HP ProCurve Application Integration Guide Delivering HP ProCurve Switching and Threat Management Services (TMS) Scalability and Availability with F5 Networks BIG-IP Local Traffic Manager (LTM)



Introduction ... 3
Solution architecture ... 3
    Description ... 3
    Typical topologies ... 3
    Solution components ... 6
Solution configuration ... 6
    Test configuration ... 6
    Test topology ... 7
    Configuration steps ... 7
Solution test results ... 8
    Test objectives ... 8
    Test cases ... 8
    Test results ... 9
    Conclusion ... 9
Design considerations ... 10
    Best practices ... 10
References ... 11
    Solution information ... 11
    Product documentation ... 11
    Technical training courses ... 11
    Support ... 11
Appendix A: configuration information ... 12
    ProCurve switch VLAN and route configuration ... 12
    ProCurve Threat Management Services zl Module installation and configuration ... 12
    BIG-IP LTM platform configuration ... 13
    BIG-IP LTM network configuration ... 13
    BIG-IP LTM local traffic management configuration ... 14


Introduction

Application Delivery Controllers (ADC) offer a set of critical network and application services which help reduce equipment and support costs by optimizing the utilization and performance of applications, servers, firewalls and other inline networking equipment. The ADC solutions jointly offered by HP ProCurve and F5 enable large enterprise companies to improve application performance, availability and scalability.

Two key use models are detailed:

• A typical Enterprise Data Center server scalability and availability configuration using load balancing, SSL acceleration, connection mirroring, and session persistence.

• A ProCurve Threat Management Services (TMS) “Sandwich” designed to increase overall TMS scalability and availability while ensuring Data Center security.

A wide range of tests was performed, designed to assure solution interoperability and key functionality. The test cases, results and best practices are discussed below.

Solution architecture

Description

The solution consists of ProCurve Data Center focused switching products, the ProCurve Threat Management Services (TMS) module, and F5 BIG-IP Local Traffic Manager (LTM) Application Delivery Controllers in both single-tier and multi-tier (sandwich) arrangements.

The combination of ProCurve and F5 Networks to provide switching, TMS, and ADC components enables some unique capabilities compared to other competitive options. These capabilities include:

• Business continuity and resiliency for critical network systems and applications.

• Application fluency enabling network-speed full payload inspection, and programmable, event-based traffic management to understand and act upon application flows.

• Reduced Server and Bandwidth Cost – Triples server capacity through a rich set of infrastructure optimization capabilities, and reduces bandwidth significantly through intelligent HTTP compression, bandwidth management, and more.

• Industry-leading Performance – Delivers the industry leading traffic management solution to secure, deliver and optimize application performance. As a leader, BIG-IP LTM delivers best-in-class SSL TPS, bulk encryption, and one of the highest levels of concurrent SSL connections.

Typical topologies

This diagram represents a common use model in which two layers of F5 ADCs manage both the inbound and outbound network traffic through multiple in-line ProCurve Threat Management Services (TMS) Modules. This “TMS Sandwich” provides scalability, availability, and virtualization for multiple TMS Modules using advanced load balancing features.


This diagram also illustrates high resiliency within the data center through the use of redundant switches and ADC in active-standby mode.


This next diagram shows another high value basic use model for F5 BIG-IP LTM ADC and HP ProCurve Switching in a consolidated Enterprise Data Center. This solution topology depicts F5 BIG-IP LTM providing server scalability, availability, and virtualization using advanced server load balancing (SLB) features. This solution also provides reduced server processing load with BIG-IP LTM’s SSL offload capabilities by centralizing SSL encryption and certificate management on the F5 device rather than each server. The purpose of including this second solution is to demonstrate the ease in adding this application server solution to an existing TMS firewall solution or vice versa.


Solution components

The following products could be considered when deploying such a solution. The specific test hardware is detailed in section 3 and represents a subset of the potential set of equipment.

ProCurve switches

• 8212 core Data Center switch - Should be equipped with full HW redundancy including power supplies, fabric modules, fans & management modules. Other 3rd party core switches could also be used here if full hitless redundancy is required.

• 5406 distribution layer switch - For larger systems this could be an 8212 or 5412. Selection of 5400 vs. 8200 will depend on the customer’s tolerance for switch failure.

• 6600-24G-4XG Top of Rack Switches if Servers have Gig NICs. For 10G NICs use the 6600-24XG.

• The other switches and workstations shown in the above blueprints are not relevant to these specific solutions, so any industry standard, enterprise class products could be used.

ProCurve Threat Management Services zl Module (TMS)

• ProCurve TMS module for 5400 or 8200 Chassis Switches

• 10G throughput

F5 BIG-IP LTM ADC platforms

The recommended platform will depend on the required performance of each device such as maximum throughput, maximum SSL acceleration, add-on software modules, and maximum L4 and L7 connections.

• Appliance Platforms: BIG-IP 1600, 3600, 6900 or 8900

• Chassis Platforms: VIPRION with 1 to 4 blades

Servers

• Could be any industry grade server. Could be towers, rack-mounted, such as the ProLiant family, or bladed chassis such as the HP c-Class server. The servers can be either physical or virtual.

Solution configuration

Test configuration

Equipment                    Software/Firmware Version            Model Number         Comments
HP ProCurve Switch 5412zl    K.14.09                              J8698A
HP ProCurve TMS zl Module    Services Module Agent: B.01.04.01    J9156A
                             BIOS: HP01R1O1
                             EEPROM: 0001
                             OPTROM: A.01.06
                             TMS: ST.1.0.090213
F5 Networks BIG-IP 3600      BIG-IP 9.4.6 Build 401.0 Final       BIG-IP 3600 Series
F5 Networks BIG-IP 6900      BIG-IP 9.4.6 Build 401.0 Final       BIG-IP 6900 Series
HP ProLiant DL320 G5p        Microsoft Windows 2003 with SP2+     DL320                Clients and Servers
HP ProCurve Switch 6600      K.14.09                              J9263A
HP ProCurve Switch 2626      H.08.05                              J4900B               Management Switch


This diagram details the test configuration designed to represent the “TMS Sandwich” use model, which is a superset of the basic server scalability and availability use case and therefore represents both use cases.

Configuration steps

Configuring the TMS Sandwich is a task for technical consultants possessing moderate to strong experience with the technologies employed. Configuration of the tested solution required the following steps:

• ProCurve Switch VLAN and Route Configuration

• ProCurve Threat Management Services zl Module Installation and Configuration

• BIG-IP Platform Configuration

• BIG-IP Network Configuration

• Multiple Spanning Tree Configuration

• BIG-IP Local Traffic Management Configuration - BIG-IP 3600 Nodes, Pools, Health Monitors, Default Gateway, Wildcard Virtual Server, Virtual Servers, Redundancy, and ConfigSync

• BIG-IP Local Traffic Management Configuration - BIG-IP 6900 Nodes, Pools, Health Monitors, Default Gateway, Wildcard Virtual Server, Virtual Servers, Redundancy, and ConfigSync

For more configuration details, refer to Appendix A.

Test topology


Solution test results

Test objectives

The goal of this set of tests was to assure functionality and interoperability of the ProCurve and F5 devices in both TMS sandwich and server scalability and availability topologies, and to provide a guide for those designing similar systems.

Test cases

• BIG-IP LTM connection persistence – HTTP cookie insert: The Client requests a web page. BIG-IP Virtual Server Persistence is set to “Cookie Insert” persistence. BIG-IP inserts a BIG-IP specific cookie in the server response to the Client along with the requested web page. The cookie sent to the client is valid for a predetermined period of time. While the cookie is valid, the Client will be directed to the Server that filled the request when the cookie was issued.

• BIG-IP LTM connection persistence – source address: The Client requests a web page. BIG-IP Virtual Server Persistence is set to “Source Address” persistence. For the period of time specified in the Source Address Persistence Profile, the Client will be directed to the Server that filled the first request. When the time expires, a different server is possible, but the Client will be ‘glued’ (persisted) to the new server for the Source Address Persistence time period.

• BIG-IP LTM HTTPS to HTTP redirection – client-side SSL acceleration: The Client makes an HTTPS request for a web page to a BIG-IP Virtual Server configured for client-side SSL acceleration. BIG-IP terminates the SSL connection and redirects the request to a Pool of HTTP Nodes instead of a Pool of HTTPS Nodes. When the request is filled by the server, BIG-IP re-encrypts the response and sends it to the Client via SSL.

• ProCurve switch/F5 BIG-IP interoperability – copper and optical link tests: Link test of ESX optical and copper between BIG-IP Platform and ProCurve Switches. Create a trunk between ProCurve and BIG-IP comprised of copper and fibre links with LACP. Reduce/increase the number of links. Test a single ESX and a single copper link under load.

• ProCurve switch/F5 BIG-IP interoperability – LACP trunk tests: The intent of this test is to prove that ProCurve Switches and BIG-IP Trunks function correctly. The tests include support of LACP (active and passive) and will include both copper and fibre connections. Individual links which comprise the Trunks will be enabled or disabled (or link pulls can be used if preferred).

• Load balance across application servers – FTP server: Use FTP as the application to load balance. IxLoad will make hundreds of FTP requests directed to BIG-IP’s FTP Virtual Server. Load must be spread across FTP pool members associated with the virtual server.

• Load balance across Threat Management Services zl Modules: Test load balancing in both directions: from Client to Server, and from Server to Client.

• Load balance across web servers – HTTP server: Use HTTP as the web server protocol to load balance. IXIA IxLoad will make hundreds of HTTP requests directed to BIG-IP’s HTTP Virtual Server. Load must be spread across HTTP pool members associated with that Virtual Server.

• Load balance across web servers – HTTPS (SSL) server: Use HTTPS as the web server protocol to load balance. IXIA IxLoad will make hundreds of HTTPS requests directed to BIG-IP’s HTTPS Virtual Server. Load must be spread across HTTPS pool members associated with that Virtual Server.

• Connection mirroring between BIG-IP redundant pair – FTP server: Start an FTP file transfer and fail over to the standby BIG-IP. The file transfer was observed to continue through the newly active BIG-IP.

• BIG-IP redundant pair device failover: Test BIG-IP failover: serial cable failover, network failover, mirrored connection failover, and VLAN failsafe.

• Dual power supply equipped BIG-IP platform with single power supply failure: A loaded BIG-IP loses a single power supply; users do not lose connectivity, as evidenced by continuous throughput.

• Layer failures: Solution layer fail/recovery. If two components in the same layer fail, no traffic should get through. This test confirms that there are no unexpected data paths in the solution.


• MSTP path failures: Assure that the solution is resilient to link failures that force MSTP to adapt to keep a full-bandwidth or partial-bandwidth path open to ingress and egress. It is not intended to guarantee correct operation of MSTP with BIG-IP, but to make sure that solution paths do not lock in a condition that will not recover or that limits accessibility.

• Solution multi-unit failures: Validate that Clients always have access to web servers and application servers when experiencing a combination of multi-unit failures.

• Solution single-unit failures: Assure that users always have access to web servers and application servers during a single-unit failure of components.

• TMS failures: Confirm that the solution reacts as expected to Threat Management Services zl Module failures.

• TMS signature detection, no load: This test ensures the operation of the IPS in detecting attacks generated by Karalon Traffic IQ Pro.

• TMS signature detection with load: TMS under a 50% load is still able to detect attacks generated by Karalon Traffic IQ Pro.

• TMS signature download: Test signature update in different modes (manual, automatic).

• TMS inbound traffic – allow: DUT must allow access requests from EXT->INT for allowed protocols (HTTP, HTTPS, FTP and Telnet), then limit the allows to occur only from specified Clients.

• TMS inbound traffic – deny: DUT must deny access requests from EXT->INT for the following protocols (HTTP, HTTPS, FTP, and Telnet).

• TMS outbound traffic – allow: DUT must support access requests from INT->EXT for the following protocols (HTTP, HTTPS, FTP, and Telnet).

• TMS outbound traffic – deny: DUT must deny access requests from INT->EXT for the following protocols (HTTP, HTTPS, FTP, and Telnet).

Test results

All of the test cases achieved the expected results and therefore passed. No exceptions were required for this solution.

BIG-IP Failover Testing had some impressive results:

• Serial Cable Failover immediately initiated failover to the standby. The initiation took under a second. The Standby became Active in our test setup in seconds.

• VLAN Failsafe recovered in an average of 6 seconds according to our tests. VLAN Failsafe forces a failover event if the VLAN it is monitoring goes silent for a configurable period of time.

Conclusion

The ProCurve-F5 Networks solutions were tested for compatibility and interoperability using ProCurve 5400 Series Switches and F5 Networks BIG-IP Local Traffic Manager Platforms 3600 and 6900.

The TMS Sandwich solution was comprised of multiple Threat Management Services zl Modules and ProCurve switches interoperating with BIG-IP Platforms running LTM version 9.4.6 software without error. The bi-directional load balancing of multiple TMS Modules provided by the BIG-IP LTM Platforms executed flawlessly.

Adding additional TMS zl Modules to the testing was accomplished by hot-plugging the module into the ProCurve 5400 switch. Configuration of the new module did not interrupt operation of the other TMS Modules. Once the new module was added to BIG-IP Pools on the BIG-IP Platforms, the load was distributed to the new module. Adding a new TMS zl Module is easily accomplished. Availability was proven using high stress loads. In every case, failover scenarios were completed correctly.

One test case involved BIG-IP LTM’s Connection Mirroring feature. The Connection Mirroring feature was implemented in BIG-IP LTM to keep stateful protocols and application connections alive during device failover events. The feature was impressive to see, as FTP gets completed after the standby BIG-IP became Active. It should be noted that the system overhead of enabling BIG-IP LTM Connection Mirroring may reduce BIG-IP LTM Platform performance. If the feature is required for a customer, the size of the BIG-IP Platforms involved may need to be increased. We noted only brief delays (~3 to 5 seconds) when running FTP gets of large files during failover events with Connection Mirroring enabled.


BIG-IP LTM Client-Side SSL Acceleration allows Clients to make requests via SSL without requiring SSL processing by the servers. The BIG-IP terminates the HTTPS client session and initiates an HTTP request to the BIG-IP HTTP Server Pool. The redirection allows the Server filling the request to simply provide the data as required. The Server does not have to handle the SSL handshake with the Client. This feature, if implemented, reduces server load, saving money, as well as significantly reducing the number of certificates purchased and maintained.

Design considerations

Best practices

• BIG-IP backup/restore: Optimizing BIG-IP LTM Platforms in this solution may involve a series of trial configurations. Always make a configuration backup using the BIG-IP System Archives process before and after any change is made to the configuration. Even though BIG-IP has a configuration synchronization utility (ConfigSync) for redundant pair deployments, the utility will not overwrite fundamental BIG-IP Platform configuration that is unique to a platform. As a result, it is necessary to back up each BIG-IP Platform to preserve the data unique to that platform.

Local Traffic Management configuration information (Nodes, Pools, Monitors, Virtual Servers, etc.) can be restored on one BIG-IP Platform and, using ConfigSync, restored to its peer in a redundant pair deployment.

• BIG-IP hardware platform configuration: Each BIG-IP Platform plays a different network role in the solution, so the network-related configuration found in the Network configuration tab (Interfaces, Routes, Self IPs, Spanning Tree, Trunks, and VLANs) must be completed independently on each platform.

• BIG-IP local traffic manager redundant pair configuration synchronization: Local Traffic Manager Configuration (Virtual Servers, Profiles, Pools, Nodes, Monitors, SSL Certificates, etc.) should be completed on one of the BIG-IPs in each redundant pair. Once the configuration has been completed and verified on one of the BIG-IPs, use System -> High Availability -> ConfigSync to configure the other BIG-IP in the pairing. When using ConfigSync, exercise care when selecting the correct direction (Synchronize TO peer or Synchronize FROM peer). Getting the direction of the sync wrong is a definite time sink. See BIG-IP backup/restore above to help avoid or recover from this situation.

• BIG-IP device failover: BIG-IP devices should always be deployed in a redundant pair running in active-standby mode. Either serial or network failover must be configured between each pair.

• BIG-IP power supply failover: Each BIG-IP should be equipped with dual power supplies.

• BIG-IP link failover: Configure several methods of link failover rather than one. For example, adding VLAN Failsafe forces failover when the configured VLAN goes silent. Trunking multiple interfaces allows network traffic to flow as long as one interface in the trunk survives.

•TMS expansion limits: A maximum of four TMS zl Modules are supported in each ProCurve Switch in this solution. The tested TMS Sandwich employed two ProCurve switches containing TMS zl Modules. If one of the two switches fails, the other switch must contain a sufficient number of TMS zl Modules to support the cumulative TMS maximum load.

If more TMS zl Modules are required, additional switches can be added in pairs to host additional TMS zl Modules.

TMS zl Modules can be configured in a high availability mode. This mode is not supported in this solution. All the TMS zl Modules in this solution perform independently. Modules are not aware of other modules’ presence or state.

• TMS QoS/ToS: At present, TMS zl Modules do not support QoS/ToS principles. If a TMS zl Module is overloaded, it drops packets without regard to priority. If the TMS Firewall Solution must support QoS/ToS prioritized packet traffic, a diligent effort should be made to scale the firewall to minimize the possibility of overloading the solution.

•TMS signatures: The Threat Management Services zl Module should be updated with the threat signatures on a regular basis. The frequency of updates can be set using the Management Services zl Module GUI.

•TMS modules require ProCurve zl switches: The Threat Management Services zl Modules must be installed in ProCurve model zl switches. Older ProCurve switches may be available but cannot be used with TMS zl Modules.


•BIG-IP training: BIG-IP LTM offers many features that can be used to optimize network and application traffic. It is highly recommended that product training be obtained before attempting to optimize this solution for a customer.

• BIG-IP help: Use the BIG-IP LTM Web Configuration Utility Help tab when selecting options or configuring BIG-IP. Reading the help screen adds insight to the terminology used and the meaning of screen choices.
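The sizing rule in the TMS expansion limits item (the surviving switch must carry the cumulative TMS load) and the layer-failure and single-unit-failure tests from the test cases can be checked with a small model of the sandwich. The following is an added example, not code from the guide or from HP or F5: the 10G per-module rate and the four-modules-per-switch limit come from the guide, while the two-modules-per-switch layout, the load figures and which BIG-IP pair sits on which side of the TMS layer are assumptions.

```python
"""Failure and capacity model for the TMS Sandwich (added example, not from the guide).

Layers: a BIG-IP active-standby pair, a TMS layer whose modules sit in two
ProCurve 5412zl switches, and a second BIG-IP pair. Which pair is outer or inner
is an assumption; the module count per switch and the loads are constructed values.
"""
import math
from typing import Dict, List, Optional, Set

TMS_MODULE_GBPS = 10          # throughput per TMS zl Module (from the guide)
MAX_MODULES_PER_SWITCH = 4    # expansion limit per switch (from the guide)


class Unit:
    def __init__(self, name: str, host: Optional[str] = None, gbps: float = 0.0):
        self.name = name      # failure handle for this unit
        self.host = host      # switch hosting a TMS module; None for a BIG-IP
        self.gbps = gbps      # capacity contributed while live (TMS modules only)


# Constructed sandwich: two modules in each of the two switches.
LAYERS: Dict[str, List[Unit]] = {
    "bigip_6900_pair": [Unit("6900-1"), Unit("6900-2")],
    "tms": [Unit("5412zl-2:D", "5412zl-2", TMS_MODULE_GBPS),
            Unit("5412zl-2:E", "5412zl-2", TMS_MODULE_GBPS),
            Unit("5412zl-3:D", "5412zl-3", TMS_MODULE_GBPS),
            Unit("5412zl-3:E", "5412zl-3", TMS_MODULE_GBPS)],
    "bigip_3600_pair": [Unit("3600-1"), Unit("3600-2")],
}


def live(layer: str, failed: Set[str]) -> List[Unit]:
    """Units of a layer still in service; a failed switch takes every module it hosts."""
    return [u for u in LAYERS[layer] if u.name not in failed and u.host not in failed]


def path_exists(failed: Set[str]) -> bool:
    """Traffic crosses the sandwich only while every layer keeps at least one live unit."""
    return all(live(layer, failed) for layer in LAYERS)


def tms_capacity_gbps(failed: Set[str]) -> float:
    """The BIG-IPs load balance across the modules, so live TMS capacity is additive."""
    return sum(u.gbps for u in live("tms", failed))


def switches() -> Set[str]:
    return {u.host for u in LAYERS["tms"] if u.host}


def load_carried_after_switch_loss() -> float:
    """Guide's sizing rule: the load one surviving switch can still carry alone."""
    return min(tms_capacity_gbps({sw}) for sw in switches())


def modules_per_switch_for(required_gbps: float) -> Optional[int]:
    """Modules each switch needs so that it alone carries required_gbps;
    None when that exceeds the four-module limit (add switch pairs instead)."""
    needed = math.ceil(required_gbps / TMS_MODULE_GBPS)
    return needed if needed <= MAX_MODULES_PER_SWITCH else None


def single_failures_survive() -> bool:
    """Single-unit failure test: any one unit or one switch may fail without cutting the path."""
    handles = [u.name for units in LAYERS.values() for u in units] + list(switches())
    return all(path_exists({h}) for h in handles)


def layer_loss_blackholes() -> bool:
    """Layer-failure test: losing every unit of one layer must leave no data path."""
    return all(not path_exists({u.name for u in units}) for units in LAYERS.values())


if __name__ == "__main__":
    print("single failures survive:", single_failures_survive())
    print("layer loss black-holes traffic:", layer_loss_blackholes())
    print("load carried with one switch down:", load_carried_after_switch_loss(), "Gbps")
    print("modules per switch for 25 Gbps:", modules_per_switch_for(25))
```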

References

Please refer to the following tools for additional information on the joint HP ProCurve and F5 BIG-IP LTM solution:

Solution information

• ProCurve-F5 BIG-IP LTM solution brief: http://procurve.com/docs/one/F5-Big-IP-Solution-Brief.pdf

• ProCurve ONE: www.procurve.com/one

Product documentation

HP ProCurve product documentation can be found at: http://www.procurve.com/customercare/support/manuals/index.htm

F5 Networks product documentation can be found at: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg_1600_3600.html

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg_6900.html

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/CLI_guide_943.html

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip_ilu_setup_943.html

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip_nsm_guide_943.html

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/LTM_config_guide_943.html

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_sol_guide_943.html

Technical training courses

Please refer to the following link for more information on the ProCurve technical certification programs: http://www.procurve.com/network-training/certifications/technical.htm

Please refer to the following link for more information on F5 technical certification programs: http://www.f5.com/training-support/certification

Support

For technical support on HP products, consult the support pages at http://www.procurve.com/customercare/index.htm

For technical support on F5 Networks products, please visit: http://www.f5.com/training-support/customer-support/


Appendix A: configuration information

ProCurve switch VLAN and route configuration

    5412zl-2# config
    5412zl-2(config)# vlan 20
    5412zl-2(vlan-20)# ip address 125.1.20.1/24
    5412zl-2(vlan-20)# tagged A1, A11
    5412zl-2(vlan-20)# exit
    5412zl-2(config)# vlan 30
    5412zl-2(vlan-30)# ip address 125.1.30.1/24
    5412zl-2(vlan-30)# tagged A4, A8
    5412zl-2(vlan-30)# exit
    5412zl-2(config)# ip route 125.1.40.0 255.255.255.0 125.1.30.105
    5412zl-2(config)# write memory

ProCurve Threat Management Services zl Module installation and configuration

For details regarding the installation and management of HP ProCurve Threat Management Services zl Modules (TMS zl Modules) used in this solution, please refer to the following documents:

Installation and getting started guide: http://cdn.procurve.com/training/Manuals/TMSzlModule-GettingStarted-050109-59925504.pdf

Management and configuration guide: http://cdn.procurve.com/training/Manuals/TMSzlModule-MgmtCfg-050109-59900224.pdf

For this solution, TMS zl Module configuration is broken into five steps:

Step 1: Add each TMS zl Module to VLAN 20 and VLAN 30

    5412zl-2# config
    5412zl-2(config)# show vlan 1
    5412zl-2(config)# vlan 20
    5412zl-2(vlan-20)# tagged D1
    5412zl-2(vlan-20)# exit
    5412zl-2(config)# vlan 30
    5412zl-2(vlan-30)# tagged D1
    5412zl-2(vlan-30)# exit
    5412zl-2(config)# write memory

Step 2: Create a Management zone for the TMS zl Module’s GUI interface by creating an Internal zone and assigning it a virtual IP address

    5412zl-2# services D 2
    5412zl-2(tms-module-D)# configure terminal
    5412zl-2(tms-module-D:config)# management zone internal
    5412zl-2(tms-module-D:config)# vlan 30 zone internal
    5412zl-2(tms-module-D:config)# vlan 30 ip address 125.1.30.150 255.255.255.0


Step 3: Create an External zone and assign it a virtual IP address

    5412zl-2(tms-module-D:config)# vlan 20 zone external
    5412zl-2(tms-module-D:config)# vlan 20 ip address 125.1.20.150 255.255.255.0

Step 4: Configure three static routes for each TMS

    5412zl-2(tms-module-D:config)# ip route 125.1.10.0/24 125.1.20.105
    5412zl-2(tms-module-D:config)# ip route 125.1.40.0/24 125.1.30.105
    5412zl-2(tms-module-D:config)# ip route 0.0.0.0/0 125.1.20.105
    5412zl-2(tms-module-D:config)# write memory

Step 5: Using a supported internet browser, log into the TMS zl Module’s GUI interface and configure the Threat Management Services as required for the customer. Access the management interface using a supported web browser: https://125.1.XX.150
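A route that leaves a TMS zl Module through the wrong zone sends traffic past the policy written for that zone, so the zone assignments of Steps 2 and 3 and the static routes of Step 4 should agree with each other. The following consistency check is an added example, not code from the guide or from HP: it parses the CLI lines above (prompts removed) and verifies that every next hop sits on a connected VLAN and that each route exits through the zone its destination belongs to. Treating 125.1.40.0/24 as the internal (server-side) network is an assumption; the guide does not label the subnets.

```python
"""Zone/route consistency check for the TMS zl Module configuration in Steps 2-4.
Added example, not part of the guide. Assumption: 125.1.40.0/24 is the internal
(server-side) network; everything else is reached through the external zone.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

ZONE_RE = re.compile(r"^vlan (\d+) zone (\w+)$")
ADDR_RE = re.compile(r"^vlan (\d+) ip address (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+)$")

# Transcript of Steps 2-4 from Appendix A, prompts stripped.
TMS_CONFIG = """
management zone internal
vlan 30 zone internal
vlan 30 ip address 125.1.30.150 255.255.255.0
vlan 20 zone external
vlan 20 ip address 125.1.20.150 255.255.255.0
ip route 125.1.10.0/24 125.1.20.105
ip route 125.1.40.0/24 125.1.30.105
ip route 0.0.0.0/0 125.1.20.105
"""

Net = ipaddress.IPv4Network
Route = Tuple[Net, ipaddress.IPv4Address]


def parse(config: str) -> Tuple[Dict[int, str], Dict[int, Net], List[Route]]:
    zones: Dict[int, str] = {}   # VLAN id -> zone name
    nets: Dict[int, Net] = {}    # VLAN id -> subnet of the module's address on that VLAN
    routes: List[Route] = []     # (destination prefix, next hop)
    for raw in config.splitlines():
        line = raw.strip()
        m = ZONE_RE.match(line)
        if m:
            zones[int(m.group(1))] = m.group(2)
            continue
        m = ADDR_RE.match(line)
        if m:
            nets[int(m.group(1))] = ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}").network
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.IPv4Network(m.group(1)), ipaddress.IPv4Address(m.group(2))))
    return zones, nets, routes


def egress_zone(next_hop: ipaddress.IPv4Address, zones: Dict[int, str],
                nets: Dict[int, Net]) -> Optional[str]:
    """Zone of the connected VLAN containing the next hop, or None if unreachable."""
    for vlan, net in nets.items():
        if next_hop in net:
            return zones.get(vlan)
    return None


def check(config: str, internal_nets: List[str]) -> List[str]:
    """Return findings; an empty list means the routes match the zone design."""
    zones, nets, routes = parse(config)
    internal = [ipaddress.IPv4Network(n) for n in internal_nets]
    findings: List[str] = []
    for prefix, next_hop in routes:
        zone = egress_zone(next_hop, zones, nets)
        if zone is None:
            findings.append(f"{prefix}: next hop {next_hop} is on no connected VLAN")
            continue
        # Internal destinations must leave via the internal zone; all others via external.
        expected = "internal" if any(prefix.subnet_of(n) for n in internal) else "external"
        if zone != expected:
            findings.append(f"{prefix}: exits via {zone} zone, expected {expected}")
    if not any(prefix.prefixlen == 0 for prefix, _ in routes):
        findings.append("no default route: traffic to unknown destinations is dropped")
    return findings


if __name__ == "__main__":
    print(check(TMS_CONFIG, ["125.1.40.0/24"]) or "routes consistent with zones")
```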

BIG-IP LTM platform configuration

For details relating to installation and configuration of the BIG-IP 3600 & 6900 platforms, refer to the appropriate Platform Guide for the BIG-IP Platform(s) and BIG-IP LTM version in place. For the platforms and version 9.4.6 used in this document, these can be found at: https://support.f5.com/kb/en-us/products/big-ip_ltm/versions.9_4_6.html

Set up the BIG-IP management interface for each BIG-IP platform

Once the BIG-IP Platform has powered up, use the six round menu buttons to navigate the front panel menu.

• Press the red X button

• Navigate to System > Management > Mgmt IP

• Enter the IP address of the Management Server (125.1.XX.XX) using the four arrow buttons

• Press the green check-symbol button

• In like manner set up the Mgmt Mask (255.255.255.0) and Mgmt Gateway (125.1.XX.1) as appropriate

• Press the down-arrow button to select “commit”

• Press the green check-symbol button twice to commit the change

• Use the red X-symbol button to return to the main menu

Connect to the BIG-IP management interface for the BIG-IP platform to be configured

NOTE: BIG-IP Platforms offer both an SSH or serial console command line interface (CLI) and a Web based graphical user interface (GUI). For this document, the GUI BIG-IP Configuration Utility will be used.

Using the management server, connect to the BIG-IP Platform’s Management IP set above and launch the BIG-IP Configuration Utility.

https://125.1.XX.XX

The default user/password: admin/admin

Note: You may choose to connect a laptop to the “MGMT” RJ-45 connector on the left side of the BIG-IP platform to perform configuration functions using the Mgmt IP configured earlier.

Configure the platform settings for BIG-IP platforms

See specific product documentation.

BIG-IP LTM network configuration

Configure BIG-IP network configuration

Network Configuration includes:

• Creating VLANs

• Adding Interfaces to the VLANs

Network Configuration must be performed on each BIG-IP Platform. See specific product documentation.


Configure self-IPs for BIG-IP platforms

Self-IP addresses are IP addresses that connect the BIG-IP platform interfaces to the networks. For this solution, they are comprised of interface addresses and Floating Self-IP Addresses (a floating IP address that always points to the Active BIG-IP platform in a redundant pair). See specific product documentation.

Configure a route for each BIG-IP platform

See specific product documentation.

Multiple spanning tree (MSTP) configuration Two MSTP Instances were created on each TMS Sandwich component (BIG-IP 3600-1, BIG-IP 3600-2, ProCurve 5412zl-2, ProCurve 5412zl-3, BIG-IP 6900-1, and BIG-IP 6900-2):

• Instance 1 included all of VLAN 20 and its interfaces

• Instance 2 included all of VLAN 30 and its interfaces

See specific product documentation.

Steps to configure MSTP on ProCurve 5400 series switches

    5412zl-2# config
    5412zl-2(config)# spanning-tree
    5412zl-2(config)# spanning-tree instance 1 vlan 20
    5412zl-2(config)# spanning-tree instance 2 vlan 30
    5412zl-2(config)# span config-name firewall-san
    5412zl-2(config)# span config-revision 0
    5412zl-2(config)# spanning-tree instance 1 priority 0
    5412zl-2(config)# spanning-tree instance 2 priority 0
    5412zl-2(config)# spanning-tree priority 0
    5412zl-2(config)# spanning-tree A1 priority 4
    5412zl-2(config)# spanning-tree A4 priority 4
    5412zl-2(config)# span force-version mstp-operation
    5412zl-2(config)# write memory

BIG-IP LTM local traffic management configuration

Node configuration for BIG-IP platforms

BIG-IP LTM load balances objects in designated Pool(s). Pools are comprised of Nodes. For this solution, a Node represents an individual TMS zl Module or an individual Web or Application Server used to service incoming or outgoing Client requests. Nodes for the BIG-IP 3600 Platforms consist of the TMS zl Modules. See specific product documentation.

Health monitor, pools, gateway, virtual server, redundancy, and ConfigSync configuration for BIG-IP platforms

For details relating to installation and configuration of the BIG-IP Platforms, refer to version specific documentation at https://support.f5.com/kb/en-us/products/big-ip_ltm.html?product=big-ip_ltm.

For this solution, the configuration process proceeded as follows:

• Configure a Pool with Health Monitors

• Configure a Default Gateway

• Configure a Virtual Server

• Configure Redundancy

• Configure ConfigSync


Technology for better business outcomes

To learn more, visit: www.hp.com/go/procurve and www.f5.com

© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

4AA2-9421ENW, September 2009