Manual Chapter: Configuration Guide for BIG-IP Local Traffic Management: 1 - Introducing Local Traffic Management
1 Introducing Local Traffic Management


Introducing the BIG-IP system

The BIG-IP® system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the BIG-IP system's multilayer capabilities enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7. The following modules provide comprehensive traffic management and security for many traffic types. The modules are fully integrated to provide efficient solutions to meet any network, traffic management, and security needs.

  • BIG-IP® Local Traffic Manager
    The BIG-IP system includes local traffic management features that help make the most of network resources. Using the powerful Configuration utility, you can customize the way that the BIG-IP system processes specific types of protocol and application traffic. By using features such as virtual servers, pools, and profiles, you ensure that traffic passing through the BIG-IP system is processed quickly and efficiently, while meeting all of your security needs. For more information, see the Configuration Guide for BIG-IP® Local Traffic Management.
  • BIG-IP® Global Traffic Manager
    BIG-IP® Global Traffic Manager provides intelligent traffic management for your globally available network resources. Through the Global Traffic Manager, you can select from an array of load balancing modes, ensuring that your clients access the most responsive and robust resources at any given time. In addition, the Global Traffic Manager provides extensive monitoring capabilities, so the health of any given resource is always known. For more information, see the Configuration Guide for BIG-IP® Global Traffic Management.
  • BIG-IP® Link Controller
    BIG-IP® Link Controller seamlessly monitors the availability and performance of multiple WAN connections to intelligently manage bi-directional traffic flows to a site, providing fault-tolerant, optimized Internet access regardless of connection type or provider. BIG-IP® Link Controller ensures that traffic is always sent over the best available link, to maximize user performance and minimize bandwidth cost to a data center. For more information, see the Configuration Guide for BIG-IP® Link Controller.
  • BIG-IP® Application Security Management
    BIG-IP® Application Security Management provides web application protection from application-layer attacks. BIG-IP® Application Security Management protects Web applications from both generalized and targeted application layer attacks including buffer overflow, SQL injection, cross-site scripting, and parameter tampering. For more information, see the Configuration Guide for BIG-IP® Application Security Management.

Understanding BIG-IP local traffic management

The BIG-IP local traffic management system is specifically designed to manage your local network traffic. Local traffic management refers to the process of managing network traffic that comes into or goes out of a local area network (LAN), including an intranet.

This configuration guide applies to the set of local traffic management products that are part of the BIG-IP system family of products.

A commonly-used feature of the BIG-IP system is its ability to intercept and redirect incoming network traffic, for the purpose of intelligently tuning the load on network servers. However, tuning server load is not the only type of local traffic management. The BIG-IP system includes a variety of features that perform functions such as inspecting and transforming header and content data, managing SSL certificate-based authentication, and compressing HTTP responses. In so doing, the BIG-IP system not only directs traffic to the appropriate server resource, but also enhances network security and frees up server resources by performing tasks that web servers typically perform.

Summary of local traffic management capabilities

When configured properly, the BIG-IP system can perform a wide variety of traffic-management functions, such as:

  • Balancing traffic to tune and distribute server load on the network for scalability.
  • Off-loading standard server tasks, such as HTTP data compression, SSL authentication, and SSL encryption to improve server performance.
  • Monitoring the health and performance of servers on the network for availability.
  • Establishing and managing session and connection persistence.
  • Handling application-traffic authentication and authorization functions based on user name/password and SSL certificate credentials.
  • Managing packet throughput to optimize performance for specific types of connections.
  • Improving performance by aggregating multiple client requests into a server-side connection pool. This aggregation of client requests is part of the BIG-IP system's OneConnect™ feature.
  • Applying configuration settings to customize the flow of application-specific traffic (such as HTTP and SSL traffic).
  • Customizing the management of specific connections according to user-written scripts based on the industry-standard Tool Command Language (Tcl).

While some of the functions on this list offer the basic ability to balance the load on your network servers, other functions on the list offer specialized abilities that are worth noting. These abilities include managing specific types of application traffic, optimizing server performance, and enhancing the security of your network. The following sections describe these specialized capabilities.

Managing specific types of application traffic

Applying configuration settings to customize the flow of application-specific traffic is a key feature of local traffic management. The BIG-IP system can control many different kinds of traffic, each in a different way. You do this by establishing a policy for managing each type of network traffic. Examples of traffic types that the system can manage are: TCP, UDP, HTTP, FTP, SSL, Session Initiation Protocol (SIP), i-mode®, and Microsoft® Remote Desktop Protocol (MSRDP).

In addition to creating separate policies to systematically manage these different traffic types, you can also do the following:

  • Write iRules™ to assign certain behaviors to individual application-specific connections. iRules can search the content of a particular type of traffic, such as an HTTP request or response, and direct the traffic accordingly.
  • Insert header data into application-specific requests, such as HTTP requests, and then direct the request based on that header data.
  • Implement session persistence. Using the BIG-IP system's powerful configuration tools, you can configure session persistence, based on data such as HTTP cookies, source IP addresses, destination IP addresses, and SSL session IDs.
  • Monitor the health or performance of servers in a pool. For example, the BIG-IP system can monitor Lightweight Directory Access Protocol (LDAP) servers on a network, and if the system determines that a target LDAP server is non-functional, the BIG-IP system can redirect the request to a different LDAP server.
  • Use the dynamic ratio load-balancing algorithm to assess the current load on a particular type of server, such as a Windows Management Instrumentation (WMI) server, and then redirect a request based on that assessment. The ability to monitor servers corresponding to specific types of applications is a key tool for maintaining optimal performance of your network.

Optimizing performance

The BIG-IP system includes several features designed to optimize server performance. Such features either offload labor-intensive traffic management tasks, such as SSL certificate verification, or enable the pooling, re-use, and overall persistence of server-side connections.

Offloading server tasks

The tasks that the BIG-IP system can offload from a network server are:

  • SSL certificate-based authentication, including the checking of certificate revocation status through the use of certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP).
  • SSL encryption and decryption
  • SSL certificate-based authorization using remote LDAP servers
  • HTTP data compression and RAM caching
  • Authentication and authorization of application traffic when using remote authentication servers such as LDAP and RADIUS servers
  • The rewriting of Microsoft® Remote Desktop connections

Optimizing TCP and HTTP connections

The BIG-IP system manages TCP and HTTP connections in certain ways to optimize server performance. The primary network optimization features are: OneConnect™, HTTP pipelining, HTTP data compression, RAM caching, and rate shaping.

OneConnect

The OneConnect™ feature contains the following components:

  • Content Switching
    When an HTTP client sends multiple requests within a single connection, the BIG-IP system is able to process each of those requests individually, sending those requests to different destination servers if necessary.
  • Connection Pooling
    With this feature, the BIG-IP system combines server-side connections that are not in use, so that other clients can use them. This can significantly reduce the number of servers required to process client requests.
  • OneConnect transformation
    Sometimes, for HTTP/1.0 requests, you might want to add Keep-Alive support to HTTP Connection headers, to ensure that server-side connections remain open. This manipulation of HTTP Connection headers is a feature known as OneConnect transformation.

The OneConnect feature is disabled by default, but can easily be enabled by configuring a OneConnect profile. For more information on OneConnect, see Chapter 5, Understanding Profiles, and Chapter 6, Managing HTTP and FTP Traffic.

HTTP pipelining

In addition to the OneConnect feature, the BIG-IP system has the ability to process pipelined requests. This means that the BIG-IP system can process a client request even if the previous request has not yet received a response. Pipelining is an optimization feature available for HTTP/1.1 requests only.

For more information on HTTP pipelining, see Chapter 6, Managing HTTP and FTP Traffic.

HTTP data compression

To reduce the load on your back-end servers, you can configure an HTTP profile to compress HTTP responses. When the BIG-IP system compresses HTTP responses, the back-end servers processing the HTTP traffic no longer need to use resources to perform data compression.

RAM caching

The BIG-IP system can store HTTP objects in the BIG-IP system's RAM. Subsequent connections can then re-use these objects, to reduce the amount of load on back-end servers.

Rate shaping

Rate shaping is a feature that allows you to categorize certain types of connections into rate classes, for the purpose of customizing the throughput of those connections. This is useful, for example, when you want to optimize web-server performance for preferred Internet customers.

TCP optimizations

The BIG-IP system includes significant TCP optimizations, such as in-order delivery and content spooling.

Enhancing network security

Security is an important consideration in managing local network traffic. Accordingly, the BIG-IP system contains a number of features designed to help prevent security breaches. These features pertain not only to authenticating and authorizing users and applications, but also to detecting intrusions and mitigating denial-of-service (DoS) attacks.

In general, when the BIG-IP system detects a security problem, it can take actions such as:

  • Reject a client request based on SSL certificate verification
  • Reject and discard unauthorized packets
  • Alert system administrators to an attack or infiltration attempt
  • Direct suspicious traffic to specific target servers
  • Log authentication failures
  • Prevent SYN flooding

An important consideration for any networked environment is the authentication and authorization mechanism that you use to authenticate users and their client requests and to control user and application access to server resources. To this end, the BIG-IP system supports Pluggable Authentication Module (PAM) technology, and provides a complete set of PAM authentication modules that you can choose from to handle your authentication or authorization needs.

The authentication modules that the BIG-IP system provides are as follows:

  • An LDAP module
    Uses a remote LDAP server to perform user name/password user authentication.
  • A RADIUS module
    Uses a Remote Authentication Dial In User Service (RADIUS) server to perform user name/password user authentication.
  • A TACACS+ module
    Uses a remote Terminal Access Controller Access Control System (TACACS+) server to perform user name/password user authentication.
  • An SSL Client Certificate LDAP module
    Uses a remote LDAP server to perform SSL certificate-based authorization of client SSL traffic.
  • An SSL OCSP module
    Uses a remote Online Certificate Status Protocol (OCSP) server to provide up-to-date SSL certificate revocation status for the purpose of authenticating client and server SSL traffic.

Not only can you control authentication and authorization of application traffic, you can also control access to BIG-IP system resources by BIG-IP system administrators. User roles such as Administrator, Operator, and Guest define both the scope of user access to system objects, and the types of tasks users can perform on those objects.

Overview of local traffic management configuration

Once you have set up your base network, which includes having administrative access to the BIG-IP system and at least a default VLAN assignment for each interface, the next step is to configure a network for managing traffic targeted to your internal servers.

At the heart of the BIG-IP system are virtual servers and load balancing pools. Virtual servers receive incoming traffic, perform basic source IP and destination IP address translation, and direct traffic to servers, which are grouped together in load balancing pools.

To configure a basic local traffic management system, you use the Configuration utility. With this utility, you can create a complete set of configuration objects that work together to perform local traffic management. Each object has a set of configuration settings that you can use as is or change to suit your needs. These objects are:

  • Virtual servers
    The primary function of a virtual server is to receive requests and distribute them to pool members according to criteria you specify.
  • Nodes
    Nodes represent server IP addresses on your network that you can enable and disable, and for which you can obtain status.
  • Load balancing pools
    Load balancing pools contain servers to which requests can be sent for processing.
  • Application-type profiles
    Application-type profiles contain settings that define the behavior of various application types that use protocols such as TCP, HTTP, and SSL.
  • Authentication-type profiles
    Authentication-type profiles provide authentication interoperability between remote authentication servers and the BIG-IP system.
  • SSL Certificates
    The SSL Certificates object allows you to generate SSL certificate requests and install SSL certificates on the BIG-IP system, for the purpose of terminating and initiating SSL connections.
  • Session Persistence profiles
    Session persistence profiles allow you to implement session persistence based on a variety of criteria such as HTTP cookies, source IP addresses, and destination IP addresses.
  • Monitors
    Monitors track the current health or performance of pool members.
  • SNATs
    Secure Network Address Translations (SNATs) translate the source IP address in a client request, allowing multiple hosts to share the same address.
  • Rate Shaping
    Rate shaping controls bandwidth consumption, using rate classes that you define.
  • iRules™
    iRules can define criteria for pool-member selection, as well as perform content transformations, logging, custom protocol support, and so on. For complete information on iRules, see the F5 Networks DevCentral web site, http://devcentral.f5.com.

When you create configuration objects, you can choose to perform either basic or advanced configuration:

  • Basic
    You choose a basic configuration when you want to primarily use the default values for your object settings. When you choose a basic configuration, the Configuration utility displays only those few settings that you would most likely need to modify. The other settings remain hidden and retain their default values. Choosing a basic configuration is an easy way to create configuration objects.
  • Advanced
    You choose an advanced configuration when you want to modify many of the values for your object settings. When you choose an advanced configuration, the Configuration utility displays all of the object's settings and allows you to modify any of them.

The three most important objects in the BIG-IP system that you must configure for local traffic management are:

  • Virtual servers
  • Load balancing pools
  • Profiles

Configuring virtual servers

When you create a virtual server, you specify the type of virtual server you want, that is, a host virtual server or a network virtual server. Then you can attach various properties and resources to it, such as application-specific profiles, session persistence, and user-written scripts called iRules that define pool-selection criteria. All of these properties and resources, when associated with a virtual server, determine how the BIG-IP system manages local traffic.

When you create and configure a virtual server, you use the part of the Configuration utility screen shown in Figure 1.1.


Figure 1.1 The Configuration utility screen for creating a virtual server

For more information on virtual servers, see Chapter 2, Configuring Virtual Servers.

Configuring load balancing pools

A load balancing pool is a collection of internal servers that you group together to service client requests. A server in a pool is referred to as a pool member. Using the default load balancing algorithm, known as Round Robin, the BIG-IP system sends a client request to a member of that pool.

To implement a load balancing pool, you first create the pool, and then you associate the pool name with an existing virtual server. A virtual server sends client requests to the pool or pools that are associated with it. The virtual server screen shown in Figure 1.1 includes a setting, Default Pool, for specifying a pool name.

Pools have settings associated with them, such as IP addresses for pool members, load balancing modes, and health and performance monitors. When you create a pool, you can use the default values for some of these settings, or change them to better suit your needs.

To create and configure a load balancing pool, you use the Pools screen of the Configuration utility. Figure 1.2 shows part of this screen.


Figure 1.2 The Configuration utility screen for creating a load balancing pool

For more information on load balancing pools, see Chapter 4, Configuring Load Balancing Pools.

Configuring profiles

A profile is a group of configuration settings that apply to a specific type of network traffic, such as HTTP connections. If you want the virtual server to manage a type of traffic, you can associate the applicable profile with the virtual server, and the virtual server applies that profile's settings to all traffic of that type.

For example, you might want the BIG-IP system to compress HTTP response data. In this case, you can configure an HTTP profile to enable compression, and associate the profile with a virtual server. Then, when the virtual server processes an HTTP request, the BIG-IP system compresses the response.

There are several types of profiles that you can create for your own needs. They are: HTTP, FTP, Persistence, Fast L4, Fast HTTP, TCP, UDP, Client and Server SSL, Authentication, OneConnect, Statistics, and Stream. When you create a profile, you can use the default values for the settings, or change them to better suit your needs.

For example, when you create and configure an HTTP profile, you use the part of the Configuration utility screen shown in Figure 1.3.


Figure 1.3 The Configuration screen for creating an HTTP profile
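The objects described in this section (pool, monitor, profiles, persistence, iRule, SNAT, and the virtual server that ties them together) combine into one deployable configuration. The following is an added example and not taken from this guide: it uses the tmsh / bigip.conf syntax of later BIG-IP releases rather than the Configuration utility screens shown above, and every object name and private IP address in it is constructed.

```tmsh
# Added example in tmsh / bigip.conf syntax (assumed from later BIG-IP
# releases); all object names and private addresses are constructed.
# Nodes for the member addresses are created implicitly when the pool loads.

# Health monitor: a member that stops answering with "200 OK" is marked down
ltm monitor http web_http_mon {
    defaults-from http
    interval 5
    timeout 16
    recv "200 OK"
}

# Load balancing pools: round robin is the default algorithm
ltm pool web_pool {
    load-balancing-mode round-robin
    members {
        10.10.10.11:http { address 10.10.10.11 }
        10.10.10.12:http { address 10.10.10.12 }
    }
    monitor web_http_mon
}
ltm pool api_pool {
    members {
        10.10.10.21:http { address 10.10.10.21 }
    }
    monitor web_http_mon
}

# Application-type profiles: HTTP handling, response compression offloaded
# from the servers (the example given above), and OneConnect pooling of
# server-side connections
ltm profile http web_http {
    defaults-from http
    insert-xforwarded-for enabled
}
ltm profile http-compression web_compress {
    defaults-from httpcompression
    gzip-level 6
}
ltm profile one-connect web_oneconnect {
    defaults-from oneconnect
    source-mask 255.255.255.255
}

# Session persistence profile based on an inserted HTTP cookie
ltm persistence cookie web_cookie {
    defaults-from cookie
}

# iRule (Tcl): pool-selection criteria based on request content
ltm rule select_api_pool {
when HTTP_REQUEST {
    if { [HTTP::path] starts_with "/api/" } {
        pool api_pool
    }
}
}

# Virtual server: receives client traffic on the virtual address, applies
# the profiles, persistence and iRule, and sends requests to the default
# pool; SNAT automap rewrites the client source address so that server
# replies return through the BIG-IP system
ltm virtual vs_web {
    destination 10.10.20.10:http
    ip-protocol tcp
    mask 255.255.255.255
    pool web_pool
    persist {
        web_cookie { default yes }
    }
    profiles {
        tcp { }
        web_http { }
        web_compress { }
        web_oneconnect { }
    }
    rules { select_api_pool }
    source-address-translation { type automap }
}
```

A request for any path other than /api/ goes to web_pool by round robin; a request under /api/ is switched by the iRule to api_pool, and in both cases the cookie persistence profile keeps later requests from the same client on the member that was chosen first.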

For more information on configuring profiles, see Chapter 5, Understanding Profiles, and one of the following chapters:

Using the Configuration utility

All users need to use the web-based Configuration utility in order to license the system for the first time.

In addition to setting up the management network and initial traffic management software configuration, you use the Configuration utility to configure and monitor the BIG-IP system. You can use the Configuration utility to perform additional configuration steps necessary for your configuration. In the Configuration utility, you can also monitor current system performance. Most procedures in this guide use the Configuration utility.

For information on setting user preferences for the Configuration utility, see the BIG-IP® Network and System Management Guide. For information on supported browsers, see the release notes on AskF5SM.

About this guide

This guide describes how to configure the BIG-IP local traffic management system to manage traffic coming into, or leaving, the local traffic network. Before you can configure the features described in this guide, you must install the BIG-IP system, license the system, and use the Setup utility to set up the network configuration.

Additional information

In addition to this guide, there are other sources of documentation you can use in order to work with the BIG-IP system. The information is organized into the guides and documents described below. The following printed documentation is included with the BIG-IP system.

  • Configuration Worksheet
    This worksheet provides you with a place to plan the basic configuration for the BIG-IP system.
  • BIG-IP® Quick Start Instructions
    This pamphlet provides you with the basic configuration steps required to get the BIG-IP system up and running in the network.

The following guides are available in PDF format from the AskF5SM web site, http://tech.f5.com. These guides are also available from the first Web page you see when you log in to the administrative web server on the BIG-IP system.

  • Platform Guide
    This guide includes information about the BIG-IP system. It also contains important environmental warnings.
  • Installation, Licensing, and Upgrades for BIG-IP® Systems
    This guide provides detailed information about installing upgrades to the BIG-IP system. It also provides information about licensing the BIG-IP system software and connecting the system to a management workstation or network.
  • BIG-IP® Network and System Management Guide
    This guide contains any information you need to configure and maintain the network and system-related components of the BIG-IP system. With this guide, you can perform tasks such as configuring VLANs, assigning self IP addresses, creating administrative user accounts, and managing a redundant system.

Stylistic conventions

To help you easily identify and understand important information, our documentation uses the stylistic conventions described below.

Using the examples

All examples in this documentation use only private class IP addresses. When you configure your own system, you must use valid IP addresses suitable to your own network in place of our sample addresses.

Identifying new terms

To help you identify sections where a term is defined, the term itself is shown in bold italic text. For example, a virtual server is a specific combination of a virtual address and virtual port, associated with a content site that is managed by a BIG-IP system or other type of host server.

Identifying references to objects, names, and commands

We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands, such as variables and keywords. For example, you can set the Idle Timeout value to 5.

Identifying references to other documents

We use italic text to denote a reference to another document. In references where we provide the name of a book as well as a specific chapter or section in the book, we show the book name in bold, italic text, and the chapter/section name in italic text to help quickly differentiate the two. For example, for installation instructions, refer to Chapter 1, Installing the Software, in the Installation, Licensing, and Upgrades for BIG-IP® Systems guide.

Finding help and technical support resources

You can find additional technical documentation and product information in the following locations:

  • Online help for local traffic management
    The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help for a screen.
  • Welcome screen in the Configuration utility
    The Welcome screen in the Configuration utility contains links to many useful web sites and resources, including:
    • The F5 Networks Technical Support web site
    • The F5 Solution Center
    • The F5 DevCentral web site
    • Plug-ins, SNMP MIBs, and SSH clients
  • F5 Networks Technical Support web site
    The F5 Networks Technical Support web site, http://tech.f5.com, provides the latest documentation for the product, including:
    • Release notes for the BIG-IP system, current and past
    • Updates for guides (in PDF form)
    • Technical notes
    • Answers to frequently asked questions
    • The AskF5SM natural language question and answer engine
    To access this site, you need to register at http://tech.f5.com.
