Manual Chapter : Configuring a BIG-IP System with iSession in Routed Mode

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

Overview: Configuring the BIG-IP system in routed mode

A routed deployment is one method of deploying a BIG-IP system directly in the path of traffic, such as between a WAN router and LAN switch. In routed mode, the BIG-IP system is nontransparent on the network, with separate LAN and WAN self IP addresses on each side. This setup ensures that requests from clients go to the BIG-IP system, which optimizes the traffic before it reaches the server.

Illustration of a routed deployment

This illustration shows a pair of BIG-IP systems in a routed deployment (Site B) on one side of the WAN, and a one-arm deployment on the other side.

Example of a routed deployment Example of a routed deployment

About symmetric optimization using iSession on BIG-IP systems

The BIG-IP systems work in pairs on opposite sides of the WAN to optimize the traffic that flows between them through an iSession connection. A simple point-to-point configuration might include BIG-IP systems in data centers on opposite sides of the WAN. Other configuration possibilities include point-to-multipoint (also called hub and spoke) and mesh deployments.

The following illustration shows an example of the flow of traffic across the WAN through a pair of BIG-IP devices. In this example, traffic can be initiated on both sides of the WAN.

Example of traffic flow through a BIG-IP pair with iSession connection Example of traffic flow through a BIG-IP pair with iSession connection

Each BIG-IP device is an endpoint. From the standpoint of each BIG-IP device, it is the local endpoint. Any BIG-IP device with which the local endpoint interacts is a remote endpoint. After you identify the endpoints, communication between the BIG-IP pair takes place in an iSession connection between the two devices. When you configure the local BIG-IP device, you also identify any advertised routes, which are subnets that can be reached through the local endpoint. When viewed on a remote system, these subnets appear as remote advertised routes.

To optimize traffic, you create iApps templates to select the applications you want to optimize, and the BIG-IP system sets up the necessary virtual servers and associated profiles. The system creates a virtual server on the initiating side of the WAN, with which it associates a profile that listens for TCP traffic of a particular type (HTTP, CIFS, FTP). The local BIG-IP system also creates a virtual server, called an iSession listener, to receive traffic from the other side of the WAN, and it associates a profile that terminates the iSession connection and forwards the traffic to its destination. For some applications, the system creates an additional virtual server to further process the application traffic.

The default iSession profile, which the system applies to application optimization, includes symmetric adaptive compression and symmetric data deduplication.

Before you begin configuring an iSession connection

Before you configure an iSession connection on the BIG-IP system, make sure that you have completed the following general prerequisites.

  • You must have an existing routed IP network between the two locations where the BIG-IP devices will be installed.
  • One BIG-IP system is located on each side of the WAN network you are using.
  • The BIG-IP hardware is installed with an initial network configuration applied.
  • F5 recommends that both units be running the same BIG-IP software version.
  • The Application Acceleration Manager license is enabled.
  • Application Acceleration Manager (AAM) is provisioned at the level Nominal.
  • The management IP address is configured on the BIG-IP system.
  • You must have administrative access to both the Web management and SSH command line interfaces on the BIG-IP system.
  • If there are firewalls, you must have TCP port 443 open in both directions. Optionally, you can allow TCP port 22 for SSH access to the command line interface for configuration verification, but not for actual BIG-IP iSession traffic. After you configure the BIG-IP system, you can perform this verification from the Configuration utility (Acceleration > Symmetric Optimization > Diagnostics).

Task summary

If you are configuring a BIG-IP system in routed mode, you configure separate self IP addresses for the internal and external interfaces. Also, you need to create a passthrough virtual server that you can use to verify the connection before you try to optimize traffic.

Note: Make sure that you associate the LAN and WAN VLANs with the appropriate interfaces (ports).

Task list

Creating VLANs

Create VLANs for the internal and external interfaces on the BIG-IP system.
  1. On the Main tab, click Network > VLANs. The VLAN List screen opens.
  2. Click Create. The New VLAN screen opens.
  3. In the Name field, type lan.
  4. In the Tag field, type a numeric tag, from 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. For the Interfaces setting, click an internal interface (port) in the Available list, and move the selected interface to the Untagged or Tagged list, depending on your network configuration. This VLAN is for the traffic that the BIG-IP system you are configuring will optimize.
  6. Click Repeat. The VLAN lan is added to the VLAN list, and the New VLAN screen opens.
  7. In the Name field, type wan.
  8. In the Tag field, type a numeric tag, from 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN.
  9. For the Interfaces setting, click an external interface (port) in the Available list, and move the selected interface to the Untagged or Tagged list, depending on your network configuration. This VLAN terminates the existing inbound iSession connections.
  10. Click Finished. The screen refreshes, and displays the two new VLANs in the list.

