Thursday 5 October 2023

iRule

 iRule: --

o iRule is a powerful and flexible feature within the BIG-IP local traffic management (LTM).
o IRule is a powerful & flexible feature That you can use to manage your network traffic.
o It significantly enhances ability to customize content switching to suit your exact needs.
o iRule is a powerful and flexible feature of LTM based on F5's exclusive TMOS architecture.
o iRules are built using TCL-based scripting language allowing arbitrary manipulation of traffic.
o It manipulate traffic flowing through LTM, including real-time modification of defined data.
o iRule is scripting language that we use to take the advantages of extra features of BIG IP.
o Using iRules, it is possible to send traffic specific to individual pool members, Ports & URIs.
o iRules provides more advanced capabilities to LTM in order to meet specific requirements.
o iRules is based upon programming language called the Tool Command Language ( TCL).
o iRules are not enabled until it is applied to the virtual server (VS) in BIG IP System LTM.
o Once iRules is enabled on virtual server, it checks all the traffic passing via a virtual server.
o iRules allows LTM to modify server side & client-side traffic all way up to application layer.
o It is recommended to use an iRule is when you want to add some form of functionality.
o To application & that functionality is not already readily available via built-in configuration.
o iRules are user created Tool Command Language programs that are assigned to VS.
o Run (or triggered) by one or more user specified Events related to that Virtual Server (VS).
o TCL itself is a relatively simple programming language to write, read and understand.
o Tool Command Language (TCL) is the simple but still being very powerful and flexible.
o TCL support Variables, Functions, Operators, external files, encryption, external UDP etc.
o TCL also support TCP connections, Geolocation and security functions more other stuff.
o iRules can be created both in LTM GUI (the Configuration Utility) or at the CLI (using tmsh).
o iRules can be applied to Virtual Server types Standard, forwarding (L 2) & Forwarding (IP).
o iRules can be applied to Virtual Server types Performance (HTTP) & Performance (Layer 4).
o In F5 BIG-IP System LTM, iRules is a script that processes and directs network packets.
o In F5 BIG-IP System LTM, iRules is a script that direct traffic to specific Pool & Pool member.
o An iRule is a TCL script to give more control over how traffic is processed via the LTM.

Design Strategies in F5 LTM-

 Design Strategies in F5 LTM--


A key to an effective, resilient and robust network is a good design. Big IP design is a key for faster and more effective failover leading to greater availability and lesser convergence time.

A Big IP works like a switch, having VLAN’s and Spanning Tree Protocol. This enables the Big IP to fit right into your LAN design. You are offered with choices of Active/Standby (Failover) pair or Active/Active or as I like to call it, the “load balance your load balancer” pair, which doubles up on covering for each other. All this is feasible with the concept of “Floating IP”, “Gratuitous ARP” or “Mac Masquerading”.

When the initial configuration of Big IP is done, these are things you need to consider,

What business purpose will this need to serve?

How many businesses are going to be using it?

Where is the load balancer going to be located physically?

Where are the Servers that need to be load balanced going to be located?

Well I have assumed that the Big IP is rightly sized based on the Capacity Planning and licensed as per needs. The above questions will lead us to the answers for one of the most critical things in design, (i.e.) The number of VLAN’s that will be on the Big IP.

We have the following options when designing the Big IP deployments

One Arm Mode

Two Arm Mode

Multi Arm Mode

The number of Arm’s are nothing more but the number of VLAN’s that are created and active on the Big IP. We in this blog will only detail the One Arm Mode:

One Arm Mode is the most common kind of deployment seen nowadays. This is very easy to achieve, this means, creating just one VLAN on the Load Balancer, both the physical servers to be load balanced and the Clients that are try to reach the servers use the same VLAN. So if the Load balancer can reach the clients and servers using that VLAN, we are all set.

This causes the minimum impact on the existing LAN / WAN Design. But it is to be noted that for this to work, we need to enable SNAT (Source NAT) settings on our load balancer.

F5 Commands:

 F5 Commands:


The following command can be used to run through the logs and see the time difference of when a particular pool member went from down to up or up to down and then you can find the time difference between them using the log timestamp.

zegrep -i "monitor.*status" /var/log/ltm*

Full Proxy Architecture


 

F5 Deployment standards or Recommendations

 




F5 Deployment standards or Recommendations :--

. Decide whether you want to use One-Arm or Inline mode.
2. Decide if you want to use Separate internal/external vlans or one
vlan.
3. If using One Arm then SNAT is must.
4. Decide if you want to terminate SSL on F5 or on Server.
5. Which load balancing mechanism to use.
6. Which health monitor to user.
7. Use optimization profiles like one connect, compression etc
8. Use analytics profile to better analyze the traffic and usage
patterns.
9. If two devices then decide active/standby or active/active.
10. For better logging of traffic define some iRule.

11.++Persistence

12.++policy forwarding
13.++ Security Profile

DNS Records


 

Differences bw SNAT and Auto map

 Differences bw SNAT and Auto map :-



SNAT= Secure NAT.
Secure nat will use for symmetric routing.
Ex.
Path A Path B
Client----> F5---> Server<--Internet--Client.

Server to client reply will not go through the Path B.

For that on the F5 u need to enable "auto-map"

While client request will coming from F5, it will get NAT with local interface. Because of NAT server will think this is my local network let me give reply. Once reply given by server It will check translation table on f5, it will give reply to particular client.

iRule

  iRule: -- o iRule is a powerful and flexible feature within the BIG-IP local traffic management (LTM). o IRule is a powerful & flexibl...