Applies To:Show Versions
BIG-IP versions 1.x - 4.x
- 2.1.4 PTF-01, 2.1.4, 2.1.3 PTF-04, 2.1.3 PTF-03, 2.1.3 PTF-02, 2.1.3 PTF-01, 2.1.3, 2.1.2 PTF-02, 2.1.2 PTF-01, 2.1.2, 2.1.1, 2.1.0
Introduction to the BIG/ip Controller
- Welcome to the BIG/ip Controller
- BIG/ip Controller specifications
- Finding help and technical support resources
- What's new in version 2.1
- Managing your network traffic
Welcome to the BIG/ip® Controller Administrator Guide. This guide describes how to set up the BIG/ip Controller hardware and how to configure your load balancing setup, as well as other BIG/ip Controller features. The Administrator guide also includes the software specifications for the BIG/ip Controller platform and reviews some sample configurations that can help you in planning your own configuration.
The BIG/ip Controller is a network appliance that manages and balances traffic for networking equipment such as web servers, cache servers, routers, firewalls, and proxy servers. A variety of useful features meets the special needs of e-commerce sites, Internet service providers, and managers of large intranets. The system is highly configurable, and its web-based and command line configuration utilities allow for easy system set up and monitoring.
Adding a BIG/ip Controller to your network ensures that your network remains reliable. The BIG/ip Controller continually monitors the servers and other equipment it manages, and never attempts to send connections to servers that are down or too busy to handle the connection. The BIG/ip Controller uses a variety of methods to monitor equipment, from simple pings to more advanced methods, such as Extended Content Verification that verifies whether a server returns specific site content. The BIG/ip Controller also offers several layers of redundancy that ensure its own reliability.
The BIG/ip platform supports both TCP and UDP protocols, and also supports popular network services including:
- FTP (Active and Passive)
- Real Audio/TCP
Note that the BIG/ip Controller supports administrative protocols, such as Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) (outbound only), for performance monitoring and notification of system events. The BIG/ip Controller's SNMP agent allows you to monitor status and current traffic flow using popular network management tools, including the F5 Configuration utility. The SNMP agent provides useful data such as packets in and out per second, and current connections being handled for each virtual server. You may also want to take advantage of Telnet, FTP, and the F-Secure SSH client (distributed only in the US). The F-Secure SSH client provides a secure UNIX shell connection to the BIG/ip Controller from a remote workstation.
The BIG/ip Controller offers a variety of features that protect both the controller itself, and the network equipment that it manages. Each of the following features can help prevent potentially hostile attacks on your site or equipment.
- IP address protection
On its external network, the BIG/ip Controller does not expose the IP addresses of the servers that it manages. Instead, it offers firewall capabilities, translating addresses when servers connect to other hosts on the external network. You can set up either standard Network Address Translations (NATs) that allow both incoming and outgoing traffic, or you can set up Secure Network Address Translations (SNATs) that allow only outgoing traffic.
- Port lockdown
The BIG/ip Controller prevents clients from connecting to any port which you have not specifically opened for network traffic. This feature helps prevent a common attack where users try to gain access to the machine using one of the many ephemeral ports that do not host a well-known service.
- Controlled administrative connections
The BIG/ip Controller allows you to make direct administrative connections to the servers it manages, but it prevents direct connections to those servers by random clients, based on their IP address.
- IP address filtering
The IP filtering features allow you to specifically accept or deny connections received from particular IP addresses or ranges of IP addresses.
- Termination of inactive connections
The BIG/ip Controller automatically terminates connections that remain inactive for a period of time you specify, which prevents common denial of service attacks.
In addition to these features, BIG/ip Controllers distributed in the US support encrypted administrative connections using F-Secure SSH for shell connections, and SSL protocol for connections to the web-based configuration utility.
The BIG/ip Controller is a highly scalable and versatile solution. You can actually configure a single BIG/ip Controller to manage up to 10,000 virtual servers, though most common configurations are significantly smaller. The number of servers, firewalls, or routers that a single BIG/ip Controller can load balance is limited only by the capacity of your network media, such as Ethernet. The BIG/ip Controller supports a variety of media options, including Fast Ethernet, Gigabit Ethernet, and FDDI. The maximum number of concurrent connections that a BIG/ip Controller can manage is determined by the amount of RAM in your particular BIG/ip Controller hardware configuration.
