AOS V23.0 Beta Training

8/12/2019 AOS V23.0 Beta Training

1/57

NORTEL NETWORKS CONFIDENTIAL

Application Switching

Nortel Application Switch OS 23.0

Planned Features


2/57

PG 2 NORTEL NETWORKS CONFIDENTIAL

Alteon OS 23.0 Major Features

> Customized Application Delivery> Converged Network Intelligence

> Secure Switching

> Networks and Standards

> Management Improvements

Creating a resi l ient netwo rk that in tel ligently,

accelerates and secures converged app l icat ions in

a global enterpr ise


3/57


4/57


Workload Manager

> Workload Manager monitors server resources

Implementation of the SASP protocolIBM Proprietary

Additional factor added to load balancing decision

Considers servers CPU, storage, network traffic in the final weight

Client1

Client2

Server Clusters

File Systems

LB decision

based upon

network traffic

to servers

Domain

Manager

LB decision hasan added weight

based upon

usage of servers

and attached

devices

Server Load Balancing


5/57


Configuring WLM

> Configure WLM Load Balancing/cfg/slb/wlm 1-16[Workload Manager 1 Menu]

addr - Set IP address for Workload Manager

port - Set port for Workload Manager

del - Delete Workload Manager

cur - Display current Workload Manager configuration

> Assign WLM to group (requires configuring the WLM)/cfg/slb/group 1

[Real Server Group 1 Menu]

wlmSet Workload Manager number

> Display statistics for WLM /stats/slb/wlm

Enter Workload Manager number (1-16):

> Display Information /info/slb/wlm


6/57


SoftGrid Servers Load Balancing

> Softricity SoftGrid

Delivering resources as needed - Same concept aspower grid - client uses apps only when required

Client1Requires

Word &

Powerpoint

Client2

Requires

only

Powerpoint Applicationsloaded on

these servers

Word

&Powerpoint

Delivered

Powerpoint

Delivered

Dumb terminals SoftGrid

Servers

Load balancing at Layer 7 not just layer 4


7/57


Configuring SoftGrid Servers

> Configure SoftGrid Load Balancing

/cfg/slb/virt /service rtsp

[Virtual Server rtsp Service Menu]

softgrid - Enable/disable SoftGrid load balancing

If SoftGrid is enabled, regular RTSP load balancing will not be available forthat service.


8/57


WTS Load Balancing

Client1

Client2

Window Servers

Load

Balancing

with

persistency

Session

Directory

Typical LBdecisions do

not guarantee

reaching the

same server

> Support for Microsoft Windows Terminal Services

Load balancing with persistency

WTS Health Checking


9/57


WTS Load Balancing Configuration

> Configure WTS Load Balancing/cfg/slb/virt /service 3389

[Virtual Server 3389 Service Menu]

wtsWTS Load Balancing Menu

[WTS loadbalancing and persistence Menu]

userhash - Enable userhash when there is no Session Directory Server

ena - Enable WTS load balancing and persistence

dis - Disable WTS load balancing and persistencecur - Display current WTS configuration


10/57


Customized Application Delivery

> P2P Cache Load Balancing Redirects traffic @ L7 without delayed binding

Configure P2P cache LB (transparent proxy redirection)/cfg/slb/real /adv

[Real Server Advanced Menu]subdmac - Enable/disable destination MAC address substitution

> Connection Pooling Improves SLB performance Offloads TCP setup and tear down on servers Configure connection pooling

/cfg/slb/virt/ /service 80 /http

[Http Load Balancing Menu]pooling - Enable/disable connection pooling for HTTP traffic

Statistics for connection pooling/stats/slb/layer7

[Layer7 Statistics Menu]

poolingShow connection pooling stats


11/57




> Secure Switching



Creating a resi l ient netwo rk that in tel ligently,accelerates and secures converged app l icat ions in a

global enterpr ise


12/57


Continuing to Deliver

Resilient VoIP -1

> SIP Operator Defined PortAllow the operator to change server SIP port to other than

