What is Application Acceleration Manager? - F5 DevCentral

uptightexampleNetworking and Communications

Oct 24, 2013

F5 User’s Group

IT agility. Your way.

Welcome!

Introductions

Please introduce yourself:

- Name
- Title
- Company
- Your role
  - Application
  - Network
  - Security
- Requests? (optional)

F5 User’s Group Meeting June 12th, 2013

NEW Agenda

- F5 Technology Update
- What’s new in 11.4
  - Application Acceleration Manager
  - Centralized Policy Matching
  - VMware View Proxy
  - VXLAN Gateway & NVGRE Gateway
  - Programmable Infrastructure
  - JavaScript and CSS Minification
- DNS Recap
- New Platforms
- F5’s role at Interop
- By the way…
- FLOWJAM
- Lunch
- Roundtable discussion

Brian Deitch, FSE

Jon Bartlett, FSE

WHAT’S NEW IN VERSION 11.4

11.0 was released in August 2011

What is Application Acceleration Manager?


- Web Accelerator Manager
- WAN Optimization Manager

- Web Accelerator optimizes your web applications and decreases page load time by anywhere from 10 to 90%
- WAN Optimization Manager optimizes network traffic and reduces latency

What happens if I already own WA or WOM?

- You will be licensed as AAM with 11.4
- Since WA and WOM are AAM, you get both features

What is Centralized Policy Matching?


Policy matching framework enables creation of flexible L7 policies:

- Centralized policy matching across BIG-IP modules
- Protocol-neutral matching for HTTP and other L7/L4 protocols
- Replaces HTTP class in v11.4

[Diagram: Centralized Policy Matching shown beneath BIG-IP Local Traffic Manager, BIG-IP Application Acceleration Manager and BIG-IP Application Security Manager]

Old: HTTP Class

New: Centralized Policy

VMware View Proxy - PCoIP Support

- Customizable TCP/IP Stack

What does this really mean?

- PCoIP Decryption and re-encryption
- Elimination of Secure Gateway Servers

Typical VMware View Deployment

[Diagram: Client, Router, BIG-IP LTM, Secure Gateway Servers, PCoIP, Connection Servers: VMware View, across DMZ and CORP zones]

Using F5 to handle PCoIP Traffic

[Diagram, Before: Client, Router, BIG-IP LTM, Secure Gateway Servers, PCoIP, Connection Servers: VMware View, across DMZ and CORP zones]

[Diagram, After: Client, Router, BIG-IP LTM + APM, Connection Servers: VMware View, across DMZ and CORP zones]

VXLAN Functionality


- Simplify the Expansion of Virtual Networks

What does this really mean?

- Apply Services across Heterogeneous Networks for Optimized Performance
- Improve Application Mobility and Business Continuity

Configuring VXLAN from the CLI


create net vlan vxlancontrol { interfaces add { 1.1 } mtu 1550 }

create net self myvtep { address 10.1.1.1/32 vlan vxlancontrol }

create net tunnels tunnel vxlan5000 { local-address 10.1.1.1 remote-address 239.0.0.1 profile vxlan key 5000 }

create net vlan legacy5000 { interfaces add { 1.2 } }

create net vlan-group vxlan5000-bridge { members add { legacy5000 vxlan5000 } }

create net self vxlan5000-defroute { address 11.1.1.254/32 vlan vxlan5000-bridge }

NVGRE Functionality


- NVGRE Gateway plugin available for Microsoft’s System Center Virtual Machine Manager on DevCentral
  - Video: http://goo.gl/jQKvE
  - Download: http://goo.gl/LfJd5
- Gateway between multiple Microsoft Hyper-V enabled virtual networks

What is Programmable Infrastructure?

[Diagram labels: Management Plane, Data Plane, Control Plane, Extensibility]

Programmable infrastructure improves IT agility to deliver your applications faster and with higher predictability.

Programmable Infrastructure

Unleashing TMOS Programmability

Generic iApps
Leverage application service objects to provide a logical container and context to your application without the need for deployment templates.

iRules
Intercept, inspect, transform, direct and make decisions based on inbound and outbound application traffic.

iApps
Define and tie all related application availability, security and optimization services to the application. Deploy these services with optimum, application-specific configurations in only a few minutes.

iControl
Realize new levels of automation and configuration management with F5’s web services enabled open.

iCall
Automate tasks to improve operations by monitoring for events and executing scripts to resolve issues quickly and predictably.

iControl REST
REST provides a modern lightweight API standard for integration preferred

Control Plane Automation
Automate BIG-IP to dynamically respond to events and perform BIG-IP configuration actions.

iRule Procedures
Build a library of functionality that can be re-used, controlled and managed in a consistent way

What’s New

iCall Examples

Local Traffic Manager

Triggered

- Run TCP Dump on an event
- Detect server errors and mark server down in a pool on excessive errors
- On Failover, generate qkview and/or ucs
- GTM Monitor weight change - Set LTM wildcard virtual server "VS Score" value based on the number of available pool members of tertiarily-related (that is, non-default to the VIP) pool.
- Re-prioritization of SharePoint nodes based on the SharePoint-reported health value that is delivered in an HTTP response.
- Automatic qkview creation upon core dump or unknown restart - Customers are frequently asked to generate qkviews for support to troubleshoot issues. To improve the chance of repro, it would be good to have an event that detects core dumps/restarts and automatically creates a qkview.

Periodic

- Generate Config Backup
- Pool Synchronization from DNS - use an iApp to accept a list of host names that will be used to populate a pool via DNS. Detect when the results of the resolution change and repopulate the pool to stay synchronized.
- Pool update on DHCP response - create a script that takes DHCP responses and adds the IPs to a pool.
- Re-prioritization of SharePoint nodes based on the SharePoint-reported health value that is delivered in an HTTP response.
- Datagroup Sync with external source

Perpetual

- Achieve application delivery optimization and enhanced productivity without the need to rewrite applications

JavaScript and CSS Minification


- Reduces overall file size

What does this really mean?

- Removes whitespace
- Removes comments

Before: 6,167 Bytes

After: 5,574 Bytes

--------------------------

Savings: 10% or 593 Bytes

DNS Recap



[Diagram: Conventional DNS Thinking. Internet, External Firewall, DNS Load Balancing, Array of DNS Servers, Internal Firewall, Hidden Master DNS, spanning DMZ and Datacenter]

[Diagram: F5 DNS Delivery Reimagined (F5 Paradigm Shift). Internet, Master DNS Infrastructure, and the functions listed below]

- DNS Firewall
- DNS DDoS Protection
- Protocol Validation
- Authoritative DNS
- Caching Resolver
- Transparent Caching
- High Performance DNSSEC
- DNSSEC Validation
- Intelligent GSLB

New platforms


TMOS versions

Platform             Versions supported
F5-BIG-LTM-5000s     v11.4
F5-BIG-LTM-5200v     v11.4
F5-BIG-LTM-7000s     v11.4
F5-BIG-LTM-7200v     v11.4
F5-BIG-LTM-10200s    v11.4

F5’s Role at Interop

Attacking the Network

- 2 BreakingPoint Firestorms w/40 Gbits each
  - Denver
  - External Edge Las Vegas
- Leveraged Capabilities
  - Client Simulation
  - Application Session Simulation
  - Security Attack Strike Lists
  - Protocol Fuzzing

Attacking the Network

Network Attack from the internet to all users at the show

- Sourced from random spoofed locations on the internet
- Destined for the attendees
- On ports identified that should be protected, i.e. Microsoft file transfers, SQL and other common vulnerabilities
- Common load 33Gbits per second
- F5 tech: AFM

DDoS attack to www.interop.com

- Sourced from 45.0.14&15.0/24 upstream over the 100Gbit link
- Destined for the Interop show’s ns server
- Common load 7Gbits per second
- Common requests: 3.5 Million per second
- F5 tech: DNS Express

DDoS attack to www.interop.com

- Sourced from 45.0.14&15.0/24 upstream over the 100Gbit link
- Destined for www.interop.com
- Common load 800Mbits per second
- Common requests: 70k per second
- Simulated bots: 30k
- F5 tech: AFM & ASM

DoS attack to www.interop.com using SQL Injection

- Sourced from 45.0.14&15.0/24 upstream over the 100Gbit link
- Destined for www.interop.com
- Common load 20Mbits per second
- F5 tech: AFM & ASM

Watch the Video

http://www.youtube.com/watch?feature=player_detailpage&v=hFpVivIqx9Q#t=59s

Attack Mitigation Technologies


- Advanced Firewall Manager (AFM)
  - Provides ACL management
  - Provides DoS Vector Protection
- DNS Express
  - High Speed Responder
- Application Security Module (ASM)
  - Signature detection
  - DDoS detection
- iRules
  - Provide custom detection and mitigation

By the way…


Other cool features in 11.4

- ASM HP WebInspect Vulnerability Scanner Integration
- AFM SIP DDoS protection
- APM local user DB
- APM Citrix Traffic Shaping
- AAM Forward Error Correction
- vCMP Flexible Allocation
- Heterogeneous Failover Groups
- Enhanced sFlow
  - http://blog.sflow.com/2013/06/f5-big-ip-ltm-and-tmos-1140.html
- SSL Elliptic Curve Cryptography
- ProxyPass via Rewrite profiles

Thank You!

Please fill out a survey