Page 1: Application Load Balancing, Acceleration and Security
BRKAPP-2002_c2
Page 2: Application Optimization Infrastructure
Network-based app recognition
Queuing, policing, shaping
Visibility, monitoring, control
Adaptive congestion avoidance
Application data cache
Meta data cache
Local services
FlashForward optimization
Application security
Server offload
Page 3: Application Delivery Networking Terms and Concerns
Health Checking
Load Balancing Algorithms – Predictors
Persistence, Stickiness
Policy Configuration Examples
Layer 4 Example
Detailed Web Protocol Example
ACE Security Features
NAT
Access Lists
SSL Offload Example
End To End SSL Example
Design Considerations
Deployment Models
ACE Redundancy
Page 4: Application Delivery Networking, Overview Terminology
Clients
Application Delivery Servers
Application Delivery Controller (ADC), Layer 4–7 switches
Serverfarm
Client-Side Gateway
Algorithm (Predictor), e.g. Round Robin
Example policy: TCP port 80, then use serverfarm X, Round Robin
Page 5: Application Delivery Networking Terms and Concerns
Health Checking
Load Balancing Algorithms – Predictors
Persistence, Stickiness
Page 6: Reliability and Availability Techniques, Health Monitoring
Intended to run periodically
Generated by the Application Delivery Controller itself, which then expects a reply
Either predefined health checks or scripts
Examples: ICMP (L3 connectivity), TCP (stack), HTTP (application), etc.
Failure detection time is a function of interval, retries and max response time
Scalability vs failure detection time
Page 7: Reliability and Availability Techniques, Cisco ACE Probe Options
ICMP: Sends an ICMP request and waits for a reply
Generic TCP: Opens a connection with the server and disconnects with TCP FIN or RST (TCP FIN is the default)
Generic UDP: Sends a packet; the probe is considered successful if no ICMP error is received
HTTP: Sends an HTTP HEAD or HTTP GET 1.1 request
HTTPS: Establishes an SSL connection, sends an HTTP query and tears it down
FTP: Similar to TCP probe
Telnet: Makes a connection, sends a "QUIT" message
DNS: Uses a default domain and waits for any response
SMTP: Sends a "hello" followed by a "QUIT" message
POP3: Similar to TCP probe
IMAP: Similar to TCP probe
RADIUS: Similar to UDP probe; NAS-IP can be configured
SNMP: Up to eight OIDs can be configured; used mainly for load balancing predictions and not for health checking, so it should be combined with another health probe to verify the application
Page 8: Reliability and Availability Techniques, Health Monitoring Issues
Application issue: a probe that only tests reachability to the application server does not verify the application's ability to handle requests
An application may fail in a state where the server can still respond to a TCP SYN but not to an application data request
An application data request keepalive is required
Page 9: Reliability and Availability Techniques, Application or Database Server Health Checking
Probing customer application servers with application data requires a scripted keepalive on the load balancer or on a front-end server. Scripting on front-end servers allows greater flexibility.
Figure: test request http://www.company.com/test.asp ("Buy 10,000 Widgets", Customer: Test User, Company: Test Inc)
Page 10: Application Delivery Networking Terms and Concerns
Health Checking
Load Balancing Algorithms – Predictors
Persistence, Stickiness
Page 11: Load Balancing Algorithms
Load balancing algorithms, known as predictors in ACE, determine how connections are load balanced.
Figure: client connections distributed across a serverfarm
Page 12: Cisco ACE Load Balancing Algorithms Available
Round Robin (Weighted): Very simple
Least Connections (Weighted): Dynamic, requires slow-start
Hash on IP (source/destination, with mask): No state required for stickiness; issues with dynamic changes
Hash on URL: Or portion of URL
Server Watermarks: Min and max number of connections per server
Least Loaded: Server feedback via SNMP OIDs; the useful information is maintained as SNMP Object IDs
Least Bandwidth: Connection vs bandwidth, based on the bidirectional traffic flow
Adaptive Response Predictor: Load balancing based on server response time (SYN to SYN-ACK, SYN to FIN)
Page 13: Predictors
Round-robin and least connections are very simple to configure and sufficient in many deployments.
Traditionally these algorithms have no knowledge of the servers' response time and performance.
Enhanced predictors are needed to accurately determine the servers' response time and resources; this prevents servers from getting overloaded.
Round Robin and Least Connections Predictors Provide a Very Simple Method for Distributing the Connection Requests
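The three stateless-vs-stateful predictors from the previous slides, as an added example rather than Cisco code: weighted round robin, weighted least connections, and hash on (masked) source IP. CRC32 stands in for ACE's real hash function and the tie-break rules are assumptions; the point shown is that the hash predictor gives stickiness with no per-client state, but taking a server out of the farm remaps a share of clients.

```python
import ipaddress
import itertools
import zlib


class ServerFarm:
    """Three ACE-style predictors over one list of real servers (model code)."""

    def __init__(self, servers, weights=None):
        self.servers = list(servers)
        weights = weights or [1] * len(self.servers)
        self.weights = dict(zip(self.servers, weights))
        self.conns = {s: 0 for s in self.servers}        # open connections per server
        # weighted round robin: a server with weight w gets w slots per cycle
        self._rr = itertools.cycle(
            [s for s in self.servers for _ in range(self.weights[s])])

    def roundrobin(self):
        return next(self._rr)

    def leastconns(self):
        """Weighted least connections: lowest open-connections/weight ratio wins;
        ties resolve in configuration order (assumption)."""
        return min(self.servers, key=lambda s: self.conns[s] / self.weights[s])

    def hash_source(self, client_ip, mask="255.255.255.255"):
        """Hash on masked source IP. Stateless: the same client, or every client
        in the masked block, lands on the same server as long as the server
        list is unchanged. CRC32 replaces ACE's hash (assumption)."""
        net = ipaddress.IPv4Network((client_ip, mask), strict=False)
        key = int(net.network_address).to_bytes(4, "big")
        return self.servers[zlib.crc32(key) % len(self.servers)]


def remapped_fraction(before, after, client_ips):
    """Share of clients whose hash_source() target changes between two farms,
    e.g. after one real server is taken out of service."""
    moved = sum(before.hash_source(ip) != after.hash_source(ip) for ip in client_ips)
    return moved / len(client_ips)
```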
Page 14: Enhanced Predictors
New Feature: Adaptive Response Predictor
Load balancing based on server response time. The response time is calculated over a configured number of samples and supports the following three measurement options:
SYN to SYN-ACK: Time between SYN sent from ACE and SYN-ACK received from the server
SYN to Close: Time between SYN sent from ACE and FIN/RST received from the server
Application Request to Response: Time between application request sent from ACE and response received from the server
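The adaptive response predictor as an added example (not from the slides): each server keeps a ring buffer of the last N samples of the chosen measurement, and the next connection goes to the lowest average. The event names, the "unsampled server counts as fastest" rule and the tie-break are assumptions of this model.

```python
from collections import deque
from statistics import mean

# For each measurement option: which two connection timestamps are subtracted.
MEASUREMENTS = {
    "syn-to-synack":   ("syn_sent", "synack_recv"),
    "syn-to-close":    ("syn_sent", "close_recv"),        # FIN/RST seen from the server
    "app-req-to-resp": ("request_sent", "response_recv"),
}


class ResponsePredictor:
    """Response-time predictor in the style of 'predictor response' (model code)."""

    def __init__(self, servers, measurement="syn-to-synack", samples=8):
        if measurement not in MEASUREMENTS:
            raise ValueError(f"unknown measurement {measurement!r}")
        self.start, self.end = MEASUREMENTS[measurement]
        # ring buffer per server: only the last `samples` observations count
        self.samples = {s: deque(maxlen=samples) for s in servers}

    def record(self, server, ts):
        """ts maps event name -> seconds for one completed connection to server."""
        self.samples[server].append(ts[self.end] - ts[self.start])

    def average(self, server):
        buf = self.samples[server]
        # assumption: a server with no samples yet is treated as fastest so it gets traffic
        return mean(buf) if buf else 0.0

    def choose(self):
        """Next connection goes to the lowest average; ties go to configuration order."""
        return min(self.samples, key=self.average)


def connection(syn_sent, synack, request, response, close):
    """Constructed timestamp record (seconds) for one client connection."""
    return {"syn_sent": syn_sent, "synack_recv": synack, "request_sent": request,
            "response_recv": response, "close_recv": close}
```

A server with a quick TCP stack but a slow application wins under syn-to-synack and loses under app-req-to-resp, which is why the measurement option has to match what the application actually needs.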
Page 15: Enhanced Application Algorithms, Least-Loaded Using SNMP
Least-Loaded uses SNMP to obtain CPU, Memory and Drive statistics from the servers.
SNMP Object IDs: CPU Utilization, Memory Resources, Disk Drive Availability
Figure, example query results from three servers: CPU Utilization = 14%, 24%, 34%; Memory Resources = 947300k, 885300k, 785300k free; Disk Drive Availability = 440GB free
Page 16: Application Delivery Networking Terms and Concerns
Health Checking
Load Balancing Algorithms – Predictors
Persistence, Stickiness
Page 17: Application Load Balancing, HTTP 1.1: Building an Entire Page
Figure: two client connections (TCP 3101 > 80, TCP 3102 > 80) fetch index.html, logo1.gif, globe.gif and footpage.jpg
Page 18: Application Load Balancing, Session Persistence (Stickiness)
Load balancing introduces the problem of getting subsequent connections from a client to the same server.
Stickiness is very useful since it significantly improves performance.
Page 19: Application Load Balancing, Stickiness Methods
Source IP: client = source IP; variations: Full IP, Masked IP; caveats: Proxies
Cookie: client = a cookie value; variations: Static, Dynamic, Insert; caveats: HTTP only
SSL session ID: client = SSL session ID; variations: Full SSID, Offset; caveats: Clear text, SSL v3 Renegotiation
LB Redirects to Specific (V)Server: client = (V)Server server IP + Port; variations: Absolute; caveats: HTTP only, URLs, Bookmarks
SD, Session Directory: Routing Token = server IP + Port; caveats: No Token, needs to fall back to source IP
Session Call-ID: client = Session Call-ID; application-specific stickiness; caveats: Specific to application
Regex matches on TCP and UDP data: stickiness for custom applications; caveats: Specific to application
Page 20: Application Delivery Networking Terms and Concerns
Policy Configuration Examples: Initial ANM Framework Example, Modular Policy CLI Overview, Layer 4 Load Balancing Example, Detailed Web Protocol Load Balancing Example
ACE Security: Access Lists, NAT, Normalization, SSL
Design Considerations: Fault Tolerance
Page 21: Policy Configuration Examples
Modular Policy CLI Overview
Initial ANM Framework Example
Layer 4 Load Balancing Example
Detailed Web Protocol Load Balancing Example
Page 22: Policy Lookup Order
Feature lookup ordering is important.
1. Access-control (permit or deny a packet)
Page 23: Policy CLI Overview
Page 24: Modular Policy CLI, Management Class-Maps
The class-map command is used to define a traffic class. The purpose of a traffic class is to classify traffic.
A traffic class contains three major elements: a name, a series of match commands and, if more than one match command exists in the traffic class, an instruction on how to evaluate these match commands.
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol ssh any
  3 match protocol icmp any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol xml-https any
Page 25: Modular Policy CLI, Nested Class-Maps
A class-map can reference another class-map of the same type using the match class statement, which creates an association between the two.
class-map match-all HTTP-CM
  match virtual-address 10.10.119.113 tcp eq www
class-map match-any NAT-CM
  match source-address 10.86.243.0 255.255.255.0
class-map type http loadbalance match-any URL-PARSE-CM
  match http url "/news"
  match http url "/sport"
class-map type http loadbalance match-all HEADER-PARSE-CM
  match http header User-Agent header-value FireFox
  match class URL-PARSE-CM
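How match-any, match-all and a nested match class combine, shown on the two HTTP class-maps above as an added example (not Cisco code). It treats the url and header-value expressions as unanchored regular expressions and header names as case-sensitive, both assumptions of this model rather than documented ACE behaviour.

```python
import re

# The two Layer 7 class-maps from the slide, as (evaluation mode, match lines).
CLASS_MAPS = {
    "URL-PARSE-CM": ("match-any", [("url", "/news"), ("url", "/sport")]),
    "HEADER-PARSE-CM": ("match-all", [("header", ("User-Agent", "FireFox")),
                                      ("class", "URL-PARSE-CM")]),
}


def _match_line(kind, arg, req, maps):
    """Evaluate one match line against a request dict {url, headers}."""
    if kind == "url":                       # match http url <regex>
        return re.search(arg, req["url"]) is not None
    if kind == "header":                    # match http header <name> header-value <regex>
        name, pattern = arg
        return re.search(pattern, req["headers"].get(name, "")) is not None
    if kind == "class":                     # match class <nested class-map of same type>
        return classify(arg, req, maps)
    raise ValueError(f"unknown match type {kind}")


def classify(name, req, maps=CLASS_MAPS):
    """True when the request belongs to class-map `name`."""
    mode, lines = maps[name]
    hits = (_match_line(kind, arg, req, maps) for kind, arg in lines)
    # match-any: one hit suffices; match-all: every line (including the nested class) must hit
    return any(hits) if mode == "match-any" else all(hits)


def matching_classes(req, maps=CLASS_MAPS):
    """All class-map names the request satisfies, in definition order."""
    return [name for name in maps if classify(name, req, maps)]
```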
Page 26: Modular Policy CLI, Policy-Maps
The policy-map command is used to define the actions to be performed on the traffic.
Policy-maps can be based on L3/4/7 information. Traffic that does not match a specified classification in the policy-map is then matched against the class-default policy.
policy-map type management first-match remote-mgmt
  class remote-access
    permit
Page 27: Modular Policy CLI, Activating Policy
Policies are activated on an interface or globally using the 'service-policy' command.
Policy-maps are enabled in the input direction.
Policy-maps applied globally in a context are internally applied on all interfaces existing in the context.
service-policy input <policy-name>
Page 28: Policy Configuration Examples
Modular Policy CLI Overview
Initial ANM Framework Example
Layer 4 Load Balancing Example
Detailed Web Protocol Load Balancing Example
Page 29: Defining VLANs for a Context (ACE Module or Appliance)
svclc vlan-group 1 10,20
svclc vlan-group 2 999
!
interface gigabitEthernet 1/2
  channel-group 1
  no shutdown
!
interface port-channel 1
  switchport trunk native vlan 10
  no shutdown
Page 30: Basic Layer 4 Load Balancing, Management and Device Access for CLI or GUI
You need an ACL:
access-list EVERYONE line 10 extended permit ip any any
!
class-map type management match-any REMOTE-ACCESS
  description REMOTE-ACCESS-traffic-match
  2 match protocol ssh any
  3 match protocol icmp any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol xml-https any
!
policy-map type management first-match REMOTE-MGNT
!
  access-group input EVERYONE
  service-policy input REMOTE-MGNT
  no shutdown
Page 31: Application Networking Manager 2.1
ANM 2.1 provides turnkey control and administration for ACE Modules and ACE Appliances.
ANM 2.1 provides multi-device application management of large-scale data center operations.
Page 32: Application Networking Manager 2.1, Demo
Page 33: ANM 2.1, Configure Basic Server Load Balancing
Configure Virtual Server
Page 34: ANM 2.1, Configure Basic Server Load Balancing
Intuitive GUI design prompts the user to configure VIP details as necessary
Advanced options appear as the user drills down
Create Server Farm
Create Health Monitoring Probes
Add Real Servers
Page 35: Basic Web Load Balancing, What Do We Need to Do First?
Is the server active? How can you check?
Once we have an active server, how can we balance the connections?
How do we keep the client connected to the same server?
Page 36: Device Manager and ANM
Page 37: Basic Layer 4 Load Balancing
rserver host SERVER1
  ip address 192.168.1.1
  inservice
rserver host SERVER2
  ip address 192.168.1.2
  inservice
!
serverfarm TCP80-SF
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
!
class-map match-all TCP80-CM
  2 match virtual-address 172.16.1.73 tcp eq 80
!
policy-map type loadbalance first-match TCP80-PM
  class class-default
    serverfarm TCP80-SF
!
policy-map multi-match LOADBALANCE
  class TCP80-CM
    loadbalance vip inservice
    loadbalance policy TCP80-PM
!
interface vlan 2
  ip address 172.16.1.1 255.255.255.0
  access-group input everyone
  service-policy input REMOTE-MGMT
  service-policy input LOADBALANCE
  no shutdown
Page 38: Probe Configuration Options
probe icmp PING-PROBE
  interval 5
  passdetect interval 5
Common show commands: show serverfarm TCP80-SF, show probe
rserver SERVER2
  inservice
The command is entered in real server host configuration mode.
Page 39: Health Check Configuration with Device Manager and ANM
Page 40: Probe Monitoring with Device Manager and ANM
Page 41: Health Monitoring with Device Manager and ANM
Page 42: Probe Configuration Options
Appliance/Admin# show serverfarm TCP80-SF
serverfarm : TCP80-SF, type: HOST
port      : 80        address     : 0.0.0.0    addr type  : -
interval  : 20        pass intvl  : 5          pass count : 3
fail count: 3         recv timeout: 10
http method : GET
http url : /index.html
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
probe results
associations  ip-address   port  porttype  probes  failed  passed  health
-------------+------------+-----+---------+-------+-------+-------+--------
serverfarm : TCP80-SF
real : SERVER1[0]
              10.10.119.1  80    DEFAULT   10      4       6       SUCCESS
Socket state : CLOSED
No Passed states : 1    No Failed states : 1
No Probes skipped : 0   Last status code : 404
No Out of Sockets : 0   No Internal error: 0
Page 43: Basic Web Load Balancing
  inservice
!
class-map match-all TCP80-CM
  2 match virtual-address 172.16.1.73 tcp eq www
!
policy-map type loadbalance first-match TCP-PM
!
  ip address 172.16.1.1 255.255.255.0
  access-group input everyone
  service-policy input REMOTE-MGMT
  service-policy input LOADBALANCE
  no shutdown
Page 44: Predictors Configuration Options
ACE-1/routed(config-sfarm-host)# predictor ?
  hash             Configure 'hash' Predictor algorithms
  least-bandwidth  Configure 'least bandwidth' Predictor algorithm
  least-loaded     Configure 'least loaded' predictor algorithm
  leastconns       Configure 'least conns' Predictor algorithm
  response         Configure 'response' Predictor algorithm
  roundrobin       Configure 'round robin' Predictor algor (default)
Configuration options:
predictor roundrobin
predictor leastconns slowstart 200
predictor response syn-to-synack samples 8
predictor response syn-to-close
predictor least-bandwidth assess-time 2
ACE-1/routed(config-sfarm-host-predictor)# do show serverfarm detail
serverfarm : TCP80-SF, type: HOST
Page 45: Predictor Configuration with Device Manager and ANM
Page 46: Basic Web Load Balancing
!
Page 47: Persistence Configuration Options
sticky http-cookie ILIKECOOKIES COOKIESTICKY
  cookie insert
  timeout 720
  serverfarm TCP80-SF backup SORRY-SF
!
sticky ip-netmask 255.255.240.0 address source IPSTICKY
  serverfarm TCP80-SF backup SORRY-SF
!
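The behaviour of the sticky ip-netmask group above, as an added example that is not Cisco code: a table keyed by the /20 source block, an idle timeout in minutes (the cookie group's 720 is reused), and fallback to the backup serverfarm once no primary server is in service. Round robin for the first connection of a block and the exact expiry rule are assumptions of this model.

```python
import ipaddress


class StickyIpNetmask:
    """Sticky group keyed by masked source IP, with a backup serverfarm (model)."""

    def __init__(self, mask, primary, backup, timeout_min=720):
        self.mask = mask
        self.farms = [list(primary), list(backup)]   # backup only when primary has no active server
        self.active = set(primary) | set(backup)     # servers currently passing their probes
        self.timeout = timeout_min * 60              # sticky timeout is configured in minutes
        self.table = {}                              # masked source -> (server, last_used)
        self._n = 0                                  # round-robin counter (assumption)

    def _key(self, ip):
        net = ipaddress.IPv4Network((ip, self.mask), strict=False)
        return net.network_address

    def _balance(self):
        for farm in self.farms:
            pool = [s for s in farm if s in self.active]
            if pool:
                server = pool[self._n % len(pool)]
                self._n += 1
                return server
        return None                                  # nowhere to send the connection

    def fail(self, server):
        """Health probe marked the real server down."""
        self.active.discard(server)

    def connect(self, client_ip, now):
        """Return the server for a new connection arriving at time `now` (seconds)."""
        key = self._key(client_ip)
        entry = self.table.get(key)
        if entry and entry[0] in self.active and now - entry[1] < self.timeout:
            server = entry[0]                        # sticky hit
        else:
            server = self._balance()                 # miss, idle-expired, or server down
        if server is not None:
            self.table[key] = (server, now)          # create or refresh the entry
        return server
```

Note that a /20 mask makes every client behind the same large NAT or proxy block stick to one server, which is the "Proxies" caveat from the stickiness table.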
Page 48: Cookie Insert with Device Manager and ANM