UDP 5060

Configure operator defined port/cfg/slb/virt 1/service 5060/rport xxxx

> SIP Refer Method Support

Enable support for SIP Refer method for SIP proxy LB

Required for call transfer services

No configuration required


13/57



Resilient VoIP -2

> SIP parsing (SIP NAT and Gleaning) Provides SIP NAT functionality

Inspects SIP traffic to determine RTP ports

Open required pinholes and applies contracts

Configure SIP parsing

/cfg/slb/filt /adv/layer7/ sip

[Layer 7 SIP Menu]

rtpcont - Set BW contract for SIP RTP sessions

sipp - Enable/disable SIP parsing

cur - Display current SIP configuration

> SIP Options Health Check Support SIP health check type based on SIP OPTIONS (like HTTP

and RTSP) Current SIP health check initiates a SIP PING

Configurationcfg/slb/group /health


14/57



Resilient VoIP -3 Example of SIP Option transaction

OPTIONS 47.80.23.195 SIP/2.0Via: SIP/2.0/UDP 47.80.23.242;Max-Forwards: 70To: From: Call-ID: 45454545454 CSeq: 1

OPTIONS Contact: Accept: application/sdpContent-Length: 0

SIP/2.0 200 OKVia: SIP/2.0/UDP 47.80.23.242To:

From: Call-ID: 45454545454 CSeq: 2OPTIONS Contact:

Allow: INVITE, ACK, CANCEL, OPTIONS, BYEAccept: application/sdpContent-Type: application/sdpContent-Length: 0


15/57




> Secure Switching




accelerates and secures converged app l icat ions in a

global enterpr ise


16/57


Secure Switching

> Expanded Dos Attack Protection Extend DoS support to include additional DoS signatures

> Nortel TPS Enforcement Point Threats detected are blocked by switch

> Enhanced Intelligent traffic Management Symantec First Attack Protection

Multi-packet Inspection

Bogon filtering

Socket Based BWM Statistics Transfer

Packet Counters

Contract Based Mirroring


17/57


Expanded DoS Attack Protection - 1

> The following lists all DoS attacks in v23.0 iplen : IPv4 packets with bad IP header or payload length ipversion : IPv4 packets with IP version not 4. broadcast : IPv4 packets with broadcast source or destination IP loopback : IPv4 packets with loopback source or destination IP land : IPv4 packets with same source and destination IP

ipreserved : IPv4 packets with IP reserved bit is set ipttl : IPv4 packets with small IP TTL ipprot : IPv4 packets with IP protocol unassigned or reserved ipoptlen : IPv4 packets with bad IP options length fragmoredont: IPv4 packets with more fragments and dont

fragment bit set

fragdata IPv4 packets with more fragments bit set and smallpayload

fragboundary: IPv4 packets with more fragments bit set andpayload not at 8-byte boundary


18/57



> The following lists all DoS attacks in v23.0 fraglast : IPv4 packets last fragment without payload fragdontoff : IPv4 packets with non-zero fragment offset and don't

fragment bits set fragopt : IPv4 packets with non-zero fragment offset and IP options fragoff : IPv4 packets with small non-zero fragment offset

fragoversize: IPv4 packets with non-zero fragment offset andoversize payload

tcplen : TCP packets with bad TCP header length tcpportzero : TCP packets with source or destination port is zero tcpreserved : TCP packets with TCP reserved bit is set finscan : TCP packets with only FIN bit is set

vecnascan : TCP packets with only URG or PUSH or URG|FIN orPSH|FIN or URG|PSH bits are set

synfinscan : TCP packets with SYN and FIN bits are set


19/57



> The following lists all DoS attacks in v23.0 tcplen : TCP packets with bad TCP header length tcpportzero : TCP packets with source or destination port is zero tcpreserved : TCP packets with TCP reserved bit is set finscan : TCP packets with only FIN bit is set vecnascan : TCP packets with only URG or PUSH or URG|FIN or

