F5 Networks Inc. has been in the load balancing business as long as anyone. It began with a router-based system, but the BIG-IP 5000 Application Switch is an entirely new product that combines a switch-based architecture with a dual-processor Intel-based routing engine.
The switch includes 24 10/100 Ethernet ports and four Gigabit Ethernet ports. With a 16Gbps backplane and the capability to handle 40,000 real servers and 40,000 virtual IP addresses, the BIG-IP 5000 is a device that can handle the needs of a large ISP or virtually any corporate Web site, and the price is good. The feature set of the BIG-IP is broad and deep, with many different choices to suit different environments.
Installing the unit and setting up the VLANs (virtual LANs) and virtual server farm for our testing went smoothly. Even if the F5 engineer had not been there to help (on-site installation is included in the price of the device), the configuration would have been straightforward. The management interface is clear and easy to use and requires only a browser with SSL (Secure Sockets Layer) capability.
The BIG-IP offers a wide range of load-balancing algorithms, including round robin, static ratios, fewest connections, fastest response, observed response (historical trending), and predictive. Persistence modes include source IP address, destination server, shopping cart persistence, SSL session ID persistence, cookie (which puts a cookie on the client to identify it), content affinity (which maintains sessions based on the content of the traffic) and virtual server.
Health-checking includes not only ensuring that servers respond to pings, but also that specific URLs are available or that database requests return valid data. Notification of errors, failed servers and other problems can be sent to administrators automatically via e-mail.
The BIG-IP includes SSL acceleration, which off-loads the encryption/decryption process from Web servers. The basic SSL package supports 100 SSL sessions per second, and can be upgraded to support as many as 800 sessions per second.
Redundancy includes an active/active mode as well as session state fail-over, so clients running persistent sessions through a load balancer that fails will be able to maintain their sessions when they are passed to another load balancer.
For security against hackers and denial of service (DoS) attacks, the BIG-IP has a number of tricks up its sleeve. It can use packet filtering to limit or deny access to and from Internet sites based on the traffic source, destination or port. It can reap idle connections to stop DoS attacks, perform source route tracing to stop IP spoofing, and keep unacknowledged SYNs (SYN without ACK) from filling its buffers to stop SYN floods. The BIG-IP can also stop teardrop and land attacks, and protect itself and servers from Internet Control Message Protocol (ICMP) attacks. Finally, it can report all attacks to the administrator via e-mail.
The BIG-IP is a high-end, mature product with a broad feature set and loads of capacity. It would be suitable for any large ISP or corporate Web site.
Harbaugh, who writes for InfoWorld (U.S.), is the author of two books on networking. He can be contacted at logan@lharba.com.
BIG-IP 5000
Supplier: F5 Networks
Price: US$31,990
Pros: On-site installation support; very full feature set; bandwidth-handling capabilities comparable to layer-seven switches; offers the ease of use of an appliance
Cons: none