8/6/2019 BRKAPP2022 Servicios de Aplicaciones en Centros de Datos
1/74
Data Center Application Services (BRKAPP-2022)
Hernan Vukovic
2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
Data Center Application Services
  Application High Availability: GSS, ACE
  Application Optimization: ACE, WAAS/vWAAS
  Application Security: ASA, IronPort, ACE
Applications Focus
  Exchange 2007/2010
  SAP Netweaver
Management Components
Additional Configuration Items
Global Site Selector Operation
[Diagram: the user's DNS query for www.sharepoint.ciscojax.com reaches the proxy DNS (P-DNS, 216.1.1.1), which follows the NS records of nameserver.ciscojax.com (NS record 10.0.10.90, NS record 10.0.10.141) to GSS-Primary (10.0.10.141) and GSS-Secondary (10.0.10.90), joined by a mesh link. The GSS decides "Which VIP? Who's least loaded?" between the primary site (VIP 10.2.86.92) and the secondary site (VIP 10.2.86.93), selects 10.2.86.92 and responds with that A record.]
Global Site Selector
Improves availability and resiliency of the DNS infrastructure with high-performance and self-protecting DDoS software
Offloads and optimizes DNS processing and selects the best site based on:
  Intelligent load balancing algorithms and clauses
  Proximity to the user request
  Data center and server loads, availability and health
  Persistence to prevent lost session information
A-record responder; works in concert with existing full DNS deployments
Security-conscious features:
  DDoS mitigation software
  Client-to-GSS and GSS-to-GSS communication encrypted
  Private DNS code base
Supports all DNS-compatible devices
Can be deployed with or without Application Delivery Controllers
Global Site Selector Basic Configuration Sequence
1. Shared keepalive, type kal-ap: 10.2.86.92 | 10.2.86.93
2. Answers: Answer-1 (ACE1) = VIP-A 10.2.86.92; Answer-1 (ACE2) = VIP-A 10.2.86.93
2a. Answer group SharePoint: Answer-1 (ACE1), Answer-1 (ACE2)
3. Domain list SharePoint: sharepoint.ciscojax.com
4. Source address list Any: 0.0.0.0 255.255.255.255
5. Rule SharePoint: source address list Any; domain list SharePoint
6. Balance clause 1: answer group SharePoint; balance method Ordered List
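The sequence above, as an added Python model of how a GSS rule turns a DNS query into an A-record answer (this is an illustration, not Cisco GSS code). The object names and VIPs come from the slides; the kal-ap load values, the "least-loaded" method and the client address 216.1.1.1 are assumptions.

```python
"""GSS answer selection modelled on the SharePoint rule in the slides.

Added example, not Cisco GSS code. The object names and VIPs (10.2.86.92 on
ACE1, 10.2.86.93 on ACE2, domain list sharepoint.ciscojax.com, source address
list Any) follow the slide; the kal-ap load values, the "least-loaded" method
and the client address are assumptions made for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Answer:
    """One GSS answer: a VIP on an ACE plus the result of its shared kal-ap keepalive."""
    name: str
    vip: str
    load: Optional[int] = None   # kal-ap load 0..100; None = keepalive failed, answer offline

    @property
    def online(self) -> bool:
        return self.load is not None


@dataclass
class Rule:
    """A GSS DNS rule: domain list + source address list -> balance clause."""
    name: str
    domain_list: List[str]       # a query matches a listed domain or any subdomain of it
    source_list: List[str]       # CIDR blocks; "0.0.0.0/0" models the slide's Any list
    answer_group: List[Answer]   # answers in configured order (ACE1 before ACE2)
    balance_method: str = "ordered-list"

    def matches(self, qname: str, client_ip: str) -> bool:
        q = qname.rstrip(".").lower()
        in_domain = any(q == d or q.endswith("." + d) for d in self.domain_list)
        in_source = any(ip_address(client_ip) in ip_network(n) for n in self.source_list)
        return in_domain and in_source

    def select(self) -> Optional[Answer]:
        """Apply the balance clause to the answers whose keepalive succeeded."""
        live = [a for a in self.answer_group if a.online]
        if not live:
            return None
        if self.balance_method == "ordered-list":
            return live[0]                        # first configured answer that is up
        if self.balance_method == "least-loaded":
            return min(live, key=lambda a: a.load)
        raise ValueError("unsupported balance method: " + self.balance_method)


def resolve(rules: List[Rule], qname: str, client_ip: str) -> Optional[str]:
    """Return the VIP the GSS would place in its A-record answer, or None when
    no rule matches or every answer in the matching group is offline."""
    for rule in rules:
        if rule.matches(qname, client_ip):
            chosen = rule.select()
            return chosen.vip if chosen else None
    return None


def sharepoint_rule(method="ordered-list", ace1_load=10, ace2_load=10) -> Rule:
    """Build the slide's SharePoint rule; the load values are constructed keepalive results."""
    return Rule(
        name="SharePoint",
        domain_list=["sharepoint.ciscojax.com"],
        source_list=["0.0.0.0/0"],
        answer_group=[Answer("Answer-1 (ACE1)", "10.2.86.92", ace1_load),
                      Answer("Answer-1 (ACE2)", "10.2.86.93", ace2_load)],
        balance_method=method,
    )


if __name__ == "__main__":
    query = ("www.sharepoint.ciscojax.com", "216.1.1.1")
    print("both up, ordered list :", resolve([sharepoint_rule()], *query))
    print("ACE1 keepalive failed :", resolve([sharepoint_rule(ace1_load=None)], *query))
    print("least loaded (60 vs 20):", resolve([sharepoint_rule("least-loaded", 60, 20)], *query))
```

With both answers up the ordered list always returns the primary-site VIP; only a failed keepalive on ACE1 moves clients to 10.2.86.93, which is the failover behaviour the keepalive step exists for.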
Application Control Engine
Infrastructure simplicity in a single hardware platform; ACE integrates:
  Application delivery
  Server offload
  Data center security features
ACE is a Cisco Catalyst 6500 service module, which comes in three throughput licenses: 4 Gbps, 8 Gbps and 16 Gbps
ACE Appliance 4710 is a 1-RU appliance with 4x GbE uplinks, in four throughput licenses: 500 kbps, 1 Gbps, 2 Gbps, 4 Gbps
It delivers application infrastructure control, with features like virtual partitions and native role-based administration (RBA)
[Figure: ACE 4710 appliance and ACE module, serving Exchange, SharePoint and SAP]
Design Considerations (For Your Reference)
Routed mode
  Easy to deploy
  Requires at least two IP subnets
  Servers in a dedicated IP subnet
One-armed
  Load balancer not inline
  Allows direct server access
  Requires source NAT
Bridged mode
  Easy migration for servers
  Requires one IP subnet
  Recommended for non-load-balanced traffic
The Need for Optimization
Applications were built for and tested on the LAN: high bandwidth, low latency, reliability
Last-mile problem
  Already congested
  Low bandwidth
  Latency
  Packet loss
It's not just about bandwidth
Solutions:
  Caching
  Server offload (TCP/SSL)
  Session proxy
[Diagram: client, LAN switch and server on the LAN, round-trip time (RTT) ~0 ms, versus a client reaching the server through an ISP and the WAN/Internet]
The Impact of Latency and Loss
[Chart: expected versus actual throughput on a 1.544 Mbps (T1) link and a 500 Kbps link as the coefficient of latency and loss goes from low to high; the gap between the two curves widens with latency and loss]
Achievable TCP throughput is bounded by round-trip time and packet loss:
$$R \approx \frac{MSS}{RTT \cdot \sqrt{p}}$$
R: average throughput
MSS: packet size (maximum segment size)
RTT: round-trip time
p: packet loss probability
Traffic Flow with ACE 4710 Compression
The following shows how the server's response is handled when compression is applied by the ACE 4710 appliance (client on the WAN, ACE in front of the server LAN):
1. Request before ACE (from the client):
   GET / HTTP/1.1
   Accept-Encoding: gzip,deflate
2. ACE rewrites the client's request; request after ACE (to the server):
   GET / HTTP/1.1
   Accept-Encoding: identity
3. Response before ACE (from the server):
   HTTP/1.1 200 OK
   Content-type: text/html
   Content-Length: 5963
4. ACE inspects the response
5. ACE compresses the response
6. Response after ACE; the server sent an uncompressed HTTP payload of 5963 bytes:
   HTTP/1.1 200 OK
   Content-type: text/html
   Content-Encoding: deflate
   Transfer-Encoding: chunked
7. Client receives a compressed HTTP payload of 1789 bytes
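The seven steps above, as an added Python model of the header rewrite, the compression and the framing change (this is an illustration, not ACE code). The request and response headers follow the slide; the HTML body, the chunk size and every function name are constructed.

```python
"""Model of the ACE 4710 compression flow on the slide (added example, not ACE code).

The request/response headers follow the slide; the HTML body, the chunk size
and the helper names are constructed for this illustration.
"""
import gzip
import zlib

# Constructed, moderately repetitive origin body (the slide's was 5963 bytes).
SAMPLE_BODY = b"<html><body>\n" + b"".join(
    b"<p>Mailbox item %03d: Data Center Application Services (GSS, ACE, WAAS, ASA).</p>\n" % i
    for i in range(90)) + b"</body></html>\n"


def rewrite_request(client_headers: dict) -> dict:
    """Step 2: ACE sends the origin 'Accept-Encoding: identity' so the server
    always returns an uncompressed body the ACE can inspect and compress itself."""
    origin_headers = dict(client_headers)
    origin_headers["Accept-Encoding"] = "identity"
    return origin_headers


def pick_encoding(client_accept_encoding: str):
    """Choose a coding the client offered in step 1 (deflate first, as on the slide)."""
    offered = {t.strip().lower() for t in client_accept_encoding.split(",")}
    for enc in ("deflate", "gzip"):
        if enc in offered:
            return enc
    return None


def to_chunked(payload: bytes, chunk_size: int = 256) -> bytes:
    """Chunked transfer coding; chunk_size kept small so the sample yields several chunks."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def from_chunked(data: bytes) -> bytes:
    """Step 7, client side: reassemble the chunks before decompressing."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end], 16)
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2


def compress_response(client_accept_encoding: str, headers: dict, body: bytes):
    """Steps 4-6: inspect the origin response and, when the client can take a
    compressed body and the content is text, compress it and replace the
    Content-Length framing with Transfer-Encoding: chunked."""
    enc = pick_encoding(client_accept_encoding)
    is_text = headers.get("Content-type", "").lower().startswith("text/")
    if enc is None or not is_text or "Content-Encoding" in headers:
        return headers, body                        # step 4 decided: pass through
    compressed = zlib.compress(body) if enc == "deflate" else gzip.compress(body)
    out_headers = {k: v for k, v in headers.items() if k != "Content-Length"}
    out_headers["Content-Encoding"] = enc
    out_headers["Transfer-Encoding"] = "chunked"
    return out_headers, to_chunked(compressed)


def client_decode(headers: dict, wire_body: bytes) -> bytes:
    """What the client in step 7 does to recover the original HTML."""
    raw = from_chunked(wire_body) if headers.get("Transfer-Encoding") == "chunked" else wire_body
    enc = headers.get("Content-Encoding", "identity")
    if enc == "deflate":
        return zlib.decompress(raw)
    if enc == "gzip":
        return gzip.decompress(raw)
    return raw


def run_flow(client_accept_encoding: str = "gzip,deflate"):
    """Drive steps 1-7 once; returns (origin request headers, response headers, wire body)."""
    origin_req = rewrite_request({"Host": "www.example.test",      # constructed host name
                                  "Accept-Encoding": client_accept_encoding})
    origin_resp_headers = {"Content-type": "text/html", "Content-Length": str(len(SAMPLE_BODY))}
    resp_headers, wire = compress_response(client_accept_encoding, origin_resp_headers, SAMPLE_BODY)
    return origin_req, resp_headers, wire


if __name__ == "__main__":
    req, hdrs, wire = run_flow()
    print(req["Accept-Encoding"], hdrs, len(SAMPLE_BODY), "bytes ->", len(wire), "bytes on the wire")
```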
Wide Area Application Services
WAAS overcomes TCP and WAN bottlenecks
  Shields the nodes' connections from WAN conditions; clients experience fast acknowledgement
  Minimizes perceived packet loss
  Eliminates the need to use inefficient congestion handling
[Diagram: LAN TCP behavior on both sides of the WAN; across the WAN the WAEs apply window scaling, large initial windows, congestion management and improved retransmit]
WAAS Optimizations
[Diagram: a remote office with a WAE cluster on one side of the WAN and, in the data center, a Catalyst 6509 with ACE module in front of a WAE cluster; the original flow is intercepted, redirected and monitored into the optimized flow]
Base optimizations (TCP-only traffic)
  Data redundancy elimination (byte cache)
  Lempel-Ziv compression (similar to GZIP)
  TCP flow optimization (adaptive to link conditions)
Application optimizers
  HTTP
  SSL
  CIFS
  NFS
  Video stream splitting (WMS)
Interception options
  In-line, WCCP, PBR, ACE
Virtual blade (local server in branch - ISSU)
Modular design
Adaptive Security Appliance: Firewall/IPS/VPN
Why do I need firewall services?
Application segmentation
Regulatory compliance
Edge security
Business unit segmentation
Why do I need VPN services?
Mobile users
Business partners
Small branch
Why do I need IPS services?
Audit compliance
Traffic flow visibility
Reporting
Defense in depth
IronPort E-Mail Security: More Spam and Spammers
More spam
  Daily spam volume doubles yearly
  Reaching 180 billion spam messages per day
More spammers
  More spammers with botnet-compromised hosts send spam
  Malware sophistication increasing
[Charts: Average Daily Spam Volume (billions) and Average Simultaneous Compromised Hosts (thousands), per calendar quarter from Q1'07 to Q4'08. Source: Cisco Threat Operations Center]
ACE Application Inspections
TCP/IP: various atomic TCP checks implemented; TCP state tracking and TCP option processing; sequence number randomization.
ICMP: protection against ICMP attacks and crafted ICMP error messages; makes ICMP requests and responses stateful; prevents bogus unsolicited responses from entering the network.
HTTP: enforce HTTP-specific parameters (URL/header lengths); filtering on HTTP encoding mechanisms and multiple content types; tunneled application control (IM/P2P/file types); customizable regex-based signatures and dynamic updates.
IM/P2P (over HTTP): access control for IM (Yahoo, MSN, AIM, ICQ) and P2P (KaZaa, Torrents, Gnutella) over user-defined/well-known ports; feature control (doodling, voice chat, file sharing); customizable regex-based signatures.
FTP: directory traversal attack prevention and command filtering; server identity protection via obfuscation techniques; filtering based on username, file name/type, server name; enhanced logging capabilities.
DNS: enforce legitimate zone transfers, private vs. public domains; DNS spoofing and cache poisoning prevention; filtering based on domain name.
LDAP/ILS: decodes the AddRequest, SearchRequest and SearchResultEntry; fixes up the embedded IP addresses in LDAP messages; logs IP mismatches between IP header and payload.
RTSP: the inspection engine parses SETUP response messages with status code 200; opens pinholes for data channels; keeps state to remember the client ports in the SETUP message.
SCCP/Skinny: NATs the embedded IP address; dynamic opening of media pinholes; enforces user-configured policies; state checking to ensure only registered clients can place/receive calls.
SIP: NATs the embedded IP address; prepares the dynamic secondary control/data connection; tracks the SIP finite state machine; enforces user-configured policies.
Validated Application Solutions (For Your Reference)
Comprehensive set of validated ACE solutions
Example showing the Cisco and Microsoft validated solution for Microsoft Exchange Server 2007 using ACE
Currently testing Exchange 2010 running on Cisco Unified Computing System (UCS), load balanced by ACE
http://www.cisco.com/en/US/partner/netsol/ns751/networking_solutions_sub_program_home.html
General DC Services Flow
[Diagram: Campus/Branch, Internet and Intranet traffic enters through a 6500 VSS pair with WAE and ACE; a pair of NX-7k, a pair of ASA and a pair of NX-5k lead through NX-2k to the virtualized server farm on UCS, with the GSS alongside; VLANs 981, 982, 983 and 882]
Data Center Infrastructure: ACE Bridged Mode
[Diagram: NX-7k pair, WAE pair, NX-5k pair, ASA pair, ACE pair bridging VLAN 983 to VLAN 982 with VLAN 981 toward the WAEs, multiple server VLANs (VLAN 882) on UCS behind NX-2k, GSS alongside]
ft track host DC-Gtwy
  track-host 10.86.91.97
  peer track-host 10.86.91.97
  priority 50
  peer priority 50
ft track interface WAE
  track-interface vlan 981
ft track host WAN-Gtwy
  track-host 10.86.91.99
access-list BPDU_allow ethertype permit bpdu
interface bvi 2
  ip address 10.86.91.110 255.255.255.240
  alias 10.86.91.108 255.255.255.240
  peer ip address 10.86.91.109 255.255.255.240
interface vlan 981
  ip address 10.86.79.222 255.255.255.248
  alias 10.86.79.217 255.255.255.248
  peer ip address 10.86.79.221 255.255.255.248
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input all
interface vlan 982
  bridge-group 2
  no normalization
  access-group input BPDU_allow
  service-policy input From_WAN_982
interface vlan 983
  service-policy input From_DC_983
ip route 0.0.0.0 0.0.0.0 10.86.91.97
ip route 192.168.0.0 255.255.255.0 10.86.91.98
Data Center Infrastructure: ACE Bridged Mode (probes, server farms, real servers and class maps)
[Diagram: same topology as the previous slide]
probe https WAE-PROBE
  port 8443
  interval 5
  passdetect interval 5
  receive 1
  ssl version all
  expect status 200 200
  open 2
probe icmp GATEWAY-PROBE
  interval 5
  passdetect interval 5
  receive 1
serverfarm host BR-WAE-FARM
  description Inbound from the Branch
  transparent
  predictor hash address source 255.255.255.240
serverfarm host DC-WAE-FARM
  description Outbound from the Data Center
  transparent
  predictor hash address destination 255.255.255.240
rserver host WAN-GW
  ip address 10.86.79.230
  inservice
rserver host DC-GW
  ip address 10.86.91.97
  inservice
rserver host WAE1
  ip address 10.86.91.114
  conn-limit max 2000 min 50
  inservice
rserver host WAE2
  ip address 10.86.91.115
  conn-limit max 12000 min 50
  inservice
class-map match-any BYPASS
  description Non-Accelerated (Bypassed) Traffic
  1 match virtual-address 0.0.0.0 0.0.0.0 tcp eq telnet
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 22
  3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq domain
  4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 49
  5 match virtual-address 0.0.0.0 0.0.0.0 tcp range 1812 1813
  6 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 161
  7 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 162
  8 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 123
  9 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 179
class-map match-all WAAS
  description Accelerated Traffic
  2 match virtual-address 0.0.0.0 0.0.0.0 any
The WAE probe uses port 8443 with an SSL version and an expected HTTP status, so it is an https probe rather than a plain tcp probe. The BYPASS class excludes management and control-plane protocols (telnet, SSH, DNS, TACACS+, RADIUS, SNMP and SNMP traps, NTP, BGP) from WAAS interception; everything else on TCP falls into the WAAS class.
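The BYPASS and WAAS class maps above, evaluated in an added Python example (not ACE code): it parses the class-map lines from the slide and classifies constructed flows the way a multi-match policy would, first matching class wins. The policy order BYPASS before WAAS is an assumption, since the slide shows only the class maps.

```python
"""Classify flows against the BYPASS / WAAS class maps on the slide.

Added example, not ACE code. It parses the slide's class-map lines and
evaluates them as an ACE multi-match policy would (first class to match
wins). The policy order BYPASS, then WAAS is assumed; the sample flows
are constructed.
"""
import ipaddress

# Well-known names ACE prints instead of numbers in "match ... eq <name>".
PORT_NAMES = {"telnet": 23, "smtp": 25, "domain": 53, "www": 80, "https": 443}

SLIDE_CLASS_MAPS = """\
class-map match-any BYPASS
  description Non-Accelerated (Bypassed) Traffic
  1 match virtual-address 0.0.0.0 0.0.0.0 tcp eq telnet
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 22
  3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq domain
  4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 49
  5 match virtual-address 0.0.0.0 0.0.0.0 tcp range 1812 1813
  6 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 161
  7 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 162
  8 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 123
  9 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 179
class-map match-all WAAS
  description Accelerated Traffic
  2 match virtual-address 0.0.0.0 0.0.0.0 any
"""


def port_number(token: str) -> int:
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError("unknown port name: " + token)


def parse_match(tokens):
    """tokens = everything after 'virtual-address', e.g.
    ['0.0.0.0', '0.0.0.0', 'tcp', 'eq', 'telnet'] or ['0.0.0.0', '0.0.0.0', 'any']."""
    net = ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False)  # ACE gives a netmask
    clause = {"net": net, "proto": None, "lo": 0, "hi": 65535}
    rest = tokens[2:]
    if not rest or rest[0] == "any":
        return clause
    clause["proto"] = rest[0]
    qualifier = rest[1:]
    if not qualifier or qualifier == ["any"]:
        return clause
    if qualifier[0] == "eq" and len(qualifier) == 2:
        clause["lo"] = clause["hi"] = port_number(qualifier[1])
    elif qualifier[0] == "range" and len(qualifier) == 3:
        clause["lo"], clause["hi"] = port_number(qualifier[1]), port_number(qualifier[2])
    else:
        raise ValueError("unsupported match clause: " + " ".join(rest))
    return clause


def parse_class_maps(text):
    maps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("class-map "):
            _, mode, name = line.split()
            current = maps[name] = {"mode": mode, "matches": []}
        elif "match virtual-address" in line and current is not None:
            toks = line.split()
            current["matches"].append(parse_match(toks[toks.index("virtual-address") + 1:]))
    return maps


def clause_hits(clause, dst_ip, proto, dst_port):
    return (ipaddress.ip_address(dst_ip) in clause["net"]
            and clause["proto"] in (None, proto)
            and clause["lo"] <= dst_port <= clause["hi"])


def class_hits(cmap, dst_ip, proto, dst_port):
    results = [clause_hits(c, dst_ip, proto, dst_port) for c in cmap["matches"]]
    return any(results) if cmap["mode"] == "match-any" else all(results)


def classify(maps, order, dst_ip, proto, dst_port):
    """First class in policy order that matches wins, as in an ACE multi-match
    policy map; 'class-default' when nothing matches."""
    for name in order:
        if class_hits(maps[name], dst_ip, proto, dst_port):
            return name
    return "class-default"


def classify_slide_flows():
    """Run constructed flows through the slide's class maps, BYPASS evaluated first."""
    maps = parse_class_maps(SLIDE_CLASS_MAPS)
    flows = [("10.86.91.50", "tcp", 22), ("10.86.91.50", "tcp", 1813),
             ("10.86.91.50", "tcp", 1814), ("10.86.91.50", "tcp", 443),
             ("10.86.91.50", "tcp", 53), ("10.86.91.50", "udp", 53)]
    return {flow: classify(maps, ["BYPASS", "WAAS"], *flow) for flow in flows}


if __name__ == "__main__":
    for flow, cls in classify_slide_flows().items():
        print(flow, "->", cls)
```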
Data Center Infrastructure: ACE Routed Mode
[Diagram: same topology, with the ACE pair routing between VLAN 983, VLAN 982 and VLAN 981]
ft track host DC-Gtwy
  track-host 10.86.91.97
  peer track-host 10.86.91.97
  priority 50
  peer priority 50
ft track interface WAE
  track-interface vlan 981
ft track interface ServerFarm
  track-interface vlan 982
interface vlan 981
  ip address 10.86.79.222 255.255.255.248
  alias 10.86.79.217 255.255.255.248
  peer ip address 10.86.79.221 255.255.255.248
  no normalization
  mac-sticky enable
  no icmp-guard
  service-policy input WAAS_VIP_pol
interface vlan 982
  ip address 10.86.79.227 255.255.255.248
  alias 10.86.79.225 255.255.255.248
  peer ip address 10.86.79.226 255.255.255.248
  no normalization
interface vlan 983
  ip address 10.86.91.110 255.255.255.240
  alias 10.86.91.108 255.255.255.240
  peer ip address 10.86.91.109 255.255.255.240
  no normalization
  service-policy input WAE_pol
  access-group input all
ip route 0.0.0.0 0.0.0.0 10.86.91.97
(The peer address on VLAN 983 is 10.86.91.109, as on the bridged-mode slide; the alias and the peer address of a redundant pair must differ.)
Data Center Infrastructure: GSS
[Diagram: same topology, with the GSS highlighted on VLAN 882 next to the ACE pair]
Exchange Server 2007 Role Deployment
Each role on a separate computer.
Role                         Function
Edge Transport               DMZ deployment
Mailbox                      Single DB
Client Access Server         Client interface
Active Directory             Authentication
Hub Transport                Mail mover
Exchange Management Console  Default on any server
Mailbox Protection 2007 (Microsoft Based)
[Diagram: the four Exchange 2007 replication models]
Local Continuous Replication (LCR): replication of DB/logs to a second disk set
Standby Continuous Replication (SCR): replication of DB/logs to a standby server
Cluster Continuous Replication (CCR): replication of DB/logs within a cluster, with a file share
Single Copy Cluster (SCC): one copy of DB and logs shared by the cluster nodes, with a quorum
Exchange Server 2010 Architecture (For Your Reference)
Exchange Server 2010 Role Deployment
Each role in a separate virtual guest.
Role                                           Function
Edge Transport                                 DMZ deployment
Mailbox (no virtual clustering, HA services)   Primary DB (active) and secondary DB (standby)
Client Access Server                           Client interface
Active Directory                               Authentication
Hub Transport                                  Mail mover
Exchange Management Console                    Default on any server
Database Availability Group
[Diagram: three mailbox servers, MBX-1, MBX-2 and MBX-3, each holding a copy of DB1, DB2 and DB3; every database has one Active copy, one Passive copy and one Lagged copy spread across the servers]
No need for the older mailbox protection options.
Exchange Role Deployment Guidelines
Role: network deployment guidelines
Client Access Server (CAS): provides general web services and client access for OWA, POP3, IMAP4, RPC/HTTP, ActiveSync. Can be located internally (inside the DC) or in the DMZ. SLB/SSL offload on ACE; GSS; WAAS for unencrypted OWA/Outlook Anywhere; firewall service.
Edge Transport (ET): routes mail in and out of the Exchange organization; acts as SMTP relay, smarthost, anti-spam. Located in the DMZ/perimeter. SLB on ACE; GSS; firewall services; replace with IronPort C-Series.
Hub Transport (HT): internal routing of mail; compliance, disclaimers, journaling, site connections. Nothing special for networking; validate bandwidth requirements based on the customer's mail load.
Mailbox (MBX): hosts mailbox and public folder stores. Layer 2 extension for Windows 2003 WSCS; Layer 3 clusters (Windows Server 2008 WSFC); WAAS for SAN and SAN-based replication.
Exchange Flows (SMTP to IronPort-C)
[Diagram: inbound SMTP from remote SMTP hosts on the Internet (Provider A and Provider B) passes the Internet router and the ASA FW/VPN, is load balanced by the ACE (with GSS and DNS answering for the domain) to the IronPort C appliances on VLAN 883, and from there on to the MBX servers; Campus/Branch traffic arrives over the DC WAN routers with WAAS/WoW and WAAS Mobile; data center services on VLANs 981, 982, 983 and 782]
Exchange Flows (Access to CAS)
[Diagram: the same data center services topology, with client access from the Internet and from Campus/Branch reaching the CAS servers behind the ASA FW/VPN and the ACE; GSS/DNS, WAAS/WoW, WAAS Mobile and IronPort C on VLAN 883 as before]
Configuring the OWA Server for SSL Offload (For Your Reference)
The CAS role is aware of the SSL-offload functionality of the ACE. To configure support for SSL offloading on a CAS role, refer to: http://technet.microsoft.com/en-us/library/bb885060.aspx
[Screenshot: registry value edit; change Value data, type 1]
WAAS Results: Encrypted Outlook Anywhere
WAE674-WoW#show statistics connection optimized
D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO
ConnID Source IP:Port Dest IP:Port PeerID Accel RR
205172 10.0.65.103:3851 10.7.53.55:443 00:21:55:86:1e:77 TSDL 36.9%
205173 10.0.65.102:3853 10.7.53.55:443 00:21:55:86:1e:77 TSDL 42.2%
205175 10.0.65.102:3855 10.7.53.55:443 00:21:55:86:1e:77 TSDL 31.3%
205186 10.0.65.112:1355 10.7.53.55:443 00:21:55:86:1e:77 TSDL 32.8%
205187 10.0.65.112:1357 10.7.53.55:443 00:21:55:86:1e:77 TSDL 46.7%
205189 10.0.65.112:1359 10.7.53.55:443 00:21:55:86:1e:77 TSDL 34.1%
205198 10.0.65.111:1313 10.7.53.55:443 00:21:55:86:1e:77 TSDL 33.1%
205200 10.0.65.111:1315 10.7.53.55:443 00:21:55:86:1e:77 TSDL 47.4%
WAE674-WoW#show statistics dre
Connections: Total (cumulative): 68 Active: 33
Encode:
Overall: msg: 3213, in: 27729 KB, out: 8930 KB, ratio: 67.79%
DRE: msg: 3142, in: 27727 KB, out: 9736 KB, ratio: 64.89%
DRE Bypass: msg: 71, in: 1604 B
LZ: msg: 2719, in: 6562 KB, out: 5755 KB, ratio: 12.31%
WAAS Results: Un-Encrypted Outlook Anywhere
WAE674-WoW#show statistics connection optimized
D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO
ConnID Source IP:Port Dest IP:Port PeerID Accel RR
205514 10.0.65.112:1465 10.7.53.55:34052 00:21:55:86:1e:77 THDL 92.8%
205522 10.0.65.111:1422 10.7.53.55:34052 00:21:55:86:1e:77 THDL 92.8%
205528 10.0.65.110:2690 10.7.53.55:34052 00:21:55:86:1e:77 THDL 92.8%
WAE674-WoW#show statistics dre
Encode:
Overall: msg: 13796, in: 52556 KB, out: 13083 KB, ratio: 75.11%
DRE: msg: 12428, in: 52368 KB, out: 14179 KB, ratio: 72.92%
DRE Bypass: msg: 10351, in: 188 KB
LZ: msg: 10650, in: 10936 KB, out: 9589 KB, ratio: 12.32%
LZ Bypass: msg: 3146, in: 3431 KB
Avg latency: 0.238 ms Delayed msg: 9605
Encode th-put: 16009 KB/s
Message size distribution:
0-1K=11% 1K-5K=29% 5K-15K=58% 15K-25K=0% 25K-40K=0% >40K=0%
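An added Python parser (not WAAS code) for the two `show statistics connection optimized` outputs above, to put numbers on the difference between the encrypted (TSDL) and unencrypted (THDL) Outlook Anywhere flows. The connection lines are copied from the slides; the 50% threshold is an assumption, and the DRE cross-check re-derives the Overall ratio from the in/out byte counts the slides print.

```python
"""Parse WAE 'show statistics connection optimized' output and compare the
reduction the encrypted and unencrypted Outlook Anywhere flows achieved.

Added example, not WAAS code. The connection lines are copied from the two
slides; the threshold and the DRE cross-check are the author's additions.
"""
import re
from statistics import mean

ENCRYPTED = """\
205172 10.0.65.103:3851 10.7.53.55:443 00:21:55:86:1e:77 TSDL 36.9%
205173 10.0.65.102:3853 10.7.53.55:443 00:21:55:86:1e:77 TSDL 42.2%
205175 10.0.65.102:3855 10.7.53.55:443 00:21:55:86:1e:77 TSDL 31.3%
205186 10.0.65.112:1355 10.7.53.55:443 00:21:55:86:1e:77 TSDL 32.8%
205187 10.0.65.112:1357 10.7.53.55:443 00:21:55:86:1e:77 TSDL 46.7%
205189 10.0.65.112:1359 10.7.53.55:443 00:21:55:86:1e:77 TSDL 34.1%
205198 10.0.65.111:1313 10.7.53.55:443 00:21:55:86:1e:77 TSDL 33.1%
205200 10.0.65.111:1315 10.7.53.55:443 00:21:55:86:1e:77 TSDL 47.4%
"""

UNENCRYPTED = """\
205514 10.0.65.112:1465 10.7.53.55:34052 00:21:55:86:1e:77 THDL 92.8%
205522 10.0.65.111:1422 10.7.53.55:34052 00:21:55:86:1e:77 THDL 92.8%
205528 10.0.65.110:2690 10.7.53.55:34052 00:21:55:86:1e:77 THDL 92.8%
"""

# Legend printed at the top of the command output.
ACCEL_FLAGS = {"D": "DRE", "L": "LZ", "T": "TCP", "A": "AOIM", "C": "CIFS", "E": "EPM",
               "G": "GENERIC", "H": "HTTP", "M": "MAPI", "N": "NFS", "S": "SSL", "V": "VIDEO"}

CONN_RE = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+(?P<dip>[\d.]+):(?P<dport>\d+)"
    r"\s+(?P<peer>[0-9a-f:]{17})\s+(?P<accel>[A-Z]+)\s+(?P<rr>[\d.]+)%\s*$")

DRE_RE = re.compile(
    r"Overall:\s+msg:\s+(\d+),\s+in:\s+(\d+)\s+KB,\s+out:\s+(\d+)\s+KB,\s+ratio:\s+([\d.]+)%")


def parse_connections(text):
    """One dict per connection line; header, legend and prompt lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        conns.append({
            "conn": int(d["conn"]),
            "src": (d["sip"], int(d["sport"])),
            "dst": (d["dip"], int(d["dport"])),
            "peer": d["peer"],
            "accel": frozenset(ACCEL_FLAGS[c] for c in d["accel"]),
            "rr": float(d["rr"]),
        })
    return conns


def mean_rr_by_accel(conns):
    """Average reduction ratio per accelerator combination (frozenset of names)."""
    groups = {}
    for c in conns:
        groups.setdefault(c["accel"], []).append(c["rr"])
    return {accel: round(mean(values), 2) for accel, values in groups.items()}


def low_gain(conns, threshold=50.0):
    """Connection IDs whose reduction ratio is below the threshold; on the encrypted
    slide every SSL flow lands here, on the unencrypted slide none does."""
    return [c["conn"] for c in conns if c["rr"] < threshold]


def dre_ratio_consistent(overall_line, tolerance=0.05):
    """Cross-check the Overall ratio of 'show statistics dre' against 1 - out/in."""
    m = DRE_RE.search(overall_line)
    if not m:
        raise ValueError("not an Overall line: " + overall_line)
    in_kb, out_kb, ratio = int(m.group(2)), int(m.group(3)), float(m.group(4))
    return abs((1 - out_kb / in_kb) * 100 - ratio) <= tolerance


if __name__ == "__main__":
    for label, text in (("encrypted", ENCRYPTED), ("unencrypted", UNENCRYPTED)):
        conns = parse_connections(text)
        print(label, mean_rr_by_accel(conns), "below 50%:", low_gain(conns))
```

The SSL flows still get TCP optimization and some DRE/LZ gain, but the ratio is roughly a third of what the same Outlook Anywhere traffic reaches once WAAS can see the HTTP payload.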
SAP Business Suite (For Your Reference)
SAP Application Flows
Multi-Tiered Architecture
Web browser or SAP GUI
SAP Portal or other middleware server
SAP application: NetWeaver and business application
Database: all data and programs are stored in a single DB
SAP Flows
SAP Flows
[Diagram: SAP traffic through the data center services: Internet users (Provider A and Provider B) via the Internet router and Campus/Branch users via the DC WAN routers with WAAS/WoW and WAAS Mobile, through the ASA FW/VPN and the ACE (GSS and DNS answering for the service) to SAP NetWeaver; VLANs 981, 982, 983, 782 and 883]
Management Components
Application Networking Manager: GUI configuration and management for the GSS/ACE application HA environment
Wide Area Application Services Central Manager: centralized GUI configuration and reporting for WAAS
Cisco Security Manager: GUI configuration and reporting for Firewall/IPS/VPN
Unified Computing System Manager: central, built-in management for UCS
Systems Center Operations Manager: central management for MSFT applications (i.e., Exchange)
Application Network Manager
Wide Area Application Services Central Manager
Cisco Security Manager
UCSM
SCOM Interface
Config Example: ACE with IronPort C-Class
probe smtp SMTP-pro
  interval 5
  passdetect interval 15
  passdetect count 5
  expect status 211 211
  expect status 250 250
rserver host IP1
  ip address 10.0.88.223
  inservice
rserver host IP2
  ip address 10.0.88.224
  inservice
rserver host IP3
  ip address 10.0.88.225
  inservice
serverfarm host IP_SF
  probe SMTP-pro
  rserver IP1
    inservice
  rserver IP2
    inservice
  rserver IP3
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-grp
  timeout 60
  replicate sticky
  serverfarm IP_SF
class-map match-any IPVIP-cls
  2 match virtual-address 10.0.88.230 tcp eq smtp
policy-map type loadbalance first-match IPLB-pol
  class class-default
    sticky-serverfarm STICKY-grp
policy-map multi-match IPVIP-pol
  class IPVIP-cls
    loadbalance vip inservice
    loadbalance policy IPLB-pol
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 88
interface vlan 88
  ip address 10.0.88.6 255.255.255.0
  nat-pool 1 10.0.88.253 10.0.88.253 netmask 255.255.255.0 pat
  service-policy input IPVIP-pol
  no shutdown
Config Example ACE CAS Servers
Config Example ACE CAS Servers

probe tcp IP-Pro1
  description CAS Server Probe1
  port 25
  interval 10
  passdetect interval 15
  passdetect count 5
  receive 20
probe tcp IP-Pro2
  description CAS Server Probe2
  port 443
  interval 10
  passdetect interval 15
  passdetect count 5
  receive 20
probe tcp IP-Pro3
  description CAS Server Probe3
  interval 10
  passdetect interval 15
  passdetect count 5
  receive 20

rserver host CAS1
  ip address 10.0.93.101
  inservice
rserver host CAS2
  ip address 10.0.93.102
  inservice
rserver host CAS3
  ip address 10.0.93.103
  inservice

serverfarm host CAS_SF
  probe IP-Pro1
  probe IP-Pro2
  probe IP-Pro3
  rserver CAS1
    inservice
  rserver CAS2
    inservice
  rserver CAS3
    inservice

sticky ip-netmask 255.255.255.0 address source STICKY-grp
  timeout 120
  replicate sticky
  serverfarm CAS_SF

class-map match-any CAS-VIP
  2 match virtual-address 10.0.93.210 tcp any

policy-map type loadbalance first-match CASLB-pol
  class class-default
    sticky-serverfarm STICKY-grp

policy-map multi-match CASVIP-pol
  class CAS-VIP
    loadbalance vip inservice
    loadbalance policy CASLB-pol
    loadbalance vip icmp-reply active
Config Example ACE for WAAS
Config Example ACE for WAAS (Non-WCCP)

interface vlan 981
  description Data Center WAAS VLAN
  ip address 10.86.79.222 255.255.255.248
  alias 10.86.79.217 255.255.255.248
  peer ip address 10.86.79.221 255.255.255.248
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input everyone
interface vlan 982
  description Branch Facing VLAN
  ip address 10.86.79.227 255.255.255.240
  alias 10.86.79.225 255.255.255.240
  peer ip address 10.86.79.226 255.255.255.240
  no normalization
  no icmp-guard
  access-group input everyone
  service-policy input Traffic-From-BR_982
interface vlan 983
  description Data Center Facing VLAN
  ip address 10.86.91.110 255.255.255.240
  alias 10.86.91.108 255.255.255.240
  peer ip address 10.86.91.109 255.255.255.240
  no normalization
  no icmp-guard
  access-group input everyone
  service-policy input remote-access
  service-policy input Traffic-From-DC_983

serverfarm host BR-to-CORE-BACKUP
  transparent
  probe GATEWAY-PROBE
  rserver DC-GW-97
    inservice
serverfarm host DC-to-BR-BACKUP
  transparent
  probe GATEWAY-PROBE
  rserver BR-GW-130
    inservice
class-map match-any BYPASS
  description Non-Accelerated (Bypassed) Traffic
  1 match virtual-address 0.0.0.0 0.0.0.0 tcp eq telnet
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 22
  3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq rdp
  4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq domain
  5 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 49
  6 match virtual-address 0.0.0.0 0.0.0.0 tcp range 1812 1813
  7 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 161
  8 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 162
  9 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 123
  10 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 179

serverfarm host BR-WAE-FARM
  description Inbound from the Branch
  transparent
  predictor hash address source 255.255.255.240
  probe WAE-PROBE
  ...
serverfarm host DC-WAE-FARM
  description Outbound from the Data Center
  transparent
  predictor hash address destination 255.255.255.240
  probe WAE-PROBE
policy-map type loadbalance first-match BYPASS
  description Send non-accelerated traffic directly to router
  class class-default
    forward
policy-map type loadbalance first-match BR-Traffic-LB
  description Loadbalance traffic from branches
  class class-default
    serverfarm BR-WAE-FARM backup BR-to-CORE-BACKUP
policy-map type loadbalance first-match DC-Traffic-LB
  description Loadbalance traffic destined to branches
  class class-default
    serverfarm DC-WAE-FARM backup DC-to-BR-BACKUP

policy-map multi-match Traffic-From-BR_982
  class BYPASS
    loadbalance vip inservice
    loadbalance policy BYPASS
  class WAAS
    loadbalance vip inservice
    loadbalance policy BR-Traffic-LB
policy-map multi-match Traffic-From-DC_983
  class BYPASS
    loadbalance vip inservice
    loadbalance policy BYPASS
  class WAAS
    loadbalance vip inservice
    loadbalance policy DC-Traffic-LB
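An added configuration check, not from the deck: a small Python linter for ACE configurations in the shape of the IronPort, CAS and WAAS examples above. It resolves every probe, rserver, serverfarm (including the `backup` farm named in a policy-map) and sticky-group reference against the objects actually defined, reports rservers never brought `inservice`, and lists interfaces where `no normalization` or `no icmp-guard` has switched off an ACE protection, as the WAAS interception VLANs above require. The sample input is constructed, the function and constant names (`parse_blocks`, `check_config`, `REF_RULES`) are mine, and the parser assumes block contents are indented with spaces.

```python
# Constructed ACE-style sample, not from the deck: probe IP-Pro9 and rserver CAS3 are deliberately undefined.
SAMPLE_CONFIG = """\
probe tcp IP-Pro1
rserver host CAS1
  inservice
rserver host CAS2
serverfarm host CAS_SF
  probe IP-Pro1
  probe IP-Pro9
  rserver CAS3
    inservice
sticky ip-netmask 255.255.255.0 address source STICKY-grp
  serverfarm CAS_SF
policy-map type loadbalance first-match CASLB-pol
  class class-default
    sticky-serverfarm STICKY-grp
interface vlan 983
  no normalization
"""
# (block type, child keyword) -> type of the object that keyword names and that must be defined.
REF_RULES = {("serverfarm", "probe"): "probe", ("serverfarm", "rserver"): "rserver",
             ("sticky", "serverfarm"): "serverfarm", ("policy-map", "serverfarm"): "serverfarm",
             ("policy-map", "sticky-serverfarm"): "sticky"}

def parse_blocks(text):
    blocks = []  # list of (header tokens, [child token lists]); unindented lines open a block
    for line in filter(str.strip, text.splitlines()):
        if line[0] != " ":
            blocks.append((line.split(), []))
        else:
            blocks[-1][1].append(line.split())
    return blocks

def check_config(text):
    """Return findings: dangling references, rservers left out of service, disabled protections."""
    blocks = parse_blocks(text)
    defined = {(hdr[0], hdr[-1]) for hdr, _ in blocks}  # (object type, object name)
    findings = []
    for hdr, body in blocks:
        kind, name = hdr[0], hdr[-1]
        for tok in body:
            target = REF_RULES.get((kind, tok[0]))
            if target:  # every name after the keyword is a reference; skip 'backup' and port numbers
                findings += [f"{kind} {name}: undefined {target} {n}" for n in tok[1:]
                             if n != "backup" and not n.isdigit() and (target, n) not in defined]
            if kind == "interface" and tok[:2] in (["no", "normalization"], ["no", "icmp-guard"]):
                findings.append(f"interface {name}: protection disabled ({' '.join(tok)})")
        if kind == "rserver" and ["inservice"] not in body:
            findings.append(f"rserver {name}: defined but not inservice")
    return findings
```

Run `check_config` over a `show running-config` capture to get the same report for a live device; an empty list means every reference resolves and no rserver is idle.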
Recommended Reading