F5 Networks Inc.s Big-IP HA controller load balancer makes Web farms of heterogeneous commodity servers a viable alternative to expensive big-iron servers and hard-to-manage clusters. However, budget-minded companies must figure in a trade-off: the manageability issues that can crop up on any server farm.
The Big-IP HA Controller, which shipped last month, proved powerful, flexible and mature in eWeek Labs tests. The $21,250 base unit we tested includes 5-by-12 technical support and an unprecedented day of on-site installation and training. The appliance is no more complicated than most networking devices, but this level of customer service is still impressive.
New in this release is support for multiple SSL (Secure Sockets Layer) cards to improve scalability. A $2,490 SSL card that supports 200 encrypted connections per second and a $7,500 card that supports 600 connections per second are available.
The appliances built-in application-specific integrated circuit SSL accelerator from Rainbow Technologies Inc. offloads encryption duties from the Web server. The Big-IP HA Controller is the first such device weve seen that does this, although Intel Corp.s NetStructure 7180 also has this capability.
The appliance allows previously encrypted traffic to take advantage of the devices Layer 4 and Layer 7 load balancing functions. It also provided flexible load balancing traffic management in tests, using multiple load balancing and persistence algorithms.
Sites that dont need this level of traffic management could perform adequate load balancing for free by using the round-robin function built into the Internet Software Consortiums BIND (Berkeley Internet Name Domain) server. Further, Cisco Systems Inc.s LocalDirector is a similar device that may be a better choice for Cisco-centric sites.
Shops that prefer a server-based traffic management system should look to products such as Central Dispatch from Resonate Inc.
To test the Big-IP HA, we created a Web farm of mixed servers and operating systems. The test bed consisted of two Compaq Computer Corp. 800MHz dual-processor ML350 servers running Windows 2000 Server Edition; two 700MHz Dell Computer Corp. OptiPlex machines running Windows NT 4.0 Service Pack 6 and Red Hat Inc.s Red Hat Linux 7.0; and two 550MHz Dell OptiPlex devices running Windows NT 4.0 Service Pack 6 and Red Hat Linux 7.0. We used 10 clients with OpenSTA, an open-source distributed Web site traffic generator, to generate a virtual 300-client load.
Initial setup of the big-ip was painless—we hooked a monitor and keyboard to the unit and then used the built-in First-Time Boot utility to stroll through password setup, IP configuration and SSL certificate creation.
We then switched over to the Web-based configuration utility. The Big-IP is built on FreeBSD and comes with a comprehensive manual on command-line configuration, so Unix administrators can opt to configure at the console. We only wish the Web configuration utility were as well-documented.
We first tested the Web farm server performance with identical content and a static round-robin balancing algorithm. We got what we expected: The smaller servers ran at close to 90 percent CPU utilization, and the dual-processor servers coasted along.
We then tested the predictive load balancing option with the same Web farm setup as the previous test. This dynamic method of load balancing is based on two monitored criteria—which server has the fewest connections and which server has the best response time.
When we turned the 300 virtual clients loose on this setup, we were pleased to see an average CPU utilization that was virtually the same across all boxes.
The advantages of running the SSL encryption on the Big-IP appliance instead of the server are better performance, traffic management and persistence. When traffic is encrypted, there is no way to balance it intelligently, and if there is no way to manage it, there is no way to maintain persistence when needed.
The Big-IP not only can decrypt traffic, it also can manage it and maintain persistence when needed.