Application Switching Technology and Benefits Switching Technology and Benefits ©Foundry Networks, Inc. 2 • Application and Server Farm Challenges • Application …

IT-Symposium 2005 05. April 2005

www.decus.de 1

Application Switching Technology and Benefits

©Foundry Networks, Inc.22

• Application and Server Farm Challenges

• Application Switching Technology Fundamentals

• Benefits of Application Switching

• Foundry Application Switching Highlights

• Summary

Agenda


www.decus.de 2


Business-Critical Enterprise Application Requirements

Business-CriticalIP and Web Application

Services

HighAvailability

Scalability

NetworkResiliency

Security

Manageability

Performance


High Availability and Security Challenge

• Service Availability ChallengesServer or Application Goes DownApplication Software or OS Needs PatchingServer Load Surges and Performance DeclinesData Center Loses Power

Client

Web Apps

Email

Financial Apps

Server Farm

ERP Apps

DoS Attack

Hacker

IP Network

IP Network

• Networked Applications are Subject to Vulnerabilities

Denial of Service AttacksVirus and Worm AttacksApplication Level ExploitsAbuse of Server and Network Resources

Result – Disruption to Service and Loss of Revenue and/or Productivity


www.decus.de 3


Poor Server Performance, Scalability and Utilization Results in Poor ROI

Web Apps

ERP Apps

Server Farm

Forklift Upgrade

Growing Needs

Web Apps

Email

Financial Apps

Server Farm

ERP Apps

IP Network

IP Network

• Performance and Response Time Suffer when Load Surges• Poor Server Utilization with Protocol (TCP/IP) Overhead• Forklift Upgrades to Meet Growing Demands• Service Disruption During Upgrades• No Investment Protection






• Summary

Agenda


www.decus.de 4


Application Switches Enable• On Demand Server Scalability• High Availability Automatic Failover• Best Response Time and Performance• Robust Security from Most Attacks• Server Resource Conservation by

Offloading Functions to the Network• Maximized Server Utilization and Better

Return on Investment (ROI)

Virtual Server Farms for High Availability, Security and Scalability

Virtual Application Infrastructure

Application Switching

Web Apps

Email

Financial Apps

Server Farm

ERP Apps


Application Switching and Load Balancing Overview

Clients

Virtual Application InfrastructureApplication Switching

Server Farm

Web Apps

IP Network

IP Network

• Application Switch Receives All Client Requests• Selects “Best” Resource Using Real-Time Health and Performance• Utilizes All Resources Simultaneously• Intelligently Distributes Load to All Available Resources

• User Configurable Choice of Methods

• Shields Servers Farm from Attacks and Abuse


www.decus.de 5


Application Switching and Virtual Server Farm Fundamentals

Application Switch

Clients

10.1.1.10

10.1.1.20

10.1.1.30

VIP = 40.1.1.1

Client MessageSource IP = Client IPDest IP = Load Balancer VIP

After NATDestination IP = 10.1.1.10Source IP Change if SNAT Used

GW IP = 10.1.1.1

Default Gateway = Load Balancer IP

VIP = Virtual IP

NAT = Network Address Translation

SNAT = Source NAT

IP Network

IP Network

• Clients Connect to Applications Services using Virtual IP (VIP)• VIP Address is Owned by the Application Switch

• Application Switch Performs Address Translation after Server Selection• Server Addressing is Private and Secure


