F5 BIG-IP v13 企业级负载均衡系统配置最佳实践
概述
F5 BIG-IP v13 是业界领先的应用交付控制器(ADC)平台,为企业级应用提供高性能的负载均衡、安全防护和流量管理功能。本文将详细介绍F5 BIG-IP v13的系统配置最佳实践,帮助网络工程师构建稳定、安全、高效的负载均衡环境。
系统架构设计
#
1. 硬件规划与选型
– **性能需求分析**:根据业务流量预估选择合适型号
– **高可用性设计**:推荐Active-Standby或Active-Active部署
– **网络接口规划**:管理口、业务口、HA同步口分离
#
2. 初始系统配置
##
2.1 基础网络配置
管理IP配置
tmsh create /net self mgmt_self address 10.0.0.10/24
VLAN配置
tmsh create /net vlan internal { interfaces add { 1.1 } }
tmsh create /net vlan external { interfaces add { 1.2 } }
默认路由配置
tmsh create /net route default gw 10.0.0.1
##
2.2 系统参数优化
调整TCP参数
tmsh modify /sys db tcp.ecn.value "enabled"
tmsh modify /sys db tcp.timestamps.value "enabled"
内存优化
tmsh modify /sys db tm.reqpool.global.size "default"
tmsh modify /sys db connection.mirroring.mode "replicate"
核心功能配置
#
3. 虚拟服务器配置
##
3.1 HTTP负载均衡配置
创建Pool
tmsh create ltm pool web_pool {
members add {
192.168.1.10:80
192.168.1.11:80
}
monitor http
load-balancing-mode least-connections-member
}
创建Virtual Server
tmsh create ltm virtual web_vs {
destination 203.0.113.10:80
ip-protocol tcp
pool web_pool
profiles {
http { }
tcp { }
}
source-address-translation {
type automap
}
}
##
3.2 SSL卸载配置
导入SSL证书
tmsh install sys crypto cert from-local-file \
/var/tmp/server.crt cert-name web_cert
tmsh install sys crypto key from-local-file \
/var/tmp/server.key key-name web_key
创建Client SSL Profile
tmsh create ltm profile client-ssl clientssl_secure {
cert-key-chain {
default {
cert web_cert
key web_key
}
}
ciphers "DEFAULT:!SSLv3:!TLSv1"
options { dont-insert-empty-fragments }
}
更新Virtual Server支持SSL
tmsh modify ltm virtual web_vs {
destination 203.0.113.10:443
profiles add { clientssl_secure }
}
#
4. 健康检查配置
##
4.1 自定义健康检查
HTTP健康检查
tmsh create ltm monitor http custom_http_monitor {
interval 5
timeout 16
send "GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
recv "200 OK"
}
TCP健康检查
tmsh create ltm monitor tcp custom_tcp_monitor {
interval 10
timeout 31
send "PING\r\n"
recv "PONG"
}
##
4.2 高级健康检查策略
创建健康检查规则
tmsh create ltm rule health_check_rule {
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/health" } {
HTTP::respond 200 content "OK"
}
}
}
安全配置
#
5. 访问控制与防火墙
##
5.1 iRules安全防护
DDoS防护规则
tmsh create ltm rule ddos_protection {
when CLIENT_ACCEPTED {
连接速率限制
if { [class match [IP::client_addr] equals blacklist] } {
reject
}
新建连接限制
set conn_rate [table lookup -subtable conn_rate [IP::client_addr]]
if { $conn_rate > 100 } {
log local0. "DDoS attack detected from [IP::client_addr]"
reject
}
table set -subtable conn_rate [IP::client_addr] "1" 60 10
}
}
##
5.2 网络防火墙配置
创建安全策略
tmsh create security firewall policy web_firewall {
rules {
allow_http {
ip-protocol tcp
destination { ports { 80 443 } }
action accept
}
deny_all {
action drop
}
}
}
应用防火墙策略
tmsh modify ltm virtual web_vs {
security-firewall-policy web_firewall
}
#
6. WAF配置(Web应用防火墙)
##
6.1 ASM策略配置
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
##
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
F5 BIG-IP v13 是业界领先的应用交付控制器(ADC)平台,为企业级应用提供高性能的负载均衡、安全防护和流量管理功能。本文将详细介绍F5 BIG-IP v13的系统配置最佳实践,帮助网络工程师构建稳定、安全、高效的负载均衡环境。
系统架构设计
#
1. 硬件规划与选型
– **性能需求分析**:根据业务流量预估选择合适型号