PSH|FIN or URG|PSH bits are set synfinscan : TCP packets with SYN and FIN bits are set flagabnormal: TCP packets with abnormal control bits combination syndata : TCP packets with SYN bit set and with payload synfrag : TCP packets with SYN bit is set and more fragments bit is

set

ftpport : TCP packets with SPORT=20, DPORT


20/57


21/57


22/57


DoS Attack Protection

Configuration - 1

/cfg/sec/dos

[DoS Attack Prevention Menu]ipttl - Set the smallest allowable IP ttl for ipttlIpprot - Set the highest allowable IP protocol for ipprotfragdata - Set the smallest allowable IP fragment payload for fragdatafragoff - Set the smallest allowable IP fragment offset for fragoffsyndata - Set the largest allowable TCP SYN payload for syndataIcmpdata - Set the largest allowable ICMP payload for icmpdatahelp - DoS attack prevention descriptioncur - Display current DoS attack prevention

/cfg/sec/dos/curCurrent DoS attack prevention settings: ipttl 1, ipprot 137, fragdata 32,

fragoff 4, syndata 0, icmpdata 800


23/57


DoS Attack Protection

Configuration - 2

/cfg/sec/port

[Port Menu]add - Add DoS attack to preventionaadd - Add all protocol anomaly/DoS attack to preventionrem - Remove DoS attack from prevention

arem - Remove all protocol anomaly/DoS attack from preventionhelp - DoS attack prevention description


24/57


Nortel TPS Enforcement Point -1

Client Network Server Farm / Data Center POE / WI-LAN

Nortel TPS

Nortel ApplicationSwitch

Nortel TPS

Nortel DefenseCenter

Enforcement Instructions

Event Monitoring

Event Monitoring

Event Analysis

Out of path

monitoring with in

path enforcement

Terminate existing

sessions and stop

new sessions

Retrieve

instructions from

events learned

elsewhere


25/57


Nortel TPS Enforcement Point -2

> Nortel TPS Enforcement Point Dynamically add/remove filters/ACLs Syslog captures addition/deletion of filters/ACLs

Manually set filters/ACLs

ACLs can be issued to

block source IP block destination IP

block source network

block destination network

delete session


26/57


Enhanced ITM-1

> Symantec First Attack Protection (Maintenance Release) Integrate Symantec IPS Engine

> Multi-packet Inspection Permit the chaining of pattern groups

Match multiple patterns across multiple IPv4 packets

Configure multi-packet inspection/cfg/slb/filt /adv/sec/parsechn

> Socket Based BWM Statistics Transfer Change BWM statistics transfer from SMTP to Socket Based

User configurabledefault SMTP

Configure socket based stats/cfg/bwm/email disable

/cfg/bwm/report

report - Set IP address of Reporting server


27/57


Enhanced ITM -2

> Packet Counters Extend current stats to maintain BWM statistics for packet count per

contract

Permits the calculation of avg packet size

> Contract Based Mirroring

Available in maintenance mode Used to isolate traffic for troubleshooting / analysis

Configure

/cfg/bwm/cont x

pmirr - Set monitoring port for packet mirroring

> Bogon Filtering


28/57


Automated BOGON Support

BOGONs (Bogus

Networks) are

unassigned IP

Address Ranges

BOGONs should

NEVER be seen

entering or exiting

your network

BOGON ranges are

commonly used to

spoof IPv4 packets

for large-scale

attacks

Not efficient to

manage 8k+ ever

changing filters

UNTIL NOW!


29/57


Content Switching Enhancements -1

> Stateful Failover Supports session failover on service basis

Services supported are SIP, FTP & NAT filters

Uses proprietary protocolNAAP

Configure stateful failover/cfg/slb/port /intersw

/cfg/slb/virt /service

mirrorenable/disable session mirroring

/cfg/slb/filt x/adv/mirror

Statistics/stats/slb/mirror


30/57


31/57


Content Switching Enhancements - 3

> VPNLB Persistence

Glue the IPSEC connection to the existing IKE connection Required when VPN link flaps because hash will send IPSEC

connection back to original server but IKE connection iselsewhere


32/57



> Buddy Server Health Check

Ability to tie the load balanced servers health to a non load-balanced server

Real Server is only marked up when buddy server is availablebuddy server may use different health check

NOT same us buddy groupsthis marks individual server and not

server group Configuration

/cfg/slb/real /adv/buddyhc

[Buddy Server health check Menu]

addbds - Add Buddy serverdelbds - Delete Buddy server

cur - Display current buddy server configuration


33/57



> Backup Only Server

Support for Server as Backup ONLY (not overflow)Allows operator to impose maximum session capacity (paid

services) and still provide for resiliency

Configure backup only server/cfg/slb/real

[Real Server Menu]

