Applies To:Show Versions
BIG-IP versions 1.x - 4.x
- 3.0 PTF-04, 3.0 PTF-03, 3.0 PTF-02, 3.0 PTF-01, 3.0.0
Introduction to the BIG/ip Controller Administrator Guide
- Welcome to the BIG/ip Controller Administrator Guide
- BIG/ip Controller specifications
- Finding help and technical support resources
- What's new in version 3.0
Welcome to the BIG/ip Controller Administrator Guide
Welcome to the BIG/ip® Controller Administrator Guide. This guide describes the advanced features included in the BIG/ip Controller. The Administrator guide also includes the software specifications for the BIG/ip Controller platform and reviews some sample configurations that can help you in planning your own configuration. This book is a part of a series of three guides:
- BIG/ip Controller Getting Started Guide
Use this guide for hardware configuration and basic software configuration.
- BIG/ip Controller Administrator Guide
Use this guide for advanced software configuration and administration of the BIG/ip Controller.
- BIG/ip Controller Reference Guide
Use this guide for reference information including the BIG/pipe command line commands, BIG/ip configuration utilities, and system utilities.
BIG/ip Controller specifications
The BIG/ip Controller is a network appliance that manages and balances traffic for networking equipment such as web servers, cache servers, routers, firewalls, and proxy servers. A variety of useful features meets the special needs of e-commerce sites, Internet service providers, and managers of large intranets. The system is highly configurable, and its web-based and command line configuration utilities allow for easy system set up and monitoring.
Adding a BIG/ip Controller to your network ensures that your network remains reliable. The BIG/ip Controller continually monitors the servers and other equipment it manages, and never attempts to send connections to servers that are down or too busy to handle the connection. The BIG/ip Controller uses a variety of methods to monitor equipment, from simple pings to more advanced methods, such as Extended Content Verification that verifies whether a server returns specific site content. The BIG/ip Controller also offers several layers of redundancy that ensure its own reliability.
Internet protocol and network management support
The BIG/ip platform supports both TCP and UDP protocols, and also supports popular network services including:
- FTP (Active and Passive)
- Real Audio/TCP
The BIG/ip Controller supports administrative protocols, such as Simple Network Management Protocol (SNMP) and Simple Mail Transfer Protocol (SMTP) (outbound only), for performance monitoring and notification of system events. The BIG/ip Controller's SNMP agent allows you to monitor status and current traffic flow using popular network management tools, including the F5 Configuration utility. The SNMP agent provides useful data such as packets in and out per second, and current connections being handled for each virtual server. You may also want to take advantage of Telnet, FTP, and the F-Secure SSH client (distributed only in the US). The F-Secure SSH client provides a secure UNIX shell connection to the BIG/ip Controller from a remote workstation.
The BIG/ip Controller offers a variety of security features that protect both the controller itself, and the network equipment that it manages. Each of the following features can help prevent potentially hostile attacks on your site or equipment.
- IP address protection
On its external network, the BIG/ip Controller does not expose the IP addresses of the servers that it manages unless you specifically configure it to do so. Instead, it offers firewall capabilities, translating addresses when servers connect to other hosts on the external network. You can set up either standard Network Address Translations (NATs) that allow both incoming and outgoing traffic, or you can set up Secure Network Address Translations (SNATs) that allow only outgoing connections.
- Port lockdown
The BIG/ip Controller prevents clients from connecting to any port which you have not specifically opened for network traffic. This feature helps prevent a common attack where users try to gain access to the machine using one of the many ephemeral ports that do not host a well-known service.
- Controlled administrative connections
The BIG/ip Controller allows you to make direct administrative connections to the servers it manages, but it prevents direct connections to those servers by random clients, based on their IP address.
- IP address filtering
The IP filtering features allow you to specifically accept or deny connections received from particular IP addresses or ranges of IP addresses.
- Termination of inactive connections
The BIG/ip Controller automatically terminates connections that remain inactive for a period of time you specify, which prevents common denial of service attacks.