The BIG/ip platform provides the following web-based and command line administrative tools that make for easy setup and configuration.
The First-Time Boot utility
The First-Time Boot utility is a wizard that walks you through the initial system set up. The utility helps you quickly define basic system settings, such as a root password and the IP addresses for the interfaces that connect the BIG/ip Controller to the network. The First-Time Boot utility also helps you configure access to the BIG/ip web server, which hosts the web-based F5 Configuration utility.
The F5 Configuration utility
The F5 Configuration utility is a web-based application that you use to configure and monitor the load balancing setup on the BIG/ip Controller. In the F5 Configuration utility, you can configure virtual servers, define IP and packet rate filters, and also configure system objects including the SNMP agent and system settings. The F5 Configuration utility allows you to monitor network traffic, current connections, and the operating system itself, and it also provides convenient access to downloads such as the SNMP MIB. The F5 Configuration utility requires Netscape Navigator or Microsoft Internet Explorer, version 4.0 or later.
The BIG/pipe and BIG/top command line utilities
The BIG/pipeTM utility is the command line counter-part to the F5 Configuration utility. Using BIG/pipe commands, you can configure virtual servers, open ports to network traffic, and configure a wide variety of features. To monitor the BIG/ip Controller, you can use certain BIG/pipe commands, or you can use the BIG/topTM utility, which provides real-time system monitoring. You can use the command line utilities directly on the BIG/ip Controller, or you can execute commands via a remote shell, such as the SSH client (US only), or a Telnet client.
The BIG/ip Controller offers seven different load balancing modes, including three static modes and four dynamic modes. A load balancing mode defines, in part, the logic that a BIG/ip Controller uses to determine which server should receive a particular connection on a specific port.
Static load balancing
Static load balancing is based on pre-defined user settings, and does not take current performance into account. The BIG/ip Controller supports three static load balancing modes:
- Round Robin
Round Robin mode is a basic load balancing mode that distributes connections evenly across all ports, passing each new connection to the next port in line.
The Ratio mode distributes new connections across ports in proportion to a user-defined ratio. For example, if your array contained one new, high-speed server and two older servers, you could set the ratio so that the high-speed server receives twice as many connections as either of the two older servers.
The Priority mode distributes connections in round robin fashion to a specific groups of servers. It begins distributing new connections to the highest priority group. If all servers in that group should go down, it begins distributing connections to servers in the next higher priority group.
Dynamic load balancing
Dynamic load balancing modes use current performance information from each node to determine which node should receive each new connection. The different dynamic load balancing modes incorporate different performance factors:
- Least Connections
In Least Connections mode, the BIG/ip Controller sends each new connection to the node that currently hosts the fewest current connections.
In Fastest mode, the BIG/ip Controller sends each new connection to the node that has the best response time.
In Observed mode, the BIG/ip Controller sends each new connection to the node that has the highest performance rating, based on a combination of fewest connections and best response time.
Predictive mode factors in both performance ratings and performance improvement over time.
a name="1022006"> IP packet filtering and rate classes
The BIG/ip platform supports easy configuration of the BSD operating system method of IP packet filtering. IP packet filtering allows you to control both in-bound and out-bound network traffic. For example, you can specify a single IP address, or a range of IP addresses, from which your site either accepts or denies network traffic. You can also specify one or more IP addresses to which you specifically want to allow or prevent out-bound connections.
The BIG/ip platform also supports rate classes, which are an extension to IP filters. A rate class defines a maximum outgoing packet rate (bits per second) for connections that are destined for a specific IP address or from a range of IP addresses. You can use rate classes to help control the amount and flow of specific network traffic. For example, you can offer faster connection speeds for high priority connections, such as paying customers on an e-commerce site.
Some e-commerce and other dynamic content sites occasionally require returning users to go the same server that hosted their last connection, rather than being load balanced to a random server. For example, if a customer reserves an airline ticket and holds it for 24 hours, the customer may need to return to a specific back-end server that stores the reservation information in order to purchase the ticket.