OverfloEnable/disable backup on overflow

> Configurable Session Timeout per Service Provide different session timeout values on a per service basis

Custom timeout values per service, only available for filters now

Configure timeout per service/cfg/slb/virt /service 80

[Virtual Server http Service Menu]

TmoutSet minutes inactive connection remains open


34/57



> Send Resets when Switch DENYs a TCP Packet Switch sends RST instead of waiting for server to timeout

Alternative server needs to time out the connections

> Configurable RTSP Control PortAllow the operator to specify the RTSP control port

Currently fixed to 554

Configure RTSP control port/cfg/slb/virt service 100/rtsp

[RTSP Load Balancing Menu]

rtspslbSet RTSP URL Load balancing type

> Proxy Support Insert Cookie Mode Insert Cookie mode when operating in a proxied environment


35/57



> Customized Application Delivery

> Converged Network Intelligence

> Secure Switching

> Networks Standards




global enterpr ise


36/57


Network Standards

>V23.0 provides support for the followingstandards

Phase 1 IPv6

XML Configuration API

Hosted Overlap NAT Support

RIPv2

802.1s and 802.1w


37/57


Phase 1 IPv6 -1

Includes IPv6 GW, Static Route, VIP, Filter (allow | deny),

Management Port = IPv4 Configure IPv6

/cfg/l3/ip/if

[IP Interface Menu]

ipver - Set IP version

mask - Set subnet mask/prefix length

>> IP Interface # ipver

Current ip version: v4

Enter ip version: v6

>> IP Interface # maskCurrent Prefix length: 0

Pending new Prefix length: 64

Enter new Prefix length [1-128]: 64


38/57


39/57


IPv6 - 3

Filter Configuration>> Main# /cfg/slb/filt

[Filter Menu]

ipver - Set IP version

New commandPing 6 to ping ipv6 address

Statistics

/stats/l3/ipv6


40/57


IPv6 - 4

Information>> IP# /info/l3/

[Layer 3 Menu]

route6 - IPv6 Routing Information Menu

nbrcache - IPv6 Neighbor Cache Information Menu

>> Layer 3# route6

[IPv6 Routing Menu]

dump - Show all routes

>> IPv6 Address Resolution Protocol# /i/l3/nbrcache

[IPv6 Address Resolution Protocol Menu]

dump - Show all IP6 neighbor cache entries


41/57


IPv6 - 5

Information continued>> Server Load Balancing Information# /info/slb/sess

[Session Table Information Menu]cip6 - Show all session entries with source IP6 addressdip6 - Show all session entries with destination IP6 addressdump - Show all session entries

>> Session Table Informationdump 4dump 6

dump (dump ip4 and ip6 sessions)


42/57


XML Configuration API

Provides common API to manage switch

Removes requirement to constantly develop unique APIs

Maps all configuration CLI commands to XMLcommands

Secured transport

Configure XML API

/cfg/sys/access/xmlxml - Enable/disable XML config access

port - Set XML server port number

gtcert - Import XML client certificate

delcert - Delete XML client certificate

dispcert - Display XML client certificatecur - Display current XML config access configuration


43/57


Hosted Overlap NAT

Support the NAT of overlapping client IP addresses with unique

VLANs

Return traffic returned to original client VLAN

Configuration

/cfg/slb/adv

pvlantagEnable/disable preserving vlan tag during packet forwarding


44/57



> Customized Application Delivery

> Converged Network Intelligence

> Secure Switching





global enterpr ise


45/57


Management Enhancements

> FTP Transfer Support

Support FTP as transfer alternative to TFTP Supported over data and/or management port

image, config, tsdump and panic dumps upload and download

Hostname, filename, user and password are requested

> Configuration Ranges Permit configuration using ranges for ports, trunks, real servers

and filters

Ex. /cfg/po 1-10/pvid 5sets ports 1 through 10 to defaultVLANID 5

> Comprehensive Boot Logging Logs S/W version, boot code, firmware during boot process


46/57


Management Enhancements

> Port Aliasing Reference port by name rather than number

> Query Encryption License/ Switch serial number Obtain encryption licenses or serial number of switch

CLI and SNMP

> Delete Specified Session EntryAllow operator to delete a specific session entry without clearing

entire session table


47/57


EMS Enhancements

> Job Scheduler Handles scheduling jobs by users

Supported jobs include ITM signature update, Bogon File Update,TSDMP,CFG dump etc.

