Saturday, 26 October 2019

F5 Inteview questions

1.What is TMM?
Ans:-- TMM is Known Traffic Management Microkernel.It is basically the brain of BIGIP.TMM handles all of BIG-IP's local traffic functinality such as-
   a.Intelligent load balancing
   b.Compression
   c.SSL
   d.iRules
   e.Packet Filters etc.

2.What are three main components in F5 HA which we need to configure?
Ans:--   a.Traffic Group
         b.Device Trust
         c.Device Group

Traffic Group:--Is collection of F5 Components whichis VS,Self IP and Pool Member
Device Trust:--Is like building trust between two F5 in HA(It can use your Failover port)
Device Group:--It means you are building HA it will be your two devices collection.
3.Which configuration Files gets synced in HA and which configuration files does not get sync in HA?
Ans:---
/config/bigip.conf--gets sync in F5 but /config/bigip-base.conf does not get sync.
bigip_conf---It contains all your network related setting which are Self Ip,Vlan.

4.Which port is used for network failover when we configure F5 in HA?
Ans:--Port no 1026 UDP.
5.Suppose I need to upgrade i need to see whats difference between my current version and the version going to upgrade?
Ans:--ihealth diagnostic tool where you can just collect qkview and upload and you can use ihealth upgrade advisor which will help you to understand
ihealth.f.com---
6.By default F5 stores how many files or log files in LTM ans suppose I want to see logs for one month ago will i able to see?

Ans:--By default F5 stores 8 files logs and you can see that from cli.
to see logs of ltm.3.gz--you need to run zcat ltm.3.gz--to review contents

7.What is config sync process in LTM?
Ans:--Configuration syncronization which is used to synchronize configuration from active to standby
8.What is command to see how many TMM processes are running and How much is the CPU utilization ?
Ans:--show sys cpu in CLI or show systmm-info
9.What is command to do failover from CLI?
Ans:--run sys failover standby so device will become standby
10.What is the command to see top processes in F5 whaen CPU utilization is high?
Ans:--Go to CLI and run command top


Thursday, 24 October 2019

Address Translation and the F5 BIG-IP

We’ll dive into detail explanations on the 3 ways the BigIP can perform address translation:

  • SNAT
  • NAT
  • Virtual Servers

    • What is SNAT?

      I’ve seen SNAT referenced two ways in F5s documentation, Source Network Address Translation, and Secure Network Address Translation, both of which are correct. “Source” makes it’s easier to understand, because you are translating the “source” addresses of the client initiating traffic or as the devices references it the “origin”. It’s “Secure” because you can’t initiate traffic to a SNAT, the “translation” addresses are never known by the host initiating the traffic. In short a SNAT is made of up three components:
      • Translation – Options: an IP address (single address), a SNAT Pool (multiple addresses), or an Automap(self IP(s) of the Local Traffic Manager). This is what the Source address of the client is translated to.
      • Origin – Options: All addresses (everything coming in on the VLAN you specify, or an Address list (specific addresses you provide). These are indeed the source addresses of the client.
      • VLAN Traffic – Options: All Vlans (every VLAN), Enabled on (only on the vlans specified), or Disabled on (on all vlans except the ones you specify)
      The most common misunderstanding is how SNAT can be used. Unlike a traditional NAT, you can’t send traffic to a SNAT address.  SNATs are either global (ie traffic coming through a LTM), or they can be associated with a Virtual Server.   The first option is the hardest to get your head around, the second option, associating with a Virtual Server, is a lot easier to grasp and is usually everyone’s first exposure to SNAT, using “SNAT automap” applied to a virtual server.  In both examples SNAT is generally used to solve routing issues and can be used with a variety of mappings but not limited to, one to one, many to one, all to one, etc etc.  Let’s dive into the first option and see if we can get a better understanding of SNAT not applied to a Virtual Server, but affecting the LTM globally.

