
BRKAPP-2002

14405_04_2008_c2

2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

Server Load
Balancing Design


2006, Cisco Systems, Inc. All rights reserved.



Cisco Application Delivery Networks


Network Classification

Application Scalability

Application Networking

Quality of service
Network-based app recognition
Queuing, policing, shaping
Visibility, monitoring, control

Server load-balancing
Site selection
SSL termination and offload
Video delivery

Message transformation
Protocol transformation
Message-based security
Application visibility

WAN

Application Acceleration

WAN Acceleration

Application Optimization

Latency mitigation
Application data cache
Meta data cache
Local services


Data redundancy elimination


Window scaling
LZ compression
Adaptive congestion avoidance

Delta encoding
FlashForward optimization
Application security
Server offload

Other Cisco Live Breakout Sessions that You May Want to Attend
[Figure: relevancy matrix of each session against GSS, ISR, WAAS, ACNS, ACE, AXG and Applications]
BRKAPP-2002 Server Load Balancing Design
BRKAPP-3003 Troubleshooting ACE
BRKAPP-1004 Introduction WAAS
BRKAPP-2005 Deploying WAAS
BRKAPP-3006 Troubleshooting WAAS
BRKAPP-1008 What can Cisco IOS do for my application?
BRKAPP-1009 Introduction to Web Application Security
BRKAPP-2010 How to build and deploy a scalable video communication solution for your organization
BRKAPP-2011 Scaling Applications in a Clustered Environment
BRKAPP-2013 Best Practices for Application Optimization illustrated with SAP, Siebel and Exchange
BRKAPP-2014 Deploying AXG
BRKAPP-1015 Web 2.0, AJAX, XML, Web Services for Network Engineers
BRKAPP-1016 Running Applications on the Branch Router
BRKAPP-2017 Optimizing Application Delivery
BRKAPP-2018 Optimizing Oracle Deployments in Distributed Data Centers

Agenda
Application Load Balancing
Health Checking
Prediction
Persistence
Design Implementation Considerations

Policy Configuration Examples


Layer 4 Example
Web Protocol Example
Server to Server Load Balancing Example

SSL
SSL Offload Example

Advanced Load Balancing Design


Application Inspections
TCP Reuse
URL Load Balancing

ACE Application Switching Module


Integrates Load Balancing,
Application Optimization and Security
Virtual Device Support
Data Center and Application Firewall
Multimedia and Voice Intelligence
Low Power Usage with High
Performance
License-based Upgrades
(SSL, virtual licenses)
Support for Catalyst 6500 Series
Switch and Cisco 7600 Series Router

Integrated Services, High Performance


Application Switching Platform: 4-16 Gbps

ACE Application Switching Appliance


Integrates Load Balancing, Application Optimization
and Security
Virtual Device Support
Data Center and Application Firewall
Multimedia and Voice Intelligence
Low Power Usage with High Performance
License-based Upgrades (SSL, Virtual licenses,
Application Optimization, Compression Performance)
Specific optimizations for common applications
Latency and bandwidth reduction with protection
Application switching for scalability and availability
Embedded Browser-based Graphical
User Interface
High Performance Multi-core, Dual-CPU Architecture

Integrated Services, High Performance


Application Switching Platform: 1-2 Gbps

Cisco Application Networking


Manager (ANM)
ACE Appliance has an embedded GUI
ANM is free for 2 ACE devices (with 5 contexts max without additional licensing); an order must be placed for ANM-SERVER-12-K9
ACE Module has no embedded GUI
Cisco ANM runs from a centralized server running
Redhat Linux
Multiple Cisco ANM users can simultaneously
manage multiple devices via web browser
Enables device & virtualization provisioning for up
to fifty (50) ACE and forty (40) CSS & CSM
per Cisco ANM server
Graphical interface for simplified and standardized
service provisioning for basic, advanced
and expert users
Secure user access and delegation of responsibilities

Enables Centralized Configuration, Operations, and Monitoring


of Cisco Data Center Networking Equipment and Services

Load Balancing Overview Terminology
[Figure: clients reach a Virtual IP Address on the content switch (load balancer), which selects a server from the serverfarm]
Clients
Client-Side Gateway
Content Switch / Load Balancer
Virtual IP Address (VIP): 172.16.2.100, TCP port 80
Class-Map: URL = /news, User-Agent = WindowsCE, Client = 192.0.0.0/8
Policy-Map: If match class-map X then use serverfarm X, else use serverfarm Y
Load Balancing Algorithm (Predictor): Round Robin
Keepalive (Probe)
Serverfarm
Servers: XML Gateways

Traffic Being Load Balanced
Generic IP traffic (e.g. IPsec tunnels)
Generic UDP and TCP (e.g. proprietary protocols)
Network services (e.g. LDAP, DNS, RADIUS)
HTTP (e.g. Web presentation layer, Web Services, SOAP/XML)
Voice & Video (e.g. RTSP, SIP, H.323)
Remote terminals (e.g. Windows Terminal Services)
Multi-connection protocols (e.g. FTP, RTSP)
Multi-tier packaged applications (e.g. SAP, Oracle, Microsoft, BEA)
Vertical-specific applications (e.g. medical, finance, education)
[Figure: frame layout, Ethernet header (Layer 2), IP header (Layer 3), TCP header (Layer 4), HTTP header and payload (Layers 5-7), Ethernet trailer]

Scale Your
Application
Health Checking


Scale Your Application


Health Monitoring Issues
Application Issue
ARPs only check the IP stack and not the application
ICMP probes only check the IP stack of the machine and not the application
Generic TCP port opens check the TCP stack but not the application's ability to handle requests
An application may fail in a state where the server can still respond to a TCP SYN but not to an application data request
To verify the integrity of an application, an application data request keepalive is required
How to verify the application server's health, or the web server's reachability to the application server

Application Load Balancing


Probe Options
Probe: Description
ICMP: Sends an ICMP echo request and waits for the reply
Generic TCP: Opens a connection with the server and disconnects with a TCP FIN or RST (TCP FIN is the default)
Generic UDP: Sends a packet; the probe is considered successful if no ICMP error is received
HTTP: Sends an HTTP HEAD or HTTP/1.1 GET request
HTTPS: Establishes an SSL connection, sends an HTTP query and tears it down
FTP: Similar to the TCP probe
Telnet: Makes a connection, sends a QUIT message
DNS: Uses a default domain and waits for any response
SMTP: Sends a hello followed by a QUIT message
POP3: Similar to the TCP probe
IMAP: Similar to the TCP probe
RADIUS: Similar to the UDP probe; NAS-IP can be configured
Scripted: Uses the TCL interpreter (release 8.44) to execute user-defined TCL scripts that perform health monitoring
SNMP: Up to eight OIDs can be configured. Used mainly for load-balancing predictions and not health checking; should be combined with another health probe to verify the application


Scale Your Application


Application or Database Server Health Checking
Probing customer application servers with application data requires a scripted keepalive on the load balancer or on a front-end server. Scripting on front-end servers allows greater flexibility.
http://www.company.com/test.asp


[Figure: test.asp exercises the application with a sample transaction: Buy 10000 Widgets, Customer Testuser, Company Test Inc.]


Scale Your
Application
Predictors


Scale Your Application


Predictors
Predictors Determine How Connections Are Load Balanced
[Figure: client connections arriving at the load balancer are distributed across the serverfarm]

Scale Your Application


Predictor Algorithms
Round Robin (weighted): very simple
Least Connections (weighted): dynamic, requires slow-start
Hash on IP (source/destination, with mask): no state required for stickiness; issues with dynamic changes
Hash on URL: or a portion of the URL
Server Watermarks: min and max number of connections per server
Least Loaded: server feedback obtained from SNMP Object IDs
Least Bandwidth: connection vs. bandwidth, based on the bidirectional traffic flow
Adaptive Response Predictor: load balancing based on server response time, measured as
SYN to SYN-ACK
SYN to FIN
Application request to first packet of response

Enhanced Predictors
Adaptive Response Predictor
Load balancing based on server response time; the response time is calculated over a configured number of samples and supports the following three measurement options:
SYN to SYN-ACK: time between the SYN sent from ACE and the SYN-ACK received from the server
SYN to Close: time between the SYN sent from ACE and the FIN/RST received from the server
Application Request to Response: time between the HTTP request sent from ACE and the HTTP response received from the server
[Figure: ACE in front of a serverfarm, timing each of the three intervals]

Enhanced Predictors
Least-Loaded Using SNMP
The Least Loaded predictor can support up to 8 user-defined SNMP Object IDs
The least-loaded algorithm automatically calculates the least loaded server from the SNMP responses received from the servers
The number of active connections on the server is also factored into the least-loaded algorithm
Users can define static weights for each Object ID to allow unprecedented load balancing control of new connections based on real-time appliance performance
The least-loaded predictor provides the most accurate method for calculating the servers' load

Enhanced Application Algorithms
Least-Loaded Using SNMP
ACE utilizes SNMP-based probes to obtain CPU, memory and drive statistics from the servers
[Figure: ACE polls each server for three SNMP Object IDs: CPU Utilization, Memory Resources and Disk Drive Availability. Sample query results shown: CPU utilization 34%, 24% and 14%; memory 785300k, 885300k and 947300k free; disk 202GB, 307GB and 440GB free]

ACE Queries Server


for the Following Three
SNMP Object IDs

Only SNMP Agent Is Required on the Server


No Additional Software

Enhanced Application Algorithms
New Feature: Least-Bandwidth
The load balancer introduces the Least-Bandwidth predictor, which selects the server that processed the least amount of network traffic over a specified sampling period
The ACE measures traffic statistics between itself and the real servers in the server farm in both directions and calculates the bandwidth over the sampling period
Then, it creates an ordered list of real servers based on the sampling results and selects the server that used the least amount of bandwidth during the sampling period
The Least-Bandwidth predictor is best suited for heavy traffic use
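The predictor families listed on the preceding slides (weighted round robin, least connections with slow-start, hash on IP with mask, least-loaded over weighted SNMP OIDs, adaptive response over a sample window, least-bandwidth), as an added Python simulation. This is not Cisco code and not the ACE implementation: the server names, weights, SNMP readings, response-time samples and byte counters are constructed, and the smooth round-robin credit scheme, the slow-start ramp (virtual connections that decay to zero over the slow-start period) and the modulo hash are simplifying assumptions standing in for the ACE algorithms.

```python
import ipaddress
from collections import deque


class Real:
    """One rserver and the counters the predictors read (all values constructed)."""

    def __init__(self, name, weight=8):
        self.name = name
        self.weight = weight            # 8 is the rserver weight shown in the deck's show output
        self.conns = 0                  # current open connections
        self.oids = {}                  # SNMP OID name -> last polled value
        self.bytes = 0                  # bytes moved (both directions) in the sampling window
        self.samples = deque(maxlen=8)  # response-time samples (seconds), 8 = 'samples 8'
        self.uptime = None              # seconds since inservice; None = long-running
        self._rr_credit = 0


def roundrobin(reals):
    """Smooth weighted round robin: every pick adds each server's weight to its
    credit, takes the server with the most credit and charges it the total."""
    total = sum(r.weight for r in reals)
    for r in reals:
        r._rr_credit += r.weight
    pick = max(reals, key=lambda r: r._rr_credit)
    pick._rr_credit -= total
    return pick


def leastconns(reals, slowstart=0):
    """Fewest connections per unit of weight. A server inservice for less than
    `slowstart` seconds is charged virtual connections that decay as it ages,
    so it is not flooded the moment it comes up (simplified ramp model)."""
    busiest = max(r.conns for r in reals)

    def load(r):
        penalty = 0.0
        if slowstart and r.uptime is not None and r.uptime < slowstart:
            penalty = busiest * (1 - r.uptime / slowstart)
        return (r.conns + penalty) / r.weight
    return min(reals, key=load)


def hash_ip(reals, src_ip, mask="255.255.255.255"):
    """Source-IP hash with mask: no sticky state needed, but the mapping shifts
    whenever the number of servers changes (the 'dynamic changes' caveat)."""
    masked = int(ipaddress.ip_address(src_ip)) & int(ipaddress.ip_address(mask))
    return reals[masked % len(reals)]


def least_loaded(reals, oid_weights):
    """Weighted sum of the polled OID values plus active connections; lowest wins."""
    def load(r):
        return sum(w * r.oids.get(oid, 0) for oid, w in oid_weights.items()) + r.conns
    return min(reals, key=load)


def response(reals):
    """Adaptive response: lowest mean response time over the sample window.
    A server with no samples yet is preferred so that it gets measured."""
    def mean_rt(r):
        return sum(r.samples) / len(r.samples) if r.samples else -1.0
    return min(reals, key=mean_rt)


def least_bandwidth(reals):
    """Server that moved the fewest bytes in the current sampling window."""
    return min(reals, key=lambda r: r.bytes)


def demo():
    """Run each predictor over one constructed three-server farm."""
    a, b, c = Real("SERVER1"), Real("SERVER2", weight=16), Real("SERVER3")
    farm = [a, b, c]
    rr = [roundrobin(farm).name for _ in range(4)]       # SERVER2 carries double weight
    a.conns, b.conns, c.conns = 0, 18, 10                # SERVER1 was just brought back inservice
    a.uptime = 5
    lc = leastconns(farm).name                           # no slow start: SERVER1 takes everything
    lc_slow = leastconns(farm, slowstart=60).name        # slow start: SERVER2 still wins for now
    h = hash_ip(farm, "10.1.2.3", "255.255.255.0").name  # whole /24 maps to one server
    a.oids, b.oids, c.oids = {"cpu": 34}, {"cpu": 24}, {"cpu": 14}   # constructed SNMP readings
    ll = least_loaded(farm, {"cpu": 1}).name
    a.samples.extend([0.020, 0.030]); b.samples.append(0.010); c.samples.append(0.050)
    rt = response(farm).name
    a.bytes, b.bytes, c.bytes = 5000, 300, 900
    bw = least_bandwidth(farm).name
    return rr, lc, lc_slow, h, ll, rt, bw
```

The slow-start case is the one worth studying: without it, a server that just passed its probe has zero connections and wins every least-connections decision until it is overwhelmed, which is exactly the "requires slow-start" note on the algorithm slide.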

Scale Your
Application
Predictors


Scale Your Application


Session Persistence
Stickiness
Session: Logical aggregation of multiple simultaneous
or subsequent connections
Sessions are limited in time (timeout)
Servers keep session state
The content switch and load distribution across multiple
servers introduces the problem
The content switch needs to send connections
from the same client to the same server
Even in case of backend database with session
information, stickiness is very useful since it
significantly improves performance

Scale Your Application


Session Persistence Methods
How to Uniquely Identify a Client

Source IP
  Variation: Full IP or Masked IP
  Info stored on: LB
  Good for: Simplicity
  Caveats: Proxies
  How does it work: Client = its source IP

Cookie
  Variation: Static, Dynamic, Insert
  Info stored on: LB
  Good for: Flexibility
  Caveats: HTTP only; clear text
  How does it work: Client = a cookie value

SSL ID
  Variation: Full SSID or Offset
  Info stored on: LB
  Good for: No cookie support required
  Caveats: SSL v3 renegotiation
  How does it work: Client = SSL session ID

HTTP Redirect
  Info stored on: Client
  Good for: No state on LB
  Caveats: HTTP only; absolute URLs; bookmarks
  How does it work: LB redirects to a specific (V)Server

SIP
  Info stored on: LB
  Good for: SIP-specific stickiness
  How does it work: Client = session Call-ID

RDP (WTS)
  Info stored on: LB
  Good for: Recovering disconnected WTS sessions
  Caveats: No token, needs to fall back to source IP
  How does it work: SD (Session Directory) routing token = server IP + port

GPP (custom)
  Info stored on: LB
  Good for: Flexible for custom applications
  Caveats: Specific to application
  How does it work: Regex matches on TCP and UDP data
Design Configuration

Design Configuration
ACE Service Virtualization
[Figure: one physical device partitioned into an Admin context and Contexts 1, 2 and 3, with labels for context definition, resource allocation, the ANM management station and AAA]

Design Configuration
ACE Virtualization
Provides means to partition one physical unit into
independently managed logical engines
Provisions resource per logical device
Almost every feature subsystem is virtualized
including Linux kernel

Logical devices are called virtual contexts


Each with independent resource allocation and policies

Default context called Admin context is available initially


Customers who do not wish to use virtualization
can perform all operations from within Admin context

ACE Module
250 contexts + Admin context supported

ACE Appliance
20 contexts + Admin context supported

Design Configuration
ACE Resource Management
By default, every context is a member of the default resource-class, with unlimited access to system resources
Resources can be guaranteed in three ways:
No guaranteed resources, but access to any available resource
X% of resources guaranteed, with no access to other additional resources
X% of resources guaranteed and access to any available resource
Minimum limit is specified as a percentage (e.g. 5.00%)
Maximum limit can equal the Min value or be unlimited
Only one resource-class can be applied per context
Maximum 100 resource-classes can be configured
Sticky resources require a minimum of 1% per context, which the default resource-class does not provide: associate all contexts that use stickiness with a non-default resource-class

Design Configuration
Router Mode
The preferred configuration for appliances
By default the load balancer acts as a router
Servers' default gateway is the load balancer
The VIP addresses can reside on the client side or the server side
If you do not want to change the IP addresses of the servers, put the VIP on the server side and create a /30 network to the firewall
Servers' Default Gateway: Content Switch IP
[Figure: subnets A, B and C with the load balancer routing between them]

Design Configuration
Bridge Mode
The load balancer acts as a bump in the wire
This is preferred for integrated load balancers like the ACE modules
The servers' default gateway will be the upstream router or firewall
If packets are sent to the physical IP address of the load balancer, it will try to route the packet by default
Servers' Default Gateway: Upstream Router or Firewall's IP Address, Not ACE's Address
[Figure: subnet A bridged through the load balancer to subnet B]

How Are Customers Using Virtualization?
Security and Bridge Mode
[Figure: one ACE with an Admin partition and partitions A, B and C, each bridging its own pair of VLANs]
"The security team continues to fully manage the FWSM and is comfortable with the bridge mode approach. In parallel, we have turned on some extra HTTP security features on ACE."
"Bridge mode on the CSM was great, but ACE takes the same approach to a whole new level with virtualization."
Each Pair of Bridged VLANs Has Its Own Configuration, Independent Management, and Enhanced Security

Design Considerations
One-Arm Mode: Overview
L2-rewrite not possible
Content switch not inline
Does not see unnecessary traffic
Requires PBR, server default gateway pointing to the load balancer, or client source NAT
ACE can insert the user's original IP address as a client header
The return traffic is needed!
Servers' Default Gateway: Upstream Router
PBR: Policy Based Routing; NAT: Network Address Translation

policy-map type loadbalance first-match OAM
class L7Policy
insert-http x-forwarded-for header-value "%is"

Design Considerations
One-Arm Mode: Overview
[Figure: packet walk in one-arm mode. Client to VIP: source MAC router, destination MAC LB; source client IP and random port, destination VIP and VIP port. LB to selected server: source MAC content switch (CS), destination MAC selected server; source client IP and random port, destination selected server IP and VIP port. Without PBR, client NAT, or the servers' gateway being set to the load balancer, the server's reply (source server IP, VIP port) goes straight back toward the client, bypassing the content switch, and the flow ends in a RST]
L2 One-Arm Mode
Return Traffic Bypassing ACE
Servers
Default Gateway:
Upstream Router

Subnet B

Bypass for return traffic: high throughput!


Requires MAC rewrite, L2 adjacency
Servers need identical loopback addresses (one per VIP)
TCP termination not possible: no L7 features!
Load balancer blind to return traffic (inband, accounting)

Redundancy Model
Redundancy groups (Fault Tolerance, FT groups) are configured based on virtual contexts
Two instances of the same context (on two distinct ACE modules) form a redundancy group, one being active and the other standby
The peer ACE can be in the same or a different Cisco Catalyst 6k chassis
Both ACE modules can be active at the same time, processing traffic for distinct contexts, and backing up each other (stateful redundancy)
Example: two ACE modules, four FT groups, four virtual contexts (A, B, C, D)
[Figure: ACE-1 and ACE-2 joined by an FT VLAN; FT groups 1 and 2 are active on ACE-1 and standby on ACE-2, FT groups 3 and 4 are active on ACE-2 and standby on ACE-1]

Policy Configuration
Examples

Policy Lookup Order


There can be many features applied on a given interface,
so feature lookup ordering is important
The feature lookup order followed by datapath in ACE
is as follows:
1. Access-control (permit or deny a packet)
2. Management Traffic
3. TCP normalization/Connection parameters
4. Server Load Balancing
5. Fix-ups/Application inspection
6. Source NAT
7. Destination NAT

The policy lookup order is implicit, irrespective of the order


in which the user configures policies on the interface
Application Networking Manager 1.2


ANM 1.2 Provides Turnkey control
and administration for ACE Modules
and ACE Appliances

ANM 1.2 provides multidevice application


management of large scale
data center operations

ANM 1.2
Configure Basic Server Load Balancing
[Screenshot: easy-to-use server load balancing configuration; steps shown: Configure Virtual Server (VIP), Configure Load Balancing Actions]

ANM 1.2
Configure Basic Server Load Balancing
Intuitive GUI design prompts the user to configure VIP details as necessary
Advanced options appear as the user drills down
[Screenshot: Create Server Farm, Create Health Monitoring Probes, Add Real Servers]
Policy CLI Overview


1. Define match criteria
2. Associate actions to match criteria
3. Activate the classification-action rules
on either an interface or globally
class-map C1
match <criteria>

policy-map P1
class C1
<action>

interface vlanX
service-policy input P1
Modular Policy CLI


Class Maps
The class-map command is used to define a traffic
class. The purpose of a traffic class is to classify traffic
A traffic class contains three major elements: a name,
a series of match commands, and, if more than one
match command exists in the traffic class, an instruction
on how to evaluate these match commands
class-map type management match-any REMOTE-ACCESS
description REMOTE-ACCESS-TRAFFIC-MATCH
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
5 match protocol http any
6 match protocol https any

Modular Policy CLI


Class-Maps
A class-map can reference an existing class-map of the same type using the match class statement
Supported only for L7 class-maps; limited to two levels of nesting
Used to build complex logical expressions
Easy combination of AND and OR statements

class-map match-all WEB-CM
2 match virtual-address 172.16.73.10 tcp eq www
!
class-map type http loadbalance match-any IMAGE-CM
2 match http url .*gif
3 match http url .*jpg
4 match http url .*jpeg
Modular Policy CLI


Policy-Maps
The policy-map command is used to define the actions to be performed on the traffic. Policy-maps can be based on L3/4/7 information. Traffic that does not match the specified classifications in a policy-map is then matched against the class-default policy.
first-match
The class-action pairs within the policy-map are looked up sequentially and the actions listed against the first matching class-map in the policy-map are executed. The order of class-maps within the policy-map matters.
e.g. policy-maps of type loadbalance, management and ftp
all-match
An attempt is made to match traffic against all classes in the policy-map and the actions of all matching classes are executed.
e.g. policy-map of type inspect http
multi-match
Specifies that the policy-map supports multiple feature actions and each feature by itself can have only one match (first match). The policy as a whole has multiple matches due to multiple features.
policy-map type management first-match REMOTE-MGMT
class REMOTE-ACCESS
permit
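The class-map and policy-map semantics described on these slides (match-any versus match-all, nested match class, first-match versus all-match, and why class-map order matters), modelled as an added Python example. This is not ACE code: the class-maps WEB-CM and IMAGE-CM and the policy-map APPLICATION-PM follow the deck's configuration, while IMAGE-STRICT-CM, WEB-IMAGE-CM, MISORDERED-PM, AUDIT-PM and their "log ..." actions are constructed for illustration. The regex handling (unanchored search) is this model's assumption, used to show why a loose pattern such as .*gif also classifies a URL like /gifts/list.html as an image request.

```python
import re


class ClassMap:
    """A traffic class: a name, a list of match commands and, when there is
    more than one, whether they are ANDed (match-all) or ORed (match-any)."""

    def __init__(self, name, matches, mode="match-all"):
        self.name, self.matches, self.mode = name, matches, mode

    def matches_request(self, req):
        results = [m(req) for m in self.matches]
        return all(results) if self.mode == "match-all" else any(results)


def http_url(pattern):
    """'match http url <regex>', applied unanchored to the request URL."""
    rx = re.compile(pattern)
    return lambda req: rx.search(req.get("url", "")) is not None


def virtual_address(vip, port):
    """'match virtual-address <ip> tcp eq <port>' against the L4 destination."""
    return lambda req: req.get("dst") == (vip, port)


def match_class(cmap):
    """'match class <name>': nest an existing class-map of the same type."""
    return cmap.matches_request


class PolicyMap:
    """Ordered (class-map, action) pairs. first-match runs only the first hit,
    all-match runs every hit. A class of None stands for class-default."""

    def __init__(self, name, mode, rules):
        self.name, self.mode, self.rules = name, mode, rules

    def evaluate(self, req):
        actions = []
        for cmap, action in self.rules:
            if cmap is None or cmap.matches_request(req):
                actions.append(action)
                if self.mode == "first-match":
                    break
        return actions


# Class-maps from the deck, plus a tighter constructed pattern for comparison.
WEB_CM = ClassMap("WEB-CM", [virtual_address("172.16.73.10", 80)])
IMAGE_CM = ClassMap("IMAGE-CM",
                    [http_url(".*gif"), http_url(".*jpg"), http_url(".*jpeg")], "match-any")
IMAGE_STRICT_CM = ClassMap("IMAGE-STRICT-CM", [http_url(r"\.(gif|jpe?g)$")], "match-any")
# Nested class-map (constructed): image requests that arrived on the web VIP.
WEB_IMAGE_CM = ClassMap("WEB-IMAGE-CM", [match_class(WEB_CM), match_class(IMAGE_CM)])

APPLICATION_PM = PolicyMap("APPLICATION-PM", "first-match",
                           [(IMAGE_CM, "serverfarm IMAGE-SF"),
                            (None, "sticky-serverfarm WEB-SF")])
# Same two classes in the wrong order: class-default first swallows everything.
MISORDERED_PM = PolicyMap("MISORDERED-PM", "first-match",
                          [(None, "sticky-serverfarm WEB-SF"),
                           (IMAGE_CM, "serverfarm IMAGE-SF")])
# all-match: every matching class contributes its action (constructed actions).
AUDIT_PM = PolicyMap("AUDIT-PM", "all-match",
                     [(IMAGE_CM, "log image-request"),
                      (IMAGE_STRICT_CM, "log image-by-extension")])


def classify(url, dst=("172.16.73.10", 80)):
    """Run one request through the policy-maps; returns the actions chosen by each."""
    req = {"url": url, "dst": dst}
    return {
        "APPLICATION-PM": APPLICATION_PM.evaluate(req),
        "MISORDERED-PM": MISORDERED_PM.evaluate(req),
        "AUDIT-PM": AUDIT_PM.evaluate(req),
        "WEB-IMAGE-CM": WEB_IMAGE_CM.matches_request(req),
    }
```

The /gifts/list.html case is the one to check in a real configuration: a loose classification pattern silently routes non-image requests to the image farm, which matters as soon as the two farms have different security postures.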
Modular Policy CLI


Policy-Maps
The policy-map command is used to define the actions to be performed on the traffic. Policy-maps can be based on L3/4/7 information. Traffic that does not match the specified classifications in a policy-map is then matched against the class-default policy.

policy-map type loadbalance first-match APPLICATION-PM
class IMAGE-CM
serverfarm IMAGE-SF
class class-default
sticky-serverfarm WEB-SF

Modular Policy CLI


Activating Policy
Policies are activated on an interface or globally using
the service-policy command
The policy-map can be enabled either on the input
or output or both directions
Policy-maps applied globally in a context, are internally
applied on all interfaces existing in the context

service-policy input <policy-name>

Basic Layer 4 Load Balancing
Health Checking: Generic TCP or Scripted Keepalive
Balancing Requests: Round Robin or Least Connections
Persistence: Required, based on Source IP with or without sticky mask
Service Failure handling: Fail action to purge or default

Basic Layer 4 Load Balancing


Management and Device Access
rserver host SERVER1
ip address 192.168.1.1
inservice
rserver host SERVER2
ip address 192.168.1.2
inservice
!
access-list EVERYONE line 10 extended permit ip any any
!
class-map type management match-any REMOTE-ACCESS
description REMOTE-ACCESS-traffic-match
2 match protocol ssh any
3 match protocol icmp any
4 match protocol https any
5 match protocol snmp any
!
policy-map type management first-match REMOTE-MGMT
class REMOTE-ACCESS
permit
!
interface vlan 2
ip address 172.16.1.1 255.255.255.0
access-group input EVERYONE
service-policy input REMOTE-MGMT
no shutdown
Callouts on the configuration: You need an ACL; Define management traffic

Basic Layer 4 Load Balancing


serverfarm TELNET-SF
rserver SERVER1
inservice
rserver SERVER2
inservice
!
class-map match-all TELNET-CM
2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
class class-default
serverfarm TELNET-SF
!
policy-map multi-match LOADBALANCE
class TELNET-CM
loadbalance vip inservice
loadbalance policy TELNET-PM
!
interface vlan 2
ip address 172.16.1.1 255.255.255.0
access-group input EVERYONE
service-policy input REMOTE-MGMT
service-policy input LOADBALANCE
no shutdown

Probe Configuration Options

probe icmp PING-PROBE


interval 5
passdetect interval 5
passdetect count 3
probe tcp TCP-PROBE
interval 10
passdetect interval 10
passdetect count 3
probe telnet TELNET-PROBE
interval 20
passdetect interval 10
passdetect count 3
!
serverfarm TELNET-SF
probe PING-PROBE
probe TCP-PROBE
probe TELNET-PROBE
rserver SERVER1
inservice
rserver SERVER2
inservice
!
Common show commands


show serverfarm TELNET-SF
show probe
show probe TELNET-PROBE detail
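How the probe timers configured above (interval, passdetect interval, passdetect count, plus the fail count of 3 from the show probe output) drive an rserver's health, and why a generic TCP probe on its own misses the failure mode from the Health Monitoring Issues slide, as an added Python simulation. This is not Cisco code: the state machine, the constructed server responses and the "ORDER OK" body check standing in for a scripted test.asp keepalive are this example's assumptions; the timer defaults are taken from the deck's TCP-PROBE.

```python
class Probe:
    """Probe timing and thresholds as on the 'probe' CLI. Defaults are the
    deck's TCP-PROBE values (interval 10, passdetect interval 10, passdetect
    count 3) and the fail count 3 shown by 'show probe'."""

    def __init__(self, name, check, interval=10, faildetect=3,
                 passdetect_interval=10, passdetect_count=3):
        self.name, self.check = name, check
        self.interval, self.faildetect = interval, faildetect
        self.passdetect_interval, self.passdetect_count = passdetect_interval, passdetect_count


class ProbeState:
    """Health of one rserver under one probe, driven by a clock in seconds."""

    def __init__(self, probe):
        self.probe = probe
        self.health = "PASSED"      # assume the server was healthy when the probe started
        self.streak = 0             # consecutive results pointing toward a state change
        self.next_due = 0
        self.passed = self.failed = 0
        self.transitions = []       # (time, new health)

    def tick(self, now, server):
        """Run the probe if it is due at `now`; return the health afterwards."""
        if now < self.next_due:
            return self.health
        ok = self.probe.check(server)
        self.passed += 1 if ok else 0
        self.failed += 0 if ok else 1
        if self.health == "PASSED":
            self.streak = 0 if ok else self.streak + 1
            if self.streak >= self.probe.faildetect:
                self.health, self.streak = "FAILED", 0
                self.transitions.append((now, "FAILED"))
        else:
            self.streak = self.streak + 1 if ok else 0
            if self.streak >= self.probe.passdetect_count:
                self.health, self.streak = "PASSED", 0
                self.transitions.append((now, "PASSED"))
        # healthy servers are probed every `interval`, failed ones every passdetect interval
        self.next_due = now + (self.probe.interval if self.health == "PASSED"
                               else self.probe.passdetect_interval)
        return self.health


def tcp_open(server):
    """Generic TCP probe: succeeds as soon as the listener completes the handshake."""
    return server["tcp_accepts"]


def app_request(server):
    """Application-data keepalive: sends the request and checks status and body,
    the way a scripted or HTTP probe against test.asp would (constructed check)."""
    return server["tcp_accepts"] and server["status"] == 200 and "ORDER OK" in server["body"]


def rserver_in_rotation(states):
    """The rserver stays in rotation only while every probe attached to it passes."""
    return all(s.health == "PASSED" for s in states)


def demo():
    """Constructed timeline: the application behind the listener breaks at t=30 s
    (connections are still accepted but every request returns 500) and is
    repaired at t=80 s. Both probes run every 10 s."""
    probes = [ProbeState(Probe("TCP-PROBE", tcp_open)),
              ProbeState(Probe("HTTP-PROBE", app_request))]
    out_of_rotation = []
    for now in range(0, 150, 10):
        broken = 30 <= now < 80
        server = {"tcp_accepts": True,
                  "status": 500 if broken else 200,
                  "body": "error" if broken else "ORDER OK: 10000 widgets for Testuser"}
        for s in probes:
            s.tick(now, server)
        if not rserver_in_rotation(probes):
            out_of_rotation.append(now)
    return {s.probe.name: s.transitions for s in probes}, out_of_rotation
```

In the timeline the TCP probe never changes state, so a farm protected only by TCP-PROBE keeps sending clients to a server that answers every request with an error; the application-level probe takes it out after three consecutive failures (t=50) and needs three consecutive passes at the passdetect interval to bring it back (t=100).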

ANM
Probe Configuration

Probe Configuration Options


ACE-1/routed(config-sfarm-host-rs)# do show serverfarm TELNET-SF
 serverfarm     : TELNET-SF, type: HOST
 total rservers : 3
 ----------------------------------------------connections-----------
       real                  weight state        current    total    failures
    ---+---------------------+------+------------+----------+----------+---------
    rserver: TEST
       192.168.1.222:0       8      ARP_FAILED   0          0          0
    rserver: SERVER1
       192.168.1.1:0         8      PROBE-FAILED 0          0          0
    rserver: SERVER2
       192.168.1.2:0         8      PASSED       0          0          0

Probe Configuration Options


ACE-1/routed# show probe TELNET-PROBE

probe       : TELNET-PROBE
type        : TELNET
state       : ACTIVE
----------------------------------------------
   port      : 23       address     : 0.0.0.0     addr type  :
   interval  : 20       pass intvl  : 10          pass count : 3
   fail count: 3        recv timeout: 10

                 ------------------ probe results ------------------
   probe association   probed-address  probes  failed  passed  health
   ------------------- ---------------+-------+-------+-------+-------
   serverfarm  : TELNET-SF
     real      : SERVER1[0]
                       192.168.1.1     6       0       6       PASSED
     real      : SERVER2[0]
                       192.168.1.2     5       0       5       PASSED

Basic Layer 4 Load Balancing

probe tcp TCP-PROBE
port 23
interval 5
passdetect interval 3
!
serverfarm TELNET-SF
probe TCP-PROBE
rserver SERVER1
inservice
rserver SERVER2
inservice
!
class-map match-all TELNET-CM
2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
class class-default
serverfarm TELNET-SF
!
policy-map multi-match LOADBALANCE
class TELNET-CM
loadbalance vip inservice
loadbalance policy TELNET-PM
!
interface vlan 2
ip address 172.16.1.1 255.255.255.0
access-group input EVERYONE
service-policy input REMOTE-MGMT
service-policy input LOADBALANCE
no shutdown
Predictors Configuration Options


ACE-1/routed(config-sfarm-host)# predictor ?
  hash             Configure 'hash' Predictor algorithms
  least-bandwidth  Configure 'least bandwidth' Predictor algorithm
  least-loaded     Configure 'least loaded' predictor algorithm
  leastconns       Configure 'least conns' Predictor algorithm
  response         Configure 'response' Predictor algorithm
  roundrobin       Configure 'round robin' Predictor algor (default)

Configuration options
predictor roundrobin
predictor leastconns slowstart 200
predictor response syn-to-synack samples 8
predictor response syn-to-close
predictor least-bandwidth assess-time 2

ACE-1/routed(config-sfarm-host-predictor)# do show serverfarm detail
 serverfarm     : TELNET-SF, type: HOST
 total rservers : 3
 active rservers: 2
 description    :
 state          : ACTIVE
 predictor      : RESPONSE
 method         : syn-to-synack
 samples        : 8
ANM Predictor Configuration

BRKAPP-2002
14405_04_2008_c2

2008 Cisco Systems, Inc. All rights reserved.

2006, Cisco Systems, Inc. All rights reserved.


Presentation_ID.scr

Cisco Public

56

28

Basic Layer 4 Load Balancing


Predictors

serverfarm TELNET-SF
  predictor response syn-to-synack samples 8
  probe TCP-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
class-map match-all TELNET-CM
  2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm STICKY
!
policy-map multi-match L4
  class TELNET-CM
    loadbalance vip inservice
    loadbalance policy TELNET-PM
!

Persistence Configuration Options

sticky ip-netmask 255.255.255.0 address source T-STICKY
  serverfarm TELNET-SF
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm T-STICKY

ANM Persistence Configuration

Basic Layer 4 Load Balancing


Sticky

serverfarm TELNET-SF
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  probe TCP
!
sticky ip-netmask 255.255.240.0 address source T-STICKY
  serverfarm TELNET-SF
!
class-map match-all TELNET-CM
  2 match virtual-address 172.16.1.73 tcp eq 23
!
policy-map type loadbalance first-match TELNET-PM
  class class-default
    sticky-serverfarm T-STICKY
!
policy-map multi-match L4
  class TELNET-CM
    loadbalance vip inservice
    loadbalance policy TELNET-PM
!

Basic Web Load Balancing

Health Checking           Generic TCP or Scripted Keepalive
Balancing Requests        Round Robin or Least Connections
Persistence               Required, based on Source IP with or without sticky mask
Service Failure handling  Fail action to purge or default

Probe Configuration Options

probe http HTTP-PROBE
  interval 5
  passdetect interval 3
  request method get url /index.html
  expect status 200 200
!
probe https HTTPs-PROBE
  interval 5
  faildetect 2
  passdetect interval 3
  request method get url /secure/index.html
  expect status 200 202
  ssl cipher RSA_WITH_RC4_128_MD5
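As an added illustration (this is not code from the deck or from ACE), the Python model below shows how the probe knobs above (interval, faildetect, passdetect interval and count, and the expect status range) move a real server between PASSED and FAILED; the probe responses are constructed, and the exact state-machine details are this example's assumption rather than a description of ACE internals.

```python
from dataclasses import dataclass


@dataclass
class Probe:
    """Probe knobs from the slides; defaults mirror the 'show probe' output
    (interval 20, fail count 3, pass intvl 10, pass count 3)."""
    name: str
    interval: int = 20             # seconds between probes while the real is PASSED
    faildetect: int = 3            # consecutive failures before the real is marked FAILED
    passdetect_interval: int = 10  # seconds between probes while the real is FAILED
    passdetect_count: int = 3      # consecutive passes needed to return to PASSED
    expect_lo: int = 200           # 'expect status lo hi' for http/https probes
    expect_hi: int = 200


@dataclass
class RealState:
    """Per-real counters as reported under 'probe results'."""
    health: str = "PASSED"
    probes: int = 0
    failed: int = 0
    passed: int = 0
    consec_fail: int = 0
    consec_pass: int = 0
    next_probe_at: int = 0


def status_ok(probe, status):
    """An HTTP probe passes only if the status code is inside the expect range."""
    return probe.expect_lo <= status <= probe.expect_hi


def apply_result(probe, st, ok, now):
    """Record one probe result at time `now`; return the real's health afterwards."""
    st.probes += 1
    if ok:
        st.passed += 1
        st.consec_pass += 1
        st.consec_fail = 0
    else:
        st.failed += 1
        st.consec_fail += 1
        st.consec_pass = 0
    if st.health == "PASSED" and st.consec_fail >= probe.faildetect:
        st.health = "FAILED"          # taken out of rotation
        st.consec_pass = 0
    elif st.health == "FAILED" and st.consec_pass >= probe.passdetect_count:
        st.health = "PASSED"          # back in rotation
        st.consec_fail = 0
    # A failed real is re-probed at the shorter passdetect interval.
    gap = probe.interval if st.health == "PASSED" else probe.passdetect_interval
    st.next_probe_at = now + gap
    return st.health


def run_probe_sequence(probe, responses):
    """Feed constructed probe responses (HTTP status, or None for a timeout) in
    order; return [(time, status, health), ...] and the final RealState."""
    st = RealState()
    timeline = []
    for status in responses:
        now = st.next_probe_at
        ok = status is not None and status_ok(probe, status)
        timeline.append((now, status, apply_result(probe, st, ok, now)))
    return timeline, st


if __name__ == "__main__":
    # Constructed scenario with HTTPS-PROBE style knobs (faildetect 2, passdetect interval 3).
    p = Probe("HTTPS-PROBE", interval=5, faildetect=2, passdetect_interval=3,
              passdetect_count=3, expect_lo=200, expect_hi=202)
    timeline, st = run_probe_sequence(p, [200, 202, 503, None, 200, 200, 200])
    for t, status, health in timeline:
        print(f"t={t:>3}s status={status!s:>4} health={health}")
    print(f"probes={st.probes} failed={st.failed} passed={st.passed} health={st.health}")
```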

Basic Web Load Balancing


Probes

probe http HTTP-PROBE
  interval 5
  passdetect interval 3
  request method get url /index.html
  expect status 200 499                   <- What should I look for?
!
probe https HTTPS-PROBE
  interval 5
  faildetect 2
  passdetect interval 3
  request method get url /secure/index.ht
  expect status 200 200
  ssl cipher RSA_WITH_RC4_128_MD5         <- You can check specific ciphers
!
serverfarm HTTPS-SF
  probe HTTPS-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
serverfarm HTTP-SF
  probe HTTP-PROBE
  predictor leastconns slowstart 100
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
Basic Web Load Balancing


class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    serverfarm HTTP-SF
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm HTTPS-SF
!
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance vip icmp-reply [active]
    loadbalance policy SSL-PM

loadbalance vip icmp-reply active
  Configures the VIP to reply to ICMP ECHO. The active option instructs the ACE to
  reply to an ICMP request only if the configured VIP is active.

Persistence Configuration Options

sticky http-cookie ILIKECOOKIES STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF backup SORRY-SF
!
sticky ip-netmask 255.255.240.0 address source STICKY1
  serverfarm HTTPS-SF backup SORRY-SF
!

Basic Web Load Balancing


Sticky Options

sticky http-cookie ILIKECOOKIES STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF
!
sticky ip-netmask 255.255.240.0 address source STICKY1
  serverfarm HTTPS-SF
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    sticky-serverfarm STICKY
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKY1
!
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL-PM

Web Load Balancing


BIG HEADER ISSUE: Where's the Cookie?

parameter-map type http INSENSITIVE
  case-insensitive
  persistence-rebalance
  set header-maxparse-len 8192
!
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
    appl-parameter http advanced-options INSENSITIVE

URL Parsing
parameter-map type http INSENSITIVE
  case-insensitive
  persistence-rebalance
  set header-maxparse-len 8192
!
class-map type http loadbalance match-any URL-MATCHING
  2 match http url .*
class-map type http loadbalance match-any URL-IMAGE
  2 match http url /image/.*
class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
serverfarm IMAGE-SF
  probe IMAGE-PROBE
  rserver IMAGE1
    inservice
  rserver IMAGE2
    inservice
serverfarm WEB-SF
  probe WEB-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
sticky http-cookie IMAGE-COOKIES IMAGECOOKIE
  cookie insert browser-expire
  serverfarm IMAGE-SF backup WEB-SF
sticky http-cookie WEB-COOKIES WEBCOOKIE
  cookie insert browser-expire
  serverfarm WEB-SF
!
policy-map type loadbalance first-match HTTP-PM
  class URL-IMAGE
    sticky-serverfarm IMAGECOOKIE
  class URL-MATCHING
    sticky-serverfarm WEBCOOKIE
!
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
    appl-parameter http advanced-options INSENSITIVE
Server-Server Communication Should Use the Same VIP as Clients

[Diagram: clients at 12.20.234.1 reach the VIP 172.16.1.100 on the ACE; the servers on
172.16.1.0 (.16 and .183) sit behind it, with a source NAT address of 172.16.1.101; a server
that needs the service goes through the same VIP instead of straight to a peer]
Clients-to-VIP Load Balanced Flows


NO SRC-NAT

class-map match-all BASIC-CM
  2 match virtual-address 172.16.1.100 any
policy-map type multi-match CLIENT
  class TCP-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
!
interface VLAN 107
  description "Client-side Interface"
  bridge-group 1
  access-group input anyone
  service-policy input CLIENT
!
interface VLAN 207
  description "Server-side Interface"
  bridge-group 1
  access-group input anyone

[Diagram: client 12.20.234.1 -> VIP 172.16.1.100; servers on 172.16.1.0 (.16, .183);
flows shown are "Client to VIP" and "Server to Client"]

switch/orange# sh conn
total current connections : 4
conn-id    np dir proto VLAN source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
96         1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
97         1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB
Server-to-Server Load Balanced Flows


Same ACE Interface

class-map match-all BASIC-CM
  2 match virtual-address 12.20.234.100 any
policy-map type multi-match CLIENT
  class TCP-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
policy-map type multi-match SERVER
  class BASIC-CM
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
    nat dynamic 123 VLAN 207
!
interface VLAN 107
  description "Client-side Interface"
  bridge-group 1
  access-group input anyone
  service-policy input CLIENT
!
interface VLAN 207
  description "Server-side Interface"
  bridge-group 1
  access-group input anyone
  nat-pool 123 12.20.234.101 12.20.234.101 netmask 255.255.255.255 pat
  service-policy input SERVER

[Diagram: client 12.20.234.1 -> VIP 172.16.1.100; sNAT 172.16.1.101; servers on 172.16.1.0
(.16, .183); flows shown are "Client to VIP" and "Server to Source NAT IP"]

switch/orange# sh conn
total current connections : 4
conn-id    np dir proto VLAN source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
96         1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
97         1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB
Security Features

Security Features
Isn't the Firewall Enough?
Enterprises are making more and more application services available via the web
Deploying a web application means inviting potentially malicious HTTP requests
Web application code becomes part of the network security perimeter
Who is responsible for patching customer web applications?

[Diagram: Web Client -> Firewall (ports 80 and 443 open, unfiltered web traffic) -> Web Server
-> Application Server -> Database Server]

Existing Network Firewalls Alone Cannot Adequately Inspect Protocols and Application Data
Security Features in ACE


TCP/IP normalization
Built-in Transport Protocol Security
User Configurable, to meet Security Requirements

Application Protocol Inspection


Advanced HTTP Inspection
RFC Compliance
MIME Type Validation
Prevent Tunneling Protocols over HTTP Ports

Security Features
IP/UDP/ICMP Exploits Blocked by ACE

IP checks performed by ACE:
  Automatic anti-spoofing (source IP = dest IP); unicast RPF check
    src IP == dest IP, src IP or dest IP == 127.x.x.x
    dest IP >= 240.0.0.0, src IP == 0.x.x.x, src IP >= 224.0.0.0
  Header length check (min and max lengths, L3 < L2)
  IP options control
  Drop illicit IP addresses (source IP = class D or broadcast or loopback)
  Overlapping fragments dropped, control over max number of fragments
  ARP inspection in transparent mode

ICMP checks performed by default:
  Requests and responses matching
  Prevents injection of unsolicited ICMP errors
  Countermeasures specified in draft-gont-tcpm-icmp-attacks.txt

Blocked Attacks: Timestamp/Route Record/Source Routing/Fragment DoS attacks, IP spoofing,
Ping of Death, ICMP flood, Smurf, ARP attacks

Security Features
Hardware-Based TCP Normalization

TCP Standard Header Checks

Always Performed:
  I.   src port and dest port != 0
  II.  Only SYN packet allowed to create connection
  III. TCP header >= 20 bytes
  IV.  TCP header <= ip->length - ip->header_length
  V.   urg flag cleared if urg_pointer is zero
  VI.  If urg flag not present, urg_pointer is cleared
  VII. Illegal flag combinations dropped (SYN|RST etc.)

User Configurable:
  I.   reserved bits allow/clear/drop
  II.  urg flag allow/clear/drop
  III. syn-data allow/drop
  IV.  exceed-mss allow/drop
  V.   random-seq-num-disable

Also configurable: Random Sequence Numbers, TCP Option Processing, TCP State Tracking,
TCP Window Checking
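To make the IP address checks from the previous slide and the "always performed" TCP header checks above concrete, here is an added Python model (not Cisco code) that applies them to constructed raw TCP headers: the check numbering follows the slide, the reserved_bits parameter mirrors the configurable allow/clear/drop policy, and admit() stands in for check II. The packet layout, the dummy checksums and the treatment of a no-flags segment as an illegal combination are this example's assumptions.

```python
import struct
import ipaddress

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ip_checks(src, dst):
    """Reasons the address checks on the IP slide would drop a packet
    (an empty list means the packet passes)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    reasons = []
    if s == d:
        reasons.append("src IP == dest IP")
    if s.is_loopback or d.is_loopback:
        reasons.append("src IP or dest IP == 127.x.x.x")
    if int(d) >= int(ipaddress.IPv4Address("240.0.0.0")):
        reasons.append("dest IP >= 240.0.0.0")
    if int(s) >> 24 == 0:
        reasons.append("src IP == 0.x.x.x")
    if int(s) >= int(ipaddress.IPv4Address("224.0.0.0")):
        reasons.append("src IP >= 224.0.0.0")
    return reasons


def tcp_segment(sport, dport, flags, urgp=0, data_offset=5, reserved=0, payload=b""):
    """Constructed TCP header (+ payload); seq, ack, window and checksum are dummies."""
    off_flags = (data_offset << 12) | ((reserved & 0x7) << 9) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, off_flags, 8192, 0, urgp) + payload


def header_fields(seg):
    """Decode the fields the checks look at from a TCP header."""
    off_flags = struct.unpack("!H", seg[12:14])[0]
    return {"hdr_len": (off_flags >> 12) * 4, "reserved": (off_flags >> 9) & 0x7,
            "flags": off_flags & 0x3F, "urgp": struct.unpack("!H", seg[18:20])[0]}


def tcp_checks(seg, ip_total_len, ip_hdr_len=20, reserved_bits="clear"):
    """'Always performed' checks I, III, IV, V, VI, VII from the slide plus the
    configurable reserved-bits policy (allow/clear/drop). Returns
    (verdict, segment, notes); V, VI and 'clear' rewrite the header instead of
    dropping it, as the slide describes. Check II lives in admit() below."""
    if len(seg) < 20:
        return "drop", seg, ["III. TCP header < 20 bytes"]
    sport, dport, seq, ack, off_flags, win, csum, urgp = struct.unpack("!HHIIHHHH", seg[:20])
    f = header_fields(seg)
    flags, reserved = f["flags"], f["reserved"]
    drop = []
    if sport == 0 or dport == 0:
        drop.append("I. src port or dest port == 0")
    if f["hdr_len"] < 20:
        drop.append("III. data offset < 20 bytes")
    if f["hdr_len"] > ip_total_len - ip_hdr_len:
        drop.append("IV. TCP header > ip->length - ip->header_length")
    if flags & SYN and flags & (RST | FIN):
        drop.append("VII. illegal flag combination (S<br>YN with RST or FIN)".replace("<br>", ""))
    if flags == 0:
        drop.append("VII. illegal flag combination (no flags set)")
    if reserved and reserved_bits == "drop":
        drop.append("reserved bits set (policy: drop)")
    if drop:
        return "drop", seg, drop
    notes = []
    if flags & URG and urgp == 0:
        flags &= ~URG
        notes.append("V. URG flag cleared because urg_pointer is zero")
    if not flags & URG and urgp:
        urgp = 0
        notes.append("VI. urg_pointer cleared because URG flag is not set")
    if reserved and reserved_bits == "clear":
        reserved = 0
        notes.append("reserved bits cleared (policy: clear)")
    # Keep data offset, NS, CWR and ECE bits; rewrite reserved bits and the six flags.
    off_flags = (off_flags & 0xF1C0) | (reserved << 9) | flags
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, win, csum, urgp) + seg[20:]
    return "pass", fixed, notes


def admit(conns, key, flags):
    """II. Only a SYN may create a connection; any other segment for an unknown
    5-tuple is out-of-state and dropped. `conns` is the live connection set."""
    if key in conns:
        return "pass"
    if flags & SYN and not flags & ACK:
        conns.add(key)
        return "pass"
    return "drop"


if __name__ == "__main__":
    print(ip_checks("127.0.0.1", "172.16.1.73"))
    print(tcp_checks(tcp_segment(40000, 80, SYN | RST), ip_total_len=40))
```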

Security Features
TCP Exploits Blocked by ACE
1. TCP checks performed by default:
  Enforces correct usage of TCP flags (can be disabled; flags can be cleared)
  Randomization of sequence numbers (cloaks OS type, makes fingerprinting recon attacks
  unreliable, prevents man-in-the-middle session hijacking)
  Enforces correct header length
  Prevents out-of-state packets
  Prevents packets that do not belong to existing connections
  Possibility to define maximum number of conns per second
  Matches TCP length with IP headers + data
  Blocks illicit ports (port = zero)
  Enforces min and max MSS

Example of Blocked Attacks: Tear Drop, Session Hijacking, Jolt, Bloop, Targa, Bonk, Boink,
Fraggle, Xmas Scan, Null Scan, etc.
Security Features
Denial-of-Service Protection SYN Cookie
ACE can guard against SYN floods with a key feature called SYN cookie, which provides a
mechanism to authenticate the TCP SYN packet:
Completely stateless: no ACE memory entries are used
SYN/ACK replies carry a cookie in the Sequence field of the TCP header
The cookie is generated from a 24-bit random number with the MSS encapsulated in it
If the ACK does not contain the correct cookie, ACE drops the packet
SYN cookie is enabled per interface on ACE
[Diagram: Client -> ACE: SYN
          ACE -> Client: SYN/ACK (SEQ = SYN cookie)
          Client -> ACE: ACK (ACK = cookie + 1)]
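An added Python model of the exchange in the diagram above (illustrative code, not ACE's implementation): the SYN/ACK carries a 24-bit keyed tag plus an encoded MSS as its sequence number, nothing is stored for the client, and state is allocated only when an ACK with cookie + 1 arrives. Deriving the tag as an HMAC over the 4-tuple, a coarse time slot and the MSS index stands in for the slide's 24-bit random number and is this example's assumption.

```python
import hashlib
import hmac
import os

# MSS values the cookie can encode; the chosen index rides in the low 8 bits of the cookie.
MSS_TABLE = (536, 1220, 1460, 4312)


class SynCookieGuard:
    """Stateless SYN-flood guard modelled on the slide: the SYN/ACK sequence number
    is a cookie (24-bit keyed tag + encoded MSS) and only an ACK carrying cookie + 1
    creates connection state. Assumed design, not ACE internals: the tag is an HMAC
    over the 4-tuple, a time slot and the MSS index, which replaces the slide's
    24-bit random number so the cookie can be re-derived without storing anything."""

    def __init__(self, secret=None, slot_seconds=64):
        self.secret = secret or os.urandom(16)
        self.slot_seconds = slot_seconds
        self.conns = {}    # 4-tuple -> MSS; only filled after a valid ACK

    def _slot(self, now):
        return int(now) // self.slot_seconds

    def _tag(self, four_tuple, slot, idx):
        """24-bit keyed tag binding the client 4-tuple, time slot and MSS index."""
        msg = "|".join(map(str, four_tuple)) + f"|{slot}|{idx}"
        digest = hmac.new(self.secret, msg.encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")

    def on_syn(self, four_tuple, mss, now):
        """Handle a SYN: return the ISN to send in the SYN/ACK; store nothing."""
        idx = max(i for i, m in enumerate(MSS_TABLE) if m <= max(mss, MSS_TABLE[0]))
        return (self._tag(four_tuple, self._slot(now), idx) << 8) | idx

    def validate(self, four_tuple, ack_number, now):
        """Return the MSS encoded in the cookie if ack_number == cookie + 1 for the
        current or previous slot; None means forged, stale or for another 4-tuple."""
        cookie = (ack_number - 1) & 0xFFFFFFFF
        tag, idx = cookie >> 8, cookie & 0xFF
        if idx >= len(MSS_TABLE):
            return None
        slot = self._slot(now)
        for candidate in (slot, slot - 1):
            expected = self._tag(four_tuple, candidate, idx)
            if hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
                return MSS_TABLE[idx]
        return None

    def on_ack(self, four_tuple, ack_number, now):
        """Final handshake ACK: allocate state only now, or drop the packet."""
        mss = self.validate(four_tuple, ack_number, now)
        if mss is None:
            return "drop"
        self.conns[four_tuple] = mss
        return "accept"


if __name__ == "__main__":
    guard = SynCookieGuard(secret=b"constructed-demo-secret")
    ft = ("10.10.10.10", 1673, "172.16.1.100", 80)   # constructed client -> VIP 4-tuple
    isn = guard.on_syn(ft, mss=1460, now=100)
    print(f"SYN/ACK seq = 0x{isn:08x}, state entries = {len(guard.conns)}")
    print("forged ACK:", guard.on_ack(ft, isn + 7, now=105))
    print("real ACK:  ", guard.on_ack(ft, isn + 1, now=105), guard.conns)
```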

Secure Socket Layer (SSL)

SSL: Common Questions
Protocols Over SSL

What Protocols Are Supported?
Any TCP-based protocol is supported by the SSL Accelerators, including, but not limited to,
the following well known protocols:

Secure Service   Secure Port   Service   Port
HTTPS            443           HTTP      80
TELNETS          992           TELNET    25
SPOP3            995           POP       110
SIMAP            993           IMAP      143
SSL-LDAP         636           LDAP      389
SNEWS            563           NNTP      119
SSL Certificate Management


ACE/routed# show crypto files
Filename                 File  File  Expor  Key/
                         Size  Type  table  Cert
----------------------------------------------------------------------
TestKey                  1675  PEM   Yes    KEY
TestCert                 1135  PEM   Yes    CERT

ACE/routed# crypto import ?
  ftp             Import a key/certificate from an ftp server
  non-exportable  Mark this key/certificate as non-exportable
  sftp            Import a key/certificate from an sftp server
  terminal        Accept a key/certificate from terminal
  tftp            Import a key/certificate from a tftp server

ACE/routed# crypto import terminal certnew.pem server certificate
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIKJ51kxAAAAAAAETANBgkqhkiG9w0BAQUFADBAMRUwEwYK

v24KvEoWIIuevUQSsljlP1xOmZq2gW3isYf+5PFu1jltYedt
-----END CERTIFICATE-----
quit

COMMON COMMANDS
crypto import terminal <file name>
crypto export <file name>
crypto verify <key name> <cert name>
show crypto files
show crypto key all
show crypto key <key name>
show crypto certificate all
show crypto certificate <cert name>
Configuration
In order to configure SSL, you need to add the following to an L3/L4 class map:
parameter-map type ssl
ssl-proxy service
policy-map

The parameter-map is used to define parameters for SSL connections (e.g., SSL version,
cipher suites)
The ssl-proxy service is used to define the certificates and keys to be used in SSL
connections

SSL Server Offload
Packet Flow with ACE

[Diagram: Client <- L3 flow -> ACE <- TCP flow -> Server 1
  Client to ACE:   SYN (tcp443); SYN, SYN/ACK, ACK; SSL Handshake; HTTPS GET index.html
                   (Accept-Encoding: gzip, deflate); HTTPS Response
  ACE to Server 1: HTTP GET index.html; HTTP 200 OK Response index.html]

serverfarm WEB-PROTOCOLS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
  probe HTTP-GET
!
class-map match-all HTTPs
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY
Basic SSL Offload and Load Balancing
SSL Offload

rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
!
probe http HTTP-GET
  interval 5
  port 81
  passdetect interval 3
  request method get url /secure/index.html
  expect status 200 200
!
parameter-map type ssl CLIENT_PARAM
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
ssl-proxy service CLIENT-SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_PARAM
!
class-map match-all HTTPs
  2 match virtual-address 172.16.1.73 tcp eq 443
!
serverfarm WEB-PROTOCOLS
  probe HTTP-GET
  rserver SERVER1 81
    inservice
  rserver SERVER2 81
    inservice
!
sticky http-cookie ILIKECOOKIES STICKYCOOKIE
  cookie insert
  serverfarm WEB-PROTOCOLS
!
policy-map type loadbalance first-match SSL
  class class-default
    sticky-serverfarm STICKYCOOKIE
policy-map multi-match L4
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT-SSL
Troubleshooting SSL

WireShark
Tcpdump
Telnet on browser ports
MSIE plug-ins: IE Inspector, HTTP Watch, IE Watch, ieHttpHeaders
Mozilla extension: Live HTTP Headers
PHP/Perl LWP
Wget, curl
Lynx/Links text based browsers

Basic SSL Load Balancing
Redirecting Clients to Use SSL

rserver redirect REDIRECT
  webhost-redirection https://%h%p 301
  inservice
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
!
class-map match-all HTTP
  2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SF
!
policy-map multi-match LOADBALANCE
  class HTTP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM

%h is replaced with the host from the request's Host header and %p with the requested path,
so a request for http://www.cisco.com/go/ace is redirected to https://www.cisco.com/go/ace

SSL Packet Flow With ACE

[Diagram: Client <- L3 flow -> ACE <- TCP flow -> Server 1
  Client to ACE:   SYN (tcp443); SYN, SYN/ACK, ACK; SSL Handshake; HTTPS GET index.html
                   (Accept-Encoding: gzip, deflate); HTTPS Response
  ACE to Server 1: HTTP GET index.html; HTTP 200 OK Response index.html]

parameter-map type ssl PARAM_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
ssl-proxy service SSL-PROXY
  key mykey.pem
  cert mycert.pem
  ssl advanced-options PARAM_SSL
!
serverfarm WEB-PROTOCOLS
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
  probe HTTP-GET
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
!
policy-map multi-match L4
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY

crypto verify mykey.pem mycert.pem
Basic SSL Load Balancing
Redirecting Clients to Use SSL

rserver redirect REDIRECT
  webhost-redirection https://%h%p
  inservice
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
!
class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match WEB-PM
  class class-default
    serverfarm REDIRECT-SF
!
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy WEB-PM
!

%h -> host, %p -> path: http://www.cisco.com/go/ace becomes https://www.cisco.com/go/ace

Basic Configuration SSL Offload Example
Putting It All Together

rserver redirect REDIRECT
  webhost-redirection https://%h%p
  inservice
!
parameter-map type ssl CLIENT_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
ssl-proxy service SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_SSL
!
probe http HTTP-GET
  interval 10
  passdetect interval 10
  request method get url /index.html
  expect status 200 202
!
serverfarm redirect REDIRECT-SF
  rserver REDIRECT
    inservice
serverfarm HTTP-SF
  probe HTTP-GET
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
!
class-map match-all SSL-CM
  2 match virtual-address 172.16.20.1 tcp eq 443
class-map match-all HTTP-CM
  2 match virtual-address 172.16.20.1 tcp eq 80
!
sticky http-cookie ILIKECOOKIES SSL-STICKY
  cookie insert
  timeout 720
  serverfarm HTTP-SF
!
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SF
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm SSL-STICKY
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
  class SSL-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL
!
interface vlan 2
  service-policy input LOADBALANCE
End to End SSL With ACE

[Diagram: Client <-> ACE: SYN (tcp443); SYN, SYN/ACK, ACK; SSL Handshake; HTTPS GET index.html
  (Accept-Encoding: gzip, deflate); HTTPS Response
  ACE <-> Server 1: SYN (tcp443); SYN, SYN/ACK, ACK; SSL Handshake; HTTPS GET index.html
  (Accept-Encoding: gzip, deflate); HTTPS 200 OK Response index.html]

ssl-proxy service SERVER_SSL
  key www-client.key
  cert www-client.crt
  ssl advanced-options ssl_ciphers
!
serverfarm WEB-PROTOCOLS
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
  probe HTTPs-GET
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    serverfarm WEB-PROTOCOLS
    ssl-proxy client SERVER_SSL
!
policy-map multi-match L4
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server SSL

New commands are in the boxes on the slide: the ssl-proxy service SERVER_SSL definition and
the ssl-proxy client SERVER_SSL line under the load-balance policy.
End to End SSL Offload and Load Balancing

rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
!
parameter-map type ssl CLIENT_PARAM
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
!
parameter-map type ssl SERVER_PARAM
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
!
ssl-proxy service CLIENT-SSL
  key mykey.pem
  cert mycert.pem
  ssl advanced-options CLIENT_PARAM
!
ssl-proxy service SERVER-SSL
  ssl advanced-options SERVER_PARAM
!
probe https HTTPs-GET
  interval 20
  request method get url /index.html
  expect status 200 202
!
probe icmp PING
  interval 5
!
serverfarm WEB-PROTOCOLS
  probe HTTPs-GET
  probe PING
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
!
class-map match-all HTTPS-CM
  2 match virtual-address 172.16.1.73 tcp eq 443
!
sticky http-cookie ILIKECOOKIES STICKYCOOKIE
  cookie insert
  timeout 720
  serverfarm WEB-PROTOCOLS
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKYCOOKIE
    ssl-proxy client SERVER-SSL
!
policy-map multi-match LOADBALANCE
  class HTTPS-CM
    loadbalance vip inservice
    loadbalance policy SSL-PM
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT-SSL
SSL Redirect Rewrite ACE 2.0

action-list type modify http ACTION
  header insert request FRONT-END-HTTPS header-value On
  ssl url rewrite location 172.16.20.1
!
policy-map type loadbalance first-match SSL-PM
  class class-default
    sticky-serverfarm STICKY
policy-map multi-match LOADBALANCE
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
  class SSL-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL
    action ACTION

Advanced Load Balancing

Advanced Load Balancing Features
Increased Protocol Inspection

Protocol Inspection on the ACE Can Be Used to Analyze or Modify Application Data. Compliance
With RFCs Can Also Be Enforced, as Well as Filtering for User-Defined Interactions, Which Are
Denied if Attempted

Protocols supported by ACE:
  FTP and Strict FTP
  RTSP
  ICMP
  DNS
  HTTP

Enhanced protocol inspection:
  SIP
  Skinny
  H.323
  ILS/LDAP

Deep Packet Inspection Extends Visibility and Persistence to All Applications
Advanced Load Balancing Features
HTTP Inspection Overview
HTTP inspection is a special case of application firewalling in which the focus is mainly on
HTTP attributes such as the HTTP headers, the URL and the payload itself
Enables users to validate, filter and log HTTP transactions by matching the traffic against
the configured policies
Shares the HTTP stack and the REGEX engine with L7 SLB, with added features for inspection
Can work with L7 load balancing on the same flow
User-defined REGEX can be used in a limited way to detect offending traffic by searching for
signatures
Advanced Load Balancing Features


HTTP Inspect Features
RFC compliance
MIME type validation
Length and Encoding Checks
Port 80 misuse
Permit/Deny based on L7 Regex match

How to Enable Compression?

From the Cisco ACE 4710 Device Manager you can begin compressing HTTP traffic on Cisco ACE 4710
by clicking the Enable Compression command within the Virtual Server configuration for server
farms. A single click enables compression for the load balancing policy configured.

[Screenshot: Device Manager Virtual Server configuration with the Enable Compression option]
HTTP Compression

[Screenshot: searching for cisco in www.google.com, with the response shown as compressed data]
TCP Server Offload


TCP Multiplex or TCP Re-use
TCP setup and teardown offloaded from server
(currently limited to HTTP)
Effective for servers dedicating high percentage
of CPU cycles to TCP processing
TCP connections to the server are kept open
(HTTP 1.1 connection keepalive)
Client requests multiplexed to existing server connections
ACE creates a connection pool on the reals [ip:port]
associated to the virtual server
Client connections matched to server connections based
on TCP options (Sack, timestamp, window_scale, MSS)
TCP Server Offload Illustrated

[Diagram: client connections TCP1, TCP2 and TCP3 arriving at the ACE are multiplexed onto the
pooled server connections ACE-TCP1 (Pool1) and ACE-TCP2 (Pool2)]

parameter-map type http PARAM-MAP
  server-conn reuse
  case-insensitive
  persistence-rebalance
!
class-map match-any HTTP
  10 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match HTTP
  class class-default
    sticky-serverfarm STICKY
!
policy-map multi-match L4
  class vipmap1
    loadbalance vip inservice
    loadbalance policy HTTP
    appl-parameter http advanced-options PARAM-MAP
    nat dynamic 1 vlan 2

Server Connection Reuse


When the feature is enabled, a server TCP connection may be reused
to service a different client TCP connection after the response to the
previous HTTP request has been transmitted
Connection: keep-alive is inserted and Connection: close is removed
from the client HTTP request, to avoid closing the server connection early
Note: details on Connection Reuse come later
switch/Admin(config)# parameter-map type http HTTP_PARAM
switch/Admin(config-parammap-http)# server-conn reuse

switch/Admin# show stats http | include Reuse
 Reuse msgs sent            : 1          , HTTP requests       : 4
switch/Admin# show stats http | include Headers
 Reproxied requests         : 0          , Headers removed     : 1
 Headers inserted           : 1          , HTTP redirects      : 0

switch/Admin# show np 1 me-stats "-s icm | grep Reuse"
Reuse link update conn invalid error:              0
Reuse link update conn not on reuse erro           0
Reuse conn remove not on head error:               0
Connection Reuse Add Errors:                       0
Connections Removed From Reuse Pools:              1
Connections Added To Reuse Pools:                  1
TCP Server Offload Example

Over 98% reduction in server-side TCP connections per second
Depends also on server configuration (HTTP GETs per TCP connection)

[Graphs: TCP connections per second, Server Side versus Client Side]
Advanced Load Balancing
Persistence and Pipelining

HTTP is assumed to follow a simple Request/Response transaction model
Introduced in HTTP/1.1, persistence is also referred to as client keep-alive
Multiple persistent HTTP requests on the same TCP connection will be balanced to [potentially] different rservers if persistence rebalance is configured
This works without regard to packet boundaries
Pipelined requests are buffered and later parsed after completing transmit of the previous response. In other words, the requests are un-pipelined
If persistence-rebalance is not configured, then pipelined requests on a connection will all be sent to the same server, as they arrive

switch/Admin(config)# parameter-map type http HTTP_PARAM
switch/Admin(config-parammap-http)# persistence-rebalance
switch/Admin# show stats http | include requests
Reuse msgs sent       : 0       , HTTP requests       : 7
Reproxied requests    : 0       , Headers removed     : 0
HTTP chunks           : 0       , Pipelined requests  : 2
Advanced Load Balancing
Header Insert

Can be used to insert the client source IP address if NAT is being used
Inserts a header into the client HTTP request just before transmit to the server
If persistence-rebalance is configured, the insert occurs on all requests for the connection, otherwise just on the first
The point of insertion is always between the request line and the existing first header
Configure %is and %ps to dynamically insert the source (client) IP and port
Configure %id and %pd to dynamically insert the destination (virtual server) IP and port
In the example below, the inserted header might look something like:
ACE: Src=61.0.0.5:32797;Dest=61.0.0.113:80

switch/Admin(config)# policy-map type loadbalance first-match PSLB
switch/Admin(config-pmap-lb)# class C1
switch/Admin(config-pmap-lb-c)# insert-http ACE header-value Src=%is:%ps;Dest=%id:%pd
switch/Admin# show stats http | include insert
Headers inserted      : 1       , HTTP redirects      : 0
Q and A

Recommended Reading
Continue your Networkers at Cisco Live Learning Experience with Further Reading from Cisco Press

Designing Content Switching Solutions - Zeeshan Naseh CCIE 6836, Haroon Khan CCIE 4530
Data Center Fundamentals - Mauricio Arregoces CCIE 3285, Maurizio Portolani
Content Networking Fundamentals - Silvano Da Ros
Web Security Field Guide - Steve Kalman
Server Load Balancing - Tony Bourke
SSL and TLS: Designing and Building Secure Systems - Eric Rescorla

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.

Backup Slides

Design-Comparison: Application-View

L2 In-Path: No Source-NAT necessary (except Server-2-Server via VIP)
L3 In-Path: No Source-NAT necessary (except Server-2-Server via VIP)
L3 Out-of-Path: Source-NAT necessary, or PBR (Policy Based Routing) -> Not VRF-Aware, Operational Challenge

Design-Comparison: Scalability

L2 In-Path: One or multiple VLANs per context possible; non-loadbalanced traffic also passes the ACE
L3 In-Path: Centralized Loadbalancing-Architecture; non-loadbalanced traffic also passes the ACE
L3 Out-of-Path: Only loadbalanced traffic passes the ACE

Design-Comparison: Migration

L2 In-Path: Easy and transparent migration; no changes to Server-IP or gateway
L3 In-Path: Gateway address is typically moved to the ACE
L3 Out-of-Path: Easy migration; typically non-transparent in terms of Source-IP address

Content Switching Design Approaches
Routed Mode: Design

[Diagram (2A): Core-1/Core-2, Agg-1/Agg-2 with MSFC1/MSFC2, ACE 1 and ACE 2 (Standby) joined by an FT PortChannel, Data PortChannel down to Access; ACE Client-Side VLAN 10 10.10.1.0/24, ACE Server-Side VLAN 20 10.20.1.0/24, ACE Server-Side VLAN 30 10.30.1.0/24]
[Diagram (2B): same topology; ACE Client-Side VLAN 5 10.5.1.0/24, ACE Server-Side VLAN 1 10.10.1.0/24, Server VLAN 20 10.20.1.0/24, Server VLAN 30 10.30.1.0/24]

(2A) Routed Mode Design with MSFC on Client Side
Servers' default gateway is the alias IP on the ACE
Extra configurations needed for:
  Direct access to servers
  Non-load balanced server initiated sessions
ACE's default gateway is the HSRP group IP address on the MSFC
RHI possible
Load balancer inline of all traffic

(2B) Routed Mode Design with MSFC on Server Side
Servers' default gateway is the HSRP group IP address on the MSFC
Extra configurations needed for (simpler than option 2A):
  Direct access to servers
  Non-load balanced server initiated sessions
SM's default gateway is the core router
RHI not possible
Server to server communication bypasses the load balancer

Content Switching Design Approaches
Routed Mode: Configuration

ACE
interface vlan 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no shutdown
!
interface vlan 20
  ip address 10.20.1.2 255.255.255.0
  alias 10.20.1.1 255.255.255.0
  peer ip address 10.20.1.3 255.255.255.0
  no shutdown
!
interface vlan 30
  ip address 10.30.1.2 255.255.255.0
  alias 10.30.1.1 255.255.255.0
  peer ip address 10.30.1.3 255.255.255.0
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1

MSFC
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
Content Switching Design Approaches
Bridged Mode: Design

[Diagram: Core-1/Core-2, Agg-1/Agg-2 with MSFC1/MSFC2, ACE 1 and ACE 2 (Standby) joined by an FT PortChannel, Data PortChannel down to Access; ACE Client-Side VLAN 10 10.10.1.0/24, ACE Server-Side VLAN 20 10.10.1.0/24]

(1) Bridged Mode Design Considerations
Servers' default gateway is the HSRP group IP address on the MSFC
Broadcast/multicast/route update traffic bridges through
No extra configurations for:
  Direct access to servers
  Server initiated sessions
RHI possible
Load balancer inline of all traffic

Content Switching Design Approaches
Routed Mode: Configuration

ACE
interface vlan 10
  bridge-group 10
  access-group input anyone
  access-group output anyone
  no shutdown
!
interface vlan 20
  bridge-group 10
  access-group input anyone
  access-group output anyone
  no shutdown
!
interface bvi 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.10.1.1
!

MSFC
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt

Content Switching Design Approaches
Bridged Mode: BPDU Forwarding

Similarly to the FWSM, the ACE can let BPDUs through and can rewrite their payload, correctly handling merged STP domains
Protects against accidental loops in case the FT heartbeat cable or VLAN is disconnected

ACE Configuration to Allow BPDUs
!
access-list bpduallow ethertype permit bpdu
!
interface vlan 10
  bridge-group 10
  access-group input bpduallow
  no shutdown
!
interface vlan 20
  bridge-group 10
  access-group input bpduallow
  no shutdown
!
Content Switching Design Approaches
L3 One-Armed Mode: Design

[Diagram: Core-1/Core-2, Agg-1/Agg-2 with MSFC1/MSFC2, ACE 1 and ACE 2 (Standby) joined by an FT PortChannel, Data PortChannel down to Access; ACE Server-Side VLAN 10 10.10.1.0/24, Server VLAN 20 10.20.1.0/24, Server VLAN 30 10.30.1.0/24]

(3) One-Armed Design Considerations
Servers' default gateway is the HSRP group IP address on the MSFC
No extra configurations for:
  Direct access to servers
  Server initiated sessions
RHI possible
CSM/ACE inline for only server load balanced traffic
Policy based routing or source NAT can be used for server return traffic redirection to the load balancer
Content Switching Design Approaches
L3 One-Armed Mode: PBR Configuration

MSFC
interface Vlan10
  ip address 10.10.1.2 255.255.255.0
  standby 10 ip 10.10.1.1
  standby 10 priority 110
  standby 10 preempt
!
interface Vlan20
  ip address 10.20.1.2 255.255.255.0
  ip policy route-map FromServersToSLB
  standby 20 ip 10.20.1.1
  standby 20 priority 110
!
access-list 121 permit tcp any eq telnet any
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
!
route-map FromServersToSLB permit 10
  match ip address 121
  set ip next-hop 10.10.1.4

ACE - Asymmetric Routing
interface vlan 10
  ip address 10.10.1.5 255.255.255.0
  alias 10.10.1.4 255.255.255.0
  peer ip address 10.10.1.6 255.255.255.0
  no normalization
  access-group input anyone
  access-group output anyone
  no shutdown
!
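Which server-originated packets the route-map above steers to the ACE alias, as an added example (not Cisco code) with constructed sample flows. ACL 121 matches on the packet's source port, i.e. the server's service port, so only replies from the listed services take the ACE path; server-initiated sessions, or replies from a service port missing from the ACL, are routed normally by the MSFC.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the MSFC policy on this slide (not Cisco code).
# access-list 121 is applied to packets ENTERING Vlan20, i.e. traffic leaving
# the servers, and "eq <port>" after the source "any" matches the SOURCE port:
# only replies from the listed service ports are steered to the ACE alias.
ACE_ALIAS = "10.10.1.4"           # set ip next-hop 10.10.1.4
ACL_121 = [                       # (action, protocol, source port), in ACL order
    ("permit", "tcp", 23),        # permit tcp any eq telnet any
    ("permit", "tcp", 80),        # permit tcp any eq www any
    ("permit", "tcp", 443),       # permit tcp any eq 443 any
    ("deny", "ip", None),         # deny ip any any
]


@dataclass
class Flow:
    """One packet as seen on the MSFC's Vlan20 interface (constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def acl_121_permits(flow: Flow) -> bool:
    """First-match evaluation of access-list 121; implicit deny at the end."""
    for action, proto, sport in ACL_121:
        if proto == "ip" or (proto == flow.proto and sport == flow.src_port):
            return action == "permit"
    return False


def pbr_next_hop(flow: Flow) -> Optional[str]:
    """route-map FromServersToSLB permit 10: a permitted packet is forwarded to
    the ACE alias; None means the MSFC routes it normally, bypassing the ACE."""
    return ACE_ALIAS if acl_121_permits(flow) else None


if __name__ == "__main__":
    samples = [
        Flow("10.20.1.10", 80, "61.0.0.5", 32797),     # HTTP reply to a VIP client
        Flow("10.20.1.10", 8443, "61.0.0.5", 40000),   # reply from a port not in ACL 121
        Flow("10.20.1.10", 51000, "10.30.1.5", 22),    # server-initiated SSH session
    ]
    for f in samples:
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}:",
              pbr_next_hop(f) or "normal routing")
```

A reply from a service port not listed in ACL 121 (8443 above) never reaches the ACE, so every VIP port added later needs a matching ACL entry or its return traffic becomes asymmetric.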
Content Switching Design Approaches
L3 One-Armed Mode: Source-NAT Configuration

class-map match-all HTTP
  2 match virtual-address 172.16.1.73 tcp eq 80
policy-map type loadbalance first-match WEB
  class class-default
    insert-http x-forwarded-for: header-value %is
    serverfarm HTTP
policy-map multi-match L4
  class HTTP
    loadbalance vip inservice
    loadbalance policy WEB
    nat dynamic 1 vlan 2
interface vlan 2
  ip address 172.16.1.1 255.255.255.0
  alias 172.16.1.254 255.255.255.0
  peer ip address 172.16.1.2 255.255.255.0
  access-group input everyone
  service-policy input remote-mgmt
  service-policy input L4
  no normalization
  nat-pool 1 10.10.1.110 10.10.1.110 netmask 255.255.255.0 pat
  no shutdown
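Server-side handling of the header inserted here (x-forwarded-for) and on the Header Insert slide above (ACE: Src=%is:%ps;Dest=%id:%pd), as an added example that is not from the deck. The value is trusted only when the TCP peer is the ACE (the nat-pool address 10.10.1.110 from this slide; the ACE interface and alias addresses 10.10.1.4/5/6 of the earlier designs are assumed), and because the ACE places it as the first header and, without persistence-rebalance, on the first request of a connection only, it is read from the first header slot and remembered per server-side connection.

```python
import ipaddress
import re

# Constructed example (not ACE code). Peers whose inserted header is trusted:
# the ACE source-NAT address from the nat-pool on this slide, plus the ACE
# interface and alias addresses of the earlier no-NAT designs (assumed).
TRUSTED_LB_ADDRS = {"10.10.1.110", "10.10.1.4", "10.10.1.5", "10.10.1.6"}

# Value produced by: insert-http ACE header-value Src=%is:%ps;Dest=%id:%pd
ACE_VALUE_RE = re.compile(r"^Src=([^:]+):(\d+);Dest=([^:]+):(\d+)$")


def parse_head(raw: bytes):
    """Split a raw HTTP request head into (request line, [(name, value), ...])."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (ln.partition(":") for ln in lines[1:])]
    return lines[0], headers


def client_from_header(name: str, value: str):
    """Client (ip, port) carried by the ACE header or X-Forwarded-For, else None."""
    try:
        if name == "ace":
            m = ACE_VALUE_RE.match(value)
            if m:
                return str(ipaddress.ip_address(m.group(1))), int(m.group(2))
        elif name == "x-forwarded-for":
            return str(ipaddress.ip_address(value.split(",")[0].strip())), None
    except ValueError:
        pass                          # malformed address: treat as absent
    return None


def real_client(peer_ip: str, raw_request: bytes, conn_state: dict,
                rebalance: bool = False):
    """Originating client for one request on a server-side connection.
    The header is honoured only when the TCP peer is the ACE, and only in the
    first header slot, where the ACE places it. Without persistence-rebalance
    the ACE inserts it on the first request only, so the value is remembered in
    conn_state; with rebalance=True every request's first header is read."""
    if peer_ip not in TRUSTED_LB_ADDRS:
        return peer_ip, None                  # direct client: header ignored
    if rebalance or "client" not in conn_state:
        _, headers = parse_head(raw_request)
        found = client_from_header(*headers[0]) if headers else None
        conn_state["client"] = found or (peer_ip, None)
    return conn_state["client"]
```

With server connection reuse the same server-side connection carries requests from different clients, so the per-connection cache only makes sense where the ACE inserts the header on every request (rebalance=True).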
