Bigipv9tech Intro v10
BIG-IP LTM: Local Traffic Management Introduction
Billy Chuang, Presales Manager; Ken Wong, Presales Consultant
© F5 Networks
Agenda
• Introduction
• TCP overview
• Start Up
• Basic Concept
• Monitoring
• Profile
• Session Persistence
• SSL Acceleration
• HTTP Compression
The Leader in Application Delivery Networking
[Figure: Application Delivery Network connecting users (at home, in the office, on the road) to data center applications (SAP, Microsoft, Oracle)]
F5 ensures applications running over the network are always secure, fast and available
F5’s ADN – Freeing IT, Optimizing Business
[Figure: F5 ADN product map on TMOS with iControl and Enterprise Manager / ControlPoint: BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Link Controller, BIG-IP Application Security Manager, BIG-IP WebAccelerator, iSession, FirePass SSL VPN and ARX File/Data Virtualization, between clients (PC at home, PC on LAN, WLAN, cell, remote over WAN) and the applications and storage in the international data center]
Business Goal: Achieve these objectives in the most operationally efficient manner
Consolidation by Virtualization
[Figure: clients (PC at home, PC on LAN, WLAN, cell, remote over WAN) reaching web servers, application servers and Windows file storage on EMC and NetApp; virtualization layers: Data Center & Link Virtualization (GTM & LC), Web Server Virtualization (LTM), Application Server Virtualization (LTM), File Storage Virtualization (ARX)]
F5 Product Family
• Traffic Management
– Optimize application traffic within data centre
– Manage traffic across data centres
– High availability for applications and shared services between data centres across the WAN
• Acceleration
– Accelerates http traffic by up to 200% to 500%
– LAN-like performance over the WAN
– Improve performance without adding expensive bandwidth
• Security
– Application firewall
– Allows clientless secure remote access to internal corporate network and resources
• Data Solutions
– Intelligent file virtualization
– Decouples access from physical file location
Products: F5 ARX Series, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Link Controller, BIG-IP Application Security Manager, BIG-IP WebAccelerator, FirePass
BIG-IP Hardware Line-up (ordered by price and function / performance)
BIG-IP 1600
– Dual core CPU
– 4 x 10/100/1000 + 2x 1GB SFP
– 1x 160GB HD
– 4 GB memory
– SSL @ 5K TPS / 1 Gb bulk
– 1 Gbps max software compression
– 1 Gbps traffic
– 1 Basic Product Module
BIG-IP 3600
– Dual core CPU
– 8 x 10/100/1000 + 2x 1GB SFP
– 1x 160 GB HD + 8GB CF
– 4 GB memory
– SSL @ 10K TPS / 2 Gb bulk
– 1 Gbps max software compression
– 2 Gbps traffic
– 1 Advanced Product Module
BIG-IP 6900
– 2 x Dual core CPU
– 16 x 10/100/1000 + 8x 1GB SFP
– 2x 320 GB HD (S/W RAID) + 8GB CF
– 8 GB memory
– SSL @ 25K TPS / 4 Gb bulk
– 5 Gbps max hardware compression
– 6 Gbps traffic
– Multiple Product Modules
BIG-IP 8900
– 2 x Quad core CPU
– 16 x 10/100/1000 + 8x 1GB SFP
– 2x 320 GB HD (S/W RAID) + 8GB CF
– 16 GB memory
– SSL @ 58K TPS / 9.6 Gb bulk
– 6 Gbps max hardware compression
– 12 Gbps traffic
– Multiple Product Modules
On-Demand & Dynamic Application Security
BIG-IP Local Traffic Manager + BIG-IP Application Security Manager
Leading Value
• World’s first on-demand scaling Web Application Firewall
• Advanced security
• Integrated security performance
• Application insight/visibility
Better security, 2x+ performance!
Ultimate Reliability
[Figure: client to server path through a multi-blade chassis]
Multi-Level Redundancy
• Blade failure will not cause chassis failure
• Redundant and hot swappable components
Always Available
On Demand – Zero Reconfiguration
[Figure: physical servers and virtual machines behind the chassis]
• Automatic addition of power
• No need to overprovision
• Fixed and predictable opex
Industry Leading Performance
                         Single Blade     4 Blade System
L7 Fast HTTP Inf/Inf     800,000 Rps      3,200,000 Rps
L7 Full Proxy Inf/Inf    300,000 Rps      1,200,000 Rps
SSL TPS                  50,000           200,000
SSL Gbps                 9 Gbps           36 Gbps
L4 Conn/s (1-1)          250,000 cps      1,000,000 cps
Compression              4.5 Gbps         16 Gbps
L4 Throughput            10 Gbps          36 Gbps
L7 Throughput            10 Gbps          36 Gbps
TCP Overview
TCP Segment Structure
Connection Setup 3-way-handshake
Tear Down A Connection
Some Useful Tools
• Putty, FileZilla
• Wireshark/tcpdump
• HttpWatch, IE
Quick start
• Power On
• License
• Basic preparation
First Power ON
Initial IP Address is 192.168.1.245 / 24
Setup / Configuration Access
Two methods
1. Web Interface
• https (remote)
2. Command Line
• ssh (remote)
• Serial Terminal
License Process – Automated
[Figure: PC, BIG-IP and the F5 License Server (activate.F5.com) connected over the Internet]
Run Setup utility
• Enter Registration Key
License the box
• Get License from F5
• Select parameters
License Process – Manual
[Figure: BIG-IP on a network without Internet access; the PC is moved to the Internet to reach the F5 License Server (activate.F5.com) and then moved back]
Run Setup utility
Manually License the box
• Copy Product Dossier to PC
• Move PC to Internet
• https://activate.F5.com
• Paste Product Dossier to F5
• Download License to PC
• Move PC back
• Upload & Install License file
Setup Utility
https://<Management IP Address>
Setup Utility – Network
BIG-IP Admin Users
User Authentication Process
Configuration Worksheet
Basic Network Configuration
• VLAN
• Trunk Port
• Spanning Tree
• Self-IP
Virtual LAN (VLAN)
• A VLAN is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space
• Reduces the size of broadcast domains
• Functionally-related hosts no longer need to physically reside together to achieve optimal network performance
• Enhances security on your network by segmenting hosts that must transmit sensitive data
Think of the BIG-IP system as a multilayer switch rather than a standard IP router.
Spanning Tree
• Supported standards
– STP (IEEE 802.1D-1998)
– RSTP (IEEE 802.1w, 802.1t, 802.1D-2004)
– MSTP (802.1s)
On networks that contain redundant paths between layer 2 devices, a common problem is bridging loops. Bridging loops occur because layer 2 devices do not create boundaries for broadcasts or packet floods. Consequently, layer 2 devices can use redundant paths to forward the same frames to each other continuously, eventually causing the network to fail.
Spanning tree protocols block redundant paths on a network, thus preventing bridging loops.
Trunk Port
A trunk is a logical grouping of interfaces that functions as a single interface. The BIG-IP system uses a trunk to distribute traffic across multiple links, in a process known as link aggregation.
• Aggregates up to 8 links
• IEEE standard 802.3ad, LACP
Self-IP
Major purposes
• Default route for each destination server in the VLAN
• IP interface used to send messages to hosts on the local subnet
• Management interface IP, the default address for HTTPS and SSH
A self IP address is an IP address that you associate with a VLAN, to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space, that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address. You can associate self IP addresses not only with VLANs, but also with VLAN groups.
Two types
• Static: an IP address owned by the unit itself.
• Floating: an IP address shared by a redundant pair and active only on the active unit.
Basic Concept
• Virtual Server & Node Concepts
• Configuring Virtual Servers & Pools
– Virtual Server & Pool Lab
• Load Balancing Modes
• Configuring Load Balancing
Pool - Grouping of Nodes
[Figure: Internet clients → router → BIG-IP Controller → servers]
Pool Members and Nodes
[Figure: pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080 behind the BIG-IP, facing the Internet]
• Nodes refer to the Pool Members' IP Address only
Virtual Server
[Figure: Virtual Server 216.34.94.17:80 in front of nodes 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080]
• Basic mechanism to manage traffic
• IP Address + Service (Port) Combination
• One Virtual Server points to one or more Nodes
Virtual Server - Address Translation
BIG-IP performs network address translation to real server addresses such that all machines are viewed as one Virtual Server
[Figure: Virtual Server Address 216.34.94.17:80 on the Internet side; Network Address Translation to the Real Server Addresses 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080]
Network Flow - Packet #1
[Figure: client, DNS Server, BIG-IP Virtual Server 216.34.94.17:80 and nodes 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80, 172.16.20.4:8080]
The client resolves www.f5.com to the BIG-IP Virtual Server Address 216.34.94.17:80
[Each figure in this sequence: nodes 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080 behind Virtual Server 216.34.94.17:80]

Network Flow - Packet #1
BIG-IP translates Dest Address to Node based on Load Balancing
Client 207.17.117.20
Packet #1 (Internet side): Src 207.17.117.20:4003, Dest 216.34.94.17:80
Packet #1 (server side): Src 207.17.117.20:4003, Dest 172.16.20.1:80

Network Flow – Packet #1 Return
BIG-IP translates Src Address back to Virtual Server Address
Packet #1 return (server side): Dest 207.17.117.20:4003, Src 172.16.20.1:80
Packet #1 return (Internet side): Dest 207.17.117.20:4003, Src 216.34.94.17:80

Network Flow - Packet #2
Client 207.17.117.21
Packet #2 (Internet side): Src 207.17.117.21:4003, Dest 216.34.94.17:80
Packet #2 (server side): Src 207.17.117.21:4003, Dest 172.16.20.2:4002

Network Flow – Packet #2 Return
Packet #2 return (server side): Dest 207.17.117.21:4003, Src 172.16.20.2:4002
Packet #2 return (Internet side): Dest 207.17.117.21:4003, Src 216.34.94.17:80

Network Flow - Packet #3
Client 207.17.117.25
Packet #3 (Internet side): Src 207.17.117.25:4003, Dest 216.34.94.17:80
Packet #3 (server side): Src 207.17.117.25:4003, Dest 172.16.20.4:8080

Network Flow – Packet #3 Return
Packet #3 return (server side): Dest 207.17.117.25:4003, Src 172.16.20.4:8080
Packet #3 return (Internet side): Dest 207.17.117.25:4003, Src 216.34.94.17:80
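The packet flows above can be modelled with a small connection table: the first packet of a client flow is load balanced once, every later packet of that flow and every reply is translated the same way, and a server-side packet that matches no flow is refused. The following is an added example, not code from the deck. Addresses are the ones on the slides; the pool holds the three members the slides actually send traffic to, and the round-robin chooser is an assumption made so the example reproduces the slide sequence.

```python
"""Destination/source address translation with a connection table, modelled
on the packet flow in the slides above (added example, not F5 code)."""
from dataclasses import dataclass
from itertools import cycle

VIRTUAL_SERVER = ("216.34.94.17", 80)
# The three members the slides route to, in the order the slides use them.
POOL = [("172.16.20.1", 80), ("172.16.20.2", 4002), ("172.16.20.4", 8080)]


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


class AddressTranslator:
    """One connection-table entry per client flow, so every packet of the
    flow, and the replies to it, are translated the same way."""

    def __init__(self, vs, pool):
        self.vs = vs
        self._chooser = cycle(pool)   # assumed round robin
        self.table = {}               # client (ip, port) -> pool member

    def inbound(self, pkt):
        """Client -> virtual server: rewrite the destination to a member."""
        if pkt.dst != self.vs:
            raise ValueError("not addressed to the virtual server")
        member = self.table.get(pkt.src)
        if member is None:            # first packet of the flow: load balance once
            member = next(self._chooser)
            self.table[pkt.src] = member
        return Packet(pkt.src, member)

    def outbound(self, pkt):
        """Server -> client: rewrite the source back to the virtual server.
        A reply that matches no flow in the table is refused, so a server
        cannot reach a client through the device unless the client opened
        the connection."""
        if self.table.get(pkt.dst) != pkt.src:
            raise ValueError("no connection-table entry for this reply")
        return Packet(self.vs, pkt.dst)


def replay_slides():
    """The three flows from the slides: the server-side destination chosen
    for each client and the source address the client sees on the reply."""
    ltm = AddressTranslator(VIRTUAL_SERVER, POOL)
    out = []
    for client in ("207.17.117.20", "207.17.117.21", "207.17.117.25"):
        fwd = ltm.inbound(Packet((client, 4003), VIRTUAL_SERVER))
        back = ltm.outbound(Packet(fwd.dst, fwd.src))
        out.append((client, fwd.dst, back.src))
    return out


if __name__ == "__main__":
    for client, member, reply_src in replay_slides():
        print(f"{client}:4003 -> {member[0]}:{member[1]}  "
              f"(reply seen from {reply_src[0]}:{reply_src[1]})")
```

The table is keyed on the client source address and port only; a real device also keys on the virtual server and protocol, and ages entries out, which this model leaves out.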
Basic Setup STEP
[Figure: Virtual Server → Pool → Members; each Member belongs to a Node]
Configuring Pools
Configuring Virtual Servers
Statistics
• Summary
• Virtual Servers
• Pools
• Nodes
Load Balancing
Round Robin
[Figure: Internet clients → router → BIG-IP Controller → four servers; requests 1 2 3 4 and 5 6 7 8 distributed across the servers in turn]
Client requests are distributed evenly

Ratio
[Figure: requests 1 2 3 4 and 8 9 10 11 across the four servers, with 5 7 and 12 14 also going to the first server and 6 and 13 to the second]
Administrator sets ratio for distributing Client requests 3:2:1:1

Fastest
[Figure: current response times 10ms, 10ms, 10ms, 17ms; requests 14, 25, 36]
Next requests go to the Node with the fastest response time

Fastest (some time later)
[Figure: current response times 10ms, 10ms, 7ms, 7ms; requests 101, 102, 103, 104]
Some time later, response times change

Least Connections
[Figure: current connections 459, 460, 461, 470; requests 1 to 6]
Next requests go to the Node with the fewest open connections

Least Connections (some time later)
[Figure: current connections 280, 290, 111, 112; requests 61, 62, 63]
Some time later, the number of connections changes

Priority Group Activation
[Figure: Priority 1 group and Priority 2 group; requests 1 to 6 all go to the Priority 1 nodes]
If you set Priority Group Activation to 2, and 3 of the highest priority nodes are available, then lower priority nodes will not be used.

Priority Group Activation (continued)
[Figure: only one Priority 1 node remains; requests 1 to 8 are spread across it and the Priority 2 nodes]
If the number of nodes falls below the Priority Group Activation value (2), then the next highest priority nodes are used as well.
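The methods on the slides from Round Robin through Priority Group Activation can be demonstrated in one small simulator. This is an added example, not F5 code: the ratios, response times and connection counts are the ones on the slides, while the tie-breaking rules, the priority numbering (higher number = higher priority group) and the exact Ratio interleaving are assumptions chosen to reproduce the slide sequences, not a statement of the product's internal algorithm.

```python
"""Simulator for Round Robin, Ratio, Fastest, Least Connections and
Priority Group Activation (added example, not F5 code)."""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    ratio: int = 1
    priority: int = 0        # higher number = higher priority group (assumption)
    response_ms: float = 0.0
    connections: int = 0
    available: bool = True   # in practice driven by a health monitor


class Pool:
    def __init__(self, members, activation=0):
        self.members = list(members)
        self.activation = activation   # Priority Group Activation: 0 = disabled
        self._rr = 0                   # round robin cursor, also breaks ties
        self._ratio_pos = 0
        self._credit = {}              # requests left per member in this ratio cycle

    def candidates(self):
        """Priority Group Activation: serve from the highest priority group
        alone while it has at least `activation` available members; when it
        drops below that, add the next group down, and so on."""
        up = [m for m in self.members if m.available]
        if not self.activation:
            return up
        chosen = []
        for prio in sorted({m.priority for m in up}, reverse=True):
            chosen += [m for m in up if m.priority == prio]
            if len(chosen) >= self.activation:
                break
        return chosen

    def _rotate(self, nodes):
        node = nodes[self._rr % len(nodes)]
        self._rr += 1
        return node

    def round_robin(self):
        return self._rotate(self.candidates())

    def ratio(self):
        """Weighted round robin: each member gets one request per pass while
        it still has credit; credit is refilled from the ratios once a cycle
        is spent. With 3:2:1:1 this gives A B C D, A B, A and repeats, which
        matches the request numbering on the Ratio slide."""
        nodes = self.candidates()
        n = len(nodes)
        for _ in range(2 * n + 1):
            m = nodes[self._ratio_pos % n]
            self._ratio_pos += 1
            if self._credit.get(m.name, 0) > 0:
                self._credit[m.name] -= 1
                return m
            if self._ratio_pos % n == 0 and not any(self._credit.get(x.name, 0) for x in nodes):
                self._credit = {x.name: x.ratio for x in nodes}
        raise RuntimeError("no member has a positive ratio")

    def fastest(self):
        """Next request goes to the node with the lowest current response
        time; ties rotate so equally fast nodes share the load."""
        nodes = self.candidates()
        best = min(m.response_ms for m in nodes)
        return self._rotate([m for m in nodes if m.response_ms == best])

    def least_connections(self):
        """Next request goes to the node with the fewest open connections;
        the chosen node's count is bumped so the next decision sees it."""
        nodes = self.candidates()
        fewest = min(m.connections for m in nodes)
        node = self._rotate([m for m in nodes if m.connections == fewest])
        node.connections += 1
        return node


if __name__ == "__main__":
    pool = Pool([Node("A", ratio=3), Node("B", ratio=2), Node("C"), Node("D")])
    print("ratio 3:2:1:1:", "".join(pool.ratio().name for _ in range(14)))
```

The `available` flag is the link to the monitoring section: a member a monitor has marked down leaves `candidates()`, which is also what lets Priority Group Activation pull in the next group.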
Ratio & Priority Group Activation
Pool Member vs. Node
Load Balancing by:
• Pool Member
– IP Address & service
• Node
– Total services for one IP Address
If using Member
If the http pool uses the Least Connections (member) load balancing method, then the next http requests go to the Pool Member with the fewest http connections
[Figure: Current Connections per server: http 107, 108, 99; ftp 2, 3, 25]
If using Node
The next http requests go to the IP Address with the fewest total connections
[Figure: Current Connections per server: http 107, 108, 99; ftp 2, 3, 25]
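The difference between the two slides is only what gets counted. The following added example (not F5 code) applies Least Connections to the slide's counts both ways; the server addresses and the ftp port are assumptions, the counts (http 107/108/99, ftp 2/3/25) are from the slides.

```python
"""Least Connections by pool member versus by node, using the connection
counts from the two slides above (added example, not F5 code)."""
from collections import defaultdict

# Constructed from the slide figures: (ip, port) -> current open connections.
# Addresses and the ftp port are assumptions.
CURRENT_CONNECTIONS = {
    ("172.16.20.1", 80): 107, ("172.16.20.2", 80): 108, ("172.16.20.3", 80): 99,
    ("172.16.20.1", 21): 2,   ("172.16.20.2", 21): 3,   ("172.16.20.3", 21): 25,
}
HTTP_POOL = [("172.16.20.1", 80), ("172.16.20.2", 80), ("172.16.20.3", 80)]


def connections_per_node(conns):
    """Total open connections for each IP address across all its services."""
    totals = defaultdict(int)
    for (ip, _port), count in conns.items():
        totals[ip] += count
    return dict(totals)


def least_connections(pool, conns, by="member"):
    """Pick the pool member with the lowest load. by="member" counts only the
    member's own service; by="node" counts every service on the member's IP
    address, so a server that is busy on another port is avoided."""
    if by == "member":
        load = {m: conns.get(m, 0) for m in pool}
    elif by == "node":
        totals = connections_per_node(conns)
        load = {m: totals.get(m[0], 0) for m in pool}
    else:
        raise ValueError("by must be 'member' or 'node'")
    # min() keeps the first of equal loads, so pool order breaks ties
    return min(pool, key=lambda m: load[m])


if __name__ == "__main__":
    print("member:", least_connections(HTTP_POOL, CURRENT_CONNECTIONS, "member"))
    print("node:  ", least_connections(HTTP_POOL, CURRENT_CONNECTIONS, "node"))
```

By member the third server wins on its 99 http connections; by node the first server wins because its total (107 + 2) is the lowest once the 25 ftp connections on the third server are counted.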
Configuring Load Balancing
Health Monitor
• Monitor Concepts
• Configuring Monitors
• Assigning Monitors
• Monitor Dependence
Monitor Concepts
• Address Check
– Node – IP Address
• Service Check
– Pool and/or Members – IP : port
• Content Check
– IP : port plus check data returned
• Interactive Check
Address Check
Steps
– Packets sent to IP Addresses
– If no response, then no traffic sent to associated Nodes
– Example - ICMP
[Figure: ICMP echo request and echo reply between the BIG-IP and 172.16.20.1, 172.16.20.2, 172.16.20.3]
Service Check
Steps
– Opens TCP connection (IP Address : service)
– Connection closed
– If TCP connection fails, then no traffic sent to associated Nodes
– Example – TCP
[Figure: TCP connection to 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80]
Content Check
Steps
– Opens TCP connection (IP Address : service)
– Sends a request
– Response returns data
– Connection closed
– If Receive Rule not found in data, then no traffic sent to associated Nodes
– Example – http
[Figure: http GET / sent to 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80]
Content check – network packets
TCP SYN
TCP SYN ACK
TCP ACK
TCP PUSH “HTTP GET /”
TCP ACK
TCP PUSH “HTTP 200 “don’t hack””
TCP ACK
TCP ACK
TCP FIN
Interactive Check
Steps
– Opens TCP connection (IP Address : service)
– Interactive conversation to simulate real-world use
– Connection closed
– If expected results do not occur, then no traffic sent to associated Nodes
– Example – FTP, SQL request
[Figure: conversation with 172.16.20.1:21, 172.16.20.2:21, 172.16.20.3:21]
Configuring Monitors
• Create or select Monitor
– System supplied templates
– User defined from template
• Assign Monitor
– Single Node – IP Address
– All Nodes
– Pool - IP : port
– Pool Member - IP : port
– Define to check a different IP : port
Creating Monitors
Additional Monitor Parameters
• Receive Rule
– If content found, Node marked Up
• Reverse Receive Rule
– If content found, Node marked Down
• Transparent
– If Path Available, Node marked Up
– Used for monitoring Links
Monitor Timers
• Frequency (Interval)
• Timeout
• Recommended – Timeout = 3n + 1, where n is the Interval
[Figure: Interval 5s, Timeout 16s; tries at 0s, 5s, 10s and 15s. Response 1 arrives in under 16s: Server UP. Response 2 arrives at 22s (more than 16s): Server Down.]
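The timer rule and the Receive / Reverse Receive Rule from the previous two slides can be put together in one offline model. This is an added example, not F5 code: the probe is a caller-supplied function so nothing touches the network, and the HTTP text and timings are constructed to match the slides (interval 5 s, timeout 16 s, one reply inside the window and one at 22 s). The reason for 3n + 1 is visible in the output: probes go out at 0, n, 2n and 3n seconds, so a member gets four attempts, the last of which still falls inside the window.

```python
"""Health monitor timers and content checks: Interval, Timeout = 3n + 1,
Receive Rule and Reverse Receive Rule (added example, not F5 code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


def recommended_timeout(interval: float) -> float:
    """The deck's rule of thumb: 3 * interval + 1."""
    return 3 * interval + 1


@dataclass
class Monitor:
    interval: float = 5.0
    timeout: float = 16.0                  # recommended_timeout(5)
    send: str = "GET / HTTP/1.0\r\n\r\n"
    recv: str = "HTTP/1.1 200"             # Receive Rule
    reverse: bool = False                  # Reverse: content found => Down


@dataclass
class Result:
    state: str
    at: float                              # time of the deciding reply, or the timeout
    tries: List[float] = field(default_factory=list)


def content_ok(monitor: Monitor, text: str) -> bool:
    found = monitor.recv in text
    return not found if monitor.reverse else found


# A responder answers one probe sent at time t with (response_text, arrival_time),
# or None when nothing ever comes back for that probe.
Responder = Callable[[float], Optional[Tuple[str, float]]]


def run_monitor(monitor: Monitor, respond: Responder) -> Result:
    """Send probes every `interval` seconds from t = 0 while still inside the
    timeout window. The member is UP on the first reply that both arrives
    within the window and satisfies the content rule; otherwise it is DOWN
    when the window closes."""
    tries: List[float] = []
    t = 0.0
    while t < monitor.timeout:
        tries.append(t)
        reply = respond(t)
        if reply is not None:
            text, arrived = reply
            if arrived <= monitor.timeout and content_ok(monitor, text):
                return Result("UP", arrived, tries)
        t += monitor.interval
    return Result("DOWN", monitor.timeout, tries)


# Constructed responses and scenarios matching the slide's timeline.
OK_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\ndon't hack"
MAINT_PAGE = "HTTP/1.1 200 OK\r\n\r\nsite in maintenance"


def fast_server(t):
    """Answers the third probe (sent at 10 s) two seconds later."""
    return (OK_PAGE, t + 2) if t == 10 else None


def slow_server(t):
    """Only answers the probe sent at 15 s, and not until 22 s."""
    return (OK_PAGE, 22.0) if t == 15 else None


def broken_server(t):
    """Answers promptly but with an error status, which fails the Receive Rule."""
    return ("HTTP/1.1 500 Internal Server Error\r\n\r\n", t + 1)


def maintenance_server(t):
    """Answers 200 with a maintenance page; a Reverse rule on that text marks it Down."""
    return (MAINT_PAGE, t + 1)


if __name__ == "__main__":
    for name, srv in [("fast", fast_server), ("slow", slow_server), ("broken", broken_server)]:
        r = run_monitor(Monitor(), srv)
        print(f"{name:7s} {r.state:4s} at {r.at:>5.1f}s after tries at {r.tries}")
```

The Reverse Receive Rule is the useful trick for the last scenario: a server that returns 200 with a maintenance page passes a plain status-line check, so matching the page text and inverting the result is what takes it out of rotation.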
Assigning Monitors to Nodes
For one Node
Assigning Monitors to Pools
For one Member
Inherit from Pool
Application Dependence
• Multi-tier application
• Co-related application
[Figure: 172.16.20.1 Node OK from the checks on 172.16.20.1:80, 172.16.20.1:443 and 172.16.20.1:ICMP; SERVER POOL OK for the Virtual Service's pool 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80, shown with the POOL members of the co-related tier 172.16.20.97:9000, 172.16.20.98:9000, 172.16.20.99:9000]
Profile
Profile Concepts
A Profile is:
• Single place to define traffic behavior
– SSL, compression, persistence…
• Apply behavior to multiple VS’s
• User defined, built from template
• Dependent on other profiles
Profile Dependencies
Some can’t be combined in a VS
Some are dependent on others
Think in terms of the OSI Model
[Figure: profile stack on the OSI model: Cookie, HTTP and FTP above TCP and UDP, which sit above Network, Data Link and Physical]
Profile Types
• Protocol – connection oriented
• Service – data type oriented
• Persistence – session oriented
• SSL – encryption oriented
• Authentication – security oriented
Profile Configuration Concepts
• Created from Default Profiles
• Defaults can be modified, not deleted
• Custom and Parent relationship
• Saved in /config/profile_base.conf
Configuring Profiles
Specify Properties
Then Map to Virtual Server
Persistence
[Figure: a client's requests 1, 2 and 3 all directed to the same server]
Source Address Persistence
• Based on Client Source IP Address
• Netmask -> Address Range
[Figure: with a Netmask of 255.255.255.0, clients 205.229.151.10 and 205.229.151.107 fall in the same range and persist to the same server; client 205.229.152.11 is in a different range]
Configuring Source Address Persist
1. Configure Profile
2. Point Virtual Server to Profile
persist across_services
Configuration:
Virtual Server 150.150.1.1:80 – PoolA
PoolA: 10.1.1.1:80 & 10.1.1.2:80
Virtual Server 150.150.1.1:443 – PoolB
PoolB: 10.1.1.1:443 & 10.1.1.2:443
Clients connecting to either Virtual Server establish a single persistence record with the selected node address
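Both the netmask slide and the across_services slide come down to what goes into the persistence record's key. The following added example (not F5 code) keys records on the client address masked with the profile netmask and, with across_services, leaves the virtual server out of the key so the :443 virtual server lands on the same node address as :80. Addresses, pools and the netmask are from the slides; the record timeout, the injectable clock and the round-robin chooser are assumptions.

```python
"""Source address persistence with a netmask and persist across services
(added example, not F5 code)."""
import ipaddress
from dataclasses import dataclass
from itertools import cycle


@dataclass
class VirtualServer:
    name: str
    pool: list                 # [(node_ip, port), ...]

    def __post_init__(self):
        self._chooser = cycle(self.pool)   # assumed round robin

    def load_balance(self):
        return next(self._chooser)


class SourceAddressPersistence:
    def __init__(self, netmask="255.255.255.255", timeout=180,
                 across_services=False, clock=None):
        self.netmask = netmask
        self.timeout = timeout               # seconds a record lives without a hit (assumed)
        self.across_services = across_services
        self.clock = clock or (lambda: 0.0)  # injectable for testing expiry
        self.records = {}                    # key -> [node_ip, expires_at]

    def key(self, client_ip, vs):
        """Mask the client address so a whole range shares one record; with
        across_services the virtual server is left out of the key."""
        masked = ipaddress.IPv4Interface(f"{client_ip}/{self.netmask}").network.network_address
        return (str(masked),) if self.across_services else (str(masked), vs.name)

    def select(self, client_ip, vs):
        now = self.clock()
        k = self.key(client_ip, vs)
        rec = self.records.get(k)
        if rec is not None and rec[1] > now:
            # Re-use the remembered node when this VS's pool has a member on it
            member = next((m for m in vs.pool if m[0] == rec[0]), None)
            if member is not None:
                rec[1] = now + self.timeout   # refresh on every hit
                return member
        member = vs.load_balance()            # no usable record: balance and remember
        self.records[k] = [member[0], now + self.timeout]
        return member


def demo_across_services(across):
    """Client 205.229.151.10 persists to 10.1.1.1 on the :80 virtual server,
    then hits :443 after another client has taken PoolB's first member."""
    persist = SourceAddressPersistence(across_services=across)
    web = VirtualServer("150.150.1.1:80", [("10.1.1.1", 80), ("10.1.1.2", 80)])
    ssl = VirtualServer("150.150.1.1:443", [("10.1.1.1", 443), ("10.1.1.2", 443)])
    persist.select("205.229.151.10", web)
    persist.select("205.229.151.107", ssl)
    return persist.select("205.229.151.10", ssl)


if __name__ == "__main__":
    print("across_services on: ", demo_across_services(True))
    print("across_services off:", demo_across_services(False))
```

With across_services on, the :443 connection follows the node address chosen for :80 (10.1.1.1:443); with it off, the :443 virtual server balances independently and the client lands on 10.1.1.2:443.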
Cookie Persistence
• Insert mode
– BIG-IP inserts a cookie into the stream
• Rewrite mode
– Web server creates cookie and BIG-IP Controller changes it
• Passive mode
– Web server creates cookie and BIG-IP Controller reads it
• Hash mode
– Maps a cookie value to a specific node
– Web server must generate a cookie
How Cookies Work
[Figure: browser sends GET /; the server reply sets a cookie with Domain Name, URI Path and Expire time; the browser then sends GET /xxxx with Cookie: xxx=xxx]
Cookie Insert Mode
[Figure: on the first GET / the BIG-IP picks a server and inserts a cookie (Domain Name, URI Path, Expire time); on GET /xxxx the cookie (Cookie: xxx=xxx) specifies the server]
First Hit
– Client ↔ BIG-IP: TCP handshake
– Client → BIG-IP: HTTP request (no special cookie)
– BIG-IP picks server
– BIG-IP ↔ Server: TCP handshake
– BIG-IP → Server: HTTP request (no special cookie)
– Server → BIG-IP: HTTP reply (no special cookie)
– BIG-IP → Client: HTTP reply (with inserted cookie)
Second Hit
– Client ↔ BIG-IP: TCP handshake
– Client → BIG-IP: HTTP request (with same cookie)
– Cookie specifies server
– BIG-IP ↔ Server: TCP handshake
– BIG-IP → Server: HTTP request (with same cookie)
– Server → BIG-IP: HTTP reply (no special cookie)
– BIG-IP → Client: HTTP reply (updated cookie)
Session Cookie
• Cookie saved in memory
• Closing the browser clears the cookie
• The next request without the cookie is load balanced again
Cookie Hash Mode
First Hit
– Client ↔ BIG-IP: TCP handshake
– Client → BIG-IP: HTTP request (no special cookie)
– BIG-IP picks server
– BIG-IP ↔ Server: TCP handshake
– BIG-IP → Server: HTTP request (no special cookie)
– Server → BIG-IP: HTTP reply (with cookie)
– BIG-IP → Client: HTTP reply (with cookie)
Second Hit
– Client ↔ BIG-IP: TCP handshake
– Client → BIG-IP: HTTP request (with same cookie)
– Cookie hash specifies server
– BIG-IP ↔ Server: TCP handshake
– BIG-IP → Server: HTTP request (with same cookie)
– Server → BIG-IP: HTTP reply (with cookie)
– BIG-IP → Client: HTTP reply (with cookie)
Third Hit
– Client ↔ BIG-IP: TCP handshake
– Client → BIG-IP: HTTP request (with same cookie)
– Cookie hash specifies server
– BIG-IP ↔ Server: TCP handshake
– BIG-IP → Server: HTTP request (with same cookie)
– Server → BIG-IP: HTTP reply (with cookie)
– BIG-IP → Client: HTTP reply (with cookie)
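The Insert mode and Hash mode sequences above differ in who issues the cookie and whether the device keeps any state. The following added example (not F5 code) runs both over a toy HTTP layer where requests are dicts of headers. The pool is from the slides; the cookie name, the opaque-token scheme and the hash function are assumptions for the example and not the product's cookie format. Using an opaque token that is resolved through a device-side table, rather than encoding the member address in the cookie, keeps internal addressing out of what the client sees, and a tampered or unknown token is simply load balanced again rather than trusted.

```python
"""Cookie persistence in Insert mode and Hash mode over a toy HTTP layer
(added example, not F5 code)."""
import hashlib
import secrets
from http.cookies import SimpleCookie
from itertools import cycle

POOL = ["172.16.20.1:80", "172.16.20.2:4002", "172.16.20.3:80"]   # from the deck


def cookie_value(request, name):
    """Return the named cookie from a request's Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(request.get("Cookie", ""))
    return jar[name].value if name in jar else None


class CookieInsert:
    """Insert mode: the device picks the server on the first hit and adds its
    own cookie to the reply; later hits carrying that cookie go to the same
    server. The value is a random token resolved through a device-side table,
    so the cookie neither encodes a back-end address nor lets a forged value
    steer traffic: an unknown token is just load balanced like a first hit."""
    COOKIE = "PersistExample"          # assumed cookie name

    def __init__(self, pool):
        self._chooser = cycle(pool)     # assumed round robin
        self._tokens = {}               # token -> member

    def route(self, request):
        """Return (member, set_cookie). set_cookie is the Set-Cookie value to
        add to the reply on a first hit, or None when the cookie was valid."""
        member = self._tokens.get(cookie_value(request, self.COOKIE))
        if member is not None:
            return member, None
        member = next(self._chooser)
        token = secrets.token_urlsafe(16)
        self._tokens[token] = member
        # No Expires attribute: a session cookie, cleared when the browser closes
        return member, f"{self.COOKIE}={token}; Path=/; HttpOnly; Secure"


class CookieHash:
    """Hash mode: the web server issues the cookie; the device hashes its
    value onto the pool, so no table is needed and every device computes the
    same answer. Requests without the cookie are load balanced."""

    def __init__(self, pool, cookie_name="JSESSIONID"):
        self.pool = list(pool)
        self.cookie_name = cookie_name      # assumed server-set cookie name
        self._chooser = cycle(pool)

    def route(self, request):
        value = cookie_value(request, self.cookie_name)
        if value is None:
            return next(self._chooser)
        digest = hashlib.sha256(value.encode()).digest()   # assumed hash function
        return self.pool[int.from_bytes(digest[:8], "big") % len(self.pool)]


def insert_mode_demo():
    """First hit, second hit with the issued cookie, then a hit with a forged value."""
    lb = CookieInsert(POOL)
    first, set_cookie = lb.route({"Cookie": ""})
    token = set_cookie.split(";")[0]                    # "PersistExample=<token>"
    second, again = lb.route({"Cookie": token})
    forged, reissued = lb.route({"Cookie": f"{CookieInsert.COOKIE}=not-a-real-token"})
    return first, set_cookie is not None, second, again, forged, reissued is not None


if __name__ == "__main__":
    print("insert mode:", insert_mode_demo())
    h = CookieHash(POOL)
    print("hash mode:  ", h.route({"Cookie": "JSESSIONID=abc123"}))
```

Hash mode's trade-off is visible in the modulo: the mapping only holds while the pool size is unchanged, so adding or removing a member re-maps existing sessions, whereas Insert mode keeps its mapping in the table at the cost of that state.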
Configuring Cookie Persistence
• Cookie Persist requires an http profile
• Then set the Cookie Persist profile
SSL Acceleration
[Figure: encrypted traffic on the client side, decrypted on the server side]
SSL Concepts
• Encrypted at each end
• Certificates & Keys
• SSL Accelerator Cards
– Processing work of encryption / decryption done by card
– Takes load off Server
[Figure: network packet encrypted]
SSL Termination
[Figure: encrypted on the client side of the BIG-IP, decrypted on the server side]
Advantages
• SSL key exchange done by hardware
• SSL bulk encryption done by hardware
• Centralize certificate management
• Offload SSL traffic from Web Servers
• Allows rule processing & cookie persistence
V9
Traffic Flow through BIG-IP
1. Client sends Encrypted packet
2. BIG-IP takes packet off Network and Decrypts
3. VS load balances to Nodes
4. Response packet is Re-encrypted before external Network
Server SSL
[Figure: encrypted from client to BIG-IP, decrypted inside BIG-IP, encrypted again from BIG-IP to server]
Generate Certificate
Create SSL Profile
Point VS to Profile