BIGIP-LTM Introduction

Date: 07. 05 2007F5 TrainingBeyond TechnologyF5 LTM 简介东软移动互联网开发部 王旭Date: 07. 05 2007F5 Training议程ƒ ƒ ƒ ƒ 应用交换机的作用 应用交换机产品的发展历史 F5 BIGIP 简介 讨论Date: 07. 05 2007F5 Training应用交换机的作用智能客户端 网络管件Routers智能应用SwitchesFirewalls应用流量管理 安全远程访问 Web应用安全Date: 07. 05 2007F5 Training应用交换机的基本工作ƒ 截获和检查流量,保证只有合适的数据包才能通过 ƒ 服务器监控和健康检查,随时了解服务器群的可用性 状态 ƒ 负载均衡和应用交换功能,通过各种策略导向到合适 的服务器 ƒ 会话的保持以实现与应用系统完美结合截取 监控 负载均衡 保持Date: 07. 05 2007F5 Training议程ƒ ƒ ƒ ƒ 应用交换机的作用 应用交换机产品的发展历史 F5 BIGIP 简介 讨论Date: 07. 05 2007F5 Training应用交换机的发展优化的中央处理 交换机 中央CPU 专有优化OS 分布式ASICBIGIP 2000 BIGIP 2400 Alteon 2424中央分布式 交换机?交换机 功能服务器BIGIP 520Alteon AD3 Cisco CSS专有L4 ASIC/NP 中央CPU 专有优化OS专有OSFoundryNetScelar2001年出品，但 目前还是serverArray TM1996 19971998~20012002~20032004Date: 07. 05 2007F5 Training第6代的应用交换机管理Date: 07. 05 2007F5 Training第6代应用交换机-先进的ASICDRAMƒ 全球唯一的四七层ASIC• 专有CAM • 专有 DRAM/SDRA M • 内置DDOS攻 击防护 • PVA 2 /PVA10CAMASICSDRAMDate: 07. 05 2007第六代应用交换机-先进的软件结 构基础管理平台系统管理 健康检查 WEB界面F5 Training管理系统流量处理微内核管理CPU高速硬件平台Date: 07. 05 2007F5 Training第六代应用交换机-Full Proxy结构TrafficShield Web Accel Microkernel Rate Shaping TCP Express Compression TCP Express OneConnect TCP ProxyClient Side Server SideCachingClientXMLSSL3rd PartyServeriRules High Performance HW iControl APIƒ ƒ ƒ ƒ ƒTMOS Traffic Plug-ins High-Performance Networking Microkernel Powerful Application Protocol Support iControl – External Monitoring and Control iRules – Network Programming LanguageDate: 07. 05 2007F5 Training议程ƒ ƒ ƒ ƒ 应用交换机的作用 应用交换机产品的发展历史 F5 BIGIP 简介 讨论Date: 07. 05 2007F5 TrainingF5 BIGIP产品简介840010Gbps Platform数据中心整合68002-46400Gbps Platforms多服务应用3400500 Mbps1500- 1 Gbps Platforms应用交换Date: 07. 05 2007F5 TrainingBIG-IP LTM 1500ƒ 2个千兆光纤端口，4个千兆电口 ƒ 内置独立管理机-生产系统与管理系统分离，进一步提高 系统可靠性 ƒ 768MB内存，单CPU ƒ BIGIP 1500 LTM• 全面支持多应用负载均衡：12种负载均衡算法 • 可编程控制架构：50多个事件，200多个函数处理 • 内置100TPS SSL加速功能，独立NP处理SSL对称算法和非对称算 法 • 多种可扩展模块：SSL加速、带宽控制、内存Cache、HTTP压缩Date: 07. 05 2007F5 TrainingBIGIP LTM 3400ƒ 2个千兆光纤端口，8个千兆电口 ƒ 内置独立管理机-生产系统与管理系统分离，进一步提高系 统可靠性 ƒ Packet Velocity ASIC 2提供高性能四-七层处理 ƒ 1GB内存，超线程2.8Ghz CPU ƒ BIGIP 3400 LTM• • • • 全面支持多应用负载均衡：12种负载均衡算法 可编程控制架构：50多个事件，200多个函数处理 内置100TPS SSL加速功能，独立NP处理SSL对称算法和非对称算法 多种可扩展模块：SSL加速、带宽控制、内存Cache、HTTP压缩Date: 07. 05 2007F5 TrainingBIG-IP LTM 6400/6800ƒ ƒ ƒ ƒ ƒ4个千兆光纤端口，16个千兆电口 内置独立管理机-生产系统与管理系统分离，进一步提高系统可靠性 Packet Velocity ASIC 2提供高性能四-七层处理 2GB内存，双64位高速CPU BIGIP 6400 LTM • 全面支持多应用负载均衡：12种负载均衡算法 • 可编程控制架构：50多个事件，200多个函数处理 • 内置100TPS SSL加速功能，独立NP处理SSL对称算法和非对称算法 • 多种可扩展模块：SSL加速、带宽控制、内存Cache、HTTP压缩、 Application SecurityDate: 07. 05 2007F5 TrainingBIGIP LTM 8400ƒ 2个万兆端口，12个光/电千兆端口 ƒ 内置独立管理机-生产系统与管理系统分离，进一步 提高系统可靠性 ƒ Packet Velocity ASIC 10提供高性能四-七层处理 ƒ 高达10Gbps的吞吐能力 ƒ 2GB内存，双64位高速CPUDate: 07. 05 2007F5 TrainingBIGIP LTM的主要性能技术参数BIG-IP 1500 v9 四层会话数/秒 七层会话数/秒 最大吞吐能力 最大并发连接数 最大SSL TPS 最大 SSL 吞吐率 最大 SSL 并发连接数 最大压缩字节/秒 交换背板 60,000 22,000 500Mb/s 4 Million 2,000 500Mb/s 100,000 100Mb/s 14Gb/s BIG-IP 3400 v9 110,000 50,000 1Gb/s 4 Million 5,000 1Gb/s 200,000 500Mb/s 22 Gb/s BIG-IP 6400 v9 220,000 75,000 2Gb/s 8 Million 15,000 2Gb/s 500,000 2Gb/s 44 Gb/s BIG-IP 6800 v9 220,000 110,000 4Gb/s 8 Million 20,000 2Gb/s 500,000 2Gb/s 44 Gb/sDate: 07. 05 2007F5 Training用户 Users手机全新的体系结构 统一的网络/应用基础设施服务交付客户关 系管理 数据库 Siebel BEA应用Legacy .NET SAP个人数字助 理优化 安全笔记本 台式机流量管理 操作系统PeopleSoft IBM 企业资 源规划 SFA （销售 力量 自动化） 定制应用托管主机(TM/OS)Date: 07. 05 2007F5 Training能够对应用流进行管理• 独立的连接控制 • 支持所有的IP应用 • 高性能的应用构架 • 双向、全面的负载检查 • 基于会话的控制系统通用检查引擎（UIE）TM/OS 快速应用代理客户端 服务器端Date: 07. 05 2007F5 Training全新等级的智能特性基于数 据包针对单一通信作出反应、单向基于流TM/OS实时双向会话，在多个对象间传输 能够理解全部会话Date: 07. 05 2007F5 Training为网络注入智力 TMOS客户端HTTP TM filter TCP TM filter SSL TM filterTCP proxy服务器端TCP TM filterClient Server Side Side Received Send RequestRequestƒ 开放的一体化应用服务 ƒ 保证应用流畅 ƒ 无以伦比的性能 ƒ 结构化的管理能力Date: 07. 05 2007F5 Training最智能、最具适应性的解决方案iRules可编程的网络语言可编程 应用网络基于图形用户界面的应用简档（Profile）可重复策略统一的应用基础设施服务功能的适应性 及目标性安全 优化 交付 新的服务通用检查引擎（UIE）针对应用流的 完全可见性 及可控制性TM/OS 快速应用代理客户端压缩站点TCP优化 负载平衡服务器端Date: 07. 05 2007F5 TrainingBIG-IP-LTM-真正的应用交换机Date: 07. 05 2007F5 TrainingBIG-IP-LTM的工作模式用户请求 基于地址的流量 导向virtual addr192.168.101.1virtual addr192.168.101.2基于端口的流 量导向virtual server192.168.101.1:80virtual server192.168.101.1:443智能流量控制iRules pool(name= cgi_boxes)pool(name= asp_boxes)pool(name= ssl_boxes)（通过检查URL， Header，Cookie， TCP/UDP内容）membermembermembermembermembermembermembermembermember(server= (server= (server= 10.1.1.1:80) 10.1.1.2:80) 10.1.1.3:80)(server= (server= (server= 10.1.1.4:80) 10.1.1.5:80) 10.1.1.6:80)(server= (server= (server= 10.1.1.1:443) 10.1.1.2:443) 10.1.1.6:443)负载均衡Date: 07. 05 2007F5 TrainingBIG-IP-LTM基本功能-服务器负载均衡最多的负载均衡模式(12种) 其中观察模式,预测模式是F5的专利 会话保持技术最多(8种) 其中Cookie 会话保持技术向所有的 竞争对手收取专利费 服务器健康检查最彻底 专有的EAV、ECV健康检查模式 性能最好,速度最快: 270,000 S/S Lay4; 110,000 S/S Lay7;10Gbps; 会话保持数量第一达到:800万 支持最多的VIP : 4万个 唯一交换机厂商有开放的API1 2 3 3BIG-IP application switch combo Link Controller1 2Date: 07. 05 2007F5 Trainingƒ ƒƒƒƒ ƒƒ ƒ轮询（RoundRobin）：顺序循环将请求一次顺序循环地连接每个服务器。

