BRKAPP2022 Servicios de Aplicaciones en Centros de Datos (Data Center Application Services)


  • 8/6/2019 BRKAPP2022 Servicios de Aplicaciones en Centros de Datos



Data Center Application Services (BRKAPP-2022)

    Hernan Vukovic



© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda

- Data Center Application Services
- Application High Availability: GSS, ACE
- Application Optimization: ACE, WAAS/vWAAS
- Application Security: ASA, IronPort, ACE
- Applications Focus: Exchange 2007/2010, SAP Netweaver
- Management Components
- Additional Configuration Items


Global Site Selector Operation

(Diagram: nameserver.ciscojax.com holds NS records for www.sharepoint.ciscojax.com that delegate to GSS-Primary 10.0.10.141 and GSS-Secondary 10.0.10.90, joined by a mesh link. The primary site serves www.sharepoint.ciscojax.com on VIP 10.2.86.92, the secondary site on VIP 10.2.86.93.)

1. The user's DNS query for www.sharepoint.ciscojax.com reaches the proxy DNS (P-DNS, 216.1.1.1), which follows the NS records to a GSS.
2. The GSS decides which VIP to answer with ("Which VIP? Who's least loaded?").
3. The GSS selects 10.2.86.92 and responds to the P-DNS with an A record for 10.2.86.92.

Global Site Selector

- Improves availability and resiliency of the DNS infrastructure with high performance and self-protecting DDoS software
- Offloads and optimizes DNS processing and selects the best site based on:
  - Intelligent load balancing algorithms and clauses
  - Proximity to the user request
  - Data center and server loads, availability and health
  - Persistence to prevent lost session information
- A-record responder, works in concert with existing full DNS deployments
- Security-conscious features:
  - DDoS mitigation software
  - Client-to-GSS and GSS-to-GSS communication encrypted
  - Private DNS code base
- Supports all DNS-compatible devices
- Can be deployed with or without Application Delivery Controllers


Global Site Selector: Basic Configuration Sequence

(Diagram of the configuration objects and the order in which they are built.)

1. Shared keepalive, type kal-ap, for the VIPs 10.2.86.92 and 10.2.86.93
2. Answers: Answer-1 (ACE1) = VIP-A 10.2.86.92; Answer-1 (ACE2) = VIP-A 10.2.86.93
3. Answer group SharePoint, containing Answer-1 (ACE1) and Answer-1 (ACE2)
4. Domain list SharePoint: sharepoint.ciscojax.com
5. Source address list Any: 0.0.0.0 255.255.255.255
6. Rule SharePoint: source address list Any, domain list SharePoint, balance clause 1 with answer group SharePoint and balance method Ordered List
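The configuration sequence above, modelled as an added example (my code, not Cisco's GSS software): the keepalive results and the client query are constructed, and the Ordered List balance method is implemented as the GSS applies it, the first answer in configured order that the keepalive reports online.

```python
"""Added example (not Cisco GSS code): the objects from the slide's
configuration sequence, a shared kal-ap keepalive feeding two answers,
an answer group, a domain list, a source address list and a DNS rule,
with the "Ordered List" balance method.  Keepalive results and the
client query are constructed for the demo."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Answer:
    name: str
    vip: str
    online: bool = False      # set only by the keepalive, never by hand


@dataclass
class AnswerGroup:
    name: str
    answers: list             # configured precedence order


@dataclass
class DnsRule:
    name: str
    source_list: list         # ipaddress networks ("Any" = 0.0.0.0/0)
    domains: list             # domain list entries, suffix-matched
    group: AnswerGroup
    method: str = "ordered-list"


def apply_kal_ap(group: AnswerGroup, probe_results: dict) -> None:
    """Shared keepalive: one kal-ap result per VIP marks every answer that
    uses that VIP (constructed results; the real GSS polls the ACE)."""
    for a in group.answers:
        a.online = probe_results.get(a.vip, False)


def select_answer(rule: DnsRule, client_ip: str, qname: str):
    """VIP the rule would return as an A record, or None (no answer)."""
    src = ipaddress.ip_address(client_ip)
    if not any(src in net for net in rule.source_list):
        return None                         # source address list miss
    if not any(qname == d or qname.endswith("." + d) for d in rule.domains):
        return None                         # domain list miss
    if rule.method != "ordered-list":
        raise NotImplementedError(rule.method)
    # Ordered List: the first answer, in configured order, that the
    # keepalive reports online; a dead primary fails over to the next.
    for a in rule.group.answers:
        if a.online:
            return a.vip
    return None


def build_sharepoint_rule() -> DnsRule:
    """The SharePoint rule as the slide sequences it (steps 1-6)."""
    ace1 = Answer("Answer-1(ACE1)", "10.2.86.92")     # VIP-A, primary site
    ace2 = Answer("Answer-1(ACE2)", "10.2.86.93")     # VIP-A, secondary site
    group = AnswerGroup("SharePoint", [ace1, ace2])
    return DnsRule(
        name="SharePoint",
        source_list=[ipaddress.ip_network("0.0.0.0/0")],   # "Any"
        domains=["sharepoint.ciscojax.com"],
        group=group,
    )


if __name__ == "__main__":
    rule = build_sharepoint_rule()
    apply_kal_ap(rule.group, {"10.2.86.92": True, "10.2.86.93": True})
    print(select_answer(rule, "216.1.1.1", "www.sharepoint.ciscojax.com"))
    apply_kal_ap(rule.group, {"10.2.86.92": False, "10.2.86.93": True})
    print(select_answer(rule, "216.1.1.1", "www.sharepoint.ciscojax.com"))
```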


Application Control Engine

Infrastructure simplicity in a single hardware platform: ACE integrates
- Application delivery
- Server offload
- Data center security features

ACE is a Cisco Catalyst 6500 service module, which comes in three throughput licenses: 4 Gbps, 8 Gbps and 16 Gbps.

ACE Appliance 4710 is a 1-RU appliance with 4x GbE uplinks in four throughput licenses: 500 kbps, 1 Gbps, 2 Gbps and 4 Gbps.

It delivers application infrastructure control, with features like virtual partitions and native role-based administration (RBA).

(Diagram: ACE 4710 appliance and ACE module in front of Exchange, SharePoint and SAP.)


Design Considerations

Routed Mode
- Easy to deploy
- Requires at least two IP subnets
- Servers in a dedicated IP subnet

One Armed
- Load balancer not inline
- Allows direct server access
- Requires source NAT

Bridged Mode
- Easy migration for servers
- Requires one IP subnet
- Recommended for non-load-balanced traffic

For Your Reference


The Need for Optimization

Applications were built for and tested on the LAN: high bandwidth, low latency, reliability.

Last mile problem:
- Already congested
- Low bandwidth
- Latency
- Packet loss

It's not just about bandwidth.

Solutions:
- Caching
- Server offload (TCP/SSL)
- Session proxy

(Diagram: on the LAN, client, switch and server see a round-trip time (RTT) of roughly 0 ms; across the WAN/Internet the client reaches the server through an ISP.)


The Impact of Latency and Loss

(Chart: expected vs. actual throughput on a 1.544 Mbps and on a 500 Kbps link as the coefficient of latency and loss rises from low to high.)

$$R \approx \frac{MSS}{RTT \cdot \sqrt{p}}$$

- R: average throughput
- MSS: packet size
- RTT: round-trip time
- p: packet loss
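A worked reading of the formula, added here and not on the slide, using the slide's own symbols; B (the link rate, 1.544 Mbps or 500 Kbps on the chart) is an added symbol, and MSS = 1460 bytes, RTT = 200 ms and p = 1% are assumed values.

$$R \approx \frac{MSS}{RTT \cdot \sqrt{p}}, \qquad \text{achieved throughput} = \min(B,\ R)$$

Scaling:

$$\frac{R(2\,RTT,\ p)}{R(RTT,\ p)} = \frac{1}{2}, \qquad \frac{R(RTT,\ 4p)}{R(RTT,\ p)} = \frac{1}{\sqrt{4}} = \frac{1}{2}$$

With the assumed values:

$$R \approx \frac{1460 \cdot 8\ \text{bit}}{0.2\ \text{s} \cdot \sqrt{0.01}} = \frac{11680\ \text{bit}}{0.02\ \text{s}} \approx 584\ \text{kbit/s}$$

so $\min(1544,\ 584) = 584$ kbit/s on the T1 and $\min(500,\ 584) = 500$ kbit/s on the 500 Kbps link. B does not appear in R at all; once latency and loss cap R below the link rate, the three-times-faster link delivers only about 17% more, which is the slide's point that it is not just about bandwidth.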


Traffic Flow with ACE 4710 Compression

The following shows how the server's response is handled when compression is applied by the ACE 4710 Appliance (client on the WAN, Cisco ACE 4710 on the LAN in front of the server):

1. Request before ACE (from the client):

       GET / HTTP/1.1
       Accept-Encoding: gzip,deflate

2. ACE rewrites the client's request; request after ACE (to the server):

       GET / HTTP/1.1
       Accept-Encoding: identity

3. Response before ACE (from the server):

       HTTP/1.1 200 OK
       Content-type: text/html
       Content-Length: 5963

4. ACE inspects the response.

5. ACE compresses the response.

6. Response after ACE (the server sent an uncompressed HTTP payload of 5963 bytes):

       HTTP/1.1 200 OK
       Content-type: text/html
       Content-Encoding: deflate
       Transfer-Encoding: chunked

7. The client receives a compressed HTTP payload of 1789 bytes.
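The seven-step flow above as an added example (my model, not ACE code): the request, the 5963-byte body and the server response are constructed, and the host name is the one from the GSS slides.

```python
"""Added example (not ACE code): a model of the seven-step compression
flow on the slide.  The "ACE" is two functions: one rewrites the client's
Accept-Encoding toward the server, the other deflates the server's identity
response and re-frames it as chunked.  Messages are constructed; the body is
padded to the slide's 5963 bytes but, being repetitive, compresses far
better than the slide's 1789 bytes."""
import zlib

CLIENT_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.sharepoint.ciscojax.com\r\n"
                  b"Accept-Encoding: gzip,deflate\r\n\r\n")
HTML_BODY = (b"<html><body>\n"
             + b"<p>Data Center Application Services</p>\n" * 148
             + b"</body></html>\n")
HTML_BODY += b" " * (5963 - len(HTML_BODY))      # constructed: 5963 bytes

def parse_message(raw):
    """Split an HTTP/1.1 message into (start line, [[name, value]], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = [[n.strip(), v.strip()] for n, _, v in
               (line.partition(":") for line in lines[1:])]
    return lines[0], headers, body

def get_header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), None)

def set_header(headers, name, value):
    for h in headers:
        if h[0].lower() == name.lower():
            h[1] = value
            return
    headers.append([name, value])

def drop_header(headers, name):
    headers[:] = [h for h in headers if h[0].lower() != name.lower()]

def serialize(start, headers, body):
    head = start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers)
    return head.encode("iso-8859-1") + b"\r\n" + body

def ace_rewrite_request(raw):
    """Steps 1-2: if the client accepts gzip/deflate, ask the server for an
    identity body so the ACE, not the server, compresses.  Returns
    (request toward the server, client_accepts_compression)."""
    start, headers, body = parse_message(raw)
    offered = get_header(headers, "Accept-Encoding") or ""
    accepts = bool({t.strip().lower() for t in offered.split(",")}
                   & {"gzip", "deflate"})
    if accepts:
        set_header(headers, "Accept-Encoding", "identity")
    return serialize(start, headers, body), accepts

def chunked(body):
    return b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"

def ace_compress_response(raw, client_accepts):
    """Steps 4-6: inspect, then compress only text the client can decode and
    that is not already encoded; Content-Length no longer holds, so the
    response is re-framed as chunked."""
    start, headers, body = parse_message(raw)
    ctype = (get_header(headers, "Content-type") or "").lower()
    if (not client_accepts or get_header(headers, "Content-Encoding")
            or not ctype.startswith("text/")):
        return raw                                   # pass through untouched
    compressed = zlib.compress(body)    # zlib-wrapped stream = HTTP "deflate"
    drop_header(headers, "Content-Length")
    set_header(headers, "Content-Encoding", "deflate")
    set_header(headers, "Transfer-Encoding", "chunked")
    return serialize(start, headers, chunked(compressed))

def dechunk(body):
    out, rest = b"", body
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line, 16)
        if size == 0:
            return out
        out += rest[:size]
        rest = rest[size + 2:]                       # skip the chunk's CRLF

def client_decode(raw):
    """Step 7: what the client reconstructs from the bytes on the wire."""
    _, headers, body = parse_message(raw)
    if (get_header(headers, "Transfer-Encoding") or "").lower() == "chunked":
        body = dechunk(body)
    if (get_header(headers, "Content-Encoding") or "").lower() == "deflate":
        body = zlib.decompress(body)
    return body

def server_response(body):
    """Step 3: the server's uncompressed response (constructed)."""
    return (b"HTTP/1.1 200 OK\r\nContent-type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body

def run_flow(request=CLIENT_REQUEST, body=HTML_BODY):
    """Client -> ACE -> server -> ACE -> client, returning both ACE hops."""
    to_server, accepts = ace_rewrite_request(request)
    to_client = ace_compress_response(server_response(body), accepts)
    return {"to_server": to_server, "to_client": to_client}
```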


Wide Area Application Services

WAAS overcomes TCP and WAN bottlenecks:
- Shields nodes' connections from WAN conditions; clients experience fast acknowledgement
- Minimizes perceived packet loss
- Eliminates the need to use inefficient congestion handling

(Diagram: LAN TCP behaviour on both sides of the WAN; the segment between the WAEs uses window scaling, large initial windows, congestion management and improved retransmit.)


WAAS Optimizations

(Diagram: a Catalyst 6509 with an ACE module at the data center intercepts the original flow, redirects it to a WAE cluster and monitors it; the optimized flow crosses the WAN to the remote office, where the original flow is restored.)

Base optimizations (TCP-only traffic):
- Data redundancy elimination (byte cache)
- Lempel-Ziv compression (similar to GZIP)
- TCP flow optimization (adaptive to link conditions)

Application optimizers:
- HTTP
- SSL
- CIFS
- NFS
- Video stream splitting (WMS)

Interception options: in-line, WCCP, PBR, ACE

Virtual blade (local server in the branch - ISSU)

Modular design


Adaptive Security Appliance: Firewall/IPS/VPN

Why do I need firewall services?
- Application segmentation
- Regulatory compliance
- Edge security
- Business unit segmentation

Why do I need VPN services?
- Mobile users
- Business partners
- Small branch

Why do I need IPS services?
- Audit compliance
- Traffic flow visibility
- Reporting
- Defense in depth


IronPort E-Mail Security: More Spam and Spammers

More spam:
- Daily spam volume doubles yearly
- Reaching 180 billion spam messages per day

More spammers:
- More spammers, with botnet-compromised hosts sending spam
- Malware sophistication increasing

(Charts: Average Daily Spam Volume in billions and Average Simultaneous Compromised Hosts in thousands, by calendar quarter from Q1'07 to Q4'08. Source: Cisco Threat Operations Center.)


ACE Application Inspections

TCP/IP
- Various atomic TCP checks implemented
- TCP state tracking and TCP option processing
- Sequence number randomization

ICMP
- Protection against ICMP attacks and crafted ICMP error messages
- Makes ICMP requests and responses stateful
- Prevents bogus unsolicited responses from entering the network

HTTP
- Enforce HTTP-specific parameters (URL/header lengths)
- Filtering on HTTP encoding mechanisms, multiple content types
- Tunneled application control (IM/P2P/file types)
- Customizable regex-based signatures and dynamic updates

IM / P2P (over HTTP)
- Access control for IM (Yahoo, MSN, AIM, ICQ) and P2P (KaZaa, Torrents, Gnutella) over user-defined/well-known ports
- Feature control (doodling, voice chat, file sharing)
- Customizable regex-based signatures

FTP
- Directory traversal attack prevention and command filtering
- Server identity protection via obfuscation techniques
- Filtering based on username, file name/type, server name
- Enhanced logging capabilities


ACE Application Inspections (continued)

DNS
- Enforce legitimate zone transfers, private vs. public domains
- DNS spoofing and cache poisoning prevention
- Filtering based on domain name

LDAP/ILS
- Decodes the AddRequest, SearchRequest and SearchResultEntry
- Fixes up the embedded IP addresses in LDAP messages
- Logs IP mismatches between the IP header and the payload

RTSP
- The inspection engine parses SETUP response messages with status code 200
- Opens pinholes for data channels
- Keeps state to remember the client ports in the SETUP message

SCCP/Skinny
- NATs the embedded IP address
- Dynamic opening of media pinholes
- Enforces user-configured policies
- State checking to ensure only registered clients can place/receive calls

SIP
- NATs the embedded IP address
- Prepares the dynamic secondary control/data connection
- Tracks the SIP finite state machine
- Enforces user-configured policies


Validated Application Solutions

- Comprehensive set of validated ACE solutions
- Example showing the Cisco and Microsoft validated solution for Microsoft Exchange Server 2007 using ACE
- Currently testing Exchange 2010 running on Cisco Unified Computing System (UCS), load balanced by ACE

http://www.cisco.com/en/US/partner/netsol/ns751/networking_solutions_sub_program_home.html

For Your Reference


General DC Services Flow

(Diagram: campus/branch, Internet and intranet traffic enters through a pair of Catalyst 6500 VSS switches, each with a WAE and an ACE, then Nexus 7000 and Nexus 5000 pairs, an ASA pair and the GSS, down through Nexus 2000 fabric extenders to UCS and a virtualized server farm; VLANs 981, 982, 983 and 882 carry the service chain.)


Data Center Infrastructure: ACE Bridged Mode

(Diagram: Nexus 7000, Nexus 5000, ASA, WAE and ACE pairs, GSS, Nexus 2000 and UCS servers on multiple server VLANs including VLAN 882; the ACE bridges VLAN 982 and VLAN 983 and reaches the WAEs over VLAN 981.)

ACE configuration excerpts shown on the slide:

```
ft track host DC-Gtwy
  track-host 10.86.91.97
  peer track-host 10.86.91.97
  priority 50
  peer priority 50
ft track interface WAE
  track-interface vlan 981
ft track host WAN-Gtwy
  track-host 10.86.91.99

access-list BPDU_allow ethertype permit bpdu

interface bvi 2
  ip address 10.86.91.110 255.255.255.240
  alias 10.86.91.108 255.255.255.240
  peer ip address 10.86.91.109 255.255.255.240

interface vlan 981
  ip address 10.86.79.222 255.255.255.248
  alias 10.86.79.217 255.255.255.248
  peer ip address 10.86.79.221 255.255.255.248
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input all

interface vlan 982
  bridge-group 2
  no normalization
  access-group input BPDU_allow
  service-policy input From_WAN_982

interface vlan 983
  service-policy input From_DC_983

ip route 0.0.0.0 0.0.0.0 10.86.91.97
ip route 192.168.0.0 255.255.255.0 10.86.91.98
```

The ft track entries lower the fault-tolerance priority by 50 when the tracked data center gateway stops answering or the WAE-facing VLAN 981 goes down, so the peer ACE context takes over; the bridged VLAN 982 also needs the BPDU_allow ethertype ACL so spanning tree can pass through the bridge group. The slide shows only the service-policy line for interface vlan 983; the rest of that interface's configuration is not on the page.


Data Center Infrastructure: ACE Bridged Mode (continued)

(Diagram: the same topology as the previous slide.)

Probes, serverfarms, real servers and traffic classification for the WAAS interception:

```
probe tcp WAE-PROBE
  port 8443
  interval 5
  passdetect interval 5
  receive 1
  ssl version all
  expect status 200 200
  open 2

probe icmp GATEWAY-PROBE
  interval 5
  passdetect interval 5
  receive 1

serverfarm host BR-WAE-FARM
  description Inbound from the Branch
  transparent
  predictor hash address source 255.255.255.240

serverfarm host DC-WAE-FARM
  description Outbound from the Data Center
  transparent
  predictor hash address destination 255.255.255.240

rserver host WAN-GW
  ip address 10.86.79.230
  inservice
rserver host DC-GW
  ip address 10.86.91.97
  inservice
rserver host WAE1
  ip address 10.86.91.114
  conn-limit max 2000 min 50
  inservice
rserver host WAE2
  ip address 10.86.91.115
  conn-limit max 12000 min 50
  inservice

class-map match-any BYPASS
  description Non-Accelerated (Bypassed) Traffic
  1 match virtual-address 0.0.0.0 0.0.0.0 tcp eq telnet
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 22
  3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq domain
  4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 49
  5 match virtual-address 0.0.0.0 0.0.0.0 tcp range 1812 1813
  6 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 161
  7 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 162
  8 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 123
  9 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 179

class-map match-all WAAS
  description Accelerated Traffic
  2 match virtual-address 0.0.0.0 0.0.0.0 any
```

Both WAE serverfarms are transparent (the ACE does not NAT toward the WAE) and hash on the branch-side address with a /28 mask: the source address for traffic inbound from the branch, the destination address for traffic outbound from the data center, so both directions of a connection reach the same WAE. The BYPASS class-map exempts management and control-plane TCP ports (telnet, SSH, DNS, TACACS+ 49, RADIUS 1812-1813, SNMP 161/162, NTP 123, BGP 179) from acceleration; everything else matches WAAS. The WAE-PROBE is reproduced as the slide shows it, as `probe tcp`, although `ssl version all` and `expect status` belong to an HTTPS probe.
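The BYPASS/WAAS classification and the two hash predictors above, as an added example (my model, not ACE code): the hash function is a stand-in for ACE's own, the WAE addresses and mask come from the slide, and the flows are constructed.

```python
"""Added example (not ACE code): the BYPASS / WAAS class-maps and the two
transparent WAE serverfarms from the bridged-mode slide, as a flow-steering
function.  The hash is a stand-in for ACE's own 'predictor hash address';
the property shown, that hashing the branch address as source inbound
(BR-WAE-FARM) and as destination outbound (DC-WAE-FARM) selects the same
WAE, holds for any deterministic hash.  Flows are constructed."""
import hashlib
import ipaddress

# class-map match-any BYPASS: the TCP destination ports on lines 1-9
BYPASS_TCP_PORTS = {23, 22, 53, 49, 1812, 1813, 161, 162, 123, 179}
WAES = ["10.86.91.114", "10.86.91.115"]   # rserver WAE1, WAE2 (inservice)
HASH_MASK = "255.255.255.240"             # predictor hash address ... mask


def classify(proto: str, service_port: int) -> str:
    """BYPASS if any class-map line matches (match-any), else WAAS, whose
    single line 'match virtual-address 0.0.0.0 0.0.0.0 any' takes the rest.
    service_port is the server-side port of the connection, which is what
    the class-map lines test on the SYN.  The bypass list names TCP only:
    UDP DNS/SNMP/NTP/RADIUS is not bypassed and goes to the WAE farm."""
    if proto == "tcp" and service_port in BYPASS_TCP_PORTS:
        return "BYPASS"
    return "WAAS"


def hash_address(addr: str, mask: str = HASH_MASK, pool=WAES) -> str:
    """Stand-in for 'predictor hash address <mask>': mask the address so a
    whole /28 of clients shares one WAE, hash it, index the rserver list."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    key = int(net.network_address).to_bytes(4, "big")
    digest = hashlib.sha256(key).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def pick_wae(direction: str, src: str, dst: str) -> str:
    """BR-WAE-FARM (inbound from the branch) hashes the source address;
    DC-WAE-FARM (outbound from the data center) hashes the destination.
    Either way the key is the branch-side address, so both directions of a
    connection reach the same WAE, which WAAS needs for DRE/TFO peering."""
    if direction == "inbound":
        return hash_address(src)
    if direction == "outbound":
        return hash_address(dst)
    raise ValueError(f"unknown direction {direction!r}")


def steer(direction: str, proto: str, src: str, dst: str,
          service_port: int) -> str:
    """Decision the ACE makes for a connection: 'BYPASS' or the WAE
    address that will carry the flow (state keeps the reply on it)."""
    if classify(proto, service_port) == "BYPASS":
        return "BYPASS"
    return pick_wae(direction, src, dst)


if __name__ == "__main__":
    branch, dc = "10.0.65.103", "10.86.91.50"          # constructed hosts
    print(steer("inbound", "tcp", branch, dc, 443))    # a WAE address
    print(steer("outbound", "tcp", dc, branch, 443))   # the same WAE
    print(steer("inbound", "tcp", branch, dc, 22))     # BYPASS
```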


Data Center Infrastructure: ACE Routed Mode

(Diagram: the same topology, with the ACE routing between VLAN 981 (WAEs), VLAN 982 (server farm) and VLAN 983.)

ACE configuration excerpts shown on the slide:

```
ft track host DC-Gtwy
  track-host 10.86.91.97
  peer track-host 10.86.91.97
  priority 50
  peer priority 50
ft track interface WAE
  track-interface vlan 981
ft track interface ServerFarm
  track-interface vlan 982

interface vlan 981
  ip address 10.86.79.222 255.255.255.248
  alias 10.86.79.217 255.255.255.248
  peer ip address 10.86.79.221 255.255.255.248
  no normalization
  mac-sticky enable
  no icmp-guard
  service-policy input WAAS_VIP_pol

interface vlan 982
  ip address 10.86.79.227 255.255.255.248
  alias 10.86.79.225 255.255.255.248
  peer ip address 10.86.79.226 255.255.255.248
  no normalization

interface vlan 983
  ip address 10.86.91.110 255.255.255.240
  alias 10.86.91.108 255.255.255.240
  peer ip address 10.86.91.108 255.255.255.240
  no normalization
  service-policy input WAE_pol
  access-group input all

ip route 0.0.0.0 0.0.0.0 10.86.91.97
```

Note that the slide gives the same address, 10.86.91.108, for both the alias and the peer ip address on interface vlan 983; the peer address must differ from the alias (the bridged-mode BVI on the earlier slide uses 10.86.91.109 as the peer), so treat that line as a slide typo.


Data Center Infrastructure: GSS

(Diagram: the same topology as the ACE slides, with the GSS attached on VLAN 882.)


Exchange Server 2007 Role Deployment

Each role on a separate computer:

    Role                          Function
    Edge Transport                DMZ deployment
    Mailbox                       Single DB
    Client Access Server          Client interface
    Active Directory              Authentication
    Hub Transport                 Mail mover
    Exchange Management Console   Default on any server


Mailbox Protection 2007, Microsoft-Based

(Diagram of the four options, each showing where the DB and logs are copied.)

- Local Continuous Replication (LCR): replication to a second disk set
- Cluster Continuous Replication (CCR): replication within a cluster, with a file share witness
- Standby Continuous Replication (SCR): replication to a standby server
- Single Copy Cluster (SCC): a single copy of DB/logs, protected by a cluster with a quorum


Exchange Server 2010 Architecture

For Your Reference


Exchange Server 2010 Role Deployment

Each role in a separate virtual guest:

    Role                                           Function
    Edge Transport                                 DMZ deployment
    Mailbox (no virtual clustering, HA services)   Primary DB (active) and secondary DB (standby)
    Client Access Server                           Client interface
    Active Directory                               Authentication
    Hub Transport                                  Mail mover
    Exchange Management Console                    Default on any server


Database Availability Group

(Diagram: mailbox servers MBX-1, MBX-2 and MBX-3 each hold a copy of DB1, DB2 and DB3; for each database one copy is active, one passive and one lagged.)

No need for the older mailbox protection options.


Exchange Role Deployment Guidelines

Client Access Server (CAS)
- Function: provides general web services and client access for OWA, POP3, IMAP4, RPC/HTTP, ActiveSync
- Network deployment guidelines: can be located internally (inside the DC) or in the DMZ; SLB/SSL offload on ACE; GSS; WAAS for unencrypted OWA/Anywhere; firewall service

Edge Transport (ET)
- Function: routes mail in/out of the Exchange org; acts as SMTP relay, smarthost, anti-spam
- Network deployment guidelines: located in the DMZ/perimeter; SLB on ACE; GSS; firewall services; replace with IronPort C-Series

Hub Transport (HT)
- Function: internal routing of mail; compliance, disclaimers, journaling, site connections
- Network deployment guidelines: nothing special for networking; validate BW requirements based on customer mail load

Mailbox (MBX)
- Function: hosts mailbox and public folder stores
- Network deployment guidelines: Layer 2 extension for Windows 2003 WSCS; Layer 3 clusters (Windows Server 2008 WSFC); WAAS for SAN and SAN-based replication


Exchange Flows (SMTP to IronPort-C)

(Diagram: data center services with Internet access via Provider A and Provider B through the Internet router and an ASA FW/VPN; campus/branch via the DC WAN routers, WAAS/WoW and WAAS Mobile; ACE pair, GSS and DNS; Remote SMTP reaches the IronPort C, which relays on to the MBX tier; CAS behind an ASA FW/VPN; VLANs 782, 883, 981, 982 and 983.)


Exchange Flows (Access to CAS)

(Diagram: the same data center services topology as the SMTP flow slide, showing the client access paths to the CAS.)


Configuring the OWA Server for SSL-offload

The CAS role is aware of the SSL-offload functionality of the ACE. To configure support for SSL-offloading on a CAS role, refer to: http://technet.microsoft.com/en-us/library/bb885060.aspx

(Screenshot: set the Value data to 1.)

For Your Reference


WAAS Results: Encrypted Outlook Anywhere

```
WAE674-WoW#show statistics connection optimized
D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO

ConnID   Source IP:Port      Dest IP:Port      PeerID             Accel  RR
205172   10.0.65.103:3851    10.7.53.55:443    00:21:55:86:1e:77  TSDL   36.9%
205173   10.0.65.102:3853    10.7.53.55:443    00:21:55:86:1e:77  TSDL   42.2%
205175   10.0.65.102:3855    10.7.53.55:443    00:21:55:86:1e:77  TSDL   31.3%
205186   10.0.65.112:1355    10.7.53.55:443    00:21:55:86:1e:77  TSDL   32.8%
205187   10.0.65.112:1357    10.7.53.55:443    00:21:55:86:1e:77  TSDL   46.7%
205189   10.0.65.112:1359    10.7.53.55:443    00:21:55:86:1e:77  TSDL   34.1%
205198   10.0.65.111:1313    10.7.53.55:443    00:21:55:86:1e:77  TSDL   33.1%
205200   10.0.65.111:1315    10.7.53.55:443    00:21:55:86:1e:77  TSDL   47.4%

WAE674-WoW#show statistics dre
Connections: Total (cumulative): 68 Active: 33
Encode:
  Overall: msg: 3213, in: 27729 KB, out: 8930 KB, ratio: 67.79%
  DRE: msg: 3142, in: 27727 KB, out: 9736 KB, ratio: 64.89%
  DRE Bypass: msg: 71, in: 1604 B
  LZ: msg: 2719, in: 6562 KB, out: 5755 KB, ratio: 12.31%
```


WAAS Results: Un-Encrypted Outlook Anywhere

```
WAE674-WoW#show statistics connection optimized
D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO

ConnID   Source IP:Port      Dest IP:Port        PeerID             Accel  RR
205514   10.0.65.112:1465    10.7.53.55:34052    00:21:55:86:1e:77  THDL   92.8%
205522   10.0.65.111:1422    10.7.53.55:34052    00:21:55:86:1e:77  THDL   92.8%
205528   10.0.65.110:2690    10.7.53.55:34052    00:21:55:86:1e:77  THDL   92.8%

WAE674-WoW#show statistics dre
Encode:
  Overall: msg: 13796, in: 52556 KB, out: 13083 KB, ratio: 75.11%
  DRE: msg: 12428, in: 52368 KB, out: 14179 KB, ratio: 72.92%
  DRE Bypass: msg: 10351, in: 188 KB
  LZ: msg: 10650, in: 10936 KB, out: 9589 KB, ratio: 12.32%
  LZ Bypass: msg: 3146, in: 3431 KB
  Avg latency: 0.238 ms Delayed msg: 9605
  Encode th-put: 16009 KB/s
  Message size distribution:
  0-1K=11% 1K-5K=29% 5K-15K=58% 15K-25K=0% 25K-40K=0% >40K=0%
```

Compared with the encrypted run, these connections are handled by the HTTP accelerator instead of the SSL accelerator (Accel THDL rather than TSDL) and reach a 92.8% reduction ratio per connection, against 31-47% for the encrypted ones.


SAP Business Suite (For Your Reference)


    SAP Application Flows


Multi-Tiered Architecture

- Web browser or SAPGUI
- SAP Portal or other middleware server
- SAP Application: NetWeaver and business application
- Database: all data and programs are stored in a single DB


SAP Flows

(Diagram: the data center services topology, with Internet access via Provider A and Provider B through the Internet router and an ASA FW/VPN; campus/branch via the DC WAN routers, WAAS/WoW and WAAS Mobile; ACE pair, GSS and DNS; VLANs 782, 883, 981, 982 and 983; SAP NetWeaver servers in the server farm.)

  • 8/6/2019 BRKAPP2022 Servicios de Aplicaciones en Centros de Datos

    53/74

    2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 53

    SAP Flows

  • 8/6/2019 BRKAPP2022 Servicios de Aplicaciones en Centros de Datos

    54/74

    2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 54

    SAP Flows

  • 8/6/2019 BRKAPP2022 Servicios de Aplicaciones en Centros de Datos

    55/74

    2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 55

    SAP Flows

    Data CenterServices

    Internet

    ACE

    ACE

    GSS

    WAAS, WoW

    WAAS, WoW

    DC WAN Router

    DC WAN Router

    Internet Router

    Provider A

    Provider B

    Campus/Branch

    WAAS

    ASAFW/VPN

    ASA

    FW/VPN

    VLAN 982

    VLAN 983

    VLAN 981

    VLAN 782

    DNS

    WAAS Mobile

    VLAN 883

    SAPNetweaver

  • 8/6/2019 BRKAPP2022 Servicios de Aplicaciones en Centros de Datos

    56/74

    2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 56

    SAP Flows

  • 8/6/2019 BRKAPP2022 Servicios de Aplicaciones en Centros de Datos

    57/74

    2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 57

    SAP Flows

    Data CenterServices

    Internet

    ACE

    ACE

    GSS

    WAAS, WoW

    WAAS, WoW

    DC WAN Router

    DC WAN Router

    Internet Router

    Provider A

    Provider B

    Campus/Branch

    WAAS

    ASAFW/VPN

    ASA

    FW/VPN

    VLAN 982

    VLAN 983

    VLAN 981

    VLAN 782

    DNS

    WAAS Mobile

    VLAN 883

    SAPNetweaver

  • 8/6/2019 BRKAPP2022 Servicios de Aplicaciones en Centros de Datos

    58/74

    2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 58


    Management Components

Application Networking Manager: GUI config and management for the GSS/ACE application HA environment
Wide Area Application Services Central Manager: centralized GUI config and reporting for WAAS
Cisco Security Manager: GUI config and reporting for Firewall/IPS/VPN
Unified Compute System Manager: central, built-in management for UCS
Systems Center Operations Manager: central management for MSFT applications (e.g. Exchange)


    Application Network Manager

    Wide Area Application Services

Wide Area Application Services Central Manager


    Cisco Security Manager


    UCSM


    SCOM Interface


Additional Configuration Items

Config Example ACE IronPort C-Class

probe smtp SMTP-pro
  interval 5
  passdetect interval 15
  passdetect count 5
  expect status 211 211
  expect status 250 250
rserver host IP1
  ip address 10.0.88.223
  inservice
rserver host IP2
  ip address 10.0.88.224
  inservice
rserver host IP3
  ip address 10.0.88.225
  inservice
serverfarm host IP_SF
  probe SMTP-pro
  rserver IP1
    inservice
  rserver IP2
    inservice
  rserver IP3
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-grp
  timeout 60
  replicate sticky
  serverfarm IP_SF
class-map match-any IPVIP-cls
  2 match virtual-address 10.0.88.230 tcp eq smtp
policy-map type loadbalance first-match IPLB-pol
  class class-default
    sticky-serverfarm STICKY-grp
policy-map multi-match IPVIP-pol
  class IPVIP-cls
    loadbalance vip inservice
    loadbalance policy IPLB-pol
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 88
interface vlan 88
  ip address 10.0.88.6 255.255.255.0
  nat-pool 1 10.0.88.253 10.0.88.253 netmask 255.255.255.0 pat
  service-policy input IPVIP-pol
  no shutdown

The VIP, the ACE interface and the three IronPort appliances all sit in VLAN 88 (one-arm deployment), so the nat dynamic / nat-pool statements source-NAT client connections to 10.0.88.253; without that, the appliances would reply directly to the client and bypass the ACE. The VIP is limited to tcp eq smtp, so only port 25 is forwarded to the appliances, and the SMTP probe takes a server out of rotation unless the greeting and HELO responses match the expected status codes.


Config Example ACE CAS Servers

probe tcp IP-Pro1
  description CAS Server Probe1
  port 25
  interval 10
  passdetect interval 15
  passdetect count 5
  receive 20
probe tcp IP-Pro2
  description CAS Server Probe2
  port 443
  interval 10
  passdetect interval 15
  passdetect count 5
  receive 20
probe tcp IP-Pro3
  description CAS Server Probe3
  interval 10
  passdetect interval 15
  passdetect count 5
  receive 20
rserver host CAS1
  ip address 10.0.93.101
  inservice
rserver host CAS2
  ip address 10.0.93.102
  inservice
rserver host CAS3
  ip address 10.0.93.103
  inservice
serverfarm host CAS_SF
  probe IP-Pro1
  probe IP-Pro2
  probe IP-Pro3
  rserver CAS1
    inservice
  rserver CAS2
    inservice
  rserver CAS3
    inservice
sticky ip-netmask 255.255.255.0 address source STICKY-grp
  timeout 120
  replicate sticky
  serverfarm CAS_SF
class-map match-any CAS-VIP
  2 match virtual-address 10.0.93.210 tcp any
policy-map type loadbalance first-match CASLB-pol
  class class-default
    sticky-serverfarm STICKY-grp
policy-map multi-match CASVIP-pol
  class CAS-VIP
    loadbalance vip inservice
    loadbalance policy CASLB-pol
    loadbalance vip icmp-reply active

Two points to check before reusing this: IP-Pro3 has no port statement, so it inherits its port from the rserver or VIP rather than checking a named service; give it an explicit port. The class-map matches tcp any, which is common for a CAS array because Outlook MAPI/RPC uses dynamic ports, but it also forwards every other TCP port on the VIP to the CAS servers; narrow it once static RPC ports are configured. Stickiness is keyed on the client /24 (255.255.255.0), so every client behind the same subnet or NAT lands on one CAS server.


    Config Example ACE for WAAS


Config Example ACE for WAAS (Non-WCCP)

interface vlan 981
  description Data Center WAAS VLAN
  ip address 10.86.79.222 255.255.255.248
  alias 10.86.79.217 255.255.255.248
  peer ip address 10.86.79.221 255.255.255.248
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input everyone
interface vlan 982
  description Branch Facing VLAN
  ip address 10.86.79.227 255.255.255.240
  alias 10.86.79.225 255.255.255.240
  peer ip address 10.86.79.226 255.255.255.240
  no normalization
  no icmp-guard
  access-group input everyone
  service-policy input Traffic-From-BR_982
interface vlan 983
  description Data Center Facing VLAN
  ip address 10.86.91.110 255.255.255.240
  alias 10.86.91.108 255.255.255.240
  peer ip address 10.86.91.109 255.255.255.240
  no normalization
  no icmp-guard
  access-group input everyone
  service-policy input remote-access
  service-policy input Traffic-From-DC_983
serverfarm host BR-to-CORE-BACKUP
  transparent
  probe GATEWAY-PROBE
  rserver DC-GW-97
    inservice
serverfarm host DC-to-BR-BACKUP
  transparent
  probe GATEWAY-PROBE
  rserver BR-GW-130
    inservice

Here the ACE is an interception point in the path, not a policy enforcement point: no normalization turns off the ACE TCP normalizer, which would otherwise drop the TCP options and sequence changes the WAEs make, mac-sticky enable returns traffic to the MAC it arrived from, and the ACL everyone (not shown) must permit the intercepted traffic, since an ACE interface passes nothing until an access-group is applied. The two transparent backup farms point at the real gateways (DC-GW-97, BR-GW-130) so that traffic keeps flowing unaccelerated if every WAE fails its probe.


Config Example ACE for WAAS (Non-WCCP), continued

class-map match-any BYPASS
  description Non-Accelerated (Bypassed) Traffic
  1 match virtual-address 0.0.0.0 0.0.0.0 tcp eq telnet
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 22
  3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq rdp
  4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq domain
  5 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 49
  6 match virtual-address 0.0.0.0 0.0.0.0 tcp range 1812 1813
  7 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 161
  8 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 162
  9 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 123
  10 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 179
serverfarm host BR-WAE-FARM
  description Inbound from the Branch
  transparent
  predictor hash address source 255.255.255.240
  probe WAE-PROBE
  ...
serverfarm host DC-WAE-FARM
  description Outbound from the Data Center
  transparent
  predictor hash address destination 255.255.255.240
  probe WAE-PROBE

Both WAE farms hash on the branch-side address (source for traffic arriving from the branch, destination for traffic leaving the data center) with the same /28 mask, so both directions of a connection are steered to the same WAE; a WAE that sees only one direction cannot optimize the flow.


Config Example ACE for WAAS (Non-WCCP), continued

policy-map type loadbalance first-match BYPASS
  description Send non-accelerated traffic directly to router
  class class-default
    forward
policy-map type loadbalance first-match BR-Traffic-LB
  description Loadbalance traffic from branches
  class class-default
    serverfarm BR-WAE-FARM backup BR-to-CORE-BACKUP
policy-map type loadbalance first-match DC-Traffic-LB
  description Loadbalance traffic destined to branches
  class class-default
    serverfarm DC-WAE-FARM backup DC-to-BR-BACKUP
policy-map multi-match Traffic-From-BR_982
  class BYPASS
    loadbalance vip inservice
    loadbalance policy BYPASS
  class WAAS
    loadbalance vip inservice
    loadbalance policy BR-Traffic-LB
policy-map multi-match Traffic-From-DC_983
  class BYPASS
    loadbalance vip inservice
    loadbalance policy BYPASS
  class WAAS
    loadbalance vip inservice
    loadbalance policy DC-Traffic-LB
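The checks called out on the CAS/IronPort VIP examples and on the WAAS interception interfaces above are easy to automate before a config is pushed. The following script is an added example (not code from the original slides or from Cisco): it parses the indentation-based ACE running-config text into top-level commands with their sub-commands and reports a VIP that matches tcp any, a generic tcp/udp probe with no explicit port, a sticky group keyed on a subnet rather than a single host, an interface with no normalization, and an access-group that names an ACL not defined in the text. SAMPLE_CONFIG is a constructed subset of the configs on the preceding slides; the rule names and messages are this example's own.

```python
"""Static review of Cisco ACE load-balancer configuration text.

Added example, not part of the original deck. It reads the ACE config as
plain text (one top-level command per line, sub-commands indented) and
flags the settings a reviewer would question on the CAS, IronPort and
WAAS examples. SAMPLE_CONFIG is a constructed subset of those examples.
"""
import re
from dataclasses import dataclass, field

# Constructed from the slide examples: one probe with a port, one without,
# a /24 sticky group, a 'tcp any' VIP and a port-specific VIP, and a WAAS
# interception interface with normalization off and an undefined ACL.
SAMPLE_CONFIG = """\
probe tcp IP-Pro1
  description CAS Server Probe1
  port 25
  interval 10
probe tcp IP-Pro3
  description CAS Server Probe3
  interval 10
sticky ip-netmask 255.255.255.0 address source STICKY-grp
  timeout 120
  serverfarm CAS_SF
class-map match-any CAS-VIP
  2 match virtual-address 10.0.93.210 tcp any
class-map match-any IPVIP-cls
  2 match virtual-address 10.0.88.230 tcp eq smtp
interface vlan 981
  description Data Center WAAS VLAN
  no normalization
  access-group input everyone
interface vlan 88
  ip address 10.0.88.6 255.255.255.0
"""


@dataclass
class Block:
    command: str                 # top-level line, e.g. "probe tcp IP-Pro3"
    children: list = field(default_factory=list)  # indented sub-commands


@dataclass
class Finding:
    kind: str      # rule identifier (this example's own names)
    command: str   # the top-level command the finding belongs to
    message: str


def parse_blocks(text: str) -> list:
    """Group lines into top-level commands and their indented sub-commands.
    Deeper nesting (rserver/inservice inside a serverfarm) is flattened into
    the same child list, which is enough for these checks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1].children.append(raw.strip())
        else:
            blocks.append(Block(raw.strip()))
    return blocks


def mask_to_prefix(mask: str) -> int:
    """Dotted-quad netmask to prefix length, e.g. 255.255.255.240 -> 28."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def lint(text: str) -> list:
    blocks = parse_blocks(text)
    # ACLs defined in this text; 'access-list NAME line N extended ...'
    defined_acls = {b.command.split()[1] for b in blocks
                    if b.command.startswith("access-list ")}
    findings = []
    for b in blocks:
        words = b.command.split()
        if words[0] == "class-map":
            for child in b.children:
                m = re.match(r"\d+ match virtual-address (\S+) tcp any$", child)
                if m:
                    findings.append(Finding("vip-any-port", b.command,
                        f"VIP {m.group(1)} forwards every TCP port to the "
                        "serverfarm; restrict it to the ports the application needs"))
        elif words[0] == "probe" and words[1] in ("tcp", "udp"):
            # Generic probes have no service default; the port is inherited.
            if not any(c.startswith("port ") for c in b.children):
                findings.append(Finding("probe-no-port", b.command,
                    "no explicit port; the probe inherits the rserver/VIP port, "
                    "so confirm which service is really being checked"))
        elif words[0] == "sticky" and words[1] == "ip-netmask":
            if words[2] != "255.255.255.255":
                findings.append(Finding("sticky-subnet", b.command,
                    f"stickiness keyed on a /{mask_to_prefix(words[2])} source "
                    "subnet; all clients behind one subnet or NAT share a server"))
        elif words[0] == "interface":
            if "no normalization" in b.children:
                findings.append(Finding("no-normalization", b.command,
                    "TCP normalization disabled; expected on WAAS interception "
                    "interfaces, review it anywhere else"))
            for child in b.children:
                m = re.match(r"access-group input (\S+)$", child)
                if m and m.group(1) not in defined_acls:
                    findings.append(Finding("acl-undefined", b.command,
                        f"access-group {m.group(1)} is not defined in this text; "
                        "verify it is not a permit-any ACL"))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"[{f.kind}] {f.command}: {f.message}")
```

Run it against a saved `show running-config` from the ACE; a config on which the CAS slide's IP-Pro3 has been given a port and the ACL behind access-group everyone is present in the text produces no probe-no-port or acl-undefined findings.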


    Recommended Reading
