Manual Chapter: TurboFlex Profiles Overview
About TurboFlex Profiles
About FPGA features
These FPGA features are currently available:
- Q-in-Q tunneling
  Q-in-Q tunneling is a private cloud feature that uses a double VLAN header, which dramatically increases the VLAN address space and provides a layer of security by obscuring the inner VLAN header.
- ePVA - TCP IPv4
  Embedded Packet Velocity Acceleration (ePVA) is a feature that provides a wire speed L4 TCP proxy for IPv4 addresses. This function offloads the L4 TCP proxy functions from the CPU.
- Per virtual server SYN cookies
  The per virtual server SYN cookie feature protects the system, on a virtual server basis, from SYN flood attacks and enables the BIG-IP® system to maintain connections when the SYN queue begins to fill up during an attack. The FPGA implementation offloads the effort from the CPU.
- NVGRE, VXLAN, Ether-IP, and IP-in-IP tunneling
  This feature makes the handling of these tunneling methods more efficient by more effectively handling the entire (inner and outer header) checksums, and adding support in HSBs to disaggregate on inner headers. This implementation offloads some of the CPU load associated with termination, de-termination, and internal switching of the tunnels within the BIG-IP system.
- ePVA - UDP
  See ePVA - TCP IPv4. This feature adds wire speed L4 UDP proxy for UDP packets.
- ePVA - TCP IPv6
  See ePVA - TCP IPv4. This feature adds wire speed L4 proxy (UDP and TCP) with IPv6 IP address support.
- Basic DoS Vectors
  This is a package of approximately 80 DDoS Volumetric and Protocol Compliance vectors, not including DNS and SIP vectors.
- Advanced DoS vectors - SIP/DNS
  This feature completes the package of a total of 100 DDoS Volumetric and Protocol Compliance vectors, including DNS and SIP vectors.
- Per client white/gray/black listing
  White lists and black lists provide the ability to accept a user-provided set of IP-based addresses and use them as filters for IP addresses, either globally or within a specific route domain or virtual server. When implemented in FPGAs, this provides wire-speed lists and offloads the CPU.
- Multiple Vector Lookups (multi-layer attack mitigation)
  This feature makes it possible to separate vectors into ISO layers and to support multiple hardware DoS rules per packet.
- Custom DOS Signatures in Hardware (Behavioral DOS)
  This feature enables dynamically programmable hardware signatures. Only ISO L3 and L4 are supported currently.
- Guaranteed FIX Low Latency (FIX-LL)
  FIX is a protocol used by the financial industry, where any delay of information transmission is critical. This feature uses the FPGAs, Neuron, and flow cache entries to guarantee population in the hardware flow cache tables, minimizing latency and jitter. This implementation reduces the probability of TCP Reset to almost zero, which is a problem for the high speed TCP stacks used in high frequency trading servers. The first 10,000 flows are managed by the Neuron, and there are no TCP resets. Testing indicates that the probability of TCP reset is almost zero in the 100,000 range. This profile provides low latency and very low jitter for TCP streams, providing equal and fair delay to all flows.
- Security Analytics: DDoS/sPVA dropped packets info and reroute
  This feature provides visibility and re-routing of traffic that is dropped by AFM. It includes global DoS, sPVA DoS, sPVA blacklist and graylist, Neuron blacklist, and ePVA Duplicate SYN drops. This feature also includes two debug re-route modes: Re-Route All packets or Re-Route packets on a specific flow.
- Global SYN Cookies
  This feature provides a single control for protecting the box from all SYN attacks. It includes VLAN based thresholds and a global threshold for resulting actions.
- Virtual Wire
  Virtual Wire, also known as Transparent L4 forwarding, forwards VLANs through the BIG-IP system through the FPGAs without changing the VLAN headers in the ePVA.
Profiles and features available on i850/i2000/i4000 Series platforms
The i850 platform is available only in certain countries.
Feature | Base profile | ADC profile | Private cloud profile | Security profile |
---|---|---|---|---|
Q in Q tunneling | X | X | X | X |
NVGRE, VXLAN, Ether-IP, and IPinIP tunneling | X | X | X | X |
Basic DoS vectors | X | |||
Advanced DoS vectors - SIP/DNS | X | |||
Per client white/gray/black listing | X (i4800 only) | |||
Multiple vector lookups (multi-layer attack mitigation) | X | |||
Custom DoS signatures in hardware (behavioral DoS) | X | |||
Global SYN cookies | X | X | X |
Profiles and features available on i5000/i7000/i10000/i11000/i15000 Series platforms
Feature | Base profile | ADC profile | Private cloud profile | Security profile | Low Latency FIX profile | Ultrafast Layer 4 CPS |
---|---|---|---|---|---|---|
Q in Q tunneling | X | X | X | X | X | X |
ePVA - TCP IPv4 | X | X | X | X | X | |
Per virtual server SYN cookies | X | X | X | X | X | |
NVGRE, VXLAN, Ether-IP, and IPinIP tunneling | X | X | X | X | X | X |
ePVA - UDP | X | X | X | X | ||
ePVA - TCP IPv6 | X | X | X | X | ||
Basic DoS vectors | X | X | ||||
Advanced DoS vectors - SIP/DNS | X | |||||
Per client white/gray/black listing | X | |||||
Multiple vector lookups (multi-layer attack mitigation) | X | |||||
Custom DoS signatures in hardware (behavioral DoS) | X | |||||
Guaranteed FIX low latency (FIX-LL) | X | |||||
Security Analytics - DDoS/sPVA dropped packets | X | |||||
Global SYN cookies | X | X | X | |||
Layer 2 transparency acceleration/Virtual wire | X | |||||
Ultrafast Layer 4 performance | X |
About managing TurboFlex Profiles using tmsh
You can use the TMOS Shell (`tmsh`) to manage the TurboFlex Profiles for your system.
View all TurboFlex Profile information using tmsh
You can use `tmsh` to see information about all TurboFlex Profiles, including the profile that is currently active on your system.
- Change to the system module.
  `sys`
  The system prompt updates with the module name:
  ```
  user@bigip01(Active)(/Common)(tmos.sys)#
  user@bigiq01(Active)(/Common)(tmos.sys)#
  ```
- Open the TMOS Shell (tmsh).
  `tmsh`
- View the currently active profile.
  `show turboflex profile`
  This is an example of the output that you might see when you run this command:
  ```
  ---------------------------------------
  Sys::Active Turboflex
  ---------------------------------------
  Current Profile: turboflex-adc
  Active Features: epva-tcpipv4 epva-syncookie basic-tunneling epva-udp
                   epva-ipv6 global-syncookie adv-tunneling
  ================================================================================
  Sys::FPGA Turboflex Profiles:
  ================================================================================
  PROFILE                     FEATURES
  --------------------------------------------------------------------------------
  turboflex-adc               epva-tcpipv4 epva-syncookie basic-tunneling epva-udp
                              epva-ipv6 global-syncookie adv-tunneling
  turboflex-base              epva-tcpipv4 epva-syncookie basic-tunneling
                              adv-tunneling
  turboflex-dns               epva-tcpipv4 basic-tunneling epva-udp epva-ipv6
                              fpga-dns
  turboflex-low-latency       epva-tcpipv4 epva-syncookie basic-tunneling epva-udp
                              epva-ipv6 adv-tunneling hw-latency-dedicate
  turboflex-private-cloud     epva-tcpipv4 epva-syncookie basic-tunneling epva-udp
                              epva-ipv6 global-syncookie adv-tunneling
  turboflex-security          epva-tcpipv4 epva-syncookie basic-tunneling epva-udp
                              epva-ipv6 basic-dos-vectors adv-dos-vectors epva-spva
                              global-syncookie adv-tunneling multiple-vector-lookup
                              transparent-layer2 custom-dos-signatures
                              security-analytics
  turboflex-ultrafast-layer4  epva-tcpipv4 basic-tunneling epva-udp
                              ultrahigh-layer4 global-syncookie
  ```
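A check a defender might run against the `show turboflex profile` output above: does the active profile provide the hardware DoS features a policy expects, and if not, which profiles would? This is an added example, not F5 code; the `audit` policy, the function names, and the line wrapping of the sample are assumptions, which is why the parser works on tokens rather than columns.

```python
import re

# Constructed sample, abridged from the output shown above; wrapping is assumed.
SAMPLE = """\
Sys::Active Turboflex
---------------------------------------
Current Profile: turboflex-adc
Active Features: epva-tcpipv4 epva-syncookie basic-tunneling epva-udp
                 epva-ipv6 global-syncookie adv-tunneling
Sys::FPGA Turboflex Profiles:
PROFILE FEATURES
turboflex-adc epva-tcpipv4 epva-syncookie basic-tunneling epva-udp
    epva-ipv6 global-syncookie adv-tunneling
turboflex-base epva-tcpipv4 epva-syncookie basic-tunneling adv-tunneling
turboflex-security epva-tcpipv4 epva-syncookie basic-tunneling epva-udp epva-ipv6
    basic-dos-vectors adv-dos-vectors epva-spva global-syncookie adv-tunneling
    multiple-vector-lookup transparent-layer2 custom-dos-signatures security-analytics
"""

def parse_turboflex(text):
    """Return (current profile, active feature set, {profile: feature set})."""
    tokens = [t for t in text.split() if not re.fullmatch(r"[-=]+", t)]
    current, active, profiles, state, name = None, set(), {}, None, None
    markers = {("Current", "Profile:"): "current", ("Active", "Features:"): "active",
               ("PROFILE", "FEATURES"): "table"}
    for prev, tok in zip([None] + tokens, tokens):
        if (prev, tok) in markers:
            state = markers[(prev, tok)]
        elif tok.startswith("Sys::"):
            state = None                  # a new section header ends any list
        elif state == "current":
            current, state = tok, None
        elif state == "active":
            active.add(tok)
        elif state == "table" and tok.startswith("turboflex-"):
            name = tok                    # a profile name starts a new table row
            profiles[name] = set()
        elif state == "table" and name:
            profiles[name].add(tok)
    return current, active, profiles

def audit(text, required):
    """Check the active profile against a required-feature policy (hypothetical)."""
    current, active, profiles = parse_turboflex(text)
    missing = sorted(set(required) - active)
    # Profiles that would supply every required feature if activated.
    candidates = sorted(p for p, f in profiles.items() if set(required) <= f)
    return current, missing, candidates
```

With the sample above, a policy requiring `global-syncookie`, `basic-dos-vectors` and `adv-dos-vectors` reports the two DoS vector features as missing from `turboflex-adc` and names `turboflex-security` as the only profile that supplies all three.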
View the currently active TurboFlex Profile using tmsh
You can use `tmsh` to see which TurboFlex Profile is currently active on your system.
- Open the TMOS Shell (tmsh).
  `tmsh`
- Change to the system module.
  `sys`
  The system prompt updates with the module name:
  ```
  user@bigip01(Active)(/Common)(tmos.sys)#
  user@bigiq01(Active)(/Common)(tmos.sys)#
  ```
- View the currently active profile.
  `list turboflex profile-config`
  This is an example of the output that you might see when you run this command:
  ```
  sys turboflex profile-config {
      type turboflex-adc
  }
  ```
View all TurboFlex Profile features using tmsh
You can use `tmsh` to see a list of all available TurboFlex Profile features on your system.
- Change to the system module.
  `sys`
  The system prompt updates with the module name:
  ```
  user@bigip01(Active)(/Common)(tmos.sys)#
  user@bigiq01(Active)(/Common)(tmos.sys)#
  ```
- Open the TMOS Shell (tmsh).
  `tmsh`
- View all TurboFlex profile features.
  `show turboflex profile features`
  This is an example of the output that you might see when you run this command:
  ```
  --------------------------------------------------------------------------------
  Sys::FPGA Turboflex Features:
  --------------------------------------------------------------------------------
  adv-dos-vectors          Advanced DoS Vectors - SIP/DNS
  adv-tunneling            NVGRE, VXLAN, Ether-IP and IPinIP Tunneling
  basic-dos-vectors        Basic DoS Vectors
  basic-tunneling          Q in Q Tunneling
  custom-dos-signatures    Custom DoS Signatures in HW (Behavioral DoS)
  epva-dos-vectors         EPVA SPVA DOS
  epva-ipv6                ePVA - IPv6
  epva-low-latency         EPVA Low Latency
  epva-spva                Per Client White/Gray/Black Listing
  epva-syncookie           Per VS SYN Cookies
  epva-tcpipv4             ePVA - TCP IPv4
  epva-udp                 ePVA - UDP
  fpga-dns                 EPVA DNS Offloading
  global-syncookie         Global SYN Cookies
  hw-latency-dedicate      Guaranteed FIX-LL
  hw-security-dedicate     NEURON Security
  hwsyncookie-neuron       NEURON HW Syncookie
  hwvip-neuron             NEURON HW Listener
  hybrid-cloud-director    FPGA Hybrid Cloud
  multiple-vector-lookup   Multiple Vector Lookups (multi-layer attack mitigation)
  security-analytics       Security Analytics: DDoS/sPVA dropped packets info and reroute
  transparent-layer2       Transparent L2
  tunnel-encapdecap-accel  FPGA Tunnel Acceleration
  ultrahigh-layer4         EPVA UltraSpeed L4
  ```
View the currently active TurboFlex Profile and features using tmsh
You can use `tmsh` to see which TurboFlex Profile is currently active on your system and view a list of features for that profile.
- Change to the system module.
  `sys`
  The system prompt updates with the module name:
  ```
  user@bigip01(Active)(/Common)(tmos.sys)#
  user@bigiq01(Active)(/Common)(tmos.sys)#
  ```
- Open the TMOS Shell (tmsh).
  `tmsh`
- View the currently active profile.
  `show turboflex profile feature`
  This is an example of the output that you might see when you run this command:
  ```
  ---------------------------------------
  Sys::Active Turboflex
  ---------------------------------------
  Current Profile: turboflex-adc
  Active Features: epva-tcpipv4 epva-syncookie basic-tunneling epva-udp
                   epva-ipv6 global-syncookie adv-tunneling
  ```
View all TurboFlex Profiles supported by each firmware using tmsh
You can use `tmsh` to view all TurboFlex Profiles and features.
- Open the TMOS Shell (tmsh).
  `tmsh`
- Change to the system module.
  `sys`
  The system prompt updates with the module name:
  ```
  user@bigip01(Active)(/Common)(tmos.sys)#
  user@bigiq01(Active)(/Common)(tmos.sys)#
  ```
- View all TurboFlex Profiles and features.
  `show fpga turboflex-profile`
  This is an example of the output that you might see when you run this command:
  ```
  --------------------------------------------------------------------------------
  Sys::FPGA Turboflex Information:
  --------------------------------------------------------------------------------
  FW Type   l4-performance-fpga
  Personas  turboflex-base
  FW Type   l7-intelligent-fpga
  Personas  turboflex-base turboflex-dns
  FW Type   low-latency
  Personas  turboflex-base turboflex-low-latency
  FW Type   standard-balanced-fpga
  Personas  turboflex-base turboflex-adc turboflex-security
            turboflex-private-cloud turboflex-low-latency
  ```
Change the currently active TurboFlex Profile using tmsh
Before you change to a different TurboFlex Profile, verify that you have the appropriate modules provisioned.
You can use `tmsh` to change which TurboFlex Profile is currently active on your system.
- Open the TMOS Shell (tmsh).
  `tmsh`
- Change to the system module.
  `sys`
  The system prompt updates with the module name:
  ```
  user@bigip01(Active)(/Common)(tmos.sys)#
  user@bigiq01(Active)(/Common)(tmos.sys)#
  ```
- Change the currently active profile.
  `modify turboflex profile-config type <turboflex-profile-name>`
  Confirm that you would like to change the active TurboFlex Profile.
  Changing the active profile might require a restart of daemons and disrupt traffic.
About managing TurboFlex Profiles using the Configuration utility
You can use the Configuration utility to manage the TurboFlex Profiles for your system.
View all TurboFlex profiles using the Configuration utility
You can use the Configuration utility to see a list of all TurboFlex Profiles that are supported on your system.
- On the Main tab, click.
  This displays a list of active and available TurboFlex profiles.
Change the currently active TurboFlex Profile using the Configuration utility
Before you change to a different TurboFlex Profile, verify that you have the appropriate modules provisioned.
You can use the Configuration utility to change which TurboFlex Profile is currently active on your system.
- On the Main tab, click.
  This displays a list of active and available TurboFlex profiles.
- Click Enable Profile for the profile that you would like to activate.