Bigipv9tech Intro v10

© F5 Networks BIG-IP LTM Local Traffic Management Introduction Billy Chuang, Presales Manager Ken Wong, Presales Consultant

Transcript of Bigipv9tech Intro v10

Page 1: Bigipv9tech Intro v10

BIG-IP LTM: Local Traffic Management Introduction

Billy Chuang, Presales Manager
Ken Wong, Presales Consultant

Page 2: Bigipv9tech Intro v10

© F5 Networks

Agenda

• Introduction
• TCP overview
• Start Up
• Basic Concept
• Monitoring
• Profile
• Session Persistence
• SSL Acceleration
• HTTP Compression


Page 3: Bigipv9tech Intro v10


[Figure: the Application Delivery Network, from users (at home, in the office, on the road) to the data center applications (SAP, Microsoft, Oracle).]

The Leader in Application Delivery Networking

F5 ensures applications running over the network are always secure, fast and available.

Page 4: Bigipv9tech Intro v10


F5’s ADN – Freeing IT, Optimizing Business

[Figure: clients (PC - Home, PC - LAN, WLAN, Cell, Remote - WAN) reaching Applications & Storage in an International Data Center through the F5 product family, all built on TMOS and managed through Enterprise Manager / ControlPoint and the iControl API:]

• BIG-IP Global Traffic Manager
• BIG-IP Local Traffic Manager
• BIG-IP Application Security Manager
• BIG-IP WebAccelerator
• BIG-IP Link Controller
• FirePass SSL VPN
• iSession
• ARX File/Data Virtualization

Business Goal: Achieve these objectives in the most operationally efficient manner

Page 5: Bigipv9tech Intro v10


Consolidation by Virtualization

[Figure: clients (PC - Home, PC - LAN, WLAN, Cell, Remote - WAN) in front of farms of Web Servers, App. Servers and Windows file storage on EMC and NetApp arrays; each layer is consolidated by an F5 product:]

• Data Center & Link Virtualization – GTM & LC
• Web Server Virtualization – LTM
• Application Server Virtualization – LTM
• File Storage Virtualization – ARX

Page 6: Bigipv9tech Intro v10


F5 Product Family

• Traffic Management
  – Optimize application traffic within the data centre
  – Manage traffic across data centres
  – High availability for applications and shared services between data centres across the WAN
• Acceleration
  – Accelerates HTTP traffic by 200% to 500%
  – LAN-like performance over the WAN
  – Improve performance without adding expensive bandwidth
• Security
  – Application firewall
  – Clientless secure remote access to the internal corporate network and resources
• Data Solutions
  – Intelligent file virtualization
  – Decouples access from physical file location

F5 ARX Series

BIG-IP Local Traffic Manager

BIG-IP Global Traffic Manager

BIG-IP Link Controller

BIG-IP Application Security Manager

BIG-IP WebAccelerator

FirePass

Page 7: Bigipv9tech Intro v10


BIG-IP Hardware Line-up (ordered by price and by function / performance)

BIG-IP 1600
• Dual core CPU
• 4 x 10/100/1000 + 2 x 1 GB SFP
• 1 x 160 GB HD
• 4 GB memory
• SSL @ 5K TPS / 1 Gb bulk
• 1 Gbps max software compression
• 1 Gbps traffic
• 1 Basic Product Module

BIG-IP 3600
• Dual core CPU
• 8 x 10/100/1000 + 2 x 1 GB SFP
• 1 x 160 GB HD + 8 GB CF
• 4 GB memory
• SSL @ 10K TPS / 2 Gb bulk
• 1 Gbps max software compression
• 2 Gbps traffic
• 1 Advanced Product Module

BIG-IP 6900
• 2 x Dual core CPU
• 16 x 10/100/1000 + 8 x 1 GB SFP
• 2 x 320 GB HD (S/W RAID) + 8 GB CF
• 8 GB memory
• SSL @ 25K TPS / 4 Gb bulk
• 5 Gbps max hardware compression
• 6 Gbps traffic
• Multiple Product Modules

BIG-IP 8900
• 2 x Quad core CPU
• 16 x 10/100/1000 + 8 x 1 GB SFP
• 2 x 320 GB HD (S/W RAID) + 8 GB CF
• 16 GB memory
• SSL @ 58K TPS / 9.6 Gb bulk
• 6 Gbps max hardware compression
• 12 Gbps traffic
• Multiple Product Modules

Page 8: Bigipv9tech Intro v10


On-Demand & Dynamic Application Security

Leading Value
• World’s first on-demand scaling Web Application Firewall
• Advanced security
• Integrated security performance
• Application insight/visibility

BIG-IP Local Traffic Manager + BIG-IP Application Security Manager: better security, 2x+ performance

Page 9: Bigipv9tech Intro v10


Ultimate Reliability

[Figure: client-to-server path through a redundant chassis.]

Multi-Level Redundancy
• Blade failure will not cause chassis failure
• Redundant and hot swappable components

Always Available

Page 10: Bigipv9tech Intro v10


On Demand – Zero Reconfiguration

[Figure: physical servers and virtual machines added behind the BIG-IP without reconfiguring it.]

• Automatic addition of power
• No need to overprovision
• Fixed and predictable opex

Page 11: Bigipv9tech Intro v10


Industry Leading Performance

                          Single Blade     4 Blade System
L7 Fast HTTP Inf/Inf      800,000 Rps      3,200,000 Rps
L7 Full Proxy Inf/Inf     300,000 Rps      1,200,000 Rps
SSL TPS                   50,000           200,000
SSL Gbps                  9 Gbps           36 Gbps
L4 Conn/s (1-1)           250,000 cps      1,000,000 cps
Compression               4.5 Gbps         16 Gbps
L4 Throughput             10 Gbps          36 Gbps
L7 Throughput             10 Gbps          36 Gbps

Page 12: Bigipv9tech Intro v10


TCP Overview

Page 13: Bigipv9tech Intro v10


TCP Segment Structure

Page 14: Bigipv9tech Intro v10


Connection Setup 3-way-handshake

Page 15: Bigipv9tech Intro v10


Tear Down A Connection

Page 16: Bigipv9tech Intro v10


Some Useful Tools

• PuTTY, FileZilla
• Wireshark / tcpdump
• HttpWatch, IE

Page 17: Bigipv9tech Intro v10


Quick start

• Power On
• License
• Basic preparation

Page 18: Bigipv9tech Intro v10


First Power ON

Initial IP Address is 192.168.1.245 / 24

Page 19: Bigipv9tech Intro v10


Setup / Configuration Access

Two methods
1. Web Interface
   • https (remote)
2. Command Line
   • ssh (remote)
   • Serial Terminal

Page 20: Bigipv9tech Intro v10


License Process – Automated

[Figure: PC → BIG-IP → Internet → F5 License Server (activate.F5.com)]

Run the Setup utility, then license the box:
• Enter Registration Key
• Get License from F5
• Select parameters

Page 21: Bigipv9tech Intro v10


License Process – Manual

[Figure: the PC is moved between the BIG-IP and the Internet; F5 License Server activate.F5.com]

Run the Setup utility, then manually license the box:
• Copy Product Dossier to PC
• Move PC to Internet
• Open https://activate.F5.com
• Paste Product Dossier to F5
• Download License to PC
• Move PC back
• Upload & Install License file

Page 22: Bigipv9tech Intro v10


Setup Utility

https://<management IP address>

Page 23: Bigipv9tech Intro v10


Setup Utility – Network

Page 24: Bigipv9tech Intro v10


BIG-IP Admin Users

Page 25: Bigipv9tech Intro v10


User Authentication Process

Page 26: Bigipv9tech Intro v10


Configuration Worksheet

Page 27: Bigipv9tech Intro v10


Basic Network Configuration

• VLAN
• Trunk Port
• Spanning Tree
• Self-IP

Page 28: Bigipv9tech Intro v10


Virtual LAN (VLAN)

• A VLAN is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space.
• Reduces the size of broadcast domains.
• Functionally-related hosts no longer need to physically reside together to achieve optimal network performance.
• Enhances security on your network by segmenting hosts that must transmit sensitive data.

Think of the BIG-IP system as a multilayer switch rather than a standard IP router.

Page 29: Bigipv9tech Intro v10


Spanning Tree

• Supported standards
  – STP (IEEE 802.1D-1998)
  – RSTP (IEEE 802.1w, 802.1t, 802.1D-2004)
  – MSTP (IEEE 802.1s)

On networks that contain redundant paths between layer 2 devices, a common problem is bridging loops. Bridging loops occur because layer 2 devices do not create boundaries for broadcasts or packet floods. Consequently, layer 2 devices can use redundant paths to forward the same frames to each other continuously, eventually causing the network to fail.

Spanning tree protocols block redundant paths on a network, thus preventing bridging loops.

Page 30: Bigipv9tech Intro v10


Trunk Port

A trunk is a logical grouping of interfaces that functions as a single interface. The BIG-IP system uses a trunk to distribute traffic across multiple links, in a process known as link aggregation.

• Aggregates up to 8 links
• IEEE standard 802.3ad, LACP

Page 31: Bigipv9tech Intro v10


Self-IP

Major purposes
• Default gateway for the servers in the VLAN (so that their return traffic passes back through the BIG-IP)
• IP interface from which the BIG-IP sends traffic to hosts on the local subnet (health monitors, for example)
• Administrative access: a self IP can accept HTTPS and SSH, subject to its Port Lockdown setting; keep that setting restrictive on self IPs that face untrusted networks

A self IP address is an IP address that you associate with a VLAN, to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space, that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address. You can associate self IP addresses not only with VLANs, but also with VLAN groups.

Two types
• Static: an IP address owned by the unit itself.
• Floating: an IP address shared by a redundant pair and active only on the active unit.

Page 32: Bigipv9tech Intro v10


Basic Concept

• Virtual Server & Node Concepts
• Configuring Virtual Servers & Pools
  – Virtual Server & Pool Lab
• Load Balancing Modes
• Configuring Load Balancing

Page 33: Bigipv9tech Intro v10


Pool - Grouping of Nodes

[Figure: Internet clients → Router → BIG-IP Controller → a pool of servers.]

Page 34: Bigipv9tech Intro v10


Pool Members and Nodes

[Figure: pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080 behind the BIG-IP.]

Pool Members
• A pool member is an IP address : port combination
• A node is the pool member's IP address only

Page 35: Bigipv9tech Intro v10


Virtual Server

[Figure: virtual server 216.34.94.17:80 in front of pool members 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080.]

Virtual Server
• Basic mechanism to manage traffic
• IP Address + Service (Port) combination
• One Virtual Server points to one or more Nodes

Page 36: Bigipv9tech Intro v10


Virtual Server - Address Translation

BIG-IP performs network address translation between the Virtual Server address and the real server addresses, so that all machines are viewed as one.

Virtual Server Address (Internet side): 216.34.94.17:80
Real Server Addresses (pool side):     172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80, 172.16.20.4:8080

Page 37: Bigipv9tech Intro v10


Network Flow - Packet #1

The client resolves www.f5.com through the DNS server to the BIG-IP Virtual Server address 216.34.94.17:80.

[Figure: Internet → virtual server 216.34.94.17:80 → pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80, 172.16.20.4:8080.]

Page 38: Bigipv9tech Intro v10


Network Flow - Packet #1

BIG-IP translates Dest Address to Node based on Load Balancing

Client 207.17.117.20 → Virtual Server 216.34.94.17:80
  Packet #1 as sent by the client:      Src 207.17.117.20:4003   Dest 216.34.94.17:80
  Packet #1 as forwarded to the node:   Src 207.17.117.20:4003   Dest 172.16.20.1:80

[Figure: pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80, 172.16.20.4:8080.]

Page 39: Bigipv9tech Intro v10


Network Flow – Packet #1 Return

BIG-IP translates Src Address back to Virtual Server Address

  Packet #1 return as sent by the node:     Src 172.16.20.1:80    Dest 207.17.117.20:4003
  Packet #1 return as seen by the client:   Src 216.34.94.17:80   Dest 207.17.117.20:4003

[Figure: pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80, 172.16.20.4:8080.]

Page 40: Bigipv9tech Intro v10


Network Flow - Packet #2

Client 207.17.117.21 → Virtual Server 216.34.94.17:80
  Packet #2 as sent by the client:      Src 207.17.117.21:4003   Dest 216.34.94.17:80
  Packet #2 as forwarded to the node:   Src 207.17.117.21:4003   Dest 172.16.20.2:4002

[Figure: pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80, 172.16.20.4:8080.]

Page 41: Bigipv9tech Intro v10


Network Flow – Packet #2 Return

  Packet #2 return as sent by the node:     Src 172.16.20.2:4002   Dest 207.17.117.21:4003
  Packet #2 return as seen by the client:   Src 216.34.94.17:80    Dest 207.17.117.21:4003

[Figure: pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80, 172.16.20.4:8080.]

Page 42: Bigipv9tech Intro v10


Network Flow - Packet #3

Client 207.17.117.25 → Virtual Server 216.34.94.17:80
  Packet #3 as sent by the client:      Src 207.17.117.25:4003   Dest 216.34.94.17:80
  Packet #3 as forwarded to the node:   Src 207.17.117.25:4003   Dest 172.16.20.4:8080

[Figure: pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80, 172.16.20.4:8080.]

Page 43: Bigipv9tech Intro v10


Network Flow – Packet #3 Return

  Packet #3 return as sent by the node:     Src 172.16.20.4:8080   Dest 207.17.117.25:4003
  Packet #3 return as seen by the client:   Src 216.34.94.17:80    Dest 207.17.117.25:4003

[Figure: pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80, 172.16.20.4:8080.]
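The address translation on the packet-flow slides, worked through as a small model. This is an added example, not F5 code or part of the deck: the virtual server, pool members and client addresses are the ones on the slides, while the `VirtualServer` class, its connection table and its plain round-robin choice are a simplified stand-in for what TMM does (the deck's packet #3 lands on 172.16.20.4:8080 because of whatever load-balancing decision it assumed; round robin here sends the third client to the third member).

```python
"""Destination/source address translation performed by a BIG-IP virtual
server, modelled for the packet flow on the slides above.

Added example, not F5 code: addresses come from the slides; the
VirtualServer class, its connection table and its round-robin choice are a
simplified stand-in for what TMM does."""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str  # "ip:port"
    dst: str  # "ip:port"


class VirtualServer:
    def __init__(self, vip: str, members: List[str]):
        self.vip = vip
        self._next = cycle(members)          # simplified round robin
        self.conns: Dict[str, str] = {}      # client src -> chosen pool member

    def inbound(self, pkt: Packet) -> Packet:
        """Client -> VIP. Pick a member once per client connection and
        rewrite only the destination; the client source is left intact
        (no SNAT), so the server must route its reply back via the BIG-IP."""
        if pkt.dst != self.vip:
            raise ValueError(f"{pkt.dst} is not this virtual server")
        member = self.conns.setdefault(pkt.src, next(self._next))
        return Packet(src=pkt.src, dst=member)

    def outbound(self, pkt: Packet) -> Packet:
        """Member -> client. The reply must match an existing connection;
        its source is rewritten back to the VIP so the client never sees
        the real server address."""
        if self.conns.get(pkt.dst) != pkt.src:
            raise ValueError("no connection table entry for this reply; drop")
        return Packet(src=self.vip, dst=pkt.dst)


VIP = "216.34.94.17:80"
MEMBERS = ["172.16.20.1:80", "172.16.20.2:4002", "172.16.20.3:80", "172.16.20.4:8080"]


def walk_slides() -> List[Tuple[Packet, Packet]]:
    """Replay packets #1..#3 and their returns; returns (forwarded, returned) pairs."""
    vs = VirtualServer(VIP, MEMBERS)
    out = []
    for client in ("207.17.117.20:4003", "207.17.117.21:4003", "207.17.117.25:4003"):
        fwd = vs.inbound(Packet(src=client, dst=VIP))
        ret = vs.outbound(Packet(src=fwd.dst, dst=client))
        out.append((fwd, ret))
    return out


if __name__ == "__main__":
    for fwd, ret in walk_slides():
        print(f"{fwd.src} -> {VIP}  forwarded to {fwd.dst}; reply seen as from {ret.src}")
```

The point to carry away is the second method: because only the destination was rewritten on the way in, the reply is only translated if it arrives back at the BIG-IP and matches a connection entry. Servers whose default gateway is not the BIG-IP self IP will answer the client directly from their real address and the connection breaks, which is the usual reason SNAT is added in practice.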

Page 44: Bigipv9tech Intro v10


Basic Setup STEP

Virtual Server → Pool → Members (IP : port) → Nodes (IP address)

Page 45: Bigipv9tech Intro v10


Configuring Pools

Page 46: Bigipv9tech Intro v10


Configuring Virtual Servers


Page 47: Bigipv9tech Intro v10


Statistics
• Summary
• Virtual Servers
• Pools
• Nodes

Page 48: Bigipv9tech Intro v10


Load Balancing

Page 49: Bigipv9tech Intro v10


Round Robin

[Figure: Internet clients → Router → BIG-IP Controller → four servers; requests 1, 2, 3, 4 and then 5, 6, 7, 8 are handed out one per server in turn.]

Client requests are distributed evenly.

Page 50: Bigipv9tech Intro v10


Ratio

[Figure: Internet clients → Router → BIG-IP Controller → four servers; requests 1 to 14 are distributed in the ratio 3:2:1:1.]

The administrator sets the ratio for distributing client requests, here 3:2:1:1: out of every seven requests, three go to the first server, two to the second and one to each of the other two.

Page 51: Bigipv9tech Intro v10


Fastest

[Figure: Internet clients → Router → BIG-IP Controller → four servers with current response times 10ms, 10ms, 10ms, 17ms.]

The next requests go to the nodes with the fastest response time.

Page 52: Bigipv9tech Intro v10


Fastest

[Figure: the same four servers some time later, with current response times 10ms, 10ms, 7ms, 7ms; requests 101 to 104 now go to the two 7ms nodes.]

Some time later, response times change and the selection follows them.

Page 53: Bigipv9tech Intro v10


Least Connections

[Figure: Internet clients → Router → BIG-IP Controller → four servers with current connections 459, 460, 461, 470; requests 1 to 6 are shown going to the least loaded nodes.]

The next requests go to the node with the fewest open connections.

Page 54: Bigipv9tech Intro v10


Least Connections

[Figure: the same four servers some time later, with current connections 280, 290, 111, 112; requests 61, 62, 63 go to the two least loaded nodes.]

Some time later, the number of connections changes and the selection follows it.

Page 55: Bigipv9tech Intro v10


Priority Group Activation

[Figure: Internet clients → Router → BIG-IP Controller → six servers split between a Priority 1 group and a Priority 2 group.]

If you set Priority Group Activation to 2, and 3 of the highest-priority nodes are available, then the lower-priority nodes are not used.

Page 56: Bigipv9tech Intro v10


Priority Group Activation

[Figure: the same six servers after failures in the highest-priority group; requests now reach both groups.]

If the number of available highest-priority nodes falls below the Priority Group Activation value (2), then the next highest-priority nodes are used as well.

Page 57: Bigipv9tech Intro v10


Ratio & Priority Group Activation

Page 58: Bigipv9tech Intro v10


Pool Member vs. Node

Load Balancing by:
• Pool Member – IP Address & service
• Node – total services for one IP Address

Page 59: Bigipv9tech Intro v10


If using Member

If the http pool uses the Least Connections (member) load balancing method, then the next http requests go to the Pool Member with the fewest http connections.

Current Connections      Server 1   Server 2   Server 3
  http                     107        108         99
  ftp                        2          3         25

[Figure: the next http requests (1, 2) go to Server 3, which has 99 http connections.]

Page 60: Bigipv9tech Intro v10


If using Node

If the http pool uses the Least Connections (node) load balancing method, then the next http requests go to the IP Address with the fewest total connections.

Current Connections      Server 1   Server 2   Server 3
  http                     107        108         99
  ftp                        2          3         25
  total                    109        111        124

[Figure: the next http requests (1, 2) go to Server 1, which has 109 connections in total.]
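The load-balancing methods from the preceding slides (Round Robin, Ratio, Fastest, Least Connections by member and by node, and Priority Group Activation) in one small simulator, so the member-versus-node difference and the activation threshold can be checked against the figures. This is an added example, not F5 code: the `Member`/`Pool` classes and their counters are a constructed model, the ratio scheduling is a generic smooth weighted round robin rather than a claim about TMM's exact sequence, and the connection counts are the ones on the slides.

```python
"""Load-balancing methods from the slides (Round Robin, Ratio, Fastest,
Least Connections by member and by node, Priority Group Activation).

Added example, not F5 code: a simplified model with constructed counters
taken from the figures; real TMM state is per-TMM and far richer."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Member:
    ip: str
    port: int
    ratio: int = 1
    priority: int = 0      # higher number = higher priority group
    conns: int = 0         # open connections on this ip:port (member view)
    resp_ms: float = 0.0   # measured response time (Fastest)
    up: bool = True

    @property
    def key(self) -> str:
        return f"{self.ip}:{self.port}"


@dataclass
class Pool:
    members: List[Member]
    method: str = "round_robin"
    activation: int = 0                    # Priority Group Activation; 0 = off
    node_conns: Dict[str, int] = field(default_factory=dict)  # ip -> conns across all services
    _rr: int = 0
    _credit: Dict[str, int] = field(default_factory=dict)

    def eligible(self) -> List[Member]:
        """Members that may receive traffic once priority groups are applied:
        highest group first, pulling in the next group only while fewer than
        `activation` members are available."""
        up = [m for m in self.members if m.up]
        if not self.activation:
            return up
        chosen: List[Member] = []
        for prio in sorted({m.priority for m in up}, reverse=True):
            chosen += [m for m in up if m.priority == prio]
            if len(chosen) >= self.activation:
                break
        return chosen

    def pick(self) -> Member:
        cands = self.eligible()
        if not cands:
            raise RuntimeError("no available pool members")
        if self.method == "round_robin":
            m = cands[self._rr % len(cands)]
            self._rr += 1
            return m
        if self.method == "ratio":
            # Smooth weighted round robin: each member gains its ratio in
            # credit per turn, the richest is served and pays the total back,
            # so a 3:2:1:1 pool hands out exactly 3,2,1,1 per seven picks.
            total = sum(m.ratio for m in cands)
            for m in cands:
                self._credit[m.key] = self._credit.get(m.key, 0) + m.ratio
            m = max(cands, key=lambda x: self._credit[x.key])
            self._credit[m.key] -= total
            return m
        if self.method == "fastest":
            return min(cands, key=lambda x: x.resp_ms)
        if self.method == "least_conn_member":
            return min(cands, key=lambda x: x.conns)
        if self.method == "least_conn_node":
            return min(cands, key=lambda x: self.node_conns.get(x.ip, 0))
        raise ValueError(f"unknown method {self.method!r}")


def member_vs_node_example() -> Tuple[str, str]:
    """The two slides above: http 107/108/99 and ftp 2/3/25 on three servers.
    Returns (ip chosen by member count, ip chosen by node total)."""
    http = [Member("172.16.20.1", 80, conns=107), Member("172.16.20.2", 80, conns=108),
            Member("172.16.20.3", 80, conns=99)]
    ftp = {"172.16.20.1": 2, "172.16.20.2": 3, "172.16.20.3": 25}
    totals = {m.ip: m.conns + ftp[m.ip] for m in http}
    by_member = Pool(http, "least_conn_member").pick()
    by_node = Pool(http, "least_conn_node", node_conns=totals).pick()
    return by_member.ip, by_node.ip


if __name__ == "__main__":
    print(member_vs_node_example())   # ('172.16.20.3', '172.16.20.1')
```

Worth noticing in `eligible()`: a priority group that is still above the activation threshold is hidden from the load-balancing method entirely, so a failing member in the lower group has no effect until the upper group thins out, and the health monitors on the lower group are the only thing telling you it is ready when that happens.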

Page 61: Bigipv9tech Intro v10


Configuring Load Balancing

Page 62: Bigipv9tech Intro v10


Health Monitor

• Monitor Concepts
• Configuring Monitors
• Assigning Monitors
• Monitor Dependence

Page 63: Bigipv9tech Intro v10


Monitor Concepts

• Address Check – Node – IP Address
• Service Check – Pool and/or Members – IP : port
• Content Check – IP : port, plus a check on the data returned
• Interactive Check

Page 64: Bigipv9tech Intro v10


Address Check

Steps
– Packets sent to the IP Addresses
– If no response, then no traffic is sent to the associated Nodes
– Example – ICMP

[Figure: BIG-IP sends an ICMP echo request to 172.16.20.1, 172.16.20.2 and 172.16.20.3 and expects an ICMP echo reply from each.]

Page 65: Bigipv9tech Intro v10


Service Check

Steps
– Opens a TCP connection (IP Address : service)
– Connection closed
– If the TCP connection fails, then no traffic is sent to the associated Nodes
– Example – TCP

[Figure: BIG-IP opens a TCP connection to 172.16.20.1:80, 172.16.20.2:80 and 172.16.20.3:80.]

Page 66: Bigipv9tech Intro v10


Content Check

Steps
– Opens a TCP connection (IP Address : service)
– Sends a request
– Response returns data
– Connection closed
– If the Receive Rule is not found in the data, then no traffic is sent to the associated Nodes
– Example – http

[Figure: BIG-IP sends "http GET /" to 172.16.20.1:80, 172.16.20.2:80 and 172.16.20.3:80 and inspects the reply.]

Page 67: Bigipv9tech Intro v10


Content check – network packets

  BIG-IP → Server:  TCP SYN
  Server → BIG-IP:  TCP SYN/ACK
  BIG-IP → Server:  TCP ACK
  BIG-IP → Server:  TCP PSH  "HTTP GET /"
  Server → BIG-IP:  TCP ACK
  Server → BIG-IP:  TCP PSH  "HTTP 200 … don’t hack"   (the receive string)
  BIG-IP → Server:  TCP ACK
  BIG-IP → Server:  TCP FIN   (connection closed)

Page 68: Bigipv9tech Intro v10


Interactive Check

Steps
– Opens a TCP connection (IP Address : service)
– Interactive conversation to simulate real-world use
– Connection closed
– If the expected results do not occur, then no traffic is sent to the associated Nodes
– Example – FTP, SQL request conversation

[Figure: BIG-IP holds a conversation with 172.16.20.1:21, 172.16.20.2:21 and 172.16.20.3:21.]

Page 69: Bigipv9tech Intro v10


Configuring Monitors

• Create or select Monitor
  – System supplied templates
  – User defined from template
• Assign Monitor
  – Single Node – IP Address
  – All Nodes
  – Pool – IP : port
  – Pool Member – IP : port
  – Define to check a different IP : port (alias address and port)

Page 70: Bigipv9tech Intro v10


Creating Monitors

Page 71: Bigipv9tech Intro v10


Additional Monitor Parameters

• Receive Rule – if the content is found, the Node is marked Up
• Reverse Receive Rule – if the content is found, the Node is marked Down
• Transparent – if the path through the Node is available, the Node is marked Up; used for monitoring links

Page 72: Bigipv9tech Intro v10


Monitor Timers

• Frequency (Interval): how often a probe is sent
• Timeout: how long the BIG-IP waits for a successful response before marking the member Down
• Recommended – Timeout = 3n + 1, where n is the Interval

Example with Interval 5s and Timeout 16s:
  Try 1 at 0s, Try 2 at 5s, Try 3 at 10s, Try 4 at 15s
  Response 1 arrives in under 16s  → Server UP
  Response 2 arrives after 22s (> 16s) → Server Down
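The decision logic behind the Content Check and Monitor Timers slides, as an added example rather than F5 code or anything from the deck: a receive rule (optionally reversed) decides whether a single probe succeeded, and the Interval/Timeout pair decides when a silent or slow member is marked Down. The probe timeline, the HTTP bodies and the helper names are constructed; TMM schedules probes differently in detail, but the 3n+1 arithmetic and the Up/Down outcomes on the slide follow from this model.

```python
"""Health-monitor decision logic from the Content Check and Monitor Timers
slides: a receive rule (optionally reversed) decides whether a probe
succeeded, and Interval/Timeout decide when a silent or slow member is
marked Down.

Added example, not F5 code: the probe timeline and HTTP bodies are
constructed; TMM's scheduling differs in detail."""
from typing import List, Optional, Tuple

Probe = Tuple[float, Optional[float], str]   # (sent_at, latency or None, body)


def recommended_timeout(interval: int) -> int:
    """F5 rule of thumb from the slide: Timeout = 3 * Interval + 1.
    Three probes can go unanswered before the fourth result is awaited."""
    return 3 * interval + 1


def receive_rule_matches(body: str, recv: str, reverse: bool = False) -> bool:
    """Content check. Normal rule: Up when `recv` appears in the response.
    Reverse rule: finding `recv` (e.g. an error banner) marks the member Down."""
    found = recv in body
    return not found if reverse else found


def successful_reply_times(probes: List[Probe], recv: str, reverse: bool = False) -> List[float]:
    """Times at which a reply both arrived and satisfied the receive rule.
    Unanswered probes (latency None) never count as success."""
    return sorted(sent + lat for sent, lat, body in probes
                  if lat is not None and receive_rule_matches(body, recv, reverse))


def status_at(now: float, ok_times: List[float], timeout: float, start_ok: float = 0.0) -> bool:
    """True = Up. The member is Down once `timeout` seconds have elapsed
    since the most recent successful reply (it is assumed healthy at
    `start_ok`, t = 0 by default)."""
    last = max([t for t in ok_times if t <= now], default=start_ok)
    return (now - last) < timeout


def slide_scenarios() -> Tuple[bool, bool, bool]:
    """Interval 5s, Timeout 16s, probes at 0/5/10/15 s as on the slide.
    Returns (response-1 status at 16 s, response-2 status at 16 s,
    status with a reverse receive rule that matches)."""
    interval = 5
    timeout = recommended_timeout(interval)           # 16
    ok_body = "HTTP/1.0 200 OK\r\n\r\ndon't hack"      # constructed response
    # Response 1: the 10 s probe is answered 2 s later (t = 12 s) -> still Up at 16 s.
    p1 = [(0, None, ""), (5, None, ""), (10, 2.0, ok_body), (15, None, "")]
    up_16 = status_at(16, successful_reply_times(p1, "don't hack"), timeout)
    # Response 2: nothing answers until the 15 s probe replies at t = 22 s -> Down at 16 s.
    p2 = [(0, None, ""), (5, None, ""), (10, None, ""), (15, 7.0, ok_body)]
    down_16 = status_at(16, successful_reply_times(p2, "don't hack"), timeout)
    # Reverse receive rule: a 200 that carries a maintenance banner is treated as Down.
    bad = [(0, 0.5, "HTTP/1.0 200 OK\r\n\r\nmaintenance mode")]
    rev_ok = successful_reply_times(bad, "maintenance", reverse=True)
    return up_16, down_16, status_at(16, rev_ok, timeout)


if __name__ == "__main__":
    print(slide_scenarios())   # (True, False, False)
```

Two practical notes fall out of `successful_reply_times`: a plain TCP service check would have counted the "maintenance mode" reply as healthy, which is why content checks exist; and a receive string as loose as "200" is satisfied by almost any page the server can still serve, so pick a string that only a working application produces.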

Page 73: Bigipv9tech Intro v10


Assigning Monitors to Nodes

For one Node

Page 74: Bigipv9tech Intro v10


Assigning Monitors to Pools

For one Member

Inherit from Pool

Page 75: Bigipv9tech Intro v10


Application Dependence

• Multi-tier application
• Co-related application

[Figure: node 172.16.20.1 is OK only when its ICMP, :80 and :443 checks pass; the SERVER POOL (172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80) is OK only when its members are; the Virtual Service in turn depends on a back-end pool of members 172.16.20.97:9000, 172.16.20.98:9000 and 172.16.20.99:9000.]

Page 76: Bigipv9tech Intro v10


Profile

Page 77: Bigipv9tech Intro v10


Profile Concepts

A Profile is:
• A single place to define traffic behavior – SSL, compression, persistence…
• A way to apply that behavior to multiple VS’s
• User defined, built from a template
• Dependent on other profiles

Page 78: Bigipv9tech Intro v10


Profile Dependencies

Some profiles can’t be combined in a VS; some depend on others. Think in terms of the OSI Model:

  Cookie persistence   (requires HTTP)
  HTTP, FTP            (require TCP)
  TCP, UDP             (Transport)
  Network
  Data Link
  Physical

Page 79: Bigipv9tech Intro v10


Profile Types

• Protocol – connection oriented
• Service – data type oriented
• Persistence – session oriented
• SSL – encryption oriented
• Authentication – security oriented

Page 80: Bigipv9tech Intro v10


Profile Configuration Concepts

• Created from Default Profiles
• Defaults can be modified, not deleted
• Custom and Parent relationship
• Saved in /config/profile_base.conf

Page 81: Bigipv9tech Intro v10


Configuring Profiles

Page 82: Bigipv9tech Intro v10


Configuring Profiles

Specify Properties

Then Map to Virtual Server

Page 83: Bigipv9tech Intro v10


Persistence

[Figure: requests 1, 2, 3 from the same client are all sent to the same server once a persistence record exists.]

Page 84: Bigipv9tech Intro v10


Source Address Persistence

• Based on the Client Source IP Address
• Netmask -> Address Range: clients whose addresses fall in the same masked network share one persistence record

[Figure: with Netmask 255.255.255.0, clients 205.229.151.10 and 205.229.151.107 share a record and reach the same server; 205.229.152.11 is in a different /24 and is load balanced independently.]

Page 85: Bigipv9tech Intro v10


Configuring Source Address Persist

1. Configure Profile
2. Point Virtual Server to Profile

Page 86: Bigipv9tech Intro v10


persist across_services

Configuration:
  Virtual Server 150.150.1.1:80  → PoolA: 10.1.1.1:80 & 10.1.1.2:80
  Virtual Server 150.150.1.1:443 → PoolB: 10.1.1.1:443 & 10.1.1.2:443

Clients connecting to either Virtual Server establish a single persistence record with the selected node address, so a client sent to 10.1.1.1 on port 80 is also sent to 10.1.1.1 on port 443.
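A minimal source-address persistence table that models both slides above: the netmask that widens one client address into a shared record, and the `across services` option that drops the virtual server from the record key. This is an added example, not F5 code or part of the deck; the `SourceAddrPersistence` class, the 180 second timeout and the per-virtual-server round robin standing in for the pool's load-balancing method are constructed, while the client, virtual server and pool addresses are the slides' own.

```python
"""Source-address persistence with a netmask, and the `across services`
option, as described on the two persistence slides above.

Added example, not F5 code: a minimal persistence table keyed the way the
slides describe; the 180 s timeout and the per-VS round robin are
stand-ins, the addresses are the slides' values."""
import ipaddress
from typing import Dict, List, Tuple

Member = Tuple[str, int]   # (node ip, port)


class SourceAddrPersistence:
    def __init__(self, netmask: str = "255.255.255.255",
                 across_services: bool = False, timeout: int = 180):
        self.netmask = netmask
        self.across_services = across_services
        self.timeout = timeout
        self.records: Dict[tuple, Tuple[str, float]] = {}   # key -> (node ip, expires)
        self._rr: Dict[str, int] = {}                        # vs -> round-robin index

    def _key(self, vs: str, client_ip: str) -> tuple:
        # The netmask widens one client address into the whole range that
        # shares the record; across_services drops the VS from the key so
        # 150.150.1.1:80 and :443 look up the same entry.
        net = ipaddress.ip_network(f"{client_ip}/{self.netmask}", strict=False)
        return (None if self.across_services else vs, str(net))

    def select(self, vs: str, client_ip: str, pool: List[Member], now: float) -> Member:
        key = self._key(vs, client_ip)
        rec = self.records.get(key)
        if rec and rec[1] > now:
            # Persist: reuse the recorded node address, on this pool's port.
            for m in pool:
                if m[0] == rec[0]:
                    self.records[key] = (rec[0], now + self.timeout)   # refresh
                    return m
        # No live record: load balance (round robin here), then remember the node.
        idx = self._rr.get(vs, 0)
        chosen = pool[idx % len(pool)]
        self._rr[vs] = idx + 1
        self.records[key] = (chosen[0], now + self.timeout)
        return chosen


POOL_A = [("10.1.1.1", 80), ("10.1.1.2", 80)]      # behind 150.150.1.1:80
POOL_B = [("10.1.1.1", 443), ("10.1.1.2", 443)]    # behind 150.150.1.1:443


def across_services_demo(across: bool) -> Tuple[Member, Member, Member]:
    """Two clients on :80, then the second client on :443."""
    p = SourceAddrPersistence(across_services=across)
    a = p.select("150.150.1.1:80", "205.229.151.10", POOL_A, now=0)
    b = p.select("150.150.1.1:80", "205.229.152.11", POOL_A, now=1)
    c = p.select("150.150.1.1:443", "205.229.152.11", POOL_B, now=2)
    return a, b, c


def netmask_demo() -> Tuple[Member, Member, Member]:
    """Netmask 255.255.255.0: .151.10 and .151.107 share one record; .152.11 does not."""
    p = SourceAddrPersistence(netmask="255.255.255.0")
    vs = "150.150.1.1:80"
    x = p.select(vs, "205.229.151.10", POOL_A, now=0)
    y = p.select(vs, "205.229.152.11", POOL_A, now=1)
    z = p.select(vs, "205.229.151.107", POOL_A, now=2)
    return x, y, z


if __name__ == "__main__":
    print(across_services_demo(True))    # second client stays on 10.1.1.2 for :443
    print(across_services_demo(False))   # :443 is load balanced separately
    print(netmask_demo())
```

The netmask is the setting to reason about before enabling this: every client behind one corporate proxy or carrier NAT already shares a source address, and a /24 mask widens that to a whole site, so one server can end up carrying a disproportionate share of sessions and a burst from one network is no longer spread by load balancing at all.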

Page 87: Bigipv9tech Intro v10


Cookie Persistence

• Insert mode – BIG-IP inserts a cookie into the stream
• Rewrite mode – the web server creates the cookie and the BIG-IP Controller changes it
• Passive mode – the web server creates the cookie and the BIG-IP Controller reads it
• Hash mode – maps a cookie value to a specific node; the web server must generate the cookie

Page 88: Bigipv9tech Intro v10


How do cookies work?

  1. Client: GET /
  2. Server reply sets the cookie, with its Domain Name, URI Path and Expire time
  3. Client: GET /xxxx with "Cookie: xxx=xxx" on every later request that matches that domain and path, until the expire time

Page 89: Bigipv9tech Intro v10


Cookie Insert Mode

  1. Client: GET / (no cookie) → BIG-IP picks a server by load balancing
  2. The server's reply passes back through BIG-IP, which inserts a cookie (Domain Name, URI Path, Expire time) that identifies the chosen server
  3. Client: GET /xxxx with "Cookie: xxx=xxx" → the cookie specifies the server

Page 90: Bigipv9tech Intro v10


Cookie Insert Mode

First Hit
  Client → BIG-IP:  TCP handshake; HTTP request (no special cookie)
  BIG-IP picks a server
  BIG-IP → Server:  TCP handshake; HTTP request (no special cookie)
  Server → BIG-IP:  HTTP reply (no special cookie)
  BIG-IP → Client:  HTTP reply (with inserted cookie)

Second Hit
  Client → BIG-IP:  TCP handshake; HTTP request (with same cookie)
  The cookie specifies the server
  BIG-IP → Server:  TCP handshake; HTTP request (with same cookie)
  Server → BIG-IP:  HTTP reply (no special cookie)
  BIG-IP → Client:  HTTP reply (updated cookie)
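What a client can read out of the cookie that Insert mode adds. This is an added example, not F5 code or part of the deck: it implements the default, publicly documented encoding of the BIGipServer<pool> cookie value (F5 knowledge article K6917: the pool member's IPv4 address and port as little-endian decimal integers, followed by a ".0000" field), which is what makes the internal pool member address recoverable by anyone holding the cookie. The pool name `http_pool` and the sample Cookie header are constructed.

```python
"""What a client can read out of the cookie that Insert mode adds.

Added example, not F5 code: implements the default, publicly documented
encoding of the BIGipServer<pool> cookie value (F5 K6917: pool member
IPv4 address and port as little-endian decimal integers plus a ".0000"
field). The pool name and the sample Cookie header are constructed."""
import socket
import struct
from typing import Dict, Tuple

COOKIE_PREFIX = "BIGipServer"


def encode_member(ip: str, port: int) -> str:
    """172.16.20.1:80 -> '18092204.20480.0000' (little-endian decimal fields)."""
    ip_le = struct.unpack("<I", socket.inet_aton(ip))[0]
    port_le = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_le}.{port_le}.0000"


def decode_member(value: str) -> Tuple[str, int]:
    """Inverse of encode_member; raises ValueError on anything else."""
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a default-encoded BIGipServer value: {value!r}")
    ip = socket.inet_ntoa(struct.pack("<I", int(parts[0])))
    port = struct.unpack(">H", struct.pack("<H", int(parts[1])))[0]
    return ip, port


def pool_members_from_cookie_header(header: str) -> Dict[str, Tuple[str, int]]:
    """Scan a Cookie: header and return {pool_name: (ip, port)} for every
    BIGipServer cookie whose value decodes; encrypted, malformed or
    unrelated cookies are skipped rather than guessed at."""
    found: Dict[str, Tuple[str, int]] = {}
    for chunk in header.split(";"):
        name, _, value = chunk.strip().partition("=")
        if not name.startswith(COOKIE_PREFIX):
            continue
        try:
            found[name[len(COOKIE_PREFIX):]] = decode_member(value)
        except (ValueError, struct.error):
            continue
    return found


if __name__ == "__main__":
    # Constructed header: an application session cookie plus the BIG-IP one.
    hdr = "JSESSIONID=abc123; BIGipServerhttp_pool=" + encode_member("10.1.1.100", 8080)
    print(pool_members_from_cookie_header(hdr))   # {'http_pool': ('10.1.1.100', 8080)}
```

The only thing BIG-IP needs the cookie to carry is which member to return to; disclosing that member's RFC 1918 address, its port and, through the cookie name, the pool name is a side effect of the default encoding. Where that matters, the HTTP profile's cookie encryption (Encrypt Cookies and the associated passphrase) hides the value, and the Hash mode on the following slides keys persistence off an opaque cookie that the server already issues.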

Page 91: Bigipv9tech Intro v10


Session Cookie

• The cookie is kept in browser memory only
• Closing the browser clears the cookie
• The next request is then load balanced afresh

Page 92: Bigipv9tech Intro v10


Cookie Hash Mode

First Hit
  Client → BIG-IP:  TCP handshake; HTTP request (no special cookie)
  BIG-IP picks a server
  BIG-IP → Server:  TCP handshake; HTTP request (no special cookie)
  Server → BIG-IP:  HTTP reply (with cookie)
  BIG-IP → Client:  HTTP reply (with cookie)

Second Hit and Third Hit
  Client → BIG-IP:  TCP handshake; HTTP request (with same cookie)
  The hash of the cookie value specifies the server
  BIG-IP →  Server: TCP handshake; HTTP request (with same cookie)
  Server → BIG-IP:  HTTP reply (with cookie)
  BIG-IP → Client:  HTTP reply (with cookie)

Page 93: Bigipv9tech Intro v10


Configuring Cookie Persistence

• Cookie Persist requires an http profile on the Virtual Server
• Then set the Cookie Persist profile

Page 94: Bigipv9tech Intro v10


SSL Acceleration

[Figure: traffic is Encrypted on the client side of the BIG-IP and Decrypted on the server side.]

Page 95: Bigipv9tech Intro v10


SSL Concepts

• Encrypted at each end
• Certificates & Keys
• SSL Accelerator Cards
  – Processing work of encryption / decryption is done by the card
  – Takes load off the Server

[Figure: network packet encrypted in transit.]

Page 96: Bigipv9tech Intro v10


SSL Termination

[Figure: Encrypted on the client side of the BIG-IP, Decrypted on the server side.]

Page 97: Bigipv9tech Intro v10


SSL Termination

Advantages
• SSL key exchange done by hardware
• SSL bulk encryption done by hardware
• Centralized certificate management
• Offloads SSL traffic from the Web Servers
• Allows rule processing & cookie persistence, because the BIG-IP sees the HTTP in the clear

V9

Page 98: Bigipv9tech Intro v10


Traffic Flow through BIG-IP

1. Client sends an encrypted packet
2. BIG-IP takes the packet off the network and decrypts it
3. VS load balances to the Nodes (in the clear on the server-side VLAN unless Server SSL re-encrypts it)
4. The response packet is re-encrypted before it reaches the external network

Page 99: Bigipv9tech Intro v10

Server SSL

[Figure: traffic is Encrypted on the client side and Encrypted again on the server side; it is Decrypted only inside the BIG-IP.]

Page 100: Bigipv9tech Intro v10


Generate Certificate

Page 101: Bigipv9tech Intro v10


1. Create SSL Profile
2. Point VS to Profile

Page 102: Bigipv9tech Intro v10