Creating self IP addresses for internal and external VLANs

VLANs must exist on the BIG-IP system for both internal and external interfaces (ports).
Self IP addresses enable the BIG-IP system, and other devices on the network, to route application traffic through the associated VLAN. Create self IP addresses on the BIG-IP device to assign to the internal and external VLANs.
  1. On the Main tab, click Network > Self IPs. The Self IPs screen opens.
  2. Click Create. The New Self IP screen opens.
  3. In the Name field, type a descriptive name for the self IP, for example lan.
  4. In the IP Address field, type an IP address that is not in use and resides on the internal VLAN.
  5. In the Netmask field, type the network mask for the specified IP address.
  6. From the VLAN/Tunnel list, select lan, which is the VLAN group you created.
  7. In the Traffic Group field, clear the check box, and select traffic-group-local-only (non-floating) from the drop-down menu.
  8. Click Repeat. The screen refreshes, and displays a new self IP screen.
  9. In the Name field, type a descriptive name for the self IP, for example wan.
  10. In the IP Address field, type an IP address that is not in use and resides on the external VLAN.
  11. In the Netmask field, type the network mask for the specified IP address.
  12. From the VLAN/Tunnel list, select the external VLAN, for example, wan.
  13. From the Port Lockdown list, select Allow None. This selection avoids potential conflicts (for management and other control functions) with other TCP applications. However, to access any of the services typically available on a self IP address, select Allow Custom, so that you can open the ports that those services need.
  14. In the Traffic Group field, clear the check box, and select traffic-group-local-only (non-floating) from the drop-down menu.
  15. Click Finished. The screen refreshes, and displays the new self IP address.

Creating a default gateway

You must define a route on the local BIG-IP system for sending traffic to its destination. In the example shown, the route defined uses the default gateway to send traffic to the router.
  1. On the Main tab, click Network > Routes.
  2. Click Add. The New Route screen opens.
  3. In the Name field, type a name for the default gateway, such as default-gateway.
  4. In the Destination field, type the IP address 0.0.0.0. An IP address of 0.0.0.0 in this field indicates that the destination is a default route.
  5. In the Destination field, type the destination IP address for the route.
  6. In the Destination field, type the 6rd IPv6 network address.
  7. In the Netmask field, type 0.0.0.0, the network mask for the default route.
  8. From the Resource list, select Use Gateway. The gateway represents a next-hop or last-hop address in the route.
  9. For the Gateway Address setting, select IP Address and type the IP address of the gateway.

Creating a passthrough virtual server

A virtual server represents a destination IP address for application traffic. You can use a passthrough virtual server to verify a connection before trying to optimize traffic using an iSession connection.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting:
    1. For Type, select Network.
    2. In the Address field, type the IP address 0.0.0.0.
    3. In the Mask field, type the netmask 0.0.0.0.
  5. From the Service Port list, select *All Ports.
  6. For the State setting, retain the default value, Enabled.
  7. In the Configuration area of the screen, from the Type list, select Forwarding (IP).
  8. From the Protocol list, select *All Protocols.
  9. From the VLAN Traffic and Tunnel Traffic list, select All VLANs and Tunnels.
  10. Click Finished.
The purpose of this virtual server is to forward all IP traffic. You will create a separate virtual server for optimized traffic when you configure an iSession connection and deploy applications using iApps templates.

Checking connectivity

Important: Use this task as a checkpoint before proceeding with iSessionsetup.
You can verify connectivity from the command-line interface.
  1. Ping the gateway using the command-line access to the BIG-IP system.
  2. Ping end-to-end across the WAN. In the example shown, this is between Server 1 and Server 2.
  3. Initiate a TCP file transfer between Server 1 and Server 2.