– **高可用性设计**:推荐Active-Standby或Active-Active部署
– **网络接口规划**:管理口、业务口、HA同步口分离
#
2. 初始系统配置
##
2.1 基础网络配置
管理IP配置
tmsh create /net self mgmt_self address 10.0.0.10/24
VLAN配置
tmsh create /net vlan internal { interfaces add { 1.1 } }
tmsh create /net vlan external { interfaces add { 1.2 } }
默认路由配置
tmsh create /net route default gw 10.0.0.1
##
2.2 系统参数优化
调整TCP参数
tmsh modify /sys db tcp.ecn.value "enabled"
tmsh modify /sys db tcp.timestamps.value "enabled"
内存优化
tmsh modify /sys db tm.reqpool.global.size "default"
tmsh modify /sys db connection.mirroring.mode "replicate"
核心功能配置
#
3. 虚拟服务器配置
##
3.1 HTTP负载均衡配置
创建Pool
tmsh create ltm pool web_pool {
members add {
192.168.1.10:80
192.168.1.11:80
}
monitor http
load-balancing-mode least-connections-member
}
创建Virtual Server
tmsh create ltm virtual web_vs {
destination 203.0.113.10:80
ip-protocol tcp
pool web_pool
profiles {
http { }
tcp { }
}
source-address-translation {
type automap
}
}
##
3.2 SSL卸载配置
导入SSL证书
tmsh install sys crypto cert from-local-file \
/var/tmp/server.crt cert-name web_cert
tmsh install sys crypto key from-local-file \
/var/tmp/server.key key-name web_key
创建Client SSL Profile
tmsh create ltm profile client-ssl clientssl_secure {
cert-key-chain {
default {
cert web_cert
key web_key
}
}
ciphers "DEFAULT:!SSLv3:!TLSv1"
options { dont-insert-empty-fragments }
}
更新Virtual Server支持SSL
tmsh modify ltm virtual web_vs {
destination 203.0.113.10:443
profiles add { clientssl_secure }
}
#
4. 健康检查配置
##
4.1 自定义健康检查
HTTP健康检查
tmsh create ltm monitor http custom_http_monitor {
interval 5
timeout 16
send "GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
recv "200 OK"
}
TCP健康检查
tmsh create ltm monitor tcp custom_tcp_monitor {
interval 10
timeout 31
send "PING\r\n"
recv "PONG"
}
##
4.2 高级健康检查策略
创建健康检查规则
tmsh create ltm rule health_check_rule {
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/health" } {
HTTP::respond 200 content "OK"
}
}
}
安全配置
#
5. 访问控制与防火墙
##
5.1 iRules安全防护
DDoS防护规则
tmsh create ltm rule ddos_protection {
when CLIENT_ACCEPTED {
连接速率限制
if { [class match [IP::client_addr] equals blacklist] } {
reject
}
新建连接限制
set conn_rate [table lookup -subtable conn_rate [IP::client_addr]]
if { $conn_rate > 100 } {
log local0. "DDoS attack detected from [IP::client_addr]"
reject
}
table set -subtable conn_rate [IP::client_addr] "1" 60 10
}
}
##
5.2 网络防火墙配置
创建安全策略
tmsh create security firewall policy web_firewall {
rules {
allow_http {
ip-protocol tcp
destination { ports { 80 443 } }
action accept
}
deny_all {
action drop
}
}
}
应用防火墙策略
tmsh modify ltm virtual web_vs {
security-firewall-policy web_firewall
}
#
6. WAF配置(Web应用防火墙)
##
6.1 ASM策略配置
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
##
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
– **性能需求分析**:根据业务流量预估选择合适型号
– **高可用性设计**:推荐Active-Standby或Active-Active部署
– **网络接口规划**:管理口、业务口、HA同步口分离
2. 初始系统配置
##
2.1 基础网络配置
管理IP配置
tmsh create /net self mgmt_self address 10.0.0.10/24
VLAN配置
tmsh create /net vlan internal { interfaces add { 1.1 } }
tmsh create /net vlan external { interfaces add { 1.2 } }
默认路由配置
tmsh create /net route default gw 10.0.0.1
##
2.2 系统参数优化