In addition to these features, BIG/ip Controllers distributed in the US support encrypted administrative connections using F-Secure SSH for shell connections, and SSL protocol for connections to the web-based configuration utility.
The BIG/ip Controller is a highly scalable and versatile solution. You can actually configure a single BIG/ip Controller to manage thousands of virtual servers, though most common configurations are significantly smaller. The number of servers, firewalls, or routers that a single BIG/ip Controller can load balance is limited only by the capacity of your network media, such as Ethernet. The BIG/ip Controller supports a variety of media options, including Fast Ethernet, Gigabit Ethernet, and FDDI. The maximum number of concurrent connections that a BIG/ip Controller can manage is determined by the amount of RAM in your particular BIG/ip Controller hardware configuration.
Configuration and monitoring tools
The BIG/ip platform provides the following web-based and command line administrative tools that make for easy setup and configuration.
The First-Time Boot utility
The First-Time Boot utility is a wizard that walks you through the initial system set up. The utility helps you quickly define basic system settings, such as a root password and the IP addresses for the interfaces that connect the BIG/ip Controller to the network. The First-Time Boot utility also helps you configure access to the BIG/ip web server, which hosts the web-based F5 Configuration utility.
The F5 Configuration utility
The F5 Configuration utility is a web-based application that you use to configure and monitor the load balancing setup on the BIG/ip Controller. In the F5 Configuration utility, you can configure virtual servers, define IP and rate filters, and also configure system objects including the SNMP agent and system settings. The F5 Configuration utility allows you to monitor network traffic, current connections, and the operating system itself, and it also provides convenient access to downloads such as the SNMP MIB. The F5 Configuration utility requires Netscape Navigator version 4.06 or later, or Microsoft Internet Explorer version 4.0 or later.
The BIG/pipe and BIG/top command line utilities
The BIG/pipeTM utility is the command line counter-part to the F5 Configuration utility. Using BIG/pipe commands, you can configure virtual servers, open ports to network traffic, and configure a wide variety of features. To monitor the BIG/ip Controller, you can use certain BIG/pipe commands, or you can use the BIG/topTM utility, which provides real-time system monitoring. You can use the command line utilities directly on the BIG/ip Controller, or you can execute commands via a remote shell, such as the SSH client (US only), or a Telnet client.
Load balancing options
The BIG/ip Controller offers seven different load balancing modes, including three static modes and four dynamic modes. A load balancing mode defines, in part, the logic that a BIG/ip Controller uses to determine which server should receive a particular connection on a specific port.
Static load balancing
Static load balancing is based on pre-defined user settings, and does not take current performance into account. The BIG/ip Controller supports three static load balancing modes:
- Round Robin
Round Robin mode is a basic load balancing mode that distributes connections evenly across all server ports, passing each new connection to the next server port in line.
The Ratio mode distributes new connections across server ports in proportion to a user-defined ratio. For example, if your array contained one new, high-speed server and two older servers, you could set the ratio so that the high-speed server receives twice as many connections as either of the two older servers.
The Priority mode distributes connections in round robin fashion to a specific groups of servers. It begins distributing new connections to the highest priority group. If all servers in that group should go down, it begins distributing connections to servers in the next higher priority group.
Dynamic load balancing
Dynamic load balancing modes use current performance information from each node to determine which node should receive each new connection. The different dynamic load balancing modes incorporate different performance factors:
- Least Connections
In Least Connections mode, the BIG/ip Controller sends each new connection to the node that currently hosts the fewest current connections.
In Fastest mode, the BIG/ip Controller sends each new connection to the node that has the best response time.
In Observed mode, the BIG/ip Controller sends each new connection to the node that has the highest performance rating, based on a combination of fewest connections and best response time.
Predictive mode factors in both performance ratings and performance improvement over time.
IP packet filtering, rate classes, and rate filters
The BIG/ip platform supports easy configuration of IP packet filtering. IP packet filtering allows you to control both in-bound and out-bound network traffic. For example, you can specify a single IP address, or a range of IP addresses, from which your site either accepts or denies network traffic. You can also specify one or more IP addresses to which you specifically want to allow or prevent out-bound connections.
