
Cisco networkers 2009 session BRKAPP 2002 server load balancing design DDU


Application Load Balancing, Acceleration and Security

BRKAPP-2002_c2 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Application Optimization Infrastructure

Network Classification
- Quality of service
- Network-based app recognition
- Queuing, policing, shaping
- Visibility, monitoring, control

Application Scalability
- Server load-balancing
- Site selection
- SSL termination and offload
- Video delivery

Application Networking
- Message transformation
- Protocol transformation
- Message-based security
- Application visibility

WAN Application Acceleration
- Latency mitigation
- Application data cache
- Meta data cache
- Local services

WAN Acceleration
- Data redundancy elimination
- Window scaling
- LZ compression
- Adaptive congestion avoidance

Application Optimization
- Delta encoding
- FlashForward optimization
- Application security
- Server offload

Agenda
- Application Delivery Networking
    - Terms and Concerns
    - Health Checking
    - Load Balancing Algorithms – Predictors
    - Persistence, Stickiness
- Policy Configuration Examples
    - Layer Example
    - Detailed Web Protocol Example
- ACE Security Features
    - NAT
    - Access Lists
- SSL
    - SSL Offload Example
    - End To End SSL Example
- Design Considerations
    - Deployment Models
    - ACE Redundancy

Application Delivery Networking Overview: Terminology
- Clients
- Client-Side Gateway
- Application Delivery Controller (ADC), Layer 4–7 switches
- Virtual IP address (VIP) (class-map): 172.16.2.100, TCP port 80
- Policy (policy-map): URL = /news, User-Agent = MSIE 7.0, Client = 192.0.0.0/8, then use serverfarm X
- Load Balancing Algorithm (Predictor): Round Robin
- Health Probe
- Servers, Serverfarm

Application Delivery Networking
- Terms and Concerns
- Health Checking
- Load Balancing Algorithms – Predictors
- Persistence, Stickiness

Reliability and Availability Techniques: Health Monitoring
- Intended to run periodically
- Generated by the Application Delivery Controller itself, which then expects a reply
- Either predefined health checks or scripts
- Examples: ICMP (L3 connectivity), TCP (stack), HTTP (application), etc.
- Failure detection time is a function of interval, retries, max response time
- Scalability vs. failure detection time

Reliability and Availability Techniques: Cisco ACE Probe Options

Probe: Description
- ICMP: Sends an ICMP request and waits for reply
- Generic TCP: Opens a connection with the server and disconnects with TCP FIN or RST (TCP FIN default)
- Generic UDP: Sends a packet; probe is considered successful if no ICMP error is received
- HTTP: Sends an HTTP HEAD or HTTP GET 1.1 request
- HTTPS: Establishes an SSL connection, sends an HTTP query and tears it down
- FTP, Telnet: Makes a connection, sends a "QUIT" message
- DNS: Uses a default domain and waits for any response
- SMTP: Sends a "hello" followed by a "QUIT" message
- POP3: Similar to TCP probe
- IMAP: Similar to TCP probe
- Radius, SNMP: Similar to TCP probe. Similar to UDP probe. NAS-IP can be configured. Up to eight OIDs can be configured. Used mainly for load balancing predictions and not health checking. Should be combined with another health probe to verify application.

Reliability and Availability Techniques: Health Monitoring Issues

Application Issue
- ARPs only check the IP stack and not the application
- ICMP probes only check the IP stack of the machine and not the application
- Generic TCP port opens check the TCP stack but not the application's ability to handle requests. An application may fail in a state in which the server can respond to a TCP SYN but not to an application data request
- To verify the integrity of an application, an application data request keepalive is required
- How to verify the application server's health or the web server's reachability to the application server

Reliability and Availability Techniques: Application or Database Server Health Checking
- Probing customer application servers with application data requires scripting a keepalive on the load balancer or on a front-end server
- Scripting on front-end servers allows greater flexibility
- http://www.company.com/test.asp
- Diagram labels: Buy 10,000 Widgets; Customer: Test User; Company: Test Inc

Design Considerations: One-Arm Mode: Overview

Servers' default gateway: upstream router (Subnet B)
- L2-rewrite not possible
- Content switch not inline: does not see unnecessary traffic
- Requires PBR, server default gateway pointing to load balancer, or client source NAT: the return traffic is needed!
- Not as common as bridge or routed mode due to problems with forcing traffic back to ACE in return direction

PBR: Policy Based Routing; NAT: Network Address Translation

Design Considerations: One-Arm Mode: Overview (forward direction)

