F5 Link Controller
1. CONFIDENTIAL 1
Link Controller
Team Training
Presented by:
Denny Payne
Consultant
2. CONFIDENTIAL 2
Link Controller Overview
• Purpose: Link Controller is designed to provide
load balancing and/or failover for multiple locally
attached ISP links.
• Hardware & Licensing: Sold on 1500 and 3400
platforms, either standalone or as module on top
of LTM/GTM
• Focus of this presentation is v9, but most
concepts apply to v4 as well
3. CONFIDENTIAL 3
Link Controller Advantages
Advantages to customer:
- Eliminates BGP requirements
- ISPs are not required to coordinate
- New links can be added transparently
- GUI management of zone files
- ZoneRunner (v9) or NameSurfer (v4)
Advantages over competition
- Modular construction on TMOS
- iRules and health checking capability
4. CONFIDENTIAL 4
Link Controller Limitations
• A standalone LC is a hybrid of LTM (BIG-IP) and GTM (3-DNS) with a subset of each feature set
• No L7 iRules or health checking functionality
• No advanced load balancing algorithms (observed/predictive)
• No ability to resolve IPs that it does not host (therefore no site-to-site failover or DR)
• Must be locally attached to public IP blocks
– Therefore, must sit outside the firewall, directly exposed to the Internet; restrict management access to it accordingly
– May not be desirable to do LC/LTM combo
6. CONFIDENTIAL 6
Deployment considerations
• LC’s hybrid design can be summed up by noting:
– Outbound traffic is processed like LTM (BIG-IP)
– Inbound traffic is processed like GTM (3-DNS)
Link Controller must be the default gateway for
the firewall
7. CONFIDENTIAL 7
LC Quick Start
• Define VLANs
• Define Self IPs
• Create Gateway Pool
• Create default route, reference Gateway pool
• Define links
• Define NTP server
• Define Listeners for each link
• Create outbound wildcard LB Virtual Server, reference the gateway pool
• Create outbound SNATs or SNAT pools for each egress VLAN
• Create Local Traffic Pools
• Create Local Traffic Virtual Servers for each link
• Create a WideIP
8. CONFIDENTIAL 8
Inbound LC Transaction
Internet client requests name resolution for gnu.es.f5net.com
Internet DNS servers (the parent zone’s name servers) tell the client that lc.es.f5net.com is the authoritative name server for the es.f5net.com zone
The client queries lc.es.f5net.com for name resolution of gnu.es.f5net.com
lc.es.f5net.com returns the IP address 10.1.10.100, the LTM virtual server on link1
The client sends its HTTP request to 10.1.10.100:80 and the LC processes the request as per the configuration of that LTM virtual server and its default pool
9. CONFIDENTIAL 9
Outbound Traffic
• Outbound traffic is handled in a manner similar to
LTM server load balancing.
• Create a pool containing each of the ISP router
gateway addresses with service port “any”
• Create a wildcard virtual server (0.0.0.0:0) using
all protocols, enabled on the internal VLAN and
point it to the previously created pool.
• Enable SNAT automap from the internal VLAN
11. CONFIDENTIAL 11
Outbound Traffic options
If desired, more specific virtual servers may be used to split up traffic in different ways.
Example: create 3 pools, one with both gateways, another with only gateway 1 and a third with only gateway 2.
Then create 0.0.0.0:0 using pool 1, 0.0.0.0:80 using pool 2, and 0.0.0.0:25 using pool 3. The most specific virtual server wins, so port 80 and port 25 traffic is pinned to a single gateway while everything else is balanced across both.
This may be expanded upon with pool priority and/or iRules to produce the desired traffic flow.
Allow “Any IP” over the SNAT so that ICMP (ping) is translated as well.
12. CONFIDENTIAL 12
Pool load balancing
• Round robin and static ratio are available, but the
typical setting will be dynamic ratio.
• Dynamic ratio will use the link configuration
settings (discussed in next section) to make load
balancing decisions
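The outbound path described on the preceding slides (wildcard virtual servers, the gateway pool, dynamic ratio and SNAT), as an added illustrative model written for this page; it is not F5 code. Link names, addresses and capacities are constructed, and the weighting in `dynamic_ratio` (free capacity per healthy link) is an assumption standing in for F5’s own cost/bandwidth algorithm, which the slides only describe in outline.

```python
"""Added illustrative model of Link Controller outbound processing (not F5
code).  A flow leaving the internal VLAN is matched against the wildcard
virtual servers, most specific first (0.0.0.0:25 before 0.0.0.0:0); the
matched virtual's gateway pool chooses an ISP router by dynamic ratio; and
the flow is SNATed to the self IP on that ISP's netblock so replies return
over the same link.  Link names, addresses and capacities are constructed,
and the ratio weighting is an assumed model, not F5's published algorithm."""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    router: str             # ISP router address = gateway pool member
    snat: str               # self IP / SNAT address on the ISP's netblock
    capacity_mbps: float    # "link capacity" from the Link object
    used_mbps: float = 0.0  # current outbound utilisation (constructed)
    up: bool = True         # result of the bigip_link monitor


@dataclass
class Virtual:
    dest: str               # "0.0.0.0:0", "0.0.0.0:80", ...
    pool: list              # gateway pool: the Link objects it may use


def select_virtual(virtuals, dst_port):
    """Most specific wildcard wins: a port-specific 0.0.0.0:<port> virtual
    takes the flow before the catch-all 0.0.0.0:0."""
    catch_all = None
    for v in virtuals:
        port = int(v.dest.rsplit(":", 1)[1])
        if port == dst_port:
            return v
        if port == 0:
            catch_all = v
    if catch_all is None:
        raise LookupError(f"no virtual server matches port {dst_port}")
    return catch_all


def dynamic_ratio(links):
    """Assumed weighting: each healthy link gets weight = free capacity.
    Down links get no weight at all, which is what removes a failed ISP
    from the pool."""
    return {l.name: max(l.capacity_mbps - l.used_mbps, 0.0)
            for l in links if l.up}


def pick_link(links, rnd=0.0):
    """Weighted choice.  rnd is a number in [0, 1); passing it in keeps the
    selection deterministic for tests (use random.random() in practice)."""
    weights = dynamic_ratio(links)
    if not weights:
        raise RuntimeError("gateway pool has no usable member: all links down")
    total = sum(weights.values())
    names = list(weights)
    if total == 0:              # every healthy link saturated: spread evenly
        chosen = names[int(rnd * len(names))]
    else:
        target, acc = rnd * total, 0.0
        chosen = names[-1]
        for name, w in weights.items():
            acc += w
            if target < acc:
                chosen = name
                break
    return next(l for l in links if l.name == chosen)


def route_outbound(virtuals, dst_port, rnd=0.0):
    """Return the decision LC makes for an outbound flow to dst_port."""
    v = select_virtual(virtuals, dst_port)
    link = pick_link(v.pool, rnd)
    return {"virtual": v.dest, "gateway": link.router, "snat": link.snat}


# Constructed two-ISP layout following the 10.1.10.x / 10.1.20.x convention
# used on the slides.  link1 is nearly full, link2 mostly idle.
LINK1 = Link("link1", router="10.1.10.1", snat="10.1.10.5", capacity_mbps=10, used_mbps=8)
LINK2 = Link("link2", router="10.1.20.1", snat="10.1.20.5", capacity_mbps=10, used_mbps=2)

# Slide 11's three pools: both gateways, gateway 1 only, gateway 2 only.
VIRTUALS = [
    Virtual("0.0.0.0:0", [LINK1, LINK2]),   # everything else: dynamic ratio
    Virtual("0.0.0.0:80", [LINK1]),          # web traffic pinned to ISP 1
    Virtual("0.0.0.0:25", [LINK2]),          # mail pinned to ISP 2
]

if __name__ == "__main__":
    for port in (80, 25, 443):
        print(port, route_outbound(VIRTUALS, port, rnd=0.5))
```

The failure mode worth noticing: a port-specific virtual whose pool holds a single gateway (the 0.0.0.0:80 entry above) loses all of that traffic when its one link goes down, because the more specific virtual still wins the match. If that is not the intent, give those pools both gateways and use pool priority to express the preference instead.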
13. CONFIDENTIAL 13
Inbound Traffic
• Inbound traffic is handled in the same manner as
GTM (3-DNS)
– Recall the limitation that it can only hand out addresses
that it hosts
• Requires DNS delegation
– At minimum, LC must be authoritative for the domains
that are load balanced/failed over
– Can take over the entire domain if desired
14. CONFIDENTIAL 14
DNS Listeners
• Need a DNS listener on each ISP network – use a floating address for a redundant pair
– For more than 2 ISPs, pick the 2 primary links, since a delegation typically lists only ns1 and ns2 records
No v4 equivalent; UDP 53 must be allowed to the floating IPs on each ISP netblock (and TCP 53 if responses may exceed 512 bytes)
15. CONFIDENTIAL 15
Inbound Pools and VIPS
• Inbound pools and VIPs are set up in nearly the same manner as LTM, with 2 key differences
– Pools will usually only have 1 member, which is the NAT address for the application on the firewall
– A virtual server is needed on each ISP’s network, all pointing to the same pool
• These virtuals correspond to the DNS entries that LC will give out to clients for a given domain
17. CONFIDENTIAL 17
Link Configuration
• Define the links (one per ISP) and set up the
relevant cost and/or bandwidth structure for each
– Link capacity
– Price per Mb (prepaid vs. burst cost)
• Dynamic ratio will use these figures to determine
load balancing
– Not necessarily required to be real-world figures
20. CONFIDENTIAL 20
WideIP Configuration
• Final step is creation of WideIPs
– Domain name to virtual server mapping
– Only allowed to use virtual servers that are hosted by
the LC itself
– No pools concept as on GTM
• ZoneRunner entries created automatically
– NameSurfer in v4
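The inbound side, as an added model written for this page (not F5 code): the delegation walk from the Inbound LC Transaction slide, listeners on each ISP netblock, one virtual per ISP network feeding the same pool, and the WideIP rule that only LC-hosted virtuals may be handed out. Hostnames, addresses and listener IPs are constructed, and the round-robin answer order is an assumption.

```python
"""Added model of the inbound (GTM-style) side of Link Controller: the
delegation walk from slide 8, listeners on each ISP netblock (slide 14), one
virtual per ISP network feeding the same pool (slide 15) and the WideIP rule
that only LC-hosted virtuals may be handed out (slide 20).  All hostnames,
addresses and listener IPs are constructed for the example; this is not F5
code and the round-robin answer order is an assumption."""


class LinkController:
    def __init__(self):
        self.links = {}      # link name -> up?
        self.listeners = {}  # listener IP -> link it sits on
        self.virtuals = {}   # virtual name -> (address, port, link)
        self.wideips = {}    # FQDN -> [virtual names]
        self._rr = {}        # FQDN -> round-robin counter

    def add_link(self, name, up=True):
        self.links[name] = up

    def add_listener(self, ip, link):
        self.listeners[ip] = link

    def add_virtual(self, name, address, port, link):
        self.virtuals[name] = (address, port, link)

    def create_wideip(self, fqdn, virtual_names):
        """Slide 20: a WideIP may only reference virtuals this LC hosts."""
        for vs in virtual_names:
            if vs not in self.virtuals:
                raise ValueError(f"{fqdn}: {vs} is not hosted on this LC "
                                 "(no site-to-site failover or DR)")
        self.wideips[fqdn] = list(virtual_names)
        self._rr[fqdn] = 0

    def answer(self, fqdn):
        """A-record answer: the next virtual whose link is up, or None."""
        if fqdn not in self.wideips:
            return None
        alive = [self.virtuals[vs] for vs in self.wideips[fqdn]
                 if self.links[self.virtuals[vs][2]]]
        if not alive:
            return None
        address, port, _link = alive[self._rr[fqdn] % len(alive)]
        self._rr[fqdn] += 1
        return address, port


# Constructed delegation: the parent zone names two NS records for
# es.f5net.com with glue pointing at the LC's floating listener on each ISP.
PARENT_NS = {"es.f5net.com": ["ns1.es.f5net.com", "ns2.es.f5net.com"]}
GLUE = {"ns1.es.f5net.com": "10.1.10.53", "ns2.es.f5net.com": "10.1.20.53"}


def client_lookup(lc, fqdn):
    """Walk the delegation the way the Internet client on slide 8 does.
    A listener on a dead ISP link never answers, so the client moves on to
    the next NS record; if no listener is reachable, resolution fails."""
    zone = fqdn.split(".", 1)[1]
    for ns in PARENT_NS.get(zone, []):
        listener_ip = GLUE[ns]
        if lc.links[lc.listeners[listener_ip]]:
            return lc.answer(fqdn)
    return None


def build_example_lc():
    lc = LinkController()
    lc.add_link("link1")
    lc.add_link("link2")
    lc.add_listener("10.1.10.53", "link1")
    lc.add_listener("10.1.20.53", "link2")
    # one virtual per ISP network, both fronting the same firewall NAT pool
    lc.add_virtual("gnu_link1", "10.1.10.100", 80, "link1")
    lc.add_virtual("gnu_link2", "10.1.20.100", 80, "link2")
    lc.create_wideip("gnu.es.f5net.com", ["gnu_link1", "gnu_link2"])
    return lc


if __name__ == "__main__":
    lc = build_example_lc()
    print(client_lookup(lc, "gnu.es.f5net.com"))
    lc.links["link1"] = False
    print(client_lookup(lc, "gnu.es.f5net.com"))
```

Two things the model makes visible: a listener is only useful while its own link is up, which is why one is needed per ISP netblock, and once every link is down the LC has nothing to hand out at all, because it cannot return an address it does not host.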
22. CONFIDENTIAL 22
Special Considerations
• IPsec (VPNs)
– LC cannot terminate IPsec tunnels
– IPsec typically cannot survive a NAT (AH covers the IP header, and ESP without NAT traversal has no port for the NAT to rewrite)
• Some IPsec clients cannot resolve by name
• Solution 1: Forward IPsec directly to the firewall or endpoint
– Requires a public IP block between LC and firewall
– Requires an IP forwarding virtual on LC from external to internal
23. CONFIDENTIAL 23
IPsec cont.
• Solution 2: Implement an IPsec solution that supports NAT traversal or “tunnel and transport mode”
– Uses the typical LC configuration (SNAT automap outbound and virtual -> pool inbound)
– Checkpoint and PIX definitely support this, others not verified
25. CONFIDENTIAL 25
Special Considerations cont.
• L2 Bridging not recommended
– Supposedly can be configured on one link, with outbound
wildcard VIP bound to internal child VLAN and doing SNAT
automap
– Proceed at own risk
BIND vs ZoneRunner/NameSurfer
– Customer may choose to use BIND to manage zone files
(particularly if LC is taking over entire domain)
– Typically, once done, cannot be reverted
26. CONFIDENTIAL 26
How do I manage BIND zone files?
BIND zone management is the same as in LTM: manual, and not supported.
ZoneRunner is NOT included in the LC software module.
One can configure BIND manually and maintain it through the CLI.
– Configuration of BIND via CLI is not supported.
– We will patch named if a bug is found in the named code and a new version is available to address that bug.
27. CONFIDENTIAL 27
The LC Link Object: Basic View
Link object functionality is the same as in 4.x; a link consists of the following elements:
– Name: Link object name
– Router Address: The address of the gateway router for that ISP link
– Uplink Address: The router’s IP address that connects to the ISP
– Service Provider: Descriptive field used for a logical identification of that link’s
service provider
– Health Monitor: the bigip_link monitor is the recommended monitor for links
28. CONFIDENTIAL 28
LC Objects
LC UI objects inherited from LTM are configured in the same way they are configured on a standalone LTM product.
LC Links are configured in the Network section of the UI, but the link objects are stored in the wideip.conf file.
– Links: Network->Links
GTM-inherited features are configured under the “Global Traffic” section of the UI.
– GTM Listeners: Global Traffic->Listeners
– WideIPs: Global Traffic->Inbound Link Traffic
– Topology: Global Traffic->Topology
Note: WideIP pools are not explicit objects in the UI. WideIP pools are automatically created by mcpd, and their object names match their WideIP’s FQDN.
29. CONFIDENTIAL 29
WideIP pools on a Link Controller
The WideIP pool objects are not visible via the UI on Link Controller.
If a problem exists with a WideIP pool it will be necessary to edit the
wideip.conf file from the command line.
WideIP pools get an object name that matches the WideIP’s FQDN, thus
it is easy to determine which WideIP pool will need to be edited.
Example:
If an administrator attempts to create a WideIP from the UI, and the
creation action fails due to a misconfiguration, the WideIP pool may get
written out to the wideip.conf file, but the admin will not be able to see
this from the UI.
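Because the leftover pool is invisible in the UI, the practical check is to read /config/gtm/wideip.conf itself. The following is an added example written for this page (not F5 code) that audits a wideip.conf for the two symptoms described here and under Known Issues: a pool no WideIP references, and pool members whose address is no longer a virtual this LC hosts. The sample file is constructed and its syntax simplified; the real file carries more attributes than this small brace parser models, and the set of hosted VIP addresses is an assumed input.

```python
"""Added example (not F5 code): an offline audit of a wideip.conf for the
symptoms on slides 29 and 30, a WideIP pool left behind by a failed creation
that no WideIP references, and pool members whose address is not a virtual
this LC hosts.  The sample file is constructed and its syntax simplified."""
import re

# Constructed, simplified wideip.conf: one healthy WideIP plus one leftover
# pool (ftp.es.f5net.com) from a WideIP creation that failed in the GUI.
SAMPLE_WIDEIP_CONF = """\
wideip {
   name "gnu.es.f5net.com"
   pool_lbmode rr
   pool {
      name "gnu.es.f5net.com"
      ratio 1
   }
}
pool {
   name "gnu.es.f5net.com"
   lb_mode rr
   member 10.1.10.100:80
   member 10.1.20.100:80
}
pool {
   name "ftp.es.f5net.com"
   lb_mode rr
   member 10.1.10.101:21
   member 10.1.30.101:21
}
"""

NAME_RE = re.compile(r'name\s+"([^"]+)"')
MEMBER_RE = re.compile(r'member\s+(\S+)')


def top_level_blocks(text):
    """Yield (kind, body) for each top-level brace block, e.g. ("pool", ...).
    Assumes blocks start at a line beginning and braces never appear inside
    quoted strings; nested blocks stay inside their parent's body."""
    depth, start = 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = text.rfind("\n", 0, i) + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                body = text[start:i + 1]
                kind = body.split("{", 1)[0].strip()
                yield kind, body


def audit_wideip_conf(text, hosted_vips):
    """Return pools no WideIP references and members that are not hosted VIPs.
    hosted_vips is the set of addresses of the LC's own virtual servers."""
    referenced, pools = set(), {}
    for kind, body in top_level_blocks(text):
        names = NAME_RE.findall(body)
        if kind == "wideip":
            # first name is the WideIP FQDN; the rest are its pool references
            referenced.update(names[1:])
        elif kind == "pool":
            pools[names[0]] = MEMBER_RE.findall(body)
    orphans = sorted(p for p in pools if p not in referenced)
    unhosted = {}
    for pool, members in pools.items():
        stale = [m for m in members if m.rsplit(":", 1)[0] not in hosted_vips]
        if stale:
            unhosted[pool] = stale
    return {"orphan_pools": orphans, "unhosted_members": unhosted}


# Constructed: addresses of the virtual servers this LC actually hosts.
HOSTED_VIPS = {"10.1.10.100", "10.1.20.100", "10.1.10.101"}

if __name__ == "__main__":
    print(audit_wideip_conf(SAMPLE_WIDEIP_CONF, HOSTED_VIPS))
```

Run it against a copy of the file before editing anything by hand, and keep the copy: the slide's point is that the GUI will neither show nor clean up these objects, so the backup is the only record of what was changed.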
30. CONFIDENTIAL 30
Known Issues (as of 9.2.3)
• Many hotfixes are available
• /config/gtm/wideip.conf seems susceptible to
corruption in various ways
– IPs configured in the GUI and later removed are not always cleaned up properly. This can lead to odd behavior in the GUI.
ZoneRunner issues