Manual Chapter : Configuring a BIG-IP System with iSession in Routed Mode

Applies To:

BIG-IP AAM

  • 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Overview: Configuring the BIG-IP system in routed mode

A routed deployment is one method of deploying a BIG-IP® system directly in the path of traffic, such as between a WAN router and LAN switch. In routed mode, the BIG-IP system is nontransparent on the network, with separate LAN and WAN self IP addresses on each side. This setup ensures that requests from clients go to the BIG-IP system, which optimizes the traffic before it reaches the server.

Illustration of a routed deployment

This illustration shows a pair of BIG-IP® systems in a routed deployment (Site B) on one side of the WAN, and a one-arm deployment on the other side.

Example of a routed deployment

About symmetric optimization using iSession on BIG-IP systems

The BIG-IP® systems work in pairs on opposite sides of the WAN to optimize the traffic that flows between them through an iSession™ connection. A simple point-to-point configuration might include BIG-IP systems in data centers on opposite sides of the WAN. Other configuration possibilities include point-to-multipoint (also called hub and spoke) and mesh deployments.

The following illustration shows an example of the flow of traffic across the WAN through a pair of BIG-IP devices. In this example, traffic can be initiated on both sides of the WAN.

Example of traffic flow through a BIG-IP pair with iSession connection

Each BIG-IP device is an endpoint. From the standpoint of each BIG-IP device, it is the local endpoint. Any BIG-IP device with which the local endpoint interacts is a remote endpoint. After you identify the endpoints, communication between the BIG-IP pair takes place in an iSession connection between the two devices. When you configure the local BIG-IP device, you also identify any advertised routes, which are subnets that can be reached through the local endpoint. When viewed on a remote system, these subnets appear as remote advertised routes.

To optimize traffic, you create iApps™ templates to select the applications you want to optimize, and the BIG-IP system sets up the necessary virtual servers and associated profiles. The system creates a virtual server on the initiating side of the WAN, with which it associates a profile that listens for TCP traffic of a particular type (HTTP, CIFS, FTP). The local BIG-IP system also creates a virtual server, called an iSession listener, to receive traffic from the other side of the WAN, and it associates a profile that terminates the iSession connection and forwards the traffic to its destination. For some applications, the system creates an additional virtual server to further process the application traffic.

The default iSession profile, which the system applies to application optimization, includes symmetric adaptive compression and symmetric data deduplication.

Before you begin configuring an iSession connection

Before you configure an iSession™ connection on the BIG-IP® system, make sure that you have completed the following general prerequisites.

  • You must have an existing routed IP network between the two locations where the BIG-IP devices will be installed.
  • One BIG-IP system is located on each side of the WAN network you are using.
  • The BIG-IP hardware is installed with an initial network configuration applied.
  • F5® recommends that both units be running the same BIG-IP software version.
  • The Application Acceleration Manager™ license is enabled.
  • Application Acceleration Manager (AAM) is provisioned at the level Nominal.
  • The management IP address is configured on the BIG-IP system.
  • You must have administrative access to both the Web management and SSH command line interfaces on the BIG-IP system.
  • If there are firewalls, you must have TCP port 443 open in both directions. Optionally, you can allow TCP port 22 for SSH access to the command line interface for configuration verification, but not for actual BIG-IP iSession traffic. After you configure the BIG-IP system, you can perform this verification from the Configuration utility (Acceleration > Symmetric Optimization > Diagnostics).

Task summary

If you are configuring a BIG-IP® system in routed mode, you configure separate self IP addresses for the internal and external interfaces. Also, you need to create a passthrough virtual server that you can use to verify the connection before you try to optimize traffic.

Note: Make sure that you associate the LAN and WAN VLANs with the appropriate interfaces (ports).

Task list

Creating VLANs

Create VLANs for the internal and external interfaces on the BIG-IP® system.
  1. On the Main tab, click Network > VLANs.
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type lan.
  4. In the Tag field, type a numeric tag, between 1 and 4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. For the Interfaces setting, click an internal interface (port) in the Available list, and move the selected interface to the Untagged or Tagged list, depending on your network configuration.
    This VLAN is for the traffic that the BIG-IP system you are configuring will optimize.
  6. Click Repeat.
    The VLAN lan is added to the VLAN list, and the New VLAN screen opens.
  7. In the Name field, type wan.
  8. In the Tag field, type a numeric tag, between 1 and 4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  9. For the Interfaces setting:
    1. From the Interface list, select an interface number or trunk name.
    2. From the Tagging list, select Tagged or Untagged.
      Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
    3. If you specified a numeric value for the Customer Tag setting and from the Tagging list you selected Tagged, then from the Tag Mode list, select a value.
    4. Click Add.
    5. Repeat these steps for each interface or trunk that you want to assign to the VLAN.
  10. Click Finished.
    The screen refreshes, and displays the two new VLANs in the list.

Creating self IP addresses for internal and external VLANs

VLANs must exist on the BIG-IP® system for both internal and external interfaces (ports).
Self IP addresses enable the BIG-IP system, and other devices on the network, to route application traffic through the associated VLAN. Create self IP addresses on the BIG-IP device to assign to the internal and external VLANs.
  1. On the Main tab, click Network > Self IPs.
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a descriptive name for the self IP, for example lan.
  4. In the IP Address field, type an IP address that is not in use and resides on the internal VLAN.
  5. In the Netmask field, type the network mask for the specified IP address.

    For example, you can type 255.255.255.0.

  6. From the VLAN/Tunnel list, select lan, which is the VLAN you created.
  7. In the Traffic Group field, clear the check box, and select traffic-group-local-only (non-floating) from the drop-down menu.
  8. Click Repeat.
    The screen refreshes, and displays a new self IP screen.
  9. In the Name field, type a descriptive name for the self IP, for example wan.
  10. In the IP Address field, type an IP address that is not in use and resides on the external VLAN.
  11. In the Netmask field, type the network mask for the specified IP address.

    For example, you can type 255.255.255.0.

  12. From the VLAN/Tunnel list, select the external VLAN, for example, wan.
  13. From the Port Lockdown list, select Allow None.
    This selection avoids potential conflicts (for management and other control functions) with other TCP applications. However, to access any of the services typically available on a self IP address, select Allow Custom, so that you can open the ports that those services need.
  14. In the Traffic Group field, clear the check box, and select traffic-group-local-only (non-floating) from the drop-down menu.
  15. Click Finished.
    The screen refreshes, and displays the new self IP address.

Creating a default gateway

You must define a route on the local BIG-IP® system for sending traffic to its destination. In the example shown, the route defined uses the default gateway to send traffic to the router.
  1. On the Main tab, click Network > Routes.
  2. Click Add.
    The New Route screen opens.
  3. In the Name field, type a name for the default gateway, such as default-gateway.
  4. In the Destination field, type the IP address 0.0.0.0.
    An IP address of 0.0.0.0 in this field indicates that the destination is a default route.
  5. In the Netmask field, type 0.0.0.0, the network mask for the default route.
  6. From the Resource list, select Use Gateway.
    The gateway represents a next-hop or last-hop address in the route.
  7. For the Gateway Address setting, select IP Address and type the IP address of the gateway.

Creating a passthrough virtual server

A virtual server represents a destination IP address for application traffic. You can use a passthrough virtual server to verify a connection before trying to optimize traffic using an iSession™ connection.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Destination Address/Mask field, type a wildcard network address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6, to accept any traffic.
  4. From the Service Port list, select *All Ports.
  5. For the State setting, retain the default value, Enabled.
  6. In the Configuration area of the screen, from the Type list, select Forwarding (IP).
  7. From the Protocol list, select *All Protocols.
  8. From the VLAN Traffic and Tunnel Traffic list, select All VLANs and Tunnels.
  9. Click Finished.
The purpose of this virtual server is to forward all IP traffic. You will create a separate virtual server for optimized traffic when you configure an iSession connection and deploy applications using iApps™ templates.

Checking connectivity

Important: Use this task as a checkpoint before proceeding with iSession™ setup.
You can verify connectivity from the command-line interface.
  1. Ping the gateway using the command-line access to the BIG-IP® system.
  2. Ping end-to-end across the WAN. In the example shown, this is between Server 1 and Server 2.
  3. Initiate a TCP file transfer between Server 1 and Server 2.

Setting up an iSession connection using the Quick Start screen

You cannot view the Quick Start screen until you have defined at least one VLAN and at least one self IP on a configured BIG-IP® system that is provisioned for acceleration.
Use the Quick Start screen to quickly set up symmetric optimization on a single screen of the BIG-IP system using the default settings. To optimize WAN traffic, you must configure symmetric optimization on both sides of the WAN.
  1. On the Main tab, click Acceleration > Quick Start > Symmetric Properties.
  2. In the WAN Self IP Address field, type the local endpoint IP address, if it is not already displayed.
    This IP address must be in the same subnet as a self IP address on the BIG-IP system. To make sure that dynamic discovery properly detects this endpoint, the IP address must be the same as a self IP address on the BIG-IP system.
  3. Verify that the Discovery setting is set to Enabled.
    If you disable the Discovery setting, or discovery fails, you must manually configure any remote endpoints and advertised routes.
  4. Specify the VLANs on which the virtual servers on this system receive incoming traffic.
    Option      Description
    LAN VLANs   Select the VLANs that receive incoming LAN traffic destined for the WAN.
    WAN VLANs   Select the VLANs that receive traffic from the WAN through an iSession™ connection.
  5. In the Authentication area, for the Outbound iSession to WAN setting, select the SSL profile to use for all encrypted outbound iSession connections.
    To get WAN optimization up and running, you can use the default selection serverssl, but you need to customize this profile for your production environment.
  6. For the Inbound iSession from WAN setting, leave the default selection wom-default-clientssl or select another SSL profile for which the Non-SSL Connections setting is enabled.
  7. In the IP Encapsulation area, from the IP Encapsulation Type list, select the encapsulation type, if any, for outbound iSession traffic.
    1. If you select FEC, select a FEC profile from the FEC Profile list that appears, or retain the default, default-ipsec-policy-isession.
    2. If you select IPsec, select an IPsec policy from the IPSEC Policy list that appears, or retain the default, default-ipsec-policy-isession.
    3. If you select IPIP, the system uses the IP over IP tunneling protocol, and no additional encapsulation setting is necessary.
    4. If you select GRE, select a GRE profile from the GRE Profile list that appears, or retain the default, gre.
  8. Click Apply.
This example shows a completed Quick Start screen.
Example of completed Quick Start screen

To complete the setup, repeat this task on the BIG-IP system on the other side of the WAN. After you configure the iSession™ endpoints, use an iApp template to select the application traffic for optimization. Click Acceleration > Quick Start > Deploy Applications. Click Create, from the Template list select f5.replication, and follow the online instructions.

Validating iSession configuration

At this point, you have finished configuring the iSession™ connection on BIG-IP® systems at opposite sides of the WAN, and the systems have discovered their remote endpoints.
Important: Use this task as a checkpoint to allow for troubleshooting before you complete the setup.
You can validate the configuration using the browser and command-line interfaces.
  1. Run diagnostics to verify the configuration.
    1. On the Main tab, click Acceleration > Symmetric Optimization > Diagnostics.
    2. Next to Diagnose WOM Configuration, click Run.
    3. Correct any configuration errors as indicated on the screen.
  2. Transfer data between the servers at the two sites, and verify that the transfer was successful.
  3. Using the command-line interface, enter tmsh show wom remote-endpoint all, and verify the remote endpoint IP address and the STATE: Ready message.
    The following listing is an example of the results for this command.
    -----------------------------------------------------------
    Remote endpoint: 10.150.3.1                   -----------
    -----------------------------------------------------------
    Status
        HOSTNAME: clientside3600.example.net
        MGMT ADDR: 192.X.X.X  VERSION: 11.4.0
        UUID: 1a28:79aa:d38:6914:e76a:5b9a:b76:1657
        enabled                      STATE: ready -----------
        BEHIND NAT: no
        CONFIG STATUS: none
        DEDUP CACHE: 43.5G
        REFRESH count: 0             REFRESH timestamp: 12/31/12 16:00:00
        ALLOW ROUTING: disabled
    
    -----------------------------------------------------------
        Endpoint Isession Statistic: _tunnel_data_10.150.3.1
    -----------------------------------------------------------
    Connections                        Current  Maximum   Total
        Connections OUT IDLE:                0        0       0
        Connections OUT ACTIVE:              0        0       0
        Connections IN ACTIVE:               1        1       1
    Direction                           Action      Raw     Opt
        Out (to WAN) bits        Deduplication   838.8M  839.4M
        Out (to WAN) bits          Compression   841.9M  842.0M
    Direction                           Action      Opt     Raw
        In (from WAN) bits       Decompression     1.2K    1.2K
        In (from WAN) bits       Deduplication     1.2K     880      
                      
  4. Using the browser interface, view the green status indicator on the Remote Endpoints screen.
  5. On the Main tab, click Acceleration > Dashboard > WAN Optimization, and view the traffic optimization data.
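Step 3 of this checkpoint can be scripted. The Python below is an added example, not part of the F5 documentation or its tooling: it parses a `tmsh show wom remote-endpoint all` listing like the one above, extracts each remote endpoint's state and outbound deduplication counters, and reports what would fail the checkpoint. The sample listing is constructed from the example above; feed it the real tmsh output instead.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the `tmsh show wom remote-endpoint all` listing
# on this page (same endpoint address, state and counters); not live output.
SAMPLE_OUTPUT = """\
-----------------------------------------------------------
Remote endpoint: 10.150.3.1                   -----------
-----------------------------------------------------------
Status
    HOSTNAME: clientside3600.example.net
    MGMT ADDR: 192.X.X.X  VERSION: 11.4.0
    enabled                      STATE: ready -----------
    BEHIND NAT: no
    ALLOW ROUTING: disabled

-----------------------------------------------------------
    Endpoint Isession Statistic: _tunnel_data_10.150.3.1
-----------------------------------------------------------
Connections                        Current  Maximum   Total
    Connections IN ACTIVE:               1        1       1
Direction                           Action      Raw     Opt
    Out (to WAN) bits        Deduplication   838.8M  839.4M
    Out (to WAN) bits          Compression   841.9M  842.0M
Direction                           Action      Opt     Raw
    In (from WAN) bits       Decompression     1.2K    1.2K
    In (from WAN) bits       Deduplication     1.2K     880
"""

_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_counter(token: str) -> float:
    """Turn a tmsh counter such as '838.8M' or '880' into a plain number."""
    m = re.fullmatch(r"([0-9.]+)([KMG]?)", token)
    if not m:
        raise ValueError(f"unrecognised counter: {token!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]


def parse_remote_endpoints(text: str) -> List[Dict[str, object]]:
    """Return one record per 'Remote endpoint:' block in the listing."""
    endpoints: List[Dict[str, object]] = []
    for block in re.split(r"^Remote endpoint:\s*", text, flags=re.M)[1:]:

        def field(pattern: str) -> Optional[str]:
            m = re.search(pattern, block, flags=re.M)
            return m.group(1) if m else None

        ep: Dict[str, object] = {
            "address": block.split(None, 1)[0],
            # The status line reads '    enabled ... STATE: ready' (or 'disabled').
            "enabled": re.search(r"^\s*enabled\b", block, flags=re.M) is not None,
            "state": (field(r"STATE:\s*(\w+)") or "unknown").lower(),
            "behind_nat": field(r"BEHIND NAT:\s*(\w+)") == "yes",
            "in_active": int(field(r"Connections IN ACTIVE:\s*(\d+)") or 0),
        }
        # Outbound deduplication row: Raw = bits offered, Opt = bits sent on the WAN.
        m = re.search(r"Out \(to WAN\) bits\s+Deduplication\s+(\S+)\s+(\S+)", block)
        if m:
            ep["out_raw"] = parse_counter(m.group(1))
            ep["out_opt"] = parse_counter(m.group(2))
        endpoints.append(ep)
    return endpoints


def check_endpoint(ep: Dict[str, object]) -> List[str]:
    """Problems that would fail step 3's checkpoint; an empty list means it passes."""
    problems: List[str] = []
    if not ep["enabled"]:
        problems.append(f"{ep['address']}: remote endpoint is disabled")
    if ep["state"] != "ready":
        problems.append(f"{ep['address']}: STATE is {ep['state']}, expected ready")
    if "out_raw" not in ep:
        problems.append(f"{ep['address']}: no iSession statistics block found")
    return problems


def outbound_savings_ratio(ep: Dict[str, object]) -> Optional[float]:
    """Raw/Opt for outbound deduplication. Above 1.0 the WAN carried fewer bits
    than the applications offered; at or below 1.0 the data did not deduplicate,
    as in the page's listing (838.8M raw became 839.4M optimized)."""
    if "out_raw" not in ep or ep["out_opt"] == 0:
        return None
    return float(ep["out_raw"]) / float(ep["out_opt"])
```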

Viewing pertinent configuration details from the command line

Ensure that you have configured the BIG-IP® system in a routed mode deployment.
You can view details of the routed mode deployment configuration from the command line.
  1. Log on to the command-line interface using the root account.
  2. At the command prompt, type tmsh list all-properties.
    The following listing is an example of the pertinent information displayed on the command line for a routed mode configuration.
    ltm profile tcp wom-tcp-lan-optimized {
        abc enabled
        ack-on-push enabled
        app-service none
        close-wait-timeout 5
        cmetrics-cache disabled
        congestion-control high-speed
        defaults-from tcp-lan-optimized
        deferred-accept disabled
        delay-window-control disabled
        delayed-acks disabled
        description none
        dsack disabled
        ecn disabled
        fin-wait-timeout 5
        idle-timeout 600
        init-cwnd 0
        init-rwnd 0
        ip-tos-to-client 0
        keep-alive-interval 1800
        limited-transmit enabled
        link-qos-to-client 0
        max-retrans 8
        md5-signature disabled
        md5-signature-passphrase none
        nagle enabled
        partition Common
        pkt-loss-ignore-burst 0
        pkt-loss-ignore-rate 0
        proxy-buffer-high 1228800
        proxy-buffer-low 98304
        proxy-mss disabled
        proxy-options disabled
        receive-window-size 65535
        reset-on-timeout enabled
        rfc1323 enabled
        selective-acks enabled
        selective-nack disabled
        send-buffer-size 65535
        slow-start disabled
        syn-max-retrans 3
        syn-rto-base 0
        tcp-options none
        time-wait-recycle enabled
        time-wait-timeout 2000
        verified-accept disabled
        zero-window-timeout 20000
    }
    ltm profile tcp wom-tcp-wan-optimized {
        abc enabled
        ack-on-push disabled
        app-service none
        close-wait-timeout 5
        cmetrics-cache enabled
        congestion-control high-speed
        defaults-from tcp-wan-optimized
        deferred-accept disabled
        delay-window-control disabled
        delayed-acks disabled
        description none
        dsack disabled
        ecn disabled
        fin-wait-timeout 5
        idle-timeout 600
        init-cwnd 0
        init-rwnd 0
        ip-tos-to-client 0
        keep-alive-interval 1800
        limited-transmit enabled
        link-qos-to-client 0
        max-retrans 8
        md5-signature disabled
        md5-signature-passphrase none
        nagle enabled
        partition Common
        pkt-loss-ignore-burst 8
        pkt-loss-ignore-rate 10000
        proxy-buffer-high 196608
        proxy-buffer-low 131072
        proxy-mss disabled
        proxy-options disabled
        receive-window-size 2048000
        reset-on-timeout enabled
        rfc1323 enabled
        selective-acks enabled
        selective-nack enabled
        send-buffer-size 2048000
        slow-start disabled
        syn-max-retrans 3
        syn-rto-base 0
        tcp-options none
        time-wait-recycle enabled
        time-wait-timeout 2000
        verified-accept disabled
        zero-window-timeout 300000
    }
    ltm virtual isession-virtual {
        app-service none
        auth none
        auto-lasthop default
        clone-pools none
        cmp-enabled yes
        connection-limit 0
        description none
        destination 10.150.2.1:any
        enabled
        fallback-persistence none
        gtm-score 0
        http-class none
        ip-protocol tcp
        last-hop-pool none
        mask 255.255.255.255
        mirror disabled
        nat64 disabled
        partition Common
        persist none
        pool none
        profiles {
            isession {
                context clientside
            }
            wom-default-clientssl {
                context clientside
            }
            wom-tcp-lan-optimized {
                context serverside
            }
            wom-tcp-wan-optimized {
                context clientside
            }
        }
        rate-class none
        rules none
        snat none
        source-port preserve
        traffic-classes none
        translate-address enabled
        translate-port disabled
        vlans none
        vlans-disabled
    }
    ltm virtual pass-through {
        app-service none
        auth none
        auto-lasthop default
        clone-pools none
        cmp-enabled yes
        connection-limit 0
        description none
        destination 0.0.0.0:any
        enabled
        fallback-persistence none
        gtm-score 0
        http-class none
        ip-forward
        ip-protocol any
        last-hop-pool none
        mask any
        mirror disabled
        nat64 disabled
        partition Common
        persist none
        pool none
        profiles {
            fastL4 {
                context all
            }
        }
        rate-class none
        rules none
        snat none
        source-port preserve
        traffic-classes none
        translate-address disabled
        translate-port disabled
        vlans none
        vlans-disabled
    }
    net interface 1.1 {
        app-service none
        description none
        enabled
        flow-control tx-rx
        force-gigabit-fiber disabled
        mac-address 0:1:d7:b3:d5:c4
        media none
        media-active 1000T-FD
        media-fixed auto
        media-max 1000T-FD
        media-sfp auto
        mtu 1500
        prefer-port sfp
        stp enabled
        stp-auto-edge-port enabled
        stp-edge-port true
        stp-link-type auto
        vendor none
    }
    net interface 1.2 {
        app-service none
        description none
        enabled
        flow-control tx-rx
        force-gigabit-fiber disabled
        mac-address 0:1:d7:b3:d5:c5
        media none
        media-active none
        media-fixed auto
        media-max 1000T-FD
        media-sfp auto
        mtu 1500
        prefer-port sfp
        stp enabled
        stp-auto-edge-port enabled
        stp-edge-port true
        stp-link-type auto
        vendor none
    }
    net route dgw {
        description none
        gw 10.150.2.254
        mtu 0
        network default
        partition Common
    }
    net self WAN-side {
        address 10.150.2.1/24
        allow-service none
        app-service none
        description none
        floating disabled
        inherited-traffic-group false
        partition Common
        traffic-group traffic-group-local-only
        unit 0
        vlan WAN
    }
    net self Lan-side {
        address 10.150.4.1/24
        allow-service {
            default
        }
        app-service none
        description none
        floating disabled
        inherited-traffic-group false
        partition Common
        traffic-group traffic-group-local-only
        unit 0
        vlan LAN
    }
    net vlan LAN {
        app-service none
        auto-lasthop default
        description none
        failsafe disabled
        failsafe-action failover-restart-tm
        failsafe-timeout 90
        interfaces {
            1.6 {
                app-service none
                untagged
            }
        }
        learning enable-forward
        mac-masquerade none
        mtu 1500
        partition Common
        source-checking disabled
        tag 4093
    }
    net vlan WAN {
        app-service none
        auto-lasthop default
        description none
        failsafe disabled
        failsafe-action failover-restart-tm
        failsafe-timeout 90
        interfaces {
            1.1 {
                app-service none
                untagged
            }
        }
        learning enable-forward
        mac-masquerade none
        mtu 1500
        partition Common
        source-checking disabled
        tag 4094
    }
    sys datastor {
        cache-size 788
        description none
        disk enabled
        high-water-mark 90
        low-water-mark 80
        store-size 247580
    }
    sys disk application-volume datastor {
        logical-disk HD1
        owner datastor
        preservability discardable
        resizeable false
        size 247580
        volume-set-visibility-restraint none
    }
    sys log-rotate {
        common-backlogs 24
        common-include none
        description none
        include none
        mysql-include none
        syslog-include none
        tomcat-include none
        wa-include none
    }
    sys management-route default {
        app-service none
        description none
        gateway 192.31.3.129
        mtu 1500
        network default
    }
    sys provision wom {
        app-service none
        cpu-ratio 0
        description none
        disk-ratio 0
        level nominal
        memory-ratio 0
    }
    sys provision woml {
        app-service none
        cpu-ratio 0
        description none
        disk-ratio 0
        level none
        memory-ratio 0
    }
    wom advertised-route Sever-side {
        app-service none
        description none
        dest 10.150.4.0/24
        include enabled
        label serverside
        metric 0
        origin configured
    }
    wom deduplication {
        description none
        dictionary-size 256
        disk-cache-size 247580
        enabled
        max-endpoint-count 1
    }
    wom endpoint-discovery {
        auto-save enabled
        description none
        discoverable enabled
        discovered-endpoint enabled
        icmp-max-requests 1024
        icmp-min-backoff 5
        icmp-num-retries 10
        max-endpoint-count 0
        mode enable-all
    }
    wom local-endpoint {
        addresses { 10.150.2.1 }
        allow-nat enabled
        description none
        endpoint enabled
        ip-encap-mtu 0
        ip-encap-profile { "" }
        ip-encap-type none
        no-route passthru
        server-ssl serverssl
        snat none
        tunnel-port https
    }
    wom profile isession isession-http {
        adaptive-compression enabled
        app-service none
        compression enabled
        compression-codecs { deflate lzo bzip2 }
        data-encryption disabled
        deduplication enabled
        defaults-from isession
        deflate-compression-level 1
        description none
        mode enabled
        partition Common
        port-transparency enabled
        reuse-connection enabled
        target-virtual virtual-match-all
    }
    wom remote-endpoint Sever-side {
        address 10.150.3.1
        allow-routing enabled
        app-service none
        description none
        endpoint enabled
        ip-encap-mtu 0
        ip-encap-profile none
        ip-encap-type default
        origin configured
        server-ssl none
        snat default
        tunnel-encrypt enabled
        tunnel-port https
    }
    wom server-discovery {
        auto-save enabled
        description none
        filter-mode exclude
        idle-time-limit 0
        ip-ttl-limit 5
        max-server-count 50
        min-idle-time 0
        min-prefix-length-ipv4 32
        min-prefix-length-ipv6 128
        mode enabled
        rtt-threshold 10
        subnet-filter none
        time-unit days
    } 
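A dump like the one above can be audited for the settings this chapter calls out: Port Lockdown Allow None on the WAN self IP (step 13 of the self IP task), TCP 443 as the tunnel port (the firewall prerequisite), and encryption on the remote endpoint. The Python below is an added example, not F5 code: a small parser for tmsh brace syntax plus the audit, run over a constructed sample trimmed from the listing above and over a weak variant that shows the findings it reports.

```python
import re
from typing import Any, Dict, List

# Constructed sample in the shape of the `tmsh list all-properties` output shown on
# this page, trimmed to the objects the audit reads; addresses follow the page's example.
GOOD_CONFIG = """\
net self WAN-side {
    address 10.150.2.1/24
    allow-service none
    vlan WAN
}
net self Lan-side {
    address 10.150.4.1/24
    allow-service {
        default
    }
    vlan LAN
}
wom local-endpoint {
    addresses { 10.150.2.1 }
    endpoint enabled
    tunnel-port https
}
wom remote-endpoint Server-side {
    address 10.150.3.1
    tunnel-encrypt enabled
    tunnel-port https
}
"""
# The same configuration with the WAN self IP left at Port Lockdown "Allow Default" and
# tunnel encryption switched off: the two deviations the audit is meant to report.
WEAK_CONFIG = (GOOD_CONFIG
               .replace("allow-service none", "allow-service {\n        default\n    }")
               .replace("tunnel-encrypt enabled", "tunnel-encrypt disabled"))

_INLINE_BLOCK = re.compile(r"(\S+)\s*\{\s*(.*?)\s*\}")


def parse_tmsh(text: str) -> Dict[str, Any]:
    """Parse tmsh brace syntax into nested dicts: 'key value' lines become strings,
    bare flags such as 'enabled' or 'ip-forward' become True, 'key { a b }' a list."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace in tmsh output")
            stack.pop()
        elif line.endswith("{"):
            child: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif (m := _INLINE_BLOCK.fullmatch(line)):
            stack[-1][m.group(1)] = m.group(2).split()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip() if value else True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tmsh output")
    return root


def audit(config: Dict[str, Any]) -> List[str]:
    """Check the routed-mode settings this chapter calls out; empty list means all pass."""
    findings: List[str] = []
    local = config.get("wom local-endpoint", {})
    wan_addresses = set(local.get("addresses", []))  # Quick Start 'WAN Self IP Address'
    if local.get("tunnel-port") != "https":
        findings.append("wom local-endpoint: tunnel-port is not https; the prerequisite "
                        "firewall rule only opens TCP 443")
    for name, obj in config.items():
        if name.startswith("net self "):
            # The WAN self IP equals the local endpoint address, so match on address.
            if str(obj.get("address", "")).split("/")[0] in wan_addresses \
                    and obj.get("allow-service") != "none":
                findings.append(f"{name}: WAN-facing self IP should use Port Lockdown "
                                f"Allow None (allow-service none), found {obj.get('allow-service')!r}")
        elif name.startswith("wom remote-endpoint "):
            if obj.get("tunnel-encrypt") != "enabled":
                findings.append(f"{name}: tunnel-encrypt is {obj.get('tunnel-encrypt')!r}, "
                                "expected enabled")
    return findings
```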
                        

Implementation result

After you complete the tasks in this implementation, the BIG-IP® system is configured in a routed deployment. For symmetric optimization using an iSession™ connection, you must also configure the BIG-IP system on the other side of the WAN. The other BIG-IP deployment can be in bridge, routed, or one-arm mode.