      Global traffic and SNAT

      Outbound Traffic- Translating the source address of many hosts on an internal non Internet routable subnet to one external Internet routable address is a common problem solved with SNAT.  Think about how your home router works, it’s not the same but is a similar concept.  When traffic hits the BigIP the ”origin” would equate to an “address list” you specify with all the hosts in it or “all addresses” for that specific VLAN, the “Translation” would be one single address.(in this example).  The destination addresses now sees the “Translation” address as your new source.  When traffic returns to the BigIP from the destination it is then translated back to the original origin address.  It’s important to note, by default SNATs are allowed on all VLANs, but you can get more granular and split them out between multiple VLANs.

      Virtual Servers and SNAT

      Inbound Traffic- Virtual Servers can have SNATs applied to them effectively changing the source of the Client initiating traffic to the VS. Here’s the really cool part about SNATing, with SNAT anything you can route to you can load balance to! That my F5ers is a beautiful thing! You see, in most cases, the servers you want to load balance are NOT going to have the BigIP as their gateway, so unless you translate the source address to something that belongs to the BigIP, you’re going to end up routing “around” the BigIP and not “through” the BigIP.  Resulting in your VS not working and what we call asymmetrical routing, a fancy term for traffic taking different routing paths in one direction or the other. Asymmetrical routing is not always going to break traffic, but when dealing with a stateful device, something that maintains a connection like the Full Proxy BigIP, asymmetrical routing can break your communication.

      What is SNAT automap, a simple explanation

      Everyone’s first exposure to SNAT is usually SNAT automap. A lot of organizations at some point just turn this on without a good understanding of SNAT. Hopefully after reading this article you have a better understanding of the inner workings of SNAT. The SNAT automap feature is going change the source address of the communication to the self-ip of the exit interface in a specific order of preference. Again, this is so the communication comes back to the Load Balancer. Otherwise the destination host would route around the load balancer when communicating back to the client – resulting in asymmetric traffic. Unless of course the servers have the Local Traffic Manager (LTM) as their gateway, which I discuss in the “inline” section below.

      SNAT automap order of preference

      AJ asked a good question in the comments below that merits an update to this article, and it pertains to “order of preference”. Automap is going to select the source address from available Self-IPs in a specific order of preference as follows:
      1. Floating Self-IP addresses on the egress VLAN
      2. Floating self IP addresses on different VLANs
      3. Non-floating self IP addresses on the egress VLAN
      4. Non-floating self IP addresses on different VLANs
      One of the main reason it prefers the float is, you got it AJ, in scenarios where there is a HA configuration and a failover event occurs we want to make sure the return traffic follows the newly activated device / traffic group.

      Alternative to SNAT,  Inline

      An Alternative to SNAT would be an Inline design. Having the servers in your pool Inline means they will need the Load Balancer as their Gateway address.  As inconvenient as this might sound vs. the “anything you can route to you can load balance” approach, there are definitely reasons why one might choose to go inline vs SNAT.  The one major thing you lose with SNAT, or gain depending on your perspective, is the clients source address. With an inline approach, you preserve the source address.  Some applications and logging systems want to see the “real” source IP of a connection.  When you use SNAT, that is replaced by one of the options you specify.   One could also make the argument an Inline approach is slightly faster than a SNAT approach, but again.. that might start an argument 😉

      How do I capture my source address with SNAT?

      So now you’re SNATing, you feel cool, you look cool, well you are cool!  You’re load balancing anything you can route to, life is good and server administers are happy they didn’t have to jack around their servers and change their gateway. Until they look in their logs and are confused what happened to all the source address information! Fortunately, if you’re dealing with web based traffic we can still provide this information to them, it’s just going to require a little bit of reconfiguration on their side as well as yours. Enter the XFF header option! The X-Forwarded-For header option when enabled will capture the source address of the client and append it in the header.  The logging server would then need to be configured to grab this value instead of looking at the actual source address. I’d like to note a few gotchas / limitations here:
      • Encrypted Web Traffic – If your web traffic is encrypted you’re going to need to terminate SSL at the BIG-IP. In other words you’re going to need to host the certificate / key and associate them in a clientside ssl profile with the virtual server(s) in question. This might seem like a pain at first, but trust me, it’s a GOOD thing. Managing your SSL certs/keys on the F5 will save you time, money, and a lot of headaches. You’ll even save precious CPU cycles on your servers if you choose not to re-encrypt on the serverside.
      • Non Web Traffic – If you’re not dealing with web traffic your options are limited. The only way you will be able to log the client source address is to capture it from an iRule and log it locally at the BIG-IP device. Script away and you could even ship that info off automatically to the people or systems who need it.