Setting up an iSession connection using the Quick Start screen

You cannot view the Quick Start screen until you have defined at least one VLAN and at least one self IP on a configured BIG-IP system that is provisioned for acceleration.
Use the Quick Start screen to quickly set up symmetric optimization on a single screen of the BIG-IP system using the default settings. To optimize WAN traffic, you must configure symmetric optimization on both sides of the WAN.
  1. On the Main tab, click Acceleration > Quick Start > Symmetric Properties.
  2. In the WAN Self IP Address field, type the local endpoint IP address, if it is not already displayed. This IP address must be in the same subnet as a self IP address on the BIG-IP system, and to make sure that dynamic discovery properly detects this endpoint, the IP address must be the same as a self IP address on the BIG-IP system.
  3. Verify that the Discovery setting is set to Enabled. If you disable the Discovery setting, or discovery fails, you must manually configure any remote endpoints and advertised routes.
  4. Specify the VLANs on which the virtual servers on this system receive incoming traffic.
    Option Description
    LAN VLANs Select the VLANs that receive incoming LAN traffic destined for the WAN.
    WAN VLANs Select the VLANs that receive traffic from the WAN through an iSession connection.
  5. In the Authentication area, for the Outbound iSession to WAN setting, select the SSL profile to use for all encrypted outbound iSession connections. To get WAN optimization up and running, you can use the default selection serverssl, but you need to customize this profile for your production environment.
  6. For the Inbound iSession from WAN setting, leave the default selection wom-default-clientssl or select another SSL profile for which the Non-SSL Connections setting is enabled.
  7. In the IP Encapsulation area, from the IP Encapsulation Type list, select the encapsulation type, if any, for outbound iSession traffic.
    1. If you select FEC, select a FEC profile from the FEC Profile list that appears, or retain the default, default-ipsec-policy-isession.
    2. If you select IPsec, select an IPsec policy from the IPSEC Policy list that appears, or retain the default, default-ipsec-policy-isession.
    3. If you select IPIP, the system uses the IP over IP tunneling protocol, and no additional encapsulation setting is necessary.
    4. If you select GRE, select a GRE profile from the GRE Profile list that appears, or retain the default, gre.
  8. Click Apply.
This example shows a completed Quick Start screen.
Example of completed Quick Start screen Example of completed Quick Start screen
To complete the setup, repeat this task on the BIG-IP system on the other side of the WAN. After you configure the iSession endpoints, use an iApp template to select the application traffic for optimization. Click Acceleration > Quick Start > Deploy Applications. Click Create, from the Template list select f5.replication, and follow the online instructions.

Validating iSession configuration

At this point, you have finished configuring the iSession connection on BIG-IP systems at opposite sides of the WAN, and the systems have discovered their remote endpoints.
Important: Use this task as a checkpoint to allow for troubleshooting before you complete the setup.
You can validate the configuration using the browser and command-line interfaces.
  1. Run diagnostics to verify the configuration.
    1. On the Main tab, click Acceleration > Symmetric Optimization > Diagnostics.
    2. Next to Diagnose WOM Configuration, click Run.
    3. Correct any configuration errors as indicated on the screen.
  2. Transfer data between the servers at the two sites, and verify that the transfer was successful.
  3. Using the command-line interface, enter tmsh show wom remote-endpoint all, and verify the remote endpoint IP address and the STATE: Ready message. The following listing is an example of the results for this command. ----------------------------------------------------------- Remote endpoint: 10.150.3.1 ----------- ----------------------------------------------------------- Status HOSTNAME: clientside3600.example.net MGMT ADDR: 192.X.X.X VERSION: 11.4.0 UUID: 1a28:79aa:d38:6914:e76a:5b9a:b76:1657 enabled STATE: ready ----------- BEHIND NAT: no CONFIG STATUS: none DEDUP CACHE: 43.5G REFRESH count: 0 REFRESH timestamp: 12/31/12 16:00:00 ALLOW ROUTING: disabled ----------------------------------------------------------- Endpoint Isession Statistic: _tunnel_data_10.150.3.1 ----------------------------------------------------------- Connections Current Maximum Total Connections OUT IDLE: 0 0 0 Connections OUT ACTIVE: 0 0 0 Connections IN ACTIVE: 1 1 1 Direction Action Raw Opt Out (to WAN) bits Deduplication 838.8M 839.4M Out (to WAN) bits Compression 841.9M 842.0M Direction Action Opt Raw In (from WAN) bits Decompression 1.2K 1.2K In (from WAN) bits Deduplication 1.2K 880
  4. Using the browser interface, view the green status indicator on the Remote Endpoints screen.
  5. On the Main tab, click Acceleration > Dashboard > WAN Optimization, and view the traffic optimization data.

Viewing pertinent configuration details from the command line

Ensure that you have configured the BIG-IP system in a routed mode deployment.
You can view details of the routed mode deployment configuration from the command line.
  1. Log on to the command-line interface using the root account.
  2. At the command prompt, type tmsh list all-properties. The following listing is an example of the pertinent information displayed on the command line for a routed mode configuration. ltm profile tcp wom-tcp-lan-optimized { abc enabled ack-on-push enabled app-service none close-wait-timeout 5 cmetrics-cache disabled congestion-control high-speed defaults-from tcp-lan-optimized deferred-accept disabled delay-window-control disabled delayed-acks disabled description none dsack disabled ecn disabled fin-wait-timeout 5 idle-timeout 600 init-cwnd 0 init-rwnd 0 ip-tos-to-client 0 keep-alive-interval 1800 limited-transmit enabled link-qos-to-client 0 max-retrans 8 md5-signature disabled md5-signature-passphrase none nagle enabled partition Common pkt-loss-ignore-burst 0 pkt-loss-ignore-rate 0 proxy-buffer-high 1228800 proxy-buffer-low 98304 proxy-mss disabled proxy-options disabled receive-window-size 65535 reset-on-timeout enabled rfc1323 enabled selective-acks enabled selective-nack disabled send-buffer-size 65535 slow-start disabled syn-max-retrans 3 syn-rto-base 0 tcp-options none time-wait-recycle enabled time-wait-timeout 2000 verified-accept disabled zero-window-timeout 20000 } ltm profile tcp wom-tcp-wan-optimized { abc enabled ack-on-push disabled app-service none close-wait-timeout 5 cmetrics-cache enabled congestion-control high-speed defaults-from tcp-wan-optimized deferred-accept disabled delay-window-control disabled delayed-acks disabled description none dsack disabled ecn disabled fin-wait-timeout 5 idle-timeout 600 init-cwnd 0 init-rwnd 0 ip-tos-to-client 0 keep-alive-interval 1800 limited-transmit enabled link-qos-to-client 0 max-retrans 8 md5-signature disabled md5-signature-passphrase none nagle enabled partition Common pkt-loss-ignore-burst 8 pkt-loss-ignore-rate 10000 proxy-buffer-high 196608 proxy-buffer-low 131072 proxy-mss disabled proxy-options disabled receive-window-size 2048000 reset-on-timeout enabled rfc1323 enabled selective-acks enabled selective-nack enabled send-buffer-size 2048000 slow-start disabled syn-max-retrans 3 syn-rto-base 0 tcp-options none time-wait-recycle enabled time-wait-timeout 2000 verified-accept disabled zero-window-timeout 300000 } ltm virtual isession-virtual { app-service none auth none auto-lasthop default clone-pools none cmp-enabled yes connection-limit 0 description none destination 10.150.2.1:any enabled fallback-persistence none gtm-score 0 http-class none ip-protocol tcp last-hop-pool none mask 255.255.255.255 mirror disabled nat64 disabled partition Common persist none pool none profiles { isession { context clientside } wom-default-clientssl { context clientside } wom-tcp-lan-optimized { context serverside } wom-tcp-wan-optimized { context clientside } } rate-class none rules none snat none source-port preserve traffic-classes none translate-address enabled translate-port disabled vlans none vlans-disabled } ltm virtual pass-through { app-service none auth none auto-lasthop default clone-pools none cmp-enabled yes connection-limit 0 description none destination 0.0.0.0:any enabled fallback-persistence none gtm-score 0 http-class none ip-forward ip-protocol any last-hop-pool none mask any mirror disabled nat64 disabled partition Common persist none pool none profiles { fastL4 { context all } } rate-class none rules none snat none source-port preserve traffic-classes none translate-address disabled translate-port disabled vlans none vlans-disabled } net interface 1.1 { app-service none description none enabled flow-control tx-rx force-gigabit-fiber disabled mac-address 0:1:d7:b3:d5:c4 media none media-active 1000T-FD media-fixed auto media-max 1000T-FD media-sfp auto mtu 1500 prefer-port sfp stp enabled stp-auto-edge-port enabled stp-edge-port true stp-link-type auto vendor none } net interface 1.2 { app-service none description none enabled flow-control tx-rx force-gigabit-fiber disabled mac-address 0:1:d7:b3:d5:c5 media none media-active none media-fixed auto media-max 1000T-FD media-sfp auto mtu 