外网F5配置步骤：一、登录到F5 BIG-IP管理界面：1、初次使用：①、打开F5 BIG-IP电源，用一根网线（直连线和交叉线均可）连接F5 BIG-IP的3.1管理网口和笔记本电脑的网口，将笔记本电脑的IP地址配置为“192.168.1.*”，子网掩码配置为“255.255.255.0”。

②、用浏览器访问F5 BIG-IP的出厂默认管理IP地址https://192.168.1.245或https://192.168.245.245③、输入出厂默认用户名：admin，密码：admin④、点击Activate进入F5 BIG-IP License申请与激活页面，激活License。

⑤、修改默认管理密码。

2、以后登录：通过F5 BIG-IP的自身外网IP登录。

①、假设设置的F5自身外网IP为61.1.1.2，就可以通过https://61.1.1.2/登录。

②、还可以通过SSH登录，用户名为root，密码跟Web管理的密码相同。

二、创建两个VLAN：internal和external，分别表示内网和外网。

1、创建VLAN：internal（内网）在“Network→VLANs”页面点击“create”按钮：①、Name栏填写：internal（填一个英文名称）②、Tag栏填写：4093（填一个数字）③、Interfaces栏：将Available列的“1.1”拉到Untagged列。

1.1表示F5 BIG-IP的第一块网卡。

2、创建VLAN：external（外网）在“Network→VLANs”页面点击“create”按钮创建VLAN：①、Name栏填写：external（填一个英文名称）②、Tag栏填写：4094（填一个数字）③、Interfaces栏：将Available列的“1.2”拉到Untagged列。

