DNSSEC AND GTM

Transcript DNSSEC AND GTM

WA v11 New function and Changes
Lin Jing
2011/11/7
www.dnssecchina.com
www.cnadn.net
www.myf5.net
2
Version history
version | author | date | Note
V1.0 | Lin Jing | 2011.11.7 | First version
3
New in V11
• Rewritten architecture
• GUI changes
• SNMP support in the WA module
• Dashboard now includes WAM
4
Platform changes
• Can run on the 1600
• Will not support the 4500
• 64, 68 and 84 need 4G memory
• VE and VIPRION are not supported now; they will be supported in the future
5
Architecture Changes history
• v9 uses the Sandwich with an internal vs. This makes performance and traffic stats inaccurate, and performance is poor because of this TCP channel. WA has its own compression, which is easily confused with TMM compression. Uses PVAC, which runs on the host.
• v10 removes the Sandwich and uses MPI instead of the internal vs, which is more efficient. But requests/responses are still moved between tmm and WA. PVAC is still used.
• In v11, most functions are moved into tmm and there is no more pvac process; it is now wamd (a service for only some functions). Uses the new MPIv2. Compression is now performed by the hardware card.
6
V9 Sandwich
[Diagram; labels recovered from the slide]
Connection: 192.168.1.101:* > 192.168.1.100:80
  GET / HTTP/1.1
  Host: website.com
Connection: 192.168.1.101:* > 10.10.10.101:80
  GET / HTTP/1.1
  Host: website.com
Boxes:
• client1: 192.168.1.101
• TMM Virtual Server 192.168.1.100:80, 192.168.1.100:443: HTTP, HTTP class, [ iRules, Compression, OneConnect, SSL ]
• PVAC: 127.0.0.1:8081
• TMM Virtual Server 127.1.1.2:8080: LB, [ SSL Re-encryption, de-OneConnect ]
• server1: 10.10.10.101:80
Endpoint labels (Client Side Context / Server Side Context, VLAN TMM0):
• Client: TMM - 127.1.1.2:*
• Server: TMM - 127.1.1.254:8081
• Server: PVAC - 127.0.0.1:8081
• Client: PVAC - 127.1.1.1:*
Request with WA headers (shown twice on the slide, next to VLAN TMM0):
  GET / HTTP/1.1
  Host: website.com
  WAClientIP: 192.168.1.101
  WALBServer: pool SamplePool member 10.10.10.101:80
  WASnat: snat automap
  WAServerSSL: serverssl
7
V10 architecture
8
V11 architecture
9
V11 configurations changes
• Fully integrated with TMOS, so ucs, qkview, scf include it.
• WA can now be configured with tmsh
• Symmetric deployment is not supported in v11
• URL normalization is not supported in v11
• No pvsystem.conf?
• IBR prefix changes to wa;****
• The http class is no longer used to enable WA for a vs; it is now used to disable WA for a vs.
• To enable WA, use the WA application in the webacceleration profile
10
Process changes
• Comm_srv, hds_prune, pvac ... removed
• New wamd introduced
• wamd works for
  - Invalidation and triggers
  - Document linearization
  - Performance monitoring
• Compression runs in tmm and benefits from the hardware card, but is still controlled in the WAM module; a compression profile is now mandatory on the vs.
11
Performance statistics changes
• The dashboard now supports the WA module. The data comes directly from TMM, so it is almost real-time data
• SNMP can now be used to get WA performance:
  http://www.adntech.org/bbs/viewthread.php?tid=3976&extra=page%3D1
• MySQL is still there to keep history data, but this function must now be enabled manually in the GUI.
12
Cache behavior changes
• No hds for disk cache now
• New name: datastor/metastor
• Datastor is for raw disk access; it is on disk
• Metastor is a logical layer on top of datastor
• Is there ramcache like before?
  - Yes, but its name is Small Objects Cache (SOC)
  - It only caches objects smaller than 4k. The number of small objects is controlled by “Maximum Entries” in the profile.
  - SOC is in tmm memory and owned by each TMM, but objects can be copied from other tmm (refer to ramcache with cmp)
13
Cache behavior
14
Web acceleration profile
• This profile controls both the RAM cache and the WA cache.
• Some items have different meanings with WA and without WA
15
Profile-cache size
Cache size
-Minimum reserved size for WAM
-Maximum size for RAM cache
16
profile-maximum
Maximum entries
-Size of resource and entity caches for WAM
-Does not limit metastor/datastor object retention
-Maximum total entries for RAM cache
17
profile-maximum
Refer to the slide note
18
profile-uri
AFFECTS RAMCACHE ONLY
19
Profile-webacceleration
20
Profile-compression
• When WA is enabled, the WA policy overrides this profile, but compression is still performed by the profile.
• Without WA, it is a normal TMOS compression profile
• So we can think of it as:
  -Configured in WA, but the profile is needed in order to use the hardware card
21
Profile-compression
22
Profile-compression
23
Profile-compression
24
Changes in WA policy GUI
• Remove some navigation
BIG-IP v10.2.2
BIG-IP v11.0
25
Applications
If you want history data, you need to enable it here
26
Proxy assembly
27
Policy proxying
28
Policy lifetime, WA self cache setting
29
Policy lifetime, client cache setting
30
Policy lifetime, client cache setting
31
Policy lifetime, client cache setting
32
New iRule events in v11 of WA
• HTTP_REQUEST_RELEASE
  – Fires on the server-side of the HUD chain, after all modules have processed a client request
• HTTP_RESPONSE_RELEASE
  – Fires on the client-side of the HUD chain, after all modules have processed a server response
33
Upgrade to v11
• Only v10 ucs is supported
• Only volumes are supported
• Check whether a compression profile is applied to the vs
• Check whether a webacceleration profile is applied to the vs
• Check whether the max size is OK for your situation.
• X-WA-Info header is disabled by default
• Performance reporting is disabled
• Unmapped host is handled now? Check it in applications
34
Troubleshooting tips
• Dashboard? It is real time data, 5 minutes from tmm
• Plug-in logging
  – /var/log/tmm
  – /var/log/ltm
• wamd logging
  – /var/log/wa/wamd.log
  – /var/log/wa/wam.provisioning.log
  – /var/log/daemon.log
• Performance Statistics logging
  – /var/log/wa/stats
  – /var/log/mysql.out
  – /var/lib/mysql/mysql.err
• Datastor logging
  – /var/log/datastor
  – /var/log/datastor.provision
35
Troubleshooting x-wa-info
• Turn it on in the application; if possible, turn on debug (per Support center request)
36
S code
37
C code
• C-Code:
  – Indicates which defined Application was used to handle the incoming request
  – Number changes each time a policy is published to that Application
  X-WA-Info: [S10201.C76511.A13938.RA0.U2264335089].[OT/html.OG/pages].[P/0.0].[O/0.1].[EH0/0].[DH0/0]
• A-Code:
  – Indicates which node within the Policy matched the incoming request
  X-WA-Info: [S10201.C76511.A13938.RA0.U2264335089].[OT/html.OG/pages].[P/0.0].[O/0.1].[EH0/0].[DH0/0]
• R-Code:
  – Identifies the application match of a response to the Policy as defined by object extension, content type or node rule
  – Value of zero indicates match on the request
  X-WA-Info: [S10201.C76511.A13938.RA0.U2264335089].[OT/html.OG/pages].[P/0.0].[O/0.1].[EH0/0].[DH0/0]
38
How to decode wa-info
• wainfodecode [wa-info header]
• X-WA-Info:[S10201.C100017.A13710.RA0.U794647444].[OT/html.OG/pages]
[root@bigip11:Active] config # wainfodecode [S10201.C100017.A13710.RA0.U794647444].[OT/html.OG/pages]
S10201: Response was served from the origin web server, because the request was for new content.
C100017: Local-policy: /Common/Generic Policy - Enhanced
A13710: Request Policy Node: Pages
RA0: Response match did not supersede request match
UCI hash: 2f5d5b94
Object type: html
Object group: pages
[root@bigip11:Active] config #
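
For reading X-WA-Info values away from the BIG-IP (for example in a packet capture or proxy log), here is a small parser for the header layout shown on the last two slides. It is an added example, not F5 code and not a reimplementation of wainfodecode: the bracket/dot layout, the `RA<number>` form of the R-code and the hex rendering of the U field are assumptions inferred from the sample headers, and the policy and node names that wainfodecode prints cannot be recovered offline.

```python
import re

# Header copied from the slides. Field meanings are the ones the slides and the
# wainfodecode output give; the bracket/dot layout is inferred from the samples.
SAMPLE = ("X-WA-Info: [S10201.C76511.A13938.RA0.U2264335089]."
          "[OT/html.OG/pages].[P/0.0].[O/0.1].[EH0/0].[DH0/0]")

_GROUP = re.compile(r"\[([^\[\]]*)\]")
_CODES = re.compile(r"S(\d+)\.C(\d+)\.A(\d+)\.RA(\d+)\.U(\d+)")
_OBJECT = re.compile(r"OT/([^.]*)\.OG/(.*)")


def parse_wa_info(header):
    """Split an X-WA-Info value into the fields named on the slides.
    Raises ValueError if the value does not fit the assumed layout."""
    value = header.strip()
    if value.lower().startswith("x-wa-info:"):
        value = value.split(":", 1)[1].strip()
    groups = _GROUP.findall(value)
    # Outside the brackets only the "." separators may remain, so a truncated
    # or altered header is rejected instead of being half-decoded.
    if not groups or _GROUP.sub("", value).strip(".") != "":
        raise ValueError("not an X-WA-Info value")
    codes = _CODES.fullmatch(groups[0])
    if codes is None:
        raise ValueError("first group is not S.C.A.RA.U")
    s, c, a, r, u = (int(x) for x in codes.groups())
    info = {
        "s_code": s,                   # how the response was served
        "c_code": c,                   # application / published policy
        "a_code": a,                   # policy node matched by the request
        "r_code": r,                   # 0 means the match was on the request
        "matched_on_request": r == 0,
        "uci_hash": format(u, "08x"),  # wainfodecode shows U as a hex hash
        "object_type": None,
        "object_group": None,
        "unparsed": [],                # groups the slides do not explain
    }
    for group in groups[1:]:
        obj = _OBJECT.fullmatch(group)
        if obj:
            info["object_type"], info["object_group"] = obj.groups()
        else:
            info["unparsed"].append(group)
    return info


if __name__ == "__main__":
    print(parse_wa_info(SAMPLE))
```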