f5 application traffic management

F5 Application Traffic Management, 2007. Radovan Gibala, Field Systems Engineer, [email protected], +420 731 137 223


Post on 02-Jan-2016


Page 1: F5  Application Traffic Management

F5 Application Traffic Management

2007

Radovan Gibala, Field Systems Engineer
[email protected]
+420 731 137 223

Page 2: F5  Application Traffic Management

People • Apps • Data

User Experience & App Performance
• Asymmetric & Symmetric Acceleration
• Server Offload
• Load Balancing

Business Continuity, HA, Disaster Recovery
• WAN Virtualization
• File Virtualization
• DC to DC Acceleration
• Virtualized VPN Access

App Security & Data Integrity
• AAA
• Data Protection
• Transaction Validation

Managing Scale & Consolidation
• Virtualized App & Infrastructure
• Server & App Offload
• Load Balancing

Unified Security Enforcement & Access Control
• Remote, WLAN & LAN Central Policy Enforcement
• End-Point Security
• Encryption
• AAA

Storage Growth
• Virtualization
• Migration
• Tiering
• Load Balancing

Page 3: F5  Application Traffic Management

Application Delivery Network

[Diagram: the People, Apps and Data challenges of the previous slide (Business Continuity HA Disaster Recovery, Managing Scale & Consolidation, Unified Security Enforcement & Access Control, App Security & Data Integrity, Storage Growth, User Experience & App Performance), each with its capabilities and labelled with F5 products: BIG-IP LTM, GTM, LC, WA, ASM, FirePass, ARX, WJ.]

Page 4: F5  Application Traffic Management

How To Achieve the Requirements?

Application

Network Administrator • Application Developer

• Hire an Army of Developers?
• Add More Infrastructure?
• More Bandwidth
• Multiple Point Solutions

Page 5: F5  Application Traffic Management

The Result: A Growing Network Problem

Users: Mobile Phone, PDA, Laptop, Desktop, Co-location

Network Point Solutions:
• SSL Acceleration
• Server Load Balancer
• Rate Shaping
• DoS Protection
• Application Firewall
• Content Acceleration
• Traffic Compression
• Connection Optimisation

Applications: CRM, ERP, SFA, Customised Application

Page 6: F5  Application Traffic Management

The F5 Solution

Users: Mobile Phone, PDA, Laptop, Desktop, Co-location

F5’s Integrated Solution: TMOS, Application Delivery Network

Applications: CRM, Database, Siebel, BEA, Legacy, .NET, SAP, PeopleSoft, IBM, ERP, SFA, Custom

Page 7: F5  Application Traffic Management

A New Level of Intelligence

Legacy Approach: Packet Based
• React to a Single Communication, One Direction

TM/OS: Flow Based
• React to a Real Time, Two-Way Conversation
• Translate Between Parties

Page 8: F5  Application Traffic Management

Deliver Application Exactly as Intended

TM/OS Fast Application Proxy: Client Side, Universal Inspection Engine (UIE), Server Side

Manage Entire Application Flows:
• Independent Connection Control
• Supporting All IP Applications
• High Performance Framework
• Bi-Directional, Full Payload Inspection
• Session Level Control

Page 9: F5  Application Traffic Management

The Most Intelligent and Adaptable Solution

• iRules: Programmable Network Language
• GUI-Based Application Profiles: Repeatable Policies
• TM/OS Fast Application Proxy: Client Side, Universal Inspection Engine (UIE), Server Side
• Programmable Application Network
• Complete Visibility and Control of Application Flows
• Targeted and Adaptable Functions
• Unified Application Infrastructure Services

Security • Optimisation • Delivery • New Service

Compression • TCP Offloading • Load Balancing

News Website

Page 10: F5  Application Traffic Management

Traffic Management Operating System

TMOS Operating System

Shared Application Services
• Compression
• Selective Content Encryption
• Advanced Client Authentication
• Application Health Monitors
• Application Switching
• iRules
• Rate Shaping / Rate Limiting
• Resource Cloaking
• Transaction Assurance
• Universal Persistence
• Caching