The BIG/ip Controller offers a variety of sophisticated persistence options that support this functionality. In addition to simple persistence and standard SSL persistence, the BIG/ip Controller supports cookie persistence. Cookie persistence is a unique implementation where the BIG/ip Controller stores persistence connection information in a cookie on the client, rather than in a table in its own memory. When the client returns and makes a persistence connection request, the BIG/ip Controller uses the information in the cookie to determine which back-end server should host the client connection.
The BIG/ip Controller supports other useful persistence options, including simple persistence for TCP and UDP (which bases connection information on source and destination IP address) and SSL persistence (which bases connection information on an SSL session ID).
The BIG/ip Controller platform offers three different systems, each of which can be stand-alone, or can run in redundant pairs:
- The BIG/ip LB Controller
The BIG/ip LB Controller provides basic load balancing features. Note that the BIG/ip LB Controller does not support all of the features documented in this guide. For a comprehensive list of the features that it does support, refer to the Quick Guide to the BIG/ip LB Controller, provided with your BIG/ip LB Controller product package.
- The BIG/ip HA Controller
In addition to the basic load balancing features supported on the BIG/ip LB Controller, the BIG/ip HA Controller supports advanced features, such as Extended Content Verification, and also supports high-end security for administrative shell connections. BIG/ip HA Controllers distributed in the US also support encrypted administrative connections using SSH for shell connections and SSL for connections to the web-based F5 Configuration utility.
- The BIG/ip HA+ Controller
The BIG/ip HA+ Controller supports the same features as the BIG/ip HA Controller, but it offers high-end hardware for high traffic sites.
Note: BIG/ip Controllers distributed outside of the United States, regardless of system type, do not support encrypted communications. They do not include the F-Secure SSH client, nor do they support SSL connections to the BIG/ip web server. Instead, you can use the standard Telnet, FTP, and HTTP protocols to connect to the unit and perform administrative functions.
In addition to this administrator guide, you can find technical documentation about the BIG/ip Controller in the following locations:
- Release notes
The release note for the current version of the BIG/ip Controller is available on the BIG/ip web server. The release note contains the latest information for the current version, including a list of new features and enhancements, a list of fixes, and, in some cases, a list of known issues.
- Online help for BIG/ip Controller features
You can find help online in three different locations:
- The BIG/ip web server has a PDF version of this administrator guide. Note that some BIG/ip Controller upgrades replace the online administrator guide with an updated version of the guide.
- The web-based F5 Configuration utility has online help for each screen. Simply click the Help button in the toolbar.
- Individual BIG/pipe commands have online help, including command syntax and examples, in standard UNIX man page format. Simply type the command followed by the question mark option (-?), and the BIG/ip Controller displays the syntax and usage associated with the command.
- Third-party documentation for software add-ons
The BIG/ip web server contains online documentation for all third-party software included with the BIG/ip Controller, such as GateD.
- Technical support via the World Wide Web
The F5 Networks Technical Support web site, http://tech.F5.com, provides the latest technical notes, answers to frequently asked questions, and updates for administrator guides (in PDF format). To access this site, you need to obtain a customer ID and a password from the F5 Help Desk.
The BIG/ip platform offers the following major new features in version 2.1, in addition to smaller enhancements such as support for VLAN trunks.
Redundant BIG/ip Controller systems support three new important features: connection mirroring, network fail-over, and gateway fail-safe.
Connection and persistence mirroring
Connection and persistence mirroring allow the standby unit in a redundant system to maintain the information necessary to sustain the connections and persistence information currently running through the active unit. If the active unit fails and the standby unit takes over, it handles the current connections or persistence information immediately, and allows them to continue virtually uninterrupted. This is particularly useful if your site handles FTP, Telnet, Chat, or other long-lived connections, that are especially sensitive to interruption.
Fail-over configuration options
The BIG/ip Controller now offers two types of redundant system configurations:
- Hardware fail-over
Hardware fail-over is the standard fail-over configuration that has been supported on the BIG/ip Controller for the past several versions. In a hardware fail-over configuration, the two BIG/ip Controller units in the system are connected directly by a fail-over cable. This provides the highest level of reliability, because it does not depend on any network equipment to get the important fail-over data from one unit to the other.
