Implementations
Version 10.1
MAN-0293-01
Product Version
This manual applies to version 10.1 of the BIG-IP product family.
Publication Date
This guide was published on December 14, 2009.
Legal Notices
Copyright
Copyright 2009, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Access Policy Manager, APM, Acopia, Acopia Networks,
Application Accelerator, Ask F5, Application Security Manager, ASM, ARX, Data Guard, Enterprise
Manager, EM, FirePass, FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser
Referencing, Internet Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local
Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity,
Protocol Security Module, PSM, SSL Accelerator, SYN Check, TMOS, Traffic Management Operating
System, TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WAN Optimization Module,
WOM, WANJet, WebAccelerator, WA, and ZoneRunner are trademarks or service marks of F5 Networks,
Inc., in the U.S. and other countries, and may not be used without F5's express written consent.
Patents
This product is protected by U.S. Patents 6,374,300; 6,473,802; 6,970,933; 7,051,126; 7,102,996; 7,146,354;
7,197,661; 7,206,282; 7,287,084. Other patents pending.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which
case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant
to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This unit generates, uses, and
can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,
may cause harmful interference to radio communications. Operation of this equipment in a residential area
is likely to cause harmful interference, in which case the user, at his own expense, will be required to take
whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's
authority to operate this equipment under part 15 of the FCC rules.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to
Information Technology products at the time of manufacture.
Acknowledgments
This product includes software developed by Bill Paul.
This product includes software developed by Jonathan Stone.
This product includes software developed by Manuel Bouyer.
This product includes software developed by Paul Richards.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by the Politecnico di Torino, and its contributors.
This product includes software developed by the Swedish Institute of Computer Science and its
contributors.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence
Berkeley Laboratory.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by the University of Vermont and State Agricultural College and
Garrett A. Wollman.
This product includes software developed by Balazs Scheidler <bazsi@balabit.hu>, which is protected
under the GNU Public License.
This product includes software developed by Niels Mueller <nisse@lysator.liu.se>, which is protected
under the GNU Public License.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was
developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems.
"Similar operating systems" includes mainly non-profit oriented systems for research and education,
including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).
This product includes software developed by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/).
This product includes software licensed from Richard H. Porter under the GNU Library General Public
License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License
(© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current
standard version of Perl at http://www.perl.com.
This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product contains software based on oprofile, which is protected under the GNU Public License.
This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html)
and licensed under the GNU General Public License.
This product contains software licensed from Dr. Brian Gladman under the GNU General Public License
(GPL).
This product includes software developed by the Apache Software Foundation <http://www.apache.org/>.
This product includes Hypersonic SQL.
This product contains software developed by the Regents of the University of California, Sun
Microsystems, Inc., Scriptics Corporation, and others.
This product includes software developed by the Internet Software Consortium.
This product includes software developed by Nominum, Inc. (http://www.nominum.com).
This product contains software developed by Broadcom Corporation, which is protected under the GNU
Public License.
This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser
General Public License, as published by the Free Software Foundation.
This product includes the GeoPoint Database developed by Quova, Inc. and its contributors.
Table of Contents
1
Introducing Implementations for BIG-IP Local Traffic Manager
Introducing BIG-IP system implementations ............................................................................1-1
Getting started .......................................................................................................................1-1
Using the Configuration utility ............................................................................................1-1
About this guide ..............................................................................................................................1-2
Additional information ..........................................................................................................1-2
Stylistic conventions ..............................................................................................................1-3
Finding help and technical support resources ..........................................................................1-5
2
Configuring nPath Routing
Introducing nPath routing .............................................................................................................2-1
Configuring nPath routing .............................................................................................................2-2
Creating a custom Fast L4 profile ......................................................................................2-3
Creating a server pool for nPath routing .........................................................................2-4
Creating a virtual server ......................................................................................................2-4
Configuring the virtual server on the content server loopback interface ................2-5
Setting the route for inbound traffic .................................................................................2-5
Enabling the connection.autolasthop bigdb key ..............................................................2-5
Setting timers for nPath configurations .....................................................................................2-6
Guidelines for configuring timeouts for UDP traffic .....................................................2-6
Guidelines for configuring timeouts for TCP traffic ......................................................2-6
3
Basic Web Site and E-Commerce Configuration
Working with a basic web site and e-commerce configuration ..........................................3-1
Configuring a basic e-commerce site .........................................................................................3-2
Creating load balancing pools .............................................................................................3-2
Creating virtual servers ........................................................................................................3-3
4
Installing a BIG-IP System without Changing the IP Network
Installing a BIG-IP system without changing IP networks ......................................................4-1
Configuring the BIG-IP system for the same IP network ......................................................4-3
Removing the self IP addresses from the individual VLANs ........................................4-3
Creating a VLAN group .......................................................................................................4-4
Creating a self IP address for the VLAN group ..............................................................4-5
Creating a pool of web servers ..........................................................................................4-5
Creating a virtual server ......................................................................................................4-6
5
Web Hosting for Multiple Customers
Introducing multiple customer hosting ......................................................................................5-1
Hosting multiple customers using an external switch ............................................................5-2
Creating VLANs with tagged interfaces ...........................................................................5-2
Creating load balancing pools .............................................................................................5-3
Creating virtual servers ........................................................................................................5-3
Directly hosting multiple customers ..........................................................................................5-5
Creating VLANs with untagged interfaces .......................................................................5-6
6
Web Hosting for Multiple Customers Using Route Domains
Introduction .....................................................................................................................................6-1
Prerequisite information ...............................................................................................................6-1
Implementing route domains ........................................................................................................6-2
Sample route domain implementation .......................................................................................6-6
For more information ....................................................................................................................6-8
7
A Simple Intranet Configuration
Working with a simple intranet configuration .........................................................................7-1
Creating the simple intranet configuration ...............................................................................7-2
Creating pools ........................................................................................................................7-2
Creating virtual servers ........................................................................................................7-3
8
Load Balancing ISPs
Introducing ISP load balancing ......................................................................................................8-1
Configuring ISP load balancing .....................................................................................................8-2
Creating pools for an additional Internet connection ...................................................8-2
Creating virtual servers for an additional Internet connection ..................................8-3
Configuring address translation for outbound traffic .............................................................8-5
9
Load Balancing HTTP Traffic with Source Address Affinity Persistence
Introducing basic HTTP load balancing ......................................................................................9-1
Configuring HTTP load balancing with source address affinity persistence ......................9-2
Creating a pool .......................................................................................................................9-2
Creating a virtual server ......................................................................................................9-3
10
Load Balancing HTTP Traffic with Cookie Persistence
Introducing basic HTTP load balancing ................................................................................... 10-1
Configuring HTTP load balancing with cookie persistence ............................................... 10-2
Creating a custom persistence profile ........................................................................... 10-2
Creating a pool .................................................................................................................... 10-3
Creating a virtual server ................................................................................................... 10-3
11
Compressing HTTP Responses
Introducing HTTP data compression ...................................................................................... 11-1
Creating a custom HTTP profile .............................................................................................. 11-2
Creating a virtual server ............................................................................................................. 11-3
12
Configuring HTTPS Load Balancing
Introducing HTTPS load balancing ........................................................................................... 12-1
Creating an SSL key and certificate ......................................................................................... 12-2
Creating a custom SSL profile ................................................................................................... 12-4
Creating a pool ............................................................................................................................. 12-6
Creating a virtual server ............................................................................................................. 12-7
13
Configuring HTTPS Load Balancing with Data Compression
Introducing HTTPS load balancing with compression ......................................................... 13-1
Creating an SSL key and certificate ......................................................................................... 13-2
Creating a custom Client SSL profile ...................................................................................... 13-4
Creating a custom HTTP profile for compression .............................................................. 13-5
Creating a pool ............................................................................................................................. 13-7
Creating a virtual server ............................................................................................................. 13-8
14
Using RAM Cache for HTTP Traffic
Introducing HTTP RAM Cache ................................................................................................. 14-1
Creating a custom HTTP profile .............................................................................................. 14-2
Creating a virtual server ............................................................................................................. 14-3
15
Load Balancing Passive Mode FTP Traffic
Introducing FTP load balancing ................................................................................................. 15-1
Creating a custom FTP monitor ............................................................................................... 15-2
Creating a pool ............................................................................................................................. 15-3
Creating a virtual server ............................................................................................................. 15-4
16
Load Balancing Passive Mode FTP Traffic with Rate Shaping
Introducing FTP load balancing with rate shaping ................................................................ 16-1
Creating a custom FTP monitor ............................................................................................... 16-2
Creating a pool ............................................................................................................................. 16-3
Creating a rate class .................................................................................................................... 16-4
Creating a virtual server ............................................................................................................. 16-5
17
Setting up a One-IP Network Topology
Introducing the one-IP network topology ............................................................................. 17-1
Creating a pool for a one-IP network topology ................................................................... 17-2
Creating a virtual server ............................................................................................................. 17-3
Defining a default route .............................................................................................................. 17-4
Configuring a client SNAT ......................................................................................................... 17-5
18
Using Link Aggregation with Tagged VLANs
Introducing link aggregation with tagged VLAN interfaces ................................................ 18-1
Using the two-network aggregated tagged interface topology ......................................... 18-2
Aggregating the links .......................................................................................................... 18-3
Assigning a trunk to the VLANs ...................................................................................... 18-3
Creating a pool of web servers to load balance .......................................................... 18-4
Creating a virtual server to load balance the web servers ....................................... 18-5
Using the one-network aggregated tagged interface topology ......................................... 18-6
Removing the self IP addresses from the VLANs ....................................................... 18-7
Creating a VLAN group .................................................................................................... 18-7
Creating a self IP for the VLAN group .......................................................................... 18-8
19
Setting Up Packet Filtering
Introducing packet filtering ........................................................................................................ 19-1
Configuring packet filtering ........................................................................................................ 19-2
Creating a SNAT ................................................................................................................. 19-2
Creating a gateway pool .................................................................................................... 19-2
Creating a forwarding virtual server .............................................................................. 19-3
Creating a packet filter rule ............................................................................................. 19-4
20
Implementing Health and Performance Monitors
Introducing health and performance monitors ..................................................................... 20-1
Creating a custom monitor ....................................................................................................... 20-3
Creating a pool ............................................................................................................................. 20-4
Assigning a monitor to a pool .......................................................................................... 20-4
Excluding a pool member from a monitor .................................................................... 20-5
Creating a virtual server ............................................................................................................. 20-6
21
Load Balancing Traffic to IPv6 Nodes
Configuring the radvd service ................................................................................................... 21-1
Configuring IPv4-to-IPv6 load balancing ................................................................................. 21-2
Creating a pool of IPv6 nodes ......................................................................................... 21-2
Creating a virtual server ................................................................................................... 21-3
22
Mitigating Denial of Service and Other Attacks
Basic denial of service security overview ............................................................................... 22-1
Configuring adaptive connection reaping ............................................................................... 22-2
Logging adaptive reaper activity ...................................................................................... 22-3
Simple DoS prevention configuration ..................................................................................... 22-4
Setting the TCP and UDP connection timers .............................................................. 22-4
Creating an IP rate class and applying it to a virtual server ...................................... 22-5
Setting connection limits on the main virtual server .................................................. 22-6
Filtering out attacks with iRules ............................................................................................... 22-7
Filtering out a Code Red attack ...................................................................................... 22-7
Filtering out a Nimda attack ............................................................................................. 22-7
How the BIG-IP system handles several common attacks ................................................. 22-8
SYN flood ............................................................................................................................. 22-8
ICMP flood (Smurf) ............................................................................................................ 22-9
UDP flood ............................................................................................................................. 22-9
UDP fragment .................................................................................................................... 22-10
Ping of Death ..................................................................................................................... 22-10
Land attack ......................................................................................................................... 22-10
Teardrop ............................................................................................................................. 22-11
Data attacks ....................................................................................................................... 22-11
WinNuke ............................................................................................................................ 22-11
Sub 7 .................................................................................................................................... 22-11
Back Orifice ........................................................................................................................ 22-12
23
Configuring Administrative Partitions to Control User Access
Introducing administrative partitions ....................................................................................... 23-1
Creating a partition ..................................................................................................................... 23-2
Configuring user access to a partition .................................................................................... 23-3
Viewing, managing, and creating objects in a partition ........................................................ 23-4
Viewing and managing system objects ........................................................................... 23-4
Creating BIG-IP system objects ....................................................................................... 23-5
24
Configuring Remote Authentication and Authorization for Administrative Traffic
Introducing remote authentication and authorization for BIG-IP system user accounts .................... 24-1
Configuring the BIG-IP system to use remote authentication of user accounts .......... 24-2
Configuring access control for BIG-IP system users ........................................................... 24-6
Understanding the remoterole command .................................................................... 24-7
Using the remote role command .................................................................................... 24-7
Using variable substitution ................................................................................................ 24-8
Propagating remote authentication and authorization data to multiple BIG-IP devices ..................... 24-11
25
Configuring Remote Authentication for Application Traffic
Introducing remote authentication for application traffic .................................................. 25-1
Configuring authentication that uses a remote LDAP or Active Directory server ..... 25-2
Creating an LDAP configuration object ........................................................................ 25-2
Creating an LDAP authentication profile ...................................................................... 25-6
Modifying a virtual server for LDAP authentication ................................................... 25-6
Configuring authentication that uses a remote RADIUS server ....................................... 25-8
Creating a RADIUS server object ................................................................................... 25-8
Creating a RADIUS configuration object ...................................................................... 25-9
Creating a RADIUS profile ............................................................................................. 25-10
Modifying a virtual server for RADIUS authentication ............................................ 25-10
Configuring authentication that uses a remote TACACS+ server ................................ 25-12
Creating a TACACS+ configuration object ................................................................ 25-12
Creating a TACACS+ profile ......................................................................................... 25-13
Modifying a virtual server for TACACS+ authentication ........................................ 25-14
26
Configuring Kerberos Delegation
Introducing Kerberos delegation infrastructure ................................................................... 26-1
Configuring the BIG-IP system for Kerberos delegation .................................................... 26-2
Adding a DNS server to the BIG-IP system ................................................................. 26-2
Joining the BIG-IP system to the trusted domain ........................................................ 26-3
Creating the Kerberos delegation configuration .................................................................. 26-4
Configuring Kerberos delegation using the Configuration utility ............................ 26-4
Configuring Kerberos delegation from the command line ....................................... 26-7
Authenticating Client Traffic ..................................................................................................... 26-9
27
Configuring Multiple Authentication Servers
Introducing multiple authentication server configuration .................................................. 27-1
Meeting prerequisites .................................................................................................................. 27-2
Configuring BIG-IP system objects .......................................................................................... 27-2
28
Load Balancing Diameter Application Requests
Introducing Diameter load balancing ....................................................................................... 28-1
Creating a custom Diameter profile ........................................................................................ 28-2
Creating a custom Diameter monitor .................................................................................... 28-2
Creating a Diameter load balancing pool ............................................................................... 28-3
Creating a virtual server for Diameter traffic ....................................................................... 28-3
Glossary
Index
1
Introducing Implementations for BIG-IP
Local Traffic Manager
Getting started
Before you begin implementing a solution in this guide, we recommend that
you familiarize yourself with additional resources such as other BIG-IP
system guides and online help, and review the stylistic conventions that
appear in this chapter. For more information, see About this guide, on page
1-2.
Then, we recommend that you run the Setup utility on the BIG-IP system to
configure basic network elements such as static and floating self IP
addresses, interfaces, and VLANs. After running the Setup utility,
you can use this guide to implement specific configuration scenarios. For
information on running the Setup utility, see BIG-IP Systems: Getting
Started Guide.
1-1
Chapter 1
Additional information
In addition to this guide, there are other sources of documentation you
can use in order to work with the BIG-IP system. The following guides are
available in PDF format from the Ask F5 web site,
http://support.f5.com:
Stylistic conventions
To help you easily identify and understand important information, all of our
documentation uses the stylistic conventions described here.
or
b self <ip_Address> show
...
Description: Indicates that the command continues on the following line, and that users should type the entire
command without typing a line break.
< >
Description: Identifies a user-defined parameter. For example, if the command has <your name>, type in your
name, but do not include the brackets.
[]
2
Configuring nPath Routing
Note
The type of virtual server that processes the incoming traffic must be a
transparent, non-translating type of virtual server.
In bypassing the BIG-IP system on the return path, nPath routing departs
significantly from a typical load-balancing configuration. In a typical
load-balancing configuration, the destination address of the incoming packet
is translated from that of the virtual server to that of the server being load
balanced to, which then becomes the source address of the returning packet.
A default route set to the BIG-IP system then sees to it that packets returning
to the originating client return through the BIG-IP system, which translates
the source address back to that of the virtual server. The nPath configuration
differs from the typical load-balancing configuration, as you can see in the
following section.
Note
Do not attempt to use nPath routing for Layer 7 traffic. Certain traffic
features do not work properly if Layer 7 traffic bypasses the BIG-IP system
on the return path. An example of such a feature is HTTP response
compression.
The default route on the content servers must be set to the router's
internal address (10.1.1.1 in Figure 2.1, on page 2-1) rather than to the
BIG-IP system's floating self IP address (10.1.1.10). This causes the
return packet to bypass the BIG-IP system.
If you plan to use an nPath configuration for TCP traffic, you must create
a Fast L4 profile with the following custom settings:
Enable the Loose Close setting. When you enable the Loose Close
setting, the TCP protocol flow expires more quickly, once a TCP FIN
packet is seen. (A FIN packet indicates the tearing down of a
previous connection.)
Set the TCP Close Timeout setting to the same value as the profile
idle timeout if you expect half closes. If not, you can set this value to
5 seconds.
Because address translation and port translation have been turned off,
when the incoming packet arrives at the pool member to which it is load
balanced, its destination is still the virtual server address (176.16.1.1 in
Figure 2.1, on page 2-1), not the address of the server. For the server to
respond to that address, that address must be configured on the loopback
interface of the server and configured for use with the server software.
You need to complete the following tasks to configure the BIG-IP system to
use nPath routing:
Create a custom Fast L4 profile.
Create a pool that contains the content servers.
Define a virtual server with port and address translation disabled and
assign the custom Fast L4 profile to it.
Configure the virtual server address on each server loopback interface.
Set the default route on your servers to the router's internal IP address.
You perform the tasks contained in this guide using the Configuration
utility; however, the procedures do not include the step of logging on to the
Configuration utility. Before you begin the tasks, log on to the Configuration
utility.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. To create a new pool, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. Type a pool name and add the member addresses for each of the
servers.
4. Click Finished.
You need to set this route only if the virtual server is on a different subnet
than the router.
For information about how to define this route, please refer to the
documentation provided with your router.
3
Basic Web Site and E-Commerce
Configuration
To set up load balancing for these sites, you need to create two pools that are
referenced by two virtual servers, one for each site. Even though the sites
are related and they may even share the same IP address, each requires its
own virtual server because it uses a different port to support its particular
protocol: port 80 for the HTTP traffic going to www.siterequest.com, and
port 443 for the SSL traffic going to store.siterequest.com. Note that this is
true even when there is a port 80 and port 443 on the same physical server,
as in the case of Server2.
Note
All examples in this document use only private class IP addresses. When you
set up the configurations we describe, you must use valid IP addresses
suitable to your own network in place of our sample addresses.
4
Installing a BIG-IP System without Changing
the IP Network
The existing data center structure does not support load balancing or high
availability. Figure 4.2, on page 4-2 is an example of the data center
topology after you add the BIG-IP system.
Both the internal and external interfaces of the BIG-IP system are on the
same IP network, 10.0.0.0, but they are effectively on different LANs.
Figure 4.2 introduces a second switch. This switch is eliminated in a
configuration using a BIG-IP system.
This example assumes that you are using the default internal and external
VLAN configuration with self IP addresses on each of the VLANs that are on
the same IP network on which you are installing the BIG-IP system.
Important
The default route on each content server should be set to the IP address of
the router. In this example, you set the default route to 10.0.0.2.
We recommend that you perform this step from the console or from a self IP
address you are not going to delete. If you are connected from a remote
workstation through a self IP address that you are going to delete, you will
be disconnected when you delete it.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as myweb_pool.
4. In the Resources area of the screen, use the New Members setting
to add the pool members.
In our example, pool members are 10.0.0.3:80 and 10.0.0.4:80.
5. Click Finished.
5
Web Hosting for Multiple Customers
4. For the Interfaces setting, from the Available box select the name
of an interface on your internal network, and click the Move button
(<<) to move the interface name to the Tagged box.
This assigns the selected interface to the VLAN, as a tagged
interface. In our example, the interface is 5.1.
5. Click Finished.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as
customerA_pool.
4. In the Resources area of the screen, use the New Members setting
to add the pool members.
For example, in Figure 5.1, on page 5-1, the pool members for
vlanA are 10.1.1.1:80 and 10.1.1.2:80. The pool members for
vlanB are 10.1.2.1:80 and 10.1.2.2:80, and the pool members for
vlanC are 10.1.3.1:80 and 10.1.3.2:80.
5. Click Finished.
3. In the Name box, type a name for the virtual server, such as
vs_customerA.
4. In the Destination box, verify that the type of virtual server is Host,
and in the Address box, type an IP address for the virtual server,
such as 10.1.10.10:80.
5. In the Service Port box, type 80, or select HTTP from the list.
6. In the Configuration area of the screen, locate the HTTP Profile
setting and select http.
7. In the Resources area of the screen, locate the Default Pool setting
and select the pool corresponding to the virtual server you are
creating.
For example, for vs_customerA, you would select the pool
customerA_pool. For vs_customerB, you would select the pool
customerB_pool, and so on.
8. Click Finished.
In Figure 5.2, two BIG-IP system interfaces are assigned to each VLAN. For
example, interfaces 1.1 and 1.2 are assigned to the vlanA VLAN. Each
interface is assigned to a VLAN as an untagged interface.
The first scenario, shown in Figure 5.1, on page 5-1, requires an additional
switch, but requires the use of only one interface on the internal network.
The second scenario, shown in Figure 5.2, removes the need for an
additional switch, but requires the use of multiple BIG-IP system interfaces.
Once you have created your VLANs and assigned untagged interfaces to
them, you can create the pools and virtual servers, just as you did in the
section Hosting multiple customers using an external switch, on page 5-2.
6
Web Hosting for Multiple Customers Using
Route Domains
Introduction
Prerequisite information
Implementing route domains
Sample route domain implementation
For more information
Introduction
Using the route domains feature of the BIG-IP system, you can provide
hosting service for multiple customers by isolating each type of application
traffic within a defined address space on the network. This enhances
security and dedicates BIG-IP resources to each application.
By implementing route domains, you can use duplicate IP addresses on the
network, as long as each of the duplicate addresses resides in a separate
route domain and is isolated on the network through a separate VLAN. For
example, if you are processing traffic for two different customers, you can
create two separate route domains. The same node address (such as
10.0.10.1) can reside in each route domain, in the same pool or in different
pools, and you can assign a different monitor to each of the two
corresponding pool members.
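As an added illustration of the address isolation described above (example code written for this edition, not part of the BIG-IP product or its command set), the following Python parses the `<address>%<route domain ID>:<port>` notation and keeps pool members keyed by route domain, so that the same node address can exist once per route domain, each with its own monitor. The pool and monitor names are constructed; the parser handles IPv4 only and treats a missing %ID as the default route domain, as the chapter describes.

```python
import ipaddress
import re

# "<ip>%<route-domain-id>:<port>"; both the %ID and the :port part are optional.
_ADDR_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:%(?P<rd>\d+))?(?::(?P<port>\d+))?$"
)


def parse_address(text, default_rd=0):
    """Return (ip, route_domain, port). A missing %ID means the default
    route domain; a missing port is returned as 0 (unspecified)."""
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an IPv4[%rd][:port] address: {text!r}")
    ip = ipaddress.IPv4Address(m.group("ip"))  # rejects octets above 255
    rd = int(m.group("rd")) if m.group("rd") is not None else default_rd
    port = int(m.group("port")) if m.group("port") is not None else 0
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ip, rd, port


class PoolMemberTable:
    """Pool members keyed by (ip, route domain, port): the same node address
    may appear once per route domain, each entry with its own monitor."""

    def __init__(self, default_rd=0):
        self.default_rd = default_rd
        self._members = {}

    def add(self, pool, member, monitor):
        key = parse_address(member, self.default_rd)
        if key in self._members:
            raise ValueError(f"{member} already exists in route domain {key[1]}")
        self._members[key] = {"pool": pool, "monitor": monitor}
        return key

    def lookup(self, member):
        return self._members.get(parse_address(member, self.default_rd))

    def monitor_for(self, member):
        entry = self.lookup(member)
        return entry["monitor"] if entry else None


def build_example_table():
    """Constructed sample: customers A and B share node 10.0.10.1, isolated
    in route domains 1 and 2 (names are invented for this example)."""
    table = PoolMemberTable()
    table.add("customerA_pool", "10.0.10.1%1:80", "http_customerA")
    table.add("customerB_pool", "10.0.10.1%2:80", "http_customerB")
    return table
```

Without the %ID the two members would collide; with it they are distinct keys, which is exactly why duplicate addresses are safe only when each lives in its own route domain.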
Prerequisite information
Using the remainder of this chapter, you can set up a basic configuration
with two route domains. Before you follow the step-by-step procedure,
however, you must gather the following information for each type of
application traffic:
Two interface numbers
Two self IP addresses, one per VLAN
Pool member addresses and service
A virtual server address and service
The tables in the procedure show only those settings that you need to
explicitly configure. Settings for which you can use the default values are not
shown.
After you complete this procedure, each administrative partition contains
one route domain, and the route domain in each partition is designated as the
default route domain for the partition. With this configuration, you do not
need to specify the %ID notation in any BIG-IP system addresses that you
create.
Required Action
Name
Description
c) Click Finished.
3. Create two VLANs, one for the external network and one for the
internal network:
a) Expand Network, and click VLANs.
b) Click the Create button, and specify values for these settings.
Setting
Required Action
Name
Interfaces
c) Click Finished.
d) Repeat steps 3b and 3c for the second VLAN. An example of a
name for the second VLAN is internal_App_A.
Required Action
ID
Description
Strict Isolation
VLANs
Partition Default
Route Domain
c) Click Finished.
Required Action
IP Address
Netmask
VLAN
From the VLAN list, select the first of the VLANs that
you created in step 3.
c) Click Finished.
d) Repeat steps 5b and 5c. For the VLAN setting, select the second
VLAN that you created in step 3.
Required Action
Name
New Members
c) Click Finished.
b) Click the Create button, and specify values for these settings.
For all other virtual server settings, you can use the default
values.
Setting
Required Action
Name
Destination
Default Pool
c) Click Finished.
Required Action
Type
Select Route.
Destination
Netmask
Resource Type
c) Click Finished.
d) Repeat steps 8b and 8c for each route that you add. Add one route
for each pool member IP address.
You can also add a default route for this route domain. (Each
route domain on the BIG-IP system can contain a default route.)
Figure 6.2 Application traffic for customers A and B, separated by route domains
7
A Simple Intranet Configuration
As Figure 7.1, on page 7-1 shows, the non-intranet connections are handled
by wildcard virtual servers, that is, servers with the IP address 0.0.0.0. The
wildcard virtual server that is handling traffic to the cache servers is port
specific, specifying port 80 for HTTP requests. This way all HTTP requests
not matching an IP address on the intranet are directed to the cache server.
The wildcard virtual server handling non-HTTP requests is a default
wildcard server. A default wildcard virtual server is one that uses only port
0. This makes it a catch-all match for outgoing traffic that does not match
any standard virtual server or any port-specific wildcard virtual server.
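The matching order just described (host virtual server first, then the port-specific wildcard, then the default wildcard) is shown below as an added Python example; it is not BIG-IP code. The intranet virtual server address 192.168.100.5 and the pool name default_pool are constructed for the example, and ranking an explicit address above an explicit port is an assumption of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualServer:
    name: str
    address: str  # "0.0.0.0" means wildcard address
    port: int     # 0 means wildcard port
    pool: str

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return self.address in ("0.0.0.0", dst_ip) and self.port in (0, dst_port)

    def specificity(self) -> int:
        # Assumed ranking: an explicit address outranks an explicit port,
        # so host > port-specific wildcard > default wildcard.
        return (2 if self.address != "0.0.0.0" else 0) + (1 if self.port != 0 else 0)


def select_virtual_server(vservers, dst_ip: str, dst_port: int):
    """Return the most specific virtual server matching the destination,
    or None when nothing matches (no default wildcard configured)."""
    candidates = [vs for vs in vservers if vs.matches(dst_ip, dst_port)]
    return max(candidates, key=VirtualServer.specificity, default=None)


# Constructed configuration in the spirit of Figure 7.1: one intranet host
# virtual server, a port-80 wildcard for the cache servers, and a catch-all.
VSERVERS = [
    VirtualServer("vs_intranet", "192.168.100.5", 80, "http_pool"),
    VirtualServer("vs_cache", "0.0.0.0", 80, "specificport_pool"),
    VirtualServer("vs_default", "0.0.0.0", 0, "default_pool"),
]
```

Running the lookup for an outside address on port 80 lands on vs_cache, while any other outside port falls through to vs_default, which is what makes the port-0 wildcard the catch-all.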
Creating pools
The first task in a basic configuration is to define the two load balancing
pools: a pool for the intranet content servers, and a pool for the Internet
cache servers.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as http_pool.
4. In the Resources area of the screen, use the New Members setting
to add the pool members.
For example, in Figure 7.1, on page 7-1, the pool members for
http_pool are 192.168.100.10:80 and 192.168.100.11:80. The pool
members for specificport_pool are 192.168.100.20:80 and
192.168.100.21:80.
5. Click Finished.
8
Load Balancing ISPs
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as content_pool or
router_pool.
4. In the Resources area of the screen, use the New Members setting
to add the pool members.
For example, in Figure 8.1, on page 8-1, the pool members for pool
content_pool are 10.1.1.1:80, 10.1.1.2:80, and 10.1.1.3:80. The
pool members for pool router_pool are 192.168.100.1:0 and
192.168.200.1:0.
5. Click Finished.
4. In the Destination box, verify that the type of virtual server is Host,
and in the Address box, type an IP address for the virtual server.
For example, you can assign the IP address 0.0.0.0:0 to the virtual
server, making it a wildcard virtual server.
5. In the Resources area of the screen, locate the Default Pool setting
and select the pool corresponding to the virtual server you are
creating.
For example, for vs_routers, you would select the pool
router_pool.
6. Click Finished.
9
Load Balancing HTTP Traffic with Source
Address Affinity Persistence
Creating a pool
The first task in a basic configuration is to create a load balancing pool to
load balance HTTP connections. Use the Configuration utility to create this
pool.
10
Load Balancing HTTP Traffic with Cookie
Persistence
Creating a pool
The next task is to create a load balancing pool to which to load balance
HTTP connections.
Note
You can also use HTTP Cookie Insert persistence with a Performance
(HTTP) type of virtual server.
11
Compressing HTTP Responses
If you want to enable HTTP compression for specific connections, you can
write an iRule that specifies the HTTP::compress enable command.
Using the BIG-IP system HTTP compression feature, you can include or
exclude certain types of URIs or files that you specify. This is useful
because some URI or file types might already be compressed. F5 does not
recommend using CPU resources to compress already-compressed data
because the cost of compressing the data usually outweighs the benefits.
Examples of regular expressions that you might want to specify for
exclusion are .*\.pdf, .*\.gif, or .*\.html.
To configure HTTP data compression, you need to:
Create a custom HTTP profile.
Create a virtual server to process compressed HTTP responses.
For more detailed, background information on configuring compression and
virtual servers, see the Configuration Guide for BIG-IP Local Traffic
Manager.
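To make the include/exclude logic concrete, here is an added Python example (not BIG-IP code) that applies the chapter's exclusion patterns to a response before deciding whether to compress it. Two details are assumptions of this example rather than documented behaviour: the patterns are matched against the URI path with the query string removed and anchored with `fullmatch`, and the list of already-compressed media types is constructed here.

```python
import re

# The exclusion patterns given in this chapter.  In ".*\.pdf" the ".*" is any
# prefix and "\." a literal dot, so it means "any URI path ending in .pdf".
EXCLUDE_URI_PATTERNS = [r".*\.pdf", r".*\.gif", r".*\.html"]

# Constructed for this example: media types that are already compressed and
# not worth the CPU cost of compressing again (not a list from the guide).
ALREADY_COMPRESSED_TYPES = {
    "image/gif", "image/jpeg", "image/png", "application/pdf",
    "application/zip", "application/gzip",
}


def compile_patterns(patterns):
    return [re.compile(p) for p in patterns]


_DEFAULT_EXCLUDE = compile_patterns(EXCLUDE_URI_PATTERNS)


def uri_path(uri: str) -> str:
    """Drop the query string so ".*\.pdf" also catches "/report.pdf?dl=1"
    (assumption: patterns apply to the path component only)."""
    return uri.split("?", 1)[0]


def client_accepts_compression(accept_encoding: str) -> bool:
    """True when the request's Accept-Encoding lists gzip or deflate."""
    encodings = {e.strip().split(";")[0].lower() for e in accept_encoding.split(",")}
    return bool({"gzip", "deflate"} & encodings)


def should_compress(uri: str, content_type: str, accept_encoding: str,
                    exclude=None) -> bool:
    """Decide whether a response should be compressed: the client must accept
    it, the URI must not match an exclusion, and the body must not already
    be a compressed type."""
    exclude = _DEFAULT_EXCLUDE if exclude is None else exclude
    if not client_accepts_compression(accept_encoding):
        return False
    path = uri_path(uri)
    if any(rx.fullmatch(path) for rx in exclude):
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in ALREADY_COMPRESSED_TYPES:
        return False
    return True
```

`fullmatch` is used deliberately: with a prefix match, `.*\.html` would also exclude `/data/index.html.json`, which is a text body worth compressing. When you test the configuration as the chapter suggests, check both a URI that should be excluded and one that merely contains an excluded extension in the middle of its path.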
9. For all other settings in the Compression area of the screen, retain
the default values, or configure them to suit your needs.
10. Click Finished.
After you have created a custom HTTP profile and a virtual server, you can
test the configuration by attempting to pass HTTP traffic through the virtual
server. Check to see that the BIG-IP system includes and excludes the
responses that you specified in the custom profile, and that the system
compresses the data as specified.
12
Configuring HTTPS Load Balancing
Client-side SSL
A common way to configure the BIG-IP system is to enable client-side
SSL, which enables the system to decrypt client requests before sending
them on to a server, and encrypt server responses before sending them
back to the client. In this case, you need to install only one key/certificate
pair on the system.
Server-side SSL
Another way to configure the BIG-IP system is to enable server-side
SSL, which enables the system to encrypt the requests that it sends to the
target web server and to decrypt the responses. In this case,
you need to install a second key/certificate pair on the system (in addition
to the key/certificate pair that you install for client-side SSL).
Creating a pool
The next task in this process is to create a load balancing pool to load
balance connections. After you create the pool, you assign it to a virtual
server that you create.
After you have created the required SSL key/certificate pairs, one or two
custom SSL profiles, a load balancing pool, and a virtual server, you can test
the configuration by attempting to pass SSL traffic through the virtual server
to the pool.
13
Configuring HTTPS Load Balancing with
Data Compression
Creating a pool
The next task in the process is to create a load balancing pool to load
balance HTTPS connections. After you create the pool, you assign it to a
virtual server that you create.
You can now test the configuration by attempting to pass SSL traffic
through the virtual server. Check to see that the BIG-IP system includes and
excludes the responses that you specified in the custom HTTP profile, and
that the system compresses the data as specified.
14
Using RAM Cache for HTTP Traffic
Static content
This feature is also useful if a site consists of a large quantity of static
content such as CSS, javascript, or images and logos.
Content compression
For compressible data, the RAM Cache can store data for clients that can
accept compressed data. When used in conjunction with the compression
feature on the BIG-IP system, the RAM Cache takes stress off of the
BIG-IP system and the content servers.
15
Load Balancing Passive Mode FTP Traffic
Creating a pool
To load balance passive mode FTP traffic, you create a load balancing pool.
When you create the pool, you assign the custom FTP monitor that you
created in the previous task.
After creating the pool, you assign it to the virtual server that you create.
16
Load Balancing Passive Mode FTP Traffic
with Rate Shaping
After you create the custom FTP monitor, you can create a load balancing
pool for your FTP traffic.
Creating a pool
To load balance passive mode FTP traffic, you create a load balancing pool.
When you create the pool, you assign the custom FTP monitor that you
created in the previous task.
After you create the pool, you assign it to the virtual server that you create in
the next task.
17
Setting up a One-IP Network Topology
To set up this configuration, you need to complete the following tasks on the
BIG-IP system:
Create a load balancing pool for the content servers.
Create a virtual server to load balance traffic to the content server pool.
Define a default route for the external VLAN.
Configure a SNAT for the client.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. From the Configuration list, select Advanced.
4. In the Name box, type a name for the pool, such as server_pool.
5. For the Health Monitors setting, from the Available box select
http, and click the Move button (<<) to move the monitor name to
the Active box.
6. For the Allow SNAT setting, verify that the value is Yes.
7. For the remaining settings in the Configuration area of the screen,
retain the default values.
8. In the Resources area of the screen, use the default values for the
Load Balancing Method and Priority Group Activation settings.
9. For the New Members setting, add the pool members:
a) Click the New Address option.
b) In the Address box, type the IP address of a server in the pool.
c) In the Service Port box, type 80, or select HTTP.
d) Click Add.
e) Repeat steps b, c, and d for each server in the pool.
10. Click Finished.
Note
If you are defining a default route for a route domain other than route
domain 0 (the default route domain), the procedure varies slightly. For
more information, see the TMOS Management Guide for BIG-IP
Systems.
18
Using Link Aggregation with Tagged VLANs
Figure 18.1 An example of an aggregated two-interface load balancing configuration with two IP networks
This example assumes that you are using the default internal and external
VLAN configuration. It also assumes that the self IP addresses on each
VLAN are on the same IP networks as the BIG-IP system.
To aggregate links
1. On the Main tab of the navigation pane, expand Network, and click
Trunks.
The Trunks screen opens.
2. On the upper-right corner of the screen, click Create.
The New Trunk screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a trunk.
3. In the Name box, type a name for the trunk, such as trunk1.
4. For the Interfaces setting, locate the Available box and select an
interface.
Note: The lowest-numbered interface is the controlling or reference
interface.
5. Using the Move button, move the interface number to the Members
box.
6. Repeat step 5 for all interfaces that you want to include as trunk
members.
7. For the LACP setting, check the box.
This enables dynamic link aggregation.
8. Click Finished.
You should perform this task from the management interface; otherwise you
will be disconnected from the BIG-IP system.
3. For the Interfaces setting, locate the Available box and select the
name of the trunk that you created in the previous procedure.
4. Click the Move button to move the trunk name to the Tagged box.
This assigns the trunk to the VLAN, as a tagged interface.
5. Click Update.
6. Return to the list of existing VLANs.
7. Repeat steps 2 - 5 for VLAN external.
8. Click Update.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as myweb_pool.
4. For the New Members setting, add the pool members:
a) Click the New Address option.
b) In the Address box, type the IP address of a web server in the
pool.
c) From the Service Port list, select a service.
d) Click Add.
e) Repeat steps b, c, and d for each server in the pool.
5. Click Finished.
You configure the one-network topology in exactly the same way as the
two-network topology (allowing for the fact that the virtual server address
will now belong to the same network as the servers), with one additional
step: the internal and external VLANs need to be grouped. Therefore, to
configure the BIG-IP system for this implementation, you must complete
the following tasks:
Configure the tagged interfaces, load balancing pool, virtual server, and
trunk exactly as in the two-network configuration.
For more information, see Using the two-network aggregated tagged
interface topology, on page 18-2.
Remove the self IP addresses from the internal and external VLANs.
Combine the internal and external VLANs into a VLAN group.
Assign a self IP address to the VLAN group.
You should perform this task from the management interface; otherwise you
will be disconnected from the BIG-IP system.
A VLAN group name can be used anywhere that a VLAN name can be used.
19
Setting Up Packet Filtering
Creating a SNAT
The first task in implementing packet filtering is to create a SNAT.
To create a SNAT
1. On the Main tab of the navigation pane, expand Local Traffic, and
click SNATs.
The SNATs screen opens.
2. In the upper-right corner, click Create.
The New SNAT screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a SNAT.
3. In the Name box, type a unique name for the SNAT.
4. From the Translation list, select Automap.
5. From the VLAN Traffic list, select Enabled On.
This displays the VLAN List setting.
6. For the VLAN List setting, from the Available box select internal
and external, and click the Move button (<<) to move the VLAN
names to the Selected box.
7. Click Finished.
4. In the Resources area of the screen, use the New Members setting
to add the pool members.
The members you add are router IP addresses.
5. Click Finished.
20
Implementing Health and Performance
Monitors
Monitor types
Every monitor, whether pre-configured or custom, is a certain type of
monitor. Each type of monitor checks the status of a particular protocol,
service, or application. For example, one type of monitor is HTTP. An
HTTP type of monitor allows you to monitor the availability of the
HTTP service on a pool, pool member, or node. A WMI type of monitor
allows you to monitor the performance of a pool, pool member, or node
that is running the Windows Management Instrumentation (WMI)
software. An ICMP type of monitor simply determines whether the status
of a node is up or down.
Monitor settings
Every monitor consists of settings with values. The settings and their
values differ depending on the type of monitor. In some cases, the
BIG-IP system assigns default values. For example, Figure 20.1 shows
the settings and default values of an ICMP-type monitor.
Name my_icmp
Type ICMP
Interval 5
Timeout 16
Transparent No
Alias Address * All Addresses
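The Interval and Timeout values in this table decide when a node changes state. With Interval 5 and Timeout 16, three probes can go unanswered (at 5, 10 and 15 seconds after the last success) before the node is marked down at the fourth. The following Python model is an added example, not BIG-IP code; it assumes the simple semantics stated in this chapter, namely a probe every `interval` seconds and a down decision once `timeout` seconds pass without a successful response.

```python
def misses_tolerated(interval: int, timeout: int) -> int:
    """Consecutive failed probes a node survives before it is marked down.
    Probe k (k >= 1) after the last success is sent at k*interval seconds and
    the node stays up while k*interval < timeout."""
    if interval <= 0 or timeout <= 0:
        raise ValueError("interval and timeout must be positive")
    return max(0, (timeout - 1) // interval)


def run_monitor(probe_results, interval: int = 5, timeout: int = 16):
    """Replay a sequence of probe outcomes (True = node answered) and return
    the status recorded after each probe. Probe i is sent at t = i*interval.
    A node with no successful probe yet is reported down."""
    statuses = []
    last_success = None
    for i, answered in enumerate(probe_results):
        now = i * interval
        if answered:
            last_success = now
            statuses.append("up")
        elif last_success is None or now - last_success >= timeout:
            statuses.append("down")
        else:
            statuses.append("up")  # still inside the timeout window
    return statuses
```

Shortening the timeout makes failure detection faster but also means a single slow response can take a healthy member out of the pool; the model lets you check what a candidate Interval/Timeout pair tolerates before you commit it to a monitor.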
Creating a pool
When you create the pool to load balance traffic, you assign the custom
monitor that you created in the previous section to a load balancing pool.
Then, after creating the pool, you assign it to the virtual server that you
create in the next section.
4. In the Members column, click the address of the pool member for
which you want to assign a unique monitor.
This displays the properties of that pool member.
5. From the Configuration list, select Advanced.
This displays the Health Monitors setting.
6. From the Health Monitors list, select Member Specific.
7. Click Update.
21
Load Balancing Traffic to IPv6 Nodes
All IPv6 addresses that you define on the BIG-IP system must reside in route
domain 0.
7. Verify that the IPv6 nodes have auto-configured their addresses for
this prefix.
8. Take note of the addresses of the HTTP service IPv6 nodes.
These addresses are required for the next step in the process,
configuring IPv4-to-IPv6 load balancing.
22
Mitigating Denial of Service and Other
Attacks
High performance
The BIG-IP system can handle tens of thousands of Layer 4 (L4) connections
per second. It would take a very determined attack to affect either the
BIG-IP system itself, or the site, if sufficient server resources and
bandwidth are available.
This chapter describes several configurations that help mitigate DoS attacks.
The configurations described include:
How to configure the adaptive reapers to allow the BIG-IP system to
respond to attacks, following.
A basic configuration to defend against denial of service attacks, on page
22-4.
Several examples of iRules syntax you can use to filter out specific
known attacks, on page 22-7.
For more information about these tasks, click the Help tab in the
Configuration utility, or see the Configuration Guide for BIG-IP Local
Traffic Manager.
The adaptive reaper settings do not apply to SSL connections. However, you
can set TCP and UDP connection timeouts that reap idle SSL connections.
For more information see Setting the TCP and UDP connection timers, on
page 22-4.
Tip
Setting both of the adaptive reaper values to 100 disables this feature.
When the adaptive reaper high water limit is reached, the LCD displays the
message Blocking DoS Attack.
3. Choose the logging level for the adaptive reaper. The following
levels display the message Blocking DoS Attack on the LCD when
the Reaper High Water Mark is exceeded:
• Emergency
• Alert
• Critical
• Error
• Warning
The following levels do not display the Blocking DoS Attack
message on the LCD:
• Notice
• Informational
4. Type the following command to set the adaptive reaper logging
level, where <log level> is the logging level:
bp db Log.DosProtect.Level "<log level>"
The rate class module requires a license key. If you do not have this
functionality and you would like to purchase a license key, contact F5
Networks.
After you create a rate class, you can apply it to the virtual servers in the
configuration.
Figure 22.1 A sample iRule for filtering out a Code Red attack
Take care any time you lower the idle session reaping time outs. It is
possible that valid connections will be reaped if the application cannot
respond in time.
SYN flood
A SYN flood is an attack against a system for the purpose of exhausting that
system's resources. An attacker launching a SYN flood against a target
system attempts to occupy all available resources used to establish TCP
connections by sending multiple SYN segments containing incorrect IP
addresses. Note that the term SYN refers to a type of connection state that
occurs during establishment of a TCP/IP connection.
More specifically, a SYN flood is designed to fill up a SYN queue. A SYN
queue is a set of connections stored in the connection table in the
SYN-RECEIVED state, as part of the standard three-way TCP handshake. A
SYN queue can hold a specified maximum number of connections in the
SYN-RECEIVED state.
Connections in the SYN-RECEIVED state are considered to be half-open
and waiting for an acknowledgement from the client. When a SYN flood
causes the maximum number of allowed connections in the
SYN-RECEIVED state to be reached, the SYN queue is said to be full, thus
preventing the target system from establishing other legitimate connections.
A full SYN queue therefore results in partially-open TCP connections to IP
addresses that either do not exist or are unreachable. In these cases, the
connections must reach their timeout before the server can continue
fulfilling other requests.
The SYN Check feature complements the existing adaptive reaper feature in
the BIG-IP system. While the adaptive reaper handles established
connection flooding, SYN Check prevents connection flooding altogether.
That is, while the adaptive reaper must work overtime to flush connections,
the SYN Check feature prevents the SYN queue from becoming full, thus
allowing the target system to continue to establish TCP connections.
You can configure the BIG-IP system to activate the SYN Check feature
when some threshold of connections has been reached on the system.
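The two mechanisms described above, a finite SYN queue that a flood can fill and a stateless cookie check of the kind SYN Check performs, are easier to reason about with a small model. The following Python is an added example written for this page; it is not BIG-IP code and not F5's SYN Check implementation. It assumes a queue limit of 4, TEST-NET source addresses that never complete the handshake, a constructed secret, and a simplified 32-bit cookie layout (an 8-bit time counter followed by 24 bits of a truncated HMAC):

```python
"""Constructed model of a SYN queue under flood next to a stateless
SYN-cookie listener.  Hypothetical illustration written for this page; it is
not BIG-IP's SYN Check implementation and the cookie layout is simplified."""
import hashlib
import hmac

SYN_QUEUE_MAX = 4                                       # deliberately tiny so the queue fills
COOKIE_SECRET = b"constructed-secret-rotate-per-boot"   # a real listener draws this from a CSPRNG


class SynQueueServer:
    """Stateful listener: every SYN holds a SYN-RECEIVED slot until its ACK arrives."""

    def __init__(self, max_half_open=SYN_QUEUE_MAX):
        self.max_half_open = max_half_open
        self.half_open = {}          # (src, sport) -> ISN we sent; SYN-RECEIVED state
        self.established = set()

    def on_syn(self, src, sport):
        if len(self.half_open) >= self.max_half_open:
            return "SYN dropped: queue full"     # legitimate clients are refused here too
        self.half_open[(src, sport)] = 1000      # constructed ISN
        return "SYN-ACK"

    def on_ack(self, src, sport, ack):
        isn = self.half_open.pop((src, sport), None)
        if isn is None or ack != isn + 1:
            return "ACK ignored"
        self.established.add((src, sport))
        return "ESTABLISHED"


class SynCookieServer:
    """Stateless listener: the SYN-ACK's ISN is a keyed hash of the 4-tuple plus a
    coarse timestamp, so nothing is stored until a valid ACK comes back."""

    def __init__(self, dst="10.0.0.1", dport=80):
        self.dst, self.dport = dst, dport
        self.established = set()

    def cookie(self, src, sport, t):
        t8 = t & 0xFF                            # 8-bit coarse time counter
        msg = f"{src}:{sport}->{self.dst}:{self.dport}:{t8}".encode()
        mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
        return (t8 << 24) | int.from_bytes(mac[:3], "big")   # time || 24-bit MAC

    def on_syn(self, src, sport, t):
        return self.cookie(src, sport, t)        # no queue entry: the cookie is the only state

    def on_ack(self, src, sport, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF
        t8 = isn >> 24
        if (now - t8) & 0xFF > 1:                # older than two time units: reject
            return "ACK ignored: stale cookie"
        if self.cookie(src, sport, t8) != isn:   # forged or replayed ACK
            return "ACK ignored: bad cookie"
        self.established.add((src, sport))
        return "ESTABLISHED"


def syn_queue_scenario(n_spoofed=10):
    """Flood the stateful listener with SYNs from constructed, unreachable sources."""
    s = SynQueueServer()
    for i in range(n_spoofed):
        s.on_syn(f"203.0.113.{i}", 40000 + i)   # TEST-NET-3 addresses that never ACK
    reply = s.on_syn("198.51.100.7", 51000)     # the legitimate client arrives last
    return reply, len(s.half_open)


def syn_cookie_scenario(n_spoofed=10):
    """Same flood against the cookie listener; the legitimate client still connects."""
    s = SynCookieServer()
    for i in range(n_spoofed):
        s.on_syn(f"203.0.113.{i}", 40000 + i, t=5)
    isn = s.on_syn("198.51.100.7", 51000, t=5)
    ok = s.on_ack("198.51.100.7", 51000, ack=(isn + 1) & 0xFFFFFFFF, now=6)
    forged = s.on_ack("203.0.113.1", 40001, ack=(6 << 24) + 1, now=6)
    return ok, forged, len(s.established)


if __name__ == "__main__":
    print(syn_queue_scenario())    # ('SYN dropped: queue full', 4)
    print(syn_cookie_scenario())   # ('ESTABLISHED', 'ACK ignored: bad cookie', 1)
```

The stateful listener refuses the legitimate client once four spoofed SYNs occupy its queue, while the cookie listener keeps no state per SYN, so the same flood costs it only a hash per packet and a forged ACK fails the keyed check. The short validity window and a secret that changes per boot are what stop a captured cookie from being replayed later.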
UDP flood
The UDP flood attack is most commonly a distributed denial-of-service
attack (DDoS), where multiple remote systems are sending a large flood of
UDP packets to the target.
The BIG-IP system handles these attacks similarly to the way it handles a
SYN flood. If the port is not listening, the BIG-IP system drops the packets.
If the port is listening, the reaper removes the false connections.
Setting the UDP idle session timeout to between 5 and 10 seconds reaps
these connections quickly without impacting users with slow connections.
However, with UDP this may still leave too many open connections, and
your situation may require a setting of between 2 and 5 seconds.
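The adaptive reaper steps earlier in this chapter (the water marks, the Blocking DoS Attack message, and which logging levels reach the LCD) and the UDP idle timeout advice just above come down to one mechanism: an idle timeout that shrinks as the connection table fills. The following Python is an added, constructed model written for this page, not BIG-IP's reaper; the linear shrink between the low and high water marks, the 100-slot table, the per-protocol timeouts, and the flood addresses are all assumptions:

```python
"""Constructed model of an adaptive connection reaper with per-protocol idle
timeouts.  Hypothetical code written for this page; it is not BIG-IP's reaper
and the scaling between the water marks is an assumption."""

# Logging levels that put "Blocking DoS Attack" on the LCD (from the steps above).
LCD_LEVELS = {"emergency", "alert", "critical", "error", "warning"}
SILENT_LEVELS = {"notice", "informational"}    # logged, but nothing on the LCD


class AdaptiveReaper:
    def __init__(self, capacity, idle_timeout, low_water=85, high_water=95,
                 log_level="warning"):
        if log_level not in LCD_LEVELS | SILENT_LEVELS:
            raise ValueError(f"unknown log level: {log_level!r}")
        self.capacity = capacity                # connection-table size
        self.idle_timeout = dict(idle_timeout)  # seconds per protocol, e.g. {"udp": 10}
        self.low_water = low_water              # percent of table in use
        self.high_water = high_water
        self.log_level = log_level
        self.table = {}                         # key -> (proto, last_activity)
        self.events = []                        # (level, message, shown_on_lcd)

    def track(self, key, proto, now):
        """Record a new connection or refresh the last-activity time of an existing one."""
        self.table[key] = (proto, now)

    def utilization(self):
        return 100.0 * len(self.table) / self.capacity

    @property
    def adaptive_enabled(self):
        # Both water marks at 100 disables the feature (see the Tip above).
        return self.low_water < self.high_water

    def effective_timeout(self, proto):
        """Idle timeout in force right now: the configured value below the low
        water mark, shrinking linearly (assumed) to zero at the high water mark."""
        base = self.idle_timeout[proto]
        util = self.utilization()
        if not self.adaptive_enabled or util < self.low_water:
            return base
        if util >= self.high_water:
            return 0.0
        return base * (self.high_water - util) / (self.high_water - self.low_water)

    def reap(self, now):
        """Remove idle connections; returns the keys reaped."""
        if self.adaptive_enabled and self.utilization() >= self.high_water:
            self.events.append((self.log_level, "Blocking DoS Attack",
                                self.log_level in LCD_LEVELS))
        timeouts = {p: self.effective_timeout(p) for p in self.idle_timeout}
        reaped = [k for k, (proto, last) in self.table.items()
                  if now - last > timeouts[proto]]
        for k in reaped:
            del self.table[k]
        return reaped


def flood_scenario(n_flood, now, log_level="warning", low=85, high=95):
    """Constructed UDP flood against a 100-slot table holding one live TCP session."""
    r = AdaptiveReaper(capacity=100, idle_timeout={"tcp": 300, "udp": 10},
                       low_water=low, high_water=high, log_level=log_level)
    r.track(("198.51.100.7", 51000), "tcp", now=now - 1)   # legitimate, active 1 s ago
    for i in range(n_flood):                               # TEST-NET-3 sources, idle since t=0
        r.track((f"203.0.113.{i % 256}", 40000 + i), "udp", now=0)
    reaped = r.reap(now)
    return {"reaped": len(reaped), "remaining": len(r.table),
            "lcd": [shown for _, _, shown in r.events]}


if __name__ == "__main__":
    print(flood_scenario(90, now=5))                 # between the marks: UDP timeout shrinks to 4 s
    print(flood_scenario(95, now=5))                 # above high water: everything idle goes, LCD lit
    print(flood_scenario(95, now=5, log_level="informational"))   # logged, LCD stays dark
    print(flood_scenario(95, now=5, low=100, high=100))           # disabled: plain 10 s UDP timeout
```

The second scenario also shows the caveat stated under Setting the TCP and UDP connection timers: once utilization crosses the high water mark the effective timeout reaches zero, and the legitimate TCP session, idle for only one second, is reaped along with the flood. Lower UDP timeouts (the 2 to 5 second range above) buy headroom below the high water mark at the price of reaping slow but genuine clients sooner.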
UDP fragment
The UDP fragment attack is based on forcing the system to reassemble
huge amounts of UDP data sent as fragmented packets. The goal of this
attack is to consume system resources to the point where the system fails.
The BIG-IP system does not reassemble these packets, it sends them on to
the server if they are for an open UDP service. If these packets are sent with
the initial packet opening the connection correctly, then the connection is
sent to the back-end server. If the initial packet is not the first packet of the
stream, the entire stream is dropped.
You do not need to make any changes to the BIG-IP system configuration
for this type of attack.
Ping of Death
The Ping of Death attack is an attack with ICMP echo packets that are
larger than 65535 bytes. Since this is the maximum allowed ICMP packet
size, this can crash systems that attempt to reassemble the packet.
The BIG-IP system is hardened against this type of attack. However, if the
attack is against a virtual server with the Any IP feature enabled, then these
packets are sent on to the server. It is important that you apply the latest
update patches to your servers.
You do not need to make any changes to the BIG-IP system configuration
for this type of attack.
Land attack
A Land attack is a SYN packet sent with the source address and port the
same as the destination address and port.
The BIG-IP system is hardened to resist this attack. The BIG-IP system
connection table matches existing connections so that a spoof of this sort is
not passed on to the servers. Connections to the BIG-IP system are checked
and dropped if spoofed in this manner.
You do not need to make any changes to the BIG-IP system configuration
for this type of attack.
Teardrop
A Teardrop attack is carried out by a program that sends IP fragments to a
machine connected to the Internet or a network. The Teardrop attack
exploits an overlapping IP fragment problem present in some common
operating systems. The problem causes the TCP/IP fragmentation
re-assembly code to improperly handle overlapping IP fragments.
The BIG-IP system handles these attacks by correctly checking frame
alignment and discarding improperly aligned fragments.
You do not need to make any changes to the BIG-IP system configuration
for this type of attack.
Data attacks
The BIG-IP system can also offer protection from data attacks to the servers
behind the BIG-IP system. The BIG-IP system acts as a port-deny device,
preventing many common exploits by simply not passing the attack through
to the server.
For information about iRule examples for thwarting two common data
attacks, see Filtering out attacks with iRules, on page 22-7.
WinNuke
The WinNuke attack exploits the way certain common operating systems
handle data sent to the NetBIOS ports. NetBIOS ports are 135, 136, 137 and
138, using TCP or UDP. The BIG-IP system denies these ports by default.
On the BIG-IP system, do not open these ports unless you are sure your
servers have been patched against this attack.
Sub 7
The Sub 7 attack is a Trojan horse that is designed to run on certain common
operating systems. This Trojan horse allows the system to be controlled
remotely.
This Trojan horse listens on port 27374 by default. The BIG-IP system does
not allow connections to this port from the outside, so a compromised server
cannot be controlled remotely.
Do not open high ports (ports above 1024) without explicit knowledge of
what applications will be running on these ports.
Back Orifice
Back Orifice is a Trojan horse that is designed to run on certain common
operating systems. This Trojan horse allows the system to be controlled
remotely.
This Trojan horse listens on UDP port 31337 by default. The BIG-IP system
does not allow connections to this port from the outside, so a compromised
server cannot be controlled remotely. Do not open high ports (ports above
1024) without explicit knowledge of what will be running on these ports.
23
Configuring Administrative Partitions to Control User Access
Partitions
Partitions represent containers for BIG-IP system objects. You can use
partitions to limit user access to certain objects. For more information on
partitions, see the TMOS Management Guide for BIG-IP Systems.
User accounts
User accounts grant administrative access to the BIG-IP system. The
properties that you set on a user account determine that user's
permissions for administering BIG-IP system resources. For more
information on user accounts, see the TMOS Management Guide for
BIG-IP Systems.
User roles
One of the properties that you set on a user account is the user role. A
user role determines that user's permissions, that is, the specific objects
that the user can access and the tasks that the user can perform. The user
roles that you can assign to a user account are: Administrator, Resource
Administrator, User Manager, Manager, Application Editor,
Application Security Policy Editor, Operator, or Guest. You can also
specify that a user account has no access to system resources. For
descriptions of these user roles, see the TMOS Management Guide for
BIG-IP Systems.
Chapter 23
Creating a partition
When you first install the BIG-IP system, a default partition exists, known
as partition Common. Partition Common contains certain objects that the
system automatically creates during installation, such as the admin user
account, the default profiles, and the pre-configured health and performance
monitors.
Some types of BIG-IP system objects reside in partitions, while others do
not. In general, most local-traffic objects reside in partitions. Network
objects, such as self IP addresses, VLANs, interfaces, and so on, cannot
reside in partitions.
At a minimum, most BIG-IP system user accounts have Read access to
objects in partition Common, regardless of their user roles. User accounts
that have the Administrator and Resource Administrator roles assigned
to them not only can view the objects in Common, but also can create,
modify, and delete objects in that partition.
While managing partition Common is useful as a starting point for
controlling user access to BIG-IP system objects, creating other partitions
offers a much finer degree of access control for administrative users.
The first step in giving a user the authority to manage objects in a specific
partition is to create the partition. Once you have created the partition, you
choose the user that you want to manage the objects in the new partition.
Finally, you modify the properties of that user's account, to assign both the
appropriate user role and the partition that you want to authorize the user to
manage. Once you have granted authority to the user to manage the
partition, the user can then manage those objects in certain ways, such as
creating HTTP virtual servers and profiles, within that partition.
Important
To create a partition
1. On the Main tab of the navigation pane, expand System, and click
Users.
The Users screen opens.
2. On the menu bar, click Partitions List.
This displays the list of partitions that you are allowed to view.
3. In the upper-right corner of the screen, click Create.
4. In the Name box, type a unique name for the partition, such as
partition_App1.
24
Configuring Remote Authentication and Authorization for Administrative Traffic
By using all of the above features together, you can define user privileges on
a group-wise basis, and you can centrally manage all BIG-IP user accounts,
thus negating any need to create and manage user accounts separately on
each individual BIG-IP device on the network.
Note
Chapter 24
3. Click Change.
4. From the User Directory list, select Remote - TACACS+.
5. From the Configuration list, select Advanced.
Additional settings appear on the screen.
6. In the Servers box, type an IP address and click Add.
7. In the Secret box, type the TACACS+ secret.
8. In the Confirm Secret box, re-type the TACACS+ secret that you
specified in the Secret box.
9. From the Encryption list, retain the default value (Enabled) or
select Disabled. This setting is optional.
10. In the Service Name box, type the name of a service.
11. In the Protocol Name box, type the name of a protocol. This setting
is optional.
12. From the Authentication list, select either Authenticate to first
server or Authenticate to each server until success.
13. From the Accounting Information list, select either Send to first
available server or Send to all servers.
14. From the Debug Logging list, select either Disabled or Enabled.
15. Click Finished.
You can use the Configuration utility to change the values that the BIG-IP
system uses as the default values when assigning privileges to remote user
accounts.
If you want to use non-default values for all of the user accounts represented
by Other External Users, you have two options:
For detailed descriptions of the user roles that you can assign to accounts,
see the TMOS Management Guide for BIG-IP Systems.
For example, suppose that your BIG-IP system user accounts are stored on
an LDAP remote authentication server and that those accounts are divided
between the groups BigIPOperatorsGroup and BigIPManagersGroup. In
this case, you can type the following remoterole command sequence to
define the privileges for those groups:
bigpipe remoterole role info BigIPOperatorsGroup {
    attribute "memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net"
    console disable
    line order 1
    role operator
    user partition App_A
} role info BigIPManagersGroup {
    attribute "MemberOF=cn=BigIPManagersGroup,cn=users,dc=dev,dc=net"
    console enable
    line order 2
    role manager
    user partition App_B
}
Table 24.1 shows the resulting configuration, where each group has a set of
privileges assigned to it:

Group Name             Assigned Privileges
BigIPOperatorsGroup    console disable, role operator, user partition App_A
BigIPManagersGroup     console enable, role manager, user partition App_B
Note
Example
Suppose that you configure a remote RADIUS authentication server to
return a vendor-specific attribute and three variables, and their values.
F5-LTM-User-Info-1 = DC1
F5-LTM-User-Role = 400
F5-LTM-User-Partition = App_C
F5-LTM-User-Console = 1
Note: See Considerations for variable evaluation, on page 24-9 for more
information.
Missing variables
When a variable does not exist in the authentication attributes, the system
assigns these privileges to the user account:
Role = No Access
Partition = None
Terminal access = Disabled
No matching attributes
If the user is properly authenticated but there is no match on any of the
remoterole attributes, the system assigns the default privileges. For more
information on default privileges for remote user accounts, see
Configuring access control for BIG-IP system users, on page 24-6.
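To show how the remoterole entries above, the RADIUS F5-LTM-User-* variables, the missing-variable rule and the no-match default combine, here is an added Python model written for this page; it is not F5's implementation. It assumes that entries are evaluated in line order with the first match winning, that LDAP attribute names compare case-insensitively, that the no-match defaults are No Access / None / Disabled, and that the numeric role codes other than 400 (the only code shown on this page) are as listed in ROLE_CODES:

```python
"""Constructed model of how remote-user privileges resolve from remoterole
entries (LDAP) or F5-LTM-User-* RADIUS variables.  Hypothetical code written
for this page, not F5's implementation."""

# Privileges applied when authentication succeeds but no remoterole entry matches.
# The text says these defaults are configurable; the values here are assumed.
DEFAULT_PRIVILEGES = {"role": "no access", "partition": "none", "console": "disabled"}

# Privileges applied when a RADIUS variable is absent (from "Missing variables" above).
MISSING_VARIABLE_PRIVILEGES = {"role": "no access", "partition": "none", "console": "disabled"}

# Numeric role codes: 400 (Operator) is the only code on this page; the other
# entries are BIG-IP role numbers as understood by the author of this example.
ROLE_CODES = {0: "administrator", 100: "manager", 400: "operator",
              700: "guest", 900: "no access"}

# The two remoterole entries from the bigpipe command above, as data.
REMOTE_ROLES = [
    {"name": "BigIPOperatorsGroup", "line_order": 1,
     "attribute": "memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net",
     "console": "disable", "role": "operator", "partition": "App_A"},
    {"name": "BigIPManagersGroup", "line_order": 2,
     "attribute": "MemberOF=cn=BigIPManagersGroup,cn=users,dc=dev,dc=net",
     "console": "enable", "role": "manager", "partition": "App_B"},
]


def privileges_from_remoterole(user_attrs, remote_roles=REMOTE_ROLES):
    """user_attrs: attribute name -> list of values returned by the directory.
    Entries are tried in line order and the first match wins (assumed semantics
    of 'line order'); attribute names compare case-insensitively, as in LDAP."""
    attrs = {k.lower(): v for k, v in user_attrs.items()}
    for entry in sorted(remote_roles, key=lambda e: e["line_order"]):
        name, _, value = entry["attribute"].partition("=")
        if value in attrs.get(name.lower(), []):
            return {"role": entry["role"], "partition": entry["partition"],
                    "console": "enabled" if entry["console"] == "enable" else "disabled"}
    return dict(DEFAULT_PRIVILEGES)        # authenticated, but no matching attribute


def privileges_from_radius(vsa):
    """vsa: the F5-LTM-User-* variables from the RADIUS reply, as strings."""
    required = ("F5-LTM-User-Role", "F5-LTM-User-Partition", "F5-LTM-User-Console")
    if any(name not in vsa for name in required):
        return dict(MISSING_VARIABLE_PRIVILEGES)
    # An unknown role code is treated as No Access (assumed fail-closed behaviour).
    role = ROLE_CODES.get(int(vsa["F5-LTM-User-Role"]), "no access")
    return {"role": role,
            "partition": vsa["F5-LTM-User-Partition"],
            "console": "enabled" if vsa["F5-LTM-User-Console"] == "1" else "disabled"}


if __name__ == "__main__":
    # Constructed directory results for three users.
    managers = "cn=BigIPManagersGroup,cn=users,dc=dev,dc=net"
    operators = "cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net"
    print(privileges_from_remoterole({"memberOf": [managers]}))
    print(privileges_from_remoterole({"memberOf": [operators, managers]}))   # line order 1 wins
    print(privileges_from_remoterole({"memberOf": ["cn=Staff,cn=users,dc=dev,dc=net"]}))
    # The RADIUS example from the page, then the same reply with one variable missing.
    radius = {"F5-LTM-User-Info-1": "DC1", "F5-LTM-User-Role": "400",
              "F5-LTM-User-Partition": "App_C", "F5-LTM-User-Console": "1"}
    print(privileges_from_radius(radius))
    print(privileges_from_radius({k: v for k, v in radius.items() if k != "F5-LTM-User-Console"}))
```

The user who belongs to both groups lands in the operators entry because its line order is lower, which is why the ordering of remoterole entries matters when group memberships overlap; and a RADIUS reply that omits any one variable yields No Access rather than a partial set of privileges.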
To create an SCF
1. Access the bigpipe shell.
2. Run the command export, and include a name for the SCF, for
example:
bp> export myConfiguration053107
25
Configuring Remote Authentication for Application Traffic
Chapter 25
If the remote authentication server uses LDAP or Active Directory and is set
up to authenticate SSL authentication traffic, there is an additional feature
that you can enable. You can configure the BIG-IP system to perform the
server-side SSL handshake that the remote server would normally perform
when authenticating client traffic. In this case, there are some preliminary
tasks you must perform to prepare for remote authentication using SSL.
Once you have performed these preliminary SSL tasks, you can enable
SSL-based remote server authentication. You do this as part of creating the
LDAP configuration object, which includes these Advanced settings:
SSL CA Certificate
This represents the name of the certificate that normally resides on the
remote authentication server.
SSL Client Key
This represents the name of the SSL key that the client sends to the
BIG-IP system. This key specification is only necessary when the remote
server requires a client certificate.
SSL Client Certificate
This represents the name of the SSL certificate that the client sends to the
BIG-IP system. This certificate specification is only necessary when the
remote server requires a client certificate.
Important
Note
The virtual server to which you assign the profiles and the iRule must be a
Standard type of virtual server.
Once you have created the TACACS+ configuration object, you must create
a custom TACACS+ profile and modify an HTTP virtual server.
The virtual server to which you assign an authentication profile and iRule
must be a Standard type of virtual server.
The virtual server to which you assign the profiles and the iRule must be a
Standard type of virtual server.
26
Configuring Kerberos Delegation Infrastructure
Configuration Requirements
Client
Web server
BIG-IP system
Note
Chapter 26
If the test is successful, the system displays a list of the root name servers.
For example, if you want to add the DNS name server IP addresses
192.168.10.20 and 192.168.10.22 to the BIG-IP system, type the
following command:
bigpipe dns nameservers 192.168.10.20 192.168.10.22 add
192.168.10.20
nameserver
192.168.10.22
This command prompts you for a password. Typically, the value of the
admin_principal argument is administrator; however, you can use any
administrator name. The host argument specifies the FQDN of the virtual
server you configure for traffic. Run this command for each virtual server
you plan to configure.
Important
For additional information about these commands, see the domaintool man
page.
BIG-IP Local Traffic Manager: Implementations
6. In the Client Principal Name box, type the client principal name.
The client principal name is the name of the virtual server on the
BIG-IP system. Use the following format, where <name> is the
admin_principal name that you previously added to the domain:
HTTP/<name>
7. In the Server Principal Name box, type the server principal name.
The server principal name is the name of the web server. Use the
following format, where <FQDN> is the fully-qualified domain
name of the web server in the pool:
HTTP/<FQDN>
8. Click Finished.
For the server principal, use the fully-qualified domain name (FQDN) of the
web server.
For each client principal, use the FQDN of the virtual server you plan to
create on the BIG-IP system.
Note
The Cookie Key value is an encryption key that encrypts cookie data. A
default value is supplied; however, you should change the default value so
that attackers who know this value cannot decrypt cookie data and
impersonate trusted users.
27
Configuring Multiple Authentication Servers
As an alternative to associating the pool with the virtual server, you can
associate the pool with each proxy or authentication source directly.
The remainder of this chapter describes how to successfully create a
multiple authentication server configuration. For example purposes only, the
information is written for RADIUS servers, but it applies to LDAP or
TACACS+ servers also, except for some minor differences: If your servers
are LDAP or TACACS+ servers, any information about RADIUS secrets
does not apply. Also, you should replace any mention of a RADIUS
Meeting prerequisites
Before continuing, you must ensure that the following requirements are met:
• The RADIUS secret must be the same for all RADIUS servers.
• The address of the virtual server that you create to reference the RADIUS
  pool cannot be a loopback address.
• The virtual server that references the RADIUS pool must be in the same
  VLAN as the RADIUS servers.
  For example, if the RADIUS server addresses are 10.1.1.10 and
  10.1.1.11 and reside in the VLAN internal, then you must associate the
  RADIUS pool with a virtual server that is routable to those addresses
  (such as 10.1.1.99). This causes the source address of the RADIUS
  traffic to be the self IP address of VLAN internal, rather than the virtual
  server address.
Objects to create (table columns: Object, Configuration utility screen):
Monitors, Profiles, Profiles, Pools, Virtual Servers.
28
Load Balancing Diameter Application Requests
To implement Diameter load balancing, you must have a user account with
the Administrator, Resource Administrator, or Manager user role assigned
to the account. You must also have access to the administrative partition in
which the local traffic objects will reside when you create them. For
information on creating partitions, as well as managing partitions and
partition access, see Chapter 23, Configuring Administrative Partitions to
Control User Access.
For more detailed, background information on configuring Diameter-related
local traffic objects, see the Configuration Guide for BIG-IP Local
Traffic Manager.
Chapter 28
Virtual server settings (table columns: Setting, Required Value):
Name, Destination, Diameter Profile, Default Pool.
4. Click Finished.
After you have created the virtual server, you can test the configuration by
attempting to pass Diameter traffic through the virtual server.
Glossary
active unit
In a redundant system configuration, the active unit is the system that
currently load balances connections. If the active unit in the redundant
system configuration fails, the standby unit assumes control and begins to
load balance connections. See also redundant system configuration.
ARP (Address Resolution Protocol)
ARP is an industry-standard protocol that determines a host's Media Access
Control (MAC) address based on its IP address.
authentication
Authentication is the process of verifying a user's identity when the user is
attempting to log on to a system.
authentication iRule
An authentication iRule is a system-supplied or user-created iRule that is
necessary for implementing a PAM authentication module on the BIG-IP
system. See also iRule, PAM (Pluggable Authentication Module).
authentication module
An authentication module is a PAM module that you create to perform
authentication or authorization of client traffic. See also PAM (Pluggable
Authentication Module).
authentication profile
An authentication profile is a configuration tool that you use to implement a
PAM authentication module. Types of authentication modules that you can
implement with an authentication profile are: LDAP, RADIUS, TACACS+,
SSL Client Certificate LDAP, and OCSP. See also PAM (Pluggable
Authentication Module).
authorization
Authorization is the process of identifying the level of access that a
logged-on user has been granted to system resources.
BIND (Berkeley Internet Name Domain)
BIND is the most common implementation of the Domain Name System
(DNS). BIND provides a system for matching domain names to IP
addresses. For more information, refer to
http://www.isc.org/products/BIND.
certificate
A certificate is an online credential signed by a trusted certificate authority
and used for SSL network traffic as a method of authentication.
external VLAN
The external VLAN is a default VLAN on the BIG-IP system. In a basic
configuration, this VLAN has the administration ports locked down. In a
normal configuration, this is typically a VLAN on which external clients
request connections to internal servers.
failover
Failover is the process whereby a standby unit in a redundant system
configuration takes over when a software failure or a hardware failure is
detected on the active unit.
floating self IP address
A floating self IP address is an additional self IP address for a VLAN that
serves as a shared address by both units of a BIG-IP redundant system
configuration.
forwarding virtual server
A forwarding virtual server is a virtual server that has no pool members to
load balance. The virtual server simply forwards the packet directly to the
destination IP address specified in the client request. See also virtual server.
gateway pool
A gateway pool is a pool of routers that you can create to forward traffic.
After creating a gateway pool, you can specify the pool as a gateway, within
a TMM routing table entry.
health monitor
A health monitor checks a node to see if it is up and functioning for a given
service. If the node fails the check, it is marked down. Different monitors
exist for checking different services.
ICMP (Internet Control Message Protocol)
ICMP is an Internet communications protocol used to determine information
about routes to destination addresses.
interface
The physical port on a BIG-IP system is called an interface.
internal VLAN
The internal VLAN is a default VLAN on the BIG-IP system. In a basic
configuration, this VLAN has the administration ports open. In a normal
configuration, this is a network interface that handles connections from
internal servers.
iRule
An iRule is a user-written script that controls the behavior of a connection
passing through the BIG-IP system. iRules are an F5 Networks feature
and are frequently used to direct certain connections to a non-default load
balancing pool. However, iRules can perform other tasks, such as
implementing secure network address translation and enabling session
persistence.
Kerberos protocol
The Kerberos protocol is a network authentication protocol that allows
individuals communicating over a non-secure network to prove their
identity to one another in a secure manner. Kerberos is aimed primarily at a
client-server model, providing mutual authentication; both the user and the
server verify each other's identity.
LACP (Link Aggregation Control Protocol)
LACP is an industry-standard protocol that aggregates links in a trunk, to
increase bandwidth and provide for link failover.
Layer 1 through Layer 7
Layers 1 through 7 refer to the seven layers of the Open System
Interconnection (OSI) model. Thus, Layer 2 represents the data-link layer,
Layer 3 represents the IP layer, and Layer 4 represents the transport layer
(TCP and UDP). Layer 7 represents the application layer, handling traffic
such as HTTP and SSL.
LDAP (Lightweight Directory Access Protocol)
LDAP is an Internet protocol that email programs use to look up contact
information from a server.
LDAP authentication module
An LDAP authentication module is a user-created module that you
implement on a BIG-IP system to authenticate client traffic using a remote
LDAP server.
LDAP client certificate SSL authentication module
An LDAP client certificate SSL authentication module is a user-created
module that you implement on a BIG-IP system to authorize client traffic
using SSL client credentials and a remote LDAP server.
link aggregation
Link aggregation is the process of combining multiple links in order to
function as though it were a single link with higher bandwidth. Link
aggregation occurs when you create a trunk. See also trunk and LACP (Link
Aggregation Control Protocol).
partition
A partition is a logical container that you create, containing a defined set of
BIG-IP system objects. You use partitions to control user access to the
BIG-IP system. See also user role.
performance monitor
A performance monitor gathers statistics and checks the state of a target
device.
persistence profile
A persistence profile is a configuration tool for implementing a specific type
of session persistence. An example of a persistence profile type is a cookie
persistence profile.
pool
A pool is a logical group of pool members. The BIG-IP system load
balances requests to the pool members within a pool, based on the load
balancing method and persistence method you choose when you configure
the pool. See also node and pool member.
pool member
A pool member is one of the members of a load balancing pool. A pool
member name indicates a node IP address and a service number. See also
node.
port
A port can be represented by a number that is associated with a specific
service supported by a host. Refer to the Services and Port Index for a list of
port numbers and corresponding services.
port-specific wildcard virtual server
A port-specific wildcard virtual server is a wildcard virtual server that uses a
port number other than 0. See also wildcard virtual server.
pre-configured monitor
A pre-configured monitor is a system-supplied health or performance
monitor. You can use a pre-configured monitor as is, but you cannot modify
or delete one. See also monitor.
profile
A profile is a configuration tool containing settings for defining the behavior
of network traffic. The BIG-IP system contains profiles for managing
FastL4, HTTP, TCP, FTP, SSL traffic, as well as for implementing
persistence and application authentication.
profile setting
A profile setting is a configuration attribute within a profile that has a value
associated with it. You can configure a profile setting to customize the way
that the BIG-IP system manages a type of traffic.
profile type
A profile type is a category of profile that you use for a specific purpose. An
example of a profile type is an HTTP profile, which you configure to
manage HTTP network traffic.
protocol profile
A protocol profile is a profile that you create for controlling the behavior of
FastL4, TCP, UDP traffic.
RADIUS (Remote Authentication Dial-in User Service)
RADIUS is a service that performs remote user authentication and
accounting. Its primary use is for Internet Service Providers, though it can
also be used on any network that needs a centralized authentication and/or
accounting service for its workstations.
RADIUS authentication module
A RADIUS authentication module is a user-created module that you
implement on a BIG-IP system to authenticate client traffic using a remote
RADIUS server.
RAM cache
A RAM cache is a cache of HTTP objects stored in the BIG-IP system's
RAM that subsequent connections reuse to reduce the amount of load on the
back-end servers.
rate class
You create a rate filter from the Configuration utility or command line
utility. When you assign a rate class to a rate filter, a rate class determines
the volume of traffic allowed through a rate filter. See also rate shaping.
rate shaping
Rate shaping is a type of extended IP filter. Rate shaping uses the same IP
filter method but applies a rate class, which determines the volume of
network traffic allowed. See also rate class.
redundant system configuration
Redundant system configuration refers to a pair of units that are configured
for fail-over. In a redundant system configuration, there are two units, one
running as the active unit and one running as the standby unit. If the active
unit fails, the standby unit takes over and manages connection requests.
responder object
See OCSP responder object.
route domain
A route domain is a BIG-IP system object that allows you to isolate a type of
application traffic to a defined address space on the network.
router
A router is a Layer 3 networking device. If no VLANs are defined on the
network, a router defines a broadcast domain.
secure network address translation (SNAT)
See SNAT (secure network address translation).
self IP address
Self IP addresses are the IP addresses owned by the BIG-IP system that you
use to access the internal and external VLANs.
service
Service refers to services such as TCP, UDP, HTTP, and FTP.
session persistence
A series of related connections received from the same client, having the
same session ID. When persistence is enabled, a BIG-IP system sends all
connections having the same session ID to the same node, instead of load
balancing the connections. Session persistence is not to be confused with
connection persistence.
Setup utility
The Setup utility walks you through the initial system configuration process.
You can run the Setup utility from the Configuration utility start page.
simple persistence
See source address affinity persistence.
SNAT (Secure Network Address Translation)
A SNAT is a feature you can configure on the BIG-IP system. A SNAT
defines a routable alias IP address that one or more nodes can use as a
source IP address when making connections to hosts on a network.
SNMP (Simple Network Management Protocol)
SNMP is the Internet standard protocol, defined in STD 15, RFC 1157,
developed to manage nodes on an IP network.
tagged interface
A tagged interface is an interface that you assign to a VLAN in a way that
causes the system to add a VLAN tag into the header of any frame passing
through that interface. Tagged interfaces are used when you want to assign a
single interface to multiple VLANs. See also VLAN (virtual local area
network).
TMM (Traffic Management Microkernel) service
The TMM service is the process running on the BIG-IP system that
performs most traffic management for the product.
transparent node
A transparent node appears as a router to other network devices, including
the BIG-IP system.
trunk
A trunk is a combination of two or more interfaces and cables configured as
one link.
user role
A user role is a type and level of access that you assign to a BIG-IP system
user account. By assigning user roles, you can control the extent to which
BIG-IP system administrators can view or modify the BIG-IP system
configuration.
virtual address
A virtual address is an IP address associated with one or more virtual servers
managed by the BIG-IP system. See also virtual server.
virtual port
A virtual port is the port number or service name associated with one or
more virtual servers managed by the BIG-IP system. A virtual port number
should be the same TCP or UDP port number to which client programs
expect to connect.
virtual server
A virtual server is a specific combination of virtual address and virtual
port, associated with a content site that is managed by a BIG-IP system or
other type of host server.
VLAN (virtual local area network)
A VLAN is a logical grouping of interfaces connected to network devices.
You can use a VLAN to logically group devices that are on different
network segments. Devices within a VLAN use layer 2 networking to
communicate and define a broadcast domain.
VLAN group
A VLAN group is two or more VLANs that you put together into a VLAN
group. A primary use of a VLAN group is to successfully route traffic when
both the source and the destination hosts reside on the same network.
VLAN name
A VLAN name is the symbolic name used to identify a VLAN. For
example, you might configure a VLAN named marketing, or a VLAN
named development. See also VLAN (virtual local area network).
VLAN tag
A VLAN tag is an IEEE-standard identification number inserted into the
header of a frame to indicate the VLAN to which the destination device
belongs. VLAN tags are used when a single interface forwards traffic for
multiple VLANs.
wildcard virtual server
A wildcard virtual server is a virtual server that uses an IP address of
0.0.0.0, * or "any". A wildcard virtual server accepts connection requests
for destinations outside of the local network. Wildcard virtual servers are
included only in Transparent Node Mode configurations.
Index
A
access
to partitions 23-5
access control
configuring 24-7
tailoring 23-1
access control combinations 24-8
access control groups
See partitions.
access control process
See authorization steps.
access levels
for partition Common 23-2
See also user access.
access-control properties
configuring 24-6
Access-Request packets 25-9
ACK packets 2-2, 2-6
Active Directory remote authentication 24-2
adaptive connection reaping 22-2, 22-3
adaptive reaper 22-9
additional information
for Bigpipe Utility Reference Guide 1-2
for Configuration Guide for BIG-IP Local Traffic Manager 1-2
for Configuration Worksheet 1-2
for Installation, Licensing, and Upgrades for BIG-IP Systems 1-2
for Platform Guide 1-2
for TMOS Management Guide for BIG-IP Systems 1-2
address translation 2-1, 2-2, 8-5
admin account 23-2
administrative partitions
and route domains 6-6
defined 23-1
Administrator role
and object management 23-4
Administrator role access 23-2
aggregation, of links 18-1
application traffic
isolating 6-1
ARP protocol 2-5
authentication
for remote user accounts 24-1
authentication attributes 24-9, 24-10
authentication module types 25-8
authentication server types 24-2
authentication servers
as pool members 27-1
authorization data
propagating 24-1
authorization failure 24-9
authorization levels
determining 23-3
authorization properties
configuring 24-6
authorization steps 23-2
B
Back Orifice attacks 22-12
BIG-IP system
adding to network 4-1
configuring for same network 4-3
to replace switches 4-2
BIG-IP system bypass 2-1
BIG-IP system objects 23-1
bigpipe -? command 24-8
bigpipe shell
and user roles 23-2
broadcast addresses 2-4
built-in switching
for multiple customer hosting 5-5
C
cache servers 7-1
certificate installation 13-1
Certificate Revocation List Distribution Point protocol
See CRLDP authentication module.
certificates
requesting from CAs 12-3, 13-2
client credentials 25-8
client requests
and BIG-IP system 2-6
decrypting 12-7
Client SSL profiles
assigning 12-7, 13-8
creating 12-4, 13-4
defined 12-1, 13-1
command line interface
See bigpipe shell.
common configuration 7-1
compression
and iRules 11-1
and RAM Cache 14-1
configuring 13-5
compression tasks 11-1
configuration data
importing and exporting 24-11
configuration examples, Internet 3-1
Configuration utility
and online help 1-5
and Welcome screen 1-5
Configuration Worksheet 1-2
connection flooding 22-9
Index - 1
D
data attacks 22-11
data center topology 4-1
data compression
and RAM Cache 14-1
data propagation 24-7, 24-11
default HTTP profiles
described 10-1
using 9-1
default persistence profiles
described 10-1
using 9-1
default routes
for nPath routing 2-2
setting 2-2, 17-4
default wildcard servers 7-2
Denial-of-Service attacks 22-1, 22-8
E
e-commerce traffic
load balancing 3-1
expressions
for packet filtering 19-1
F
Fast L4 profiles
assigning 2-4
creating 2-2, 2-3
for nPath routing 2-2
files
including and excluding 11-1
FIN packets 2-2
flooding 22-9
formatting conventions 1-3
FTP monitors 15-2, 16-2
FTP pools
assigning 15-4
creating 15-3, 16-3
FTP profiles
assigning 15-4
defined 15-1
FTP traffic 15-1
FTP virtual servers
creating 15-4, 16-5
G
gateways
and nPath routing 2-5
groups
assigning privileges to 24-7
for user access control 24-1
Guest role tasks 23-3
H
health monitors
for Diameter servers 28-2
for remote authentication servers 27-1
help, online 1-5
high demand objects 14-1
high-water mark
See adaptive connection reaping.
hosting services
using route domains 6-1
HTTP compression tasks 11-1
HTTP connections 10-3
HTTP headers 14-1
HTTP methods 14-1
HTTP pools
assigning for compression 11-3, 28-4
assigning for RAM Cache 14-3
assigning for source address persistence 9-3
creating for cookie persistence 10-3
creating for source address persistence 9-2
HTTP profiles
creating for compression 11-2, 13-5
creating for LDAP authentication 25-16
creating for RAM Cache 14-2
defined 10-1
described 9-1
HTTP RAM Cache
See RAM Cache.
HTTP traffic
controlling for compression 11-1
controlling for cookie persistence 10-1
controlling for source address persistence 9-1
HTTP virtual servers
creating for compression 11-3
creating for cookie persistence 10-3
creating for source address persistence 9-3
HTTPS pools
assigning 12-7, 13-8
creating 12-6, 13-7
HTTPS traffic 12-7
HTTPS virtual servers
creating 12-7, 13-8
I
ICMP floods 22-9
idle timeout values 2-2, 2-3
inbound traffic 8-3
inheritance prevention
for monitors 20-5
interfaces
and partitions 23-2
assigning as tagged 5-2
using link aggregation 18-1
Internet connections
adding more 8-1
example 8-1
load balancing 8-1
intranet configuration 7-1
creating 7-2
IP address translation 2-1
IP addresses
and loopback interfaces 2-5
and nPath routing 2-5
duplicating on network 6-1
removing from VLANs 18-7
IP aliases and nPath routing 2-5
IP network
changing 4-1
IP network topology
with single interface 4-1, 17-1
IP packets
recognition by clients 17-5
routing incorrectly 2-5
IPV6 nodes 21-2
iRules
for compression 11-1
K
key installation 13-1
L
L2 forwarding 4-1
LACP protocol 18-3
Land attacks 22-10
LDAP configuration objects
defined 25-2
LDAP profile type
defined 25-6
LDAP remote authentication 24-2
link aggregation
about 18-1
and network configurations 18-6
and VLAN groups 18-7
configuring 18-2
local traffic objects
and route domains 6-6
loopback interfaces 2-2, 2-5
low-water mark
See adaptive connection reaping.
M
Manager role access 23-2
Manager role tasks 23-3
monitor inheritance 20-4
monitor settings 20-1
monitor types 20-1
monitors
assigning to pools 20-4
creating 20-3
creating for FTP servers 16-2
defined 20-1
for Diameter load balancing 28-2
for FTP servers 15-2
removing 20-5
MS Loopback interface 2-5
multiple customer hosting
about 5-1, 6-1
configuring 5-2, 6-2
creating pools for 5-3
creating VLAN tags for 5-2
using built-in switching 5-5
N
NAS-Identifier string 25-9
netmask 2-4
network
changing 4-1
network adapter list 2-5
network configurations
and link aggregation 18-2, 18-6
for IP network topology 17-1
network objects
and route domains 6-6
network prefixes 21-1
network traffic
and additional connections 8-1
and packet filters 19-1
managing 2-1
network traffic authentication types 25-1
node configuration
and radvd service 21-1
nodes
and Operator role 23-3
nPath routing 2-1, 2-5
nPath routing tasks 2-2
numeric values
for user privileges 24-9
O
object creation
and partition location 23-5
object re-use 14-1
objects
and Guest role 23-3
defined 23-1
demand for 14-1
viewing and managing 23-4
OCSP authentication module
See SSL OCSP authentication module.
OCSP responder objects
creating 25-18
one-network topology 18-6
Online Certificate Status Protocol
See SSL OCSP authentication module.
online help 1-5
Operator role tasks 23-3
Other External Users account 24-6
outbound throughput
increasing 2-1
P
packet filter rules
creating 19-4
purpose of 19-1
packet filters 19-1, 19-4
packets
forwarding and rejecting 19-1
receiving and copying 4-4
recognition by clients 17-5
partition access
configuring 23-3
Partition Access list 23-4
partition Common
described 23-2
partition contents 23-1
partition property 24-6
partitioned objects
creating 23-5
described 23-2
partitions
and user roles 23-2
benefits of 23-2
creating 23-2
defined 23-1
selecting 23-5
password credentials 25-8
performance monitors 20-2
permissions
determining 23-1
See also user access.
persistence 2-6
implementing 9-1
See also cookie persistence.
persistence profiles
assigning for compression 13-8
assigning for FTP 15-4
assigning for HTTP 10-4
assigning for HTTPS 12-7
assigning for RAM Cache 14-3
creating 10-2
Ping of Death attacks 22-10
Platform Guide 1-2
pool member exclusion 20-4, 20-5
pool members
and Operator role 23-3
pools
creating for a basic configuration 7-2
creating for Diameter load balancing 28-3
creating for e-commerce 3-1, 3-2
creating for FTP servers 15-3
creating for HTTP 9-2, 10-3
creating for HTTPS 12-6, 13-7
creating for intranet configuration 7-2
creating for ISP load balancing 8-2
creating for link aggregation 18-4
creating for monitors 20-4
creating for multiple customer hosting 5-3
creating for nPath routing 2-4
creating for rate shaping 16-3
creating for routers 19-2
creating for single network 17-2
of web servers 4-5
port translation 2-2
ports
for e-commerce 3-1
pre-configured monitors 20-1
privileges
assigning 24-7
configuring 24-6
for individual accounts 24-6
See also access control.
profiles
creating for HTTP 11-2, 25-16
protocols
for remote authentication servers 25-1
R
RADIUS authentication module
implementing 25-8
RADIUS authentication profiles
assigning 25-10
RADIUS configuration objects
creating 25-9
specifying in profile 25-10
RADIUS configuration overview 25-8
RADIUS profiles
creating 25-10
RADIUS secret 25-8
route domains
and administrative partitions 6-2, 6-6
and BIG-IP system objects 6-6
and duplicate IP addresses 6-1
defined 6-1
router pools 19-2
routers
increasing throughput 2-1
routes
for nPath routing 2-5
for packets 4-5
routing conflicts 4-5
RTO 2-6
S
SCF
purpose of 24-11
SCFs
creating 24-11
secondary RADIUS servers
configuring 24-4
self IP addresses
and partitions 23-2
creating 18-8
creating for VLAN groups 4-5
for external VLAN 8-5
removing 4-3, 18-7
self-signed certificates 12-2, 13-2
server hosting 3-1
server load 14-1
server pools
for nPath routing 2-4
server responses
encrypting 12-1, 12-7, 13-1
session persistence
implementing 9-1
See also cookie persistence.
See also source address affinity persistence.
simple persistence
See source address affinity persistence.
Single Configuration File
and access control 24-1
See SCF.
Smurf attack 22-9
SNAT Automap
about 8-1
for VLANs 8-5
SNAT source translations 17-1
SNATs
creating 19-2
source address affinity persistence 9-1
source address translation 2-1
source IP addresses
and session persistence 9-2
SSL certificates
importing 24-2
SSL Client Certificate LDAP configuration objects
creating 25-15
SSL Client Certificate LDAP profiles
creating 25-16
SSL handshaking
for compression 13-1, 13-2
for HTTPS 12-1, 12-2, 12-7
SSL keys and certificates
creating 12-2, 13-2
installing 13-1
SSL OCSP authentication module
defined 25-18
SSL OCSP configuration objects
creating 25-19
SSL OCSP profile type
defined 25-19
SSL OCSP responder objects
creating 25-18
SSL profiles
See Client SSL profiles.
SSL traffic authentication 24-2
state keeping 22-8
static content 14-1
style conventions 1-3
Sub 7 attacks 22-11
SYN Check feature, activating 22-9
SYN cookies 22-8, 22-9
SYN floods 22-8
SYN packets 2-2, 2-6
system access
controlling 23-1
system object creation
and partition location 23-5
system objects
viewing and managing 23-4
system resource exhaustion 22-8
T
TACACS+ configuration object
defined 25-12
TACACS+ configuration overview 25-12
TACACS+ profiles
creating 25-13
tagged interfaces 5-2, 18-1
TCP connections 22-8
TCP timers 2-6
TCP traffic
and nPath routing 2-2, 2-6
tcpdump utility 19-1
Teardrop attacks 22-11
terminal access property 24-6
throughput
increasing 2-1
U
UDP floods 22-9
UDP fragment attacks 22-10
UDP timers 2-6
UDP traffic
and nPath routing 2-6
universal access 23-5
URIs
including and excluding 11-1
user access
configuring 23-3
denial of 24-8
tailoring 23-1
to partition Common 23-2
user account duplication 24-7
user account objects
and manager role 23-3
user account properties
modifying 23-3
user accounts
defined 23-1
user authentication
configuring 24-1
user name credentials 25-8
user partition property 24-6
user privileges
assigning 24-7
user role property 24-6
user roles
and Diameter load balancing 28-1
and partition access 23-2
and route domains 6-2
defined 23-1
for partition creation 23-2
V
variable substitution
for access control 24-8
vendor-specific attributes 24-7, 24-8
virtual authentication servers
and VLANs 27-2
defined 27-1
virtual server addresses 2-2
W
web server arrays 3-1
web server pools
creating 4-5
Welcome screen 1-5
wildcard virtual servers
defined 7-2
WinNuke attacks 22-11