The BIG/ip platform also supports rate classes, which are an extension to IP filters. A rate class defines a maximum outgoing packet rate (bits per second) for connections that are destined for a specific IP address or from a range of IP addresses. You can use rate classes to help control the amount and flow of specific network traffic. For example, you can offer faster connection speeds for high priority connections, such as paying customers on an e-commerce site.
Configurable persistence for e-commerce and dynamic content sites
Some e-commerce and other dynamic content sites occasionally require returning users to go the same server that hosted their last connection, rather than being load balanced to a random server. For example, if a customer reserves an airline ticket and holds it for 24 hours, the customer may need to return to a specific back-end server that stores the reservation information in order to purchase the ticket.
The BIG/ip Controller offers a variety of sophisticated persistence options that support this functionality. In addition to simple persistence and standard SSL persistence, the BIG/ip Controller supports cookie persistence. Cookie persistence is a unique implementation where the BIG/ip Controller stores persistence connection information in a cookie on the client, rather than in a table in its own memory. When the client returns and makes a persistence connection request, the BIG/ip Controller uses the information in the cookie to determine which back-end server should host the client connection.
The BIG/ip Controller supports other useful persistence options, including simple persistence for TCP and UDP (which bases connection information on source and destination IP address) and SSL persistence (which bases connection information on an SSL session ID).
BIG/ip Controller platform options
The BIG/ip Controller platform offers three different systems, each of which can be stand-alone, or can run in redundant pairs:
- The BIG/ip LB Controller
The BIG/ip LB Controller provides basic load balancing features. Note that the BIG/ip LB Controller does not support all of the features documented in this guide.
- The BIG/ip HA Controller
In addition to the basic load balancing features supported on the BIG/ip LB Controller, the BIG/ip HA Controller supports advanced features, such as Extended Content Verification, and also supports high-end security for administrative shell connections. BIG/ip HA Controllers distributed in the US also support encrypted administrative connections using SSH for shell connections and SSL for connections to the web-based F5 Configuration utility.
- The BIG/ip HA+ Controller
The BIG/ip HA+ Controller supports the same features as the BIG/ip HA Controller, but it offers high-end hardware for high traffic sites.
Note: BIG/ip Controllers distributed outside of the United States, regardless of system type, do not support encrypted communications. They do not include the F-Secure SSH client, nor do they support SSL connections to the BIG/ip web server. Instead, you can use the standard Telnet, FTP, and HTTP protocols to connect to the unit and perform administrative functions.
Finding help and technical support resources
In addition to this administrator guide, you can find technical documentation about the BIG/ip Controller in the following locations:
- Release notes
The release note for the current version of the BIG/ip Controller is available on the BIG/ip web server. The release note contains the latest information for the current version, including a list of new features and enhancements, a list of fixes, and, in some cases, a list of known issues.
- Online help for BIG/ip Controller features
You can find help online in three different locations:
- The BIG/ip web server has a PDF version of this administrator guide. Note that some BIG/ip Controller upgrades replace the online administrator guide with an updated version of the guide.
- The web-based F5 Configuration utility has online help for each screen. Simply click the Help button in the toolbar.
- Individual BIG/pipe commands have online help, including command syntax and examples, in standard UNIX man page format. Simply type the command followed by the question mark option (-?), and the BIG/ip Controller displays the syntax and usage associated with the command.
- Third-party documentation for software add-ons
The BIG/ip web server contains online documentation for all third-party software included with the BIG/ip Controller, such as GateD.
- Technical support via the World Wide Web
The F5 Networks Technical Support web site, http://tech.F5.com, provides the latest technical notes, answers to frequently asked questions, and updates for administrator guides (in PDF format). To access this site, you need to obtain a customer ID and a password from the F5 Help Desk.
What's new in version 3.0
The BIG/ip platform offers the following major new features in version 3.0, in addition to many smaller enhancements.
