F5 101 – Part 3: Maintaining Application Delivery Controller (ADC) Part 2

  1. Monitoring Demo Part 3

So in the GUI we are here on the Virtual Server list page. If I hit refresh, you will see that test_vs is now gone, okay? Because we deleted it in tmsh. Now I just want to show you how to view statistics: under the Statistics module, go to Module Statistics and then Local Traffic. You have many different options here. If I select Virtual Servers, you will see the bits, the packets and the connections per virtual server. And if you want to view the details, you can just click this details link. These details are also what we can see in tmsh; I will show it to you in a bit. Right now, if I click Virtual Addresses, this is a specific IP. So if there are two or three virtual servers using the same IP address, there is just one virtual address. We also have pools. This is what we use most of the time in our load balancing testing. We also have iRules. We tested this once: when we were doing iRules, we saw the total executions of a specific iRule incrementing. Okay? We also have nodes, as you can see.

We have statistics for the bits, the packets and the connections on a per-node basis. We also have translations. We’re going to talk about translation in the next few videos. Now I want to show you the CLI version of those statistics. I need to go to tmsh, and under tmsh I need to go to the ltm module, let’s say virtual server. If I do show, this will give me the statistics. As you can see, the availability is unknown because we haven’t associated a health monitor, and you see the bits in and out, the packets in and out, the current connections and the maximum connections.

Now, if I go to the pool component and do show, it gives us the same kind of output. The thing about this is that it doesn’t give us the pool member specific statistics. You only see the availability, yes, and the available members. We have three pool members in this pool. We also have bits in and out, packets in and out. But I don’t see the statistics for pool members one, two and three. Why is that? Well, because you still need to add detail. If I add detail, as you can see, it will give us statistics per pool member. Okay? Pool member one, pool member two, and this is pool member three. Now, we also have another option. If I do show members, this will also give me the pool member statistics view. So we’ve already compared the GUI statistics and the CLI statistics. We also showed you how to create and delete configuration objects using the CLI, tmsh. Okay, now here’s the question. Why do we need to use the CLI? Because the CLI, maybe to you or maybe to me, is a little more complex. It’s more difficult to manage and sometimes it’s a bit confusing. Why do we need the CLI?

Well, first, there are some commands or some output that are only available in the CLI, but that is for more advanced purposes or advanced tasks. Now for me, with the CLI and CLI tools, especially in the Advanced Shell, we can use tcpdump, we can use grep, we can add scripts. That is one advantage, and we can only do that in our Advanced Shell, and that is via the CLI. Now, for tmsh, there is one good reason why you want to use tmsh and not the GUI.

Okay, let’s say we have 20 or 50 virtual servers and you need to do something on those virtual servers. Let’s say we need to enable automap for every single virtual server. Which one is easier? You click every single virtual server in your GUI and enable automap, or you just go to the CLI and from there change the automap configuration by creating a template, editing it in a notepad, and copy-pasting it back into your tmsh. In a few seconds you can actually get the configuration or your task done. But if you do that in the GUI, it may take a little while, because clicking through many virtual servers is not so easy and it’s not very fast. So tmsh is really good if you are doing bulk configuration changes.
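The bulk automap change described above, as an added example that is not part of the course material: it turns a saved `list ltm virtual one-line` listing into a reviewable batch of tmsh commands instead of applying anything directly. It goes slightly beyond the text by leaving virtual servers that already use a SNAT pool untouched and flagging them for review. The virtual server names, addresses and the `app_snat` pool are constructed, and the script assumes the listing omits `source-address-translation` when it is at its default.

```shell
#!/bin/sh
# Added example: generate tmsh commands that enable SNAT automap on every
# virtual server that does not already have a source-address-translation
# setting. Nothing is applied here; the output is meant to be reviewed
# and then pasted into tmsh.

# Constructed sample of `list ltm virtual one-line` output (made-up objects).
sample_virtuals() {
  cat <<'EOF'
ltm virtual vs_web01 { destination 10.10.1.100:http ip-protocol tcp mask 255.255.255.255 pool web_pool profiles { tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled }
ltm virtual vs_web02 { destination 10.10.1.101:http ip-protocol tcp mask 255.255.255.255 pool web_pool profiles { tcp { } } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }
ltm virtual vs_app01 { destination 10.10.1.102:https ip-protocol tcp mask 255.255.255.255 pool app_pool profiles { tcp { } } source 0.0.0.0/0 source-address-translation { pool app_snat type snat } translate-address enabled translate-port enabled }
EOF
}

# Reads one-line virtual server definitions on stdin, writes tmsh commands.
gen_automap_cmds() {
  while read -r module component name rest; do
    [ "$module $component" = "ltm virtual" ] || continue
    case "$rest" in
      *"source-address-translation { type automap }"*)
        ;;  # already automap, nothing to change
      *"source-address-translation {"*)
        # A different SNAT setting exists; do not overwrite it silently.
        echo "# REVIEW: $name already has a non-automap SNAT setting, left unchanged" ;;
      *)
        echo "modify ltm virtual $name source-address-translation { type automap }" ;;
    esac
  done
  # Persist the running configuration once the batch has been applied.
  echo "save sys config"
}

sample_virtuals | gen_automap_cmds
```
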

  1. Device and Software Upgrade Part 1

If you think viruses and malware can only exist on your PCs or desktops, well, think again. These viruses can also exist in your network and security appliances. And it’s even worse, because your network devices can easily spread viruses, since their traffic is already directly connected to your endpoint devices such as servers and PCs. Now to resolve these security vulnerabilities, all you need to do is upgrade your software. We also have bugs, and these may also exist in your software and operating system. They can exist in a Microsoft operating system such as Windows or in any Linux distro. They may also exist in your network and security appliances, and these bugs are very common. To resolve a bug issue, all you need to do is upgrade your software. We also have available features. Now in an appliance or a software application there will always be additional features. It can be security, it can be a new policy, it can be a new feature such as automation, okay? Or any GUI options or new GUI configuration options.

Now to get these new features, what do you need to do? Upgrade your software. We also have tech support, or technical support. Have you ever tried calling your technical support team and they ask you what the current installed image is? And sometimes they will tell you your software image is outdated and they can no longer support it. It really depends on the vendor. Sometimes they will recommend upgrading your software image to a specific version. Okay, but again, the reason why you are calling is because you are experiencing issues. Sometimes the only resolution to those issues is, guess what? You’re right. Upgrade your software. F5 Platform Lifecycle: this is the policy that defines the stages of the life cycle from initial release through retirement. This policy also describes the levels of support available for customers.

As you see, we have the End of Software Development, and this marks the end of regular support. It is also the beginning of our extended support, and after that it will cease considering the repair and maintenance of confirmed software or firmware defects. By default, the End of Software Development date is three years after the End of Sale. Here are the recommended steps for upgrading our F5 BIG-IP software. So first you need to determine which software version you need to use, so you can download it from downloads.f5.com. You may also refer to my other course titled Building F5 BIG-IP Lab for Free to know more about creating an account and downloading software images. Now, prepare for the software upgrade by, obviously, logging into your BIG-IP device, and it is also recommended to access your device via console. So we’re also going to import the BIG-IP configuration, or you can just save or archive your existing configuration. We also have HA support during the upgrade; well, this is if you have a high availability pair or setup. Then there is upgrading software on a vCMP system.

So guys, this will be skipped in our lab demo because we’re doing it in standalone mode and we don’t have a vCMP system. Now, install and upgrade to a new volume over an existing volume. The process of installation is: first we’re going to import the new software image, and we’re going to create a new volume for our HD. HD1 is already taken, so we’re going to use HD1.2, and then we proceed with the actual installation. Now, the software installation is a long process. One part of the process is that it will reboot our device. This may take a couple of minutes or even more. Okay? And once you verify that the booting is complete, you may now log in, and from your GUI or CLI you can verify if the new version is now running correctly. Now, to import the new software image you may go to the System module and select Software Management.

And as you can see, there is an Import button here. You have to click it and select the image version that you want to import and then later install. So this is the new version. We click the Import button and it will start importing. This may take a couple of minutes or even more. Now, once the image has been uploaded you need to check this tick box and click Install. But it will ask you to specify the volume on a specific hard drive. So in our case we’re using HD1.2, and we click Install. Now, this is to verify that the installation is progressing.

Now, after the installation has been completed you need to go to the boot locations and verify that the new software version is now installed on our new volume, HD1.2. Now, it is not activated yet because, as you can see, the currently running version is still 13.1.3. We need to click this link and we need to verify that we are upgrading from version 13.1 to version 14.1. We can also optionally copy the configuration from the old software image to the new software image, and then click Activate. Now, once the activation process is complete, we can verify if the new image is now running. You may go to the System module, Configuration, General, and from here we verify that software version 14.1 is running. You can also log into the CLI, tmsh, to verify the status of the software images.
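One way to script the CLI verification mentioned above, as an added example that is not part of the course material: it parses the table printed by `tmsh show sys software status` and reports whether the new volume is installed, complete, on the expected version and actually the active boot volume. The sample output, including the build numbers and the 14.1.0 patch level, is constructed; `verify_volume` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: check software status output after an upgrade.

# Constructed sample of `tmsh show sys software status` output.
# $1 is the Active flag to show for HD1.2 (yes/no).
sample_status() {
  new_active=$1
  old_active=yes
  if [ "$new_active" = yes ]; then old_active=no; fi
  cat <<EOF
---------------------------------------------------
Sys::Software Status
Volume  Product  Version  Build    Active  Status
---------------------------------------------------
HD1.1   BIG-IP   13.1.3   0.0.6    $old_active     complete
HD1.2   BIG-IP   14.1.0   0.0.116  $new_active     complete
EOF
}

# Usage: verify_volume VOLUME VERSION < status_output
# VERSION may be exact (14.1.0) or a release prefix (14.1).
# Returns 0 only if VOLUME is complete, on VERSION and active;
# 1 if it is present but not ready; 2 if the volume is missing.
verify_volume() {
  awk -v vol="$1" -v want="$2" '
    $1 == vol {
      found = 1
      if ($3 != want && index($3, want ".") != 1) {
        print "FAIL: " vol " has version " $3; bad = 1
      } else if ($6 != "complete") {
        print "FAIL: " vol " install status is " $6; bad = 1
      } else if ($5 != "yes") {
        print "WAIT: " vol " is installed but is not the active boot volume"; bad = 1
      } else {
        print "OK: " vol " is running " $3
      }
    }
    END {
      if (!found) { print "FAIL: volume " vol " not found"; exit 2 }
      exit bad
    }'
}

sample_status no  | verify_volume HD1.2 14.1 || true   # installed, not activated
sample_status yes | verify_volume HD1.2 14.1           # after activation and reboot
```
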

  1. Device and Software Upgrade Part 2

There are many reasons why you want to do a device upgrade. First is software compatibility. We have a link here, so let’s visit it. We are now in the F5 hardware/software compatibility matrix. If I scroll down you will see the compatibility matrix for BIG-IP iSeries platforms. Let’s go down and check the BIG-IP standard series platforms. As you can see, some of the models like 1601, 600, LC and 3600 900 are all End of New Software Support and End of Software Development, and these models do not even support upgrading to 13.x, 14.x and 15.x software. They are limited to only up to 12.x. Now there are also devices that are End of New Software Support, and these will still be supported for maybe, more or less, two or more years. We have compatibility still up to 15.x, so this is fine. Now the 800 platform, surprisingly, even though it’s End of New Software Support and End of Software Development, you can still upgrade up to 14.x.

Now if I scroll down further we have the 10000 and the 10200v. They are End of New Software Support and can still be upgraded up to 15.x. Another reason is hardware-specific features. Let’s say you have an existing BIG-IP device and it doesn’t have the vCMP feature, and your company or your management requires you to enable vCMP because you want to create multiple BIG-IP instances running multiple software versions. So what you need to do is find hardware that supports vCMP. Let’s say you also have a Virtual Edition BIG-IP device. Now these Virtual Edition BIG-IP devices only run in software, and obviously they don’t have PVA and SSL acceleration. So if you require these features, the only option you have is to upgrade your BIG-IP to a hardware platform.

We also have workload requirements. So let’s say you have an existing BIG-IP and you purchased it when your company was still small, and after a year or two your business has grown and the traffic from many different clients is always busy. So your existing hardware specifications are not enough for your current environment. The only options you have are either to purchase a new device or devices, or to upgrade your hardware platforms. Now you may use another piece of hardware for an active-standby setup, or, to make it scalable, especially for redundancy, you can do an Active-Active or N+1 setup. Best practices for upgrading hardware or software: personally, I recommend opening a case first, because they can also advise whether your hardware is recommended for a software or hardware upgrade, and the idea of having someone or a team that will support you during the upgrade is always good. Imagine if you are experiencing issues while doing a hardware or software upgrade. At least you have someone or a team to rely on for configuration issues or even security and bug related issues. Second is release notes. Now, this is the easiest task among all of these in the list, because you can do this anytime or almost any time: during a break, before going to sleep, or even during the upgrade. License: well, always verify if the license is compatible with the new software or the new hardware. iHealth: we’re going to talk about iHealth in a bit, but iHealth is a tool for us to monitor and verify if our BIG-IP requires an upgrade, both hardware and software. It also provides us with diagnostics. It will tell us about some potential security risks, bugs, and other useful information.

Before doing upgrades, it is always best to save or archive your configuration, because if something goes wrong, at least your configuration or last known configuration is saved and you can always restore it. And lastly, after the upgrade, it is a best practice to test if your configuration still exists and if your application objects are still working properly. I have here a pair of BIG-IP devices. Now, our task is to upgrade the second and the first BIG-IP devices. Now, assuming this is the Active device and this is the Standby, my personal recommendation is, again, open a case. And the reason is that if there’s something wrong during the upgrade, you already have support. Whether it’s a configuration issue or a bug related issue, someone will assist you. And release notes: you can do this any time before the upgrade process. So that is my personal recommendation. Read the release notes for things like compatibility, or whether there is an existing bug in this particular software version. And UCS archive, saving the configuration. This is very important. Imagine the device failed during the upgrade and now you need to restore your previous configuration. If you didn’t save it, you have another problem.

Well, in this case, you can do this because it’s active-standby. Assuming that the Active device is working properly, you can always push the configuration to the second device. But a UCS archive is always recommended before doing an upgrade. All right, since we’re doing Active and Standby, we do the upgrade first on the Standby device. Why? Because the Active device is already receiving and sending traffic to the clients and to our servers. Upgrading the Standby device is better because if there’s something wrong on the Standby device, there will be no impact on our network and applications. Okay? Now, when you do the upgrade, always make sure that the load is active on the Active device, right? Because you may be doing Active-Active and there’s a traffic group that is active on the second device. Make sure that you fail over that traffic group to the first device. Okay? Make sure the second device, at least in this case, is running 100% Standby.

Now, when you do an upgrade, always make sure that you have the correct components, such as the software. What else? If you’re doing a hardware upgrade, always make sure that all of the hardware components are with you. Now, before completing the upgrade, one more thing. When you’re doing an upgrade, or before doing an upgrade, always make sure that you have console access. Why is that? Because in the process of the upgrade, you may lose your management connectivity. And take note, during the software upgrade, it will reboot your device. What if there’s something wrong during the boot process? Okay, so console access is a must. There are also some potential issues where the GUI may not work, and maybe SSH as well. So if these management applications, HTTPS and SSH, are not working, at least you already have access via console. So I will add console access here. Now, assuming the software upgrade is already successful, and as I mentioned, this will reboot your BIG-IP device.

Now let’s say it booted properly. You can now access your BIG-IP device again via the GUI. The first thing you need to do is verify if the software version is correct. Next is to verify if the configuration is still there. But if the configuration is not there, you can do a push or a config sync from the first BIG-IP device to the second BIG-IP device. Now, let’s say the configurations exist and you didn’t experience any issues, but you still don’t know 100% if these configurations are working. What I recommend is this. Create test objects: virtual servers, pools and even iRules or SNATs, profiles. Create test objects and put them in a traffic group, let’s say traffic group two or traffic group three. Make that traffic group active on the second device. Okay? And allow clients to test if they are working properly. Especially iRules, because in the past I experienced iRule issues after a software upgrade; some of the commands and my entire iRule scripts were not working properly after the software upgrade. So that’s one thing, that’s one point that I need you to verify. And lastly, you need to fail over your first device, the current active device, to standby, so that the second device will become active. Okay? Now this time, upgrade your first device, or the old primary device. The good thing is you’ve already succeeded in upgrading the second BIG-IP. So you will just repeat the same steps.