1.2表示F5 BIG-IP的第二块网卡。

三、创建F5 BIG-IP的自身IP：分别对应internal（内网）和external（外网）。

Deploying the BIG-IP LTM System v9 with Oracle E-Business Suite 11iIntroducing the BIG-IP and Oracle 11i configurationOracle and F5 have developed and tested an effective way to direct trafficfor Oracle E-Business Suite 11i deployments using the BIG-IP applicationtraffic management device. When deployed with Oracle 11i, the BIG-IPproduct ensures fast delivery, always-on access, peak security and easyexpansion for applications running on Oracle.With Oracle E-Business Suite 11i and F5 Networks award-winningapplication traffic management products, enterprises achieve increasedsecurity, a higher level of availability and better performance from theirOracle-based applications, while increasing the return on investment of theire-business infrastructures.For more information on the BIG-IP system, see/f5products/products/bigip/For more information on the Oracle E-Business Suite 11i, see/applications/home.htmlPrerequisites and configuration notesThe following are prerequisites for this Deployment Guide:◆You must have an Oracle 11i deployment running version 11.5.9 or later,with the latest recommended patches.◆You have configured your Oracle 11i deployment according to theprocedures outlined in Option 2.2, HTTP Layer Hardware LoadBalancing, of the following Oracle MetaLink document:/metalink/plsql/ml2_documents.showFrameDocument?p_database_id=NOT&p_id=217368.1You need a MetaLink user account to access this file. If you do not havean account, contact Oracle.◆The BIG-IP system must be running version 9.0 or later (the step-by-stepconfiguration procedures in this Deployment Guide are for 9.0 or later,for versions 4.5.x and 4.6.x, see/solutions/deployment/oracle_11i_dg.html).◆Briefly review the basic configuration tasks and the few pieces ofinformation, such as IP addresses, that you should gather in preparationfor completing the BIG-IP system configuration.NoteAll of the configuration procedures in this Deployment Guide are performedon the BIG-IP system. For specific information on how to configure Oracle11i, consult the Oracle Documentation.This document is written with the assumption that you are familiar with boththe BIG-IP system and Oracle 11i. For more information on configuringthese products, consult the appropriate documentation.1 - 1Deploying the BIG-IP System v9 with Oracle E-Business Suite 11iBIG-IP® Deployment Guide 1 - 2Configuration exampleThe BIG-IP system provides intelligent traffic management and highavailability for Oracle 11i deployments. Through advanced health checkingcapabilities, the BIG-IP product recognizes when resources are unavailableor under-performing and directs traffic to another resource. The BIG-IPdevice tracks Oracle end-user sessions, which ensures the client maintainssession state with the servers. The following diagram shows an exampledeployment with Oracle 11i and the BIG-IP system.Figure 1.1BIG-IP Oracle 11i configuration exampleConfiguring the BIG-IP system for deployment with Oracle 11iTo configure the BIG-IP for directing traffic to the Oracle devices, you needto complete the following procedures:•Connecting to the BIG-IP device using the Configuration utility•Creating the HTTP health monitor•Creating the pool•Creating a profile•Creating the virtual server•Synchronizing the BIG-IP configuration if using a redundant systemThe BIG-IP system offers both web-based and command line configurationtools, so that users can work in the environment that they are mostcomfortable with. This Deployment Guide contains procedures to configurethe BIG-IP system using the BIG-IP web-based Configuration utility only.If you are familiar with using the bigpipe command line interface you canuse the command line to configure the BIG-IP device, however, werecommend using the Configuration utility.For an added level of automation and intelligence, you can also use theiControl programmatic interface. iControl has proven itself as the first andonly Web services (SOAP/XML) API and SDK for network devices.iControl sets a new standard for how applications can monitor, control, andautomate network device functions to provide optimal management andoperation efficiency in the datacenter. iControl provides a powerful optionfor enabling applications to work more cohesively with the network forenhanced control, performance, and reliability. For more information oniControl, visit /.TipWe recommend you save your existing BIG-IP configuration before youbegin the procedures in this Deployment Guide. To save your BIG-IPconfiguration, see Appendix A: Backing up and restoring the BIG-IPsystem configuration, on page 1-14.Connecting to the BIG-IP device using the Configuration utilityUse the following procedure to access the BIG-IP web-based Configurationutility using a web browser.To connect to the BIG-IP system using the Configurationutility1.In a browser, type the following URL:https://<administrative IP address of the BIG-IP device>A Security Alert dialog box appears, click Yes.The authorization dialog box appears.1 - 3Deploying the BIG-IP System v9 with Oracle E-Business Suite 11i2.Type your user name and password, and click OK.The Welcome screen opens.Once you are logged onto the BIG-IP system, the Welcome screenof the new Configuration utility opens. From the Configurationutility, you can configure and monitor the BIG-IP system, as well asaccess online help, download SNMP MIBs and Plug-ins, and evensearch for specific objects.Creating the HTTP health monitorThe first step is to set up health monitors for the Oracle devices. Thisprocedure is optional, but very strongly recommended. For thisconfiguration, we use the default ICMP health monitor (configured after thepool in the Adding an ICMP monitor section), and as well as a slightlycustomized HTTP monitor.The HTTP monitor is an Extended Content Verification (ECV) monitor,which checks nodes (IP address and port combinations), and can beconfigured to use send and recv statements in an attempt to retrieve explicitcontent from nodes. We configure the health monitors first in version 9.0, asECV health monitors are now associated at the pool level.To configure a health monitor from the BIG-IPConfiguration utility1.On the Main tab, expand Local Traffic, and then click Monitors.The Monitors screen opens.2.Click the Create button.The New Monitor screen opens.3.In the Name box, type a name for the Monitor.In our example, we type oracle_http_monitor.4.From the Type list, select http.The HTTP Monitor configuration options appear.5.In the Configuration section, in the Interval and Timeout boxes,type an Interval and Timeout. We recommend at least a 1:3 +1 ratiobetween the interval and the timeout (for example, the defaultsetting has an interval of 5 and an timeout of 16). In our example,we use a Interval of 30 and a Timeout of 91.6.In the Send String and Receive Rule sections, you can add a SendString and Receive Rule specific to the device being checked.Important Note:When using the GET send string, you must end the string byincluding the HTTP protocol at the end of the statement. Use thefollowing syntax:GET <fully qualified path name> HTTP/1.0For example:GET /www/support/customer_info_form.html HTTP/1.0BIG-IP® Deployment Guide 1 - 41 - 5Figure 1.2 Creating the HTTP Monitor7.Click the Finished button.The new monitor is added to the Monitor list.Creating the poolThe first procedure in this configuration is to configure a pool for the Oracle devices. A BIG-IP pool is a set of devices grouped together to receive traffic according to a load balancing method. In this Deployment Guide, we configure one pool for our Oracle devices.To create the application server pool from theConfiguration utility1.On the Main tab, expand Local Traffic.Deploying the BIG-IP System v9 with Oracle E-Business Suite 11i2.Click Pools.The Pool screen opens.3.In the upper right portion of the screen, click the Create button.The New Pool screen opens.Note:For more (optional) pool configuration settings, from theConfiguration list, select Advanced. Configure these settings asapplicable for your network.4.In the Name box, enter a name for your pool.In our example, we use oracle_http.5.In the Health Monitors section, select the name of the monitor youcreated in the Creating the HTTP health monitor section, and clickthe Add (<<) button. In our example, we selectoracle_http_monitor.6.From the Load Balancing Method list, choose your preferred loadbalancing method (different load balancing methods may yieldoptimal results for a particular network).In our example, we select Predictive (member).7.In this pool, we leave the Priority Group Activation Disabled.8.In the New Members section, make sure the New Address optionbutton is selected.Tip: As this is the second pool you are creating, you can click theNode List option button, then select the Oracle server IP Addressesfrom the list, so you do not have to type them again.9.In the Address box, add the first server to the pool. In our example,we type 150.150.150.7.10.In the Service Port box, type the service number you want to usefor this device, or specify a service by choosing a service name fromthe list.In our example, we type 8000.11.Click the Add button to add the member to the list.12.Repeat steps 9-11 for each server you want to add to the pool.In our example, we repeat these steps three times for the remainingservers, 150.150.150.8 and .9 (see Figure1.3).BIG-IP® Deployment Guide 1 - 613.Click the Finished button.Figure 1.3 Adding the oracle_http poolAdding an ICMP monitorWe recommend that in addition to the HTTP monitor, you also add a simpleICMP monitor to the Oracle nodes. An ICMP type of monitor simplydetermines whether the status of a node is up or down. In the followingprocedure, we should you how to create default ICMP monitor.To create an ICMP monitor1.On the Main tab, expand Local Traffic.2.Click Nodes.The Node screen opens showing all currently configured nodes.3.On the Menu bar, click Default Monitor.The Default Monitor screen opens.4.From the Available list, select icmp, and click the Add (<<) buttonto add it to the Active list (see Figure 1.4).5.Click the Update button.1 - 7Deploying the BIG-IP System v9 with Oracle E-Business Suite 11i BIG-IP® Deployment Guide 1 - 8Figure 1.4 Adding a default ICMP monitor TipIf you do not want the ICMP check to monitor all of your nodes, you can remove the monitor from specific nodes. To remove the monitor: From the Nodes screen click the Address of the nodes you do not want to monitor with the ICMP check, and from the Health Monitors list, select None , then click the Update button.Creating a profileBIG-IP version 9.0 and later use profiles. A profile is an object that contains user-configurable settings, with default values, for controlling the behavior of a particular type of network traffic, such as HTTP connections. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient.Chose from the following two profile types, based on your configuration:◆HTTP Most Oracle deployments use a standard HTTP profile. If your Oracle deployment does not use SSL, follow the procedure Creating an HTTP profile .◆SSL If your Oracle E-Business Suite 11i deployment requires SSL, you need to create an SSL profile. Follow the procedure Creating a SSL profile . Creating an HTTP profileFor most Oracle deployments using HTTP, you could simply use the default HTTP profile. However, we recommend you create a new profile based on the HTTP profile, so in the future, if you need to change any of the profilesettings, you do not overwrite the default profile by mistake. Before youstart creating this profile, you can view the settings for the default HTTPprofile to see if it is applicable for your network (From the Local Trafficmenu, click Profiles, then click HTTP).To create a new HTTP profile based on the default HTTPprofile1.On the Main tab, expand Local Traffic.2.Click Profiles.The HTTP Profiles screen opens.3.In the upper right portion of the screen, click the Create button.The New HTTP Profile screen opens.4.In the Name box, type a name for this profile. In our example, wetype oracle_http_profile.5.Modify any of the settings as applicable for your network.6.Click the Finished button.For more information on creating or modifying profiles, or applying profilesin general, see the BIG-IP documentation.Creating a SSL profileIf your Oracle deployment uses SSL, you need to create an SSL profile.Before creating the SSL profile on the BIG-IP system, you must have acertificate/key pair issued by a recognized certificate authority. The appletused by Oracle 11i does not work with the BIG-IP device’s self-signedcertificates. For information on installing a key/certificate pair on theBIG-IP device, see the BIG Configuration Guide for Local TrafficManagement, Chapter 7, Managing SSL Traffic.ImportantTo prepare your Oracle 11i deployment for load balancing SSL, you mustfollow the procedures outlined in Option 2.2, HTTP Layer Hardware LoadBalancing, of the following Oracle MetaLink document:/metalink/plsql/ml2_documents.showFrameDocument?p_database_id=NOT&p_id=217368.1Specifically, option 2.2.3 contains steps relevant to the SSL accelerator.NoteIf you are not using SSL in your deployment, you do not need to perform thisprocedure.To create a new SSL profile based on the default SSLprofile1.On the Main tab, expand Local Traffic.1 - 9Deploying the BIG-IP System v9 with Oracle E-Business Suite 11i2.Click Profiles.The HTTP Profiles screen opens.3.From the Menu bar’s SSL menu, select Client.The Client SSL Profiles screen opens.4.In the upper right portion of the screen, click the Create button.The New Client SSL Profile screen opens.5.In the Name box, type a name for this profile. In our example, wetype oracle_https_profile.6.In the Configuration section, click a check in the Custom boxes forCertificate and Key, and select the appropriate certificate and keyfrom the list.Important: You must already have installed an SSL certificate andKey pair issued by a recognized certificate authority. If you do nothave an SSL certificate and key, you must obtain one, and then referto the BIG Configuration Guide for Local Traffic Managementguide for installation instructions.7.Modify any of the settings as applicable for your network.8.Click the Finished button.For more information on creating or modifying profiles, or applying profilesin general, see the BIG-IP documentation.Creating the virtual serverThe next step in this configuration is to define a virtual server thatreferences the profile and pool you created. For this virtual server, we usethe Cookie Persistence profile, which is cookie persistence, insert mode, therecommended persistence method for Oracle E-Business Suite.To create the HTTP virtual server using the Configurationutility1.On the Main tab, expand Local Traffic.2.Click Virtual Servers.The Virtual Server screen opens.3.In the upper right portion of the screen, click the Create button.The New Virtual Server screen opens.4.In the Name box, type a name for this virtual server. In ourexample, we type oracle_http_vs.If your Oracle deployment uses SSL, and you created an SSL profilein the preceding procedure, type oracle_ssl_vs.5.In the Destination section, select the Host option button.6.In the Address box, type the IP address of this virtual server. In ourexample, we use 192.168.200.10.7.In the Service Port box, there are two options depending on yourconfiguration:a)If you are using the standard configuration, and created an HTTPprofile in the preceding procedure; in the Service Port section,type 80, or select HTTP from the list.Figure 1.5 Adding an HTTP virtual serverb)If your Oracle deployment uses SSL, and you created an SSLprofile in the preceding procedure; in the Service Port section,type 443, or select HTTP from the list.Figure 1.6 Adding an SSL virtual server8.In the Configuration section, leave the Type list at the defaultsetting: Standard.Note:For more (optional) virtual server configuration settings,from the Configuration list, select Advanced. Configure thesesettings as applicable for your network.9.The next step is to select a profile. Depending on yourconfiguration, there are two options:a)If you are using the standard configuration, and created an HTTPprofile in the preceding procedure, in the HTTP Profile section,select the profile you created in the Creating an HTTP profilesection. In our example, we select oracle_http_profile from theDeploying the BIG-IP System v9 with Oracle E-Business Suite 11ilist.Configure the rest of the this section as applicable for yourenvironment.Figure 1.7 Selecting the HTTP profile for the virtual serverb)If your Oracle deployment uses SSL, and you created an SSLprofile in the preceding procedure, leave the HTTP Profilesection at None. In the SSL Profile section, select the profile youcreated in the Creating a SSL profile section. In our example, weselect oracle_ssl_profile.Figure 1.8 Selecting the SSL profile for the virtual server10.In the Resources section, from the Default Pool list, select the poolyou created in the Creating the pool section. In our example, weselect oracle_http.11.From the Default Persistence Profile list, select cookie.This sets the persistence method to cookie persistence, Insert mode,where the cookie expires at the end of the session. If want to modifythe default settings, including a specific expiration for the cookie,create a new persistence profile, based on the cookie profile.Figure 1.9 Resources section of the add virtual server page12.Click the Finished button.Synchronizing the BIG-IP configuration if using a redundant systemIf you are using a redundant BIG-IP configuration, the final step is tosynchronize the configuration to the peer BIG-IP device.To synchronize the configuration using the Configurationutility1.On the Main tab, expand System.2.Click High Availability.The Redundancy screen opens.3.On the Menu bar, click ConfigSync.4.Click the Self --> Peer button.The configuration synchronizes with its peer.Deploying the BIG-IP System v9 with Oracle E-Business Suite 11i Appendix A: Backing up and restoring the BIG-IPsystem configurationWe recommend saving your BIG-IP configuration before you begin thisconfiguration. When you save the BIG-IP configuration, it collects thefollowing critical data and compress it into a single User Configuration Set(UCS) file:•BIG-IP configuration files•BIG-IP license and passwords•SSL certificates•SSH keysSaving up and restoring the BIG-IP configurationThe Configuration Management screen allows you to save and restore allconfiguration files that you may edit to configure a BIG-IP system. Theseconfiguration files are called a User Configuration Set (UCS). TheConfiguration Management screen contains sections for saving andrestoring a configuration. The list boxes in these sections display only filesin the /usr/local/ucs directory. If you want to save or restore files fromanother directory, you must type the full path in the box.To save the BIG-IP configuration using the Configurationutility1.In the navigation pane, click System Admin.The User Administration screen displays.2.Click the Configuration Management tab.The Configuration Management screen displays.3.In the Save Current Configuration section, type the path whereyou want your configuration file saved or choose a path from the listbox. If no path is specified, the BIG-IP saves files to /usr/local/ucs.The BIG-IP appends the extension.ucs to file names without it.In our example, we type pre_oracle_backup.ucs.4.Click the Save button to save the configuration file.To restore a BIG-IP configuration1.In the navigation pane, click System Admin.The User Administration screen displays.2.Click the Configuration Management tab.The Configuration Management screen displays.3.In the Restore a Configuration section, choose the configurationfile you want to restore from the list box, or type the path where your configuration files were saved.4.Click the Restore button.To check the status of the restoration, click the View Log button.You should wait a few moments for the log file to start generating before you click View Log. Repeated clicking of this button will update your screen with the most current log file information until the restoration is complete.。