      What is a NAT?

      NATs are a one to one mapping between addresses. Unlike SNATs and Virtual servers, NATs can be used for traffic initiated in both Directions. You can Send Traffic to the NAT address or the Origin address can send traffic to any address – as long as that origin address passes through the BIG-IP of course ;). NATs are not connection based like SNATs, ie they are not tracked by the BigIP. A NAT is made up of two major components:
      • NAT address – The NATs address is the routable address on the external network of the BIG-IP system. It should not be the same address of the mgmt IP as well as the originating or translated IP address defined for a SNAT.
      • Origin Address – You can think of this as the internal address. I know, I know.. confusing, because “origin” when talking SNAT is an external address or address list, but in this case you need to think of it differently. It’s important to note a Virtual Server can’t use this IP address.

      Why Do I Need SNAT?

      To put it simply, you need SNAT when using the BIG-IP because the F5 is a stateful Full Proxy. Traffic passing through it needs to return through it, otherwise the connection will break. I’ve put together this picture to depict a common inbound SNAT scenario, where the servers do NOT point to the BIG-IP as their GW, rather they point to a layer 3 device – router. Step 5a depicts the scenario where SNAT IS turned on at the VIP, and traffic is sent back to the F5 BIG-IP that is part of the directly connected subnet of the pool members.
      Another common situation you should be mindful of when deciding if SNAT is needed or not is to consider if servers will ever need to source traffic to VIPs that have pool members on the same subnet as the servers originating communication. If they do, then you definitely want to consider using SNAT, or using an iRule to SNAT traffic sourced by the servers. If you don’t use SNAT in that situation the return traffic from the servers will go directly back to the source host on the same subnet bypassing the F5 BIG-IP and breaking communication. Ty Iyad for bringing up that situation in the comments – it’s an important one to consider!
    Here’s a detailed description of the traffic path with NO SNAT enabled.
    1. The client with the source address of 10.10.100.75 makes a request to 10.10.10.50, a VIP that lives on the BIG-IP. Since it’s not directly connected to the client, it sends the traffic to its’ gateway – 10.10.100.1
    2. The router receives the traffic and forwards it out of the directly connected VIP 10.10.10.50
    3. The VIP receives the traffic, since NO SNAT is enabled, it does not change the source address of the communication, and forwards it to the respective pool member, lets pick 172.16.1.19. At this point the source of the communication is still the client, 10.10.100.75, destined for 172.16.1.19.
    4. This is the point where the communication starts to go bad, and breaky breaky begins. The pool member 172.16.1.19 receives the traffic, and since 10.10.100.75 isn’t directly connected, it sends the traffic out of its’ default gateway – 172.16.1.1.
    5. The router receives the traffic sourced from the pool member destined back to the client. The router sends the traffic out of its’ directly connected subnet and back to the client. The client is expecting the VIP of 10.10.10.50 to respond back, not the pool member. The client doesn’t recognize the connection and the communication breaks – this is known as asymmetric routing around a stateful device.
    Do you see how this could have be fixed? You have two options:
    1. Change the gateways of the servers to the BIG-IP inside trusted subnet floating IP of 172.16.1.5, this will not only fix the asymmetric routing, but it preserves the real source IP of the communication. You can imagine this communication coming back down step 3 since they’re on the same subnet and directly connected.
    2. Turn SNAT on at the 10.10.10.50 VIP. If you used SNAT Automap, it would use the Floating IP to source communication to the pool members. You can see this alternative directly connected traffic path depicted in (5a) – this is known as symmetric routing through a stateful device.

What are the different types of proxies?



--> Proxy is a hardware or software solution that acts as an intermediary between a client and the server.

--> There are different types of proxy solutions are available.

i) Forward Proxy

--> Forward Proxy takes connections from the clients present in inside network ( Intranet) and connect them to servers outside on the Internet.

--> Forward Proxies generally web proxies that provide the number of services but mainly focus on web services and content filtering.

