Forum Discussion

dragonflymr
Oct 12, 2015

Cisco CSS 11503 to BIG-IP

Hi,

I have been assigned the task of migrating a CSS (version sg0820801) config to a BIG-IP 2000s. Basically it's a simple config: around 50 content objects (LTM VSs), each using least connection for 4 services on average (F5 pool members) with a TCP monitor and source IP persistence. This part is easy.

However there are parts that are not so obvious:

  • ip opportunistic disable - seems to be not relevant, as BIG-IP by default is using Auto Last Hop - at least that is my understanding of what this setting on CSS is responsible for - but I could be wrong.
  • flow permanent port1 10001 / cmd-sched record reclaim_port1 0,5,10,15,20,25,30,35,40,45,50,55 * * * * "no flow permanent port1;flow permanent port1 10001" - keeping the flow even if there is no traffic or the 3WHS was not finished, cleaning idle flows (I guess the connection table in F5) for 5 minutes. Idle TCP connections are handled by Idle Timeout in the TCP profile; not sure about not fully established connections - 3WHS not completed.
  • circuit VLAN518 description "Public network"

        ip address 192.168.1.1 255.255.255.0
        ip virtual-router 1 priority 101 preempt
        ip redundant-interface 1 192.168.1.100
        ip redundant-vip 1 192.168.1.101
        ip critical-service 1 upstream_downstream

    circuit VLAN412 description "Private internal network"

        ip address 192.168.2.1 255.255.255.0
        ip virtual-router 2 priority 101 preempt
        ip redundant-interface 2 192.168.2.100
        ip critical-service 2 upstream_downstream

    service upstream_downstream
        ip address 192.168.2.103
        keepalive type script ap-kal-pinglist "192.168.1.254 172.16.1.42 172.16.1.43"
        active

    owner HTTP

    content HTTP_Rule_10023
        add service service1-http-10023
        add service service2-http-10023
        sticky-inact-timeout 60
        advanced-balance sticky-srcip
        balance leastconn
        port 10023
        add service service3-http-10023
        vip address 192.168.1.101
        protocol tcp
        add service service4-http-10023
        active

    These seem to be VRRP-related settings - this is however a standalone CSS without any HA config, so I wonder why it's used. Anyway ip redundant-interface looks like a floating IP on F5, ip redundant-vip like a VIP. What puzzles me is ip critical-service. It seems like a kind of transparent monitor for upstream connectivity. The referenced service is using a script that pings three IPs - the default gateway and some IPs reachable via the DG (script ap-kal-pinglist "192.168.1.254 172.16.1.42 172.16.1.43"). I don't know the logic of the script yet (all IPs have to be reachable, one IP, etc.). But I assume that if the script fails the service is marked down, then the VIP is marked down - I wonder what could be set up for F5? Why is it used for both the external interface and the internal one?

  • Another issue is the usage of owner for content objects. There are a few owner defs, each with some content objects. It seems the closest thing to that is a Partition on F5, but is that for sure?

        owner HTTP
        content HTTP_Rule_10023

  • I wonder as well which F5 TCP profile would be closest to the TCP config of the CSS.

I would also like to thank John Alam for creating the conversion scripts and for his patience in answering my questions.

Any ideas/references/real life experience will be of great help to me.

Piotr
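As an added example (not from the post and not John Alam's conversion scripts), here is the straightforward part of the migration in code: a parser for the flattened CSS content rule quoted above that emits the equivalent tmsh pool, source-address persistence profile and virtual server. It assumes CSS sticky-inact-timeout is in minutes while the tmsh persistence timeout is in seconds, and since the CSS service blocks with member IPs are not in the post, member addresses are emitted as labelled placeholders.

```python
# Constructed from the content rule quoted in the post (flattened by the forum).
CSS_CONTENT = ("content HTTP_Rule_10023 add service service1-http-10023 "
               "add service service2-http-10023 sticky-inact-timeout 60 "
               "advanced-balance sticky-srcip balance leastconn port 10023 "
               "add service service3-http-10023 vip address 192.168.1.101 "
               "protocol tcp add service service4-http-10023 active")

# CSS keyword -> number of value tokens that follow it in the CLI.
KEYWORDS = {"add service": 1, "vip address": 1, "sticky-inact-timeout": 1,
            "advanced-balance": 1, "balance": 1, "port": 1, "protocol": 1, "active": 0}
LB_MODES = {"leastconn": "least-connections-member", "roundrobin": "round-robin"}
PERSIST = {"sticky-srcip": "source-addr"}

def parse_content(text):
    """Tokenize a flattened CSS 'content' rule into a dict; services keep their order."""
    toks = text.split()
    rule = {"name": toks[1], "services": []}
    i = 2
    while i < len(toks):
        for width in (2, 1):               # two-word keywords take precedence
            if i + width > len(toks):
                continue
            key = " ".join(toks[i:i + width])
            if key in KEYWORDS:
                val = toks[i + width] if KEYWORDS[key] else True
                if key == "add service":
                    rule["services"].append(val)
                else:
                    rule[key] = val
                i += width + KEYWORDS[key]
                break
        else:
            raise ValueError("unknown CSS token: " + toks[i])
    return rule

def to_tmsh(rule):
    """Emit tmsh commands for the pool, source-address persistence and virtual server."""
    name, port = rule["name"], rule["port"]
    # Member IPs live in CSS 'service' blocks not quoted in the post: placeholders here.
    members = " ".join(f"{s}:{port} {{ address PLACEHOLDER_IP_{s} }}" for s in rule["services"])
    # Assumption: CSS sticky-inact-timeout is in minutes, tmsh persistence timeout in seconds.
    timeout = int(rule.get("sticky-inact-timeout", 0)) * 60
    return [
        f"create ltm pool {name}_pool monitor tcp load-balancing-mode "
        f"{LB_MODES[rule['balance']]} members add {{ {members} }}",
        f"create ltm persistence {PERSIST[rule['advanced-balance']]} {name}_persist "
        f"defaults-from source_addr timeout {timeout}",
        f"create ltm virtual {name} destination {rule['vip address']}:{port} "
        f"ip-protocol {rule['protocol']} pool {name}_pool persist replace-all-with {{ {name}_persist }}",
    ]
```

The owner and ip critical-service questions are deliberately left out: the script only covers the mapping the post already treats as settled.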
