F5 Load Balancing Device Training.ppt
BIG-IP V9, F5 Networks Training, 2/1/2005
BIG-IP V9, F5 Networks Training, 11/1/2004

Module 1 - Installation
(Diagram: Internet, BIG-IPs, Clients, Servers)

Module 1 - Outline
- BIG-IP Platform Overview
- Installation (Setup Utility)
- Configuration Utilities and User Access

Initial BIG-IP Setup
- Config utility
  - IP Address for Management interface
- License
- Setup utility
  - Root password
  - IP Address for VLANs
  - Assign interfaces to VLANs
  - Web Admin password
  - SSH Access

config Utility
- Initial IP Address is 192.168.1.245

License Process - Automated
(Diagram: PC, BIG-IP, Internet, F5 License Server activate.F)
- Run Setup utility
- Enter Registration Key
- License the box
- Get License from F5
- Select parameters

License Process - Manual
(Diagram: PC, BIG-IP, Internet, F5 License Server activate.F, https:/activate.F)
- Copy Product Dossier to PC
- Paste Product Dossier to F5
- Move PC to Internet
- Download License to PC
- Upload & Install License file
- Run Setup utility
- Manually License the box
- Move PC back

Setup Utility
- https://<Management IP Address>

Setup Utility - Network

Web Configuration utility

Setup/Configuration Access
- Two methods
  - Web Interface: https (remote)
  - Command Line: ssh (remote), Serial Terminal

BIG-IP Backup Process
- Stores the configuration in a single file
- Can be copied to another system

User Authentication Process

BIG-IP Admin Users

Module 2 - Load Balancing

Module 2 - Outline
- Virtual Servers, Members & Nodes
- Configuring Virtual Servers & Pools
- Virtual Server & Pool Lab
- Load Balancing Modes
- Configuring Load Balancing
- Load Balancing Labs

Pool - Grouping of Members
(Diagram: Internet, Clients, Router, BIG-IP Controller, Servers)

Pool Members and Nodes
- Pool Members: 172.16.20.4:8080, 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80
- Nodes refer to Pool Members IP Address only

Virtual Server
- Basic mechanism to manage traffic
- IP Address + Service (Port) Combination
- Virtual servers normally associated with one or more members
- Virtual Server in the diagram: 216.34.94.17:80

Virtual Server to Pool Members
- Virtual Server 216.34.94.17:80 maps to Pool Members 172.16.20.4:8080, 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80

Virtual Server - Address Translation
- BIG-IP performs network address translation to real server addresses such that all machines are viewed as one Virtual Server
- (Diagram: Virtual Server Address 216.34.94.17:80, Network Address Translation, Real Server Addresses 172.16.20.4:8080, 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80)

Network Flow - Packet #1
- resolves to BIG-IP Virtual Server Address 216.34.94.17:80 (diagram label: DNS Server)

Network Flow - Packet #1
- BIG-IP translates Dest Address to Node based on Load Balancing
- Client: 207.17.117.20
- Packet #1 (client side): Src 207.17.117.20:4003, Dest 216.34.94.17:80
- Packet #1 (server side): Src 207.17.117.20:4003, Dest 172.16.20.1:80

Network Flow - Packet #1 Return
- BIG-IP translates Src Address back to Virtual Server Address
- Packet #1 return (server side): Dest 207.17.117.20:4003, Src 172.16.20.1:80
- Packet #1 return (client side): Dest 207.17.117.20:4003, Src 216.34.94.17:80

Network Flow - Packet #2
- Client: 207.17.117.21
- Packet #2 (client side): Src 207.17.117.21:4003, Dest 216.34.94.17:80
- Packet #2 (server side): Src 207.17.117.21:4003, Dest 172.16.20.2:4002

Network Flow - Packet #2 Return
- Packet #2 return (server side): Dest 207.17.117.21:4003, Src 172.16.20.2:4002
- Packet #2 return (client side): Dest 207.17.117.21:4003, Src 216.34.94.17:80

Network Flow - Packet #3
- Client: 207.17.117.25
- Packet #3 (client side): Src 207.17.117.25:4003, Dest 216.34.94.17:80
- Packet #3 (server side): Src 207.17.117.25:4003, Dest 172.16.20.4:8080

Network Flow - Packet #3 Return
- Packet #3 return (server side): Dest 207.17.117.25:4003, Src 172.16.20.4:8080
- Packet #3 return (client side): Dest 207.17.117.25:4003, Src 216.34.94.17:80

Configuring Pools

Configuring Virtual Servers
- Scroll down

Statistics
- Summary
- Virtual Servers
- Pools
- Nodes

Logs

Load Balancing Modes
- Static: Round Robin, Ratio
- Dynamic: Least Connections, Fastest, Observed, Predictive, Dynamic Ratio
- Failure Mechanisms: Priority Group Activation, Fallback Host

Round Robin
- Client requests are distributed evenly

Ratio
- Administrator sets ratio for distributing client requests: 3:2:1:1

Fastest
- Next requests go to Node with fastest response time
- Some time later, response times change

Least Connections
- Next request goes to Node with fewest open connections
- Some time later, number of connections changes

Observed
- Next request goes to Node with combination of fewest connections and best response

Predictive
- Next request goes to Node with combination of fewest connections and best response over time

Priority Group Activation
(Diagram: members grouped as Priority 1 and Priority 2)
- If you set Priority Group Activation to 2, and 3 of the highest priority members are available, then lower priority members will not be used.
- If the number of members falls below Priority Group Activation (2), then the next highest priority members are also used.

Fallback Host
- If all members fail, then the client is sent an http redirect to an alternate server.

Pool Member vs. Node
- Load Balancing by:
  - Pool Member: IP Address & service
  - Node: Total services for one IP Address

If using Member
- If http pool uses Least Connections (member) load balancing method, then the next http request goes to the Pool Member with fewest http connections
- (Diagram: Current Connections)

If using Node
- Next http requests go to IP Address with fewest total connections
- (Diagram: Current Connections)

Configuring Load Balancing
- Ratio & Priority Group Activation

Module 3 - Monitors

Module 3 - Outline
- Monitor Concepts
- Configuring Monitors
- Assigning Monitors
- Node and Member Status
- Health Monitor Labs

Monitor Concepts
- Address Check: Node IP Address
- Service Check: IP:port
- Content Check: IP:port plus check data returned
- Interactive Check
- Path Check

Address Check
(Diagram: ICMP to 172.16.20.1, 172.16.20.2, 172.16.20.3)
- Steps
  - Packets sent to IP Addresses
  - If no response, then no traffic sent to members using that node address
- Example: ICMP

Service Check
(Diagram: TCP Connection to 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80)
- Steps
  - Opens TCP connection (IP Address:service)
  - Connection closed
  - If TCP connection fails, then no traffic sent to associated Members
- Example: TCP

Content Check
(Diagram: http GET / to 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80)
- Steps
  - Opens TCP connection (IP Address:service)
  - Sends a request
  - Response returns data
  - Connection closed
  - If Receive Rule not found in data, then no traffic sent to associated Members
- Example: http

Interactive Check
(Diagram: conversation with 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80)
- Steps
  - Opens TCP connection (IP Address:service)
  - Interactive conversation to simulate real-world
  - Connection closed
  - If expected results do not occur, then no traffic sent to associated Members
- Example: SQL request

Path Check
(Diagram: Link Cntl, ISP1, ISP2)
- Steps
  - Sends packet through, not to, the device
  - Can check IP Address, Service or Content
  - If condition not met, then no traffic sent through associated member

Configuring Monitors
- System Supplied Monitors (Templates)
  - Address Checks (icmp)
  - Service Checks (tcp)
  - Content Checks (http)
  - Interactive Checks (ftp)
- Availability:
  - All templates can be customized
  - Some can be assigned "as-is"
  - Some can only be used as Templates for Custom Monitors

Creating Custom Monitors

Additional Monitor Parameters
- Receive Rule: If content found, Node marked Up
- Reverse Receive Rule: If content found, Node marked Down
- Transparent: If Path Available, Node marked Up. Used for monitoring Links

Monitor Timers
- Frequency (Interval)
- Timeout
- Recommended 5n+1

Assigning Monitors
- Default for all Nodes
- Single Node Options
  - Node Default
  - Node Specific
  - None
- Default all Members of a Pool
- Single Pool Member Options
  - Inherit from Pool
  - Member Specific
  - None

Assigning Monitors to Nodes
- For one Node

Assigning Monitors to Pools
- For one Member

Member and Node Status
- Parent-Child Status: Node, Member, Pool, Virtual Server
- Status
  - Available: Green Circle
  - Offline: Red Diamond
  - Unknown: Blue Square

Module 4 - Profiles
(Diagram: Internet, Virtual Server)
- Profiles determine how Virtual Server traffic is processed on BIG-IP

Module 4 - Outline
- Profiles Concepts
- Profile Dependencies
- Profile Types
- Configuring Profiles

Profile Concepts
- A Profile is:
  - Single place to define traffic behavior: SSL, compression, persistence
  - Apply behavior to multiple VSs
  - User defined, built from template
  - Dependent on other profiles

Profile Scenario #1 - Persistence

Scenario #2 - SSL Termination
(Diagram: Decrypted, Encrypted)

Profile Dependencies
- Some can't be combined in VS
- Some dependent on others
- Think in terms of OSI Model
- (Diagram: TCP, HTTP, Cookie, UDP, FTP)

Profile Types
- Protocol: connection oriented
- Service: data type oriented
- Persistence: session oriented
- SSL: encryption oriented
- Authentication: security oriented

Profile Configuration Concepts
- Created from Default Profiles
- Defaults can be modified, not deleted
- Custom and Parent relationship
- Saved in /config/profile_base.conf

Virtual Server Default Profiles
- All Virtual Servers have at least one Profile
  - TCP: for virtual servers processing TCP data
  - UDP: for virtual servers processing UDP data
  - FastL4: for virtual servers that use acceleration (PVA)

Configuring Profiles
- Specify Properties
- Then Map to Virtual Server

Module 5 - Persistence

Module 5 - Outline
- Source Address Persistence
- Source Address Persist Lab
- Cookie Persistence: Insert, Rewrite, Passive & Hash
- Cookie Persist Lab

Source Address Persistence
- Based on Client Source IP Address
- Netmask: Address Range
- (Diagram: clients 205.229.151.10, 205.229.152.11, 205.229.151.107; "If Netmask is 255.255.255.0")

Configuring Source Address Persist
- Point Virtual Server to Profile
- Configure Profile

Cookie Persistence
- Insert mode: BIG-IP inserts a cookie into the stream
- Rewrite mode: Web server creates cookie and BIG-IP Controller changes it
- Passive mode: Web server creates cookie and BIG-IP Controller reads it
- Hash mode: Maps a cookie value to a specific node. Web server must generate a cookie

Cookie Insert Mode
(Diagram: Client, Server; "pick server", "cookie specifies server")

Cookie Rewrite Mode
(Diagram: Client, Server; "pick server", "cookie specifies server")

Cookie Passive Mode
(Diagram: Client, Server; "pick server", "cookie specifies server")

Cookie Hash Mode
(Diagram: Client, Server; "pick server", "cookie hash specifies server")

Configuring Cookie Persistence
- Then set Cookie Persist profile
- Cookie Persist requires http profile

Member State

Node State
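
The address translation walked through for Packets #1 to #3 in Module 2, as a small model (an added example, not part of the original training deck and not BIG-IP code). The class and function names are hypothetical, the pool order is chosen so that round robin picks the same members as the slides, and the connection table keyed by client address and port is an assumption about how return traffic is matched.

```python
from itertools import cycle

VIRTUAL_SERVER = ("216.34.94.17", 80)
# Pool members from the slides; the order is an assumption chosen so that
# round robin reproduces the member picked for Packets #1-#3.
POOL = [("172.16.20.1", 80), ("172.16.20.2", 4002),
        ("172.16.20.4", 8080), ("172.16.20.3", 80)]


class VirtualServer:
    """Toy model: destination rewritten inbound, source rewritten on return."""

    def __init__(self, vip, members):
        self.vip = vip
        self._next = cycle(members)   # round robin over pool members
        self.conns = {}               # client (ip, port) -> chosen member

    def inbound(self, src, dst):
        """Client -> server packet; returns translated (src, dst) or None."""
        if dst != self.vip:
            return None               # not addressed to the virtual server
        if src not in self.conns:     # first packet of a flow: pick a member
            self.conns[src] = next(self._next)
        return src, self.conns[src]   # client source address is left unchanged

    def outbound(self, src, dst):
        """Server -> client packet; source becomes the virtual server again."""
        if self.conns.get(dst) != src:
            return None               # no matching connection entry
        return self.vip, dst


def replay(clients):
    """Send one request per client and record (client, member, reply source)."""
    vs = VirtualServer(VIRTUAL_SERVER, POOL)
    rows = []
    for client in clients:
        _, member = vs.inbound(client, VIRTUAL_SERVER)
        reply_src, _ = vs.outbound(member, client)
        rows.append((client, member, reply_src))
    return vs, rows


if __name__ == "__main__":
    # Client addresses and ports as shown on the slides.
    clients = [("207.17.117.20", 4003), ("207.17.117.21", 4003),
               ("207.17.117.25", 4003)]
    for client, member, reply_src in replay(clients)[1]:
        print(f"{client} -> {member}; reply leaves as {reply_src}")
```

The clients only ever see 216.34.94.17:80 as the peer, while each server sees the real client source address, which is why the return path has to pass back through the device that holds the connection entry.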