Wednesday, 2 June 2021

Processing the traffic


Basic terminology

  • Node = real IP address of a server
  • Pool member = real IP address + port
  • Pool = grouping of pool members
  • Pool members do not have to listen on the same port; they can share an IP address and differ only in port number.
  • Virtual server = IP address + port, often called a listener because it actively listens for inbound traffic, processes it and load balances it to its pool. BIG-IP is a default-deny device: without a configured listener it does not process any client traffic.

Processing the traffic

Before a virtual server can process traffic you have to map it to a pool. When a packet arrives, BIG-IP translates the destination IP address from the virtual server to the real server. The client sees the pool of servers as a single server (the virtual server). You can also configure BIG-IP to translate the virtual server's destination port to the real server's destination port.

Step by step traffic processing

  1. The client resolves the virtual server address via its configured DNS service.
  2. The client initiates a request to the virtual server's destination IP address, and by normal Internet routing the packet arrives at the BIG-IP device.
  3. BIG-IP takes the packet and processes it according to the virtual server configuration. By default LTM translates the destination address to the pool member but leaves the source address untouched.
  4. BIG-IP uses a combination of monitor results, persistence, the load balancing method and other settings to choose the pool member.

And here is the catch, called the "golden rule": the RESPONSE packet must traverse the BIG-IP, otherwise it will not work. The BIG-IP is the one that translated the packet, so the return path must go back through it. If the pool member has its default gateway configured somewhere other than the BIG-IP, we get an asymmetric routing problem. To solve it, the pool members must either have their default gateway set to the BIG-IP device, or we have to use SNAT (secure NAT or source NAT).

It is important to realize that BIG-IP does much more than just NAT. It implements what is called a "full proxy architecture": it handles separate client-side and server-side connections, i.e. it maintains one TCP connection with the client and another with the server. Look at the picture.
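The following toy model walks one request and its reply through the steps above and shows the "golden rule" failing and succeeding. It is an added example written for this post, not F5 code: the VIP 203.0.113.10:80, pool members 10.1.20.11/.12:80, BIG-IP self IP 10.1.20.1, SNAT address 10.1.20.5 and client 198.51.100.7 are all constructed, and the pool member's routing decision is reduced to "own subnet or default gateway".

```python
"""Toy model of LTM traffic processing: destination NAT to a pool member,
the separate server-side connection of the full proxy, and why the reply
must come back through the BIG-IP (the "golden rule").

Added example for this post, not F5 code. All addresses are constructed.
"""
from dataclasses import dataclass

SERVER_SUBNET = "10.1.20."             # pool members' VLAN (constructed)
BIGIP_SELF_IP = "10.1.20.1"            # BIG-IP self IP on that VLAN
SNAT_IP = "10.1.20.5"                  # SNAT address, also owned by the BIG-IP
VIP = ("203.0.113.10", 80)             # the virtual server (listener)
POOL = [("10.1.20.11", 80), ("10.1.20.12", 80)]
CLIENT = ("198.51.100.7", 51000)
BIGIP_OWNED = {BIGIP_SELF_IP, SNAT_IP, VIP[0]}   # addresses that route to the BIG-IP


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def pick_member(pool, counter):
    """Round-robin choice; the real device also weighs monitor status,
    persistence and the configured load balancing method."""
    return pool[counter % len(pool)]


def server_side_packet(client_pkt, member, snat_ip=None):
    """Build the packet the BIG-IP sends on its own server-side connection.
    By default only the destination is translated (VIP -> pool member);
    with SNAT the source is rewritten to an address the BIG-IP owns."""
    if snat_ip:
        # The BIG-IP picks its own ephemeral source port for the SNAT connection.
        return Packet(snat_ip, 40000, member[0], member[1])
    return Packet(client_pkt.src_ip, client_pkt.src_port, member[0], member[1])


def pool_member_reply(request, default_gateway):
    """The pool member answers whatever source it saw and routes the reply:
    directly if the destination is on its own subnet, else via its default gateway."""
    reply = Packet(request.dst_ip, request.dst_port, request.src_ip, request.src_port)
    next_hop = reply.dst_ip if reply.dst_ip.startswith(SERVER_SUBNET) else default_gateway
    return reply, next_hop


def client_accepts(reply):
    """A client TCP stack only matches a reply that comes from the VIP it
    connected to; a packet arriving straight from 10.1.20.11 matches no connection."""
    return (reply.src_ip, reply.src_port) == VIP and (reply.dst_ip, reply.dst_port) == CLIENT


def simulate(server_gateway, snat_ip=None, counter=0):
    """Walk one request/response through the model and report which path the
    reply took and whether the client accepted it."""
    request = Packet(CLIENT[0], CLIENT[1], VIP[0], VIP[1])
    member = pick_member(POOL, counter)
    reply, next_hop = pool_member_reply(server_side_packet(request, member, snat_ip), server_gateway)
    if next_hop not in BIGIP_OWNED:
        # Asymmetric routing: the reply bypasses the BIG-IP, so nothing
        # un-translates it and the client sees a packet from the real server.
        return {"member": member, "path": "bypassed_bigip", "client_accepts": client_accepts(reply)}
    # The BIG-IP receives the reply on its server-side connection and answers
    # the client on the client-side connection, with the VIP as the source.
    to_client = Packet(VIP[0], VIP[1], CLIENT[0], CLIENT[1])
    return {"member": member, "path": "through_bigip", "client_accepts": client_accepts(to_client)}


if __name__ == "__main__":
    print("gateway = BIG-IP, no SNAT :", simulate(BIGIP_SELF_IP))
    print("gateway = other router    :", simulate("10.1.20.254"))
    print("gateway = other, with SNAT:", simulate("10.1.20.254", snat_ip=SNAT_IP))
```

The second run is the asymmetric case from the text: the pool member sends its reply to the client's real address via a router that is not the BIG-IP, so the client receives a packet from 10.1.20.11 instead of the VIP and discards it. The third run keeps the server's gateway unchanged but enables SNAT, so the reply is addressed to 10.1.20.5, which the BIG-IP owns, and the connection completes.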


Configuring pools and Virtual servers

Go to Local Traffic, then Pools, and click Create. To configure a virtual server go to Local Traffic, click Virtual Servers and create a new one. An important feature of the web configuration utility is the Network Map (also under Local Traffic). The Network Map shows the whole configuration of your virtual servers on one screen, including the virtual server, its iRules and the pool member statuses. This is very useful when all you need is a quick overview of the status of your BIG-IP configuration.

Statistics

You may also need to check statistics of how the BIG-IP distributes packets across the pool and how much traffic you are actually processing. You can check statistics in two ways: from Overview, Statistics, Local Traffic, choosing what you want to see (pools, nodes), or directly from each Local Traffic tab (Virtual Servers, Pools), which has a Statistics item in its header menu. Check the screenshot.



Logs

Navigate to System – Logs to see the actual logs.

Disable vs Forced offline

You can set a pool member to Forced Offline or to Disabled. What is the difference? Disabled refuses all new connections but keeps processing ongoing connections and connections that match existing persistence sessions. Forced Offline refuses all new connections and connections from ongoing persistence sessions, but keeps the ongoing connections.
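The distinction is easiest to see as admission logic. The model below is an added example for this post, not F5 code: it uses a constructed pool of two members, source-address persistence keyed by client IP, and a simple round-robin choice among enabled members, which is all that is needed to show what each state refuses and what it keeps.

```python
"""Admission model for the Enabled / Disabled / Forced Offline states of a
pool member. Added example for this post, not F5 code; members and client
addresses are constructed."""

ENABLED, DISABLED, FORCED_OFFLINE = "enabled", "disabled", "forced_offline"


class Pool:
    def __init__(self, members):
        self.state = {m: ENABLED for m in members}
        self.persistence = {}      # client_ip -> member (source-address persistence)
        self.active = set()        # (client_ip, member) connections in flight
        self._rr = 0

    def set_state(self, member, state):
        # Neither Disabled nor Forced Offline tears down connections in flight,
        # so self.active is left untouched here.
        self.state[member] = state

    def admit(self, client_ip):
        """Pick the member for a NEW connection from client_ip, or None if
        no member may take it."""
        sticky = self.persistence.get(client_ip)
        if sticky is not None and self.state[sticky] in (ENABLED, DISABLED):
            # Disabled still honours an existing persistence record;
            # Forced Offline does not, so that branch falls through.
            member = sticky
        else:
            candidates = [m for m, s in self.state.items() if s == ENABLED]
            if not candidates:
                return None
            member = candidates[self._rr % len(candidates)]
            self._rr += 1
            self.persistence[client_ip] = member
        self.active.add((client_ip, member))
        return member

    def connections_on(self, member):
        """In-flight connections still served by member, whatever its state."""
        return {c for c in self.active if c[1] == member}


def run_scenario():
    """Walk both states for member A and record what each one admits."""
    a, b = "10.1.20.11:80", "10.1.20.12:80"
    pool = Pool([a, b])
    out = {}
    out["first_A"] = pool.admit("198.51.100.7")      # round-robin -> A, persistence created
    out["first_B"] = pool.admit("198.51.100.8")      # round-robin -> B

    pool.set_state(a, DISABLED)
    out["disabled_sticky"] = pool.admit("198.51.100.7")   # persisted client still goes to A
    out["disabled_new"] = pool.admit("198.51.100.9")      # brand-new client cannot pick A
    out["disabled_keeps"] = len(pool.connections_on(a))   # nothing was torn down

    pool.set_state(a, FORCED_OFFLINE)
    out["offline_sticky"] = pool.admit("198.51.100.7")    # persistence ignored, goes to B
    out["offline_keeps"] = len(pool.connections_on(a))    # in-flight connections remain

    pool.set_state(b, FORCED_OFFLINE)
    out["none_available"] = pool.admit("198.51.100.10")   # no member can take it
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:16} {value}")
```

Disabled is therefore the gentle way to drain a member before maintenance: clients already pinned to it by persistence finish on it while everyone else moves elsewhere. Forced Offline stops even those pinned clients from opening new connections, but still lets the connections already open run to completion.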