调整TCP参数
tmsh modify /sys db tcp.ecn.value "enabled"
tmsh modify /sys db tcp.timestamps.value "enabled"
内存优化
tmsh modify /sys db tm.reqpool.global.size "default"
tmsh modify /sys db connection.mirroring.mode "replicate"
核心功能配置
#
3. 虚拟服务器配置
##
3.1 HTTP负载均衡配置
创建Pool
tmsh create ltm pool web_pool {
members add {
192.168.1.10:80
192.168.1.11:80
}
monitor http
load-balancing-mode least-connections-member
}
创建Virtual Server
tmsh create ltm virtual web_vs {
destination 203.0.113.10:80
ip-protocol tcp
pool web_pool
profiles {
http { }
tcp { }
}
source-address-translation {
type automap
}
}
##
3.2 SSL卸载配置
导入SSL证书
tmsh install sys crypto cert from-local-file \
/var/tmp/server.crt cert-name web_cert
tmsh install sys crypto key from-local-file \
/var/tmp/server.key key-name web_key
创建Client SSL Profile
tmsh create ltm profile client-ssl clientssl_secure {
cert-key-chain {
default {
cert web_cert
key web_key
}
}
ciphers "DEFAULT:!SSLv3:!TLSv1"
options { dont-insert-empty-fragments }
}
更新Virtual Server支持SSL
tmsh modify ltm virtual web_vs {
destination 203.0.113.10:443
profiles add { clientssl_secure }
}
#
4. 健康检查配置
##
4.1 自定义健康检查
HTTP健康检查
tmsh create ltm monitor http custom_http_monitor {
interval 5
timeout 16
send "GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
recv "200 OK"
}
TCP健康检查
tmsh create ltm monitor tcp custom_tcp_monitor {
interval 10
timeout 31
send "PING\r\n"
recv "PONG"
}
##
4.2 高级健康检查策略
创建健康检查规则
tmsh create ltm rule health_check_rule {
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/health" } {
HTTP::respond 200 content "OK"
}
}
}
安全配置
#
5. 访问控制与防火墙
##
5.1 iRules安全防护
DDoS防护规则
tmsh create ltm rule ddos_protection {
when CLIENT_ACCEPTED {
连接速率限制
if { [class match [IP::client_addr] equals blacklist] } {
reject
}
新建连接限制
set conn_rate [table lookup -subtable conn_rate [IP::client_addr]]
if { $conn_rate > 100 } {
log local0. "DDoS attack detected from [IP::client_addr]"
reject
}
table set -subtable conn_rate [IP::client_addr] "1" 60 10
}
}
##
5.2 网络防火墙配置
创建安全策略
tmsh create security firewall policy web_firewall {
rules {
allow_http {
ip-protocol tcp
destination { ports { 80 443 } }
action accept
}
deny_all {
action drop
}
}
}
应用防火墙策略
tmsh modify ltm virtual web_vs {
security-firewall-policy web_firewall
}
#
6. WAF配置(Web应用防火墙)
##
6.1 ASM策略配置
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
##
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
管理IP配置
tmsh create /net self mgmt_self address 10.0.0.10/24
VLAN配置
tmsh create /net vlan internal { interfaces add { 1.1 } }
tmsh create /net vlan external { interfaces add { 1.2 } }
默认路由配置
tmsh create /net route default gw 10.0.0.1
2.2 系统参数优化
调整TCP参数
tmsh modify /sys db tcp.ecn.value "enabled"
tmsh modify /sys db tcp.timestamps.value "enabled"
内存优化
tmsh modify /sys db tm.reqpool.global.size "default"
tmsh modify /sys db connection.mirroring.mode "replicate"
调整TCP参数
tmsh modify /sys db tcp.ecn.value "enabled"
tmsh modify /sys db tcp.timestamps.value "enabled"
内存优化
tmsh modify /sys db tm.reqpool.global.size "default"
tmsh modify /sys db connection.mirroring.mode "replicate"
核心功能配置
#
3. 虚拟服务器配置
##
3.1 HTTP负载均衡配置