Stateful Load Balancing and Session Table

1 2 3 4

1 2 3 4

RS38049510.1.1.30188.1.1.102

RS28025010.1.1.20188.1.1.101

RS18010010.1.1.10188.1.1.100

ServerDst. PortSrc. PortDest. IPSrc. IP

Session Table

1 2 3 4

Clients

IP Network

IP Network

Application Switch 10.1.1.10

10.1.1.20

10.1.1.30

VIP = 192.1.1.1GW IP = 10.1.1.1

• Session Boundaries Maintained• For the Duration of the Session,

• Each User Flow is Assigned a Session Entry in the Table

• Each Flow is Bound to a Specific Server• All Messages over a Flow Sent to the

Same Server


www.decus.de 6



Web Apps

Email

Financial Apps

Server Farm

ERP Apps

ServerIron High Availability and Stateful Failover for Total Resiliency

Session Table

RS280101192.1.1.1188.1.1.100

RS180100192.1.1.1188.1.1.100

ServerDestination PortSource PortDestination IPSource IP

RS280101192.1.1.1188.1.1.100

RS180100192.1.1.1188.1.1.100


Synchronized Session Table

RS280101192.1.1.1188.1.1.100

RS180100192.1.1.1188.1.1.100


RS280101192.1.1.1188.1.1.100

RS180100192.1.1.1188.1.1.100

ServerDestination PortSource PortDestination IPSource IP• Session Table Synchronized Between Two Switches

• No Loss of Service When Switch Fails• Second Switch Detects Failure and

Services User Flows• Rapid Failure Detection and Session

Failover are Required• Failover is Totally Transparent to User

NOTE: Without Stateful Failover, Application Switch Failures will Result in Termination of All Active User

Sessions Causing Significant Service Disruption


Application and Server Health Checking

• Periodic Health Check Requests Sent to Server/Application• Server and/or Applications Marked Unavailable when Checks Fail• Health Checks Can be Customized for Diverse Needs

Layer 2/3 (ARP, Ping), Layer 4 (TCP and UDP messages)Layer 7 (HTTP, Application Specific, SSL, Scripted)

• Dedicated Processing Capacity and Resources for Health Checks Onthe Application Switch Ensures Rapid Detection of Failures and Failover of User Service Requests

Load Balancer

Request

Response

Application taken out of service

Request

HTTP

FTP

Server taken out of service

HTTP

FTP


www.decus.de 7


Delayed Server Binding Concept & Benefits

• Application Switch Acts as a Connection Proxy and Delays Server Selection Until After Application Content is Received

Server Connection Completed After Inspecting Application Messages Received

• Server Selection Based on Layer-7 Application ContentHTTP Header, URL, Session ID, Cookie, XML, and Others

• Eliminates Need for Content/Service Replication on All Servers

Complete Connection

Application Switch

Client

TCP SYN

TCP SYN ACK

TCP ACK

1

2

3HTTP Request4

1 2 3 4

Select “best” server using Layer-7 content

5

Data Exchange

6

IP Network

IP Network


Layer-7 Content Examples

• Avoid Replicating Content and Application Services on All Servers• Distinguish Service Requests By Inspecting Content and Switching

Simply Content Management on ServersMaximize Server UtilizationFilter Information and Prioritize

• Widely Used Content Switching ExamplesURL full, prefix and suffix matchBrowser type, device type and language codeHTTP Cookies for Persistence and High AvailabilityXML Switching (For Web Services and Protocols Using XML)

Text Content

Image Content

IP Hdr TCP HdrHTTP Hdr

URL Prefix

/home. foo.com/*.htm

Client

IP Network

IP Network

CGI

www.foo.com/*.gif

www.foo.com/*.binURL

Switch


www.decus.de 8


Session Persistence Concept & Benefits

• Persistence Defined – Sticking a “User” to the Same ServerNot Load Distribute Connections from the Same UserLoad Distribution is Done for New Connections from New Users

• Persistence Required when Application Transactions Span Across Multiple TCP Connections (Stateful Sessions)

• Unique Layer 3, 4 and 7 User Identifiers Used for Persistence

Load Balancer

Connection to Browse Book 11

Connection to Add Book 1 to Cart2

Connection to Browse Book 23

Connection to Add Book 2 to Cart4

Connection to Checkout Cart51 2 3 4 5

Transaction persistence maintained

Client

IP Network

IP Network


Session Persistence Mechanisms

• Layer 4 TCP Connection PersistenceSource IP & Port, Destination IP & Port, Protocol

• UDP Session Persistence using Layer 3/4UDP is Connectionless and Requires Aging Approach for Stateful SupportSource IP & Port, Destination IP & Port, ProtocolInactivity Timeout used to Age and Clear Sessions

• Layer 7 Cookie Switching/PersistenceCookie Inserted in the HTTP Header (Typically by Servers)All Connection Requests with Same Cookie are Switched to Same ServerApplication Switches can Insert Cookies if Servers Do Not

