and Compression on the HTTP Virtual Server

Enable caching, compression, and OneConnect on the HTTP virtual server, and then examine the difference in the iRule results.

- In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
- Configure the following:
    - HTTP Profile: custom_http_profile
    - OneConnect Profile: custom_oneconnect
    - HTTP Compression Profile: custom_compression
    - Web Acceleration Profile: custom_caching
- Click Update.
- In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- In Putty, type the Enter key five times.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- Close the Web browser.
- View the Putty window.

Question: How did these profiles change the results of the iRule triggering? _______________________________________________________________________

- In the Configuration Utility, on the http_vs Properties page, configure the following:
    - HTTP Profile: http
    - OneConnect Profile: None
    - HTTP Compression Profile: None
    - Web Acceleration Profile: None
- Click Update.
  NOTE: We are removing these profiles to ensure that BIG-IP LTM makes load balancing decisions for each request and doesn’t serve up content from its cache.

TASK 3 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise2_iRule using the Blank template.
- Copy the code from exercise_iRule and paste into exercise2_iRule.
- Save exercise2_iRule.
- Right-click exercise2_iRule and select Copy Offline.

EXERCISE 1.11C – USING VARIABLES

In this exercise you will set variables in an iRule, and then reference and manipulate the variables.

* Estimated completion time: 20 minutes

TASK 1 – Set Variables in an iRule

Update the exercise_iRule by setting several variables.

- In the iRule Editor, select exercise_iRule.
- Delete all of the existing events EXCEPT for the HTTP_REQUEST event.
- In the line directly after the when HTTP_REQUEST line, type:

    set name "Chris" (use your own first name)
    set last_name "Manly" (use your own last name)
    set price 9.95
    set quantity 5

TASK 2 – Reference Variables in an iRule

Update the exercise_iRule by referencing the variables you set in the previous task.

- Edit the log local0. message to:

    log local0. "$name $last_name made an HTTP request"

- Save the iRule.
- In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
  NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.
- Open a new Web browser and access http://10.128.10.20/httprequest.php.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, create a second log entry:

    log local0. "Order made for $quantity items at $$price each"

  NOTE: Be sure to include two dollar signs before “price”.
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window. Note that the iRule was able to identify that $price was referencing a variable, and the dollar sign before that was interpreted as a regular text string.
- Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 3 – Manipulating Variables

Update the exercise_iRule by using the append, incr, and expr commands.

- In the iRule Editor, in the line after setting your last name, type:

    append name " " (there should be one space between the quotes)
    append name $last_name

- Edit the first log local0. message to: "$name made an HTTP request"
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, in the line after the final log local0. statement, type:

    incr quantity 2
    log local0. "Due to our special, $name will receive $quantity items"

- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, in the line after setting the quantity, type:

    set total [expr { $price * $quantity } ]
    set tax [expr { $total * .09 } ]
    set grand_total [expr { $total + $tax } ]

- In the line after the final log local0. statement, type:

    log local0. "Total: $$total, tax: $$tax, for a grand total of $$grand_total"

- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.

TASK 4 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise3_iRule using the Blank template.
- Copy the code from exercise_iRule and paste into exercise3_iRule.
- Save exercise3_iRule and then copy it to your Offline iRules.

EXERCISE 1.11D – USING TCL AND IRULES COMMANDS

In this exercise you will use several TCL and iRules commands to base your existing iRules on dynamic connection information.

* Estimated completion time: 30 minutes

TASK 1 – Update the iRule using iRules Commands

Update the iRule you created in exercise 2 by logging information based on the actual client connection.

- In the iRule Editor, select exercise2_iRule and copy all of the iRule code.
- Replace all of the previous code in exercise_iRule with the copied text.
- Update the CLIENT_ACCEPTED event as follows:
- Update the LB_SELECTED event as follows:
- Update the SERVER_CONNECTED event as follows:
- Update the HTTP_RESPONSE event as follows:
- Save the iRule and ensure you don’t receive any syntax errors.
- Open a new Web browser and access http://10.128.10.20/httprequest.php.
- View the Putty window.
In the next section we will be discussing using conditional statements. Start thinking about the traffic management decisions you could make on the BIG-IP system using any of the information that you sent to the log file.

- Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 2 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise4A_iRule.
- Copy the code from exercise_iRule and paste into exercise4A_iRule.
- Save exercise4A_iRule, and then copy it to your Offline iRules.

TASK 3 – Update the iRule using HTTP Commands

Experiment with the different HTTP commands that are available in an iRule.

- Select exercise_iRule.
- Delete all of the existing events EXCEPT for the when HTTP_REQUEST event.
- Update the HTTP_REQUEST event as follows:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
- Edit the URI to http://10.128.10.20/httprequest.php?user=bob.

Question: Which value changed between the two requests? _________________________________

- Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 4 – Create a Custom Response Page

Using the iRule, create a custom HTTP response page to be sent for all client requests.

- In the iRules Editor, select exercise_iRule.
- After the HTTP_REQUEST event add the following HTTP_RESPONSE event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php?user=bob Web page.

Question: Did you receive the custom Webpage? ___________________

In the next lesson we’ll cover using conditional statements. Be thinking about what information you could use to determine whether or not to display this error page for user requests.

TASK 5 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise4B_iRule.
- Copy the code from exercise_iRule and paste into exercise4B_iRule.
- Save exercise4B_iRule, and then copy it to your Offline iRules.

TASK 6 – Use the Stream Command

In Exercise 1.6B you used a Stream profile in the Configuration Utility. As you learned, one of the limitations of the Stream profile is that you can only find one text string to replace with another. You will now use the stream command in an iRule to find multiple text strings and replace them with different values.

- In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
- Configure the following:
    - Stream Profile: stream
    - HTTP Compression Profile: custom_compression
- Click Update.
  NOTE: Even when you use the stream command in an iRule, you still need to include the default Stream profile, and in addition you need to ensure that the Web servers aren’t compressing content (which is achieved by using an HTTP compression profile).
- In the iRules Editor, select exercise_iRule.
- Delete all of the lines contained within the HTTP_RESPONSE event (but leave the event itself).
- Save the iRule.
- Open a new Web browser and access http://10.128.10.20/lorax.php. There are references to “Lorax Bank”, “Lorax Finances”, and “savings accounts”.
- In the iRule Editor, update the HTTP_RESPONSE event as follows:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. The references to “Lorax Bank” have been replaced with “Lorax Investments”.
- Update the STREAM::expression as follows:

    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@}

  NOTE: Type all of the previous expression on one line.
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. All references to the previous entries have been replaced with the updated entries.
- Click on the top graphic to go back to the home page.
- From the http://10.128.10.20 page, select the Multiple Stream Example link.
  NOTE: The graphics in the second column on this page are “broken” links.
- Right-click on the page and select View Source.

Question: What are the URLs that the broken image links are pointing to? ____________________________________________________________________

- Close the source code page.
- Update the STREAM::expression as follows:

    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@ @http://server1.hostingsite.com/images@/images@}

- Save the updated iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/badlinks.html Web page.

Question: Why did the first two pictures display properly, but the third picture still doesn’t display? _________________________________________________________________

- Update the stream expression so that all three graphics display on the page.

TASK 7 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise4C_iRule.
- Copy the code from exercise_iRule and paste into exercise4C_iRule.
- Save exercise4C_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11E – USING CONDITIONAL STATEMENTS

In this exercise you will add conditional statements to your iRules, using both if, elseif, else statements, in addition to use the stream command access.

* Estimated completion time: 40 minutes

TASK 1 – Update the Custom Error Page iRule

Update the iRule you created earlier that displays a custom error page by using a conditional statement to determine the HTTP response status and displaying the error page only when the user receives a 404 error.

- In the iRule Editor, select exercise4B_iRule and copy all of the iRule code.
- Replace all of the previous code in exercise_iRule with the copied text.
- Update the HTTP_RESPONSE event as follows:
  NOTE: The indenting within the if command isn’t required; however it can make the iRule easier to read.
- Save the iRule and ensure you don’t receive any syntax errors.
- Open a new Web browser and access http://10.128.20.10.
- Edit the URI to http://10.128.20.10/index.html.
- Close the Web browser.

Because this Web server doesn’t have an index.html file, it responded with a 404 error status. Instead of simply passing the 404 error to the client, we can present them with more useful information in the custom Web page.

TASK 2 – Create Three Wildcard Pools

In the next several iRule examples we’ll be making traffic management decisions. Create three pools to use within these iRules.

- In the Configuration Utility, open the Pool List page.
- Create a pool using the following:

    Name                    iRules_pool1
    Health Monitors         gateway_icmp
    Load Balancing Method   Round Robin
    Members                 (Use the Node List option)
        Node            Service Port
        10.128.20.11    * (All Services)

- Create another pool using the following:

    Name                    iRules_pool2
    Health Monitors         gateway_icmp
    Load Balancing Method   Round Robin
    Members                 (Use the Node List option)
        Node            Service Port
        10.128.20.12    * (All Services)

- Create another pool using the following:

    Name                    iRules_pool3
    Health Monitors         gateway_icmp
    Load Balancing Method   Round Robin
    Members                 (Use the Node List option)
        Node            Service Port
        10.128.20.13    * (All Services)

- Create another pool using the following:

    Name                    iRules_pool4
    Health Monitors         gateway_icmp
    Load Balancing Method   Round Robin
    Members                 (Use the Node List option)
        Node            Service Port
        10.128.20.14    * (All Services)

TASK 3 – Use an iRule for Traffic Management Decisions

Use the iRule to make traffic management decisions based on the requested file type.

- In the iRule Editor, update the HTTP_REQUEST event as follows:

This iRule will identify the file type of the user request. If the file type is php, the request will be routed to the iRules_pool1 pool. Because we’re now using the iRule for traffic management decisions, we need to remove the default pool from the virtual server.

- Save the iRule.
- In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
- Open the Resources page.
- For Default Pool, select None.
- Click Update.
* Open a new Web browser and access http://10.128.10.20/welcome.php.

  Questions:
    Did the page display properly? ___________________
    If not, why not? ______________________________________________________

* In the iRule Editor, update the HTTP_REQUEST as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.

  Questions:
    Did the page display properly? ___________________
    If yes, which pool supplied the welcome.php page? ______________________________
    Which pool supplied the graphics? _______________________________

* Click on the top graphic to go back to the home page.

  Questions:
    Did the page display properly? ___________________
    If not, why not? ______________________________________________________

* In the iRule Editor, update the HTTP_REQUEST as follows:

  Since we no longer have a default pool associated with the virtual server, it’s a good idea to have an else statement for requests that don’t match the if or the elseif conditions.

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.

  Questions:
    Did the page display properly? ___________________
    Which page supplied the index.php page? ________________________
    Which pool supplied the F5 logo at the bottom of the page? _________________________
    Why wasn’t this graphic supplied by iRules_pool2? _____________________________

TASK 4 – Manage Traffic Based on the Service Port

Create a new iRule that will manage traffic based on the request’s application port.

* In the iRule Editor, create a new iRule named wildcard_iRule using the blank template.
* Use the following to create this iRule:
* Save the iRule.

TASK 5 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports.

* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following:

    Name: wildcard_vs
    Destination: Host: 10.128.10.40
    Service Port: * (All Ports)
    iRules: wildcard_iRule
    Default Pool: None
* Open a Web browser and access http://10.128.10.40.

  Question: Which pool supplied this request? ___________________

* Edit the URI to https://10.128.10.40.

  Question: Which pool supplied this request? ___________________

* Edit the URI to http://10.128.10.40:8081.

  Questions:
    Which pool supplied this request? ___________________
    How was BIG-IP LTM able to view the iRule and make traffic management decisions when there’s no HTTP profile configured on the virtual server? ___________________________________________________________________________

* Close the Web browser.

TASK 6 – Update the iRule to Use the Switch Operator

Update the wildcard_iRule to use the switch operator in place of the if, elseif, else statements.

* In the iRule Editor, update the wildcard_iRule as follows:

  In this statement, the -exact argument is optional. The $requestport variable is the value that we are comparing to either 80, 443, or 8081. The statements after the 80, 443, and 8081 are the actions to take if the port value matches. The default statement is for all requests that don’t match port 80, 443, or 8081.

* Save the iRule.
* Test by using a new Web browser to access http://10.128.10.40, http://10.128.10.40:8081, and https://10.128.10.40.
* Close the Web browser.
* In the Configuration Utility, access the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics.
* Reset the statistics for all pools and all pool members.
* Open a new Putty session and access 10.128.10.40.

  NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.

* In the Configuration Utility, refresh the pools statistics.

  Question: Which pool supplied this request? ___________________

* Close Putty.
* Copy the wildcard_iRule to your Offline iRules.

TASK 7 – Use the Switch Operator to Manage Traffic Based on the File Type

Create an iRule to determine the requested file type.
If the request is for an unauthorized file type we’ll present a custom error page for the user. Otherwise we’ll route all requests for graphic files to one pool, PHP pages to another pool, and all other requests to a third pool.

* Open a new Web browser and access http://10.128.10.20.
* Edit the URI to http://10.128.10.20/calc.exe.
* Attempt to run the application.
* Edit the URI to http://10.128.10.20/basic.css.
* Close the Web browser.

Currently this Web application contains files that shouldn’t be accessed by users. We’ll use the iRule to block access to these file types.

* In the iRule Editor, select exercise_iRule.
* Delete the lines containing the if, elseif, and else statements.
* Update the HTTP_REQUEST event as follows:

  In this statement, the -glob argument enables us to use wildcard characters. The $httppath variable is the value that we are comparing. For each of the file types we are using the asterisk wildcard. If the $httppath variable ends with exe or css, the user will get a custom response page, and in addition we’ll send an entry to the log file. If the variable ends with jpg, gif, or png, the request is sent to iRules_pool1. If the variable ends with php the request is sent to iRules_pool2 and we send an entry to the log file. The default statement is for all requests that don’t match any of the listed file types.

* Save the iRule and ensure you don’t receive a syntax error.
* Open a new Web browser and access http://10.128.10.20.

  Questions:
    Which pool supplied the index.php page? ____________________
    Why didn’t this request go to iRules_pool2? _____________________________________
    Which pool supplied the F5 logo? ____________________

* Select the Welcome link.

  Question: Which pool supplied the welcome.php page? ____________________

* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.

  Question: Were you able to open these sensitive files? _______________

* View the Putty window.
  Questions:
    Did requests for images generate a log entry? ________________
    Did requests for css files generate a log entry? ________________
    Did requests for php pages generate a log entry? _______________

* Close the Web browser.

TASK 8 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise5_iRule.
* Copy the code from exercise_iRule and paste into exercise5_iRule.
* Save exercise5_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11F – WORKING WITH LISTS

In this exercise you work with lists. First you’ll create a static list and experiment with different commands to manipulate the list. Next you’ll create a dynamic list containing HTTP request headers.

* Estimated completion time: 30 minutes

TASK 1 – Update the HTTP Virtual Server and the iRule

Update the HTTP virtual server by using the HTTP pool as the default pool.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Pool list, select http_pool, and then click Update.
* In the iRule Editor, delete all of the code in the exercise_iRule.

TASK 2 – Work with a Static List

Create a static list, and then use several list commands to manipulate the list.

* To create a new static list, add the following HTTP_REQUEST event to exercise_iRule.
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To sort the list, add the following lines at the end of the HTTP_REQUEST:

    set mylist [lsort $mylist]
    log local0. "Sorted first list: $mylist"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To add items to the list, add the following lines at the end of the HTTP_REQUEST:

    lappend mylist "rst" 222
    log local0. "Second list: $mylist"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

  Question: Were the new items added into the sorted order? ___________________

* Add additional lines to the iRule to sort the list after the new items have been added and add an entry to the log file. After refreshing the http://10.128.10.20/httprequest.php Web page, the log entry should look like this:
* To insert an item into the list, add the following lines at the end of the HTTP_REQUEST:

    set mylist [linsert $mylist 1 "f5"]
    log local0. "Third list: $mylist"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

  Questions:
    How are the lappend and linsert commands different? _____________________________
    In what position in the list was the new entry added? ________________

* Once again, add additional lines to sort the new list and add an entry to the log file.
* To determine the number of items in the list, add the following line at the end of the HTTP_REQUEST:

    log local0. "Third list length: [llength $mylist]"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

  Question: What are a couple of advantages of knowing the number of items in a list? ________________________________________________________________________

* Add the following lines at the end of the HTTP_REQUEST:

    lset mylist 3 "456"
    log local0. "Fourth list: $mylist"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

  Questions:
    How is the lset command different from the lappend and linsert commands? __________________________________________________________________________
    In what position in the list was the new entry added? ________________

* To determine the value of an item in the list, add the following lines at the end of the HTTP_REQUEST:

    set item [lindex $mylist 3]
    log local0. "Item #4: '$item'"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To determine the index value of three different items, add the following lines at the end of the HTTP_REQUEST:

    set find1 [lsearch $mylist "rst"]
    set find2 [lsearch $mylist 222]
    set find3 [lsearch $mylist "deflmo"]
    log local0. "List item 'rst' at index # $find1"
    log local0. "List item '222' at index # $find2"
    log local0. "List item 'deflmo' at index # $find3"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

  Questions:
    What index number is “222” at? __________________
    Why is the third item displaying at index value -1? _________________________________

TASK 3 – Add Iteration to the iRule

Use iteration to loop through the different items in the static list.

* In the iRule Editor, add the following lines at the end of the HTTP_REQUEST (use your own address):

    set myaddress "401 Elliott Ave S, Seattle, WA 98119 USA"
    set mylist [split $myaddress " "]
    log local0. "First item: '[lindex $mylist 0]'"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

  Question: Without using iteration, how would you create separate log messages for each list entry? __________________________________________________________________________

* Replace the previous log local0 entry with the following:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

  Question: What can you add to make these log entries more understandable? __________________________________________________________________________

FOR EXTRA CREDIT

* Update the iteration command so that the log message lists the correct item number:

TASK 4 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6A_iRule.
* Copy the code from exercise_iRule and paste into exercise6A_iRule.
* Save exercise6A_iRule, and then copy it to your Offline iRules.

TASK 5 – Use a Dynamic List in an iRule

Use an iRule to gather information about the client request HTTP headers using the list commands.

* In the iRule Editor, update exercise_iRule as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

  Questions:
    How many HTTP headers are in your HTTP request? _________________
    Which header is at index position 1? ___________________________
    What is the index value for X-Forwarded-For? _________________

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

  Question: What changes occurred using this profile? ________________________________________

TASK 6 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6B_iRule.
* Copy the code from exercise_iRule and paste into exercise6B_iRule.
* Save exercise6B_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11G – USING IRULES BEST PRACTICES

In this exercise you will add comments and debugging statements to an iRule you created earlier.

* Estimated completion time: 15 minutes

TASK 1 – Add Comments to an iRule

Update an iRule by adding several comments to make it easier to understand for other administrators.

* In the iRule Editor, select exercise5_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* In the line directly after the when HTTP_REQUEST line, add the following comment:

    #Identify the requested page and store in a variable

* Continue to add the following comments:

TASK 2 – Adding Debugging Statements for Logging

Logging isn’t recommended for BIG-IP systems in production.
Modify non-critical log statements to only run at specified times.

* In the line directly after the when HTTP_REQUEST line, add the following line:

    set debug 1

* Edit the log statement for PHP pages to the following:

    if { $debug } { log local0. "Request made for $httppath" }

* Add the exact statement above to the switch default statement:
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20 Web page.
* Select the Welcome link.
* Click on the top graphic to go back to the home page.
* Select the Multiple Stream Example link.
* View the Putty window.

  For debugging purposes, we can see that requests are made for the root page “/”, php pages, and html pages.

* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, edit the debug statement:

    set debug 0

* Save the iRule and then view the same pages as you did at the beginning of this task.
* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.
* View the Putty window.

  We’ve now eliminated unnecessary logging, but can continue to log critical messages.

TASK 3 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise7_iRule.
* Copy the code from exercise_iRule and paste into exercise7_iRule.
* Save exercise7_iRule, and then copy it to your Offline iRules.
* Close the iRule Editor.
* In the Configuration Utility, create an archive file named 1.11_iRules_v11.4.0.1.

MODULE 11 EXERCISES – IAPPS

EXERCISE 1.12A – WORKING WITH IAPP APPLICATION SERVICES

In this exercise you will create an iApp Application Service. You will then examine the effects of enabling and disabling strictness. You will use reentrancy to update the application, and then examine the various objects iApp created for the application.

* Estimated completion time: 20 minutes

TASK 1 – Create a Web Application Using iApp

Create the Web application using an iApp Application Service.
* Open a new Web browser and access https://10.128.1.245.
* Open the iApp > Application Services page.
* Click Create.
* Create an Application Service using the following information:

    Profile Name: app_web
    Template: f5.http
    Inline help? No
    Configuration mode: Basic
    IP address for virtual server: 10.128.10.40
    FQDN: lamp.f5demo.com
    Create a new pool or use an existing one? Create a new pool
    Servers to reference (Address, Port):
      10.128.20.11, 80
      10.128.20.12, 80
      10.128.20.13, 80
    Health monitor: Create new HTTP monitor
    HTTP URI to send: /index.php
    Expected response: Welcome

* Click Finished.

TASK 2 – Update Your Local Hosts File

Update the entry in your local hosts file for lamp.f5demo.com.

* Open Notepad using Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Update the lamp.f5demo.com entry:

    10.128.10.40 lamp.f5demo.com

* Save and close the hosts file.

TASK 3 – Test Access to the iApp Application

Test access to the iApp application, and verify how traffic is being load balanced to pool members.

* Open a new Web browser and access http://lamp.f5demo.com.

  Questions:
    Which pool member(s) supplied content? __________________________________
    Why did only one pool member supply content? __________________________________
    Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

  Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then select the Pools statistics.
* Reset the statistics for all pools and pool members.
* In the http://lamp.f5demo.com Web page, select the HTTP Compress Example link.
* In the Configuration Utility, refresh the Pools statistics.

  Questions:
    How many Bits Out did this page create? ____________________
    How many Packets Out did this page generate?
    ______________________
    How many total requests were needed to generate this Web page? __________________

* Reset the statistics for all pools and pool members.
* Use Ctrl+F5 to refresh the http://www.f5demo.com/bigtext.php page.
* Close the Web browser.
* In the Configuration Utility, refresh the Pools statistics.

  Questions:
    How many Bits Out did this page create? ____________________
    How many Packets Out did this page generate? ______________________
    How many total requests were needed to generate this Web page? __________________
    What caused the difference in traffic to the pool member? __________________________

TASK 4 – View and Update the Application

Use iApp to update the previously deployed Web application.

* Open the iApp > Application Services page, and then select app_web.
* On the Components page, click app_web_vs. This navigates you to the virtual server Properties page.
* Attempt to update the Destination Address to 10.128.10.41.

  Question: Why couldn’t you update the virtual server IP address? __________________________

* Open the iApp > Application Services page, and then select app_web.
* Select the Properties tab.
* From the Application Service list, select Advanced.
* Disable Strict Updates, and then click Update.
* Open the app_web_vs virtual server Properties page.
* Update the following:
  * Destination Address: 10.128.10.41
  * OneConnect Profile: None
  * HTTP Compression Profile: None
  * Web Acceleration Profile: None
* Click Update.
* Select the Resources tab.
* From both the Default Persistence Profile and Fallback Persistence Profile lists, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.41.
* Close the Web browser.
* Open the iApp Application Services page, and then select app_web.
* Select the Reconfigure tab.

  Question: What is the virtual server IP address? __________________________

* Without making any changes, click Finished.
* Open the app_web_vs virtual server Properties page.
  Questions:
    Are the updates you just made still in effect? ____________________
    If not, why not? _____________________________________________________________

* Open the Local Traffic > Profiles > Protocol > TCP page.

  Question: How many TCP profiles were created for this application? ___________

* Open the iApp Application Services page, and then select app_web.
* Select the Properties tab.
* Re-enable Strict Updates, and then click Update.
* Select the Reconfigure tab.
* In the Network section, specify the following:

    What type of network connects clients to the BIG-IP system? Local area network (LAN)

* Click Finished.
* Open the Local Traffic > Profiles > Protocol > TCP page.

  Question: Why is there now only one TCP profile? _________________________________________

TASK 4 – Delete an iApp Application Service

Create a new iApp Application Service using objects from another Application Service, and then attempt to delete both applications.

* Open the iApp > Application Services page.
* Create an Application Service using the following information:

    Profile Name: app_web_backup
    Template: f5.http
    Inline help? No
    Configuration mode: Basic
    IP address for virtual server: 10.128.10.41
    FQDN: (click the X to delete this option)
    Create a new pool or use an existing one? app_web_pool

* Click Finished.
* Open the Application Services page.
* Select the checkbox for app_web, and then click Delete twice.

  Questions:
    Were you able to delete this application? ____________________
    If not, why not? _____________________________________________________________

* On the Application Services page, select app_web_backup.

  iApp created several objects for this profile: a virtual server, persistence profiles, an http profile, and several optimization profiles.

* Select the Properties tab.
* Click Delete, and then click OK.
* View the following Configuration Utility pages and verify that the application objects are deleted:
  * Virtual Server List
  * HTTP Profiles
  * HTTP Compression Profiles
  * Web Acceleration Profiles
  * Persistence Profiles
  * TCP Profiles

TASK 5 – Update the Wildcard Pools

Update the three wildcard pools you created in the iRules exercises.

* Open the Pool List page.
* Update the following pools:
  * iRules_pool1: disable 10.128.20.11:0, add 10.128.20.11:80
  * iRules_pool2: disable 10.128.20.12:0, add 10.128.20.12:80
  * iRules_pool3: disable 10.128.20.13:0, add 10.128.20.13:80

TASK 6 – Reconfigure the Application Service

Reconfigure the Application Service using the advanced settings.

* Open the iApp Application Services page, and then select app_web.

  Questions:
    How many profiles did iApp create for this application? _____________________
    What type of persistence does this application use? ________________________________

* Select the Reconfigure tab.
* In the Template Options section, select to use Advanced settings.
* In the Network section, specify the following:

    What type of network connects clients to the BIG-IP system? Wide area network (WAN)
    How have you configured routing on your web servers? Servers have a route to clients through the BIG-IP system

* In the Virtual Server and Pools section, specify the following:

    Which HTTP profile do you want to use? Create a new HTTP profile
    Should the BIG-IP system insert the X-Forwarded-For header? Do not insert X-Forwarded-For HTTP header
    Which persistence profile do you want to use? Do not use persistence
    Which load balancing method do you want to use? Weighted Least Connections (member)
    Do you want to give priority to specific groups of servers? Use Priority Group Activation
    What is the minimum number of active members in a group? 2
    Which web servers should be included in this pool?
      Update the following:
        10.128.20.11:80, Limit: 1000, Priority: 8
        10.128.20.12:80, Limit: 800, Priority: 8
        10.128.20.13:80, Limit: 800, Priority: 6
      Add the following:
        10.128.20.14, Limit: 1200, Priority: 10
        10.128.20.15, Limit: 1200, Priority: 10
* In the Delivery Optimization section, specify the following:

    Which Web Acceleration profile do you want to use for caching? Do not use caching
    Which compression profile do you want to use? Do not compress HTTP responses
    How do you want to optimize client-side connections? Create the appropriate tcp-optimized profile

* In the Server Offload section, specify the following:

    Which OneConnect profile do you want to use? Do not use OneConnect
    How do you want to optimize server-side connections? Create a profile based on tcp-lan-optimized
    How many seconds should Slow Ramp time last? 200

* In the Application Health section, specify the following:

    How many seconds should pass between health checks? 10

* Click Finished.
* Open a new Web browser and access http://lamp.f5demo.com.

  Questions:
    Which pool member(s) supplied content? __________________________________
    Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

  Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the iRules section, specify the following:

    Do you want to add any custom iRules to this configuration? exercise7_iRule

* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

  Question: Did the BIG-IP make new traffic management decisions? _________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the SSL Encryption section, specify the following:

    How should the BIG-IP system handle SSL traffic? Encrypt to clients, plaintext to servers (SSL Offload)
    Which Client SSL profile do you want to use? Create a new Client SSL profile
    Which SSL certificate do you want to use? lamp.crt
    Which SSL private key do you want to use? lamp.key

  Note that the virtual server port changed from 80 to 443 after you selected to use SSL offload.
* In the Virtual Server and Pools section, specify the following:

    Do you want to redirect inbound HTTP traffic to HTTPS? Redirect HTTP to HTTPS
    From which port should HTTP traffic be redirected? 80

* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

EXERCISE 1.12B – WORKING WITH IAPP TEMPLATES

In this exercise you will view the list of system-supplied iApp Templates, and then view the properties of a Template. You’ll then find and download iApp Templates from the F5 downloads page and from DevCentral.

* Estimated completion time: 20 minutes

TASK 1 – View iApp Templates

View the list of system-supplied iApp Templates.

* In the Configuration Utility, open the iApp > Templates page.
* Use the page list box to display all Templates on one page.

  Questions:
    How many Templates are currently used for Application Services? ________________
    How can you tell that these are system-supplied Templates? __________________________

TASK 2 – View the Properties of an iApp Template

View the properties of the f5.http system-supplied Template.

* On the Template List page select f5.http.

  Questions:
    What are the required BIG-IP modules? _______________________
    What is the minimum BIG-IP version? ________________________
    What is the maximum BIG-IP version? ________________________

* View the contents of the Implementation, Presentation, and HTML Help sections.
* Change the first line of the HTML Help section to:

Web server iApp Template

  Questions:
    Can you save this change? ________________
    If not, why not? ________________________________________

TASK 3 – Download Updated iApp Templates from F5 Downloads

Access and log in to the F5 Downloads page, then download the updated iApp Templates for v11.3 to your workstation.

* Open the F5 product version download page at https://downloads.f5.com/esd/productlines.jsp.
* Select BIG-IP v11.x / Virtual Edition.
* From the list box select 11.3.0.
* Select iApp-Templates.
* Accept the license agreement.
* Select iapps-1.0.0.8.0.zip.
* Select the best download for your location.
* Save and then unzip the file on your local workstation.

  This file contains updated versions of the Exchange 2010 – 2013 Client Access Server and the Citrix XenApp XenDesktop iApp Templates.

TASK 4 – Download a Community-Contributed iApp Template from DevCentral

Access and log in to DevCentral, then find and download a community-contributed iApp Template to your workstation.

* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iApp.
* On the left navigation menu, select Samples.
* Under the Community-Contributed section, select MySQL Proxy iApp.
* Right-click on the green arrow, and then select Save Target As.
* Save and then unzip the file on your local workstation.
* Close the DevCentral Web page.

TASK 5 – Import iApp Templates Into the BIG-IP

Import iApp Templates into your BIG-IP system.

* In the Configuration Utility, open the iApp > Templates page.
* Click Import.
* Click Browse.
* Navigate to the location where you unzipped the downloaded Template files.
* Select f5.microsoft_exchange_2010_2013_cas.tmpl, and then click Open.
* Leave the Overwrite Existing Templates checkbox cleared and click Upload.
* Repeat the steps above to import mysql_proxy.2011-12-02.tmpl.
* Select the Application Services page, and then click Create.
* From the Templates list, select f5.microsoft_exchange_2010-2013_cas.v1.2.0cr1.

  You could now use this iApp Template for an application deployment.

* Create an archive file named 1.12_iApps_v11.4.0.1.
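
The file-type switch described in Exercise 1.11E Task 7, combined with the debug flag from Exercise 1.11G Task 2, written out as an added example; it is not the guide's own iRule. Assumptions: $httppath is taken from HTTP::path and normalized with URI::decode and string tolower, the patterns are written as "*.ext", the custom response is a 403 with a placeholder body, and unmatched requests go to iRules_pool3.

```tcl
when HTTP_REQUEST {
    # Debug switch from Exercise 1.11G: 1 logs routine requests, 0 keeps only critical entries.
    set debug 0

    # Identify the requested page and store it in a variable.
    # Assumption: use the path without the query string, decode percent-encoding once,
    # and lower-case it, so the match does not depend on letter case or encoding.
    set httppath [string tolower [URI::decode [HTTP::path]]]

    switch -glob -- $httppath {
        "*.exe" -
        "*.css" {
            # Unauthorized file types: always logged, regardless of $debug,
            # and answered by the BIG-IP instead of a pool member.
            log local0. "Blocked request for $httppath from [IP::client_addr]"
            HTTP::respond 403 content "<html><body><h1>This file type is not available.</h1></body></html>" "Content-Type" "text/html"
        }
        "*.jpg" -
        "*.gif" -
        "*.png" {
            # Graphic files
            pool iRules_pool1
        }
        "*.php" {
            # PHP pages: non-critical log entry, written only while debugging
            if { $debug } { log local0. "Request made for $httppath" }
            pool iRules_pool2
        }
        default {
            # Everything else, including "/" (assumed here to go to iRules_pool3)
            if { $debug } { log local0. "Request made for $httppath" }
            pool iRules_pool3
        }
    }
}
```

Because the default branch still forwards every file type that is not listed, this rule is a blocklist. Listing the permitted extensions and rejecting in the default branch would fail closed instead.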
INTRODUCTION
Welcome to the F5 LTM Fundamentals Hands-on Exercise Guide. This guide provides hands-on experience with F5 BIG-IP® Local Traffic Manager™ (LTM). You can use these exercises and the virtual environment (vLab) – this includes VMware Workstation and BIG-IP® Virtual Edition (VE) – as a learning tool or to give customer demonstrations.
Note, this guide is written for the following product and vLab version:
* TMOS architecture v11.4.0
* VMware Workstation 9.0.0
* Virtual images:
  o BIGIP 11.4.0.2384.0-scsi-ova
  o LAMP 3.2
  o DoS_Tool 3.0

MODULE 1 EXERCISES – INITIAL INSTALLATION

EXERCISE 1.1 – VMWARE WORKSTATION CONFIGURATION
These steps guide you through requesting a VMware Workstation license from IT, installing and configuring the VMware Workstation environment, downloading and installing the VMware images used in the environment, and making some required manual changes to the LAMP back-end server images.
* Only perform this exercise if this is a first time setup of the vLab.
* Use a Windows environment with this setup guide.
* Estimated completion time: 15 minutes

TASK 1 – Request a VMware Workstation License and Install the Trial Version
* Access https://f5.service-now.com (log in using your Olympus credentials).
* From the left navigation menu, select Service Catalog.
* Under Software Requests, select VMware.
* Select the Desktop license.
* In the Select License Type list box, select Workstation (WIN/Linux).
* In the Business Justification field, type F5 vLab, and then click Order Now.
  You will receive your VMware Workstation license from IT. In the meantime you have 30 days to use the trial version of VMware Workstation.
* Access http://www.vmware.com/products/workstation/overview.html.
* Download and install the trial version of VMware Workstation 9.
  NOTE: These exercises are tested for VMware Workstation version 9.
  There may be issues with other versions.

TASK 2 – Set Up the VMware Network Environment
You will configure three VMware networks. VMnet1 acts as the Out of Band Management network for accessing the BIG-IP Configuration Utility. VMnet2 acts as the external network for users accessing virtual servers. VMnet3 acts as the internal VLAN where the back-end Web servers are located.
* Launch VMware Workstation, and then select Edit > Virtual Network Editor.
* Remove any existing VMnets EXCEPT for VMnet0.
* Click the Add Network button, and add VMnet1, VMnet2 and VMnet3.
* Select VMnet1, and configure as follows:
  o Enable the Host-only (connect VMs internally in a private network) option.
  o Select the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.1.0.
  o In the Subnet mask field enter 255.255.255.0.
  NOTE: You will use this network to manage the BIG-IP VE system. This configures your local workstation with a VMware network adapter IP address of 10.128.1.1.
* Select VMnet2 and configure as follows:
  o Enable the NAT (shared host’s IP address with VMs) option.
  o Select the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.10.0.
  o In the Subnet mask field enter 255.255.255.0.
  o Click the NAT Settings button.
  o In the Gateway IP field enter 10.128.10.2, and then click OK.
  NOTE: These NAT settings enable the BIG-IP VE system to reach the Internet through your workstation’s network adapter. This configures your local workstation with a VMware network adapter IP address of 10.128.10.1.
* Select VMnet3, and configure as follows:
  o Enable the Host-only (connect VMs internally in a private network) option.
  o Clear the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.20.0.
  o In the Subnet mask field enter 255.255.255.0.
  NOTE: Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to the internal network. This will avoid asymmetric routing issues and also enable you to demonstrate secure remote access and full proxy features.
* Click OK.

TASK 3 – Download the Virtual Images
Download the BIG-IP image file to your local workstation, and then download and unzip the VMware back-end server images.
* Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.
* Click BIG-IP v11 x / Virtual Edition, and ensure that 11.4.1 is selected in the product version list box.
* Click Virtual-Edition, and then accept the license agreement.
* Click BIGIP-11.4.1.608.0-scsi.ova.
* Click the best download link for your location.
* Save the file to a directory on your local workstation.
  NOTE: Ensure the location of this directory has at least 6GB of free disk space.
* Access ftp://wafer.f5net.com/outgoing/F5_Virtual_Environment_Setup_VMware/.
* Download the following files:
  o Exercise_Files.zip
  o LAMP_3.2.7z
* Unzip each downloaded file in the local directory you created earlier in this task.

TASK 4 – Install the BIG-IP VE System VMware Image
Use VMware Workstation to open and install the BIG-IP VE image file.
* In VMware Workstation, go to File > Open.
* Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.4.1.608.0-scsi.ova image file, and then click Open.
* Name the new virtual machine BIGIP_A1_v11.4.
* Enter or browse to a location with at least 4GB of free disk space and click Import.
* Click the Accept button.
  It will take a few minutes for the image to import.
* After the import completes, select BIGIP_A1_v11.4 from the Library menu, and then click Edit virtual machine settings.
* Map the network adapters to the appropriate VMware networks using the following table:
    Network Adapter      Custom (VMnet1)
    Network Adapter 2    Custom (VMnet2)
    Network Adapter 3    Custom (VMnet3)
    Network Adapter 4    Bridged (Automatic)
* Click OK.

TASK 5 – Install the LAMP VMware Image
Use VMware Workstation to open and install the LAMP VMware server images.
* In VMware Workstation, go to File > Open.
* Select the LAMP_3.2.vmx image file, and then click Open.
* In the VMware Workstation dialog box, click Take Ownership.
* Select LAMP_3.2 from the Library menu, and then click Edit virtual machine settings.
* Map the network adapters to the appropriate VMware networks using the following table:
    Network Adapter      Connect at power on (yes)    Custom (VMnet1)
    Network Adapter 2    Connect at power on (no)     Custom (VMnet2)
    Network Adapter 3    Connect at power on (yes)    Custom (VMnet3)
    Network Adapter 4    Connect at power on (no)     Bridged
* Click OK.

TASK 6 – Edit the Settings of the LAMP Image
The LAMP image requires some manual network configuration changes.
* Select LAMP_3.2 from the Library menu, and then click Power on this virtual machine.
* Within the VMware Workstation window, leave Ubuntu selected and press the Enter key.
* After the image powers on, within the VMware Workstation window (and within the LAMP desktop) click Login.
* Click the Applications Menu icon on the top-left of the screen, and then select Settings Manager.
* In the Hardware section, click Network Connections.
* Select Wired connection 1, and then click Edit.
* From the Device MAC address list box, select the MAC address for eth0.
* Click Save, and then repeat these steps for the following:
  o Wired connection 2 --> eth1
  o Wired connection 3 --> eth2
  o Wired connection 4 --> eth3
* Delete Wired connection 5 – Wired connection 8.
  NOTE: The wired connection entries will not be removed from the Network Connections list until you reboot the image.
* Close the Network Connections and Settings dialog boxes.
* In VMware Workstation, right-click LAMP_3.2 in the Library menu and select Power > Power Off.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > Take Snapshot.
* Name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.

EXERCISE 1.2 – INITIAL BIG-IP CONFIGURATION
In this exercise you will configure the BIG-IP management interface, you’ll use TMSH to create a VLAN and a self IP address, and you’ll request and install a BIG-IP VE license key.
* Your workstation needs Internet access to complete the licensing portion of this exercise.
* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 25 minutes

TASK 1 – Configure BIG-IP Management Interface Settings
Power on the BIG-IP VE image, configure the management interface settings, and then use TMSH to create the external VLAN, self IP address, and default gateway route.
* Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.
  NOTE: You may experience issues when attempting to power on the BIG-IP virtual machine. If you receive an incompatibility message regarding 64-bit operation, complete Task 1.1.
* After the BIG-IP VE system powers on, you are presented with the localhost login screen.
* Log in to the BIG-IP system using the following credentials:
    localhost login: root
    Password: default
* At the CLI prompt, type:
    config
* Configure the management interface using the following information:
    IP Address       10.128.1.245
    Network Mask     255.255.255.0
    Default Route    10.128.1.1

TASK 1.1 – Configure your System BIOS and BIG-IP Management Interface Settings
Complete this task ONLY if you receive an incompatibility message regarding 64-bit operation.
* You may receive the following dialog box:
  This is an issue with the Intel virtualization.
  To resolve it, you must reconfigure your system BIOS.
* Access your system BIOS. To find the disabled virtualization features, perform the following, depending on the model of your device:
  o Go to Configuration, and then enable Intel Virtual Technology.
  o Go to Security > Virtualization, and then enable Intel (R) Virtualization Technology and Intel (R) VT-d Feature.
* Press F10 to save and exit the system BIOS.
  The system reboots and you can proceed.
* Launch VMware Workstation.
* Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.
* After the BIG-IP VE system powers on, you are presented with the localhost login screen.
* Log in to the BIG-IP system using the following credentials:
    localhost login: root
    Password: default
* At the CLI prompt, type:
    config
* Configure the management interface using the following information:
    IP Address       10.128.1.245
    Network Mask     255.255.255.0
    Default Route    10.128.1.1

TASK 2 – Generate an Evaluation License Key
Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license.
* Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com
* Click Eval Key Generator, and log in using your Olympus credentials.
  NOTE: Ensure you are not selecting Dev Key Generator.
* Leave the Generate Eval Base Keys option selected.
* From the Product Line list box, select BIG-IP.
* From the Product list box, select F5-BIG-VE-LAB-LIC.
  NOTE: Ensure you are selecting the license above before moving on.
* Select the 45 Days option, and then click Next.
* On the License Configuration Options page change the Number of Product Keys to Generate to 10.
* Select the GTM, VE and the BIG-IP, LAB (LTM,APM,ASM,AM, GTM), VE checkboxes, and then click Next.
  The evaluation key is emailed to your F5.com address.
* Once the F5 Development Registration Key email is delivered to your inbox, open it and copy one of the registration keys.

TASK 3 – Access the BIG-IP VE System
Access the management port of the BIG-IP VE system using a Web browser.
* Open up a Web browser and access https://10.128.1.245.
* Proceed with the untrusted security certificate.
* Log in to the BIG-IP system using the following credentials:
    Username: admin
    Password: admin
  The BIG-IP VE system does not yet have a license.

TASK 4 – Activate the BIG-IP System
Use the manual licensing method with the registration key emailed to you to activate the BIG-IP VE system.
* On the Welcome page, click Next.
* On the License page, click Activate.
* In the Base Registration Key field, paste the registration key text.
* For Activation Method, select Manual.
* Click Next.
* Select and copy all of the dossier text to your clipboard.
* Click the F5 Licensing Server link.
* Paste the dossier text in the field, and then click Next.
* Accept the license agreement, and then click Next.
* Select and copy all of the license key text to your clipboard, and then close the Activate F5 Product Web page.
* On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next.
  The BIG-IP VE system configuration updates. This takes several seconds.
* After the configuration changes complete, log in to the BIG-IP VE system.

TASK 5 – Complete the Setup Utility
Complete the remaining steps of the Setup Utility.
* On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
* On the Device Certificate page click Next.
* On the Platform page, configure these settings using the following information:
    Host Name                                   bigipA1.f5demo.com
    Root Account (Password and Confirm)         default
    Admin Account (Password and Confirm)        admin
* Click Next.
* You are prompted to log out and log back in to the BIG-IP VE system. Click OK.
* Log back in to the BIG-IP VE system.
* Under Standard Network Configuration, click Next.
* Clear the Display configuration synchronization options checkbox.
* Click Next.
* In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information:
    Self IP Address     10.128.20.240
    Self IP Netmask     255.255.255.0
    Port Lockdown       Allow Default
    VLAN Interfaces     Untagged: 1.2
* Click Next.
* In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information:
    External VLAN       Create VLAN external
    Self IP Address     10.128.10.240
    Self IP Netmask     255.255.255.0
    Port Lockdown       Allow 443
    Default Gateway     10.128.10.2
    VLAN Interfaces     Untagged: 1.1
* Click Finished.
  You are presented with the BIG-IP Web Configuration Utility.
* To find manuals and product information, click the User Documentation link to go to AskF5.
  The AskF5 knowledge base Web site displays. You can use this site to view knowledge base articles and download product manuals.
* Close the Ask F5 Web page.
* Click the Run the Setup Utility link.
  You can run the Setup Utility at any time. However, you can also make changes manually using the Network option on the left navigation menu.

TASK 6 – Review Configuration Objects
Use the Configuration Utility to view the TMOS objects created with the Setup Utility.
* Open the Network > VLANs > VLANs List page.
  The Setup Utility created two VLANs: external and internal.
* Open the Network > Self IPs page.
  The Setup Utility created two self IP addresses:
    Self IP Address     VLAN
    10.128.10.240       external
    10.128.20.240       internal
* Open the Network > Routes page.
  The Setup Utility created the following route:
    Name                          Resource
    external_default_gateway      10.128.10.2

TASK 7 – Explore Command Line Access (CLI) and tmsh
Access the BIG-IP system and view configuration details using an SSH client (such as Putty).
* Use an SSH client (such as Putty) to connect to the external self IP address 10.128.10.240.
  You are unable to open the BIG-IP system because the Port Lockdown option of the external self IP address is set to allow access for TCP port 443 only.
* In the Configuration Utility, open the Network > Self IPs page.
* Click 10.128.10.240.
* Add TCP port 22 to the Custom List.
* Click Update.
* Use the SSH client again to connect to 10.128.10.240.
* In the PuTTY Security Alert dialog box, click Yes.
* Log in to the BIG-IP CLI using the following credentials:
    Username: root
    Password: default
* At the CLI, type:
    tmsh list net se (and then press the Tab key)
  Question: Did autocorrect display options? _____________________
* At the CLI, complete the following:
    tmsh list net self
  Question: What information is listed? ________________________________
* At the CLI, type:
    tmsh
* At the tmos prompt, type:
    list net vl (and then type the Tab key)
  Questions:
  Did autocorrect display options? _______________________
  Which options are available? _______________________________________
  Why did the tmos prompt replace “list net vl” with “list net vlan”? _______________________________________________________________________
* Press the Enter key.
  Question: What information is listed? ________________________________
* At the tmos prompt, navigate to another location by typing the following:
    ltm node
* At the tmos prompt, type:
    ?
  TMOS displays the commands you can use at this point.
* At the tmos prompt, type:
    q (NOTE: This will exit the list of commands presented by the “?”)
    create ?
  TMOS displays available commands and required objects. The create command requires a name to identify the node.
* At the tmos prompt, type:
    create test_node?
  The create command followed by a name requires a text name or an IP address.
* At the tmos prompt, type:
    create test_node address ?
  You must include an IP address.
* At the tmos prompt, type:
    create test_node address 10.20.30.40
    list
* In the Configuration Utility, open the Local Traffic > Nodes > Node List page.
  You created a node on the BIG-IP VE system.
* In the SSH client, at the tmos prompt, type:
    delete test (and then press the Tab key)
  There is only one possible option, so autocorrect completes the next word.
* Press the Enter key to complete the delete command.
* In the Configuration Utility, refresh the Node List page.
  You’ve removed the node from the BIG-IP VE system.
* In the SSH client, at the tmos prompt, type:
    / (this brings you back to the root TMOS level)
    quit
* At the CLI, type:
    exit

EXERCISE 1.3 – USER ACCESS AND SYSTEM PREFERENCES
In this exercise you will verify the default capabilities of the built-in admin and root user accounts. You’ll then create a new BIG-IP user account and experiment with two user roles. Finally, you’ll examine the log files and create an archive file.
* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 15 minutes

TASK 1 – Verifying User Access
Attempt to log in using the SSH client and the admin user account.
* Open a new SSH session and connect to 10.128.10.240.
* Attempt to log in using the following credentials:
    Username: admin
    Password: admin
  By default, you cannot open an SSH session using the admin account.
* In the Configuration Utility, open the System > Users > User List page.
* Click admin.
* From the Terminal Access list box, select Advanced shell.
* Click Update.
* Use the SSH client again to connect to: 10.128.10.240, and then log in using the admin account.
* Close the SSH session.
* In the Configuration Utility, attempt to log back in to the BIG-IP VE system using the following credentials:
    Username: root
    Password: default
  You cannot log in to the Configuration Utility using the root account. You can only use the root account for CLI access.

TASK 2 – Create a New BIG-IP User Account
Use the Configuration Utility to create a new BIG-IP VE system user account for yourself and experiment with the different user roles.
* Log in to the BIG-IP system using the admin account.
* Open the System > Users > User List page.
* Create a new user account using the following information, and then click Finished.
    User Name           your first name
    Password            your last name (all lowercase)
    Role                Operator
    Partition Access    All
    Terminal Access     tmsh
* Use the SSH client to access: 10.128.10.240, and then log in using your new user account.
  Question: Are you at the CLI prompt or the tmos prompt? _________________________
* At the tmos prompt, type:
    ltm node
    create test_node address 10.20.30.40
  You receive a syntax error: incomplete command.
* At the tmos prompt, type:
    create ?
  Your user account does not have privileges to create nodes.
* At the tmos prompt, type:
    quit
  Because you only have TMSH access, quitting TMSH ends the SSH session.
* In the Configuration Utility, click Log out.
* Log back into the Configuration Utility using your new user account.
* Open the Local Traffic > Pools > Pool List page.
  Question: Why are the Create and Delete buttons greyed out? ________________________________
* Open the System > Users > User List page.
* Click your user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
* Log out, and then log back in using the admin account.
* Open the System > Users > User List page.
* Click your new user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
* Change the user’s Terminal Access to Advanced shell.
* Click Update.
* Log out, and then log in using your new user account with the WRONG password. (NOTE: You will view this failed login attempt in the LTM audit log.)
* Log in using your new user account with the correct password.
* Open the Local Traffic > Pools > Pool List page.
  You now have privileges to create and delete pools.

TASK 3 – View Logging Information
View recent security logging activity using an SCP client (such as WinSCP).
* Use an SCP client (such as WinSCP) to access 10.128.10.240 with your new user account and password.
* On the right-side navigate to the / level.
* Navigate to the /var/log directory.
* Open the secure log file and then scroll to the bottom.
* Locate the log entry for the failed login attempt by your user account.
* Close the secure log file and the SCP client.
* In the Configuration Utility, open the System > Logs > Audit > List page.
* Type fail in the search field, and then click Search.
* Locate the log entry for the failed login attempt by your user account.

TASK 4 – Update System Preferences
Update the BIG-IP VE system preferences with custom settings.
* Open the System > Preferences page.
* From the System Settings list, select Advanced.
* Change the Records Per Screen value to 20.
* From the Start Screen list box, select Statistics.
* Select the Redirect HTTP to HTTPS checkbox.
* Update the Idle Time Before Automatic Logout value to 100000.
* Update the Security Banner Text to Show on the Login Screen to:
    Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.
* Click Update.
* Click Log out.
* Change the URL to http://10.128.1.245.
  You are redirected to the HTTPS site, and the Login page now displays the custom message.
* Log in using your new user account.
  The startup page is now the Statistics page.

TASK 5 – Create an Archive File
Use the command line to create an archive file.
* Use the SSH client to connect to: 10.128.10.240, and then log in using your new user account.
* At the CLI, type:
    tmsh
* At the TMOS prompt, type:
    sys ucs
    ?
* Use the Enter key to scroll through the available commands.
* At the tmos prompt, type:
    q
    save ? 1.3_initial_setup_v11.4.1.1.ucs ?
  You can create a passphrase when needed.
* Press Enter to create the archive file.
* Quit TMSH, and then exit the SSH client.
* In the Configuration Utility, open the System > Archives page.
  You created a new archive file on the BIG-IP VE system.

MODULE 2 EXERCISES – PROCESSING TRAFFIC

EXERCISE 2.1 – CREATE AN HTTP POOL AND VIRTUAL SERVER
In this exercise you will configure a pool for HTTP Web servers, a virtual server that uses the HTTP pool, and then verify its functionality. You’ll then update the SNAT settings for the virtual server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Pool
Create a pool containing three HTTP pool members.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Open a Web browser and access https://10.128.1.245.
* Log in with the new user account you created in Exercise 1.3.
* Open the Local Traffic > Pools > Pool List page, and then click Create.
* Create a pool using the following information:
    Name                         http_pool
    Load Balancing Method        Round Robin
    Priority Group Activation    Disabled
    New Members (Click Add for each entry):
      Address         Service Port
      10.128.20.11    80
      10.128.20.12    80
      10.128.20.13    80
* Click Finished.
* Open the Local Traffic > Nodes > Node List page.
  The BIG-IP VE system automatically creates a node for each pool member.

TASK 2 – Create a Virtual Server that Uses the Pool
Create an HTTP virtual server that uses the HTTP pool you created previously.
* Open the Local Traffic > Virtual Servers > Virtual Server List page, and then click Create.
* Create a virtual server using the following information:
    Name            http_vs
    Type            Standard
    Destination     Host: 10.128.10.20
    Service Port    80 (HTTP)
    State           Enabled
    Default Pool    http_pool
* Click Finished.

TASK 3 – Verify the Virtual Server and Pool Functionality
Access the virtual server and ensure that you’re receiving information from all three pool members.
* Use a new Web browser and access the virtual server at http://10.128.10.20.
  You should see page elements coming from all three of the pool members.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
  Question: How many connections were opened to create the Web page? ___________
* In the F5 vLab Test Web page, type Ctrl+F5 once, to force the browser to refresh without using its cache.
* In the Configuration Utility, from the Statistics Type list box, select Pools.
  Questions:
  Did traffic go to each pool member? _____________
  Did each member manage approximately the same number of connections? __________

TASK 4 – Modify the Virtual Server SNAT Setting
Identify the effects of adding SNAT Automap to the virtual server.
* In the F5 vLab Test Web page, review the Request Details and examine the Client IP address/port.
  Questions:
  What is the client IP address? ________________________
  Which device “owns” this IP address? ___________________________
* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Click http_vs.
* From the Source Address Translation list box, select Auto Map, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  Question: What is the client IP address? ________________________
  Which device “owns” this IP address? ___________________________
* Close the F5 vLab Test Web page.
* In the Configuration Utility, change the Source Address Translation back to None, and then click Update.

EXERCISE 2.2 – NETWORK MAP
In this exercise you will use the Network Map feature to examine availability information on virtual servers, pools, pool members, and nodes.
* Estimated completion time: 10 minutes

TASK 1 – View Configuration and Status from the Network Map
* In the Configuration Utility, open the Local Traffic > Network Map page.
* Use the mouse to hover over the virtual server and pool objects and notice the information displayed for each object.
* Hover over the pool member objects and notice the information displayed.
* Click the 10.128.20.11:80 pool member.
  The pool member properties page displays.
* In the Parent Node row, click 10.128.20.11.
  The node properties page displays.
* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* Open the Members page.
* Select the checkbox for 10.128.20.11:80, and then click Disable.
* Return to the Network Map page.
* In the Search box, type 20.12, and then click Update Map.
  All objects that match the search criteria are highlighted.
* Click the 10.128.20.11:80 pool member.
* In the State row, select the Enabled option to re-enable this pool member, and then click Update.

TASK 2 – Reset Statistics
Reset the statistics for the virtual server, the pool, and all of the pool members.
* Open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
* Select the http_vs checkbox, and then click Reset.
* From the Statistics Type list box, select Pools.
* Use the Select All checkbox to select the http_pool and all three members, and then click Reset.

TASK 3 – View the Local Traffic Log File
Use the Local Traffic log file to identify pool member availability.
* Open the System > Logs > Local Traffic page.
* Click the Timestamp column header to sort in descending order. (The most recent entry should be at the top of the list.)
* In the Search box type disabled, and then click Search.
  You can quickly identify when a pool member or node has been disabled.

TASK 4 – Saving the Configuration
Use the Configuration Utility to create an archive file.
* Open the System > Archives page, and then click Create.
* Create an archive using the following information, and then click Finished.
    File Name       2.2_processing_traffic_v11.4.1.1
    Encryption      Disabled
    Private Keys    Include

MODULE 3 EXERCISES – VIRTUAL SERVERS

EXERCISE 3.1 – VIRTUAL SERVER PRIORITY
In this exercise you will configure a pool and a virtual server that listen on all ports, and then test application access using the virtual server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Wildcard Pool
Create a pool containing three pool members listening on all ports.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Pools > Pool List page.
* Create a new pool using the following information, and then click Finished.
    Name                         open_pool
    Load Balancing Method        Round Robin
    Priority Group Activation    Disabled
    New Members (Click Add for each entry):
      Address         Service Port
      10.128.20.11    * All Services
      10.128.20.12    * All Services
      10.128.20.13    * All Services
* Open the Local Traffic > Nodes > Node List page.
  Questions:
  Did BIG-IP LTM create new nodes for this pool? _________________
  If no, why not? ____________________________________________________________

TASK 2 – Create a Wildcard Virtual Server
Create a virtual server listening on all ports that references the pool you created in the previous task.
* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name            open_vs
    Type            Standard
    Destination     Host: 10.128.10.20
    Service Port    * All Ports
    Default Pool    open_pool

TASK 3 – Verify the Virtual Server and Pool Functionality
Access the wildcard virtual server and ensure that you’re receiving information from all three pool members.
* Open the Statistics > Module Statistics > Local Traffic page, and then select to view Virtual Server statistics.
* Verify that the statistics for all virtual servers are reset.
* Use a new Web browser and access the virtual server at http://10.128.10.20.
* In the Configuration Utility, on the Virtual Servers statistics page, click Refresh.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use an SSH client to access 10.128.10.20.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close Putty.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use a new Web browser to access the secure virtual server at https://10.128.10.20.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
  The HTTP request was directed to http_vs, as this virtual server is more specific than open_vs. The SSH and HTTPS requests were directed to open_vs.
* Delete both the open_vs and the open_pool objects.

EXERCISE 3.2 – FORWARDING AND REJECT VIRTUAL SERVERS
In this exercise you will configure and test a forwarding network virtual server. You’ll then configure and test a reject virtual server for SSH access. Lastly, you’ll create a forwarding host virtual server for SSH access to a single server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Disable the Current Virtual Server
Disable the current HTTP virtual server, and add a route from your workstation to the 10.128.20.0 network.
* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Select the http_vs checkbox, and then click Disable.
  NOTE: You must disable this virtual server in order to use those you’ll create later in this exercise.
* Use a Web browser to attempt to access a Web server directly at http://10.128.20.13. The request fails, as you do not have direct access to the 10.128.20.0 network.
* On your workstation, open a command prompt.
  NOTE: You may need to run the command prompt as a local administrator. If so, go to the Start menu and type cmd, then right-click cmd.exe and select Run as administrator.
* At the command prompt, type:

    route add 10.128.20.0 mask 255.255.255.0 10.128.10.240

  This adds a route to the 10.128.20.0 network through the external self IP address of the BIG-IP VE system.
  NOTE: You cannot run the route add command while connected to an F5 VPN.
* Leave the command prompt window open.
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13. The request fails again, as the BIG-IP VE system does not have a listener to forward this request to the internal network.

TASK 2 – Create a Forwarding (IP) Virtual Server
Create a forwarding (IP) virtual server for the 10.128.20.0 network.
* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.

    Name            forward_vs
    Type            Forwarding (IP)
    Destination     Network
                    Address: 10.128.20.0
                    Mask: 255.255.255.0
    Service Port    * All Ports
    Protocol        * All Protocols

* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13. The request is successful. Note in the Request Details section, the virtual server address is the same as the pool member address. The virtual server did not process the packet, but simply forwarded it to the internal network.
* Change the URL to https://10.128.20.12.
* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close the SSH session and the F5 vLab Test Web page.

You now have access to all ports and all protocols on the 10.128.20.0 network.

TASK 3 – Create a Reject Virtual Server
Create a reject virtual server to reject SSH traffic going to the 10.128.20.0 network.
* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.

    Name            reject_vs
    Type            Reject
    Destination     Network
                    Address: 10.128.20.0
                    Mask: 255.255.255.0
    Service Port    22 (SSH)

* Use an SSH client to connect to 10.128.20.11.
* When your request times out, close the SSH session.
* Use a Web browser to access http://10.128.20.11. Although you still have HTTP access to 10.128.20.11, you no longer have SSH access to any hosts on the 10.128.20.0 network.
* Close the F5 vLab Test Web page.

TASK 4 – Create a Forwarding Host Virtual Server
Create another forwarding (IP) virtual server, enabling SSH traffic to 10.128.20.11 only.
* In the Configuration Utility, on the Virtual Server List page, create a virtual server using the following information, and then click Finished.

    Name            ssh_vs
    Type            Forwarding (IP)
    Destination     Host: 10.128.20.11
    Service Port    22 (SSH)

* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Open a new SSH session and connect to 10.128.20.12.
* When your request times out, close the SSH session.

You now have access to all ports and protocols on the 10.128.20.0 network except for port 22. You only have access to port 22 on host 10.128.20.11.
* In the Configuration Utility, delete forward_vs, reject_vs, and ssh_vs.
* Re-enable http_vs.
* In the command prompt window, type:

    route DELETE 10.128.20.0

* Close the command prompt.

TASK 5 – Saving the Configuration
Use the Configuration Utility to create an archive file.
* Open the System > Archives page.
* Create an archive using the following information, and then click Finished.

    File Name       3.2_virtual_servers_v11.4.1.1
    Encryption      Disabled
    Private Keys    Include

MODULE 4 EXERCISES – POOLS

EXERCISE 4.1 – INSTALL REQUIRED SOFTWARE
You will need to install and configure JMeter in order to use this exercise guide.
* Do not perform exercise 4.1 if you already have JMeter installed.
* Estimated completion time: 10 minutes

TASK 1 – Download and Install JMeter
Download and install JMeter.
* Use a Web browser to access http://jmeter.apache.org/download_jmeter.cgi.
* From the Binaries section, download either the TGZ or ZIP file of the latest version of Apache JMeter.
* Extract the downloaded file on your workstation. You will use the bin/jmeter.bat program to create a Web server load simulation.

TASK 2 – Configure a Path Value for Java.exe
In order to use JMeter, your workstation must have a path variable value for accessing java.exe.
* On your workstation open C:\Program Files.
* Open the Java folder. If there is no folder named Java, look in the Program Files (x86) folder.
* Open jre7, and then open bin. Verify that this folder contains the java.exe executable file.
* Right-click in the address bar and select Copy address.
* Open the Start menu, and then type environment in the search bar.
* Click Edit environment variables for your account.
* In the Environment Variables dialog box, in the User variables for section, do one of the following:
  o If there is an existing path variable:
      * Select path, and then click Edit.
      * At the end of the existing Variable value, add a semi-colon, and then paste the address text.
  o If there is not an existing path variable:
      * Click New.
      * Name the new variable path.
      * In the Variable value field, paste the address text.
* Click OK twice.

EXERCISE 4.2 – CREATE A WEB LOAD TEST
Use JMeter to record a visit to your virtual server, and then create a load configuration to simulate 50 users accessing the recording.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Use JMeter to Record a Visit to the Web Site
Use JMeter to record a series of requests to the http_vs virtual server.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
  NOTE: If you do not have JMeter installed, return and complete Exercise 4.1.
* In the navigation panel, right-click Test Plan, and then select Add > Threads (Users) > Thread Group.
* Change the name to 10.128.10.20 Test.
* In the Number of Threads (Users) field, enter 100.
* In the Loop Count field, enter 3.
* Go to File > Save, and save the file as 10.128.10.20_Test.jmx.
  This will simulate 100 users accessing the BIG-IP VE system and visiting each page three times.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Config Element > HTTP Request Defaults.
  o In the Server Name or IP field, enter 10.128.10.20.
  o In the Port Number field, enter 80.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Home Page
  o In the Path field, enter /
  o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Welcome Page
  o In the Path field, enter /welcome.php
  o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Listener > Summary Report.
* Click the Save button.

TASK 2 – Use JMeter to Simulate Multiple Visits to the Web Site
Use JMeter to play the recording to the downstream Web site.
* In JMeter, select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.

TASK 3 – Verify Virtual Server and Pool Statistics
View the virtual server and pool statistics, and then reset all statistics.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select to view the Pools statistics.
  Question: Were the connections distributed evenly between the three pool members? ________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.3 – LOAD BALANCING METHODS
In this exercise you will change the load balancing method to Ratio and view the resulting behavior.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Configure Ratio Member Load Balancing
Update the http_pool by changing the load balancing method to Ratio (member), and then assign ratio values to the different pool members.
* Open the Local Traffic > Pools > Pool List page.
* Click http_pool.
* Open the Members page.
* In the Load Balancing section, from the Load Balancing Method list box, select Ratio (member).
* Click Update.
* In the Current Members section, click 10.128.20.11:80.
* Within the Configuration section, set the Ratio value to 4.
* Click Update, and then return to the Members page.
* Update the remaining pool members with the following information:

    Member             Ratio
    10.128.20.12:80    2
    10.128.20.13:80    1

* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.
* In the Configuration Utility, view the Pools statistics.
  Questions:
  Were the connections distributed evenly? _____________
  Were the connections distributed using a 4 – 2 – 1 ratio? _____________
* Reset the statistics for the pool and all pool members.

TASK 2 – Configure Weighted Least Connections Load Balancing
Update the http_pool by assigning connection limit values to the different pool members and then changing the load balancing method to Weighted Least Connections (member).
* Click to edit the http_pool object, and then open the Members page.
* Update the pool members with the following information:

    Member             Connection Limit
    10.128.20.11:80    1200
    10.128.20.12:80    250
    10.128.20.13:80    50

  NOTE: Ensure that all three pool members have Connection Limit values before proceeding.
* Change the Load Balancing Method to Weighted Least Connections (member), and then click Update.
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.
* Close JMeter.
* In the Configuration Utility, view the Pools statistics.
  Question: Were the pool members utilized properly based on the configured connection limits? _________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.4 – PRIORITY GROUP ACTIVATION
In this exercise you will enable priority group activation, and then add two additional pool members to the HTTP pool. You’ll then examine how the BIG-IP system utilizes the pool members.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Enable Priority Group Activation
Update the http_pool by enabling priority group activation, and then assign priority values to the different pool members. Add two additional members to the pool.
* Click to edit the http_pool object, and then open the Members page.
* In the Priority Group Activation list box, select Less than.
* In the Available Member(s) field, enter 2, and then click Update.
* Update the pool members with the following information:

    Member             Priority Group
    10.128.20.11:80    8
    10.128.20.12:80    8
    10.128.20.13:80    4

* Add new pool members using the following information:

    Address         Service Port    Ratio    Priority Group    Connection Limit
    10.128.20.14    80              1        4                 10
    10.128.20.15    80              1        3                 10

* Use a Web browser to access http://10.128.10.20.
* Use Ctrl+F5 several times to refresh the page.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.11:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request? _____________________________
  With priority group activation set to 2 members, why are there now three members supplying content? ___________________________________________________________________________
* In the Configuration Utility, disable pool member 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. Using priority group activation, we can always be assured that we have at least two pool members available to fulfill user requests.
* In the Configuration Utility, re-enable pool members 10.128.20.11:80 and 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. For the first couple of refreshes, content should still come from node #5 (10.128.20.15:80), because the connections had yet to close. Eventually you will notice requests come only from 10.128.20.11, 10.128.20.13, and 10.128.20.14.
* In the Configuration Utility, re-enable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. After refreshing a couple of times, all requests now come from 10.128.20.11 and 10.128.20.12 only.
* Close the F5 vLab Test Web page.
* Update the http_pool by changing the Priority Group Activation value back to Disabled, and then click Update.
* Create an archive file named 4.4_pools_load_balancing_v11.4.1.1.

MODULE 5 EXERCISES – MONITORS

EXERCISE 5.1 – USING MONITORS WITH NODES
In this exercise you will assign the default monitor to be used for all nodes, in addition to assigning a node-specific monitor as well as disassociating the default monitor from a node.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Verify the Snapshot for the LAMP Image
In these exercises you will make modifications to the LAMP VMware image. Ensure that you have a snapshot before moving on.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 and select Snapshot.
* If you do not have a snapshot named LAMP_3.2_Clean, select Take Snapshot, and name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.
* Power on the BIGIP_A1_v11.4 and LAMP_3.2 images.

TASK 2 – Assign a Default Monitor for all Nodes
Assign the BIG-IP system default icmp monitor as the default monitor for all nodes.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Nodes > Node List page.
* Examine the Status of the listed nodes.
* Open the Default Monitor page.
* Select icmp from the Available list, then click <<, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

TASK 3 – Create a Custom ICMP Monitor
Create a custom ICMP monitor that will be used with only one node.
* Open the Local Traffic > Monitors page, and then click Create.
* Create a new monitor using the following information, and then click Finished.

    Name              custom_icmp_monitor
    Type              ICMP
    Parent Monitor    icmp
    Interval          4
    Timeout           13
    Transparent       No

TASK 4 – Assign the Custom Monitor to a Specific Node
Assign the custom icmp monitor to 10.128.20.12.
* Open the Local Traffic > Nodes > Node List page, and then click 10.128.20.12.
* Assign the monitor to the node using the following information:

    Health Monitors             Node Specific
    Select Monitors: Active     custom_icmp_monitor
    Availability Requirement    All

* Click Update.

TASK 5 – Assign No Monitors to a Specific Node
Assign no monitors to 10.128.20.13.
* On the Node List page, click 10.128.20.13.
* From the Health Monitors list box, select None, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

The BIG-IP system default icmp monitor has been assigned to the Node Default monitor and these nodes are using that monitor:
    * 10.128.20.11
    * 10.128.20.14
    * 10.128.20.15
The custom_icmp_monitor is assigned to node 10.128.20.12.
There is no monitor assigned to node 10.128.20.13.
This is not a recommended configuration. This set up is only to demonstrate three methods to assign monitors to nodes.

EXERCISE 5.2 – USING MONITORS WITH POOLS
In this exercise you will create a custom HTTP monitor and assign the monitor to the HTTP pool. You will then view the effects of using monitors on the virtual server, pool, pool members, and nodes.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Check Current Pool Member Status
Use the Pool List page to examine the current status of the members of the HTTP pool.
* Open the Local Traffic > Pools > Pool List page.
* Click http_pool, and then open the Members page.
* Examine the Status of the listed members.
  Question: Will BIG-IP LTM distribute traffic to pool members that are unknown? _____________

TASK 2 – Create a Custom HTTP Monitor
Create a custom HTTP monitor that requests a specific Web page from the pool member and that verifies a specific text string is returned in the HTTP response.
* Open the Local Traffic > Monitors page, and then click Create.
* Create a monitor using the following, and then click Finished.

    Name              custom_http_monitor
    Type              HTTP
    Interval          4
    Timeout           13
    Send String       GET /HealthCheck.html\r\n
    Receive String    SERVER_UP

TASK 3 – Assign the Custom Monitor to the Pool
Assign custom_http_monitor to http_pool.
* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* For Health Monitors, select custom_http_monitor, click <<, and then click Update.

TASK 4 – View the Network Map
View the status of virtual server, pool, pool members, and nodes using Network Map.
* Open the Local Traffic > Network Map page.
* Use the mouse to hover over the different pool members.
  Question: Why is the status of node 10.128.20.13 different from the other nodes? ___________________________________________________________________

TASK 5 – View the Effects of Using Monitors
Make changes to the Web site on the LAMP image, and then view how the changes affect the Network Map.
* Use an SSH client to connect to the LAMP_3.2 image at 10.128.1.252.
* Log in using the following credentials:

    Username: root
    Password: default

* Access and view the Web server components on 10.128.20.11:80 by typing:

    cd /var/www/server/1
    ls

  The HealthCheck.html Web page currently exists on pool member 10.128.20.11:80.
* To rename this Web page, type:

    mv HealthCheck.html NewHealthCheck.html

  This removes the HealthCheck.html Web page from pool member 10.128.20.11:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member. The virtual server and pool display available. Pool member 10.128.20.11:80 displays offline. These pool members display available:
    * 10.128.20.12:80
    * 10.128.20.13:80
    * 10.128.20.14:80
    * 10.128.20.15:80
  All the nodes display as available, except 10.128.20.13, which displays unknown.
* In the SSH session, to change contents of the HealthCheck.html Web page on 10.128.20.12:80 using visual editor, type:

    cd ..
    cd 2
    vi HealthCheck.html

  NOTE: You can use the Tab key to autocomplete the Web page name.
* Arrow down to the SERVER_UP paragraph, and then arrow over to the word UP.
* Type X to delete UP.
* To save and quit visual editor, type:

    :wq

  The text string “SERVER_UP” will no longer be found in the HealthCheck.html Web page on pool member 10.128.20.12:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map. The virtual server and pool still display available. Pool members 10.128.20.11:80 and 10.128.20.12:80 display offline.
  These pool members display available:
    * 10.128.20.13:80
    * 10.128.20.14:80
    * 10.128.20.15:80
* In the SSH session, to delete the IP address from 10.128.20.14:80, type:

    ip addr del 10.128.20.14/24 dev eth2

  This removes the IP address from node 4. The BIG-IP VE system will not receive an ICMP response from the node.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member. Node 10.128.20.14 now displays offline, which causes pool member 10.128.20.14:80 to display offline.
* Open the http_pool pool, and then open the Members page.
  o Update the Connection Limit of 10.128.20.13:80 to a value of 100.
  o Update the Connection Limit of 10.128.20.15:80 to a value of 5.
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Big Text Page
  o In the Path field, enter /bigtext.php
  o Clear the Use KeepAlive checkbox.
* Select 10.128.10.20 Test, and then go to Run > Start.
* While the test runs, in the Configuration Utility continue to refresh the Network Map page. Eventually pool member 10.128.20.15:80 displays unavailable because it reaches the configured connection limit.
* Use a new Web browser to access http://10.128.10.20. The page will be slow to load, and there should only be page elements supplied by pool member 10.128.20.13:80.
* In the Configuration Utility, go to node 10.128.20.13, select Forced Offline, and then click Update.
* Open the Network Map page, and then click Update Map.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page. Eventually you’ll receive a page error, as there will be no pool members left to fulfill the request.
* In JMeter, if the load test is still running, click the Stop button.
* Save the 10.128.10.20 Test, and then close JMeter.
* In the Configuration Utility, continue to click Update Map until pool member 10.128.20.15:80 is again available.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page. You receive the Web page. All elements come from pool member 10.128.20.15:80.
* In the SSH session, to replace the text string in the HealthCheck.html Web page on 10.128.20.12:80:
  o Type:

      vi HealthCheck.html

  o Arrow to the location where you removed the text UP.
  o Type an “i” to enter insert mode.
  o Type UP.
  o Type the following commands:

      :wq

* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page. There are now page elements coming from both 10.128.20.12:80 and 10.128.20.15:80.
* In the Configuration Utility on the Network Map page, click Update Map. The virtual server and pool again display available. Pool members 10.128.20.11:80 and 10.128.20.14:80 display offline. Pool member 10.128.20.13:80 displays forced offline. Pool members 10.128.20.12:80 and 10.128.20.15:80 display available.

EXERCISE 5.3 – USING AN INBAND MONITOR
In this exercise you experiment with using a combination of passive monitoring and active monitoring.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create and Use an Inband Monitor
Create a custom inband monitor with a retry time of 0.
* Open the Local Traffic > Monitors page.
* Create a monitor using the following information, and then click Finished.

    Name          custom_inband_monitor
    Type          Inband
    Retry Time    0 seconds

TASK 2 – Update the HTTP Monitor
Configure custom_http_monitor to use the Up Interval setting.
* On the Monitors page, click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For the Up Interval value, select Enabled, then type 60 seconds, and then click Update.

With this configuration, LTM uses the up interval setting for the active monitor (60 seconds) as long as the inband monitor identifies the pool member available. If the inband monitor identifies the pool member as suspect or offline, the regular interval is used for the active monitor (4 seconds).

TASK 3 – Update the HTTP Pool
Add custom_inband_monitor along with custom_http_monitor to http_pool.
* Open the Pool List page, and then click http_pool.
* From the Configuration list, select Advanced.
* Select custom_inband_monitor and click <<.
* From the Availability Requirement list box, select At Least, then type 1, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page. There are now page elements provided by 10.128.20.11:80 and 10.128.20.12:80.
* In the Configuration Utility, open the Network Map page.
* Click 10.128.20.11:80 and examine the Availability and Health Monitors statuses.
* Notice the custom_http_monitor fails, while the custom_inband_monitor succeeds. Because we modified the availability requirement to 1 health monitor, the pool member is identified as available.

EXERCISE 5.4 – USING MANUAL RESUME
In this exercise you will modify the active HTTP monitor to use manual resume.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the HTTP Monitor
Modify custom_http_monitor to use manual resume. Also, remove custom_inband_monitor from http_pool.
* Open the Monitors page, and then click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For Up Interval, select Disabled.
* For Manual Resume, select Yes, and then click Update.
* Open the Pool List page, and then click http_pool.
* In the Active list, select custom_inband_monitor, and then click >>.
* From the Availability Requirement list box, select All, and then click Update.
* Wait 15 seconds, and then open the Network Map page. Pool member 10.128.20.11:80 again displays offline.

TASK 2 – Update the Pool Members
Replace the HealthCheck.html Web page on pool member 10.128.20.11:80.
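
The monitor behaviour used across Exercises 5.2 to 5.4 (Receive String match, Interval 4 / Timeout 13, the Availability Requirement, and the Manual Resume setting enabled in Task 1) can be modelled in a few lines. This is an added example, not part of the F5 guide or BIG-IP code; HttpMonitor, member_available and lab_timeline are hypothetical names, the responses and event times are constructed, and the Up Interval setting is not modelled.

```python
from dataclasses import dataclass

PENDING = "offline (manual resume pending)"

# Constructed sample responses, not captured from the lab servers.
PAGE_OK = "<html><body><p>SERVER_UP</p></body></html>"
PAGE_EDITED = "<html><body><p>SERVER_</p></body></html>"  # "UP" deleted in vi
PAGE_MISSING = "404 Not Found"                             # page renamed away


@dataclass
class HttpMonitor:
    interval: int = 4            # seconds between probes (Exercise 5.2)
    timeout: int = 13            # seconds without a good probe before marking down
    recv: str = "SERVER_UP"      # Receive String
    manual_resume: bool = False  # Exercise 5.4

    def probe_ok(self, response):
        """A probe passes only if a response arrived and contains the Receive String."""
        return response is not None and self.recv in response

    def run(self, respond, duration, enable_at=None):
        """Simulate one pool member second by second.

        respond(t) returns the response text (or None) at time t; enable_at is
        the time an administrator re-enables the member. Returns the state
        changes as [(time, new_state), ...]. The member starts out available.
        """
        state, last_ok, events = "available", 0, []
        for t in range(duration + 1):
            if t % self.interval == 0 and self.probe_ok(respond(t)):
                last_ok = t
            healthy = (t - last_ok) < self.timeout
            new = state
            if state == "available" and not healthy:
                new = "offline"
            elif state == "offline" and healthy:
                # With manual resume the member stays out of service even
                # though the monitor is passing again.
                new = PENDING if self.manual_resume else "available"
            elif state == PENDING:
                if not healthy:
                    new = "offline"
                elif enable_at is not None and t >= enable_at:
                    new = "available"
            if new != state:
                events.append((t, new))
                state = new
        return events


def member_available(results, requirement="all", at_least=1):
    """Combine per-monitor results under the pool's Availability Requirement."""
    passed = sum(1 for ok in results.values() if ok)
    if requirement == "all":
        return passed == len(results)
    return passed >= at_least


def lab_timeline(manual_resume):
    """HealthCheck.html is renamed at t=10 and restored at t=40 (constructed times);
    the administrator enables the member at t=50."""
    def respond(t):
        return PAGE_MISSING if 10 <= t < 40 else PAGE_OK
    return HttpMonitor(manual_resume=manual_resume).run(respond, 60, enable_at=50)


if __name__ == "__main__":
    print(lab_timeline(False))
    print(lab_timeline(True))
```

In this run the last good probe is at t=8, so the member goes offline at t=21, 11 seconds after the rename; the gap can never exceed the 13-second timeout, which is why the 15-second waits in these exercises are sufficient.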
* In the SSH session, to replace the HealthCheck.html Web page on 10.128.20.11:80, type:

    cd ..
    cd 1
    mv NewHealthCheck.html HealthCheck.html

* Close the SSH session.
* In the Configuration Utility, on the Network Map page, click Update Map.
* Hover over pool member 10.128.20.11:80. The pool member 10.128.20.11:80 displays as forced offline, waiting for manual resume.
* Click 10.128.20.11:80. When a monitor is set for manual resume, a BIG-IP system administrator must manually enable the pool member after the monitor is again identified as available.
* Select Enabled (All traffic allowed), and then click Update.
* Open the Network Map page. The pool member 10.128.20.11:80 is now available.

TASK 3 – Reset the Environment
To prepare for the next exercises, reset the environment, including restoring the Ubuntu image from the clean snapshot.
* Go to the 10.128.20.13 node.
* Change the State to Enabled, and then click Update.
* Open the Monitors page, and then click custom_http_monitor.
* For Manual Resume, select No, and then click Update.
* Create an archive file named 5.4_monitors_v11.4.1.1.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > LAMP_3.2_Clean.
* Click Yes to restore LAMP_3.2.

MODULE 6 EXERCISES – USING PROFILES

EXERCISE 6.1 – USING AN HTTP PROFILE
In this exercise you will create a custom HTTP profile and add it to the HTTP virtual server. You will then examine how the HTTP profile changes the traffic management behavior.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Custom HTTP Profile
Create a custom HTTP profile.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
* Create an HTTP profile using the following information, and then click Finished.

    Name                        custom_http_profile
    Fallback Host               http://www.f5.com
    Fallback on Error Codes     404 500-503
    Response Headers Allowed    Content-Type Set-Cookie Location
    Insert X-Forwarded-For      Enabled
    Maximum Requests            50

  Notice the current inherited setting for Maximum Header Size is 32768 bytes.

TASK 2 – Modify the Default HTTP Profile
Make a couple of modifications to the BIG-IP system default http profile, and then examine which values were inherited by custom_http_profile.
* On the Profiles: Services: HTTP page, click http.
* Edit the profile using the following information, and then click Update.

    Maximum Header Size    16384
    Maximum Requests       30

* On the Profiles: Services: HTTP page, click custom_http_profile.
  Questions:
  Did the custom profile inherit the maximum header size setting? ________________
  Did the custom profile inherit the maximum requests setting? _______________

TASK 3 – Add the Custom HTTP Profile to a Virtual Server
Add custom_http_profile to http_vs.
* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on This Host section, click the Request and Response Headers link.
* Leave this browser open.
* In the Configuration Utility, open the Virtual Server List page, and then click http_vs.
* In the Configuration section, from the HTTP Profile list box, select custom_http_profile.
* Click Update.
* Use a second Web browser to access http://10.128.10.20.
* Click the Request and Response Headers link.
* Using both Web browsers, examine the different Response Headers delivered to the Client sections.
  Questions:
  Why are there fewer response headers in the second version of this Web page? _______________________________________________________________
  Which response headers that were exposed in the first version of this Web page could be exploited by a hacker? ________________________________________________________________
* Using both Web browsers, examine the different Request Headers Received at the Server section.
  Question: On the second version, what is the X-Forwarded-For value? _________________________
* Close the first Web browser.
* In the second Web browser, change the URL to http://10.128.10.20/badpage.php.
  Questions:
  What was the result of this request? ________________
  Why were you redirected to www.f5.com? ___________________________________
* Close the Web browser.

TASK 4 – Update the Custom HTTP Profile
Update custom_http_profile with additional settings.
* In the Configuration Utility, open the Local Traffic > Profiles > Services > HTTP page, and then click custom_http_profile.
* Edit the profile using the following information, and then click Update.

    Request Header Erase        User-Agent
    Request Header Insert       Bigip-Httpvs:10.128.20.10
    Response Headers Allowed    Content-Type Set-Cookie Location X-Injected

* Use a Web browser to access http://10.128.10.20, and then click Request and Response Headers.
  Questions:
  Is the new Bigip-Httpvs request header displaying? ________________
  Are you still seeing the User-Agent header? __________________

EXERCISE 6.2 – USING A STREAM PROFILE
In this exercise you will create a custom stream profile that will replace a static text string for responses from the customer’s Web site.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – View a Current Web Page
View the text that needs to be replaced on the customer’s Web site.
* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on this Host section, click Stream Profile Example. This page has several references to the company’s previous name, Lorax Bank. Without going through the task of updating several pages across multiple Web servers, you’ll make this update on BIG-IP LTM using a stream profile.

TASK 2 – Create a Stream Profile
Create a custom stream profile that will find occurrences of the customer’s previous name and replace it with their updated company name.
In the Configuration Utility, open the Local Traffic > Profiles > Other > Stream page, and then click Create. ? Create a stream profile using the following information, and then click Finished. Name custom_stream Source Lorax Bank Target Lorax Investments TASK 3 – Add the Custom Stream Profile to a Virtual Server Add custom_stream to http_vs. ? Open the Virtual Server List page, and then click http_vs. ? From the Configuration list box, select Advanced. ? In the Configuration section, from the Stream Profile list box, select custom_stream. ? In the Acceleration section, from the HTTP Compression Profile list box, select httpcompression, and then click Update. ? Return to the F5 vLab Test Web page and refresh the Welcome to Lorax Bank page. The stream profile replaced all occurrences of the string “Lorax Bank” with “Lorax Investments”. ? Close the Web browser. ? Create an archive file named 6.2_profiles_v11.4.1.1. MODULE 7 EXERCISES – PERFORMANCE PROFILES EXERCISE 7.1 – USING COMPRESSION AND ACCELERATION In this exercise you will use iMacros for Firefox to create a recording of a visit to the HTTP virtual server. You will then create several optimization profiles, including HTTP compression, caching, and TCP. You will create a similar HTTP pool and virtual server and add the profiles to the new virtual server. You’ll then record a similar visit to the Web site using iMacros for Firefox and identify improvements. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 20 minutes TASK 1 – Install iMacros for Firefox Install iMacros for Firefox. ? Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/. ? Download and install iMacros for Firefox. TASK 2 – Record BIG-IP LTM Performance without Optimization Clear the statistics, then update http_vs by removing the HTTP and stream profiles, and then record a visit to the HTTP virtual server using iMacros for Firefox. ? 
In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images. ? Access https://10.128.1.245 and log in to the BIG-IP VE system. ? Open the Statistics > Module Statistics > Local Traffic page. ? Reset the virtual server, pool, and pool member statistics. ? Open the Virtual Server List page, and then click http_vs. ? From the HTTP Profile list box, select None. ? From the Stream list box, select None, and then click Update. ? Use a Mozilla Firefox browser to access http://10.128.10.20. ? Click I Understand the Risks, then click Add Exception, and then click Confirm Security Exception. ? If it’s not already displayed, enable the iMacros pane. ? In the iMacros pane, select the Rec tab, and then click Record. ? Record the following series of clicks: o Click Welcome, and then click the banner at the top of the page to return to the home page. o Click HTTP Compress Example, and then click the banner at the top of the page. o Click Stream Profile Example, and then click the banner at the top of the page. o Click Mask Sensitive Content Example, and then click the Back button. o Click Simple HTTP Request, and then click the Back button. o Click Request and Response Headers, and then click the banner at the top of the page. ? Click Stop. ? Use Ctrl+F5 five times to refresh the page. ? Select the Welcome link, and then click on the banner at the top of the page to return to the home page. ? Click the Welcome link. ? Use Ctrl+F5 five times to refresh the page. ? Click the banner at the top to return to the home page. ? HTTP Compress ? Multiple Stream Example. ? bigtext.txt. ? ? Change the U ? In the location where you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file. ? Open 10.128.10.20 Test.jmx. ? In the navigation panel, select 10.128.10.20 Test. ? Change the Number of Threads (users) to 50. ? Change the Loop Count to 2. ? Go to Run > Start. ? Select Summary Report to monitor the results. 
When the total # Samples value reaches 300, the test is complete. Questions: What is the Total Throughput value? ___________________ What is the Total KB/sec value? ____________________ What is the Total Avg. Bytes value? ___________________ ? In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page. ? From the Statistics Type list box, select Profiles Summary. ? Click the View link for HTTP Compression. There is no compression taking place. ? Click the Back button, and then click the View link for Web Acceleration. There is no caching taking place. TASK 2 – Configure HTTP Compression and Fast Cache Create a custom HTTP compression profile and a custom Web acceleration profile. ? Open the Acceleration > Profiles > HTTP Compression page. ? Create an HTTP Compression profile using the following information, and then click Finished. Name custom_compression Parent Profile wan-optimized-compression Content Compression Content List… Content Type (Click Include after each entry) *.png *.jpg *.php Minimum Content Length 10 bytes gzip Compression Level 6 – Optimal Compression Browser Workarounds Enabled ? Open the Acceleration > Profiles > Web Acceleration page. ? Create a Web Acceleration profile using the following information, and then click Finished. Name custom_caching Parent Profile optimized-acceleration Cache Size 500 megabytes TASK 3 – Configure TCP Express and Content Spooling Enable TCP optimization between the client and BIG-IP LTM, and between BIG-IP LTM and the pool members. ? Open the Local Traffic > Profiles > Protocol > TCP page. ? Create a TCP profile using the following information, and then click Repeat. Name custom_tcp_server_profile Parent Profile tcp_lan_optimized ? Create another TCP profile using the following information, and then click Finished. 
Name custom_tcp_client_profile Parent Profile tcp_wan_optimized Delayed Acks Disabled Proxy Buffer High 196608 Selective NACK Enabled Nagle’s Algorithm Disabled TASK 4 – Configure OneConnect Create a custom OneConnect profile. ? Open the Local Traffic > Profiles > Other > OneConnect page. ? Create a OneConnect profile using the following information, and then click Finished. Name custom_oneconnect Source Mask 255.255.0.0 Maximum Size 12000 TASK 5 – Create a Pool and Virtual Server Create a new pool and virtual server to use with the new performance profiles. ? Create a pool using the following information, and then click Finished. Name http_pool2 Health Monitors custom_http_monitor Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.11 80 10.128.20.12 80 10.128.20.13 80 10.128.20.14 80 10.128.20.15 80 ? Create a virtual server using the following, and then click Finished. Name http_vs2 Destination 10.128.10.21 Service Port 80 (HTTP) Configuration Advanced Protocol Profile (Client) custom_tcp_client_profile Protocol Profile (Server) custom_tcp_server_profile HTTP Profile http Source Address Translation Auto Map OneConnect Profile custom_oneconnect HTTP Compression Profile custom_compression Web Acceleration Profile custom_caching Default Pool http_pool2 ? TASK 6 – Record BIG-IP LTM Performance with Optimization Record traffic statistics with BIG-IP LTM optimization configured. ? In JMeter, in the navigation panel, select HTTP Request Defaults. ? Change the Server Name or IP to 10.128.10.21. ? Select Summary Report, and then go to Run > Clear. ? Go to Run > Start. ? Select Summary Report to monitor the results. When the total # Samples value reaches 300, the test is complete. Questions: What is the Total Throughput value? ___________________ What is the Total KB/sec value? ____________________ What is the Total Avg. Bytes value? ___________________ ? In the Configuration Utility, view the Virtual Servers statistics. 
Questions: Was there a significant difference in the number of bits coming in or out of the virtual servers? _______________ How many maximum connections were opened for http_vs? ______________________ How many total connections were opened for http_vs? ________________________ How many maximum connections were opened for http_vs2? ______________________ How many total connections were opened for http_vs2? ________________________ ? Reset the statistics for both virtual servers. ? View the Pools statistics. Questions: Was there a significant difference in the number of bits coming in or out of the pools? _______________ Did caching lower the number of packets out for http_pool2? _____________ Did OneConnect lower the number of connections required for http_pool2? _____________ ? Reset the statistics for both pools and all pool members. ? From the Statistics Type list box, select Profiles Summary. ? Click the View link for HTTP Compression. Compression is now taking place for HTML content. ? Click the Back button, and then click the View link for Web Acceleration. There should now be many cache hits. ? Create an archive file named 7.1_performance_profiles_v11.4.1.1 MODULE 8 EXERCISES – PERSISTENCE PROFILES EXERCISE 1.8A – USING SOURCE ADDRESS PERSISTENCE In this exercise you will create a source address persistence profile and examine how it changes the BIG-IP load balancing decision. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 15 minutes TASK 1 – Update the HTTP Pool Update the HTTP pool to use round robin load balancing. ? In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images. ? Access https://10.128.1.245 and log in to the BIG-IP VE system. ? Open the Pool List page, and then select http_pool. ? Select the Members tab. ? Change the Load Balancing Method to Round Robin. ? Open a new Web browser and access http://10.128.10.20. Question: Are requests coming from one or several pool members? 
______________________ TASK 2 – Create a Source Address Persistence Profile Create a custom source address persistence profile and add it to the HTTP virtual server. ? In the Configuration Utility, open the Local Traffic > Profiles > Persistence page. ? Click Create. ? Create a persistence profile using the following information: Name custom_source_addr Persistence Type Source Address Affinity Timeout 15 seconds Mask Specify: 255.255.255.0 ? Click Finished. ? Open the Virtual Server List page, and then select http_vs. ? Select the Resources tab. ? From the Default Persistence Profile list, select custom_source_addr. ? Click Update. ? Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site. Questions: Are requests coming from one or several pool members? ______________________ Which pool member is supplying the content for this request? ____________________ ? Wait at least 15 seconds and then use Ctrl+F5 to refresh the page again. Questions: Was the same pool member used for this request? _______________ If not, why not? _________________________________________________________ ? In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page. ? Select Persistence Records from the Statistics Type list. ? Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site. ? Refresh the Statistics page. ? Continue to click Refresh and note the value in the Age column. ? Close the http://10.128.10.20 Web browser. EXERCISE 1.8B – USING COOKIE PERSISTENCE In this exercise you will create a custom cookie persistence profile, and then add it in place of the source address persistence profile. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 10 minutes TASK 1 – Create a Cookie Persistence Profile Create a custom cookie persistence profile, and then add it in place of the source address persistence profile. ? In the Configuration Utility, open the Local Traffic > Profiles > Persistence page. ? 
Create a persistence profile using the following information: Name custom_cookie Persistence Type Cookie Cookie Method HTTP Cookie Insert Cookie Name BIGIP_mycookie Expiration Session Cookie (cleared) 8 hours ? Click Finished. ? Open the Virtual Server List page, and then select http_vs. ? Select the Resources tab. ? From the Default Persistence Profile list, select custom_cookie. ? Click Update. Questions: Was the update successful? _______________ If not, why not? _________________________________________________________ ? Select the Properties tab. ? For HTTP Profile, select the default http profile. ? Repeat the steps above to update the persistence profile to custom_cookie. ? Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times. ? In the Content Examples on this Host section, select Display Cookie. ? In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page. ? ? Select Persistence Records from the Statistics Type list. Question: Is there a persistence record for this session? _______________ If not, why not? _________________________________________________________ EXERCISE 1.8C – VIEW PERSISTENCE WITH DISABLED AND OFFLINE POOL MEMBERS In this exercise you will examine how persistence works with both disabled and offline pool members. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 10 minutes TASK 1 – Update the Source Address Profile and the Virtual Server Update the timeout value in the source address persistence profile, and then update the HTTP virtual server to use the source address persistence profile. ? Open the Local Traffic > Profiles > Persistence page. ? Select custom_source_addr. ? Update the Timeout to 60 seconds. ? Open the Virtual Server List page, and then select http_vs. ? Select the Resources tab. ? From the Default Persistence Profile list, select custom_source_addr. ? Click Update. 
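The source address affinity behavior explored in Exercises 1.8A through 1.8D (mask, idle timeout, record age, and Match Across Virtual Servers) can be reproduced offline with a small model. This is an added example, not F5 code and not part of the original guide; the class and function names and the 192.0.2.9 client address are assumptions made for illustration, and the model covers only these settings.

```python
"""Simplified model of source address affinity persistence (added example)."""
import ipaddress
from itertools import cycle

# Pool members as used in the lab for http_pool and http_pool2.
POOL = [f"10.128.20.{n}:80" for n in range(11, 16)]


class SourceAddrPersistence:
    """Round robin load balancing plus a persistence table with an idle timeout."""

    def __init__(self, mask, timeout, match_across_virtuals=False):
        self.mask = mask                    # e.g. "255.255.255.0"
        self.timeout = timeout              # seconds a record may sit idle
        self.match_across = match_across_virtuals
        self.records = {}                   # key -> [member, last_used]
        self._rr = {}                       # virtual server -> round robin iterator

    def _key(self, vs_name, client_ip):
        # The mask is applied to the client address, so every client in the
        # same masked network shares one persistence record.
        net = ipaddress.ip_network(f"{client_ip}/{self.mask}", strict=False)
        masked = str(net.network_address)
        # Without match-across, records are scoped to one virtual server.
        return (masked,) if self.match_across else (vs_name, masked)

    def pick(self, vs_name, members, client_ip, now):
        """Return the pool member that serves this connection at time `now`."""
        key = self._key(vs_name, client_ip)
        rec = self.records.get(key)
        if rec and now - rec[1] < self.timeout and rec[0] in members:
            rec[1] = now                    # using a record resets its age
            return rec[0]
        # No usable record: make a fresh round robin decision and record it.
        rr = self._rr.setdefault(vs_name, cycle(members))
        member = next(rr)
        self.records[key] = [member, now]
        return member

    def age(self, vs_name, client_ip, now):
        """Seconds since the record was last used, or None if no record exists."""
        rec = self.records.get(self._key(vs_name, client_ip))
        return None if rec is None else now - rec[1]


def demo():
    """Mask 255.255.255.0 and a 15 second timeout, as in custom_source_addr."""
    lb = SourceAddrPersistence("255.255.255.0", timeout=15)
    out = {}
    out["first"] = lb.pick("http_vs", POOL, "10.128.10.1", now=0)
    out["same_client"] = lb.pick("http_vs", POOL, "10.128.10.1", now=5)
    # A different host in the same /24 reuses the same record.
    out["same_subnet"] = lb.pick("http_vs", POOL, "10.128.10.77", now=10)
    out["age_at_12"] = lb.age("http_vs", "10.128.10.1", now=12)
    # 20 seconds idle exceeds the timeout, so a new decision is made.
    out["after_idle"] = lb.pick("http_vs", POOL, "10.128.10.1", now=30)
    return out


def demo_match_across(enabled):
    """One client visiting http_vs and then http_vs2 (60 second timeout)."""
    lb = SourceAddrPersistence("255.255.255.0", 60, match_across_virtuals=enabled)
    # Constructed extra client so the two round robin sequences are out of step.
    lb.pick("http_vs2", POOL, "192.0.2.9", now=0)
    first = lb.pick("http_vs", POOL, "10.128.10.1", now=1)
    second = lb.pick("http_vs2", POOL, "10.128.10.1", now=2)
    return first, second


if __name__ == "__main__":
    print(demo())
    print("match across off:", demo_match_across(False))
    print("match across on: ", demo_match_across(True))
```
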
TASK 2 – View Effects of Disabled and Offline Pool Members Make a couple of modifications to the default http profile, and then examine which values were inherited by the custom HTTP profile. ? Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times. ? Question: Which pool member are you currently persisting to? _______________ ? In the Configuration Utility, disable the pool member from your answer above. ? Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site. Questions: Did you persist to the same pool member? _______________ Can disabled pool members service client requests? ________________ ? In the Configuration Utility, select Forced Offline for the pool member from your answer above. ? Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site. Questions: Did you persist to the same pool member? _______________ Can offline pool members service client requests? ________________ ? In the Configuration Utility, re-enable the pool member from your answer above. ? Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site. Question: Did your persistence session go back to the original pool member? _______________ ? Close the Web browser. EXERCISE 1.8D – USING MATCH ACROSS VIRTUAL SERVERS In this exercise you will use persistence with two virtual servers. It’s critical that users are persisted to the same pool member, regardless of which virtual server they access. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 10 minutes TASK 1 – Clear Statistics and View Access to Two Virtuals View how requests are currently being handled through both virtual servers. ? In the Configuration Utility, open the Virtual Server List page, and then select http_vs2. ? For Protocol Profile (Client), select tcp. ? For Protocol Profile (Server), select (Use Client Profile). ? For each of the following, select None. ? HTTP Profile ? OneConnect ? Click Update. ? 
Open the Statistics > Module Statistics > Local Traffic page. ? Ensure the statistics for both virtual servers, pools, and pool members have been reset. ? Open up a new Web browser and access https://10.128.10.20. ? Type Ctrl+F5 exactly three times. ? Open up a new Web browser and access https://10.128.10.21. ? Type Ctrl+F5 exactly three times. ? Close both Web browsers. ? In the Configuration Utility, refresh the pools statistics. Questions: Are requests for http_pool persisting to one pool member? _______________ Are requests for http_pool2 persisting to one pool member? ________________ ? Reset the statistics for both pools and all pool members. TASK 2 – Enable Persistence for http_vs2 Add the source address persistence profile to the second HTTP virtual server. ? Open the Virtual Servers page, and then select http_vs2. ? Select the Resources tab. ? For Default Persistence Profile, select custom_source_addr. ? Click Update. ? Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times. ? Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times. ? Close both Web browsers. ? In the Configuration Utility, refresh the pools statistics. Questions: Are requests for http_pool persisting to one pool member? _______________ Are requests for http_pool2 persisting to one pool member? ________________ Are requests for each different pool persisting to the SAME pool member? ___________ ? Reset the statistics for both pools and pool members. TASK 3 – Enable Match Across Virtual Servers Update the source address persistence profile to use the Match Across Virtual Servers option. ? Open the Persistence profiles page, and then select custom_source_addr. ? Enable Match Across Virtual Servers. ? Click Update. ? Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times. ? Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times. ? 
Close both Web browsers. ? In the Configuration Utility, refresh the pools statistics. Question: Are requests for each different pool persisting to the SAME pool member? ___________ ? Reset the statistics for both pools and pool members. ? Create an archive file named 1.8_persistence_profiles_v11.4.0.1. MODULE 9 EXERCISES – SSL TERMINATION EXERCISE 1.9A – SUPPORTING SSL TRAFFIC In this exercise you’ll setup the BIG-IP to support processing SSL traffic. First you’ll configure the BIG-IP to simply pass SSL traffic through to the pool members. Then you’ll configure the BIG-IP for SSL termination. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 20 minutes TASK 1 – Create a Self-Signed Certificate Create a self-signed certificate for www.f5demo.com. ? In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images. ? Access https://10.128.1.245 and log in to the BIG-IP VE system. ? Open the System > File Management > SSL Certificate List page. ? Click Create. ? Create a self-signed certificate using the following information: Name custom_ssl_cert Type Self Common Name www.f5demo.com Lifetime 3650 days Key Type RSA Size 2048 bits Fill in the remaining fields however you like. ? Click Finished. TASK 2 – Create a Client SSL Profile Create a client SSL profile using the self-signed certificate. ? Open the Local Traffic > Profiles > SSL > Client page. ? Click Create. ? Create a client SSL profile using the following information: Name custom_client_ssl Certificate custom_ssl_cert Key custom_ssl_cert ? Click Finished. ? TASK 3 – Create a Custom HTTPS Monitor Create a custom HTTPS monitor that requests the index.php Web page from the pool member and then verifies that a text string is returned in the response. ? Open the Local Traffic > Monitors page. ? Create a monitor using the following: Name custom_https_monitor Type HTTPS Send String GET /index.php\r\n Receive String FSE vLab Test Web Site ? Click Finished. 
TASK 4 – Create an HTTPS Pool and Virtual Server Create a pool and a virtual server to support SSL traffic, and then test access using a Web browser. ? Open the Pool List page. ? Create a pool using the following: Name https_pool Health Monitors custom_https_monitor Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.11 443 10.128.20.12 443 10.128.20.13 443 10.128.20.14 443 10.128.20.15 443 ? Click Finished. ? Open the Virtual Server List page. ? Create a virtual server using the following: Name https_vs Destination Host: 10.128.10.20 Service Port 443 (or HTTPS) Default Pool https_pool ? Click Finished. ? Open a new Web browser and access https://10.128.10.20. ? View the URI and the information in the Pool member address/port. Questions: Is the connection between the client and BIG-IP LTM secured? _____________ Is the connection between BIG-IP LTM and the pool member secured? _____________ ? Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page. Each request is load balanced to different pool members. ? Close the Web browser. TASK 5 – Add Cookie Persistence to the HTTPS Virtual Server Attempt to add cookie persistence to the HTTPS virtual server and then verify the results. ? In the Configuration Utility, open the Virtual Server List page, and then select https_vs. ? For HTTP Profile, select custom_http_profile. ? Click Update. ? Select the Resources tab. ? For Default Persistence Profile, select custom_cookie. ? Click Update. ? Open a new Web browser and access https://10.128.10.20. Questions: Did the Web page display? _____________ If not, why not? _______________________________________________________ TASK 6 – Enable SSL Termination with the HTTPS Virtual Server Enable SSL termination on the HTTPS virtual server, and then verify the results. ? In the Configuration Utility, on the https_vs page, open the Properties page. ? 
For SSL Profile (Client), move custom_client_ssl from the Available list to the Selected list. ? For SSL Profile (Server), move serverssl from the Available list to the Selected list. ? Click Update. ? Refresh the https://10.128.10.20 Web browser. ? Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page. ? Update the URI to https://10.128.10.20/badpage.exe. Questions: Did the Web page display? _____________ Is the connection between the client and BIG-IP LTM secured? _____________ Is the connection between BIG-IP LTM and the pool member secured? _____________ Is cookie persistence working? _____________ Is BIG-IP LTM processing the HTTP profile? _____________ ? Edit the URI to https://10.128.10.20. ? Right-click and select Properties. ? Click Certificates. Question: How can you identify that this is a self-signed certificate? _________________________ ? Close the Web browser. EXERCISE 1.9B – ENABLING SSL OFFLOAD In this exercise you will update the HTTPS virtual server to perform SSL offload, sending unencrypted traffic to the pool members. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 20 minutes TASK 1 – Import an SSL Certificate and Key Import the lamp.f5demo.com certificate and key. ? In the Configuration Utility, open the System > File Management > SSL Certificate List page. ? Click Import. ? From the Import Type list, select Certificate. ? In the Certificate Name box, leave Create New selected and type lamp. ? Click the Browse button. ? Navigate to the Exercise_Files folder and select the lamp.f5demo.com.cer file, and then click Open. ? Click Import. ? Once the certificate has been imported, click Import again to import the corresponding key. ? From the Import Type list, select Key. ? In the Key Name box, leave Create New selected and type lamp. ? Click the Browse button. ? Navigate to the Exercise_Files folder and select the lamp.f5demo.com.key file, and then click Open. ? Click Import. 
TASK 2 – Create a Client SSL Profile Create a new custom client SSL profile using the lamp.f5demo.com certificate and key. ? Open the Local Traffic > Profiles > SSL > Client page. ? Create a client SSL profile using the following information: Name lamp_client_ssl Certificate lamp Key lamp ? Click Finished. TASK 3 – Update Your Local Hosts File Add an entry to your local hosts file for lamp.f5demo.com. ? Open Notepad using Run as Administrator. (HINT: Right-click on Notepad in the Start menu.) ? Open the C:\Windows\System32\drivers\etc\hosts file. ? Add an entry for: 10.128.10.30 lamp.f5demo.com ? Save and close the hosts file. TASK 4 – Create an Offload Virtual Server Create a new virtual server that will perform SSL offload. ? Open the Virtual Server List page. ? Create a virtual server using the following: Name offload_vs Destination Host: 10.128.10.30 Service Port 443 (or HTTPS) Configuration Advanced HTTP Profile custom_http_profile Stream Profile custom_stream SSL Profile (Client) lamp_client_ssl HTTP Compression Profile custom_compression Default Pool http_pool Default Persistence Profile custom_cookie ? Click Finished. ? Open a new Web browser and access https://lamp.f5demo.com. ? View the URI and the information in the Pool member address/port. Questions: Is the connection between the client and BIG-IP LTM secured? _____________ Is the connection between BIG-IP LTM and the pool member secured? _____________ Is cookie persistence working? _____________ ? Select the Request and Response Headers link. Question: Is the BIG-IP processing the HTTP profile? _____________ ? Click the Back button, and then select the Stream Profile Example link. Question: Is the BIG-IP processing the stream profile? _____________ TASK 5 – Verify the New Certificate Test the new certificate being used by the offload virtual server. ? Right-click the page and select Properties. ? Click Certificates. Question: Who issued this certificate? 
_____________________________ When does it expire? _________________________________ ? Close the Web browser. ? In the Configuration Utility, create an archive file named 1.9_ssl_termination_v11.4.0.1. MODULE 10 EXERCISES – NATS AND SNATS EXERCISE 1.10A – USING A NAT In this exercise you will configure a NAT to pass traffic between an external device and a specific internal node. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 10 minutes TASK 1 – Configure a NAT Create a custom NAT to give external users access to a specific node in the 10.128.20.0 network. ? Access https://10.128.1.245 and log in to the BIG-IP VE system. ? Open the Local Traffic > Address Translation > NAT List page. ? Click Create. ? Create a NAT using the following: Name custom_NAT NAT Address 10.128.10.200 Origin Address 10.128.20.13 State Enabled ? Click Finished. TASK 2 – Testing the NAT – Inbound Test the NAT by opening the new NAT address using several application services. ? Open a new Web browser and access http://10.128.10.200. Note that all items are coming from pool member #3 (10.128.20.13). ? Edit the URL to https://10.128.10.200. ? Using Putty, open an SSH session to 10.128.10.200. ?NOTE: It’s not necessary to log in to the BIG-IP; receiving the login prompt is sufficient. Note that you can connect to multiple services through the NAT and that you are always connected to 10.128.20.13. ? Close the Web browser and the Putty window. TASK 3 – Disable the NAT Disable the NAT to ensure that it won’t interfere with future exercises. ? In the Configuration Utility on the NAT List page, select custom_NAT. ? From the State list, select Disabled. ? Click Update. ? Confirm that the NAT is no longer available by opening a new Web browser and attempting to access http://10.128.10.200. EXERCISE 1.10B – USING SNATS In this exercise you will configure a SNAT to pass traffic between an external device and internal nodes. 
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 25 minutes TASK 1 – Testing Behavior without a SNAT Open the HTTP virtual server and examine what the back-end Web server sees as the client IP address. ? Open a new Web browser and access http://10.128.10.20. ? View the information in the Request Details section. Questions: What is the client IP address? __________________________ What device “owns” this IP address? _________________________________ TASK 2 – Using SNAT Auto Map with the HTTP Virtual Server Update the HTTP virtual server by enabling SNAT Auto Map. ? In the Configuration Utility, open the Virtual Server List page, and then select http_vs. ? In the Configuration section, from the Source Address Translation list, select Auto Map. ? Click Update. ? Use Ctrl+F5 to refresh the http://10.128.10.20 Web page. Questions: What is the client IP Address? __________________________ What device “owns” this IP address? ________________________ When using SNAT, how can we ensure that the back-end Web server can identify the true client IP address? _________________________________________________________________________ ? In the Configuration Utility, update http_vs by selecting custom_http_profile. ? In the http://10.128.10.20 Web page, select the Request and Response Headers link. Question: What is the X-Forwarded-For value? _________________________ ? Close the Web browser. TASK 3 – Create a SNAT Create a custom SNAT to give external users in the 10.128.10.0 network access to several nodes in the 10.128.20.0 network. ? In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page. ? Click Create. ? Create a SNAT using the following: Name custom_SNAT Translation IP Address: 10.128.20.201 Origin Address List Address List Network Address: 10.128.10.0 Mask: 255.255.255.0 (be sure to click Add) ? Click Finished. ? Open a new Web browser and access http://10.128.10.20. ? Update the URI to http://10.128.10.21. ? 
Update the URI to https://10.128.10.20. ? Close the Web browser. Questions: Did every connection use the new SNAT? __________________ If not, which one didn’t? __________________________________________________ ? Update the http_vs by selecting None for Source Address Translation. ? Update the http_vs2 by selecting None for Source Address Translation. ? Open a new Web browser and access http://10.128.10.20. ? Edit the URI to http://10.128.10.21. ? Close the Web browser. TASK 4 – Create a SNAT Pool Create a SNAT pool and then use the SNAT pool with a virtual server. ? In the Configuration Utility, open the Local Traffic > Address Translation > SNAT Pool List page. ? Click Create. ? Create a SNAT pool using the following: Name custom_SNAT_pool Member List 10.128.20.222 10.128.20.223 10.128.20.224 (be sure to click Add) ? Click Finished. ? Open the Virtual Server List page, and then select http_vs2. ? For Source Address Translation, select SNAT. ? For SNAT Pool, select custom_SNAT_pool. ? Click Update. ? Open a new Web browser and access http://10.128.10.21. Question: Which IP address was used for the SNAT address? _____________________________ ? Close the Web browser. TASK 5 – Creating a SNAT for Internal Users Create a SNAT to give internal users access to external resources through BIG-IP LTM. ? In the VMware Workstation console, select the LAMP image and click Login. ? Open Firefox and attempt to access http://www.yahoo.com. ?NOTE: The request should fail. If your request is successful, it’s likely because you enabled Network Adapter 4 for the Ubuntu image in VMware Workstation. ? In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page. ? Create a SNAT using the following: Name internal_SNAT Translation IP Address: 10.128.1.100 Origin Address List Address List Network Address: 10.128.20.0 Mask: 255.255.255.0 (be sure to click Add) ? Click Finished. ? In the LAMP VMware image, refresh the http://www.yahoo.com Web page. ? 
In the Configuration Utility, create an archive file named 1.10_nat_snat_v11.4.0.1. TASK 6 – Delete the SNATs Delete both SNATs as they aren’t needed for the remaining exercises. ? In the Configuration Utility, on the SNAT List page, select the checkbox for both custom_SNAT and internal_SNAT, and then click Delete twice. MODULE 10 EXERCISES – IRULES EXERCISE 1.11A – WRITING YOUR FIRST IRULE In this exercise you’ll download and install the iRule Editor from DevCentral. You’ll then use the iRule Editor to connect to your BIG-IP and write your first iRule. You’ll then download an iRule from DevCentral and use the iRule as is. * Estimated completion time: 25 minutes TASK 1 – Download the iRule Editor Access and log in to DevCentral, and then download the iRule Editor. You do not need to perform this task if you already have the iRule Editor installed on your workstation. ? Open a new Web browser and access http://devcentral.f5.com. ? Login using your DevCentral user account, or create a DevCentral user account. ? On the left navigation menu select iRules. ? On the left navigation menu select iRule Editor. ? Download and install the iRulerSetup.msi file. TASK 2 – Open the iRule Editor Open the iRule Editor and explore the application. ? From your Start menu, launch the F5 iRule Editor. ? Click the iRules Reference button. This opens the iRules Wiki Home page on DevCentral. ? Close the Web browser. ? Click the TCL Reference button. This opens the TCL command reference page. ? Click the set link. We’ll be covering the set command shortly. ? Close the Web browser. ? TASK 3 – Use the iRule Editor to Connect to Your BIG-IP Use the iRule Editor to connect to the external self IP address of your BIG-IP system. ? In the iRule Editor, select File > Connect. ? In the Hostname box type 10.128.10.240. ? In the Username and Password boxes enter the username and password you created in Exercise 1.1C. ? Click OK. Questions: Did you successfully connect? 
________________ Which port is being used to connect to the BIG-IP system? __________________ ? Access https://10.128.1.245 and log in to the BIG-IP VE system. ? Open the Network > Self IPs page, and then select external_selfIP. ? Add the required port to the Custom List, and then click Update. ? In the iRule Editor, attempt to connect again using the same username and password. TASK 4 – Create Your First iRule Create a basic iRule to log information when a client connection is accepted by the BIG-IP. ? In the left navigation menu of the iRules Editor, select Local Traffic. ? Select File > New. ? Name the new iRule exercise_iRule. ? Select the Custom tab. ? Select the CLIENT_ACCEPTED event, and then click OK. ? Edit the text inside of the double-quotes to: "Client connection accepted" ? Select the View menu. By default, the iRule Editor displays several annotations to help you write iRules. ? Select both Whitespace and End of Line. ? Click Save. This will check the syntax of the iRule. You’ll get a notification at the bottom of the iRules Editor of any syntax errors. ? In the Configuration Utility, open the Local Traffic > iRules > iRules List page. The iRule was saved on the BIG-IP. ? Select exercise_iRule. Note how different it is viewing and editing an iRule in the Configuration Utility versus the iRule Editor. TASK 5 – Add the iRule to the HTTP Virtual Server Add the new iRule to the existing HTTP virtual server, and then verify the iRule. ? Open the Virtual Server List page, and then select http_vs. ? Ensure that the HTTP Profile is set to http. Click Update if necessary. ? Open the Resources page. ? For Default Persistence Profile, select None. ? Click Update. ?NOTE: We are removing persistence in order to use iRules for all BIG-IP LTM load balancing decisions. ? In the iRule section, click Manage. ? Move the exercise_iRule from the Available list to the Enabled list. ? Click Finished. ? ? Open Putty and access and log in to 10.128.10.240. 
?NOTE: For easier viewing of log entries, we recommend resizing the Putty window, making it bigger both horizontally and vertically. ? At the CLI prompt, type: tail -f /var/log/ltm ? Type the Enter key a few times to move the existing log entries to the top of the window. ? Open up a new Web browser and access http://10.128.10.20. ? View the Putty window. Questions: Was the iRule triggered? _______________ How many client connections were required for this request? _________________ TASK 6 – Save the Current iRule to your Offline iRules Create a new iRule, then copy your current iRule to the new iRule, and then copy the new iRule to your offline iRules. ? In the iRule Editor, select Local Traffic, and then select File > New. ? Name the new iRule exercise1A_iRule, use the Blank template, and then click OK. ? Copy the code from exercise_iRule and paste into exercise1A_iRule. ? Save exercise1A_iRule. ? Right-click exercise1A_iRule and select Copy Offline. The new iRule is saved under Offline iRules, which are stored on your local workstation. This will enable you to use this iRule on any BIG-IP that you can connect to. ?NOTE: In the iRules exercises, we will continue to make modifications to the exercise_iRule, and then save the iRule from each exercise to your Offline iRules. This will enable us to continue to make updates to the iRule without needing to update the virtual server. TASK 7 – Using an iRule from DevCentral Use an iRule from DevCentral to prevent valid credit card numbers from being returned to users. ? Open a new Web browser and access http://10.128.10.20. ? Select the Mask Sensitive Content Example link. This page contains confidential information that we’d like to prevent from being sent in an HTTP response. ? In the iRule Editor, use the iRules Reference button to access DevCentral. ? On the left navigation menu, select CodeShare. ? Find an iRule that scrubs out credit cards from HTTP traffic. (NOTE: Don’t use the iRule that uses a stream profile.) ? 
In the iRules Source section, click on the view source button. ? Select and copy all of the iRules code. ? In the iRule Editor, for exercise_iRule, delete the existing code, and then paste the contents of the credit card scrubber. ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/privatedata.html Web page. ? Close the Web browser. FOR EXTRA CREDIT ? Update the iRule to change the character used for scrubbing from “X” to “*”. ? Test by refreshing the credit card accounts page. TASK 8 – Save the Current iRule to your Offline iRules ? In the iRule Editor, select Local Traffic, and then select File > New. ? Name the new iRule exercise1B_iRule, use the Blank template, and then click OK. ? Copy the code from exercise_iRule and paste into exercise1B_iRule. ? Save exercise1B_iRule. ? Right-click exercise1B_iRule and select Copy Offline. EXERCISE 1.11B – USING IRULE EVENTS In this exercise you experiment with some of the events that you can use to trigger an iRule. * Estimated completion time: 20 minutes TASK 1 – Update the iRule with Multiple Events Update the exercise_iRule by adding several events. ? In the iRule Editor, select exercise1A_iRule and copy all of the code. ? Select exercise_iRule and delete all of the existing code, and then paste the copied text. ? Place the cursor at the beginning of line 1, and then type Enter a couple of times. ? At the beginning of line 1 start typing the word when. ? When the iRule Editor prompts for the word, type the Enter key to accept the full word when. ? After when, start typing RULE_ and then hit Enter to accept the RULE_INIT event. ? After RULE_INIT, type a {, then type the Enter key twice, and then type a }. This is a good method for ensuring that you have a closing curly brace for every opening curly brace. ? Move your cursor after the indent in line 2. ? Type the following command and arguments: log local0. "iRule created or updated" ? 
In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window. ?NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries. ? In the iRule Editor, save the exercise_iRule, and then view the Putty window. Questions: Was the RULE_INIT event triggered? ________________ Was the CLIENT_ACCEPTED event triggered? ________________ ? Type the Enter key a few times to move the existing log entries to the top of the window. ? Open a new Web browser and access http://10.128.10.20. ? View the Putty window. Questions: Was the RULE_INIT event triggered? ________________ Was the CLIENT_ACCEPTED event triggered? ________________ ? Type the Enter key a few times to move the existing log entries to the top of the window. ? In the iRule Editor, add the following after the CLIENT_ACCEPTED event: ? Save the iRule. ? In the http://10.128.10.20 Web page select the Welcome link. ? View the Putty window. Question: How many HTTP requests are needed to build this Web page? ________________ ? Type the Enter key a few times to move the existing log entries to the top of the window. ? In the iRule Editor, add the following after the HTTP_REQUEST event: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page. ? View the Putty window. Question: Was a different pool member selected for each HTTP request? ________________ ? Type the Enter key a few times to move the existing log entries to the top of the window. ? In the iRule Editor, add the following after the LB_SELECTED event: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page. ? View the Putty window. ? Type the Enter key a few times to move the existing log entries to the top of the window. ? In the iRule Editor, add the following after the SERVER_CONNECTED event: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page. ? 
View the Putty window. TASK 2 – Enable Caching and Compression on the HTTP Virtual Server Enable caching, compression, and OneConnect on the HTTP virtual server, and then examine the difference in the iRule results. ? In the Configuration Utility, open the Virtual Servers page, and then select http_vs. ? Configure the following: ? HTTP Profile: custom_http_profile ? OneConnect Profile: custom_oneconnect ? HTTP Compression Profile: custom_compression ? Web Acceleration Profile: custom_caching ? Click Update. ? In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window. ? Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page. ? In Putty, type the Enter key five times. ? Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page. ? Close the Web browser. ? View the Putty window. Question: How did these profiles change the results of the iRule triggering? _______________________________________________________________________ ? In the Configuration Utility, on the http_vs Properties page, configure the following: ? HTTP Profile: http ? OneConnect Profile: None ? HTTP Compression Profile: None ? Web Acceleration Profile: None ? Click Update. ?NOTE: We are removing these profiles to ensure that BIG-IP LTM makes load balancing decisions for each request and doesn’t serve up content from its cache. TASK 3 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise2_iRule using the Blank template. ? Copy the code from exercise_iRule and paste into exercise2_iRule. ? Save exercise2_iRule. ? Right-click exercise2_iRule and select Copy Offline. EXERCISE 1.11C – USING VARIABLES In this exercise you will set variables in an iRule, and then reference and manipulate the variables. * Estimated completion time: 20 minutes TASK 1 – Set Variables in an iRule Update the exercise_iRule by setting several variables. ? In the iRule Editor, select exercise_iRule. ? 
Delete all of the existing events EXCEPT for the HTTP_REQUEST event. ? In the line directly after the when HTTP_REQUEST line, type: set name "Chris" (use your own first name) set last_name "Manly" (use your own last name) set price 9.95 set quantity 5 TASK 2 –Reference Variables in an iRule Update the exercise_iRule by referencing the variables you set in the previous task. ? Edit the log local0. message to: log local0. "$name $last_name made an HTTP request" ? Save the iRule. ? In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window. ?NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries. ? Open a new Web browser and access http://10.128.10.20/httprequest.php. ? View the Putty window. ? Type the Enter key a few times to move the existing log entries to the top of the window. ? In the iRule Editor, create a second log entry: log local0. "Order made for $quantity items at $$price each" ?NOTE: Be sure to include two dollar signs before “price”. ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. Note that the iRule was able to identify that $price was referencing a variable, and the dollar sign before that was interpreted as a regular text string. ? Type the Enter key a few times to move the existing log entries to the top of the window. TASK 3 – Manipulating Variables Update the exercise_iRule by using the append, incr, and expr commands. ? In the iRule Editor, in the line after setting your last name, type: append name " " (there should be one space between the quotes) append name $last_name ? Edit the first log local0. message to: "$name made an HTTP request" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? Type the Enter key a few times to move the existing log entries to the top of the window. ? 
In the iRule Editor, in the line after the final log local0. statement, type: incr quantity 2 log local0. "Due to our special, $name will receive $quantity items" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? Type the Enter key a few times to move the existing log entries to the top of the window. ? In the iRule Editor, in the line after setting the quantity, type: set total [expr { $price * $quantity } ] set tax [expr { $total * .09 } ] set grand_total [expr { $total + $tax } ] ? In the line after the final log local0. statement, type: log local0. "Total: $$total, tax: $$tax, for a grand total of $$grand_total" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? TASK 4 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise3_iRule using the Blank template. ? Copy the code from exercise_iRule and paste into exercise3_iRule. ? Save exercise3_iRule and then copy it to your Offline iRules. EXERCISE 1.11D – USING TCL AND IRULES COMMANDS In this exercise you will use several TCL and iRules commands to make your existing iRules based on dynamic connection information. * Estimated completion time: 30 minutes TASK 1 – Update the iRule using iRules Commands Update the iRule you created in exercise 2 by logging information based on the actual client connection. ? In the iRule Editor, select exercise2_iRule and copy all of the iRule code. ? Replace all of the previous code in exercise_iRule with the copied text. ? Update the CLIENT_ACCEPTED event as follows: ? Update the LB_SELECTED event as follows: ? Update the SERVER_CONNECTED event as follows: ? Update the HTTP_RESPONSE event as follows: ? Save the iRule and ensure you don’t receive any syntax errors. ? Open a new Web browser and access http://10.128.10.20/httprequest.php. ? ? View the Putty window. 
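The following iRule is an added example, not the guide's own code for this task. It shows one way to log dynamic connection information from each event, tagging every entry with a client IP:port key so that client-side and server-side entries in /var/log/ltm can be correlated. The variable names conn_id and req_count are assumptions made for illustration.

```tcl
when CLIENT_ACCEPTED {
    # Correlation key for this client-side connection (conn_id is an
    # illustrative variable name). Variables set here remain available
    # in later events on the same connection.
    set conn_id "[IP::client_addr]:[TCP::client_port]"
    set req_count 0
    log local0. "$conn_id accepted on [IP::local_addr]:[TCP::local_port]"
}

when HTTP_REQUEST {
    # One client connection can carry several HTTP requests, so number them.
    incr req_count
    log local0. "$conn_id request #$req_count [HTTP::method] [HTTP::host][HTTP::path]"
}

when LB_SELECTED {
    # The pool member chosen by the load balancing decision for this request.
    log local0. "$conn_id selected [LB::server addr]:[LB::server port] in pool [LB::server pool]"
}

when SERVER_CONNECTED {
    # On the server side, the local address is the source address BIG-IP used
    # toward the pool member (the SNAT address when source address
    # translation applies).
    log local0. "$conn_id server side [IP::local_addr]:[TCP::local_port] -> [IP::server_addr]:[TCP::server_port]"
}

when HTTP_RESPONSE {
    # Status code returned by the pool member that served the request.
    log local0. "$conn_id response [HTTP::status] from [IP::server_addr]:[TCP::server_port]"
}
```

Filtering the log on one conn_id value then shows the full path of a single client connection, from the accepted client socket to the pool member that answered.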
In the next section we will be discussing using conditional statements. Start thinking about the traffic management decisions you could make on the BIG-IP system using any of the information that you sent to the log file. ? Type the Enter key a few times to move the existing log entries to the top of the window. TASK 2 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise4A_iRule. ? Copy the code from exercise_iRule and paste into exercise4A_iRule. ? Save exercise4A_iRule, and then copy it to your Offline iRules. TASK 3 – Update the iRule using HTTP Commands Experiment with the different HTTP commands that are available in an iRule. ? Select exercise_iRule. ? Delete all of the existing events EXCEPT for the when HTTP_REQUEST event. ? Update the HTTP_REQUEST event as follows: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? Edit the URI to http://10.128.10.20/httprequest.php?user=bob. Question: Which value changed between the two requests? _________________________________ ? Type the Enter key a few times to move the existing log entries to the top of the window. ? TASK 4 – Create a Custom Response Page Using the iRule, create a custom HTTP response page to be sent for all client requests. ? In the iRules Editor, select exercise_iRule. ? After the HTTP_REQUEST event add the following HTTP_RESPONSE event: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php?user=bob Web page. Question: Did you receive the custom Webpage? ___________________ In the next lesson we’ll cover using conditional statements. Be thinking about what information you could use to determine whether or not to display this error page for user requests. TASK 5 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise4B_iRule. ? Copy the code from exercise_iRule and paste into exercise4B_iRule. ? 
Save exercise4B_iRule, and then copy it to your Offline iRules. TASK 6 – Use the Stream Command In Exercise 1.6B you used a Stream profile in the Configuration Utility. As you learned, one of the limitations of the Stream profile is that you can only find one text string to replace with another. You will now use the stream command in an iRule to find multiple text streams and replace them with different values. ? In the Configuration Utility, open the Virtual Servers page, and then select http_vs. ? Configure the following: ? Stream Profile: stream ? HTTP Compression Profile: custom_compression ? Click Update. ?NOTE: Even when you use the stream command in an iRule, you still need to include the default Stream profile, and in addition you need to ensure that the Web servers aren’t compressing content (which is achieved by using an HTTP compression profile). ? In the iRules Editor, select exercise_iRule. ? Delete all of the lines contained within the HTTP_RESPONSE event (but leave the event itself). ? Save the iRule. ? Open a new Web browser and access http://10.128.10.20/lorax.php. There are references to “Lorax Bank”, “Lorax Finances”, and “savings accounts”. ? In the iRule Editor, update the HTTP_RESPONSE event as follows: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. The references to “Lorax Bank” have been replaced with “Lorax Investments”. ? Update the STREAM::expression as follows: {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@} ?NOTE: Type all of the previous expression on one line. ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. All references to the previous entries have been replaced with the updated entries. ? Click on the top graphic to go back to the home page. ? From the http://10.128.10.20 page, select the Multiple Stream Example link. ?NOTE: The graphics in the second column on this page are “broken” links. ? 
Right-click on the page and select View Source. Question: What are the URLs that the broken image links are pointing to? ____________________________________________________________________ ? Close the source code page. ? Update the STREAM::expression as follows: {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@ @http://server1.hostingsite.com/images@/images@} ? Save the updated iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/badlinks.html Web page. Question: Why did the first two pictures display properly, but the third picture still doesn’t display? _________________________________________________________________ ? Update the stream expression so that all three graphics display on the page. TASK 7 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise4C_iRule. ? Copy the code from exercise_iRule and paste into exercise4C_iRule. ? Save exercise4C_iRule, and then copy it to your Offline iRules. EXERCISE 1.11E – USING CONDITIONAL STATEMENTS In this exercise you will add conditional statements to your iRules, using if, elseif, and else statements, in addition to using the stream command. * Estimated completion time: 40 minutes TASK 1 – Update the Custom Error Page iRule Update the iRule you created earlier that displays a custom error page by using a conditional statement to determine the HTTP response status and displaying the error page only when the user receives a 404 error. ? In the iRule Editor, select exercise4B_iRule and copy all of the iRule code. ? Replace all of the previous code in exercise_iRule with the copied text. ? Update the HTTP_RESPONSE event as follows: ?NOTE: The indenting within the if command isn’t required; however it can make the iRule easier to read. ? Save the iRule and ensure you don’t receive any syntax errors. ? Open a new Web browser and access http://10.128.20.10. ? Edit the URI to http://10.128.20.10/index.html. ? 
Close the Web browser. Because this Web server doesn’t have an index.html file, it responded with a 404 error status. Instead of simply passing the 404 error to the client, we can present them with more useful information in the custom Web page. ? TASK 2 – Create Three Wildcard Pools In the next several iRule examples we’ll be making traffic management decisions. Create three pools to use within these iRules. ? In the Configuration Utility, open the Pool List page. ? Create a pool using the following: Name iRules_pool1 Health Monitors gateway_icmp Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.11 * (All Services) ? Create another pool using the following: Name iRules_pool2 Health Monitors gateway_icmp Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.12 * (All Services) ? Create another pool using the following: Name iRules_pool3 Health Monitors gateway_icmp Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.13 * (All Services) ? Create another pool using the following: Name iRules_pool4 Health Monitors gateway_icmp Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.14 * (All Services) ? TASK 3 – Use an iRule for Traffic Management Decisions Use the iRule to make traffic management decisions based on the requested file type. ? In the iRule Editor, update the HTTP_REQUEST event as follows: This iRule will identify the file type of the user request. If the file type is php, the request will be routed to the iRules_pool1 pool. Because we’re now using the iRule for traffic management decisions, we need to remove the default pool from the virtual server. ? Save the iRule. ? In the Configuration Utility, open the Virtual Server List page, and then select http_vs. ? Open the Resources page. ? For Default Pool, select None. ? Click Update. ? 
Open a new Web browser and access http://10.128.10.20/welcome.php. Questions: Did the page display properly? ___________________ If not, why not? ______________________________________________________ ? In the iRule Editor, update the HTTP_REQUEST as follows: ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page. Questions: Did the page display properly? ___________________ If yes, which pool supplied the welcome.php page? ______________________________ Which pool supplied the graphics? _______________________________ ? Click on the top graphic to go back to the home page. Questions: Did the page display properly? ___________________ If not, why not? ______________________________________________________ ? In the iRule Editor, update the HTTP_REQUEST as follows: Since we no longer have a default pool associated with the virtual server, it’s a good idea to have an else statement for requests that don’t match the if or the elseif conditions. ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20 Web page. Questions: Did the page display properly? ___________________ Which page supplied the index.php page? ________________________ Which pool supplied the F5 logo at the bottom of the page? _________________________ Why wasn’t this graphic supplied by iRules_pool2? _____________________________ TASK 4 – Manage Traffic Based on the Service Port Create a new iRule that will manage traffic based on the request’s application port. ? In the iRule Editor, create a new iRule using the blank template named wildcard_iRule. ? Use the following to create this iRule: ? Save the iRule. TASK 5 – Create a Wildcard Virtual Server Create a virtual server listening on all ports. ? In the Configuration Utility, open the Virtual Server List page. ? Create a virtual server using the following: Name wildcard_vs Destination Host: 10.128.10.40 Service Port * (All Ports) iRules wildcard_iRule Default Pool None ? 
Open a Web browser and access http://10.128.10.40. Question: Which pool supplied this request? ___________________ ? Edit the URI to https://10.128.10.40. Question: Which pool supplied this request? ___________________ ? Edit the URI to http://10.128.10.40:8081. Question: Which pool supplied this request? ___________________ How was BIG-IP LTM able to view the iRule and make traffic management decisions when there’s no HTTP profile configured on the virtual server? ___________________________________________________________________________ ? Close the Web browser. TASK 6 – Update the iRule to Use the Switch Operator Update the wildcard_iRule to use the switch operator in place of the if, elseif, else statements. ? In the iRules Editor, update the wildcard_iRule as follows: In this statement, the -exact argument is optional. The $requestport variable is the value that we are comparing to either 80, 443, or 8081. The statements after the 80, 443, and 8081 are the actions to take if the port value matches. The default statement is for all requests that don’t match port 80, 443, or 8081. ? Save the iRule. ? Test by using a new Web browser to access http://10.128.10.40, http://10.128.10.40:8081, and https://10.128.10.40. ? Close the Web browser. ? In the Configuration Utility, access the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics. ? Reset the statistics for all pools and all pool members. ? Open a new Putty session and access 10.128.10.40. ?NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient. ? In the Configuration Utility, refresh the pools statistics. Question: Which pool supplied this request? ___________________ ? Close Putty. ? Copy the wildcard_iRule to your Offline iRules. TASK 7 – Use the Switch Operator to Manage Traffic Based on the File Type Create an iRule to determine the requested file type. 
If the request is for an unauthorized file type we’ll present a custom error page for the user. Otherwise we’ll route all requests for graphic files to one pool, PHP pages to another pool, and all other requests to a third pool. ? Open a new Web browser and access http://10.128.10.20. ? Edit the URI to http://10.128.10.20/calc.exe. ? Attempt to run the application. ? Edit the URI to http://10.128.10.20/basic.css. ? Close the Web browser. Currently this Web application contains files that shouldn’t be accessed by users. We’ll use the iRule to block access to these file types. ? In the iRules Editor, select exercise_iRule. ? Delete the lines containing the if, elseif, and else statements. ? Update the HTTP_REQUEST event as follows: In this statement, the -glob argument enables us to use wildcard characters. The $httppath variable is the value that we are comparing. For each of the file types we are using the asterisk wildcard. If the $httppath variable ends with exe or css, the user will get a custom response page, and in addition we’ll send an entry to the log file. If the variable ends with jpg, gif, or png, the request is sent to iRules_pool1. If the variable ends with php the request is sent to iRules_pool2 and we send an entry to the log file. The default statement is for all requests that don’t match any of the listed file types. ? Save the iRule and ensure you don’t receive a syntax error. ? Open a new Web browser and access http://10.128.10.20. Questions: Which pool supplied the index.php page? ____________________ Why didn’t this request go to iRules_pool2? _____________________________________ Which pool supplied the F5 logo? ____________________ ? Select the Welcome link. Question: Which pool supplied the welcome.php page? ____________________ ? Edit the URI to http://10.128.10.20/calc.exe. ? Edit the URI to http://10.128.10.20/basic.css. Question: Were you able to open these sensitive files? _______________ ? View the Putty window. 
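An added example (not the guide's own iRule) of the file-type switch described in this task. The 403 status and response body, the use of iRules_pool3 for the default arm, and lower-casing the path before matching are assumptions made here.

```tcl
when HTTP_REQUEST {
    # Identify the requested page and store it in a variable.
    # Glob matching is case-sensitive, so the path is lower-cased first
    # (CALC.EXE must match the same arm as calc.exe). HTTP::path excludes
    # the query string, so the match is made on the file name only.
    set httppath [string tolower [HTTP::path]]

    switch -glob -- $httppath {
        "*.exe" -
        "*.css" {
            # Unauthorized file types: log the attempt and answer from
            # BIG-IP so the request never reaches a pool member.
            log local0. "Blocked request for $httppath from [IP::client_addr]"
            HTTP::respond 403 content "<html><body><h1>Access denied</h1><p>This file type is not available.</p></body></html>" "Content-Type" "text/html"
        }
        "*.jpg" -
        "*.gif" -
        "*.png" {
            # Graphic files go to the first pool.
            pool iRules_pool1
        }
        "*.php" {
            # PHP pages go to the second pool and are logged.
            log local0. "Request made for $httppath"
            pool iRules_pool2
        }
        default {
            # Everything else, including "/", goes to a third pool
            # (iRules_pool3 is assumed here).
            pool iRules_pool3
        }
    }
}
```

Because the default arm forwards every extension that is not listed, this is a deny-list: any further file type that must not be served has to be added to the first arm explicitly.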
Questions: Did requests for images generate a log entry? ________________ Did requests for css files generate a log entry? ________________ Did requests for php pages generate a log entry? _______________ ? Close the Web browser. TASK 8 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise5_iRule. ? Copy the code from exercise_iRule and paste into exercise5_iRule. ? Save exercise5_iRule, and then copy it to your Offline iRules. EXERCISE 1.11F – WORKING WITH LISTS In this exercise you work with lists. First you’ll create a static list and experiment with different commands to manipulate the list. Next you’ll create a dynamic list containing HTTP request headers. * Estimated completion time: 30 minutes TASK 1 – Update the HTTP Virtual Server and the iRule Update the HTTP virtual server by using the HTTP pool as the default pool. ? In the Configuration Utility, open the Virtual Server List page, and then select http_vs. ? Select the Resources tab. ? From the Default Pool list, select http_pool, and then click Update. ? In the iRule Editor, delete all of the code in the exercise_iRule. TASK 2 – Work with a Static List Create a static list, and then use several list commands to manipulate the list. ? To create a new static list, add the following HTTP_REQUEST event to exercise_iRule. ? Save the iRule. ? Open a new Web browser and open the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? To sort the list, add the following lines at the end of the HTTP_REQUEST: set mylist [lsort $mylist] log local0. "Sorted first list: $mylist" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? View the Putty window. ? To add items to the list, add the following lines at the end of the HTTP_REQUEST: lappend mylist "rst" 222 log local0. "Second list: $mylist" ? Save the iRule. ? Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page. ? 
View the Putty window.

Question: Were the new items added in sorted order? ___________________

* Add additional lines to the iRule to sort the list after the new items have been added and add an entry to the log file. After refreshing the http://10.128.10.20/httprequest.php Web page, the log entry should look like this:
* To insert an item into the list, add the following lines at the end of the HTTP_REQUEST event:

    set mylist [linsert $mylist 1 "f5"]
    log local0. "Third list: $mylist"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
    How are the lappend and linsert commands different? _____________________________
    In what position in the list was the new entry added? ________________

* Once again, add additional lines to sort the new list and add an entry to the log file.
* To determine the number of items in the list, add the following line at the end of the HTTP_REQUEST event:

    log local0. "Third list length: [llength $mylist]"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What are a couple of advantages of knowing the number of items in a list? ________________________________________________________________________

* Add the following lines at the end of the HTTP_REQUEST event:

    lset mylist 3 "456"
    log local0. "Fourth list: $mylist"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
    How is the lset command different from the lappend and linsert commands? __________________________________________________________________________
    In what position in the list was the new entry added? ________________

* To determine the value of an item in the list, add the following lines at the end of the HTTP_REQUEST event:

    set item [lindex $mylist 3]
    log local0. "Item #4: '$item'"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To determine the index value of three different items, add the following lines at the end of the HTTP_REQUEST event:

    set find1 [lsearch $mylist "rst"]
    set find2 [lsearch $mylist 222]
    set find3 [lsearch $mylist "deflmo"]
    log local0. "List item 'rst' at index # $find1"
    log local0. "List item '222' at index # $find2"
    log local0. "List item 'deflmo' at index # $find3"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
    What index number is “222” at? __________________
    Why is the third item displaying at index value -1? _________________________________

TASK 3 – Add Iteration to the iRule

Use iteration to loop through the different items in the static list.

* In the iRule Editor, add the following lines at the end of the HTTP_REQUEST event (use your own address):

    set myaddress "401 Elliott Ave S, Seattle, WA 98119 USA"
    set mylist [split $myaddress " "]
    log local0. "First item: '[lindex $mylist 0]'"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: Without using iteration, how would you create separate log messages for each list entry? __________________________________________________________________________

* Replace the previous log local0 entry with the following:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What can you add to make these log entries more understandable? __________________________________________________________________________

FOR EXTRA CREDIT

* Update the iteration command so that the log message lists the correct item number:

TASK 4 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6A_iRule.
* Copy the code from exercise_iRule and paste into exercise6A_iRule.
* Save exercise6A_iRule, and then copy it to your Offline iRules.

TASK 5 – Use a Dynamic List in an iRule

Use an iRule to gather information about the client request HTTP headers using the list commands.

* In the iRule Editor, update exercise_iRule as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
    How many HTTP headers are in your HTTP request? _________________
    Which header is at index position 1? ___________________________
    What is the index value for X-Forwarded-For? _________________

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What changes occurred using this profile? ________________________________________

TASK 6 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6B_iRule.
* Copy the code from exercise_iRule and paste into exercise6B_iRule.
* Save exercise6B_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11G – USING IRULES BEST PRACTICES

In this exercise you will add comments and debugging statements to an iRule you created earlier.

* Estimated completion time: 15 minutes

TASK 1 – Add Comments to an iRule

Update an iRule by adding several comments to make it easier to understand for other administrators.

* In the iRule Editor, select exercise5_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* In the line directly after the when HTTP_REQUEST line, add the following comment:

    #Identify the requested page and store in a variable

* Continue to add the following comments:

TASK 2 – Adding Debugging Statements for Logging

Logging isn’t recommended for BIG-IP systems in production.
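The iRule below is an added example, not part of the F5 guide: it combines the HTTP header list from Exercise 1.11F with the debug flag this task introduces, so that per-header logging runs only when debug is set while a critical message is always logged. The message texts, the case-insensitive header comparison, and treating a request for an .exe file as the critical case are assumptions made for illustration.

```tcl
# Added example, not part of the F5 guide. Attach to an HTTP virtual server.
when HTTP_REQUEST {
    # Same flag the exercise introduces: 1 = verbose lab logging, 0 = critical messages only.
    set debug 1

    # Dynamic list: one element per header name in the client request.
    set hdrs [HTTP::header names]

    if { $debug } {
        log local0. "Header count = [llength $hdrs]"

        # foreach has no built-in counter, so keep one to log the real index
        # and to remember where X-Forwarded-For sits.
        set i 0
        set xff_pos -1
        foreach name $hdrs {
            log local0. "Header index $i = $name"
            # HTTP header names are case-insensitive, so compare without case.
            if { [string equal -nocase $name "X-Forwarded-For"] } {
                set xff_pos $i
            }
            incr i
        }

        # lsearch uses glob matching unless told otherwise; -exact compares the
        # literal string and is case-sensitive, so it can miss "x-forwarded-for".
        set exact_pos [lsearch -exact $hdrs "X-Forwarded-For"]

        # Both searches report -1 for "not found"; check before calling lindex.
        if { $xff_pos == -1 } {
            log local0. "X-Forwarded-For not present (lsearch -exact = $exact_pos)"
        } else {
            set hdr [lindex $hdrs $xff_pos]
            log local0. "$hdr found at index $xff_pos (lsearch -exact = $exact_pos)"
        }
    }

    # Critical message: logged whatever the debug flag says.
    # Assumption: a request for an .exe file is the critical case.
    set httppath [string tolower [HTTP::path]]
    if { $httppath ends_with ".exe" } {
        log local0.warning "Executable requested: $httppath from [IP::client_addr]"
    }
}
```

Setting debug to 0 silences the per-header entries and leaves only the warning for .exe requests in the log.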
Modify non-critical log statements to only run at specified times.

* In the line directly after the when HTTP_REQUEST line, add the following line:

    set debug 1

* Edit the log statement for PHP pages to the following:

    if { $debug } { log local0. "Request made for $httppath" }

* Add the exact statement above for the switch default statement:
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20 Web page.
* Select the Welcome link.
* Click on the top graphic to go back to the home page.
* Select the Multiple Stream Example link.
* View the Putty window.

For debugging purposes, we can see that requests are made for the root page “/”, php pages, and html pages.

* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, edit the debug statement:

    set debug 0

* Save the iRule and then view the same pages as you did at the beginning of this task.
* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.
* View the Putty window.

We’ve now eliminated unnecessary logging, but can continue to log critical messages.

TASK 3 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise7_iRule.
* Copy the code from exercise_iRule and paste into exercise7_iRule.
* Save exercise7_iRule, and then copy it to your Offline iRules.
* Close the iRule Editor.
* In the Configuration Utility, create an archive file named 1.11_iRules_v11.4.0.1.

MODULE 11 EXERCISES – IAPPS

EXERCISE 1.12A – WORKING WITH IAPP APPLICATION SERVICES

In this exercise you will create an iApp Application Service. You will then examine the effects of enabling and disabling strictness. You will use reentrancy to update the application, and then examine the various objects iApp created for the application.

* Estimated completion time: 20 minutes

TASK 1 – Create a Web Application Using iApp

Create the Web application using an iApp Application Service.

* Open up a new Web browser and access https://10.128.1.245.
* Open the iApp > Application Services page.
* Click Create.
* Create an Application Service using the following information:

    Profile Name                                 app_web
    Template                                     f5.http
    Inline help?                                 No
    Configuration mode                           Basic
    IP address for virtual server                10.128.10.40
    FQDN                                         lamp.f5demo.com
    Create a new pool or use an existing one?    Create a new pool
    Servers to reference                         Address         Port
                                                 10.128.20.11    80
                                                 10.128.20.12    80
                                                 10.128.20.13    80
    Health monitor                               Create new HTTP monitor
    HTTP URI to send                             /index.php
    Expected response                            Welcome

* Click Finished.

TASK 2 – Update Your Local Hosts File

Update the entry in your local hosts file for lamp.f5demo.com.

* Open Notepad and select Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Update the lamp.f5demo.com entry:

    10.128.10.40 lamp.f5demo.com

* Save and close the hosts file.

TASK 3 – Test Access to the iApp Application

Test access to the iApp application, and verify how traffic is being load balanced to pool members.

* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
    Which pool member(s) supplied content? __________________________________
    Why did only one pool member supply content? __________________________________
    Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then select the Pools statistics.
* Reset the statistics for all pools and pool members.
* In the http://lamp.f5demo.com Web page, select the HTTP Compress Example link.
* In the Configuration Utility, refresh the Pools statistics.

Questions:
    How many Bits Out did this page create? ____________________
    How many Packets Out did this page generate? ______________________
    How many total requests were needed to generate this Web page? __________________

* Reset the statistics for all pools and pool members.
* Use Ctrl+F5 to refresh the http://www.f5demo.com/bigtext.php page.
* Close the Web browser.
* In the Configuration Utility, refresh the Pools statistics.

Questions:
    How many Bits Out did this page create? ____________________
    How many Packets Out did this page generate? ______________________
    How many total requests were needed to generate this Web page? __________________
    What caused the difference in traffic to the pool member? __________________________

TASK 4 – View and Update the Application

Use iApp to update the previously deployed Web application.

* Open the iApp > Application Services page, and then select app_web.
* On the Components page, click app_web_vs. This navigates you to the virtual server Properties page.
* Attempt to update the Destination Address to 10.128.10.41.

Question: Why couldn’t you update the virtual server IP address? __________________________

* Open the iApp > Application Services page, and then select app_web.
* Select the Properties tab.
* From the Application Service list, select Advanced.
* Disable Strict Updates, and then click Update.
* Open the app_web_vs virtual server Properties page.
* Update the following:
    o Destination Address: 10.128.10.41
    o OneConnect Profile: None
    o HTTP Compression Profile: None
    o Web Acceleration Profile: None
* Click Update.
* Select the Resources tab.
* From both the Default Persistence Profile and Fallback Persistence Profile lists, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.41.
* Close the Web browser.
* Open the iApp Application Services page, and then select app_web.
* Select the Reconfigure tab.

Question: What is the virtual server IP address? __________________________

* Without making any changes, click Finished.
* Open the app_web_vs virtual server Properties page.

Question: Are the updates you just made still in effect? ____________________ If not, why not? _____________________________________________________________

* Open the Local Traffic > Profiles > Protocol > TCP page.

Question: How many TCP profiles were created for this application? ___________

* Open the iApp Application Services page, and then select app_web.
* Select the Properties tab.
* Re-enable Strict Updates, and then click Update.
* Select the Reconfigure tab.
* In the Network section, specify the following:

    What type of network connects clients to the BIG-IP system?    Local area network (LAN)

* Click Finished.
* Open the Local Traffic > Profiles > Protocol > TCP page.

Question: Why is there now only one TCP profile? _________________________________________

TASK 4 – Delete an iApp Application Service

Create a new iApp Application Service using objects from another Application Service, and then attempt to delete both applications.

* Open the iApp > Application Services page.
* Create an Application Service using the following information:

    Profile Name                                 app_web_backup
    Template                                     f5.http
    Inline help?                                 No
    Configuration mode                           Basic
    IP address for virtual server                10.128.10.41
    FQDN                                         (click the X to delete this option)
    Create a new pool or use an existing one?    app_web_pool

* Click Finished.
* Open the Application Services page.
* Select the checkbox for app_web, and then click Delete twice.

Question: Were you able to delete this application? ____________________ If not, why not? _____________________________________________________________

* On the Application Services page, select app_web_backup.

iApp created several objects for this profile: a virtual server, persistence profiles, an http profile, and several optimization profiles.

* Select the Properties tab.
* Click Delete, and then click OK.
* View the following Configuration Utility pages and verify that the application objects are deleted:
    o Virtual Server List
    o HTTP Profiles
    o HTTP Compression Profiles
    o Web Acceleration Profiles
    o Persistence Profiles
    o TCP Profiles

TASK 5 – Update the Wildcard Pools

Update the three wildcard pools you created in the iRules exercises.

* Open the Pool List page.
* Update the following pools:
    o iRules_pool1: disable 10.128.20.11:0, add 10.128.20.11:80
    o iRules_pool2: disable 10.128.20.12:0, add 10.128.20.12:80
    o iRules_pool3: disable 10.128.20.13:0, add 10.128.20.13:80

TASK 6 – Reconfigure the Application Service

Reconfigure the Application Service using the advanced settings.

* Open the iApp Application Services page, and then select app_web.

Questions:
    How many profiles did iApp create for this application? _____________________
    What type of persistence does this application use? ________________________________

* Select the Reconfigure tab.
* In the Template Options section, select to use Advanced settings.
* In the Network section, specify the following:

    What type of network connects clients to the BIG-IP system?    Wide area network (WAN)
    How have you configured routing on your web servers?           Servers have a route to clients through the BIG-IP system

* In the Virtual Server and Pools section, specify the following:

    Which HTTP profile do you want to use?                         Create a new HTTP profile
    Should the BIG-IP system insert the X-Forwarded-For header?    Do not insert X-Forwarded-For HTTP header
    Which persistence profile do you want to use?                  Do not use persistence
    Which load balancing method do you want to use?                Weighted Least Connections (member)
    Do you want to give priority to specific groups of servers?    Use Priority Group Activation
    What is the minimum number of active members in a group?       2
    Which web servers should be included in this pool?
        Update the following:
            10.128.20.11:80, Limit: 1000, Priority: 8
            10.128.20.12:80, Limit: 800, Priority: 8
            10.128.20.13:80, Limit: 800, Priority: 6
        Add the following:
            10.128.20.14, Limit: 1200, Priority: 10
            10.128.20.15, Limit: 1200, Priority: 10

* In the Delivery Optimization section, specify the following:

    Which Web Acceleration profile do you want to use for caching?    Do not use caching
    Which compression profile do you want to use?                     Do not compress HTTP responses
    How do you want to optimize client-side connections?              Create the appropriate tcp-optimized profile

* In the Server Offload section, specify the following:

    Which OneConnect profile do you want to use?            Do not use OneConnect
    How do you want to optimize server-side connections?    Create a profile based on tcp-lan-optimized
    How many seconds should Slow Ramp time last?            200

* In the Application Health section, specify the following:

    How many seconds should pass between health checks?    10

* Click Finished.
* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
    Which pool member(s) supplied content? __________________________________
    Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the iRules section, specify the following:

    Do you want to add any custom iRules to this configuration?    exercise7_iRule

* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

Question: Did the BIG-IP make new traffic management decisions? _________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the SSL Encryption section, specify the following:

    How should the BIG-IP system handle SSL traffic?    Encrypt to clients, plaintext to servers (SSL Offload)
    Which Client SSL profile do you want to use?        Create a new Client SSL profile
    Which SSL certificate do you want to use?           lamp.crt
    Which SSL private key do you want to use?           lamp.key

Note that the virtual server port changed from 80 to 443 after you selected to use SSL offload.

* In the Virtual Server and Pools section, specify the following:

    Do you want to redirect inbound HTTP traffic to HTTPS?    Redirect HTTP to HTTPS
    From which port should HTTP traffic be redirected?        80

* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

EXERCISE 1.12B – WORKING WITH IAPP TEMPLATES

In this exercise you will view the list of system-supplied iApp Templates, and then view the properties of a Template. You’ll then find and download iApp Templates from the F5 downloads page and from DevCentral.

* Estimated completion time: 20 minutes

TASK 1 – View iApp Templates

View the list of system-supplied iApp Templates.

* In the Configuration Utility, open the iApp > Templates page.
* Use the page list box to display all Templates on one page.

Questions:
    How many Templates are currently used for Application Services? ________________
    How can you tell that these are system-supplied Templates? __________________________

TASK 2 – View the Properties of an iApp Template

View the properties of the f5.http system-supplied Template.

* On the Template List page select f5.http.

Questions:
    What are the required BIG-IP modules? _______________________
    What is the minimum BIG-IP version? ________________________
    What is the maximum BIG-IP version? ________________________

* View the contents of the Implementation, Presentation, and HTML Help sections.
* Change the first line of the HTML Help section to:

    Web server iApp Template

Questions: Can you save this change? ________________ If not, why not? ________________________________________

TASK 3 – Download Updated iApp Templates from F5 Downloads

Access and log in to the F5 Downloads page, then download the updated iApp Templates for v11.3 to your workstation.

* Open the F5 product version download page at https://downloads.f5.com/esd/productlines.jsp.
* Select BIG-IP v11 x / Virtual Edition.
* From the list box select 11.3.0.
* Select iApp-Templates.
* Accept the license agreement.
* Select iapps-1.0.0.8.0.zip.
* Select the best download for your location.
* Save and then unzip the file on your local workstation.

This file contains updated versions of the Exchange 2010 – 2013 Client Access Server and the Citrix XenApp XenDesktop iApp Templates.

TASK 4 – Download a Community-Contributed iApp Template from DevCentral

Access and log in to DevCentral, then find and download a community-contributed iApp Template to your workstation.

* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iApp.
* On the left navigation menu, select Samples.
* Under the Community-Contributed section, select MySQL Proxy iApp.
* Right-click on the green arrow, and then select Save Target As.
* Save and then unzip the file on your local workstation.
* Close the DevCentral Web page.

TASK 5 – Import iApp Templates Into the BIG-IP

Import iApp Templates into your BIG-IP system.

* In the Configuration Utility, open the iApp > Templates page.
* Click Import.
* Click Browse.
* Navigate to the location where you unzipped the downloaded Template files.
* Select f5.microsoft_exchange_2010_2013_cas.tmpl, and then click Open.
* Leave the Overwrite Existing Templates checkbox cleared and click Upload.
* Repeat the steps above to import mysql_proxy.2011-12-02.tmpl.
* Select the Application Services page, and then click Create.
From the Templates list, select f5.microsoft_exchange_2010-2013_cas.v1.2.0cr1. You could now use this iApp Template for an application deployment. ? Create an archive file named 1.12_iApps_v11.4.0.1. Digital Commerce Solution – Storefront Integration Creating A Dynamic Storefront Home Page Page iv Proprietary and Confidential Information of Amdocs © 2012 - Proprietary and Confidential Information of F5 Networks Security Level Classification - Sensitive WWFR vLab Guides – LTM Fundamentals Hands-On Exercise Guide Page | 49 Introduction WWFR vLab Guides – LTM Fundamentals Page | 5 Exercise 2.1C – Configuration Backup F5 Virtual Environment LTM Essentials Exercise Guide Page | 1 Exercise 1.1 – VMware Workstation Configuration WWFR vLab Guides – LTM Fundamentals Hands-On Exercise Guide Page | 48 Exercise 1.2 – Initial BIG-IP Configuration Exercise 1.3 – User Access and System Preferences Exercise 2.1 – Create an HTTP Pool and Virtual Server Exercise 2.2 – Network Map Exercise 3.1 – Virtual Server Priority Exercise 3.2 – Forwarding and Reject Virtual Servers Exercise 4.1 – Install Required Software Exercise 4.2 – Create a Web Load Test Exercise 4.3 – Load Balancing Methods Exercise 1.4A – Using Monitors for Nodes WWFR vLab Guides – LTM Fundamentals Hands-On Exercise Guide Page | 72 Exercise 5.1 – Using Monitors for Nodes Exercise 4.4 – Priority Group Activation Exercise 5.1 – Using Monitors for Nodes Exercise 5.1 – Using Monitors for Nodes WWFR vLab Guides – LTM Fundamentals Hands-On Exercise Guide Page | 71 Exercise 5.2 – Using Monitors with Pools Exercise 5.3 – Using an Inband Monitor Exercise 5.4 – Using Manual Resume Exercise 6.1 – Using an HTTP Profile Exercise 6.1 – Using an HTTP Profile Exercise 6.2 – Using a Stream Profile Exercise 1.7A – Using Compression and Acceleration Exercise 7.1 – Using Compression and Acceleration Exercise 1.6A – Using an HTTP Profile Exercise 1.8A – Using Source Address Persistence Exercise 1.8B – Using Cookie Persistence Exercise 1.8C – 
View Persistence with Disabled and Offline Pool Members Exercise 1.8D – Using Match Across Virtual Servers Exercise 1.9A – Supporting SSL Traffic Exercise 1.9A – Supporting SSL Traffic Exercise 1.9B – Enabling SSL Offload Exercise 1.9A – Supporting SSL Traffic Exercise 1.10A – Using a NAT Exercise 1.10B – Using SNATs Exercise 1.11A – Writing your First iRule Exercise 1.11B – Using iRule Events Exercise 1.11C – Using Variables Exercise 1.11D – Using TCL and iRules Commands Exercise 1.11E – Using Conditional Statements Exercise 1.11F – Working with Lists Exercise 1.11G – Using iRules Best Practices Exercise 1.12A – Working with iApp Application Services Exercise 1.12B – Working with iApp Templates Exercise 10.C – Using Variables LTM Fundamentals Hands-On Exercise Guide F5 vLab version: 11.4.0.7 Written for: TMOS® Architecture v11.4.0 VMware Workstation 9.0.0 Virtual images: BIGIP-11.4.0.2384.0-scsi.ova LAMP 3.2 Last Updated: 11/18/2013 ©2013 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 
TABLE OF CONTENTS Table of Contents 3 Introduction 5 Module 1 Exercises – Initial Installation 7 Exercise 1.1 – VMware Workstation Configuration 7 Exercise 1.2 – Initial BIG-IP Configuration 13 Exercise 1.3 – User Access and System Preferences 23 Module 2 Exercises – Processing Traffic 29 Exercise 2.1 – Create an HTTP Pool and Virtual Server 29 Exercise 2.2 – Network Map 33 Module 3 Exercises – Virtual Servers 35 Exercise 3.1 – Virtual Server Priority 35 Exercise 3.2 – Forwarding and Reject Virtual Servers 39 Module 4 Exercises – Pools 43 Exercise 4.1 – Install Required Software 43 Exercise 4.2 – Create a Web Load Test 45 Exercise 4.3 –Load Balancing Methods 47 Exercise 4.4 –Priority Group Activation 49 Module 5 Exercises – Monitors 51 Exercise 5.1 – Using Monitors with Nodes 51 Exercise 5.2 – Using Monitors with Pools 55 Exercise 5.3 – Using an Inband Monitor 61 Exercise 5.4 – Using Manual Resume 63 Module 6 Exercises – Using Profiles 65 Exercise 6.1 – Using an HTTP Profile 65 Exercise 6.2 – Using a Stream Profile 69 Module 7 Exercises – Performance Profiles 71 Exercise 7.1 – Using Compression and Acceleration 71 Module 8 Exercises – Persistence Profiles 77 Exercise 1.8A – Using Source Address Persistence 77 Exercise 1.8B – Using Cookie Persistence 79 Exercise 1.8C – View Persistence with Disabled and Offline Pool Members 81 Exercise 1.8D – Using Match Across Virtual Servers 83 Module 9 Exercises – SSL Termination 85 Exercise 1.9A – Supporting SSL Traffic 85 Exercise 1.9B – Enabling SSL Offload 89 Module 10 Exercises – NATs and SNATs 93 Exercise 1.10A – Using a NAT 93 Exercise 1.10B – Using SNATs 95 Module 10 Exercises – iRules 99 Exercise 1.11A – Writing your First iRule 99 Exercise 1.11B – Using iRule Events 105 Exercise 1.11C – Using Variables 109 Exercise 1.11D – Using TCL and iRules Commands 113 Exercise 1.11E – Using Conditional Statements 119 Exercise 1.11F – Working with Lists 127 Exercise 1.11G – Using iRules Best Practices 133 Module 11 Exercises – iApps 
135 Exercise 1.12A – Working with iApp Application Services 135 Exercise 1.12B – Working with iApp Templates 143 INTRODUCTION Welcome to the F5 LTM Fundamentals Hands-on Exercise Guide. This guide provides hands-on experience with F5 BIG-IP® Local Traffic Manager™ (LTM). You can use these exercises and the virtual environment (vLab) – this includes VMware Workstation and BIG-IP® Virtual Edition (VE) – as a learning tool or to give customer demonstrations. Note, this guide is written for the following product and vLab version: * TMOS architecture v11.4.0 * VMware Workstation 9.0.0 * Virtual images: ? BIGIP 11.4.0.2384.0-scsi-ova ? LAMP 3.2 ? DoS_Tool 3.0 MODULE 1 EXERCISES – INITIAL INSTALLATION EXERCISE 1.1 – VMWARE WORKSTATION CONFIGURATION These steps guide you through requesting for a VMware Workstation license from IT, installing and configuring the VMware Workstation environment, downloading and installing the VMware images used in the environment, and making some required manual changes to the LAMP back-end server images. * Only perform this exercise if this is a first time setup of the vLab. * Use a Windows environment with this setup guide. * Estimated completion time: 15 minutes TASK 1 – Request a VMware Workstation License and Install the Trial Version ? Access https://f5.service-now.com (login using your Olympus credentials). ? From the left navigation menu, select Service Catalog. ? Under Software Requests, select VMware. ? Select the Desktop license. ? In the Select License Type list box, select Workstation (WIN/Linux). ? In the Business Justification field, type F5 vLab, and then click Order Now. You will receive your VMware Workstation license from IT. In the meantime you have 30 days to use the trial version of VMware Workstation. ? Access http://www.vmware.com/products/workstation/overview.html. ? Download and install the trial version of VMware Workstation 9. ?NOTE: These exercises are tested for VMware Workstation version 9. 
There may be issues with other versions. ? TASK 2 – Set Up the VMware Network Environment You will configure three VMware networks. VMnet1 acts as the Out of Band Management network for accessing the BIG-IP Configuration Utility. VMnet2 acts as the external network for users accessing virtual servers. VMnet3 acts as the internal VLAN where the back-end Web servers are located. ? Launch VMware Workstation, and then select Edit > Virtual Network Editor. ? Remove any existing VMnets EXCEPT for VMnet0. ? Click the Add Network button, and add VMnet1, VMnet2 and VMnet3. ? Select VMnet1, and configure as follows: o Enable the Host-only (connect VMs internally in a private network) option. o Select the Connect a host virtual adapter to this network checkbox. o Clear the Use local DHCP service to distribute IP address to VMs checkbox. o In the Subnet IP field enter 10.128.1.0, o In the Subnet mask field enter 255.255.255.0. ?NOTE: You will use this network to manage the BIG-IP VE system. This configures your local workstation with a VMware network adapter IP address of 10.128.1.1. ? ? Select VMnet2 and configure as follows: o Enable the NAT (shared host’s IP address with VMs) option. o Select the Connect a host virtual adapter to this network checkbox. o Clear the Use local DHCP service to distribute IP address to VMs checkbox. o In the Subnet IP field enter 10.128.10.0. o In the Subnet mask field enter 255.255.255.0. o Click the NAT Settings button. o In the Gateway IP field enter 10.128.10.2, and then click OK. ?NOTE: These NAT settings enable the BIG-IP VE system reach the Internet through your workstation’s network adapter. This configures your local workstation with a VMware network adapter IP address of 10.128.10.1. ? Select VMnet3, and configure as follows: o Enable the Host-only (connect VMs internally in a private network) option. o Clear the Connect a host virtual adapter to this network checkbox. 
o Clear the Use local DHCP service to distribute IP address to VMs checkbox. o In the Subnet IP field enter 10.128.20.0. o In the Subnet mask field enter 255.255.255.0. ?NOTE: Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to the internal network. This will avoid asymmetric routing issues and also enable you to demonstrate secure remote access and full proxy features. ? Click OK. TASK 3 – Download the Virtual Images Download the BIG-IP image file to your local workstation, and then download and unzip the VMware back-end server images. ? Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp. ? Click BIG-IP v11 x / Virtual Edition, and ensure that 11.4.1 is selected in the product version list box. ? Click Virtual-Edition, and then accept the license agreement. ? Click BIGIP-11.4.1.608.0-scsi.ova. ? Click the best download link for your location. ? Save the file to a directory on your local workstation. ?NOTE: Ensure the location of this directory has at least 6GB of free disk space. ? Access ftp://wafer.f5net.com/outgoing/F5_Virtual_Environment_Setup_VMware/. ? Download the following files: o Exercise_Files.zip o LAMP_3.2.7z ? Unzip each downloaded file in the local directory you created earlier in this task. TASK 4 – Install the BIG-IP VE System VMware Image Use VMware Workstation to open and install the BIG-IP VE image file. ? In VMware Workstation, go to File > Open. ? Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.4.1.608.0-scsi.ova image file, and then click Open. ? Name the new virtual machine BIGIP_A1_v11.4. ? Enter or browse to a location with at least 4GB of free disk space and click Import. ? Click the Accept button. It will take a few minutes for the image to import. ? 
After the import completes, select BIGIP_A1_v11.4 from the Library menu, and then click Edit virtual machine settings. ? Map the network adapters to the appropriate VMware networks using the following table: Network Adapter Custom (VMnet1) Network Adapter 2 Custom (VMnet2) Network Adapter 3 Custom (VMnet3) Network Adapter 4 Bridged (Automatic) ? Click OK. TASK 5 – Install the LAMP VMware Image Use VMware Workstation to open and install the LAMP VMware server images. ? In VMware Workstation, go to File > Open. ? Select the LAMP_3.2.vmx image file, and then click Open. ? In the VMware Workstation dialog box, click Take Ownership. ? Select LAMP_3.2 from the Library menu, and then click Edit virtual machine settings. ? Map the network adapters to the appropriate VMware networks using the following table: Network Adapter Connect at power on (yes) Custom (VMnet1) Network Adapter 2 Connect at power on (no) Custom (VMnet2) Network Adapter 3 Connect at power on (yes) Custom (VMnet3) Network Adapter 4 Connect at power on (no) Bridged ? Click OK. TASK 6 – Edit the Settings of the LAMP Image The LAMP image requires some manual network configuration changes. ? Select LAMP_3.2 from the Library menu, and then click Power on this virtual machine. ? Within the VMware Workstation window, leave Ubuntu selected and press the Enter key. ? After the image powers on, within the VMware Workstation window (and within the LAMP desktop) click Login. ? Click the Applications Menu icon on the top-left of the screen, and then select Settings Manager. ? In the Hardware section, click Network Connections. ? Select Wired connection 1, and then click Edit. ? From the Device MAC address list box, select the MAC address for eth0. ? Click Save, and then repeat these steps for the following: o Wired connection 2 --> eth1 o Wired connection 3 --> eth2 o Wired connection 4 --> eth3 ? Delete Wired connection 5 – Wired connection 8. 
?NOTE: The wired connection entries will not be removed from the Network Connections list until you reboot the image. ? Close the Network Connections and Settings dialog boxes. ? In VMware Workstation, right-click LAMP_3.2 in the Library menu and select Power > Power Off. ? Right-click LAMP_3.2 in the Library menu and select Snapshot > Take Snapshot. ? Name the snapshot LAMP_3.2_Clean, and then click Take Snapshot. EXERCISE 1.2 – INITIAL BIG-IP CONFIGURATION In this exercise you will configure the BIG-IP management interface, you’ll use TMSH to create a VLAN and a self IP address, and you’ll request and install a BIG-IP VE license key. * Your workstation needs Internet access to complete the licensing portion of this exercise. * Required virtual images: BIGIP_A1_v11.4 * Estimated completion time: 25 minutes TASK 1 –Configure BIG-IP Management Interface Settings Power on the BIG-IP VE image, configure the management interface settings, and then use TMSH to create the external VLAN, self IP address, and default gateway route. ? Click BIG_A1_v11.4 from the Library menu, and then click Power on this virtual machine ?NOTE: You may experience issues when attempting to power on the BIG-IP virtual machine. If you receive an incompatibility message regarding 64-bit operation, complete Task 1.1. ? After the BIG-IP VE system has powers on, you are presented with the localhost login screen. ? Log in to the BIG-IP system using the following credentials: localhost login: root Password: default ? At the CLI prompt, type: config ? Configure the management interface using the following information: IP Address 10.128.1.245 Network Mask 255.255.255.0 Default Route 10.128.1.1 ? TASK 1.1 –Configure your System BIOS and BIG-IP Management Interface Settings Complete this task ONLY if you receive an incompatibility message regarding 64-bit operation. ? You may receive the following dialog box: This is an issue with the Intel virtualization. 
To resolve it, you must reconfigure your system BIOS.
* Access your system BIOS. To find the disabled virtualization features, perform the following, depending on the model of your devices:
    o Go to Configuration, and then enable Intel Virtual Technology.
    o Go to Security > Virtualization, and then enable Intel (R) Virtualization Technology and Intel (R) VT-d Feature.
* Press F10 to save and exit the system BIOS. The system reboots and you can proceed.
* Launch VMware Workstation.
* Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.
* After the BIG-IP VE system powers on, you are presented with the localhost login screen.
* Log in to the BIG-IP system using the following credentials:

    localhost login: root
    Password: default

* At the CLI prompt, type:

    config

* Configure the management interface using the following information:

    IP Address       10.128.1.245
    Network Mask     255.255.255.0
    Default Route    10.128.1.1

TASK 2 – Generate an Evaluation License Key

Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license.

* Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com
* Click Eval Key Generator, and log in using your Olympus credentials.
NOTE: Ensure you are not selecting Dev Key Generator.
* Leave the Generate Eval Base Keys option selected.
* From the Product Line list box, select BIG-IP.
* From the Product list box, select F5-BIG-VE-LAB-LIC.
NOTE: Ensure you are selecting the license above before moving on.
* Select the 45 Days option, and then click Next.
* On the License Configuration Options page change the Number of Product Keys to Generate to 10.
* Select the GTM, VE and the BIG-IP, LAB (LTM,APM,ASM,AM, GTM), VE checkboxes, and then click Next. The evaluation key is emailed to your F5.com address.
* Once the F5 Development Registration Key email is delivered to your inbox, open it and copy one of the registration keys.

TASK 3 – Access the BIG-IP VE System

Access the management port of the BIG-IP VE system using a Web browser.

* Open up a Web browser and access https://10.128.1.245.
* Proceed with the untrusted security certificate.
* Log in to the BIG-IP system using the following credentials:

    Username: admin
    Password: admin

  The BIG-IP VE system does not yet have a license.

TASK 4 – Activate the BIG-IP System

Use the manual licensing method with the registration key emailed to you to activate the BIG-IP VE system.

* On the Welcome page, click Next.
* On the License page, click Activate.
* In the Base Registration Key field, paste the registration key text.
* For Activation Method, select Manual.
* Click Next.
* Select and copy all of the dossier text to your clipboard.
* Click the F5 Licensing Server link.
* Paste the dossier text in the field, and then click Next.
* Accept the license agreement, and then click Next.
* Select and copy all of the license key text to your clipboard, and then close the Activate F5 Product Web page.
* On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next. The BIG-IP VE system configuration updates. This takes several seconds.
* After the configuration changes complete, log in to the BIG-IP VE system.

TASK 5 – Complete the Setup Utility

Complete the remaining steps of the Setup Utility.

* On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
* On the Device Certificate page click Next.
* On the Platform page, configure these settings using the following information:

    Host Name                               bigipA1.f5demo.com
    Root Account (Password and Confirm)     default
    Admin Account (Password and Confirm)    admin

* Click Next.
* You are prompted to log out and log back in to the BIG-IP VE system. Click OK.
* Log back in to the BIG-IP VE system.
* Under Standard Network Configuration, click Next.
* Clear the Display configuration synchronization options checkbox.
* Click Next.
* In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information:

    Self IP Address     10.128.20.240
    Self IP Netmask     255.255.255.0
    Port Lockdown       Allow Default
    VLAN Interfaces     Untagged: 1.2

* Click Next.
* In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information:

    External VLAN       Create VLAN external
    Self IP Address     10.128.10.240
    Self IP Netmask     255.255.255.0
    Port Lockdown       Allow 443
    Default Gateway     10.128.10.2
    VLAN Interfaces     Untagged: 1.1

* Click Finished. You are presented with the BIG-IP Web Configuration Utility.
* To find manuals and product information, click the User Documentation link to go to AskF5. The AskF5 knowledge base Web site displays. You can use this site to view knowledge base articles and download product manuals.
* Close the Ask F5 Web page.
* Click the Run the Setup Utility link. You can run the Setup Utility at any time. However, you can also make changes manually using the Network option on the left navigation menu.

TASK 6 – Review Configuration Objects

Use the Configuration Utility to view the TMOS objects created with the Setup Utility.

* Open the Network > VLANs > VLANs List page. The Setup Utility created two VLANs: external and internal.
* Open the Network > Self IPs page. The Setup Utility created two self IP addresses:

    Self IP Address     VLAN
    10.128.10.240       external
    10.128.20.240       internal

* Open the Network > Routes page. The Setup Utility created the following route:

    Name                        Resource
    external_default_gateway    10.128.10.2

TASK 7 – Explore Command Line Access (CLI) and tmsh

Access the BIG-IP system and view configuration details using an SSH client (such as Putty).

* Use an SSH client (such as Putty) to connect to the external self IP address 10.128.10.240.
  You are unable to connect to the BIG-IP system because the Port Lockdown option of the external self IP address is set to allow access for TCP port 443 only.
* In the Configuration Utility, open the Network > Self IPs page.
* Click 10.128.10.240.
* Add TCP port 22 to the Custom List.
* Click Update.
* Use the SSH client again to connect to 10.128.10.240.
* In the PuTTY Security Alert dialog box, click Yes.
* Log in to the BIG-IP CLI using the following credentials:

    Username: root
    Password: default

* At the CLI, type:

    tmsh list net se        (and then press the Tab key)

  Question: Did autocorrect display options? _____________________
* At the CLI, complete the following:

    tmsh list net self

  Question: What information is listed? ________________________________
* At the CLI, type:

    tmsh

* At the tmos prompt, type:

    list net vl             (and then press the Tab key)

  Questions:
    Did autocorrect display options? _______________________
    Which options are available? _______________________________________
    Why did the tmos prompt replace “list net vl” with “list net vlan”? _______________________________________________________________________
* Press the Enter key.
  Question: What information is listed? ________________________________
* At the tmos prompt, navigate to another location by typing the following:

    ltm node

* At the tmos prompt, type:

    ?

  TMOS displays the commands you can use at this point.
* At the tmos prompt, type:

    q                       (NOTE: This exits the list of commands presented by the “?”)
    create ?

  TMOS displays available commands and required objects. The create command requires a name to identify the node.
* At the tmos prompt, type:

    create test_node?

  The create command followed by a name requires a text name or an IP address.
* At the tmos prompt, type:

    create test_node address ?

  You must include an IP address.
* At the tmos prompt, type:

    create test_node address 10.20.30.40
    list

* In the Configuration Utility, open the Local Traffic > Nodes > Node List page.
  You created a node on the BIG-IP VE system.
* In the SSH client, at the tmos prompt, type:

    delete test             (and then press the Tab key)

  There is only one possible option, so autocorrect completes the next word.
* Press the Enter key to complete the delete command.
* In the Configuration Utility, refresh the Node List page. You’ve removed the node from the BIG-IP VE system.
* In the SSH client, at the tmos prompt, type:

    /                       (this brings you back to the root TMOS level)
    quit

* At the CLI, type:

    exit

EXERCISE 1.3 – USER ACCESS AND SYSTEM PREFERENCES

In this exercise you will verify the default capabilities of the built-in admin and root user accounts. You’ll then create a new BIG-IP user account and experiment with two user roles. Finally, you’ll examine the log files and create an archive file.

* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 15 minutes

TASK 1 – Verifying User Access

Attempt to log in using the SSH client and the admin user account.

* Open a new SSH session and connect to 10.128.10.240.
* Attempt to log in using the following credentials:

    Username: admin
    Password: admin

  By default, you cannot open an SSH session using the admin account.
* In the Configuration Utility, open the System > Users > User List page.
* Click admin.
* From the Terminal Access list box, select Advanced shell.
* Click Update.
* Use the SSH client again to connect to: 10.128.10.240, and then log in using the admin account.
* Close the SSH session.
* In the Configuration Utility, attempt to log back in to the BIG-IP VE system using the following credentials:

    Username: root
    Password: default

  You cannot log in to the Configuration Utility using the root account. You can only use the root account for CLI access.

TASK 2 – Create a New BIG-IP User Account

Use the Configuration Utility to create a new BIG-IP VE system user account for yourself and experiment with the different user roles.

* Log in to the BIG-IP system using the admin account.
* Open the System > Users > User List page.
* Create a new user account using the following information, and then click Finished.

    User Name           your first name
    Password            your last name (all lowercase)
    Role                Operator
    Partition Access    All
    Terminal Access     tmsh

* Use the SSH client to access: 10.128.10.240, and then log in using your new user account.
  Question: Are you at the CLI prompt or the tmos prompt? _________________________
* At the tmos prompt, type:

    ltm node
    create test_node address 10.20.30.40

  You receive a syntax error: incomplete command.
* At the tmos prompt, type:

    create ?

  Your user account does not have privileges to create nodes.
* At the tmos prompt, type:

    quit

  Because you only have TMSH access, quitting TMSH ends the SSH session.
* In the Configuration Utility, click Log out.
* Log back into the Configuration Utility using your new user account.
* Open the Local Traffic > Pools > Pool List page.
  Question: Why are the Create and Delete buttons greyed out? ________________________________
* Open the System > Users > User List page.
* Click your user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
* Log out, and then log back in using the admin account.
* Open the System > Users > User List page.
* Click your new user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
* Change the user’s Terminal Access to Advanced shell.
* Click Update.
* Log out, and then log in using your new user account with the WRONG password. (NOTE: You will view this failed login attempt in the LTM audit log.)
* Log in using your new user account with the correct password.
* Open the Local Traffic > Pools > Pool List page. You now have privileges to create and delete pools.

TASK 3 – View Logging Information

View recent security logging activity using an SCP client (such as WinSCP).

* Use an SCP client (such as WinSCP) to access 10.128.10.240 with your new user account and password.
* On the right side, navigate to the / level.
* Navigate to the /var/log directory.
* Open the secure log file and then scroll to the bottom.
* Locate the log entry for the failed login attempt by your user account.
* Close the secure log file and the SCP client.
* In the Configuration Utility, open the System > Logs > Audit > List page.
* Type fail in the search field, and then click Search.
* Locate the log entry for the failed login attempt by your user account.

TASK 4 – Update System Preferences

Update the BIG-IP VE system preferences with custom settings.

* Open the System > Preferences page.
* From the System Settings list, select Advanced.
* Change the Records Per Screen value to 20.
* From the Start Screen list box, select Statistics.
* Select the Redirect HTTP to HTTPS checkbox.
* Update the Idle Time Before Automatic Logout value to 100000.
* Update the Security Banner Text to Show on the Login Screen to:

    Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.

* Click Update.
* Click Log out.
* Change the URL to http://10.128.1.245. You are redirected to the HTTPS site, and the Login page now displays the custom message.
* Log in using your new user account. The startup page is now the Statistics page.

TASK 5 – Create an Archive File

Use the command line to create an archive file.

* Use the SSH client to connect to: 10.128.10.240, and then log in using your new user account.
* At the CLI, type:

    tmsh

* At the TMOS prompt, type:

    sys ucs
    ?

* Use the Enter key to scroll through the available commands.
* At the tmos prompt, type:

    q
    save ?
    1.3_initial_setup_v11.4.1.1.ucs ?

* You can create a passphrase when needed.
* Press Enter to create the archive file.
* Quit TMSH, and then exit the SSH client.
* In the Configuration Utility open the System > Archives page. You created a new archive file on the BIG-IP VE system.

MODULE 2 EXERCISES – PROCESSING TRAFFIC

EXERCISE 2.1 – CREATE AN HTTP POOL AND VIRTUAL SERVER

In this exercise you will configure a pool for HTTP Web servers, a virtual server that uses the HTTP pool, and then verify its functionality. You’ll then update the SNAT settings for the virtual server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Pool

Create a pool containing three HTTP pool members.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Open a Web browser and access https://10.128.1.245.
* Log in with the new user account you created in Exercise 1.3.
* Open the Local Traffic > Pools > Pool List page, and then click Create.
* Create a pool using the following information:

    Name                         http_pool
    Load Balancing Method        Round Robin
    Priority Group Activation    Disabled
    New Members (Click Add for each entry):
        Address         Service Port
        10.128.20.11    80
        10.128.20.12    80
        10.128.20.13    80

* Click Finished.
* Open the Local Traffic > Nodes > Node List page. The BIG-IP VE system automatically creates a node for each pool member.

TASK 2 – Create a Virtual Server that Uses the Pool

Create an HTTP virtual server that uses the HTTP pool you created previously.

* Open the Local Traffic > Virtual Servers > Virtual Server List page, and then click Create.
* Create a virtual server using the following information:

    Name            http_vs
    Type            Standard
    Destination     Host: 10.128.10.20
    Service Port    80 (HTTP)
    State           Enabled
    Default Pool    http_pool

* Click Finished.

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the virtual server and ensure that you’re receiving information from all three pool members.

* Use a new Web browser and access the virtual server at http://10.128.10.20. You should see page elements coming from all three of the pool members.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
  Question: How many connections were opened to create the Web page? ___________
* In the F5 vLab Test Web page, type Ctrl+F5 once, to force the browser to refresh without using its cache.
* In the Configuration Utility, from the Statistics Type list box, select Pools.
  Questions:
    Did traffic go to each pool member? _____________
    Did each member manage approximately the same number of connections? __________

TASK 4 – Modify the Virtual Server SNAT Setting

Identify the effects of adding SNAT Automap to the virtual server.

* In the F5 vLab Test Web page, review the Request Details and examine the Client IP address/port.
  Questions:
    What is the client IP address? ________________________
    Which device “owns” this IP address? ___________________________
* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Click http_vs.
* From the Source Address Translation list box, select Auto Map, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  Questions:
    What is the client IP address? ________________________
    Which device “owns” this IP address? ___________________________
* Close the F5 vLab Test Web page.
* In the Configuration Utility, change the Source Address Translation back to None, and then click Update.

EXERCISE 2.2 – NETWORK MAP

In this exercise you will use the Network Map feature to examine availability information on virtual servers, pools, pool members, and nodes.

* Estimated completion time: 10 minutes

TASK 1 – View Configuration and Status from the Network Map

* In the Configuration Utility, open the Local Traffic > Network Map page.
* Use the mouse to hover over the virtual server and pool objects and notice the information displayed for each object.
* Hover over the pool member objects and notice the information displayed.
* Click the 10.128.20.11:80 pool member. The pool member properties page displays.
* In the Parent Node row, click 10.128.20.11. The node properties page displays.
* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* Open the Members page.
* Select the checkbox for 10.128.20.11:80, and then click Disable.
* Return to the Network Map page.
* In the Search box, type 20.12, and then click Update Map. All objects that match the search criteria are highlighted.
* Click the 10.128.20.11:80 pool member.
* In the State row, select the Enabled option to re-enable this pool member, and then click Update.

TASK 2 – Reset Statistics

Reset the statistics for the virtual server, the pool, and all of the pool members.

* Open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
* Select the http_vs checkbox, and then click Reset.
* From the Statistics Type list box, select Pools.
* Use the Select All checkbox to select the http_pool and all three members, and then click Reset.

TASK 3 – View the Local Traffic Log File

Use the Local Traffic log file to identify pool member availability.

* Open the System > Logs > Local Traffic page.
* Click the Timestamp column header to sort in descending order. (The most recent entry should be at the top of the list.)
* In the Search box type disabled, and then click Search. You can quickly identify when a pool member or node has been disabled.

TASK 4 – Saving the Configuration

Use the Configuration Utility to create an archive file.

* Open the System > Archives page, and then click Create.
* Create an archive using the following information, and then click Finished.

    File Name       2.2_processing_traffic_v11.4.1.1
    Encryption      Disabled
    Private Keys    Include

MODULE 3 EXERCISES – VIRTUAL SERVERS

EXERCISE 3.1 – VIRTUAL SERVER PRIORITY

In this exercise you will configure a pool and a virtual server that listen on all ports, and then test application access using the virtual server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Wildcard Pool

Create a pool containing three pool members listening on all ports.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Pools > Pool List page.
* Create a new pool using the following information, and then click Finished.

    Name                         open_pool
    Load Balancing Method        Round Robin
    Priority Group Activation    Disabled
    New Members (Click Add for each entry):
        Address         Service Port
        10.128.20.11    * All Services
        10.128.20.12    * All Services
        10.128.20.13    * All Services

* Open the Local Traffic > Nodes > Node List page.
  Questions:
    Did BIG-IP LTM create new nodes for this pool? _________________
    If no, why not? ____________________________________________________________

TASK 2 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports that references the pool you created in the previous task.

* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.

    Name            open_vs
    Type            Standard
    Destination     Host: 10.128.10.20
    Service Port    * All Ports
    Default Pool    open_pool

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the wildcard virtual server and ensure that you’re receiving information from all three pool members.

* Open the Statistics > Module Statistics > Local Traffic page, and then select to view Virtual Server statistics.
* Verify that the statistics for all virtual servers are reset.
* Use a new Web browser and access the virtual server at http://10.128.10.20.
* In the Configuration Utility, on the Virtual Servers statistics page, click Refresh.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use an SSH client to access 10.128.10.20.
NOTE: It’s not necessary to log into the CLI to complete this task.
* Close Putty.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use a new Web browser to access the secure virtual server at https://10.128.10.20.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
  The HTTP request was directed to http_vs, as this virtual server is more specific than open_vs. The SSH and HTTPS requests were directed to open_vs.
* Delete both the open_vs and the open_pool objects.

EXERCISE 3.2 – FORWARDING AND REJECT VIRTUAL SERVERS

In this exercise you will configure and test a forwarding network virtual server. You’ll then configure and test a reject virtual server for SSH access. Lastly, you’ll create a forwarding host virtual server for SSH access to a single server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Disable the Current Virtual Server

Disable the current HTTP virtual server, and add a route from your workstation to the 10.128.20.0 network.

* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Select the http_vs checkbox, and then click Disable.
NOTE: You must disable this virtual server in order to use those you’ll create later in this exercise.
* Use a Web browser to attempt to access a Web server directly at http://10.128.20.13. The request fails, as you do not have direct access to the 10.128.20.0 network.
* On your workstation, open a command prompt.
NOTE: You may need to run the command prompt as a local administrator. If so, go to the Start menu and type cmd, then right-click cmd.exe and select Run as administrator.
* At the command prompt, type:

    route add 10.128.20.0 mask 255.255.255.0 10.128.10.240

  This adds a route to the 10.128.20.0 network through the external self IP address of the BIG-IP VE system.
NOTE: You cannot run the route add command while connected to an F5 VPN.
* Leave the command prompt window open.
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13. The request fails again, as the BIG-IP VE system does not have a listener to forward this request to the internal network.

TASK 2 – Create a Forwarding (IP) Virtual Server

Create a forwarding (IP) virtual server for the 10.128.20.0 network.

* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.

    Name            forward_vs
    Type            Forwarding (IP)
    Destination     Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port    * All Ports
    Protocol        * All Protocols

* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13. The request is successful. Note in the Request Details section, the virtual server address is the same as the pool member address. The virtual server did not process the packet, but simply forwarded it to the internal network.
* Change the URL to https://10.128.20.12.
* Use an SSH client to connect to 10.128.20.11.
NOTE: It’s not necessary to log into the CLI to complete this task.
* Close the SSH session and the F5 vLab Test Web page. You now have access to all ports and all protocols on the 10.128.20.0 network.

TASK 3 – Create a Reject Virtual Server

Create a reject virtual server to reject SSH traffic going to the 10.128.20.0 network.

* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.

    Name            reject_vs
    Type            Reject
    Destination     Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port    22 (SSH)

* Use an SSH client to connect to 10.128.20.11.
* When your request times out, close the SSH session.
* Use a Web browser to access http://10.128.20.11. Although you still have HTTP access to 10.128.20.11, you no longer have SSH access to any hosts on the 10.128.20.0 network.
* Close the F5 vLab Test Web page.

TASK 4 – Create a Forwarding Host Virtual Server

Create another forwarding (IP) virtual server, enabling SSH traffic to 10.128.20.11 only.

* In the Configuration Utility, on the Virtual Server List page, create a virtual server using the following information, and then click Finished.

    Name            ssh_vs
    Type            Forwarding (IP)
    Destination     Host: 10.128.20.11
    Service Port    22 (SSH)

* Use an SSH client to connect to 10.128.20.11.
NOTE: It’s not necessary to log into the CLI to complete this task.
* Open a new SSH session and connect to 10.128.20.12.
* When your request times out, close the SSH session. You now have access to all ports and protocols on the 10.128.20.0 network except for port 22. You only have access to port 22 on host 10.128.20.11.
* In the Configuration Utility, delete forward_vs, reject_vs, and ssh_vs.
* Re-enable http_vs.
* In the command prompt window, type:

    route DELETE 10.128.20.0

* Close the command prompt.

TASK 5 – Saving the Configuration

Use the Configuration Utility to create an archive file.

* Open the System > Archives page.
* Create an archive using the following information, and then click Finished.

    File Name       3.2_virtual_servers_v11.4.1.1
    Encryption      Disabled
    Private Keys    Include

MODULE 4 EXERCISES – POOLS

EXERCISE 4.1 – INSTALL REQUIRED SOFTWARE

You will need to install and configure JMeter in order to use this exercise guide.

* Do not perform exercise 4.1 if you already have JMeter installed.
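
Looking back at Exercises 3.1 and 3.2: the following added example (not part of the original guide and not F5 code) models the listener selection those exercises observe, so you can check which virtual server would handle a given destination before relying on a reject or forwarding listener as an access control. It assumes that, among enabled virtual servers matching the destination address and port, the longest destination prefix wins and a specific service port beats the wildcard port; the class and function names are hypothetical.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY_PORT = 0  # stands for "* All Ports" in the Configuration Utility


@dataclass(frozen=True)
class VirtualServer:
    name: str
    destination: str   # host (/32) or network, in CIDR notation
    port: int          # ANY_PORT for a wildcard listener
    vs_type: str       # "standard", "forwarding" or "reject"
    enabled: bool = True

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        """True if this enabled listener covers the destination ip:port."""
        in_dest = ip_address(dst_ip) in ip_network(self.destination)
        return self.enabled and in_dest and self.port in (ANY_PORT, dst_port)

    def specificity(self) -> tuple:
        """Assumed ranking: longer prefix first, then specific port over wildcard."""
        return (ip_network(self.destination).prefixlen, self.port != ANY_PORT)


def select_listener(listeners: List[VirtualServer], dst_ip: str,
                    dst_port: int) -> Optional[VirtualServer]:
    """Return the most specific matching listener, or None if nothing listens."""
    candidates = [vs for vs in listeners if vs.matches(dst_ip, dst_port)]
    return max(candidates, key=VirtualServer.specificity, default=None)


def verdict(listeners: List[VirtualServer], dst_ip: str, dst_port: int) -> str:
    """Human-readable outcome for one destination."""
    vs = select_listener(listeners, dst_ip, dst_port)
    return "no listener" if vs is None else f"{vs.name} ({vs.vs_type})"


def exposure(listeners, probes):
    """Map each (ip, port) probe to the listener that would handle it."""
    return {f"{ip}:{port}": verdict(listeners, ip, port) for ip, port in probes}


# Listener sets as configured in the exercises above.
HTTP_VS = VirtualServer("http_vs", "10.128.10.20/32", 80, "standard")
EX_3_1 = [HTTP_VS,
          VirtualServer("open_vs", "10.128.10.20/32", ANY_PORT, "standard")]

EX_3_2_TASK1 = [replace(HTTP_VS, enabled=False)]
EX_3_2_TASK2 = EX_3_2_TASK1 + [
    VirtualServer("forward_vs", "10.128.20.0/24", ANY_PORT, "forwarding")]
EX_3_2_TASK3 = EX_3_2_TASK2 + [
    VirtualServer("reject_vs", "10.128.20.0/24", 22, "reject")]
EX_3_2_TASK4 = EX_3_2_TASK3 + [
    VirtualServer("ssh_vs", "10.128.20.11/32", 22, "forwarding")]


if __name__ == "__main__":
    probes = [("10.128.20.11", 22), ("10.128.20.12", 22), ("10.128.20.11", 80)]
    for label, cfg in [("Task 2", EX_3_2_TASK2),
                       ("Task 3", EX_3_2_TASK3),
                       ("Task 4", EX_3_2_TASK4)]:
        print(label)
        for target, result in exposure(cfg, probes).items():
            print(f"  {target:<18} -> {result}")
```

Running the script prints, per task, which listener handles SSH and HTTP to the internal hosts, matching the results the exercise steps report.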
* Estimated completion time: 10 minutes

TASK 1 – Download and Install JMeter

Download and install JMeter.

* Use a Web browser to access http://jmeter.apache.org/download_jmeter.cgi.
* From the Binaries section, download either the TGZ or ZIP file of the latest version of Apache JMeter.
* Extract the downloaded file on your workstation. You will use the bin/jmeter.bat program to create a Web server load simulation.

TASK 2 – Configure a Path Value for Java.exe

In order to use JMeter your workstation must have a path variable value for accessing java.exe.

* On your workstation open C:\Program Files.
* Open the Java folder. If there is no folder named Java, look in the Program Files (x86) folder.
* Open jre7, and then open bin. Verify that this folder contains the java.exe executable file.
* Right-click in the address bar and select Copy address.
* Open the Start menu, and then type environment in the search bar.
* Click Edit environment variables for your account.
* In the Environment Variables dialog box, in the User variables for section, do one of the following:
    o If there is an existing path variable:
        - Select path, and then click Edit.
        - At the end of the existing Variable value, add a semi-colon, and then paste the address text.
    o If there is not an existing path variable:
        - Click New.
        - Name the new variable path.
        - In the Variable value field, paste the address text.
* Click OK twice.

EXERCISE 4.2 – CREATE A WEB LOAD TEST

Use JMeter to record a visit to your virtual server, and then create a load configuration to simulate 50 users accessing the recording.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Use JMeter to Record a Visit to the Web Site

Use JMeter to record a series of requests to the http_vs virtual server.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* In the location where you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
NOTE: If you do not have JMeter installed, return and complete Exercise 4.1.
* In the navigation panel, right-click Test Plan, and then select Add > Threads (Users) > Thread Group.
* Change the name to 10.128.10.20 Test.
* In the Number of Threads (Users) field, enter 100.
* In the Loop Count field, enter 3.
* Go to File > Save, and save the file as 10.128.10.20_Test.jmx. This will simulate 100 users accessing the BIG-IP VE system and visiting each page three times.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Config Element > HTTP Request Defaults.
    o In the Server Name or IP field, enter 10.128.10.20.
    o In the Port Number field, enter 80.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
    o Change the name to Home Page
    o In the Path field, enter /
    o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
    o Change the name to Welcome Page
    o In the Path field, enter /welcome.php
    o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Listener > Summary Report.
* Click the Save button.

TASK 2 – Use JMeter to Simulate Multiple Visits to the Web Site

Use JMeter to play the recording to the downstream Web site.

* In JMeter, select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.

TASK 3 – Verify Virtual Server and Pool Statistics

View the virtual server and pool statistics, and then reset all statistics.

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select to view the Pools statistics.
  Question: Were the connections distributed evenly between the three pool members? ________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.3 – LOAD BALANCING METHODS

In this exercise you will change the load balancing method to Ratio and view the resulting behavior.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Configure Ratio Member Load Balancing

Update the http_pool by changing the load balancing method to Ratio (member), and then assign ratio values to the different pool members.

* Open the Local Traffic > Pools > Pool List page.
* Click http_pool.
* Open the Members page.
* In the Load Balancing section, from the Load Balancing Method list box, select Ratio (member).
* Click Update.
* In the Current Members section, click 10.128.20.11:80.
* Within the Configuration section, set the Ratio value to 4.
* Click Update, and then return to the Members page.
* Update the remaining pool members with the following information:

    Member             Ratio
    10.128.20.12:80    2
    10.128.20.13:80    1

* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.
* In the Configuration Utility, view the Pools statistics.
  Questions:
    Were the connections distributed evenly? _____________
    Were the connections distributed using a 4 – 2 – 1 ratio? _____________
* Reset the statistics for the pool and all pool members.

TASK 2 – Configure Weighted Least Connections Load Balancing

Update the http_pool by assigning connection limit values to the different pool members and then changing the load balancing method to Weighted Least Connections (member).

* Click to edit the http_pool object, and then open the Members page.
* Update the pool members with the following information:

    Member             Connection Limit
    10.128.20.11:80    1200
    10.128.20.12:80    250
    10.128.20.13:80    50

NOTE: Ensure that all three pool members have Connection Limit values before proceeding.
* Change the Load Balancing Method to Weighted Least Connections (member), and then click Update.
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results.

When the total # Samples value reaches 600, the test is complete.

* Close JMeter.
* In the Configuration Utility, view the Pools statistics.

Question: Were the pool members utilized properly based on the configured connection limits? _________

* Reset the statistics for the pool and all pool members.

EXERCISE 4.4 – PRIORITY GROUP ACTIVATION

In this exercise you will enable priority group activation, and then add two additional pool members to the HTTP pool. You’ll then examine how the BIG-IP system utilizes the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Enable Priority Group Activation

Update the http_pool by enabling priority group activation, and then assign priority values to the different pool members. Add two additional members to the pool.

* Click to edit the http_pool object, and then open the Members page.
* In the Priority Group Activation list box, select Less than.
* In the Available Member(s) field, enter 2, and then click Update.
* Update the pool members with the following information:

  Member            Priority Group
  10.128.20.11:80   8
  10.128.20.12:80   8
  10.128.20.13:80   4

* Add new pool members using the following information:

  Address        Service Port   Ratio   Priority Group   Connection Limit
  10.128.20.14   80             1       4                10
  10.128.20.15   80             1       3                10

* Use a Web browser to access http://10.128.10.20.
* Use Ctrl+F5 several times to refresh the page.

Question: Which members are supplying content for the request? _____________________________

* In the Configuration Utility, disable pool member 10.128.20.11:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

Question: Which members are supplying content for the request?
_____________________________

With priority group activation set to 2 members, why are there now three members supplying content? ___________________________________________________________________________

* In the Configuration Utility, disable pool member 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

Question: Which members are supplying content for the request? _____________________________

* In the Configuration Utility, disable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

Using priority group activation, we can always be assured that we have at least two pool members available to fulfill user requests.

* In the Configuration Utility, re-enable pool members 10.128.20.11:80 and 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

For the first couple of refreshes, content should still come from node #5 (10.128.20.15:80), because the connections had yet to close. Eventually you will notice requests come only from 10.128.20.11, 10.128.20.13, and 10.128.20.14.

* In the Configuration Utility, re-enable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

After refreshing a couple of times, all requests now come from 10.128.20.11 and 10.128.20.12 only.

* Close the F5 vLab Test Web page.
* Update the http_pool by changing the Priority Group Activation value back to Disabled, and then click Update.
* Create an archive file named 4.4_pools_load_balancing_v11.4.1.1.

MODULE 5 EXERCISES – MONITORS

EXERCISE 5.1 – USING MONITORS WITH NODES

In this exercise you will assign the default monitor to be used for all nodes, in addition to assigning a node-specific monitor as well as disassociating the default monitor from a node.
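The member selection seen in Exercise 4.4 can be reproduced offline with a small model of Priority Group Activation set to Less than 2; the sketch below is an added example, not F5 code or part of the original guide. It assumes a whole lower-priority group is activated whenever fewer than the configured number of members is available, and it ignores connection limits and connections that are still open; the function names are hypothetical.

```python
"""Model of pool Priority Group Activation, "Less than N" available members."""

# Exercise 4.4 settings: member -> priority group (a higher number is preferred).
PRIORITY_GROUP = {
    "10.128.20.11:80": 8,
    "10.128.20.12:80": 8,
    "10.128.20.13:80": 4,
    "10.128.20.14:80": 4,
    "10.128.20.15:80": 3,
}
MIN_AVAILABLE = 2  # Priority Group Activation: Less than 2 Available Member(s)


def active_members(disabled, groups=PRIORITY_GROUP, minimum=MIN_AVAILABLE):
    """Return the members that are eligible to receive new connections.

    Groups are activated from the highest priority downwards; a lower group is
    added only while fewer than `minimum` available members are active.
    """
    available = {m: g for m, g in groups.items() if m not in disabled}
    active = []
    for group in sorted(set(available.values()), reverse=True):
        if len(active) >= minimum:
            break
        active += [m for m, g in available.items() if g == group]
    return sorted(active)


def replay_exercise():
    """Replay the disable/re-enable sequence of Exercise 4.4, Task 1."""
    m11, m12, m13 = "10.128.20.11:80", "10.128.20.12:80", "10.128.20.13:80"
    steps = [
        ("all members enabled", set()),
        ("disable .11", {m11}),
        ("disable .13", {m11, m13}),
        ("disable .12", {m11, m12, m13}),
        ("re-enable .11 and .13", {m12}),
        ("re-enable .12", set()),
    ]
    return [(label, active_members(disabled)) for label, disabled in steps]


if __name__ == "__main__":
    for label, members in replay_exercise():
        print(f"{label:24} -> {', '.join(members)}")
```
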
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Verify the Snapshot for the LAMP Image

In these exercises you will make modifications to the LAMP VMware image. Ensure that you have a snapshot before moving on.

* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 and select Snapshot.
* If you do not have a snapshot named LAMP_3.2_Clean, select Take Snapshot, and name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.
* Power on the BIGIP_A1_v11.4 and LAMP_3.2 images.

TASK 2 – Assign a Default Monitor for all Nodes

Assign the BIG-IP system default icmp monitor as the default monitor for all nodes.

* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Nodes > Node List page.
* Examine the Status of the listed nodes.
* Open the Default Monitor page.
* Select icmp from the Available list, then click <<, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

TASK 3 – Create a Custom ICMP Monitor

Create a custom ICMP monitor that will be used with only one node.

* Open the Local Traffic > Monitors page, and then click Create.
* Create a new monitor using the following information, and then click Finished.

  Name             custom_icmp_monitor
  Type             ICMP
  Parent Monitor   icmp
  Interval         4
  Timeout          13
  Transparent      No

TASK 4 – Assign the Custom Monitor to a Specific Node

Assign the custom icmp monitor to 10.128.20.12.

* Open the Local Traffic > Nodes > Node List page, and then click 10.128.20.12.
* Assign the monitor to the node using the following information:

  Health Monitors            Node Specific
  Select Monitors: Active    custom_icmp_monitor
  Availability Requirement   All

* Click Update.

TASK 5 – Assign No Monitors to a Specific Node

Assign no monitors to 10.128.20.13.

* On the Node List page, click 10.128.20.13.
* From the Health Monitors list box, select None, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

The BIG-IP system default icmp monitor has been assigned to the Node Default monitor and these nodes are using that monitor:

* 10.128.20.11
* 10.128.20.14
* 10.128.20.15

The custom_icmp_monitor is assigned to node 10.128.20.12. There is no monitor assigned to node 10.128.20.13. This is not a recommended configuration. This setup is only to demonstrate three methods to assign monitors to nodes.

EXERCISE 5.2 – USING MONITORS WITH POOLS

In this exercise you will create a custom HTTP monitor and assign the monitor to the HTTP pool. You will then view the effects of using monitors on the virtual server, pool, pool members, and nodes.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Check Current Pool Member Status

Use the Pool List page to examine the current status of the members of the HTTP pool.

* Open the Local Traffic > Pools > Pool List page.
* Click http_pool, and then open the Members page.
* Examine the Status of the listed members.

Question: Will BIG-IP LTM distribute traffic to pool members that are unknown? _____________

TASK 2 – Create a Custom HTTP Monitor

Create a custom HTTP monitor that requests a specific Web page from the pool member and that verifies a specific text string is returned in the HTTP response.

* Open the Local Traffic > Monitors page, and then click Create.
* Create a monitor using the following, and then click Finished.

  Name             custom_http_monitor
  Type             HTTP
  Interval         4
  Timeout          13
  Send String      GET /HealthCheck.html\r\n
  Receive String   SERVER_UP

TASK 3 – Assign the Custom Monitor to the Pool

Assign custom_http_monitor to http_pool.

* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* For Health Monitors, select custom_http_monitor, click <<, and then click Update.

TASK 4 – View the Network Map

View the status of virtual server, pool, pool members, and nodes using Network Map.
* Open the Local Traffic > Network Map page.
* Use the mouse to hover over the different pool members.

Question: Why is the status of node 10.128.20.13 different from the other nodes? ___________________________________________________________________

TASK 5 – View the Effects of Using Monitors

Make changes to the Web site on the LAMP image, and then view how the changes affect the Network Map.

* Use an SSH client to connect to the LAMP_3.2 image at 10.128.1.252.
* Log in using the following credentials:

  Username: root
  Password: default

* Access and view the Web server components on 10.128.20.11:80 by typing:

  cd /var/www/server/1
  ls

The HealthCheck.html Web page currently exists on pool member 10.128.20.11:80.

* To rename this Web page, type:

  mv HealthCheck.html NewHealthCheck.html

This removes the HealthCheck.html Web page from pool member 10.128.20.11:80.

* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member.

The virtual server and pool display available. Pool member 10.128.20.11:80 displays offline. These pool members display available:

* 10.128.20.12:80
* 10.128.20.13:80
* 10.128.20.14:80
* 10.128.20.15:80

All the nodes display as available, except 10.128.20.13, which displays unknown.

* In the SSH session, to change contents of the HealthCheck.html Web page on 10.128.20.12:80 using visual editor, type:

  cd ..
  cd 2
  vi HealthCheck.html

NOTE: You can use the Tab key to autocomplete the Web page name.

* Arrow down to the SERVER_UP paragraph, and then arrow over to the word UP.
* Type X to delete UP.
* To save and quit visual editor, type:

  :wq

The text string “SERVER_UP” will no longer be found in the HealthCheck.html Web page on pool member 10.128.20.12:80.

* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.

The virtual server and pool still display available. Pool members 10.128.20.11:80 and 10.128.20.12:80 display offline.
These pool members display available:

* 10.128.20.13:80
* 10.128.20.14:80
* 10.128.20.15:80

* In the SSH session, to delete the IP address from 10.128.20.14:80, type:

  ip addr del 10.128.20.14/24 dev eth2

This removes the IP address from node 4. The BIG-IP VE system will not receive an ICMP response from the node.

* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member.

Node 10.128.20.14 now displays offline, which causes pool member 10.128.20.14:80 to display offline.

* Open the http_pool pool, and then open the Members page.
  o Update the Connection Limit of 10.128.20.13:80 to a value of 100.
  o Update the Connection Limit of 10.128.20.15:80 to a value of 5.
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Big Text Page
  o In the Path field, enter /bigtext.php
  o Clear the Use KeepAlive checkbox.
* Select 10.128.10.20 Test, and then go to Run > Start.
* While the test runs, in the Configuration Utility continue to refresh the Network Map page.

Eventually pool member 10.128.20.15:80 displays unavailable because it reaches the configured connection limit.

* Use a new Web browser to access http://10.128.10.20.

The page will be slow to load, and there should only be page elements supplied by pool member 10.128.20.13:80.

* In the Configuration Utility, go to node 10.128.20.13, select Forced Offline, and then click Update.
* Open the Network Map page, and then click Update Map.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.

Eventually you’ll receive a page error, as there will be no pool members left to fulfill the request.

* In JMeter, if the load test is still running, click the Stop button.
* Save the 10.128.10.20 Test, and then close JMeter.
* In the Configuration Utility, continue to click Update Map until pool member 10.128.20.15:80 is again available.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.

You receive the Web page. All elements come from pool member 10.128.20.15:80.

* In the SSH session, to replace the text string in the HealthCheck.html Web page on 10.128.20.12:80:
  o Type: vi HealthCheck.html
  o Arrow to the location where you removed the text UP.
  o Type an “i” to enter insert mode.
  o Type UP.
  o Type the following commands: :wq
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.

There are now page elements coming from both 10.128.20.12:80 and 10.128.20.15:80.

* In the Configuration Utility on the Network Map page, click Update Map.

The virtual server and pool again display available. Pool members 10.128.20.11:80 and 10.128.20.14:80 display offline. Pool member 10.128.20.13:80 displays forced offline. Pool members 10.128.20.12:80 and 10.128.20.15:80 display available.

EXERCISE 5.3 – USING AN INBAND MONITOR

In this exercise you experiment with using a combination of passive monitoring and active monitoring.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create and Use an Inband Monitor

Create a custom inband monitor with a retry time of 0.

* Open the Local Traffic > Monitors page.
* Create a monitor using the following information, and then click Finished.

  Name         custom_inband_monitor
  Type         Inband
  Retry Time   0 seconds

TASK 2 – Update the HTTP Monitor

Configure custom_http_monitor to use the Up Interval setting.

* On the Monitors page, click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For the Up Interval value, select Enabled, then type 60 seconds, and then click Update.

With this configuration, LTM uses the up interval setting for the active monitor (60 seconds) as long as the inband monitor identifies the pool member available.
If the inband monitor identifies the pool member as suspect or offline, the regular interval is used for the active monitor (4 seconds).

TASK 3 – Update the HTTP Pool

Add custom_inband_monitor along with custom_http_monitor to http_pool.

* Open the Pool List page, and then click http_pool.
* From the Configuration list, select Advanced.
* Select custom_inband_monitor and click <<.
* From the Availability Requirement list box, select At Least, then type 1, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.

There are now page elements provided by 10.128.20.11:80 and 10.128.20.12:80.

* In the Configuration Utility, open the Network Map page.
* Click 10.128.20.11:80 and examine the Availability and Health Monitors statuses.
* Notice the custom_http_monitor fails, while the custom_inband_monitor succeeds.

Because we modified the availability requirement to 1 health monitor, the pool member is identified as available.

EXERCISE 5.4 – USING MANUAL RESUME

In this exercise you will modify the active HTTP monitor to use manual resume.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the HTTP Monitor

Modify custom_http_monitor to use manual resume. Also, remove custom_inband_monitor from http_pool.

* Open the Monitors page, and then click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For Up Interval, select Disabled.
* For Manual Resume, select Yes, and then click Update.
* Open the Pool List page, and then click http_pool.
* In the Active list, select custom_inband_monitor, and then click >>.
* From the Availability Requirement list box, select All, and then click Update.
* Wait 15 seconds, and then open the Network Map page.

Pool member 10.128.20.11:80 again displays offline.

TASK 2 – Update the Pool Members

Replace the HealthCheck.html Web page on pool member 10.128.20.11:80.
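The monitor behaviour this exercise relies on (interval 4, timeout 13, receive string SERVER_UP, Manual Resume) can be previewed with a timeline model; this is an added example, not F5 code or part of the original guide. It assumes the member is marked offline once TIMEOUT seconds pass without a matching response and treats the receive string as a plain substring match; the response bodies, state labels and function names are constructed for illustration.

```python
"""Simplified timeline model of custom_http_monitor with and without Manual Resume."""

INTERVAL = 4                 # seconds between probes (Exercise 5.2)
TIMEOUT = 13                 # seconds without a good response before marking down
RECEIVE_STRING = "SERVER_UP"
WAITING = "offline (waiting for manual resume)"

# Constructed response bodies for the situations the exercises create.
GOOD = "<html><body><p>SERVER_UP</p></body></html>"
EDITED = "<html><body><p>SERVER_</p></body></html>"   # "UP" deleted in vi
MISSING = None                                        # HealthCheck.html renamed


def probe_passes(body):
    """A probe passes only if a response arrived and contains the receive string."""
    return body is not None and RECEIVE_STRING in body


def monitor_timeline(bodies, manual_resume=False, admin_enable_at=None):
    """Return the [(second, state)] changes for probes sent every INTERVAL seconds.

    bodies[i] is the response to the probe at second (i + 1) * INTERVAL; the
    member is assumed to have passed a probe at second 0. admin_enable_at is
    the second at which an administrator sets the member back to Enabled.
    """
    state, last_ok, waiting_since = "available", 0, None
    events = [(0, state)]
    for i, body in enumerate(bodies, start=1):
        now = i * INTERVAL
        # The timeout can expire between two probes, so record the exact second.
        if state == "available" and last_ok + TIMEOUT <= now:
            state = "offline"
            events.append((last_ok + TIMEOUT, state))
        if (state == WAITING and admin_enable_at is not None
                and waiting_since <= admin_enable_at <= now):
            state = "available"
            events.append((admin_enable_at, state))
        if probe_passes(body):
            last_ok = now
            if state == "offline":
                # With Manual Resume a passing probe is not enough to go back up.
                state = WAITING if manual_resume else "available"
                waiting_since = now
                events.append((now, state))
    return events


# Page renamed after the probe at second 4 and restored before the probe at 24.
SCENARIO = [GOOD, MISSING, MISSING, MISSING, MISSING, GOOD, GOOD]

if __name__ == "__main__":
    for label, kwargs in [("automatic", {}),
                          ("manual resume", {"manual_resume": True}),
                          ("manual resume + enable at 26s",
                           {"manual_resume": True, "admin_enable_at": 26})]:
        print(label, monitor_timeline(SCENARIO, **kwargs))
```
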
* In the SSH session, to replace the HealthCheck.html Web page on 10.128.20.11:80, type:

  cd ..
  cd 1
  mv NewHealthCheck.html HealthCheck.html

* Close the SSH session.
* In the Configuration Utility, on the Network Map page, click Update Map.
* Hover over pool member 10.128.20.11:80.

The pool member 10.128.20.11:80 displays as forced offline, waiting for manual resume.

* Click 10.128.20.11:80.

When a monitor is set for manual resume, a BIG-IP system administrator must manually enable the pool member after the monitor is again identified as available.

* Select Enabled (All traffic allowed), and then click Update.
* Open the Network Map page.

The pool member 10.128.20.11:80 is now available.

TASK 3 – Reset the Environment

To prepare for the next exercises, reset the environment, including restoring the Ubuntu image from the clean snapshot.

* Go to the 10.128.20.13 node.
* Change the State to Enabled, and then click Update.
* Open the Monitors page, and then click custom_http_monitor.
* For Manual Resume, select No, and then click Update.
* Create an archive file named 5.4_monitors_v11.4.1.1.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > LAMP_3.2_Clean.
* Click Yes to restore LAMP_3.2.

MODULE 6 EXERCISES – USING PROFILES

EXERCISE 6.1 – USING AN HTTP PROFILE

In this exercise you will create a custom HTTP profile and add it to the HTTP virtual server. You will then examine how the HTTP profile changes the traffic management behavior.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Custom HTTP Profile

Create a custom HTTP profile.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
* Create an HTTP profile using the following information, and then click Finished.

  Name                       custom_http_profile
  Fallback Host              http://www.f5.com
  Fallback on Error Codes    404 500-503
  Response Headers Allowed   Content-Type Set-Cookie Location
  Insert X-Forwarded-For     Enabled
  Maximum Requests           50

Notice the current inherited setting for Maximum Header Size is 32768 bytes.

TASK 2 – Modify the Default HTTP Profile

Make a couple of modifications to the BIG-IP system default http profile, and then examine which values were inherited by custom_http_profile.

* On the Profiles: Services: HTTP page, click http.
* Edit the profile using the following information, and then click Update.

  Maximum Header Size   16384
  Maximum Requests      30

* On the Profiles: Services: HTTP page, click custom_http_profile.

Questions:
Did the custom profile inherit the maximum header size setting? ________________
Did the custom profile inherit the maximum requests setting? _______________

TASK 3 – Add the Custom HTTP Profile to a Virtual Server

Add custom_http_profile to http_vs.

* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on This Host section, click the Request and Response Headers link.
* Leave this browser open.
* In the Configuration Utility, open the Virtual Server List page, and then click http_vs.
* In the Configuration section, from the HTTP Profile list box, select custom_http_profile.
* Click Update.
* Use a second Web browser to access http://10.128.10.20.
* Click the Request and Response Headers link.
* Using both Web browsers, examine the different Response Headers delivered to the Client sections.

Questions:
Why are there fewer response headers in the second version of this Web page? _______________________________________________________________
Which response headers that were exposed in the first version of this Web page could be exploited by a hacker? ________________________________________________________________

* Using both Web browsers, examine the different Request Headers Received at the Server section.
Question: On the second version, what is the X-Forwarded-For value? _________________________

* Close the first Web browser.
* In the second Web browser, change the URL to http://10.128.10.20/badpage.php.

Questions:
What was the result of this request? ________________
Why were you redirected to www.f5.com? ___________________________________

* Close the Web browser.

TASK 4 – Update the Custom HTTP Profile

Update custom_http_profile with additional settings.

* In the Configuration Utility, open the Local Traffic > Profiles > Services > HTTP page, and then click custom_http_profile.
* Edit the profile using the following information, and then click Update.

  Request Header Erase       User-Agent
  Request Header Insert      Bigip-Httpvs:10.128.20.10
  Response Headers Allowed   Content-Type Set-Cookie Location X-Injected

* Use a Web browser to access http://10.128.10.20, and then click Request and Response Headers.

Questions:
Is the new Bigip-Httpvs request header displaying? ________________
Are you still seeing the User-Agent header? __________________

EXERCISE 6.2 – USING A STREAM PROFILE

In this exercise you will create a custom stream profile that will replace a static text string for responses from the customer’s Web site.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – View a Current Web Page

View the text that needs to be replaced on the customer’s Web site.

* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on this Host section, click Stream Profile Example.

This page has several references to the company’s previous name, Lorax Bank. Without going through the task of updating several pages across multiple Web servers, you’ll make this update on BIG-IP LTM using a stream profile.

TASK 2 – Create a Stream Profile

Create a custom stream profile that will find occurrences of the customer’s previous name and replace it with their updated company name.
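Looking back at Exercise 6.1, the following added sketch (not F5 code and not part of the original guide) applies the custom_http_profile settings to constructed request and response headers, which makes it easy to see which version-revealing headers stop reaching the client. The framing-header exception, the 302 status used for the fallback redirect, the client address and all function names are assumptions of the sketch.

```python
"""Model of the header handling configured in custom_http_profile (Exercise 6.1)."""

ALLOWED_RESPONSE_HEADERS = ["Content-Type", "Set-Cookie", "Location"]
# Assumption of this sketch: message-framing headers are never stripped.
FRAMING_HEADERS = ["Content-Length", "Transfer-Encoding", "Connection"]
FALLBACK_HOST = "http://www.f5.com"
FALLBACK_CODES = "404 500-503"
ERASE_REQUEST_HEADER = "User-Agent"
INSERT_REQUEST_HEADER = ("Bigip-Httpvs", "10.128.20.10")

# Constructed sample traffic (not captured from the lab).
SAMPLE_RESPONSE = [
    ("Server", "Apache/2.2.14 (Ubuntu)"),
    ("X-Powered-By", "PHP/5.3.2"),
    ("Content-Type", "text/html"),
    ("Content-Length", "1024"),
    ("Set-Cookie", "session=abc"),
]
SAMPLE_REQUEST = [
    ("Host", "10.128.10.20"),
    ("User-Agent", "Mozilla/5.0"),
    ("Accept", "*/*"),
]


def parse_codes(spec):
    """Expand a 'Fallback on Error Codes' value such as '404 500-503'."""
    codes = set()
    for token in spec.split():
        low, _, high = token.partition("-")
        codes.update(range(int(low), int(high or low) + 1))
    return codes


def filter_response(status, headers):
    """Return (status, headers, removed_names) as the client would see them."""
    if status in parse_codes(FALLBACK_CODES):
        # Server errors are hidden behind a redirect to the fallback host.
        return 302, [("Location", FALLBACK_HOST)], [name for name, _ in headers]
    keep = {h.lower() for h in ALLOWED_RESPONSE_HEADERS + FRAMING_HEADERS}
    kept = [(n, v) for n, v in headers if n.lower() in keep]
    removed = [n for n, _ in headers if n.lower() not in keep]
    return status, kept, removed


def rewrite_request(headers, client_ip):
    """Return the request headers as the pool member would receive them."""
    out = [(n, v) for n, v in headers
           if n.lower() != ERASE_REQUEST_HEADER.lower()]
    # Appended after any client-supplied value (assumption), so the last
    # X-Forwarded-For entry is the one the proxy wrote.
    out.append(("X-Forwarded-For", client_ip))
    out.append(INSERT_REQUEST_HEADER)
    return out


if __name__ == "__main__":
    status, kept, removed = filter_response(200, SAMPLE_RESPONSE)
    print("removed from response:", removed)
    print("404 becomes:", filter_response(404, SAMPLE_RESPONSE)[:2])
    print("request at server:", rewrite_request(SAMPLE_REQUEST, "10.128.10.1"))
```
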
* In the Configuration Utility, open the Local Traffic > Profiles > Other > Stream page, and then click Create.
* Create a stream profile using the following information, and then click Finished.

  Name     custom_stream
  Source   Lorax Bank
  Target   Lorax Investments

TASK 3 – Add the Custom Stream Profile to a Virtual Server

Add custom_stream to http_vs.

* Open the Virtual Server List page, and then click http_vs.
* From the Configuration list box, select Advanced.
* In the Configuration section, from the Stream Profile list box, select custom_stream.
* In the Acceleration section, from the HTTP Compression Profile list box, select httpcompression, and then click Update.
* Return to the F5 vLab Test Web page and refresh the Welcome to Lorax Bank page.

The stream profile replaced all occurrences of the string “Lorax Bank” with “Lorax Investments”.

* Close the Web browser.
* Create an archive file named 6.2_profiles_v11.4.1.1.

MODULE 7 EXERCISES – PERFORMANCE PROFILES

EXERCISE 7.1 – USING COMPRESSION AND ACCELERATION

In this exercise you will use iMacros for Firefox to create a recording of a visit to the HTTP virtual server. You will then create several optimization profiles, including HTTP compression, caching, and TCP. You will create a similar HTTP pool and virtual server and add the profiles to the new virtual server. You’ll then record a similar visit to the Web site using iMacros for Firefox and identify improvements.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Install iMacros for Firefox

Install iMacros for Firefox.

* Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/.
* Download and install iMacros for Firefox.

TASK 2 – Record BIG-IP LTM Performance without Optimization

Clear the statistics, then update http_vs by removing the HTTP and stream profiles, and then record a visit to the HTTP virtual server using iMacros for Firefox.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Statistics > Module Statistics > Local Traffic page.
* Reset the virtual server, pool, and pool member statistics.
* Open the Virtual Server List page, and then click http_vs.
* From the HTTP Profile list box, select None.
* From the Stream list box, select None, and then click Update.
* Use a Mozilla Firefox browser to access http://10.128.10.20.
* Click I Understand the Risks, then click Add Exception, and then click Confirm Security Exception.
* If it’s not already displayed, enable the iMacros pane.
* In the iMacros pane, select the Rec tab, and then click Record.
* Record the following series of clicks:
  o Click Welcome, and then click the banner at the top of the page to return to the home page.
  o Click HTTP Compress Example, and then click the banner at the top of the page.
  o Click Stream Profile Example, and then click the banner at the top of the page.
  o Click Mask Sensitive Content Example, and then click the Back button.
  o Click Simple HTTP Request, and then click the Back button.
  o Click Request and Response Headers, and then click the banner at the top of the page.
* Click Stop.
* Use Ctrl+F5 five times to refresh the page.
* Select the Welcome link, and then click on the banner at the top of the page to return to the home page.
* Click the Welcome link.
* Use Ctrl+F5 five times to refresh the page.
* Click the banner at the top to return to the home page.
* HTTP Compress
* Multiple Stream Example.
* bigtext.txt.
* Change the U
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, select 10.128.10.20 Test.
* Change the Number of Threads (users) to 50.
* Change the Loop Count to 2.
* Go to Run > Start.
* Select Summary Report to monitor the results.

When the total # Samples value reaches 300, the test is complete.

Questions:
What is the Total Throughput value? ___________________
What is the Total KB/sec value? ____________________
What is the Total Avg. Bytes value? ___________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression.

There is no compression taking place.

* Click the Back button, and then click the View link for Web Acceleration.

There is no caching taking place.

TASK 2 – Configure HTTP Compression and Fast Cache

Create a custom HTTP compression profile and a custom Web acceleration profile.

* Open the Acceleration > Profiles > HTTP Compression page.
* Create an HTTP Compression profile using the following information, and then click Finished.

  Name                     custom_compression
  Parent Profile           wan-optimized-compression
  Content Compression      Content List…
  Content Type             (Click Include after each entry) *.png *.jpg *.php
  Minimum Content Length   10 bytes
  gzip Compression Level   6 – Optimal Compression
  Browser Workarounds      Enabled

* Open the Acceleration > Profiles > Web Acceleration page.
* Create a Web Acceleration profile using the following information, and then click Finished.

  Name             custom_caching
  Parent Profile   optimized-acceleration
  Cache Size       500 megabytes

TASK 3 – Configure TCP Express and Content Spooling

Enable TCP optimization between the client and BIG-IP LTM, and between BIG-IP LTM and the pool members.

* Open the Local Traffic > Profiles > Protocol > TCP page.
* Create a TCP profile using the following information, and then click Repeat.

  Name             custom_tcp_server_profile
  Parent Profile   tcp_lan_optimized

* Create another TCP profile using the following information, and then click Finished.

  Name                custom_tcp_client_profile
  Parent Profile      tcp_wan_optimized
  Delayed Acks        Disabled
  Proxy Buffer High   196608
  Selective NACK      Enabled
  Nagle’s Algorithm   Disabled

TASK 4 – Configure OneConnect

Create a custom OneConnect profile.

* Open the Local Traffic > Profiles > Other > OneConnect page.
* Create a OneConnect profile using the following information, and then click Finished.

  Name           custom_oneconnect
  Source Mask    255.255.0.0
  Maximum Size   12000

TASK 5 – Create a Pool and Virtual Server

Create a new pool and virtual server to use with the new performance profiles.

* Create a pool using the following information, and then click Finished.

  Name                    http_pool2
  Health Monitors         custom_http_monitor
  Load Balancing Method   Round Robin
  Members                 (Use the Node List option)

  Node           Service Port
  10.128.20.11   80
  10.128.20.12   80
  10.128.20.13   80
  10.128.20.14   80
  10.128.20.15   80

* Create a virtual server using the following, and then click Finished.

  Name                         http_vs2
  Destination                  10.128.10.21
  Service Port                 80 (HTTP)
  Configuration                Advanced
  Protocol Profile (Client)    custom_tcp_client_profile
  Protocol Profile (Server)    custom_tcp_server_profile
  HTTP Profile                 http
  Source Address Translation   Auto Map
  OneConnect Profile           custom_oneconnect
  HTTP Compression Profile     custom_compression
  Web Acceleration Profile     custom_caching
  Default Pool                 http_pool2

TASK 6 – Record BIG-IP LTM Performance with Optimization

Record traffic statistics with BIG-IP LTM optimization configured.

* In JMeter, in the navigation panel, select HTTP Request Defaults.
* Change the Server Name or IP to 10.128.10.21.
* Select Summary Report, and then go to Run > Clear.
* Go to Run > Start.
* Select Summary Report to monitor the results.

When the total # Samples value reaches 300, the test is complete.

Questions:
What is the Total Throughput value? ___________________
What is the Total KB/sec value? ____________________
What is the Total Avg. Bytes value? ___________________

* In the Configuration Utility, view the Virtual Servers statistics.

Questions:
Was there a significant difference in the number of bits coming in or out of the virtual servers? _______________
How many maximum connections were opened for http_vs? ______________________
How many total connections were opened for http_vs? ________________________
How many maximum connections were opened for http_vs2? ______________________
How many total connections were opened for http_vs2? ________________________

* Reset the statistics for both virtual servers.
* View the Pools statistics.

Questions:
Was there a significant difference in the number of bits coming in or out of the pools? _______________
Did caching lower the number of packets out for http_pool2? _____________
Did OneConnect lower the number of connections required for http_pool2? _____________

* Reset the statistics for both pools and all pool members.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression.

Compression is now taking place for HTML content.

* Click the Back button, and then click the View link for Web Acceleration.

There should now be many cache hits.

* Create an archive file named 7.1_performance_profiles_v11.4.1.1.

MODULE 8 EXERCISES – PERSISTENCE PROFILES

EXERCISE 1.8A – USING SOURCE ADDRESS PERSISTENCE

In this exercise you will create a source address persistence profile and examine how it changes the BIG-IP load balancing decision.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Update the HTTP Pool

Update the HTTP pool to use round robin load balancing.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Pool List page, and then select http_pool.
* Select the Members tab.
* Change the Load Balancing Method to Round Robin.
* Open a new Web browser and access http://10.128.10.20.

Question: Are requests coming from one or several pool members?
______________________

TASK 2 – Create a Source Address Persistence Profile

Create a custom source address persistence profile and add it to the HTTP virtual server.

* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Click Create.
* Create a persistence profile using the following information:

  Name               custom_source_addr
  Persistence Type   Source Address Affinity
  Timeout            15 seconds
  Mask               Specify: 255.255.255.0

* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
Are requests coming from one or several pool members? ______________________
Which pool member is supplying the content for this request? ____________________

* Wait at least 15 seconds and then use Ctrl+F5 to refresh the page again.

Questions:
Was the same pool member used for this request? _______________
If not, why not? _________________________________________________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
* Refresh the Statistics page.
* Continue to click Refresh and note the value in the Age column.
* Close the http://10.128.10.20 Web browser.

EXERCISE 1.8B – USING COOKIE PERSISTENCE

In this exercise you will create a custom cookie persistence profile, and then add it in place of the source address persistence profile.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Cookie Persistence Profile

Create a custom cookie persistence profile, and then add it in place of the source address persistence profile.

* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
- Create a persistence profile using the following information:

    Name               custom_cookie
    Persistence Type   Cookie
    Cookie Method      HTTP Cookie Insert
    Cookie Name        BIGIP_mycookie
    Expiration         Session Cookie (cleared) 8 hours

- Click Finished.
- Open the Virtual Server List page, and then select http_vs.
- Select the Resources tab.
- From the Default Persistence Profile list, select custom_cookie.
- Click Update.

Questions:
Was the update successful? _______________
If not, why not? _________________________________________________________

- Select the Properties tab.
- For HTTP Profile, select the default http profile.
- Repeat the steps above to update the persistence profile to custom_cookie.
- Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.
- In the Content Examples on this Host section, select Display Cookie.
- In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
- Select Persistence Records from the Statistics Type list.

Question:
Is there a persistence record for this session? _______________
If not, why not? _________________________________________________________

EXERCISE 1.8C – VIEW PERSISTENCE WITH DISABLED AND OFFLINE POOL MEMBERS

In this exercise you will examine how persistence works with both disabled and offline pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the Source Address Profile and the Virtual Server

Update the timeout value in the source address persistence profile, and then update the HTTP virtual server to use the source address persistence profile.

- Open the Local Traffic > Profiles > Persistence page.
- Select custom_source_addr.
- Update the Timeout to 60 seconds.
- Open the Virtual Server List page, and then select http_vs.
- Select the Resources tab.
- From the Default Persistence Profile list, select custom_source_addr.
- Click Update.
TASK 2 – View Effects of Disabled and Offline Pool Members

Make a couple of modifications to the default http profile, and then examine which values were inherited by the custom HTTP profile.

- Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.

Question: Which pool member are you currently persisting to? _______________

- In the Configuration Utility, disable the pool member from your answer above.
- Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
Did you persist to the same pool member? _______________
Can disabled pool members service client requests? ________________

- In the Configuration Utility, select Forced Offline for the pool member from your answer above.
- Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
Did you persist to the same pool member? _______________
Can offline pool members service client requests? ________________

- In the Configuration Utility, re-enable the pool member from your answer above.
- Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Question: Did your persistence session go back to the original pool member? _______________

- Close the Web browser.

EXERCISE 1.8D – USING MATCH ACROSS VIRTUAL SERVERS

In this exercise you will use persistence with two virtual servers. It’s critical that users are persisted to the same pool member, regardless of which virtual server they access.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Clear Statistics and View Access to Two Virtuals

View how requests are currently being handled through both virtual servers.

- In the Configuration Utility, open the Virtual Server List page, and then select http_vs2.
- For Protocol Profile (Client), select tcp.
- For Protocol Profile (Server), select (Use Client Profile).
- For each of the following, select None.
    - HTTP Profile
    - OneConnect
- Click Update.
- Open the Statistics > Module Statistics > Local Traffic page.
- Ensure the statistics for both virtual servers and pools, and pool members have been reset.
- Open up a new Web browser and access https://10.128.10.20.
- Type Ctrl+F5 exactly three times.
- Open up a new Web browser and access https://10.128.10.21.
- Type Ctrl+F5 exactly three times.
- Close both Web browsers.
- In the Configuration Utility, refresh the pools statistics.

Questions:
Are requests for http_pool persisting to one pool member? _______________
Are requests for http_pool2 persisting to one pool member? ________________

- Reset the statistics for both pools and all pool members.

TASK 2 – Enable Persistence for http_vs2

Add the source address persistence profile to the second HTTP virtual server.

- Open the Virtual Servers page, and then select http_vs2.
- Select the Resources tab.
- For Default Persistence Profile, select custom_source_addr.
- Click Update.
- Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
- Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
- Close both Web browsers.
- In the Configuration Utility, refresh the pools statistics.

Questions:
Are requests for http_pool persisting to one pool member? _______________
Are requests for http_pool2 persisting to one pool member? ________________
Are requests for each different pool persisting to the SAME pool member? ___________

- Reset the statistics for both pools and pool members.

TASK 3 – Enable Match Across Virtual Servers

Update the source address persistence profile to use the Match Across Virtual Servers option.

- Open the Persistence profiles page, and then select custom_source_addr.
- Enable Match Across Virtual Servers.
- Click Update.
- Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
- Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
- Close both Web browsers.
- In the Configuration Utility, refresh the pools statistics.

Question: Are requests for each different pool persisting to the SAME pool member? ___________

- Reset the statistics for both pools and pool members.
- Create an archive file named 1.8_persistence_profiles_v11.4.0.1.

MODULE 9 EXERCISES – SSL TERMINATION

EXERCISE 1.9A – SUPPORTING SSL TRAFFIC

In this exercise you’ll set up the BIG-IP to support processing SSL traffic. First you’ll configure the BIG-IP to simply pass SSL traffic through to the pool members. Then you’ll configure the BIG-IP for SSL termination.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Create a Self-Signed Certificate

Create a self-signed certificate for www.f5demo.com.

- In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the System > File Management > SSL Certificate List page.
- Click Create.
- Create a self-signed certificate using the following information:

    Name          custom_ssl_cert
    Type          Self
    Common Name   www.f5demo.com
    Lifetime      3650 days
    Key Type      RSA
    Size          2048 bits

  Fill in the remaining fields however you like.
- Click Finished.

TASK 2 – Create a Client SSL Profile

Create a client SSL profile using the self-signed certificate.

- Open the Local Traffic > Profiles > SSL > Client page.
- Click Create.
- Create a client SSL profile using the following information:

    Name          custom_client_ssl
    Certificate   custom_ssl_cert
    Key           custom_ssl_cert

- Click Finished.

TASK 3 – Create a Custom HTTPS Monitor

Create a custom HTTPS monitor that requests the index.php Web page from the pool member and then verifies that a text string is returned in the response.

- Open the Local Traffic > Monitors page.
- Create a monitor using the following:

    Name             custom_https_monitor
    Type             HTTPS
    Send String      GET /index.php\r\n
    Receive String   FSE vLab Test Web Site

- Click Finished.
TASK 4 – Create an HTTPS Pool and Virtual Server

Create a pool and a virtual server to support SSL traffic, and then test access using a Web browser.

- Open the Pool List page.
- Create a pool using the following:

    Name                    https_pool
    Health Monitors         custom_https_monitor
    Load Balancing Method   Round Robin
    Members                 (Use the Node List option)

        Node            Service Port
        10.128.20.11    443
        10.128.20.12    443
        10.128.20.13    443
        10.128.20.14    443
        10.128.20.15    443

- Click Finished.
- Open the Virtual Server List page.
- Create a virtual server using the following:

    Name           https_vs
    Destination    Host: 10.128.10.20
    Service Port   443 (or HTTPS)
    Default Pool   https_pool

- Click Finished.
- Open a new Web browser and access https://10.128.10.20.
- View the URI and the information in the Pool member address/port.

Questions:
Is the connection between the client and BIG-IP LTM secured? _____________
Is the connection between BIG-IP LTM and the pool member secured? _____________

- Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page. Each request is load balanced to different pool members.
- Close the Web browser.

TASK 5 – Add Cookie Persistence to the HTTPS Virtual Server

Attempt to add cookie persistence to the HTTPS virtual server and then verify the results.

- In the Configuration Utility, open the Virtual Server List page, and then select https_vs.
- For HTTP Profile, select custom_http_profile.
- Click Update.
- Select the Resources tab.
- For Default Persistence Profile, select custom_cookie.
- Click Update.
- Open a new Web browser and access https://10.128.10.20.

Questions:
Did the Web page display? _____________
If not, why not? _______________________________________________________

TASK 6 – Enable SSL Termination with the HTTPS Virtual Server

Enable SSL termination on the HTTPS virtual server, and then verify the results.

- In the Configuration Utility, on the https_vs page, open the Properties page.
- For SSL Profile (Client), move custom_client_ssl from the Available list to the Selected list.
- For SSL Profile (Server), move serverssl from the Available list to the Selected list.
- Click Update.
- Refresh the https://10.128.10.20 Web browser.
- Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page.
- Update the URI to https://10.128.10.20/badpage.exe.

Questions:
Did the Web page display? _____________
Is the connection between the client and BIG-IP LTM secured? _____________
Is the connection between BIG-IP LTM and the pool member secured? _____________
Is cookie persistence working? _____________
Is BIG-IP LTM processing the HTTP profile? _____________

- Edit the URI to https://10.128.10.20.
- Right-click and select Properties.
- Click Certificates.

Question: How can you identify that this is a self-signed certificate? _________________________

- Close the Web browser.

EXERCISE 1.9B – ENABLING SSL OFFLOAD

In this exercise you will update the HTTPS virtual server to perform SSL offload, sending unencrypted traffic to the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Import an SSL Certificate and Key

Import the lamp.f5demo.com certificate and key.

- In the Configuration Utility, open the System > File Management > SSL Certificate List page.
- Click Import.
- From the Import Type list, select Certificate.
- In the Certificate Name box, leave Create New selected and type lamp.
- Click the Browse button.
- Navigate to the Exercise_Files folder and select the lamp.f5demo.com.cer file, and then click Open.
- Click Import.
- Once the certificate has been imported, click Import again to import the corresponding key.
- From the Import Type list, select Key.
- In the Key Name box, leave Create New selected and type lamp.
- Click the Browse button.
- Navigate to the Exercise_Files folder and select the lamp.f5demo.com.key file, and then click Open.
- Click Import.
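Before a certificate and key are imported as in Task 1 above, it is worth confirming that the two files belong together, and the same openssl calls show what separates the self-signed certificate of Exercise 1.9A from one issued by a CA. The script below is an added example, not part of the F5 guide: it generates its own constructed key material with the Exercise 1.9A parameters rather than using the lab's lamp.f5demo.com files, and the function names, file names and the "Constructed Lab CA" are assumptions.

```shell
#!/bin/sh
# Added example: checks worth running on a certificate and key before import.
# All key material is generated here (constructed sample data); function and
# file names are assumptions made for this example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate with the values from Exercise 1.9A:
# CN www.f5demo.com, 3650-day lifetime, RSA 2048.
# $1 = key file to write, $2 = certificate file to write, $3 = common name
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null
}

# Certificate issued by a separate, constructed CA, for comparison.
# $1 = CA key, $2 = CA cert, $3 = key file to write, $4 = cert file to write,
# $5 = common name
make_ca_issued() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$5" \
        -keyout "$3" -out "$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$3.csr" -CA "$2" -CAkey "$1" -set_serial 1 \
        -days 365 -out "$4" 2>/dev/null
}

# True when the certificate carries the public key that belongs to the
# private key. A mismatched pair cannot be used for TLS.
# $1 = key file, $2 = certificate file
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True when subject and issuer are the same name and the signature verifies
# with the certificate's own public key.
# $1 = certificate file
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when the certificate is still valid $2 days from now.
# $1 = certificate file, $2 = number of days
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the checks for one key/certificate pair.
# $1 = label, $2 = key file, $3 = certificate file
report() {
    if pair_matches "$2" "$3"; then m=yes; else m=no; fi
    if is_self_signed "$3"; then s=yes; else s=no; fi
    echo "$1: key matches certificate=$m, self-signed=$s"
    openssl x509 -in "$3" -noout -subject -issuer -enddate
}

SS_KEY=$WORK/custom_ssl_cert.key
SS_CRT=$WORK/custom_ssl_cert.crt
CA_KEY=$WORK/ca.key
CA_CRT=$WORK/ca.crt
LAMP_KEY=$WORK/lamp.key
LAMP_CRT=$WORK/lamp.crt

make_self_signed "$SS_KEY" "$SS_CRT" www.f5demo.com
make_self_signed "$CA_KEY" "$CA_CRT" "Constructed Lab CA"
make_ca_issued "$CA_KEY" "$CA_CRT" "$LAMP_KEY" "$LAMP_CRT" lamp.f5demo.com

report "Self-signed (Exercise 1.9A values)" "$SS_KEY" "$SS_CRT"
report "CA-issued (constructed)" "$LAMP_KEY" "$LAMP_CRT"
report "Mismatched key and certificate" "$SS_KEY" "$LAMP_CRT"
```

To check the lab files instead, call pair_matches with the paths to lamp.f5demo.com.key and lamp.f5demo.com.cer; this assumes the .cer file is PEM encoded, otherwise add -inform DER to the x509 call.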
TASK 2 – Create a Client SSL Profile

Create a new custom client SSL profile using the lamp.f5demo.com certificate and key.

- Open the Local Traffic > Profiles > SSL > Client page.
- Create a client SSL profile using the following information:

    Name          lamp_client_ssl
    Certificate   lamp
    Key           lamp

- Click Finished.

TASK 3 – Update Your Local Hosts File

Add an entry to your local hosts file for lamp.f5demo.com.

- Open Notepad and select Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
- Open the C:\Windows\System32\drivers\etc\hosts file.
- Add an entry for:

    10.128.10.30 lamp.f5demo.com

- Save and close the hosts file.

TASK 4 – Create an Offload Virtual Server

Create a new virtual server that will perform SSL offload.

- Open the Virtual Server List page.
- Create a virtual server using the following:

    Name                          offload_vs
    Destination                   Host: 10.128.10.30
    Service Port                  443 (or HTTPS)
    Configuration                 Advanced
    HTTP Profile                  custom_http_profile
    Stream Profile                custom_stream
    SSL Profile (Client)          lamp_client_ssl
    HTTP Compression Profile      custom_compression
    Default Pool                  http_pool
    Default Persistence Profile   custom_cookie

- Click Finished.
- Open a new Web browser and access https://lamp.f5demo.com.
- View the URI and the information in the Pool member address/port.

Questions:
Is the connection between the client and BIG-IP LTM secured? _____________
Is the connection between BIG-IP LTM and the pool member secured? _____________
Is cookie persistence working? _____________

- Select the Request and Response Headers link.

Question: Is the BIG-IP processing the HTTP profile? _____________

- Click the Back button, and then select the Stream Profile Example link.

Question: Is the BIG-IP processing the stream profile? _____________

TASK 5 – Verify the New Certificate

Test the new certificate being used by the offload virtual server.

- Right-click the page and select Properties.
- Click Certificates.

Question: Who issued this certificate?
_____________________________
When does it expire? _________________________________

- Close the Web browser.
- In the Configuration Utility, create an archive file named 1.9_ssl_termination_v11.4.0.1.

MODULE 10 EXERCISES – NATS AND SNATS

EXERCISE 1.10A – USING A NAT

In this exercise you will configure a NAT to pass traffic between an external device and a specific internal node.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Configure a NAT

Create a custom NAT to give external users access to a specific node in the 10.128.20.0 network.

- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the Local Traffic > Address Translation > NAT List page.
- Click Create.
- Create a NAT using the following:

    Name             custom_NAT
    NAT Address      10.128.10.200
    Origin Address   10.128.20.13
    State            Enabled

- Click Finished.

TASK 2 – Testing the NAT – Inbound

Test the NAT by opening the new NAT address using several application services.

- Open a new Web browser and access http://10.128.10.200. Note that all items are coming from pool member #3 (10.128.20.13).
- Edit the URL to https://10.128.10.200.
- Using Putty, open an SSH session to 10.128.10.200.

NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.

Note that you can connect to multiple services through the NAT and that you are always connected to 10.128.20.13.

- Close the Web browser and the Putty window.

TASK 3 – Disable the NAT

Disable the NAT to ensure that it won’t interfere with future exercises.

- In the Configuration Utility on the NAT List page, select custom_NAT.
- From the State list, select Disabled.
- Click Update.
- Confirm that the NAT is no longer available by opening a new Web browser and attempting to access http://10.128.10.200.

EXERCISE 1.10B – USING SNATS

In this exercise you will configure a SNAT to pass traffic between an external device and internal nodes.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 25 minutes

TASK 1 – Testing Behavior without a SNAT

Open the HTTP virtual server and examine what the back-end Web server sees as the client IP address.

- Open a new Web browser and access http://10.128.10.20.
- View the information in the Request Details section.

Questions:
What is the client IP address? __________________________
What device “owns” this IP address? _________________________________

TASK 2 – Using SNAT Auto Map with the HTTP Virtual Server

Update the HTTP virtual server by enabling SNAT Auto Map.

- In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
- In the Configuration section, from the Source Address Translation list, select Auto Map.
- Click Update.
- Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.

Questions:
What is the client IP Address? __________________________
What device “owns” this IP address? ________________________
When using SNAT, how can we ensure that the back-end Web server can identify the true client IP address? _________________________________________________________________________

- In the Configuration Utility, update http_vs by selecting custom_http_profile.
- In the http://10.128.10.20 Web page, select the Request and Response Headers link.

Question: What is the X-Forwarded-For value? _________________________

- Close the Web browser.

TASK 3 – Create a SNAT

Create a custom SNAT to give external users in the 10.128.10.0 network access to several nodes in the 10.128.20.0 network.

- In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
- Click Create.
- Create a SNAT using the following:

    Name           custom_SNAT
    Translation    IP Address: 10.128.20.201
    Origin         Address List
    Address List   Network   Address: 10.128.10.0   Mask: 255.255.255.0 (be sure to click Add)

- Click Finished.
- Open a new Web browser and access http://10.128.10.20.
- Update the URI to http://10.128.10.21.
- Update the URI to https://10.128.10.20.
- Close the Web browser.

Questions:
Did every connection use the new SNAT? __________________
If not, which one didn’t? __________________________________________________

- Update the http_vs by selecting None for Source Address Translation.
- Update the http_vs2 by selecting None for Source Address Translation.
- Open a new Web browser and access http://10.128.10.20.
- Edit the URI to http://10.128.10.21.
- Close the Web browser.

TASK 4 – Create a SNAT Pool

Create a SNAT pool and then use the SNAT pool with a virtual server.

- In the Configuration Utility, open the Local Traffic > Address Translation > SNAT Pool List page.
- Click Create.
- Create a SNAT pool using the following:

    Name          custom_SNAT_pool
    Member List   10.128.20.222
                  10.128.20.223
                  10.128.20.224 (be sure to click Add)

- Click Finished.
- Open the Virtual Server List page, and then select http_vs2.
- For Source Address Translation, select SNAT.
- For SNAT Pool, select custom_SNAT_pool.
- Click Update.
- Open a new Web browser and access http://10.128.10.21.

Question: Which IP address was used for the SNAT address? _____________________________

- Close the Web browser.

TASK 5 – Creating a SNAT for Internal Users

Create a SNAT to give internal users access to external resources through BIG-IP LTM.

- In the VMware Workstation console, select the LAMP image and click Login.
- Open Firefox and attempt to access http://www.yahoo.com.

NOTE: The request should fail. If your request is successful, it’s likely because you enabled Network Adapter 4 for the Ubuntu image in VMware Workstation.

- In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
- Create a SNAT using the following:

    Name           internal_SNAT
    Translation    IP Address: 10.128.1.100
    Origin         Address List
    Address List   Network   Address: 10.128.20.0   Mask: 255.255.255.0 (be sure to click Add)

- Click Finished.
- In the LAMP VMware image, refresh the http://www.yahoo.com Web page.
- In the Configuration Utility, create an archive file named 1.10_nat_snat_v11.4.0.1.

TASK 6 – Delete the SNATs

Delete both SNATs as they aren’t needed for the remaining exercises.

- In the Configuration Utility, on the SNAT List page, select the checkbox for both custom_SNAT and internal_SNAT, and then click Delete twice.

MODULE 10 EXERCISES – IRULES

EXERCISE 1.11A – WRITING YOUR FIRST IRULE

In this exercise you’ll download and install the iRule Editor from DevCentral. You’ll then use the iRule Editor to connect to your BIG-IP and write your first iRule. You’ll then download an iRule from DevCentral and use the iRule as is.

* Estimated completion time: 25 minutes

TASK 1 – Download the iRule Editor

Access and log in to DevCentral, and then download the iRule Editor. You do not need to perform this task if you already have the iRule Editor installed on your workstation.

- Open a new Web browser and access http://devcentral.f5.com.
- Log in using your DevCentral user account, or create a DevCentral user account.
- On the left navigation menu select iRules.
- On the left navigation menu select iRule Editor.
- Download and install the iRulerSetup.msi file.

TASK 2 – Open the iRule Editor

Open the iRule Editor and explore the application.

- From your Start menu, launch the F5 iRule Editor.
- Click the iRules Reference button. This opens the iRules Wiki Home page on DevCentral.
- Close the Web browser.
- Click the TCL Reference button. This opens the TCL command reference page.
- Click the set link. We’ll be covering the set command shortly.
- Close the Web browser.

TASK 3 – Use the iRule Editor to Connect to Your BIG-IP

Use the iRule Editor to connect to the external self IP address of your BIG-IP system.

- In the iRule Editor, select File > Connect.
- In the Hostname box type 10.128.10.240.
- In the Username and Password boxes enter the username and password you created in Exercise 1.1C.
- Click OK.

Questions:
Did you successfully connect?
________________
Which port is being used to connect to the BIG-IP system? __________________

- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the Network > Self IPs page, and then select external_selfIP.
- Add the required port to the Custom List, and then click Update.
- In the iRule Editor, attempt to connect again using the same username and password.

TASK 4 – Create Your First iRule

Create a basic iRule to log information when a client connection is accepted by the BIG-IP.

- In the left navigation menu of the iRules Editor, select Local Traffic.
- Select File > New.
- Name the new iRule exercise_iRule.
- Select the Custom tab.
- Select the CLIENT_ACCEPTED event, and then click OK.
- Edit the text inside of the double-quotes to: "Client connection accepted"
- Select the View menu. By default, the iRule Editor displays several annotations to help you write iRules.
- Select both Whitespace and End of Line.
- Click Save. This will check the syntax of the iRule. You’ll get a notification at the bottom of the iRules Editor of any syntax errors.
- In the Configuration Utility, open the Local Traffic > iRules > iRules List page. The iRule was saved on the BIG-IP.
- Select exercise_iRule. Note how different it is viewing and editing an iRule in the Configuration Utility versus the iRule Editor.

TASK 5 – Add the iRule to the HTTP Virtual Server

Add the new iRule to the existing HTTP virtual server, and then verify the iRule.

- Open the Virtual Server List page, and then select http_vs.
- Ensure that the HTTP Profile is set to http. Click Update if necessary.
- Open the Resources page.
- For Default Persistence Profile, select None.
- Click Update.

NOTE: We are removing persistence in order to use iRules for all BIG-IP LTM load balancing decisions.

- In the iRule section, click Manage.
- Move the exercise_iRule from the Available list to the Enabled list.
- Click Finished.
- Open Putty, then access and log in to 10.128.10.240.
NOTE: For easier viewing of log entries, we recommend resizing the Putty window, making it bigger both horizontally and vertically.

- At the CLI prompt, type:

    tail -f /var/log/ltm

- Type the Enter key a few times to move the existing log entries to the top of the window.
- Open up a new Web browser and access http://10.128.10.20.
- View the Putty window.

Questions:
Was the iRule triggered? _______________
How many client connections were required for this request? _________________

TASK 6 – Save the Current iRule to your Offline iRules

Create a new iRule, then copy your current iRule to the new iRule, and then copy the new iRule to your offline iRules.

- In the iRule Editor, select Local Traffic, and then select File > New.
- Name the new iRule exercise1A_iRule, use the Blank template, and then click OK.
- Copy the code from exercise_iRule and paste into exercise1A_iRule.
- Save exercise1A_iRule.
- Right-click exercise1A_iRule and select Copy Offline. The new iRule is saved under Offline iRules, which is stored on your local workstation. This will enable you to use this iRule on any BIG-IP that you can connect to.

NOTE: In the iRules exercises, we will continue to make modifications to the exercise_iRule, and then save the iRule from each exercise to your Offline iRules. This will enable us to continue to make updates to the iRule without needing to update the virtual server.

TASK 7 – Using an iRule from DevCentral

Use an iRule from DevCentral to prevent valid credit card numbers from being returned to users.

- Open a new Web browser and access http://10.128.10.20.
- Select the Mask Sensitive Content Example link. This page contains confidential information that we’d like to prevent from being sent in an HTTP response.
- In the iRule Editor, use the iRules Reference button to access DevCentral.
- On the left navigation menu, select CodeShare.
- Find an iRule that scrubs out credit cards from HTTP traffic. (NOTE: Don’t use the iRule that uses a stream profile.)
- In the iRules Source section, click on the view source button.
- Select and copy all of the iRules code.
- In the iRule Editor, for exercise_iRule, delete the existing code, and then paste the contents of the credit card scrubber.
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/privatedata.html Web page.
- Close the Web browser.

FOR EXTRA CREDIT

- Update the iRule to change the character used for scrubbing from “X” to “*”.
- Test by refreshing the credit card accounts page.

TASK 8 – Save the Current iRule to your Offline iRules

- In the iRule Editor, select Local Traffic, and then select File > New.
- Name the new iRule exercise1B_iRule, use the Blank template, and then click OK.
- Copy the code from exercise_iRule and paste into exercise1B_iRule.
- Save exercise1B_iRule.
- Right-click exercise1B_iRule and select Copy Offline.

EXERCISE 1.11B – USING IRULE EVENTS

In this exercise you experiment with some of the events that you can use to trigger an iRule.

* Estimated completion time: 20 minutes

TASK 1 – Update the iRule with Multiple Events

Update the exercise_iRule by adding several events.

- In the iRule Editor, select exercise1A_iRule and copy all of the code.
- Select exercise_iRule and delete all of the existing code, and then paste the copied text.
- Place the cursor at the beginning of line 1, and then type Enter a couple of times.
- At the beginning of line 1 start typing the word when.
- When the iRule Editor prompts for the word, type the Enter key to accept the full word when.
- After when, start typing RULE_ and then hit Enter to accept the RULE_INIT event.
- After RULE_INIT, type a {, then type the Enter key twice, and then type a }. This is a good method for ensuring that you have a closing curly brace for every opening curly brace.
- Move your cursor after the indent in line 2.
- Type the following command and arguments:

    log local0. "iRule created or updated"
- In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.

NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.

- In the iRule Editor, save the exercise_iRule, and then view the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- Open a new Web browser and access http://10.128.10.20.
- View the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the CLIENT_ACCEPTED event:
- Save the iRule.
- In the http://10.128.10.20 Web page select the Welcome link.
- View the Putty window.

Question: How many HTTP requests are needed to build this Web page? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the HTTP_REQUEST event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- View the Putty window.

Question: Was a different pool member selected for each HTTP request? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the LB_SELECTED event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the SERVER_CONNECTED event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- View the Putty window.

TASK 2 – Enable Caching and Compression on the HTTP Virtual Server

Enable caching, compression, and OneConnect on the HTTP virtual server, and then examine the difference in the iRule results.

- In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
- Configure the following:
    - HTTP Profile: custom_http_profile
    - OneConnect Profile: custom_oneconnect
    - HTTP Compression Profile: custom_compression
    - Web Acceleration Profile: custom_caching
- Click Update.
- In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- In Putty, type the Enter key five times.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- Close the Web browser.
- View the Putty window.

Question: How did these profiles change the results of the iRule triggering? _______________________________________________________________________

- In the Configuration Utility, on the http_vs Properties page, configure the following:
    - HTTP Profile: http
    - OneConnect Profile: None
    - HTTP Compression Profile: None
    - Web Acceleration Profile: None
- Click Update.

NOTE: We are removing these profiles to ensure that BIG-IP LTM makes load balancing decisions for each request and doesn’t serve up content from its cache.

TASK 3 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise2_iRule using the Blank template.
- Copy the code from exercise_iRule and paste into exercise2_iRule.
- Save exercise2_iRule.
- Right-click exercise2_iRule and select Copy Offline.

EXERCISE 1.11C – USING VARIABLES

In this exercise you will set variables in an iRule, and then reference and manipulate the variables.

* Estimated completion time: 20 minutes

TASK 1 – Set Variables in an iRule

Update the exercise_iRule by setting several variables.

- In the iRule Editor, select exercise_iRule.
- Delete all of the existing events EXCEPT for the HTTP_REQUEST event.
- In the line directly after the when HTTP_REQUEST line, type:

    set name "Chris"         (use your own first name)
    set last_name "Manly"    (use your own last name)
    set price 9.95
    set quantity 5

TASK 2 – Reference Variables in an iRule

Update the exercise_iRule by referencing the variables you set in the previous task.

- Edit the log local0. message to:

    log local0. "$name $last_name made an HTTP request"

- Save the iRule.
- In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.

NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.

- Open a new Web browser and access http://10.128.10.20/httprequest.php.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, create a second log entry:

    log local0. "Order made for $quantity items at $$price each"

NOTE: Be sure to include two dollar signs before “price”.

- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window. Note that the iRule was able to identify that $price was referencing a variable, and the dollar sign before that was interpreted as a regular text string.
- Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 3 – Manipulating Variables

Update the exercise_iRule by using the append, incr, and expr commands.

- In the iRule Editor, in the line after setting your last name, type:

    append name " "          (there should be one space between the quotes)
    append name $last_name

- Edit the first log local0. message to:

    "$name made an HTTP request"

- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, in the line after the final log local0. statement, type:
    incr quantity 2
    log local0. "Due to our special, $name will receive $quantity items"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, in the line after setting the quantity, type:
    set total [expr { $price * $quantity }]
    set tax [expr { $total * .09 }]
    set grand_total [expr { $total + $tax }]
* In the line after the final log local0. statement, type:
    log local0. "Total: $$total, tax: $$tax, for a grand total of $$grand_total"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

TASK 4 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise3_iRule using the Blank template.
* Copy the code from exercise_iRule and paste into exercise3_iRule.
* Save exercise3_iRule and then copy it to your Offline iRules.

EXERCISE 1.11D – USING TCL AND IRULES COMMANDS
In this exercise you will use several TCL and iRules commands to base your existing iRules on dynamic connection information.
* Estimated completion time: 30 minutes

TASK 1 – Update the iRule using iRules Commands
Update the iRule you created in exercise 2 by logging information based on the actual client connection.
* In the iRule Editor, select exercise2_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* Update the CLIENT_ACCEPTED event as follows:
* Update the LB_SELECTED event as follows:
* Update the SERVER_CONNECTED event as follows:
* Update the HTTP_RESPONSE event as follows:
* Save the iRule and ensure you don’t receive any syntax errors.
* Open a new Web browser and access http://10.128.10.20/httprequest.php.
* View the Putty window.
In the next section we will discuss conditional statements. Start thinking about the traffic management decisions you could make on the BIG-IP system using any of the information that you sent to the log file.
* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 2 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise4A_iRule.
* Copy the code from exercise_iRule and paste into exercise4A_iRule.
* Save exercise4A_iRule, and then copy it to your Offline iRules.

TASK 3 – Update the iRule using HTTP Commands
Experiment with the different HTTP commands that are available in an iRule.
* Select exercise_iRule.
* Delete all of the existing events EXCEPT for the when HTTP_REQUEST event.
* Update the HTTP_REQUEST event as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Edit the URI to http://10.128.10.20/httprequest.php?user=bob.
Question: Which value changed between the two requests? _________________________________
* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 4 – Create a Custom Response Page
Using the iRule, create a custom HTTP response page to be sent for all client requests.
* In the iRules Editor, select exercise_iRule.
* After the HTTP_REQUEST event add the following HTTP_RESPONSE event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php?user=bob Web page.
Question: Did you receive the custom Webpage? ___________________
In the next lesson we’ll cover using conditional statements. Be thinking about what information you could use to determine whether or not to display this error page for user requests.

TASK 5 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise4B_iRule.
* Copy the code from exercise_iRule and paste into exercise4B_iRule.
* Save exercise4B_iRule, and then copy it to your Offline iRules.

TASK 6 – Use the Stream Command
In Exercise 1.6B you used a Stream profile in the Configuration Utility. As you learned, one of the limitations of the Stream profile is that you can only find one text string to replace with another. You will now use the stream command in an iRule to find multiple text strings and replace them with different values.
* In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
* Configure the following:
  * Stream Profile: stream
  * HTTP Compression Profile: custom_compression
* Click Update.
NOTE: Even when you use the stream command in an iRule, you still need to include the default Stream profile, and in addition you need to ensure that the Web servers aren’t compressing content (which is achieved by using an HTTP compression profile).
* In the iRules Editor, select exercise_iRule.
* Delete all of the lines contained within the HTTP_RESPONSE event (but leave the event itself).
* Save the iRule.
* Open a new Web browser and access http://10.128.10.20/lorax.php. There are references to “Lorax Bank”, “Lorax Finances”, and “savings accounts”.
* In the iRule Editor, update the HTTP_RESPONSE event as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. The references to “Lorax Bank” have been replaced with “Lorax Investments”.
* Update the STREAM::expression as follows:
    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@}
NOTE: Type all of the previous expression on one line.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. All references to the previous entries have been replaced with the updated entries.
* Click on the top graphic to go back to the home page.
* From the http://10.128.10.20 page, select the Multiple Stream Example link.
NOTE: The graphics in the second column on this page are “broken” links.
* Right-click on the page and select View Source.
Question: What are the URLs that the broken image links are pointing to? ____________________________________________________________________
* Close the source code page.
* Update the STREAM::expression as follows:
    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@ @http://server1.hostingsite.com/images@/images@}
* Save the updated iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/badlinks.html Web page.
Question: Why did the first two pictures display properly, but the third picture still doesn’t display? _________________________________________________________________
* Update the stream expression so that all three graphics display on the page.

TASK 7 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise4C_iRule.
* Copy the code from exercise_iRule and paste into exercise4C_iRule.
* Save exercise4C_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11E – USING CONDITIONAL STATEMENTS
In this exercise you will add conditional statements to your iRules, using if, elseif, and else statements, in addition to using the stream command access.
* Estimated completion time: 40 minutes

TASK 1 – Update the Custom Error Page iRule
Update the iRule you created earlier that displays a custom error page by using a conditional statement to determine the HTTP response status and displaying the error page only when the user receives a 404 error.
* In the iRule Editor, select exercise4B_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* Update the HTTP_RESPONSE event as follows:
NOTE: The indenting within the if command isn’t required; however it can make the iRule easier to read.
* Save the iRule and ensure you don’t receive any syntax errors.
* Open a new Web browser and access http://10.128.20.10.
* Edit the URI to http://10.128.20.10/index.html.
* Close the Web browser.
Because this Web server doesn’t have an index.html file, it responded with a 404 error status. Instead of simply passing the 404 error to the client, we can present them with more useful information in the custom Web page.

TASK 2 – Create Three Wildcard Pools
In the next several iRule examples we’ll be making traffic management decisions. Create three pools to use within these iRules.
* In the Configuration Utility, open the Pool List page.
* Create a pool using the following:
    Name                     iRules_pool1
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members                  (Use the Node List option)
                             Node: 10.128.20.11    Service Port: * (All Services)
* Create another pool using the following:
    Name                     iRules_pool2
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members                  (Use the Node List option)
                             Node: 10.128.20.12    Service Port: * (All Services)
* Create another pool using the following:
    Name                     iRules_pool3
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members                  (Use the Node List option)
                             Node: 10.128.20.13    Service Port: * (All Services)
* Create another pool using the following:
    Name                     iRules_pool4
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members                  (Use the Node List option)
                             Node: 10.128.20.14    Service Port: * (All Services)

TASK 3 – Use an iRule for Traffic Management Decisions
Use the iRule to make traffic management decisions based on the requested file type.
* In the iRule Editor, update the HTTP_REQUEST event as follows:
This iRule will identify the file type of the user request. If the file type is php, the request will be routed to the iRules_pool1 pool. Because we’re now using the iRule for traffic management decisions, we need to remove the default pool from the virtual server.
* Save the iRule.
* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Open the Resources page.
* For Default Pool, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.20/welcome.php.
Questions:
  Did the page display properly? ___________________
  If not, why not? ______________________________________________________
* In the iRule Editor, update the HTTP_REQUEST as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
Questions:
  Did the page display properly? ___________________
  If yes, which pool supplied the welcome.php page? ______________________________
  Which pool supplied the graphics? _______________________________
* Click on the top graphic to go back to the home page.
Questions:
  Did the page display properly? ___________________
  If not, why not? ______________________________________________________
* In the iRule Editor, update the HTTP_REQUEST as follows:
Since we no longer have a default pool associated with the virtual server, it’s a good idea to have an else statement for requests that don’t match the if or the elseif conditions.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.
Questions:
  Did the page display properly? ___________________
  Which page supplied the index.php page? ________________________
  Which pool supplied the F5 logo at the bottom of the page? _________________________
  Why wasn’t this graphic supplied by iRules_pool2? _____________________________

TASK 4 – Manage Traffic Based on the Service Port
Create a new iRule that will manage traffic based on the request’s application port.
* In the iRule Editor, create a new iRule using the blank template named wildcard_iRule.
* Use the following to create this iRule:
* Save the iRule.

TASK 5 – Create a Wildcard Virtual Server
Create a virtual server listening on all ports.
* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following:
    Name            wildcard_vs
    Destination     Host: 10.128.10.40
    Service Port    * (All Ports)
    iRules          wildcard_iRule
    Default Pool    None
* Open a Web browser and access http://10.128.10.40.
Question: Which pool supplied this request? ___________________
* Edit the URI to https://10.128.10.40.
Question: Which pool supplied this request? ___________________
* Edit the URI to http://10.128.10.40:8081.
Question: Which pool supplied this request? ___________________
  How was BIG-IP LTM able to view the iRule and make traffic management decisions when there’s no HTTP profile configured on the virtual server? ___________________________________________________________________________
* Close the Web browser.

TASK 6 – Update the iRule to Use the Switch Operator
Update the wildcard_iRule to use the switch operator in place of the if, elseif, else statements.
* In the iRules Editor, update the wildcard_iRule as follows:
In this statement, the -exact argument is optional. The $requestport variable is the value that we are comparing to either 80, 443, or 8081. The statements after the 80, 443, and 8081 are the actions to take if the port value matches. The default statement is for all requests that don’t match port 80, 443, or 8081.
* Save the iRule.
* Test by using a new Web browser to access http://10.128.10.40, http://10.128.10.40:8081, and https://10.128.10.40.
* Close the Web browser.
* In the configuration utility, access the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics.
* Reset the statistics for all pools and all pool members.
* Open a new Putty session and access 10.128.10.40.
NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.
* In the configuration utility, refresh the pools statistics.
Question: Which pool supplied this request? ___________________
* Close Putty.
* Copy the wildcard_iRule to your Offline iRules.

TASK 7 – Use the Switch Operator to Manage Traffic Based on the File Type
Create an iRule to determine the requested file type.
If the request is for an unauthorized file type we’ll present a custom error page for the user. Otherwise we’ll route all requests for graphic files to one pool, PHP pages to another pool, and all other requests to a third pool.
* Open a new Web browser and access http://10.128.10.20.
* Edit the URI to http://10.128.10.20/calc.exe.
* Attempt to run the application.
* Edit the URI to http://10.128.10.20/basic.css.
* Close the Web browser.
Currently this Web application contains files that shouldn’t be accessed by users. We’ll use the iRule to block access to these file types.
* In the iRules Editor, select exercise_iRule.
* Delete the lines containing the if, elseif, and else statements.
* Update the HTTP_REQUEST event as follows:
In this statement, the -glob argument enables us to use wildcard characters. The $httppath variable is the value that we are comparing. For each of the file types we are using the asterisk wildcard. If the $httppath variable ends with exe or css, the user will get a custom response page, and in addition we’ll send an entry to the log file. If the variable ends with jpg, gif, or png, the request is sent to iRules_pool1. If the variable ends with php the request is sent to iRules_pool2 and we send an entry to the log file. The default statement is for all requests that don’t match any of the listed file types.
* Save the iRule and ensure you don’t receive a syntax error.
* Open a new Web browser and access http://10.128.10.20.
Questions:
  Which pool supplied the index.php page? ____________________
  Why didn’t this request go to iRules_pool2? _____________________________________
  Which pool supplied the F5 logo? ____________________
* Select the Welcome link.
Question: Which pool supplied the welcome.php page? ____________________
* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.
Question: Were you able to open these sensitive files? _______________
* View the Putty window.
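The switch -glob routing that Task 7 describes, written out as an added example; it is not the guide's own iRule, which this page does not reproduce. The $httppath assignment with case normalisation, the 403 status, the response body and the use of iRules_pool3 as the third pool are assumptions.

```tcl
# Added example, not the guide's own code. Pool names come from
# Exercise 1.11E Task 2; status code, response body and the choice of
# iRules_pool3 as the "third pool" are assumptions.
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so a trailing "?x=1.png" cannot
    # change which pattern matches. switch -glob is case-sensitive, so the
    # path is lower-cased first; otherwise an upper-case extension would
    # miss the block rule and reach the default branch.
    set httppath [string tolower [HTTP::path]]

    switch -glob -- $httppath {
        "*.exe" -
        "*.css" {
            # Blocked types: answer from the BIG-IP and never select a pool.
            log local0. "Blocked request for $httppath from [IP::client_addr]"
            HTTP::respond 403 content "<html><body><h1>Access denied</h1>The requested file type is not available.</body></html>" "Content-Type" "text/html"
        }
        "*.jpg" -
        "*.gif" -
        "*.png" {
            pool iRules_pool1
        }
        "*.php" {
            log local0. "Request made for $httppath"
            pool iRules_pool2
        }
        default {
            # The virtual server has no default pool, so every request that
            # matches none of the patterns must still be given a pool here.
            pool iRules_pool3
        }
    }
}
```

A request for the root page "/" matches none of the extension patterns, which is why it is handled by the default branch rather than by the php branch.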
Questions:
  Did requests for images generate a log entry? ________________
  Did requests for css files generate a log entry? ________________
  Did requests for php pages generate a log entry? _______________
* Close the Web browser.

TASK 8 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise5_iRule.
* Copy the code from exercise_iRule and paste into exercise5_iRule.
* Save exercise5_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11F – WORKING WITH LISTS
In this exercise you will work with lists. First you’ll create a static list and experiment with different commands to manipulate the list. Next you’ll create a dynamic list containing HTTP request headers.
* Estimated completion time: 30 minutes

TASK 1 – Update the HTTP Virtual Server and the iRule
Update the HTTP virtual server by using the HTTP pool as the default pool.
* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Pool list, select http_pool, and then click Update.
* In the iRule Editor, delete all of the code in the exercise_iRule.

TASK 2 – Work with a Static List
Create a static list, and then use several list commands to manipulate the list.
* To create a new static list, add the following HTTP_REQUEST event to exercise_iRule.
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To sort the list, add the following lines at the end of the HTTP_REQUEST:
    set mylist [lsort $mylist]
    log local0. "Sorted first list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To add items to the list, add the following lines at the end of the HTTP_REQUEST:
    lappend mylist "rst" 222
    log local0. "Second list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
Question: Were the new items added into the sorted order? ___________________
* Add additional lines to the iRule to sort the list after the new items have been added and add an entry to the log file. After refreshing the http://10.128.10.20/httprequest.php Web page, the log entry should look like this:
* To insert an item into the list, add the following lines at the end of the HTTP_REQUEST:
    set mylist [linsert $mylist 1 "f5"]
    log local0. "Third list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
Questions:
  How are the lappend and linsert commands different? _____________________________
  In what position in the list was the new entry added? ________________
* Once again, add additional lines to sort the new list and add an entry to the log file.
* To determine the number of items in the list, add the following line at the end of the HTTP_REQUEST:
    log local0. "Third list length: [llength $mylist]"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
Question: What are a couple of advantages of knowing the number of items in a list? ________________________________________________________________________
* Add the following lines at the end of the HTTP_REQUEST:
    lset mylist 3 "456"
    log local0. "Fourth list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
Questions:
  How is the lset command different from the lappend and linsert commands? __________________________________________________________________________
  In what position in the list was the new entry added? ________________
* To determine the value of an item in the list, add the following lines at the end of the HTTP_REQUEST:
    set item [lindex $mylist 3]
    log local0. "Item #4: '$item'"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To determine the index value of three different items, add the following lines at the end of the HTTP_REQUEST:
    set find1 [lsearch $mylist "rst"]
    set find2 [lsearch $mylist 222]
    set find3 [lsearch $mylist "deflmo"]
    log local0. "List item 'rst' at index # $find1"
    log local0. "List item '222' at index # $find2"
    log local0. "List item 'deflmo' at index # $find3"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
Questions:
  What index number is “222” at? __________________
  Why is the third item displaying at index value -1? _________________________________

TASK 3 – Add Iteration to the iRule
Use iteration to loop through the different items in the static list.
* In the iRule Editor, add the following lines at the end of the HTTP_REQUEST:
    set myaddress "401 Elliott Ave S, Seattle, WA 98119 USA"    (use your own address)
    set mylist [split $myaddress " "]
    log local0. "First item: '[lindex $mylist 0]'"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
Question: Without using iteration, how would you create separate log messages for each list entry? __________________________________________________________________________
* Replace the previous log local0 entry with the following:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
Question: What can you add to make these log entries more understandable? __________________________________________________________________________

FOR EXTRA CREDIT
* Update the iteration command so that the log message lists the correct item number:

TASK 4 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise6A_iRule.
* Copy the code from exercise_iRule and paste into exercise6A_iRule.
* Save exercise6A_iRule, and then copy it to your Offline iRules.

TASK 5 – Use a Dynamic List in an iRule
Use an iRule to gather information about the client request HTTP headers using the list commands.
* In the iRule Editor, update exercise_iRule as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
Questions:
  How many HTTP headers are in your HTTP request? _________________
  Which header is at index position 1? ___________________________
  What is the index value for X-Forwarded-For? _________________
* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
Question: What changes occurred using this profile? ________________________________________

TASK 6 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise6B_iRule.
* Copy the code from exercise_iRule and paste into exercise6B_iRule.
* Save exercise6B_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11G – USING IRULES BEST PRACTICES
In this exercise you will add comments and debugging statements to an iRule you created earlier.
* Estimated completion time: 15 minutes

TASK 1 – Add Comments to an iRule
Update an iRule by adding several comments to make it easier to understand for other administrators.
* In the iRule Editor, select exercise5_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* In the line directly after the when HTTP_REQUEST line, add the following comment:
    #Identify the requested page and store in a variable
* Continue to add the following comments:

TASK 2 – Adding Debugging Statements for Logging
Logging isn’t recommended for BIG-IP systems in production.
Modify non-critical log statements to only run at specified times.
* In the line directly after the when HTTP_REQUEST line, add the following line:
    set debug 1
* Edit the log statement for PHP pages to the following:
    if { $debug } { log local0. "Request made for $httppath" }
* Add the exact statement above to the switch default statement:
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20 Web page.
* Select the Welcome link.
* Click on the top graphic to go back to the home page.
* Select the Multiple Stream Example link.
* View the Putty window. For debugging purposes, we can see that requests are made for the root page “/”, php pages, and html pages.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, edit the debug statement:
    set debug 0
* Save the iRule and then view the same pages as you did at the beginning of this task.
* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.
* View the Putty window. We’ve now eliminated unnecessary logging, but can continue to log critical messages.

TASK 3 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise7_iRule.
* Copy the code from exercise_iRule and paste into exercise7_iRule.
* Save exercise7_iRule, and then copy it to your Offline iRules.
* Close the iRule Editor.
* In the Configuration Utility, create an archive file named 1.11_iRules_v11.4.0.1.

MODULE 11 EXERCISES – IAPPS

EXERCISE 1.12A – WORKING WITH IAPP APPLICATION SERVICES
In this exercise you will create an iApp Application Service. You will then examine the effects of enabling and disabling strictness. You will use reentrancy to update the application, and then examine the various objects iApp created for the application.
* Estimated completion time: 20 minutes

TASK 1 – Create a Web Application Using iApp
Create the Web application using an iApp Application Service.
* Open up a new Web browser and access https://10.128.1.245.
* Open the iApp > Application Services page.
* Click Create.
* Create an Application Service using the following information:
    Profile Name                                 app_web
    Template                                     f5.http
    Inline help?                                 No
    Configuration mode                           Basic
    IP address for virtual server                10.128.10.40
    FQDN                                         lamp.f5demo.com
    Create a new pool or use an existing one?    Create a new pool
    Servers to reference                         Address         Port
                                                 10.128.20.11    80
                                                 10.128.20.12    80
                                                 10.128.20.13    80
    Health monitor                               Create new HTTP monitor
    HTTP URI to send                             /index.php
    Expected response                            Welcome
* Click Finished.

TASK 2 – Update Your Local Hosts File
Update the entry in your local hosts file for lamp.f5demo.com.
* Open Notepad and select Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Update the lamp.f5demo.com entry:
    10.128.10.40 lamp.f5demo.com
* Save and close the hosts file.

TASK 3 – Test Access to the iApp Application
Test access to the iApp application, and verify how traffic is being load balanced to pool members.
* Open a new Web browser and access http://lamp.f5demo.com.
Questions:
  Which pool member(s) supplied content? __________________________________
  Why did only one pool member supply content? __________________________________
  Is SNAT enabled or disabled? _________________________
* Select the Request and Response Headers link.
Question: Is the X-Forwarded-For request header present? ________________
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then select the Pools statistics.
* Reset the statistics for all pools and pool members.
* In the http://lamp.f5demo.com Web page, select the HTTP Compress Example link.
* In the Configuration Utility, refresh the Pools statistics.
Questions:
  How many Bits Out did this page create? ____________________
  How many Packets Out did this page generate?
  ______________________
  How many total requests were needed to generate this Web page? __________________
* Reset the statistics for all pools and pool members.
* Use Ctrl+F5 to refresh the http://www.f5demo.com/bigtext.php page.
* Close the Web browser.
* In the Configuration Utility, refresh the Pools statistics.
Questions:
  How many Bits Out did this page create? ____________________
  How many Packets Out did this page generate? ______________________
  How many total requests were needed to generate this Web page? __________________
  What caused the difference in traffic to the pool member? __________________________

TASK 4 – View and Update the Application
Use iApp to update the previously deployed Web application.
* Open the iApp > Application Services page, and then select app_web.
* On the Components page, click app_web_vs. This navigates you to the virtual server Properties page.
* Attempt to update the Destination Address to 10.128.10.41.
Question: Why couldn’t you update the virtual server IP address? __________________________
* Open the iApp > Application Services page, and then select app_web.
* Select the Properties tab.
* From the Application Service list, select Advanced.
* Disable Strict Updates, and then click Update.
* Open the app_web_vs virtual server Properties page.
* Update the following:
  * Destination Address: 10.128.10.41
  * OneConnect Profile: None
  * HTTP Compression Profile: None.
  * Web Acceleration Profile: None.
* Click Update.
* Select the Resources tab.
* From both the Default Persistence Profile and Fallback Persistence Profile lists, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.41.
* Close the Web browser.
* Open the iApp Application Services page, and then select app_web.
* Select the Reconfigure tab.
Question: What is the virtual server IP address? __________________________
* Without making any changes, click Finished.
* Open the app_web_vs virtual server Properties page.
Question: Are the updates you just made still in effect? ____________________
  If not, why not? _____________________________________________________________
* Open the Local Traffic > Profiles > Protocol > TCP page.
Question: How many TCP profiles were created for this application? ___________
* Open the iApp Application Services page, and then select app_web.
* Select the Properties tab.
* Re-enable Strict Updates, and then click Update.
* Select the Reconfigure tab.
* In the Network section, specify the following:
    What type of network connects clients to the BIG-IP system?
        Local area network (LAN)
* Click Finished.
* Open the Local Traffic > Profiles > Protocol > TCP page.
Question: Why is there now only one TCP profile? _________________________________________

TASK 4 – Delete an iApp Application Service
Create a new iApp Application Service using objects from another Application Service, and then attempt to delete both applications.
* Open the iApp > Application Services page.
* Create an Application Service using the following information:
    Profile Name                                 app_web_backup
    Template                                     f5.http
    Inline help?                                 No
    Configuration mode                           Basic
    IP address for virtual server                10.128.10.41
    FQDN                                         (click the X to delete this option)
    Create a new pool or use an existing one?    app_web_pool
* Click Finished.
* Open the Application Services page.
* Select the checkbox for app_web, and then click Delete twice.
Question: Were you able to delete this application? ____________________
  If not, why not? _____________________________________________________________
* On the Application Services page, select app_web_backup. iApp created several objects for this profile: a virtual server, persistence profiles, an http profile, and several optimization profiles.
* Select the Properties tab.
* Click Delete, and then click OK.
* View the following Configuration Utility pages and verify that the application objects are deleted:
  * Virtual Server List
  * HTTP Profiles
  * HTTP Compression Profiles
  * Web Acceleration Profiles
  * Persistence Profiles
  * TCP Profiles

TASK 5 – Update the Wildcard Pools
Update the three wildcard pools you created in the iRules exercises.
* Open the Pool List page.
* Update the following pools:
  * iRules_pool1: disable 10.128.20.11:0, add 10.128.20.11:80
  * iRules_pool2: disable 10.128.20.12:0, add 10.128.20.12:80
  * iRules_pool3: disable 10.128.20.13:0, add 10.128.20.13:80

TASK 6 – Reconfigure the Application Service
Reconfigure the Application Service using the advanced settings.
* Open the iApp Application Services page, and then select app_web.
Questions:
  How many profiles did iApp create for this application? _____________________
  What type of persistence does this application use? ________________________________
* Select the Reconfigure tab.
* In the Template Options section, select to use Advanced settings.
* In the Network section, specify the following:
    What type of network connects clients to the BIG-IP system?
        Wide area network (WAN)
    How have you configured routing on your web servers?
        Servers have a route to clients through the BIG-IP system
* In the Virtual Server and Pools section, specify the following:
    Which HTTP profile do you want to use?
        Create a new HTTP profile
    Should the BIG-IP system insert the X-Forwarded-For header?
        Do not insert X-Forwarded-For HTTP header
    Which persistence profile do you want to use?
        Do not use persistence
    Which load balancing method do you want to use?
        Weighted Least Connections (member)
    Do you want to give priority to specific groups of servers?
        Use Priority Group Activation
    What is the minimum number of active members in a group?
        2
    Which web servers should be included in this pool?
        Update the following:
            10.128.20.11:80, Limit: 1000, Priority: 8
            10.128.20.12:80, Limit: 800, Priority: 8
            10.128.20.13:80, Limit: 800, Priority: 6
        Add the following:
            10.128.20.14, Limit: 1200, Priority: 10
            10.128.20.15, Limit: 1200, Priority: 10
* In the Delivery Optimization section, specify the following:
  Which Web Acceleration profile do you want to use for caching? Do not use caching
  Which compression profile do you want to use? Do not compress HTTP responses
  How do you want to optimize client-side connections? Create the appropriate tcp-optimized profile
* In the Server Offload section, specify the following:
  Which OneConnect profile do you want to use? Do not use OneConnect
  How do you want to optimize server-side connections? Create a profile based on tcp-lan-optimized
  How many seconds should Slow Ramp time last? 200
* In the Application Health section, specify the following:
  How many seconds should pass between health checks? 10
* Click Finished.
* Open a new Web browser and access http://lamp.f5demo.com.
Questions: Which pool member(s) supplied content? __________________________________
Is SNAT enabled or disabled? _________________________
* Select the Request and Response Headers link.
Question: Is the X-Forwarded-For request header present? ________________
* In the Configuration Utility, reconfigure the app_web Application Service.
* In the iRules section, specify the following:
  Do you want to add any custom iRules to this configuration? exercise7_iRule
* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.
Question: Did the BIG-IP make new traffic management decisions? _________________
* In the Configuration Utility, reconfigure the app_web Application Service.
* In the SSL Encryption section, specify the following:
  How should the BIG-IP system handle SSL traffic? Encrypt to clients, plaintext to servers (SSL Offload)
  Which Client SSL profile do you want to use? Create a new Client SSL profile
  Which SSL certificate do you want to use? lamp.crt
  Which SSL private key do you want to use? lamp.key
Note that the virtual server port changed from 80 to 443 after you selected to use SSL offload.
* In the Virtual Server and Pools section, specify the following:
  Do you want to redirect inbound HTTP traffic to HTTPS? Redirect HTTP to HTTPS
  From which port should HTTP traffic be redirected? 80
* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

EXERCISE 1.12B – WORKING WITH IAPP TEMPLATES
In this exercise you will view the list of system-supplied iApp Templates, and then view the properties of a Template. You’ll then find and download iApp Templates from the F5 downloads page and from DevCentral.
* Estimated completion time: 20 minutes

TASK 1 – View iApp Templates
View the list of system-supplied iApp Templates.
* In the Configuration Utility, open the iApp > Templates page.
* Use the page list box to display all Templates on one page.
Questions: How many Templates are currently used for Application Services? ________________
How can you tell that these are system-supplied Templates? __________________________

TASK 2 – View the Properties of an iApp Template
View the properties of the f5.http system-supplied Template.
* On the Template List page select f5.http.
Questions: What are the required BIG-IP modules? _______________________
What is the minimum BIG-IP version? ________________________
What is the maximum BIG-IP version? ________________________
* View the contents of the Implementation, Presentation, and HTML Help sections.
* Change the first line of the HTML Help section to:

Web server iApp Template

Questions: Can you save this change? ________________
If not, why not? ________________________________________

TASK 3 – Download Updated iApp Templates from F5 Downloads
Access and log in to the F5 Downloads page, then download the updated iApp Templates for v11.3 to your workstation.
* Open the F5 product version download page at https://downloads.f5.com/esd/productlines.jsp.
* Select BIG-IP v11 x / Virtual Edition.
* From the list box select 11.3.0.
* Select iApp-Templates.
* Accept the license agreement.
* Select iapps-1.0.0.8.0.zip.
* Select the best download for your location.
* Save and then unzip the file on your local workstation.
This file contains updated versions of the Exchange 2010 – 2013 Client Access Server and the Citrix XenApp XenDesktop iApp Templates.

TASK 4 – Download a Community-Contributed iApp Template from DevCentral
Access and log in to DevCentral, then find and download a community-contributed iApp Template to your workstation.
* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iApp.
* On the left navigation menu, select Samples.
* Under the Community-Contributed section, select MySQL Proxy iApp.
* Right-click on the green arrow, and then select Save Target As.
* Save and then unzip the file on your local workstation.
* Close the DevCentral Web page.

TASK 5 – Import iApp Templates Into the BIG-IP
Import iApp Templates into your BIG-IP system.
* In the Configuration Utility, open the iApp > Templates page.
* Click Import.
* Click Browse.
* Navigate to the location where you unzipped the downloaded Template files.
* Select f5.microsoft_exchange_2010_2013_cas.tmpl, and then click Open.
* Leave the Overwrite Existing Templates checkbox cleared and click Upload.
* Repeat the steps above to import mysql_proxy.2011-12-02.tmpl.
* Select the Application Services page, and then click Create.
* From the Templates list, select f5.microsoft_exchange_2010-2013_cas.v1.2.0cr1.
You could now use this iApp Template for an application deployment.
* Create an archive file named 1.12_iApps_v11.4.0.1.
View Persistence with Disabled and Offline Pool Members Exercise 1.8D – Using Match Across Virtual Servers Exercise 1.9A – Supporting SSL Traffic Exercise 1.9A – Supporting SSL Traffic Exercise 1.9B – Enabling SSL Offload Exercise 1.9A – Supporting SSL Traffic Exercise 1.10A – Using a NAT Exercise 1.10B – Using SNATs Exercise 1.11A – Writing your First iRule Exercise 1.11B – Using iRule Events Exercise 1.11C – Using Variables Exercise 1.11D – Using TCL and iRules Commands Exercise 1.11E – Using Conditional Statements Exercise 1.11F – Working with Lists Exercise 1.11G – Using iRules Best Practices Exercise 1.12A – Working with iApp Application Services Exercise 1.12B – Working with iApp Templates Exercise 10.C – Using Variables LTM Fundamentals Hands-On Exercise Guide F5 vLab version: 11.4.0.7 Written for: TMOS® Architecture v11.4.0 VMware Workstation 9.0.0 Virtual images: BIGIP-11.4.0.2384.0-scsi.ova LAMP 3.2 Last Updated: 11/18/2013 ©2013 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 
TABLE OF CONTENTS Table of Contents 3 Introduction 5 Module 1 Exercises – Initial Installation 7 Exercise 1.1 – VMware Workstation Configuration 7 Exercise 1.2 – Initial BIG-IP Configuration 13 Exercise 1.3 – User Access and System Preferences 23 Module 2 Exercises – Processing Traffic 29 Exercise 2.1 – Create an HTTP Pool and Virtual Server 29 Exercise 2.2 – Network Map 33 Module 3 Exercises – Virtual Servers 35 Exercise 3.1 – Virtual Server Priority 35 Exercise 3.2 – Forwarding and Reject Virtual Servers 39 Module 4 Exercises – Pools 43 Exercise 4.1 – Install Required Software 43 Exercise 4.2 – Create a Web Load Test 45 Exercise 4.3 –Load Balancing Methods 47 Exercise 4.4 –Priority Group Activation 49 Module 5 Exercises – Monitors 51 Exercise 5.1 – Using Monitors with Nodes 51 Exercise 5.2 – Using Monitors with Pools 55 Exercise 5.3 – Using an Inband Monitor 61 Exercise 5.4 – Using Manual Resume 63 Module 6 Exercises – Using Profiles 65 Exercise 6.1 – Using an HTTP Profile 65 Exercise 6.2 – Using a Stream Profile 69 Module 7 Exercises – Performance Profiles 71 Exercise 7.1 – Using Compression and Acceleration 71 Module 8 Exercises – Persistence Profiles 77 Exercise 1.8A – Using Source Address Persistence 77 Exercise 1.8B – Using Cookie Persistence 79 Exercise 1.8C – View Persistence with Disabled and Offline Pool Members 81 Exercise 1.8D – Using Match Across Virtual Servers 83 Module 9 Exercises – SSL Termination 85 Exercise 1.9A – Supporting SSL Traffic 85 Exercise 1.9B – Enabling SSL Offload 89 Module 10 Exercises – NATs and SNATs 93 Exercise 1.10A – Using a NAT 93 Exercise 1.10B – Using SNATs 95 Module 10 Exercises – iRules 99 Exercise 1.11A – Writing your First iRule 99 Exercise 1.11B – Using iRule Events 105 Exercise 1.11C – Using Variables 109 Exercise 1.11D – Using TCL and iRules Commands 113 Exercise 1.11E – Using Conditional Statements 119 Exercise 1.11F – Working with Lists 127 Exercise 1.11G – Using iRules Best Practices 133 Module 11 Exercises – iApps 
135 Exercise 1.12A – Working with iApp Application Services 135 Exercise 1.12B – Working with iApp Templates 143 INTRODUCTION Welcome to the F5 LTM Fundamentals Hands-on Exercise Guide. This guide provides hands-on experience with F5 BIG-IP® Local Traffic Manager™ (LTM). You can use these exercises and the virtual environment (vLab) – this includes VMware Workstation and BIG-IP® Virtual Edition (VE) – as a learning tool or to give customer demonstrations. Note, this guide is written for the following product and vLab version: * TMOS architecture v11.4.0 * VMware Workstation 9.0.0 * Virtual images: ? BIGIP 11.4.0.2384.0-scsi-ova ? LAMP 3.2 ? DoS_Tool 3.0 MODULE 1 EXERCISES – INITIAL INSTALLATION EXERCISE 1.1 – VMWARE WORKSTATION CONFIGURATION These steps guide you through requesting for a VMware Workstation license from IT, installing and configuring the VMware Workstation environment, downloading and installing the VMware images used in the environment, and making some required manual changes to the LAMP back-end server images. * Only perform this exercise if this is a first time setup of the vLab. * Use a Windows environment with this setup guide. * Estimated completion time: 15 minutes TASK 1 – Request a VMware Workstation License and Install the Trial Version ? Access https://f5.service-now.com (login using your Olympus credentials). ? From the left navigation menu, select Service Catalog. ? Under Software Requests, select VMware. ? Select the Desktop license. ? In the Select License Type list box, select Workstation (WIN/Linux). ? In the Business Justification field, type F5 vLab, and then click Order Now. You will receive your VMware Workstation license from IT. In the meantime you have 30 days to use the trial version of VMware Workstation. ? Access http://www.vmware.com/products/workstation/overview.html. ? Download and install the trial version of VMware Workstation 9. ?NOTE: These exercises are tested for VMware Workstation version 9. 
There may be issues with other versions. ? TASK 2 – Set Up the VMware Network Environment You will configure three VMware networks. VMnet1 acts as the Out of Band Management network for accessing the BIG-IP Configuration Utility. VMnet2 acts as the external network for users accessing virtual servers. VMnet3 acts as the internal VLAN where the back-end Web servers are located. ? Launch VMware Workstation, and then select Edit > Virtual Network Editor. ? Remove any existing VMnets EXCEPT for VMnet0. ? Click the Add Network button, and add VMnet1, VMnet2 and VMnet3. ? Select VMnet1, and configure as follows: o Enable the Host-only (connect VMs internally in a private network) option. o Select the Connect a host virtual adapter to this network checkbox. o Clear the Use local DHCP service to distribute IP address to VMs checkbox. o In the Subnet IP field enter 10.128.1.0, o In the Subnet mask field enter 255.255.255.0. ?NOTE: You will use this network to manage the BIG-IP VE system. This configures your local workstation with a VMware network adapter IP address of 10.128.1.1. ? ? Select VMnet2 and configure as follows: o Enable the NAT (shared host’s IP address with VMs) option. o Select the Connect a host virtual adapter to this network checkbox. o Clear the Use local DHCP service to distribute IP address to VMs checkbox. o In the Subnet IP field enter 10.128.10.0. o In the Subnet mask field enter 255.255.255.0. o Click the NAT Settings button. o In the Gateway IP field enter 10.128.10.2, and then click OK. ?NOTE: These NAT settings enable the BIG-IP VE system reach the Internet through your workstation’s network adapter. This configures your local workstation with a VMware network adapter IP address of 10.128.10.1. ? Select VMnet3, and configure as follows: o Enable the Host-only (connect VMs internally in a private network) option. o Clear the Connect a host virtual adapter to this network checkbox. 
o Clear the Use local DHCP service to distribute IP address to VMs checkbox. o In the Subnet IP field enter 10.128.20.0. o In the Subnet mask field enter 255.255.255.0. ?NOTE: Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to the internal network. This will avoid asymmetric routing issues and also enable you to demonstrate secure remote access and full proxy features. ? Click OK. TASK 3 – Download the Virtual Images Download the BIG-IP image file to your local workstation, and then download and unzip the VMware back-end server images. ? Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp. ? Click BIG-IP v11 x / Virtual Edition, and ensure that 11.4.1 is selected in the product version list box. ? Click Virtual-Edition, and then accept the license agreement. ? Click BIGIP-11.4.1.608.0-scsi.ova. ? Click the best download link for your location. ? Save the file to a directory on your local workstation. ?NOTE: Ensure the location of this directory has at least 6GB of free disk space. ? Access ftp://wafer.f5net.com/outgoing/F5_Virtual_Environment_Setup_VMware/. ? Download the following files: o Exercise_Files.zip o LAMP_3.2.7z ? Unzip each downloaded file in the local directory you created earlier in this task. TASK 4 – Install the BIG-IP VE System VMware Image Use VMware Workstation to open and install the BIG-IP VE image file. ? In VMware Workstation, go to File > Open. ? Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.4.1.608.0-scsi.ova image file, and then click Open. ? Name the new virtual machine BIGIP_A1_v11.4. ? Enter or browse to a location with at least 4GB of free disk space and click Import. ? Click the Accept button. It will take a few minutes for the image to import. ? 
After the import completes, select BIGIP_A1_v11.4 from the Library menu, and then click Edit virtual machine settings. ? Map the network adapters to the appropriate VMware networks using the following table: Network Adapter Custom (VMnet1) Network Adapter 2 Custom (VMnet2) Network Adapter 3 Custom (VMnet3) Network Adapter 4 Bridged (Automatic) ? Click OK. TASK 5 – Install the LAMP VMware Image Use VMware Workstation to open and install the LAMP VMware server images. ? In VMware Workstation, go to File > Open. ? Select the LAMP_3.2.vmx image file, and then click Open. ? In the VMware Workstation dialog box, click Take Ownership. ? Select LAMP_3.2 from the Library menu, and then click Edit virtual machine settings. ? Map the network adapters to the appropriate VMware networks using the following table: Network Adapter Connect at power on (yes) Custom (VMnet1) Network Adapter 2 Connect at power on (no) Custom (VMnet2) Network Adapter 3 Connect at power on (yes) Custom (VMnet3) Network Adapter 4 Connect at power on (no) Bridged ? Click OK. TASK 6 – Edit the Settings of the LAMP Image The LAMP image requires some manual network configuration changes. ? Select LAMP_3.2 from the Library menu, and then click Power on this virtual machine. ? Within the VMware Workstation window, leave Ubuntu selected and press the Enter key. ? After the image powers on, within the VMware Workstation window (and within the LAMP desktop) click Login. ? Click the Applications Menu icon on the top-left of the screen, and then select Settings Manager. ? In the Hardware section, click Network Connections. ? Select Wired connection 1, and then click Edit. ? From the Device MAC address list box, select the MAC address for eth0. ? Click Save, and then repeat these steps for the following: o Wired connection 2 --> eth1 o Wired connection 3 --> eth2 o Wired connection 4 --> eth3 ? Delete Wired connection 5 – Wired connection 8. 
?NOTE: The wired connection entries will not be removed from the Network Connections list until you reboot the image. ? Close the Network Connections and Settings dialog boxes. ? In VMware Workstation, right-click LAMP_3.2 in the Library menu and select Power > Power Off. ? Right-click LAMP_3.2 in the Library menu and select Snapshot > Take Snapshot. ? Name the snapshot LAMP_3.2_Clean, and then click Take Snapshot. EXERCISE 1.2 – INITIAL BIG-IP CONFIGURATION In this exercise you will configure the BIG-IP management interface, you’ll use TMSH to create a VLAN and a self IP address, and you’ll request and install a BIG-IP VE license key. * Your workstation needs Internet access to complete the licensing portion of this exercise. * Required virtual images: BIGIP_A1_v11.4 * Estimated completion time: 25 minutes TASK 1 –Configure BIG-IP Management Interface Settings Power on the BIG-IP VE image, configure the management interface settings, and then use TMSH to create the external VLAN, self IP address, and default gateway route. ? Click BIG_A1_v11.4 from the Library menu, and then click Power on this virtual machine ?NOTE: You may experience issues when attempting to power on the BIG-IP virtual machine. If you receive an incompatibility message regarding 64-bit operation, complete Task 1.1. ? After the BIG-IP VE system has powers on, you are presented with the localhost login screen. ? Log in to the BIG-IP system using the following credentials: localhost login: root Password: default ? At the CLI prompt, type: config ? Configure the management interface using the following information: IP Address 10.128.1.245 Network Mask 255.255.255.0 Default Route 10.128.1.1 ? TASK 1.1 –Configure your System BIOS and BIG-IP Management Interface Settings Complete this task ONLY if you receive an incompatibility message regarding 64-bit operation. ? You may receive the following dialog box: This is an issue with the Intel virtualization. 
To resolve it, you must reconfigure your system BIOS ? Access your system BIOS. To find the disabled virtualization features, perform the following, depending on the model of your devices: o Go to Configuration, and then enable Intel Virtual Technology. o Go to Security > Virtualization, and then enable Intel (R) Virtualization Technology and Intel (R) VT- d Feature. ? Press F10 to save and exit the system BIOS. The system reboots and you can proceed. ? Launch VMware Workstation. ? Click BIG_A1_v11.4 from the Library menu, and then click Power on this virtual machine ? After the BIG-IP VE system powers on, you are presented with the localhost login screen. ? Log in to the BIG-IP system using the following credentials: localhost login: root Password: default ? At the CLI prompt, type: config ? Configure the management interface using the following information: IP Address 10.128.1.245 Network Mask 255.255.255.0 Default Route 10.128.1.1 TASK 2 –Generate an Evaluation License Key Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license. ? Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com ? Click Eval Key Generator, and log in using your Olympus credentials. ?NOTE: Ensure you are not selecting Dev Key Generator. ? Leave the Generate Eval Base Keys option selected. ? From the Product Line list box, select BIG-IP. ? From the Product list box, select F5-BIG-VE-LAB-LIC. ?NOTE: Ensure you are selecting the license above before moving on. ? Select the 45 Days option, and then click Next. ? On the License Configuration Options page change the Number of Product Keys to Generate to 10. ? Select the GTM, VE and the BIG-IP, LAB (LTM,APM,ASM,AM, GTM), VE checkboxes, and then click Next. The evaluation key is emailed to your F5.com address. ? Once the F5 Development Registration Key email is delivered to your inbox, open it and copy one of the registration keys. 
TASK 3 – Access the BIG-IP VE System Access the management port of the BIG-IP VE system using a Web browser. ? Open up a Web browser and access https://10.128.1.245. ? Proceed with the untrusted security certificate. ? Log in to the BIG-IP system using the following credentials: Username: admin Password: admin The BIG-IP VE system does not yet have a license. TASK 4 – Activate the BIG-IP System Use the manual licensing method with the registration key emailed to you to activate the BIG-IP VE system. ? On the Welcome page, click Next. ? On the License page, click Activate. ? In the Base Registration Key field, paste the registration key text. ? For Activation Method, select Manual. ? Click Next. ? Select and copy all of the dossier text to your clipboard. ? Click the F5 Licensing Server link. ? Paste the dossier text in the field, and then click Next. ? Accept the license agreement, and then click Next. ? Select and copy all of the license key text to your clipboard, and then close the Activate F5 Product Web page. ? On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next. The BIG-IP VE system configuration updates. This takes several seconds. ? After the configuration changes complete, log in to the BIG-IP VE system. ? TASK 5 – Complete the Setup Utility Complete the remaining steps of the Setup Utility. ? On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next. ? On the Device Certificate page click Next. ? On the Platform page, configure these settings using the following information: Host Name bigipA1.f5demo.com Root Account (Password and Confirm) default Admin Account (Password and Confirm) admin ? Click Next. ? You are prompted to log out and log back in to the BIG-IP VE system. Click OK. ? Log back in to the BIG-IP VE system. ? Under Standard Network Configuration, click Next. ? Clear the Display configuration synchronization options checkbox. ? Click Next. 
? In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information: Self IP Address 10.128.20.240 Self IP Netmask 255.255.255.0 Port Lockdown Allow Default VLAN Interfaces Untagged: 1.2 ? Click Next. ? ? In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information: External VLAN Create VLAN external Self IP Address 10.128.10.240 Self IP Netmask 255.255.255.0 Port Lockdown Allow 443 Default Gateway 10.128.10.2 VLAN Interfaces Untagged: 1.1 ? Click Finished. You are presented with the BIG-IP Web Configuration Utility. ? To find manuals and product information, click the User Documentation link to go to AskF5. The AskF5 knowledge base Web site displays. You can use this site to view knowledge base articles and download product manuals. ? Close the Ask F5 Web page. ? Click the Run the Setup Utility link. You can run the Setup Utility at any time. However, you can also make changes manually using the Network option on the left navigation menu. ? TASK 6 – Review Configuration Objects Use the Configuration Utility to view the TMOS objects created with the Setup Utility. ? Open the Network > VLANs > VLANs List page. The Setup Utility created two VLANs: external and internal. ? Open the Network > Self IPs page. The Setup Utility created two self IP addresses: Self IP Address VLAN 10.128.10.240 external 10.128.20.240 internal ? Open the Network > Routes page. The Setup Utility created the following route: Name Resource external_default_gateway 10.128.10.2 TASK 7 – Explore Command Line Access (CLI) and tmsh Access the BIG-IP system and view configuration details using an SSH client (such as Putty). ? Use an SSH client (such as Putty) to connect to the external self IP address 10.128.10.240. 
You are unable to open the BIG-IP system because the Port Lockdown option of the external self IP address is set to allow access for TCP port 443 only. ? In the Configuration Utility, open the Network > Self IPs page. ? Click 10.128.10.240. ? Add TCP port 22 to the Custom List. ? Click Update. ? Use the SSH client again to connect to 10.128.10.240. ? In the PuTTY Security Alert dialog box, click Yes. ? Log in to the BIG-IP CLI using the following credentials: Username: root Password: default ? At the CLI, type: tmsh list net se (and then press the Tab key) Question: Did autocorrect display options? _____________________ ? At the CLI, complete the following: tmsh list net self Question: What information is listed? ________________________________ ? At the CLI, type: tmsh ? At the tmos prompt, type: list net vl (and then type the Tab key) Questions: Did autocorrect display options? _______________________ Which options are available? _______________________________________ Why did the tmos prompt replace “list net vl” with “list net vlan”? _______________________________________________________________________ ? Press the Enter key. Question: What information is listed? ________________________________ ? At the tmos prompt, navigate to another location by typing the following: ltm node ? At the tmos prompt, type: ? TMOS displays the commands you can use at this point. ? At the tmos prompt, type: q (NOTE: This will exit the list of command presented by the “?”) create ? TMOS displays available commands and required objects. The create command requires a name to identify the node. ? At the tmos prompt, type: create test_node? The create command followed by a name requires a text name or an IP address. ? At the tmos prompt, type: create test_node address ? You must include an IP address. ? At the tmos prompt, type: create test_node address 10.20.30.40 list ? In the Configuration Utility, open the Local Traffic > Nodes > Node List page. 
You created a node on the BIG-IP VE system. ? In the SSH client, at the tmos prompt, type: delete test (and then press the Tab key) There is only one possible option, so autocorrect completes the next word. ? Press the Enter key to complete the delete command. ? In the Configuration Utility, refresh the Node List page. You’ve removed the node from the BIG-IP VE system. ? In the SSH client, at the tmos prompt, type: / (this brings you back to the root TMOS level) quit ? At the CLI, type: exit EXERCISE 1.3 – USER ACCESS AND SYSTEM PREFERENCES In this exercise you will verify the default capabilities of the built-in admin and root user accounts. You’ll then create a new BIG-IP user account and experiment with two user roles. Finally, you’ll examine the log files and create an archive file. * Required virtual images: BIGIP_A1_v11.4 * Estimated completion time: 15 minutes TASK 1 – Verifying User Access Attempt to log in using the SSH client and the admin user account. ? Open a new SSH session and connect to 10.128.10.240. ? Attempt to log in using the following credentials: Username: admin Password: admin By default, you cannot open an SSH session using the admin account. ? In the Configuration Utility, open the System > Users > User List page. ? Click admin. ? From the Terminal Access list box, select Advanced shell. ? Click Update. ? Use the SSH client again to connect to: 10.128.10.240, and then log in using the admin account. ? Close the SSH session. ? In the Configuration Utility, attempt to log back in to the BIG-IP VE system using the following credentials: Username: root Password: default You cannot log in to the Configuration Utility using the root account. You can only use the root account for CLI access. ? TASK 2 – Create a New BIG-IP User Account Use the Configuration Utility to create a new BIG-IP VE system user account for yourself and experiment with the different user roles. ? Log in to the BIG-IP system using the admin account. ? 
Open the System > Users > User List page. ? Create a new user account using the following information, and then click Finished. User Name your first name Password your last name (all lowercase) Role Operator Partition Access All Terminal Access tmsh ? Use the SSH client to access: 10.128.10.240, and then log in using your new user account. Question: Are you at the CLI prompt or the tmos prompt? _________________________ ? At the tmos prompt, type: ltm node create test_node address 10.20.30.40 You receive a syntax error: incomplete command. ? At the tmos prompt, type: create ? Your user account does not have privileges to create nodes. ? At the tmos prompt, type: quit Because you only have TMSH access, quitting TMSH ends the SSH session. ? In the Configuration Utility, click Log out. ? Log back into the Configuration Utility using your new user account. ? Open the Local Traffic > Pools > Pool List page. Question: Why are the Create and Delete buttons greyed out? ________________________________ ? Open the System > Users > User List page. ? Click your user account and attempt to change the user role to Resource Administrator. Question: Were you successful? _______________________ ? Log out, and then log back in using the admin account. ? Open the System > Users > User List page. ? Click your new user account and attempt to change the user role to Resource Administrator. Question: Were you successful? _______________________ ? Change the user’s Terminal Access to Advanced shell. ? Click Update. ? Log out, and then log in using your new user account with the WRONG password. (NOTE: You will view this failed login attempt in the LTM audit log.) ? Log in using your new user account with the correct password. ? Open the Local Traffic > Pools > Pool List page. You now have privileges to create and delete pools. TASK 3 – View Logging Information View recent security logging activity using an SCP client (such as WinSCP) to. ? 
* Use an SCP client (such as WinSCP) to access 10.128.10.240 with your new user account and password.
* On the right side, navigate to the / level.
* Navigate to the /var/log directory.
* Open the secure log file and then scroll to the bottom.
* Locate the log entry for the failed login attempt by your user account.
* Close the secure log file and the SCP client.
* In the Configuration Utility, open the System > Logs > Audit > List page.
* Type fail in the search field, and then click Search.
* Locate the log entry for the failed login attempt by your user account.

TASK 4 – Update System Preferences

Update the BIG-IP VE system preferences with custom settings.

* Open the System > Preferences page.
* From the System Settings list, select Advanced.
* Change the Records Per Screen value to 20.
* From the Start Screen list box, select Statistics.
* Select the Redirect HTTP to HTTPS checkbox.
* Update the Idle Time Before Automatic Logout value to 100000.
* Update the Security Banner Text to Show on the Login Screen to:
    Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.
* Click Update.
* Click Log out.
* Change the URL to http://10.128.1.245.
  You are redirected to the HTTPS site, and the Login page now displays the custom message.
* Log in using your new user account.
  The startup page is now the Statistics page.

TASK 5 – Create an Archive File

Use the command line to create an archive file.

* Use the SSH client to connect to 10.128.10.240, and then log in using your new user account.
* At the CLI, type:
    tmsh
* At the TMOS prompt, type:
    sys ucs ?
* Use the Enter key to scroll through the available commands.
* At the tmos prompt, type:
    q
    save ? 1.3_initial_setup_v11.4.1.1.ucs ?
  You can create a passphrase when needed.
* Press Enter to create the archive file.
* Quit TMSH, and then exit the SSH client.
* In the Configuration Utility, open the System > Archives page.
  You created a new archive file on the BIG-IP VE system.

MODULE 2 EXERCISES – PROCESSING TRAFFIC

EXERCISE 2.1 – CREATE AN HTTP POOL AND VIRTUAL SERVER

In this exercise you will configure a pool for HTTP Web servers, a virtual server that uses the HTTP pool, and then verify its functionality. You’ll then update the SNAT settings for the virtual server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Pool

Create a pool containing three HTTP pool members.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Open a Web browser and access https://10.128.1.245.
* Log in with the new user account you created in Exercise 1.3.
* Open the Local Traffic > Pools > Pool List page, and then click Create.
* Create a pool using the following information:
    Name                        http_pool
    Load Balancing Method       Round Robin
    Priority Group Activation   Disabled
    New Members (Click Add for each entry)
      Address         Service Port
      10.128.20.11    80
      10.128.20.12    80
      10.128.20.13    80
* Click Finished.
* Open the Local Traffic > Nodes > Node List page.
  The BIG-IP VE system automatically creates a node for each pool member.

TASK 2 – Create a Virtual Server that Uses the Pool

Create an HTTP virtual server that uses the HTTP pool you created previously.

* Open the Local Traffic > Virtual Servers > Virtual Server List page, and then click Create.
* Create a virtual server using the following information:
    Name           http_vs
    Type           Standard
    Destination    Host: 10.128.10.20
    Service Port   80 (HTTP)
    State          Enabled
    Default Pool   http_pool
* Click Finished.

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the virtual server and ensure that you’re receiving information from all three pool members.

* Use a new Web browser and access the virtual server at http://10.128.10.20.
  You should see page elements coming from all three of the pool members.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
  Question: How many connections were opened to create the Web page? ___________
* In the F5 vLab Test Web page, press Ctrl+F5 once to force the browser to refresh without using its cache.
* In the Configuration Utility, from the Statistics Type list box, select Pools.
  Questions:
    Did traffic go to each pool member? _____________
    Did each member manage approximately the same number of connections? __________

TASK 4 – Modify the Virtual Server SNAT Setting

Identify the effects of adding SNAT Automap to the virtual server.

* In the F5 vLab Test Web page, review the Request Details and examine the Client IP address/port.
  Questions:
    What is the client IP address? ________________________
    Which device “owns” this IP address? ___________________________
* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Click http_vs.
* From the Source Address Translation list box, select Auto Map, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  Questions:
    What is the client IP address? ________________________
    Which device “owns” this IP address? ___________________________
* Close the F5 vLab Test Web page.
* In the Configuration Utility, change the Source Address Translation back to None, and then click Update.

EXERCISE 2.2 – NETWORK MAP

In this exercise you will use the Network Map feature to examine availability information on virtual servers, pools, pool members, and nodes.

* Estimated completion time: 10 minutes

TASK 1 – View Configuration and Status from the Network Map

* In the Configuration Utility, open the Local Traffic > Network Map page.
* Use the mouse to hover over the virtual server and pool objects and notice the information displayed for each object.
* Hover over the pool member objects and notice the information displayed.
* Click the 10.128.20.11:80 pool member.
  The pool member properties page displays.
* In the Parent Node row, click 10.128.20.11.
  The node properties page displays.
* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* Open the Members page.
* Select the checkbox for 10.128.20.11:80, and then click Disable.
* Return to the Network Map page.
* In the Search box, type 20.12, and then click Update Map.
  All objects that match the search criteria are highlighted.
* Click the 10.128.20.11:80 pool member.
* In the State row, select the Enabled option to re-enable this pool member, and then click Update.

TASK 2 – Reset Statistics

Reset the statistics for the virtual server, the pool, and all of the pool members.

* Open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
* Select the http_vs checkbox, and then click Reset.
* From the Statistics Type list box, select Pools.
* Use the Select All checkbox to select the http_pool and all three members, and then click Reset.

TASK 3 – View the Local Traffic Log File

Use the Local Traffic log file to identify pool member availability.

* Open the System > Logs > Local Traffic page.
* Click the Timestamp column header to sort in descending order. (The most recent entry should be at the top of the list.)
* In the Search box type disabled, and then click Search.
  You can quickly identify when a pool member or node has been disabled.

TASK 4 – Saving the Configuration

Use the Configuration Utility to create an archive file.

* Open the System > Archives page, and then click Create.
* Create an archive using the following information, and then click Finished.
    File Name      2.2_processing_traffic_v11.4.1.1
    Encryption     Disabled
    Private Keys   Include

MODULE 3 EXERCISES – VIRTUAL SERVERS

EXERCISE 3.1 – VIRTUAL SERVER PRIORITY

In this exercise you will configure a pool and a virtual server that listen on all ports, and then test application access using the virtual server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Wildcard Pool

Create a pool containing three pool members listening on all ports.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Pools > Pool List page.
* Create a new pool using the following information, and then click Finished.
    Name                        open_pool
    Load Balancing Method       Round Robin
    Priority Group Activation   Disabled
    New Members (Click Add for each entry)
      Address         Service Port
      10.128.20.11    * All Services
      10.128.20.12    * All Services
      10.128.20.13    * All Services
* Open the Local Traffic > Nodes > Node List page.
  Questions:
    Did BIG-IP LTM create new nodes for this pool? _________________
    If no, why not? ____________________________________________________________

TASK 2 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports that references the pool you created in the previous task.

* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name           open_vs
    Type           Standard
    Destination    Host: 10.128.10.20
    Service Port   * All Ports
    Default Pool   open_pool

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the wildcard virtual server and ensure that you’re receiving information from all three pool members.

* Open the Statistics > Module Statistics > Local Traffic page, and then select to view Virtual Server statistics.
* Verify that the statistics for all virtual servers are reset.
* Use a new Web browser and access the virtual server at http://10.128.10.20.
* In the Configuration Utility, on the Virtual Servers statistics page, click Refresh.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use an SSH client to access 10.128.10.20.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close PuTTY.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use a new Web browser to access the secure virtual server at https://10.128.10.20.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
  The HTTP request was directed to http_vs, as this virtual server is more specific than open_vs. The SSH and HTTPS requests were directed to open_vs.
* Delete both the open_vs and the open_pool objects.

EXERCISE 3.2 – FORWARDING AND REJECT VIRTUAL SERVERS

In this exercise you will configure and test a forwarding network virtual server. You’ll then configure and test a reject virtual server for SSH access. Lastly, you’ll create a forwarding host virtual server for SSH access to a single server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Disable the Current Virtual Server

Disable the current HTTP virtual server, and add a route from your workstation to the 10.128.20.0 network.

* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Select the http_vs checkbox, and then click Disable.
  NOTE: You must disable this virtual server in order to use those you’ll create later in this exercise.
* Use a Web browser to attempt to access a Web server directly at http://10.128.20.13.
  The request fails, as you do not have direct access to the 10.128.20.0 network.
* On your workstation, open a command prompt.
  NOTE: You may need to run the command prompt as a local administrator. If so, go to the Start menu and type cmd, then right-click cmd.exe and select Run as administrator.
* At the command prompt, type:
    route add 10.128.20.0 mask 255.255.255.0 10.128.10.240
  This adds a route to the 10.128.20.0 network through the external self IP address of the BIG-IP VE system.
  NOTE: You cannot run the route add command while connected to an F5 VPN.
* Leave the command prompt window open.
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13.
  The request fails again, as the BIG-IP VE system does not have a listener to forward this request to the internal network.

TASK 2 – Create a Forwarding (IP) Virtual Server

Create a forwarding (IP) virtual server for the 10.128.20.0 network.

* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name           forward_vs
    Type           Forwarding (IP)
    Destination    Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port   * All Ports
    Protocol       * All Protocols
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13.
  The request is successful. Note in the Request Details section, the virtual server address is the same as the pool member address. The virtual server did not process the packet, but simply forwarded it to the internal network.
* Change the URL to https://10.128.20.12.
* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close the SSH session and the F5 vLab Test Web page.
  You now have access to all ports and all protocols on the 10.128.20.0 network.

TASK 3 – Create a Reject Virtual Server

Create a reject virtual server to reject SSH traffic going to the 10.128.20.0 network.

* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name           reject_vs
    Type           Reject
    Destination    Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port   22 (SSH)
* Use an SSH client to connect to 10.128.20.11.
* When your request times out, close the SSH session.
* Use a Web browser to access http://10.128.20.11.
  Although you still have HTTP access to 10.128.20.11, you no longer have SSH access to any hosts on the 10.128.20.0 network.
* Close the F5 vLab Test Web page.

TASK 4 – Create a Forwarding Host Virtual Server

Create another forwarding (IP) virtual server, enabling SSH traffic to 10.128.20.11 only.

* In the Configuration Utility, on the Virtual Server List page, create a virtual server using the following information, and then click Finished.
    Name           ssh_vs
    Type           Forwarding (IP)
    Destination    Host: 10.128.20.11
    Service Port   22 (SSH)
* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Open a new SSH session and connect to 10.128.20.12.
* When your request times out, close the SSH session.
  You now have access to all ports and protocols on the 10.128.20.0 network except for port 22. You only have access to port 22 on host 10.128.20.11.
* In the Configuration Utility, delete forward_vs, reject_vs, and ssh_vs.
* Re-enable http_vs.
* In the command prompt window, type:
    route DELETE 10.128.20.0
* Close the command prompt.

TASK 5 – Saving the Configuration

Use the Configuration Utility to create an archive file.

* Open the System > Archives page.
* Create an archive using the following information, and then click Finished.
    File Name      3.2_virtual_servers_v11.4.1.1
    Encryption     Disabled
    Private Keys   Include

MODULE 4 EXERCISES – POOLS

EXERCISE 4.1 – INSTALL REQUIRED SOFTWARE

You will need to install and configure JMeter in order to use this exercise guide.

* Do not perform exercise 4.1 if you already have JMeter installed.
* Estimated completion time: 10 minutes

TASK 1 – Download and Install JMeter

Download and install JMeter.

* Use a Web browser to access http://jmeter.apache.org/download_jmeter.cgi.
* From the Binaries section, download either the TGZ or ZIP file of the latest version of Apache JMeter.
* Extract the downloaded file on your workstation.
  You will use the bin/jmeter.bat program to create a Web server load simulation.

TASK 2 – Configure a Path Value for Java.exe

In order to use JMeter, your workstation must have a path variable value for accessing java.exe.

* On your workstation, open C:\Program Files.
* Open the Java folder. If there is no folder named Java, look in the Program Files (x86) folder.
* Open jre7, and then open bin. Verify that this folder contains the java.exe executable file.
* Right-click in the address bar and select Copy address.
* Open the Start menu, and then type environment in the search bar.
* Click Edit environment variables for your account.
* In the Environment Variables dialog box, in the User variables for section, do one of the following:
  o If there is an existing path variable:
      * Select path, and then click Edit.
      * At the end of the existing Variable value, add a semi-colon, and then paste the address text.
  o If there is not an existing path variable:
      * Click New.
      * Name the new variable path.
      * In the Variable value field, paste the address text.
* Click OK twice.

EXERCISE 4.2 – CREATE A WEB LOAD TEST

Use JMeter to record a visit to your virtual server, and then create a load configuration to simulate 50 users accessing the recording.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Use JMeter to Record a Visit to the Web Site

Use JMeter to record a series of requests to the http_vs virtual server.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* In the location where you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
  NOTE: If you do not have JMeter installed, return and complete Exercise 4.1.
* In the navigation panel, right-click Test Plan, and then select Add > Threads (Users) > Thread Group.
* Change the name to 10.128.10.20 Test.
* In the Number of Threads (Users) field, enter 100.
* In the Loop Count field, enter 3.
* Go to File > Save, and save the file as 10.128.10.20_Test.jmx.
  This will simulate 100 users accessing the BIG-IP VE system and visiting each page three times.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Config Element > HTTP Request Defaults.
  o In the Server Name or IP field, enter 10.128.10.20.
  o In the Port Number field, enter 80.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Home Page
  o In the Path field, enter /
  o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Welcome Page
  o In the Path field, enter /welcome.php
  o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Listener > Summary Report.
* Click the Save button.

TASK 2 – Use JMeter to Simulate Multiple Visits to the Web Site

Use JMeter to play the recording to the downstream Web site.

* In JMeter, select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 600, the test is complete.

TASK 3 – Verify Virtual Server and Pool Statistics

View the virtual server and pool statistics, and then reset all statistics.

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select to view the Pools statistics.
  Question: Were the connections distributed evenly between the three pool members? ________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.3 – LOAD BALANCING METHODS

In this exercise you will change the load balancing method to Ratio and view the resulting behavior.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Configure Ratio Member Load Balancing

Update the http_pool by changing the load balancing method to Ratio (member), and then assign ratio values to the different pool members.

* Open the Local Traffic > Pools > Pool List page.
* Click http_pool.
* Open the Members page.
* In the Load Balancing section, from the Load Balancing Method list box, select Ratio (member).
* Click Update.
* In the Current Members section, click 10.128.20.11:80.
* Within the Configuration section, set the Ratio value to 4.
* Click Update, and then return to the Members page.
* Update the remaining pool members with the following information:
    Member            Ratio
    10.128.20.12:80   2
    10.128.20.13:80   1
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 600, the test is complete.
* In the Configuration Utility, view the Pools statistics.
  Questions:
    Were the connections distributed evenly? _____________
    Were the connections distributed using a 4 – 2 – 1 ratio? _____________
* Reset the statistics for the pool and all pool members.

TASK 2 – Configure Weighted Least Connections Load Balancing

Update the http_pool by assigning connection limit values to the different pool members and then changing the load balancing method to Weighted Least Connections (member).

* Click to edit the http_pool object, and then open the Members page.
* Update the pool members with the following information:
    Member            Connection Limit
    10.128.20.11:80   1200
    10.128.20.12:80   250
    10.128.20.13:80   50
  NOTE: Ensure that all three pool members have Connection Limit values before proceeding.
* Change the Load Balancing Method to Weighted Least Connections (member), and then click Update.
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 600, the test is complete.
* Close JMeter.
* In the Configuration Utility, view the Pools statistics.
  Question: Were the pool members utilized properly based on the configured connection limits? _________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.4 – PRIORITY GROUP ACTIVATION

In this exercise you will enable priority group activation, and then add two additional pool members to the HTTP pool. You’ll then examine how the BIG-IP system utilizes the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Enable Priority Group Activation

Update the http_pool by enabling priority group activation, and then assign priority values to the different pool members. Add two additional members to the pool.

* Click to edit the http_pool object, and then open the Members page.
* In the Priority Group Activation list box, select Less than.
* In the Available Member(s) field, enter 2, and then click Update.
* Update the pool members with the following information:
    Member            Priority Group
    10.128.20.11:80   8
    10.128.20.12:80   8
    10.128.20.13:80   4
* Add new pool members using the following information:
    Address        Service Port   Ratio   Priority Group   Connection Limit
    10.128.20.14   80             1       4                10
    10.128.20.15   80             1       3                10
* Use a Web browser to access http://10.128.10.20.
* Use Ctrl+F5 several times to refresh the page.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.11:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request?
  _____________________________
  With priority group activation set to 2 members, why are there now three members supplying content? ___________________________________________________________________________
* In the Configuration Utility, disable pool member 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Using priority group activation, we can always be assured that we have at least two pool members available to fulfill user requests.
* In the Configuration Utility, re-enable pool members 10.128.20.11:80 and 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  For the first couple of refreshes, content should still come from node #5 (10.128.20.15:80), because the connections had yet to close. Eventually you will notice requests come only from 10.128.20.11, 10.128.20.13, and 10.128.20.14.
* In the Configuration Utility, re-enable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  After refreshing a couple of times, all requests now come from 10.128.20.11 and 10.128.20.12 only.
* Close the F5 vLab Test Web page.
* Update the http_pool by changing the Priority Group Activation value back to Disabled, and then click Update.
* Create an archive file named 4.4_pools_load_balancing_v11.4.1.1.

MODULE 5 EXERCISES – MONITORS

EXERCISE 5.1 – USING MONITORS WITH NODES

In this exercise you will assign the default monitor to be used for all nodes, assign a node-specific monitor, and disassociate the default monitor from a node.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Verify the Snapshot for the LAMP Image

In these exercises you will make modifications to the LAMP VMware image. Ensure that you have a snapshot before moving on.

* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 and select Snapshot.
* If you do not have a snapshot named LAMP_3.2_Clean, select Take Snapshot, and name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.
* Power on the BIGIP_A1_v11.4 and LAMP_3.2 images.

TASK 2 – Assign a Default Monitor for all Nodes

Assign the BIG-IP system default icmp monitor as the default monitor for all nodes.

* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Nodes > Node List page.
* Examine the Status of the listed nodes.
* Open the Default Monitor page.
* Select icmp from the Available list, then click <<, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

TASK 3 – Create a Custom ICMP Monitor

Create a custom ICMP monitor that will be used with only one node.

* Open the Local Traffic > Monitors page, and then click Create.
* Create a new monitor using the following information, and then click Finished.
    Name             custom_icmp_monitor
    Type             ICMP
    Parent Monitor   icmp
    Interval         4
    Timeout          13
    Transparent      No

TASK 4 – Assign the Custom Monitor to a Specific Node

Assign the custom icmp monitor to 10.128.20.12.

* Open the Local Traffic > Nodes > Node List page, and then click 10.128.20.12.
* Assign the monitor to the node using the following information:
    Health Monitors            Node Specific
    Select Monitors: Active    custom_icmp_monitor
    Availability Requirement   All
* Click Update.

TASK 5 – Assign No Monitors to a Specific Node

Assign no monitors to 10.128.20.13.

* On the Node List page, click 10.128.20.13.
* From the Health Monitors list box, select None, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.
  The BIG-IP system default icmp monitor has been assigned to the Node Default monitor and these nodes are using that monitor:
    * 10.128.20.11
    * 10.128.20.14
    * 10.128.20.15
  The custom_icmp_monitor is assigned to node 10.128.20.12.
  There is no monitor assigned to node 10.128.20.13.
  This is not a recommended configuration. This setup is only meant to demonstrate three methods of assigning monitors to nodes.

EXERCISE 5.2 – USING MONITORS WITH POOLS

In this exercise you will create a custom HTTP monitor and assign the monitor to the HTTP pool. You will then view the effects of using monitors on the virtual server, pool, pool members, and nodes.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Check Current Pool Member Status

Use the Pool List page to examine the current status of the members of the HTTP pool.

* Open the Local Traffic > Pools > Pool List page.
* Click http_pool, and then open the Members page.
* Examine the Status of the listed members.
  Question: Will BIG-IP LTM distribute traffic to pool members that are unknown? _____________

TASK 2 – Create a Custom HTTP Monitor

Create a custom HTTP monitor that requests a specific Web page from the pool member and that verifies a specific text string is returned in the HTTP response.

* Open the Local Traffic > Monitors page, and then click Create.
* Create a monitor using the following, and then click Finished.
    Name             custom_http_monitor
    Type             HTTP
    Interval         4
    Timeout          13
    Send String      GET /HealthCheck.html\r\n
    Receive String   SERVER_UP

TASK 3 – Assign the Custom Monitor to the Pool

Assign custom_http_monitor to http_pool.

* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* For Health Monitors, select custom_http_monitor, click <<, and then click Update.

TASK 4 – View the Network Map

View the status of virtual server, pool, pool members, and nodes using Network Map.
* Open the Local Traffic > Network Map page.
* Use the mouse to hover over the different pool members.
  Question: Why is the status of node 10.128.20.13 different from the other nodes? ___________________________________________________________________

TASK 5 – View the Effects of Using Monitors

Make changes to the Web site on the LAMP image, and then view how the changes affect the Network Map.

* Use an SSH client to connect to the LAMP_3.2 image at 10.128.1.252.
* Log in using the following credentials:
    Username: root
    Password: default
* Access and view the Web server components on 10.128.20.11:80 by typing:
    cd /var/www/server/1
    ls
  The HealthCheck.html Web page currently exists on pool member 10.128.20.11:80.
* To rename this Web page, type:
    mv HealthCheck.html NewHealthCheck.html
  This removes the HealthCheck.html Web page from pool member 10.128.20.11:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member.
  The virtual server and pool display available.
  Pool member 10.128.20.11:80 displays offline.
  These pool members display available:
    * 10.128.20.12:80
    * 10.128.20.13:80
    * 10.128.20.14:80
    * 10.128.20.15:80
  All the nodes display as available, except 10.128.20.13, which displays unknown.
* In the SSH session, to change the contents of the HealthCheck.html Web page on 10.128.20.12:80 using visual editor, type:
    cd ..
    cd 2
    vi HealthCheck.html
  NOTE: You can use the Tab key to autocomplete the Web page name.
* Arrow down to the SERVER_UP paragraph, and then arrow over to the word UP.
* Type X to delete UP.
* To save and quit visual editor, type:
    :wq
  The text string “SERVER_UP” will no longer be found in the HealthCheck.html Web page on pool member 10.128.20.12:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
  The virtual server and pool still display available.
  Pool members 10.128.20.11:80 and 10.128.20.12:80 display offline.
  These pool members display available:
    * 10.128.20.13:80
    * 10.128.20.14:80
    * 10.128.20.15:80
* In the SSH session, to delete the IP address from 10.128.20.14:80, type:
    ip addr del 10.128.20.14/24 dev eth2
  This removes the IP address from node 4. The BIG-IP VE system will not receive an ICMP response from the node.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member.
  Node 10.128.20.14 now displays offline, which causes pool member 10.128.20.14:80 to display offline.
* Open the http_pool pool, and then open the Members page.
  o Update the Connection Limit of 10.128.20.13:80 to a value of 100.
  o Update the Connection Limit of 10.128.20.15:80 to a value of 5.
* In the location where you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Big Text Page
  o In the Path field, enter /bigtext.php
  o Clear the Use KeepAlive checkbox.
* Select 10.128.10.20 Test, and then go to Run > Start.
* While the test runs, in the Configuration Utility continue to refresh the Network Map page.
  Eventually pool member 10.128.20.15:80 displays unavailable because it reaches the configured connection limit.
* Use a new Web browser to access http://10.128.10.20.
  The page will be slow to load, and there should only be page elements supplied by pool member 10.128.20.13:80.
* In the Configuration Utility, go to node 10.128.20.13, select Forced Offline, and then click Update.
* Open the Network Map page, and then click Update Map.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.
  Eventually you’ll receive a page error, as there will be no pool members left to fulfill the request.
* In JMeter, if the load test is still running, click the Stop button.
* Save the 10.128.10.20 Test, and then close JMeter.
* In the Configuration Utility, continue to click Update Map until pool member 10.128.20.15:80 is again available.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  You receive the Web page. All elements come from pool member 10.128.20.15:80.
* In the SSH session, to replace the text string in the HealthCheck.html Web page on 10.128.20.12:80:
    o Type: vi HealthCheck.html
    o Arrow to the location where you removed the text UP.
    o Type an “i” to enter insert mode.
    o Type UP.
    o Type the following commands: :wq
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  There are now page elements coming from both 10.128.20.12:80 and 10.128.20.15:80.
* In the Configuration Utility on the Network Map page, click Update Map.
  The virtual server and pool again display available. Pool members 10.128.20.11:80 and 10.128.20.14:80 display offline. Pool member 10.128.20.13:80 displays forced offline. Pool members 10.128.20.12:80 and 10.128.20.15:80 display available.

EXERCISE 5.3 – USING AN INBAND MONITOR

In this exercise you experiment with using a combination of passive monitoring and active monitoring.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create and Use an Inband Monitor

Create a custom inband monitor with a retry time of 0.

* Open the Local Traffic > Monitors page.
* Create a monitor using the following information, and then click Finished.

    Name          custom_inband_monitor
    Type          Inband
    Retry Time    0 seconds

TASK 2 – Update the HTTP Monitor

Configure custom_http_monitor to use the Up Interval setting.

* On the Monitors page, click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For the Up Interval value, select Enabled, then type 60 seconds, and then click Update.

With this configuration, LTM uses the up interval setting for the active monitor (60 seconds) as long as the inband monitor identifies the pool member available.
If the inband monitor identifies the pool member as suspect or offline, the regular interval is used for the active monitor (4 seconds).

TASK 3 – Update the HTTP Pool

Add custom_inband_monitor along with custom_http_monitor to http_pool.

* Open the Pool List page, and then click http_pool.
* From the Configuration list, select Advanced.
* Select custom_inband_monitor and click <<.
* From the Availability Requirement list box, select At Least, then type 1, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.
  There are now page elements provided by 10.128.20.11:80 and 10.128.20.12:80.
* In the Configuration Utility, open the Network Map page.
* Click 10.128.20.11:80 and examine the Availability and Health Monitors statuses.
* Notice the custom_http_monitor fails, while the custom_inband_monitor succeeds. Because we modified the availability requirement to 1 health monitor, the pool member is identified as available.

EXERCISE 5.4 – USING MANUAL RESUME

In this exercise you will modify the active HTTP monitor to use manual resume.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the HTTP Monitor

Modify custom_http_monitor to use manual resume. Also, remove custom_inband_monitor from http_pool.

* Open the Monitors page, and then click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For Up Interval, select Disabled.
* For Manual Resume, select Yes, and then click Update.
* Open the Pool List page, and then click http_pool.
* In the Active list, select custom_inband_monitor, and then click >>.
* From the Availability Requirement list box, select All, and then click Update.
* Wait 15 seconds, and then open the Network Map page.
  Pool member 10.128.20.11:80 again displays offline.

TASK 2 – Update the Pool Members

Replace the HealthCheck.html Web page on pool member 10.128.20.11:80.
* In the SSH session, to replace the HealthCheck.html Web page on 10.128.20.11:80, type:
    cd ..
    cd 1
    mv NewHealthCheck.html HealthCheck.html
* Close the SSH session.
* In the Configuration Utility, on the Network Map page, click Update Map.
* Hover over pool member 10.128.20.11:80.
  The pool member 10.128.20.11:80 displays as forced offline, waiting for manual resume.
* Click 10.128.20.11:80.
  When a monitor is set for manual resume, a BIG-IP system administrator must manually enable the pool member after the monitor is again identified as available.
* Select Enabled (All traffic allowed), and then click Update.
* Open the Network Map page.
  The pool member 10.128.20.11:80 is now available.

TASK 3 – Reset the Environment

To prepare for the next exercises, reset the environment, including restoring the Ubuntu image from the clean snapshot.

* Go to the 10.128.20.13 node.
* Change the State to Enabled, and then click Update.
* Open the Monitors page, and then click custom_http_monitor.
* For Manual Resume, select No, and then click Update.
* Create an archive file named 5.4_monitors_v11.4.1.1.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > LAMP_3.2_Clean.
* Click Yes to restore LAMP_3.2.

MODULE 6 EXERCISES – USING PROFILES

EXERCISE 6.1 – USING AN HTTP PROFILE

In this exercise you will create a custom HTTP profile and add it to the HTTP virtual server. You will then examine how the HTTP profile changes the traffic management behavior.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Custom HTTP Profile

Create a custom HTTP profile.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
* Create an HTTP profile using the following information, and then click Finished.

    Name                        custom_http_profile
    Fallback Host               http://www.f5.com
    Fallback on Error Codes     404 500-503
    Response Headers Allowed    Content-Type Set-Cookie Location
    Insert X-Forwarded-For      Enabled
    Maximum Requests            50

  Notice the current inherited setting for Maximum Header Size is 32768 bytes.

TASK 2 – Modify the Default HTTP Profile

Make a couple of modifications to the BIG-IP system default http profile, and then examine which values were inherited by custom_http_profile.

* On the Profiles: Services: HTTP page, click http.
* Edit the profile using the following information, and then click Update.

    Maximum Header Size    16384
    Maximum Requests       30

* On the Profiles: Services: HTTP page, click custom_http_profile.

Questions:
  Did the custom profile inherit the maximum header size setting? ________________
  Did the custom profile inherit the maximum requests setting? _______________

TASK 3 – Add the Custom HTTP Profile to a Virtual Server

Add custom_http_profile to http_vs.

* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on This Host section, click the Request and Response Headers link.
* Leave this browser open.
* In the Configuration Utility, open the Virtual Server List page, and then click http_vs.
* In the Configuration section, from the HTTP Profile list box, select custom_http_profile.
* Click Update.
* Use a second Web browser to access http://10.128.10.20.
* Click the Request and Response Headers link.
* Using both Web browsers, examine the different Response Headers delivered to the Client sections.

Questions:
  Why are there fewer response headers in the second version of this Web page? _______________________________________________________________
  Which response headers that were exposed in the first version of this Web page could be exploited by a hacker? ________________________________________________________________

* Using both Web browsers, examine the different Request Headers Received at the Server section.

Question: On the second version, what is the X-Forwarded-For value? _________________________

* Close the first Web browser.
* In the second Web browser, change the URL to http://10.128.10.20/badpage.php.

Questions:
  What was the result of this request? ________________
  Why were you redirected to www.f5.com? ___________________________________

* Close the Web browser.

TASK 4 – Update the Custom HTTP Profile

Update custom_http_profile with additional settings.

* In the Configuration Utility, open the Local Traffic > Profiles > Services > HTTP page, and then click custom_http_profile.
* Edit the profile using the following information, and then click Update.

    Request Header Erase        User-Agent
    Request Header Insert       Bigip-Httpvs:10.128.20.10
    Response Headers Allowed    Content-Type Set-Cookie Location X-Injected

* Use a Web browser to access http://10.128.10.20, and then click Request and Response Headers.

Questions:
  Is the new Bigip-Httpvs request header displaying? ________________
  Are you still seeing the User-Agent header? __________________

EXERCISE 6.2 – USING A STREAM PROFILE

In this exercise you will create a custom stream profile that will replace a static text string for responses from the customer’s Web site.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – View a Current Web Page

View the text that needs to be replaced on the customer’s Web site.

* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on this Host section, click Stream Profile Example.
  This page has several references to the company’s previous name, Lorax Bank. Without going through the task of updating several pages across multiple Web servers, you’ll make this update on BIG-IP LTM using a stream profile.

TASK 2 – Create a Stream Profile

Create a custom stream profile that will find occurrences of the customer’s previous name and replace it with their updated company name.
* In the Configuration Utility, open the Local Traffic > Profiles > Other > Stream page, and then click Create.
* Create a stream profile using the following information, and then click Finished.

    Name      custom_stream
    Source    Lorax Bank
    Target    Lorax Investments

TASK 3 – Add the Custom Stream Profile to a Virtual Server

Add custom_stream to http_vs.

* Open the Virtual Server List page, and then click http_vs.
* From the Configuration list box, select Advanced.
* In the Configuration section, from the Stream Profile list box, select custom_stream.
* In the Acceleration section, from the HTTP Compression Profile list box, select httpcompression, and then click Update.
* Return to the F5 vLab Test Web page and refresh the Welcome to Lorax Bank page.
  The stream profile replaced all occurrences of the string “Lorax Bank” with “Lorax Investments”.
* Close the Web browser.
* Create an archive file named 6.2_profiles_v11.4.1.1.

MODULE 7 EXERCISES – PERFORMANCE PROFILES

EXERCISE 7.1 – USING COMPRESSION AND ACCELERATION

In this exercise you will use iMacros for Firefox to create a recording of a visit to the HTTP virtual server. You will then create several optimization profiles, including HTTP compression, caching, and TCP. You will create a similar HTTP pool and virtual server and add the profiles to the new virtual server. You’ll then record a similar visit to the Web site using iMacros for Firefox and identify improvements.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Install iMacros for Firefox

Install iMacros for Firefox.

* Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/.
* Download and install iMacros for Firefox.

TASK 2 – Record BIG-IP LTM Performance without Optimization

Clear the statistics, then update http_vs by removing the HTTP and stream profiles, and then record a visit to the HTTP virtual server using iMacros for Firefox.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Statistics > Module Statistics > Local Traffic page.
* Reset the virtual server, pool, and pool member statistics.
* Open the Virtual Server List page, and then click http_vs.
* From the HTTP Profile list box, select None.
* From the Stream list box, select None, and then click Update.
* Use a Mozilla Firefox browser to access http://10.128.10.20.
* Click I Understand the Risks, then click Add Exception, and then click Confirm Security Exception.
* If it’s not already displayed, enable the iMacros pane.
* In the iMacros pane, select the Rec tab, and then click Record.
* Record the following series of clicks:
    o Click Welcome, and then click the banner at the top of the page to return to the home page.
    o Click HTTP Compress Example, and then click the banner at the top of the page.
    o Click Stream Profile Example, and then click the banner at the top of the page.
    o Click Mask Sensitive Content Example, and then click the Back button.
    o Click Simple HTTP Request, and then click the Back button.
    o Click Request and Response Headers, and then click the banner at the top of the page.
* Click Stop.
* Use Ctrl+F5 five times to refresh the page.
* Select the Welcome link, and then click on the banner at the top of the page to return to the home page.
* Click the Welcome link.
* Use Ctrl+F5 five times to refresh the page.
* Click the banner at the top to return to the home page.
* HTTP Compress
* Multiple Stream Example.
* bigtext.txt.
* Change the U
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, select 10.128.10.20 Test.
* Change the Number of Threads (users) to 50.
* Change the Loop Count to 2.
* Go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 300, the test is complete.

Questions:
  What is the Total Throughput value? ___________________
  What is the Total KB/sec value? ____________________
  What is the Total Avg. Bytes value? ___________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression.
  There is no compression taking place.
* Click the Back button, and then click the View link for Web Acceleration.
  There is no caching taking place.

TASK 2 – Configure HTTP Compression and Fast Cache

Create a custom HTTP compression profile and a custom Web acceleration profile.

* Open the Acceleration > Profiles > HTTP Compression page.
* Create an HTTP Compression profile using the following information, and then click Finished.

    Name                                               custom_compression
    Parent Profile                                     wan-optimized-compression
    Content Compression                                Content List…
    Content Type (Click Include after each entry)      *.png *.jpg *.php
    Minimum Content Length                             10 bytes
    gzip Compression Level                             6 – Optimal Compression
    Browser Workarounds                                Enabled

* Open the Acceleration > Profiles > Web Acceleration page.
* Create a Web Acceleration profile using the following information, and then click Finished.

    Name              custom_caching
    Parent Profile    optimized-acceleration
    Cache Size        500 megabytes

TASK 3 – Configure TCP Express and Content Spooling

Enable TCP optimization between the client and BIG-IP LTM, and between BIG-IP LTM and the pool members.

* Open the Local Traffic > Profiles > Protocol > TCP page.
* Create a TCP profile using the following information, and then click Repeat.

    Name              custom_tcp_server_profile
    Parent Profile    tcp_lan_optimized

* Create another TCP profile using the following information, and then click Finished.

    Name                   custom_tcp_client_profile
    Parent Profile         tcp_wan_optimized
    Delayed Acks           Disabled
    Proxy Buffer High      196608
    Selective NACK         Enabled
    Nagle’s Algorithm      Disabled

TASK 4 – Configure OneConnect

Create a custom OneConnect profile.

* Open the Local Traffic > Profiles > Other > OneConnect page.
* Create a OneConnect profile using the following information, and then click Finished.

    Name            custom_oneconnect
    Source Mask     255.255.0.0
    Maximum Size    12000

TASK 5 – Create a Pool and Virtual Server

Create a new pool and virtual server to use with the new performance profiles.

* Create a pool using the following information, and then click Finished.

    Name                     http_pool2
    Health Monitors          custom_http_monitor
    Load Balancing Method    Round Robin
    Members (Use the Node List option)
        Node            Service Port
        10.128.20.11    80
        10.128.20.12    80
        10.128.20.13    80
        10.128.20.14    80
        10.128.20.15    80

* Create a virtual server using the following, and then click Finished.

    Name                           http_vs2
    Destination                    10.128.10.21
    Service Port                   80 (HTTP)
    Configuration                  Advanced
    Protocol Profile (Client)      custom_tcp_client_profile
    Protocol Profile (Server)      custom_tcp_server_profile
    HTTP Profile                   http
    Source Address Translation     Auto Map
    OneConnect Profile             custom_oneconnect
    HTTP Compression Profile       custom_compression
    Web Acceleration Profile       custom_caching
    Default Pool                   http_pool2

TASK 6 – Record BIG-IP LTM Performance with Optimization

Record traffic statistics with BIG-IP LTM optimization configured.

* In JMeter, in the navigation panel, select HTTP Request Defaults.
* Change the Server Name or IP to 10.128.10.21.
* Select Summary Report, and then go to Run > Clear.
* Go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 300, the test is complete.

Questions:
  What is the Total Throughput value? ___________________
  What is the Total KB/sec value? ____________________
  What is the Total Avg. Bytes value? ___________________

* In the Configuration Utility, view the Virtual Servers statistics.

Questions:
  Was there a significant difference in the number of bits coming in or out of the virtual servers? _______________
  How many maximum connections were opened for http_vs? ______________________
  How many total connections were opened for http_vs? ________________________
  How many maximum connections were opened for http_vs2? ______________________
  How many total connections were opened for http_vs2? ________________________

* Reset the statistics for both virtual servers.
* View the Pools statistics.

Questions:
  Was there a significant difference in the number of bits coming in or out of the pools? _______________
  Did caching lower the number of packets out for http_pool2? _____________
  Did OneConnect lower the number of connections required for http_pool2? _____________

* Reset the statistics for both pools and all pool members.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression.
  Compression is now taking place for HTML content.
* Click the Back button, and then click the View link for Web Acceleration.
  There should now be many cache hits.
* Create an archive file named 7.1_performance_profiles_v11.4.1.1.

MODULE 8 EXERCISES – PERSISTENCE PROFILES

EXERCISE 1.8A – USING SOURCE ADDRESS PERSISTENCE

In this exercise you will create a source address persistence profile and examine how it changes the BIG-IP load balancing decision.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Update the HTTP Pool

Update the HTTP pool to use round robin load balancing.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Pool List page, and then select http_pool.
* Select the Members tab.
* Change the Load Balancing Method to Round Robin.
* Open a new Web browser and access http://10.128.10.20.

Question: Are requests coming from one or several pool members?
______________________

TASK 2 – Create a Source Address Persistence Profile

Create a custom source address persistence profile and add it to the HTTP virtual server.

* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Click Create.
* Create a persistence profile using the following information:

    Name                custom_source_addr
    Persistence Type    Source Address Affinity
    Timeout             15 seconds
    Mask                Specify: 255.255.255.0

* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
  Are requests coming from one or several pool members? ______________________
  Which pool member is supplying the content for this request? ____________________

* Wait at least 15 seconds and then use Ctrl+F5 to refresh the page again.

Questions:
  Was the same pool member used for this request? _______________
  If not, why not? _________________________________________________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
* Refresh the Statistics page.
* Continue to click Refresh and note the value in the Age column.
* Close the http://10.128.10.20 Web browser.

EXERCISE 1.8B – USING COOKIE PERSISTENCE

In this exercise you will create a custom cookie persistence profile, and then add it in place of the source address persistence profile.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Cookie Persistence Profile

Create a custom cookie persistence profile, and then add it in place of the source address persistence profile.

* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Create a persistence profile using the following information:

    Name                custom_cookie
    Persistence Type    Cookie
    Cookie Method       HTTP Cookie Insert
    Cookie Name         BIGIP_mycookie
    Expiration          Session Cookie (cleared) 8 hours

* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_cookie.
* Click Update.

Questions:
  Was the update successful? _______________
  If not, why not? _________________________________________________________

* Select the Properties tab.
* For HTTP Profile, select the default http profile.
* Repeat the steps above to update the persistence profile to custom_cookie.
* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.
* In the Content Examples on this Host section, select Display Cookie.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.

Question:
  Is there a persistence record for this session? _______________
  If not, why not? _________________________________________________________

EXERCISE 1.8C – VIEW PERSISTENCE WITH DISABLED AND OFFLINE POOL MEMBERS

In this exercise you will examine how persistence works with both disabled and offline pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the Source Address Profile and the Virtual Server

Update the timeout value in the source address persistence profile, and then update the HTTP virtual server to use the source address persistence profile.

* Open the Local Traffic > Profiles > Persistence page.
* Select custom_source_addr.
* Update the Timeout to 60 seconds.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
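
The source address affinity behavior from Exercise 1.8A (mask 255.255.255.0, timeout 15 seconds, Round Robin underneath) can be reproduced offline. The following is an added example, not part of the original guide and not F5 code: the class, the request timeline and the idle-based timeout are assumptions of this simplified model.

```python
import ipaddress
from itertools import cycle

# Pool members of http_pool as listed in this guide.
MEMBERS = ["10.128.20.11:80", "10.128.20.12:80", "10.128.20.13:80",
           "10.128.20.14:80", "10.128.20.15:80"]

# Constructed request timeline: (seconds since start, client address).
TIMELINE = [(0, "10.128.10.5"), (5, "10.128.10.77"), (19, "10.128.10.5"),
            (40, "10.128.10.5"), (41, "10.128.30.9")]


class SourceAddrPersistence:
    """Simplified model (assumption) of a source address affinity profile."""

    def __init__(self, members, mask="255.255.255.0", timeout=15):
        self.mask = mask
        self.timeout = timeout
        self._round_robin = cycle(members)   # load balancing method from Task 1
        self.records = {}                    # masked source -> [member, last use]

    def key(self, client_ip):
        """Apply the profile mask: every client in the same masked network
        shares one persistence record."""
        net = ipaddress.ip_network(f"{client_ip}/{self.mask}", strict=False)
        return str(net.network_address)

    def pick(self, client_ip, now):
        """Return the pool member for a request arriving at time `now`."""
        k = self.key(client_ip)
        rec = self.records.get(k)
        if rec is None or now - rec[1] >= self.timeout:
            # No live record: make a fresh load balancing decision.
            rec = [next(self._round_robin), now]
            self.records[k] = rec
        rec[1] = now   # each matching request resets the record's age
        return rec[0]

    def ages(self, now):
        """Live records and their age, like the Age column on the
        Persistence Records statistics page."""
        return {k: now - last for k, (_, last) in self.records.items()
                if now - last < self.timeout}


def replay(requests, **profile):
    """Run a timeline through a fresh profile and return the chosen members."""
    p = SourceAddrPersistence(MEMBERS, **profile)
    return [p.pick(ip, t) for t, ip in requests]


if __name__ == "__main__":
    for (t, ip), member in zip(TIMELINE, replay(TIMELINE)):
        print(f"t={t:>2}s  {ip:<13} -> {member}")
```

With the /24 mask, two different clients in 10.128.10.0/24 land on the same member, so a wide mask concentrates every client behind one network or proxy onto a single pool member until the record ages out.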

TASK 2 – View Effects of Disabled and Offline Pool Members

Make a couple of modifications to the default http profile, and then examine which values were inherited by the custom HTTP profile.

* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.

Question: Which pool member are you currently persisting to? _______________

* In the Configuration Utility, disable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
  Did you persist to the same pool member? _______________
  Can disabled pool members service client requests? ________________

* In the Configuration Utility, select Forced Offline for the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
  Did you persist to the same pool member? _______________
  Can offline pool members service client requests? ________________

* In the Configuration Utility, re-enable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Question: Did your persistence session go back to the original pool member? _______________

* Close the Web browser.

EXERCISE 1.8D – USING MATCH ACROSS VIRTUAL SERVERS

In this exercise you will use persistence with two virtual servers. It’s critical that users are persisted to the same pool member, regardless of which virtual server they access.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Clear Statistics and View Access to Two Virtuals

View how requests are currently being handled through both virtual servers.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs2.
* For Protocol Profile (Client), select tcp.
* For Protocol Profile (Server), select (Use Client Profile).
* For each of the following, select None.
    * HTTP Profile
    * OneConnect
* Click Update.
* Open the Statistics > Module Statistics > Local Traffic page.
* Ensure the statistics for both virtual servers and pools, and pool members have been reset.
* Open up a new Web browser and access https://10.128.10.20.
* Type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21.
* Type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.

Questions:
  Are requests for http_pool persisting to one pool member? _______________
  Are requests for http_pool2 persisting to one pool member? ________________

* Reset the statistics for both pools and all pool members.

TASK 2 – Enable Persistence for http_vs2

Add the source address persistence profile to the second HTTP virtual server.

* Open the Virtual Servers page, and then select http_vs2.
* Select the Resources tab.
* For Default Persistence Profile, select custom_source_addr.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.

Questions:
  Are requests for http_pool persisting to one pool member? _______________
  Are requests for http_pool2 persisting to one pool member? ________________
  Are requests for each different pool persisting to the SAME pool member? ___________

* Reset the statistics for both pools and pool members.

TASK 3 – Enable Match Across Virtual Servers

Update the source address persistence profile to use the Match Across Virtual Servers option.

* Open the Persistence profiles page, and then select custom_source_addr.
* Enable Match Across Virtual Servers.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.

Question: Are requests for each different pool persisting to the SAME pool member? ___________

* Reset the statistics for both pools and pool members.
* Create an archive file named 1.8_persistence_profiles_v11.4.0.1.

MODULE 9 EXERCISES – SSL TERMINATION

EXERCISE 1.9A – SUPPORTING SSL TRAFFIC

In this exercise you’ll set up the BIG-IP to support processing SSL traffic. First you’ll configure the BIG-IP to simply pass SSL traffic through to the pool members. Then you’ll configure the BIG-IP for SSL termination.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Create a Self-Signed Certificate

Create a self-signed certificate for www.f5demo.com.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the System > File Management > SSL Certificate List page.
* Click Create.
* Create a self-signed certificate using the following information:

    Name           custom_ssl_cert
    Type           Self
    Common Name    www.f5demo.com
    Lifetime       3650 days
    Key Type       RSA
    Size           2048 bits

  Fill in the remaining fields however you like.
* Click Finished.

TASK 2 – Create a Client SSL Profile

Create a client SSL profile using the self-signed certificate.

* Open the Local Traffic > Profiles > SSL > Client page.
* Click Create.
* Create a client SSL profile using the following information:

    Name           custom_client_ssl
    Certificate    custom_ssl_cert
    Key            custom_ssl_cert

* Click Finished.

TASK 3 – Create a Custom HTTPS Monitor

Create a custom HTTPS monitor that requests the index.php Web page from the pool member and then verifies that a text string is returned in the response.

* Open the Local Traffic > Monitors page.
* Create a monitor using the following:

    Name              custom_https_monitor
    Type              HTTPS
    Send String       GET /index.php\r\n
    Receive String    FSE vLab Test Web Site

* Click Finished.
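
The monitor behavior exercised in Module 5 (Receive String matching, node status, Availability Requirement, connection limits and Manual Resume) and reused by the HTTPS monitor above can be traced with a small state model. This is an added example, not part of the original guide and not F5 code: the class, the sample page bodies and the status strings chosen for the model are constructed, and the logic is a simplification of what the exercises describe.

```python
from dataclasses import dataclass

# Constructed page bodies standing in for what the monitors would fetch.
HEALTHCHECK_OK = "<html><body><p>SERVER_UP</p></body></html>"
HEALTHCHECK_EDITED = "<html><body><p>SERVER_</p></body></html>"  # "UP" deleted in vi
INDEX_PHP = "<html><title>FSE vLab Test Web Site</title></html>"


def receive_string_ok(body, receive_string):
    """Active monitor check: the response must contain the Receive String.
    body is None when the page is missing or the member did not answer."""
    return body is not None and receive_string in body


@dataclass
class PoolMember:
    name: str
    requirement: object = "all"   # "all", or an int N for "At Least N"
    manual_resume: bool = False
    conn_limit: int = 0           # 0 means no limit
    connections: int = 0
    forced_offline: bool = False
    held_down: bool = False       # a manual-resume monitor has marked it down

    def enable(self):
        """Administrator selects Enabled (All traffic allowed)."""
        self.forced_offline = False
        self.held_down = False

    def evaluate(self, monitor_results, node_up=True):
        """Derive the displayed status from one round of monitor results."""
        if self.forced_offline:
            return "forced offline"
        if not node_up:                       # node monitor (ICMP) failed
            return "offline"
        needed = (len(monitor_results) if self.requirement == "all"
                  else self.requirement)
        if sum(monitor_results) < needed:
            self.held_down = self.held_down or self.manual_resume
            return "offline"
        if self.held_down:                    # healthy again, but not re-enabled
            return "forced offline, waiting for manual resume"
        if self.conn_limit and self.connections >= self.conn_limit:
            return "unavailable"
        return "available"


def replay_member_11():
    """Statuses of 10.128.20.11:80 across Exercises 5.2 to 5.4."""
    m, seen = PoolMember("10.128.20.11:80"), []
    http = receive_string_ok(HEALTHCHECK_OK, "SERVER_UP")
    seen.append(m.evaluate([http]))           # page present
    http = receive_string_ok(None, "SERVER_UP")
    seen.append(m.evaluate([http]))           # HealthCheck.html renamed
    m.requirement = 1                         # inband monitor added, At Least 1
    seen.append(m.evaluate([http, True]))
    m.requirement, m.manual_resume = "all", True
    seen.append(m.evaluate([http]))           # inband removed, Manual Resume Yes
    http = receive_string_ok(HEALTHCHECK_OK, "SERVER_UP")
    seen.append(m.evaluate([http]))           # page restored
    m.enable()
    seen.append(m.evaluate([http]))
    return seen


def other_members():
    """Edited page, node without its IP address, member at its limit."""
    edited = PoolMember("10.128.20.12:80").evaluate(
        [receive_string_ok(HEALTHCHECK_EDITED, "SERVER_UP")])
    no_icmp = PoolMember("10.128.20.14:80").evaluate([False], node_up=False)
    at_limit = PoolMember("10.128.20.15:80", conn_limit=5,
                          connections=5).evaluate([True])
    return edited, no_icmp, at_limit


if __name__ == "__main__":
    print(replay_member_11())
    print(other_members())
    print(receive_string_ok(INDEX_PHP, "FSE vLab Test Web Site"))
```

The third step of the replay is the one to watch in production: with At Least 1 and a passing inband monitor, a member whose content check fails still receives traffic.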

TASK 4 – Create an HTTPS Pool and Virtual Server

Create a pool and a virtual server to support SSL traffic, and then test access using a Web browser.

* Open the Pool List page.
* Create a pool using the following:

    Name                     https_pool
    Health Monitors          custom_https_monitor
    Load Balancing Method    Round Robin
    Members (Use the Node List option)
        Node            Service Port
        10.128.20.11    443
        10.128.20.12    443
        10.128.20.13    443
        10.128.20.14    443
        10.128.20.15    443

* Click Finished.
* Open the Virtual Server List page.
* Create a virtual server using the following:

    Name            https_vs
    Destination     Host: 10.128.10.20
    Service Port    443 (or HTTPS)
    Default Pool    https_pool

* Click Finished.
* Open a new Web browser and access https://10.128.10.20.
* View the URI and the information in the Pool member address/port.

Questions:
  Is the connection between the client and BIG-IP LTM secured? _____________
  Is the connection between BIG-IP LTM and the pool member secured? _____________

* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page.
  Each request is load balanced to different pool members.
* Close the Web browser.

TASK 5 – Add Cookie Persistence to the HTTPS Virtual Server

Attempt to add cookie persistence to the HTTPS virtual server and then verify the results.

* In the Configuration Utility, open the Virtual Server List page, and then select https_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Select the Resources tab.
* For Default Persistence Profile, select custom_cookie.
* Click Update.
* Open a new Web browser and access https://10.128.10.20.

Questions:
  Did the Web page display? _____________
  If not, why not? _______________________________________________________

TASK 6 – Enable SSL Termination with the HTTPS Virtual Server

Enable SSL termination on the HTTPS virtual server, and then verify the results.

* In the Configuration Utility, on the https_vs page, open the Properties page.
* For SSL Profile (Client), move custom_client_ssl from the Available list to the Selected list.
* For SSL Profile (Server), move serverssl from the Available list to the Selected list.
* Click Update.
* Refresh the https://10.128.10.20 Web browser.
* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page.
* Update the URI to https://10.128.10.20/badpage.exe.

Questions:
  Did the Web page display? _____________
  Is the connection between the client and BIG-IP LTM secured? _____________
  Is the connection between BIG-IP LTM and the pool member secured? _____________
  Is cookie persistence working? _____________
  Is BIG-IP LTM processing the HTTP profile? _____________

* Edit the URI to https://10.128.10.20.
* Right-click and select Properties.
* Click Certificates.

Question: How can you identify that this is a self-signed certificate? _________________________

* Close the Web browser.

EXERCISE 1.9B – ENABLING SSL OFFLOAD

In this exercise you will update the HTTPS virtual server to perform SSL offload, sending unencrypted traffic to the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Import an SSL Certificate and Key

Import the lamp.f5demo.com certificate and key.

* In the Configuration Utility, open the System > File Management > SSL Certificate List page.
* Click Import.
* From the Import Type list, select Certificate.
* In the Certificate Name box, leave Create New selected and type lamp.
* Click the Browse button.
* Navigate to the Exercise_Files folder and select the lamp.f5demo.com.cer file, and then click Open.
* Click Import.
* Once the certificate has been imported, click Import again to import the corresponding key.
* From the Import Type list, select Key.
* In the Key Name box, leave Create New selected and type lamp.
* Click the Browse button.
* Navigate to the Exercise_Files folder and select the lamp.f5demo.com.key file, and then click Open.
* Click Import.

TASK 2 – Create a Client SSL Profile
Create a new custom client SSL profile using the lamp.f5demo.com certificate and key.
* Open the Local Traffic > Profiles > SSL > Client page.
* Create a client SSL profile using the following information:
    Name         lamp_client_ssl
    Certificate  lamp
    Key          lamp
* Click Finished.

TASK 3 – Update Your Local Hosts File
Add an entry to your local hosts file for lamp.f5demo.com.
* Open Notepad using Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Add an entry for:
    10.128.10.30 lamp.f5demo.com
* Save and close the hosts file.

TASK 4 – Create an Offload Virtual Server
Create a new virtual server that will perform SSL offload.
* Open the Virtual Server List page.
* Create a virtual server using the following:
    Name                         offload_vs
    Destination                  Host: 10.128.10.30
    Service Port                 443 (or HTTPS)
    Configuration                Advanced
    HTTP Profile                 custom_http_profile
    Stream Profile               custom_stream
    SSL Profile (Client)         lamp_client_ssl
    HTTP Compression Profile     custom_compression
    Default Pool                 http_pool
    Default Persistence Profile  custom_cookie
* Click Finished.
* Open a new Web browser and access https://lamp.f5demo.com.
* View the URI and the information in the Pool member address/port.
Questions:
Is the connection between the client and BIG-IP LTM secured? _____________
Is the connection between BIG-IP LTM and the pool member secured? _____________
Is cookie persistence working? _____________
* Select the Request and Response Headers link.
Question: Is the BIG-IP processing the HTTP profile? _____________
* Click the Back button, and then select the Stream Profile Example link.
Question: Is the BIG-IP processing the stream profile? _____________

TASK 5 – Verify the New Certificate
Test the new certificate being used by the offload virtual server.
* Right-click the page and select Properties.
* Click Certificates.
Question: Who issued this certificate?
_____________________________
When does it expire? _________________________________
* Close the Web browser.
* In the Configuration Utility, create an archive file named 1.9_ssl_termination_v11.4.0.1.

MODULE 10 EXERCISES – NATS AND SNATS

EXERCISE 1.10A – USING A NAT
In this exercise you will configure a NAT to pass traffic between an external device and a specific internal node.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Configure a NAT
Create a custom NAT to give external users access to a specific node in the 10.128.20.0 network.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Address Translation > NAT List page.
* Click Create.
* Create a NAT using the following:
    Name            custom_NAT
    NAT Address     10.128.10.200
    Origin Address  10.128.20.13
    State           Enabled
* Click Finished.

TASK 2 – Testing the NAT – Inbound
Test the NAT by opening the new NAT address using several application services.
* Open a new Web browser and access http://10.128.10.200. Note that all items are coming from pool member #3 (10.128.20.13).
* Edit the URL to https://10.128.10.200.
* Using Putty, open an SSH session to 10.128.10.200.
NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.
Note that you can connect to multiple services through the NAT and that you are always connected to 10.128.20.13.
* Close the Web browser and the Putty window.

TASK 3 – Disable the NAT
Disable the NAT to ensure that it won’t interfere with future exercises.
* In the Configuration Utility on the NAT List page, select custom_NAT.
* From the State list, select Disabled.
* Click Update.
* Confirm that the NAT is no longer available by opening a new Web browser and attempting to access http://10.128.10.200.

EXERCISE 1.10B – USING SNATS
In this exercise you will configure a SNAT to pass traffic between an external device and internal nodes.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 25 minutes

TASK 1 – Testing Behavior without a SNAT
Open the HTTP virtual server and examine what the back-end Web server sees as the client IP address.
* Open a new Web browser and access http://10.128.10.20.
* View the information in the Request Details section.
Questions:
What is the client IP address? __________________________
What device “owns” this IP address? _________________________________

TASK 2 – Using SNAT Auto Map with the HTTP Virtual Server
Update the HTTP virtual server by enabling SNAT Auto Map.
* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* In the Configuration section, from the Source Address Translation list, select Auto Map.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.
Questions:
What is the client IP Address? __________________________
What device “owns” this IP address? ________________________
When using SNAT, how can we ensure that the back-end Web server can identify the true client IP address? _________________________________________________________________________
* In the Configuration Utility, update http_vs by selecting custom_http_profile.
* In the http://10.128.10.20 Web page, select the Request and Response Headers link.
Question: What is the X-Forwarded-For value? _________________________
* Close the Web browser.

TASK 3 – Create a SNAT
Create a custom SNAT to give external users in the 10.128.10.0 network access to several nodes in the 10.128.20.0 network.
* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
* Click Create.
* Create a SNAT using the following:
    Name          custom_SNAT
    Translation   IP Address: 10.128.20.201
    Origin        Address List
    Address List  Network Address: 10.128.10.0
                  Mask: 255.255.255.0 (be sure to click Add)
* Click Finished.
* Open a new Web browser and access http://10.128.10.20.
* Update the URI to http://10.128.10.21.
* Update the URI to https://10.128.10.20.
* Close the Web browser.
Questions:
Did every connection use the new SNAT? __________________
If not, which one didn’t? __________________________________________________
* Update the http_vs by selecting None for Source Address Translation.
* Update the http_vs2 by selecting None for Source Address Translation.
* Open a new Web browser and access http://10.128.10.20.
* Edit the URI to http://10.128.10.21.
* Close the Web browser.

TASK 4 – Create a SNAT Pool
Create a SNAT pool and then use the SNAT pool with a virtual server.
* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT Pool List page.
* Click Create.
* Create a SNAT pool using the following:
    Name         custom_SNAT_pool
    Member List  10.128.20.222
                 10.128.20.223
                 10.128.20.224
                 (be sure to click Add)
* Click Finished.
* Open the Virtual Server List page, and then select http_vs2.
* For Source Address Translation, select SNAT.
* For SNAT Pool, select custom_SNAT_pool.
* Click Update.
* Open a new Web browser and access http://10.128.10.21.
Question: Which IP address was used for the SNAT address? _____________________________
* Close the Web browser.

TASK 5 – Creating a SNAT for Internal Users
Create a SNAT to give internal users access to external resources through BIG-IP LTM.
* In the VMware Workstation console, select the LAMP image and click Login.
* Open Firefox and attempt to access http://www.yahoo.com.
NOTE: The request should fail. If your request is successful, it’s likely because you enabled Network Adapter 4 for the Ubuntu image in VMware Workstation.
* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
* Create a SNAT using the following:
    Name          internal_SNAT
    Translation   IP Address: 10.128.1.100
    Origin        Address List
    Address List  Network Address: 10.128.20.0
                  Mask: 255.255.255.0 (be sure to click Add)
* Click Finished.
* In the LAMP VMware image, refresh the http://www.yahoo.com Web page.
* In the Configuration Utility, create an archive file named 1.10_nat_snat_v11.4.0.1.

TASK 6 – Delete the SNATs
Delete both SNATs as they aren’t needed for the remaining exercises.
* In the Configuration Utility, on the SNAT List page, select the checkbox for both custom_SNAT and internal_SNAT, and then click Delete twice.

MODULE 10 EXERCISES – IRULES

EXERCISE 1.11A – WRITING YOUR FIRST IRULE
In this exercise you’ll download and install the iRule Editor from DevCentral. You’ll then use the iRule Editor to connect to your BIG-IP and write your first iRule. You’ll then download an iRule from DevCentral and use the iRule as is.
* Estimated completion time: 25 minutes

TASK 1 – Download the iRule Editor
Access and log in to DevCentral, and then download the iRule Editor. You do not need to perform this task if you already have the iRule Editor installed on your workstation.
* Open a new Web browser and access http://devcentral.f5.com.
* Login using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iRules.
* On the left navigation menu select iRule Editor.
* Download and install the iRulerSetup.msi file.

TASK 2 – Open the iRule Editor
Open the iRule Editor and explore the application.
* From your Start menu, launch the F5 iRule Editor.
* Click the iRules Reference button. This opens the iRules Wiki Home page on DevCentral.
* Close the Web browser.
* Click the TCL Reference button. This opens the TCL command reference page.
* Click the set link. We’ll be covering the set command shortly.
* Close the Web browser.

TASK 3 – Use the iRule Editor to Connect to Your BIG-IP
Use the iRule Editor to connect to the external self IP address of your BIG-IP system.
* In the iRule Editor, select File > Connect.
* In the Hostname box type 10.128.10.240.
* In the Username and Password boxes enter the username and password you created in Exercise 1.1C.
* Click OK.
Questions:
Did you successfully connect?
________________
Which port is being used to connect to the BIG-IP system? __________________
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Network > Self IPs page, and then select external_selfIP.
* Add the required port to the Custom List, and then click Update.
* In the iRule Editor, attempt to connect again using the same username and password.

TASK 4 – Create Your First iRule
Create a basic iRule to log information when a client connection is accepted by the BIG-IP.
* In the left navigation menu of the iRules Editor, select Local Traffic.
* Select File > New.
* Name the new iRule exercise_iRule.
* Select the Custom tab.
* Select the CLIENT_ACCEPTED event, and then click OK.
* Edit the text inside of the double-quotes to: "Client connection accepted"
* Select the View menu. By default, the iRule Editor displays several annotations to help you write iRules.
* Select both Whitespace and End of Line.
* Click Save. This will check the syntax of the iRule. You’ll get a notification at the bottom of the iRules Editor of any syntax errors.
* In the Configuration Utility, open the Local Traffic > iRules > iRules List page. The iRule was saved on the BIG-IP.
* Select exercise_iRule. Note how different it is viewing and editing an iRule in the Configuration Utility versus the iRule Editor.

TASK 5 – Add the iRule to the HTTP Virtual Server
Add the new iRule to the existing HTTP virtual server, and then verify the iRule.
* Open the Virtual Server List page, and then select http_vs.
* Ensure that the HTTP Profile is set to http. Click Update if necessary.
* Open the Resources page.
* For Default Persistence Profile, select None.
* Click Update.
NOTE: We are removing persistence in order to use iRules for all BIG-IP LTM load balancing decisions.
* In the iRule section, click Manage.
* Move the exercise_iRule from the Available list to the Enabled list.
* Click Finished.
* Open Putty, and then access and log in to 10.128.10.240.
NOTE: For easier viewing of log entries, we recommend resizing the Putty window, making it bigger both horizontally and vertically.
* At the CLI prompt, type:
    tail -f /var/log/ltm
* Type the Enter key a few times to move the existing log entries to the top of the window.
* Open up a new Web browser and access http://10.128.10.20.
* View the Putty window.
Questions:
Was the iRule triggered? _______________
How many client connections were required for this request? _________________

TASK 6 – Save the Current iRule to your Offline iRules
Create a new iRule, then copy your current iRule to the new iRule, and then copy the new iRule to your offline iRules.
* In the iRule Editor, select Local Traffic, and then select File > New.
* Name the new iRule exercise1A_iRule, use the Blank template, and then click OK.
* Copy the code from exercise_iRule and paste into exercise1A_iRule.
* Save exercise1A_iRule.
* Right-click exercise1A_iRule and select Copy Offline. The new iRule is saved under Offline iRules, which is stored on your local workstation. This will enable you to use this iRule on any BIG-IP that you can connect to.
NOTE: In the iRules exercises, we will continue to make modifications to the exercise_iRule, and then save the iRule from each exercise to your Offline iRules. This will enable us to continue to make updates to the iRule without needing to update the virtual server.

TASK 7 – Using an iRule from DevCentral
Use an iRule from DevCentral to prevent valid credit card numbers from being returned to users.
* Open a new Web browser and access http://10.128.10.20.
* Select the Mask Sensitive Content Example link. This page contains confidential information that we’d like to prevent from being sent in an HTTP response.
* In the iRule Editor, use the iRules Reference button to access DevCentral.
* On the left navigation menu, select CodeShare.
* Find an iRule that scrubs out credit cards from HTTP traffic. (NOTE: Don’t use the iRule that uses a stream profile.)
* In the iRules Source section, click on the view source button.
* Select and copy all of the iRules code.
* In the iRule Editor, for exercise_iRule, delete the existing code, and then paste the contents of the credit card scrubber.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/privatedata.html Web page.
* Close the Web browser.

FOR EXTRA CREDIT
* Update the iRule to change the character used for scrubbing from “X” to “*”.
* Test by refreshing the credit card accounts page.

TASK 8 – Save the Current iRule to your Offline iRules
* In the iRule Editor, select Local Traffic, and then select File > New.
* Name the new iRule exercise1B_iRule, use the Blank template, and then click OK.
* Copy the code from exercise_iRule and paste into exercise1B_iRule.
* Save exercise1B_iRule.
* Right-click exercise1B_iRule and select Copy Offline.

EXERCISE 1.11B – USING IRULE EVENTS
In this exercise you experiment with some of the events that you can use to trigger an iRule.
* Estimated completion time: 20 minutes

TASK 1 – Update the iRule with Multiple Events
Update the exercise_iRule by adding several events.
* In the iRule Editor, select exercise1A_iRule and copy all of the code.
* Select exercise_iRule and delete all of the existing code, and then paste the copied text.
* Place the cursor at the beginning of line 1, and then type Enter a couple of times.
* At the beginning of line 1 start typing the word when.
* When the iRule Editor prompts for the word, type the Enter key to accept the full word when.
* After when, start typing RULE_ and then hit Enter to accept the RULE_INIT event.
* After RULE_INIT, type a {, then type the Enter key twice, and then type a }. This is a good method for ensuring that you have a closing curly brace for every opening curly brace.
* Move your cursor after the indent in line 2.
* Type the following command and arguments:
    log local0. "iRule created or updated"
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.
* In the iRule Editor, save the exercise_iRule, and then view the Putty window.
Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________
* Type the Enter key a few times to move the existing log entries to the top of the window.
* Open a new Web browser and access http://10.128.10.20.
* View the Putty window.
Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the CLIENT_ACCEPTED event:
* Save the iRule.
* In the http://10.128.10.20 Web page select the Welcome link.
* View the Putty window.
Question: How many HTTP requests are needed to build this Web page? ________________
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the HTTP_REQUEST event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.
Question: Was a different pool member selected for each HTTP request? ________________
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the LB_SELECTED event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the SERVER_CONNECTED event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.

TASK 2 – Enable Caching and Compression on the HTTP Virtual Server
Enable caching, compression, and OneConnect on the HTTP virtual server, and then examine the difference in the iRule results.
* In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
* Configure the following:
    * HTTP Profile: custom_http_profile
    * OneConnect Profile: custom_oneconnect
    * HTTP Compression Profile: custom_compression
    * Web Acceleration Profile: custom_caching
* Click Update.
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* In Putty, type the Enter key five times.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* Close the Web browser.
* View the Putty window.
Question: How did these profiles change the results of the iRule triggering? _______________________________________________________________________
* In the Configuration Utility, on the http_vs Properties page, configure the following:
    * HTTP Profile: http
    * OneConnect Profile: None
    * HTTP Compression Profile: None
    * Web Acceleration Profile: None
* Click Update.
NOTE: We are removing these profiles to ensure that BIG-IP LTM makes load balancing decisions for each request and doesn’t serve up content from its cache.

TASK 3 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise2_iRule using the Blank template.
* Copy the code from exercise_iRule and paste into exercise2_iRule.
* Save exercise2_iRule.
* Right-click exercise2_iRule and select Copy Offline.

EXERCISE 1.11C – USING VARIABLES
In this exercise you will set variables in an iRule, and then reference and manipulate the variables.
* Estimated completion time: 20 minutes

TASK 1 – Set Variables in an iRule
Update the exercise_iRule by setting several variables.
* In the iRule Editor, select exercise_iRule.
* Delete all of the existing events EXCEPT for the HTTP_REQUEST event.
* In the line directly after the when HTTP_REQUEST line, type:
    set name "Chris" (use your own first name)
    set last_name "Manly" (use your own last name)
    set price 9.95
    set quantity 5

TASK 2 – Reference Variables in an iRule
Update the exercise_iRule by referencing the variables you set in the previous task.
* Edit the log local0. message to:
    log local0. "$name $last_name made an HTTP request"
* Save the iRule.
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.
* Open a new Web browser and access http://10.128.10.20/httprequest.php.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, create a second log entry:
    log local0. "Order made for $quantity items at $$price each"
NOTE: Be sure to include two dollar signs before “price”.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window. Note that the iRule was able to identify that $price was referencing a variable, and the dollar sign before that was interpreted as a regular text string.
* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 3 – Manipulating Variables
Update the exercise_iRule by using the append, incr, and expr commands.
* In the iRule Editor, in the line after setting your last name, type:
    append name " " (there should be one space between the quotes)
    append name $last_name
* Edit the first log local0. message to:
    "$name made an HTTP request"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, in the line after the final log local0. statement, type:
    incr quantity 2
    log local0. "Due to our special, $name will receive $quantity items"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, in the line after setting the quantity, type:
    set total [expr { $price * $quantity } ]
    set tax [expr { $total * .09 } ]
    set grand_total [expr { $total + $tax } ]
* In the line after the final log local0. statement, type:
    log local0. "Total: $$total, tax: $$tax, for a grand total of $$grand_total"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

TASK 4 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise3_iRule using the Blank template.
* Copy the code from exercise_iRule and paste into exercise3_iRule.
* Save exercise3_iRule and then copy it to your Offline iRules.

EXERCISE 1.11D – USING TCL AND IRULES COMMANDS
In this exercise you will use several TCL and iRules commands to base your existing iRules on dynamic connection information.
* Estimated completion time: 30 minutes

TASK 1 – Update the iRule using iRules Commands
Update the iRule you created in exercise 2 by logging information based on the actual client connection.
* In the iRule Editor, select exercise2_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* Update the CLIENT_ACCEPTED event as follows:
* Update the LB_SELECTED event as follows:
* Update the SERVER_CONNECTED event as follows:
* Update the HTTP_RESPONSE event as follows:
* Save the iRule and ensure you don’t receive any syntax errors.
* Open a new Web browser and access http://10.128.10.20/httprequest.php.
* View the Putty window.
In the next section we will be discussing using conditional statements. Start thinking about the traffic management decisions you could make on the BIG-IP system using any of the information that you sent to the log file.
* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 2 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise4A_iRule.
* Copy the code from exercise_iRule and paste into exercise4A_iRule.
* Save exercise4A_iRule, and then copy it to your Offline iRules.

TASK 3 – Update the iRule using HTTP Commands
Experiment with the different HTTP commands that are available in an iRule.
* Select exercise_iRule.
* Delete all of the existing events EXCEPT for the when HTTP_REQUEST event.
* Update the HTTP_REQUEST event as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Edit the URI to http://10.128.10.20/httprequest.php?user=bob.
Question: Which value changed between the two requests? _________________________________
* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 4 – Create a Custom Response Page
Using the iRule, create a custom HTTP response page to be sent for all client requests.
* In the iRules Editor, select exercise_iRule.
* After the HTTP_REQUEST event add the following HTTP_RESPONSE event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php?user=bob Web page.
Question: Did you receive the custom Webpage? ___________________
In the next lesson we’ll cover using conditional statements. Be thinking about what information you could use to determine whether or not to display this error page for user requests.

TASK 5 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise4B_iRule.
* Copy the code from exercise_iRule and paste into exercise4B_iRule.
* Save exercise4B_iRule, and then copy it to your Offline iRules.

TASK 6 – Use the Stream Command
In Exercise 1.6B you used a Stream profile in the Configuration Utility. As you learned, one of the limitations of the Stream profile is that you can only find one text string to replace with another. You will now use the stream command in an iRule to find multiple text strings and replace them with different values.
* In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
* Configure the following:
    * Stream Profile: stream
    * HTTP Compression Profile: custom_compression
* Click Update.
NOTE: Even when you use the stream command in an iRule, you still need to include the default Stream profile, and in addition you need to ensure that the Web servers aren’t compressing content (which is achieved by using an HTTP compression profile).
* In the iRules Editor, select exercise_iRule.
* Delete all of the lines contained within the HTTP_RESPONSE event (but leave the event itself).
* Save the iRule.
* Open a new Web browser and access http://10.128.10.20/lorax.php. There are references to “Lorax Bank”, “Lorax Finances”, and “savings accounts”.
* In the iRule Editor, update the HTTP_RESPONSE event as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. The references to “Lorax Bank” have been replaced with “Lorax Investments”.
* Update the STREAM::expression as follows:
    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@}
NOTE: Type all of the previous expression on one line.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. All references to the previous entries have been replaced with the updated entries.
* Click on the top graphic to go back to the home page.
* From the http://10.128.10.20 page, select the Multiple Stream Example link.
NOTE: The graphics in the second column on this page are “broken” links.
* Right-click on the page and select View Source.
Question: What are the URLs that the broken image links are pointing to? ____________________________________________________________________
* Close the source code page.
* Update the STREAM::expression as follows:
    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@ @http://server1.hostingsite.com/images@/images@}
* Save the updated iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/badlinks.html Web page.
Question: Why did the first two pictures display properly, but the third picture still doesn’t display? _________________________________________________________________
* Update the stream expression so that all three graphics display on the page.

TASK 7 – Save the Current iRule to your Offline iRules
* In the iRule Editor, create a new iRule named exercise4C_iRule.
* Copy the code from exercise_iRule and paste into exercise4C_iRule.
* Save exercise4C_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11E – USING CONDITIONAL STATEMENTS
In this exercise you will add conditional statements to your iRules, using if, elseif, and else statements, in addition to using the stream command.
* Estimated completion time: 40 minutes

TASK 1 – Update the Custom Error Page iRule
Update the iRule you created earlier that displays a custom error page by using a conditional statement to determine the HTTP response status and displaying the error page only when the user receives a 404 error.
* In the iRule Editor, select exercise4B_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* Update the HTTP_RESPONSE event as follows:
NOTE: The indenting within the if command isn’t required; however it can make the iRule easier to read.
* Save the iRule and ensure you don’t receive any syntax errors.
* Open a new Web browser and access http://10.128.20.10.
* Edit the URI to http://10.128.20.10/index.html.
* Close the Web browser.
Because this Web server doesn’t have an index.html file, it responded with a 404 error status. Instead of simply passing the 404 error to the client, we can present them with more useful information in the custom Web page.

TASK 2 – Create Three Wildcard Pools
In the next several iRule examples we’ll be making traffic management decisions. Create three pools to use within these iRules.
* In the Configuration Utility, open the Pool List page.
* Create a pool using the following:
    Name                   iRules_pool1
    Health Monitors        gateway_icmp
    Load Balancing Method  Round Robin
    Members                (Use the Node List option)
                           Node          Service Port
                           10.128.20.11  * (All Services)
* Create another pool using the following:
    Name                   iRules_pool2
    Health Monitors        gateway_icmp
    Load Balancing Method  Round Robin
    Members                (Use the Node List option)
                           Node          Service Port
                           10.128.20.12  * (All Services)
* Create another pool using the following:
    Name                   iRules_pool3
    Health Monitors        gateway_icmp
    Load Balancing Method  Round Robin
    Members                (Use the Node List option)
                           Node          Service Port
                           10.128.20.13  * (All Services)
* Create another pool using the following:
    Name                   iRules_pool4
    Health Monitors        gateway_icmp
    Load Balancing Method  Round Robin
    Members                (Use the Node List option)
                           Node          Service Port
                           10.128.20.14  * (All Services)

TASK 3 – Use an iRule for Traffic Management Decisions
Use the iRule to make traffic management decisions based on the requested file type.
* In the iRule Editor, update the HTTP_REQUEST event as follows:
This iRule will identify the file type of the user request. If the file type is php, the request will be routed to the iRules_pool1 pool. Because we’re now using the iRule for traffic management decisions, we need to remove the default pool from the virtual server.
* Save the iRule.
* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Open the Resources page.
* For Default Pool, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.20/welcome.php.
Questions:
Did the page display properly? ___________________
If not, why not? ______________________________________________________
* In the iRule Editor, update the HTTP_REQUEST as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
Questions:
Did the page display properly? ___________________
If yes, which pool supplied the welcome.php page? ______________________________
Which pool supplied the graphics? _______________________________
* Click on the top graphic to go back to the home page.
Questions:
Did the page display properly? ___________________
If not, why not? ______________________________________________________
* In the iRule Editor, update the HTTP_REQUEST as follows:
Since we no longer have a default pool associated with the virtual server, it’s a good idea to have an else statement for requests that don’t match the if or the elseif conditions.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.
Questions:
Did the page display properly? ___________________
Which page supplied the index.php page? ________________________
Which pool supplied the F5 logo at the bottom of the page? _________________________
Why wasn’t this graphic supplied by iRules_pool2? _____________________________

TASK 4 – Manage Traffic Based on the Service Port
Create a new iRule that will manage traffic based on the request’s application port.
* In the iRule Editor, create a new iRule using the blank template named wildcard_iRule.
* Use the following to create this iRule:
* Save the iRule.

TASK 5 – Create a Wildcard Virtual Server
Create a virtual server listening on all ports.
* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following:
    Name          wildcard_vs
    Destination   Host: 10.128.10.40
    Service Port  * (All Ports)
    iRules        wildcard_iRule
    Default Pool  None
* Open a Web browser and access http://10.128.10.40.

Question: Which pool supplied this request? ___________________

* Edit the URI to https://10.128.10.40.

Question: Which pool supplied this request? ___________________

* Edit the URI to http://10.128.10.40:8081.

Questions:
Which pool supplied this request? ___________________
How was BIG-IP LTM able to view the iRule and make traffic management decisions when there’s no HTTP profile configured on the virtual server? ___________________________________________________________________________

* Close the Web browser.

TASK 6 – Update the iRule to Use the Switch Operator

Update the wildcard_iRule to use the switch operator in place of the if, elseif, else statements.

* In the iRules Editor, update the wildcard_iRule as follows:

In this statement, the -exact argument is optional. The $requestport variable is the value that we are comparing to either 80, 443, or 8081. The statements after the 80, 443, and 8081 are the actions to take if the port value matches. The default statement is for all requests that don’t match port 80, 443, or 8081.

* Save the iRule.
* Test by using a new Web browser to access http://10.128.10.40, http://10.128.10.40:8081, and https://10.128.10.40.
* Close the Web browser.
* In the Configuration Utility, access the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics.
* Reset the statistics for all pools and all pool members.
* Open a new Putty session and access 10.128.10.40.

NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.

* In the Configuration Utility, refresh the pools statistics.

Question: Which pool supplied this request? ___________________

* Close Putty.
* Copy the wildcard_iRule to your Offline iRules.

TASK 7 – Use the Switch Operator to Manage Traffic Based on the File Type

Create an iRule to determine the requested file type.
If the request is for an unauthorized file type we’ll present a custom error page for the user. Otherwise we’ll route all requests for graphic files to one pool, PHP pages to another pool, and all other requests to a third pool.

* Open a new Web browser and access http://10.128.10.20.
* Edit the URI to http://10.128.10.20/calc.exe.
* Attempt to run the application.
* Edit the URI to http://10.128.10.20/basic.css.
* Close the Web browser.

Currently this Web application contains files that shouldn’t be accessed by users. We’ll use the iRule to block access to these file types.

* In the iRules Editor, select exercise_iRule.
* Delete the lines containing the if, elseif, and else statements.
* Update the HTTP_REQUEST event as follows:

In this statement, the -glob argument enables us to use wildcard characters. The $httppath variable is the value that we are comparing. For each of the file types we are using the asterisk wildcard. If the $httppath variable ends with exe or css, the user will get a custom response page, and in addition we’ll send an entry to the log file. If the variable ends with jpg, gif, or png, the request is sent to iRules_pool1. If the variable ends with php the request is sent to iRules_pool2 and we send an entry to the log file. The default statement is for all requests that don’t match any of the listed file types.

* Save the iRule and ensure you don’t receive a syntax error.
* Open a new Web browser and access http://10.128.10.20.

Questions:
Which pool supplied the index.php page? ____________________
Why didn’t this request go to iRules_pool2? _____________________________________
Which pool supplied the F5 logo? ____________________

* Select the Welcome link.

Question: Which pool supplied the welcome.php page? ____________________

* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.

Question: Were you able to open these sensitive files? _______________

* View the Putty window.
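
The file-type switch that Task 7 describes, written out as an added example; it is not the guide's own listing. The 403 status and response body, the use of iRules_pool3 for the default case, the client address in the log entry, and the lower-casing of the path are assumptions made for this example.

```tcl
when HTTP_REQUEST {
    # Identify the requested page and store it in a variable.
    # Assumption: the path is lower-cased first because switch -glob
    # compares case-sensitively, so a request for /calc.EXE would
    # otherwise miss the "*.exe" pattern and fall through to default.
    set httppath [string tolower [HTTP::path]]

    switch -glob -- $httppath {
        "*.exe" -
        "*.css" {
            # File types users should not retrieve: log the request and
            # answer from the BIG-IP, so it is never sent to a pool member.
            log local0. "Blocked request for $httppath from [IP::client_addr]"
            HTTP::respond 403 content "<html><body><h2>Access to this file type is not permitted.</h2></body></html>" "Content-Type" "text/html"
        }
        "*.jpg" -
        "*.gif" -
        "*.png" {
            # Graphics are served by the first pool, with no log entry.
            pool iRules_pool1
        }
        "*.php" {
            # PHP pages go to the second pool and are logged.
            log local0. "Request made for $httppath"
            pool iRules_pool2
        }
        default {
            # Everything else, including a request for "/", which does not
            # end in php even when the server answers it with index.php.
            # Assumption: iRules_pool3 is the "third pool" for this case.
            pool iRules_pool3
        }
    }
}
```
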
Questions:
Did requests for images generate a log entry? ________________
Did requests for css files generate a log entry? ________________
Did requests for php pages generate a log entry? _______________

* Close the Web browser.

TASK 8 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise5_iRule.
* Copy the code from exercise_iRule and paste into exercise5_iRule.
* Save exercise5_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11F – WORKING WITH LISTS

In this exercise you work with lists. First you’ll create a static list and experiment with different commands to manipulate the list. Next you’ll create a dynamic list containing HTTP request headers.

* Estimated completion time: 30 minutes

TASK 1 – Update the HTTP Virtual Server and the iRule

Update the HTTP virtual server by using the HTTP pool as the default pool.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Pool list, select http_pool, and then click Update.
* In the iRule Editor, delete all of the code in the exercise_iRule.

TASK 2 – Work with a Static List

Create a static list, and then use several list commands to manipulate the list.

* To create a new static list, add the following HTTP_REQUEST event to exercise_iRule.
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To sort the list, add the following lines at the end of the HTTP_REQUEST:
    set mylist [lsort $mylist]
    log local0. "Sorted first list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To add items to the list, add the following lines at the end of the HTTP_REQUEST:
    lappend mylist "rst" 222
    log local0. "Second list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: Were the new items added into the sorted order? ___________________

* Add additional lines to the iRule to sort the list after the new items have been added and add an entry to the log file. After refreshing the http://10.128.10.20/httprequest.php Web page, the log entry should look like this:
* To insert an item into the list, add the following lines at the end of the HTTP_REQUEST:
    set mylist [linsert $mylist 1 "f5"]
    log local0. "Third list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
How are the lappend and linsert commands different? _____________________________
In what position in the list was the new entry added? ________________

* Once again, add additional lines to sort the new list and add an entry to the log file.
* To determine the number of items in the list, add the following line at the end of the HTTP_REQUEST:
    log local0. "Third list length: [llength $mylist]"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What are a couple of advantages of knowing the number of items in a list? ________________________________________________________________________

* Add the following lines at the end of the HTTP_REQUEST:
    lset mylist 3 "456"
    log local0. "Fourth list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
How is the lset command different from the lappend and linsert commands? __________________________________________________________________________
In what position in the list was the new entry added? ________________

* To determine the value of an item in the list, add the following lines at the end of the HTTP_REQUEST:
    set item [lindex $mylist 3]
    log local0. "Item #4: '$item'"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To determine the index value of three different items, add the following lines at the end of the HTTP_REQUEST:
    set find1 [lsearch $mylist "rst"]
    set find2 [lsearch $mylist 222]
    set find3 [lsearch $mylist "deflmo"]
    log local0. "List item 'rst' at index # $find1"
    log local0. "List item '222' at index # $find2"
    log local0. "List item 'deflmo' at index # $find3"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
What index number is “222” at? __________________
Why is the third item displaying at index value -1? _________________________________

TASK 3 – Add Iteration to the iRule

Use iteration to loop through the different items in the static list.

* In the iRule Editor, add the following lines at the end of the HTTP_REQUEST (use your own address):
    set myaddress "401 Elliott Ave S, Seattle, WA 98119 USA"
    set mylist [split $myaddress " "]
    log local0. "First item: '[lindex $mylist 0]'"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: Without using iteration, how would you create separate log messages for each list entry? __________________________________________________________________________

* Replace the previous log local0 entry with the following:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What can you add to make these log entries more understandable? __________________________________________________________________________

FOR EXTRA CREDIT

* Update the iteration command so that the log message lists the correct item number:

TASK 4 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6A_iRule.
* Copy the code from exercise_iRule and paste into exercise6A_iRule.
* Save exercise6A_iRule, and then copy it to your Offline iRules.

TASK 5 – Use a Dynamic List in an iRule

Use an iRule to gather information about the client request HTTP headers using the list commands.

* In the iRule Editor, update exercise_iRule as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
How many HTTP headers are in your HTTP request? _________________
Which header is at index position 1? ___________________________
What is the index value for X-Forwarded-For? _________________

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What changes occurred using this profile? ________________________________________

TASK 6 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6B_iRule.
* Copy the code from exercise_iRule and paste into exercise6B_iRule.
* Save exercise6B_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11G – USING IRULES BEST PRACTICES

In this exercise you add comments and debugging statements to an iRule you created earlier.

* Estimated completion time: 15 minutes

TASK 1 – Add Comments to an iRule

Update an iRule by adding several comments to make it easier to understand for other administrators.

* In the iRule Editor, select exercise5_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* In the line directly after the when HTTP_REQUEST line, add the following comment:
    #Identify the requested page and store in a variable
* Continue to add the following comments:

TASK 2 – Adding Debugging Statements for Logging

Logging isn’t recommended for BIG-IP systems in production.
Modify non-critical log statements to only run at specified times.

* In the line directly after the when HTTP_REQUEST line, add the following line:
    set debug 1
* Edit the log statement for PHP pages to the following:
    if { $debug } { log local0. "Request made for $httppath" }
* Add the exact statement above for the switch default statement:
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20 Web page.
* Select the Welcome link.
* Click on the top graphic to go back to the home page.
* Select the Multiple Stream Example link.
* View the Putty window.

For debugging purposes, we can see that requests are made for the root page “/”, php pages, and html pages.

* Press the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, edit the debug statement:
    set debug 0
* Save the iRule and then view the same pages as you did at the beginning of this task.
* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.
* View the Putty window.

We’ve now eliminated unnecessary logging, but can continue to log critical messages.

TASK 3 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise7_iRule.
* Copy the code from exercise_iRule and paste into exercise7_iRule.
* Save exercise7_iRule, and then copy it to your Offline iRules.
* Close the iRule Editor.
* In the Configuration Utility, create an archive file named 1.11_iRules_v11.4.0.1.

MODULE 11 EXERCISES – IAPPS

EXERCISE 1.12A – WORKING WITH IAPP APPLICATION SERVICES

In this exercise you will create an iApp Application Service. You will then examine the effects of enabling and disabling strictness. You will use reentrancy to update the application, and then examine the various objects iApp created for the application.

* Estimated completion time: 20 minutes

TASK 1 – Create a Web Application Using iApp

Create the Web application using an iApp Application Service.
* Open up a new Web browser and access https://10.128.1.245.
* Open the iApp > Application Services page.
* Click Create.
* Create an Application Service using the following information:
    Profile Name: app_web
    Template: f5.http
    Inline help? No
    Configuration mode: Basic
    IP address for virtual server: 10.128.10.40
    FQDN: lamp.f5demo.com
    Create a new pool or use an existing one? Create a new pool
    Servers to reference (Address, Port):
      10.128.20.11, 80
      10.128.20.12, 80
      10.128.20.13, 80
    Health monitor: Create new HTTP monitor
    HTTP URI to send: /index.php
    Expected response: Welcome
* Click Finished.

TASK 2 – Update Your Local Hosts File

Update the entry in your local hosts file for lamp.f5demo.com.

* Open Notepad using Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Update the lamp.f5demo.com entry:
    10.128.10.40 lamp.f5demo.com
* Save and close the hosts file.

TASK 3 – Test Access to the iApp Application

Test access to the iApp application, and verify how traffic is being load balanced to pool members.

* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
Which pool member(s) supplied content? __________________________________
Why did only one pool member supply content? __________________________________
Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then select the Pools statistics.
* Reset the statistics for all pools and pool members.
* In the http://lamp.f5demo.com Web page, select the HTTP Compress Example link.
* In the Configuration Utility, refresh the Pools statistics.

Questions:
How many Bits Out did this page create? ____________________
How many Packets Out did this page generate? ______________________
How many total requests were needed to generate this Web page? __________________

* Reset the statistics for all pools and pool members.
* Use Ctrl+F5 to refresh the http://www.f5demo.com/bigtext.php page.
* Close the Web browser.
* In the Configuration Utility, refresh the Pools statistics.

Questions:
How many Bits Out did this page create? ____________________
How many Packets Out did this page generate? ______________________
How many total requests were needed to generate this Web page? __________________
What caused the difference in traffic to the pool member? __________________________

TASK 4 – View and Update the Application

Use iApp to update the previously deployed Web application.

* Open the iApp > Application Services page, and then select app_web.
* On the Components page, click app_web_vs. This navigates you to the virtual server Properties page.
* Attempt to update the Destination Address to 10.128.10.41.

Question: Why couldn’t you update the virtual server IP address? __________________________

* Open the iApp > Application Services page, and then select app_web.
* Select the Properties tab.
* From the Application Service list, select Advanced.
* Disable Strict Updates, and then click Update.
* Open the app_web_vs virtual server Properties page.
* Update the following:
  * Destination Address: 10.128.10.41
  * OneConnect Profile: None
  * HTTP Compression Profile: None
  * Web Acceleration Profile: None
* Click Update.
* Select the Resources tab.
* From both the Default Persistence Profile and Fallback Persistence Profile lists, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.41.
* Close the Web browser.
* Open the iApp Application Services page, and then select app_web.
* Select the Reconfigure tab.

Question: What is the virtual server IP address? __________________________

* Without making any changes, click Finished.
* Open the app_web_vs virtual server Properties page.
Questions:
Are the updates you just made still in effect? ____________________
If not, why not? _____________________________________________________________

* Open the Local Traffic > Profiles > Protocol > TCP page.

Question: How many TCP profiles were created for this application? ___________

* Open the iApp Application Services page, and then select app_web.
* Select the Properties tab.
* Re-enable Strict Updates, and then click Update.
* Select the Reconfigure tab.
* In the Network section, specify the following:
    What type of network connects clients to the BIG-IP system? Local area network (LAN)
* Click Finished.
* Open the Local Traffic > Profiles > Protocol > TCP page.

Question: Why is there now only one TCP profile? _________________________________________

TASK 4 – Delete an iApp Application Service

Create a new iApp Application Service using objects from another Application Service, and then attempt to delete both applications.

* Open the iApp > Application Services page.
* Create an Application Service using the following information:
    Profile Name: app_web_backup
    Template: f5.http
    Inline help? No
    Configuration mode: Basic
    IP address for virtual server: 10.128.10.41
    FQDN: (click the X to delete this option)
    Create a new pool or use an existing one? app_web_pool
* Click Finished.
* Open the Application Services page.
* Select the checkbox for app_web, and then click Delete twice.

Questions:
Were you able to delete this application? ____________________
If not, why not? _____________________________________________________________

* On the Application Services page, select app_web_backup.

iApp created several objects for this profile: a virtual server, persistence profiles, an http profile, and several optimization profiles.

* Select the Properties tab.
* Click Delete, and then click OK.
* View the following Configuration Utility pages and verify that the application objects are deleted:
  * Virtual Server List
  * HTTP Profiles
  * HTTP Compression Profiles
  * Web Acceleration Profiles
  * Persistence Profiles
  * TCP Profiles

TASK 5 – Update the Wildcard Pools

Update the three wildcard pools you created in the iRules exercises.

* Open the Pool List page.
* Update the following pools:
  * iRules_pool1: disable 10.128.20.11:0, add 10.128.20.11:80
  * iRules_pool2: disable 10.128.20.12:0, add 10.128.20.12:80
  * iRules_pool3: disable 10.128.20.13:0, add 10.128.20.13:80

TASK 6 – Reconfigure the Application Service

Reconfigure the Application Service using the advanced settings.

* Open the iApp Application Services page, and then select app_web.

Questions:
How many profiles did iApp create for this application? _____________________
What type of persistence does this application use? ________________________________

* Select the Reconfigure tab.
* In the Template Options section, select to use Advanced settings.
* In the Network section, specify the following:
    What type of network connects clients to the BIG-IP system? Wide area network (WAN)
    How have you configured routing on your web servers? Servers have a route to clients through the BIG-IP system
* In the Virtual Server and Pools section, specify the following:
    Which HTTP profile do you want to use? Create a new HTTP profile
    Should the BIG-IP system insert the X-Forwarded-For header? Do not insert X-Forwarded-For HTTP header
    Which persistence profile do you want to use? Do not use persistence
    Which load balancing method do you want to use? Weighted Least Connections (member)
    Do you want to give priority to specific groups of servers? Use Priority Group Activation
    What is the minimum number of active members in a group? 2
    Which web servers should be included in this pool?
      Update the following:
        10.128.20.11:80, Limit: 1000, Priority: 8
        10.128.20.12:80, Limit: 800, Priority: 8
        10.128.20.13:80, Limit: 800, Priority: 6
      Add the following:
        10.128.20.14, Limit: 1200, Priority: 10
        10.128.20.15, Limit: 1200, Priority: 10
* In the Delivery Optimization section, specify the following:
    Which Web Acceleration profile do you want to use for caching? Do not use caching
    Which compression profile do you want to use? Do not compress HTTP responses
    How do you want to optimize client-side connections? Create the appropriate tcp-optimized profile
* In the Server Offload section, specify the following:
    Which OneConnect profile do you want to use? Do not use OneConnect
    How do you want to optimize server-side connections? Create a profile based on tcp-lan-optimized
    How many seconds should Slow Ramp time last? 200
* In the Application Health section, specify the following:
    How many seconds should pass between health checks? 10
* Click Finished.
* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
Which pool member(s) supplied content? __________________________________
Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the iRules section, specify the following:
    Do you want to add any custom iRules to this configuration? exercise7_iRule
* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

Question: Did the BIG-IP make new traffic management decisions? _________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the SSL Encryption section, specify the following:
    How should the BIG-IP system handle SSL traffic? Encrypt to clients, plaintext to servers (SSL Offload)
    Which Client SSL profile do you want to use? Create a new Client SSL profile
    Which SSL certificate do you want to use? lamp.crt
    Which SSL private key do you want to use? lamp.key

Note that the virtual server port changed from 80 to 443 after you selected to use SSL offload.
* In the Virtual Server and Pools section, specify the following:
    Do you want to redirect inbound HTTP traffic to HTTPS? Redirect HTTP to HTTPS
    From which port should HTTP traffic be redirected? 80
* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

EXERCISE 1.12B – WORKING WITH IAPP TEMPLATES

In this exercise you will view the list of system-supplied iApp Templates, and then view the properties of a Template. You’ll then find and download iApp Templates from the F5 downloads page and from DevCentral.

* Estimated completion time: 20 minutes

TASK 1 – View iApp Templates

View the list of system-supplied iApp Templates.

* In the Configuration Utility, open the iApp > Templates page.
* Use the page list box to display all Templates on one page.

Questions:
How many Templates are currently used for Application Services? ________________
How can you tell that these are system-supplied Templates? __________________________

TASK 2 – View the Properties of an iApp Template

View the properties of the f5.http system-supplied Template.

* On the Template List page select f5.http.

Questions:
What are the required BIG-IP modules? _______________________
What is the minimum BIG-IP version? ________________________
What is the maximum BIG-IP version? ________________________

* View the contents of the Implementation, Presentation, and HTML Help sections.
* Change the first line of the HTML Help section to:

Web server iApp Template

Questions:
Can you save this change? ________________
If not, why not? ________________________________________

TASK 3 – Download Updated iApp Templates from F5 Downloads

Access and log in to the F5 Downloads page, then download the updated iApp Templates for v11.3 to your workstation.

* Open the F5 product version download page at https://downloads.f5.com/esd/productlines.jsp.
* Select BIG-IP v11 x / Virtual Edition.
* From the list box select 11.3.0.
* Select iApp-Templates.
* Accept the license agreement.
* Select iapps-1.0.0.8.0.zip.
* Select the best download for your location.
* Save and then unzip the file on your local workstation.

This file contains updated versions of the Exchange 2010 – 2013 Client Access Server and the Citrix XenApp XenDesktop iApp Templates.

TASK 4 – Download a Community-Contributed iApp Template from DevCentral

Access and log in to DevCentral, then find and download a community-contributed iApp Template to your workstation.

* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iApp.
* On the left navigation menu, select Samples.
* Under the Community-Contributed section, select MySQL Proxy iApp.
* Right-click on the green arrow, and then select Save Target As.
* Save and then unzip the file on your local workstation.
* Close the DevCentral Web page.

TASK 5 – Import iApp Templates Into the BIG-IP

Import iApp Templates into your BIG-IP system.

* In the Configuration Utility, open the iApp > Templates page.
* Click Import.
* Click Browse.
* Navigate to the location where you unzipped the downloaded Template files.
* Select f5.microsoft_exchange_2010_2013_cas.tmpl, and then click Open.
* Leave the Overwrite Existing Templates checkbox cleared and click Upload.
* Repeat the steps above to import mysql_proxy.2011-12-02.tmpl.
* Select the Application Services page, and then click Create.
* From the Templates list, select f5.microsoft_exchange_2010-2013_cas.v1.2.0cr1.

You could now use this iApp Template for an application deployment.

* Create an archive file named 1.12_iApps_v11.4.0.1.
INTRODUCTION

Welcome to the F5 LTM Fundamentals Hands-on Exercise Guide. This guide provides hands-on experience with F5 BIG-IP® Local Traffic Manager™ (LTM). You can use these exercises and the virtual environment (vLab) – this includes VMware Workstation and BIG-IP® Virtual Edition (VE) – as a learning tool or to give customer demonstrations.

Note that this guide is written for the following product and vLab version:
* TMOS architecture v11.4.0
* VMware Workstation 9.0.0
* Virtual images:
  - BIGIP 11.4.0.2384.0-scsi-ova
  - LAMP 3.2
  - DoS_Tool 3.0

MODULE 1 EXERCISES – INITIAL INSTALLATION

EXERCISE 1.1 – VMWARE WORKSTATION CONFIGURATION

These steps guide you through requesting a VMware Workstation license from IT, installing and configuring the VMware Workstation environment, downloading and installing the VMware images used in the environment, and making some required manual changes to the LAMP back-end server images.
* Only perform this exercise if this is a first time setup of the vLab.
* Use a Windows environment with this setup guide.
* Estimated completion time: 15 minutes

TASK 1 – Request a VMware Workstation License and Install the Trial Version

- Access https://f5.service-now.com (login using your Olympus credentials).
- From the left navigation menu, select Service Catalog.
- Under Software Requests, select VMware.
- Select the Desktop license.
- In the Select License Type list box, select Workstation (WIN/Linux).
- In the Business Justification field, type F5 vLab, and then click Order Now.
  You will receive your VMware Workstation license from IT. In the meantime you have 30 days to use the trial version of VMware Workstation.
- Access http://www.vmware.com/products/workstation/overview.html.
- Download and install the trial version of VMware Workstation 9.
  NOTE: These exercises are tested for VMware Workstation version 9.
  There may be issues with other versions.

TASK 2 – Set Up the VMware Network Environment

You will configure three VMware networks. VMnet1 acts as the Out of Band Management network for accessing the BIG-IP Configuration Utility. VMnet2 acts as the external network for users accessing virtual servers. VMnet3 acts as the internal VLAN where the back-end Web servers are located.

- Launch VMware Workstation, and then select Edit > Virtual Network Editor.
- Remove any existing VMnets EXCEPT for VMnet0.
- Click the Add Network button, and add VMnet1, VMnet2 and VMnet3.
- Select VMnet1, and configure as follows:
  o Enable the Host-only (connect VMs internally in a private network) option.
  o Select the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.1.0.
  o In the Subnet mask field enter 255.255.255.0.
  NOTE: You will use this network to manage the BIG-IP VE system. This configures your local workstation with a VMware network adapter IP address of 10.128.1.1.
- Select VMnet2 and configure as follows:
  o Enable the NAT (shared host’s IP address with VMs) option.
  o Select the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.10.0.
  o In the Subnet mask field enter 255.255.255.0.
  o Click the NAT Settings button.
  o In the Gateway IP field enter 10.128.10.2, and then click OK.
  NOTE: These NAT settings enable the BIG-IP VE system to reach the Internet through your workstation’s network adapter. This configures your local workstation with a VMware network adapter IP address of 10.128.10.1.
- Select VMnet3, and configure as follows:
  o Enable the Host-only (connect VMs internally in a private network) option.
  o Clear the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.20.0.
  o In the Subnet mask field enter 255.255.255.0.
  NOTE: Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to the internal network. This will avoid asymmetric routing issues and also enable you to demonstrate secure remote access and full proxy features.
- Click OK.

TASK 3 – Download the Virtual Images

Download the BIG-IP image file to your local workstation, and then download and unzip the VMware back-end server images.

- Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.
- Click BIG-IP v11.x / Virtual Edition, and ensure that 11.4.1 is selected in the product version list box.
- Click Virtual-Edition, and then accept the license agreement.
- Click BIGIP-11.4.1.608.0-scsi.ova.
- Click the best download link for your location.
- Save the file to a directory on your local workstation.
  NOTE: Ensure the location of this directory has at least 6GB of free disk space.
- Access ftp://wafer.f5net.com/outgoing/F5_Virtual_Environment_Setup_VMware/.
- Download the following files:
  o Exercise_Files.zip
  o LAMP_3.2.7z
- Unzip each downloaded file in the local directory you created earlier in this task.

TASK 4 – Install the BIG-IP VE System VMware Image

Use VMware Workstation to open and install the BIG-IP VE image file.

- In VMware Workstation, go to File > Open.
- Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.4.1.608.0-scsi.ova image file, and then click Open.
- Name the new virtual machine BIGIP_A1_v11.4.
- Enter or browse to a location with at least 4GB of free disk space and click Import.
- Click the Accept button.
  It will take a few minutes for the image to import.
- After the import completes, select BIGIP_A1_v11.4 from the Library menu, and then click Edit virtual machine settings.
- Map the network adapters to the appropriate VMware networks using the following table:

  Network Adapter      Custom (VMnet1)
  Network Adapter 2    Custom (VMnet2)
  Network Adapter 3    Custom (VMnet3)
  Network Adapter 4    Bridged (Automatic)

- Click OK.

TASK 5 – Install the LAMP VMware Image

Use VMware Workstation to open and install the LAMP VMware server images.

- In VMware Workstation, go to File > Open.
- Select the LAMP_3.2.vmx image file, and then click Open.
- In the VMware Workstation dialog box, click Take Ownership.
- Select LAMP_3.2 from the Library menu, and then click Edit virtual machine settings.
- Map the network adapters to the appropriate VMware networks using the following table:

  Network Adapter      Connect at power on (yes)    Custom (VMnet1)
  Network Adapter 2    Connect at power on (no)     Custom (VMnet2)
  Network Adapter 3    Connect at power on (yes)    Custom (VMnet3)
  Network Adapter 4    Connect at power on (no)     Bridged

- Click OK.

TASK 6 – Edit the Settings of the LAMP Image

The LAMP image requires some manual network configuration changes.

- Select LAMP_3.2 from the Library menu, and then click Power on this virtual machine.
- Within the VMware Workstation window, leave Ubuntu selected and press the Enter key.
- After the image powers on, within the VMware Workstation window (and within the LAMP desktop) click Login.
- Click the Applications Menu icon on the top-left of the screen, and then select Settings Manager.
- In the Hardware section, click Network Connections.
- Select Wired connection 1, and then click Edit.
- From the Device MAC address list box, select the MAC address for eth0.
- Click Save, and then repeat these steps for the following:
  o Wired connection 2 --> eth1
  o Wired connection 3 --> eth2
  o Wired connection 4 --> eth3
- Delete Wired connection 5 – Wired connection 8.
  NOTE: The wired connection entries will not be removed from the Network Connections list until you reboot the image.
- Close the Network Connections and Settings dialog boxes.
- In VMware Workstation, right-click LAMP_3.2 in the Library menu and select Power > Power Off.
- Right-click LAMP_3.2 in the Library menu and select Snapshot > Take Snapshot.
- Name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.

EXERCISE 1.2 – INITIAL BIG-IP CONFIGURATION

In this exercise you will configure the BIG-IP management interface, you’ll use TMSH to create a VLAN and a self IP address, and you’ll request and install a BIG-IP VE license key.
* Your workstation needs Internet access to complete the licensing portion of this exercise.
* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 25 minutes

TASK 1 – Configure BIG-IP Management Interface Settings

Power on the BIG-IP VE image, configure the management interface settings, and then use TMSH to create the external VLAN, self IP address, and default gateway route.

- Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.
  NOTE: You may experience issues when attempting to power on the BIG-IP virtual machine. If you receive an incompatibility message regarding 64-bit operation, complete Task 1.1.
- After the BIG-IP VE system powers on, you are presented with the localhost login screen.
- Log in to the BIG-IP system using the following credentials:
    localhost login: root
    Password: default
- At the CLI prompt, type:
    config
- Configure the management interface using the following information:

  IP Address       10.128.1.245
  Network Mask     255.255.255.0
  Default Route    10.128.1.1

TASK 1.1 – Configure your System BIOS and BIG-IP Management Interface Settings

Complete this task ONLY if you receive an incompatibility message regarding 64-bit operation.

- You may receive the following dialog box:
  This is an issue with the Intel virtualization.
  To resolve it, you must reconfigure your system BIOS.
- Access your system BIOS. To find the disabled virtualization features, perform the following, depending on the model of your devices:
  o Go to Configuration, and then enable Intel Virtual Technology.
  o Go to Security > Virtualization, and then enable Intel (R) Virtualization Technology and Intel (R) VT-d Feature.
- Press F10 to save and exit the system BIOS. The system reboots and you can proceed.
- Launch VMware Workstation.
- Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.
- After the BIG-IP VE system powers on, you are presented with the localhost login screen.
- Log in to the BIG-IP system using the following credentials:
    localhost login: root
    Password: default
- At the CLI prompt, type:
    config
- Configure the management interface using the following information:

  IP Address       10.128.1.245
  Network Mask     255.255.255.0
  Default Route    10.128.1.1

TASK 2 – Generate an Evaluation License Key

Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license.

- Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com
- Click Eval Key Generator, and log in using your Olympus credentials.
  NOTE: Ensure you are not selecting Dev Key Generator.
- Leave the Generate Eval Base Keys option selected.
- From the Product Line list box, select BIG-IP.
- From the Product list box, select F5-BIG-VE-LAB-LIC.
  NOTE: Ensure you are selecting the license above before moving on.
- Select the 45 Days option, and then click Next.
- On the License Configuration Options page change the Number of Product Keys to Generate to 10.
- Select the GTM, VE and the BIG-IP, LAB (LTM,APM,ASM,AM, GTM), VE checkboxes, and then click Next.
  The evaluation key is emailed to your F5.com address.
- Once the F5 Development Registration Key email is delivered to your inbox, open it and copy one of the registration keys.
TASK 3 – Access the BIG-IP VE System

Access the management port of the BIG-IP VE system using a Web browser.

- Open up a Web browser and access https://10.128.1.245.
- Proceed with the untrusted security certificate.
- Log in to the BIG-IP system using the following credentials:
    Username: admin
    Password: admin
  The BIG-IP VE system does not yet have a license.

TASK 4 – Activate the BIG-IP System

Use the manual licensing method with the registration key emailed to you to activate the BIG-IP VE system.

- On the Welcome page, click Next.
- On the License page, click Activate.
- In the Base Registration Key field, paste the registration key text.
- For Activation Method, select Manual.
- Click Next.
- Select and copy all of the dossier text to your clipboard.
- Click the F5 Licensing Server link.
- Paste the dossier text in the field, and then click Next.
- Accept the license agreement, and then click Next.
- Select and copy all of the license key text to your clipboard, and then close the Activate F5 Product Web page.
- On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next.
  The BIG-IP VE system configuration updates. This takes several seconds.
- After the configuration changes complete, log in to the BIG-IP VE system.

TASK 5 – Complete the Setup Utility

Complete the remaining steps of the Setup Utility.

- On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
- On the Device Certificate page click Next.
- On the Platform page, configure these settings using the following information:

  Host Name                                   bigipA1.f5demo.com
  Root Account (Password and Confirm)         default
  Admin Account (Password and Confirm)        admin

- Click Next.
- You are prompted to log out and log back in to the BIG-IP VE system. Click OK.
- Log back in to the BIG-IP VE system.
- Under Standard Network Configuration, click Next.
- Clear the Display configuration synchronization options checkbox.
- Click Next.
- In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information:

  Self IP Address    10.128.20.240
  Self IP Netmask    255.255.255.0
  Port Lockdown      Allow Default
  VLAN Interfaces    Untagged: 1.2

- Click Next.
- In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information:

  External VLAN      Create VLAN external
  Self IP Address    10.128.10.240
  Self IP Netmask    255.255.255.0
  Port Lockdown      Allow 443
  Default Gateway    10.128.10.2
  VLAN Interfaces    Untagged: 1.1

- Click Finished.
  You are presented with the BIG-IP Web Configuration Utility.
- To find manuals and product information, click the User Documentation link to go to AskF5.
  The AskF5 knowledge base Web site displays. You can use this site to view knowledge base articles and download product manuals.
- Close the AskF5 Web page.
- Click the Run the Setup Utility link.
  You can run the Setup Utility at any time. However, you can also make changes manually using the Network option on the left navigation menu.

TASK 6 – Review Configuration Objects

Use the Configuration Utility to view the TMOS objects created with the Setup Utility.

- Open the Network > VLANs > VLANs List page.
  The Setup Utility created two VLANs: external and internal.
- Open the Network > Self IPs page.
  The Setup Utility created two self IP addresses:

  Self IP Address    VLAN
  10.128.10.240      external
  10.128.20.240      internal

- Open the Network > Routes page.
  The Setup Utility created the following route:

  Name                        Resource
  external_default_gateway    10.128.10.2

TASK 7 – Explore Command Line Access (CLI) and tmsh

Access the BIG-IP system and view configuration details using an SSH client (such as PuTTY).

- Use an SSH client (such as PuTTY) to connect to the external self IP address 10.128.10.240.
  You are unable to open the BIG-IP system because the Port Lockdown option of the external self IP address is set to allow access for TCP port 443 only.
- In the Configuration Utility, open the Network > Self IPs page.
- Click 10.128.10.240.
- Add TCP port 22 to the Custom List.
- Click Update.
- Use the SSH client again to connect to 10.128.10.240.
- In the PuTTY Security Alert dialog box, click Yes.
- Log in to the BIG-IP CLI using the following credentials:
    Username: root
    Password: default
- At the CLI, type:
    tmsh list net se (and then press the Tab key)
  Question: Did autocorrect display options? _____________________
- At the CLI, complete the following:
    tmsh list net self
  Question: What information is listed? ________________________________
- At the CLI, type:
    tmsh
- At the tmos prompt, type:
    list net vl (and then press the Tab key)
  Questions:
  Did autocorrect display options? _______________________
  Which options are available? _______________________________________
  Why did the tmos prompt replace “list net vl” with “list net vlan”? _______________________________________________________________________
- Press the Enter key.
  Question: What information is listed? ________________________________
- At the tmos prompt, navigate to another location by typing the following:
    ltm node
- At the tmos prompt, type:
    ?
  TMOS displays the commands you can use at this point.
- At the tmos prompt, type:
    q (NOTE: This will exit the list of commands presented by the “?”)
    create ?
  TMOS displays available commands and required objects. The create command requires a name to identify the node.
- At the tmos prompt, type:
    create test_node?
  The create command followed by a name requires a text name or an IP address.
- At the tmos prompt, type:
    create test_node address ?
  You must include an IP address.
- At the tmos prompt, type:
    create test_node address 10.20.30.40
    list
- In the Configuration Utility, open the Local Traffic > Nodes > Node List page.
  You created a node on the BIG-IP VE system.
- In the SSH client, at the tmos prompt, type:
    delete test (and then press the Tab key)
  There is only one possible option, so autocorrect completes the next word.
- Press the Enter key to complete the delete command.
- In the Configuration Utility, refresh the Node List page.
  You’ve removed the node from the BIG-IP VE system.
- In the SSH client, at the tmos prompt, type:
    / (this brings you back to the root TMOS level)
    quit
- At the CLI, type:
    exit

EXERCISE 1.3 – USER ACCESS AND SYSTEM PREFERENCES

In this exercise you will verify the default capabilities of the built-in admin and root user accounts. You’ll then create a new BIG-IP user account and experiment with two user roles. Finally, you’ll examine the log files and create an archive file.
* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 15 minutes

TASK 1 – Verifying User Access

Attempt to log in using the SSH client and the admin user account.

- Open a new SSH session and connect to 10.128.10.240.
- Attempt to log in using the following credentials:
    Username: admin
    Password: admin
  By default, you cannot open an SSH session using the admin account.
- In the Configuration Utility, open the System > Users > User List page.
- Click admin.
- From the Terminal Access list box, select Advanced shell.
- Click Update.
- Use the SSH client again to connect to 10.128.10.240, and then log in using the admin account.
- Close the SSH session.
- In the Configuration Utility, attempt to log back in to the BIG-IP VE system using the following credentials:
    Username: root
    Password: default
  You cannot log in to the Configuration Utility using the root account. You can only use the root account for CLI access.

TASK 2 – Create a New BIG-IP User Account

Use the Configuration Utility to create a new BIG-IP VE system user account for yourself and experiment with the different user roles.

- Log in to the BIG-IP system using the admin account.
- Open the System > Users > User List page.
- Create a new user account using the following information, and then click Finished.

  User Name           your first name
  Password            your last name (all lowercase)
  Role                Operator
  Partition Access    All
  Terminal Access     tmsh

- Use the SSH client to access 10.128.10.240, and then log in using your new user account.
  Question: Are you at the CLI prompt or the tmos prompt? _________________________
- At the tmos prompt, type:
    ltm node
    create test_node address 10.20.30.40
  You receive a syntax error: incomplete command.
- At the tmos prompt, type:
    create ?
  Your user account does not have privileges to create nodes.
- At the tmos prompt, type:
    quit
  Because you only have TMSH access, quitting TMSH ends the SSH session.
- In the Configuration Utility, click Log out.
- Log back into the Configuration Utility using your new user account.
- Open the Local Traffic > Pools > Pool List page.
  Question: Why are the Create and Delete buttons greyed out? ________________________________
- Open the System > Users > User List page.
- Click your user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
- Log out, and then log back in using the admin account.
- Open the System > Users > User List page.
- Click your new user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
- Change the user’s Terminal Access to Advanced shell.
- Click Update.
- Log out, and then log in using your new user account with the WRONG password. (NOTE: You will view this failed login attempt in the LTM audit log.)
- Log in using your new user account with the correct password.
- Open the Local Traffic > Pools > Pool List page.
  You now have privileges to create and delete pools.

TASK 3 – View Logging Information

View recent security logging activity using an SCP client (such as WinSCP) to.
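The search that Task 3 performs by hand in /var/log/secure and the audit log can also be scripted. The following is an added example, not part of the F5 guide: the log lines are constructed for illustration, their exact wording on a given TMOS build is an assumption, and the user name student and the source address 10.128.10.77 are made up.

```python
import re
from collections import Counter

# Constructed sample lines, not captured from a real BIG-IP. The sshd lines use
# stock OpenSSH wording; the httpd lines imitate Configuration Utility audit
# entries, and their exact wording on a given TMOS build is an assumption.
SAMPLE_LOG = """\
Nov 18 10:02:11 bigipA1 sshd[4121]: Accepted password for root from 10.128.10.1 port 50112 ssh2
Nov 18 10:05:40 bigipA1 sshd[4177]: Failed password for admin from 10.128.10.1 port 50120 ssh2
Nov 18 10:20:57 bigipA1 httpd[5012]: AUDIT - user student - RAW: httpd(pam_audit): User=student tty=(unknown) host=10.128.1.1 failed to login after 1 attempts
Nov 18 10:21:09 bigipA1 httpd[5012]: AUDIT - user student - RAW: httpd(pam_audit): user=student(student) partition=[All] level=Operator tty=(unknown) host=10.128.1.1 attempts=1
Nov 18 10:30:15 bigipA1 sshd[4302]: Failed password for invalid user oracle from 10.128.10.77 port 40022 ssh2
Nov 18 10:30:17 bigipA1 sshd[4302]: Failed password for invalid user oracle from 10.128.10.77 port 40022 ssh2
"""

# (channel, outcome, pattern) for each line shape recognised in the sample.
PATTERNS = [
    ("ssh", "fail", re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("ssh", "ok", re.compile(
        r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("gui", "fail", re.compile(
        r"pam_audit\): User=(?P<user>\S+) tty=\S+ host=(?P<src>\S+) failed to login")),
    ("gui", "ok", re.compile(
        r"pam_audit\): user=(?P<user>[^\s(]+)\(\S*\) .*host=(?P<src>\S+) attempts=\d+")),
]


def parse_events(text):
    """Return one dict per recognised login line, in log order."""
    events = []
    for line in text.splitlines():
        for channel, outcome, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                events.append({
                    "ts": line[:15],  # syslog timestamp, e.g. "Nov 18 10:02:11"
                    "channel": channel,
                    "outcome": outcome,
                    "user": match["user"],
                    "src": match["src"],
                })
                break
    return events


def failed_logins(events):
    """Count failures per (user, source address)."""
    return Counter((e["user"], e["src"]) for e in events if e["outcome"] == "fail")


def fail_then_success(events):
    """Logins that succeeded after one or more failures for the same channel,
    user and source: the wrong-then-right password sequence from Task 2."""
    pending = Counter()
    hits = []
    for e in events:
        key = (e["channel"], e["user"], e["src"])
        if e["outcome"] == "fail":
            pending[key] += 1
        elif pending[key]:
            hits.append((e["user"], e["src"], e["channel"], pending.pop(key)))
    return hits


def repeat_offenders(events, threshold=2):
    """Sources with at least `threshold` failures and no successful login."""
    fails = Counter(e["src"] for e in events if e["outcome"] == "fail")
    ok_sources = {e["src"] for e in events if e["outcome"] == "ok"}
    return sorted(s for s, n in fails.items() if n >= threshold and s not in ok_sources)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for (user, src), count in failed_logins(evts).items():
        print(f"{count} failed login(s) for {user} from {src}")
    print("failure followed by success:", fail_then_success(evts))
    print("sources with repeated failures only:", repeat_offenders(evts))
```
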
- Use an SCP client (such as WinSCP) to access 10.128.10.240 with your new user account and password.
- On the right side, navigate to the / level.
- Navigate to the /var/log directory.
- Open the secure log file and then scroll to the bottom.
- Locate the log entry for the failed login attempt by your user account.
- Close the secure log file and the SCP client.
- In the Configuration Utility, open the System > Logs > Audit > List page.
- Type fail in the search field, and then click Search.
- Locate the log entry for the failed login attempt by your user account.

TASK 4 – Update System Preferences

Update the BIG-IP VE system preferences with custom settings.

- Open the System > Preferences page.
- From the System Settings list, select Advanced.
- Change the Records Per Screen value to 20.
- From the Start Screen list box, select Statistics.
- Select the Redirect HTTP to HTTPS checkbox.
- Update the Idle Time Before Automatic Logout value to 100000.
- Update the Security Banner Text to Show on the Login Screen to:
    Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.
- Click Update.
- Click Log out.
- Change the URL to http://10.128.1.245.
  You are redirected to the HTTPS site, and the Login page now displays the custom message.
- Log in using your new user account.
  The startup page is now the Statistics page.

TASK 5 – Create an Archive File

Use the command line to create an archive file.

- Use the SSH client to connect to 10.128.10.240, and then log in using your new user account.
- At the CLI, type:
    tmsh
- At the TMOS prompt, type:
    sys ucs
    ?
- Use the Enter key to scroll through the available commands.
- At the tmos prompt, type:
    q
    save ?
    1.3_initial_setup_v11.4.1.1.ucs ?
  You can create a passphrase when needed.
- Press Enter to create the archive file.
- Quit TMSH, and then exit the SSH client.
- In the Configuration Utility open the System > Archives page.
  You created a new archive file on the BIG-IP VE system.

MODULE 2 EXERCISES – PROCESSING TRAFFIC

EXERCISE 2.1 – CREATE AN HTTP POOL AND VIRTUAL SERVER

In this exercise you will configure a pool for HTTP Web servers, a virtual server that uses the HTTP pool, and then verify its functionality. You’ll then update the SNAT settings for the virtual server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Pool

Create a pool containing three HTTP pool members.

- In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
- Open a Web browser and access https://10.128.1.245.
- Log in with the new user account you created in Exercise 1.3.
- Open the Local Traffic > Pools > Pool List page, and then click Create.
- Create a pool using the following information:

  Name                         http_pool
  Load Balancing Method        Round Robin
  Priority Group Activation    Disabled
  New Members (Click Add for each entry):
    Address         Service Port
    10.128.20.11    80
    10.128.20.12    80
    10.128.20.13    80

- Click Finished.
- Open the Local Traffic > Nodes > Node List page.
  The BIG-IP VE system automatically creates a node for each pool member.

TASK 2 – Create a Virtual Server that Uses the Pool

Create an HTTP virtual server that uses the HTTP pool you created previously.

- Open the Local Traffic > Virtual Servers > Virtual Server List page, and then click Create.
- Create a virtual server using the following information:

  Name            http_vs
  Type            Standard
  Destination     Host: 10.128.10.20
  Service Port    80 (HTTP)
  State           Enabled
  Default Pool    http_pool

- Click Finished.

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the virtual server and ensure that you’re receiving information from all three pool members.

- Use a new Web browser and access the virtual server at http://10.128.10.20.
  You should see page elements coming from all three of the pool members.
- In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
- From the Statistics Type list box, select Virtual Servers.
  Question: How many connections were opened to create the Web page? ___________
- In the F5 vLab Test Web page, type Ctrl+F5 once, to force the browser to refresh without using its cache.
- In the Configuration Utility, from the Statistics Type list box, select Pools.
  Questions:
  Did traffic go to each pool member? _____________
  Did each member manage approximately the same number of connections? __________

TASK 4 – Modify the Virtual Server SNAT Setting

Identify the effects of adding SNAT Automap to the virtual server.

- In the F5 vLab Test Web page, review the Request Details and examine the Client IP address/port.
  Questions:
  What is the client IP address? ________________________
  Which device “owns” this IP address? ___________________________
- In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
- Click http_vs.
- From the Source Address Translation list box, select Auto Map, and then click Update.
- In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  Question: What is the client IP address? ________________________
  Which device “owns” this IP address? ___________________________
- Close the F5 vLab Test Web page.
- In the Configuration Utility, change the Source Address Translation back to None, and then click Update.

EXERCISE 2.2 – NETWORK MAP

In this exercise you will use the Network Map feature to examine availability information on virtual servers, pools, pool members, and nodes.
* Estimated completion time: 10 minutes

TASK 1 – View Configuration and Status from the Network Map

- In the Configuration Utility, open the Local Traffic > Network Map page.
- Use the mouse to hover over the virtual server and pool objects and notice the information displayed for each object.
- Hover over the pool member objects and notice the information displayed.
- Click the 10.128.20.11:80 pool member.
  The pool member properties page displays.
- In the Parent Node row, click 10.128.20.11.
  The node properties page displays.
- Open the Local Traffic > Pools > Pool List page, and then click http_pool.
- Open the Members page.
- Select the checkbox for 10.128.20.11:80, and then click Disable.
- Return to the Network Map page.
- In the Search box, type 20.12, and then click Update Map.
  All objects that match the search criteria are highlighted.
- Click the 10.128.20.11:80 pool member.
- In the State row, select the Enabled option to re-enable this pool member, and then click Update.

TASK 2 – Reset Statistics

Reset the statistics for the virtual server, the pool, and all of the pool members.

- Open the Statistics > Module Statistics > Local Traffic page.
- From the Statistics Type list box, select Virtual Servers.
- Select the http_vs checkbox, and then click Reset.
- From the Statistics Type list box, select Pools.
- Use the Select All checkbox to select the http_pool and all three members, and then click Reset.

TASK 3 – View the Local Traffic Log File

Use the Local Traffic log file to identify pool member availability.

- Open the System > Logs > Local Traffic page.
- Click the Timestamp column header to sort in descending order. (The most recent entry should be at the top of the list.)
- In the Search box type disabled, and then click Search.
  You can quickly identify when a pool member or node has been disabled.

TASK 4 – Saving the Configuration

Use the Configuration Utility to create an archive file.

- Open the System > Archives page, and then click Create.
- Create an archive using the following information, and then click Finished.

  File Name       2.2_processing_traffic_v11.4.1.1
  Encryption      Disabled
  Private Keys    Include

MODULE 3 EXERCISES – VIRTUAL SERVERS

EXERCISE 3.1 – VIRTUAL SERVER PRIORITY

In this exercise you will configure a pool and a virtual server that listen on all ports, and then test application access using the virtual server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Wildcard Pool

Create a pool containing three pool members listening on all ports.

- In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the Local Traffic > Pools > Pool List page.
- Create a new pool using the following information, and then click Finished.

  Name                         open_pool
  Load Balancing Method        Round Robin
  Priority Group Activation    Disabled
  New Members (Click Add for each entry):
    Address         Service Port
    10.128.20.11    * All Services
    10.128.20.12    * All Services
    10.128.20.13    * All Services

- Open the Local Traffic > Nodes > Node List page.
  Questions:
  Did BIG-IP LTM create new nodes for this pool? _________________
  If no, why not? ____________________________________________________________

TASK 2 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports that references the pool you created in the previous task.

- Open the Local Traffic > Virtual Servers > Virtual Server List page.
- Create a virtual server using the following information, and then click Finished.

  Name            open_vs
  Type            Standard
  Destination     Host: 10.128.10.20
  Service Port    * All Ports
  Default Pool    open_pool

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the wildcard virtual server and ensure that you’re receiving information from all three pool members.

- Open the Statistics > Module Statistics > Local Traffic page, and then select to view Virtual Server statistics.
- Verify that the statistics for all virtual servers are reset.
- Use a new Web browser and access the virtual server at http://10.128.10.20.
- In the Configuration Utility, on the Virtual Servers statistics page, click Refresh.
  Question: Which virtual server processed this request? _________________________
- Reset the virtual server statistics.
- Use an SSH client to access 10.128.10.20.
  NOTE: It’s not necessary to log into the CLI to complete this task.
- Close PuTTY.
- In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
- Reset the virtual server statistics.
- Use a new Web browser to access the secure virtual server at https://10.128.10.20.
- In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
  The HTTP request was directed to http_vs, as this virtual server is more specific than open_vs. The SSH and HTTPS requests were directed to open_vs.
- Delete both the open_vs and the open_pool objects.

EXERCISE 3.2 – FORWARDING AND REJECT VIRTUAL SERVERS

In this exercise you will configure and test a forwarding network virtual server. You’ll then configure and test a reject virtual server for SSH access. Lastly, you’ll create a forwarding host virtual server for SSH access to a single server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Disable the Current Virtual Server

Disable the current HTTP virtual server, and add a route from your workstation to the 10.128.20.0 network.

- Open the Local Traffic > Virtual Servers > Virtual Server List page.
- Select the http_vs checkbox, and then click Disable.
  NOTE: You must disable this virtual server in order to use those you’ll create later in this exercise.
- Use a Web browser to attempt to access a Web server directly at http://10.128.20.13.
  The request fails, as you do not have direct access to the 10.128.20.0 network.
- On your workstation, open a command prompt.
  NOTE: You may need to run the command prompt as a local administrator. If so, go to the Start menu and type cmd, then right-click cmd.exe and select Run as administrator.
- At the command prompt, type:

    route add 10.128.20.0 mask 255.255.255.0 10.128.10.240

  This adds a route to the 10.128.20.0 network through the external self IP address of the BIG-IP VE system.
  NOTE: You cannot run the route add command while connected to an F5 VPN.
- Leave the command prompt window open.
- Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13.

The request fails again, as the BIG-IP VE system does not have a listener to forward this request to the internal network.

TASK 2 – Create a Forwarding (IP) Virtual Server

Create a forwarding (IP) virtual server for the 10.128.20.0 network.

- In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
- Create a virtual server using the following information, and then click Finished.

    Name            forward_vs
    Type            Forwarding (IP)
    Destination     Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port    * All Ports
    Protocol        * All Protocols

- Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13.

The request is successful. Note in the Request Details section, the virtual server address is the same as the pool member address. The virtual server did not process the packet, but simply forwarded it to the internal network.

- Change the URL to https://10.128.20.12.
- Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
- Close the SSH session and the F5 vLab Test Web page.

You now have access to all ports and all protocols on the 10.128.20.0 network.

TASK 3 – Create a Reject Virtual Server

Create a reject virtual server to reject SSH traffic going to the 10.128.20.0 network.

- In the Configuration Utility, open the Virtual Server List page.
- Create a virtual server using the following information, and then click Finished.

    Name            reject_vs
    Type            Reject
    Destination     Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port    22 (SSH)

- Use an SSH client to connect to 10.128.20.11.
- When your request times out, close the SSH session.
- Use a Web browser to access http://10.128.20.11.

Although you still have HTTP access to 10.128.20.11, you no longer have SSH access to any hosts on the 10.128.20.0 network.

- Close the F5 vLab Test Web page.

TASK 4 – Create a Forwarding Host Virtual Server

Create another forwarding (IP) virtual server, enabling SSH traffic to 10.128.20.11 only.

- In the Configuration Utility, on the Virtual Server List page, create a virtual server using the following information, and then click Finished.

    Name            ssh_vs
    Type            Forwarding (IP)
    Destination     Host: 10.128.20.11
    Service Port    22 (SSH)

- Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
- Open a new SSH session and connect to 10.128.20.12.
- When your request times out, close the SSH session.

You now have access to all ports and protocols on the 10.128.20.0 network except for port 22. You only have access to port 22 on host 10.128.20.11.

- In the Configuration Utility, delete forward_vs, reject_vs, and ssh_vs.
- Re-enable http_vs.
- In the command prompt window, type:

    route DELETE 10.128.20.0

- Close the command prompt.

TASK 5 – Saving the Configuration

Use the Configuration Utility to create an archive file.

- Open the System > Archives page.
- Create an archive using the following information, and then click Finished.

    File Name       3.2_virtual_servers_v11.4.1.1
    Encryption      Disabled
    Private Keys    Include

MODULE 4 EXERCISES – POOLS

EXERCISE 4.1 – INSTALL REQUIRED SOFTWARE

You will need to install and configure JMeter in order to use this exercise guide.

* Do not perform exercise 4.1 if you already have JMeter installed.
* Estimated completion time: 10 minutes

TASK 1 – Download and Install JMeter

Download and install JMeter.

- Use a Web browser to access http://jmeter.apache.org/download_jmeter.cgi.
- From the Binaries section, download either the TGZ or ZIP file of the latest version of Apache JMeter.
- Extract the downloaded file on your workstation.

You will use the bin/jmeter.bat program to create a Web server load simulation.

TASK 2 – Configure a Path Value for Java.exe

In order to use JMeter, your workstation must have a path variable value for accessing java.exe.

- On your workstation open C:\Program Files.
- Open the Java folder. If there is no folder named Java, look in the Program Files (x86) folder.
- Open jre7, and then open bin. Verify that this folder contains the java.exe executable file.
- Right-click in the address bar and select Copy address.
- Open the Start menu, and then type environment in the search bar.
- Click Edit environment variables for your account.
- In the Environment Variables dialog box, in the User variables for section, do one of the following:
  o If there is an existing path variable:
    - Select path, and then click Edit.
    - At the end of the existing Variable value, add a semi-colon, and then paste the address text.
  o If there is not an existing path variable:
    - Click New.
    - Name the new variable path.
    - In the Variable value field, paste the address text.
- Click OK twice.

EXERCISE 4.2 – CREATE A WEB LOAD TEST

Use JMeter to record a visit to your virtual server, and then create a load configuration to simulate 50 users accessing the recording.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Use JMeter to Record a Visit to the Web Site

Use JMeter to record a series of requests to the http_vs virtual server.

- In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
- In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
  NOTE: If you do not have JMeter installed, return and complete Exercise 4.1.
- In the navigation panel, right-click Test Plan, and then select Add > Threads (Users) > Thread Group.
- Change the name to 10.128.10.20 Test.
- In the Number of Threads (Users) field, enter 100.
- In the Loop Count field, enter 3.
- Go to File > Save, and save the file as 10.128.10.20_Test.jmx.

This will simulate 100 users accessing the BIG-IP VE system and visiting each page three times.

- In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Config Element > HTTP Request Defaults.
  o In the Server Name or IP field, enter 10.128.10.20.
  o In the Port Number field, enter 80.
- In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Home Page
  o In the Path field, enter /
  o Clear the Use KeepAlive checkbox.
- In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Welcome Page
  o In the Path field, enter /welcome.php
  o Clear the Use KeepAlive checkbox.
- In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Listener > Summary Report.
- Click the Save button.

TASK 2 – Use JMeter to Simulate Multiple Visits to the Web Site

Use JMeter to play the recording to the downstream Web site.

- In JMeter, select 10.128.10.20 Test, and then go to Run > Start.
- Select Summary Report to monitor the results.

When the total # Samples value reaches 600, the test is complete.

TASK 3 – Verify Virtual Server and Pool Statistics

View the virtual server and pool statistics, and then reset all statistics.

- In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
- Select to view the Pools statistics.

Question: Were the connections distributed evenly between the three pool members? ________
- Reset the statistics for the pool and all pool members.

EXERCISE 4.3 – LOAD BALANCING METHODS

In this exercise you will change the load balancing method to Ratio and view the resulting behavior.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Configure Ratio Member Load Balancing

Update the http_pool by changing the load balancing method to Ratio (member), and then assign ratio values to the different pool members.

- Open the Local Traffic > Pools > Pool List page.
- Click http_pool.
- Open the Members page.
- In the Load Balancing section, from the Load Balancing Method list box, select Ratio (member).
- Click Update.
- In the Current Members section, click 10.128.20.11:80.
- Within the Configuration section, set the Ratio value to 4.
- Click Update, and then return to the Members page.
- Update the remaining pool members with the following information:

    Member             Ratio
    10.128.20.12:80    2
    10.128.20.13:80    1

- In JMeter, select Summary Report, and then go to Run > Clear.
- Select 10.128.10.20 Test, and then go to Run > Start.
- Select Summary Report to monitor the results.

When the total # Samples value reaches 600, the test is complete.

- In the Configuration Utility, view the Pools statistics.

Questions:
Were the connections distributed evenly? _____________
Were the connections distributed using a 4 – 2 – 1 ratio? _____________

- Reset the statistics for the pool and all pool members.

TASK 2 – Configure Weighted Least Connections Load Balancing

Update the http_pool by assigning connection limit values to the different pool members and then changing the load balancing method to Weighted Least Connections (member).

- Click to edit the http_pool object, and then open the Members page.
- Update the pool members with the following information:

    Member             Connection Limit
    10.128.20.11:80    1200
    10.128.20.12:80    250
    10.128.20.13:80    50

  NOTE: Ensure that all three pool members have Connection Limit values before proceeding.
- Change the Load Balancing Method to Weighted Least Connections (member), and then click Update.
- In JMeter, select Summary Report, and then go to Run > Clear.
- Select 10.128.10.20 Test, and then go to Run > Start.
- Select Summary Report to monitor the results.

When the total # Samples value reaches 600, the test is complete.

- Close JMeter.
- In the Configuration Utility, view the Pools statistics.

Question: Were the pool members utilized properly based on the configured connection limits? _________

- Reset the statistics for the pool and all pool members.

EXERCISE 4.4 – PRIORITY GROUP ACTIVATION

In this exercise you will enable priority group activation, and then add two additional pool members to the HTTP pool. You’ll then examine how the BIG-IP system utilizes the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Enable Priority Group Activation

Update the http_pool by enabling priority group activation, and then assign priority values to the different pool members. Add two additional members to the pool.

- Click to edit the http_pool object, and then open the Members page.
- In the Priority Group Activation list box, select Less than.
- In the Available Member(s) field, enter 2, and then click Update.
- Update the pool members with the following information:

    Member             Priority Group
    10.128.20.11:80    8
    10.128.20.12:80    8
    10.128.20.13:80    4

- Add new pool members using the following information:

    Address         Service Port    Ratio    Priority Group    Connection Limit
    10.128.20.14    80              1        4                 10
    10.128.20.15    80              1        3                 10

- Use a Web browser to access http://10.128.10.20.
- Use Ctrl+F5 several times to refresh the page.

Question: Which members are supplying content for the request? _____________________________

- In the Configuration Utility, disable pool member 10.128.20.11:80.
- In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

Question: Which members are supplying content for the request?
_____________________________

With priority group activation set to 2 members, why are there now three members supplying content? ___________________________________________________________________________

- In the Configuration Utility, disable pool member 10.128.20.13:80.
- In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

Question: Which members are supplying content for the request? _____________________________

- In the Configuration Utility, disable pool member 10.128.20.12:80.
- In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

Using priority group activation, we can always be assured that we have at least two pool members available to fulfill user requests.

- In the Configuration Utility, re-enable pool members 10.128.20.11:80 and 10.128.20.13:80.
- In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

For the first couple of refreshes, content should still come from node #5 (10.128.20.15:80), because the connections had yet to close. Eventually you will notice requests come only from 10.128.20.11, 10.128.20.13, and 10.128.20.14.

- In the Configuration Utility, re-enable pool member 10.128.20.12:80.
- In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.

After refreshing a couple of times, all requests now come from 10.128.20.11 and 10.128.20.12 only.

- Close the F5 vLab Test Web page.
- Update the http_pool by changing the Priority Group Activation value back to Disabled, and then click Update.
- Create an archive file named 4.4_pools_load_balancing_v11.4.1.1.

MODULE 5 EXERCISES – MONITORS

EXERCISE 5.1 – USING MONITORS WITH NODES

In this exercise you will assign the default monitor to be used for all nodes, in addition to assigning a node-specific monitor as well as disassociating the default monitor from a node.
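Looking back at Exercise 4.4: the following added example (not part of the F5 guide and not BIG-IP code) replays that exercise's enable and disable steps against a small model of the Less than 2 setting. The Member class and the active_members and exercise_4_4 functions are hypothetical names, and the model assumes that the next-lower priority group is brought in whenever fewer than the configured number of members are available in the groups already in use.

```python
"""Model of Priority Group Activation ("Less than N available members").

Added illustration only: a simplified model, not BIG-IP code. All names are
hypothetical; connection limits and in-flight connections are not modelled.
"""
from dataclasses import dataclass


@dataclass
class Member:
    address: str
    priority: int            # higher number = preferred priority group
    available: bool = True   # False once the member is disabled


def active_members(members, min_available):
    """Return the addresses eligible to receive new connections.

    min_available == 0 models "Disabled": every available member is used.
    Otherwise groups are added from the highest priority downward until at
    least min_available members are available, or no groups remain.
    """
    members = list(members)
    if min_available <= 0:
        return sorted(m.address for m in members if m.available)
    active = []
    for prio in sorted({m.priority for m in members}, reverse=True):
        active += [m.address for m in members
                   if m.priority == prio and m.available]
        if len(active) >= min_available:
            break
    return sorted(active)


def exercise_4_4():
    """Replay the steps of Exercise 4.4 and record who serves new requests."""
    # Priority groups exactly as configured in the exercise tables.
    pool = {m.address: m for m in (
        Member("10.128.20.11:80", 8),
        Member("10.128.20.12:80", 8),
        Member("10.128.20.13:80", 4),
        Member("10.128.20.14:80", 4),
        Member("10.128.20.15:80", 3),
    )}
    steps = [
        ("initial state", {}),
        ("disable .11", {"10.128.20.11:80": False}),
        ("disable .13", {"10.128.20.13:80": False}),
        ("disable .12", {"10.128.20.12:80": False}),
        ("re-enable .11 and .13", {"10.128.20.11:80": True,
                                   "10.128.20.13:80": True}),
        ("re-enable .12", {"10.128.20.12:80": True}),
    ]
    timeline = []
    for label, changes in steps:
        for address, state in changes.items():
            pool[address].available = state
        timeline.append((label, active_members(pool.values(), 2)))
    return timeline


if __name__ == "__main__":
    for label, serving in exercise_4_4():
        print(f"{label:<24} -> {', '.join(serving)}")
```

Members that drop out of the eligible set keep the connections they already hold, which is why the guide still sees content from 10.128.20.15:80 for the first few refreshes after the higher-priority members return.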
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Verify the Snapshot for the LAMP Image

In these exercises you will make modifications to the LAMP VMware image. Ensure that you have a snapshot before moving on.

- In VMware Workstation, power off the LAMP_3.2 image.
- Right-click LAMP_3.2 and select Snapshot.
- If you do not have a snapshot named LAMP_3.2_Clean, select Take Snapshot, and name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.
- Power on the BIGIP_A1_v11.4 and LAMP_3.2 images.

TASK 2 – Assign a Default Monitor for all Nodes

Assign the BIG-IP system default icmp monitor as the default monitor for all nodes.

- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the Local Traffic > Nodes > Node List page.
- Examine the Status of the listed nodes.
- Open the Default Monitor page.
- Select icmp from the Available list, then click <<, and then click Update.
- Open the Node List page, and examine the Status of the listed nodes.

TASK 3 – Create a Custom ICMP Monitor

Create a custom ICMP monitor that will be used with only one node.

- Open the Local Traffic > Monitors page, and then click Create.
- Create a new monitor using the following information, and then click Finished.

    Name              custom_icmp_monitor
    Type              ICMP
    Parent Monitor    icmp
    Interval          4
    Timeout           13
    Transparent       No

TASK 4 – Assign the Custom Monitor to a Specific Node

Assign the custom icmp monitor to 10.128.20.12.

- Open the Local Traffic > Nodes > Node List page, and then click 10.128.20.12.
- Assign the monitor to the node using the following information:

    Health Monitors             Node Specific
    Select Monitors: Active     custom_icmp_monitor
    Availability Requirement    All

- Click Update.

TASK 5 – Assign No Monitors to a Specific Node

Assign no monitors to 10.128.20.13.

- On the Node List page, click 10.128.20.13.
- From the Health Monitors list box, select None, and then click Update.
- Open the Node List page, and examine the Status of the listed nodes.

The BIG-IP system default icmp monitor has been assigned to the Node Default monitor and these nodes are using that monitor:

  - 10.128.20.11
  - 10.128.20.14
  - 10.128.20.15

The custom_icmp_monitor is assigned to node 10.128.20.12. There is no monitor assigned to node 10.128.20.13.

This is not a recommended configuration. This setup is only to demonstrate three methods to assign monitors to nodes.

EXERCISE 5.2 – USING MONITORS WITH POOLS

In this exercise you will create a custom HTTP monitor and assign the monitor to the HTTP pool. You will then view the effects of using monitors on the virtual server, pool, pool members, and nodes.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Check Current Pool Member Status

Use the Pool List page to examine the current status of the members of the HTTP pool.

- Open the Local Traffic > Pools > Pool List page.
- Click http_pool, and then open the Members page.
- Examine the Status of the listed members.

Question: Will BIG-IP LTM distribute traffic to pool members that are unknown? _____________

TASK 2 – Create a Custom HTTP Monitor

Create a custom HTTP monitor that requests a specific Web page from the pool member and that verifies a specific text string is returned in the HTTP response.

- Open the Local Traffic > Monitors page, and then click Create.
- Create a monitor using the following, and then click Finished.

    Name              custom_http_monitor
    Type              HTTP
    Interval          4
    Timeout           13
    Send String       GET /HealthCheck.html\r\n
    Receive String    SERVER_UP

TASK 3 – Assign the Custom Monitor to the Pool

Assign custom_http_monitor to http_pool.

- Open the Local Traffic > Pools > Pool List page, and then click http_pool.
- For Health Monitors, select custom_http_monitor, click <<, and then click Update.

TASK 4 – View the Network Map

View the status of virtual server, pool, pool members, and nodes using Network Map.
- Open the Local Traffic > Network Map page.
- Use the mouse to hover over the different pool members.

Question: Why is the status of node 10.128.20.13 different from the other nodes? ___________________________________________________________________

TASK 5 – View the Effects of Using Monitors

Make changes to the Web site on the LAMP image, and then view how the changes affect the Network Map.

- Use an SSH client to connect to the LAMP_3.2 image at 10.128.1.252.
- Log in using the following credentials:

    Username: root
    Password: default

- Access and view the Web server components on 10.128.20.11:80 by typing:

    cd /var/www/server/1
    ls

  The HealthCheck.html Web page currently exists on pool member 10.128.20.11:80.
- To rename this Web page, type:

    mv HealthCheck.html NewHealthCheck.html

  This removes the HealthCheck.html Web page from pool member 10.128.20.11:80.
- Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
- Hover over each pool member.

The virtual server and pool display available. Pool member 10.128.20.11:80 displays offline. These pool members display available:

  - 10.128.20.12:80
  - 10.128.20.13:80
  - 10.128.20.14:80
  - 10.128.20.15:80

All the nodes display as available, except 10.128.20.13, which displays unknown.

- In the SSH session, to change the contents of the HealthCheck.html Web page on 10.128.20.12:80 using visual editor, type:

    cd ..
    cd 2
    vi HealthCheck.html

  NOTE: You can use the Tab key to autocomplete the Web page name.
- Arrow down to the SERVER_UP paragraph, and then arrow over to the word UP.
- Type X to delete UP.
- To save and quit visual editor, type:

    :wq

  The text string “SERVER_UP” will no longer be found in the HealthCheck.html Web page on pool member 10.128.20.12:80.
- Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.

The virtual server and pool still display available. Pool members 10.128.20.11:80 and 10.128.20.12:80 display offline.
These pool members display available:

  - 10.128.20.13:80
  - 10.128.20.14:80
  - 10.128.20.15:80

- In the SSH session, to delete the IP address from 10.128.20.14:80, type:

    ip addr del 10.128.20.14/24 dev eth2

  This removes the IP address from node 4. The BIG-IP VE system will not receive an ICMP response from the node.
- Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
- Hover over each pool member.

Node 10.128.20.14 now displays offline, which causes pool member 10.128.20.14:80 to display offline.

- Open the http_pool pool, and then open the Members page.
  o Update the Connection Limit of 10.128.20.13:80 to a value of 100.
  o Update the Connection Limit of 10.128.20.15:80 to a value of 5.
- In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
- Open 10.128.10.20 Test.jmx.
- In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Big Text Page
  o In the Path field, enter /bigtext.php
  o Clear the Use KeepAlive checkbox.
- Select 10.128.10.20 Test, and then go to Run > Start.
- While the test runs, in the Configuration Utility continue to refresh the Network Map page.

Eventually pool member 10.128.20.15:80 displays unavailable because it reaches the configured connection limit.

- Use a new Web browser to access http://10.128.10.20.

The page will be slow to load, and there should only be page elements supplied by pool member 10.128.20.13:80.

- In the Configuration Utility, go to node 10.128.20.13, select Forced Offline, and then click Update.
- Open the Network Map page, and then click Update Map.
- In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.

Eventually you’ll receive a page error, as there will be no pool members left to fulfill the request.

- In JMeter, if the load test is still running, click the Stop button.
- Save the 10.128.10.20 Test, and then close JMeter.
- In the Configuration Utility, continue to click Update Map until pool member 10.128.20.15:80 is again available.
- In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.

You receive the Web page. All elements come from pool member 10.128.20.15:80.

- In the SSH session, to replace the text string in the HealthCheck.html Web page on 10.128.20.12:80:
  o Type: vi HealthCheck.html
  o Arrow to the location where you removed the text UP.
  o Type an “i” to enter insert mode.
  o Type UP.
  o Type the following commands: :wq
- In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.

There are now page elements coming from both 10.128.20.12:80 and 10.128.20.15:80.

- In the Configuration Utility on the Network Map page, click Update Map.

The virtual server and pool again display available. Pool members 10.128.20.11:80 and 10.128.20.14:80 display offline. Pool member 10.128.20.13:80 displays forced offline. Pool members 10.128.20.12:80 and 10.128.20.15:80 display available.

EXERCISE 5.3 – USING AN INBAND MONITOR

In this exercise you experiment with using a combination of passive monitoring and active monitoring.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create and Use an Inband Monitor

Create a custom inband monitor with a retry time of 0.

- Open the Local Traffic > Monitors page.
- Create a monitor using the following information, and then click Finished.

    Name          custom_inband_monitor
    Type          Inband
    Retry Time    0 seconds

TASK 2 – Update the HTTP Monitor

Configure custom_http_monitor to use the Up Interval setting.

- On the Monitors page, click custom_http_monitor.
- From the Configuration list box, select Advanced.
- For the Up Interval value, select Enabled, then type 60 seconds, and then click Update.

With this configuration, LTM uses the up interval setting for the active monitor (60 seconds) as long as the inband monitor identifies the pool member as available.
If the inband monitor identifies the pool member as suspect or offline, the regular interval is used for the active monitor (4 seconds).

TASK 3 – Update the HTTP Pool

Add custom_inband_monitor along with custom_http_monitor to http_pool.

- Open the Pool List page, and then click http_pool.
- From the Configuration list, select Advanced.
- Select custom_inband_monitor and click <<.
- From the Availability Requirement list box, select At Least, then type 1, and then click Update.
- In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.

There are now page elements provided by 10.128.20.11:80 and 10.128.20.12:80.

- In the Configuration Utility, open the Network Map page.
- Click 10.128.20.11:80 and examine the Availability and Health Monitors statuses.
- Notice the custom_http_monitor fails, while the custom_inband_monitor succeeds.

Because we modified the availability requirement to 1 health monitor, the pool member is identified as available.

EXERCISE 5.4 – USING MANUAL RESUME

In this exercise you will modify the active HTTP monitor to use manual resume.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the HTTP Monitor

Modify custom_http_monitor to use manual resume. Also, remove custom_inband_monitor from http_pool.

- Open the Monitors page, and then click custom_http_monitor.
- From the Configuration list box, select Advanced.
- For Up Interval, select Disabled.
- For Manual Resume, select Yes, and then click Update.
- Open the Pool List page, and then click http_pool.
- In the Active list, select custom_inband_monitor, and then click >>.
- From the Availability Requirement list box, select All, and then click Update.
- Wait 15 seconds, and then open the Network Map page.

Pool member 10.128.20.11:80 again displays offline.

TASK 2 – Update the Pool Members

Replace the HealthCheck.html Web page on pool member 10.128.20.11:80.
- In the SSH session, to replace the HealthCheck.html Web page on 10.128.20.11:80, type:

    cd ..
    cd 1
    mv NewHealthCheck.html HealthCheck.html

- Close the SSH session.
- In the Configuration Utility, on the Network Map page, click Update Map.
- Hover over pool member 10.128.20.11:80.

The pool member 10.128.20.11:80 displays as forced offline, waiting for manual resume.

- Click 10.128.20.11:80.

When a monitor is set for manual resume, a BIG-IP system administrator must manually enable the pool member after the monitor is again identified as available.

- Select Enabled (All traffic allowed), and then click Update.
- Open the Network Map page.

The pool member 10.128.20.11:80 is now available.

TASK 3 – Reset the Environment

To prepare for the next exercises, reset the environment, including restoring the Ubuntu image from the clean snapshot.

- Go to the 10.128.20.13 node.
- Change the State to Enabled, and then click Update.
- Open the Monitors page, and then click custom_http_monitor.
- For Manual Resume, select No, and then click Update.
- Create an archive file named 5.4_monitors_v11.4.1.1.
- In VMware Workstation, power off the LAMP_3.2 image.
- Right-click LAMP_3.2 in the Library menu and select Snapshot > LAMP_3.2_Clean.
- Click Yes to restore LAMP_3.2.

MODULE 6 EXERCISES – USING PROFILES

EXERCISE 6.1 – USING AN HTTP PROFILE

In this exercise you will create a custom HTTP profile and add it to the HTTP virtual server. You will then examine how the HTTP profile changes the traffic management behavior.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Custom HTTP Profile

Create a custom HTTP profile.

- In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
- Create an HTTP profile using the following information, and then click Finished.

    Name                        custom_http_profile
    Fallback Host               http://www.f5.com
    Fallback on Error Codes     404 500-503
    Response Headers Allowed    Content-Type Set-Cookie Location
    Insert X-Forwarded-For      Enabled
    Maximum Requests            50

Notice the current inherited setting for Maximum Header Size is 32768 bytes.

TASK 2 – Modify the Default HTTP Profile

Make a couple of modifications to the BIG-IP system default http profile, and then examine which values were inherited by custom_http_profile.

- On the Profiles: Services: HTTP page, click http.
- Edit the profile using the following information, and then click Update.

    Maximum Header Size    16384
    Maximum Requests       30

- On the Profiles: Services: HTTP page, click custom_http_profile.

Questions:
Did the custom profile inherit the maximum header size setting? ________________
Did the custom profile inherit the maximum requests setting? _______________

TASK 3 – Add the Custom HTTP Profile to a Virtual Server

Add custom_http_profile to http_vs.

- Use a new Web browser to access http://10.128.10.20.
- In the Content Examples on This Host section, click the Request and Response Headers link.
- Leave this browser open.
- In the Configuration Utility, open the Virtual Server List page, and then click http_vs.
- In the Configuration section, from the HTTP Profile list box, select custom_http_profile.
- Click Update.
- Use a second Web browser to access http://10.128.10.20.
- Click the Request and Response Headers link.
- Using both Web browsers, examine the different Response Headers delivered to the Client sections.

Questions:
Why are there fewer response headers in the second version of this Web page? _______________________________________________________________
Which response headers that were exposed in the first version of this Web page could be exploited by a hacker? ________________________________________________________________

- Using both Web browsers, examine the different Request Headers Received at the Server section.

Question: On the second version, what is the X-Forwarded-For value? _________________________

- Close the first Web browser.
- In the second Web browser, change the URL to http://10.128.10.20/badpage.php.

Questions:
What was the result of this request? ________________
Why were you redirected to www.f5.com? ___________________________________

- Close the Web browser.

TASK 4 – Update the Custom HTTP Profile

Update custom_http_profile with additional settings.

- In the Configuration Utility, open the Local Traffic > Profiles > Services > HTTP page, and then click custom_http_profile.
- Edit the profile using the following information, and then click Update.

    Request Header Erase        User-Agent
    Request Header Insert       Bigip-Httpvs:10.128.20.10
    Response Headers Allowed    Content-Type Set-Cookie Location X-Injected

- Use a Web browser to access http://10.128.10.20, and then click Request and Response Headers.

Questions:
Is the new Bigip-Httpvs request header displaying? ________________
Are you still seeing the User-Agent header? __________________

EXERCISE 6.2 – USING A STREAM PROFILE

In this exercise you will create a custom stream profile that will replace a static text string for responses from the customer’s Web site.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – View a Current Web Page

View the text that needs to be replaced on the customer’s Web site.

- Use a new Web browser to access http://10.128.10.20.
- In the Content Examples on this Host section, click Stream Profile Example.

This page has several references to the company’s previous name, Lorax Bank. Without going through the task of updating several pages across multiple Web servers, you’ll make this update on BIG-IP LTM using a stream profile.

TASK 2 – Create a Stream Profile

Create a custom stream profile that will find occurrences of the customer’s previous name and replace it with their updated company name.
- In the Configuration Utility, open the Local Traffic > Profiles > Other > Stream page, and then click Create.
- Create a stream profile using the following information, and then click Finished.

    Name      custom_stream
    Source    Lorax Bank
    Target    Lorax Investments

TASK 3 – Add the Custom Stream Profile to a Virtual Server

Add custom_stream to http_vs.

- Open the Virtual Server List page, and then click http_vs.
- From the Configuration list box, select Advanced.
- In the Configuration section, from the Stream Profile list box, select custom_stream.
- In the Acceleration section, from the HTTP Compression Profile list box, select httpcompression, and then click Update.
- Return to the F5 vLab Test Web page and refresh the Welcome to Lorax Bank page.

The stream profile replaced all occurrences of the string “Lorax Bank” with “Lorax Investments”.

- Close the Web browser.
- Create an archive file named 6.2_profiles_v11.4.1.1.

MODULE 7 EXERCISES – PERFORMANCE PROFILES

EXERCISE 7.1 – USING COMPRESSION AND ACCELERATION

In this exercise you will use iMacros for Firefox to create a recording of a visit to the HTTP virtual server. You will then create several optimization profiles, including HTTP compression, caching, and TCP. You will create a similar HTTP pool and virtual server and add the profiles to the new virtual server. You’ll then record a similar visit to the Web site using iMacros for Firefox and identify improvements.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Install iMacros for Firefox

Install iMacros for Firefox.

- Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/.
- Download and install iMacros for Firefox.

TASK 2 – Record BIG-IP LTM Performance without Optimization

Clear the statistics, then update http_vs by removing the HTTP and stream profiles, and then record a visit to the HTTP virtual server using iMacros for Firefox.
In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images. ? Access https://10.128.1.245 and log in to the BIG-IP VE system. ? Open the Statistics > Module Statistics > Local Traffic page. ? Reset the virtual server, pool, and pool member statistics. ? Open the Virtual Server List page, and then click http_vs. ? From the HTTP Profile list box, select None. ? From the Stream list box, select None, and then click Update. ? Use a Mozilla Firefox browser to access http://10.128.10.20. ? Click I Understand the Risks, then click Add Exception, and then click Confirm Security Exception. ? If it’s not already displayed, enable the iMacros pane. ? In the iMacros pane, select the Rec tab, and then click Record. ? Record the following series of clicks: o Click Welcome, and then click the banner at the top of the page to return to the home page. o Click HTTP Compress Example, and then click the banner at the top of the page. o Click Stream Profile Example, and then click the banner at the top of the page. o Click Mask Sensitive Content Example, and then click the Back button. o Click Simple HTTP Request, and then click the Back button. o Click Request and Response Headers, and then click the banner at the top of the page. ? Click Stop. ? Use Ctrl+F5 five times to refresh the page. ? Select the Welcome link, and then click on the banner at the top of the page to return to the home page. ? Click the Welcome link. ? Use Ctrl+F5 five times to refresh the page. ? Click the banner at the top to return to the home page. ? HTTP Compress ? Multiple Stream Example. ? bigtext.txt. ? ? Change the U ? In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file. ? Open 10.128.10.20 Test.jmx. ? In the navigation panel, select 10.128.10.20 Test. ? Change the Number of Threads (users) to 50. ? Change the Loop Count to 2. ? Go to Run > Start. ? Select Summary Report to monitor the results.
When the total # Samples value reaches 300, the test is complete. Questions: What is the Total Throughput value? ___________________ What is the Total KB/sec value? ____________________ What is the Total Avg. Bytes value? ___________________ ? In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page. ? From the Statistics Type list box, select Profiles Summary. ? Click the View link for HTTP Compression. There is no compression taking place. ? Click the Back button, and then click the View link for Web Acceleration. There is no caching taking place. TASK 2 – Configure HTTP Compression and Fast Cache Create a custom HTTP compression profile and a custom Web acceleration profile. ? Open the Acceleration > Profiles > HTTP Compression page. ? Create an HTTP Compression profile using the following information, and then click Finished. Name custom_compression Parent Profile wan-optimized-compression Content Compression Content List… Content Type (Click Include after each entry) *.png *.jpg *.php Minimum Content Length 10 bytes gzip Compression Level 6 – Optimal Compression Browser Workarounds Enabled ? Open the Acceleration > Profiles > Web Acceleration page. ? Create a Web Acceleration profile using the following information, and then click Finished. Name custom_caching Parent Profile optimized-acceleration Cache Size 500 megabytes TASK 3 – Configure TCP Express and Content Spooling Enable TCP optimization between the client and BIG-IP LTM, and between BIG-IP LTM and the pool members. ? Open the Local Traffic > Profiles > Protocol > TCP page. ? Create a TCP profile using the following information, and then click Repeat. Name custom_tcp_server_profile Parent Profile tcp_lan_optimized ? Create another TCP profile using the following information, and then click Finished. 
Name custom_tcp_client_profile Parent Profile tcp_wan_optimized Delayed Acks Disabled Proxy Buffer High 196608 Selective NACK Enabled Nagle’s Algorithm Disabled TASK 4 – Configure OneConnect Create a custom OneConnect profile. ? Open the Local Traffic > Profiles > Other > OneConnect page. ? Create a OneConnect profile using the following information, and then click Finished. Name custom_oneconnect Source Mask 255.255.0.0 Maximum Size 12000 TASK 5 – Create a Pool and Virtual Server Create a new pool and virtual server to use with the new performance profiles. ? Create a pool using the following information, and then click Finished. Name http_pool2 Health Monitors custom_http_monitor Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.11 80 10.128.20.12 80 10.128.20.13 80 10.128.20.14 80 10.128.20.15 80 ? Create a virtual server using the following, and then click Finished. Name http_vs2 Destination 10.128.10.21 Service Port 80 (HTTP) Configuration Advanced Protocol Profile (Client) custom_tcp_client_profile Protocol Profile (Server) custom_tcp_server_profile HTTP Profile http Source Address Translation Auto Map OneConnect Profile custom_oneconnect HTTP Compression Profile custom_compression Web Acceleration Profile custom_caching Default Pool http_pool2 ? TASK 6 – Record BIG-IP LTM Performance with Optimization Record traffic statistics with BIG-IP LTM optimization configured. ? In JMeter, in the navigation panel, select HTTP Request Defaults. ? Change the Server Name or IP to 10.128.10.21. ? Select Summary Report, and then go to Run > Clear. ? Go to Run > Start. ? Select Summary Report to monitor the results. When the total # Samples value reaches 300, the test is complete. Questions: What is the Total Throughput value? ___________________ What is the Total KB/sec value? ____________________ What is the Total Avg. Bytes value? ___________________ ? In the Configuration Utility, view the Virtual Servers statistics. 
Questions: Was there a significant difference in the number of bits coming in or out of the virtual servers? _______________ How many maximum connections were opened for http_vs? ______________________ How many total connections were opened for http_vs? ________________________ How many maximum connections were opened for http_vs2? ______________________ How many total connections were opened for http_vs2? ________________________ ? Reset the statistics for both virtual servers. ? View the Pools statistics. Questions: Was there a significant difference in the number of bits coming in or out of the pools? _______________ Did caching lower the number of packets out for http_pool2? _____________ Did OneConnect lower the number of connections required for http_pool2? _____________ ? Reset the statistics for both pools and all pool members. ? From the Statistics Type list box, select Profiles Summary. ? Click the View link for HTTP Compression. Compression is now taking place for HTML content. ? Click the Back button, and then click the View link for Web Acceleration. There should now be many cache hits. ? Create an archive file named 7.1_performance_profiles_v11.4.1.1 MODULE 8 EXERCISES – PERSISTENCE PROFILES EXERCISE 1.8A – USING SOURCE ADDRESS PERSISTENCE In this exercise you will create a source address persistence profile and examine how it changes the BIG-IP load balancing decision. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 15 minutes TASK 1 – Update the HTTP Pool Update the HTTP pool to use round robin load balancing. ? In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images. ? Access https://10.128.1.245 and log in to the BIG-IP VE system. ? Open the Pool List page, and then select http_pool. ? Select the Members tab. ? Change the Load Balancing Method to Round Robin. ? Open a new Web browser and access http://10.128.10.20. Question: Are requests coming from one or several pool members? 
______________________ TASK 2 – Create a Source Address Persistence Profile Create a custom source address persistence profile and add it to the HTTP virtual server. ? In the Configuration Utility, open the Local Traffic > Profiles > Persistence page. ? Click Create. ? Create a persistence profile using the following information: Name custom_source_addr Persistence Type Source Address Affinity Timeout 15 seconds Mask Specify: 255.255.255.0 ? Click Finished. ? Open the Virtual Server List page, and then select http_vs. ? Select the Resources tab. ? From the Default Persistence Profile list, select custom_source_addr. ? Click Update. ? Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site. Questions: Are requests coming from one or several pool members? ______________________ Which pool member is supplying the content for this request? ____________________ ? Wait at least 15 seconds and then use Ctrl+F5 to refresh the page again. Questions: Was the same pool member used for this request? _______________ If not, why not? _________________________________________________________ ? In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page. ? Select Persistence Records from the Statistics Type list. ? Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site. ? Refresh the Statistics page. ? Continue to click Refresh and note the value in the Age column. ? Close the http://10.128.10.20 Web browser. EXERCISE 1.8B – USING COOKIE PERSISTENCE In this exercise you will create a custom cookie persistence profile, and then add it in place of the source address persistence profile. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 10 minutes TASK 1 – Create a Cookie Persistence Profile Create a custom cookie persistence profile, and then add it in place of the source address persistence profile. ? In the Configuration Utility, open the Local Traffic > Profiles > Persistence page. ? 
Create a persistence profile using the following information: Name custom_cookie Persistence Type Cookie Cookie Method HTTP Cookie Insert Cookie Name BIGIP_mycookie Expiration Session Cookie (cleared) 8 hours ? Click Finished. ? Open the Virtual Server List page, and then select http_vs. ? Select the Resources tab. ? From the Default Persistence Profile list, select custom_cookie. ? Click Update. Questions: Was the update successful? _______________ If not, why not? _________________________________________________________ ? Select the Properties tab. ? For HTTP Profile, select the default http profile. ? Repeat the steps above to update the persistence profile to custom_cookie. ? Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times. ? In the Content Examples on this Host section, select Display Cookie. ? In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page. ? ? Select Persistence Records from the Statistics Type list. Question: Is there a persistence record for this session? _______________ If not, why not? _________________________________________________________ EXERCISE 1.8C – VIEW PERSISTENCE WITH DISABLED AND OFFLINE POOL MEMBERS In this exercise you will examine how persistence works with both disabled and offline pool members. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 10 minutes TASK 1 – Update the Source Address Profile and the Virtual Server Update the timeout value in the source address persistence profile, and then update the HTTP virtual server to use the source address persistence profile. ? Open the Local Traffic > Profiles > Persistence page. ? Select custom_source_addr. ? Update the Timeout to 60 seconds. ? Open the Virtual Server List page, and then select http_vs. ? Select the Resources tab. ? From the Default Persistence Profile list, select custom_source_addr. ? Click Update. 
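Back in Exercise 1.8B, the Display Cookie step shows the value that HTTP Cookie Insert places in BIGIP_mycookie. The following is an added example, not part of the F5 guide, that decodes and encodes that value in its default unencrypted IPv4 form so you can confirm which pool member a browser session is pinned to; the function names and the sample values are assumptions constructed for this vLab's addressing.

```shell
#!/bin/sh
# Added example (not from the F5 guide): decode/encode the value of an
# unencrypted BIG-IP "HTTP Cookie Insert" persistence cookie for IPv4 members.
# Value layout: <IPv4 as little-endian 32-bit decimal>.<port, bytes swapped>.0000

# decode_bigip_cookie VALUE -> prints "a.b.c.d:port"; returns 1 on bad input
decode_bigip_cookie() {
    case "$1" in
        *.*.*) ;;
        *) echo "unexpected cookie format: $1" >&2; return 1 ;;
    esac
    enc_ip=${1%%.*}
    rest=${1#*.}
    enc_port=${rest%%.*}
    # Both fields must be plain decimal; a leading zero would be read as octal.
    for field in "$enc_ip" "$enc_port"; do
        case "$field" in
            ''|0?*|*[!0-9]*) echo "non-numeric field in: $1" >&2; return 1 ;;
        esac
    done
    # Range checks (length first, so oversized strings never reach arithmetic).
    [ "${#enc_ip}" -le 10 ] && [ "${#enc_port}" -le 5 ] &&
        [ "$enc_ip" -le 4294967295 ] && [ "$enc_port" -le 65535 ] ||
        { echo "field out of range in: $1" >&2; return 1; }
    port=$(( ((enc_port & 255) << 8) | (enc_port >> 8) ))
    printf '%d.%d.%d.%d:%d\n' \
        $(( enc_ip & 255 )) $(( (enc_ip >> 8) & 255 )) \
        $(( (enc_ip >> 16) & 255 )) $(( (enc_ip >> 24) & 255 )) "$port"
}

# encode_bigip_cookie IP PORT -> prints the value expected for that member.
# Inputs are assumed to be a valid dotted quad and a port in 1-65535.
encode_bigip_cookie() {
    ip=$1
    port=$2
    a=${ip%%.*}; ip=${ip#*.}
    b=${ip%%.*}; ip=${ip#*.}
    c=${ip%%.*}; d=${ip#*.}
    printf '%d.%d.0000\n' \
        $(( a + (b << 8) + (c << 16) + (d << 24) )) \
        $(( ((port & 255) << 8) | (port >> 8) ))
}

# Command-line use: pass one or more cookie values copied from the browser.
for value in "$@"; do
    decode_bigip_cookie "$value"
done
```

Because the value decodes directly to a pool member's address and port, it is worth encrypting wherever internal addressing should not be visible to clients.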
TASK 2 – View Effects of Disabled and Offline Pool Members Make a couple of modifications to the default http profile, and then examine which values were inherited by the custom HTTP profile. ? Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times. ? Question: Which pool member are you currently persisting to? _______________ ? In the Configuration Utility, disable the pool member from your answer above. ? Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site. Questions: Did you persist to the same pool member? _______________ Can disabled pool members service client requests? ________________ ? In the Configuration Utility, select Forced Offline for the pool member from your answer above. ? Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site. Questions: Did you persist to the same pool member? _______________ Can offline pool members service client requests? ________________ ? In the Configuration Utility, re-enable the pool member from your answer above. ? Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site. Question: Did your persistence session go back to the original pool member? _______________ ? Close the Web browser. EXERCISE 1.8D – USING MATCH ACROSS VIRTUAL SERVERS In this exercise you will use persistence with two virtual servers. It’s critical that users are persisted to the same pool member, regardless of which virtual server they access. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 10 minutes TASK 1 – Clear Statistics and View Access to Two Virtuals View how requests are currently being handled through both virtual servers. ? In the Configuration Utility, open the Virtual Server List page, and then select http_vs2. ? For Protocol Profile (Client), select tcp. ? For Protocol Profile (Server), select (Use Client Profile). ? For each of the following, select None. ? HTTP Profile ? OneConnect ? Click Update. ? 
Open the Statistics > Module Statistics > Local Traffic page. ? Ensure the statistics for both virtual servers, both pools, and all pool members have been reset. ? Open up a new Web browser and access https://10.128.10.20. ? Type Ctrl+F5 exactly three times. ? Open up a new Web browser and access https://10.128.10.21. ? Type Ctrl+F5 exactly three times. ? Close both Web browsers. ? In the Configuration Utility, refresh the pools statistics. Questions: Are requests for http_pool persisting to one pool member? _______________ Are requests for http_pool2 persisting to one pool member? ________________ ? Reset the statistics for both pools and all pool members. TASK 2 – Enable Persistence for http_vs2 Add the source address persistence profile to the second HTTP virtual server. ? Open the Virtual Servers page, and then select http_vs2. ? Select the Resources tab. ? For Default Persistence Profile, select custom_source_addr. ? Click Update. ? Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times. ? Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times. ? Close both Web browsers. ? In the Configuration Utility, refresh the pools statistics. Questions: Are requests for http_pool persisting to one pool member? _______________ Are requests for http_pool2 persisting to one pool member? ________________ Are requests for each different pool persisting to the SAME pool member? ___________ ? Reset the statistics for both pools and pool members. TASK 3 – Enable Match Across Virtual Servers Update the source address persistence profile to use the Match Across Virtual Servers option. ? Open the Persistence profiles page, and then select custom_source_addr. ? Enable Match Across Virtual Servers. ? Click Update. ? Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times. ? Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times. ? 
Close both Web browsers. ? In the Configuration Utility, refresh the pools statistics. Question: Are requests for each different pool persisting to the SAME pool member? ___________ ? Reset the statistics for both pools and pool members. ? Create an archive file named 1.8_persistence_profiles_v11.4.0.1. MODULE 9 EXERCISES – SSL TERMINATION EXERCISE 1.9A – SUPPORTING SSL TRAFFIC In this exercise you’ll set up the BIG-IP to support processing SSL traffic. First you’ll configure the BIG-IP to simply pass SSL traffic through to the pool members. Then you’ll configure the BIG-IP for SSL termination. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 20 minutes TASK 1 – Create a Self-Signed Certificate Create a self-signed certificate for www.f5demo.com. ? In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images. ? Access https://10.128.1.245 and log in to the BIG-IP VE system. ? Open the System > File Management > SSL Certificate List page. ? Click Create. ? Create a self-signed certificate using the following information: Name custom_ssl_cert Type Self Common Name www.f5demo.com Lifetime 3650 days Key Type RSA Size 2048 bits Fill in the remaining fields however you like. ? Click Finished. TASK 2 – Create a Client SSL Profile Create a client SSL profile using the self-signed certificate. ? Open the Local Traffic > Profiles > SSL > Client page. ? Click Create. ? Create a client SSL profile using the following information: Name custom_client_ssl Certificate custom_ssl_cert Key custom_ssl_cert ? Click Finished. TASK 3 – Create a Custom HTTPS Monitor Create a custom HTTPS monitor that requests the index.php Web page from the pool member and then verifies that a text string is returned in the response. ? Open the Local Traffic > Monitors page. ? Create a monitor using the following: Name custom_https_monitor Type HTTPS Send String GET /index.php\r\n Receive String FSE vLab Test Web Site ? Click Finished.
TASK 4 – Create an HTTPS Pool and Virtual Server Create a pool and a virtual server to support SSL traffic, and then test access using a Web browser. ? Open the Pool List page. ? Create a pool using the following: Name https_pool Health Monitors custom_https_monitor Load Balancing Method Round Robin Members (Use the Node List option) Node Service Port 10.128.20.11 443 10.128.20.12 443 10.128.20.13 443 10.128.20.14 443 10.128.20.15 443 ? Click Finished. ? Open the Virtual Server List page. ? Create a virtual server using the following: Name https_vs Destination Host: 10.128.10.20 Service Port 443 (or HTTPS) Default Pool https_pool ? Click Finished. ? Open a new Web browser and access https://10.128.10.20. ? View the URI and the information in the Pool member address/port. Questions: Is the connection between the client and BIG-IP LTM secured? _____________ Is the connection between BIG-IP LTM and the pool member secured? _____________ ? Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page. Each request is load balanced to different pool members. ? Close the Web browser. TASK 5 – Add Cookie Persistence to the HTTPS Virtual Server Attempt to add cookie persistence to the HTTPS virtual server and then verify the results. ? In the Configuration Utility, open the Virtual Server List page, and then select https_vs. ? For HTTP Profile, select custom_http_profile. ? Click Update. ? Select the Resources tab. ? For Default Persistence Profile, select custom_cookie. ? Click Update. ? Open a new Web browser and access https://10.128.10.20. Questions: Did the Web page display? _____________ If not, why not? _______________________________________________________ TASK 6 – Enable SSL Termination with the HTTPS Virtual Server Enable SSL termination on the HTTPS virtual server, and then verify the results. ? In the Configuration Utility, on the https_vs page, open the Properties page. ? 
For SSL Profile (Client), move custom_client_ssl from the Available list to the Selected list. ? For SSL Profile (Server), move serverssl from the Available list to the Selected list. ? Click Update. ? Refresh the https://10.128.10.20 Web browser. ? Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page. ? Update the URI to https://10.128.10.20/badpage.exe. Questions: Did the Web page display? _____________ Is the connection between the client and BIG-IP LTM secured? _____________ Is the connection between BIG-IP LTM and the pool member secured? _____________ Is cookie persistence working? _____________ Is BIG-IP LTM processing the HTTP profile? _____________ ? Edit the URI to https://10.128.10.20. ? Right-click and select Properties. ? Click Certificates. Question: How can you identify that this is a self-signed certificate? _________________________ ? Close the Web browser. EXERCISE 1.9B – ENABLING SSL OFFLOAD In this exercise you will update the HTTPS virtual server to perform SSL offload, sending unencrypted traffic to the pool members. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 20 minutes TASK 1 – Import an SSL Certificate and Key Import the lamp.f5demo.com certificate and key. ? In the Configuration Utility, open the System > File Management > SSL Certificate List page. ? Click Import. ? From the Import Type list, select Certificate. ? In the Certificate Name box, leave Create New selected and type lamp. ? Click the Browse button. ? Navigate to the Exercise_Files folder and select the lamp.f5demo.com.cer file, and then click Open. ? Click Import. ? Once the certificate has been imported, click Import again to import the corresponding key. ? From the Import Type list, select Key. ? In the Key Name box, leave Create New selected and type lamp. ? Click the Browse button. ? Navigate to the Exercise_Files folder and select the lamp.f5demo.com.key file, and then click Open. ? Click Import. 
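The certificate checks that Exercises 1.9A and 1.9B perform in the browser (is the certificate self-signed, who issued it, when does it expire) and the pairing of an imported key with its certificate can also be verified on a workstation with the openssl command line. This is an added example, not part of the F5 guide; the function names and file names are assumptions, input files are expected in PEM format, and make_self_signed only creates a throwaway sample with the Task 1 parameters.

```shell
#!/bin/sh
# Added example (not from the F5 guide): workstation-side certificate checks.

# Create a throwaway self-signed certificate (RSA 2048, 3650 days), mirroring
# the values entered in Exercise 1.9A Task 1. Constructed sample input only.
make_self_signed() {    # usage: make_self_signed CERT KEY COMMON_NAME
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$3" -keyout "$2" -out "$1" 2>/dev/null
}

# Print a certificate's subject or issuer as one normalized line.
cert_name() {           # usage: cert_name CERT subject|issuer
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Self-signed means the issuer equals the subject AND the signature verifies
# with the certificate's own public key. The verify output is matched on
# ": OK" because older openssl releases exit 0 even when verification fails.
is_self_signed() {      # usage: is_self_signed CERT
    [ "$(cert_name "$1" subject)" = "$(cert_name "$1" issuer)" ] || return 1
    openssl verify -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

# A key belongs to a certificate when both yield the same public key.
# Comparing public keys works for RSA and EC alike.
key_matches_cert() {    # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid DAYS days from now.
cert_outlives_days() {  # usage: cert_outlives_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Summarize one certificate/key pair before importing it.
report() {              # usage: report CERT KEY
    if is_self_signed "$1"; then
        echo "self-signed: issuer and subject are both $(cert_name "$1" subject)"
    else
        echo "issued by: $(cert_name "$1" issuer)"
    fi
    echo "expires: $(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')"
    if key_matches_cert "$1" "$2"; then
        echo "key matches certificate"
    else
        echo "key does NOT match certificate"
    fi
}

# Command-line use: sh check_cert.sh CERT.pem KEY.pem
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```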
TASK 2 – Create a Client SSL Profile Create a new custom client SSL profile using the lamp.f5demo.com certificate and key. ? Open the Local Traffic > Profiles > SSL > Client page. ? Create a client SSL profile using the following information: Name lamp_client_ssl Certificate lamp Key lamp ? Click Finished. TASK 3 – Update Your Local Hosts File Add an entry to your local hosts file for lamp.f5demo.com. ? Open Notepad using Run as Administrator. (HINT: Right-click on Notepad in the Start menu.) ? Open the C:\Windows\System32\drivers\etc\hosts file. ? Add an entry for: 10.128.10.30 lamp.f5demo.com ? Save and close the hosts file. TASK 4 – Create an Offload Virtual Server Create a new virtual server that will perform SSL offload. ? Open the Virtual Server List page. ? Create a virtual server using the following: Name offload_vs Destination Host: 10.128.10.30 Service Port 443 (or HTTPS) Configuration Advanced HTTP Profile custom_http_profile Stream Profile custom_stream SSL Profile (Client) lamp_client_ssl HTTP Compression Profile custom_compression Default Pool http_pool Default Persistence Profile custom_cookie ? Click Finished. ? Open a new Web browser and access https://lamp.f5demo.com. ? View the URI and the information in the Pool member address/port. Questions: Is the connection between the client and BIG-IP LTM secured? _____________ Is the connection between BIG-IP LTM and the pool member secured? _____________ Is cookie persistence working? _____________ ? Select the Request and Response Headers link. Question: Is the BIG-IP processing the HTTP profile? _____________ ? Click the Back button, and then select the Stream Profile Example link. Question: Is the BIG-IP processing the stream profile? _____________ TASK 5 – Verify the New Certificate Test the new certificate being used by the offload virtual server. ? Right-click the page and select Properties. ? Click Certificates. Question: Who issued this certificate?
_____________________________ When does it expire? _________________________________ ? Close the Web browser. ? In the Configuration Utility, create an archive file named 1.9_ssl_termination_v11.4.0.1. MODULE 10 EXERCISES – NATS AND SNATS EXERCISE 1.10A – USING A NAT In this exercise you will configure a NAT to pass traffic between an external device and a specific internal node. * Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 10 minutes TASK 1 – Configure a NAT Create a custom NAT to give external users access to a specific node in the 10.128.20.0 network. ? Access https://10.128.1.245 and log in to the BIG-IP VE system. ? Open the Local Traffic > Address Translation > NAT List page. ? Click Create. ? Create a NAT using the following: Name custom_NAT NAT Address 10.128.10.200 Origin Address 10.128.20.13 State Enabled ? Click Finished. TASK 2 – Testing the NAT – Inbound Test the NAT by opening the new NAT address using several application services. ? Open a new Web browser and access http://10.128.10.200. Note that all items are coming from pool member #3 (10.128.20.13). ? Edit the URL to https://10.128.10.200. ? Using Putty, open an SSH session to 10.128.10.200. ?NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient. Note that you can connect to multiple services through the NAT and that you are always connected to 10.128.20.13. ? Close the Web browser and the Putty window. TASK 3 – Disable the NAT Disable the NAT to ensure that it won’t interfere with future exercises. ? In the Configuration Utility on the NAT List page, select custom_NAT. ? From the State list, select Disabled. ? Click Update. ? Confirm that the NAT is no longer available by opening a new Web browser and attempting to access http://10.128.10.200. EXERCISE 1.10B – USING SNATS In this exercise you will configure a SNAT to pass traffic between an external device and internal nodes.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2 * Estimated completion time: 25 minutes TASK 1 – Testing Behavior without a SNAT Open the HTTP virtual server and examine what the back-end Web server sees as the client IP address. ? Open a new Web browser and access http://10.128.10.20. ? View the information in the Request Details section. Questions: What is the client IP address? __________________________ What device “owns” this IP address? _________________________________ TASK 2 – Using SNAT Auto Map with the HTTP Virtual Server Update the HTTP virtual server by enabling SNAT Auto Map. ? In the Configuration Utility, open the Virtual Server List page, and then select http_vs. ? In the Configuration section, from the Source Address Translation list, select Auto Map. ? Click Update. ? Use Ctrl+F5 to refresh the http://10.128.10.20 Web page. Questions: What is the client IP Address? __________________________ What device “owns” this IP address? ________________________ When using SNAT, how can we ensure that the back-end Web server can identify the true client IP address? _________________________________________________________________________ ? In the Configuration Utility, update http_vs by selecting custom_http_profile. ? In the http://10.128.10.20 Web page, select the Request and Response Headers link. Question: What is the X-Forwarded-For value? _________________________ ? Close the Web browser. TASK 3 – Create a SNAT Create a custom SNAT to give external users in the 10.128.10.0 network access to several nodes in the 10.128.20.0 network. ? In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page. ? Click Create. ? Create a SNAT using the following: Name custom_SNAT Translation IP Address: 10.128.20.201 Origin Address List Address List Network Address: 10.128.10.0 Mask: 255.255.255.0 (be sure to click Add) ? Click Finished. ? Open a new Web browser and access http://10.128.10.20. ? Update the URI to http://10.128.10.21. ? 
Update the URI to https://10.128.10.20. ? Close the Web browser. Questions: Did every connection use the new SNAT? __________________ If not, which one didn’t? __________________________________________________ ? Update the http_vs by selecting None for Source Address Translation. ? Update the http_vs2 by selecting None for Source Address Translation. ? Open a new Web browser and access http://10.128.10.20. ? Edit the URI to http://10.128.10.21. ? Close the Web browser. TASK 4 – Create a SNAT Pool Create a SNAT pool and then use the SNAT pool with a virtual server. ? In the Configuration Utility, open the Local Traffic > Address Translation > SNAT Pool List page. ? Click Create. ? Create a SNAT pool using the following: Name custom_SNAT_pool Member List 10.128.20.222 10.128.20.223 10.128.20.224 (be sure to click Add) ? Click Finished. ? Open the Virtual Server List page, and then select http_vs2. ? For Source Address Translation, select SNAT. ? For SNAT Pool, select custom_SNAT_pool. ? Click Update. ? Open a new Web browser and access http://10.128.10.21. Question: Which IP address was used for the SNAT address? _____________________________ ? Close the Web browser. TASK 5 – Creating a SNAT for Internal Users Create a SNAT to give internal users access to external resources through BIG-IP LTM. ? In the VMware Workstation console, select the LAMP image and click Login. ? Open Firefox and attempt to access http://www.yahoo.com. ?NOTE: The request should fail. If your request is successful, it’s likely because you enabled Network Adapter 4 for the Ubuntu image in VMware Workstation. ? In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page. ? Create a SNAT using the following: Name internal_SNAT Translation IP Address: 10.128.1.100 Origin Address List Address List Network Address: 10.128.20.0 Mask: 255.255.255.0 (be sure to click Add) ? Click Finished. ? In the LAMP VMware image, refresh the http://www.yahoo.com Web page. ? 
In the Configuration Utility, create an archive file named 1.10_nat_snat_v11.4.0.1. TASK 6 – Delete the SNATs Delete both SNATs as they aren’t needed for the remaining exercises. ? In the Configuration Utility, on the SNAT List page, select the checkbox for both custom_SNAT and internal_SNAT, and then click Delete twice. MODULE 10 EXERCISES – IRULES EXERCISE 1.11A – WRITING YOUR FIRST IRULE In this exercise you’ll download and install the iRule Editor from DevCentral. You’ll then use the iRule Editor to connect to your BIG-IP and write your first iRule. You’ll then download an iRule from DevCentral and use the iRule as is. * Estimated completion time: 25 minutes TASK 1 – Download the iRule Editor Access and log in to DevCentral, and then download the iRule Editor. You do not need to perform this task if you already have the iRule Editor installed on your workstation. ? Open a new Web browser and access http://devcentral.f5.com. ? Login using your DevCentral user account, or create a DevCentral user account. ? On the left navigation menu select iRules. ? On the left navigation menu select iRule Editor. ? Download and install the iRulerSetup.msi file. TASK 2 – Open the iRule Editor Open the iRule Editor and explore the application. ? From your Start menu, launch the F5 iRule Editor. ? Click the iRules Reference button. This opens the iRules Wiki Home page on DevCentral. ? Close the Web browser. ? Click the TCL Reference button. This opens the TCL command reference page. ? Click the set link. We’ll be covering the set command shortly. ? Close the Web browser. ? TASK 3 – Use the iRule Editor to Connect to Your BIG-IP Use the iRule Editor to connect to the external self IP address of your BIG-IP system. ? In the iRule Editor, select File > Connect. ? In the Hostname box type 10.128.10.240. ? In the Username and Password boxes enter the username and password you created in Exercise 1.1C. ? Click OK. Questions: Did you successfully connect? 
________________ Which port is being used to connect to the BIG-IP system? __________________ ? Access https://10.128.1.245 and log in to the BIG-IP VE system. ? Open the Network > Self IPs page, and then select external_selfIP. ? Add the required port to the Custom List, and then click Update. ? In the iRule Editor, attempt to connect again using the same username and password. TASK 4 – Create Your First iRule Create a basic iRule to log information when a client connection is accepted by the BIG-IP. ? In the left navigation menu of the iRules Editor, select Local Traffic. ? Select File > New. ? Name the new iRule exercise_iRule. ? Select the Custom tab. ? Select the CLIENT_ACCEPTED event, and then click OK. ? Edit the text inside of the double-quotes to: "Client connection accepted" ? Select the View menu. By default, the iRule Editor displays several annotations to help you write iRules. ? Select both Whitespace and End of Line. ? Click Save. This will check the syntax of the iRule. You’ll get a notification at the bottom of the iRules Editor of any syntax errors. ? In the Configuration Utility, open the Local Traffic > iRules > iRules List page. The iRule was saved on the BIG-IP. ? Select exercise_iRule. Note how different it is viewing and editing an iRule in the Configuration Utility versus the iRule Editor. TASK 5 – Add the iRule to the HTTP Virtual Server Add the new iRule to the existing HTTP virtual server, and then verify the iRule. ? Open the Virtual Server List page, and then select http_vs. ? Ensure that the HTTP Profile is set to http. Click Update if necessary. ? Open the Resources page. ? For Default Persistence Profile, select None. ? Click Update. ?NOTE: We are removing persistence in order to use iRules for all BIG-IP LTM load balancing decisions. ? In the iRule section, click Manage. ? Move the exercise_iRule from the Available list to the Enabled list. ? Click Finished. ? ? Open Putty and access and log in to 10.128.10.240. 
NOTE: For easier viewing of log entries, we recommend resizing the Putty window, making it bigger both horizontally and vertically.

* At the CLI prompt, type: tail -f /var/log/ltm
* Type the Enter key a few times to move the existing log entries to the top of the window.
* Open up a new Web browser and access http://10.128.10.20.
* View the Putty window.

Questions:
Was the iRule triggered? _______________
How many client connections were required for this request? _________________

TASK 6 – Save the Current iRule to your Offline iRules

Create a new iRule, then copy your current iRule to the new iRule, and then copy the new iRule to your offline iRules.

* In the iRule Editor, select Local Traffic, and then select File > New.
* Name the new iRule exercise1A_iRule, use the Blank template, and then click OK.
* Copy the code from exercise_iRule and paste into exercise1A_iRule.
* Save exercise1A_iRule.
* Right-click exercise1A_iRule and select Copy Offline. The new iRule is saved under Offline iRules, which is stored on your local workstation. This will enable you to use this iRule on any BIG-IP that you can connect to.

NOTE: In the iRules exercises, we will continue to make modifications to the exercise_iRule, and then save the iRule from each exercise to your Offline iRules. This will enable us to continue to make updates to the iRule without needing to update the virtual server.

TASK 7 – Using an iRule from DevCentral

Use an iRule from DevCentral to prevent valid credit card numbers from being returned to users.

* Open a new Web browser and access http://10.128.10.20.
* Select the Mask Sensitive Content Example link. This page contains confidential information that we’d like to prevent from being sent in an HTTP response.
* In the iRule Editor, use the iRules Reference button to access DevCentral.
* On the left navigation menu, select CodeShare.
* Find an iRule that scrubs out credit cards from HTTP traffic. (NOTE: Don’t use the iRule that uses a stream profile.)
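How response scrubbing of the kind Task 7 asks for works, as an added example (it is not the DevCentral CodeShare iRule and not part of the original guide): the iRule buffers text responses, finds runs of 13 to 16 digits, and masks only those that pass the Luhn check. The 1 MB collection cap, the digit pattern, and the mask variable are assumptions of this example.

```tcl
# Added example: mask Luhn-valid card numbers in HTTP response bodies.
# Assumptions (not from the guide): 1 MB buffer cap, digit pattern, $mask.

when HTTP_REQUEST {
    # Ask the server for an uncompressed body; a compressed payload
    # cannot be searched for digit runs.
    HTTP::header remove "Accept-Encoding"

    # Request HTTP/1.0 so the server does not send a chunked response,
    # keeping the connection alive if the client asked for that.
    if { [HTTP::version] eq "1.1" } {
        if { [HTTP::header is_keepalive] } {
            HTTP::header replace "Connection" "Keep-Alive"
        }
        HTTP::version "1.0"
    }
}

when HTTP_RESPONSE {
    # Buffer only text responses, and never more than 1 MB.
    if { [HTTP::header value "Content-Type"] starts_with "text/" } {
        set collect_len 1048576
        if { [HTTP::header exists "Content-Length"] && [HTTP::header value "Content-Length"] < 1048576 } {
            set collect_len [HTTP::header value "Content-Length"]
        }
        if { $collect_len > 0 } {
            HTTP::collect $collect_len
        }
    }
}

when HTTP_RESPONSE_DATA {
    # Single masking character, so the body length never changes.
    set mask "X"
    set payload [HTTP::payload]

    # Candidates: 13 to 16 digits, optionally separated by one space or hyphen.
    set hits [regexp -all -inline -indices {\d(?:[ -]?\d){12,15}} $payload]

    foreach hit $hits {
        set start [lindex $hit 0]
        set end   [lindex $hit 1]
        set digits [string map {" " "" "-" ""} [string range $payload $start $end]]

        # Luhn check: walk right to left, doubling every second digit.
        set sum 0
        set alt 0
        for { set i [expr {[string length $digits] - 1}] } { $i >= 0 } { incr i -1 } {
            set d [string index $digits $i]
            if { $alt } {
                set d [expr {$d * 2}]
                if { $d > 9 } { incr d -9 }
            }
            incr sum $d
            set alt [expr {!$alt}]
        }

        # Mask only numbers that pass the check. The replacement has the
        # same length as the match, so the remaining offsets stay valid.
        if { $sum % 10 == 0 } {
            set n [expr {$end - $start + 1}]
            HTTP::payload replace $start $n [string repeat $mask $n]
        }
    }

    # Send the (possibly modified) response on to the client.
    HTTP::release
}
```

Responses larger than the collection cap are only scrubbed up to that point, and any 13 to 16 digit run that happens to pass the Luhn check is masked even if it is not a card number.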
* In the iRules Source section, click on the view source button.
* Select and copy all of the iRules code.
* In the iRule Editor, for exercise_iRule, delete the existing code, and then paste the contents of the credit card scrubber.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/privatedata.html Web page.
* Close the Web browser.

FOR EXTRA CREDIT

* Update the iRule to change the character used for scrubbing from “X” to “*”.
* Test by refreshing the credit card accounts page.

TASK 8 – Save the Current iRule to your Offline iRules

* In the iRule Editor, select Local Traffic, and then select File > New.
* Name the new iRule exercise1B_iRule, use the Blank template, and then click OK.
* Copy the code from exercise_iRule and paste into exercise1B_iRule.
* Save exercise1B_iRule.
* Right-click exercise1B_iRule and select Copy Offline.

EXERCISE 1.11B – USING IRULE EVENTS

In this exercise you experiment with some of the events that you can use to trigger an iRule.

* Estimated completion time: 20 minutes

TASK 1 – Update the iRule with Multiple Events

Update the exercise_iRule by adding several events.

* In the iRule Editor, select exercise1A_iRule and copy all of the code.
* Select exercise_iRule and delete all of the existing code, and then paste the copied text.
* Place the cursor at the beginning of line 1, and then type Enter a couple of times.
* At the beginning of line 1 start typing the word when.
* When the iRule Editor prompts for the word, type the Enter key to accept the full word when.
* After when, start typing RULE_ and then hit Enter to accept the RULE_INIT event.
* After RULE_INIT, type a {, then type the Enter key twice, and then type a }. This is a good method for ensuring that you have a closing curly brace for every opening curly brace.
* Move your cursor after the indent in line 2.
* Type the following command and arguments: log local0. "iRule created or updated"
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.

NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.

* In the iRule Editor, save the exercise_iRule, and then view the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

* Type the Enter key a few times to move the existing log entries to the top of the window.
* Open a new Web browser and access http://10.128.10.20.
* View the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the CLIENT_ACCEPTED event:
* Save the iRule.
* In the http://10.128.10.20 Web page select the Welcome link.
* View the Putty window.

Question: How many HTTP requests are needed to build this Web page? ________________

* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the HTTP_REQUEST event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.

Question: Was a different pool member selected for each HTTP request? ________________

* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the LB_SELECTED event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the SERVER_CONNECTED event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.

TASK 2 – Enable Caching and Compression on the HTTP Virtual Server

Enable caching, compression, and OneConnect on the HTTP virtual server, and then examine the difference in the iRule results.

* In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
* Configure the following:
  * HTTP Profile: custom_http_profile
  * OneConnect Profile: custom_oneconnect
  * HTTP Compression Profile: custom_compression
  * Web Acceleration Profile: custom_caching
* Click Update.
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* In Putty, type the Enter key five times.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* Close the Web browser.
* View the Putty window.

Question: How did these profiles change the results of the iRule triggering? _______________________________________________________________________

* In the Configuration Utility, on the http_vs Properties page, configure the following:
  * HTTP Profile: http
  * OneConnect Profile: None
  * HTTP Compression Profile: None
  * Web Acceleration Profile: None
* Click Update.

NOTE: We are removing these profiles to ensure that BIG-IP LTM makes load balancing decisions for each request and doesn’t serve up content from its cache.

TASK 3 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise2_iRule using the Blank template.
* Copy the code from exercise_iRule and paste into exercise2_iRule.
* Save exercise2_iRule.
* Right-click exercise2_iRule and select Copy Offline.

EXERCISE 1.11C – USING VARIABLES

In this exercise you will set variables in an iRule, and then reference and manipulate the variables.

* Estimated completion time: 20 minutes

TASK 1 – Set Variables in an iRule

Update the exercise_iRule by setting several variables.

* In the iRule Editor, select exercise_iRule.
* Delete all of the existing events EXCEPT for the HTTP_REQUEST event.
* In the line directly after the when HTTP_REQUEST line, type:
    set name "Chris" (use your own first name)
    set last_name "Manly" (use your own last name)
    set price 9.95
    set quantity 5

TASK 2 – Reference Variables in an iRule

Update the exercise_iRule by referencing the variables you set in the previous task.

* Edit the log local0. message to: log local0. "$name $last_name made an HTTP request"
* Save the iRule.
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.

NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.

* Open a new Web browser and access http://10.128.10.20/httprequest.php.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, create a second log entry: log local0. "Order made for $quantity items at $$price each"

NOTE: Be sure to include two dollar signs before “price”.

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window. Note that the iRule was able to identify that $price was referencing a variable, and the dollar sign before that was interpreted as a regular text string.
* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 3 – Manipulating Variables

Update the exercise_iRule by using the append, incr, and expr commands.

* In the iRule Editor, in the line after setting your last name, type:
    append name " " (there should be one space between the quotes)
    append name $last_name
* Edit the first log local0. message to: "$name made an HTTP request"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, in the line after the final log local0. statement, type:
    incr quantity 2
    log local0. "Due to our special, $name will receive $quantity items"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, in the line after setting the quantity, type:
    set total [expr { $price * $quantity } ]
    set tax [expr { $total * .09 } ]
    set grand_total [expr { $total + $tax } ]
* In the line after the final log local0. statement, type:
    log local0. "Total: $$total, tax: $$tax, for a grand total of $$grand_total"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

TASK 4 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise3_iRule using the Blank template.
* Copy the code from exercise_iRule and paste into exercise3_iRule.
* Save exercise3_iRule and then copy it to your Offline iRules.

EXERCISE 1.11D – USING TCL AND IRULES COMMANDS

In this exercise you will use several TCL and iRules commands to base your existing iRules on dynamic connection information.

* Estimated completion time: 30 minutes

TASK 1 – Update the iRule using iRules Commands

Update the iRule you created in exercise 2 by logging information based on the actual client connection.

* In the iRule Editor, select exercise2_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* Update the CLIENT_ACCEPTED event as follows:
* Update the LB_SELECTED event as follows:
* Update the SERVER_CONNECTED event as follows:
* Update the HTTP_RESPONSE event as follows:
* Save the iRule and ensure you don’t receive any syntax errors.
* Open a new Web browser and access http://10.128.10.20/httprequest.php.
* View the Putty window.
In the next section we will be discussing using conditional statements. Start thinking about the traffic management decisions you could make on the BIG-IP system using any of the information that you sent to the log file.

* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 2 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise4A_iRule.
* Copy the code from exercise_iRule and paste into exercise4A_iRule.
* Save exercise4A_iRule, and then copy it to your Offline iRules.

TASK 3 – Update the iRule using HTTP Commands

Experiment with the different HTTP commands that are available in an iRule.

* Select exercise_iRule.
* Delete all of the existing events EXCEPT for the when HTTP_REQUEST event.
* Update the HTTP_REQUEST event as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Edit the URI to http://10.128.10.20/httprequest.php?user=bob.

Question: Which value changed between the two requests? _________________________________

* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 4 – Create a Custom Response Page

Using the iRule, create a custom HTTP response page to be sent for all client requests.

* In the iRules Editor, select exercise_iRule.
* After the HTTP_REQUEST event add the following HTTP_RESPONSE event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php?user=bob Web page.

Question: Did you receive the custom Webpage? ___________________

In the next lesson we’ll cover using conditional statements. Be thinking about what information you could use to determine whether or not to display this error page for user requests.

TASK 5 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise4B_iRule.
* Copy the code from exercise_iRule and paste into exercise4B_iRule.
* Save exercise4B_iRule, and then copy it to your Offline iRules.

TASK 6 – Use the Stream Command

In Exercise 1.6B you used a Stream profile in the Configuration Utility. As you learned, one of the limitations of the Stream profile is that you can only find one text string to replace with another. You will now use the stream command in an iRule to find multiple text streams and replace them with different values.

* In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
* Configure the following:
  * Stream Profile: stream
  * HTTP Compression Profile: custom_compression
* Click Update.

NOTE: Even when you use the stream command in an iRule, you still need to include the default Stream profile, and in addition you need to ensure that the Web servers aren’t compressing content (which is achieved by using an HTTP compression profile).

* In the iRules Editor, select exercise_iRule.
* Delete all of the lines contained within the HTTP_RESPONSE event (but leave the event itself).
* Save the iRule.
* Open a new Web browser and access http://10.128.10.20/lorax.php. There are references to “Lorax Bank”, “Lorax Finances”, and “savings accounts”.
* In the iRule Editor, update the HTTP_RESPONSE event as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. The references to “Lorax Bank” have been replaced with “Lorax Investments”.
* Update the STREAM::expression as follows:
    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@}

NOTE: Type all of the previous expression on one line.

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. All references to the previous entries have been replaced with the updated entries.
* Click on the top graphic to go back to the home page.
* From the http://10.128.10.20 page, select the Multiple Stream Example link.

NOTE: The graphics in the second column on this page are “broken” links.
* Right-click on the page and select View Source.

Question: What are the URLs that the broken image links are pointing to? ____________________________________________________________________

* Close the source code page.
* Update the STREAM::expression as follows:
    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@ @http://server1.hostingsite.com/images@/images@}
* Save the updated iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/badlinks.html Web page.

Question: Why did the first two pictures display properly, but the third picture still doesn’t display? _________________________________________________________________

* Update the stream expression so that all three graphics display on the page.

TASK 7 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise4C_iRule.
* Copy the code from exercise_iRule and paste into exercise4C_iRule.
* Save exercise4C_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11E – USING CONDITIONAL STATEMENTS

In this exercise you will add conditional statements to your iRules, using if, elseif, and else statements, in addition to the stream command.

* Estimated completion time: 40 minutes

TASK 1 – Update the Custom Error Page iRule

Update the iRule you created earlier that displays a custom error page by using a conditional statement to determine the HTTP response status and displaying the error page only when the user receives a 404 error.

* In the iRule Editor, select exercise4B_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* Update the HTTP_RESPONSE event as follows:

NOTE: The indenting within the if command isn’t required; however it can make the iRule easier to read.

* Save the iRule and ensure you don’t receive any syntax errors.
* Open a new Web browser and access http://10.128.20.10.
* Edit the URI to http://10.128.20.10/index.html.
* Close the Web browser.

Because this Web server doesn’t have an index.html file, it responded with a 404 error status. Instead of simply passing the 404 error to the client, we can present them with more useful information in the custom Web page.

TASK 2 – Create Three Wildcard Pools

In the next several iRule examples we’ll be making traffic management decisions. Create three pools to use within these iRules.

* In the Configuration Utility, open the Pool List page.
* Create a pool using the following:
    Name: iRules_pool1
    Health Monitors: gateway_icmp
    Load Balancing Method: Round Robin
    Members (Use the Node List option): Node 10.128.20.11, Service Port * (All Services)
* Create another pool using the following:
    Name: iRules_pool2
    Health Monitors: gateway_icmp
    Load Balancing Method: Round Robin
    Members (Use the Node List option): Node 10.128.20.12, Service Port * (All Services)
* Create another pool using the following:
    Name: iRules_pool3
    Health Monitors: gateway_icmp
    Load Balancing Method: Round Robin
    Members (Use the Node List option): Node 10.128.20.13, Service Port * (All Services)
* Create another pool using the following:
    Name: iRules_pool4
    Health Monitors: gateway_icmp
    Load Balancing Method: Round Robin
    Members (Use the Node List option): Node 10.128.20.14, Service Port * (All Services)

TASK 3 – Use an iRule for Traffic Management Decisions

Use the iRule to make traffic management decisions based on the requested file type.

* In the iRule Editor, update the HTTP_REQUEST event as follows:

This iRule will identify the file type of the user request. If the file type is php, the request will be routed to the iRules_pool1 pool. Because we’re now using the iRule for traffic management decisions, we need to remove the default pool from the virtual server.

* Save the iRule.
* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Open the Resources page.
* For Default Pool, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.20/welcome.php.

Questions:
Did the page display properly? ___________________
If not, why not? ______________________________________________________

* In the iRule Editor, update the HTTP_REQUEST as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.

Questions:
Did the page display properly? ___________________
If yes, which pool supplied the welcome.php page? ______________________________
Which pool supplied the graphics? _______________________________

* Click on the top graphic to go back to the home page.

Questions:
Did the page display properly? ___________________
If not, why not? ______________________________________________________

* In the iRule Editor, update the HTTP_REQUEST as follows:

Since we no longer have a default pool associated with the virtual server, it’s a good idea to have an else statement for requests that don’t match the if or the elseif conditions.

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.

Questions:
Did the page display properly? ___________________
Which pool supplied the index.php page? ________________________
Which pool supplied the F5 logo at the bottom of the page? _________________________
Why wasn’t this graphic supplied by iRules_pool2? _____________________________

TASK 4 – Manage Traffic Based on the Service Port

Create a new iRule that will manage traffic based on the request’s application port.

* In the iRule Editor, create a new iRule using the blank template named wildcard_iRule.
* Use the following to create this iRule:
* Save the iRule.

TASK 5 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports.

* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following:
    Name: wildcard_vs
    Destination: Host 10.128.10.40
    Service Port: * (All Ports)
    iRules: wildcard_iRule
    Default Pool: None
* Open a Web browser and access http://10.128.10.40.

Question: Which pool supplied this request? ___________________

* Edit the URI to https://10.128.10.40.

Question: Which pool supplied this request? ___________________

* Edit the URI to http://10.128.10.40:8081.

Questions:
Which pool supplied this request? ___________________
How was BIG-IP LTM able to view the iRule and make traffic management decisions when there’s no HTTP profile configured on the virtual server? ___________________________________________________________________________

* Close the Web browser.

TASK 6 – Update the iRule to Use the Switch Operator

Update the wildcard_iRule to use the switch operator in place of the if, elseif, else statements.

* In the iRules Editor, update the wildcard_iRule as follows:

In this statement, the -exact argument is optional. The $requestport variable is the value that we are comparing to either 80, 443, or 8081. The statements after the 80, 443, and 8081 are the actions to take if the port value matches. The default statement is for all requests that don’t match port 80, 443, or 8081.

* Save the iRule.
* Test by using a new Web browser to access http://10.128.10.40, http://10.128.10.40:8081, and https://10.128.10.40.
* Close the Web browser.
* In the configuration utility, access the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics.
* Reset the statistics for all pools and all pool members.
* Open a new Putty session and access 10.128.10.40.

NOTE: It’s not necessary to log into the BIG-IP, receiving the login prompt is sufficient.

* In the configuration utility, refresh the pools statistics.

Question: Which pool supplied this request? ___________________

* Close Putty.
* Copy the wildcard_iRule to your Offline iRules.

TASK 7 – Use the Switch Operator to Manage Traffic Based on the File Type

Create an iRule to determine the requested file type.
If the request is for an unauthorized file type we’ll present a custom error page for the user. Otherwise we’ll route all requests for graphic files to one pool, PHP pages to another pool, and all other requests to a third pool.

* Open a new Web browser and access http://10.128.10.20.
* Edit the URI to http://10.128.10.20/calc.exe.
* Attempt to run the application.
* Edit the URI to http://10.128.10.20/basic.css.
* Close the Web browser.

Currently this Web application contains files that shouldn’t be accessed by users. We’ll use the iRule to block access to these file types.

* In the iRules Editor, select exercise_iRule.
* Delete the lines containing the if, elseif, and else statements.
* Update the HTTP_REQUEST event as follows:

In this statement, the -glob argument enables us to use wildcard characters. The $httppath variable is the value that we are comparing. For each of the file types we are using the asterisk wildcard. If the $httppath variable ends with exe or css, the user will get a custom response page, and in addition we’ll send an entry to the log file. If the variable ends with jpg, gif, or png, the request is sent to iRules_pool1. If the variable ends with php the request is sent to iRules_pool2 and we send an entry to the log file. The default statement is for all requests that don’t match any of the listed file types.

* Save the iRule and ensure you don’t receive a syntax error.
* Open a new Web browser and access http://10.128.10.20.

Questions:
Which pool supplied the index.php page? ____________________
Why didn’t this request go to iRules_pool2? _____________________________________
Which pool supplied the F5 logo? ____________________

* Select the Welcome link.

Question: Which pool supplied the welcome.php page? ____________________

* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.

Question: Were you able to open these sensitive files? _______________

* View the Putty window.
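The switch -glob routing that Task 7 describes, together with the 404 check from Task 1, written out as an added example rather than the guide's own iRule. The $httppath variable, iRules_pool1, iRules_pool2 and the file types come from the exercise; the lowercase normalization, the status codes and page text, the log wording, and iRules_pool3 as the default pool are assumptions.

```tcl
# Added example: file-type routing and blocking with switch -glob.
# From the guide: $httppath, iRules_pool1, iRules_pool2, the file types.
# Assumptions: lowercase normalization, status codes and page text,
# iRules_pool3 as the default pool, the wording of the log messages.

when HTTP_REQUEST {
    # Compare the path only, in lowercase, so that the match does not
    # depend on letter case or on a query string appended to the URI.
    set httppath [string tolower [HTTP::path]]

    switch -glob -- $httppath {
        "*.exe" -
        "*.css" {
            # Unauthorized file types: answer from the BIG-IP itself,
            # never forward to a pool, and record who asked.
            HTTP::respond 403 content "<html><body><h1>Access denied</h1><p>This file type is not available.</p></body></html>" "Content-Type" "text/html"
            log local0. "Blocked request for $httppath from [IP::client_addr]"
        }
        "*.jpg" -
        "*.gif" -
        "*.png" {
            # Graphic files.
            pool iRules_pool1
        }
        "*.php" {
            # PHP pages, with a log entry as in the exercise.
            pool iRules_pool2
            log local0. "Request made for $httppath"
        }
        default {
            # Everything else, including the root page "/".
            pool iRules_pool3
        }
    }
}

when HTTP_RESPONSE {
    # Replace only 404 responses from the Web server with a custom page;
    # every other status passes through to the client unchanged.
    if { [HTTP::status] == 404 } {
        HTTP::respond 404 content "<html><body><h1>Page not found</h1><p>The page you requested does not exist on this site.</p></body></html>" "Content-Type" "text/html"
    }
}
```

Because the virtual server has no default pool at this point in the exercise, the default branch is what keeps requests that match no pattern from going unanswered.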
Questions:
Did requests for images generate a log entry? ________________
Did requests for css files generate a log entry? ________________
Did requests for php pages generate a log entry? _______________

* Close the Web browser.

TASK 8 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise5_iRule.
* Copy the code from exercise_iRule and paste into exercise5_iRule.
* Save exercise5_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11F – WORKING WITH LISTS

In this exercise you work with lists. First you’ll create a static list and experiment with different commands to manipulate the list. Next you’ll create a dynamic list containing HTTP request headers.

* Estimated completion time: 30 minutes

TASK 1 – Update the HTTP Virtual Server and the iRule

Update the HTTP virtual server by using the HTTP pool as the default pool.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Pool list, select http_pool, and then click Update.
* In the iRule Editor, delete all of the code in the exercise_iRule.

TASK 2 – Work with a Static List

Create a static list, and then use several list commands to manipulate the list.

* To create a new static list, add the following HTTP_REQUEST event to exercise_iRule.
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To sort the list, add the following lines at the end of the HTTP_REQUEST:
    set mylist [lsort $mylist]
    log local0. "Sorted first list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To add items to the list, add the following lines at the end of the HTTP_REQUEST:
    lappend mylist "rst" 222
    log local0. "Second list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: Were the new items added into the sorted order? ___________________

* Add additional lines to the iRule to sort the list after the new items have been added and add an entry to the log file. After refreshing the http://10.128.10.20/httprequest.php Web page, the log entry should look like this:
* To insert an item to the list, add the following lines at the end of the HTTP_REQUEST:
    set mylist [linsert $mylist 1 "f5"]
    log local0. "Third list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
How are the lappend and linsert commands different? _____________________________
In what position in the list was the new entry added? ________________

* Once again, add additional lines to sort the new list and add an entry to the log file.
* To determine the number of items in the list, add the following line at the end of the HTTP_REQUEST:
    log local0. "Third list length: [llength $mylist]"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What are a couple of advantages of knowing the number of items in a list? ________________________________________________________________________

* Add the following lines at the end of the HTTP_REQUEST:
    lset mylist 3 "456"
    log local0. "Fourth list: $mylist"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
How is the lset command different from the lappend and linsert commands? __________________________________________________________________________
In what position in the list was the new entry added? ________________

* To determine the value of an item in the list, add the following lines at the end of the HTTP_REQUEST:
    set item [lindex $mylist 3]
    log local0. "Item #4: '$item'"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To determine the index value of three different items, add the following lines at the end of the HTTP_REQUEST:
    set find1 [lsearch $mylist "rst"]
    set find2 [lsearch $mylist 222]
    set find3 [lsearch $mylist "deflmo"]
    log local0. "List item 'rst' at index # $find1"
    log local0. "List item '222' at index # $find2"
    log local0. "List item 'deflmo' at index # $find3"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
What index number is “222” at? __________________
Why is the third item displaying at index value -1? _________________________________

TASK 3 – Add Iteration to the iRule

Use iteration to loop through the different items in the static list.

* In the iRule Editor, add the following lines at the end of the HTTP_REQUEST:
    set myaddress "401 Elliott Ave S, Seattle, WA 98119 USA" (use your own address)
    set mylist [split $myaddress " "]
    log local0. "First item: '[lindex $mylist 0]'"
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: Without using iteration, how would you create separate log messages for each list entry? __________________________________________________________________________

* Replace the previous log local0 entry with the following:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What can you add to make these log entries more understandable? __________________________________________________________________________

FOR EXTRA CREDIT

* Update the iteration command so that the log message lists the correct item number:

TASK 4 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6A_iRule.
* Copy the code from exercise_iRule and paste into exercise6A_iRule.
* Save exercise6A_iRule, and then copy it to your Offline iRules.

TASK 5 – Use a Dynamic List in an iRule

Use an iRule to gather information about the client request HTTP headers using the list commands.

* In the iRule Editor, update exercise_iRule as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
How many HTTP headers are in your HTTP request? _________________
Which header is at index position 1? ___________________________
What is the index value for X-Forwarded-For? _________________

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What changes occurred using this profile? ________________________________________

TASK 6 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6B_iRule.
* Copy the code from exercise_iRule and paste into exercise6B_iRule.
* Save exercise6B_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11G – USING IRULES BEST PRACTICES

In this exercise you will add comments and debugging statements to an iRule you created earlier.

* Estimated completion time: 15 minutes

TASK 1 – Add Comments to an iRule

Update an iRule by adding several comments to make it easier to understand for other administrators.

* In the iRule Editor, select exercise5_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* In the line directly after the when HTTP_REQUEST line, add the following comment:
    #Identify the requested page and store in a variable
* Continue to add the following comments:

TASK 2 – Adding Debugging Statements for Logging

Logging isn’t recommended for BIG-IP systems in production.
Modify non-critical log statements to only run at specified times. ? In the line directly after the when HTTP_REQUEST line, add the following comment: set debug 1 ? Edit the log statement for PHP pages to the following: if { $debug } { log local0. "Request made for $httppath" } ? Add a the exact statement above for the switch default statement: ? Save the iRule. ? Open a new Web browser and open the http://10.128.10.20 Web page. ? Select the Welcome link. ? Click on the top graphic to go back to the home page. ? Select the Multiple Stream Example link. ? View the Putty window. For debugging purposes, we can see that requests are made for the root page “/”, php pages, and html pages. ? Type the Enter key a few times to move the existing log entries to the top of the window. ? In the iRule Editor, edit the debug statement: set debug 0 ? Save the iRule and then view the same pages as you did at the beginning of this task. ? Edit the URI to http://10.128.10.20/calc.exe. ? Edit the URI to http://10.128.10.20/basic.css. ? View the Putty window. We’ve now eliminated unnecessary logging, but can continue to log critical messages. TASK 3 – Save the Current iRule to your Offline iRules ? In the iRule Editor, create a new iRule named exercise7_iRule. ? Copy the code from exercise_iRule and paste into exercise7_iRule. ? Save exercise7_iRule, and then copy it to your Offline iRules. ? Close the iRule Editor ? In the Configuration Utility, create an archive file named 1.11_iRules_v11.4.0.1. MODULE 11 EXERCISES – IAPPS EXERCISE 1.12A – WORKING WITH IAPP APPLICATION SERVICES In the exercise you will create an iApp Application Service. You will then examine the effects of enabling and disabling strictness. You will use reentrancy to update the application, and then examine the various objects iApp created for the application. * Estimated completion time: 20 minutes TASK 1 – Create a Web Application Using iApp Create the Web application using an iApp Application Service. ? 
* Open up a new Web browser and access https://10.128.1.245.
* Open the iApp > Application Services page.
* Click Create.
* Create an Application Service using the following information:

    Profile Name                                  app_web
    Template                                      f5.http
    Inline help?                                  No
    Configuration mode                            Basic
    IP address for virtual server                 10.128.10.40
    FQDN                                          lamp.f5demo.com
    Create a new pool or use an existing one?     Create a new pool
    Servers to reference (Address, Port)          10.128.20.11  80
                                                  10.128.20.12  80
                                                  10.128.20.13  80
    Health monitor                                Create new HTTP monitor
    HTTP URI to send                              /index.php
    Expected response                             Welcome

* Click Finished.

TASK 2 – Update Your Local Hosts File

Update the entry in your local hosts file for lamp.f5demo.com.

* Open Notepad and select Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Update the lamp.f5demo.com entry:

    10.128.10.40 lamp.f5demo.com

* Save and close the hosts file.

TASK 3 – Test Access to the iApp Application

Test access to the iApp application, and verify how traffic is being load balanced to pool members.

* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
    Which pool member(s) supplied content? __________________________________
    Why did only one pool member supply content? __________________________________
    Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question:
    Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then select the Pools statistics.
* Reset the statistics for all pools and pool members.
* In the http://lamp.f5demo.com Web page, select the HTTP Compress Example link.
* In the Configuration Utility, refresh the Pools statistics.

Questions:
    How many Bits Out did this page create? ____________________
    How many Packets Out did this page generate? ______________________
    How many total requests were needed to generate this Web page? __________________

* Reset the statistics for all pools and pool members.
* Use Ctrl+F5 to refresh the http://www.f5demo.com/bigtext.php page.
* Close the Web browser.
* In the Configuration Utility, refresh the Pools statistics.

Questions:
    How many Bits Out did this page create? ____________________
    How many Packets Out did this page generate? ______________________
    How many total requests were needed to generate this Web page? __________________
    What caused the difference in traffic to the pool member? __________________________

TASK 4 – View and Update the Application

Use iApp to update the previously deployed Web application.

* Open the iApp > Application Services page, and then select app_web.
* On the Components page, click app_web_vs. This navigates you to the virtual server Properties page.
* Attempt to update the Destination Address to 10.128.10.41.

Question:
    Why couldn’t you update the virtual server IP address? __________________________

* Open the iApp > Application Services page, and then select app_web.
* Select the Properties tab.
* From the Application Service list, select Advanced.
* Disable Strict Updates, and then click Update.
* Open the app_web_vs virtual server Properties page.
* Update the following:
    o Destination Address: 10.128.10.41
    o OneConnect Profile: None
    o HTTP Compression Profile: None
    o Web Acceleration Profile: None
* Click Update.
* Select the Resources tab.
* From both the Default Persistence Profile and Fallback Persistence Profile lists, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.41.
* Close the Web browser.
* Open the iApp Application Services page, and then select app_web.
* Select the Reconfigure tab.

Question:
    What is the virtual server IP address? __________________________

* Without making any changes, click Finished.
* Open the app_web_vs virtual server Properties page.

Question:
    Are the updates you just made still in effect? ____________________
    If not, why not? _____________________________________________________________

* Open the Local Traffic > Profiles > Protocol > TCP page.

Question:
    How many TCP profiles were created for this application? ___________

* Open the iApp Application Services page, and then select app_web.
* Select the Properties tab.
* Re-enable Strict Updates, and then click Update.
* Select the Reconfigure tab.
* In the Network section, specify the following:

    What type of network connects clients to the BIG-IP system?
        Local area network (LAN)

* Click Finished.
* Open the Local Traffic > Profiles > Protocol > TCP page.

Question:
    Why is there now only one TCP profile? _________________________________________

TASK 4 – Delete an iApp Application Service

Create a new iApp Application Service using objects from another Application Service, and then attempt to delete both applications.

* Open the iApp > Application Services page.
* Create an Application Service using the following information:

    Profile Name                                  app_web_backup
    Template                                      f5.http
    Inline help?                                  No
    Configuration mode                            Basic
    IP address for virtual server                 10.128.10.41
    FQDN                                          (click the X to delete this option)
    Create a new pool or use an existing one?     app_web_pool

* Click Finished.
* Open the Application Services page.
* Select the checkbox for app_web, and then click Delete twice.

Question:
    Were you able to delete this application? ____________________
    If not, why not? _____________________________________________________________

* On the Application Services page, select app_web_backup.

iApp created several objects for this profile: a virtual server, persistence profiles, an http profile, and several optimization profiles.

* Select the Properties tab.
* Click Delete, and then click OK.
* View the following Configuration Utility pages and verify that the application objects are deleted:
    o Virtual Server List
    o HTTP Profiles
    o HTTP Compression Profiles
    o Web Acceleration Profiles
    o Persistence Profiles
    o TCP Profiles

TASK 5 – Update the Wildcard Pools

Update the three wildcard pools you created in the iRules exercises.

* Open the Pool List page.
* Update the following pools:
    o iRules_pool1: disable 10.128.20.11:0, add 10.128.20.11:80
    o iRules_pool2: disable 10.128.20.12:0, add 10.128.20.12:80
    o iRules_pool3: disable 10.128.20.13:0, add 10.128.20.13:80

TASK 6 – Reconfigure the Application Service

Reconfigure the Application Service using the advanced settings.

* Open the iApp Application Services page, and then select app_web.

Questions:
    How many profiles did iApp create for this application? _____________________
    What type of persistence does this application use? ________________________________

* Select the Reconfigure tab.
* In the Template Options section, select to use Advanced settings.
* In the Network section, specify the following:

    What type of network connects clients to the BIG-IP system?
        Wide area network (WAN)
    How have you configured routing on your web servers?
        Servers have a route to clients through the BIG-IP system

* In the Virtual Server and Pools section, specify the following:

    Which HTTP profile do you want to use?
        Create a new HTTP profile
    Should the BIG-IP system insert the X-Forwarded-For header?
        Do not insert X-Forwarded-For HTTP header
    Which persistence profile do you want to use?
        Do not use persistence
    Which load balancing method do you want to use?
        Weighted Least Connections (member)
    Do you want to give priority to specific groups of servers?
        Use Priority Group Activation
    What is the minimum number of active members in a group?
        2
    Which web servers should be included in this pool?
        Update the following:
            10.128.20.11:80, Limit: 1000, Priority: 8
            10.128.20.12:80, Limit: 800, Priority: 8
            10.128.20.13:80, Limit: 800, Priority: 6
        Add the following:
            10.128.20.14, Limit: 1200, Priority: 10
            10.128.20.15, Limit: 1200, Priority: 10

* In the Delivery Optimization section, specify the following:

    Which Web Acceleration profile do you want to use for caching?
        Do not use caching
    Which compression profile do you want to use?
        Do not compress HTTP responses
    How do you want to optimize client-side connections?
        Create the appropriate tcp-optimized profile

* In the Server Offload section, specify the following:

    Which OneConnect profile do you want to use?
        Do not use OneConnect
    How do you want to optimize server-side connections?
        Create a profile based on tcp-lan-optimized
    How many seconds should Slow Ramp time last?
        200

* In the Application Health section, specify the following:

    How many seconds should pass between health checks?
        10

* Click Finished.
* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
    Which pool member(s) supplied content? __________________________________
    Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question:
    Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the iRules section, specify the following:

    Do you want to add any custom iRules to this configuration?
        exercise7_iRule

* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

Question:
    Did the BIG-IP make new traffic management decisions? _________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the SSL Encryption section, specify the following:

    How should the BIG-IP system handle SSL traffic?
        Encrypt to clients, plaintext to servers (SSL Offload)
    Which Client SSL profile do you want to use?
        Create a new Client SSL profile
    Which SSL certificate do you want to use?
        lamp.crt
    Which SSL private key do you want to use?
        lamp.key

Note that the virtual server port changed from 80 to 443 after you selected to use SSL offload.

* In the Virtual Server and Pools section, specify the following:

    Do you want to redirect inbound HTTP traffic to HTTPS?
        Redirect HTTP to HTTPS
    From which port should HTTP traffic be redirected?
        80

* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

EXERCISE 1.12B – WORKING WITH IAPP TEMPLATES

In this exercise you will view the list of system-supplied iApp Templates, and then view the properties of a Template. You’ll then find and download iApp Templates from the F5 downloads page and from DevCentral.

* Estimated completion time: 20 minutes

TASK 1 – View iApp Templates

View the list of system-supplied iApp Templates.

* In the Configuration Utility, open the iApp > Templates page.
* Use the page list box to display all Templates on one page.

Questions:
    How many Templates are currently used for Application Services? ________________
    How can you tell that these are system-supplied Templates? __________________________

TASK 2 – View the Properties of an iApp Template

View the properties of the f5.http system-supplied Template.

* On the Template List page select f5.http.

Questions:
    What are the required BIG-IP modules? _______________________
    What is the minimum BIG-IP version? ________________________
    What is the maximum BIG-IP version? ________________________

* View the contents of the Implementation, Presentation, and HTML Help sections.
* Change the first line of the HTML Help section to:

Web server iApp Template

Questions:
    Can you save this change? ________________
    If not, why not? ________________________________________

TASK 3 – Download Updated iApp Templates from F5 Downloads

Access and log in to the F5 Downloads page, then download the updated iApp Templates for v11.3 to your workstation.

* Open the F5 product version download page at https://downloads.f5.com/esd/productlines.jsp.
* Select BIG-IP v11 x / Virtual Edition.
* From the list box select 11.3.0.
* Select iApp-Templates.
* Accept the license agreement.
* Select iapps-1.0.0.8.0.zip.
* Select the best download for your location.
* Save and then unzip the file on your local workstation.

This file contains updated versions of the Exchange 2010 – 2013 Client Access Server and the Citrix XenApp XenDesktop iApp Templates.

TASK 4 – Download a Community-Contributed iApp Template from DevCentral

Access and log in to DevCentral, then find and download a community-contributed iApp Template to your workstation.

* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iApp.
* On the left navigation menu, select Samples.
* Under the Community-Contributed section, select MySQL Proxy iApp.
* Right-click on the green arrow, and then select Save Target As.
* Save and then unzip the file on your local workstation.
* Close the DevCentral Web page.

TASK 5 – Import iApp Templates Into the BIG-IP

Import iApp Templates into your BIG-IP system.

* In the Configuration Utility, open the iApp > Templates page.
* Click Import.
* Click Browse.
* Navigate to the location where you unzipped the downloaded Template files.
* Select f5.microsoft_exchange_2010_2013_cas.tmpl, and then click Open.
* Leave the Overwrite Existing Templates checkbox cleared and click Upload.
* Repeat the steps above to import mysql_proxy.2011-12-02.tmpl.
* Select the Application Services page, and then click Create.
* From the Templates list, select f5.microsoft_exchange_2010-2013_cas.v1.2.0cr1.

You could now use this iApp Template for an application deployment.

* Create an archive file named 1.12_iApps_v11.4.0.1.
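The debug switch from Exercise 1.11G combined with the header list commands from Exercise 1.11F, Task 5, as an added example that is not part of the original guide or its exercise iRules. The rule body, the variable names hdrs, xff and i, and the .exe check are assumptions for illustration; it logs header names only, so cookie and authorization values never reach /var/log/ltm.

```tcl
# Added example, not one of the guide's exercise iRules.
# Assumed: attached to an HTTP virtual server such as the lab's http_vs.
when HTTP_REQUEST {
    # Debug switch as in Exercise 1.11G: 1 = verbose, 0 = critical messages only
    set debug 0

    # Identify the requested page and store it in a variable
    set httppath [string tolower [HTTP::path]]

    # Dynamic list of the request header names (Exercise 1.11F, Task 5)
    set hdrs [HTTP::header names]

    if { $debug } {
        log local0. "Request made for $httppath with [llength $hdrs] headers"
        # Number each entry so a log line can be matched to its list index.
        # Names only: values such as Cookie or Authorization stay out of the log.
        set i 0
        foreach name $hdrs {
            log local0. "Header index $i: $name"
            incr i
        }
    }

    # lsearch returns -1 when no element matches. HTTP header names are
    # case-insensitive, so the comparison is done in lower case.
    set xff [lsearch -exact [string tolower $hdrs] "x-forwarded-for"]
    if { $debug } {
        log local0. "X-Forwarded-For at index $xff"
    }

    # Critical message: written regardless of the debug switch
    switch -glob -- $httppath {
        "*.exe" {
            log local0.warning "Executable requested: $httppath from [IP::client_addr]"
        }
    }
}
```

With debug set to 0 the only line written per request is the warning for paths ending in .exe; setting it to 1 restores the per-header output for troubleshooting.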
INTRODUCTION

Welcome to the F5 LTM Fundamentals Hands-on Exercise Guide. This guide provides hands-on experience with F5 BIG-IP® Local Traffic Manager™ (LTM). You can use these exercises and the virtual environment (vLab) – this includes VMware Workstation and BIG-IP® Virtual Edition (VE) – as a learning tool or to give customer demonstrations.

Note, this guide is written for the following product and vLab version:

* TMOS architecture v11.4.0
* VMware Workstation 9.0.0
* Virtual images:
    o BIGIP 11.4.0.2384.0-scsi-ova
    o LAMP 3.2
    o DoS_Tool 3.0

MODULE 1 EXERCISES – INITIAL INSTALLATION

EXERCISE 1.1 – VMWARE WORKSTATION CONFIGURATION

These steps guide you through requesting a VMware Workstation license from IT, installing and configuring the VMware Workstation environment, downloading and installing the VMware images used in the environment, and making some required manual changes to the LAMP back-end server images.

* Only perform this exercise if this is a first time setup of the vLab.
* Use a Windows environment with this setup guide.
* Estimated completion time: 15 minutes

TASK 1 – Request a VMware Workstation License and Install the Trial Version

* Access https://f5.service-now.com (login using your Olympus credentials).
* From the left navigation menu, select Service Catalog.
* Under Software Requests, select VMware.
* Select the Desktop license.
* In the Select License Type list box, select Workstation (WIN/Linux).
* In the Business Justification field, type F5 vLab, and then click Order Now.

You will receive your VMware Workstation license from IT. In the meantime you have 30 days to use the trial version of VMware Workstation.

* Access http://www.vmware.com/products/workstation/overview.html.
* Download and install the trial version of VMware Workstation 9.

NOTE: These exercises are tested for VMware Workstation version 9. There may be issues with other versions.

TASK 2 – Set Up the VMware Network Environment

You will configure three VMware networks. VMnet1 acts as the Out of Band Management network for accessing the BIG-IP Configuration Utility. VMnet2 acts as the external network for users accessing virtual servers. VMnet3 acts as the internal VLAN where the back-end Web servers are located.

* Launch VMware Workstation, and then select Edit > Virtual Network Editor.
* Remove any existing VMnets EXCEPT for VMnet0.
* Click the Add Network button, and add VMnet1, VMnet2 and VMnet3.
* Select VMnet1, and configure as follows:
    o Enable the Host-only (connect VMs internally in a private network) option.
    o Select the Connect a host virtual adapter to this network checkbox.
    o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
    o In the Subnet IP field enter 10.128.1.0.
    o In the Subnet mask field enter 255.255.255.0.

NOTE: You will use this network to manage the BIG-IP VE system. This configures your local workstation with a VMware network adapter IP address of 10.128.1.1.

* Select VMnet2 and configure as follows:
    o Enable the NAT (shared host’s IP address with VMs) option.
    o Select the Connect a host virtual adapter to this network checkbox.
    o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
    o In the Subnet IP field enter 10.128.10.0.
    o In the Subnet mask field enter 255.255.255.0.
    o Click the NAT Settings button.
    o In the Gateway IP field enter 10.128.10.2, and then click OK.

NOTE: These NAT settings enable the BIG-IP VE system to reach the Internet through your workstation’s network adapter. This configures your local workstation with a VMware network adapter IP address of 10.128.10.1.

* Select VMnet3, and configure as follows:
    o Enable the Host-only (connect VMs internally in a private network) option.
    o Clear the Connect a host virtual adapter to this network checkbox.
    o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
    o In the Subnet IP field enter 10.128.20.0.
    o In the Subnet mask field enter 255.255.255.0.

NOTE: Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to the internal network. This will avoid asymmetric routing issues and also enable you to demonstrate secure remote access and full proxy features.

* Click OK.

TASK 3 – Download the Virtual Images

Download the BIG-IP image file to your local workstation, and then download and unzip the VMware back-end server images.

* Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.
* Click BIG-IP v11 x / Virtual Edition, and ensure that 11.4.1 is selected in the product version list box.
* Click Virtual-Edition, and then accept the license agreement.
* Click BIGIP-11.4.1.608.0-scsi.ova.
* Click the best download link for your location.
* Save the file to a directory on your local workstation.

NOTE: Ensure the location of this directory has at least 6GB of free disk space.

* Access ftp://wafer.f5net.com/outgoing/F5_Virtual_Environment_Setup_VMware/.
* Download the following files:
    o Exercise_Files.zip
    o LAMP_3.2.7z
* Unzip each downloaded file in the local directory you created earlier in this task.

TASK 4 – Install the BIG-IP VE System VMware Image

Use VMware Workstation to open and install the BIG-IP VE image file.

* In VMware Workstation, go to File > Open.
* Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.4.1.608.0-scsi.ova image file, and then click Open.
* Name the new virtual machine BIGIP_A1_v11.4.
* Enter or browse to a location with at least 4GB of free disk space and click Import.
* Click the Accept button. It will take a few minutes for the image to import.
After the import completes, select BIGIP_A1_v11.4 from the Library menu, and then click Edit virtual machine settings. ? Map the network adapters to the appropriate VMware networks using the following table: Network Adapter Custom (VMnet1) Network Adapter 2 Custom (VMnet2) Network Adapter 3 Custom (VMnet3) Network Adapter 4 Bridged (Automatic) ? Click OK. TASK 5 – Install the LAMP VMware Image Use VMware Workstation to open and install the LAMP VMware server images. ? In VMware Workstation, go to File > Open. ? Select the LAMP_3.2.vmx image file, and then click Open. ? In the VMware Workstation dialog box, click Take Ownership. ? Select LAMP_3.2 from the Library menu, and then click Edit virtual machine settings. ? Map the network adapters to the appropriate VMware networks using the following table: Network Adapter Connect at power on (yes) Custom (VMnet1) Network Adapter 2 Connect at power on (no) Custom (VMnet2) Network Adapter 3 Connect at power on (yes) Custom (VMnet3) Network Adapter 4 Connect at power on (no) Bridged ? Click OK. TASK 6 – Edit the Settings of the LAMP Image The LAMP image requires some manual network configuration changes. ? Select LAMP_3.2 from the Library menu, and then click Power on this virtual machine. ? Within the VMware Workstation window, leave Ubuntu selected and press the Enter key. ? After the image powers on, within the VMware Workstation window (and within the LAMP desktop) click Login. ? Click the Applications Menu icon on the top-left of the screen, and then select Settings Manager. ? In the Hardware section, click Network Connections. ? Select Wired connection 1, and then click Edit. ? From the Device MAC address list box, select the MAC address for eth0. ? Click Save, and then repeat these steps for the following: o Wired connection 2 --> eth1 o Wired connection 3 --> eth2 o Wired connection 4 --> eth3 ? Delete Wired connection 5 – Wired connection 8. 
?NOTE: The wired connection entries will not be removed from the Network Connections list until you reboot the image. ? Close the Network Connections and Settings dialog boxes. ? In VMware Workstation, right-click LAMP_3.2 in the Library menu and select Power > Power Off. ? Right-click LAMP_3.2 in the Library menu and select Snapshot > Take Snapshot. ? Name the snapshot LAMP_3.2_Clean, and then click Take Snapshot. EXERCISE 1.2 – INITIAL BIG-IP CONFIGURATION In this exercise you will configure the BIG-IP management interface, you’ll use TMSH to create a VLAN and a self IP address, and you’ll request and install a BIG-IP VE license key. * Your workstation needs Internet access to complete the licensing portion of this exercise. * Required virtual images: BIGIP_A1_v11.4 * Estimated completion time: 25 minutes TASK 1 –Configure BIG-IP Management Interface Settings Power on the BIG-IP VE image, configure the management interface settings, and then use TMSH to create the external VLAN, self IP address, and default gateway route. ? Click BIG_A1_v11.4 from the Library menu, and then click Power on this virtual machine ?NOTE: You may experience issues when attempting to power on the BIG-IP virtual machine. If you receive an incompatibility message regarding 64-bit operation, complete Task 1.1. ? After the BIG-IP VE system has powers on, you are presented with the localhost login screen. ? Log in to the BIG-IP system using the following credentials: localhost login: root Password: default ? At the CLI prompt, type: config ? Configure the management interface using the following information: IP Address 10.128.1.245 Network Mask 255.255.255.0 Default Route 10.128.1.1 ? TASK 1.1 –Configure your System BIOS and BIG-IP Management Interface Settings Complete this task ONLY if you receive an incompatibility message regarding 64-bit operation. ? You may receive the following dialog box: This is an issue with the Intel virtualization. 
To resolve it, you must reconfigure your system BIOS ? Access your system BIOS. To find the disabled virtualization features, perform the following, depending on the model of your devices: o Go to Configuration, and then enable Intel Virtual Technology. o Go to Security > Virtualization, and then enable Intel (R) Virtualization Technology and Intel (R) VT- d Feature. ? Press F10 to save and exit the system BIOS. The system reboots and you can proceed. ? Launch VMware Workstation. ? Click BIG_A1_v11.4 from the Library menu, and then click Power on this virtual machine ? After the BIG-IP VE system powers on, you are presented with the localhost login screen. ? Log in to the BIG-IP system using the following credentials: localhost login: root Password: default ? At the CLI prompt, type: config ? Configure the management interface using the following information: IP Address 10.128.1.245 Network Mask 255.255.255.0 Default Route 10.128.1.1 TASK 2 –Generate an Evaluation License Key Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license. ? Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com ? Click Eval Key Generator, and log in using your Olympus credentials. ?NOTE: Ensure you are not selecting Dev Key Generator. ? Leave the Generate Eval Base Keys option selected. ? From the Product Line list box, select BIG-IP. ? From the Product list box, select F5-BIG-VE-LAB-LIC. ?NOTE: Ensure you are selecting the license above before moving on. ? Select the 45 Days option, and then click Next. ? On the License Configuration Options page change the Number of Product Keys to Generate to 10. ? Select the GTM, VE and the BIG-IP, LAB (LTM,APM,ASM,AM, GTM), VE checkboxes, and then click Next. The evaluation key is emailed to your F5.com address. ? Once the F5 Development Registration Key email is delivered to your inbox, open it and copy one of the registration keys. 

TASK 3 – Access the BIG-IP VE System

Access the management port of the BIG-IP VE system using a Web browser.
* Open a Web browser and access https://10.128.1.245.
* Proceed with the untrusted security certificate.
* Log in to the BIG-IP system using the following credentials:
      Username: admin
      Password: admin
  The BIG-IP VE system does not yet have a license.

TASK 4 – Activate the BIG-IP System

Use the manual licensing method with the registration key emailed to you to activate the BIG-IP VE system.
* On the Welcome page, click Next.
* On the License page, click Activate.
* In the Base Registration Key field, paste the registration key text.
* For Activation Method, select Manual.
* Click Next.
* Select and copy all of the dossier text to your clipboard.
* Click the F5 Licensing Server link.
* Paste the dossier text in the field, and then click Next.
* Accept the license agreement, and then click Next.
* Select and copy all of the license key text to your clipboard, and then close the Activate F5 Product Web page.
* On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next.
  The BIG-IP VE system configuration updates. This takes several seconds.
* After the configuration changes complete, log in to the BIG-IP VE system.

TASK 5 – Complete the Setup Utility

Complete the remaining steps of the Setup Utility.
* On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
* On the Device Certificate page, click Next.
* On the Platform page, configure these settings using the following information:
      Host Name                               bigipA1.f5demo.com
      Root Account (Password and Confirm)     default
      Admin Account (Password and Confirm)    admin
* Click Next.
* You are prompted to log out and log back in to the BIG-IP VE system. Click OK.
* Log back in to the BIG-IP VE system.
* Under Standard Network Configuration, click Next.
* Clear the Display configuration synchronization options checkbox.
* Click Next.
* In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information:
      Self IP Address     10.128.20.240
      Self IP Netmask     255.255.255.0
      Port Lockdown       Allow Default
      VLAN Interfaces     Untagged: 1.2
* Click Next.
* In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information:
      External VLAN       Create VLAN external
      Self IP Address     10.128.10.240
      Self IP Netmask     255.255.255.0
      Port Lockdown       Allow 443
      Default Gateway     10.128.10.2
      VLAN Interfaces     Untagged: 1.1
* Click Finished.
  You are presented with the BIG-IP Web Configuration Utility.
* To find manuals and product information, click the User Documentation link to go to AskF5.
  The AskF5 knowledge base Web site displays. You can use this site to view knowledge base articles and download product manuals.
* Close the Ask F5 Web page.
* Click the Run the Setup Utility link.
  You can run the Setup Utility at any time. However, you can also make changes manually using the Network option on the left navigation menu.

TASK 6 – Review Configuration Objects

Use the Configuration Utility to view the TMOS objects created with the Setup Utility.
* Open the Network > VLANs > VLANs List page.
  The Setup Utility created two VLANs: external and internal.
* Open the Network > Self IPs page.
  The Setup Utility created two self IP addresses:
      Self IP Address     VLAN
      10.128.10.240       external
      10.128.20.240       internal
* Open the Network > Routes page.
  The Setup Utility created the following route:
      Name                         Resource
      external_default_gateway     10.128.10.2

TASK 7 – Explore Command Line Access (CLI) and tmsh

Access the BIG-IP system and view configuration details using an SSH client (such as Putty).
* Use an SSH client (such as Putty) to connect to the external self IP address 10.128.10.240.
  You are unable to open the BIG-IP system because the Port Lockdown option of the external self IP address is set to allow access for TCP port 443 only.
* In the Configuration Utility, open the Network > Self IPs page.
* Click 10.128.10.240.
* Add TCP port 22 to the Custom List.
* Click Update.
* Use the SSH client again to connect to 10.128.10.240.
* In the PuTTY Security Alert dialog box, click Yes.
* Log in to the BIG-IP CLI using the following credentials:
      Username: root
      Password: default
* At the CLI, type:
      tmsh list net se (and then press the Tab key)
  Question: Did autocorrect display options? _____________________
* At the CLI, complete the following:
      tmsh list net self
  Question: What information is listed? ________________________________
* At the CLI, type:
      tmsh
* At the tmos prompt, type:
      list net vl (and then press the Tab key)
  Questions:
  Did autocorrect display options? _______________________
  Which options are available? _______________________________________
  Why did the tmos prompt replace “list net vl” with “list net vlan”? _______________________________________________________________________
* Press the Enter key.
  Question: What information is listed? ________________________________
* At the tmos prompt, navigate to another location by typing the following:
      ltm node
* At the tmos prompt, type:
      ?
  TMOS displays the commands you can use at this point.
* At the tmos prompt, type:
      q (NOTE: This will exit the list of commands presented by the “?”)
      create ?
  TMOS displays available commands and required objects. The create command requires a name to identify the node.
* At the tmos prompt, type:
      create test_node?
  The create command followed by a name requires a text name or an IP address.
* At the tmos prompt, type:
      create test_node address ?
  You must include an IP address.
* At the tmos prompt, type:
      create test_node address 10.20.30.40
      list
* In the Configuration Utility, open the Local Traffic > Nodes > Node List page.
  You created a node on the BIG-IP VE system.
* In the SSH client, at the tmos prompt, type:
      delete test (and then press the Tab key)
  There is only one possible option, so autocorrect completes the next word.
* Press the Enter key to complete the delete command.
* In the Configuration Utility, refresh the Node List page.
  You’ve removed the node from the BIG-IP VE system.
* In the SSH client, at the tmos prompt, type:
      / (this brings you back to the root TMOS level)
      quit
* At the CLI, type:
      exit

EXERCISE 1.3 – USER ACCESS AND SYSTEM PREFERENCES

In this exercise you will verify the default capabilities of the built-in admin and root user accounts. You’ll then create a new BIG-IP user account and experiment with two user roles. Finally, you’ll examine the log files and create an archive file.
* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 15 minutes

TASK 1 – Verifying User Access

Attempt to log in using the SSH client and the admin user account.
* Open a new SSH session and connect to 10.128.10.240.
* Attempt to log in using the following credentials:
      Username: admin
      Password: admin
  By default, you cannot open an SSH session using the admin account.
* In the Configuration Utility, open the System > Users > User List page.
* Click admin.
* From the Terminal Access list box, select Advanced shell.
* Click Update.
* Use the SSH client again to connect to 10.128.10.240, and then log in using the admin account.
* Close the SSH session.
* In the Configuration Utility, attempt to log back in to the BIG-IP VE system using the following credentials:
      Username: root
      Password: default
  You cannot log in to the Configuration Utility using the root account. You can only use the root account for CLI access.

TASK 2 – Create a New BIG-IP User Account

Use the Configuration Utility to create a new BIG-IP VE system user account for yourself and experiment with the different user roles.
* Log in to the BIG-IP system using the admin account.
* Open the System > Users > User List page.
* Create a new user account using the following information, and then click Finished.
      User Name            your first name
      Password             your last name (all lowercase)
      Role                 Operator
      Partition Access     All
      Terminal Access      tmsh
* Use the SSH client to access 10.128.10.240, and then log in using your new user account.
  Question: Are you at the CLI prompt or the tmos prompt? _________________________
* At the tmos prompt, type:
      ltm node create test_node address 10.20.30.40
  You receive a syntax error: incomplete command.
* At the tmos prompt, type:
      create ?
  Your user account does not have privileges to create nodes.
* At the tmos prompt, type:
      quit
  Because you only have TMSH access, quitting TMSH ends the SSH session.
* In the Configuration Utility, click Log out.
* Log back into the Configuration Utility using your new user account.
* Open the Local Traffic > Pools > Pool List page.
  Question: Why are the Create and Delete buttons greyed out? ________________________________
* Open the System > Users > User List page.
* Click your user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
* Log out, and then log back in using the admin account.
* Open the System > Users > User List page.
* Click your new user account and attempt to change the user role to Resource Administrator.
  Question: Were you successful? _______________________
* Change the user’s Terminal Access to Advanced shell.
* Click Update.
* Log out, and then log in using your new user account with the WRONG password. (NOTE: You will view this failed login attempt in the LTM audit log.)
* Log in using your new user account with the correct password.
* Open the Local Traffic > Pools > Pool List page.
  You now have privileges to create and delete pools.

TASK 3 – View Logging Information

View recent security logging activity using an SCP client (such as WinSCP) to.
* Use an SCP client (such as WinSCP) to access 10.128.10.240 with your new user account and password.
* On the right side, navigate to the / level.
* Navigate to the /var/log directory.
* Open the secure log file and then scroll to the bottom.
* Locate the log entry for the failed login attempt by your user account.
* Close the secure log file and the SCP client.
* In the Configuration Utility, open the System > Logs > Audit > List page.
* Type fail in the search field, and then click Search.
* Locate the log entry for the failed login attempt by your user account.

TASK 4 – Update System Preferences

Update the BIG-IP VE system preferences with custom settings.
* Open the System > Preferences page.
* From the System Settings list, select Advanced.
* Change the Records Per Screen value to 20.
* From the Start Screen list box, select Statistics.
* Select the Redirect HTTP to HTTPS checkbox.
* Update the Idle Time Before Automatic Logout value to 100000.
* Update the Security Banner Text to Show on the Login Screen to:
      Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.
* Click Update.
* Click Log out.
* Change the URL to http://10.128.1.245.
  You are redirected to the HTTPS site, and the Login page now displays the custom message.
* Log in using your new user account.
  The startup page is now the Statistics page.

TASK 5 – Create an Archive File

Use the command line to create an archive file.
* Use the SSH client to connect to 10.128.10.240, and then log in using your new user account.
* At the CLI, type:
      tmsh
* At the TMOS prompt, type:
      sys ucs ?
* Use the Enter key to scroll through the available commands.
* At the tmos prompt, type:
      q
      save ? 1.3_initial_setup_v11.4.1.1.ucs ?
  You can create a passphrase when needed.
* Press Enter to create the archive file.
* Quit TMSH, and then exit the SSH client.
* In the Configuration Utility, open the System > Archives page.
  You created a new archive file on the BIG-IP VE system.

MODULE 2 EXERCISES – PROCESSING TRAFFIC

EXERCISE 2.1 – CREATE AN HTTP POOL AND VIRTUAL SERVER

In this exercise you will configure a pool for HTTP Web servers, a virtual server that uses the HTTP pool, and then verify its functionality. You’ll then update the SNAT settings for the virtual server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Pool

Create a pool containing three HTTP pool members.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Open a Web browser and access https://10.128.1.245.
* Log in with the new user account you created in Exercise 1.3.
* Open the Local Traffic > Pools > Pool List page, and then click Create.
* Create a pool using the following information:
      Name                          http_pool
      Load Balancing Method         Round Robin
      Priority Group Activation     Disabled
      New Members (Click Add for each entry)
          Address          Service Port
          10.128.20.11     80
          10.128.20.12     80
          10.128.20.13     80
* Click Finished.
* Open the Local Traffic > Nodes > Node List page.
  The BIG-IP VE system automatically creates a node for each pool member.

TASK 2 – Create a Virtual Server that Uses the Pool

Create an HTTP virtual server that uses the HTTP pool you created previously.
* Open the Local Traffic > Virtual Servers > Virtual Server List page, and then click Create.
* Create a virtual server using the following information:
      Name             http_vs
      Type             Standard
      Destination      Host: 10.128.10.20
      Service Port     80 (HTTP)
      State            Enabled
      Default Pool     http_pool
* Click Finished.

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the virtual server and ensure that you’re receiving information from all three pool members.
* Use a new Web browser and access the virtual server at http://10.128.10.20.
  You should see page elements coming from all three of the pool members.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
  Question: How many connections were opened to create the Web page? ___________
* In the F5 vLab Test Web page, press Ctrl+F5 once to force the browser to refresh without using its cache.
* In the Configuration Utility, from the Statistics Type list box, select Pools.
  Questions:
  Did traffic go to each pool member? _____________
  Did each member manage approximately the same number of connections? __________

TASK 4 – Modify the Virtual Server SNAT Setting

Identify the effects of adding SNAT Automap to the virtual server.
* In the F5 vLab Test Web page, review the Request Details and examine the Client IP address/port.
  Questions:
  What is the client IP address? ________________________
  Which device “owns” this IP address? ___________________________
* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Click http_vs.
* From the Source Address Translation list box, select Auto Map, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  Question:
  What is the client IP address? ________________________
  Which device “owns” this IP address? ___________________________
* Close the F5 vLab Test Web page.
* In the Configuration Utility, change the Source Address Translation back to None, and then click Update.

EXERCISE 2.2 – NETWORK MAP

In this exercise you will use the Network Map feature to examine availability information on virtual servers, pools, pool members, and nodes.
* Estimated completion time: 10 minutes

TASK 1 – View Configuration and Status from the Network Map

* In the Configuration Utility, open the Local Traffic > Network Map page.
* Use the mouse to hover over the virtual server and pool objects and notice the information displayed for each object.
* Hover over the pool member objects and notice the information displayed.
* Click the 10.128.20.11:80 pool member.
  The pool member properties page displays.
* In the Parent Node row, click 10.128.20.11.
  The node properties page displays.
* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* Open the Members page.
* Select the checkbox for 10.128.20.11:80, and then click Disable.
* Return to the Network Map page.
* In the Search box, type 20.12, and then click Update Map.
  All objects that match the search criteria are highlighted.
* Click the 10.128.20.11:80 pool member.
* In the State row, select the Enabled option to re-enable this pool member, and then click Update.

TASK 2 – Reset Statistics

Reset the statistics for the virtual server, the pool, and all of the pool members.
* Open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
* Select the http_vs checkbox, and then click Reset.
* From the Statistics Type list box, select Pools.
* Use the Select All checkbox to select the http_pool and all three members, and then click Reset.

TASK 3 – View the Local Traffic Log File

Use the Local Traffic log file to identify pool member availability.
* Open the System > Logs > Local Traffic page.
* Click the Timestamp column header to sort in descending order. (The most recent entry should be at the top of the list.)
* In the Search box, type disabled, and then click Search.
  You can quickly identify when a pool member or node has been disabled.

TASK 4 – Saving the Configuration

Use the Configuration Utility to create an archive file.
* Open the System > Archives page, and then click Create.
* Create an archive using the following information, and then click Finished.
      File Name        2.2_processing_traffic_v11.4.1.1
      Encryption       Disabled
      Private Keys     Include

MODULE 3 EXERCISES – VIRTUAL SERVERS

EXERCISE 3.1 – VIRTUAL SERVER PRIORITY

In this exercise you will configure a pool and a virtual server that listen on all ports, and then test application access using the virtual server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Wildcard Pool

Create a pool containing three pool members listening on all ports.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Pools > Pool List page.
* Create a new pool using the following information, and then click Finished.
      Name                          open_pool
      Load Balancing Method         Round Robin
      Priority Group Activation     Disabled
      New Members (Click Add for each entry)
          Address          Service Port
          10.128.20.11     * All Services
          10.128.20.12     * All Services
          10.128.20.13     * All Services
* Open the Local Traffic > Nodes > Node List page.
  Questions:
  Did BIG-IP LTM create new nodes for this pool? _________________
  If no, why not? ____________________________________________________________

TASK 2 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports that references the pool you created in the previous task.
* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
      Name             open_vs
      Type             Standard
      Destination      Host: 10.128.10.20
      Service Port     * All Ports
      Default Pool     open_pool

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the wildcard virtual server and ensure that you’re receiving information from all three pool members.
* Open the Statistics > Module Statistics > Local Traffic page, and then select to view Virtual Server statistics.
* Verify that the statistics for all virtual servers are reset.
* Use a new Web browser and access the virtual server at http://10.128.10.20.
* In the Configuration Utility, on the Virtual Servers statistics page, click Refresh.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use an SSH client to access 10.128.10.20.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close Putty.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use a new Web browser to access the secure virtual server at https://10.128.10.20.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
  The HTTP request was directed to http_vs, as this virtual server is more specific than open_vs. The SSH and HTTPS requests were directed to open_vs.
* Delete both the open_vs and the open_pool objects.

EXERCISE 3.2 – FORWARDING AND REJECT VIRTUAL SERVERS

In this exercise you will configure and test a forwarding network virtual server. You’ll then configure and test a reject virtual server for SSH access. Lastly, you’ll create a forwarding host virtual server for SSH access to a single server.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Disable the Current Virtual Server

Disable the current HTTP virtual server, and add a route from your workstation to the 10.128.20.0 network.
* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Select the http_vs checkbox, and then click Disable.
  NOTE: You must disable this virtual server in order to use those you’ll create later in this exercise.
* Use a Web browser to attempt to access a Web server directly at http://10.128.20.13.
  The request fails, as you do not have direct access to the 10.128.20.0 network.
* On your workstation, open a command prompt.
  NOTE: You may need to run the command prompt as a local administrator. If so, go to the Start menu and type cmd, then right-click cmd.exe and select Run as administrator.
* At the command prompt, type:
      route add 10.128.20.0 mask 255.255.255.0 10.128.10.240
  This adds a route to the 10.128.20.0 network through the external self IP address of the BIG-IP VE system.
  NOTE: You cannot run the route add command while connected to an F5 VPN.
* Leave the command prompt window open.
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13.
  The request fails again, as the BIG-IP VE system does not have a listener to forward this request to the internal network.

TASK 2 – Create a Forwarding (IP) Virtual Server

Create a forwarding (IP) virtual server for the 10.128.20.0 network.
* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
      Name             forward_vs
      Type             Forwarding (IP)
      Destination      Network: Address: 10.128.20.0 Mask: 255.255.255.0
      Service Port     * All Ports
      Protocol         * All Protocols
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13.
  The request is successful. Note that in the Request Details section, the virtual server address is the same as the pool member address. The virtual server did not process the packet, but simply forwarded it to the internal network.
* Change the URL to https://10.128.20.12.
* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close the SSH session and the F5 vLab Test Web page.
  You now have access to all ports and all protocols on the 10.128.20.0 network.

TASK 3 – Create a Reject Virtual Server

Create a reject virtual server to reject SSH traffic going to the 10.128.20.0 network.
* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
      Name             reject_vs
      Type             Reject
      Destination      Network: Address: 10.128.20.0 Mask: 255.255.255.0
      Service Port     22 (SSH)
* Use an SSH client to connect to 10.128.20.11.
* When your request times out, close the SSH session.
* Use a Web browser to access http://10.128.20.11.
  Although you still have HTTP access to 10.128.20.11, you no longer have SSH access to any hosts on the 10.128.20.0 network.
* Close the F5 vLab Test Web page.

TASK 4 – Create a Forwarding Host Virtual Server

Create another forwarding (IP) virtual server, enabling SSH traffic to 10.128.20.11 only.
* In the Configuration Utility, on the Virtual Server List page, create a virtual server using the following information, and then click Finished.
      Name             ssh_vs
      Type             Forwarding (IP)
      Destination      Host: 10.128.20.11
      Service Port     22 (SSH)
* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Open a new SSH session and connect to 10.128.20.12.
* When your request times out, close the SSH session.
  You now have access to all ports and protocols on the 10.128.20.0 network except for port 22. You only have access to port 22 on host 10.128.20.11.
* In the Configuration Utility, delete forward_vs, reject_vs, and ssh_vs.
* Re-enable http_vs.
* In the command prompt window, type:
      route DELETE 10.128.20.0
* Close the command prompt.

TASK 5 – Saving the Configuration

Use the Configuration Utility to create an archive file.
* Open the System > Archives page.
* Create an archive using the following information, and then click Finished.
      File Name        3.2_virtual_servers_v11.4.1.1
      Encryption       Disabled
      Private Keys     Include

MODULE 4 EXERCISES – POOLS

EXERCISE 4.1 – INSTALL REQUIRED SOFTWARE

You will need to install and configure JMeter in order to use this exercise guide.
* Do not perform exercise 4.1 if you already have JMeter installed.
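
Exercises 3.1 and 3.2 above both depend on which listener wins when several virtual servers match the same packet. The Python model below is an added example, not part of the original guide and not F5 code: it assumes a simplified precedence (longest destination prefix first, then a specific port ahead of * All Ports, ignoring source address and protocol) and replays the virtual servers from both exercises; the Listener class and all function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# What each virtual server type does with a matching connection.
ACTIONS = {
    "standard": "load balanced to pool",
    "forwarding": "forwarded unchanged",
    "reject": "rejected",
}


@dataclass(frozen=True)
class Listener:
    name: str
    destination: str       # host address or network in CIDR notation
    port: Optional[int]    # None models "* All Ports"
    kind: str              # "standard", "forwarding" or "reject"
    enabled: bool = True

    @property
    def network(self):
        return ipaddress.ip_network(self.destination)

    def matches(self, ip, port: int) -> bool:
        return self.enabled and ip in self.network and self.port in (None, port)

    def specificity(self) -> Tuple[int, bool]:
        # Assumed ordering: longest destination prefix, then specific port.
        return (self.network.prefixlen, self.port is not None)


def select_listener(listeners: List[Listener], dst_ip: str, dst_port: int):
    """Return the most specific enabled listener for the packet, or None."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [l for l in listeners if l.matches(ip, dst_port)]
    return max(candidates, key=Listener.specificity, default=None)


def outcome(listeners, dst_ip, dst_port):
    """(listener name, action) for one destination, as the model sees it."""
    chosen = select_listener(listeners, dst_ip, dst_port)
    if chosen is None:
        return (None, "no listener, request fails")
    return (chosen.name, ACTIONS[chosen.kind])


def wildcard_exposure(listeners):
    """Enabled non-reject listeners that accept every port (review these)."""
    return [l.name for l in listeners
            if l.enabled and l.port is None and l.kind != "reject"]


# Listeners as configured in the exercises.
EXERCISE_3_1 = [
    Listener("http_vs", "10.128.10.20", 80, "standard"),
    Listener("open_vs", "10.128.10.20", None, "standard"),
]
FORWARD_VS = Listener("forward_vs", "10.128.20.0/24", None, "forwarding")
REJECT_VS = Listener("reject_vs", "10.128.20.0/24", 22, "reject")
SSH_VS = Listener("ssh_vs", "10.128.20.11", 22, "forwarding")
EXERCISE_3_2 = [
    Listener("http_vs", "10.128.10.20", 80, "standard", enabled=False),
    FORWARD_VS, REJECT_VS, SSH_VS,
]

if __name__ == "__main__":
    probes = [
        (EXERCISE_3_1, "10.128.10.20", 80),
        (EXERCISE_3_1, "10.128.10.20", 22),
        (EXERCISE_3_1, "10.128.10.20", 443),
        (EXERCISE_3_2, "10.128.20.11", 80),
        (EXERCISE_3_2, "10.128.20.11", 22),
        (EXERCISE_3_2, "10.128.20.12", 22),
    ]
    for listeners, ip, port in probes:
        print(f"{ip}:{port:<4} -> {outcome(listeners, ip, port)}")
    print("all-port listeners:", wildcard_exposure(EXERCISE_3_2))
```

wildcard_exposure flags open_vs and forward_vs, the two listeners that accept every port in these exercises.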
* Estimated completion time: 10 minutes

TASK 1 – Download and Install JMeter

Download and install JMeter.
* Use a Web browser to access http://jmeter.apache.org/download_jmeter.cgi.
* From the Binaries section, download either the TGZ or ZIP file of the latest version of Apache JMeter.
* Extract the downloaded file on your workstation.
  You will use the bin/jmeter.bat program to create a Web server load simulation.

TASK 2 – Configure a Path Value for Java.exe

In order to use JMeter, your workstation must have a path variable value for accessing java.exe.
* On your workstation, open C:\Program Files.
* Open the Java folder. If there is no folder named Java, look in the Program Files (x86) folder.
* Open jre7, and then open bin. Verify that this folder contains the java.exe executable file.
* Right-click in the address bar and select Copy address.
* Open the Start menu, and then type environment in the search bar.
* Click Edit environment variables for your account.
* In the Environment Variables dialog box, in the User variables for section, do one of the following:
    o If there is an existing path variable:
        * Select path, and then click Edit.
        * At the end of the existing Variable value, add a semi-colon, and then paste the address text.
    o If there is not an existing path variable:
        * Click New.
        * Name the new variable path.
        * In the Variable value field, paste the address text.
* Click OK twice.

EXERCISE 4.2 – CREATE A WEB LOAD TEST

Use JMeter to record a visit to your virtual server, and then create a load configuration to simulate 50 users accessing the recording.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Use JMeter to Record a Visit to the Web Site

Use JMeter to record a series of requests to the http_vs virtual server.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* In the location where you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
  NOTE: If you do not have JMeter installed, return and complete Exercise 4.1.
* In the navigation panel, right-click Test Plan, and then select Add > Threads (Users) > Thread Group.
* Change the name to 10.128.10.20 Test.
* In the Number of Threads (Users) field, enter 100.
* In the Loop Count field, enter 3.
* Go to File > Save, and save the file as 10.128.10.20_Test.jmx.
  This will simulate 100 users accessing the BIG-IP VE system and visiting each page three times.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Config Element > HTTP Request Defaults.
    o In the Server Name or IP field, enter 10.128.10.20.
    o In the Port Number field, enter 80.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
    o Change the name to Home Page
    o In the Path field, enter /
    o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
    o Change the name to Welcome Page
    o In the Path field, enter /welcome.php
    o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Listener > Summary Report.
* Click the Save button.

TASK 2 – Use JMeter to Simulate Multiple Visits to the Web Site

Use JMeter to play the recording to the downstream Web site.
* In JMeter, select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 600, the test is complete.

TASK 3 – Verify Virtual Server and Pool Statistics

View the virtual server and pool statistics, and then reset all statistics.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select to view the Pools statistics.
  Question: Were the connections distributed evenly between the three pool members? ________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.3 – LOAD BALANCING METHODS

In this exercise you will change the load balancing method to Ratio and view the resulting behavior.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Configure Ratio Member Load Balancing

Update the http_pool by changing the load balancing method to Ratio (member), and then assign ratio values to the different pool members.
* Open the Local Traffic > Pools > Pool List page.
* Click http_pool.
* Open the Members page.
* In the Load Balancing section, from the Load Balancing Method list box, select Ratio (member).
* Click Update.
* In the Current Members section, click 10.128.20.11:80.
* Within the Configuration section, set the Ratio value to 4.
* Click Update, and then return to the Members page.
* Update the remaining pool members with the following information:
      Member              Ratio
      10.128.20.12:80     2
      10.128.20.13:80     1
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 600, the test is complete.
* In the Configuration Utility, view the Pools statistics.
  Questions:
  Were the connections distributed evenly? _____________
  Were the connections distributed using a 4 – 2 – 1 ratio? _____________
* Reset the statistics for the pool and all pool members.

TASK 2 – Configure Weighted Least Connections Load Balancing

Update the http_pool by assigning connection limit values to the different pool members and then changing the load balancing method to Weighted Least Connections (member).
* Click to edit the http_pool object, and then open the Members page.
* Update the pool members with the following information:
      Member              Connection Limit
      10.128.20.11:80     1200
      10.128.20.12:80     250
      10.128.20.13:80     50
  NOTE: Ensure that all three pool members have Connection Limit values before proceeding.
* Change the Load Balancing Method to Weighted Least Connections (member), and then click Update.
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results.
  When the total # Samples value reaches 600, the test is complete.
* Close JMeter.
* In the Configuration Utility, view the Pools statistics.
  Question: Were the pool members utilized properly based on the configured connection limits? _________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.4 – PRIORITY GROUP ACTIVATION

In this exercise you will enable priority group activation, and then add two additional pool members to the HTTP pool. You’ll then examine how the BIG-IP system utilizes the pool members.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Enable Priority Group Activation

Update the http_pool by enabling priority group activation, and then assign priority values to the different pool members. Add two additional members to the pool.
* Click to edit the http_pool object, and then open the Members page.
* In the Priority Group Activation list box, select Less than.
* In the Available Member(s) field, enter 2, and then click Update.
* Update the pool members with the following information:
      Member              Priority Group
      10.128.20.11:80     8
      10.128.20.12:80     8
      10.128.20.13:80     4
* Add new pool members using the following information:
      Address          Service Port     Ratio     Priority Group     Connection Limit
      10.128.20.14     80               1         4                  10
      10.128.20.15     80               1         3                  10
* Use a Web browser to access http://10.128.10.20.
* Use Ctrl+F5 several times to refresh the page.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.11:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request?
_____________________________ With priority group activation set to 2 members, why are there now three members supplying content? ___________________________________________________________________________ ? In the Configuration Utility, disable pool member 10.128.20.13:80. ? In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. Question: Which members are supplying content for the request? _____________________________ ? In the Configuration Utility, disable pool member 10.128.20.12:80. ? In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. Using priority group activation, we can always be assured that we have at least two pool members available to fulfill user requests. ? In the Configuration Utility, re-enable pool members 10.128.20.11:80 and 10.128.20.13:80. ? In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. For the first couple of refreshes, content should still come from node #5 (10.128.20.15:80), because the connections had yet to close. Eventually you will notice requests come only from 10.128.20.11, 10.128.20.13, and 10.128.20.14. ? In the Configuration Utility, re-enable pool member 10.128.20.12:80. ? In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. After refreshing a couple of times, all requests now come from 10.128.20.11 and 10.128.20.12 only. ? Close the F5 vLab Test Web page. ? Update the http_pool by changing the Priority Group Activation value back to Disabled, and then click Update. ? Create an archive file named 4.4_pools_load_balancing_v11.4.1.1. MODULE 5 EXERCISES – MONITORS EXERCISE 5.1 – USING MONITORS WITH NODES In this exercise you will assign the default monitor to be used for all nodes, in addition to assigning a node- specific monitor as well as disassociating the default monitor from a node. 
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Verify the Snapshot for the LAMP Image

In these exercises you will make modifications to the LAMP VMware image. Ensure that you have a snapshot before moving on.

* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 and select Snapshot.
* If you do not have a snapshot named LAMP_3.2_Clean, select Take Snapshot, and name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.
* Power on the BIGIP_A1_v11.4 and LAMP_3.2 images.

TASK 2 – Assign a Default Monitor for all Nodes

Assign the BIG-IP system default icmp monitor as the default monitor for all nodes.

* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Nodes > Node List page.
* Examine the Status of the listed nodes.
* Open the Default Monitor page.
* Select icmp from the Available list, then click <<, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

TASK 3 – Create a Custom ICMP Monitor

Create a custom ICMP monitor that will be used with only one node.

* Open the Local Traffic > Monitors page, and then click Create.
* Create a new monitor using the following information, and then click Finished.

    Name              custom_icmp_monitor
    Type              ICMP
    Parent Monitor    icmp
    Interval          4
    Timeout           13
    Transparent       No

TASK 4 – Assign the Custom Monitor to a Specific Node

Assign the custom icmp monitor to 10.128.20.12.

* Open the Local Traffic > Nodes > Node List page, and then click 10.128.20.12.
* Assign the monitor to the node using the following information:

    Health Monitors             Node Specific
    Select Monitors: Active     custom_icmp_monitor
    Availability Requirement    All

* Click Update.

TASK 5 – Assign No Monitors to a Specific Node

Assign no monitors to 10.128.20.13.

* On the Node List page, click 10.128.20.13.
* From the Health Monitors list box, select None, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

The BIG-IP system default icmp monitor has been assigned to the Node Default monitor and these nodes are using that monitor:

* 10.128.20.11
* 10.128.20.14
* 10.128.20.15

The custom_icmp_monitor is assigned to node 10.128.20.12. There is no monitor assigned to node 10.128.20.13. This is not a recommended configuration. This setup is only to demonstrate three methods to assign monitors to nodes.

EXERCISE 5.2 – USING MONITORS WITH POOLS

In this exercise you will create a custom HTTP monitor and assign the monitor to the HTTP pool. You will then view the effects of using monitors on the virtual server, pool, pool members, and nodes.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Check Current Pool Member Status

Use the Pool List page to examine the current status of the members of the HTTP pool.

* Open the Local Traffic > Pools > Pool List page.
* Click http_pool, and then open the Members page.
* Examine the Status of the listed members.

Question: Will BIG-IP LTM distribute traffic to pool members that are unknown? _____________

TASK 2 – Create a Custom HTTP Monitor

Create a custom HTTP monitor that requests a specific Web page from the pool member and that verifies a specific text string is returned in the HTTP response.

* Open the Local Traffic > Monitors page, and then click Create.
* Create a monitor using the following, and then click Finished.

    Name              custom_http_monitor
    Type              HTTP
    Interval          4
    Timeout           13
    Send String       GET /HealthCheck.html\r\n
    Receive String    SERVER_UP

TASK 3 – Assign the Custom Monitor to the Pool

Assign custom_http_monitor to http_pool.

* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* For Health Monitors, select custom_http_monitor, click <<, and then click Update.

TASK 4 – View the Network Map

View the status of virtual server, pool, pool members, and nodes using Network Map.
* Open the Local Traffic > Network Map page.
* Use the mouse to hover over the different pool members.

Question: Why is the status of node 10.128.20.13 different from the other nodes? ___________________________________________________________________

TASK 5 – View the Effects of Using Monitors

Make changes to the Web site on the LAMP image, and then view how the changes affect the Network Map.

* Use an SSH client to connect to the LAMP_3.2 image at 10.128.1.252.
* Log in using the following credentials:

    Username: root
    Password: default

* Access and view the Web server components on 10.128.20.11:80 by typing:

    cd /var/www/server/1
    ls

The HealthCheck.html Web page currently exists on pool member 10.128.20.11:80.

* To rename this Web page, type:

    mv HealthCheck.html NewHealthCheck.html

This removes the HealthCheck.html Web page from pool member 10.128.20.11:80.

* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member.

The virtual server and pool display available. Pool member 10.128.20.11:80 displays offline. These pool members display available:

* 10.128.20.12:80
* 10.128.20.13:80
* 10.128.20.14:80
* 10.128.20.15:80

All the nodes display as available, except 10.128.20.13, which displays unknown.

* In the SSH session, to change the contents of the HealthCheck.html Web page on 10.128.20.12:80 using visual editor, type:

    cd ..
    cd 2
    vi HealthCheck.html

NOTE: You can use the Tab key to autocomplete the Web page name.

* Arrow down to the SERVER_UP paragraph, and then arrow over to the word UP.
* Type X to delete UP.
* To save and quit visual editor, type:

    :wq

The text string “SERVER_UP” will no longer be found in the HealthCheck.html Web page on pool member 10.128.20.12:80.

* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.

The virtual server and pool still display available. Pool members 10.128.20.11:80 and 10.128.20.12:80 display offline. These pool members display available:

* 10.128.20.13:80
* 10.128.20.14:80
* 10.128.20.15:80

* In the SSH session, to delete the IP address from 10.128.20.14:80, type:

    ip addr del 10.128.20.14/24 dev eth2

This removes the IP address from node 4. The BIG-IP VE system will not receive an ICMP response from the node.

* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member.

Node 10.128.20.14 now displays offline, which causes pool member 10.128.20.14:80 to display offline.

* Open the http_pool pool, and then open the Members page.
    o Update the Connection Limit of 10.128.20.13:80 to a value of 100.
    o Update the Connection Limit of 10.128.20.15:80 to a value of 5.
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
    o Change the name to Big Text Page
    o In the Path field, enter /bigtext.php
    o Clear the Use KeepAlive checkbox.
* Select 10.128.10.20 Test, and then go to Run > Start.
* While the test runs, in the Configuration Utility continue to refresh the Network Map page.

Eventually pool member 10.128.20.15:80 displays unavailable because it reaches the configured connection limit.

* Use a new Web browser to access http://10.128.10.20.

The page will be slow to load, and there should only be page elements supplied by pool member 10.128.20.13:80.

* In the Configuration Utility, go to node 10.128.20.13, select Forced Offline, and then click Update.
* Open the Network Map page, and then click Update Map.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.

Eventually you’ll receive a page error, as there will be no pool members left to fulfill the request.

* In JMeter, if the load test is still running, click the Stop button.
* Save the 10.128.10.20 Test, and then close JMeter.
* In the Configuration Utility, continue to click Update Map until pool member 10.128.20.15:80 is again available.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.

You receive the Web page. All elements come from pool member 10.128.20.15:80.

* In the SSH session, to replace the text string in the HealthCheck.html Web page on 10.128.20.12:80:
    o Type: vi HealthCheck.html
    o Arrow to the location where you removed the text UP.
    o Type an “i” to enter insert mode.
    o Type UP.
    o Type the following commands: :wq
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.

There are now page elements coming from both 10.128.20.12:80 and 10.128.20.15:80.

* In the Configuration Utility on the Network Map page, click Update Map.

The virtual server and pool again display available. Pool members 10.128.20.11:80 and 10.128.20.14:80 display offline. Pool member 10.128.20.13:80 displays forced offline. Pool members 10.128.20.12:80 and 10.128.20.15:80 display available.

EXERCISE 5.3 – USING AN INBAND MONITOR

In this exercise you experiment with using a combination of passive monitoring and active monitoring.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create and Use an Inband Monitor

Create a custom inband monitor with a retry time of 0.

* Open the Local Traffic > Monitors page.
* Create a monitor using the following information, and then click Finished.

    Name          custom_inband_monitor
    Type          Inband
    Retry Time    0 seconds

TASK 2 – Update the HTTP Monitor

Configure custom_http_monitor to use the Up Interval setting.

* On the Monitors page, click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For the Up Interval value, select Enabled, then type 60 seconds, and then click Update.

With this configuration, LTM uses the up interval setting for the active monitor (60 seconds) as long as the inband monitor identifies the pool member as available. If the inband monitor identifies the pool member as suspect or offline, the regular interval is used for the active monitor (4 seconds).

TASK 3 – Update the HTTP Pool

Add custom_inband_monitor along with custom_http_monitor to http_pool.

* Open the Pool List page, and then click http_pool.
* From the Configuration list, select Advanced.
* Select custom_inband_monitor and click <<.
* From the Availability Requirement list box, select At Least, then type 1, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page.

There are now page elements provided by 10.128.20.11:80 and 10.128.20.12:80.

* In the Configuration Utility, open the Network Map page.
* Click 10.128.20.11:80 and examine the Availability and Health Monitors statuses.
* Notice the custom_http_monitor fails, while the custom_inband_monitor succeeds.

Because we modified the availability requirement to 1 health monitor, the pool member is identified as available.

EXERCISE 5.4 – USING MANUAL RESUME

In this exercise you will modify the active HTTP monitor to use manual resume.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the HTTP Monitor

Modify custom_http_monitor to use manual resume. Also, remove custom_inband_monitor from http_pool.

* Open the Monitors page, and then click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For Up Interval, select Disabled.
* For Manual Resume, select Yes, and then click Update.
* Open the Pool List page, and then click http_pool.
* In the Active list, select custom_inband_monitor, and then click >>.
* From the Availability Requirement list box, select All, and then click Update.
* Wait 15 seconds, and then open the Network Map page.

Pool member 10.128.20.11:80 again displays offline.

TASK 2 – Update the Pool Members

Replace the HealthCheck.html Web page on pool member 10.128.20.11:80.
* In the SSH session, to replace the HealthCheck.html Web page on 10.128.20.11:80, type:

    cd ..
    cd 1
    mv NewHealthCheck.html HealthCheck.html

* Close the SSH session.
* In the Configuration Utility, on the Network Map page, click Update Map.
* Hover over pool member 10.128.20.11:80.

The pool member 10.128.20.11:80 displays as forced offline, waiting for manual resume.

* Click 10.128.20.11:80.

When a monitor is set for manual resume, a BIG-IP system administrator must manually enable the pool member after the monitor is again identified as available.

* Select Enabled (All traffic allowed), and then click Update.
* Open the Network Map page.

The pool member 10.128.20.11:80 is now available.

TASK 3 – Reset the Environment

To prepare for the next exercises, reset the environment, including restoring the Ubuntu image from the clean snapshot.

* Go to the 10.128.20.13 node.
* Change the State to Enabled, and then click Update.
* Open the Monitors page, and then click custom_http_monitor.
* For Manual Resume, select No, and then click Update.
* Create an archive file named 5.4_monitors_v11.4.1.1.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > LAMP_3.2_Clean.
* Click Yes to restore LAMP_3.2.

MODULE 6 EXERCISES – USING PROFILES

EXERCISE 6.1 – USING AN HTTP PROFILE

In this exercise you will create a custom HTTP profile and add it to the HTTP virtual server. You will then examine how the HTTP profile changes the traffic management behavior.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Custom HTTP Profile

Create a custom HTTP profile.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
* Create an HTTP profile using the following information, and then click Finished.

    Name                        custom_http_profile
    Fallback Host               http://www.f5.com
    Fallback on Error Codes     404 500-503
    Response Headers Allowed    Content-Type Set-Cookie Location
    Insert X-Forwarded-For      Enabled
    Maximum Requests            50

Notice the current inherited setting for Maximum Header Size is 32768 bytes.

TASK 2 – Modify the Default HTTP Profile

Make a couple of modifications to the BIG-IP system default http profile, and then examine which values were inherited by custom_http_profile.

* On the Profiles: Services: HTTP page, click http.
* Edit the profile using the following information, and then click Update.

    Maximum Header Size    16384
    Maximum Requests       30

* On the Profiles: Services: HTTP page, click custom_http_profile.

Questions:
    Did the custom profile inherit the maximum header size setting? ________________
    Did the custom profile inherit the maximum requests setting? _______________

TASK 3 – Add the Custom HTTP Profile to a Virtual Server

Add custom_http_profile to http_vs.

* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on This Host section, click the Request and Response Headers link.
* Leave this browser open.
* In the Configuration Utility, open the Virtual Server List page, and then click http_vs.
* In the Configuration section, from the HTTP Profile list box, select custom_http_profile.
* Click Update.
* Use a second Web browser to access http://10.128.10.20.
* Click the Request and Response Headers link.
* Using both Web browsers, examine the different Response Headers delivered to the Client sections.

Questions:
    Why are there fewer response headers in the second version of this Web page? _______________________________________________________________
    Which response headers that were exposed in the first version of this Web page could be exploited by a hacker? ________________________________________________________________

* Using both Web browsers, examine the different Request Headers Received at the Server section.

Question: On the second version, what is the X-Forwarded-For value? _________________________

* Close the first Web browser.
* In the second Web browser, change the URL to http://10.128.10.20/badpage.php.

Questions:
    What was the result of this request? ________________
    Why were you redirected to www.f5.com? ___________________________________

* Close the Web browser.

TASK 4 – Update the Custom HTTP Profile

Update custom_http_profile with additional settings.

* In the Configuration Utility, open the Local Traffic > Profiles > Services > HTTP page, and then click custom_http_profile.
* Edit the profile using the following information, and then click Update.

    Request Header Erase        User-Agent
    Request Header Insert       Bigip-Httpvs:10.128.20.10
    Response Headers Allowed    Content-Type Set-Cookie Location X-Injected

* Use a Web browser to access http://10.128.10.20, and then click Request and Response Headers.

Questions:
    Is the new Bigip-Httpvs request header displaying? ________________
    Are you still seeing the User-Agent header? __________________

EXERCISE 6.2 – USING A STREAM PROFILE

In this exercise you will create a custom stream profile that will replace a static text string for responses from the customer’s Web site.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – View a Current Web Page

View the text that needs to be replaced on the customer’s Web site.

* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on this Host section, click Stream Profile Example.

This page has several references to the company’s previous name, Lorax Bank. Without going through the task of updating several pages across multiple Web servers, you’ll make this update on BIG-IP LTM using a stream profile.

TASK 2 – Create a Stream Profile

Create a custom stream profile that will find occurrences of the customer’s previous name and replace it with their updated company name.
* In the Configuration Utility, open the Local Traffic > Profiles > Other > Stream page, and then click Create.
* Create a stream profile using the following information, and then click Finished.

    Name      custom_stream
    Source    Lorax Bank
    Target    Lorax Investments

TASK 3 – Add the Custom Stream Profile to a Virtual Server

Add custom_stream to http_vs.

* Open the Virtual Server List page, and then click http_vs.
* From the Configuration list box, select Advanced.
* In the Configuration section, from the Stream Profile list box, select custom_stream.
* In the Acceleration section, from the HTTP Compression Profile list box, select httpcompression, and then click Update.
* Return to the F5 vLab Test Web page and refresh the Welcome to Lorax Bank page.

The stream profile replaced all occurrences of the string “Lorax Bank” with “Lorax Investments”.

* Close the Web browser.
* Create an archive file named 6.2_profiles_v11.4.1.1.

MODULE 7 EXERCISES – PERFORMANCE PROFILES

EXERCISE 7.1 – USING COMPRESSION AND ACCELERATION

In this exercise you will use iMacros for Firefox to create a recording of a visit to the HTTP virtual server. You will then create several optimization profiles, including HTTP compression, caching, and TCP. You will create a similar HTTP pool and virtual server and add the profiles to the new virtual server. You’ll then record a similar visit to the Web site using iMacros for Firefox and identify improvements.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Install iMacros for Firefox

Install iMacros for Firefox.

* Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/.
* Download and install iMacros for Firefox.

TASK 2 – Record BIG-IP LTM Performance without Optimization

Clear the statistics, then update http_vs by removing the HTTP and stream profiles, and then record a visit to the HTTP virtual server using iMacros for Firefox.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Statistics > Module Statistics > Local Traffic page.
* Reset the virtual server, pool, and pool member statistics.
* Open the Virtual Server List page, and then click http_vs.
* From the HTTP Profile list box, select None.
* From the Stream list box, select None, and then click Update.
* Use a Mozilla Firefox browser to access http://10.128.10.20.
* Click I Understand the Risks, then click Add Exception, and then click Confirm Security Exception.
* If it’s not already displayed, enable the iMacros pane.
* In the iMacros pane, select the Rec tab, and then click Record.
* Record the following series of clicks:
    o Click Welcome, and then click the banner at the top of the page to return to the home page.
    o Click HTTP Compress Example, and then click the banner at the top of the page.
    o Click Stream Profile Example, and then click the banner at the top of the page.
    o Click Mask Sensitive Content Example, and then click the Back button.
    o Click Simple HTTP Request, and then click the Back button.
    o Click Request and Response Headers, and then click the banner at the top of the page.
* Click Stop.
* Use Ctrl+F5 five times to refresh the page.
* Select the Welcome link, and then click on the banner at the top of the page to return to the home page.
* Click the Welcome link.
* Use Ctrl+F5 five times to refresh the page.
* Click the banner at the top to return to the home page.
* HTTP Compress
* Multiple Stream Example.
* bigtext.txt.
* Change the U
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, select 10.128.10.20 Test.
* Change the Number of Threads (users) to 50.
* Change the Loop Count to 2.
* Go to Run > Start.
* Select Summary Report to monitor the results.
When the total # Samples value reaches 300, the test is complete.

Questions:
    What is the Total Throughput value? ___________________
    What is the Total KB/sec value? ____________________
    What is the Total Avg. Bytes value? ___________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression.

There is no compression taking place.

* Click the Back button, and then click the View link for Web Acceleration.

There is no caching taking place.

TASK 2 – Configure HTTP Compression and Fast Cache

Create a custom HTTP compression profile and a custom Web acceleration profile.

* Open the Acceleration > Profiles > HTTP Compression page.
* Create an HTTP Compression profile using the following information, and then click Finished.

    Name                                               custom_compression
    Parent Profile                                     wan-optimized-compression
    Content Compression                                Content List…
    Content Type (Click Include after each entry)      *.png *.jpg *.php
    Minimum Content Length                             10 bytes
    gzip Compression Level                             6 – Optimal Compression
    Browser Workarounds                                Enabled

* Open the Acceleration > Profiles > Web Acceleration page.
* Create a Web Acceleration profile using the following information, and then click Finished.

    Name              custom_caching
    Parent Profile    optimized-acceleration
    Cache Size        500 megabytes

TASK 3 – Configure TCP Express and Content Spooling

Enable TCP optimization between the client and BIG-IP LTM, and between BIG-IP LTM and the pool members.

* Open the Local Traffic > Profiles > Protocol > TCP page.
* Create a TCP profile using the following information, and then click Repeat.

    Name              custom_tcp_server_profile
    Parent Profile    tcp_lan_optimized

* Create another TCP profile using the following information, and then click Finished.

    Name                 custom_tcp_client_profile
    Parent Profile       tcp_wan_optimized
    Delayed Acks         Disabled
    Proxy Buffer High    196608
    Selective NACK       Enabled
    Nagle’s Algorithm    Disabled

TASK 4 – Configure OneConnect

Create a custom OneConnect profile.

* Open the Local Traffic > Profiles > Other > OneConnect page.
* Create a OneConnect profile using the following information, and then click Finished.

    Name            custom_oneconnect
    Source Mask     255.255.0.0
    Maximum Size    12000

TASK 5 – Create a Pool and Virtual Server

Create a new pool and virtual server to use with the new performance profiles.

* Create a pool using the following information, and then click Finished.

    Name                     http_pool2
    Health Monitors          custom_http_monitor
    Load Balancing Method    Round Robin
    Members (Use the Node List option):

        Node            Service Port
        10.128.20.11    80
        10.128.20.12    80
        10.128.20.13    80
        10.128.20.14    80
        10.128.20.15    80

* Create a virtual server using the following, and then click Finished.

    Name                         http_vs2
    Destination                  10.128.10.21
    Service Port                 80 (HTTP)
    Configuration                Advanced
    Protocol Profile (Client)    custom_tcp_client_profile
    Protocol Profile (Server)    custom_tcp_server_profile
    HTTP Profile                 http
    Source Address Translation   Auto Map
    OneConnect Profile           custom_oneconnect
    HTTP Compression Profile     custom_compression
    Web Acceleration Profile     custom_caching
    Default Pool                 http_pool2

TASK 6 – Record BIG-IP LTM Performance with Optimization

Record traffic statistics with BIG-IP LTM optimization configured.

* In JMeter, in the navigation panel, select HTTP Request Defaults.
* Change the Server Name or IP to 10.128.10.21.
* Select Summary Report, and then go to Run > Clear.
* Go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 300, the test is complete.

Questions:
    What is the Total Throughput value? ___________________
    What is the Total KB/sec value? ____________________
    What is the Total Avg. Bytes value? ___________________

* In the Configuration Utility, view the Virtual Servers statistics.
Questions:
    Was there a significant difference in the number of bits coming in or out of the virtual servers? _______________
    How many maximum connections were opened for http_vs? ______________________
    How many total connections were opened for http_vs? ________________________
    How many maximum connections were opened for http_vs2? ______________________
    How many total connections were opened for http_vs2? ________________________

* Reset the statistics for both virtual servers.
* View the Pools statistics.

Questions:
    Was there a significant difference in the number of bits coming in or out of the pools? _______________
    Did caching lower the number of packets out for http_pool2? _____________
    Did OneConnect lower the number of connections required for http_pool2? _____________

* Reset the statistics for both pools and all pool members.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression.

Compression is now taking place for HTML content.

* Click the Back button, and then click the View link for Web Acceleration.

There should now be many cache hits.

* Create an archive file named 7.1_performance_profiles_v11.4.1.1

MODULE 8 EXERCISES – PERSISTENCE PROFILES

EXERCISE 1.8A – USING SOURCE ADDRESS PERSISTENCE

In this exercise you will create a source address persistence profile and examine how it changes the BIG-IP load balancing decision.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Update the HTTP Pool

Update the HTTP pool to use round robin load balancing.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Pool List page, and then select http_pool.
* Select the Members tab.
* Change the Load Balancing Method to Round Robin.
* Open a new Web browser and access http://10.128.10.20.

Question: Are requests coming from one or several pool members? ______________________

TASK 2 – Create a Source Address Persistence Profile

Create a custom source address persistence profile and add it to the HTTP virtual server.

* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Click Create.
* Create a persistence profile using the following information:

    Name                custom_source_addr
    Persistence Type    Source Address Affinity
    Timeout             15 seconds
    Mask                Specify: 255.255.255.0

* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.

Questions:
    Are requests coming from one or several pool members? ______________________
    Which pool member is supplying the content for this request? ____________________

* Wait at least 15 seconds and then use Ctrl+F5 to refresh the page again.

Questions:
    Was the same pool member used for this request? _______________
    If not, why not? _________________________________________________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
* Refresh the Statistics page.
* Continue to click Refresh and note the value in the Age column.
* Close the http://10.128.10.20 Web browser.

EXERCISE 1.8B – USING COOKIE PERSISTENCE

In this exercise you will create a custom cookie persistence profile, and then add it in place of the source address persistence profile.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Cookie Persistence Profile

Create a custom cookie persistence profile, and then add it in place of the source address persistence profile.

* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Create a persistence profile using the following information:

    Name                custom_cookie
    Persistence Type    Cookie
    Cookie Method       HTTP Cookie Insert
    Cookie Name         BIGIP_mycookie
    Expiration          Session Cookie (cleared) 8 hours

* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_cookie.
* Click Update.

Questions:
    Was the update successful? _______________
    If not, why not? _________________________________________________________

* Select the Properties tab.
* For HTTP Profile, select the default http profile.
* Repeat the steps above to update the persistence profile to custom_cookie.
* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.
* In the Content Examples on this Host section, select Display Cookie.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.

Question: Is there a persistence record for this session? _______________ If not, why not? _________________________________________________________

EXERCISE 1.8C – VIEW PERSISTENCE WITH DISABLED AND OFFLINE POOL MEMBERS

In this exercise you will examine how persistence works with both disabled and offline pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the Source Address Profile and the Virtual Server

Update the timeout value in the source address persistence profile, and then update the HTTP virtual server to use the source address persistence profile.

* Open the Local Traffic > Profiles > Persistence page.
* Select custom_source_addr.
* Update the Timeout to 60 seconds.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
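
The masked-key and timeout behavior of the custom_source_addr profile from Exercises 1.8A and 1.8C, as an added example that is not part of the original guide and not F5 code: a simplified Python model that assumes round robin selection underneath and a timeout that restarts on every matching request. The class name, function names, and client addresses are constructed for illustration.

```python
"""Simplified model of source address affinity persistence (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Pool members taken from the lab; the client addresses used below are constructed.
MEMBERS = [f"10.128.20.{n}:80" for n in (11, 12, 13, 14, 15)]


@dataclass
class PersistRecord:
    member: str        # pool member this client network is pinned to
    last_used: float   # time of the most recent matching request


@dataclass
class SourceAddrPersistence:
    members: list
    mask: str = "255.255.255.0"   # Mask value from Exercise 1.8A
    timeout: float = 15.0         # seconds; Exercise 1.8C raises this to 60
    records: dict = field(default_factory=dict)
    _next: int = 0                # round robin cursor (assumed load balancing method)

    def _key(self, client_ip):
        # The persistence key is the client address with the mask applied,
        # so every client in the same masked network shares one record.
        net = ipaddress.ip_network(f"{client_ip}/{self.mask}", strict=False)
        return str(net.network_address)

    def _round_robin(self):
        member = self.members[self._next % len(self.members)]
        self._next += 1
        return member

    def pick(self, client_ip, now):
        """Return the pool member for a request arriving at time `now` (seconds)."""
        key = self._key(client_ip)
        rec = self.records.get(key)
        if rec is not None and now - rec.last_used < self.timeout:
            rec.last_used = now          # assumption: each hit restarts the timer
            return rec.member
        # No record, or the record aged out: make a fresh load balancing decision.
        member = self._round_robin()
        self.records[key] = PersistRecord(member, now)
        return member

    def age(self, client_ip, now):
        """Seconds since the record was last used (the Age column), or None."""
        rec = self.records.get(self._key(client_ip))
        return None if rec is None else now - rec.last_used


def replay(timeout):
    """Replay one constructed request sequence and return the members chosen."""
    p = SourceAddrPersistence(members=MEMBERS, timeout=timeout)
    sequence = [
        ("10.128.10.30", 0),    # first client, creates the record
        ("10.128.10.77", 1),    # different host, same /24: reuses the record
        ("10.128.30.5", 2),     # different /24: new load balancing decision
        ("10.128.10.30", 10),   # within the timeout: still pinned
        ("10.128.10.30", 25),   # 15 s after the last hit
    ]
    return [p.pick(ip, t) for ip, t in sequence]


if __name__ == "__main__":
    for timeout in (15, 60):
        print(f"timeout={timeout}s ->", replay(timeout))
```

With the 255.255.255.0 mask, every client in the same /24 shares one record, so a large client population behind one subnet is pinned to a single pool member until the record ages out.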
TASK 2 – View Effects of Disabled and Offline Pool Members

Make a couple of modifications to the default http profile, and then examine which values were inherited by the custom HTTP profile.

* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.
  Question:
    Which pool member are you currently persisting to? _______________
* In the Configuration Utility, disable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
  Questions:
    Did you persist to the same pool member? _______________
    Can disabled pool members service client requests? ________________
* In the Configuration Utility, select Forced Offline for the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
  Questions:
    Did you persist to the same pool member? _______________
    Can offline pool members service client requests? ________________
* In the Configuration Utility, re-enable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
  Question:
    Did your persistence session go back to the original pool member? _______________
* Close the Web browser.

EXERCISE 1.8D – USING MATCH ACROSS VIRTUAL SERVERS

In this exercise you will use persistence with two virtual servers. It’s critical that users are persisted to the same pool member, regardless of which virtual server they access.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Clear Statistics and View Access to Two Virtuals

View how requests are currently being handled through both virtual servers.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs2.
* For Protocol Profile (Client), select tcp.
* For Protocol Profile (Server), select (Use Client Profile).
* For each of the following, select None.
  * HTTP Profile
  * OneConnect
* Click Update.
* Open the Statistics > Module Statistics > Local Traffic page.
* Ensure the statistics for both virtual servers, pools, and pool members have been reset.
* Open up a new Web browser and access https://10.128.10.20.
* Type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21.
* Type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.
  Questions:
    Are requests for http_pool persisting to one pool member? _______________
    Are requests for http_pool2 persisting to one pool member? ________________
* Reset the statistics for both pools and all pool members.

TASK 2 – Enable Persistence for http_vs2

Add the source address persistence profile to the second HTTP virtual server.

* Open the Virtual Servers page, and then select http_vs2.
* Select the Resources tab.
* For Default Persistence Profile, select custom_source_addr.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.
  Questions:
    Are requests for http_pool persisting to one pool member? _______________
    Are requests for http_pool2 persisting to one pool member? ________________
    Are requests for each different pool persisting to the SAME pool member? ___________
* Reset the statistics for both pools and pool members.

TASK 3 – Enable Match Across Virtual Servers

Update the source address persistence profile to use the Match Across Virtual Servers option.

* Open the Persistence profiles page, and then select custom_source_addr.
* Enable Match Across Virtual Servers.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.
  Question:
    Are requests for each different pool persisting to the SAME pool member? ___________
* Reset the statistics for both pools and pool members.
* Create an archive file named 1.8_persistence_profiles_v11.4.0.1.

MODULE 9 EXERCISES – SSL TERMINATION

EXERCISE 1.9A – SUPPORTING SSL TRAFFIC

In this exercise you’ll set up the BIG-IP to support processing SSL traffic. First you’ll configure the BIG-IP to simply pass SSL traffic through to the pool members. Then you’ll configure the BIG-IP for SSL termination.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Create a Self-Signed Certificate

Create a self-signed certificate for www.f5demo.com.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the System > File Management > SSL Certificate List page.
* Click Create.
* Create a self-signed certificate using the following information:

    Name         custom_ssl_cert
    Type         Self
    Common Name  www.f5demo.com
    Lifetime     3650 days
    Key Type     RSA
    Size         2048 bits

  Fill in the remaining fields however you like.
* Click Finished.

TASK 2 – Create a Client SSL Profile

Create a client SSL profile using the self-signed certificate.

* Open the Local Traffic > Profiles > SSL > Client page.
* Click Create.
* Create a client SSL profile using the following information:

    Name         custom_client_ssl
    Certificate  custom_ssl_cert
    Key          custom_ssl_cert

* Click Finished.

TASK 3 – Create a Custom HTTPS Monitor

Create a custom HTTPS monitor that requests the index.php Web page from the pool member and then verifies that a text string is returned in the response.

* Open the Local Traffic > Monitors page.
* Create a monitor using the following:

    Name            custom_https_monitor
    Type            HTTPS
    Send String     GET /index.php\r\n
    Receive String  FSE vLab Test Web Site

* Click Finished.
TASK 4 – Create an HTTPS Pool and Virtual Server

Create a pool and a virtual server to support SSL traffic, and then test access using a Web browser.

* Open the Pool List page.
* Create a pool using the following:

    Name                   https_pool
    Health Monitors        custom_https_monitor
    Load Balancing Method  Round Robin
    Members                (Use the Node List option)

    Node          Service Port
    10.128.20.11  443
    10.128.20.12  443
    10.128.20.13  443
    10.128.20.14  443
    10.128.20.15  443

* Click Finished.
* Open the Virtual Server List page.
* Create a virtual server using the following:

    Name          https_vs
    Destination   Host: 10.128.10.20
    Service Port  443 (or HTTPS)
    Default Pool  https_pool

* Click Finished.
* Open a new Web browser and access https://10.128.10.20.
* View the URI and the information in the Pool member address/port.
  Questions:
    Is the connection between the client and BIG-IP LTM secured? _____________
    Is the connection between BIG-IP LTM and the pool member secured? _____________
* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page. Each request is load balanced to different pool members.
* Close the Web browser.

TASK 5 – Add Cookie Persistence to the HTTPS Virtual Server

Attempt to add cookie persistence to the HTTPS virtual server and then verify the results.

* In the Configuration Utility, open the Virtual Server List page, and then select https_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Select the Resources tab.
* For Default Persistence Profile, select custom_cookie.
* Click Update.
* Open a new Web browser and access https://10.128.10.20.
  Questions:
    Did the Web page display? _____________
    If not, why not? _______________________________________________________

TASK 6 – Enable SSL Termination with the HTTPS Virtual Server

Enable SSL termination on the HTTPS virtual server, and then verify the results.

* In the Configuration Utility, on the https_vs page, open the Properties page.
* For SSL Profile (Client), move custom_client_ssl from the Available list to the Selected list.
* For SSL Profile (Server), move serverssl from the Available list to the Selected list.
* Click Update.
* Refresh the https://10.128.10.20 Web browser.
* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page.
* Update the URI to https://10.128.10.20/badpage.exe.
  Questions:
    Did the Web page display? _____________
    Is the connection between the client and BIG-IP LTM secured? _____________
    Is the connection between BIG-IP LTM and the pool member secured? _____________
    Is cookie persistence working? _____________
    Is BIG-IP LTM processing the HTTP profile? _____________
* Edit the URI to https://10.128.10.20.
* Right-click and select Properties.
* Click Certificates.
  Question:
    How can you identify that this is a self-signed certificate? _________________________
* Close the Web browser.

EXERCISE 1.9B – ENABLING SSL OFFLOAD

In this exercise you will update the HTTPS virtual server to perform SSL offload, sending unencrypted traffic to the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Import an SSL Certificate and Key

Import the lamp.f5demo.com certificate and key.

* In the Configuration Utility, open the System > File Management > SSL Certificate List page.
* Click Import.
* From the Import Type list, select Certificate.
* In the Certificate Name box, leave Create New selected and type lamp.
* Click the Browse button.
* Navigate to the Exercise_Files folder and select the lamp.f5demo.com.cer file, and then click Open.
* Click Import.
* Once the certificate has been imported, click Import again to import the corresponding key.
* From the Import Type list, select Key.
* In the Key Name box, leave Create New selected and type lamp.
* Click the Browse button.
* Navigate to the Exercise_Files folder and select the lamp.f5demo.com.key file, and then click Open.
* Click Import.
TASK 2 – Create a Client SSL Profile

Create a new custom client SSL profile using the lamp.f5demo.com certificate and key.

* Open the Local Traffic > Profiles > SSL > Client page.
* Create a client SSL profile using the following information:

    Name         lamp_client_ssl
    Certificate  lamp
    Key          lamp

* Click Finished.

TASK 3 – Update Your Local Hosts File

Add an entry to your local hosts file for lamp.f5demo.com.

* Open Notepad and select Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Add an entry for:

    10.128.10.30 lamp.f5demo.com

* Save and close the hosts file.

TASK 4 – Create an Offload Virtual Server

Create a new virtual server that will perform SSL offload.

* Open the Virtual Server List page.
* Create a virtual server using the following:

    Name                         offload_vs
    Destination                  Host: 10.128.10.30
    Service Port                 443 (or HTTPS)
    Configuration                Advanced
    HTTP Profile                 custom_http_profile
    Stream Profile               custom_stream
    SSL Profile (Client)         lamp_client_ssl
    HTTP Compression Profile     custom_compression
    Default Pool                 http_pool
    Default Persistence Profile  custom_cookie

* Click Finished.
* Open a new Web browser and access https://lamp.f5demo.com.
* View the URI and the information in the Pool member address/port.
  Questions:
    Is the connection between the client and BIG-IP LTM secured? _____________
    Is the connection between BIG-IP LTM and the pool member secured? _____________
    Is cookie persistence working? _____________
* Select the Request and Response Headers link.
  Question:
    Is the BIG-IP processing the HTTP profile? _____________
* Click the Back button, and then select the Stream Profile Example link.
  Question:
    Is the BIG-IP processing the stream profile? _____________

TASK 5 – Verify the New Certificate

Test the new certificate being used by the offload virtual server.

* Right-click the page and select Properties.
* Click Certificates.
  Question: Who issued this certificate?
_____________________________
When does it expire? _________________________________
* Close the Web browser.
* In the Configuration Utility, create an archive file named 1.9_ssl_termination_v11.4.0.1.

MODULE 10 EXERCISES – NATS AND SNATS

EXERCISE 1.10A – USING A NAT

In this exercise you will configure a NAT to pass traffic between an external device and a specific internal node.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Configure a NAT

Create a custom NAT to give external users access to a specific node in the 10.128.20.0 network.

* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Address Translation > NAT List page.
* Click Create.
* Create a NAT using the following:

    Name            custom_NAT
    NAT Address     10.128.10.200
    Origin Address  10.128.20.13
    State           Enabled

* Click Finished.

TASK 2 – Testing the NAT – Inbound

Test the NAT by opening the new NAT address using several application services.

* Open a new Web browser and access http://10.128.10.200. Note that all items are coming from pool member #3 (10.128.20.13).
* Edit the URL to https://10.128.10.200.
* Using Putty, open an SSH session to 10.128.10.200.
  NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.
  Note that you can connect to multiple services through the NAT and that you are always connected to 10.128.20.13.
* Close the Web browser and the Putty window.

TASK 3 – Disable the NAT

Disable the NAT to ensure that it won’t interfere with future exercises.

* In the Configuration Utility on the NAT List page, select custom_NAT.
* From the State list, select Disabled.
* Click Update.
* Confirm that the NAT is no longer available by opening a new Web browser and attempting to access http://10.128.10.200.

EXERCISE 1.10B – USING SNATS

In this exercise you will configure a SNAT to pass traffic between an external device and internal nodes.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 25 minutes

TASK 1 – Testing Behavior without a SNAT

Open the HTTP virtual server and examine what the back-end Web server sees as the client IP address.

* Open a new Web browser and access http://10.128.10.20.
* View the information in the Request Details section.
  Questions:
    What is the client IP address? __________________________
    What device “owns” this IP address? _________________________________

TASK 2 – Using SNAT Auto Map with the HTTP Virtual Server

Update the HTTP virtual server by enabling SNAT Auto Map.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* In the Configuration section, from the Source Address Translation list, select Auto Map.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.
  Questions:
    What is the client IP Address? __________________________
    What device “owns” this IP address? ________________________
    When using SNAT, how can we ensure that the back-end Web server can identify the true client IP address? _________________________________________________________________________
* In the Configuration Utility, update http_vs by selecting custom_http_profile.
* In the http://10.128.10.20 Web page, select the Request and Response Headers link.
  Question:
    What is the X-Forwarded-For value? _________________________
* Close the Web browser.

TASK 3 – Create a SNAT

Create a custom SNAT to give external users in the 10.128.10.0 network access to several nodes in the 10.128.20.0 network.

* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
* Click Create.
* Create a SNAT using the following:

    Name          custom_SNAT
    Translation   IP Address: 10.128.20.201
    Origin        Address List
    Address List  Network Address: 10.128.10.0 Mask: 255.255.255.0 (be sure to click Add)

* Click Finished.
* Open a new Web browser and access http://10.128.10.20.
* Update the URI to http://10.128.10.21.
* Update the URI to https://10.128.10.20.
* Close the Web browser.
  Questions:
    Did every connection use the new SNAT? __________________
    If not, which one didn’t? __________________________________________________
* Update the http_vs by selecting None for Source Address Translation.
* Update the http_vs2 by selecting None for Source Address Translation.
* Open a new Web browser and access http://10.128.10.20.
* Edit the URI to http://10.128.10.21.
* Close the Web browser.

TASK 4 – Create a SNAT Pool

Create a SNAT pool and then use the SNAT pool with a virtual server.

* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT Pool List page.
* Click Create.
* Create a SNAT pool using the following:

    Name         custom_SNAT_pool
    Member List  10.128.20.222
                 10.128.20.223
                 10.128.20.224
                 (be sure to click Add)

* Click Finished.
* Open the Virtual Server List page, and then select http_vs2.
* For Source Address Translation, select SNAT.
* For SNAT Pool, select custom_SNAT_pool.
* Click Update.
* Open a new Web browser and access http://10.128.10.21.
  Question:
    Which IP address was used for the SNAT address? _____________________________
* Close the Web browser.

TASK 5 – Creating a SNAT for Internal Users

Create a SNAT to give internal users access to external resources through BIG-IP LTM.

* In the VMware Workstation console, select the LAMP image and click Login.
* Open Firefox and attempt to access http://www.yahoo.com.
  NOTE: The request should fail. If your request is successful, it’s likely because you enabled Network Adapter 4 for the Ubuntu image in VMware Workstation.
* In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
* Create a SNAT using the following:

    Name          internal_SNAT
    Translation   IP Address: 10.128.1.100
    Origin        Address List
    Address List  Network Address: 10.128.20.0 Mask: 255.255.255.0 (be sure to click Add)

* Click Finished.
* In the LAMP VMware image, refresh the http://www.yahoo.com Web page.
* In the Configuration Utility, create an archive file named 1.10_nat_snat_v11.4.0.1.

TASK 6 – Delete the SNATs

Delete both SNATs as they aren’t needed for the remaining exercises.

* In the Configuration Utility, on the SNAT List page, select the checkbox for both custom_SNAT and internal_SNAT, and then click Delete twice.

MODULE 10 EXERCISES – IRULES

EXERCISE 1.11A – WRITING YOUR FIRST IRULE

In this exercise you’ll download and install the iRule Editor from DevCentral. You’ll then use the iRule Editor to connect to your BIG-IP and write your first iRule. You’ll then download an iRule from DevCentral and use the iRule as is.

* Estimated completion time: 25 minutes

TASK 1 – Download the iRule Editor

Access and log in to DevCentral, and then download the iRule Editor. You do not need to perform this task if you already have the iRule Editor installed on your workstation.

* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iRules.
* On the left navigation menu select iRule Editor.
* Download and install the iRulerSetup.msi file.

TASK 2 – Open the iRule Editor

Open the iRule Editor and explore the application.

* From your Start menu, launch the F5 iRule Editor.
* Click the iRules Reference button. This opens the iRules Wiki Home page on DevCentral.
* Close the Web browser.
* Click the TCL Reference button. This opens the TCL command reference page.
* Click the set link. We’ll be covering the set command shortly.
* Close the Web browser.

TASK 3 – Use the iRule Editor to Connect to Your BIG-IP

Use the iRule Editor to connect to the external self IP address of your BIG-IP system.

* In the iRule Editor, select File > Connect.
* In the Hostname box type 10.128.10.240.
* In the Username and Password boxes enter the username and password you created in Exercise 1.1C.
* Click OK.
  Questions: Did you successfully connect?
________________
Which port is being used to connect to the BIG-IP system? __________________
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Network > Self IPs page, and then select external_selfIP.
* Add the required port to the Custom List, and then click Update.
* In the iRule Editor, attempt to connect again using the same username and password.

TASK 4 – Create Your First iRule

Create a basic iRule to log information when a client connection is accepted by the BIG-IP.

* In the left navigation menu of the iRules Editor, select Local Traffic.
* Select File > New.
* Name the new iRule exercise_iRule.
* Select the Custom tab.
* Select the CLIENT_ACCEPTED event, and then click OK.
* Edit the text inside of the double-quotes to: "Client connection accepted"
* Select the View menu. By default, the iRule Editor displays several annotations to help you write iRules.
* Select both Whitespace and End of Line.
* Click Save. This will check the syntax of the iRule. You’ll get a notification at the bottom of the iRules Editor of any syntax errors.
* In the Configuration Utility, open the Local Traffic > iRules > iRules List page. The iRule was saved on the BIG-IP.
* Select exercise_iRule. Note how different it is viewing and editing an iRule in the Configuration Utility versus the iRule Editor.

TASK 5 – Add the iRule to the HTTP Virtual Server

Add the new iRule to the existing HTTP virtual server, and then verify the iRule.

* Open the Virtual Server List page, and then select http_vs.
* Ensure that the HTTP Profile is set to http. Click Update if necessary.
* Open the Resources page.
* For Default Persistence Profile, select None.
* Click Update.
  NOTE: We are removing persistence in order to use iRules for all BIG-IP LTM load balancing decisions.
* In the iRule section, click Manage.
* Move the exercise_iRule from the Available list to the Enabled list.
* Click Finished.
* Open Putty, and then access and log in to 10.128.10.240.
  NOTE: For easier viewing of log entries, we recommend resizing the Putty window, making it bigger both horizontally and vertically.
* At the CLI prompt, type:

    tail -f /var/log/ltm

* Type the Enter key a few times to move the existing log entries to the top of the window.
* Open up a new Web browser and access http://10.128.10.20.
* View the Putty window.
  Questions:
    Was the iRule triggered? _______________
    How many client connections were required for this request? _________________

TASK 6 – Save the Current iRule to your Offline iRules

Create a new iRule, then copy your current iRule to the new iRule, and then copy the new iRule to your offline iRules.

* In the iRule Editor, select Local Traffic, and then select File > New.
* Name the new iRule exercise1A_iRule, use the Blank template, and then click OK.
* Copy the code from exercise_iRule and paste into exercise1A_iRule.
* Save exercise1A_iRule.
* Right-click exercise1A_iRule and select Copy Offline. The new iRule is saved under Offline iRules, which is stored on your local workstation. This will enable you to use this iRule on any BIG-IP that you can connect to.
  NOTE: In the iRules exercises, we will continue to make modifications to the exercise_iRule, and then save the iRule from each exercise to your Offline iRules. This will enable us to continue to make updates to the iRule without needing to update the virtual server.

TASK 7 – Using an iRule from DevCentral

Use an iRule from DevCentral to prevent valid credit card numbers from being returned to users.

* Open a new Web browser and access http://10.128.10.20.
* Select the Mask Sensitive Content Example link. This page contains confidential information that we’d like to prevent from being sent in an HTTP response.
* In the iRule Editor, use the iRules Reference button to access DevCentral.
* On the left navigation menu, select CodeShare.
* Find an iRule that scrubs out credit cards from HTTP traffic. (NOTE: Don’t use the iRule that uses a stream profile.)
* In the iRules Source section, click on the view source button.
* Select and copy all of the iRules code.
* In the iRule Editor, for exercise_iRule, delete the existing code, and then paste the contents of the credit card scrubber.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/privatedata.html Web page.
* Close the Web browser.

FOR EXTRA CREDIT

* Update the iRule to change the character used for scrubbing from “X” to “*”.
* Test by refreshing the credit card accounts page.

TASK 8 – Save the Current iRule to your Offline iRules

* In the iRule Editor, select Local Traffic, and then select File > New.
* Name the new iRule exercise1B_iRule, use the Blank template, and then click OK.
* Copy the code from exercise_iRule and paste into exercise1B_iRule.
* Save exercise1B_iRule.
* Right-click exercise1B_iRule and select Copy Offline.

EXERCISE 1.11B – USING IRULE EVENTS

In this exercise you experiment with some of the events that you can use to trigger an iRule.

* Estimated completion time: 20 minutes

TASK 1 – Update the iRule with Multiple Events

Update the exercise_iRule by adding several events.

* In the iRule Editor, select exercise1A_iRule and copy all of the code.
* Select exercise_iRule and delete all of the existing code, and then paste the copied text.
* Place the cursor at the beginning of line 1, and then type Enter a couple of times.
* At the beginning of line 1 start typing the word when.
* When the iRule Editor prompts for the word, type the Enter key to accept the full word when.
* After when, start typing RULE_ and then hit Enter to accept the RULE_INIT event.
* After RULE_INIT, type a {, then type the Enter key twice, and then type a }. This is a good method for ensuring that you have a closing curly brace for every opening curly brace.
* Move your cursor after the indent in line 2.
* Type the following command and arguments:

    log local0. "iRule created or updated"
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
  NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.
* In the iRule Editor, save the exercise_iRule, and then view the Putty window.
  Questions:
    Was the RULE_INIT event triggered? ________________
    Was the CLIENT_ACCEPTED event triggered? ________________
* Type the Enter key a few times to move the existing log entries to the top of the window.
* Open a new Web browser and access http://10.128.10.20.
* View the Putty window.
  Questions:
    Was the RULE_INIT event triggered? ________________
    Was the CLIENT_ACCEPTED event triggered? ________________
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the CLIENT_ACCEPTED event:
* Save the iRule.
* In the http://10.128.10.20 Web page select the Welcome link.
* View the Putty window.
  Question:
    How many HTTP requests are needed to build this Web page? ________________
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the HTTP_REQUEST event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.
  Question:
    Was a different pool member selected for each HTTP request? ________________
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the LB_SELECTED event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, add the following after the SERVER_CONNECTED event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* View the Putty window.

TASK 2 – Enable Caching and Compression on the HTTP Virtual Server

Enable caching, compression, and OneConnect on the HTTP virtual server, and then examine the difference in the iRule results.

* In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
* Configure the following:
  * HTTP Profile: custom_http_profile
  * OneConnect Profile: custom_oneconnect
  * HTTP Compression Profile: custom_compression
  * Web Acceleration Profile: custom_caching
* Click Update.
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* In Putty, type the Enter key five times.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
* Close the Web browser.
* View the Putty window.
  Question:
    How did these profiles change the results of the iRule triggering? _______________________________________________________________________
* In the Configuration Utility, on the http_vs Properties page, configure the following:
  * HTTP Profile: http
  * OneConnect Profile: None
  * HTTP Compression Profile: None
  * Web Acceleration Profile: None
* Click Update.
  NOTE: We are removing these profiles to ensure that BIG-IP LTM makes load balancing decisions for each request and doesn’t serve up content from its cache.

TASK 3 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise2_iRule using the Blank template.
* Copy the code from exercise_iRule and paste into exercise2_iRule.
* Save exercise2_iRule.
* Right-click exercise2_iRule and select Copy Offline.

EXERCISE 1.11C – USING VARIABLES

In this exercise you will set variables in an iRule, and then reference and manipulate the variables.

* Estimated completion time: 20 minutes

TASK 1 – Set Variables in an iRule

Update the exercise_iRule by setting several variables.

* In the iRule Editor, select exercise_iRule.
* Delete all of the existing events EXCEPT for the HTTP_REQUEST event.
* In the line directly after the when HTTP_REQUEST line, type:

    set name "Chris"         (use your own first name)
    set last_name "Manly"    (use your own last name)
    set price 9.95
    set quantity 5

TASK 2 – Reference Variables in an iRule

Update the exercise_iRule by referencing the variables you set in the previous task.

* Edit the log local0. message to:

    log local0. "$name $last_name made an HTTP request"

* Save the iRule.
* In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
  NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.
* Open a new Web browser and access http://10.128.10.20/httprequest.php.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, create a second log entry:

    log local0. "Order made for $quantity items at $$price each"

  NOTE: Be sure to include two dollar signs before “price”.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window. Note that the iRule was able to identify that $price was referencing a variable, and the dollar sign before that was interpreted as a regular text string.
* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 3 – Manipulating Variables

Update the exercise_iRule by using the append, incr, and expr commands.

* In the iRule Editor, in the line after setting your last name, type:

    append name " "          (there should be one space between the quotes)
    append name $last_name

* Edit the first log local0. message to:

    "$name made an HTTP request"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, in the line after the final log local0. statement, type:

    incr quantity 2
    log local0. "Due to our special, $name will receive $quantity items"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, in the line after setting the quantity, type:

    set total [expr { $price * $quantity } ]
    set tax [expr { $total * .09 } ]
    set grand_total [expr { $total + $tax } ]

* In the line after the final log local0. statement, type:

    log local0. "Total: $$total, tax: $$tax, for a grand total of $$grand_total"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

TASK 4 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise3_iRule using the Blank template.
* Copy the code from exercise_iRule and paste into exercise3_iRule.
* Save exercise3_iRule and then copy it to your Offline iRules.

EXERCISE 1.11D – USING TCL AND IRULES COMMANDS

In this exercise you will use several TCL and iRules commands to make your existing iRules based on dynamic connection information.

* Estimated completion time: 30 minutes

TASK 1 – Update the iRule using iRules Commands

Update the iRule you created in exercise 2 by logging information based on the actual client connection.

* In the iRule Editor, select exercise2_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* Update the CLIENT_ACCEPTED event as follows:
* Update the LB_SELECTED event as follows:
* Update the SERVER_CONNECTED event as follows:
* Update the HTTP_RESPONSE event as follows:
* Save the iRule and ensure you don’t receive any syntax errors.
* Open a new Web browser and access http://10.128.10.20/httprequest.php.
* View the Putty window.
In the next section we will be discussing using conditional statements. Start thinking about the traffic management decisions you could make on the BIG-IP system using any of the information that you sent to the log file.

* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 2 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise4A_iRule.
* Copy the code from exercise_iRule and paste into exercise4A_iRule.
* Save exercise4A_iRule, and then copy it to your Offline iRules.

TASK 3 – Update the iRule using HTTP Commands

Experiment with the different HTTP commands that are available in an iRule.

* Select exercise_iRule.
* Delete all of the existing events EXCEPT for the when HTTP_REQUEST event.
* Update the HTTP_REQUEST event as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* Edit the URI to http://10.128.10.20/httprequest.php?user=bob.

Question: Which value changed between the two requests? _________________________________

* Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 4 – Create a Custom Response Page

Using the iRule, create a custom HTTP response page to be sent for all client requests.

* In the iRules Editor, select exercise_iRule.
* After the HTTP_REQUEST event add the following HTTP_RESPONSE event:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php?user=bob Web page.

Question: Did you receive the custom Webpage? ___________________

In the next lesson we’ll cover using conditional statements. Be thinking about what information you could use to determine whether or not to display this error page for user requests.

TASK 5 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise4B_iRule.
* Copy the code from exercise_iRule and paste into exercise4B_iRule.
* Save exercise4B_iRule, and then copy it to your Offline iRules.

TASK 6 – Use the Stream Command

In Exercise 1.6B you used a Stream profile in the Configuration Utility. As you learned, one of the limitations of the Stream profile is that you can only find one text string to replace with another. You will now use the stream command in an iRule to find multiple text streams and replace them with different values.

* In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
* Configure the following:
  * Stream Profile: stream
  * HTTP Compression Profile: custom_compression
* Click Update.
  NOTE: Even when you use the stream command in an iRule, you still need to include the default Stream profile, and in addition you need to ensure that the Web servers aren’t compressing content (which is achieved by using an HTTP compression profile).
* In the iRules Editor, select exercise_iRule.
* Delete all of the lines contained within the HTTP_RESPONSE event (but leave the event itself).
* Save the iRule.
* Open a new Web browser and access http://10.128.10.20/lorax.php. There are references to “Lorax Bank”, “Lorax Finances”, and “savings accounts”.
* In the iRule Editor, update the HTTP_RESPONSE event as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. The references to “Lorax Bank” have been replaced with “Lorax Investments”.
* Update the STREAM::expression as follows:

    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@}

  NOTE: Type all of the previous expression on one line.
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. All references to the previous entries have been replaced with the updated entries.
* Click on the top graphic to go back to the home page.
* From the http://10.128.10.20 page, select the Multiple Stream Example link.
  NOTE: The graphics in the second column on this page are “broken” links.
* Right-click on the page and select View Source.

Question: What are the URLs that the broken image links are pointing to? ____________________________________________________________________

* Close the source code page.
* Update the STREAM::expression as follows:

    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@ @http://server1.hostingsite.com/images@/images@}

* Save the updated iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/badlinks.html Web page.

Question: Why did the first two pictures display properly, but the third picture still doesn’t display? _________________________________________________________________

* Update the stream expression so that all three graphics display on the page.

TASK 7 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise4C_iRule.
* Copy the code from exercise_iRule and paste into exercise4C_iRule.
* Save exercise4C_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11E – USING CONDITIONAL STATEMENTS

In this exercise you will add conditional statements to your iRules, using if, elseif, and else statements, in addition to using the stream command.

* Estimated completion time: 40 minutes

TASK 1 – Update the Custom Error Page iRule

Update the iRule you created earlier that displays a custom error page by using a conditional statement to determine the HTTP response status and displaying the error page only when the user receives a 404 error.

* In the iRule Editor, select exercise4B_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* Update the HTTP_RESPONSE event as follows:
  NOTE: The indenting within the if command isn’t required; however it can make the iRule easier to read.
* Save the iRule and ensure you don’t receive any syntax errors.
* Open a new Web browser and access http://10.128.20.10.
* Edit the URI to http://10.128.20.10/index.html.
* Close the Web browser.

Because this Web server doesn’t have an index.html file, it responded with a 404 error status. Instead of simply passing the 404 error to the client, we can present them with more useful information in the custom Web page.

TASK 2 – Create Three Wildcard Pools

In the next several iRule examples we’ll be making traffic management decisions. Create three pools to use within these iRules.

* In the Configuration Utility, open the Pool List page.
* Create a pool using the following:

    Name                     iRules_pool1
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members (Use the Node List option)
        Node             Service Port
        10.128.20.11     * (All Services)

* Create another pool using the following:

    Name                     iRules_pool2
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members (Use the Node List option)
        Node             Service Port
        10.128.20.12     * (All Services)

* Create another pool using the following:

    Name                     iRules_pool3
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members (Use the Node List option)
        Node             Service Port
        10.128.20.13     * (All Services)

* Create another pool using the following:

    Name                     iRules_pool4
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members (Use the Node List option)
        Node             Service Port
        10.128.20.14     * (All Services)

TASK 3 – Use an iRule for Traffic Management Decisions

Use the iRule to make traffic management decisions based on the requested file type.

* In the iRule Editor, update the HTTP_REQUEST event as follows:

This iRule will identify the file type of the user request. If the file type is php, the request will be routed to the iRules_pool1 pool. Because we’re now using the iRule for traffic management decisions, we need to remove the default pool from the virtual server.

* Save the iRule.
* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Open the Resources page.
* For Default Pool, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.20/welcome.php.

Questions:
  Did the page display properly? ___________________
  If not, why not? ______________________________________________________

* In the iRule Editor, update the HTTP_REQUEST as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.

Questions:
  Did the page display properly? ___________________
  If yes, which pool supplied the welcome.php page? ______________________________
  Which pool supplied the graphics? _______________________________

* Click on the top graphic to go back to the home page.

Questions:
  Did the page display properly? ___________________
  If not, why not? ______________________________________________________

* In the iRule Editor, update the HTTP_REQUEST as follows:

Since we no longer have a default pool associated with the virtual server, it’s a good idea to have an else statement for requests that don’t match the if or the elseif conditions.

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.

Questions:
  Did the page display properly? ___________________
  Which page supplied the index.php page? ________________________
  Which pool supplied the F5 logo at the bottom of the page? _________________________
  Why wasn’t this graphic supplied by iRules_pool2? _____________________________

TASK 4 – Manage Traffic Based on the Service Port

Create a new iRule that will manage traffic based on the request’s application port.

* In the iRule Editor, create a new iRule using the blank template named wildcard_iRule.
* Use the following to create this iRule:
* Save the iRule.

TASK 5 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports.

* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following:

    Name            wildcard_vs
    Destination     Host: 10.128.10.40
    Service Port    * (All Ports)
    iRules          wildcard_iRule
    Default Pool    None
* Open a Web browser and access http://10.128.10.40.

Question: Which pool supplied this request? ___________________

* Edit the URI to https://10.128.10.40.

Question: Which pool supplied this request? ___________________

* Edit the URI to http://10.128.10.40:8081.

Questions:
  Which pool supplied this request? ___________________
  How was BIG-IP LTM able to view the iRule and make traffic management decisions when there’s no HTTP profile configured on the virtual server? ___________________________________________________________________________

* Close the Web browser.

TASK 6 – Update the iRule to Use the Switch Operator

Update the wildcard_iRule to use the switch operator in place of the if, elseif, else statements.

* In the iRules Editor, update the wildcard_iRule as follows:

In this statement, the -exact argument is optional. The $requestport variable is the value that we are comparing to either 80, 443, or 8081. The statements after the 80, 443, and 8081 are the actions to take if the port value matches. The default statement is for all requests that don’t match port 80, 443, or 8081.

* Save the iRule.
* Test by using a new Web browser to access http://10.128.10.40, http://10.128.10.40:8081, and https://10.128.10.40.
* Close the Web browser.
* In the configuration utility, access the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics.
* Reset the statistics for all pools and all pool members.
* Open a new Putty session and access 10.128.10.40.
  NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.
* In the configuration utility, refresh the pools statistics.

Question: Which pool supplied this request? ___________________

* Close Putty.
* Copy the wildcard_iRule to your Offline iRules.

TASK 7 – Use the Switch Operator to Manage Traffic Based on the File Type

Create an iRule to determine the requested file type.
If the request is for an unauthorized file type we’ll present a custom error page for the user. Otherwise we’ll route all requests for graphic files to one pool, PHP pages to another pool, and all other requests to a third pool.

* Open a new Web browser and access http://10.128.10.20.
* Edit the URI to http://10.128.10.20/calc.exe.
* Attempt to run the application.
* Edit the URI to http://10.128.10.20/basic.css.
* Close the Web browser.

Currently this Web application contains files that shouldn’t be accessed by users. We’ll use the iRule to block access to these file types.

* In the iRules Editor, select exercise_iRule.
* Delete the lines containing the if, elseif, and else statements.
* Update the HTTP_REQUEST event as follows:

In this statement, the -glob argument enables us to use wildcard characters. The $httppath variable is the value that we are comparing. For each of the file types we are using the asterisk wildcard. If the $httppath variable ends with exe or css, the user will get a custom response page, and in addition we’ll send an entry to the log file. If the variable ends with jpg, gif, or png, the request is sent to iRules_pool1. If the variable ends with php the request is sent to iRules_pool2 and we send an entry to the log file. The default statement is for all requests that don’t match any of the listed file types.

* Save the iRule and ensure you don’t receive a syntax error.
* Open a new Web browser and access http://10.128.10.20.

Questions:
  Which pool supplied the index.php page? ____________________
  Why didn’t this request go to iRules_pool2? _____________________________________
  Which pool supplied the F5 logo? ____________________

* Select the Welcome link.

Question: Which pool supplied the welcome.php page? ____________________

* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.

Question: Were you able to open these sensitive files? _______________

* View the Putty window.
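The Task 7 HTTP_REQUEST event described above, written out as an added example; it is not the guide's own listing. Setting $httppath from the lowercased HTTP::path, the 403 status and response HTML, the wording of the blocked-request log entry, and iRules_pool3 as the default pool are assumptions.

```tcl
when HTTP_REQUEST {
    # Assumption: compare the path only (no query string), lowercased.
    # switch -glob patterns are case-sensitive, so without this a request
    # for /CALC.EXE would fall through to the default branch.
    set httppath [string tolower [HTTP::path]]

    switch -glob $httppath {
        "*exe" -
        "*css" {
            # Unauthorized file types: log the attempt and answer from the
            # BIG-IP itself, so the request never reaches a pool member.
            # The response body is static; the requested path is not echoed
            # back into the HTML.
            log local0. "Blocked request for $httppath from [IP::client_addr]"
            HTTP::respond 403 content "<html><body><h1>Access denied</h1><p>This file type is not available.</p></body></html>" "Content-Type" "text/html"
        }
        "*jpg" -
        "*gif" -
        "*png" {
            # Graphics: routed without a log entry.
            pool iRules_pool1
        }
        "*php" {
            # PHP pages: routed and logged.
            log local0. "Request made for $httppath"
            pool iRules_pool2
        }
        default {
            # Everything else, including the root page "/".
            # Assumption: the third pool is iRules_pool3.
            pool iRules_pool3
        }
    }
}
```

Matching on the lowercased path rather than the full URI keeps a query string or an upper-case extension from skipping the blocked branch.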
Questions:
  Did requests for images generate a log entry? ________________
  Did requests for css files generate a log entry? ________________
  Did requests for php pages generate a log entry? _______________

* Close the Web browser.

TASK 8 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise5_iRule.
* Copy the code from exercise_iRule and paste into exercise5_iRule.
* Save exercise5_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11F – WORKING WITH LISTS

In this exercise you work with lists. First you’ll create a static list and experiment with different commands to manipulate the list. Next you’ll create a dynamic list containing HTTP request headers.

* Estimated completion time: 30 minutes

TASK 1 – Update the HTTP Virtual Server and the iRule

Update the HTTP virtual server by using the HTTP pool as the default pool.

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Pool list, select http_pool, and then click Update.
* In the iRule Editor, delete all of the code in the exercise_iRule.

TASK 2 – Work with a Static List

Create a static list, and then use several list commands to manipulate the list.

* To create a new static list, add the following HTTP_REQUEST event to exercise_iRule.
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To sort the list, add the following lines at the end of the HTTP_REQUEST:

    set mylist [lsort $mylist]
    log local0. "Sorted first list: $mylist"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To add items to the list, add the following lines at the end of the HTTP_REQUEST:

    lappend mylist "rst" 222
    log local0. "Second list: $mylist"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: Were the new items added into the sorted order? ___________________

* Add additional lines to the iRule to sort the list after the new items have been added and add an entry to the log file. After refreshing the http://10.128.10.20/httprequest.php Web page, the log entry should look like this:
* To insert an item to the list, add the following lines at the end of the HTTP_REQUEST:

    set mylist [linsert $mylist 1 "f5"]
    log local0. "Third list: $mylist"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
  How are the lappend and linsert commands different? _____________________________
  In what position in the list was the new entry added? ________________

* Once again, add additional lines to sort the new list and add an entry to the log file.
* To determine the number of items in the list, add the following line at the end of the HTTP_REQUEST:

    log local0. "Third list length: [llength $mylist]"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What are a couple of advantages of knowing the number of items in a list? ________________________________________________________________________

* Add the following lines at the end of the HTTP_REQUEST:

    lset mylist 3 "456"
    log local0. "Fourth list: $mylist"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
  How is the lset command different from the lappend and linsert commands? __________________________________________________________________________
  In what position in the list was the new entry added? ________________

* To determine the value of an item in the list, add the following lines at the end of the HTTP_REQUEST:

    set item [lindex $mylist 3]
    log local0. "Item #4: '$item'"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.
* To determine the index value of three different items, add the following lines at the end of the HTTP_REQUEST:

    set find1 [lsearch $mylist "rst"]
    set find2 [lsearch $mylist 222]
    set find3 [lsearch $mylist "deflmo"]
    log local0. "List item 'rst' at index # $find1"
    log local0. "List item '222' at index # $find2"
    log local0. "List item 'deflmo' at index # $find3"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
  What index number is “222” at? __________________
  Why is the third item displaying at index value -1? _________________________________

TASK 3 – Add Iteration to the iRule

Use iteration to loop through the different items in the static list.

* In the iRule Editor, add the following lines at the end of the HTTP_REQUEST:

    set myaddress "401 Elliott Ave S, Seattle, WA 98119 USA"     (use your own address)
    set mylist [split $myaddress " "]
    log local0. "First item: '[lindex $mylist 0]'"

* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: Without using iteration, how would you create separate log messages for each list entry? __________________________________________________________________________

* Replace the previous log local0 entry with the following:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What can you add to make these log entries more understandable? __________________________________________________________________________

FOR EXTRA CREDIT

* Update the iteration command so that the log message lists the correct item number:

TASK 4 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6A_iRule.
* Copy the code from exercise_iRule and paste into exercise6A_iRule.
* Save exercise6A_iRule, and then copy it to your Offline iRules.

TASK 5 – Use a Dynamic List in an iRule

Use an iRule to gather information about the client request HTTP headers using the list commands.

* In the iRule Editor, update exercise_iRule as follows:
* Save the iRule.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Questions:
  How many HTTP headers are in your HTTP request? _________________
  Which header is at index position 1? ___________________________
  What is the index value for X-Forwarded-For? _________________

* In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
* View the Putty window.

Question: What changes occurred using this profile? ________________________________________

TASK 6 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise6B_iRule.
* Copy the code from exercise_iRule and paste into exercise6B_iRule.
* Save exercise6B_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11G – USING IRULES BEST PRACTICES

In this exercise you will add comments and debugging statements to an iRule you created earlier.

* Estimated completion time: 15 minutes

TASK 1 – Add Comments to an iRule

Update an iRule by adding several comments to make it easier to understand for other administrators.

* In the iRule Editor, select exercise5_iRule and copy all of the iRule code.
* Replace all of the previous code in exercise_iRule with the copied text.
* In the line directly after the when HTTP_REQUEST line, add the following comment:

    #Identify the requested page and store in a variable

* Continue to add the following comments:

TASK 2 – Adding Debugging Statements for Logging

Logging isn’t recommended for BIG-IP systems in production.
Modify non-critical log statements to only run at specified times.

* In the line directly after the when HTTP_REQUEST line, add the following line:

    set debug 1

* Edit the log statement for PHP pages to the following:

    if { $debug } { log local0. "Request made for $httppath" }

* Add the exact statement above for the switch default statement:
* Save the iRule.
* Open a new Web browser and open the http://10.128.10.20 Web page.
* Select the Welcome link.
* Click on the top graphic to go back to the home page.
* Select the Multiple Stream Example link.
* View the Putty window. For debugging purposes, we can see that requests are made for the root page “/”, php pages, and html pages.
* Type the Enter key a few times to move the existing log entries to the top of the window.
* In the iRule Editor, edit the debug statement:

    set debug 0

* Save the iRule and then view the same pages as you did at the beginning of this task.
* Edit the URI to http://10.128.10.20/calc.exe.
* Edit the URI to http://10.128.10.20/basic.css.
* View the Putty window. We’ve now eliminated unnecessary logging, but can continue to log critical messages.

TASK 3 – Save the Current iRule to your Offline iRules

* In the iRule Editor, create a new iRule named exercise7_iRule.
* Copy the code from exercise_iRule and paste into exercise7_iRule.
* Save exercise7_iRule, and then copy it to your Offline iRules.
* Close the iRule Editor.
* In the Configuration Utility, create an archive file named 1.11_iRules_v11.4.0.1.

MODULE 11 EXERCISES – IAPPS

EXERCISE 1.12A – WORKING WITH IAPP APPLICATION SERVICES

In this exercise you will create an iApp Application Service. You will then examine the effects of enabling and disabling strictness. You will use reentrancy to update the application, and then examine the various objects iApp created for the application.

* Estimated completion time: 20 minutes

TASK 1 – Create a Web Application Using iApp

Create the Web application using an iApp Application Service.
* Open up a new Web browser and access https://10.128.1.245.
* Open the iApp > Application Services page.
* Click Create.
* Create an Application Service using the following information:

    Profile Name                                  app_web
    Template                                      f5.http
    Inline help?                                  No
    Configuration mode                            Basic
    IP address for virtual server                 10.128.10.40
    FQDN                                          lamp.f5demo.com
    Create a new pool or use an existing one?     Create a new pool
    Servers to reference                          Address         Port
                                                  10.128.20.11    80
                                                  10.128.20.12    80
                                                  10.128.20.13    80
    Health monitor                                Create new HTTP monitor
    HTTP URI to send                              /index.php
    Expected response                             Welcome

* Click Finished.

TASK 2 – Update Your Local Hosts File

Update the entry in your local hosts file for lamp.f5demo.com.

* Open Notepad and select Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Update the lamp.f5demo.com entry:

    10.128.10.40 lamp.f5demo.com

* Save and close the hosts file.

TASK 3 – Test Access to the iApp Application

Test access to the iApp application, and verify how traffic is being load balanced to pool members.

* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
  Which pool member(s) supplied content? __________________________________
  Why did only one pool member supply content? __________________________________
  Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then select the Pools statistics.
* Reset the statistics for all pools and pool members.
* In the http://lamp.f5demo.com Web page, select the HTTP Compress Example link.
* In the Configuration Utility, refresh the Pools statistics.

Questions:
  How many Bits Out did this page create? ____________________
  How many Packets Out did this page generate? ______________________
  How many total requests were needed to generate this Web page? __________________

* Reset the statistics for all pools and pool members.
* Use Ctrl+F5 to refresh the http://www.f5demo.com/bigtext.php page.
* Close the Web browser.
* In the Configuration Utility, refresh the Pools statistics.

Questions:
  How many Bits Out did this page create? ____________________
  How many Packets Out did this page generate? ______________________
  How many total requests were needed to generate this Web page? __________________
  What caused the difference in traffic to the pool member? __________________________

TASK 4 – View and Update the Application

Use iApp to update the previously deployed Web application.

* Open the iApp > Application Services page, and then select app_web.
* On the Components page, click app_web_vs. This navigates you to the virtual server Properties page.
* Attempt to update the Destination Address to 10.128.10.41.

Question: Why couldn’t you update the virtual server IP address? __________________________

* Open the iApp > Application Services page, and then select app_web.
* Select the Properties tab.
* From the Application Service list, select Advanced.
* Disable Strict Updates, and then click Update.
* Open the app_web_vs virtual server Properties page.
* Update the following:
  * Destination Address: 10.128.10.41
  * OneConnect Profile: None
  * HTTP Compression Profile: None
  * Web Acceleration Profile: None
* Click Update.
* Select the Resources tab.
* From both the Default Persistence Profile and Fallback Persistence Profile lists, select None.
* Click Update.
* Open a new Web browser and access http://10.128.10.41.
* Close the Web browser.
* Open the iApp Application Services page, and then select app_web.
* Select the Reconfigure tab.

Question: What is the virtual server IP address? __________________________

* Without making any changes, click Finished.
* Open the app_web_vs virtual server Properties page.
Questions:
  Are the updates you just made still in effect? ____________________
  If not, why not? _____________________________________________________________

* Open the Local Traffic > Profiles > Protocol > TCP page.

Question: How many TCP profiles were created for this application? ___________

* Open the iApp Application Services page, and then select app_web.
* Select the Properties tab.
* Re-enable Strict Updates, and then click Update.
* Select the Reconfigure tab.
* In the Network section, specify the following:

    What type of network connects clients to the BIG-IP system?
        Local area network (LAN)

* Click Finished.
* Open the Local Traffic > Profiles > Protocol > TCP page.

Question: Why is there now only one TCP profile? _________________________________________

TASK 4 – Delete an iApp Application Service

Create a new iApp Application Service using objects from another Application Service, and then attempt to delete both applications.

* Open the iApp > Application Services page.
* Create an Application Service using the following information:

    Profile Name                                  app_web_backup
    Template                                      f5.http
    Inline help?                                  No
    Configuration mode                            Basic
    IP address for virtual server                 10.128.10.41
    FQDN                                          (click the X to delete this option)
    Create a new pool or use an existing one?     app_web_pool

* Click Finished.
* Open the Application Services page.
* Select the checkbox for app_web, and then click Delete twice.

Questions:
  Were you able to delete this application? ____________________
  If not, why not? _____________________________________________________________

* On the Application Services page, select app_web_backup. iApp created several objects for this profile: a virtual server, persistence profiles, an http profile, and several optimization profiles.
* Select the Properties tab.
* Click Delete, and then click OK.
* View the following Configuration Utility pages and verify that the application objects are deleted:
  * Virtual Server List
  * HTTP Profiles
  * HTTP Compression Profiles
  * Web Acceleration Profiles
  * Persistence Profiles
  * TCP Profiles

TASK 5 – Update the Wildcard Pools

Update the three wildcard pools you created in the iRules exercises.

* Open the Pool List page.
* Update the following pools:
  * iRules_pool1: disable 10.128.20.11:0, add 10.128.20.11:80
  * iRules_pool2: disable 10.128.20.12:0, add 10.128.20.12:80
  * iRules_pool3: disable 10.128.20.13:0, add 10.128.20.13:80

TASK 6 – Reconfigure the Application Service

Reconfigure the Application Service using the advanced settings.

* Open the iApp Application Services page, and then select app_web.

Questions:
  How many profiles did iApp create for this application? _____________________
  What type of persistence does this application use? ________________________________

* Select the Reconfigure tab.
* In the Template Options section, select to use Advanced settings.
* In the Network section, specify the following:

    What type of network connects clients to the BIG-IP system?
        Wide area network (WAN)
    How have you configured routing on your web servers?
        Servers have a route to clients through the BIG-IP system

* In the Virtual Server and Pools section, specify the following:

    Which HTTP profile do you want to use?
        Create a new HTTP profile
    Should the BIG-IP system insert the X-Forwarded-For header?
        Do not insert X-Forwarded-For HTTP header
    Which persistence profile do you want to use?
        Do not use persistence
    Which load balancing method do you want to use?
        Weighted Least Connections (member)
    Do you want to give priority to specific groups of servers?
        Use Priority Group Activation
    What is the minimum number of active members in a group?
        2
    Which web servers should be included in this pool?
        Update the following:
            10.128.20.11:80, Limit: 1000, Priority: 8
            10.128.20.12:80, Limit: 800, Priority: 8
            10.128.20.13:80, Limit: 800, Priority: 6
        Add the following:
            10.128.20.14, Limit: 1200, Priority: 10
            10.128.20.15, Limit: 1200, Priority: 10
* In the Delivery Optimization section, specify the following:

    Which Web Acceleration profile do you want to use for caching?
        Do not use caching
    Which compression profile do you want to use?
        Do not compress HTTP responses
    How do you want to optimize client-side connections?
        Create the appropriate tcp-optimized profile

* In the Server Offload section, specify the following:

    Which OneConnect profile do you want to use?
        Do not use OneConnect
    How do you want to optimize server-side connections?
        Create a profile based on tcp-lan-optimized
    How many seconds should Slow Ramp time last?
        200

* In the Application Health section, specify the following:

    How many seconds should pass between health checks?
        10

* Click Finished.
* Open a new Web browser and access http://lamp.f5demo.com.

Questions:
  Which pool member(s) supplied content? __________________________________
  Is SNAT enabled or disabled? _________________________

* Select the Request and Response Headers link.

Question: Is the X-Forwarded-For request header present? ________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the iRules section, specify the following:

    Do you want to add any custom iRules to this configuration?
        exercise7_iRule

* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

Question: Did the BIG-IP make new traffic management decisions? _________________

* In the Configuration Utility, reconfigure the app_web Application Service.
* In the SSL Encryption section, specify the following:

    How should the BIG-IP system handle SSL traffic?
        Encrypt to clients, plaintext to servers (SSL Offload)
    Which Client SSL profile do you want to use?
        Create a new Client SSL profile
    Which SSL certificate do you want to use?
        lamp.crt
    Which SSL private key do you want to use?
        lamp.key

  Note that the virtual server port changed from 80 to 443 after you selected to use SSL offload.
* In the Virtual Server and Pools section, specify the following:
    Do you want to redirect inbound HTTP traffic to HTTPS?
        Redirect HTTP to HTTPS
    From which port should HTTP traffic be redirected?
        80
* Click Finished.
* Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

EXERCISE 1.12B – WORKING WITH IAPP TEMPLATES

In this exercise you will view the list of system-supplied iApp Templates, and then view the properties of a Template. You’ll then find and download iApp Templates from the F5 downloads page and from DevCentral.

* Estimated completion time: 20 minutes

TASK 1 – View iApp Templates

View the list of system-supplied iApp Templates.

* In the Configuration Utility, open the iApp > Templates page.
* Use the page list box to display all Templates on one page.

Questions:
  How many Templates are currently used for Application Services? ________________
  How can you tell that these are system-supplied Templates? __________________________

TASK 2 – View the Properties of an iApp Template

View the properties of the f5.http system-supplied Template.

* On the Template List page select f5.http.

Questions:
  What are the required BIG-IP modules? _______________________
  What is the minimum BIG-IP version? ________________________
  What is the maximum BIG-IP version? ________________________

* View the contents of the Implementation, Presentation, and HTML Help sections.
* Change the first line of the HTML Help section to:

Web server iApp Template

Questions:
  Can you save this change? ________________
  If not, why not? ________________________________________

TASK 3 – Download Updated iApp Templates from F5 Downloads

Access and log in to the F5 Downloads page, then download the updated iApp Templates for v11.3 to your workstation.

* Open the F5 product version download page at https://downloads.f5.com/esd/productlines.jsp.
* Select BIG-IP v11.x / Virtual Edition.
* From the list box select 11.3.0.
* Select iApp-Templates.
* Accept the license agreement.
* Select iapps-1.0.0.8.0.zip.
* Select the best download for your location.
* Save and then unzip the file on your local workstation.
  This file contains updated versions of the Exchange 2010 – 2013 Client Access Server and the Citrix XenApp XenDesktop iApp Templates.

TASK 4 – Download a Community-Contributed iApp Template from DevCentral

Access and log in to DevCentral, then find and download a community-contributed iApp Template to your workstation.

* Open a new Web browser and access http://devcentral.f5.com.
* Log in using your DevCentral user account, or create a DevCentral user account.
* On the left navigation menu select iApp.
* On the left navigation menu, select Samples.
* Under the Community-Contributed section, select MySQL Proxy iApp.
* Right-click on the green arrow, and then select Save Target As.
* Save and then unzip the file on your local workstation.
* Close the DevCentral Web page.

TASK 5 – Import iApp Templates Into the BIG-IP

Import iApp Templates into your BIG-IP system.

* In the Configuration Utility, open the iApp > Templates page.
* Click Import.
* Click Browse.
* Navigate to the location where you unzipped the downloaded Template files.
* Select f5.microsoft_exchange_2010_2013_cas.tmpl, and then click Open.
* Leave the Overwrite Existing Templates checkbox cleared and click Upload.
* Repeat the steps above to import mysql_proxy.2011-12-02.tmpl.
* Select the Application Services page, and then click Create.
* From the Templates list, select f5.microsoft_exchange_2010-2013_cas.v1.2.0cr1.
  You could now use this iApp Template for an application deployment.
* Create an archive file named 1.12_iApps_v11.4.0.1.
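Task 6 of Exercise 1.12A turns off X-Forwarded-For insertion and then asks whether SNAT is enabled and whether the header is present. The following added example (not part of the F5 guide) models what a pool member can attribute to the client under each combination of those two settings. The addresses 10.128.20.240 and 10.128.10.1 are the lab's internal self IP and workstation adapter; the forged header value, the function names, and the pass-through of client-supplied headers are assumptions made for illustration.

```python
import ipaddress

# Values taken from the lab: the BIG-IP internal self IP (Exercise 1.2) and the
# workstation's VMnet2 adapter address (Exercise 1.1).
BIGIP_INTERNAL_SELF_IP = "10.128.20.240"
LAB_CLIENT_IP = "10.128.10.1"
# Constructed value: a forged header a client could send (TEST-NET-3 address).
SPOOFED_XFF = ("X-Forwarded-For", "203.0.113.7")

# The only peer address whose X-Forwarded-For header the web server may believe.
TRUSTED_PROXIES = frozenset({BIGIP_INTERNAL_SELF_IP})


def backend_view(client_ip, client_headers, snat_automap, insert_xff):
    """Return (peer_ip, headers) as the pool member sees one proxied request.

    Assumption of this model: headers supplied by the client pass through
    unchanged, and an inserted X-Forwarded-For value is added after them.
    """
    headers = list(client_headers)
    if insert_xff:
        headers.append(("X-Forwarded-For", client_ip))
    # With SNAT Auto Map the server-side source is a BIG-IP self IP.
    peer_ip = BIGIP_INTERNAL_SELF_IP if snat_automap else client_ip
    return peer_ip, headers


def xff_chain(headers):
    """Flatten every X-Forwarded-For header line into one ordered list."""
    chain = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            chain.extend(part.strip() for part in value.split(",") if part.strip())
    return chain


def attribute_client(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return (client_ip, source) the way a careful web server would log it.

    The TCP peer is used unless it is a trusted proxy. Only then is the
    header consulted, reading from the right and skipping trusted hops.
    """
    if peer_ip not in trusted:
        return peer_ip, "peer"
    for hop in reversed(xff_chain(headers)):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None, "unattributable"
        if hop not in trusted:
            return hop, "xff"
    return None, "unattributable"


def lab_matrix():
    """Attribute one request that carries a forged header, for all four
    (snat_automap, insert_xff) combinations."""
    results = {}
    for snat in (False, True):
        for xff in (False, True):
            peer, headers = backend_view(LAB_CLIENT_IP, [SPOOFED_XFF], snat, xff)
            results[(snat, xff)] = attribute_client(peer, headers)
    return results


if __name__ == "__main__":
    for (snat, xff), (ip, how) in lab_matrix().items():
        print(f"SNAT={snat!s:5} insert_XFF={xff!s:5} -> {ip} ({how})")
```

With SNAT on and insertion off, the server attributes the request to the forged 203.0.113.7, so server-side logs alone cannot identify the client in that configuration. With no SNAT, as in the routed setup chosen in Task 6, the TCP peer address is the client and the header is ignored.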
INTRODUCTION

Welcome to the F5 LTM Fundamentals Hands-on Exercise Guide. This guide provides hands-on experience with F5 BIG-IP® Local Traffic Manager™ (LTM). You can use these exercises and the virtual environment (vLab) – this includes VMware Workstation and BIG-IP® Virtual Edition (VE) – as a learning tool or to give customer demonstrations.

Note, this guide is written for the following product and vLab version:

* TMOS architecture v11.4.0
* VMware Workstation 9.0.0
* Virtual images:
  o BIGIP 11.4.0.2384.0-scsi-ova
  o LAMP 3.2
  o DoS_Tool 3.0

MODULE 1 EXERCISES – INITIAL INSTALLATION

EXERCISE 1.1 – VMWARE WORKSTATION CONFIGURATION

These steps guide you through requesting a VMware Workstation license from IT, installing and configuring the VMware Workstation environment, downloading and installing the VMware images used in the environment, and making some required manual changes to the LAMP back-end server images.

* Only perform this exercise if this is a first time setup of the vLab.
* Use a Windows environment with this setup guide.
* Estimated completion time: 15 minutes

TASK 1 – Request a VMware Workstation License and Install the Trial Version

* Access https://f5.service-now.com (log in using your Olympus credentials).
* From the left navigation menu, select Service Catalog.
* Under Software Requests, select VMware.
* Select the Desktop license.
* In the Select License Type list box, select Workstation (WIN/Linux).
* In the Business Justification field, type F5 vLab, and then click Order Now.
  You will receive your VMware Workstation license from IT. In the meantime you have 30 days to use the trial version of VMware Workstation.
* Access http://www.vmware.com/products/workstation/overview.html.
* Download and install the trial version of VMware Workstation 9.

NOTE: These exercises are tested for VMware Workstation version 9.
There may be issues with other versions.

TASK 2 – Set Up the VMware Network Environment

You will configure three VMware networks. VMnet1 acts as the Out of Band Management network for accessing the BIG-IP Configuration Utility. VMnet2 acts as the external network for users accessing virtual servers. VMnet3 acts as the internal VLAN where the back-end Web servers are located.

* Launch VMware Workstation, and then select Edit > Virtual Network Editor.
* Remove any existing VMnets EXCEPT for VMnet0.
* Click the Add Network button, and add VMnet1, VMnet2 and VMnet3.
* Select VMnet1, and configure as follows:
  o Enable the Host-only (connect VMs internally in a private network) option.
  o Select the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.1.0.
  o In the Subnet mask field enter 255.255.255.0.

NOTE: You will use this network to manage the BIG-IP VE system. This configures your local workstation with a VMware network adapter IP address of 10.128.1.1.

* Select VMnet2 and configure as follows:
  o Enable the NAT (shared host’s IP address with VMs) option.
  o Select the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.10.0.
  o In the Subnet mask field enter 255.255.255.0.
  o Click the NAT Settings button.
  o In the Gateway IP field enter 10.128.10.2, and then click OK.

NOTE: These NAT settings enable the BIG-IP VE system to reach the Internet through your workstation’s network adapter. This configures your local workstation with a VMware network adapter IP address of 10.128.10.1.

* Select VMnet3, and configure as follows:
  o Enable the Host-only (connect VMs internally in a private network) option.
  o Clear the Connect a host virtual adapter to this network checkbox.
  o Clear the Use local DHCP service to distribute IP address to VMs checkbox.
  o In the Subnet IP field enter 10.128.20.0.
  o In the Subnet mask field enter 255.255.255.0.

NOTE: Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to the internal network. This will avoid asymmetric routing issues and also enable you to demonstrate secure remote access and full proxy features.

* Click OK.

TASK 3 – Download the Virtual Images

Download the BIG-IP image file to your local workstation, and then download and unzip the VMware back-end server images.

* Access and log in to the F5 product download page at https://downloads.f5.com/esd/productlines.jsp.
* Click BIG-IP v11.x / Virtual Edition, and ensure that 11.4.1 is selected in the product version list box.
* Click Virtual-Edition, and then accept the license agreement.
* Click BIGIP-11.4.1.608.0-scsi.ova.
* Click the best download link for your location.
* Save the file to a directory on your local workstation.

NOTE: Ensure the location of this directory has at least 6GB of free disk space.

* Access ftp://wafer.f5net.com/outgoing/F5_Virtual_Environment_Setup_VMware/.
* Download the following files:
  o Exercise_Files.zip
  o LAMP_3.2.7z
* Unzip each downloaded file in the local directory you created earlier in this task.

TASK 4 – Install the BIG-IP VE System VMware Image

Use VMware Workstation to open and install the BIG-IP VE image file.

* In VMware Workstation, go to File > Open.
* Navigate to the location where you saved the BIG-IP image file, then select the BIGIP-11.4.1.608.0-scsi.ova image file, and then click Open.
* Name the new virtual machine BIGIP_A1_v11.4.
* Enter or browse to a location with at least 4GB of free disk space and click Import.
* Click the Accept button.
  It will take a few minutes for the image to import.
* After the import completes, select BIGIP_A1_v11.4 from the Library menu, and then click Edit virtual machine settings.
* Map the network adapters to the appropriate VMware networks using the following table:

    Network Adapter      Custom (VMnet1)
    Network Adapter 2    Custom (VMnet2)
    Network Adapter 3    Custom (VMnet3)
    Network Adapter 4    Bridged (Automatic)

* Click OK.

TASK 5 – Install the LAMP VMware Image

Use VMware Workstation to open and install the LAMP VMware server images.

* In VMware Workstation, go to File > Open.
* Select the LAMP_3.2.vmx image file, and then click Open.
* In the VMware Workstation dialog box, click Take Ownership.
* Select LAMP_3.2 from the Library menu, and then click Edit virtual machine settings.
* Map the network adapters to the appropriate VMware networks using the following table:

    Network Adapter      Connect at power on (yes)    Custom (VMnet1)
    Network Adapter 2    Connect at power on (no)     Custom (VMnet2)
    Network Adapter 3    Connect at power on (yes)    Custom (VMnet3)
    Network Adapter 4    Connect at power on (no)     Bridged

* Click OK.

TASK 6 – Edit the Settings of the LAMP Image

The LAMP image requires some manual network configuration changes.

* Select LAMP_3.2 from the Library menu, and then click Power on this virtual machine.
* Within the VMware Workstation window, leave Ubuntu selected and press the Enter key.
* After the image powers on, within the VMware Workstation window (and within the LAMP desktop) click Login.
* Click the Applications Menu icon on the top-left of the screen, and then select Settings Manager.
* In the Hardware section, click Network Connections.
* Select Wired connection 1, and then click Edit.
* From the Device MAC address list box, select the MAC address for eth0.
* Click Save, and then repeat these steps for the following:
  o Wired connection 2 --> eth1
  o Wired connection 3 --> eth2
  o Wired connection 4 --> eth3
* Delete Wired connection 5 – Wired connection 8.
NOTE: The wired connection entries will not be removed from the Network Connections list until you reboot the image.

* Close the Network Connections and Settings dialog boxes.
* In VMware Workstation, right-click LAMP_3.2 in the Library menu and select Power > Power Off.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > Take Snapshot.
* Name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.

EXERCISE 1.2 – INITIAL BIG-IP CONFIGURATION

In this exercise you will configure the BIG-IP management interface, you’ll use TMSH to create a VLAN and a self IP address, and you’ll request and install a BIG-IP VE license key.

* Your workstation needs Internet access to complete the licensing portion of this exercise.
* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 25 minutes

TASK 1 – Configure BIG-IP Management Interface Settings

Power on the BIG-IP VE image, configure the management interface settings, and then use TMSH to create the external VLAN, self IP address, and default gateway route.

* Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.

NOTE: You may experience issues when attempting to power on the BIG-IP virtual machine. If you receive an incompatibility message regarding 64-bit operation, complete Task 1.1.

* After the BIG-IP VE system powers on, you are presented with the localhost login screen.
* Log in to the BIG-IP system using the following credentials:

    localhost login:    root
    Password:           default

* At the CLI prompt, type:

    config

* Configure the management interface using the following information:

    IP Address       10.128.1.245
    Network Mask     255.255.255.0
    Default Route    10.128.1.1

TASK 1.1 – Configure your System BIOS and BIG-IP Management Interface Settings

Complete this task ONLY if you receive an incompatibility message regarding 64-bit operation.

* You may receive the following dialog box:
  This is an issue with the Intel virtualization.
  To resolve it, you must reconfigure your system BIOS.
* Access your system BIOS. To find the disabled virtualization features, perform the following, depending on the model of your devices:
  o Go to Configuration, and then enable Intel Virtual Technology.
  o Go to Security > Virtualization, and then enable Intel (R) Virtualization Technology and Intel (R) VT-d Feature.
* Press F10 to save and exit the system BIOS.
  The system reboots and you can proceed.
* Launch VMware Workstation.
* Click BIGIP_A1_v11.4 from the Library menu, and then click Power on this virtual machine.
* After the BIG-IP VE system powers on, you are presented with the localhost login screen.
* Log in to the BIG-IP system using the following credentials:

    localhost login:    root
    Password:           default

* At the CLI prompt, type:

    config

* Configure the management interface using the following information:

    IP Address       10.128.1.245
    Network Mask     255.255.255.0
    Default Route    10.128.1.1

TASK 2 – Generate an Evaluation License Key

Use the Eval Key Generator on the F5 Licensing Tools Web page to generate a BIG-IP VE system license.

* Use a Web browser to access the F5 Licensing Tools Web site at http://license.f5net.com
* Click Eval Key Generator, and log in using your Olympus credentials.

NOTE: Ensure you are not selecting Dev Key Generator.

* Leave the Generate Eval Base Keys option selected.
* From the Product Line list box, select BIG-IP.
* From the Product list box, select F5-BIG-VE-LAB-LIC.

NOTE: Ensure you are selecting the license above before moving on.

* Select the 45 Days option, and then click Next.
* On the License Configuration Options page change the Number of Product Keys to Generate to 10.
* Select the GTM, VE and the BIG-IP, LAB (LTM,APM,ASM,AM, GTM), VE checkboxes, and then click Next.
  The evaluation key is emailed to your F5.com address.
* Once the F5 Development Registration Key email is delivered to your inbox, open it and copy one of the registration keys.

TASK 3 – Access the BIG-IP VE System

Access the management port of the BIG-IP VE system using a Web browser.

* Open up a Web browser and access https://10.128.1.245.
* Proceed with the untrusted security certificate.
* Log in to the BIG-IP system using the following credentials:

    Username:    admin
    Password:    admin

  The BIG-IP VE system does not yet have a license.

TASK 4 – Activate the BIG-IP System

Use the manual licensing method with the registration key emailed to you to activate the BIG-IP VE system.

* On the Welcome page, click Next.
* On the License page, click Activate.
* In the Base Registration Key field, paste the registration key text.
* For Activation Method, select Manual.
* Click Next.
* Select and copy all of the dossier text to your clipboard.
* Click the F5 Licensing Server link.
* Paste the dossier text in the field, and then click Next.
* Accept the license agreement, and then click Next.
* Select and copy all of the license key text to your clipboard, and then close the Activate F5 Product Web page.
* On the Setup Utility > License page, paste the license key text into the Step 3: License field, and then click Next.
  The BIG-IP VE system configuration updates. This takes several seconds.
* After the configuration changes complete, log in to the BIG-IP VE system.

TASK 5 – Complete the Setup Utility

Complete the remaining steps of the Setup Utility.

* On the Resource Provisioning page, ensure only Local Traffic (LTM) is set to Nominal and click Next.
* On the Device Certificate page click Next.
* On the Platform page, configure these settings using the following information:

    Host Name                               bigipA1.f5demo.com
    Root Account (Password and Confirm)     default
    Admin Account (Password and Confirm)    admin

* Click Next.
* You are prompted to log out and log back in to the BIG-IP VE system. Click OK.
* Log back in to the BIG-IP VE system.
* Under Standard Network Configuration, click Next.
* Clear the Display configuration synchronization options checkbox.
* Click Next.
* In the Internal Network Configuration and Internal VLAN Configuration sections, configure these settings using the following information:

    Self IP Address     10.128.20.240
    Self IP Netmask     255.255.255.0
    Port Lockdown       Allow Default
    VLAN Interfaces     Untagged: 1.2

* Click Next.
* In the External Network Configuration and External VLAN Configuration sections, configure these settings using the following information:

    External VLAN       Create VLAN external
    Self IP Address     10.128.10.240
    Self IP Netmask     255.255.255.0
    Port Lockdown       Allow 443
    Default Gateway     10.128.10.2
    VLAN Interfaces     Untagged: 1.1

* Click Finished.
  You are presented with the BIG-IP Web Configuration Utility.
* To find manuals and product information, click the User Documentation link to go to AskF5.
  The AskF5 knowledge base Web site displays. You can use this site to view knowledge base articles and download product manuals.
* Close the Ask F5 Web page.
* Click the Run the Setup Utility link.
  You can run the Setup Utility at any time. However, you can also make changes manually using the Network option on the left navigation menu.

TASK 6 – Review Configuration Objects

Use the Configuration Utility to view the TMOS objects created with the Setup Utility.

* Open the Network > VLANs > VLANs List page.
  The Setup Utility created two VLANs: external and internal.
* Open the Network > Self IPs page.
  The Setup Utility created two self IP addresses:

    Self IP Address    VLAN
    10.128.10.240      external
    10.128.20.240      internal

* Open the Network > Routes page.
  The Setup Utility created the following route:

    Name                        Resource
    external_default_gateway    10.128.10.2

TASK 7 – Explore Command Line Access (CLI) and tmsh

Access the BIG-IP system and view configuration details using an SSH client (such as Putty).

* Use an SSH client (such as Putty) to connect to the external self IP address 10.128.10.240.
  You are unable to open the BIG-IP system because the Port Lockdown option of the external self IP address is set to allow access for TCP port 443 only.
* In the Configuration Utility, open the Network > Self IPs page.
* Click 10.128.10.240.
* Add TCP port 22 to the Custom List.
* Click Update.
* Use the SSH client again to connect to 10.128.10.240.
* In the PuTTY Security Alert dialog box, click Yes.
* Log in to the BIG-IP CLI using the following credentials:

    Username:    root
    Password:    default

* At the CLI, type:

    tmsh list net se (and then press the Tab key)

Question:
  Did autocorrect display options? _____________________

* At the CLI, complete the following:

    tmsh list net self

Question:
  What information is listed? ________________________________

* At the CLI, type:

    tmsh

* At the tmos prompt, type:

    list net vl (and then type the Tab key)

Questions:
  Did autocorrect display options? _______________________
  Which options are available? _______________________________________
  Why did the tmos prompt replace “list net vl” with “list net vlan”? _______________________________________________________________________

* Press the Enter key.

Question:
  What information is listed? ________________________________

* At the tmos prompt, navigate to another location by typing the following:

    ltm node

* At the tmos prompt, type:

    ?

  TMOS displays the commands you can use at this point.
* At the tmos prompt, type:

    q (NOTE: This will exit the list of commands presented by the “?”)
    create ?

  TMOS displays available commands and required objects. The create command requires a name to identify the node.
* At the tmos prompt, type:

    create test_node?

  The create command followed by a name requires a text name or an IP address.
* At the tmos prompt, type:

    create test_node address ?

  You must include an IP address.
* At the tmos prompt, type:

    create test_node address 10.20.30.40
    list

* In the Configuration Utility, open the Local Traffic > Nodes > Node List page.
  You created a node on the BIG-IP VE system.
* In the SSH client, at the tmos prompt, type:

    delete test (and then press the Tab key)

  There is only one possible option, so autocorrect completes the next word.
* Press the Enter key to complete the delete command.
* In the Configuration Utility, refresh the Node List page.
  You’ve removed the node from the BIG-IP VE system.
* In the SSH client, at the tmos prompt, type:

    / (this brings you back to the root TMOS level)
    quit

* At the CLI, type:

    exit

EXERCISE 1.3 – USER ACCESS AND SYSTEM PREFERENCES

In this exercise you will verify the default capabilities of the built-in admin and root user accounts. You’ll then create a new BIG-IP user account and experiment with two user roles. Finally, you’ll examine the log files and create an archive file.

* Required virtual images: BIGIP_A1_v11.4
* Estimated completion time: 15 minutes

TASK 1 – Verifying User Access

Attempt to log in using the SSH client and the admin user account.

* Open a new SSH session and connect to 10.128.10.240.
* Attempt to log in using the following credentials:

    Username:    admin
    Password:    admin

  By default, you cannot open an SSH session using the admin account.
* In the Configuration Utility, open the System > Users > User List page.
* Click admin.
* From the Terminal Access list box, select Advanced shell.
* Click Update.
* Use the SSH client again to connect to: 10.128.10.240, and then log in using the admin account.
* Close the SSH session.
* In the Configuration Utility, attempt to log back in to the BIG-IP VE system using the following credentials:

    Username:    root
    Password:    default

  You cannot log in to the Configuration Utility using the root account. You can only use the root account for CLI access.

TASK 2 – Create a New BIG-IP User Account

Use the Configuration Utility to create a new BIG-IP VE system user account for yourself and experiment with the different user roles.

* Log in to the BIG-IP system using the admin account.
* Open the System > Users > User List page.
* Create a new user account using the following information, and then click Finished.

    User Name           your first name
    Password            your last name (all lowercase)
    Role                Operator
    Partition Access    All
    Terminal Access     tmsh

* Use the SSH client to access: 10.128.10.240, and then log in using your new user account.

Question:
  Are you at the CLI prompt or the tmos prompt? _________________________

* At the tmos prompt, type:

    ltm node create test_node address 10.20.30.40

  You receive a syntax error: incomplete command.
* At the tmos prompt, type:

    create ?

  Your user account does not have privileges to create nodes.
* At the tmos prompt, type:

    quit

  Because you only have TMSH access, quitting TMSH ends the SSH session.
* In the Configuration Utility, click Log out.
* Log back into the Configuration Utility using your new user account.
* Open the Local Traffic > Pools > Pool List page.

Question:
  Why are the Create and Delete buttons greyed out? ________________________________

* Open the System > Users > User List page.
* Click your user account and attempt to change the user role to Resource Administrator.

Question:
  Were you successful? _______________________

* Log out, and then log back in using the admin account.
* Open the System > Users > User List page.
* Click your new user account and attempt to change the user role to Resource Administrator.

Question:
  Were you successful? _______________________

* Change the user’s Terminal Access to Advanced shell.
* Click Update.
* Log out, and then log in using your new user account with the WRONG password. (NOTE: You will view this failed login attempt in the LTM audit log.)
* Log in using your new user account with the correct password.
* Open the Local Traffic > Pools > Pool List page.
  You now have privileges to create and delete pools.

TASK 3 – View Logging Information

View recent security logging activity using an SCP client (such as WinSCP).
* Use an SCP client (such as WinSCP) to access 10.128.10.240 with your new user account and password.
* On the right side, navigate to the / level.
* Navigate to the /var/log directory.
* Open the secure log file and then scroll to the bottom.
* Locate the log entry for the failed login attempt by your user account.
* Close the secure log file and the SCP client.
* In the Configuration Utility, open the System > Logs > Audit > List page.
* Type fail in the search field, and then click Search.
* Locate the log entry for the failed login attempt by your user account.

TASK 4 – Update System Preferences

Update the BIG-IP VE system preferences with custom settings.

* Open the System > Preferences page.
* From the System Settings list, select Advanced.
* Change the Records Per Screen value to 20.
* From the Start Screen list box, select Statistics.
* Select the Redirect HTTP to HTTPS checkbox.
* Update the Idle Time Before Automatic Logout value to 100000.
* Update the Security Banner Text to Show on the Login Screen to:

    Welcome to the F5 BIG-IP VE (Virtual Edition) vLab environment. The vLab environment is intended for F5 Networks training and demonstration purposes only. You are not authorized to distribute the vLab to any other parties.

* Click Update.
* Click Log out.
* Change the URL to http://10.128.1.245.
  You are redirected to the HTTPS site, and the Login page now displays the custom message.
* Log in using your new user account.
  The startup page is now the Statistics page.

TASK 5 – Create an Archive File

Use the command line to create an archive file.

* Use the SSH client to connect to: 10.128.10.240, and then log in using your new user account.
* At the CLI, type:

    tmsh

* At the TMOS prompt, type:

    sys ucs
    ?

* Use the Enter key to scroll through the available commands.
* At the tmos prompt, type:

    q
    save ?
    1.3_initial_setup_v11.4.1.1.ucs ?

  You can create a passphrase when needed.
* Press Enter to create the archive file.
* Quit TMSH, and then exit the SSH client.
* In the Configuration Utility, open the System > Archives page. You created a new archive file on the BIG-IP VE system.

MODULE 2 EXERCISES – PROCESSING TRAFFIC

EXERCISE 2.1 – CREATE AN HTTP POOL AND VIRTUAL SERVER

In this exercise you will configure a pool for HTTP Web servers, a virtual server that uses the HTTP pool, and then verify its functionality. You’ll then update the SNAT settings for the virtual server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Pool

Create a pool containing three HTTP pool members.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Open a Web browser and access https://10.128.1.245.
* Log in with the new user account you created in Exercise 1.3.
* Open the Local Traffic > Pools > Pool List page, and then click Create.
* Create a pool using the following information:
    Name: http_pool
    Load Balancing Method: Round Robin
    Priority Group Activation: Disabled
    New Members (Click Add for each entry):
      Address         Service Port
      10.128.20.11    80
      10.128.20.12    80
      10.128.20.13    80
* Click Finished.
* Open the Local Traffic > Nodes > Node List page. The BIG-IP VE system automatically creates a node for each pool member.

TASK 2 – Create a Virtual Server that Uses the Pool

Create an HTTP virtual server that uses the HTTP pool you created previously.

* Open the Local Traffic > Virtual Servers > Virtual Server List page, and then click Create.
* Create a virtual server using the following information:
    Name: http_vs
    Type: Standard
    Destination: Host: 10.128.10.20
    Service Port: 80 (HTTP)
    State: Enabled
    Default Pool: http_pool
* Click Finished.

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the virtual server and ensure that you’re receiving information from all three pool members.

* Use a new Web browser and access the virtual server at http://10.128.10.20. You should see page elements coming from all three of the pool members.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
  Question: How many connections were opened to create the Web page? ___________
* In the F5 vLab Test Web page, type Ctrl+F5 once, to force the browser to refresh without using its cache.
* In the Configuration Utility, from the Statistics Type list box, select Pools.
  Questions:
  Did traffic go to each pool member? _____________
  Did each member manage approximately the same number of connections? __________

TASK 4 – Modify the Virtual Server SNAT Setting

Identify the effects of adding SNAT Automap to the virtual server.

* In the F5 vLab Test Web page, review the Request Details and examine the Client IP address/port.
  Questions:
  What is the client IP address? ________________________
  Which device “owns” this IP address? ___________________________
* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Click http_vs.
* From the Source Address Translation list box, select Auto Map, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page.
  Question:
  What is the client IP address? ________________________
  Which device “owns” this IP address? ___________________________
* Close the F5 vLab Test Web page.
* In the Configuration Utility, change the Source Address Translation back to None, and then click Update.

EXERCISE 2.2 – NETWORK MAP

In this exercise you will use the Network Map feature to examine availability information on virtual servers, pools, pool members, and nodes.

* Estimated completion time: 10 minutes

TASK 1 – View Configuration and Status from the Network Map

* In the Configuration Utility, open the Local Traffic > Network Map page.
* Use the mouse to hover over the virtual server and pool objects and notice the information displayed for each object.
* Hover over the pool member objects and notice the information displayed.
* Click the 10.128.20.11:80 pool member. The pool member properties page displays.
* In the Parent Node row, click 10.128.20.11. The node properties page displays.
* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* Open the Members page.
* Select the checkbox for 10.128.20.11:80, and then click Disable.
* Return to the Network Map page.
* In the Search box, type 20.12, and then click Update Map. All objects that match the search criteria are highlighted.
* Click the 10.128.20.11:80 pool member.
* In the State row, select the Enabled option to re-enable this pool member, and then click Update.

TASK 2 – Reset Statistics

Reset the statistics for the virtual server, the pool, and all of the pool members.

* Open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Virtual Servers.
* Select the http_vs checkbox, and then click Reset.
* From the Statistics Type list box, select Pools.
* Use the Select All checkbox to select the http_pool and all three members, and then click Reset.

TASK 3 – View the Local Traffic Log File

Use the Local Traffic log file to identify pool member availability.

* Open the System > Logs > Local Traffic page.
* Click the Timestamp column header to sort in descending order. (The most recent entry should be at the top of the list.)
* In the Search box type disabled, and then click Search. You can quickly identify when a pool member or node has been disabled.

TASK 4 – Saving the Configuration

Use the Configuration Utility to create an archive file.

* Open the System > Archives page, and then click Create.
* Create an archive using the following information, and then click Finished.
    File Name: 2.2_processing_traffic_v11.4.1.1
    Encryption: Disabled
    Private Keys: Include

MODULE 3 EXERCISES – VIRTUAL SERVERS

EXERCISE 3.1 – VIRTUAL SERVER PRIORITY

In this exercise you will configure a pool and a virtual server that listen on all ports, and then test application access using the virtual server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Wildcard Pool

Create a pool containing three pool members listening on all ports.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Pools > Pool List page.
* Create a new pool using the following information, and then click Finished.
    Name: open_pool
    Load Balancing Method: Round Robin
    Priority Group Activation: Disabled
    New Members (Click Add for each entry):
      Address         Service Port
      10.128.20.11    * All Services
      10.128.20.12    * All Services
      10.128.20.13    * All Services
* Open the Local Traffic > Nodes > Node List page.
  Questions:
  Did BIG-IP LTM create new nodes for this pool? _________________
  If no, why not? ____________________________________________________________

TASK 2 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports that references the pool you created in the previous task.

* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name: open_vs
    Type: Standard
    Destination: Host: 10.128.10.20
    Service Port: * All Ports
    Default Pool: open_pool

TASK 3 – Verify the Virtual Server and Pool Functionality

Access the wildcard virtual server and ensure that you’re receiving information from all three pool members.

* Open the Statistics > Module Statistics > Local Traffic page, and then select to view Virtual Server statistics.
* Verify that the statistics for all virtual servers are reset.
* Use a new Web browser and access the virtual server at http://10.128.10.20.
* In the Configuration Utility, on the Virtual Servers statistics page, click Refresh.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use an SSH client to access 10.128.10.20.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close PuTTY.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
* Reset the virtual server statistics.
* Use a new Web browser to access the secure virtual server at https://10.128.10.20.
* In the Configuration Utility, refresh the Virtual Servers statistics.
  Question: Which virtual server processed this request? _________________________
  The HTTP request was directed to http_vs, as this virtual server is more specific than open_vs. The SSH and HTTPS requests were directed to open_vs.
* Delete both the open_vs and the open_pool objects.

EXERCISE 3.2 – FORWARDING AND REJECT VIRTUAL SERVERS

In this exercise you will configure and test a forwarding network virtual server. You’ll then configure and test a reject virtual server for SSH access. Lastly, you’ll create a forwarding host virtual server for SSH access to a single server.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Disable the Current Virtual Server

Disable the current HTTP virtual server, and add a route from your workstation to the 10.128.20.0 network.

* Open the Local Traffic > Virtual Servers > Virtual Server List page.
* Select the http_vs checkbox, and then click Disable.
  NOTE: You must disable this virtual server in order to use those you’ll create later in this exercise.
* Use a Web browser to attempt to access a Web server directly at http://10.128.20.13. The request fails, as you do not have direct access to the 10.128.20.0 network.
* On your workstation, open a command prompt.
  NOTE: You may need to run the command prompt as a local administrator. If so, go to the Start menu and type cmd, then right-click cmd.exe and select Run as administrator.
* At the command prompt, type:
    route add 10.128.20.0 mask 255.255.255.0 10.128.10.240
  This adds a route to the 10.128.20.0 network through the external self IP address of the BIG-IP VE system.
  NOTE: You cannot run the route add command while connected to an F5 VPN.
* Leave the command prompt window open.
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13. The request fails again, as the BIG-IP VE system does not have a listener to forward this request to the internal network.

TASK 2 – Create a Forwarding (IP) Virtual Server

Create a forwarding (IP) virtual server for the 10.128.20.0 network.

* In the Configuration Utility, open the Local Traffic > Virtual Servers > Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name: forward_vs
    Type: Forwarding (IP)
    Destination: Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port: * All Ports
    Protocol: * All Protocols
* Use a Web browser again to attempt to access a Web server directly at http://10.128.20.13. The request is successful. Note in the Request Details section, the virtual server address is the same as the pool member address. The virtual server did not process the packet, but simply forwarded it to the internal network.
* Change the URL to https://10.128.20.12.
* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Close the SSH session and the F5 vLab Test Web page. You now have access to all ports and all protocols on the 10.128.20.0 network.

TASK 3 – Create a Reject Virtual Server

Create a reject virtual server to reject SSH traffic going to the 10.128.20.0 network.

* In the Configuration Utility, open the Virtual Server List page.
* Create a virtual server using the following information, and then click Finished.
    Name: reject_vs
    Type: Reject
    Destination: Network: Address: 10.128.20.0 Mask: 255.255.255.0
    Service Port: 22 (SSH)
* Use an SSH client to connect to 10.128.20.11.
* When your request times out, close the SSH session.
* Use a Web browser to access http://10.128.20.11. Although you still have HTTP access to 10.128.20.11, you no longer have SSH access to any hosts on the 10.128.20.0 network.
* Close the F5 vLab Test Web page.

TASK 4 – Create a Forwarding Host Virtual Server

Create another forwarding (IP) virtual server, enabling SSH traffic to 10.128.20.11 only.

* In the Configuration Utility, on the Virtual Server List page, create a virtual server using the following information, and then click Finished.
    Name: ssh_vs
    Type: Forwarding (IP)
    Destination: Host: 10.128.20.11
    Service Port: 22 (SSH)
* Use an SSH client to connect to 10.128.20.11.
  NOTE: It’s not necessary to log into the CLI to complete this task.
* Open a new SSH session and connect to 10.128.20.12.
* When your request times out, close the SSH session. You now have access to all ports and protocols on the 10.128.20.0 network except for port 22. You only have access to port 22 on host 10.128.20.11.
* In the Configuration Utility, delete forward_vs, reject_vs, and ssh_vs.
* Re-enable http_vs.
* In the command prompt window, type:
    route DELETE 10.128.20.0
* Close the command prompt.

TASK 5 – Saving the Configuration

Use the Configuration Utility to create an archive file.

* Open the System > Archives page.
* Create an archive using the following information, and then click Finished.
    File Name: 3.2_virtual_servers_v11.4.1.1
    Encryption: Disabled
    Private Keys: Include

MODULE 4 EXERCISES – POOLS

EXERCISE 4.1 – INSTALL REQUIRED SOFTWARE

You will need to install and configure JMeter in order to use this exercise guide.

* Do not perform exercise 4.1 if you already have JMeter installed.
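The listener selection observed in Exercises 3.1 and 3.2 can be reproduced with a small model. This Python sketch is an added example, not F5 code: it assumes the longest destination prefix wins first and a specific port then beats a wildcard port, it ignores source-address matching, and the Listener, select_listener and exposure names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PORT = None  # models "* All Ports"


@dataclass(frozen=True)
class Listener:
    """Hypothetical stand-in for the listener settings of a virtual server."""
    name: str
    destination: str          # host or network in CIDR notation
    port: Optional[int]       # ANY_PORT for a wildcard listener
    kind: str = "standard"    # "standard", "forwarding" or "reject"
    enabled: bool = True


def select_listener(listeners: List[Listener], dst_ip: str,
                    dst_port: int) -> Optional[Listener]:
    """Return the listener that takes the packet, or None if nothing listens.

    Assumed precedence (simplified): longest destination prefix first, then a
    specific port over a wildcard port. Disabled listeners never match.
    """
    addr = ip_address(dst_ip)
    matches = [
        vs for vs in listeners
        if vs.enabled
        and addr in ip_network(vs.destination)
        and vs.port in (ANY_PORT, dst_port)
    ]
    if not matches:
        return None
    return max(matches, key=lambda vs: (ip_network(vs.destination).prefixlen,
                                        vs.port is not ANY_PORT))


ACTIONS = {"standard": "load-balance", "forwarding": "forward", "reject": "reject"}


def exposure(listeners: List[Listener],
             probes: List[Tuple[str, int]]) -> List[Tuple[str, int, Optional[str], str]]:
    """For an access review: which listener and action each (ip, port) hits."""
    report = []
    for ip, port in probes:
        hit = select_listener(listeners, ip, port)
        if hit is None:
            report.append((ip, port, None, "no listener"))
        else:
            report.append((ip, port, hit.name, ACTIONS[hit.kind]))
    return report


# Constructed from the objects the two exercises create.
EX_3_1 = [
    Listener("http_vs", "10.128.10.20/32", 80),
    Listener("open_vs", "10.128.10.20/32", ANY_PORT),
]
EX_3_2 = [
    Listener("http_vs", "10.128.10.20/32", 80, enabled=False),
    Listener("forward_vs", "10.128.20.0/24", ANY_PORT, kind="forwarding"),
    Listener("reject_vs", "10.128.20.0/24", 22, kind="reject"),
    Listener("ssh_vs", "10.128.20.11/32", 22, kind="forwarding"),
]

if __name__ == "__main__":
    probes = [("10.128.20.11", 22), ("10.128.20.12", 22),
              ("10.128.20.12", 443), ("10.128.10.20", 80)]
    for row in exposure(EX_3_2, probes):
        print(row)
```

Running exposure() over every address and port of interest gives a quick review of what a wildcard forwarding listener leaves reachable once the reject and host listeners are layered on top.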
* Estimated completion time: 10 minutes

TASK 1 – Download and Install JMeter

Download and install JMeter.

* Use a Web browser to access http://jmeter.apache.org/download_jmeter.cgi.
* From the Binaries section, download either the TGZ or ZIP file of the latest version of Apache JMeter.
* Extract the downloaded file on your workstation. You will use the bin/jmeter.bat program to create a Web server load simulation.

TASK 2 – Configure a Path Value for Java.exe

In order to use JMeter, your workstation must have a path variable value for accessing java.exe.

* On your workstation, open C:\Program Files.
* Open the Java folder. If there is no folder named Java, look in the Program Files (x86) folder.
* Open jre7, and then open bin. Verify that this folder contains the java.exe executable file.
* Right-click in the address bar and select Copy address.
* Open the Start menu, and then type environment in the search bar.
* Click Edit environment variables for your account.
* In the Environment Variables dialog box, in the User variables for section, do one of the following:
  o If there is an existing path variable:
    * Select path, and then click Edit.
    * At the end of the existing Variable value, add a semi-colon, and then paste the address text.
  o If there is not an existing path variable:
    * Click New.
    * Name the new variable path.
    * In the Variable value field, paste the address text.
* Click OK twice.

EXERCISE 4.2 – CREATE A WEB LOAD TEST

Use JMeter to record a visit to your virtual server, and then create a load configuration to simulate 50 users accessing the recording.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Use JMeter to Record a Visit to the Web Site

Use JMeter to record a series of requests to the http_vs virtual server.

* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
  NOTE: If you do not have JMeter installed, return and complete Exercise 4.1.
* In the navigation panel, right-click Test Plan, and then select Add > Threads (Users) > Thread Group.
* Change the name to 10.128.10.20 Test.
* In the Number of Threads (Users) field, enter 100.
* In the Loop Count field, enter 3.
* Go to File > Save, and save the file as 10.128.10.20_Test.jmx. This will simulate 100 users accessing the BIG-IP VE system and visiting each page three times.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Config Element > HTTP Request Defaults.
  o In the Server Name or IP field, enter 10.128.10.20.
  o In the Port Number field, enter 80.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Home Page
  o In the Path field, enter /
  o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Welcome Page
  o In the Path field, enter /welcome.php
  o Clear the Use KeepAlive checkbox.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Listener > Summary Report.
* Click the Save button.

TASK 2 – Use JMeter to Simulate Multiple Visits to the Web Site

Use JMeter to play the recording to the downstream Web site.

* In JMeter, select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.

TASK 3 – Verify Virtual Server and Pool Statistics

View the virtual server and pool statistics, and then reset all statistics.

* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select to view the Pools statistics.
  Question: Were the connections distributed evenly between the three pool members? ________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.3 – LOAD BALANCING METHODS

In this exercise you will change the load balancing method to Ratio and view the resulting behavior.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Configure Ratio Member Load Balancing

Update the http_pool by changing the load balancing method to Ratio (member), and then assign ratio values to the different pool members.

* Open the Local Traffic > Pools > Pool List page.
* Click http_pool.
* Open the Members page.
* In the Load Balancing section, from the Load Balancing Method list box, select Ratio (member).
* Click Update.
* In the Current Members section, click 10.128.20.11:80.
* Within the Configuration section, set the Ratio value to 4.
* Click Update, and then return to the Members page.
* Update the remaining pool members with the following information:
    Member             Ratio
    10.128.20.12:80    2
    10.128.20.13:80    1
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.
* In the Configuration Utility, view the Pools statistics.
  Questions:
  Were the connections distributed evenly? _____________
  Were the connections distributed using a 4 – 2 – 1 ratio? _____________
* Reset the statistics for the pool and all pool members.

TASK 2 – Configure Weighted Least Connections Load Balancing

Update the http_pool by assigning connection limit values to the different pool members and then changing the load balancing method to Weighted Least Connections (member).

* Click to edit the http_pool object, and then open the Members page.
* Update the pool members with the following information:
    Member             Connection Limit
    10.128.20.11:80    1200
    10.128.20.12:80    250
    10.128.20.13:80    50
  NOTE: Ensure that all three pool members have Connection Limit values before proceeding.
* Change the Load Balancing Method to Weighted Least Connections (member), and then click Update.
* In JMeter, select Summary Report, and then go to Run > Clear.
* Select 10.128.10.20 Test, and then go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 600, the test is complete.
* Close JMeter.
* In the Configuration Utility, view the Pools statistics.
  Question: Were the pool members utilized properly based on the configured connection limits? _________
* Reset the statistics for the pool and all pool members.

EXERCISE 4.4 – PRIORITY GROUP ACTIVATION

In this exercise you will enable priority group activation, and then add two additional pool members to the HTTP pool. You’ll then examine how the BIG-IP system utilizes the pool members.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Enable Priority Group Activation

Update the http_pool by enabling priority group activation, and then assign priority values to the different pool members. Add two additional members to the pool.

* Click to edit the http_pool object, and then open the Members page.
* In the Priority Group Activation list box, select Less than.
* In the Available Member(s) field, enter 2, and then click Update.
* Update the pool members with the following information:
    Member             Priority Group
    10.128.20.11:80    8
    10.128.20.12:80    8
    10.128.20.13:80    4
* Add new pool members using the following information:
    Address         Service Port    Ratio    Priority Group    Connection Limit
    10.128.20.14    80              1        4                 10
    10.128.20.15    80              1        3                 10
* Use a Web browser to access http://10.128.10.20.
* Use Ctrl+F5 several times to refresh the page.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.11:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request?
  _____________________________
  With priority group activation set to 2 members, why are there now three members supplying content? ___________________________________________________________________________
* In the Configuration Utility, disable pool member 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times.
  Question: Which members are supplying content for the request? _____________________________
* In the Configuration Utility, disable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. Using priority group activation, we can always be assured that we have at least two pool members available to fulfill user requests.
* In the Configuration Utility, re-enable pool members 10.128.20.11:80 and 10.128.20.13:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. For the first couple of refreshes, content should still come from node #5 (10.128.20.15:80), because the connections had yet to close. Eventually you will notice requests come only from 10.128.20.11, 10.128.20.13, and 10.128.20.14.
* In the Configuration Utility, re-enable pool member 10.128.20.12:80.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh several times. After refreshing a couple of times, all requests now come from 10.128.20.11 and 10.128.20.12 only.
* Close the F5 vLab Test Web page.
* Update the http_pool by changing the Priority Group Activation value back to Disabled, and then click Update.
* Create an archive file named 4.4_pools_load_balancing_v11.4.1.1.

MODULE 5 EXERCISES – MONITORS

EXERCISE 5.1 – USING MONITORS WITH NODES

In this exercise you will assign the default monitor to be used for all nodes, in addition to assigning a node-specific monitor as well as disassociating the default monitor from a node.
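Looking back at Exercise 4.4, the member sets seen at each step follow from one rule. This Python model is an added example, not F5 code: it assumes "Less than 2" starts with the highest priority group and keeps adding the next lower group while fewer than two usable members are active, it ignores connection limits and lingering connections, and the Member, active_members and walkthrough names are hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Member:
    """Hypothetical pool member record: address and priority group."""
    address: str
    priority: int


# Constructed from the values entered in Exercise 4.4, Task 1.
HTTP_POOL = [
    Member("10.128.20.11:80", 8),
    Member("10.128.20.12:80", 8),
    Member("10.128.20.13:80", 4),
    Member("10.128.20.14:80", 4),
    Member("10.128.20.15:80", 3),
]


def active_members(members: List[Member], min_available: int,
                   disabled: FrozenSet[str] = frozenset()) -> List[str]:
    """Members that receive new connections under 'Less than N' activation.

    Assumed model: walk the priority groups from highest to lowest and keep
    activating whole groups until at least min_available usable members are
    active or no groups remain.
    """
    usable = [m for m in members if m.address not in disabled]
    active: List[str] = []
    for prio in sorted({m.priority for m in usable}, reverse=True):
        active.extend(m.address for m in usable if m.priority == prio)
        if len(active) >= min_available:
            break
    return sorted(active)


def walkthrough() -> List[Tuple[str, List[str]]]:
    """Replay the disable/re-enable sequence of the exercise."""
    steps = [
        ("all members enabled", frozenset()),
        ("disable .11", frozenset({"10.128.20.11:80"})),
        ("disable .13", frozenset({"10.128.20.11:80", "10.128.20.13:80"})),
        ("disable .12", frozenset({"10.128.20.11:80", "10.128.20.12:80",
                                   "10.128.20.13:80"})),
        ("re-enable .11 and .13", frozenset({"10.128.20.12:80"})),
        ("re-enable .12", frozenset()),
    ]
    return [(label, active_members(HTTP_POOL, 2, off)) for label, off in steps]


if __name__ == "__main__":
    for label, members in walkthrough():
        print(f"{label:24s} -> {', '.join(members)}")
```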
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Verify the Snapshot for the LAMP Image

In these exercises you will make modifications to the LAMP VMware image. Ensure that you have a snapshot before moving on.

* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 and select Snapshot.
* If you do not have a snapshot named LAMP_3.2_Clean, select Take Snapshot, and name the snapshot LAMP_3.2_Clean, and then click Take Snapshot.
* Power on the BIGIP_A1_v11.4 and LAMP_3.2 images.

TASK 2 – Assign a Default Monitor for all Nodes

Assign the BIG-IP system default icmp monitor as the default monitor for all nodes.

* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Nodes > Node List page.
* Examine the Status of the listed nodes.
* Open the Default Monitor page.
* Select icmp from the Available list, then click <<, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

TASK 3 – Create a Custom ICMP Monitor

Create a custom ICMP monitor that will be used with only one node.

* Open the Local Traffic > Monitors page, and then click Create.
* Create a new monitor using the following information, and then click Finished.
    Name: custom_icmp_monitor
    Type: ICMP
    Parent Monitor: icmp
    Interval: 4
    Timeout: 13
    Transparent: No

TASK 4 – Assign the Custom Monitor to a Specific Node

Assign the custom icmp monitor to 10.128.20.12.

* Open the Local Traffic > Nodes > Node List page, and then click 10.128.20.12.
* Assign the monitor to the node using the following information:
    Health Monitors: Node Specific
    Select Monitors: Active: custom_icmp_monitor
    Availability Requirement: All
* Click Update.

TASK 5 – Assign No Monitors to a Specific Node

Assign no monitors to 10.128.20.13.

* On the Node List page, click 10.128.20.13.
* From the Health Monitors list box, select None, and then click Update.
* Open the Node List page, and examine the Status of the listed nodes.

The BIG-IP system default icmp monitor has been assigned to the Node Default monitor and these nodes are using that monitor:

* 10.128.20.11
* 10.128.20.14
* 10.128.20.15

The custom_icmp_monitor is assigned to node 10.128.20.12. There is no monitor assigned to node 10.128.20.13. This is not a recommended configuration. This setup is only to demonstrate three methods to assign monitors to nodes.

EXERCISE 5.2 – USING MONITORS WITH POOLS

In this exercise you will create a custom HTTP monitor and assign the monitor to the HTTP pool. You will then view the effects of using monitors on the virtual server, pool, pool members, and nodes.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Check Current Pool Member Status

Use the Pool List page to examine the current status of the members of the HTTP pool.

* Open the Local Traffic > Pools > Pool List page.
* Click http_pool, and then open the Members page.
* Examine the Status of the listed members.
  Question: Will BIG-IP LTM distribute traffic to pool members that are unknown? _____________

TASK 2 – Create a Custom HTTP Monitor

Create a custom HTTP monitor that requests a specific Web page from the pool member and that verifies a specific text string is returned in the HTTP response.

* Open the Local Traffic > Monitors page, and then click Create.
* Create a monitor using the following, and then click Finished.
    Name: custom_http_monitor
    Type: HTTP
    Interval: 4
    Timeout: 13
    Send String: GET /HealthCheck.html\r\n
    Receive String: SERVER_UP

TASK 3 – Assign the Custom Monitor to the Pool

Assign custom_http_monitor to http_pool.

* Open the Local Traffic > Pools > Pool List page, and then click http_pool.
* For Health Monitors, select custom_http_monitor, click <<, and then click Update.

TASK 4 – View the Network Map

View the status of virtual server, pool, pool members, and nodes using Network Map.
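How the custom_http_monitor created and assigned in Tasks 2 and 3 turns probe results into a down decision, as an added Python model that is not F5 code. It assumes one probe every Interval seconds and that the member is marked down once Timeout seconds pass without a response containing the Receive String; the site dictionaries are constructed samples and the function names are hypothetical.

```python
from typing import Dict, List, Optional, Tuple

INTERVAL = 4                      # seconds between probes
TIMEOUT = 13                      # seconds without a match before marking down
SEND_PATH = "/HealthCheck.html"   # path requested by the Send String
RECEIVE = "SERVER_UP"             # Receive String

Site = Dict[str, str]             # path -> page body served by a pool member

# Constructed sample states of a pool member's Web root.
GOOD: Site = {"/HealthCheck.html": "<p>SERVER_UP</p>"}
RENAMED: Site = {"/NewHealthCheck.html": "<p>SERVER_UP</p>"}   # page moved away
EDITED: Site = {"/HealthCheck.html": "<p>SERVER_</p>"}         # string altered


def probe(site: Site, path: str = SEND_PATH, receive: str = RECEIVE) -> bool:
    """One monitor check: the page must exist and contain the Receive String."""
    body = site.get(path)
    return body is not None and receive in body


def site_at(timeline: List[Tuple[int, Site]], t: int) -> Site:
    """Content in effect at time t; timeline holds (start_second, site) pairs."""
    current = timeline[0][1]
    for start, site in timeline:
        if start <= t:
            current = site
    return current


def marked_down_at(timeline: List[Tuple[int, Site]], horizon: int,
                   interval: int = INTERVAL,
                   timeout: int = TIMEOUT) -> Optional[int]:
    """Second at which the member is marked down, or None if it stays up.

    Assumed model: the member counts as up at t=0, probes run at
    0, interval, 2*interval, ... and the member goes down as soon as
    `timeout` seconds have passed since the last successful probe.
    """
    last_ok = 0
    for t in range(0, horizon + 1, interval):
        if t - last_ok >= timeout:
            return last_ok + timeout
        if probe(site_at(timeline, t)):
            last_ok = t
    return last_ok + timeout if horizon - last_ok >= timeout else None


if __name__ == "__main__":
    cases = {
        "healthy": [(0, GOOD)],
        "page renamed at t=10": [(0, GOOD), (10, RENAMED)],
        "string edited at t=9": [(0, GOOD), (9, EDITED)],
        "outage from t=5 to t=11": [(0, GOOD), (5, {}), (11, GOOD)],
    }
    for label, timeline in cases.items():
        print(f"{label:26s} -> down at {marked_down_at(timeline, 60)}")
```

With Timeout at 3 x Interval + 1, a single missed probe (the short outage case) is tolerated, while a removed or altered page is acted on within 13 seconds of the last good response.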
* Open the Local Traffic > Network Map page.
* Use the mouse to hover over the different pool members.
  Question: Why is the status of node 10.128.20.13 different from the other nodes? ___________________________________________________________________

TASK 5 – View the Effects of Using Monitors

Make changes to the Web site on the LAMP image, and then view how the changes affect the Network Map.

* Use an SSH client to connect to the LAMP_3.2 image at 10.128.1.252.
* Log in using the following credentials:
    Username: root
    Password: default
* Access and view the Web server components on 10.128.20.11:80 by typing:
    cd /var/www/server/1
    ls
  The HealthCheck.html Web page currently exists on pool member 10.128.20.11:80.
* To rename this Web page, type:
    mv HealthCheck.html NewHealthCheck.html
  This removes the HealthCheck.html Web page from pool member 10.128.20.11:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member. The virtual server and pool display available. Pool member 10.128.20.11:80 displays offline. These pool members display available:
    * 10.128.20.12:80
    * 10.128.20.13:80
    * 10.128.20.14:80
    * 10.128.20.15:80
  All the nodes display as available, except 10.128.20.13, which displays unknown.
* In the SSH session, to change contents of the HealthCheck.html Web page on 10.128.20.12:80 using visual editor, type:
    cd ..
    cd 2
    vi HealthCheck.html
  NOTE: You can use the Tab key to autocomplete the Web page name.
* Arrow down to the SERVER_UP paragraph, and then arrow over to the word UP.
* Type X to delete UP.
* To save and quit visual editor, type:
    :wq
  The text string “SERVER_UP” will no longer be found in the HealthCheck.html Web page on pool member 10.128.20.12:80.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map. The virtual server and pool still display available. Pool members 10.128.20.11:80 and 10.128.20.12:80 display offline.
  These pool members display available:
    * 10.128.20.13:80
    * 10.128.20.14:80
    * 10.128.20.15:80
* In the SSH session, to delete the IP address from 10.128.20.14:80, type:
    ip addr del 10.128.20.14/24 dev eth2
  This removes the IP address from node 4. The BIG-IP VE system will not receive an ICMP response from the node.
* Wait 15 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.
* Hover over each pool member. Node 10.128.20.14 now displays offline, which causes pool member 10.128.20.14:80 to display offline.
* Open the http_pool pool, and then open the Members page.
  o Update the Connection Limit of 10.128.20.13:80 to a value of 100.
  o Update the Connection Limit of 10.128.20.15:80 to a value of 5.
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, right-click 10.128.10.20 Test, and then select Add > Sampler > HTTP Request.
  o Change the name to Big Text Page
  o In the Path field, enter /bigtext.php
  o Clear the Use KeepAlive checkbox.
* Select 10.128.10.20 Test, and then go to Run > Start.
* While the test runs, in the Configuration Utility continue to refresh the Network Map page. Eventually pool member 10.128.20.15:80 displays unavailable because it reaches the configured connection limit.
* Use a new Web browser to access http://10.128.10.20. The page will be slow to load, and there should only be page elements supplied by pool member 10.128.20.13:80.
* In the Configuration Utility, go to node 10.128.20.13, select Forced Offline, and then click Update.
* Open the Network Map page, and then click Update Map.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page. Eventually you’ll receive a page error, as there will be no pool members left to fulfill the request.
* In JMeter, if the load test is still running, click the Stop button.
* Save the 10.128.10.20 Test, and then close JMeter.
* In the Configuration Utility, continue to click Update Map until pool member 10.128.20.15:80 is again available.
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page. You receive the Web page. All elements come from pool member 10.128.20.15:80.
* In the SSH session, to replace the text string in the HealthCheck.html Web page on 10.128.20.12:80:
  o Type: vi HealthCheck.html
  o Arrow to the location where you removed the text UP.
  o Type an “i” to enter insert mode.
  o Type UP.
  o Type the following commands: :wq
* In the F5 vLab Test Web page, use Ctrl+F5 to refresh the page. There are now page elements coming from both 10.128.20.12:80 and 10.128.20.15:80.
* In the Configuration Utility on the Network Map page, click Update Map. The virtual server and pool again display available. Pool members 10.128.20.11:80 and 10.128.20.14:80 display offline. Pool member 10.128.20.13:80 displays forced offline. Pool members 10.128.20.12:80 and 10.128.20.15:80 display available.

EXERCISE 5.3 – USING AN INBAND MONITOR

In this exercise you experiment with using a combination of passive monitoring and active monitoring.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create and Use an Inband Monitor

Create a custom inband monitor with a retry time of 0.

* Open the Local Traffic > Monitors page.
* Create a monitor using the following information, and then click Finished.
    Name: custom_inband_monitor
    Type: Inband
    Retry Time: 0 seconds

TASK 2 – Update the HTTP Monitor

Configure custom_http_monitor to use the Up Interval setting.

* On the Monitors page, click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For the Up Interval value, select Enabled, then type 60 seconds, and then click Update.
  With this configuration, LTM uses the up interval setting for the active monitor (60 seconds) as long as the inband monitor identifies the pool member available.
If the inband monitor identifies the pool member as suspect or offline, the regular interval is used for the active monitor (4 seconds).

TASK 3 – Update the HTTP Pool
Add custom_inband_monitor along with custom_http_monitor to http_pool.
* Open the Pool List page, and then click http_pool.
* From the Configuration list, select Advanced.
* Select custom_inband_monitor and click <<.
* From the Availability Requirement list box, select At Least, then type 1, and then click Update.
* In the F5 vLab Test Web page, use Ctrl+F5 several times to refresh the page. There are now page elements provided by 10.128.20.11:80 and 10.128.20.12:80.
* In the Configuration Utility, open the Network Map page.
* Click 10.128.20.11:80 and examine the Availability and Health Monitors statuses.
* Notice the custom_http_monitor fails, while the custom_inband_monitor succeeds. Because we modified the availability requirement to 1 health monitor, the pool member is identified as available.

EXERCISE 5.4 – USING MANUAL RESUME

In this exercise you will modify the active HTTP monitor to use manual resume.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the HTTP Monitor
Modify custom_http_monitor to use manual resume. Also, remove custom_inband_monitor from http_pool.
* Open the Monitors page, and then click custom_http_monitor.
* From the Configuration list box, select Advanced.
* For Up Interval, select Disabled.
* For Manual Resume, select Yes, and then click Update.
* Open the Pool List page, and then click http_pool.
* In the Active list, select custom_inband_monitor, and then click >>.
* From the Availability Requirement list box, select All, and then click Update.
* Wait 15 seconds, and then open the Network Map page. Pool member 10.128.20.11:80 again displays offline.

TASK 2 – Update the Pool Members
Replace the HealthCheck.html Web page on pool member 10.128.20.11:80.
* In the SSH session, to replace the HealthCheck.html Web page on 10.128.20.11:80, type:
    cd ..
    cd 1
    mv NewHealthCheck.html HealthCheck.html
* Close the SSH session.
* In the Configuration Utility, on the Network Map page, click Update Map.
* Hover over pool member 10.128.20.11:80. The pool member 10.128.20.11:80 displays as forced offline, waiting for manual resume.
* Click 10.128.20.11:80. When a monitor is set for manual resume, a BIG-IP system administrator must manually enable the pool member after the monitor is again identified as available.
* Select Enabled (All traffic allowed), and then click Update.
* Open the Network Map page. The pool member 10.128.20.11:80 is now available.

TASK 3 – Reset the Environment
To prepare for the next exercises, reset the environment, including restoring the Ubuntu image from the clean snapshot.
* Go to the 10.128.20.13 node.
* Change the State to Enabled, and then click Update.
* Open the Monitors page, and then click custom_http_monitor.
* For Manual Resume, select No, and then click Update.
* Create an archive file named 5.4_monitors_v11.4.1.1.
* In VMware Workstation, power off the LAMP_3.2 image.
* Right-click LAMP_3.2 in the Library menu and select Snapshot > LAMP_3.2_Clean.
* Click Yes to restore LAMP_3.2.

MODULE 6 EXERCISES – USING PROFILES

EXERCISE 6.1 – USING AN HTTP PROFILE

In this exercise you will create a custom HTTP profile and add it to the HTTP virtual server. You will then examine how the HTTP profile changes the traffic management behavior.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Create a Custom HTTP Profile
Create a custom HTTP profile.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Local Traffic > Profiles > Services > HTTP page, and then click Create.
* Create an HTTP profile using the following information, and then click Finished.
    Name: custom_http_profile
    Fallback Host: http://www.f5.com
    Fallback on Error Codes: 404 500-503
    Response Headers Allowed: Content-Type Set-Cookie Location
    Insert X-Forwarded-For: Enabled
    Maximum Requests: 50
Notice the current inherited setting for Maximum Header Size is 32768 bytes.

TASK 2 – Modify the Default HTTP Profile
Make a couple of modifications to the BIG-IP system default http profile, and then examine which values were inherited by custom_http_profile.
* On the Profiles: Services: HTTP page, click http.
* Edit the profile using the following information, and then click Update.
    Maximum Header Size: 16384
    Maximum Requests: 30
* On the Profiles: Services: HTTP page, click custom_http_profile.
Questions:
  Did the custom profile inherit the maximum header size setting? ________________
  Did the custom profile inherit the maximum requests setting? _______________

TASK 3 – Add the Custom HTTP Profile to a Virtual Server
Add custom_http_profile to http_vs.
* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on This Host section, click the Request and Response Headers link.
* Leave this browser open.
* In the Configuration Utility, open the Virtual Server List page, and then click http_vs.
* In the Configuration section, from the HTTP Profile list box, select custom_http_profile.
* Click Update.
* Use a second Web browser to access http://10.128.10.20.
* Click the Request and Response Headers link.
* Using both Web browsers, examine the different Response Headers delivered to the Client sections.
Questions:
  Why are there fewer response headers in the second version of this Web page? _______________________________________________________________
  Which response headers that were exposed in the first version of this Web page could be exploited by a hacker? ________________________________________________________________
* Using both Web browsers, examine the different Request Headers Received at the Server section.
Question:
  On the second version, what is the X-Forwarded-For value? _________________________
* Close the first Web browser.
* In the second Web browser, change the URL to http://10.128.10.20/badpage.php.
Questions:
  What was the result of this request? ________________
  Why were you redirected to www.f5.com? ___________________________________
* Close the Web browser.

TASK 4 – Update the Custom HTTP Profile
Update custom_http_profile with additional settings.
* In the Configuration Utility, open the Local Traffic > Profiles > Services > HTTP page, and then click custom_http_profile.
* Edit the profile using the following information, and then click Update.
    Request Header Erase: User-Agent
    Request Header Insert: Bigip-Httpvs:10.128.20.10
    Response Headers Allowed: Content-Type Set-Cookie Location X-Injected
* Use a Web browser to access http://10.128.10.20, and then click Request and Response Headers.
Questions:
  Is the new Bigip-Httpvs request header displaying? ________________
  Are you still seeing the User-Agent header? __________________

EXERCISE 6.2 – USING A STREAM PROFILE

In this exercise you will create a custom stream profile that will replace a static text string for responses from the customer’s Web site.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – View a Current Web Page
View the text that needs to be replaced on the customer’s Web site.
* Use a new Web browser to access http://10.128.10.20.
* In the Content Examples on this Host section, click Stream Profile Example. This page has several references to the company’s previous name, Lorax Bank. Without going through the task of updating several pages across multiple Web servers, you’ll make this update on BIG-IP LTM using a stream profile.

TASK 2 – Create a Stream Profile
Create a custom stream profile that will find occurrences of the customer’s previous name and replace it with their updated company name.
* In the Configuration Utility, open the Local Traffic > Profiles > Other > Stream page, and then click Create.
* Create a stream profile using the following information, and then click Finished.
    Name: custom_stream
    Source: Lorax Bank
    Target: Lorax Investments

TASK 3 – Add the Custom Stream Profile to a Virtual Server
Add custom_stream to http_vs.
* Open the Virtual Server List page, and then click http_vs.
* From the Configuration list box, select Advanced.
* In the Configuration section, from the Stream Profile list box, select custom_stream.
* In the Acceleration section, from the HTTP Compression Profile list box, select httpcompression, and then click Update.
* Return to the F5 vLab Test Web page and refresh the Welcome to Lorax Bank page. The stream profile replaced all occurrences of the string “Lorax Bank” with “Lorax Investments”.
* Close the Web browser.
* Create an archive file named 6.2_profiles_v11.4.1.1.

MODULE 7 EXERCISES – PERFORMANCE PROFILES

EXERCISE 7.1 – USING COMPRESSION AND ACCELERATION

In this exercise you will use iMacros for Firefox to create a recording of a visit to the HTTP virtual server. You will then create several optimization profiles, including HTTP compression, caching, and TCP. You will create a similar HTTP pool and virtual server and add the profiles to the new virtual server. You’ll then record a similar visit to the Web site using iMacros for Firefox and identify improvements.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Install iMacros for Firefox
Install iMacros for Firefox.
* Use a Web browser to access https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/.
* Download and install iMacros for Firefox.

TASK 2 – Record BIG-IP LTM Performance without Optimization
Clear the statistics, then update http_vs by removing the HTTP and stream profiles, and then record a visit to the HTTP virtual server using iMacros for Firefox.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Statistics > Module Statistics > Local Traffic page.
* Reset the virtual server, pool, and pool member statistics.
* Open the Virtual Server List page, and then click http_vs.
* From the HTTP Profile list box, select None.
* From the Stream list box, select None, and then click Update.
* Use a Mozilla Firefox browser to access http://10.128.10.20.
* Click I Understand the Risks, then click Add Exception, and then click Confirm Security Exception.
* If it’s not already displayed, enable the iMacros pane.
* In the iMacros pane, select the Rec tab, and then click Record.
* Record the following series of clicks:
  o Click Welcome, and then click the banner at the top of the page to return to the home page.
  o Click HTTP Compress Example, and then click the banner at the top of the page.
  o Click Stream Profile Example, and then click the banner at the top of the page.
  o Click Mask Sensitive Content Example, and then click the Back button.
  o Click Simple HTTP Request, and then click the Back button.
  o Click Request and Response Headers, and then click the banner at the top of the page.
* Click Stop.
* Use Ctrl+F5 five times to refresh the page.
* Select the Welcome link, and then click on the banner at the top of the page to return to the home page.
* Click the Welcome link.
* Use Ctrl+F5 five times to refresh the page.
* Click the banner at the top to return to the home page.
* HTTP Compress
* Multiple Stream Example.
* bigtext.txt.
* Change the U
* In the location you extracted JMeter, go to the /bin directory, and then launch the jmeter.bat file.
* Open 10.128.10.20 Test.jmx.
* In the navigation panel, select 10.128.10.20 Test.
* Change the Number of Threads (users) to 50.
* Change the Loop Count to 2.
* Go to Run > Start.
* Select Summary Report to monitor the results.
When the total # Samples value reaches 300, the test is complete.
Questions:
  What is the Total Throughput value? ___________________
  What is the Total KB/sec value? ____________________
  What is the Total Avg. Bytes value? ___________________
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression. There is no compression taking place.
* Click the Back button, and then click the View link for Web Acceleration. There is no caching taking place.

TASK 2 – Configure HTTP Compression and Fast Cache
Create a custom HTTP compression profile and a custom Web acceleration profile.
* Open the Acceleration > Profiles > HTTP Compression page.
* Create an HTTP Compression profile using the following information, and then click Finished.
    Name: custom_compression
    Parent Profile: wan-optimized-compression
    Content Compression: Content List…
    Content Type (Click Include after each entry): *.png *.jpg *.php
    Minimum Content Length: 10 bytes
    gzip Compression Level: 6 – Optimal Compression
    Browser Workarounds: Enabled
* Open the Acceleration > Profiles > Web Acceleration page.
* Create a Web Acceleration profile using the following information, and then click Finished.
    Name: custom_caching
    Parent Profile: optimized-acceleration
    Cache Size: 500 megabytes

TASK 3 – Configure TCP Express and Content Spooling
Enable TCP optimization between the client and BIG-IP LTM, and between BIG-IP LTM and the pool members.
* Open the Local Traffic > Profiles > Protocol > TCP page.
* Create a TCP profile using the following information, and then click Repeat.
    Name: custom_tcp_server_profile
    Parent Profile: tcp_lan_optimized
* Create another TCP profile using the following information, and then click Finished.
    Name: custom_tcp_client_profile
    Parent Profile: tcp_wan_optimized
    Delayed Acks: Disabled
    Proxy Buffer High: 196608
    Selective NACK: Enabled
    Nagle’s Algorithm: Disabled

TASK 4 – Configure OneConnect
Create a custom OneConnect profile.
* Open the Local Traffic > Profiles > Other > OneConnect page.
* Create a OneConnect profile using the following information, and then click Finished.
    Name: custom_oneconnect
    Source Mask: 255.255.0.0
    Maximum Size: 12000

TASK 5 – Create a Pool and Virtual Server
Create a new pool and virtual server to use with the new performance profiles.
* Create a pool using the following information, and then click Finished.
    Name: http_pool2
    Health Monitors: custom_http_monitor
    Load Balancing Method: Round Robin
    Members (Use the Node List option):
      Node            Service Port
      10.128.20.11    80
      10.128.20.12    80
      10.128.20.13    80
      10.128.20.14    80
      10.128.20.15    80
* Create a virtual server using the following, and then click Finished.
    Name: http_vs2
    Destination: 10.128.10.21
    Service Port: 80 (HTTP)
    Configuration: Advanced
    Protocol Profile (Client): custom_tcp_client_profile
    Protocol Profile (Server): custom_tcp_server_profile
    HTTP Profile: http
    Source Address Translation: Auto Map
    OneConnect Profile: custom_oneconnect
    HTTP Compression Profile: custom_compression
    Web Acceleration Profile: custom_caching
    Default Pool: http_pool2

TASK 6 – Record BIG-IP LTM Performance with Optimization
Record traffic statistics with BIG-IP LTM optimization configured.
* In JMeter, in the navigation panel, select HTTP Request Defaults.
* Change the Server Name or IP to 10.128.10.21.
* Select Summary Report, and then go to Run > Clear.
* Go to Run > Start.
* Select Summary Report to monitor the results. When the total # Samples value reaches 300, the test is complete.
Questions:
  What is the Total Throughput value? ___________________
  What is the Total KB/sec value? ____________________
  What is the Total Avg. Bytes value? ___________________
* In the Configuration Utility, view the Virtual Servers statistics.
Questions:
  Was there a significant difference in the number of bits coming in or out of the virtual servers? _______________
  How many maximum connections were opened for http_vs? ______________________
  How many total connections were opened for http_vs? ________________________
  How many maximum connections were opened for http_vs2? ______________________
  How many total connections were opened for http_vs2? ________________________
* Reset the statistics for both virtual servers.
* View the Pools statistics.
Questions:
  Was there a significant difference in the number of bits coming in or out of the pools? _______________
  Did caching lower the number of packets out for http_pool2? _____________
  Did OneConnect lower the number of connections required for http_pool2? _____________
* Reset the statistics for both pools and all pool members.
* From the Statistics Type list box, select Profiles Summary.
* Click the View link for HTTP Compression. Compression is now taking place for HTML content.
* Click the Back button, and then click the View link for Web Acceleration. There should now be many cache hits.
* Create an archive file named 7.1_performance_profiles_v11.4.1.1

MODULE 8 EXERCISES – PERSISTENCE PROFILES

EXERCISE 1.8A – USING SOURCE ADDRESS PERSISTENCE

In this exercise you will create a source address persistence profile and examine how it changes the BIG-IP load balancing decision.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 15 minutes

TASK 1 – Update the HTTP Pool
Update the HTTP pool to use round robin load balancing.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the Pool List page, and then select http_pool.
* Select the Members tab.
* Change the Load Balancing Method to Round Robin.
* Open a new Web browser and access http://10.128.10.20.
Question: Are requests coming from one or several pool members?
______________________

TASK 2 – Create a Source Address Persistence Profile
Create a custom source address persistence profile and add it to the HTTP virtual server.
* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Click Create.
* Create a persistence profile using the following information:
    Name: custom_source_addr
    Persistence Type: Source Address Affinity
    Timeout: 15 seconds
    Mask: Specify: 255.255.255.0
* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
Questions:
  Are requests coming from one or several pool members? ______________________
  Which pool member is supplying the content for this request? ____________________
* Wait at least 15 seconds and then use Ctrl+F5 to refresh the page again.
Questions:
  Was the same pool member used for this request? _______________
  If not, why not? _________________________________________________________
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
* Refresh the Statistics page.
* Continue to click Refresh and note the value in the Age column.
* Close the http://10.128.10.20 Web browser.

EXERCISE 1.8B – USING COOKIE PERSISTENCE

In this exercise you will create a custom cookie persistence profile, and then add it in place of the source address persistence profile.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Create a Cookie Persistence Profile
Create a custom cookie persistence profile, and then add it in place of the source address persistence profile.
* In the Configuration Utility, open the Local Traffic > Profiles > Persistence page.
* Create a persistence profile using the following information:
    Name: custom_cookie
    Persistence Type: Cookie
    Cookie Method: HTTP Cookie Insert
    Cookie Name: BIGIP_mycookie
    Expiration: Session Cookie (cleared) 8 hours
* Click Finished.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_cookie.
* Click Update.
Questions:
  Was the update successful? _______________
  If not, why not? _________________________________________________________
* Select the Properties tab.
* For HTTP Profile, select the default http profile.
* Repeat the steps above to update the persistence profile to custom_cookie.
* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.
* In the Content Examples on this Host section, select Display Cookie.
* In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page.
* Select Persistence Records from the Statistics Type list.
Question:
  Is there a persistence record for this session? _______________
  If not, why not? _________________________________________________________

EXERCISE 1.8C – VIEW PERSISTENCE WITH DISABLED AND OFFLINE POOL MEMBERS

In this exercise you will examine how persistence works with both disabled and offline pool members.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Update the Source Address Profile and the Virtual Server
Update the timeout value in the source address persistence profile, and then update the HTTP virtual server to use the source address persistence profile.
* Open the Local Traffic > Profiles > Persistence page.
* Select custom_source_addr.
* Update the Timeout to 60 seconds.
* Open the Virtual Server List page, and then select http_vs.
* Select the Resources tab.
* From the Default Persistence Profile list, select custom_source_addr.
* Click Update.
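
The source address affinity settings used in this module (Mask 255.255.255.0, Timeout 15 then 60 seconds) and the Match Across Virtual Servers option enabled later in Exercise 1.8D can be modelled as a keyed table with an idle timer. The Python model below is an added example, not F5 code or part of the original guide; the class and function names, the client addresses, and the simplified record-matching rules are assumptions made for illustration.

```python
"""Simplified model of source address affinity persistence (added example)."""
import ipaddress
from dataclasses import dataclass, field
from itertools import cycle

# Pool members of http_pool / http_pool2 as listed in the guide.
MEMBERS = [f"10.128.20.{n}:80" for n in range(11, 16)]


@dataclass
class SourceAddrProfile:
    mask: str = "255.255.255.0"          # Mask from custom_source_addr
    timeout: float = 15.0                # idle timeout in seconds
    match_across_virtuals: bool = False  # option used in Exercise 1.8D


@dataclass
class VirtualServer:
    name: str
    members: list
    _rr: object = field(init=False, repr=False)

    def __post_init__(self):
        self._rr = cycle(self.members)   # Round Robin load balancing

    def load_balance(self):
        return next(self._rr)


class PersistenceTable:
    def __init__(self, profile):
        self.profile = profile
        self.records = {}                # key -> [pool member, last-used time]

    def _key(self, vs, client_ip):
        # The mask is applied first, so every client in the same /24
        # shares one persistence record.
        net = ipaddress.ip_network(f"{client_ip}/{self.profile.mask}", strict=False)
        masked = str(net.network_address)
        if self.profile.match_across_virtuals:
            return masked                # assumption: record shared by all virtuals
        return (vs.name, masked)         # assumption: one record per virtual server

    def pick(self, vs, client_ip, now):
        """Return the pool member for this connection at time `now` (seconds)."""
        key = self._key(vs, client_ip)
        rec = self.records.get(key)
        if rec and now - rec[1] < self.profile.timeout and rec[0] in vs.members:
            rec[1] = now                 # traffic resets the record's age
            return rec[0]
        member = vs.load_balance()       # no usable record: load balance again
        self.records[key] = [member, now]
        return member


def timeout_walkthrough():
    """Constructed clients and timestamps against the 15-second profile."""
    vs = VirtualServer("http_vs", MEMBERS)
    table = PersistenceTable(SourceAddrProfile())
    events = [
        ("10.128.10.30", 0),    # first request creates the record
        ("10.128.10.99", 5),    # same /24, so same record and same member
        ("10.128.10.30", 19),   # 14 s idle: record still valid
        ("10.128.10.30", 34),   # 15 s idle: record expired, new decision
        ("10.128.11.30", 35),   # different /24: separate record
    ]
    return [table.pick(vs, ip, t) for ip, t in events]


def two_virtuals(match_across):
    """Same client hits http_vs and then http_vs2 with a 60-second timeout."""
    vs1 = VirtualServer("http_vs", MEMBERS)
    vs2 = VirtualServer("http_vs2", MEMBERS)
    profile = SourceAddrProfile(timeout=60, match_across_virtuals=match_across)
    table = PersistenceTable(profile)
    table.pick(vs1, "192.0.2.7", 0)      # unrelated client advances round robin
    return table.pick(vs1, "10.128.10.30", 1), table.pick(vs2, "10.128.10.30", 2)


if __name__ == "__main__":
    print(timeout_walkthrough())
    print("match across off:", two_virtuals(False))
    print("match across on: ", two_virtuals(True))
```

Because the key is the masked address, a whole /24 (or any population behind one translated address) lands on a single pool member for as long as the record stays fresh, which is worth remembering when sizing connection limits.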

TASK 2 – View Effects of Disabled and Offline Pool Members
Make a couple of modifications to the default http profile, and then examine which values were inherited by the custom HTTP profile.
* Open up a new Web browser and access https://10.128.10.20. Use Ctrl+F5 to refresh the page several times.
Question:
  Which pool member are you currently persisting to? _______________
* In the Configuration Utility, disable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
Questions:
  Did you persist to the same pool member? _______________
  Can disabled pool members service client requests? ________________
* In the Configuration Utility, select Forced Offline for the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
Questions:
  Did you persist to the same pool member? _______________
  Can offline pool members service client requests? ________________
* In the Configuration Utility, re-enable the pool member from your answer above.
* Use Ctrl+F5 several times to refresh the http://10.128.10.20 Web site.
Question:
  Did your persistence session go back to the original pool member? _______________
* Close the Web browser.

EXERCISE 1.8D – USING MATCH ACROSS VIRTUAL SERVERS

In this exercise you will use persistence with two virtual servers. It’s critical that users are persisted to the same pool member, regardless of which virtual server they access.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Clear Statistics and View Access to Two Virtuals
View how requests are currently being handled through both virtual servers.
* In the Configuration Utility, open the Virtual Server List page, and then select http_vs2.
* For Protocol Profile (Client), select tcp.
* For Protocol Profile (Server), select (Use Client Profile).
* For each of the following, select None.
  o HTTP Profile
  o OneConnect
* Click Update.
* Open the Statistics > Module Statistics > Local Traffic page.
* Ensure the statistics for both virtual servers and pools, and pool members have been reset.
* Open up a new Web browser and access https://10.128.10.20.
* Type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21.
* Type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.
Questions:
  Are requests for http_pool persisting to one pool member? _______________
  Are requests for http_pool2 persisting to one pool member? ________________
* Reset the statistics for both pools and all pool members.

TASK 2 – Enable Persistence for http_vs2
Add the source address persistence profile to the second HTTP virtual server.
* Open the Virtual Servers page, and then select http_vs2.
* Select the Resources tab.
* For Default Persistence Profile, select custom_source_addr.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.
Questions:
  Are requests for http_pool persisting to one pool member? _______________
  Are requests for http_pool2 persisting to one pool member? ________________
  Are requests for each different pool persisting to the SAME pool member? ___________
* Reset the statistics for both pools and pool members.

TASK 3 – Enable Match Across Virtual Servers
Update the source address persistence profile to use the Match Across Virtual Servers option.
* Open the Persistence profiles page, and then select custom_source_addr.
* Enable Match Across Virtual Servers.
* Click Update.
* Open up a new Web browser and access https://10.128.10.20, and type Ctrl+F5 exactly three times.
* Open up a new Web browser and access https://10.128.10.21, and type Ctrl+F5 exactly three times.
* Close both Web browsers.
* In the Configuration Utility, refresh the pools statistics.
Question:
  Are requests for each different pool persisting to the SAME pool member? ___________
* Reset the statistics for both pools and pool members.
* Create an archive file named 1.8_persistence_profiles_v11.4.0.1.

MODULE 9 EXERCISES – SSL TERMINATION

EXERCISE 1.9A – SUPPORTING SSL TRAFFIC

In this exercise you’ll set up the BIG-IP to support processing SSL traffic. First you’ll configure the BIG-IP to simply pass SSL traffic through to the pool members. Then you’ll configure the BIG-IP for SSL termination.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Create a Self-Signed Certificate
Create a self-signed certificate for www.f5demo.com.
* In VMware Workstation, power on the BIGIP_A1_v11.4 and LAMP_3.2 images.
* Access https://10.128.1.245 and log in to the BIG-IP VE system.
* Open the System > File Management > SSL Certificate List page.
* Click Create.
* Create a self-signed certificate using the following information:
    Name: custom_ssl_cert
    Type: Self
    Common Name: www.f5demo.com
    Lifetime: 3650 days
    Key Type: RSA
    Size: 2048 bits
  Fill in the remaining fields however you like.
* Click Finished.

TASK 2 – Create a Client SSL Profile
Create a client SSL profile using the self-signed certificate.
* Open the Local Traffic > Profiles > SSL > Client page.
* Click Create.
* Create a client SSL profile using the following information:
    Name: custom_client_ssl
    Certificate: custom_ssl_cert
    Key: custom_ssl_cert
* Click Finished.

TASK 3 – Create a Custom HTTPS Monitor
Create a custom HTTPS monitor that requests the index.php Web page from the pool member and then verifies that a text string is returned in the response.
* Open the Local Traffic > Monitors page.
* Create a monitor using the following:
    Name: custom_https_monitor
    Type: HTTPS
    Send String: GET /index.php\r\n
    Receive String: FSE vLab Test Web Site
* Click Finished.
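
The send string / receive string check that custom_https_monitor performs can be reproduced with a short probe. The Python code below is an added example, not F5 code or part of the original guide: the function names, the read cap, and the local stand-in pool member with its page bodies are constructed for illustration, and the TLS layer of an HTTPS monitor is left out so the example runs offline against a plain TCP listener (the pass or fail decision on the response is the same).

```python
"""Send/receive string health check, modelled on custom_https_monitor (added example)."""
import socket
import socketserver
import threading

SEND_STRING = "GET /index.php\r\n"          # Send String from the guide
RECEIVE_STRING = "FSE vLab Test Web Site"   # Receive String from the guide
MAX_BYTES = 65536                           # read cap chosen for this example


def probe(host, port, send_string, receive_string, timeout=5.0):
    """One monitor attempt: connect, send, read, then search the response."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(send_string.encode())
            while sum(len(c) for c in chunks) < MAX_BYTES:
                data = sock.recv(4096)
                if not data:                # peer closed: response complete
                    break
                chunks.append(data)
    except OSError:
        pass  # refused, unreachable or timed out: judge whatever arrived
    return receive_string.encode() in b"".join(chunks)


class _Page(socketserver.StreamRequestHandler):
    """Constructed stand-in for a pool member's Web server."""

    def handle(self):
        self.rfile.readline()               # consume the request line
        self.wfile.write(self.server.body)  # reply with the page, then close


def start_constructed_member(body):
    """Start a local listener on an ephemeral port that serves `body`."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _Page)
    server.body = body
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_constructed_member(body):
    """Run one probe against a stand-in member serving `body`."""
    server = start_constructed_member(body)
    try:
        port = server.server_address[1]
        return probe("127.0.0.1", port, SEND_STRING, RECEIVE_STRING, timeout=2.0)
    finally:
        server.shutdown()
        server.server_close()


def probe_closed_port():
    """Probe a port with no listener, as when the service is stopped."""
    placeholder = socket.socket()
    placeholder.bind(("127.0.0.1", 0))
    port = placeholder.getsockname()[1]
    placeholder.close()                     # nothing listens here now
    return probe("127.0.0.1", port, SEND_STRING, RECEIVE_STRING, timeout=1.0)


if __name__ == "__main__":
    healthy = b"<html><title>FSE vLab Test Web Site</title></html>"
    wrong_content = b"<html><body>Site under maintenance</body></html>"
    print("expected page   ->", check_constructed_member(healthy))
    print("wrong content   ->", check_constructed_member(wrong_content))
    print("service stopped ->", probe_closed_port())
```

The second case is the one a port-only check would miss: the member accepts the connection and answers, but the page no longer contains the expected string, so the probe reports it as failed.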

TASK 4 – Create an HTTPS Pool and Virtual Server
Create a pool and a virtual server to support SSL traffic, and then test access using a Web browser.
* Open the Pool List page.
* Create a pool using the following:
    Name: https_pool
    Health Monitors: custom_https_monitor
    Load Balancing Method: Round Robin
    Members (Use the Node List option):
      Node            Service Port
      10.128.20.11    443
      10.128.20.12    443
      10.128.20.13    443
      10.128.20.14    443
      10.128.20.15    443
* Click Finished.
* Open the Virtual Server List page.
* Create a virtual server using the following:
    Name: https_vs
    Destination: Host: 10.128.10.20
    Service Port: 443 (or HTTPS)
    Default Pool: https_pool
* Click Finished.
* Open a new Web browser and access https://10.128.10.20.
* View the URI and the information in the Pool member address/port.
Questions:
  Is the connection between the client and BIG-IP LTM secured? _____________
  Is the connection between BIG-IP LTM and the pool member secured? _____________
* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page. Each request is load balanced to different pool members.
* Close the Web browser.

TASK 5 – Add Cookie Persistence to the HTTPS Virtual Server
Attempt to add cookie persistence to the HTTPS virtual server and then verify the results.
* In the Configuration Utility, open the Virtual Server List page, and then select https_vs.
* For HTTP Profile, select custom_http_profile.
* Click Update.
* Select the Resources tab.
* For Default Persistence Profile, select custom_cookie.
* Click Update.
* Open a new Web browser and access https://10.128.10.20.
Questions:
  Did the Web page display? _____________
  If not, why not? _______________________________________________________

TASK 6 – Enable SSL Termination with the HTTPS Virtual Server
Enable SSL termination on the HTTPS virtual server, and then verify the results.
* In the Configuration Utility, on the https_vs page, open the Properties page.
* For SSL Profile (Client), move custom_client_ssl from the Available list to the Selected list.
* For SSL Profile (Server), move serverssl from the Available list to the Selected list.
* Click Update.
* Refresh the https://10.128.10.20 Web browser.
* Use Ctrl+F5 several times to refresh the https://10.128.10.20 Web page.
* Update the URI to https://10.128.10.20/badpage.exe.
Questions:
  Did the Web page display? _____________
  Is the connection between the client and BIG-IP LTM secured? _____________
  Is the connection between BIG-IP LTM and the pool member secured? _____________
  Is cookie persistence working? _____________
  Is BIG-IP LTM processing the HTTP profile? _____________
* Edit the URI to https://10.128.10.20.
* Right-click and select Properties.
* Click Certificates.
Question:
  How can you identify that this is a self-signed certificate? _________________________
* Close the Web browser.

EXERCISE 1.9B – ENABLING SSL OFFLOAD

In this exercise you will update the HTTPS virtual server to perform SSL offload, sending unencrypted traffic to the pool members.
* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 20 minutes

TASK 1 – Import an SSL Certificate and Key
Import the lamp.f5demo.com certificate and key.
* In the Configuration Utility, open the System > File Management > SSL Certificate List page.
* Click Import.
* From the Import Type list, select Certificate.
* In the Certificate Name box, leave Create New selected and type lamp.
* Click the Browse button.
* Navigate to the Exercise_Files folder and select the lamp.f5demo.com.cer file, and then click Open.
* Click Import.
* Once the certificate has been imported, click Import again to import the corresponding key.
* From the Import Type list, select Key.
* In the Key Name box, leave Create New selected and type lamp.
* Click the Browse button.
* Navigate to the Exercise_Files folder and select the lamp.f5demo.com.key file, and then click Open.
* Click Import.

TASK 2 – Create a Client SSL Profile
Create a new custom client SSL profile using the lamp.f5demo.com certificate and key.
* Open the Local Traffic > Profiles > SSL > Client page.
* Create a client SSL profile using the following information:
    Name: lamp_client_ssl
    Certificate: lamp
    Key: lamp
* Click Finished.

TASK 3 – Update Your Local Hosts File
Add an entry to your local hosts file for lamp.f5demo.com.
* Open Notepad and select Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
* Open the C:\Windows\System32\drivers\etc\hosts file.
* Add an entry for:
    10.128.10.30 lamp.f5demo.com
* Save and close the hosts file.

TASK 4 – Create an Offload Virtual Server
Create a new virtual server that will perform SSL offload.
* Open the Virtual Server List page.
* Create a virtual server using the following:
    Name: offload_vs
    Destination: Host: 10.128.10.30
    Service Port: 443 (or HTTPS)
    Configuration: Advanced
    HTTP Profile: custom_http_profile
    Stream Profile: custom_stream
    SSL Profile (Client): lamp_client_ssl
    HTTP Compression Profile: custom_compression
    Default Pool: http_pool
    Default Persistence Profile: custom_cookie
* Click Finished.
* Open a new Web browser and access https://lamp.f5demo.com.
* View the URI and the information in the Pool member address/port.
Questions:
  Is the connection between the client and BIG-IP LTM secured? _____________
  Is the connection between BIG-IP LTM and the pool member secured? _____________
  Is cookie persistence working? _____________
* Select the Request and Response Headers link.
Question:
  Is the BIG-IP processing the HTTP profile? _____________
* Click the Back button, and then select the Stream Profile Example link.
Question:
  Is the BIG-IP processing the stream profile? _____________

TASK 5 – Verify the New Certificate
Test the new certificate being used by the offload virtual server.
* Right-click the page and select Properties.
* Click Certificates.
Question: Who issued this certificate?
_____________________________ When does it expire? _________________________________

- Close the Web browser.
- In the Configuration Utility, create an archive file named 1.9_ssl_termination_v11.4.0.1.

MODULE 10 EXERCISES – NATS AND SNATS

EXERCISE 1.10A – USING A NAT

In this exercise you will configure a NAT to pass traffic between an external device and a specific internal node.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 10 minutes

TASK 1 – Configure a NAT

Create a custom NAT to give external users access to a specific node in the 10.128.20.0 network.

- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the Local Traffic > Address Translation > NAT List page.
- Click Create.
- Create a NAT using the following:

    Name              custom_NAT
    NAT Address       10.128.10.200
    Origin Address    10.128.20.13
    State             Enabled

- Click Finished.

TASK 2 – Testing the NAT – Inbound

Test the NAT by opening the new NAT address using several application services.

- Open a new Web browser and access http://10.128.10.200. Note that all items are coming from pool member #3 (10.128.20.13).
- Edit the URL to https://10.128.10.200.
- Using Putty, open an SSH session to 10.128.10.200.

NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.

Note that you can connect to multiple services through the NAT and that you are always connected to 10.128.20.13.

- Close the Web browser and the Putty window.

TASK 3 – Disable the NAT

Disable the NAT to ensure that it won’t interfere with future exercises.

- In the Configuration Utility on the NAT List page, select custom_NAT.
- From the State list, select Disabled.
- Click Update.
- Confirm that the NAT is no longer available by opening a new Web browser and attempting to access http://10.128.10.200.

EXERCISE 1.10B – USING SNATS

In this exercise you will configure a SNAT to pass traffic between an external device and internal nodes.

* Required virtual images: BIGIP_A1_v11.4, LAMP_3.2
* Estimated completion time: 25 minutes

TASK 1 – Testing Behavior without a SNAT

Open the HTTP virtual server and examine what the back-end Web server sees as the client IP address.

- Open a new Web browser and access http://10.128.10.20.
- View the information in the Request Details section.

Questions:
What is the client IP address? __________________________
What device “owns” this IP address? _________________________________

TASK 2 – Using SNAT Auto Map with the HTTP Virtual Server

Update the HTTP virtual server by enabling SNAT Auto Map.

- In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
- In the Configuration section, from the Source Address Translation list, select Auto Map.
- Click Update.
- Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.

Questions:
What is the client IP Address? __________________________
What device “owns” this IP address? ________________________
When using SNAT, how can we ensure that the back-end Web server can identify the true client IP address? _________________________________________________________________________

- In the Configuration Utility, update http_vs by selecting custom_http_profile.
- In the http://10.128.10.20 Web page, select the Request and Response Headers link.

Question: What is the X-Forwarded-For value? _________________________

- Close the Web browser.

TASK 3 – Create a SNAT

Create a custom SNAT to give external users in the 10.128.10.0 network access to several nodes in the 10.128.20.0 network.

- In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
- Click Create.
- Create a SNAT using the following:

    Name            custom_SNAT
    Translation     IP Address: 10.128.20.201
    Origin          Address List
    Address List    Network Address: 10.128.10.0 Mask: 255.255.255.0 (be sure to click Add)

- Click Finished.
- Open a new Web browser and access http://10.128.10.20.
- Update the URI to http://10.128.10.21.
- Update the URI to https://10.128.10.20.
- Close the Web browser.

Questions:
Did every connection use the new SNAT? __________________
If not, which one didn’t? __________________________________________________

- Update the http_vs by selecting None for Source Address Translation.
- Update the http_vs2 by selecting None for Source Address Translation.
- Open a new Web browser and access http://10.128.10.20.
- Edit the URI to http://10.128.10.21.
- Close the Web browser.

TASK 4 – Create a SNAT Pool

Create a SNAT pool and then use the SNAT pool with a virtual server.

- In the Configuration Utility, open the Local Traffic > Address Translation > SNAT Pool List page.
- Click Create.
- Create a SNAT pool using the following:

    Name           custom_SNAT_pool
    Member List    10.128.20.222
                   10.128.20.223
                   10.128.20.224
                   (be sure to click Add)

- Click Finished.
- Open the Virtual Server List page, and then select http_vs2.
- For Source Address Translation, select SNAT.
- For SNAT Pool, select custom_SNAT_pool.
- Click Update.
- Open a new Web browser and access http://10.128.10.21.

Question: Which IP address was used for the SNAT address? _____________________________

- Close the Web browser.

TASK 5 – Creating a SNAT for Internal Users

Create a SNAT to give internal users access to external resources through BIG-IP LTM.

- In the VMware Workstation console, select the LAMP image and click Login.
- Open Firefox and attempt to access http://www.yahoo.com.

NOTE: The request should fail. If your request is successful, it’s likely because you enabled Network Adapter 4 for the Ubuntu image in VMware Workstation.

- In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page.
- Create a SNAT using the following:

    Name            internal_SNAT
    Translation     IP Address: 10.128.1.100
    Origin          Address List
    Address List    Network Address: 10.128.20.0 Mask: 255.255.255.0 (be sure to click Add)

- Click Finished.
- In the LAMP VMware image, refresh the http://www.yahoo.com Web page.
- In the Configuration Utility, create an archive file named 1.10_nat_snat_v11.4.0.1.

TASK 6 – Delete the SNATs

Delete both SNATs as they aren’t needed for the remaining exercises.

- In the Configuration Utility, on the SNAT List page, select the checkbox for both custom_SNAT and internal_SNAT, and then click Delete twice.

MODULE 10 EXERCISES – IRULES

EXERCISE 1.11A – WRITING YOUR FIRST IRULE

In this exercise you’ll download and install the iRule Editor from DevCentral. You’ll then use the iRule Editor to connect to your BIG-IP and write your first iRule. You’ll then download an iRule from DevCentral and use the iRule as is.

* Estimated completion time: 25 minutes

TASK 1 – Download the iRule Editor

Access and log in to DevCentral, and then download the iRule Editor. You do not need to perform this task if you already have the iRule Editor installed on your workstation.

- Open a new Web browser and access http://devcentral.f5.com.
- Log in using your DevCentral user account, or create a DevCentral user account.
- On the left navigation menu select iRules.
- On the left navigation menu select iRule Editor.
- Download and install the iRulerSetup.msi file.

TASK 2 – Open the iRule Editor

Open the iRule Editor and explore the application.

- From your Start menu, launch the F5 iRule Editor.
- Click the iRules Reference button. This opens the iRules Wiki Home page on DevCentral.
- Close the Web browser.
- Click the TCL Reference button. This opens the TCL command reference page.
- Click the set link. We’ll be covering the set command shortly.
- Close the Web browser.

TASK 3 – Use the iRule Editor to Connect to Your BIG-IP

Use the iRule Editor to connect to the external self IP address of your BIG-IP system.

- In the iRule Editor, select File > Connect.
- In the Hostname box type 10.128.10.240.
- In the Username and Password boxes enter the username and password you created in Exercise 1.1C.
- Click OK.

Questions: Did you successfully connect?
________________ Which port is being used to connect to the BIG-IP system? __________________

- Access https://10.128.1.245 and log in to the BIG-IP VE system.
- Open the Network > Self IPs page, and then select external_selfIP.
- Add the required port to the Custom List, and then click Update.
- In the iRule Editor, attempt to connect again using the same username and password.

TASK 4 – Create Your First iRule

Create a basic iRule to log information when a client connection is accepted by the BIG-IP.

- In the left navigation menu of the iRules Editor, select Local Traffic.
- Select File > New.
- Name the new iRule exercise_iRule.
- Select the Custom tab.
- Select the CLIENT_ACCEPTED event, and then click OK.
- Edit the text inside of the double-quotes to: "Client connection accepted"
- Select the View menu. By default, the iRule Editor displays several annotations to help you write iRules.
- Select both Whitespace and End of Line.
- Click Save. This will check the syntax of the iRule. You’ll get a notification at the bottom of the iRules Editor of any syntax errors.
- In the Configuration Utility, open the Local Traffic > iRules > iRules List page. The iRule was saved on the BIG-IP.
- Select exercise_iRule. Note how different it is viewing and editing an iRule in the Configuration Utility versus the iRule Editor.

TASK 5 – Add the iRule to the HTTP Virtual Server

Add the new iRule to the existing HTTP virtual server, and then verify the iRule.

- Open the Virtual Server List page, and then select http_vs.
- Ensure that the HTTP Profile is set to http. Click Update if necessary.
- Open the Resources page.
- For Default Persistence Profile, select None.
- Click Update.

NOTE: We are removing persistence in order to use iRules for all BIG-IP LTM load balancing decisions.

- In the iRule section, click Manage.
- Move the exercise_iRule from the Available list to the Enabled list.
- Click Finished.
- Open Putty and log in to 10.128.10.240.

NOTE: For easier viewing of log entries, we recommend resizing the Putty window, making it bigger both horizontally and vertically.

- At the CLI prompt, type:

    tail -f /var/log/ltm

- Type the Enter key a few times to move the existing log entries to the top of the window.
- Open up a new Web browser and access http://10.128.10.20.
- View the Putty window.

Questions:
Was the iRule triggered? _______________
How many client connections were required for this request? _________________

TASK 6 – Save the Current iRule to your Offline iRules

Create a new iRule, then copy your current iRule to the new iRule, and then copy the new iRule to your offline iRules.

- In the iRule Editor, select Local Traffic, and then select File > New.
- Name the new iRule exercise1A_iRule, use the Blank template, and then click OK.
- Copy the code from exercise_iRule and paste into exercise1A_iRule.
- Save exercise1A_iRule.
- Right-click exercise1A_iRule and select Copy Offline. The new iRule is saved under Offline iRules, which is stored on your local workstation. This will enable you to use this iRule on any BIG-IP that you can connect to.

NOTE: In the iRules exercises, we will continue to make modifications to the exercise_iRule, and then save the iRule from each exercise to your Offline iRules. This will enable us to continue to make updates to the iRule without needing to update the virtual server.

TASK 7 – Using an iRule from DevCentral

Use an iRule from DevCentral to prevent valid credit card numbers from being returned to users.

- Open a new Web browser and access http://10.128.10.20.
- Select the Mask Sensitive Content Example link. This page contains confidential information that we’d like to prevent from being sent in an HTTP response.
- In the iRule Editor, use the iRules Reference button to access DevCentral.
- On the left navigation menu, select CodeShare.
- Find an iRule that scrubs out credit cards from HTTP traffic. (NOTE: Don’t use the iRule that uses a stream profile.)
- In the iRules Source section, click on the view source button.
- Select and copy all of the iRules code.
- In the iRule Editor, for exercise_iRule, delete the existing code, and then paste the contents of the credit card scrubber.
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/privatedata.html Web page.
- Close the Web browser.

FOR EXTRA CREDIT

- Update the iRule to change the character used for scrubbing from “X” to “*”.
- Test by refreshing the credit card accounts page.

TASK 8 – Save the Current iRule to your Offline iRules

- In the iRule Editor, select Local Traffic, and then select File > New.
- Name the new iRule exercise1B_iRule, use the Blank template, and then click OK.
- Copy the code from exercise_iRule and paste into exercise1B_iRule.
- Save exercise1B_iRule.
- Right-click exercise1B_iRule and select Copy Offline.

EXERCISE 1.11B – USING IRULE EVENTS

In this exercise you experiment with some of the events that you can use to trigger an iRule.

* Estimated completion time: 20 minutes

TASK 1 – Update the iRule with Multiple Events

Update the exercise_iRule by adding several events.

- In the iRule Editor, select exercise1A_iRule and copy all of the code.
- Select exercise_iRule and delete all of the existing code, and then paste the copied text.
- Place the cursor at the beginning of line 1, and then type Enter a couple of times.
- At the beginning of line 1 start typing the word when.
- When the iRule Editor prompts for the word, type the Enter key to accept the full word when.
- After when, start typing RULE_ and then hit Enter to accept the RULE_INIT event.
- After RULE_INIT, type a {, then type the Enter key twice, and then type a }. This is a good method for ensuring that you have a closing curly brace for every opening curly brace.
- Move your cursor after the indent in line 2.
- Type the following command and arguments:

    log local0. "iRule created or updated"

- In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.

NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.

- In the iRule Editor, save the exercise_iRule, and then view the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- Open a new Web browser and access http://10.128.10.20.
- View the Putty window.

Questions:
Was the RULE_INIT event triggered? ________________
Was the CLIENT_ACCEPTED event triggered? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the CLIENT_ACCEPTED event:
- Save the iRule.
- In the http://10.128.10.20 Web page select the Welcome link.
- View the Putty window.

Question: How many HTTP requests are needed to build this Web page? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the HTTP_REQUEST event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- View the Putty window.

Question: Was a different pool member selected for each HTTP request? ________________

- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the LB_SELECTED event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, add the following after the SERVER_CONNECTED event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- View the Putty window.

TASK 2 – Enable Caching and Compression on the HTTP Virtual Server

Enable caching, compression, and OneConnect on the HTTP virtual server, and then examine the difference in the iRule results.

- In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
- Configure the following:
    - HTTP Profile: custom_http_profile
    - OneConnect Profile: custom_oneconnect
    - HTTP Compression Profile: custom_compression
    - Web Acceleration Profile: custom_caching
- Click Update.
- In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- In Putty, type the Enter key five times.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.
- Close the Web browser.
- View the Putty window.

Question: How did these profiles change the results of the iRule triggering? _______________________________________________________________________

- In the Configuration Utility, on the http_vs Properties page, configure the following:
    - HTTP Profile: http
    - OneConnect Profile: None
    - HTTP Compression Profile: None
    - Web Acceleration Profile: None
- Click Update.

NOTE: We are removing these profiles to ensure that BIG-IP LTM makes load balancing decisions for each request and doesn’t serve up content from its cache.

TASK 3 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise2_iRule using the Blank template.
- Copy the code from exercise_iRule and paste into exercise2_iRule.
- Save exercise2_iRule.
- Right-click exercise2_iRule and select Copy Offline.

EXERCISE 1.11C – USING VARIABLES

In this exercise you will set variables in an iRule, and then reference and manipulate the variables.

* Estimated completion time: 20 minutes

TASK 1 – Set Variables in an iRule

Update the exercise_iRule by setting several variables.

- In the iRule Editor, select exercise_iRule.
- Delete all of the existing events EXCEPT for the HTTP_REQUEST event.
- In the line directly after the when HTTP_REQUEST line, type:

    set name "Chris"         (use your own first name)
    set last_name "Manly"    (use your own last name)
    set price 9.95
    set quantity 5

TASK 2 – Reference Variables in an iRule

Update the exercise_iRule by referencing the variables you set in the previous task.

- Edit the log local0. message to:

    log local0. "$name $last_name made an HTTP request"

- Save the iRule.
- In the Putty window, type the Enter key a few times to move the existing log entries to the top of the window.

NOTE: If you closed Putty, go back and repeat the steps in Exercise 1.11A, task 5 to access Putty and view the LTM log entries.

- Open a new Web browser and access http://10.128.10.20/httprequest.php.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, create a second log entry:

    log local0. "Order made for $quantity items at $$price each"

NOTE: Be sure to include two dollar signs before “price”.

- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window. Note that the iRule was able to identify that $price was referencing a variable, and the dollar sign before that was interpreted as a regular text string.
- Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 3 – Manipulating Variables

Update the exercise_iRule by using the append, incr, and expr commands.

- In the iRule Editor, in the line after setting your last name, type:

    append name " "          (there should be one space between the quotes)
    append name $last_name

- Edit the first log local0. message to:

    "$name made an HTTP request"

- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, in the line after the final log local0. statement, type:

    incr quantity 2
    log local0. "Due to our special, $name will receive $quantity items"

- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
- Type the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, in the line after setting the quantity, type:

    set total [expr { $price * $quantity } ]
    set tax [expr { $total * .09 } ]
    set grand_total [expr { $total + $tax } ]

- In the line after the final log local0. statement, type:

    log local0. "Total: $$total, tax: $$tax, for a grand total of $$grand_total"

- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.

TASK 4 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise3_iRule using the Blank template.
- Copy the code from exercise_iRule and paste into exercise3_iRule.
- Save exercise3_iRule and then copy it to your Offline iRules.

EXERCISE 1.11D – USING TCL AND IRULES COMMANDS

In this exercise you will use several TCL and iRules commands to base your existing iRules on dynamic connection information.

* Estimated completion time: 30 minutes

TASK 1 – Update the iRule using iRules Commands

Update the iRule you created in exercise 2 by logging information based on the actual client connection.

- In the iRule Editor, select exercise2_iRule and copy all of the iRule code.
- Replace all of the previous code in exercise_iRule with the copied text.
- Update the CLIENT_ACCEPTED event as follows:
- Update the LB_SELECTED event as follows:
- Update the SERVER_CONNECTED event as follows:
- Update the HTTP_RESPONSE event as follows:
- Save the iRule and ensure you don’t receive any syntax errors.
- Open a new Web browser and access http://10.128.10.20/httprequest.php.
- View the Putty window.

In the next section we will be discussing using conditional statements. Start thinking about the traffic management decisions you could make on the BIG-IP system using any of the information that you sent to the log file.

- Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 2 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise4A_iRule.
- Copy the code from exercise_iRule and paste into exercise4A_iRule.
- Save exercise4A_iRule, and then copy it to your Offline iRules.

TASK 3 – Update the iRule using HTTP Commands

Experiment with the different HTTP commands that are available in an iRule.

- Select exercise_iRule.
- Delete all of the existing events EXCEPT for the when HTTP_REQUEST event.
- Update the HTTP_REQUEST event as follows:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
- Edit the URI to http://10.128.10.20/httprequest.php?user=bob.

Question: Which value changed between the two requests? _________________________________

- Type the Enter key a few times to move the existing log entries to the top of the window.

TASK 4 – Create a Custom Response Page

Using the iRule, create a custom HTTP response page to be sent for all client requests.

- In the iRules Editor, select exercise_iRule.
- After the HTTP_REQUEST event add the following HTTP_RESPONSE event:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php?user=bob Web page.

Question: Did you receive the custom Webpage? ___________________

In the next lesson we’ll cover using conditional statements. Be thinking about what information you could use to determine whether or not to display this error page for user requests.

TASK 5 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise4B_iRule.
- Copy the code from exercise_iRule and paste into exercise4B_iRule.
- Save exercise4B_iRule, and then copy it to your Offline iRules.

TASK 6 – Use the Stream Command

In Exercise 1.6B you used a Stream profile in the Configuration Utility. As you learned, one of the limitations of the Stream profile is that you can only find one text string to replace with another. You will now use the stream command in an iRule to find multiple text streams and replace them with different values.

- In the Configuration Utility, open the Virtual Servers page, and then select http_vs.
- Configure the following:
    - Stream Profile: stream
    - HTTP Compression Profile: custom_compression
- Click Update.

NOTE: Even when you use the stream command in an iRule, you still need to include the default Stream profile, and in addition you need to ensure that the Web servers aren’t compressing content (which is achieved by using an HTTP compression profile).

- In the iRules Editor, select exercise_iRule.
- Delete all of the lines contained within the HTTP_RESPONSE event (but leave the event itself).
- Save the iRule.
- Open a new Web browser and access http://10.128.10.20/lorax.php. There are references to “Lorax Bank”, “Lorax Finances”, and “savings accounts”.
- In the iRule Editor, update the HTTP_RESPONSE event as follows:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. The references to “Lorax Bank” have been replaced with “Lorax Investments”.
- Update the STREAM::expression as follows:

    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@}

NOTE: Type all of the previous expression on one line.

- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/lorax.php Web page. All references to the previous entries have been replaced with the updated entries.
- Click on the top graphic to go back to the home page.
- From the http://10.128.10.20 page, select the Multiple Stream Example link.

NOTE: The graphics in the second column on this page are “broken” links.

- Right-click on the page and select View Source.

Question: What are the URLs that the broken image links are pointing to? ____________________________________________________________________

- Close the source code page.
- Update the STREAM::expression as follows:

    {@Lorax Bank@Lorax Investments@ @Lorax Finances@Lorax Investments@ @savings accounts@investment accounts@ @http://server1.hostingsite.com/images@/images@}

- Save the updated iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/badlinks.html Web page.

Question: Why did the first two pictures display properly, but the third picture still doesn’t display? _________________________________________________________________

- Update the stream expression so that all three graphics display on the page.

TASK 7 – Save the Current iRule to your Offline iRules

- In the iRule Editor, create a new iRule named exercise4C_iRule.
- Copy the code from exercise_iRule and paste into exercise4C_iRule.
- Save exercise4C_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11E – USING CONDITIONAL STATEMENTS

In this exercise you will add conditional statements to your iRules, using if, elseif, and else statements, in addition to using the stream command.

* Estimated completion time: 40 minutes

TASK 1 – Update the Custom Error Page iRule

Update the iRule you created earlier that displays a custom error page by using a conditional statement to determine the HTTP response status and displaying the error page only when the user receives a 404 error.

- In the iRule Editor, select exercise4B_iRule and copy all of the iRule code.
- Replace all of the previous code in exercise_iRule with the copied text.
- Update the HTTP_RESPONSE event as follows:

NOTE: The indenting within the if command isn’t required; however it can make the iRule easier to read.

- Save the iRule and ensure you don’t receive any syntax errors.
- Open a new Web browser and access http://10.128.20.10.
- Edit the URI to http://10.128.20.10/index.html.
- Close the Web browser.

Because this Web server doesn’t have an index.html file, it responded with a 404 error status. Instead of simply passing the 404 error to the client, we can present them with more useful information in the custom Web page.

TASK 2 – Create Three Wildcard Pools

In the next several iRule examples we’ll be making traffic management decisions. Create three pools to use within these iRules.

- In the Configuration Utility, open the Pool List page.
- Create a pool using the following:

    Name                     iRules_pool1
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members                  (Use the Node List option)
                             Node            Service Port
                             10.128.20.11    * (All Services)

- Create another pool using the following:

    Name                     iRules_pool2
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members                  (Use the Node List option)
                             Node            Service Port
                             10.128.20.12    * (All Services)

- Create another pool using the following:

    Name                     iRules_pool3
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members                  (Use the Node List option)
                             Node            Service Port
                             10.128.20.13    * (All Services)

- Create another pool using the following:

    Name                     iRules_pool4
    Health Monitors          gateway_icmp
    Load Balancing Method    Round Robin
    Members                  (Use the Node List option)
                             Node            Service Port
                             10.128.20.14    * (All Services)

TASK 3 – Use an iRule for Traffic Management Decisions

Use the iRule to make traffic management decisions based on the requested file type.

- In the iRule Editor, update the HTTP_REQUEST event as follows:

This iRule will identify the file type of the user request. If the file type is php, the request will be routed to the iRules_pool1 pool. Because we’re now using the iRule for traffic management decisions, we need to remove the default pool from the virtual server.

- Save the iRule.
- In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
- Open the Resources page.
- For Default Pool, select None.
- Click Update.
- Open a new Web browser and access http://10.128.10.20/welcome.php.

Questions:
Did the page display properly? ___________________
If not, why not? ______________________________________________________

- In the iRule Editor, update the HTTP_REQUEST as follows:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/welcome.php Web page.

Questions:
Did the page display properly? ___________________
If yes, which pool supplied the welcome.php page? ______________________________
Which pool supplied the graphics? _______________________________

- Click on the top graphic to go back to the home page.

Questions:
Did the page display properly? ___________________
If not, why not? ______________________________________________________

- In the iRule Editor, update the HTTP_REQUEST as follows:

Since we no longer have a default pool associated with the virtual server, it’s a good idea to have an else statement for requests that don’t match the if or the elseif conditions.

- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20 Web page.

Questions:
Did the page display properly? ___________________
Which page supplied the index.php page? ________________________
Which pool supplied the F5 logo at the bottom of the page? _________________________
Why wasn’t this graphic supplied by iRules_pool2? _____________________________

TASK 4 – Manage Traffic Based on the Service Port

Create a new iRule that will manage traffic based on the request’s application port.

- In the iRule Editor, create a new iRule using the blank template named wildcard_iRule.
- Use the following to create this iRule:
- Save the iRule.

TASK 5 – Create a Wildcard Virtual Server

Create a virtual server listening on all ports.

- In the Configuration Utility, open the Virtual Server List page.
- Create a virtual server using the following:

    Name            wildcard_vs
    Destination     Host: 10.128.10.40
    Service Port    * (All Ports)
    iRules          wildcard_iRule
    Default Pool    None

- Open a Web browser and access http://10.128.10.40.

Question: Which pool supplied this request? ___________________

- Edit the URI to https://10.128.10.40.

Question: Which pool supplied this request? ___________________

- Edit the URI to http://10.128.10.40:8081.

Questions:
Which pool supplied this request? ___________________
How was BIG-IP LTM able to view the iRule and make traffic management decisions when there’s no HTTP profile configured on the virtual server? ___________________________________________________________________________

- Close the Web browser.

TASK 6 – Update the iRule to Use the Switch Operator

Update the wildcard_iRule to use the switch operator in place of the if, elseif, else statements.

- In the iRules Editor, update the wildcard_iRule as follows:

In this statement, the -exact argument is optional. The $requestport variable is the value that we are comparing to either 80, 443, or 8081. The statements after the 80, 443, and 8081 are the actions to take if the port value matches. The default statement is for all requests that don’t match port 80, 443, or 8081.

- Save the iRule.
- Test by using a new Web browser to access http://10.128.10.40, http://10.128.10.40:8081, and https://10.128.10.40.
- Close the Web browser.
- In the Configuration Utility, access the Statistics > Module Statistics > Local Traffic page, and then view the Pools statistics.
- Reset the statistics for all pools and all pool members.
- Open a new Putty session and access 10.128.10.40.

NOTE: It’s not necessary to log into the BIG-IP; receiving the login prompt is sufficient.

- In the Configuration Utility, refresh the pools statistics.

Question: Which pool supplied this request? ___________________

- Close Putty.
- Copy the wildcard_iRule to your Offline iRules.

TASK 7 – Use the Switch Operator to Manage Traffic Based on the File Type

Create an iRule to determine the requested file type.
If the request is for an unauthorized file type we’ll present a custom error page for the user. Otherwise we’ll route all requests for graphic files to one pool, PHP pages to another pool, and all other requests to a third pool. ? Open a new Web browser and access http://10.128.10.20. ? Edit the URI to http://10.128.10.20/calc.exe. ? Attempt to run the application. ? Edit the URI to http://10.128.10.20/basic.css. ? Close the Web browser. Currently this Web application contains files that shouldn’t be accessed by users. We’ll use the iRule to block access to these file types. ? In the iRules Editor, select exercise_iRule. ? Delete the lines containing the if, elseif, and else statements. ? Update the HTTP_REQUEST event as follows: In this statement, the -glob argument enables us to use wildcard characters. The $httppath variable is the value that we are comparing. For each of the file types we are using the asterisk wildcard. If the $httppath variable ends with exe or css, the user will get a custom response page, and in addition we’ll send an entry to the log file. If the variable ends with jpg, gif, or png, the request is sent to iRules_pool1. If the variable ends with php the request is sent to iRules_pool2 and we send an entry to the log file. The default statement is for all requests that don’t match any of the listed file types. ? Save the iRule and ensure you don’t receive a syntax error. ? Open a new Web browser and access http://10.128.10.20. Questions: Which pool supplied the index.php page? ____________________ Why didn’t this request go to iRules_pool2? _____________________________________ Which pool supplied the F5 logo? ____________________ ? Select the Welcome link. Question: Which pool supplied the welcome.php page? ____________________ ? Edit the URI to http://10.128.10.20/calc.exe. ? Edit the URI to http://10.128.10.20/basic.css. Question: Were you able to open these sensitive files? _______________ ? View the Putty window. 
Questions:
    Did requests for images generate a log entry? ________________
    Did requests for css files generate a log entry? ________________
    Did requests for php pages generate a log entry? _______________
- Close the Web browser.

TASK 8 – Save the Current iRule to your Offline iRules
- In the iRule Editor, create a new iRule named exercise5_iRule.
- Copy the code from exercise_iRule and paste into exercise5_iRule.
- Save exercise5_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11F – WORKING WITH LISTS
In this exercise you work with lists. First you’ll create a static list and experiment with different commands to manipulate the list. Next you’ll create a dynamic list containing HTTP request headers.
* Estimated completion time: 30 minutes

TASK 1 – Update the HTTP Virtual Server and the iRule
Update the HTTP virtual server by using the HTTP pool as the default pool.
- In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
- Select the Resources tab.
- From the Default Pool list, select http_pool, and then click Update.
- In the iRule Editor, delete all of the code in the exercise_iRule.

TASK 2 – Work with a Static List
Create a static list, and then use several list commands to manipulate the list.
- To create a new static list, add the following HTTP_REQUEST event to exercise_iRule.
- Save the iRule.
- Open a new Web browser and open the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
- To sort the list, add the following lines at the end of the HTTP_REQUEST:
    set mylist [lsort $mylist]
    log local0. "Sorted first list: $mylist"
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
- To add items to the list, add the following lines at the end of the HTTP_REQUEST:
    lappend mylist "rst" 222
    log local0. "Second list: $mylist"
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
Question: Were the new items added into the sorted order? ___________________
- Add additional lines to the iRule to sort the list after the new items have been added and add an entry to the log file. After refreshing the http://10.128.10.20/httprequest.php Web page, the log entry should look like this:
- To insert an item into the list, add the following lines at the end of the HTTP_REQUEST:
    set mylist [linsert $mylist 1 "f5"]
    log local0. "Third list: $mylist"
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
Questions:
    How are the lappend and linsert commands different? _____________________________
    In what position in the list was the new entry added? ________________
- Once again, add additional lines to sort the new list and add an entry to the log file.
- To determine the number of items in the list, add the following line at the end of the HTTP_REQUEST:
    log local0. "Third list length: [llength $mylist]"
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
Question: What are a couple of advantages of knowing the number of items in a list? ________________________________________________________________________
- Add the following lines at the end of the HTTP_REQUEST:
    lset mylist 3 "456"
    log local0. "Fourth list: $mylist"
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
Questions:
    How is the lset command different from the lappend and linsert commands? __________________________________________________________________________
    In what position in the list was the new entry added? ________________
- To determine the value of an item in the list, add the following lines at the end of the HTTP_REQUEST:
    set item [lindex $mylist 3]
    log local0. "Item #4: '$item'"
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
- To determine the index value of three different items, add the following lines at the end of the HTTP_REQUEST:
    set find1 [lsearch $mylist "rst"]
    set find2 [lsearch $mylist 222]
    set find3 [lsearch $mylist "deflmo"]
    log local0. "List item 'rst' at index # $find1"
    log local0. "List item '222' at index # $find2"
    log local0. "List item 'deflmo' at index # $find3"
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
Questions:
    What index number is “222” at? __________________
    Why is the third item displaying at index value -1? _________________________________

TASK 3 – Add Iteration to the iRule
Use iteration to loop through the different items in the static list.
- In the iRule Editor, add the following lines at the end of the HTTP_REQUEST (use your own address):
    set myaddress "401 Elliott Ave S, Seattle, WA 98119 USA"
    set mylist [split $myaddress " "]
    log local0. "First item: '[lindex $mylist 0]'"
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
Question: Without using iteration, how would you create separate log messages for each list entry? __________________________________________________________________________
- Replace the previous log local0 entry with the following:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
Question: What can you add to make these log entries more understandable? __________________________________________________________________________

FOR EXTRA CREDIT
- Update the iteration command so that the log message lists the correct item number:

TASK 4 – Save the Current iRule to your Offline iRules
- In the iRule Editor, create a new iRule named exercise6A_iRule.
- Copy the code from exercise_iRule and paste into exercise6A_iRule.
- Save exercise6A_iRule, and then copy it to your Offline iRules.

TASK 5 – Use a Dynamic List in an iRule
Use an iRule to gather information about the client request HTTP headers using the list commands.
- In the iRule Editor, update exercise_iRule as follows:
- Save the iRule.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
Questions:
    How many HTTP headers are in your HTTP request? _________________
    Which header is at index position 1? ___________________________
    What is the index value for X-Forwarded-For? _________________
- In the Configuration Utility, open the Virtual Server List page, and then select http_vs.
- For HTTP Profile, select custom_http_profile.
- Click Update.
- Use Ctrl+F5 to refresh the http://10.128.10.20/httprequest.php Web page.
- View the Putty window.
Question: What changes occurred using this profile? ________________________________________

TASK 6 – Save the Current iRule to your Offline iRules
- In the iRule Editor, create a new iRule named exercise6B_iRule.
- Copy the code from exercise_iRule and paste into exercise6B_iRule.
- Save exercise6B_iRule, and then copy it to your Offline iRules.

EXERCISE 1.11G – USING IRULES BEST PRACTICES
In this exercise you add comments and debugging statements to an iRule you created earlier.
* Estimated completion time: 15 minutes

TASK 1 – Add Comments to an iRule
Update an iRule by adding several comments to make it easier to understand for other administrators.
- In the iRule Editor, select exercise5_iRule and copy all of the iRule code.
- Replace all of the previous code in exercise_iRule with the copied text.
- In the line directly after the when HTTP_REQUEST line, add the following comment:
    #Identify the requested page and store in a variable
- Continue to add the following comments:

TASK 2 – Adding Debugging Statements for Logging
Logging isn’t recommended for BIG-IP systems in production. Modify non-critical log statements to only run at specified times.
- In the line directly after the when HTTP_REQUEST line, add the following line:
    set debug 1
- Edit the log statement for PHP pages to the following:
    if { $debug } { log local0. "Request made for $httppath" }
- Add the same statement to the switch default statement:
- Save the iRule.
- Open a new Web browser and open the http://10.128.10.20 Web page.
- Select the Welcome link.
- Click on the top graphic to go back to the home page.
- Select the Multiple Stream Example link.
- View the Putty window.
For debugging purposes, we can see that requests are made for the root page “/”, php pages, and html pages.
- Press the Enter key a few times to move the existing log entries to the top of the window.
- In the iRule Editor, edit the debug statement:
    set debug 0
- Save the iRule and then view the same pages as you did at the beginning of this task.
- Edit the URI to http://10.128.10.20/calc.exe.
- Edit the URI to http://10.128.10.20/basic.css.
- View the Putty window.
We’ve now eliminated unnecessary logging, but can continue to log critical messages.

TASK 3 – Save the Current iRule to your Offline iRules
- In the iRule Editor, create a new iRule named exercise7_iRule.
- Copy the code from exercise_iRule and paste into exercise7_iRule.
- Save exercise7_iRule, and then copy it to your Offline iRules.
- Close the iRule Editor.
- In the Configuration Utility, create an archive file named 1.11_iRules_v11.4.0.1.

MODULE 11 EXERCISES – IAPPS

EXERCISE 1.12A – WORKING WITH IAPP APPLICATION SERVICES
In this exercise you will create an iApp Application Service. You will then examine the effects of enabling and disabling strictness. You will use reentrancy to update the application, and then examine the various objects iApp created for the application.
* Estimated completion time: 20 minutes

TASK 1 – Create a Web Application Using iApp
Create the Web application using an iApp Application Service.
- Open up a new Web browser and access https://10.128.1.245.
- Open the iApp > Application Services page.
- Click Create.
- Create an Application Service using the following information:
    Profile Name: app_web
    Template: f5.http
    Inline help? No
    Configuration mode: Basic
    IP address for virtual server: 10.128.10.40
    FQDN: lamp.f5demo.com
    Create a new pool or use an existing one? Create a new pool
    Servers to reference (Address, Port):
        10.128.20.11, 80
        10.128.20.12, 80
        10.128.20.13, 80
    Health monitor: Create new HTTP monitor
    HTTP URI to send: /index.php
    Expected response: Welcome
- Click Finished.

TASK 2 – Update Your Local Hosts File
Update the entry in your local hosts file for lamp.f5demo.com.
- Open Notepad using Run as Administrator. (HINT: Right-click on Notepad in the Start menu.)
- Open the C:\Windows\System32\drivers\etc\hosts file.
- Update the lamp.f5demo.com entry:
    10.128.10.40 lamp.f5demo.com
- Save and close the hosts file.

TASK 3 – Test Access to the iApp Application
Test access to the iApp application, and verify how traffic is being load balanced to pool members.
- Open a new Web browser and access http://lamp.f5demo.com.
Questions:
    Which pool member(s) supplied content? __________________________________
    Why did only one pool member supply content? __________________________________
    Is SNAT enabled or disabled? _________________________
- Select the Request and Response Headers link.
Question: Is the X-Forwarded-For request header present? ________________
- In the Configuration Utility, open the Statistics > Module Statistics > Local Traffic page, and then select the Pools statistics.
- Reset the statistics for all pools and pool members.
- In the http://lamp.f5demo.com Web page, select the HTTP Compress Example link.
- In the Configuration Utility, refresh the Pools statistics.
Questions:
    How many Bits Out did this page create? ____________________
    How many Packets Out did this page generate? ______________________
    How many total requests were needed to generate this Web page? __________________
- Reset the statistics for all pools and pool members.
- Use Ctrl+F5 to refresh the http://www.f5demo.com/bigtext.php page.
- Close the Web browser.
- In the Configuration Utility, refresh the Pools statistics.
Questions:
    How many Bits Out did this page create? ____________________
    How many Packets Out did this page generate? ______________________
    How many total requests were needed to generate this Web page? __________________
    What caused the difference in traffic to the pool member? __________________________

TASK 4 – View and Update the Application
Use iApp to update the previously deployed Web application.
- Open the iApp > Application Services page, and then select app_web.
- On the Components page, click app_web_vs. This navigates you to the virtual server Properties page.
- Attempt to update the Destination Address to 10.128.10.41.
Question: Why couldn’t you update the virtual server IP address? __________________________
- Open the iApp > Application Services page, and then select app_web.
- Select the Properties tab.
- From the Application Service list, select Advanced.
- Disable Strict Updates, and then click Update.
- Open the app_web_vs virtual server Properties page.
- Update the following:
    - Destination Address: 10.128.10.41
    - OneConnect Profile: None
    - HTTP Compression Profile: None
    - Web Acceleration Profile: None
- Click Update.
- Select the Resources tab.
- From both the Default Persistence Profile and Fallback Persistence Profile lists, select None.
- Click Update.
- Open a new Web browser and access http://10.128.10.41.
- Close the Web browser.
- Open the iApp Application Services page, and then select app_web.
- Select the Reconfigure tab.
Question: What is the virtual server IP address? __________________________
- Without making any changes, click Finished.
- Open the app_web_vs virtual server Properties page.
Questions:
    Are the updates you just made still in effect? ____________________
    If not, why not? _____________________________________________________________
- Open the Local Traffic > Profiles > Protocol > TCP page.
Question: How many TCP profiles were created for this application? ___________
- Open the iApp Application Services page, and then select app_web.
- Select the Properties tab.
- Re-enable Strict Updates, and then click Update.
- Select the Reconfigure tab.
- In the Network section, specify the following:
    What type of network connects clients to the BIG-IP system? Local area network (LAN)
- Click Finished.
- Open the Local Traffic > Profiles > Protocol > TCP page.
Question: Why is there now only one TCP profile? _________________________________________

TASK 4 – Delete an iApp Application Service
Create a new iApp Application Service using objects from another Application Service, and then attempt to delete both applications.
- Open the iApp > Application Services page.
- Create an Application Service using the following information:
    Profile Name: app_web_backup
    Template: f5.http
    Inline help? No
    Configuration mode: Basic
    IP address for virtual server: 10.128.10.41
    FQDN: (click the X to delete this option)
    Create a new pool or use an existing one? app_web_pool
- Click Finished.
- Open the Application Services page.
- Select the checkbox for app_web, and then click Delete twice.
Questions:
    Were you able to delete this application? ____________________
    If not, why not? _____________________________________________________________
- On the Application Services page, select app_web_backup.
iApp created several objects for this profile: a virtual server, persistence profiles, an http profile, and several optimization profiles.
- Select the Properties tab.
- Click Delete, and then click OK.
- View the following Configuration Utility pages and verify that the application objects are deleted:
    - Virtual Server List
    - HTTP Profiles
    - HTTP Compression Profiles
    - Web Acceleration Profiles
    - Persistence Profiles
    - TCP Profiles

TASK 5 – Update the Wildcard Pools
Update the three wildcard pools you created in the iRules exercises.
- Open the Pool List page.
- Update the following pools:
    - iRules_pool1: disable 10.128.20.11:0, add 10.128.20.11:80
    - iRules_pool2: disable 10.128.20.12:0, add 10.128.20.12:80
    - iRules_pool3: disable 10.128.20.13:0, add 10.128.20.13:80

TASK 6 – Reconfigure the Application Service
Reconfigure the Application Service using the advanced settings.
- Open the iApp Application Services page, and then select app_web.
Questions:
    How many profiles did iApp create for this application? _____________________
    What type of persistence does this application use? ________________________________
- Select the Reconfigure tab.
- In the Template Options section, select to use Advanced settings.
- In the Network section, specify the following:
    What type of network connects clients to the BIG-IP system? Wide area network (WAN)
    How have you configured routing on your web servers? Servers have a route to clients through the BIG-IP system
- In the Virtual Server and Pools section, specify the following:
    Which HTTP profile do you want to use? Create a new HTTP profile
    Should the BIG-IP system insert the X-Forwarded-For header? Do not insert X-Forwarded-For HTTP header
    Which persistence profile do you want to use? Do not use persistence
    Which load balancing method do you want to use? Weighted Least Connections (member)
    Do you want to give priority to specific groups of servers? Use Priority Group Activation
    What is the minimum number of active members in a group? 2
    Which web servers should be included in this pool?
        Update the following:
            10.128.20.11:80, Limit: 1000, Priority: 8
            10.128.20.12:80, Limit: 800, Priority: 8
            10.128.20.13:80, Limit: 800, Priority: 6
        Add the following:
            10.128.20.14, Limit: 1200, Priority: 10
            10.128.20.15, Limit: 1200, Priority: 10
- In the Delivery Optimization section, specify the following:
    Which Web Acceleration profile do you want to use for caching? Do not use caching
    Which compression profile do you want to use? Do not compress HTTP responses
    How do you want to optimize client-side connections? Create the appropriate tcp-optimized profile
- In the Server Offload section, specify the following:
    Which OneConnect profile do you want to use? Do not use OneConnect
    How do you want to optimize server-side connections? Create a profile based on tcp-lan-optimized
    How many seconds should Slow Ramp time last? 200
- In the Application Health section, specify the following:
    How many seconds should pass between health checks? 10
- Click Finished.
- Open a new Web browser and access http://lamp.f5demo.com.
Questions:
    Which pool member(s) supplied content? __________________________________
    Is SNAT enabled or disabled? _________________________
- Select the Request and Response Headers link.
Question: Is the X-Forwarded-For request header present? ________________
- In the Configuration Utility, reconfigure the app_web Application Service.
- In the iRules section, specify the following:
    Do you want to add any custom iRules to this configuration? exercise7_iRule
- Click Finished.
- Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.
Question: Did the BIG-IP make new traffic management decisions? _________________
- In the Configuration Utility, reconfigure the app_web Application Service.
- In the SSL Encryption section, specify the following:
    How should the BIG-IP system handle SSL traffic? Encrypt to clients, plaintext to servers (SSL Offload)
    Which Client SSL profile do you want to use? Create a new Client SSL profile
    Which SSL certificate do you want to use? lamp.crt
    Which SSL private key do you want to use? lamp.key
Note that the virtual server port changed from 80 to 443 after you selected to use SSL offload.
- In the Virtual Server and Pools section, specify the following:
    Do you want to redirect inbound HTTP traffic to HTTPS? Redirect HTTP to HTTPS
    From which port should HTTP traffic be redirected? 80
- Click Finished.
- Use Ctrl+F5 to refresh the http://lamp.f5demo.com Web page.

EXERCISE 1.12B – WORKING WITH IAPP TEMPLATES
In this exercise you will view the list of system-supplied iApp Templates, and then view the properties of a Template. You’ll then find and download iApp Templates from the F5 downloads page and from DevCentral.
* Estimated completion time: 20 minutes

TASK 1 – View iApp Templates
View the list of system-supplied iApp Templates.
- In the Configuration Utility, open the iApp > Templates page.
- Use the page list box to display all Templates on one page.
Questions:
    How many Templates are currently used for Application Services? ________________
    How can you tell that these are system-supplied Templates? __________________________

TASK 2 – View the Properties of an iApp Template
View the properties of the f5.http system-supplied Template.
- On the Template List page select f5.http.
Questions:
    What are the required BIG-IP modules? _______________________
    What is the minimum BIG-IP version? ________________________
    What is the maximum BIG-IP version? ________________________
- View the contents of the Implementation, Presentation, and HTML Help sections.
- Change the first line of the HTML Help section to:

Web server iApp Template

Questions:
    Can you save this change? ________________
    If not, why not? ________________________________________

TASK 3 – Download Updated iApp Templates from F5 Downloads
Access and log in to the F5 Downloads page, then download the updated iApp Templates for v11.3 to your workstation.
- Open the F5 product version download page at https://downloads.f5.com/esd/productlines.jsp.
- Select BIG-IP v11 x / Virtual Edition.
- From the list box select 11.3.0.
- Select iApp-Templates.
- Accept the license agreement.
- Select iapps-1.0.0.8.0.zip.
- Select the best download for your location.
- Save and then unzip the file on your local workstation.
This file contains updated versions of the Exchange 2010 – 2013 Client Access Server and the Citrix XenApp XenDesktop iApp Templates.

TASK 4 – Download a Community-Contributed iApp Template from DevCentral
Access and log in to DevCentral, then find and download a community-contributed iApp Template to your workstation.
- Open a new Web browser and access http://devcentral.f5.com.
- Log in using your DevCentral user account, or create a DevCentral user account.
- On the left navigation menu select iApp.
- On the left navigation menu, select Samples.
- Under the Community-Contributed section, select MySQL Proxy iApp.
- Right-click on the green arrow, and then select Save Target As.
- Save and then unzip the file on your local workstation.
- Close the DevCentral Web page.

TASK 5 – Import iApp Templates Into the BIG-IP
Import iApp Templates into your BIG-IP system.
- In the Configuration Utility, open the iApp > Templates page.
- Click Import.
- Click Browse.
- Navigate to the location where you unzipped the downloaded Template files.
- Select f5.microsoft_exchange_2010_2013_cas.tmpl, and then click Open.
- Leave the Overwrite Existing Templates checkbox cleared and click Upload.
- Repeat the steps above to import mysql_proxy.2011-12-02.tmpl.
- Select the Application Services page, and then click Create.
- From the Templates list, select f5.microsoft_exchange_2010-2013_cas.v1.2.0cr1.
You could now use this iApp Template for an application deployment.
- Create an archive file named 1.12_iApps_v11.4.0.1.