- Network fail-over
Network fail-over is a new configuration option that allows you to set up two individual BIG/ip Controllers as a redundant system, without having a direct hardwired connection between the two units. Instead, the units transfer the fail-over data via the network. This option works well in many situations, but does not provide as much reliability as the hardware fail-over setup. You may actually want to consider using this option to provide an additional layer of fail-over redundancy in a system that is currently configured for hardware fail-over.
Gateway fail-safe is a new feature for redundant systems that simply provides one more checkpoint that can trigger a fail-over. You generally want to implement gateway fail-safe if your BIG/ip Controller uses two different gateways to connect each unit in the redundant system to the Internet. If the primary gateway fails, the second BIG/ip Controller can still connect to the Internet through the second gateway. Gateway fail-safe uses ICMP echo requests to verify that a particular gateway is up and running.
The BIG/ip Controller offers several new options for persistence, including a unique persistence that stores persistent connection information in an HTTP cookie on a client's own workstation.
Cookie persistence is an important new feature unique to the BIG/ip Controller. Cookie persistence allows persistent connection information to be stored in an HTTP cookie on the client's machine, rather than in a table on the BIG/ip Controller. Web servers may store client information independently, rather than storing it in location available to all web servers in an array. Thus, even though a returning client may have information stored in a cookie, the server to which the client connects may not have the corresponding information needed to process the cookie. In this case, the client needs to return to the same server that stores the information needed to process the cookie, and the BIG/ip Controller now allows for that. Using cookie persistence offers you the advantage of reducing the amount of storage space taken up on the BIG/ip Controller.
Destination address affinity
This feature provides a special type of persistence that is especially useful for cache servers. Similar to simple persistence, destination address affinity keeps track of incoming clients' source and destination IP addresses. When a client is looking to make a repeat connection to a particular destination IP address, the BIG/ip Controller directs the client to the same cache server or other transparent node that it previously used. Forcing clients to repeatedly use the same cache server can help you reduce the amount of content that might otherwise be duplicated on two or more cache servers in your network.
You can now configure simple persistence for each individual virtual server. (In previous versions, you could configure simple persistence only for ports; any virtual server that used a specific port would inherit that port's persistence settings.)
Simple persistence for a virtual server provides a new persist mask feature. The persist mask defines a range of IP addresses that can be matched to a persistent connection. Any client whose source IP address falls within the range is considered a match for the given persistence entry.
Secure Network Address Translation (SNAT) is a new feature that gives the BIG/ip Controller additional firewall functionality. You can define a SNAT IP address that acts as the source IP address for one or more clients on the BIG/ip Controller's internal interface looking to connect to hosts on the BIG/ip Controller's external interface. SNAT IP addresses are very secure because they cannot accept incoming connections from clients on the BIG/ip Controller's external network.
All BIG/ip Controller products now support having more than two interface cards. You can enhance the reliability of a BIG/ip Controller by installing redundant interface cards for each network that the BIG/ip Controller connects to. The separate interface cards can connect through different routers or gateways to the same network, allowing for more than one available network path.
You can now use wildcard ports both in standard virtual servers and in wildcard virtual servers. A virtual server defined with a wildcard port inherently accepts any type of traffic. Accordingly, the nodes that are members of that virtual server must also use wildcard ports.
You can now set up ECV service checks for transparent nodes. These checks are used to determine if tranparent nodes are operating. This is done by routing the ECV service check through the transparent node to a configurable destination beyond the transparent node.
The BIG/ip Controller now supports IEEE 802.1q VLAN tags. You can define a VLAN tag for the IP address, the shared IP alias in a redundant system, and any IP addresses on the BIG/ip Controller's internal interface. Note however, that if you use a VLAN tag for any one of these addresses, you must use VLAN tags for all of the IP addresses defined for the BIG/ip Controller itself (excluding IP addresses used for virtual servers, nodes, NATs, and SNATs).
