Overview

Skill Level: Intermediate

This document describes, for a technical audience, some of the critical activities required after deploying the F5 Networks BIG-IP Virtual Edition appliance. It covers both Cloud Foundation (VCF) and vCenter instances.

Ingredients

The F5 Networks BIG-IP service suite has been successfully deployed. The deployment includes a pair of BIG-IP Virtual Edition virtual machines, each with 4 configured network interfaces.

Step-by-step

  1. Provisioning BIG-IP VE Instance

    Before running the setup wizard, it is strongly recommended to provision the external and internal interfaces. To configure these interfaces, log into the vCenter console and navigate to “Hosts and Clusters”. Expand the local cluster in the navigation panel on the left and locate the bigip1 and bigip2 virtual machines.  Right click on either BIG-IP virtual machine and select the “Edit Settings…” menu item.   The internal network is connected to Network adapter 2 and the external network is connected to Network adapter 3.   Review these settings and if they are not correct use the drop-down menu to select the appropriate internal and external networks to be managed.  Then return to the Network Configuration Utility.

     Accessing the BIG-IP Management Console

    1. Go to https://console.ng.bluemix.net/infrastructure/vmware-solutions/console.
    2. Log into the console with the shared IBM iD.
    3. This is where details such as IP Address, Hostnames, Usernames and Passwords are stored for the VMware Cloud Foundation Instance.
    4. Click on the Services tab to get a list of installed and available services. Click on Installed services and locate the entry for F5 on IBM Cloud.
    5. Click View Details. 

     

    Accessing the tmsh command-line console

    1. Log into SoftLayer VPN (https://knowledgelayer.softlayer.com/topic/vpn).
    2. Open a PuTTY session or use an SSH client to open an SSH connection to the BIG-IP VM.
    3. Enter root as the user and use the password that is listed on the service detail panel.

     

  2. Running the BIG-IP configuration wizard

    Begin by clicking the “View BIG-IP Primary Web UI” button on the services panel.  This will open a new browser page to the login screen. Login to the web console using the admin user and password. This will automatically open the Welcome page to the Setup Utility.

    Click Next… on the Setup Utility Welcome page to get started. 

    On the General Properties panel, review the settings to confirm they match the order. Pay careful attention to the bandwidth settings. If these settings do not match the order specification, do not continue with the configuration and contact customer support. After confirming the installed features match the order, click Next… to go to the Resource Allocation page.

    The Resource Allocation page lists all the licensed components running on the BIG-IP virtual appliance. Provisioning is optional at this point; if you are not sure what settings to select, use the default settings and click Next… Provisioning the device may trigger a system reset, in which case the setup utility will be restarted and you will need to log in again.

  3. Security Configuration

    The next panel is used to configure the device certificates. By default, BIG-IP VE is deployed with a self-signed certificate. Use the Import… button to replace the self-signed certificate with your own certificate and private key files.

    Once the proper certificate files are installed, press Next…  to go to Platform setup. 

    On the Platform setup page, the root user and admin user passwords must be entered. Obtain these passwords from the Installed Services panel on the IBM Bluemix portal as shown in Step 1. If you wish to change one or both passwords, you may do so now.

    Note: If you opt to change the passwords please make a note of the new passwords. The new passwords will NOT be displayed on the installed services panel.  The service panel will continue to display the original passwords. IBM cannot recover lost passwords!

    Enter the passwords exactly as they appear on the Installed Services panel then click Next… The wizard will require you to login again once the passwords have been entered.

    Warning: Type each password individually. Do not cut and paste the original passwords into the wizard. Doing so can introduce white space or inadvertently omit characters. If this happens it may be impossible to log back into the web UI and you will be forced to re-install the service. Additional charges may apply.

    Under General Properties, leave the Management Port, Host Name and Host IP Address with the default values. Change to the appropriate Time Zone and click Next…

  4. Network Configuration

    After completing the above steps 1 through 3, and logging back into the web console, you will be prompted to continue with “Standard Network Configuration” or “Advanced Configuration”.  Click the Standard Network Configuration to continue.

    On the Redundant Device Wizard Options panel, accept the default setting and click Next…

    The next step is to configure BIG-IP to monitor traffic between virtual machines inside the cluster and traffic flowing in and out of the cluster. If you have not done so already, you must identify both the internal and external network to which the BIG-IP device is currently connected. To determine these networks, log into the vCenter console and navigate to “Hosts and Clusters”. Expand the local cluster in the navigation panel on the left and locate the bigip1 and bigip2 virtual machines. Right-click on either BIG-IP virtual machine and select the “Edit Settings…” menu item. The internal network is connected to Network adapter 2 and the external network is connected to Network adapter 3. Review these settings and, if they are not correct, use the drop-down menu to select the appropriate internal and external networks to be managed. Then return to the Network Configuration Utility.

    On the next panel enter the floating and dedicated IP address for the internal network.  You will need to remember the floating IP address as this will be used later during the configuration of the Secondary BIG-IP device.  Next, assign interface 1.1 to the internal network and make this interface Untagged.

     

    Table 1. List of network names and associated VLAN IDs to be used during network configuration. Failure to assign the interface VLAN to the associated network will result in the BIG-IP virtual appliance not being able to connect to the network.

    Network Name   Interface   VLAN Tagging
    Management     1.0         Untagged
    Internal       1.1         Untagged
    External       1.2         Untagged
    HA             1.3         Untagged

     

    Be sure to click the Add button when configuring the VLAN, otherwise the interface will not be configured correctly.

     

    Click Next… and repeat for the external network settings.  Once again, remember the external floating IP address to be used later.   If you are unsure of the settings for netmask and gateway, these values may be obtained from the SoftLayer Web Portal.   You must assign interface 1.2 to the external network.

     

    Click Next…  to go to the High Availability Network Configuration panel.

     

  5. Configure HA

    Make sure the “Create VLAN HA” radio button is selected, then enter the HA address and netmask. The address can be from any private subnet that is not currently being used. It is not necessary to enter a gateway since the HA network is a private VXLAN and is only used as a peer-to-peer connection between the BIG-IP virtual appliances. You will need to remember this information for configuring the secondary device. For Interface, select 1.3, set Tagging to “untagged” and click Add.

    Set the MTU to 1600 when configuring the HA network.

     

    Click Next…
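
    The interface assignments in Table 1 and the HA MTU of 1600 can be checked from the command line after the wizard completes. The script below is an added example, not part of the original recipe or of F5's tooling; it reads text in the layout printed by `tmsh list net vlan`. The VLAN names internal, external and HA are assumptions, and the sample listing is constructed for illustration.

```shell
# Added example: audit VLAN settings against Table 1 and the HA MTU of 1600.
# Assumptions: VLANs are named internal, external and HA; input is text in the
# layout printed by `tmsh list net vlan`.
# Constructed sample (not from a real device): external is tagged, HA has no MTU.
sample_vlans() {
cat <<'EOF'
net vlan HA {
    interfaces {
        1.3 { }
    }
}
net vlan external {
    interfaces {
        1.2 {
            tagged
        }
    }
    tag 4093
}
net vlan internal {
    interfaces {
        1.1 { }
    }
}
EOF
}

# Reads a listing on stdin; prints one finding per line, nothing if clean.
audit_vlans() {
    awk '
    BEGIN { want["internal"] = "1.1"; want["external"] = "1.2"; want["HA"] = "1.3" }
    $1 == "net" && $2 == "vlan" { name = $3; sub(/^.*\//, "", name); seen[name] = 1; next }
    name != "" && $1 ~ /^[0-9]+\.[0-9]+$/ {      # interface line such as "1.1 { }"
        iface[name] = $1
        if ($0 ~ /tagged/) tagged[name] = 1     # one-line form "1.1 { tagged }"
        next
    }
    name != "" && $1 == "tagged" { tagged[name] = 1 }   # multi-line form
    name != "" && $1 == "mtu"    { mtu[name] = $2 }
    END {
        for (v in want) {
            if (!(v in seen)) { print v ": VLAN not found"; continue }
            got = (v in iface) ? iface[v] : "none"
            if (got != want[v]) print v ": interface " got ", expected " want[v]
            if (v in tagged) print v ": interface is tagged, expected untagged"
        }
        if (("HA" in seen) && mtu["HA"] != "1600") print "HA: MTU is not set to 1600"
    }' | LC_ALL=C sort
}
sample_vlans | audit_vlans
```

    On a BIG-IP, `tmsh list net vlan | audit_vlans` runs the same check against the live configuration. Properties left at their default value are omitted from the listing, so a missing mtu line is reported as a finding.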

  6. NTP and DNS Configuration

    The NTP and DNS servers you select will vary depending on the installation and instance type. For instances based on VMware Cloud Foundation, it is generally safe to point to the SDDC Manager VSI for both the NTP and DNS services. The DNS will typically be configured during installation; it is recommended to use the default settings.

  7. Failover and Synchronization Setup

    On the Failover Configuration panel, accept the default settings and click Next… This will bring up the Mirroring Configuration. Use the HA address as the primary mirror address and select internal as the secondary mirror address, or leave the secondary mirror address blank if desired. Best practice is to accept the default settings for Unicast and Multicast failover configuration; however, these settings may be changed if desired.

    When you arrive at the Discover Configured Peer panel, click Next… to complete the networking configuration.

  8. HA Pair Synchronization

    Follow the instructions on the synchronization panels depending on which device is being configured. The final pair synchronization must be performed after both devices have been configured. If this is the first device to be configured, return to the IBM Bluemix Installed Services panel and open the console for the BIG-IP Secondary device. Repeat the above steps; only after both BIG-IP devices have been configured should you proceed with HA pair synchronization.

    Click Next… to go to Retrieve Device Credentials panel.   These credentials are for the other BIG-IP device – the one you are not currently logged into – the password can be obtained from the IBM Bluemix Services panel. (See Step 1).    If you are following this document, you should currently be logged into the BIG-IP Secondary device, therefore, enter the credentials for the BIG-IP Primary device.

    Click Retrieve Device Information.

    Verify the information matches the installed certificate and click Device Certificate Matches.   If this certificate does not match the expected values, return to the other device and import the desired certificates. 

    After selecting “Add Device”, you should notice the status change to Awaiting Initial Sync. Navigate to the Device Management menu in the left-side navigation panel. Select Overview and verify that both devices show up as group members.

     

    Click the Sync button at the bottom of the page.   This should change the status to In Sync.   This completes the Network and HA setup.

     

  9. Going Further

    The next steps are for you to start configuring your BIG-IP Virtual Edition appliances with iRules to optimize access to your applications and to secure your workloads.

    You can find out more about the IBM and VMware partnership at www.ibm.com/Cloud/VMware.