F5 BIG-IP负载均衡器配置指导书目录一、ISMG网络结构与IP地址规划 (3)二、配置BIGIP3400负载均衡设备 (4)2.1设置负载均衡器管理网口地址 (4)2.2登录BIGIP的WEB管理界面 (5)2.3激活License (5)2.4初始化设置 (7)2.4.1BIG-IP 1上的平台(Platform)通用属性设置 (7)2.4.2修改系统时间 (8)2.4.4重新启动bigip (9)2.5配置网络层 (9)2.5.1划分vlan (9)2.5.2定义IP地址 (11)2.5.3配置路由 (13)2.6配置双机设置(High Availability) (14)2.6.1配置Redundant Pair的IP地址 (14)2.6.2配置双机自动切换机制FailSafe配置 (16)2.7配置服务器负载均衡 (17)2.7.1配置Monitor (17)2.7.2配置Profile (18)2.7.3配置负载均衡Pool (19)2.7.5建立Virtual server,实现对服务器的负载均衡 (20)2.7.5设置SNAT (23)2.8两台BIGIP配置同步 (26)2.9备份配置 (26)三、系统运行状态检查及维护 (27)3.1检查系统日志信息： (27)3.2检查Node状态 (28)3.3查看流量信息 (29)3.4查看系统当前性能参数 (29)3.5密码的更改 (30)3.6添加“只读”权限的管理员帐号 (30)3.7如何查询设备的序列号： (31)3.8如何采集信息提供他人进行故障诊断 (31)3.8对某一Virtual Server用TCPDUMP命令无法抓到包如何处理？ (32)一、网络结构与IP地址规划网络拓扑结构如下图所示：略相关的IP地址规划如下：注：以上的IP地址规划是测试环境的IP地址设置，需要根据现网环境中的IP地址规划进行修改。

