For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Danny_Arroyo's avatar
Danny_Arroyo
Icon for Cirrus rankCirrus
Jun 07, 2018

Migrating from BigIP 2000 series to BigIP 2600 series

We currently have a BigIP 2000 LTM HA pair running v12.1.3.3 (we will be upgrading to 13.x soon). We purchased a comparable BigIP 2600 LTM HA pair. We are planning a migration to the 2600.   ...
application delivery
BIG-IP
LTM
AceDawg_204810's avatar
AceDawg_204810
Icon for Cirrus rankCirrus
Jun 07, 2018

Hi Danny,

 

There's one VERY important question that I don't think has been addressed: what modules are you running on the 2000s? In my experience, the modules may dictate the migration path. UCS, SCF or bigip.conf are your basic options. This is the way I've approached similar migrations in the past:

 

LTM: export SSL certificates and SCF file. Edit SCF file keeping LTM objects

 

LTM and GTM/DNS: export SSL certificates and SCF file. Edit SCF file keeping GTM and LTM objects

 

APM: export UCS file. Verify your interfaces are offline on new environment. Import UCS file using "no-platform-check no-license " options

 

ASM: export ASM profiles. Load ASM profiles to new environment then load LTM objects (see LTM procedure above)

 

AceDawg_204810's avatar
AceDawg_204810
Icon for Cirrus rankCirrus
Jun 07, 2018

Hi Danny,

If I am following you correctly, it sounds like you are changing some of the networking for this project (e.g. VIP addresses). Correct me if I am wrong but I assume you'll be changing DNS entries to point to the new VIPs. If my assumptions are correct, then this is the procedure I would use:

NOTE: I would download the trial version of BIGIP (https://devcentral.f5.com/articles/getting-started-with-big-ip-ve-trial-22469) and test in a VMWare environment before going to prod

STRONG NOTE: Be sure to verify that the backend servers/nodes are NOT using the F5 as their default gateway. If they are, then it will change the way you approach the networking portion of your migration. You may have to involve the server team in the event this is the case (we can discuss further). Look for FTP and SMTP virtual servers in your F5 environment. While not an exclusive list, typically, these are the devices that fall under this category.

  1. UI (2000): System->File Management->SSL Certificate List->Select pertinent certificates->[Archive]
  2. UI (LAB or 2600): System->File Management->SSL Certificate List->[Import]->Import Type: Archive

  3. TMSH (2000): tmsh save sys config file devicename_datestamp.scf no-passphrase: 

    tmsh save sys config file danny2000_20180607.scf no-passphrase

  4. Download scf file (e.g. danny2000_20180607.scf) to your local workstation

  5. Using notepad++, hand edit the danny2000_20180607.scf file removing all stanzas EXCEPT for those beginning with ltm. In other words, you would only keep the ltm objects (see below):

    ltm default-node-monitor {
    rule /Common/icmp
}
ltm node /Common/10.33.13.232 {
    address 10.33.13.232
}
ltm pool /Common/SOMEPOOL_HTTP {
    description SOMEPOOL_HTTP
    members {
        /Common/10.33.13.232:80 {
            address 10.33.13.232
        }
    }
    monitor /Common/SOMEMONITOR_HTTP
}
ltm monitor http /Common/SOMEMONITOR_HTTP {
    adaptive disabled
    defaults-from /Common/http
    description SOMEMONITOR_HTTP
    destination *.*
    interval 5
    ip-dscp 0
    recv none
    recv-disable none
    send "GET /\r\n"
    time-until-up 0
    timeout 16
}
ltm rule /Common/MOBILECARE-TEST-X-FORWARDED {
    when HTTP_REQUEST {

     if {[HTTP::header exists X-Forwarded-For]}{
          HTTP::header replace X-Forwarded-For [IP::client_addr]

     } else {
          HTTP::header insert X-Forwarded-For [IP::client_addr]
     }
}
}
ltm virtual /Common/SOMEVIRTUAL_HTTP {
    description SOMEVIRTUAL_HTTP
    destination /Common/10.0.0.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/SOMEPOOL_HTTP
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

  6. Using notepad++, change the VIP addresses on the ltm virtual server objects

  7. TMSH (LAB or 2600): Perform test import of the modified danny2000_20180607.scf file and address issues: 
    tmsh load sys config file danny2000_20180607.scf merge verify
  8. TMSH (LAB or 2600): Perform import of the modified danny2000_20180607.scf file: 
    tmsh load sys config file danny2000_20180607.scf merge
  9. TMSH (LAB or 2600): Configure networking (VLANS, self-ip addresses, default router, etc.)
  10. Create local host entry on workstation to test functionality
  11. If all works out, modify DNS to point to new VIP

Admittedly, this is a more iterative approach than the others presented. Since this is a year long "rolling" migration as opposed to a cut migration, it gives you ample opportunity to address issues, test and truly dig into environment. Also gives you an opportunity to address oddities that inevitably leak into most F5 setups (e.g. naming conventions, profiles, etc.).