F5 configuration
F5 configuration guide
F5 configuration guide. 1. Ways to log in to the F5: a. Web interface: https://xx.xx.xx.xx (the client must be on the same network segment). b. Command line: (1) after logging in to https://xx.xx.xx.xx, download the SSH client software; (2) console: connect a terminal to the F5's terminal port with a serial cable. The F5 has two management ports; their default IP addresses are 192.168.1.245/24 and 192.168.245.245/24. 2. Config configuration: besides using config, logging in over https and choosing the setup utility performs the same configuration. Default initial user/password: root/default. Log in with HyperTerminal (19200). After logging in, enter the config command; then choose a, press Enter, choose y, press Enter. The system asks you to choose a keyboard type: "Choose your keyboard type from the list below.: US - Standard 101 key". Next the system asks you to enter the root password, then the hostname. The following screen then appears: if there are two BIG-IPs, choose "it is a redundant BIG-IP system" (two units as a redundant pair); otherwise choose "it is not a redundant BIG-IP system". Taking two BIG-IPs as the example: one unit's unit number is 1 and the other's is 2; the failover IP is the peer BIG-IP's internal-network IP address, and the two units' settings mirror each other.
Next the system asks you to choose the port type; press C to continue. The following screen then appears, in which you can add, delete and re-divide VLANs (usually three VLANs: internal, external, admin; as you prefer). This screen asks whether encryption checking is performed on the port; usually disable it for the internal network and enable it for the external network. Both the internal and external networks need an alias (floating address): the internal alias serves as the servers' gateway, and the external alias serves as the VIP or proxy. Port numbers are assigned from top to bottom and from left to right. Next, configure the router's IP address here, and configure the web server; the server names of the three VLANs are the same as the hostname configured earlier. Then the system asks for the username and password used to log in to the web server over https, usually admin/admin. For the support password, DNS and NTP (time synchronization), just press Enter; these usually need no configuration.
F5 configuration manual (internal)
[Value range] Must conform to the DNS domain-name standard. The host part begins with a letter and is a string of at least 2 characters.
[Example] Primary unit: ljxc-3600-1
Standby unit: ljxc-3600-2
Available modes:
Single Device: standalone mode; Redundant Pair: dual-unit mode
[Configured value] Redundant Pair
Figure 2-4 Reboot prompt
F5 Networks
2. Click "OK". The Dossier generation screen opens.
3. Choose "Copy/Paste Text". The string of digits and letters to the right of "Step1: Dossier" on the page is the Dossier file, as shown in Figure 2-5.
Figure 2-5 Generating the Dossier (Copy/Paste Text)
At this point the configured IP address appears on the LCD screen.
If, after changing the IP address with the LCD keys, the address does not change successfully (for example, an all-zero IP address appears), the management-port IP address may conflict with an IP already configured in the system. In that case, power the unit off and on, then choose a different IP address or network segment for the management port.
----End
The IP address that the F5 uses to interconnect with other devices; each F5 unit's Internal-VLAN Self IP is different.
The floating address of the two F5s on the Internal VLAN. This address moves to whichever BIG-IP is Active and is mainly used as the next-hop gateway address of the back-end servers. In the redundant structure, the Internal VLAN Shared IP address is the same on both F5s.
1.1.2 VLAN division
Based on the current network's topology, three VLANs need to be created on the F5, as shown in Table 1-1.
F5 load balancing O&M configuration manual V1.0
F5 load balancing O&M configuration manual. Security and Terminal Product Development Department, 14 July 2010. Version: V1.0. Change record: V1.0, 14 July 2010, completed; added the configuration of F5 Nodes, Pools and VSs.
Preface: this manual covers the specific use and configuration of the F5 load balancer web interface.
This manual is written for F5 load balancer version V9.
Contents: Chapter 1: F5 load balancer network configuration; Chapter 2: F5 load balancer application configuration; Chapter 3: F5 load balancer O&M management.
Chapter 1: F5 load balancer network configuration. (1) F5 load balancer network configuration. 1. Enter https://192.168.112.148 in the IE browser. 2. After pressing Enter, a security warning appears; click YES.
3. In the dialog box that pops up, enter the username and password.
4. After entering the F5 web interface, click the Network option.
This option lets you configure the F5's default route, custom routes, VLANs, interface addresses and the corresponding ports.
5. After clicking VLANs on the left, the screen shows: there are currently 6 VLANs: 2 for China Telecom (CTC, CTC02), 2 for China Netcom (CUC, CUC02), 1 for communication between the two F5 units (HA), and 1 directly connected to the NOKIA firewall and attached to our company's intranet (internal).
Click Create to create a new VLAN and map it to the corresponding port.
Define routes.
To create a new route, click the Add option on the right.
Create option.
This completes the network configuration.
Chapter 2: F5 load balancer application configuration. (2) F5 load balancer application configuration: mapping one intranet server to one external IP. 1. Click next to Nodes, or on the right, to create a new Node.
2. In the creation screen, configure as follows: (1) add the application's intranet IP address (Address); (2) add the application's name (Name). 3. Click Local Traffic, then Pools; the right side shows the Pools already created.
Click next to Pools, or on the right, to create a new Pool.
(1) Change Configuration to Advanced. (2) Enter a name (Name). (3) Choose the health monitor type (Health Monitors) according to the application type: at the most basic, choose gateway_icmp from the Available drop-down; for a specific application port, choose the F5's corresponding port-monitor template or define a custom port-check type.
F5 load balancer O&M guide
F5 command-line configuration manual
bigstart: Restarts the SNMP agent bigsnmpd.
bigtop: Displays real-time statistics.
config: Configures the IP address, network mask, and gateway on the management (MGMT) port. Use this command at the BIG-IP system prompt prior to licensing the BIG-IP system, and do not confuse it with the bigpipe config command or the BIG-IP Configuration utility.
halt: Shuts down the BIG-IP software application.
hostname: Displays the name you have given to the BIG-IP system.
printdb: Prints the values of one or more entries in the bigdb database.
reboot: Reboots the BIG-IP system.
ssh and scp: Access command line interfaces on other SSH-enabled devices, and copy files to or from a BIG-IP system.
Customizing the bigpipe shell prompt name:
bp> shell prompt <string>
bp> shell prompt BIG-IP>
The system shell prompt becomes: BIG-IP>
This feature gets around that restriction: prefix Linux commands with "!".
BIG-IP>!ls // list the directory
BIG-IP>!ifconfig // show the interface configuration
•Routes
•Self IP addresses
•Packet Filters
•Trunks (802.3ad Link Aggregation)
•Spanning Tree Protocol (STP)
•VLANs and VLAN groups
•ARP
Configuring packet filtering. Command: bigpipe packet filter. You can define packet-filter rules to provide access control, rate shaping and auditing.
Configuring routes. Command: route (<route key list> | all | inet | inet6)
The F5 equivalent of "show tech":
[root@XXXX:Standby] config # qkview
Getting systemwide backup configuration files.
Getting AOM information.
Getting last 175 lines of log files.
Getting last 175 lines of gzipped log files.
Getting md5 sum information.
Getting core file list.
Getting Public Certificate information.
Getting tmctl information.
completed...
6 of 161 checks produced no data
Diagnostic information has been saved in file /var/tmp/-tech.out
Please send this file to **************.
bigtop - display real-time statistics
-bytes display counts in bytes (vs bits)
-pkts display counts in packets (vs bits)
-reqs display counts in requests (vs connections)
-vips <n> number of virtual servers to print
-nodes <n> number of nodes to print
-once print once and exit
-delay <n> number of seconds between samples (default 4)
-scroll disable full-screen mode
-nosort disable sorting
-conn sort by connection count (vs byte count)
-delta sort by count since last sample (vs total)
-n print IP address and services in numeric format
-vname display virtual servers by name (vs IP address)
-help, -h print this message
Log file system
1. Access the BIG-IP system prompt.
2. Stop the BIG-IP system or put the system into a safe condition such as standby mode using the bigstart stop command.
3. Type the following command: resize-logFS
This command prompts you for the desired file size in gigabytes.
4. At the prompt, type an integer. The minimum allowed value is 1, and the maximum allowed value is 10. A prompt appears that allows you to confirm the specified file size.
5. Type Y. A message appears, notifying you of the need for the BIG-IP system to perform a reboot, followed by a prompt, which allows you to permit the reboot operation. Note: Prior to rebooting, the BIG-IP system verifies that the integer you typed in step 3 is within the allowed range, and checks to ensure that enough disk space exists for the specified size.
6. Type Y. A confirmation prompt appears.
7. Type Y. The system displays messages indicating that the reboot operation is about to occur.
8.
Wait for the reboot operation to finish. When the system becomes available again, the newly-specified disk space for the log file will be in effect.
WARNING: Do not delete the files /shared/.LoopbackLogFS and /shared/LogFS_README, because this action deletes all of your log files.
Enabling/disabling a virtual server or virtual address
To enable or disable a virtual server, use the appropriate command syntax:
bp> virtual <virtual addr>:<virtual port> enable | disable
To enable or disable a virtual address, use the appropriate command syntax:
bp> virtual address <virtual addr> enable | disable
Removing a single node from service
You can remove an individual node from service, or return an individual node to service, from the bigpipe shell command line.
To remove an individual node from service, use the following command:
bp> node <node addr>:<node port> down
To return an individual node to service, use this command:
bp> node <node addr>:<node port> up
Viewing and modifying the F5 system configuration files
You can use an editor to edit or view these files. When a browser is not available, modifying the configuration files directly is sometimes necessary; this requires F5's browserless configuration mode and command-line configuration mode. Important: after you edit bigip.conf or bigip_base.conf, and before you restart the MCPD service, you must run bigpipe load to ensure that the MCPD service uses the current configuration data.
alert.conf: Stores definitions of SNMP traps (system default alerts).
user_alert.conf: Stores definitions of SNMP traps (user-defined alerts).
/config/bigip.conf: Stores all configuration objects for managing local application traffic, such as virtual servers, load balancing pools, profiles, and SNATs. Note that after you edit bigip.conf, and before you restart the MCPD service, you must run the bigpipe load command.
/config/bigip_base.conf: Stores BIG-IP self IP addresses and VLAN and interface configurations.
Note that after you edit bigip_base.conf, and before you restart the MCPD service, you must run the bigpipe load command.
/config/bigip.license: Stores authorization information for the BIG-IP system.
/etc/bigconf.conf: Stores the user preferences for the Configuration utility.
/config/bigconfig/openssl.conf: Holds the configuration information for how the SSL library interacts with browsers, and how key information is generated.
/config/user.db: Holds various configuration information. This file is known as the bigdb database.
/config/bigconfig/httpd.conf: Holds configuration information for the web server.
/config/bigconfig/users: The web server password file. Contains the user names and passwords of the people permitted to access whatever is provided by the web server.
/etc/hosts: Stores the hosts table for the BIG-IP system.
/etc/hosts.allow: Stores the IP addresses of workstations that are allowed to make administrative shell connections to the BIG-IP system.
/etc/hosts.deny: Stores the IP addresses of workstations that are not allowed to make administrative shell connections to the BIG-IP system.
/etc/rateclass.conf: Stores rate class definitions.
/etc/ipfwrate.conf: Stores IP filter settings for filters that also use rate classes.
/etc/snmpd.conf: Stores SNMP configuration settings.
/etc/snmptrap.conf: Stores SNMP trap configuration settings.
/config/ssh: Contains the SSH configuration and key files.
/etc/sshd_config: This is the configuration file for the secure shell server (SSH). It contains all the access information for people trying to get into the system by using SSH.
/config/routes: Contains static route information.
[root@ISAG-2:Standby] config # find_keys
ISAG-2 kjournald starting. Commit interval 5 seconds
ISAG-2 kjournald starting. Commit interval 5 seconds
Found license key JTPBO-CHRSX-DGBIO-HOAHJ-MOZJEVA
License file location is: /sda.1/config/bigip.license
Found license key JTPBO-CHRSX-DGBIO-HOAHJ-MOZJEVA
Unmounting unneeded partitions...
ISAG-2 kjournald starting. Commit interval 5 seconds
ISAG-2 <6>EXT3-fs: mounted filesystem with ordered data mode.
ISAG-2 <6>kjournald starting. Commit interval 5 seconds
complete
Above information can be found in /tmp/keys.out
Managing Local Application Traffic
•Setting up load balancing
•Controlling HTTP traffic
•Implementing HTTP and TCP optimization profiles
•Authenticating application traffic
•Implementing persistence
•Enhancing the performance of the BIG-IP system
•Managing health and performance monitors
•Implementing iRules
Setting up virtual server load balancing
1. Decide what types of traffic you want the BIG-IP system to manage, as well as whether you want to implement session persistence, connection persistence, and remote authentication.
2. For each decision in step 1, decide whether you want to use the corresponding default profile that the BIG-IP system provides, or whether you want to create a custom profile.
3. Access the bigpipe shell.
4. If you want to create custom profiles, use the profile command, specifying the appropriate type of profile as an argument. If you do not want to create custom profiles, skip this step.
5. Create one or more load balancing pools, using the pool command.
6. Create a virtual server, using the virtual command, and assign to it any profiles and pools that you created. If you are using default profiles, some of those profiles might already be assigned to the virtual server by default.
Configuring a clone pool
Clone pools are designed for intrusion detection. You can assign a clone pool to a VS; the clone pool receives all the traffic the normal pool receives, so you can copy traffic to an intrusion detection system.
1. Access the bigpipe shell.
2. Use the virtual command to create or modify a virtual server, specifying a value for the clone pool argument.
Configuring a last hop pool
By default, the BIG-IP system automatically enables the auto last hop feature. If you want to disable it and define a last-hop router manually, you can create a last hop pool and assign it to a VS.
1. Access the bigpipe shell.
2. Use the pool command to create a last hop pool that contains the router inside addresses.
3.
Use the lasthop pool argument with the virtual command to assign the last hop pool to a virtual server. If you have not assigned an SSL profile to the virtual server, use the profile argument with the virtual command to assign the profile to the virtual server.
Configuring SNATs
There are two basic ways to create a SNAT: you can map a translation address directly to one or more original IP addresses, or you can configure a SNAT pool and map that SNAT pool to an original IP address; in newer versions the BIG-IP automatically selects a translation address from the SNAT pool. Note that you can assign these types of mappings from within an iRule.
To map a single translation address to an original address
1. Access the bigpipe shell.
2. Designate an IP address as a translation address, using the snat translation command.
3. Map the translation address to one or more original IP addresses, using the snat command or the rule command.
To map a SNAT pool to an original address
1. Access the bigpipe shell.
2. Create a pool of translation addresses (that is, a SNAT pool), using the snatpool command.
3. Map the SNAT pool to one or more original IP addresses, using either the snat command or the rule command.
Configuring HTTP traffic
You can configure the BIG-IP to control HTTP traffic: HTTP compression, HTTP request redirection, HTTP request rewriting, inserting and erasing HTTP headers, enabling or disabling cookie encryption and SYN cookie support, the HTTP Class profile, and unchunking/rechunking of HTTP response data.
Configuring HTTP compression
Configuring the BIG-IP system to compress HTTP server responses:
1. Access the bigpipe shell.
2. Configure the compression-related settings of an HTTP profile, using the profile http command.
3. Assign the HTTP profile to a virtual server, using the virtual command.
Redirecting HTTP requests
You can configure an HTTP profile to redirect HTTP requests, defining a fallback host in that profile.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the fallback argument. You can specify either a URI or the default fallback host, or you can specify that you want no HTTP redirection.
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.
Rewriting HTTP redirections
You can configure an HTTP profile to rewrite HTTP redirections.
1. Access the bigpipe shell.
2.
Using the profile http command, create or modify an HTTP profile, specifying a value for the redirect rewrite argument. For example, to create a profile that only rewrites URIs matching the originally requested URI (minus an optional trailing slash), use the following syntax:
profile http myHTTPprofile { redirect rewrite matching }
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.
Inserting and erasing HTTP headers
You can configure an HTTP profile to insert a header into HTTP requests, or to erase a header from HTTP requests.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for either the header insert, header erase, or insert xforwarded for options.
3. Verify that the HTTP or Fast HTTP profile you created or modified is assigned to a virtual server.
Enabling or disabling cookie encryption
You can use two options of the http profile to enable or disable cookie encryption.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the encrypt cookie and cookie secret options.
3.
Verify that the HTTP profile you created or modified is assigned to a virtual server.
Enabling or disabling SYN cookie support
To manage DoS attacks, you can enable or disable SYN cookie support by configuring the SYN cookie option in a Fast L4 profile.
◆If the BIG-IP system includes Packet Velocity ASIC (PVA) technology, use the profile fastl4 command and specify the hardware syncookie (enable | disable | default) option. You can also set the following variables as required with the db command:
•pva.SynCookies.Full.ConnectionThreshold (default: 500000)
•pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
•pva.SynCookies.ClientWindow (default: 0)
Note that the hardware syncookie feature is currently available only on the D84 and D88 platforms; on other platforms it has no effect. So if you set the software syncookie feature on a D84 or D88, SYN cookies are handled only in software.
◆If the BIG-IP system does not include Packet Velocity ASIC (PVA) technology, use the profile fastl4 command and specify the software syncookie (enable | disable | default) option.
Configuring the HTTP Class profile
The BIG-IP system includes a profile type called the HTTP Class profile, which lets you classify HTTP traffic using criteria you define; when classifying traffic, the forwarding decision is based on inspecting the headers or content of the target traffic. If the BIG-IP system includes the Application Security Manager (ASM) or WebAccelerator module, you can configure the system to send HTTP traffic to that module first and then on to its final destination. For example, you can use an HTTP Class profile to instruct a virtual server to send traffic through ASM before forwarding it to the load balancing pool.
Unchunking and rechunking HTTP response data
If you want to monitor content, you can unchunk or rechunk HTTP responses simply by configuring the HTTP profile to enable unchunking.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile and specify the response argument.
3. Make sure that you have assigned the HTTP profile to a virtual server, using the virtual command.
Implementing session persistence
The persistence types you can configure are:
•Cookie
•Destination Address Affinity
•Microsoft Remote Desktop Protocol (MSRDP)
•Hash
•Session Initiation Protocol (SIP)
•Source Address Affinity
•SSL
•Universal
Steps:
1. Access the bigpipe shell.
2. Create a persistence profile, using the profile command, that corresponds to the type of persistence you want to implement.
3.
Assign the persistence profile to a virtual server, using the persist and fallback persist arguments with the virtual command.
Implementing connection persistence
To implement connection persistence, you can add a Keep-Alive header to HTTP/1.0 requests that do not already have one (HTTP/1.1 connections include Keep-Alive support by default). You can also enable the connection pooling feature, which keeps server-side connections open for reuse by other client requests. Keep-alive support and connection pools are enabled by modifying the HTTP or Fast HTTP profile; the same can be achieved by modifying the OneConnect profile.
To add Keep-Alive headers into HTTP requests
1. Access the bigpipe shell.
2. To ensure that HTTP connections stay open, use the profile http command and specify the oneconnect transformations argument. This ensures that the BIG-IP system inserts a Connection: Keep-Alive header into any HTTP/1.0 request that does not already contain one.
3. Make sure that you have assigned the HTTP or Fast HTTP profile to a virtual server, using the virtual command.
To enable connection pooling
1. Access the bigpipe shell.
2. Using the profile oneconnect command, configure a profile for connection pooling.
3. Assign the profile to a virtual server, using the profile argument with the virtual command.
Tip: you can also configure connection persistence through the Fast HTTP profile, using the fasthttp command in the bigpipe shell.
Enhancing BIG-IP performance
Setting connection QoS and packet ToS levels
You can use the bigpipe utility to set QoS and ToS levels, not only for all traffic destined for a load balancing pool but also for specific traffic types, such as Layer 4, TCP and UDP traffic.
1. Decide whether you want to set QoS and ToS levels for traffic targeted for an entire pool or for specific types of traffic, or both.
•If you want to set the QoS and ToS levels for an entire pool, access the bigpipe shell and use the pool command with one or more of the following arguments: link qos to client, link qos to server, ip tos to client, and ip tos to server.
•If you want to set the QoS and ToS levels for certain types of traffic, access the bigpipe shell and use the profile command to create or modify a Fast L4, TCP, or UDP profile.
2. Verify that the pool or the profile that you created or modified is assigned to a virtual server.
To do this, use the following syntax:
bp> virtual <virtual server name> list
Setting the idle timeout
Create or modify a Fast L4, Fast HTTP, TCP, or UDP profile.
1. Create or modify a Fast L4, Fast HTTP, TCP, or UDP profile, by accessing the bigpipe shell and using the profile command.
2. Specify the idle timeout argument to set a timeout value.
3. Verify that the profile you created or modified is assigned to a virtual server.
Implementing rate shaping
Rate classes are applied in a virtual server or in a packet filter rule.
1. Access the bigpipe shell.
2. Create one or more rate classes, using the rate class command.
3. Assign the rate classes to a virtual server or a packet filter rule, using either the virtual command or the packet filter command.
Implementing iRules
The iRules feature is powerful and flexible and notably extends the capabilities of the BIG-IP system. An iRule can reference any object, regardless of which partition that object resides in; for example, an iRule in partition A may contain a statement that specifies a pool in partition B.
1. Access the bigpipe shell.
2. Create an iRule using the rule command. You must include the name of the Tcl script and the script itself as arguments for the command.
3. Assign the iRule to a virtual server, using the virtual command in one of the following ways:
•To associate multiple iRules with a virtual server, use this syntax:
bp> virtual <virtual_server_name> rule <iRule1_name> \ <iRule2_name> ...
•To remove the assignment of an iRule from a virtual server, use this syntax:
bp> virtual <virtual_server_name> rule none
•To remove the iRule assignments from multiple virtual servers, use the following syntax. Note that you can remove the iRule assignments only from virtual servers that reside in the current Write partition or in partition Common.
bp> virtual all rule none
•To associate an existing iRule with multiple virtual servers, use the following syntax. Note that you can associate an iRule only with virtual servers that reside in the current Write partition or in partition Common.
bp> virtual all rule <iRule_name>
Important: In this case, the iRule becomes the only iRule that is associated with each virtual server in the current Write partition.
Because this command overwrites all previous iRule assignments, we do not recommend use of this command.
5400 operating manual
CoaxStripper 5400 coaxial cable stripper: brief operating instructions. Software version 1.00, Edition 2 (06 / 00). These Operating Instructions are valid for all PowerStrip types. Schleuniger AG, Bierigutstrasse 9, CH-3608 Thun, Switzerland, Tel. ++41 33 334 03 33, Fax ++41 33 334 03 34, sales@schleuniger.ch (Additional Schleuniger addresses see page 2). Keypad: forward, backward. f1-f5: these keys correspond to the functions shown at the bottom of the screen and have different functions on different screens. This key returns to the main menu or the previous screen. Delete key. Used to select among the available options. Number keys enter values; decimal point. Confirms an entered value or other information (Enter key). Plus/minus, or move up/down. Pressing the stop key stops the machine's production immediately; to power up fully again, use the power switch on the back of the machine. If the stop key is pressed together with other keys, the "single-step" function behaves as follows: in the main menu, press the stop key and then the f1 key.
The "single-step" function is activated.
Each press of f1 starts the next step; in the main menu, press the stop key and then the f5 key.
The "single-step" function is deactivated.
THE MENUS. The Main Menu: the CoaxStrip 5400 software consists of a main menu and 5 submenus.
When the machine is switched on, the main menu appears immediately on the screen.
Each submenu is activated and operated with the f1-f5 function keys.
The function keys correspond to the diagram currently shown above them on the screen.
If the diagram changes, the function of the keys changes too.
For example, f1 enters the "Programming" menu, while in the following diagram it is used to enter the cable outer diameter.
Menu "Schleuniger"; Menu CS (Diagnosis and Settings); Menu "Cable Lists"; Menu "Save/Load"; Menu "Programming". f1: enter the Programming menu; f2: enter the Save/Load menu; f3: enter the Cable Lists menu; f4: enter the Diagnosis and Settings menu; f5: enter the company directory. The Programming Menu: press f1 in the main menu to enter the "Programming" menu.
F5 load balancing configuration
Overview of F5 load balancer configuration. In distributed systems, load balancing is a common technique that distributes traffic across multiple servers to achieve better performance and reliability.
The F5 load balancer is a widely used hardware appliance that provides highly available, high-performance load balancing.
This article describes how to configure an F5 load balancer to build a reliable load-balancing environment.
Determining requirements. Before starting the configuration, we first need to determine our requirements.
These include, but are not limited to: 1. Service type: the type of service whose traffic we are distributing, for example web services or database services.
2. Load-balancing strategy: the strategy we will use, for example round robin or least connections.
3. Server configuration: the number and specification of the servers we will use.
In this article we use a web service as the example.
Installing the F5 load balancer. First, the F5 load balancer must be installed.
This process varies with the specific model and version; see the official F5 documentation for the exact installation steps.
Configuring the service. Once installation is complete, we can start configuring the service.
A basic configuration example: 1. Log in to the F5 load balancer's management interface.
2. In the main menu, choose "Virtual Services".
3. Click the "Add Virtual Service" button.
4. Configure the virtual service's properties, including name, port and protocol.
5. Configure the server pool, adding the servers that will receive the distributed traffic.
Servers can be added manually or with the auto-discovery function.
6. Configure the load-balancing algorithm, choosing a suitable strategy.
7. Finish the configuration, then save and apply the changes.
Configuring monitoring. To keep the load balancer reliable, monitoring must be configured.
The load balancer can then check server availability periodically and ensure that traffic is sent only to healthy servers.
A basic monitoring configuration example: 1. Log in to the F5 load balancer's management interface.
2. In the main menu, choose "Monitors".
3. Create a new monitor type, for example an HTTP check.
4. Configure the monitor properties, including the server IP and port, and the check interval and timeout.
5. Save and apply the changes.
Advanced configuration. Beyond the basic configuration, the F5 load balancer offers advanced options that can further optimize the performance and reliability of the load-balancing environment.
F5 Config
F5 Config. Contents: Part 1: FirePass initial installation and configuration: 1. Connecting the FirePass device; 2. Logging in to the FirePass device; 3. FirePass network configuration; 4. Configuring FirePass from the command line. Part 2: FirePass security resources and user group settings: 1. Adding a user group; 2. Adding users to a user group; 3. Adding a resource group; 4. Adding resources to a resource group; 5. Assigning access rights; 6. Test plan and method. Part 3: FirePass optimization feature configuration: 1. Customizing the login page; 2. Packet filtering; 3. Backup and configuration; 4. Device security configuration; 5. Timeout settings; 6. Brute-force password protection settings; 7. Limiting concurrent login sessions per account; 8. Logs and reports; 9. System monitoring; 10. RSA token third-party authentication; 11. Endpoint security checks; 12. Failover device redundancy. Part 1: FirePass initial installation and configuration. Preparation before installation: 1. Prepare a screwdriver, rack screws, network cables and so on; mount the device in the rack, record the FirePass serial number and photograph the unit.
2. Connect the power cable, turn on the power switch, open the front panel of the FirePass 4140, turn on the power switch button on the device, then press the button marked with a check mark on the front panel to start the unit. 1. Connecting the FirePass device: 1. Connect a PC to the Management interface of the FirePass 4100 with a crossover cable; 2. Change the PC's address to any address in 192.168.0.0/24 other than 192.168.0.99 (the default IP of the FirePass Management interface); 3. Turn on the FirePass 4100 power switch (on the left of the rear panel), then press the "√" button on the front panel; the FirePass 4100 takes about 5 minutes to start.
Note: after the system starts, the LCD cycles through three kinds of information: the management port's IP address and fully qualified domain name; the date and time; the software version and build numbers. 2. Logging in to the FirePass device: 1. Open a browser and enter https://192.168.0.99/admin/; a certificate warning appears; click "Yes"; 2. The login page appears; the default username is admin and the password is admin; 3. After entering the FirePass web management interface, the system prompts that the License has not been activated, so we activate the device's license.
F5 load balancer user guide
The main functions of the F5 BIG-IP used as an HTTP load balancer are: (1) F5 BIG-IP provides 12 flexible algorithms to distribute all traffic evenly across the servers, while to users it appears as a single virtual server.
(2) F5 BIG-IP can verify whether an application returns the correct data for a request.
If a server behind the F5 BIG-IP fails (service stopped, crash, etc.), the F5 detects this and marks the server as down, so user requests are no longer sent to the failed server.
Thus, as long as the other servers are healthy, user access is unaffected.
Once the failure is repaired, the F5 BIG-IP automatically verifies that the application again responds correctly to client requests and resumes sending traffic to that server.
(3) F5 BIG-IP supports dynamic session persistence.
(4) The iRules feature of F5 BIG-IP can perform HTTP content filtering, sending requests to different servers according to the domain name or URL.
Below, using an example, we configure F5 BIG-IP LTM v9.x: (1) As shown in the figure, assume the domain name resolves to the F5's external/public virtual IP 61.1.1.3 (vs_squid), which has a server pool (pool_squid) containing two real Squid servers (192.168.1.11 and 192.168.1.12).
(2) On a Squid cache miss, the request goes to the F5's internal virtual IP 192.168.1.3 (vs_apache), which has a default server pool (pool_apache_default) containing two real Apache servers (192.168.1.21 and 192.168.1.22); when a request to this virtual IP matches the iRules rule, another server pool (pool_apache_irules) is used, likewise containing two real Apache servers (192.168.1.23 and 192.168.1.24).
(3) In addition, the default gateway of all real servers points to the F5's own internal IP, 192.168.1.2.
(4) All real servers access the Internet through the SNAT IP address 61.1.1.4.
F5 detailed configuration manual
F5 detailed configuration manual. F5 BIG-IP load balancer configuration guide. Contents: Adding an administrator account with "read-only" rights; What to do when tcpdump cannot capture packets for a particular Virtual Server. 1. Network structure and IP address planning. This manual uses a mobile WAP/MMS gateway as the example; the network topology is shown in the figure below: the data network consists of two firewalls, two BIG-IP 3400 load balancers and two switches. All network devices are deployed as primary/standby pairs so that devices and links are redundant and single points of failure are eliminated.
The purpose of deploying the load balancer here is mainly to increase the number of servers and thereby the system's processing capacity.
Externally, however, there is still a single IP address.
The related IP address plan is as follows. Note: the IP address plan above is for the test environment and must be modified to match the IP address plan of the production network.
2. Configuring the BIGIP 3400 load balancer. This chapter describes the configuration method and content of the BIGIP 3400 load balancer.
Choosing between one-arm and inline deployment. 2.1.1 Routed/inline mode. The physical network connection is as follows. IP plan: in the figure, bigip is the load-balancing switch; public IP addresses are used above the bigip, and the load-balanced servers below it use private IP addresses.
Services are offered externally on public IPs, however.
2.1.2 One-arm mode. The physical network connection is as follows. IP plan: in the figure, bigip is the load-balancing switch; both the bigip and the load-balanced servers use public IP addresses.
2.1.3 Comparison of routed/inline mode and one-arm mode. (1) Traffic flows differ. In routed/inline mode traffic flows as follows: as shown above, traffic between the bigip and clients is on the bigip's upstream interface, and traffic between the bigip and the servers is on the downstream interface.
In one-arm mode traffic flows as follows: as shown above, traffic between the bigip and both the clients and the servers is on a single bigip interface.
F5 load balancer concise configuration manual (A concise configuration manual for the F5 load balancer)
F5 load balancer concise configuration manual (A concise configuration manual for the F5 load balancer)
Load balancers are commonly known as layer-4 or layer-7 switches. A layer-4 switch mainly analyzes the IP layer and the TCP/UDP layer and balances traffic at layer 4. Besides supporting layer-4 load balancing, a layer-7 switch also analyzes application-layer information such as the HTTP protocol, the URI or cookie information.
I. F5 configuration steps
1. F5 network planning
(1) Network topology (down to the allocation and connection of network device physical ports and server NICs)
(2) IP address allocation (down to the IP addresses of network devices and server NICs)
(3) F5 VIPs, pool members, nodes, load-balancing algorithm and persistence method
2. Preparation before F5 configuration
(1) Version check:
F5-portal-1:~# B version
Kernel:
BIG-IP Kernel 4.5PTF-07 Build18
(2) Time check; if it is not correct, change it in single-user mode:
F5-portal-1:~# date
Thu May 20 15:05:10 CST 2004
(3) License: obtain the license for the F5 yourself from the F5 website
3. General F5 configuration
(1) Where security requirements permit, you can enable the telnet and FTP functions in the setup menu to ease future maintenance.
(2) Configure the VLAN unique_mac option. This option ensures that the MAC addresses of different F5s on a VLAN are different; by default each F5's VLANs all have the same MAC address. Selecting this option during configuration is recommended. You can check the result with the command ifconfig -A. Location: System/Advanced Properties/vlan, unique_mac
(3) Configure the SNAT any_ip option, which allows ping flows to be translated, so that machines inside the network are SNATed for ping as well.
Ping is a layer-3 packet, and by default the F5 does not translate ping packets; that is, hosts on the internal VLAN cannot ping machines on the external VLAN. (Note: telnet can also be used to verify this.) Location: System/Advanced Properties/snat, any_ip
4. F5 initial configuration
It is recommended to initialize the F5 from the command line (initialization from the web page sometimes has problems). Log in to the command line and run the config or setup command to perform the initial configuration; the first run prompts for some license information.
Default:~# config
5. F5 dual-unit failover monitoring configuration (required for an F5 pair)
(1) In the web page select the corresponding VLAN and select failsafe under arm. Timeout is how long after the F5 stops receiving packets it fails over. This setting cannot be synchronized and must be configured on both the primary and standby F5. VLAN arm failsafe can be configured on each VLAN. Location: under Network
(2) In the web page select System and select gateway failsafe under Redundant Properties. Router is the address to be monitored. This setting cannot be synchronized and must be configured on both the primary and standby F5. Only one gateway failsafe can be configured per F5. Location: System/Redundant Properties/gateway failsafe
6. F5 MAC masquerade configuration
MAC Masquerading is the MAC address of the F5 shared IP address (floating).
If this item is not configured, the MAC address of the shared IP address is the same as the MAC address of each F5's VLAN self IP address. Servers generally use the shared IP address as their gateway; configuring MAC Masquerade (the same MAC address) on both F5s keeps the MAC of the servers' shared-IP gateway unchanged when the F5s fail over, so service continues without interruption. Location: under Network
7. F5 pool configuration
(1) In the navigation panel of the configuration tool web page, select the "Pools" tab under "Pools" and click the "ADD" button to add a server pool.
(2) Select the load balancing policy in the "Load Balancing Method" table of the pool properties, usually the default policy "Round Robin".
(3) Under "Resources", enter the member's IP address in the "Member Address" text box and the service port in the "Service" text box, then click "add" to add it to the "Current Members" list.
(4) Add all members and click Done to complete the configuration.
(5) Select a pool in the "Pool Name" column under "Pools", then select the "Persistence" tab in the pool property page.
(6) Select the persistence type in the "Persistence Type" table and click "Apply" to apply the configuration.
8. F5 virtual server configuration
(1) In the navigation panel of the configuration tool web page, select the "Virtual Servers" tab under "Virtual Servers" and click the "ADD" button to add a virtual server.
(2) In the "Add Virtual Server" window, enter the virtual server IP address in the "Address" text box, enter the port number or choose an existing service name in the "Service" drop-down box, then click "Next".
(3) On the "Configure Basic Properties" page of the "Add Virtual Server" window, click "Next".
On the "Select Physical Resources" page of the "Add Virtual Server" window, click the "Pool" radio button and select the load balancing pool for this virtual server in the drop-down box.
(4) Press Done to create the virtual server.
9. F5 monitor configuration
(1) In the navigation panel of the configuration tool web page, select the "Monitors" tab under "Monitors" and click the "ADD" button to add a monitor.
(2) Select the relevant association type as required: the "Node Associations", "Node Address Associations" or "Service Associations" tab.
(3) In the selected association tab, select the monitor name in the "Choose Monitor" table and click the ">" button to add it to the "Monitor Rule" text box. A monitoring rule can contain one or more monitors.
(4) After choosing the monitoring rules, select the "Associate Current Monitor Rule" check box for the corresponding node. To delete a monitor association, select the "Delete Existing Association" check box for the corresponding node.
(5) Click "Apply" to apply the monitor association.
10. F5 SNAT configuration
(1) In the navigation panel of the configuration tool web page, select the "SNATs" tab under "NATs" and click the "ADD" button to add a SNAT address.
(2) In the "Add SNAT" window, enter the SNAT IP in the "Translation Address" "IP" text box; under "Origin List", enter node IP addresses in the "Origin Address" text box or choose a VLAN name in the "Origin VLAN" drop-down box, then click "add" to add them to the "Current List".
(3) Press "Done" to complete the SNAT IP address.
11. F5 primary/standby synchronization and failover check
Location: System/Redundant Properties/Synchronize Config...
12. Business verification
Verify failover between the F5 primary and standby units.
Verify operation of the F5 primary and standby units.
Of these, 1-6 are basic configuration, 7-10 business configuration, and 11-12 checks.
II. F5 load balancer maintenance
1. F5 node and application inspection
Check node and application status on the "System -> Network Map" page:
Green: node or virtual server is "UP"
Red: node or virtual server status is "Down"
Gray: node or virtual server is disabled
2. Log check
(1) Daily logs: check the system log, BIG-IP log and monitor log from the web interface for any exceptions.
(2) Logs within 7 days:
System log file: /var/log/messages (system messages)
BIG-IP log file: /var/log/bigip ("external" BIG-IP events)
Monitor log file: /var/log/bigd ("internal" BIG-IP events)
3DNS log file: /var/log/3dns (3DNS information)
Open them with the gzcat, more and vi commands.
3. F5 traffic check
(1) Basic business maintenance mainly consists of checking on the F5 whether the connections distributed to each node are balanced; there should be no order-of-magnitude difference.
(2) The total and current entries in the connections item under WEB -> Pool -> Pool Statistics should show no obvious order-of-magnitude difference.
(3) F5 qkview command: run qkview; when it completes, the output is saved in the file "/var/tmp/-tech.out" for advanced technical support.
(4) F5 tcpdump command: tcpdump is a common packet analysis tool on Unix systems and is often used for fault location, such as persistence failures and SNAT communication problems.
tcpdump [-adeflnNOpqRStvxX] [-c count] [-F file] [-i interface] [-m module] [-r file] [-s snaplen] [-T type] [-w file] [-E algo:secret] [expression]
F5 and Sangfor configuration comparison
1. Basic network configuration of the F5 device
1.1 F5 interface address configuration
Interface configuration: the F5 configures its interfaces through a VLAN list, which is similar to the switch ports on our device. All addresses are also configured on the VLAN list, as shown in the figure below. Note: in the VLAN list configuration, an interface in the "Untagged Interfaces" column acts as an ordinary interface, corresponding to an ordinary Ethernet port on our device, and carries no VLAN tag (VLAN ID).
Corresponding Sangfor configuration: the VLAN list corresponds to the switch-port configuration on the Sangfor device. During a replacement, only the interfaces that the F5's cables connect to need to be replaced.
Communication addresses and virtual IP addresses (communication IP configuration diagram)
When configuring IP addresses the F5 differs from our device: it distinguishes communication IP addresses from the externally published virtual IP addresses:
A. Neither the communication IP nor the virtual IP is configured on an interface.
B. The communication IP is mainly used for routing and forwarding; the virtual IP is the address published to the outside (equivalent to the IP group on our device).
C. To configure a communication IP, the F5 first configures the VLAN list. The VLAN list assigns the F5's physical interfaces to different VLANs, and the IP address is then configured on the VLAN (this corresponds to VLAN configuration on a layer-3 switch: set the VLAN ID, configure the VLAN address, and assign the physical interfaces carried by the VLAN).
D. The virtual IP does not need to be configured on an interface; it is entered directly when the VS (virtual server) is configured.
Corresponding Sangfor configuration: on the Sangfor device only the F5's external address needs to be configured; the gateway on the WAN side must be added in the route configuration, as shown in the figure below.
F5 dual-unit (HA) configuration
F5 HA configuration differs from our device. An F5 HA pair needs three addresses in the same subnet: one for each of the active and standby units plus one floating virtual IP (similar to VRRP). In HA mode only one unit serves load at a time, but both of the customer's F5 units can be logged into via their own IP addresses. The F5 HA pair can use several links at the same time (one serial cable and one network cable, or several network cables).
F5 configuration manual (internal)
(Fragment of the device address table; only these cells survived extraction: VLAN tag 4094, interfaces 2.1/2., IP 10.32.2.241; Shared IP N/A 10.32.2.243; Failover N/A 1.1 1.1.1.1; N/A -vlan; unit 2, standby node, hostname Ljxc-3600-2, Mgmt N/A N/A 10.168.47.169 N/A.)
The parameters that need to be configured are shown in Table 2-1; the other parameters stay unchanged.
Table 2-1 System property parameters (columns: Parameter name, How to understand it, How to set it)
Host Name: the host name, used to identify the F5 system itself.
High availability: (description not preserved in this copy)
Note: the host names of the two units of a load balancer HA pair must be different; otherwise errors occur during HA synchronization and the License may also be corrupted.
1.1.3 IP address allocation
Each VLAN must use a different IP subnet. The IPs that must be configured on the F5 are shown in Table 1-2.
Table 1-2 IP address allocation
VLAN | IP
External-vlan | self IP, shared IP
Internal-vlan | self IP, shared IP
Failover-vlan | self IP; mainly used for configuration synchronization and session synchronization between the two BIG-IPs.
Note: normally, when enough ports are available, a dedicated port is used for configuration and session synchronization. When ports are insufficient, this VLAN can be omitted and the internal-vlan used for configuration and session synchronization instead.
2.1.2 Logging in to the load balancer management page
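Both the HA note in the Sangfor comparison (three addresses in one subnet per VLAN: two self IPs plus a floating IP) and Table 1-2 (each VLAN on its own subnet) are plan-level rules that are cheap to check before touching the device. The script below is an added example, not part of the manual: the address plan it validates is constructed to follow the Table 1-2 layout (all addresses invented), and `validate_plan` reports every rule the plan breaks, including the deliberate mistake in `BAD_PLAN` where one Internal-vlan self IP was typed into the External-vlan subnet.

```python
import ipaddress

# Constructed address plan laid out like Table 1-2: each VLAN gets one self IP per
# unit of the redundant pair plus one shared (floating) IP; the failover VLAN only
# needs self IPs. Every address here is made up for this example.
PLAN = {
    "External-vlan": {"self_ips": ["10.32.1.241/24", "10.32.1.242/24"], "shared_ip": "10.32.1.243/24"},
    "Internal-vlan": {"self_ips": ["10.32.2.241/24", "10.32.2.242/24"], "shared_ip": "10.32.2.243/24"},
    "Failover-vlan": {"self_ips": ["1.1.1.1/30", "1.1.1.2/30"], "shared_ip": None},
}

# Same plan with the mistake the manual warns against: one Internal-vlan self IP
# landed in the External-vlan subnet, so the two VLANs no longer use distinct subnets.
BAD_PLAN = {
    "External-vlan": PLAN["External-vlan"],
    "Internal-vlan": {"self_ips": ["10.32.1.250/24", "10.32.2.242/24"], "shared_ip": "10.32.2.243/24"},
    "Failover-vlan": PLAN["Failover-vlan"],
}


def validate_plan(plan):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    vlan_networks = {}
    for vlan, spec in plan.items():
        ifaces = [ipaddress.ip_interface(a) for a in spec["self_ips"]]
        if spec.get("shared_ip"):
            ifaces.append(ipaddress.ip_interface(spec["shared_ip"]))
        # rule 1: a redundant pair has exactly one self IP per unit
        if len(spec["self_ips"]) != 2:
            problems.append(f"{vlan}: a redundant pair needs one self IP per unit (2), "
                            f"found {len(spec['self_ips'])}")
        # rule 2: self IPs and the floating IP of one VLAN live in one subnet
        nets = {i.network for i in ifaces}
        if len(nets) != 1:
            problems.append(f"{vlan}: self IPs and shared IP must share one subnet, "
                            f"found {sorted(map(str, nets))}")
        # rule 3: no address reused inside the VLAN
        if len({i.ip for i in ifaces}) != len(ifaces):
            problems.append(f"{vlan}: the same address is used more than once")
        vlan_networks[vlan] = nets
    # rule 4: VLANs must not share or overlap subnets (Table 1-2)
    names = list(vlan_networks)
    for idx, a in enumerate(names):
        for b in names[idx + 1:]:
            for na in vlan_networks[a]:
                for nb in vlan_networks[b]:
                    if na.overlaps(nb):
                        problems.append(f"{a} and {b} overlap: {na} vs {nb}")
    return problems


if __name__ == "__main__":
    print("PLAN:", validate_plan(PLAN) or "ok")
    print("BAD_PLAN:", validate_plan(BAD_PLAN))
```

The same function works for IPv6 plans because `ipaddress` handles both families; extend the plan dictionary with a management VLAN entry if the management subnet also has to stay disjoint from the data VLANs.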
F5 command line configuration manual

bigstart: Restarts the SNMP agent bigsnmpd.
bigtop: Displays real-time statistics.
config: Configures the IP address, network mask, and gateway on the management (MGMT) port. Use this command at the BIG-IP system prompt prior to licensing the BIG-IP system, and do not confuse it with the bigpipe config command or the BIG-IP Configuration utility.
halt: Shuts down the BIG-IP software application.
hostname: Displays the name you have given to the BIG-IP system.
printdb: Prints the values of one or more entries in the bigdb database.
reboot: Reboots the BIG-IP system.
ssh and scp: Access command line interfaces on other SSH-enabled devices, and copy files to or from a BIG-IP system.

Customizing the bigpipe shell prompt
bp> shell prompt <string>
bp> shell prompt BIG-IP>
The system shell prompt then becomes BIG-IP>. To get around the shell's restriction on running Linux commands, prefix them with "!":
BIG-IP>!ls         // list the directory
BIG-IP>!ifconfig   // show the interface configuration

Network objects configured from bigpipe:
•Routes
•Self IP addresses
•Packet Filters
•Trunks (802.3ad Link Aggregation)
•Spanning Tree Protocol (STP)
•VLANs and VLAN groups
•ARP
Configuring packet filtering, command: bigpipe packet filter. You can define packet filter rules to provide access control, rate shaping and auditing.
Configuring routes, command: route (<route key list> | all | inet | inet6)

F5 "show tech" (qkview)
[root@XXXX:Standby] config # qkview
Getting systemwide backup configuration files.
Getting AOM information.
Getting last 175 lines of log files.
Getting last 175 lines of gzipped log files.
Getting md5 sum information.
Getting core file list.
Getting Public Certificate information.
Getting tmctl information.
completed...
6 of 161 checks produced no data
Diagnostic information has been saved in file /var/tmp/-tech.out
Please send this file to **************.

bigtop - display real-time statistics
-bytes        display counts in bytes (vs bits)
-pkts         display counts in packets (vs bits)
-reqs         display counts in requests (vs connections)
-vips <n>     number of virtual servers to print
-nodes <n>    number of nodes to print
-once         print once and exit
-delay <n>    number of seconds between samples (default 4)
-scroll       disable full-screen mode
-nosort       disable sorting
-conn         sort by connection count (vs byte count)
-delta        sort by count since last sample (vs total)
-n            print IP address and services in numeric format
-vname        display virtual servers by name (vs IP address)
-help, -h     print this message

Resizing the log file system
1. Access the BIG-IP system prompt.
2. Stop the BIG-IP system or put the system into a safe condition such as standby mode using the bigstart stop command.
3. Type the following command: resize-logFS. This command prompts you for the desired file size in gigabytes.
4. At the prompt, type an integer. The minimum allowed value is 1, and the maximum allowed value is 10. A prompt appears that allows you to confirm the specified file size.
5. Type Y. A message appears, notifying you of the need for the BIG-IP system to perform a reboot, followed by a prompt, which allows you to permit the reboot operation. Note: Prior to rebooting, the BIG-IP system verifies that the integer you typed in step 3 is within the allowed range, and checks to ensure that enough disk space exists for the specified size.
6. Type Y. A confirmation prompt appears.
7. Type Y. The system displays messages indicating that the reboot operation is about to occur.
8. Wait for the reboot operation to finish. When the system becomes available again, the newly-specified disk space for the log file will be in effect.
WARNING: Do not delete the files /shared/.LoopbackLogFS and /shared/LogFS_README, because this action deletes all of your log files.

Enabling/disabling a virtual server or virtual address
To enable or disable a virtual server, use the appropriate command syntax:
bp> virtual <virtual addr>:<virtual port> enable | disable
To enable or disable a virtual address, use the appropriate command syntax:
bp> virtual address <virtual addr> enable | disable

Removing an individual node from service
You can remove an individual node from service, or return an individual node to service, from the bigpipe shell command line.
To remove an individual node from service, use the following command:
bp> node <node addr>:<node port> down
To return an individual node to service, use this command:
bp> node <node addr>:<node port> up

Viewing and modifying F5 system configuration files
[...]or to edit or view these files. When you cannot use a browser, modifying the configuration files directly is sometimes necessary; this requires F5's browserless configuration mode and command line configuration mode.
Important: after you finish editing bigip.conf or bigip_base.conf, and before you restart the MCPD service, you must run bigpipe load to make sure the MCPD service uses the current configuration data.
alert.conf: Stores definitions of SNMP traps (system default alerts).
user_alert.conf: Stores definitions of SNMP traps (user-defined alerts).
/config/bigip.conf: Stores all configuration objects for managing local application traffic, such as virtual servers, load balancing pools, profiles, and SNATs. Note that after you edit bigip.conf, and before you restart the MCPD service, you must run the bigpipe load command.
/config/bigip_base.conf: Stores BIG-IP self IP addresses and VLAN and interface configurations. Note that after you edit bigip_base.conf, and before you restart the MCPD service, you must run the bigpipe load command.
/config/bigip.license: Stores authorization information for the BIG-IP system.
/etc/bigconf.conf: Stores the user preferences for the Configuration utility.
/config/bigconfig/openssl.conf: Holds the configuration information for how the SSL library interacts with browsers, and how key information is generated.
/config/user.db: Holds various configuration information. This file is known as the bigdb database.
/config/bigconfig/httpd.conf: Holds configuration information for the web server.
/config/bigconfig/users: The web server password file. Contains the user names and passwords of the people permitted to access whatever is provided by the web server.
/etc/hosts: Stores the hosts table for the BIG-IP system.
/etc/hosts.allow: Stores the IP addresses of workstations that are allowed to make administrative shell connections to the BIG-IP system.
/etc/hosts.deny: Stores the IP addresses of workstations that are not allowed to make administrative shell connections to the BIG-IP system.
/etc/rateclass.conf: Stores rate class definitions.
/etc/ipfwrate.conf: Stores IP filter settings for filters that also use rate classes.
/etc/snmpd.conf: Stores SNMP configuration settings.
/etc/snmptrap.conf: Stores SNMP trap configuration settings.
/config/ssh: Contains the SSH configuration and key files.
/etc/sshd_config: This is the configuration file for the secure shell server (SSH). It contains all the access information for people trying to get into the system by using SSH.
/config/routes: Contains static route information.

Locating the license key (find_keys)
[root@ISAG-2:Standby] config # find_keys
ISAG-2 kjournald starting. Commit interval 5 seconds
Found license key JTPBO-CHRSX-DGBIO-HOAHJ-MOZJEVA
License file location is: /sda.1/config/bigip.license
Found license key JTPBO-CHRSX-DGBIO-HOAHJ-MOZJEVA
Unmounting unneeded partitions...
<6>EXT3-fs: mounted filesystem with ordered data mode.
<6>kjournald starting. Commit interval 5 seconds
complete
The above information can also be found in /tmp/keys.out

Managing Local Application Traffic
•Setting up load balancing
•Controlling HTTP traffic
•Implementing HTTP and TCP optimization profiles
•Authenticating application traffic
•Implementing persistence
•Enhancing the performance of the BIG-IP system
•Managing health and performance monitors
•Implementing iRules

Setting up virtual server load balancing
1. Decide what types of traffic you want the BIG-IP system to manage, as well as whether you want to implement session persistence, connection persistence, and remote authentication.
2. For each decision in step 1, decide whether you want to use the corresponding default profile that the BIG-IP system provides, or whether you want to create a custom profile.
3. Access the bigpipe shell.
4. If you want to create custom profiles, use the profile command, specifying the appropriate type of profile as an argument. If you do not want to create custom profiles, skip this step.
5. Create one or more load balancing pools, using the pool command.
6. Create a virtual server, using the virtual command, and assign to it any profiles and pools that you created. If you are using default profiles, some of those profiles might already be assigned to the virtual server by default.

Configuring a clone pool
A clone pool is designed for intrusion detection. You can configure a clone pool for a VS; the clone pool receives the same traffic as the normal pool, so you can copy the traffic to an intrusion detection system.
1. Access the bigpipe shell.
2. Use the virtual command to create or modify a virtual server, specifying a value for the clone pool argument.

Configuring a last hop pool
By default the BIG-IP system enables the auto last hop feature. If you want to disable it and define the last hop router manually, you can create a last hop pool and assign it to a VS.
1. Access the bigpipe shell.
2. Use the pool command to create a last hop pool that contains the router inside addresses.
3. Use the lasthop pool argument with the virtual command to assign the last hop pool to a virtual server.
If you have not assigned an SSL profile to the virtual server, use the profile argument with the virtual command to assign the profile to the virtual server.

Configuring SNATs
There are two basic ways to create a SNAT. You can map a translation address directly to one or more original IP addresses, or you can configure a SNAT pool and map that SNAT pool to the original IP addresses; in newer versions BIG-IP automatically selects a translation address from the SNAT pool. Note that you can assign these types of mappings from within an iRule.
To map a single translation address to an original address
1. Access the bigpipe shell.
2. Designate an IP address as a translation address, using the snat translation command.
3. Map the translation address to one or more original IP addresses, using the snat command or the rule command.
To map a SNAT pool to an original address
1. Access the bigpipe shell.
2. Create a pool of translation addresses (that is, a SNAT pool), using the snatpool command.
3. Map the SNAT pool to one or more original IP addresses, using either the snat command or the rule command.

Configuring HTTP traffic
You can configure BIG-IP to control HTTP traffic: HTTP compression, HTTP request redirection, HTTP redirect rewriting, inserting and erasing HTTP headers, enabling or disabling cookie encryption and SYN cookie support, configuring the HTTP Class profile, and chunking control of HTTP response data.
Configuring HTTP compression
Configure the BIG-IP system to compress HTTP server responses:
1. Access the bigpipe shell.
2. Configure the compression-related settings of an HTTP profile, using the profile http command.
3. Assign the HTTP profile to a virtual server, using the virtual command.
Redirecting HTTP requests
You can configure an HTTP profile to redirect HTTP requests and define a fallback host in that profile.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the fallback argument. You can specify either a URI or the default fallback host, or you can specify that you want no HTTP redirection.
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.
Rewriting HTTP redirections
You can configure an HTTP profile to rewrite HTTP redirections.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the redirect rewrite argument. For example, to create a profile that only rewrites URIs matching the originally requested URI (minus an optional trailing slash), use the following syntax:
profile http myHTTPprofile { redirect rewrite matching }
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.
Inserting and erasing HTTP headers
You can configure an HTTP profile to insert a header into HTTP requests or to remove a header from them.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for either the header insert, header erase, or insert xforwarded for options.
3. Verify that the HTTP or Fast HTTP profile you created or modified is assigned to a virtual server.
Enabling or disabling cookie encryption
You can use two options of the http profile to enable or disable cookie encryption.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the encrypt cookie and cookie secret options.
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.
Enabling or disabling SYN cookie support
To manage DoS attacks, you can configure the SYN cookie option in a Fast L4 profile to enable or disable SYN cookie support.
◆ If the BIG-IP system includes Packet Velocity ASIC (PVA) technology, use the profile fastl4 command and specify the hardware syncookie (enable | disable | default) option. You can also set the following variables as needed with the db command:
•pva.SynCookies.Full.ConnectionThreshold (default: 500000)
•pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
•pva.SynCookies.ClientWindow (default: 0)
Note that the hardware syncookie feature is currently available only on the D84 and D88 platforms; on other platforms it has no effect. If you set the software syncookie feature on D84 and D88, SYN cookies are handled only in software.
◆ If the BIG-IP system does not include Packet Velocity ASIC (PVA) technology, use the profile fastl4 command and specify the software syncookie (enable | disable | default) option.
Configuring the HTTP Class profile
The BIG-IP system includes a profile type called the HTTP Class profile, which classifies HTTP traffic by criteria you define; the traffic is classified and forwarded according to inspection of the headers or content of the target traffic. If the BIG-IP system includes the Application Security Manager (ASM) or WebAccelerator module, you can configure the system to send HTTP traffic to that module first and then on to its final destination; for example, you can use an HTTP Class profile to instruct a virtual server to pass traffic through ASM before forwarding it to the load balancing pool.
Unchunking and rechunking HTTP response data
If you want to inspect the content, you can unchunk or rechunk HTTP responses by configuring the HTTP profile to enable unchunking.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile and specify the response argument.
3. Make sure that you have assigned the HTTP profile to a virtual server, using the virtual command.

Implementing session persistence
The persistence types you can configure are:
•Cookie
•Destination Address Affinity
•Microsoft Remote Desktop Protocol (MSRDP)
•Hash
•Session Initiation Protocol (SIP)
•Source Address Affinity
•SSL
•Universal
Steps:
1. Access the bigpipe shell.
2. Create a persistence profile, using the profile command, that corresponds to the type of persistence you want to implement.
3. Assign the persistence profile to a virtual server, using the persist and fallback persist arguments with the virtual command.

Implementing connection persistence
To implement connection persistence, you can add a Keep-Alive header to HTTP/1.0 requests that lack one (HTTP/1.1 connections include Keep-Alive support by default). You can also enable the connection pooling feature, which keeps server-side connections open so they can be reused for other client requests. Keep-alive support and connection pools are enabled by modifying the HTTP or Fast HTTP profile, or the OneConnect profile.
To add Keep-Alive headers into HTTP requests
1. Access the bigpipe shell.
2. To ensure that HTTP connections stay open, use the profile http command and specify the oneconnect transformations argument. This ensures that the BIG-IP system inserts a Connection: Keep-Alive header into any HTTP/1.0 request that does not already contain one.
3. Make sure that you have assigned the HTTP or Fast HTTP profile to a virtual server, using the virtual command.
To enable connection pooling
1. Access the bigpipe shell.
2. Using the profile oneconnect command, configure a profile for connection pooling.
3. Assign the profile to a virtual server, using the profile argument with the virtual command.
Tip: you can also configure connection persistence through the Fast HTTP profile, using the fasthttp command in the bigpipe shell.

Enhancing BIG-IP performance
Setting connection QoS and packet ToS levels
You can use the bigpipe utility to set QoS and ToS levels, either for all traffic targeted at a load balancing pool or for specific traffic types, such as Layer 4, TCP and UDP traffic.
1. Decide whether you want to set QoS and ToS levels for traffic targeted for an entire pool or for specific types of traffic, or both.
•If you want to set the QoS and ToS levels for an entire pool, access the bigpipe shell and use the pool command with one or more of the following arguments: link qos to client, link qos to server, ip tos to client, and ip tos to server.
•If you want to set the QoS and ToS levels for certain types of traffic, access the bigpipe shell and use the profile command to create or modify a Fast L4, TCP, or UDP profile.
2. Verify that the pool or the profile that you created or modified is assigned to a virtual server. To do this, use the following syntax:
bp> virtual <virtual server name> list
Setting the idle timeout
Create or modify a Fast L4, Fast HTTP, TCP, or UDP profile.
1. Create or modify a Fast L4, Fast HTTP, TCP, or UDP profile, by accessing the bigpipe shell and using the profile command.
2. Specify the idle timeout argument to set a timeout value.
3. Verify that the profile you created or modified is assigned to a virtual server.
Implementing rate shaping
Rate classes are assigned to a virtual server or to packet filter rules.
1. Access the bigpipe shell.
2. Create one or more rate classes, using the rate class command.
3. Assign the rate classes to a virtual server or a packet filter rule, using either the virtual command or the packet filter command.

Implementing iRules
The iRule feature is powerful and flexible and notably extends the capabilities of the BIG-IP system. An iRule can reference any object regardless of the partition the referenced object resides in; for example, an iRule in partition A may contain a statement that references a pool in partition B.
1. Access the bigpipe shell.
2. Create an iRule using the rule command. You must include the name of the Tcl script and the script itself as arguments for the command.
3. Assign the iRule to a virtual server, using the virtual command in one of the following ways:
•To associate multiple iRules with a virtual server, use this syntax:
bp> virtual <virtual_server_name> rule <iRule1_name> \ <iRule2_name> ...
•To remove the assignment of an iRule from a virtual server, use this syntax:
bp> virtual <virtual_server_name> rule none
•To remove the iRule assignments from multiple virtual servers, use the following syntax. Note that you can remove the iRule assignments only from virtual servers that reside in the current Write partition or in partition Common.
bp> virtual all rule none
•To associate an existing iRule with multiple virtual servers, use the following syntax. Note that you can associate an iRule only with virtual servers that reside in the current Write partition or in partition Common.
bp> virtual all rule <iRule_name>
Important: In this case, the iRule becomes the only iRule that is associated with each virtual server in the current Write partition. Because this command overwrites all previous iRule assignments, we do not recommend use of this command.
F5 load balancing configuration document
BIGIP V9 standard configuration document
Contents
1 Connecting to BIGIP
1.1 Console method
1.2 Network method
1.2.1 Web-based
1.2.2 SSH-based
2 Network configuration
2.1 VLAN configuration
2.2 Self IP configuration
2.3 Route configuration
3 Load balancing configuration
3.1 Pool configuration
3.2 Virtual Server configuration
3.3 Monitor configuration
3.4 Persistence configuration
3.4.1 Source IP persistence configuration
3.4.2 Cookie persistence configuration
4 SNAT configuration
5 Redundant configuration
5.1 The BIGIP Redundant concept
5.2 Redundant configuration
Supplementary notes

1 Connecting to BIGIP
1.1 Console method
Connecting to and configuring BIGIP over the console requires the following:
1) A PC running the Windows operating system
2) A serial port on the PC, or a USB-to-serial adapter
3) A console cable
Usage: from Start -> All Programs -> Accessories -> Communications -> HyperTerminal, open HyperTerminal. The parameter settings are shown in the figure below.
1.2 Network method
1.2.1 Web-based
1) Open a browser (IE as the example) and enter https://(the BIGIP device's IP address), as shown below.
2) After pressing Enter a system warning appears; click Yes.
3) The system then prompts for the web configuration username and password; the default username and password are both admin. Click OK; if they are correct you enter the BIGIP web interface, which looks similar to the following.
1.2.2 SSH-based
Use an SSH2 client such as SecureCRT, PuTTY or SSH Secure Shell. Taking SSH Secure Shell as the example (see the figure below), enter the self IP of the VLAN you are connected to in Host Name and root in User Name. Enter the password when prompted to log into the BIGIP system.
F5 load balancer pool configuration
4. Configuring load balancing pools
•Introduction to load balancing pools
•Creating and modifying load balancing pools
•Configuring pool settings
•Configuring pool member settings
•Managing pools and pool members

Introduction to load balancing pools
In a typical client-server scenario, a client request goes to the destination IP address specified in the request header. For a site with heavy inbound traffic, the destination server quickly becomes overloaded because it has to handle a large number of requests. To solve this, the BIG-IP Local Traffic Management (LTM) system distributes client requests across multiple servers instead of only the specified destination IP address. You configure the LTM system to do this when you create a load balancing pool.

What is a load balancing pool?
A load balancing pool is a group of devices, such as web servers, that you group together to receive and process traffic. The LTM system sends client traffic to any of the servers in the pool rather than to the destination IP address specified in the client request. When you create a load balancing pool, you assign servers (called pool members) to the pool and then associate the pool with a virtual server on the LTM system; the LTM system then directs the traffic entering the virtual server to the pool members. A single server can belong to one or more pools, depending on how you want to manage your network traffic.
Which pool member the LTM system sends a request to is determined by the load balancing method you assign to the pool. A load balancing method is an algorithm the LTM system uses to select the pool member that handles a request. For example, the default load balancing method is round robin: the LTM system sends each incoming request to the next available pool member, so requests are distributed evenly across all servers in the pool. For the complete list of load balancing methods, see "Specifying the load balancing method" on page 4-9.

Features of load balancing pools
You can configure the LTM system to perform many different operations on a pool. You can:
•associate health monitors with a pool and its pool members;
•enable or disable SNAT connections;
•reconnect to another pool member if the originally targeted pool member is unavailable;
•set Quality of Service or Type of Service levels in packets;
•specify the pool's load balancing algorithm;
•assign pool members to priority groups within the pool.
F5 configuration management rules (internal)
F5 LinkController
About LinkController (LC for short). F5 has three main load balancing products:
LTM (Local Traffic Management): server load balancing
GTM (Global Traffic Management): global multi-site load balancing
LC (LinkController): link load balancing
LTM is usually deployed in front of the server farm to load balance web or application servers. GTM can be summarized as an intelligent DNS server whose core is Linux BIND 9; by resolving domain names, GTM steers user traffic to different sites or data centers, and it can also serve as a plain DNS server. LinkController combines LTM and GTM: it provides simple layer-4 server load balancing and simple GTM functionality. Internally it load balances servers; externally it load balances multi-ISP link access, and through LC's intelligent DNS resolution it returns different DNS answers to different clients, so that by policy different users reach the site over different ISP lines.

2 Configuration process
Determine the network diagram, the application's access flow, and the detailed address and routing plan
Device initialization
LTM part: mainly set up the Virtual Server and outbound traffic load balancing
LinkController part: mainly inbound traffic load balancing through domain name resolution
HA (dual-unit) settings
How to test
How to troubleshoot

3 Part one: device initialization
4. Initialization content
Install the BIG-IP Version [version blank in source] release, preferably as a fresh install through VMware rather than an IM upgrade. Apply the latest Hotfix (the latest Hotfix for the current version is [blank in source], which can be downloaded from [blank in source]).
Configure the management address and management route. If the default address is used, the management port is [blank in source]; to use another address, modify it with the config command from the console or through the LCD panel buttons.
Activate the device and apply for the license.
Set the correct time zone, normally Asia/Shanghai, and confirm or adjust the system time (use the date command on the command line).
Set the passwords of admin (for the web UI, default admin) and root (for the CLI, default default).

5 Installing the operating system
Confirm the device software version, which must be BIG-IP Version [blank in source]; check it with the bversion command in the CLI. If it is not, install the BIG-IP Version [blank in source] release, preferably as a fresh install through VMware rather than an IM upgrade; see the "BIGIP Device Operating System Installation Manual" for the procedure. Note: back up the /config/ file [file name blank in source] before installing. Its contents are normally as follows:
[root@f5:Active] config # more [file name blank in source]
RegistrationKey: KQYHC-UMEAR-FHHUK-FJDPU-YFYHAKJ
After the device is reinstalled this file is lost, and license activation needs it; if it is lost, a case has to be opened for F5 TAC to look it up, which is troublesome.

6. Installing patches
Install the latest Hotfix (the latest Hotfix for the current version is [blank in source]), which can be downloaded from [blank in source]; downloading requires an F5 website account, after which you log in and download. With the Hotfix file in hand, upload it to the F5 device, usually to /tmp. The F5 device does not support telnet or an FTP server, but it runs an SFTP server by default, so a Secure FTP client can connect directly to the F5 as root to upload and download files. Without a Secure FTP client, you can run an FTP server on a laptop and pull the Hotfix file from the F5 CLI. After uploading and before installing, connect to the device over the console, change to /tmp, and run im <hotfix file name>; the installation completes automatically. Afterwards the device prompts for a full box reboot: run /usr/bin/full_box_reboot, or power-cycle the device. When it is back, verify with the bversion command.

7 Activating the device license
After activation the license appears as shown at right; confirm the license is correct.
8 Initial basic settings
Set the management port address and management route (default [blank in source]). Set the HostName, which must be an FQDN. Set the High Availability mode: single-unit mode here, so choose Single Device; for an HA pair choose Redundant Pair. Set the Time Zone, usually Asia/Shanghai. Set the root and admin passwords (defaults root/default and admin/admin).

9 Part two: LC outbound traffic balancing configuration
10 Preparation before the LinkController implementation
Confirm the network diagram!
Confirm the application access flow!
Confirm a reasonable and correct address and routing plan!
11 Address planning (diagram residue): ISP CT, ISP CNC; Vlan CT: F5 LinkController; Vlan INTERNAL: Firewall, WEB1, WEB2, office network users
12 Vlan CNC: LC V9 configuration logic diagram for outbound traffic (diagram residue): Link1, Link2, Default_Gateway_Pool, VS, iRules, Link1, Link2, Internal Clients, LinkController
13 Configure VLANs: add 3 VLANs (CNC, CT, INTERNAL) and assign ports to each VLAN
14 Configure Self IPs: configure each VLAN's IP address according to the address plan
15 Configure a Default_Gateway_Pool
16 Configure the default route, pointing to Default_Gateway_Pool
17 Configure the other static routes
18 Configure the Outbound Virtual Server (VS)
19 Notes on the LC outbound traffic balancing configuration
With this, the basic outbound load balancing configuration is complete, and internal users can reach the outside over both lines. Next we discuss how to optimize the outbound load balancing policy and meet some special requirements, mainly through iRules.
20 Advanced outbound configuration: choosing the line by carrier
Typical requirement: traffic to China Telecom uses the Telecom line CT_Pool and falls back to the Netcom line when the Telecom line fails; traffic to China Netcom uses the Netcom line CNC_Pool and falls back to the Telecom line when the Netcom line fails; all other traffic is load balanced between China Telecom and China Netcom through Default_Gateway_Pool.
Configuration steps: create the pools; create the classes holding the Telecom/Netcom address lists; create the Rules; bind the Rules to the Virtual Server.
21 Because the Netcom line must back up the Telecom line when it fails, "Priority Group Activation" is enabled in CT_Pool, with the Telecom line members given a higher Priority and the Netcom line members a lower Priority.
F5 configuration backup and restore
2012-12-31 21:24:34 | Category: Load balancing F5 BIG-IP
The F5 device configuration can be saved as a file with the .ucs extension so the system can be restored later when necessary. The ucs file is a binary file and cannot be read; if you only want to understand the F5 configuration, read the two files bigip_base.conf and bigip.conf in the /config directory. bigip_base.conf holds the system's network configuration (layer 2/3 configuration), and bigip.conf holds the system's business configuration (layer 4/7 configuration). So, to ease future maintenance, ask the administrator to back up both the current ucs file and the bigip_base.conf and bigip.conf files. The steps are as follows:
local: big01_200302201025.ucs remote: big01_200302201025.ucs
227 Entering Passive Mode (172,168,10,99,4,53).
125 Data connection already open; Transfer starting.
ftp>ls
227 Entering Passive Mode (172,168,10,99,4,55).
125 Data connection already open; Transfer starting.
02-19-04 10:24AM 274511 big01_200302201025.ucs
Back up the current configuration to the file big01_200302201025.ucs (the file name is chosen by the administrator).
The recommended file name form is hostname_date.ucs.
big01:~#cd /usr/local/ucs
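The post recommends keeping bigip.conf next to the .ucs archive because it is readable. A readable copy is also auditable: the script below is an added example, not part of the post, that parses a small constructed configuration in the brace-delimited style of a v9 bigip.conf (object names, addresses and the exact attribute layout are invented for the example) and reports pools without a health monitor, empty pools, and virtual servers pointing at a pool that does not exist. Running such a check over each backup is a quick way to catch the misconfigurations the maintenance sections above look for by hand.

```python
import re

# Constructed bigip.conf-style text for this example; not copied from any device.
SAMPLE_CONF = """\
pool web_pool {
   monitor all http
   members 10.10.1.21:80 10.10.1.22:80
}
pool app_pool {
   members 10.10.2.31:8080
}
pool empty_pool {
   monitor all tcp
}
virtual web_vs {
   destination 192.0.2.10:80
   ip protocol tcp
   snat automap
   profiles http tcp
   pool web_pool
}
virtual app_vs {
   destination 192.0.2.11:8080
   ip protocol tcp
   pool app_pool
}
virtual orphan_vs {
   destination 192.0.2.12:443
   pool ssl_pool
}
"""

# "<kind> <name> {" opens an object; a bare "}" closes it.
HEADER_RE = re.compile(r"^(?P<kind>pool|virtual|snatpool|monitor) (?P<name>\S+) \{$")


def parse_bigip_conf(text):
    """Return {kind: {name: {attribute: value}}} for the object kinds we audit."""
    cfg = {"pool": {}, "virtual": {}, "snatpool": {}, "monitor": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = cfg[m["kind"]].setdefault(m["name"], {})
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            continue          # text outside any object is ignored
        key, _, value = line.partition(" ")
        if key == "members":
            current["members"] = value.split()   # "ip:port" tokens
        else:
            current[key] = value
    return cfg


def audit(cfg):
    """Findings an operator should look at before trusting the backup."""
    findings = []
    for name, pool in cfg["pool"].items():
        if "monitor" not in pool:
            findings.append(f"pool {name}: no health monitor, dead members keep receiving traffic")
        if not pool.get("members"):
            findings.append(f"pool {name}: no members")
    for name, vs in cfg["virtual"].items():
        pool = vs.get("pool")
        if pool and pool not in cfg["pool"]:
            findings.append(f"virtual {name}: references undefined pool {pool}")
    return findings


def vs_members(cfg):
    """Map each virtual server to the members it can send traffic to."""
    return {name: cfg["pool"].get(vs.get("pool"), {}).get("members", [])
            for name, vs in cfg["virtual"].items()}


if __name__ == "__main__":
    conf = parse_bigip_conf(SAMPLE_CONF)
    for finding in audit(conf):
        print("FINDING:", finding)
    for vs, members in vs_members(conf).items():
        print(f"{vs} -> {members}")
```

Point `parse_bigip_conf` at the real /config/bigip.conf from the backup; the header pattern accepts the object kinds listed in `cfg`, so add a kind there if your file has more object types you want to inspect.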
F5 configuration
One. F5 configuration steps
1. F5 network planning
(1) Network topology diagram (down to the assignment and connection of the network devices' physical ports and the servers' NICs)
(2) IP address assignment (down to the IP addresses of the network devices and the servers' NICs)
(3) Determine the business VIPs, member pools, nodes, load balancing algorithms and persistence methods on the F5
2. Preparation before F5 configuration
(1) Version check
f5-portal-1:~# b version
Kernel: BIG-IP Kernel 4.5PTF-07 Build18
(2) Time check; if it is wrong, correct it in single-user mode
f5-portal-1:~# date
Thu May 20 15:05:10 CST 2004
(3) Apply for a license: every F5 used on site needs a license applied for on the F5 website
3. General F5 configuration
(1) Where the security requirements allow it, telnet and ftp can be enabled in the setup menu for easier maintenance later.
(2) Configure the vlan unique_mac option, which ensures that the different VLANs on the F5 have different MAC addresses. By default all VLANs on the F5 share the same MAC address, so it is recommended to enable this option consistently. Verify with the command ifconfig -a. The setting is under System / Advanced Properties / vlan unique_mac.
(3) Configure the snat any_ip option, which ensures that ping traffic from internal hosts is also translated after SNAT. Ping is a layer-3 packet, and by default the F5 does not translate ping packets, so hosts in the internal VLAN cannot ping machines in the external VLAN. (Note: telnet can also be used to verify this.) The setting is under System / Advanced Properties / snat any_ip.
4. F5 initial configuration
It is recommended to initialize the F5 from the command line (web-page initialization sometimes has problems). Log in to the command line and run the config or setup command to perform the initial configuration.
SELF IP
• Generally, there should be at least one self IP and one floating IP for each of the internal and external VLANs. • Network > Self IP
GMPC HTTPS(2)
• VS configuration
address type: host, VS type: standard
GMPC HTTPS(3)
• Notice the SSL Profile config
GMPC SUPL NON-ENCRYPTED(1)
• Most of the configuration is the same as “GMPC HTTP”; what needs to change is the names, the port (3425) and the pool referenced.
ADD POOL(2)
• Add members to the pool as needed; the nodes should already have been added in the previous step.
ADD VIRTUAL SERVER(1)
• Local Traffic > Virtual Servers > Create
A VS stands for a service gateway. The VS address can be a host or a network. The port can differ from the port of the pool members.
GMPC SUPL ENCRYPTED(3)
• Local Traffic > SSL Certificates > Import
Import the Certificate files for VS to use
GMPC SUPL ENCRYPTED(4)
• VS configuration
address type: host, VS type: standard. Note: we use the pool whose port is 3425
A node stands for a server; Address and Name are mandatory. Add more nodes as you need.
ADD POOL(1)
• Local Traffic > Virtual Servers > Pools > Create
A pool stands for a service (IP + Port). Health Monitors are selected according to the actual scene.
GMPC SUPL ENCRYPTED(5)
• VS configuration
Note: we use the certificate files for the client part.
MBB SPATIAL TRIGGER(1)
• Nodes can be added as in the other scenarios. • The pool for this feature must not do SNAT
GMPC SUPL ENCRYPTED(2)
• Node and pool configuration are the same as “GMPC HTTP”; what needs to change is the names and the port (3425). • In the VS we select the mode “secure communication terminated in Load Balance”; that is why we configure port 3425 in the pool.
To create or check self IPs. E.g., 192.168.0.1 is the floating IP for the internal VLAN while 192.168.0.2 is the self IP.
ADD Node
• Local Traffic > Virtual Servers > Nodes > Create
• Network > VLANs
• Internal: used for internal traffic
• External: used for external traffic
• HA: used for high availability between two physical F5s (this is the default)
Select the VLAN the VS resides on. “SNAT Pool” can use “Auto Map” (uses a self IP of the F5) or the one you defined under “SNATs”.
ADD VIRTUAL SERVER(4)
Add the pool defined just now to link it to the VS. iRules are optional.
SNAT
• Local Traffic > SNATs > SNAT Pool List > Create.
If needed, define a SNAT pool to reference in the VS. Add a name and the IPs for the SNAT pool; the name can then be referenced in the VS.
ROUTES
• Network > Routes > Add Route.
If needed, a route should be added for IP forwarding. Destination is the target IP or network; Resource is the gateway IP.
BASIC CHECK
No SNAT used; fastL4 profile used.
This kind of configuration needs GMPC route configuration to support it; refer to “Installation Instruction GMPC 13B”.
P-LRF SIP--Inbound(1)
Note: “Allow SNAT” is “NO”
MBB SPATIAL TRIGGER(2)
• VS configuration
address type: host, VS type: Performance (Layer 4)
MBB SPATIAL TRIGGER(3)
• VS configuration
P-LRF SIP--Inbound(2)
• SIP profile configuration
enable “dialog Aware” and “Insert Via Header” when inheriting from Parent Profile “sip”
ADD VIRTUAL SERVER(2)
The most used VS types are “Standard” and “Forwarding (IP)”. Profile and protocol are chosen according to the actual scene.
ADD VIRTUAL SERVER(3)
GMPC HTTPS(1)
• Node and pool configuration can refer to “GMPC HTTP”; the pool uses port 10036 • In the VS we select the mode “secure communication terminated in GMPC”
• iRule definition
GMPC HTTP(4)
• iRule content; this can serve as a template.

when HTTP_REQUEST {
  if { [HTTP::method] contains "GET" } {
    # If the URI matches a certain pattern then check to see if all pool members are up
    # There must be an HTTP profile applied.
    #log local0. "URI is [HTTP::uri]"
    switch "[HTTP::uri]" {
      "/newRequest" {
        if { [active_members [LB::server pool]] > 0 } {
          #log local0. "Pool was up"
          HTTP::respond 200 content "<HTML><HEAD><TITLE>Pool is up</TITLE></HEAD><BODY>Pool is up</BODY></HTML>"
          return ok
        } else {
          #log local0. "Pool was down"
          HTTP::respond 404 content "<HTML><HEAD><TITLE>Pool is down</TITLE></HEAD><BODY>Pool is down</BODY></HTML>"
          return ok
        }
      }
    }
  }
}
F5 LTM configuration
COMMON CONFIG
LTM main object