Server Load Balancing Design
BRKAPP-2002, Cisco Networkers 2008 (document 14405_04_2008_c2)
Cisco Public
Application Networking: Application Scalability (overview slide)

Quality of service
  Network-based application recognition
  Queuing, policing, shaping
  Visibility, monitoring, control

Application scalability
  Server load balancing
  Site selection
  SSL termination and offload
  Video delivery

Message handling
  Message transformation
  Protocol transformation
  Message-based security
  Application visibility

WAN acceleration, application acceleration and application optimization
  Latency mitigation
  Application data cache
  Metadata cache
  Local services
  Delta encoding
  FlashForward optimization
  Application security
  Server offload

Products positioned across this spectrum: ISR, WAAS, ACNS, ACE, AXG
Agenda
Application Load Balancing
Health Checking
Prediction
Persistence
Design Implementation Considerations
SSL
SSL Offload Example
Load balancing building blocks (figure)

Clients reach a content switch (load balancer) that fronts a serverfarm. The pieces named on the slide:
  Virtual IP address (VIP): 172.16.2.100, TCP port 80; the address clients connect to
  Serverfarm: the real servers behind the VIP; selection in this example is round robin
  Keepalive (probe): the health check the load balancer runs against each real server
  Class-map: the traffic classification, e.g. URL = /news, User-Agent = WindowsCE, client = 192.0.0.0/8
  Policy-map: the action tied to a class-map: if the traffic matches class-map X then use serverfarm X, else use serverfarm Y
  A client-side gateway and XML gateways also appear in the topology
Where the load balancing decision is made (figure): an Ethernet frame carrying an IP header (Layer 3), a TCP header (Layer 4) and the HTTP header plus payload (Layers 5-7), followed by the Ethernet trailer. A Layer 4 decision looks only at the IP and TCP headers; a Layer 7 decision parses the HTTP header and payload.
Scale Your Application: Health Checking
Health probe types

  ICMP
  Generic TCP   Open a connection with the server and disconnect with TCP FIN or RST (FIN is the default)
  Generic UDP
  HTTP
  HTTPS
  FTP
  Telnet
  DNS
  SMTP
  POP3
  IMAP
  RADIUS
  Scripted      Uses a TCL interpreter (release 8.44) to execute user-defined TCL scripts for health monitoring
  SNMP          Up to eight OIDs can be configured. Used mainly for load-balancing predictions, not for health checking; combine it with another probe that verifies the application itself
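The probe parameters that show up later in this deck's `show probe` output (interval, pass interval, pass count, fail count, receive timeout) drive a small state machine. The Python below is an added example written for this page, not ACE code: it models a real server's PASSED/FAILED health under those parameters and includes a generic TCP check that closes with FIN or RST. The transition rule (fail_count consecutive failures mark the real down, pass_count consecutive successes bring it back) is an assumption stated in the code, and the probe outcomes fed to replay() are constructed.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class ProbeConfig:
    """Probe parameters named after the fields in `show probe` output."""
    interval: int = 20        # seconds between probes while the real is PASSED
    pass_interval: int = 10   # seconds between probes while the real is FAILED
    pass_count: int = 3       # consecutive successes needed to return to PASSED
    fail_count: int = 3       # consecutive failures needed to go FAILED
    recv_timeout: int = 10    # seconds to wait for the server to answer


def tcp_check(address: str, port: int, timeout: float, close_with: str = "fin") -> bool:
    """Generic TCP probe: open a connection, then close it with FIN (default) or RST."""
    try:
        with socket.create_connection((address, port), timeout=timeout) as s:
            if close_with == "rst":
                # SO_LINGER with a zero timeout makes close() emit RST instead of FIN
                s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        return True
    except OSError:
        return False


@dataclass
class RealServer:
    name: str
    address: str
    health: str = "PASSED"    # ACE reports PASSED / FAILED per real
    probes: int = 0
    passed: int = 0
    failed: int = 0
    streak: int = 0           # consecutive results that disagree with `health`


class Probe:
    """Assumed transition rule: flip state only after fail_count (or pass_count)
    consecutive contrary results, so one lost packet does not pull a real."""

    def __init__(self, cfg: ProbeConfig, check: Callable[[str], bool]):
        self.cfg, self.check = cfg, check

    def run_once(self, real: RealServer) -> str:
        ok = self.check(real.address)
        real.probes += 1
        if ok:
            real.passed += 1
        else:
            real.failed += 1
        if ok == (real.health == "PASSED"):
            real.streak = 0               # result agrees with the current state
            return real.health
        real.streak += 1
        needed = self.cfg.fail_count if real.health == "PASSED" else self.cfg.pass_count
        if real.streak >= needed:
            real.health = "FAILED" if real.health == "PASSED" else "PASSED"
            real.streak = 0
        return real.health

    def next_interval(self, real: RealServer) -> int:
        """Probe faster (pass interval) while a real is down so recovery is noticed sooner."""
        return self.cfg.interval if real.health == "PASSED" else self.cfg.pass_interval


def replay(results: List[bool], cfg: ProbeConfig = ProbeConfig()) -> List[str]:
    """Feed a constructed sequence of probe outcomes to one real; return health after each."""
    it = iter(results)
    probe = Probe(cfg, lambda _addr: next(it))
    real = RealServer("SERVER1", "192.168.1.1")
    return [probe.run_once(real) for _ in results]


if __name__ == "__main__":
    # two failures leave the real in service, the third pulls it, three passes restore it
    print(replay([True, False, False, True, False, False, False, True, True, True]))
```

Swap the lambda in replay() for `lambda addr: tcp_check(addr, 23, cfg.recv_timeout)` to probe a live Telnet port the way the TELNET-PROBE later in the deck does.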
Scale Your Application: Predictors

(figure: client requests arriving at the load balancer are distributed across the serverfarm according to the predictor)
Enhanced Predictors: Adaptive Response Predictor

Load balancing based on server response time. The response time is calculated over a configured number of samples and supports three measurement options:
  SYN to SYN-ACK: time between the SYN sent from ACE and the SYN-ACK received from the server
  SYN to Close: time between the SYN sent from ACE and the FIN/RST received from the server
  Application Request to Response: time between the HTTP request sent from ACE and the HTTP response received from the server
Enhanced Predictors: Least-Loaded Using SNMP

  The least-loaded predictor can support up to 8 user-defined SNMP object IDs
  The least-loaded algorithm automatically calculates the least loaded server from the SNMP responses received from the servers
  The number of active connections on each server is also factored into the least-loaded calculation
  Users can define static weights for each object ID, giving fine-grained control over where new connections go based on real-time server performance
  The least-loaded predictor provides the most accurate method for calculating server load
(figure: ACE queries each real server over SNMP and receives, for example, CPU utilization of 34%, 24% and 14%, free memory of 785300k, 885300k and 947300k, and free disk of 202GB, 307GB and 440GB; the weighted results select the least loaded server)
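As an added example (not Cisco code) covering both the adaptive response predictor and the least-loaded SNMP predictor above, the Python below keeps a sliding window of response samples per real for one of the three measurement points and picks the lowest mean, and scores reals from polled SNMP values with per-OID static weights plus active connections. The normalisation of each metric across the farm, the Real/Oid names and the SNMP values (chosen to mirror the slide's figure) are assumptions and constructed data.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List

# The three measurement points the adaptive response slide lists
SYN_TO_SYNACK = "syn-to-synack"              # SYN sent by the LB -> SYN/ACK from the server
SYN_TO_CLOSE = "syn-to-close"                # SYN sent by the LB -> FIN/RST from the server
APP_REQ_TO_RESP = "app-request-to-response"  # HTTP request sent -> HTTP response received


@dataclass
class Real:
    name: str
    active_conns: int = 0
    samples: Dict[str, Deque[float]] = field(default_factory=dict)  # one window per measurement


class AdaptiveResponsePredictor:
    """Pick the real with the lowest mean response time over the last `window` samples."""

    def __init__(self, measure: str = APP_REQ_TO_RESP, window: int = 8):
        self.measure, self.window = measure, window

    def record(self, real: Real, elapsed_ms: float) -> None:
        real.samples.setdefault(self.measure, deque(maxlen=self.window)).append(elapsed_ms)

    def score(self, real: Real) -> float:
        w = real.samples.get(self.measure)
        return sum(w) / len(w) if w else 0.0  # an unsampled real scores best so it gets traffic

    def select(self, farm: List[Real]) -> Real:
        return min(farm, key=self.score)


@dataclass(frozen=True)
class Oid:
    name: str                        # stands in for the SNMP OID string
    weight: float                    # static per-OID weight (assumed semantics)
    higher_is_busier: bool = True    # CPU%: True; free memory / free disk: False


class LeastLoadedPredictor:
    """Weighted sum of SNMP-polled metrics plus active connections; the lowest score wins.
    Each metric is normalised to 0..1 across the farm so percentages and kilobytes can
    share one score (an assumption of this example, not the ACE algorithm)."""

    def __init__(self, oids: List[Oid], conn_weight: float = 1.0):
        if len(oids) > 8:
            raise ValueError("the slide's limit is eight OIDs")
        self.oids, self.conn_weight = oids, conn_weight

    def scores(self, farm: List[Real], polled: Dict[str, Dict[str, float]]) -> Dict[str, float]:
        max_conns = max(r.active_conns for r in farm) or 1
        scores = {r.name: self.conn_weight * r.active_conns / max_conns for r in farm}
        for oid in self.oids:
            vmax = max(polled[r.name][oid.name] for r in farm) or 1
            for r in farm:
                norm = polled[r.name][oid.name] / vmax
                scores[r.name] += oid.weight * (norm if oid.higher_is_busier else 1 - norm)
        return scores

    def select(self, farm: List[Real], polled: Dict[str, Dict[str, float]]) -> Real:
        s = self.scores(farm, polled)
        return min(farm, key=lambda r: s[r.name])


def demo():
    """Constructed data: response-time samples and SNMP results mirroring the slide's figure."""
    farm = [Real("SERVER1", 10), Real("SERVER2", 10), Real("SERVER3", 10)]
    arp = AdaptiveResponsePredictor(APP_REQ_TO_RESP, window=4)
    for real, rtts in zip(farm, ([120, 140, 130, 110], [90, 95, 85, 100], [200, 60, 65, 70])):
        for ms in rtts:
            arp.record(real, ms)
    fastest = arp.select(farm).name  # SERVER2: mean 92.5 vs 125 and 98.75
    polled = {
        "SERVER1": {"cpu": 34, "memfree": 785300, "diskfree": 202},
        "SERVER2": {"cpu": 24, "memfree": 885300, "diskfree": 307},
        "SERVER3": {"cpu": 14, "memfree": 947300, "diskfree": 440},
    }
    llp = LeastLoadedPredictor([Oid("cpu", 2.0), Oid("memfree", 1.0, False), Oid("diskfree", 1.0, False)])
    return fastest, llp.select(farm, polled).name, llp.scores(farm, polled)


if __name__ == "__main__":
    print(demo())
```

The SNMP predictor trusts whatever the servers report; a compromised or misconfigured real that under-reports its load will attract traffic, which is one reason the slide pairs the SNMP probe with a real health probe.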
Scale Your Application: Persistence (Stickiness)
Sticky methods compared

Source IP
  Variations: full IP, masked IP
  Info stored on: LB
  Good for: simplicity
  Caveats: proxies (many clients share one source address)
  How it works: client = its source IP

Cookie
  Variations: static, dynamic, insert
  Info stored on: LB
  Good for: flexibility
  Caveats: HTTP only; clear text
  How it works: client = a cookie value

SSL ID
  Variations: full session ID, offset
  Info stored on: LB
  Good for: clients without cookie support
  Caveats: SSL v3 renegotiation changes the session ID
  How it works: client = SSL session ID

HTTP Redirect
  Info stored on: client
  Good for: no state on the LB
  Caveats: HTTP only; absolute URLs; bookmarks
  How it works: LB redirects the client to a specific (virtual) server

RDP (Windows Terminal Services)
  Info stored on: LB
  Good for: recovering disconnected WTS sessions
  Caveats: no token on the first connection, needs to fall back to source IP
  How it works: Session Directory (SD) routing token = server IP + port

SIP
  Info stored on: LB
  Good for: SIP-specific stickiness
  How it works: client = session Call-ID

Generic protocol parsing (GPP)
  Info stored on: LB
  Good for: flexibility with custom applications
  Caveats: specific to the application
  How it works: regex matches on TCP and UDP data
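The cookie-insert variant and the "no token, fall back to source IP" caveat from the table, worked through as an added Python example (not ACE code): the load balancer picks a real for a new client, inserts an opaque cookie that maps back to that real, honours the cookie on later requests, and falls back to masked source-IP stickiness when no valid cookie is present. The cookie value is an HMAC of the real's name so a client cannot steer itself to an arbitrary backend by editing the cookie; the cookie name, secret, addresses and request sequence are assumptions and constructed data.

```python
import hashlib
import hmac
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Real:
    name: str
    address: str


class StickyGroup:
    """Cookie-insert stickiness with a source-IP fallback (added example, not ACE code)."""

    def __init__(self, cookie_name: str, farm: List[Real], secret: bytes,
                 ip_mask: int = 32, timeout_s: int = 1800):
        self.cookie_name, self.farm, self.secret = cookie_name, farm, secret
        self.ip_mask, self.timeout_s = ip_mask, timeout_s
        self.rr = 0                                        # round-robin position for new clients
        self.ip_table: Dict[str, Tuple[str, float]] = {}   # masked source -> (real name, last seen)
        self.by_token = {self._token(r): r for r in farm}  # token -> real, rebuilt on farm changes

    def _token(self, real: Real) -> str:
        # HMAC of the real's name (assumed key): opaque to the client and unforgeable
        # without the secret, so a user cannot pick a backend by editing the cookie
        return hmac.new(self.secret, real.name.encode(), hashlib.sha256).hexdigest()[:32]

    def _masked(self, src_ip: str) -> str:
        # masked-IP variant: clients behind one proxy or NAT range stick together
        return str(ipaddress.ip_network(f"{src_ip}/{self.ip_mask}", strict=False).network_address)

    def _round_robin(self) -> Real:
        real = self.farm[self.rr % len(self.farm)]
        self.rr += 1
        return real

    def remove_real(self, name: str) -> None:
        """Take a real out of service; its old cookies then fall through to the fallback."""
        self.farm = [r for r in self.farm if r.name != name]
        self.by_token = {self._token(r): r for r in self.farm}

    def select(self, src_ip: str, cookies: Dict[str, str],
               now: Optional[float] = None) -> Tuple[Real, Optional[str]]:
        """Return (real, Set-Cookie header or None). The header is emitted only when the
        client presented no valid cookie, i.e. on the first response."""
        now = time.time() if now is None else now
        real = self.by_token.get(cookies.get(self.cookie_name, ""))
        if real is not None:
            return real, None                               # valid cookie: honour it, touch no state
        key = self._masked(src_ip)                           # no or invalid cookie: source-IP fallback
        entry = self.ip_table.get(key)
        if entry and now - entry[1] <= self.timeout_s and any(r.name == entry[0] for r in self.farm):
            real = next(r for r in self.farm if r.name == entry[0])
        else:
            real = self._round_robin()
        self.ip_table[key] = (real.name, now)
        # browser-expire semantics: no Max-Age, so the cookie dies with the browser session
        header = f"{self.cookie_name}={self._token(real)}; Path=/; HttpOnly"
        return real, header


def demo() -> Tuple[List[str], str, Optional[str]]:
    """Constructed traffic: two reals, a cookie client, a cookie-less client in the same /24,
    a forged cookie, and an expired source-IP entry."""
    farm = [Real("SERVER1", "192.168.1.1"), Real("SERVER2", "192.168.1.2")]
    g = StickyGroup("WEBCOOKIE", farm, b"assumed-secret", ip_mask=24)
    r1, h1 = g.select("10.1.1.5", {}, now=1000)                      # new client -> round robin
    token = h1.split(";")[0].split("=", 1)[1]
    r2, h2 = g.select("10.1.1.5", {"WEBCOOKIE": token}, now=1001)    # cookie honoured
    r3, _ = g.select("10.1.1.77", {}, now=1002)                      # same /24, no cookie -> IP fallback
    r4, _ = g.select("10.9.9.9", {"WEBCOOKIE": "forged"}, now=1003)  # forged token ignored -> rr
    r5, _ = g.select("10.1.1.5", {}, now=5000)                       # IP entry expired -> rr again
    return [r.name for r in (r1, r2, r3, r4, r5)], h1, h2


if __name__ == "__main__":
    print(demo())
```

When the cookie is inserted on a plain-HTTP VIP it travels in clear text, which is the "clear text" caveat in the table; on an SSL-terminated VIP add the Secure attribute so a browser never sends it over HTTP.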
Design Configuration: ACE Service Virtualization

(figure: one physical device hosts an Admin context plus Context 1, Context 2 and Context 3; the Admin context holds the context definitions and resource allocation; an ANM management station and AAA manage the contexts)
Design Configuration: ACE Virtualization

  Provides the means to partition one physical unit into independently managed logical engines
  Provisions resources per logical device
  Almost every feature subsystem is virtualized, including the Linux kernel
  ACE module: 250 contexts + Admin context supported
  ACE appliance: 20 contexts + Admin context supported
Design Configuration: ACE Resource Management

By default, every context is a member of the default resource class, with unlimited access to system resources. Leaving every context there means one busy or attacked context can starve the others, so multi-tenant designs move each context into a class with a guaranteed share. Resources can be guaranteed in three ways:
  No guaranteed resources, but access to any available resource
  X% of resources guaranteed, with no access to additional resources
  X% of resources guaranteed, plus access to any available resource
Design Configuration: Router Mode
(figure: ACE routes between subnet A, subnet B and subnet C; clients and servers sit on different subnets)

Design Configuration: Bridge Mode
(figure: ACE bridges between two VLANs; subnet A and subnet B each span both sides of the ACE)

(figure: one ACE partitioned into an Admin partition and partitions A, B and C)
Design Considerations: One-Arm Mode Overview

  L2 rewrite not possible
  Content switch not inline
  Does not see unnecessary (non-load-balanced) traffic
(figure: ACE attached by a single arm to subnet B)
Design Considerations: One-Arm Mode Packet Flow

(figure) Client to VIP as it arrives: source MAC = router MAC, destination MAC = LB MAC; source = client IP, random port; destination = VIP, VIP port.
After load balancing: source MAC = content switch MAC, destination MAC = selected server MAC; source = client IP, random port; destination = selected server IP, VIP port.
Server reply toward the client: source = selected server IP, VIP port; destination = client IP, random port. If this reply does not pass back through the content switch, the client receives a packet from the real server's address instead of the VIP and answers with a RST.
L2 One-Arm Mode: Return Traffic Bypassing ACE

(figure) With the servers' default gateway set to the upstream router rather than ACE, server replies go straight to the client and bypass ACE. The client then sees packets from the real server's address rather than the VIP and the connection fails. Either source NAT on ACE or policy-based routing on the router is needed to pull the return traffic back through the load balancer.
Redundancy Model

  Redundancy groups (fault tolerance, FT groups) are configured per virtual context
  Two instances of the same context (on two distinct ACE modules) form a redundancy group, one active and the other standby
  The peer ACE can be in the same or a different Cisco Catalyst 6500 chassis
  Both ACE modules can be active at the same time, processing traffic for distinct contexts and backing each other up (stateful redundancy)

Example (figure): two ACE modules, ACE-1 and ACE-2, four virtual contexts (A, B, C, D) and four FT groups (1 to 4) connected over the FT VLAN. Two of the FT groups are active on ACE-1 and standby on ACE-2; the other two are active on ACE-2 and standby on ACE-1.

2008 Cisco Systems, Inc. All rights reserved.
Policy Configuration Examples

ANM 1.2: Configure Basic Server Load Balancing
  Easy-to-use server load balancing configuration
  Intuitive GUI design prompts the user to configure the VIP details as necessary
  Advanced options appear as the user drills down
  Create health monitoring probes
Policy structure: a class-map selects traffic, a policy-map binds an action to it, and a service-policy applies the policy-map to an interface:

policy-map P1
  class C1
    <action>
interface vlan X
  service-policy input P1
Class-map examples: a Layer 3/4 class-map matches the VIP and port, while a Layer 7 HTTP class-map lists one or more match lines:

class-map match-all WEB-CM
  2 match virtual-address 172.16.73.10 tcp eq www
!
class-map type http loadbalance match-any <name>
  2 match http ...
  3 match http ...
  4 match http ...
ANM SLB configuration steps (screenshots): Health Checking, Balancing Requests, Persistence, Service Failure Handling, Define Management Traffic
ANM: Probe Configuration
Verifying a probe from the CLI (show probe TELNET-PROBE detail):

probe       : TELNET-PROBE
type        : TELNET
state       : ACTIVE
----------------------------------------------
   port      : 23        address     : 0.0.0.0    addr type :
   interval  : 20        pass intvl  : 10         pass count: 3
   fail count: 3         recv timeout: 10
                --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : TELNET-SF
     real      : SERVER1[0]
                         192.168.1.1     6          0          6          PASSED
     real      : SERVER2[0]
                         192.168.1.2     5          0          5          PASSED
URL Parsing

Requests for /image/.* go to the IMAGE-SF serverfarm (with WEB-SF as backup) and everything else to WEB-SF; each serverfarm has its own inserted cookie for stickiness. Class order in the first-match policy matters: URL-IMAGE must precede the catch-all URL-MATCHING. persistence-rebalance makes ACE re-evaluate the policy for every request on a persistent (keepalive) connection; without it only the first request of a connection is URL-switched.

parameter-map type http INSENSITIVE
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 8192
class-map type http loadbalance match-any URL-MATCHING
  2 match http url .*
class-map type http loadbalance match-any URL-IMAGE
  2 match http url /image/.*
class-map match-all HTTP-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
serverfarm IMAGE-SF
  probe IMAGE-PROBE
  rserver IMAGE1
    inservice
  rserver IMAGE2
    inservice
serverfarm WEB-SF
  probe WEB-PROBE
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
sticky http-cookie IMAGE-COOKIES IMAGE-COOKIE
  cookie insert browser-expire
  serverfarm IMAGE-SF backup WEB-SF
sticky http-cookie WEB-COOKIES WEB-COOKIE
  cookie insert browser-expire
  serverfarm WEB-SF
!
policy-map type loadbalance first-match HTTP-PM
  class URL-IMAGE
    sticky-serverfarm IMAGE-COOKIE
  class URL-MATCHING
    sticky-serverfarm WEB-COOKIE
policy-map multi-match L4
  class HTTP-CM
    loadbalance vip inservice
    loadbalance policy HTTP-PM
    appl-parameter http advanced-options INSENSITIVE
Server-Server Communication Should Use the Same VIP as Clients

(figure) A server on 172.16.1.0 (.16) calls the application through the VIP 172.16.1.100 exactly as the external client 12.20.234.1 does, and the load balancer selects another real (.183). Because the calling server and the selected real share a subnet, the reply would go back directly and bypass ACE unless the source address is translated (sNAT 172.16.1.101).

Client-to-VIP and server-to-client connections as seen on ACE:

switch/orange# show conn
total current connections : 4
conn-id    np dir proto VLAN source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
96         1  in  TCP   107  10.10.10.10:1673      172.16.1.100:80       ESTAB
97         1  out TCP   207  12.20.234.183:8080    10.10.10.10:1637      ESTAB
Source NAT for the server-to-VIP path

Client-facing and server-facing policies both use BASIC-SLB-PM; the server-side policy adds dynamic source NAT so the selected real's reply returns through ACE (figure: client to VIP, server to the source-NAT IP):

policy-map multi-match CLIENT
  class <vip-class>
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
policy-map multi-match SERVER
  class <vip-class>
    loadbalance vip inservice
    loadbalance policy BASIC-SLB-PM
    nat dynamic 123 vlan 207
interface vlan 207
  description "Server-side Interface"
  bridge-group 1
  access-group input anyone
  nat-pool 123 12.20.234.101 12.20.234.101 netmask 255.255.255.255 pat
  service-policy input SERVER
Security Features

Isn't the Firewall Enough?
  Enterprises are making more and more application services available via the web
  Deploying a web application means inviting potentially malicious HTTP requests
  Web application code becomes part of the network security perimeter
  Who is responsible for patching customer web applications?

(figure: web client -> firewall -> web server -> application server -> database server)
Security Features: IP/UDP/ICMP Exploits Blocked by ACE
Security Features: Hardware-Based TCP Normalization

TCP standard header checks are always performed. The following are user configurable (parameter-map type connection):
  I.   reserved-bits allow | clear | drop
  II.  random sequence numbers (on by default; random-seq-num-disable turns them off)
  III. syn-data allow | drop
  IV.  exceed-mss allow | drop
Security Features: TCP Exploits Blocked by ACE

TCP checks performed by default:
  Enforces correct usage of TCP flags (can be disabled; flags can be cleared)
  Randomizes sequence numbers (cloaks the OS type, makes fingerprinting reconnaissance unreliable, and defeats blind sequence-number prediction used for session hijacking)
  Enforces correct header length
  Drops out-of-state packets
  Drops packets that do not belong to an existing connection
  Can enforce a maximum number of connections per second
  Checks that the TCP length matches the IP header plus data
  Blocks illicit ports (port zero)
  Enforces minimum and maximum MSS
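Header-sanity checks of the kind the two TCP normalization slides list, as an added Python example (not ACE code and not its implementation): the function parses a raw IPv4+TCP packet and applies flag-combination sanity, a reserved-bits policy (allow/clear/drop), header-length bounds, TCP length versus IP total length, the port-zero check, a SYN-with-data policy, an exceed-MSS policy and MSS clamping to a minimum/maximum. The policy knobs are named after the parameter-map options on the slide; the MSS bounds and the packet bytes built by build_packet() are assumptions and constructed data.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class NormalizerPolicy:
    reserved_bits: str = "clear"   # allow | clear | drop
    syn_data: str = "drop"         # allow | drop
    exceed_mss: str = "drop"       # allow | drop
    mss_min: int = 536             # assumed bounds for the min/max MSS enforcement
    mss_max: int = 1460


def _csum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def _fix_tcp_checksum(pkt: bytes, ihl: int) -> bytes:
    """Recompute the TCP checksum after a rewrite (pseudo-header + segment)."""
    tcp = bytearray(pkt[ihl:])
    tcp[16:18] = b"\0\0"
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", _csum(pseudo + bytes(tcp)))
    return pkt[:ihl] + bytes(tcp)


def build_packet(sport, dport, flags, payload=b"", mss=None, reserved=0) -> bytes:
    """Constructed IPv4/TCP packet for the examples (IP checksum left zero on purpose)."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                      (doff << 12) | (reserved << 9) | flags, 65535, 0, 0) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([172, 16, 1, 73]))
    return _fix_tcp_checksum(ip + tcp, 20)


def normalize(pkt: bytes, pol: NormalizerPolicy = NormalizerPolicy()) -> Tuple[str, bytes, str]:
    """Return (verdict, packet, reason); verdict is 'forward' or 'drop'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop", pkt, "not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total != len(pkt) or pkt[9] != 6:      # TCP length vs IP header + data
        return "drop", pkt, "ip length/protocol mismatch"
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return "drop", pkt, "truncated tcp header"
    sport, dport, _seq, _ack, word = struct.unpack("!HHIIH", tcp[:14])
    doff, reserved, flags = (word >> 12) * 4, (word >> 9) & 0x7, word & 0x3F
    if doff < 20 or doff > len(tcp):                        # correct header length
        return "drop", pkt, "bad data offset"
    if sport == 0 or dport == 0:                            # illicit ports
        return "drop", pkt, "port zero"
    if flags == 0 or (flags & SYN and flags & (FIN | RST)) or (flags & FIN and not flags & ACK):
        return "drop", pkt, "illegal flag combination"      # correct usage of TCP flags
    if reserved and pol.reserved_bits == "drop":
        return "drop", pkt, "reserved bits set"
    payload = len(tcp) - doff
    if flags & SYN and not flags & ACK and payload and pol.syn_data == "drop":
        return "drop", pkt, "data on SYN"
    if payload > pol.mss_max and pol.exceed_mss == "drop":
        return "drop", pkt, "segment exceeds mss"
    out, changed = bytearray(pkt), False
    if reserved and pol.reserved_bits == "clear":
        out[ihl + 12] &= 0xF1                               # keep data offset and NS, zero reserved
        changed = True
    i = ihl + 20                                            # walk SYN options, clamp MSS to bounds
    while flags & SYN and i < ihl + doff:
        kind = out[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= ihl + doff or out[i + 1] < 2:
            return "drop", pkt, "bad option length"
        length = out[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", out[i + 2:i + 4])[0]
            clamped = min(max(mss, pol.mss_min), pol.mss_max)
            if clamped != mss:
                out[i + 2:i + 4] = struct.pack("!H", clamped)
                changed = True
        i += length
    return "forward", (_fix_tcp_checksum(bytes(out), ihl) if changed else pkt), "ok"
```

Packets that get rewritten (reserved bits cleared, MSS clamped) have their TCP checksum recomputed, which is what lets the server accept them; a normalizer that forgets this silently turns "clear" into "drop".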
Security Features: Denial-of-Service Protection, SYN Cookie

ACE can guard against SYN floods with SYN cookies, which authenticate the TCP SYN/ACK exchange without keeping per-SYN state:
  Completely stateless; no ACE memory entries are used for half-open connections
  SYN/ACK replies carry a cookie in the sequence number field of the TCP header
  The cookie is generated from a 24-bit random number with the MSS encoded into it
  If the client's ACK does not contain the correct cookie, ACE drops the packet
  SYN cookie is enabled per interface on ACE

(figure)
  Client -> ACE:  SYN
  ACE -> Client:  SYN/ACK with SEQ = cookie
  Client -> ACE:  ACK with ACK = cookie + 1
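The exchange in the figure, worked through as an added Python example (not ACE code): the proxy answers every SYN with a SYN/ACK whose sequence number packs a keyed 24-bit hash of the connection 4-tuple and the client's ISN together with an MSS index and a coarse timestamp, stores nothing, and only creates a connection entry when an ACK arrives carrying cookie + 1. The bit layout, MSS table, tick size, secret and the packets in demo() are assumptions and constructed data, not ACE's cookie format.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

MSS_TABLE = (536, 1024, 1220, 1440, 1460, 4312, 8960, 9000)  # 8 entries -> 3-bit index (assumed)
TICK_SECONDS = 64            # coarse clock granularity folded into the cookie
MAX_TICK_AGE = 2             # cookies older than this many ticks are rejected


def _mss_index(client_mss: int) -> int:
    """Largest table entry not above the client's MSS; never advertise more than it offered."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= client_mss:
            idx = i
    return idx


def _hash24(secret: bytes, saddr: bytes, daddr: bytes, sport: int, dport: int,
            client_isn: int, tick: int) -> int:
    msg = struct.pack("!4s4sHHIB", saddr, daddr, sport, dport, client_isn, tick)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, client_mss, now) -> int:
    """32-bit ISN for the SYN/ACK: 5-bit tick | 3-bit MSS index | 24-bit keyed hash."""
    tick = (now // TICK_SECONDS) & 0x1F
    return (tick << 27) | (_mss_index(client_mss) << 24) | _hash24(
        secret, saddr, daddr, sport, dport, client_isn, tick)


def check_cookie(secret, saddr, daddr, sport, dport, client_isn, ack, now) -> Optional[int]:
    """Validate the client's ACK (ack == cookie + 1). Return the encoded MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tick, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    now_tick = (now // TICK_SECONDS) & 0x1F
    if (now_tick - tick) & 0x1F > MAX_TICK_AGE:
        return None                                   # stale or replayed cookie
    expected = _hash24(secret, saddr, daddr, sport, dport, client_isn, tick)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                                   # forged or guessed ack number
    return MSS_TABLE[mss_idx]


class SynCookieProxy:
    """Only fully validated connections are stored; half-open SYNs cost no memory."""

    def __init__(self, secret: bytes, vip: bytes):
        self.secret, self.vip = secret, vip
        self.established: List[Tuple[bytes, int, int, int]] = []

    def on_syn(self, saddr: bytes, sport: int, dport: int, seq: int, mss: int, now: int) -> Tuple[int, int]:
        """Answer a SYN with (seq, ack) for the SYN/ACK; nothing is remembered."""
        cookie = make_cookie(self.secret, saddr, self.vip, sport, dport, seq, mss, now)
        return cookie, (seq + 1) & 0xFFFFFFFF

    def on_ack(self, saddr: bytes, sport: int, dport: int, seq: int, ack: int, now: int) -> bool:
        """The client's seq in its ACK is ISN + 1, which is all that is needed to recompute the cookie."""
        mss = check_cookie(self.secret, saddr, self.vip, sport, dport, (seq - 1) & 0xFFFFFFFF, ack, now)
        if mss is None:
            return False
        self.established.append((saddr, sport, dport, mss))
        return True


def demo():
    """Constructed exchange: one legitimate handshake, one forged ACK, one stale replay."""
    proxy = SynCookieProxy(b"assumed-secret", bytes([172, 16, 1, 73]))
    client = bytes([10, 0, 0, 5])
    seq, _ack = proxy.on_syn(client, 40000, 80, 0x11223344, 1460, now=100_000)
    legit = proxy.on_ack(client, 40000, 80, 0x11223345, (seq + 1) & 0xFFFFFFFF, now=100_010)
    forged = proxy.on_ack(client, 40001, 80, 0x00000001, 0xDEADBEEF, now=100_010)
    stale = proxy.on_ack(client, 40000, 80, 0x11223345, (seq + 1) & 0xFFFFFFFF, now=100_000 + 64 * 5)
    return legit, forged, stale, proxy.established


if __name__ == "__main__":
    print(demo())
```

The cost of statelessness is that TCP options other than the MSS cannot be remembered across the handshake, and the 24-bit hash means an attacker who can see the SYN/ACK (on-path) is not stopped; SYN cookies defend against resource exhaustion from spoofed, blind SYN floods, which is exactly the case the slide describes.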
SSL: Secure Service and Port Pairs

  Secure service   Port   Clear-text service   Port
  HTTPS            443    HTTP                 80
  TELNETS          992    TELNET               23
  SPOP3            995    POP                  110
  SIMAP            993    IMAP                 143
  SSL-LDAP         636    LDAP                 389
  SNEWS            563    NNTP                 119
Importing a certificate from the terminal: the pasted PEM block ends with the END CERTIFICATE line followed by quit:
v24KvEoWIIuevUQSsljlP1xOmZq2gW3isYf+5PFu1jltYedt
-----END CERTIFICATE-----
quit

Common commands:
  crypto import terminal <file name>
  crypto export <file name>
  crypto verify <key name> <cert name>
  show crypto files
  show crypto key all
  show crypto key <key name>
  show crypto certificate all
  show crypto certificate <cert name>
SSL Configuration

To terminate SSL on ACE, add the following and bind them to the Layer 3/4 class-map of the HTTPS VIP:
  parameter-map type ssl (SSL version and cipher settings)
  ssl-proxy service (references the key, the certificate and the SSL parameter-map)
  policy-map (applies ssl-proxy server to the HTTPS class)
SSL Offload Example

ACE terminates HTTPS on the VIP (172.16.1.73:443) and opens clear-text HTTP to the reals, so the serverfarm probe is an HTTP probe:

serverfarm WEB-PROTOCOLS
  probe HTTP-GET
  rserver SERVER1 80
    inservice
  rserver SERVER2 80
    inservice
!
class-map match-all HTTPs
  2 match virtual-address 172.16.1.73 tcp eq 443
!

(figure) Client <-> ACE: TCP SYN (port 443), SYN/ACK, ACK; SSL handshake; HTTPS GET index.html with Accept-Encoding: gzip, deflate; HTTPS response. ACE <-> Server 1: clear-text TCP flow; HTTP GET index.html; HTTP 200 OK response carrying index.html.

The second fragment on the slides uses reals on port 81 with the HTTPs-GET probe, adds cookie stickiness and binds the SSL proxy service to the HTTPs class. The ssl-proxy service CLIENT-SSL (key, certificate, SSL parameter-map) is referenced but not shown:

serverfarm WEB-PROTOCOLS
  probe HTTPs-GET
  rserver SERVER1 81
    inservice
  rserver SERVER2 81
    inservice
!
sticky http-cookie ILIKECOOKIES STICKYCOOKIE
  cookie insert
  serverfarm WEB-PROTOCOLS
!
policy-map type loadbalance first-match SSL
  class class-default
    sticky-serverfarm STICKYCOOKIE
policy-map multi-match L4
  class HTTPs
    loadbalance vip inservice
    loadbalance policy SSL
    loadbalance vip icmp-reply
    ssl-proxy server CLIENT-SSL
Troubleshooting SSL

  Wireshark
  tcpdump
  Telnet on browser ports (clear-text server side only; on the HTTPS VIP use openssl s_client -connect <vip>:443 to drive the handshake by hand)
  MSIE plug-ins: IE Inspector, HTTP Watch, IE Watch, ieHttpHeaders
  Mozilla extension: Live HTTP Headers
  PHP / Perl LWP
  wget, curl
  Lynx / Links text-based browsers
(figure, SSL termination: client <-> ACE TCP SYN on port 443, SYN/ACK, ACK, SSL handshake, HTTPS GET index.html with Accept-Encoding: gzip, deflate, HTTPS response; ACE <-> Server 1 clear-text TCP flow, HTTP GET index.html, HTTP 200 OK response; the class-map matches tcp eq 443)

(figure, end-to-end SSL: client <-> ACE TCP handshake on port 443, SSL handshake, HTTPS GET index.html, HTTPS response; ACE <-> Server 1 a second TCP handshake on port 443, a second SSL handshake, HTTPS GET index.html, HTTPS 200 OK response; ACE decrypts, inspects and re-encrypts)
Advanced Load Balancing
HTTP Compression

(figure: TCP server connection reuse; ACE pools server-side TCP connections, e.g. ACE-TCP2 in Pool2 and TCP3, and reuses them for new client-side requests)

Checking HTTP processing counters (show stats http, excerpt):
  ...                       : 0     , HTTP requests             : 7
  Reproxied requests        : 0     , Headers removed           : 0
  HTTP chunks               : 0     , Pipelined requests        : 2
  ...                       : 1     , HTTP redirects            : 0
Q and A

Recommended Reading

Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press:
  Designing Content Switching Solutions
  Zeeshan Naseh, CCIE 6836
  Haroon Khan, CCIE 4530

Backup Slides
Design Comparison: Application View

L2 in-path: no source NAT necessary (except server-to-server via VIP)
L3 in-path: no source NAT necessary (except server-to-server via VIP)
L3 out-of-path: source NAT necessary, or PBR (policy-based routing), which is not VRF-aware and is an operational challenge
Design Comparison: Scalability

L2 in-path: one or multiple VLANs per context possible; non-load-balanced traffic also passes through ACE
L3 in-path: centralized load-balancing architecture; non-load-balanced traffic also passes through ACE
L3 out-of-path: only load-balanced traffic passes through ACE
Design Comparison: Migration

L2 in-path: easy and transparent migration; no changes to server IP or gateway
L3 in-path: the gateway address is typically moved to ACE
L3 out-of-path: easy migration; typically not transparent in terms of source IP address (servers see the NAT address)
L3 In-Path Design

(figure: Core-1 and Core-2 connect to aggregation switches Agg-1 and Agg-2 over data PortChannels; each aggregation switch holds an MSFC (MSFC1, MSFC2) and an ACE module (ACE 1 active, ACE 2 standby) joined by the FT PortChannel; access switches hang off the aggregation layer)

MSFC (HSRP gateway on the client-side VLAN):
interface Vlan10
  standby 10 ip 10.10.1.1
  standby 10 preempt

ACE (routed interfaces on the client and server VLANs):
interface vlan 10
interface vlan 20
57
Core-2
Agg-1
Agg-2
Data
PortChannel
MSFC1
MSFC2
FT
PortChannel
ACE 1
ACE 2
Standby
Access
RHI possible
Load balancer inline of all traffic
BRKAPP-2002
14405_04_2008_c2
115
Cisco Public
MSFC
bridge-group 10
interface Vlan10
no shutdown
standby 10 ip 10.10.1.1
interface vlan 20
standby 10 preempt
bridge-group 10
BRKAPP-2002
14405_04_2008_c2
Cisco Public
116
58
Protects against
accidental loops in
case of FT heartbeat
cable or VLAN
disconnected
BRKAPP-2002
14405_04_2008_c2
117
Cisco Public
L3 Out-of-Path (One-Arm) Design

(figure: ACE 1 active and ACE 2 standby attached to the aggregation layer on a single VLAN, joined by the FT PortChannel; server VLAN 20 is 10.20.1.0/24 and server VLAN 30 is 10.30.1.0/24)
  RHI possible
  CSM/ACE inline for load-balanced traffic only
  Policy-based routing or source NAT redirects the servers' return traffic to the load balancer

MSFC (VLAN 10 toward ACE, VLAN 20 toward the servers; the route-map sends server replies for the load-balanced ports to ACE at 10.10.1.4 and is attached to the server-facing SVI with ip policy route-map, which the slide does not show):
interface Vlan10
  standby 10 ip 10.10.1.1
  standby 10 preempt
interface Vlan20
  standby 20 ip 10.20.1.1
!
access-list 121 permit tcp any eq telnet any
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
!
route-map FromServersToSLB permit 10
  match ip address 121
  set ip next-hop 10.10.1.4

ACE:
interface vlan 10
  no normalization
  no shutdown

Note that no normalization switches off the TCP sanity checks described under Security Features for traffic on that interface, so the TCP exploit protections listed earlier do not apply there.