创建Pool
tmsh create ltm pool web_pool {
members add {
192.168.1.10:80
192.168.1.11:80
}
monitor http
load-balancing-mode least-connections-member
}
创建Virtual Server
tmsh create ltm virtual web_vs {
destination 203.0.113.10:80
ip-protocol tcp
pool web_pool
profiles {
http { }
tcp { }
}
source-address-translation {
type automap
}
}
##
3.2 SSL卸载配置
导入SSL证书
tmsh install sys crypto cert from-local-file \
/var/tmp/server.crt cert-name web_cert
tmsh install sys crypto key from-local-file \
/var/tmp/server.key key-name web_key
创建Client SSL Profile
tmsh create ltm profile client-ssl clientssl_secure {
cert-key-chain {
default {
cert web_cert
key web_key
}
}
ciphers "DEFAULT:!SSLv3:!TLSv1"
options { dont-insert-empty-fragments }
}
更新Virtual Server支持SSL
tmsh modify ltm virtual web_vs {
destination 203.0.113.10:443
profiles add { clientssl_secure }
}
#
4. 健康检查配置
##
4.1 自定义健康检查
HTTP健康检查
tmsh create ltm monitor http custom_http_monitor {
interval 5
timeout 16
send "GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
recv "200 OK"
}
TCP健康检查
tmsh create ltm monitor tcp custom_tcp_monitor {
interval 10
timeout 31
send "PING\r\n"
recv "PONG"
}
##
4.2 高级健康检查策略
创建健康检查规则
tmsh create ltm rule health_check_rule {
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/health" } {
HTTP::respond 200 content "OK"
}
}
}
安全配置
#
5. 访问控制与防火墙
##
5.1 iRules安全防护
DDoS防护规则
tmsh create ltm rule ddos_protection {
when CLIENT_ACCEPTED {
连接速率限制
if { [class match [IP::client_addr] equals blacklist] } {
reject
}
新建连接限制
set conn_rate [table lookup -subtable conn_rate [IP::client_addr]]
if { $conn_rate > 100 } {
log local0. "DDoS attack detected from [IP::client_addr]"
reject
}
table set -subtable conn_rate [IP::client_addr] "1" 60 10
}
}
##
5.2 网络防火墙配置
创建安全策略
tmsh create security firewall policy web_firewall {
rules {
allow_http {
ip-protocol tcp
destination { ports { 80 443 } }
action accept
}
deny_all {
action drop
}
}
}
应用防火墙策略
tmsh modify ltm virtual web_vs {
security-firewall-policy web_firewall
}
#
6. WAF配置(Web应用防火墙)
##
6.1 ASM策略配置
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
##
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
3. 虚拟服务器配置
##
3.1 HTTP负载均衡配置
创建Pool
tmsh create ltm pool web_pool {
members add {
192.168.1.10:80
192.168.1.11:80
}
monitor http
load-balancing-mode least-connections-member
}
创建Virtual Server
tmsh create ltm virtual web_vs {
destination 203.0.113.10:80
ip-protocol tcp
pool web_pool
profiles {
http { }
tcp { }
}
source-address-translation {
type automap
}
}
##
3.2 SSL卸载配置
导入SSL证书
tmsh install sys crypto cert from-local-file \
/var/tmp/server.crt cert-name web_cert
tmsh install sys crypto key from-local-file \
/var/tmp/server.key key-name web_key
创建Client SSL Profile
tmsh create ltm profile client-ssl clientssl_secure {
cert-key-chain {
default {
cert web_cert
key web_key
}
}
ciphers "DEFAULT:!SSLv3:!TLSv1"
options { dont-insert-empty-fragments }
}
更新Virtual Server支持SSL
tmsh modify ltm virtual web_vs {
destination 203.0.113.10:443
profiles add { clientssl_secure }
}
#
4. 健康检查配置
##
4.1 自定义健康检查
HTTP健康检查
tmsh create ltm monitor http custom_http_monitor {
interval 5
