The BIG-IP® system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the BIG-IP system's multilayer capabilities enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7. The following modules provide comprehensive traffic management and security for many traffic types. The modules are fully integrated to provide efficient solutions to meet any network, traffic management, and security needs.
The BIG-IP local traffic management system is specifically designed to manage your local network traffic. Local traffic management refers to the process of managing network traffic that comes into or goes out of a local area network (LAN), including an intranet.
This configuration guide applies to the set of local traffic management products that are part of the BIG-IP system family of products.
A commonly-used feature of the BIG-IP system is its ability to intercept and redirect incoming network traffic, for the purpose of intelligently tuning the load on network servers. However, tuning server load is not the only type of local traffic management. The BIG-IP system includes a variety of features that perform functions such as inspecting and transforming header and content data, managing SSL certificate-based authentication, and compressing HTTP responses. In so doing, the BIG-IP system not only directs traffic to the appropriate server resource, but also enhances network security and frees up server resources by performing tasks that web servers typically perform.
When configured properly, the BIG-IP system can perform a wide variety of traffic-management functions, such as:
While some of the functions on this list offer the basic ability to balance the load on your network servers, other functions on the list offer specialized abilities that are worth noting. These abilities include managing specific types of application traffic, optimizing server performance, and enhancing the security of your network. The following sections describe these specialized capabilities.
Applying configuration settings to customize the flow of application-specific traffic is a key feature of local traffic management. The BIG-IP system can control many different kinds of traffic, each in a different way. You do this by establishing a policy for managing each type of network traffic. Examples of traffic types that the system can manage are: TCP, UDP, HTTP, FTP, SSL, Session Initiation Protocol (SIP), i-mode®, and Microsoft® Remote Desktop Protocol (MSRDP).
In addition to creating separate policies to systematically manage these different traffic types, you can also do the following:
The BIG-IP system includes several features designed to optimize server performance. Such features either offload labor-intensive traffic management tasks, such as SSL certificate verification, or enable the pooling, re-use, and overall persistence of server-side connections.
The tasks that the BIG-IP system can offload from a network server are:
The BIG-IP system manages TCP and HTTP connections in certain ways to optimize server performance. Primary network optimization features are: OneConnect™, HTTP pipelining, HTTP data compression, RAM caching, and rate shaping.
The OneConnect™ feature contains the following components:
The OneConnect feature is disabled by default, but can easily be enabled by configuring a OneConnect profile. For more information on OneConnect, see Chapter 5, Understanding Profiles, and Chapter 6, Managing HTTP and FTP Traffic.
In addition to the OneConnect feature, the BIG-IP system has the ability to process pipelined requests. This means that the BIG-IP system can process a client request even if the previous request has not yet received a response. Pipelining is an optimization feature available for HTTP/1.1 requests only.
For more information on HTTP pipelining, see Chapter 6, Managing HTTP and FTP Traffic.
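Processing a pipelined request before the previous one has been answered only works if each request on the connection is delimited exactly; a proxy that frames the byte stream differently from the server behind it is a classic source of request-handling bugs. The following added example (not F5 code, and not how the BIG-IP system implements pipelining) shows the minimum framing such a component needs: it walks a constructed HTTP/1.1 byte stream, splits it into complete requests using Content-Length, stops cleanly at an incomplete request, and refuses ambiguous framing instead of guessing. Chunked bodies are deliberately out of scope here.

```python
"""Added illustration (not F5 code) of framing pipelined HTTP/1.1 requests.
Several requests arrive back to back on one connection; each must be
delimited exactly before it can be handed on. Sample bytes are constructed."""


class FramingError(ValueError):
    """Raised when a request cannot be delimited unambiguously."""


def split_pipelined(buf: bytes):
    """Return (requests, remainder).

    Each request is (request_line, headers, body). Parsing stops at the
    first incomplete request and returns the unconsumed bytes, so the
    caller can append more data and call again.
    """
    requests = []
    while buf:
        end = buf.find(b"\r\n\r\n")
        if end < 0:
            break  # header block incomplete; wait for more data
        head, rest = buf[:end], buf[end + 4:]
        lines = head.split(b"\r\n")
        request_line = lines[0].decode("ascii")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if not sep:
                raise FramingError("malformed header line")
            key = name.strip().lower().decode("ascii")
            # A second copy of a framing header makes the body length ambiguous.
            if key in ("content-length", "transfer-encoding") and key in headers:
                raise FramingError(f"duplicate {key} header")
            headers[key] = value.strip().decode("ascii")
        if "transfer-encoding" in headers:
            if "content-length" in headers:
                raise FramingError("both Transfer-Encoding and Content-Length present")
            raise FramingError("chunked bodies are not handled in this example")
        length_text = headers.get("content-length", "0")
        if not length_text.isdigit():
            raise FramingError("non-numeric Content-Length")
        length = int(length_text)
        if len(rest) < length:
            break  # body incomplete; leave the whole request in the buffer
        body, buf = rest[:length], rest[length:]
        requests.append((request_line, headers, body))
    return requests, buf


# Constructed sample stream: two complete requests followed by a partial one.
SAMPLE_STREAM = (
    b"GET /a HTTP/1.1\r\nHost: example.com\r\n\r\n"
    b"POST /b HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\n\r\nhello"
    b"GET /c HTTP/1.1\r\nHost: exa"
)

# Constructed sample with conflicting framing headers.
AMBIGUOUS_STREAM = (
    b"POST / HTTP/1.1\r\nContent-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\nabc"
)

if __name__ == "__main__":
    done, pending = split_pipelined(SAMPLE_STREAM)
    for line, hdrs, body in done:
        print(line, hdrs, body)
    print("pending bytes:", pending)
```

The function is a pure byte-level parser, so it can be driven from a socket loop by concatenating the returned remainder with the next read.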
To reduce the load on your back-end servers, you can configure an HTTP profile to compress HTTP responses. When the BIG-IP system compresses HTTP responses, the back-end servers processing the HTTP traffic no longer need to use resources to perform data compression.
The BIG-IP system can store HTTP objects in the BIG-IP system's RAM. Subsequent connections can then re-use these objects, to reduce the amount of load on back-end servers.
Rate shaping is a feature that allows you to categorize certain types of connections into rate classes, for the purpose of customizing the throughput of those connections. This is useful, for example, when you want to optimize web-server performance for preferred Internet customers.
The BIG-IP system includes significant TCP optimizations, such as in-order delivery and content spooling.
Security is an important consideration in managing local network traffic. Accordingly, the BIG-IP system contains a number of features designed to assist in preventing security breaches. These features pertain not only to authenticating and authorizing users and applications, but also to detecting intrusions and mitigating DoS attacks.
In general, when the BIG-IP system detects a security problem, it can take actions such as:
An important consideration for any networked environment is the authentication and authorization mechanism that you use to authenticate users and their client requests and to control user and application access to server resources. To this end, the BIG-IP system supports Pluggable Authentication Module (PAM) technology, and provides a complete set of PAM authentication modules that you can choose from to handle your authentication or authorization needs.
The authentication modules that the BIG-IP system provides are as follows:
Not only can you control authentication and authorization of application traffic, you can also control access to BIG-IP system resources by BIG-IP system administrators. User roles such as Administrator, Operator, and Guest define both the scope of user access to system objects, and the types of tasks users can perform on those objects.
Once you have set up your base network, have administrative access to the BIG-IP system, and have at least a default VLAN assignment for each interface, the next step is to configure a network for managing traffic targeted to your internal servers.
At the heart of the BIG-IP system are virtual servers and load balancing pools. Virtual servers receive incoming traffic, perform basic source IP and destination IP address translation, and direct traffic to servers, which are grouped together in load balancing pools.
To configure a basic local traffic management system, you use the Configuration utility. With this utility, you can create a complete set of configuration objects that work together to perform local traffic management. Each object has a set of configuration settings that you can use as is or change to suit your needs. These objects are:
When you create configuration objects, you can choose to perform either basic or advanced configuration:
The three most important objects in the BIG-IP system that you must configure for local traffic management are:
When you create a virtual server, you specify the type of virtual server you want, that is, a host virtual server or a network virtual server. Then you can attach various properties and resources to it, such as application-specific profiles, session persistence, and user-written scripts called iRules that define pool-selection criteria. All of these properties and resources, when associated with a virtual server, determine how the BIG-IP system manages local traffic.
When you create and configure a virtual server, you use the part of the Configuration utility screen shown in Figure 1.1.
For more information on virtual servers, see Chapter 2, Configuring Virtual Servers.
A load balancing pool is a collection of internal servers that you group together to service client requests. A server in a pool is referred to as a pool member. Using the default load balancing algorithm, known as Round Robin, the BIG-IP system sends a client request to a member of that pool.
To implement a load balancing pool, you first create the pool, and then you associate the pool name with an existing virtual server. A virtual server sends client requests to the pool or pools that are associated with it. The virtual server screen shown in Figure 1.1 includes a setting, Default Pool, for specifying a pool name.
Pools have settings associated with them, such as IP addresses for pool members, load balancing modes, and health and performance monitors. When you create a pool, you can use the default values for some of these settings, or change them to better suit your needs.
To create and configure a load balancing pool, you use the Pools screen of the Configuration utility. Figure 1.2 shows part of this screen.
For more information on load balancing pools, see Chapter 4, Configuring Load Balancing Pools.
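To make the relationship between virtual servers and pools concrete, here is an added example (my own illustration, not F5 code and not the BIG-IP system's internal logic) that models a host virtual server and a network virtual server, selects the most specific one for an incoming destination, and then hands the request to a pool member in Round Robin order while skipping members whose monitor has marked them down. The member "up" flag, the precedence rule (longest destination prefix, then explicit port over any-port) and all addresses are constructed for the example; members use private addresses as this guide's own examples do.

```python
"""Added illustration (not F5 code): virtual server selection and
Round Robin pool member selection with monitor-aware skipping."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class PoolMember:
    address: str
    port: int
    up: bool = True  # constructed stand-in for a health monitor's status


@dataclass
class Pool:
    name: str
    members: list
    _next: int = 0  # cursor for Round Robin

    def select(self):
        """Return the next member that is up, or None if every member is down."""
        n = len(self.members)
        for _ in range(n):
            member = self.members[self._next % n]
            self._next = (self._next + 1) % n
            if member.up:
                return member
        return None


@dataclass
class VirtualServer:
    name: str
    destination: str  # host: "192.0.2.10/32"; network: "192.0.2.0/24"
    port: int         # 0 means any port
    pool: Pool
    profiles: tuple = ()

    @property
    def network(self):
        return ip_network(self.destination, strict=False)

    def matches(self, dst_ip, dst_port):
        return ip_address(dst_ip) in self.network and self.port in (0, dst_port)


def find_virtual(virtuals, dst_ip, dst_port):
    """Most specific destination wins: a host virtual server takes precedence
    over a network one, and an explicit port over an any-port definition
    (assumed ordering for this example)."""
    hits = [v for v in virtuals if v.matches(dst_ip, dst_port)]
    if not hits:
        return None
    return max(hits, key=lambda v: (v.network.prefixlen, v.port != 0))


def route(virtuals, dst_ip, dst_port):
    """Return (virtual server name, 'member:port') or None when no virtual
    server matches; the member is None when the whole pool is down."""
    vs = find_virtual(virtuals, dst_ip, dst_port)
    if vs is None:
        return None
    member = vs.pool.select()
    if member is None:
        return (vs.name, None)
    return (vs.name, f"{member.address}:{member.port}")


def demo_config():
    """Constructed configuration: one host virtual server with an HTTP
    profile and a three-member pool, one network virtual server for the
    rest of the subnet."""
    web_pool = Pool("web_pool", [PoolMember("10.0.0.10", 80),
                                 PoolMember("10.0.0.11", 80),
                                 PoolMember("10.0.0.12", 80)])
    any_pool = Pool("any_pool", [PoolMember("10.0.1.10", 8080)])
    return [
        VirtualServer("web_vs", "192.0.2.10/32", 80, web_pool, ("http",)),
        VirtualServer("net_vs", "192.0.2.0/24", 0, any_pool),
    ]


if __name__ == "__main__":
    cfg = demo_config()
    for _ in range(4):
        print(route(cfg, "192.0.2.10", 80))
    print(route(cfg, "192.0.2.25", 443))
```

Marking a member down and calling `route` again shows the cursor moving past it, which is the behaviour a monitor gives you in practice.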
A profile is a group of configuration settings that apply to a specific type of network traffic, such as HTTP connections. If you want the virtual server to manage a type of traffic, you can associate the applicable profile with the virtual server, and the virtual server applies that profile's settings to all traffic of that type.
For example, you might want the BIG-IP system to compress HTTP response data. In this case, you can configure an HTTP profile to enable compression, and associate the profile with a virtual server. Then, when the virtual server processes an HTTP request, the BIG-IP system compresses the response.
There are several types of profiles that you can create for your own needs. They are: HTTP, FTP, Persistence, Fast L4, Fast HTTP, TCP, UDP, Client and Server SSL, Authentication, OneConnect, Statistics, and Stream. When you create a profile, you can use the default values for the settings, or change them to better suit your needs.
For example, when you create and configure an HTTP profile, you use the part of the Configuration utility screen shown in Figure 1.3.
For more information on configuring profiles, see Chapter 5, Understanding Profiles, and one of the following chapters:
All users need to use the web-based Configuration utility in order to license the system for the first time.
In addition to setting up the management network and initial traffic management software configuration, you use the Configuration utility to configure and monitor the BIG-IP system. You can use the Configuration utility to perform additional configuration steps necessary for your configuration. In the Configuration utility, you can also monitor current system performance. Most procedures in this guide use the Configuration utility.
For information on setting user preferences for the Configuration utility, see the BIG-IP® Network and System Management Guide. For information on supported browsers, see the release notes on AskF5℠.
This guide describes how to configure the BIG-IP local traffic management system to manage traffic coming into, or leaving, the local traffic network. Before you can configure the features described in this guide, you must install the BIG-IP system, license the system, and use the Setup utility to set up the network configuration.
In addition to this guide, there are other sources of documentation you can use to work with the BIG-IP system. The information is organized into the guides and documents described below. The following printed documentation is included with the BIG-IP system.
The following guides are available in PDF format from the AskF5℠ web site, http://tech.f5.com. These guides are also available from the first web page you see when you log in to the administrative web server on the BIG-IP system.
To help you easily identify and understand important information, our documentation uses the stylistic conventions described below.
All examples in this documentation use only private class IP addresses. When you configure your own system, you must use valid IP addresses suitable to your own network in place of our sample addresses.
To help you identify sections where a term is defined, the term itself is shown in bold italic text. For example, a virtual server is a specific combination of a virtual address and virtual port, associated with a content site that is managed by a BIG-IP system or other type of host server.
We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands, such as variables and keywords. For example, you can set the Idle Timeout value to 5.
We use italic text to denote a reference to another document. In references where we provide the name of a book as well as a specific chapter or section in the book, we show the book name in bold, italic text, and the chapter/section name in italic text to help quickly differentiate the two. For example, for installation instructions, refer to Chapter 1, Installing the Software, in the Installation, Licensing, and Upgrades for BIG-IP® Systems guide.
You can find additional technical documentation and product information in the following locations: