BIG-IP Basic Nomenclature

Captions
Hi, welcome to this latest episode of Lightboard Lessons. Today we're going to talk about the basic BIG-IP nomenclature. Back in January we started releasing some articles on DevCentral Basics, and we're really just kind of talking about the very basic things about F5 technology, like what is a load balancer and what is a proxy, and so I will point you to those articles. As part of that, we're going to talk about the basic BIG-IP nomenclature, kind of starting at the hardware and climbing the stack up to what makes traffic flow through the box.

So we're going to start with: what is BIG-IP? BIG-IP is the platform, and it doesn't matter if it's a hardware platform like our VIPRION, which is our modular platform where you can slide modules in and out based upon your needs, whether you need a 100 gig module or something less than that. So you have your VIPRION, that is a chassis with blades, and then you also have your appliances, and these are the ones that, you know, they come the way they are, and if you need more compute power then you just buy more appliances. And then we also have our virtual editions, which you can get licenses for at several different speeds, and that's just a license key; you install the ISO in your own environment, or you can spin up instances in Amazon or Azure, or, you know, the VMware-enabled environments as well, so a lot of different hypervisors that the virtual editions can run on.

So we talked about BIG-IP, we have the hardware and the virtual hardware, but then we also have the software, and this is where our modules come in. Like our Local Traffic Manager, which is kind of the core functionality of BIG-IP, and this is where some of the other technology we'll talk about in a second, your pools and your nodes and your SSL offloading, you know, that kind of exists there. And then you have your Access Policy Manager and your Application Security Manager, Advanced Firewall Manager, and a lot of these are security related. Then you have your BIG-IP DNS, which is the global load balancing but also all DNS services, and, you know, we could go on and on with all the different modules that are available for BIG-IP. But BIG-IP is the platform, and then hardware, software and modules are part of that platform.

So after we start at the BIG-IP, then we actually are looking within this hardware or this virtual hardware. We start at, actually I'll just draw one of these guys, and we'll start at the network interface. So, you know, we have either a physical NIC or a virtual NIC, and this is how we're connecting to other networking devices in order to pass traffic. So that's a physical NIC in a box or a vNIC in one of the virtual editions. And then what you can do with these NICs is you can actually aggregate them, and so this is link aggregation, which is kind of the standard industry term, and you can use the Link Aggregation Control Protocol, LACP, in order to control how those are set up. In the Cisco world you would call this EtherChannel, but link aggregation, and then when you're actually configuring this, say this is going to a switch, when you're actually configuring this in the BIG-IP you're going to configure a trunk, and that trunk will be any number of these network interfaces that are bundled together. So if you're on an appliance that only has one gig NICs and you need four gigs, then you would bundle four or eight, depending on, you know, how much overhead, I mean how much extra bandwidth you want to be able to plan for spikes and stuff. But you were going to trunk these together, so you would actually define a trunk on the BIG-IP and you would bundle these network interfaces together.

And so the next stepping stone above the trunk is to come to the VLAN, and within the VLAN, this is obviously a layer 2 construct, and this is where we're actually going to have Ethernet frames going on the wire. So across one of these trunks you would have your VLAN, or it doesn't have to be a trunk; say we have another network interface down here, and we can say this is an appliance with six. I haven't touched the hardware in a long time, so there might be one with six, I don't know, but say there's six on this particular appliance, and we want to have one VLAN that is dedicated to a particular NIC. And so we could say I'm going to assign that interface, which we'll say on this appliance is 1.6, and so with that particular VLAN I would have an untagged VLAN, because by dedicating that NIC I don't need to pass tags on that Ethernet frame. But if I want to use, say, a trunk, so I want to use this trunk and I want to use VLANs 2, 3 and 4 on that, I need to be able to segregate that traffic, and so we add a VLAN tag. So on this trunk that we've defined, then, I will have tagged VLANs 2, 3 and 4. But I don't have to do that on a trunk; I could also just use this interface, which I will say is 1.3, and I will tag VLANs 4 and 5 on that, and so that's how you work with the different VLANs.

And then there's another concept on the BIG-IP for VLANs, and that's the concept of a VLAN group. So if I have a BIG-IP, and say you have an environment where, imagine for a second that that BIG-IP is not there, so you've got your router and the gateway is .1, and we'll say this network is 172.16.4, OK, and this router gateway is .1, and your server assets are back here, and say this is .3 and .4. So with this not here, pretend for a second this is just a dumb switch, then everything is going to be able to communicate just fine. But if I put a BIG-IP in here and say this is my external VLAN now and this is my internal VLAN, now I'm layer 2 segmented but I still have a single layer 3 network. And so what I can do is I can define a VLAN group, and I make the external VLAN and the internal VLAN part of that group, and so now I can bridge traffic across the BIG-IP so that anything that was there before at layer 3 can still do what it needs to do. But then we can take care of our load balancing or application delivery services on the BIG-IP without interrupting or requiring a re-architecture of this network. So that's what VLAN groups are useful for.

And so climbing to the next layer, layer 3, we have the self IP and of course any routing. So the self IP is useful for getting traffic to the box or traffic from the box, but not through the box; you know, you don't talk to self IPs for traffic that's traversing the BIG-IP. And so if you want to communicate, say you're setting up a local traffic and global traffic scenario and you need the iQuery protocol for BIG-IP DNS to be able to talk to the BIG-IP, you know, it's going to come to a self IP to do that, and that's going to talk on TCP 4343. And so on the self IPs you can, you know, accept no traffic, and you can accept default, which has things like the SSL port, SSH, iQuery, the ability to ping that interface, or you can have a very custom, locked-down experience on what you're going to allow to your self IP. So if you have, like, six interfaces connected to three public networks and then maybe four different DMZs internally, but only one interface has to listen for iQuery traffic, well then you don't necessarily want to allow that port on those other networks; you can lock that down, and so that's what the self IP is useful for. Also, if you're sending traffic, you know, like your pool traffic, your pool monitor traffic, any of the other management services that might be running on your host OS on your BIG-IP, then, you know, it's going to go out from that self IP, or the management port if you're doing all of your services on the management side. But self IPs are used in those instances, especially for monitor traffic.

And then routing: you can do static routing or dynamic routing. The dynamic routing is an actual license that you can buy to do, you know, like OSPF or BGP or anything like that. But static routing, you add the route, and incidentally we'll talk about it a little bit more when we get to the virtual servers, but a static route on the box does not mean that the traffic is going to pass through your box. It means it knows how to get there, but it doesn't mean that it's going to honor that route; you need more configuration for traffic that's coming through the box. Static routes, as far as management traffic leaving the BIG-IP locally, you know, those static routes are useful for that, but anything traversing the box needs more than just a route.

And then the next construct we have is a node, and a node you would consider like a host, like a server, you know, and that server or that host is an IP address. So the BIG-IP will store nodes, and that's just an IP address; it could be IPv4, IPv6, but it's just an IP. And then the next construct would be pools, and so in the pool you have server services, right, anything on a, well, that's really terrible writing, so it'd be a server service, and so services are running on ports. And so a pool, anything you add to the pool is going to be an IP:port combination, and so that can be IPv4, IPv6, they can be port 80 and port 8080 or port 59672; the pool doesn't care how many different combinations of IPs and ports. It's just saying that this is a collection of services, and as long as your application is running on all of those services, when the BIG-IP passes traffic to it, it'll be able to respond. But that pool is just a collection of services, a collection of IP:ports in the configuration. And you can do a lot of different things with pools: you can set priorities as far as how many different servers you want active in that pool at a particular time; you can set ratios, so if you have a server from 2006 versus a server from 2017, probably the 2017 server can do a lot more from a compute perspective, and so you could set that server to get a lot more of the traffic than the one from 2006. But, you know, a lot of different options that you can set, excuse me, on pools.

And then we also have SNAT, and that's like a secure network address translation. You can't actually address a SNAT, well, there's one unique case that you can, but mostly SNATs can't be addressed, you can't send traffic to them, but they're useful in translating your source traffic into another address on the way back to the server, so that you can bring traffic back to the BIG-IP. And so if you have public addresses coming in and you don't want to send the public address at the IP layer back to the server, you would use a SNAT for that, and then you can pass that into, like, a header to send that source IP back. But also that's useful for, if you, and of course there are direct SNATs and then there are SNAT pools. And with a SNAT pool, so if you have a virtual server on the front side that is going to handle more than 64K connections, then you might exhaust ports on a single IP on the back side sending out to your array of servers. And so if you have a pool, you can fill that pool with many addresses, and that way you won't exhaust all of your source ports on your single SNAT if your connection count is too high. And then the SNAT pools are smart enough that if you have multiple layer 3 members in your pool and you have multiple SNATs that can handle those different, you know, destinations, it'll use the appropriate L3 address from that pool. So it's pretty cool stuff that you can do with SNATs.

And then of course the next level, starting back over here, is profiles, if I could spell. So the great thing about profiles is it allows you to customize the experience on each one of your virtual servers. And so if you have TCP characteristics for mobile versus TCP characteristics for desktop, high-speed versus ISDN, if you're anywhere you might have an ISDN connection or dial-up, shudder to think, but, you know, dial-up is still out there in some places, so the TCP characteristics of that would be very different. SSL characteristics from app to app are very different, and so rather than trying to include everything together in one massive experience on a global level for the box, or even, you know, to span multiple applications, you can break it down with various profiles, whether it's TCP or SSL or DNS profiles, and you can get into the very specifics of what you need for that application, so everything is tuned to make that application go fantastically for the characteristics of the clients that you have.

And so all of these basic building blocks, you don't need them all to get an application running, but you have all of this accessible to you up to the final building block here, which would be a virtual server. And I left out policies; you know, there are certainly policies that you can apply, like for security purposes or for application purposes, where you use a policy instead of scripting an iRule. We haven't even talked about iRules, but these are the very basic building blocks, so there are other options, but these are kind of the big ones that you would be concerned about leading up to deploying an application. And so the virtual server, and earlier I mentioned the route: if you don't have a route, the box doesn't know where for the traffic to go, but once the BIG-IP knows where the traffic can go, the virtual server is required so that it will actually allow it to go. Our box, the BIG-IP, is a default-deny box, and so unless you have a virtual server that will accept the traffic destination where it's sending, then the routes don't really matter. And so the virtual servers can be configured anywhere from handling L4 all the way to handling L7 traffic. So an example would be if you're load balancing a TCP app, well, HTTP is a TCP app, but you don't necessarily need to configure it to listen for and validate the HTTP protocol on that virtual server; you can just keep it at L4 so that it doesn't do as much to it. Maybe you don't really need to inspect that, you just need to load balance it, and so an L4 profile would be very good for that. However, if you do need to validate a protocol at layer 7, and you might need access, and we talked about those policies and we talked about those iRules, when you want to actually do things to manipulate or inspect or, you know, direct traffic at L7, you do need that L7 profile in order for it to inspect and do those things. So other things you can do with virtual servers is you can wildcard them, so if you want to look at all DNS traffic and you don't really care what the destination is, you can do it all zeros:53. If you care about the IP space but you don't care about the service, you can wildcard the port; you can wildcard IP and port, or partial network and port, all kinds of different things that you can do with virtual servers. So I could go on and on and on; in fact we could probably have 50 lightboards for each one of these topics, but I'll close for now. Thank you for joining me, and we'll see you out there in the community.
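The constructs walked through on the lightboard, as an added tmsh example that is not from the video or from F5's own documentation. It reuses the 172.16.4.0/24 network from the drawing; the interface numbers, object names, the 10.0.0.0/24 management DMZ, the SNAT and virtual addresses, and the remote 10.20.0.0/24 subnet are all assumptions.

```tmsh
# Added example, not from the video. Assumes four 1G interfaces cabled to a
# switch, interface 1.6 dedicated to a DMZ, and free addresses in the subnets.

# Link aggregation: bundle four interfaces into one LACP-controlled trunk
create net trunk sw_trunk interfaces add { 1.1 1.2 1.3 1.4 } lacp enabled

# Layer 2: tagged VLANs ride the trunk; an untagged VLAN owns interface 1.6
create net vlan external interfaces add { sw_trunk { tagged } } tag 2
create net vlan internal interfaces add { sw_trunk { tagged } } tag 3
create net vlan dmz interfaces add { 1.6 { untagged } }

# VLAN group: bridge external and internal so 172.16.4.0/24 stays one
# layer 3 network with BIG-IP inline (router .1, servers .3 and .4)
create net vlan-group bridge_vg members add { external internal }

# Layer 3: self IPs carry BIG-IP's own traffic (monitors, iQuery, SNAT).
# Port lockdown: nothing on the bridged side, only SSH on the DMZ side.
create net self 172.16.4.10/24 vlan bridge_vg allow-service none
create net self 10.0.0.11/24 vlan dmz allow-service add { tcp:22 }

# A static route only tells BIG-IP how to reach a subnet; transit traffic
# is still dropped unless a virtual server accepts it (default deny)
create net route remote_app network 10.20.0.0/24 gw 172.16.4.1

# Nodes are bare IPs; pool members are IP:port combinations, health-checked
create ltm node 172.16.4.3 address 172.16.4.3
create ltm node 172.16.4.4 address 172.16.4.4
create ltm pool app_pool members add { 172.16.4.3:80 172.16.4.4:8080 } monitor http
create ltm pool dns_pool members add { 172.16.4.5:53 } monitor gateway_icmp

# SNAT pool: several source addresses so a busy virtual server does not
# exhaust the ~64K source ports behind one SNAT address
create ltm snatpool app_snatpool members add { 172.16.4.20 172.16.4.21 }

# L7 virtual server: an HTTP profile lets BIG-IP inspect requests and pass
# the original client IP to the server in X-Forwarded-For after SNAT
create ltm profile http app_http insert-xforwarded-for enabled
create ltm virtual app_vs destination 172.16.4.100:80 ip-protocol tcp profiles add { tcp app_http } pool app_pool source-address-translation { type snat pool app_snatpool }

# L4-only wildcard listener: any destination address on port 53, no
# protocol inspection, just load balancing
create ltm virtual dns_any destination 0.0.0.0:53 mask any ip-protocol udp profiles add { fastl4 } pool dns_pool

save sys config
```

The `allow-service none` self IP is the locked-down case the video describes; widen it per VLAN only for the services that side actually needs.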
Info
Channel: F5 DevCentral
Views: 25,975
Keywords: f5, devcentral, lightboard, big-ip
Id: 2YRKTyMgV4M
Length: 19min 48sec (1188 seconds)
Published: Wed Apr 12 2017