Shared Network Services
• TCP Express
• Protocol Sanitization
• High Performance SSL
• DoS and DDoS Protection
• VLAN Segmentation
• Line Rate L2 Switching (Mirroring, Trunking, STP, LACP)
• IP Packet Filtering
• IPv6
• Dynamic Routing
• Secure Network Address Translation
• Port Mapping
• Common Management Framework

Page 11: F5  Application Traffic Management

Unique TMOS Architecture

• TMOS Traffic Plug-ins
• High-Performance Networking Microkernel
• Powerful Application Protocol Support
• iControl – External Monitoring and Control
• iRules – Network Programming Language

[Diagram: Client and Server connected through a TCP Proxy (Client Side, Server Side) on the Microkernel and High Performance HW, with iRules and the iControl API. Plug-ins shown: SSL, Compression, TCP Express, Caching, OneConnect, XML, Rate Shaping, TrafficShield, Web Accel, 3rd Party.]

Page 12: F5  Application Traffic Management


BIG-IP v9

Page 13: F5  Application Traffic Management

Market Leading Functionality Today

Optimise • Deliver • Secure

• Comprehensive Load Balancing
• Advanced Application Switching
• Customised Health Monitoring

• DoS and SYN Flood Protection
• Network Address/Port Translation
• Application Attack Filtering
• Certificate Management

• SSL Acceleration
• Quality of Service

• Intelligent Network Address Translation
• Advanced Routing
• Intelligent Port Mirroring

Page 14: F5  Application Traffic Management

First Unified Application Infrastructure Services

Optimise • Deliver • Secure (New, TM/OS)

• IPv6 Gateway
• Universal Persistence
• Response Error Handling
• Session / Flow Switching

• Resource Cloaking
• Advanced Client Authentication
• Firewall - Packet Filtering
• Selective Content Encryption
• Cookie Encryption
• Content Protection
• Protocol Sanitisation

• Connection Pooling
• Intelligent Compression
• L7 Rate Shaping
• Content Spooling/Buffering
• TCP Optimisation
• Content Transformation

Page 15: F5  Application Traffic Management


F5

Load Balancing

Application Switching

Response Error Handling

IPv6 Gateway

Universal Persistence

Compression

Connection Optimisation

Content Spooling

L7 Rate Shaping

Content Transformation

High Performance SSL Encryption

Cookie Encryption

Resource Cloaking

Advanced Client Authentication

DoS and Network Firewall

Content Protection

Protocol Sanitisation

Most Intelligent and Adaptable Solution Delivering Unmatched Services

Page 16: F5  Application Traffic Management

Comprehensive Load Balancing

Static
– Round Robin
– Ratio

Dynamic
– Fastest
– Least Connections
– Observed
– Predictive
– Dynamic Ratio

Priority Groups

Page 17: F5  Application Traffic Management


Availability Checking

• Check any back-end process using EAV

• Will work for any IP based application

• Stateful failover between devices

Security

• Firewall-like device to resist most attacks

• All administration is encrypted

• Integrated SSL/FIPS and secure NAT

Feature Overview/BIG-IP

Page 18: F5  Application Traffic Management


SSL and E-Commerce

• Only product with integrated SSL

• Single certificate simplifies administration

• Lowers certificate costs

• Client certificate checking (Authentication)

Layer 7 Functionality

• Can utilize all HTTP header/content or TCP content in traffic decisions

• Can persist on anything

• HTTP 1.1 keep-alives dramatically improve performance

Feature Overview/BIG-IP

Page 19: F5  Application Traffic Management


Easy to Implement and Support

• Can be deployed as either Layer 2 or 3 device

• Simple and complete Graphical User Interface

• Installation services by F5 and/or partner

Flexibility

• BIG-IP works with any server or IP based service

• iControl enables integration with internal and/or 3rd party applications

Feature Overview/BIG-IP

Page 20: F5  Application Traffic Management


“We have to deal with multiple products. The new user interface makes every other solution in this space look absolutely immature. F5’s solutions are 10 times easier to manage than Cisco.” - Major US Hosting Provider

Powerful and Simplified Management

Page 21: F5  Application Traffic Management

Profile Based Management

Profile Based Traffic Management

Deliver • Optimize • Secure

Improved vision of all resources and traffic

Page 22: F5  Application Traffic Management


Ensure Higher Availability - Superior System Design

Processes Reporting and Control – Granular status, logging and configurable actions for component-level failures. Capable of warm restarts and upgrades.

