
NetworkJutsu


BIG-IP

F5 BIG-IP LTM VE Initial Configuration

06/01/2016 By Andrew Roderos 3 Comments


I talked about my F5 BIG-IP LTM VE home lab in this post, but I didn’t do a walkthrough on how to configure it after deployment. In this post, you will learn the initial configuration of the BIG-IP LTM virtual appliance.

The BIG-IP LTM VE version that I am using is the 90-day trial version, so the wizard may be a little different from the newer version since this is an older version (11.3). The latest release of version 11 is 11.6, but the latest version at the time of writing is 12. I actually took two classes a few weeks ago based on version 12 at F5 Networks’ headquarters in Seattle, WA. The two classes were Administering BIG-IP and Configuring BIG-IP LTM: Local Traffic Manager.

While the 90-day trial is based on 11.3 (F5 has decided to give trial users 13.1.x), the Setup Utility wizard is pretty similar, so this guide is still relevant even when using the older version of LTM VE. I might buy the lab version, but for now this will do the job.

Setting the Management IP address

By default, the management interface of the VE has an IP address of 192.168.1.245/24. This is only true if the management interface is not on a network with a DHCP server.

One might say that is an odd number to pick for the default management IP address. Well, if you convert 245 to hexadecimal, you get F5, as shown below. Very geeky in my opinion!

[Image: F5 hexadecimal]

There are three ways to change the management IP address in the virtual appliance: Bash shell, TMSH (TMOS shell), and Web UI. Personally, I like both CLI methods – bash and TMSH. Both CLI methods are covered in this post.

Using Bash Shell

The easiest way of accessing the CLI is the console display: right-click the BIG-IP LTM virtual machine and click Open Console in the vSphere client. Alternatively, one can use a terminal emulator to SSH to the BIG-IP LTM virtual machine using the default management IP address.

Step 1

Log in to the CLI using the default user account. Use root as username and default as password.

Step 2

Issue the config command in the bash shell.

[Image: login]

This will bring up the F5 Management Port Setup utility.

[Image: configuration utility]

Step 3

Once you get the prompt, like the one above, hit OK. The next prompt will ask whether you want to use the automatic configuration; hit No.

[Image: default ip address]

Step 4

Enter the desired IP address for the management interface and hit OK.

[Image: configure ip address]

Step 5

Enter the desired subnet mask for the management interface and hit OK.

[Image: configure subnet mask]

Step 6

The management default gateway is optional, depending on your setup. Since I have a management network and I want to access it from any network, I do want to configure a default gateway so I can access the management IP from any VLAN. Otherwise, skip steps 6 and 7.

[Image: management route]

Once you hit Yes, you will be prompted for the default gateway’s IP address. Enter it and hit OK.

[Image: configure default gateway]

Step 7

Confirm the management IP address changes by hitting Yes. You will now be back at the bash shell. Exit the bash shell and go to the Activating License section.

[Image: confirm configuration]

Using TMOS Shell (TMSH)

TMOS is a real-time, event-driven operating system designed specifically for application delivery networking. Through TMOS, you can configure all of the basic BIG-IP system routing and switching functions, as well as enhancements such as clusters, user roles, and administrative partitions.

According to the authors of F5 Networks Application Delivery Fundamentals Study Guide, TMOS and full proxy architecture were introduced back in 2004 when F5 Networks released BIG-IP LTM version 9.

Step 1

As in step 1 of the previous section, log in to the CLI using the default user account. Use root as username and default as password.

Step 2

Enter the TMOS shell, then issue the command below to assign the IP address to the management interface.

[root@localhost:NO LICENSE:Standalone] config # tmsh
root@(localhost)(cfg-sync Standalone)(NO LICENSE)(/Common)(tmos)# create sys management-ip 192.168.99.51/255.255.255.0

To display the management interface’s IP address:

root@(localhost)(cfg-sync Standalone)(NO LICENSE)(/Common)(tmos)# list sys management-ip
sys management-ip 192.168.99.51/24 {
    description configured-statically
}

Step 3

As in step 6 of the previous section, the management default gateway is optional, depending on the setup.

root@(localhost)(cfg-sync Standalone)(NO LICENSE)(/Common)(tmos)# create sys management-route default gateway 192.168.99.1

To display the management interface’s default gateway:

root@(localhost)(cfg-sync Standalone)(NO LICENSE)(/Common)(tmos)# list sys management-route
sys management-route default {
    gateway 192.168.99.1
    network default
}

Step 4

Save the configuration.

root@(localhost)(cfg-sync Standalone)(NO LICENSE)(/Common)(tmos)# save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
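
A post-change check for the TMSH steps above, as an added example that is not from the original post or from F5: it parses list sys management-ip and list sys management-route output in the format shown and reports when the address is still the factory default or a gateway is not on the management subnet. The function names and the joined sample text are assumptions made for illustration.

```python
import ipaddress
import re

# Factory-default management address quoted in this post.
FACTORY_DEFAULT_IP = ipaddress.ip_address("192.168.1.245")

# Constructed sample: the two "list sys ..." outputs from the steps above, joined.
SAMPLE_OUTPUT = """\
sys management-ip 192.168.99.51/24 {
    description configured-statically
}
sys management-route default {
    gateway 192.168.99.1
    network default
}
"""

STANZA_RE = re.compile(
    r"^sys (management-ip|management-route) (\S+) \{\n(.*?)^\}", re.M | re.S
)


def parse_stanzas(text):
    """Return (kind, name, properties) for each management stanza in the text."""
    stanzas = []
    for kind, name, body in STANZA_RE.findall(text):
        props = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                props[parts[0]] = parts[1].strip()
        stanzas.append((kind, name, props))
    return stanzas


def check_management_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, interfaces, gateways = [], [], []
    for kind, name, props in parse_stanzas(text):
        try:
            if kind == "management-ip":
                interfaces.append(ipaddress.ip_interface(name))
            elif "gateway" in props:
                gateways.append(ipaddress.ip_address(props["gateway"]))
        except ValueError as exc:
            findings.append(f"unparseable {kind} value: {exc}")
    if not interfaces:
        findings.append("no management-ip configured")
    for iface in interfaces:
        if iface.ip == FACTORY_DEFAULT_IP:
            findings.append(f"management-ip {iface} is still the factory default")
        for gw in gateways:
            if gw == iface.ip:
                findings.append(f"gateway {gw} is the management address itself")
            elif gw.version == iface.version and gw not in iface.network:
                findings.append(f"gateway {gw} is outside {iface.network}")
    return findings


if __name__ == "__main__":
    print(check_management_config(SAMPLE_OUTPUT) or "management config looks consistent")
```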

Activating License

Before you can do anything with BIG-IP LTM, you need to activate the license, which is done through the BIG-IP Configuration Utility. To access it, open your favorite web browser and enter https://<BIG-IP management address> in the address bar. You will then be presented with a screen like the one below. To log in, use the default username and password, which are admin/admin.

[Image: BIG-IP Configuration utility]

Once logged in, you will be presented with the Welcome screen. To begin the Setup Utility wizard, click Next to continue.

[Image: Setup utility welcome screen]

You will now be presented with a screen that prompts you to activate the BIG-IP LTM license. Click Activate.

[Image: BIG-IP LTM license, Activate]

The next screen is where you enter the license key that you received from F5 Networks. Enter the license key and choose the activation method: automatic or manual.

Automatic Method

The automatic method is the fastest and easiest way to activate BIG-IP LTM. However, it requires an interface that has access to the Internet. In this scenario, the management interface has access to the Internet. Click Next to continue.

[Image: Enter your BIG-IP license, automatic method]

The next screen will ask you to read and accept the EULA. Click Accept to continue.

[Image: Accept EULA]

Once the EULA has been accepted, a new screen will appear. After a minute or less, a Continue button will appear. Click the Continue button and you will be redirected to the resource provisioning page. Skip to the Resource Provisioning section of this post if you chose this method. If not, go to the next section.

[Image: system configuration continue]

Manual Method

The manual method is for environments where the management interface is on a network that is not allowed to access the Internet. It involves more steps than the automatic method.

[Image: Manual method]

Follow the steps shown on the screen. The first step is to copy all the text found in the dossier box. Alternatively, download the dossier file.

[Image: Dossier and license info]

The second step is to go to F5’s licensing site by clicking the link found in the step 2 section of the screen. Paste the dossier into the box. Alternatively, upload the dossier file. Click Next to continue.

[Image: F5 activation page]

The next screen will ask you to read and accept the F5 Networks’ EULA. Click the check box to accept the EULA and click Next.

[Image: F5 EULA]

The next screen is where you can copy the license information for your BIG-IP LTM. Alternatively, you can download the license file.

[Image: License info, download license]

Once the license is pasted into the License section (step 3) of the Setup utility, click Next. You will then be presented with a screen like the one below. It takes a minute or less to finish. Once BIG-IP is done configuring the system, click the Continue button.

[Image: system configuration continue]

Upon clicking the continue button, you will now be redirected to the resource provisioning page.

Resource Provisioning

The license you receive from F5 Networks will determine what software modules you can use. The 90-day trial license includes licenses for both LTM (Local Traffic Manager) and AVR (Application Visibility and Responsibility). I am only interested in LTM at this time, so that’s the only one I am going to provision.

This section also allows you to change the provisioning for management. For the most part, you can pick the small option, especially in a home lab environment. For LTM, we can technically provision it as dedicated since that is the only thing we’re running, but you can leave it at nominal, which is the default.

[Image: Resource provisioning]

Platform

This part of the setup utility wizard allows you to configure the management interface’s IP address details (again), host name, time zone, user account passwords, etc. The SSH Allow section acts as an ACL to allow certain IP addresses and/or ranges. Once you make changes to the account passwords, you will be logged out and will need to log back in.

[Image: Platform properties]

Network Configuration

Once you log back in, you will be in the network section. You have the ability to continue the setup utility or finish it. In this post, I will go through the standard network configuration.

[Image: Network Configuration]

Redundancy

You will now be directed to the redundancy portion of the setup utility. This section is about the High Availability feature. At this time, I suggest unchecking both boxes and configuring it in the future when it is needed. This will be covered in a future blog post. Once both boxes are unchecked, click Next to continue.

[Image: Redundancy]

VLANs

Next up is the network configuration for the internal interface. As you know, this interface will be facing your internal servers that will be load balanced by BIG-IP LTM.

In my case, my home lab uses 10.2.0.0/24 as the internal network.

[Image: TMM (Traffic Management Microkernel) interfaces, internal]

For the port lockdown, you can leave this at the default setting (Allow Default), since this is only a home lab environment. Adjust accordingly. The Allow Default setting specifies that connections to the self IP address are allowed from the following protocols and services:

[Image: Allow default ports]

For the VLAN interfaces, you will need to know the network mapping from the BIG-IP LTM VE virtual machine deployment. If you used ESXi for deployment, it should be similar to the one below. Once you have figured out which interface number is your internal one, click Next to continue.

[Image: VM network mapping]

The next screen will ask you to configure the external interface. I left the Port Lockdown to the default. Adjust this setting based on your environment. Since this is just a home lab, I left it alone. Click the Finished button once the required settings are entered.

[Image: TMM interfaces, external]

You will now be redirected to the home page. This will always be the page you will see every time you log back into BIG-IP Configuration utility.

[Image: BIG-IP Welcome page]

Start your Application Delivery Controller training now!

The initial configuration of BIG-IP LTM is quite easy, especially when the default settings are accepted. The only part that I struggled with at first was associating the TMM (Traffic Management Microkernel) interfaces. Other than that, it was really easy to deploy the virtual appliance and do the initial configuration.

With the free 90-day license for BIG-IP LTM, people who are interested in learning F5 will be able to practice using the software. While 90 days is plenty of time, one could extend the trial by requesting a few more license keys for free. As far as I know, there is no limit on how many one could request. Just do not abuse it.


Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.


F5 BIG-IP LTM VE Home Lab

09/06/2015 By Andrew Roderos 1 Comment


I mentioned that I was building an F5 BIG-IP home lab here, and I just finished building it a week ago. I wanted to share how mine was set up and possibly help a few people build one. While mine was built on an ESXi host, it might work on other hypervisors as well.

There are a lot of players out there in the Application Delivery Controller (ADC) space, but F5 controls a 52% share, according to Dell’Oro Group’s 2014 report. Some of the players in the ADC space are Citrix, A10, Radware, Fortinet (acquired Coyote Point), etc. I’ve seen job postings for network engineer positions where they require or desire people with F5, Citrix, or A10 experience. That said, it’s probably best to learn about ADCs, commonly called load balancers. Depending on the organization, some let the server team handle everything: installation, configuration, and maintenance. However, a number of organizations let the network team handle the load balancers.

Want to get started in learning Application Delivery?

There is no F5 Networks Press, like VMware Press or Cisco Press, so there are no official books released. That said, if you head over to Amazon to see what books are there, the top book is the F5 Networks Application Delivery Fundamentals Study Guide. This book, however, does not talk a whole lot about the BIG-IP LTM but focuses more on the TCP/IP side of things. It seems to be a good book to have so you can pass F5 Networks’ 101 exam (Application Delivery Fundamentals). I don’t have first-hand experience with the book, so just read through the reviews.

To get the official training books for BIG-IP LTM, one has to sign up for the expensive training offered by a lot of training vendors, including direct training from F5 Networks. That is, unfortunately, the only way to get very specific BIG-IP LTM book material(s).

Acquiring BIG-IP LTM

While there are used ones on eBay for people to buy, there is another way to build one using the BIG-IP LTM VE. There are three ways to acquire BIG-IP LTM VE, two of which are free (in exchange for some personal information) and one of which is a paid version. If one is only interested in playing with BIG-IP LTM, then the 90-day trial should suffice. One caveat is that the copy available for download is the 11.3 version and the current version is 11.6, as of this writing.

The other free version is the 30-day evaluation, which includes licenses for a lot of their products, like Global Traffic Manager (GTM), Application Acceleration Manager, etc. The 30-day evaluation should let one download the newest version. Last, but not least, is actually purchasing a lab license, which has a price tag of ~$99. The lab version includes licenses for the following products: Local Traffic Manager, Global Traffic Manager, Application Acceleration Manager, Advanced Firewall Manager, Access Policy Manager, and Application Security Manager. If one needs Carrier-Grade NAT and Policy Enforcement Manager, then they can be purchased for an additional fee. I personally opted for the 90-day trial version since I am currently interested in learning a bit of the LTM product.

BIG-IP LTM VE Setup

[Image: F5 LTM]

Upon deploying the OVA, it will ask to configure four network adapters. These four adapters are used for the following: Management, Internal, External and High Availability (HA). By default, network adapter 2 is for internal and network adapter 3 is for external. So if one follows the labeling during the OVA deployment, make sure to assign the right interface number once in the setup utility.

My network devices at home are not fancy, so they lack features that are normally found on SMB or enterprise products. That said, my BIG-IP LTM home lab required some tweaking to make it look like the adapters are on separate networks, which is going to be covered here.

Let’s start with network adapter 1, the management network, which is designed for managing the BIG-IP virtual appliance. My ESXi host has three physical network adapters. Two of the network adapters are connected to my home network, which is on the same network as the external. One of the network adapters is attached to a vSwitch designed for VMkernel connection types (vSphere VMotion, iSCSI, NFS, and host management). However, I added another port group, within the same vSwitch, which is for VM network traffic. This port group is designed for anything related to management traffic only. In the future, I might upgrade my network devices so that they support VLANs to separate a lot of my network traffic. To make it look like it is on a separate network address space, the VMs in this vSwitch are assigned an IP address within the 10.1.0.0/24 network. For my home devices to connect to this, I have to add a secondary IP address within that subnet. Another way of accomplishing a separate network is to create another vSwitch with no physical adapter assigned to it; this is the host-only option in VMware Workstation. However, this would mean another VM has to be in the same vSwitch to access the management side of the BIG-IP LTM.

Network adapter 2 (external), which is also connected to my home network, is designed for clients connecting to a resource. In this lab setup, the resource is a website hosted on three web servers. The BIG-IP LTM, in this case, acts as a reverse proxy.

Network adapter 3 (internal), which is connected to a vSwitch with no physical adapter assigned to it, is designed for the real servers for the resource that is being load balanced. As mentioned above, the resource is a website, so the three servers are web servers. Load balancers can pretty much spread the load to different types of servers. For example, RADIUS, database, FTP servers, etc. could be behind the internal side.

Network adapter 4 (high availability), which is also connected to a vSwitch with no physical adapter assigned to it (separate from internal), is designed for network traffic between two identically configured BIG-IP devices that allows them to operate in a redundant fashion.

Thoughts

I truly believe in experiential learning. While reading books, watching training videos, or attending a class is helpful, it needs to be reinforced by hands-on experience. Yes, attending a class (most of the time a five-day class) does have the benefit of having a lab. However, attending a five-day class does not really make the concepts stick without reading the books that came with it and also redoing the lab scenarios in one’s own time. Having said that, building a lab to play with would be beneficial for one’s employer and career in the long run.


Copyright © 2011–2023 · NetworkJutsu · All Rights Reserved · Privacy Policy · Terms of Use