Lab 2: Work with SNAT, Profiles, and Monitors

In this lab you will experiment with using SNAT Auto Map for inbound requests as well as outbound requests from internal users. You’ll also use an HTTP and stream profile to make global modifications to text within a web site. Finally you’ll see how using health monitors ensures that the BIG-IP knows which web servers are available for client requests.

Task 1 – Use SNAT AutoMap

  1. In the Configuration Utility, open the Pool List page and click Create.

  2. Use the following information for the new pool, and then click Finished.

    Form field     Value
    Name           lorax_pool
    New Members    Address: 10.1.20.41 Service Port: 80 (Click Add)
                   Address: 10.1.20.42 Service Port: 80 (Click Add)
                   Address: 10.1.20.43 Service Port: 80 (Click Add)

  3. Open the Virtual Server List page and click Create.

  4. Use the following information for the new virtual server, and then click Finished.

    Form field                   Value
    Name                         lorax_virtual
    Destination Address/Mask     10.1.10.25
    Service Port                 80
    Resources > Default Pool     lorax_pool

  5. From the desktop open putty, and then connect to BIGIP_A and log in as root / default.

  6. At the CLI type (or copy and paste):

    tcpdump -i external port 80

  7. Open a second putty session and connect to BIGIP_A.

  8. At the CLI type (or copy and paste):

    tcpdump -i internal port 80

  9. Use a new tab to access http://10.1.10.25, and then close the tab.

    The page displays as expected.

  10. Examine the tcpdump windows.

    On the external VLAN the communication is between the client IP address (10.1.10.199) and the virtual server (10.1.10.25).

    On the internal VLAN the communication is between the client IP address (10.1.10.199) and a back-end web server (10.1.20.x).

  11. In both tcpdump sessions press the Enter key several times to move the log entries to the top of the window.

  12. In the Ravello window, open the Windows Server console and log in as f5demo\administrator / password.

  13. In the Windows Server image, go to Start > Control Panel, then go to Network and Internet > Network and Sharing Center, and then click Change adapter settings.

  14. Right-click on Local Area Connection 3 and select Properties.

  15. Select Internet Protocol Version 4 (TCP/IPv4) and select Properties.

    Currently the Windows Server’s default gateway is configured for the BIG-IP’s internal self IP address (10.1.20.241). The network administrator has chosen to modify the default gateway to an external router.

  16. Edit the Default gateway to 10.1.20.254, then click OK and Close.

  17. On the Windows desktop, use an incognito window to access http://10.1.10.25.

    The page fails to load because the web server is now sending its responses to the external router, not the BIG-IP system.

  18. Close the page, and then examine the tcpdump window.

    On the external VLAN the communication is still between the client IP address (10.1.10.199) and the virtual server (10.1.10.25).

    On the internal VLAN the requests are from the client IP address to a back-end web server, however there are no responses from the web server.

  19. Press the Enter key several times to move the log entries to the top of the window.

  20. In the Configuration Utility, click lorax_virtual.

  21. From the Source Address Translation list select Auto Map, and then click Update.

  22. Use an incognito window to access http://10.1.10.25, and then close the window.

    SNAT Auto Map ensures that responses to server requests are always sent back to the BIG-IP system.

  23. Examine the tcpdump window.

    On the external VLAN the communication is still between the client IP address (10.1.10.199) and the virtual server (10.1.10.25).

    On the internal VLAN the communication is now between the BIG-IP internal floating self IP address (10.1.20.240) and a back-end web server (10.1.20.x).
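The three internal-VLAN observations in Task 1 (steps 10, 18 and 23) can be told apart mechanically. The following Python sketch is an added example, not part of the original lab; the capture lines are constructed and assume numeric tcpdump output (as with `-nn`), and the port numbers and timestamps are made up.

```python
import re

# tcpdump text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags ..."
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
POOL = {"10.1.20.41", "10.1.20.42", "10.1.20.43"}   # lorax_pool members
SELF_IPS = {"10.1.20.240", "10.1.20.241"}           # BIG-IP internal self IPs

def classify(capture: str):
    """Return sorted (source, server, verdict) per flow seen on the internal VLAN."""
    requests, answered = set(), set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        if dst in POOL and dport == "80":        # request towards a pool member
            requests.add((src, sport, dst))
        elif src in POOL and sport == "80":      # response from a pool member
            answered.add((dst, dport, src))
    flows = []
    for src, sport, dst in requests:
        translated = "snat" if src in SELF_IPS else "client-ip"
        reply = "answered" if (src, sport, dst) in answered else "no-reply"
        flows.append((src, dst, f"{translated}/{reply}"))
    return sorted(flows)

# Constructed samples shaped like the internal-VLAN output at steps 10, 18 and 23.
STEP_10 = """\
10:01:02.000100 IP 10.1.10.199.51500 > 10.1.20.41.80: Flags [S], seq 1, length 0
10:01:02.000300 IP 10.1.20.41.80 > 10.1.10.199.51500: Flags [S.], seq 9, ack 2, length 0
"""
STEP_18 = """\
10:05:10.000100 IP 10.1.10.199.51620 > 10.1.20.42.80: Flags [S], seq 1, length 0
10:05:13.000100 IP 10.1.10.199.51620 > 10.1.20.42.80: Flags [S], seq 1, length 0
"""
STEP_23 = """\
10:09:30.000100 IP 10.1.20.240.23456 > 10.1.20.43.80: Flags [S], seq 1, length 0
10:09:30.000300 IP 10.1.20.43.80 > 10.1.20.240.23456: Flags [S.], seq 9, ack 2, length 0
"""
```

A `client-ip/no-reply` verdict is the step 18 symptom: the server received the request but its response left through a gateway other than the BIG-IP system.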

Task 2 – Create a SNAT for Internal Resources

  1. Press the Enter key several times to move the log entries to the top of the window.

  2. On the Windows server, change the default gateway to 10.1.20.240 (the BIG-IP internal floating self IP address).

  3. On the Windows server, use Internet Explorer to access www.f5.com.

    The request fails as the internal resource has no access to the WAN (or the Internet).

  4. Close the page, then on the Windows desktop examine the tcpdump windows.

    No requests are being sent to the Internet by the BIG-IP system on behalf of the internal resource.

  5. In the Configuration Utility, open the Local Traffic > Address Translation > SNAT List page and click Create.

  6. Use the following information for the new SNAT, and then click Finished.

    Form field               Value
    Name                     internal_snat
    Translation              IP Address: 10.1.10.100
    Origin                   Address List
    Address/Prefix Length    10.1.20.0/24 (Click Add)

  7. On the Windows server, use Internet Explorer to access www.f5.com.

    The internal user now has public access to the internet using the SNAT IP address of 10.1.10.100.

  8. On the Windows desktop, examine the tcpdump windows.

    On the external VLAN the communication is between the SNAT IP address (10.1.10.100) and the Internet resources.

    On the internal VLAN the communication is between the internal client (10.1.20.251) and the Internet resources.

  9. Close the putty sessions.

Task 3 – Use Profiles with a Virtual Server

  1. Use a new tab to access http://10.1.10.25, and then select the links at the top of the page and examine the text on each page.

    The pages make several references to the company name Lorax Investments. Lorax Investments has been acquired by Smithy Financial. Instead of updating all the web site code we’ll use profiles on the BIG-IP system to update the web site.

  2. Close the tab.

  3. In the Configuration Utility, open the Local Traffic > Profiles > Other > Stream page and click Create.

  4. Use the following information for the profile, and then click Finished.

    Form field    Value
    Name          name_change
    Source        Lorax Investments
    Target        Smithy Financials

  5. Open the Virtual Server List page and click lorax_virtual.

  6. From the Configuration list select Advanced.

  7. From the HTTP Profile list select http.

  8. From the Stream Profile list select name_change.

  9. In the Acceleration section, from the HTTP Compression Profile list select httpcompression.

  10. From the Web Acceleration Profile list select optimized-caching, and then click Update.

  11. Use an incognito window to access http://10.1.10.25, and then select the links at the top of the page.

    Although the logo needs to be updated, all the text on all pages now references Smithy Financials.

Task 4 – Work with Monitors

  1. Edit the URL to http://10.1.10.25/health_check.html

    We’re going to use this web page to identify if the web server is up or down.

  2. Close the health check page.

  3. In the Configuration Utility, open the Local Traffic > Monitors page and click Create.

  4. Use the following information for the monitor, and then click Finished.

    Form field                Value
    Name                      lorax_monitor
    Type                      http
    Interval                  4
    Timeout                   13
    Send String               GET /health_check.html\r\n
    Receive String            Server_Up
    Receive Disable String    Server_Down

  5. Open the Pool List page and click lorax_pool.

  6. Identify the current Availability status of the pool.

    Unknown identifies when a pool or node doesn’t have a configured monitor.

  7. Add lorax_monitor to the Active list and click Update.

    The Availability of the pool changes to Available (Enabled).

  8. Open the Local Traffic > Nodes > Node List page.

    Notice that all the nodes currently display unknown.

  9. Open the Local Traffic > Nodes > Default Monitor page.

  10. Add gateway_icmp to the Active list and click Update.

  11. Return to the Nodes > Node List page.

    All nodes now display available. This means that they are all sending ICMP responses.

  12. Open the Local Traffic > Network Map page and view the status for lorax_virtual.

    The virtual server, pool, and all three pool members display available.

  13. Use your mouse to hover over the pool members.

    All three nodes also display available.

Sub-Task 1 – Take 10.1.20.41:80 Offline

  1. On the Windows server go to Start > Computer, and then navigate to C:\inetpub\wwwroot\lorax_public_site_41.

    This directory is used for pool member 10.1.20.41:80. The health_check.html web page currently exists on this pool member.

  2. Delete health_check.html.

  3. Wait 13 seconds, and then in the Configuration Utility on the Network Map page click Update Map.

  4. Use your mouse to hover over the pool members.

    The first pool member is offline, and all three nodes display available.

Sub-Task 2 – Disable 10.1.20.42:80

  1. On the Windows server navigate to C:\inetpub\wwwroot\lorax_public_site_42.

  2. Right-click health_check and select Open with > WordPad.

  3. In the <p> tag, edit the text to Server_Down, and then click Save.

    This file is used by pool member 10.1.20.42:80. This pool member will now match the disable string identified in the monitor.

  4. Wait 13 seconds, and then in the Configuration Utility on the Network Map page click Update Map.

    The second pool member is now disabled; however, the virtual server and pool still display available.

Sub-Task 3 – Take Node 10.1.20.43 Offline

  1. On the Windows server, for Local Area Connection 3 open the Internet Protocol Version 4 (TCP/IPv4) properties.

  2. Click Advanced, and in the list of IP addresses scroll down to 10.1.20.43 and click Remove, then click OK three times and then click Close.

  3. Wait 13 seconds, and then in the Configuration Utility on the Network Map page, click Update Map.

  4. Use your mouse to hover over the pool members.

    The virtual server and pool display disabled but available. Node 10.1.20.43 now displays offline, which causes pool member 10.1.20.43:80 to display offline.

Sub-Task 4 – Bring 10.1.20.42:80 Back Online

  1. On the Windows server, in the health_check WordPad document, edit the text back to Server_Up, then click Save, and then close WordPad.

  2. In the Configuration Utility on the Network Map page click Update Map.

    Because pool member 10.1.20.42:80 is available, the virtual server and pool once again display available.

  3. Use an incognito window to access http://10.1.10.25.

    The page displays, with all page elements coming from 10.1.20.42:80.

  4. Close the page.
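The status changes seen in Sub-Tasks 1 to 4 follow from how lorax_monitor and the node monitor combine. The following Python model is an added example, not part of the original lab and not BIG-IP code; the response bodies are constructed, the roll-up rule is taken from the statuses this lab reports, and checking the receive string before the disable string is an assumption of this sketch.

```python
from typing import Dict, Optional

RECV, RECV_DISABLE = "Server_Up", "Server_Down"  # lorax_monitor strings
INTERVAL, TIMEOUT = 4, 13  # seconds; 13 = 3 * 4 + 1, hence "wait 13 seconds"

def member_state(body: Optional[str], node_up: bool = True) -> str:
    """Member state once TIMEOUT has passed with the same probe result.
    body is the HTTP response text, or None when nothing came back."""
    if not node_up or body is None:   # node offline (gateway_icmp) or no answer
        return "offline"
    if RECV in body:                  # assumption: receive string checked first
        return "available"
    if RECV_DISABLE in body:
        return "disabled"
    return "offline"                  # e.g. a 404 page after health_check.html is deleted

def pool_state(members: Dict[str, str]) -> str:
    """Roll member states up the way the lab's Network Map reports them."""
    states = set(members.values())
    if "available" in states:
        return "available"
    if "disabled" in states:
        return "available (disabled)"
    return "offline"

def replay_lab():
    """Apply Sub-Tasks 1-4 in order; return (label, members, pool) per step."""
    up, down = "<p>Server_Up</p>", "<p>Server_Down</p>"   # constructed bodies
    body = {"10.1.20.41:80": up, "10.1.20.42:80": up, "10.1.20.43:80": up}
    node_up = {m: True for m in body}
    changes = [
        ("sub-task 1", "10.1.20.41:80", "<h1>404 Not Found</h1>", True),
        ("sub-task 2", "10.1.20.42:80", down, True),
        ("sub-task 3", "10.1.20.43:80", None, False),   # IP removed from the NIC
        ("sub-task 4", "10.1.20.42:80", up, True),
    ]
    history = []
    for label, member, new_body, reachable in changes:
        body[member], node_up[member] = new_body, reachable
        members = {m: member_state(body[m], node_up[m]) for m in body}
        history.append((label, members, pool_state(members)))
    return history
```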