© F5 Networks, Inc.


F5 User’s Group September 13th 2011

Agenda

TMOS version 11 New features and overview

Demo vCMP

Demo and discuss iApps

User discussion – iRules

Survey and suggestions for next meeting

Bowling and/or game play

V11 - Revolution


Analytics – URL Load Times


Analytics – TPS per URL


Analytics – Request Throughput per URL


Analytics – Response Throughput per URL


Statistics and Reporting – Per Virtual Server CPU Stats and Profile Stats

* Improved Visibility for Each Virtual Service


Statistics and Reporting – Per Process CPU & Memory Stats – Dashboard Customization

* Improved Diagnostics


Real-time Transaction logs

Client

Open Application Logging Engine

High Speed Logging Engine (HSL)

• GUI - Request Logging Profile

• Unmatched performance - Up to 200,000 HSL (TCP/UDP) messages per second with minimal impact to CPU usage

• Support compliance requirements

• W3C standard web log format support


F5 ScaleN Architecture – Ultimate Scalability and Reliability

Scale Up

Scale Out

Virtualization (vCMP)

Clustered Multiprocessing (CMP) & SuperVIP

TMOS

The flexibility to scale up, virtualize, and scale out on-demand


Typical Failover – Limited Control

• Typical ADC runs Active-Standby

• Can only fail entire ADC

• Failover events disrupt all services


ScaleN: Device Service Clusters – Dynamic Service Based Failover

• Fail-over targeted application workloads

• Avoid application service disruptions

• Move applications needing extra power


ScaleN: Device Service Clusters – Elastic Scale Driving Efficiency

• Active-active-active N Scale

• Blade fails on BIG-IP 1

• Add new blade to BIG-IP 3

• Blade replaced on BIG-IP 1

• Any type of BIG-IP device


Akamai

TMOS – TCP, HTTP, & iRule Enhancements

Ability to create TCP/UDP out of band connections via iRules

TCP Connection Queuing

TCP Options inspection & transformation with iRules

Separate caching & compression profiles from HTTP

HTML Parsing iRules

*Bigpipe is no longer supported in v11


TCP Connection queuing

• Operates at TCP level; HTTP not required

• Currently only engages when conn limit hit

• Specify queue length limit, time limit, or both

• Queues operate per-tmm (no state sharing)

– Length limit divided by tmm count

– FIFO guarantees only per-tmm

• Queued at the pool level for non-persistent connections

• Queued at the pool member level for persistent connections

– If conn limit is overridden by persistence, that conn is not queued

• When a pool member becomes available, it checks the head of its queue, and of the pool’s queue, and services the flow that got there first.
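
The queuing rules on this slide have two consequences for capacity planning: a queue can reject connections on one tmm while the others are empty, and the oldest waiting flow is not always served first. The following toy model is an added example, not F5 code and not part of the original deck; the class and method names, the member name `web1`, integer division of the length limit, and applying the same limit to pool and member queues are all assumptions.

```python
from collections import deque

class ConnQueueModel:
    """Toy model of the queuing rules on the slide (not F5 code)."""

    def __init__(self, length_limit, tmm_count, time_limit=None):
        # Slide: "Length limit divided by tmm count". Integer division is an assumption.
        self.per_tmm_limit = length_limit // tmm_count
        self.time_limit = time_limit
        self.pool_q = [deque() for _ in range(tmm_count)]   # non-persistent flows
        self.member_q = [{} for _ in range(tmm_count)]      # persistent flows, per member

    def enqueue(self, tmm, flow, now, persist_member=None):
        """Queue a flow that hit the connection limit; False means the queue was full."""
        if persist_member is None:
            q = self.pool_q[tmm]
        else:
            q = self.member_q[tmm].setdefault(persist_member, deque())
        if len(q) >= self.per_tmm_limit:   # assumption: same limit for both queue kinds
            return False
        q.append((now, flow))
        return True

    def _head(self, q, now):
        # Discard entries that waited longer than the time limit, then peek.
        while q and self.time_limit is not None and now - q[0][0] > self.time_limit:
            q.popleft()
        return q[0] if q else None

    def member_available(self, tmm, member, now):
        """A member frees a slot on one tmm: serve the older of the two queue heads."""
        queues = [self.member_q[tmm].get(member, deque()), self.pool_q[tmm]]
        live = [q for q in queues if self._head(q, now) is not None]
        if not live:
            return None
        return min(live, key=lambda q: q[0][0]).popleft()[1]

def demo():
    m = ConnQueueModel(length_limit=4, tmm_count=4, time_limit=10)  # 1 slot per tmm
    m.enqueue(1, "A", now=0)                            # oldest flow, on tmm 1
    m.enqueue(0, "B", now=1)                            # pool queue, tmm 0
    m.enqueue(0, "C", now=2, persist_member="web1")     # member queue, tmm 0
    full = m.enqueue(0, "D", now=3)                     # tmm 0 pool queue already full
    served = [m.member_available(0, "web1", now=4) for _ in range(3)]
    expired = m.member_available(1, "web1", now=20)     # "A" waited 20 > 10
    return full, served, expired
```

In the constructed run, flow D is rejected with only two of four nominal slots used, and flow A, the oldest, is never served by capacity freed on tmm 0 and eventually times out on tmm 1.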


New Product and Platform Support

• New 6900S (Turbo SSL), 11000 (48 GB Memory, 4x SSDs (4x 300 GB), 16 Gbps HW Comp.), and 11000/11050F (FIPS) platforms (October announcement)

• WOM standalone product and platforms (1600, 3600, 3900, 6900, 8900, 11000)

• Modules: Add-on Module support VE and 1600 (ASM, WA, APM, GTM, WOM)

• Modules: Triplet support on 3600 and higher (Any combination excluding LC)

• VE Production (LTM, APM, ASM, WOM, GTM) *WA coming next release

• New VE Lab editions that include all products

[Platform images: 3900/3600; 8900/8950/8950S; 6900 and 6900S; 1600; 11000 and 11050]

October announcement


BIG-IP Advanced Acceleration Overview

Adaptive Protection for Web 2.0 Applications


Easily Secure JSON Payloads – BIG-IP Application Security Manager

Example: www.stockfacts.com

• Protect from JSON threats

• Render unique blocking message for AJAX widgets

• User informs admin with support ID for resolution

Display a Blocking Message in AJAX Widget


F5 Innovative Protection for Web 2.0 Apps

• Secure all applications

• Automatically share policies between devices

• Quickly deploy BIG-IP ASM VE in private clouds

[Diagram labels: Internet; Private Cloud Apps; Data Center; Web 2.0 Apps; Hacker; Clients; BIG-IP Application Security Manager]


Customer Website

Protection from Vulnerabilities – Enhanced Integration: BIG-IP ASM and WhiteHat Sentinel

WhiteHat Sentinel

• Finds a vulnerability

• Virtual-patching with one-click on BIG-IP ASM

BIG-IP Application Security Manager

• Verify, assess, resolve and retest in one UI

• Automatic or manual creation of policies

• Discovery and remediation in minutes

• Vulnerability checking, detection and remediation

• Complete website protection


ASM and the Software Development Lifecycle

• Policy Tuning

• Pen tests

• Performance Tests

• Final Policy Tuning

• Pen Tests

• Incorporate vulnerability assessment into the SDLC

• Use business logic to address known vulnerabilities

• Allow resources to create value

• WAF “offload” features:

– Cookies

– Brute Force

– DDoS

– Web Scraping

– SSL, Caching, Compression


BIG-IP Advanced Acceleration Overview

Advanced Dynamic Services for Unified Access Control


F5 Unified Access and Control – Flexible and Dynamic ADC Services – BIG-IP v11

[Diagram labels: BIG-IP Edge Gateway + Access Policy Manager + WebAccelerator + WAN Optimization Manager; Headquarters and Remote Offices; Corporate WAN; IPsec: Optimized Site-to-Site Tunnels; Internet; BIG-IP System Virtual Editions; BIG-IP Edge Gateway; Data Center; BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager + Access Policy Manager; Mobile and Remote Users; Public/Private Cloud; Optimized Applications to BIG-IP Edge Client]


Authentication All in One and Fast SSO – F5 BIG-IP Access Policy Manager

Dramatically reduce infrastructure costs; increase productivity

= BIG-IP v11


New Detailed Reporting – BIG-IP APM

Custom, Built-in and Saved reports

Exported and used on other devices

e.g. How many XP users are still on my network?

e.g. Who accessed app. or network and when?

e.g. Where are users accessing from (geolocation)?


BIG-IP Advanced Acceleration Overview

Scalable, Adaptive and Secure DNS infrastructure


Scalable GSLB Performance – Step 1: Multicore (CMP) BIG-IP GTM v11

• Enable users to access apps during spikes

• Scale with GTM query performance utilizing hardware

– CMP enabled utilizing full set of processing cores

– Up to 6 million QPS on VIPRION

– Each CPU Core ~ high performance DNS server = 130k+ QPS

• Integrates GTM in TMM for exponential performance

[Chart labels: 125k QPS; 600k QPS; 1.5Mil QPS; 3Mil QPS; 6Mil QPS; 2Mil QPS]

Preliminary estimates: (may exceed)


Exponential and Efficient DNS Performance – Step 2: Implement DNS Express

DNS Express

• High-speed response and DDoS protection with in-memory DNS

• Authoritative DNS serving out of RAM

• Configuration size for tens of millions of records

• Scalable DNS Performance

• Consolidate DNS Servers

[Diagram labels: Manage DNS Records; NIC; OS; Admin; Auth; Roles; Dynamic DNS; DHCP; Answer DNS Query; DNS Express in TMOS; DNS Server]


Solution: Easily Handle All DNS Requests – Step 3: BIG-IP GTM and IP Anycast Integration

• Same IP Address for multiple devices

• Geographically separate the DNS request load for all requests

• Scale DNS infrastructure up and out per BIG-IP

• Revenue and brand are protected


Eases the IPv6 Evolution

DNS 6 4

• Combined NAT64 and DNS64 provide automatic translation

• Supports pure IPv6 clients accessing both IPv6/IPv4 sites

• Critical for mobile devices and any client optimized for pure IPv6

• Eases evolution and bridges gap between IPv6/IPv4 DNS

[Diagram labels: Internet; IPv4 and IPv6 Clients; BIG-IP Local Traffic Manager + Global Traffic Manager; NAT64; Forwarding/Mapping Virtual; v4 DNS www.server.com (A); v6 DNS www.server.com (AAAA); DNS64]


Usability Enhancements – Route Domains, Monitors, & Default Certificates!

Removed Basic/Advanced listener

Optional manual selection of prober assignments

iQuery status in the GUI

GTM monitor support of Route Domains

Default certificate is now 10 yrs!

[Diagram labels: GTM; Route Domain 0; Route Domain 1; Route Domain 2; BIG-IP Local Traffic Manager + Global Traffic Manager; BIG-IP Global Traffic Manager]


Global Customer Training for V11

• Free Customer Web-based Training: What’s New in BIG-IP V11

• Additional v11 WBT modules will be available later


vCMP Demo – Virtual Clustered Multi-Processing

vCMP = F5’s purpose-built hypervisor

Currently available with version 11 on the VIPRION platforms

Today’s demo is on a VIPRION 2400


V11: The iApp Revolution

• Optimizing the network for specific applications takes weeks … and can be frustrating

• F5’s unique application deployment guides helped … now just days

• F5’s new iApp capability reduces process to hours and minutes and it’s portable like virtual machines

• Framework to unify, simplify and control Application Delivery Services

• Application-centric

• Contextual view and advanced analytics

• Rapid and predictable deployment 


BIG-IP V10 Managing Objects & Services

BIG-IP V11 Managing Application Services


BIG-IP V11 Managing Application Services

F5 iApps: Managing application services … not network devices or objects.


• IT Network, Security, WAN, and Exchange Team Collaboration

• Application specific questions


Use a single interface to:

• Understand F5 application service dependencies

• Rapidly perform operational tasks

• Quick view of overall application and health status

• View availability status and type for each service object

• Rapidly enable and disable resource pool nodes or servers.

The network from an “Application’s Point of View”


iApp Ecosystem

• More than 20 iApp templates come with v11

• F5’s Open iApp Ecosystem is part of DevCentral

• Share iApps within organizations, between partners, and other vendors


User Discussion: iRules

Randy Ferguson – F5 Consultant (Tempe, AZ)

Do you have an iRule you would like to discuss?

Examples:

Select a pool based on the HTTP host header

Sideband Connection – new in v11

LDAP Proxy

Proxy Pass

Additional resources – DevCentral Tutorials

© 2011 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, ARX, FirePass, iControl, iRules, TMOS, and VIPRION are registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries
