F5 Application Traffic Management
Radovan Gibala, Field Systems Engineer
r.gibala@f5.com, +420 731 137 223
2007
Application Delivery Network: business requirements and the F5 products that address them
Business Continuity, HA, Disaster Recovery (BIG-IP LTM, GTM, LC, WA; FirePass; ARX; WJ)
• WAN Virtualization
• File Virtualization
• DC to DC Acceleration
• Virtualized VPN Access
User Experience & App Performance (BIG-IP LTM, GTM, WA; ARX; WJ)
• Asymmetric & Symmetric Acceleration
• Server Offload
• Load Balancing
App Security & Data Integrity (BIG-IP LTM, ASM; FirePass)
• AAA
• Data Protection
• Transaction Validation
Managing Scale & Consolidation, across People, Apps and Data (BIG-IP LTM, GTM, LC, WA; FirePass; ARX; WJ)
• Data / Storage Growth (ARX): Virtualization, Migration, Tiering, Load Balancing
• Apps: Virtualized App & Infrastructure, Server & App Offload, Load Balancing
• People / Unified Security Enforcement & Access Control (FirePass; BIG-IP LTM, GTM): Remote, WLAN & LAN Central Policy Enforcement, End-Point Security, Encryption, AAA
How To Achieve the Requirements?
• Multiple point solutions?
• More bandwidth?
• Add more infrastructure?
• Hire an army of developers?
The burden falls on either the network administrator or the application developer.
The Result: A Growing Network Problem
Users (mobile phone, PDA, laptop, desktop) reach applications (CRM, ERP, SFA, customised applications, co-location) through an accumulation of point solutions in the network:
• DoS protection
• Rate shaping
• SSL acceleration
• Server load balancer
• Content acceleration
• Application firewall
• Connection optimisation
• Traffic compression
F5's Integrated Solution
Users: mobile phone, PDA, laptop, desktop
Applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom, co-location
The F5 Solution: a single Application Delivery Network, built on TMOS, between the users and the applications.
Flow-Based TM/OS: A New Level of Intelligence
• Legacy approach, packet based: reacts to a single communication, in one direction
• TM/OS, flow based: reacts to a real-time, two-way conversation and translates between the parties
Deliver the Application Exactly as Intended
TM/OS is a fast application proxy with a client side and a server side, built around the Universal Inspection Engine (UIE). It manages entire application flows:
• Independent connection control
• Support for all IP applications
• High-performance framework
• Bi-directional, full-payload inspection
• Session-level control
The Most Intelligent and Adaptable Solution
• Programmable application network: iRules, a programmable network language, alongside GUI-based application profiles as repeatable policies for security, optimisation and delivery
• Unified application infrastructure services: compression, TCP offloading, load balancing and more in one device
• Targeted and adaptable functions, e.g. a new service for a news website
• Complete visibility and control of application flows through the UIE in the TM/OS fast application proxy (client side and server side)
Traffic Management Operating System (TMOS)
Shared application services: iRules, rate shaping / rate limiting, resource cloaking, transaction assurance, universal persistence, caching, compression, selective content encryption, advanced client authentication, application health monitors, application switching
Shared network services: TCP Express, protocol sanitization, high-performance SSL, DoS and DDoS protection, VLAN segmentation, line-rate L2 switching (mirroring, trunking, STP, LACP), IP packet filtering, IPv6, dynamic routing, secure network address translation, port mapping
Common management framework
Unique TMOS Architecture
Client side and server side are joined by a high-performance networking microkernel (a TCP proxy running TCP Express on both sides) on high-performance hardware. Traffic plug-ins attach to the microkernel: TrafficShield, Web Accel, 3rd party, rate shaping, SSL, caching, XML, compression, OneConnect.
• TMOS traffic plug-ins
• High-performance networking microkernel
• Powerful application protocol support
• iControl API: external monitoring and control
• iRules: network programming language
Market-Leading Functionality Today
Deliver:
• Comprehensive load balancing
• Advanced application switching
• Customised health monitoring
• Intelligent network address translation
• Advanced routing
• Intelligent port mirroring
Secure and Optimise:
• DoS and SYN flood protection
• Network address/port translation
• Application attack filtering
• Certificate management
• SSL acceleration
• Quality of service
First Unified Application Infrastructure Services (TM/OS)
Deliver:
• IPv6 gateway (new)
• Universal persistence (new)
• Response error handling (new)
• Session / flow switching
Secure:
• Resource cloaking
• Advanced client authentication
• Firewall: packet filtering
• Selective content encryption
• Cookie encryption
• Content protection
• Protocol sanitisation
Optimise:
• Connection pooling
• Intelligent compression
• L7 rate shaping
• Content spooling / buffering
• TCP optimisation
• Content transformation
Most Intelligent and Adaptable Solution: Delivering Unmatched Services
Deliver: load balancing, application switching, response error handling, IPv6 gateway, universal persistence
Optimise: compression, connection optimisation, content spooling, L7 rate shaping, content transformation
Secure: high-performance SSL encryption, cookie encryption, resource cloaking, advanced client authentication, DoS and network firewall, content protection, protocol sanitisation
Comprehensive Load Balancing
Static methods:
• Round Robin
• Ratio
Dynamic methods:
• Fastest
• Least Connections
• Observed
• Predictive
• Dynamic Ratio
Priority Groups: members carry a priority; lower-priority members are only brought into service when the number of available members in the higher-priority group drops below a configured threshold.
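As an added example (not from the F5 deck and not BIG-IP code), the Python below models the methods listed above so their behaviour can be compared on one pool: static Round Robin and Ratio, dynamic Least Connections and Fastest, and priority group activation with a minimum-active threshold. Member names, ratios, connection counts, latencies and the min_active value are constructed for the demo. Observed, Predictive and Dynamic Ratio, which derive their ratios from measured load over time, are not modelled.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Member:
    """One pool member. The fields are what the modelled methods key on:
    a static ratio, a priority group, health, open connections, response time."""
    name: str
    ratio: int = 1
    priority: int = 0
    up: bool = True
    connections: int = 0
    latency_ms: float = 0.0


class Pool:
    def __init__(self, members, min_active=1):
        self.members = members
        self.min_active = min_active              # priority group activation threshold
        self._rr = 0                              # round-robin cursor
        self._cw = {m.name: 0 for m in members}   # smooth weighted round-robin state

    def eligible(self):
        """Priority group activation: start with the highest-priority group that
        has members up; while fewer than min_active are available, the next
        lower group is added to the active set as well."""
        up = [m for m in self.members if m.up]
        active = []
        for prio in sorted({m.priority for m in up}, reverse=True):
            active.extend(m for m in up if m.priority == prio)
            if len(active) >= self.min_active:
                break
        if not active:
            raise RuntimeError("no pool members available")
        return active

    def round_robin(self):
        cand = self.eligible()
        m = cand[self._rr % len(cand)]
        self._rr += 1
        return m

    def ratio(self):
        """Static Ratio as smooth weighted round robin: a 3:1 ratio yields
        A A B A rather than A A A B, so the weight is honoured without bursts."""
        cand = self.eligible()
        for m in cand:
            self._cw[m.name] += m.ratio
        chosen = max(cand, key=lambda m: self._cw[m.name])
        self._cw[chosen.name] -= sum(m.ratio for m in cand)
        return chosen

    def least_connections(self):
        """Dynamic Least Connections: fewest open connections wins; ties go
        to the member listed earlier in the pool."""
        return min(self.eligible(), key=lambda m: m.connections)

    def fastest(self):
        """Dynamic Fastest: lowest observed response time wins."""
        return min(self.eligible(), key=lambda m: m.latency_ms)


def distribute(pool, method, n):
    """Send n requests through the named method, counting each as an open
    connection on the chosen member, and return the per-member tally."""
    tally = Counter()
    for _ in range(n):
        m = getattr(pool, method)()
        m.connections += 1
        tally[m.name] += 1
    return dict(tally)


def demo_priority_failover():
    """Two priority-10 members with min_active=2: while both are up the
    priority-5 standby idles; when one fails, the standby is activated."""
    pool = Pool([Member("web1", priority=10), Member("web2", priority=10),
                 Member("standby", priority=5)], min_active=2)
    before = [m.name for m in pool.eligible()]
    pool.members[1].up = False
    after = [m.name for m in pool.eligible()]
    return before, after


if __name__ == "__main__":
    print(distribute(Pool([Member("a", ratio=3), Member("b", ratio=1)]), "ratio", 40))
    print(demo_priority_failover())
```

Least Connections only behaves as intended if the device sees every server-side connection; with OneConnect pooling in front of the servers the count it balances on is the pooled count, which is one reason ratio or round robin are often chosen for pooled HTTP.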
Feature Overview / BIG-IP
Availability checking:
• Check any back-end process using EAV (external application verification) monitors
• Works for any IP-based application
• Stateful failover between devices
Security:
• Firewall-like device that resists most attacks: as a full proxy it only accepts traffic for configured virtual servers
• All administration traffic is encrypted
• Integrated SSL/FIPS and secure NAT
Feature Overview / BIG-IP
SSL and e-commerce:
• Only product with integrated SSL
• A single certificate on the BIG-IP simplifies administration
• Lowers certificate costs
• Client certificate checking (authentication)
Layer 7 functionality:
• Can use any HTTP header/content or TCP content in traffic decisions
• Can persist on anything
• HTTP 1.1 keep-alives dramatically improve performance
Feature Overview / BIG-IP
Easy to implement and support:
• Can be deployed as either a Layer 2 or a Layer 3 device
• Simple and complete graphical user interface
• Installation services by F5 and/or partners
Flexibility:
• BIG-IP works with any server or IP-based service
• iControl enables integration with internal and/or 3rd-party applications
Powerful and Simplified Management
"We have to deal with multiple products. The new user interface makes every other solution in this space look absolutely immature. F5's solutions are 10 times easier to manage than Cisco." - Major US Hosting Provider
Profile-Based Management (Deliver, Optimize, Secure)
• Profile-based traffic management
• Improved visibility of all resources and traffic
Ensure Higher Availability: Superior System Design
• Process reporting and control: granular status, logging and configurable actions for component-level failures; capable of warm restarts and upgrades.
• 3-way HA design: robust internal system checking and pass-through design.
BIG-IP Security Add-On Modules
• Application Security Module: protect applications and data
• SSL Acceleration: protect data over the Internet
• Advanced Client Authentication Module: protect against unauthorised access
BIG-IP Software Add-On Modules: Quickly Adapt to Changing Application & Business Challenges
• Compression Module: increase performance
• WebAccelerator / Fast Cache Module: offload servers
• Rate Shaping Module: reserve bandwidth
Intelligent HTTP Compression
The most intelligent and flexible solution to target HTTP compression where it matters most:
• URI/content filters: allow/disallow lists; compress only specified file types, based on URI or MIME type
• Client-aware compression (patent pending): based on TCP latency (observed client RTT) or on low-bandwidth client connections
• Granular L7-based compression
• Tunable resource allocation: devote more memory and CPU cycles to high-priority compression jobs
• Adaptable compression: scale back compression based on CPU load
Real-Time Compression Tool: www.f5demo.com/compression
OneConnect™: Connection Pooling
• Increases server capacity by 30%
• Aggregates a massive number of client requests into fewer server-side connections
• Transformation from HTTP 1.0 to 1.1 for server connection consolidation
• Maintains intelligent load balancing to dedicated content servers
Good sources:
http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html
http://www.f5.com/solutions/archives/whitepapers/httpbigip.html
OneConnect™: New and Improved HTTP Request Pooling
A web page such as index.htm with a.gif, b.gif and c.asp would otherwise cost the server one connection per object. With HTTP 1.1, a single client's requests are streamlined into one connection to the BIG-IP; the average reduction is 20 to 1 per web page.
1) OneConnect™ content switching: intelligent load balancing to dedicated content servers (HTML, GIF and ASP server pools) while maintaining server logging
2) OneConnect™ HTTP transformations (new): transformation from HTTP 1.0 to 1.1 for server connection consolidation, so many client connections become one server connection
3) OneConnect™ connection pooling: aggregates a massive number of client requests into fewer server-side connections
Content Spooling
Problem: TCP overhead on servers
• There is overhead in breaking content apart ("chunking")
• Client and server negotiate TCP segmentation
• A client can force more segmentation than is good for the server
• The server is burdened with breaking content into small pieces for the client's consumption
Solution: the BIG-IP slurps up the server response and spoon-feeds it to the client
Benefit: increases server capacity by up to 15%
L7 Rate Shaping: Integrated and Fine-Grained Bandwidth Control
A rate class defines a base rate, a ceiling rate and a burst size, and is applied on WAN and network segments in front of a pool of servers.
• Sophisticated bandwidth control: flexible bandwidth limits, full support for bandwidth borrowing, traffic queuing (stochastic fair queue, FIFO, ToS priority queue)
• Granular traffic classification, L2 through L7: iRules can assign a rate class on any traffic flow variable
• Multi-direction control: throughput can be controlled in any direction
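An added example, not from the F5 deck and not BIG-IP code: the Python below models one shaping interval over a link shared by rate classes with the three parameters named above. Base is honoured first, unused base is banked as burst credit (bounded by the burst size), credit is spent ahead of ordinary borrowing, and whatever link capacity is still spare is lent in equal shares to classes that want more, never above their ceiling. The class names, sizes and demand figures are constructed for the demo; the equal-share lending and the credit accounting are simplifications of whatever queuing discipline the device actually applies.

```python
from dataclasses import dataclass


@dataclass
class RateClass:
    """A rate class: guaranteed base rate, a ceiling reachable by borrowing
    unused link capacity, and a burst allowance banked while running below
    base. All figures are bytes per shaping interval."""
    name: str
    base: int
    ceiling: int
    burst: int = 0
    credit: int = 0  # banked burst credit, never above burst


def shape_interval(link, classes, demand):
    """Allocate one interval of link capacity (bytes) among the rate classes.
    demand maps class name -> bytes the class wants to send this interval.
    Returns {name: bytes allowed}; each class's credit is updated in place."""
    alloc = {}
    for c in classes:
        # 1. Guaranteed base. Base a class leaves unused is banked as burst
        #    credit, bounded by its burst size.
        alloc[c.name] = min(demand.get(c.name, 0), c.base)
        c.credit = min(c.burst, c.credit + c.base - alloc[c.name])
    spare = link - sum(alloc.values())

    for c in classes:
        # 2. Classes with unmet demand spend banked credit ahead of ordinary
        #    borrowing, but never above their ceiling or the link capacity.
        unmet = min(demand.get(c.name, 0), c.ceiling) - alloc[c.name]
        give = max(0, min(unmet, c.credit, spare))
        alloc[c.name] += give
        c.credit -= give
        spare -= give

    # 3. Bandwidth borrowing: remaining spare capacity is lent in equal shares
    #    to classes that still want more, up to each class's ceiling.
    while spare > 0:
        wanting = [c for c in classes
                   if alloc[c.name] < min(demand.get(c.name, 0), c.ceiling)]
        if not wanting:
            break
        share = max(1, spare // len(wanting))
        for c in wanting:
            room = min(demand.get(c.name, 0), c.ceiling) - alloc[c.name]
            give = min(share, room, spare)
            alloc[c.name] += give
            spare -= give
    return alloc


if __name__ == "__main__":
    # Constructed scenario: a 100-byte/interval link, a bulk class that may
    # borrow up to the whole link, and an interactive class capped at 60.
    bulk = RateClass("bulk", base=60, ceiling=100, burst=30)
    inter = RateClass("interactive", base=40, ceiling=60)
    for d in ({"bulk": 20, "interactive": 40},   # bulk idles, banks credit
              {"bulk": 100, "interactive": 20},  # bulk spends credit on spare link
              {"bulk": 100, "interactive": 0},   # bulk borrows up to its ceiling
              {"bulk": 0, "interactive": 100}):  # interactive stops at its ceiling
        print(shape_interval(100, [bulk, inter], d), "bulk credit:", bulk.credit)
```

The fourth interval is the one to check in any real rate-class configuration: a ceiling below the link capacity is a hard cap even when the link is idle, which is the intended behaviour for reserving bandwidth but a common source of "why is this slow" tickets.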
Hardware: Performance
• High-performance switching fabric
• Dual processor
• Packet Velocity ASIC (PVA2)
• SSL transactions per second (TPS) and SSL bulk encryption
• FIPS support
• HTTP compression
• Independent secure management access: SCCP microcomputer (Switch Card Control Processor)
Hardware (cont.)
• Dual media: CF + HDD
• Tri-speed Ethernet (10/100/1000) + mini GBICs
• 10 Gbps interfaces
• LCD display
• USB port
• Hot-swappable fan trays + power supplies
• Integrated solution
Unique IP Application Switches: Hardware Manageability and Performance
Platforms: 1500, 3400, 6400, 6800, 8400, 8800 (all models include 100 TPS SSL acceleration)
Simplified management:
• Lights-out management
• Multi-boot support
• LCD for simplified management
• Hot-swappable parts
• Redundant power / fans
• Port flexibility
• PCI slots
• Independent secure management
Powerful:
• Packet Velocity ASIC 2
• High-performance SSL & compression
• High-performance switching fabric
• Dual processor
Up-Selling Platforms
1500 to 3400:
• Packet Velocity ASIC
• 2x performance (throughput, L4, SSL, etc.)
• Better multi-function support: more modules
• Better management and logging (Compact Flash and hard drive)
3400 to 6400:
• 2x performance and up (throughput, SSL, etc.)
• Superior multi-function support: more modules
• Expandable PCI slots (future hardware acceleration cards)
• Hardware redundancy and extensibility (accessible Compact Flash, dual power supply and fan tray)
Introducing the BIG-IP 1500: the next-generation BIG-IP 1000 and BIG-IP 520
• 1U height; new USB port, LCD display & keypad
• 4 10/100/1000 copper Ethernet ports
• 2 optional Gigabit fiber ports
• Hard drive
• 1 PCI add-in card slot
• Integrated management computer (lights-out management)
Introducing the BIG-IP 3400: the next-generation BIG-IP 2400 and BIG-IP 540
• 1U height; new USB port, LCD display & keypad
• Packet Velocity ASIC 2
• 8 10/100/1000 copper Ethernet ports
• 2 optional Gigabit fiber ports
• Compact Flash & hard drive: improved logging
• 1 PCI add-in card slot
• Integrated management computer (lights-out management)
The benefits of an ASIC with the flexibility and ease of an appliance.
Introducing the BIG-IP 6400: the next-generation BIG-IP 5100 and BIG-IP 5110
• 2U height; new USB port, LCD display & keypad
• Dual processors
• Packet Velocity ASIC 2
• 16 10/100/1000 copper Ethernet ports
• 2 standard, 2 optional (total 4) Gigabit fiber ports
• Field-accessible Compact Flash & hard drive: improved logging
• 3 PCI add-in card slots
• Hot-swappable redundant power supplies
• Integrated management computer (lights-out management)
The most powerful and flexible BIG-IP platform ever.
VIPRION Overview
Unmatched performance: massive scalability; processing architecture common with the 8800
Intelligent clustering: SuperVIP (virtuals can seamlessly span blades); N+M redundancy for all features in the cluster
High availability: automatic failover within the cluster; chassis-to-chassis redundancy
Full modular chassis: 4 blade slots with a single blade type; any blade can be chassis master
Single point of management: common central management console; same user interface as the BIG-IP appliances
VIPRION: On-Demand ADC
• Add application intelligence without adding management cost
• Market-leading performance
• Ultimate redundancy
• TMOS inside
On Demand: Zero Reconfiguration
• Automatic addition of processing power as blades are added
• No need to overprovision
• Fixed and predictable OpEx
(Diagram: virtual machines and physical servers behind the chassis.)
Virtual Processing Fabric
• Clustered Multi-Processing (CMP)
• Custom disaggregator ASICs
• High-speed bridge
Ultimate Reliability: Multi-Level Redundancy
• A blade failure will not cause a chassis failure
• Redundant and hot-swappable components
• Always available between client and server
iRules: The Next Generation
The network can now apply unlimited business logic for the application:
• High-performance rules
• Event-based iRules provide more control
• The only truly programmable rules engine
• Fully programmable: switching, security, transformation and optimisation functions
• Based on an industry-standard language: an extended Tool Command Language (Tcl)
iRules: A Full Programming Language, with a Number of Extensions
• Standard language
• Fast rule evaluation
• Event-based rules
• Multiple rules per event
See also the Tcl Developers Exchange.
The Better Alternative: Example
A repeatable, extensible, flexible architecture with centralized availability, security & acceleration:
• Centralized transaction assurance: proactive response error handling for higher availability (redirect_error_code)
• Centralized data protection: rewrite, remove, block and/or log sensitive content (protect_content)
• Host to URI mapping: faster access to data through automatic redirection (host_to_uri_mapping)

rule redirect_error_code {
   when HTTP_REQUEST {
      # Remember the request URI so the response side can reuse it.
      set my_uri [HTTP::uri]
   }
   when HTTP_RESPONSE {
      # Transaction assurance: on a server error, send the client to an
      # alternate host for the same URI instead of returning the 500.
      if { [HTTP::status] == 500 } {
         HTTP::redirect "http://192.168.33.131$my_uri"
      }
   }
}

rule protect_content {
   when HTTP_RESPONSE {
      # HTTP_RESPONSE_DATA only fires for payload gathered with HTTP::collect.
      HTTP::collect
   }
   when HTTP_RESPONSE_DATA {
      set payload [HTTP::payload]
      #
      # Find and replace SSN numbers. regsub returns the number of
      # substitutions, so the count is what to test, not the rewritten string.
      #
      set count [regsub -all {\d{3}-\d{2}-\d{4}} $payload "xxx-xx-xxxx" new_response]
      #
      # Replace only if necessary, then let the response continue.
      #
      if { $count > 0 } {
         HTTP::payload replace 0 [HTTP::payload length] $new_response
      }
      HTTP::release
   }
}

rule host_to_uri_mapping {
   when HTTP_REQUEST {
      # www.A.com -- domain == A.com, company == A
      # regexp returns 0 when the host does not match, in which case
      # $company is never set, so guard on the match before using it.
      if { [regexp {\.([\w]+)\.com} [HTTP::host] domain company] && $company ne "" } {
         # look for the second string in the data group
         set mapping [findclass $company $::valid_company_mappings " "]
         if { $mapping ne "" } {
            HTTP::redirect "http://www.my_vs.com/$mapping"
         }
      }
   }
}
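The protect_content rule above rewrites whatever a single HTTP_RESPONSE_DATA event hands it. When a response is processed in pieces rather than collected whole, an SSN split across two pieces escapes a per-piece regsub. The Python below is an added example, not an iRule and not F5 code: it shows the leak on a constructed two-chunk body and a streaming masker that carries the last ten characters of each chunk into the next, which is the state an iRule would have to keep in a variable between bounded HTTP::collect events. The sample body, the SSN pattern and the mask string are constructed for the demo.

```python
import re

# Constructed sample body, delivered in two pieces with the first SSN split
# across the boundary, as a bounded collect loop might hand it over.
SAMPLE_CHUNKS = ["Customer SSN: 123-4", "5-6789 and 987-65-4321."]

SSN = re.compile(r"\d{3}-\d{2}-\d{4}")
MASK = "xxx-xx-xxxx"
# The longest SSN prefix that can be left dangling at the end of a chunk is
# ten characters ("123-45-678"), so that much is held back between chunks.
TAIL = 10


def naive_mask(chunks):
    """Mask each chunk on its own, treating every payload as self-contained.
    Returns (text, number of values masked)."""
    out, total = [], 0
    for chunk in chunks:
        text, n = SSN.subn(MASK, chunk)
        out.append(text)
        total += n
    return "".join(out), total


class StreamingMasker:
    """Mask SSN-shaped values in a body that arrives in chunks. The last TAIL
    characters of each chunk are carried into the next, so a value split
    across chunks is still seen whole; flush() releases the final carry."""

    def __init__(self):
        self.carry = ""
        self.count = 0

    def feed(self, chunk):
        data, n = SSN.subn(MASK, self.carry + chunk)
        self.count += n
        # Everything before the tail is safe to release: a complete SSN is
        # eleven characters and has already been replaced above, and the
        # masked text contains no digits, so it can never re-match.
        self.carry = data[-TAIL:]
        return data[:-TAIL]

    def flush(self):
        rest, self.carry = self.carry, ""
        return rest


def streaming_mask(chunks):
    """Run the chunks through StreamingMasker; returns (text, count)."""
    masker = StreamingMasker()
    out = [masker.feed(c) for c in chunks]
    out.append(masker.flush())
    return "".join(out), masker.count


if __name__ == "__main__":
    print(naive_mask(SAMPLE_CHUNKS))      # the split SSN leaks through
    print(streaming_mask(SAMPLE_CHUNKS))  # both values are masked
```

Holding back a tail adds no latency worth measuring for a ten-character window, and the same carry-over trick applies to any pattern with a bounded maximum length; for patterns without a bound (an arbitrarily long token, say) the only safe option is to collect the whole response, as the fixed protect_content rule does.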
Introducing iControl v9
• Open API (SOAP/XML) allows applications to interact with the network automatically
• Integration with development tools from Microsoft, BEA and Oracle
• Online community: F5 DevCentral
• Developer assistance on F5 DevCentral via the developer forums (http://devcentral.f5.com)
• iRules forum and code examples