F5 Big-IP NAT session reset

作者:

有時在測試的時候 覺得修改好的NAT設定, 不是預期的效果, 好大機會是還未生效

tmsh show /sys connection

注意, 如果在production裏刪除session有可能用戶會發生連接中斷, 登入了的網站需要重新登入

tmsh delete /sys connection

或者指定某個IP session

tmsh delete /sys connection cs-client-addr 192.168.0.11

F5 BIG-IP NAT load balancer

作者:

預設路由10.0.0.254

設定2個SNAT

設定2個Pool, 留意優先次序

when CLIENT_ACCEPTED {
if { [IP::addr [LB::server addr] equals "8.8.8.8"] } {
pool Pool_10
snatpool SNAT_10
}
elseif { [IP::addr [LB::server addr] equals "8.8.4.4"] } {
pool Pool_20
snatpool SNAT_20
}
else {
snat automap
}
}



除了8.8.8.8和8.8.4.4, 其他的走預設路由

F5 BIG-IP NAT

作者:

測試環境主要在VM裏

假設Interface之前都已經設定好, 首先設定Routing

然後增加一個NAT設定

F5 BIG-IP interface show UNINITIALIZED

作者:

如圖看到Interface全部都是UNINITIALIZED

按Create

看情怳選擇, 我是用Routed Mode

新増2個vLan, 我這個案例是沒有使用vLan Tag, Tag 4094和4093不是802.11的vLan Tag, 只是F5的一個記號, 隨便打就可以

2個Interface已經變成UP

EIGRP Metric 計算

作者:

以下為預設value

K1 = K3 = 1
K2 = K4 = K5 = 0

Metric公式

Metric = 256*((K1*Scaled Bw) + (K2*Scaled Bw)/(256 – Load) + (K3*Scaled Delay)*(K5/(Reliability + K4)))

由於K2, K4, K5預設都是0的原因, 所以公式簡化如下

Metric = 256*(Scaled Bw + Scaled Delay)

離題一下, 我自己試過代入1和0到最原始的公式, (K5/(Reliability + K4))如果是0的話, 應該(K3*Scaled Delay)*0都是0, 不知道為什麼簡化後, Scaled Delay還在, 官方文件說有就有吧

The minimum bandwidth (Bw) of the route, in kilobits per second. It can be 0 or any positive integer. The bandwidth for the formula is scaled and inverted by using the following formula:
Scaled Bw = (10^7/minimum bandwidth (Bw) in kilobits per second)

Route delay, in tens of microseconds
Scaled Delay = (Delay/10)

Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-s/ire-15-s-book/ire-wid-met.pdf

R1

int f0/0
no shut
ip add 192.168.12.1 255.255.255.0

router eigrp 1
no auto
network 192.168.12.0 0.0.0.255

R2

int f0/0
no shut
ip add 192.168.23.2 255.255.255.0

int f0/1
no shut
ip add 192.168.12.2 255.255.255.0

router eigrp 1
no auto
network 192.168.23.0 0.0.0.255
network 192.168.12.0 0.0.0.255

R3

int l0
no shut
ip add 192.168.10.3 255.255.255.0

int f0/1
no shut
ip add 192.168.23.3 255.255.255.0

router eigrp 1
no auto
network 192.168.10.0 0.0.0.255
network 192.168.23.0 0.0.0.255

下圖查看有沒有更改metric設定

由於沒有看到metric的設定, 所以可以用簡化公式計算

Metric = 256*(Scaled Bw + Scaled Delay)

Scaled Bw = (10^7/minimum bandwidth (Bw) in kilobits per second)
Scaled Delay = (Delay/10)

先看192.168.0.0/24的FD是甚麼計算出來
BW = (10^7/8000000)=1.25=1
Delay = (5000/10)=500
Metric = 256*(1 + 500)=128256

再來看看192.168.23.0/24
BW = (10^7/100000)=100
Delay = (100/10)=10
Metric = 256*(100+10)=28160

再來看看R2到R3的192.168.0.0/24, 由於這個網段需要經過next hop 192.168.23.3, 所以BW會R2和R3選最小的, Delay會相加
BW = (10^7/100000)=100
Delay = (100+5000/10)=510
Metric = 256*(100+510)=156160

再來就就是R1去192.168.0.0/24的FD

BW = (10^7/100000)=100
Delay = (100+100+5000/10)=520
Metric = 256*(100+520)=158720

EIGRP offset-list

作者:

現在PC2到PC1的路經: PC2 -> R2 -> R1 -> PC1

利用eigrp的offset-list更改路由, PC2 -> R2 -> R3 -> R1 -> PC1

PC1

ip 10.1.1.10/24 10.1.1.1

PC2

ip 20.1.1.10/24 20.1.1.2

R1

int f0/0
no shut
ip add 12.1.1.1 255.255.255.0

int f0/1
no shut
ip add 13.1.1.1 255.255.255.0

int f1/0
no shut
ip add 10.1.1.1 255.255.255.0

router eigrp 1
no auto
network 12.1.1.0 0.0.0.255
network 13.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255

R2

int f0/0
no shut
ip add 12.1.1.2 255.255.255.0

int f0/1
no shut
ip add 23.1.1.2 255.255.255.0

int f1/0
no shut
ip add 20.1.1.2 255.255.255.0

router eigrp 1
no auto
network 12.1.1.0 0.0.0.255
network 23.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255

R3

int f0/0
no shut
ip add 13.1.1.3 255.255.255.0

int f0/1
no shut
ip add 23.1.1.3 255.255.255.0

router eigrp 1
no auto
network 13.1.1.0 0.0.0.255
network 23.1.1.0 0.0.0.255

PC1 和 PC2已經可以互ping對方 及使用最低的FD連接

現在用offset-list在R2的f0/0, 面向R1發佈增加metric, 由於這個動作是發佈出去, 所以是out

R2

access-list 1 permit 10.1.1.0 0.0.0.255

router eigrp 1
offset-list 1 out 3000 f0/0

12.1.1.1由原來28160增加3000變成31160比23.1.1.3更低

Cisco Policy Based Routing(PBR)

作者:

PC1: 10.0.0.1
Server1: 192.168.5.1

(config)#access-list 100 permit ip host 10.0.0.1 host 192.168.5.1
(config)#route-map PC1toServer1 permit
(config-route-map)# match ip address 100
(config-route-map)# set ip next-hop 172.17.0.1
(config)#int e1/0
(config-if)#ip policy route-map PC1toServer1

# show route-map
route-map PC1toServer1, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 172.17.0.1
Policy routing matches: 9 packets, 540 bytes

#sh ip policy
Interface Route map
Ethernet1/0 PC1toServer1

Bind9 DDNS Ubuntu 22.04

作者:

以下設定在DDNS的Server

apt install bind9

建立一個 ddns 帳號

tsig-keygen -a hmac-sha512 ddns >> /tmp/ddns.key
cat /tmp/ddns.key

key "ddns" {
algorithm hmac-sha512;
secret "lTeWMnY036W3A/Sb775mbAG9QHNiaK+DoQbFyT7k7BDtt12eMIb9ldd0tticGZ2PoSyWnVvB2yR+7zVyBzge2w==";
};

將上面的key貼在下面的設定檔, named.yourddnsdomain.com必須已經預先設定好

vi /etc/bind/named.conf.default-zones
key "ddns" {
algorithm hmac-sha512;
secret "lTeWMnY036W3A/Sb775mbAG9QHNiaK+DoQbFyT7k7BDtt12eMIb9ldd0tticGZ2PoSyWnVvB2yR+7zVyBzge2w==";
};

zone “yourddnsdomain.com" IN {
type master;
file “/var/cache/bind/named.yourddnsdomain.com";
also-notify { xxx.xxx.xxx.xxx; };
update-policy { grant ddns name subdomain.yourddnsdomain.com. A; };
};

以下設定在DDNS的Client

apt install bind9

Copy剛才在Server產生的ddns.key到Client /root/ddns.key

vi /root/do-nsupdate
#!/bin/bash

updateServer=ns1.masterdns.com
updateDomain=subdomain.yourddnsdomain.com
encryptKeyPath="/root/ddns.key"
checkIPWeb="http://checkip.amazonaws.com/"

CURRENT_IP=$(nslookup $updateDomain $updateServer| grep Address | grep -v “#53")
CURRENT_IP=$(echo ${CURRENT_IP:9})

EXT_IP=$(curl $checkIPWeb)

if [ $CURRENT_IP != $EXT_IP ]; then
KEY=$encryptKeyPath

cat <<EOF | nsupdate -k “$KEY"
server $updateServer
update delete $updateDomain. A
update add $updateDomain. 3600 A $EXT_IP
send
EOF
fi

chmod 755 /root/do-nsupdate
vi /etc/crontab
*/5 * * * * root /root/do-nsupdate