
Ansible with BIG-IP F5

Modern-day infrastructure needs automation. Automation brings increased productivity along with reduced cost. Let me demonstrate an automation technique that is very easy to use and at the same time very productive.

Why Ansible?

  • Ansible is a configuration management tool that is free for anyone to use.
  • Ansible is very consistent and lightweight.
  • It doesn't require an agent on the managed servers; it uses native SSH.
  • It is very easy compared to other automation management tools.
The list of benefits Ansible provides can keep going. Today let me demonstrate a bit of Ansible automation using an application delivery controller, the BIG-IP F5.

INSTALLING ANSIBLE
There are mainly three components when it comes to Ansible.
  • Managed hosts
  • Controller hosts
  • Playbooks (although for certain diagnostics ad-hoc commands can be used)
We will be using CentOS 7 as our controller host and BIG-IP F5 as our managed host.

The first and foremost packages required for using Ansible are Extra Packages for Enterprise Linux (EPEL) and Python.

[root@ansiblemax ~]# yum install epel-release ansible -y
[root@ansiblemax ~]# yum update -y
All the files for Ansible lie within the /etc/ansible/ directory.

[root@ansiblemax /]# cd /etc/ansible/
[root@ansiblemax ansible]# ls
ansible.cfg  f5.yml  hosts

PLAYING WITH ANSIBLE
We first need to edit the hosts file, also known as the inventory, and simply mention the IP of the F5.
[root@ansiblemax ~]# vim hosts
[f5]
load_balancer ansible_host=10.10.253.220

Save the file and exit. Note: we can also define additional things like the username and password for the F5 in the hosts file, but in this demonstration we will define them in the main playbook itself.

PLAYBOOK
The playbook is the major component of Ansible and ought to be the most important one as well. To create a playbook we need a file with the .yml extension under the same directory. YAML was designed so that data structures are easily readable by humans. Let me create a YAML file named f5.yml.

A playbook always starts with --- and the configuration depends on how the administrator wants to configure it. In my case I have defined the variables in the playbook itself. I would like to create a pool named max-pool, nodes and a virtual server, each with their different properties. Save the file and quit.

---
- hosts: f5

  vars:
    provider:
      password: susjoshi9851
      server: 10.10.253.220
      user: sushant
      validate_certs: no
      server_port: 443

  tasks:
  - name: Create a pool
    bigip_pool:
      provider: "{{ provider }}"
      lb_method: ratio-member
      name: max-pool
      slow_ramp_time: 5

  - name: Add members to pool
    bigip_pool_member:
      provider: "{{ provider }}"
      description: "webserver {{ item.name }}"
      host: "{{ item.host }}"
      name: "{{ item.name }}"
      pool: max-pool
      port: 80
    with_items:
      - host: 10.10.10.10
        name: web01
      - host: 10.10.10.20
        name: web02

  - name: Create a VIP
    bigip_virtual_server:
      provider: "{{ provider }}"
      description: max-vip
      destination: 172.16.100.100
      name: max-vip-1
      pool: max-pool
      port: 80
      snat: Automap
      profiles:
        - http
        - clientssl


Note: the most important thing when creating a playbook is indentation. Never use tabs; always use spaces where required.
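The playbook above keeps the BIG-IP password in clear text in the play, disables certificate validation and would echo the provider dictionary in verbose output. As an added example (not the post's own playbook), here is the same pool, member and VIP flow with the credentials moved into an Ansible Vault-encrypted vars file, certificate validation enabled and no_log on every task that carries the provider dictionary. The file name group_vars/f5/vault.yml and the variable names vault_f5_user and vault_f5_password are assumptions; F5's modules speak REST to the management interface from the control node, so the play uses connection: local.

```yaml
# Credentials live in group_vars/f5/vault.yml (hypothetical name, created with
# "ansible-vault create ..."), defining vault_f5_user and vault_f5_password.
---
- hosts: f5
  connection: local            # F5 modules call the REST API from the control node
  gather_facts: no             # no SSH session to the BIG-IP is needed for these modules
  vars:
    provider:
      server: "{{ ansible_host }}"
      server_port: 443
      user: "{{ vault_f5_user }}"
      password: "{{ vault_f5_password }}"
      validate_certs: yes      # requires a trusted certificate on the mgmt interface

  tasks:
  - name: Create a pool
    bigip_pool:
      provider: "{{ provider }}"
      lb_method: ratio-member
      name: max-pool
      slow_ramp_time: 5
    no_log: true               # keeps the provider dict (and password) out of -v output and logs

  - name: Add members to pool
    bigip_pool_member:
      provider: "{{ provider }}"
      description: "webserver {{ item.name }}"
      host: "{{ item.host }}"
      name: "{{ item.name }}"
      pool: max-pool
      port: 80
    loop:
      - { host: 10.10.10.10, name: web01 }
      - { host: 10.10.10.20, name: web02 }
    no_log: true

  - name: Create a VIP
    bigip_virtual_server:
      provider: "{{ provider }}"
      description: max-vip
      destination: 172.16.100.100
      name: max-vip-1
      pool: max-pool
      port: "80"               # quoted: avoids the int-to-string warning seen in the run output
      snat: Automap
      profiles:
        - http
        - clientssl
    no_log: true
```

Run it with ansible-playbook f5.yml --ask-vault-pass (or --vault-password-file) instead of -u/-k; group_vars/f5/ is picked up automatically next to the playbook or inventory.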

We now need to check whether any errors are generated when we try to use the playbook.

[root@ansiblemax ansible]# ansible-playbook --syntax-check f5.yml

playbook: f5.yml 
There seem to be no issues, so now we can run the play and find out whether it works.

[root@ansiblemax ansible]# ansible-playbook f5.yml -u sushant -k
SSH password:

PLAY [f5] **************************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************
ok: [load_balancer]

TASK [Create a pool] ***************************************************************************************************************************************************************************
changed: [load_balancer]

TASK [Add members to pool] *********************************************************************************************************************************************************************
changed: [load_balancer] => (item={u'host': u'10.10.10.10', u'name': u'web01'})
changed: [load_balancer] => (item={u'host': u'10.10.10.20', u'name': u'web02'})

TASK [Create a VIP] ****************************************************************************************************************************************************************************
[WARNING]: The value 80 (type int) in a string field was converted to u'80' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change.
changed: [load_balancer]

PLAY RECAP *************************************************************************************************************************************************************************************
load_balancer              : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Bingo! We have pushed the configuration and it looks like the changes have taken effect. Let me now log in to the virtual F5 that I have loaded and find out whether the configuration has been reflected.

VERIFYING IN BIG-IP F5
We created a node, a pool and a virtual server by making use of Ansible.

My image looks blurry, sorry for that, although our objective has been completed. We can also verify it through the CLI.



sushant@(sushant)(cfg-sync Standalone)(/Common)(tmos)# list /ltm node web01
ltm node web01 {
    address 10.10.10.10
}

sushant@(sushant)(cfg-sync Standalone)(/Common)(tmos)# list /ltm pool max-pool
ltm pool max-pool {
    load-balancing-mode ratio-member
    members {
        web01:http {
            address 10.10.10.10
            description "webserver web01"
        }
        web02:http {
            address 10.10.10.20
            description "webserver web02"
        }
    }
    slow-ramp-time 5
}


sushant@(sushant)(cfg-sync Standalone)(/Common)(tmos)# list /ltm virtual max-vip-1
ltm virtual max-vip-1 {
    creation-time 2021-06-22:19:10:17
    description max-vip
    destination 172.16.100.100:http
    ip-protocol tcp
    last-modified-time 2021-06-22:19:10:17
    mask 255.255.255.255
    metadata {
        f5-ansible.last_modified {
            value "2021-06-22 13:25:17.382305"
        }
        f5-ansible.version {
            value 2.9.21
        }
    }
    pool max-pool
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 5
}

We will be talking more about Ansible in upcoming blogs. Let me end here as it is becoming too lengthy.
