Command Line Love

Logs Export

tar -czpf /var/tmp/logfiles.tar.gz /var/log/*

tar -czpf /var/tmp/"$HOSTNAME"_logfiles.tar.gz -P /var/log/*

Compress an entire directory in Linux: tar -zcvf file.tar.gz /path/to/dir/

Compress a single file in Linux: tar -zcvf file.tar.gz /path/to/filename

Compress multiple directories in Linux: tar -zcvf file.tar.gz dir1 dir2 dir3


Force failover from standby box

tmsh

run /cm watch-trafficgroup-device


Ref: https://support.f5.com/csp/article/K48900343


SCP certificates and keys

Copy the files with SCP as follows:

1. Copy the files directly from the source BIG-IP to the destination BIG-IP device over SFTP or SCP, which keeps them encrypted during transfer.


Certificates are stored in this directory: /config/filestore/files_d/Common_d/certificate_d

Private keys are stored in this directory: /config/filestore/files_d/Common_d/certificate_key_d


2. Once you have copied the certificates and keys from one BIG-IP to another, you need to 'install' them so that they appear in the GUI. To do so, run the commands below on the destination BIG-IP device:

for keys :

tmsh install /sys crypto key <key_name> from-local-file <key_path_and_name>


for certs :

tmsh install /sys crypto cert <cert_name> from-local-file <cert_path_and_name>


For example, to import the SSL key named testkey2.key, you type the following command:

tmsh install /sys crypto key testkey2.key from-local-file /config/filestore/files_d/Common_d/certificate_key_d/testkey2.key
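A check that fits between steps 1 and 2, shown as an added example that is not part of the original notes: confirm that each copied private key belongs to its certificate before printing the install commands. The function names are hypothetical, and openssl is assumed to be available on the device.

```shell
#!/bin/sh
# Added example: check that a copied private key belongs to its certificate
# before printing the install commands. Assumes openssl is on the PATH.

# Succeeds only when the certificate's public key equals the one derived
# from the key file. "-passin pass:" makes a passphrase-protected key fail
# here instead of prompting on the terminal.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: install_cmds <key_name> <key_path> <cert_name> <cert_path>
# Prints the two tmsh install commands for a verified pair so they can be
# reviewed before running; prints nothing to stdout on a mismatch.
install_cmds() {
    if ! pair_matches "$4" "$2"; then
        echo "key/cert mismatch or unreadable file: $2 / $4" >&2
        return 1
    fi
    printf 'tmsh install /sys crypto key %s from-local-file %s\n' "$1" "$2"
    printf 'tmsh install /sys crypto cert %s from-local-file %s\n' "$3" "$4"
}
```
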


TMSH SCRIPT Examples

testv82_node

#!/bin/bash

node1="test_81"

ip1="1.1.1.81"

node2="test_82"

ip2="2.2.2.82"

tmsh create ltm node $node1 address $ip1

tmsh create ltm node $node2 address $ip2

------------

testv82_vs

#!/bin/bash

partition="lab_dc1_dc2"

pool_name="test_82_pool"

pool_member1="test_81:81"

pool_member2="test_82:82"

monitor="http"

vs_name="test_82_vs"

vs_ip_and_port="10.212.0.82:80"

profile="http"

snat_type="snat pool"

snat_pool="snat-pool-south"

persistance="source_addr"

------------

tmsh create ltm pool /$partition/$pool_name members add { $pool_member1 $pool_member2 } monitor $monitor

tmsh create ltm virtual /$partition/$vs_name destination $vs_ip_and_port mask 255.255.255.255 profiles add { $profile } source-address-translation { type $snat_type $snat_pool } pool /$partition/$pool_name persist replace-all-with { $persistance }

sh -x /tmp/dr_scripts/testv82_vs


---


#!/bin/bash

pool_name="service_pool"

pool_member1="node_172.16.63.114:443"

pool_member2="node_172.21.73.83:443"

monitor="service_mon"

tmsh create ltm monitor http $monitor

tmsh create ltm pool $pool_name members add { $pool_member1 $pool_member2 } monitor $monitor

--------------------

script

#!/bin/bash

echo -n "What is the service name? "

read -r service_name

echo -n "What is the IP and port (example 192.168.10.10:443)? "

read -r ip_and_port

echo -n "What is the pool member 1 IP and port (example node_192.168.10.10:443)? "

read -r node_and_port1

echo -n "What is the pool member 2 IP and port (example node_192.168.10.10:443)? "

# Read into node_and_port2, the variable that pool2 is set from below
read -r node_and_port2

#vars

vs_name="$service_name"_vs

vs_ip_and_port="$ip_and_port"

pool1=$node_and_port1

pool2=$node_and_port2

profile="$service_name"_http

snat_type="automap"

persistance1="$service_name"_cookie-persistence

persistance2="$service_name"_int_source-addr-persistence

tcp_client="$service_name"_tcp-wan-optimized

tcp_server="$service_name"_tcp-lan-optimized

pool_name="$service_name"_pool

pool_member1="$pool1"

pool_member2="$pool2"

monitor="$service_name"_mon

tmsh create ltm monitor http $monitor

tmsh create ltm pool $pool_name members add { $pool_member1 $pool_member2 } monitor $monitor

tmsh create ltm profile tcp $tcp_client

tmsh create ltm profile tcp $tcp_server

tmsh create ltm profile http $profile

tmsh create ltm persistence cookie $persistance1

tmsh create ltm persistence source-addr $persistance2

tmsh create ltm virtual $vs_name destination $vs_ip_and_port mask 255.255.255.255 pool $pool_name profiles replace-all-with { $profile { } $tcp_server { context serverside } $tcp_client { context clientside } } source-address-translation { type $snat_type } persist replace-all-with { $persistance1 } fallback-persistence $persistance2

sh -x /tmp/dr_scripts/testv82_vs
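The interactive script above expands whatever is typed at the prompts, unquoted, into tmsh command lines. An added example (not part of the original notes) of validating those answers first; the function names and the naming, length and leading-zero rules are assumptions, chosen to be stricter than tmsh itself.

```shell
#!/bin/sh
# Added example: validate prompt answers before they reach tmsh (rules are assumptions).

# Object name: starts with a letter or '_', then letters, digits, '_', '.', '-'; max 63 chars.
valid_name() {
    case $1 in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Port: decimal 1-65535, no leading zero.
valid_port() {
    case $1 in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Dotted-quad IPv4. The body runs in a subshell so the IFS change cannot leak.
valid_ipv4() (
    case $1 in
        *[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1                                   # split on dots; only digits and dots remain
    for o in "$@"; do
        case $o in 0?*) exit 1 ;; esac          # leading zeros may be read as octal
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
    [ "$#" -eq 4 ]
)

# Virtual server destination "ip:port" (vs_ip_and_port in the script above).
valid_destination() {
    case $1 in *:*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%:*}" && valid_port "${1##*:}"
}
# Pool member "node_name:port" (pool_member1 / pool_member2 in the script above).
valid_member() {
    case $1 in *:*) ;; *) return 1 ;; esac
    valid_name "${1%:*}" && valid_port "${1##*:}"
}

# Print the pool command from the script above, or fail with no output.
pool_cmd() {
    valid_name "$1" && valid_member "$2" && valid_member "$3" || return 1
    printf 'tmsh create ltm pool %s_pool members add { %s %s } monitor %s_mon\n' "$1" "$2" "$3" "$1"
}
```
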

View Last saved config difference


sdiff -s /config/bigip.conf /config/bigip.conf.bak

Example after adding a node

[donald@gateway2:Active:Disconnected] ~ # sdiff -s /config/bigip.conf /config/bigip.conf.bak

ltm node /Common/one2499 { <

address 1.2.3.99 <

} <

Listing self IP addresses, routes, pools, and nodes using tmsh

  • Self IP addresses: tmsh -q -c "cd / ; list net self recursive one-line"

  • Network routes: tmsh -q -c "cd / ; list net route recursive one-line"

  • Network route domains: tmsh -q -c "cd / ; list net route-domain recursive one-line"

  • Virtual servers: tmsh -q -c "cd / ; list ltm virtual recursive one-line"

  • Pools: tmsh -q -c "cd / ; list ltm pool recursive one-line"

  • Nodes: tmsh -q -c "cd / ; list ltm node recursive one-line"

Listing active BIG-IP GTM systems in GTM sync group

tmsh show gtm iquery | awk '/Server|Configuration|Gtm::/ { if (/Server /) server=$2 ; else if (/Gtm::/) ip=$2 ; else if (/Configuration Time.*:..$/) print server " (" ip"), " $(NF-1) " " $NF}'




Displaying and deleting connection table entries

cs-client-addr The (client) source IP address on the clientside of the connection

cs-client-port The (client) source port on the clientside of the connection

cs-server-addr The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address)

cs-server-port The (server) destination port on the clientside of the connection (i.e. the Virtual Server port)

ss-client-addr The (client) source IP address on the serverside of the connection (i.e. the SNAT address)

ss-client-port The (client) source port on the serverside of the connection (i.e. the SNAT port)

ss-server-addr The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)

ss-server-port The (server) destination port on the serverside of the connection (i.e., the Pool Member port)


#To display the BIG-IP connection table entries for a particular virtual server, use the following tmsh command syntax:

tmsh show /sys connection cs-server-addr <vs_ip> cs-server-port <vs_port>


#For example, to display the BIG-IP connection table entries for 10.10.2.2:443 virtual server, you would type the following command:

tmsh show /sys connection cs-server-addr 10.10.2.2 cs-server-port 443


#To display the BIG-IP connection table entries for a particular client IP address, use the following tmsh command syntax:

tmsh show /sys connection cs-client-addr <client_ip>


#For example, to display the BIG-IP connection table entries for 10.10.20.2 client IP address, you would type the following command:

tmsh show /sys connection cs-client-addr 10.10.20.2


#To display the BIG-IP connection table entries for a particular pool member, use the following tmsh command syntax:

tmsh show /sys connection ss-server-addr <pool_member_ip> ss-server-port <pool_member_port>


#For example, to display the BIG-IP connection table entries for 192.168.10.2:80 pool member, you would type the following command:

tmsh show /sys connection ss-server-addr 192.168.10.2 ss-server-port 80


#To display additional information about a particular connection, such as idle timeout or number of packets sent, use the following tmsh command syntax:

tmsh show /sys connection cs-client-addr <client_ip> cs-client-port <client_port> cs-server-addr <vs_ip> cs-server-port <vs_port> all-properties


#For example, to display specific details of the connection established between 10.10.20.2:51435 (client) and 10.10.2.2:443 (virtual server), you would type the following command:

tmsh show /sys connection cs-client-addr 10.10.20.2 cs-client-port 51435 cs-server-addr 10.10.2.2 cs-server-port 443 all-properties


#To delete the BIG-IP connection table entries for a particular client IP and virtual server, use the following tmsh command syntax:

tmsh delete /sys connection cs-client-addr <client_ip> cs-server-addr <vs_ip> cs-server-port <vs_port>


#For example, to delete the BIG-IP connection table entries for 10.10.20.2 client IP address and 10.10.2.2:443 virtual server, you would type the following command:

tmsh delete /sys connection cs-client-addr 10.10.20.2 cs-server-addr 10.10.2.2 cs-server-port 443


#Show connection

tmsh show sys connection

tmsh show sys connection cs-client-addr 10.10.10.77 all-properties


List profiles and virtual servers

  1. To list which virtual servers use a profile type (e.g. fastL4) or a specific profile name, run the following commands:

# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|fastL4'


# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|My_Profile_Name'

  2. To list which virtual servers have a pool configured, or use a specific pool name, run the following commands:

# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|Pool'


# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|My_Pool_Name'

  3. To list the IP addresses of the pool members and the monitor configured on each pool, run the following commands:

# tmsh list ltm pool all-properties | egrep -i 'ltm pool|address|monitor'


# tmsh list ltm pool all-properties | egrep -i 'ltm pool|address|My_Monitor_Name'

  4. Some other useful CLI commands for virtual servers:

# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|persist' -A1


# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|My_Persist_Profile_Name'


# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|clientssl|serverssl'


# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|My_clientssl_Profile_Name|My_serverssl_Profile_Name'


# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|destination|translate-address|translate-port'


# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|destination|rules' -A1


# tmsh list ltm virtual all-properties | egrep -i 'ltm virtual|destination|My_iRule_Name'