Just routing traffic to the VIP:
    Ethernet 0x0800 | IP SRC 172.16.8.20, DST 192.168.2.10 | TCP SRC 1302, DST 80, SYN

Just routing traffic to the server IP:
    Ethernet 0x0800 | IP SRC 172.16.8.20, DST 172.24.1.100 | TCP SRC 1302, DST 80, SYN

Design Considerations: One-Arm Mode: Overview (return direction, step 3')

    Ethernet 0x0800 | IP SRC 172.24.1.100, DST 172.16.8.20 | TCP SRC 80, DST 1302, SYN ACK
    Ethernet 0x0800 | IP SRC 192.168.2.10, DST 172.16.8.20 | TCP SRC 80, DST 1302, SYN ACK

Diagram labels:
- L2 to the server default gateway
- 3': Routing would break; need to use either PBR or Source NAT
- Just routing to the client IP

Asymmetric Server Normalization: Return Traffic Bypassing ACE

Servers' default gateway: upstream router (Subnet B)
- Bypass for return traffic: high throughput!
- Requires MAC rewrite, L2 adjacency
- Servers need identical loopback addresses (one per VIP)
- TCP termination not possible: no L7 features!
- Load balancer blind to return traffic (inband, accounting)

High Availability on ACE

ACE Redundancy Model
- Redundancy groups (Fault Tolerance, FT groups) are configured based on virtual context
- Two instances of the same virtual context (on two distinct ACE modules) form a redundancy group, one being active and the other standby
- The redundant ACE can be in the same or a different Catalyst 6500 chassis
- Both ACE modules can be active at the same time, processing traffic for distinct virtual devices, and backing up each other (stateful redundancy)
- Example: ACE modules, FT groups, virtual contexts (A, B, C, D)
- Diagram: ACE-1 and ACE-2 joined by the FT VLAN; contexts A, B, C, D are active and A', B', C', D' are their standby instances, with one FT group per context

High-Availability Configuration on ACE

ACE Master configuration, configured in the Admin context:

    interface vlan 110
      ip address 10.25.91.201 255.255.255.0
      alias 10.25.91.204 255.255.255.0              <-- Alias IP used for shared IP address
      peer ip address 10.25.91.202 255.255.255.0    <-- Configure the peer IP address
      service-policy input remote-mgmt
      no shutdown

    ft interface vlan 999
      ip address 10.1.1.1 255.255.255.0
      peer ip address 10.1.1.2 255.255.255.0
      no shutdown

    ft peer                                         <-- Define FT Peer “Only Possible”
      heartbeat interval 300                        <-- Define heartbeat interval and count
      heartbeat count 20
      ft-interface vlan 999                         <-- Define FT vlan number
      query-interface vlan 110

High-Availability Configuration on ACE

ACE Master configuration, configured in the Admin context:

    ft group
      peer priority 110
      associate-context Admin
      inservice

    ft group
      peer priority 110
      associate-context LoadBalancing
      inservice

    ft group
      peer priority 110
      associate-context WAAS
      inservice

Callouts on the slide:
- One FT group per context
- Associate context with FT group
- Define FT peer per FT group
- Define peer priority

Interface Redundancy on the ACE 4710
- Gigabit Interfaces
- Port Channel
- vlans “110,210-211,411,999”

Questions and Answers

Please Visit the Cisco Booth in the World of Solutions

See the technology in action
- Data Center and Virtualization
    - DC1 – Cisco Unified Computing System
    - DC2 – Data Center Switching: Cisco Nexus and Catalyst
    - DC3 – Unified Fabric Solutions
    - DC4 – Data Center Switching: Cisco Nexus and Catalyst
    - DC5 – Data Center 3.0: Accelerate Your Business, Optimize Your Future
    - DC6 – Storage Area Networking: MDS
    - DC7 – Application Networking Systems: WAAS and ACE

Recommended Reading (BRKAPP-2002)

Source: Cisco Press

Meet The Expert

To make the most of your time at Cisco Networkers 2009, schedule a Face-to-Face Meeting with a top Cisco Expert. Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas. Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions.

Complete Your Online Session Evaluation
- Give us your feedback and you could win fabulous prizes. Winners announced daily
- Receive 20 Passport points for each session evaluation you complete
- Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center

Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com

... Checking; Load Balancing Algorithms – Predictors; Persistence, Stickiness

Load Balancing Algorithms: Load balancing... determine how connections are load balanced (diagram labels: Client, Serverfarm)

Predictors: Cisco ACE Load Balancing Algorithms Available... Coolstuff.jsp, menu.jpg

Application Load Balancing: Session Persistence, Stickiness
- Session: logical aggregation

Date posted: 27/10/2019, 22:15