Server Load Balancing Design - Faculty Web Server

BRKAPP-2002 14405_04_2008_c2

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public


Server Load Balancing Design

BRKAPP-2002


© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr


Cisco Application Delivery Networks

Network Classification
- Quality of service
- Network-based app recognition
- Queuing, policing, shaping
- Visibility, monitoring, control

Application Scalability
- Server load-balancing
- Site selection
- SSL termination and offload
- Video delivery

Application Networking
- Message transformation
- Protocol transformation
- Message-based security
- Application visibility

Application Acceleration
- Latency mitigation
- Application data cache
- Meta data cache
- Local services

WAN Acceleration
- Data redundancy elimination
- Window scaling
- LZ compression
- Adaptive congestion avoidance

Application Optimization
- Delta encoding
- FlashForward optimization
- Application security
- Server offload

Other Cisco Live Breakout Sessions that You May Want to Attend

Relevancy columns in the original table: GSS, ISR, WAAS, ACNS, ACE, AXG, Applications

- BRKAPP-2002 Server Load Balancing Design
- BRKAPP-3003 Troubleshooting ACE
- BRKAPP-1004 Introduction WAAS
- BRKAPP-2005 Deploying WAAS
- BRKAPP-3006 Troubleshooting WAAS
- BRKAPP-1008 What can Cisco IOS do for my application?
- BRKAPP-1009 Introduction to Web Application Security
- BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization
- BRKAPP-2011 Scaling Applications in a Clustered Environment
- BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Siebel and Exchange
- BRKAPP-2014 Deploying AXG
- BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers
- BRKAPP-1016 Running Applications on the Branch Router
- BRKAPP-2017 Optimizing Application Delivery
- BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers

Agenda
- Application Load Balancing: Health Checking, Prediction, Persistence, Design Implementation Considerations
- Policy Configuration Examples: Layer 4 Example, Web Protocol Example, Server to Server Load Balancing Example
- SSL: SSL Offload Example
- Advanced Load Balancing Design: Application Inspections, TCP Reuse, URL Load Balancing

ACE Application Switching Module
- Integrates Load Balancing, Application Optimization and Security
- Virtual Device Support
- Data Center and Application Firewall
- Multimedia and Voice Intelligence
- Low Power Usage with High Performance
- License-based Upgrades (SSL, virtual licenses)
- Support for Catalyst 6500 Series Switch and Cisco 7600 Series Router

Integrated Services, High Performance Application Switching Platform: 4-16 Gbps

ACE Application Switching Appliance
- Integrates Load Balancing, Application Optimization and Security
- Virtual Device Support
- Data Center and Application Firewall
- Multimedia and Voice Intelligence
- Low Power Usage with High Performance
- License-based Upgrades (SSL, Virtual licenses, Application Optimization, Compression Performance)
- Specific optimizations for common applications
- Latency and bandwidth reduction with protection
- Application switching for scalability and availability
- Embedded Browser-based Graphical User Interface
- High Performance Multi-core, Dual-CPU Architecture

Integrated Services, High Performance Application Switching Platform: 1-2 Gbps

Cisco Application Networking Manager (ANM)
- ACE Appliance has an embedded GUI
- ANM is free for 2 ACE devices (with 5 contexts max without additional licensing); an order must still be placed for ANM-SERVER-12-K9
- ACE Module has no embedded GUI
- Cisco ANM runs from a centralized server running Red Hat Linux
- Multiple Cisco ANM users can simultaneously manage multiple devices via web browser
- Enables device and virtualization provisioning for up to fifty (50) ACE and forty (40) CSS and CSM per Cisco ANM server
- Graphical interface for simplified and standardized service provisioning for basic, advanced and expert users
- Secure user access and delegation of responsibilities

Enables Centralized Configuration, Operations, and Monitoring of Cisco Data Center Networking Equipment and Services

Load Balancing Overview: Terminology
- Clients
- Client-Side Gateway
- Content Switch (Load Balancer)
- Virtual IP Address (VIP): e.g. 172.16.2.100, TCP port 80
- Class-Map: match criteria such as URL = /news, User-Agent = WindowsCE, Client = 192.0.0.0/8
- Policy-Map: if match class-map X then use serverfarm X, else use serverfarm Y
- Load Balancing Algorithm (Predictor): e.g. Round Robin
- Servers
- Serverfarm
- Keepalive (Probe)
- XML Gateways

Traffic Being Load Balanced
- Generic IP traffic (e.g. IPsec tunnels)
- Generic UDP and TCP (e.g. proprietary protocols)
- Network services (e.g. LDAP, DNS, RADIUS)
- HTTP (e.g. Web Presentation Layer, Web Services, SOAP/XML)
- Voice and Video (e.g. RTSP, SIP, H.323)
- Remote terminals (e.g. Windows Terminal Services)
- Multi-connection protocols (e.g. FTP, RTSP)
- Multi-tier packaged applications (e.g. SAP, Oracle, Microsoft, BEA)
- Vertical specific applications (e.g. medical, finance, education)

Packet layout and the layer each part belongs to:
- Ethernet Header: Layer 2
- IP Header: Layer 3
- TCP Header: Layer 4
- HTTP Header and Payload: Layer 5-7
- Ethernet Trailer

Scale Your Application: Health Checking

Scale Your Application: Health Monitoring Issues
- ARPs only check the IP stack and not the application
- ICMP probes only check the IP stack of the machine and not the application
- Generic TCP port opens check the TCP stack but not the application's ability to handle requests; an application may fail in a state where the server can still respond to a TCP SYN but not to an application data request
- To verify the integrity of an application, an application data request keepalive is required
- How to verify the application server's health, or the web server's reachability to the application server?

Application Load Balancing: Probe Options

Probe        Description
ICMP         Sends an ICMP request and waits for the reply
Generic TCP  Opens a connection with the server and disconnects with TCP FIN or RST (TCP FIN is the default)
Generic UDP  Sends a packet; the probe is considered successful if no ICMP error is received
HTTP         Sends an HTTP HEAD or HTTP/1.1 GET request
HTTPS        Establishes an SSL connection, sends an HTTP query and tears it down
FTP          Similar to the TCP probe
Telnet       Makes a connection, sends a "QUIT" message
DNS          Uses a default domain and waits for any response
SMTP         Sends a "hello" followed by a "QUIT" message
POP3         Similar to the TCP probe
IMAP         Similar to the TCP probe
RADIUS       Similar to the UDP probe; NAS-IP can be configured
Scripted     Uses the TCL interpreter (release 8.44) to execute user-defined TCL scripts that perform health monitoring
SNMP         Up to eight OIDs can be configured. Used mainly for load balancing predictions and not health checking; should be combined with another health probe to verify the application

Scale Your Application: Application or Database Server Health Checking

Probing customer application servers with application data requires a scripted keepalive on the load balancer or on a front-end server. Scripting on front-end servers allows greater flexibility.

Diagram: the probe requests http://www.company.com/test.asp on the web server, and the test request (Buy 10000 Widgets, Customer: Testuser, Company: Test Inc.) flows through to the application and database servers behind it.
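The difference the slide describes, as an added example (not from the deck): a generic TCP probe and an application-data keepalive run against two constructed in-process servers, one healthy and one whose TCP stack still answers but whose application page fails. The /test.asp path and the "ORDER OK" token are assumptions standing in for the real test page.

```python
"""Added example (not from the Cisco deck): a TCP port-open probe versus an
application-data probe, run against two constructed local HTTP servers.
One server is healthy; the other completes the TCP handshake but its
application layer answers /test.asp with an error, which is exactly the
failure state a TCP probe cannot see."""
import http.client
import http.server
import socket
import threading


def _serve(app_ok):
    """Start a throwaway HTTP server on 127.0.0.1; returns (port, server)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if app_ok and self.path == "/test.asp":
                body, status = b"ORDER OK", 200      # assumed healthy-app token
            else:
                body, status = b"database unavailable", 500
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):            # keep the run quiet
            pass

    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def tcp_probe(host, port, timeout=2.0):
    """Generic TCP probe: success if the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def app_probe(host, port, path="/test.asp", expect=b"ORDER OK", timeout=2.0):
    """Application-data probe: GET a page that exercises the backend and
    require both a 200 status and the expected token in the body."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return resp.status == 200 and expect in body
    except (OSError, http.client.HTTPException):
        return False


def compare_probes():
    """Run both probes against a healthy and an app-broken server.
    Returns {server_name: (tcp_probe_result, app_probe_result)}."""
    results = {}
    for name, ok in (("healthy", True), ("app-broken", False)):
        port, srv = _serve(ok)
        try:
            results[name] = (tcp_probe("127.0.0.1", port),
                             app_probe("127.0.0.1", port))
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, (tcp_ok, app_ok) in compare_probes().items():
        print(f"{name:11s} tcp_probe={tcp_ok} app_probe={app_ok}")
```

The app-broken server passes the TCP probe and fails the application probe, so only the latter would take it out of the serverfarm.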

Scale Your Application: Predictors

Scale Your Application: Predictors

Predictors determine how connections are load balanced from the client across the serverfarm.

Scale Your Application: Predictor Algorithms
- Round Robin (weighted): very simple
- Least Connections (weighted): dynamic, requires slow-start
- Hash on IP (source/destination, with mask): no state required for stickiness; issues with dynamic changes to the serverfarm
- Hash on URL, or on a portion of the URL
- Server Watermarks: min and max number of connections per server
- Least Loaded: server feedback obtained from SNMP Object IDs
- Least Bandwidth: connection vs. bandwidth based, using the bidirectional traffic flow
- Adaptive Response Predictor: load balancing based on server response time, measured as SYN to SYN-ACK, SYN to FIN, or application request to first packet of response

Enhanced Predictors: Adaptive Response Predictor

Load balancing based on server response time; the response time is calculated over a configured number of samples and supports the following three measurement options (measured by the ACE toward the serverfarm):
- SYN to SYN-ACK: time between the SYN sent from ACE and the SYN-ACK received from the server
- SYN to Close: time between the SYN sent from ACE and the FIN/RST received from the server
- Application Request to Response: time between the HTTP request sent from ACE and the HTTP response received from the server

Enhanced Predictors: Least-Loaded Using SNMP
- The Least Loaded predictor can support up to 8 user-defined SNMP Object IDs
- The least-loaded algorithm automatically calculates the least loaded server from the SNMP responses received from the servers
- The number of active connections on each server is also factored into the least-loaded algorithm
- Users can define static weights for each Object ID, allowing load balancing control of new connections based on real-time performance data

The least-loaded predictor provides the most accurate method for calculating the servers' load.

Enhanced Application Algorithms: Least-Loaded Using SNMP

ACE utilizes SNMP-based probes to obtain CPU, memory and drive statistics from the servers. Only an SNMP agent is required on the server; no additional software.

ACE queries each server for the following three SNMP Object IDs (example query results from the diagram):

Object ID                Server 1       Server 2       Server 3
CPU Utilization          34%            24%            14%
Memory Resources         785300k free   885300k free   947300k free
Disk Drive Availability  202GB free     307GB free     440GB free

Enhanced Application Algorithms: New Feature, Least-Bandwidth

The load balancer introduces the least-bandwidth predictor, which selects the server that processed the least amount of network traffic over a specified sampling period.
- The ACE measures traffic statistics between itself and the real servers in the server farm in both directions and calculates the bandwidth over the sampling period
- Then it creates an ordered list of real servers based on the sampling results and selects the server that used the least amount of bandwidth during the sampling period

The least-bandwidth predictor is best suited for heavy traffic use.
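The predictor families from the algorithm, adaptive-response, least-loaded and least-bandwidth slides above, as one added example (not Cisco's code) run over a constructed three-server farm so the choices can be compared side by side. Weights, connection counts, response samples and byte counts are constructed; the SNMP values are the ones from the slide's diagram, and the slow-start penalty and OID weighting are simplified models, not ACE's exact arithmetic.

```python
"""Added example (not Cisco's code): reference implementations of the
predictor families on these slides, run over one constructed serverfarm.
Slow-start and the SNMP weighting are simplified models of the behaviour
the slides describe, not ACE's internal arithmetic."""
from collections import deque
import ipaddress
import zlib


class Rserver:
    def __init__(self, name, ip, weight=8):
        self.name, self.ip, self.weight = name, ip, weight
        self.conns = 0                # current open connections
        self.rtt = deque(maxlen=8)    # last N response-time samples, ms ("samples 8")
        self.oids = {}                # polled SNMP OID name -> value


def round_robin(farm, state):
    """Smooth weighted round robin: each server gets weight/total of the picks,
    interleaved rather than in bursts. 'state' carries the running credit per
    server between calls, since the predictor is stateful per farm."""
    credit = state.setdefault("credit", {s.name: 0 for s in farm})
    total = sum(s.weight for s in farm)
    for s in farm:
        credit[s.name] += s.weight
    pick = max(farm, key=lambda s: credit[s.name])
    credit[pick.name] -= total
    return pick


def least_conns(farm, slowstart=None):
    """Weighted least connections: lowest conns/weight wins. A server in
    slow-start (just brought into service) is charged a penalty so it is
    ramped in gradually instead of receiving every new connection at once."""
    slowstart = slowstart or {}
    return min(farm, key=lambda s: (s.conns + slowstart.get(s.name, 0)) / s.weight)


def hash_ip(farm, src_ip, mask="255.255.255.255"):
    """Source-IP hash with optional mask: no sticky table is needed because the
    same (masked) client address always hashes to the same server. The flip
    side: adding or removing a server changes the modulus and remaps most
    clients, which is the 'dynamic changes' caveat on the slide."""
    masked = int(ipaddress.IPv4Address(src_ip)) & int(ipaddress.IPv4Address(mask))
    return farm[zlib.crc32(masked.to_bytes(4, "big")) % len(farm)]


def least_loaded(farm, oid_weights):
    """Least loaded via SNMP: combine up to eight polled OID values with static
    per-OID weights (positive = the value is load, negative = the value is
    headroom) and add the current connection count, as the slide describes."""
    def score(s):
        return sum(w * s.oids.get(oid, 0) for oid, w in oid_weights.items()) + s.conns
    return min(farm, key=score)


def response(farm):
    """Adaptive response predictor: lowest mean of the recent samples wins
    (SYN-to-SYN-ACK, SYN-to-close or request-to-response, whichever is
    configured). A server with no samples yet is treated as fastest so that
    it gets measured."""
    return min(farm, key=lambda s: sum(s.rtt) / len(s.rtt) if s.rtt else 0.0)


def least_bandwidth(farm, bytes_in_period):
    """Least bandwidth: fewest bytes moved in both directions during the
    sampling period ('assess-time' on the CLI) wins."""
    return min(farm, key=lambda s: bytes_in_period.get(s.name, 0))


def demo():
    """Constructed farm of three servers; returns each predictor's choice."""
    farm = [Rserver("SERVER1", "192.168.1.1", 8),
            Rserver("SERVER2", "192.168.1.2", 8),
            Rserver("SERVER3", "192.168.1.3", 4)]
    s1, s2, s3 = farm
    s1.conns, s2.conns, s3.conns = 10, 3, 4
    s1.rtt.extend([12, 14, 13])
    s2.rtt.extend([5, 40, 6])
    s3.rtt.extend([20, 22, 21])
    # SNMP values from the slide: CPU %, memory free (k), disk free (GB)
    s1.oids = {"cpu": 34, "mem_free_k": 785300, "disk_free_gb": 202}
    s2.oids = {"cpu": 24, "mem_free_k": 885300, "disk_free_gb": 307}
    s3.oids = {"cpu": 14, "mem_free_k": 947300, "disk_free_gb": 440}
    oid_weights = {"cpu": 1.0, "mem_free_k": -1e-5, "disk_free_gb": -0.01}
    rr_state = {}
    return {
        "roundrobin": [round_robin(farm, rr_state).name for _ in range(5)],
        "leastconns": least_conns(farm).name,
        "leastconns_slowstart": least_conns(farm, {"SERVER2": 10}).name,
        "hash_same_subnet": hash_ip(farm, "10.1.2.3", "255.255.255.0")
                            is hash_ip(farm, "10.1.2.200", "255.255.255.0"),
        "least_loaded": least_loaded(farm, oid_weights).name,
        "response": response(farm).name,
        "least_bandwidth": least_bandwidth(farm, {"SERVER1": 5_000_000,
                                                  "SERVER2": 900_000,
                                                  "SERVER3": 2_000_000}).name,
    }


if __name__ == "__main__":
    for predictor, choice in demo().items():
        print(f"{predictor:22s} -> {choice}")
```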


Scale Your Application: Session Persistence (Stickiness)
- Session: logical aggregation of multiple simultaneous or subsequent connections
- Sessions are limited in time (timeout)
- Servers keep session state
- The content switch, by distributing load across multiple servers, introduces the problem
- The content switch needs to send connections from the same client to the same server
- Even with a backend database holding the session information, stickiness is very useful since it significantly improves performance

Scale Your Application: Session Persistence Methods (How to Uniquely Identify a Client)

Source IP
- Variation: full IP or masked IP
- Info stored on: LB
- Good for: simplicity
- Caveats: proxies
- How it works: client = its source IP

Cookie
- Variation: static, dynamic, insert
- Info stored on: LB
- Good for: flexibility
- Caveats: HTTP only, clear text
- How it works: client = a cookie value

SSL ID
- Variation: full session ID or offset
- Info stored on: LB
- Good for: no cookie support needed
- Caveats: SSL v3 renegotiation
- How it works: client = SSL session ID

HTTP Redirect
- Info stored on: client
- Good for: no state on LB
- Caveats: HTTP only, absolute URLs, bookmarks
- How it works: LB redirects to a specific (virtual) server

RDP
- Info stored on: LB
- Good for: recovering disconnected WTS sessions
- Caveats: no token, needs to fall back to source IP
- How it works: SD (Session Directory) routing token = server IP + port

SIP
- Info stored on: LB
- Good for: SIP-specific stickiness
- How it works: client = session Call-ID

GPP (custom)
- Info stored on: LB
- Good for: flexible for custom applications
- Caveats: specific to application
- How it works: regex matches on TCP and UDP data

Design Configuration

Design Configuration: ACE Service Virtualization

Diagram: one physical device hosts an Admin context plus Context 1, Context 2 and Context 3. Context definition and resource allocation are done from the Admin context; an ANM management station and AAA are attached for management.

Design Configuration: ACE Virtualization
- Provides a means to partition one physical unit into independently managed logical engines; provisions resources per logical device; almost every feature subsystem is virtualized, including the Linux kernel
- Logical devices are called virtual contexts, each with independent resource allocation and policies
- A default context called 'Admin' is available initially; customers who do not wish to use virtualization can perform all operations from within the 'Admin' context
- ACE Module: 250 contexts + Admin context supported
- ACE Appliance: 20 contexts + Admin context supported

Design Configuration: ACE Resource Management
- By default, every context is a member of the 'default' resource-class, with unlimited access to system resources
- Resources can be guaranteed in three ways:
  - No guaranteed resources, but access to any available resource
  - X% of resources guaranteed, with no access to other additional resources
  - X% of resources guaranteed and access to any available resource
- The minimum limit is specified as a percentage (e.g. 5.00%)
- The maximum limit can equal the min value or be unlimited
- Only one resource-class can be applied per context
- A maximum of 100 resource-classes can be configured
- Sticky resources require a minimum of 1% per context, which the default resource-class does not provide: associate all contexts with a non-default resource-class

Design Configuration: Router Mode
- The preferred configuration for appliances
- By default the load balancer acts as a router
- The servers' default gateway is the load balancer
- The VIP addresses can reside on the client side or the server side
- If you do not want to change the IP addresses of the servers, put the VIP on the server side and create a /30 network to the firewall

Diagram: Subnet A on the client side, Subnet B and Subnet C on the server side. Servers' default gateway: the content switch IP.

Design Configuration: Bridge Mode
- The load balancer acts as a bump in the wire
- This is preferred for integrated load balancers like the ACE modules
- The servers' default gateway will be the upstream router or firewall
- If packets are sent to the physical IP address of the load balancer, it will try to route the packet by default

Diagram: the same subnets (Subnet A, Subnet B) appear on both sides of the ACE, which bridges each VLAN pair. Servers' default gateway: the upstream router's or firewall's IP address, not the ACE's address.

How Are Customers Using Virtualization? Security and Bridge Mode

Diagram: the ACE is divided into an Admin partition and partitions A, B and C. Each pair of bridged VLANs has its own configuration, independent management, and enhanced security.

"The security team continues to fully manage the FWSM and is comfortable with the bridge mode approach. In parallel, we have turned on some extra HTTP security features on ACE"

"Bridge mode on the CSM was great, but ACE takes the same approach to a whole new level with virtualization"

Design Considerations: One-Arm Mode Overview
- L2 rewrite not possible
- Content switch not inline: does not see unnecessary traffic
- Requires PBR, the servers' default gateway pointing to the load balancer, or client source NAT: the return traffic is needed!
- ACE can insert the user's original IP address as a client header:

    policy-map type loadbalance first-match OAM
      class L7Policy
        insert-http x-forwarded-for header-value "%is"

Diagram: the ACE hangs off Subnet B on a single arm; servers' default gateway: the upstream router. PBR: Policy Based Routing; NAT: Network Address Translation.
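What the server side should do with the header the one-arm ACE inserts, as an added example (not from the deck): when client source NAT is in use the server only sees the ACE's address, so the X-Forwarded-For value is the client identity, but it may only be believed on connections that actually arrive from the load balancer, since any client can send its own copy of the header. The trusted-proxy network and the addresses are constructed.

```python
"""Added example (not from the deck): recovering the client address behind a
one-arm, source-NAT load balancer from X-Forwarded-For without trusting a
value the client could have forged. The trusted proxy network below is a
constructed stand-in for the ACE's one-arm subnet."""
import ipaddress


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Return the address to log and rate-limit on.

    remote_addr     : peer address of the TCP connection (the ACE, via client NAT)
    xff_header      : raw X-Forwarded-For value, or None
    trusted_proxies : networks whose appended hops may be believed

    The header is ignored entirely unless the connection comes from a trusted
    proxy. Hops are then read right to left (most recently appended first),
    trusted hops are skipped, and the first untrusted address is the client.
    Anything unparsable makes us fall back to the peer address rather than
    guess."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        try:
            return any(ipaddress.ip_address(addr) in n for n in trusted)
        except ValueError:
            return False

    if not xff_header or not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr          # garbage in the header: do not trust it
    return hops[0] if hops else remote_addr   # every hop trusted: leftmost is the client


def demo():
    """Constructed cases; 172.16.1.0/24 plays the ACE's one-arm subnet."""
    lb = ["172.16.1.0/24"]
    return {
        # normal path: ACE appended the real client
        "via_lb": client_ip("172.16.1.1", "203.0.113.7", lb),
        # client sent its own X-Forwarded-For, ACE appended the true source after it
        "client_forged": client_ip("172.16.1.1", "198.51.100.9, 203.0.113.7", lb),
        # connection did not come through the ACE: header must be ignored
        "direct_forged": client_ip("203.0.113.7", "10.0.0.1", lb),
        "no_header": client_ip("172.16.1.1", None, lb),
        # unparsable last hop: fall back to the peer address
        "garbage": client_ip("172.16.1.1", "203.0.113.7, not-an-ip", lb),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:14s} -> {ip}")
```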

Design Considerations: One-Arm Mode Overview, Without PBR, Client NAT, or the Servers' Gateway Being Set to the Load Balancer

1. Client to VIP: dst MAC = Router MAC, then LB MAC on the last hop; src IP = Client IP, dst IP = VIP; src port = random port, dst port = VIP port
2. Load balancer to the selected server: src MAC = CS MAC, dst MAC = Server MAC; src IP = Client IP (unchanged), dst IP = selected server IP; src port = random port, dst port = VIP port
3. The server's reply goes straight to the client through its default gateway (the upstream router), bypassing the load balancer: src IP = selected server IP, dst IP = Client IP; src port = VIP port, dst port = random port. The client has no connection with the server's own IP, so it answers with a RST.

L2 One-Arm Mode: Return Traffic Bypassing ACE
- Bypass for return traffic: high throughput!
- Requires MAC rewrite, L2 adjacency
- Servers need identical loopback addresses (one per VIP)
- TCP termination not possible: no L7 features!
- Load balancer blind to return traffic (inband, accounting)

Diagram: ACE on Subnet B; servers' default gateway: the upstream router.

Redundancy Model
- Redundancy groups (Fault Tolerance, FT groups) are configured based on virtual contexts
- Two instances of the same context (on two distinct ACE modules) form a redundancy group, one being active and the other standby
- The peer ACE can be in the same or a different Cisco Catalyst 6k chassis
- Both ACE modules can be active at the same time, processing traffic for distinct contexts, and backing up each other (stateful redundancy)

Example: two ACE modules, four FT groups, four virtual contexts (A, B, C, D), connected by an FT VLAN:
- ACE-1: A (active, FT Group 1), B (active, FT Group 2), C' (standby, FT Group 3), D' (standby, FT Group 4)
- ACE-2: A' (standby, FT Group 1), B' (standby, FT Group 2), C (active, FT Group 3), D (active, FT Group 4)

Policy Configuration Examples

Policy Lookup Order
- There can be many features applied on a given interface, so feature lookup ordering is important
- The feature lookup order followed by the datapath in ACE is as follows:
  1. Access-control (permit or deny a packet)
  2. Management traffic
  3. TCP normalization / connection parameters
  4. Server load balancing
  5. Fix-ups / application inspection
  6. Source NAT
  7. Destination NAT
- The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface

Application Networking Manager 1.2

ANM 1.2 provides turnkey control and administration for ACE Modules and ACE Appliances, and multidevice application management of large-scale data center operations.

ANM 1.2: Configure Basic Server Load Balancing

Screenshots: Configure Virtual Server (VIP); Configure Load Balancing Actions. Easy-to-use server load balancing configuration.

ANM 1.2: Configure Basic Server Load Balancing
- Intuitive GUI design prompts the user to configure VIP details as necessary
- Advanced options appear as the user drills down

Screenshots: Create Server Farm; Create Health Monitoring Probes; Add Real Servers.

Policy CLI Overview
1. Define match criteria
2. Associate actions to match criteria
3. Activate the classification-action rules on either an interface or "globally"

    class-map C1
      match <criteria>
    !
    policy-map P1
      class C1
        <actions>
    !
    interface vlanX
      service-policy input P1

Modular Policy CLI: Class Maps
- The class-map command is used to define a traffic class. The purpose of a traffic class is to classify traffic
- A traffic class contains three major elements: a name, a series of match commands, and, if more than one match command exists in the traffic class, an instruction on how to evaluate these match commands (match-all or match-any)

    class-map type management match-any REMOTE-ACCESS
      description REMOTE-ACCESS-TRAFFIC-MATCH
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
      5 match protocol http any
      6 match protocol https any

Modular Policy CLI: Class-Maps
- A class-map can associate an existing class-map of the same type using the match class statement
- Supported only for L7 class-maps; limited to two levels of association
- Used to achieve complex logical expressions: easy combination of AND and OR statements

    class-map match-all WEB-CM
      2 match virtual-address 172.16.73.10 tcp eq www
    !
    class-map type http loadbalance match-any IMAGE-CM
      2 match http url .*gif
      3 match http url .*jpg
      4 match http url .*jpeg

Modular Policy CLI: Policy-Maps
- The policy-map command is used to define the actions to be performed on the traffic. Policy-maps can be based on L3/4/7 information. Traffic that does not match any specified classification in the policy-map is then matched against the class-default policy
- first-match: the class-action pairs within the policy-map are looked up sequentially and the actions listed against the first matching class-map in the policy-map are executed. The order of class-maps within the policy-map matters. E.g. policy-maps of type 'loadbalance', 'management' and 'ftp'
- all-match: an attempt is made to match traffic against all classes in the policy-map and the actions of all matching classes are executed. E.g. policy-map of type inspect http
- multi-match: specifies that the policy-map supports multiple feature actions; each feature by itself can have only one match (first match). The policy as a whole has multiple matches due to multiple features

    policy-map type management first-match REMOTE-MGMT
      class REMOTE-ACCESS
        permit

Modular Policy CLI: Policy-Maps
- The policy-map command is used to define the actions to be performed on the traffic. Policy-maps can be based on L3/4/7 information. Traffic that does not match any specified classification in the policy-map is then matched against the class-default policy

    policy-map type loadbalance first-match APPLICATION-PM
      class IMAGE-CM
        serverfarm IMAGE-SF
      class class-default
        sticky-serverfarm WEB-SF
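The class-map and policy-map slides above, as an added example (not Cisco's code): a small evaluator for match-all/match-any class-maps, first-match loadbalance policies with class-default, and the multi-match policy that ties a VIP to its loadbalance policy, fed the configuration from the slides plus constructed requests. Only the two match kinds the slides use are modelled; treating the 'http url' argument as an unanchored regular expression is an assumption about ACE's matcher.

```python
"""Added example (not Cisco's code): evaluator for the class-map / policy-map
structure on these slides, so first-match and class-default behaviour can be
checked on constructed requests. Modelled match kinds: L4 'virtual-address'
and L7 'http url' (assumed to be an unanchored regular expression)."""
import re
from dataclasses import dataclass, field


@dataclass
class ClassMap:
    name: str
    mode: str = "match-all"                      # or "match-any"
    matches: list = field(default_factory=list)  # callables: request -> bool

    def matches_request(self, req):
        results = [m(req) for m in self.matches]
        return all(results) if self.mode == "match-all" else any(results)


def virtual_address(ip, proto, port):
    """'match virtual-address <ip> <proto> eq <port>': L4 VIP classification."""
    return lambda r: (r["dst_ip"], r["proto"], r["dst_port"]) == (ip, proto, port)


def http_url(pattern):
    """'match http url <regex>': L7 classification on the request URL."""
    rx = re.compile(pattern)
    return lambda r: "url" in r and rx.search(r["url"]) is not None


@dataclass
class LoadbalancePolicy:
    """policy-map type loadbalance first-match: ordered (class, serverfarm)
    pairs; the string 'class-default' stands for the catch-all class."""
    name: str
    classes: list

    def select(self, req):
        for cm, farm in self.classes:
            if cm == "class-default":
                return "class-default", farm
            if cm.matches_request(req):
                return cm.name, farm
        return None, None              # nothing matched and no class-default


@dataclass
class MultiMatchPolicy:
    """policy-map multi-match on the interface: each L4 class (a VIP) hands
    the connection to its loadbalance policy."""
    classes: list                      # [(ClassMap, LoadbalancePolicy)]

    def dispatch(self, req):
        for cm, lb in self.classes:
            if cm.matches_request(req):
                return (lb.name,) + lb.select(req)
        return None, None, None        # not a configured VIP: no load balancing


def build_policy():
    """The configuration from the slides, expressed with the classes above."""
    web_cm = ClassMap("WEB-CM", "match-all", [virtual_address("172.16.73.10", "tcp", 80)])
    image_cm = ClassMap("IMAGE-CM", "match-any",
                        [http_url(".*gif"), http_url(".*jpg"), http_url(".*jpeg")])
    telnet_cm = ClassMap("TELNET-CM", "match-all", [virtual_address("172.16.1.73", "tcp", 23)])
    application_pm = LoadbalancePolicy("APPLICATION-PM",
                                       [(image_cm, "IMAGE-SF"), ("class-default", "WEB-SF")])
    telnet_pm = LoadbalancePolicy("TELNET-PM", [("class-default", "TELNET-SF")])
    return MultiMatchPolicy([(web_cm, application_pm), (telnet_cm, telnet_pm)])


def demo():
    """Constructed requests -> (loadbalance policy, class hit, serverfarm)."""
    policy = build_policy()
    reqs = {
        "gif": {"dst_ip": "172.16.73.10", "proto": "tcp", "dst_port": 80, "url": "/img/logo.gif"},
        "html": {"dst_ip": "172.16.73.10", "proto": "tcp", "dst_port": 80, "url": "/index.html"},
        "telnet": {"dst_ip": "172.16.1.73", "proto": "tcp", "dst_port": 23},
        "https": {"dst_ip": "172.16.73.10", "proto": "tcp", "dst_port": 443},
    }
    return {k: policy.dispatch(r) for k, r in reqs.items()}


def order_matters():
    """Same classes, but class-default listed first: first-match now swallows
    everything and the image rule never fires, which is why the slide says the
    order of class-maps within a first-match policy-map matters."""
    image_cm = ClassMap("IMAGE-CM", "match-any", [http_url(".*gif")])
    wrong = LoadbalancePolicy("WRONG-PM", [("class-default", "WEB-SF"), (image_cm, "IMAGE-SF")])
    return wrong.select({"dst_ip": "172.16.73.10", "proto": "tcp", "dst_port": 80, "url": "/a.gif"})


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:7s} -> {result}")
    print("class-default first:", order_matters())
```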

Modular Policy CLI: Activating Policy
- Policies are activated on an interface or globally using the 'service-policy' command
- The policy-map can be enabled in the 'input' or 'output' direction, or both
- Policy-maps applied globally in a context are internally applied on all interfaces existing in the context

    service-policy input <policy-map>

Basic Layer 4 Load Balancing
- Health Checking: generic TCP or scripted keepalive
- Balancing Requests: round robin or least connections
- Persistence: required, based on source IP with or without sticky mask
- Service Failure Handling: fail action to purge or default

Basic Layer 4 Load Balancing: Management and Device Access

    rserver host SERVER1
      ip address 192.168.1.1
      inservice
    rserver host SERVER2
      ip address 192.168.1.2
      inservice
    !
    access-list EVERYONE line 10 extended permit ip any any
    !
    class-map type management match-any REMOTE-ACCESS
      description REMOTE-ACCESS-traffic-match
      2 match protocol ssh any
      3 match protocol icmp any
      4 match protocol https any
      5 match protocol snmp any
    !
    policy-map type management first-match REMOTE-MGMT
      class REMOTE-ACCESS
        permit
    !
    interface vlan 2
      ip address 172.16.1.1 255.255.255.0
      access-group input EVERYONE
      service-policy input REMOTE-MGMT
      no shutdown

Callouts: you need an ACL applied to the interface (access-group); the management class-map and policy-map define which management traffic is permitted to the ACE itself.

Basic Layer 4 Load Balancing

    serverfarm TELNET-SF
      rserver SERVER1
        inservice
      rserver SERVER2
        inservice
    !
    class-map match-all TELNET-CM
      2 match virtual-address 172.16.1.73 tcp eq 23
    !
    policy-map type loadbalance first-match TELNET-PM
      class class-default
        serverfarm TELNET-SF
    !
    policy-map multi-match LOADBALANCE
      class TELNET-CM
        loadbalance vip inservice
        loadbalance policy TELNET-PM
    !
    interface vlan 2
      ip address 172.16.1.1 255.255.255.0
      access-group input EVERYONE
      service-policy input REMOTE-MGMT
      service-policy input LOADBALANCE
      no shutdown

Probe Configuration Options

    probe icmp PING-PROBE
      interval 5
      passdetect interval 5
      passdetect count 3
    probe tcp TCP-PROBE
      interval 10
      passdetect interval 10
      passdetect count 3
    probe telnet TELNET-PROBE
      interval 20
      passdetect interval 10
      passdetect count 3
    !
    serverfarm TELNET-SF
      probe PING-PROBE
      probe TCP-PROBE
      probe TELNET-PROBE
      rserver SERVER1
        inservice
      rserver SERVER2
        inservice
    !

Common show commands:

    show serverfarm TELNET-SF
    show probe
    show probe TELNET-PROBE detail
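How the interval, passdetect interval and passdetect count knobs above turn individual probe replies into the PASSED / FAILED state that show serverfarm reports, as an added example (not from the deck). The probe timings are the slide's PING-PROBE and TELNET-PROBE; the three-failure faildetect threshold and the 10-second receive timeout are taken from the show probe output on the following slides and ACE defaults as I know them, and are assumptions to check against your device.

```python
"""Added example (not from the deck): simulation of an ACE-style probe
schedule. Knob names follow the slide (interval, passdetect interval,
passdetect count); faildetect = 3 and recv timeout = 10 s are assumed
defaults (they appear in the show probe output later in the deck)."""
from dataclasses import dataclass, field


@dataclass
class Probe:
    name: str
    interval: int              # seconds between probes while the server is PASSED
    passdetect_interval: int   # seconds between probes once the server is FAILED
    passdetect_count: int = 3  # consecutive passes needed to return to PASSED
    faildetect: int = 3        # consecutive failures needed to go FAILED (assumed default)
    recv_timeout: int = 10     # seconds a probe waits before counting a failure (assumed)


@dataclass
class RserverHealth:
    state: str = "PASSED"
    streak: int = 0            # consecutive results of the kind that would flip the state
    transitions: list = field(default_factory=list)   # (time_s, new_state)


def run_probe(probe, replies, health=None):
    """Feed a sequence of probe outcomes (True = reply, False = timeout) through
    the schedule. Returns the RserverHealth with every state change and the
    simulated time (seconds since the first probe) at which it happened."""
    h = health or RserverHealth()
    t = 0
    for ok in replies:
        if h.state == "PASSED":
            h.streak = 0 if ok else h.streak + 1
            if h.streak >= probe.faildetect:
                h.state, h.streak = "FAILED", 0
                h.transitions.append((t, "FAILED"))
            t += probe.interval
        else:
            h.streak = h.streak + 1 if ok else 0
            if h.streak >= probe.passdetect_count:
                h.state, h.streak = "PASSED", 0
                h.transitions.append((t, "PASSED"))
            t += probe.passdetect_interval
    return h


def worst_case_detect_seconds(probe):
    """Longest time a dead server keeps receiving connections: it dies right
    after a good reply, then 'faildetect' probes each wait 'interval' and the
    last one still has to time out."""
    return probe.faildetect * probe.interval + probe.recv_timeout


def worst_case_recover_seconds(probe):
    """Time from 'server healthy again' to PASSED: at most one passdetect
    interval until the next probe, then the remaining passes spaced by it."""
    return probe.passdetect_count * probe.passdetect_interval


def demo():
    """The slide's PING-PROBE and TELNET-PROBE against constructed reply patterns."""
    ping = Probe("PING-PROBE", interval=5, passdetect_interval=5, passdetect_count=3)
    telnet = Probe("TELNET-PROBE", interval=20, passdetect_interval=10, passdetect_count=3)
    # healthy, dead for three probes, one flap during recovery, then three good replies
    flaky = run_probe(ping, [True, False, False, False, True, False, True, True, True])
    # two failures followed by a reply never reach faildetect: no transition at all
    blip = run_probe(ping, [False, False, True, False, False, True])
    return {
        "flaky_state": flaky.state,
        "flaky_transitions": flaky.transitions,
        "blip_transitions": blip.transitions,
        "ping_detect_s": worst_case_detect_seconds(ping),
        "telnet_detect_s": worst_case_detect_seconds(telnet),
        "telnet_recover_s": worst_case_recover_seconds(telnet),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

The TELNET-PROBE's 20-second interval means a dead server can receive new connections for over a minute before it is marked PROBE-FAILED, which is the trade-off to weigh against probe load on the servers.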

ANM Probe Configuration (screenshot)

Probe Configuration Options

    ACE-1/routed(config-sfarm-host-rs)# do show serverfarm TELNET-SF

     serverfarm     : TELNET-SF, type: HOST
     total rservers : 3
     ---------------------------------------------connections-----------
            real                  weight state        current    total      failures
        ---+---------------------+------+------------+----------+----------+---------
        rserver: TEST
            192.168.1.222:0       8      ARP_FAILED   0          0          0
        rserver: SERVER1
            192.168.1.1:0         8      PROBE-FAILED 0          0          0
        rserver: SERVER2
            192.168.1.2:0         8      PASSED       0          0          0

Probe Configuration Options

    ACE-1/routed# show probe TELNET-PROBE

    probe       : TELNET-PROBE
    type        : TELNET
    state       : ACTIVE
    ----------------------------------------------
       port      : 23      address     : 0.0.0.0   addr type  :
       interval  : 20      pass intvl  : 10        pass count : 3
       fail count: 3       recv timeout: 10
                       ------------------ probe results ------------------
       probe association   probed-address  probes  failed  passed  health
       ------------------- ---------------+-------+-------+-------+-------
       serverfarm  : TELNET-SF
         real      : SERVER1[0]
                     192.168.1.1     6       0       6       PASSED
         real      : SERVER2[0]
                     192.168.1.2     5       0       5       PASSED

Basic Layer 4 Load Balancing

BRKAPP-2002 14405_04_2008_c2

probe tcp TCP-PROBE port 23 interval 5 passdetect interval 3 ! serverfarm TELNET-SF probe TCP-PROBE rserver SERVER1 inservice rserver SERVER2 inservice ! class-map match-all TELNET-CM 2 match virtual-address 172.16.1.73 tcp eq 23 ! policy-map type loadbalance first-match TELNET-PM class class-default serverfarm TELNET-SF ! policy-map multi-match LOADBALANCE class TELNET-CM loadbalance vip inservice loadbalance policy TELNET-PM ! interface vlan 2 ip address 172.16.1.1 255.255.255.0 access-group input everyone service-policy input REMOTE-MGMT service-policy input LOADBALANCE no shutdown © 2008 Cisco Systems, Inc. All rights reserved.


Predictors Configuration Options

ACE-1/routed(config-sfarm-host)# predictor ?
  hash             Configure 'hash' Predictor algorithms
  least-bandwidth  Configure 'least bandwidth' Predictor algorithm
  least-loaded     Configure 'least loaded' predictor algorithm
  leastconns       Configure 'least conns' Predictor algorithm
  response         Configure 'response' Predictor algorithm
  roundrobin       Configure 'round robin' Predictor algorithm (default)

Configuration options:
  predictor roundrobin
  predictor leastconns slowstart 200
  predictor response syn-to-synack samples 8
  predictor response syn-to-close
  predictor least-bandwidth assess-time 2

ACE-1/routed(config-sfarm-host-predictor)# do show serverfarm detail
 serverfarm     : TELNET-SF, type: HOST
 total rservers : 3
 active rservers: 2
 description    :
 state          : ACTIVE
 predictor      : RESPONSE
   method       : syn-to-synack
   samples      : 8


ANM Predictor Configuration


Basic Layer 4 Load Balancing
Predictors

serverfarm TELNET-SF
  predictor response syn-to-synack samples 8
  probe TCP-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
class-map match-all TELNET-CM
  2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm STICKY
!
policy-map multi-match L4
  class TELNET-CM
    loadbalance vip inservice
    loadbalance policy TELNET-PM
!


Persistence Configuration Options

sticky ip-netmask 255.255.255.0 address source T-STICKY
  serverfarm TELNET-SF
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm T-STICKY


ANM Persistence Configuration


Basic Layer 4 Load Balancing
Sticky

serverfarm TELNET-SF
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  probe TCP
!
sticky ip-netmask 255.255.240.0 address source T-STICKY
  serverfarm TELNET-SF
!
class-map match-all TELNET-CM
  2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm T-STICKY
!
policy-map multi-match L4
  class TELNET-CM
    loadbalance vip inservice
    loadbalance policy TELNET-PM
!


Basic Web Load Balancing

ƒ Health Checking: Generic TCP or Scripted Keepalive
ƒ Balancing Requests: Round Robin or Least Connections
ƒ Persistence: Required, based on Source IP with or without sticky mask
ƒ Service Failure handling: Fail action to purge or default


Probe Configuration Options

probe http HTTP-PROBE
  interval 5
  passdetect interval 3
  request method get url /index.html
  expect status 200 200
!
probe https HTTPs-PROBE
  interval 5
  faildetect 2
  passdetect interval 3
  request method get url /secure/index.html
  expect status 200 202
  ssl cipher RSA_WITH_RC4_128_MD5
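The probe knobs above (interval, passdetect interval, faildetect, expect status) form a small state machine, and the health verdict depends as much on the expect range as on the counters. The following is an added Python model of that machine, not code from the deck or from Cisco; the default faildetect and passdetect counts, the class names and the sample responses are this example's assumptions.

```python
"""Added example (not from the Cisco deck): a Python model of how an ACE-style
HTTP probe turns the expect-status range and the faildetect / passdetect
counters from the slide into a PASSED / FAILED verdict.  Names and default
values are this example's assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProbeConfig:
    url: str = "/index.html"       # request method get url /index.html
    expect_lo: int = 200           # expect status 200 200
    expect_hi: int = 200
    interval: int = 5              # interval 5 (seconds between probes while PASSED)
    passdetect_interval: int = 3   # passdetect interval 3 (seconds between probes while FAILED)
    faildetect: int = 3            # consecutive failures before FAILED (assumed default)
    passdetect_count: int = 3      # consecutive passes before PASSED again (assumed default)


def parse_status(response: bytes) -> Optional[int]:
    """Status code from the first line of an HTTP response, None if malformed."""
    parts = response.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


class ProbeState:
    """Health of one rserver as seen by one probe."""

    def __init__(self, cfg: ProbeConfig):
        self.cfg = cfg
        self.health = "PASSED"
        self.consecutive_fail = 0
        self.consecutive_pass = 0
        self.probes = self.failed = self.passed = 0   # the counters 'show probe' prints

    def next_interval(self) -> int:
        # While FAILED the probe is sent more often (passdetect interval).
        return self.cfg.interval if self.health == "PASSED" else self.cfg.passdetect_interval

    def check(self, response: Optional[bytes]) -> bool:
        """One probe result; None models a timeout or a refused connection."""
        code = parse_status(response) if response is not None else None
        return code is not None and self.cfg.expect_lo <= code <= self.cfg.expect_hi

    def feed(self, response: Optional[bytes]) -> str:
        self.probes += 1
        if self.check(response):
            self.passed += 1
            self.consecutive_pass += 1
            self.consecutive_fail = 0
            if self.health == "FAILED" and self.consecutive_pass >= self.cfg.passdetect_count:
                self.health = "PASSED"
        else:
            self.failed += 1
            self.consecutive_fail += 1
            self.consecutive_pass = 0
            if self.health == "PASSED" and self.consecutive_fail >= self.cfg.faildetect:
                self.health = "FAILED"
        return self.health


def run_sequence(cfg: ProbeConfig, responses: List[Optional[bytes]]) -> Tuple[List[str], ProbeState]:
    """Feed a series of probe responses and return the health after each one."""
    st = ProbeState(cfg)
    return [st.feed(r) for r in responses], st


# Constructed sample responses: a server that flaps, then stays down, then recovers.
OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
ERR = b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"
SAMPLE_RESPONSES = [OK, ERR, ERR, OK, ERR, ERR, ERR, OK, OK, OK]

if __name__ == "__main__":
    history, state = run_sequence(ProbeConfig(), SAMPLE_RESPONSES)
    print(history)            # two failures in a row never mark the server down; three do
    print(state.probes, state.failed, state.passed, state.health)
```

Run against the sample, two consecutive errors leave the server PASSED and only the third consecutive one marks it FAILED; three consecutive good answers bring it back. Widening the range to `expect status 200 499` makes a 404 count as healthy, which is the point of the "what should I look for?" question on the next slide.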


Basic Web Load Balancing
Probes

probe http HTTP-PROBE
  interval 5
  passdetect interval 3
  request method get url /index.html
  expect status 200 499                <- What should I look for?
!
probe https HTTPS-PROBE
  interval 5
  faildetect 2
  passdetect interval 3
  request method get url /secure/index.ht
  expect status 200 200
  ssl cipher RSA_WITH_RC4_128_MD5      <- You can check specific ciphers
!
serverfarm HTTPS-SF
  probe HTTPS-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
serverfarm HTTP-SF
  probe HTTP-PROBE
  predictor leastconns slowstart 100
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice


Basic Web Load Balancing

class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    serverfarm HTTP-SF
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm HTTPS-SF
!
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance vip icmp-reply [active]
    loadbalance policy SSL-PM
!

loadbalance vip icmp-reply active
ƒ Configure the VIP to reply to ICMP ECHO
ƒ The active option instructs the ACE to reply to an ICMP request only if the configured VIP is active


Persistence Configuration Options

sticky http-cookie ILIKECOOKIES STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF backup SORRY-SF
!
sticky ip-netmask 255.255.240.0 address source STICKY1
  serverfarm HTTPS-SF backup SORRY-SF
!
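The two sticky types above behave differently under a NAT'd client population and under server failure, which is easier to see in code. Below is an added Python model (not Cisco code and not from the deck) of `sticky ip-netmask ... address source` with its mask and timeout, of `sticky http-cookie ... cookie insert`, and of the `backup` serverfarm. The cookie value encoding (an HMAC of the rserver name under a secret) is this example's assumption; the page does not describe how ACE encodes an inserted cookie.

```python
"""Added example (not Cisco code): a model of the two sticky types on the
slide, 'sticky ip-netmask ... address source' and 'sticky http-cookie ...
cookie insert', including the 'backup' serverfarm and 'timeout'.  The cookie
value encoding (an HMAC of the rserver name under a secret) is this
example's assumption; the page does not describe ACE's encoding."""
import hashlib
import hmac
import ipaddress
from typing import Dict, List, Optional, Tuple


class ServerFarm:
    def __init__(self, name: str, reals: List[str]):
        self.name, self.reals = name, list(reals)
        self.health: Dict[str, bool] = {r: True for r in reals}   # probe result per rserver
        self._i = 0

    def pick(self) -> Optional[str]:
        """Round-robin over healthy rservers; None when the whole farm is down."""
        live = [r for r in self.reals if self.health[r]]
        if not live:
            return None
        real = live[self._i % len(live)]
        self._i += 1
        return real

    def usable(self, real: str) -> bool:
        return self.health.get(real, False)


class StickyIpNetmask:
    """sticky ip-netmask <mask> address source <group> / serverfarm P backup B / timeout N (minutes)."""

    def __init__(self, netmask: str, farm: ServerFarm, backup: Optional[ServerFarm] = None,
                 timeout_min: int = 720):
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.farm, self.backup, self.timeout = farm, backup, timeout_min * 60
        self.table: Dict[int, Tuple[str, int]] = {}     # masked source -> (real, last seen)

    def key(self, src_ip: str) -> int:
        # Every client behind the same masked prefix shares one sticky entry.
        return int(ipaddress.IPv4Address(src_ip)) & self.mask

    def _usable(self, real: str) -> bool:
        return self.farm.usable(real) or (self.backup is not None and self.backup.usable(real))

    def select(self, src_ip: str, now: int) -> Optional[str]:
        k = self.key(src_ip)
        entry = self.table.get(k)
        if entry and now - entry[1] <= self.timeout and self._usable(entry[0]):
            self.table[k] = (entry[0], now)             # refresh the sticky timer
            return entry[0]
        real = self.farm.pick()
        if real is None and self.backup is not None:    # primary farm down: use the backup (SORRY-SF)
            real = self.backup.pick()
        if real is not None:
            self.table[k] = (real, now)
        return real


class StickyHttpCookie:
    """sticky http-cookie <name> <group> / cookie insert: the load balancer sets the cookie itself."""

    def __init__(self, cookie_name: str, farm: ServerFarm, secret: bytes = b"constructed-secret"):
        self.cookie_name, self.farm, self.secret = cookie_name, farm, secret
        self.by_value: Dict[str, str] = {}

    def value_for(self, real: str) -> str:
        # Opaque token: reveals nothing about the rserver address behind the VIP.
        return hmac.new(self.secret, real.encode(), hashlib.sha256).hexdigest()[:16]

    def select(self, headers: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
        """Return (real, Set-Cookie value) or (real, None) when the client's cookie was honoured."""
        cookies = dict(c.strip().split("=", 1) for c in headers.get("Cookie", "").split(";") if "=" in c)
        real = self.by_value.get(cookies.get(self.cookie_name, ""))
        if real and self.farm.usable(real):
            return real, None
        real = self.farm.pick()
        if real is None:
            return None, None
        value = self.value_for(real)
        self.by_value[value] = real
        return real, f"{self.cookie_name}={value}"
```

Two properties worth noticing from the model: with a /20 mask, every client behind one large proxy lands on the same rserver, which is why the slide offers "with or without sticky mask"; and a sticky entry is only honoured while the rserver it points at still passes its probe, otherwise the request falls through to the predictor and, if the whole farm is down, to the backup farm.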


Basic Web Load Balancing
Sticky Options

sticky http-cookie ILIKECOOKIES STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF
!
sticky ip-netmask 255.255.240.0 address source STICKY1
  serverfarm HTTPS-SF
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    sticky-serverfarm STICKY
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKY1
!
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM


Web Load Balancing
BIG HEADER ISSUE… Where’s the Cookie?

parameter-map type http INSENSITIVE
  case-insensitive
  persistence-rebalance
  set header-maxparse-len 8192
….
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
    appl-parameter http advanced-options INSENSITIVE


URL Parsing

parameter-map type http INSENSITIVE
  case-insensitive
  persistence-rebalance
  set header-maxparse-len 8192
class-map type http loadbalance match-any URL-MATCHING
  2 match http url .*
class-map type http loadbalance match-any URL-IMAGE
  2 match http url /image/.*
class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
serverfarm IMAGE-SF
  probe IMAGE-PROBE
  rserver IMAGE1
    inservice
  rserver IMAGE2
    inservice
serverfarm WEB-SF
  probe WEB-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice

sticky http-cookie IMAGE-COOKIES IMAGECOOKIE
  cookie insert browser-expire
  serverfarm IMAGE-SF backup WEB-SF
sticky http-cookie WEB-COOKIES WEBCOOKIE
  cookie insert browser-expire
  serverfarm WEB-SF
!
policy-map type loadbalance first-match HTTP-PM
  class URL-IMAGE
    sticky-serverfarm IMAGECOOKIE
  class URL-MATCHING
    sticky-serverfarm WEBCOOKIE
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
    appl-parameter http advanced-options INSENSITIVE


Server-Server Communication Should Use the Same VIP as Clients

[Diagram: client 12.20.234.1 reaches VIP 172.16.1.100; servers .16 and .183 sit on 172.16.1.0; in the second panel server-to-server traffic through the same VIP is source-NATed to sNAT 172.16.1.101]

Clients-to-VIP Load Balanced Flows
NO SRC-NAT

class-map match-all BASIC-CM
  2 match virtual-address 172.16.1.100 any
policy-map type multi-match CLIENT
  class TCP-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM

interface VLAN 107
  description "Client-side Interface"
  bridge-group 1
  access-group input anyone
  service-policy input CLIENT

interface VLAN 207
  description "Server-side Interface"
  bridge-group 1
  access-group input anyone

[Diagram: client 12.20.234.1 to VIP 172.16.1.100; servers .16 and .183 on 172.16.1.0; flows shown: Client to VIP, Server to Client]

switch/orange# sh conn
total current connections : 4
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
96         1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
97         1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB


Server-to-Server Load Balanced Flows
Same ACE Interface

class-map match-all BASIC-CM
  2 match virtual-address 12.20.234.100 any
policy-map type multi-match CLIENT
  class TCP-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
policy-map type multi-match SERVER
  class BASIC-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
    nat dynamic 123 VLAN 207

interface VLAN 107
  description "Client-side Interface"
  bridge-group 1
  access-group input anyone
  service-policy input CLIENT

interface VLAN 207
  description "Server-side Interface"
  bridge-group 1
  access-group input anyone
  nat-pool 123 12.20.234.101 12.20.234.101 netmask 255.255.255.255 pat
  service-policy input SERVER

[Diagram: client 12.20.234.1 to VIP 172.16.1.100; server-to-server flows on 172.16.1.0 (.16, .183) are source-NATed to sNAT 172.16.1.101; flows shown: Client to VIP, Server to Source NAT IP]

switch/orange# sh conn
total current connections : 4
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
96         1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
97         1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB


Security Features


Security Features
Isn’t the Firewall Enough?

ƒ Enterprises are making more and more application services available via the web
ƒ Deploying a web application means inviting potentially malicious HTTP requests
ƒ Web application code becomes part of the network security perimeter
ƒ Who is responsible for patching customer web applications?

[Diagram: Web Client -> Firewall (ports 80 and 443 open, unfiltered web traffic) -> Web Server -> Application -> Database Server]

Existing Network Firewalls Alone Cannot Adequately Inspect Protocols and Application Data


Security Features in ACE

ƒ TCP/IP normalization
   Built-in transport protocol security
   User configurable, to meet security requirements
ƒ Application Protocol Inspection
ƒ Advanced HTTP Inspection
   RFC compliance
   MIME type validation
   Prevent tunneling protocols over HTTP ports


Security Features
IP/UDP/ICMP Exploits Blocked by ACE

ƒ IP checks performed by ACE:
   Automatic anti-spoofing (source IP = dest IP); unicast RPF check
   src IP == dest IP, src IP or dest IP == 127.x.x.x
   dest IP >= 240.0.0.0, src IP == 0.x.x.x, src IP >= 224.0.0.0
   Header length check (min and max lengths, L3 < L2)
   IP options control
   Drop illicit IP addresses (source IP = class D or broadcast or loopback)
   Overlapping fragments dropped, control over max number of fragments
   ARP inspection in transparent mode
ƒ ICMP checks performed by default:
   Requests and responses matching
   Prevents injection of unsolicited ICMP errors
   Countermeasures specified in draft-gont-tcpm-icmp-attacks.txt

Blocked Attacks: Timestamp/Route Record/Source Routing/Fragment DoS Attacks, IP Spoofing, Ping of Death, ICMP Flood, Smurf, ARP Attacks
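The IP and ICMP checks listed above are individually simple; what matters is that each is a concrete test on header fields. The following added Python code (not Cisco's implementation, not from the deck) writes them out over raw IPv4 headers: the address and length checks, an IP-options policy knob, a fragment tracker that rejects overlaps and caps fragment count, and an ICMP matcher that only admits echo replies and ICMP errors that correspond to traffic it has seen. The packet builder, thresholds and check names are this example's own constructions.

```python
"""Added example (not Cisco code): the IP and ICMP sanity checks listed on
the slide, written as Python functions over raw IPv4 headers, plus a fragment
tracker and an ICMP request/response matcher.  Packet builder, thresholds and
check names are this example's own constructions."""
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

IP_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def build_ipv4(src: str, dst: str, proto: int = 1, payload: bytes = b"", ident: int = 1,
               frag_off: int = 0, mf: bool = False, options: bytes = b"") -> bytes:
    """Constructed test packet (checksum left as 0)."""
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack(IP_HDR, (4 << 4) | ihl, 0, ihl * 4 + len(payload), ident, flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


def ip_checks(frame_payload: bytes, allow_options: bool = False) -> List[str]:
    """Names of the violated checks; an empty list means the packet is accepted."""
    if len(frame_payload) < 20:
        return ["truncated"]
    vihl, _, total, _, _, _, _, _, s, d = struct.unpack(IP_HDR, frame_payload[:20])
    ihl = (vihl & 0xF) * 4
    src, dst = ipaddress.IPv4Address(s), ipaddress.IPv4Address(d)
    bad = []
    if ihl < 20 or ihl > 60:                        # header length min / max
        bad.append("header-length")
    if total > len(frame_payload):                  # L3 claims more bytes than L2 carried
        bad.append("l3-longer-than-l2")
    if ihl > total:
        bad.append("header-longer-than-total")
    if src == dst:                                  # anti-spoofing: src IP == dest IP
        bad.append("src-equals-dst")
    if src.is_loopback or dst.is_loopback:          # 127.x.x.x on either side
        bad.append("loopback")
    if int(dst) >= int(ipaddress.IPv4Address("240.0.0.0")):
        bad.append("dst-class-e")
    if int(src) >> 24 == 0:                         # src IP == 0.x.x.x
        bad.append("src-zero-net")
    if int(src) >= int(ipaddress.IPv4Address("224.0.0.0")):   # class D, class E or broadcast source
        bad.append("src-multicast-or-reserved")
    if ihl > 20 and not allow_options:              # IP options control (record route, source route, ...)
        bad.append("ip-options")
    return bad


class FragmentTracker:
    """Drop overlapping fragments and cap the number of fragments per datagram."""

    def __init__(self, max_fragments: int = 8):
        self.max_fragments = max_fragments
        self.seen: Dict[Tuple[bytes, bytes, int, int], List[Tuple[int, int]]] = {}

    def check(self, pkt: bytes) -> Optional[str]:
        vihl, _, total, ident, ff, _, proto, _, s, d = struct.unpack(IP_HDR, pkt[:20])
        mf, off = bool(ff & 0x2000), (ff & 0x1FFF) * 8
        if not mf and off == 0:
            return None                             # not a fragment at all
        start, end = off, off + total - (vihl & 0xF) * 4
        ranges = self.seen.setdefault((s, d, proto, ident), [])
        if any(start < b and a < end for a, b in ranges):
            return "overlapping-fragment"
        ranges.append((start, end))
        return "too-many-fragments" if len(ranges) > self.max_fragments else None


class IcmpMatcher:
    """Only echo replies and ICMP errors that match traffic we have seen are allowed."""

    def __init__(self):
        self.pending: Set[Tuple[bytes, bytes, int, int]] = set()   # echo requests awaiting a reply
        self.flows: Set[Tuple[bytes, bytes]] = set()               # (src, dst) pairs seen

    def check(self, pkt: bytes) -> Optional[str]:
        vihl, _, _, _, _, _, proto, _, s, d = struct.unpack(IP_HDR, pkt[:20])
        if proto != 1:
            self.flows.add((s, d))
            return None
        icmp = pkt[(vihl & 0xF) * 4:]
        kind = icmp[0]
        if kind == 8:                                               # echo request
            self.pending.add((s, d, *struct.unpack("!HH", icmp[4:8])))
            self.flows.add((s, d))
            return None
        if kind == 0:                                               # echo reply must answer a request
            key = (d, s, *struct.unpack("!HH", icmp[4:8]))
            if key in self.pending:
                self.pending.discard(key)
                return None
            return "unsolicited-echo-reply"
        if kind in (3, 4, 5, 11, 12):                               # error: quoted header must match a flow
            _, _, _, _, _, _, _, _, qs, qd = struct.unpack(IP_HDR, icmp[8:28])
            return None if (qs, qd) in self.flows else "unsolicited-icmp-error"
        return None
```

The ICMP matcher is the part of the slide that needs state: an ICMP error is only plausible if the header it quotes belongs to a connection the device has actually forwarded, which is the core of the draft-gont-tcpm-icmp-attacks countermeasures the slide cites.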


Security Features
Hardware-Based TCP Normalization

TCP standard header checks, always performed:
 I.   src port and dest port != 0
 II.  Only a SYN packet is allowed to create a connection
 III. TCP header >= 20 bytes
 IV.  TCP header length checked against ip->header_length
 V.   urg flag cleared if urg_pointer is zero
 VI.  If urg flag not present, urg_pointer is cleared
 VII. Illegal flag combinations dropped (SYN|RST etc.)

User configurable:
 I.   reserved bits allow/clear/drop
 II.  urg flag allow/clear/drop
 III. syn-data allow/drop
 IV.  exceed-mss allow/drop
 V.   random-seq-num-disable

ƒ TCP Option Processing
ƒ TCP State Tracking
ƒ TCP Window Checking
ƒ User Configurable Random Sequence Numbers


Security Features
TCP Exploits Blocked by ACE

1. TCP checks performed by default:
   Enforces correct usage of TCP flags (can be disabled; flags can be cleared)
   Randomization of sequence numbers (cloaks OS type, makes fingerprinting recon attacks unreliable, prevents man-in-the-middle session hijacking)
   Enforces correct header length
   Prevents out-of-state packets
   Prevents packets that do not belong to existing connections
   Possibility to define maximum number of conns per second
   Matches TCP length with IP header’s + data
   Blocks illicit ports (port = zero)
   Enforces min and max MSS

Example of Blocked Attacks: Tear Drop, Session Hijacking, Jolt, Bloop, Targa, Bonk, Boink, Fraggle, Xmas Scan, Null Scan, etc.
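The always-on header checks (I to VII) and the configurable knobs from the TCP normalization slide, together with the default checks listed just above, can be expressed as one pass over a raw TCP segment. The Python below is an added example, not Cisco code or code from the deck: it models only the client-to-server direction, uses the slide's knob names for the policy object, and the sequence-number offset scheme (a per-connection random offset added to the client's sequence numbers) is this example's simplification of ISN randomization.

```python
"""Added example (not Cisco code): the always-on TCP header checks and the
configurable knobs from the two TCP normalization slides, written as a Python
normalizer over raw TCP segments.  Only the client-to-server direction is
modelled, the policy knob names follow the slide, and the sequence-number
offset scheme is this example's simplification."""
import secrets
import struct
from typing import Callable, Dict, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
RESERVED_MASK = 0x0E00            # the three reserved bits above the flags
TCP_HDR = "!HHIIHHHH"


class Policy:
    reserved_bits = "clear"       # allow / clear / drop
    urg_flag = "allow"            # allow / clear / drop
    syn_data = "drop"             # allow / drop
    exceed_mss = "drop"           # allow / drop
    max_mss = 1460
    random_seq_num = True         # random-seq-num-disable turns this off


def mss_option(mss: int) -> bytes:
    return struct.pack("!BBH", 2, 4, mss)


def parse_mss(options: bytes) -> Optional[int]:
    """Walk the TCP option list and return the MSS value if present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break
        if kind == 2 and options[i + 1] == 4:
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += options[i + 1]
    return None


def build_tcp(sport: int, dport: int, seq: int = 0, ack: int = 0, flags: int = SYN, urg_ptr: int = 0,
              reserved: int = 0, options: bytes = b"", payload: bytes = b"",
              data_offset: Optional[int] = None) -> bytes:
    """Constructed segment for the examples (checksum left as 0)."""
    doff = data_offset if data_offset is not None else 5 + len(options) // 4
    orf = (doff << 12) | (reserved << 9) | flags
    return struct.pack(TCP_HDR, sport, dport, seq, ack, orf, 65535, 0, urg_ptr) + options + payload


def normalize(segment: bytes, policy: Policy, conns: Dict[Tuple[int, int], int],
              rng: Optional[Callable[[], int]] = None) -> Tuple[str, Optional[bytes]]:
    """Return ('allow', rewritten segment) or ('drop:<reason>', None)."""
    if len(segment) < 20:
        return "drop:header-length", None
    sport, dport, seq, ack, orf, win, csum, urg = struct.unpack(TCP_HDR, segment[:20])
    if sport == 0 or dport == 0:                               # I. ports must not be zero
        return "drop:port-zero", None
    doff = (orf >> 12) * 4
    if doff < 20 or doff > len(segment):                       # III./IV. header length sane
        return "drop:header-length", None
    flags = orf & 0x3F
    xmas = (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and not flags & ACK
    if flags == 0 or (flags & SYN and flags & (RST | FIN)) or xmas:
        return "drop:illegal-flags", None                      # VII. null, SYN|RST, SYN|FIN, xmas
    if orf & RESERVED_MASK:                                    # reserved bits allow/clear/drop
        if policy.reserved_bits == "drop":
            return "drop:reserved-bits", None
        if policy.reserved_bits == "clear":
            orf &= ~RESERVED_MASK
    if flags & URG and urg == 0:                               # V. urg flag cleared if pointer is zero
        orf &= ~URG
        flags &= ~URG
    if not flags & URG:                                        # VI. pointer cleared if flag absent
        urg = 0
    elif policy.urg_flag == "drop":
        return "drop:urg-flag", None
    elif policy.urg_flag == "clear":
        orf &= ~URG
        urg = 0
    key = (sport, dport)
    if key not in conns:                                       # II. only a SYN may create a connection
        if flags & SYN == 0 or flags & ACK:
            return "drop:no-connection", None
        if segment[doff:] and policy.syn_data == "drop":
            return "drop:syn-data", None
        mss = parse_mss(segment[20:doff])
        if mss is not None and mss > policy.max_mss and policy.exceed_mss == "drop":
            return "drop:exceed-mss", None
        # Randomized ISN: the server never sees the client's raw sequence space.
        conns[key] = (rng or (lambda: secrets.randbits(32)))() if policy.random_seq_num else 0
    seq = (seq + conns[key]) & 0xFFFFFFFF
    out = struct.pack(TCP_HDR, sport, dport, seq, ack, orf, win, csum, urg) + segment[20:]
    return "allow", out
```

A real device also has to apply the inverse offset to acknowledgement numbers on the return path and to track window and state per connection; the point of the model is that every "blocked attack" on the slide (Null scan, Xmas scan, SYN|RST, port zero, oversized MSS) reduces to one of these field checks.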


Security Features
Denial-of-Service Protection: SYN Cookie

ACE can guard against SYN floods by implementing a key feature called SYN Cookie. SYN Cookie provides a mechanism to authenticate the TCP SYN packet.

ƒ Completely stateless and no ACE memory entries are utilized
ƒ SYN ACK replies carry a cookie in the Sequence field of the TCP header
ƒ Cookie is generated out of a 24 bit random number and MSS encapsulated
ƒ If ACK does not contain the correct cookie ACE drops the packet
ƒ SYN Cookie enabled per interface on ACE

[Diagram: client sends SYN; ACE answers SYN/ACK with SEQ = cookie; client sends ACK with ACK = cookie + 1]
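The exchange described above, as an added Python example that is not part of the deck and not Cisco's implementation: the SYN/ACK sequence field carries a keyed 24-bit value plus an encoded MSS, the listener keeps no state until an ACK arrives with cookie + 1, and a spoofed flood therefore leaves nothing behind. The MSS table, the counter-based expiry (current or previous window accepted) and the HMAC construction are this example's choices, not the device's cookie format.

```python
"""Added example (not Cisco code): a SYN cookie in Python along the lines of
the slide, where the SYN/ACK sequence number carries a keyed 24-bit value plus
an encoded MSS and the ACK must carry cookie + 1.  The MSS table, the
counter-based expiry and the hash construction are this example's choices,
not the device's format."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

MSS_TABLE = [536, 1220, 1460, 4380, 8960]     # constructed: the MSS values the cookie can encode


class SynCookie:
    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or secrets.token_bytes(16)

    def _hash24(self, src: str, dst: str, sport: int, dport: int, counter: int) -> int:
        msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def make(self, src: str, dst: str, sport: int, dport: int, client_mss: int, counter: int) -> int:
        """Cookie for the SYN/ACK sequence field: top byte = MSS index, low 24 bits = keyed value."""
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
        return (idx << 24) | self._hash24(src, dst, sport, dport, counter)

    def verify(self, src: str, dst: str, sport: int, dport: int, ack: int, counter: int) -> Optional[int]:
        """MSS encoded in a valid cookie, or None.  The cookie must equal ack - 1 and
        have been minted in the current or the previous counter window."""
        cookie = (ack - 1) & 0xFFFFFFFF
        idx, got = cookie >> 24, (cookie & 0xFFFFFF).to_bytes(3, "big")
        if idx >= len(MSS_TABLE):
            return None
        for c in (counter, counter - 1):
            want = self._hash24(src, dst, sport, dport, c).to_bytes(3, "big")
            if hmac.compare_digest(got, want):
                return MSS_TABLE[idx]
        return None


class Listener:
    """A VIP that answers SYNs statelessly and only allocates state on a valid ACK."""

    def __init__(self, vip: str, port: int, cookies: SynCookie):
        self.vip, self.port, self.cookies = vip, port, cookies
        self.connections: Dict[Tuple[str, int], int] = {}   # (client, port) -> negotiated MSS

    def on_syn(self, client: str, sport: int, mss: int, counter: int) -> int:
        # No table entry is created here, so a SYN flood consumes no memory.
        return self.cookies.make(client, self.vip, sport, self.port, mss, counter)

    def on_ack(self, client: str, sport: int, ack: int, counter: int) -> bool:
        mss = self.cookies.verify(client, self.vip, sport, self.port, ack, counter)
        if mss is None:
            return False                                      # wrong cookie: packet dropped
        self.connections[(client, sport)] = mss
        return True


def handshake(listener: Listener, client: str, sport: int, mss: int, counter: int) -> bool:
    """Honest client: SYN, SYN/ACK (SEQ = cookie), ACK (ACK = cookie + 1)."""
    synack_seq = listener.on_syn(client, sport, mss, counter)
    return listener.on_ack(client, sport, (synack_seq + 1) & 0xFFFFFFFF, counter)


def flood(listener: Listener, count: int, counter: int) -> int:
    """Constructed spoofed SYNs that never complete: returns how many entries they left behind."""
    for i in range(count):
        listener.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, 1460, counter)
    return len(listener.connections)
```

The cost of statelessness is visible in the model: the only connection parameters that survive are those encoded in the cookie (here just the MSS), which is why the slide says the MSS is "encapsulated" in it.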


Secure Socket Layer (SSL)


SSL: Common Questions
Protocols Over SSL: What Protocols Are Supported?

ƒ Any TCP-based protocol is supported by the SSL accelerators, including, but not limited to, the following well-known protocols

Secure Service   Secure Port   Service   Port
HTTPS            443           HTTP      80
TELNETS          992           TELNET    25
SPOP3            995           POP       110
SIMAP            993           IMAP      143
SSL-LDAP         636           LDAP      389
SNEWS            563           NNTP      119


SSL Certificate Management

ACE/routed# show crypto files
Filename                     File  File    Expor  Key/
                             Size  Type    table  Cert
-----------------------------------------------------------------------
TestKey                      1675  PEM     Yes    KEY
TestCert                     1135  PEM     Yes    CERT

ACE/routed# crypto import ?
  ftp             Import a key/certificate from an ftp server
  non-exportable  Mark this key/certificate as non-exportable
  sftp            Import a key/certificate from an sftp server
  terminal        Accept a key/certificate from terminal
  tftp            Import a key/certificate from a tftp server

ACE/routed# crypto import terminal certnew.pem      <- server certificate
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIKJ51kxAAAAAAAETANBgkqhkiG9w0BAQUFADBAMRUwEwYK
…
v24KvEoWIIuevUQSsljlP1xOmZq2gW3isYf+5PFu1jltYedt
-----END CERTIFICATE-----
quit

COMMON COMMANDS
  crypto import terminal
  crypto export
  crypto verify
  show crypto files
  show crypto key all
  show crypto key
  show crypto certificate all
  show crypto certificate


Configuration

ƒ In order to configure SSL, you need to add the following to a L3/L4 class map:
   ‘parameter-map type ssl’
   ‘ssl-proxy service’
   ‘policy-map’
ƒ Parameter-map is used to define parameters for SSL connections (e.g., SSL version, cipher suites)
ƒ Ssl-proxy is used to define the certificates and keys to be used in SSL connections


SSL Server Offload
Packet Flow with ACE

serverfarm WEB-PROTOCOLS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
  probe HTTP-GET
!
class-map match-all HTTPs
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY

[Diagram: Client to ACE (L3 flow): SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html with Accept-Encoding: gzip, deflate, HTTPS response. ACE to Server 1 (TCP flow): HTTP GET index.html, HTTP 200 OK response index.html]

Basic SSL Offload and Load Balancing
SSL Offload

rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
!
probe http HTTP-GET
  interval 5
  port 81
  passdetect interval 3
  request method get url /secure/index.html
  expect status 200 200
!
parameter-map type ssl CLIENT_PARAM
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
ssl-proxy service CLIENT-SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_PARAM
!
class-map match-all HTTPs
  2 match virtual-address 172.16.1.73 tcp eq 443
!
serverfarm WEB-PROTOCOLS
  probe HTTP-GET
  rserver SERVER1 81
    inservice
  rserver SERVER2 81
    inservice
!
sticky http-cookie ILIKECOOKIES STICKYCOOKIE
  cookie insert
  serverfarm WEB-PROTOCOLS
!
policy-map type loadbalance first-match SSL
  class class-default
    sticky-serverfarm STICKYCOOKIE
policy-map multi-match L4
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT-SSL


Troubleshooting SSL

ƒ WireShark
ƒ Tcpdump
ƒ Telnet on browser ports
ƒ MSIE plug-ins: IE Inspector, HTTP Watch, IE Watch, ieHttpHeaders
ƒ Mozilla extension: Live HTTP Headers
ƒ PHP/Perl LWP
ƒ Wget, curl
ƒ Lynx/Links text based browsers


Basic SSL Load Balancing
Redirecting Clients to Use SSL

rserver redirect REDIRECT
  webhost-redirection https://%h%p 301
  inservice
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
!
class-map match-all HTTP
  2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SF
!
policy-map multi-match LOADBALANCE
  class HTTP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM

%h = requested host, %p = requested path: http://www.cisco.com/go/ace is redirected to https://www.cisco.com/go/ace


SSL Packet Flow With ACE

parameter-map type ssl PARAM_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
ssl-proxy service SSL-PROXY
  key mykey.pem
  cert mycert.pem
  ssl advanced-options PARAM_SSL
!
serverfarm WEB-PROTOCOLS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
  probe HTTP-GET
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY

crypto verify mykey.pem mycert.pem

[Diagram: Client to ACE (L3 flow): SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html with Accept-Encoding: gzip, deflate, HTTPS response. ACE to Server 1 (TCP flow): HTTP GET index.html, HTTP 200 OK response index.html]

Basic SSL Load Balancing
Redirecting Clients to Use SSL

rserver redirect REDIRECT
  webhost-redirection https://%h%p
  inservice
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
!
class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    serverfarm REDIRECT-SF
!
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
!

%h = requested host, %p = requested path: http://www.cisco.com/go/ace is redirected to https://www.cisco.com/go/ace


Basic Configuration
SSL Offload Example: Putting It All Together

rserver redirect REDIRECT
  webhost-redirection https://%h%p
  inservice
!
parameter-map type ssl CLIENT_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
ssl-proxy service SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_SSL
!
probe http HTTP-GET
  interval 10
  passdetect interval 10
  request method get url /index.html
  expect status 200 202
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
serverfarm HTTP-SF
  probe HTTP-GET
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
!
class-map match-all SSL-CM
  2 match virtual-address 172.16.20.1 tcp eq 443
class-map match-all HTTP-CM
  2 match virtual-address 172.16.20.1 tcp eq 80
!
sticky http-cookie ILIKECOOKIES SSL-STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF
!
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SF
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm SSL-STICKY
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
  class SSL-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL
!
interface vlan 2
  service-policy input LOADBALANCE

End to End SSL With ACE

ssl-proxy service SERVER_SSL
  key www-client.key
  cert www-client.crt
  ssl advanced-options ssl_ciphers
!
serverfarm WEB-PROTOCOLS
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
  probe HTTPs-GET
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
    ssl-proxy client SERVER_SSL
!
policy-map multi-match L4
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL

New commands are in the boxes: the ssl-proxy service SERVER_SSL definition and the ssl-proxy client SERVER_SSL line that re-encrypts towards the server.

[Diagram: Client to ACE: SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html with Accept-Encoding: gzip, deflate, HTTPS response. ACE to Server 1: SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html, HTTPS 200 OK response index.html]


End to End SSL Offload and Load Balancing

rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
!
parameter-map type ssl CLIENT_PARAM
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
parameter-map type ssl SERVER_PARAM
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
!
ssl-proxy service CLIENT-SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_PARAM
!
ssl-proxy service SERVER-SSL
  ssl advanced-options SERVER_PARAM
!
probe https HTTPs-GET
  interval 20
  request method get url /index.html
  expect status 200 202
!
probe icmp PING
  interval 5
serverfarm WEB-PROTOCOLS
  probe HTTPs-GET
  probe PING
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
sticky http-cookie ILIKECOOKIES STICKYCOOKIE
  cookie insert
  timeout 720
  serverfarm WEB-PROTOCOLS
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKYCOOKIE
    ssl-proxy client SERVER-SSL
!
policy-map multi-match LOADBALANCE
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT-SSL

SSL Redirect Rewrite (ACE 2.0)

!
action-list type modify http ACTION
  header insert request FRONT-END-HTTPS header-value On
  ssl url rewrite location 172.16.20.1
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKY
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
  class SSL-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL
    action ACTION
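The redirect slides and the `ssl url rewrite location` action above are two halves of the same problem: getting a plain-HTTP client onto the SSL VIP, and keeping it there when the offloaded server (which only ever sees HTTP) answers with an `http://` Location header. The Python below is an added example, not Cisco code or code from the deck: it expands a `webhost-redirection` template such as `https://%h%p` into a 301 for a request at the port-80 VIP, and rewrites a server's `http://<configured host>` Location to `https://`. Header handling and the fallback to the VIP address when a request carries no Host header are this example's assumptions.

```python
"""Added example (not Cisco code): the two HTTP-to-HTTPS mechanisms from the
redirect and 'ssl url rewrite' slides in Python: expanding a
webhost-redirection template such as https://%h%p into a 301 for a plain
HTTP request, and rewriting a server's http:// Location header for the VIP to
https:// so the client is not bounced back to port 80.  Header handling and
the fallback to the VIP address when a request carries no Host header are
this example's assumptions."""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

REASONS = {301: "Moved Permanently", 302: "Found", 307: "Temporary Redirect"}


def parse_request(request: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, path-and-query, headers) from a raw HTTP request head."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.startswith("http://") or target.startswith("https://"):   # absolute-URI form
        parts = urlsplit(target)
        target = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    return method, target, headers


def expand_template(template: str, host: str, path: str) -> str:
    """%h -> requested host, %p -> requested path (with query)."""
    return template.replace("%h", host).replace("%p", path)


def build_redirect(request: bytes, template: str = "https://%h%p", code: int = 301,
                   vip_address: str = "172.16.1.73") -> bytes:
    """Answer an HTTP request at the VIP with a redirect, as 'rserver redirect' does."""
    _, path, headers = parse_request(request)
    host = headers.get("host", vip_address)        # assumption: no Host header -> use the VIP
    location = expand_template(template, host, path)
    return (f"HTTP/1.1 {code} {REASONS.get(code, 'Redirect')}\r\n"
            f"Location: {location}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n").encode()


def rewrite_location(response: bytes, rewrite_host: str) -> bytes:
    """'ssl url rewrite location <host>': http://<host>... in Location becomes https://<host>..."""
    head, sep, body = response.partition(b"\r\n\r\n")
    prefix = f"http://{rewrite_host}".encode()
    out: List[bytes] = []
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            value = value.strip()
            rest = value[len(prefix):]
            # Only the configured host is rewritten, and only on a host boundary,
            # so 172.16.20.1 does not also match 172.16.20.10.
            if value.startswith(prefix) and rest[:1] in (b"", b"/", b":", b"?"):
                if rest.startswith(b":80"):
                    rest = rest[3:]
                value = b"https://" + rewrite_host.encode() + rest
            line = b"Location: " + value
        out.append(line)
    return b"\r\n".join(out) + sep + body
```

The `FRONT-END-HTTPS: On` header in the same action list is the other conventional fix: rather than rewriting the server's answer, it tells the application it is behind a TLS terminator so that it generates `https://` links itself.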


Advanced Load Balancing


Advanced Load Balancing Features
Increased Protocol Inspection

Protocol inspection on the ACE can be used to analyze or modify application data. Compliance with RFCs can also be enforced, as well as filtering for user-defined interactions, which are denied if attempted.

ƒ Protocols supported: FTP and Strict FTP, RTSP, ICMP, DNS, HTTP
ƒ Enhanced protocol inspection: SIP, Skinny, H.323, ILS/LDAP

Deep Packet Inspection Extends Visibility and Persistence to All Applications


Advanced Load Balancing Features
HTTP Inspection Overview

ƒ HTTP Inspection is a special case of application firewalling in which the focus is mainly on HTTP attributes such as the HTTP header, the URL and the payload itself
ƒ Enables users to validate, filter and log HTTP transactions by matching the traffic against the configured policies
ƒ Shares the HTTP stack and the REGEX engine with L7 SLB, with added features for inspection
ƒ Can work with L7 load balancing for the same flow
ƒ User-defined REGEX can be used in a limited way to detect offending traffic by searching for “signatures”


Advanced Load Balancing Features
HTTP Inspect Features

ƒ RFC compliance
ƒ MIME type validation
ƒ Length and encoding checks
ƒ Port 80 misuse
ƒ Permit/Deny based on L7 Regex match


How to Enable Compression?

ƒ From the Cisco ACE 4710 Device Manager you can begin compressing HTTP traffic on the Cisco ACE 4710 by clicking the “Enable Compression” command within the Virtual Server configuration for server farms. A single click enables compression for the configured load balancing policy.

[Screenshot: Enable Compression]


HTTP Compression

[Screenshot: searching for “cisco” on www.google.com, showing the compressed data]


TCP Server Offload
“TCP Multiplex” or “TCP Re-use”

ƒ TCP setup and teardown offloaded from the server (currently limited to HTTP)
ƒ Effective for servers dedicating a high percentage of CPU cycles to TCP processing
ƒ TCP connections to the server are kept open (HTTP 1.1 connection keepalive)
ƒ Client requests multiplexed to existing server connections
ƒ ACE creates a connection pool on the reals [ip:port] associated to the virtual server
   Client connections matched to server connections based on TCP options (SACK, timestamp, window scale, MSS)


TCP Server Offload Illustrated

[Diagram: client connections TCP1, TCP2 and TCP3 are multiplexed onto the server-side connections ACE-TCP1 (Pool1) and ACE-TCP2 (Pool2)]

parameter-map type http PARAM-MAP
  server-conn reuse
  case-insensitive
  persistence-rebalance
!
class-map match-any HTTP
  10 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match HTTP
  class class-default
    sticky-serverfarm STICKY
!
policy-map multi-match L4
  class vipmap1
    loadbalance vip inservice
    loadbalance policy HTTP
    appl-parameter http advanced-options PARAM-MAP
    nat dynamic 1 vlan 2


Server Connection Reuse

ƒ When the feature is enabled, a server TCP connection may be reused to service a different client TCP connection after the response to the previous HTTP request has been transmitted
ƒ “Connection: keep-alive” is inserted and “Connection: close” is removed from the client HTTP request, to avoid closing the server connection early
ƒ Note: details on Connection Reuse come later

switch/Admin(config)# parameter-map type http HTTP_PARAM
switch/Admin(config-parammap-http)# server-conn reuse

switch/Admin# show stats http | include Reuse
 Reuse msgs sent       : 1  , HTTP requests       : 4
switch/Admin# show stats http | include Headers
 Reproxied requests    : 0  , Headers removed     : 1
 Headers inserted      : 1  , HTTP redirects      : 0

switch/Admin# show np 1 me-stats "-s icm | grep Reuse"
Reuse link update conn invalid error:     0
Reuse link update conn not on reuse erro  0
Reuse conn remove not on head error:      0
Connection Reuse Add Errors:              0
Connections Removed From Reuse Pools:     1
Connections Added To Reuse Pools:         1


TCP Server Offload Example

ƒ Over 98% reduction in server-side TCP connections per second
ƒ Depends also on server configuration (HTTP GETs per TCP connection)

[Graphs: Server Side and Client Side connection rates]


Advanced Load Balancing
Persistence and Pipelining

• HTTP is assumed to follow a simple request/response transaction model
• Introduced in HTTP/1.1, persistence is also referred to as client keep-alive
• Multiple persistent HTTP requests on the same TCP connection will be balanced to [potentially] different rservers if persistence-rebalance is configured
• This works without regard to packet boundaries
• Pipelined requests are buffered and later parsed after completing transmit of the previous response. In other words, the requests are un-pipelined
• If persistence-rebalance is not configured, then pipelined requests on a connection will all be sent to the same server, as they arrive

switch/Admin(config)# parameter-map type http HTTP_PARAM
switch/Admin(config-parammap-http)# persistence-rebalance

switch/Admin# show stats http | include requests
 Reuse msgs sent      : 0 , HTTP requests       : 7
 Reproxied requests   : 0 , Headers removed     : 0
 HTTP chunks          : 0 , Pipelined requests  : 2
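The two slides above (server connection reuse and persistence/pipelining) describe what a load balancer must do once it owns the client TCP connection: frame whole HTTP requests out of the byte stream regardless of packet boundaries, hand each request to a server chosen per request when rebalance is on (or pin the connection to one server when it is off), forward only one request at a time per client connection (un-pipelining), and rewrite the Connection header so the reused server-side connection stays open. The following Python model is an added example written for this page; it is not ACE code. The server farm addresses, the round-robin predictor and the sample request stream are constructed, and chunked request bodies are rejected rather than framed.

```python
"""Proxy-side HTTP/1.1 request framing, un-pipelining and Connection
header rewriting.  Added example (not Cisco ACE code); server farm and
sample traffic are constructed."""
from collections import deque
from itertools import cycle

SERVERS = ["10.20.1.11", "10.20.1.12"]   # constructed server farm


def parse_headers(head: bytes) -> dict:
    """Map lower-cased header names to values for one request head."""
    hdrs = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        hdrs[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return hdrs


def split_requests(buf: bytes):
    """Split a client byte stream into complete requests without regard to
    packet boundaries.  Returns (complete_requests, unconsumed_remainder)."""
    reqs = []
    while True:
        end = buf.find(b"\r\n\r\n")
        if end < 0:
            break                                  # head still incomplete
        hdrs = parse_headers(buf[:end])
        if "transfer-encoding" in hdrs:
            raise ValueError("chunked request bodies are not framed by this example")
        total = end + 4 + int(hdrs.get("content-length", "0"))
        if len(buf) < total:
            break                                  # body still arriving
        reqs.append(buf[:total])
        buf = buf[total:]
    return reqs, buf


def prepare_for_server(req: bytes) -> bytes:
    """Remove any client Connection header and insert 'Connection: keep-alive'
    directly after the request line so the server connection stays open."""
    head, sep, body = req.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [l for l in lines[1:] if not l.lower().startswith(b"connection:")]
    return b"\r\n".join([lines[0], b"Connection: keep-alive"] + kept) + sep + body


class ClientConnection:
    """One client TCP connection as seen by the load balancer."""

    def __init__(self, rebalance: bool, servers=SERVERS):
        self.rebalance = rebalance
        self.pick = cycle(servers).__next__       # round-robin stand-in for the predictor
        self.buf = b""
        self.pinned = None                        # server used when not rebalancing
        self.queue = deque()                      # parsed requests awaiting dispatch
        self.outstanding = None                   # request whose response is pending
        self.sent = []                            # (server, bytes) actually forwarded

    def receive(self, data: bytes) -> None:
        """Feed bytes as they arrive from the client, any packet boundaries."""
        self.buf += data
        reqs, self.buf = split_requests(self.buf)
        self.queue.extend(reqs)
        self._dispatch()

    def response_complete(self) -> None:
        """The server finished answering; the next buffered request may go out."""
        self.outstanding = None
        self._dispatch()

    def _dispatch(self) -> None:
        # Un-pipelining: at most one request in flight per client connection.
        if self.outstanding is not None or not self.queue:
            return
        req = self.queue.popleft()
        if self.rebalance:
            server = self.pick()                  # balanced per request
        else:
            if self.pinned is None:
                self.pinned = self.pick()         # first request picks the server
            server = self.pinned
        self.outstanding = req
        self.sent.append((server, prepare_for_server(req)))


def demo(rebalance: bool):
    """Two pipelined requests (constructed) split oddly across three packets."""
    c = ClientConnection(rebalance)
    stream = (b"GET /a HTTP/1.1\r\nHost: vip\r\nConnection: close\r\n\r\n"
              b"POST /b HTTP/1.1\r\nHost: vip\r\nContent-Length: 5\r\n\r\nhello")
    for chunk in (stream[:20], stream[20:70], stream[70:]):
        c.receive(chunk)
    c.response_complete()    # first response done; the buffered POST goes out
    c.response_complete()
    return [s for s, _ in c.sent], [r for _, r in c.sent]
```

With rebalance on, the GET and the pipelined POST go to different servers; with it off both go to the server picked for the first request, which matches the "Pipelined requests : 2" counter on the slide being independent of how they were balanced.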

Advanced Load Balancing
Header Insert

• Can be used to insert the client source IP address if source NAT is being used
• Inserts a header into the client HTTP request just before transmit to the server
• If persistence-rebalance is configured, the insert occurs on all requests for the connection, otherwise just the first
• The point of insertion is always between the request line and the existing first header
• Configure “%is” and “%ps” to dynamically insert source (client) IP and port
• Configure “%id” and “%pd” to dynamically insert destination (virtual server) IP and port
• In the example below, the inserted header might look something like: ACE: Src=61.0.0.5:32797;Dest=61.0.0.113:80

switch/Admin(config)# policy-map type loadbalance first-match PSLB
switch/Admin(config-pmap-lb)# class C1
switch/Admin(config-pmap-lb-c)# insert-http ACE header-value Src=%is:%ps;Dest=%id:%pd

switch/Admin# show stats http | include insert
 Headers inserted     : 1 , HTTP redirects    : 0
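The inserted header is only meaningful to the application on the server, and a client can send a header of the same name itself, so the server should take the client address from it only when the TCP peer is actually the load balancer. The Python below is an added example for this page, not ACE code: it parses the Src=ip:port;Dest=ip:port format shown above, also accepts the single-address x-forwarded-for form, and falls back to the socket address otherwise. The trusted proxy address is taken from the NAT pool used later in this deck and is an assumption about what the server sees as TCP peer; the sample header values are constructed.

```python
"""Backend-side handling of a load-balancer-inserted client address header.
Added example, not Cisco ACE code.  Trusted-proxy address is assumed from
the deck's NAT pool; sample values are constructed."""
import ipaddress
import re

# Assumed: under source NAT the server's TCP peer for balanced traffic is the
# ACE NAT pool address, so only that peer may vouch for a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.1.110/32")]

_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_ace_header(value: str) -> dict:
    """Parse 'Src=ip:port;Dest=ip:port' into {'src': (ip, port), 'dest': (ip, port)}.
    Raises ValueError for anything outside that exact shape."""
    out = {}
    for part in value.split(";"):
        key, sep, endpoint = part.strip().partition("=")
        m = _ENDPOINT.match(endpoint)
        if not sep or key not in ("Src", "Dest") or not m:
            raise ValueError(f"malformed ACE header field: {part!r}")
        ip = ipaddress.ip_address(m.group(1))        # rejects octets > 255
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        out[key.lower()] = (str(ip), port)
    if set(out) != {"src", "dest"}:
        raise ValueError("ACE header must carry both Src and Dest")
    return out


def client_address(peer_ip: str, headers: dict) -> tuple:
    """Return (client_ip, client_port_or_None, source).

    The inserted header is honoured only when the TCP peer is a trusted
    load balancer; a malformed header falls back to the socket address
    rather than being partially trusted."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in net for net in TRUSTED_PROXIES)
    hdr = {k.lower(): v for k, v in headers.items()}
    if trusted and "ace" in hdr:
        try:
            src = parse_ace_header(hdr["ace"])["src"]
            return (src[0], src[1], "ace-header")
        except ValueError:
            pass
    if trusted and "x-forwarded-for" in hdr:
        # Assumes the usual comma-joined merge, where the value added by the
        # nearest (trusted) proxy is the last element.
        last = hdr["x-forwarded-for"].split(",")[-1].strip()
        try:
            return (str(ipaddress.ip_address(last)), None, "x-forwarded-for")
        except ValueError:
            pass
    return (peer_ip, None, "socket")
```

In routed or bridged mode without source NAT the TCP peer is the real client, so the trust check fails and the socket address is used, which is the correct answer in that case anyway.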

Q and A


Recommended Reading

Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press:

• Designing Content Switching Solutions, Zeeshan Naseh CCIE 6836, Haroon Khan CCIE 4530
• Data Center Fundamentals, Mauricio Arregoces CCIE 3285, Maurizio Portolani
• Content Networking Fundamentals, Silvano Da Ros
• Web Security Field Guide, Steve Kalman
• Server Load Balancing, Tony Bourke
• SSL and TLS: Designing and Building Secure Systems, Eric Rescorla

Available onsite at the Cisco Company Store

Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Receive 20 Passport points for each session evaluation you complete.
• Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.

Backup Slides


Design Comparison: Application View

• L2 In-Path: no source NAT necessary (except server-to-server via VIP)
• L3 In-Path: no source NAT necessary (except server-to-server via VIP)
• L3 Out-of-Path: source NAT or PBR (Policy Based Routing) necessary; PBR is not VRF-aware and is an operational challenge

Design Comparison: Scalability

• L2 In-Path: one or multiple VLANs per context possible; non-load-balanced traffic also passes through the ACE
• L3 In-Path: centralized load-balancing architecture; non-load-balanced traffic also passes through the ACE
• L3 Out-of-Path: only load-balanced traffic passes through the ACE

Design Comparison: Migration

• L2 In-Path: easy and transparent migration; no changes to server IP or gateway
• L3 In-Path: gateway address is typically moved to the ACE
• L3 Out-of-Path: easy migration; typically not transparent in terms of source IP address

Content Switching Design Approaches
Routed Mode: Design

[Diagram (2A): Core-1 / Core-2, Agg-1 / Agg-2 with MSFC1 / MSFC2, Data PortChannel, ACE 1 and ACE 2 (Standby) joined by the FT PortChannel, Access layer below. ACE Client-Side VLAN 10 10.10.1.0/24; ACE Server-Side VLAN 20 10.20.1.0/24; ACE Server-Side VLAN 30 10.30.1.0/24]

[Diagram (2B): same Core / Agg / MSFC / ACE / Access topology. ACE Client-Side VLAN 5 10.5.1.0/24; ACE Server-Side VLAN 1 10.10.1.0/24; Server VLAN 20 10.20.1.0/24; Server VLAN 30 10.30.1.0/24]

(2A) Routed Mode Design with MSFC on Client Side
• Servers’ default gateway is the alias IP on the ACE
• Extra configuration needed for:
  Direct access to servers
  Non-load-balanced server-initiated sessions
• ACE’s default gateway is the HSRP group IP address on the MSFC
• RHI possible
• Load balancer inline for all traffic

(2B) Routed Mode Design with MSFC on Server Side
• Servers’ default gateway is the HSRP group IP address on the MSFC
• Extra configuration needed for (simpler than option 2A):
  Direct access to servers
  Non-load-balanced server-initiated sessions
• SM’s default gateway is the core router
• RHI not possible
• Server-to-server communication bypasses the load balancer

Content Switching Design Approaches
Routed Mode: Configuration

ACE
!
interface vlan 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no shutdown
!
interface vlan 20
  ip address 10.20.1.2 255.255.255.0
  alias 10.20.1.1 255.255.255.0
  peer ip address 10.20.1.3 255.255.255.0
  no shutdown
!
interface vlan 30
  ip address 10.30.1.2 255.255.255.0
  alias 10.30.1.1 255.255.255.0
  peer ip address 10.30.1.3 255.255.255.0
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1

MSFC
!
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
!

Content Switching Design Approaches
Bridged Mode: Design

[Diagram: Core-1 / Core-2, Agg-1 / Agg-2 with MSFC1 / MSFC2, Data PortChannel, ACE 1 and ACE 2 (Standby) joined by the FT PortChannel, Access layer below. ACE Client-Side VLAN 10 10.10.1.0/24; ACE Server-Side VLAN 20 10.10.1.0/24]

(1) Bridged Mode Design Considerations
• Servers’ default gateway is the HSRP group IP address on the MSFC
• Broadcast/multicast/route update traffic bridges through
• No extra configuration for:
  Direct access to servers
  Server-initiated sessions
• RHI possible
• Load balancer inline for all traffic

Content Switching Design Approaches
Bridged Mode: Configuration

ACE
interface vlan 10
  bridge-group 10
  access-group input anyone
  access-group output anyone
  no shutdown
!
interface vlan 20
  bridge-group 10
  access-group input anyone
  access-group output anyone
  no shutdown
!
interface bvi 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1
!

MSFC
!
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
!

Content Switching Design Approaches
Bridged Mode: BPDU Forwarding

• As with the FWSM, the ACE can let BPDUs through and can rewrite their payload, correctly handling merged STP domains

ACE Configuration to Allow BPDUs
!
access-list bpduallow ethertype permit bpdu
!
interface vlan 10
  bridge-group 10
  access-group input bpduallow
  no shutdown
!
interface vlan 20
  bridge-group 10
  access-group input bpduallow
  no shutdown
!

• Protects against accidental loops in case the FT heartbeat cable or VLAN is disconnected

Content Switching Design Approaches
L3 One-Armed Mode: Design

[Diagram: Core-1 / Core-2, Agg-1 / Agg-2 with MSFC1 / MSFC2, Data PortChannel, ACE 1 and ACE 2 (Standby) joined by the FT PortChannel, Access layer below. ACE Server-Side VLAN 10 10.10.1.0/24; Server VLAN 20 10.20.1.0/24; Server VLAN 30 10.30.1.0/24]

(3) One-Armed Design Considerations
• Servers’ default gateway is the HSRP group IP address on the MSFC
• No extra configuration for:
  Direct access to servers
  Server-initiated sessions
• RHI possible
• CSM/ACE inline only for server-load-balanced traffic
• Policy-based routing or source NAT can be used to redirect server return traffic to the load balancer

Content Switching Design Approaches
L3 One-Armed Mode: PBR Configuration

MSFC
!
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
!
interface Vlan20
  ip address 10.20.1.2 255.255.255.0
  ip policy route-map FromServersToSLB
  standby 20 ip 10.20.1.1
  standby 20 priority 110
!
access-list 121 permit tcp any eq telnet any
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
!
route-map FromServersToSLB permit 10
  match ip address 121
  set ip next-hop 10.10.1.4

ACE - Asymmetric Routing
!
interface vlan 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no normalization
  access-group input anyone
  access-group output anyone
  no shutdown
!

Content Switching Design Approaches
L3 One-Armed Mode: Source-NAT Configuration

class-map match-all HTTP
  2 match virtual-address 172.16.1.73 tcp eq 80

policy-map type loadbalance first-match WEB
  class class-default
    insert-http x-forwarded-for: header-value %is
    serverfarm HTTP

policy-map multi-match L4
  class HTTP
    loadbalance vip inservice
    loadbalance policy WEB
    nat dynamic 1 vlan 2

interface vlan 2
  ip address 172.16.1.1 255.255.255.0
  alias 172.16.1.254 255.255.255.0
  peer ip address 172.16.1.2 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input L4
  no normalization
  nat-pool 1 10.10.1.110 10.10.1.110 netmask 255.255.255.0 pat
  no shutdown
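The PBR and source-NAT slides above show the two ways of getting server replies back to a one-armed ACE. The Python model below is an added example for this page, not Cisco code, and covers both: the MSFC route-map FromServersToSLB, which steers a Vlan20 packet to the ACE alias only when ACL 121 matches its TCP source port (telnet, www, 443), and the dynamic NAT pool with PAT, where servers see the single pool address and reply to it, so nothing on the MSFC has to be touched but one pool address bounds the number of concurrent translations. Addresses come from the slides; the rserver list, the client flows and the simplified PAT table (keyed by client address and port rather than the full 5-tuple) are constructed.

```python
"""Return-path steering for a one-armed load balancer: PBR versus source NAT.
Added example (not Cisco code).  Addresses from the slides; flows, rserver
list and the simplified PAT table are constructed."""
from dataclasses import dataclass
from itertools import count

ACE_ALIAS = "10.10.1.4"              # set ip next-hop in route-map FromServersToSLB
NAT_POOL_IP = "10.10.1.110"           # nat-pool 1 10.10.1.110 10.10.1.110 ... pat
PBR_SOURCE_PORTS = {23, 80, 443}     # access-list 121: eq telnet / www / 443
VIP = ("172.16.1.73", 80)            # class-map HTTP virtual address
RSERVERS = ["10.20.1.11", "10.20.1.12"]   # constructed members of serverfarm HTTP


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def pbr_next_hop(pkt: Packet) -> str:
    """Where the MSFC forwards a packet received on Vlan20 (server VLAN).

    ACL 121 permits TCP whose *source* port is telnet, www or 443, so only
    replies from those services are policy-routed to the ACE alias; anything
    else (server-initiated sessions, unlisted services) follows the routing
    table and never touches the load balancer."""
    if pkt.proto == "tcp" and pkt.src_port in PBR_SOURCE_PORTS:
        return ACE_ALIAS
    return "routing-table"


def to_rserver(pkt: Packet, rserver: str) -> Packet:
    """VIP -> real server rewrite done by the load-balance policy."""
    return Packet(pkt.src_ip, pkt.src_port, rserver, pkt.dst_port, pkt.proto)


class DynamicPat:
    """Dynamic NAT to one pool address with port overloading (PAT)."""

    def __init__(self, pool_ip=NAT_POOL_IP, first_port=1024, last_port=65535):
        self.pool_ip = pool_ip
        self.last_port = last_port
        self._next = count(first_port)
        self.forward = {}    # (client_ip, client_port) -> pool port
        self.reverse = {}    # pool port -> (client_ip, client_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the client source to the pool address; allocate a port if new."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.forward.get(key)
        if port is None:
            port = next(self._next)
            if port > self.last_port:
                # One pool address bounds concurrent flows by its port range.
                raise RuntimeError("PAT pool exhausted")
            self.forward[key] = port
            self.reverse[port] = key
        return Packet(self.pool_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Packet:
        """Undo the translation on a server reply addressed to the pool."""
        key = self.reverse.get(pkt.dst_port)
        if pkt.dst_ip != self.pool_ip or key is None:
            raise KeyError("reply matches no translation; it would be dropped")
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1], pkt.proto)


def demo():
    """One constructed client flow through VIP, rserver selection and PAT."""
    pat = DynamicPat()
    client = Packet("198.51.100.20", 40000, *VIP)
    to_server = pat.outbound(to_rserver(client, RSERVERS[0]))
    # The server replies to the pool address, so the reply reaches the ACE
    # without any PBR on the MSFC.
    reply = Packet(RSERVERS[0], 80, to_server.src_ip, to_server.src_port)
    return to_server, pat.inbound(reply)
```

The PBR side shows the caveat a practitioner checks first: a load-balanced service whose port is not listed in ACL 121 (SSH, for instance) would have its replies routed straight to the client and the connection would fail, while a server-initiated HTTP session (ephemeral source port) correctly bypasses the ACE. The NAT side shows the trade: return routing is automatic and the MSFC stays untouched, but the server sees 10.10.1.110 as every client, which is why the policy also inserts x-forwarded-for.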