© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 1BRKAPP-200214405_04_2008_c2
Server Load Balancing Design
BRKAPP-2002
Cisco Application Delivery Networks
WAN Acceleration: data redundancy elimination, window scaling, LZ compression, adaptive congestion avoidance
Application Acceleration: latency mitigation, application data cache, metadata cache, local services
Application Optimization: delta encoding, FlashForward optimization, application security, server offload
Application Networking: message transformation, protocol transformation, message-based security, application visibility
Application Scalability: server load balancing, site selection, SSL termination and offload, video delivery
Network Classification: quality of service, network-based application recognition, queuing/policing/shaping, visibility/monitoring/control
Other Cisco Live Breakout Sessions that You May Want to Attend
BRKAPP-2014 Deploying AXG
BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Siebel and Exchange
BRKAPP-2011 Scaling Applications in a Clustered Environment
BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization
BRKAPP-1009 Introduction to Web Application Security
BRKAPP-1008 What can Cisco IOS do for my application?
BRKAPP-3006 Troubleshooting WAAS
BRKAPP-2005 Deploying WAAS
BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers
BRKAPP-2017 Optimizing Application Delivery
BRKAPP-1016 Running Applications on the Branch Router
BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers
BRKAPP-1004 Introduction to WAAS
BRKAPP-3003 Troubleshooting ACE
BRKAPP-2002 Server Load Balancing Design
(Figure: the sessions plotted by product line, ISR, GSS, WAAS, ACE, AXG and ACNS, against relevancy to applications)
Agenda
Application Load Balancing: health checking, prediction, persistence, design and implementation considerations
Policy Configuration Examples: Layer 4 example, web protocol example, server-to-server load balancing example
SSL: SSL offload example
Advanced Load Balancing Design: application inspection, TCP reuse, URL load balancing
ACE Application Switching Module: Integrates Load Balancing, Application Optimization and Security
Virtual Device Support
Data Center and Application Firewall
Multimedia and Voice Intelligence
Low Power Usage with High Performance
License-based Upgrades (SSL, virtual licenses)
Support for Catalyst 6500 Series Switch and Cisco 7600 Series Router
Integrated Services, High Performance Application Switching Platform: 4-16 Gbps
ACE Application Switching Appliance: Integrates Load Balancing, Application Optimization and Security
Virtual Device Support
Data Center and Application Firewall
Multimedia and Voice Intelligence
Low Power Usage with High Performance
License-based Upgrades (SSL, Virtual licenses, Application Optimization, Compression Performance)
Specific optimizations for common applications
Latency and bandwidth reduction with protection
Application switching for scalability and availability
Embedded Browser-based Graphical User Interface
High Performance Multi-core, Dual-CPU Architecture
Integrated Services, High Performance Application Switching Platform: 1-2 Gbps
Cisco Application Networking Manager (ANM)
ACE Appliance has an embedded GUI
ANM is free for 2 ACE devices (with a maximum of 5 contexts without additional licensing); an order for ANM-SERVER-12-K9 must still be placed
ACE Module has no embedded GUI
Cisco ANM runs from a centralized server running Redhat Linux
Multiple Cisco ANM users can simultaneously manage multiple devices via web browser
Enables device & virtualization provisioning for up to fifty (50) ACE and forty (40) CSS & CSM per Cisco ANM server
Graphical interface for simplified and standardized service provisioning for basic, advanced and expert users
Secure user access and delegation of responsibilities
Enables Centralized Configuration, Operations, and Monitoring of Cisco Data Center Networking Equipment and Services
Load Balancing Overview: Terminology
Clients
Client-side gateway
Content switch / load balancer
Servers
Serverfarm
Keepalive (probe)
Virtual IP address (VIP), e.g. 172.16.2.100, TCP port 80
Class-map: match criteria such as URL = /news, User-Agent = WindowsCE, client = 192.0.0.0/8
Load balancing algorithm (predictor), e.g. round robin
XML gateways
Policy-map: if match class-map X then use serverfarm X, else use serverfarm Y
Traffic Being Load Balanced
Generic IP traffic (e.g. IPsec tunnels)
Generic UDP and TCP (e.g. proprietary protocols)
Network services (e.g. LDAP, DNS, RADIUS)
HTTP (e.g. web presentation layer, web services, SOAP/XML)
Voice and video (e.g. RTSP, SIP, H.323)
Remote terminals (e.g. Windows Terminal Services)
Multi-connection protocols (e.g. FTP, RTSP)
Multi-tier packaged applications (e.g. SAP, Oracle, Microsoft, BEA)
Vertical-specific applications (e.g. medical, finance, education)
Frame layout used for classification: Ethernet header (Layer 2) | IP header (Layer 3) | TCP header (Layer 4) | HTTP header and payload (Layers 5-7) | Ethernet trailer
Scale Your Application
Health Checking
Scale Your Application: Health Monitoring Issues
ARPs only check the IP stack and not the application
ICMP probes only check the IP stack of the machine and not the application
Generic TCP port opens check the TCP stack but not the application's ability to handle requests
An application may fail in a state where the server can still respond to a TCP SYN but not to an application data request
To verify the integrity of an application, an application data request keepalive is required
How do you verify the application server's health, or the web server's reachability to the application server? That is the application issue to solve
Application Load Balancing: Probe Options
ICMP: sends an ICMP request and waits for the reply
Generic TCP: opens a connection with the server and disconnects with TCP FIN or RST (TCP FIN is the default)
Generic UDP: sends a packet; the probe is considered successful if no ICMP error is received
HTTP: sends an HTTP HEAD or HTTP GET 1.1 request
HTTPS: establishes an SSL connection, sends an HTTP query and tears it down
FTP: similar to TCP probe
Telnet: makes a connection, sends a "QUIT" message
DNS: uses a default domain and waits for any response
SMTP: sends a "hello" followed by a "QUIT" message
POP3: similar to TCP probe
IMAP: similar to TCP probe
RADIUS: similar to UDP probe; NAS-IP can be configured
SNMP: up to eight OIDs can be configured; used mainly for load balancing predictions and not health checking, so it should be combined with another health probe to verify the application
Scripted: uses the TCL interpreter release 8.44 to execute user-defined TCL scripts to perform health monitoring
Scale Your Application: Application or Database Server Health Checking
Example application data request: http://www.company.com/test.asp with "Buy 10000 Widgets", Customer "Testuser", Company "Test Inc."
Probing customer application servers with application data requires a scripted keepalive on the load balancer or on a front-end server; scripting on front-end servers allows greater flexibility
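The health-checking slides above, worked through in runnable form. This is an added example written for this page, not Cisco's code and not the ACE's TCL probe engine. It shows the three probe classes side by side: a generic TCP port-open, an HTTP HEAD/GET that checks the status code, and a scripted probe that submits application data and validates the reply. The in-process backend, the /test.asp order request and the expected "ORDER ACCEPTED" token are constructed here, and the ProbeTracker only mirrors the idea behind the passdetect count and fail count settings that appear in the probe configuration later in the deck.

```python
"""Health probes for a server farm (added example; not Cisco/ACE code).
The constructed backend accepts TCP connections but serves HTTP 500,
which is exactly the failure state on the slide: the server answers a
SYN but cannot serve an application request."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def start_backend(status, body):
    """Start a constructed backend on 127.0.0.1 (ephemeral port) that
    answers every request with `status` and `body`. Returns (server, port)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_HEAD(self):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_backend(server):
    server.shutdown()
    server.server_close()


def tcp_probe(host, port, timeout=2.0):
    """Generic TCP probe: open the port, close with a FIN (the ACE default).
    Passes as long as the TCP stack answers, whatever the application does."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.shutdown(socket.SHUT_RDWR)
        return True
    except OSError:
        return False


def http_probe(host, port, path="/", method="HEAD", expect=(200,), timeout=2.0):
    """HTTP probe: send HEAD (or GET) and require an expected status code."""
    req = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req.encode())
            with s.makefile("rb") as f:
                status_line = f.readline().split()
        return len(status_line) >= 2 and int(status_line[1]) in expect
    except (OSError, ValueError):
        return False


def scripted_probe(host, port, timeout=2.0):
    """'Scripted' probe: submit the test order from the slide (a constructed
    /test.asp request) and validate the application's reply, not just the
    transport. The expected body token is an assumption of this example."""
    req = ("GET /test.asp?customer=Testuser&company=Test+Inc&qty=10000 HTTP/1.1\r\n"
           f"Host: {host}\r\nConnection: close\r\n\r\n")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req.encode())
            raw = b""
            while chunk := s.recv(4096):
                raw += chunk
        head, _, body = raw.partition(b"\r\n\r\n")
        return head.split()[1] == b"200" and b"ORDER ACCEPTED" in body
    except (OSError, IndexError):
        return False


class ProbeTracker:
    """Pass/fail detection counters in the spirit of the ACE 'passdetect
    count' and 'fail count' settings: a real server starts out of rotation,
    is marked PASSED after `pass_count` consecutive successes and FAILED
    again after `fail_count` consecutive failures."""
    def __init__(self, fail_count=3, pass_count=3):
        self.fail_count, self.pass_count = fail_count, pass_count
        self.state, self._streak = "FAILED", 0

    def record(self, ok):
        if ok == (self.state == "PASSED"):
            self._streak = 0               # result agrees with current state
            return self.state
        self._streak += 1
        needed = self.pass_count if self.state == "FAILED" else self.fail_count
        if self._streak >= needed:
            self.state = "PASSED" if ok else "FAILED"
            self._streak = 0
        return self.state
```

Against the HTTP 500 backend, tcp_probe passes while http_probe and scripted_probe fail, which is the gap the slide warns about; the tracker keeps a single bad sample from pulling a server out of rotation and a single good sample from putting it back.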
Scale Your Application
Predictors
Scale Your Application: Predictors
Predictors determine how connections from clients are load balanced across the serverfarm
Scale Your Application: Predictor Algorithms
Round Robin (weighted): very simple
Least Connections (weighted): dynamic, requires slow-start
Hash on IP (source/destination, with mask): no state required for stickiness; issues with dynamic changes
Hash on URL: or a portion of the URL
Server Watermarks: min and max number of connections per server
Least Loaded: SNMP OID-based server feedback; useful information is maintained as SNMP Object IDs
Least Bandwidth: connection vs. bandwidth, based on the bidirectional traffic flow
Adaptive Response Predictor: load balancing based on server response time, measured as SYN to SYN-ACK, SYN to FIN, or application request to first packet of response
Enhanced Predictors: Adaptive Response Predictor
Load balancing based on server response time; the response time is calculated over a configured number of samples and supports the following three measurement options:
SYN to SYN-ACK: time between the SYN sent from ACE and the SYN-ACK received from the server
SYN to close: time between the SYN sent from ACE and the FIN/RST received from the server
Application request to response: time between the HTTP request sent from ACE and the HTTP response received from the server
Enhanced Predictors: Least-Loaded Using SNMP
The least-loaded predictor can support up to 8 user-defined SNMP Object IDs
The least-loaded algorithm automatically calculates the least loaded server from the SNMP responses received from the servers
The number of active connections on the server is also factored into the least-loaded algorithm
Users can define static weights for each Object ID, giving fine-grained control over the load balancing of new connections based on real-time performance data
The least-loaded predictor provides the most accurate method for calculating the server's load
Enhanced Application Algorithms: Least-Loaded Using SNMP
ACE utilizes SNMP-based probes to obtain CPU, memory and drive statistics from the servers
ACE queries each server for the following three SNMP Object IDs: CPU utilization, memory resources, disk drive availability
Query results from the three servers in the example:
  Server 1: CPU utilization = 14%, memory resources = 947300k free, disk drive availability = 440 GB free
  Server 2: CPU utilization = 24%, memory resources = 885300k free, disk drive availability = 307 GB free
  Server 3: CPU utilization = 34%, memory resources = 785300k free, disk drive availability = 202 GB free
Only an SNMP agent is required on the server; no additional software
Enhanced Application Algorithms: New Feature, Least-Bandwidth
The load balancer introduces the least-bandwidth predictor, which selects the server that processed the least amount of network traffic over a specified sampling period
The ACE measures traffic statistics between itself and the real servers in the server farm in both directions and calculates the bandwidth over the sampling period
Then it creates an ordered list of real servers based on the sampling results and selects the server that used the least amount of bandwidth during the sampling period
The least-bandwidth predictor is best suited for heavy traffic use
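The three enhanced predictors (adaptive response, least-loaded using SNMP, and least-bandwidth) share one shape: sample a metric per server, rank, pick the smallest. The following is an added example written for this page, not Cisco's code. Least-loaded is worked with the CPU, memory and disk values from the slide plus the active connection count; the scoring formula, the static weights, the normalisation ceilings and the server names are assumptions, since the ACE's exact arithmetic is not on the slides. The SampledMetric class covers "predictor response ... samples 8" and "predictor least-bandwidth assess-time" from the configuration slides later on.

```python
"""Sampled-metric predictors (added example; not Cisco/ACE code)."""
from collections import deque
from statistics import mean


class SampledMetric:
    """Keep the last `samples` measurements per server and pick the lowest
    average: response time for the 'response' predictor, bytes per
    assess-time for 'least-bandwidth'."""
    def __init__(self, names, samples=8):
        self.history = {n: deque(maxlen=samples) for n in names}

    def record(self, name, value):
        self.history[name].append(value)

    def average(self, name):
        h = self.history[name]
        return mean(h) if h else 0.0          # no data yet: treat as unloaded

    def select(self):
        return min(self.history, key=self.average)


# Constructed server names; the values are the ones shown on the slide.
SLIDE_RESULTS = {
    "server-1": {"cpu_pct": 14, "mem_kb_free": 947300, "disk_gb_free": 440},
    "server-2": {"cpu_pct": 24, "mem_kb_free": 885300, "disk_gb_free": 307},
    "server-3": {"cpu_pct": 34, "mem_kb_free": 785300, "disk_gb_free": 202},
}
# Static weight per OID (assumed): CPU matters most, disk least.
WEIGHTS = {"cpu_pct": 4, "mem_kb_free": 2, "disk_gb_free": 1}
# Assumed ceilings used to normalise each value to the 0..1 range.
MAX_VALUES = {"cpu_pct": 100, "mem_kb_free": 1048576, "disk_gb_free": 500, "active_conns": 1000}


def least_loaded_score(result, weights=WEIGHTS, max_values=MAX_VALUES,
                       active_conns=0, conn_weight=1):
    """One SNMP query result -> load score (lower is better). 'free' OIDs
    are turned into 'used' so that every term grows with load."""
    score = 0.0
    for oid, value in result.items():
        used = max_values[oid] - value if oid.endswith("_free") else value
        score += weights[oid] * used / max_values[oid]
    return score + conn_weight * active_conns / max_values["active_conns"]


def least_loaded(results=SLIDE_RESULTS, conns=None, **kw):
    """Return (chosen server, scores) for a set of query results."""
    conns = conns or {}
    scores = {n: least_loaded_score(r, active_conns=conns.get(n, 0), **kw)
              for n, r in results.items()}
    return min(scores, key=scores.get), scores
```

On the slide's numbers server 1 is least loaded; give it 900 active connections and server 2 wins, which is the point of folding the connection count into the SNMP-based score.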
Scale Your Application: Session Persistence
Session: logical aggregation of multiple simultaneous or subsequent connections
Sessions are limited in time (timeout)
Servers keep session state
The content switch, by distributing load across multiple servers, introduces the problem
Stickiness: the content switch needs to send connections from the same client to the same server
Even with a backend database holding the session information, stickiness is very useful since it significantly improves performance
Scale Your Application: Session Persistence Methods
How to Uniquely Identify a Client…

Source IP
  How does it work: client = its source IP
  Variation: full IP, masked IP
  Info stored on: LB
  Good for: simplicity
  Caveats: proxies
Cookie
  How does it work: client = a cookie value
  Variation: static, dynamic, insert
  Info stored on: LB
  Good for: flexibility
  Caveats: HTTP only, clear text
SSL ID
  How does it work: client = SSL session ID
  Variation: full SSID, offset
  Info stored on: LB
  Good for: no cookie support
  Caveats: SSL v3, renegotiation
HTTP Redirect
  How does it work: LB redirects to a specific (virtual) server
  Info stored on: client
  Good for: no state on LB
  Caveats: HTTP only, absolute URLs, bookmarks
RDP
  How does it work: SD (Session Directory); routing token = server IP + port
  Info stored on: LB
  Good for: recovering disconnected WTS sessions
  Caveats: no token, needs to fall back to source IP
SIP
  How does it work: client = session Call-ID
  Info stored on: LB
  Good for: SIP-specific stickiness
GPP
  How does it work: regex matches on TCP and UDP data
  Variation: custom
  Info stored on: LB
  Good for: flexible for custom applications
  Caveats: specific to application
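Two rows of the table above, source IP with a netmask and an inserted cookie, as an added example written for this page rather than Cisco's code. It is the same mechanism the "sticky ip-netmask 255.255.255.0 address source" configuration later in the deck relies on: a key derived from the client maps to the server the predictor chose first, until the entry times out. The idle timeout, the fallback from a missing cookie to the source IP, the random cookie value and the round-robin stand-in predictor are assumptions of this example, not ACE internals.

```python
"""Sticky (persistence) table (added example; not Cisco/ACE code)."""
import ipaddress
import itertools
import secrets
import time


def round_robin(names):
    """Stand-in predictor used when a client has no sticky entry yet."""
    cycle = itertools.cycle(names)
    return lambda: next(cycle)


class StickyGroup:
    def __init__(self, predictor, timeout_s=1440 * 60, clock=time.monotonic):
        self.predictor, self.timeout_s, self.clock = predictor, timeout_s, clock
        self.table = {}   # sticky key -> (server, last seen)

    def _assign(self, key):
        """Return (server, hit): the stored server if the entry is alive, else a
        fresh predictor choice. The timeout is idle-based: a hit refreshes it."""
        now = self.clock()
        entry = self.table.get(key)
        if entry and now - entry[1] <= self.timeout_s:
            self.table[key] = (entry[0], now)
            return entry[0], True
        server = self.predictor()
        self.table[key] = (server, now)
        return server, False

    def by_source_ip(self, client_ip, mask="255.255.255.255"):
        """Masked source IP: every client in the same block shares one entry,
        which is what keeps users behind one proxy together (the table's caveat)."""
        net = ipaddress.ip_network(f"{client_ip}/{mask}", strict=False)
        return self._assign(("src", str(net.network_address)))

    def by_cookie(self, cookie_header, name, client_ip, mask="255.255.255.255"):
        """Cookie insert: returns (server, cookie_value_to_set). A known cookie
        value selects its server; otherwise fall back to the source IP and mint
        a random value for the client to present next time. The value is random
        rather than the server address, so the clear-text cookie leaks no
        backend detail."""
        cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
        if name in cookies and ("cookie", cookies[name]) in self.table:
            server, _ = self._assign(("cookie", cookies[name]))
            return server, None
        server, _ = self.by_source_ip(client_ip, mask)
        token = secrets.token_hex(8)
        self.table[("cookie", token)] = (server, self.clock())
        return server, token
```

Clients 198.51.100.10 and 198.51.100.99 share a /24 entry, 198.51.101.5 gets its own; after the timeout the first block is re-assigned by the predictor, and an unknown cookie value is never trusted to pick a server directly.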
Design Configuration
Design Configuration: ACE Service Virtualization
One physical device is divided into an Admin context and user contexts (Context 1, Context 2, Context 3 in the figure)
Each context has its own definition, resource allocation and AAA
The contexts are managed from the ANM management station
Design Configuration: ACE Virtualization
Provides a means to partition one physical unit into independently managed logical engines
Provisions resources per logical device; almost every feature subsystem is virtualized, including the Linux kernel
Logical devices are called virtual contexts, each with independent resource allocation and policies
A default context called the 'Admin' context is available initially; customers who do not wish to use virtualization can perform all operations from within the 'Admin' context
ACE Module: 250 contexts + Admin context supported
ACE Appliance: 20 contexts + Admin context supported
Design Configuration: ACE Resource Management
By default, every context is a member of the 'default' resource-class, with unlimited access to system resources
Resources can be guaranteed in three ways:
  No guaranteed resources, but access to any available resource
  X% of resources guaranteed, with no access to other additional resources
  X% of resources guaranteed, and access to any available resource
The minimum limit is specified as a percentage (e.g. 5.00%)
The maximum limit can equal the minimum value or be unlimited
Only one resource-class can be applied per context
A maximum of 100 resource-classes can be configured
Sticky resources require a minimum of 1% per context; the default resource-class provides none, so associate every context that uses stickiness with a non-default resource-class
Design Configuration: Router Mode
The preferred configuration for appliances
By default the load balancer acts as a router
The servers' default gateway is the load balancer (the content switch IP)
The VIP addresses can reside on the client side or the server side
If you do not want to change the IP addresses of the servers, put the VIP on the server side and create a /30 network to the firewall
Design Configuration: Bridge Mode
This is preferred for integrated load balancers like the ACE modules
The load balancer acts as a bump in the wire; the same subnet exists on both sides of it
The servers' default gateway will be the upstream router or firewall
If packets are sent to the physical IP address of the load balancer, it will try to route the packet by default
Servers' default gateway: the upstream router's or firewall's IP address, not ACE's address
How Are Customers Using Virtualization? Security and Bridge Mode
Figure: an Admin partition alongside partitions A, B and C, each bridging its own pair of VLANs
"Bridge mode on the CSM was great, but ACE takes the same approach to a whole new level with virtualization"
"The security team continues to fully manage the FWSM and is comfortable with the bridge mode approach. In parallel, we have turned on some extra HTTP security features on ACE"
Each pair of bridged VLANs has its own configuration, independent management, and enhanced security
Design Considerations: One-Arm Mode Overview
L2 rewrite not possible
Content switch not inline; does not see unnecessary traffic
Requires PBR, the servers' default gateway pointing to the load balancer, or client source NAT
The return traffic is needed!
ACE can insert the user's original IP address as a client header:
  policy-map type loadbalance first-match OAM
    class L7Policy
      insert-http x-forwarded-for header-value "%is"
Servers' default gateway: upstream router
PBR—Policy Based Routing, NAT—Network Address Translation
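When client source NAT is used, the servers see the load balancer's address as the TCP peer and learn the real client only from the X-Forwarded-For header the ACE inserts. The following is an added example written for this page, not Cisco's code: it shows how a backend application should consume that header, honouring it only when the TCP peer really is the load balancer, since on a direct connection the header is just client-supplied input. The load balancer subnet is a constructed placeholder.

```python
"""Backend handling of X-Forwarded-For (added example; not Cisco/ACE code)."""
import ipaddress

# Constructed placeholder: the subnet the ACE's server-side interface uses.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.0/30")]


def client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the address to use for logging, rate limiting or ACL decisions.
    Walk the X-Forwarded-For chain from the right, skipping trusted proxies;
    the first untrusted hop is the client. Any malformed value falls back
    to the TCP peer, which is the only address the server can verify."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return str(peer)                      # direct connection: header is untrusted input
    chain = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)                  # garbage in the header: do not guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer)
```

The header value is only believed when it arrived through the ACE (peer inside TRUSTED_PROXIES); a request that reaches the server directly with a forged header is attributed to its real peer address.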
Design Considerations: One-Arm Mode Without PBR, Client NAT, or the Servers' Gateway Being Set to the Load Balancer
Packet 1 (client to VIP): dst MAC = LB MAC, src MAC = router MAC; dst IP = VIP, src IP = client IP; dst port = VIP port, src port = random port
Packet 2 (load balancer to selected server): dst MAC = selected server MAC, src MAC = CS MAC; dst IP = selected server IP, src IP = client IP; dst port = VIP port, src port = random port
Packet 3 (server reply): dst MAC = CS MAC, src MAC = server MAC; dst IP = client IP, src IP = selected server IP; dst port = random port, src port = VIP port
Result: RST. Without the return traffic flowing back through the load balancer, the client sees the reply come from the selected server's IP rather than the VIP it connected to, and resets the connection
L2 One-Arm Mode: Return Traffic Bypassing ACE
Bypass for return traffic: high throughput!
Requires MAC rewrite and L2 adjacency
Servers need identical loopback addresses (one per VIP)
TCP termination not possible: no L7 features!
Load balancer is blind to return traffic (inband, accounting)
Servers' default gateway: upstream router
Redundancy Model
Redundancy groups (fault tolerance, FT groups) are configured based on virtual contexts
Two instances of the same context (on two distinct ACE modules) form a redundancy group, one being active and the other standby
The peer ACE can be in the same or a different Cisco Catalyst® 6k chassis
Both ACE modules can be active at the same time, processing traffic for distinct contexts and backing up each other (stateful redundancy)
Example: two ACE modules (ACE-1 and ACE-2, connected by an FT VLAN), four FT groups, four virtual contexts (A, B, C, D)
  FT group 1: A active, A' standby
  FT group 2: B active, B' standby
  FT group 3: C active, C' standby
  FT group 4: D active, D' standby
Policy ConfigurationExamples
Policy Lookup Order
There can be many features applied on a given interface, so feature lookup ordering is important
The feature lookup order followed by the datapath in ACE is as follows:
1. Access control (permit or deny a packet)
2. Management traffic
3. TCP normalization/connection parameters
4. Server load balancing
5. Fix-ups/application inspection
6. Source NAT
7. Destination NAT
The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface
Application Networking Manager 1.2
ANM 1.2 provides turnkey control and administration for ACE modules and ACE appliances
ANM 1.2 provides multi-device application management of large-scale data center operations
ANM 1.2: Configure Basic Server Load Balancing
Easy-to-use server load balancing configuration: configure the virtual server (VIP), then configure the load balancing actions
ANM 1.2: Configure Basic Server Load Balancing (continued)
Intuitive GUI design prompts the user to configure VIP details as necessary; advanced options appear as the user drills down
Workflow: add real servers, create health monitoring probes, create the server farm
Policy CLI Overview
1. Define match criteria
2. Associate actions to match criteria
3. Activate the classification-action rules on either an interface or "globally"
  class-map C1
    match <criteria>
  policy-map P1
    class C1
      <action>
  interface vlanX
    service-policy input P1
Modular Policy CLI: Class Maps
The class-map command is used to define a traffic class. The purpose of a traffic class is to classify traffic
A traffic class contains three major elements: a name, a series of match commands, and, if more than one match command exists in the traffic class, an instruction on how to evaluate these match commands
  class-map type management match-any REMOTE-ACCESS
    description REMOTE-ACCESS-TRAFFIC-MATCH
    2 match protocol telnet any
    3 match protocol ssh any
    4 match protocol icmp any
    5 match protocol http any
    6 match protocol https any
Modular Policy CLI: Class-Maps
A class-map can associate an existing class-map of the same type using the match class statement
Supported only for L7 class-maps; limitation of only two levels of association
Used to achieve complex logical expressions; easy combination of and/or statements
  class-map match-all WEB-CM
    2 match virtual-address 172.16.73.10 tcp eq www
  !
  class-map type http loadbalance match-any IMAGE-CM
    2 match http url .*gif
    3 match http url .*jpg
    4 match http url .*jpeg
Modular Policy CLI: Policy-Maps
The policy-map command is used to define the actions to be performed on the traffic. Policy-maps can be based on L3/4/7 information. Traffic that does not match a specified classification in a policy-map is then matched against the class-default policy
first-match: the class-action pairs within the policy-map are looked up sequentially and the actions listed against the first matching class-map in the policy-map are executed. The order of class-maps within the policy-map matters. E.g. policy-maps of type 'loadbalance', 'management' and 'ftp'
all-match: an attempt is made to match traffic against all classes in the policy-map and the actions of all matching classes are executed. E.g. policy-map of type inspect http
multi-match: specifies that the policy-map supports multiple feature actions, and each feature by itself can have only one match (first match). The policy as a whole has multiple matches due to multiple features
  policy-map type management first-match REMOTE-MGMT
    class REMOTE-ACCESS
      permit
Modular Policy CLI: Policy-Maps (load-balance example)
Traffic that does not match the IMAGE-CM classification falls through to class-default
  policy-map type loadbalance first-match APPLICATION-PM
    class IMAGE-CM
      serverfarm IMAGE-SF
    class class-default
      sticky-serverfarm WEB-SF
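The class-map and policy-map semantics of the last few slides, evaluated in runnable form. This is an added example written for this page, not Cisco's code: class-maps with match-any (OR) and match-all (AND) semantics and nested "match class" references, and policy-maps in first-match and all-match modes. IMAGE-CM, WEB-CM and APPLICATION-PM follow the slides; the corporate-client class, the all-match inspect policy, the request fields, the interpretation of "two levels of association" and the whole-URL regex anchoring are assumptions of this example.

```python
"""Modular policy evaluation (added example; not Cisco/ACE code)."""
import ipaddress
import re
from dataclasses import dataclass, field

MAX_NESTING = 2   # slide: only two levels of class-map association (interpreted as A -> B -> C)


@dataclass
class ClassMap:
    name: str
    match_any: bool = False                       # False = match-all
    matches: list = field(default_factory=list)   # predicates over a request dict
    nested: list = field(default_factory=list)    # 'match class <ClassMap>'

    def test(self, req, depth=0):
        if depth > MAX_NESTING:
            raise ValueError(f"{self.name}: class-map nesting exceeds two levels")
        results = [m(req) for m in self.matches]
        results += [c.test(req, depth + 1) for c in self.nested]
        # match-all with no criteria matches everything: that is class-default
        return any(results) if self.match_any else all(results)


def match_http_url(pattern):
    """'match http url <regex>'; treated here as matching the whole URL (assumption)."""
    rx = re.compile(pattern)
    return lambda req: rx.fullmatch(req.get("url", "")) is not None


def match_virtual_address(ip, port):
    return lambda req: req["dst_ip"] == ip and req["dst_port"] == port


def match_source(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["src_ip"]) in net


class PolicyMap:
    """first-match: run the first matching class's action only.
    all-match: run the actions of every matching class (e.g. inspect http)."""
    def __init__(self, name, mode, rules):
        self.name, self.mode, self.rules = name, mode, rules   # rules: [(ClassMap, action)]

    def apply(self, req):
        actions = []
        for cmap, action in self.rules:
            if cmap.test(req):
                actions.append(action)
                if self.mode == "first-match":
                    break
        return actions


# Definitions taken from the slides.
IMAGE_CM = ClassMap("IMAGE-CM", match_any=True,
                    matches=[match_http_url(".*gif"), match_http_url(".*jpg"), match_http_url(".*jpeg")])
CLASS_DEFAULT = ClassMap("class-default")
APPLICATION_PM = PolicyMap("APPLICATION-PM", "first-match",
                           [(IMAGE_CM, "serverfarm IMAGE-SF"), (CLASS_DEFAULT, "sticky-serverfarm WEB-SF")])
WEB_CM = ClassMap("WEB-CM", matches=[match_virtual_address("172.16.73.10", 80)])

# Assumed additions: a nested class and an all-match inspect policy.
CORP_IMAGE_CM = ClassMap("CORP-IMAGE-CM", nested=[IMAGE_CM], matches=[match_source("192.0.0.0/8")])
INSPECT_PM = PolicyMap("INSPECT-PM", "all-match",
                       [(IMAGE_CM, "log image request"), (CORP_IMAGE_CM, "log corporate image request")])


def route(req):
    """The multi-match L4 policy: only traffic to the VIP is load balanced, and
    that traffic is handed to the L7 policy-map. Returns the action or None."""
    if not WEB_CM.test(req):
        return None
    return APPLICATION_PM.apply(req)[0]
```

A request for /img/logo.gif to the VIP lands on IMAGE-SF, /gifs/index.html falls through to class-default (the whole-URL match does not fire on "gifs" in the path), and the same request to a different address is not load balanced at all.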
Modular Policy CLI: Activating Policy
Policies are activated on an interface or globally using the 'service-policy' command
The policy-map can be enabled in the 'input' or 'output' direction, or both
Policy-maps applied globally in a context are internally applied on all interfaces existing in the context
  service-policy input <policy-name>
Basic Layer 4 Load Balancing
Health checking: generic TCP or scripted keepalive
Balancing requests: round robin or least connections
Persistence: required, based on source IP with or without a sticky mask
Service failure handling: fail action to purge or default
Basic Layer 4 Load Balancing: Management and Device Access
  rserver host SERVER1
    ip address 192.168.1.1
    inservice
  rserver host SERVER2
    ip address 192.168.1.2
    inservice
  !
  access-list EVERYONE line 10 extended permit ip any any
  !
  class-map type management match-any REMOTE-ACCESS
    description REMOTE-ACCESS-traffic-match
    2 match protocol ssh any
    3 match protocol icmp any
    4 match protocol https any
    5 match protocol snmp any
  !
  policy-map type management first-match REMOTE-MGMT
    class REMOTE-ACCESS
      permit
  !
  interface vlan 2
    ip address 172.16.1.1 255.255.255.0
    access-group input EVERYONE
    service-policy input REMOTE-MGMT
    no shutdown
The management class-map defines the management traffic; you need an ACL applied to the interface as well
Basic Layer 4 Load Balancing
  serverfarm TELNET-SF
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice
  !
  class-map match-all TELNET-CM
    2 match virtual-address 172.16.1.73 tcp eq 23
  !
  policy-map type loadbalance first-match TELNET-PM
    class class-default
      serverfarm TELNET-SF
  !
  policy-map multi-match LOADBALANCE
    class TELNET-CM
      loadbalance vip inservice
      loadbalance policy TELNET-PM
  !
  interface vlan 2
    ip address 172.16.1.1 255.255.255.0
    access-group input EVERYONE
    service-policy input REMOTE-MGMT
    service-policy input LOADBALANCE
    no shutdown
Probe Configuration Options
  probe icmp PING-PROBE
    interval 5
    passdetect interval 5
    passdetect count 3
  probe tcp TCP-PROBE
    interval 10
    passdetect interval 10
    passdetect count 3
  probe telnet TELNET-PROBE
    interval 20
    passdetect interval 10
    passdetect count 3
  !
  serverfarm TELNET-SF
    probe PING-PROBE
    probe TCP-PROBE
    probe TELNET-PROBE
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice
  !
Common show commands:
  show serverfarm TELNET-SF
  show probe
  show probe TELNET-PROBE detail
ANM Probe Configuration
Probe Configuration Options
  ACE-1/routed(config-sfarm-host-rs)# do show serverfarm TELNET-SF
   serverfarm     : TELNET-SF, type: HOST
   total rservers : 3
   -------------------------------------------connections-----------
          real                  weight state        current    total    failures
      ---+---------------------+------+------------+----------+----------+---------
      rserver: TEST
          192.168.1.222:0       8      ARP_FAILED   0          0          0
      rserver: SERVER1
          192.168.1.1:0         8      PROBE-FAILED 0          0          0
      rserver: SERVER2
          192.168.1.2:0         8      PASSED       0          0          0
Probe Configuration Options
  ACE-1/routed# show probe TELNET-PROBE

  probe       : TELNET-PROBE
  type        : TELNET
  state       : ACTIVE
  ----------------------------------------------
     port      : 23      address     : 0.0.0.0         addr type  : -
     interval  : 20      pass intvl  : 10              pass count : 3
     fail count: 3       recv timeout: 10

                         --------------------- probe results --------------------
     probe association   probed-address  probes     failed     passed     health
     ------------------- ---------------+----------+----------+----------+-------
     serverfarm  : TELNET-SF
       real      : SERVER1[0]
                         192.168.1.1     6          0          6          PASSED
       real      : SERVER2[0]
                         192.168.1.2     5          0          5          PASSED
Basic Layer 4 Load Balancing
  probe tcp TCP-PROBE
    port 23
    interval 5
    passdetect interval 3
  !
  serverfarm TELNET-SF
    probe TCP-PROBE
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice
  !
  class-map match-all TELNET-CM
    2 match virtual-address 172.16.1.73 tcp eq 23
  !
  policy-map type loadbalance first-match TELNET-PM
    class class-default
      serverfarm TELNET-SF
  !
  policy-map multi-match LOADBALANCE
    class TELNET-CM
      loadbalance vip inservice
      loadbalance policy TELNET-PM
  !
  interface vlan 2
    ip address 172.16.1.1 255.255.255.0
    access-group input EVERYONE
    service-policy input REMOTE-MGMT
    service-policy input LOADBALANCE
    no shutdown
Predictors Configuration Options
  ACE-1/routed(config-sfarm-host)# predictor ?
    hash             Configure 'hash' Predictor algorithms
    least-bandwidth  Configure 'least bandwidth' Predictor algorithm
    least-loaded     Configure 'least loaded' predictor algorithm
    leastconns       Configure 'least conns' Predictor algorithm
    response         Configure 'response' Predictor algorithm
    roundrobin       Configure 'round robin' Predictor algor (default)
Configuration options:
  predictor roundrobin
  predictor leastconns slowstart 200
  predictor response syn-to-synack samples 8
  predictor response syn-to-close
  predictor least-bandwidth assess-time 2
  ACE-1/routed(config-sfarm-host-predictor)# do show serverfarm detail
   serverfarm     : TELNET-SF, type: HOST
   total rservers : 3
   active rservers: 2
   description    : -
   state          : ACTIVE
   predictor      : RESPONSE
   method         : syn-to-synack
   samples        : 8
ANM Predictor Configuration
Basic Layer 4 Load Balancing: Predictors

serverfarm TELNET-SF
  predictor response syn-to-synack samples 8
  probe TCP-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
class-map match-all TELNET-CM
  2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm STICKY
!
policy-map multi-match L4
  class TELNET-CM
    loadbalance vip inservice
    loadbalance policy TELNET-PM
!
Persistence Configuration Options

sticky ip-netmask 255.255.255.0 address source T-STICKY
  serverfarm TELNET-SF
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm T-STICKY
ANM Persistence Configuration
Basic Layer 4 Load Balancing: Sticky

serverfarm TELNET-SF
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  probe TCP
!
sticky ip-netmask 255.255.240.0 address source T-STICKY
  serverfarm TELNET-SF
!
class-map match-all TELNET-CM
  2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm T-STICKY
!
policy-map multi-match L4
  class TELNET-CM
    loadbalance vip inservice
    loadbalance policy TELNET-PM
!
Basic Web Load Balancing

  Health checking:           generic TCP or scripted keepalive
  Balancing requests:        round robin or least connections
  Persistence:               required, based on source IP with or without sticky mask
  Service failure handling:  fail action to purge or default
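The design choices in that table, worked through in code: source-IP stickiness under a sticky mask (the ip-netmask sticky groups configured above), a least-connections predictor for the first request of each sticky key, and a purge-on-failure path. This is an added example, not ACE code; the class, the server names and the client addresses are constructed.

```python
"""Source-IP stickiness with a sticky mask, a least-connections predictor and a
purge-on-failure path. Added example, not ACE code: the class, the server names
and the client addresses are constructed to mirror the slide's design choices."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rserver:
    name: str
    inservice: bool = True
    conns: int = 0          # active connections, what leastconns compares


class StickyFarm:
    def __init__(self, rservers: List[Rserver], sticky_mask: str = "255.255.255.255"):
        self.rservers = {r.name: r for r in rservers}
        self.mask = int(ipaddress.IPv4Address(sticky_mask))
        self.sticky: Dict[str, str] = {}     # masked client address -> rserver name

    def sticky_key(self, client_ip: str) -> str:
        # A mask such as 255.255.240.0 makes a whole /20 of clients share one
        # entry: fewer table entries, but everything behind that /20 (a large
        # NAT pool, say) lands on the same real.
        masked = int(ipaddress.IPv4Address(client_ip)) & self.mask
        return str(ipaddress.IPv4Address(masked))

    def _leastconns(self) -> Optional[Rserver]:
        live = [r for r in self.rservers.values() if r.inservice]
        return min(live, key=lambda r: r.conns) if live else None

    def select(self, client_ip: str) -> Optional[str]:
        """Return the real to use for a new connection from client_ip."""
        key = self.sticky_key(client_ip)
        rs = self.rservers.get(self.sticky.get(key, ""))
        if rs is None or not rs.inservice:        # no entry, or entry points at a dead real
            rs = self._leastconns()
            if rs is None:
                return None                        # every real down: nothing to balance to
            self.sticky[key] = rs.name
        rs.conns += 1
        return rs.name

    def fail(self, name: str, purge: bool) -> int:
        """Take a real out of service. With purge, drop its connections and the
        sticky entries pointing at it (the 'failaction purge' idea); otherwise
        existing connections are left to age out. Returns the purged count."""
        rs = self.rservers[name]
        rs.inservice = False
        if not purge:
            return 0
        dropped, rs.conns = rs.conns, 0
        self.sticky = {k: v for k, v in self.sticky.items() if v != name}
        return dropped
```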
Probe Configuration Options

probe http HTTP-PROBE
  interval 5
  passdetect interval 3
  request method get url /index.html
  expect status 200 200
!
probe https HTTPs-PROBE
  interval 5
  faildetect 2
  passdetect interval 3
  request method get url /secure/index.html
  expect status 200 202
  ssl cipher RSA_WITH_RC4_128_MD5
Basic Web Load Balancing: Probes

probe http HTTP-PROBE
  interval 5
  passdetect interval 3
  request method get url /index.html
  expect status 200 499
!
probe https HTTPS-PROBE
  interval 5
  faildetect 2
  passdetect interval 3
  request method get url /secure/index.ht
  expect status 200 200
  ssl cipher RSA_WITH_RC4_128_MD5
!
serverfarm HTTPS-SF
  probe HTTPS-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
serverfarm HTTP-SF
  probe HTTP-PROBE
  predictor leastconns slowstart 100
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice

Slide callouts: "What Should I Look For?" (the expect status range) and "You Can Check Specific Ciphers" (the ssl cipher line)
Basic Web Load Balancing

class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    serverfarm HTTP-SF
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm HTTPS-SF
!
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply active
!

loadbalance vip icmp-reply [active]: configures the VIP to reply to ICMP ECHO. The active option instructs the ACE to reply to an ICMP request only if the configured VIP is active.
Persistence Configuration Options

sticky http-cookie ILIKECOOKIES STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF backup SORRY-SF
!
sticky ip-netmask 255.255.240.0 address source STICKY1
  serverfarm HTTPS-SF backup SORRY-SF
!
Basic Web Load Balancing: Sticky Options

sticky http-cookie ILIKECOOKIES STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF
!
sticky ip-netmask 255.255.240.0 address source STICKY1
  serverfarm HTTPS-SF
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    sticky-serverfarm STICKY
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKY1
!
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL-PM
Web Load Balancing: BIG HEADER ISSUE… Where's the Cookie?

parameter-map type http INSENSITIVE
  case-insensitive
  persistence-rebalance
  set header-maxparse-len 8192
….
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
    appl-parameter http advanced-options INSENSITIVE
URL Parsing

parameter-map type http INSENSITIVE
  case-insensitive
  persistence-rebalance
  set header-maxparse-len 8192
class-map type http loadbalance match-any URL-MATCHING
  2 match http url .*
class-map type http loadbalance match-any URL-IMAGE
  2 match http url /image/.*
class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
serverfarm IMAGE-SF
  probe IMAGE-PROBE
  rserver IMAGE1
    inservice
  rserver IMAGE2
    inservice
serverfarm WEB-SF
  probe WEB-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
sticky http-cookie IMAGE-COOKIES IMAGECOOKIE
  cookie insert browser-expire
  serverfarm IMAGE-SF backup WEB-SF
sticky http-cookie WEB-COOKIES WEBCOOKIE
  cookie insert browser-expire
  serverfarm WEB-SF
!
policy-map type loadbalance first-match HTTP-PM
  class URL-IMAGE
    sticky-serverfarm IMAGE-COOKIE
  class URL-MATCHING
    sticky-serverfarm WEB-COOKIE
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
    appl-parameter http advanced-options INSENSITIVE
Server-Server Communication Should Use the Same VIP as Clients

[Diagram, two panels: a client at 12.20.234.1 reaches VIP 172.16.1.100; the servers .16 and .183 on 172.16.1.0 reach the same VIP 172.16.1.100, with their traffic source-NATed to 172.16.1.101]
Clients-to-VIP Load Balanced Flows: No SRC-NAT

switch/orange# sh conn
total current connections : 4
conn-id    np dir proto VLAN source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
96         1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
97         1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB

(conn 96: client to VIP; conn 97: server to client)

interface VLAN 107
  description "Client-side Interface"
  bridge-group 1
  access-group input anyone
  service-policy input CLIENT
interface VLAN 207
  description "Server-side Interface"
  bridge-group 1
  access-group input anyone

class-map match-all BASIC-CM
  2 match virtual-address 172.16.1.100 any
policy-map multi-match CLIENT
  class TCP-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM

[Diagram: client 12.20.234.1 to VIP 172.16.1.100; servers .16 and .183 on 172.16.1.0]
Server-to-Server Load Balanced Flows: Same ACE Interface

switch/orange# sh conn
total current connections : 4
conn-id    np dir proto VLAN source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
96         1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
97         1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB

(conn 96: client to VIP; conn 97: server to source NAT IP)

interface VLAN 107
  description "Client-side Interface"
  bridge-group 1
  access-group input anyone
  service-policy input CLIENT
interface VLAN 207
  description "Server-side Interface"
  bridge-group 1
  access-group input anyone
  nat-pool 123 12.20.234.101 12.20.234.101 netmask 255.255.255.255 pat
  service-policy input SERVER

class-map match-all BASIC-CM
  2 match virtual-address 12.20.234.100 any
policy-map multi-match CLIENT
  class TCP-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
policy-map multi-match SERVER
  class BASIC-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
    nat dynamic 123 VLAN 207

[Diagram: client 12.20.234.1 to VIP 172.16.1.100; the servers .16 and .183 on 172.16.1.0 reach the VIP through the same ACE interface, source-NATed to sNAT 172.16.1.101]
Security Features
Security Features: Isn't the Firewall Enough?

  Enterprises are making more and more application services available via the web
  Deploying a web application means inviting potentially malicious HTTP requests
  Web application code becomes part of the network security perimeter
  Who is responsible for patching customer web applications?

[Diagram: Web Client -> Firewall (port 80 and 443 open, unfiltered web traffic passes) -> Web Server -> Application -> Application Database Server]

Existing Network Firewalls Alone Cannot Adequately Inspect Protocols and Application Data
Security Features in ACE

TCP/IP normalization
  Built-in transport protocol security
  User configurable, to meet security requirements

Application protocol inspection
  Advanced HTTP inspection
  RFC compliance
  MIME type validation
  Prevent tunneling protocols over HTTP ports
Security Features: IP/UDP/ICMP Exploits Blocked by ACE

IP checks performed by ACE:
  Automatic anti-spoofing (source IP = dest IP); unicast RPF check
    src IP == dest IP, src IP or dest IP == 127.x.x.x
    dest IP >= 240.0.0.0, src IP == 0.x.x.x, src IP >= 224.0.0.0
  Header length check (min and max lengths, L3 < L2)
  IP options control
  Drop illicit IP addresses (source IP = class D or broadcast or loopback)
  Overlapping fragments dropped, control over max number of fragments
  ARP inspection in transparent mode

ICMP checks performed by default:
  Requests and responses matching
  Prevents injection of unsolicited ICMP errors
  Countermeasures specified in draft-gont-tcpm-icmp-attacks.txt

Blocked attacks: Timestamp/Route Record/Source Routing/Fragment DoS attacks, IP spoofing, Ping of Death, ICMP flood, Smurf, ARP attacks
Security Features: Hardware-Based TCP Normalization

TCP standard header checks, TCP option processing, TCP state tracking, TCP window checking, random sequence numbers (user configurable)

Always performed:
  I.   src port and dest port != 0
  II.  Only SYN packet allowed to create connection
  III. TCP header >= 20 bytes
  IV.  TCP header <= ip->length - ip->header_length
  V.   urg flag cleared if urg_pointer is zero
  VI.  If urg flag not present, urg_pointer is cleared
  VII. Illegal flag combinations dropped (SYN|RST etc.)

Configurable:
  I.   reserved bits allow/clear/drop
  II.  urg flag allow/clear/drop
  III. syn-data allow/drop
  IV.  exceed-mss allow/drop
  V.   random-seq-num-disable
Security Features: TCP Exploits Blocked by ACE

TCP checks performed by default:
  Enforces correct usage of TCP flags (can be disabled; flags can be cleared)
  Randomization of sequence numbers (cloaks OS type, makes fingerprinting recon attacks unreliable, prevents man-in-the-middle session hijacking)
  Enforces correct header length
  Prevents out-of-state packets
  Prevents packets that do not belong to existing connections
  Possibility to define maximum number of conns per second
  Matches TCP length with IP header's + data
  Blocks illicit ports (port = zero)
  Enforces min and max MSS

Example of blocked attacks: Tear Drop, Session Hijacking, Jolt, Bloop, Targa, Bonk, Boink, Fraggle, Xmas Scan, Null Scan, etc.
Security Features: Denial-of-Service Protection, SYN Cookie

ACE Can Guard Against SYN Floods by Implementing a Key Feature Called SYN Cookie. SYN Cookie Provides a Mechanism to Authenticate TCP SYN Packets

  Completely stateless, and no ACE memory entries are utilized
  SYN ACK replies carry a cookie in the Sequence field of the TCP header
  The cookie is generated out of a 24-bit random number and the MSS, encapsulated
  If the ACK does not contain the correct cookie, ACE drops the packet
  SYN cookie is enabled per interface on ACE

Exchange (client to ACE):
  SYN
  SYN ACK (SEQ = cookie)
  ACK = cookie + 1
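The three-packet exchange above, worked through so the stateless property is concrete: nothing is stored between the SYN/ACK and the ACK, and the ACK is accepted only if cookie + 1 comes back and the cookie can be recomputed. Added example, not ACE code; the cookie layout (8-bit MSS index above a 24-bit keyed tag), the MSS table, the time slot and the secret are my constructions, and the keyed hash stands in for the slide's 24-bit random number so the value can be regenerated without state.

```python
"""SYN cookie exchange as described on the slide: the SYN/ACK carries a cookie in
the sequence number, the returning ACK must carry cookie + 1, and nothing is kept
in memory in between. Added example; cookie layout, MSS table and secret are mine."""
import hashlib
import hmac
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"           # per-device secret (constructed)
MSS_TABLE = (536, 1220, 1460, 4460, 8960)     # MSS values encodable in the top 8 bits


def _tag24(src_ip: str, src_port: int, dst_ip: str, dst_port: int, slot: int) -> int:
    """24-bit value bound to the 4-tuple and a coarse time slot. The slide calls this
    a 24-bit random number; deriving it from a keyed hash lets the device recompute it
    from the ACK alone, which is what keeps the scheme stateless (my construction)."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                client_mss: int, slot: int) -> int:
    """Sequence number to place in the SYN/ACK: MSS index in the top 8 bits, tag below."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i            # largest table entry not exceeding what the client offered
    return ((idx << 24) | _tag24(src_ip, src_port, dst_ip, dst_port, slot)) & 0xFFFFFFFF


def check_ack(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
              ack: int, slot: int, max_age: int = 1) -> Optional[int]:
    """Validate the third packet of the handshake. Returns the MSS recovered from the
    cookie on success, or None (drop) when the cookie is wrong, too old, or carries
    an MSS index outside the table."""
    cookie = (ack - 1) & 0xFFFFFFFF           # the client acknowledges cookie + 1
    idx, tag = cookie >> 24, cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    for s in range(slot, slot - max_age - 1, -1):   # current slot plus max_age older ones
        expected = _tag24(src_ip, src_port, dst_ip, dst_port, s)
        if hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


def handshake(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
              client_mss: int, slot: int, tamper: int = 0) -> Tuple[int, Optional[int]]:
    """Walk SYN -> SYN/ACK(seq=cookie) -> ACK(cookie+1+tamper); returns
    (cookie sent, MSS accepted or None). A non-zero tamper models a forged ACK."""
    cookie = make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, slot)
    ack = (cookie + 1 + tamper) & 0xFFFFFFFF
    return cookie, check_ack(src_ip, src_port, dst_ip, dst_port, ack, slot)
```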
Secure Socket Layer (SSL)
SSL: Common Questions, Protocols Over SSL

What protocols are supported?

Any TCP-based protocol is supported by the SSL accelerators, including, but not limited to, the following well-known protocols:

  Port  Service  Secure Port  Secure Service
  80    HTTP     443          HTTPS
  119   NNTP     563          SNEWS
  389   LDAP     636          SSL-LDAP
  143   IMAP     993          SIMAP
  110   POP      995          SPOP3
  25    TELNET   992          TELNETS
SSL Certificate Management

ACE/routed# show crypto files
Filename                 File  File    Expor  Key/
                         Size  Type    table  Cert
-----------------------------------------------------------------------
TestKey                  1675  PEM     Yes    KEY
TestCert                 1135  PEM     Yes    CERT

ACE/routed# crypto import ?
  ftp             Import a key/certificate from an ftp server
  non-exportable  Mark this key/certificate as non-exportable
  sftp            Import a key/certificate from an sftp server
  terminal        Accept a key/certificate from terminal
  tftp            Import a key/certificate from a tftp server

ACE/routed# crypto import terminal certnew.pem      (server certificate)
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIKJ51kxAAAAAAAETANBgkqhkiG9w0BAQUFADBAMRUwEwYK
…
v24KvEoWIIuevUQSsljlP1xOmZq2gW3isYf+5PFu1jltYedt
-----END CERTIFICATE-----
quit

COMMON COMMANDS
  crypto import terminal <file name>
  crypto export <file name>
  crypto verify <key name> <cert name>
  show crypto files
  show crypto key all
  show crypto key <key name>
  show crypto certificate all
  show crypto certificate <cert name>
Configuration

In order to configure SSL, you need to add the following to an L/L4 class map:
  'parameter-map type ssl'
  'ssl-proxy service'
  'policy-map'

The parameter-map is used to define parameters for SSL connections (e.g., SSL version, cipher suites).
The ssl-proxy service is used to define the certificates and keys to be used in SSL connections.
SSL Server Offload: Packet Flow with ACE

serverfarm WEB-PROTOCOLS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
  probe HTTP-GET
!
class-map match-all HTTPs
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY

[Diagram, Client - ACE - Server 1: the client's L3 and TCP flow terminates on the ACE (SYN tcp 443, SYN/ACK, ACK, then the SSL handshake and HTTPS GET index.html with Accept-Encoding: gzip, deflate); the ACE sends a clear-text HTTP GET index.html to Server 1, receives the HTTP 200 OK response for index.html, and returns it to the client as the HTTPS response]
Basic SSL Offload and Load Balancing: SSL Offload

rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
!
probe http HTTP-GET
  interval 5
  port 81
  passdetect interval 3
  request method get url /secure/index.html
  expect status 200 200
!
parameter-map type ssl CLIENT_PARAM
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
ssl-proxy service CLIENT-SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_PARAM
!
class-map match-all HTTPs
  2 match virtual-address 172.16.1.73 tcp eq 443
!
serverfarm WEB-PROTOCOLS
  probe HTTPs-GET
  rserver SERVER1 81
    inservice
  rserver SERVER2 81
    inservice
!
sticky http-cookie ILIKECOOKIES STICKYCOOKIE
  cookie insert
  serverfarm WEB-PROTOCOLS
!
policy-map type loadbalance first-match SSL
  class class-default
    sticky-serverfarm STICKYCOOKIE
policy-map multi-match L4
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT-SSL
Troubleshooting SSL

  WireShark
  Tcpdump
  Telnet on browser ports
  MSIE plug-ins: IE Inspector, HTTP Watch, IE Watch, ieHttpHeaders
  Mozilla extension: Live HTTP Headers
  PHP/Perl LWP
  Wget, curl
  Lynx/Links text-based browsers
Basic SSL Load Balancing: Redirecting Clients to Use SSL

rserver redirect REDIRECT
  webhost-redirection https://%h%p 301
  inservice
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
!
class-map match-all HTTP
  2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SF
!
policy-map multi-match LOADBALANCE
  class HTTP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM

[Diagram: a request for http://www.cisco.com/go/ace is answered with a redirect to https://www.cisco.com/go/ace; %h expands to the host (www.cisco.com) and %p to the path (/go/ace)]
SSL Packet Flow With ACE

parameter-map type ssl PARAM_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
ssl-proxy service SSL-PROXY
  key mykey.pem
  cert mycert.pem
  ssl advanced-options PARAM_SSL
!
serverfarm WEB-PROTOCOLS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
  probe HTTP-GET
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY

Slide callout: crypto verify mykey.pem mycert.pem (confirms the key and certificate match before the ssl-proxy service references them)

[Diagram, Client - ACE - Server 1: the client's L3 and TCP flow terminates on the ACE (SYN tcp 443, SYN/ACK, ACK, then the SSL handshake and HTTPS GET index.html with Accept-Encoding: gzip, deflate); the ACE sends a clear-text HTTP GET index.html to Server 1, receives the HTTP 200 OK response for index.html, and returns it to the client as the HTTPS response]
Basic SSL Load Balancing: Redirecting Clients to Use SSL

rserver redirect REDIRECT
  webhost-redirection https://%h%p
  inservice
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
!
class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    serverfarm REDIRECT-SF
!
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
!

[Diagram: a request for http://www.cisco.com/go/ace is answered with a redirect to https://www.cisco.com/go/ace; %h expands to the host (www.cisco.com) and %p to the path (/go/ace)]
Basic Configuration SSL Offload Example: Putting It All Together

rserver redirect REDIRECT
  webhost-redirection https://%h%p
  inservice
!
parameter-map type ssl CLIENT_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
ssl-proxy service SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_SSL
!
probe http HTTP-GET
  interval 10
  passdetect interval 10
  request method get url /index.html
  expect status 200 202
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
serverfarm HTTP-SF
  probe HTTP-GET
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
class-map match-all SSL-CM
  2 match virtual-address 172.16.20.1 tcp eq 443
class-map match-all HTTP-CM
  2 match virtual-address 172.16.20.1 tcp eq 80
!
sticky http-cookie ILIKECOOKIES SSL-STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF
!
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SF
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm SSL-STICKY
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
  class SSL-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL
!
interface vlan 2
  service-policy input LOADBALANCE
End to End SSL With ACE

ssl-proxy service SERVER_SSL
  key www-client.key
  cert www-client.crt
  ssl advanced-options ssl_ciphers
!
serverfarm WEB-PROTOCOLS
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
  probe HTTPs-GET
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
    ssl-proxy client SERVER_SSL
!
policy-map multi-match L4
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL

New Commands Are in the Boxes

[Diagram, Client - ACE - Server 1: the client-side TCP handshake (SYN tcp 443, SYN/ACK, ACK), SSL handshake and HTTPS GET index.html (Accept-Encoding: gzip, deflate) terminate on the ACE; the ACE then runs its own TCP handshake (SYN tcp 443, SYN/ACK, ACK) and SSL handshake to Server 1, sends the HTTPS GET index.html, receives the HTTPS 200 OK response for index.html, and returns the HTTPS response to the client]
End to End SSL Offload and Load Balancing

rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
!
parameter-map type ssl CLIENT_PARAM
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
parameter-map type ssl SERVER_PARAM
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
!
ssl-proxy service CLIENT-SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_PARAM
!
ssl-proxy service SERVER-SSL
  ssl advanced-options SERVER_PARAM
!
probe https HTTPs-GET
  interval 20
  request method get url /index.html
  expect status 200 202
!
probe icmp PING
  interval 5
serverfarm WEB-PROTOCOLS
  probe HTTPs-GET
  probe PING
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
sticky http-cookie ILIKECOOKIES STICKYCOOKIE
  cookie insert
  timeout 720
  serverfarm WEB-PROTOCOLS
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKYCOOKIE
    ssl-proxy client SERVER-SSL
!
policy-map multi-match LOADBALANCE
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT-SSL
SSL Redirect Rewrite (ACE 2.0)

!
action-list type modify http ACTION
  header insert request FRONT-END-HTTPS header-value On
  ssl url rewrite location 172.16.20.1
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKY
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
  class SSL-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL
    action ACTION
Advanced Load Balancing
Advanced Load Balancing Features: Increased Protocol Inspection

Protocols supported: FTP and strict FTP, RTSP, ICMP, DNS, HTTP
Enhanced protocol inspection: SIP, Skinny, H.323, ILS/LDAP

Deep Packet Inspection Extends Visibility and Persistence to All Applications

Protocol inspection on the ACE can be used to analyze or modify application data. Compliance with RFCs can also be enforced, as well as filtering for user-defined interactions, which are denied if attempted.
Advanced Load Balancing Features: HTTP Inspection Overview

  HTTP inspection is a special case of application firewalling in which the focus is mainly on HTTP attributes such as the HTTP headers, the URL and the payload itself
  Enables users to validate, filter and log HTTP transactions by matching the traffic against the configured policies
  Shares the HTTP stack and the REGEX engine with L7 SLB, with added features for inspection
  Can work with L7 load balancing for the same flow
  User-defined REGEX can be used in a limited way to detect offending traffic by searching for "signatures"
Advanced Load Balancing Features: HTTP Inspect Features
RFC compliance
MIME type validation
Length and Encoding Checks
Port 80 misuse
Permit/Deny based on L7 Regex match
How to Enable Compression?

From the Cisco ACE 4710 Device Manager you can begin compressing HTTP traffic on the Cisco ACE 4710 by clicking the "Enable Compression" command within the Virtual Server configuration for server farms. A single click enables compression for the configured load balancing policy.

[Screenshot: the Enable Compression control]
HTTP Compression

[Screenshot: searching for "cisco" on www.google.com, with the compressed data highlighted]
TCP Server Offload: "TCP Multiplex" or "TCP Re-use"

  TCP setup and teardown offloaded from the server (currently limited to HTTP)
  Effective for servers dedicating a high percentage of CPU cycles to TCP processing
  TCP connections to the server are kept open (HTTP 1.1 connection keepalive)
  Client requests are multiplexed onto existing server connections
  ACE creates a connection pool on the reals [ip:port] associated with the virtual server
  Client connections are matched to server connections based on TCP options (SACK, timestamp, window_scale, MSS)
TCP Server Offload Illustrated

[Diagram: client connections TCP1, TCP2 and TCP3 arrive at the ACE and are multiplexed onto the pooled server connections ACE-TCP1 (Pool1) and ACE-TCP2 (Pool2)]

parameter-map type http PARAM-MAP
  server-conn reuse
  case-insensitive
  persistence-rebalance
!
class-map match-any HTTP
  10 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match HTTP
  class class-default
    sticky-serverfarm STICKY
!
policy-map multi-match L4
  class vipmap1
    loadbalance vip inservice
    loadbalance policy HTTP
    appl-parameter http advanced-options PARAM-MAP
    nat dynamic 1 vlan 2
Server Connection Reuse

When the feature is enabled, a server TCP connection may be reused to service a different client TCP connection after the response to the previous HTTP request has been transmitted.
"Connection: keep-alive" is inserted and "Connection: close" is removed from the client HTTP request, to avoid closing the server connection early.
Note: details on connection reuse come later.

switch/Admin(config)# parameter-map type http HTTP_PARAM
switch/Admin(config-parammap-http)# server-conn reuse

switch/Admin# show np 1 me-stats "-s icm | grep Reuse"
Reuse link update conn invalid error:      0
Reuse link update conn not on reuse erro   0
Reuse conn remove not on head error:       0
Connection Reuse Add Errors:               0
Connections Removed From Reuse Pools:      1
Connections Added To Reuse Pools:          1

switch/Admin# show stats http | include Reuse
Reuse msgs sent      : 1 , HTTP requests   : 4
switch/Admin# show stats http | include Headers
Reproxied requests   : 0 , Headers removed : 1
Headers inserted     : 1 , HTTP redirects  : 0
TCP Server Offload Example

Over 98% reduction in server-side TCP connections per second. Depends also on server configuration (HTTP GETs per TCP connection).

[Graphs: server-side versus client-side connection rate]
Advanced Load Balancing: Persistence and Pipelining

  HTTP is assumed to follow a simple request/response transaction model
  Introduced in HTTP/1.1, persistence is also referred to as client keep-alive
  Multiple persistent HTTP requests on the same TCP connection will be balanced to [potentially] different rservers if persistence rebalance is configured
  This works without regard to packet boundaries
  Pipelined requests are buffered and later parsed after completing transmit of the previous response. In other words, the requests are un-pipelined
  If persistence-rebalance is not configured, then pipelined requests on a connection will all be sent to the same server, as they arrive

switch/Admin(config)# parameter-map type http HTTP_PARAM
switch/Admin(config-parammap-http)# persistence-rebalance

switch/Admin# show stats http | include requests
Reuse msgs sent      : 0 , HTTP requests      : 7
Reproxied requests   : 0 , Headers removed    : 0
HTTP chunks          : 0 , Pipelined requests : 2
Advanced Load Balancing: Header Insert

  Can be used to insert the client source IP address if NAT is being used
  Inserts a header into the client HTTP request just before transmit to the server
  If persistence-rebalance is configured, the insert occurs on all requests for the connection, otherwise just the first
  The point of insertion is always between the request line and the existing first header
  Configure "%is" and "%ps" to dynamically insert the source (client) IP and port
  Configure "%id" and "%pd" to dynamically insert the destination (virtual server) IP and port
  In the example below, the inserted header might look something like:
    ACE: Src=61.0.0.5:32797;Dest=61.0.0.113:80

switch/Admin(config)# policy-map type loadbalance first-match PSLB
switch/Admin(config-pmap-lb)# class C1
switch/Admin(config-pmap-lb-c)# insert-http ACE header-value Src=%is:%ps;Dest=%id:%pd

switch/Admin# show stats http | include insert
Headers inserted     : 1 , HTTP redirects  : 0
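The request-side behaviour of the last three slides (server connection reuse, un-pipelining, header insert) worked through on a constructed connection buffer: complete requests are split off, the ACE header is inserted directly after the request line with %is/%ps/%id/%pd expanded (on every request with persistence-rebalance, otherwise only the first), and with server-conn reuse "Connection: close" is removed and "Connection: keep-alive" added. Added example, not ACE code; it assumes bodiless (GET-style) requests, so a request ends at the first blank line, and the sample buffer and flow addresses are constructed.

```python
"""Client-request rewriting in the spirit of the slides: un-pipelining, header
insert with %is/%ps/%id/%pd, and the Connection header swap done for server
connection reuse. Added example, not ACE code; assumes bodiless requests."""
from typing import List, Optional, Tuple

# Constructed sample: two complete pipelined GETs plus the start of a third.
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n"
          b"GET /image/logo.gif HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
          b"GET /partial HTTP/1.1\r\nHost: www.ex")
FLOW = ("61.0.0.5", 32797, "61.0.0.113", 80)        # client ip/port, VIP ip/port (from the slide)
INSERT = ("ACE", "Src=%is:%ps;Dest=%id:%pd")         # header name and value format (from the slide)


def expand_macros(fmt: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
    """%is/%ps = source (client) IP/port, %id/%pd = destination (virtual server) IP/port."""
    return (fmt.replace("%is", src_ip).replace("%ps", str(src_port))
               .replace("%id", dst_ip).replace("%pd", str(dst_port)))


def unpipeline(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a connection buffer into complete requests plus the unfinished tail.
    Requests are assumed to have no body, so each ends at the first blank line."""
    reqs: List[bytes] = []
    while True:
        head, sep, rest = buf.partition(b"\r\n\r\n")
        if not sep:
            return reqs, buf            # incomplete request stays buffered
        reqs.append(head + sep)
        buf = rest


def rewrite(req: bytes, insert: Optional[Tuple[str, str]],
            flow: Tuple[str, int, str, int], server_conn_reuse: bool) -> bytes:
    """Rewrite one request as it would be sent to the real server."""
    lines = req.rstrip(b"\r\n").split(b"\r\n")
    out = [lines[0]]                                   # request line
    if insert is not None:
        name, fmt = insert                             # insertion point: right after the request line
        out.append(f"{name}: {expand_macros(fmt, *flow)}".encode())
    saw_keepalive = False
    for hdr in lines[1:]:
        hname, _, value = hdr.partition(b":")
        if server_conn_reuse and hname.strip().lower() == b"connection":
            if value.strip().lower() == b"close":
                continue                               # removed: would make the server close the pooled conn
            saw_keepalive = value.strip().lower() == b"keep-alive"
        out.append(hdr)
    if server_conn_reuse and not saw_keepalive:
        out.append(b"Connection: keep-alive")          # inserted so the server keeps the connection open
    return b"\r\n".join(out) + b"\r\n\r\n"


def process(buf: bytes, flow: Tuple[str, int, str, int], insert: Optional[Tuple[str, str]],
            persistence_rebalance: bool, server_conn_reuse: bool) -> Tuple[List[bytes], bytes]:
    """Un-pipeline a connection buffer and rewrite each complete request.
    Without persistence-rebalance only the first request on the connection gets the insert."""
    reqs, tail = unpipeline(buf)
    out = []
    for i, req in enumerate(reqs):
        do_insert = insert if (persistence_rebalance or i == 0) else None
        out.append(rewrite(req, do_insert, flow, server_conn_reuse))
    return out, tail
```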
Q and A
Recommended Reading

Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press

  Designing Content Switching Solutions: Zeeshan Naseh (CCIE 6836), Haroon Khan (CCIE 4530)
  Data Center Fundamentals: Mauricio Arregoces (CCIE 3285), Maurizio Portolani
  Content Networking Fundamentals: Silvano Da Ros
  Web Security Field Guide: Steve Kalman
  Server Load Balancing: Tony Bourke
  SSL and TLS: Designing and Building Secure Systems: Eric Rescorla

Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
Backup Slides
Design Comparison: Application View
L2 In-Path: No Source-NAT necessary (except server-to-server via VIP)
L3 In-Path: No Source-NAT necessary (except server-to-server via VIP)
L3 Out-of-Path: Source-NAT necessary, or PBR (Policy Based Routing), which is not VRF-aware and an operational challenge
Design Comparison: Scalability
L2 In-Path: One or multiple VLANs per context possible; non-load-balanced traffic also passes through the ACE
L3 In-Path: Centralized load-balancing architecture; non-load-balanced traffic also passes through the ACE
L3 Out-of-Path: Only load-balanced traffic passes through the ACE
Design Comparison: Migration
L2 In-Path: Easy and transparent migration; no changes to server IP or gateway
L3 In-Path: Gateway address is typically moved to the ACE
L3 Out-of-Path: Easy migration; typically not transparent in terms of source IP address
Content Switching Design Approaches
Routed Mode: Design
(2A) Routed Mode Design with MSFC on Client Side
Servers' default gateway is the alias IP on the ACE
Extra configuration needed for:
  Direct access to servers
  Non-load-balanced server-initiated sessions
ACE's default gateway is the HSRP group IP address on the MSFC
RHI possible
Load balancer inline for all traffic
[Diagram 2A: Core-1/Core-2; Agg-1/Agg-2 with MSFC1/MSFC2; ACE 1 and ACE 2 (Standby) joined by FT PortChannel and Data PortChannel; Access switches. ACE Client-Side VLAN 10 10.10.1.0/24, ACE Server-Side VLAN 20 10.20.1.0/24, ACE Server-Side VLAN 30 10.30.1.0/24]

(2B) Routed Mode Design with MSFC on Server Side
Servers' default gateway is the HSRP group IP address on the MSFC
Extra configuration needed for (simpler than option 2A):
  Direct access to servers
  Non-load-balanced server-initiated sessions
SM's default gateway is the core router
RHI not possible
Server-to-server communication bypasses the load balancer
[Diagram 2B: Core-1/Core-2; Agg-1/Agg-2 with MSFC1/MSFC2; ACE 1 and ACE 2 (Standby) joined by FT PortChannel and Data PortChannel; Access switches. ACE Client-Side VLAN 5 10.5.1.0/24, ACE Server-Side VLAN 1 10.10.1.0/24, Server VLAN 20 10.20.1.0/24, Server VLAN 30 10.30.1.0/24]
Content Switching Design Approaches
Routed Mode: Configuration
ACE
!
interface vlan 10
ip address 10.10.1.5 255.255.255.0
alias 10.10.1.4 255.255.255.0
peer ip address 10.10.1.6 255.255.255.0
no shutdown
!
interface vlan 20
ip address 10.20.1.2 255.255.255.0
alias 10.20.1.1 255.255.255.0
peer ip address 10.20.1.3 255.255.255.0
no shutdown
!
interface vlan 30
ip address 10.30.1.2 255.255.255.0
alias 10.30.1.1 255.255.255.0
peer ip address 10.30.1.3 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1

MSFC
!
interface Vlan10
ip address 10.10.1.2 255.255.255.0
standby 10 ip 10.10.1.1
standby 10 priority 110
standby 10 preempt
!
Content Switching Design Approaches
Bridged Mode: Design
(1) Bridged Mode Design Considerations
Servers' default gateway is the HSRP group IP address on the MSFC
Broadcast/multicast/route-update traffic bridges through
No extra configuration needed for:
  Direct access to servers
  Server-initiated sessions
RHI possible
Load balancer inline for all traffic
[Diagram 1: Core-1/Core-2; Agg-1/Agg-2 with MSFC1/MSFC2; ACE 1 and ACE 2 (Standby) joined by FT PortChannel and Data PortChannel; Access switch. ACE Client-Side VLAN 10 10.10.1.0/24, ACE Server-Side VLAN 20 10.10.1.0/24 (same subnet on both VLANs, as bridged mode requires)]
Content Switching Design Approaches
Bridged Mode: Configuration
ACE
interface vlan 10
bridge-group 10
access-group input anyone
access-group output anyone
no shutdown
!
interface vlan 20
bridge-group 10
access-group input anyone
access-group output anyone
no shutdown
!
interface bvi 10
ip address 10.10.1.5 255.255.255.0
alias 10.10.1.4 255.255.255.0
peer ip address 10.10.1.6 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1
!

MSFC
!
interface Vlan10
ip address 10.10.1.2 255.255.255.0
standby 10 ip 10.10.1.1
standby 10 priority 110
standby 10 preempt
!
Content Switching Design Approaches
Bridged Mode: BPDU Forwarding
Like the FWSM, the ACE can let BPDUs through and can rewrite their payload, correctly handling merged STP domains
Protects against accidental loops if the FT heartbeat cable or VLAN is disconnected

ACE Configuration to Allow BPDUs
!
access-list bpduallow ethertype permit bpdu
!
interface vlan 10
bridge-group 10
access-group input bpduallow
no shutdown
!
interface vlan 20
bridge-group 10
access-group input bpduallow
no shutdown
!
Content Switching Design Approaches
L3 One-Armed Mode: Design
(3) One-Armed Design Considerations
Servers' default gateway is the HSRP group IP address on the MSFC
No extra configuration needed for:
  Direct access to servers
  Server-initiated sessions
RHI possible
CSM/ACE is inline only for server-load-balanced traffic
Policy-based routing or source NAT can be used to redirect server return traffic to the load balancer
[Diagram 3: Core-1/Core-2; Agg-1/Agg-2 with MSFC1/MSFC2; ACE 1 and ACE 2 (Standby) joined by FT PortChannel and Data PortChannel; Access switches. ACE Server-Side VLAN 10 10.10.1.0/24, Server VLAN 20 10.20.1.0/24, Server VLAN 30 10.30.1.0/24]
Content Switching Design Approaches
L3 One-Armed Mode: PBR Configuration
ACE - Asymmetric Routing
!
interface vlan 10
ip address 10.10.1.5 255.255.255.0
alias 10.10.1.4 255.255.255.0
peer ip address 10.10.1.6 255.255.255.0
no normalization
access-group input anyone
access-group output anyone
no shutdown
!

MSFC
!
interface Vlan10
ip address 10.10.1.2 255.255.255.0
standby 10 ip 10.10.1.1
standby 10 priority 110
standby 10 preempt
!

MSFC
!
interface Vlan20
ip address 10.20.1.2 255.255.255.0
ip policy route-map FromServersToSLB
standby 20 ip 10.20.1.1
standby 20 priority 110
!
access-list 121 permit tcp any eq telnet any
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
!
route-map FromServersToSLB permit 10
match ip address 121
set ip next-hop 10.10.1.4
Content Switching Design Approaches
L3 One-Armed Mode: Source-NAT Configuration
class-map match-all HTTP
2 match virtual-address 172.16.1.73 tcp eq 80
policy-map type loadbalance first-match WEB
class class-default
insert-http x-forwarded-for: header-value %is
serverfarm HTTP
policy-map multi-match L4
class HTTP
loadbalance vip inservice
loadbalance policy WEB
nat dynamic 1 vlan 2
interface vlan 2
ip address 172.16.1.1 255.255.255.0
alias 172.16.1.254 255.255.255.0
peer ip address 172.16.1.2 255.255.255.0
access-group input everyone
service-policy input remote-mgmt
service-policy input L4
no normalization
nat-pool 1 10.10.1.110 10.10.1.110 netmask 255.255.255.0 pat
no shutdown
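With source NAT, the server sees the ACE nat-pool address as the TCP peer and must recover the client address from the inserted x-forwarded-for header. The following is an added server-side example, not from the slides or Cisco, of how to do that safely: it trusts the header only when the peer is the nat-pool address 10.10.1.110 from the configuration above, and, because the slides state the ACE inserts its header directly after the request line (ahead of any header the client supplied), it reads the first x-forwarded-for value rather than the last.

```python
"""Added server-side example (not ACE code): derive the client address for
logging or rate limiting when the ACE source-NATs to 10.10.1.110 and inserts
x-forwarded-for with %is. Trust the header only from the ACE, and take the
FIRST occurrence, since the ACE inserts ahead of any client-sent header."""
import ipaddress

# nat-pool address from the Source-NAT configuration above (assumed the only proxy)
TRUSTED_PROXIES = {ipaddress.ip_address("10.10.1.110")}


def client_ip(peer: str, headers: list) -> str:
    """peer: TCP peer address as seen by the server.
    headers: list of (name, value) tuples in wire order; order matters here."""
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        raise ValueError(f"bad peer address {peer!r}")
    if peer_ip not in TRUSTED_PROXIES:
        return peer                       # direct access path: header is untrusted, ignore it
    xff = [v for n, v in headers if n.lower() == "x-forwarded-for"]
    if not xff:
        return peer                       # proxied but nothing inserted: report the ACE itself
    first = xff[0].split(",")[0].strip()  # ACE's own header, first hop in it
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return peer                       # malformed value: never log attacker-controlled text
```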