Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
163 Cards in this Set
- Front
- Back
|
What are somethings a Virtual Server object does |
1) Distribute client requests across multiple servers to balance server load |
|
|
Can a virtual server share an IP address with a vlan node |
Yes. Create a vlan group that includes the node's vlan, assign a self-ip address to the vlan group, disable the virtual server on the relative vlan. |
|
|
What is a virtual server |
A traffic-management object represented by IP and service port number. Virtual servers increase the availability of resources for processing client requests. |
|
|
What is a forwarding virtual server |
Just like other virtual servers but has no pool members to load balance. It just forwards the packets directly to the destination IP. |
|
|
What are some things LTM does with a forwarding virtual server |
adds, tracks and reaps connections. You can also view statistics. |
|
|
What is a performance (HTTP) virtual server |
A virtual server with which you associate a fast HTTP profile. Together the vs and profile increase the speed at which the VS processes HTTP requests. |
|
|
What is a performance (L4) VS |
A VS that has a fast L4 profile. Speeds up processing of L4 requests. |
|
|
What can a VS do with DHCP |
You can createa VS that relays DHCP between clients and servers in different networks. Known as a DHCP relay agent. |
|
|
What does a DHCP relay agent VS do |
Listens for DHCP client messages being broadcast on the subnet and relays to the server which then sends them back via the f5. |
|
|
What is the criteria for virtual server precedence |
1) First precedent of the algorithm chooses the virtual server that has the longest subnet match for the incoming connection 2) If the number of bits in subnet mask match then the virtual server that has a port match. 3) If no port match is found it uses the wildcard server if a wildcard VS is defined |
|
|
What are the results of the algorithm for order of precedence in VS precedence |
address:port |
|
|
What type of proxy in the LTM TMOS |
Full Proxy for VS configured with a TCP profile. |
|
|
What allows the LTM to maintain compatibility to disparate server OSes |
TCP Profile |
|
|
In full proxy architecture how with the LTM appear |
As a TCP peer to both the client and the server by associating 2 independent TCP connections with the end to end session. |
|
|
Standard virtual server requires |
TCP or UDP profile. HTTP, FTP, SSL profiles are optional. |
|
|
Describe the TCP connection setup for a standard virtual server |
3 way TCP handshake occurs on the clientside before the LTM initiates the TCP handshake on the server side. |
|
|
What are the VS Status indicators for enabled and able to receive traffic |
Green Circle |
|
|
What is the VS status indicator for enabled but unavailable, may become available later. For example: Connection limit exceeded. |
Yellow Triangle |
|
|
What is the VS status indicator for enabled but offline. Must actively enable. |
Red Diamond |
|
|
What is the VS status indicator for Operational but set to disabled. Must actively enable. |
Black Circle |
|
|
What is the VS status indicator for Unknown |
Blue Square |
|
|
Can you create a many to one relationship between Virtual Servers and Virtual Server Addresses |
Yes. 10.1.1.1:80, 10.1.1.1:443, 10.1.1.1:21 for example |
|
|
How do you create a virtual address |
Created indirectly when you first create a virtual server. LTM associates the virtual address with a MAC address. LTM responds to ARP requests and sends gratuitous ARP requests |
|
|
Things to check when troubleshooting VS connectivity |
1) DNS |
|
|
What are examples of VS resources |
POols, iRules and persistence profiles |
|
|
Easy way to see if a VS is unavailable due to lack of resources |
LTM -> Network Map |
|
|
What will a virtual server with an unknown status due with traffic? |
Take in traffic and send on to the resources even if they are not online. |
|
|
Difference between a disabled pool member and pool member marked down by a monitor |
Disabled pool member continues to process persistent and active connections |
|
|
What is the pool member status icon for available and processing |
Green circle |
|
|
What is the pool member status icon for no pool members available but could become available later such as when the concurrent connections to the pool member in question no longer exceeds connection limit |
Yellow Triangle |
|
|
What is the pool member status icon for all pool members unavailable such as EAV monitor has detcted that the pool member is unavailable |
Red Diamond |
|
|
What is the pool member status icon for status of at least one pool member = unknown. |
Blue Square |
