© F5 Networks
Agenda
• Introduction
• TCP overview
• Start Up
• Basic Concept
• Monitoring
• Profile
• Session Persistence
• SSL Acceleration
• HTTP Compression
The Leader in Application Delivery Networking
(diagram: users at home, in the office and on the road reaching applications such as SAP, Microsoft and Oracle over PC LAN, WLAN and remote WAN; web servers, application servers and Windows file storage sit behind F5 GTM, LTM, Link Controller (LC) and ARX, all built on TMOS and controlled through iControl)
F5 Product Family
• Traffic Management
– Optimize application traffic within the data centre: BIG-IP Local Traffic Manager (LTM)
– Manage inbound and outbound traffic across multiple ISP/WAN links: BIG-IP Link Controller (LC)
– High availability for applications and shared services between data centres across the WAN: BIG-IP Global Traffic Manager (GTM)
• Acceleration
– Accelerates HTTP traffic by up to 200% to 500%: BIG-IP WebAccelerator
• Security
– Application firewall: BIG-IP Application Security Manager (ASM)
BIG-IP Hardware Line-up
(chart: the four platforms plotted by price against function/performance, lowest to highest)

BIG-IP 1600
– Dual core CPU
– 4 x 10/100/1000 + 2 x 1 GB SFP
– 1 x 160 GB HD
– 4 GB memory
– SSL @ 5K TPS / 1 Gb bulk
– 1 Gbps max software compression
– 1 Gbps traffic
– 1 Basic Product Module

BIG-IP 3600
– Dual core CPU
– 8 x 10/100/1000 + 2 x 1 GB SFP
– 1 x 160 GB HD + 8 GB CF
– 4 GB memory
– SSL @ 10K TPS / 2 Gb bulk
– 1 Gbps max software compression
– 2 Gbps traffic
– 1 Advanced Product Module

BIG-IP 6900
– 2 x Dual core CPU
– 16 x 10/100/1000 + 8 x 1 GB SFP
– 2 x 320 GB HD (S/W RAID) + 8 GB CF
– 8 GB memory
– SSL @ 25K TPS / 4 Gb bulk
– 5 Gbps max hardware compression
– 6 Gbps traffic
– Multiple Product Modules

BIG-IP 8900
– 2 x Quad core CPU
– 16 x 10/100/1000 + 8 x 1 GB SFP
– 2 x 320 GB HD (S/W RAID) + 8 GB CF
– 16 GB memory
– SSL @ 58K TPS / 9.6 Gb bulk
– 6 Gbps max hardware compression
– 12 Gbps traffic
– Multiple Product Modules
On-Demand & Dynamic Application Security
BIG-IP Local Traffic Manager + BIG-IP Application Security Manager
Leading Value
• World’s first on-demand scaling Web Application Firewall
• Advanced security
• Integrated security performance
• Application insight/visibility
(diagram: Client – BIG-IP LTM + ASM – Server)
Multi-Level Redundancy
• Blade failure will not cause chassis failure
• Redundant and hot swappable components
Always Available
On Demand – Zero Reconfiguration
(diagram: virtual machines and physical servers added behind the BIG-IP)
TCP Overview
• PuTTY, FileZilla
• Wireshark/tcpdump
• HttpWatch, IE
Quick start
• Power On
• License
• Basic preparation
First Power ON
Two methods
1. Web Interface
• https (remote)
2. Command Line
• ssh (remote)
• Serial Terminal
License activation (the BIG-IP management network usually has no Internet access, so the license is fetched from a PC that does):
1. Generate the Product Dossier on the BIG-IP and copy it to the PC
2. On the PC, open https://activate.F5.com and paste the Product Dossier
3. Download the License file to the PC
4. Move the PC back to the management network
5. Upload & install the License file on the BIG-IP
6. Run the Setup utility
Setup Utility
https://<Management IP Address>
Configuration Worksheet
• VLAN
• Trunk Port
• Spanning Tree
• Self-IP
Spanning Tree
On networks that contain redundant paths between layer 2 devices, a common problem is bridging
loops. Bridging loops occur because layer 2 devices do not create boundaries for broadcasts or
packet floods. Consequently, layer 2 devices can use redundant paths to forward the same frames
to each other continuously, eventually causing the network to fail.
Spanning tree protocols block redundant paths on a network, thus preventing bridging loops.
• Supported standards
– STP (IEEE 802.1D-1998)
– RSTP (IEEE 802.1w, 802.1t, 802.1D-2004)
– MSTP (IEEE 802.1s)
Trunk Port
• Aggregates up to 8 links
• IEEE 802.3ad standard, LACP
Self-IP
A self IP address is an IP address that you associate with a VLAN, to access hosts in that VLAN. By
virtue of its netmask, a self IP address represents an address space, that is, a range of IP addresses
spanning the hosts in the VLAN, rather than a single host address. You can associate self IP
addresses not only with VLANs, but also with VLAN groups.
Major purposes
• Default gateway for the servers in that VLAN
• IP interface used to send traffic to hosts on the local subnet
• Can also accept administrative access (HTTPS and SSH) in the same way as the management interface; which services a self IP accepts is governed by its Port Lockdown setting, so on untrusted VLANs keep it at Allow None or Allow Default rather than Allow All
Two types
• Static: an IP address owned by one unit.
• Floating: an IP address shared by a redundant pair and active only on the Active unit; servers should use the floating address as their gateway so that it follows a failover.
Basic Concept
(diagram: Internet clients → Router → BIG-IP Controller → Servers)
• Nodes refer to the IP address only; pool members are IP address : port
(diagram: nodes 172.16.20.1, 172.16.20.2, 172.16.20.3 and 172.16.20.4; pool members 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080)
Virtual Server
(diagram: one virtual server in front of pool members 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080)
Network Address Translation
BIG-IP performs network address translation to the real server addresses such that all machines are viewed as one Virtual Server.
(diagram: Internet clients reach the virtual server; real server addresses 172.16.20.1:80, 172.16.20.2:4002, 172.16.20.3:80 and 172.16.20.4:8080)
Packet # 1
Client → BIG-IP (Internet side): Src 207.17.117.20:4003, Dest 216.34.94.17:80
BIG-IP → pool member: Src 207.17.117.20:4003, Dest 172.16.20.1:80
Packet # 1 - return
Pool member → BIG-IP: Src 172.16.20.1:80, Dest 207.17.117.20:4003
BIG-IP translates the Src address back to the Virtual Server address 216.34.94.17:80
BIG-IP → client (Internet side): Src 216.34.94.17:80, Dest 207.17.117.20:4003
Packet # 2
Client → BIG-IP (Internet side): Src 207.17.117.21:4003, Dest 216.34.94.17:80
BIG-IP → pool member: Src 207.17.117.21:4003, Dest 172.16.20.2:4002
Packet # 2 - return
Pool member → BIG-IP: Src 172.16.20.2:4002, Dest 207.17.117.21:4003
BIG-IP → client (Internet side): Src 216.34.94.17:80, Dest 207.17.117.21:4003
Packet # 3
Client → BIG-IP (Internet side): Src 207.17.117.25:4003, Dest 216.34.94.17:80
BIG-IP → pool member: Src 207.17.117.25:4003, Dest 172.16.20.4:8080
Packet # 3 - return
Pool member → BIG-IP: Src 172.16.20.4:8080, Dest 207.17.117.25:4003
BIG-IP → client (Internet side): Src 216.34.94.17:80, Dest 207.17.117.25:4003
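The address translation shown for packets 1 to 3, as an added Python example that is not F5 code: a virtual server keeps a connection table, rewrites the destination of client packets to a pool member and the source of return packets back to the virtual server address, and drops return packets that match no entry. Two assumptions: member selection is plain round robin over the listed members (the slides do not state the method, so the third client lands on 172.16.20.3:80 here rather than 172.16.20.4:8080), and the table is keyed on the client socket only, a simplification of the real flow table.

```python
from dataclasses import dataclass, field
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    """A packet reduced to its socket pair, written as 'ip:port' strings."""
    src: str
    dst: str


@dataclass
class VirtualServer:
    address: str                               # virtual server ip:port clients connect to
    members: list                              # pool members, each 'ip:port'
    conns: dict = field(default_factory=dict)  # client socket -> chosen member

    def __post_init__(self):
        # assumption: plain round robin; the slides do not state the method
        self._rr = cycle(self.members)

    def client_to_server(self, pkt: Packet) -> Packet:
        """Inbound: destination NAT from the virtual server to a pool member."""
        if pkt.dst != self.address:
            raise ValueError(f"{pkt.dst} is not this virtual server")
        member = self.conns.get(pkt.src)
        if member is None:                     # new connection: pick a member, remember it
            member = next(self._rr)
            self.conns[pkt.src] = member
        return Packet(src=pkt.src, dst=member)

    def server_to_client(self, pkt: Packet) -> Packet:
        """Return path: source NAT from the pool member back to the virtual server.
        Only packets matching an existing connection-table entry are forwarded, so a
        server cannot reach a client that never connected through this virtual server."""
        if self.conns.get(pkt.dst) != pkt.src:
            raise ValueError(f"no connection entry for {pkt.src} -> {pkt.dst}; dropped")
        return Packet(src=self.address, dst=pkt.dst)


def demo():
    """Replays the three client connections of the slides (constructed addresses)."""
    vs = VirtualServer("216.34.94.17:80",
                       ["172.16.20.1:80", "172.16.20.2:4002",
                        "172.16.20.3:80", "172.16.20.4:8080"])
    trace = []
    for client in ("207.17.117.20:4003", "207.17.117.21:4003", "207.17.117.25:4003"):
        fwd = vs.client_to_server(Packet(client, vs.address))
        ret = vs.server_to_client(Packet(fwd.dst, client))
        trace.append((fwd, ret))
    return trace


if __name__ == "__main__":
    for fwd, ret in demo():
        print(f"in : {fwd.src} -> {fwd.dst}    back: {ret.src} -> {ret.dst}")
```

The check in server_to_client is the security-relevant part: the translation is stateful, so only traffic belonging to a connection the BIG-IP itself opened to a member is ever forwarded back with the virtual server's address.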
(diagram: Virtual Server → Pool → Nodes)
Configuring Pools
Statistics
• Summary
• Virtual Servers
• Pools
• Nodes
Load Balancing
Round Robin
(diagram: Internet clients → Router → BIG-IP → four servers; requests 1, 2, 3, 4 go to servers 1 to 4 in turn, then requests 5, 6, 7, 8 start the cycle again)
Ratio
(diagram: four servers with ratio 3:2:1:1; server 1 receives requests 1, 5, 7, 8, 12, 14, server 2 receives 2, 6, 9, 13, server 3 receives 3, 10 and server 4 receives 4, 11)
Fastest
Next requests go to the node with the fastest response time.
(diagram: Internet clients → Router → BIG-IP Controller → three servers, requests 1 to 6)
Least Connections
Each new request goes to the node that currently has the fewest connections.
(diagram: three servers receiving requests 1 to 6; some time later the number of connections has changed and the BIG-IP Controller distributes the next requests accordingly)
Priority Group Activation
If you set Priority Group Activation to 2, and 3 of the highest priority nodes are available, then lower priority nodes will not be used.
(diagrams: six, then eight servers split into a Priority 2 group and a Priority 1 group behind the BIG-IP Controller)
Least Connections (member) vs. (node)
If the http pool uses the Least Connections (member) load balancing method, the decision uses the current connections to each pool member (IP : port) within this pool only.
If it uses Least Connections (node), the decision uses the current connections to each node (IP address) across every pool and virtual server that node belongs to, so a node that is busy serving another pool is avoided even if its member in this pool is idle.
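The load balancing methods of the preceding slides, as an added Python example that is not F5 code: a pool that selects a member by Round Robin, Ratio (reproducing the 3:2:1:1 request sequence of the Ratio slide), Least Connections (member) or Least Connections (node), after Priority Group Activation has narrowed the candidates. Node-level connection counts are passed in separately because a node's connections span every pool it belongs to; the member addresses, ratios and counts are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Member:
    address: str            # "ip:port"
    ratio: int = 1
    priority: int = 0       # higher number = higher priority group
    up: bool = True
    connections: int = 0    # current connections to this member in this pool

    @property
    def node(self) -> str:
        return self.address.split(":")[0]


class Pool:
    METHODS = ("round_robin", "ratio", "least_connections_member", "least_connections_node")

    def __init__(self, members, method="round_robin", min_active=0, node_connections=None):
        assert method in self.METHODS
        self.members = members
        self.method = method
        self.min_active = min_active             # Priority Group Activation; 0 = disabled
        # node ip -> connections to that node across all pools (constructed input)
        self.node_connections = dict(node_connections or {})
        self._rr = 0
        self._credit = {}                        # remaining ratio turns in this cycle

    def available(self):
        """Up members, narrowed by Priority Group Activation: start with the highest
        priority group and add lower groups only while fewer than min_active remain."""
        up = [m for m in self.members if m.up]
        if not self.min_active:
            return up
        chosen = []
        for prio in sorted({m.priority for m in up}, reverse=True):
            chosen += [m for m in up if m.priority == prio]
            if len(chosen) >= self.min_active:
                break
        return chosen

    def _round_robin(self, cands):
        m = cands[self._rr % len(cands)]
        self._rr += 1
        return m

    def _ratio(self, cands):
        # Each cycle every member gets `ratio` turns, taken in round-robin order; for
        # ratios 3:2:1:1 this yields 1,5,7 / 2,6 / 3 / 4 per cycle as on the Ratio slide.
        if all(self._credit.get(m.address, 0) == 0 for m in cands):
            self._credit = {m.address: m.ratio for m in cands}
            self._rr = 0
        n = len(cands)
        for i in range(n):
            m = cands[(self._rr + i) % n]
            if self._credit.get(m.address, 0) > 0:
                self._credit[m.address] -= 1
                self._rr = (self._rr + i + 1) % n
                return m

    def select(self):
        """Picks a member with the configured method and records the new connection."""
        cands = self.available()
        if not cands:
            raise RuntimeError("no available pool members")
        if self.method == "round_robin":
            m = self._round_robin(cands)
        elif self.method == "ratio":
            m = self._ratio(cands)
        elif self.method == "least_connections_member":
            m = min(cands, key=lambda x: x.connections)                         # this pool only
        else:
            m = min(cands, key=lambda x: self.node_connections.get(x.node, 0))  # all pools
        m.connections += 1
        self.node_connections[m.node] = self.node_connections.get(m.node, 0) + 1
        return m


if __name__ == "__main__":
    ratio_pool = Pool([Member("10.1.1.1:80", ratio=3), Member("10.1.1.2:80", ratio=2),
                       Member("10.1.1.3:80"), Member("10.1.1.4:80")], method="ratio")
    print("ratio sequence:", [ratio_pool.select().address for _ in range(14)])
```

A practical point the member/node distinction makes visible: with least_connections_node the constructed node counts dominate, so a member that is idle in this pool but whose node is saturated by another pool is skipped.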
Health Monitor
• Monitor Concepts
• Configuring Monitors
• Assigning Monitors
• Monitor Dependence
Monitor Concepts
• Address Check
– Node – IP Address
• Service Check
– Pool and/or Members – IP : port
• Content Check
– IP : port plus check data returned
• Interactive Check
Address Check
Steps
– Packets (ICMP echo request) are sent to the IP address
– If no ICMP echo reply is received, then no traffic is sent to the associated Node
– Example - ICMP
(diagram: nodes 172.16.20.1, 172.16.20.2 and 172.16.20.3)
Service Check
Steps
– Opens a TCP connection to IP Address : service
– Connection closed
– If the TCP connection fails, then no traffic is sent to the associated Nodes
– Example – TCP
(diagram: pool members 172.16.20.1:80, 172.16.20.2:80 and 172.16.20.3:80)
Content Check
Steps
– Opens a TCP connection to IP Address : service
– Sends a request, e.g. http GET /
– Response returns data
– Connection closed
– If the Receive Rule string is not found in the data, then no traffic is sent to the associated Nodes
– Example – http
(diagram: pool members 172.16.20.1:80, 172.16.20.2:80 and 172.16.20.3:80)
(diagram: TCP SYN, ACK and FIN exchange of a TCP service check)
Interactive Check
Steps
– Opens a TCP connection to IP Address : service
– Interactive conversation to simulate a real-world conversation
– Connection closed
– If the expected results do not occur, then no traffic is sent to the associated Nodes
– Example – FTP, SQL request
(diagram: pool members 172.16.20.1:21, 172.16.20.2:21 and 172.16.20.3:21)
Configuring Monitors
• Create or select Monitor
– System supplied templates
– User defined from template
• Assign Monitor
– Single Node – IP Address
– All Nodes
– Pool - IP : port
– Pool Member - IP : port
– Define to check different IP : port
Creating Monitors
• Receive Rule
– If the content is found, the Node is marked Up
• Reverse Receive Rule
– If the content is found, the Node is marked Down (useful for matching an error page that is served with a normal TCP connection)
• Transparent
– If the path is available, the Node is marked Up
– Used for monitoring links: the probe is addressed to a destination beyond the node and passes through it
Monitor Timers
• Frequency (Interval): how often a probe is sent (5s in the diagram: Try 1 at 0s, Try 2 at 5s, Try 3 at 10s, Try 4 at 15s)
• Timeout: how long to wait for a response before the server is marked Down (16s in the diagram)
• Recommended – Timeout = 3n + 1, where n is the Interval; the +1 gives the third retry a chance to be answered before the timeout expires
(diagram: Response 1 received in under 16s → Server UP; Response 2 received at 22s, more than 16s after the last response → Server Down)
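The service check, the content check with its Receive Rule and Reverse Receive Rule, and the monitor timers of the preceding slides, as one added Python example that is not F5 code. tcp_check opens and closes a TCP connection to ip:port; http_check sends GET /, reads the response and applies the receive rule, with reverse=True turning a match into Down; first_down_time applies the interval/timeout rule to a list of reply times and probes_within_timeout shows why 3n + 1 is recommended. The backend is a constructed in-process HTTP server that answers 200 "Server OK" on / and 500 "Application Error" on every other path, so everything runs offline.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _Backend(BaseHTTPRequestHandler):
    """Constructed pool member: healthy on '/', broken application on any other path.
    The broken path still accepts TCP, so only a content check catches it."""

    def do_GET(self):
        if self.path == "/":
            status, body = 200, b"<html>Server OK</html>"
        else:
            status, body = 500, b"<html>Application Error: database unreachable</html>"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_backend():
    """Starts the constructed backend on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _Backend)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def tcp_check(host, port, timeout=2.0):
    """Service check: Up if a TCP connection to ip:port completes; closed immediately."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(host, port, send=b"GET / HTTP/1.0\r\n\r\n", recv=b"",
               reverse=False, timeout=2.0):
    """Content check: connect, send the request, read until the server closes, then
    apply the receive rule. Receive Rule found -> Up; Reverse Receive Rule found -> Down.
    With an empty receive string any response at all counts as Up, which is how an
    error page slips past a monitor that has no receive string."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(send)
            data = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return False
    if not data:
        return False
    if not recv:
        return True
    found = recv in data
    return (not found) if reverse else found


def first_down_time(reply_times, timeout=16, horizon=60):
    """Monitor timer rule: the member is marked Down `timeout` seconds after the last
    reply if no newer reply has arrived. Monitoring starts at t=0 and a reply that
    arrives after the Down event brings the member back Up. Returns the time of the
    first Down event, or None if the member stays Up until `horizon`."""
    last = 0
    for t in sorted(reply_times) + [horizon]:
        if t - last > timeout:
            return last + timeout
        last = t
    return None


def probes_within_timeout(interval, timeout):
    """Probes sent before the timeout expires: with timeout = 3*interval + 1 the original
    probe plus three retries fit, whereas 3*interval alone cuts the third retry off."""
    return len(range(0, timeout, interval))


if __name__ == "__main__":
    srv, port = start_backend()
    print("tcp_check:", tcp_check("127.0.0.1", port))
    print("GET /, recv 'Server OK':", http_check("127.0.0.1", port, recv=b"Server OK"))
    print("GET /app, recv 'Server OK':",
          http_check("127.0.0.1", port, send=b"GET /app HTTP/1.0\r\n\r\n", recv=b"Server OK"))
    print("GET /app, reverse 'Application Error':",
          http_check("127.0.0.1", port, send=b"GET /app HTTP/1.0\r\n\r\n",
                     recv=b"Application Error", reverse=True))
    srv.shutdown()
    srv.server_close()
    print("down at:", first_down_time([2, 22]), "probes in 16s:", probes_within_timeout(5, 16))
```

The point to take from the two /app calls is the one the slides make: the 500 page passes a plain service check and a content check without a receive string, and only the Receive Rule (or a Reverse Receive Rule on the error text) takes the member out of service.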
Application Dependence
Monitors can be layered so that a failure at one level removes everything that depends on it:
• Node: 172.16.20.1 Node OK, checked by 172.16.20.1:ICMP (address check)
• Virtual Service: SERVER POOL OK, checked by 172.16.20.1:80 and 172.16.20.1:443 (service checks on the same node)
• POOL members: 172.16.20.1:80, 172.16.20.2:80, 172.16.20.3:80
• Multi-tier application: 172.16.20.97:9000 and 172.16.20.98:9000 (second-tier servers the front-end pool depends on)
Profile
Profile Concepts
A Profile is:
• Single place to define traffic behavior
– SSL, compression, persistence…
• Apply behavior to multiple VS’s
• User defined built from template
• Dependent on other profiles
Profile Dependencies
Think in terms of the OSI model: application-layer profiles (HTTP, Cookie persistence, others) sit on top of a transport profile (TCP or UDP), which sits above the Network, Data Link and Physical layers. Some profiles can’t be combined in one VS, and some require another: an HTTP profile needs TCP, and Cookie persistence needs an HTTP profile.
Profile Types
Configuring Profiles
Specify the profile properties, then map the profile to a Virtual Server.
Persistence
(diagram: clients 1, 2 and 3 each return to the same server 1, 2 and 3 on subsequent connections)
Source address persistence with a netmask
Clients 205.229.151.107 and 205.229.152.11: if the persistence netmask is 255.255.255.0 they fall into different networks (205.229.151.0 and 205.229.152.0) and get separate persistence records; with a 255.255.0.0 mask they would share one record and be sent to the same server.
(diagram: clients 1, 2 and 3 mapped to servers 1, 2 and 3)
persist across_services
Configuration:
Virtual Server 150.150.1.1:80 → PoolA
PoolA: 10.1.1.1:80 & 10.1.1.2:80
Virtual Server 150.150.1.1:443 → PoolB
PoolB: 10.1.1.1:443 & 10.1.1.2:443
With persist across services, a client persisted to 10.1.1.2 on the :80 virtual server is also sent to 10.1.1.2 when it connects to the :443 virtual server on the same address.
(diagram: clients 1 and 2 reaching 150.150.1.1 and landing on the same node, 10.1.1.1 or 10.1.1.2, for both services)
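Source address persistence with a netmask and persist across services, as an added Python example that is not F5 code: a persistence table keyed on the client address masked with the persistence netmask and, when across_services is on, on the virtual server IP rather than IP:port, so the :443 lookup finds the node chosen on :80. The pick callable stands in for the load balancing method and the addresses are those of the slides.

```python
import ipaddress


class SourceAddressPersistence:
    """Source address (simple) persistence table.

    mask           : persistence netmask; clients in the same masked network share a record
    across_services: key the record on the virtual server IP only, so the client reaches
                     the same node on every service (port) of that virtual address
    """

    def __init__(self, mask="255.255.255.255", across_services=False):
        self.mask = mask
        self.across_services = across_services
        self.table = {}          # key -> member "ip:port" chosen for that key

    def key(self, client_ip, virtual_server):
        net = ipaddress.ip_network(f"{client_ip}/{self.mask}", strict=False)
        vs_key = virtual_server.split(":")[0] if self.across_services else virtual_server
        return (str(net.network_address), vs_key)

    def select(self, client_ip, virtual_server, pool, pick):
        """Returns the pool member for this client. `pick(pool)` is the load balancing
        method (assumption: any callable) and is consulted only when no record exists
        or the recorded node is no longer in the pool."""
        k = self.key(client_ip, virtual_server)
        record = self.table.get(k)
        if record is not None:
            node = record.split(":")[0]
            for m in pool:               # across services: match on node, not on port
                if m.split(":")[0] == node:
                    return m
        member = pick(pool)
        self.table[k] = member
        return member


def demo():
    """Replays the persist across_services slide (constructed addresses)."""
    pool_a = ["10.1.1.1:80", "10.1.1.2:80"]
    pool_b = ["10.1.1.1:443", "10.1.1.2:443"]
    p = SourceAddressPersistence(across_services=True)
    first = p.select("205.229.151.107", "150.150.1.1:80", pool_a, pick=lambda pool: pool[1])
    # the load balancer would now pick 10.1.1.1, but persistence keeps the client on 10.1.1.2
    second = p.select("205.229.151.107", "150.150.1.1:443", pool_b, pick=lambda pool: pool[0])
    return first, second


if __name__ == "__main__":
    print(demo())
```

Note what the mask does to balance and to isolation: a broad mask such as 255.255.0.0 sends every client in a /16 (for example everything behind a large NAT) to one member, so it should be as narrow as the deployment allows.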
Cookie Persistence
• Insert mode
– BIG-IP inserts its own cookie (BIGipServer<pool>) into the response stream; the web server needs no change
• Rewrite mode
– Web server creates a blank cookie and the BIG-IP Controller rewrites it with the member information
• Passive mode
– Web server creates the cookie with the member information and the BIG-IP Controller only reads it
• Hash mode
– Maps a hash of a cookie value to a specific node
– Web server must generate the cookie
All modes need an HTTP profile on the virtual server so that the BIG-IP can read and write the cookie; on an SSL virtual server this means client-side SSL termination first.
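Insert mode and Hash mode, as an added Python example that is not F5 code. encode_insert_cookie produces the default, unencrypted value format of the BIGipServer<pool> cookie (member IPv4 as a little-endian 32-bit decimal, port with its bytes swapped, then .0000), decode_insert_cookie reverses it, insert_mode routes a request on that cookie and falls back to load balancing when the cookie is missing, malformed or names a member outside the pool, and hash_mode maps a server-generated cookie value to a node. The hash function and the pick callable are assumptions for illustration, and the pool addresses are constructed.

```python
import hashlib
import ipaddress
import struct


def encode_insert_cookie(member_ip, port):
    """Value of the default, unencrypted BIGipServer<pool> cookie in Insert mode:
    member IPv4 as a little-endian 32-bit decimal, port with its two bytes swapped, '.0000'."""
    ip_le = struct.unpack("<I", ipaddress.IPv4Address(member_ip).packed)[0]
    port_sw = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_le}.{port_sw}.0000"


def decode_insert_cookie(value):
    """Inverse of encode_insert_cookie; anyone holding the cookie can do this, which is
    why the internal member address is exposed unless the cookie is encrypted."""
    ip_le, port_sw, _ = value.split(".")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(ip_le)))
    port = struct.unpack(">H", struct.pack("<H", int(port_sw)))[0]
    return str(ip), port


def insert_mode(cookies, pool_name, pool, pick):
    """Insert mode. cookies: dict of request cookies. Returns (member, set_cookie_header).
    A valid cookie naming a member of this pool wins; otherwise the load balancing method
    `pick` chooses and the BIG-IP adds the cookie to the response."""
    name = f"BIGipServer{pool_name}"
    if name in cookies:
        try:
            ip, port = decode_insert_cookie(cookies[name])
            member = f"{ip}:{port}"
            if member in pool:          # the cookie is client-controlled: never trust it blindly
                return member, None
        except (ValueError, struct.error):
            pass                        # malformed cookie: fall through to load balancing
    member = pick(pool)
    ip, port = member.split(":")
    return member, f"{name}={encode_insert_cookie(ip, int(port))}; path=/"


def hash_mode(cookie_value, pool):
    """Hash mode: the server-generated cookie value (e.g. a session id) is hashed and the
    hash selects the member, so no BIG-IP cookie is added. The hash used here is an
    assumption for illustration, not the one TMOS uses."""
    h = int.from_bytes(hashlib.sha256(cookie_value.encode()).digest()[:8], "big")
    return pool[h % len(pool)]


if __name__ == "__main__":
    pool = ["10.1.1.1:80", "10.1.1.2:80"]
    member, header = insert_mode({}, "PoolA", pool, pick=lambda p: p[1])
    print("first hit ->", member, "| Set-Cookie:", header)
    value = header.split(";")[0].split("=", 1)[1]
    print("decoded by the client:", decode_insert_cookie(value))
    print("second hit ->", insert_mode({"BIGipServerPoolA": value}, "PoolA", pool, pick=lambda p: p[0]))
```

Two practitioner notes follow from the code: the default cookie value reveals the backend IP and port to whoever reads it, so prefer the encrypted cookie option where it is available, and the pool-membership check in insert_mode is what stops a crafted cookie from steering a request to an arbitrary address.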
Cookie flow
First request GET /: the BIG-IP picks a server and the response carries the cookie (domain name, URI path, expire time).
Later requests GET /xxxx with Cookie: xxx=xxx: the cookie specifies the server, so no new load balancing decision is made.
Session Cookie
• Cookie saved in memory (no expire time)
• Closing the browser clears the cookie
• The next visit then triggers a new load balancing decision
(diagram: first, second and third hit, each a new TCP handshake)
SSL Acceleration
(diagram: encrypted traffic on the client side, decrypted traffic on the server side)
SSL Concepts
SSL Termination
(diagram: client ↔ BIG-IP encrypted, BIG-IP ↔ servers decrypted)
SSL Termination
Advantages
• SSL key exchange done by hardware
• SSL bulk encryption done by hardware (V9)
• Centralized certificate management
• Offloads SSL traffic from the Web Servers
• Allows rule processing & cookie persistence, since the BIG-IP sees the HTTP in clear
Caveat: after termination the BIG-IP-to-server leg is plaintext; use a Server SSL profile to re-encrypt it where the server network is not trusted.
Server SSL
(diagram: client ↔ BIG-IP encrypted, BIG-IP ↔ servers encrypted again with a Server SSL profile)
Generate Certificate
Point VS to Profile