
BIG-IP LTM

Local Traffic Management Introduction

Billy Chuang, Presales Manager


Ken Wong, Presales Consultant

© F5 Networks

Agenda

• Introduction
• TCP overview
• Start Up
• Basic Concept
• Monitoring
• Profile
• Session Persistence
• SSL Acceleration
• HTTP Compression
The Leader in Application Delivery Networking

(Diagram: users at home, in the office and on the road reach data center applications such as SAP, Microsoft and Oracle through F5 Application Delivery.)

F5 ensures applications running over the network are always secure, fast and available.
F5’s ADN – Freeing IT, Optimizing Business

(Diagram: clients on PC - Home, Remote - WAN, PC - LAN, WLAN and Cell reach the International Data Center through the F5 product family: BIG-IP Link Controller, BIG-IP Local Traffic Manager, BIG-IP Global Traffic Manager, BIG-IP Application Security Manager, BIG-IP Web Accelerator, FirePass SSL VPN, ARX File/Data Virtualization, Enterprise Manager / ControlPoint and iSession, built on TMOS with the iControl API, in front of Applications & Storage.)

Business Goal: Achieve these objectives in the most operationally efficient manner.
Consolidation by Virtualization

(Diagram: Data Center & Link Virtualization (GTM, LTM & LC), Application Server Virtualization and Web Server Virtualization (LTM), and File Storage Virtualization (ARX) in front of NetApp, EMC and Windows file storage; clients on Cell, PC - Home, Remote - WAN, PC - LAN and WLAN.)
F5 Product Family

• Traffic Management
– Optimize application traffic within data centre: BIG-IP Local Traffic Manager
– Manage traffic across data centres: BIG-IP Link Controller
– High availability for applications and shared services between data centres across the WAN: BIG-IP Global Traffic Manager
• Acceleration
– Accelerates HTTP traffic by up to 200% to 500%: BIG-IP WebAccelerator
– LAN-like performance over the WAN
– Improve performance without adding expensive bandwidth
• Security
– Application firewall: BIG-IP Application Security Manager
– Allows clientless secure remote access to the internal corporate network and resources: FirePass
• Data Solutions: F5 ARX Series
– Intelligent file virtualization
– Decouples access from physical file location
BIG-IP Hardware Line-up

(Chart: models plotted by Price against Function / Performance.)

BIG-IP 8900
• 2 x Quad core CPU
• 16 10/100/1000 + 8x 1GB SFP
• 2x 320 GB HD (S/W RAID) + 8GB CF
• 16 GB memory
• SSL @ 58K TPS / 9.6Gb bulk
• 6 Gbps max hardware compression
• 12 Gbps Traffic
• Multiple Product Modules

BIG-IP 6900
• 2 x Dual core CPU
• 16 10/100/1000 + 8x 1GB SFP
• 2x 320 GB HD (S/W RAID) + 8GB CF
• 8 GB memory
• SSL @ 25K TPS / 4 Gb bulk
• 5 Gbps max hardware compression
• 6 Gbps Traffic
• Multiple Product Modules

BIG-IP 3600
• Dual core CPU
• 8 10/100/1000 + 2x 1GB SFP
• 1x 160 GB HD + 8GB CF
• 4 GB memory
• SSL @ 10K TPS / 2 Gb bulk
• 1 Gbps max software compression
• 2 Gbps Traffic
• 1 Advanced Product Module

BIG-IP 1600
• Dual core CPU
• 4 10/100/1000 + 2x 1GB SFP
• 1x 160GB HD
• 4 GB memory
• SSL @ 5K TPS / 1 Gb Bulk
• 1 Gbps max software compression
• 1 Gbps Traffic
• 1 Basic Product Module
On-Demand & Dynamic Application Security

BIG-IP Local Traffic Manager + BIG-IP Application Security Manager

Leading Value
• World’s first on-demand scaling Web Application Firewall
• Advanced security
• Integrated security performance
• Application insight/visibility

Better security, 2x+ performance!
Ultimate Reliability

(Diagram: Client to Server through a redundant BIG-IP chassis.)

Multi-Level Redundancy
• Blade failure will not cause chassis failure
• Redundant and hot swappable components
Always Available
On Demand – Zero Reconfiguration

(Diagram: Virtual Machines and Physical Servers are added behind the BIG-IP without reconfiguration.)

• Automatic addition of power
• No need to overprovision
• Fixed and predictable opex
Industry Leading Performance

Metric                  Single Blade     4 Blade System
L7 Fast HTTP Inf/Inf    800,000 Rps      3,200,000 Rps
L7 Full Proxy Inf/Inf   300,000 Rps      1,200,000 Rps
SSL TPS                 50,000           200,000
SSL Gbps                9 Gbps           36 Gbps
L4 Conn/s (1-1)         250,000 cps      1,000,000 cps
Compression             4.5 Gbps         16 Gbps
L4 Throughput           10 Gbps          36 Gbps
L7 Throughput           10 Gbps          36 Gbps

TCP Overview


TCP Segment Structure


Connection Setup – 3-way Handshake

Tear Down a Connection

Some Useful Tools

• PuTTY, FileZilla
• Wireshark / tcpdump
• HttpWatch, IE

Quick start

• Power On
• License
• Basic preparation


First Power ON

Initial IP Address is 192.168.1.245 / 24


Setup / Configuration Access

Two methods
1. Web Interface
• https (remote)

2. Command Line
• ssh (remote)
• Serial Terminal


License Process – Automated

(Diagram: BIG-IP, PC and the F5 License Server at activate.F5.com connected over the Internet.)

License the box
• Enter Registration Key
• Select parameters
• Get License from F5
Run Setup utility

License Process – Manual

(Diagram: BIG-IP on an isolated network; the PC is moved to the Internet to reach the F5 License Server at activate.F5.com and back again.)

Manually License the box
• Copy Product Dossier to PC
• Move PC to Internet
• https://activate.F5.com
• Paste Product Dossier to F5
• Download License to PC
• Move PC back
• Upload & Install License file
Run Setup utility

Setup Utility

https://<Management IP Address>

Setup Utility – Network


BIG-IP Admin Users


User Authentication Process


Configuration Worksheet


Basic Network Configuration

• VLAN
• Trunk Port
• Spanning Tree
• Self-IP


Virtual LAN (VLAN)

The BIG-IP system acts as a multilayer switch rather than a standard IP router.

• A VLAN is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space
• Reduces the size of broadcast domains
• Functionally-related hosts no longer need to physically reside together to achieve optimal network performance
• Enhances security on your network by segmenting hosts that must transmit sensitive data

Spanning Tree
On networks that contain redundant paths between layer 2 devices, a common problem is bridging
loops. Bridging loops occur because layer 2 devices do not create boundaries for broadcasts or
packet floods. Consequently, layer 2 devices can use redundant paths to forward the same frames
to each other continuously, eventually causing the network to fail.

Spanning tree protocols block redundant paths on a network, thus preventing bridging loops.

• Supported standards
– STP (IEEE 802.1D-1998)
– RSTP (IEEE 802.1w, 802.1t, 802.1D-2004)
– MSTP (IEEE 802.1s)

Trunk Port

A trunk is a logical grouping of interfaces that functions as a single interface. The BIG-IP system uses a trunk to distribute traffic across multiple links, in a process known as link aggregation.

• Aggregates up to 8 links
• IEEE standard 802.3ad, LACP

Self-IP
A self IP address is an IP address that you associate with a VLAN, to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space, that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address. You can associate self IP addresses not only with VLANs, but also with VLAN groups.

Major Purpose
• Default route for each destination Server in the VLAN
• IP interface used to send messages to hosts on the local subnet
• Management Interface IP, the default address for HTTPS and SSH

Two types
Static: an IP address owned by the unit itself.
Floating: an IP address shared within a Redundant pair and active only on the Active Unit.

Basic Concept

• Virtual Server & Node Concepts


• Configuring Virtual Servers & Pools
– Virtual Server & Pool Lab
• Load Balancing Modes
• Configuring Load Balancing


Pool - Grouping of Nodes

(Diagram: Internet Clients reach the Router, then the BIG-IP Controller, which fronts a pool of Servers.)

Pool Members and Nodes

(Diagram: Pool Members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080 behind the BIG-IP.)

• Nodes refer to the Pool Members’ IP Address only

Virtual Server

(Diagram: Internet clients reach Virtual Server 216.34.94.17:80, which points to Nodes 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080.)

• Basic mechanism to manage traffic
• IP Address + Service (Port) Combination
• One Virtual Server points to one or more Nodes

Virtual Server - Address Translation

(Diagram: Virtual Server Address 216.34.94.17:80 in front of Real Server Addresses 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080.)

BIG-IP performs network address translation to the real server addresses such that all machines are viewed as one Virtual Server.

Network Flow - Packet #1

(Diagram: client on the Internet, Virtual Server 216.34.94.17:80, Nodes 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080.)

The DNS Server resolves www.f5.com to the BIG-IP Virtual Server Address 216.34.94.17:80.

Network Flow - Packet #1

Client 207.17.117.20

Packet # 1 (Internet side)
Src – 207.17.117.20:4003
Dest – 216.34.94.17:80

BIG-IP translates the Dest Address to a Node based on Load Balancing.

Packet # 1 (server side)
Src – 207.17.117.20:4003
Dest – 172.16.20.1:80

Network Flow – Packet #1 Return

Client 207.17.117.20

Packet # 1 - return (server side)
Dest – 207.17.117.20:4003
Src – 172.16.20.1:80

BIG-IP translates the Src Address back to the Virtual Server Address.

Packet # 1 - return (Internet side)
Dest – 207.17.117.20:4003
Src – 216.34.94.17:80

Network Flow - Packet #2

Client 207.17.117.21

Packet # 2 (Internet side)
Src – 207.17.117.21:4003
Dest – 216.34.94.17:80

Packet # 2 (server side)
Src – 207.17.117.21:4003
Dest – 172.16.20.2:4002

Network Flow – Packet #2 Return

Client 207.17.117.21

Packet # 2 - return (server side)
Dest – 207.17.117.21:4003
Src – 172.16.20.2:4002

Packet # 2 - return (Internet side)
Dest – 207.17.117.21:4003
Src – 216.34.94.17:80

Network Flow - Packet #3

Client 207.17.117.25

Packet # 3 (Internet side)
Src – 207.17.117.25:4003
Dest – 216.34.94.17:80

Packet # 3 (server side)
Src – 207.17.117.25:4003
Dest – 172.16.20.4:8080

Network Flow – Packet #3 Return

Client 207.17.117.25

Packet # 3 - return (server side)
Dest – 207.17.117.25:4003
Src – 172.16.20.4:8080

Packet # 3 - return (Internet side, Virtual Server 216.34.94.17)
Dest – 207.17.117.25:4003
Src – 216.34.94.17:80
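The packet flows above can be modelled in a few lines. The following is an added example, not code from the slides or from F5: a virtual server that rewrites the destination of inbound packets to a pool member, remembers the flow in a connection table, and rewrites the source of the return packet back to the virtual server address so the client only ever sees 216.34.94.17:80. The addresses are the ones on the slides; the round-robin member order is an assumption (the slides do not say which load balancing method picked each node), so the third client lands on 172.16.20.3:80 here rather than 172.16.20.4:8080. The connection-table check on the return path also drops a reply from a member that does not own the flow.

```python
from dataclasses import dataclass, replace
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src: str  # "ip:port"
    dst: str  # "ip:port"


class VirtualServer:
    """Virtual server address + pool, with the two translations the slides show."""

    def __init__(self, address, members):
        self.address = address
        self._selector = cycle(members)  # round robin (assumption: slides do not say)
        self.connections = {}            # client "ip:port" -> chosen member

    def inbound(self, pkt):
        """Client -> VS: rewrite the destination to a pool member."""
        if pkt.dst != self.address:
            raise ValueError("packet not addressed to this virtual server")
        member = self.connections.get(pkt.src)
        if member is None:                     # new flow: load balance once
            member = next(self._selector)
            self.connections[pkt.src] = member
        return replace(pkt, dst=member)

    def outbound(self, pkt):
        """Member -> client: rewrite the source back to the VS address.
        Only the member that owns the flow may answer; anything else is dropped."""
        if self.connections.get(pkt.dst) != pkt.src:
            raise ValueError("no connection table entry: dropped")
        return replace(pkt, src=self.address)


# Pool members from the slides (constructed ordering).
POOL = ["172.16.20.1:80", "172.16.20.2:4002", "172.16.20.3:80", "172.16.20.4:8080"]


def trace_flow(client, vs=None):
    """Packet #n and its return for one client: (to_member, reply, to_client)."""
    if vs is None:
        vs = VirtualServer("216.34.94.17:80", POOL)
    to_member = vs.inbound(Packet(src=client, dst=vs.address))
    reply = Packet(src=to_member.dst, dst=to_member.src)   # member answers
    return to_member, reply, vs.outbound(reply)


if __name__ == "__main__":
    vs = VirtualServer("216.34.94.17:80", POOL)
    for client in ("207.17.117.20:4003", "207.17.117.21:4003", "207.17.117.25:4003"):
        fwd, rep, back = trace_flow(client, vs)
        print(f"{client} -> {fwd.dst}; return from {rep.src}, client sees {back.src}")
```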

Basic Setup STEP

(Diagram: three Nodes become the Members of a POOL, and the Virtual Server points to the POOL.)

Configuring Pools


Configuring Virtual Servers


Statistics
• Summary
• Virtual Servers
• Pools
• Nodes


Load Balancing


Round Robin

(Diagram: Internet Clients, Router, BIG-IP Controller, four Servers.)

Client requests are distributed evenly: requests 1, 2, 3, 4 go one each to the four servers, then requests 5, 6, 7, 8 repeat the cycle.

Ratio

(Diagram: Internet Clients, Router, BIG-IP Controller, four Servers.)

Administrator sets the ratio for distributing Client requests, 3:2:1:1: server 1 gets requests 1, 5, 7, 8, 12, 14; server 2 gets 2, 6, 9, 13; server 3 gets 3, 10; server 4 gets 4, 11.

Fastest

(Diagram: four Servers with Current Response Times 10ms, 10ms, 10ms, 17ms; requests 1 to 6 are spread over the three 10ms servers.)

Next requests go to the Node with the fastest response time.

Fastest

(Diagram: Current Response Times are now 10ms, 10ms, 7ms, 7ms; requests 101 to 104 go to the two 7ms servers.)

Some time later, response times change.

Least Connections

(Diagram: four Servers with Current Connections 459, 460, 461, 470; requests 1 to 6 go to the servers with the fewest connections.)

Next requests go to the Node with the fewest open connections.

Least Connections

(Diagram: Current Connections are now 280, 290, 111, 112; requests 61 to 63 go to the servers with 111 and 112 connections.)

Some time later, the number of connections changes.

Priority Group Activation

(Diagram: Servers 1, 2, 3 in Priority 2; Servers 4, 5, 6 in Priority 1.)

If you set Priority Group Activation to 2, and 3 of the highest priority nodes are available, then lower priority nodes will not be used.

Priority Group Activation

(Diagram: Priority 2 and Priority 1 server groups, both now receiving requests 1 to 8.)

If the number of available nodes falls below the Priority Group Activation value (2), then the next highest priority nodes are also used.

Ratio & Priority Group Activation


Pool Member vs. Node

Load Balancing by:


• Pool Member
– IP Address & service
• Node
– Total services for one IP Address


If using Member

(Diagram: three nodes with Current Connections; http: 107, 108, 99; ftp: 2, 3, 25.)

If the http pool uses the Least Connections (member) load balancing method, then the next http requests go to the Pool Member with the fewest http connections.

If using Node

(Diagram: the same three nodes; http: 107, 108, 99; ftp: 2, 3, 25.)

With Least Connections (node), the next http requests go to the IP Address with the fewest total connections.
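The load balancing modes on the preceding slides (Round Robin, Ratio, Fastest, Least Connections by member and by node, and Priority Group Activation) are small enough to implement over an in-memory pool. The code below is an added example written for this page, not F5's implementation; the connection counts, response times, ratios and priorities are constructed to match the figures on the slides (http 107/108/99 and ftp 2/3/25, ratio 3:2:1:1, activation 2 with three Priority 2 and three Priority 1 members), and the member addresses are placeholders. The ratio mode reproduces the request sequence drawn on the Ratio slide.

```python
from dataclasses import dataclass


@dataclass
class Member:
    node: str             # node = IP address
    port: int             # member = IP address + service
    ratio: int = 1
    priority: int = 0     # higher number = higher priority group
    available: bool = True
    connections: int = 0  # current connections to this member (constructed)

    @property
    def name(self):
        return f"{self.node}:{self.port}"


class Pool:
    def __init__(self, members, pga=0):
        self.members = list(members)
        self.pga = pga     # Priority Group Activation minimum; 0 = disabled
        self._ptr = 0      # round-robin pointer
        self._left = {}    # picks remaining in the current ratio cycle

    def candidates(self):
        """Priority Group Activation: start with the highest priority group and
        pull in the next lower group only while fewer than `pga` are available."""
        chosen = []
        for prio in sorted({m.priority for m in self.members}, reverse=True):
            chosen += [m for m in self.members if m.priority == prio and m.available]
            if self.pga == 0 or len(chosen) >= self.pga:
                break
        return chosen

    def round_robin(self):
        cands = self.candidates()
        m = cands[self._ptr % len(cands)]
        self._ptr += 1
        return m

    def ratio(self):
        """Weighted round robin as drawn on the Ratio slide: one pass over the
        members per turn, a member being skipped once its share of the cycle
        (3:2:1:1 -> 7 picks) is used up, then a new cycle starts at the top."""
        cands = self.candidates()
        if not any(self._left.get(m.name, 0) for m in cands):
            self._left = {m.name: m.ratio for m in cands}
            self._ptr = 0
        n = len(cands)
        for i in range(n):
            m = cands[(self._ptr + i) % n]
            if self._left.get(m.name, 0) > 0:
                self._left[m.name] -= 1
                self._ptr = (self._ptr + i + 1) % n
                return m
        raise RuntimeError("unreachable: the cycle was just reset")

    def fastest(self, response_ms):
        """response_ms maps member name -> current response time."""
        return min(self.candidates(), key=lambda m: response_ms[m.name])

    def least_connections(self, by="member", node_totals=None):
        """by="member": fewest connections to this IP:port.
        by="node": fewest connections to the IP address over all services
        (node_totals maps node -> total, as the Node statistics report it)."""
        if by == "member":
            return min(self.candidates(), key=lambda m: m.connections)
        return min(self.candidates(), key=lambda m: node_totals[m.node])


def ratio_sequence(n=14):
    """Which server (A-D) gets each of n requests with ratio 3:2:1:1."""
    pool = Pool([Member("10.0.0.1", 80, ratio=3), Member("10.0.0.2", 80, ratio=2),
                 Member("10.0.0.3", 80, ratio=1), Member("10.0.0.4", 80, ratio=1)])
    return "".join("ABCD"[pool.members.index(pool.ratio())] for _ in range(n))


def fastest_demo():
    pool = Pool([Member(f"10.0.0.{i}", 80) for i in (1, 2, 3, 4)])
    times = {"10.0.0.1:80": 10, "10.0.0.2:80": 10, "10.0.0.3:80": 7, "10.0.0.4:80": 7}
    return pool.fastest(times).name


def least_connections_demo():
    """The 'If using Member' / 'If using Node' slides: http 107/108/99, ftp 2/3/25."""
    http = Pool([Member("172.16.20.1", 80, connections=107),
                 Member("172.16.20.2", 80, connections=108),
                 Member("172.16.20.3", 80, connections=99)])
    ftp = {"172.16.20.1": 2, "172.16.20.2": 3, "172.16.20.3": 25}
    totals = {m.node: m.connections + ftp[m.node] for m in http.members}
    return http.least_connections("member").node, http.least_connections("node", totals).node


def priority_group_demo():
    """Three Priority 2 members, three Priority 1 members, activation = 2."""
    high = [Member(f"172.16.21.{i}", 80, priority=2) for i in (1, 2, 3)]
    low = [Member(f"172.16.22.{i}", 80, priority=1) for i in (1, 2, 3)]
    pool = Pool(high + low, pga=2)
    while_three_up = len(pool.candidates())
    high[0].available = high[1].available = False   # one high-priority member left
    after_two_fail = len(pool.candidates())
    return while_three_up, after_two_fail


if __name__ == "__main__":
    print("ratio 3:2:1:1 ->", ratio_sequence())
    print("fastest ->", fastest_demo())
    print("least connections (member, node) ->", least_connections_demo())
    print("candidates before/after failures ->", priority_group_demo())
```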

Configuring Load Balancing


Health Monitor

• Monitor Concepts
• Configuring Monitors
• Assigning Monitors
• Monitor Dependence


Monitor Concepts
• Address Check
– Node – IP Address
• Service Check
– Pool and/or Members – IP : port
• Content Check
– IP : port plus check data returned
• Interactive Check


Address Check

(Diagram: ICMP echo request from the BIG-IP to nodes 172.16.20.1, 172.16.20.2 and 172.16.20.3; ICMP echo reply returned.)

Steps
– Packets sent to IP Addresses
– If no response, then no traffic sent to associated Nodes
– Example – ICMP

Service Check

(Diagram: TCP Connection from the BIG-IP to 172.16.20.1:80, 172.16.20.2:80 and 172.16.20.3:80.)

Steps
– Opens TCP connection (IP Address : service)
– Connection closed
– If TCP connection fails, then no traffic sent to associated Nodes
– Example – TCP

Content Check

(Diagram: HTTP GET / sent to 172.16.20.1:80, 172.16.20.2:80 and 172.16.20.3:80; the returned data is checked against the Receive Rule.)

Steps
– Opens TCP connection (IP Address : service)
– Sends a request: HTTP GET /
– Response returns data
– Connection closed
– If Receive Rule not found in data, then no traffic sent to associated Nodes
– Example – HTTP

Content check – network packets

TCP SYN
TCP SYN/ACK
TCP ACK
TCP PSH “HTTP GET /”
TCP ACK
TCP PSH “HTTP 200 ... don’t hack”
TCP ACK
TCP FIN
TCP ACK

Interactive Check

(Diagram: interactive conversation with nodes 172.16.20.1:21, 172.16.20.2:21 and 172.16.20.3:21.)

Steps
– Opens TCP connection (IP Address : service)
– Interactive conversation to simulate a real-world conversation
– Connection closed
– If expected results do not occur, then no traffic sent to associated Nodes
– Example – FTP, SQL request

Configuring Monitors
• Create or select Monitor
– System supplied templates
– User defined from template
• Assign Monitor
– Single Node – IP Address
– All Nodes
– Pool - IP : port
– Pool Member - IP : port
– Define to check different IP : port


Creating Monitors


Additional Monitor Parameters

• Receive Rule
– If content found, Node
marked Up
• Reverse Receive Rule
– If content found, Node
marked Down
• Transparent
– If Path Available, Node marked
Up
– Used for monitoring Links

Monitor Timers

• Frequency (Interval)
• Timeout
• Recommended – Timeout = 3n + 1 (n = Interval)

(Timeline: Interval 5s, Timeout 16s. Try 1 at 0s, Try 2 at 5s, Try 3 at 10s, Try 4 at 15s, timeout at 16s. Response 1 arrives in under 16s: Server UP. Response 2 arrives at 22s, later than 16s: Server Down.)
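The Content Check, the Receive / Reverse Receive rules and the Monitor Timers slides describe one small state machine. The code below is an added example for this page, not F5's monitor code: a content-check probe that opens a TCP connection, sends a request, reads the reply and applies a Receive Rule (node Up if the text is found) or a Reverse Receive Rule (node Down if the text is found), plus the interval/timeout arithmetic from the timer slide. A throw-away backend on 127.0.0.1 is started in-process for the demo, so it runs offline; the request string, the reply bodies and the "3n + 1" helper names are constructed for the example.

```python
import socket
import threading


def evaluate_receive(data, rule, reverse=False):
    """Receive Rule: Up if `rule` is found in the reply.
    Reverse Receive Rule: Down if `rule` is found."""
    found = rule in data
    return not found if reverse else found


def content_check(host, port, send, rule, timeout=16.0, reverse=False):
    """One content-check probe: open TCP, send the request, read the reply,
    close.  Returns True (Up) or False (Down).  A refused or unanswered
    connection is Down, exactly as a failed Service Check would be."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(send.encode())
            s.shutdown(socket.SHUT_WR)
            reply = b""
            while chunk := s.recv(4096):
                reply += chunk
    except OSError:
        return False
    return evaluate_receive(reply.decode(errors="replace"), rule, reverse)


def recommended_timeout(interval):
    """The 3n + 1 rule from the Monitor Timers slide."""
    return 3 * interval + 1


def probe_times(interval, timeout):
    """Send times of the probes that fit inside one timeout window."""
    return list(range(0, timeout, interval))


def node_status(last_response_at, now, timeout):
    """Up while the most recent good response is no older than `timeout`."""
    return "UP" if now - last_response_at <= timeout else "DOWN"


def serve_once(body):
    """Constructed backend for the demo: answers one connection with `body`
    and returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)          # the monitor's request
            conn.sendall(body)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    req = "GET / HTTP/1.0\r\n\r\n"
    port = serve_once(b"HTTP/1.0 200 OK\r\n\r\ndon't hack\n")
    print("receive rule '200 OK' ->", content_check("127.0.0.1", port, req, "200 OK"))
    port = serve_once(b"HTTP/1.0 200 OK\r\n\r\nmaintenance page\n")
    print("reverse rule 'maintenance' ->",
          content_check("127.0.0.1", port, req, "maintenance", reverse=True))
    print("probes within 3n+1:", probe_times(5, recommended_timeout(5)))
    print("response after 12s:", node_status(0, 12, 16), "| after 22s:", node_status(0, 22, 16))
```

The reverse rule is the one to reach for when a server answers 200 with a maintenance or error page: a plain receive rule on "200 OK" would keep such a node in service.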

Assigning Monitors to Nodes

For one Node



Assigning Monitors to Pools

For one Member

Inherit from Pool



Application Dependence

(Diagram: Node 172.16.20.1 OK, checked as 172.16.20.1:ICMP; Virtual Services 172.16.20.1:80 and 172.16.20.1:443; SERVER POOL OK with POOL members 172.16.20.1:80, 172.16.20.2:80 and 172.16.20.3:80; back-end tier 172.16.20.97:9000, 172.16.20.98:9000 and 172.16.20.99:9000.)

• Multi-tier application
• Co-related application

Profile


Profile Concepts

A Profile is:
• Single place to define traffic behavior
– SSL, compression, persistence…
• Apply behavior to multiple VS’s
• User defined built from template
• Dependent on other profiles


Profile Dependencies

Think in terms of the OSI Model: Cookie above HTTP / FTP, above TCP / UDP, above Network, Data Link and Physical.

Some profiles are dependent on others; some can’t be combined in one VS.

Profile Types

• Protocol – connection oriented


• Service – data type oriented
• Persistence – session oriented
• SSL – encryption oriented
• Authentication – security oriented


Profile Configuration Concepts

• Created from Default Profiles


• Defaults can be modified, not deleted
• Custom and Parent relationship
• Saved in /config/profile_base.conf


Configuring Profiles


Configuring Profiles

Specify
Properties

Then Map to
Virtual Server


Persistence

(Diagram: clients 1, 2 and 3 each keep going to the same server 1, 2 and 3.)

Source Address Persistence

• Based on Client Source IP Address
• Netmask -> Address Range

(Diagram: if the Netmask is 255.255.255.0, clients 205.229.151.10 and 205.229.151.107 fall in the same range and persist to the same server, while 205.229.152.11 is in a different range.)

Configuring Source Address Persist


1. Configure Profile
2. Point Virtual Server
to Profile


persist across_services

Configuration:
Virtual Server 150.150.1.1:80 -> PoolA
PoolA: 10.1.1.1:80 & 10.1.1.2:80
Virtual Server 150.150.1.1:443 -> PoolB
PoolB: 10.1.1.1:443 & 10.1.1.2:443

Clients connecting to either Virtual Server establish a single persistence record with the selected node address.

(Diagram: clients 1 and 2 connect to 150.150.1.1 on both services and each persists to one node, 10.1.1.1 or 10.1.1.2.)
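Source address persistence with a netmask, and the across_services variant above, come down to how the persistence record is keyed. The following is an added example written for this page, not F5's implementation: records are keyed by the client address masked with the profile netmask; with across_services the key drops the virtual server port so 150.150.1.1:80 and 150.150.1.1:443 share one record, and the record stores only the node address, so the pool member on that node is chosen per service. The addresses are those on the two slides; the 180-second record lifetime, the round-robin fallback and the function names are assumptions for the example.

```python
import ipaddress
from itertools import cycle


class SourceAddressPersistence:
    def __init__(self, netmask="255.255.255.0", across_services=False, timeout=180):
        self.netmask = netmask
        self.across_services = across_services
        self.timeout = timeout      # seconds a record stays valid (constructed default)
        self.records = {}           # key -> (node address, expires_at)

    def _key(self, client_ip, vs):
        """Mask the client address; drop the VS port when across_services is set."""
        net = ipaddress.ip_network(f"{client_ip}/{self.netmask}", strict=False)
        vs_key = vs.split(":")[0] if self.across_services else vs
        return (vs_key, str(net.network_address))

    def select(self, client_ip, vs, pool, pick, now):
        """Return the pool member for this client and VS.  `pick(pool)` is the
        load balancing fallback used when no valid record exists."""
        key = self._key(client_ip, vs)
        rec = self.records.get(key)
        member = None
        if rec is not None and rec[1] > now:                  # record still valid
            node = rec[0]
            member = next((m for m in pool if m.split(":")[0] == node), None)
        if member is None:                                    # no record, expired, or node not in pool
            member = pick(pool)
        self.records[key] = (member.split(":")[0], now + self.timeout)
        return member


def round_robin():
    """Load balancing fallback: an independent round robin per pool."""
    state = {}

    def pick(pool):
        return next(state.setdefault(tuple(pool), cycle(pool)))

    return pick


POOL_A = ["10.1.1.1:80", "10.1.1.2:80"]
POOL_B = ["10.1.1.1:443", "10.1.1.2:443"]


def netmask_demo():
    """Source Address Persistence slide: /24 groups 205.229.151.10 with
    205.229.151.107; 205.229.152.11 is a different range and is balanced afresh."""
    persist = SourceAddressPersistence("255.255.255.0")
    pick = round_robin()
    a = persist.select("205.229.151.10", "150.150.1.1:80", POOL_A, pick, now=0)
    b = persist.select("205.229.151.107", "150.150.1.1:80", POOL_A, pick, now=1)
    c = persist.select("205.229.152.11", "150.150.1.1:80", POOL_A, pick, now=2)
    return a, b, c


def across_services_demo():
    """persist across_services slide: one record covers 150.150.1.1:80 and :443."""
    persist = SourceAddressPersistence("255.255.255.255", across_services=True)
    pick = round_robin()
    http = persist.select("205.229.151.10", "150.150.1.1:80", POOL_A, pick, now=0)
    https = persist.select("205.229.151.10", "150.150.1.1:443", POOL_B, pick, now=1)
    return http, https


if __name__ == "__main__":
    print("netmask /24 ->", netmask_demo())
    print("across_services ->", across_services_demo())
```

A coarse netmask trades precision for fewer records: every client behind one NAT address, or in one /24, lands on the same server, which is worth keeping in mind when sizing pools.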

Cookie Persistence

• Insert mode
– BIG-IP Inserts a cookie into the stream
• Rewrite mode
– Web server creates cookie and BIG-IP
Controller changes it
• Passive mode
– Web server creates cookie and BIG-IP
Controller Reads it
• Hash mode
– Maps a cookie value to a specific node
– Web server must generate a cookie

How do Cookies work?

(Diagram: GET / is answered with a cookie carrying a Domain Name, URI Path and Expire time; the later GET /xxxx carries Cookie: xxx=xxx, sent back according to that Domain Name, URI Path and Expire time.)

Cookie Insert Mode

(Diagram: on the first GET / the BIG-IP picks a server and inserts a cookie, with Domain Name, URI Path and Expire time, into the reply; the next GET /xxxx carries Cookie: xxx=xxx, and the cookie specifies the server.)

Cookie Insert Mode

First Hit
Client and BIG-IP: TCP handshake
Client to BIG-IP: HTTP request (no special cookie)
BIG-IP picks server
BIG-IP and Server: TCP handshake
BIG-IP to Server: HTTP request (no special cookie)
Server to BIG-IP: HTTP reply (no special cookie)
BIG-IP to Client: HTTP reply (with inserted cookie)

Second Hit
Client and BIG-IP: TCP handshake
Client to BIG-IP: HTTP request (with same cookie)
Cookie specifies server
BIG-IP and Server: TCP handshake
BIG-IP to Server: HTTP request (with same cookie)
Server to BIG-IP: HTTP reply (no special cookie)
BIG-IP to Client: HTTP reply (updated cookie)

Session Cookie
• Cookie is saved in memory
• Closing the browser clears the cookie
• A new browser session triggers load balancing again

Cookie Hash Mode

First Hit
Client and BIG-IP: TCP handshake
Client to BIG-IP: HTTP request (no special cookie)
BIG-IP picks server
BIG-IP and Server: TCP handshake
BIG-IP to Server: HTTP request (no special cookie)
Server to BIG-IP: HTTP reply (with cookie)
BIG-IP to Client: HTTP reply (with cookie)

Second Hit
Client and BIG-IP: TCP handshake
Client to BIG-IP: HTTP request (with same cookie)
Cookie hash specifies server
BIG-IP and Server: TCP handshake
BIG-IP to Server: HTTP request (with same cookie)
Server to BIG-IP: HTTP reply (with cookie)
BIG-IP to Client: HTTP reply (with cookie)

Third Hit
Client and BIG-IP: TCP handshake
Client to BIG-IP: HTTP request (with same cookie)
Cookie hash specifies server
BIG-IP and Server: TCP handshake
BIG-IP to Server: HTTP request (with same cookie)
Server to BIG-IP: HTTP reply (with cookie)
BIG-IP to Client: HTTP reply (with cookie)

Configuring Cookie Persistence


• Cookie Persist requires http profile
• Then set Cookie Persist profile

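The Insert and Hash modes from the cookie persistence slides differ in who creates the cookie and what the BIG-IP does with it. The code below is an added example written for this page, not F5's code and not the product's cookie format: in insert mode the load balancer sets its own cookie naming the chosen member (here a member index with an HMAC tag, an assumption for the example, so a client cannot edit the cookie to steer itself to a member of its choosing), and in hash mode the web server must set the cookie and the load balancer maps a hash of its value to the member that served the reply. The cookie name BIGipServerPoolA, the JSESSIONID cookie, the secret and the member addresses are constructed.

```python
import hashlib
import hmac
from itertools import cycle


def round_robin(members):
    it = cycle(members)
    return lambda: next(it)


class CookieInsert:
    """Insert mode: the load balancer inserts its own cookie into the reply."""

    NAME = "BIGipServerPoolA"   # illustrative cookie name (assumption)

    def __init__(self, members, secret):
        self.members = list(members)
        self._secret = secret
        self._pick = round_robin(self.members)

    def _value(self, idx):
        """Member index plus an HMAC tag over it (example encoding, not F5's)."""
        tag = hmac.new(self._secret, str(idx).encode(), hashlib.sha256).hexdigest()[:16]
        return f"{idx}.{tag}"

    def member_for(self, cookies):
        """Return (member, cookie to set or None) for one request."""
        value = cookies.get(self.NAME, "")
        idx = value.split(".", 1)[0]
        if idx.isdigit() and int(idx) < len(self.members) \
                and hmac.compare_digest(self._value(int(idx)), value):
            return self.members[int(idx)], None        # cookie specifies server
        member = self._pick()                          # first hit, or a bad cookie
        return member, {self.NAME: self._value(self.members.index(member))}


class CookieHash:
    """Hash mode: the web server generates the cookie; the load balancer maps a
    hash of its value to the member that answered and reuses that mapping."""

    def __init__(self, members, cookie_name):
        self.members = list(members)
        self.cookie_name = cookie_name
        self._pick = round_robin(self.members)
        self._table = {}                               # hash(value) -> member

    @staticmethod
    def _hash(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def member_for(self, cookies):
        value = cookies.get(self.cookie_name)
        if value is not None and self._hash(value) in self._table:
            return self._table[self._hash(value)]      # cookie hash specifies server
        return self._pick()

    def learn(self, member, set_cookie):
        """Record the mapping when the server's reply carries the cookie."""
        value = set_cookie.get(self.cookie_name)
        if value is not None:
            self._table[self._hash(value)] = member


MEMBERS = ["172.16.20.1:80", "172.16.20.2:80"]   # constructed pool


def insert_demo():
    lb = CookieInsert(MEMBERS, b"constructed-secret")
    first, cookie = lb.member_for({})                            # first hit: no cookie
    second, _ = lb.member_for(cookie)                            # second hit: same cookie
    forged, _ = lb.member_for({lb.NAME: "1.0000000000000000"})   # bad tag: re-balanced
    return first, second, forged


def hash_demo():
    lb = CookieHash(MEMBERS, "JSESSIONID")
    first = lb.member_for({})                          # first hit: load balanced
    lb.learn(first, {"JSESSIONID": "abc123"})          # server's reply set the cookie
    other = lb.member_for({})                          # a different client, no cookie
    second = lb.member_for({"JSESSIONID": "abc123"})   # hash specifies server
    third = lb.member_for({"JSESSIONID": "abc123"})
    return first, other, second, third


if __name__ == "__main__":
    print("insert mode (first, second, forged) ->", insert_demo())
    print("hash mode (first, other client, second, third) ->", hash_demo())
```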

SSL Acceleration

(Diagram: traffic is Encrypted on the client side of the BIG-IP and Decrypted on the server side.)

SSL Concepts

(Diagram: an Encrypted Network Packet.)

• Encrypted at each end
• Certificates & Keys
• SSL Accelerator Cards
– Processing work of encryption / decryption done by card
– Takes load off Server

SSL Termination

Encrypted

Decrypted


SSL Termination

Advantages
• SSL key exchange done by hardware
• SSL bulk encryption done by hardware
• Centralize certificate management
• Offload SSL traffic from Web Servers
• Allows rule processing & cookie persistence

Traffic Flow through BIG-IP

1. Client sends Encrypted packet
2. BIG-IP takes packet off the Internet Network and Decrypts it
3. VS load balances to Nodes
4. Response packet is Re-encrypted before the external Network
Server SSL

(Diagram: Encrypted from the client, Decrypted inside BIG-IP, Encrypted again towards the server.)

Generate Certificate


Create SSL Profile

Point VS to Profile

