
Hardware and software-oriented approaches to network traffic
Forget unlimited bandwidth, forget port density - let's talk about
adding intelligence to the network in the form of Layer 7 traffic
management.
This is not about the Simple Network Management Protocol (SNMP) and device
management, but rather about controlling network traffic flows,
changing packet contents, reserving bandwidth on demand and many
more on-the-fly activities. This is where networking gets
intelligent and programmable and it presents you with a choice. F5
has proposed a classic hardware-oriented approach, whereas Zeus has
offered the option of a software-only design to run on Linux or
Unix platforms or a hardware appliance format.
Revolution - not evolution - is long overdue in networking, yet it
need not be bloody. We have a situation where, with the kind of
capabilities now on offer, it is possible to completely re-engineer
the network, but over as long a period of time as you need.
This approach to traffic management provides us with endless real
applications, such as a true migration toolkit, whether that be
with respect to IPv6, moving between enterprise software
applications, changing authentication servers and services or any
scenario where a change for the better should be made, but
previously would have been too painful, in terms of time and cost,
to consider.
F5 Networks V9 Big-IP 6800
F5 was one of the early specialists in the L4-L7 traffic management
market with its Big-IP range of devices. What started life as
essentially a gateway product has since progressed through two
effective transformations to the product range we see now - the V9
range - a completely re-architected version of its still available
V4.5 product line-up.
So what is new? Well, everything. Even the management GUI - always
one of our favourite features - has been completely updated to cope
with the mass of new features you can configure. And there are
plenty.
The range starts with the Big-IP 1500, leading to the 6800 top-end
product we are focusing on here. All have the same basic feature
set in common, but lower down the range some features come as
optional extras. For the first time, F5 has added compression to
its Big-IPs, something that its competition has had in place for
some time.
But F5 has not stopped there. Another new feature with V9 is Rate
Shaping, which allows for traffic limiting, prioritisation and
borrowing for maintaining enough bandwidth and fast service for
high-priority applications and traffic. One problem for servers is
that their load is often increased because they must handle many
clients concurrently, each at different speeds. So with V9, F5 has
introduced Content Spooling to the Big-IP system, which enables it
to accept and buffer the complete server response, allowing the
server to free the associated resources immediately.
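The three behaviours the review lists for Rate Shaping (limiting, prioritisation and borrowing) can be modelled in a few lines. The following is an added example, not F5 code: each traffic class has a guaranteed rate it can always use, and whatever the link has left over is lent to classes that still have demand, highest priority first. The class names, rates and demands are constructed for the example.

```python
"""Added example (not F5 code): a simplified priority-class rate shaper.

Step 1 gives every class min(demand, guarantee)  -> limiting.
Step 2 lends the leftover link capacity, including unused guarantees,
to classes with remaining demand in priority order -> prioritisation
and borrowing, so bulk traffic never starves a high-priority application.
Class names, rates and demands are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class ShapingClass:
    name: str
    priority: int           # lower number = served first when borrowing
    guaranteed_kbps: int    # bandwidth this class is always allowed
    demand_kbps: int = 0    # how much the class wants to send this interval
    allocated_kbps: int = field(default=0, init=False)


def shape(link_kbps: int, classes: list[ShapingClass]) -> dict[str, int]:
    """Allocate one interval's bandwidth across classes; returns kbps per class."""
    total_guarantee = sum(c.guaranteed_kbps for c in classes)
    if total_guarantee > link_kbps:
        raise ValueError("guarantees oversubscribe the link")

    # Step 1: every class gets what it is guaranteed, capped by its demand.
    for c in classes:
        c.allocated_kbps = min(c.demand_kbps, c.guaranteed_kbps)
    spare = link_kbps - sum(c.allocated_kbps for c in classes)

    # Step 2: lend the spare capacity in priority order.
    for c in sorted(classes, key=lambda c: c.priority):
        want = c.demand_kbps - c.allocated_kbps
        borrow = min(want, spare)
        c.allocated_kbps += borrow
        spare -= borrow
        if spare == 0:
            break
    return {c.name: c.allocated_kbps for c in classes}


def demo(erp_demand: int = 7000) -> dict[str, int]:
    """Constructed scenario: a 10 Mbps link where ERP traffic is top priority."""
    classes = [
        ShapingClass("erp", priority=0, guaranteed_kbps=4000, demand_kbps=erp_demand),
        ShapingClass("web", priority=1, guaranteed_kbps=3000, demand_kbps=2000),
        ShapingClass("backup", priority=2, guaranteed_kbps=1000, demand_kbps=9000),
    ]
    return shape(10_000, classes)


if __name__ == "__main__":
    print(demo())         # ERP borrows the spare 3 Mbps
    print(demo(4000))     # ERP is satisfied, so backup gets to borrow instead
```

With ERP demanding 7 Mbps the spare capacity goes to it and backup stays at its 1 Mbps guarantee; when ERP only needs its guarantee, the same spare capacity is lent to backup instead.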
The Big-IP device delivers the data to the client as fast as it can
receive it. This allows the server to send data at its optimum rate
and the client receives data at its optimum rate.
The Big-IP can convert IPv6 client traffic to IPv4 node traffic and
back to IPv4 client traffic (and vice versa). It allows you to mix
IPv6 and IPv4 nodes in the same pool. You can also have both an
IPv6 and IPv4 virtual server direct traffic to that pool, ideal for
migration scenarios.
Another addition is response error handling. With V9, the Big-IP
device can look at any server response code such as standard 404
errors, or custom server errors such as 900 errors, and make
decisions based on observing server responses. Businesses can use
the iRules scripting language, which F5 has carried over and further
developed from the previous architecture, to customise the actions to
be taken, such as redirecting the request to another location or
re-load-balancing the request back to the pool, to servers with valid
content.
This resolves the common problem of leaving many legitimate users
directed to a resource that has been down for several minutes. The
software creates an observed monitoring capability that can see all
errors and take corrective action to redistribute requests before
that error is transmitted to a user.
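The "observed monitoring" described above boils down to three steps: watch the status code of every server response, take a member that keeps returning errors out of rotation, and re-balance the request to another member before the error reaches the client. The block below is an added example in plain Python, not an F5 iRule; the pool members, the set of status codes treated as failures (including the custom 900 the review mentions) and the fake backend are constructed for the example.

```python
"""Added example (not F5 code): response-error handling on a server pool.

A round-robin pool watches the status code of every response. A member
that returns error codes `error_threshold` times in a row is marked down,
and a request that drew an error is re-sent to another member so the
client only sees an error when every healthy member produced one.
Members, error codes and the fake backend are constructed for the example.
"""
from collections import deque
from typing import Callable, Optional, Tuple

Response = Tuple[int, bytes]            # (status code, body) from a member
SendFn = Callable[[str, str], Response]  # send(member, path) -> Response


class ObservedPool:
    """Round-robin pool whose members are watched through their responses."""

    def __init__(self, members, error_threshold=3,
                 error_codes=(404, 500, 502, 503, 900)):
        self.members = list(members)
        self.ring = deque(self.members)       # round-robin order
        self.errors = {m: 0 for m in members}  # consecutive error count
        self.down = set()
        self.error_threshold = error_threshold
        self.error_codes = set(error_codes)   # responses treated as failures

    def next_member(self) -> Optional[str]:
        """Next healthy member in round-robin order, or None if all are down."""
        for _ in range(len(self.ring)):
            m = self.ring[0]
            self.ring.rotate(-1)
            if m not in self.down:
                return m
        return None

    def observe(self, member: str, status: int) -> None:
        """Observed monitoring: repeated error responses take a member out."""
        if status in self.error_codes:
            self.errors[member] += 1
            if self.errors[member] >= self.error_threshold:
                self.down.add(member)
        else:
            self.errors[member] = 0

    def handle(self, path: str, send: SendFn) -> Tuple[Optional[str], Response]:
        """Forward a request; on an error response re-balance to another member.

        Returns (member that answered, response); member is None when every
        healthy member failed, in which case the last error is returned.
        """
        tried = set()
        last: Response = (503, b"no healthy members")
        while len(tried) < len(self.members):
            m = self.next_member()
            if m is None or m in tried:
                break
            tried.add(m)
            status, body = send(m, path)
            self.observe(m, status)
            if status not in self.error_codes:
                return m, (status, body)
            last = (status, body)
        return None, last


def fake_send(member: str, path: str) -> Response:
    """Constructed backend: web2 serves stale content and answers 404."""
    if member == "web2":
        return 404, b"not found"
    return 200, b"<html>ok</html>"


def demo(requests: int = 8) -> Tuple[ObservedPool, list]:
    pool = ObservedPool(["web1", "web2", "web3"])
    results = [pool.handle("/index.html", fake_send) for _ in range(requests)]
    return pool, results


if __name__ == "__main__":
    pool, results = demo()
    for member, (status, _) in results:
        print(member, status)
    print("down:", pool.down)
```

In the constructed run every client request is answered with a 200 even though web2 fails each time it is tried, and after three observed errors web2 is no longer offered requests at all.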
And so the list of new or improved features goes on. Security-wise,
two interesting additions are protocol sanitisation and resource
cloaking. The former is achieved by the Big-IP acting as an
application proxy to protect against various denial of service
attacks and all other forms of unanticipated malformed packets by
default. It can detect and block any attack using iRules.
So what is resource cloaking? Well, there is a lot - repeat, a lot
- of information about your network passing across the internet in
HTTP headers, and that information is valuable reconnaissance for
an attacker.
To nullify this, the Big-IP can be configured to block response
headers or portions of the headers which contain information about
a web server, for example, important libraries or the language an
application was written in. Most users do not want to broadcast
they are using IIS or Apache servers, yet typically this kind of
information is present in a server header. With Big-IP you can hide
this information during a transfer.
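What "hiding this information during a transfer" amounts to is a filter on the response headers before they leave the proxy. The block below is an added example in plain Python, not F5 code: it drops headers that only exist to advertise the platform and either replaces the Server header with a generic value or trims it to the bare product token. The block-list, the replacement value and the sample response are constructed for the example.

```python
"""Added example (not F5 code): resource cloaking on HTTP response headers.

cloak_headers() works on a parsed header list; cloak_response() applies
it to a raw HTTP response head so the body and status line pass through
untouched. The header block-list, the generic Server value and SAMPLE
are constructed for this example.
"""
import re

# Headers whose only job is to reveal the platform behind the proxy.
REMOVE = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
          "x-runtime", "x-generator"}
SERVER_REPLACEMENT = "web"          # constructed generic value
_VERSION = re.compile(r"[/ ].*$")   # "Apache/2.4.41 (Ubuntu)" -> "Apache"


def cloak_headers(headers, server_value=SERVER_REPLACEMENT, keep_product=False):
    """Return a new (name, value) list with identifying headers removed.

    Header names are matched case-insensitively but preserved as sent.
    With keep_product=True the Server header keeps its product token and
    loses the version and OS details; otherwise it is replaced outright.
    """
    out = []
    for name, value in headers:
        key = name.lower()
        if key in REMOVE:
            continue
        if key == "server":
            value = _VERSION.sub("", value) if keep_product else server_value
        out.append((name, value))
    return out


def cloak_response(raw: bytes, **kw) -> bytes:
    """Apply cloak_headers() to a raw HTTP/1.x response (head + body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = [h.split(":", 1) for h in header_lines if ":" in h]
    headers = [(n.strip(), v.strip()) for n, v in headers]
    cloaked = cloak_headers(headers, **kw)
    new_head = "\r\n".join([status_line] + [f"{n}: {v}" for n, v in cloaked])
    return new_head.encode("latin-1") + sep + body


# Constructed sample response from an origin that advertises its stack.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache/2.4.41 (Ubuntu)\r\n"
          b"X-Powered-By: PHP/7.4.3\r\n"
          b"Content-Type: text/html\r\n"
          b"Content-Length: 5\r\n"
          b"\r\n"
          b"hello")

if __name__ == "__main__":
    print(cloak_response(SAMPLE).decode("latin-1"))
```

Note that this only hides what the headers say; response bodies, error pages and cookie names can still fingerprint a platform, so cloaking is a reduction of casual reconnaissance rather than a substitute for patching.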
The re-architecting of the product range has not only brought a
load of new features but also a massive increase in performance,
said F5. So we put it to the test with the 6800 model, creating a
huge test bed and plan covering more than 150 tests, many based on
direct feedback from F5 customers, asking what they would like to
see the product achieve.
One area where F5 was making very bold claims was in Secure Sockets
Layer (SSL) transaction handling. This is where the L7 device
terminates the SSL sessions itself, relieving the servers behind it
of that duty - one that kills server processes stone dead. Prior to
this testing, anything we have seen that achieves 5,000tps
(transactions per second) has been given a large nod of
approval.
However, the 6800 in a test set-up with no SSL session ID reuse
(not real-world but easily the toughest test for the device)
recorded 16,494tps. With a more realistic 10-session ID re-use set,
that figure rose to 23,533tps. These are big numbers and come
courtesy of dedicated ASICs (chips that accelerate specific
functions) within the box.
Across all the tests we ran, performance was outstanding and a huge
leap over the previous generation of Big-IPs. For example, L7
connections per second peaked at almost 110,000 and overall L7
throughput levels reached almost 4Gbps - more than ample for the
biggest enterprise applications.
Overall, it is fair to say we were very impressed with F5's total
reworking of its Big-IP products. We liked the old range, but it
does look positively antiquated against the new V9 release which is
a huge leap forward.
Details: F5 Big-IP 6800. Price: from £38,610 (£48,771 fully loaded
as tested). www.f5.com
Zeus ZXTM 3.0
The name Zeus might be familiar to those of you who know the
Webserver product, itself at the heart of the mighty eBay engine -
but with respect to Layer 7 traffic management? No, didn't think
so.
Based in the UK, Zeus has taken the software engineering that went
into the Webserver product and subsequent load balancer to form the
basis of its entry into L7 traffic management. Zeus' ZXTM (Zeus
Extensible Traffic Manager) is a software application designed to
run on a number of listed supported Unix and Linux platforms. You
can even download this one for free evaluation from the Zeus
website and then keep it if you like it (as long as you pay
up).
It operates at both L4 (load-balancing) and L7, so there is no
denying it is in direct competition with the likes of F5 Networks'
Big-IP application switch, which we tested alongside it. However,
ZXTM 3.0 is not a switch but effectively a server-based network
appliance which just happens to be sold as software. It therefore
typically sits in front of the server farm, behind the internet
gateway, from where it conducts traffic in a wide number of
ways.
ZXTM's feature set is extensive, covering intelligent L7
load-balancing and every aspect of L7 traffic management:
throughput, compression, data manipulation, security - such as
denial of service protection - server and application optimisation
and migration tools.
The company has unashamedly looked at F5 as the market leader and
sought to equal or better every element of its own products. The
result is what would be a very comprehensive set of capabilities
for a mature product, let alone a new kid on the block. One
excellent example of this attention to detail lies in ZXTM's
Trafficscript feature for deep-packet inspection and
manipulation.
This is quite simply the most comprehensive, rules-based
methodology for traffic control available on anything we have seen.
Configuration and deployment tools are very important with the
fairly complex products in the L7 world. ZXTM comes with a
first-class GUI and basic configurations literally take minutes. An
excellent feature is a diagnose button, which checks you have
configured the system correctly via a single mouse button click.
And, in the event of any problem in the cluster, the diagnostics
report gives a complete summary of the state of the cluster.
It runs a number of tests on each ZXTM machine to determine
connectivity and configuration problems, platform/licence
incompatibilities and fault intolerance. Where possible, the page
includes links to tools to resolve the problems it has found.
Another feature is ZXTM's draining nodes, which let you gracefully
take servers out of an active pool without cutting user
connections. Equally important on the scalability side is Zeus' N+M
scalability, where near infinite redundancy and scalability has
been achieved. Adding an additional ZXTM to a cluster is simple, as
a new ZXTM is automatically detected by the existing cluster and
the configuration is automatically replicated. This makes
scalability very cost effective as you only have to buy one
additional ZXTM if that is all you need and very easy at the same
time.
ZXTM 3.0 arrived, pre-installed on a couple of Sun servers running
Linux - dual Opteron devices in this case, but of course you can
spec the hardware according to your own performance
requirements.
We looked to put ZXTM 3.0 to the test in intelligence scenario
tests and performance tests. For the intelligence tests, we looked
at two really fascinating applications. The first was the problem
of stale links: a Google search result that points at a page which
has since moved, so the user gets a "page not found" message. One
way around this is to use ZXTM to intercept the page request and
route it to the new location, transparently to the user. This involves
creating a simple rule that examines the request, identifies the
old link, rewrites it to the new link and forwards the request.
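The rule described above is an ordered rewrite table applied to the request target before it is forwarded. The block below is an added example in plain Python, not Zeus TrafficScript: it supports exact, prefix and regular-expression rules, preserves the query string for the first two, and checks at load time that every rule only ever produces a relative path, so a mistyped rule cannot send users off-site. The rules and request targets are constructed for the example.

```python
"""Added example (not Zeus code): rewrite old links to their new location.

REWRITE_RULES is scanned in order and the first match wins. "exact" and
"prefix" rules keep the original query string; "regex" rules see the whole
request target. validate_rules() rejects any replacement that is not a
relative path. All rules and targets are constructed for this example.
"""
import re
from typing import Optional, Tuple

REWRITE_RULES = [
    # (kind, pattern, replacement)
    ("exact",  "/products/old-widget.html", "/catalogue/widget"),
    ("prefix", "/news/2004/",               "/archive/2004/"),
    ("regex",  r"^/item\.php\?id=(\d+)$",   r"/items/\1"),
]


def validate_rules(rules=REWRITE_RULES) -> None:
    """Refuse rules that could forward to an absolute URL or protocol-relative path."""
    for kind, pattern, replacement in rules:
        if kind not in ("exact", "prefix", "regex"):
            raise ValueError(f"unknown rule kind {kind!r}")
        if not replacement.startswith("/") or replacement.startswith("//"):
            raise ValueError(f"replacement must be a relative path: {replacement!r}")
        if kind == "regex":
            re.compile(pattern)   # fail early on a bad expression


def rewrite(target: str, rules=REWRITE_RULES) -> Tuple[str, Optional[str]]:
    """Return (possibly rewritten target, pattern that matched or None)."""
    path, q, query = target.partition("?")
    for kind, pattern, replacement in rules:
        if kind == "exact" and path == pattern:
            return replacement + q + query, pattern
        if kind == "prefix" and path.startswith(pattern):
            return replacement + path[len(pattern):] + q + query, pattern
        if kind == "regex":
            new, count = re.subn(pattern, replacement, target)
            if count:
                return new, pattern
    return target, None


validate_rules()

if __name__ == "__main__":
    for t in ("/products/old-widget.html?ref=search",
              "/news/2004/story.html", "/item.php?id=42", "/about"):
        print(t, "->", rewrite(t))
```

Logging the matched pattern alongside the rewrite gives you a record of how often each legacy link is still being hit, which is what tells you when a rule can finally be retired.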
The second application test may be a familiar scenario to anyone
who has a website with a somewhat inferior search engine. There is
this monster called Google that is staggeringly capable of
returning search results about almost anything within microseconds.
So wouldn't it be cool to simply front-end the Google engine with
your search utility and take advantage of its great power?
For the time being Google allows you to issue an XML request to its
SOAP interface and get a SOAP response back. For free. So we used
Trafficscript's ability to embed XML requests and translate SOAP
responses. What we ended up with is a perfectly formatted page
of search results that looks like it was delivered by your own
search engine but was actually delivered via Google.
Using Spirent's WebAvalanche and WebReflector internet traffic
simulators, we ran a series of performance tests, looking at
maximum requests per second, SSL session termination, maximum
throughput and compression (rates and throughput).
In all instances, ZXTM 3.0 performed to class standards, either
literally or on a price and performance basis. We achieved 87,512
requests per second, 19,835tps compressing HTML pages at a 9:1
compression ratio, 2.6Gbps of sustained L7 throughput and 8,511 SSL
tps (10 session ID reuse).
Price and performance indexed against the Big-IP 6800 translates
into figures of 227,531 requests per second, 51,571tps of
compression, 6.8Gbps of sustained L7 throughput and 21,000 SSL tps.
Given Zeus' scalability claims, this augurs well for future tests
where we will be looking at a clustered ZXTM configuration to see
if we can get record figures in each category.
In summary, ZXTM 3.0 met or surpassed all our targets, both for
performance and feature flexibility. As such, we recommend it to
anyone looking at L7 traffic management devices without hesitation.
And if you do not think you need such a device, use your
imagination and take a look anyway.
Details: Zeus ZXTM (Zeus Extensible Traffic Manager) 3.0. Price:
from £4,400 (£12,100 plus hardware as tested, fully-loaded).
www.zeus.com