Sunday, March 27, 2011

Upgrading Big-IP 10.2.0 1755.1 to 10.2.0 1789.0

1. Download the image or *.iso file from the F5 support site.

2. Use SCP to copy the iso file to the directory /shared/images on the Big-IP device.

3. Apply the following command to install the hotfix image. Note: the hotfix image can be installed into an empty partition:

bigpipe software desired HD1.3 product BIG-IP version 10.2.0 build 1789.0

4. Configure the device to boot from the location where the new image is installed:
switchboot -b
e.g. switchboot -b HD1.3

5. Reboot the entire device. Apply the command:
full_box_reboot

Friday, March 4, 2011

Cisco Flexlinks

Cisco Flexlinks provide a layer 2 redundant link solution. It is often considered an alternative to the Spanning-Tree protocol where STP is undesired. With Flexlinks, redundant paths are manually configured by the network administrator, in comparison to STP where the redundant paths are calculated and formed dynamically by the Spanning-Tree protocol.

Advantages:
* Spanning-Tree Protocol independent.
* No BPDUs across links.
* Fast convergence - testing shows convergence at approximately 110ms.
* Traffic can be load shared across the redundant links.
* Neighbouring switches are not affected by local network Spanning-Tree recalculations.
* Failure of an Etherchannel where STP is not running between interconnecting neighbours can cause network loops and subsequent broadcast storms.

Disadvantages:
* Maximum of 16 Flexlink pairs.
* RSTP convergence can be quicker (sub-second).
* No dynamic loop prevention, unlike STP.
* More administrative effort than STP, since the redundant paths are configured manually.
* Etherchannel can load-balance and provide redundancy.
* Does not support load-balancing, only load sharing (allocation of VLANs per link).

Testing Scenarios:
3750 (Flexlink) -to- 3750 (STP)

TOP-SWITCH#show run int gi 1/0/21
Building configuration...

Current configuration : 351 bytes
!
interface GigabitEthernet1/0/21
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 237
switchport mode trunk
switchport backup interface Gi1/0/23
switchport backup interface Gi1/0/23 mmu primary vlan 237
switchport backup interface Gi1/0/23 preemption mode forced
switchport backup interface Gi1/0/23 preemption delay 60
end

TOP-SWITCH#show run int gi 1/0/23
Building configuration...

Current configuration : 135 bytes
!
interface GigabitEthernet1/0/23
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 237
switchport mode trunk
end

TOP-SWITCH#

Middle-Switch#show run int fa 2/0/45
Building configuration...

Current configuration : 156 bytes
!
interface FastEthernet2/0/45
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 237
switchport mode trunk
spanning-tree portfast
end

Middle-Switch#show run int fa 2/0/47
Building configuration...

Current configuration : 156 bytes
!
interface FastEthernet2/0/47
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 237
switchport mode trunk
spanning-tree portfast
end

Middle-Switch#

Diagnostics:
=======================
TOP-SWITCH#show interfaces switchport backup detail

Switch Backup Interface Pairs:

Active Interface Backup Interface State
------------------------------------------------------------------------
GigabitEthernet1/0/21 GigabitEthernet1/0/23 Active Up/Backup Standby


Interface Pair : Gi1/0/21, Gi1/0/23
Preemption Mode : forced
Preemption Delay : 60 seconds
Bandwidth : 100000 Kbit (Gi1/0/21), 100000 Kbit (Gi1/0/23)
Mac Address Move Update Vlan : 237

TOP-SWITCH#

TOP-SWITCH#show mac-address-table move update
Switch-ID : 033d.ae01.6210
Dst mac-address : 0120.d100.0010
Vlans/Macs supported : 1023/6272
Default/Current settings: Rcv Off/Off, Xmt Off/Off
Max packets per min : Rcv 40, Xmt 60

Rcv packet count : 0
Rcv conforming packet count : 0
Rcv invalid packet count : 0
Rcv packet count this min : 0
Rcv threshold exceed count : 0
Rcv last sequence# this min : 0
Rcv last interface : None
Rcv last src-mac-address : 0000.0000.0000
Rcv last switch-ID : 0000.0000.0000

Xmt packet count : 0
Xmt packet count this min : 0
Xmt threshold exceed count : 0
Xmt pak buf unavail cnt : 0
Xmt last interface : None
TOP-SWITCH#

Monday, February 28, 2011

Aspera FASP ( Fast and Secure Protocol )

Aspera transfers use one TCP port for session initialization and control, and one UDP port for data transfer. The TCP port is usually either 22 (default port for SSH) or 33001, and the UDP port is by default 33001.
Control: TCP Port 22 (SSH)
Data: UDP Port 33001-33020

Both connections are initiated by the client. The UDP port is negotiated between the server and client. Unix servers are able to run parallel connections over the single port 33001. Windows servers require a unique port for each transfer, so a range of ports from 33001-33020 should be opened to allow multiple connections to the server.

Risks:
======
1) Firewalls can interpret the number of UDP transactions (2000+ per second) as a denial of service attack. Security features such as Screens available on the Juniper SRX will need to be tuned to allow the high number of transactions. The UDP flood event is identified in the Junos logs as:
RT_IDS: RT_SCREEN_UDP: UDP flood! source: 1.1.1.1:33001, destination: 2.2.2.2:8883, zone name: Untrust, interface name: reth3.0

This has the potential to allow a large number of UDP packets containing 4 data bytes (all zeros), coming from one source port, to be sent to random destination ports on the target host. The target host returns ICMP Port Unreachable messages. The target slows down because it is busy processing the UDP packets, and at this point there will be little or no network bandwidth left (Ref: Hack blog).

2) The application can also pose a considerable risk to enterprise network bandwidth, potentially impacting business-critical applications. Since its data transfer rate adapts to the available bandwidth on the end-to-end path, enterprises can protect their critical network segments by using appropriate bandwidth controls. On the Palo Alto Networks Next Generation Firewalls, the App-ID technology identifies all traffic from this application as FASP. Security and QoS policies can then be configured, based on the application, to deny, allow, or rate-limit the traffic according to defined bandwidth limits. Whatever application and bandwidth usage policies businesses come up with, network and security administrators will need to equip themselves with the right tools to enforce them (Ref: Palo Alto Networks).
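The following is an added example, not part of the original post, of how a defender can triage the RT_SCREEN_UDP log entries described above rather than simply raising the screen threshold: it groups the events by source host and destination port and flags the pairs where either side uses the 33001-33020 range that Aspera uses for UDP data, so a legitimate FASP transfer tripping the screen can be distinguished from a UDP flood against an unrelated port. The function name, the sample log lines and the classification labels are my own; the line format is assumed to match the single entry quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: triage Junos RT_SCREEN_UDP events
# so that a genuine FASP transfer tripping the UDP-flood screen can be told apart
# from a flood against an unrelated port. Assumption: lines follow the format
# shown in the post, "... source: A.B.C.D:port, destination: E.F.G.H:port, ...".

# summarize_udp_flood_events LOGFILE
# Prints one line per (source IP, destination port) pair, most frequent first:
#   <count> <source-ip> <dst-port> <fasp-candidate|other>
# A pair is a FASP candidate when either side uses a port in 33001-33020,
# the UDP range the post gives for Aspera data transfer.
summarize_udp_flood_events() {
    grep 'RT_SCREEN_UDP: UDP flood!' "$1" |
    sed -n 's/.*source: \([0-9.]*\):\([0-9]*\), destination: \([0-9.]*\):\([0-9]*\),.*/\1 \2 \3 \4/p' |
    awk '{
        key = $1 " " $4
        cnt[key]++
        if (($2 >= 33001 && $2 <= 33020) || ($4 >= 33001 && $4 <= 33020))
            cls[key] = "fasp-candidate"
        else if (!(key in cls))
            cls[key] = "other"
    }
    END { for (k in cnt) print cnt[k], k, cls[k] }' | sort -rn
}

# Constructed sample log: three hits from an Aspera-style source port and one
# unrelated UDP flood report against DNS. A non-UDP screen line is included
# to show that it is ignored.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mar  1 10:00:01 srx RT_IDS: RT_SCREEN_UDP: UDP flood! source: 1.1.1.1:33001, destination: 2.2.2.2:8883, zone name: Untrust, interface name: reth3.0
Mar  1 10:00:02 srx RT_IDS: RT_SCREEN_UDP: UDP flood! source: 1.1.1.1:33001, destination: 2.2.2.2:8883, zone name: Untrust, interface name: reth3.0
Mar  1 10:00:02 srx RT_IDS: RT_SCREEN_UDP: UDP flood! source: 1.1.1.1:33001, destination: 2.2.2.2:8883, zone name: Untrust, interface name: reth3.0
Mar  1 10:00:05 srx RT_IDS: RT_SCREEN_UDP: UDP flood! source: 10.9.8.7:5000, destination: 2.2.2.2:53, zone name: Untrust, interface name: reth3.0
Mar  1 10:00:06 srx RT_IDS: RT_SCREEN_TCP: SYN flood! source: 10.9.8.7:5000, destination: 2.2.2.2:443, zone name: Untrust, interface name: reth3.0
EOF

# Stand-alone run against the constructed log.
summarize_udp_flood_events "$sample_log"
```

On the sample above the output is one "fasp-candidate" line for 1.1.1.1 towards port 8883 and one "other" line for the DNS flood; in practice the candidate lines are the ones to whitelist or rate-limit on the screen, while the "other" lines still deserve the default treatment.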

Saturday, January 29, 2011

Upgrading F5 Big-IP from version 9.3.x or 9.4.x to 10.x

This installation was performed on a Big-IP 3600. Hardware details are as follows:
PLATFORM INFORMATION --
| Marketing Name: BIG-IP 3600
| BIOS Rev: AMIBIOS(C)2006 American Megatrends, Inc. F5 Platform: MERCURY OBJ-0272-03 BIOS S10.0 Date:04/24/2009
| base MAC: 00:00:00:00:00:00
+-> SYSTEM INFO
| Type: C103
| Chassis serial: f5-yyyy-xxxx Level 200 part: 200-0293-11 REV A
| Memory: 3.437GB
+-> HARDWARE CARDS
| | Type: pic Model: F5 cpld
| | version: 0x13
| | Type: crypto Model: Cavium NITROX-PX
| | version: CNPx-MC-SSL-MAIN-MC1-0001
+-> CPU 0
| | Type: Intel(R) Core(TM)2 Duo CPU E6400 @ 2.13GHz Speed: 2133.469MHz
| | Temp: 37degC Fan speed: 10546rpm


1. Download the iso and md5 files from the F5 website.

2. SCP to your F5 Big-IP appliance.

3. Transfer files downloaded in step 1 to the directory “/shared/images”. Create this directory if it does not exist.

4. Login to the CLI of the device using the root account. Verify the integrity of the images. Apply the following commands:

md5sum /shared/images/BIGIP-10.0.1.283.0.iso
cat /shared/images/BIGIP-10.0.1.283.0.md5

Visually check that the two hash values are identical.

5. Login to the CLI of the device using the root account. Install the configuration utility “image2disk” – the iso image contains the image2disk utility. Apply the following command to install the utility:

im /shared/images/BIGIP-10.0.1.283.0.iso

The process copies over the image2disk installation utility, and then presents a status message, which lets you know that the im command is no longer supported, and tells you how to proceed.

/tmp/rpmdisk.173hO1 /shared/images
info: media has tm_install version 2.6.2, release 40.0
info: adding bin/../isolinux/install/tm_install.rpm to system...
info: media has perl-RPM2 version 0.67, release 10.0.0.4598.0
info: adding bin/../isolinux/install/perl-RPM2.rpm to system...
The im utility is no longer used to upgrade software images.
Please use 'image2disk'. For help, use 'image2disk -h'.
You must always install to an image location that is not in use.
Here is your current image-location status:
HD1.1 active no default no title BIG-IP 9.1.2 Build 40.2
HD1.2 active yes default yes title BIG-IP 9.3.1 Build 37.1


6. Determine which HD slot to install the new image in, using the switchboot utility. You must install the image on an inactive slot. Apply the following command:

switchboot -l

Sample output:
[root@F5:Active] / # switchboot -l
Current boot image:
HD1.1 - BIG-IP 9.4.8 Build 355.0
Default boot image:
HD1.1 - BIG-IP 9.4.8 Build 355.0
Available boot image(s):
HD1.1 - BIG-IP 9.4.8 Build 355.0
HD1.2 - BIG-IP 9.4.8 Build 355.0
[root@F5:Active] / #

7. Install the new image. This step will reformat the disk to use Logical Volume Management. Apply the following command as root from the CLI:
image2disk --instslot=HD1.2 --format=volumes /shared/images/BIGIP-10.0.1.283.0.iso
The upgrade process installs the software on the inactive installation location (--instslot) that you specify. This process usually takes between three minutes and seven minutes.

8. Reboot into the volume where you installed the new image:
switchboot -b HD1.2
reboot

Installing Hotfixes 10.x
1. Download the hotfix files from F5:
• Hotfix-BIGIP-10.0.1-402.7-HF4.iso
• Hotfix-BIGIP-10.0.1-402.7-HF4.md5

2. SCP to the device and copy the downloaded hot fix files to the directory “/shared/images”. Login to the CLI and verify the files are recognised by the device. Apply the following command:
bigpipe software list
Sample output:
[admin@F5:Active] images # bigpipe software list
software {
desired {
HD1.1 {}
HD1.2 {
product "BIG-IP"
version "10.0.1"
build "283.0"
active enable
}
HD1.3 {}
}
hotfixes "Hotfix-BIGIP-10.0.1-402.7-HF4.iso"
images "BIGIP-10.0.1.283.0.iso"
}
[admin@F5:Active] images #
3. Verify the integrity of the files. Apply the following commands:
md5sum /shared/images/Hotfix-BIGIP-10.0.1-402.7-HF4.iso
cat /shared/images/Hotfix-BIGIP-10.0.1-402.7-HF4.md5

Visually check that the two hash values are identical.
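Step 4 of the base upgrade and step 3 of the hotfix procedure both rely on eyeballing two 32-character hashes, which is easy to get wrong. The following is an added example, not part of the original post or an F5 tool, of a small shell function that performs the same check programmatically and fails closed when the digests differ or the .md5 file is malformed. It assumes the vendor .md5 file is in md5sum format ("<hex digest>  <filename>"); the function name and the demo files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: compare the md5sum of a downloaded
# BIG-IP image with the digest in its vendor .md5 file programmatically, rather
# than comparing the two hashes by eye.
# Assumption: the .md5 file is in md5sum format, "<hex digest>  <filename>".

# verify_image_md5 IMAGE MD5FILE
# Exit status 0 on match, 1 on mismatch, 2 when a file is missing or malformed.
verify_image_md5() {
    image="$1"
    md5file="$2"
    [ -f "$image" ]   || { echo "missing image: $image" >&2; return 2; }
    [ -f "$md5file" ] || { echo "missing md5 file: $md5file" >&2; return 2; }

    # The digest is the first whitespace-separated field in both sources.
    expected=$(awk 'NR==1 { print tolower($1) }' "$md5file")
    actual=$(md5sum "$image" | awk '{ print tolower($1) }')

    # Refuse to "match" against an empty or non-hex digest line.
    case "$expected" in
        "" | *[!0-9a-f]*) echo "malformed digest in $md5file" >&2; return 2 ;;
    esac

    if [ "$expected" = "$actual" ]; then
        echo "OK: $image matches $md5file"
        return 0
    fi
    echo "MISMATCH: $image expected=$expected actual=$actual" >&2
    return 1
}

# Constructed demo data standing in for the real BIGIP .iso/.md5 pair.
demo_dir=$(mktemp -d)
printf 'constructed iso payload\n' > "$demo_dir/BIGIP-demo.iso"
md5sum "$demo_dir/BIGIP-demo.iso" > "$demo_dir/BIGIP-demo.md5"
printf 'tampered payload\n' > "$demo_dir/BIGIP-demo-tampered.iso"

# Stand-alone run: the genuine file verifies, the tampered one does not.
verify_image_md5 "$demo_dir/BIGIP-demo.iso" "$demo_dir/BIGIP-demo.md5"
verify_image_md5 "$demo_dir/BIGIP-demo-tampered.iso" "$demo_dir/BIGIP-demo.md5" || true
```

On the appliance the same function would be called as verify_image_md5 /shared/images/BIGIP-10.0.1.283.0.iso /shared/images/BIGIP-10.0.1.283.0.md5 (and likewise for the hotfix pair) before running image2disk or bigpipe, so that a truncated or corrupted download is rejected before it is written to a boot slot.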

4. Verify the disk formatting scheme used by the device. Apply the following command:

lvscan
Sample output:
[admin@F5:Active] images # lvscan
lvscan -- ACTIVE "/dev/vg-db-sda/dat.share.1" [30 GB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/dat.log.1" [7 GB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.1.root" [256 MB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.1._config" [512 MB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.1._var" [3.25 GB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.1._usr" [1 GB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.2.root" [256 MB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.2._config" [512 MB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.2._var" [3.25 GB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.2._usr" [1 GB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.3.root" [256 MB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.3._config" [512 MB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.3._var" [3.25 GB] contiguous
lvscan -- ACTIVE "/dev/vg-db-sda/set.3._usr" [1 GB] contiguous
lvscan -- 14 logical volumes with 52 GB total in 2 volume groups
lvscan -- 14 active logical volumes

[admin@F5:Active] images #

5. Install the Big-IP image and hotfix file into a volume which is NOT active. Check which volume is active – apply the following command:
bigpipe software
Sample output:
[admin@F5:Active] images # bigpipe software
SOFTWARE
+-> SOFTWARE STATUS
| Key Slot Product Version Build Active Status
| HD1.1 0 none none none no complete
| HD1.2 0 BIG-IP 10.0.1 283.0 yes complete
| HD1.3 0 none none none no complete
[admin@F5:Active] images #

6. Install the Big-IP image and hotfix file into the inactive volume.

a) First install the Big-IP image. Apply the following command:
bigpipe software desired HD1.3 product BIG-IP version 10.0.1 build 283.0
Sample Output:
[admin@F5:Active] images # bigpipe software desired HD1.3 product BIG-IP version 10.0.1 build 283.0
[admin@F5:Active] images # bigpipe software
SOFTWARE
+-> SOFTWARE STATUS
| Key Slot Product Version Build Active Status
| HD1.1 0 none none none no complete
| HD1.2 0 BIG-IP 10.0.1 283.0 yes complete
| HD1.3 0 BIG-IP 10.0.1 283.0 no installing 0.000 pct
[admin@F5:Active] images # bigpipe software
SOFTWARE
+-> SOFTWARE STATUS
| Key Slot Product Version Build Active Status
| HD1.1 0 none none none no complete
| HD1.2 0 BIG-IP 10.0.1 283.0 yes complete
| HD1.3 0 BIG-IP 10.0.1 283.0 no installing 3.000 pct
[admin@F5:Active] images #
[admin@F5:Active] images # bigpipe software
SOFTWARE
+-> SOFTWARE STATUS
| Key Slot Product Version Build Active Status
| HD1.1 0 none none none no complete
| HD1.2 0 BIG-IP 10.0.1 283.0 yes complete
| HD1.3 0 BIG-IP 10.0.1 283.0 no complete

b) Apply the hotfix onto the Big-IP image. Apply the following command:
bigpipe software desired HD1.3 product BIG-IP version 10.0.1 build 402.7
Sample Output:
[admin@F5:Active] images # bigpipe software desired HD1.3 product BIG-IP version 10.0.1 build 402.7
[admin@F5:Active] images # bigpipe software
SOFTWARE
+-> SOFTWARE STATUS
| Key Slot Product Version Build Active Status
| HD1.1 0 none none none no complete
| HD1.2 0 BIG-IP 10.0.1 283.0 yes complete
| HD1.3 0 BIG-IP 10.0.1 402.7 no installing hotfix
[admin@F5:Active] images #

c) Boot into the volume containing the hotfix. Apply the following command:

switchboot -b HD1.3
reboot

Sample Output:
[admin@F5:Active] images # switchboot -b HD1.3
[admin@F5:Active] images # reboot

Broadcast message from root (pts/0) (Tue Jan 25 12:00:58 2011):

The system is going down for reboot NOW!
[admin@F5:Active] images #

References
F5: Manual Chapter: Using the image2disk and diskinit Utilities
F5: SOL11496

Friday, November 26, 2010

Free up Juniper SRX disk or storage space

1. Check the amount of disk usage:
show system storage
2. Perform an automated device storage/disk cleanup:
request system storage cleanup

Upgrade a standalone Cisco Catalyst 3750 (not in a Stack)

1. Download and save the required image from the Cisco website.
2. Ensure you have the minimum amount of storage space on your flash drive. For the IP Services image this is likely to be 16Mb.

Apply the command:

dir flash:

3. In this example I use TFTP32 to transfer files from my desktop to the switch.

Apply the command:
copy tftp:.bin flash:

4. Once the new IOS image has been transferred, configure the switch to boot with the new image the next time it reloads:

Apply the following commands:
config terminal
boot system flash:/.bin
exit
write memory
reload

Note: There is no need to change the config-register value as it is fixed on the Catalyst 3750.

5. Type "yes" or press enter to confirm the reload.

6. Once reloaded check that you are using the new image:
show version

Thursday, February 4, 2010

Route Distinguishers and Route Targets

A VRF represents an isolated instance of a routing and forwarding table on a device. A VRF belongs to a site and is assigned to an interface (logical or physical). This interface is used to peer with the CE to exchange routing updates and packets. These updates and packets are identified in the core (provider network) by a ROUTE DISTINGUISHER, which keeps them unique where the addressing schemes of different VRFs overlap.

A VPN is a service which provides the security and isolation normally found in a private network over a shared provider infrastructure. The scope of a VPN is defined by what routing and forwarding an organization's network requires. Therefore a VPN can span multiple VRFs if it requires access to networks in different VRFs. The ROUTE TARGET is used to determine what routing information to import into or export from a VRF, and thus creates the scope of the VPN.