|
|
Some reasons why a pool member status might be unknown |
1) One or more pool members has no associated monitor 3) Pool member's IP address not configured |
|
|
What monitor types are not available for association with pools |
Monitors specifically designed to monitor nodes, that is monitors going to an IP address only and not an IPaddress and port. |
|
|
What specific monitors are unavailable for monitoring pools |
1) ICMP |
|
|
What happens when you associate a health monitor with an entire pool instead of individual server |
LTM automatically associates that monitor with all pool members and pool members you add later |
|
|
You can associate multiple monitors with the same pool. For example |
HTTP and HTTPS monitors |
|
|
Describe flexibility of monitoring |
You can monitor multiple processes on the same server and port by associating that server with multiple pools. |
|
|
What does a green circle mean for pool member monitors |
Set to enabled |
|
|
What does a yellow triangle mean for pool member monitors |
Pool member is unavailable but could become availabile later |
|
|
What does a red diamond mean for pool member monitors |
Unavailable because parent node is down, a monitor has marked it as down or a user has disabled the pool member. |
|
|
What does a black circle mean for pool member monitors |
Pool member is set to disabled although a monitor has marked it up. The parent node could also be down. Must enable manually. |
|
|
What does a black diamond mean for pool member monitors |
Set to disabled and is offline because parent node is down or a user disabled or a monitor marked as down. |
|
|
What does a blue square mean for pool member monitors |
Pool member or node has no monitor associated with it. |
|
|
List the ratio-based load balancing methods |
Ratio (node, member and sessions) |
|
|
Difference between connection limit and connection rate limit |
Connection limit = max concurrent connections |
|
|
Point of Persistence |
Ensure client requests are directed to the same pool member through the life of the session or subsequent sessions as required by an app |
|
|
What can session persistence track |
Session data such as the specific pool member User /password |
|
|
Define Cookie Persistence |
Uses an HTTP cookie to allow the client to reconnect to the same server |
|
|
Destination address affinity |
AKA Sticky Persistence, supports TCP and UDP protocols and directs session to the same server based on dest IP |
|
|
Hash persistence |
Create a persistence hash based on an existing iRule |
|
|
MSRDP Persistence |
Maintains persistence specifically for RDP |
|
|
SIP Persistence |
Type of persistence to receive SIP messages sent through UDP, SCTP or TCP |
|
|
Source Address Affinity Persistence |
AKA Simple Persistence, supports TCP and UDP directs based on source IP of the packet |
|
|
SSL Persistence |
Tracks non terminated SSL sessions using SSL session ID. Maintained even when client IP address changes. |
|
|
Universal Persistence |
An expression you write that defines what to persist on in a packet. |
|
|
What is required for fallback persistence |
An IP address based persistence type |
|
|
What's an easy way to see if the client is connecting to the same server resources for validating persistence |
Watermarks on the application pages. If no watermark then |
|
|
Where to find source address persistence methods for troubleshooting |
GUI: Statistics -> Module Statistics -> Local Traffic and select Persistence Records from statistics Type. |
|
|
How to start EUD |
Boot off of CD, USB or select EUD option from boot menu |
|
|
How do you exit EUD |
Use option 21. DO NOT REBOOT |
|
|
Where is EUD report stored |
eud.log is in /shared/log |
|
|
Describe the LCD screen |
Info menu: Find info about LCD and its function |
|
|
How to configure LED alarms |
/etc/alertd/alert.conf. lcdwarn function defines which alerts will modify alarm LED indicator |
|
|
LED alarm logs are stored where |
/var/log/ltm |
|
|
Describe LED buttons |
X for menu |
|
|
What are the log message categories for syslog local logging |
System Messages |
|
|
How do you syslog irules |
Define the local facility |
|
|
Where are packet filter events stored |
/var/log/pktfilter |
|
|
What is required for a stateful failover environment |
Pair configured to mirror current connection table, persistence records and SNAT table. |
|
|
What's one way f5 deals with congestion |
TCP profile has Nagles algorithm setting which reduces congestion by aggregating smaller TCP packets into larger ones. |
|
|
How to view Performance statistics in conf util |
Stastics -> Performance |
|
|
Port lockdown: allow default |