3-way HA Design – Robust Internal system checking and pass-through design.

Page 23: F5  Application Traffic Management


Extensibility - IPv6 Gateway

Page 24: F5  Application Traffic Management

BIG-IP Security Add-On Modules

• Application Security Module: Protect applications and data
• SSL Acceleration: Protect data over the Internet
• Advanced Client Authentication Module: Protect against unauthorised access

Page 25: F5  Application Traffic Management

BIG-IP Software Add-On Modules

Quickly Adapt to Changing Application & Business Challenges

• Compression Module: Increase performance
• Webaccelerator - Fast Cache Module: Offload servers
• Rate Shaping Module: Reserve bandwidth

Page 26: F5  Application Traffic Management


Intelligent HTTP Compression

URI/content filters – allow/disallow lists

– Compress only specified file types

– Based on URI or MIME type

Client-aware compression (patent pending)

– Based on TCP latency – observe client RTT

– Based on low bandwidth client connections

Granular L7 based compression

Tunable resource allocation

– Devote more memory and CPU cycles for high priority compression jobs

Adaptable Compression

– Scale back compression based on CPU load

Most Intelligent and flexible solution to target HTTP compression where it matters most

Page 27: F5  Application Traffic Management

Real Time Compression Tool

www.f5demo.com/compression

Page 28: F5  Application Traffic Management

OneConnect ™ – Connection Pooling

Increase server capacity by 30%

– Aggregates massive number of client requests into fewer server side connections
– Transformations from HTTP 1.0 to 1.1 for Server Connection Consolidation
– Maintains intelligent load balancing to dedicated content servers

Good Sources:
http://tech.f5.com/home/bigip/solutions/traffic/sol1548.html
http://www.f5.com/solutions/archives/whitepapers/httpbigip.html

Page 29: F5  Application Traffic Management

OneConnect ™ New and Improved

1) OneConnect ™ Content Switching
2) OneConnect ™ HTTP transformations
3) OneConnect ™ Connection Pooling

• Streamlines single client request to BIG-IP
• Enabled by HTTP 1.1
• Avg. Reduction is 20 to 1 per Web Page
• Intelligent load balancing to dedicated content servers
• Maintain Server Logging
• Transformation from HTTP 1.0 to 1.1 for Server Connection Consolidation
• Aggregates massive number of client requests into fewer server side connections

[Diagram: HTTP Request Pooling. Client requests (index.htm, a.gif, b.gif, c.asp, sales.htm, d.gif, e.gif, f.asp) are switched to an HTML server pool, a GIF server pool and an ASP server pool; many client-side connections become one server-side connection (20 to 1).]

Page 30: F5  Application Traffic Management

Content Spooling

Problem: TCP Overhead on Servers

– There is overhead for breaking apart ("chunking") content
– Client and Server negotiate TCP segmentation
– Client forces more segmentation than is good for the server
– The server is burdened with breaking content up into small pieces for good client consumption

Solution

– Slurp up server response
– Spoon feed clients

Benefit: Increases server capacity up to 15%

Page 31: F5  Application Traffic Management

L7 Rate Shaping

Integrated and Fine Grained Bandwidth Control

Sophisticated Bandwidth Control
– Flexible bandwidth limits
– Full support for bandwidth borrowing
– Traffic queuing (stochastic fair queue, FIFO ToS priority queue)

Granular Traffic Classification L2 through L7
– iRules support can initiate a rate class on any traffic flow variable

Only Multi Direction Control
– Control throughput in any direction

[Diagram: a Rate Class with Base, Burst and Ceiling Rate, applied between the WAN, Network Segments and a Pool of Servers.]

