I’ve worked with BIGIP F5 hardware for over two years now, and have become quite familiar with the great features it provides. For those who are unfamiliar with BIGIP F5 hardware, F5 is a network hardware company specializing in load balancing at both the local and global layers of an enterprise’s network infrastructure. Their website is located here.
The BIGIP F5 product family consists of many different components; however, the two major ones most network engineers are familiar with are the Local Traffic Manager (LTM) and the Global Traffic Manager (GTM). Both are rack-mountable network load balancers.
The GTM is used as an “Intelligent DNS” server, handling DNS resolution based on intelligent monitors and F5’s own iQuery protocol, which it uses to communicate with other BIGIP F5 devices. It sits at the top level of a data center, especially in multi-data-center infrastructures, and decides where to resolve requesting traffic to. The GTM also includes other advanced features, such as DNSSEC and intelligent resolution based on many different algorithms.
The LTM is a full reverse proxy, handling connections from clients. The F5 LTM uses Virtual Services (VSs) and Virtual IPs (VIPs) to configure a load balancing setup for a service. LTMs can handle load balancing in two ways: the first is an nPath configuration, and the second is a Secure Network Address Translation (SNAT) method.
With nPath, the F5 does the job of load balancing by intelligently deciding which server endpoint to pass traffic to; nPath, however, bypasses the F5 in the return path. For example, you have two servers, 192.168.0.10 and 192.168.0.11, and an F5 listening for this particular setup on VIP 172.16.0.2. When traffic from a client destined for 172.16.0.2 hits the F5, the F5 intelligently passes it to either 192.168.0.10 or 192.168.0.11. The tricky part is that when the traffic leaves the F5 for either server, the IP packet’s source address is that of the F5. Therefore each server must have a loopback address configured that matches the F5’s source IP address on the interface (on the F5) the original packet leaves from, in this example 172.16.0.2. This prevents each server endpoint from sending the response back to the F5 directly and forces the server to use its gateway of last resort.
Secure Network Address Translation (SNAT) is the more common BIGIP F5 implementation. In this scenario the F5 is configured essentially as a reverse-proxy server. Think many-to-one. Clients target Virtual IPs that sit in front of a pool of endpoint servers. However, the client never sees behind the VIP; from their perspective the VIP is the server they are requesting. For example, you have a VIP 192.168.0.55 that routes to an F5 that is listening for requests destined for that IP. The F5 has a configuration in place that knows four server endpoints that can serve requests destined for that IP: 10.0.0.5, 10.0.0.6, 10.0.0.6, 10.0.0.7. When a request comes from a client to the VIP, the F5 acts as the server for the client. In the back end the F5 acts as a client, sending the identical request to one of the four endpoint servers. The response is then proxied back from the F5 to the “real” client.
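To make the difference between the two LTM data paths above concrete, here is an added example (my own toy model, not F5 code) that traces the packets a client, the F5 and a pool member exchange under nPath and under SNAT. It reuses the VIP, server and pool addresses from the post; the client address 203.0.113.9, the SNAT address 10.0.0.1, the health table and the round-robin picker are assumptions made for the illustration.

```python
"""Toy model of the two LTM data paths the post describes, nPath and SNAT.

Added example, not F5 code. The VIPs, server and pool addresses are the ones
used in the post; the client address, the health table, the round-robin
picker and the SNAT address 10.0.0.1 are constructed for the illustration.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str      # IP source address
    dst: str      # IP destination address
    sent_by: str  # which box emitted the packet (trace label only)


class Pool:
    """Round-robin over pool members, skipping any the monitor has marked down."""

    def __init__(self, members: List[str], health: Dict[str, bool]):
        self.members = members
        self.health = health
        self._rr = cycle(members)

    def pick(self) -> str:
        for _ in range(len(self.members)):
            member = next(self._rr)
            if self.health.get(member, False):
                return member
        raise RuntimeError("no healthy pool members")


def npath_exchange(client: str, vip: str, pool: Pool,
                   loopbacks: Dict[str, str]) -> List[Packet]:
    """nPath: the F5 picks a member but does not rewrite the IP header.

    The packet still reads client -> VIP when it reaches the member, which
    accepts it only because the VIP is bound to its loopback. The member then
    answers the client directly, through its own gateway of last resort, with
    the VIP as source, so the F5 never sees the return traffic.
    """
    member = pool.pick()
    if loopbacks.get(member) != vip:
        raise RuntimeError(f"{member} has no loopback for {vip}; it would drop the packet")
    return [
        Packet(client, vip, "client"),   # client -> VIP, arrives at the F5
        Packet(client, vip, "f5"),       # same L3 header, handed to the chosen member
        Packet(vip, client, member),     # reply goes straight back to the client
    ]


def snat_exchange(client: str, vip: str, pool: Pool, snat_ip: str) -> List[Packet]:
    """SNAT (full proxy): two connections, one on each side of the F5.

    The F5 answers the client as the VIP and opens its own connection to the
    member from the SNAT address. The member only ever sees the F5 as its
    client, and the reply comes back through the F5, which re-sources it.
    """
    member = pool.pick()
    return [
        Packet(client, vip, "client"),    # client side: client -> VIP
        Packet(snat_ip, member, "f5"),    # server side: F5 -> member, client IP hidden
        Packet(member, snat_ip, member),  # reply returns to the F5, not the client
        Packet(vip, client, "f5"),        # proxied back to the client as the VIP
    ]


def backend_sees_client_ip(trace: List[Packet]) -> bool:
    """True if the packet that reaches the member still carries the client's
    address. With SNAT it does not, which is why the server logs show the F5
    and why an X-Forwarded-For header is usually inserted on the VIP."""
    return trace[0].src == trace[1].src


def demo() -> None:
    client = "203.0.113.9"  # constructed client address
    # nPath example from the post: servers behind VIP 172.16.0.2, VIP on loopback
    npath_pool = Pool(["192.168.0.10", "192.168.0.11"],
                      {"192.168.0.10": True, "192.168.0.11": True})
    loopbacks = {"192.168.0.10": "172.16.0.2", "192.168.0.11": "172.16.0.2"}
    for p in npath_exchange(client, "172.16.0.2", npath_pool, loopbacks):
        print("npath", p)
    # SNAT example from the post: VIP 192.168.0.55 in front of the 10.0.0.x pool
    snat_pool = Pool(["10.0.0.5", "10.0.0.6", "10.0.0.7"],
                     {"10.0.0.5": True, "10.0.0.6": False, "10.0.0.7": True})
    for p in snat_exchange(client, "192.168.0.55", snat_pool, "10.0.0.1"):
        print("snat ", p)


if __name__ == "__main__":
    demo()
```

The two traces show the operational trade-off: under nPath the member keeps the real client address but the F5 never sees the response, so nothing on the return path can be inspected or rewritten by the LTM; under SNAT the F5 sees both directions, but the member's logs record the F5's address unless the VIP inserts the client address in a header. The `loopbacks` check also shows why the loopback configuration the post calls out is mandatory: without the VIP on the member's loopback, the nPath packet is simply dropped.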
Tying them together.
GTMs and LTMs used in conjunction with each other provide a robust, resilient, and network-optimized environment. This is especially true when dealing with multiple Data Centers or Service Sites. The GTMs handle the initial network path selection by resolving clients to the best route option. The LTMs handle the load optimization of the service by logically proxying the endpoint servers.
Below is a diagram of a typical GTM/LTM setup. In this example there are two Data Centers; the GTM sits at the front of the Data Centers and hands out the VIP that will handle the client’s request. The LTMs are localized in each Data Center (they don’t have to be :-p) in a High Availability pair. The LTMs reverse proxy the client’s connections to the actual server endpoint.
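As an added example of the two-Data-Center setup just described (my own toy model, not F5 code), the following shows the GTM side of the decision: a query for one hostname is answered with the VIP of a Data Center whose LTM reports the VIP up, preferring the site closest to the client and falling back to the other site when the preferred VIP is down. The hostname, the two VIPs, the topology rules and the sequence of health reports are all constructed; the "topology then availability" rule is one illustration of the "best route option" the post mentions, not the only algorithm a GTM offers.

```python
"""Toy model of the GTM/LTM split the post describes: the GTM answers DNS with
the VIP of a data center whose LTM reports the service up, and the LTM behind
that VIP does the proxying. Added example, not F5 code; the hostname, the two
VIPs, the topology rules and the health reports are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# One VIP per data center for the wide IP www.example.com (constructed values).
SITES: Dict[str, str] = {"dc1": "192.168.0.55", "dc2": "192.168.1.55"}

# Topology rule (constructed): clients from these prefixes prefer the named site.
TOPOLOGY: List[Tuple[str, str]] = [("10.0.0.0/8", "dc1"), ("172.16.0.0/12", "dc2")]


def preferred_order(client_ip: str) -> List[str]:
    """Data centers in the order the GTM should try them for this client:
    the topology match first, then the remaining sites as fallback."""
    addr = ip_address(client_ip)
    preferred = [dc for net, dc in TOPOLOGY if addr in ip_network(net)]
    return preferred + [dc for dc in SITES if dc not in preferred]


def resolve(client_ip: str, vip_up: Dict[str, bool]) -> Optional[Tuple[str, str]]:
    """Answer a query for the wide IP with (data center, VIP).

    vip_up is the availability each LTM reports for its VIP (iQuery carries
    this in a real deployment). The first preferred site whose VIP is up wins;
    None means every site is down and the GTM would fall back to whatever
    last-resort behaviour is configured.
    """
    for dc in preferred_order(client_ip):
        vip = SITES[dc]
        if vip_up.get(vip, False):
            return dc, vip
    return None


def answers_over_time(client_ip: str,
                      reports: List[Dict[str, bool]]) -> List[Optional[str]]:
    """Resolve the same client against a sequence of health reports and return
    the VIP handed out each time, which shows the failover and failback."""
    out: List[Optional[str]] = []
    for report in reports:
        hit = resolve(client_ip, report)
        out.append(hit[1] if hit else None)
    return out


if __name__ == "__main__":
    timeline = [
        {"192.168.0.55": True, "192.168.1.55": True},    # both sites healthy
        {"192.168.0.55": False, "192.168.1.55": True},   # dc1 VIP goes down
        {"192.168.0.55": False, "192.168.1.55": False},  # everything down
        {"192.168.0.55": True, "192.168.1.55": True},    # dc1 recovers
    ]
    print("dc1 client:", answers_over_time("10.1.2.3", timeline))
    print("dc2 client:", answers_over_time("172.20.0.9", timeline))
```

Once the GTM has handed out a VIP, the LTM behind it does the proxying exactly as in the single-site case; the DNS record's TTL is what bounds how long a client keeps using a VIP after its site has gone down, so short TTLs on wide IPs are part of making the failover above actually reach clients quickly.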
Can you take an F5 1500 and load it with either the LTM software or GTM software? Will it take both?
Hi Edwin. I know for the 1600 series you may run either LTM or GTM. However, it is not a question of loading the software; it is more of a licensing issue that “unlocks” either feature from the base build. At least that has been my experience with it. I believe also that the GTM license is more $$, so… Let me know if you get it to work.
Cheers!
Hi,
Can you show how to configure a pool of addresses for a node, for instance different web servers? Can you discuss the process of how to do it?
Thanks.
vrian
Hi, can you throw some light on how the GTM/LTM combination can be used for a unified communication setup with 25000 users on MS Exchange 2013.
F5 2000s, 5 boxes: 2 GTM and 3 LTM. 1 GTM + 2 LTM in HA at the DC site and 1 GTM and 1 LTM at the DR site.
How can we use the 2 LTMs in active-active mode to distribute the reverse proxy load?
Can we use GTM for reverse proxy?
What is the number of concurrent users that an LTM/GTM 2000s can handle?
Rajesh, according to the latest BIG-IP product datasheet your 2000s can handle over 200K L7 requests per second and 75K+ connections; see here: http://www.f5.com/pdf/products/big-ip-platforms-datasheet.pdf
Hi, can anyone tell me whether the Big-IP F5 load balancer is both a server and link load balancer?
I guess it depends on your definition. However, I would define it as an application delivery appliance. Its main function is to load balance application data and deliver it to clients.
Hi, thanks for such valuable information. I am new to F5 technology. We have F5 models C103 and C62A in our DC, which are being used as load balancers, and ISA as reverse proxy. Now we want to remove the ISA proxy and use the existing F5 devices as reverse proxy as well. Can you help with what needs to be checked with respect to licences on the F5 devices, or any other check, before I proceed.
Regards,
Giri
Hi Giri, I apologize for the late reply… So you have a pair of 3600s and 3400s? Is your ISA acting strictly as a reverse proxy? Migrating to your F5s should be fairly straightforward. Consider any special configurations from the ISA that you want to bring forward, such as SSL offloading, redirects, etc. Curious, do you use the F5s currently as LTM or GTM load balancers? What version are you running, 9.x? 10.x? 11.x? You will need an LTM license to achieve full reverse proxy load balancing as well as high availability.
Hi, at present C103 is running 3600 and C62A is running 3400. ISA is acting as a straight reverse proxy. Currently we are using them as GTM load balancers. On C62A we have 9.x and on C103 we have 10.x.
Can you please let me know how to check on these two devices whether we have LTM licences or not, as they are a pretty old setup.
Sure thing! For Version 9.x I’m a bit rusty, but in Version 10.x it will be under System –> Resource Provisioning. Look for Local Traffic (LTM) under Resource Provisioning (Licensed Modules).
You can also check what modules you have available under System –> License. This will show you all the modules you have a license for. LTM is “LTM, Base”.
How do GTM and BIND work together? More specifically, I have a GTM set up and am working on an upgrade from 10.2.4 to 11.5.1, so prior to upgrading, F5 suggests that we check the BIND configuration by issuing the following command:
named-checkconf -t /var/named -z -j /config/named.conf
I noticed that it has the device name as an error and the error is zone company.com/IN: NS ‘hostname.company.com’ has no address records (A or AAAA)
I know how to resolve this issue, but how does this address get into bind? I can’t seem to figure that out. Any help would be appreciated.
Hi Wallace,
The GTM module is practically built from BIND. BIND is an open-source DNS service application. The reason I state this is that the configuration file on the GTM is strictly similar to that of a standard BIND server.
How they work together… Are you asking how you can use GTM in conjunction with an already existing BIND infrastructure? If so, you could use either GTM or BIND to be authoritative. I would recommend the GTM due to the healthcheck mechanisms. Also, you could configure BIND to be your DNS forwarder in your environment.
The ZoneRunner process maintains zone information.
-Jim
Hi Jim, we have an LTM licence; I checked in the path provided by you. So can I now migrate my ISA reverse proxy to F5, or do I still need to check some other parameter? Please suggest. Also, as of now the F5 (which is used as LB) has CPU utilization of 45%.
Hi Giri,
With the LTM license you will be able to convert your ISA reverse proxy environment to F5 fairly easily, as both perform similar functionality. I do not know the inner workings of your setup, but typically you would start with verifying that the IP addressing on the F5 can reach your server farms. After that, you could create a Pool with the servers in it. Apply the appropriate healthcheck mechanism and verify connectivity. Lastly, you would create the Virtual Server and define a port 80 instance. I hope that helps.
As for the high CPU utilization, have you upgraded to 10.x or 11.x? Check the dashboard function under Statistics on the active unit to get a better idea of what is going on.
-Jim
So now I can use my existing F5 LB as reverse proxy as well. Wow! Single device, twin purpose solved. Thanks Jim for sharing your experience. If you have any document on how to do capacity planning/sizing of F5, please share.
So… if I use a Squid Web Proxy for the internal clients and an Apache Reverse Proxy to make my web servers available externally, why would I need an LTM? Is there a benefit to creating an environment with an F5 LTM or GTM load balancer if we have these open source apps stood up?
You still won’t have the benefits of F5’s iRule feature, or hardware acceleration for SSL 2048-bit+. So if you have fewer than 20 sites I’d say open source should work for you. I know, I’ve implemented it that way in very small environments. But I’ve seen environments with over 1200 VIPs, some web, some non-web, SSL, iRules, multiple Data Center high availability DNS via GTM, etc. This is the closest I’ve gotten to an open source solution for LTM, not GTM.
This post is explained beautifully. Thank you very much.
This post is awesome. Can you please post a video lecture on how the total workflow happens to load balance, like a user hits a request, it hits the GTM, then the company firewall or company DMZ segment, and then one DC and then the LTM.
The total workflow, like where NAT happens and all things.
Thank you
Tushar naik
+91 9594475100
Hi Tushar, let me see if I can put something together. Do you have a particular scenario you are trying to solve? What I have above in this article is a typical deployment, but you can change it to suit your needs.