Manual Chapter: BIG-IP version v9.0 Configuration Guide for Local Traffic Management: Introducing Local Traffic Management
1 Introducing Local Traffic Management


Understanding BIG-IP local traffic management

The BIG-IP® local traffic management (LTM) system is specifically designed to manage your local network traffic. Local traffic management refers to the process of managing network traffic that comes into or goes out of a local area network (LAN), including an intranet.

This configuration guide applies to the set of local traffic management products that are part of the BIG-IP® family of products.

A commonly-used feature of the LTM system is its ability to intercept and redirect incoming network traffic, for the purpose of intelligently tuning the load on network servers. However, tuning server load is not the only type of local traffic management. The LTM system includes a variety of features that perform functions such as inspecting and transforming header and content data, managing SSL certificate-based authentication, and compressing HTTP responses. In so doing, the LTM system not only directs traffic to the appropriate server resource, but also enhances network security and frees up server resources by performing tasks that web servers typically perform.

Summary of local traffic-management capabilities

When configured properly, the LTM system can perform a wide variety of traffic-management functions, such as:

  • Balancing traffic to tune and distribute server load on the network for scalability.
  • Off-loading standard server tasks, such as HTTP data compression, SSL authentication, and SSL encryption to improve server performance.
  • Monitoring the health and performance of servers on the network for availability.
  • Establishing and managing session and connection persistence.
  • Handling application-traffic authentication and authorization functions based on user name/password and SSL certificate credentials.
  • Managing packet throughput to optimize performance for specific types of connections.
  • Improving performance by aggregating multiple client requests into a server-side connection pool. This aggregation of client requests is part of the LTM system's OneConnect™ feature.
  • Applying configuration settings to customize the flow of application-specific traffic (such as HTTP and SSL traffic).
  • Customizing the management of specific connections according to user-written scripts based on the industry-standard Tool Command Language (Tcl).

While some of the functions on this list offer the basic ability to balance the load on your network servers, other functions on the list offer specialized abilities that are worth noting. These abilities include managing specific types of application traffic, optimizing server performance, and enhancing the security of your network. The following sections describe these specialized capabilities.

Managing specific types of application traffic

Applying configuration settings to customize the flow of application-specific traffic is a key feature of local traffic management. The LTM system can control many different kinds of traffic, each in a different way. You do this by establishing a policy for managing each type of network traffic. Examples of traffic types that the system can manage are: TCP, UDP, HTTP, FTP, SSL, Session Initiation Protocol (SIP), i-mode®, and Microsoft® Remote Desktop Protocol (MSRDP).

In addition to creating separate policies to systematically manage these different traffic types, you can also do the following:

  • Write iRules™ to assign certain behaviors to individual application-specific connections. iRules can search the content of a particular type of traffic, such as an HTTP request or response, and direct the traffic accordingly.
  • Insert header data into application-specific requests, such as HTTP requests, and then direct the request based on that header data.
  • Implement session persistence. Using the LTM system's powerful configuration tools, you can configure session persistence, based on data such as HTTP cookies, source IP addresses, destination IP addresses, and SSL session IDs.
  • Monitor the health or performance of servers in a pool. For example, the LTM system can monitor Lightweight Directory Access Protocol (LDAP) servers on a network, and if the system determines that a target LDAP server is non-functional, the LTM system can redirect the request to a different LDAP server.
  • Use the dynamic ratio load-balancing algorithm to assess the current load on a particular type of server, such as a Windows Management Infrastructure (WMI) server, and then redirect a request based on that assessment. The ability to monitor servers corresponding to specific types of applications is a key tool for maintaining optimal performance of your network.

Optimizing performance

The LTM system includes several features designed to optimize server performance. Such features either offload labor-intensive traffic management tasks, such as SSL certificate verification, or enable the pooling, reuse, and overall persistence of server-side connections.

Offloading server tasks

The tasks that the LTM system can offload from a network server are:

  • SSL certificate-based authentication, including the checking of certificate revocation status through OCSP
  • SSL encryption and decryption
  • SSL certificate-based authorization using remote LDAP servers
  • HTTP data compression
  • The rewriting of MSRDP connections

Optimizing TCP and HTTP connections

The LTM system manages TCP and HTTP connections in certain ways to optimize server performance. Primary network optimization features are: OneConnect™, HTTP pipelining, and rate shaping.

OneConnect

The OneConnect™ feature contains the following components:

  • Content Switching
    When an HTTP client sends multiple requests within a single connection, the LTM system is able to process each of those requests individually, sending those requests to different destination servers if necessary. This feature is enabled automatically and does not require configuration.
  • Connection Pooling
    With this feature, the LTM system combines server-side connections that are not in use, so that other clients can use them. This can significantly reduce the number of servers required to process client requests. By default, this feature is disabled, but can be easily enabled using a OneConnect profile.
  • OneConnect transformation
    Sometimes, for HTTP/1.0 requests, you might want to add Keep-Alive support to HTTP Connection headers, to ensure that server-side connections remain open. This manipulation of HTTP Connection headers is a feature known as OneConnect transformation. This feature works best when used in conjunction with connection pooling.
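
As an added illustration of the OneConnect transformation described above (a constructed model written for this page, not F5 code; the function names and the sample requests are assumptions), the following rewrites the Connection header of an HTTP/1.0 request so that the server-side connection stays open, while leaving HTTP/1.1 requests untouched:

```python
from typing import List, Optional, Tuple

# Constructed sample requests (not captured traffic); example.com is reserved.
REQ_10_CLOSE = (b"GET /index.html HTTP/1.0\r\n"
                b"Host: www.example.com\r\n"
                b"Connection: close\r\n\r\n")
REQ_10_NONE = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
REQ_10_POST = (b"POST /login HTTP/1.0\r\n"
               b"Host: www.example.com\r\n"
               b"Content-Length: 3\r\n\r\n"
               b"a=1")
REQ_11 = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def parse_request(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Split a raw request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def oneconnect_transform(raw: bytes) -> bytes:
    """Return the request as it would be forwarded to the pool member.

    HTTP/1.0 requests get 'Connection: Keep-Alive', replacing any existing
    Connection header (for example 'close') so the server-side connection can
    be returned to the pool.  HTTP/1.1 connections are persistent by default,
    so those requests pass through unchanged.  The body is preserved as is.
    """
    request_line, headers, body = parse_request(raw)
    version = request_line.rsplit(b" ", 1)[-1]
    if version != b"HTTP/1.0":
        return raw
    kept = [(n, v) for n, v in headers if n.lower() != b"connection"]
    kept.append((b"Connection", b"Keep-Alive"))
    head = b"\r\n".join([request_line] + [n + b": " + v for n, v in kept])
    return head + b"\r\n\r\n" + body


def connection_header(raw: bytes) -> Optional[bytes]:
    """Value of the Connection header (case-insensitive name), or None."""
    _, headers, _ = parse_request(raw)
    for name, value in headers:
        if name.lower() == b"connection":
            return value
    return None
```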

For more information on OneConnect™, see Chapter 5, Understanding Profiles, and Chapter 6, Managing HTTP and FTP Traffic.

HTTP pipelining

In addition to the OneConnect™ feature, the LTM system has the ability to process pipelined requests. This means that the LTM system can process a client request even if the previous request has not yet received a response. Pipelining is an optimization feature available for HTTP/1.1 requests only.

For more information on HTTP pipelining, see Chapter 6, Managing HTTP and FTP Traffic.

Rate shaping

Rate shaping is a feature that allows you to categorize certain types of connections into rate classes, for the purpose of customizing the throughput of those connections. This is useful, for example, when you want to optimize web-server performance for preferred Internet customers.

TCP optimizations

The LTM system includes significant TCP optimizations, such as in-order delivery and content spooling.

Enhancing network security

Security is an important consideration in managing local network traffic. Accordingly, the LTM system contains a number of features designed to assist in preventing security breaches. These features pertain not only to authenticating and authorizing users and applications, but also to detecting intrusions and mitigating DoS attacks.

In general, when the LTM system detects a security problem, it can take actions such as:

  • Reject a client request based on SSL certificate verification
  • Reject and discard unauthorized packets
  • Alert system administrators to an attack or infiltration attempt
  • Direct suspicious traffic to specific target servers
  • Log authentication failures
  • Prevent SYN flooding

An important consideration for any networked environment is the authentication and authorization mechanism that you use to authenticate users and their client requests and to control user and application access to server resources. To this end, the LTM system supports Pluggable Authentication Module (PAM) technology, and provides a complete set of PAM authentication modules that you can choose from to handle your authentication or authorization needs.

The authentication modules that the LTM system provides are as follows:

  • An LDAP module
    Uses a remote LDAP server to perform user name/password user authentication.
  • A RADIUS module
    Uses a Remote Authentication Dial In User Service (RADIUS) server to perform user name/password user authentication.
  • A TACACS+ module
    Uses a remote Terminal Access Controller Access Control System (TACACS+) server to perform user name/password user authentication.
  • An SSL Client Certificate LDAP module
    Uses a remote LDAP server to perform SSL certificate-based authorization of client SSL traffic.
  • An OCSP module
    Uses a remote Online Certificate Status Protocol (OCSP) server to provide up-to-date SSL certificate revocation status for the purpose of authenticating client and server SSL traffic.

Overview of local traffic management configuration

Once you have set up your base network, have administrative access to the LTM system, and have at least a default VLAN assignment for each interface, the next step is to configure a network for managing traffic targeted to your internal servers.

At the heart of the LTM system are virtual servers and load balancing pools. Virtual servers receive incoming traffic, perform basic source IP and destination IP address translation, and direct traffic to servers, which are grouped together in load balancing pools.

To configure a basic local traffic management system, you use the Configuration utility. With this utility, you can create a complete set of configuration objects that work together to perform local traffic management. Each object has a set of configuration settings that you can use as is or change to suit your needs. These objects are:

  • Virtual servers
    Virtual servers receive requests and distribute them to pool members.
  • Load balancing pools
    Load balancing pools contain servers to which requests can be sent for processing.
  • Nodes
    Nodes represent server IP addresses on your network that you can enable and disable, and for which you can obtain status.
  • Profiles
    Profiles contain settings that define the behavior of various traffic types.
  • Monitors
    Monitors track the current health or performance of pool members.
  • iRules
    iRules can define criteria for pool-member selection, as well as perform content transformations, logging, custom protocol support, and so on.
  • Rate Shaping
    Rate shaping controls bandwidth consumption.
  • SSL Certificates
    The SSL Certificates object allows you to generate SSL certificate requests and install SSL certificates on the LTM system, for the purpose of terminating and initiating SSL connections.
  • SNATs
    Secure Network Address Translations (SNATs) translate the source IP address in a client request, allowing multiple hosts to share the same address.
  • Statistics
    Statistics show metrics related to various types of connections.

When you create configuration objects, you can choose to perform either basic or advanced configuration:

  • Basic
    You choose a basic configuration when you want to primarily use the default values for your object settings. When you choose a basic configuration, the Configuration utility displays only those few settings that you would most likely need to modify. The other settings remain hidden and retain their default values. Choosing a basic configuration is an easy way to create configuration objects.
  • Advanced
    You choose an advanced configuration when you want to modify many of the values for your object settings. When you choose an advanced configuration, the Configuration utility displays all of the object's settings and allows you to modify any of them.

The three most important objects in the LTM system that you must configure for local traffic management are:

  • Virtual servers
  • Load balancing pools
  • Profiles

Configuring virtual servers

When you create a virtual server, you specify the type of virtual server you want, that is, a host virtual server or a network virtual server. Then you can attach various properties and resources to it, such as application-specific profiles, session persistence, and user-written scripts called iRules that define pool-selection criteria. All of these properties and resources, when associated with a virtual server, determine how the LTM system manages local traffic.

When you create and configure a virtual server, you use the part of the Configuration utility screen shown in Figure 1.1.

Figure 1.1 The Configuration utility screen for creating a virtual server

For more information on virtual servers, see Chapter 2, Configuring Virtual Servers.

Configuring load balancing pools

A load balancing pool is a collection of internal servers that you group together to service client requests. A server in a pool is referred to as a pool member. Using the default load balancing algorithm, known as Round Robin, the LTM system sends a client request to a member of that pool.

To implement a load balancing pool, you first create the pool, and then you associate the pool name with an existing virtual server. A virtual server sends client requests to the pool or pools that are associated with it. The virtual server screen shown in Figure 1.1 includes a setting, Default Pool, for specifying a pool name.

Pools have settings associated with them, such as IP addresses for pool members, load balancing modes, and health and performance monitors. When you create a pool, you can use the default values for some of these settings, or change them to better suit your needs.
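
The virtual server, pool, node and monitor relationship described in this section, as an added model written for this page (not BIG-IP code; the class names, the Round Robin bookkeeping and the sample addresses are assumptions): a virtual server accepts traffic for its own address, selects the next pool member that is neither marked down by a monitor nor disabled by the administrator, and rewrites the destination address.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Member:
    """A pool member: a node address plus a service port."""
    address: str
    port: int
    monitor_up: bool = True   # updated by a health or performance monitor
    enabled: bool = True      # set by the administrator on the node

    @property
    def available(self) -> bool:
        return self.monitor_up and self.enabled


@dataclass
class Pool:
    """Load balancing pool using the default Round Robin algorithm."""
    name: str
    members: List[Member]
    next_index: int = 0

    def select(self) -> Optional[Member]:
        """Return the next available member in rotation, skipping members that
        a monitor marked down or that are disabled; None if none is available."""
        for _ in range(len(self.members)):
            member = self.members[self.next_index]
            self.next_index = (self.next_index + 1) % len(self.members)
            if member.available:
                return member
        return None


@dataclass
class VirtualServer:
    """Virtual address/port that receives requests and hands them to a pool."""
    address: str
    port: int
    default_pool: Pool

    def handle(self, client_addr: str, dest_addr: str, dest_port: int) -> Optional[dict]:
        """Accept a connection aimed at the virtual address, pick a pool member
        and rewrite the destination (the basic destination address translation
        the chapter mentions).  Returns None when the traffic is not for this
        virtual server or when no member is available."""
        if (dest_addr, dest_port) != (self.address, self.port):
            return None
        member = self.default_pool.select()
        if member is None:
            return None
        return {"src": client_addr, "dst": member.address, "dport": member.port}


def build_example() -> VirtualServer:
    """Constructed sample configuration using only non-routable addresses."""
    pool = Pool("web_pool", [Member("10.10.10.11", 80),
                             Member("10.10.10.12", 80),
                             Member("10.10.10.13", 80)])
    return VirtualServer("10.10.10.1", 80, pool)
```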

When you create and configure a load balancing pool, you use the Pool screen of the Configuration utility. Figure 1.2 shows part of this screen.

Figure 1.2 The Configuration utility screen for creating a load balancing pool

For more information on load balancing pools, see Chapter 4, Configuring Load Balancing Pools.

Configuring profiles

A profile is a group of configuration settings that apply to a specific type of network traffic, such as HTTP connections. If you want the virtual server to manage a type of traffic, you can associate the applicable profile with the virtual server, and the virtual server applies that profile's settings to all traffic of that type.

For example, you might want the LTM system to compress HTTP response data. In this case, you can configure an HTTP profile to enable compression, and associate the profile with a virtual server. Then, when the virtual server processes an HTTP request, the LTM system compresses the response.

There are several types of profiles that you can create for your own needs. They are: FastL4, TCP, UDP, OneConnect, Stream, HTTP, FTP, Client SSL, Server SSL, Persistence, and Authentication. When you create a profile, you can use the default values for the settings, or change them to better suit your needs.

For example, when you create and configure an HTTP profile, you use the part of the Configuration utility screen shown in Figure 1.3.

Figure 1.3 The Configuration screen for creating an HTTP profile

For more information on configuring profiles, see Chapter 5, Understanding Profiles, and one of the following chapters:

Introduction to the Configuration Guide for Local Traffic Management

This guide describes how to configure the BIG-IP local traffic management system to manage traffic coming into, or leaving, the local traffic network. Before you can configure the features described in this guide, you must install the BIG-IP system, license the system, and use the Setup utility to perform the management network configuration. For information about these tasks, refer to the Platform Guide: 1500, 3400, and 6400, and the Installation, Licensing, and Upgrades for BIG-IP Systems guide.

Using the Configuration utility

All users need to use the web-based Configuration utility in order to license the system for the first time.

In addition to setting up the management network and initial traffic management software configuration, you use the Configuration utility to configure and monitor the LTM system. You can use the Configuration utility to perform additional configuration steps necessary for your configuration. In the Configuration utility, you can also monitor current system performance. Most procedures in this guide use the Configuration utility.

The Configuration utility supports Netscape® Navigator™, version 7.1, or other browsers built on the same engine, such as Mozilla™, Firefox™, and Camino™; and Microsoft® Internet Explorer™ version 6.x and later.

Additional information

In addition to this guide, there are other sources of documentation you can use in order to work with the BIG-IP system. The information is organized into the guides and documents described below. The following printed documentation is included with the BIG-IP system.

  • Configuration Worksheet
    This worksheet provides you with a place to plan the basic configuration for the BIG-IP system.
  • BIG-IP Quick Start Instructions
    This pamphlet provides you with the basic configuration steps required to get the BIG-IP system up and running in the network.

The following guides are available in PDF format from the CD-ROM provided with the BIG-IP system. These guides are also available from the first Web page you see when you log in to the administrative web server on the BIG-IP system.

  • Platform Guide
    This guide includes information about the BIG-IP system. It also contains important environmental warnings.
  • Installation, Licensing, and Upgrades for BIG-IP Systems
    This guide provides detailed information about installing upgrades to the BIG-IP system. It also provides information about licensing the BIG-IP system software and connecting the system to a management workstation or network.

Stylistic conventions

To help you easily identify and understand important information, our documentation uses the stylistic conventions described below.

Using the solution examples

All examples in this documentation use only non-routable IP addresses. When you set up the solutions we describe, you must use IP addresses suitable to your own network in place of our sample addresses.

Identifying new terms

To help you identify sections where a term is defined, the term itself is shown in bold italic text. For example, a virtual server is a specific combination of a virtual address and virtual port, associated with a content site that is managed by a BIG-IP system or other type of host server.

Identifying references to objects, names, and commands

We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands, such as variables and keywords. For example, you can set the Idle Timeout value to 5.

Identifying references to other documents

We use italic text to denote a reference to another document. In references where we provide the name of a book as well as a specific chapter or section in the book, we show the book name in bold, italic text, and the chapter/section name in italic text to help quickly differentiate the two. For example, for installation instructions, refer to Chapter 1, Installing the Software, in the Installation, Licensing, and Upgrades for BIG-IP Systems guide.

Finding additional help and technical support resources

You can find additional technical information about this product in the following locations:

  • Release notes
    Release notes for the current version of this product are available from the product web server home page, and are also available on the technical support site. The release notes contain the latest information for the current version, including a list of new features and enhancements, a list of fixes, and, in some cases, a list of known issues.
  • Online help
    You can find help online in three different locations:
    • The web server on the product has PDF versions of the guides included in the Software CD.
    • The web-based Configuration utility has online help for each screen. Simply click the Help tab.
  • AskF5 Technical Support web site
    The F5 Networks Technical Support web site, http://tech.f5.com, provides the latest documentation for the product, including technical notes, answers to frequently asked questions, updates for guides (in PDF format), and the AskF5 natural language question and answer engine. To access this site, you need to register at http://tech.f5.com.
  • F5 Solution Center
    The F5 Solution Center contains proven interoperability and integration solutions that empower organizations to deliver predictable and secure applications in an unpredictable network environment. The F5 Solution Center offers detailed documentation that demonstrates how to increase the return on investment (ROI) of your application and network infrastructures through superior reliability, security, and performance. You can access this site at http://www.f5.com/solutions.

Note

All references to hardware platforms in this guide refer specifically to systems supplied by F5 Networks, Inc. If your hardware was supplied by another vendor and you have hardware-related questions, please refer to the documentation from that vendor.