Allows OSPF, iquery (tcp/udp 4353), 443, SNMP (161 UDP/TCP), ssh, tcp/udp dns, RIP and network failover (udp 1026). tmsh list net self-allow for a list |
|
|
Port lockdown: allow none |
everything except ICMP and if in a redundant pair ports that are listed as exceptions are always allowed. ICMP is always allowed, even in custom |
|
|
Default value for packet filter VLAN setting |
All Vlans |
|
|
What is the goal of PAM |
To separate an application, such as BIGIP from its underlying authentication technology |
|
|
How does BIgip normally route remote auth traffic |
Through TMM (Traffic Management MicroKernel) switch interface, that is the interface associated with a vlan and self-ip rather than through mgmt interface. |
|
|
What happens if TMM service is stopped with regards to authentication |
Remote authentication is not available |
|
|
How do you configure and manage auth profiles |
Conf Utility > Main -> Local Traffic -> Authentication |
|
|
What are the Bigip Authentication modules |
LDAP, Radius, TACACS+, SSL Client cert LDAP, OCSP, CRLDP, Kerberos. |
|
|
When opening a case with f5 support what details are required for the description |
1) Symptoms |
|
|
When opening a case with f5 what is the definition of a 'site down' impact |
All network traffic has ceased, critical business impact |
|
|
When opening a case with f5 what is the definition of a 'site at risk' impact |
Primary unit has failed leaving no redundancy. Site is at risk of going down. |
|
|
When opening a case with f5 what is the definition of a 'Performance degrated' impact |
Partially functioning network traffic causing some applications to be unreachable |
|
|
What is required when opening a case: |
1) Description of symptoms/issue |
|
|
How much log info does qkview collect |
5 MB |
|
|
Example of creating a tarball of logs |
tar -czpf /var/log/* |
|
|
What are some info you can provide when opening a case |
qkview |
|
|
Severity 1 case |
1 hour response. Critical business activities down. Device(s) not powering up and/or not passing traffic. |
|
|
Severity 2 case |
1 hour response. Software or hardware conditions preventing or significantly impairing high-level commerce or business activities. |
|
|
Severity 3 case |
4 hour business response. Degrade service or functionality in normal busines or commerce activities. |
|
|
Severity 4 case |
24 hour response. Questions such as how-to, non-critical troubleshooing, requests for enhancements |
|
|
Difference between quantitative and qualitative |
Quantitative observation = Observations that can be precisely measure, eg 20 extra seconds per connection. |
|
|
Network Map shows: |
Virtual Servers |
|
|
Network map icons |
Green circle = enabled and available |
|
|
Difference between a node and a pool member |
Node has an IP |
|
|
What does the analytics module require for monitoring |
The analytics (AVR) module requires an Analytics profile for each application you want to monitor. |
|
|
How many analytics profiles can a VS have associated? |
One |
|
|
What can you customize in analytics profiles |
1) What statistics to collect |
|
|
Syntax for saving ucs |
tmsh save /sys ucs |
|
|
Command to verify that the new or replaced SSH keys from UCS are synchronized |
keyswap.sh sccp |
|
|
Load UCS w/o license |
load /sys ucs no-license |
|
|
List tasks that can be automated by the Enterprise Manager |
Configuration |
|
|
Default number of rotating UCS archives EM will create |
10 |
|
|
What is a pinned archive? |
A UCS archive of a device at a certain place in time |
|
|
Example of EM sub-task |
After installing a new version as a regular task the subtask might be to reboot. |
|
|
Where are custom EM events applied |
To individual devices or a device group |
|
|
What happens when you setup a daily rotating archive schedule in EM? |
EM creates a UCS archive on each day that the managed device configuration changes. |
|
|
What can EM do with SSL certificates |
Monitor expiration status of all the certificates on the managed device. View status of both traffic and system certificates. |
|
|
Difference between EM system and traffic certs |
System = web certs that allow clients to login to conf util |
|
|
EM Certificate status flags |
Red = Cert expired. |
|
|
What does the cpcfg command do |
Allows you to copy a configuration from a specified source boot location to a specified target boot location. |
|
|
What reasons might cpcfg fail |
if you run cpcfg and the target boot location is an earlier version that the source or is the active boot location |
|
|
List possible issues with upgrades |
known issues with release |
|
|
"What is the qkview utility?"
|
"An executable program that generates machine–readable (XML_ diagnostic data from the BIG–IP or Enterprise Manager System.
