That's right--a switch. Designed by F5 from the ground up, this IP application switch marries Layer 2/3 switching with the latest Big-IP software, version 4.1, providing a robust, flexible switching environment well suited for enterprise and service providers alike. Featuring 24 ports of 10/100 Fast Ethernet and four ports of Gigabit Ethernet, coupled with more processing power and memory for load-balancing and on-board SSL (Secure Sockets Layer) functions, the Big-IP 5000 is an excellent debut into the switch "plus" market for F5.
The Big-IP platform has changed considerably since the last time we examined it. Version 4.0 introduced virtual private networking and ISP load-balancing, TCP multiplexing and iControl: a SOAP (Simple Object Access Protocol) XML (Extensible Markup Language) and/or CORBA (Common Object Request Broker Architecture)-based API that offers the ability to control other F5 and non-F5 devices and be controlled by them. F5 also has added a redesigned GUI complete with configuration wizards for load-balancing, server-health monitoring and first-time setup. Version 4.1 offers new SSL-based features in addition to the new switch platform.
We looked at the Big-IP 5000 in our Real-World Labs® in Green Bay, Wis., and liked what we saw. Associate technology editor Steven Schuchart put the Layer 2/3 features of the switch through their performance paces and gave them a thumbs up. All the expected Layer 2/3 functionality is available--full VLAN (virtual LAN) support (802.1q, 802.1p and 802.3ad) and port mirroring, as well as wire-speed switching and routing. We examined the new GUI features and tested the content-aware aspects of the latest version of the OS. In particular, we admired the GUI features that offer assistance in building rule sets as well as the capability to use Layer 7 rules on any IP-based traffic, not just load-balanced traffic.
The 'Switchness' of the BIG-IP
All the Big-IP 5000's features can be managed via the CLI (command-line interface)--SSH (Secure Shell) or console--or the GUI. Using Spirent Communications SmartBits, we put the Big-IP 5000 through some standard switching performance tests to verify its wire-speed claims. A fully-meshed test with all 24 Fast Ethernet ports proved that the product was up to the task; it took all the traffic and passed it through without losing a single packet.
While SmartBits was pounding on the switch, we still were able to configure other features of the Big-IP 5000 via the GUI. The device remained responsive during all our tests, both from the GUI and the CLI. We tested the product's combined switching and load-balancing functionality. We configured three VLANs, one each for the Caw Networks WebAvalanche and WebReflector and one for administration. After assigning an IP address to each VLAN, we configured the Big-IP to route between them so we could test the switch's load-balancing capabilities.
"Intercept, inspect, transform, direct" is an F5 marketing slogan, and the Big-IP 5000 lives up to it. After first configuring the WebReflector to act as three Web servers, we added them to a single pool, or cluster, via the Big-IP GUI. We then set up a VIP (Virtual IP) and began hammering the new "site" with traffic from the WebReflector. Performance was excellent; we maxed out the WebAvalanche by directing an average of 10,000 requests per second, which the Big-IP 5000 handled flawlessly.
We then configured the VIP with a new rule set, one that watched expressly for requests of the kind sent by CodeRed and dropped those packets completely. We reset the WebAvalanche to send half its requests for default.ida and half for index.html. Again, all went well.
Vendor Information
BIG-IP 5000, base model priced at $31,990 for a single unit, $57,990 for a redundant pair. Available: Now. F5 Networks, (206) 272-5555, (888) 88BIGIP; fax (206) 272-5556. info@f5.com or www.F5.com
There's more: Not only can the Big-IP 5000 stop malicious traffic destined for Web servers, it can stop any malicious traffic entering or leaving the switch. By specifying "any address/any port" as the destination for a rule set, you can direct the switch to intercept all traffic and examine the data payload, discarding any traffic that meets the criteria specified by the rule. A great little wizard assists in building rules in F5's "C"-like rule-set syntax. This mechanism can stop all potentially hazardous traffic from getting near your Web servers or e-mail clients.
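As an added illustration (not F5's rule syntax and not code from this review), the following Python sketch models the kind of content-aware rule used in the CodeRed test: inspect each request, discard anything asking for the .ida mapping, and otherwise load-balance across a three-server pool. The pool addresses, function names and sample request lines are constructed assumptions.

```python
from itertools import cycle
from urllib.parse import unquote, urlsplit

# Assumed addresses standing in for the three pool members.
POOL = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
# CodeRed requested /default.ida, the IIS Indexing Service mapping.
BLOCKED_EXTENSIONS = (".ida",)

# Constructed sample request lines (query strings shortened).
SAMPLE = [
    "GET /index.html HTTP/1.0",
    "GET /default.ida?NNNNNNNN HTTP/1.0",
    "GET /DEFAULT.%69da?NNNN HTTP/1.0",   # case and percent-encoding variant
    "GET /index.html HTTP/1.0",
]

def request_path(request_line):
    """Return the normalised URL path, or None if the line is malformed."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    path = urlsplit(parts[1]).path
    # Decode repeatedly so double-encoding cannot hide the extension.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()

def make_rule(pool):
    """Build a rule: discard blocked or malformed requests, else round-robin."""
    members = cycle(pool)
    def rule(request_line):
        path = request_path(request_line)
        if path is None or path.endswith(BLOCKED_EXTENSIONS):
            return ("discard", None)
        return ("forward", next(members))
    return rule

def evaluate(lines, pool=POOL):
    """Apply a fresh rule to each request line and return the verdicts."""
    rule = make_rule(pool)
    return [rule(line) for line in lines]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(verdict, line)
```

Matching on the normalised path rather than the raw request line is what keeps case changes and percent-encoding from slipping past the rule; discarding malformed request lines is a design choice of this sketch.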
Big-IP 4.1 software also includes on-board SSL (provided via a Broadcom Corp. chipset) that can handle up to 100 TPS (transactions per second). The number of TPS supported can be upgraded to 400 or 800 via a license for $3,000 or $7,000, respectively. That's less than $10 per TPS--below the industry average. The on-board SSL and deep inspection of packets also give the Big-IP the capability to re-encrypt terminated SSL sessions to the back end--a necessity for financial and health-care industries. To help performance in these situations, the SSL sessions can be multiplexed to the secured back-end Web servers. Client certificate authentication is available, as is the capability to include the client certificate in the data payload for authentication by back-end systems.
With all its new features and its new platform, the Big-IP 5000 is an excellent choice for an edge switch, as well as for handling load-balancing chores. Its flexibility and rich feature set, coupled with a competitive price, offer a well-balanced product able to fit into any network infrastructure and provide significant value for multiple services.
Technology editor Lori MacVittie has been a software developer and a network administrator. Most recently, she was a member of the technical architecture team for a global transportation and logistics organization. Send your comments on this article to her at lmacvittie@nwc.com.