F5 User’s Group September 13th 2011

1 F5 User’s Group September 13th 2011
Agenda
- TMOS version 11: new features and overview
- Demo: vCMP
- Demo and discuss: iApps
- User discussion – iRules
- Survey and suggestions for next meeting
- Bowling and/or game play
- Meet 2 times a year, in February and September
- User Group website on – this presentation and survey results will be posted

2 V11 - Revolution

3 Analytics – URL Load Times

4 Analytics – TPS per URL

5 Analytics – Request Throughput per URL

6 Analytics – Response Throughput per URL

7 Statistics and Reporting Per Virtual Server CPU Stats and Profile Stats
* Improved Visibility for Each Virtual Service

8 Statistics and Reporting Per Process CPU & Memory Stats – Dashboard Customization
* Improved Diagnostics

9 Open Application Logging Engine
- Client real-time transaction logs
- High Speed Logging Engine (HSL)
- GUI - Request Logging Profile
- Unmatched performance - up to 200,000 HSL (TCP/UDP) messages per second with minimal impact to CPU usage
- Support compliance requirements
- W3C standard web log format support
- HSL is now in the GUI via a Logging Profile

10 F5 ScaleN Architecture Ultimate Scalability and Reliability
The flexibility to scale up, virtualize, and scale out on demand (diagram labels: Clustered Multiprocessing (CMP) & SuperVIP; Virtualization (vCMP); Scale Up; TMOS; Scale Out)

11 Typical Failover – Limited Control
- Typical ADC runs Active-Standby
- Can only fail over the entire ADC
- Failover events disrupt all services

12 ScaleN : Device Service Clusters Dynamic Service Based Failover
- Fail over targeted application workloads
- Avoid application service disruptions
- Move applications needing extra power

13 ScaleN: Device Service Clusters Elastic Scale Driving Efficiency
Active-active-activeN scale (diagram sequence: blade fails on BIG-IP 1; add new blade to BIG-IP 3; blade replaced on BIG-IP 1; any type of BIG-IP device)

14 TMOS – TCP, HTTP, & iRule Enhancements
- Separate caching & compression profiles from HTTP
- TCP Options inspection & transformation with iRules (Akamai)
- Ability to create TCP/UDP out-of-band connections via iRules
- TCP Connection Queuing
- HTML Parsing iRules

TCP Connection Queuing: provides the ability to queue connection requests that exceed the connection limit for a pool, pool member, or node. Consequently, instead of dropping connection requests, they reside within a queue in accordance with defined conditions until capacity becomes available.

TCP/UDP out-of-band connections: this new feature will provide the ability to do a "callout" to an external system for connection-related information and, as a result, take action. For example, based on the client's source IP address we could query a policy server and verify whether the client was on the white/black list, and pass or deny the connection. This policy server could be RADIUS, HTTP, DIAMETER or LDAP.

TCP Options read/write via iRules: enhance the TCP profile to allow iRules to read and write the TCP Option in an HTTP header. Additionally, we'll add an iRule to extract the Akamai TCP Option.

*Bigpipe is no longer supported in v11

15 TCP Connection queuing
- Operates at the TCP level; HTTP not required
- Currently only engages when the connection limit is hit
- Specify a queue length limit, a time limit, or both
- Queues operate per-TMM (no state sharing)
  * Length limit is divided by the TMM count
  * FIFO is guaranteed only per-TMM
- Queued at the pool level for non-persistent connections
- Queued at the pool member level for persistent connections
- If the connection limit is overridden by persistence, that connection is not queued
- When a pool member becomes available, it checks the head of its own queue and of the pool's queue, and services the flow that got there first.
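The per-TMM queuing rules listed above, as an added Python simulation that is not TMOS code and not part of the presentation; the member names, connection names and the `persist_overrides_limit` switch are assumptions used to exercise each rule.

```python
from collections import deque
from dataclasses import dataclass, field
import itertools

@dataclass
class Member:
    name: str
    conn_limit: int
    active: int = 0
    queue: deque = field(default_factory=deque)  # persistent connections wait here

class TmmConnectionQueue:
    """One TMM's view of a pool: limits are this TMM's share, FIFO only within it."""
    def __init__(self, members, queue_limit, tmm_count, time_limit=None,
                 persist_overrides_limit=False):
        self.members = members
        self.per_tmm_limit = queue_limit // tmm_count  # length limit split across TMMs
        self.time_limit = time_limit                   # max seconds a flow may wait
        self.persist_overrides_limit = persist_overrides_limit
        self.pool_queue = deque()                      # non-persistent connections
        self._arrival = itertools.count()              # arrival order inside this TMM

    def accept(self, conn, now, persist_to=None):
        """Admit a new connection; returns 'served', 'queued' or 'dropped'."""
        if persist_to is not None:
            # Persistence that overrides the limit bypasses queuing entirely.
            if self.persist_overrides_limit or persist_to.active < persist_to.conn_limit:
                persist_to.active += 1
                return "served"
            queue = persist_to.queue                   # member-level queue
        else:
            free = next((m for m in self.members if m.active < m.conn_limit), None)
            if free is not None:
                free.active += 1
                return "served"
            queue = self.pool_queue                    # pool-level queue
        queued = len(self.pool_queue) + sum(len(m.queue) for m in self.members)
        if queued >= self.per_tmm_limit:
            return "dropped"                           # queue full: pre-v11 behaviour
        queue.append((next(self._arrival), now, conn))
        return "queued"

    def release(self, member, now):
        """A flow on `member` ended: serve the earliest waiter from its own or the pool queue."""
        member.active -= 1
        for q in (member.queue, self.pool_queue):      # drop waiters past the time limit
            while q and self.time_limit is not None and now - q[0][1] >= self.time_limit:
                q.popleft()
        waiting = [q for q in (member.queue, self.pool_queue) if q]
        if not waiting:
            return None
        _, _, conn = min(waiting, key=lambda q: q[0][0]).popleft()
        member.active += 1
        return conn
```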

16 New Product and Platform Support
- October announcement: 1600, 3900/3600, 6900 and 6900S, 8900/8950/8950S, 11000 and 11050
- New 6900S (Turbo SSL: 48 GB memory, 4x SSDs (4x 300 GB), 16 Gbps HW compression) and 11000/11050F (FIPS) platforms (October announcement)
- WOM standalone product and platforms (1600, 3600, 3900, 6900, 8900, 11000)
- Modules: add-on module support on VE and 1600 (ASM, WA, APM, GTM, WOM)
- Modules: triplet support on 3600 and higher (any combination excluding LC)
- VE Production (LTM, APM, ASM, WOM, GTM) *WA coming next release
- New VE Lab editions that include all products

BIG-IP hardware is designed specifically for application delivery. Features such as hardware SSL, hardware compression, and multi-core processing enable BIG-IP hardware to deliver even the most demanding applications. Options for dual hard drives, dual power, and hot-swappable components give you the highest reliability.

17 BIG-IP Advanced Acceleration Overview
Adaptive Protection for Web 2.0 Applications

18 Easily Secure JSON Payloads BIG-IP Application Security Manager
- Display a blocking message in an AJAX widget
- Protect from JSON threats
- Render a unique blocking message for AJAX widgets
- User informs the admin with the support ID for resolution

Blocking page: the user doesn't understand what happened if there is no blocking page. ASM administrator: a customer calls and says "I can't pass a certain image". A blocking page allows the customer to inform the ASM administrator or tech support of the block and what the support ID is, to give to Tech Support to solve the problem. It also allows the testing team to test the ASM policy and make sure the policy doesn't contain a false positive.

An attacker using a JSON payload will be blocked. If the JSON payload continues to violate the policy then the image/text will not render. If the payload doesn't violate the policy then the image is rendered. If IT sees that this support ID is a false positive then a correction can be made so the JSON payload no longer violates the policy.

The data flexibility provided by JSON and AJAX also creates a rich environment for web application attacks that are based on name=value pairs. Poorly written JSON code can allow an attacker to modify the application by manipulating the name=value object data or by inserting or altering the binary payloads, preventing a user from seeing their customized content. Sophisticated AJAX attacks can also be used to initiate XSS and JSON hijacking attacks, allowing the attacker to compromise very personalized information for targeted users. Example:

19 F5 Innovative Protection for Web 2.0 Apps
- Secure all applications
- Automatically share policies between devices
- Quickly deploy BIG-IP ASM VE in private clouds
(diagram labels: Data Center; Hacker; BIG-IP Application Security Manager; Internet Clients; Web 2.0 Apps; Private Cloud Apps)

20 BIG-IP Application Security Manager
Protection from Vulnerabilities
Enhanced Integration: BIG-IP ASM and WhiteHat Sentinel
- WhiteHat Sentinel finds a vulnerability on the customer website
- Virtual patching with one click on BIG-IP ASM
- Vulnerability checking, detection and remediation
- Complete website protection
- Verify, assess, resolve and retest in one UI
- Automatic or manual creation of policies
- Discovery and remediation in minutes

21 ASM and the Software Development Lifecycle
(diagram phases: Policy Tuning; Pen Tests; Performance Tests; WAF "offload" features: Cookies, Brute Force, DDoS, Web Scraping, SSL, Caching, Compression; Final Policy Tuning; Pen Tests)
- Incorporate vulnerability assessment into the SDLC
- Use business logic to address known vulnerabilities
- Allow resources to create value

Best scenario: add ASM into the SDLC in the Design, Integration/Test, and Installation and Acceptance phases. Some customers are unable to make that investment. For these customers we offer an alternative: vulnerability assessment on the production environment followed by a quick ASM mitigation. Essentially this is the WhiteHat integration, giving them assurance of no open vulnerabilities.

22 BIG-IP Advanced Acceleration Overview
Advanced Dynamic Services for Unified Access Control

23 F5 Unified Access and Control Flexible and Dynamic ADC Services – BIG-IP v11
(diagram labels: Mobile and Remote Users; Public/Private Cloud; BIG-IP System Virtual Editions; Internet; Optimized Applications to BIG-IP Edge Client; BIG-IP Edge Gateway; Data Center; BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager + Access Policy Manager; Corporate WAN; IPsec: Optimized Site-to-Site Tunnels; BIG-IP Edge Gateway + Access Policy Manager + WebAccelerator + WAN Optimization Manager; Headquarters and Remote Offices)
- Supports users worldwide
- Secure IPsec site-to-site tunnels
- Fast apps to Edge Client users
- Virtual and standalone deployments

APM v11 on Edge Gateway surpasses VPN feature parity. IPsec (iSessions) site to site (gateway to gateway) extends layer 3 networks, vs. the initial IPsec (client to site), where normally SSL VPN is a replacement. App Tunnels: new and improved, easily configurable. Dynamic Webtop. Flash patching.

24 Authentication All in One and Fast SSO F5 BIG-IP Access Policy Manager
Dramatically reduce infrastructure costs; increase productivity
- Able to show the different back-end or server-side auth mechanisms that we can support
- Integrate and distribute users to apps
- Multi-domain Single Sign-On to applications and networks
- ACA now in APM = OCSP, CRLDP (Certificate Revocation List) and TACACS+ (Cisco version of RADIUS)
- Easy and simple authentication design
- Single Sign-On to multiple LTM/APM or Edge Gateway virtual servers. Example: client cert authentication from an iPhone/iPad back to APM/Edge Gateway, using Kerberos Constrained Delegation (KCD) and Kerberos Protocol Transition (KPT) to perform backend SSO
- Easy configuration for settings and domains: configure different cookie settings and SSO methods for different domains or different hosts in the same domain, spanning multiple separate domains or multiple hosts within the same domain
- NTLM, Basic, Header, KPT = BIG-IP v11

25 New Detailed Reporting BIG-IP APM
- e.g. Who accessed the app or network, and when?
- e.g. How many XP users are still on my network?
- e.g. Where are users accessing from (geolocation)?
- Custom, built-in and saved reports
- Exported and used on other devices

26 BIG-IP Advanced Acceleration Overview
Scalable, Adaptive and Secure DNS infrastructure

27 Scalable GSLB Performance Step 1: Multicore (CMP) BIG-IP GTM v11
- Enable users to access apps during spikes
- Scale with GTM query performance utilizing hardware
- CMP enabled, utilizing the full set of processing cores
- Up to 6 million QPS on VIPRION
- Each CPU core ~ a high-performance DNS server = 130k+ QPS
- Integrates GTM in TMM for exponential performance

Preliminary estimates (may exceed):
- Queries/second: 130k+ QPS per core
- GTM VE – 1 TMM = up to 125k QPS depending on server CPU
- GTM 1600 standalone – 2 cores = ~300k QPS (not pictured)
- GTM 3900 standalone – 4 cores = ~600k QPS
- GTM 8900 standalone – 8 cores = ~1.5 million QPS
- GTM standalone – 12 cores = ~2 (or 2.5?) million QPS (extra high-speed bridge for L4)
- VIPRION 2000 GTM module scales with blades: 16 cores = up to 3 million QPS
- VIPRION 4000 GTM module scales with blades: 32 cores = up to 6 million QPS

28 Exponential and Efficient DNS Performance Step 2: Implement DNS Express
High-speed response and DDoS protection with in-memory DNS
- Authoritative DNS serving out of RAM
- Configuration size for tens of millions of records
- Scalable DNS performance
- Consolidate DNS servers
- Zone transfer and notify for updates
- Estimated performance: 250k QPS per core
(diagram labels: DNS Server; DNS Express in TMOS; Answer DNS Query; Manage DNS Records; OS Admin; Auth Roles; NIC; Dynamic DNS; DHCP)

29 Solution: Easily Handle All DNS Requests Step 3: BIG-IP GTM and IP Anycast Integration
Same IP address for multiple devices
- Geographically separate the DNS request load for all requests
- Scale DNS infrastructure up and out per BIG-IP
- Revenue and brand are protected
  * DNS queries, legitimate and attacks, are sent to the closest device
  * Difficult for attackers to target a single device
  * Obscures the number of servers and devices answering DNS queries

(After: with IP Anycast and one IP address, the routing system distributes DNS requests across multiple GTM devices, reducing the increased load each device has to handle.) Increase performance: if 2 million QPS before, now, after balancing the query load, 6 million QPS. *Add a graph for each GTM to show each managing DNS query requests, sharing the load. Splitting the load allows for easy management of increased DNS query requests.

- Monitors GTM automatically for RHI (checkbox in DNS Listener)
- Add Routing Module to standalone GTM
- Route Health Injection (RHI) for DNS Listener
- Routing architecture sends the query to the closest device
- Uses networking / routing weights
- Can be used inside a datacenter to cluster GTMs

Basic Global Server Load Balancing (GSLB) illustration. Setup: the organization EXAMPLE.COM is concerned about application latency and maintaining high availability in the event of a datacenter failure.
- Clients located all over the world
- Three major datacenters: North America, EMEA, ASIA
- Three F5 BIG-IP Global Traffic Managers (GTM) in a sync group, effectively acting as a single system

First click: highlight the three datacenters.
Second click: the black line represents the clients' requests for the same resource.
Third click: details of F5 BIG-IP GTM handling the request:
1. GTM receives the request
2. Match the FQDN in the GTM name list
3. Configured for topology load balancing using IP geolocation
4. Look up the LDNS IP against the geolocation database
5. Map the LDNS location to the datacenter's region
6. Validate that the resource is available
7. Respond with the appropriate IP for the chosen datacenter
Then it shows the colored arrows representing the different IP addresses that are used for each datacenter.
Fourth click: the GTM box dissolves and the answer arrows show the BEST answer that each client receives based on their location.
Fifth click: text box explaining that this configuration and dynamic IP response is invalid in the traditional world of DNSSEC.
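The topology load-balancing steps in the illustration above, as an added Python sketch that is not F5's or the presenter's code; the LDNS prefixes, VIPs, health states and the fallback ordering when the closest datacenter is down are constructed assumptions.

```python
import ipaddress

# Constructed sample data for the illustration (not F5's geolocation database).
GEO_DB = {                       # LDNS source prefix -> region
    "198.51.100.0/24": "NA",
    "192.0.2.0/24": "EMEA",
    "203.0.113.0/24": "ASIA",
    "203.0.113.128/25": "EMEA",  # longer prefix wins over the /24 above
}
WIDE_IPS = {                     # FQDN -> region -> VIP, in the order tried on failure
    "www.example.com": {"NA": "198.18.0.10", "EMEA": "198.18.1.10", "ASIA": "198.18.2.10"},
}
AVAILABLE = {"NA": True, "EMEA": True, "ASIA": True}   # result of GTM health monitoring


def locate_ldns(ldns_ip, geo_db=GEO_DB):
    """Map the LDNS address to a region by longest-prefix match; None if unknown."""
    addr = ipaddress.ip_address(ldns_ip)
    best = None
    for prefix, region in geo_db.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region)
    return best[1] if best else None


def gslb_answer(fqdn, ldns_ip, wide_ips=WIDE_IPS, available=AVAILABLE, geo_db=GEO_DB):
    """Topology load balancing as described on the slide: match the FQDN, geolocate
    the LDNS, map it to a datacenter, validate availability, answer with that VIP.
    Falls back to the next configured datacenter (assumed ordering) when the
    closest one is down. Returns (region, vip), or None if GTM does not own fqdn
    or no datacenter is available."""
    pools = wide_ips.get(fqdn.lower().rstrip("."))
    if pools is None:
        return None                                   # not a GTM wide IP
    region = locate_ldns(ldns_ip, geo_db)
    candidates = list(pools)
    if region in pools:
        candidates.remove(region)
        candidates.insert(0, region)                  # closest datacenter first
    for r in candidates:
        if available.get(r):
            return r, pools[r]
    return None                                       # every datacenter is down
```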

30 Eases the IPv6 Evolution DNS 6  4
- Combined NAT64 and DNS64 provide automatic translation
- Supports pure IPv6 clients accessing both IPv6/IPv4 sites
- Critical for mobile devices and any client optimized for pure IPv6
- Eases evolution and bridges the gap between IPv6/IPv4 DNS
(diagram labels: BIG-IP Local Traffic Manager + Global Traffic Manager; Internet; IPv4 and IPv6 Clients; Forwarding/Mapping Virtual; NAT64; DNS64; NAT64 proxy; v4 DNS (A); v6 DNS (AAAA))

LTM manages between IPv4 and IPv6. DNS64 is an automatic method of simulating an IPv6 address for an IPv4 resource. Mobile/notepad/notebook devices are unable to support both v4/v6 due to lack of resources, and the high number of mobile devices on each network complicates hosting a dual IP address for each device.

1. DNS query
2. DNS64 (GTM) sends queries to upstream recursive DNS servers based on the configured option. Three options for DNS64 handling: try IPv6 first, then try IPv4; send both IPv6/IPv4 at the same time and take the first response; convert all queries to IPv4
3a. If a v6 DNS AAAA record is returned, it is returned to the client as usual (assuming option 1 above)
3b. If only a v4 DNS A record is returned, LTM adds the 96-bit prefix to the A record and returns an AAAA to the client
4. Client sends traffic to the AAAA address; the 96-bit prefix network address is owned by LTM (or GTM combo) configured with NAT64
5. NAT64 transforms the v6 address to a v4 address for the outgoing connection (LTM full proxy)
6. NAT64 sends the response data to the client using IPv6

Many mobile providers have described a problem: the inability to run a dual network stack.
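The DNS64 synthesis in step 3b, the three upstream handling options in step 2, and the NAT64 address mapping in step 5, as an added Python illustration that is not F5's code and not part of the original slides. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 as the 96-bit prefix (the slide does not name one), and the upstream resolver answers and latencies are constructed sample data.

```python
import ipaddress

# Assumption: the deployment uses the RFC 6052 well-known NAT64 prefix; the slide
# only says "96 bit prefix", so any /96 owned by the BIG-IP would work here.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(a_record, prefix=NAT64_PREFIX):
    """DNS64 step 3b: embed the IPv4 address in the low 32 bits of the /96 prefix."""
    v4 = ipaddress.IPv4Address(a_record)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def nat64_destination(v6_addr, prefix=NAT64_PREFIX):
    """Step 5: recover the IPv4 server address for the outgoing proxied connection."""
    addr = ipaddress.IPv6Address(v6_addr)
    if addr not in prefix:
        raise ValueError(f"{v6_addr} is not inside the NAT64 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


# Constructed upstream recursive resolver: (name, rtype) -> (latency_ms, records).
UPSTREAM = {
    ("dual.example.com", "AAAA"): (30, ["2001:db8::10"]),
    ("dual.example.com", "A"): (10, ["192.0.2.10"]),
    ("legacy.example.com", "AAAA"): (30, []),          # no IPv6 presence at all
    ("legacy.example.com", "A"): (10, ["192.0.2.20"]),
}


def dns64_resolve(name, mode, upstream=UPSTREAM, prefix=NAT64_PREFIX):
    """Answer an AAAA query from an IPv6-only client using one of the three
    handling options on the slide. Returns (answers, synthesized_flag)."""
    def query(rtype):
        return upstream.get((name, rtype), (0, []))

    if mode == "v6_first":                        # option 1: AAAA, then A
        aaaa = query("AAAA")[1]
        if aaaa:
            return aaaa, False
        a = query("A")[1]
    elif mode == "both_first_response":           # option 2: race both, keep first reply
        lat_aaaa, aaaa = query("AAAA")
        lat_a, a = query("A")
        if lat_aaaa <= lat_a:
            return aaaa, False                    # AAAA answered first, even if empty
    elif mode == "v4_only":                       # option 3: convert every query to A
        a = query("A")[1]
    else:
        raise ValueError(f"unknown DNS64 mode {mode!r}")
    return [synthesize_aaaa(ip, prefix) for ip in a], True
```

Note that option 2 can hand back an empty AAAA answer when the IPv6 reply simply arrives first, which is why option 1 is the safer default for a legacy-heavy estate.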

31 Usability Enhancements Route Domains, Monitors, & Default Certificates!
- Removed Basic/Advanced listener
- iQuery status in the GUI
- Default certificate is now 10 yrs!
- GTM monitor support of Route Domains
- Optional manual selection of prober assignments
(diagram labels: BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager + Global Traffic Manager; Route Domain 0; Route Domain 1; Route Domain 2; GTM)

32 Global Customer Training for V11
Free Customer Web-based Training What’s New in BIG-IP V11 Additional v11 WBTs modules will be available later

33 vCMP Demo Virtual Clustered Multi-Processing
- vCMP = F5's purpose-built hypervisor
- Currently available with version 11 on the VIPRION platforms
- Today's demo is on a VIPRION 2400

34 V11: The iApp Revolution
Framework to unify, simplify and control Application Delivery Services
- Application-centric
- Contextual view and advanced analytics
- Rapid and predictable deployment

Optimizing the network for specific applications takes weeks … and can be frustrating. F5's unique application deployment guides helped … now just days. F5's new iApp capability reduces the process to hours and minutes, and it's portable like virtual machines.

35 BIG-IP V11 Managing Application Services
BIG-IP V10 Managing Objects & Services BIG-IP V11 Managing Application Services There are so many objects to manage in order to deploy an application. It’s a large feat to manage all of these objects as independent collections.

36 BIG-IP V11 Managing Application Services
F5 iAPPs: Managing application services … not network devices or objects. There are so many objects to manage in order to deploy an application. It’s a large feat to manage all of these objects as independent collections.

37 IT Network, Security, WAN, and Exchange Team Collaboration
Application specific questions

38 The network from an “Application’s Point of View”
Use a single interface to:
- Understand F5 application service dependencies
- Rapidly perform operational tasks
- Quick view of overall application and health status
- View availability status and type for each service object
- Rapidly enable and disable resource pool nodes or servers

Operational tasks and health status for App objects on a single page; availability status and type for each object; enable/disable one or more node(s).

39 iApp Ecosystem More than 20 iApp templates come with v11
F5’s Open iApp Ecosystem is part of DevCentral Share iApps within organizations, between partners, and other vendors

40 User Discussion: iRules Randy Ferguson – F5 Consultant (Tempe, AZ)
Do you have an iRule you would like to discuss? Examples:
- Select a pool based on the HTTP host header
- Sideband Connection – new in v11
- LDAP Proxy
- Proxy Pass
Additional resources – DevCentral Tutorials
