BIGIP_LTM_iRule

BIG-IPV9.0iRuleF5Producttraining20/4/062BasicReview3/25/043VirtualServertoPoolMembersInternetVirtualServer216.34.94.17:80PoolMembersMapsto4ProfileDependenciesSomecan’tbecombinedinVSSomedependentonothersThinkintermsofOSIModelTCPHTTPCookieUDPFTPL3NetworkL2DataLinkL1Physical5TrafficFlow–BigPictureVirtualServerNATSNATClientsideNodesideAddressTranslationAddressnotTranslatedForwardingVSTransparentVS6WhatisLayer7Switching•ApplicationDataoriented–Eg.HTTPURL,HTTPHeader..•Delaybindingrequired•Extramemorybuffersession•Extraprocessingpower(ASIC/CPU)7WhatisiRule•AniRuleisascriptthatyouwriteifyouwanttomakeuseofsomeoftheextendedcapabilitiesoftheBIG-IPthatareunavailableviatheCLIorGUI.•basedontheToolCommandLanguage(Tcl)programmingstandard–http://tmml.sourceforge.net/doc/tcl/index.html•AdditionalF5extension8Architecture9TM/OSHowconsolidationisachieved?ReacttoaSingleCommunication,OneDirectionPacketBasedReacttoaRealTime,Two-WayConversationTranslateBetweenPartiesFlowBasedLegacyApproach10TMOSArchitectureSSLCompressionClientSideServerSideTCPExpressServerTCPExpressCachingMicrokernel•TMOSTrafficPlugins•High-performanceNetworkingMicrokernel•PowerfulApplicationProtocolSupport•iControl–Externalmonitoringandcontrol•iRules–NetworkProgrammingLanguageHighPerformanceHWiRulesClientiControlAPITCPProxyOneConnectXMLRateShapingTrafficShieldWebAccel3rdPartyApplicationDeliveryNetwork11iRulebasicelement•Eventdeclaration•Operators•iRulescommand12BasiciRuleFormatEventdeclarations{Operators{iRulecommands}}13Eventdeclarations•Eventdeclarations=when[eventtype]•Anexample:whenCLIENT_ACCEPTED{if{[IP::addr[IP::remote_addr]equals10.1.1.80]}{poolmy_pool1}}14Eventtypes•Globalevents•HTTPevents•SSLevents•AuthenticationeventsReferrencetoLTM_config_guide.pdfpage302,303,table13.215Eventtypes::GlobalEvents•CLIENT_ACCEPTED•CLIENT_DATA•LB_SELECTED(beforesendtoserver)•LB_FAILED(nonodeavailableforthisvs)•SERVER_CONNECTED•SERVER_DATA•RULE_INIT•CLIENT_CLOSED•SERVER_CLOSEDNomatterwhatL7iRules,GlobalEventcantakeeffective.16CLIENT_ACCPTEDCLIENT_DATALB_SELECTEDLB_FAILEDSERVER_ACCPTEDSERVER_DATACLIENT_CLOSEDSERVER_CLOSEDRULE_INITSTART17L7Eventtypes::HTTPEvents•HTTP_REQUEST•HTTP_REQUEST_DATA•HTTP_RESPONSE•HTTP_RESPONSE_DATA•HTTP_RESPONSE_CONTINUE18HTTP_REQUESTHTTP_REQUEST_DATAHTTP_RESPONDHTTP_RESPOND_DATASTARTHTTP_RESPOND_CONTINUE19TMOSArchitectureServeriRulesClientClientSideServerSideTCPProxyClientSideEventClient_acceptClient_dataCache_requestDNS_requestHTTP_REQUESTHTTP_REQUEST_DATARTSP_REQUEST....ServerSideEventServer_connectServer_dataCache_responseDNS_responseHTTP_RESPONSEHTTP_RESPONSE_DATARTSP_RESPONSE....20Operator•Comparetwooperands•TCLstandard–Eg.==•RelationalOperators–Eg.Contains,matches,equals,end_with•LogicalOperators–Eg.and,or,not21iRulescommand•Statementcommand–actiontaken,eg.Usepool,SNAT,log•Querycommand–queryinfo/data,eg.HTTP::header,IP::remote_addr•Datamanipulationcommand–performdatamanipulation,eg.HTTP::headerremove,HTTP::headeradd•Utilitycommand–Parsingandmanipulatingcontent,eg.Decode_uristring22iRuleEvents•GlobalEvents(L3/4–ClientAccepted–Syn,SynAck,Ack–ServerData–htmlpagetoclient•HTTPEvents(L7)–HTTPrequestorHTTPresponse•SSLEvents–ClientSSLhandshake•AuthenticationEvents–AuthFailure23ProfileDependenciesSomecan’tbecombinedinVSSomedependentonothersThinkintermsofOSIModelTCPHTTPCookieUDPFTPNetworkDataLinkPhysical24iRuleConcepts&Syntax•iRulesOftenSelectPool•BasicSyntax–If…then…else…whenEVENT{if{conditional_statementaction_when_condition_true}}25Example1:Layer7contentswitchingruleBrowserType{whenHTTP_REQUEST{if{[HTTP::uri]ends_with“jpg}{poolcache_pool}else{poolmain_pool}}}ruleBrowserType{whenHTTP_REQUEST{if{[[HTTP::headerUser-Agent]contains“MSIE”]}{poolIE_pool}elseif{[[HTTP::headerUser-Agent]contains“Mozilla”]}{poolMz_pool}}}26Example2:Layer3IPdecisionwhenCLIENT_ACCEPTED{if{[IP::addr[IP::client_addr]equals10.10.10.10]}{poolmy_pool}}whenHTTP_REQUEST{if{[IP::hops]=10}{COMPRESS::disable}}27Example3:Layer4decisionwhenCLIENT_ACCEPTED{if{[TCP::client_port]1000}{poolslow_pool}else{poolfast_pool}}whenRULE_INIT{arrayset::active_clients{}}whenCLIENT_ACCEPTED{setclient_ip[IP::remote_addr]if{[infoexists::active_clients($client_ip)]}{if{$::active_clients($client_ip)5}{rejectreturn}else{incr::active_clients($client_ip)}}else{set::active_clients($client_ip)1}}whenCLIENT_CLOSED{if{[infoexists::active_clients($client_ip)]}{incr::active_clients($client_ip)-1if{$::active_clients($client_ip)=0}{unset::active_clients($client_ip)}}}28ConfiguringiRulesCreateRule29ConfiguringiRules•CreatePoolsfirst•CreateRulenext•ThenpointVStoRule30DevCentral•Officiallysupportedbymarketing–CommunityismostlymadeupofvolunteersespeciallythosefromF5ProductDevelopment.•WhataboutSupport?•WhatcanDevCentraldobetter?•Havingtroublesearching?•Checkthisout:RulesWiki31Labsetup•ConnectWiFi–SSID:MaskedRider–WEP:ab12cd34ef–Channel:6•IPaddress–192.168.0.1-253/24•BIGIPv9–192.168.0.254–Adminlogon:admin/f5training–Trainingwebserver192.168.20.1-3studentno.(192.168.0.X)ipaddressvirtualserversnatIP(192.168.20.x)11112112