F5 BIG-IP LTM v10 Quick Reference Manual - new platform rv1


F5 BIG-IP LTM Explained (How It Works - Configuration Manual)

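What is TMM
• Traffic Management Module
• The core process of TMOS, with its own independent memory, CPU resource allocation, and I/O control
• All production traffic is received through TMM
• A CPU core can run only one TMM process
• On V9, 15/34/64/68 all run a single TMM
• On V9, 16/36/69/89/84/88 all run multiple TMMs
• On V10, 16/36/69/89/84/88 all run multiple TMMs
• Viprion supports only versions 9.6 and 10.0, and both run multiple TMMs by default

• Web Accelerator Module (including compression)
• Application Security Module
• GTM allocation-algorithm processing (including GTM rules)
• Named domain name resolution
• Health checks
• Log management
• System statistics
• SNMP data output
• HA health checks

BIGIP internal structure - V9 platform 15/34/64/68

F5 BIG-IP LTM Explained
北京先进数通信息技术有限公司, December 19

How LTM Works
• LTM basic architecture
• VS types in detail
• Profiles in detail
• How CMP works
• How One Connect works
• How NAT and SNAT work
• How monitors work
• How HA works

LTM Basic Architecture
• The Host has the size of its memory allocation fixed at startup; when there are no other modules, it is 384MB
• After the TMM process starts, it automatically takes all of the remaining physical memory

Checking Host memory usage
• # physmem    (show the physical memory size)
    8387584
• b memory show    (show how memory is allocated)
    MEMORY STATISTICS -
    | (Host) Total = 3.835GB Used = 3.590GB
    | (TMM) Total = 5.976GB Used = 93.22MB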

F5 Command-Line Configuration Manual


bigstart: Restarts the SNMP agent bigsnmpd.
bigtop: Displays real-time statistics.
config: Configures the IP address, network mask, and gateway on the management (MGMT) port. Use this command at the BIG-IP system prompt prior to licensing the BIG-IP system, and do not confuse it with the bigpipe config command or the BIG-IP Configuration utility.
halt: Shuts down the BIG-IP software application.
hostname: Displays the name you have given to the BIG-IP system.
printdb: Prints the values of one or more entries in the bigdb™ database.
reboot: Reboots the BIG-IP system.
ssh and scp: Access command line interfaces on other SSH-enabled devices, and copy files to or from a BIG-IP system.

Customizing the bigpipe shell prompt
    bp> shell prompt <string>
    bp> shell prompt BIG-IP>
The system shell prompt then becomes: BIG-IP>
This feature gets around this restriction: prefix a Linux command with "!".
    BIG-IP>!ls          // list the directory
    BIG-IP>!ifconfig    // show the interface configuration

• Routes
• Self IP addresses
• Packet Filters
• Trunks (802.3ad Link Aggregation)
• Spanning Tree Protocol (STP)
• VLANs and VLAN groups
• ARP

Configuring packet filtering
Command: bigpipe packet filter
You can define a packet filter rule to provide access control, rate shaping, and auditing.

Configuring routes
Command: route (<route key list> | all | inet | inet6)

F5's Show Tech
    [root@XXXX:Standby] config # qkview
    Getting systemwide backup configuration files.
    Getting AOM information.
    Getting last 175 lines of log files.
    Getting last 175 lines of gzipped log files.
    Getting md5 sum information.
    Getting core file list.
    Getting Public Certificate information.
    Getting tmctl information.
    completed...
    6 of 161 checks produced no data
    Diagnostic information has been saved in file /var/tmp/-tech.out
    Please send this file to **************.

bigtop - display real-time statistics
    -bytes        display counts in bytes (vs bits)
    -pkts         display counts in packets (vs bits)
    -reqs         display counts in requests (vs connections)
    -vips <n>     number of virtual servers to print
    -nodes <n>    number of nodes to print
    -once         print once and exit
    -delay <n>    number of seconds between samples (default 4)
    -scroll       disable full-screen mode
    -nosort       disable sorting
    -conn         sort by connection count (vs byte count)
    -delta        sort by count since last sample (vs total)
    -n            print IP address and services in numeric format
    -vname        display virtual servers by name (vs IP address)
    -help, -h     print this message

Log file system
1. Access the BIG-IP system prompt.
2. Stop the BIG-IP system or put the system into a safe condition such as standby mode using the bigstart stop command.
3. Type the following command:
    resize-logFS
   This command prompts you for the desired file size in gigabytes.
4. At the prompt, type an integer. The minimum allowed value is 1, and the maximum allowed value is 10. A prompt appears that allows you to confirm the specified file size.
5. Type Y. A message appears, notifying you of the need for the BIG-IP system to perform a reboot, followed by a prompt, which allows you to permit the reboot operation.
   Note: Prior to rebooting, the BIG-IP system verifies that the integer you typed in step 3 is within the allowed range, and checks to ensure that enough disk space exists for the specified size.
6. Type Y. A confirmation prompt appears.
7. Type Y. The system displays messages indicating that the reboot operation is about to occur.
8. Wait for the reboot operation to finish. When the system becomes available again, the newly-specified disk space for the log file will be in effect.
WARNING: Do not delete the files /shared/.LoopbackLogFS and /shared/LogFS_README, because this action deletes all of your log files.

Enabling or disabling a virtual server or virtual address
To enable or disable a virtual server, use the appropriate command syntax:
    bp> virtual <virtual addr>:<virtual port> enable | disable
To enable or disable a virtual address, use the appropriate command syntax:
    bp> virtual address <virtual addr> enable | disable

Removing an individual node from service
You can remove an individual node from service, or return an individual node to service, from the bigpipe shell command line.
To remove an individual node from service, use the following command:
    bp> node <node addr>:<node port> down
To return an individual node to service, use this command:
    bp> node <node addr>:<node port> up

Viewing and modifying F5 system configuration files
... to edit or view these files. When you are not able to use a browser, it is sometimes necessary to modify the configuration files. This calls for F5's browserless configuration mode and command-line configuration mode.
Important: After you edit bigip.conf or bigip_base.conf, and before you restart the MCPD service, you must run bigpipe load to make sure that the MCPD service uses the current configuration data.

alert.conf: Stores definitions of SNMP traps (system default alerts).
user_alert.conf: Stores definitions of SNMP traps (user-defined alerts).
/config/bigip.conf: Stores all configuration objects for managing local application traffic, such as virtual servers, load balancing pools, profiles, and SNATs. Note that after you edit bigip.conf, and before you restart the MCPD service, you must run the bigpipe load command.
/config/bigip_base.conf: Stores BIG-IP self IP addresses and VLAN and interface configurations. Note that after you edit bigip_base.conf, and before you restart the MCPD service, you must run the bigpipe load command.
/config/bigip.license: Stores authorization information for the BIG-IP system.
/etc/bigconf.conf: Stores the user preferences for the Configuration utility.
/config/bigconfig/openssl.conf: Holds the configuration information for how the SSL library interacts with browsers, and how key information is generated.
/config/user.db: Holds various configuration information. This file is known as the bigdb database.
/config/bigconfig/httpd.conf: Holds configuration information for the web server.
/config/bigconfig/users: The web server password file. Contains the user names and passwords of the people permitted to access whatever is provided by the web server.
/etc/hosts: Stores the hosts table for the BIG-IP system.
/etc/hosts.allow: Stores the IP addresses of workstations that are allowed to make administrative shell connections to the BIG-IP system.
/etc/hosts.deny: Stores the IP addresses of workstations that are not allowed to make administrative shell connections to the BIG-IP system.
/etc/rateclass.conf: Stores rate class definitions.
/etc/ipfwrate.conf: Stores IP filter settings for filters that also use rate classes.
/etc/snmpd.conf: Stores SNMP configuration settings.
/etc/snmptrap.conf: Stores SNMP trap configuration settings.
/config/ssh: Contains the SSH configuration and key files.
/etc/sshd_config: This is the configuration file for the secure shell server (SSH). It contains all the access information for people trying to get into the system by using SSH.
/config/routes: Contains static route information.

    [root@ISAG-2:Standby] config # find_keys
    ISAG-2 koradsatn. omtitra eod
    ISAG-2 junl trig Cmi nevl5scnsdt md.6koradsatn. omtitra eod
    Found license key JTPBO-CHRSX-DGBIO-HOAHJ-MOZJEVA
    License file location is: /sda.1/config/bigip.license
    Found license key JTPBO-CHRSX-DGBIO-HOAHJ-MOZJEVA
    Unmounting unneeded partitions...
    ISAG-2 junl trig Cmi nevl5scnsn Cmi nevl5scnsree aamd.<>junl trig Cmi nevl5scns<6>EXT3-fs: mounted filesystem with ordered data mode.
    ISAG-2 junl trig Cmi nevl5scns<6>kjournald starting. Commit interval 5 seconds
    complete
    Above information can be found in /tmp/keys.out

Managing Local Application Traffic
• Setting up load balancing
• Controlling HTTP traffic
• Implementing HTTP and TCP optimization profiles
• Authenticating application traffic
• Implementing persistence
• Enhancing the performance of the BIG-IP system
• Managing health and performance monitors
• Implementing iRules

Setting up virtual server load balancing
1. Decide what types of traffic you want the BIG-IP system to manage, as well as whether you want to implement session persistence, connection persistence, and remote authentication.
2. For each decision in step 1, decide whether you want to use the corresponding default profile that the BIG-IP system provides, or whether you want to create a custom profile.
3. Access the bigpipe shell.
4. If you want to create custom profiles, use the profile command, specifying the appropriate type of profile as an argument. If you do not want to create custom profiles, skip this step.
5. Create one or more load balancing pools, using the pool command.
6. Create a virtual server, using the virtual command, and assign to it any profiles and pools that you created. If you are using default profiles, some of those profiles might already be assigned to the virtual server by default.

Configuring a clone pool
A clone pool is designed for intrusion detection. You can set a clone pool for a VS; the clone receives the same traffic as the normal pool, so you can copy traffic to an intrusion detection system.
1. Access the bigpipe shell.
2. Use the virtual command to create or modify a virtual server, specifying a value for the clone pool argument.

Configuring a last hop pool
By default, the BIG-IP system enables the last hop feature automatically. If you want to disable this feature and define a last hop router manually yourself, you can create a last hop pool and assign it to a VS.
1. Access the bigpipe shell.
2. Use the pool command to create a last hop pool that contains the router inside addresses.
3. Use the lasthop pool argument with the virtual command to assign the last hop pool to a virtual server.
If you have not assigned an SSL profile to the virtual server, use the profile argument with the virtual command to assign the profile to the virtual server.

Configuring SNATs
There are two basic ways to create a SNAT: you can assign a translation address directly to one or more original IP addresses, or you can configure a SNAT pool and then assign that SNAT pool to an original IP address. In newer versions, the BIG-IP system automatically selects a translation address from the SNAT pool.
Note that you can assign these types of mappings from within an iRule.
To map a single translation address to an original address
1. Access the bigpipe shell.
2. Designate an IP address as a translation address, using the snat translation command.
3. Map the translation address to one or more original IP addresses, using the snat command or the rule command.
To map a SNAT pool to an original address
1. Access the bigpipe shell.
2. Create a pool of translation addresses (that is, a SNAT pool), using the snatpool command.
3. Map the SNAT pool to one or more original IP addresses, using either the snat command or the rule command.

Configuring HTTP traffic
You can configure the BIG-IP system to control HTTP traffic: configuring HTTP compression, HTTP request redirection, HTTP request rewriting, inserting and erasing HTTP headers, enabling or disabling cookie encryption and SYN cookie support, configuring the HTTP Class profile, and controlling the chunking of HTTP response data.

Configuring HTTP compression
Configure the BIG-IP system to compress HTTP server responses.
1. Access the bigpipe shell.
2. Configure the compression-related settings of an HTTP profile, using the profile http command.
3. Assign the HTTP profile to a virtual server, using the virtual command.

Redirecting HTTP requests
You can configure an HTTP profile to redirect HTTP requests, and define a fallback host in that profile.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the fallback argument. You can specify either a URI or the default fallback host, or you can specify that you want no HTTP redirection.
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.

Rewriting HTTP redirections
You can configure an HTTP profile to rewrite HTTP redirections.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the redirect rewrite argument. For example, to create a profile that only rewrites URIs matching the originally requested URI (minus an optional trailing slash), use the following syntax:
    profile http myHTTPprofile { redirect rewrite matching }
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.

Inserting and erasing HTTP headers
You can configure an HTTP profile to insert a header into HTTP requests, or to remove a header from HTTP requests.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for either the header insert, header erase, or insert xforwarded for options.
3. Verify that the HTTP or Fast HTTP profile you created or modified is assigned to a virtual server.

Enabling or disabling cookie encryption
You can use two options of profile http to enable or disable cookie encryption.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the encrypt cookie and cookie secret options.
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.

Enabling or disabling SYN cookie support
To manage DoS attacks, you can configure the SYN cookie option in a Fast L4 profile to enable or disable SYN cookie support.
◆ If the BIG-IP system includes Packet Velocity ASIC (PVA) technology, use the profile fastl4 command and specify the hardware syncookie (enable | disable | default) option. You can also set the following variables as needed, using the db command.
• pva.SynCookies.Full.ConnectionThreshold (default: 500000)
• pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
• pva.SynCookies.ClientWindow (default: 0)
Note that the hardware syncookie feature is currently available only on the D84 and D88 platforms; on other platforms this feature has no effect. So if you set the software syncookie feature on a D84 or D88, SYN cookies are handled in software only.
◆ If the BIG-IP system does not include Packet Velocity ASIC (PVA) technology, use the profile fastl4 command and specify the software syncookie (enable | disable | default) option.

Configuring the HTTP Class profile
The BIG-IP system includes a type of profile called the HTTP Class profile, which you can use to classify HTTP traffic by criteria that you define. When you classify traffic, how the traffic is forwarded is decided by inspecting the headers or content of the traffic. If the BIG-IP system includes the Application Security Manager (ASM) or WebAccelerator module, you can configure the system to send HTTP traffic to that module first, before it goes on to its final destination. For example, you can use an HTTP Class profile to instruct a virtual server to send traffic through ASM first and then forward it to a load balancing pool.

Unchunking and rechunking HTTP response data
If you want to inspect content, you can unchunk or rechunk HTTP responses; you only need to configure an HTTP profile to enable the unchunking feature.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile and specify the response argument.
3. Make sure that you have assigned the HTTP profile to a virtual server, using the virtual command.

Implementing session persistence
The persistence types you can set are as follows:
• Cookie
• Destination Address Affinity
• Microsoft Remote Desktop Protocol (MSRDP)
• Hash
• Session Initiation Protocol (SIP)
• Source Address Affinity
• SSL
• Universal
Procedure:
1. Access the bigpipe shell.
2. Create a persistence profile, using the profile command, that corresponds to the type of persistence you want to implement.
3. Assign the persistence profile to a virtual server, using the persist and fallback persist arguments with the virtual command.

Implementing connection persistence
To implement connection persistence, you can add a Keep-Alive header to HTTP/1.0 headers (if one is not already present). (HTTP/1.1 connections include Keep-Alive support by default.) You can also enable the connection pooling feature, which keeps server-side connections open so that they can be reused for other client requests. You can enable Keep-Alive support and connection pools by modifying an HTTP or Fast HTTP profile; you can also do this by modifying a OneConnect profile.
To add Keep-Alive headers into HTTP requests
1. Access the bigpipe shell.
2. To ensure that HTTP connections stay open, use the profile http command and specify the oneconnect transformations argument. This ensures that the BIG-IP system inserts a Connection: Keep-Alive header into any HTTP/1.0 request that does not already contain one.
3. Make sure that you have assigned the HTTP or Fast HTTP profile to a virtual server, using the virtual command.
To enable connection pooling
1. Access the bigpipe shell.
2. Using the profile oneconnect command, configure a profile for connection pooling.
3. Assign the profile to a virtual server, using the profile argument with the virtual command.
Tip: You can also configure connection persistence by configuring a Fast HTTP profile, using the fasthttp command in the bigpipe shell.

Enhancing BIG-IP performance
... the BIG-IP system.

Setting connection QoS and packet ToS levels
You can use the bigpipe utility to set QoS and ToS levels, not only for all traffic targeted at a load balancing pool but also for traffic types that you specify, for example Layer 4, TCP, and UDP traffic.
1. Decide whether you want to set QoS and ToS levels for traffic targeted for an entire pool or for specific types of traffic, or both.
• If you want to set the QoS and ToS levels for an entire pool, access the bigpipe shell and use the pool command with one or more of the following arguments: link qos to client, link qos to server, ip tos to client, and ip tos to server.
• If you want to set the QoS and ToS levels for certain types of traffic, access the bigpipe shell and use the profile command to create or modify a Fast L4, TCP, or UDP profile.
2. Verify that the pool or the profile that you created or modified is assigned to a virtual server. To do this, use the following syntax:
    bp> virtual <virtual server name> list

Setting the idle timeout
... or modify a Fast L4, Fast HTTP, TCP, or UDP profile.
1. Create or modify a Fast L4, Fast HTTP, TCP, or UDP profile, by accessing the bigpipe shell and using the profile command.
2. Specify the idle timeout argument to set a timeout value.
3. Verify that the profile you created or modified is assigned to a virtual server.

Implementing rate shaping
... to a virtual server or packet filter rule.
1. Access the bigpipe shell.
2. Create one or more rate classes, using the rate class command.
3. Assign the rate classes to a virtual server or a packet filter rule, using either the virtual command or the packet filter command.

Implementing iRules
The iRules feature is powerful and flexible, and notably extends the capabilities of the BIG-IP system. An iRule can reference any object, regardless of which partition the referenced object resides in. For example, an iRule that belongs to partition A can contain a statement that specifies a pool in partition B.
1. Access the bigpipe shell.
2. Create an iRule using the rule command. You must include the name of the Tcl script and the script itself as arguments for the command.
3. Assign the iRule to a virtual server, using the virtual command in one of the following ways:
• To associate multiple iRules with a virtual server, use this syntax:
    bp> virtual <virtual_server_name> rule <iRule1_name> \
        <iRule2_name> ...
• To remove the assignment of an iRule from a virtual server, use this syntax:
    bp> virtual <virtual_server_name> rule none
• To remove the iRule assignments from multiple virtual servers, use the following syntax. Note that you can remove the iRule assignments only from virtual servers that reside in the current Write partition or in partition Common.
    bp> virtual all rule none
• To associate an existing iRule with multiple virtual servers, use the following syntax. Note that you can associate an iRule only with virtual servers that reside in the current Write partition or in partition Common.
    bp> virtual all rule <iRule_name>
Important: In this case, the iRule becomes the only iRule that is associated with each virtual server in the current Write partition. Because this command overwrites all previous iRule assignments, we do not recommend use of this command.
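The file list earlier in this manual describes /etc/hosts.allow and /etc/hosts.deny as the lists of workstations that are, and are not, allowed to make administrative shell connections. The following added example (not part of the original manual) evaluates the two files together for sshd, assuming standard TCP wrappers (hosts_access) syntax and decision order; the file contents, the probe address and all function names are constructed for illustration.

```python
"""Added example: who can reach sshd under /etc/hosts.allow and /etc/hosts.deny.

Assumes standard TCP wrappers (hosts_access) syntax and decision order, IPv4 only.
Hostnames, LOCAL, EXCEPT and shell options are not handled in this sketch.
All file contents below are constructed samples.
"""
import ipaddress

ALLOW_RESTRICTED = """\
# constructed sample: admin workstations only
sshd : 192.168.10. 10.1.1.5 10.2.0.0/255.255.0.0
"""
ALLOW_OPEN = "sshd : ALL\n"      # constructed sample: every client matches
DENY_ALL = "ALL : ALL\n"         # constructed sample: catch-all deny
DENY_EMPTY = ""                  # constructed sample: no deny rules at all
PROBE = "203.0.113.9"            # documentation-range address listed nowhere


def parse_rules(text):
    """Return [(daemons, clients)] for each 'daemon_list : client_list' line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern against a dotted-quad IPv4 address."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input early
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "192.168.10." is a prefix match
        return ip.startswith(pattern)
    if "/" in pattern:                        # "net/mask" form
        try:
            return addr in ipaddress.IPv4Network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == ip


def rules_match(rules, daemon, ip):
    """True if any rule names the daemon (or ALL) and one of its clients matches."""
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(p, ip) for p in clients)
        for daemons, clients in rules
    )


def is_allowed(daemon, ip, allow_text, deny_text):
    """Allow match grants; otherwise a deny match refuses; otherwise access is granted."""
    if rules_match(parse_rules(allow_text), daemon, ip):
        return True
    if rules_match(parse_rules(deny_text), daemon, ip):
        return False
    return True


def audit(daemon, allow_text, deny_text, probe=PROBE):
    """Return finding codes for a configuration that leaves `daemon` open."""
    findings = []
    for daemons, clients in parse_rules(allow_text):
        if (daemon in daemons or "ALL" in daemons) and "ALL" in clients:
            findings.append("allow-all-clients")
    if is_allowed(daemon, probe, allow_text, deny_text):
        findings.append("unlisted-client-admitted")
    return findings


if __name__ == "__main__":
    for name, allow, deny in [
        ("restricted + deny all", ALLOW_RESTRICTED, DENY_ALL),
        ("restricted, empty deny", ALLOW_RESTRICTED, DENY_EMPTY),
        ("open allow + deny all", ALLOW_OPEN, DENY_ALL),
    ]:
        print(f"{name}: {audit('sshd', allow, deny) or 'no findings'}")
```

The second case is the one to look for on a device: entries in hosts.allow restrict nothing unless hosts.deny also refuses the clients that are not listed.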

F5 LTM Configuration Parameter Reference


Local Traffic

virtual servers

Standard
  Description: The basic VS type.
  General Properties: Name; Type (Host or Network); Address; Mask; Service port; State
  configuration: Type (standard); Protocol (tcp); Protocol profile (client); Protocol profile (server); Oneconnect profile; HTTP profile; FTP profile; SSL Profile (Client); SSL Profile (Server); Authentication Profiles; Stream Profile; Statistics Profile; VLAN Traffic; Connection Limit; Connection Mirroring; Address Translation; Port Translation; SNAT pool; Clone Pool (Client); Clone Pool (Server); Last Hop Pool
  Type (standard); Protocol (udp); Protocol profile (Client); Protocol profile (server); Statistics profile; VLAN Traffic; Connection Limit; Connection Mirroring; Address Translation; Port Translation; SNAT pool; Clone Pool (Client); Clone Pool (Server); Last Hop Pool
Forwarding layer2
  Description: This VS type can be applied to layer 2 addresses ...
  Type (forwarding layer2); Protocol; Protocol profile (Client); Statistics Profile; VLAN Traffic; Connection Limit; Connection Mirroring; SNAT pool; Clone Pool (Client); Clone Pool (Server); Last Hop Pool
Forwarding IP
  Description: This VS type is used for directly forwarding IP data ...
  Type (forwarding IP); Protocol; Protocol profile (Client); Statistics Profile; VLAN Traffic; Connection Limit; Connection Mirroring; SNAT pool; Clone Pool (Client); Clone Pool (Server); Last Hop Pool
Performance HTTP
  Description: This VS type is combined with the Fast HTTP profi...
  Type (performance HTTP); Protocol; Protocol profile (Client); Statistics Profile; VLAN Traffic; Connection Limit; Connection Mirroring; Clone Pool (Client); Clone Pool (Server); Last Hop Pool
Performance layer4
  Description: This VS type is combined with the Fast L4 profile ...
  Type (performance layer4); Protocol; Protocol profile (Client); Statistics profile; VLAN Traffic; Connection Limit; Connection Mirroring; Address Translation; Port Translation; SNAT pool; Clone Pool (Client); Clone Pool (Server); Last Hop Pool
Performance reject
  Description: This VS type rejects all traffic to this VS ...
  Type (performance reject); Protocol; Statistics Profile; VLAN Traffic

Profiles

Service-http
  General Properties: Name; Parent Profile
  Setting: Fallback Host; Header Insert; Header Erase; Response Chunking; OneConnect Transformations; Redirect Rewrite; Maximum Header Size; Pipelining; Insert XForwarded For; LWS Maximum Columns; LWS Separator; Maximum Requests
  Compression: Compression; URI Compression; URI List; Content Compression; Content List; Preferred Method; Minimum Content Length; Compression Buffer Size; gzip Compression Level; gzip Memory Level; gzip Window Size; Vary Header; HTTP/1.0 Requests; Keep Accept Encoding; CPU Saver; CPU Saver High Threshold; CPU Saver Low Threshold
service-ftp
  General Properties: Name; Parent Profile
  settings: Translate Extended; Data Port
persist-cookie
  General Properties: Name; Persistence type-cookie; Parent Profile
  configuration:
    cookie method-http cookie insert: cookie name; Expiration: Session Cookie
    cookie method-cookie hash: cookie name; Hash offset; Hash Length; Timeout; Mirror Persistence; Match Across Services; Match Across Virtual Serve; Match Across Pools
    cookie method-http cookie passive: Cookie Name
    cookie method-http cookie rewrite: Cookie Name; Expiration: Session Cookie
persist-destination address
  General Properties: Name; Persistence type-destinati; Parent Profile
  configuration: Mirror Persistence; Match Across Services; Match Across Virtual Serve; Match Across Pools; Mask; Timeout
persist-hash
  General Properties: Name; Persistence type-hash; Parent Profile
  configuration: Mirror Persistence; Match Across Services; Match Across Virtual Serve; Match Across Pools; iRule; Timeout
persist-microsoft remote de
  General Properties: Name; Persistence type-microsoft; Parent Profile
  configuration: Mirror Persistence; Match Across Services; Match Across Virtual Serve; Match Across Pools; Timeout; Has Session Directory
persist-sip
  General Properties: Name; Persistence type-sip; Parent Profile
  configuration: Mirror Persistence; Match Across Services; Match Across Virtual Serve; Match Across Pools; Timeout
persist-source_addr
  General Properties: Name; Persistence type-source_ad; Parent Profile
  configuration: Mirror Persistence; Match Across Services; Match Across Virtual Serve; Match Across Pools; Timeout; Mask; proxy mapping
persist-ssl
  General Properties: Name; Persistence type-ssl; Parent Profile
  configuration: Mirror Persistence; Match Across Services; Match Across Virtual Serve; Match Across Pools; Timeout
persist-universal
  General Properties: Name; Persistence type-universal; Parent Profile
  configuration: Mirror Persistence; Match Across Services; Match Across Virtual Serve; Match Across Pools; iRule; Timeout

  Name; Parent Profile
  settings: Reset on Timeout; Reassemble IP Fragments; Idle Timeout; TCP Handshake Timeout; Maximum Segment Size Overr; PVA Acceleration; IP ToS to Client; IP ToS to Server; Link QoS to Client; Link QoS to Server; TCP Timestamp Mode; TCP Window Scale Mode; Generate Internal Sequence; Strip Sack OK; RTT from Client; RTT from Server; Loose Initiation; Loose Close; TCP Close Timeout
protocol-fasthttp
  General Properties: Name; Parent Profile
  Settings: Reset on Timeout; Idle Timeout; Maximum Segment Size Overr; Client Close Timeout; Server Close Timeout; Unclean Shutdown; Force HTTP 1.0 Response
  OneConnect: Maximum Pool Size; Minimum Pool Size; Ramp-Up Increment; Maximum Reuse; Idle Timeout Override; Replenish
  HTTP: Parse Requests; Maximum Header Size; Maximum Requests; Insert XForwarded For; Header Insert

  Name; Parent Profile
  Settings: Reset On Timeout; Time Wait Recycle; Proxy Maximum Segment; Proxy Options; Proxy Buffer Low; Proxy Buffer High; Idle Timeout; Time Wait; Fin Wait; Close Wait; Send Buffer; Receive Window; Keep Alive Interval; Maximum Syn Retransmission; Maximum Segment Retransmis; IP ToS; Link QoS; Selective ACKs; Extended Congestion Notifi; Extensions for High Perfor; Limited Transmit Recovery; Slow Start; Deferred Accept; Bandwidth Delay; Nagle's Algorithm; Acknowledge on Push; MD5 Signature; MD5 Signature Passphrase

  General Properties: Name; Parent Profile
  Settings: Idle Timeout; IP ToS; Link QoS; Datagram LB
SSL-clientssl
  General Properties: Name; Parent Profile
  configuration: Certificate; Key; Pass Phrase; Confirm Pass Phrase; Chain; Trusted Certificate Author; Ciphers; Options; ModSSL Methods; Cache Size; Cache Timeout; Alert Timeout; Handshake Timeout; Renegotiate Period; Renegotiate Size; Renegotiate Max Record Del; Unclean Shutdown; Strict Resume; Non-SSL Connections
  Client Authentication: Client Certificate; Frequency; Certificate Chain Traversa; Advertised Certificate Aut; Certificate Revocation Lis
SSL-serverssl
  General Properties: Name; Parent Profile
  configuration: Certificate; Key; Pass Phrase; Confirm Pass Phrase; Chain; Trusted Certificate Author; Ciphers; Options; ModSSL Methods; Cache Size; Cache Timeout; Alert Timeout; Handshake Timeout; Renegotiate Period; Renegotiate Size; Unclean Shutdown; Strict Resume
  Server Authentication: Server Certificate; Frequency; Certificate Chain Traversa; Authenticate Name; Certificate Revocation Lis
Authentication-profiles
  General Properties: Name; Type; Parent Profile
  Configuration: Mode; Configuration; Rule; Idle Timeout
Authentication-configuratio
  General Properties: Name; Type
  Configuration: Hosts
  Search Type-user: User Base DN; User Key; Cache Size; Secure; Admin DN; Admin Password; Confirm Admin Password; Group Base DN; Group Key; Group Member Key; Valid Groups; Role Key; Valid Roles
  Search Type-certificate map: User Base DN; User Key; Certificate Map Base DN; Certificate Map Key; Use Serial Certificate Map; Cache Size; Cache Timeout; Secure; Admin DN; Admin Password; Confirm Admin Password; Group Base DN; Group Key; Group Member Key; Valid Groups; Role Key; Valid Roles
  Search Type-certificate: User Base DN; User Key; Object Class; Cache Size; Cache Timeout; Secure; Admin DN; Admin Password; Confirm Admin Password; Group Base DN; Group Key; Group Member Key; Valid Groups; Role Key; Valid Roles
Other-oneconnect
  General Properties: Name; Parent Profile
  Settings: Source Mask; Maximum Size; Maximum Age; Maximum Reuse; Idle Timeout Override
Other-statistics
  General Properties: Name; Parent Profile
  Settings: Field 1; Field 2; Field 3 …; Field 32
Other-stream
  General Properties: Name; Parent Profile
  Settings: Source; Target

iRule
  Properties: Name; Definition

Pool
  Configuration: Name; Health Monitors; Availability Requirement; Allow SNAT; Allow NAT; Action On Service Down; Slow Ramp Time; IP ToS to Client; IP ToS to Server; Link QoS to Client; Link QoS to Server
  Resources: Load Balancing Method; Priority Group Activation; New Members-address; New Members-service port

Node
  General Properties: Address; Name
  Configuration: Health Monitors; Select Monitors; Availability Requirement; Ratio; Connection Limit

Monitor

Gateway ICMP
  Description: Uses ICMP (ping) to check node status
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Transparent; Alias Address; Alias Service Port
ICMP
  Description: Uses ICMP (ping) to check node status
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Transparent; Alias Address
TCP_echo
  Description: Uses the TCP three-way handshake for health check...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Transparent; Alias Address
HTTP
  Description: Verifies the health of the HTTP service, mainly by ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Send String; Receive String; User Name; Password; Reverse; Transparent; Alias Address; Alias Service Port
HTTPs
  Description: Verifies the health of the HTTPs service, mainly ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Send String; Receive String; Cipher List; User Name; Password; Compatibility; Client Certificate; Reverse; Alias Address; Alias Service Port
FTP
  Description: Verifies the health of the FTP service, by do...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; User Name; Password; Path / Filename; Mode; Alias Address; Alias Service Port; Debug
TCP
  Description: Uses the TCP three-way handshake for health check...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Send String; Receive String; Reverse; Transparent; Alias Address; Alias Service Port
TCP Half Open
  Description: Uses the TCP three-way handshake for health check...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Alias Address; Alias Service Port
UDP
  Description: Uses UDP for health checking, sending ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Send String; Send Packets; Timeout Packets; Alias Address; Alias Service Port
External
  Description: Uses an external-type monitor to create ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; External Program; Arguments; Variables; Alias Address; Alias Service Port
POP3
  Description: Uses this monitor type for POP3 mail ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; User Name; Password; Alias Address; Alias Service Port; Debug
SMTP
  Description: Uses this monitor type for SMTP mail ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Domain; Alias Address; Alias Service Port; Debug
MSSQL
  Description: Uses this monitor type for Microsoft SQL ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Send String; Receive String; User Name; Password; Database; Receive Row; Receive Column; Count; Alias Address; Alias Service Port
Oracle
  Description: Uses this monitor type for Oracle ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Send String; Receive String; User Name; Password; Database; Receive Row; Receive Column; Count; Alias Address; Alias Service Port; Debug; Debug
IMAP
  Description: Health-checks IMAP traffic; when ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; User Name; Password; Folder; Alias Address; Alias Service Port; Debug
LDAP
  Description: Uses this monitor type for LDAP ser...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; User Name; Password; Base; Filter; Security; Mandatory Attributes; Alias Address; Alias Service Port; Debug
NNTP
  Description: Uses this monitor type for network news ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; User Name; Password; Newsgroup; Alias Address; Alias Service Port
RADIUS
  Description: Uses this monitor type for RADIUS ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; User Name; Password; Secret; NAS IP Address; Alias Address; Alias Service Port; Debug
Real Server
  Description: Uses this monitor type for pool\poo...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Method; Command; Metrics; Agent; Alias Address; Alias Service Port
Scripted
  Description: Uses this monitor type to create simple ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; File Name; Alias Address; Alias Service Port; Debug
SIP
  Description: Uses this monitor type for SIP call I...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Mode; Additional Accepted Status; Alias Address; Alias Service Port; Debug
SNMP DCA
  Description: Uses this monitor type for ... running SNMP ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Community; Version; Agent Type; CPU Coefficient; CPU Threshold; Memory Coefficient; Memory Threshold; Disk Coefficient; Disk Threshold; Variables; Alias Address; Alias Service Port
SNMP DCA Base
  Description: Uses this monitor type for ... running SNMP ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Community; Version; Variables; Alias Address; Alias Service Port
SOAP
  Description: Uses this monitor type to test SO...-based ...
  General Properties: Name; Import Settings
  Configuration: Interval; Timeout; User Name; Password; Protocol; URL Path; Namespace; Method; Parameter Name; Parameter Type; Parameter Value; Return Type; Return Value; Expect Fault; Alias Address; Alias Service Port
WAP
  Description: Uses this monitor type to monitor the WAP service ...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; Send String; Receive String; Secret; Accounting Node; Accounting Port; Server ID; Call ID; Session ID; Framed Address; Alias Address; Alias Service Port; Debug
WMI
  Description: Uses this monitor type to check ... running WM...
  General Properties: Name; Type; Import Settings
  Configuration: Interval; Timeout; User Name; Password; URL; Command; Metrics; Agent; Post; Alias Address; Alias Service Port

SNATs

SNAT List
  General Properties: Name
  Configuration: Translation; Origin; Address list-address; Address list-mask; VLAN Traffic
SNAT Pool List
  General Properties: Name
  Configuration: member list-address
SNAT Translation List
  General Properties: IP Address; State
  Configuration: ARP; Connection Limit; TCP Idle Timeout; UDP Idle Timeout; IP Idle Timeout
NAT List
  General Properties: NAT Address; Origin Address; State
  Configuration: ARP; VLAN Traffic

Network

Interface
  interface list: Interface; status; name; MAC Address; Media Speed; VLAN Count; Trunk
  interface mirroring
    Configuration: Interface Mirroring State; Destination Interface; Mirrored Interfaces
Route
  Properties: type; Destination; Netmask; Resource
Self IPs
  Configuration: IP Address; Netmask; VLAN; Port Lockdown; Floating IP; Unit ID
Packet Filters
  General Properties: Packet Filtering; Unhandled Packet Action; Options-Filter established; Options-Send ICMP error on
  Exemptions: Protocols-Always accept AR; Protocols-Always accept im; MAC Addresses; IP Addresses; VLANs
  Rule
    Configuration: Name; Order; Action; Apply to VLAN; Logging
    Filter Expression: Filter Expression Method; Protocols; Source Hosts and Networks; Destination Hosts and Netw; Destination Port
Spanning Tree
  Properties: mod; Hello time; Maximum Age; Forward Delay; Transmit Hold Count
Trunks
  Configuration: Name; Interface; LACP; Link Selection Policy
VLAN
  VLAN List
    General Properties: Name; Tag
    Resources: Interface-untagged; Interface-tagged
    Configuration: Source Check; MTU; MAC Masquerade; Fail-safe; Fail-safe Timeout; Action
ARP
  Static List
    Configuration: IP Address; MAC Address
  Options
    Properties: Dynamic Timeout; Maximum Dynamic Entries; Request Retries; Reciprocal Update

System

General Properties
  Device-General Properties: Host Name; Version; CPU Count; Active CPUs; CPU Mode; Network Boot; Quiet Boot; Display LCD System Menu; Memory Restart Percent
  Device-NTP Properties: Address
  Device-DNS Properties: DNS Lookup Server List-add; BIND Forwarder Server List
  Local Traffic-General Properties: Auto Last Hop; Maintenance Mode; VLAN-Keyed Connections; Path MTU Discovery; Reject Unmatched Packets; Maximum Node Idle Time; Reaper High-water Mark; Reaper Low-water Mark; SYN Check Activation Thres; Layer2 Cache Aging Time; Share Single MAC Address; SNAT Packet Forwarding
  Local Traffic-Persistence Properties: Management of Destination; Maximum Entries; Proxy Address Data Group
Device Certificates
  Device Certificate
    General Properties: Name; Certificate Subject(s)
    Certificate Properties: Expires; Version; Serial Number; Subject; Issuer
  Device Key
    Key Properties: Key Type; Size
  Trusted Device Certificates
    General Properties: Name; Certificate Subject(s)
    Certificate Properties: Expires; Version; Serial Number; Subject; Issuer
Licence
  General Properties: License Type; Licensed Date; Active Modules; Optional Modules; Inactive Modules
Platform
  General Properties: Management Port-IP Address; Management Port-Network Ma; Management Port-Management; Host Name; Host IP Address; High Availability; Unit ID; Time Zone
  User Administration: Root Account-Password; Root Account-Confirm; Admin Account-Password; Admin Account-Confirm; Support Account; SSH Access; SSH IP Allow
High Availability
  Redundancy
    General Properties: Primary Failover Address-S; Primary Failover Address-P; Secondary Failover Address; Secondary Failover Address; Redundancy Mode; Current Redundancy State; Redundancy State Preferenc; Unit ID; Network Failover; Link Down Time on Failover
  ConfigSync
    Configuration: ConfigSync Peer; ConfigSync User; Encryption; Detect ConfigSync Status; Status Message; Last Change(Self); Last Change(Peer); Last ConfigSync; Synchronize
  Fail-safe_system
    System Trigger Properties: Switch Board Failure
    System Services: BIGD; TMM; MCPD; SOD; BCM56XXD; NAMED
  Fail-safe_Gateway
    Configuration: Gateway Pool Name; Unit ID; Threshold; Action
  Fail-safe_VLAN
    Configuration: VLAN; Timeout; Action
Archives
  General Properties: File Name; Encryption; Private Keys; Version
Service
  System Services List: big3d; named; ntpd; postfix; radvd; snmpd; sshd
Preferences
  System Settings: Records Per Screen; Start Screen; Advanced by Default; Display Host Names When Po; Statistics Format; Screen Refresh Interval; Archive Encryption
SNMP
  Agent-configuration
    Global Setup: Contact Information; Machine Location
    SNMP Access: Client Allow List-type; Client Allow List-address; Client Allow List-mask
  Agent-Access(v1,v2)
    Record Properties: Type; Community; Source; OID; Access
  Agent-Access(v3)
    Record Properties: User Name; Authentication-type; Authentication-Password; Authentication-Confirm; Privacy-Protocol; Privacy-Password; Privacy-Confirm; Privacy-Use Authentication; OID; Access
  Traps-configuration
    Configuration: Agent Start / Stop; Agent Authentication; Device
  Traps-Destination
    Record Properties: Version; Community; Destination; Port
Logs
  System Event; Packet Filter Event; Local Traffic Event; Audit Event
  Options
    Local Traffic Logging: ARP/NDP; BigDB; HTTP; HTTP Compression; IP; Layer 4; MCP; Network; Packet Velocity® ASIC; iRules; SSL; Traffic Management OS
    Audit Logging: Audit
Users
  users-list
    Account Properties: User Name; Authentication-Password; Authentication-Confirm; Web User Role; Console
  Authentication
    Authentication Source: User Directory
    Password Policy: Secure Password Enforcemen; Minimum Length; Required Characters-Numeri; Required Characters-Upperc; Required Characters-Lowerc; Required Characters-Other; Password Memory; Minimum Duration; Maximum Duration; Expiration Warning
Supports
  Support Snapshot: Qkview
  TCP Dump
    TCP Dump Configuration: VLAN; Packets; Options; Timeout
Console

Description
Sets the unique name of the VS.

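F5 BigIP V9/V10 System Installation and Upgrade Manual

F5 BigIP V9/V10 System Install SOP
HangZhou DigitalChina
ShenKan
2009-8-21

Contents
Preface
I. Pre-installation preparation
  1. Equipment and tools
  2. Cable connections and serial port presets
    2.1 Cable connections
    2.2 Workstation COM port settings
  3. Preparing the installation image and patch files
II. V9 system installation
  1. Start VMware
  2. Configure VMware
  3. Boot the ISO image
  4. BIGIP installation process
III. V10 system installation
  1. Upload the installation file
  2. Log in to the command line to install
    2.1 Install the device
    2.2 image2disk installation
    2.3 Parameter description
  3. Web page installation
  4. USB drive or optical drive installation
IV. Patch installation
  1. V9 patch installation
  2. V10 patch installation
V. License activation
  1. Generate the dossier file
  2. Log in to the official F5 activation page and obtain the activation code
  3. Activate the device

Preface

Everyone was already familiar with the virtual-machine installation method for F5 V9, but with the upgrade of the LTM platform, V10 has completely abandoned installation through a virtual machine, and the partition format has changed as well. To help everyone become more familiar with V10 installation, I have written this document. I am also feeling my way forward, so mistakes are unavoidable. I hope the experts will offer their valuable comments during actual installations.

Note: F5's older platforms (1500/3400…) can be upgraded to the latest V10 version, but the new platforms (1600/3600…) support V9.4.6 at minimum. Therefore, for this document, installing V9.3.1 or earlier has to be tried on an old platform. For HA experiments, the current latest version, V9.4.7, is recommended.

Enough talk, let's get started….

I. Pre-installation preparation

1. Equipment and tools

1.1 One BigIP 1500 and one BigIP 1600; if V9.3.1 is not needed, two 1600s can be used.

1.2 One workstation with the following pre-installed: a Telnet management tool such as SecureCRT; an SSH tool such as F-Secure SSH Client; VMware Workstation (preferably a higher version, e.g. 4.5.2).

1.3 Various cables: network cable (RJ45), console cable, and so on.

1.4 Internet access: for applying for a license or other online needs.

2. Cable connections and serial port presets

2.1 Cable connections

Connect the console cable to the BigIP console port and the workstation COM port, and connect the network cable to the BigIP management port (MGMT) and the workstation network card.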

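F5 BIG-IP Configuration Guide

F5 BIG-IP Load Balancer Configuration Guide

Contents
I. ISMG network structure and IP address planning
II. Configuring the BIGIP3400 load balancing device
  2.1 Set the load balancer management port address
  2.2 Log in to the BIGIP web management interface
  2.3 Activate the license
  2.4 Initial settings
    2.4.1 Platform general properties settings on BIG-IP 1
    2.4.2 Change the system time
    2.4.4 Restart bigip
  2.5 Configure the network layer
    2.5.1 Define VLANs
    2.5.2 Define IP addresses
    2.5.3 Configure routes
  2.6 Configure High Availability
    2.6.1 Configure the Redundant Pair IP addresses
    2.6.2 Configure the automatic failover mechanism (FailSafe)
  2.7 Configure server load balancing
    2.7.1 Configure Monitor
    2.7.2 Configure Profile
    2.7.3 Configure the load balancing Pool
    2.7.5 Create a Virtual Server to load balance the servers
    2.7.5 Configure SNAT
  2.8 Synchronize the configuration between the two BIGIPs
  2.9 Back up the configuration
III. System status checks and maintenance
  3.1 Check system log information
  3.2 Check Node status
  3.3 View traffic information
  3.4 View current system performance parameters
  3.5 Change passwords
  3.6 Add an administrator account with "read-only" privileges
  3.7 How to look up the device serial number
  3.8 How to collect information for others to use in troubleshooting
  3.8 What to do when TCPDUMP cannot capture packets for a Virtual Server?

I. Network structure and IP address planning

The network topology is shown in the figure below: (omitted)

The related IP address plan is as follows:

Note: the IP address plan above is the test-environment IP address configuration and must be modified according to the IP address plan of the production network.

Note: the interface connection table below has not yet been updated and needs to be updated by the on-site engineer.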

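F5 BIGIP Configuration Document

BIGIP Standard Configuration Document

Contents
1. Connecting to BIGIP
  1.1 Console method
  1.2 Network connection methods
    1.2.1 Web-based
    1.2.2 SSH-based
2. Network configuration
  2.1 Network configuration steps and workflow
    2.1.1 L2 VLAN configuration
    2.1.2 L3 self IP configuration
  2.2 Network configuration for directly connected servers
    2.2.1 Network connection topology
    2.2.2 VLAN layout
    2.2.3 IP address layout
  2.3 Network configuration for non-directly connected servers
    2.3.1 Network topology
    2.3.2 VLAN layout
    2.3.3 IP address layout
  2.4 Network configuration for transparent mode
    2.4.1 Network topology
    2.4.2 VLAN layout
    2.4.3 IP address layout
  2.5 Adding static routes
3. Load balancing configuration
  3.2 Pool configuration
  3.3 Virtual Server configuration
  3.4 Session persistence configuration
    3.4.1 The concept of session persistence
    3.4.2 Simple persistence
    3.4.3 Cookie persistence
  3.5 iRules configuration
  3.6 Monitor configuration
    3.6.1 Adding a Monitor
    3.6.2 Node Address Monitor configuration
    3.6.3 Node Association Monitor configuration
    3.6.4 Verifying a Monitor
4. SNAT configuration
  4.1 The concept of SNAT
  4.2 NAT configuration
  4.3 SNAT configuration
    4.3.1 SNAT IP configuration
    4.3.2 SNAT AutoMap configuration
5. Redundant configuration
6. System maintenance configuration
  6.1 SNMP configuration
  6.2 Syslog configuration
  6.3 NTP configuration
  6.4 User management
7. Explanation of common BIGIP command-line commands
  7.1 System configuration commands
  7.2 System maintenance commands

1. Connecting to BIGIP

1.1 Console method

Preparation for configuring BIG-IP from a console terminal:
- One PC running Windows (with HyperTerminal installed)
- One console cable supplied with the BIGIP device

Use HyperTerminal to create a connection, with one end of the console cable connected to the BIGIP and the other to the COM port. The COM parameters are set as shown in the figure:

1.2 Network connection methods

1.2.1 Web-based

Enter https://(BIGIP device IP address) in the browser's address bar, as shown below:

After pressing Enter, the following screen appears:

This dialog is the certificate prompt for the communication between the browser and the BIGIP; click "Yes" to continue.

Enter the user name and password and click OK to continue.

Click Configure your BIGIP Using Configuration Utility to enter the main BIGIP configuration interface.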

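F5 Load Balancing BigIP Configuration Manual

External-network F5 configuration steps:

I. Log in to the F5 BIG-IP management interface:

1. First use:
① Power on the F5 BIG-IP, connect the F5 BIG-IP's 3.1 management port to the laptop's network port with a network cable (straight-through or crossover both work), and configure the laptop's IP address as "192.168.1.*" with subnet mask "255.255.255.0".
② Use a browser to access the F5 BIG-IP factory-default management IP address, https://192.168.1.245 or https://192.168.245.245
③ Enter the factory-default user name: admin, password: admin
④ Click Activate to enter the F5 BIG-IP license request and activation page, and activate the license.
⑤ Change the default management password.

2. Subsequent logins: log in through the F5 BIG-IP's own external IP.
① Assuming the F5's own external IP is set to 61.1.1.2, you can log in via https://61.1.1.2/.
② You can also log in via SSH; the user name is root and the password is the same as the web management password.

II. Create two VLANs, internal and external, representing the internal and external networks respectively.

1. Create VLAN: internal (internal network)
On the "Network→VLANs" page, click the "create" button:
① Name field: internal (enter an English name)
② Tag field: 4093 (enter a number)
③ Interfaces field: move "1.1" from the Available column to the Untagged column. 1.1 denotes the first network interface of the F5 BIG-IP.

2. Create VLAN: external (external network)
On the "Network→VLANs" page, click the "create" button to create the VLAN:
① Name field: external (enter an English name)
② Tag field: 4094 (enter a number)
③ Interfaces field: move "1.2" from the Available column to the Untagged column. 1.2 denotes the second network interface of the F5 BIG-IP.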

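Load Balancing Devices: A Look at the F5 BIG-IP LTM We Are Using

2014-05-29 06:19:30
Tags: Internet, nginx, F5, load balancer

Original work. Reprinting is permitted, but when reprinting you must indicate the article's original source, the author information and this statement with a hyperlink. Otherwise legal liability will be pursued.

/3984207/1418920

To deal with the problem of managing clustered servers, Internet companies with a certain scale of servers basically use F5 load balancing devices as the entry point for traffic management, for example Sohu, Sina and Kingsoft. At present our test environment uses F5 BIG-IP LTM and our production environment uses F5 viprion.

F5 BIG-IP LTM (Local Traffic Manager) can perform layer 4-7 load balancing. The layer-4 load balancing function is handled by F5's dedicated hardware module, and the layer-7 load balancing function is implemented in software.

F5 load balancers provide features such as load balancing, application switching, session switching, health monitoring, intelligent network address translation, universal persistence, response error handling, IPv6 gateway, advanced routing, intelligent port mirroring, SSL acceleration, intelligent HTTP compression, TCP optimization, layer-7 rate shaping, content buffering, content transformation, connection acceleration, caching, cookie encryption, selective content encryption, application attack filtering, denial-of-service (DoS) attack and SYN flood protection, firewall (packet filtering), and packet sanitization.

We have recently been switching the F5 load balancer from layer-7 routing to layer-4 routing, moving the URL iRules on the F5 down to the nginx cluster behind the F5, so as to substantially reduce the load on the F5 load balancer and make full use of its strengths.

Because layer-7 iRules are functionality emulated by software on the F5 hardware device, they are less efficient than the hardware-implemented layer-4 load balancing. As traffic grows, layer-7 rules increase the CPU load on the F5 device; in particular, using regular-expression rules in iRules makes the F5's performance cost worse.

From day-to-day administration we can summarize a structure diagram of how the F5 handles requests: when a user visits the site, the DNS server first resolves its name, according to the resolution records of the name server we configured ourselves, to the corresponding public IP address, for example 180.153.132.49 on the China Telecom line. The user sends an access request to 180.153.132.49; the request is routed through the network and reaches the F5 device.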

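Power: number of standard built-in AC power supplies; power consumption per AC power supply; redundant AC power supply; DC power option
Processor, memory, storage media: processor type; number of processors; CMP support
Memory; Compact Flash; hard disk
Physical ports: Total Number of Ports for Use; Included 10/100/1000 Mbps Ports; Included 1 Gbps Fiber Ports; Optional 1 Gbps Fiber Ports; Optional 10 Gbps Ports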
8 GB 8 GB 160 GB
88
22
32
8
16
4
32
8
8
2
40 Gbps 32M
368 Gbps 1M cps
355K cps 1.36M rps 3.2M rps
36 Gps
10 Gbps 8M
92 Gbps 250K cps
97K cps 340K rps 800K rps 10 Gbps
BIG-IP 8900 LTM
2 Gbps 4M
24 Gbps 115K cps
15K cps 65K rps 135K rps 2 Gbps
1 Gbps 4M
14 Gbps 60K cps
10K cps 40K rps 100K rps 1 Gbps
1 Gbps 4M
14 Gbps 60K cps
10K cps 40K rps 100K rps 1 Gbps
2 Gbps 4M
24 Gbps 115K cps
15K cps 65K rps 135K rps 2 Gbps
1 Gbps 4M
14 Gbps 60K cps
10K cps 40K rps 100K rps 1 Gbps
SSL Acceleration: standard built-in SSL processing capacity (TPS); maximum SSL processing capacity (TPS); maximum concurrent SSL connections; Max. SSL Bulk Crypto
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l
l


l
l
l
l
l
l
l
l
LC BIG-IP 1600 LC
C102 Fixed None
1U l —
1 300 W

Core 2 Duo 1 x dualcore
— 4 GB
— 160 GB
6 4 — 2 —
ASM
BIG-IP
BIG-IP
8900 ASM 3600 ASM
WA BIG-IP 3600 WA
D106 Fixed None
2U l —
C103 Fixed None
1U l —
C103 Fixed None
1U l —
2 850 W
l Planned
1 300 W

1 300 W
1 Gbps
N/A
l
l
l
l
l
l

5 Gbps
50 Mbps
1 Gbps
50 Mbps
50 Mbps
50 Mbps
N/A
N/A
N/A
1 Gbps
1 Gbps
1 Gbps
1 Gbps
N/A
l
l




N/A
5 Gbps
5 Gbps
N/A
N/A
N/A
N/A
N/A
v10.0.x TMOS
l
l l
v10.0.x TMOS
BIG-IP 3600
BIG-IP
BIG-IP
3600 LTM 3600 LTM
Enterprise
BIG-IP 1600
BIG-IP
BIG-IP
1600 LTM 1600 LTM
Enterprise
GTM
BIG-IP
BIG-IP
3600 GTM 1600 GTM
C103 Fixed None
1U l —
C103 Fixed None
1U l —
C102 Fixed None
1U l —
C102 Fixed None
1U l —
C103 Fixed None
1U l —
C102 Fixed None
1U l —
1 300 W

1 300 W

1 300 W

1 300 W
LTM standard features: layer-4 load balancing; layer-7 application switching






l
l
l
l
Connection multiplexing (OneConnect, Switching and Pooling)
l
l
l
l
l
l
l

l
l
l
l
l
l
l
l
l
l
l

l
l
l
l
l
l
l
l
l
l
l

l
l
l
l
l
l
l
l


l
l


l



l
l
l
l
l
l


l
l
l
l
TCP EXPRESS (TCP connection optimization)
l
l
8 GB 8 GB 2 x 320 GB
8 GB 8 GB 2 x 320 GB
24
24
16
16
4
4
4
4


6 Gbps 8M
68 Gbps 220K cps
70k cps 250K rps 600K rps 6 Gbps
6 Gbps 8M
68 Gbps 220K cps
70k cps 250K rps 600K rps 6 Gbps
Performance: Best Case Throughput; maximum concurrent connections (Max. Concurrent Connections); switching backplane (L2/L3 Switch Backplane); layer-4 new connections per second (L4 Connections per Second)
L7 Connections per Sec (1-1) L7 Requests per Sec (1-inf) L7 Requests per Sec (inf-inf) 7层吞吐率 (L7 Throughput)
l
l
tbd

4 GB 8 GB 160 GB
4 GB 8 GB 160 GB
4 GB —
160 GB
4 GB —
160 GB
4 GB 8 GB 160 GB
4 GB —
160 GB
10
10
8
8


2
2


6
6
10
6
4
4
8
4




2
2
2
2




2 Gbps 4M
24 Gbps 115K cps
15K cps 65K rps 135K rps 2 Gbps
BIG-IP
BIG-IP
8900 LTM 8900 LTM
Enterprise
D106 Fixed None
2U l —
D106 Fixed None
2U l —
2 850 W
l —
2 850 W
l —
Opteron
Opteron
2 x quadcore 2 x quadcore
l
l
16 GB 8 GB 2x 320 GB

Advanced client authentication module (Adv. Client Authentication Module)

l 400 tps 50000 tps
2M 9 Gbps
— 4.5 Gbps — —
v10.0.x TMOS
l l l
— — — —
— — l —
— — —

l 58000 tps 58000 tps
l
PSM (Protocol Security Module)

Feature Modules
Fast cache module (Fast Cache)

Extended compression capacity module (Compression)

SSL processing capacity expansion

SSL client certificate authorization

via LDAP
Message Security Module

1 300 W

1 300 W

Core 2 Duo Core 2 Duo
1 x dualcore 1 x dualcore
l
l
Core 2 Duo Core 2 Duo Core 2 Duo Core 2 Duo