Welcome to the BIG-IP® Controller Administrator Guide. This guide describes the advanced features included in the BIG-IP Controller. The Administrator guide also includes the software specifications for the BIG-IP Controller platform and reviews some sample configurations that can help you in planning your own configuration. This book is a part of a series of three guides:
The BIG-IP Controller is a network appliance that manages and balances traffic for networking equipment such as web servers, cache servers, routers, firewalls, and proxy servers. A variety of useful features meets the special needs of e-commerce sites, Internet service providers, and managers of large intranets. The system is highly configurable, and its web-based and command line configuration utilities allow for easy system setup and monitoring.
Adding a BIG-IP Controller to your network ensures that your network remains reliable. The BIG-IP Controller continually monitors the servers and other equipment it manages, and never attempts to send connections to servers that are down or too busy to handle the connection. The BIG-IP Controller uses a variety of methods to monitor equipment, from simple pings to more advanced methods, such as Extended Content Verification that verifies whether a server returns specific site content. The BIG-IP Controller also offers several layers of redundancy that ensure its own reliability.
The BIG-IP platform supports both TCP and UDP protocols, and also supports popular network services including:
The BIG-IP Controller supports administrative protocols, such as Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) (outbound only), for performance monitoring and notification of system events. The BIG-IP Controller's SNMP agent allows you to monitor status and current traffic flow using popular network management tools, including the Configuration utility. The SNMP agent provides useful data such as packets in and out per second, and current connections being handled for each virtual server. You may also want to take advantage of Telnet, FTP, and the F-Secure SSH client (distributed only in the US). The F-Secure SSH client provides a secure UNIX shell connection to the BIG-IP Controller from a remote workstation.
The BIG-IP Controller offers a variety of security features that protect both the controller itself and the network equipment that it manages. Each of the following features can help prevent potentially hostile attacks on your site or equipment.
In addition to these features, BIG-IP Controllers distributed in the US support encrypted administrative connections using F-Secure SSH for shell connections, and SSL protocol for connections to the web-based configuration utility.
The BIG-IP Controller is a highly scalable and versatile solution. You can actually configure a single BIG-IP Controller to manage thousands of virtual servers, though most common configurations are significantly smaller. The number of servers, firewalls, or routers that a single BIG-IP Controller can load balance is limited only by the capacity of your network media, such as Ethernet. The BIG-IP Controller supports a variety of media options, including Fast Ethernet, Gigabit Ethernet, and FDDI. The maximum number of concurrent connections that a BIG-IP Controller can manage is determined by the amount of RAM in your particular BIG-IP Controller hardware configuration.
The BIG-IP platform provides the following web-based and command line administrative tools that make for easy setup and configuration.
The First-Time Boot utility is a wizard that walks you through the initial system setup. The utility helps you quickly define basic system settings, such as a root password and the IP addresses for the interfaces that connect the BIG-IP Controller to the network. The First-Time Boot utility also helps you configure access to the BIG-IP web server, which hosts the web-based Configuration utility.
The Configuration utility is a web-based application that you use to configure and monitor the load balancing setup on the BIG-IP Controller. In the Configuration utility, you can configure virtual servers, define IP and rate filters, and also configure system objects including the SNMP agent and system settings. The Configuration utility allows you to monitor network traffic, current connections, and the operating system itself, and it also provides convenient access to downloads such as the SNMP MIB. The Configuration utility requires Netscape Navigator version 4.5 or later, or Microsoft Internet Explorer version 4.1 or later.
The BIG/pipe™ utility is the command line counterpart to the Configuration utility. Using BIG/pipe commands, you can configure virtual servers, open ports to network traffic, and configure a wide variety of features. To monitor the BIG-IP Controller, you can use certain BIG/pipe commands, or you can use the BIG/top™ utility, which provides real-time system monitoring. You can use the command line utilities directly on the BIG-IP Controller, or you can execute commands via a remote shell, such as the SSH client (US only), or a Telnet client.