Active-active redundant controllers
BIG/ip Controller version 3.0 supports a new active-active redundant system where both controllers actively handle connections.
The active-active redundant controller feature allows both controllers to simultaneously manage traffic for different virtual addresses. This option allows you to take advantage of the throughput of both controllers simultaneously. In the event of a failure on one of the controllers, the remaining active controller assumes the virtual servers of the failed machine.
Intelligent traffic control (ITC)
Intelligent traffic control (ITC) is a set of flexible features that increase the level of service and control over Internet traffic. In these features is the ability to identify specific traffic, based on HTTP request data (URLs, HTTP version, HTTP host field), cookies, or client source address and send that traffic to a specific set of servers or devices that can best service the request. These features let you allocate server resources based on the type of application or content requested most.
More flexible load balancing using pools and members
BIG/ip Controller version 3.0 increases load balancing flexibility by introducing the load balancing pool. A load balancing pool is a group of nodes, or other network devices, that are mapped to corresponding virtual server.
In previous versions of the BIG/ip Controller, the commands used to create a virtual server with a node list resulted in a directly associated, node list "pool" with identical function. You can still create node list style virtual servers in this version of the BIG/ip Controller. However, pools are more configurable than node lists. Pools may be configured independently and associated with virtual servers in complex ways.
Selecting a load balancing pool using a rule
With BIG/ip Controller version 3.0, you can create virtual servers indirectly associated with multiple load balancing pools by directly referencing a rule which, in turn, can reference one or more load balancing pools. In other words, you can use a rule to select a pool for a virtual server. When a request that is destined for a virtual server that does not match a current connection, the BIG/ip Controller can select a pool by evaluating a virtual server rule to pick a node pool.
You can create rules that load balance connections based on the client IP address or on the HTTP header information.
- Client IP address load balancing
For client IP address load balancing, you can create a rule that selects a pool for a connection based on the source IP address of the packet.
- HTTP header load balancing
For HTTP header load balancing, you can create a rule that selects a pool for a connection based on different HTTP header values such as: method, uri, version, host, and cookie.
The versatile interfaces features provide the ability to change the security settings of any BIG/ip Controller interface, and to independently enable translation of the source or destination address of IP packets passing through the interface. The virtual interfaces features phase out the concept of internal and external interfaces. With these features, you can configure a single interface with the source processing attributes of an "internal" interface, and destination processing properties of an "external" interface.
Source and destination processing
The versatile interfaces features provide the ability to change both the source address or destination address and/or route of an IP packet on a BIG/ip Controller interface. The ability to change the source or destination can be turned on independently for each interface. In practical terms, this means that you can configure an interface to handle traffic going to virtual servers and, independently, you can configure the interface to handle traffic going out from nodes. So, you can have virtual servers and nodes on each interface you have installed in the BIG/ip Controller. This allows the most flexible processing of packets by the BIG/ip Controller. When either the source or destination processing feature is turned off on an interface, the result is a gain in performance. In this way, you can optimize BIG/ip Controller performance with no additional effort.
An additional feature of versatile interfaces is the ability to control access to the BIG/ip Controller on any interface. In previous versions of the BIG/ip Controller, the external interface was always in a locked down state, and the internal interface was open. In BIG/ip Controller version 3.0, any interface may be in either a locked down or open state. When an interface is locked down, only the ports essential to the configuration and operation of the BIG/ip Controller and 3DNS Controller are open. When an interface is open, all connections are allowed to and from the BIG/ip Controller through that interface.
The per-connection routing option is now available for virtual servers. In situations where the BIG/ip Controller is accepting connections for virtual servers from more than one gateway, you can send the return data back through the same device from which the connection originated. Use this option to spread the load among outbound routers, or to ensure that connections go through the same device if that device is connection-oriented, such as a proxy, cache, firewall, or VPN router. You can do this by defining a pool that contains the list of gateways from which the connections are received, and then associating the pool with a virtual server using the lasthop keyword.