timeout 16
send "GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
recv "200 OK"
}
TCP健康检查
tmsh create ltm monitor tcp custom_tcp_monitor {
interval 10
timeout 31
send "PING\r\n"
recv "PONG"
}
##
4.2 高级健康检查策略
创建健康检查规则
tmsh create ltm rule health_check_rule {
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/health" } {
HTTP::respond 200 content "OK"
}
}
}
安全配置
#
5. 访问控制与防火墙
##
5.1 iRules安全防护
DDoS防护规则
tmsh create ltm rule ddos_protection {
when CLIENT_ACCEPTED {
连接速率限制
if { [class match [IP::client_addr] equals blacklist] } {
reject
}
新建连接限制
set conn_rate [table lookup -subtable conn_rate [IP::client_addr]]
if { $conn_rate > 100 } {
log local0. "DDoS attack detected from [IP::client_addr]"
reject
}
table set -subtable conn_rate [IP::client_addr] "1" 60 10
}
}
##
5.2 网络防火墙配置
创建安全策略
tmsh create security firewall policy web_firewall {
rules {
allow_http {
ip-protocol tcp
destination { ports { 80 443 } }
action accept
}
deny_all {
action drop
}
}
}
应用防火墙策略
tmsh modify ltm virtual web_vs {
security-firewall-policy web_firewall
}
#
6. WAF配置(Web应用防火墙)
##
6.1 ASM策略配置
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
##
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
创建Pool
tmsh create ltm pool web_pool {
members add {
192.168.1.10:80
192.168.1.11:80
}
monitor http
load-balancing-mode least-connections-member
}
创建Virtual Server
tmsh create ltm virtual web_vs {
destination 203.0.113.10:80
ip-protocol tcp
pool web_pool
profiles {
http { }
tcp { }
}
source-address-translation {
type automap
}
}
3.2 SSL卸载配置
导入SSL证书
tmsh install sys crypto cert from-local-file \
/var/tmp/server.crt cert-name web_cert
tmsh install sys crypto key from-local-file \
/var/tmp/server.key key-name web_key
创建Client SSL Profile
tmsh create ltm profile client-ssl clientssl_secure {
cert-key-chain {
default {
cert web_cert
key web_key
}
}
ciphers "DEFAULT:!SSLv3:!TLSv1"
options { dont-insert-empty-fragments }
}
更新Virtual Server支持SSL
tmsh modify ltm virtual web_vs {
destination 203.0.113.10:443
profiles add { clientssl_secure }
}
导入SSL证书
tmsh install sys crypto cert from-local-file \
/var/tmp/server.crt cert-name web_cert
tmsh install sys crypto key from-local-file \
/var/tmp/server.key key-name web_key
创建Client SSL Profile
tmsh create ltm profile client-ssl clientssl_secure {
cert-key-chain {
default {
cert web_cert
key web_key
}
}
ciphers "DEFAULT:!SSLv3:!TLSv1"
options { dont-insert-empty-fragments }
}
更新Virtual Server支持SSL
tmsh modify ltm virtual web_vs {
destination 203.0.113.10:443
profiles add { clientssl_secure }
}
#
4. 健康检查配置
##
4.1 自定义健康检查
HTTP健康检查
tmsh create ltm monitor http custom_http_monitor {
interval 5
timeout 16
send "GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
recv "200 OK"
}
TCP健康检查
tmsh create ltm monitor tcp custom_tcp_monitor {
interval 10
timeout 31
send "PING\r\n"
recv "PONG"
}
##
4.2 高级健康检查策略
创建健康检查规则
tmsh create ltm rule health_check_rule {
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/health" } {
HTTP::respond 200 content "OK"
}
}
}
安全配置
#
5. 访问控制与防火墙
##
5.1 iRules安全防护
DDoS防护规则
tmsh create ltm rule ddos_protection {
when CLIENT_ACCEPTED {
