Manual Chapter: Introducing the Traffic Management

The BIG-IP® system is a set of application delivery products that work together to ensure high availability, improved performance, application security, and access control.
One of the primary functions of the BIG-IP system is to direct different types of protocol and application traffic to an appropriate destination server. The system accomplishes this through its Local Traffic Manager module, which can forward traffic directly to a load balancing server pool, or send traffic to a next-hop router, a pool of routers, or directly to a selected node on the network.
Other modules available on the BIG-IP system provide critical functions such as applying security policies to network traffic, accelerating HTTP connections, and optimizing connections across a wide-area network.
Figure 1.1 shows the most basic BIG-IP system configuration.
The foundation of the BIG-IP system from a software perspective is the F5 Networks Traffic Management Operating System™ (TMOS™). TMOS is a real-time, event-driven operating system designed specifically for application delivery networking. Through TMOS, you can configure all of the basic BIG-IP system routing and switching functions, as well as enhancements such as clusters, user roles, and administrative partitions. On top of TMOS runs a set of independent modules that you can configure.
You can run various product modules on top of TMOS to provide comprehensive traffic management for many types of traffic. When installed and licensed, each module is fully integrated with TMOS to meet specific traffic management, performance, or security needs:
BIG-IP Local Traffic Manager
BIG-IP® Local Traffic Manager™ is a required module that you use to customize the way that the BIG-IP system processes specific types of protocol and application traffic. By using local traffic management features such as virtual servers, pools, and profiles, you ensure that traffic passing through the BIG-IP system is processed quickly and efficiently, while still meeting certain security needs. For more information, see the Configuration Guide for BIG-IP® Local Traffic Management.
BIG-IP Global Traffic Manager
BIG-IP® Global Traffic Manager™ provides intelligent traffic management to your globally available network resources. Through the Global Traffic Manager, you can select from an array of load balancing modes, ensuring that your clients access the most responsive and robust resources at any given time. In addition, the Global Traffic Manager provides extensive monitoring capabilities, so information on the health of any given resource is always available. For more information, see the Configuration Guide for BIG-IP® Global Traffic Management.
BIG-IP Link Controller
BIG-IP® Link Controller™ seamlessly monitors availability and performance of multiple WAN connections to intelligently manage bi-directional traffic flows to a site, providing fault-tolerant, optimized Internet access regardless of connection type or provider. The Link Controller ensures that traffic is always sent over the best available link to maximize user performance and minimize bandwidth cost to a data center. For more information, see the Configuration Guide for BIG-IP® Link Controller.
BIG-IP Application Security Manager
BIG-IP® Application Security Manager™ provides web application protection from application-layer attacks. Application Security Manager protects web applications from both generalized and targeted application-layer attacks, including buffer overflow, SQL injection, cross-site scripting, and parameter tampering. For more information, see the Configuration Guide for BIG-IP® Application Security Management.
BIG-IP Protocol Security Module
BIG-IP® Protocol Security Module provides security checks for HTTP, FTP, and SMTP traffic. Protocol Security Module is available as a module for BIG-IP® Local Traffic Manager. Additionally, Protocol Security Module is a component of Application Security Manager. For more information, see the Configuration Guide for BIG-IP® Protocol Security Module.
BIG-IP WebAccelerator System
The BIG-IP® WebAccelerator™ system is an advanced web application delivery solution designed to overcome performance issues involving browsers, web application platforms, and network latency. By modifying the web browser's behavior and interaction with web applications, and by compressing and caching dynamic and static content, the WebAccelerator system decreases bandwidth usage and ensures that clients get the most efficient access to content. For more information, see the Configuration Guide for the BIG-IP® WebAccelerator™ System and the Policy Management Guide for the BIG-IP® WebAccelerator™ System.
BIG-IP WAN Optimization Module
The BIG-IP® WAN Optimization Module incorporates WAN optimization technology that minimizes bandwidth use between multiple sites by reducing the transmission of redundant data, particularly for data replication. Working in symmetric pairs, the WAN Optimization modules provide increased application performance and improved backup and recovery times between distant data centers and offices. WAN Optimization accelerates many types of applications, including file transfer, email, and client-server applications, using technologies such as symmetric adaptive compression and data deduplication. For more information, see the Configuration Guide for the BIG-IP® WAN Optimization Module.
The BIG-IP system offers a browser-based utility for managing the BIG-IP system, and, as an alternative, various command line utilities. For more information, see Using the Configuration utility, following, and Using the command line utilities.
The Configuration utility is the browser-based graphical user interface for the BIG-IP system. In the Configuration utility, the Main tab provides access to the application security configuration objects, as well as the network, system, and local traffic configuration objects. The Help tab contains context-sensitive online help for each screen.
Figure 1.2 shows the Welcome screen of the Configuration utility.
The identification and messages area
The identification and messages area of the Configuration utility is the screen region that is above the navigation pane, the menu bar, and the body. In this area, you find the system identification, including the host name and management IP address. This area is also where certain system messages display, for example Activation Successful, which appears after a successful licensing process.
The navigation pane
The navigation pane, on the left side of the screen, contains the Main tab, the Help tab, and the Search tab. The Main tab provides links to the major configuration objects. The Help tab provides context-sensitive help for each screen in the Configuration utility. The Search tab provides a quick way to locate local traffic objects.
The menu bar
The menu bar, which is below the identification and messages area, and above the body, provides links to the additional configuration objects within each major object.
The body
The body is the screen area where the configuration settings display.
When you create BIG-IP system objects, such as VLANs and virtual servers, you can use the Basic/Advanced Configuration setting to perform either basic or advanced configuration:
You choose a basic configuration when you want to primarily use the default values for your object settings. When you choose a basic configuration, the Configuration utility displays only those few settings that you would most likely need to modify. The other settings remain hidden and retain their default values. Choosing a basic configuration is an easy way to create configuration objects.
You choose an advanced configuration when you want to modify many of the values for your object settings. When you choose an advanced configuration, the Configuration utility displays all of the object's settings and allows you to modify any of them.
In the Configuration utility, not only can you configure TMOS and the BIG-IP product modules, but you can also monitor current system performance and download administrative tools such as the SNMP MIBs or the SSH client. For a list of browser versions that the Configuration utility supports, see the release notes for this product on the AskF5SM Knowledge Base web site.
For example, if the management IP address of the BIG-IP device is, type in the address box. The logon screen of the Configuration utility opens.
Click OK.
By default, the Welcome screen of the Configuration utility opens.
Note: If you receive an Access Denied message, the user role assigned to your user account does not grant you permission to access the Configuration utility. Please see your system administrator for assistance.
The BIG-IP Configuration utility works with a majority of the commonly available web browsers, for example, Microsoft® Internet Explorer® and Mozilla® Firefox®. For the most current list of the supported browsers for the Configuration utility, refer to the current release note on the AskF5SM Knowledge Base web site.
One of the tasks you can perform with the Configuration utility is setting user preferences. Setting user preferences customizes the way that the Configuration utility displays information for you. For example, when you display a list of objects such as the virtual servers that you have created, the utility normally displays ten objects, or records, per screen. However, you can change this value so that the utility displays more, or fewer, than ten records per screen.
Table 1.1, following, lists and describes the preferences that you can configure to customize the display of the Configuration utility. Following this table is the procedure for configuring these preferences.
Specifies, for all list screens, the number of records that the system displays by default.
Specifies the screen that displays when you open a new browser session for this system. Possible values are: Welcome, Traffic Summary, Performance, Statistics, and Virtual Servers.
Specifies, when checked, that the system expands the configuration options from Basic to Advanced. The Basic setting displays the most common and more frequently-edited settings for a feature, while the Advanced setting displays all of the settings for a feature.
Note: This is a display feature only; when you select Basic, any options that remain hidden still apply to the configuration, with their default values.
Specifies, when checked, that the system displays host names, rather than IP addresses, if the IP address has a host name associated with it.
Specifies the format for the statistical data. Select Normalized if you want the system to display rounded values. Select Unformatted if you want the system to display the actual values to all places. Note that you can override the default format on the individual statistics screens.
Specifies the refresh interval for displaying statistical data. Possible values are: 10 seconds, 20 seconds, 30 seconds, 60 seconds, 3 minutes, and 5 minutes.
Specifies whether the BIG-IP system encrypts all archives (.ucs files) that you create. Possible values are:
On Request -- Causes the encryption of archives to be optional.
On -- Causes the BIG-IP system to automatically encrypt all archives that you create. When you select this value, you must create a passphrase when you create an archive.
Off -- Prevents you from encrypting any archive that you create. When you select this value, the Encryption setting on the New Archive screen becomes unavailable.
Specifies the interval, in seconds, that a connection can remain idle before the system closes the connection.
Specifies whether the system presents on the logon screen the text you specify in the Security banner text to show on the login screen setting. If you clear (disable) this option, the system presents an empty frame in the right portion of the logon screen.
Specifies the text to present on the logon screen when the Show the security banner on the login screen setting is enabled. The default text is: Welcome to the BIG-IP Configuration Utility. Log in with your user name and password using the fields on the left.
Specifies the text to present above the user name box (the first of the two text boxes) on the logon screen.
Specifies the text to present above the password box (the second of the two text boxes) on the logon screen.
On the Main tab of the navigation pane, expand System, and click Preferences.
The Preferences screen opens.
Click Update.
In addition to using the Configuration utility, you can manage the BIG-IP system using command line utilities such as the bigpipe utility and the Traffic Management Shell (tmsh). For more information, see the Bigpipe Utility Reference Guide, and the Traffic Management Shell (tmsh) Reference Guide.
You can also use several other utilities if a BIG-IP system administrator has granted you access to the BIG-IP system prompt. By default, only the root account has access to the BIG-IP system prompt. F5 Networks recommends that you do not give advanced shell access to users who are assigned the user role of Resource Administrator unless they must use the tcpdump or ssldump utilities, or manage certificate and key files from the console. Instead, F5 Networks recommends that you give these users bigpipe shell and tmsh access only.
Table 1.2 lists and describes additional tools that you can use to manage the BIG-IP system from the BIG-IP system prompt.
Configures the IP address, network mask, and gateway on the management (MGMT) port. Use this command at the BIG-IP system prompt prior to licensing the BIG-IP system, and do not confuse it with the command bigpipe config or the BIG-IP Configuration utility.
Synchronizes the FIPS hardware security modules (HSMs) of a redundant system. Note that synchronizing the HSMs provides the ability to exchange keys between the units of a redundant system.
Identifies any unintended modifications to BIG-IP system files. Note that a hot fix (patch) is an intended modification that will not be identified by the sys-icheck command.
Runs the sys-icheck command, and if there are no system integrity issues, returns the system to the factory default state. Note that if you have applied hot fixes (patches) to your system, for sys-reset to run, you must specify an override option.
-w Use this option to report Warn issues, as well as the default, Error issues.
-i Use this option to report Info and Warn issues, as well as the default, Error issues.
As stated previously, TMOS is a real-time, event-driven operating system designed specifically for application delivery networking. TMOS is designed to meet the performance, security, availability, and management needs of applications, as enterprises conduct business through the Internet. To successfully meet these needs, TMOS features the following architectural elements:
Proxy architecture
Through the TMOS proxy architecture, the BIG-IP system can inspect traffic, optimize application performance, and offload downstream servers. TMOS enables the BIG-IP system to actively participate in the data flow so that the system can deliver advanced functions such as secure network address translation, termination of SSL sessions to enable security inspections, and cookie encryption. The TMOS proxy architecture also ensures that downstream servers can focus on supplying application services without regard to the application delivery infrastructure.
High-speed performance
TMOS is specifically designed for high performance. For example, TMOS separates client-side flows from server-side flows for customized acceleration, and minimizes overhead energy spent on process context switching and resource allocation, in ways that network devices built on a general-purpose architecture cannot match. The TMOS focus on application delivery allows intelligent parallel processing for security, availability, and performance.
Modular functionality
Protecting enterprise investments in application delivery requires the ability to readily add features without embarking on costly network infrastructure upgrades. To that end, TMOS serves as the foundation of the BIG-IP system to enable enterprises to plug in other BIG-IP products for functions such as link controls to optimize the use of ISP connections, global traffic management to meet business continuity requirements between data centers, and application firewalls to provide security at the application layer.
To initially configure the BIG-IP system, see the BIG-IP® Systems: Getting Started Guide. After completing the initial configuration, you can configure TMOS to further customize the system. For example, the most basic system configuration that results from running the Setup utility includes two virtual local area networks (VLANs) with one or more BIG-IP system interfaces (ports) assigned to each VLAN. Using the BIG-IP system's browser-based Configuration utility, you can customize this configuration by assigning additional interfaces to each VLAN or by configuring the BIG-IP system to send traffic for multiple VLANs through the same interface.
TMOS consists of several fundamental network-related components that you can configure to meet the exact needs of your network environment.
A BIG-IP platform has several interfaces for switching or routing traffic from various hosts or other devices on the network. Interfaces are the hardware ports that the BIG-IP system uses to send and receive traffic. When you create a virtual local area network (VLAN) on the BIG-IP system, you can assign multiple interfaces to that VLAN. You can also assign the same interface to multiple VLANs. For more information, see Chapter 9, Working with Interfaces.
When you connect multiple switches to a BIG-IP system in parallel, you can configure your hosts to make use of spanning tree protocols. Spanning tree protocols provide path redundancy while preventing unwanted loops in the network. You can view spanning tree instances, configure global spanning tree options, and configure spanning tree settings for each interface. For optimal performance, you can use spanning tree protocols in conjunction with the trunks feature. For more information, see Chapter 15, Configuring Spanning Tree Protocols.
Trunks are a feature you can use to aggregate your links. When you create trunks, you group interfaces together to function as one larger interface and to provide redundancy if one interface in the trunk becomes unavailable. When that occurs, traffic can be processed on another interface in the trunk. For more information, see Chapter 13, Working with Trunks.
A virtual local area network, or VLAN, is a logical collection of hosts on the network. Each VLAN has one or more BIG-IP system interfaces associated with it. VLANs have these primary advantages:
VLANs define boundaries for broadcast domains.
Traditionally, network administrators have deployed routers within the same IP network, to define smaller broadcast boundaries. A better solution is to use VLANs. When a host in a VLAN sends a broadcast message to find the MAC address of a destination host, the message is sent to only those hosts in the VLAN. Using VLANs to control the boundaries of broadcast domains prevents messages from flooding the network, thus enhancing network performance.
VLANs ease system and network maintenance
Normally, the way to enable hosts to share network resources, such as storage devices and printers, has been to group hosts into the same physical location. Continually moving and re-cabling hosts to other locations on the network, as well as manually updating routing tables, can be a costly and time-consuming task for a system or network administrator. Using VLANs, you can avoid these problems. All hosts that you group within a VLAN can share network resources, regardless of their physical location on the network.
To enhance performance and flexibility, the BIG-IP system comes with two existing virtual local area networks (VLANs), one for your external network, and one for your internal network. Each of these VLANs has an interface already assigned to it. You can use these two VLANs as is, you can assign additional interfaces to these VLANs, or you can create more VLANs. A key feature of the BIG-IP system is that a single interface can forward traffic for multiple VLANs. For more information, see Chapter 7, Configuring VLANs and VLAN Groups.
Each VLAN you create has its own self IP address. The BIG-IP system uses this address as the source IP address when sending requests to hosts in a VLAN, and hosts in a VLAN use this IP address as the destination IP address when sending responses to the BIG-IP system.
When you first ran the Setup utility, you assigned a self IP address to the internal VLAN, and another self IP address to the external VLAN. As you create other VLANs, you assign self IP addresses to them, too. Also, units of a redundant system can share a self IP address, to ensure that the BIG-IP system can process server responses successfully when failover has occurred. For more information, see Chapter 8, Configuring Self IP Addresses.
Another feature that BIG-IP network administrators should familiarize themselves with is the TMOS routing table and the ability to add static routes to it. Using the routes feature, you can explicitly add routes that you want the BIG-IP system to use when functioning as a Layer 3 device to forward packets around the network. Optionally, if you want to use the same IP address for more than one node on the network, you can create route domains. For more information, see Chapter 10, Configuring Routes and Route Domains.
If you want the BIG-IP system to create and update its routes dynamically, you can use the optional set of advanced routing modules. For more information, see Chapter 11, Configuring Advanced Routing Modules.
The Address Resolution Protocol, or ARP, feature gives you the ability to view or add entries to the ARP cache, which the BIG-IP system uses to match IP addresses to Media Access Control (MAC) addresses when using Layer 3 to send packets to destination hosts. When you want to eliminate the need to use IP routing to send ARP requests from one VLAN to another, you can enable the proxy ARP feature. A host configured with the proxy ARP feature can send ARP requests to another VLAN using Layer 2 forwarding instead of IP routing. For more information, see Chapter 12, Configuring Address Resolution Protocol.
A powerful security feature that the BIG-IP system offers is packet filtering. Using packet filtering, you can control and restrict the types of traffic passing through the BIG-IP system. Besides defining the action that the BIG-IP system should take when receiving a packet (accept, discard, or reject), you can exempt certain types of traffic from packet filtering, based on protocol, IP address, MAC address, or VLAN. For more information, see Chapter 14, Configuring Packet Filters.
In addition to containing network-related configuration objects, TMOS contains several fundamental system-related objects that you can configure.
These objects include creating and maintaining administrative user accounts, configuring Simple Network Management Protocol (SNMP), and configuring and maintaining redundant systems.
You partially configure some of these options by running the Setup utility on the BIG-IP system. Once you have run the Setup utility, you can use the Configuration utility to complete the configuration of these options and to manage the BIG-IP system on an ongoing basis.
You can create administrative partitions for local traffic-management objects (such as virtual servers and pools) and then give BIG-IP system administrators access to individual partitions. This imposes a finer granularity of access control on BIG-IP system users.
User accounts for BIG-IP system administrators can reside either locally on the BIG-IP system, or remotely on a separate authentication server such as a Lightweight Directory Access Protocol (LDAP), Active Directory, or Remote Authentication Dial-in User Service (RADIUS) server. You can also manage the three special user accounts root, admin, and support.
For each new user account that you create, you can assign a user role that defines the type and level of access granted to that user. The available user roles are: Administrator, Resource Administrator, User Manager, Manager, Application Editor, Application Security Policy Editor, Operator, Guest, and No Access.
If BIG-IP system user accounts are stored remotely on an authentication server, you can assign privileges (such as user role and partition access) on a group basis. A powerful remoterole command on the BIG-IP system can interoperate with the remote server to determine user groups and then assign a different set of privileges to each group.
Simple Network Management Protocol (SNMP) is an industry-standard protocol that allows you to manage the BIG-IP system remotely, along with other devices on the network. The BIG-IP system provides the SNMP agent and the MIB files that you need to manage the system remotely using SNMP. For more information, see Chapter 17, Configuring SNMP.
To ensure high-availability of the BIG-IP system, you can set up a redundant system configuration. Then, if one BIG-IP system becomes unavailable, another BIG-IP system can immediately and automatically take over to process the traffic.
When you first run the Setup utility on a BIG-IP system, you specify whether the system is a unit of a redundant pair. When you configure two BIG-IP systems to function as units of a redundant system, a process known as failover occurs when one of those units becomes unavailable for any reason. Failover ensures that the BIG-IP system can still process traffic when a unit is unavailable.
In addition to supporting redundant system configuration, TMOS monitors the heartbeat of several critical system daemons such as mcpd, sod, and tmrouted. Using the High Availability screens of the Configuration utility or using a command line interface, you can specify the action that the BIG-IP system should take if the system fails to detect a daemon heartbeat. This process of monitoring heartbeats and taking action is known as fail-safe.
Using the Syslog-ng utility, the BIG-IP system logs many different types of events related to the operating system, packet filtering, local traffic management, and auditing. You can use the Configuration utility to display each type of event. For specific types of local traffic events, because each individual event is associated with a severity, you can set a minimum log level on an event type. Setting a minimum log level on an event type affects which messages the system displays, based on event severity. For example, you can set a minimum log level of Warning on ARP-related events, which then causes the system to display only those ARP-related events that have a severity of Warning or higher (that is, more severe). For more information, see Chapter 19, Logging BIG-IP System Events.
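The severity threshold described above, as an added example written for this page (not code from the F5 guide): it filters constructed syslog-style lines by a per-event-type minimum level, using the syslog convention that a lower numeric severity code means a more severe event, which is the detail most often reversed when such a filter is written by hand. The line layout, event-type names and function names are assumptions for illustration.

```python
"""Minimum log level filtering per event type, as the chapter describes for
local traffic events: a minimum of Warning on ARP events keeps only ARP
messages whose severity is Warning or more severe.

Added example, not code from the F5 guide. The lines below are constructed in
a "<facility> <severity> <event-type> <message>" layout. Severity names and
numeric codes follow syslog, where a LOWER code is MORE severe, so the test
for "Warning or higher" is <= on the code, not >=.
"""
import re
from typing import Dict, List, Optional

# syslog severity name -> numeric code; 0 (emerg) is the most severe.
SEVERITY: Dict[str, int] = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Constructed sample log; not real BIG-IP output.
SAMPLE_LOG = """\
local0 info arp Resolved 10.0.1.20 to 00:11:22:33:44:55
local0 warning arp ARP entry for 10.0.1.21 is stale
local0 err arp Unable to resolve 10.0.1.22
local0 notice ltm Pool member 10.0.1.30:80 monitor status up
local0 crit ltm Pool web_pool has no available members
local0 debug arp ARP request sent for 10.0.1.23
"""

LINE_RE = re.compile(
    r"^(?P<facility>\S+)\s+(?P<severity>\S+)\s+(?P<event>\S+)\s+(?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one line into its fields. Returns None for a line that does not
    match the constructed layout or that carries an unknown severity name."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    if entry["severity"] not in SEVERITY:
        return None
    return entry


def is_displayed(entry: Dict[str, str], min_levels: Dict[str, str]) -> bool:
    """Apply the minimum level configured for this entry's event type.
    An event type with no minimum configured is shown at every severity."""
    threshold = min_levels.get(entry["event"])
    if threshold is None:
        return True
    # "Warning or higher" means code 4 or lower, hence <=.
    return SEVERITY[entry["severity"]] <= SEVERITY[threshold]


def filter_log(text: str, min_levels: Dict[str, str]) -> List[str]:
    """Return the lines that survive the configured minimum levels, in order.
    Unparseable lines are dropped rather than silently displayed."""
    for level in min_levels.values():
        if level not in SEVERITY:
            raise ValueError(f"unknown severity name: {level!r}")
    kept: List[str] = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is not None and is_displayed(entry, min_levels):
            kept.append(raw)
    return kept


if __name__ == "__main__":
    # Minimum level Warning on ARP events, no minimum on the rest.
    for line in filter_log(SAMPLE_LOG, {"arp": "warning"}):
        print(line)
```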
Every BIG-IP system includes a set of essential configuration data that you create when you initially configure your system. To protect this data in the event of a system problem, you can create an archive, also known as a user configuration set (UCS). An archive is a backup copy of your configuration data that you create and store on the BIG-IP system. If your original configuration data becomes corrupted for some reason, you can use the archive to restore the data. As an added layer of protection, you can download your archives to a remote system, in case the BIG-IP system itself becomes unavailable. When the system is up and running again, you can upload the data back onto the system. For more information, see Chapter 18, Creating and Managing Archives.
In addition to creating a UCS, you can create a single configuration file, or SCF. An SCF is a replicated set of BIG-IP system configuration data that you can use to identically configure another BIG-IP system in one simple operation. For more information, see Chapter 4, Working with Single Configuration Files.
Before you use this guide, we recommend that you use the BIG-IP® Systems: Getting Started Guide to run the Setup utility on the BIG-IP system. The Setup utility configures basic network elements such as static and floating self IP addresses, interfaces, and VLANs, to name a few.
After running the Setup utility, you can further customize your system by using the Configuration utility to create local traffic management objects such as virtual servers, load balancing pools, and profiles.
Finally, you can return to this guide to adjust the elements you have configured, or to add additional ones as your needs change.
In addition to this guide, there are other sources of documentation you can use in order to work with the BIG-IP system. The following documentation is available in PDF format from the AskF5SM Knowledge Base web site. These guides are also available from the first web page you see when you access the Configuration utility on the BIG-IP system:
BIG-IP® Systems: Getting Started Guide
This guide contains detailed information about installing upgrades to the BIG-IP system. It also contains information about licensing and provisioning the BIG-IP system software, and connecting the system to a management workstation or network.
Configuration Guide for BIG-IP® Local Traffic Management
This guide contains any information you need for configuring the BIG-IP system to manage local network traffic. With this guide, you can perform tasks such as creating virtual servers and load balancing pools, configuring application and persistence profiles, implementing health monitors, and setting up remote authentication.
BIG-IP® Local Traffic Manager: Implementations
This guide contains complete procedures for implementing specific goals, such as processing SSL traffic with data compression, or assigning privileges to remotely-authenticated user accounts. This guide ties together the detailed information contained in the Configuration Guide to BIG-IP® Local Traffic Management to help you implement specific traffic-management configurations.
Bigpipe Utility Reference Guide
This guide contains all command and syntax information for the bigpipe utility, including the bigpipe shell.
Traffic Management Shell (tmsh) Reference Guide
This guide contains all command and syntax information for the Traffic Management shell.
If you have a VIPRION® system, you should also see the following guides:
Setting up the VIPRION® platform
This guide contains information on installing the VIPRION hardware and performing preliminary setup tasks.
Configuration Guide for the VIPRION® System
This guide contains procedures for initially configuring the VIPRION® system for processing application traffic. This guide also includes information on setting up a redundant system configuration and configuring the advanced routing modules.
To help you easily identify and understand important information, all of our documentation uses the stylistic conventions described here.
All examples in this document use only private class IP addresses. When you set up the configurations we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.
To help you identify sections where a term is defined, the term itself is shown in bold italic text. For example, a floating IP address is an IP address assigned to a VLAN and shared between two computer systems.
We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands, such as variables and keywords. For example, with the bigpipe self <ip_address> show command, you can specify a specific self IP address to show by specifying an IP address for the <ip_address> variable.
We use italic text to denote a reference to another document or section of a document. We use bold, italic text to denote a reference to a book title. For example, for installation instructions, see the guide titled BIG-IP® Systems: Getting Started Guide.
We show complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen. For example, the following command shows the configuration of the specified pool name:
Table 1.3 explains additional special conventions used in command line syntax.
< >  Identifies a user-defined parameter. For example, if the command has <your name>, type in your name, but do not include the brackets.
Online help
The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help for a screen.
Welcome screen in the Configuration utility
The Welcome screen in the Configuration utility contains links to many useful web sites and resources, including:
F5 Networks Technical Support web site
The F5 Networks Technical Support web site provides the latest documentation for the product, including:
The AskF5SM Knowledge Base