Traction Networks LLC - Buy Refurbished Load Balancing Solutions NOTE: Expert BIGIP and 3DNS Consulting from Tractionet is now available!
Please Click here to contact us to discuss your BIG-IP consulting needs!  
Or call us at 1-888-512-3691 to discuss your BIG-IP or 3DNS needs!     
Frequently Asked Questions

BIGIP

What BIGIP Services does Tractionet offer other than Hardware Sales?

Common Big/IP Tasks we perform:

  • Hardware selection/upgrade assistance

  • System clean-up and configuration - used systems

  • Initial system configuration - new or used systems

  • Dual redundant system set-up and configuration

  • Dual redundant system Additions

  • Network planning or Integration with existing networks

  • Rules/filters Configuration

  • Extended Content Verification (ECV)

  • Extended Application Verification (EAV)

  • Custom Scripting - perform decisions based on URL content

  • Training

  • Assistance installing software upgrades

About Tractionet's BIG-IP/3DNS/Globalsite Service:

Tractionet can help you get quickly started with your Big/IP set-up. We assist with configuration, administration, and maintenance. Tractionet has years of experience quickly implementing Big/IP solutions. Tractionet will even help you with your used BIG-IP/3DNS investment. So you have bought a used Big-IP/3DNS server. What's Next? What is the solution truly capable of? At Tractionet, we can help you optimize the performance. If you decide today, you could be running on them in less than a week. Tractionet works with both small companies and large to help your I.T. Department and staff quickly clean, optimize and implement. If your company lacks the skills to configure and implement Big/IP, Tractionet can help.

How do I set up Metrics with BIGIP MIBs?


F5's BIG-IP Load-Balancing Metrics (MIBs)

F5, the maker of the widely used BIG-IP load balancer, has one of the most complete MIB implementations for load balancing metrics via SNMP. F5's compiled MIBs allow you to check the following:

  • Bandwidth, in bits per second, out of every interface

  • Connections per second

  • Total Concurrent sessions

  • Bandwidth in and out of each virtual server (VIP)

  • Bandwidth in and out of each virtual server (VIP), separated by TCP port

  • Many, many other metrics

How can I use F5 to Provide High Availability?


Using F5’s BIG-IP® Controller to Provide High Availability and Load Balancing For LDAP

Introduction

There is a growing demand for a standard way of providing access to personalized information ("white pages" data), while reducing or simplifying the number of logon IDs a user is required to remember or administer. Hence the need for LDAP, or Lightweight Directory Access Protocol. Think of LDAP as a lightning fast, read-only database. LDAP directories play the part of a network-accessible database, indexing and organizing information. The address book in most e-mail applications uses LDAP to locate addresses. Backend databases for things like Netscape Calendar can use LDAP as well. Some companies may have their own directory services pages, enabling a user to quickly look up another’s name, phone extension and so on. Again, LDAP is behind the scenes. LDAP also plays an important role in tighter security, with the directory acting as a type of gatekeeper, deciding who has access to which information.

F5’s BIG-IP Controller

Many businesses are discovering the advantages of placing F5’s BIG-IP Controller, a high availability, intelligent load balancing device, behind LDAP applications. There are several advantages in doing this:

  • High Availability, Load Balancing — By distributing LDAP ‘branches’ across servers, content is always available. LDAP servers never become overloaded or unresponsive, resulting in excellent response time for users.
  • EAV (Extended Application Verification) — Not only does BIG-IP Controller allow a business to load balance LDAP, its unique EAV feature enables administrators to verify that the directory is providing the correct information to users.
  • Security — BIG-IP Controller is designed to protect itself from attacks and provide protection for the LDAP servers being load balanced. Basic functionality includes packet filtering; security scripting which identifies any services or ports being probed; default deny, which provides a tight control of the traffic allowed to pass through; administration through F-Secure, 1024 bit encryption software; and the ability to thwart ping attacks, Denial of Service attacks, IP spoofing, SYN floods and much more.
  • Ease of Maintenance: thanks to BIG-IP Controller, LDAP servers can be taken out of service while remaining transparent to clients. Maintenance and network upgrades are therefore made easier.
  • Optimal Scalability through additional LDAP servers that can be transparently added as traffic increases. With BIG-IP Controller, you can build a massive virtual server out of heterogeneous software, regardless of platform type or combination.
  • Flexibility — The BIG-IP Controller supports any OS, using a variety of Internet applications and services over TCP/IP.

F5 Networks’ BIG-IP Controllers and LDAP

A Case Study: Lawrence Berkeley National Laboratory

Founded in 1931, Ernest Orlando Lawrence Berkeley National Laboratory (Berkeley Lab) is the oldest of America's national laboratories. Today, six decades later, the achievements of this Lab can be viewed as an affirmation of an enduring belief in human progress.

Ernest Lawrence, the Lab's founder and the first of its nine Nobel prize winners, invented the cyclotron, which led to a Golden Age of particle physics and revolutionary discoveries about the nature of the universe. The Lab remains a world center for accelerator and detector innovation and design, is the birthplace of nuclear medicine and the cradle of invention for medical imaging.

Overview

The Centralized Infrastructure group is in charge of assimilating all of the centralized services for the Lab. Centralized services include Directory Services (LDAP), e-mail, scheduling, and file & print services. In particular, the group uses LDAP for many different applications. LDAP contains the Lab’s human resources database. Netscape Calendar is used by over 4,000 individuals, with LDAP as its backend database. The Lab also uses Netscape Messenger for some 6,000 people; again, LDAP is the backend database. They also have their own portal (LBL.gov) that uses the LDAP database, and a directory services page where one can look up names and extensions (again, backed by LDAP).

The Problem

The Centralized Infrastructure group obviously had many different uses for LDAP within the Lab, and many demands placed upon these applications. They needed to provide fast response and high availability of these various applications, on demand.

Their first solution was to take LDAP – which consists of a ‘directory tree’ – and split the tree into various branches and place it on different high-end servers. The problems of replication immediately came to light: replicating the ‘tree’ into many different ‘sub-trees’ proved to be difficult to synchronize, as well as difficult to maintain. Combined with the need to provide high-availability of the LDAP applications, they added F5 Networks BIG-IP Controller behind their servers for load balancing user traffic.

With BIG-IP, the group found that they could distribute the entire tree across every single server. This enabled the distribution of load, enhancing response time and availability. Similarly, because BIG-IP allowed the entire tree to be placed on each server (not just sub-trees), replication problems were eliminated.

Additionally, the Lab immediately saw the cost-effectiveness of using BIG-IP Controller. Because of BIG-IP Controller’s load balancing capabilities, the Lab found that they could replace their expensive high-end Sun servers with PCs running Linux. Before BIG-IP Controller, this wouldn’t have been possible because a single Linux machine simply wouldn’t have been powerful enough to support their many LDAP applications.

Conclusion

LDAP continues to gain popularity among businesses as a fast, read-only database for many different applications, and there is a growing need for a high-availability, intelligent load balancing technology that provides scalability, performance and security for LDAP. F5 Networks’ BIG-IP Controller is a robust product that provides the necessary security, manageability and load balancing power to help businesses take full advantage of LDAP’s many capabilities.


How do I use a "Chained Cert" like Comodo with the BIGIP SSL Accelerator?

The solution to this issue is to upgrade to the most recent intermediate certificate for Comodo. This new certificate should have arrived from your cert issuer and have a name like: ComodoSecurityServicesCA.crt.

Additionally, the most up to date certificate for Comodo should be available from this link: Comodo Class 3 Security Services CA

  1. Open the crt file in a text editor.
  2. Copy the contents of the file.
  3. Using the vi text editor, create a new intermediate-ca.crt file in the /var/tmp directory by typing the following command:

    vi /var/tmp/intermediate-ca.crt

    Note: You can use pico if you are not familiar with vi.

  4. Paste the certificate contents into the editor window. Ensure that the certificate text begins with the BEGIN CERTIFICATE line and ends with the END CERTIFICATE line.


  5. Back up the existing intermediate-ca.crt file by typing the following commands:

    cd /config/bigconfig/ssl.crt
    mv intermediate-ca.crt intermediate-ca.crt.orig

  6. Copy the new certificate file into place by typing the following command:

    mv /var/tmp/intermediate-ca.crt intermediate-ca.crt

  7. Restart BIG-IP's services so the new certificate can be read:

    bigstart restart

  8. If you have a redundant configuration, don't forget to sync your unit to your standby unit after you have verified correct operation of the cert.

At this point the new Comodo intermediate-ca.crt file should be in use. If you try to connect to an SSL Proxy and still receive an error, check the following:

  • Is the text of the error the same as before?


  • Are you connecting to the same BIG-IP that you just copied the updated certificate to?


  • Does the new certificate have the correct name and is it in the correct location?
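
The BEGIN/END check from step 4, extended into a pre-install check to run on /var/tmp/intermediate-ca.crt before step 5; it goes beyond the FAQ's check by also confirming the file parses, is unexpired, is a CA certificate, and optionally signed your server certificate. This is an added example, not part of the original FAQ or F5's tooling: the function names and script name are hypothetical, and it assumes a workstation with OpenSSL 1.0.2 or later (for `-partial_chain`).

```shell
#!/bin/sh
# Added example (not vendor code): sanity-check a pasted intermediate
# certificate before it replaces the file the SSL proxy reads.

# check_pem_framing FILE
# Pure-shell version of the step 4 check: first non-blank line is BEGIN
# CERTIFICATE, last is END CERTIFICATE, markers pair up, no CR characters.
check_pem_framing() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    if grep -q "$(printf '\r')" "$f"; then
        echo "CR line endings found (pasted from a Windows editor?)" >&2
        return 1
    fi
    first=$(grep -v '^[[:space:]]*$' "$f" | head -n 1)
    last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1)
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] ||
        { echo "first line is not a clean BEGIN CERTIFICATE line" >&2; return 1; }
    [ "$last" = "-----END CERTIFICATE-----" ] ||
        { echo "last line is not a clean END CERTIFICATE line" >&2; return 1; }
    [ "$begins" -eq "$ends" ] || { echo "unpaired BEGIN/END lines" >&2; return 1; }
}

# check_intermediate FILE [SERVER_CERT]
# Framing first, then openssl: parses, not expired, is a CA certificate,
# and (optionally) actually signed SERVER_CERT.
check_intermediate() {
    ca=$1; leaf=${2:-}
    check_pem_framing "$ca" || return 1
    openssl x509 -in "$ca" -noout >/dev/null 2>&1 ||
        { echo "openssl cannot parse $ca" >&2; return 1; }
    openssl x509 -in "$ca" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' ||
        { echo "not a CA certificate (basicConstraints)" >&2; return 1; }
    if [ -n "$leaf" ]; then
        # -partial_chain treats the intermediate as the trust anchor,
        # so no root certificate file is needed for this one check.
        openssl verify -partial_chain -CAfile "$ca" "$leaf" >/dev/null 2>&1 ||
            { echo "$leaf does not verify against $ca" >&2; return 1; }
    fi
    # Print what is about to be installed, for the change record.
    openssl x509 -in "$ca" -noout -subject -issuer -enddate
}

# Run as: sh check-intermediate.sh /var/tmp/intermediate-ca.crt [server.crt]
if [ "$#" -gt 0 ]; then check_intermediate "$@"; fi
```

A non-zero exit means the file should not be moved into /config/bigconfig/ssl.crt; the message on stderr says which check failed.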

Can I use a BIGIP Load Balancer with multiple drops/links from my ISP?


Basically, yes. This article describes how to use the BIGIP to load balance multiple websites across multiple ISP drops or links. Note that this solution might also require F5 Networks' 3DNS solution to handle the DNS for multiple subnets of the 2 ISP drops/links.

Using ISP load balancing

You may find that as your network grows, or network traffic increases, you need to add an additional connection to the internet. You can use this configuration to add an additional Internet connection to your existing network. Figure 6.1 shows a network configured with two Internet connections.

Figure 6.1 An example of an additional internet connection

This type of configuration requires you to configure network address translation (NAT) on your routers. If your routers cannot perform NAT, you can use the VLAN SNAT automap feature on the BIG-IP.

Load Balancing

What is a load balancer?

Also known as a Server Load Balancer (SLB), a load balancer is a device that distributes load among several machines. As discussed earlier, it has the effect of making several machines appear as one. There are several components of SLB devices, which are discussed in detail.

Is load-balancing different from "clustering"?

Load-Balancing and Clustering are both solutions to the same problem, but they go about it somewhat differently. Clustering usually refers to the use of proprietary software that interacts at the OS level and is specific to the vendor in question. Since tight integration between servers is required, special software is needed, and thus the vendor will only support a limited number of platforms. Thus, in Tractionet's experience, Network Application devices such as F5 Networks BigIPs are preferred over vendor-specific proprietary software solutions. Typically, the cost of the network application device is the same as, if not less than, the "clustering" software solution. Additionally, there is less to troubleshoot with a Load-Balancer than with its software counterparts. Similarly, scalability is usually much easier to achieve with a Load-Balancer, as all the user must do is add a server, update its content and tell the Load-Balancer of its existence.

What is Load Balancing?

Load-Balancing is a process and technology that distributes site traffic among several servers using a network-based device. This device processes traffic targeted at a site and redirects that traffic to various servers (nodes) distributing the load across multiple machines creating a vast virtual server. This load balancing process is completely transparent to the end user and there can be anywhere from 2 to hundreds of servers operating behind a single URL.

What additional features does the new 7.4.x ServerIron OS provide?

Foundry Networks Inc. is debuting a new operating system for its ServerIron switch that will allow the load-balancing platform to control high-level traffic based on XML tags, HTTP headers, and firewall functions.

As part of the IronWorks 9.0 release, firmware for FPGAs already used in the ServerIron switch will upgrade the chips to better cope with denial-of-service attacks by making the switch act as a TCP SYN proxy.

Foundry is best known for its edge routers and switches for enterprise and metro carrier applications. The ServerIron server-load balancers, introduced three years ago, pit the company directly against rivals like Alteon Websystems Inc. and F5 Inc.

A key factor in effective load-balancer design is not merely offering best access performance but having a purpose-built architecture that will allow switching based on many attributes of traffic at Layers 4 (transport) through 7 (application).

The new software allows traffic to be switched based on XML tags and HTTP header fields. Foundry has been careful to distinguish the former feature from the specialized XML content switches offered by newer specialists like Sarvega Inc.

The ServerIron switch now serves two distinct proxy functions. For HTTP client traffic, the switch terminates all TCP traffic and operates as an HTTP proxy, aggregating multiple client links to the server. In DoS attacks, when SYN floods are initiated by malicious users, the switch acts as a TCP SYN proxy (SYN is a flag for the first stage of a TCP handshake).

Foundry made two improvements to its network management software as part of the OS release. Configuration updates for ServerIron switches are now handled directly through IronView network management software. For more detailed monitoring of switches, Foundry is using the sFlow flow analysis mechanism specified in the Internet Engineering Task Force RFC 3176 standard. The packet sampling used in sFlow is directly implemented in ServerIron ASICs, and is able to be analyzed by the network management system.

Foundry is implementing a new capability for the ServerIron which will allow the switch to be used in a unique application, as a means of selecting links from an enterprise to two different Internet service providers. The link load balancing function measures link bandwidth and response time, and compares pricing of an ISP link as a function of time, packets and bandwidth. It then chooses the most effective link dynamically.

In smaller enterprises, separate ServerIron switches could be used for external ISP link and internal firewall balancing which is why Foundry made a smaller switch. In larger companies, one switch can serve both ISP and firewall functions, though Foundry will recommend only higher-end systems that offer more ASIC-based performance, to serve required dual functions.

Can I use a Load Balancer as a Firewall?

Load Balancers As Firewalls by Tony Bourke - 08/23/2001

In a nutshell, yes! Per Tony Bourke, using a load balancer to distribute traffic to the servers, as well as protect them, would be both financially and logistically advantageous. Most load balancers can push hundreds of Mbps worth of traffic while providing firewall functionality to a site, without any performance hit. Keep in mind that this concept may not fit everyone's needs. Some websites might have a need for a higher level of security like financial related websites.

For all the details, please see our full "Learn More" article.