注：以下接口连接表还没有更新，需要由现场工程师更新的。

（商务智能)FBIGIPLTM 部署方案(组建网络部分)品质F5 BIG-IP LTM部署参考方案网络部署分析部分2009-02-18目录第1章、前言 (2)第2章、概述 (3)2.1文档目的 (3)2.2文档范围 (3)2.3目标读者 (3)第3章、F5 LTM组网原则 (3)3.1可用性 (4)3.2可靠性 (4)3.3扩展性 (4)3.4可管理 (5)第4章、F5 LTM组网结构 (5)4.1串行结构 (5)4.1.1串行组网方式一 (5)4.1.2串行组网方式二 (7)4.1.3两种方式比较分析 (8)4.2并行结构 (9)4.2.1接入方式一 (10)4.2.2接入方式二 (11)4.2.3接入方式三 (12)4.3 HA部署分析 (14)4.3.1部署方式一 (14)4.3.2部署方式二 (15)4.3.3部署方式三 (15)4.4 Channel部署 (16)4.5 组网结构对比总表 (18)第5章、F5 LTM网络配置 (20)5.1 F5 LTM端口类型 (20)5.2 F5 LTM端口连接方式 (21)5.2.1Trunk连接 (21)5.2.2Tag-base access to vlans连接 (22)5.2.3Port-based access vlan连接 (23)5.3 F5 LTM VLAN划分 (23)5.4 F5 LTM Self IP划分 (26)5.5 F5 LTM路由配置 (28)第1章、前言根据目前F5 BIG-IP LTM设备在网络环境中部署的需求不断增加，为了能够使BIG-IP LTM组建的网络环境更加有效提高网络安全、稳定性及业务的整体性能，我们对BIG-IP LTM在组网结构方面进行了细致分析，介绍使用现状，以便为部署F5 BIG-IP LTM设备的人员提供帮助和参考。

第2章、概述2.1文档目的该文档的主要目的是能够帮助部署F5 BIG-IP LTM人员，在BIG-IP LTM网络方面的组网结构选择、部署方法等提供有效的分析和参考，使F5 BIG-IP LTM 在网络环境中更加规范有效。

负载均衡设备之谈谈我们正在使用的F5 BIG-IP LTM2014-05-29 06:19:30标签：互联网nginx F5均衡器原创作品，允许转载，转载时请务必以超链接形式标明文章原始出处、作者信息和本声明。

否则将追究法律责任。

/3984207/1418920具有一定服务器规模的互联网公司为了应对集群服务器管理问题，基本上使用F5负载均衡设备作为流量管理的入口，比如搜狐，新浪，金山等,目前在我们测试环境用的是F5 BIG-IP LTM，生产环境用的是F5 viprion。

F5 BIG-IP LTM ，中文说法是本地流量管理器,可以做4-7层负载均衡，4层负载均衡功能由F5专门的硬件模块负责，7层负载均衡功能由软件实现。

F5负载均衡器具有负载均衡应用交换会话交换状态监控智能网络地址转换通用持续性响应错误处理IPv6网关高级路由智能端口镜像SSL加速智能HTTP压缩TCP优化第7层速率整形内容缓冲内容转换连接加速高速缓存Cookie加密选择性内容加密应用攻击过滤拒绝服务(DoS)攻击和SYN Flood保护防火墙—包过滤包消毒等功能我们最近在做F5负载均衡设备7层路由切换到4层路由，将F5上的url irules规则下放到F5后端的nginx集群，从而充分减轻F5负载均衡的压力，充分发挥F5负载均衡的优势。

7层irules规则由于是由F5硬件设备上的软件模拟实现的功能，所以在效率方面没有硬件实现的四层负载均衡的效率高。

随着流量增加，七层规则会增加f5设备cpu的负载，尤其是在irules中对正则规则的使用会加剧F5性能的消耗。

从日常管理中，我们可以总结出F5在处理请求时的结构图：当一个用户访问 的时候，首先通过DNS服务器根据我们自己配置的name server服务器解析记录将 解析为对应的公网ip地址，比如电信线路的180.153.132.49。

用户向180.153.132.49发起访问请求，请求经过网络路由，到达F5设备。

F5BIG-IPLTM标准配置文档BIG-IP LTM 标准配置文档目录一、设备配置准备工作 (3)1.设备硬件环境准备 (3)2.工作站F5设备连接 (4)二、网络基础配置 (7)1.激活License (7)2.网络配置 (14)三、服务器负载均衡配置 (18)1.配置default_gateway_vs (18)2.针对服务建立相应VS (20)一、设备配置准备工作1.设备硬件环境准备1．BigIP 1500及随机器配置的电源线、Console线、网线等；2．工作站一台并且预装了下列软件工具：SSH工具软件如SecureCRT；SFTP工具软件如WinSCP；3．上网环境：需要上网激活F5设备；4．LTM实施完成后拓扑图：2.工作站F5设备连接1．将Console 线连接工作站COM 口和F5的console 口，网线连接工作站网口和F5的MGMT网口。