Page 32: F5  Application Traffic Management


Hardware

Page 33: F5  Application Traffic Management

Hardware Performance

– High Performance Switching Fabric

– Dual Processor

– Packet Velocity ASIC (PVA2)

– SSL Transactions per Second (TPS)

– SSL Bulk Encryption

– FIPS Support

– HTTP Compression

Independent Secure Management Access

SCCP Microcomputer - Switch Card Control Processor

Page 34: F5  Application Traffic Management

Hardware cont.

• Dual Media CF + HDD
• Tri-Speed Ethernet (10/100/1000) + Mini GBICs
• 10 Gbps Interfaces
• LCD Display
• USB Port
• Hot Swappable Fan Trays + Power Supplies

Integrated Solution

Page 35: F5  Application Traffic Management

Hardware Manageability and Performance

Unique IP Application Switches

Models: 1500, 3400, 6400, 6800, 8400, 8800

Simplified Management:
• Lights Out Management
• Multi-Boot Support
• LCD for Simplified Management
• Hot-Swappable Parts
• Redundant Power / Fans
• Port Flexibility
• PCI Slots
• Independent Secure Management

Powerful:
• Packet Velocity ASIC 2
• High Performance SSL & Compression
• High Performance Switching Fabric
• Dual Processor

*All Models Include 100 TPS SSL Acceleration

Page 36: F5  Application Traffic Management

Up-selling Platforms

1500 to 3400
– Packet Velocity ASIC
– 2x performance (Throughput, L4, SSL, etc)
– Better multi-function support – more modules
– Better management and logging (Compact Flash and Hard Drive)

3400 to 6400
– 2x Performance and up (throughput, SSL, etc)
– Superior multi-function support – more modules
– Expandable PCI Slots (future hardware acceleration cards)
– Hardware redundancy and extensibility (accessible Compact Flash, dual power supply and fan tray)

Page 37: F5  Application Traffic Management

Introducing the BIG-IP 1500

The next-generation BIG-IP 1000 and BIG-IP 520

1U Height – New USB Port, LCD Display & Keypad

4 10/100/1000 Copper Ethernet Ports

2 Optional Gigabit Fiber Ports

Hard Drive

1 PCI Add-in Card Slot

Integrated Management Computer (lights-out management)

Page 38: F5  Application Traffic Management

Introducing the BIG-IP 3400

The next-generation BIG-IP 2400 and BIG-IP 540

1U Height – New USB Port, LCD Display & Keypad

Packet Velocity ASIC 2

8 10/100/1000 Copper Ethernet Ports

2 Optional Gigabit Fiber Ports

Compact Flash & Hard Drive – Improved Logging

1 PCI Add-in Card Slot

Integrated Management Computer (lights-out management)

The benefits of an ASIC with the flexibility and ease of an appliance

Page 39: F5  Application Traffic Management

Introducing the BIG-IP 6400

The next-generation BIG-IP 5100 and BIG-IP 5110

2U Height – New USB Port, LCD Display & Keypad

Dual Processors

Packet Velocity ASIC 2

16 10/100/1000 Copper Ethernet Ports

2 Standard, 2 Optional (Total 4) Gigabit Fiber Ports

Field Accessible Compact Flash & Hard Drive – Improved Logging

3 PCI Add-in Card Slots

Hot Swappable Redundant Power Supplies

Integrated Management Computer (lights-out management)

The most powerful and flexible BIG-IP platform ever

Page 40: F5  Application Traffic Management

Viprion Overview

Unmatched Performance
– Massive scalability
– Processing architecture common with 8800

Intelligent clustering
– SuperVIP (Virtuals can seamlessly span blades)
– N+M redundancy for all features in cluster

High Availability
– Automatic failover within cluster
– Chassis-to-chassis redundancy

Full Modular Chassis
– 4 blade slots w/1 blade type
– 1 blade type
– Any blade can be chassis master

Common central management console
– Single point of Management
– Same user interface as BIG-IP appliances

Page 41: F5  Application Traffic Management


VIPRION – On Demand ADC

Add application intelligence without adding management cost

Market-leading performance

Ultimate redundancy

TMOS inside

Page 42: F5  Application Traffic Management

On Demand – Zero Reconfiguration

• Automatic addition of power
• No need to overprovision
• Fixed and predictable OpEx

[Diagram: Servers, and Physical Servers hosting Virtual Machines.]