• Cookie is not Visible when using SSL Connections – Requires Persistence Using Source IP or SSL Session ID

Alternatively, SSL Termination May be Used to Make Cookie Visible


www.decus.de 9


Load Balancing to Oracle Application Server using Cookie Switching

Oracle Database

• Oracle Application Server 10g – Oracle Certification ProgramMultiple Vendor Solutions Certified in Different Configurations

• Application Switch Front Ends Web, Directory and Single Sign-On Servers Providing High Availability and Scalability

• Best Practices Deployment of Application SwitchLayer 4 Stateful Load Balancing with Failover (with IP Persistence)Layer 7 Cookie Persistence to Web ServersSSL Acceleration as an Optional Function to

Accelerate SSL PerformanceProvide Clear Text Visibility to HTTP Cookie

Web Servers

Application Switch

Clients

IP Network

IP Network


Cookie:JsessionID=SessionID!rs1!rs3

• May be Deployed to Use Dynamic Session ReplicationOriginal Server Selects a Secondary Server for Session ReplicationCreates a Cookie String that Identifies Primary (Original) and Secondary Servers

• Server Inserts BEA Specific Cookie with Primary and Secondary Server IDs in the Cookie String

• Switch Inspects Cookie to Direct Requests to Appropriate ServerRequest Sent to Primary Server if it is UpRequest Sent to Secondary Server if Primary Server Down

Load Balancing to BEA WebLogicApplication Server

Application Switch

Client

IP Network

IP Network

rs1 – Primary Server

rs2 – Secondary Server

Session Replication

BEA WebLogic serversBEA Server Cookie


www.decus.de 10


Maximizing Server Utilization and Accelerating Applications - Need for Connection Offload

TCP Connection SetupApplication Request

Application Response

123

Connection Tear Down4

5

2 3

Servers



567

Connection Tear Down

86 7

HTTP1.0 /1.1 Connections

HTTP1.0/1.1Connection

1

• Each New Client Connection Triggers a New Connection to Server• HTTP1.0 Even Worse – Only One GET/REPLY per TCP Connection

• Connection Setup and Tear Down Add Significant Overhead to Servers• Studies Show Connection Management Overhead on Servers is 30 to 40%

• Connection Overhead Slows Down Service Response Time

4

8Clients

IP Network

IP Network


ServerIron



123


1 2 3



567


6 7

HTTP1.0 /1.1 Connections

HTTP1.1 Connection

No TCP setup or tear down

HTTP Connection Offload on Application Switches

ServersClients

• Switch Streams Many Client Connections Over Few Server Connections• Re-Uses Server Side Connection and Reduces Connection Management Overhead

• Servers See Very Few Connection Setups and Tear Downs• Security is Improved By Eliminating Direct Client-Server TCP Interaction

• Improves Service Response Time by Making More Server Resources Available for Application Content


www.decus.de 11


Maximizing Throughput for Bulk Transfer Applications – Direct Server Return (DSR)

Server Loopback IP = Load Balancer VIP

Application Switch

10.1.1.10

10.1.1.20

10.1.1.30

VIP = 40.1.1.1

Layer-2Switch

1

23

• Maximizing Throughput Requires Switching Traffic at Wire-Speed

• Return Traffic in Direct Server Return Mode Bypasses the Application Switch

• Inbound Requests are Received and Distributed by the Application Switch

• Ideal for Bulk Transfer Applications Like• Streaming Media• FTP• E-Mail


Key Server Farm and Application Security Functions

Legitimate Traffic


Miss-Critical Application Servers

Legitimate Client

Application Switch

Blocked Application Messages

Hacker

Multi-Gigabit Rate Denial of Service Attack

IP Network

IP Network

Denial of Service Attack Protection from SYN and ACK FloodsApplication Level Rate Limiting of Server and Client ConnectionsSPAM Protection and Mitigation

Always-On Traffic Monitoring and Network VisibilityVirus and Worm Protection with Content Inspection and FilteringHigh Performance ACL and NAT

Security without Sacrifice - Peak Application Performance Under Attack


www.decus.de 12






• Summary

Agenda


Improve Return on Server Investment

• Use Servers of Varying Capacity and PerformanceInvestment Protection in ServersAdd Required Server Capacity On-Demand

