F5 Lab 1.1: Deployment and Management IP Setup

1. Lab Deployment

Recently, I have been building an F5 lab in PNETLAB on my 16 GB RAM laptop. For my first F5 lab deployment, I'm using the BIG-IP VE (Virtual Edition) version 16.0.0 software release. I built the lab topology as shown below:

The topology consists of 2 F5 BIG-IP devices, 2 servers, and 2 PCs. The connections are split into 3 parts: External (198.51.100.0/24), Internal (192.0.2.0/24) and Management (192.168.1.0/24). In this lab, I will work through some scenarios that I published earlier in my post here. This article covers scenario no. 1. Let's jump in!

2. F5 Management Options

There are 2 user management interfaces to administer F5 device:

  1. GUI-based: The GUI-based management interface on an F5 device is often called the Configuration Utility. It can be accessed using the management IP of the F5 device or a self IP address of the device. Access through a self IP needs additional configuration because of the default restrictions on self IP configuration. The Configuration Utility is available over HTTPS (TCP 443). Some configuration, especially more advanced configuration, is often not available in the GUI and can only be made via the CLI.

  2. CLI-based: The CLI-based management interface on an F5 device can be accessed using the management IP of the F5 device or a self IP address of the device. Access through a self IP needs additional configuration because of the default restrictions on self IP configuration. The CLI is available remotely over SSH (TCP 22) and through the serial console. Two terminal environments are available in the CLI: the Linux shell and the TMOS (Traffic Management Operating System) shell. The Linux shell gives terminal access to the system level of the F5 device, including system directories such as the configuration file directory, the logging directory and other system files. The TMOS shell is the terminal used to administer the F5 device: system configuration and the configuration of installed modules.

3. F5 Deployment and Management IP Configuration

When the F5 device is powered on, it boots and starts all its services. After a successful boot, the device shows a login prompt like this:

The login prompt shows the device and software information currently running. BIG-IP 16.0.0 Build 0.0.12 is the software version of the device, with the kernel version information at the bottom. localhost is the default device name. On first login, the default username is "root" and the password of the root user is "default".

After you enter the root user and the default password, the device asks you to change the root password. This is a good security measure, because administrators sometimes forget to change the default password and leave it in place, which leaves the device unsecured. Another thing to be aware of is that there are two user accounts by default: the first is "root" and the second is "admin". There are some differences between the two:

  1. The root account is the highest privilege level on the F5 device for terminal access (CLI). Using this account gives the authority to access and modify the system configuration, including the Linux system, from the CLI.

  2. The root account doesn't have GUI access.

  3. The admin account is the highest privilege level on the F5 device for the GUI (Configuration Utility).

  4. By default, the admin account doesn't have terminal (CLI) access, but this can be changed.

  5. When the root password is changed for the first time, the admin password is changed as well, but F5 marks it as expired and asks you to change the admin password when you first log in to the GUI with the admin account.

  6. The root account can be disabled or enabled by modifying the configuration via the CLI, and a new alternate root username can be added.

  7. The default admin account can be disabled by modifying the configuration via the GUI, but an alternate administrative account must be created first.

After changing the default user and password, the F5 device logs in to the Linux shell (Bash) and lands in the /config directory.

To access the TMOS shell, type "tmsh" and the prompt changes like this:

Initially the F5 device has no license installed, as shown in the picture above; installing the license requires GUI access. By default, the F5 GUI/Configuration Utility uses management IP 192.168.1.245 over HTTPS, so it is accessed with a web browser at https://192.168.1.245. We can log in using the admin account, with the same password as the root password.

To change the default management IP immediately via the CLI, type "config" in the Linux shell to enter the F5 Management Port Setup. The steps are:

1. Click "OK"

2. Select the IP address version of the management IP address: IPv4 if using IPv4, IPv6 if using IPv6. I am using IPv4 addressing, so I select IPv4.

3. Select whether the management IP uses automatic addressing (DHCP) or static addressing. I used static, so I select "No".

4. Insert the management IP address. In my case I used 192.168.1.2. Hit "OK".

5. Insert the subnet mask of the management IP. In my case, I used /24, so I input 255.255.255.0.

6. Define whether the management IP has a default route. I select "Yes" because my management IP subnet has a default route so it can be reached from remote networks.

7. Insert the management subnet default route. In my case, 192.168.1.254.

8. Review and confirm the IP addressing and default route configuration. If the configuration is correct, hit "Yes"; management connectivity to the device will be lost for a while.

9. Verify that the management interface (mgmt) on the device has changed to the latest configuration using the command "ifconfig" in the Linux shell.

10. Test F5 GUI/Configuration Utility access using the new management IP address and log in using the root account password. The F5 device will then ask you to change the password.

11. If the password is changed successfully, the device notifies you and prompts you to log in again using the new password.
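The addressing entered in steps 2 to 8 can also be applied non-interactively with tmsh. The script below is an added example, not part of the original article: it checks the plan (contiguous netmask, usable host address, gateway inside the management subnet) and prints the equivalent tmsh commands without running them. The function names are assumptions of this example; the addresses are the ones used in the article.

```shell
#!/bin/sh
# Added example (not from the article): validate a static management
# addressing plan, then print, without running, the equivalent tmsh commands.

# Dotted quad -> integer; fails on malformed octets or leading zeros.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask -> prefix length; fails when the mask bits are not contiguous.
mask_to_prefix() {
    m=$(ip_to_int "$1") || return 1
    inv=$(( $m ^ 4294967295 ))
    [ $(( $inv & ($inv + 1) )) -eq 0 ] || return 1
    p=0
    while [ "$m" -ne 0 ]; do p=$(( $p + ($m & 1) )); m=$(( $m >> 1 )); done
    echo "$p"
}

# Args: current-mgmt-ip/prefix  new-ip  netmask  gateway
mgmt_plan() {
    ip=$(ip_to_int "$2") || { echo "bad address: $2" >&2; return 1; }
    pfx=$(mask_to_prefix "$3") || { echo "bad netmask: $3" >&2; return 1; }
    gw=$(ip_to_int "$4") || { echo "bad gateway: $4" >&2; return 1; }
    mask=$(ip_to_int "$3")
    net=$(( $ip & $mask )); bcast=$(( $net | ($mask ^ 4294967295) ))
    { [ "$ip" -ne "$net" ] && [ "$ip" -ne "$bcast" ]; } ||
        { echo "$2 is the network or broadcast address" >&2; return 1; }
    { [ $(( $gw & $mask )) -eq "$net" ] && [ "$gw" -ne "$ip" ]; } ||
        { echo "gateway $4 is not a usable next hop in $2/$pfx" >&2; return 1; }
    cat <<EOF
tmsh modify sys global-settings mgmt-dhcp disabled
tmsh delete sys management-ip $1
tmsh create sys management-ip $2/$pfx
tmsh create sys management-route default gateway $4
tmsh save sys config
EOF
}

# Values from the article: default 192.168.1.245, new 192.168.1.2/24, gw .254
mgmt_plan 192.168.1.245/24 192.168.1.2 255.255.255.0 192.168.1.254
```

Run the printed commands from the VM or serial console rather than an SSH session to the old management address, because deleting that address drops the connection.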

Once the management IP address is correctly configured and the password has been changed, the F5 GUI can be accessed. On the first login, it shows the "Setup Utility" as below:

The Setup Utility guides the F5 administrator through initial configuration such as Licensing, Resource Provisioning, System Device Configuration, Network VLAN, NTP, DNS and Redundancy. Not all configuration has to be done in the Setup Utility; some of it can be added later. The configuration that is mandatory to make the F5 ready for use is Licensing, Resource Provisioning and System Device Configuration (Device Certificate and Platform).

Reference: https://my.f5.com/manage/s/article/K15632

Vicens Ferran Rabassa

Senior Network Engineer and System Administrator - Cisco Certified Network Professional Enterprise (Encor+Enarsi) - Still Learning...CCNP Service Provider and DataCenter technologies in progress. Thinking in CCIE.

1y

So interesting. Thanks for sharing!

Afrius Setiawan

MS Engineer (L2) at NTT DATA | 2x CCIE #55007 (RS & DC)

1y

Nice, Kang Deni Ramdani
