BRKAPP-2002 ACE Server Load Balancing Design

Source: d2zmdbbm9feqrf.cloudfront.net/2010/usa/pdf/BRKAPP-2002.pdf


© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 2

Agenda

Application Delivery Networking Terms and Concerns
  Health Checking, Server Farms, Traffic Classification, Predictors, Persistence, Stickiness

ACE Overview

Basic Policy Configuration Requirements and Examples
  Basic Layer 4 and 7 Load Balancing Example

Advanced Application Scenario Requirements and Examples
  Persistence
  SSL Offload, End-to-End SSL
  Content Health Check

Additional Features and Deployment Considerations
  NAT
  Access Lists
  Deployment Models, ACE Redundancy, RBAC, Virtual Contexts

Summary

Application Delivery Networking: ACE Features

Application Delivery Networking Overview: Terminology

Figure: clients reach an Application Delivery Controller (ADC, a Layer 4-7 switch) through a client-side gateway; the ADC sends health probes to the servers and groups them into a serverfarm. The figure labels these elements:

Virtual IP address (VIP): 172.16.2.100, TCP port 80
Traffic classification (class-map): URL = /news, User-Agent = MSIE 7.0, Client = 192.0.0.0/8
Policy (policy-map): then use serverfarm X
Load balancing algorithm (predictor): round robin

Traffic Classification and Processing

ACE supports load balancing of the following traffic types:

Generic IP traffic (e.g. IPsec tunnels)
Generic UDP and TCP (e.g. proprietary protocols)
Network services (e.g. LDAP, DNS, RADIUS)
HTTP (e.g. web presentation layer, web services, SOAP/XML)
Voice and video (e.g. RTSP, SIP, H.323)
Remote terminals (e.g. Windows Terminal Services/RDP)
Multi-connection protocols (e.g. FTP, RTSP)
Multi-tier applications (e.g. SAP, Oracle Enterprise/WebLogic, Microsoft Exchange/SharePoint/ASP, IBM WebSphere)

Figure: frame layout used for classification, from the outside in: Ethernet header (Layer 2), IP header (Layer 3), TCP header (Layer 4), HTTP header and payload (Layers 5-7), Ethernet trailer.

ACE Service Health Monitoring: Probes

Periodic health checks applied to specific real servers or server farms.
Generated by the Application Delivery Controller itself, which then expects a reply.
Either predefined health checks or scripts.
Examples: ICMP (Layer 3 connectivity), TCP (stack), HTTP (application).
Failure detection time is a function of the probe interval, the number of retries, and the maximum response time.

Reliability and Availability Techniques: Cisco ACE Probe Options

Probe         Description
ICMP          Sends an ICMP echo request and waits for the reply
Generic TCP   Opens a connection, then disconnects with a TCP FIN or RST
Generic UDP   Sends a packet and monitors for ICMP errors
HTTP          Sends an HTTP/1.1 HEAD or GET request
HTTPS         Establishes an SSL connection, sends an HTTP query and closes
FTP           Similar to the TCP probe
Telnet        Makes a connection and sends a QUIT message
DNS           Queries a default domain and waits for the response
SMTP          Sends a hello followed by a QUIT message
POP3          Similar to the TCP probe
SNMP          Uses SNMP OIDs for load balancing predictions
IMAP          Similar to the TCP probe
Scripted      Custom health check
RADIUS        Similar to the UDP probe; the NAS-IP can be configured

Health Check Selection and Consideration

Which type of probe should be used to determine availability?

ARPs only check the IP stack, not the application.
ICMP probes only check the IP stack of the machine, not the application.
Generic TCP port opens check the TCP stack but not the application's ability to handle requests.
An application may fail in a state where the server can still answer a TCP SYN but not an application data request.
To verify the integrity of an application, an application data request keepalive is required.

ACE Load Balancing Algorithms: Predictors

Figure: client, ACE, serverfarm.

Round Robin (simple, weighted)
Least Connections (weighted)
Hash on IP, URL, content or cookie
Server watermarks: minimum and maximum number of connections per server
Least Loaded: SNMP-based server feedback
Least Bandwidth: connections vs. bandwidth
Adaptive Response predictor: based on server response time

ACE Enhanced Predictors: Adaptive Response

ACE load balances based on server response time, calculated over a configured number of samples for the selected response-time metric:

Application Request to Response: time between the HTTP request sent from ACE and the HTTP response received from the server
SYN to SYN-ACK: time between the SYN sent from ACE and the SYN-ACK received from the server
SYN to Close: time between the SYN sent from ACE and the FIN/RST received from the server

ACE Enhanced Application Algorithms: Least-Loaded Using SNMP

ACE uses SNMP-based probes to obtain CPU, memory and disk statistics from the servers. SNMP object IDs queried: CPU utilization, memory resources, disk drive availability.

Example query results for the three servers in the figure:
Server 1: CPU utilization = 14%, memory resources = 947300k free, disk drive availability = 440GB free
Server 2: CPU utilization = 24%, memory resources = 885300k free, disk drive availability = 307GB free
Server 3: CPU utilization = 34%, memory resources = 785300k free, disk drive availability = 202GB free

An SNMP agent is required on the server; no additional software is needed.

Server Affinity and Persistence: Session Stickiness

Session: a sequence of requests by a single user client to a server.

State: information maintained in the session across requests. It may include both information visible to the user (shopping cart) and application control information (user preferences, security token, page history, cached content, etc.).

Session-Id: an application-assigned identifier for a user session. Stored session state is referenced by the session-id. The session-id and the state can be stored in memory, cookies, URLs, application headers and payload content.

Stateful Session Failover: state may be synchronized across servers by persisting the information to a common repository (e.g. a database). Rebuilding session state is resource intensive.

Stickiness: the load balancer sends multiple requests from the same client to the same server. Used when dynamic load distribution across multiple servers introduces problems.

How to Uniquely Identify a Client: Application Load Balancing Session Persistence

Source IP
  How it works: client = its source IP
  Variations: full IP, masked IP
  Information stored on: LB
  Good for: simplicity
  Caveats: proxies

Cookie
  How it works: client = a cookie value
  Variations: static, dynamic, insert
  Information stored on: LB
  Good for: flexibility
  Caveats: HTTP only, clear text

SSL ID
  How it works: client = SSL session ID
  Variations: full SSL session ID
  Information stored on: LB
  Good for: no cookie support needed
  Caveats: SSL v3, renegotiation

HTTP Redirect
  How it works: LB redirects to a specific (virtual) server
  Information stored on: client
  Good for: no state on the LB
  Caveats: HTTP only, absolute URLs, bookmarks

RDP
  How it works: Session Directory (SD); routing token = server IP + port
  Information stored on: LB
  Good for: recovering disconnected WTS sessions
  Caveats: no token, needs to fall back to source IP

SIP
  How it works: client = session Call-ID
  Information stored on: LB
  Good for: SIP-specific stickiness

GPP (generic protocol parsing)
  How it works: regex matches on TCP and UDP data
  Variations: offset, custom
  Information stored on: LB
  Good for: flexible for custom applications
  Caveats: specific to the application

ACE Application Acceleration Features

Feature Name       Description
Flash Forward      Enables acceleration of embedded objects in a web page by caching them locally, improving application response time.
Dynamic ETag       Enables acceleration of non-cacheable embedded objects, improving application response time.
HTTP Compression   Reduces traffic to web clients by compressing HTTP responses with the GZIP and Deflate compression algorithms.

Configuration and Deployment: Basic Load Balancing Scenario

Requirements and configuration for a basic web application.

Figure: clients connect to a virtual IP on ACE, which distributes connections across an application/content server farm and provides server-level fail-over. Stateless application: no client session tracking or long-running transaction requirements.

Basic Web Load Balancing: Configuration Checklist

Is the server/application active? How can you check?
How should connections be distributed?
If needed, how are client sessions identified and persisted?

Basic Requirements

Load distribution
  Simple round robin (no session persistence)
Health checks
  Server: ICMP (ping)
  Protocol: port 80
  Application: HTTP (response code)
Application optimization/offload
  HTTP compression

Policy Lookup Order

Many features can be applied on a given interface, so the feature lookup order matters. ACE evaluates features in the following order:

1. Access control (permit or deny a packet)
2. Management traffic
3. TCP normalization/connection parameters
4. Server load balancing
5. Fix-ups/application inspection
6. Source NAT
7. Destination NAT

The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface.

Policy CLI Overview

1. Define traffic match criteria
2. Associate policy actions with the match criteria
3. Activate the classification-action rules on either an interface or globally

Step 1: define the match criteria
  class-map C1
    match <criteria>

Step 2: associate the action
  policy-map P1
    class C1
      <action>

Step 3: activate on an interface
  interface vlanX
    service-policy input P1

ACE Modular Policy CLI: Class-Maps

The class-map command is used to define a traffic type or class of interest.

A traffic class contains three major elements: a name, a series of match commands, and, if more than one match command exists in the traffic class, an instruction on how to evaluate these match commands (match-any or match-all).

  class-map type management match-any remote-access-cm
    description remote-access-traffic-match
    2 match protocol ssh any
    3 match protocol icmp any
    4 match protocol https any
    5 match protocol snmp any
    6 match protocol xml-https any

Modular Policy CLI: Nested Class-Maps

Class-maps can be linked by using the match class statement.
Supported only for Layer 7 class-maps, with a limit of two levels of nesting.
Used to build complex logical expressions: an easy way to combine boolean (and/or) statements.

  class-map match-all HTTP-CM
    match virtual-address 10.10.119.113 tcp eq www

  class-map match-any NAT-CM
    match source-address 10.86.243.0 255.255.255.0

  class-map type http loadbalance match-any URL-PARSE-CM
    match http url "/news"
    match http url "/sport"

  class-map type http loadbalance match-all HEADER-PARSE-CM
    match http header User-Agent header-value Mozilla
    match class URL-PARSE-CM

HEADER-PARSE-CM matches when the User-Agent header matches Mozilla and the URL matches either /news or /sport.

ACE Modular Policy CLI: Policy-Maps

Use the policy-map command to define the actions to take on matched traffic. Traffic that does not match an explicitly specified classification is matched against the class-default policy.

Specify how traffic class matches are processed:

first-match: the class-action pairs within the policy-map are looked up sequentially and the first matching class is applied
all-match: traffic is matched against all classes in the policy-map and the actions of all matching classes are executed; e.g. a policy-map of type inspect http
multi-match: the policy-map supports multiple actions, and each action by itself can have only one match (first match)

  policy-map type management first-match remote-mgmt-pm
    class remote-access-cm
      permit

ACE Modular Policy CLI: Activating Policy

Policies are activated on an interface or globally using the service-policy command.
The policy-map is enabled on the input direction of the interface.
Policy-maps applied globally in an ACE device context are internally applied to all interfaces existing in the context.

  service-policy input <policy-name>

Basic Layer 4 Load Balancing: Management and Device Access for CLI or GUI

  access-list EVERYONE line 10 extended permit ip any any

  class-map type management match-any REMOTE-ACCESS
    description REMOTE-ACCESS-traffic-match
    2 match protocol ssh any
    3 match protocol icmp any
    4 match protocol https any
    5 match protocol snmp any
    6 match protocol xml-https any

  policy-map type management first-match REMOTE-MGMT
    class REMOTE-ACCESS
      permit

  interface vlan 2
    ip address 10.10.119.55 255.255.255.0
    access-group input EVERYONE
    service-policy input REMOTE-MGMT
    no shutdown

The class-map matches the management traffic types, the policy-map permits them on match, and the service-policy enables the policy on the interface.

Health Probe Configuration

  probe icmp PING-PROBE
    interval 5
    passdetect interval 5
    passdetect count 3

  probe tcp TCP80-PROBE
    interval 10
    port 80
    passdetect interval 10
    passdetect count 3

  probe http HTTP-PROBE
    interval 20
    passdetect interval 5
    request method get url /index.html
    expect status 200 499

  serverfarm WEB-SF
    probe PING-PROBE
    probe TCP80-PROBE
    probe HTTP-PROBE
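To make the "failure detection time is a function of interval, retries and response time" statement concrete, here is a small model of the ACE probe state machine fed with the three probes configured above. This is an added example, not Cisco code: the faildetect/receive defaults it assumes come from the ACE configuration guide and are not on the slide, and the probe outcomes it feeds in are constructed.

```python
"""Model of how an ACE probe decides a real server is FAILED and when it returns to
service. Added example, not Cisco code: the state machine follows the ACE
configuration guide (interval, receive, faildetect, passdetect interval/count);
the defaults below are ACE defaults not shown on the slide (assumption)."""
from dataclasses import dataclass


@dataclass
class Probe:
    name: str
    interval: int = 120            # seconds between probes while the server is OPERATIONAL
    receive: int = 10              # seconds to wait for a reply before the probe counts as failed
    faildetect: int = 3            # consecutive failures before the server is marked FAILED
    passdetect_interval: int = 60  # seconds between probes while the server is FAILED
    passdetect_count: int = 3      # consecutive successes before it returns to OPERATIONAL
    expect_status: tuple = (200, 499)  # inclusive HTTP status range treated as healthy


# The three probes from the slide; knobs the slide does not set use the defaults above.
PING_PROBE = Probe("PING-PROBE", interval=5, passdetect_interval=5, passdetect_count=3)
TCP80_PROBE = Probe("TCP80-PROBE", interval=10, passdetect_interval=10, passdetect_count=3)
HTTP_PROBE = Probe("HTTP-PROBE", interval=20, passdetect_interval=5)


def http_status_passes(probe: Probe, status: int) -> bool:
    """'expect status 200 499' accepts every code in the range, so a 404 from a
    half-deployed application still counts as healthy: probe a URL whose 4xx would
    actually mean trouble, or narrow the range."""
    low, high = probe.expect_status
    return low <= status <= high


def worst_case_failure_detection(probe: Probe) -> int:
    """Seconds from a server dying until ACE marks it FAILED, worst case: the server
    died right after a successful probe, then each of `faildetect` probes times out."""
    return probe.faildetect * probe.interval + probe.receive


def worst_case_recovery(probe: Probe) -> int:
    """Seconds from a server coming back until ACE returns it to service."""
    return probe.passdetect_count * probe.passdetect_interval


def run_probe(probe: Probe, outcomes) -> list:
    """Feed probe results (True = healthy reply, False = timeout or bad status) through
    the state machine; return (probe number, new state) for every transition."""
    state, fails, passes, transitions = "OPERATIONAL", 0, 0, []
    for n, ok in enumerate(outcomes, start=1):
        if state == "OPERATIONAL":
            fails = 0 if ok else fails + 1
            if fails >= probe.faildetect:
                state, passes = "FAILED", 0
                transitions.append((n, state))
        else:
            passes = passes + 1 if ok else 0
            if passes >= probe.passdetect_count:
                state, fails = "OPERATIONAL", 0
                transitions.append((n, state))
    return transitions


if __name__ == "__main__":
    for p in (PING_PROBE, TCP80_PROBE, HTTP_PROBE):
        print(f"{p.name}: failure detected within {worst_case_failure_detection(p)}s, "
              f"back in service within {worst_case_recovery(p)}s")
    statuses = [200, 200, 503, 503, 503, 200, 200, 200]   # constructed reply sequence
    print(run_probe(HTTP_PROBE, [http_status_passes(HTTP_PROBE, s) for s in statuses]))
```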

Server Farms and Real Servers

Collections of mirrored application hosts (real servers) are defined as pooled server farm resources.
Real servers can be tagged with properties such as connection limits and weight values.

ACE Basic Layer 4 Load Balancing: Real Servers and Server Farm

Define the real servers:

  rserver host SERVER1
    ip address 192.168.1.1
    inservice
  rserver host SERVER2
    ip address 192.168.1.2
    inservice
  rserver host SERVER3
    ip address 192.168.1.3
    inservice

Assign the health probe and the real servers to a server farm:

  serverfarm WEB-SF
    probe HTTP-PROBE
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice
    rserver SERVER3
      inservice

ACE Basic Layer 4 Load Balancing: Deploy Policy

Match on traffic to the virtual IP and port 80:

  class-map match-all TCP80-CM
    2 match virtual-address 172.16.1.73 tcp eq 80

Define the load-balancing action for any traffic:

  policy-map type loadbalance first-match TCP80-PM
    class class-default
      serverfarm WEB-SF

If traffic matches, enable the VIP for load balancing and apply the policy:

  policy-map multi-match LOADBALANCE-PM
    class TCP80-CM
      loadbalance vip inservice
      loadbalance policy TCP80-PM

Enable the policy on the VLAN interface:

  interface vlan 2
    ip address 172.16.1.1 255.255.255.0
    access-group input EVERYONE
    service-policy input REMOTE-MGMT
    service-policy input LOADBALANCE-PM
    no shutdown

"Sorry Service": Backup Servers

Define the real servers:

  rserver host APPSERVER-11
    ip address 10.1.1.10
    inservice
  rserver host APPSERVER-12
    ip address 10.1.1.12
    inservice
  rserver host SORRY-SERVER
    ip address 10.1.2.100
    inservice

Designate a backup server to use if APPSERVER-12 is unavailable:

  serverfarm host HTTP-FARM
    rserver APPSERVER-11
      inservice
    rserver APPSERVER-12
      backup-rserver SORRY-SERVER
      inservice

Cisco ACE HTTP Compression

Reduces HTTP traffic using the GZIP and Deflate compression algorithms, which are supported by today's web browsers.
Compression is completely transparent to the end user, requiring no downloads or agents.
Up to 90% reduction in the size of web objects such as static and dynamic HTML, Flash, PDFs, text files and XML.
Optimizes delivery of content across last-mile bandwidth bottlenecks.
Accelerates the end-user experience.

Figure: a remote user on shared DSL, a roaming user on 56k dial-up and a branch office on a 128k leased line. Problem: big page, small pipe. OK: big page, big pipe. Solution with HTTP compression: small compressed page, small pipe.

HTTP Compression

  serverfarm host WEB-COMPRESS-SF
    probe HTTP-PROBE
    rserver Server-3
      inservice
    rserver Server-4
      inservice

Match on any URL:

  class-map type http loadbalance match-all HTTP-CM
    2 match http url .*

  class-map match-all VIP-COMPRESS-CM
    2 match virtual-address 10.86.158.21 tcp eq www

Compress all client browser traffic using the DEFLATE algorithm:

  policy-map type loadbalance first-match COMPRESS-PM
    class HTTP-CM
      serverfarm WEB-COMPRESS-SF
      compress default-method deflate

  policy-map multi-match CLIENT-VIP-PM
    class VIP-COMPRESS-CM
      loadbalance vip inservice
      loadbalance policy COMPRESS-PM
      loadbalance vip icmp-reply active

Configuration with Device Manager and ANM: Health Checks

GUI Based Configuration: Real Servers and Server Farm

Define the real servers; define the server farm; add the real servers to the server farm and define the sorry server.

GUI Based Configuration: VIP and Load Balance Policy

Define the virtual IP; assign the interface; assign the action, server farm and compression.

Probe Monitoring with Device Manager and ANM

Monitoring with Device Manager and ANM

Configuration and Deployment: Advanced Load Balancing Scenario

Requirements and configuration for a multi-tier transactional web application.

Multi-Tier Load Balancing

Figure: clients connect through ACE to an N-tier application with a separate application server tier. Requirements shown: N-tier application, client type and session tracking, transactional, SSL offload.

Requirements

Load distribution: adaptive
  Least connections, response time
Health checks
  Content inspection
Persistence
  Cookie sticky
  SSL sticky
Application offload
  SSL

Advanced Predictors: Least Connections

  serverfarm TCP80-SF
    predictor leastconns slowstart 200
    probe TCP80-PROBE
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice

  class-map match-all TCP80-CM
    2 match virtual-address 172.16.1.73 tcp eq 80

  policy-map type loadbalance first-match TCP80-PM
    class class-default
      serverfarm TCP80-SF

  policy-map multi-match L4
    class TCP80-CM
      loadbalance vip inservice
      loadbalance policy TCP80-PM

Predictor Configuration with Device Manager and ANM

Persistence Configuration Options

Persist based on cookie:

  sticky http-cookie ILIKECOOKIES COOKIESTICKY
    cookie insert
    timeout 720
    serverfarm WEB-SF backup SORRY-SF

Persist based on source IP:

  sticky ip-netmask 255.255.240.0 address source IPSTICKY
    serverfarm WEB-SF backup SORRY-SF

Cookie Insert with Device Manager and ANM

SSL Configuration

To configure SSL termination, add the following and apply it to the Layer 4 class map that matches the VIP:

parameter-map type ssl
ssl-proxy service
policy-map

The parameter-map defines the parameters for SSL connections (e.g. SSL version, cipher suites).
The SSL proxy defines the certificates and keys to be used in SSL connections.
A default certificate and key are included for testing.

SSL Certificate Management

  ACE/routed# show crypto files
  Filename          File Size   File Type   Exportable   Key/Cert
  -----------------------------------------------------------------------
  TestKey           1675        PEM         Yes          KEY
  TestCert          1135        PEM         Yes          CERT

  ACE/routed# crypto import ?
    ftp             Import a key/certificate from an ftp server
    non-exportable  Mark this key/certificate as non-exportable
    sftp            Import a key/certificate from an sftp server
    terminal        Accept a key/certificate from terminal
    tftp            Import a key/certificate from a tftp server

Importing a server certificate from the terminal:

  ACE/routed# crypto import terminal certnew.pem
  Please enter PEM formatted data. End with "quit" on a new line.
  -----BEGIN CERTIFICATE-----
  MIIFYDCCBEigAwIBAgIKJ51kxAAAAAAAETANBgkqhkiG9w0BAQUFADBAMRUwEwYK
  v24KvEoWIIuevUQSsljlP1xOmZq2gW3isYf+5PFu1jltYedt
  -----END CERTIFICATE-----
  quit

Common commands:

  crypto import terminal <file name>
  crypto export <file name>
  crypto verify <key name> <cert name>
  show crypto files
  show crypto key all
  show crypto key <key name>
  show crypto certificate all
  show crypto certificate <cert name>

SSL Packet Flow with ACE

  ssl-proxy service SSL-PROXY
    key mykey.pem
    cert mycert.pem
  !
  serverfarm WEB-PROTOCOLS
    rserver SERVER1 81
      inservice
    rserver SERVER2 81
      inservice
    probe HTTP-GET
  !
  class-map match-all HTTPS-CM
    2 match virtual-address 172.16.1.73 tcp eq 443
  !
  policy-map type loadbalance first-match SSL-PM
    class class-default
      serverfarm WEB-PROTOCOLS
  !
  policy-map multi-match L4
    class HTTPS-CM
      loadbalance vip inservice
      loadbalance policy SSL-PM
      loadbalance vip icmp-reply
      ssl-proxy server SSL-PROXY

Verify that the key and certificate belong together before using them:

  crypto verify mykey.pem mycert.pem

Figure: packet flow. Client to ACE (Layer 3 flow): SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html with Accept-Encoding: gzip, deflate, HTTPS response. ACE to Server 1 (TCP flow): SYN, SYN/ACK, ACK, HTTP GET index.html, HTTP 200 OK response with index.html. ACE terminates SSL and forwards the request to the server as plain HTTP on port 81.

SSL Offload and Load Balancing Policy

Define the SSL session constraints (SSL version and cipher suites):

  parameter-map type ssl CLIENT-PARAM
    cipher RSA_WITH_RC4_128_MD5
    cipher RSA_WITH_AES_128_CBC_SHA
    cipher RSA_WITH_AES_256_CBC_SHA

Create the SSL proxy with the defined parameters:

  ssl-proxy service CLIENT-SSL
    key mykey.pem
    cert mycert.pem
    ssl advanced-options CLIENT-PARAM

Match on the VIP and SSL port:

  class-map match-all HTTPS
    match virtual-address 172.16.1.73 tcp eq 443

Define the session persistence policy on the server farm:

  sticky http-cookie COOKIENAME STICKYCOOKIE
    cookie insert
    serverfarm WEB-SF

Deploy the SSL policy:

  policy-map type loadbalance first-match SSL-PM
    class class-default
      sticky-serverfarm STICKYCOOKIE

  policy-map multi-match SecureL4-PM
    class HTTPS
      loadbalance vip inservice
      loadbalance policy SSL-PM
      loadbalance vip icmp-reply
      ssl-proxy server CLIENT-SSL

Basic SSL Load Balancing: Redirecting Clients to Use SSL

  rserver redirect REDIRECT
    webhost-redirection https://%h%p
    inservice

  serverfarm redirect REDIRECT-SF
    rserver REDIRECT
      inservice

  class-map match-all HTTP-CM
    2 match virtual-address 172.16.1.73 tcp eq 80

  policy-map type loadbalance first-match WEB-PM
    class class-default
      serverfarm REDIRECT-SF

  policy-map multi-match LOADBALANCE
    class HTTP-CM
      loadbalance vip inservice
      loadbalance policy WEB-PM
  !

Figure: a client request for http://www.cisco.com/go/ace is redirected to https://www.cisco.com/go/ace; %h is replaced with the requested host and %p with the requested path.

SSL Redirect Rewrite and Header Insert

  !
  action-list type modify http ACTION
    header insert request FRONT-END-HTTPS header-value "On"
    header insert response x-forwarded-for header-value "%is"
    ssl url rewrite location www.company.com
  !
  policy-map type loadbalance first-match SSL-PM
    class class-default
      sticky-serverfarm STICKY
      action ACTION

  policy-map multi-match LOADBALANCE
    class HTTP-CM
      loadbalance vip inservice
      loadbalance policy HTTP-PM
    class SSL-CM
      loadbalance vip inservice
      loadbalance policy SSL-PM
      loadbalance vip icmp-reply active
      ssl-proxy server SSL

SSL ID Sticky: ACE Config

Persist the session based on the SSL session-id:

  parameter-map type generic SSL-V3
    set max-parse-length 70

  sticky layer4-payload STICKY-SSL-V3
    timeout 600
    serverfarm HTTPS-FARM
    response sticky
    layer4-payload offset 43 length 32 begin-pattern "\x20"

  class-map match-all HTTPS-VIP
    2 match virtual-address 10.86.157.36 tcp eq https

  policy-map type loadbalance generic first-match SSL-V3-STICKY
    class class-default
      sticky-serverfarm STICKY-SSL-V3

  policy-map multi-match CLIENT-VIPS
    class HTTPS-VIP
      loadbalance vip inservice
      loadbalance policy SSL-V3-STICKY
      loadbalance vip icmp-reply active
      appl-parameter generic advanced-options SSL-V3

End-to-End SSL with ACE

  ssl-proxy service CLIENT_SSL
    key client.key
    cert client.crt
  ssl-proxy service SERVER_SSL
  !
  serverfarm WEB-PROTOCOLS
    rserver SERVER1 443
      inservice
    rserver SERVER2 443
      inservice
    probe HTTPs-GET
  !
  class-map match-all HTTPS-CM
    2 match virtual-address 172.16.1.73 tcp eq 443
  !
  policy-map type loadbalance first-match SSL-PM
    class class-default
      serverfarm WEB-PROTOCOLS
      ssl-proxy client SERVER_SSL
  !
  policy-map multi-match L4
    class HTTPS-CM
      loadbalance vip inservice
      loadbalance policy SSL-PM
      loadbalance vip icmp-reply
      ssl-proxy server CLIENT_SSL

Figure: packet flow. Client to ACE: SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html with Accept-Encoding: gzip, deflate, HTTPS response. ACE to Server 1: SYN (tcp 443), SYN/ACK, ACK, SSL handshake, HTTPS GET index.html with Accept-Encoding: gzip, deflate, HTTPS 200 OK response with index.html. ACE terminates the client's SSL session and opens a separate SSL session to the server.

SSL Session ID Sticky: Server Hello

Hex dump of the Server Hello captured from the server (Ethernet, IP and TCP headers followed by the SSLv3 record):

  0000 00 1a 6b 66 88 27 00 16 9d cb 43 e3 08 00 45 00
  0010 03 13 f0 be 40 00 78 06 c5 72 0a 56 bf 85 0a 56
  0020 75 82 01 bb 09 b2 02 90 d3 6a ea 18 e3 a0 50 18
  0030 44 a2 f7 60 00 00 16 03 00 02 e6 02 00 00 46 03
  0040 00 47 f0 cc a5 d4 98 21 ec 87 9f 20 2a eb 7d 11
  0050 7d 8b 51 f3 b6 9a 4b dd 11 66 e0 37 eb 04 3c a3
  0060 f5 20 79 21 00 00 e2 8e 18 6d fb fe 2a af 44 13
  0070 7b 70 67 e3 de 89 12 4f a0 79 84 5b 5d 27 22 e2
  0080 13 7c 00 04 00 0b 00 02 94 00 02 91 00 02 8e 30
  0090 82 02 8a 30 82 01 f3 02 01 05 30 0d 06 09 2a 86
  00a0 48 86 f7 0d 01 01 04 05 00 30 81 b1 31 0b 30 09
  00b0 06 03 55 04 06 13 02 55 53 31 16 30 14 06 03 55
  00c0 04 08 13 0d 4d 61 73 73 61 63 68 75 73 65 74 74
  00d0 73 31 13 30 11 06 03 55 04 07 13 0a 42 6f 78 62
  00e0 6f 72 6f 75 67 68 31 10 30 0e 06 03 55 04 0a 13
  00f0 07 41 4e 53 2d 4c 61 62 31 23 30 21 06 03 55 04

The figure highlights the 32-byte Session ID, introduced by the length byte 0x20 found at offset 43 of the TCP payload (the offset and begin-pattern used in the sticky configuration), and annotates the Server Hello handshake length field, 0x46 = 70, as Max-Parse-Length 70.
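Walking the capture above byte by byte shows why the sticky group uses offset 43, length 32 and begin-pattern "\x20": 5 bytes of record header, 4 of handshake header, 2 of version and 32 of random put the session-id length byte at payload offset 43. This is an added example, not Cisco code; it parses the first nine lines of the slide's dump, and the sticky-key extraction at the end is my reading of the layer4-payload semantics (scan from the offset for the begin pattern, take the following bytes), which is an assumption.

```python
"""Locate the SSLv3 session ID that the slide's 'sticky layer4-payload ... offset 43
length 32 begin-pattern "\\x20"' keys on, using the Server Hello capture from the
slide. Added example, not Cisco code. layer4_payload_key() mirrors the ACE
semantics as I understand them (assumption): scan from `offset` for the begin
pattern and take the `length` bytes that follow it."""
import struct

# First nine lines of the slide's Server Hello capture (Ethernet/IP/TCP + SSL record).
SERVER_HELLO_DUMP = """
0000 00 1a 6b 66 88 27 00 16 9d cb 43 e3 08 00 45 00
0010 03 13 f0 be 40 00 78 06 c5 72 0a 56 bf 85 0a 56
0020 75 82 01 bb 09 b2 02 90 d3 6a ea 18 e3 a0 50 18
0030 44 a2 f7 60 00 00 16 03 00 02 e6 02 00 00 46 03
0040 00 47 f0 cc a5 d4 98 21 ec 87 9f 20 2a eb 7d 11
0050 7d 8b 51 f3 b6 9a 4b dd 11 66 e0 37 eb 04 3c a3
0060 f5 20 79 21 00 00 e2 8e 18 6d fb fe 2a af 44 13
0070 7b 70 67 e3 de 89 12 4f a0 79 84 5b 5d 27 22 e2
0080 13 7c 00 04 00 0b 00 02 94 00 02 91 00 02 8e 30
"""


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset b0 b1 ...' lines into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(h, 16) for h in line.split()[1:])
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Strip the Ethernet (14 bytes), IPv4 (IHL*4) and TCP (data offset*4) headers."""
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    data_offset = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + data_offset:]


def server_hello_layout(payload: bytes) -> dict:
    """Walk SSL record -> Handshake -> ServerHello and report where the session ID sits.
    Record header 5 + handshake header 4 + version 2 + random 32 = 43: the ACE offset."""
    content_type, record_version, _ = struct.unpack("!BHH", payload[:5])
    if content_type != 0x16 or payload[5] != 0x02:
        raise ValueError("not a Handshake/ServerHello record")
    hello_len = int.from_bytes(payload[6:9], "big")
    sid_len_at = 5 + 4 + 2 + 32
    sid_len = payload[sid_len_at]
    sid = payload[sid_len_at + 1: sid_len_at + 1 + sid_len]
    cipher = payload[sid_len_at + 1 + sid_len: sid_len_at + 3 + sid_len]
    return {
        "record_version": record_version,   # 0x0300 = SSLv3
        "server_hello_len": hello_len,      # 0x46 = 70, the slide's Max-Parse-Length
        "sid_len_offset": sid_len_at,       # 43
        "sid_len": sid_len,                 # 0x20 = 32: this byte is the begin-pattern
        "session_id": sid.hex(),
        "cipher_suite": cipher.hex(),       # 0004 = RSA_WITH_RC4_128_MD5
    }


def layer4_payload_key(payload: bytes, offset: int = 43, length: int = 32,
                       begin_pattern: bytes = b"\x20") -> bytes:
    """Sticky key as 'layer4-payload offset 43 length 32 begin-pattern "\\x20"' selects
    it (assumed semantics, see above). Returns b'' if the pattern is not found, which
    is what happens when a Server Hello carries no session ID (length byte 0x00)."""
    at = payload.find(begin_pattern, offset)
    if at < 0:
        return b""
    return payload[at + len(begin_pattern): at + len(begin_pattern) + length]


if __name__ == "__main__":
    payload = tcp_payload(parse_hexdump(SERVER_HELLO_DUMP))
    info = server_hello_layout(payload)
    print(info)
    print("sticky key:", layer4_payload_key(payload).hex())
```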

ACE Header Load Balancing Config (1). Scenario: Direct to Language-Localized Server

  rserver host SERVER-10          !Catch All Server
    ip address 10.1.1.10
    inservice
  rserver host SERVER-11          !French Server
    ip address 10.1.1.11
    inservice
  rserver host SERVER-12          !German Server
    ip address 10.1.1.12
    inservice
  rserver host SERVER-13          !English Server
    ip address 10.1.1.13
    inservice

ACE Header Load Balancing Config (2)

Localized server farms:

  serverfarm host HTTP-CATCH-ALL
    probe HTTP
    rserver SERVER-10 80
      inservice
  serverfarm host HTTP-DE
    probe HTTP
    rserver SERVER-12
      inservice
  serverfarm host HTTP-EN
    probe HTTP
    rserver SERVER-13
      inservice
  serverfarm host HTTP-FR
    probe HTTP
    rserver SERVER-11
      inservice

ACE Header Load Balancing Config (3)

Identify the browser language from the Accept-Language header:

  class-map type http loadbalance match-any CATCH-ALL-CM
    2 match http url .*
  class-map type http loadbalance match-any DE-CM
    2 match http header Accept-Language header-value ".*de.*"
  class-map type http loadbalance match-any EN-CM
    2 match http header Accept-Language header-value ".*en.*"
  class-map type http loadbalance match-any FR-CM
    2 match http header Accept-Language header-value ".*fr.*"

  class-map match-all HEADERS-CM
    2 match virtual-address 10.86.158.19 tcp eq www

ACE Header Load Balancing Config (4)

Assign the server farm based on which language class-map matches (first match wins, so the catch-all class goes last):

  policy-map type loadbalance first-match HEADER-SELECT-PM
    class DE-CM
      serverfarm HTTP-DE
    class EN-CM
      serverfarm HTTP-EN
    class FR-CM
      serverfarm HTTP-FR
    class CATCH-ALL-CM
      serverfarm HTTP-CATCH-ALL

  policy-map multi-match CLIENT-VIPS-PM
    class HEADERS-CM
      loadbalance vip inservice
      loadbalance policy HEADER-SELECT-PM
      loadbalance vip icmp-reply active
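The class-map and policy-map semantics described earlier (match-any, match-all, nested match class, first-match ordering) can be modelled in a few lines; the model below is built from the Accept-Language classes on this slide and the nested URL-PARSE-CM/HEADER-PARSE-CM pair from the nested class-maps slide. It is an added example, not ACE code. It assumes ACE requires the expression to cover the whole header value (which is why the slides write ".*de.*" and use ".*" as the catch-all), mirrored with re.fullmatch, and it widens the slide's bare "Mozilla" to "Mozilla.*" so a real User-Agent passes under that assumption.

```python
"""Model of ACE class-map evaluation (match-any / match-all / nested 'match class')
and 'policy-map type loadbalance first-match' ordering, built from the
Accept-Language classes and the nested class-maps on the slides. Added example,
not ACE code. Assumption: ACE requires the expression to cover the whole value
(hence the slides' ".*de.*" and the ".*" catch-all), mirrored with re.fullmatch."""
import re
from dataclasses import dataclass, field


@dataclass
class ClassMap:
    name: str
    mode: str                                       # "match-any" (OR) or "match-all" (AND)
    urls: list = field(default_factory=list)        # match http url <expr>
    headers: list = field(default_factory=list)     # (name, expr): match http header <name> header-value <expr>
    nested: list = field(default_factory=list)      # match class <class-map>


def expr_matches(expr: str, value: str) -> bool:
    return re.fullmatch(expr, value) is not None


class LoadBalancePolicy:
    """policy-map type loadbalance first-match: ordered (class-map, serverfarm) pairs."""

    def __init__(self, classmaps, actions):
        self.classmaps = {c.name: c for c in classmaps}
        self.actions = actions

    def classify(self, name: str, req: dict) -> bool:
        cm = self.classmaps[name]
        results = [expr_matches(e, req["url"]) for e in cm.urls]
        results += [expr_matches(e, req["headers"].get(h.lower(), "")) for h, e in cm.headers]
        results += [self.classify(sub, req) for sub in cm.nested]
        return any(results) if cm.mode == "match-any" else all(results)

    def select_serverfarm(self, req: dict):
        for name, farm in self.actions:        # first matching class wins; order is decisive
            if self.classify(name, req):
                return farm
        return None                             # ACE would fall through to class-default


def request(url: str, **headers) -> dict:
    """Request with header names lower-cased (HTTP header names are case-insensitive)."""
    return {"url": url, "headers": {k.replace("_", "-").lower(): v for k, v in headers.items()}}


HEADER_SELECT_PM = LoadBalancePolicy(
    classmaps=[
        ClassMap("CATCH-ALL-CM", "match-any", urls=[".*"]),
        ClassMap("DE-CM", "match-any", headers=[("Accept-Language", ".*de.*")]),
        ClassMap("EN-CM", "match-any", headers=[("Accept-Language", ".*en.*")]),
        ClassMap("FR-CM", "match-any", headers=[("Accept-Language", ".*fr.*")]),
        # Nested class-maps slide; "Mozilla.*" is widened from the slide's bare "Mozilla"
        # so it can cover a real User-Agent under whole-value matching (assumption).
        ClassMap("URL-PARSE-CM", "match-any", urls=["/news", "/sport"]),
        ClassMap("HEADER-PARSE-CM", "match-all",
                 headers=[("User-Agent", "Mozilla.*")], nested=["URL-PARSE-CM"]),
    ],
    actions=[("DE-CM", "HTTP-DE"), ("EN-CM", "HTTP-EN"),
             ("FR-CM", "HTTP-FR"), ("CATCH-ALL-CM", "HTTP-CATCH-ALL")],
)


if __name__ == "__main__":
    # A browser listing several languages matches more than one class; the one
    # configured first in the policy-map (DE-CM) wins, not the one the user prefers most.
    for r in (request("/index.html", Accept_Language="fr-FR,fr;q=0.9"),
              request("/index.html", Accept_Language="en-GB,en;q=0.9,de;q=0.5"),
              request("/index.html")):
        print(r["headers"].get("accept-language"), "->", HEADER_SELECT_PM.select_serverfarm(r))
    print(HEADER_SELECT_PM.classify("HEADER-PARSE-CM", request("/sport", User_Agent="Mozilla/5.0")))
```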

HTTP Header Insert and Inline Inspection

Insert an HTTP header carrying the client source IP value:

  policy-map type loadbalance first-match TCP80-PM
    class class-default
      serverfarm TCP80-SF
      insert-http x-forwarded-for header-value "%is"

Enable deep packet inspection for HTTP:

  policy-map type inspect http all-match TCP80-CM-HTTP
    class class-default
      permit

  policy-map multi-match LOADBALANCE
    class TCP80-CM
      loadbalance vip inservice
      loadbalance policy TCP80-PM
      inspect http policy TCP80-CM-HTTP

Load Balancing: Big Header Issue. Where's the Cookie?

Set the maximum parse length high enough to catch the expected pattern (the default header parse length is 2K), set case sensitivity, and check every request:

  parameter-map type http INSENSITIVE
    case-insensitive
    persistence-rebalance
    set header-maxparse-len 8192
  ….
  policy-map multi-match LOADBALANCE
    class HTTP-CM
      loadbalance vip inservice
      loadbalance policy WEB-PM
      appl-parameter http advanced-options INSENSITIVE

Persistence rebalance allows ACE to look at each HTTP request inside the same TCP connection.
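The two failure modes this slide guards against are easy to reproduce: a sticky cookie that sits beyond the parsed header window is never seen, and without persistence-rebalance a second request on a keep-alive connection is not classified at all. The parser below is an added example, not ACE code; the 2048-byte default is the slide's "2K", the requests are constructed, and the ILIKECOOKIES name is the one from the persistence slide.

```python
"""Why the slide raises header-maxparse-len and enables persistence-rebalance:
ACE only looks for the sticky cookie inside the bytes it parses, and without
persistence-rebalance only the first request on a keep-alive connection is
classified. Added example, not ACE code; the 2048-byte default is the slide's
"2K"; the request bytes below are constructed."""
DEFAULT_HEADER_MAXPARSE_LEN = 2048


def parse_headers(raw: bytes, max_parse_len: int = DEFAULT_HEADER_MAXPARSE_LEN):
    """Parse the request line and headers from at most max_parse_len bytes.
    Returns (request_line, headers, complete); complete is False when the blank line
    ending the headers lies beyond the parse window, in which case the partial last
    line is discarded and any header after the window is simply never seen."""
    window = raw[:max_parse_len]
    end = window.find(b"\r\n\r\n")
    complete = end != -1
    lines = (window[:end] if complete else window).split(b"\r\n")
    if not complete:
        lines = lines[:-1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().decode().lower()] = value.strip().decode(errors="replace")
    return lines[0].decode(errors="replace"), headers, complete


def sticky_cookie(raw: bytes, cookie_name: str,
                  max_parse_len: int = DEFAULT_HEADER_MAXPARSE_LEN):
    """Value of the sticky cookie or None if it is not inside the parse window."""
    _, headers, _ = parse_headers(raw, max_parse_len)
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name:
            return value
    return None


def split_requests(stream: bytes) -> list:
    """Split a keep-alive connection into request heads (bodiless GETs, constructed)."""
    return [p + b"\r\n\r\n" for p in stream.split(b"\r\n\r\n") if p]


def sticky_keys_per_request(stream: bytes, cookie_name: str, max_parse_len: int,
                            persistence_rebalance: bool) -> list:
    """With persistence-rebalance every request on the connection is classified;
    without it the first request's sticky decision is reused for the rest."""
    keys = [sticky_cookie(r, cookie_name, max_parse_len) for r in split_requests(stream)]
    return keys if persistence_rebalance else [keys[0]] * len(keys)


# Constructed requests: the second carries ~3 KB of other headers before its Cookie.
SMALL_REQUEST = (b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n"
                 + b"Cookie: ILIKECOOKIES=server1\r\n\r\n")
BIG_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               + b"X-Padding: " + b"A" * 3000 + b"\r\n"
               + b"Cookie: ILIKECOOKIES=server2\r\n\r\n")


if __name__ == "__main__":
    print("default 2K parse:", sticky_cookie(BIG_REQUEST, "ILIKECOOKIES"))
    print("8192 parse:     ", sticky_cookie(BIG_REQUEST, "ILIKECOOKIES", 8192))
    stream = SMALL_REQUEST + BIG_REQUEST
    print("no rebalance:   ", sticky_keys_per_request(stream, "ILIKECOOKIES", 8192, False))
    print("rebalance:      ", sticky_keys_per_request(stream, "ILIKECOOKIES", 8192, True))
```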

URL Delayed Bind and Header Insert with Device Manager and ANM

Application Delivery Networking: Additional Features and Deployment Concepts

Defining VLANs

ACE service module:

  config t
  svclc multiple-vlan-interfaces
  svclc module 2 vlan-group 1,2
  svclc vlan-group 1 10,20
  svclc vlan-group 2 999

Defining VLANs for a context (ACE module or appliance):

  config t
  context PROD
    allocate-interface vlan 10
    allocate-interface vlan 20

ACE appliance interface configuration:

  interface gigabitEthernet 1/1
    channel-group 1
    no shutdown
  interface gigabitEthernet 1/2
    channel-group 1
    no shutdown
  interface port-channel 1
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,20,999
    no shutdown

ACE Device Virtualization: Multiple Virtual Devices

Redundancy provided at the virtual device level
Routing between virtual devices through an external routing device
Traffic doesn't cross over even when a VLAN is shared between virtual devices
A context can be configured in any design mode: routed, bridged, one-arm

Create context and associate VLAN interface example:

context WebServerContext
 allocate-interface vlan 102

Each virtual device (context) has:
Distinct configuration file
Own directory structure
Separate routing table
Guaranteed minimum resources
Distinct RBAC (roles and domains)
Independent application rule sets

Virtualization Resource Control: Resource Classes

Rates: bandwidth, connections/sec, management connections/sec, SSL bandwidth, syslogs/sec
Memory: access lists, regular expressions, data/management/SSL connections, xlates, sticky entries

Resource classes define capacity per device context. Create one using the "resource-class" command, for example:

resource-class WebResourceClass

Use the "member" command in context configuration mode to assign a resource class to the context:

context Web
 member WebResourceClass

ACE Virtual Partitioning Model: Resource Management

Assign resources to contexts using resource classes; only one resource class per context.
By default, every context is a member of the "default" resource class, with unlimited access to system resources.
Resources can be guaranteed to a context by setting minimum limits.
Over-subscription of resources is allowed by setting maximum limits to unlimited.
All limits are specified as a percentage.
A maximum of 100 resource classes can be configured.

Protecting Resource Allocation

Create a virtual context (e.g. Resource_Context) that will not be used to process traffic.

Create a resource class with minimum values for all resource types (e.g. Reserved-Resources); 10-20% is suggested:

resource-class Reserved-Resources
 limit-resource all minimum 20.00 maximum equal-to-min

Assign the resource class (Reserved-Resources) to the virtual context (Resource_Context).

Resources are committed to the reserve virtual context and cannot be accessed by any other context. Resources can be freed by lowering the values of the resource class assigned to the reserve context, and then allocating the freed resources as needed.
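The three slides above (resource classes, the percentage-based minimum/maximum limits, and the reserve context) describe a small allocation model that is easy to get wrong when several contexts are added over time. The following is an added example, not ACE code, that checks a context-to-resource-class assignment for one resource type: whether the guaranteed minimums still fit within 100%, how much is left unguaranteed, and which contexts can oversubscribe because their maximum is unlimited or above their minimum. It assumes the minimum applies to each member context individually, so the guarantees of all contexts are summed; the class names and percentages are constructed.

```python
"""Sanity check for resource-class assignments across contexts.

Added example, not ACE code: a model of the rules stated above (limits are
percentages, a context is a member of exactly one resource class, the
minimum is guaranteed, a maximum of unlimited allows oversubscription).
It assumes the minimum applies to each member context individually, so the
guarantees of all contexts are summed against the 100% that exists.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ResourceClass:
    name: str
    minimum: float            # percent guaranteed to each member context
    maximum: Optional[float]  # percent cap; None models "unlimited"

    def __post_init__(self) -> None:
        if not 0.0 <= self.minimum <= 100.0:
            raise ValueError("minimum must be a percentage")
        if self.maximum is not None and self.maximum < self.minimum:
            raise ValueError("maximum cannot be below minimum")


def reserved(name: str, minimum: float) -> ResourceClass:
    """Models 'limit-resource all minimum N maximum equal-to-min'."""
    return ResourceClass(name, minimum, minimum)


@dataclass
class Plan:
    guaranteed: float           # sum of minimums over all contexts
    free: float                 # share nobody is guaranteed (0 if overcommitted)
    oversubscribed: List[str]   # contexts whose maximum exceeds their minimum
    feasible: bool              # guarantees fit within 100%


def check_plan(memberships: Dict[str, ResourceClass]) -> Plan:
    """memberships maps context name -> its (single) resource class."""
    guaranteed = sum(rc.minimum for rc in memberships.values())
    oversub = sorted(ctx for ctx, rc in memberships.items()
                     if rc.maximum is None or rc.maximum > rc.minimum)
    return Plan(guaranteed=guaranteed,
                free=max(0.0, 100.0 - guaranteed),
                oversubscribed=oversub,
                feasible=guaranteed <= 100.0)


if __name__ == "__main__":
    # Constructed assignment: a 20% reserve context plus two traffic contexts.
    web = ResourceClass("WebResourceClass", minimum=30, maximum=None)
    app = ResourceClass("AppResourceClass", minimum=30, maximum=60)
    plan = check_plan({"Resource_Context": reserved("Reserved-Resources", 20),
                       "Web": web, "App": app})
    print(plan)  # guaranteed 80, free 20, Web and App may oversubscribe
```

Adding a fourth context with a 30% minimum to that plan pushes the guarantees to 110% and the check fails; lowering the reserve class to 10%, as the slide suggests, makes the plan feasible again, which is exactly the "free resources by lowering the reserve" procedure.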

ACE Redundancy Model

Redundancy groups (fault-tolerance groups, FT groups) are configured per virtual context.
Two instances of the same virtual context (on two distinct ACE modules) form a redundancy group, one being active and the other standby.
The redundant ACE can be in the same or a different Catalyst 6500 chassis.
Both ACE modules can be active at the same time, processing traffic for distinct virtual devices and backing each other up (stateful redundancy).

Example diagram: 2 ACE modules (ACE-1 and ACE-2) connected over the FT VLAN, 4 FT groups, 4 virtual contexts (A, B, C, D). FT group 1: A active / A' standby; FT group 2: B active / B' standby; FT group 3: C active / C' standby; FT group 4: D active / D' standby.

High-Availability Configuration on ACE: Master Configuration (Configured in the Admin Context)

Configure the shared alias IP address and the standby peer IP address.
Define the FT peer (only one is possible).
Define the heartbeat interval and count.
Define the FT VLAN number.

interface vlan 110
 ip address 10.25.91.201 255.255.255.0
 alias 10.25.91.204 255.255.255.0
 peer ip address 10.25.91.202 255.255.255.0
 service-policy input remote-mgmt
 no shutdown

ft interface vlan 999
 ip address 10.1.1.1 255.255.255.0
 peer ip address 10.1.1.2 255.255.255.0
 no shutdown

ft peer 1
 heartbeat interval 300
 heartbeat count 20
 ft-interface vlan 999
 query-interface vlan 110

High-Availability Configuration on ACE (continued): FT Groups, Configured in the Admin Context

One FT group per context.
Associate the context with the FT group.
Define the FT peer per FT group.
Define the peer priority.

ft group 3
 peer 1
 priority 110
 associate-context Admin
 inservice

ft group 1
 peer 1
 priority 110
 associate-context LoadBalancing
 inservice

ft group 2
 peer 1
 priority 110
 associate-context WAAS
 inservice

View Resource-class Utilization

switch/C1# show resource usage
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
--------------------------------------------------------------------
Context: C1
  conc-connections            0          0     800000    7200000          0
  mgmt-connections            0          0        500       4500          0
  proxy-connections           0          0     104858     943716          0
  xlates                      0          0     104858     943716          0
  bandwidth                   0          0   50000000  450000000          0
  connection rate             0          0     100000     900000          0
  ssl-connections rate        0          0        100        900          0
  mgmt-traffic rate           0          0   12500000  112500000          0
  mac-miss rate               0          0        200       1800          0
  inspect-conn rate           0          0        600       5400          0
  acl-memory                  0          0    7861044   78610432          0
  regexp                      0          0     104858    1048576          0

Basic ACLs: Device Access

An input ACL is needed to permit traffic.
An output ACL is not needed to permit traffic, but if one is applied it is followed.
All ACLs have an implicit deny at the end.
Both a global access-group and an access-group per interface are supported in a context.

Basic ACLs: Device Access

L3/L4 ACLs (security access list):

access-list NAME [line number] extended {deny | permit} {protocol} {src_ip_address netmask | any | host src_ip_address} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]

access-list NAME [line number] extended {deny | permit} icmp {src_ip_address netmask | any | host src_ip_address} {dest_ip_address netmask | any | host dest_ip_address} [type] [code operator code1 [code2]]

Recommended starting point for all configurations:

access-list EVERYONE line 10 extended permit ip any any
!
interface vlan 2
 ip address 172.16.1.1 255.255.255.0
 access-group input EVERYONE
 no shutdown
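The two rules that matter when reading these entries are first-match ordering by line number and the implicit deny that follows the last entry. The following added example (a model for this page, not ACE code) parses entries written in the syntax above and evaluates packets against them the same way, so the effect of a permit-ip-any-any starting point versus a tighter list can be seen before it is applied. It is limited to IPv4, the "eq" port operator and the protocols ip/tcp/udp/icmp; ICMP type and code are accepted but not matched, and the sample ACL is constructed.

```python
"""Evaluate ACE-style extended ACL entries with first-match and implicit deny.

Added example, not ACE code: a model of the access-list syntax shown above,
restricted to IPv4, the 'eq' port operator and the protocols ip/tcp/udp/icmp
(ICMP type and code are accepted but not matched). Used to show why an
input ACL is needed and what the implicit deny at the end does.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # destination port for 'eq', else None


def _address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' and return the rest."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines: List[str], name: str) -> List[AclEntry]:
    """Parse the entries of access-list `name`, in line-number order."""
    numbered = []
    for raw in lines:
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[1] != name:
            continue
        tok = tok[2:]
        line_no = 0
        if tok[0] == "line":
            line_no, tok = int(tok[1]), tok[2:]
        if tok[0] != "extended":
            raise ValueError(f"unsupported ACL form: {raw}")
        action, proto, rest = tok[1], tok[2], tok[3:]
        src, rest = _address(rest)
        if rest[:1] == ["eq"]:      # source port: accepted, not matched here
            rest = rest[2:]
        dst, rest = _address(rest)
        dport = int(rest[1]) if proto in ("tcp", "udp") and rest[:1] == ["eq"] else None
        numbered.append((line_no, AclEntry(action, proto, src, dst, dport)))
    return [e for _, e in sorted(numbered, key=lambda x: x[0])]


def evaluate(entries: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching entry wins; with no match the implicit deny applies."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.protocol not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


# Constructed sample ACL in the syntax shown above.
SAMPLE_ACL = [
    "access-list WEB line 10 extended permit tcp any host 172.16.1.73 eq 80",
    "access-list WEB line 20 extended deny ip 10.0.0.0 255.0.0.0 any",
    "access-list WEB line 30 extended permit icmp any 172.16.1.0 255.255.255.0",
    "access-list EVERYONE line 10 extended permit ip any any",
]

if __name__ == "__main__":
    web = parse_acl(SAMPLE_ACL, "WEB")
    print(evaluate(web, "tcp", "203.0.113.5", "172.16.1.73", 80))   # permit
    print(evaluate(web, "tcp", "203.0.113.5", "172.16.1.73", 443))  # deny (implicit)
```

Because the model returns "deny" for anything no entry covers, an interface with the WEB list applied as its input ACL would pass only port-80 traffic to the VIP and ICMP to the server subnet; the EVERYONE list from the slide passes everything, which is why it is a starting point rather than an end state.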

Security Features: ACL with Object Groups

As the number of access-control list entries increases, managing the list can be very challenging. Object grouping allows you to streamline the configuration of multiple ACL entries in an ACL: by grouping like objects together, you can use an object group in an ACL entry instead of having to enter an ACL entry for each object separately.

You can create the following types of object groups:
Network object groups
Service object groups (protocols and ports)

Dynamic NAT to a Pool of Addresses

class-map match-all NAT-CM
 2 match virtual-address 172.16.1.73 any

policy-map multi-match LOADBALANCE
 class NAT-CM
  loadbalance vip inservice
  loadbalance policy SLB_LOGIC
  nat dynamic 1 vlan 100

interface vlan 20
 ip address 172.16.1.1 255.255.255.0
 service-policy input LOADBALANCE
 no shutdown

interface vlan 100
 ip address 192.168.1.1 255.255.255.0
 nat-pool 1 192.168.1.100 192.168.1.150 netmask 255.255.255.0
 no shutdown

For any packet sent from any client to 172.16.1.73, the source IP will be translated to an address in 192.168.1.100-150 when it is sent out on VLAN 100. What will happen when you run out of addresses?

Diagram: outside world (client source: any) on VLAN 20, ACE, internal network on VLAN 100 (pool 192.168.1.100-150).

Dynamic NAT: Client Connections PAT'd to the VIP

class-map match-all NAT-CM
 2 match virtual-address 172.16.1.73 any

policy-map type loadbalance first-match SLB_LOGIC
 class class-default
  serverfarm TELNET-SF

policy-map multi-match LOADBALANCE
 class NAT-CM
  loadbalance vip inservice
  loadbalance policy SLB_LOGIC
  nat dynamic 1 vlan 2

interface vlan 2
 ip address 172.16.1.1 255.255.255.0
 nat-pool 1 172.16.1.73 172.16.1.73 netmask 255.255.255.0 pat
 service-policy input remote-mgmt
 service-policy input LOADBALANCE
 no shutdown

For any packet sent from any client to 172.16.1.73, the source IP will be PAT'd to 172.16.1.73 when it is sent out on VLAN 2.

Diagram: client, router, ACE with VIP 172.16.1.73 on VLAN 2, server; the server sees client = 172.16.1.73.
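The two NAT examples above differ in what happens when the pool is busy, and the first slide leaves that as a question. The following added example (a toy model written for this page, not ACE code) answers it by simulation: without "pat" every distinct client source IP holds one pool address, so the 51-address pool 192.168.1.100-150 drops the 52nd client's packets (the "Denied" column of show resource usage is where such drops would be counted); with "pat" the translated source port multiplexes many clients onto the single VIP address. The translated port range is a constructed assumption.

```python
"""Model of a dynamic NAT pool with and without PAT.

Added example, not ACE code. It answers the question above by simulation:
without 'pat' every client source IP holds one pool address and the pool
runs dry after as many distinct clients as it has addresses; with 'pat'
the translated source port multiplexes many clients onto one address.
The translated port range used here is a constructed assumption.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Xlate = Tuple[str, int]


class DynamicNatPool:
    PORT_LO, PORT_HI = 1024, 65535  # constructed: translated source ports

    def __init__(self, first: str, last: str, pat: bool = False) -> None:
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        if hi < lo:
            raise ValueError("pool end precedes pool start")
        self.addresses: List[str] = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.pat = pat
        self.denied = 0                       # packets dropped for lack of an xlate
        self._free: List[str] = list(reversed(self.addresses))
        self._by_client_ip: Dict[str, str] = {}          # no PAT: client IP -> pool IP
        self._by_client_flow: Dict[Xlate, Xlate] = {}    # PAT: (ip, port) -> (ip, port)
        self._next_port: Dict[str, int] = {a: self.PORT_LO for a in self.addresses}

    def translate(self, client_ip: str, client_port: int) -> Optional[Xlate]:
        """Translated (source IP, source port) for this flow, or None if dropped."""
        if self.pat:
            return self._translate_pat((client_ip, client_port))
        if client_ip in self._by_client_ip:
            return (self._by_client_ip[client_ip], client_port)
        if not self._free:
            self.denied += 1
            return None
        addr = self._free.pop()
        self._by_client_ip[client_ip] = addr
        return (addr, client_port)

    def _translate_pat(self, flow: Xlate) -> Optional[Xlate]:
        if flow in self._by_client_flow:
            return self._by_client_flow[flow]
        for addr in self.addresses:
            port = self._next_port[addr]
            if port <= self.PORT_HI:
                self._next_port[addr] = port + 1
                self._by_client_flow[flow] = (addr, port)
                return (addr, port)
        self.denied += 1
        return None

    def xlates(self) -> int:
        """Number of translation entries currently held (the 'xlates' resource)."""
        return len(self._by_client_flow) if self.pat else len(self._by_client_ip)


if __name__ == "__main__":
    # Pool from the first example: 192.168.1.100-150 without PAT (51 addresses).
    pool = DynamicNatPool("192.168.1.100", "192.168.1.150")
    results = [pool.translate(f"10.0.0.{i}", 40000) for i in range(1, 53)]
    print(results[0], results[-1], pool.denied)  # ('192.168.1.100', 40000) None 1
    # Second example: everything PAT'd to the VIP itself.
    vip_pool = DynamicNatPool("172.16.1.73", "172.16.1.73", pat=True)
    print([vip_pool.translate(f"10.0.0.{i}", 5000) for i in (1, 2)])
```

The model also shows why the no-PAT pool consumes one xlate per client rather than per connection: a second connection from an already translated client reuses its address and adds no entry.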

More Security Features in ACE

TCP/IP normalization: built-in transport protocol security, user-configurable to meet security requirements
Application protocol inspection
Rate limiting
Advanced HTTP inspection: RFC compliance, MIME type validation, prevention of tunneling protocols over HTTP ports

Security Features: Denial-of-Service Protection, SYN Cookie

ACE can guard against SYN floods by implementing a key feature called SYN cookie. SYN cookie provides a mechanism to authenticate the TCP SYN packet.

Completely stateless: no ACE memory entries are used
SYN-ACK replies carry a cookie in the sequence-number field of the TCP header
The cookie is generated from a 24-bit random number with the MSS encapsulated
If the ACK does not contain the correct cookie, ACE drops the packet
SYN cookie is enabled per interface on ACE:

Appliance/PROD(config-if)# syn-cookie 100
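The bullets above describe the mechanism without showing the exchange, so here is an added example of a stateless SYN-cookie listener, written for this page and not ACE's implementation or its exact encoding. It follows the description: nothing is stored while the handshake is incomplete; the SYN-ACK sequence number carries a 24-bit keyed value plus an encoded MSS; the final ACK is accepted only if its acknowledgement number carries the right cookie, otherwise it is dropped. The bit layout, MSS table and time window are constructed for the example.

```python
"""Stateless SYN-cookie model: SYN-ACK carries a cookie in the sequence number.

Added example, not ACE's implementation or the exact encoding it uses. It
follows the description above: no per-connection state is kept while the
handshake is incomplete; the SYN-ACK sequence number encodes an MSS choice
plus a 24-bit keyed hash; an ACK whose acknowledgement number does not
carry the right cookie is dropped. The bit layout, MSS table and time
window are constructed for this example.
"""
import hashlib
import hmac
from typing import Optional, Tuple

FourTuple = Tuple[str, int, str, int]          # src ip, src port, dst ip, dst port
MSS_TABLE = (536, 1220, 1440, 1460)             # constructed: 2-bit index -> MSS
MASK32 = 0xFFFFFFFF


class SynCookieListener:
    def __init__(self, secret: bytes, window_seconds: int = 64) -> None:
        self.secret = secret
        self.window = window_seconds
        self.dropped = 0

    def _counter(self, now: float) -> int:
        return int(now) // self.window

    def _hash24(self, ft: FourTuple, counter: int) -> int:
        msg = f"{ft}|{counter}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def syn_received(self, ft: FourTuple, client_mss: int, now: float) -> int:
        """Build the SYN-ACK initial sequence number. Nothing is stored."""
        idx = 0
        for i, mss in enumerate(MSS_TABLE):
            if mss <= client_mss:
                idx = i                       # largest table MSS the client allows
        counter = self._counter(now)
        # layout: 2 bits MSS index | 6 bits of time counter | 24-bit keyed hash
        return ((idx << 30) | ((counter & 0x3F) << 24) | self._hash24(ft, counter)) & MASK32

    def ack_received(self, ft: FourTuple, ack_number: int, now: float) -> Optional[int]:
        """Validate the final ACK; return the MSS to use, or None if dropped."""
        cookie = (ack_number - 1) & MASK32          # client acks our ISN + 1
        idx, cbits, h = cookie >> 30, (cookie >> 24) & 0x3F, cookie & 0xFFFFFF
        current = self._counter(now)
        for counter in (current, current - 1):     # accept current and previous window
            if (counter & 0x3F) == cbits and hmac.compare_digest(
                    h.to_bytes(3, "big"), self._hash24(ft, counter).to_bytes(3, "big")):
                return MSS_TABLE[idx]
        self.dropped += 1
        return None


if __name__ == "__main__":
    lb = SynCookieListener(secret=b"constructed-secret")
    ft: FourTuple = ("203.0.113.5", 40000, "172.16.1.73", 80)
    isn = lb.syn_received(ft, client_mss=1460, now=1000.0)       # SYN in, SYN-ACK out
    print(lb.ack_received(ft, isn + 1, now=1001.0))               # 1460: valid ACK
    print(lb.ack_received(ft, isn + 12345, now=1001.0))           # None: bad cookie
```

The design point the example makes is where the cost lands: a flood of SYNs costs the listener one HMAC per packet and no memory, and the only thing that becomes connection state is an ACK that proves the sender received the SYN-ACK.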

Design Configurations

Design Configuration: ACE Service Virtualization

Diagram: one physical device with Context 1 (the Admin context, holding context definition and resource allocation), Context 2 and Context 3; a management station and AAA are attached to the Admin context.

Design Configuration: Router Mode

Servers in a dedicated IP subnet
VIPs usually in a different, routable subnet from the servers
Requires at least two IP subnets
Easy to deploy with many server IP subnets
Servers' default gateway: load balancer

Diagram: ACE "routing" between Subnet A and Subnet B.

Design Configuration: Bridge Mode

Servers in a routable IP subnet
VIPs can be in the same or a different subnet
Requires one IP subnet for each server farm
Servers' default gateway: upstream router

Diagram: ACE "bridging" within Subnet A.

Design Considerations: One-Arm Mode Overview

L2 rewrite not possible
Content switch not inline: does not see unnecessary traffic
Requires PBR, the server default gateway pointing to the load balancer, or client source NAT: the return traffic is needed!
Not as common as bridge or routed mode due to problems with forcing traffic back to ACE in the return direction
Servers' default gateway: upstream router

Diagram: ACE attached one-arm to Subnet B.

PBR: Policy Based Routing; NAT: Network Address Translation

How Are Customers Using Virtualization? Security and Bridge Mode

Diagram: an Admin partition plus partitions A, B and C on one ACE.

"Bridge mode on the CSM was great, but ACE takes the same approach to a whole new level with virtualization"

"The security team continues to fully manage the FWSM and is comfortable with the bridge mode approach. In parallel, we have turned on some extra HTTP security features on ACE"

Each pair of bridged VLANs has its own configuration, independent management, and enhanced security.

Summary: Questions and Answers

Recommended Reading: BRKAPP-2002

Source: Cisco Press

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Cisco Preferred Access points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.