BIGIP_LTM_iRule2887.pptx
Slide 1: BIG-IP V9.0 iRule
F5 Product training, 20/4/06

Slide 2: Basic Review (3/25/04)

Slide 3: Virtual Server to Pool Members
(diagram) Internet -> Virtual Server 216.34.94.17:80 -> maps to pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80, 172.16.20.4:8080

Slide 4: Profile Dependencies
- Some profiles can't be combined in a VS
- Some are dependent on others
- Think in terms of the OSI model: TCP, HTTP, Cookie, UDP, FTP; L3 Network, L2 Data Link, L1 Physical

Slide 5: Traffic Flow Big Picture
(diagram) Virtual Server, NAT, SNAT; client side and node side; address translated vs. address not translated; forwarding VS, transparent VS

Slide 6: What is Layer 7 Switching?
- Application-data oriented, e.g. HTTP URL, HTTP header
- Delayed binding required
- Extra memory (buffered session)
- Extra processing power (ASIC/CPU)

Slide 7: What is an iRule?
An iRule is a script that you write if you want to make use of some of the extended capabilities of the BIG-IP that are unavailable via the CLI or GUI.
- Based on the Tool Command Language (Tcl) programming standard: http:/
- Plus F5 extensions

Slide 8: Architecture

Slide 9: TM/OS: How is consolidation achieved?
- Packet based (legacy approach): react to a single communication, one direction
- Flow based: react to a real-time, two-way conversation and translate between the parties

Slide 10: TMOS Architecture
(diagram) High-performance networking microkernel with TMOS traffic plugins (SSL, Compression, Caching, TCP Express on the client side and server side, TCP Proxy, OneConnect, XML, Rate Shaping, TrafficShield, Web Accel, 3rd party); powerful application protocol support; iRules (network programming language); iControl API (external monitoring and control); high-performance HW; Application Delivery Network between Client and Server

Slide 11: iRule Basic Elements
- Event declaration
- Operators
- iRules commands

Slide 12: Basic iRule Format
- Event declarations
- Operators
- iRule commands

Slide 13: Event declarations
An event declaration is "when <event type>". An example:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 10.1.1.80] } {
            pool my_pool1
        }
    }

Slide 14: Event types
- Global events
- HTTP events
- SSL events
- Authentication events
- Reference: LTM_config_guide.pdf, pages 302-303, table 13.2

Slide 15: Event types: Global Events
- CLIENT_ACCEPTED
- CLIENT_DATA
- LB_SELECTED (before sending to the server)
- LB_FAILED (no node available for this VS)
- SERVER_CONNECTED
- SERVER_DATA
- RULE_INIT
- CLIENT_CLOSED
- SERVER_CLOSED
No matter which L7 iRules are in use, global events still take effect.

Slide 16: (global event flow diagram; labels only) START, RULE_INIT, CLIENT_ACCEPTED, CLIENT_DATA, LB_SELECTED, LB_FAILED, SERVER_CONNECTED (labelled SERVER_ACCPTED on the slide), SERVER_DATA, CLIENT_CLOSED, SERVER_CLOSED

Slide 17: L7 Event types: HTTP Events
- HTTP_REQUEST
- HTTP_REQUEST_DATA
- HTTP_RESPONSE
- HTTP_RESPONSE_DATA
- HTTP_RESPONSE_CONTINUE

Slide 18: (HTTP event flow diagram; labels only) START, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE (the slide spells the response events HTTP_RESPOND*)

Slide 19: TMOS Architecture: client-side and server-side events
(diagram) Client -> ClientSide | TCP Proxy / iRules | ServerSide -> Server
- Client side events: Client_accept, Client_data, Cache_request, DNS_request, HTTP_REQUEST, HTTP_REQUEST_DATA, RTSP_REQUEST, ...
- Server side events: Server_connect, Server_data, Cache_response, DNS_response, HTTP_RESPONSE, HTTP_RESPONSE_DATA, RTSP_RESPONSE, ...

Slide 20: Operators
- Compare two operands
- Tcl standard operators, e.g. =
- Relational operators, e.g. contains, matches, equals, ends_with
- Logical operators, e.g. and, or, not

Slide 21: iRule commands
- Statement commands: an action is taken, e.g. use pool, SNAT, log
- Query commands: query information or data, e.g. HTTP::header, IP::remote_addr
- Data manipulation commands: perform data manipulation, e.g. HTTP::header remove, HTTP::header add
- Utility commands: parsing and manipulating content, e.g. decode_uri

Slide 22: iRule Events
- Global events (L3/4): Client Accepted (SYN, SYN-ACK, ACK); Server Data (HTML page to client)
- HTTP events (L7): HTTP request or HTTP response
- SSL events: client SSL handshake
- Authentication events: auth failure

Slide 24: iRule Concepts & Syntax
- iRules often select a pool
- Basic syntax: if / then / else

    when EVENT {
        if { conditional_statement } {
            action_when_condition_true
        }
    }

Slide 25: Example 1: Layer 7 content switching

    rule BrowserType {
        when HTTP_REQUEST {
            # Serve images from the cache pool, everything else from the main pool
            if { [HTTP::uri] ends_with "jpg" } {
                pool cache_pool
            } else {
                pool main_pool
            }
        }
    }

    rule BrowserType {
        when HTTP_REQUEST {
            # Select a pool by browser type from the User-Agent request header
            if { [HTTP::header User-Agent] contains "MSIE" } {
                pool IE_pool
            } elseif { [HTTP::header User-Agent] contains "Mozilla" } {
                pool Mz_pool
            }
        }
    }

Slide 26: Example 2: Layer 3 IP decision

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
            pool my_pool
        }
    }

    when HTTP_REQUEST {
        # Comparison operator lost in extraction; ">=" assumed here
        if { [IP::hops] >= 10 } {
            COMPRESS::disable
        }
    }

Slide 27: Example 3: Layer 4 decision

    when CLIENT_ACCEPTED {
        # Comparison operator lost in extraction; ">" assumed here
        if { [TCP::client_port] > 1000 } {
            pool slow_pool
        } else {
            pool fast_pool
        }
    }

    # Limit each client IP to a number of concurrent connections
    when RULE_INIT {
        array set ::active_clients { }
    }

    when CLIENT_ACCEPTED {
        set client_ip [IP::remote_addr]
        if { [info exists ::active_clients($client_ip)] } {
            if { $::active_clients($client_ip) > 5 } {
                reject
                return
            } else {
                incr ::active_clients($client_ip)
            }
        } else {
            set ::active_clients($client_ip) 1
        }
    }

    when CLIENT_CLOSED {
        # $client_ip is kept for the life of the connection, so it is still set here
        if { [info exists ::active_clients($client_ip)] } {
            incr ::active_clients($client_ip) -1
            if { $::active_clients($client_ip) == 0 } {
                unset ::active_clients($client_ip)
            }
        }
    }

Slide 28: Configuring iRules: Create Rule (GUI screenshot)

Slide 29: Configuring iRules
- Create the pools first
- Create the rule next
- Then point the VS to the rule

Slide 30: DevCentral
- Officially supported by marketing
- The community is mostly made up of volunteers, especially those from F5 Product Development
- What about support? What can DevCentral do better?
- Having trouble searching? Check this out: the iRules Wiki

Slide 31: Lab setup
- Connect to WiFi SSID: MaskedRider, WEP: ab12cd34ef, channel: 6
- IP addresses: 192.168.0.1-253/24
- BIG-IP v9: 192.168.0.254, admin logon: admin/f5training
- Training web servers: 192.168.20.1-3

    student no.   ip address (192.168.0.X)   virtual server (192.168.0.X)   snat IP (192.168.20.x)
    1             11                         12                             11
    2             12                         13                             12
    3             13                         14                             13
    4             14                         15                             14
    5             15                         16                             15
    6             16                         17                             16
    7             17                         18                             17
    8             18                         19                             18
    9             19                         20                             19
    10            20                         21                             20
    11            21                         22                             21
    12            22                         23                             22

Slide 32: Lab 1: Basic Setup
(diagram) Internet, clients 192.168.0.x/24, servers 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: set up a basic load-balancing configuration
- Step 1: create a pool including the 3 training servers
- Step 2: create a virtual server with your name as the description and bind your own pool as its resource
- Step 3: test the virtual server and check the statistics

Slide 33: Lab 2: logging iRule
(diagram) Internet, clients 192.168.0.x/24, servers 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: log custom information with iRules
- Step 1: create an iRule that logs the client source IP address and source port
- Step 2: add your iRule to the virtual server
- Step 3: access the virtual server and check the BIG-IP log with: tail -f /var/log/ltm | grep (the grep pattern is missing from the extracted slide)

    when CLIENT_ACCEPTED {
        log local0. "TCP session [IP::client_addr]:[TCP::client_port]"
    }

Slide 34: Lab 3: pool selection
(diagram) Internet, clients 192.168.0.x/24, servers 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: select a dedicated pool for a specific client
- Step 1: create a new pool, then create an iRule that selects your yourname2 pool for your own IP address
- Step 2: add your iRule to the virtual server
- Step 3: access the virtual server and check the BIG-IP log with: tail -f /var/log/ltm | grep (the grep pattern is missing from the extracted slide)
- Step 4: ask your classmate to access your VS and check the log

    when CLIENT_ACCEPTED {
        # <your_ip> is a placeholder: the address on the slide was lost in extraction
        if { [IP::addr [IP::client_addr] equals <your_ip>] } {
            pool yourname2
            log local0. "TCP session [IP::client_addr]:[TCP::client_port] selected yourname2 pool"
        } else {
            pool yourname
            log local0. "TCP session [IP::client_addr]:[TCP::client_port] selected default pool"
        }
    }

Slide 35: Lab 4: Object type switching
(diagram) Internet, clients 192.168.0.x/24, servers 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: select a dedicated pool for a specific client
- Step 1: create a new pool, then create an iRule that selects your yourname2 pool for your own IP address
- Step 2: add your iRule to the virtual server
- Step 3: access the virtual server and check the BIG-IP log with: tail -f /var/log/ltm | grep (the grep pattern is missing from the extracted slide)
- Step 4: ask your classmate to access your VS and check the log

    when HTTP_REQUEST {
        set uri [HTTP::uri]
        log local0. "The URI is $uri"
        if { $uri ends_with ".gif" } {
            pool yourpool
        } else {
            # Rewrite the request URI to the site root before sending it to the second pool
            HTTP::uri "/"
            pool yourpool2
        }
    }

Slide 36: Lab 5: manipulate HTTP Header
(diagram) Internet, clients 192.168.0.x/24, servers 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: rewrite the web server header against a security threat
- Step 1: install HTTP watch
- Step 2: access your VS and check the value of the HTTP "Server" header
- Step 3: create an iRule that rewrites the "Server" response header to your name
- Step 4: add your iRule to the virtual server
- Step 5: access the virtual server and check the BIG-IP log with: tail -f /var/log/ltm | grep (the grep pattern is missing from the extracted slide)

    when HTTP_RESPONSE {
        log local0. "Original Server type is: [HTTP::header Server]"
        HTTP::header replace Server "F5_server"
        log local0. "HEADER modified is: [HTTP::header Server]"
    }

Slide 37: Lab 6: Selective SNAT address
(diagram) Internet, clients 192.168.0.x/24, servers 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: specify a SNAT address for a selected source IP address when it accesses the VS
Hints: search for the "snat" iRules command and an example at http:/ Wiki

Slide 38: Thank You!

Slide 39: iRule V4 vs V9

Slide 40: What can V9 really do that V4 can't?
- Fewer rules for more functionality
- Rules can be written to use dynamic data (e.g. a pool name can come from a header or cookie)
- Complete universal persistence: persistence records can be added based on data from the response
- Ability to maintain state: the session table can track arbitrary information for a period of time; variables can reference data for the life of the connection; global variables can reference data indefinitely

Slide 41: What can V9 really do that V4 can't?
- Manipulate the response: insert or remove headers and cookies in the response; sanitize headers and cookies from the response; encrypt headers, cookies or data in the response; scrub data from the response
- Perform different behaviour based on the LB decision
- Perform better validation of requests before they go to the server: sanitize headers and cookies from a request; decrypt headers, cookies or data in a request; requests can be rewritten to match the requirements of the server

Slide 42: What can V9 really do that V4 can't?
- Offload processing from servers: rules can respond or redirect without even hitting a server
- Dig deeper into protocols: protocols can be proxied to get to the information that controls load balancing and persistence
- Granular control of load balancing and OneConnect: split generic transactions to different servers

Slide 43: Backup

Slide 44: Operators
- Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
- Logical operators: not, and, or

Slide 45: Event declaration
- An iRule is event driven
- The BIG-IP TMM triggers the iRule based on an event, e.g. CLIENT_ACCEPTED, HTTP_REQUEST, HTTP_RESPONSE
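Lab 5 renames the Server header; the slide 41 capability "sanitize headers from the response" goes further. The iRule below is an added example, not from the slides or F5, that strips every response header revealing the back-end software and logs what it removed so the change can be checked in /var/log/ltm. The header list in ::fingerprint_headers and the replacement value "web" are assumptions; adjust them to what your HTTP watch shows.

```tcl
# Added example: remove software-fingerprinting response headers (extends Lab 5).
when RULE_INIT {
    # Assumed list of response headers that identify the server stack.
    set ::fingerprint_headers [list "Server" "X-Powered-By" "X-AspNet-Version"]
}

when HTTP_RESPONSE {
    foreach hdr $::fingerprint_headers {
        # Only act (and log) when the back-end actually sent the header
        if { [HTTP::header exists $hdr] } {
            log local0. "[IP::client_addr]:[TCP::client_port] stripping $hdr: [HTTP::header $hdr]"
            HTTP::header remove $hdr
        }
    }
    # Insert a generic Server value (assumed) so that a missing header does not
    # itself reveal that a proxy sits in front of the servers.
    HTTP::header insert Server "web"
}
```

Verify with the Lab 5 steps: the HTTP watch should show only "Server: web" and the log should show one "stripping" line per removed header.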
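For Lab 6, the selective SNAT, here is an added example (not the slides' lab solution) that maps each student's client address from the Lab setup table to that student's own SNAT address, so the training servers see a per-student source IP; any other client falls back to automap. The client and SNAT addresses come from the lab table (192.168.0.10+N and 192.168.20.10+N for students 1 to 12); the map name ::snat_map is an assumption, and the VS keeps its own default pool.

```tcl
# Added example: per-student SNAT selection built from the Lab setup table.
when RULE_INIT {
    # client 192.168.0.(10+N) -> SNAT 192.168.20.(10+N), students 1..12
    array set ::snat_map {}
    for { set n 1 } { $n <= 12 } { incr n } {
        set ::snat_map(192.168.0.[expr {10 + $n}]) 192.168.20.[expr {10 + $n}]
    }
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    if { [info exists ::snat_map($client)] } {
        # Known student: use that student's dedicated SNAT address
        snat $::snat_map($client)
        log local0. "TCP session $client:[TCP::client_port] SNAT to $::snat_map($client)"
    } else {
        # Anyone else: let the BIG-IP pick a self IP on the server-side network
        snat automap
        log local0. "TCP session $client:[TCP::client_port] SNAT automap"
    }
}
```

Check it the same way as Labs 2 and 3: the log line shows which SNAT was chosen, and the training servers' access logs should show that address as the source.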