Server Load Balancing Design
BRKAPP-2002, Cisco Live 2008 breakout session (14405_04_2008_c2)
© 2006, Cisco Systems, Inc. All rights reserved. © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public.



Cisco Application Delivery Networks

WAN Acceleration: data redundancy elimination, window scaling, LZ compression, adaptive congestion avoidance
Application Acceleration: latency mitigation, application data cache, metadata cache, local services
Application Optimization: delta encoding, FlashForward optimization, application security, server offload
Application Networking: message transformation, protocol transformation, message-based security, application visibility
Application Scalability: server load balancing, site selection, SSL termination and offload, video delivery
Network Classification: quality of service, network-based application recognition; queuing, policing, shaping; visibility, monitoring, control


Other Cisco Live Breakout Sessions that You May Want to Attend

BRKAPP-2014 Deploying AXG
BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Siebel and Exchange
BRKAPP-2011 Scaling Applications in a Clustered Environment
BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization
BRKAPP-1009 Introduction to Web Application Security
BRKAPP-1008 What can Cisco IOS do for my application?
BRKAPP-3006 Troubleshooting WAAS
BRKAPP-2005 Deploying WAAS
BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers
BRKAPP-2017 Optimizing Application Delivery
BRKAPP-1016 Running Applications on the Branch Router
BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers
BRKAPP-1004 Introduction to WAAS
BRKAPP-3003 Troubleshooting ACE
BRKAPP-2002 Server Load Balancing Design

(Chart: the sessions plotted by relevancy against the products ISR, GSS, WAAS, ACE, AXG and ACNS.)


Agenda

Application Load Balancing
  Health Checking
  Prediction
  Persistence
  Design Implementation Considerations
Policy Configuration Examples
  Layer 4 Example
  Web Protocol Example
  Server to Server Load Balancing Example
SSL
  SSL Offload Example
Advanced Load Balancing Design
  Application Inspections
  TCP Reuse
  URL Load Balancing


ACE Application Switching Module
Integrates Load Balancing, Application Optimization and Security

Virtual Device Support
Data Center and Application Firewall
Multimedia and Voice Intelligence
Low Power Usage with High Performance
License-based Upgrades (SSL, virtual licenses)
Support for Catalyst 6500 Series Switch and Cisco 7600 Series Router

Integrated Services, High Performance Application Switching Platform: 4-16 Gbps


ACE Application Switching Appliance
Integrates Load Balancing, Application Optimization and Security

Virtual Device Support
Data Center and Application Firewall
Multimedia and Voice Intelligence
Low Power Usage with High Performance
License-based Upgrades (SSL, Virtual licenses, Application Optimization, Compression Performance)
Specific optimizations for common applications
Latency and bandwidth reduction with protection
Application switching for scalability and availability
Embedded Browser-based Graphical User Interface
High Performance Multi-core, Dual-CPU Architecture

Integrated Services, High Performance Application Switching Platform: 1-2 Gbps


Cisco Application Networking Manager (ANM)

ACE Appliance has an embedded GUI
ANM is free for 2 ACE devices (with 5 contexts maximum without additional licensing); an order must be placed for ANM-SERVER-12-K9
ACE Module has no embedded GUI
Cisco ANM runs from a centralized server running Red Hat Linux
Multiple Cisco ANM users can simultaneously manage multiple devices via web browser
Enables device and virtualization provisioning for up to fifty (50) ACE and forty (40) CSS and CSM per Cisco ANM server
Graphical interface for simplified and standardized service provisioning for basic, advanced and expert users
Secure user access and delegation of responsibilities
Enables centralized configuration, operations, and monitoring of Cisco data center networking equipment and services


Load Balancing Overview: Terminology

Clients: the hosts that connect to the virtual address
Content Switch / Load Balancer: the device that distributes client connections across the servers
Servers: the real hosts that serve the application
Serverfarm: a group of servers that can answer the same requests
Client-Side Gateway: the next hop towards the clients
Keepalive (Probe): the health check the load balancer runs against each server
Virtual IP Address (VIP): the address and port the clients connect to, e.g. 172.16.2.100 TCP port 80
Class-Map: the match criteria for a class of traffic, e.g. URL = /news, User-Agent = WindowsCE, Client = 192.0.0.0/8
Load Balancing Algorithm (Predictor): how a server is chosen from the serverfarm, e.g. Round Robin
Policy-Map: ties classes to actions, e.g. if match class-map X then use serverfarm X, else use serverfarm Y
XML Gateways: shown in the diagram as another load-balanced target


Traffic Being Load Balanced

Generic IP traffic (e.g. IPsec tunnels)
Generic UDP and TCP (e.g. proprietary protocols)
Network services (e.g. LDAP, DNS, RADIUS)
HTTP (e.g. Web presentation layer, Web services, SOAP/XML)
Voice and video (e.g. RTSP, SIP, H.323)
Remote terminals (e.g. Windows Terminal Services)
Multi-connection protocols (e.g. FTP, RTSP)
Multi-tier packaged applications (e.g. SAP, Oracle, Microsoft, BEA)
Vertical-specific applications (e.g. medical, finance, education)

(Diagram of a frame: Ethernet header (Layer 2) | IP header (Layer 3) | TCP header (Layer 4) | HTTP header and payload (Layers 5-7) | Ethernet trailer.)


Scale Your Application: Health Checking


Scale Your Application: Health Monitoring Issues

ARPs only check the IP stack and not the application
ICMP probes only check the IP stack of the machine and not the application
Generic TCP port opens check the TCP stack but not the application's ability to handle requests
An application may fail in a state where the server can still respond to a TCP SYN but not to an application data request
To verify the integrity of an application, an application data request keepalive is required

(Diagram, labelled "Application Issue": how to verify the application server's health, or the web server's reachability to the application server, when the failure is in the application tier.)


Application Load Balancing: Probe Options

ICMP: sends an ICMP request and waits for a reply
Generic TCP: opens a connection with the server and disconnects with TCP FIN or RST (TCP FIN is the default)
Generic UDP: sends a packet; the probe is considered successful if no ICMP error is received
HTTP: sends an HTTP HEAD or HTTP GET 1.1 request
HTTPS: establishes an SSL connection, sends an HTTP query and tears it down
FTP: similar to the TCP probe
Telnet: makes a connection, sends a "QUIT" message
DNS: uses a default domain and waits for any response
SMTP: sends a "hello" followed by a "QUIT" message
POP3: similar to the TCP probe
IMAP: similar to the TCP probe
RADIUS: similar to the UDP probe; NAS-IP can be configured
SNMP: up to eight OIDs can be configured. Used mainly for load balancing predictions and not health checking; should be combined with another health probe to verify the application
Scripted: uses the TCL interpreter release 8.44 to execute user-defined TCL scripts that perform health monitoring


Scale Your Application: Application or Database Server Health Checking

(Diagram: a probe request to http://www.company.com/test.asp that exercises the application: "Buy 10000 Widgets", Customer: Testuser, Company: Test Inc.)

Probing customer application servers with application data requires a scripted keepalive on the load balancer or on a front-end server. Scripting on front-end servers allows greater flexibility.


Scale Your Application: Predictors


Scale Your Application: Predictors

Predictors determine how connections are load balanced (diagram: client, load balancer, serverfarm).


Scale Your Application: Predictor Algorithms

Round Robin (weighted): very simple
Least Connections (weighted): dynamic, requires slow-start
Hash on IP (source/destination, with mask): no state required for stickiness; issues with dynamic changes
Hash on URL: or a portion of the URL
Server Watermarks: minimum and maximum number of connections per server
Least Loaded: SNMP OID based server feedback, obtaining useful information maintained as SNMP Object IDs
Least Bandwidth: connections vs. bandwidth, based on the bidirectional traffic flow
Adaptive Response Predictor: load balancing based on server response time, measured as
  SYN to SYN-ACK
  SYN to FIN
  Application request to first packet of response


Enhanced Predictors: Adaptive Response Predictor

Load balancing based on server response time. The response time is calculated over a configured number of samples, measured between the ACE and the serverfarm, and supports the following three measurement options:

SYN to SYN-ACK: time between the SYN sent from ACE and the SYN-ACK received from the server
SYN to Close: time between the SYN sent from ACE and the FIN/RST received from the server
Application Request to Response: time between the HTTP request sent from ACE and the HTTP response received from the server


Enhanced Predictors: Least-Loaded Using SNMP

The Least Loaded predictor can support up to 8 user-defined SNMP Object IDs
The least-loaded algorithm automatically calculates the least loaded server from the SNMP responses received from the servers
The number of active connections on each server is also factored into the least-loaded algorithm
Users can define static weights for each Object ID, giving control over how new connections are balanced based on real-time appliance performance

The least-loaded predictor provides the most accurate method for calculating a server's load


Enhanced Application Algorithms: Least-Loaded Using SNMP
ACE utilizes SNMP-based probes to obtain CPU, memory and drive statistics from the servers

ACE queries each server for the following three SNMP Object IDs: CPU utilization, memory resources, disk drive availability (further OIDs may be added).

Query results in the diagram:
  Server 1: CPU Utilization = 14%, Memory Resources = 947300k free, Disk Drive Availability = 440GB free
  Server 2: CPU Utilization = 24%, Memory Resources = 885300k free, Disk Drive Availability = 307GB free
  Server 3: CPU Utilization = 34%, Memory Resources = 785300k free, Disk Drive Availability = 202GB free

Only an SNMP agent is required on the server; no additional software


Enhanced Application Algorithms: New Feature, Least-Bandwidth

The load balancer introduces the least-bandwidth predictor, which selects the server that processed the least amount of network traffic over a specified sampling period.

The ACE measures traffic statistics between itself and the real servers in the server farm in both directions and calculates the bandwidth over the sampling period
Then it creates an ordered list of real servers based on the sampling results and selects the server that used the least amount of bandwidth during the sampling period

The least-bandwidth predictor is best suited for heavy traffic use
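To show how the two SNMP-driven predictors above rank a serverfarm, here is an added Python model (not ACE's code; the slides do not give ACE's internal arithmetic, so the per-OID normalisation and weighting below are this example's assumption). The three query results are the ones on the least-loaded slide; the connection counts and bandwidth samples are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RealServer:
    name: str
    active_conns: int = 0
    snmp: Dict[str, float] = field(default_factory=dict)  # OID name -> last polled value
    bw_samples: List[int] = field(default_factory=list)   # bytes in+out per sampling period


@dataclass
class OidWeight:
    oid: str
    weight: float              # static weight for this OID (assumed relative weights)
    free_metric: bool = False  # True when a larger value means LESS load (free RAM/disk)


def _normalised_load(values: Dict[str, float], free_metric: bool) -> Dict[str, float]:
    """Scale one metric to 0..1 across the farm so CPU %, free KB and free GB can
    be combined; for a 'free' metric the server with the most free has load 0."""
    top = max(values.values()) or 1.0
    if free_metric:
        return {name: (top - v) / top for name, v in values.items()}
    return {name: v / top for name, v in values.items()}


def least_loaded(farm: List[RealServer], oids: List[OidWeight],
                 conn_weight: float = 0.0) -> List[str]:
    """Server names ordered least loaded first: weighted OID load plus, when
    conn_weight is set, the active-connection count the slide says is also used."""
    scores = {rs.name: 0.0 for rs in farm}
    for ow in oids:
        norm = _normalised_load({rs.name: rs.snmp[ow.oid] for rs in farm}, ow.free_metric)
        for name, load in norm.items():
            scores[name] += ow.weight * load
    if conn_weight:
        norm = _normalised_load({rs.name: float(rs.active_conns) for rs in farm}, False)
        for name, load in norm.items():
            scores[name] += conn_weight * load
    return sorted(scores, key=scores.get)


def least_bandwidth(farm: List[RealServer], assess_periods: int) -> List[str]:
    """Server names ordered by bytes moved over the last assess_periods samples,
    least first; index 0 is the server the predictor picks."""
    usage = {rs.name: sum(rs.bw_samples[-assess_periods:]) for rs in farm}
    return sorted(usage, key=usage.get)


# Query results from the slide; connection counts and bandwidth samples are constructed.
FARM = [
    RealServer("SERVER1", active_conns=10,
               snmp={"cpu_pct": 14, "mem_free_kb": 947300, "disk_free_gb": 440},
               bw_samples=[100, 100, 900, 900]),
    RealServer("SERVER2", active_conns=5,
               snmp={"cpu_pct": 24, "mem_free_kb": 885300, "disk_free_gb": 307},
               bw_samples=[900, 900, 300, 200]),
    RealServer("SERVER3", active_conns=5,
               snmp={"cpu_pct": 34, "mem_free_kb": 785300, "disk_free_gb": 202},
               bw_samples=[400, 400, 400, 400]),
]
OIDS = [OidWeight("cpu_pct", 0.5),
        OidWeight("mem_free_kb", 0.3, free_metric=True),
        OidWeight("disk_free_gb", 0.2, free_metric=True)]


def demo():
    by_oids = least_loaded(FARM, OIDS)[0]                             # SERVER1: idlest CPU, most free RAM/disk
    by_oids_and_conns = least_loaded(FARM, OIDS, conn_weight=0.5)[0]  # SERVER2: SERVER1's 10 connections tip it
    by_bandwidth = least_bandwidth(FARM, assess_periods=2)            # only the last two samples count
    return by_oids, by_oids_and_conns, by_bandwidth
```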


Scale Your Application: Predictors


Scale Your Application: Session Persistence

Session: logical aggregation of multiple simultaneous or subsequent connections
Sessions are limited in time (timeout)
Servers keep session state
The content switch, by distributing load across multiple servers, introduces the problem
The content switch needs to send connections from the same client to the same server (stickiness)
Even with a backend database holding the session information, stickiness is very useful since it significantly improves performance


Scale Your Application: Session Persistence Methods

How to uniquely identify a client:

Source IP
  How it works: client = its source IP
  Variation: full IP, masked IP
  Info stored on: LB
  Good for: simplicity
  Caveats: proxies

Cookie
  How it works: client = a cookie value
  Variation: static, dynamic, insert
  Info stored on: LB
  Good for: flexibility
  Caveats: HTTP only, clear text

SSL ID
  How it works: client = SSL session ID
  Variation: full SSID, offset
  Info stored on: LB
  Good for: no cookie support
  Caveats: SSL v3, renegotiation

HTTP Redirect
  How it works: LB redirects to a specific (virtual) server
  Info stored on: client
  Good for: no state on LB
  Caveats: HTTP only, absolute URLs, bookmarks

RDP
  How it works: SD (Session Directory) routing token = server IP + port
  Info stored on: LB
  Good for: recovering disconnected WTS sessions
  Caveats: no token, needs to fall back to source IP

SIP
  How it works: client = session Call-ID
  Info stored on: LB
  Good for: SIP-specific stickiness

GPP
  How it works: regex matches on TCP and UDP data
  Variation: custom
  Info stored on: LB
  Good for: flexible for custom applications
  Caveats: specific to application


Design Configuration: ACE Service Virtualization

(Diagram: one physical device hosting an Admin context and Context 1, Context 2 and Context 3. Each context has its own definition and resource allocation; the ANM management station and AAA apply to the device as a whole.)


Design Configuration: ACE Virtualization

Provides a means to partition one physical unit into independently managed logical engines
Provisions resources per logical device; almost every feature subsystem is virtualized, including the Linux kernel
Logical devices are called virtual contexts, each with independent resource allocation and policies
A default context called 'Admin' is available initially; customers who do not wish to use virtualization can perform all operations from within the 'Admin' context
ACE Module: 250 contexts + Admin context supported
ACE Appliance: 20 contexts + Admin context supported


Design Configuration: ACE Resource Management

By default, every context is a member of the 'default' resource-class, with unlimited access to system resources
Resources can be guaranteed in three ways:
  No guaranteed resources, but access to any available resource
  X% of resources guaranteed, with no access to other additional resources
  X% of resources guaranteed and access to any available resource
The minimum limit is specified as a percentage (5.00%)
The maximum limit can equal the minimum value or be unlimited
Only one resource-class can be applied per context
A maximum of 100 resource-classes can be configured
Sticky resources require a minimum of 1% per context, which the default class does not provide: associate all contexts with a non-default resource-class


Design Configuration: Router Mode

The preferred configuration for appliances
By default the load balancer acts as a router
The servers' default gateway is the load balancer
The VIP addresses can reside on the client side or the server side
If you do not want to change the IP addresses of the servers, put the VIP on the server side and create a /30 network to the firewall

(Diagram: Subnet A on the client side, Subnet B and Subnet C on the server side; the servers' default gateway is the content switch IP.)


Design Configuration: Bridge Mode

This is preferred for integrated load balancers like the ACE modules
The load balancer acts as a bump in the wire
The servers' default gateway will be the upstream router or firewall
If packets are sent to the physical IP address of the load balancer, it will try to route the packet by default

(Diagram: Subnet A and Subnet B are bridged through the ACE; the servers' default gateway is the upstream router's or firewall's IP address, not ACE's address.)


How Are Customers Using Virtualization? Security and Bridge Mode

(Diagram: an Admin partition plus partitions A, B and C, each bridging its own pair of VLANs.)

"Bridge mode on the CSM was great, but ACE takes the same approach to a whole new level with virtualization"

"The security team continues to fully manage the FWSM and is comfortable with the bridge mode approach. In parallel, we have turned on some extra HTTP security features on ACE"

Each pair of bridged VLANs has its own configuration, independent management, and enhanced security


Design Considerations: One-Arm Mode Overview

L2 rewrite not possible
Content switch not inline; does not see unnecessary traffic
Requires PBR, the servers' default gateway pointing to the load balancer, or client source NAT
The return traffic is needed!
ACE can insert the user's original IP address as a client header:

  policy-map type loadbalance first-match OAM
    class L7Policy
      insert-http x-forwarded-for header-value "%is"

(Diagram: servers on Subnet B with the upstream router as their default gateway; the ACE attaches to the same subnet on a single arm.)

PBR: Policy Based Routing; NAT: Network Address Translation
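An added example (not from the slides or from Cisco) of what the X-Forwarded-For insertion above hands to the application, and of the check a server behind a one-arm load balancer should make before believing that header. The load balancer address, client addresses and request headers are constructed; whether ACE appends to or replaces an existing header is not stated on the slides, so the model follows the usual append convention.

```python
import ipaddress
from typing import Dict, Iterable

# Server-side address of the load balancer (constructed): only this TCP peer is
# trusted to have set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def lb_insert_xff(headers: Dict[str, str], connection_source_ip: str) -> Dict[str, str]:
    """Model of `insert-http x-forwarded-for header-value "%is"`: the load balancer
    records the source IP of the connection it accepted. Assumed append behaviour."""
    out = dict(headers)
    existing = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{existing}, {connection_source_ip}" if existing else connection_source_ip
    return out


def client_ip_for_logging(headers: Dict[str, str], peer_ip: str,
                          trusted_proxies: Iterable = TRUSTED_PROXIES) -> str:
    """Server side: which address to log or apply access rules to.
    Trust X-Forwarded-For only when the TCP peer is the load balancer, and then
    only its right-most entry, the one the load balancer itself appended;
    everything to its left came from the client and is untrusted input."""
    if ipaddress.ip_address(peer_ip) not in set(trusted_proxies):
        return peer_ip                       # direct connection: the header proves nothing
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return peer_ip                       # load balancer inserted nothing
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return peer_ip                       # malformed entry: fall back to the peer


def demo():
    # Constructed: a client at 192.0.2.10 whose request already carries a header.
    client_headers = {"X-Forwarded-For": "10.10.10.10"}
    via_lb = lb_insert_xff(client_headers, "192.0.2.10")
    through_lb = client_ip_for_logging(via_lb, peer_ip="10.0.0.5")               # 192.0.2.10
    bypassing_lb = client_ip_for_logging(client_headers, peer_ip="192.0.2.10")   # 192.0.2.10
    no_header = client_ip_for_logging({}, peer_ip="10.0.0.5")                    # 10.0.0.5
    return via_lb["X-Forwarded-For"], through_lb, bypassing_lb, no_header
```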


Design Considerations: One-Arm Mode Overview
Without PBR, client NAT, or the servers' gateway being set to the load balancer

1. Client to load balancer: MACs LB MAC / Router MAC; IPs VIP / Client IP; ports VIP port / random port
2. Load balancer to selected server: MACs Server MAC / CS MAC; IPs Selected Server IP / Client IP; ports VIP port / random port
3. Server reply, not passing back through the load balancer's translation: MACs CS MAC / Server MAC; IPs Client IP / Selected Server IP; ports random port / VIP port

The client receives a reply sourced from the real server's IP rather than from the VIP it connected to, so the connection is reset (RST).


L2 One-Arm Mode: Return Traffic Bypassing ACE

Bypass for return traffic: high throughput!
Requires MAC rewrite and L2 adjacency
Servers need identical loopback addresses (one per VIP)
TCP termination not possible: no L7 features!
Load balancer is blind to return traffic (inband health, accounting)

(Diagram: servers on Subnet B with the upstream router as their default gateway.)


Redundancy Model

Redundancy groups (Fault Tolerance, FT groups) are configured based on virtual contexts
Two instances of the same context (on two distinct ACE modules) form a redundancy group, one being active and the other standby
The peer ACE can be in the same or a different Cisco Catalyst 6k chassis
Both ACE modules can be active at the same time, processing traffic for distinct contexts, and backing up each other (stateful redundancy)

Example: two ACE modules (ACE-1, ACE-2) joined over the FT VLAN, four FT groups, four virtual contexts (A, B, C, D)
  FT Group 1: A active on ACE-1, A' standby on ACE-2
  FT Group 2: B active on ACE-1, B' standby on ACE-2
  FT Group 3: C active on ACE-1, C' standby on ACE-2
  FT Group 4: D active on ACE-1, D' standby on ACE-2


Policy Configuration Examples


Policy Lookup Order

There can be many features applied on a given interface, so feature lookup ordering is important. The feature lookup order followed by the datapath in ACE is as follows:

1. Access control (permit or deny a packet)
2. Management traffic
3. TCP normalization / connection parameters
4. Server load balancing
5. Fix-ups / application inspection
6. Source NAT
7. Destination NAT

The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface


Application Networking Manager 1.2
ANM 1.2 provides turnkey control and administration for ACE Modules and ACE Appliances

ANM 1.2 provides multi-device application management of large-scale data center operations


ANM 1.2: Configure Basic Server Load Balancing

(Screenshots: Configure Virtual Server (VIP); Configure Load Balancing Actions.) Easy-to-use server load balancing configuration.


ANM 1.2: Configure Basic Server Load Balancing

Intuitive GUI design prompts the user to configure VIP details as necessary; advanced options appear as the user drills down

(Screenshots: Add Real Servers; Create Health Monitoring Probes; Create Server Farm.)


Policy CLI Overview

1. Define match criteria
2. Associate actions to match criteria
3. Activate the classification-action rules on either an interface or "globally"

  class-map C1
    match <criteria>
  policy-map P1
    class C1
      <action>
  interface vlanX
    service-policy input P1


Modular Policy CLI

The class-map command is used to define a traffic class. The purpose of a traffic class is to classify traffic.

A traffic class contains three major elements: a name, a series of match commands, and, if more than one match command exists in the traffic class, an instruction on how to evaluate these match commands (match-any or match-all).

Class Maps:

  class-map type management match-any REMOTE-ACCESS
    description REMOTE-ACCESS-TRAFFIC-MATCH
    2 match protocol telnet any
    3 match protocol ssh any
    4 match protocol icmp any
    5 match protocol http any
    6 match protocol https any


Modular Policy CLI: Class-Maps

A class-map can associate an existing class-map of the same type using the match class statement
Supported only for L7 class-maps; limited to two levels of association
Used to achieve complex logical expressions; easy combination of "and" and "or" statements

  class-map match-all WEB-CM
    2 match virtual-address 172.16.73.10 tcp eq www
  !
  class-map type http loadbalance match-any IMAGE-CM
    2 match http url .*gif
    3 match http url .*jpg
    4 match http url .*jpeg


Modular Policy CLI: Policy-Maps

The policy-map command is used to define the actions to be performed on the traffic. Policy-maps can be based on L3/4/7 information. Traffic that does not match any specified classification in the policy-map is then matched against the class-default policy.

first-match: the class-action pairs within the policy-map are looked up sequentially and the actions listed against the first matching class-map in the policy-map are executed. The order of class-maps within the policy-map matters. E.g. policy-maps of type 'loadbalance', 'management' and 'ftp'.
all-match: an attempt is made to match traffic against all classes in the policy-map and the actions of all matching classes are executed. E.g. policy-map of type inspect http.
multi-match: specifies that the policy-map supports multiple feature actions, and each feature by itself can have only one match (first match). The policy as a whole has multiple matches because of the multiple features.

  policy-map type management first-match REMOTE-MGMT
    class REMOTE-ACCESS
      permit


Modular Policy CLI: Policy-Maps


  policy-map type loadbalance first-match APPLICATION-PM
    class IMAGE-CM
      serverfarm IMAGE-SF
    class class-default
      sticky-serverfarm WEB-SF
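An added Python model (not ACE code) of the classification the class-map and policy-map slides describe: match-any / match-all class-maps with URL and header matches, nested `match class-map` limited to two levels, and a first-match policy-map with class-default. IMAGE-CM, IMAGE-SF and WEB-SF are the slides' names; MOBILE-IMAGE-CM, MOBILE-IMAGE-SF and the User-Agent value are constructed, and applying each URL regex to the whole URL is an assumption about ACE's matching.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class ClassMap:
    name: str
    mode: str = "match-any"                                       # "match-any" or "match-all"
    url_regexes: List[str] = field(default_factory=list)          # match http url <regex>
    header_regexes: Dict[str, str] = field(default_factory=dict)  # match http header <name> header-value <regex>
    nested: List["ClassMap"] = field(default_factory=list)        # match class-map <name>

    def matches(self, req: Request, level: int = 1) -> bool:
        # The slides limit `match class-map` association to two levels.
        if level > 2:
            raise ValueError(f"{self.name}: class-map nesting deeper than two levels")
        results = [re.fullmatch(rx, req.url) is not None for rx in self.url_regexes]
        results += [re.search(rx, req.headers.get(name, "")) is not None
                    for name, rx in self.header_regexes.items()]
        results += [cm.matches(req, level + 1) for cm in self.nested]
        return any(results) if self.mode == "match-any" else all(results)


@dataclass
class PolicyMap:
    """first-match: the first class whose class-map matches wins; a None
    class-map stands for class-default and catches everything else."""
    name: str
    rules: List[Tuple[Optional[ClassMap], str]]

    def evaluate(self, req: Request) -> Optional[str]:
        for cm, action in self.rules:
            if cm is None or cm.matches(req):
                return action
        return None


IMAGE_CM = ClassMap("IMAGE-CM", "match-any", url_regexes=[r".*gif", r".*jpg", r".*jpeg"])
# Constructed: images requested by a Windows CE browser, built by nesting IMAGE-CM.
MOBILE_IMAGE_CM = ClassMap("MOBILE-IMAGE-CM", "match-all",
                           header_regexes={"User-Agent": r"WindowsCE"}, nested=[IMAGE_CM])
APPLICATION_PM = PolicyMap("APPLICATION-PM", [
    (MOBILE_IMAGE_CM, "serverfarm MOBILE-IMAGE-SF"),  # must precede IMAGE-CM: first match wins
    (IMAGE_CM, "serverfarm IMAGE-SF"),
    (None, "sticky-serverfarm WEB-SF"),               # class class-default
])


def route(url: str, user_agent: str = "") -> Optional[str]:
    """Action APPLICATION-PM selects for one request (constructed User-Agent optional)."""
    headers = {"User-Agent": user_agent} if user_agent else {}
    return APPLICATION_PM.evaluate(Request(url, headers))
```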


Modular Policy CLI: Activating Policy

Policies are activated on an interface or globally using the 'service-policy' command
The policy-map can be enabled in the 'input' or 'output' direction, or both
Policy-maps applied globally in a context are internally applied on all interfaces existing in the context

  service-policy input <policy-name>


Basic Layer 4 Load Balancing

Health checking: generic TCP or scripted keepalive
Balancing requests: round robin or least connections
Persistence: required, based on source IP with or without a sticky mask
Service failure handling: fail action to purge or default


Basic Layer 4 Load Balancing: Management and Device Access

  rserver host SERVER1
    ip address 192.168.1.1
    inservice
  rserver host SERVER2
    ip address 192.168.1.2
    inservice
  !
  access-list EVERYONE line 10 extended permit ip any any
  !
  class-map type management match-any REMOTE-ACCESS
    description REMOTE-ACCESS-traffic-match
    2 match protocol ssh any
    3 match protocol icmp any
    4 match protocol https any
    5 match protocol snmp any
  !
  policy-map type management first-match REMOTE-MGMT
    class REMOTE-ACCESS
      permit
  !
  interface vlan 2
    ip address 172.16.1.1 255.255.255.0
    access-group input EVERYONE
    service-policy input REMOTE-MGMT
    no shutdown

Callouts on the slide: "Define management traffic" (the management class-map and policy-map) and "You need an ACL" (the access-group applied to the interface).


Basic Layer 4 Load Balancing

  serverfarm TELNET-SF
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice
  !
  class-map match-all TELNET-CM
    2 match virtual-address 172.16.1.73 tcp eq 23
  !
  policy-map type loadbalance first-match TELNET-PM
    class class-default
      serverfarm TELNET-SF
  !
  policy-map multi-match LOADBALANCE
    class TELNET-CM
      loadbalance vip inservice
      loadbalance policy TELNET-PM
  !
  interface vlan 2
    ip address 172.16.1.1 255.255.255.0
    access-group input EVERYONE
    service-policy input REMOTE-MGMT
    service-policy input LOADBALANCE
    no shutdown


Probe Configuration Options

  probe icmp PING-PROBE
    interval 5
    passdetect interval 5
    passdetect count 3
  probe tcp TCP-PROBE
    interval 10
    passdetect interval 10
    passdetect count 3
  probe telnet TELNET-PROBE
    interval 20
    passdetect interval 10
    passdetect count 3
  !
  serverfarm TELNET-SF
    probe PING-PROBE
    probe TCP-PROBE
    probe TELNET-PROBE
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice
  !

Common show commands:
  show serverfarm TELNET-SF
  show probe
  show probe TELNET-PROBE detail
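As an added illustration (not from the slides) of the probe settings above and of the health-monitoring point that a server can keep completing TCP handshakes while its application is dead, this Python model drives a generic TCP probe and an application-data probe through an ACE-style interval / passdetect interval / passdetect count / fail count state machine. The simulated server, its outage schedule and the two probe functions are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class SimServer:
    """Constructed stand-in for a real server: the TCP stack and the
    application can fail independently."""
    tcp_up: bool = True
    app_up: bool = True


def tcp_probe(server: SimServer) -> bool:
    # Generic TCP probe: connect, then FIN. Only proves the TCP stack answers.
    return server.tcp_up


def app_data_probe(server: SimServer) -> bool:
    # Application-data probe (HTTP GET or scripted keepalive): the request must
    # come back with the expected content, so a hung application fails it even
    # though the handshake still succeeds.
    return server.tcp_up and server.app_up


@dataclass
class Probe:
    check: Callable[[SimServer], bool]
    interval: int = 10             # seconds between probes while PASSED
    passdetect_interval: int = 10  # seconds between probes while PROBE-FAILED
    passdetect_count: int = 3      # consecutive passes needed to recover
    fail_count: int = 3            # consecutive failures needed to fail
    state: str = "PASSED"
    streak: int = 0                # current run of results in the "other" direction
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def next_delay(self) -> int:
        return self.interval if self.state == "PASSED" else self.passdetect_interval

    def observe(self, t: int, passed: bool) -> str:
        if self.state == "PASSED":
            self.streak = 0 if passed else self.streak + 1
            if self.streak >= self.fail_count:
                self.state, self.streak = "PROBE-FAILED", 0
                self.transitions.append((t, self.state))
        else:
            self.streak = self.streak + 1 if passed else 0
            if self.streak >= self.passdetect_count:
                self.state, self.streak = "PASSED", 0
                self.transitions.append((t, self.state))
        return self.state


def run_probe(probe: Probe, server: SimServer,
              events: List[Tuple[int, str, bool]], until: int) -> List[Tuple[int, str]]:
    """Fire the probe on its schedule up to `until` seconds, applying the constructed
    (time, attribute, value) server events as time passes; returns the state
    transitions with the time each was detected."""
    pending = sorted(events)
    t = 0
    while t <= until:
        while pending and pending[0][0] <= t:
            _, attr, value = pending.pop(0)
            setattr(server, attr, value)
        probe.observe(t, probe.check(server))
        t += probe.next_delay()
    return probe.transitions


def demo() -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]]]:
    # Constructed outage: the application hangs at t=15 s and recovers at t=55 s;
    # the TCP stack stays up throughout.
    events = [(15, "app_up", False), (55, "app_up", True)]
    tcp_result = run_probe(Probe(tcp_probe), SimServer(), events, until=100)
    app_result = run_probe(Probe(app_data_probe), SimServer(), events, until=100)
    return tcp_result, app_result


if __name__ == "__main__":
    tcp_result, app_result = demo()
    print("TCP probe transitions:", tcp_result)       # []  (never notices the outage)
    print("App-data probe transitions:", app_result)  # [(40, 'PROBE-FAILED'), (80, 'PASSED')]
```

The application-data probe needs three failed probes at the 10 s interval to mark the server down (t=40) and three passes at the passdetect interval to bring it back (t=80); the TCP probe never changes state.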


ANM Probe Configuration


Probe Configuration Options

  ACE-1/routed(config-sfarm-host-rs)# do show serverfarm TELNET-SF
   serverfarm     : TELNET-SF, type: HOST
   total rservers : 3
                                                  ----------connections-----------
         real                  weight state        current    total      failures
      ---+---------------------+------+------------+----------+----------+---------
      rserver: TEST
         192.168.1.222:0        8      ARP_FAILED   0          0          0
      rserver: SERVER1
         192.168.1.1:0          8      PROBE-FAILED 0          0          0
      rserver: SERVER2
         192.168.1.2:0          8      PASSED       0          0          0


Probe Configuration Options

  ACE-1/routed# show probe TELNET-PROBE
  probe       : TELNET-PROBE
  type        : TELNET
  state       : ACTIVE
  ----------------------------------------------
     port      : 23       address     : 0.0.0.0     addr type  : -
     interval  : 20       pass intvl  : 10          pass count : 3
     fail count: 3        recv timeout: 10
                  --------------------- probe results --------------------
     probe association   probed-address  probes     failed     passed     health
     ------------------- ---------------+----------+----------+----------+-------
     serverfarm  : TELNET-SF
       real      : SERVER1[0]
                         192.168.1.1     6          0          6          PASSED
       real      : SERVER2[0]
                         192.168.1.2     5          0          5          PASSED


Basic Layer 4 Load Balancing

  probe tcp TCP-PROBE
    port 23
    interval 5
    passdetect interval 3
  !
  serverfarm TELNET-SF
    probe TCP-PROBE
    rserver SERVER1
      inservice
    rserver SERVER2
      inservice
  !
  class-map match-all TELNET-CM
    2 match virtual-address 172.16.1.73 tcp eq 23
  !
  policy-map type loadbalance first-match TELNET-PM
    class class-default
      serverfarm TELNET-SF
  !
  policy-map multi-match LOADBALANCE
    class TELNET-CM
      loadbalance vip inservice
      loadbalance policy TELNET-PM
  !
  interface vlan 2
    ip address 172.16.1.1 255.255.255.0
    access-group input EVERYONE
    service-policy input REMOTE-MGMT
    service-policy input LOADBALANCE
    no shutdown


Predictors Configuration Options

  ACE-1/routed(config-sfarm-host)# predictor ?
    hash             Configure 'hash' Predictor algorithms
    least-bandwidth  Configure 'least bandwidth' Predictor algorithm
    least-loaded     Configure 'least loaded' predictor algorithm
    leastconns       Configure 'least conns' Predictor algorithm
    response         Configure 'response' Predictor algorithm
    roundrobin       Configure 'round robin' Predictor algor (default)

Configuration options:
  predictor roundrobin
  predictor leastconns slowstart 200
  predictor response syn-to-synack samples 8
  predictor response syn-to-close
  predictor least-bandwidth assess-time 2

  ACE-1/routed(config-sfarm-host-predictor)# do show serverfarm detail
   serverfarm     : TELNET-SF, type: HOST
   total rservers : 3
   active rservers: 2
   description    : -
   state          : ACTIVE
   predictor      : RESPONSE
   method         : syn-to-synack
   samples        : 8

ANM Predictor Configuration

(Screenshot of the Application Network Manager predictor configuration form; not reproduced.)

Basic Layer 4 Load Balancing: Predictors

    serverfarm TELNET-SF
      predictor response syn-to-synack samples 8
      probe TCP-PROBE
      rserver SERVER1
        inservice
      rserver SERVER2
        inservice
    !
    class-map match-all TELNET-CM
      2 match virtual-address 172.16.1.73 tcp eq 23
    !
    policy-map type loadbalance first-match TELNET-PM
      class class-default
        sticky-serverfarm STICKY
    !
    policy-map multi-match L4
      class TELNET-CM
        loadbalance vip inservice
        loadbalance policy TELNET-PM
    !

(The deck's TELNET-PM references a sticky group STICKY that is not defined on this slide; the sticky group definition follows on the next slides.)

Persistence Configuration Options

    sticky ip-netmask 255.255.255.0 address source T-STICKY
      serverfarm TELNET-SF
    !
    policy-map type loadbalance first-match TELNET-PM
      class class-default
        sticky-serverfarm T-STICKY

ANM Persistence Configuration

(Screenshot of the ANM sticky-group configuration form; not reproduced.)

Basic Layer 4 Load Balancing: Sticky

    serverfarm TELNET-SF
      rserver SERVER1
        inservice
      rserver SERVER2
        inservice
      probe TCP
    !
    sticky ip-netmask 255.255.240.0 address source T-STICKY
      serverfarm TELNET-SF
    !
    class-map match-all TELNET-CM
      2 match virtual-address 172.16.1.73 tcp eq 23
    !
    policy-map type loadbalance first-match TELNET-PM
      class class-default
        sticky-serverfarm T-STICKY
    !
    policy-map multi-match L4
      class TELNET-CM
        loadbalance vip inservice
        loadbalance policy TELNET-PM
    !

The sticky mask decides how coarse persistence is: with 255.255.240.0 every client in the same /20 (4096 addresses) is pinned to the same rserver, so a large NAT or proxy population behind one block lands on a single server. Use the widest mask the application needs, not the widest that is convenient.
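The following is an added example, not code from the deck or from the ACE: a small Python model of two of the predictors listed above (roundrobin, and leastconns with a simplified slowstart) together with a source-IP sticky table keyed on a netmask, so the effect of "sticky ip-netmask 255.255.240.0 address source" can be seen on constructed client addresses. The rserver names, the slowstart arithmetic and the tick-based clock are assumptions made for the example.

```python
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass
class RServer:
    name: str
    inservice: bool = True
    conns: int = 0      # open connections, what leastconns compares
    age: int = 0        # ticks since the real (re)entered service


class ServerFarm:
    def __init__(self, name, rservers, predictor="roundrobin", slowstart=0):
        self.name = name
        self.rservers = rservers
        self.predictor = predictor      # "roundrobin" or "leastconns"
        self.slowstart = slowstart      # leastconns ramp-up, in ticks (assumed unit)
        self._rr = itertools.cycle(rservers)

    def select(self):
        """Pick an rserver the way the configured predictor would."""
        active = [r for r in self.rservers if r.inservice]
        if not active:
            raise RuntimeError(f"{self.name}: no active rservers")
        if self.predictor == "roundrobin":
            while True:                 # skip reals that are out of service
                r = next(self._rr)
                if r.inservice:
                    return r
        if self.predictor == "leastconns":
            # Slow start, simplified: a real that (re)entered service less than
            # `slowstart` ticks ago is charged a phantom load that decays to
            # zero, so it is not handed the whole backlog the moment it is up.
            def load(r):
                return r.conns + max(0, self.slowstart - r.age)
            return min(active, key=load)
        raise ValueError(f"unknown predictor {self.predictor}")

    def tick(self, n=1):
        for r in self.rservers:
            r.age += n


class StickyIpNetmask:
    """`sticky ip-netmask <mask> address source`: the table is keyed on the
    client address after masking, so every client in the block shares the
    rserver the first client of that block was sent to."""

    def __init__(self, mask, farm):
        self.mask = int(ipaddress.IPv4Address(mask))
        self.farm = farm
        self.table = {}      # masked source -> rserver name

    def key(self, src):
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(src)) & self.mask))

    def pick(self, src):
        k = self.key(src)
        by_name = {r.name: r for r in self.farm.rservers}
        r = by_name.get(self.table.get(k))
        if r is None or not r.inservice:    # miss, or the stuck real went down
            r = self.farm.select()          # fall back to the predictor
            self.table[k] = r.name
        r.conns += 1
        return r
```

With the /20 mask, 10.1.2.3 and 10.1.5.9 hash to the same key (10.1.0.0) and land on the same rserver, while 10.1.16.1 starts a new entry; when the stuck real is taken out of service the entry is re-resolved through the predictor rather than left pointing at a dead server.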

Basic Web Load Balancing

    Health checking            Generic TCP or scripted keepalive
    Balancing requests         Round robin or least connections
    Persistence                Required; based on source IP, with or without a sticky mask
    Service failure handling   Fail action to purge or default

Probe Configuration Options

    probe http HTTP-PROBE
      interval 5
      passdetect interval 3
      request method get url /index.html
      expect status 200 200
    !
    probe https HTTPs-PROBE
      interval 5
      faildetect 2
      passdetect interval 3
      request method get url /secure/index.html
      expect status 200 202
      ssl cipher RSA_WITH_RC4_128_MD5

Basic Web Load Balancing: Probes

    probe http HTTP-PROBE
      interval 5
      passdetect interval 3
      request method get url /index.html
      expect status 200 499
    !
    probe https HTTPS-PROBE
      interval 5
      faildetect 2
      passdetect interval 3
      request method get url /secure/index.ht
      expect status 200 200
      ssl cipher RSA_WITH_RC4_128_MD5
    !
    serverfarm HTTPS-SF
      probe HTTPS-PROBE
      rserver SERVER1
        inservice
      rserver SERVER2
        inservice
    !
    serverfarm HTTP-SF
      probe HTTP-PROBE
      predictor leastconns slowstart 100
      rserver SERVER1
        inservice
      rserver SERVER2
        inservice

What should I look for? "expect status 200 499" on HTTP-PROBE treats any 2xx, 3xx or 4xx answer as healthy, so a server returning 403 or 404 for /index.html keeps taking traffic; a probe should expect only the codes a working page returns, as HTTPS-PROBE does with "200 200".

You can check specific ciphers: the "ssl cipher" line makes the HTTPS probe offer exactly that suite, so the probe fails if the server stops accepting it. RSA_WITH_RC4_128_MD5 is what the 2008 deck used; RC4 and MD5-based suites are obsolete and should not be the suite a probe (or a client) depends on today.
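The following is an added example, not code from the deck or from the ACE: a health-probe state machine in Python with the semantics the probe slides describe, namely "interval" between probes while a real is healthy, "passdetect interval" once it has failed, "faildetect" consecutive failures to mark it FAILED and "passdetect count" consecutive successes to bring it back, plus the "expect status <min> <max>" check applied to constructed HTTP status codes. The initial PASSED state, the field names and the sample status sequences are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class HttpProbe:
    name: str
    interval: int = 5             # seconds between probes while PASSED
    passdetect_interval: int = 3  # seconds between probes while FAILED
    faildetect: int = 3           # consecutive failures -> FAILED
    passdetect_count: int = 3     # consecutive passes -> PASSED
    expect_min: int = 200         # expect status <min> <max>
    expect_max: int = 200

    def status_ok(self, status):
        """A probe passes only if the server answered at all (None = timeout)
        and the status code lies inside the configured expect range."""
        return status is not None and self.expect_min <= status <= self.expect_max


class ProbedServer:
    def __init__(self, name, probe):
        self.name = name
        self.probe = probe
        self.health = "PASSED"     # assumed starting state for the example
        self.failed_run = 0        # consecutive failures so far
        self.passed_run = 0        # consecutive passes so far
        self.failed = 0            # lifetime counters, as in `show probe`
        self.passed = 0
        self.next_probe_at = 0     # seconds, constructed clock

    def observe(self, status):
        """Feed one probe result; returns the health after applying the
        faildetect / passdetect thresholds."""
        if self.probe.status_ok(status):
            self.passed += 1
            self.passed_run += 1
            self.failed_run = 0
            if self.health == "FAILED" and self.passed_run >= self.probe.passdetect_count:
                self.health = "PASSED"
        else:
            self.failed += 1
            self.failed_run += 1
            self.passed_run = 0
            if self.health == "PASSED" and self.failed_run >= self.probe.faildetect:
                self.health = "FAILED"
        # A failed real is re-probed at the shorter passdetect interval.
        self.next_probe_at += (self.probe.interval if self.health == "PASSED"
                               else self.probe.passdetect_interval)
        return self.health


def run_probe(probe, responses):
    """Replay a constructed sequence of status codes (None = no answer) and
    return (probe_time, status, health) for each probe."""
    srv = ProbedServer("SERVER1", probe)
    timeline = []
    for status in responses:
        at = srv.next_probe_at
        timeline.append((at, status, srv.observe(status)))
    return timeline
```

Replaying 200, 404, 404, 200, 200, 200 against a probe with faildetect 2 and passdetect count 3 shows the real going FAILED on the second 404 and returning only after three clean answers, with the probe period dropping from 5 s to 3 s while it is down; the same sequence against "expect status 200 499" never fails at all, which is the point of the "what should I look for" note above.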

Basic Web Load Balancing

    class-map match-all HTTP-CM
      2 match virtual-address 172.16.1.73 tcp eq 80
    !
    class-map match-all HTTPS-CM
      2 match virtual-address 172.16.1.73 tcp eq 443
    !
    policy-map type loadbalance first-match WEB-PM
      class class-default
        serverfarm HTTP-SF
    !
    policy-map type loadbalance first-match SSL-PM
      class class-default
        serverfarm HTTPS-SF
    !
    policy-map multi-match L4
      class HTTP-CM
        loadbalance vip inservice
        loadbalance policy WEB-PM
      class HTTPS-CM
        loadbalance vip inservice
        loadbalance policy SSL-PM
        loadbalance vip icmp-reply active
    !

loadbalance vip icmp-reply [active]: configure the VIP to answer ICMP echo. The "active" option instructs the ACE to reply only while the configured VIP is active, i.e. has at least one usable rserver; without it the VIP answers pings even when every real is down, which misleads external monitoring.

Persistence Configuration Options

    sticky http-cookie ILIKECOOKIES STICKY
      cookie insert
      timeout 720
      serverfarm HTTP-SF backup SORRY-SF
    !
    sticky ip-netmask 255.255.240.0 address source STICKY1
      serverfarm HTTPS-SF backup SORRY-SF
    !

"cookie insert" makes the ACE set the ILIKECOOKIES cookie itself (the server does not have to), and the sticky "timeout" is in minutes, so 720 keeps an idle entry for 12 hours. The "backup SORRY-SF" farm takes the traffic when every rserver in the primary farm is down.

Basic Web Load Balancing: Sticky Options

    sticky http-cookie ILIKECOOKIES STICKY
      cookie insert
      timeout 720
      serverfarm HTTP-SF
    !
    sticky ip-netmask 255.255.240.0 address source STICKY1
      serverfarm HTTPS-SF
    !
    policy-map type loadbalance first-match WEB-PM
      class class-default
        sticky-serverfarm STICKY
    !
    policy-map type loadbalance first-match SSL-PM
      class class-default
        sticky-serverfarm STICKY1
    !
    policy-map multi-match L4
      class HTTP-CM
        loadbalance vip inservice
        loadbalance policy WEB-PM
      class HTTPs
        loadbalance vip inservice
        loadbalance policy SSL-PM

Cookie stickiness only works where the ACE can read the cookie, which is why the cleartext HTTP VIP uses the cookie group and the HTTPS VIP (not terminated on the ACE in this example) falls back to source-IP stickiness.

Web Load Balancing: BIG HEADER ISSUE... Where's the Cookie?

    parameter-map type http INSENSITIVE
      case-insensitive
      persistence-rebalance
      set header-maxparse-len 8192
    ....
    policy-map multi-match LOADBALANCE
      class HTTP-CM
        loadbalance vip inservice
        loadbalance policy WEB-PM
        appl-parameter http advanced-options INSENSITIVE

The ACE parses only a bounded number of header bytes per request; if a large request (many cookies, a long User-Agent or Referer) pushes the sticky cookie past that limit, the cookie is never seen and stickiness silently fails. "set header-maxparse-len 8192" raises the limit. "case-insensitive" makes header and cookie name matching ignore case, and "persistence-rebalance" re-evaluates the L7 policy for every request on a keep-alive connection instead of only the first.

URL Parsing

    parameter-map type http INSENSITIVE
      case-insensitive
      persistence-rebalance
      set header-maxparse-len 8192
    !
    class-map type http loadbala match-any URL-MATCHING
      2 match http url .*
    !
    class-map type http loadbala match-any URL-IMAGE
      2 match http url /image/.*
    !
    class-map match-all HTTP-CM
      2 match virtual-address 172.16.1.73 tcp eq 80
    !
    serverfarm IMAGE-SF
      probe IMAGE-PROBE
      rserver IMAGE1
        inservice
      rserver IMAGE2
        inservice
    !
    serverfarm WEB-SF
      probe WEB-PROBE
      rserver SERVER1
        inservice
      rserver SERVER2
        inservice
    !
    sticky http-cookie IMAGE-COOKIES IMAGECOOKIE
      cookie insert browser-expire
      serverfarm IMAGE-SF backup WEB-SF
    !
    sticky http-cookie WEB-COOKIES WEBCOOKIE
      cookie insert browser-expire
      serverfarm WEB-SF
    !
    policy-map type loadbala first-match HTTP-PM
      class URL-IMAGE
        sticky-serverfarm IMAGE-COOKIE
      class URL-MATCHING
        sticky-serverfarm WEB-COOKIE
    !
    policy-map multi-match L4
      class HTTP-CM
        loadbalance vip inservice
        loadbalance policy HTTP-PM
        appl-para http advanced-opti INSENSITIVE

Order matters in a first-match policy: the specific /image/.* class must precede the catch-all .* class, or every request goes to WEB-SF. The URL split is a routing decision, not an access control; both farms still have to enforce their own authorization. "browser-expire" inserts the cookie without an Expires attribute, so the browser discards it when it closes. (Two slide artefacts: keywords such as "loadbala" and "advanced-opti" are the abbreviated forms the slide shows, which the ACE CLI accepts when unambiguous; and the sticky groups are defined as IMAGECOOKIE and WEBCOOKIE but referenced as IMAGE-COOKIE and WEB-COOKIE, which would have to match on a real ACE.)

Server-Server Communication Should Use the Same VIP as Clients

(Diagram, not reproduced: servers .16 and .183 on 172.16.1.0, router 12.20.234.1, VIP 172.16.1.100 and source-NAT address 172.16.1.101.) A server that calls the application should go through the VIP exactly like an external client, so that it gets the same health checking and persistence; the source-NAT address is what makes this work when the caller sits on the same interface as the reals, as the next two slides show.

Clients-to-VIP Load Balanced Flows: No SRC-NAT

    switch/orange# sh conn
    total current connections : 4
    conn-id  np dir proto VLAN source                 destination           state
    --------+--+---+-----+----+---------------------+---------------------+------+
    96       1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
    97       1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB

    Client to VIP (conn 96); server to client (conn 97)

    interface VLAN 107
      description "Client-side Interface"
      bridge-group 1
      access-group input anyone
      service-policy input CLIENT
    !
    interface VLAN 207
      description "Server-side Interface"
      bridge-group 1
      access-group input anyone
    !
    class-map match-all BASIC-CM
      2 match virtual-address 172.16.1.100 any
    !
    policy-map type multi-match CLIENT
      class TCP-CM
        loadbalance vip inservice
        loadbalance policy BASIC-SLB-PM

(Diagram, not reproduced: client side 12.20.234.1, servers .16 and .183 on 172.16.1.0, VIP 172.16.1.100.)

The ACE is bridging here, VLAN 107 and 207 in one bridge group. With no source NAT the real sees the true client address 10.10.10.10, and the return traffic crosses the ACE because the client is on the other side of the bridge. (The deck's policy references class TCP-CM while the class-map shown is BASIC-CM.)

Server-to-Server Load Balanced Flows: Same ACE Interface

    switch/orange# sh conn
    total current connections : 4
    conn-id  np dir proto VLAN source                 destination           state
    --------+--+---+-----+----+---------------------+---------------------+------+
    96       1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
    97       1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB

    Client to VIP (conn 96); server to source-NAT IP (conn 97)

    interface VLAN 107
      description "Client-side Interface"
      bridge-group 1
      access-group input anyone
      service-policy input CLIENT
    !
    interface VLAN 207
      description "Server-side Interface"
      bridge-group 1
      access-group input anyone
      nat-pool 123 12.20.234.101 12.20.234.101 netmask 255.255.255.255 pat
      service-policy input SERVER
    !
    class-map match-all BASIC-CM
      2 match virtual-addr 12.20.234.100 any
    !
    policy-map type multi-match CLIENT
      class TCP-CM
        loadbalance vip inservice
        loadbalance policy BASIC-SLB-PM
    !
    policy-map type multi-match SERVER
      class BASIC-CM
        loadbalance vip inservice
        loadbalance policy BASIC-SLB-PM
        nat dynamic 123 VLAN 207

(Diagram, not reproduced: servers .16 and .183 on 172.16.1.0, router 12.20.234.1, VIP 172.16.1.100, source-NAT address 172.16.1.101.)

When the caller and the chosen real are on the same server-side VLAN, the real would answer the caller directly, bypassing the ACE and breaking the connection. Applying the SERVER policy to VLAN 207 with "nat dynamic 123" rewrites the caller's source to an address from the pool (PAT, so one address serves many flows), which forces the reply back through the ACE. The real then sees the NAT address rather than the calling server, which is why the client address has to be carried in an HTTP header when the application needs it (see the Header Insert slide).

Security Features

Security Features: Isn't the Firewall Enough?

Enterprises are making more and more application services available via the web. Deploying a web application means inviting potentially malicious HTTP requests, so the web application code becomes part of the network security perimeter. Who is responsible for patching customer web applications?

(Diagram, not reproduced: web client -> firewall with ports 80 and 443 open -> web server -> application server -> application database; the web traffic passes the firewall unfiltered.)

Existing network firewalls alone cannot adequately inspect protocols and application data: a port-based firewall must leave 80 and 443 open, and everything that rides on those ports reaches the application untouched.

Security Features in ACE

Built-in transport protocol security:
  - TCP/IP normalization, user configurable to meet security requirements

Application protocol inspection:
  - Advanced HTTP inspection: RFC compliance
  - MIME type validation
  - Prevent tunneling protocols over HTTP ports

Security Features: IP/UDP/ICMP Exploits Blocked by ACE

IP checks performed by ACE:
  - Automatic anti-spoofing (source IP = dest IP); unicast RPF check
  - src IP == dest IP; src IP or dest IP == 127.x.x.x
  - dest IP >= 240.0.0.0; src IP == 0.x.x.x; src IP >= 224.0.0.0
  - Header length check (min and max lengths; the L3 length must fit inside the L2 frame)
  - IP options control
  - Drop illicit IP addresses (source IP = class D, broadcast or loopback)
  - Overlapping fragments dropped; control over the maximum number of fragments
  - ARP inspection in transparent mode

ICMP checks performed by default:
  - Requests and responses matching
  - Prevents injection of unsolicited ICMP errors
  - Countermeasures specified in draft-gont-tcpm-icmp-attacks.txt (later published as RFC 5927)

Blocked attacks: timestamp / route record / source routing / fragment DoS attacks, IP spoofing, Ping of Death, ICMP flood, Smurf, ARP attacks.

Security Features: Hardware-Based TCP Normalization

TCP standard header checks, TCP option processing, TCP state tracking, TCP window checking, random sequence numbers (user configurable).

Always performed:
  I.   src port and dest port != 0
  II.  Only a SYN packet is allowed to create a connection
  III. TCP header >= 20 bytes
  IV.  TCP header <= ip->length - ip->header_length
  V.   URG flag cleared if urg_pointer is zero
  VI.  If the URG flag is not present, urg_pointer is cleared
  VII. Illegal flag combinations dropped (SYN|RST etc.)

Configurable:
  I.   reserved bits: allow/clear/drop
  II.  urg flag: allow/clear/drop
  III. syn-data: allow/drop
  IV.  exceed-mss: allow/drop
  V.   random-seq-num-disable

Security Features: TCP Exploits Blocked by ACE

TCP checks performed by default:
  - Enforces correct usage of TCP flags (can be disabled; flags can be cleared)
  - Randomization of sequence numbers: cloaks the server OS type, makes fingerprinting reconnaissance unreliable and defeats blind (off-path) session hijacking, where the attacker has to guess the sequence number; an on-path attacker who can see the segments is not stopped by it
  - Enforces correct header length
  - Prevents out-of-state packets
  - Prevents packets that do not belong to existing connections
  - Possibility to define a maximum number of connections per second
  - Matches the TCP length with the IP header's length plus data
  - Blocks illicit ports (port = zero)
  - Enforces minimum and maximum MSS

Examples of blocked attacks: Teardrop, session hijacking, Jolt, Bloop, Targa, Bonk, Boink, Fraggle, Xmas scan, Null scan, etc.
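The following is an added example, not code from the deck or from the ACE: a plain-Python checker that applies the IP header rules from the "IP/UDP/ICMP Exploits Blocked" slide and the "always performed" TCP normalization rules from the two TCP slides above to raw IPv4+TCP bytes, and reports which rule each packet breaks. The ACE does this in hardware; this is only an illustration of the checks. The packets are constructed with struct (no capture), and the rule names are assumptions made for the example.

```python
import ipaddress
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def build_packet(src, dst, sport, dport, flags, ip_hlen=20, tcp_hlen=20,
                 urg_ptr=0, payload=b"", ip_total_len=None):
    """Assemble a minimal IPv4+TCP packet. Header lengths and the IP total
    length can be set wrong on purpose so the checker has something to catch."""
    if ip_total_len is None:
        ip_total_len = ip_hlen + tcp_hlen + len(payload)
    ver_ihl = (4 << 4) | (ip_hlen // 4)
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, ip_total_len, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    offset_flags = ((tcp_hlen // 4) << 12) | flags
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 65535, 0, urg_ptr)
    return ip + tcp + payload


def check_packet(pkt):
    """Return the list of normalization rules the packet breaks (empty = clean)."""
    bad = []
    ver_ihl, _, total_len = struct.unpack("!BBH", pkt[:4])
    ip_hlen = (ver_ihl & 0x0F) * 4
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])

    # IP checks (IP/UDP/ICMP slide)
    if ip_hlen < 20:
        bad.append("ip-header-too-short")
    if total_len > len(pkt):
        bad.append("ip-length-exceeds-frame")     # L3 length larger than what L2 carried
    if src == dst:
        bad.append("src-equals-dst")              # Land-style spoof
    if src.is_loopback or dst.is_loopback:
        bad.append("loopback-address")            # 127.x.x.x on the wire
    if int(src) >> 24 == 0:
        bad.append("src-in-0.0.0.0/8")
    if int(src) >= int(ipaddress.IPv4Address("224.0.0.0")):
        bad.append("src-multicast-or-reserved")   # class D/E source
    if int(dst) >= int(ipaddress.IPv4Address("240.0.0.0")):
        bad.append("dst-reserved")

    # TCP checks ("always performed" list)
    tcp = pkt[ip_hlen:]
    if len(tcp) < 20:
        bad.append("tcp-header-truncated")
        return bad
    sport, dport, _, _, off_flags, _, _, urg_ptr = struct.unpack("!HHIIHHHH", tcp[:20])
    tcp_hlen = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    if sport == 0 or dport == 0:
        bad.append("port-zero")                                   # rule I
    if tcp_hlen < 20:
        bad.append("tcp-header-lt-20")                            # rule III
    if tcp_hlen > total_len - ip_hlen:
        bad.append("tcp-header-gt-ip-payload")                    # rule IV
    if (flags & TCP_URG) and urg_ptr == 0:
        bad.append("urg-flag-with-zero-pointer")                  # rule V: ACE clears the flag
    if not (flags & TCP_URG) and urg_ptr != 0:
        bad.append("urg-pointer-without-flag")                    # rule VI: ACE clears the pointer
    if (flags & TCP_SYN) and (flags & TCP_RST):
        bad.append("syn-and-rst")                                 # rule VII
    if (flags & TCP_SYN) and (flags & TCP_FIN):
        bad.append("syn-and-fin")
    if flags == 0:
        bad.append("null-scan")                                   # no flags at all
    if flags & (TCP_FIN | TCP_PSH | TCP_URG) == (TCP_FIN | TCP_PSH | TCP_URG) and not flags & TCP_ACK:
        bad.append("xmas-scan")
    return bad
```

A clean SYN to the VIP passes with an empty list; a SYN with source equal to destination, a SYN|RST, a zero source port, a TCP data offset larger than the IP payload, or a URG pointer without the URG flag each come back with the rule they violate, which is the same decision the ACE makes before the packet is allowed to create a connection.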

Security Features: Denial-of-Service Protection, SYN Cookie

  - Completely stateless: no ACE connection entry is created for a half-open connection
  - SYN/ACK replies carry a cookie in the Sequence field of the TCP header
  - The cookie is generated from a 24-bit random number with the MSS encoded in it
  - If the ACK does not contain the correct cookie, the ACE drops the packet
  - SYN cookie is enabled per interface on the ACE

    Client                    ACE
      SYN              ------>
                       <------ SYN/ACK  (SEQ = cookie)
      ACK = cookie + 1 ------>

The ACE can guard against SYN floods by implementing a key feature called SYN cookie. SYN cookie provides a mechanism to authenticate the TCP SYN packet: only a client that actually received the SYN/ACK can return cookie + 1, so a flood of spoofed SYNs costs the ACE no connection state.
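The following is an added example, not code from the deck or from the ACE: a SYN-cookie generator and validator of the classic Bernstein/Linux shape, written to show the mechanism the slide describes, namely a SYN/ACK whose sequence number is derived from the connection 4-tuple, a secret and a coarse time slot, with the MSS encoded in it, and no state kept until an ACK carrying cookie + 1 comes back. The deck only says the ACE uses a 24-bit random number and the MSS; the exact layout, the HMAC, the MSS table, the secret and the 64-second slot here are assumptions made for the example, not the ACE's construction.

```python
import hashlib
import hmac
import time

# MSS values the cookie can encode (2 bits), smallest first; the peer's real
# MSS is rounded down to one of these, as Linux does with its own table.
MSS_TABLE = [536, 1300, 1440, 1460]
SECRET = b"hypothetical-per-box-secret"   # assumption: rotated out of band
SLOT_SECONDS = 64                         # coarse clock, one slot per 64 s


def _slot(now):
    return int((time.time() if now is None else now) // SLOT_SECONDS) & 0xFF


def _mss_index(mss):
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def _mac(src, dst, sport, dport, slot, client_isn):
    """Keyed hash over everything the ACK must echo back: the 4-tuple, the
    time slot and the client's own ISN (which the ACK carries as seq - 1)."""
    msg = f"{src}|{dst}|{sport}|{dport}|{slot}|{client_isn}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big") & 0x3FFFFF


def make_cookie(src, dst, sport, dport, client_isn, mss, now=None):
    """ISN for our SYN/ACK: 8 bits of time slot, 2 bits of MSS index and
    22 bits of MAC. Nothing is stored for the half-open connection."""
    slot = _slot(now)
    return (slot << 24) | (_mss_index(mss) << 22) | _mac(src, dst, sport, dport, slot, client_isn)


def check_cookie(src, dst, sport, dport, client_isn, ack, now=None, max_age_slots=2):
    """Validate the third packet of the handshake. Returns the MSS to use
    for the connection, or None if the cookie is forged, replayed from
    another 4-tuple or too old. No table lookup is involved."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    if (_slot(now) - slot) & 0xFF > max_age_slots:
        return None
    expected = _mac(src, dst, sport, dport, slot, client_isn)
    got = cookie & 0x3FFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    return MSS_TABLE[(cookie >> 22) & 0x3]


def handshake(src, dst, sport, dport, client_isn, mss, tamper=0, now=None):
    """Walk the exchange on the slide: SYN -> SYN/ACK (SEQ = cookie) ->
    ACK (cookie + 1). `tamper` lets a test send a wrong ACK number."""
    synack_seq = make_cookie(src, dst, sport, dport, client_isn, mss, now)
    client_ack = (synack_seq + 1 + tamper) & 0xFFFFFFFF
    return check_cookie(src, dst, sport, dport, client_isn, client_ack, now)
```

The MSS comes back out of the cookie itself, which is why it has to be encoded: the listener has no record of what the SYN offered. A flooder sending spoofed SYNs gets SYN/ACKs it never sees and can neither produce cookie + 1 nor exhaust a connection table; the cost is that TCP options other than the encoded MSS are lost for connections accepted this way, which is why SYN cookies are normally switched on per interface and under attack rather than unconditionally.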

Secure Socket Layer (SSL)

SSL: Common Questions, Protocols Over SSL

What protocols are supported? Any TCP-based protocol is supported by the SSL accelerators, including, but not limited to, the following well-known protocols:

    Port   Service   Secure Port   Secure Service
    80     HTTP      443           HTTPS
    119    NNTP      563           SNEWS
    389    LDAP      636           SSL-LDAP
    143    IMAP      993           SIMAP
    110    POP       995           SPOP
    23     TELNET    992           TELNETS

SSL Certificate Management

    ACE/routed# show crypto files
    Filename      File Size  File Type  Exportable  Key/Cert
    -----------------------------------------------------------------------
    TestKey       1675       PEM        Yes         KEY
    TestCert      1135       PEM        Yes         CERT

    ACE/routed# crypto import ?
      ftp             Import a key/certificate from an ftp server
      non-exportable  Mark this key/certificate as non-exportable
      sftp            Import a key/certificate from an sftp server
      terminal        Accept a key/certificate from terminal
      tftp            Import a key/certificate from a tftp server

    ACE/routed# crypto import terminal certnew.pem        (server certificate)
    Please enter PEM formatted data. End with "quit" on a new line.
    -----BEGIN CERTIFICATE-----
    MIIFYDCCBEigAwIBAgIKJ51kxAAAAAAAETANBgkqhkiG9w0BAQUFADBAMRUwEwYK
    ...
    v24KvEoWIIuevUQSsljlP1xOmZq2gW3isYf+5PFu1jltYedt
    -----END CERTIFICATE-----
    quit

Common commands:

    crypto import terminal <file name>
    crypto export <file name>
    crypto verify <key name> <cert name>
    show crypto files
    show crypto key all
    show crypto key <key name>
    show crypto certificate all
    show crypto certificate <cert name>

Two points for the private key: import it with the "non-exportable" flag so that "crypto export" cannot later pull it back off the box (TestKey above is marked Exportable: Yes), and move it with sftp or the terminal rather than ftp or tftp, which carry the PEM in cleartext. "crypto verify" confirms that a key and certificate actually belong together before they are referenced from an ssl-proxy service.

Configuration

In order to configure SSL, you add the following to an L3/L4 class map's policy:
  - parameter-map type ssl
  - ssl-proxy service
  - policy-map

The parameter-map defines the parameters for SSL connections (e.g. SSL version, cipher suites).
The ssl-proxy service defines the certificate and key to be used in SSL connections.

SSL Server Offload: Packet Flow with ACE

    serverfarm WEB-PROTOCOLS
      rserver SERVER1 80
        inservice
      rserver SERVER2 80
        inservice
      probe HTTP-GET
    !
    class-map match-all HTTPs
      2 match virtual-address 172.16.1.73 tcp eq 443
    !
    policy-map type loadbalance first-match SSL-PM
      class class-default
        serverfarm WEB-PROTOCOLS
    !
    policy-map multi-match L4
      class HTTPs
        loadbalance vip inservice
        loadbalance policy SSL-PM
        loadbalance vip icmp-reply
        ssl-proxy server SSL-PROXY

Packet flow (client to ACE is the L3 flow on tcp 443; ACE to Server 1 is a separate TCP flow on port 80):

    Client                         ACE                         Server 1
    SYN (tcp 443)     ------>
                      <------      SYN/ACK
    ACK               ------>
    SSL handshake     <----->
    HTTPS GET index.html
    Accept-Encoding: gzip, deflate
                      ------>      SYN / SYN-ACK / ACK   <----->
                                   HTTP GET index.html   ------>
                                   <------  HTTP 200 OK, index.html
                      <------      HTTPS response

The SSL session terminates on the ACE; the rservers receive cleartext HTTP on port 80, so the ACE-to-server VLAN has to be one you trust, since anything on it sees the decrypted traffic.

Basic SSL Offload and Load Balancing: SSL Offload

    rserver host SERVER1
      ip address 192.168.1.1
      inservice
    rserver host SERVER2
      ip address 192.168.1.2
      inservice
    !
    probe http HTTP-GET
      interval 5
      port 81
      passdetect interval 3
      request method get url /secure/index.html
      expect status 200 200
    !
    parameter-map type ssl CLIENT_PARAM
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_AES_128_CBC_SHA
      cipher RSA_WITH_AES_256_CBC_SHA
    !
    ssl-proxy service CLIENT-SSL
      key mykey.pem
      cert mycert.pem
      ssl advanced-options CLIENT_PARAM
    !
    class-map match-all HTTPs
      2 match virtual-address 172.16.1.73 tcp eq 443
    !
    serverfarm WEB-PROTOCOLS
      probe HTTPs-GET
      rserver SERVER1 81
        inservice
      rserver SERVER2 81
        inservice
    !
    sticky http-cookie ILIKECOOKIES STICKYCOOKIE
      cookie insert
      serverfarm WEB-PROTOCOLS
    !
    policy-map type loadbalance first-match SSL
      class class-default
        sticky-serverfarm STICKYCOOKIE
    !
    policy-map multi-match L4
      class HTTPs
        loadbalance vip inservice
        loadbalance policy SSL
        loadbalance vip icmp-reply
        ssl-proxy server CLIENT-SSL

Because the ACE decrypts the session, cookie stickiness works on an HTTPS VIP here, which it could not in the earlier non-offloaded example. The cipher list is as shown in the 2008 deck; a parameter-map written today would drop RSA_WITH_RC4_128_MD5 and prefer suites with forward secrecy and AEAD where the platform offers them. (The serverfarm references probe HTTPs-GET while the probe defined on this slide is HTTP-GET on port 81.)

Troubleshooting SSL

  - Wireshark, tcpdump
  - Telnet to the browser ports
  - MSIE plug-ins: IE Inspector, HTTP Watch, IE Watch, ieHttpHeaders
  - Mozilla extension: Live HTTP Headers
  - PHP/Perl LWP, wget, curl
  - Lynx/Links text-based browsers

Basic SSL Load Balancing: Redirecting Clients to Use SSL

    rserver redirect REDIRECT
      webhost-redirection https://%h%p 301
      inservice
    !
    serverfarm redirect REDIRECT-SF
      rserver REDIRECT
        inservice
    !
    class-map match-all HTTP
      2 match virtual-address 172.16.1.73 tcp eq 80
    !
    policy-map type loadbalance first-match REDIRECT-PM
      class class-default
        serverfarm REDIRECT-SF
    !
    policy-map multi-match LOADBALANCE
      class HTTP
        loadbalance vip inservice
        loadbalance policy REDIRECT-PM

    http://www.cisco.com/go/ace  ->  https://www.cisco.com/go/ace
                    %h = www.cisco.com   %p = /go/ace

A client that asks for http://www.cisco.com/go/ace receives a 301 whose Location is built from its own Host header (%h) and request path (%p). Two practitioner notes: the redirect does not protect the first, cleartext request (whatever the client sent on port 80 has already crossed the network), and %h is copied from a client-controlled header, so the only safe thing to do with it is echo it back to that same client.

SSL Packet Flow With ACE

    parameter-map type ssl PARAM_SSL
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_AES_128_CBC_SHA
      cipher RSA_WITH_AES_256_CBC_SHA
    !
    ssl-proxy service SSL-PROXY
      key mykey.pem
      cert mycert.pem
      ssl advanced-options PARAM_SSL
    !
    serverfarm WEB-PROTOCOLS
      rserver SERVER1 80
        inservice
      rserver SERVER2 80
        inservice
      probe HTTP-GET
    !
    class-map match-all HTTPS-CM
      2 match virtual-address 172.16.1.73 tcp eq 443
    !
    policy-map type loadbalance first-mat SSL-PM
      class class-default
        serverfarm WEB-PROTOCOLS
    !
    policy-map multi-match L4
      class HTTPS-CM
        loadbalance vip inservice
        loadbalance policy SSL-PM
        loadbalance vip icmp-reply
        ssl-proxy server SSL-PROXY

    crypto verify mykey.pem mycert.pem

The packet flow is the one shown on the SSL Server Offload slide: SSL handshake and HTTPS request between client and ACE, a separate cleartext TCP/HTTP flow between ACE and Server 1. Run "crypto verify" on the key and certificate pair before referencing them from the ssl-proxy service; a mismatched pair only shows up later as failed handshakes.

Basic SSL Load Balancing: Redirecting Clients to Use SSL

    rserver redirect REDIRECT
      webhost-redirection https://%h%p
      inservice
    !
    serverfarm redirect REDIRECT-SF
      rserver REDIRECT
        inservice
    !
    class-map match-all HTTP-CM
      2 match virtual-address 172.16.1.73 tcp eq 80
    !
    policy-map type loadbalance first-match WEB-PM
      class class-default
        serverfarm REDIRECT-SF
    !
    policy-map multi-match LOADBALANCE
      class HTTP-CM
        loadbalance vip inservice
        loadbalance policy WEB-PM
    !

    http://www.cisco.com/go/ace  ->  https://www.cisco.com/go/ace   (%h = host, %p = path)

Same redirect as before without an explicit status code, so the ACE sends its default 302. A 301 is the better choice for a permanent HTTP-to-HTTPS move, because browsers cache it and stop sending the cleartext request at all.

Basic Configuration SSL Offload Example: Putting It All Together

    rserver redirect REDIRECT
      webhost-redirection https://%h%p
      inservice
    !
    parameter-map type ssl CLIENT_SSL
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_AES_128_CBC_SHA
      cipher RSA_WITH_AES_256_CBC_SHA
    !
    ssl-proxy service SSL
      key mykey.pem
      cert mycert.pem
      ssl advanced-options CLIENT_SSL
    !
    probe http HTTP-GET
      interval 10
      passdetect interval 10
      request meth get url /index.html
      expect status 200 202
    !
    serverfarm redirect REDIRECT-SF
      rserver REDIRECT
        inservice
    !
    serverfarm HTTP-SF
      probe HTTP-GET
      rserver SERVER1 80
        inservice
      rserver SERVER2 80
        inservice
    !
    class-map match-all SSL-CM
      2 match virtual-addr 172.16.20.1 tcp eq 443
    !
    class-map match-all HTTP-CM
      2 match virtual-addre 172.16.20.1 tcp eq 80
    !
    sticky http-cookie ILIKECOOKIES SSL-STICKY
      cookie insert
      timeout 720
      serverfarm HTTP-SF
    !
    policy-map type loadbal first-ma REDIRECT-PM
      class class-default
        serverfarm REDIRECT-SF
    !
    policy-map type loadbalan first-ma SSL-PM
      class class-default
        sticky-serverfarm SSL-STICKY
    !
    policy-map multi-match LOADBALANCE
      class HTTP-CM
        loadbalance vip inservice
        loadbalance policy REDIRECT-PM
      class SSL-CM
        loadbalance vip inservice
        loadbalance policy SSL-PM
        loadbalance vip icmp-reply active
        ssl-proxy server SSL
    !
    interface vlan 2
      service-policy input LOADBALANCE

Port 80 on the VIP exists only to redirect to 443; every real request is decrypted on the ACE, stuck to an rserver by the inserted ILIKECOOKIES cookie, and forwarded in cleartext to port 80 on HTTP-SF.

End to End SSL With ACE

    ssl-proxy service SERVER_SSL
      key www-client.key
      cert www-client.crt
      ssl advanced-options ssl_ciphers
    !
    serverfarm WEB-PROTOCOLS
      rserver SERVER1 443
        inservice
      rserver SERVER2 443
        inservice
      probe HTTPs-GET
    !
    class-map match-all HTTPS-CM
      2 match virtual-address 172.16.1.73 tcp eq 443
    !
    policy-map type loadbalan first-m SSL-PM
      class class-default
        serverfarm WEB-PROTOCOLS
        ssl-proxy client SERVER_SSL
    !
    policy-map multi-match L4
      class HTTPS-CM
        loadbalance vip inservice
        loadbalance policy SSL-PM
        loadbalance vip icmp-reply
        ssl-proxy server SSL

The new commands (boxed on the slide) are the second ssl-proxy service and "ssl-proxy client SERVER_SSL" under the load-balance policy: the ACE terminates the client's SSL session as before, then opens its own SSL session to the rserver on 443, acting as the SSL client. Because SERVER_SSL carries a key and certificate, the ACE presents a client certificate to the server. The ssl_ciphers parameter-map it references is not shown on this slide.

Packet flow: two handshakes, one per hop.

    Client                         ACE                         Server 1
    SYN (tcp 443) / SYN-ACK / ACK
    SSL handshake     <----->
    HTTPS GET index.html
    Accept-Encoding: gzip, deflate
                      ------>      SYN (tcp 443) / SYN-ACK / ACK   <----->
                                   SSL handshake                   <----->
                                   HTTPS GET index.html            ------>
                                   Accept-Encoding: gzip, deflate
                                   <------  HTTPS 200 OK, index.html
                      <------      HTTPS response

This is still a termination point, not a pass-through: the ACE sees and can rewrite the cleartext in between. Nothing on this slide configures verification of the server's certificate on the second hop; check that it is configured before relying on the back-end SSL for anything more than confidentiality on the wire.

End to End SSL Offload and Load Balancing

    rserver host SERVER1
      ip address 192.168.1.1
      inservice
    rserver host SERVER2
      ip address 192.168.1.2
      inservice
    !
    parameter-map type ssl CLIENT_PARAM
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_AES_128_CBC_SHA
      cipher RSA_WITH_AES_256_CBC_SHA
    !
    parameter-map type ssl SERVER_PARAM
      cipher RSA_EXPORT_WITH_RC4_40_MD5
      cipher RSA_EXPORT_WITH_DES40_CBC_SHA
    !
    ssl-proxy service CLIENT-SSL
      key mykey.pem
      cert mycert.pem
      ssl advanced-options CLIENT_PARAM
    !
    ssl-proxy service SERVER-SSL
      ssl advanced-options SERVER_PARAM
    !
    probe https HTTPs-GET
      interval 20
      request method get url /index.html
      expect status 200 202
    !
    probe icmp PING
      interval 5
    !
    serverfarm WEB-PROTOCOLS
      probe HTTPs-GET
      probe PING
      rserver SERVER1 443
        inservice
      rserver SERVER2 443
        inservice
    !
    class-map match-all HTTPS-CM
      2 match virtual-add 172.16.1.73 tcp eq 443
    !
    sticky http-cookie ILIKECOOKIES STICKYCOOKIE
      cookie insert
      timeout 720
      serverfarm WEB-PROTOCOLS
    !
    policy-map type loadbalance first-mat SSL-PM
      class class-default
        sticky-serverfarm STICKYCOOKIE
        ssl-proxy client SERVER-SSL
    !
    policy-map multi-match LOADBALANCE
      class HTTPS-CM
        loadbalance vip inservice
        loadbalance policy SSL-PM
        loadbalance vip icmp-reply
        ssl-proxy server CLIENT-SSL

The deck deliberately uses a lighter cipher list toward the servers (SERVER_PARAM) than toward clients, to save server CPU. The suites it picked, 40-bit export RC4 and DES40, are breakable with modest effort and have been prohibited in TLS for years; if the back-end hop must be cheap, choose a modern suite the servers can offload, not an export-grade one. SERVER-SSL has no key or certificate, so the ACE presents no client certificate on this hop. Two probes on one farm (HTTPs-GET and PING) mean an rserver must pass both to stay in service.

SSL Redirect Rewrite (ACE 2.0)

    action-list type modify http ACTION
      header insert request FRONT-END-HTTPS header-value On
      ssl url rewrite location 172.16.20.1
    !
    policy-map type loadbalance first-match SSL-PM
      class class-default
        sticky-serverfarm STICKY
    !
    policy-map multi-match LOADBALANCE
      class HTTP-CM
        loadbalance vip inservice
        loadbalance policy HTTP-PM
      class SSL-CM
        loadbalance vip inservice
        loadbalance policy HTTP-PM
        loadbalance vip icmp-reply active
        ssl-proxy server SSL
        action ACTION

An offloaded server only ever sees HTTP, so any redirect it generates carries an http:// Location and would drop the client back to cleartext. "ssl url rewrite location" makes the ACE rewrite Location headers for 172.16.20.1 from http:// to https:// on the way back, and the inserted "FRONT-END-HTTPS: On" request header lets the application itself know that the client was on SSL. That header is only trustworthy if nothing but the ACE can set it: a client talking to the cleartext VIP can send the same header, so the application must not honour it on the port-80 path, or the ACE must strip it there.

Advanced Load Balancing

Advanced Load Balancing Features: Increased Protocol Inspection

Protocols supported: FTP and strict FTP, RTSP, ICMP, DNS, HTTP
Enhanced protocol inspection: SIP, Skinny, H.323, ILS/LDAP

Deep packet inspection extends visibility and persistence to all applications. Protocol inspection on the ACE can be used to analyze or modify application data. Compliance with RFCs can also be enforced, as well as filtering for user-defined interactions, which are denied if attempted.

Advanced Load Balancing Features: HTTP Inspection Overview

  - HTTP inspection is a special case of an application firewall in which the focus is mainly on HTTP attributes: the HTTP headers, the URL and the payload itself
  - Enables users to validate, filter and log HTTP transactions by matching the traffic against the configured policies
  - Shares the HTTP stack and the regex engine with L7 SLB, with added features for inspection
  - Can work together with L7 load balancing on the same flow
  - User-defined regexes can be used, in a limited way, to detect offending traffic by searching for "signatures"

Advanced Load Balancing Features: HTTP Inspect Features

  - RFC compliance
  - MIME type validation
  - Length and encoding checks
  - Port 80 misuse
  - Permit/deny based on L7 regex match

Regex "signatures" catch only what they were written for; the RFC-compliance, length and encoding checks are the part that removes whole classes of malformed requests before they reach the application.

How to Enable Compression?

From the Cisco ACE 4710 Device Manager you can begin compressing HTTP traffic on the Cisco ACE 4710 by clicking the "Enable Compression" command within the Virtual Server configuration for server farms. A single click enables compression for the configured load balancing policy.

(Screenshot of the Device Manager "Enable Compression" control; not reproduced.)

HTTP Compression

(Screenshot: searching for "cisco" on www.google.com, with the compressed response data shown in a capture; not reproduced.)

TCP Server Offload: "TCP Multiplex" or "TCP Re-use"

  - TCP setup and teardown offloaded from the server (currently limited to HTTP)
  - Effective for servers dedicating a high percentage of CPU cycles to TCP processing
  - TCP connections to the server are kept open (HTTP 1.1 connection keepalive)
  - Client requests are multiplexed onto existing server connections
  - The ACE creates a connection pool on the reals [ip:port] associated with the virtual server
  - Client connections are matched to server connections based on TCP options (SACK, timestamp, window_scale, MSS)

TCP Server Offload Illustrated

(Diagram, not reproduced: client connections TCP1, TCP2 and TCP3 are carried over the pooled server connections ACE-TCP1 in Pool1 and ACE-TCP2 in Pool2.)

    parameter-map type http PARAM-MAP
      server-conn reuse
      case-insensitive
      persistence-rebalance
    !
    class-map match-any HTTP
      10 match virtual-address 172.16.1.73 tcp eq 80
    !
    policy-map type loadbalance first-match HTTP
      class class-default
        sticky-serverfarm STICKY
    !
    policy-map multi-match L4
      class vipmap1
        loadbalance vip inservice
        loadbalance policy HTTP
        appl-parameter http advanced-options PARAM-MAP
        nat dynamic 1 vlan 2

One pooled connection carries requests from many clients, so the source address the server sees on it (here the NAT pool, via "nat dynamic 1 vlan 2") says nothing about who sent a given request. Anything on the server that keys on the TCP peer, such as per-IP rate limits or access logs, needs the client address in an HTTP header instead (see the Header Insert slide).

Server Connection Reuse

When the feature is enabled, a server TCP connection may be reused to service a different client TCP connection after the response to the previous HTTP request has been transmitted. "Connection: keep-alive" is inserted into and "Connection: close" is removed from the client HTTP request, to avoid closing the server connection early. (Note: details on connection reuse come later.)

    switch/Admin(config)# parameter-map type http HTTP_PARAM
    switch/Admin(config-parammap-http)# server-conn reuse

    switch/Admin# show np 1 me-stats "-s icm | grep Reuse"
    Reuse link update conn invalid error:      0
    Reuse link update conn not on reuse erro   0
    Reuse conn remove not on head error:       0
    Connection Reuse Add Errors:               0
    Connections Removed From Reuse Pools:      1
    Connections Added To Reuse Pools:          1

    switch/Admin# show stats http | include Reuse
    Reuse msgs sent       : 1 , HTTP requests     : 4

    switch/Admin# show stats http | include Headers
    Reproxied requests    : 0 , Headers removed   : 1
    Headers inserted      : 1 , HTTP redirects    : 0

The counters confirm the rewrite: one "Connection: close" removed and one "Connection: keep-alive" inserted, with four HTTP requests served over a single pooled server connection.

TCP Server Offload Example

(Graphs, not reproduced: server-side versus client-side TCP connections per second.)

Over 98% reduction in server-side TCP connections per second. The figure also depends on the server configuration (HTTP GETs per TCP connection).

Advanced Load Balancing: Persistence and Pipelining

  - HTTP is assumed to follow a simple request/response transaction model
  - Introduced in HTTP/1.1, persistence is also referred to as client keep-alive
  - Multiple persistent HTTP requests on the same TCP connection will be balanced to (potentially) different rservers if persistence-rebalance is configured; this works without regard to packet boundaries
  - Pipelined requests are buffered and parsed only after the previous response has been completely transmitted; in other words, the requests are un-pipelined
  - If persistence-rebalance is not configured, all pipelined requests on a connection are sent to the same server as they arrive

    switch/Admin(config)# parameter-map type http HTTP_PARAM
    switch/Admin(config-parammap-http)# persistence-rebalance

    switch/Admin# show stats http | include requests
    Reuse msgs sent       : 0 , HTTP requests     : 7
    Reproxied requests    : 0 , Headers removed   : 0
    HTTP chunks           : 0 , Pipelined requests: 2

Without persistence-rebalance only the first request on a keep-alive connection is inspected; every later request on that connection follows it to the same rserver, so a URL- or cookie-based policy is enforced once per connection, not once per request.

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 104BRKAPP-200214405_04_2008_c2

Advanced Load Balancing: Header Insert

Can be used to insert the client source IP address if NAT is being used
Inserts a header into the client HTTP request just before transmit to the server
If persistence-rebalance is configured, the insert occurs on all requests for the connection, otherwise just the first
The point of insertion is always between the request line and the existing first header
Configure “%is” and “%ps” to dynamically insert source (client) IP and port
Configure “%id” and “%pd” to dynamically insert destination (virtual server) IP and port
In the below example, the inserted header might look something like:

ACE: Src=61.0.0.5:32797;Dest=61.0.0.113:80

switch/Admin(config)# policy-map type loadbalance first-match PSLB
switch/Admin(config-pmap-lb)# class C1
switch/Admin(config-pmap-lb-c)# insert-http ACE header-value Src=%is:%ps;Dest=%id:%pd

switch/Admin# show stats http | include insert
 Headers inserted : 1 , HTTP redirects : 0
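The behaviour of the two preceding slides (un-pipelining requests on a persistent connection regardless of packet boundaries, choosing a new rserver per request only when persistence-rebalance is on, and inserting the ACE header between the request line and the first existing header) modelled in Python as an added example. This is not ACE code; the packet contents, rserver names and addresses are constructed.

```python
import re
from itertools import cycle

# Constructed sample: three pipelined requests on one persistent connection,
# arriving in packets that do not line up with request boundaries.
PACKETS = [
    b"GET /a HTTP/1.1\r\nHost: www.example.com\r\n\r\nGET /b HT",
    b"TP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n",
    b"POST /c HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nhel",
    b"lo",
]

def split_requests(stream):
    """Un-pipeline: return (complete requests, unparsed remainder)."""
    reqs = []
    while True:
        end = stream.find(b"\r\n\r\n")
        if end < 0:
            break  # headers not complete yet
        head = stream[:end + 4]
        m = re.search(rb"(?im)^content-length:[ \t]*(\d+)", head)
        total = end + 4 + (int(m.group(1)) if m else 0)
        if len(stream) < total:
            break  # body still in flight; wait for the next packet
        reqs.append(stream[:total])
        stream = stream[total:]
    return reqs, stream

def insert_header(request, name, value):
    """Place the header between the request line and the existing first header."""
    cut = request.index(b"\r\n") + 2
    return request[:cut] + name + b": " + value + b"\r\n" + request[cut:]

def balance(packets, rservers, client, vip, rebalance):
    """Model one connection; return [(rserver, request as forwarded), ...]."""
    chooser, chosen, buf, sent = cycle(rservers), None, b"", []
    # Equivalent of header-value Src=%is:%ps;Dest=%id:%pd
    tag = f"Src={client[0]}:{client[1]};Dest={vip[0]}:{vip[1]}".encode()
    for pkt in packets:
        buf += pkt
        reqs, buf = split_requests(buf)
        for req in reqs:
            if rebalance or chosen is None:
                chosen = next(chooser)  # new decision per request only with rebalance
            if rebalance or not sent:
                req = insert_header(req, b"ACE", tag)  # every request vs. first only
            sent.append((chosen, req))
    return sent
```

Because the balancer's header always precedes any header of the same name the client sent, a backend that reads the first occurrence picks up the balancer's value rather than a client-supplied one.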


Q and A


Recommended Reading

Designing Content Switching Solutions
Zeeshan Naseh, CCIE 6836; Haroon Khan, CCIE 4530

Data Center Fundamentals
Mauricio Arregoces, CCIE 3285; Maurizio Portolani

Content Networking Fundamentals
Silvano Da Ros

Web Security Field Guide
Steve Kalman

Server Load Balancing
Tony Bourke

SSL and TLS: Designing and Building Secure Systems
Eric Rescorla

Available Onsite at the Cisco Company Store

Continue your Networkers at Cisco Live Learning Experience with Further Reading from Cisco Press


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.


Backup Slides


Design Comparison: Application View

L2 In-Path: No Source-NAT necessary (except server-to-server via VIP)
L3 In-Path: No Source-NAT necessary (except server-to-server via VIP)
L3 Out-of-Path: Source-NAT necessary, or PBR (Policy Based Routing) -> not VRF-aware, operational challenge


Design Comparison: Scalability

L2 In-Path: One or multiple VLANs per context possible; non-load-balanced traffic also passes through the ACE
L3 In-Path: Centralized load-balancing architecture; non-load-balanced traffic also passes through the ACE
L3 Out-of-Path: Only load-balanced traffic passes through the ACE


Design Comparison: Migration

L2 In-Path: Easy and transparent migration; no changes to server IP or gateway
L3 In-Path: Gateway address is typically moved to the ACE
L3 Out-of-Path: Easy migration; typically not transparent in terms of source IP address


Content Switching Design Approaches: Routed Mode: Design

(2A) Routed Mode Design with MSFC on Client Side
Servers' default gateway is the alias IP on the ACE
Extra configurations needed for:
  Direct access to servers
  Non-load-balanced server-initiated sessions
ACE's default gateway is the HSRP group IP address on the MSFC
RHI possible
Load balancer inline of all traffic

(2B) Routed Mode Design with MSFC on Server Side
Servers' default gateway is the HSRP group IP address on the MSFC
Extra configurations needed for (simpler than option 2A):
  Direct access to servers
  Non-load-balanced server-initiated sessions
SM's default gateway is the core router
RHI not possible
Server-to-server communication bypasses the load balancer

[Figure 2A: Core-1/Core-2, Agg-1/Agg-2 with MSFC1/MSFC2, ACE 1 and ACE 2 (standby) joined by FT and data PortChannels, Access layer below. ACE Client-Side VLAN 10 10.10.1.0/24; ACE Server-Side VLAN 20 10.20.1.0/24; ACE Server-Side VLAN 30 10.30.1.0/24]

[Figure 2B: same topology. ACE Client-Side VLAN 5 10.5.1.0/24; ACE Server-Side VLAN 1 10.10.1.0/24; Server VLAN 20 10.20.1.0/24; Server VLAN 30 10.30.1.0/24]


Content Switching Design Approaches: Routed Mode: Configuration

ACE
!
interface vlan 10
 ip address 10.10.1.5 255.255.255.0
 alias 10.10.1.4 255.255.255.0
 peer ip address 10.10.1.6 255.255.255.0
 no shutdown
!
interface vlan 20
 ip address 10.20.1.2 255.255.255.0
 alias 10.20.1.1 255.255.255.0
 peer ip address 10.20.1.3 255.255.255.0
 no shutdown
!
interface vlan 30
 ip address 10.30.1.2 255.255.255.0
 alias 10.30.1.1 255.255.255.0
 peer ip address 10.30.1.3 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1

MSFC
!
interface Vlan10
 ip address 10.10.1.2 255.255.255.0
 standby 10 ip 10.10.1.1
 standby 10 priority 110
 standby 10 preempt
!


Content Switching Design Approaches: Bridged Mode: Design

(1) Bridged Mode Design Considerations
Servers' default gateway is the HSRP group IP address on the MSFC
Broadcast/multicast/route update traffic bridges through
No extra configurations for:
  Direct access to servers
  Server-initiated sessions
RHI possible
Load balancer inline of all traffic

[Figure 1: Core-1/Core-2, Agg-1/Agg-2 with MSFC1/MSFC2, ACE 1 and ACE 2 (standby) joined by FT and data PortChannels, Access layer below. ACE Client-Side VLAN 10 10.10.1.0/24; ACE Server-Side VLAN 20 10.10.1.0/24]


Content Switching Design Approaches: Bridged Mode: Configuration

ACE
interface vlan 10
 bridge-group 10
 access-group input anyone
 access-group output anyone
 no shutdown
!
interface vlan 20
 bridge-group 10
 access-group input anyone
 access-group output anyone
 no shutdown
!
interface bvi 10
 ip address 10.10.1.5 255.255.255.0
 alias 10.10.1.4 255.255.255.0
 peer ip address 10.10.1.6 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1
!

MSFC
!
interface Vlan10
 ip address 10.10.1.2 255.255.255.0
 standby 10 ip 10.10.1.1
 standby 10 priority 110
 standby 10 preempt
!


Content Switching Design Approaches: Bridged Mode: BPDU Forwarding

ACE Configuration to Allow BPDUs
!
access-list bpduallow ethertype permit bpdu
!
interface vlan 10
 bridge-group 10
 access-group input bpduallow
 no shutdown
!
interface vlan 20
 bridge-group 10
 access-group input bpduallow
 no shutdown
!

As with the FWSM, ACE can let BPDUs through and can rewrite their payload, correctly handling merged STP domains
Protects against accidental loops if the FT heartbeat cable or VLAN is disconnected


Content Switching Design Approaches: L3 One-Armed Mode: Design

(3) One-Armed Design Considerations
Servers' default gateway is the HSRP group IP address on the MSFC
No extra configurations for:
  Direct access to servers
  Server-initiated sessions
RHI possible
CSM/ACE inline for only server load-balanced traffic
Policy-based routing or source NAT can be used to redirect server return traffic to the load balancer

[Figure 3: Core-1/Core-2, Agg-1/Agg-2 with MSFC1/MSFC2, ACE 1 and ACE 2 (standby) joined by FT and data PortChannels, Access layer below. ACE Server-Side VLAN 10 10.10.1.0/24; Server VLAN 20 10.20.1.0/24; Server VLAN 30 10.30.1.0/24]


Content Switching Design Approaches: L3 One-Armed Mode: PBR Configuration

ACE - Asymmetric Routing
!
interface vlan 10
 ip address 10.10.1.5 255.255.255.0
 alias 10.10.1.4 255.255.255.0
 peer ip address 10.10.1.6 255.255.255.0
 no normalization
 access-group input anyone
 access-group output anyone
 no shutdown
!

MSFC
!
interface Vlan10
 ip address 10.10.1.2 255.255.255.0
 standby 10 ip 10.10.1.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan20
 ip address 10.20.1.2 255.255.255.0
 ip policy route-map FromServersToSLB
 standby 20 ip 10.20.1.1
 standby 20 priority 110
!
access-list 121 permit tcp any eq telnet any
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
!
route-map FromServersToSLB permit 10
 match ip address 121
 set ip next-hop 10.10.1.4


Content Switching Design Approaches: L3 One-Armed Mode: Source-NAT Configuration

class-map match-all HTTP
  2 match virtual-address 172.16.1.73 tcp eq 80

policy-map type loadbalance first-match WEB
  class class-default
    insert-http x-forwarded-for: header-value %is
    serverfarm HTTP

policy-map multi-match L4
  class HTTP
    loadbalance vip inservice
    loadbalance policy WEB
    nat dynamic 1 vlan 2

interface vlan 2
  ip address 172.16.1.1 255.255.255.0
  alias 172.16.1.254 255.255.255.0
  peer ip address 172.16.1.2 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input L4
  no normalization
  nat-pool 1 10.10.1.110 10.10.1.110 netmask 255.255.255.0 pat
  no shutdown