© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
1
© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKAPP-201314361_04_2008_c1 2
Best Practices for Application Optimization Illustrated with SAP, Siebel and Exchange
BRKAPP-2013
Cisco Application Delivery Networks
WAN Acceleration: data redundancy elimination, window scaling, LZ compression, adaptive congestion avoidance
Application Acceleration: latency mitigation, application data cache, meta data cache, local services
Application Optimization: delta encoding, FlashForward optimization, application security, server offload
Application Networking: message transformation, protocol transformation, message-based security, application visibility
Application Scalability: server load-balancing, site selection, SSL termination and offload, video delivery
Network Classification: quality of service, network-based app recognition, queuing, policing, shaping; visibility, monitoring, control
WAN
Other Cisco Live Breakout Sessions that You May Want to Attend
BRKAPP-2014 Deploying AXG
BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Siebel and Exchange
BRKAPP-2011 Scaling Applications in a Clustered Environment
BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization
BRKAPP-1009 Introduction to Web Application Security
BRKAPP-1008 What can Cisco IOS do for my application?
BRKAPP-3006 Troubleshooting WAAS
BRKAPP-2005 Deploying WAAS
BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers
BRKAPP-2017 Optimizing Application Delivery
BRKAPP-1016 Running Applications on the Branch Router
BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers
BRKAPP-1004 Introduction WAAS
BRKAPP-3003 Troubleshooting ACE
BRKAPP-2002 Server Load Balancing Design
Relevancy: Applications, ISR, GSS, WAAS, ACE, AXG, ACNS
Agenda
Cisco Validated Designs
Data Center Infrastructure
Service Integration
Data Center Evolution
Cisco Validated Designs: The Program
Cisco Validated Designs: What Is the Value?
Cisco Validated Designs: Continuously Improving the Solution
Agenda
Cisco Validated Designs
Data Center Infrastructure
Service Integration
Data Center Evolution
Layers and Services
Aggregation
Edge
Access
Core
Fabric Routing Services
Data Replication Services
Storage Virtualization
Virtual Fabrics (VSANs)
Content Caching
SSL Offloading
Firewall Services
Intrusion Detection
Server Balancing
Server Virtualization
Remote DMA Services
Virtual I/O
Clustering Services
Compute Fabric Services
Network Analysis
DC Functional Layers
VPN Termination
File Caching
Core
Fabric Gateway Services
Storage/Tape Farms
DoS Protection
Server Clusters
Server Farms
Data Center Architecture Overview
Blade Chassis with Integrated Switch
L3 Access
Blade Chassis with Pass Thru
Mainframe with OSA
L2 with Clustering and NIC Teaming
Enterprise Core
DC Aggregation
DC Access
DC Core
Layers of the Enterprise Multi-Tier Model
Aggregation Layer
Aggregation Layer Design: Spanning Tree Design
Root Primary, HSRP Primary, Active Context
Root Secondary, HSRP Secondary, Standby Context
Core
Rootguard, LoopGuard, BPDU Guard, UDLD Global
Aggregation Layer Design
Integrated Services: Firewall, Load Balancing, SSL
Aggregation Layer Design: Active-Standby Service Design
Root Primary, HSRP Primary, Active Context
Root Secondary, HSRP Secondary, Standby Context
Core
Aggregation Layer Design: Active-Active Service Design
Root Primary, HSRP Primary, Active Context
Root Secondary, HSRP Secondary, Standby Context
Core
VLAN 6: Root Secondary, HSRP Secondary, Standby Context
VLAN 5: Root Secondary, HSRP Secondary, Standby Context
vlan5 vlan6 vlan6 vlan5
Aggregation Layer Design: Establishing Path Preference for Applications
Core
vlan5 vlan6 vlan6 vlan5
1. ACE Probes to Real Servers in VIP to Determine Health
2. If Healthy, Installs Host Route to VIP on Local MSFC
3. Route Map on Host Route Sets Preferred Metric of Route
   route-map RHI permit 10
    match ip address 44
    set metric-type type-1
4. If Context Failover Occurs, RHI and Route Preference Follow
Core and Aggregation Layer Design: STP, HSRP and Service Context Alignment
Root Primary, HSRP Primary, Active Context
Root Secondary, HSRP Secondary, Standby Context
Core
Aggregation Layer Design: Using VRFs in the DC (1)
Agg1, Agg2
VRF-Green
VRF-Blue
VRF-Red
802.1Q Trunks
VLANs Isolate Contexts on Access
Alternate Primary Contexts on Agg1 and 2 to Achieve Active-Active Design
Firewall and SLB Contexts for Green, Blue, and Red
MPLS or Other Core
DC Core
Aggregation Layer Design: Using VRFs in the DC (2)
PE, PE
WAN/Branch, Campus
Blue VRF, Green VRF, Blue VRF, Green VRF
Red VRF, Red VRF
Core: P-Nodes
DC Core
Agg Module 1: 802.1Q Trunks
Agg Module 2: 802.1Q Trunks
Access Layer Design
Access Layer Design: Defining Layer 2 Access
802.1q Trunks
L3
L2
Agg1, Agg2
Inter-Switch Link
DC Core
Primary Root, Primary HSRP, Active Services
Secondary Root, Secondary HSRP, Standby Services
Access Layer Design: Establish a Deterministic Model
802.1q Trunks
L3
L2
Agg1, Agg2
Inter-Switch Link
DC Core
Secondary Root, Secondary HSRP, Standby Services
Path Pref
L3+L4 Hash
Def gwy
Scaling B/W with GEC and 10GE: Migrating Access Layer Uplinks to 10GE
Access Pair 1 … …
Aggregation
DC Core
Scaling B/W with GEC and 10GE: Service Layer Switch
DC Core
Service Switch1
Service Switch2 (Redundant)
Access
Aggregation
Data Center Network Best Practices: STP, HSRP, Other
Agg1: STP Primary Root, HSRP Primary, HSRP Preempt and Delay, Dual Sup with NSF+SSO
Agg2: STP Secondary Root, HSRP Secondary, HSRP Preempt and Delay, Single Sup
Blade Chassis with Integrated Switch
FT
Data
Rootguard
LoopGuard
Portfast + BPDUguard
Rapid PVST+
UDLD Global
Spanning Tree Pathcost Method=Long
Rapid PVST+: Maximum Number of STP Active Logical Ports: 8000 and Virtual Ports Per Linecard: 1500
LACP+L4 Hash, Dist EtherChannel, Min-Links
L3+L4 CEF Hash
LACP+L4 Port Hash, Dist EtherChannel for FT and Data VLANs
Agenda
Cisco Validated Designs
Data Center Infrastructure
Service Integration
Data Center Evolution
Service Integration Goals
Application Examples
Exchange 2007 Logical Layout
Internet
SMTP Messages
CAS, Mailbox
Edge Transport
Hub Transport
Remote Clients (OWA, ActiveSync, Anywhere, POP3, IMAP4)
MAPI Mail Client
External Communications
Internal Exchange Communications
SAP Logical Layout
SAPGUI: TCP:32xx
HTTP(S) (ABAP): Default TCP:8000
HTTP (J2EE): HTTP:5xx00, HTTPS:5xx01
Web Services
JCo/RFC
RFC
SAP Web Application Server: Operating System and Database Agnostic
Oracle 11i Logical Topology
Desktop Tier: Web Browser
Application Tier: Web Server, Forms Server, Concurrent Server, Reports Server, Admin Server, Discoverer Server
Database Tier: Database Server
Desktop Tier Web Client
Web Server (HTTP/HTTPS Listener)
Form Server (HTTP/HTTPS Listener)
Forms Listener Servlet
Common Application Expectations: Transaction Processing Applications
Application Delivery Services
Security and Monitoring Services
Service Integration and Network Design
Blade Chassis with Integrated Switch
L3 Access
Blade Chassis with Pass Thru
Mainframe with OSA
L2 with Clustering and NIC Teaming
Enterprise Core
DC Aggregation
DC Access
DC Core
Data Center Technology
ACE Service Module
Application Control Engine Overview
Data Center Technology
Front
Rear
Application Control Engine Appliance
Data Center Technology: Firewall Service Module
Data Center Technology: Adaptive Security Appliance (ASA) 5580
Virtualized Network Services
Cisco Catalyst 6500
One Arm Mode
Bridged Mode
Bridged Mode
Routed Mode
Routed Mode
Service Chaining
BU-1 BU-2 BU-3 BU-4 BU-5
Service Chaining: Consolidated Secure Infrastructure
user Mark pass abc role Security-Admin
user Tom pass xyz role SLB-Admin
domain SRM
  add-object policy-map SRM-policy
username tom password 123 role SLB-Admin domain SRM
ACE-1/sap(config)# policy-map type loadbalance first Portal-policy
Error: object being referred to is not part of User's domain
ACE-1/sap(config)# policy-map type loadbalance first SRM-policy
ACE-1/sap(config-pmap-lb)#
ACE-FWSM Example Design Options
Bridge Mode, Routed Mode, One Arm Mode
default gw
bpdu forwarding
default gw
default gw
ospf neighbors
PBR
S-NAT
Application Scalability and Availability
Server selection
Load distribution mechanisms
Scales AVS, WAAS and server farms
Session persistence
TCP reuse
Via ACE
Health checks
Backup server farms
Fault-tolerant groups
Route health injection
Server offload
Back-end encryption
WAE
Servers
AVS
Health Probes: SAP Enterprise Portal Example
/index.html
/irj/portal
Configuration
probe http PORTAL-50000
  description http-probe
  port 50000
  interval 20
  passdetect interval 10
  request method get url /irj/portal
  expect status 200 200
Health Checks: NetWeaver Web Administrator
Health Monitoring
Web Services
ACE/dc# telnet 169.145.90.16 50100
Trying 169.145.90.16...
Connected to 169.145.90.16.
Escape character is '^]'.
GET /nwa HTTP/1.1
Host: 169.145.90.16

HTTP/1.1 302 Found
server: SAP NetWeaver Composition Environment 7.1 / AS Java 7.1
content-type: text/html
location: http://169.145.90.16/webdynpro/dispatcher/sap.com/tc~lm~itsam~co~ui~nwa~localnavigation~wd/NWAApp
content-length: 0
date: Fri, 30 Nov 2007 04:15:04 GMT

probe http BACK-1
  port 50100
  interval 20
  passdetect interval 10
  request method get url /webdynpro/dispatcher/sap.com/tc~lm~itsam~co~ui~nwa~localnavigation~wd/NWAApp
  expect status 200 200
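Added example (not part of the original deck, and not Cisco or SAP code): the check behind the NetWeaver health-check slide, in Python. It parses the captured 302 response (re-typed from the telnet session as a constructed sample), shows why a probe with "expect status 200 200" on /nwa would fail, and derives the probe URL from the Location header only when the redirect stays on the probed server. The function names are hypothetical; the emitted stanza uses only the probe commands shown on the slide.

```python
from urllib.parse import urlsplit

# Constructed sample: response head from the telnet capture on the slide.
CAPTURED = (
    "HTTP/1.1 302 Found\r\n"
    "server: SAP NetWeaver Composition Environment 7.1 / AS Java 7.1\r\n"
    "content-type: text/html\r\n"
    "location: http://169.145.90.16/webdynpro/dispatcher/sap.com/"
    "tc~lm~itsam~co~ui~nwa~localnavigation~wd/NWAApp\r\n"
    "content-length: 0\r\n"
    "date: Fri, 30 Nov 2007 04:15:04 GMT\r\n"
    "\r\n"
)

REDIRECTS = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Return (status, headers) from a raw HTTP/1.x response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def probe_passes(status, low=200, high=200):
    """Mirror 'expect status <low> <high>': pass only inside the range."""
    return low <= status <= high


def redirect_path(status, headers, probed_host):
    """Path to probe instead of the redirecting URL, or None.

    A redirect to a different host is rejected: probing it would report
    the health of some other server, not the real server being checked.
    """
    if status not in REDIRECTS or "location" not in headers:
        return None
    target = urlsplit(headers["location"])
    if target.netloc and target.hostname != probed_host:
        return None
    path = target.path or "/"
    return path + ("?" + target.query if target.query else "")


def ace_probe(name, port, path, interval=20, passdetect=10):
    """Render a probe stanza in the layout used on the slide."""
    return "\n".join([
        "probe http %s" % name,
        "  port %d" % port,
        "  interval %d" % interval,
        "  passdetect interval %d" % passdetect,
        "  request method get url %s" % path,
        "  expect status 200 200",
    ])


def review(raw, probed_host, name, port):
    """Classify a captured response: pass, redirect (with stanza) or fail."""
    status, headers = parse_response(raw)
    if probe_passes(status):
        return "pass", None
    path = redirect_path(status, headers, probed_host)
    if path is None:
        return "fail", None
    return "redirect", ace_probe(name, port, path)


if __name__ == "__main__":
    verdict, stanza = review(CAPTURED, "169.145.90.16", "BACK-1", 50100)
    print(verdict)
    print(stanza)
```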
Session Persistence: Options
ACE Session Persistence: Cookie Sticky Case Study: Oracle 11i
ACE Session Persistence: Header Parsing: SAP Case Study
switch/SAP-Datacenter# sh stat http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 151 , TCP data msgs sent : 152
Inspect parse result msgs : 0 , SSL data msgs sent : 495
                     sent
TCP fin/rst msgs sent : 8 , Bounced fin/rst msgs sent: 8
SSL fin/rst msgs sent : 18 , Unproxy msgs sent : 14
Drain msgs sent : 118 , Particles read : 1718
Reuse msgs sent : 0 , HTTP requests : 156
Reproxied requests : 0 , Headers removed : 0
Headers inserted : 254 , HTTP redirects : 0
HTTP chunks : 37 , Pipelined requests : 0
HTTP unproxy conns : 14 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 110 , Analysis errors : 0
Header insert errors : 0 , Max parselen errors : 3
Static parse errors : 0 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Configuration
parameter-map type http PERSIST
  set header-maxparse-length 4096
policy-map multi-match SLB-policy
  class epSAP-s
    appl-parameter http advanced-options PERSIST
ACE Session Persistence: Cookie Sticky Case Study: SAP
ACE Session Persistence: Case Study: Outlook Anywhere
Outlook Anywhere Enabled Client
sticky ip-netmask 255.255.255.255 address source SRC-STCKY-GRP
  serverfarm CAS_FARM
ACE Session Persistence: Database Connection
parameter-map type connection DB
  set timeout inactivity 0
class-map match-all DB-class
  match port tcp eq 1521
policy-map multi-match DB-policy
  class DB-class
    connection advanced-options DB
interface vlan 10
  description server side interface
  service-policy input DB-policy
Policy applied only to server initiated connections on specified port
ACE SSL Server Offload
NAM, IDS
Clear Text to Servers:50XX0
Encrypted to VIP:443
SSL Server Offload: ACE Configuration
1. Acquire Key and Cert in PEM format
switch/sap# crypto import ?
  ftp         Import a key/certificate from an ftp server
  non-export  Mark this key/certificate as non-exportable
  sftp        Import a key/certificate from an sftp server
  terminal    Accept a key/certificate from terminal
  tftp        Import a key/certificate from a tftp server
switch/sap# show crypto files
Filename      File Size  File Type  Exportable  Key/Cert
-----------------------------------------------------------------------
testkey.key   497        PEM        Yes         KEY
SAPcert.cer   855        PEM        Yes         CERT
ACE-1/sap# crypto verify testkey.key SAPcert.cer
Keypair in testkey.key matches certificate in SAPcert.cer.
2. Configure Proxy and apply
ssl-proxy service SAP
  key testkey.key
  cert SAPcert.cer
policy-map multi-match SLB
  class epSAP-s
    ssl-proxy server SAP
ACE SSL Offload: HTTP Header Insert and Persistence Rebalance
https://----/irj
http://----/irj/
http://----/irj/index.html
http://----/irj
Header Insert Configuration
policy-map type loadbalance first-match EP-HTTPS
  class class-default
    insert-http ClientProtocol header-value "https"
Persistence Rebalance
parameter-map type http PERSIST
  persistence-rebalance
policy-map multi-match SLB-policy
  class epSAP-s
    appl-parameter http advanced-options PERSIST
ACE SSL Offload: Back-End Encryption
SSL Termination, SSL Initiation
Encrypted to VIP:443
Encrypted to Servers:443
Configuration
ssl-proxy service testsslclient
policy-map type loadbalance first-match EP-HTTPS
  class class-default
    ssl-proxy client testsslclient
SSL Offload Reference: SAP
policy-map type loadbalance first-match EP-HTTPS
  class class-default
    insert-http ClientProtocol header-value "https"
parameter-map type http PERSIST
  persistence-rebalance
policy-map multi-match SLB-policy
  class epSAP-s
    appl-parameter http advanced-options PERSIST
SSL Offload Reference: BEA Weblogic
policy-map type loadbalance first-match VIP-POLICY-10
  class class-default
    sticky-serverfarm learn
    insert-http WL-Proxy-SSL header-value "true"
parameter-map type http PERSIST
  persistence-rebalance
policy-map multi-match SLB-policy
  class xyz
    appl-parameter http advanced-options PERSIST
SSL Offload Reference: Oracle 11i
SSL Offload Reference: Siebel 8.0
SSL Offload Reference: Exchange 2007 Client Access Server
SSL Offload Reference: Microsoft SharePoint
SSL Offload: Back-End Encryption with SSL Reuse
Server Side Reuse
Client Side Reuse
Reuse Definition
parameter-map type ssl sslparams
  session-cache timeout 600
ssl-proxy service testsslclient
  ssl advanced-options sslparams
ssl-proxy service sap
  key sap-private
  cert sap-cert
  ssl advanced-options sslparams
Verification
switch/sap# show crypto session
SSL Session Cache Stats for Context
------------------
Number of Client Sessions 2
Number of Server Sessions 4
Scaling IDS Capacity: RSPAN + VACL Redirect
Subnet1
VLANs 10, 20, 30, …
IDS1
IDS2
RSPAN VLAN
VACL Filter
HTTP
All VLAN Traffic
Telnet
Subnet3
IDSx
NAM
all
Transport Policy: Enforce Security
https://----/irj
https://----/irj/
http://----/irj
ACE OWA Case Study: Persistence, Offload and Redirection
ACE TCP Multiplexing: Server Offload
ACE-TCP1 Pool1
ACE-TCP2 Pool2
TCP Reuse Configuration
parameter-map type http PERSIST
  server-conn reuse
Source NAT Configuration
interface vlan 201
  description server interface
  nat-pool 123 169.145.90.90 169.145.90.90 netmask 255.255.255.255 pat
Applied to Multi-Match Policy
policy-map multi-match SLB-policy
  class epSAP-s
    appl-parameter http advanced-options PERSIST
    nat dynamic 123 vlan 201
ACE TCP Multiplexing: Case Study with Exchange 2007
Cisco Technology Highlights: ACE Global Site Selector (GSS)
ACE GSS Appliance
Site Selection Example: A Cohesive Solution: GSS, ACE and CNR
GSS MX Record Request
Internet
Client DNS Server
Site Selection Example: GSS Keepalive Configuration
ACE CONFIGURATION
kalap udp
  ip address 10.210.1.4 encryption md5 <password>
class-map type management match-any <MANAGEMENT>
  2 match protocol kalap-udp any
policy-map type management first-match <P-MANAGEMENT>
  class <MANAGEMENT>
    permit
interface vlan <VLAN>
  description ** Public Facing Interface **
  service-policy input <P-MANAGEMENT>
Site Selection Example: GSS Answer Configuration
Service Integration WAN Optimizations
The Application Delivery Problem
Distribution of Resources
Data Center Consolidation
Remote Offices
Regional Offices
Home Offices
Data Center
5MB Document Download from SAP NetWeaver Portal
5MB File (40 mbits)
45 Mbps: <1 second Theoretical Wire Speed
5X
Continental WAN
Scenario | Office | US East West Coast
Distance | 0 km | 5,000 km
Latency, Bandwidth, Packet Loss | LAN | 60 ms, T3, 0%
Direct SAP (https) | 1.06 sec | 5.3 sec
Source: SAP TechEd 2007, Session LCM222
Intercontinental Transfer Increases Delay
Scenario | Office | Asia US
Distance | 0 km | 15,000–20,000 km
Latency, Bandwidth, Packet Loss | LAN | 300 ms, T3, 0%
Direct SAP (https) | 1.06 sec | 25 sec
Data: 5MB
Transfer Time: 1 second + 300 ms ?
or
More Windows = More Delay
(ms): 300 + 300 + 300 + 300 ...
(data): 65KB + 65KB + 65KB + 65KB ...
25X
Source: SAP TechEd 2007, Session LCM222
Packet Loss Magnifies Effect of Delay
300 300 300 300 300...
Congestion Response: More, Smaller Windows = More Delay
Loss
142X
Scenario | Office | Asia US
Distance | 0 km | 15,000–20,000 km
Latency, Bandwidth, Packet Loss | LAN | 300 ms, T3, 0% | 300 ms, T3, 1%
Direct SAP (https) | 1.06 sec | 25 sec | 142 sec
Source: SAP TechEd 2007, Session LCM222
Bandwidth Also Affects Transfer Times
5MB File (40 mbit)
45M: <1s
768K: 52s
Minimum Wire Delay
56X
Scenario | Office | US East West Coast | Dial-In (East West Coast)
Distance | 0 km | 5,000 km | 5,000 km
Latency, Bandwidth, Packet Loss | LAN | 60 ms, T3, 0% | 60 ms, 786 kbps, 0%
Direct SAP (https) | 1.06 sec | 5.3 sec | 56 sec
Source: SAP TechEd 2007, Session LCM222
ACE Tuning for Slow WAN
< 1 ms, 300 ms
TCP Flow Control vs. Buffering
TCP re-use
Selective Acks
Delay, Loss
parameter-map type connection WAN
  set tcp buffer-share 262143
  tcp-options selective-ack allow
policy-map multi-match SAP-LB
  class SSL-VIP
    connection advanced-options WAN
Cisco Technology Highlights: Wide Area Application Engine (WAE)
WAE Appliances and Modules
SAP Test Topology for WAN Optimization
Load Runner
Enterprise Portal
ERP
Business Logic
ipsec Encrypted Tunnel
ACE
wccp, wccp
WAAS, WAAS
Test 1: Enterprise Portal Login/Logout
Baseline
Test 1: Enterprise Portal Login/Logout
Branch WAE Encode, Branch WAE Decode, Data Center WAE Encode, Data Center WAE Decode
Note: LZ operates on 521 MB out of 1621 MB overall (32% of 9.49% = 3%)
Login/Logout Result Summary
Data Reduction, Transaction Time
26%, 99%
55%
3% LZ, 52% DRE
Test 2: Knowledge Management
Portal, Client
Baseline
Knowledge Management Result Summary
Data Reduction, Transaction Time
97%, 97%
89%
3% LZ, 86% DRE
Test 3: Technical Document Management
EP, Back-End, Composite App
1MB PDF, Random Data
1. Request Doc
2.
3.
4. PDF Post
5. Notification
Technical Document Management Result Summary
Transaction Time, Data Reduction
60%, <1%
26%
21% LZ, 5% DRE
Test 4: Customer Fact Sheet
50 Requests for Customer Fact Sheets
ERP, Composite App
Web Services Request to ERP for CFS
ERP Returns CFS
Customer Fact Sheet Result Summary
Transaction Time, Data Reduction
70%, 71%
77%
77% LZ
WAAS Configuration Essentials
Client Network, Server Network, WAN
Router subinterfaces: 0/0.92, 0/0.93, 0/0.962
Exclude WCCP to WAE interface
Enable WCCP on User Interface

WAN Router Config
hostname C2851
ip wccp 61
ip wccp 62
!
interface GigabitEthernet0/0.93
 description DC-wae
 ip wccp redirect exclude in
!
interface GigabitEthernet0/0.962
 description server VLAN
 ip wccp 61 redirect in
 ip wccp 62 redirect out
!
ntp master 2

WAE Config
hostname dc-waas
device mode application-accelerator
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
 ip address 169.145.93.93 255.255.255.0
ip default-gateway 169.145.93.1
ntp server 169.145.93.1
wccp router-list 1 169.145.92.1 169.145.93.1
wccp tcp-promiscuous router-list-num 1
wccp version 2
central-manager address 169.145.92.92
cms enable

CM Config
device mode central-manager
interface GigabitEthernet 1/0
 ip address 169.145.92.92 255.255.255.0
ip default-gateway 169.145.92.1
ntp server 169.145.93.1
Network Services Cheat Sheet: Exchange 2007 Example
Microsoft Exchange Server 2007 Role and Load-Balance, Fault Tolerance, High-Availability Methods Supported

Client Access Server
  Site Load-Balancing: Cisco Global Site Selector (GSS) and/or DNS Round-Robin
  Server Load-Balancing: Cisco ACE, Microsoft Network Load-Balancing (NLB) or DNS Round-Robin
  Fault Tolerance: NIC-Teaming, Multiple CAS Roles
  Network Optimization: Cisco WAE
  SSL-Offloading: Cisco ACE

Hub Transport Server
  Site Load-Balancing: N/A
  Server Load-Balancing: Handled Internally by Microsoft Exchange
  Fault Tolerance: NIC-Teaming, Multiple Hub Transport Servers
  Network Optimization: N/A
  SSL-Offloading: N/A

Mailbox Server
  Site Load-Balancing: N/A
  Server Load-Balancing: N/A
  Fault Tolerance: NIC-Teaming, Clusters (LCR, CCR, SCR, SCC)
  Network Optimization: Cisco WAE
  SSL-Offloading: N/A

Edge Transport Server
  Site Load-Balancing: Cisco Global Site Selector (GSS) and/or DNS Round-Robin
  Server Load-Balancing: Cisco ACE, Microsoft NLB or DNS Round-Robin
  Fault Tolerance: NIC-Teaming, Multiple Edge Transport Servers
  Network Optimization: N/A
  SSL-Offloading: N/A
Agenda
Cisco Validated Designs
Data Center Infrastructure
Service Integration
Data Center Evolution
Virtual Switch: Cisco Catalyst 6500 Virtual Switching System (VSS)
VSS: Switch 1 + Switch 2 = Virtual Switch Domain
Virtual Switch Link (VSL)
Virtual Switching System: Single Control Plane
Line Card—DFC
Line Card—DFC
Line Card—DFC
Line Card—DFC
Line Card—DFC
Line Card—DFC
Active Supervisor
Sup MSFC PFC
Line Card—DFC
Line Card—DFC
Line Card—DFC
Line Card—DFC
Line Card—DFC
Line Card—DFC
Standby Supervisor
Sup MSFC PFC
VSS
Increased Operational Efficiency
System Virtualization
Simplifying the Network
Traditional Layer 2/Layer 3, VSS
Virtual Switch System
Multi-Chassis EtherChannel
Virtual Switch System: Deployment Considerations
VSS in the Data Center: Aggregation Layer
Server Farm
Core
Aggregation
Services Chassis
Access
L3, L2
Service Chassis Models
Transparent Service Chain
ACE in Routed Mode
VRF-Enabled FWLB
Service Layer Switch
VRF
VRF
MSFC
ACE Context
FWSM Context
MSFC
ACE Context
FWSM Context
Layer 2
Layer 2
Layer 3
MSFC
ACE Context
FWSM Context(s)
Layer 3
ACE Context
MSFC
Evolving Data Center
Consider impact of new technologies to traffic patterns in the data center
Network service integration must consider these new data center capabilities
Today, VSS does not support service modules; July 2008 service module support is introduced with Whitney 2
Virtual services with a virtual switch (ACE/FWSM)
Summary
Q and A