BRKAPP-2002 14405_04_2008_c2
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Server Load Balancing Design
BRKAPP-2002
Cisco Application Delivery Networks (figure: six service areas and their functions)
Network Classification: Quality of service; Network-based app recognition; Queuing, policing, shaping; Visibility, monitoring, control
Application Scalability: Server load-balancing; Site selection; SSL termination and offload; Video delivery
Application Networking: Message transformation; Protocol transformation; Message-based security; Application visibility
WAN Acceleration: Data redundancy elimination; Window scaling; LZ compression; Adaptive congestion avoidance
Application Acceleration: Latency mitigation; Application data cache; Meta data cache; Local services
Application Optimization: Delta encoding; FlashForward optimization; Application security; Server offload
Other Cisco Live Breakout Sessions that You May Want to Attend (relevancy matrix columns: GSS, ISR, WAAS, ACNS, ACE, AXG, Applications)
BRKAPP-2002 Server Load Balancing Design
BRKAPP-3003 Troubleshooting ACE
BRKAPP-1004 Introduction WAAS
BRKAPP-2005 Deploying WAAS
BRKAPP-3006 Troubleshooting WAAS
BRKAPP-1008 What can Cisco IOS do for my application?
BRKAPP-1009 Introduction to Web Application Security
BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization
BRKAPP-2011 Scaling Applications in a Clustered Environment
BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Siebel and Exchange
BRKAPP-2014 Deploying AXG
BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers
BRKAPP-1016 Running Applications on the Branch Router
BRKAPP-2017 Optimizing Application Delivery
BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers
Agenda
Application Load Balancing: Health Checking; Prediction; Persistence; Design Implementation Considerations
Policy Configuration Examples: Layer 4 Example; Web Protocol Example; Server to Server Load Balancing Example
SSL: SSL Offload Example
Advanced Load Balancing Design: Application Inspections; TCP Reuse; URL Load Balancing
ACE Application Switching Module
Integrates Load Balancing, Application Optimization and Security
Virtual Device Support
Data Center and Application Firewall
Multimedia and Voice Intelligence
Low Power Usage with High Performance
License-based Upgrades (SSL, virtual licenses)
Support for Catalyst 6500 Series Switch and Cisco 7600 Series Router
Integrated Services, High Performance Application Switching Platform: 4-16 Gbps
ACE Application Switching Appliance
Integrates Load Balancing, Application Optimization and Security
Virtual Device Support
Data Center and Application Firewall
Multimedia and Voice Intelligence
Low Power Usage with High Performance
License-based Upgrades (SSL, Virtual licenses, Application Optimization, Compression Performance)
Specific optimizations for common applications
Latency and bandwidth reduction with protection
Application switching for scalability and availability
Embedded Browser-based Graphical User Interface
High Performance Multi-core, Dual-CPU Architecture
Integrated Services, High Performance Application Switching Platform: 1-2 Gbps
Cisco Application Networking Manager (ANM)
ACE Appliance has an embedded GUI
ANM free for 2 ACE devices (with 5 context max w/o additional licensing); must place order for ANM-SERVER-12-K9
ACE Module has no embedded GUI
Cisco ANM runs from a centralized server running Redhat Linux
Multiple Cisco ANM users can simultaneously manage multiple devices via web browser
Enables device & virtualization provisioning for up to fifty (50) ACE and forty (40) CSS & CSM per Cisco ANM server
Graphical interface for simplified and standardized service provisioning for basic, advanced and expert users
Secure user access and delegation of responsibilities
Enables Centralized Configuration, Operations, and Monitoring of Cisco Data Center Networking Equipment and Services
Load Balancing Overview: Terminology (figure)
Clients
Content Switch (Load Balancer)
Client-Side Gateway
Virtual IP Address (VIP): 172.16.2.100 TCP port 80
Class-Map: URL = /news, User-Agent = WindowsCE, Client = 192.0.0.0/8
Policy-Map: If match class-map X then use serverfarm X, else use serverfarm Y
Serverfarm
Servers
Load Balancing Algorithm (Predictor): Round Robin
Keepalive (Probe)
XML Gateways
Traffic Being Load Balanced
Generic IP traffic (e.g. IPsec tunnels)
Generic UDP and TCP (e.g. proprietary protocols)
Network services (e.g. LDAP, DNS, RADIUS)
HTTP (e.g. Web Presentation Layer, Web Services, SOAP/XML)
Voice & Video (e.g. RTSP, SIP, H.323)
Remote terminals (e.g. Windows Terminal Services)
Multi-connection protocols (e.g. FTP, RTSP)
Multi-tier packaged applications (e.g. SAP, Oracle, Microsoft, BEA)
Vertical specific applications (e.g. medical, finance, education)
(figure: packet layout) Ethernet Header (Layer 2) | IP Header (Layer 3) | TCP Header (Layer 4) | HTTP Header, Payload (Layer 5-7) | Ethernet Trailer
Scale Your Application Health Checking
Scale Your Application: Health Monitoring Issues
Application issue: ARPs only check the IP stack and not the application
ICMP probes only check the IP stack of the machine and not the application
Generic TCP port opens check the TCP stack but not the application's ability to handle requests
An application may fail in a state where the server can still respond to a TCP SYN but not to an application data request
To verify the integrity of an application, an application data request keepalive is required
How do you verify the application server's health, or the web server's reachability to the application server?
Application Load Balancing: Probe Options
Probe: Description
ICMP: Sends an ICMP request and waits for a reply
Generic TCP: Opens a connection with the server and disconnects with a TCP FIN or RST (TCP FIN is the default)
Generic UDP: Sends a packet; the probe is considered successful if no ICMP error is received
HTTP: Sends an HTTP HEAD or HTTP GET 1.1 request
HTTPS: Establishes an SSL connection, sends an HTTP query and tears it down
FTP: Similar to TCP probe
Telnet: Makes a connection, sends a "QUIT" message
DNS: Uses a default domain and waits for any response
SMTP: Sends a "hello" followed by a "QUIT" message
POP3: Similar to TCP probe
IMAP: Similar to TCP probe
RADIUS: Similar to UDP probe; NAS-IP can be configured
Scripted: Uses TCL Interpreter Release 8.44 to execute user-defined TCL scripts to perform health monitoring
SNMP: Up to eight OIDs can be configured. Used mainly for load balancing predictions and not health checking; should be combined with another health probe to verify the application
Scale Your Application: Application or Database Server Health Checking
Probing customer application servers with application data requires a scripted keepalive on the load balancer or on a front-end server
Scripting on front-end servers allows greater flexibility
(figure: a test request to http://www.company.com/test.asp submitting "Buy 10000 Widgets", Customer "Testuser", Company "Test Inc.")
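The point of the scripted keepalive above is that a server can accept the TCP connection and even return an HTTP 200 while the application behind it is broken. The following is an added example (not code from the deck or from ACE) of an application-data probe that parses the HTTP response to the test request and passes only when the status is 200 and a success marker appears in the body; the path /test.asp, the marker text and the four server responses are constructed for the example.

```python
import re

# Assumed test page and success marker on the real server (not from the deck).
PROBE_PATH = "/test.asp"
SUCCESS_MARKER = re.compile(rb"ORDER ACCEPTED")


def build_probe_request(host: str, path: str = PROBE_PATH) -> bytes:
    """The application-data request a keepalive would send to each real."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_http_response(raw: bytes):
    """Return (status, headers, body) or None if the bytes are not HTTP/1.x."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/1\.[01] (\d{3})(?: |$)", lines[0])
    if m is None:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def app_probe_passes(raw: bytes, marker=SUCCESS_MARKER) -> bool:
    """Pass only if the status is 200 and the body carries the success marker."""
    parsed = parse_http_response(raw)
    if parsed is None:
        return False
    status, _headers, body = parsed
    return status == 200 and marker.search(body) is not None


def tcp_probe_passes(port_open: bool) -> bool:
    """A generic TCP probe only learns whether the port accepted the connection."""
    return port_open


# Constructed responses for four real servers (what each returned to the GET).
SAMPLE_REALS = {
    # healthy: web tier and application tier both answer
    "SERVER1": (True, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<html>ORDER ACCEPTED: 10000 widgets for Test Inc.</html>"),
    # web server up, application tier down: TCP opens, page reports an error
    "SERVER2": (True, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<html>Application error: database unavailable</html>"),
    # web server up but answering with a server error
    "SERVER3": (True, b"HTTP/1.1 500 Internal Server Error\r\n\r\nfailed"),
    # host down: no TCP connection, no bytes
    "SERVER4": (False, b""),
}


def probe_farm(reals=SAMPLE_REALS) -> dict:
    """Compare what a TCP probe and an application-data probe conclude."""
    return {name: {"tcp": tcp_probe_passes(port_open),
                   "app": port_open and app_probe_passes(raw)}
            for name, (port_open, raw) in reals.items()}


if __name__ == "__main__":
    for real, verdict in probe_farm().items():
        print(real, verdict)
```

SERVER2 is the case the slide warns about: the TCP probe keeps it in rotation while the application probe takes it out.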
Scale Your Application Predictors
Scale Your Application: Predictors
Predictors determine how connections are load balanced (figure: Client, ACE, Serverfarm)
Scale Your Application: Predictor Algorithms
Round Robin (weighted): very simple
Least Connections (weighted): dynamic, requires slow-start
Hash on IP (source/destination, with mask): no state required for stickiness; issues with dynamic changes
Hash on URL: or a portion of the URL
Server Watermarks: min and max number of connections per server
Least Loaded: SNMP OID-based server feedback, obtaining useful information maintained as SNMP Object IDs
Least Bandwidth: connection vs. bandwidth, based on the bidirectional traffic flow
Adaptive Response Predictor: load balancing based on server response time, measured SYN to SYN-ACK, SYN to FIN, or application request to first packet of response
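To make the first three algorithms concrete, here is an added example (not code from the deck or from ACE) of weighted round robin, least connections with a slow-start ramp, and a source-IP hash with a mask. Server names, weights, the ramp floor of 10% and the use of CRC32 as the hash are all assumptions of the example.

```python
import ipaddress
import zlib


class Real:
    """One real server in a serverfarm (weight defaults to 8, as on ACE)."""

    def __init__(self, name, weight=8):
        self.name = name
        self.weight = weight
        self.current_conns = 0
        self.inservice_since = None   # time the real came into service, if known


class WeightedRoundRobin:
    """Smooth weighted round robin: in every cycle of sum(weights) picks each
    real is chosen exactly `weight` times, spread out rather than bunched."""

    def __init__(self, reals):
        self.reals = reals
        self.credit = {r.name: 0 for r in reals}

    def select(self):
        total = sum(r.weight for r in self.reals)
        for r in self.reals:
            self.credit[r.name] += r.weight
        best = max(self.reals, key=lambda r: self.credit[r.name])
        self.credit[best.name] -= total
        return best


class LeastConnections:
    """Fewest connections per unit of weight. A real that just came into
    service is ramped over `slowstart` seconds so that a server with zero
    connections is not handed every new connection at once."""

    def __init__(self, reals, slowstart=0):
        self.reals = reals
        self.slowstart = slowstart

    def effective_weight(self, real, now):
        if not self.slowstart or real.inservice_since is None:
            return real.weight
        ramp = (now - real.inservice_since) / self.slowstart
        return real.weight * max(0.1, min(1.0, ramp))   # 10% floor is assumed

    def select(self, now=0.0):
        return min(self.reals, key=lambda r:
                   (r.current_conns + 1) / self.effective_weight(r, now))


class SourceIpHash:
    """Stateless stickiness: hash the masked source address. Clients in the
    same masked block land on the same real for as long as the farm's
    membership is unchanged (the caveat the deck notes)."""

    def __init__(self, reals, netmask="255.255.255.255"):
        self.reals = reals
        self.mask = int(ipaddress.IPv4Address(netmask))

    def select(self, src_ip):
        key = int(ipaddress.IPv4Address(src_ip)) & self.mask
        idx = zlib.crc32(key.to_bytes(4, "big")) % len(self.reals)
        return self.reals[idx]


def demo_round_robin(picks=12):
    """Weights 8 and 4: over 12 picks SERVER1 gets 8 and SERVER2 gets 4."""
    farm = [Real("SERVER1", weight=8), Real("SERVER2", weight=4)]
    wrr = WeightedRoundRobin(farm)
    seq = [wrr.select().name for _ in range(picks)]
    return {name: seq.count(name) for name in ("SERVER1", "SERVER2")}


def demo_least_conns():
    """SERVER2 is new: slow-start keeps it from winning until it has ramped."""
    a, b = Real("SERVER1"), Real("SERVER2")
    a.current_conns, b.current_conns = 2, 0
    b.inservice_since = 100.0
    lc = LeastConnections([a, b], slowstart=200)
    return lc.select(now=100.0).name, lc.select(now=400.0).name


def demo_source_hash():
    """Two clients in the same /24 hash to the same real with a /24 mask."""
    farm = [Real("SERVER1"), Real("SERVER2"), Real("SERVER3")]
    h = SourceIpHash(farm, netmask="255.255.255.0")
    return h.select("10.1.2.3").name == h.select("10.1.2.200").name
```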
Enhanced Predictors: Adaptive Response Predictor
Load balancing based on server response time; the response time is calculated over a configured number of samples and supports the following three measurement options (figure: ACE and Serverfarm):
SYN to SYN-ACK: time between the SYN sent from ACE and the SYN-ACK received from the server
SYN to Close: time between the SYN sent from ACE and the FIN/RST received from the server
Application Request to Response: time between the HTTP request sent from ACE and the HTTP response received from the server
Enhanced Predictors: Least-Loaded Using SNMP
The Least Loaded predictor can support up to 8 user-defined SNMP Object IDs
The least-loaded algorithm automatically calculates the least loaded server from the SNMP responses received from the servers
The number of active connections on the server is also factored into the least-loaded algorithm
Users can define static weights for each Object ID to allow unprecedented load balancing control of new connections based on real-time appliance performance
The Least-loaded predictor provides the most accurate method for calculating the servers' load
Enhanced Application Algorithms: Least-Loaded Using SNMP
ACE utilizes SNMP-based probes to obtain CPU, memory and drive statistics from the servers
ACE queries each server for the following three SNMP Object IDs: CPU Utilization, Memory Resources, Disk Drive Availability
(figure: query/result exchange with three servers reporting CPU Utilization 34% / 24% / 14%, Memory Resources 785300k / 885300k / 947300k free, Disk Drive Availability 202GB / 307GB / 440GB free)
Only an SNMP agent is required on the server; no additional software
Enhanced Application Algorithms: New Feature, Least-Bandwidth
The load balancer introduces the Least-Bandwidth predictor, which selects the server that processed the least amount of network traffic over a specified sampling period
The ACE measures traffic statistics between itself and the real servers in the server farm in both directions and calculates the bandwidth over the sampling period
Then it creates an ordered list of real servers based on the sampling results and selects the server that used the least amount of bandwidth during the sampling period
The Least-Bandwidth predictor is best suited for heavy traffic use
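The two enhanced predictors above combine several measurements into one ranking. The following is an added example (not code from the deck or from ACE) that scores the three SNMP values shown on the least-loaded slide with static per-OID weights plus the active-connection count, and picks the least-bandwidth real from two counter samples taken an assess-time apart. The OID names, the weights 4/2/1, the normalisation and the byte counters are constructed for the example; ACE's own weighting formula is not shown on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OidMetric:
    """One polled SNMP value: its name, its configured weight, and whether a
    larger value means a busier server (CPU %) or a less busy one (free memory)."""
    name: str
    weight: int
    higher_is_busier: bool


# Constructed weighting for the three OIDs the slide names (an assumption).
METRICS = (
    OidMetric("cpu_util_pct", weight=4, higher_is_busier=True),
    OidMetric("mem_free_kb", weight=2, higher_is_busier=False),
    OidMetric("disk_free_gb", weight=1, higher_is_busier=False),
)

# Constructed polling results, matching the values shown on the slide.
SNMP_SAMPLES = {
    "SERVER1": {"cpu_util_pct": 34, "mem_free_kb": 785300, "disk_free_gb": 202},
    "SERVER2": {"cpu_util_pct": 24, "mem_free_kb": 885300, "disk_free_gb": 307},
    "SERVER3": {"cpu_util_pct": 14, "mem_free_kb": 947300, "disk_free_gb": 440},
}


def load_scores(samples, metrics=METRICS, conns=None, conn_weight=1):
    """Normalise every metric to 0..1 across the farm (1 = busiest), sum the
    weighted terms, then add the real's share of the farm's active
    connections. A lower score means a less loaded server."""
    conns = conns or {}
    max_conns = max(conns.values(), default=0)
    scores = {}
    for real, values in samples.items():
        score = 0.0
        for m in metrics:
            farm_max = max(s[m.name] for s in samples.values()) or 1
            norm = values[m.name] / farm_max
            score += m.weight * (norm if m.higher_is_busier else 1 - norm)
        if max_conns:
            score += conn_weight * conns.get(real, 0) / max_conns
        scores[real] = round(score, 4)
    return scores


def least_loaded(samples, **kwargs):
    """The real with the lowest combined load score."""
    scores = load_scores(samples, **kwargs)
    return min(scores, key=scores.get)


def least_bandwidth(counters_start, counters_end):
    """Least-bandwidth: (bytes_in, bytes_out) counters read at the start and
    end of the assess window; choose the real that moved the fewest bytes."""
    used = {}
    for real, (in0, out0) in counters_start.items():
        in1, out1 = counters_end[real]
        used[real] = (in1 - in0) + (out1 - out0)
    return min(used, key=used.get), used


def demo_least_bandwidth():
    """Constructed counters: SERVER1 moved 4500 bytes, SERVER2 only 700."""
    start = {"SERVER1": (1_000, 5_000), "SERVER2": (3_000, 9_000)}
    end = {"SERVER1": (1_500, 9_000), "SERVER2": (3_200, 9_500)}
    return least_bandwidth(start, end)
```

With equal connection counts SERVER3 wins on every OID; weighting the connection term heavily while SERVER3 carries all the active connections moves the choice to SERVER2, which is the interaction the slide describes between OID values and active connections.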
Scale Your Application: Session Persistence (Stickiness)
Session: logical aggregation of multiple simultaneous or subsequent connections
Sessions are limited in time (timeout)
Servers keep session state
The content switch and load distribution across multiple servers introduce the problem: the content switch needs to send connections from the same client to the same server
Even with a backend database holding the session information, stickiness is very useful since it significantly improves performance
Scale Your Application: Session Persistence Methods (how to uniquely identify a client)
Source IP. How it works: client = its source IP. Variation: full IP, masked IP. Info stored on: LB. Good for: simplicity. Caveats: proxies
Cookie. How it works: client = a cookie value. Variation: static, dynamic, insert. Info stored on: LB. Good for: flexibility. Caveats: HTTP only, clear text
SSL ID. How it works: client = SSL session ID. Variation: full SSID, offset. Info stored on: LB. Good for: no cookie support. Caveats: SSL v3 renegotiation
HTTP Redirect. How it works: LB redirects to a specific (v)server. Info stored on: client. Good for: no state on LB. Caveats: HTTP only, absolute URLs, bookmarks
SIP. How it works: client = session Call-ID. Info stored on: LB. Good for: recovering SIP-specific stickiness
RDP. How it works: SD (Session Directory) routing token = server IP + port. Info stored on: LB. Good for: disconnected WTS sessions. Caveats: no token, needs to fall back to source IP
GPP (custom). How it works: regex matches on TCP and UDP data. Variation: custom. Info stored on: LB. Good for: flexible for custom applications. Caveats: specific to application
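Source-IP stickiness differs from the hash predictor in that the load balancer keeps a table, which is what lets an entry be refreshed, expire, or be abandoned when its server fails. The following is an added example (not code from the deck or from ACE) of such a table keyed by the masked client address, with an idle timeout and a fallback to a round-robin predictor that only returns reals still in service; the addresses, the /24 mask and the 1800-second timeout are constructed for the example.

```python
import ipaddress
import itertools


class StickyTable:
    """Source-IP stickiness: a table of (masked client address -> real).
    An entry ages out after `timeout_s` seconds without a new connection.
    A miss, an expired entry, or an entry pointing at a real that is no
    longer in service falls back to the predictor and records the result."""

    def __init__(self, netmask, timeout_s, predictor, inservice):
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.timeout = timeout_s
        self.predictor = predictor      # callable returning the next real
        self.inservice = inservice      # set of healthy reals (shared, mutable)
        self.entries = {}               # masked key -> [real, last_seen]

    def key(self, src_ip):
        return int(ipaddress.IPv4Address(src_ip)) & self.mask

    def lookup(self, src_ip, now):
        """Return (real, hit) for a new connection from src_ip at time `now`."""
        k = self.key(src_ip)
        entry = self.entries.get(k)
        if (entry is not None and now - entry[1] < self.timeout
                and entry[0] in self.inservice):
            entry[1] = now              # refresh the idle timer
            return entry[0], True
        real = self.predictor()
        self.entries[k] = [real, now]
        return real, False

    def expire(self, now):
        """Drop idle entries (the housekeeping a load balancer runs in the background)."""
        self.entries = {k: e for k, e in self.entries.items()
                        if now - e[1] < self.timeout}
        return len(self.entries)


def round_robin_over(inservice):
    """Round-robin predictor that only ever returns reals currently in service."""
    counter = itertools.count()

    def pick():
        live = sorted(inservice)
        return live[next(counter) % len(live)]
    return pick


def demo_sticky():
    inservice = {"SERVER1", "SERVER2"}
    table = StickyTable("255.255.255.0", timeout_s=1800,
                        predictor=round_robin_over(inservice),
                        inservice=inservice)
    first, _ = table.lookup("10.1.1.5", now=0)             # miss: predictor picks
    same, hit = table.lookup("10.1.1.200", now=60)          # same /24: same real
    inservice.discard(first)                                # that real fails
    moved, hit2 = table.lookup("10.1.1.5", now=120)         # entry unusable: re-pick
    later, hit3 = table.lookup("10.1.1.5", now=120 + 1800)  # idle timeout: miss
    left = table.expire(now=120 + 1800 + 1800)
    return {"first": first, "same": same, "hit": hit, "moved": moved,
            "hit2": hit2, "later": later, "hit3": hit3, "left": left}
```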
Design Configuration
Design Configuration: ACE Service Virtualization (figure)
Physical Device: Admin Context, Context 1, Context 2, Context 3
Context Definition, Resource Allocation
ANM Management Station, AAA
Design Configuration: ACE Virtualization
Provides the means to partition one physical unit into independently managed logical engines
Provisions resources per logical device
Almost every feature subsystem is virtualized, including the Linux kernel
Logical devices are called virtual contexts, each with independent resource allocation and policies
A default context called the 'Admin' context is available initially; customers who do not wish to use virtualization can perform all operations from within the 'Admin' context
ACE Module: 250 contexts + Admin context supported
ACE Appliance: 20 contexts + Admin context supported
Design Configuration: ACE Resource Management
By default, every context is a member of the 'default' resource-class, with unlimited access to system resources
Resources can be guaranteed in three ways:
No guaranteed resources, but access to any available resource
X% of resources guaranteed, with no access to other additional resources
X% of resources guaranteed and access to any available resource
Minimum limit is specified as a percentage (5.00%)
Maximum limit can equal the Min value or be unlimited
Only one resource-class can be applied per context
Maximum 100 resource-classes can be configured
Sticky resources require a minimum of 1% per context; the default resource-class does not provide this, so associate all contexts with a non-default resource-class
Design Configuration: Router Mode (figure: Subnet A, Subnet B, Subnet C; servers' default gateway: content switch IP)
The preferred configuration for appliances
By default the load balancer acts as a router
The servers' default gateway is the load balancer
The VIP addresses can reside on the client side or the server side
If you do not want to change the IP addresses of the servers, put the VIP on the server side and create a /30 network to the firewall
Design Configuration: Bridge Mode (figure: Subnet A bridged to Subnet B; servers' default gateway: upstream router or firewall's IP address, not ACE's address)
The load balancer acts as a bump in the wire
This is preferred for integrated load balancers like the ACE modules
The servers' default gateway will be the upstream router or firewall
If packets are sent to the physical IP address of the load balancer, it will try to route the packet by default
How Are Customers Using Virtualization? Security and Bridge Mode (figure: Admin Partition, Partition A, Partition B, Partition C)
"The security team continues to fully manage the FWSM and is comfortable with the bridge mode approach. In parallel, we have turned on some extra HTTP security features on ACE"
"Bridge mode on the CSM was great, but ACE takes the same approach to a whole new level with virtualization"
Each pair of bridged VLANs has its own configuration, independent management, and enhanced security
Design Considerations: One-Arm Mode Overview (figure: ACE attached to Subnet B off the upstream router; servers' default gateway: upstream router)
L2-rewrite not possible
Content switch not inline; does not see unnecessary traffic
Requires PBR, the servers' default gateway pointing to the load balancer, or client source NAT
The return traffic is needed!
ACE can insert the user's original IP address as a client header:
policy-map type loadbalance first-match OAM
  class L7Policy
    insert-http x-forwarded-for header-value "%is"
PBR: Policy Based Routing; NAT: Network Address Translation
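With client source NAT the server sees ACE's address on every connection and learns the original client only from the inserted X-Forwarded-For header, so a server that believes that header from any peer lets any sender claim any address. The following is an added example (not code from the deck or from ACE) of how a backend recovers the client address safely: it walks the header from the right and steps left only while the hop it is about to trust is one of its own proxies. The NAT pool 10.0.0.0/24 and the sample addresses are constructed for the example.

```python
import ipaddress
from typing import Optional

# Assumed: the address range ACE uses as source when it NATs client traffic.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(addr: str) -> bool:
    """True if addr is one of our own load balancer / proxy addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Recover the client address from the TCP peer and X-Forwarded-For.

    The rightmost header value was appended by the hop nearest to us, so
    walk right-to-left, and take a value only while the hop that wrote it
    (the current candidate) is trusted. A header arriving from an untrusted
    peer is ignored entirely, which defeats a client forging its own entry."""
    hops = [h.strip() for h in xff_header.split(",")] if xff_header else []
    candidate = peer_addr
    for hop in reversed(hops):
        if not is_trusted(candidate):
            break
        try:
            candidate = str(ipaddress.ip_address(hop))
        except ValueError:
            break                      # malformed hop: keep the last good address
    return candidate


def demo_cases() -> dict:
    """Constructed peer/header pairs and the address each should resolve to."""
    return {
        # direct connection from an untrusted host claiming to be someone else
        "spoof_direct": client_ip("198.51.100.7", "203.0.113.9"),
        # normal one-arm case: ACE NATed the client and inserted the header
        "via_ace": client_ip("10.0.0.5", "203.0.113.9"),
        # client supplied its own header; ACE appended the real address after it
        "spoof_via_ace": client_ip("10.0.0.5", "1.1.1.1, 203.0.113.9"),
        # two trusted hops in a row (e.g. a second ACE context)
        "chained": client_ip("10.0.0.5", "203.0.113.9, 10.0.0.7"),
        # header missing: the NAT address is all we have
        "no_header": client_ip("10.0.0.5", None),
    }
```

Logging and access control on the server should use the address this function returns, never the raw header.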
Design Considerations: One-Arm Mode, packet flow without PBR, client NAT, or the servers' gateway being set to the load balancer (figure)
1. Client to VIP: Router MAC to LB MAC; source Client IP / random port; destination VIP / VIP port
2. Load balancer to selected server: CS MAC to Server MAC; source Client IP / random port; destination selected Server IP / VIP port
3. Server replies directly to the client: source selected Server IP / VIP port, destination Client IP / random port, bypassing the load balancer; the client, which expected the VIP, answers with a RST
L2 One-Arm Mode: Return Traffic Bypassing ACE (figure: Subnet B; servers' default gateway: upstream router)
Bypass for return traffic: high throughput!
Requires MAC rewrite, L2 adjacency
Servers need identical loopback addresses (one per VIP)
TCP termination not possible: no L7 features!
Load balancer blind to return traffic (inband, accounting)
Redundancy Model
Redundancy groups (Fault Tolerance, FT groups) are configured based on virtual contexts
Two instances of the same context (on two distinct ACE modules) form a redundancy group, one being active and the other standby
The peer ACE can be in the same or a different Cisco Catalyst 6k chassis
Both ACE modules can be active at the same time, processing traffic for distinct contexts, and backing up each other (stateful redundancy)
Example (figure): two ACE modules, four FT groups, four virtual contexts (A, B, C, D); ACE-1 is active for A and B (FT Group 1, FT Group 2) and standby for C' and D'; ACE-2 is active for C and D (FT Group 3, FT Group 4) and standby for A' and B'; the two modules are joined by the FT VLAN
Policy Configuration Examples
Policy Lookup Order
There can be many features applied on a given interface, so feature lookup ordering is important. The feature lookup order followed by the datapath in ACE is as follows:
1. Access-control (permit or deny a packet)
2. Management traffic
3. TCP normalization/connection parameters
4. Server load balancing
5. Fix-ups/application inspection
6. Source NAT
7. Destination NAT
The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface
Application Networking Manager 1.2
ANM 1.2 provides turnkey control and administration for ACE Modules and ACE Appliances
ANM 1.2 provides multidevice application management of large-scale data center operations
ANM 1.2: Configure Basic Server Load Balancing (screenshots: Configure Virtual Server (VIP); Configure Load Balancing Actions; Create Server Farm; Create Health Monitoring Probes; Add Real Servers)
Easy to use server load balancing configuration
Intuitive GUI design prompts the user to configure VIP details as necessary; advanced options appear as the user drills down
Policy CLI Overview
1. Define match criteria
2. Associate actions to match criteria
3. Activate the classification-action rules on either an interface or "globally"
class-map C1
  match
policy-map P1
  class C1
interface vlanX
  service-policy input P1
Modular Policy CLI: Class Maps
The class-map command is used to define a traffic class. The purpose of a traffic class is to classify traffic.
A traffic class contains three major elements: a name, a series of match commands, and, if more than one match command exists in the traffic class, an instruction on how to evaluate these match commands
class-map type management match-any REMOTE-ACCESS
  description REMOTE-ACCESS-TRAFFIC-MATCH
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any
  6 match protocol https any
Modular Policy CLI: Class-Maps
A class-map can associate an existing class-map of the same type using the match class statement
Supported only for L7 class-maps; limitation of only two levels of association
Used to achieve complex logical expressions; easy combination of and and or statements
class-map match-all WEB-CM
  2 match virtual-address 172.16.73.10 tcp eq www
!
class-map type http loadbalance match-any IMAGE-CM
  2 match http url .*gif
  3 match http url .*jpg
  4 match http url .*jpeg
Modular Policy CLI: Policy-Maps
The policy-map command is used to define the actions to be performed on the traffic. Policy-maps can be based on L3/4/7 information. Traffic that does not match a specified classification in the policy-map is then matched against the class-default policy
first-match: the class-action pairs within the policy-map are looked up sequentially and the actions listed against the first matching class-map in the policy-map are executed. The order of class-maps within the policy-map matters. E.g. policy-maps of type 'loadbalance', 'management' and 'ftp'
all-match: an attempt is made to match traffic against all classes in the policy-map and the actions of all matching classes are executed. E.g. policy-map of type inspect http
multi-match: specifies that the policy-map supports multiple feature actions and each feature by itself can have only one match (first match). The policy as a whole has multiple matches due to multiple features
policy-map type management first-match REMOTE-MGMT
  class REMOTE-ACCESS
    permit
Modular Policy CLI: Policy-Maps (load balancing example)
policy-map type loadbalance first-match APPLICATION-PM
  class IMAGE-CM
    serverfarm IMAGE-SF
  class class-default
    sticky-serverfarm WEB-SF
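The match-any/match-all and first-match/all-match semantics above decide where a request goes, and the first-match rule is why the order of classes in APPLICATION-PM matters. The following is an added example (not code from the deck or from ACE) that models class-maps with nested match class, and policy-maps in both modes, then runs the deck's IMAGE-CM / APPLICATION-PM configuration against sample URLs, including a mis-ordered copy in which class-default shadows IMAGE-CM. Matching a url regex against the whole path, the STATIC-CM and HTTP-INSPECT-PM objects and the sample URLs are assumptions of the example.

```python
import re


class ClassMap:
    """An ACE-style class-map. match-any: any one match suffices; match-all:
    every match must hold. A match may itself be another ClassMap (the
    'match class' statement), which the deck limits to two levels."""

    def __init__(self, name, mode, matches):
        if mode not in ("match-any", "match-all"):
            raise ValueError(mode)
        self.name, self.mode, self.matches = name, mode, list(matches)

    def nesting(self):
        """Length of the longest 'match class' chain below this class-map."""
        inner = [m.nesting() + 1 for m in self.matches if isinstance(m, ClassMap)]
        return max(inner, default=0)

    def evaluate(self, req):
        results = [m.evaluate(req) if isinstance(m, ClassMap) else m(req)
                   for m in self.matches]
        return any(results) if self.mode == "match-any" else all(results)


def match_http_url(regex):
    """'match http url <regex>'. Assumed here to match the whole URL path,
    which is why the deck's patterns start with '.*'."""
    pat = re.compile(regex)
    return lambda req: pat.fullmatch(req["url"]) is not None


class PolicyMap:
    """first-match: only the first matching class's action runs, so order
    matters. all-match: every matching class's action runs. 'class-default'
    matches anything that reaches it."""
    MAX_NESTING = 2

    def __init__(self, name, mode, entries):
        self.name, self.mode, self.entries = name, mode, list(entries)
        for cm, _ in self.entries:
            if isinstance(cm, ClassMap) and cm.nesting() > self.MAX_NESTING:
                raise ValueError(f"{cm.name}: more than two levels of match class")

    def evaluate(self, req):
        actions = []
        for cm, action in self.entries:
            if cm == "class-default" or cm.evaluate(req):
                actions.append(action)
                if self.mode == "first-match":
                    break
        return actions


# The deck's IMAGE-CM / APPLICATION-PM rebuilt with these objects.
IMAGE_CM = ClassMap("IMAGE-CM", "match-any",
                    [match_http_url(r".*gif"), match_http_url(r".*jpg"),
                     match_http_url(r".*jpeg")])
APPLICATION_PM = PolicyMap("APPLICATION-PM", "first-match", [
    (IMAGE_CM, "serverfarm IMAGE-SF"),
    ("class-default", "sticky-serverfarm WEB-SF"),
])
# The same two classes in the wrong order: class-default now shadows IMAGE-CM.
SHADOWED_PM = PolicyMap("SHADOWED-PM", "first-match", [
    ("class-default", "sticky-serverfarm WEB-SF"),
    (IMAGE_CM, "serverfarm IMAGE-SF"),
])
# Constructed: one level of 'match class', and an all-match policy, the mode
# the deck names for HTTP inspect policy-maps.
STATIC_CM = ClassMap("STATIC-CM", "match-any", [IMAGE_CM, match_http_url(r".*css")])
INSPECT_PM = PolicyMap("HTTP-INSPECT-PM", "all-match", [
    (STATIC_CM, "permit"),
    (ClassMap("IMG-DIR-CM", "match-all", [match_http_url(r"/img/.*")]), "log"),
])


def route(policy, url):
    """Actions the policy selects for a request to `url` on the WEB-CM VIP."""
    return policy.evaluate({"url": url, "dst": ("172.16.73.10", 80)})
```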
Modular Policy CLI: Activating Policy
Policies are activated on an interface or globally using the 'service-policy' command
The policy-map can be enabled in the 'input' direction, the 'output' direction, or both
Policy-maps applied globally in a context are internally applied on all interfaces existing in the context
service-policy input
Basic Layer 4 Load Balancing
Health Checking: Generic TCP or scripted keepalive
Balancing Requests: Round robin or least connections
Persistence: Required, based on source IP with or without sticky mask
Service Failure Handling: Fail action to purge or default
Basic Layer 4 Load Balancing: Management and Device Access
You need an ACL (access-list EVERYONE below) and a definition of the management traffic (class-map REMOTE-ACCESS below)
rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
!
access-list EVERYONE line 10 extended permit ip any any
!
class-map type management match-any REMOTE-ACCESS
  description REMOTE-ACCESS-traffic-match
  2 match protocol ssh any
  3 match protocol icmp any
  4 match protocol https any
  5 match protocol snmp any
!
policy-map type management first-match REMOTE-MGMT
  class REMOTE-ACCESS
    permit
!
interface vlan 2
  ip address 172.16.1.1 255.255.255.0
  access-group input EVERYONE
  service-policy input REMOTE-MGMT
  no shutdown
Basic Layer 4 Load Balancing
serverfarm TELNET-SF
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
class-map match-all TELNET-CM
  2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    serverfarm TELNET-SF
!
policy-map multi-match LOADBALANCE
  class TELNET-CM
    loadbalance vip inservice
    loadbalance policy TELNET-PM
!
interface vlan 2
  ip address 172.16.1.1 255.255.255.0
  access-group input EVERYONE
  service-policy input REMOTE-MGMT
  service-policy input LOADBALANCE
  no shutdown
Probe Configuration Options
probe icmp PING-PROBE
  interval 5
  passdetect interval 5
  passdetect count 3
probe tcp TCP-PROBE
  interval 10
  passdetect interval 10
  passdetect count 3
probe telnet TELNET-PROBE
  interval 20
  passdetect interval 10
  passdetect count 3
!
serverfarm TELNET-SF
  probe PING-PROBE
  probe TCP-PROBE
  probe TELNET-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
Common show commands:
show serverfarm TELNET-SF
show probe
show probe TELNET-PROBE detail
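The interval, passdetect interval and passdetect count settings above, together with the fail count shown later in the show probe output, form a small state machine per probe and real. The following is an added example (not code from the deck or from ACE) that models it: a real is marked FAILED after fail_count consecutive failures, is re-polled every passdetect interval while failed, returns to PASSED only after passdetect count consecutive successes, and is usable by the serverfarm only when all three probes bound to it pass. The probe outcomes fed in are constructed; the initial INIT state is an assumption.

```python
class Probe:
    """One probe definition: poll interval for a healthy real, re-poll
    interval while it is failed, and the consecutive-result thresholds."""

    def __init__(self, name, interval, passdetect_interval,
                 fail_count=3, passdetect_count=3):
        self.name = name
        self.interval = interval
        self.passdetect_interval = passdetect_interval
        self.fail_count = fail_count
        self.passdetect_count = passdetect_count


class ProbeState:
    """Bookkeeping for one (probe, real) pair."""

    def __init__(self, probe):
        self.probe = probe
        self.state = "INIT"          # INIT -> PASSED <-> FAILED
        self.fails = 0               # consecutive failures
        self.passes = 0              # consecutive successes while FAILED
        self.probed = self.failed = 0

    def next_interval(self):
        """How long until this pair is probed again."""
        return (self.probe.passdetect_interval if self.state == "FAILED"
                else self.probe.interval)

    def record(self, ok):
        self.probed += 1
        if ok:
            self.fails = 0
            if self.state == "FAILED":
                self.passes += 1
                if self.passes >= self.probe.passdetect_count:
                    self.state, self.passes = "PASSED", 0
            else:
                self.state = "PASSED"
        else:
            self.failed += 1
            self.passes = 0
            self.fails += 1
            if self.state != "FAILED" and self.fails >= self.probe.fail_count:
                self.state = "FAILED"
        return self.state


class ServerFarm:
    """A real is usable only while every probe bound to the farm passes for it."""

    def __init__(self, name, probes, reals):
        self.name = name
        self.reals = list(reals)
        self.states = {(p.name, r): ProbeState(p) for p in probes for r in reals}

    def record(self, probe_name, real, ok):
        return self.states[(probe_name, real)].record(ok)

    def real_state(self, real):
        states = [s.state for (_, r), s in self.states.items() if r == real]
        if all(s == "PASSED" for s in states):
            return "OPERATIONAL"
        return "PROBE-FAILED" if "FAILED" in states else "INIT"

    def usable(self):
        return [r for r in self.reals if self.real_state(r) == "OPERATIONAL"]


def demo_probe_lifecycle():
    """TELNET-SF with the three probes configured above; SERVER1's telnet
    daemon hangs for three polls and then recovers."""
    farm = ServerFarm("TELNET-SF",
                      [Probe("PING-PROBE", 5, 5), Probe("TCP-PROBE", 10, 10),
                       Probe("TELNET-PROBE", 20, 10)],
                      ["SERVER1", "SERVER2"])
    for p in ("PING-PROBE", "TCP-PROBE", "TELNET-PROBE"):
        for r in ("SERVER1", "SERVER2"):
            farm.record(p, r, True)
    after_start = farm.usable()
    farm.record("TELNET-PROBE", "SERVER1", False)
    farm.record("TELNET-PROBE", "SERVER1", False)
    after_two = farm.usable()                   # two failures: still in rotation
    farm.record("TELNET-PROBE", "SERVER1", False)
    after_three = farm.usable()                 # third failure: taken out
    interval_while_failed = farm.states[("TELNET-PROBE", "SERVER1")].next_interval()
    farm.record("TELNET-PROBE", "SERVER1", True)
    after_one_pass = farm.usable()              # one success is not enough
    farm.record("TELNET-PROBE", "SERVER1", True)
    farm.record("TELNET-PROBE", "SERVER1", True)
    recovered = farm.usable()                   # passdetect count reached
    return (after_start, after_two, after_three, interval_while_failed,
            after_one_pass, recovered)
```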
ANM Probe Configuration
Probe Configuration Options
ACE-1/routed(config-sfarm-host-rs)# do show serverfarm TELNET-SF
 serverfarm     : TELNET-SF, type: HOST
 total rservers : 3
 ----------------------------------------------connections-----------
       real                  weight state        current    total      failures
    ---+---------------------+------+------------+----------+----------+---------
    rserver: TEST
       192.168.1.222:0         8      ARP_FAILED   0          0          0
    rserver: SERVER1
       192.168.1.1:0           8      PROBE-FAILED 0          0          0
    rserver: SERVER2
       192.168.1.2:0           8      PASSED       0          0          0
Probe Configuration Options
ACE-1/routed# show probe TELNET-PROBE

probe       : TELNET-PROBE
type        : TELNET
state       : ACTIVE
----------------------------------------------
   port      : 23        address     : 0.0.0.0         addr type  :
   interval  : 20        pass intvl  : 10              pass count : 3
   fail count: 3         recv timeout: 10

                         --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : TELNET-SF
     real      : SERVER1[0]
                         192.168.1.1     6          0          6          PASSED
     real      : SERVER2[0]
                         192.168.1.2     5          0          5          PASSED
Basic Layer 4 Load Balancing
probe tcp TCP-PROBE
  port 23
  interval 5
  passdetect interval 3
!
serverfarm TELNET-SF
  probe TCP-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
class-map match-all TELNET-CM
  2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    serverfarm TELNET-SF
!
policy-map multi-match LOADBALANCE
  class TELNET-CM
    loadbalance vip inservice
    loadbalance policy TELNET-PM
!
interface vlan 2
  ip address 172.16.1.1 255.255.255.0
  access-group input EVERYONE
  service-policy input REMOTE-MGMT
  service-policy input LOADBALANCE
  no shutdown
Predictors Configuration Options
ACE-1/routed(config-sfarm-host)# predictor ?
  hash             Configure 'hash' Predictor algorithms
  least-bandwidth  Configure 'least bandwidth' Predictor algorithm
  least-loaded     Configure 'least loaded' predictor algorithm
  leastconns       Configure 'least conns' Predictor algorithm
  response         Configure 'response' Predictor algorithm
  roundrobin       Configure 'round robin' Predictor algor (default)
Configuration options:
  predictor roundrobin
  predictor leastconns slowstart 200
  predictor response syn-to-synack samples 8
  predictor response syn-to-close
  predictor least-bandwidth assess-time 2
ACE-1/routed(config-sfarm-host-predictor)# do show serverfarm detail
 serverfarm     : TELNET-SF, type: HOST
 total rservers : 3
 active rservers: 2
 description    :
 state          : ACTIVE
 predictor      : RESPONSE
   method       : syn-to-synack
   samples      : 8
ANM Predictor Configuration
Basic Layer 4 Load Balancing: Predictors

serverfarm TELNET-SF
  predictor response syn-to-synack samples 8
  probe TCP-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
class-map match-all TELNET-CM
  2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm STICKY
!
policy-map multi-match L4
  class TELNET-CM
    loadbalance vip inservice
    loadbalance policy TELNET-PM
!
Persistence Configuration Options
sticky ip-netmask 255.255.255.0 address source T-STICKY
  serverfarm TELNET-SF
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm T-STICKY
ANM Persistence Configuration
Basic Layer 4 Load Balancing: Sticky

serverfarm TELNET-SF
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  probe TCP
!
sticky ip-netmask 255.255.240.0 address source T-STICKY
  serverfarm TELNET-SF
!
class-map match-all TELNET-CM
  2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm T-STICKY
!
policy-map multi-match L4
  class TELNET-CM
    loadbalance vip inservice
    loadbalance policy TELNET-PM
!
Basic Web Load Balancing
Health Checking           Generic TCP or Scripted Keepalive
Balancing Requests        Round Robin or Least Connections
Persistence               Required based on Source IP with or without sticky mask
Service Failure Handling  Fail action to purge or default
Probe Configuration Options
probe http HTTP-PROBE
  interval 5
  passdetect interval 3
  request method get url /index.html
  expect status 200 200
!
probe https HTTPs-PROBE
  interval 5
  faildetect 2
  passdetect interval 3
  request method get url /secure/index.html
  expect status 200 202
  ssl cipher RSA_WITH_RC4_128_MD5
Basic Web Load Balancing: Probes

probe http HTTP-PROBE
  interval 5
  passdetect interval 3
  request method get url /index.html
  expect status 200 499                 <- What should I look for?
!
probe https HTTPS-PROBE
  interval 5
  faildetect 2
  passdetect interval 3
  request method get url /secure/index.ht
  expect status 200 200
  ssl cipher RSA_WITH_RC4_128_MD5       <- You can check specific ciphers
!
serverfarm HTTPS-SF
  probe HTTPS-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
serverfarm HTTP-SF
  probe HTTP-PROBE
  predictor leastconns slowstart 100
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
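The probe knobs above (interval, faildetect, passdetect interval, expect status) form a small state machine per real server. The following is an added example, not code from the deck or from Cisco, that models it: a real is marked FAILED after faildetect consecutive misses, is then probed at the shorter passdetect interval, and needs passdetect consecutive passes to come back. The rule that a first-ever pass brings a real in service immediately, and the exact counter names, are assumptions of this model; the HTTP responses are constructed.

```python
import re


class HttpProbeConfig:
    """Knobs that mirror the slide's probe commands (added example, not ACE code)."""

    def __init__(self, expect_min=200, expect_max=200, interval=5,
                 faildetect=3, passdetect_interval=3, passdetect_count=3):
        self.expect_min, self.expect_max = expect_min, expect_max   # expect status MIN MAX
        self.interval = interval                                    # interval (healthy)
        self.faildetect = faildetect                                # misses before FAILED
        self.passdetect_interval = passdetect_interval              # interval while FAILED
        self.passdetect_count = passdetect_count                    # passes to recover


STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")


class HttpProbe:
    def __init__(self, cfg):
        self.cfg = cfg
        self.state = "INIT"          # INIT -> SUCCESS / FAILED
        self.run_fail = self.run_pass = 0
        self.probes = self.failed = self.passed = 0

    def evaluate(self, raw_response):
        """A probe passes only if the status code is inside the expect range."""
        if raw_response is None:     # timeout, RST, nothing listening
            return False
        m = STATUS_LINE.match(raw_response)
        if not m:                    # something answered, but not with HTTP
            return False
        return self.cfg.expect_min <= int(m.group(1)) <= self.cfg.expect_max

    def tick(self, raw_response):
        """Feed one probe result; returns the real's health state afterwards."""
        self.probes += 1
        if self.evaluate(raw_response):
            self.passed += 1
            self.run_fail, self.run_pass = 0, self.run_pass + 1
            # assumption: the first pass ever brings a real in service at once;
            # after a failure it takes passdetect_count consecutive passes
            if self.state == "INIT" or self.run_pass >= self.cfg.passdetect_count:
                self.state = "SUCCESS"
        else:
            self.failed += 1
            self.run_pass, self.run_fail = 0, self.run_fail + 1
            if self.run_fail >= self.cfg.faildetect:
                self.state = "FAILED"
        return self.state

    def next_interval(self):
        """While FAILED, the real is re-probed at the passdetect interval."""
        return self.cfg.passdetect_interval if self.state == "FAILED" else self.cfg.interval


def demo():
    # constructed responses, as the probe would read them from the real server
    ok = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    accepted = b"HTTP/1.1 202 Accepted\r\n\r\n"
    redirect = b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
    probe = HttpProbe(HttpProbeConfig(expect_min=200, expect_max=202, faildetect=2))
    trace = []
    for resp in (ok, accepted, redirect, None, ok, ok, ok):
        trace.append((probe.tick(resp), probe.next_interval()))
    return trace


if __name__ == "__main__":
    for state, interval in demo():
        print(state, interval)
```

The 302 in the trace is the point of the slide's "what should I look for?" remark: a login page that redirects still answers, so an `expect status 200 499` range would keep a broken application in service, while the tighter 200-202 range counts it as a miss.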
Basic Web Load Balancing

class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    serverfarm HTTP-SF
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm HTTPS-SF
!
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance vip icmp-reply [active]
    loadbalance policy SSL-PM
!

loadbalance vip icmp-reply active: configures the VIP to reply to ICMP ECHO. The active option instructs the ACE to reply to an ICMP request only if the configured VIP is active.
Persistence Configuration Options
sticky http-cookie ILIKECOOKIES STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF backup SORRY-SF
!
sticky ip-netmask 255.255.240.0 address source STICKY1
  serverfarm HTTPS-SF backup SORRY-SF
!
Basic Web Load Balancing: Sticky Options

sticky http-cookie ILIKECOOKIES STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF
!
sticky ip-netmask 255.255.240.0 address source STICKY1
  serverfarm HTTPS-SF
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    sticky-serverfarm STICKY
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKY1
!
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL-PM
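The two sticky types on these slides (ip-netmask on the source address, and http-cookie with cookie insert) differ only in how the sticky key is derived. The following added example, not code from the deck or from Cisco, models both against one sticky table: the ip-netmask key is the client's address masked to the configured netmask, so every client in the same /20 shares one entry, and the cookie key is a random value the load balancer itself mints and sets. Entry refresh on every hit and expiry after the timeout are assumptions of this model; the server names, the 720-minute timeout and the cookie name come from the slide, the client addresses are constructed.

```python
import ipaddress
import itertools
import secrets


class RoundRobinFarm:
    """Stand-in for 'serverfarm' with the default predictor."""

    def __init__(self, rservers):
        self._cycle = itertools.cycle(rservers)

    def select(self):
        return next(self._cycle)


class StickyGroup:
    """key -> (rserver, expiry). Assumption: an entry is refreshed on every hit
    and expires 'timeout' minutes after the last one."""

    def __init__(self, name, farm, timeout_minutes, clock):
        self.name, self.farm = name, farm
        self.timeout = timeout_minutes * 60
        self.clock = clock                 # injectable so expiry can be demonstrated
        self.table = {}

    def _resolve(self, key):
        now = self.clock()
        entry = self.table.get(key)
        rserver = entry[0] if entry and entry[1] > now else self.farm.select()
        self.table[key] = (rserver, now + self.timeout)
        return rserver


class IpNetmaskSticky(StickyGroup):
    """sticky ip-netmask <mask> address source <name>"""

    def __init__(self, name, farm, netmask, timeout_minutes, clock):
        super().__init__(name, farm, timeout_minutes, clock)
        self.netmask = netmask

    def select(self, src_ip):
        net = ipaddress.ip_network(f"{src_ip}/{self.netmask}", strict=False)
        return self._resolve(str(net.network_address))   # one entry per masked prefix


class CookieInsertSticky(StickyGroup):
    """sticky http-cookie <cookie-name> <name> with 'cookie insert'"""

    def __init__(self, name, farm, cookie_name, timeout_minutes, clock):
        super().__init__(name, farm, timeout_minutes, clock)
        self.cookie_name = cookie_name

    def select(self, cookie_header):
        """Returns (rserver, Set-Cookie value or None if the client already had one)."""
        cookies = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
        value = cookies.get(self.cookie_name)
        now = self.clock()
        entry = self.table.get(value) if value else None
        if entry and entry[1] > now:
            self.table[value] = (entry[0], now + self.timeout)
            return entry[0], None
        # unknown, forged or expired cookie: balance afresh and mint a new value
        rserver = self.farm.select()
        value = secrets.token_hex(8)
        self.table[value] = (rserver, now + self.timeout)
        return rserver, f"{self.cookie_name}={value}"


def demo():
    clock = [0.0]
    now = lambda: clock[0]
    by_ip = IpNetmaskSticky("STICKY1", RoundRobinFarm(["SERVER1", "SERVER2", "SERVER3"]),
                            "255.255.240.0", 720, now)
    out = {"first": by_ip.select("10.1.5.7"),        # constructed clients
           "same_20": by_ip.select("10.1.9.200"),    # same /20 as the first
           "other_20": by_ip.select("10.1.16.1")}    # different /20
    clock[0] = 721 * 60                              # the 720 min timeout has passed
    out["expired"] = by_ip.select("10.1.5.7")

    by_cookie = CookieInsertSticky("STICKY", RoundRobinFarm(["SERVER1", "SERVER2"]),
                                   "ILIKECOOKIES", 720, now)
    r1, set1 = by_cookie.select("")                      # no cookie yet
    r2, set2 = by_cookie.select("lang=en; " + set1)      # presents the minted cookie
    r3, set3 = by_cookie.select("ILIKECOOKIES=forged")   # value never issued
    out["cookie"] = (r1, r2, r3, set2 is None, set1.startswith("ILIKECOOKIES="), set3 != set1)
    return out


if __name__ == "__main__":
    print(demo())
```

The forged-cookie branch is the security-relevant one: because the load balancer only honours values it minted itself, a client cannot steer itself onto a chosen real by guessing a cookie, and a mask-based key cannot be influenced by anything in the HTTP request at all.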
Web Load Balancing: Big Header Issue... Where's the Cookie?

parameter-map type http INSENSITIVE
  case-insensitive
  persistence-rebalance
  set header-maxparse-len 8192
....
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
    appl-parameter http advanced-options INSENSITIVE
URL Parsing

parameter-map type http INSENSITIVE
  case-insensitive
  persistence-rebalance
  set header-maxparse-len 8192
!
class-map type http loadbalance match-any URL-MATCHING
  2 match http url .*
class-map type http loadbalance match-any URL-IMAGE
  2 match http url /image/.*
class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
serverfarm IMAGE-SF
  probe IMAGE-PROBE
  rserver IMAGE1
    inservice
  rserver IMAGE2
    inservice
serverfarm WEB-SF
  probe WEB-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
sticky http-cookie IMAGE-COOKIES IMAGECOOKIE
  cookie insert browser-expire
  serverfarm IMAGE-SF backup WEB-SF
sticky http-cookie WEB-COOKIES WEBCOOKIE
  cookie insert browser-expire
  serverfarm WEB-SF
!
policy-map type loadbalance first-match HTTP-PM
  class URL-IMAGE
    sticky-serverfarm IMAGE-COOKIE
  class URL-MATCHING
    sticky-serverfarm WEB-COOKIE
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
    appl-parameter http advanced-options INSENSITIVE
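Two things on the last two slides are easy to get wrong in practice: a first-match policy is order-sensitive, and a cookie that sits beyond header-maxparse-len is simply not seen. The following added example, not code from the deck or from Cisco, models both: class-map regexes are tried in order, case-insensitively, and only the first header-maxparse-len bytes of a request are parsed. The 2048-byte default and the regex-anchored-at-URL-start matching are assumptions of this model; the class names and patterns come from the slide, the requests are constructed.

```python
import re


class L7LoadBalancePolicy:
    """policy-map type loadbalance first-match: the first class whose URL regex
    matches picks the (sticky-)serverfarm. Only the first 'header_maxparse_len'
    bytes of a request are parsed, like 'set header-maxparse-len'.
    Added example; the 2048-byte default is an assumption of this model."""

    def __init__(self, classes, case_insensitive=True, header_maxparse_len=2048):
        flags = re.IGNORECASE if case_insensitive else 0
        self.rules = [(name, re.compile(rx, flags), farm) for name, rx, farm in classes]
        self.maxparse = header_maxparse_len

    def parse_request(self, raw):
        window = raw[: self.maxparse]
        head, sep, _ = window.partition(b"\r\n\r\n")
        complete = sep == b"\r\n\r\n"           # False: headers run past the parse limit
        lines = head.split(b"\r\n")
        _, url, _ = lines[0].decode("ascii").split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        return url, headers, complete

    def classify(self, raw):
        """Returns (class name, sticky group, cookie header or None)."""
        url, headers, complete = self.parse_request(raw)
        # assumption: an incompletely parsed header block yields no usable cookie
        cookie = headers.get("cookie") if complete else None
        for name, rx, farm in self.rules:
            if rx.match(url):                   # assumption: anchored at URL start
                return name, farm, cookie
        return None, None, cookie


def demo():
    classes = [("URL-IMAGE", r"/image/.*", "IMAGE-COOKIE"),
               ("URL-MATCHING", r".*", "WEB-COOKIE")]
    policy = L7LoadBalancePolicy(classes, header_maxparse_len=8192)
    # constructed requests
    img = b"GET /IMAGE/logo.gif HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    page = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    # ~3 KB of headers before the cookie, as a bloated browser or proxy might send
    fat = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
           b"X-Filler: " + b"a" * 3000 + b"\r\nCookie: ILIKECOOKIES=abc123\r\n\r\n")
    out = {
        "image": policy.classify(img)[0],
        "page": policy.classify(page)[0],
        "cookie_8192": policy.classify(fat)[2],
        "cookie_2048": L7LoadBalancePolicy(classes).classify(fat)[2],
    }
    # the catch-all class listed first shadows every other class
    out["misordered"] = L7LoadBalancePolicy(list(reversed(classes))).classify(img)[0]
    return out


if __name__ == "__main__":
    print(demo())
```

With the default parse length the cookie is never found, so every such request is re-balanced and the client loses its session, which is the symptom the "Where's the Cookie?" slide describes; raising header-maxparse-len is the fix, and putting the catch-all `.*` class last is the other half of getting this policy right.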
Server-Server Communication Should Use the Same VIP as Clients
[Diagram: client 12.20.234.1; VIP 172.16.1.100; sNAT address 172.16.1.101; servers .16 and .183 on 172.16.1.0]
Clients-to-VIP Load Balanced Flows: No SRC-NAT

class-map match-all BASIC-CM
  2 match virtual-address 172.16.1.100 any
policy-map type multi-match CLIENT
  class TCP-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM

interface VLAN 107
  description "Client-side Interface"
  bridge-group 1
  access-group input anyone
  service-policy input CLIENT

interface VLAN 207
  description "Server-side Interface"
  bridge-group 1
  access-group input anyone

[Diagram: client 12.20.234.1 to VIP 172.16.1.100; servers .16 and .183 on 172.16.1.0. Flows shown: Client to VIP, Server to Client]

switch/orange# sh conn
total current connections : 4
conn-id    np dir proto VLAN source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
96         1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
97         1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB
Server-to-Server Load Balanced Flows: Same ACE Interface

class-map match-all BASIC-CM
  2 match virtual-address 12.20.234.100 any
policy-map type multi-match CLIENT
  class TCP-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
policy-map type multi-match SERVER
  class BASIC-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
    nat dynamic 123 VLAN 207

interface VLAN 107
  description "Client-side Interface"
  bridge-group 1
  access-group input anyone
  service-policy input CLIENT

interface VLAN 207
  description "Server-side Interface"
  bridge-group 1
  access-group input anyone
  nat-pool 123 12.20.234.101 12.20.234.101 netmask 255.255.255.255 pat
  service-policy input SERVER

[Diagram: client 12.20.234.1; VIP 172.16.1.100; sNAT 172.16.1.101; servers .16 and .183 on 172.16.1.0. Flows shown: Client to VIP, Server to Source NAT IP]

switch/orange# sh conn
total current connections : 4
conn-id    np dir proto VLAN source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
96         1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
97         1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB
Security Features
Security Features: Isn't the Firewall Enough?

Enterprises are making more and more application services available via the web
Deploying a web application means inviting potentially malicious HTTP requests
Web application code becomes part of the network security perimeter
Who is responsible for patching customer web applications?

[Diagram: Web Client -> Firewall (port 80 and 443 open) -> Web Server -> Application -> Database Server; unfiltered web traffic passes the firewall]

Existing network firewalls alone cannot adequately inspect protocols and application data
Security Features in ACE

TCP/IP normalization
  Built-in transport protocol security
  User configurable, to meet security requirements

Application protocol inspection
  Advanced HTTP inspection
  RFC compliance
  MIME type validation
  Prevent tunneling protocols over HTTP ports
Security Features: IP/UDP/ICMP Exploits Blocked by ACE

IP checks performed by ACE:
  Automatic anti-spoofing (source IP = dest IP); unicast RPF check
    src IP == dest IP, src IP or dest IP == 127.x.x.x,
    dest IP >= 240.0.0.0, src IP == 0.x.x.x, src IP >= 224.0.0.0
  Header length check (min and max lengths, L3 < L2)
  IP options control
  Drop illicit IP addresses (source IP = class D or broadcast or loopback)
  Overlapping fragments dropped, control over max number of fragments
  ARP inspection in transparent mode

ICMP checks performed by default:
  Requests and responses matching
  Prevents injection of unsolicited ICMP errors
  Countermeasures specified in draft-gont-tcpm-icmp-attacks.txt

Blocked attacks: Timestamp/Route Record/Source Routing/Fragment DoS attacks, IP spoofing, Ping of Death, ICMP flood, Smurf, ARP attacks
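The IP checks listed above are mechanical enough to write down. The following added example, not code from the deck or from Cisco, implements the address and length checks as a function that returns the list of violations for one IPv4 header, plus a small per-datagram tracker that rejects overlapping fragments and caps the fragment count. The fragment limit of 24 and the check names are assumptions of this model; the packets are constructed with a zero checksum, which none of these checks look at.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ZERO_NET = ipaddress.ip_network("0.0.0.0/8")
CLASS_D_START = ipaddress.IPv4Address("224.0.0.0")
CLASS_E_START = ipaddress.IPv4Address("240.0.0.0")


def check_ipv4(pkt, frame_payload_len=None):
    """Return the violations found in one IPv4 header; [] means it passes.
    Added example; the check names are this model's, not ACE's."""
    bad = []
    if len(pkt) < 20:
        return ["truncated-header"]
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4:
        bad.append("not-ipv4")
    if ihl < 20 or ihl > 60 or ihl > len(pkt):
        bad.append("bad-header-length")
    elif ihl > 20:
        bad.append("ip-options-present")      # 'IP options control': allow/clear/drop by policy
    total_len = struct.unpack("!H", pkt[2:4])[0]
    frame_len = len(pkt) if frame_payload_len is None else frame_payload_len
    if total_len > frame_len:
        bad.append("l3-length-exceeds-l2")    # the 'L3 < L2' length check
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    if src == dst:
        bad.append("src-equals-dst")          # land-style spoof
    if src in LOOPBACK or dst in LOOPBACK:
        bad.append("loopback-address")
    if src in ZERO_NET:
        bad.append("zero-network-source")
    if src >= CLASS_D_START:
        bad.append("multicast-or-reserved-source")
    if dst >= CLASS_E_START:
        bad.append("reserved-or-broadcast-destination")
    return bad


class FragmentTracker:
    """Per-datagram bookkeeping: overlapping fragments and too many fragments are
    rejected. The limit of 24 is an assumption for illustration."""

    def __init__(self, max_fragments=24):
        self.max_fragments = max_fragments
        self.datagrams = {}

    def accept(self, pkt):
        ident = struct.unpack("!H", pkt[4:6])[0]
        flags_off = struct.unpack("!H", pkt[6:8])[0]
        more = bool(flags_off & 0x2000)
        offset = (flags_off & 0x1FFF) * 8
        if not more and offset == 0:
            return True                       # not a fragment at all
        ihl = (pkt[0] & 0x0F) * 4
        length = struct.unpack("!H", pkt[2:4])[0] - ihl
        key = (pkt[12:16], pkt[16:20], pkt[9], ident)
        ranges = self.datagrams.setdefault(key, [])
        if len(ranges) >= self.max_fragments:
            return False
        new = (offset, offset + length)
        if any(new[0] < hi and lo < new[1] for lo, hi in ranges):
            return False                      # overlap: teardrop-style reassembly abuse
        ranges.append(new)
        return True


def build_ipv4(src, dst, payload=b"", ident=1, more=False, offset=0, proto=17):
    """Constructed packets for the demo (checksum left zero)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def demo():
    t = FragmentTracker()
    frag1 = build_ipv4("198.51.100.7", "203.0.113.9", b"x" * 16, more=True, offset=0)
    frag2 = build_ipv4("198.51.100.7", "203.0.113.9", b"x" * 16, more=False, offset=8)
    return {
        "clean": check_ipv4(build_ipv4("198.51.100.7", "203.0.113.9", b"hi")),
        "land": check_ipv4(build_ipv4("203.0.113.9", "203.0.113.9")),
        "loopback": check_ipv4(build_ipv4("127.0.0.1", "203.0.113.9")),
        "zero_src": check_ipv4(build_ipv4("0.0.0.9", "203.0.113.9")),
        "mcast_src": check_ipv4(build_ipv4("224.0.0.5", "203.0.113.9")),
        "classE_dst": check_ipv4(build_ipv4("198.51.100.7", "255.255.255.255")),
        "short_frame": check_ipv4(build_ipv4("198.51.100.7", "203.0.113.9", b"x" * 40)[:30]),
        "fragments": [t.accept(frag1), t.accept(frag2)],   # second overlaps bytes 8..16
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```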
Security Features: Hardware-Based TCP Normalization

TCP standard header checks, always performed:
  I.   src port and dest port != 0
  II.  Only SYN packet allowed to create connection
  III. TCP header >= 20 bytes
  IV.  TCP header length checked against the IP header length
  V.   urg flag cleared if urg_pointer is zero
  VI.  If urg flag not present, urg_pointer is cleared
  VII. Illegal flag combinations dropped (SYN|RST etc.)

User configurable:
  I.   reserved bits allow/clear/drop
  II.  urg flag allow/clear/drop
  III. syn-data allow/drop
  IV.  exceed-mss allow/drop
  V.   random-seq-num-disable

Also: random sequence numbers, TCP option processing, TCP state tracking, TCP window checking
Security Features: TCP Exploits Blocked by ACE

1. TCP checks performed by default:
   Enforces correct usage of TCP flags (can be disabled; flags can be cleared)
   Randomization of sequence numbers (cloaks OS type, makes fingerprinting recon attacks unreliable, prevents man-in-the-middle session hijacking)
   Enforces correct header length
   Prevents out-of-state packets
   Prevents packets that do not belong to existing connections
   Possibility to define maximum number of conns per second
   Matches TCP length with IP header's + data
   Blocks illicit ports (port = zero)
   Enforces min and max MSS

Example of blocked attacks: Tear Drop, Session Hijacking, Jolt, Bloop, Targa, Bonk, Boink, Fraggle, Xmas Scan, Null Scan, etc.
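The two TCP normalization slides above list checks that are either always applied or switchable (reserved bits, urg flag, syn-data, exceed-mss). The following added example, not code from the deck or from Cisco, implements them over a raw TCP header: segments are dropped or rewritten according to the configured policy, and a 4-tuple table enforces that only a SYN may create state. Treating a configured maximum MSS as the negotiated one, and the exact reason strings, are assumptions of this model; the segments are constructed with zero checksums.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def illegal_flag_combo(flags):
    """Flag patterns that never occur in legitimate TCP."""
    if (flags & 0x3F) == 0:
        return "null-scan"
    if flags & SYN and flags & RST:
        return "syn+rst"
    if flags & SYN and flags & FIN:
        return "syn+fin"
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        return "xmas-scan"
    return None


class TcpNormalizer:
    """Toy model of the slide's checks (added example, not ACE code). Options
    mirror the configurable knobs: reserved_bits / urg_flag allow|clear|drop,
    syn_data allow|drop, exceed_mss allow|drop. 'max_mss' is an assumption that
    stands in for the MSS negotiated on the connection."""

    def __init__(self, reserved_bits="clear", urg_flag="clear",
                 syn_data="allow", exceed_mss="drop", max_mss=1460):
        self.reserved_bits, self.urg_flag = reserved_bits, urg_flag
        self.syn_data, self.exceed_mss, self.max_mss = syn_data, exceed_mss, max_mss
        self.connections = set()           # 4-tuples that were opened by a SYN

    def normalize(self, src_ip, dst_ip, seg):
        """Return (verdict, reason, segment); 'pass' segments may be rewritten."""
        if len(seg) < 20:
            return "drop", "header-shorter-than-20", seg
        sport, dport, seq, ackno, off_flags, win, csum, urgp = struct.unpack("!HHIIHHHH", seg[:20])
        data_off = (off_flags >> 12) * 4
        reserved = (off_flags >> 9) & 0x7
        flags = off_flags & 0xFF
        if sport == 0 or dport == 0:
            return "drop", "zero-port", seg
        if data_off < 20:
            return "drop", "data-offset-below-20", seg
        if data_off > len(seg):
            return "drop", "header-longer-than-segment", seg   # TCP vs IP length
        bad = illegal_flag_combo(flags)
        if bad:
            return "drop", bad, seg
        key = (src_ip, sport, dst_ip, dport)
        if flags & SYN and not flags & ACK:
            if len(seg) > data_off and self.syn_data == "drop":
                return "drop", "syn-with-data", seg
            self.connections.add(key)
        elif key not in self.connections and (dst_ip, dport, src_ip, sport) not in self.connections:
            return "drop", "no-connection", seg          # only a SYN may create state
        if len(seg) - data_off > self.max_mss and self.exceed_mss == "drop":
            return "drop", "exceeds-mss", seg
        if flags & URG and urgp == 0:                      # always: flag without pointer
            flags &= ~URG
        if not flags & URG:                                # always: pointer without flag
            urgp = 0
        if flags & URG and self.urg_flag == "drop":
            return "drop", "urg-flag", seg
        if flags & URG and self.urg_flag == "clear":
            flags &= ~URG
        if reserved and self.reserved_bits == "drop":
            return "drop", "reserved-bits", seg
        if reserved and self.reserved_bits == "clear":
            reserved = 0
        off_flags = (data_off // 4) << 12 | reserved << 9 | (off_flags & 0x100) | flags
        fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ackno, off_flags, win, csum, urgp)
        return "pass", None, fixed + seg[20:]


def build_tcp(sport, dport, flags, payload=b"", urgp=0, reserved=0):
    """Constructed segments for the demo (checksum left zero)."""
    off_flags = 5 << 12 | (reserved & 0x7) << 9 | flags
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, off_flags, 8192, 0, urgp) + payload


def demo():
    n = TcpNormalizer()
    c, v = "198.51.100.7", "172.16.1.73"
    out = {}
    out["syn"] = n.normalize(c, v, build_tcp(40000, 80, SYN))[0]
    out["ack"] = n.normalize(c, v, build_tcp(40000, 80, ACK))[0]
    out["stray_ack"] = n.normalize(c, v, build_tcp(40001, 80, ACK))[1]
    out["syn_rst"] = n.normalize(c, v, build_tcp(40002, 80, SYN | RST))[1]
    out["port0"] = n.normalize(c, v, build_tcp(0, 80, SYN))[1]
    _, _, seg = n.normalize(c, v, build_tcp(40000, 80, ACK | URG, urgp=0))
    out["urg_cleared"] = (seg[13] & URG) == 0
    _, _, seg = n.normalize(c, v, build_tcp(40000, 80, ACK, reserved=0x7))
    out["reserved_cleared"] = (struct.unpack("!H", seg[12:14])[0] >> 9) & 0x7
    strict = TcpNormalizer(syn_data="drop")
    out["syn_data"] = strict.normalize(c, v, build_tcp(40003, 80, SYN, b"GET /"))[1]
    return out


if __name__ == "__main__":
    print(demo())
```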
Security Features: Denial-of-Service Protection, SYN Cookie

ACE can guard against SYN floods by implementing a key feature called SYN cookie. SYN cookie provides a mechanism to authenticate TCP SYN packets.
  Completely stateless: no ACE memory entries are utilized
  SYN ACK replies carry a cookie in the Sequence field of the TCP header
  Cookie is generated out of a 24 bit random number and MSS encapsulated
  If ACK does not contain the correct cookie, ACE drops the packet
  SYN cookie is enabled per interface on ACE

[Diagram: client SYN -> ACE; ACE SYN ACK (SEQ = cookie) -> client; client ACK (ACK = cookie + 1) -> ACE]
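The SYN cookie exchange on the slide can be written out end to end. The following added example, not code from the deck or from Cisco, mints the SYN/ACK sequence number from a keyed 24-bit hash plus an encoded MSS, then validates the client's ACK without having stored anything in between. The bit layout (5-bit time slot, 3-bit MSS index, 24-bit MAC), the MSS table and the two-slot validity window are assumptions of this model and not ACE's exact construction; the addresses and secret are constructed.

```python
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1220, 1460)   # assumption: 3-bit index into a small MSS table
MAX_AGE_SLOTS = 1               # cookie valid in the current and the previous 64 s slot


def _mac24(secret, src_ip, sport, dst_ip, dport, client_isn, slot):
    """24-bit keyed hash over the SYN's 4-tuple, its ISN and the time slot."""
    msg = struct.pack("!4sH4sHIB", src_ip, sport, dst_ip, dport, client_isn, slot)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(secret, src_ip, sport, dst_ip, dport, client_isn, client_mss, now):
    """SEQ for the SYN/ACK: [5 bits slot][3 bits MSS index][24 bits MAC].
    Nothing is stored; the SYN is forgotten as soon as the SYN/ACK leaves."""
    slot = int(now // 64) & 0x1F
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac24(secret, src_ip, sport, dst_ip, dport, client_isn, slot), "big")
    return (slot << 27) | (idx << 24) | mac


def check_syn_cookie(secret, src_ip, sport, dst_ip, dport, ack_seq, ack_num, now):
    """Validate the handshake's third packet (SEQ = ISN + 1, ACK = cookie + 1).
    Returns the MSS to use for the new connection, or None if the ACK is bogus."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    slot, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = ((int(now // 64) & 0x1F) - slot) & 0x1F
    if age > MAX_AGE_SLOTS or idx >= len(MSS_TABLE):
        return None
    expected = _mac24(secret, src_ip, sport, dst_ip, dport, client_isn, slot)
    if not hmac.compare_digest(expected, mac.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


def demo():
    secret = b"constructed-secret-for-demo"   # a real device keys this from a random per-boot value
    c, v = bytes([198, 51, 100, 7]), bytes([172, 16, 1, 73])
    t0 = 1_000_000.0
    cookie = make_syn_cookie(secret, c, 40000, v, 443, client_isn=777, client_mss=1460, now=t0)
    out = {}
    # genuine third packet of the handshake, a few seconds later
    out["valid"] = check_syn_cookie(secret, c, 40000, v, 443, 778, cookie + 1, t0 + 5)
    # ACK carrying a guessed acknowledgement number
    out["forged"] = check_syn_cookie(secret, c, 40000, v, 443, 778, 0x12345678, t0 + 5)
    # the right cookie, replayed too late
    out["stale"] = check_syn_cookie(secret, c, 40000, v, 443, 778, cookie + 1, t0 + 200)
    # a smaller advertised MSS rounds down to a table entry
    small = make_syn_cookie(secret, c, 40001, v, 443, 1, 1400, t0)
    out["mss_1400"] = check_syn_cookie(secret, c, 40001, v, 443, 2, small + 1, t0)
    return out


if __name__ == "__main__":
    print(demo())
```

The price of statelessness is visible in the last case: only what fits in the cookie survives, so the MSS is rounded down to a table value and other SYN options are lost, which is why SYN cookies are normally engaged only while an interface is under flood.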
Secure Socket Layer (SSL)
SSL: Common Questions, Protocols Over SSL

What protocols are supported? Any TCP-based protocol is supported by the SSL accelerators, including, but not limited to, the following well known protocols:

Secure Service  Secure Port  Service  Port
HTTPS           443          HTTP     80
TELNETS         992          TELNET   25
SPOP3           995          POP      110
SIMAP           993          IMAP     143
SSL-LDAP        636          LDAP     389
SNEWS           563          NNTP     119
SSL Certificate Management

ACE/routed# show crypto files
Filename        File Size  File Type  Exportable  Key/Cert
------------------------------------------------------------
TestKey         1675       PEM        Yes         KEY
TestCert        1135       PEM        Yes         CERT

ACE/routed# crypto import ?
  ftp             Import a key/certificate from an ftp server
  non-exportable  Mark this key/certificate as non-exportable
  sftp            Import a key/certificate from an sftp server
  terminal        Accept a key/certificate from terminal
  tftp            Import a key/certificate from a tftp server

ACE/routed# crypto import terminal certnew.pem       <- server certificate
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIKJ51kxAAAAAAAETANBgkqhkiG9w0BAQUFADBAMRUwEwYK
...
v24KvEoWIIuevUQSsljlP1xOmZq2gW3isYf+5PFu1jltYedt
-----END CERTIFICATE-----
quit

Common commands:
  crypto import terminal
  crypto export
  crypto verify
  show crypto files
  show crypto key all
  show crypto key
  show crypto certificate all
  show crypto certificate
Configuration

In order to configure SSL, you need to add the following to a L3/L4 class map:
  'parameter-map type ssl'
  'ssl-proxy service'
  'policy-map'

The parameter-map is used to define parameters for SSL connections (e.g., SSL version, cipher suites). The ssl-proxy service is used to define the certificates and keys to be used in SSL connections.
SSL Server Offload: Packet Flow with ACE

serverfarm WEB-PROTOCOLS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
  probe HTTP-GET
!
class-map match-all HTTPs
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY

[Flow diagram. Client <-> ACE (L3 flow): SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html (Accept-Encoding: gzip, deflate), HTTPS response. ACE <-> Server 1 (TCP flow): HTTP GET index.html, HTTP 200 OK response index.html]
Basic SSL Offload and Load Balancing: SSL Offload

rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
!
probe http HTTP-GET
  interval 5
  port 81
  passdetect interval 3
  request method get url /secure/index.html
  expect status 200 200
!
parameter-map type ssl CLIENT_PARAM
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
ssl-proxy service CLIENT-SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_PARAM
!
class-map match-all HTTPs
  2 match virtual-address 172.16.1.73 tcp eq 443
!
serverfarm WEB-PROTOCOLS
  probe HTTPs-GET
  rserver SERVER1 81
    inservice
  rserver SERVER2 81
    inservice
!
sticky http-cookie ILIKECOOKIES STICKYCOOKIE
  cookie insert
  serverfarm WEB-PROTOCOLS
!
policy-map type loadbalance first-match SSL
  class class-default
    sticky-serverfarm STICKYCOOKIE
policy-map multi-match L4
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT-SSL
Troubleshooting SSL
Tools:
  Wireshark, tcpdump
  telnet on browser ports
  MSIE plug-ins: IE Inspector, HTTP Watch, IE Watch, ieHttpHeaders
  Mozilla extension: Live HTTP Headers
  PHP/Perl LWP
  wget, curl
  Lynx/Links text-based browsers
Basic SSL Load Balancing: Redirecting Clients to Use SSL

rserver redirect REDIRECT
  webhost-redirection https://%h%p 301      (%h = host, %p = path)
  inservice
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
!
class-map match-all HTTP
  2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SF
!
policy-map multi-match LOADBALANCE
  class HTTP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM

Example: http://www.cisco.com/go/ace is redirected to https://www.cisco.com/go/ace
SSL Packet Flow With ACE

parameter-map type ssl PARAM_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
ssl-proxy service SSL-PROXY
  key mykey.pem
  cert mycert.pem
  ssl advanced-options PARAM_SSL
!
serverfarm WEB-PROTOCOLS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
  probe HTTP-GET
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY

Check that the key pair matches the certificate before binding them to the proxy service:
  crypto verify mykey.pem mycert.pem

[Flow diagram. Client <-> ACE (L3 flow): SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html (Accept-Encoding: gzip, deflate), HTTPS response. ACE <-> Server 1 (TCP flow): HTTP GET index.html, HTTP 200 OK response index.html]
Basic SSL Load Balancing: Redirecting Clients to Use SSL (%h = host, %p = path)

rserver redirect REDIRECT
  webhost-redirection https://%h%p
  inservice
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
!
class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    serverfarm REDIRECT-SF
!
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
!

Example: http://www.cisco.com/go/ace is redirected to https://www.cisco.com/go/ace
Basic Configuration: SSL Offload Example, Putting It All Together

rserver redirect REDIRECT
  webhost-redirection https://%h%p
  inservice
!
parameter-map type ssl CLIENT_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
ssl-proxy service SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_SSL
!
probe http HTTP-GET
  interval 10
  passdetect interval 10
  request method get url /index.html
  expect status 200 202
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
serverfarm HTTP-SF
  probe HTTP-GET
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
!
class-map match-all SSL-CM
  2 match virtual-address 172.16.20.1 tcp eq 443
class-map match-all HTTP-CM
  2 match virtual-address 172.16.20.1 tcp eq 80
!
sticky http-cookie ILIKECOOKIES SSL-STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF
!
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SF
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm SSL-STICKY
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
  class SSL-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL
!
interface vlan 2
  service-policy input LOADBALANCE
End to End SSL With ACE

ssl-proxy service SERVER_SSL
  key www-client.key
  cert www-client.crt
  ssl advanced-options ssl_ciphers
!
serverfarm WEB-PROTOCOLS
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
  probe HTTPs-GET
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
    ssl-proxy client SERVER_SSL
!
policy-map multi-match L4
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL

New commands are in the boxes.

[Flow diagram. Client <-> ACE: SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html (Accept-Encoding: gzip, deflate), HTTPS response. ACE <-> Server 1: SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html, HTTPS 200 OK response index.html]
End to End SSL Offload and Load Balancing

rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
!
parameter-map type ssl CLIENT_PARAM
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
parameter-map type ssl SERVER_PARAM
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
!
ssl-proxy service CLIENT-SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_PARAM
!
ssl-proxy service SERVER-SSL
  ssl advanced-options SERVER_PARAM
!
probe https HTTPs-GET
  interval 20
  request method get url /index.html
  expect status 200 202
!
probe icmp PING
  interval 5
serverfarm WEB-PROTOCOLS
  probe HTTPs-GET
  probe PING
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
sticky http-cookie ILIKECOOKIES STICKYCOOKIE
  cookie insert
  timeout 720
  serverfarm WEB-PROTOCOLS
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKYCOOKIE
    ssl-proxy client SERVER-SSL
!
policy-map multi-match LOADBALANCE
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT-SSL
SSL Redirect Rewrite (ACE 2.0)

!
action-list type modify http ACTION
  header insert request FRONT-END-HTTPS header-value On
  ssl url rewrite location 172.16.20.1
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKY
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
  class SSL-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL
    action ACTION
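The redirect rserver (webhost-redirection https://%h%p 301) and the ssl url rewrite action above are two halves of the same problem: getting clients onto HTTPS and keeping them there when the offloaded server sends them back to http://. The following added example, not code from the deck or from Cisco, implements both: one function expands %h and %p from the request to build the 301, the other rewrites a server's Location header when its host matches the configured expression. Treating the location expression as a regular expression on the host, and the clearport/sslport defaults, are assumptions of this model; the requests and responses are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

REASON = {301: "Moved Permanently", 302: "Found"}


def build_redirect(request_line, headers, template="https://%h%p", code=301):
    """Answer a clear-text request the way 'rserver redirect ... webhost-redirection
    https://%h%p 301' does: %h is the request's Host header, %p its path."""
    _, path, _ = request_line.split(" ", 2)
    host = headers.get("host", "")
    location = template.replace("%h", host).replace("%p", path)
    return (f"HTTP/1.1 {code} {REASON[code]}\r\nLocation: {location}\r\n"
            f"Connection: close\r\nContent-Length: 0\r\n\r\n")


def rewrite_location(response_head, location_expr, clearport=80, sslport=443):
    """'ssl url rewrite location <expr>': when a server behind SSL offload sends a
    redirect to http://<host matching expr>, flip it to https:// so the client
    does not fall back to clear text. Assumption: expr is a regex on the host."""
    lines = response_head.split("\r\n")
    for i, line in enumerate(lines):
        name, _, value = line.partition(":")
        if name.strip().lower() != "location":
            continue
        url = urlsplit(value.strip())
        if url.scheme != "http" or not re.fullmatch(location_expr, url.hostname or ""):
            continue                                   # other hosts are left alone
        if (url.port or 80) != clearport:
            continue
        netloc = url.hostname if sslport == 443 else f"{url.hostname}:{sslport}"
        lines[i] = "Location: " + urlunsplit(("https", netloc, url.path, url.query, url.fragment))
    return "\r\n".join(lines)


def demo():
    out = {"redirect": build_redirect("GET /go/ace HTTP/1.1", {"host": "www.cisco.com"})}
    # constructed server reply: the application redirects to its own http:// URL
    resp = "HTTP/1.1 302 Found\r\nLocation: http://172.16.20.1/login?x=1\r\nContent-Length: 0\r\n\r\n"
    out["rewritten"] = rewrite_location(resp, r"172\.16\.20\.1")
    other = "HTTP/1.1 302 Found\r\nLocation: http://other.example.test/\r\n\r\n"
    out["untouched"] = rewrite_location(other, r"172\.16\.20\.1")
    return out


if __name__ == "__main__":
    for name, text in demo().items():
        print(name, repr(text))
```

Without the rewrite, one application-generated redirect is enough to move a session from HTTPS back to port 80, which is exactly the downgrade that the redirect rserver on the clear-text VIP was meant to prevent.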
Advanced Load Balancing
Advanced Load Balancing Features: Increased Protocol Inspection

Protocol inspection on the ACE can be used to analyze or modify application data. Compliance with RFCs can also be enforced, as well as filtering for user-defined interactions, which are denied if attempted.

Protocols supported on ACE: FTP and strict FTP, RTSP, ICMP, DNS, HTTP
Enhanced protocol inspection: SIP, Skinny, H.323, ILS/LDAP

Deep packet inspection extends visibility and persistence to all applications
Advanced Load Balancing Features: HTTP Inspection Overview

HTTP inspection is a special case of application firewalling in which the focus is mainly on HTTP attributes such as the HTTP header, the URL and the payload itself
Enables users to validate, filter and log the HTTP transactions by matching the traffic against the policies configured
Shares the HTTP stack and the REGEX engine with L7 SLB, with added features for inspection
Can work with L7 load balancing for the same flow
User-defined REGEX can be used in a limited way to detect offending traffic by searching for "signatures"
Advanced Load Balancing Features: HTTP Inspect Features

RFC compliance
MIME type validation
Length and encoding checks
Port 80 misuse
Permit/deny based on L7 regex match
How to Enable Compression?

From the Cisco ACE 4710 Device Manager you can begin compressing HTTP traffic on the Cisco ACE 4710 by clicking the "Enable Compression" command within the Virtual Server configuration for server farms. A single click enables compression for the configured load balancing policy.
HTTP Compression

[Screenshot: searching for "cisco" on www.google.com; the response shows compressed data]
TCP Server Offload: "TCP Multiplex" or "TCP Re-use"

TCP setup and teardown offloaded from server (currently limited to HTTP)
Effective for servers dedicating a high percentage of CPU cycles to TCP processing
TCP connections to the server are kept open (HTTP 1.1 connection keepalive)
Client requests multiplexed to existing server connections
ACE creates a connection pool on the reals [ip:port] associated to the virtual server
Client connections matched to server connections based on TCP options (SACK, timestamp, window_scale, MSS)
TCP Server Offload Illustrated

[Diagram: client connections TCP1, TCP2, TCP3 multiplexed onto pooled server connections ACE-TCP1 (Pool1) and ACE-TCP2 (Pool2)]

parameter-map type http PARAM-MAP
  server-conn reuse
  case-insensitive
  persistence-rebalance
!
class-map match-any HTTP
  10 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match HTTP
  class class-default
    sticky-serverfarm STICKY
!
policy-map multi-match L4
  class vipmap1
    loadbalance vip inservice
    loadbalance policy HTTP
    appl-parameter http advanced-options PARAM-MAP
    nat dynamic 1 vlan 2
Server Connection Reuse

When the feature is enabled, a server TCP connection may be reused to service a different client TCP connection after the response to the previous HTTP request has been transmitted.
"Connection: keep-alive" is inserted and "Connection: close" is removed from the client HTTP request, to avoid closing the server connection early.
Note: details on connection reuse come later.

switch/Admin(config)# parameter-map type http HTTP_PARAM
switch/Admin(config-parammap-http)# server-conn reuse
switch/Admin# show stats http | include Reuse
 Reuse msgs sent          : 1       , HTTP requests            : 4
switch/Admin# show stats http | include Headers
 Reproxied requests       : 0       , Headers removed          : 1
 Headers inserted         : 1       , HTTP redirects           : 0
switch/Admin# show np 1 me-stats "-s icm | grep Reuse"
Reuse link update conn invalid error:          0
Reuse link update conn not on reuse erro       0
Reuse conn remove not on head error:           0
Connection Reuse Add Errors:                   0
Connections Removed From Reuse Pools:          1
Connections Added To Reuse Pools:              1
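The three slides on TCP server offload describe a pool of server-side connections keyed by real server and TCP option set, plus a header rewrite that keeps those connections alive. The following added example, not code from the deck or from Cisco, models exactly that: clients borrow a pooled connection whose options match theirs, return it once the response is fully sent, and counters mirror the "Added To / Removed From Reuse Pools" statistics on the slide. The counter names and the option-matching key are assumptions of this model; the request is constructed.

```python
from collections import defaultdict, deque


class TcpOptions:
    """The option set a pooled server connection was negotiated with. Clients are
    only multiplexed onto server connections with an identical set, since the
    options cannot be renegotiated on an established connection."""

    def __init__(self, mss, window_scale, sack, timestamps):
        self.key = (mss, window_scale, sack, timestamps)


class ServerConn:
    def __init__(self, conn_id, rserver, options):
        self.conn_id, self.rserver, self.options = conn_id, rserver, options
        self.busy = False
        self.requests_served = 0


class ReusePool:
    """Added example of the connection pool behind 'server-conn reuse'."""

    def __init__(self):
        self._idle = defaultdict(deque)     # (rserver, option key) -> idle connections
        self._next_id = 1
        self.stats = {"opened": 0, "reused": 0, "added_to_pool": 0, "removed_from_pool": 0}

    def acquire(self, rserver, client_options):
        """Borrow a server connection for one request: reuse an idle one with
        matching TCP options, otherwise open a new one to rserver (ip, port)."""
        key = (rserver, client_options.key)
        if self._idle[key]:
            conn = self._idle[key].popleft()
            self.stats["reused"] += 1
            self.stats["removed_from_pool"] += 1
        else:
            conn = ServerConn(self._next_id, rserver, client_options)
            self._next_id += 1
            self.stats["opened"] += 1
        conn.busy = True
        return conn

    def release(self, conn):
        """Called once the whole response has been transmitted to the client."""
        conn.busy = False
        self._idle[(conn.rserver, conn.options.key)].append(conn)
        self.stats["added_to_pool"] += 1


def rewrite_client_headers(raw_request):
    """Remove 'Connection: close' and insert 'Connection: keep-alive' so the
    server keeps the connection open after answering."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    lines = [l for l in head.split(b"\r\n") if not l.lower().startswith(b"connection:")]
    lines.insert(1, b"Connection: keep-alive")
    return b"\r\n".join(lines) + sep + body


def demo():
    pool = ReusePool()
    rs = ("192.168.1.1", 80)
    std = TcpOptions(mss=1460, window_scale=7, sack=True, timestamps=True)
    odd = TcpOptions(mss=1380, window_scale=0, sack=False, timestamps=False)
    for _ in range(3):                       # three clients one after another
        c = pool.acquire(rs, std)
        c.requests_served += 1
        pool.release(c)
    a = pool.acquire(rs, std)                # two clients in flight at the same time
    b = pool.acquire(rs, std)
    pool.release(a)
    pool.release(b)
    o = pool.acquire(rs, odd)                # different options: cannot share a pooled connection
    pool.release(o)
    req = b"GET / HTTP/1.1\r\nHost: www.example.test\r\nConnection: close\r\n\r\n"   # constructed
    return {"stats": dict(pool.stats), "rewritten": rewrite_client_headers(req)}


if __name__ == "__main__":
    print(demo())
```

Three sequential clients cost the server one TCP handshake instead of three, which is where the slide's 98% reduction in server-side connections per second comes from; concurrency and option mismatches are what still force new connections.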
TCP Server Offload Example

Over 98% reduction in server-side TCP connections per second. Depends also on server configuration (HTTP GETs per TCP connection).

[Graph: server side vs. client side TCP connections per second]
Advanced Load Balancing: Persistence and Pipelining

HTTP is assumed to follow a simple request/response transaction model
Introduced in HTTP/1.1, persistence is also referred to as client keep-alive
Multiple persistent HTTP requests on the same TCP connection will be balanced to [potentially] different rservers if persistence rebalance is configured
This works without regard to packet boundaries
Pipelined requests are buffered and later parsed after completing transmit of the previous response. In other words, the requests are un-pipelined
If persistence-rebalance is not configured, then pipelined requests on a connection will all be sent to the same server, as they arrive

switch/Admin(config)# parameter-map type http HTTP_PARAM
switch/Admin(config-parammap-http)# persistence-rebalance
switch/Admin# show stats http | include requests
 Reuse msgs sent          : 0       , HTTP requests            : 7
 Reproxied requests       : 0       , Headers removed          : 0
 HTTP chunks              : 0       , Pipelined requests       : 2
Advanced Load Balancing Header Insert Can be used to insert the Client Source IP address if NAT being used Inserts a header into the client HTTP request just before transmit to server If persistence-rebalance is configured, insert occurs on all requests for the connection, otherwise just the first The point of insertion is always between the request line and the existing first header Configure “%is” and “%ps” to dynamically insert source (client) IP and port Configure “%id” and “%pd” to dynamically insert destination (virtual server) IP and port In the below example, inserted header might look something like: ACE: Src=61.0.0.5:32797;Dest=61.0.0.113:80 switch/Admin(config)# policy-map type loadbalance first-match PSLB switch/Admin(config-pmap-lb)# class C1 switch/Admin(config-pmap-lb-c)# insert-http ACE header-value Src=%is:%ps;Dest=%id:%pd switch/Admin# show stats http | include insert Headers inserted BRKAPP-2002 14405_04_2008_c2
© 2008 Cisco Systems, Inc. All rights reserved.
© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr
: 1
, HTTP redirects
Cisco Public
: 0 104
52
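The two slides above describe behaviour on the server side of the ACE that a backend application has to cope with: requests may arrive pipelined and cut at arbitrary packet boundaries, and the header the load balancer inserts is always the first header of its name, ahead of anything the client sent. The following Python is an added example, not code from the Cisco deck or from the ACE product: it un-pipelines a constructed request stream the way the slide describes (buffer, parse one complete request at a time, carry the remainder into the next segment) and then reads the inserted header, handling both the custom "ACE: Src=...;Dest=..." form and the "x-forwarded-for: %is" form the deck also uses. All bytes and addresses in it are constructed for the example.

```python
"""Added example, not part of the Cisco deck: un-pipeline an HTTP/1.1
request stream and read the header the load balancer inserted.

The inserted header sits between the request line and the first original
header, so it is the FIRST header of that name; any later copy came from
the client. Only Content-Length framing is handled here; chunked bodies
are rejected rather than guessed at. Sample bytes are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_requests(stream: bytes) -> Tuple[List[dict], bytes]:
    """Split `stream` into complete requests; return (requests, leftover).

    `leftover` is the unparsed tail: append the next TCP segment to it and
    call again. That is what parsing "without regard to packet
    boundaries" means in practice.
    """
    requests: List[dict] = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break                                  # header block incomplete
        head = stream[pos:end].split(b"\r\n")
        m = REQUEST_LINE.match(head[0])
        if not m:
            raise ValueError("malformed request line: %r" % head[0][:40])
        headers: List[Tuple[str, str]] = []
        for line in head[1:]:
            name, sep, value = line.partition(b":")
            if not sep or not name or name[:1].isspace():
                raise ValueError("malformed header line: %r" % line[:40])
            headers.append((name.strip().lower().decode("ascii"),
                            value.strip().decode("latin-1")))
        # The request boundary must be unambiguous: at most one
        # Content-Length and no Transfer-Encoding (not handled here).
        lengths = [v for n, v in headers if n == "content-length"]
        if len(lengths) > 1 or any(n == "transfer-encoding" for n, _ in headers):
            raise ValueError("ambiguous or unsupported message framing")
        length = int(lengths[0]) if lengths else 0
        if length < 0:
            raise ValueError("negative Content-Length")
        body_start = end + 4
        if len(stream) - body_start < length:
            break                                  # body incomplete
        requests.append({"method": m.group(1).decode("ascii"),
                         "target": m.group(2).decode("ascii"),
                         "headers": headers,
                         "body": stream[body_start:body_start + length]})
        pos = body_start + length
    return requests, stream[pos:]


def inserted_header(req: dict, name: str) -> Tuple[Optional[str], List[str]]:
    """(value inserted by the load balancer, client-supplied copies).

    The LB-inserted header is the first occurrence; later ones came from
    the client and should be logged or ignored, never trusted.
    """
    values = [v for n, v in req["headers"] if n == name.lower()]
    return (values[0] if values else None), values[1:]


def parse_ace_header(value: str) -> Dict[str, Tuple[str, int]]:
    """'Src=61.0.0.5:32797;Dest=61.0.0.113:80' -> {'src': (ip, port), ...}"""
    out: Dict[str, Tuple[str, int]] = {}
    for part in value.split(";"):
        key, _, hostport = part.partition("=")
        ip, _, port = hostport.rpartition(":")
        out[key.strip().lower()] = (ip, int(port))
    return out


# Constructed TCP segments: request 1 is complete in segment 1; request 2
# is pipelined behind it and split across the two segments.
SEGMENT_1 = (
    b"GET /a HTTP/1.1\r\n"
    b"X-Forwarded-For: 61.0.0.5\r\n"              # inserted by the load balancer
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 203.0.113.9\r\n"           # client-supplied, untrusted
    b"\r\n"
    b"POST /b HTTP/1.1\r\n"
    b"ACE: Src=61.0.0.5:32797;Dest=61.0.0.113:80\r\n"
    b"Host: www.exam"
)
SEGMENT_2 = b"ple.com\r\nContent-Length: 5\r\n\r\nhello"


def demo() -> dict:
    reqs, buf = parse_requests(SEGMENT_1)
    complete_after_first = len(reqs)
    more, buf = parse_requests(buf + SEGMENT_2)
    reqs += more
    trusted_ip, client_copies = inserted_header(reqs[0], "x-forwarded-for")
    ace_value, _ = inserted_header(reqs[1], "ace")
    return {"complete_after_first_segment": complete_after_first,
            "total_requests": len(reqs),
            "trusted_client_ip": trusted_ip,
            "client_supplied_xff": client_copies,
            "ace": parse_ace_header(ace_value),
            "post_body": reqs[1]["body"],
            "leftover": buf}
```

Calling demo() shows one request completed after the first segment and two after the second, the trusted client address 61.0.0.5 taken from the first X-Forwarded-For while the client's own 203.0.113.9 is returned separately, and the ACE header decoded into source and VIP endpoints. The first-occurrence rule only holds when the server is reachable solely through the load balancer; direct access to servers (which several of the design slides below call out) lets a client write that header itself.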
Q and A
Recommended Reading

Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press:
  Designing Content Switching Solutions - Zeeshan Naseh, CCIE 6836; Haroon Khan, CCIE 4530
  Data Center Fundamentals - Mauricio Arregoces, CCIE 3285; Maurizio Portolani
  Content Networking Fundamentals - Silvano Da Ros
  Web Security Field Guide - Steve Kalman
  Server Load Balancing - Tony Bourke
  SSL and TLS: Designing and Building Secure Systems - Eric Rescorla

Available onsite at the Cisco Company Store.
Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
Backup Slides
Design Comparison: Application View

  L2 In-Path       No source NAT necessary (except server-to-server via VIP)
  L3 In-Path       No source NAT necessary (except server-to-server via VIP)
  L3 Out-of-Path   Source NAT necessary, or PBR (Policy Based Routing) -> not VRF-aware, an operational challenge
Design Comparison: Scalability

  L2 In-Path       One or multiple VLANs per context possible; non-load-balanced traffic also passes through the ACE
  L3 In-Path       Centralized load-balancing architecture; non-load-balanced traffic also passes through the ACE
  L3 Out-of-Path   Only load-balanced traffic passes through the ACE
Design Comparison: Migration

  L2 In-Path       Easy and transparent migration; no changes to server IP or gateway
  L3 In-Path       Gateway address is typically moved to the ACE
  L3 Out-of-Path   Easy migration; typically not transparent in terms of source IP address
Content Switching Design Approaches - Routed Mode: Design

[Diagram: Core-1/Core-2 above Agg-1/Agg-2 (MSFC1/MSFC2); ACE 1 and ACE 2 Standby joined by the FT PortChannel, Data PortChannel down to the Access layer. Drawn twice, once with the MSFC on the client side (2A) and once with the MSFC on the server side (2B).]

(2A) Routed Mode Design with MSFC on Client Side
  ACE Client-Side VLAN 10 10.10.1.0/24; ACE Server-Side VLAN 20 10.20.1.0/24; ACE Server-Side VLAN 30 10.30.1.0/24
  Servers' default gateway is the alias IP on the ACE
  Extra configuration needed for: direct access to servers; non-load-balanced server-initiated sessions
  ACE's default gateway is the HSRP group IP address on the MSFC
  RHI possible
  Load balancer inline for all traffic

(2B) Routed Mode Design with MSFC on Server Side
  ACE Client-Side VLAN 5 10.5.1.0/24; ACE Server-Side VLAN 1 10.10.1.0/24; Server VLAN 20 10.20.1.0/24; Server VLAN 30 10.30.1.0/24
  Servers' default gateway is the HSRP group IP address on the MSFC
  Extra configuration needed for (simpler than option 2A): direct access to servers; non-load-balanced server-initiated sessions
  SM's (service module's) default gateway is the core router
  RHI not possible
  Server-to-server communication bypasses the load balancer
Content Switching Design Approaches - Routed Mode: Configuration

ACE:
!
interface vlan 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no shutdown
!
interface vlan 20
  ip address 10.20.1.2 255.255.255.0
  alias 10.20.1.1 255.255.255.0
  peer ip address 10.20.1.3 255.255.255.0
  no shutdown
!
interface vlan 30
  ip address 10.30.1.2 255.255.255.0
  alias 10.30.1.1 255.255.255.0
  peer ip address 10.30.1.3 255.255.255.0
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1

MSFC:
!
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
!
Content Switching Design Approaches - Bridged Mode: Design

[Diagram: Core-1/Core-2 above Agg-1/Agg-2 (MSFC1/MSFC2); ACE 1 and ACE 2 Standby joined by the FT PortChannel, Data PortChannel down to the Access layer. ACE Client-Side VLAN 10 10.10.1.0/24 and ACE Server-Side VLAN 20 10.10.1.0/24 are the same IP subnet, bridged through the ACE.]

(1) Bridged Mode Design Considerations
  Servers' default gateway is the HSRP group IP address on the MSFC
  Broadcast/multicast/route-update traffic bridges through
  No extra configuration for: direct access to servers; server-initiated sessions
  RHI possible
  Load balancer inline for all traffic
Content Switching Design Approaches - Bridged Mode: Configuration

ACE:
interface vlan 10
  bridge-group 10
  access-group input anyone
  access-group output anyone
  no shutdown
!
interface vlan 20
  bridge-group 10
  access-group input anyone
  access-group output anyone
  no shutdown
!
interface bvi 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1
!

MSFC:
!
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
!
Content Switching Design Approaches - Bridged Mode: BPDU Forwarding

Similarly to the FWSM, the ACE can let BPDUs through and can rewrite their payload, correctly handling merged STP domains.

ACE configuration to allow BPDUs:
!
access-list bpduallow ethertype permit bpdu
!
interface vlan 10
  bridge-group 10
  access-group input bpduallow
  no shutdown
!
interface vlan 20
  bridge-group 10
  access-group input bpduallow
  no shutdown
!

Protects against accidental loops in case the FT heartbeat cable or VLAN is disconnected.
Content Switching Design Approaches - L3 One-Armed Mode: Design

[Diagram: Core-1/Core-2 above Agg-1/Agg-2 (MSFC1/MSFC2) with Data PortChannel down to the Access layer; ACE 1 and ACE 2 Standby hang off the aggregation layer on a single VLAN, joined by the FT PortChannel. ACE Server-Side VLAN 10 10.10.1.0/24; Server VLAN 20 10.20.1.0/24; Server VLAN 30 10.30.1.0/24.]

(3) One-Armed Design Considerations
  Servers' default gateway is the HSRP group IP address on the MSFC
  No extra configuration for: direct access to servers; server-initiated sessions
  RHI possible
  CSM/ACE inline only for server-load-balanced traffic
  Policy-based routing or source NAT can be used to redirect server return traffic to the load balancer
Content Switching Design Approaches - L3 One-Armed Mode: PBR Configuration

MSFC:
!
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
!
interface Vlan20
  ip address 10.20.1.2 255.255.255.0
  ip policy route-map FromServersToSLB
  standby 20 ip 10.20.1.1
  standby 20 priority 110
!
access-list 121 permit tcp any eq telnet any
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
!
route-map FromServersToSLB permit 10
  match ip address 121
  set ip next-hop 10.10.1.4

ACE - Asymmetric Routing:
!
interface vlan 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no normalization
  access-group input anyone
  access-group output anyone
  no shutdown
!
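The PBR slide above steers server return traffic to the ACE alias only when it matches ACL 121, and leaves everything else to normal routing. The following Python is an added example, not code from the Cisco deck or from IOS: it parses the slide's ACL 121 and route-map next hop into first-match rules and evaluates a handful of constructed server-side flows, to make visible which packets reach the ACE and which bypass it. It parses only the ACL syntax the slide uses (protocol tcp or ip, "any" endpoints, optional "eq <port>"); the flows, server and client addresses are constructed.

```python
"""Added example, not part of the Cisco deck: first-match evaluator for
the one-armed design's MSFC policy route-map (ACL 121 and
'set ip next-hop 10.10.1.4' from the slide). Flows are constructed.
"""
from typing import List, NamedTuple, Optional

ACL_121 = [
    "access-list 121 permit tcp any eq telnet any",
    "access-list 121 permit tcp any eq www any",
    "access-list 121 permit tcp any eq 443 any",
    "access-list 121 deny ip any any",
]
NEXT_HOP = "10.10.1.4"                    # route-map next hop = the ACE alias IP
PORT_NAMES = {"telnet": 23, "www": 80}    # IOS port keywords used on the slide


class Rule(NamedTuple):
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'tcp', 'udp' or 'ip' ('ip' matches everything)
    src_port: Optional[int]     # None means any
    dst_port: Optional[int]


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _endpoint(tokens: List[str]):
    """Consume 'any [eq <port>]'; return (port or None, remaining tokens)."""
    if not tokens or tokens[0] != "any":
        raise ValueError("only 'any' endpoints are handled in this example")
    tokens = tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(lines: List[str]) -> List[Rule]:
    rules = []
    for line in lines:
        tok = line.split()
        # access-list <number> <permit|deny> <proto> <src> [eq p] <dst> [eq p]
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError("unrecognised ACL line: " + line)
        sport, rest = _endpoint(tok[4:])
        dport, rest = _endpoint(rest)
        if rest:
            raise ValueError("trailing tokens in: " + line)
        rules.append(Rule(tok[2], tok[3], sport, dport))
    return rules


def pbr_next_hop(rules: List[Rule], flow: Flow) -> Optional[str]:
    """The first matching entry decides: permit -> route-map next hop
    (the ACE); deny or no match -> normal routing, bypassing the ACE."""
    for r in rules:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if r.src_port is not None and r.src_port != flow.sport:
            continue
        if r.dst_port is not None and r.dst_port != flow.dport:
            continue
        return NEXT_HOP if r.action == "permit" else None
    return None


# Constructed flows as seen entering Vlan20 (source = the real server).
FLOWS = {
    "http reply to client":      Flow("tcp", "10.20.1.10", 80,    "61.0.0.5",   32797),
    "https reply to client":     Flow("tcp", "10.20.1.10", 443,   "61.0.0.5",   40001),
    "server-initiated db query": Flow("tcp", "10.20.1.10", 51000, "10.30.1.20", 3306),
    "reply from unlisted port":  Flow("tcp", "10.20.1.10", 8080,  "61.0.0.5",   40002),
    "icmp echo reply":           Flow("icmp", "10.20.1.10", 0,    "61.0.0.5",   0),
}


def demo() -> dict:
    rules = parse_acl(ACL_121)
    return {name: pbr_next_hop(rules, f) for name, f in FLOWS.items()}
```

demo() returns the ACE alias 10.10.1.4 for the port 80 and 443 replies and None for the rest. The server-initiated query and the ICMP reply bypassing the ACE is the intended behaviour of the one-armed design (only load-balanced traffic passes the ACE); the "unlisted port" row is the operational caveat: a real server listening on a port that ACL 121 does not name will answer clients directly with its own address instead of the VIP, so the ACL must be kept in step with the serverfarm ports. Source NAT on the ACE, shown on the next slide, avoids that dependency on the MSFC configuration.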
Content Switching Design Approaches - L3 One-Armed Mode: Source-NAT Configuration

class-map match-all HTTP
  2 match virtual-address 172.16.1.73 tcp eq 80
policy-map type loadbalance first-match WEB
  class class-default
    insert-http x-forwarded-for: header-value %is
    serverfarm HTTP
policy-map multi-match L4
  class HTTP
    loadbalance vip inservice
    loadbalance policy WEB
    nat dynamic 1 vlan 2
interface vlan 2
  ip address 172.16.1.1 255.255.255.0
  alias 172.16.1.254 255.255.255.0
  peer ip address 172.16.1.2 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input L4
  no normalization
  nat-pool 1 10.10.1.110 10.10.1.110 netmask 255.255.255.0 pat
  no shutdown