2．如果工作站使用“超级终端”，COM 口设置如下：如果工作站使用SecureCRT ，设置如下：3．F5的MGMT网口默认的IP地址为192.168.1.245/24，因此，配置工作站网口的地址为192.168.1.200/24，以便与F5设备连接；4．工作站上ssh工具如SecureCRT设置如下：二、网络基础配置1.激活License1．系统时间修改：使用超级终端或者SecureCRT登录F5 BIG-IP的console口，输入命令：[root@localhost:Active] config # date查看当前系统时间：如果系统时间正确，则不作修改，退出console；如果系统时间不正确，使用下面两条命令修改到正确的时间：[root@localhost:Active] config # date MMDDhhmmYYYY[root@localhost:Active] config # hwclock --systohc2．登录F5 BIG-IP LTM设备并输入key，获取dossior.do文件在工作站使用IE浏览器，输入https://192.168.1.245登录BIG-IP点击“是”确认证书。

BIGIP标准配置文档目录1. 连接BIGIP (4)1.1 Console方式 (4)1.2 网络连接方式 (4)1.2.1 基于WEB方式 (4)1.2.2 基于SSH方式 (7)2.网络配置 (9)2.1 网络配置步骤及流程 (9)2.1.1 L2 Vlan 配置 (10)2.1.2 L3 self ip 配置 (11)2.2 服务器直连模式网络配置 (12)2.2.1 网络连接拓扑图 (12)2.2.2 VLAN划分 (12)2.2.3 IP地址划分 (13)2.3 服务器非直连模式网络配置 (14)2.3.1 网络拓扑结构 (14)2.3.2 VLAN划分 (14)2.3.3 IP地址划分 (15)2.4 透明模式网络配置 (16)2.4.1 网络拓扑结构 (16)2.4.2 VLAN划分 (16)2.4.3 IP地址划分 (16)2.5 静态路由的添加 (17)3.负载均衡配置 (17)3.2 Pool配置 (19)3.3 Virtual Server配置 (22)3.4 会话保持配置 (24)3.4.1 会话保持的概念 (24)3.4.2 Simple会话保持 (25)3.4.3 Cookie 会话保持 (26)3.5 iRules配置 (27)3.6 Monitor配置 (30)3.6.1 Monitor的添加 (30)3.6.2 Node Address Monitor配置 (33)3.6.3 Node Association Monitor配置 (35)3.6.4 Monitor 的验证 (36)4. SNAT配置 (37)4.1 SNAT的概念 (37)4.2 NAT配置 (38)4.3 SNAT配置 (39)4.3.1 SNAT IP配置 (39)4.3.2 SNAT AutoMap配置 (41)5. Redundent配置 (42)6. 系统维护部分配置 (42)6.1 SNMP配置 (42)6.2 Syslog配置 (43)6.3 NTP配置 (43)6.4 用户管理 (46)7. BIGIP命令行常用命令解释 (53)7.1 系统配置相关命令 (53)7.2 系统维护相关命令 (53)1.连接BIGIP1.1Console方式基于Console终端配置BIG-IP 的准备安装Windows操作系统的PC一台（装有超级终端）BIGIP设备自带的Console电缆一条使用超级终端建立一个连接，通过Console电缆一端连接BIGIP，一端连接COM，COM的参数设置如图：1.2网络连接方式1.2.1基于WEB方式在浏览器地址栏键入https://（BIGIP 设备IP地址），如下图：回车后，出现以下界面：此对话框为浏览器与BIGIP通讯交换的证书提示，点击“是”继续输入用户名和密码点击确定继续点击Configure your BIGIP Using Configration Utility进入BIGIP配置主界面。

F5 BIG-IP LTM负载均衡器配置指导书（v10)2022-04-25修订记录F5 BIG-IP LTM负载均衡器配置指导书目录第1章 F5 BIG-IP LTM简介 (1)1.1 负载均衡技术简介 (1)1.2 F5 BIG-IP LTM产品介绍 (1)1.3 产品面板简介 (3)1.4 配置方式 (5)1.5 基本概念 (6)第2章 BIG-IP LTM规划与配置准备工作 (8)2.1 BIG-IP LTM配置步骤 (8)2.2 组网规划 (8)2.2.1 规划准备要点 (9)2.2.2 组网图 (9)第3章基本配置 (11)3.1 通过LCD面板设置BIG-IP管理网口地址 (12)3.2 通过管理网口登录BIG-IP WebUI界面 (13)3.3 激活License (13)3.4 设置Platform (17)3.5 修改系统时钟 (19)3.6 配置网络 (19)3.6.1 划分VLAN (20)3.6.2 配置VLAN IP地址 (22)3.6.3 设置接口速率和双工类型 (24)3.6.4 配置静态路由 (24)3.6.5 配置Link Aggregation（可选） (26)第4章负载均衡业务配置 (27)4.1 节点配置 (27)4.2 配置负载均衡池 (28)4.3 配置虚拟服务器 (30)4.3.1 创建虚拟服务器 (30)4.3.2 将虚拟服务器和负载均衡器相关联和会话保持配置 (33)4.4 配置健康检查 (34)4.4.1 自定义节点状态监控 (35)4.4.2 监控与节点/负载均衡池相关联 (36)F5 BIG-IP LTM负载均衡器配置指导书4.4.3 检查系统状态 (38)4.5 配置SNAT (38)4.5.1 配置步骤 (39)4.5.2 验证SNAT配置 (41)第5章双机配置 (43)5.1 双机设置 (43)5.2 双机状态监控设置 (46)5.3 双机状态检查和配置同步 (48)第6章其他的组网方式 (49)6.1 单臂组网方式 (49)6.2 n-path组网方式 (50)F5 BIG-IP LTM负载均衡器配置指导书关键词：负载均衡池、虚拟服务器，节点、会话保持、监控、ECV、EAV、SNAT摘要：按照常见的配置步骤，本文对F5 BIG-IP LTM负载均衡器设备配置进行说明，并对负载均衡器的基本概念和F5设备使用过程中遇到的常见问题进行解答。