1500 prefer-port sfp stp enabled stp-auto-edge-port enabled stp-edge-port true stp-link-type auto vendor none } net route dgw { description none gw 10.150.2.254 mtu 0 network default partition Common } net self WAN-side { address 10.150.2.1/24 allow-service none app-service none description none floating disabled inherited-traffic-group false partition Common traffic-group traffic-group-local-only unit 0 vlan WAN } net self Lan-side { address 10.150.4.1/24 allow-service { default } app-service none description none floating disabled inherited-traffic-group false partition Common traffic-group traffic-group-local-only unit 0 vlan LAN } net vlan LAN { app-service none auto-lasthop default description none failsafe disabled failsafe-action failover-restart-tm failsafe-timeout 90 interfaces { 1.6 { app-service none untagged } } learning enable-forward mac-masquerade none mtu 1500 partition Common source-checking disabled tag 4093 } net vlan WAN { app-service none auto-lasthop default description none failsafe disabled failsafe-action failover-restart-tm failsafe-timeout 90 interfaces { 1.1 { app-service none untagged } } learning enable-forward mac-masquerade none mtu 1500 partition Common source-checking disabled tag 4094 } sys datastor { cache-size 788 description none disk enabled high-water-mark 90 low-water-mark 80 store-size 247580 } sys disk application-volume datastor { logical-disk HD1 owner datastor preservability discardable resizeable false size 247580 volume-set-visibility-restraint none sys log-rotate { common-backlogs 24 common-include none description none include none mysql-include none syslog-include none tomcat-include none wa-include none } sys management-route default { app-service none description none gateway 192.31.3.129 mtu 1500 network default } sys provision wom { app-service none cpu-ratio 0 description none disk-ratio 0 level nominal memory-ratio 0 } sys provision woml { app-service none cpu-ratio 0 description none disk-ratio 0 level none memory-ratio 0 } wom advertised-route Sever-side { app-service none description none dest 10.150.4.0/24 include enabled label serverside metric 0 origin configured } wom deduplication { description none dictionary-size 256 disk-cache-size 247580 enabled max-endpoint-count 1 } wom endpoint-discovery { auto-save enabled description none discoverable enabled discovered-endpoint enabled icmp-max-requests 1024 icmp-min-backoff 5 icmp-num-retries 10 max-endpoint-count 0 mode enable-all } wom local-endpoint { addresses { 10.150.2.1 } allow-nat enabled description none endpoint enabled ip-encap-mtu 0 ip-encap-profile { "" } ip-encap-type none no-route passthru server-ssl serverssl snat none tunnel-port https } wom profile isession isession-http { adaptive-compression enabled app-service none compression enabled compression-codecs { deflate lzo bzip2 } } wom local-endpoint { addresses { 10.150.2.1 } allow-nat enabled description none endpoint enabled ip-encap-mtu 0 ip-encap-profile { "" } ip-encap-type none no-route passthru server-ssl serverssl snat none tunnel-port https } wom profile isession isession-http { adaptive-compression enabled app-service none compression enabled compression-codecs { deflate lzo bzip2 } data-encryption disabled deduplication enabled defaults-from isession deflate-compression-level 1 description none mode enabled partition Common port-transparency enabled reuse-connection enabled target-virtual virtual-match-all } wom remote-endpoint Sever-side { address 10.150.3.1 allow-routing enabled app-service none description none endpoint enabled ip-encap-mtu 0 ip-encap-profile none ip-encap-type default origin configured server-ssl none snat default tunnel-encrypt enabled tunnel-port https } wom server-discovery { auto-save enabled description none filter-mode exclude idle-time-limit 0 ip-ttl-limit 5 max-server-count 50 min-idle-time 0 min-prefix-length-ipv4 32 min-prefix-length-ipv6 128 mode enabled rtt-threshold 10 subnet-filter none time-unit days }

Implementation result

After you complete the tasks in this implementation, the BIG-IP system is configured in a routed deployment. For symmetric optimization using an iSession connection, you must also configure the BIG-IP system on the other side of the WAN. The other BIG-IP deployment can be in bridge, routed, or one-arm mode.