连接速率限制
if { [class match [IP::client_addr] equals blacklist] } {
reject
}
新建连接限制
set conn_rate [table lookup -subtable conn_rate [IP::client_addr]]
if { $conn_rate > 100 } {
log local0. "DDoS attack detected from [IP::client_addr]"
reject
}
table set -subtable conn_rate [IP::client_addr] "1" 60 10
}
}
##
5.2 网络防火墙配置
创建安全策略
tmsh create security firewall policy web_firewall {
rules {
allow_http {
ip-protocol tcp
destination { ports { 80 443 } }
action accept
}
deny_all {
action drop
}
}
}
应用防火墙策略
tmsh modify ltm virtual web_vs {
security-firewall-policy web_firewall
}
#
6. WAF配置(Web应用防火墙)
##
6.1 ASM策略配置
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
##
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
4.1 自定义健康检查
HTTP健康检查
tmsh create ltm monitor http custom_http_monitor {
interval 5
timeout 16
send "GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
recv "200 OK"
}
TCP健康检查
tmsh create ltm monitor tcp custom_tcp_monitor {
interval 10
timeout 31
send "PING\r\n"
recv "PONG"
}
HTTP健康检查
tmsh create ltm monitor http custom_http_monitor {
interval 5
timeout 16
send "GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
recv "200 OK"
}
TCP健康检查
tmsh create ltm monitor tcp custom_tcp_monitor {
interval 10
timeout 31
send "PING\r\n"
recv "PONG"
}
##
4.2 高级健康检查策略
创建健康检查规则
tmsh create ltm rule health_check_rule {
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/health" } {
HTTP::respond 200 content "OK"
}
}
}
安全配置
#
5. 访问控制与防火墙
##
5.1 iRules安全防护
DDoS防护规则
tmsh create ltm rule ddos_protection {
when CLIENT_ACCEPTED {
连接速率限制
if { [class match [IP::client_addr] equals blacklist] } {
reject
}
新建连接限制
set conn_rate [table lookup -subtable conn_rate [IP::client_addr]]
if { $conn_rate > 100 } {
log local0. "DDoS attack detected from [IP::client_addr]"
reject
}
table set -subtable conn_rate [IP::client_addr] "1" 60 10
}
}
##
5.2 网络防火墙配置
创建安全策略
tmsh create security firewall policy web_firewall {
rules {
allow_http {
ip-protocol tcp
destination { ports { 80 443 } }
action accept
}
deny_all {
action drop
}
}
}
应用防火墙策略
tmsh modify ltm virtual web_vs {
security-firewall-policy web_firewall
}
#
6. WAF配置(Web应用防火墙)
##
6.1 ASM策略配置
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
##
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
创建健康检查规则
tmsh create ltm rule health_check_rule {
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/health" } {
HTTP::respond 200 content "OK"
}
}
}
安全配置
#
5. 访问控制与防火墙
##
5.1 iRules安全防护
DDoS防护规则
tmsh create ltm rule ddos_protection {
when CLIENT_ACCEPTED {
连接速率限制
if { [class match [IP::client_addr] equals blacklist] } {
reject
}
新建连接限制
set conn_rate [table lookup -subtable conn_rate [IP::client_addr]]
if { $conn_rate > 100 } {
log local0. "DDoS attack detected from [IP::client_addr]"
reject
}
table set -subtable conn_rate [IP::client_addr] "1" 60 10
}
}
##
5.2 网络防火墙配置
创建安全策略
tmsh create security firewall policy web_firewall {
rules {
allow_http {
ip-protocol tcp
destination { ports { 80 443 } }
action accept
}
deny_all {
action drop
}
}
}
应用防火墙策略
tmsh modify ltm virtual web_vs {
security-firewall-policy web_firewall
}
#
6. WAF配置(Web应用防火墙)
