F5 Networks has been in the load-balancing business as long as anyone. It began with a router-based system, but the BIG-IP 5000 Application Switch is an entirely new product, which combines a switch-based architecture with a dual-processor Intel-based routing engine.
The switch includes 24 10/100 Ethernet ports and four Gigabit Ethernet ports. With a 16Gbps backplane and the capability to handle 40,000 real servers and 40,000 virtual IP addresses, the BIG-IP 5000 can handle the needs of a large ISP or virtually any corporate Web site, and the price is good. The feature set of the BIG-IP is broad and deep, with many different choices to suit different environments.
Installing the unit and setting up the VLANs (virtual LANs) and virtual server farm for our testing went smoothly. Even if the F5 engineer had not been there to help (on-site installation is included in the price of the device), the configuration would have been straightforward. The management interface is clear and easy to use, and requires only a browser with SSL (Secure Sockets Layer) capability.
The BIG-IP offers a wide range of load-balancing algorithms, including round robin, static ratios, fewest connections, fastest response, observed response (historical trending), and predictive. Persistence modes include source IP address, destination server, shopping cart persistence, SSL session ID persistence, cookie (which puts a cookie on the client to identify it), content affinity (which maintains sessions based on the content of the traffic), and virtual server.
Health-checking includes not only ensuring that servers respond to ping, but also that specific URLs are available or that database requests return valid data. Notification of errors, failed servers, and other problems can be sent to administrators automatically via e-mail.
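The distribution methods and persistence modes listed two paragraphs up, together with the health-check removal just described, fit in a short simulation. This is an added example in Python, not F5's code and not how the BIG-IP implements these features: the server names, client addresses, the LBSERVER cookie name and the probe that "fails" one server are all constructed for illustration, and the observed and predictive methods, which need traffic history, are left out.

```python
"""Load-balancer virtual server: pick a real server by method, honour persistence,
pull servers that fail health checks.  Added example, not F5 code; server names,
client addresses and the LBSERVER cookie name are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    ratio: int = 1        # static weight for the ratio method
    active: int = 0       # open connections, drives fewest-connections
    avg_ms: float = 0.0   # measured response time, drives fastest-response
    failures: int = 0     # consecutive failed health checks
    up: bool = True


class VirtualServer:
    def __init__(self, servers, method="round_robin", persist=None, max_failures=3):
        self.servers, self.method, self.persist = list(servers), method, persist
        self.max_failures = max_failures
        self._rr, self._cookie_seq = 0, 0
        self._sent = {s.name: 0 for s in self.servers}   # connections handed out
        self.table = {}                                  # persistence: key -> server

    def available(self):
        return [s for s in self.servers if s.up]

    def _pick(self):
        pool = self.available()
        if not pool:
            raise RuntimeError("no real server is up")
        if self.method == "round_robin":
            srv = pool[self._rr % len(pool)]
            self._rr += 1
        elif self.method == "ratio":     # server furthest below its share goes next
            srv = min(pool, key=lambda s: self._sent[s.name] / s.ratio)
        elif self.method == "fewest_connections":
            srv = min(pool, key=lambda s: s.active)
        elif self.method == "fastest":
            srv = min(pool, key=lambda s: s.avg_ms)
        else:
            raise ValueError(f"unknown method {self.method}")
        self._sent[srv.name] += 1
        return srv

    def route(self, client_ip, cookie=None):
        """Return (server name, cookie to set or None) for one client request."""
        key = client_ip if self.persist == "source_ip" else cookie
        if self.persist and key in self.table:
            bound = self.table[key]
            if any(s.name == bound and s.up for s in self.servers):
                return bound, None      # sticky: same server as last time
            del self.table[key]         # bound server is down: re-balance
        srv = self._pick()
        set_cookie = None
        if self.persist == "source_ip":
            self.table[client_ip] = srv.name
        elif self.persist == "cookie":
            self._cookie_seq += 1
            set_cookie = f"LBSERVER={self._cookie_seq}"   # hypothetical cookie name
            self.table[set_cookie] = srv.name
        return srv.name, set_cookie

    def health_check(self, probe):
        """probe(server) -> bool stands in for a ping, a GET of a known URL or a DB
        query.  A server is pulled after max_failures consecutive failures and put
        back on its first success.  Returns the names still in service."""
        for s in self.servers:
            s.failures = 0 if probe(s) else s.failures + 1
            s.up = s.failures < self.max_failures
        return [s.name for s in self.available()]


def demo_methods():
    """Eight connections at a 3:1 ratio, then fewest-connections and fastest-response
    picks on constructed load figures."""
    ratio = VirtualServer([RealServer("web1", ratio=3), RealServer("web2")], method="ratio")
    picks = [ratio.route("198.51.100.9")[0] for _ in range(8)]
    pool = [RealServer("web1", active=5, avg_ms=30.0), RealServer("web2", active=2, avg_ms=45.0),
            RealServer("web3", active=9, avg_ms=12.0)]
    return {"ratio": {n: picks.count(n) for n in ("web1", "web2")},
            "fewest": VirtualServer(pool, method="fewest_connections").route("192.0.2.1")[0],
            "fastest": VirtualServer(pool, method="fastest").route("192.0.2.1")[0]}


def demo_persistence():
    """Source-IP persistence holds until the bound server fails three checks; cookie
    persistence sets a cookie on the first reply and follows it afterwards."""
    vs = VirtualServer([RealServer(n) for n in ("web1", "web2", "web3")], persist="source_ip")
    log = [vs.route("203.0.113.1")[0], vs.route("203.0.113.2")[0], vs.route("203.0.113.1")[0]]
    for _ in range(3):                           # constructed: web2 stops answering
        live = vs.health_check(lambda s: s.name != "web2")
    log.append(vs.route("203.0.113.2")[0])       # client 2 is moved to a live server
    ck = VirtualServer([RealServer("web1"), RealServer("web2")], persist="cookie")
    first, cookie = ck.route("192.0.2.50")
    ck.route("192.0.2.51")                       # a second client takes the next slot
    again, resent = ck.route("192.0.2.50", cookie=cookie)
    return {"log": log, "live": live, "cookie": (first, cookie, again, resent)}
```

The point worth noticing is in route(): a persistence entry is honoured only while its server is still up, so a client bound to a server that has been pulled by the health check is quietly re-balanced rather than sent to a dead host, and the health check needs several consecutive failures before it acts, so one dropped probe does not empty the pool.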
The BIG-IP includes SSL acceleration, which offloads the encryption/decryption process from Web servers. The basic SSL package supports 100 SSL sessions per second, and can be upgraded to support as many as 800 sessions per second.
Redundancy includes an active/active mode as well as session state fail-over, so clients running persistent sessions through a load balancer that fails will be able to maintain their sessions when they are passed to another load balancer.
For security against intruders and DoS (denial-of-service) attacks, the BIG-IP has a number of tricks up its sleeve. It can use packet filtering to limit or deny access to and from Internet sites based on the traffic's source address, destination address, or port. It can reap idle connections to blunt DoS attacks, perform source route tracing to stop IP spoofing, and withstand SYN floods by holding no buffers for SYNs that have not yet been acknowledged. The BIG-IP can also stop teardrop and land attacks, and protect itself and the servers behind it from ICMP (Internet Control Message Protocol) attacks. Finally, it can report the attacks it detects to the administrator via e-mail.
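Three of those defences can be shown in a constructed model: a SYN cookie, which is the standard way to answer a SYN without allocating a buffer until the client's ACK proves it is real; an idle-connection reaper; and a first-match packet filter on source, destination and port. This is an added example in Python, not F5's implementation and not a claim about how the BIG-IP does it internally. The FrontEnd and PacketFilter classes, the SECRET and SLOT_SECONDS values, the addresses, the timeouts and the clock values passed in as "now" are all assumptions made so the code runs offline.

```python
"""Front-end DoS handling: a SYN cookie so no buffer is held for a SYN until the
client's ACK proves it real, an idle-connection reaper, and a packet filter on
source, destination and port.  Added example, not F5's implementation; secret,
addresses, timeouts and the clock values passed in are constructed."""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed per-boot secret"   # a real device draws this at boot
SLOT_SECONDS = 64                          # width of the cookie's time slot


def syn_cookie(src, sport, dst, dport, slot):
    """ISN for the SYN-ACK: 3 bits of time slot, 29 bits of MAC over 4-tuple and
    slot, so the handshake state rides in the packet instead of a buffer."""
    slot &= 0x7
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return (slot << 29) | (struct.unpack(">I", mac[:4])[0] & 0x1FFFFFFF)


def cookie_valid(src, sport, dst, dport, ack_num, now_slot):
    """The completing ACK must carry cookie + 1 for this 4-tuple and a slot that is
    current or one old; anything else is dropped without creating state."""
    isn = (ack_num - 1) & 0xFFFFFFFF
    for age in (0, 1):
        expect = syn_cookie(src, sport, dst, dport, (now_slot - age) & 0x7)
        if hmac.compare_digest(struct.pack(">I", expect), struct.pack(">I", isn)):
            return True
    return False


class FrontEnd:
    """Connection table for one virtual IP; the clock (`now`) is injected."""
    def __init__(self, vip, idle_timeout=30):
        self.vip, self.idle_timeout = vip, idle_timeout
        self.conns = {}       # (src, sport, dport) -> time of last activity

    def on_syn(self, src, sport, dport, now):
        """Answer a SYN with a cookie ISN and allocate nothing."""
        return syn_cookie(src, sport, self.vip, dport, now // SLOT_SECONDS)

    def on_ack(self, src, sport, dport, ack_num, now):
        """Create connection state only for an ACK carrying a valid cookie."""
        if not cookie_valid(src, sport, self.vip, dport, ack_num, now // SLOT_SECONDS):
            return False
        self.conns[(src, sport, dport)] = now
        return True

    def on_data(self, src, sport, dport, now):
        """Data refreshes an established connection; without a handshake it is dropped."""
        if (src, sport, dport) not in self.conns:
            return False
        self.conns[(src, sport, dport)] = now
        return True

    def reap_idle(self, now):
        """Drop connections silent longer than idle_timeout so dead clients free slots."""
        dead = [k for k, t in self.conns.items() if now - t > self.idle_timeout]
        for k in dead:
            del self.conns[k]
        return dead


class PacketFilter:
    """First-match rules (action, source net, destination net, port or None)."""
    def __init__(self, rules):
        self.rules = [(a, ipaddress.ip_network(s), ipaddress.ip_network(d), p)
                      for a, s, d, p in rules]

    def allows(self, src, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, sn, dn, port in self.rules:
            if s in sn and d in dn and port in (None, dport):
                return action == "allow"
        return False          # default deny


def demo():
    """Constructed scenario: filter rules, a spoofed SYN flood, handshakes, reaping."""
    pf = PacketFilter([("deny", "198.51.100.0/24", "0.0.0.0/0", None),
                       ("allow", "0.0.0.0/0", "203.0.113.10/32", 443),
                       ("allow", "0.0.0.0/0", "203.0.113.10/32", 80)])
    fe = FrontEnd("203.0.113.10")
    out = {"blocked_net": pf.allows("198.51.100.5", "203.0.113.10", 443),
           "https_ok": pf.allows("192.0.2.7", "203.0.113.10", 443),
           "telnet": pf.allows("192.0.2.7", "203.0.113.10", 23)}
    for i in range(5000):                 # flood of spoofed SYNs: no state kept
        fe.on_syn(f"192.0.2.{i % 254 + 1}", 1024 + i, 443, now=100)
    out["state_after_flood"] = len(fe.conns)
    isn = fe.on_syn("192.0.2.7", 40001, 443, now=100)     # one genuine client
    out["ack_good"] = fe.on_ack("192.0.2.7", 40001, 443, isn + 1, now=101)
    out["ack_forged"] = fe.on_ack("192.0.2.8", 40002, 443, 123456, now=101)
    out["ack_replayed"] = fe.on_ack("192.0.2.9", 40003, 443, isn + 1, now=101)
    out["ack_stale"] = fe.on_ack("192.0.2.7", 40001, 443, isn + 1, now=100 + 3 * SLOT_SECONDS)
    out["data_no_handshake"] = fe.on_data("192.0.2.9", 40003, 443, now=102)
    fe.on_data("192.0.2.7", 40001, 443, now=110)           # keepalive from the client
    out["reaped"], out["live"] = fe.reap_idle(now=150), len(fe.conns)
    return out
```

After five thousand spoofed SYNs the connection table is still empty, because nothing is stored until an ACK arrives whose acknowledgement number reproduces the MAC for that exact 4-tuple and a recent time slot; a forged, replayed or stale ACK fails that check in constant time and creates nothing. The reaper then removes the one real connection once it has been silent for longer than the idle timeout, which is what keeps slow or abandoned clients from tying up server slots.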
The BIG-IP is a high-end, mature product with a broad feature set and loads of capacity. It would be suitable for any large ISP or corporate Web site.
Scaling Web sites with load balancers
A load balancer is a network device that presents a virtual Web server which is actually a group of real servers. Traffic sent to the virtual server is distributed among the real servers in a Web farm. A load balancer lets a Web site grow across as many real servers as the device supports (40,000 in the BIG-IP 5000's case), and lets you upgrade or perform maintenance on servers without customers losing access to the site.
The first load balancers simply rotated among a group of servers, sending the next request to the next server in the group. Then load balancers evolved by sending the next request to the server handling the fewest users, or to the one that responds the fastest. This is because Web traffic is seldom uniform - 50 users on one server might produce a relatively light load if they were all viewing the home page, whereas 50 users on another server could overload it if they were all executing scripts. Load balancers also provide redundancy: if a server in the group fails or is taken down for maintenance or upgrades, the other servers in the group can take up the slack, ensuring users have continued access to the site.
The latest load balancers can also route traffic based on content, encrypt and decrypt SSL (Secure Sockets Layer) traffic, balance traffic across firewalls or multiple Internet or WAN connections, or prioritise traffic based on user or type, so that e-commerce users buying products get better service than people downloading old manuals, for example. Today's load balancers can also ensure that a client sent to a particular real server is returned to that same server for the length of an e-commerce transaction; this is known as persistence. And they can check whether real servers are operational, and remove them from the group if they crash.
The switch-based F5 system can provide the traffic-carrying capacity needed to support hundreds or even thousands of Web sites. But if you have a single Web site with a T-1 connection, switch-based device specifications such as 1 million concurrent connections or 50,000 connections per second will be meaningless, because a 1.5Mbps connection cannot carry 50,000 connections per second: even a bare 40-byte TCP SYN for each of them, with no reply and no data, comes to 16Mbps.
IT consultant Logan Harbaugh (email@example.com) is the author of two books on networking.