The BIG-IP Controller offers many different load balancing modes, including static and dynamic modes. A load balancing mode defines, in part, the logic that a BIG-IP Controller uses to determine which server should receive a particular connection on a specific port.
Static load balancing is based on pre-defined user settings, and does not take current performance into account. The BIG-IP Controller supports three static load balancing modes:
Dynamic load balancing modes use current performance information from each node to determine which node should receive each new connection. The different dynamic load balancing modes incorporate different performance factors:
The BIG-IP platform supports easy configuration of IP packet filtering. IP packet filtering allows you to control both in-bound and out-bound network traffic. For example, you can specify a single IP address, or a range of IP addresses, from which your site either accepts or denies network traffic. You can also specify one or more IP addresses to which you specifically want to allow or prevent out-bound connections.
The BIG-IP platform also supports rate classes, which are an extension to IP filters. A rate class defines a maximum outgoing packet rate (bits per second) for connections that are destined for a specific IP address or from a range of IP addresses. You can use rate classes to help control the amount and flow of specific network traffic. For example, you can offer faster connection speeds for high priority connections, such as paying customers on an e-commerce site.
Some e-commerce and other dynamic content sites occasionally require returning users to go to the same server that hosted their last connection, rather than being load balanced to a random server. For example, if a customer reserves an airline ticket and holds it for 24 hours, the customer may need to return to a specific back-end server that stores the reservation information in order to purchase the ticket.
The BIG-IP Controller offers a variety of sophisticated persistence options that support this functionality. In addition to simple persistence and standard SSL persistence, the BIG-IP Controller supports cookie persistence. Cookie persistence is a unique implementation where the BIG-IP Controller stores persistence connection information in a cookie on the client, rather than in a table in its own memory. When the client returns and makes a persistence connection request, the BIG-IP Controller uses the information in the cookie to determine which back-end server should host the client connection.
The BIG-IP Controller supports other useful persistence options, including simple persistence for TCP and UDP (which bases connection information on source and destination IP address) and SSL persistence (which bases connection information on an SSL session ID).
The BIG-IP Controller platform offers three different systems, each of which can be stand-alone, or can run in redundant pairs:
Note: BIG-IP Controllers distributed outside of the United States to a select few countries, regardless of system type, do not support encrypted communications. They do not include the F-Secure SSH client, nor do they support SSL connections to the BIG-IP web server. Instead, you can use the standard Telnet, FTP, and HTTP protocols to connect to the unit and perform administrative functions.
In addition to this administrator guide, you can find technical documentation about the BIG-IP Controller in the following locations:
The BIG-IP Controller offers the following major new features in version 3.2, in addition to many smaller enhancements.
This version of the BIG-IP Controller is available as the Firewall Load Balancer (FLB). The FLB version of the BIG-IP Controller contains specific features for load balancing firewalls in your network. For more information, see Chapter 8, Using Firewall Load Balancing.
This version of the BIG-IP Controller provides a feature that allows you to use a RADIUS server on your network to authenticate users attempting to access the controller with SSH. This allows you to use the RADIUS server as a central repository of users that can access the BIG-IP Controller for administrative purposes. For more information, see Configuring RADIUS authentication, on page 2-33.
You can configure this version of the BIG-IP Controller to use new fastest server load balancing algorithms. The new algorithms use improved metrics to determine server response times in Fastest, Predictive, and Observed load balancing modes. For more information, see The BIG-IP Controller Reference Guide, BIG-IP System Control Variables.
With this version of the BIG-IP Controller, SNAT is turned off for forwarding virtual servers. This means that the default SNAT ignores a new connection with a destination that matches a forwarding virtual server. As a result, outbound connections use either a forwarding virtual server or the default SNAT, depending on the destination of the packet that initiates the connection. For more information, see The BIG-IP Controller Reference Guide, BIG-IP System Control Variables.
The LB and LB+ versions of the BIG-IP Controller now support SSH.
This version of the BIG-IP Controller contains SSH version 2.0.