This automatically generates 5 mb of log files and includes them with qkview in a tar output" |
|
|
"What are core files?"
|
"Core files contain the contents of the system memory at the time a crash occurred."
|
|
|
"Where are core files located?"
|
"/var/savecore directory (9.0 – 9.2.5)
/var/core (9.3 and later)" |
|
|
"What is the network summary?"
|
"WebUi utility that shows a summary of local traffic objects, as well as a visual map of the virtual servers, pool, and pool members on the BIG–IP system"
|
|
|
"If you configure a pool, but no VS references that pool, will it show in the network map?"
|
"No."
|
|
|
"What is the network map?"
|
"A webUI map that presents a visaul hierarchy of the names and status of virtual servers, pools, pool members, nodes, and iRules defined on the system.
Tries to show all objects in context, starting with the virtual server at the top." |
|
|
"What is a virtual server?"
|
"A traffic management object on the BIG–IP system that is represented by an IP address and a service."
|
|
|
"To summarize, a virtual server can do the following:"
|
"1. Distribute client requests across multiple servers to balance server load
2. Apply various behavioral settings to a specific type of traffic 3. Enable persistence for a specific type of traffic 4. Direct traffic according to user–written iRules" |
|
|
"What is a pool?"
|
"A load balancing pool is a logical set of devices, such as web servers, that you group together to receive and process traffic."
|
|
|
"What is a pool members?"
|
"A logical object that represents a physical node (server), on the network."
|
|
|
"What is a node?"
|
"A logical object on the BIG–IP LTM system that identifies the IP address of a physical resource on the network."
|
|
|
"What is the difference between a node and a pool member?"
|
"A node is designated by the devices IP address only (10.10.10.10), while designation of a pool member includes an IP address and a server (10.10.10.10:80)"
|
|
|
"What is the difference between health monitors of a node and of a pool members?"
|
"A health monitor for a pool member reports the status of a service running on the device, whereas a health monitor associated with a node reports the status of the device itself."
|
|
|
"What is the main Dashaboard screen and what does it display?"
|
"The main Dashboard screen is of the system overview. This screen displays a graphical representation of CPU and Memory utiliation, Connections and Throughput of the system."
|
|
|
"What is Analytics?"
|
"Analytics is a module on the BIG–IP system that lets you analyze performance of web applications."
|
|
|
"What is Analytics also refered to as?"
|
"Application Visibility and Reporting"
|
|
|
"What are some things that Analytics shows?"
|
"– Transactions per second
– Server and Client Latency – Request and Response throughput – Sessions" |
|
|
"What all can you view metrics for with Analytics?"
|
"– Applications
– Virtual Servers – Pool Members – URLs – Specific Countries – Application Traffic" |
|
|
"What is an Analytics profile?"
|
"A set of definitions that determine the circumstances under which the system gathers, logs, notifies, and graphically displays information regarding traffic to an application"
|
|
|
"In the Analytics profile, you customize what? (4)"
|
"1. What statistics to collect
2. Where to collect data (locally, remotely, both) 3. Whether to capture traffic itself 4. Whether to send notifications" |
|
|
"What ways can you restoring configuration data? (4)"
|
"1. Configuration Utility
2. CLI using tmsh 3. On replacement RMA 4. Running later software version" |
|
|
"How to restart the system in the configuration utility?"
|
"System –> Configuration –> Reboot"
|
|
|
"When is the UCS archive actually restored when done on the same device it was taken?"
|
"After a reboot of the device"
|
|
|
"What is an alternative way to reactivate the BIG–IP system after a UCS restore done on a different device?"
|
"Replace the /config/bigip.license file with the original file.