> SLB Wizard

Intended for first time or novice users Intuitive and Easy to use

> New EMS server ClientServer architecture

Entirely rewritten in Java

Handles multiple switches Centralized MySQL Database

Jetty Webserver


48/57


ASEM Server Architecture


49/57


Backup Slides


50/57


RIPv2 -1

Implement Routing Information Protocol version 2 RFC2453

RIPv2 Password per RIP Interface Add RIP password name to support the multiple RIPv2 interfaces

Variable length subnet mask in updates

Next hop router address

Configure RIPv2

/cfg/l3/rip

[Routing Information Protocol Menu]

if - RIP Interface menu

update - Set update period in seconds

on - Globally turn RIP ON

off - Globally turn RIP OFF

current - Display current RIP configuration


51/57


RIPv2 -2

>> Routing Information Protocol# if 12

[RIP Interface 12 Menu]

version - Set RIP version

supply - Enable/disable supplying route updates

listen - Enable/disable listening to route updates

default - Set default route actionpoison - Enable/disable poisoned reverse

trigg - Enable/disable triggered updates

Mcast - Enable/disable multicast updates

metric - Set metric

auth - Set authentication type

key - Set authentication keycurrent - Display current RIP interface configuration


52/57


RSTP & MSTP Support -1

> Rapid Spanning Tree (RSTP) Evolution of 802.1d Supports only single Spanning tree

Faster convergence times

3 operational states Discarding

Learning

Forwarding

> Multiple Spanning Tree (MSTP) Extension of RSTP to Multiple Spanning Trees

Backward compatible with 802.1d and 802.1wAssociates group of vlans to a single spanning tree instance

Load balancing

Multiple forwarding paths

16 instances and one CIST


53/57


RSTP & MSTP -2

Configure RSTP & MSTP

Main# /cfg/l2/

[Layer 2 Menu]

mrst - Multiple Spanning Tree/Rapid Spanning Tree Menu

cist - Common and Internal Spanning Tree menu

name - Set MST region nameversion - Set Version of this MST region

maxhop - Set Maximum Hop Count for MST (6 - 40)

mode - Spanning Tree Mode

on - Globally turn Multiple Spanning Tree (MSTP/RSTP) ON

off - Globally turn Multiple Spanning Tree (MSTP/RSTP) OFFcur - Display current MST parameters

D li i R ili t S V IP


54/57


Delivering Resilient Secure VoIP

Customer Challenges

> VoIP networks require 5 x 9suptime

> SIP Proxy server is the brain ofIP Telephony networks

REGISTER and

INVITE John INVITE John

SIP Call Server Clusters

SIP 200/OK

SIP 200/OK

Application Switch

Solution provides resiliency,with security

Maintains performance with SIP Proxy

application level Health checking

Offloads Proxys response to SIP clienthealth/info checks

Ensures persistence based on the SIP

protocol call ID

Secures Proxy with wire speed NAT and

DoS filtering to ensure minimum latency in

IP Telephony networks

Secures Traffic with SSL Acceleration


55/57


56/57


Layered Security

ScanSynFin DoS Attack

Anti-Spoofing

Worms, Viruses, Trojans

Peer-to-Peer

Instant Messaging, Internet Radio

VoIP uaranteedimited

Nortel Internal

POR / Roadmap

ONLY

Under Strict NDA


57/57

Nortel Application Switch Roadmap

> Resilient VoIP> Secure Switching

Connection Management Offload certain functions to specialized hardware Server Cloaking

XML acceleration> Guaranteed Application Delivery

Retry until response is obtained Inform operator before end users

Protocol Optimizations

Asymmetric Compression for any protocol Object caching

Creating a resi l ient netwo rk that intel l igently, accelerates and

secures converged appl icat ions in a global enterpr ise

Documents

AOS V23.0 Beta Training