F5命令行配置配置手册
bigstart Restarts the SNMP agent bigsnmpd. bigtop Displays real-time statistics.
Config Configures the IP address, network mask, and gateway on the management (MGMT) port.
Use this command at the BIG-IP system prompt prior to licensing the the BIG-IP system, and do not confuse it with the bigpipe config command or the BIG-IP Configuration utility.
halt Shuts down the BIG-IP software application.
hostname Displays the name you have given to the BIG-IP system.
printdb Prints the values of one or more entries in the bigdbTM database. reboot Reboots the BIG-IP system.
ssh and scp Access command line interfaces on other SSH-enabled devices, and copy files to or from a BIG-IP system.
自定义Bigpipe shell名称
bp> shell prompt
bp> shell prompt BIG-IP>
系统Shell名称将变成:
BIG-IP>
此特性避开此限制,在Linux命令前加”!”.
BIG-IP>!ls //查看目录
BIG-IP>!ifconfig //查看接口配置
?Routes
?Self IP addresses
?Packet Filters
?Trunks (802.3ad Link Aggregation)
?Spanning Tree Protocol (STP)
?VLANs and VLAN groups
?ARP
配置Packet Filtering
命令: bigpipe packet filter
你可以定义一个包过滤规则来提供访问控制,速率shaping,审计. 配置路由
命令:route (
F5的Show Tech
[root@XXXX:Standby] config # qkview
Getting systemwide backup configuration files.
Getting AOM information.
Getting last 175 lines of log files.
Getting last 175 lines of gzipped log files.
Getting md5 sum information.
Getting core file list.
Getting Public Certificate information.
Getting tmctl information.
completed... 6 of 161 checks produced no data
Diagnostic information has been saved in file /var/tmp/https://www.wendangku.net/doc/e96028520.html,-tech.out Please send this file to support@https://www.wendangku.net/doc/e96028520.html,.
bigtop - display real-time statistics
-bytes display counts in bytes (vs bits)
-pkts display counts in packets (vs bits)
-reqs display counts in requests (vs connections)
-vips
-nodes
-once print once and exit
-delay
-scroll disable full-screen mode
-nosort disable sorting
-conn sort by connection count (vs byte count)
-delta sort by count since last sample (vs total)
-n print IP address and services in numeric format
-vname display virtual servers by name (vs IP address)
-help, -h print this message
日志文件系统
1. Access the BIG-IP system prompt.
2. Stop the BIG-IP system or put the system into a safe condition such as standby mode using the bigstart stop command.
3. Type the following command:
resize-logFS
This command prompts you for the desired file size in gigabytes.
4. At the prompt, type an integer.
The minimum allowed value is 1, and the maximum allowed value is 10.
A prompt appears that allows you to confirm the specified file size.
5. Type Y.
A message appears, notifying you of the need for the BIG-IP system to perform a reboot, followed by a prompt, which allows you to permit the reboot operation. Note: Prior to rebooting, the BIG-IP system verifies that the integer you typed in step 3 is within the allowed range, and checks to ensure that enough disk space exists for the specified size.
6. Type Y.
A confirmation prompt appears.
7. Type Y.
The system displays messages indicating that the reboot operation is about to occur.
8. Wait for the reboot operation to finish.
When the system becomes available again, the newly-specified disk space for the log file will be in effect.
WARNING
Do not delete the files: /shared/.LoopbackLogFS and /shared/LogFS_README, because this action deletes all of your log files.
启用/禁用虚拟服务或虚拟地
To enable or disable a virtual server, use the appropriate command syntax:
bp> virtual
To enable or disable a virtual address, use the appropriate command syntax:
bp> virtual address
从服务中移出单个的Node
You can remove an individual node from service, or return an individual node to service from the bigpipe shell command line.
To remove an individual node from service, use the following command:
bp> node
To return an individual node to service, use this command:
bp> node
查看修改F5系统配置文件
器来编辑或者查看这些文件,当你没有条件使用浏览器时,有时候修改配置文件很有必要.这就需要F5的无浏览器配置模式和命令行配置模式
Important:
在你编辑完bigip.conf or bigip_base.conf 重启MCPD service之前, 你必须运行bigpipe load 确保MCPD service 使用的是当前的配置数据
alert.conf Stores definitions of SNMP traps (system default alerts).
user_alert.conf Stores definitions of SNMP traps (user-defined alerts).
/config/bigip.conf Stores all configuration objects for managing local application traffic, such as virtual servers, load balancing pools, profiles, and SNATs.
Note that after you edit bigip.conf, and before you restart the MCPD service, you must run the bigpipe load command.
/config/bigip_base.conf Stores BIG-IP self IP addresses and VLAN and interface configurations. Note that after you edit bigip_base.conf, and before you restart the MCPD service, you must run the bigpipe load command.
/config/bigip.license Stores authorization information for the BIG-IP system.
/etc/bigconf.conf Stores the user preferences for the Configuration utility.
/config/bigconfig/openssl.conf Holds the configuration information for how the SSL library interacts with browsers, and how key information is generated.
/config/user.db Holds various configuration information. This file is known as the bigdb database. /config/bigconfig/httpd.conf Holds configuration information for the web server.
/config/bigconfig/users The web server password file. Contains the user names and passwords of the people permitted to access whatever is provided by the webserver.
/etc/hosts Stores the hosts table for the BIG-IP system.
/etc/hosts.allow Stores the IP addresses of workstations that are allowed to make administrative shell connections to the BIG-IP system.
/etc/hosts.deny Stores the IP addresses of workstations that are not allowed to make administrative shell connections to the BIG-IP system.
/etc/rateclass.conf Stores rate class definitions.
/etc/ipfwrate.conf Stores IP filter settings for filters that also use rate classes. /etc/snmpd.conf Stores SNMP configuration settings.
/etc/snmptrap.conf Stores SNMP trap configuration settings.
/config/ssh Contains the SSH configuration and key files.
/etc/sshd_config This is the configuration file for the secure shell server (SSH). It contains all the access information for people trying to get into the system by using SSH.
/config/routes Contains static route information.
[root@ISAG-2:Standby] config # find_keys
ISAG-2 koradsatn. omtitra eod
ISAG-2 junl trig Cmi nevl5scnsdt md.6koradsatn. omtitra eod
Found license key JTPBO-CHRSX-DGBIO-HOAHJ-MOZJEVA
License file location is: /sda.1/config/bigip.license
Found license key JTPBO-CHRSX-DGBIO-HOAHJ-MOZJEVA
Unmounting unneeded partitions... ISAG-2 junl trig Cmi nevl5scnsn Cmi nevl5scnsree aamd.<>junl trig Cmi nevl5scns<6>EXT3-fs: mounted filesystem with ordered data mode.
ISAG-2 junl trig Cmi nevl5scns<6>kjournald starting. Commit interval 5 seconds
complete
Above information can be found in /tmp/keys.out
Managing Local Application Traffic
?Setting up load balancing
?Controlling HTTP traffic
?Implementing HTTP and TCP optimization profiles
?Authenticating application traffic
?Implementing persistence
?Enhancing the performance of the BIG-IP system
?Managing health and performance monitors
?Implementing iRules
设置VirtualServer负载均衡
1. Decide what types of traffic you want the BIG-IP system to manage, as well as whether you want to implement session persistence, connection persistence, and remote authentication.
2. For each decision in step 1, decide whether you want to use the corresponding default profile that the BIG-IP system provides, or whether you want to create a custom profile.
3. Access the bigpipe shell.
4. If you want to create custom profiles, use the profile command, specifying the appropriate type of profile as an argument. If you do not want to create custom profiles, skip this step.
5. Create one or more load balancing pools, using the pool command.
6. Create a virtual server, using the virtual command, and assign to it any profiles and pools that you created. If you are using default profiles, some of those profiles might already be assigned to the virtual server by default.
配置克隆Pool
克隆Pool设计是用于入侵检测,你可以针对一个VS设置一个克隆Pool,这个克隆的VS接收世的流量和普通Pool一样,你就可以复制流量到入侵检测系统中.
1. Access the bigpipe shell.
2. Use the virtual command, to create or modify a virtual server, specifying a value for the clone pool argument.
配置最后一跳Pool
默认,BIG-IP系统自动启用最后一跳特性是,如果你想禁用这个特性.然后自己手工定义一个最后一跳路由器,你可以建立一个最后一跳pool并且指定其属于某个VS当中.
1. Access the bigpipe shell.
2. Use the pool command to create a last hop pool that contains the router inside addresses.
3. Use the lasthop pool argument with the virtual command to assign the last hop pool to a virtual server.
If you have not assigned an SSL profile to the virtual server, use the profile argument with the virtual command to assign the profile to the virtual server.
