f5 application traffic management
DESCRIPTION
F5 Application Traffic Management. Radovan Gibala, Field Systems Engineer, [email protected], +420 731 137 223. 2007. Business Continuity HA Disaster Recovery. WAN Virtualization File Virtualization DC to DC Acceleration Virtualized VPN Access. User Experience & App Performance. App -
TRANSCRIPT
1
F5 Application Traffic Management
2007
Radovan Gibala, Field Systems Engineer, [email protected], +420 731 137 223
2
• Asymmetric & Symmetric Acceleration
• Server Offload
• Load Balancing
• WAN Virtualization
• File Virtualization
• DC to DC Acceleration
• Virtualized VPN Access
• AAA
• Data Protection
• Transaction Validation
• Virtualized App & Infrastructure
• Server & App Offload
• Load Balancing
• Remote, WLAN & LAN Central Policy Enforcement
• End-Point Security
• Encryption
• AAA
• Virtualization
• Migration
• Tiering
• Load Balancing
People
Apps
Data
Business Continuity, HA, Disaster Recovery
Managing Scale & Consolidation
Unified Security Enforcement & Access Control
App Security & Data Integrity
Storage Growth
User Experience & App Performance
3
Business Continuity, HA, Disaster Recovery
People
Apps
Data
FirePass
BIG-IP LTM • GTM
ARX
BIG-IP GTM
BIG-IP LTM • ASM
FirePass
BIG-IP LTM • GTM • LC • WA
FirePass • ARX • WJ
• Asymmetric & Symmetric Acceleration
• Server Offload
• Load Balancing
• WAN Virtualization
• File Virtualization
• DC to DC Acceleration
• Virtualized VPN Access
• AAA
• Data Protection
• Transaction Validation
• Virtualized App & Infrastructure
• Server & App Offload
• Load Balancing
• Remote, WLAN & LAN Central Policy Enforcement
• End-Point Security
• Encryption
• AAA
• Virtualization
• Migration
• Tiering
• Load Balancing
BIG-IP LTM • GTM • WA
ARX • WJ
BIG-IP LTM • GTM • LC • WA
FirePass • ARX • WJ
Application Delivery Network
Managing Scale & Consolidation
Unified Security Enforcement & Access Control
App Security & Data Integrity
Storage Growth
User Experience & App Performance
4
Application
How To Achieve the Requirements ?
Network Administrator Application Developer
Hire an Army of Developers?
Add More Infrastructure?
More Bandwidth
Multiple Point Solutions
5
CRM
SFA
ERP
Network Point Solutions
Applications
Users
SSL Acceleration
Server Load Balancer
Rate Shaping
DoS Protection
Application Firewall
Content Acceleration
Traffic Compression
Connection Optimisation
Customised Application
Mobile Phone
PDA
Laptop
Desktop
Co-location
The Result: A Growing Network Problem
6
The F5 Solution
Applications
Users
Mobile Phone
PDA
Laptop
Desktop
Co-location
F5’s Integrated Solution
CRM
Database
Siebel
BEA
Legacy
.NET
SAP
PeopleSoft
IBM
ERP
SFA
Custom
TMOS
Application Delivery Network
7
TM/OS
A New Level of Intelligence
React to a Single Communication, One Direction
Packet
Based
React to a Real Time, Two-Way Conversation
Translate Between Parties
Flow
Based
Legacy Approach
8
Deliver Application Exactly as Intended
TM/OS Fast Application Proxy
Universal Inspection Engine (UIE)
Client Side
Server Side
• Independent Connection Control
• Supporting All IP Applications
• High Performance Framework
• BI-Directional, Full Payload Inspection
• Session Level Control
Manage Entire Application Flows:
9
iRules: Programmable Network Language
GUI-Based Application Profiles: Repeatable Policies
The Most Intelligent and Adaptable Solution
TM/OS Fast Application Proxy
Programmable Application
Network
Complete Visibility and Control of
Application Flows
Security Optimisation Delivery New Service
Universal Inspection Engine (UIE)
Client Side
Server Side
Targeted and Adaptable Functions
Unified Application Infrastructure Services
Compression TCP Offloading
Load Balancing
News Website
10
Traffic Management Operating System
TMOS Operating System
Shared Application Services
• Compression
• Selective Content Encryption
• Advanced Client Authentication
• Application Health Monitors
• Application Switching
• iRules
• Rate Shaping / Rate Limiting
• Resource Cloaking
• Transaction Assurance
• Universal Persistence
• Caching
Shared Network Services
• TCP Express
• Protocol Sanitization
• High Performance SSL
• DoS and DDoS Protection
• VLAN Segmentation
• Line Rate L2 Switching (Mirroring, Trunking, STP, LACP)
• IP Packet Filtering
• IPv6 Dynamic Routing
• Secure Network Address Translation
• Port Mapping
Common Management Framework
11
Client Side
Server Side
Client
Server
Traffic plug-ins shown: SSL, Compression, TCP Express (client side), TCP Express (server side), Caching, OneConnect, XML, Rate Shaping, TrafficShield, Web Accel, 3rd Party
TCP Proxy
iRules
Microkernel
High Performance HW
iControl API
TMOS Traffic Plug-ins
High-Performance Networking Microkernel
Powerful Application Protocol Support
iControl – External Monitoring and Control
iRules – Network Programming Language
Unique TMOS Architecture
12
BIG-IP v9
13
Market Leading Functionality Today
Optimise
Deliver
Secure
• Comprehensive Load Balancing
• Advanced Application Switching
• Customised Health Monitoring
• DoS and SYN Flood Protection
• Network Address/Port Translation
• Application Attack Filtering
• Certificate Management
• SSL Acceleration
• Quality of Service
• Intelligent Network Address Translation
• Advanced Routing
• Intelligent Port Mirroring
14
First Unified Application Infrastructure Services
Optimise
Deliver
Secure
• IPv6 Gateway
• Universal Persistence
• Response Error Handling
• Session / Flow Switching
• Resource Cloaking
• Advanced Client Authentication
• Firewall - Packet Filtering
• Selective Content Encryption
• Cookie Encryption
• Content Protection
• Protocol Sanitisation
• Connection Pooling
• Intelligent Compression
• L7 Rate Shaping
• Content Spooling/Buffering
• TCP Optimisation
• Content Transformation
New
TM/OS
15
F5
Load Balancing
Application Switching
Response Error Handling
IPv6 Gateway
Universal Persistence
Compression
Connection Optimisation
Content Spooling
L7 Rate Shaping
Content Transformation
High Performance SSL Encryption
Cookie Encryption
Resource Cloaking
Advanced Client Authentication
DoS and Network Firewall
Content Protection
Protocol Sanitisation
Most Intelligent and Adaptable Solution Delivering Unmatched Services
16
Comprehensive Load Balancing
Static
– Round Robin
– Ratio
Dynamic
– Fastest
– Least Connections
– Observed
– Predictive
– Dynamic Ratio
Priority Groups
17
Availability Checking
• Check any back-end process using EAV
• Will work for any IP based application
• Stateful failover between devices
Security
• Firewall-like device to resist most attacks
• All administration is encrypted
• Integrated SSL/FIPS and secure NAT
Feature Overview/BIG-IP
18
SSL and E-Commerce
• Only product with integrated SSL
• Single certificate simplifies administration
• Lowers certificate costs
• Client certificate checking (Authentication)
Layer 7 Functionality
• Can utilize all HTTP header/content or TCP content in traffic decisions
• Can persist on anything
• HTTP 1.1 keep-alives dramatically improve performance
Feature Overview/BIG-IP
19
Easy to Implement and Support
• Can be deployed as either Layer 2 or 3 device
• Simple and complete Graphical User Interface
• Installation services by F5 and/or partner
Flexibility
• BIG-IP works with any server or IP based service
• iControl enables integration with internal and/or 3rd party applications
Feature Overview/BIG-IP
20
“We have to deal with multiple products. The new user interface makes every other solution in this space look absolutely immature. F5’s solutions are 10 times easier to manage than Cisco.” - Major US Hosting Provider
Powerful and Simplified Management
21
Profile Based Management
Profile Based Traffic Management
Deliver
Optimize
Secure
Improved vision of all resources and traffic
22
Ensure Higher Availability - Superior System Design
Processes Reporting and Control – Granular status, logging and configurable actions for component-level failures. Capable of warm restarts and upgrades.
3-way HA Design – Robust Internal system checking and pass-through design.
23
Extensibility - IPv6 Gateway
24
Application Security Module: Protect applications and data
SSL Acceleration: Protect data over the Internet
Advanced Client Authentication Module: Protect against unauthorised access
BIG-IP Security Add-On Modules
25
BIG-IP Software Add-On Modules
Quickly Adapt to Changing Application & Business Challenges
Compression Module: Increase performance
Webaccelerator - Fast Cache Module: Offload servers
Rate Shaping Module: Reserve bandwidth
26
Intelligent HTTP Compression
URI/content filters – allow/disallow lists
– Compress only specified file types
– Based on URI or MIME type
Client-aware compression (patent pending)
– Based on TCP latency – observe client RTT
– Based on low bandwidth client connections
Granular L7 based compression
Tunable resource allocation
– Devote more memory and CPU cycles for high priority compression jobs
Adaptable Compression
– Scale back compression based on CPU load
Most Intelligent and flexible solution to target HTTP compression where it matters most
27
Real Time Compression Tool
www.f5demo.com/compression
28
OneConnect ™ – Connection Pooling
Increase server capacity by 30%
– Aggregates massive number of client requests into fewer server side connections
Transformations from HTTP 1.0 to 1.1 for Server Connection Consolidation
Maintains Intelligent load balancing to dedicated content servers
Good Sources:
http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html
http://www.f5.com/solutions/archives/whitepapers/httpbigip.html
29
OneConnect ™ New and Improved
1) OneConnect ™ Content Switching
2) OneConnect ™ HTTP transformations
3) OneConnect ™ Connection Pooling
[Diagram labels: HTTP Request Pooling; Server; HTML server pool; GIF server pool; ASP server pool; Many / One; 20 / 1; requested objects index.htm, a.gif, b.gif, c.asp, sales.htm, d.gif, e.gif, f.asp]
• Streamlines single client request to BIG-IP
• Enabled by HTTP 1.1
• Avg. Reduction is 20 to 1 per Web Page
• Intelligent load balancing to dedicated content servers
• Maintain Server Logging
• Transformation from HTTP 1.0 to 1.1 for Server Connection Consolidation
• Aggregates massive number of client requests into fewer server side connections
New
30
Content Spooling
Problem: TCP Overhead on Servers
– There is overhead for breaking apart ("chunking") content
– Client and Server negotiate TCP segmentation
– Client forces more segmentation than is good for the server
– The server is burdened with breaking content up into small pieces for good client consumption
Solution
– Slurp up server response
– Spoon feed clients
Benefit: Increases server capacity up to 15%
31
Sophisticated Bandwidth Control
– Flexible bandwidth limits
– Full support for bandwidth borrowing
– Traffic queuing (stochastic fair queue, FIFO ToS priority queue)
Granular Traffic Classification L2 through L7
– iRules support can initiate a rate class on any traffic flow variable
Only Multi Direction Control
– Control throughput in any direction
Ceiling Rate
Base
Rate Class
Burst
Integrated and Fine Grained Bandwidth Control
WAN
Pool of Servers
Network Segments
L7 Rate Shaping
32
Hardware
33
Hardware Performance
– High Performance Switching Fabric
– Dual Processor
– Packet Velocity ASIC (PVA2)
– SSL Transactions per Second (TPS)
– SSL Bulk Encryption
– FIPS Support
– HTTP Compression
Independent Secure Management Access
SCCP Microcomputer - Switch Card Control Processor
34
Hardware cont.
Dual Media CF + HDD
Tri-Speed Ethernet (10/100/1000) + Mini GBICs
10 Gbps Interfaces
LCD Display
USB Port
Hot Swappable Fan Trays + Power Supplies
Integrated Solution
35
Hardware Manageability and Performance
Unique IP Application Switches
Models: 8800, 8400, 6800, 6400, 3400, 1500
Simplified Management:
Lights Out Management
Multi-Boot Support
LCD for Simplified Management
Hot-Swappable Parts
Redundant Power / Fans
Port Flexibility
PCI Slots
Independent Secure Management
Powerful:
Packet Velocity ASIC 2
High Performance SSL & Compression
High Performance Switching Fabric
Dual Processor
*All Models Include 100 TPS SSL Acceleration
36
Up-selling Platforms
1500 to 3400
– Packet Velocity ASIC
– 2x performance (Throughput, L4, SSL, etc)
– Better multi-function support – more modules
– Better management and logging (Compact Flash and Hard Drive)
3400 to 6400
– 2x Performance and up (throughput, SSL, etc)
– Superior multi-function support – more modules
– Expandable PCI Slots (future hardware acceleration cards)
– Hardware redundancy and extensibility (accessible Compact Flash, dual power supply and fan tray)
37
Introducing the BIG-IP 1500
The next-generation BIG-IP 1000 and BIG-IP 520
1U Height – New USB Port, LCD Display & Keypad
4 10/100/1000 Copper Ethernet Ports
2 Optional Gigabit Fiber Ports
Hard Drive
1 PCI Add-in Card Slot
Integrated Management Computer (lights-out management)
38
Introducing the BIG-IP 3400
The next-generation BIG-IP 2400 and BIG-IP 540
1U Height – New USB Port, LCD Display & Keypad
Packet Velocity ASIC 2
8 10/100/1000 Copper Ethernet Ports
2 Optional Gigabit Fiber Ports
Compact Flash & Hard Drive – Improved Logging
1 PCI Add-in Card Slot
Integrated Management Computer (lights-out management)
The benefits of an ASIC with the flexibility and ease of an appliance
39
Introducing the BIG-IP 6400
The next-generation BIG-IP 5100 and BIG-IP 5110
2U Height – New USB Port, LCD Display & Keypad
Dual Processors
Packet Velocity ASIC 2
16 10/100/1000 Copper Ethernet Ports
2 Standard, 2 Optional (Total 4) Gigabit Fiber Ports
Field Accessible Compact Flash & Hard Drive – Improved Logging
3 PCI Add-in Card Slots
Hot Swappable Redundant Power Supplies
Integrated Management Computer (lights-out management)
The most powerful and flexible BIG-IP platform ever
40
Viprion Overview
Unmatched Performance
– Massive scalability
– Processing architecture common with 8800
Intelligent clustering
– SuperVIP (Virtuals can seamlessly span blades)
– N+M redundancy for all features in cluster
High Availability
– Automatic failover within cluster
– Chassis-to-chassis redundancy
Full Modular Chassis
– 4 blade slots w/1 blade type
– 1 blade type
– Any blade can be chassis master
Common central management console
– Single point of Management
– Same user interface as BIG-IP appliances
41
VIPRION – On Demand ADC
Add application intelligence without adding management cost
Market-leading performance
Ultimate redundancy
TMOS inside
42
Physical Server
Virtual Machines
Physical Server
Virtual Machines
Servers
Servers
Servers
On Demand – Zero Reconfiguration
Automatic addition of power
No need to overprovision
Fixed and predictable OpEx
43
Virtual Processing Fabric
Clustered Multi Processing (CMP)
Custom Disaggregator ASICs
High Speed Bridge
44
Ultimate Reliability
Client Server
Multi-Level Redundancy
Blade failure will not cause chassis failure
Redundant and hot swappable components
Always Available
46
iRules
and
iControl
47
iRules – The Next Generation
High performance rules
– Event based iRules provide more control
Only truly programmable rules engine
– Fully programmable: switching, security, transformation and optimisation functions
Based on industry standard language
– Extended Tool Command Language (TCL)
The network can now apply unlimited business logic for the application
48
Features compared across Tcl, Perl and Visual Basic:
Speed of use
Rapid development
Flexible, rapid evolution
Great regular expressions
Breadth of functionality
Easily extensible
Embeddable
Easy GUIs
Internet and Web-enabled
Enterprise usage
Cross platform
Internationalisation support
Thread safe
Database access
iRules – Full Programming Language
**TCL Developers Exchange
Includes Number Extensions
• Standard Language
• Fast Rule Evaluation
• Event Based Rules
• Multiple Rules Per Event
49
Integration and Extensibility - iRules
50
Centralized Transaction Assurance: Proactive Response Error Handling for Higher Availability
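rule redirect_error_code {
    when HTTP_REQUEST {
        # Remember the requested URI so the response event can reuse it.
        set my_uri [HTTP::uri]
    }
    when HTTP_RESPONSE {
        # On a server error, send the client to the alternate host.
        if { [HTTP::status] == 500 } {
            HTTP::redirect http://192.168.33.131$my_uri
        }
    }
}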
when HTTP_REQUEST {
    # www.A.com -- domain == .A.com (whole match), company == A
    # Test regexp's return value: on a non-matching Host header the
    # variables are never set and reading $company would raise an error.
    if { [regexp {\.([\w]+)\.com} [HTTP::host] domain company] } {
        # look for the second string in the data group
        set mapping [findclass $company $::valid_company_mappings " "]
        if { "" ne $mapping } {
            HTTP::redirect "http://www.my_vs.com/$mapping"
        }
    }
}
Host to URI mapping: Faster Access to Data through Automatic Re-direction
The Better Alternative Example Centralized Availability, Security & Acceleration
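rule protect_content {
    when HTTP_RESPONSE_DATA {
        # This event fires only after HTTP::collect has been called
        # on the response.
        set payload [HTTP::payload [HTTP::payload length]]
        #
        # Find and replace SSN numbers.
        # regsub returns the number of substitutions and stores the
        # rewritten text in new_response.
        #
        set hits [regsub -all {\d{3}-\d{2}-\d{4}} $payload "xxx-xx-xxxx" new_response]
        #
        # Replace only if necessary.
        #
        if { $hits > 0 } {
            HTTP::payload replace 0 [HTTP::payload length] $new_response
        }
    }
}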
Centralized Data Protection: Rewrite, Remove, Block and or Log Sensitive Content
A Repeatable, Extensible, Flexible Architecture
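The masking step of protect_content can be exercised outside BIG-IP in plain tclsh. The following is an added example, not code from the presentation or from F5: mask_ssn is a hypothetical helper name and the sample bodies are constructed. It shows that regsub returns the substitution count when given a result variable, and that word-boundary anchors keep the pattern from firing inside longer digit runs.

```tcl
# Added example in plain Tcl (tclsh 8.5+); no iRules commands are used.
# mask_ssn is a hypothetical helper, not part of any F5 API.

# Mask SSN-shaped tokens in a response body.
# Returns a two-element list: {masked_body match_count}.
proc mask_ssn {body} {
    # \y is Tcl's word-boundary assertion. Without it the pattern also
    # matches inside longer digit strings such as order numbers.
    set pattern {\y\d{3}-\d{2}-\d{4}\y}
    # With a result variable, regsub RETURNS the number of substitutions
    # and stores the rewritten string in that variable.
    set count [regsub -all -- $pattern $body "xxx-xx-xxxx" masked]
    return [list $masked $count]
}

# Constructed sample bodies (area number 000 is never issued).
set samples {
    {<td>SSN: 000-12-3456</td>}
    {<td>Order 1234-56-78901 shipped</td>}
    {<p>No identifiers here</p>}
    {a=000-12-3456&b=000-98-7654}
}

foreach body $samples {
    lassign [mask_ssn $body] masked count
    if {$count > 0} {
        # Record how many values were masked, never the values themselves.
        puts "masked $count value(s): $masked"
    } else {
        # Nothing matched: the payload would be left untouched.
        puts "unchanged: $masked"
    }
}
```

The order-number sample is left unchanged because neither end of a candidate match falls on a word boundary; the unanchored pattern on the slide would have rewritten part of it.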
51
Introducing iControl v9
Open API (SOAP/XML) allows applications to automatically interact with the network
Integration with development tools from Microsoft, BEA, and Oracle
Online community F5 DevCentral
– Developer assistance on F5 DevCentral via developer forums (http://devcentral.f5.com)
– iRules forum and code examples
52
Benefits
– Open, standards based integration
– Simplified development
– Proven integration
– Sample code, documentation, discussion forums
Leverage the skills and expertise you already have!
Key Components
– XML/SOAP interface
– Downloadable SDK
– Technology partnerships
– DevCentral resource centre and community
iControl Eases Application Integration
53
Integration and Extensibility - iControl Event API
Applications can subscribe to 47 different system events
Sample application (screenshots) provided with SDK
Bulk method support – 100:1 reduction in call, 90% reduction in bandwidth
Create Subscription: Administrator uses the provided sample application (or custom application) to create Event Subscriptions
Select Event Type: Choose a specific event to track. Then, create the Subscription name and parameters.
Upon Event, message is distributed via log, email, or SMS to phone/PDA
54
iControl Application Migration to v9
Analyser free for use by all F5 DevCentral members
DevCentral Forum available for posting migration questions
Additional sample and technical tips will be available
Paste Code Into Analyser: Developer visits DevCentral, accesses the Code Analyser, selects language and report format
Summary Report: Generated report identifies line where conflicts exist, defines the method affected, and enables direct link to online versions of 4.x & v9 SDKs
55
DevCentral Technical Community
Forum for F5 customers for building iRules and iControl applications
F5 provides technical documentation, tips, free sample downloads, and a confidential discussion forum
Monitored by F5 engineers and technical experts that answer technical questions
– Design, architecture, troubleshooting and general assistance with iRules and iControl
http://devcentral.f5.com/
56
Overall www.f5.com
Technical ask.f5.com
devcentral.f5.com
F5 University www.f5university.com/» Login: your email» Password: adv5tech
Partner Information
www.f5.com/partners
www.f5.com/training_services/certification/certFAQ.html
Gartner Report http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html
Important deployment information is available at http://www.f5.com/solutions/deployment/
Data Center Virtualization http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
Application Traffic Management http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
Application Briefs http://www.f5.com/solutions/applications/
Solution Briefs http://www.f5.com/solutions/sb/
F5 Compression and Cache Test http://www.f5demo.com/compression/index.php
F5 iControl Alliance Partners http://www.f5.com/solutions/partners/iControl/
F5 Technology Alliance Partners http://www.f5.com/solutions/partners/tech/
Let us know if you need any clarification or you have any further questions.
Link Collection www.f5.com
57
Source: Gartner, January 2007
Magic Quadrant for Application Delivery Products, 2007
F5 Strengths•Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
•Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
•Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
•Strong underlying platform allows easy extensibility to add features.
•Support of an increasingly loyal and large group of active developers tuning their applications environments specifically with F5 infrastructure.
Analyst Leadership Position
[Magic Quadrant chart: quadrants Challengers, Leaders, Niche Players, Visionaries; axes Ability to Execute and Completeness of Vision]
Vendors plotted: F5 Networks, Citrix Systems, Akamai Technologies, Radware, Crescendo, Coyote Point, Zeus, Cisco Systems, Foundry Networks, Nortel Networks, Juniper, NetContinuum, Array Networks
58
Thank You