
F5 LTM fullnat mode: test record and configuration

Date: 2022-10-15 18:01:37

Basic information

Topology

[image: f5_toa_top (topology diagram)]

F5 version

Web: Statistics->Dashboard

F5 version and model

tmsh:

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys version 

Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.3
  Build       0.0.11
  Edition     Final
  Date        Thu Apr  8 01:36:32 PDT 2021

Routing configuration

Log in with Safari to https://172.25.78.240/

Username: admin
Password: admin

Configure VLAN

Network->VLANs->Create->enter Name->select Interface->Tagging: select Untagged->Add->Finished

Configure IP

Network->Self IPs->Create->enter Name->enter IP Address->enter Netmask->select the VLAN just created->Finished

Configure route

Network->Routes->Create->enter Name->enter Destination->enter Netmask->enter Gateway Address->Finished

Huawei switch side

#
interface 10GE1/0/13
 undo portswitch
 description to_f5_1-1
 ip binding vpn-instance F5_UP
 ipv6 enable
 ip address 192.168.100.1 255.255.255.0
 ipv6 address 2001::109:2/112
 device transceiver 10GBASE-FIBER
#
ipv6 route-static vpn-instance DCS_UP 2001::108:0 112 2001::109:1

Linux host side

ip -6 addr add 2001::100:1/112 dev eth1
ip route add 192.168.201.0/24 via 10.92.100.1
ip -6 route add 2001::108:0/112 via 2001::100:1

TOA test

Configure profile

## tmsh configuration
create ltm profile tcp option-set tcp-options "{254 last}" 

Profile configuration check

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile tcp option-set
ltm profile tcp option-set {
    app-service none
    tcp-options "{254 last}"
}

Configure iRule

Official tutorial (link)

Local Traffic ->iRules->Create

IPv4

[image: f5_irule_toa4]

when SERVER_INIT {
    scan [IP::client_addr] {%d.%d.%d.%d} a b c d
    # Option payload: 2-byte client port (network order) followed by the 4 IPv4 octets.
    # %04x keeps the port at exactly 4 hex digits; with plain %x a port below 4096
    # yields fewer digits and "binary format H4" pads them on the right, so the
    # receiver would decode a wrong port.
    TCP::option set 254 [binary format H4cccc [format %04x [TCP::client_port]] $a $b $c $d] all
    log local5. "insert ip to tcp option [IP::client_addr]:[TCP::client_port]"
}

IPv6

[image: f5_irule_toa6]

when RULE_INIT {
    # Initialize the array used to expand compressed IPv6 groups to 16 bit
    array set static::ipv6_grp_filler {
        "1" "000"
        "2" "00"
        "3" "0"
        "4" ""
    }
    # Initialize the array used to expand compressed IPv6 addresses to 128 bit
    array set static::ipv6_addr_filler {
        "0"  "0000:0000:0000:0000:0000:0000:0000:0000"
        "5"  "0000:0000:0000:0000:0000:0000:0000"
        "10" "0000:0000:0000:0000:0000:0000"
        "15" "0000:0000:0000:0000:0000"
        "20" "0000:0000:0000:0000"
        "25" "0000:0000:0000"
        "30" "0000:0000"
        "35" "0000"
        "40" ""
    }
    # Initialize the array used to perform an IPv4 (decimal 0-255) to IPv6 (hex 00-FF) conversion.
    for { set i 0 } { $i <= 255 } { incr i } {
        set static::ipv6_dec_map($i) [format %02x $i]
    }

    #
    # Example procedure calls (samples can be removed)
    #

    set input "2001:0001:0022:0333:4444:0:0:0:1%1"
    set output [call compress_ipv6_addr $input]
    log local0.debug "Input: $input Output: $output"

    set input "2001:ef:123::192.168.1.1%2"
    set output [call expand_ipv6_addr $input]
    log local0.debug "Input: $input Output: $output"

}
proc compress_ipv6_addr { addr } {
    # Enumerate and store IPv6 ZoneID / Route Domain suffix
    if { [set id [getfield $addr "%" 2]] ne "" } then {
        set id "%$id"
        set addr [getfield $addr "%" 1]
    }
    # X encode (e.g. :0001 becomes :X1) leading zeros on the individual IPv6 address groups (left orientated searches)
    set addr [string map [list ":0000" ":X"   ":000" ":X"   ":00" ":X"   ":0" ":X"   "|0000" "X"   "|000" "X"   "|00" "X"   "|0" "X" ] "|$addr|"]
    # Restoring the required X encoded zeros (e.g. :X: becomes :0:) while removing any other X encodings and | separators (right orientated searches)
    set addr [string map [list "X:" "0:"   "X|" "0"   "X." "0."   "X" ""   "|" "" ] $addr]
    # Find the longest range of consecutive zero value IPv6 address groups and then replace the most significant groups with the :: notation.
    switch -glob -- $addr {
        "*::*"            { #Already compressed }
        "0:0:0:0:0:0:0:0" { set addr "::" }
        "0:0:0:0:0:0:0:*" { set addr ":[string range $addr 13 end]" }
        "*:0:0:0:0:0:0:0" { set addr "[string range $addr 0 end-13]:" }
        "0:0:0:0:0:0:*"   { set addr ":[string range $addr 11 end]" }
        "*:0:0:0:0:0:0:*" { set addr "[substr $addr 0 ":"]::[findstr $addr ":0:0:0:0:0:0:" 13]" }
        "*:0:0:0:0:0:0"   { set addr "[string range $addr 0 end-11]:" }
        "0:0:0:0:0:*"     { set addr ":[string range $addr 9 end]" }
        "*:0:0:0:0:0:*"   { set addr "[substr $addr 0 ":0:"]::[findstr $addr ":0:0:0:0:0:" 11]" }
        "*:0:0:0:0:0"     { set addr "[string range $addr 0 end-9]:" }
        "0:0:0:0:*"       { set addr ":[string range $addr 7 end]" }
        "*:0:0:0:0:*"     { set addr "[substr $addr 0 ":0:0:"]::[findstr $addr ":0:0:0:0:" 9]" }
        "*:0:0:0:0"       { set addr "[string range $addr 0 end-7]:" }
        "0:0:0:*"         { set addr ":[string range $addr 5 end]" }
        "*:0:0:0:*"       { set addr "[substr $addr 0 ":0:0:0:"]::[findstr $addr ":0:0:0:" 7]" }
        "*:0:0:0"         { set addr "[string range $addr 0 end-5]:" }
        "0:0:*"           { set addr ":[string range $addr 3 end]" }
        "*:0:0:*"         { set addr "[substr $addr 0 ":0:0:"]::[findstr $addr ":0:0:" 5]" }
        "*:0:0"           { set addr "[string range $addr 0 end-3]:" }
    }
    # Append the previously extracted IPv6 ZoneID / Route Domain suffix and return the compressed IPv6 address
    return "$addr$id"
}



proc expand_ipv6_addr { addr } {
    if { [catch {
        # Enumerating and storing IPv6 ZoneID / Route Domain suffix
        if { [set id [getfield $addr "%" 2]] ne "" } then {
            set id "%$id"
            set addr [getfield $addr "%" 1]
        }
        # Parsing the first IPv6 address block of a possible :: notation by splitting the block into : separated IPv6 address groups
        set blk1 ""
        foreach grp [split [getfield $addr "::" 1] ":"] {
            # Check if current group contains a IPv4 address notation
            if { $grp contains "." } then {
                # The current group contains a IPv4 address notation. Trying to extract the four IPv4 address octets
                scan $grp {%d.%d.%d.%d} oct1 oct2 oct3 oct4
                # Convert the four IPv4 address octets into two IPv6 address groups by querying the $static::ipv6_dec_map array
                append blk1 "$static::ipv6_dec_map($oct1)$static::ipv6_dec_map($oct2) $static::ipv6_dec_map($oct3)$static::ipv6_dec_map($oct4) "
                set oct4 ""
            } else {
                # The current group contains just a IPv6 address notation. Filling up the IPv6 address group with leading zeros by querying the $static::ipv6_grp_filler array
                append blk1 "$static::ipv6_grp_filler([string length $grp])$grp "
            }
        }
        # Parsing the second IPv6 address block of a possible :: notation by splitting the block into : IPv6 address separated groups
        set blk2 ""
        foreach grp [split [getfield $addr "::" 2] ":"] {
            # Check if current group contains a IPv4 address notation
            if { $grp contains "." } then {
                # The current group contains a IPv4 address notation. Trying to extract the four IPv4 address octets
                scan $grp {%d.%d.%d.%d} oct1 oct2 oct3 oct4
                # Convert the four IPv4 address octets into two IPv6 address groups by querying the $static::ipv6_dec_map array
                append blk2 "$static::ipv6_dec_map($oct1)$static::ipv6_dec_map($oct2) $static::ipv6_dec_map($oct3)$static::ipv6_dec_map($oct4) "
                set oct4 ""
            } else {
                # The current group contains just a IPv6 address notation. Filling up the IPv6 address group with leading zeros by querying the $static::ipv6_grp_filler array
                append blk2 "$static::ipv6_grp_filler([string length $grp])$grp "
            }
        }
        # Joining the first and second block of the possible :: notation while expanding the address to 128bit length by querying the $static::ipv6_addr_filler array
        set addr "[join "$blk1$static::ipv6_addr_filler([string length "$blk1$blk2"]) $blk2" ":"]"
    }] } then {
        # log local0.debug "errorInfo: [subst \$::errorInfo]"
        # return "errorInfo: [subst \$::errorInfo]"
        return ""
    }
    # Append the previously extracted IPv6 ZoneID / Route Domain suffix and return the expanded IPv6 address notation
    #return "$addr$id"
    return $addr
}

#For v14+, you can insert option in initial SYN

when SERVER_INIT {
    log local5. "The IP address was [IP::client_addr]"
    set ip [IP::client_addr]
    set big6 [call expand_ipv6_addr $ip]
    # expand_ipv6_addr returns "" when it cannot parse the address; skip the
    # insert rather than emit a malformed (port-only) option.
    if { $big6 eq "" } {
        log local5. "could not expand $ip, TOA option not inserted"
        return
    }
    set nosep [string map {: ""} $big6]
    log local5. "ClientIP: $ip big6: $big6 nosep: $nosep"
    log local5. "Client port in hex: [format %04x [TCP::client_port]]"
    # Payload: 2-byte port followed by the 16-byte address. %04x keeps the port at
    # 4 hex digits so the address bytes that follow are not shifted by a nibble.
    TCP::option set 253 [binary format H* [format %04x [TCP::client_port]]$nosep] all
}
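Both iRules above build the option payload as a hex string and hand it to binary format. The Python below is an added example, not code from the original page or from F5: it reproduces that encoding (a 2-byte port in network order followed by the raw 4- or 16-byte address, assuming, as the iRules do, that TCP::option set takes only the payload and TMM adds the kind and length bytes), models Tcl's "binary format H4" padding to show why the port has to be formatted with %04x rather than %x, and walks a constructed SYN options block the way a TOA-aware receiver would. The addresses are the ones used in this test; the options block is constructed.

```python
"""Encode and decode the TOA option payload the way the iRules on this page do.

Assumption (matches the iRules): TCP::option set receives only the option
payload; TMM itself prepends the kind and length bytes on the wire.
"""
import ipaddress
import struct

TOA_KIND_V4 = 254   # kind used by test_toa4
TOA_KIND_V6 = 253   # kind used by test_toa6


def build_toa_payload(client_ip: str, client_port: int) -> bytes:
    """2-byte client port in network order followed by the raw address
    (4 bytes for IPv4, 16 bytes for IPv6): 6 or 18 payload bytes."""
    if not 0 <= client_port <= 0xFFFF:
        raise ValueError("port out of range")
    return struct.pack("!H", client_port) + ipaddress.ip_address(client_ip).packed


def tcl_binary_format_H(hexdigits: str, count: int) -> bytes:
    """Model Tcl's 'binary format H<count>': missing digits are filled with
    zeros on the right (the low nibbles of the last byte), extra digits dropped."""
    digits = hexdigits[:count].ljust(count, "0")
    return bytes.fromhex(digits)


def port_padding_demo(client_port: int) -> tuple:
    """Port as the receiver decodes it when the iRule uses 'format %x'
    (as originally written) versus 'format %04x'."""
    unpadded = tcl_binary_format_H(f"{client_port:x}", 4)
    padded = tcl_binary_format_H(f"{client_port:04x}", 4)
    return struct.unpack("!H", unpadded)[0], struct.unpack("!H", padded)[0]


def decode_toa_payload(payload: bytes) -> tuple:
    """Receiver side: (client_ip, client_port) from a 6- or 18-byte payload."""
    if len(payload) not in (6, 18):
        raise ValueError(f"unexpected TOA payload length {len(payload)}")
    port = struct.unpack("!H", payload[:2])[0]
    return str(ipaddress.ip_address(payload[2:])), port


def parse_tcp_options(options: bytes) -> dict:
    """Walk the TCP options area (kind/len TLVs plus single-byte NOP/EOL) the
    way a TOA-aware receiver would, rejecting malformed lengths instead of
    guessing, and return the kinds seen plus the decoded TOA entry (or None)."""
    seen = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # EOL: nothing follows
            break
        if kind == 1:                       # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad length {length} for option kind {kind}")
        seen[kind] = bytes(options[i + 2:i + length])
        i += length
    toa = None
    for kind in (TOA_KIND_V4, TOA_KIND_V6):
        if kind in seen:
            toa = decode_toa_payload(seen[kind])
    return {"kinds": sorted(seen), "toa": toa}


# Constructed SYN options: MSS 1460, NOP, TOA (kind 254, length 8) carrying
# the client seen in this test (10.92.100.119:52708), then EOL.
SAMPLE_SYN_OPTIONS = (
    b"\x02\x04\x05\xb4"
    + b"\x01"
    + bytes([TOA_KIND_V4, 8]) + build_toa_payload("10.92.100.119", 52708)
    + b"\x00"
)

if __name__ == "__main__":
    print(parse_tcp_options(SAMPLE_SYN_OPTIONS))
    print("port 80 decodes as (%x, %04x):", port_padding_demo(80))
    print(decode_toa_payload(build_toa_payload("2001::100:1", 40000)))
```

The padding demo is the reason the test only appeared to work with %x: Linux ephemeral ports are 32768 and above, so they always produce four hex digits, while a client on a low port would have been logged with a wrong port.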

iRule configuration check

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule test_toa4
ltm rule test_toa4 {
when SERVER_INIT {
scan [IP::client_addr] {%d.%d.%d.%d} a b c d
TCP::option set 254 [binary format H4cccc [format %04x [TCP::client_port]] $a $b $c $d] all
log local5. "insert ip to tcp option [IP::client_addr]:[TCP::client_port]"
}
}
root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule test_toa6
ltm rule test_toa6 {
when RULE_INIT {
    # Initialize the array used to expand compressed IPv6 groups to 16 bit
    array set static::ipv6_grp_filler {
        "1" "000"
        "2" "00"
        "3" "0"
        "4" ""
    }
    ..........

Configure SNAT

Local Traffic ->SNAT Pool List->Create

[image: f5_snat_pool]

Configure pool and VS

Configure pool

Local Traffic->Pools->Create

[image: f5_pool]

Pool configuration check

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm pool
ltm pool test {
    members {
        10.92.128.119:http {
            address 10.92.128.119
            session monitor-enabled
            state up
        }
    }
    monitor tcp
}

Configure VS

Local Traffic->Virtual Servers->Create

[image: f5_vs-1]

[image: f5_vs-2]

[image: f5_vs-3]

VS configuration check

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual test_vs4
ltm virtual test_vs4 {
    creation-time 2021-07-23:02:03:21
    destination 192.168.201.2:http
    ip-protocol tcp
    last-modified-time 2021-07-23:02:10:52
    mask 255.255.255.255
    pool test
    profiles {
        option-set { }
    }
    rules {
        test_toa4
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool a
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 5
}

IPv6 configuration check (the IPv6 VS configuration steps are omitted)

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual testv6
ltm virtual testv6 {
    creation-time 2021-07-22:20:31:35
    destination 2001::108:1.http
    disabled
    ip-protocol tcp
    last-modified-time 2021-07-23:01:46:56
    pool test
    profiles {
        option-set { }
    }
    rules {
        test_toa6
    }
    serverssl-use-sni disabled
    source-address-translation {
        pool a
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 4
}

Client access commands

[root@localhost ~]# curl 192.168.201.2
[root@localhost ~]# curl -g -6 "http://[2001::108:1]:80"

RS-side result (nginx log, IPv4 as the example)

[root@dev227 ~]# tail -f /var/log/nginx/access.log
192.168.202.4 - - [23/Jul/2021:16:03:38 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
10.92.100.119 - - [23/Jul/2021:17:19:53 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
192.168.202.3 - - [23/Jul/2021:17:24:22 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
10.92.100.119 - - [23/Jul/2021:17:24:43 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
192.168.202.4 - - [23/Jul/2021:17:28:21 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
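A quick check from the RS side that the real client address is actually arriving is to look for SNAT addresses in the access log: any line whose client field is a SNAT pool member is a request where the option was missing or not parsed, and for that request the real client is invisible to logging and to any address-based access control. The Python below is an added example, not part of the page; the SNAT addresses and the log lines are constructed from the values in this test.

```python
"""Audit an nginx access log for requests whose client address is a SNAT
address, i.e. requests where the real client IP was not recovered via TOA."""
import ipaddress
import re

# Constructed from the connection table in this test: the SNAT pool members.
SNAT_ADDRESSES = {"192.168.202.2", "192.168.202.3", "192.168.202.4"}

# Constructed sample in the same format as the access.log excerpt above,
# plus one line that does not parse.
SAMPLE_ACCESS_LOG = """\
192.168.202.4 - - [23/Jul/2021:16:03:38 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
10.92.100.119 - - [23/Jul/2021:17:19:53 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
192.168.202.3 - - [23/Jul/2021:17:24:22 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
this line is not in the expected format
"""

# nginx combined format: client ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_access_line(line: str):
    """Return a dict for a combined-format line, or None if the line does not
    parse or its client field is not a valid IPv4/IPv6 address."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None
    return {"ip": ip, "ts": m.group("ts"), "req": m.group("req"),
            "status": int(m.group("status"))}


def audit_access_log(text: str, snat_addresses) -> dict:
    """Split lines into those showing a real client (TOA worked), those showing
    a SNAT address (client identity lost), and lines that did not parse."""
    result = {"real_client": 0, "masked": [], "unparsed": 0}
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            result["unparsed"] += 1
        elif rec["ip"] in snat_addresses:
            result["masked"].append((rec["ts"], rec["ip"], rec["req"]))
        else:
            result["real_client"] += 1
    return result


if __name__ == "__main__":
    report = audit_access_log(SAMPLE_ACCESS_LOG, SNAT_ADDRESSES)
    print(f"real client: {report['real_client']}, unparsed: {report['unparsed']}")
    for ts, ip, req in report["masked"]:
        print(f"masked by SNAT {ip} at {ts}: {req}")
```

Run it against the live access.log after enabling the iRule; a non-empty masked list after that point means the option is not reaching the TOA module for those connections.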

Wireshark decode

[image: f5_rs_toav4_wireshark.png]

[image: f5_rs_toav6_wireshark]

Conclusions:

  • The F5 can translate both the source and the destination IP of packets (fullnat).
  • The option field can be inserted via an iRule, and the option kind (253 or 254) can be specified in the iRule.
  • The TOA module can parse it.
  • Both IPv4 and IPv6 work.

Open questions:

1. Whether an official iRule configuration exists.

2. The performance impact of the iRule.

3. What the profile is for: if the Protocol Profile (Client) has no option-set configured, the option field cannot be found in the packet capture on the RS, but if the profile parameters are set to arbitrary values they do not affect the option kind configured by the iRule.

Basic configuration tests

Health check

Local Traffic->Monitors->Create->Type: select tcp

Modify the interval: minimum 1 s, default 5 s.

Modify the timeout: minimum 1 s, default 16 s.

Load balancing policy

Local Traffic-> Pools->Pool List->select an instance->Members->Load Balancing Method

Policy                  BIG-IP name
Round robin             Round Robin
Weighted round robin    Ratio (member)
Least connections       Least Connection (member)

Source address hash:

Local Traffic->Virtual Servers->Virtual Server List->select an instance->Resources->Default Persistence Profile->source_addr

After the previous session is interrupted, the source-address hash is kept for 15 s.

Idle timeout for long-lived connections

Local Traffic->Profile->tcp->Type: select tcp->select an instance->Timer Management->Custom->Idle Timeout->change the value

Default 300 s.

Session synchronization

It is only either enabled or disabled; when enabled, all sessions are synchronized immediately, even when the TCP three-way handshake has not completed.

It can be enabled in HA mode; related documentation: Managing Connection Mirroring

Effect: first a traffic-group-1 is needed with two devices in the group, Bigip_A and Bigip_C; when Bigip_A becomes unavailable, Bigip_C in the group becomes active and keeps forwarding the existing connections. Suitable for long-lived applications such as FTP and Telnet.

Scope: VS, SNAT, persistence profile

Steps to enable:

1. Configure a mirroring address: Device Management > Devices > Device Connectivity > Mirroring > Primary Local Mirror Address > VLAN HA

2. Enable session mirroring for each VS: Local Traffic > Virtual Servers > Configuration > Advanced > Connection Mirroring > Update

3. Configure persistence mirroring: Local Traffic > Profiles > Persistence > Mirror Persistence

Log

Web: System > Logs : System

HA configuration

High Availability (HA) Failover

Connection table output

[root@test:Active:Standalone] config # tmsh 
root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys connection cs-server-port 80
Sys::Connections
10.92.100.119:52708  192.168.201.2:80  192.168.202.2:11793  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
10.92.100.119:52706  192.168.201.2:80  192.168.202.3:15589  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
10.92.100.119:52704  192.168.201.2:80  192.168.202.4:43873  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
Total records returned: 3
root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# 
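The connection table lists both sides of every flow, which makes it the simplest place to verify that fullnat is really in effect. The Python below is an added example, not code from the page or from F5: it parses show sys connection output into client-side and server-side endpoint pairs and flags any flow whose server-side source is not a SNAT pool address or whose destination was not translated. The records are constructed from the output above, plus one deliberately untranslated flow so the check has something to report.

```python
"""Parse 'tmsh show sys connection' output and verify each flow is fullnat:
the server-side source must be a SNAT address and the destination must have
been translated from the VS to a pool member."""
import re
from ipaddress import ip_address

# client-side client, client-side server, server-side client, server-side
# server, protocol, idle time, tmm
CONN_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)\s+\(tmm: (\d+)\)"
)

# Constructed: three records in the format shown above plus one where the
# source was left untranslated.
SAMPLE_CONNECTIONS = """\
Sys::Connections
10.92.100.119:52708  192.168.201.2:80  192.168.202.2:11793  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
10.92.100.119:52706  192.168.201.2:80  192.168.202.3:15589  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
10.92.100.119:52704  192.168.201.2:80  192.168.202.4:43873  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
10.92.100.118:40000  192.168.201.2:80  10.92.100.118:40000  10.92.128.119:81  tcp  3  (tmm: 0)  none  none
Total records returned: 4
"""

# Constructed: the SNAT pool members used in this test.
SNAT_ADDRESSES = {"192.168.202.2", "192.168.202.3", "192.168.202.4"}


def split_endpoint(ep: str) -> tuple:
    """'host:port' for IPv4; BIG-IP prints IPv6 endpoints as 'addr.port'."""
    if ep.count(":") > 1:
        host, _, port = ep.rpartition(".")
    else:
        host, _, port = ep.rpartition(":")
    return str(ip_address(host)), int(port)


def parse_connections(text: str) -> list:
    """Return one dict per connection record; header and trailer lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        cs_client, cs_server, ss_client, ss_server, proto, age, tmm = m.groups()
        flows.append({
            "cs_client": split_endpoint(cs_client),   # real client -> VS
            "cs_server": split_endpoint(cs_server),
            "ss_client": split_endpoint(ss_client),   # SNAT address -> pool member
            "ss_server": split_endpoint(ss_server),
            "proto": proto, "age": int(age), "tmm": int(tmm),
        })
    return flows


def check_fullnat(flows, snat_addresses) -> list:
    """(index, reason) for every flow that is not fully translated."""
    issues = []
    for i, f in enumerate(flows):
        if f["ss_client"][0] not in snat_addresses:
            issues.append((i, "server-side source is not a SNAT address"))
        if f["ss_server"] == f["cs_server"]:
            issues.append((i, "destination not translated"))
    return issues


if __name__ == "__main__":
    flows = parse_connections(SAMPLE_CONNECTIONS)
    for i, reason in check_fullnat(flows, SNAT_ADDRESSES):
        print(f"flow {i} {flows[i]['cs_client']}: {reason}")
```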

Commands used for testing

kill -9 `ps -ef |grep 'nc 192'|grep -v grep|awk '{print $2}'`
kill -9 `ps -ef |grep 'nc 192'|grep -v grep|awk '{print $2}'|head -n 35`
ip addr add 10.92.100.118/24 dev eth1
ip addr add 10.92.100.117/24 dev eth1
ip addr add 10.92.100.116/24 dev eth1
ip addr add 10.92.100.115/24 dev eth1
ip addr add 10.92.100.114/24 dev eth1
ip addr add 10.92.100.113/24 dev eth1
ip addr add 10.92.100.112/24 dev eth1
ip addr add 10.92.100.111/24 dev eth1

ip addr add 10.92.100.109/24 dev eth1
ip addr add 10.92.100.108/24 dev eth1
ip addr add 10.92.100.107/24 dev eth1
ip addr add 10.92.100.106/24 dev eth1
ip addr add 10.92.100.105/24 dev eth1
ip addr add 10.92.100.104/24 dev eth1
ip addr add 10.92.100.103/24 dev eth1
ip addr add 10.92.100.102/24 dev eth1
ip addr add 10.92.100.101/24 dev eth1


nc -k -l -p 80 &
nc -k -l -p 81 &
nc -k -l -p 82 &
nc -k -l -p 83 &
while true;do echo `netstat -nt|grep 10.92.128.119:80 |wc -l` `netstat -nt|grep 10.92.128.119:81 |wc -l` `netstat -nt|grep 10.92.128.119:82 |wc -l` `netstat -nt|grep 10.92.128.119:83 |wc -l` date ;sleep 1  ;done

for i in `seq 100`;do echo 1 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 2 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 3 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 4 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 5 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 6 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 7 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 8 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 9 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 10 $i `date`;sleep 1;done | nc 192.168.201.2 80 &

for i in `seq 10000`;do echo 1 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.101 &
for i in `seq 10000`;do echo 2 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.102 &
for i in `seq 10000`;do echo 3 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.103 &
for i in `seq 10000`;do echo 4 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.104 &
for i in `seq 10000`;do echo 5 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.105 &
for i in `seq 10000`;do echo 6 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.106 &
for i in `seq 10000`;do echo 7 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.107 &
for i in `seq 10000`;do echo 8 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.108 &
for i in `seq 10000`;do echo 9 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.109 &

## F5
F5 V11 TMSH command manual
View the current system configuration:
# show running-config
# show running-config /net interface
# show running-config /ltm pool
Save the base config:
# save /sys base-config
Load the base config:
# load /sys base-config
Save the system config:
# save /sys config
Load the system config:
# load /sys config
# tmsh load sys config default    ## V11: restore the factory default configuration
View network configuration:
# list /net vlan
# list /net interface
# list /net arp
# list /net route
# list /net self
# list /net self-allow
# list /net trunk
# list /ltm pool               view pool configuration
# list /ltm pool [http-pool]
# list /ltm virtual            view VS configuration
# list /ltm virtual-address
View /sys configuration:
# list /sys db
# list /sys httpd allow
# list /sys management-ip (management port address)
# list /sys management-route (management port routes)
# list /sys ntp (NTP configuration)
# list /sys provision (module provisioning status)
# list /sys service (service status)
# list /sys snmp (SNMP configuration)
# list /sys syslog (syslog configuration)
show /net commands:
# show /cli history (command-line history)
# show /net arp (ARP table)
# show /net interface (per-interface traffic statistics)
# show /net route (routing table)
# show /net vlan (per-VLAN traffic statistics)
# show /net vlan-group
# show /net trunk (trunk traffic statistics)
show /sys commands:
# show /sys config-sync (configuration sync status)
# show /sys connection
# show /sys connection | grep 1026  # check HA status; entries appearing in pairs is normal
      ### 1.1.1.2:53527  1.1.1.1:1026  1.1.1.2:53527  1.1.1.1:1026  udp  0  (tmm: 1)  none
      ### 1.1.1.1:48582  1.1.1.2:1026  1.1.1.1:4538   1.1.1.2:1026  udp  0  (tmm: 0)  none
# show /sys console (serial console baud rate)
# show /sys cpu
# show /sys hardware (hardware information)
# show /sys host-info
# show /sys raid (disk RAID status)
# show /sys performance system (overall system performance)
# show /sys software (overall software information)
# show /sys ip-address (all system IP addresses, including VS and pool addresses)
# show /sys ip-address all-properties (address information including properties)
# show /sys license (license summary)
# show /sys license detail
# show /sys log ltm (system log)
# show /sys mac-address (all MAC addresses on the system)
# show /sys mcp-state (MCP running state)
# show /sys memory (memory statistics)
# show /sys ucs (saved UCS file names)
# show /sys version (software version)
# show /sys software (software version)
#############################################
# Add addresses to a SNAT pool
# tmsh
# ltm-->snat
# create snatpool my_snat_pool1 members add { 11.12.11.24 11.12.11.25 }
#############################################
Export/import configuration
# tmsh save sys ucs test.ucs
# /var/local/ucs (UCS directory)
# tmsh load /sys ucs xxxx.ucs no-license (import configuration, V11)
# load /sys ucs xxxx.ucs rma           (v10: the trick is that "rma" does not restore the certificate, so the license does not need re-activation)
# save /sys config
# tmsh load sys ucs [ucs file name] no-platform-check no-license
save /sys config
(tmos.ltm)# show persistence persist-records all-properties       (view the persistence table)
          # tmsh show ltm persistence persist-records | grep 8.32 (view the persistence table)
(tmos.ltm)# delete persistence persist-records                     (delete persistence records)
Using help:
# help /net
# help /net vlan
Shortcut keys:
Ctrl + C (abandon the command being typed)
Ctrl + A (move the cursor to the beginning of the line)
Test commands available in tmsh:
# run util ping 1.1.1.1 (ping)
# run util tcpdump (packet capture)
# run util tracepath 1.1.1.1 (tracepath)
Create and delete a pool:
# create /ltm pool [abc]
# delete /ltm pool [abc]
Edit an iRule:
# edit /ltm rule [replace-302]
Install the operating system and hotfixes:
##################################################################################
# Upload the image to /shared/images
# Install a system image / hotfix:
# install sys software image BIGIP-10.0.0.5376.0.iso volume HD1.2
# install hotfix Hotfix-BIGIP-9.6.1-824.0-HF3.im volume HD1.1
# Check installation progress:
## root@(big-ip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# quit
## [root@big-ip1:Active:Standalone] images # watch tmsh show sys software status
##################################################################################
Reset pool / VS statistics:
# reset-stats /ltm pool
# reset-stats /ltm pool [http-pool]
# reset-stats /ltm virtual
# reset-stats /ltm virtual [vs-test-80]
Start, stop, restart a system service:
# start /sys service [snmpd]
# stop /sys service [snmpd]
# restart /sys service [snmpd]
# bigstart status snmpd   (check the process status)
Define and delete aliases:
# create /cli alias [xx] command ["save /sys config"]
# delete /cli alias [xx]
Create a pool and add pool members:
# create /ltm pool [abc] members add { 9.9.9.9:http 7.7.7.7:http }
Add a health monitor to the pool:
# modify /ltm pool [abc] monitor http
# modify /ltm pool [abc] monitor http and https
# modify /ltm pool [abc] monitor none
Create a VS with source-address persistence and a default pool:
# create /ltm virtual abcd { destination 6.6.6.6:http persist replace-all-with { source_addr } pool a }
quit: exit tmos
ifconfig: show all IP addresses
SecureCRT SFTP
sftp> cd /var/log    # remote directory
sftp> lcd c:\        # local directory
sftp> get ltm        # fetch the ltm log
tcpdump -i eth1 -w /tmp/xxx.cap
# Modify syslog
# modify /sys syslog remote-servers delete { XX }
Log in to the device on the command line,
enter: tmsh
enter: edit sys syslog all-properties
change "include none" to
include "
    filter f_remote_loghost {
       level(notice..emerg);
       };
       destination d_remote_loghost {
       udp(\"145.0.132.11\" port(514));
       udp(\"145.0.131.11\" port(514));
       udp(\"145.0.133.11\" port(514));
       };
       log {
       source(s_syslog_pipe);
       filter(f_remote_loghost);
       destination(d_remote_loghost);
    };
"
# Save the configuration
save sys ucs config.ucs
# Configure a management route
create sys management-route NTP_192168882 network 192.168.88.2/32 gateway 192.168.122.1
# View management routes
list sys  management-route


Capturing both sides of a VS

tcpdump -s0 -nni 0.0:nnnp host 12.207.208.160 or 12.207.208.161 or 12.207.208.224 or 12.207.208.225 -C 400 -W 25 -vvw /shared/capture/chucksum.pcap
# Run on the F5: captures the client-side and server-side packets on the TMM and includes the detailed F5-specific data.
# 400 MB per file, 25 files in rotation, about 10 GB of disk; each file covers roughly 10 s.
# 0.0 means all traffic; the "nnn" suffix selects the level of detail and "p" shows the flow before and after NAT.

tcpdump -i eth0 -nn -C 10 -W 5 -vvw a.pcap ## -C: start a new file every 10 MB; -W: keep 5 files in rotation
tcpdump -i eth0 -nn -G 60  -vvw a.pcap ## -G: rotate the file every 60 s (give the file name a strftime pattern such as a-%s.pcap, otherwise each rotation overwrites the previous file)

Related F5 articles: Capturing internal TMM information with tcpdump; F5 Specific tcpdump Switches; Overview of packet tracing with the tcpdump utility

Checking optical module signal attenuation (DDM)

tmsh list sys db ddm.bcm56xxd.enable
tmsh modify sys db ddm.bcm56xxd.enable value <enable | disable>
tmsh show net interface-ddm <interface_key>
zgrep -i ddm /var/log/ltm* ## view DDM log messages

Configuration backup script

name=`/sbin/ifconfig mgmt |grep -w inet|awk -F ' ' '{print $2}'`
mv /var/local/ucs/${name}.ucs /var/local/ucs/${name}.ucs.bak
/bin/tmsh save sys ucs ${name}.ucs
riqi=`/bin/date +%Y%m%d`
/bin/tftp -m binary 192.168.8.2 -c put /var/local/ucs/${name}.ucs ${riqi}/${name}.ucs
/bin/tftp -m binary 192.168.8.3 -c put /var/local/ucs/${name}.ucs ${riqi}/${name}.ucs
# On the F5 device: save the script as /config/tftp_save_ucs/tftp_put_ucs.sh and schedule it
mkdir tftp_save_ucs
chmod +x tftp_put_ucs.sh
crontab -e
0 17 * * * sh /config/tftp_save_ucs/tftp_put_ucs.sh

Note:

When using tftp as the transfer server, the file arriving on the server had a different size (larger) and a different md5 than the original, although no difference in content was visible by eye. Looking into it: there are two transfer modes, ASCII and binary.

The difference between ASCII mode and binary mode is the handling of line endings: binary mode does not touch the data at all, while ASCII mode converts line endings to the local host's convention, i.e. \n on UNIX, \r\n on Windows and \r on (classic) Mac.

Related articles: Fixing file size changes after FTP upload; Why a file transferred over FTP differs in size from the original

Since the F5 UCS is a binary file, binary mode is recommended. Command:

tftp  -m binary 192.168.8.3 -c put o.l 20210928/o.l

If the error "Transfer timed out." appears, it is usually caused by the management port security policy; allow the specific policy under System ›› Platform ›› Security: Management Port, or open it completely.

Username/password hash

When automating, the username and password need to be hashed together as a single unit; use this method.

LACP configuration for trunk interfaces

LACP mode

The LACP Mode setting appears on the Trunks screen only when you select the LACP setting. You use the LACP Mode setting to specify the method that LACP uses to send control packets to the peer system. The two possible modes are:

  • Active mode

    You specify Active mode if you want the system to periodically send control packets, regardless of whether the peer system has issued a request. This is the default setting.

  • Passive mode

    You specify Passive mode if you want the system to send control packets only when the peer system issues a request, that is, when the LACP mode of the peer system is set to Active.

If you set only one of the peer systems to Active mode, the BIG-IP system uses Active mode for both systems. Also, whenever you change the LACP mode on a trunk, LACP renegotiates the links that it uses for aggregation on that trunk.

Tip: We recommend that you set the LACP mode to Passive on one peer system only. If you set both systems to Passive mode, LACP does not send control packets.

Performance test

Limited by the test environment (only one shared client device was available for load testing), the result was 2.1w (21,000) CPS.

The production F5 currently has a bit over 5000 concurrent connections.

According to the vendor's performance report: L4 throughput 80G/s, up to 68w (680,000) new connections per second, up to 4800w (48 million) concurrent connections.

[Test report from the Information Industry Information Security Evaluation Center - BIG-IP i5600.pdf]

References

Unofficial: F5 source address insertion using TCP::OPTION; F5 load balancing BIG-IP system iRules basic concepts_v11.6.1; Configure F5 with High Speed Logging for Splunk

Official: Accessing TCP Options from iRules; TCP::option; Managing Local Traffic Profiles; Common iControl REST API command examples; Dynamic Routing; Digital Diagnostics Monitoring DDM (## checking optical module attenuation)

Vendor Q&A

1. How should a profile be understood and what does it do? Please explain in detail. [A protocol configuration file; it allows the default TCP attributes, such as idle time, to be modified.]
2. In the command create ltm profile tcp option-set tcp-options "{254 last}", why does writing 253 or 254 have no effect on the option kind? From the packets received on the RS, the option kind depends only on the iRule. If the profile parameters are set arbitrarily, what problems could that cause? [A support case had to be opened; in the end no satisfactory explanation was obtained and the question was dropped.]
3. What is TMM? Please explain in detail. The documentation says "TMM memory is managed exclusively by TMM, and the rest of memory is managed by the Linux kernel"; what does "the rest" refer to? [The F5 base is Linux; TMM is F5's own management system, so memory management is split into two parts; mainly watch the TMM memory changes.]
4. Are there logs for pool members (RS) going up and down? [Yes, in the log; can be used together with syslog.]
5. Are active/standby and active/active the only architectures? Is there a cluster mode, and how is horizontal scaling handled? [Use active/standby with connection mirroring enabled; for horizontal scaling use an n+m architecture.]
6. Specific use cases and architecture for VRF. [vCMP virtualization splits one F5 into multiple virtual F5s (58 and above); route domains achieve the VRF effect.]
7. During F5 concurrency testing, 4 concurrent requests took about 0-1 s, but at 5 concurrent requests the time rose to about 4-5 s. In grouped tests with 4 requests per group, the first group took 0-1 s but from the second group on there was a wait of about 4 s (all requests had already been sent). This makes concurrent requests take almost as long as serial ones; is this an F5 configuration issue or something else, and can the waiting time be reduced? [The control plane is simply slow; that is a fact. Configuration should be pushed serially; concurrent pushes can produce unknown errors and even take the interface down.]
8. If traffic is forced to the standby unit, does the standby process and forward it? [It does not process the traffic.]
10. Can connection mirroring synchronize only the session table without synchronizing the traffic? [No: if session synchronization is enabled the traffic must be synchronized as well; it is designed that way and cannot be changed.]

From: https://blog.51cto.com/u_9346709/5759236