Page 43: F5  Application Traffic Management


Virtual Processing Fabric

Clustered Multi Processing (CMP)

Custom Disaggregator ASICs

High Speed Bridge

Page 44: F5  Application Traffic Management


Ultimate Reliability

Client Server

Multi-Level Redundancy

Blade failure will not cause chassis failure

Redundant and hot swappable components

Always Available

Page 45: F5  Application Traffic Management

iRules and iControl

Page 46: F5  Application Traffic Management

iRules – The Next Generation

High performance rules
– Event based iRules provide more control

Only truly programmable rules engine
– Fully programmable: switching, security, transformation and optimisation functions

Based on industry standard language
– Extended Tool Command Language (Tcl)

The network can now apply unlimited business logic for the application

Page 47: F5  Application Traffic Management

iRules – Full Programming Language

[Table: features compared across Tcl, Perl and Visual Basic; the per-language marks are not present in this transcript.]

Speed of use
– Rapid development
– Flexible, rapid evolution
– Great regular expressions

Breadth of functionality
– Easily extensible
– Embeddable
– Easy GUIs
– Internet and Web-enabled

Enterprise usage
– Cross platform
– Internationalisation support
– Thread safe
– Database access

**TCL Developers Exchange

Includes Number Extensions

• Standard Language
• Fast Rule Evaluation
• Event Based Rules
• Multiple Rules Per Event

Page 48: F5  Application Traffic Management


Integration and Extensibility - iRules

Page 49: F5  Application Traffic Management

The Better Alternative Example: Centralized Availability, Security & Acceleration

Centralized Transaction Assurance: Proactive Response Error Handling for Higher Availability

    rule redirect_error_code {
        when HTTP_REQUEST {
            # Remember the requested URI so the response event can reuse it.
            set my_uri [HTTP::uri]
        }
        when HTTP_RESPONSE {
            # On a server error, redirect the client to the alternate server.
            if { [HTTP::status] == 500 } {
                HTTP::redirect "http://192.168.33.131$my_uri"
            }
        }
    }

Host to URI mapping: Faster Access to Data through Automatic Re-direction

    when HTTP_REQUEST {
        # www.A.com -- domain == .A.com, company == A
        # Initialise company so the test below is safe when the host does not match.
        set company ""
        regexp {\.([\w]+)\.com} [HTTP::host] domain company
        if { "" ne $company } {
            # look for the second string in the data group
            set mapping [findclass $company $::valid_company_mappings " "]
            if { "" ne $mapping } {
                HTTP::redirect "http://www.my_vs.com/$mapping"
            }
        }
    }

Centralized Data Protection: Rewrite, Remove, Block and or Log Sensitive Content

    rule protect_content {
        when HTTP_RESPONSE_DATA {
            # Runs once the response payload has been collected.
            set payload [HTTP::payload [HTTP::payload length]]
            #
            # Find and replace SSN numbers.
            # regsub returns the number of substitutions it made.
            #
            set count [regsub -all {\d{3}-\d{2}-\d{4}} $payload "xxx-xx-xxxx" new_response]
            #
            # Replace only if necessary.
            #
            if { $count != 0 } {
                HTTP::payload replace 0 [HTTP::payload length] $new_response
            }
        }
    }

A Repeatable, Extensible, Flexible Architecture

Page 50: F5  Application Traffic Management

Introducing iControl v9

• Open API (SOAP/XML) allows applications to automatically interact with the network
• Integration with development tools from Microsoft, BEA, and Oracle
• Online community F5 DevCentral
– Developer assistance on F5 DevCentral via developer forums (http://devcentral.f5.com)
– iRules forum and code examples

Page 51: F5  Application Traffic Management


Benefits

– Open, standards based integration

– Simplified development

– Proven integration

– Sample code, documentation, discussion forums

Leverage the skills and expertise you already have!

