© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 2
Agenda Application Delivery Networking Terms and Concerns
Health Checking, Server Farms, Traffic Classification, Predictors, Persistence, Stickiness
ACE Overview
Basic Policy Configuration Requirements and Examples
Basic Layer 4 and 7 Load balancing Example
Advanced Application Scenario Requirements and Examples
Persistence
SSL Offload – End to End SSL
Content Health Check
Additional Features and Deployment Considerations
NAT
Access Lists
Deployment Models, ACE Redundancy, RBAC, Virtual Contexts
Summary
Application Delivery Networking ACE Features
Application Delivery Networking Overview: Terminology
(Figure: clients, a client-side gateway and an Application Delivery Controller (ADC, also called a Layer 4-7 switch) in front of a serverfarm of servers.)
Health Probe: the check the ADC runs against each server
Virtual IP address (VIP): e.g. 172.16.2.100, TCP port 80
Policy (policy-map) with classification (class-map): e.g. if URL = /news, User-Agent = MSIE 7.0 and Client = 192.0.0.0/8, then use serverfarm X
Load Balancing Algorithm (Predictor): e.g. Round Robin
Traffic Classification and Processing
ACE supports the load balancing of the following:
Generic IP traffic (e.g. IPsec tunnels)
Generic UDP and TCP (e.g. proprietary protocols)
Network services (e.g. LDAP, DNS, Radius)
HTTP (e.g. Web Presentation Layer, Web Services, SOAP/XML)
Voice & Video (e.g. RTSP, SIP, H.323)
Remote terminals (e.g. Windows Terminal Services/RDP)
Multi-connection protocols (e.g. FTP, RTSP)
Multi-tier applications (e.g. SAP, Oracle Enterprise/WebLogic, Microsoft Exchange/Sharepoint/ASP, IBM WebSphere)
(Figure, packet layout by layer: Ethernet header (Layer 2), IP header (Layer 3), TCP header (Layer 4), HTTP header and payload (Layers 5-7), Ethernet trailer.)
ACE Service Health Monitoring - Probes
Periodic Health checks applied to specific real servers or server farms.
Generated by the Application Delivery Controller itself, which then expects a reply
Either predefined health checks or scripts
Examples: ICMP (L3 connectivity), TCP (stack), HTTP (application)
Failure detection time is a function of interval, retries, and max response time
Reliability and Availability Techniques: Cisco ACE Probe Options
Probe: Description
ICMP: Sends an ICMP request and waits for a reply
Generic TCP: Opens a connection and disconnects with a TCP FIN or RST
Generic UDP: Sends a packet and monitors for ICMP errors
HTTP: Sends an HTTP HEAD or HTTP GET 1.1 request
HTTPS: Establishes an SSL connection, sends an HTTP query and closes
FTP: Similar to the TCP probe
Telnet: Makes a connection, sends a "QUIT" message
DNS: Uses a default domain and waits for a response
SMTP: Sends a "hello" followed by a "QUIT" message
POP3: Similar to the TCP probe
SNMP: Uses SNMP OIDs for load-balancing predictions
IMAP: Similar to the TCP probe
Scripted: Custom health check
Radius: Similar to the UDP probe. NAS-IP can be configured
Health Check Selection and Consideration
Which type of probe should be used to determine availability?
ARPs only check the IP stack and not the application
ICMP probes only check the IP stack of the machine and not the application
Generic TCP port opens check the TCP stack but not the application's ability to handle requests
An application may fail in a state where the server can still respond to a TCP SYN but not to an application data request
To verify the integrity of an application, an application data request keepalive is required
ACE Load Balancing Algorithms - Predictors
Round Robin: (Simple Weighted)
Least Connections: (Weighted)
Hash on IP, URL, Content, Cookie
Server Watermarks: Min and max number of connections per server
Least Loaded: SNMP based server feedback
Least Bandwidth: Connection vs. Bandwidth
Adaptive Response Predictor: based on server response time
ACE Enhanced Predictors: Adaptive Response
Response-time metrics that can be selected (measured by ACE against each server in the serverfarm):
SYN to SYN-ACK: time between the SYN sent from ACE and the SYN-ACK received from the server
SYN to Close: time between the SYN sent from ACE and the FIN/RST received from the server
Application Request to Response: time between the HTTP request sent from ACE and the HTTP response received from the server
Load balance based on server response time, calculated over a configured number of samples for the selected response-time metric.
ACE Enhanced Application Algorithms: Least-Loaded Using SNMP
ACE utilizes SNMP-based probes to obtain CPU, memory and drive statistics from the servers
SNMP Object IDs queried: CPU Utilization, Memory Resources, Disk Drive Availability, ...
Query result, server 1: CPU Utilization = 14%, Memory Resources = 947300k free, Disk Drive Availability = 440GB free
Query result, server 2: CPU Utilization = 24%, Memory Resources = 885300k free, Disk Drive Availability = 307GB free
Query result, server 3: CPU Utilization = 34%, Memory Resources = 785300k free, Disk Drive Availability = 202GB free
An SNMP agent is required on the server; no additional software
Session: sequence of requests by a single user client to a server.
State: information maintained in the session across requests. May include both information visible to the user (shopping cart) and application control information (user preference, security token, page history, cached content, etc.)
Session-Id: application-assigned id for a user session. Stored session state is referenced by the session-id. Session-Id and state can be stored in memory, cookies, URLs, application headers and payload content.
Stateful Session Failover: state may be synchronized across servers by persisting information to a common repository (e.g. a database). Rebuilding session state is resource intensive.
Stickiness: the load balancer sends multiple requests from the same client to the same server. Used when dynamic load distribution across multiple servers introduces problems.
Application Load Balancing: Session Persistence
Server Affinity and Persistence – Session Stickiness
How to Uniquely Identify a Client…
Source IP
  How does it work: Client = its SRC IP
  Variation: Full IP, Masked IP
  Info stored on: LB
  Good for: Simplicity
  Caveats: Proxies
Cookie
  How does it work: Client = a cookie value
  Variation: Static, Dynamic, Insert
  Info stored on: LB
  Good for: Flexibility
  Caveats: HTTP only, Clear Text
SSL ID
  How does it work: Client = SSL session ID
  Variation: Full SSID, Offset
  Info stored on: LB
  Good for: No cookie support
  Caveats: SSL v3, Renegotiation
HTTP Redirect
  How does it work: LB redirects to a specific (V) server
  Info stored on: Client
  Good for: No state on LB
  Caveats: HTTP only, Absolute URLs, Bookmarks
RDP
  How does it work: SD, Session Directory. Routing Token = server IP + Port
  Info stored on: LB
  Good for: Recovering disconnected WTS sessions
  Caveats: No Token, needs to fall back to source IP
SIP
  How does it work: Client = Session Call-ID
  Info stored on: LB
  Good for: SIP-specific stickiness
GPP
  How does it work: Regex matches on TCP and UDP data
  Variation: custom
  Info stored on: LB
  Good for: Flexible for custom applications
  Caveats: Specific to application
ACE Application Acceleration Features
Feature Name: Description
Flash Forward: Flash Forward enables acceleration of embedded objects in a web page by caching them locally. This results in improved application response time.
Dynamic ETag: Dynamic ETag enables acceleration of non-cacheable embedded objects, resulting in improved application response time.
HTTP Compression: Reduces traffic to web clients by compressing HTTP responses using the GZIP and Deflate compression algorithms.
Configuration and Deployment: Basic Load Balancing Scenario
Requirements and configuration for a basic web application
Basic Load Balancing
(Figure: clients reach a Virtual IP; ACE provides server-level fail-over across an application/content server farm.)
Stateless application: no client session tracking or long running transaction requirements.
Basic Web Load Balancing: Configuration Checklist
Is the server/application active? How can you check?
How should connections be distributed?
If needed, how to identify and persist client sessions?
Basic Requirements
Load Distribution
Simple Round Robin (No session persistence)
Health Checks
Server: ICMP (Ping)
Protocol: Port 80
Application: HTTP (Response Code)
Application Optimization/Offload
HTTP Compression
Policy Lookup Order
There can be many features applied on a given interface, so feature lookup ordering is important
The feature lookup order followed in ACE is as follows:
1. Access-control (permit or deny a packet)
2. Management Traffic
3. TCP normalization/Connection parameters
4. Server Load Balancing
5. Fix-ups/Application inspection
6. Source NAT
7. Destination NAT
The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface
Policy CLI Overview
1. Define traffic match criteria
2. Associate policy actions to match criteria
3. Activate the classification-action rules on either an interface or "globally"
Step 1:
class-map C1
  match <criteria>
Step 2:
policy-map P1
  class C1
    <action>
Step 3:
interface vlanX
  service-policy input P1
ACE Modular Policy CLI: Class-Maps
The class-map command is used to define a traffic type or class of interest.
A traffic class contains three major elements: a name, a series of match commands, and, if more than one match command exists in the traffic class, an instruction on how to evaluate these match commands
class-map type management match-any remote-access-cm
  description remote-access-traffic-match
  2 match protocol ssh any
  3 match protocol icmp any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol xml-https any
Modular Policy CLI: Nested Class-Maps
Class-maps can be linked by using the match class statement
Supported only for L7 class-maps; limited to two levels of nesting
Used to achieve complex logical expressions; easy combination of boolean (and/or) statements
class-map match-all HTTP-CM
  match virtual-address 10.10.119.113 tcp eq www
class-map match-any NAT-CM
  match source-address 10.86.243.0 255.255.255.0
class-map type http loadbalance match-any URL-PARSE-CM
  match http url "/news"
  match http url "/sport"
class-map type http loadbalance match-all HEADER-PARSE-CM
  match http header User-Agent header-value Mozilla
  match class URL-PARSE-CM
ACE Modular Policy CLI: Policy-Maps
Use the policy-map command to define actions to take on matched traffic. Traffic that does not match an explicitly specified classification is matched against the class-default policy.
Specify how traffic class matches are processed:
first-match: the class-action pairs within the policy-map are looked up sequentially
all-match: match traffic against all classes in the policy-map; the actions of all matching classes are executed (e.g. policy-map of type inspect http)
multi-match: the policy-map supports multiple actions, and each action by itself can have only one match (first match)
policy-map type management first-match remote-mgmt-pm
  class remote-access-cm
    permit
ACE Modular Policy CLI: Activating Policy
Policies are activated on an interface or globally using the 'service-policy' command
The policy-map is enabled on the input direction of interfaces
Policy-maps applied globally in an ACE device context are internally applied on all interfaces existing in the context
service-policy input <policy-name>
Basic Layer 4 Load Balancing: Management and Device Access for CLI or GUI
access-list EVERYONE line 10 extended permit ip any any
class-map type management match-any REMOTE-ACCESS
  description REMOTE-ACCESS-traffic-match
  2 match protocol ssh any
  3 match protocol icmp any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol xml-https any
policy-map type management first-match REMOTE-MGMT
  class REMOTE-ACCESS
    permit
interface vlan 2
  ip address 10.10.119.55 255.255.255.0
  access-group input EVERYONE
  service-policy input REMOTE-MGMT
  no shutdown
Steps: match management-type traffic (class-map); permit on match (policy-map); enable on the interface (service-policy)
Health Probe Configuration
probe icmp PING-PROBE
  interval 5
  passdetect interval 5
  passdetect count 3
probe tcp TCP80-PROBE
  interval 10
  port 80
  passdetect interval 10
  passdetect count 3
probe http HTTP-PROBE
  interval 20
  passdetect interval 5
  request method get url /index.html
  expect status 200 499
serverfarm WEB-SF
  probe PING-PROBE
  probe TCP80-PROBE
  probe HTTP-PROBE
Server Farms and Real Servers
Define collections of mirrored application hosts (real servers) into pooled server farm resources.
Real Servers can be tagged with properties such as connection limits and weight values.
ACE Basic Layer 4 Load Balancing: Real Servers and Server Farm
rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
rserver host SERVER3
  ip address 192.168.1.3
  inservice
serverfarm WEB-SF
  probe HTTP-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  rserver SERVER3
    inservice
Steps: define real servers; assign the health probe and the real servers to a server farm
ACE Basic Layer 4 Load Balancing: Deploy Policy
class-map match-all TCP80-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
policy-map type loadbalance first-match TCP80-PM
  class class-default
    serverfarm WEB-SF
policy-map multi-match LOADBALANCE-PM
  class TCP80-CM
    loadbalance vip inservice
    loadbalance policy TCP80-PM
interface vlan 2
  ip address 172.16.1.1 255.255.255.0
  access-group input EVERYONE
  service-policy input REMOTE-MGMT
  service-policy input LOADBALANCE-PM
  no shutdown
Steps: match on traffic to the Virtual IP and port 80 (class-map); define the load-balancing action for any traffic (loadbalance policy-map); if traffic matches, enable the VIP for load balancing and apply the policy (multi-match policy-map); enable the policy on the VLAN interface
"Sorry Service" – Backup Servers
rserver host APPSERVER-11
  ip address 10.1.1.10
  inservice
rserver host APPSERVER-12
  ip address 10.1.1.12
  inservice
rserver host SORRY-SERVER
  ip address 10.1.2.100
  inservice
serverfarm host HTTP-FARM
  rserver APPSERVER-11
    inservice
  rserver APPSERVER-12
    inservice
  backup-rserver SORRY-SERVER
    inservice
Steps: define real servers; designate a backup server if APPSERVER-12 is unavailable
Cisco ACE HTTP Compression
Reduces HTTP traffic using GZIP and Deflate compression algorithms which are supported in today's Web browsers.
Compression is completely transparent to the end user, requiring no downloads or agents.
Up to 90% reduction in size of web objects such as static and dynamic HTML, Flash, PDFs, Text files, XML
Optimizes delivery of content for last-mile bandwidth bottlenecks.
Accelerates end-user experience.
(Figure, HTTP Compression: a remote user on shared DSL, a roaming user on 56k dial-up and a branch office on a 128k leased line. Problem: big page, small pipe. OK: big page, big pipe. Solution: small compressed page, small pipe.)
HTTP Compression
serverfarm host WEB-COMPRESS-SF
  probe HTTP-PROBE
  rserver Server-3
    inservice
  rserver Server-4
    inservice
class-map type http loadbalance match-all HTTP-CM
  2 match http url .*
class-map match-all VIP-COMPRESS-CM
  2 match virtual-address 10.86.158.21 tcp eq www
policy-map type loadbalance first-match COMPRESS-PM
  class HTTP-CM
    serverfarm WEB-COMPRESS-SF
    compress default-method deflate
policy-map multi-match CLIENT-VIP-PM
  class VIP-COMPRESS-CM
    loadbalance vip inservice
    loadbalance policy COMPRESS-PM
    loadbalance vip icmp-reply active
Notes: match on any URL (HTTP-CM); compress all client browser traffic using the "DEFLATE" algorithm (COMPRESS-PM)
Configuration with Device Manager and ANM: Health Checks
GUI Based Configuration: Real Servers and Server Farm
(Screenshots: define real servers; define the server farm; add real servers to the server farm and define the sorry server.)
GUI Based Configuration: VIP and Load Balance Policy
(Screenshots: define the virtual IP; assign the interface; assign the action, server farm, and compression.)
Probe Monitoring with Device Manager and ANM
Monitoring with Device Manager and ANM
Configuration and Deployment: Advanced Load Balancing Scenario
Requirements and configuration for a multi-tier transactional web application
Multi Tier Load Balancing
(Figure: clients in front of ACE, which load balances to application servers. N-tier application; client type and session tracking; transactional; SSL offload.)
Requirements
Load Distribution - Adaptive
Least Connections, Response Time
Health Checks
Content Inspection
Persistence
Cookie Sticky
SSL Sticky
Application Offload
SSL
Advanced Predictors: Least Connections
serverfarm TCP80-SF
  predictor leastconns slowstart 200
  probe TCP80-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
class-map match-all TCP80-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
policy-map type loadbalance first-match TCP80-PM
  class class-default
    sticky-serverfarm STICKY
policy-map multi-match L4
  class TCP80-CM
    loadbalance vip inservice
    loadbalance policy TCP80-PM
Predictor Configuration: Device Manager and ANM
Persistence Configuration Options
Persist based on cookie:
sticky http-cookie ILIKECOOKIES COOKIESTICKY
  cookie insert
  timeout 720
  serverfarm WEB-SF backup SORRY-SF
Persist based on source IP:
sticky ip-netmask 255.255.240.0 address source IPSTICKY
  serverfarm WEB-SF backup SORRY-SF
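To make the two sticky options concrete, the following is an added example (not Cisco's code and not taken from the slides) that models a round-robin server farm with a backup farm, a source-IP sticky table keyed on the masked address (the slide's 255.255.240.0 mask) and a cookie-insert sticky table with the slide's 720-minute timeout. Server names, the client addresses and the timing values are constructed for the example; ACE's internal table handling is an assumption here, and the model only honours cookie values it issued itself, so a client-supplied value that the load balancer never generated gets a fresh assignment rather than a server of the client's choosing.

```python
import ipaddress
import itertools
import secrets
from typing import Dict, Optional, Tuple


class StickyLB:
    """Model of a sticky load balancer (example code, not ACE code).

    farm:    real servers in rotation (round robin)
    backup:  server used when no farm member is healthy ('backup SORRY-SF')
    netmask: mask applied to the client address for source-IP stickiness
    timeout_min: sticky entry lifetime in minutes ('timeout 720')
    """

    def __init__(self, farm, backup, netmask="255.255.240.0",
                 cookie_name="ILIKECOOKIES", timeout_min=720):
        self.farm = list(farm)
        self.backup = backup
        self.healthy = set(farm)            # a health probe would maintain this set
        self._rr = itertools.cycle(self.farm)
        self.netmask = netmask
        self.cookie_name = cookie_name
        self.timeout = timeout_min * 60     # seconds
        self.ip_table: Dict[str, Tuple[str, float]] = {}      # masked src -> (server, expiry)
        self.cookie_table: Dict[str, Tuple[str, float]] = {}  # cookie value -> (server, expiry)

    def _pick(self) -> str:
        """Next healthy server in round-robin order, or the backup if none is left."""
        live = [s for s in self.farm if s in self.healthy]
        if not live:
            return self.backup
        while True:
            s = next(self._rr)
            if s in live:
                return s

    def _lookup(self, table, key, now: float) -> Optional[str]:
        """Return the stuck server only if the entry is unexpired and the server is up."""
        entry = table.get(key)
        if entry and entry[1] > now and entry[0] in self.healthy:
            return entry[0]
        return None

    def by_source_ip(self, src: str, now: float) -> str:
        """'sticky ip-netmask <mask> address source': all clients inside one
        masked block share a single entry (hence the proxy caveat on the slide)."""
        key = str(ipaddress.ip_interface(f"{src}/{self.netmask}").network.network_address)
        server = self._lookup(self.ip_table, key, now)
        if server is None:
            server = self._pick()
            self.ip_table[key] = (server, now + self.timeout)
        return server

    def by_cookie(self, cookies: Dict[str, str], now: float) -> Tuple[str, Optional[str]]:
        """'sticky http-cookie <name> ... cookie insert': returns (server, new cookie
        value or None). Only values the LB issued map to a server."""
        value = cookies.get(self.cookie_name)
        server = self._lookup(self.cookie_table, value, now) if value else None
        if server is not None:
            return server, None
        server = self._pick()
        value = secrets.token_hex(8)        # opaque, unguessable, LB-generated
        self.cookie_table[value] = (server, now + self.timeout)
        return server, value


if __name__ == "__main__":
    lb = StickyLB(["SERVER1", "SERVER2", "SERVER3"], "SORRY-SERVER")
    for src in ("203.0.113.10", "203.0.113.200", "203.0.128.5"):   # constructed clients
        print(f"{src:15} -> {lb.by_source_ip(src, now=0)}")
    srv, cookie = lb.by_cookie({}, now=0)
    print(f"first request -> {srv}, Set-Cookie {lb.cookie_name}={cookie}")
    print(f"repeat request -> {lb.by_cookie({lb.cookie_name: cookie}, now=1)[0]}")
```

Two behaviours worth noticing: 203.0.113.10 and 203.0.113.200 land on the same server because they share a /20 block under the 255.255.240.0 mask, and an entry pointing at a server that the probes have marked down is ignored, so the client is re-balanced instead of being sent to a dead server.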
Cookie Insert: Device Manager and ANM
SSL Configuration
In order to configure SSL, you need to add the following to a L3/L4 class map:
'parameter-map type ssl'
'ssl-proxy service'
'policy-map'
Parameter-map is used to define parameters for SSL connections (e.g. SSL version, cipher suites)
SSL-proxy is used to define the certificates and keys to be used in SSL connections
A default cert and key is included for testing
SSL Certificate Management
ACE/routed# show crypto files
Filename      File Size  File Type  Exportable  Key/Cert
-----------------------------------------------------------------------
TestKey       1675       PEM        Yes         KEY
TestCert      1135       PEM        Yes         CERT
ACE/routed# crypto import ?
  ftp             Import a key/certificate from an ftp server
  non-exportable  Mark this key/certificate as non-exportable
  sftp            Import a key/certificate from an sftp server
  terminal        Accept a key/certificate from terminal
  tftp            Import a key/certificate from a tftp server
ACE/routed# crypto import terminal certnew.pem server certificate
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIKJ51kxAAAAAAAETANBgkqhkiG9w0BAQUFADBAMRUwEwYK
…
v24KvEoWIIuevUQSsljlP1xOmZq2gW3isYf+5PFu1jltYedt
-----END CERTIFICATE-----
quit
COMMON COMMANDS
crypto import terminal <file name>
crypto export <file name>
crypto verify <key name> <cert name>
show crypto files
show crypto key all
show crypto key <key name>
show crypto certificate all
show crypto certificate <cert name>
SSL Packet Flow With ACE
ssl-proxy service SSL-PROXY
  key mykey.pem
  cert mycert.pem
!
serverfarm WEB-PROTOCOLS
  rserver SERVER1 81
    inservice
  rserver SERVER2 81
    inservice
  probe HTTP-GET
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY
crypto verify mykey.pem mycert.pem
(Figure, packet flow. Client to ACE: SYN (tcp 443), SYN/ACK, ACK; SSL handshake; HTTPS GET index.html with Accept-Encoding: gzip, deflate; HTTPS response. ACE to Server 1: SYN, SYN/ACK, ACK; HTTP GET index.html; HTTP 200 OK response index.html. Figure labels: L3 Flow, TCP Flow.)
SSL Offload and Load Balancing Policy
parameter-map type ssl CLIENT-PARAM
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
ssl-proxy service CLIENT-SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT-PARAM
class-map match-all HTTPS
  match virtual-address 172.16.1.73 tcp eq 443
sticky http-cookie COOKIENAME STICKYCOOKIE
  cookie insert
  serverfarm WEB-SF
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKYCOOKIE
policy-map multi-match SecureL4-PM
  class HTTPS
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT-SSL
Steps: define SSL session constraints (SSL version and cipher suites) in the parameter-map; create the SSL proxy with the defined parameters; match on the VIP and SSL port; define the session persistence policy on the server farm; deploy the SSL policy
Basic SSL Load Balancing: Redirecting Clients to Use SSL
(Figure: a client request for http://www.cisco.com/go/ace is redirected to https://www.cisco.com/go/ace; %h supplies the host and %p the path.)
rserver redirect REDIRECT
  webhost-redirection https://%h%p
  inservice
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
policy-map type loadbalance first-match WEB-PM
  class class-default
    serverfarm REDIRECT-SF
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
!
SSL Redirect Rewrite and Header Insert
!
action-list type modify http ACTION
  header insert request FRONT-END-HTTPS header-value "On"
  header insert response x-forwarded-for header-value "%is"
  ssl url rewrite location www.company.com
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKY
    action ACTION
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
  class SSL-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL
SSL ID Sticky – ACE Config
parameter-map type generic SSL-V3
  set max-parse-length 70
sticky layer4-payload STICKY-SSL-V3
  timeout 600
  serverfarm HTTPS-FARM
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"
class-map match-all HTTPS-VIP
  2 match virtual-address 10.86.157.36 tcp eq https
policy-map type loadbalance generic first-match SSL-V3-STICKY
  class class-default
    sticky-serverfarm STICKY-SSL-V3
policy-map multi-match CLIENT-VIPS
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy SSL-V3-STICKY
    loadbalance vip icmp-reply active
    appl-parameter generic advanced-options SSL-V3
Note: persist the session based on the SSL session-id information
End to End SSL With ACE
ssl-proxy service CLIENT_SSL
  key client.key
  cert client.crt
ssl-proxy service SERVER_SSL
!
serverfarm WEB-PROTOCOLS
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
  probe HTTPs-GET
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
    ssl-proxy client SERVER_SSL
!
policy-map multi-match L4
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT_SSL
(Figure, packet flow. Client to ACE: SYN (tcp 443), SYN/ACK, ACK; SSL handshake; HTTPS GET index.html with Accept-Encoding: gzip, deflate; HTTPS response. ACE to Server 1: SYN (tcp 443), SYN/ACK, ACK; SSL handshake; HTTPS GET index.html with Accept-Encoding: gzip, deflate; HTTPS 200 OK response index.html.)
SSL Session ID Sticky - Server Hello
0000 00 1a 6b 66 88 27 00 16 9d cb 43 e3 08 00 45 00
0010 03 13 f0 be 40 00 78 06 c5 72 0a 56 bf 85 0a 56
0020 75 82 01 bb 09 b2 02 90 d3 6a ea 18 e3 a0 50 18
0030 44 a2 f7 60 00 00 16 03 00 02 e6 02 00 00 46 03
0040 00 47 f0 cc a5 d4 98 21 ec 87 9f 20 2a eb 7d 11
0050 7d 8b 51 f3 b6 9a 4b dd 11 66 e0 37 eb 04 3c a3
0060 f5 20 79 21 00 00 e2 8e 18 6d fb fe 2a af 44 13
0070 7b 70 67 e3 de 89 12 4f a0 79 84 5b 5d 27 22 e2
0080 13 7c 00 04 00 0b 00 02 94 00 02 91 00 02 8e 30
0090 82 02 8a 30 82 01 f3 02 01 05 30 0d 06 09 2a 86
00a0 48 86 f7 0d 01 01 04 05 00 30 81 b1 31 0b 30 09
00b0 06 03 55 04 06 13 02 55 53 31 16 30 14 06 03 55
00c0 04 08 13 0d 4d 61 73 73 61 63 68 75 73 65 74 74
00d0 73 31 13 30 11 06 03 55 04 07 13 0a 42 6f 78 62
00e0 6f 72 6f 75 67 68 31 10 30 0e 06 03 55 04 0a 13
00f0 07 41 4e 53 2d 4c 61 62 31 23 30 21 06 03 55 04
(Annotations on the capture: the Session ID field, and the region covered by Max-Parse-Length 70.)
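To check the slide's offset 43 / length 32 / begin-pattern "\x20" parameters against the capture above, here is an added example (not Cisco's code and not from the slides) that decodes the hex dump, strips the Ethernet, IPv4 and TCP headers, parses the SSLv3 ServerHello and extracts the session ID. The capture bytes are transcribed from the slide; the function names, the "search for the begin-pattern from the offset" interpretation of the ACE parameters, and the helper that mimics it are assumptions of this example.

```python
# Hex dump transcribed from the slide (offset column followed by 16 bytes per line).
CAPTURE = """
0000 00 1a 6b 66 88 27 00 16 9d cb 43 e3 08 00 45 00
0010 03 13 f0 be 40 00 78 06 c5 72 0a 56 bf 85 0a 56
0020 75 82 01 bb 09 b2 02 90 d3 6a ea 18 e3 a0 50 18
0030 44 a2 f7 60 00 00 16 03 00 02 e6 02 00 00 46 03
0040 00 47 f0 cc a5 d4 98 21 ec 87 9f 20 2a eb 7d 11
0050 7d 8b 51 f3 b6 9a 4b dd 11 66 e0 37 eb 04 3c a3
0060 f5 20 79 21 00 00 e2 8e 18 6d fb fe 2a af 44 13
0070 7b 70 67 e3 de 89 12 4f a0 79 84 5b 5d 27 22 e2
0080 13 7c 00 04 00 0b 00 02 94 00 02 91 00 02 8e 30
0090 82 02 8a 30 82 01 f3 02 01 05 30 0d 06 09 2a 86
00a0 48 86 f7 0d 01 01 04 05 00 30 81 b1 31 0b 30 09
00b0 06 03 55 04 06 13 02 55 53 31 16 30 14 06 03 55
00c0 04 08 13 0d 4d 61 73 73 61 63 68 75 73 65 74 74
00d0 73 31 13 30 11 06 03 55 04 07 13 0a 42 6f 78 62
00e0 6f 72 6f 75 67 68 31 10 30 0e 06 03 55 04 0a 13
00f0 07 41 4e 53 2d 4c 61 62 31 23 30 21 06 03 55 04
"""


def bytes_from_dump(dump: str) -> bytes:
    """Turn a Wireshark-style hex dump into raw bytes (drops the offset column)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Skip the 14-byte Ethernet header, the IPv4 header (IHL) and the TCP header (data offset)."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_off:]


def parse_server_hello(payload: bytes) -> dict:
    """Parse record header + handshake header + ServerHello body (SSLv3/TLS layout)."""
    if payload[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = f"{payload[1]}.{payload[2]}"
    record_len = int.from_bytes(payload[3:5], "big")
    if payload[5] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(payload[6:9], "big")
    body = payload[9:9 + hs_len]
    # body: version(2) random(32) session_id_len(1) session_id(n) cipher(2) compression(1)
    sid_len = body[34]
    sid = body[35:35 + sid_len]
    cipher = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
    return {
        "record_version": record_version,
        "record_len": record_len,
        "handshake_len": hs_len,                 # 70 bytes for this ServerHello
        "session_id_len_offset": 9 + 34,         # 43: where the length byte sits in the payload
        "session_id_hex": sid.hex(),
        "cipher_suite": cipher,                  # 0x0004 = RSA_WITH_RC4_128_MD5
    }


def ace_sticky_value(payload: bytes, offset: int = 43, length: int = 32,
                     begin_pattern: bytes = b"\x20"):
    """Assumed reading of the slide's parameters: look for begin-pattern starting at
    offset and take the `length` bytes that follow it. Returns None if not found."""
    idx = payload.find(begin_pattern, offset)
    if idx < 0 or len(payload) < idx + len(begin_pattern) + length:
        return None
    return payload[idx + len(begin_pattern): idx + len(begin_pattern) + length]


if __name__ == "__main__":
    p = tcp_payload(bytes_from_dump(CAPTURE))
    info = parse_server_hello(p)
    print(info)
    print("ACE-style sticky value:", ace_sticky_value(p).hex())
```

Both the protocol parser and the offset-based extraction return the same 32-byte value, which is what makes the "offset 43, begin-pattern 0x20, length 32" recipe work: byte 43 of the payload is the session-ID length (0x20 = 32) and the ID follows it. The parser also shows why the slide's sticky only applies to SSLv3-style hellos: the position is fixed only as long as the record and handshake headers keep this layout and the session ID is present.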
ACE - Header Loadbalancing Config (1): Scenario: Direct to Language Localized Server
rserver host SERVER-10 !Catch All Server
ip address 10.1.1.10
inservice
rserver host SERVER-11 !French Server
ip address 10.1.1.11
inservice
rserver host SERVER-12 !German Server
ip address 10.1.1.12
inservice
rserver host SERVER-13 !English Server
ip address 10.1.1.13
inservice
ACE - Header Loadbalancing Config Cont'd (2)
serverfarm host HTTP-CATCH-ALL
  probe HTTP
  rserver SERVER-10 80
    inservice
serverfarm host HTTP-DE
  probe HTTP
  rserver SERVER-12
    inservice
serverfarm host HTTP-EN
  rserver SERVER-13
    probe HTTP
    inservice
serverfarm host HTTP-FR
  probe HTTP
  rserver SERVER-11
    inservice
Note: localized server farms
ACE - Header Loadbalancing Cont'd (3)
class-map type http loadbalance match-any CATCH-ALL-CM
  2 match http url .*
class-map type http loadbalance match-any DE-CM
  2 match http header Accept-Language header-value ".*de.*"
class-map type http loadbalance match-any EN-CM
  2 match http header Accept-Language header-value ".*en.*"
class-map type http loadbalance match-any FR-CM
  2 match http header Accept-Language header-value ".*fr.*"
class-map match-all HEADERS-CM
  2 match virtual-address 10.86.158.19 tcp eq www
Note: identify the browser language
ACE - Header Loadbalancing Cont'd (4)
policy-map type loadbalance first-match HEADER-SELECT-PM
  class DE-CM
    serverfarm HTTP-DE
  class EN-CM
    serverfarm HTTP-EN
  class FR-CM
    serverfarm HTTP-FR
  class CATCH-ALL-CM
    serverfarm HTTP-CATCH-ALL
policy-map multi-match CLIENT-VIPS-PM
  class HEADERS-CM
    loadbalance vip inservice
    loadbalance policy HEADER-SELECT-PM
    loadbalance vip icmp-reply active
Note: assign the server based on the language header class match
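The following is an added example (not Cisco's code and not from the slides) that models how the class-maps and the first-match policy above are evaluated, and it also covers the nested class-map example from the Modular Policy CLI slide (URL-PARSE-CM inside HEADER-PARSE-CM). The class-map and server-farm names are the slides' own; the `Request` and `ClassMap` types, the use of regular-expression search semantics for url and header-value expressions, and the way the two-level nesting limit is enforced are assumptions of this example, so confirm the platform's own anchoring rules before relying on a pattern.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Request:
    url: str
    headers: Dict[str, str]

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


@dataclass
class ClassMap:
    mode: str                                                   # "match-any" or "match-all"
    urls: List[str] = field(default_factory=list)               # 'match http url <regex>'
    headers: List[Tuple[str, str]] = field(default_factory=list)  # 'match http header <name> header-value <regex>'
    nested: List[str] = field(default_factory=list)             # 'match class <name>'


def classify(name: str, cmaps: Dict[str, ClassMap], req: Request, depth: int = 0) -> bool:
    """Evaluate class-map `name` against `req`. Nesting is limited to two levels:
    a class-map referenced via 'match class' may not itself nest another."""
    cm = cmaps[name]
    if cm.nested and depth >= 1:
        raise ValueError(f"{name}: nested class-map beyond two levels")
    results = [re.search(p, req.url) is not None for p in cm.urls]
    results += [re.search(p, req.header(h)) is not None for h, p in cm.headers]
    results += [classify(n, cmaps, req, depth + 1) for n in cm.nested]
    return all(results) if cm.mode == "match-all" else any(results)


def first_match(policy: List[Tuple[str, str]], cmaps: Dict[str, ClassMap], req: Request):
    """'policy-map type loadbalance first-match': the first class that matches wins,
    so the order of the class/serverfarm pairs decides ambiguous requests."""
    for cm_name, farm in policy:
        if classify(cm_name, cmaps, req):
            return farm
    return None   # on ACE this would fall through to class-default


# Class-maps transcribed from the slides
CMAPS = {
    "URL-PARSE-CM": ClassMap("match-any", urls=["/news", "/sport"]),
    "HEADER-PARSE-CM": ClassMap("match-all", headers=[("User-Agent", "Mozilla")],
                                nested=["URL-PARSE-CM"]),
    "CATCH-ALL-CM": ClassMap("match-any", urls=[".*"]),
    "DE-CM": ClassMap("match-any", headers=[("Accept-Language", ".*de.*")]),
    "EN-CM": ClassMap("match-any", headers=[("Accept-Language", ".*en.*")]),
    "FR-CM": ClassMap("match-any", headers=[("Accept-Language", ".*fr.*")]),
}

# HEADER-SELECT-PM in the order the slide lists its classes
HEADER_SELECT_PM = [
    ("DE-CM", "HTTP-DE"),
    ("EN-CM", "HTTP-EN"),
    ("FR-CM", "HTTP-FR"),
    ("CATCH-ALL-CM", "HTTP-CATCH-ALL"),
]


def route(accept_language: str, url: str = "/") -> str:
    """Server farm chosen for a request carrying the given Accept-Language header."""
    req = Request(url, {"Accept-Language": accept_language})
    return first_match(HEADER_SELECT_PM, CMAPS, req)


if __name__ == "__main__":
    # Constructed sample headers; note the second one prefers English but still
    # mentions 'de', so the DE class (listed first) takes it.
    for al in ["de-DE,de;q=0.9", "en-US,en;q=0.9,de;q=0.3", "fr-CH", "ja-JP"]:
        print(f"{al:28} -> {route(al)}")
    print("HEADER-PARSE-CM /news Mozilla ->",
          classify("HEADER-PARSE-CM", CMAPS, Request("/news", {"User-Agent": "Mozilla/5.0"})))
```

The second sample shows the cost of a loose `.*de.*` pattern combined with first-match ordering: a browser whose Accept-Language is "en-US,en;q=0.9,de;q=0.3" is sent to the German farm, because DE-CM is evaluated before EN-CM and the pattern ignores the quality weights. Tightening the expression (for example anchoring on the first language tag) or reordering the classes changes the result, which is why the class order in a first-match policy deserves the same review as the patterns themselves.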
HTTP Header Insert and Inline Inspection
policy-map type loadbalance first-match TCP80-PM
  class class-default
    serverfarm TCP80-SF
    insert-http x-forwarded-for header-value "%is"
policy-map type inspect http all-match TCP80-CM-HTTP
  class class-default
    permit
policy-map multi-match LOADBALANCE
  class TCP80-CM
    loadbalance vip inservice
    loadbalance policy TCP80-PM
    inspect http policy TCP80-CM-HTTP
Notes: insert an HTTP header carrying the client source-IP value (insert-http); enable deep packet inspection for HTTP (inspect http policy)
Load Balancing: BIG HEADER ISSUE… Where's the Cookie?
parameter-map type http INSENSITIVE
  case-insensitive
  persistence-rebalance
  set header-maxparse-len 8192
….
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
    appl-parameter http advanced-options INSENSITIVE
Default header parse length is 2K
Persistence Rebalance allows ACE to look at each HTTP request inside the same TCP connection
Set the maximum parse length high enough to catch the expected pattern; set case sensitivity and check every request
URL Delayed Bind and Header Insert: Device Manager and ANM
Application Delivery Networking Additional Features and Deployment Concepts
Defining VLANs
ACE Service Module:
config t
svclc multiple-vlan-interfaces
svclc module 2 vlan-group 1,2
svclc vlan-group 1 10,20
svclc vlan-group 2 999
Defining VLANs for a Context (ACE Module or Appliance):
config t
context PROD
  allocate-interface vlan 10
  allocate-interface vlan 20
ACE Appliance interface config:
interface gigabitEthernet 1/1
  channel-group 1
  no shutdown
interface gigabitEthernet 1/2
  channel-group 1
  no shutdown
interface port-channel 1
  switchport trunk native vlan 10
  switchport trunk allowed vlan 10,20,999
  no shutdown
ACE Device Virtualization: Multiple Virtual Devices
Redundancy provided at the virtual device level
Routing between virtual devices through an external routing device
Traffic doesn't cross over even when a VLAN is shared between virtual devices
A context can be configured in any design mode – routed, bridged, one-arm
Create context and associate VLAN interface example:
context WebServerContext
  allocate-interface vlan 102
Each virtual device (context) has:
Distinct configuration file
Own directory structure
Separate routing table
Guaranteed minimum resources
Distinct RBAC (roles and domains)
Independent application rule sets
Virtualization Resource Control: Resource Classes
Rates:
Bandwidth
Connections/sec
Management connections/sec
SSL bandwidth
Syslogs/sec
Memory:
Access lists
Regular expressions
Data, Mgmt, SSL connections
Xlates
Sticky entries
Resource classes define capacity per device context. Create one using the "resource-class" command:
resource-class WebResourceClass
Use the "member" command in context configuration mode to assign a resource class to the context:
context Web
member WebResourceClass
ACE Virtual Partitioning Model: Resource Management
Assign resources to contexts using resource-classes. Only one resource-class per context
By default, every context is a member of the 'default' resource-class, with unlimited access to system resources
Resources can be guaranteed to a context by setting min limits
Over-subscription of resources is allowed by setting max limits to unlimited
All limits are specified as a percentage
A maximum of 100 resource-classes can be configured
Protecting Resource Allocation
Create a virtual context (e.g. Resource_Context) that will not be used to process traffic.
Create a resource class with minimum values for all resource types (e.g. Reserved_Resources). Suggested: 10-20%
resource-class Reserved-Resources
limit-resource all minimum 20.00 maximum equal-to-min
Assign the resource class (Reserved_Resources) to the virtual context (e.g. Resource_Context).
Resources are committed to the reserve virtual context and cannot be accessed by any other context. Resources can be freed by lowering the values of the resource class assigned to the reserve context, and then allocating the freed resources as needed.
ACE Redundancy Model
Redundancy groups (fault tolerance, FT groups) are configured based on virtual context
Two instances of the same virtual context (on two distinct ACE modules) form a redundancy group, one being active and the other standby
The redundant ACE can be in the same or a different Catalyst 6500 chassis
Both ACE modules can be active at the same time, processing traffic for distinct virtual devices, and backing up each other (stateful redundancy)
Example: 2 ACE modules, 4 FT groups, 4 virtual contexts (A, B, C, D)
Figure: ACE-1 and ACE-2 joined by the FT VLAN; FT group 1 = A (Active) / A' (Standby), FT group 2 = B / B', FT group 3 = C / C', FT group 4 = D / D'
High-Availability Configuration on ACE: ACE Master Configuration, Configured in the Admin Context
Configure the shared alias IP address and the standby peer IP address
Define the FT peer (only one possible)
Define heartbeat interval and count
Define the FT VLAN number
interface vlan 110
ip address 10.25.91.201 255.255.255.0
alias 10.25.91.204 255.255.255.0
peer ip address 10.25.91.202 255.255.255.0
service-policy input remote-mgmt
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 999
query-interface vlan 110
High-Availability Configuration on ACE: ACE Master Configuration, Configured in the Admin Context
One FT group per context
Associate the context with an FT group
Define the FT peer per FT group
Define the peer priority
ft group 3
peer 1
priority 110
associate-context Admin
inservice
ft group 1
peer 1
priority 110
associate-context LoadBalancing
inservice
ft group 2
peer 1
priority 110
associate-context WAAS
inservice
View Resource-class Utilization
switch/C1# show resource usage
                                                     Allocation
  Resource                 Current      Peak        Min          Max   Denied
--------------------------------------------------------------------
Context: C1
  conc-connections               0         0     800000      7200000        0
  mgmt-connections               0         0        500         4500        0
  proxy-connections              0         0     104858       943716        0
  xlates                         0         0     104858       943716        0
  bandwidth                      0         0   50000000    450000000        0
  connection rate                0         0     100000       900000        0
  ssl-connections rate           0         0        100          900        0
  mgmt-traffic rate              0         0   12500000    112500000        0
  mac-miss rate                  0         0        200         1800        0
  inspect-conn rate              0         0        600         5400        0
  acl-memory                     0         0    7861044     78610432        0
  regexp                         0         0     104858      1048576        0
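The slide shows the table but not how to act on it. The following added example (Python, not ACE code) parses constructed output in this format and flags any context whose Denied column is nonzero or whose current use is close to its Max, which is what a resource-class cap looks like from inside a context that is being starved or flooded.

```python
"""Parse ACE 'show resource usage' output and flag contexts under pressure.
Added example in Python, not ACE code; the SAMPLE text is constructed to
mirror the slide's format and its numbers are made up."""
import re

# Constructed sample: C1 has denied xlate allocations, PROD is near its max.
SAMPLE = """\
switch/C1# show resource usage
                                             Allocation
        Resource         Current       Peak        Min        Max    Denied
--------------------------------------------------------------------
Context: C1
  conc-connections           0          0     800000    7200000         0
  xlates                 93000     104858     104858     943716      1200
  connection rate        85000      95000     100000     900000         0
Context: PROD
  conc-connections     7100000    7200000     800000    7200000       350
  regexp                     0          0     104858    1048576         0
"""

CTX = re.compile(r"^Context:\s+(\S+)")
# Resource names are lower-case words, optionally followed by " rate".
ROW = re.compile(r"^\s+([a-z-]+(?: rate)?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_resource_usage(text):
    """Return {context: {resource: (current, peak, min, max, denied)}}."""
    usage, ctx = {}, None
    for line in text.splitlines():
        m = CTX.match(line)
        if m:
            ctx = m.group(1)
            usage[ctx] = {}
            continue
        m = ROW.match(line)
        if m and ctx is not None:
            usage[ctx][m.group(1)] = tuple(int(v) for v in m.groups()[1:])
    return usage

def find_pressure(usage, headroom=0.9):
    """Flag resources with denied allocations or current use at or above
    `headroom` of max: a resource-class cap confines exhaustion to one
    context, but that context is still refusing work."""
    alerts = []
    for ctx, rows in usage.items():
        for name, (cur, _peak, _mn, mx, denied) in rows.items():
            if denied:
                alerts.append(f"{ctx}: {name} denied {denied} allocations")
            if mx and cur >= headroom * mx:
                alerts.append(f"{ctx}: {name} at {cur}/{mx} ({cur / mx:.0%} of max)")
    return alerts

if __name__ == "__main__":
    for alert in find_pressure(parse_resource_usage(SAMPLE)):
        print(alert)
```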
Basic ACLs: Device Access
Input ACL is needed to permit traffic.
Output ACL is not needed to permit traffic but if applied it would be followed.
All ACLs have an implicit deny at the end.
Support for global access-group and access-group per interface in a context
Basic ACLs: Device Access
L3/L4 ACLs: Security Access List
access-list NAME [line number] extended {deny | permit} {protocol} {src_ip_address netmask | any | host src_ip_address} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]
access-list NAME [line number] extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address} [type] [code operator code1 [code2]]
Recommended starting point for all configurations:
access-list EVERYONE line 10 extended permit ip any any
!
interface vlan 2
ip address 172.16.1.1 255.255.255.0
access-group input EVERYONE
no shutdown
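The EVERYONE list permits everything, so it is only a starting point. The following added example (Python, not ACE code) evaluates the extended ACL syntax above with first-match-by-line semantics and the implicit deny, and contrasts EVERYONE with a constructed WEB_ONLY list that admits only TCP 80 and 443 to the VIP 172.16.1.73.

```python
"""First-match evaluator for the extended ACL syntax shown above, added in
Python as an example (not ACE code). It models the ip/tcp/udp forms with the
`eq` and `range` port operators plus the implicit deny; WEB_ONLY is constructed."""
import ipaddress

def _spec(t):
    """Consume 'any | host A | A MASK' plus an optional 'eq P | range P1 P2'."""
    if t[0] == "any":
        net, t = ipaddress.ip_network("0.0.0.0/0"), t[1:]
    elif t[0] == "host":
        net, t = ipaddress.ip_network(t[1]), t[2:]
    else:
        net, t = ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]
    if t and t[0] == "eq":
        return net, (int(t[1]), int(t[1])), t[2:]
    if t and t[0] == "range":
        return net, (int(t[1]), int(t[2])), t[3:]
    return net, (0, 65535), t

def parse_acl(config):
    """access-list NAME line N extended permit|deny PROTO SRC [op] DST [op]
    -> {NAME: [(line, action, proto, src, sports, dst, dports), ...]} by line."""
    acls = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 9 or t[0] != "access-list" or t[2:5:2] != ["line", "extended"]:
            continue
        src, sports, rest = _spec(t[7:])
        dst, dports, _ = _spec(rest)
        acls.setdefault(t[1], []).append((int(t[3]), t[5], t[6], src, sports, dst, dports))
    for entries in acls.values():
        entries.sort(key=lambda e: e[0])  # entries are evaluated in line order
    return acls

def evaluate(entries, proto, src, dst, sport=0, dport=0):
    """Return the action of the first matching entry; no match means 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _line, action, p, snet, (s1, s2), dnet, (d1, d2) in entries:
        if p in ("ip", proto) and s in snet and d in dnet \
                and s1 <= sport <= s2 and d1 <= dport <= d2:
            return action
    return "deny"  # the implicit deny at the end of every ACL

# Constructed contrast: the slide's EVERYONE list versus a VIP-only list.
ACLS = parse_acl("""
access-list EVERYONE line 10 extended permit ip any any
access-list WEB_ONLY line 20 extended permit tcp any host 172.16.1.73 eq 443
access-list WEB_ONLY line 10 extended permit tcp any host 172.16.1.73 eq 80
""")
```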
Security Features: ACL with Object Groups
As the number of access-control list entries increases, managing the list can be very challenging
Object grouping allows you to streamline the configuration of multiple ACL entries in an ACL
By grouping like objects together, you can use an object group in an ACL entry instead of having to enter an ACL entry for each object separately
You can create the following types of object groups:
Network object groups
Service object groups (protocols and ports)
Dynamic NAT To a Pool of Addresses
class-map match-all NAT-CM
2 match virtual-address 172.16.1.73 any
policy-map multi-match LOADBALANCE
class NAT-CM
loadbalance vip inservice
loadbalance policy SLB_LOGIC
nat dynamic 1 vlan 100
interface vlan 20
ip address 172.16.1.1 255.255.255.0
service-policy input LOADBALANCE
no shutdown
interface vlan 100
ip address 192.168.1.1 255.255.255.0
nat-pool 1 192.168.1.100 192.168.1.150 netmask 255.255.255.0
no shutdown
Any packet sent from any client to 172.16.1.73 has its source IP translated to an address in 192.168.1.100-150 when it is sent out on VLAN 100. What will happen when you run out of addresses?
Figure: clients ("any") on the outside world side reach ACE on VLAN 20; ACE forwards to the internal network on VLAN 100 with source addresses taken from 192.168.1.100-150
Dynamic NAT: Client Connections PAT'd to VIP
class-map match-all NAT-CM
2 match virtual-address 172.16.1.73 any
policy-map type loadbalance first-match SLB_LOGIC
class class-default
serverfarm TELNET-SF
policy-map multi-match LOADBALANCE
class NAT-CM
loadbalance vip inservice
loadbalance policy SLB_LOGIC
nat dynamic 1 vlan 2
interface vlan 2
ip address 172.16.1.1 255.255.255.0
nat-pool 1 172.16.1.73 172.16.1.73 netmask 255.255.255.0 pat
service-policy input remote-mgmt
service-policy input LOADBALANCE
no shutdown
Any packet sent from any client to 172.16.1.73 has its source IP PAT'd to 172.16.1.73 when it is sent out on VLAN 2
Figure: client, router, ACE with VIP 172.16.1.73 and server (VLAN 20, VLAN 150 and VLAN 2 in the drawing); the server sees Client = 172.16.1.73
More Security Features in ACE
TCP/IP normalization
Built-in Transport Protocol Security
User Configurable, to meet Security Requirements
Application Protocol Inspection
Rate Limiting
Advanced HTTP Inspection
RFC Compliance
MIME Type Validation
Prevent Tunneling Protocols over HTTP Ports
Security Features: Denial-of-Service Protection, SYN Cookie
Completely stateless; no ACE memory entries are used
SYN ACK replies carry a cookie in the Sequence field of the TCP header
The cookie is generated from a 24-bit random number with the MSS encapsulated
If the ACK does not contain the correct cookie, ACE drops the packet
SYN Cookie is enabled per interface on ACE
ACE can guard against SYN floods by implementing a key feature called SYN Cookie. SYN Cookie provides a mechanism to authenticate TCP SYN packets
Appliance/PROD(config-if)# syn-cookie 100
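To make the stateless mechanism concrete, here is an added Python example (not ACE's implementation; the ISN layout and the keyed hash are assumptions following the classic SYN-cookie scheme) that builds a cookie into the SYN ACK sequence number and validates the returning ACK without any per-connection state.

```python
"""Stateless SYN-cookie check, added here as a Python example (not ACE's
implementation). Assumed layout for the 32-bit ISN, following the classic
SYN-cookie scheme: 5-bit time counter | 3-bit MSS index | 24-bit keyed hash.
The slide does not document ACE's actual encoding."""
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1220, 1360, 1440, 1460, 4312, 8960, 9000)  # index -> MSS
SECRET = b"constructed-demo-secret"  # a real device uses a random, rotating secret

def _hash24(secret, src, sport, dst, dport, count):
    """24-bit keyed hash over the 4-tuple and the 5-bit time counter."""
    msg = struct.pack("!4sH4sHB", src, sport, dst, dport, count)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(secret, src, sport, dst, dport, mss, count):
    """ISN to send in the SYN ACK. Nothing is stored for the half-open
    connection: the counter, the MSS and the hash all travel inside the ISN."""
    count &= 0x1F
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (count << 27) | (idx << 24) | _hash24(secret, src, sport, dst, dport, count)

def check_ack(secret, src, sport, dst, dport, ack, now, max_age=1):
    """Validate the handshake's final ACK from the packet alone. Returns the
    MSS to use, or None when the cookie is stale or does not verify (drop)."""
    isn = (ack - 1) & 0xFFFFFFFF
    count, idx, h = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    if ((now - count) & 0x1F) > max_age:
        return None  # cookie too old: replayed or long-delayed ACK
    if h != _hash24(secret, src, sport, dst, dport, count):
        return None  # forged cookie: this client never received our SYN ACK
    return MSS_TABLE[idx]

if __name__ == "__main__":
    client, vip = bytes([10, 0, 0, 5]), bytes([172, 16, 1, 73])
    isn = make_cookie(SECRET, client, 40000, vip, 80, 1460, count=7)
    print(check_ack(SECRET, client, 40000, vip, 80, isn + 1, now=7))  # 1460
    print(check_ack(SECRET, client, 40000, vip, 80, isn + 2, now=7))  # None
```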
Design Configurations
Design Configuration: ACE Service Virtualization
Figure: one physical device hosting Context 1 (the Admin context: context definition, resource allocation), Context 2 and Context 3, with a management station and AAA
Design Configuration: Router Mode
Servers in a dedicated IP subnet
VIPs usually in a different, routable subnet from the servers
Requires at least two IP subnets
Easy to deploy with many server IP subnets
Servers' default gateway: load balancer
Figure: ACE "routing" between Subnet A and Subnet B
Design Configuration: Bridge Mode
Servers in a routable IP subnet
VIPs can be in the same or a different subnet
Requires one IP subnet for each server farm
Servers' default gateway: upstream router
Figure: ACE "bridging" within Subnet A
Design Considerations: One-Arm Mode Overview
L2 rewrite not possible
Content switch not inline
Does not see unnecessary traffic
Requires PBR, the server default gateway pointing to the load balancer, or client source NAT
The return traffic is needed!
Not as common as bridge or routed mode due to problems with forcing traffic back to ACE in the return direction
Servers' default gateway: upstream router
Figure: ACE attached on one arm to Subnet B
PBR—Policy Based Routing, NAT—Network Address Translation
How Are Customers Using Virtualization? Security and Bridge Mode
Figure: an Admin partition alongside Partition A, Partition B and Partition C
"Bridge mode on the CSM was great, but ACE takes the same approach to a whole new level with virtualization"
"The security team continues to fully manage the FWSM and is comfortable with the bridge mode approach. In parallel, we have turned on some extra HTTP security features on ACE"
Each pair of bridged VLANs has its own configuration, independent management, and enhanced security
Summary: Questions and Answers
Recommended Reading: BRKAPP-2002
Source: Cisco Press
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Preferred Access points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.