前提：ACS服务器搭建成功，Ad服务器搭建成功，ACS初始化配置完整，ACS同步Ad相应分组账号已完成，相应预先定义的配置项已经配置完成。

故以上这些部分配置在此省略。

1、ACS服务器上配置说明：配置之前确认F5与ACS网络是畅通的，如果不通，先调试网络。

先在ACS服务器配置好了，这里将ACS服务器相关的配置进行截图：如下：定义location：定义device type，如下图：添加F5，使用tacacs+认证，如下图：最后完成截图：定义identity Groups：定义Device Filters，如下图：将之前添加的F5设备，添加进去。

定义Shell Profies，Command Sets：如下图：创建一条Access Sevices如下图：分别配置identity，Group Mapping，Authorization。

以上按要求进行配置，并调用之前的预定义。

选择Identity Group ，选择Shell Profile，选择Command Sets，按预先的定义进行选择 。

再创建 一条 sevice selection Rules，如下：以上配置界面，就protocol，Device Filter，service选择之前预先定义的。

最后配置完成如下：2、F5配置F5详细配置如下：先用之前本地管理员账号登陆，页面如下。

选择system，如图：展开system，选择user，再选择Authentication， 如下图：如图，按以下配置：另外需要创建相应的账号，这个账号需要与ACS赋权的一致，否则不能访问。

点击create：ROLE，Partition Accesee，Terminal Access按要求选择相应的。

完成的最后截认：这个与ACS服务器上的需要一致，如图：最后验证，通过tacacs+认证登陆成功。

BIG-IP广域流量管理器产品资料在分布于全球各地的数据中心之间优化应用交付2345678专业服务与支持F5致力于帮助您从F5产品中获得最大的价值。

欲了解F5支持服务如何帮您提高投资回报(ROI)，缩短管理时间，降低管理费用，并且优化IT 基础架构的性能和可靠性，请联系: consulting@ 。

更多信息欲了解关于BIG-IP GTM 的更多信息，请使用 上的搜索功能访问以下资源及其他资源。

产品资料BIG-IP 系统硬件产品资料白皮书灾难恢复: 不仅是针对最坏情况做规划案例研究:American Imaging Management 公司© 2011 F5 Networks 公司。

保留所有权利。

F5、F5 Networks 、F5标识、BIG-IP 、FirePass 和iControl 为F5 Networks 公司在美国和其它国家的商标或注册商标。

F5公司上海代表处地址: 上海市卢湾区湖滨路222号企业天地1号写字楼1119室邮编: 200040电话: (+86) 21 6113 2588传真: (+86) 21 6113 2599地址: 北京市朝阳区建国路81号华贸中心1号写字楼1708室邮编: 100025电话: (+86) 10 5923 4000传真: (+86) 10 5923 4100 F5公司广州代表处地址: 广州市天河区珠江新城华夏路 10号富力中心写字楼1108室邮编: 510623电话: (+86) 20 3892 7557传真: (+86) 20 3892 7547 F5公司成都代表处地址: 成都市滨江东路9号香格里拉中心办公楼18层邮编: 610021电话: (+86) 28 6606 5210传真: (+86) 28 6606 5211。

F5BIGIPiRules编写宝典讲解F5 BIGIP iRules编写宝典1BIGIP V9的结构BIGIP具备世界领先的TM/OS操作系统，通过先进的功能强⼤的UIE（Universal Inspection Engine）来进⾏流量的监测，并通过灵活的iRules将流量进⾏分配、通⾏、阻断和指定带宽控制。

Rate Shaping 模块则负责流量的统计、整形和控制。

TM/OS结构图如下：图表 1 TM/OS结构图在设备底层，是F5独⼀⽆⼆的专⽤四七层ASIC芯⽚加上可⾼达80Gbps交换背板和2颗双核64位的⾼性能CPU。

最⼤吞吐能⼒可达到4GB。

TM/OS系统运⾏在⾼性能的硬件平台上。

通过独有的TCP Stack技术，提供⼤流量下的稳定⼯作平台，特别针对低带宽和⾼延迟客户端有独特的加速功能。

TM/OS通过UIE 和iRules提供双向基于流的监测和控制功能。

在TM/OS上，是BIGIP的各种功能和应⽤模块，分别从应⽤安全、应⽤加速和服务提交等三个⽅⾯对应⽤进⾏加速和全⾯的安全防护。

其典型功能包括内存Cache加速模块、SSL加速模块、防⽕墙模块、带宽控制模块、⾼级⽤户认证模块等。

所有的BIGIP设备均可通过iControl协议进⾏数据收集和设备管理。

iControl架构提供免费的开发包。

客户可以基于⾃⾝需求通过.NET或JA V A应⽤的⼆次开发⽅便的实现对BIGIP设备进⾏监控和管理。

也可通过第三⽅的管理⼯具对设备进⾏监控和管理。

2应⽤流量管理的实现BIGIP对应⽤流量管理的实现，主要通过Virtual Server、Profile、iRules、Pool、Member、Monitor和Persistent（会话保持）实现。

Member为每⼀个服务器的IP地址加上服务端⼝。

每⼀个Member代表⼀个应⽤程序。

在配置过程中，Member不需要单独添加，⽽在Pool的配置中进⾏。

通常，在⼀个对外提供同样功能Member组中，所有的Member必须保持内容上的⼀致。