The F5 Configuration utility
The web-based F5 Configuration utility now supports multiple-user access, which allows you to define three security levels for users: full read-write, partial read-write, and read-only. The Config utility also supports all of the new features in version 2.1. In addition to several new screens, some existing screens have been reorganized to accommodate new settings. For a review of each particular screen, click the Help button in the toolbar.
BIG/pipe command line utility
The BIG/pipe® command line utility has been updated and streamlined. In addition to new commands for new features, certain existing commands support new syntax to make for more efficient configuration.
System control variables
There are new system control variables, and the default settings for some existing system control variables have changed in certain cases. To view a description of the system control variables used by BIG/ip Controllers, refer to Appendix C, BIG/ip System Control Variables.
The SNMP MIB
The BIG/ip Controller includes an updated SNMP MIB that supports the new features, as well as enhanced support for existing features.
The most common application of the BIG/ip Controller is to distribute traffic across an array of web servers that host standard web traffic, including e-commerce traffic. However, a BIG/ip Controller can also control traffic distribution for other types of servers, such as cache servers, proxy servers, firewalls, and even routers.
The following sections provide you with two basic configuration examples that can help you plan your installation. These examples can also help you understand how people use some of the most popular BIG/ip Controller features to resolve specific issues or to enhance network performance in general.
First, we start with a basic configuration where a BIG/ip Controller load balances two sites: www.MySite.com and store.MySite.com. The www.MySite.com site provides standard web content, and the store.MySite.com site is the e-commerce site that sells items to www.MySite.com customers. In this scenario, the BIG/ip Controller provides simple load balancing for both sites.
Setting up the topology
To set up load balancing for these sites, you need to create two virtual servers, one for each site. Even though the sites are related and they may even share the same IP address, each requires its own virtual server because it uses a different port to support its particular protocol: port 80 for the HTTP traffic going to www.MySite.com, and port 443 for the SSL traffic going to store.MySite.com.
Figure 1.1 shows the topology for the sample configuration. Each site uses two of the three web servers to host its content. Both sites happen to share Server 2.
Note: Note that in this example, as in all examples in this guide, we use only non-routable IP addresses. In a real topology, the virtual server IP addresses would have to be routable on the Internet.
The virtual servers that you define always include three basic elements:
- virtual IP address
This is the IP address that is registered with DNS and associated with your site's domain name. In our example, both www.MySite.com and store.MySite.com use the same IP address: 192.168.200.10. Both domain names would presumably have to be registered with DNS to resolve to that IP address.
The port that hosts the specific service supported by your site. In our example, we have two different sites that support two different ports: port 80 and port 443.
- Servers that host your site
The list of physical servers that actually host your site connections. For a given server, you list each IP address and port number pair, referred to as a node, that the server handles. Even though our example above only includes three servers, it actually has four nodes:
- Server 1 hosts only one node: 192.168.100.1:80.
- Server 2 hosts two nodes, one for each service it supports: 192.168.100.2:80 and 192.168.100.2:443.
- Server 3 hosts only one node: 192.168.100.3:443.
The BIG/ip Controller distributes connections among the three servers according to a user-specified load balancing mode. The most common mode is Round Robin, which simply distributes each new connection to the next server in line, eventually distributing the connections equally among all the servers.
Using additional features
In this type of configuration, you might want to take advantage of the following BIG/ip Controller features:
- Extended Content Verification
Verifies that the web servers are not only up and running, but also able to send valid content to clients. For example, you could use Extended Content Verification to make sure that www.MySite.com returns its home page rather than an HTTP 404 error.
Allows returning e-commerce customers to bypass load balancing and connect to the original back-end server that may contain user-specific information. In our example, store.MySite.com may allow users to fill a shopping cart, disconnect from the site, and then return up to 24 hours later to purchase the items. When the user returns to purchase the items, the user may need to go to the same back-end server, depending on how the e-commerce site is set up.
- Network Address Translation
Allows you to make direct administrative connections to the web servers through the BIG/ip Controller. If your administrative workstation is on the network connected to the BIG/ip Controller's external interface, and administrative workstations frequently are, this feature is essential.
- Secure Network Address Translation (SNAT)
Allows you to make map internally routable IP addresses to an externally routable IP address. SNATs do not allow incoming connections.
