Manual Chapter: BIG-IP version 9.2 Configuration Guide for Local Traffic Management: Introducing Local Traffic Management

Introducing Local Traffic Management


Introducing the BIG-IP system

The BIG-IP® system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the BIG-IP system's multilayer capabilities enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7. The following modules provide comprehensive traffic management and security for many traffic types. The modules are fully integrated to provide efficient solutions to meet any network, traffic management, and security needs.

  • BIG-IP® Local Traffic Manager
    The BIG-IP system includes local traffic management features that help make the most of network resources. Using the powerful Configuration utility, you can customize the way that the BIG-IP system processes specific types of protocol and application traffic. By using features such as virtual servers, pools, and profiles, you ensure that traffic passing through the BIG-IP system is processed quickly and efficiently, while meeting all of your security needs. For more information, see the Configuration Guide for Local Traffic Management.
  • BIG-IP® Global Traffic Manager
    The Global Traffic Manager provides intelligent traffic management to your globally available network resources. Through the Global Traffic Manager, you can select from an array of load balancing modes, ensuring that your clients access the most responsive and robust resources at any given time. In addition, the Global Traffic Manager provides extensive monitoring capabilities so that the health of any given resource is always available. For more information, see the Configuration Guide for Global Traffic Management.
  • BIG-IP® Link Controller
    The Link Controller seamlessly monitors the availability and performance of multiple WAN connections to intelligently manage bi-directional traffic flows to a site, providing fault-tolerant, optimized Internet access regardless of connection type or provider. The Link Controller ensures that traffic is always sent over the best available link to maximize user performance and minimize bandwidth cost to a data center. For more information, see the Configuration Guide for the BIG-IP Link Controller.
  • BIG-IP® Application Security Module
    The Application Security Module provides web application protection from application-layer attacks. The Application Security Module protects Web applications from both generalized and targeted application layer attacks including buffer overflow, SQL injection, cross-site scripting, and parameter tampering. For more information, see the Configuration Guide for the BIG-IP Application Security Module.

Understanding BIG-IP local traffic management

The BIG-IP® local traffic management (LTM) system is specifically designed to manage your local network traffic. Local traffic management refers to the process of managing network traffic that comes into or goes out of a local area network (LAN), including an intranet.

This configuration guide applies to the set of local traffic management products that are part of the BIG-IP® family of products.

A commonly-used feature of the LTM system is its ability to intercept and redirect incoming network traffic, for the purpose of intelligently tuning the load on network servers. However, tuning server load is not the only type of local traffic management. The LTM system includes a variety of features that perform functions such as inspecting and transforming header and content data, managing SSL certificate-based authentication, and compressing HTTP responses. In so doing, the LTM system not only directs traffic to the appropriate server resource, but also enhances network security and frees up server resources by performing tasks that web servers typically perform.

Summary of local traffic-management capabilities

When configured properly, the LTM system can perform a wide variety of traffic-management functions, such as:

  • Balancing traffic to tune and distribute server load on the network for scalability.
  • Off-loading standard server tasks, such as HTTP data compression, SSL authentication, and SSL encryption to improve server performance.
  • Monitoring the health and performance of servers on the network for availability.
  • Establishing and managing session and connection persistence.
  • Handling application-traffic authentication and authorization functions based on user name/password and SSL certificate credentials.
  • Managing packet throughput to optimize performance for specific types of connections.
  • Improving performance by aggregating multiple client requests into a server-side connection pool. This aggregation of client requests is part of the LTM system's OneConnect™ feature.
  • Applying configuration settings to customize the flow of application-specific traffic (such as HTTP and SSL traffic).
  • Customizing the management of specific connections according to user-written scripts based on the industry-standard Tool Command Language (Tcl).

While some of the functions on this list offer the basic ability to balance the load on your network servers, other functions on the list offer specialized abilities that are worth noting. These abilities include managing specific types of application traffic, optimizing server performance, and enhancing the security of your network. The following sections describe these specialized capabilities.

Managing specific types of application traffic

Applying configuration settings to customize the flow of application-specific traffic is a key feature of local traffic management. The LTM system can control many different kinds of traffic, each in a different way. You do this by establishing a policy for managing each type of network traffic. Examples of traffic types that the system can manage are: TCP, UDP, HTTP, FTP, SSL, Session Initiation Protocol (SIP), i-mode®, and Microsoft® Remote Desktop Protocol (MSRDP).

In addition to creating separate policies to systematically manage these different traffic types, you can also do the following:

  • Write iRules™ to assign certain behaviors to individual application-specific connections. iRules can search the content of a particular type of traffic, such as an HTTP request or response, and direct the traffic accordingly.
  • Insert header data into application-specific requests, such as HTTP requests, and then direct the request based on that header data.
  • Implement session persistence. Using the LTM system's powerful configuration tools, you can configure session persistence, based on data such as HTTP cookies, source IP addresses, destination IP addresses, and SSL session IDs.
  • Monitor the health or performance of servers in a pool. For example, the LTM system can monitor Lightweight Directory Access Protocol (LDAP) servers on a network, and if the system determines that a target LDAP server is non-functional, the LTM system can redirect the request to a different LDAP server.
  • Use the dynamic ratio load-balancing algorithm to assess the current load on a particular type of server, such as a Windows Management Infrastructure (WMI) server, and then redirect a request based on that assessment. The ability to monitor servers corresponding to specific types of applications is a key tool for maintaining optimal performance of your network.

Optimizing performance

The LTM system includes several features designed to optimize server performance. Such features either offload labor-intensive traffic management tasks, such as SSL certificate verification, or enable the pooling, reuse, and overall persistence of server-side connections.

Offloading server tasks

The tasks that the LTM system can offload from a network server are:

  • SSL certificate-based authentication, including the checking of certificate revocation status through OCSP
  • SSL encryption and decryption
  • SSL certificate-based authorization using remote LDAP servers
  • HTTP data compression
  • The rewriting of MSRDP connections

Optimizing TCP and HTTP connections

The LTM system manages TCP and HTTP connections in certain ways to optimize server performance. Primary network optimization features are: OneConnect™, HTTP pipelining, and rate shaping.

OneConnect

The OneConnect™ feature contains the following components:

  • Content Switching
    When an HTTP client sends multiple requests within a single connection, the LTM system is able to process each of those requests individually, sending those requests to different destination servers if necessary. This feature is enabled automatically and does not require configuration.
  • Connection Pooling
    With this feature, the LTM system combines server-side connections that are not in use, so that other clients can use them. This can significantly reduce the number of servers required to process client requests. By default, this feature is disabled, but can be easily enabled using a OneConnect profile.
  • OneConnect transformation
    Sometimes, for HTTP/1.0 requests, you might want to add Keep-Alive support to HTTP Connection headers, to ensure that server-side connections remain open. This manipulation of HTTP Connection headers is a feature known as OneConnect transformation. This feature works best when used in conjunction with connection pooling.

For more information on OneConnect™, see Chapter 5, Understanding Profiles, and Chapter 6, Managing HTTP and FTP Traffic.

HTTP pipelining

In addition to the OneConnect™ feature, the LTM system has the ability to process pipelined requests. This means that the LTM system can process a client request even if the previous request has not yet received a response. Pipelining is an optimization feature available for HTTP/1.1 requests only.
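The per-request pool selection described under OneConnect content switching above, the HTTP/1.0 Connection-header rewrite of OneConnect transformation, and the handling of pipelined requests, modelled together as an added Python illustration. This is not BIG-IP code; the pool names, the URI-prefix switching rule and the sample requests are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed switching rule: URI prefix -> pool name (assumed names).
POOL_BY_PREFIX = {"/images/": "image_pool", "/api/": "app_pool"}
DEFAULT_POOL = "web_pool"


@dataclass
class Request:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def serialize(self) -> bytes:
        """Re-emit the request as bytes for the server-side connection."""
        lines = [f"{self.method} {self.uri} {self.version}"]
        lines += [f"{k}: {v}" for k, v in self.headers.items()]
        return ("\r\n".join(lines) + "\r\n\r\n").encode() + self.body


def split_pipelined(buf: bytes):
    """Split one client byte stream into complete requests.

    A pipelining client sends request N+1 before request N is answered,
    so several requests can sit in one buffer. Each ends after its header
    block plus Content-Length body bytes; an incomplete trailing request
    stays in the buffer until more data arrives.
    """
    requests = []
    while True:
        end = buf.find(b"\r\n\r\n")
        if end < 0:
            break
        head = buf[:end].decode("latin-1").split("\r\n")
        method, uri, version = head[0].split(" ", 2)
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        total = end + 4 + int(headers.get("Content-Length", "0"))
        if len(buf) < total:
            break  # body not fully received yet
        requests.append(Request(method, uri, version, headers, buf[end + 4:total]))
        buf = buf[total:]
    return requests, buf


def select_pool(req: Request) -> str:
    """Content switching: choose a pool per request, not per connection."""
    for prefix, pool in POOL_BY_PREFIX.items():
        if req.uri.startswith(prefix):
            return pool
    return DEFAULT_POOL


def oneconnect_transform(req: Request) -> Request:
    """OneConnect transformation: give HTTP/1.0 requests a Keep-Alive
    Connection header so the server-side connection can be reused."""
    if req.version == "HTTP/1.0":
        req.headers["Connection"] = "Keep-Alive"
    return req


def process_stream(buf: bytes):
    """Return [(pool, server-side bytes), ...] and any leftover bytes."""
    reqs, rest = split_pipelined(buf)
    return [(select_pool(r), oneconnect_transform(r).serialize()) for r in reqs], rest


# Constructed sample: three complete pipelined requests plus a partial one.
SAMPLE = (b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
          b"POST /api/login HTTP/1.0\r\nHost: www.example.test\r\n"
          b"Connection: close\r\nContent-Length: 7\r\n\r\nuser=ab"
          b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
          b"GET /api/partial HTTP/1.1\r\nHost: www.exa")

if __name__ == "__main__":
    for pool, wire in process_stream(SAMPLE)[0]:
        print(pool, wire.split(b"\r\n")[0])
```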

For more information on HTTP pipelining, see Chapter 6, Managing HTTP and FTP Traffic.

Rate shaping

Rate shaping is a feature that allows you to categorize certain types of connections into rate classes, for the purpose of customizing the throughput of those connections. This is useful, for example, when you want to optimize web-server performance for preferred Internet customers.

TCP optimizations

The LTM system includes significant TCP optimizations, such as in-order delivery and content spooling.

Enhancing network security

Security is an important consideration in managing local network traffic. Accordingly, the LTM system contains a number of features designed to assist in preventing security breaches. These features pertain not only to authenticating and authorizing users and applications, but also to detecting intrusions and mitigating DoS attacks.

In general, when the LTM system detects a security problem, it can take actions such as:

  • Reject a client request based on SSL certificate verification
  • Reject and discard unauthorized packets
  • Alert system administrators to an attack or infiltration attempt
  • Direct suspicious traffic to specific target servers
  • Log authentication failures
  • Prevent SYN flooding

An important consideration for any networked environment is the authentication and authorization mechanism that you use to authenticate users and their client requests and to control user and application access to server resources. To this end, the LTM system supports Pluggable Authentication Module (PAM) technology, and provides a complete set of PAM authentication modules that you can choose from to handle your authentication or authorization needs.

The authentication modules that the LTM system provides are as follows:

  • An LDAP module
    Uses a remote LDAP server to perform user name/password user authentication.
  • A RADIUS module
    Uses a Remote Authentication Dial In User Service (RADIUS) server to perform user name/password user authentication.
  • A TACACS+ module
    Uses a remote Terminal Access Controller Access Control System (TACACS+) server to perform user name/password user authentication.
  • An SSL Client Certificate LDAP module
    Uses a remote LDAP server to perform SSL certificate-based authorization of client SSL traffic.
  • An OCSP module
    Uses a remote Online Certificate Status Protocol (OCSP) server to provide up-to-date SSL certificate revocation status for the purpose of authenticating client and server SSL traffic.

Overview of local traffic management configuration

Once you have set up your base network, have administrative access to the LTM system, and have at least a default VLAN assignment for each interface, the next step is to configure a network for managing traffic targeted to your internal servers.

At the heart of the LTM system are virtual servers and load balancing pools. Virtual servers receive incoming traffic, perform basic source IP and destination IP address translation, and direct traffic to servers, which are grouped together in load balancing pools.

To configure a basic local traffic management system, you use the Configuration utility. With this utility, you can create a complete set of configuration objects that work together to perform local traffic management. Each object has a set of configuration settings that you can use as is or change to suit your needs. These objects are:

  • Virtual servers
    Virtual servers receive requests and distribute them to pool members.
  • Nodes
    Nodes represent server IP addresses on your network that you can enable and disable, and for which you can obtain status.
  • Load balancing pools
    Load balancing pools contain servers to which requests can be sent for processing.
  • Application-type profiles
    Application-type profiles contain settings that define the behavior of various traffic types, such as TCP, HTTP, and SSL.
  • SSL Certificates
    The SSL Certificates object allows you to generate SSL certificate requests and install SSL certificates on the LTM system, for the purpose of terminating and initiating SSL connections.
  • Remote authentication
    The remote authentication feature allows you to use a remote server to authenticate application traffic. Examples of remote authentication servers are LDAP, RADIUS, and OCSP servers.
  • Session Persistence profiles
    Session persistence profiles allow you to implement session persistence based on a variety of criteria such as HTTP cookies, source IP addresses, and destination IP addresses.
  • Monitors
    Monitors track the current health or performance of pool members.
  • SNATs
    Secure Network Address Translations (SNATs) translate the source IP address in a client request, allowing multiple hosts to share the same address.
  • Rate Shaping
    Rate shaping controls bandwidth consumption.
  • iRules
    iRules can define criteria for pool-member selection, as well as perform content transformations, logging, custom protocol support, and so on.

When you create configuration objects, you can choose to perform either basic or advanced configuration:

  • Basic
    You choose a basic configuration when you want to primarily use the default values for your object settings. When you choose a basic configuration, the Configuration utility displays only those few settings that you would most likely need to modify. The other settings remain hidden and retain their default values. Choosing a basic configuration is an easy way to create configuration objects.
  • Advanced
    You choose an advanced configuration when you want to modify many of the values for your object settings. When you choose an advanced configuration, the Configuration utility displays all of the object's settings and allows you to modify any of them.

The three most important objects in the LTM system that you must configure for local traffic management are:

  • Virtual servers
  • Load balancing pools
  • Profiles

Configuring virtual servers

When you create a virtual server, you specify the type of virtual server you want, that is, a host virtual server or a network virtual server. Then you can attach various properties and resources to it, such as application-specific profiles, session persistence, and user-written scripts called iRules that define pool-selection criteria. All of these properties and resources, when associated with a virtual server, determine how the LTM system manages local traffic.

When you create and configure a virtual server, you use the part of the Configuration utility screen shown in Figure 1.1.

Figure 1.1 The Configuration utility screen for creating a virtual server

For more information on virtual servers, see Chapter 2, Configuring Virtual Servers.

Configuring load balancing pools

A load balancing pool is a collection of internal servers that you group together to service client requests. A server in a pool is referred to as a pool member. Using the default load balancing algorithm, known as Round Robin, the LTM system sends a client request to a member of that pool.

To implement a load balancing pool, you first create the pool, and then you associate the pool name with an existing virtual server. A virtual server sends client requests to the pool or pools that are associated with it. The virtual server screen shown in Figure 1.1 includes a setting, Default Pool, for specifying a pool name.

Pools have settings associated with them, such as IP addresses for pool members, load balancing modes, and health and performance monitors. When you create a pool, you can use the default values for some of these settings, or change them to better suit your needs.
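How a virtual server, its default pool, Round Robin selection, monitor status and source-address persistence fit together, modelled as an added Python illustration that is not BIG-IP code. The member addresses, client addresses and monitor results are constructed for the example; it also shows what happens when a persisted pool member is marked down by a monitor.

```python
from itertools import cycle


class Pool:
    """A load balancing pool: members plus the monitor-reported status of each."""

    def __init__(self, name, members):
        self.name = name
        self.members = list(members)            # (ip, port) pool members
        self.up = {m: True for m in members}    # health status from monitors
        self._rr = cycle(self.members)          # Round Robin position

    def monitor_result(self, member, healthy):
        """Record a health-monitor result; a member marked down is not selected."""
        self.up[member] = healthy

    def next_member(self):
        """Round Robin over the members, skipping any that are marked down."""
        for _ in range(len(self.members)):
            m = next(self._rr)
            if self.up[m]:
                return m
        return None  # every member is down: nothing can service the request


class VirtualServer:
    """A host virtual server with a default pool and optional source-address persistence."""

    def __init__(self, destination, default_pool, persist_source=False):
        self.destination = destination          # (virtual address, virtual port)
        self.default_pool = default_pool
        self.persist_source = persist_source
        self._persist = {}                      # client IP -> chosen member

    def route(self, client_ip):
        """Return the pool member that receives this client's request."""
        pool = self.default_pool
        if self.persist_source:
            m = self._persist.get(client_ip)
            if m is not None and pool.up[m]:
                return m                        # persistence honoured while member is up
        m = pool.next_member()                  # otherwise fall back to load balancing
        if m is not None and self.persist_source:
            self._persist[client_ip] = m        # persisted member gets replaced if it went down
        return m


if __name__ == "__main__":
    # Constructed, non-routable sample addresses.
    web_pool = Pool("web_pool", [("10.0.0.11", 80), ("10.0.0.12", 80), ("10.0.0.13", 80)])
    vs = VirtualServer(("192.0.2.10", 80), web_pool, persist_source=True)
    print(vs.route("198.51.100.1"), vs.route("198.51.100.2"), vs.route("198.51.100.1"))
    web_pool.monitor_result(("10.0.0.11", 80), False)
    print(vs.route("198.51.100.1"))
```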

When you create and configure a load balancing pool, you use the Pool screen of the Configuration utility. Figure 1.2 shows part of this screen.

Figure 1.2 The Configuration utility screen for creating a load balancing pool

For more information on load balancing pools, see Chapter 4, Configuring Load Balancing Pools.

Configuring profiles

A profile is a group of configuration settings that apply to a specific type of network traffic, such as HTTP connections. If you want the virtual server to manage a type of traffic, you can associate the applicable profile with the virtual server, and the virtual server applies that profile's settings to all traffic of that type.

For example, you might want the LTM system to compress HTTP response data. In this case, you can configure an HTTP profile to enable compression, and associate the profile with a virtual server. Then, when the virtual server processes an HTTP request, the LTM system compresses the response.

There are several types of profiles that you can create for your own needs. They are: FastL4, TCP, UDP, OneConnect, Stream, HTTP, FTP, Client SSL, Server SSL, Persistence, and Authentication. When you create a profile, you can use the default values for the settings, or change them to better suit your needs.

For example, when you create and configure an HTTP profile, you use the part of the Configuration utility screen shown in Figure 1.3.

Figure 1.3 The Configuration screen for creating an HTTP profile

For more information on configuring profiles, see Chapter 5, Understanding Profiles, and one of the following chapters:

Using the Configuration utility

All users need to use the web-based Configuration utility in order to license the system for the first time.

In addition to setting up the management network and initial traffic management software configuration, you use the Configuration utility to configure and monitor the LTM system. You can use the Configuration utility to perform additional configuration steps necessary for your configuration. In the Configuration utility, you can also monitor current system performance. Most procedures in this guide use the Configuration utility.

The Configuration utility supports Netscape® Navigator™, version 7.1, or other browsers built on the same engine, such as Mozilla™, Firefox™, and Camino™; and Microsoft® Internet Explorer™ version 6.x and later.

For information on setting user preferences for the Configuration utility, see the Network and System Management Guide.

About this guide

This guide describes how to configure the BIG-IP local traffic management system to manage traffic coming into, or leaving, the local traffic network. Before you can configure the features described in this guide, you must install the BIG-IP system, license the system, and use the Setup utility to set up the network configuration.

Additional information

In addition to this guide, there are other sources of documentation you can use in order to work with the BIG-IP system. The information is organized into the guides and documents described below. The following printed documentation is included with the BIG-IP system.

  • Configuration Worksheet
    This worksheet provides you with a place to plan the basic configuration for the BIG-IP system.
  • BIG-IP Quick Start Instructions
    This pamphlet provides you with the basic configuration steps required to get the BIG-IP system up and running in the network.

The following guides are available in PDF format from the CD-ROM provided with the BIG-IP system. These guides are also available from the first Web page you see when you log in to the administrative web server on the BIG-IP system.

  • Platform Guide
    This guide includes information about the BIG-IP system. It also contains important environmental warnings.
  • Installation, Licensing, and Upgrades for BIG-IP Systems
    This guide provides detailed information about installing upgrades to the BIG-IP system. It also provides information about licensing the BIG-IP system software and connecting the system to a management workstation or network.
  • Network and System Management Guide
    This guide contains the information you need to configure and maintain the network and system-related components of the BIG-IP system. With this guide, you can perform tasks such as configuring VLANs, assigning self IP addresses, creating administrative user accounts, and managing a redundant system.

Stylistic conventions

To help you easily identify and understand important information, our documentation uses the stylistic conventions described below.

Using the solution examples

All examples in this documentation use only non-routable IP addresses. When you set up the solutions we describe, you must use IP addresses suitable to your own network in place of our sample addresses.

Identifying new terms

To help you identify sections where a term is defined, the term itself is shown in bold italic text. For example, a virtual server is a specific combination of a virtual address and virtual port, associated with a content site that is managed by a BIG-IP system or other type of host server.

Identifying references to objects, names, and commands

We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands, such as variables and keywords. For example, you can set the Idle Timeout value to 5.

Identifying references to other documents

We use italic text to denote a reference to another document. In references where we provide the name of a book as well as a specific chapter or section in the book, we show the book name in bold, italic text, and the chapter/section name in italic text to help quickly differentiate the two. For example, for installation instructions, refer to Chapter 1, Installing the Software, in the Installation, Licensing, and Upgrades for BIG-IP Systems guide.

Finding help and technical support resources

You can find additional technical documentation and product information in the following locations:

  • Online help for local traffic management
    The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help for a screen.
  • Welcome screen in the Configuration utility
    The Welcome screen in the Configuration utility contains links to many useful web sites and resources, including:
    • The F5 Networks Technical Support web site
    • The F5 Solution Center
    • The F5 DevCentral web site
    • Plug-ins, SNMP MIBs, and SSH clients
  • F5 Networks Technical Support web site
    The F5 Networks Technical Support web site, http://tech.f5.com, provides the latest documentation for the product, including:
    • Release notes for the <product names>, current and past
    • Updates for guides (in PDF form)
    • Technical notes
    • Answers to frequently asked questions
    • The AskF5 natural language question and answer engine.
To access this site, you need to register at http://tech.f5.com.