Key Components

– XML/SOAP interface

– Downloadable SDK

– Technology partnerships

– DevCentral resource centre and community

iControl Eases Application Integration

Page 52: F5  Application Traffic Management

Integration and Extensibility - iControl Event API

• Applications can subscribe to 47 different system events
• Sample application (screenshots) provided with SDK
• Bulk method support – 100:1 reduction in calls, 90% reduction in bandwidth

Create Subscription: Administrator uses the provided sample application (or custom application) to create Event Subscriptions.

Select Event Type: Choose a specific event to track. Then, create the Subscription name and parameters.

Upon Event, message is distributed via log, email, or SMS to phone/PDA.

Page 53: F5  Application Traffic Management

iControl Application Migration to v9

• Analyser free for use by all F5 DevCentral members
• DevCentral Forum available for posting migration questions
• Additional samples and technical tips will be available

Paste Code Into Analyser: Developer visits DevCentral, accesses the Code Analyser, and selects the language and report format.

Summary Report: Generated report identifies the lines where conflicts exist, defines the method affected, and enables direct link to online versions of 4.x & v9 SDKs.

Page 54: F5  Application Traffic Management

DevCentral Technical Community

• Forum for F5 customers for building iRules and iControl applications
• F5 provides technical documentation, tips, free sample downloads, and a confidential discussion forum
• Monitored by F5 engineers and technical experts that answer technical questions
– Design, architecture, troubleshooting and general assistance with iRules and iControl

http://devcentral.f5.com/

Page 55: F5  Application Traffic Management

Link Collection

Overall: www.f5.com

Technical: ask.f5.com, devcentral.f5.com

F5 University: www.f5university.com/
» Login: your email
» Password: adv5tech

Partner Information:
www.f5.com/partners
www.f5.com/training_services/certification/certFAQ.html

Gartner Report: http://mediaproducts.gartner.com/reprints/f5networks/article1/article1.html

Important deployment information is available at http://www.f5.com/solutions/deployment/

Data Center Virtualization: http://www.f5.com/solutions/technology/pdfs/dc_virtualization_wp.pdf
Application Traffic Management: http://www.f5.com/solutions/technology/pdfs/atm_wp.pdf
Application Briefs: http://www.f5.com/solutions/applications/
Solution Briefs: http://www.f5.com/solutions/sb/
F5 Compression and Cache Test: http://www.f5demo.com/compression/index.php
F5 iControl Alliance Partners: http://www.f5.com/solutions/partners/iControl/
F5 Technology Alliance Partners: http://www.f5.com/solutions/partners/tech/

Let us know if you need any clarification or you have any further questions.

Page 56: F5  Application Traffic Management

Analyst Leadership Position

Magic Quadrant for Application Delivery Products, 2007

Source: Gartner, January 2007

F5 Strengths
• Offers the most feature-rich AP ADC, combined with excellent performance and programmability via iRules and a broad product line.
• Strong focus on applications, including long-term relationships with major application vendors, including Microsoft, Oracle and SAP.
• Strong balance sheet and cohesive management team with a solid track record for delivering the right products at the right time.
• Strong underlying platform allows easy extensibility to add features.
• Support of an increasingly loyal and large group of active developers tuning their applications environments specifically with F5 infrastructure.

[Figure: Magic Quadrant with axes Ability to Execute and Completeness of Vision and quadrants Challengers, Leaders, Niche Players, Visionaries. Vendors plotted: F5 Networks, Citrix Systems, Akamai Technologies, Radware, Crescendo, Coyote Point, Zeus, Cisco Systems, Foundry Networks, Nortel Networks, Juniper, NetContinuum, Array Networks.]

Page 57: F5  Application Traffic Management


Thank You