If you don't you simply re–license the system." |
|
|
"According to the Study Guide, when should to create a UCS?"
|
"Prior to the change and after the change for both active and stand–by systems"
|
|
|
"What does the EM compare when it created a rotating archive?"
|
"It compares the most recently stored UCS archive file to the current configuration on the device at the specified interval. If there are any difference, EM stores a copy of the current configuration. If there are not, it does not store an additional copy (Read: extra space)"
|
|
|
"By default, the EM stores up to how many rotating archives?"
|
"Up to 10 rotating archives each, for itself and every managed device."
|
|
|
"What is a pinning archive?"
|
"EM created an archive of a specific UCS for a device. Pinned archives are stored until you delete them"
|
|
|
"Path to create a scheduled archive on the EM?"
|
"Enterprise Management –> Tasks –> Schedules –> Archive Collection –> Create"
|
|
|
"Where will you a see a task failure on the EM?"
|
"In the 'Task List'"
|
|
|
"What happens when you set a node or pool to Disabled?"
|
"The node or pool member continues to process persistent and active connections. It can accept new connections only if the connections belong to an existing persistence session."
|
|
|
"What happens when you set a node or pool to Forced Offline?"
|
"The node or pool members allows existing connections to time out, but no new connections are allowed."
|
|
|
"What is an example case for disabling a member?"
|
"If the administrator needs to make changes, such as configuration maintenance to a server, that is the resource of a pool, but wants to gracefully allow users to finish what they are doing."
|
|
|
"What is an example case for forcing down a member?"
|
"If the administrator needs to take a resource out of a pool immediately due to a critical misconfiguration or system error that is impacting business."
|
|
|
"If a virtual server is using persistence and the administrator sets the pool to 'Disabled,' what will happen?"
|
"The persistence record will be honored until it expires. Thus the administrator could disable a pool member and that member can still receive new connection from the existing persisted clients."
|
|
|
"If a virtual server is using persistence and the administrator sets the pool to 'Forced Offline,' what will happen?"
|
"The virtual service will not allow any new connections to the pool member even if persistence is configured on the virtual server."
|
|
|
"What can an administrator do if he needs to stop all connections immediately from a pool resource without any completion of the current connection?"
|
"Remove the pool member from the pool will kill all connections immediately. This is not recommended for day–to–day maintenance but is an option for emergencies."
|
|
|
"What is Port–Lockdown?"
|
"A BIG–IP security feature that allows you to specify particular protocols and services from which the self–IP address defined on the BIG–IP system can accept traffic."
|
|
|
"What are the Port–Lockdown settings?"
|
"– Allow Default
– Allow All – Allow Custom – Allow None –Allow Customer (Include Default)" |
|
|
"Port–Lockdown Allow Default port are?"
|
"– OSPF
– TCP 4353 iQuery – UDP 4353 iQuer – 443 HTTPS – TCP 161 SNMP – UDP 161 SNMP – 22 SSH – TCP 53 DNS – UDP 53 DNS – 520 RIP – 1026 Network Failover" |
|
|
"What is the default Port–Lockdown setting?"
|
"Version 10.x – Allow default
Version 11.x – None" |
|
|
"Command to modify Port–Lockdown settings from tmsh?"
|
"modify /net self allow–server"
|
|
|
"What are Packet Filters?"
|
"Packet filters enforce an access policy on incoming traffic. They apply to incoming traffic only. The primary purpose of a packet filter rule is to define the criteria that you want the BIG–IP system to use when filtering packets."
|
|
|
"Example criteria that you can specify in a packet filter are?"
|
"– Source IP
– Destination IP – Destination port" |
|
|
"What are the possible values for the order of packet filters?"
|
"– First
– Last – After" |
|
|
"What are the possible Packet Filter Actions?"
|
"– Accept
–Discard – Reject (sends rejection packet) – Continue (acknowledge packet for logging or statistical purposed)" |
|
|
"What is PAM technology?"
|
"PAM (Pluggable Authentication Module) allows you to choose from a number of different authentication and authorization schemes to use to authenticate or authorize network traffic."
|
|
|
"What are the BIG–IP Authentication Modules?"
|
"– LDAP
– RADIUS – TACACS+ – SSL client Certificate LDAP – Online Certificate Status Protocol – Certificate Revocation List Distribution Point – Kerberos Delegation" |
|
|
"Steps to configure DNS in Configuration Utility"
|
"System –> Configuration _> Device –> DNS –> DNS Lookup Server List"
|
