Manual Chapter: Configuration Guide for BIG-IP Local Traffic Management: 8 - Managing Protocol Profile
Managing Protocol Profiles


Introducing protocol profiles

Some of the profiles that you can configure are known as Protocol profiles. The Protocol profile types are:

  • Fast L4
  • Fast HTTP
  • TCP
  • UDP

For each Protocol profile type, the BIG-IP system provides a pre-configured profile with default settings. In most cases, you can use these default profiles as is. If you want to change these settings, you can configure protocol profile settings when you create a profile, or after profile creation by modifying the profile's settings.

The remainder of this chapter lists the traffic-management settings contained in the Fast L4, Fast HTTP, TCP, and UDP profiles. For information on configuring other types of profiles, see the following:

Configuring a Fast L4 profile

The purpose of a Fast L4 profile is to help you manage Layer 4 traffic more efficiently. When you assign a Fast L4 profile to a virtual server, the Packet Velocity® ASIC (PVA) hardware acceleration within the BIG-IP system can process some or all of the Layer 4 traffic passing through the system. By offloading Layer 4 processing to the PVA hardware acceleration, the BIG-IP system can increase performance and throughput for basic routing functions (Layer 4) and application switching (Layer 7).

You can use a Fast L4 profile with these types of virtual servers: Performance (Layer 4), Forwarding (Layer 2), and Forwarding (IP). Therefore, you can use a Fast L4 profile when you do not need the following traffic management features:

  • HTTP optimizations
  • TCP optimizations
  • OneConnect™
  • iRules™ for non-Layer 4 events
  • Session persistence types other than source address affinity or destination address affinity persistence
  • HTTP data compression
  • Remote authentication
  • HTTP pipelining

Understanding Fast L4 profile settings

You can use the default fastl4 profile as is, or create a custom Fast L4 profile. For typical needs, most of the default values for the Fast L4 profile settings suffice. The specific settings that you might want to change are Reset on Timeout and Idle Timeout.

Note

Any changes you make to an existing Fast L4 profile take effect on a connection only after the Idle Timeout value has expired or the connection is closed.

Table 8.1 lists and describes the settings of a Fast L4 profile.

Table 8.1 Settings of a Fast L4 profile

Setting: Name
Description: This setting specifies a unique name for the profile.
Default Value: No default value

Setting: Parent Profile
Description: This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all non-custom settings and values from the parent profile specified.
Default Value: fastL4

Setting: Reset on Timeout
Description: If this setting is enabled and a TCP connection exceeds the timeout value for idle connections, the BIG-IP system sends a reset in addition to deleting the connection.
Default Value: Enabled

Setting: Reassemble IP Fragments
Description: If this setting is enabled, the BIG-IP system reassembles IP fragments.
Default Value: Disabled

Setting: Idle Timeout
Description: This setting specifies the number of seconds that a connection is idle before the connection is eligible for deletion.
Default Value: 300

Setting: TCP Handshake Timeout
Description: Possible values are:
  • Specify: Specifies the acceptable duration for a TCP handshake, that is, the maximum idle time between a client SYN and a client ACK. If the TCP handshake takes longer than the timeout, the system automatically closes the connection.
  • Disabled: Specifies that the system does not apply a timeout to a TCP handshake.
  • Indefinite: Specifies that the acceptable duration for a TCP handshake is indefinite.
Default Value: 5

Setting: Max Segment Size Override
Description: Overrides the maximum segment size (MSS), which is 1460. Possible values are:
  • Disabled: Specifies that you want the maximum segment size to remain at 1460.
  • Specify: Permits you to override the maximum segment size (1460) by specifying a number. Note that specifying a value of 0 is equivalent to retaining the default value (Disabled).
Default Value: Disabled

Setting: PVA Acceleration
Description: This setting specifies the maximum acceleration mode that you prefer the system to use. Note that depending on the virtual server configuration, the system might or might not accelerate traffic in this mode. Possible values are Full, Assisted, or None. Additional information on this setting follows this table.
Default Value: Full

Setting: IP ToS to Client
Description: This setting specifies the Type of Service level that the BIG-IP system assigns to UDP packets when sending them to clients.
Default Value: Pass Through

Setting: IP ToS to Server
Description: This setting specifies the Type of Service level that the BIG-IP system assigns to UDP packets when sending them to servers.
Default Value: Pass Through

Setting: Link QoS to Client
Description: This setting specifies the Quality of Service level that the BIG-IP system assigns to UDP packets when sending them to clients.
Default Value: Pass Through

Setting: Link QoS to Server
Description: This setting specifies the Quality of Service level that the BIG-IP system assigns to UDP packets when sending them to servers.
Default Value: Pass Through

Setting: TCP Timestamp Mode
Description: Specifies the action that the BIG-IP system should take on TCP timestamps. Possible values are: Preserve, Strip, and Rewrite.
Default Value: Preserve

Setting: TCP Window Scale Mode
Description: Specifies the action that the BIG-IP system should take on TCP windows. Possible values are: Preserve, Strip, and Rewrite.
Default Value: Preserve

Setting: Generate Internal Sequence Numbers
Description: Enables the BIG-IP system to generate its own sequence numbers for SYN packets, according to RFC 1948. When enabled, this setting allows timestamp recycling.
Default Value: Disabled

Setting: Strip Sack OK
Description: Enables the BIG-IP system to block a TCP SackOK option from passing to the server on an initiating SYN.
Default Value: Disabled

Setting: RTT from Client
Description: Specifies that the BIG-IP system should use TCP timestamp options to measure the round-trip time to the client.
Default Value: Disabled

Setting: RTT from Server
Description: Specifies that the BIG-IP system should use TCP timestamp options to measure the round-trip time to the server.
Default Value: Disabled

Setting: Loose Initiation
Description: Specifies, when checked (enabled), that the system initializes a connection when it receives any TCP packet, rather than requiring a SYN packet for connection initiation. The default is disabled. We recommend that if you enable the Loose Initiation setting, you also enable the Loose Close setting.
  Important: Enabling loose initiation can permit stray packets to pass through the system. This can pose a security risk and reduce system performance.
Default Value: Disabled

Setting: Loose Close
Description: Specifies, when checked (enabled), that the system closes a loosely-initiated connection when the system receives the first FIN packet from either the client or the server.
Default Value: Disabled

Setting: TCP Close Timeout
Description: Specifies the length of time in seconds that a connection can remain idle before deletion, once the system receives a CLOSE packet for that connection. The TCP Close Timeout value must be less than the Idle Timeout value. Also, the TCP Close Timeout value is valid only if you enable the Loose Initiation or the Loose Close settings.
Default Value: 5


Configuring PVA hardware acceleration

Once you implement a Fast L4 profile, the BIG-IP system automatically selects the most efficient PVA hardware acceleration mode for Layer 4 traffic. Possible modes are Full, Assisted, and None.

The particular hardware acceleration mode that the BIG-IP system selects depends on these factors:

  • The Fast L4 profile settings
    The mode that the BIG-IP system selects is influenced by the way that you configure the settings of the Fast L4 profile.
  • The virtual server configuration
    The mode that the BIG-IP system selects is influenced by the specific features that you assigned to the virtual server (such as pools, SNAT pools, and iRules).
  • A monitor assigned to associated nodes
    For full PVA acceleration, you must assign monitors to the relevant nodes.
  • The value of the PVA Acceleration setting
    The PVA Acceleration setting in the Fast L4 profile defines the maximum amount of hardware acceleration that you want to allow, for Layer 4 traffic passing through the virtual server. Therefore, if you set the value to:
    • Full: The system can set hardware acceleration to any of the three modes (Full, Assisted, or None), depending on the virtual server configuration. This is the default value.
    • Assisted: The system can set hardware acceleration to either Assisted or None mode, depending on the virtual server configuration.
    • None: The system does not perform hardware acceleration.

One reason that you might want to set the maximum hardware acceleration setting to less than Full is for viewing connections with the bigpipe conn show command. This command only shows Layer 4 connections when the hardware acceleration mode is set to Assisted or None. If the mode is set to Full, the bigpipe conn show command shows no Layer 4 connections.

Depending on the current mode to which hardware acceleration is automatically set, the BIG-IP system accelerates Layer 4 traffic as described in Table 8.2.

Table 8.2 Effect of PVA hardware acceleration mode on Layer 4 traffic

Hardware Acceleration Mode: Full
Result: The hardware acceleration processes all Layer 4 traffic. Layer 4 traffic is not managed through the use of BIG-IP software features. In this case, the BIG-IP system treats client-side and server-side packets as part of the same connection.
  Example: An example of using hardware acceleration in Full mode is when you want to load balance Layer 4 traffic to two servers, using the Round Robin load balancing method, with no session persistence or iRules.

Hardware Acceleration Mode: Assisted
Result: The BIG-IP system load balances all SYN packets, while the hardware acceleration assists with the remaining packets, including the tearing down of connections.
  Example: An example of using hardware acceleration in Assisted mode is when you want to load balance Layer 4 traffic using a dynamic load balancing method, or using a simple iRule that examines the IP addresses contained in the packets.
  Note: When the BIG-IP system sets the hardware acceleration mode to Assisted, a Fast L4 profile is compatible with SNATs and SNAT pools, as well as with source address affinity persistence.

Hardware Acceleration Mode: None
Result: The hardware acceleration does not process any Layer 4 traffic. The BIG-IP application manages all Layer 4 traffic. In this case, the BIG-IP system treats client-side and server-side packets as separate connections.
  Example: An example of using hardware acceleration in None mode is when you want to load balance traffic using an HTTP profile, as well as an iRule that performs delayed binding and cookie session persistence.
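The following Python model, added here as an illustration and not code from F5 or from this guide, shows how the PVA Acceleration value acts as a ceiling while the virtual server's features (Table 8.2) decide how much acceleration is actually possible. The VirtualServer fields, the rule that unmonitored nodes cap the mode at Assisted, and the treatment of CLIENT_ACCEPTED and SERVER_CONNECTED as the only Layer 4 iRule events are assumptions made for the example.

```python
"""Model of how the BIG-IP system arrives at an effective PVA hardware
acceleration mode: the profile's PVA Acceleration value is a ceiling, and
the virtual server's features decide how much acceleration is possible
(Table 8.2). Feature names are constructed for this example."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Ordered from least to most hardware acceleration.
MODES = ("None", "Assisted", "Full")

# Assumption: a "simple" Layer 4 iRule uses only these events; anything else
# (for example HTTP_REQUEST) is Layer 7 work that the hardware cannot do.
LAYER4_EVENTS = {"CLIENT_ACCEPTED", "SERVER_CONNECTED"}
ADDRESS_AFFINITY = {"source_address", "destination_address"}


@dataclass
class VirtualServer:
    nodes_monitored: bool = True          # Full mode requires monitors on the nodes
    lb_method: str = "round_robin"        # any other method is treated as dynamic
    snat: bool = False                    # a SNAT or SNAT pool is assigned
    persistence: Optional[str] = None     # e.g. "source_address" or "cookie"
    irule_events: Tuple[str, ...] = ()    # events handled by the assigned iRule
    http_profile: bool = False
    delayed_binding: bool = False         # iRule performs delayed binding


def highest_possible_mode(vs: VirtualServer) -> str:
    """Most acceleration the virtual server's features allow, per Table 8.2."""
    layer7 = (
        vs.http_profile
        or vs.delayed_binding
        or (vs.persistence is not None and vs.persistence not in ADDRESS_AFFINITY)
        or bool(set(vs.irule_events) - LAYER4_EVENTS)
    )
    if layer7:
        # Software handles all Layer 4 traffic; client and server sides are
        # separate connections.
        return "None"
    needs_software_syn = (
        vs.snat
        or vs.persistence is not None
        or vs.lb_method != "round_robin"
        or bool(vs.irule_events)
        or not vs.nodes_monitored   # assumption: no monitors caps the mode at Assisted
    )
    if needs_software_syn:
        # BIG-IP load balances the SYNs, the hardware handles the remaining packets.
        return "Assisted"
    return "Full"


def effective_mode(pva_acceleration: str, vs: VirtualServer) -> str:
    """Clamp the feature-derived mode to the ceiling set in the Fast L4 profile."""
    if pva_acceleration not in MODES:
        raise ValueError(f"PVA Acceleration must be one of {MODES}")
    ceiling = MODES.index(pva_acceleration)
    possible = MODES.index(highest_possible_mode(vs))
    return MODES[min(ceiling, possible)]


def visible_in_bigpipe_conn_show(mode: str) -> bool:
    """bigpipe conn show lists Layer 4 connections only outside Full mode."""
    return mode != "Full"


if __name__ == "__main__":
    plain = VirtualServer()                       # round robin, monitored, nothing else
    with_snat = VirtualServer(snat=True)
    l7 = VirtualServer(http_profile=True, persistence="cookie")
    for label, vs in (("plain", plain), ("snat", with_snat), ("layer7", l7)):
        mode = effective_mode("Full", vs)
        print(f"{label:7s} -> {mode:9s} visible in conn show: {visible_in_bigpipe_conn_show(mode)}")
```

Lowering the ceiling to Assisted on a plain Layer 4 virtual server is the trade-off the text describes: the connections become visible to bigpipe conn show at the cost of the hardware no longer handling the SYNs.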


Configuring a Fast HTTP profile

The Fast HTTP profile is a configuration tool designed to speed up certain types of HTTP connections. This profile combines selected features from the TCP, HTTP, and OneConnect profiles into a single profile that is optimized for the best possible network performance. When you associate this profile with a virtual server, the virtual server processes traffic packet-by-packet, and at a significantly higher speed.

You might consider using a Fast HTTP profile when:

  • You do not need features such as session persistence, remote server authentication, SSL traffic management, and TCP optimizations, nor HTTP features such as data compression, pipelining, and RAM Cache.
  • You do not need to maintain source IP addresses.
  • You want to reduce the number of connections that are opened to the destination servers.
  • The destination servers support connection persistence, that is, HTTP/1.1, or HTTP/1.0 with Keep-Alive headers. Note that IIS servers support connection persistence by default.
  • You need basic iRule support only (such as limited Layer 4 support and limited HTTP header operations). For example, you can use the iRule events CLIENT_ACCEPTED, SERVER_CONNECTED, and HTTP_REQUEST.

A significant benefit of using a Fast HTTP profile is the way in which the profile supports connection persistence. Using a Fast HTTP profile ensures that for client requests, the BIG-IP system can transform or add an HTTP Connection header to keep connections open. Using the profile also ensures that the BIG-IP system pools any open server-side connections. This support for connection persistence can greatly reduce the load on destination servers by removing much of the overhead caused by the opening and closing of connections. For more information on HTTP header transformation, see Chapter 6, Managing HTTP and FTP Traffic. For more information on the pooling of server-side connections, see Chapter 11, Using Additional Profiles.

Note

The Fast HTTP profile is incompatible with all other profile types. Also, you cannot use this profile type in conjunction with VLAN groups, or with the IPv6 address format.

Understanding Fast HTTP profile settings

You can use the default fasthttp profile as is, or create a custom Fast HTTP profile. Table 8.3 lists and describes the settings of the Fast HTTP profile.

Table 8.3 Settings of a Fast HTTP profile

Setting: Name
Description: Specifies a unique name for the profile.
Default Value: No default value

Setting: Parent Profile
Description: Specifies the profile that you want to use as the parent profile. Your new profile inherits all non-custom settings and values from the parent profile specified.
Default Value: fasthttp

Setting: Reset on Timeout
Description: Specifies, when checked (enabled), that the system sends a TCP RESET packet when a connection times out, and deletes the connection.
Default Value: Enabled (Checked)

Setting: Idle Timeout
Description: This setting specifies the number of seconds that a connection is idle before the connection flow is eligible for deletion because it has no traffic. Possible values are: Specify, Immediate, and Indefinite. For more information, see the online help.
Default Value: 300

Setting: Maximum Segment Size Override
Description: Specifies a maximum segment size (MSS) override for server-side connections. The default setting is 0, which corresponds to an MSS of 1460. To override this size, you can specify any integer between 536 and 1460.
Default Value: 0

Setting: Client Close Timeout
Description: Specifies the number of seconds after which the system closes a client connection, when the system either receives a client FIN packet or sends a FIN packet to the client. This setting overrides the Idle Timeout setting. Possible values are: Specify, Immediate, and Indefinite. For more information, see the online help.
Default Value: 5

Setting: Server Close Timeout
Description: Specifies the number of seconds after which the system closes a client connection, when the system either receives a server FIN packet or sends a FIN packet to the server. This setting overrides the Idle Timeout setting. Possible values are: Specify, Immediate, and Indefinite. For more information, see the online help.
Default Value: 5

Setting: Unclean Shutdown
Description: Specifies how the system handles closing connections. Possible values are: Disabled, Enabled, and Fast. For more information, see the online help.
Default Value: Disabled

Setting: Force HTTP 1.0 Response
Description: Specifies, when checked (enabled), that the server sends responses to clients in the HTTP/1.0 format. This effectively disables client chunking and pipelining.
Default Value: Disabled (Cleared)

Setting: Maximum Pool Size
Description: Specifies the maximum number of connections a load balancing pool can accept. A setting of 0 specifies that there is no maximum; that is, a pool can accept an unlimited number of connections.
Default Value: 2048

Setting: Minimum Pool Size
Description: Specifies the minimum number of connections that a load balancing pool can accept. A setting of 0 specifies that there is no minimum.
Default Value: 0

Setting: Ramp-Up Increment
Description: Specifies the increment in which the system makes additional connections available, when all available connections are in use.
Default Value: 4

Setting: Maximum Reuse
Description: Specifies the maximum number of times that the system can re-use a current connection.
Default Value: 0

Setting: Idle Timeout Override
Description: Specifies the number of seconds after which a server-side connection in a pool is eligible for deletion, when the connection has no traffic. This setting overrides the Idle Timeout setting. Possible values are: Specify, Disabled, and Indefinite. For more information, see the online help.
Default Value: Disabled

Setting: Replenish
Description: Specifies whether the BIG-IP system should maintain a steady-state maximum number of back-end connections. If you disable this setting, the system does not keep a steady-state maximum of connections to the back end, unless the number of connections to the pool drops below the value specified in the Minimum Pool Size setting.
Default Value: Enabled (Checked)

Setting: Parse Requests
Description: Specifies, when checked (enabled), that the system parses the HTTP data in the connection stream. Note that if you are using a Fast HTTP profile for non-HTTP traffic, you should disable this setting to shield against dynamic denial-of-service (DDOS) attacks.
Default Value: Enabled (Checked)

Setting: Maximum Header Size
Description: Specifies the maximum amount of HTTP header data that the system buffers before making a load balancing decision.
Default Value: 32768

Setting: Maximum Requests
Description: Specifies the maximum number of requests that the system allows for a single client-side connection. When the specified limit is reached, the final response contains a Connection: close header and is followed by the closing of the connection. The default setting of 0 means that the system allows an infinite number of requests per client-side connection.
Default Value: 0

Setting: Insert XForwarded For
Description: Specifies whether the system inserts the X-Forwarded-For header in an HTTP request with the client IP address, to use with connection pooling. Possible settings are Enabled and Disabled. For more information, see the online help.
Default Value: Disabled

Setting: Request Header Insert
Description: Specifies a string that the system inserts as a header in an HTTP request. If the header exists already, the system does not replace it.
Default Value: No default value
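The Fast L4 table (Table 8.1) and the Fast HTTP table (Table 8.3) each state relationships between settings that are easy to get wrong: Loose Initiation should be paired with Loose Close and carries a security cost, TCP Close Timeout must be below Idle Timeout and is only meaningful with a loose setting, the Fast HTTP MSS override must be 0 or 536 to 1460, and Parse Requests should be off for non-HTTP traffic. The following Python lint, added here as an example and not part of the F5 product or this guide, checks those rules over a weak profile and a corrected one. The profile dicts and their key names are constructed for the example and are not BIG-IP configuration keys; the check that Minimum Pool Size does not exceed Maximum Pool Size is an assumption not stated in the text.

```python
"""Lint for Fast L4 and Fast HTTP profile settings against the relationships
this chapter states. The profile dicts and their key names are constructed
for this example; they are not BIG-IP configuration keys."""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]          # (code, message)
MSS_MIN, MSS_MAX = 536, 1460       # Fast HTTP override range; 0 keeps the 1460 default
DEFAULT_CLOSE_TIMEOUT = 5          # Fast L4 TCP Close Timeout default


def lint_fastl4(profile: Dict[str, Any]) -> List[Finding]:
    """Fast L4: loose-initiation exposure plus the TCP Close Timeout rules."""
    findings: List[Finding] = []
    idle = profile.get("idle_timeout", 300)
    close = profile.get("tcp_close_timeout", DEFAULT_CLOSE_TIMEOUT)
    loose_init = profile.get("loose_initiation", False)
    loose_close = profile.get("loose_close", False)

    if loose_init:
        findings.append(("L4-LOOSE-INIT",
                         "Loose Initiation lets any TCP packet, not only a SYN, create a "
                         "connection; stray packets can pass through the system"))
        if not loose_close:
            findings.append(("L4-LOOSE-CLOSE",
                             "Loose Initiation is enabled without Loose Close, so loosely "
                             "initiated connections are not closed on the first FIN"))
    if close >= idle:
        findings.append(("L4-CLOSE-TIMEOUT",
                         f"TCP Close Timeout ({close}s) must be less than Idle Timeout ({idle}s)"))
    # Heuristic: a non-default close timeout with neither loose setting is dead configuration.
    if close != DEFAULT_CLOSE_TIMEOUT and not (loose_init or loose_close):
        findings.append(("L4-CLOSE-UNUSED",
                         "TCP Close Timeout only takes effect when Loose Initiation or "
                         "Loose Close is enabled"))
    if profile.get("pva_acceleration", "Full") not in ("Full", "Assisted", "None"):
        findings.append(("L4-PVA", "PVA Acceleration must be Full, Assisted, or None"))
    return findings


def lint_fasthttp(profile: Dict[str, Any], carries_http: bool = True) -> List[Finding]:
    """Fast HTTP: MSS range, Parse Requests on non-HTTP traffic, pool bounds.
    carries_http says whether the virtual server really receives HTTP."""
    findings: List[Finding] = []
    mss = profile.get("mss_override", 0)
    if mss != 0 and not (MSS_MIN <= mss <= MSS_MAX):
        findings.append(("FH-MSS",
                         f"MSS override {mss} is outside {MSS_MIN}-{MSS_MAX}; 0 keeps the default"))
    if profile.get("parse_requests", True) and not carries_http:
        findings.append(("FH-PARSE",
                         "Parse Requests is enabled for non-HTTP traffic; disable it so the "
                         "system does not parse the stream as HTTP"))
    max_pool = profile.get("max_pool_size", 2048)
    min_pool = profile.get("min_pool_size", 0)
    if max_pool != 0 and min_pool > max_pool:   # assumption: a floor above the ceiling is a mistake
        findings.append(("FH-POOL-RANGE",
                         f"Minimum Pool Size {min_pool} exceeds Maximum Pool Size {max_pool}"))
    return findings


def codes(findings: List[Finding]) -> List[str]:
    return [code for code, _ in findings]


# Constructed sample profiles: a weak configuration beside its corrected form.
WEAK_FASTL4 = {"idle_timeout": 300, "tcp_close_timeout": 600,
               "loose_initiation": True, "loose_close": False}
HARDENED_FASTL4 = {"idle_timeout": 300, "tcp_close_timeout": 5,
                   "loose_initiation": False, "loose_close": False}
WEAK_FASTHTTP = {"mss_override": 100, "parse_requests": True,
                 "max_pool_size": 32, "min_pool_size": 64}
HARDENED_FASTHTTP = {"mss_override": 1400, "parse_requests": False,
                     "max_pool_size": 2048, "min_pool_size": 16}


if __name__ == "__main__":
    for name, result in (("weak fastl4", lint_fastl4(WEAK_FASTL4)),
                         ("hardened fastl4", lint_fastl4(HARDENED_FASTL4)),
                         ("weak fasthttp", lint_fasthttp(WEAK_FASTHTTP, carries_http=False)),
                         ("hardened fasthttp", lint_fasthttp(HARDENED_FASTHTTP, carries_http=False))):
        print(f"{name}: {len(result)} finding(s)")
        for code, message in result:
            print(f"  [{code}] {message}")
```

The carries_http flag is deliberately an input rather than something inferred from the profile: the profile cannot know what traffic the virtual server receives, which is exactly why the Parse Requests note in Table 8.3 leaves that decision to the administrator.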


When writing iRules, you can specify a number of events and commands that the Fast HTTP profile supports. For more information about these iRule events and commands, see the web site http://devcentral.f5.com, as well as Chapter 15, Writing iRules.

Configuring TCP profiles

TCP profiles are configuration tools that help you to manage TCP network traffic. Many of the configuration settings of TCP profiles are standard SYSCTL types of settings, while others are unique to the BIG-IP system.

TCP profiles are important because they are required for implementing certain types of other profiles. For example, by implementing TCP, HTTP, and OneConnect profiles, along with a persistence profile and a remote authentication profile, you can take advantage of these traffic management features:

  • Content spooling, to reduce server load
  • OneConnect, to pool server-side connections
  • Layer 7 session persistence, such as hash or cookie persistence
  • iRules for managing HTTP traffic
  • HTTP RAM Cache
  • HTTP data compression
  • HTTP pipelining
  • Application authentication using a remote server
  • Rewriting of HTTP redirections

The BIG-IP system contains a default TCP profile (tcp) that F5 Networks has created for you. You can implement this profile as is, or you can change the value of the settings to suit your needs.

Understanding TCP profile settings

You can use the default tcp profile as is, or create a custom TCP profile. Table 8.4 lists and describes the settings of a TCP profile.

Table 8.4 Settings of a TCP profile

Setting: Name
Description: Specifies a unique name for the profile.
Default Value: No default value

Setting: Parent Profile
Description: Specifies the profile that you want to use as the parent profile. Your new profile inherits all non-custom settings and values from the parent profile specified.
Default Value: tcp

Setting: Reset on Timeout
Description: If this setting is enabled and a TCP connection exceeds the timeout value for idle connections, the system sends a reset in addition to deleting the connection.
Default Value: Enabled (Checked)

Setting: Time Wait Recycle
Description: Recycles the connection when a SYN packet is received in a TIME-WAIT state.
Default Value: Enabled (Checked)

Setting: Delayed ACKs
Description: If this setting is enabled, allows coalescing of multiple acknowledgement (ACK) responses.
Default Value: Enabled (Checked)

Setting: Proxy Maximum Segment
Description: Advertises the same maximum segment to the server as was negotiated with the client.
Default Value: Disabled (Cleared)

Setting: Proxy Options
Description: Advertises an option (such as timestamps) to the server only if it was negotiated with the client.
Default Value: Disabled (Cleared)

Setting: Proxy Buffer Low
Description: Specifies the proxy buffer level at which the receive window is opened.
Default Value: 4096

Setting: Proxy Buffer High
Description: Specifies the proxy buffer level at which the receive window is closed.
Default Value: 16384

Setting: Idle Timeout
Description: Specifies the number of seconds that a connection is idle before the connection is eligible for deletion.
Default Value: 300

Setting: Time Wait
Description: Specifies the number of milliseconds that a connection is in a TIME-WAIT state before entering the CLOSED state.
Default Value: 2000

Setting: FIN Wait
Description: Specifies the number of seconds that a connection is in the FIN-WAIT or CLOSING state before quitting. A value of 0 represents a term of forever (or until the metrics of the FIN state).
Default Value: 5

Setting: Close Wait
Description: Specifies the number of seconds that a connection remains in a LAST-ACK state before quitting. A value of 0 represents a term of forever (or until the metrics of the FIN state).
Default Value: 5

Setting: Send Buffer
Description: Specifies the send buffer size, in bytes.
Default Value: 32768

Setting: Receive Window
Description: Specifies the receive window size, in bytes.
Default Value: 32768

Setting: Keep Alive Interval
Description: Specifies the keep-alive probe interval, in milliseconds.
Default Value: 1800

Setting: Maximum SYN Retransmissions
Description: Specifies the maximum number of retransmissions of SYN segments that the BIG-IP system allows.
Default Value: 3

Setting: Maximum Segment Retransmissions
Description: Specifies the maximum number of retransmissions of data segments that the BIG-IP system allows.
Default Value: 8

Setting: IP ToS
Description: Specifies the Type of Service level that the BIG-IP system assigns to TCP packets when sending them to clients.
Default Value: 0

Setting: Link QoS
Description: Specifies the Quality of Service level that the BIG-IP system assigns to TCP packets when sending them to clients.
Default Value: 0

Setting: Selective ACKs
Description: Specifies, when checked (enabled), that the system processes data using selective ACKs whenever possible, to improve system performance.
Default Value: Enabled (Checked)

Setting: Extended Congestion Notification
Description: Specifies, when checked (enabled), that the system uses the TCP flags CWR and ECE to notify its peer of congestion and congestion counter-measures.
Default Value: Disabled (Cleared)

Setting: Extensions for High Performance (RFC 1323)
Description: Specifies, when checked (enabled), that the system uses the timestamp and window scaling extensions for TCP (as specified in RFC 1323) to enhance high-speed network performance.
Default Value: Enabled (Checked)

Setting: Limited Transmit Recovery
Description: Specifies, when checked (enabled), that the system uses limited transmit recovery revisions for fast retransmits (as specified in RFC 3042) to reduce the recovery time for connections on a lossy network.
Default Value: Enabled (Checked)

Setting: Slow Start
Description: Specifies, when checked (enabled), that the system uses larger initial window sizes (as specified in RFC 3390) to help reduce round trip times.
Default Value: Enabled (Checked)

Setting: Deferred Accept
Description: Specifies, when checked (enabled), that the system defers allocation of the connection chain context until the system has received the payload from the client. Enabling this setting is useful in dealing with 3-way handshake denial-of-service attacks.
Default Value: Disabled (Cleared)

Setting: Bandwidth Delay
Description: Specifies, when checked (enabled), that the system attempts to calculate the optimal bandwidth to use to the client, based on throughput and round-trip time, without exceeding the available bandwidth.
Default Value: Enabled (Checked)

Setting: Nagle's Algorithm
Description: Specifies, when checked (enabled), that the system applies Nagle's algorithm to reduce the number of short segments on the network. The default setting is disabled. Note that enabling this setting for interactive protocols such as telnet may cause degradation on high-latency networks.
Default Value: Enabled (Checked)

Setting: Acknowledge on Push
Description: When enabled, significantly improves performance for Windows® and MacOS peers that write from a very small send buffer.
Default Value: Disabled (Cleared)

Setting: MD5 Signature
Description: When enabled, uses RFC 2385 TCP-MD5 signatures to protect TCP traffic against intermediate tampering.
Default Value: Disabled (Cleared)

Setting: MD5 Signature Passphrase
Description: Specifies a plaintext passphrase of 1 to 80 characters, used as the shared secret that implements the spoof-prevention parts of RFC 2385.
Default Value: No default value

Setting: Congestion Control
Description: Specifies the congestion control mechanism that the BIG-IP system is to use. Possible values are:
  • None: No congestion control algorithm implemented.
  • High Speed: A more aggressive, loss-based algorithm.
  • New Reno: A modification to the Reno algorithm that responds to partial acknowledgements when selective acknowledgements (SACK) are unavailable.
  • Reno: An implementation of the TCP Fast Recovery algorithm, based on the implementation in the BSD Reno release.
  • Scalable: A TCP algorithm modification that adds a scalable, delay-based and loss-based component into the Reno algorithm.
Default Value: New Reno

Setting: Congestion Metrics Cache
Description: Specifies, when checked (enabled), that the system uses a cache for storing congestion metrics.
Default Value: Enabled (Checked)

Setting: Appropriate Byte Counting (RFC 3465)
Description: Increases the congestion window by basing the increase amount on the number of previously unacknowledged bytes that each ACK covers.
Default Value: Enabled (Checked)

Setting: D-SACK (RFC 2883)
Description: Specifies the use of the Selective ACKs (SACK) option to acknowledge duplicate segments.
Default Value: Disabled (Cleared)
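The MD5 Signature and MD5 Signature Passphrase settings in Table 8.4 turn on the RFC 2385 TCP-MD5 option. The following Python example, added here for illustration and not code from F5 or from this guide, shows what that mechanism does on the wire: the sender hashes the pseudo-header, the fixed TCP header (checksum zeroed, options excluded), the payload and the shared secret, and carries the 16-byte digest in TCP option kind 19; the receiver recomputes the digest and rejects a segment whose digest does not match, which is how a spoofed source, a tampered payload or a peer without the passphrase is detected. The addresses, ports and passphrase are constructed sample values.

```python
"""Worked RFC 2385 TCP-MD5 signature: signing a TCP segment with a shared
secret and verifying it on receipt. Sample values are constructed."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTOCOL = 6
MD5_OPTION_KIND = 19    # RFC 2385 option kind
MD5_OPTION_LEN = 18     # kind, length, 16-byte digest


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes, key: bytes) -> bytes:
    """MD5 over the RFC 2385 input, in order: pseudo-header (source IP,
    destination IP, zero, protocol, segment length), the 20-byte fixed TCP
    header with the checksum zeroed and options excluded, payload, key."""
    segment_len = len(tcp_header) + len(payload)      # options count toward the length
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTOCOL, segment_len))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                         # checksum is computed after signing
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def build_signed_header(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window, payload, key) -> bytes:
    """40-byte TCP header: 20 fixed bytes, two NOPs, then the MD5 option with its digest filled in."""
    options = b"\x01\x01" + bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + bytes(16)
    data_offset = (20 + len(options)) // 4             # 10 words
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    unsigned = fixed + options
    # The digest does not cover the options, so it can be computed with the placeholder in place.
    digest = tcp_md5_digest(src_ip, dst_ip, unsigned, payload, key)
    return unsigned[:24] + digest                      # bytes 24..40 hold the digest


def extract_md5_option(tcp_header: bytes):
    """Walk the TCP options and return the digest from option kind 19, or None."""
    data_offset = (tcp_header[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == 0:                                  # end of option list
            break
        if kind == 1:                                  # NOP
            i += 1
            continue
        if i + 1 >= data_offset:
            break
        length = tcp_header[i + 1]
        if length < 2:                                 # malformed option
            break
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return bytes(tcp_header[i + 2:i + MD5_OPTION_LEN])
        i += length
    return None


def verify_segment(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes, key: bytes) -> bool:
    """True only if the segment carries a digest that matches our recomputation."""
    carried = extract_md5_option(tcp_header)
    if carried is None or len(carried) != 16:
        return False                                   # unsigned segment on a signed connection
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(carried, expected)


# Constructed sample: one signed segment between two documentation addresses.
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.20"
KEY = b"example-shared-secret"                         # stands in for the MD5 Signature Passphrase
PAYLOAD = b"hello"
SIGNED = build_signed_header(SRC_IP, DST_IP, 40000, 179, 1000, 2000, 0x18, 65535, PAYLOAD, KEY)


def demo() -> dict:
    """Outcomes a receiver sees for the genuine segment and three bad ones."""
    return {
        "genuine": verify_segment(SRC_IP, DST_IP, SIGNED, PAYLOAD, KEY),
        "wrong_key": verify_segment(SRC_IP, DST_IP, SIGNED, PAYLOAD, b"other-secret"),
        "tampered_payload": verify_segment(SRC_IP, DST_IP, SIGNED, b"hellp", KEY),
        "spoofed_source": verify_segment("198.51.100.1", DST_IP, SIGNED, PAYLOAD, KEY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17s} accepted={ok}")
```

Because the source and destination addresses are part of the hashed pseudo-header, a segment injected from another address fails verification even if the attacker has captured a valid segment, which is the spoof-prevention property the passphrase setting refers to. The digest is a keyed MD5, not an HMAC, so the strength of the protection rests entirely on the secrecy of the passphrase.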


For most of the TCP profile settings, the default values usually meet your needs. However, if the link that clients are using to access the virtual server is slow, or if server response time exceeds the request time of clients, you can increase the content spooling settings of the profile:

  • Proxy Buffer Low
  • Proxy Buffer High
  • Send Buffer
  • Receive Window

Increasing the byte values of these settings increases the amount of data that the BIG-IP system can buffer while waiting for a specific connection to accept that data.

Note

If you are using a TCP profile in a test environment, you can improve performance by disabling the Slow Start, Bandwidth Delay, and Nagle's Algorithm settings.

Configuring a UDP profile

The UDP profile is a configuration tool for managing UDP network traffic. Table 8.5 lists and describes the settings of a UDP profile.

Table 8.5 Settings of a UDP profile

Setting: Name
Description: This setting specifies a unique name for the profile.
Default Value: No default value

Setting: Parent Profile
Description: This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all non-custom settings and values from the parent profile specified.
Default Value: udp

Setting: Idle Timeout
Description: This setting specifies the number of seconds that a connection is idle before the connection flow is eligible for deletion.
Default Value: 60

Setting: IP ToS
Description: This setting specifies the Type of Service level that the BIG-IP system assigns to UDP packets when sending them to clients.
Default Value: 0

Setting: Link QoS
Description: This setting specifies the Quality of Service level that the BIG-IP system assigns to UDP packets when sending them to clients.
Default Value: 0

Setting: Datagram LB
Description: This setting specifies, when checked (enabled), that the system load balances UDP traffic packet-by-packet.
Default Value: Disabled (Cleared)