##
6.1 ASM策略配置
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
##
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
5.1 iRules安全防护
DDoS防护规则
tmsh create ltm rule ddos_protection {
when CLIENT_ACCEPTED {
连接速率限制
if { [class match [IP::client_addr] equals blacklist] } {
reject
}
新建连接限制
set conn_rate [table lookup -subtable conn_rate [IP::client_addr]]
if { $conn_rate > 100 } {
log local0. "DDoS attack detected from [IP::client_addr]"
reject
}
table set -subtable conn_rate [IP::client_addr] "1" 60 10
}
}
DDoS防护规则
tmsh create ltm rule ddos_protection {
when CLIENT_ACCEPTED {
连接速率限制
if { [class match [IP::client_addr] equals blacklist] } {
reject
}
新建连接限制
set conn_rate [table lookup -subtable conn_rate [IP::client_addr]]
if { $conn_rate > 100 } {
log local0. "DDoS attack detected from [IP::client_addr]"
reject
}
table set -subtable conn_rate [IP::client_addr] "1" 60 10
}
}
##
5.2 网络防火墙配置
创建安全策略
tmsh create security firewall policy web_firewall {
rules {
allow_http {
ip-protocol tcp
destination { ports { 80 443 } }
action accept
}
deny_all {
action drop
}
}
}
应用防火墙策略
tmsh modify ltm virtual web_vs {
security-firewall-policy web_firewall
}
#
6. WAF配置(Web应用防火墙)
##
6.1 ASM策略配置
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
##
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
创建安全策略
tmsh create security firewall policy web_firewall {
rules {
allow_http {
ip-protocol tcp
destination { ports { 80 443 } }
action accept
}
deny_all {
action drop
}
}
}
应用防火墙策略
tmsh modify ltm virtual web_vs {
security-firewall-policy web_firewall
}
6. WAF配置(Web应用防火墙)
##
6.1 ASM策略配置
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
##
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
创建安全策略
tmsh create security firewall policy asm_policy {
enforcement-mode blocking
protocol-independent-mode enabled
OWASP Top 10防护
attack-signatures {
include-all
}
文件上传防护
file-types {
block { "exe" "bat" "sh" }
}
}
6.2 自定义防护规则
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
SQL注入防护
tmsh create security firewall rule sql_injection_protection {
description "SQL Injection Protection"
condition {
http-uri contains { "union" "select" "insert" "delete" }
}
action block
}
高可用性配置
#
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
7. 设备集群配置
##
7.1 配置同步
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
##
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
配置设备信任
tmsh modify cm device bigip1 {
configsync-ip 10.0.0.10
mirror-ip 10.0.0.10
}
tmsh modify cm device bigip2 {
configsync-ip 10.0.0.11
mirror-ip 10.0.0.11
}
创建同步组
tmsh create cm sync-group sync_group {
devices add { bigip1 bigip2 }
auto-sync enabled
}
7.2 故障切换配置
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
配置故障检测
tmsh modify cm device-group ha_group {
type sync-failover
auto-sync enabled
network-failover enabled
}
心跳检测配置
tmsh modify sys failover {
heartbeat-timeout 60
network-failover enabled
}
监控与维护
#
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
8. 系统监控配置
##
8.1 SNMP配置
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
##
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
启用SNMP