-->   Forward Proxies also authenticate and authorize clients before allowing the access to the Internet.

ii) Reverse Proxy

-->  Reverse Proxy takes connections from the clients present on outside network ( Internet) and connect them to servers present in the private network.

--> Reverse Proxies basically used to protect the web servers.

--> Load Balancers, Application Delivery Controllers and Web Application Firewalls are good examples for Reverse Proxies.

--> Reverse proxies are good for traditional load balancing, optimization, SSL offloading, server-side caching, and security functionality.

--> Reverse Proxies are mainly focused on HTTP based applications, but nowadays they are supporting other applications such as RSTP, FTP and any general application that is forwarded via UDP or TCP.

iii) Half Proxy

--> Half Proxy either it can be Forward Proxy or Reverse Proxy.

--> In the case of Half Proxy, requests are processed by the proxy but responses do not return through the proxy, but rather are sent directly to the client.

--> This is useful particularly in case of streaming protocols.

--> This configuration is known as half proxy because only half the connection is proxies while the other half, the response is not.

iv) Full Proxy

--> A full proxy maintains two separate connections - one between the proxy and the client and one between the proxy and the destination server.

--> Full proxies can look at incoming requests and outbound responses and can manipulate both if the solution allows it.

--> Many reverse and forward proxies use a full proxy model today.

-->  A full proxy completely understands the protocols and is itself acts an endpoint and an originator for the protocols.

--> Full proxies are named because of they completely proxy connections - incoming and outgoing.




Where to Use SNAT in F5 LTM?

1) When the Internal Node Servers default gateway is not BIG IP LTM

--> It is not always possible to configure BIG IP LTM as internal node servers default gateway.

--> Internal Node Servers default gateway can be a router or layer 3 switch.

--> The problem with this type of setup is,it can prevent the response packet to go back to the client as BIG IP LTM is not a default gateway.

--> In the above scenario, the router is acting as the default gateway for the internal nodes.

1) The client sends the request packet to F5 Virtual Server IP Address.

2) F5 BIG IP LTM Changes the destination IP address from the virtual server IP address to pool member IP address selected based upon load balancing algorithm.

3) Pool member receives the request packet from F5 BIG IP LTM and sends the response packet to the router as it is acting as the default gateway.

4) The client is going to reject the packet as it does not have the connection with pool member.
--> With SNAT
1) The client sends the request packet to F5 Virtual Server IP Address.

2) F5 BIG IP LTM Changes the source IP address to SNAT IP Address and the destination IP address from the virtual server IP address to pool member IP address selected based upon load balancing algorithm.

3) Pool member receives the request packet from F5 BIG IP LTM and sends the response packet to the F5 LTM as both are in the same network.

4) The client is going to receive the packet from F5 BIG IP LTM.


2) Client and Servers in the same network
--> If both the server and client belongs to the same network then the traffic directly goes without consulting F5 BIG IP System.

--> With SNAT, we can change the source IP address that allows the server response to go via F5 BIG IP LTM.

1) The client sends the request packet to F5 Virtual Server IP Address.

2) F5 BIG IP LTM Changes the destination IP address from the virtual server IP address to pool member IP address selected based upon load balancing algorithm.

3) Pool member receives the request packet from F5 BIG IP LTM and sends the response packet directly to the client as both are on the same network.

4) The client is going to reject the packet as it does not have the connection with pool member.

With SNAT
1) The client sends the request packet to F5 Virtual Server IP Address.

2) F5 BIG IP LTM Changes the source IP address to SNAT IP Address and the destination IP address from the virtual server IP address to pool member IP address selected based upon load balancing algorithm.

3) Pool member receives the request packet from F5 BIG IP LTM and sends the response packet to the F5 LTM as both are in the same network.

4) The client is going to receive the packet from F5 BIG IP LTM.

3) Internal Server needs to send the traffic to the Internet

--> Internal server are having private IP address sometimes need to send traffic to the Internet.

--> SNAT allows the Internal server private IP address to be changed to the routable public IP address.

Ref: f5.com






iRule

  iRule: -- o iRule is a powerful and flexible feature within the BIG-IP local traffic management (LTM). o IRule is a powerful & flexibl...