BIGIP_LTM_iRule.ppt

BIG-IP V9.0 iRule
F5 Product Training
20 4 06

Basic Review 3 25 04

Virtual Server to Pool Members
Internet -> Virtual Server 216.34.94.17:80, which maps to the pool members:
- 172.16.20.4:8080
- 172.16.20.1:80
- 172.16.20.2:4002
- 172.16.20.3:80

Profile Dependencies
- Some can't be combined in a VS
- Some are dependent on others
- Think in terms of the OSI model: TCP, HTTP, Cookie, UDP, FTP; L3 Network, L2 Data Link, L1 Physical

Traffic Flow: Big Picture
- Virtual Server, NAT, SNAT
- Client side, node side
- Address translation
- Address not translated: Forwarding VS, Transparent VS

What is Layer 7 Switching
- Application data oriented, e.g. HTTP URL, HTTP header
- Delayed binding required
- Extra memory to buffer the session
- Extra processing power: ASIC, CPU

What is an iRule
An iRule is a script that you write if you want to make use of some of the extended capabilities of the BIG-IP that are unavailable via the CLI or GUI. iRules are based on the Tool Command Language (Tcl) programming standard.

Architecture: TM/OS
How consolidation is achieved
Legacy approach: react to a single communication, one direction, packet based.

TMOS Architecture
Diagram labels: Client, Server, Client Side, Server Side, TCP Express, SSL, Compression, Caching, Microkernel, TCP Proxy, OneConnect, XML, Rate Shaping, TrafficShield, WebAccel, 3rd Party, iRules, iControl API, High Performance HW
- TMOS traffic plugins
- High-performance networking microkernel
- Powerful application protocol support
- iControl: external monitoring and control
- iRules: network programming language

iRule basic elements
- Event declarations
- Operators
- iRule commands

Basic iRule Format
Event declarations, operators, iRule commands

Event declarations
when <event type>

An example:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 10.1.1.80] } {
            pool my_pool1
        }
    }

Event types
- Global events
- HTTP events
- SSL events
- Authentication events
Reference: LTM config guide PDF, pages 302-303, table 13.2

Event types: Global Events
- CLIENT_ACCEPTED
- CLIENT_DATA
- LB_SELECTED (before send to server)
- LB_FAILED (no node available for this VS)
- SERVER_CONNECTED
- SERVER_DATA
- RULE_INIT
- CLIENT_CLOSED
- SERVER_CLOSED
Global events take effect no matter what L7 iRules are in use.
Flow diagram labels: START, RULE_INIT, CLIENT_ACCEPTED, CLIENT_DATA, LB_SELECTED, LB_FAILED, SERVER_CONNECTED, SERVER_DATA, CLIENT_CLOSED, SERVER_CLOSED

L7 Event types: HTTP Events
- HTTP_REQUEST
- HTTP_REQUEST_DATA
- HTTP_RESPONSE
- HTTP_RESPONSE_DATA
- HTTP_RESPONSE_CONTINUE
Flow diagram labels: START, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_DATA, HTTP_RESPONSE_CONTINUE

TMOS Architecture: Client, iRules, Server
- Client-side events: client accept, client data, cache request, DNS request, HTTP_REQUEST, HTTP_REQUEST_DATA, RTSP_REQUEST
- Server-side events: server connect, server data, cache response, DNS response, HTTP_RESPONSE, HTTP_RESPONSE_DATA, RTSP_RESPONSE

Operators
- Compare two operands
- Tcl standard operators
- Relational operators, e.g. contains, matches, equals, ends_with
- Logical operators, e.g. and, or, not

iRule commands
- Statement commands: action taken, e.g. use pool, SNAT, log
- Query commands: query info or data, e.g. HTTP::header, IP::remote_addr
- Data manipulation commands: perform data manipulation, e.g. HTTP::header remove, HTTP::header add
- Utility commands: parsing and manipulating content, e.g. decode_uri

iRule Events
- Global events (L3/4): Client Accepted (SYN, SYN-ACK, ACK); Server Data (HTML page to client)
- HTTP events (L7): HTTP request or HTTP response
- SSL events: client SSL handshake
- Authentication events: auth failure

iRule Concepts: Syntax
- iRules often select a pool
- Basic syntax: if / then / else

    when EVENT {
        if { conditional_statement } {
            action_when_condition_true
        }
    }

Example 1: Layer 7 content switching

    rule BrowserType {
        when HTTP_REQUEST {
            # Send image requests to the cache pool, everything else to the main pool
            if { [HTTP::uri] ends_with ".jpg" } {
                pool cache_pool
            } else {
                pool main_pool
            }
        }
    }

    rule BrowserType {
        when HTTP_REQUEST {
            # Choose a pool from the browser's User-Agent header
            if { [HTTP::header User-Agent] contains "MSIE" } {
                pool IE_pool
            } elseif { [HTTP::header User-Agent] contains "Mozilla" } {
                pool Mz_pool
            }
        }
    }

Example 2: Layer 3 IP decision

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
            pool my_pool
        }
    }

    when HTTP_REQUEST {
        # comparison operator missing from the slide text; < is assumed
        if { [IP::hops] < 10 } {
            COMPRESS::disable
        }
    }

Example 3: Layer 4 decision

    when CLIENT_ACCEPTED {
        # comparison operator missing from the slide text; > is assumed
        if { [TCP::client_port] > 1000 } {
            pool slow_pool
        } else {
            pool fast_pool
        }
    }

    when RULE_INIT {
        # Global table of concurrent connections per client IP
        array set ::active_clients { }
    }

    when CLIENT_ACCEPTED {
        set client_ip [IP::remote_addr]
        if { [info exists ::active_clients($client_ip)] } {
            # comparison operator missing from the slide text; > is assumed
            if { $::active_clients($client_ip) > 5 } {
                reject
                return
            } else {
                incr ::active_clients($client_ip)
            }
        } else {
            set ::active_clients($client_ip) 1
        }
    }

    when CLIENT_CLOSED {
        if { [info exists ::active_clients($client_ip)] } {
            incr ::active_clients($client_ip) -1
            # comparison operator missing from the slide text; <= is assumed
            if { $::active_clients($client_ip) <= 0 } {
                unset ::active_clients($client_ip)
            }
        }
    }

Configuring iRules
- Create Rule
- Create pools first
- Create the rule next
- Then point the VS to the rule

DevCentral
- Officially supported by marketing
- Community is mostly made up of volunteers, especially those from F5 Product Development
- What about support?
- What can DevCentral do better?
- Having trouble searching? Check this out: Rules Wiki

Lab setup
- Connect WiFi: SSID MaskedRider, WEP ab12cd34ef, channel 6
- IP address: 192.168.0.1-253/24
- BIG-IP v9: 192.168.0.254
- Admin logon: admin / f5training
- Training web servers: 192.168.20.1-3

Lab 1: Basic Setup
Topology: Internet (192.168.0.x/24) -> 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: set up a basic load-balancing configuration
Step 1: create a pool including the 3 training servers
Step 2: create a virtual server with your name as the description and bind your own pool as its resource
Step 3: test the virtual server and check the statistics

Lab 2: Logging iRule
Topology: Internet (192.168.0.x/24) -> 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: log custom information with iRules
Step 1: create an iRule to log the client source IP address and source port
Step 2: add your iRule to the virtual server
Step 3: access the virtual server and check the BIG-IP log with the command: tail -f /var/log/ltm | grep <pattern>

    when CLIENT_ACCEPTED {
        log local0. "TCP session [IP::client_addr] [TCP::client_port]"
    }

Lab 3: Pool selection
Topology: Internet (192.168.0.x/24) -> 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: select a dedicated pool for a specific client
Step 1: create a new pool; create an iRule to select the yourname2 pool for your IP address
Step 2: add your iRule to the virtual server
Step 3: access the virtual server and check the BIG-IP log with the command: tail -f /var/log/ltm | grep <pattern>
Step 4: ask your classmate to access your VS and check the log

    when CLIENT_ACCEPTED {
        # <your IP address> is a placeholder; the slide text gives no address here
        if { [IP::addr [IP::client_addr] equals <your IP address>] } {
            pool yourname2
            log local0. "TCP session [IP::client_addr] [TCP::client_port] selected yourname2 pool"
        } else {
            pool yourname
            log local0. "TCP session [IP::client_addr] [TCP::client_port] selected default pool"
        }
    }

Lab 4: Object type switching
Topology: Internet (192.168.0.x/24) -> 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: select a dedicated pool for a specific client
Step 1: create a new pool; create an iRule to select the yourname2 pool for your IP address
Step 2: add your iRule to the virtual server
Step 3: access the virtual server and check the BIG-IP log with the command: tail -f /var/log/ltm | grep <pattern>
Step 4: ask your classmate to access your VS and check the log

    when HTTP_REQUEST {
        set uri [HTTP::uri]
        log local0. "The URI is $uri"
        # Route by object type: GIF requests go to one pool, the rest to another
        if { $uri ends_with ".gif" } {
            pool yourpool
        } else {
            pool yourpool2
        }
    }

Lab 5: Manipulate HTTP header
Topology: Internet (192.168.0.x/24) -> 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: rewrite the web server header to mitigate a security threat
Step 1: install HttpWatch
Step 2: access your VS and check the value of the HTTP header "Server"
Step 3: create an iRule to rewrite the server response HTTP header "Server" to your name
Step 4: add your iRule to the virtual server
Step 5: access the virtual server and check the BIG-IP log with the command: tail -f /var/log/ltm | grep <pattern>

    when HTTP_RESPONSE {
        log local0. "Original Server type is [HTTP::header Server]"
        HTTP::header replace Server "F5 server"
        log local0. "HEADER modified is [HTTP::header Server]"
    }

Lab 6: Selective SNAT address
Topology: Internet (192.168.0.x/24) -> 192.168.20.1:80, 192.168.20.2:80, 192.168.20.3:80
Purpose: specify a SNAT address for a selected source IP address when it accesses the VS
Hint: search for the "snat" iRules command and its example on the Wiki

Thank You

iRule V4 vs V9

What can V9 really do that V4 can't?
- Use less rule for more functionality: rules can be written to utilize dynamic data, e.g. a pool name can come from a header or cookie
- Complete universal persistence: persistence records can be added based on data from the response
- Ability to maintain state: the session table can track arbitrary information for a period of time; variables can reference data for the life of the connection; global variables can reference data indefinitely

What can V9 really do that V4 can't?
- Manipulate the response: insert or remove headers and cookies in the response; sanitize headers
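The "sanitize headers" capability on the last slide, generalized from Lab 5's single Server header to several version-revealing response headers. This is an added example, not part of the original training deck; the header list and the replacement Server value are assumptions chosen for illustration.

```tcl
# Added example (not from the F5 deck): remove or neutralize response
# headers that reveal which software the pool members run.
when RULE_INIT {
    # Assumed list of fingerprinting headers; adjust to what your servers emit.
    set ::banner_headers [list "X-Powered-By" "X-AspNet-Version" "X-AspNetMvc-Version"]
}

when HTTP_RESPONSE {
    foreach name $::banner_headers {
        # Loop until the header is gone: a response may carry it more than once.
        while { [HTTP::header exists $name] } {
            log local0. "Removing $name: [HTTP::header value $name] (client [IP::client_addr])"
            HTTP::header remove $name
        }
    }
    # Replace Server instead of removing it, as Lab 5 does, so the response
    # still carries the header but no product name or version.
    if { [HTTP::header exists "Server"] } {
        HTTP::header replace "Server" "webserver"
    }
}
```

The global variable matches the V9 style used in the deck; on later BIG-IP releases with CMP, a `static::` variable set in RULE_INIT avoids demoting the virtual server.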
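One possible answer to Lab 6, written so that client attribution survives the address translation. This is an added example, not part of the original training deck; the client address 192.168.0.10 and the SNAT address 192.168.20.200 are constructed lab values, and the virtual server is assumed to have an HTTP profile.

```tcl
# Added example (not from the F5 deck): selective SNAT with an audit trail.
when CLIENT_ACCEPTED {
    set snat_applied 0
    # 192.168.0.10 and 192.168.20.200 are constructed values for the lab
    # network; the SNAT address must be one the servers route back to the BIG-IP.
    if { [IP::addr [IP::client_addr] equals 192.168.0.10] } {
        snat 192.168.20.200
        set snat_applied 1
    }
}

when HTTP_REQUEST {
    if { $snat_applied } {
        # The server will only see the SNAT address, so pass the real client
        # address in a header. Remove any client-supplied copy first so the
        # value the server logs cannot be forged by the client.
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    }
}

when SERVER_CONNECTED {
    if { $snat_applied } {
        # On the server side, IP::local_addr is the source address the BIG-IP
        # used, so this line maps each translated connection to its client.
        log local0. "client [IP::client_addr] reaches [IP::server_addr] as [IP::local_addr]"
    }
}
```

As in the other labs, `tail -f /var/log/ltm` shows the log line; comparing it with the web server's access log confirms the server sees the SNAT address while the BIG-IP log keeps the real client.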
