
F5 LTM fullnat mode: test notes and configuration (basic information, TOA test, basic configuration test)

Basic information

Topology diagram


F5 version

Web: Statistics->Dashboard


tmsh:

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys version 

Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.3
  Build       0.0.11
  Edition     Final
  Date        Thu Apr  8 01:36:32 PDT 2021
           

Routing-related configuration

Log in to https://172.25.78.240/ with Safari

Username: admin
Password: admin
           

Configure the VLAN

Network->VLANs->Create->enter name->select interface->Tagging: select Untagged->add->Finished

Configure the IP (self IP)

Network->Self IPs->Create->enter name->enter IP->enter netmask->select the VLAN just created->Finished

Configure the route

Network->Routes->Create->enter name->enter Destination->enter Netmask->enter Gateway Address->Finished

Huawei switch

#
interface 10GE1/0/13
 undo portswitch
 description to_f5_1-1
 ip binding vpn-instance F5_UP
 ipv6 enable
 ip address 192.168.100.1 255.255.255.0
 ipv6 address 2001::109:2/112
 device transceiver 10GBASE-FIBER
#
ipv6 route-static vpn-instance DCS_UP 2001::108:0 112 2001::109:1
           

Linux client

ip -6 addr add 2001::100:1/112 dev eth1
ip route add 192.168.201.0/24 via 10.92.100.1
ip -6 route add 2001::108:0/112 via 2001::100:1
           

TOA test

Configure the profile

## tmsh configuration
create ltm profile tcp option-set tcp-options "{254 last}" 
           

Profile configuration check

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile tcp option-set
ltm profile tcp option-set {
    app-service none
    tcp-options "{254 last}"
}
           

Configure the iRule

Official tutorial link

Local Traffic ->iRules->Create

v4

when SERVER_INIT {
scan [IP::client_addr] {%d.%d.%d.%d} a b c d
# %04x zero-pads the port to 4 hex digits: with plain %x a port below 0x1000 yields only 3 digits, and binary format H4 pads on the right, shifting the encoded port by a nibble
TCP::option set 254 [binary format H4cccc [format %04x [TCP::client_port]] $a $b $c $d] all
log local5. "insert ip to tcp option [IP::client_addr]:[TCP::client_port]"
}
           

v6

when RULE_INIT {
    # Initialize the array used to expand compressed IPv6 groups to 16 bit
    array set static::ipv6_grp_filler {
        "1" "000"
        "2" "00"
        "3" "0"
        "4" ""
    }
    # Initialize the array used to expand compressed IPv6 addresses to 128 bit
    array set static::ipv6_addr_filler {
        "0"  "0000:0000:0000:0000:0000:0000:0000:0000"
        "5"  "0000:0000:0000:0000:0000:0000:0000"
        "10" "0000:0000:0000:0000:0000:0000"
        "15" "0000:0000:0000:0000:0000"
        "20" "0000:0000:0000:0000"
        "25" "0000:0000:0000"
        "30" "0000:0000"
        "35" "0000"
        "40" ""
    }
    # Initialize the array used to perform an IPv4 (decimal 0-255) to IPv6 (hex 00-FF) conversion.
    for { set i 0 } { $i <= 255 } { incr i } {
        set static::ipv6_dec_map($i) [format %02x $i]
    }

    #
    # Example procedure calls (samples can be removed)
    #

    set input "2001:0001:0022:0333:4444:0:0:0:1%1"
    set output [call compress_ipv6_addr $input]
    log local0.debug "Input: $input Output: $output"

    set input "2001:ef:123::192.168.1.1%2"
    set output [call expand_ipv6_addr $input]
    log local0.debug "Input: $input Output: $output"

}
proc compress_ipv6_addr { addr } {
    # Enumerate and store IPv6 ZoneID / Route Domain suffix
    if { [set id [getfield $addr "%" 2]] ne "" } then {
        set id "%$id"
        set addr [getfield $addr "%" 1]
    }
    # X encode (e.g. :0001 becomes :X1) leading zeros on the individual IPv6 address groups (left orientated searches)
    set addr [string map [list ":0000" ":X"   ":000" ":X"   ":00" ":X"   ":0" ":X"   "|0000" "X"   "|000" "X"   "|00" "X"   "|0" "X" ] "|$addr|"]
    # Restoring the required X encoded zeros (e.g. :X: becomes :0:) while removing any other X encodings and | separators (right orientated searches)
    set addr [string map [list "X:" "0:"   "X|" "0"   "X." "0."   "X" ""   "|" "" ] $addr]
    # Find the longest range of consecutive zero value IPv6 address groups and then replace the most significant groups with the :: notation.
    switch -glob -- $addr {
        "*::*"            { #Already compressed }
        "0:0:0:0:0:0:0:0" { set addr "::" }
        "0:0:0:0:0:0:0:*" { set addr ":[string range $addr 13 end]" }
        "*:0:0:0:0:0:0:0" { set addr "[string range $addr 0 end-13]:" }
        "0:0:0:0:0:0:*"   { set addr ":[string range $addr 11 end]" }
        "*:0:0:0:0:0:0:*" { set addr "[substr $addr 0 ":"]::[findstr $addr ":0:0:0:0:0:0:" 13]" }
        "*:0:0:0:0:0:0"   { set addr "[string range $addr 0 end-11]:" }
        "0:0:0:0:0:*"     { set addr ":[string range $addr 9 end]" }
        "*:0:0:0:0:0:*"   { set addr "[substr $addr 0 ":0:"]::[findstr $addr ":0:0:0:0:0:" 11]" }
        "*:0:0:0:0:0"     { set addr "[string range $addr 0 end-9]:" }
        "0:0:0:0:*"       { set addr ":[string range $addr 7 end]" }
        "*:0:0:0:0:*"     { set addr "[substr $addr 0 ":0:0:"]::[findstr $addr ":0:0:0:0:" 9]" }
        "*:0:0:0:0"       { set addr "[string range $addr 0 end-7]:" }
        "0:0:0:*"         { set addr ":[string range $addr 5 end]" }
        "*:0:0:0:*"       { set addr "[substr $addr 0 ":0:0:0:"]::[findstr $addr ":0:0:0:" 7]" }
        "*:0:0:0"         { set addr "[string range $addr 0 end-5]:" }
        "0:0:*"           { set addr ":[string range $addr 3 end]" }
        "*:0:0:*"         { set addr "[substr $addr 0 ":0:0:"]::[findstr $addr ":0:0:" 5]" }
        "*:0:0"           { set addr "[string range $addr 0 end-3]:" }
    }
    # Append the previously extracted IPv6 ZoneID / Route Domain suffix and return the compressed IPv6 address
    return "$addr$id"
}



proc expand_ipv6_addr { addr } {
    if { [catch {
        # Enumerating and storing IPv6 ZoneID / Route Domain suffix
        if { [set id [getfield $addr "%" 2]] ne "" } then {
            set id "%$id"
            set addr [getfield $addr "%" 1]
        }
        # Parsing the first IPv6 address block of a possible :: notation by splitting the block into : separated IPv6 address groups
        set blk1 ""
        foreach grp [split [getfield $addr "::" 1] ":"] {
            # Check if current group contains a IPv4 address notation
            if { $grp contains "." } then {
                # The current group contains a IPv4 address notation. Trying to extract the four IPv4 address octets
                scan $grp {%d.%d.%d.%d} oct1 oct2 oct3 oct4
                # Convert the four IPv4 address octets into two IPv6 address groups by querying the $static::ipv6_dec_map array
                append blk1 "$static::ipv6_dec_map($oct1)$static::ipv6_dec_map($oct2) $static::ipv6_dec_map($oct3)$static::ipv6_dec_map($oct4) "
                set oct4 ""
            } else {
                # The current group contains just a IPv6 address notation. Filling up the IPv6 address group with leading zeros by querying the $static::ipv6_grp_filler array
                append blk1 "$static::ipv6_grp_filler([string length $grp])$grp "
            }
        }
        # Parsing the second IPv6 address block of a possible :: notation by splitting the block into : IPv6 address separated groups
        set blk2 ""
        foreach grp [split [getfield $addr "::" 2] ":"] {
            # Check if current group contains a IPv4 address notation
            if { $grp contains "." } then {
                # The current group contains a IPv4 address notation. Trying to extract the four IPv4 address octets
                scan $grp {%d.%d.%d.%d} oct1 oct2 oct3 oct4
                # Convert the four IPv4 address octets into two IPv6 address groups by querying the $static::ipv6_dec_map array
                append blk2 "$static::ipv6_dec_map($oct1)$static::ipv6_dec_map($oct2) $static::ipv6_dec_map($oct3)$static::ipv6_dec_map($oct4) "
                set oct4 ""
            } else {
                # The current group contains just a IPv6 address notation. Filling up the IPv6 address group with leading zeros by querying the $static::ipv6_grp_filler array
                append blk2 "$static::ipv6_grp_filler([string length $grp])$grp "
            }
        }
        # Joining the first and second block of the possible :: notation while expanding the address to 128bit length by querying the $static::ipv6_addr_filler array
        set addr "[join "$blk1$static::ipv6_addr_filler([string length "$blk1$blk2"]) $blk2" ":"]"
    }] } then {
        # log local0.debug "errorInfo: [subst \$::errorInfo]"
        # return "errorInfo: [subst \$::errorInfo]"
        return ""
    }
    # Append the previously extracted IPv6 ZoneID / Route Domain suffix and return the expanded IPv6 address notation
    #return "$addr$id"
    return $addr
}

#For v14+, you can insert option in initial SYN

when SERVER_INIT {
    log local5. "The IP address was [IP::client_addr]"
    set ip [IP::client_addr]
    set big6 [call expand_ipv6_addr $ip]
    set nosep [string map {: ""} $big6]
    log local5. "ClientIP: $ip big6: $big6 nosep: $nosep"
    log local5. "Client port in hex: [format %04x [TCP::client_port]]"
    # %04x keeps the hex string at an even 36 digits (2-byte port + 16-byte address); with plain %x a port below 0x1000 gives an odd-length string and binary format H* shifts every following byte by a nibble
    TCP::option set 253 [binary format H* [format %04x [TCP::client_port]]$nosep] all
}
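The v4 iRule (option kind 254) and the v6 iRule (kind 253) above both emit the same byte layout: kind, length, the 2-byte client port, then the packed client address. The following Python is an added example, not code from the page or from F5: it encodes that option for IPv4 and IPv6 (the standard ipaddress module does the expansion that the expand_ipv6_addr proc does by hand), walks a TCP options area the way a TOA parser on the real server has to, and reproduces the port-formatting pitfall of `format %x` versus `format %04x` under Tcl's `binary format`. The option-kind values and the sample endpoint (10.92.100.119:52708) come from the page; the function names are my own.

```python
# Added example (not from the page, not F5 code): encode and decode the TOA-style
# TCP option inserted by the v4 / v6 iRules.
# Layout (as produced by `binary format H4cccc` and `binary format H*` in the iRules):
#   kind (1 byte) | length (1 byte) | client port (2 bytes, network order) | client IP (4 or 16 bytes)
import ipaddress
import struct

TOA_KIND_V4 = 254   # kind used by the page's v4 iRule
TOA_KIND_V6 = 253   # kind used by the page's v6 iRule


def encode_toa(client_ip, client_port, kind=None):
    """Build the option bytes for one client endpoint (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(client_ip)
    if kind is None:
        kind = TOA_KIND_V4 if addr.version == 4 else TOA_KIND_V6
    if not 0 <= client_port <= 0xFFFF:
        raise ValueError("port out of range")
    payload = struct.pack("!H", client_port) + addr.packed
    return bytes([kind, 2 + len(payload)]) + payload


def irule_port_bytes(client_port, zero_pad):
    """Reproduce what Tcl `binary format H4 [format %x $port]` emits.

    Tcl right-pads a short hex string with zero nibbles, so a port below 0x1000
    formatted with plain %x (3 digits) comes out shifted by one nibble.
    With %04x (zero_pad=True) the encoding is always correct.
    """
    hexstr = format(client_port, "04x" if zero_pad else "x")
    return bytes.fromhex(hexstr.ljust(4, "0"))


def parse_tcp_options(options):
    """Walk a raw TCP options area and return [(kind, data), ...].

    Kind 0 ends the list, kind 1 (NOP) has no length byte; anything else is
    kind, length, data. Malformed lengths raise instead of being skipped.
    """
    out = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        out.append((kind, bytes(options[i + 2:i + length])))
        i += length
    return out


def extract_toa(options, kinds=(TOA_KIND_V4, TOA_KIND_V6)):
    """Return (client_ip, client_port) from the first well-formed TOA option, else None."""
    for kind, data in parse_tcp_options(options):
        if kind not in kinds:
            continue
        if len(data) == 2 + 4:
            return str(ipaddress.IPv4Address(data[2:])), struct.unpack("!H", data[:2])[0]
        if len(data) == 2 + 16:
            return str(ipaddress.IPv6Address(data[2:])), struct.unpack("!H", data[:2])[0]
        # wrong size for this layout: ignore rather than trust it
    return None


def build_syn_options(client_ip, client_port, mss=1460):
    """Assemble a SYN options area: MSS, the TOA option, NOP padding to a 4-byte boundary."""
    opts = struct.pack("!BBH", 2, 4, mss) + encode_toa(client_ip, client_port)
    opts += b"\x01" * ((-len(opts)) % 4)
    if len(opts) > 40:
        raise ValueError("TCP options area exceeds 40 bytes")
    return opts


if __name__ == "__main__":
    # constructed sample endpoints, taken from the page's connection table
    for ip, port in (("10.92.100.119", 52708), ("2001::100:1", 52708)):
        opts = build_syn_options(ip, port)
        print(ip, port, "->", opts.hex(), "->", extract_toa(opts))
    print("port 0xabc with %x:", irule_port_bytes(0xabc, False).hex(),
          "with %04x:", irule_port_bytes(0xabc, True).hex())
```

The IPv6 form costs 20 of the 40 bytes of TCP option space; a SYN that already carries MSS, SACK-permitted, timestamps and window scale (19 bytes) has just enough room, which is worth confirming in the Wireshark capture rather than assuming.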
           

iRule configuration check

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule test_toa4
ltm rule test_toa4 {
when SERVER_INIT {
scan [IP::client_addr] {%d.%d.%d.%d} a b c d
TCP::option set 254 [binary format H4cccc [format %x [TCP::client_port]] $a $b $c $d] all
log local5. "insert ip to tcp option [IP::client_addr]:[TCP::client_port]"
}
}
root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule test_toa6
ltm rule test_toa6 {
when RULE_INIT {
    # Initialize the array used to expand compressed IPv6 groups to 16 bit
    array set static::ipv6_grp_filler {
        "1" "000"
        "2" "00"
        "3" "0"
        "4" ""
    }
    ..........
           

Configure SNAT

Local Traffic ->SNAT pool List->Create

Configure the pool and VS

Configure the pool

Local Traffic->Pools->Create


Pool configuration check

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm pool
ltm pool test {
    members {
        10.92.128.119:http {
            address 10.92.128.119
            session monitor-enabled
            state up
        }
    }
    monitor tcp
}
           

Configure the VS

Local Traffic->Virtual Server->Create


VS configuration check

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual test_vs4
ltm virtual test_vs4 {
    creation-time 2021-07-23:02:03:21
    destination 192.168.201.2:http
    ip-protocol tcp
    last-modified-time 2021-07-23:02:10:52
    mask 255.255.255.255
    pool test
    profiles {
        option-set { }
    }
    rules {
        test_toa4
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        pool a
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 5
}
           

IPv6 configuration check (the IPv6 VS configuration steps are omitted)

root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual testv6
ltm virtual testv6 {
    creation-time 2021-07-22:20:31:35
    destination 2001::108:1.http
    disabled
    ip-protocol tcp
    last-modified-time 2021-07-23:01:46:56
    pool test
    profiles {
        option-set { }
    }
    rules {
        test_toa6
    }
    serverssl-use-sni disabled
    source-address-translation {
        pool a
        type snat
    }
    translate-address enabled
    translate-port enabled
    vs-index 4
}
           

Client access commands

[root@localhost ~]# curl 192.168.201.2
[root@localhost ~]# curl -g -6 "http://[2001::108:1]:80"
           

RS side (nginx log, IPv4 as the example)

[root@dev227 ~]# tail -f /var/log/nginx/access.log
192.168.202.4 - - [23/Jul/2021:16:03:38 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
10.92.100.119 - - [23/Jul/2021:17:19:53 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
192.168.202.3 - - [23/Jul/2021:17:24:22 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
10.92.100.119 - - [23/Jul/2021:17:24:43 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
192.168.202.4 - - [23/Jul/2021:17:28:21 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
           

Wireshark analysis

Conclusions:

  • The F5 can translate both the source and destination IP of packets (fullnat).
  • TCP options can be inserted with an iRule; the option kind field (253 or 254) is chosen in the iRule.
  • The TOA module can parse the option.
  • Both IPv4 and IPv6 work.

Open issues:

1. Is there an official iRule configuration for this?

2. Performance impact of the iRule.

3. What is the profile for? If no option-set is configured in Protocol Profile (Client), the option field cannot be found in packet captures on the RS; but if the profile parameters are set to arbitrary values, the option kind set by the iRule is not affected.

Basic configuration test

Health check

Local Traffic->Monitors->create->Type: select tcp

Change the interval: minimum 1 s, default 5 s.

Change the timeout: minimum 1 s, default 16 s.

Load-balancing policy

Local Traffic->Pools->Pool List->select an instance->Members->Load Balancing Method

Policy                  BIG-IP name
Round robin             Round Robin
Weighted round robin    Ratio (member)
Least connections       Least Connection (member)

Source address hash:

Local Traffic->Virtual Servers->Virtual Server List->select an instance->Resources->Default Persistence Profile->source_addr

With the previous session interrupted for 15 s, the source-address hash persistence is still kept.

Long-lived connection idle timeout setting

Local Traffic->Profile->tcp->Type: select tcp->select an instance->Timer Management->Custom->Idle Timeout->change the time

Default 300 s.

Session synchronization

There is only on or off. When on, all sessions are synchronized immediately; even a session whose TCP three-way handshake has not completed is synchronized.

Can be enabled in HA mode; related documentation: Managing Connection Mirroring

Effect: first a traffic-group-1 is needed with two devices in the group, Bigip_A and Bigip_C. When Bigip_A becomes unavailable, Bigip_C in the group becomes active and forwards the existing connections. Suitable for long-lived connection applications such as FTP and Telnet.

Scope: VS, SNAT, persistence profile

Steps to enable:

1. Configure a synchronization address: Device Management > Devices > Device Connectivity > Mirroring > Primary Local Mirror Address > VLAN HA

2. Enable session synchronization for each VS: Local Traffic > Virtual Servers > Configuration > Advanced > Connection Mirroring > Update

3. Configure persistence: Local Traffic > Profiles > Persistence > Mirror Persistence

Log

web: System > Logs : System

HA configuration

High Availability (HA) Failover

Connection table output

[root@test:Active:Standalone] config # tmsh 
root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys connection cs-server-port 80
Sys::Connections
10.92.100.119:52708  192.168.201.2:80  192.168.202.2:11793  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
10.92.100.119:52706  192.168.201.2:80  192.168.202.3:15589  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
10.92.100.119:52704  192.168.201.2:80  192.168.202.4:43873  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
Total records returned: 3
root@(test)(cfg-sync Standalone)(Active)(/Common)(tmos)# 
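The connection table above and the nginx access log in the RS section are the two artefacts that show whether fullnat and TOA worked: each table row gives client→VS on the client side and SNAT address→pool member on the server side, and each RS log line shows either a SNAT pool address (the option absent or not parsed) or the real client address. The following Python is an added example, not from the page or from F5: it parses both (the samples are constructed from the lines shown on the page), checks every flow against the expected VS, pool member and SNAT range, counts flows per member, and counts which RS log lines carry a SNAT versus a client address. The SNAT pool range 192.168.202.0/24 and the reading that the 192.168.202.x log lines are the non-TOA cases are assumptions; the endpoint splitter also accepts the addr.port form tmsh prints for IPv6, which the sample does not exercise.

```python
# Added example (not from the page, not F5 code): parse `show sys connection` output
# and the RS nginx access log to verify the fullnat translation and whether the
# real client address reached the RS.  Samples are constructed from the page's lines;
# the SNAT pool range and the VS / member endpoints are assumptions.
import ipaddress
import re
from collections import Counter

SNAT_POOL = ipaddress.ip_network("192.168.202.0/24")   # assumption: range of SNAT pool "a"
VS_ENDPOINT = ("192.168.201.2", 80)                    # destination of test_vs4
POOL_MEMBERS = {("10.92.128.119", 81)}                 # server side as seen in the connection table

SAMPLE_CONNECTIONS = """\
Sys::Connections
10.92.100.119:52708  192.168.201.2:80  192.168.202.2:11793  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
10.92.100.119:52706  192.168.201.2:80  192.168.202.3:15589  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
10.92.100.119:52704  192.168.201.2:80  192.168.202.4:43873  10.92.128.119:81  tcp  1  (tmm: 2)  none  none
Total records returned: 3
"""

SAMPLE_NGINX_LOG = """\
192.168.202.4 - - [23/Jul/2021:16:03:38 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
10.92.100.119 - - [23/Jul/2021:17:19:53 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
192.168.202.3 - - [23/Jul/2021:17:24:22 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
10.92.100.119 - - [23/Jul/2021:17:24:43 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
192.168.202.4 - - [23/Jul/2021:17:28:21 +0800] "GET / HTTP/1.1" 200 4833 "-" "curl/7.29.0" "-"
"""

ENDPOINT_RE = re.compile(r"^(.+)[:.](\d+)$")   # tmsh prints IPv4 as addr:port and IPv6 as addr.port
NGINX_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3})')


def split_endpoint(token):
    """'10.92.100.119:52708' or '2001::108:1.80' -> (normalised address, port)."""
    m = ENDPOINT_RE.match(token)
    if not m:
        raise ValueError("not an address:port token: %r" % token)
    return str(ipaddress.ip_address(m.group(1))), int(m.group(2))


def parse_connections(text):
    """One dict per flow: client->virtual on the client side, snat->server on the server side."""
    flows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[4] not in ("tcp", "udp"):
            continue   # header, trailer and prompt lines
        client, virtual, snat, server = (split_endpoint(t) for t in tok[:4])
        flows.append({"client": client, "virtual": virtual, "snat": snat,
                      "server": server, "proto": tok[4]})
    return flows


def fullnat_problems(flows, vs=VS_ENDPOINT, members=POOL_MEMBERS, snat_pool=SNAT_POOL):
    """Return (reason, endpoint) for every flow that is not translated as expected."""
    problems = []
    for f in flows:
        if f["virtual"] != vs:
            problems.append(("unexpected virtual", f["virtual"]))
        if f["server"] not in members:
            problems.append(("unexpected member", f["server"]))
        if ipaddress.ip_address(f["snat"][0]) not in snat_pool:
            problems.append(("snat address outside pool", f["snat"]))
    return problems


def member_distribution(flows):
    """Flows per pool member: the load-balancing check."""
    return Counter(f["server"] for f in flows)


def classify_rs_log(text, snat_pool=SNAT_POOL):
    """Count access-log sources that are SNAT addresses (option absent / not parsed) vs client addresses."""
    counts = Counter()
    for line in text.splitlines():
        m = NGINX_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        counts["snat" if src in snat_pool else "client"] += 1
    return counts


if __name__ == "__main__":
    flows = parse_connections(SAMPLE_CONNECTIONS)
    print(len(flows), "flows; problems:", fullnat_problems(flows))
    print("per-member:", dict(member_distribution(flows)))
    print("RS log sources:", dict(classify_rs_log(SAMPLE_NGINX_LOG)))
```

Run against a live box, feed it `tmsh show sys connection cs-server-port 80` and `tail /var/log/nginx/access.log` from the RS instead of the constructed samples; any non-empty problem list or a non-zero "snat" count after the TOA module is loaded points at the profile/iRule combination discussed in the open issues.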
           

Commands used for testing

kill -9 `ps -ef |grep 'nc 192'|grep -v grep|awk '{print $2}'`
kill -9 `ps -ef |grep 'nc 192'|grep -v grep|awk '{print $2}'|head -n 35`
ip addr add 10.92.100.118/24 dev eth1
ip addr add 10.92.100.117/24 dev eth1
ip addr add 10.92.100.116/24 dev eth1
ip addr add 10.92.100.115/24 dev eth1
ip addr add 10.92.100.114/24 dev eth1
ip addr add 10.92.100.113/24 dev eth1
ip addr add 10.92.100.112/24 dev eth1
ip addr add 10.92.100.111/24 dev eth1

ip addr add 10.92.100.109/24 dev eth1
ip addr add 10.92.100.108/24 dev eth1
ip addr add 10.92.100.107/24 dev eth1
ip addr add 10.92.100.106/24 dev eth1
ip addr add 10.92.100.105/24 dev eth1
ip addr add 10.92.100.104/24 dev eth1
ip addr add 10.92.100.103/24 dev eth1
ip addr add 10.92.100.102/24 dev eth1
ip addr add 10.92.100.101/24 dev eth1


nc -k -l -p 80 &
nc -k -l -p 81 &
nc -k -l -p 82 &
nc -k -l -p 83 &
while true;do echo `netstat -nt|grep 10.92.128.119:80 |wc -l` `netstat -nt|grep 10.92.128.119:81 |wc -l` `netstat -nt|grep 10.92.128.119:82 |wc -l` `netstat -nt|grep 10.92.128.119:83 |wc -l` date ;sleep 1  ;done





for i in `seq 100`;do echo 1 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 2 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 3 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 4 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 5 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 6 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 7 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 8 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 9 $i `date`;sleep 1;done | nc 192.168.201.2 80 &
sleep 1 
for i in `seq 100`;do echo 10 $i `date`;sleep 1;done | nc 192.168.201.2 80 &









for i in `seq 10000`;do echo 1 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.101 &
for i in `seq 10000`;do echo 2 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.102 &
for i in `seq 10000`;do echo 3 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.103 &
for i in `seq 10000`;do echo 4 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.104 &
for i in `seq 10000`;do echo 5 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.105 &
for i in `seq 10000`;do echo 6 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.106 &
for i in `seq 10000`;do echo 7 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.107 &
for i in `seq 10000`;do echo 8 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.108 &
for i in `seq 10000`;do echo 9 $i `date`;sleep 1;done | nc 192.168.201.2 80 -s 10.92.100.109 &



## F5
F5 V11 TMSH command operations manual
View the current system configuration:
# show running-config  
# show running-config /net interface 
# show running-config /ltm pool  Save base contents:  
#save /sys base-config  Load base contents:  
#load /sys base-config  Save the system configuration:  
#save /sys config   Load the system configuration:  
#load /sys config   
#tmsh load sys config default    ## V11 restore factory configuration
View network configuration information:
#list /net vlan
#list /net interface
#list /net arp
#list /net route
#list /net self
#list /net self-allow
#list /net trunk
# list /ltm pool               View pool configuration
# list /ltm pool [http-pool]
# list /ltm virtual            View VS configuration
# list /ltm virtual-address
View /sys configuration information:
# list /sys db
# list /sys httpd allow
# list /sys management-ip (view the device management-port address)
# list /sys management-route (view the management-port routes)
# list /sys ntp (view NTP configuration)
# list /sys provision (view module provisioning state)
# list /sys service (view which services are enabled)
# list /sys snmp (view SNMP configuration)
# list /sys syslog (view syslog configuration)
show /net commands:
# show /cli history (view command-line history)
# show /net arp (view the ARP table)
# show /net interface (view per-interface traffic statistics)
# show /net route (view the routing table)
# show /net vlan (view per-VLAN traffic statistics)
# show /net vlan-group
# show /net trunk (view trunk traffic statistics)
show /sys commands:
# show /sys config-sync (view config-sync status)
# show /sys connection
# show /sys connection  | grep 1026  #check HA state; entries appearing in pairs is normal
      ### 1.1.1.2:53527  1.1.1.1:1026  1.1.1.2:53527  1.1.1.1:1026  udp  0  (tmm: 1)  none
      ### 1.1.1.1:48582  1.1.1.2:1026  1.1.1.1:4538   1.1.1.2:1026  udp  0  (tmm: 0)  none
# show /sys console (view the console serial baud rate)
# show /sys cpu
# show /sys hardware (view hardware information)
# show /sys host-info
# show /sys raid (view disk RAID state)
# show /sys performance system (view overall system performance)
# show /sys software (view overall software information)
# show /sys ip-address (view system IP addresses, including all VS and pool addresses)
# show /sys ip-address all-properties (view system addresses with their properties)
# show /sys license (view license summary)
# show /sys license detail
# show /sys log ltm (view the LTM log)
# show /sys mac-address (view all MAC addresses on the system)
# show /sys mcp-state (view MCP running state)
# show /sys memory (view memory statistics)
# show /sys ucs (view saved UCS file names)
# show /sys version (view software version)
# show /sys software (view software version)
#############################################
#Add addresses to a SNAT pool
#tmsh
#ltm-->snat
#create snatpool my_snat_pool1 members add { 11.12.11.24 11.12.11.25 }
#############################################
Export and import configuration
#tmsh save sys ucs test.ucs
#/var/local/ucs (UCS directory)
#tmsh load /sys ucs xxxx.ucs no-license (import configuration, V11)
#load /sys ucs xxxx.ucs rma           (v10: a trick here, entering rma does not restore the certificate, so no re-activation is needed)
#save /sys config
#tmsh load sys ucs [ucs file name] no-platform-check no-license
save /sys config
(tmos.ltm)##show persistence persist-records all-properties       (view the persistence table)
          ##tmsh show ltm persistence persist-records | grep 8.32 (view the persistence table)
(tmos.ltm)#delete persistence persist-records                     (delete persistence records)
Using the help commands:
# help /net
# help /net vlan
Shortcut keys:
Ctrl + C (abandon the command currently being typed)
Ctrl + A (move the cursor to the beginning of the line)
Test commands available in tmsh mode:
# run util ping 1.1.1.1 (run ping)
# run util tcpdump (run a tcpdump capture)
# run util tracepath 1.1.1.1 (run tracepath)
Create and delete a pool:   # create /ltm pool [abc] # delete /ltm pool [abc]
Modify iRule contents:   # edit /ltm rule [replace-302]
Install the operating system and
##################################################################################
##################################################################################
#Upload the image to /shared/images
#Install system patches:
#install sys software image BIGIP-10.0.0.5376.0.iso volume HD1.2
#install hotfix Hotfix-BIGIP-9.6.1-824.0-HF3.im volume HD1.1
#Check installation progress:
##root@(big-ip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# quit
##[root@big-ip1:Active:Standalone] images # watch tmsh show sys software status
##################################################################################
##################################################################################
Reset pool and VS statistics:
# reset-stats /ltm pool
# reset-stats /ltm pool [http-pool]
# reset-stats /ltm virtual
# reset-stats /ltm virtual [vs-test-80]
Start, stop and restart a system service:
# start /sys service [snmpd]
# stop /sys service [snmpd]
# restart /sys service [snmpd]
#bigstart status snmpd: view the process running state
Define and delete aliases:
 # create /cli alias [xx] command ["save /sys config"]
 # delete /cli alias [xx]
Create a pool and add pool members:
 # create /ltm pool [abc] members add { 9.9.9.9:http 7.7.7.7:http }
Add a health monitor to the created pool:
# modify /ltm pool [abc] monitor http
# modify /ltm pool [abc] monitor http and https # modify /ltm pool [abc] monitor none
Create a VS with source-address persistence and a default pool:
# create /ltm virtual abcd { destination 6.6.6.6:http persist replace-all-with { source_addr }  pool a }
quit: exit tmos
ifconfig  view all IPs
CRT---SFTP
sftp> cd /var/log    #cd to the directory
sftp> lcd c:\        #lcd sets the local destination
sftp> get ltm        #fetch the ltm log
tcpdump -i eth1 -w /tmp/xxx.cap
#Modify syslog
#modify syslog  remote-servers delete  XX
Log in to the device on the command line,
enter: tmsh
enter: edit sys syslog all-properties
change include none to
include "
    filter f_remote_loghost {
       level(notice..emerg);
       };
       destination d_remote_loghost {
       udp(\"145.0.132.11\" port(514));
       udp(\"145.0.131.11\" port(514));
       udp(\"145.0.133.11\" port(514));
       };
       log {
       source(s_syslog_pipe);
       filter(f_remote_loghost);
       destination(d_remote_loghost);
    };
"
#Save the configuration
save sys ucs config.ucs
#Configure a management route
create sys management-route NTP_192168882 network 192.168.88.2/32 gateway 192.168.122.1
#View management routes
list sys  management-route


           

Capturing both sides of a VS

tcpdump -s0 -nni 0.0:nnnp host 12.207.208.160 or 12.207.208.161 or 12.207.208.224 or 12.207.208.225 -C 400 -W 25 -vvw /shared/capture/chucksum.pcap
# Run on the F5: captures the client-side (cs) and server-side (ss) packets in tmm and includes the detailed F5 metadata.
# 400 MB per file, 25 files in rotation: needs 10 GB of space, and one file fills in roughly 10 s.
# 0.0 means all traffic; the nnn suffix is the verbosity level, p shows the traffic before and after NAT

tcpdump -i eth0 -nn -C 10 -W 5 -vvw a.pcap ## -C start a new file every 10 MB, -W rotate through 5 files
tcpdump -i eth0 -nn -G 60  -vvw a.pcap ## -G start a new file every 60 s
           

Capturing internal TMM information with tcpdump; F5 Specific tcpdump Switches; Overview of packet tracing with the tcpdump utility

Checking optical module attenuation (DDM)

tmsh list sys db ddm.bcm56xxd.enable
tmsh modify sys db ddm.bcm56xxd.enable value <enable | disable>
tmsh show net interface-ddm <interface_key>
zgrep -i ddm /var/log/ltm* ##Viewing DDM log messages
           

Configuration backup script

name=`/sbin/ifconfig mgmt |grep -w inet|awk -F ' ' '{print $2}'`
mv /var/local/ucs/${name}.ucs /var/local/ucs/${name}.ucs.bak
/bin/tmsh save sys ucs ${name}.ucs
riqi=`/bin/date +%Y%m%d`
/bin/tftp -m binary 192.168.8.2 -c put /var/local/ucs/${name}.ucs ${riqi}/${name}.ucs
/bin/tftp -m binary 192.168.8.3 -c put /var/local/ucs/${name}.ucs ${riqi}/${name}.ucs
           
# Configuration on the F5 device
mkdir tftp_save_ucs
chmod +x tftp_put_ucs.sh
crontab -e
0 17 * * * sh /config/tftp_save_ucs/tftp_put_ucs.sh
           

Note:

With TFTP as the server, the transferred file changed size (it became larger) and its md5 differed, although no difference in content was visible by eye. On looking it up: there are two transfer modes, ASCII and binary.

The difference between ASCII and Binary mode is the handling of line endings. Binary mode does not touch the data at all; ASCII mode converts line endings to the local convention, for example \n on UNIX, \r\n on Windows and \r on Mac.

Fixing the file-size change after FTP upload; Why a file transferred by FTP differs in size from the original

Since the F5 UCS is a binary file, Binary mode is recommended for the transfer. The command used:

tftp  -m binary 192.168.8.3 -c put o.l 20210928/o.l
           

If the error Transfer timed out. appears, it is usually caused by the security policy on the management port; allow the required policy, or open it fully, under System ›› Platform ›› Security: Management Port.

Username and password hash

When automating, the username and password must be hashed together as one unit; hash them with this method.

LACP configuration for trunk interfaces

LACP mode

The LACP Mode setting appears on the Trunks screen only when you select the LACP setting. You use the LACP Mode setting to specify the method that LACP uses to send control packets to the peer system. The two possible modes are:

  • Active mode

    You specify Active mode if you want the system to periodically send control packets, regardless of whether the peer system has issued a request. This is the default setting.

  • Passive mode

    You specify Passive mode if you want the system to send control packets only when the peer system issues a request, that is, when the LACP mode of the peer system is set to Active.

If you set only one of the peer systems to Active mode, the BIG-IP system uses Active mode for both systems. Also, whenever you change the LACP mode on a trunk, LACP renegotiates the links that it uses for aggregation on that trunk.

Tip: We recommend that you set the LACP mode to Passive on one peer system only. If you set both systems to Passive mode, LACP does not send control packets.

Performance test

Limited by the test environment, only one shared client device was available for load testing; the result was 2.1w (21,000) CPS.

Real-time connections on the production F5 are a little over 5,000.

According to the vendor's performance report: layer-4 throughput 80 G/s, up to 68w (680,000) new connections per second, up to 4800w (48,000,000) concurrent connections.

Reference material

Vendor discussion

1. How should a Profile be understood and what does it do? Please explain in detail. [A profile is the protocol's configuration file; it can change TCP defaults such as the idle time.]
2. In `create ltm profile tcp option-set tcp-options "{254 last}"`, why does writing 253 or 254 have no effect on the option kind? Judging by the packets received on the RS, the option kind depends only on the iRule. What problems result if the profile parameter is written arbitrarily? [A support case would be needed; it was never explained satisfactorily and we stopped pursuing it.]
3. What is tmm? Please explain in detail. The documentation says tmm memory is managed exclusively by tmm and the other memory by the Linux kernel; what does "other memory" refer to? [The F5 runs Linux underneath; tmm is F5's own traffic management system, so memory management has two parts, and the tmm memory is the one to watch.]
4. Are RS up/down events logged? [Yes, they are in the log and can be forwarded with syslog.]
5. Are active/standby and active/active the only architectures? Is there a cluster mode, and how is horizontal scaling handled? [Use active/standby with connection mirroring; for horizontal scaling use an n+m architecture.]
6. Specific use cases and architecture for VRF. [vCMP virtualization splits one F5 into several virtual F5s (models 58 and above); route domains give a VRF-like effect.]
7. During F5 concurrency tests, with only 4 concurrent requests the time taken was about 0-1 s, but when raised to 5 concurrent requests it increased to about 4-5 s. In later grouped tests with 4 concurrent requests per group, the first group took 0-1 s, but from the second group on there was a wait of about 4 s (even though all requests had already been sent). This makes concurrent requests take almost the same time as serial ones. Is this an F5 configuration issue or something else? Can the intermediate wait be reduced? [The control plane is simply slow; that is a fact. Push configuration serially; concurrency may produce unknown errors or even bring the interface down.]
8. If traffic is forced onto the standby device, does the standby process and forward it? [It does not process traffic.]
10. Can connection mirroring synchronize only the session table without synchronizing the business traffic? [No. If session mirroring is enabled the traffic must be synchronized too; it is designed that way and cannot be changed.]