Manual Chapter : TurboFlex Profiles Overview

Applies To:

BIG-IP AFM

  • 13.1.1, 13.1.0

BIG-IP APM

  • 13.1.1, 13.1.0

BIG-IP LTM

  • 13.1.1, 13.1.0

About TurboFlex Profiles

TurboFlex Profiles are groupings of hardware-accelerated (FPGA) features that are associated with a specific use case. TurboFlex Profiles are dependent on module licensing. Platforms running a standard license (x600) support only the Base Profile. Platforms running a high performance license (x800) support all profiles.

Note: Changing the provisioning on your system might cause your system to restart.

These profiles are currently available:

Base (turboflex-base)
The basic profile requires that you provision any module that is licensed with your standard license (x600).
ADC (turboflex-adc)
The Application Delivery Controller (ADC) profile provides the hardware acceleration features that are normally associated with the ADC use cases. To enable this profile, provision the LTM module.
Security (turboflex-security)
The Security profile provides the hardware acceleration features that are normally associated with the security use cases. To enable this profile, provision the AFM® or APM® modules.
Private Cloud (turboflex-private-cloud)
The Private Cloud (PC) profile provides the hardware acceleration features that are normally associated with the PC use cases. To enable this profile, provision the LTM module.
Low Latency FIX (turboflex-low-latency) - Early Access Only
The Low Latency FIX profile provides the hardware acceleration features that are normally associated with the FIX use case. For more information about this profile, contact F5 Support.

About FPGA features

These FPGA features are currently available:

Q-in-Q tunneling
Q-in-Q tunneling is a private cloud feature that uses a double VLAN header, which dramatically increases the VLAN address space and provides a layer of security by obscuring the inner VLAN header.
ePVA - TCP IPv4
Embedded Packet Velocity Acceleration (ePVA) is a feature that provides a wire speed L4 TCP proxy for IPv4 addresses. This function offloads the L4 TCP proxy functions from the CPU.
Per virtual server SYN cookies
The per virtual server SYN cookie feature protects the system, on a virtual server basis, from SYN flood attacks and enables the BIG-IP® system to maintain connections when the SYN queue begins to fill up during an attack. The FPGA implementation offloads the effort from the CPU.
NVGRE, VXLAN, Ether-IP and IP in IP tunneling
This feature makes the handling of these tunneling methods more efficient by more effectively handling the entire (inner and outer header) checksums, and adding support in HSBs to disaggregate on inner headers. This implementation offloads some of the CPU load associated with termination, de-termination, and internal switching of the tunnels within the BIG-IP system.
ePVA - UDP
See ePVA - TCP IPv4. This feature adds wire speed L4 UDP proxy for UDP packets.
ePVA - TCP IPv6
See ePVA - TCP IPv4. This feature adds wire speed L4 proxy (UDP and TCP) with IPv6 IP address support.
Basic DoS Vectors
This is a package of approximately 80 DDoS Volumetric and Protocol Compliance vectors, not including DNS and SIP vectors.
Advanced DoS vectors - SIP/DNS
This feature completes the package of a total of 100 DDoS Volumetric and Protocol Compliance vectors, including DNS and SIP vectors.
Per client white/gray/black listing
White lists and Black lists provide the ability to accept a user-provided set of IP-based addresses and use them as filters for IP addresses, either globally or within a specific route domain or virtual server. When implemented in FPGAs, this provides wire-speed lists and offloads the CPU.
Multiple Vector Lookups (multi-layer attack mitigation)
This feature makes it possible to separate vectors into ISO layers and to support multiple hardware DoS rules per packet.
Custom DOS Signatures in Hardware (Behavioral DOS)
This feature enables dynamically programmable hardware signatures. Only ISO L3 and L4 are supported currently.
Guaranteed FIX Low Latency (FIX-LL)
FIX is a protocol used by the financial industry, where any delay of information transmission is critical. This feature uses the FPGAs, Neuron, and flow cache entries to guarantee population in the hardware flow cache tables, minimizing latency and jitter. TCP resets are a problem for the high speed TCP stacks used in high frequency trading servers, and this implementation reduces the probability of a TCP reset to almost zero. The first 10,000 flows are managed by the Neuron, and there are no TCP resets. Testing indicates that the probability of TCP reset is almost zero in the 100,000 range. This profile provides low latency and very low jitter for TCP streams, providing equal and fair delay to all flows.
Security Analytics: DDoS/sPVA dropped packets info and reroute
This feature provides visibility and re-routing of traffic that is dropped by AFM. It includes global DoS, sPVA DoS, sPVA blacklist and graylist, Neuron blacklist, and ePVA Duplicate SYN drops. This feature also includes two debug re-route modes: Re-Route All packets or Re-Route packets on a specific flow.
Global SYN Cookies
This feature provides a single control for protecting the box from all SYN attacks. It includes VLAN based thresholds and a global threshold for resulting actions.
Virtual Wire
Virtual Wire, also known as Transparent L4 forwarding, forwards VLANs through the BIG-IP system through the FPGAs without changing the VLAN headers in the ePVA.

Profiles and features available on i2000/i4000 Series platforms

The i2000/i4000 Series platforms include support for these profiles and features.

| Feature | Base profile | ADC profile | Private cloud profile | Security profile |
| --- | --- | --- | --- | --- |
| Q in Q tunneling | X | X | X | X |
| NVGRE, VXLAN, Ether-IP, and IPinIP tunneling | X | X | X | X |
| Basic DoS vectors | | | | X |
| Advanced DoS vectors - SIP/DNS | | | | X |
| Per client white/gray/black listing | | | | X (i4800 only) |
| Multiple vector lookups (multi-layer attack mitigation) | | | | X |
| Custom DoS signatures in hardware (behavioral DoS) | | | | X |
| Global SYN cookies | | X | X | X |

Profiles and features available on i5000/i7000/i10000/i11000 Series platforms

The i5000/i7000/i10000/i11000 Series platforms include support for these profiles and features.

| Feature | Base profile | ADC profile | Private cloud profile | Security profile | Low Latency FIX profile |
| --- | --- | --- | --- | --- | --- |
| Q in Q tunneling | X | X | X | X | X |
| ePVA - TCP IPv4 | | X | X | X | X |
| Per virtual server SYN cookies | | X | X | X | X |
| NVGRE, VXLAN, Ether-IP, and IPinIP tunneling | X | X | X | X | X |
| ePVA - UDP | | X | X | X | X |
| ePVA - TCP IPv6 | | X | X | X | X |
| Basic DoS vectors | | X | X | X | X |
| Advanced DoS vectors - SIP/DNS | | | | X | |
| Per client white/gray/black listing | | | | X | |
| Multiple vector lookups (multi-layer attack mitigation) | | | | X | |
| Custom DoS signatures in hardware (behavioral DoS) | | | | X | |
| Guaranteed FIX low latency (FIX-LL) | | | | | X |
| Security Analytics - DDoS/sPVA dropped packets | | | | X | |
| Global SYN cookies | | X | X | X | |
| Virtual wire | | | | X | |

About managing TurboFlex Profiles using tmsh

You can use the TMOS Shell (tmsh) to manage your TurboFlex Profiles for your system.

View all TurboFlex Profile information using tmsh

You can use tmsh to see information about all TurboFlex Profiles, including the profile that is currently active on your system.
  1. Open the Traffic Management Shell (tmsh).
    tmsh
  2. Change to the system module.
    sys
    The system prompt updates with the module name: user@bigip01(Active)(/Common)(tmos.sys)#
  3. View the currently active profile.
    show turboflex profile
    This is an example of the output that you might see when you run this command:
                                  
    ---------------------------------------
    Sys::Active Turboflex
    ---------------------------------------
    Current Profile:       turboflex-adc
    
    Active Features:       epva-tcpipv4
                           epva-syncookie
                           basic-tunneling
                           epva-udp
                           epva-ipv6
                           global-syncookie
                           adv-tunneling
    
    ================================================================================
    Sys::FPGA Turboflex Profiles:
    ================================================================================
    PROFILE                     FEATURES
    --------------------------------------------------------------------------------
    turboflex-adc               epva-tcpipv4 epva-syncookie basic-tunneling epva-udp epva-ipv6 global-syncookie adv-tunneling
    turboflex-base              epva-tcpipv4 epva-syncookie basic-tunneling adv-tunneling
    turboflex-dns               epva-tcpipv4 basic-tunneling epva-udp epva-ipv6 fpga-dns
    turboflex-low-latency       epva-tcpipv4 epva-syncookie basic-tunneling epva-udp epva-ipv6 adv-tunneling hw-latency-dedicate
    turboflex-private-cloud     epva-tcpipv4 epva-syncookie basic-tunneling epva-udp epva-ipv6 global-syncookie adv-tunneling
    turboflex-security          epva-tcpipv4 epva-syncookie basic-tunneling epva-udp epva-ipv6 basic-dos-vectors adv-dos-vectors epva-spva global-syncookie adv-tunneling multiple-vector-lookup transparent-layer2 custom-dos-signatures security-analytics
    turboflex-ultrafast-layer4  epva-tcpipv4 basic-tunneling epva-udp ultrahigh-layer4 global-syncookie
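
A way to turn this output into a configuration check, as an added example that is not part of the F5 manual: it parses `show turboflex profile` output, reports which required hardware features are not active, and lists the profiles in the table that would supply all of them. The `REQUIRED` policy set and the function names are assumptions made for the illustration.

```python
import re

# Constructed input: the page's example output, rulers dropped, table trimmed to 3 rows.
SAMPLE = """\
Current Profile:       turboflex-adc

Active Features:       epva-tcpipv4
                       epva-syncookie
                       basic-tunneling
                       epva-udp
                       epva-ipv6
                       global-syncookie
                       adv-tunneling

Sys::FPGA Turboflex Profiles:
PROFILE                     FEATURES
turboflex-adc               epva-tcpipv4 epva-syncookie basic-tunneling epva-udp epva-ipv6 global-syncookie adv-tunneling
turboflex-base              epva-tcpipv4 epva-syncookie basic-tunneling adv-tunneling
turboflex-security          epva-tcpipv4 epva-syncookie basic-tunneling epva-udp epva-ipv6 basic-dos-vectors adv-dos-vectors epva-spva global-syncookie adv-tunneling multiple-vector-lookup transparent-layer2 custom-dos-signatures security-analytics
"""

# Hypothetical site policy: hardware DoS features that must be active on this device.
REQUIRED = {"basic-dos-vectors", "adv-dos-vectors", "epva-spva", "global-syncookie"}

def parse_turboflex(text):
    """Return (current_profile, active_features, {profile: features})."""
    current, active, table, in_list = None, set(), {}, False
    for line in text.splitlines():
        if m := re.match(r"\s*Current Profile:\s+(\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s*Active Features:\s+(\S+)", line):
            active.add(m.group(1))
            in_list = True
        elif in_list and re.fullmatch(r"\s+[a-z0-9-]+\s*", line):
            active.add(line.strip())      # continuation line of the feature list
        else:
            in_list = False               # blank line or new section ends the list
            if m := re.match(r"\s*(turboflex-\S+)\s+(.+)", line):
                table[m.group(1)] = set(m.group(2).split())
    return current, active, table

def audit(text, required=REQUIRED):
    """Report missing required features and the profiles that include all of them."""
    current, active, table = parse_turboflex(text)
    return {"profile": current, "missing": sorted(required - active),
            "candidates": sorted(p for p, f in table.items() if required <= f)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

With the sample above, the active `turboflex-adc` profile lacks three of the four required features, and `turboflex-security` is the only listed profile that carries all of them.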
                               
    

View the currently active TurboFlex Profile using tmsh

You can use tmsh to see which TurboFlex Profile is currently active on your system.
  1. Open the Traffic Management Shell (tmsh).
    tmsh
  2. Change to the system module.
    sys
    The system prompt updates with the module name: user@bigip01(Active)(/Common)(tmos.sys)#
  3. View the currently active profile.
    list turboflex profile-config
    This is an example of the output that you might see when you run this command:
                                  
    sys turboflex profile-config {
        type turboflex-adc
    }
                               
    

View all TurboFlex Profile features using tmsh

You can use tmsh to see a list of all available TurboFlex Profile features on your system.
  1. Open the Traffic Management Shell (tmsh).
    tmsh
  2. Change to the system module.
    sys
    The system prompt updates with the module name: user@bigip01(Active)(/Common)(tmos.sys)#
  3. View all TurboFlex profile features.
    show turboflex profile features
    This is an example of the output that you might see when you run this command:
                                  
    --------------------------------------------------------------------------------
    Sys::FPGA Turboflex Features:
    --------------------------------------------------------------------------------
    adv-dos-vectors          Advanced DoS Vectors - SIP/DNS
    adv-tunneling            NVGRE, VXLAN, Ether-IP and IPinIP Tunneling
    basic-dos-vectors        Basic DoS Vectors
    basic-tunneling          Q in Q Tunneling
    custom-dos-signatures    Custom DoS Signatures in HW (Behavioral DoS)
    epva-dos-vectors         EPVA SPVA DOS
    epva-ipv6                ePVA - IPv6
    epva-low-latency         EPVA Low Latency
    epva-spva                Per Client White/Gray/Black Listing
    epva-syncookie           Per VS SYN Cookies
    epva-tcpipv4             ePVA - TCP IPv4
    epva-udp                 ePVA - UDP
    fpga-dns                 EPVA DNS Offloading
    global-syncookie         Global SYN Cookies
    hw-latency-dedicate      Guaranteed FIX-LL
    hw-security-dedicate     NEURON Security
    hwsyncookie-neuron       NEURON HW Syncookie
    hwvip-neuron             NEURON HW Listener
    hybrid-cloud-director    FPGA Hybrid Cloud
    multiple-vector-lookup   Multiple Vector Lookups (multi-layer attack mitigation)
    security-analytics       Security Analytics: DDoS/sPVA dropped packets info and reroute
    transparent-layer2       Transparent L2
    tunnel-encapdecap-accel  FPGA Tunnel Acceleration
    ultrahigh-layer4         EPVA UltraSpeed L4
                               
    

View the currently active TurboFlex Profile and features using tmsh

You can use tmsh to see which TurboFlex Profile is currently active on your system and view a list of features for that profile.
  1. Open the Traffic Management Shell (tmsh).
    tmsh
  2. Change to the system module.
    sys
    The system prompt updates with the module name: user@bigip01(Active)(/Common)(tmos.sys)#
  3. View the currently active profile.
    show turboflex profile feature
    This is an example of the output that you might see when you run this command:
                                  
    ---------------------------------------
    Sys::Active Turboflex
    ---------------------------------------
    Current Profile:       turboflex-adc
    
    Active Features:       epva-tcpipv4
                           epva-syncookie
                           basic-tunneling
                           epva-udp
                           epva-ipv6
                           global-syncookie
                           adv-tunneling
                               
    

View all TurboFlex Profiles supported by each firmware using tmsh

You can use tmsh to view all TurboFlex Profiles and features.
  1. Open the Traffic Management Shell (tmsh).
    tmsh
  2. Change to the system module.
    sys
    The system prompt updates with the module name: user@bigip01(Active)(/Common)(tmos.sys)#
  3. View all TurboFlex Profiles and features.
    show fpga turboflex-profile
    This is an example of the output that you might see when you run this command:
                                  
    --------------------------------------------------------------------------------
    Sys::FPGA Turboflex Information:
    --------------------------------------------------------------------------------
    FW Type   l4-performance-fpga
    Personas  turboflex-base
    
    FW Type   l7-intelligent-fpga
    Personas  turboflex-base turboflex-dns
    
    FW Type   low-latency
    Personas  turboflex-base turboflex-low-latency
    
    FW Type   standard-balanced-fpga
    Personas  turboflex-base turboflex-adc turboflex-security turboflex-private-cloud turboflex-low-latency
                               
    

Change the currently active TurboFlex Profile using tmsh

Before you change to a different TurboFlex Profile, verify that you have the appropriate modules provisioned.
You can use tmsh to change which TurboFlex Profile is currently active on your system.
  1. Open the Traffic Management Shell (tmsh).
    tmsh
  2. Change to the system module.
    sys
    The system prompt updates with the module name: user@bigip01(Active)(/Common)(tmos.sys)#
  3. Change the currently active profile.
    modify turboflex profile-config type <turboflex-profile-name>
    Confirm that you would like to change the active TurboFlex Profile.
    Note: Changing the active profile might require a restart of daemons and disrupt traffic.
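
Because the change can restart daemons and disrupt traffic, the prerequisites stated in this chapter can be checked before running the `modify` command. The sketch below is an added example, not F5 code: it combines the license rule, the module requirement of each profile, and the per-firmware profile list from `show fpga turboflex-profile`. It assumes the caller supplies the license tier, the provisioned module names (lowercase), and the active firmware type; the function names are hypothetical.

```python
# Constructed input: the page's example `show fpga turboflex-profile` output,
# banner and ruler lines dropped.
FPGA_INFO = """\
FW Type   l4-performance-fpga
Personas  turboflex-base

FW Type   l7-intelligent-fpga
Personas  turboflex-base turboflex-dns

FW Type   low-latency
Personas  turboflex-base turboflex-low-latency

FW Type   standard-balanced-fpga
Personas  turboflex-base turboflex-adc turboflex-security turboflex-private-cloud turboflex-low-latency
"""

# Module prerequisites from the profile descriptions on this page;
# any one module in the set satisfies the requirement.
REQUIRED_MODULES = {
    "turboflex-adc": {"ltm"},
    "turboflex-private-cloud": {"ltm"},
    "turboflex-security": {"afm", "apm"},
}

def personas_by_firmware(text):
    """Map each 'FW Type' in the output to the set of profiles it lists."""
    firmware, result = None, {}
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["FW", "Type"] and len(parts) == 3:
            firmware = parts[2]
        elif parts[:1] == ["Personas"] and firmware:
            result[firmware] = set(parts[1:])
    return result

def preflight(target, high_perf_license, provisioned, firmware, fpga_text=FPGA_INFO):
    """Return the reasons the target profile cannot be enabled (empty list = go)."""
    blockers = []
    if target != "turboflex-base" and not high_perf_license:
        blockers.append("license: standard (x600) supports only turboflex-base")
    needed = REQUIRED_MODULES.get(target, set())
    if needed and not needed & set(provisioned):
        blockers.append("module: provision one of " + "/".join(sorted(needed)))
    if target not in personas_by_firmware(fpga_text).get(firmware, set()):
        blockers.append(f"firmware: {firmware} does not list {target}")
    return blockers

if __name__ == "__main__":
    print(preflight("turboflex-security", True, {"ltm"}, "standard-balanced-fpga"))
```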

About managing TurboFlex Profiles using the Configuration utility

You can use the Configuration utility to manage your TurboFlex Profiles for your system.

View all TurboFlex profiles using the Configuration utility

You can use the Configuration utility to see a list of all TurboFlex Profiles that are supported on your system.
On the Main tab, click System > Resource Provisioning > TurboFlex.
This displays a list of active and available TurboFlex profiles.

Change the currently active TurboFlex Profile using the Configuration utility

Before you change to a different TurboFlex Profile, verify that you have the appropriate modules provisioned.
You can use the Configuration utility to change which TurboFlex Profile is currently active on your system.
  1. On the Main tab, click System > Resource Provisioning > TurboFlex.
    This displays a list of active and available TurboFlex profiles.
  2. Click Enable Profile for the profile that you would like to activate.