tmsh modify sys snmp communities {
public {
access ro
oid-subset .1
}
}
配置Trap接收器
tmsh modify sys snmp traps enabled
tmsh modify sys snmp trap-destinations {
snmp_server {
community public
host 192.168.1.100
version v2c
}
}
8.2 日志配置
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
配置远程日志
tmsh modify sys syslog remote-servers {
log_server {
host 192.168.1.101
remote-port 514
}
}
设置日志级别
tmsh modify sys log-config destination remote-high-speed-log-hsl {
pool log_pool
protocol tcp
}
#
9. 备份与恢复
##
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
9.1 配置备份
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
创建UCS备份
tmsh save sys ucs /var/local/ucs/backup_$(date +%Y%m%d).ucs
自动备份脚本
!/bin/bash
BACKUP_DIR="/var/local/backups"
DATE=$(date +%Y%m%d_%H%M%S)
tmsh save sys ucs ${BACKUP_DIR}/config_${DATE}.ucs
find ${BACKUP_DIR} -name "*.ucs" -mtime +30 -delete
##
9.2 恢复流程
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
从UCS恢复配置
tmsh load sys ucs /var/local/ucs/backup_20240101.ucs no-license
验证配置
tmsh list ltm virtual
tmsh list ltm pool
性能优化
#
10. 性能调优参数
##
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
10.1 TCP优化
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
TCP缓冲区优化
tmsh modify sys db tcp.advwinscale "2"
tmsh modify sys db tcp.sack "enabled"
tmsh modify sys db tcp.timestamps "enabled"
连接管理优化
tmsh modify ltm profile tcp tcp-optimized {
idle-timeout 300
nagle-algorithm disabled
}
##
10.2 内存与CPU优化
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
内存分配优化
tmsh modify sys db tm.reqpool.global.size "1024"
tmsh modify sys db connection.mirroring.mode "replicate"
CPU亲和性设置
tmsh modify sys db cpu.affinity.mask "0xff"
故障排除
#
11. 常见问题解决
##
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
11.1 连接问题排查
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
查看当前连接
tmsh show sys connection cs-server-addr 203.0.113.10
监控虚拟服务器状态
tmsh show ltm virtual web_vs
查看健康检查状态
tmsh show ltm pool web_pool members
##
11.2 性能问题诊断
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
#
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
查看系统性能
tmsh show sys performance
内存使用情况
tmsh show sys memory
CPU使用率
tmsh show sys cpu
12. 诊断工具使用
##
12.1 tcpdump抓包
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
##
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
抓取特定虚拟服务器流量
tcpdump -ni 0.0:nnnp host 203.0.113.10 -w /var/tmp/traffic.pcap
分析SSL握手
tcpdump -ni 0.0:nnnp port 443 -w /var/tmp/ssl.pcap
12.2 qkview收集诊断信息
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
生成诊断包
qkview -f /var/tmp/diagnostics.qkview
仅收集必要信息
qkview -s -f /var/tmp/minimal.qkview
最佳实践总结
#
13. 配置管理建议
13. 配置管理建议
1. **版本控制**:所有配置变更应通过变更管理系统
2. **文档化**:详细记录每个配置项的目的和参数
3. **测试验证**:在生产环境部署前进行充分测试
4. **备份策略**:定期备份配置并验证恢复流程
#
14. 安全建议
1. **最小权限原则**:仅开放必要的服务和端口
2. **定期更新**:及时应用安全补丁和版本更新
3. **监控告警**:配置安全事件监控和实时告警
4. **审计日志**:保留完整的操作和访问日志
#
15. 性能建议
1. **容量规划**:根据业务增长规划硬件资源
2. **监控基线**:建立性能基线,及时发现异常
3. **定期优化**:根据监控数据持续优化配置
4. **压力测试**:定期进行压力测试验证性能
结语
F5 BIG-IP v13 作为企业级负载均衡解决方案,通过合理的配置和优化,能够为关键业务应用提供高性能、高可用、高安全的服务保障。本文提供的配置最佳实践涵盖了从基础部署到高级优化的各个方面,帮助网络工程师构建稳定可靠的负载均衡环境。
**关键词**: F5 BIG-IP, 负载均衡, 系统配置, 高可用性, 安全防护, 性能优化, 企业网络