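Announcement

Every footprint left since starting from zero in network operations work is something I hope to treasure and share with everyone for mutual encouragement!!!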

 
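When a large batch of configuration has to be applied to an F5, pushing it in bulk directly through the bigpipe shell can easily trigger an HA failover. For this situation F5 provides the bigpipe merge command, which deploys large batches of configuration quickly without causing an HA failover.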
 

How to use bigpipe merge:

Due to this change, each time a bigpipe command is executed, all configuration object types are queried so that the parameters passed to the bigpipe utility can be validated. This results in extra time needed to run the command.
 
Source document: <http://support.f5.com..
2011-10-25 21:28:57
 
We can capture the packets sent to the CPU with the following steps. Doing SPAN this way does not consume CPU.

1. Choose an administratively shut down port for the SPAN source interface
 Router(config)#monitor session 1 source interface <<empty administratively down port>>

2. Choose a destination port and connect the PC to this port
 Router(config)#monitor session 1 destination interface <<sniffer port>>

3. Log into the SP, set the SPA..
2011-05-10 21:05:02
Tags: ASA5585, testing, failover, asdm

1. ASA5585 overview

1.1 ASA5585 performance specifications

[image: clip_image002]

1.2 Goals of this test document

① Master the key deployment techniques and build the ASA5580 best deployment practice;
② Become proficient in ASA5580 operations and maintenance;
③ Design offline and simulate the deployment of the online environment.

1.3 Key test points

① HA deployment in routed mode;
② Global policy;
③ Redundancy interface;
④ Sla track;
⑤ Interface distribute across io-bridge: this refers specifically to the ASA5580 hardware architecture. Deploying the ASA5580 appropriately can improve its performance, whereas the ASA5585 does not have this limitation;
⑥ Two link down;
⑦ Configure virtual mac address to avoid the interruption of network traffic;
⑧ Upgrade software online.

1.4 Several important commands

① write memory;
② write standby;
③ no failover active on the active unit, failover active on the standby unit;
④ asp load-balance per-packet;
⑤ show cpu usage detailed;
⑥ failover key;
⑦ failover reset;

Collection of ASA configuration examples: http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

2. Test topology

2.1 Equipment preparation and simulated topology

Two ASA5585-20 units;
Two L3 switches, using VLAN isolation to simulate the 6 switches in the diagram;
Several network cables;

[image: clip_image004]

2.2 Redundant interface test

Redundant interface concept: a logical interface, the redundant interface, is enabled on the ASA and bound to multiple physical interfaces, one of which is active while the other is backup. Traffic flows over the active interface. When the active interface fails, the backup interface immediately becomes active and takes over the traffic. The configuration is as follows:

    SW1#
    interface Vlan38
     ip address 192.168.255.34 255.255.255.248
    end
    interface GigabitEthernet1/1
     switchport access vlan 38
     switchport mode access
     spanning-tree portfast
    interface GigabitEthernet1/2
     switchport access vlan 38
     switchport mode access
     spanning-tree portfast
    end

    ASA5585-A-D01#
    interface Redundant1
     member-interface GigabitEthernet0/0
     member-interface GigabitEthernet0/1
     nameif Outside2C7609
     security-level 0
     ip address 192.168.255.35 255.255.255.248
    !
    interface GigabitEthernet0/0
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/1
     no nameif
     no security-level
     no ip address

    ASA5585-A-D01# ping 192.168.255.34 repeat 10000
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Success rate is 99 percent (9999/10000), round-trip min/avg/max = 1/1/30 ms

Verification results:

1. The two interconnect ports on the connected switch are not configured as a port-channel:
① When the active interface fails, one ping packet is lost;
② When the failed interface becomes normal again, it does not preempt active mode, and no packets are lost.

2. The two interconnect ports on the connected switch are configured as a port-channel:
③ When the active interface fails, one ping packet is lost;
④ When the failed interface becomes normal again, all packets are dropped.

Therefore, the upstream switch must not be configured with a port-channel.

With a port-channel configured on both the switch and the FW, the test results are:
⑤ When the active interface fails, one ping packet is lost;
⑥ When the failed interface becomes normal again, it does not preempt active mode, and no packets are lost.

------------------------------------------------

Why the redundant interface exists: ASA versions before 8.3 did not support port-channel, so the redundant interface technology was designed. The port-channel implementation clearly has the greater advantage.

2.3 Upgrade software

    ciscoasa# sh disk0:
    --#--  --length--  -----date/time------  path
       13  32768       Apr 01 2011 10:56:16  coredumpinfo
       14  43          Apr 01 2011 10:56:16  coredumpinfo/coredump.cfg
      122  17676288    Apr 01 2011 10:57:20  asa824-smp-k8.bin
      123  14812604    Apr 01 2011 10:57:56  asdm-635.bin
        3  32768       Apr 01 2011 11:02:02  log
       12  32768       Apr 01 2011 11:02:20  crypto_archive
      125  12105313    Apr 01 2011 11:02:30  csd_3.5.841-k9.pkg
      126  32768       Apr 01 2011 11:02:30  sdesktop
      132  1462        Apr 01 2011 11:02:30  sdesktop/data.xml
      127  2857568     Apr 01 2011 11:02:30  anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
      128  3203909     Apr 01 2011 11:02:32  anyconnect-win-2.4.1012-k9.pkg
      129  4832344     Apr 01 2011 11:02:32  anyconnect-macosx-i386-2.4.1012-k9.pkg
      130  5209423     Apr 01 2011 11:02:32  anyconnect-linux-2.4.1012-k9.pkg
    2049605632 bytes total (1985347584 bytes free)

    ciscoasa# copy tftp: disk0:
    Address or name of remote host []? 192.168.1.2
    Source filename []? asa841-smp-k8.bin
    Destination filename [asa841-smp-k8.bin]?
    Accessing tftp://192.168.1.2/asa841-smp-k8.bin...!!!!!!!!!!!!!!!
    ---------------------------------------------------------------------------
    ciscoasa# copy tftp: disk0:
    Address or name of remote host [192.168.1.2]?
    Source filename [asa841-smp-k8.bin]? asdm-641.bin
    Destination filename [asdm-641.bin]?
    Accessing tftp://192.168.1.2/asdm-641.bin...!!!!!!!!!!!!!!!

    ciscoasa(config)# sh disk0:
    --#--  --length--  -----date/time------  path
       13  32768       Apr 01 2011 10:56:16  coredumpinfo
       14  43          Apr 01 2011 10:56:16  coredumpinfo/coredump.cfg
      122  17676288    Apr 01 2011 10:57:20  asa824-smp-k8.bin
      123  14812604    Apr 01 2011 10:57:56  asdm-635.bin
      133  30726144    Apr 27 2011 19:21:18  asa841-smp-k8.bin
        3  32768       Apr 01 2011 11:02:02  log
       12  32768       Apr 01 2011 11:02:20  crypto_archive
      134  15841428    Apr 27 2011 19:23:37  asdm-641.bin
      125  12105313    Apr 01 2011 11:02:30  csd_3.5.841-k9.pkg
      126  32768       Apr 01 2011 11:02:30  sdesktop
      132  1462        Apr 01 2011 11:02:30  sdesktop/data.xml
      127  2857568     Apr 01 2011 11:02:30  anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
      128  3203909     Apr 01 2011 11:02:32  anyconnect-win-2.4.1012-k9.pkg
      129  4832344     Apr 01 2011 11:02:32  anyconnect-macosx-i386-2.4.1012-k9.pkg
      130  5209423     Apr 01 2011 11:02:32  anyconnect-linux-2.4.1012-k9.pkg
    2049605632 bytes total (1938751488 bytes free)

    ciscoasa(config)# boot system disk0:/asa841-smp-k8.bin
    ciscoasa(config)# asdm image disk0:/asdm-641.bin
    ciscoasa(config)# wr
    Building configuration...
    Cryptochecksum: 23e278df 5d9abf13 31493b4e def0294e
    3110 bytes copied in 2.40 secs (1555 bytes/sec)
    [OK]
    ciscoasa(config)# reload
    Proceed with reload? [confirm]
    ciscoasa(config)#

The reboot takes roughly 3 minutes to complete.

Online version upgrade:

    ciscoasa(config)# boot system disk0:/asa841-smp-k8.bin
    ciscoasa(config)# asdm image disk0:/asdm-641.bin
    ciscoasa(config)# wr
    ! reboot the standby unit from the active unit
    ciscoasa(config)#failover reload-standby
    …………
    ! perform the HA switchover
    ciscoasa(config)#no failover active
    ciscoasa(config)# reload

Test result: when reloading directly without first performing the HA switchover, the test lost 4 packets.

2.4 Configure ssh admin

    ! shows the current act/stdb state of the FW in front of the prompt
    prompt hostname state
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.2.1 255.255.255.0
     management-only
    !
    crypto key generate rsa modulus 1024
    ssh 192.168.2.0 255.255.255.0 management
    ssh timeout 30
    ssh version 2
    username asaAdmin password xxxxxx privilege 15
    enable password xxxxxx
    password xxxxxx

SSH client login:
To gain access to the ASA CLI using SSH, enter the username asa and the login password set by the password command. Then enter the username and password defined by the AAA server or local database.

The standby unit can likewise be managed over SSH.

2.5 Configure ASDM admin

    ! the default port is 443
    http server enable 444
    http 192.168.2.0 255.255.255.0 management

The standby unit can likewise be managed through ASDM.

2.6 Using global access rules

[image: clip_image006]

Does this indicate that we can use global access rules directly, without having to configure interface-specific access rules?
Answer: interface-specific access rules are no longer needed, and there is no other impact.

2.7 Implicit permits
2011-01-15 17:02:51
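An added example, not part of the original post: a short Python check over the management-access lines shown in sections 2.4 and 2.5 above, flagging a short RSA modulus, SSH/ASDM access bound to a non-management interface, and over-broad source networks. The function name, the 2048-bit minimum and the /24 limit are assumptions of this example, and the sample config is constructed from the lines in the post.

```python
import ipaddress
import re

# Constructed sample: the management-plane lines from sections 2.4 and 2.5.
SAMPLE_CONFIG = """\
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
crypto key generate rsa modulus 1024
ssh 192.168.2.0 255.255.255.0 management
ssh timeout 30
ssh version 2
http server enable 444
http 192.168.2.0 255.255.255.0 management
"""

MIN_RSA_BITS = 2048   # assumed policy threshold, not taken from the post
MIN_PREFIX_LEN = 24   # assumed: widest source network accepted for admin access

ACCESS_RE = re.compile(r"(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit_management_plane(config, mgmt_if="management"):
    """Return sorted findings for the SSH/ASDM access lines of an ASA config."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for line in lines:
        m = re.match(r"crypto key generate rsa .*modulus (\d+)", line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"weak-rsa-modulus:{m.group(1)}")
        m = ACCESS_RE.match(line)
        if m:
            proto, net, mask, ifname = m.groups()
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            if ifname != mgmt_if:
                findings.append(f"{proto}-on-non-mgmt-interface:{ifname}")
            if network.prefixlen < MIN_PREFIX_LEN:
                findings.append(f"{proto}-source-too-broad:{network}")
    # ASA 8.x accepts SSH v1 and v2 unless "ssh version 2" is configured.
    if any(ln.startswith("ssh ") for ln in lines) and "ssh version 2" not in lines:
        findings.append("ssh-v1-not-disabled")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print(finding)
```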
In BIG-IP version 10.2 hf1.0, when you click persist statistics in the GUI and there are a large number of persist entries, the GUI will crash. However, there is no impact on your production service.
You can then restart the httpd daemon. If that does not work, restart the tomcat daemon too. The GUI will then recover.
In CLI:
 bigstart status
 bigstart restart httpd
 bigstart restart tomcat
2011-01-15 16:38:47
Below is an explanation of each daemon in the BIG-IP system. For details see: http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8035.html?sr=12130346
The BIG-IP system daemons perform a variety of functions, such as managing load-balanced traffic, configuring and controlling the switch chips, monitoring the health and performance of pool members, and performing high availability failover actions.

BIG-IP services belong to one of two categories: core daemons, which start up when you boot the BIG-IP syst..


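For details see: https://support.f5.com/kb/en-us/solutions/public/3000/200/sol3242.html
F5's CPU allocation design
Before describing how F5 designs CPU allocation, TMM needs to be explained. TMM is the Traffic Management Microkernel. Since 9.0, all load-balanced traffic on F5 is handled by TMM, whereas earlier versions used the kernel.

Design for single-core CPU systems:
BIG-IP 9.0.0 through 9.3.1: the TMM process occupies the entire CPU. When TMM is idle, it releases 99% of the CPU for other processes to do their work; when TMM is processing traffic, it releases only 20% of the CPU for other processes. As a result, the output of the system top command is quite likely to show 100% CPU usage. F5 officially..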
Excerpted from http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7301a.html; the full content of that link follows. The BIG-IP system is a secure device in its default configuration. The BIG-IP system denies all traffic except for the traffic types that you specifically identify, which provides for enhanced security because you control the traffic that is allowed to pass through the BIG-IP system based on the configuration. Although the BIG-IP system is designed as a deny-by-default device, configurati..
2010-11-22 00:11:11
The meaning of SSL TPS is intricate, and it confused me for a long time. TPS means transactions per second, but what is the true meaning of a transaction in SSL? As we all know, there are two leading products, F5 BIG-IP and NetScaler. How do these two manufacturers explain SSL TPS? How is SSL TPS explained in BIG-IP? On F5, the maximum TPS is a purchased license. Usually it has a small TPS by default, and you can check the maximum number of clientside SSL TPS with this command..
Tags: f5-ltm, performance graphs missing, uptime 497

Regarding the case where the performance graphs of an F5-LTM device suddenly disappear (while everything else is normal, including production traffic and the related SNMP monitoring): searching for related cases through http://tech.f5.com shows that this is a known issue. For details see: http://support.f5.com/kb/en-us/solutions/public/7000/000/sol7036.html

This is the result of a known issue which exists in the Linux 2.4 kernel used by some versions of BIG-IP. Affected Linux 2.4 kernels compute the system uptime based on the internal jiffies counter, which counts the ..
2010-08-08 22:23:19
Most manufacturers would simply attempt to use SMP to distribute TMOS process across multiple processors—with shared memory, network card, and special purpose processors. Others might attempt to run multiple instances of the TMM on different processors—still with the requisite shared memory, network card, and special-purpose processors. Instead, CMP (clustered multiprocessing) enables load balancing of multiple processing cores, each with its own dedicated memory, network interface, and special-purpose processors. Each core runs its own, completely independent TMM process. By separating the dependencies between the instances, CMP allows more of the traffic management process, virtually the entire process, to be parallelized. This provides a substantial benefit to the overall performance of the system. The hardware that enables CMP is comprised of two important, proprietary F5 technologies: the Disaggregator and the High Speed Bridge (HSB).