The next example is a configuration that might be found in a large corporate intranet. In this scenario, the BIG/ip Controller performs load balancing for two different types of connection requests:
- Connections to the company's intranet web site
The load balancing for the company's intranet web site is similar to basic Internet web site load balancing. The BIG/ip Controller simply load balances the two web servers that host the company intranet web site.
- Connections to hosts on the Internet
In this example, the BIG/ip Controller provides load balancing for connections bound for the Internet. However, the example shows a somewhat sophisticated setup where the BIG/ip Controller actually intercepts HTTP traffic and directs it to a special cache server. Only clients using protocols other than HTTP, such as FTP or SMTP email, get load balanced to one of the two firewalls that lead to the Internet. This greatly reduces the number of concurrent connections that the firewalls have to maintain. Clients looking to retrieve web content get the content from the cache server itself, instead of the actual web site host. If the cache server does not have the content that the client is looking for, the cache server retrieves the content from the real web site on behalf of the client and then forwards it to the client.
Setting up the topology
To set up load balancing for this intranet example, you need to create three virtual servers: one that handles load balancing for the internal corporate web site, one that directs outbound HTTP traffic to the cache server, and one that handles load balancing for the firewalls.
Figure 1.2 shows the topology for the sample configuration. A standard virtual server handles the load balancing for the corporate intranet web site, Corporate.main.net. Wildcard Virtual Server 1 takes all of the outbound HTTP traffic and directs it to the cache server. Wildcard Virtual Server 2 handles all of the remaining traffic that actually has to go out to the Internet.
The wildcard virtual servers are a special type of virtual server, which accept traffic going to IP addresses unknown to the BIG/ip Controller, as all outside Internet addresses would be. When the BIG/ip Controller receives a connection request, it immediately tries to match the requested IP address to one of its virtual server IP addresses. If it cannot find a match among the standard virtual servers that it manages, it then looks for a wildcard virtual server. Wildcard virtual servers provide the default IP address of 0.0.0.0 that the BIG/ip Controller can use as a sort of catch-all IP address match.
There are actually two types of wildcard virtual servers, and this example takes advantage of both:
- Port-specific wildcard virtual servers
A port-specific wildcard virtual server uses the default IP address, but it has a specific port number, and it only handles traffic associated with that port number. In our example above, the port-specific wildcard virtual server captures all outbound traffic that uses port 80 and directs it to the cache server.
- Default wildcard virtual servers
A default wildcard virtual server is one that uses only port 0. Port 0, like the 0.0.0.0 IP address, is a catch-all match for outgoing traffic that does not match any standard virtual server or any port-specific wildcard virtual server. Default wildcard virtual servers typically handle traffic only for firewalls or routers. In our example above, the default wildcard virtual server load balances the intranet's firewalls that connect to the Internet.
Using additional features
In this type of configuration, you might want to take advantage of the following BIG/ip Controller features:
- State mirroring
This feature is available only for redundant BIG/ip Controller systems, and it greatly enhances the reliability of your network. A redundant system runs two BIG/ip Controllers at the same time. One unit actively handles all connection requests, and the other unit acts as a standby that immediately takes over if the active unit fails and reboots. The state mirroring feature allows the standby unit to maintain all of the current connection and persistence information. If the active unit fails and the standby unit takes over, all connections continue, virtually uninterrupted. This is especially useful for long-lived connections, such as FTP connections which would otherwise have to re-establish an entire transfer session.
- Destination address affinity
Allows the BIG/ip Controller to cache content on specified cache servers. This avoids caching the same content on multiple cache servers. Because the above example includes only one cache server, you would not actually implement this feature in that example. However, the destination address affinity feature is very useful for users who work with multiple cache servers in a similar intranet scenario. It allows the BIG/ip Controller to cache information on a specified server. Caching specific information on the same cache server saves disk space on your cache servers.
- IP address filtering
Allows you to deny connections going to or coming from specific IP addresses. This feature is useful if you are experiencing denial of service attacks from hostile sources. You can set up an IP filter to ignore traffic coming in from the hostile IP address.