--> Each and every BIG-IP system comes with an SSL accelerator card that takes care of SSL encryption and decryption.
--> Having a separate module on the BIG-IP system handle the SSL transactions as well as the key exchange improves the performance of the backend servers, since they no longer perform any encryption or decryption themselves.
--> TPS is the number of new SSL sessions per second; already established SSL connections do not come into play.
--> Each and every SSL transaction contains 3 stages:
1) Session Establishment: Authentication, key exchange and the handshake happen in this phase.
2) Data Transfer: Encryption and decryption of the transferred data take place in this phase.
3) Session Closure: The session ends in this phase.
--> A BIG-IP system's SSL TPS mainly depends upon three things:
1) SSL TPS Limit
A TPS limit that is specified in the /config/bigip.license file. This limit applies to each instance of the Traffic Management Microkernel (TMM) for non-chassis systems and each blade for VIPRION systems.
--> To know the SSL TPS limit set in the bigip.license file, execute the below command:
tmsh show sys license detail | grep -i perf_SSL_total_TPS
Output: perf_SSL_total_TPS : 1000
--> To know how many TMMs are present on the BIG-IP system, execute the below command:
tmsh show sys tmm-info global | grep -i 'TMM count'
Output: TMM Count 6
--> Now that we have both the TPS limit and the TMM count from the above commands, use the below formula to find the exact SSL TPS of the device:
(perf_SSL_total_TPS) * (TMM Count) = 1000 * 6 = 6000 TPS
2) The system's hardware limitation.
--> If the system supports more SSL TPS than is configured under the license, we can install an add-on license to increase the SSL TPS.
--> Keep in mind that installing a new add-on reloads the daemons, which might impact traffic, so it is recommended to install a new license as per the change control process.
Note: In the case of VIPRION systems, simply replace the TMM count with the number of blades installed in the VIPRION system.
(perf_SSL_total_TPS) * (Blade Count) = 1000 * 4 = 4000 TPS
3) Key Size of the Certificate
--> By default, the SSL TPS is calculated based upon a key size between 2048 bits and 4095 bits.
--> If the key size of the certificate is more than 4095 bits, then the actual SSL TPS will be 20% of the licensed limit present in the license file.
Ex: If a certificate is configured with a 4096-bit key and the SSL TPS license on the device is 6000 TPS, then the actual SSL TPS would be 20% of 6000 TPS, which equals 1200 TPS.
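The three factors above (per-TMM license limit, TMM or blade count, and the key-size rule) can be combined into one small calculator. This is an added example written for this post, not F5 code; the command outputs are constructed samples in the formats shown above, and the VIPRION case simply passes the blade count in place of the TMM count.

```python
import re

# Constructed sample outputs in the formats shown on this page (not captured from a real device).
LICENSE_OUTPUT = "perf_SSL_total_TPS : 1000"
TMM_OUTPUT = "TMM Count 6"


def parse_count(output: str, label: str) -> int:
    """Pull the integer that follows a label such as 'perf_SSL_total_TPS' or 'TMM Count'."""
    match = re.search(rf"{re.escape(label)}\s*:?\s*(\d+)", output, re.IGNORECASE)
    if match is None:
        raise ValueError(f"{label!r} not found in: {output!r}")
    return int(match.group(1))


def licensed_ssl_tps(license_output: str, unit_count: int) -> int:
    """Licensed TPS = per-TMM limit from bigip.license * number of TMMs (or blades on VIPRION)."""
    per_unit = parse_count(license_output, "perf_SSL_total_TPS")
    return per_unit * unit_count


def effective_ssl_tps(licensed_tps: int, key_bits: int) -> int:
    """Apply the key-size rule from the page: keys above 4095 bits are rated at 20% of the licensed limit."""
    if key_bits > 4095:
        return licensed_tps * 20 // 100
    return licensed_tps


def appliance_ssl_tps(license_output: str, tmm_output: str, key_bits: int = 2048) -> int:
    """End-to-end for a non-chassis appliance: parse both command outputs, then apply the key-size rule."""
    tmm_count = parse_count(tmm_output, "TMM Count")
    return effective_ssl_tps(licensed_ssl_tps(license_output, tmm_count), key_bits)


if __name__ == "__main__":
    print("appliance, 2048-bit key:", appliance_ssl_tps(LICENSE_OUTPUT, TMM_OUTPUT))        # 6000
    print("appliance, 4096-bit key:", appliance_ssl_tps(LICENSE_OUTPUT, TMM_OUTPUT, 4096))  # 1200
    print("VIPRION, 4 blades:", licensed_ssl_tps(LICENSE_OUTPUT, 4))                        # 4000
```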
--> We can monitor SSL TPS using the performance graphs on the F5 LTM, or we can configure the F5 system to send an SNMP trap once the SSL TPS goes beyond the license limit.
--> The BIG-IP system does not accept any new SSL connections until the SSL TPS rate falls below the licensed limit.
--> SSL TPS applies only to client-side connections and does not apply to server-side connections.
--> SSL TPS is enforced across a sliding time window. The BIG-IP system uses a 10 ms window (1/100 of a second) to calculate the current TPS.
--> If the number of TPS requests within any 10 ms window exceeds 1/100 of the licensed TPS, the system writes an error message to the /var/log/ltm file indicating that the TPS limit is being reached.
--> For example: if the device is licensed for 6000 TPS and the BIG-IP system receives more than 60 SSL connections within the sliding window (10 ms), then the system silently discards the SSL connections that exceed the limit.
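To see why a short burst is discarded even when the one-second average is under the license, the sliding-window rule can be replayed over a list of handshake arrival times. This is an added illustration, not F5's implementation: the arrival times are constructed, and the log text is a placeholder rather than the real /var/log/ltm message.

```python
from collections import deque
from typing import Iterable

WINDOW_US = 10_000  # the page's 10 ms window, in microseconds


def per_window_allowance(licensed_tps: int) -> float:
    """1/100 of the licensed TPS: how many new handshakes fit in any 10 ms window."""
    return licensed_tps / 100


def enforce_ssl_tps(licensed_tps: int, arrivals_us: Iterable[int]) -> dict:
    """Replay handshake arrival times (microseconds, ascending) through a sliding 10 ms window.

    A handshake is accepted when fewer than the allowance were accepted in the
    preceding 10 ms; otherwise it is discarded and a log line is recorded.
    The log text is constructed for this example, not the real /var/log/ltm message.
    """
    allowance = per_window_allowance(licensed_tps)
    recent = deque()  # arrival times of accepted handshakes still inside the window
    accepted = discarded = 0
    log = []
    for t in arrivals_us:
        while recent and recent[0] <= t - WINDOW_US:  # slide: forget handshakes older than 10 ms
            recent.popleft()
        if len(recent) >= allowance:
            discarded += 1
            log.append(f"t={t}us: SSL TPS limit reached ({licensed_tps} TPS licensed), handshake discarded")
        else:
            recent.append(t)
            accepted += 1
    return {"accepted": accepted, "discarded": discarded, "log": log}


# Constructed traffic: a 70-handshake burst inside one 10 ms window (one every 100 us),
# then 20 handshakes spread 1 ms apart starting at t = 100 ms (well under the limit).
BURST = [i * 100 for i in range(70)]
STEADY = [100_000 + i * 1_000 for i in range(20)]


def demo() -> dict:
    return enforce_ssl_tps(6000, BURST + STEADY)


if __name__ == "__main__":
    result = demo()
    print(f"accepted={result['accepted']} discarded={result['discarded']}")  # accepted=80 discarded=10
    print(result["log"][0])
```

The 90 handshakes average well below 6000 per second, yet 10 of them are dropped because 70 arrived inside a single 10 ms window whose allowance is 60.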
--> Keep in mind that SSL TPS is only counted if a client SSL profile is applied to the virtual server.
--> By using the Max Active Handshakes setting under the client SSL profile, we can limit the number of SSL TPS per virtual server. The default setting is Indefinite, which means that there is no limit. The Max Active Handshakes option was introduced in BIG-IP 12.1.0.
--> By using the tmm.ssl.maxactivehandshakes setting, we can limit the number of SSL TPS globally.
Ref: F5.com
Md.Kareemoddin,
CCIE# 54759