配置SNATs
这里有两种基础方法来建议一个SNAT,你可以直接将一个转换地址委派给一个或多个源IP地址,或者你可以配置一个SNAT pool,然后委派这个SNAT pool到某个源IP地址,在较新的版本中,BIG-IP自动从SNAT Pool中选择一个转换地址
Note that you can assign these types of mappings from within an iRule.
To map a single translation address to an original address
1. Access the bigpipe shell.
2. Designate an IP address as a translation address, using the snat translation command.
3. Map the translation address to one or more original IP addresses, using the snat command or the rule command.
To map a SNAT pool to an original address
1. Access the bigpipe shell.
2. Create a pool of translation addresses (that is, SNAT pool), using the snatpool command.
3. Map the SNAT pool to one or more original IP addresses, using either the snat command or the rule command.
配置HTTP traffic
你可以配置BIG-IP来控制HTTP流量:配置HTTP压缩,HTTP请求重定向,HTTP请求重写,插入和插除HTTP头,启用或者禁用cookie加密和SYN cookie支持,配置HTTP 类Profile, HTTP响应数据组块控制.
Configuring HTTP compression
配置BIG-IP系统压缩HTTP 服务响应
1. Access the bigpipe shell.
2. Configure the compression-related settings of an HTTP profile,using the profile http command.
3. Assign the HTTP profile to a virtual server, using the virtual command.
Redirecting HTTP requests
你可以配置HTTP Profile来重定向HTTP请求,并且在这个Profile中定义一个Fallback主机
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the fallback argument. You can specify either a URI or the default fallback host, or you can specify that you want no HTTP redirection.
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.
Rewriting HTTP redirections
你可以配置HTTP Profile来重写HTTP的重定向规则
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the redirect rewrite argument.
For example, to create a profile that only rewrites URIs matching the originally requested URI (minus an optional training slash), use the following syntax:
profile http myHTTPprofile { redirect rewrite matching }
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.
Inserting and erasing HTTP headers
你可以配置HTTP Profile来插入一个头文件到HTTP请求,或者从HTTP请求中移出一个头文件
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for either the header insert, header erase, or insert xforwarded for options.
3. Verify that the HTTP or Fast HTTP profile you created or modified is assigned to a virtual server.
Enabling or disabling cookie encryption
你可以使用Profile http中的两个选项来启用或者禁用cookie加密
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the encrypt cookie and cookie secret options.
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.
Enabling or disabling SYN cookie support
为了管理DOS攻击,你可以在一个Fast L4 Profile中配置SYN Cookie选项启用或者禁用SYN Cookie支持功能◆如果BIG-IP系统包含了Packet Velocity ASIC (PVA)技术,使用profile fastl4命令,定义一个hardware syncookie(enable | disable | default)选项,同样,你可以根据需求设置以下的变量通过db命令.
?pva.SynCookies.Full.ConnectionThreshold (default: 500000)
?pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
?pva.SynCookies.ClientWindow (default: 0)
值得注意的是这个hardware syncookie 特性目前只可用于D84和D88平台.在其实平台设备这个特性无效.所以如果你在D84和D88上设置software syncookie 特性,SYN Cookie只通过软件处理
◆如果BIG-IP系统不包含Packet Velocity ASIC(PVA)技术,使用profile fastl4 命令,指定为software syncookie (enable | disable | default) option.
Configuring the HTTP Class profile
BIG-IP系统包含一种Profile叫做HTTP Class Profile,你可以使用你定义的标准来用分类HTTP流量,当你分类流量的时候,你转地流量的原则是根据审查目标流量的头文件或者内容来定.
如果BIG-IP系统包含Application Security Manager (ASM)或者WebAcclerator模块,你可以配置系统来先发送HTTP流量到那个模块,然后再发送到最终目标,例如,你可以使用HTTP Class Profile来对Virtual Server下命令,要求它发送流量先经过ASM然后再转发到负载均衡Pool.
Unchunking and rechunking HTTP response data
如果你想要监控内容你可以取消或者重新对HTTP响应进行组块操作,只需要配置HTTP Profile来启用unchunking功能.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile and specify the response argument.
