For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jeff_46763's avatar
Jeff_46763
Icon for Nimbostratus rankNimbostratus
Apr 15, 2014

Viprion Initial Build Scripts Available?

Hi Everyone,

 

I'm in a large company that is now moving into a 3rd party datacenter. We used to have our own datacenter where we can touch the equipment, but no longer. We have to provide build instructions to the provider to build the F5's. Since this is a whole new concept to me, I was wondering if anyone has been through this, and have any scripts that can help??

 

Im looking to hand these over to the provider, a set of TMSH script, that will build the viprion from start to finish. Not the VIPs or anything like that....more of (guests, self ip's, vlans, interfaces, dns, etc...) I think something like this would be a lot easier than a whole bunch of screenshots to them, as mistakes can happen. I'd rather have a copy/paste script if possible. Suggestions??

 

Thanks

 

application delivery
availability
BIG-IP Access Policy Manager (APM)
design
LTM
security
TMSH

1 Reply

  • James_Thomson's avatar
    James_Thomson
    Icon for Employee rankEmployee
    Apr 17, 2014

    This isn't exactly what you're looking for and was only done in virtual edition, but maybe it will give you a start. This was done for version 11.4 and I believe some things have changed in 11.5. If you don't have the ability to test and customize this, then this is not "Complete" for VIPRION because it doesn't go into the cluster management IP and blade clustering configurations.

    this assumes you have console access to both systems or you can ssh into the mgmt. interface.
This was documented on BIG-IP Virtual Edition and would need to be edited for F5 physical hardware if the port designations are different.


Log into the mgmt port and license the device and do resource provisioning
license
If this is a virtual edition and you have the registration key
run util get-dossier –b 
This outputs a dossier. Copy all the text up to the next user prompt.
If you are logged in as root, copy the text until you get to “root@”
Log in to Activate.f5.com and input the dossier.

If this is physical hardware


 basic VLAN configuration
create net vlan external { interfaces replace-all-with { 1.1 } }
create net vlan internal { interfaces replace-all-with { 1.2 } }
create net vlan ha { interfaces replace-all-with { 1.3 } }

From ltm1
 assumes that management IP has already been configured or pulled from DHCP
 self IPs
create net self external_local address 10.1.1.1/16 vlan external
create net self internal_local address 10.2.1.1/16 vlan internal
create net self ha_local address 1.1.1.1/24 vlan ha allow-service default
 device object bigip1 is created on boot
modify cm device bigip1 hostname ltm1.dsc.net configsync-ip 1.1.1.1 unicast-address {{ ip 1.1.1.1 }}
 rebuild and re-associate dtdi with self-device
delete cm trust-domain all

From ltm2
 assumes that management IP has already been configured
 self IPs
create net self external_local address 10.1.1.2/16 vlan external
create net self internal_local address 10.2.1.2/16 vlan internal
create net self ha_local address 1.1.1.2/24 vlan ha allow-service default
 device object
modify cm device bigip1 hostname ltm2.dsc.net configsync-ip 1.1.1.2 unicast-address {{ ip 1.1.1.2 }}
 rebuild and re-associate dtdi with self-device
delete cm trust-domain all

From ltm1
establishing trust (ltm1 -> ltm2)
modify cm trust-domain Root ca-devices add { 1.1.1.2 } name ltm2.dsc.net username admin password admin
 ltm1 and ltm2 exchange trust and device information

making ltm1 and ltm2 a redundant pair
create cm device-group ha_cluster { type sync-failover devices add { bigip1 ltm2.dsc.net } }

Disable the GUI startup wizard
modify sys global-settings gui-setup disabled

 by default, the “traffic-group-1” exists and will be used for traffic objects