Secure forwarding virtual servers
You can now create a forwarding virtual server in BIG/ip Controller, version 3.0. A forwarding virtual server is a type of virtual server that simply forwards all traffic to the specific node or network specified in the virtual IP address. It has no associated nodes. A forwarding virtual server has the added benefit of keeping statistics for the amount of forwarded traffic, and does not perform load balancing.
Transparent virtual servers
You can now create a transparent virtual server in BIG/ip Controller, version 3.0. The new translate keyword allows you to turn off address translation for any virtual server. This simplifies and generalizes the Transparent Node mode and bonfire mode from previous versions of the BIG/ip Controller that were used to load balance transparent devices. This can also be useful when the BIG/ip Controller is load balancing devices that have the same IP address. This is typical with the nPath routing configuration where duplicate IP addresses are configured on the loopback device of several servers. You can control whether address translation is enabled for a virtual server using the translate keyword. Address translation is enabled by default. You can enable or disable address translation for any valid address.
Virtual server port translation
A new attribute has been added to virtual servers to control whether port translation is enabled for a Virtual Server. Port translation is turned on by default. An exception to this is if the port defined for a member is port zero. Members with a zero port cannot do translation because zero is not a valid port. You can control whether port translation is enabled for a virtual server using the translate keyword. Port translation is enabled by default. You can enable or disable port translation for any valid port.
Reset connections on service down
You can configure individual virtual servers so that the BIG/ip Controller sends connection resets to the end points of TCP connections when the controller determines that the service they are using has gone down. This feature is currently only used in conjunction with service checking. Node pings that time out do not cause connection resets to be sent. Only TCP connections receive the resets. UDP connections are not reset because there is no shutdown mechanism for UDP connections.
Cookie persistence hash mode
The BIG/ip Controller offers a new HTTP cookie persistence hash mode. The hash mode for cookie persistence is a new feature available with this release of the BIG/ip Controller. The hash mode allows you to specify a certain number of bytes in a cookie to determine the destination of the connection. Cookie hash mode is used to map a cookie value to a node. This mode is then used to persistently connect clients presenting cookies to a given node.
Enhancements to configuration and monitoring tools
The F5 Configuration utility
The F5 Configuration utility supports all of the new features in version 3.0. In addition to several new screens, some existing screens have been reorganized to accommodate new settings. For a review of each particular screen, click the Help button in the toolbar. In addition to these changes, we made the following improvements:
- The port on the virtual server is now automatically opened when you define virtual servers.
- There is quicker navigation to Global Virtual Ports and Global Node Ports from the left-hand navigation pane.
- We have updated the Virtual Server and SNAT creation step, which assembles groups of nodes through interactive list editors.
- We have improved the high-level listing of objects including Virtual Servers, Global Virtual Ports, Nodes, and Global Node Ports. The new lists present more summary information for each list item. Also, items in the high-level lists that are themselves lists (like the nodes associated with a Virtual Server in a default pool), which means the you can navigate to one of the items on that list by clicking the list and choosing a particular item.
- Now there is a separate extended service check category on ECV/EAV property pages for Simple service check. That category was previously part of the ECV select box menu.
- You can now configure multiple trap communities and trap sinks for SNMP using the new lists editors.
- The load balancing options for node list virtual servers have moved from the BIG/ip System Properties Page to the Virtual Servers List page.
- The network interface card properties page is improved to show shared IP addresses. This page also has new navigation options for VLAN tag information.
BIG/pipe command line utility
The BIG/pipe® command line utility has been updated and streamlined. In addition to new commands for new features, certain existing commands support new syntax to make for more efficient configuration.
System control variables
There are new system control variables, and the default settings for some existing system control variables have changed in certain cases. To view a description of the system control variables used by BIG/ip Controllers, refer to the BIG/ip Controller Reference Guide, BIG/ip System Control Variables.
The SNMP MIB
The BIG/ip Controller includes an updated SNMP MIB that supports the new features, as well as enhanced support for existing features.