3. Make sure that you have assigned the HTTP profile to a virtual server, using the virtual command.
你能够设备的保持有以下几种:
实施Session保持
?Cookie
?Destination Address Affinity
?Microsoft Remote Desktop Protocol (MSRDP)
?Hash
?Session Initiation Protocol (SIP)
?Source Address Affinity
?SSL
?Universal
具体操作:
1. Access the bigpipe shell.
2. Create a persistence profile, using the profile command, that corresponds to the type of persistence you want to implement.
3. Assign the persistence profile to a virtual server, using the persist and fallback persist arguments with the virtual command.
实施连接保持
为了实施连接保持,你可以添加一个Keep-Alive头文件到HTTP /1.0头文件里(如果不存在).(默认HTTP/1.1连接包含Keep-Alive支持),你同样可以启用connection pooling特性,它可以保持服务器端的连接打开,重新用来供其它客户端请求所使用.你可以通过修改HTTP或者Fast HTTP Profile文件来启用keep-alive支持和Connection pools.同样可以修改OncConnect Profile来实现.
To add Keep-Alive headers into HTTP requests
1. Access the bigpipe shell.
2. To ensure that HTTP connections stay open, use the profile http command and specify the oneconnect transformations argument. This ensures that the BIG-IP system inserts a
Connection:Keep-Alive header into any HTTP /1.0 request that does not already contain one.
3. Make sure that you have assigned the HTTP or Fast HTTP profile to a virtual server, using the virtual command.
To enable connection pooling
1. Access the bigpipe shell.
2. Using the profile oneconnect command, configure a profile for connection pooling.
3. Assign the profile to a virtual server, using the profile argument with the virtual command.
小提示:
你同样可以通过配置Fast HTTP Profile来配置连接保持,在BIGPIPE SHEEL中使用fasthttp命令.
加强BIG-IP性能
BIG-IP系统.
设置连接Qos和数据包TOS等级
你可以使用bigpipe工具来设置QoS和TOS等级,你不仅可以对所有具有目标负载均衡Pool的流量做,同时你也可以对自定义的流量做,例如:Layer 4 ,TCP 和UDP流量.
1. Decide whether you want to set QoS and ToS levels for traffic targeted for an entire pool or for specific types of traffic, or both.
?If you want to set the QoS and ToS levels for an entire pool, access the bigpipe shell and use the pool command with one or more of the following arguments: link qos to client, link qos to
server, ip tos to client, and ip tos to server.
?If you want to set the QoS and ToS levels for certain types of traffic, access the bigpipe shell and use the profile command to create or modify a Fast L4, TCP, or UDP profile.
2. Verify that the pool or the profile that you created or modified is assigned to a virtual server. To do this, use the following syntax:
bp> virtual
设置空闲超时时间(Idle timeout time)
或者修改一个Fast L4,Fast HTTP,TCP,或者UDP Profile.
1. Create or modify a Fast L4, Fast HTTP, TCP, or UDP profile, by accessing the bigpipe shell and using the profile command.
2. Specify the idle timeout argument to set a timeout value.
3. Verify that the profile you created or modified is assigned to a virtual server.
实施速率整形
Virtual Server或者Packet Filter规则中.
1. Access the bigpipe shell.
2. Create one or more rate classes, using the rate class command.
3. Assign the rate classes to a virtual server or a packet filter rule, using either the virtual command or the packet filter command.
Implementing iRules
iRule特性强大而灵活,值得注意的是它可以增强BIG-IP系统能力.一个iRule可以引用任意object,它不管这个被引用的object处理哪个分区里.例如;一个iRule属于分区A,但包含指定一个Pool属于分区B的语句.
1. Access the bigpipe shell.
2. Create an iRule using the rule command. You must include the name of the Tcl script and the script itself as arguments for the command.
3. Assign the iRule to a virtual server, using the virtual command in one of the following ways:
?To associate multiple iRules with a virtual server, use this syntax:
bp> virtual
?To remove the assignment of an iRule from a virtual server, use this syntax:
bp> virtual
?To remove the iRule assignments from multiple virtual servers, use the following syntax. Note that you can remove the iRule assignments only from virtual servers that reside in the current Write partition or in partition Common.
bp> virtual all rule none
?To associate an existing iRule with multiple virtual servers, use the following syntax. Note that you can associate an iRule only with virtual servers that reside in the current Write partition or in partition Common. bp> virtual all rule
Important: In this case, the iRule becomes the only iRule that is associated with each virtual server in the current Write partition. Because this command overwrites all previous iRule
assignments, we do not recommend use of this command.