• Application Switches Distribute Requests on Server Weight (Capacity)• Leverage Installed Servers – Avoid Forklift Upgrades• Optimize Capital Cost by Using Diverse Vendors

Clients


Server Farm

Web Apps

IP Network

IP Network


www.decus.de 13


Ease Server Farm Management and Operations

• Scale Server Capacity On-Demand• Transparently Add and Remove Servers and Applications

Server Slow-Start Prevents Overwhelming New Servers when Brought OnlineGraceful Shutdown Ensures Successful Completion of User Sessions Prior to De-Commissioning a Server/Application

• Server Maintenance and Application Software Patching No Longer Require Scheduled Downtime

Clients


Server Farm

IP Network

IP Network

New Server

Remove for Maintenance

Add Resources on Demand


Differentiated Services and Application QoS

• Differentiate Application Users with Layer 4-7 Application Intelligence• Customize Performance, Response Time and Service Offerings for

Diverse User Needs• Application Switches can Differentiate Clients Using

Cookies, XML Tags, Application Level IdentifiersSource IP based Access Policy Lists

Clients

IP Network

IP Network

Gold Servers

Application Switch

Silver Servers

Content Inspection to Identify User Class and Switch to

Appropriate Servers


www.decus.de 14


Summary – Optimizing Applications

• Business-Critical Application Infrastructure Requires• High Availability• Security• Accelerated Performance• Scalability for Growth• Best ROI

• Application Switching Uses Higher-Layer Intelligence to• Protect IP and Web Services from Downtime Due to Failures• Increase Service Response Time by Offloading Servers• Offer Unlimited and On-Demand Scalability for Growth• Secure Server Farms and Applications






• Summary

Agenda


www.decus.de 15


Plug-in L4-7 blade for L2-3 switchesPro: Leverage an existing systemCon: Complex to understand flows, bottleneck in performance, lag in functionality

Three Layer 4-7 Product Approaches

Purpose-built L4-7 Switch - FoundryPro: Performance, Scalability, Functionality and SimplicityCon: A new product to install

Software on a PC (or PC with Switch)Pro: Feature FlexibilityCon: Poor performance and scalability, inadequate security, limited availability, hard disks, forklift replacements as needs change


• 6 Years of Layer 4-7 Innovation and Leadership

• Globally 500,000+ Cumulative Ports Installed

• Industry Records in Performance and SecurityHighest Application Connections/Second

Up to 300,000 Layer 4 Connections per Second @ 1K Object ResponseUp to 100,000 Layer 7 Connections per Second @ 1K Object Response

Multi-Gigabit Rate Wire-Speed Denial of Service (DoS) ProtectionScalable up to 15 Million Attack Packets per Second (Wire-Speed 10 Gig Rate)

Scalable to 12 Gbps of Application ThroughputEven More Application Throughput with Direct Server Return ModeWire-Speed Layer 2/3 Switching Throughput

• Highly Scalable and Comprehensive Product LineRange of Products for Entry Level, Mid Range and High Performance NeedsN+I Tokyo 2004 “Best Enterprise Infrastructure” Product Award

Foundry ServerIron Layer 4-7 Application Switches


www.decus.de 16


Industry’s Most CompleteApplication Switching Solution

SI 450

SI 850

GT-EGx2

XL-16

XL-24

1x 3x 6x 8x

Performance

Pri

ce

10K

15K

25K

35K

GT-E10Gx2

45K

15x**With Optional Dual-WSM6

GT-EGx4P

Entry-Level – Essential Features and Best Price

Expandable, Feature-Rich, “stackable pricing”

High-Performance, Highly Scalable

Pre-ConfiguredFixed Configuration

GT-EGC16

GT-E2404

Modular Chassis

Complete Range of Web Acceleration Devices

Fixed Configuration

1x 25x 50x

SA-200

SA-400

SA-800

SA-F400

L4 CPS SSL L4 CPS

L4-7 Application Switches Web Accelerators

Thank You

Documents

Application Switching Technology and Benefits Switching Technology and Benefits ©Foundry Networks, Inc. 2 • Application and Server Farm Challenges • Application …