Training ACE

Cisco Application Control Engine
Pravin Wankhade
NCE GSP-GTP
April 2012
Background Load Balancers and ACE Product Overview and Recent Releases New Capabilities Hardware Modular Policy CLI Virtualization Role Based Access Control Security Features Redundancy Deployment
2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
2
2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
ADC is newer terminology ACE is an Application Delivery Controller (ADC) or Load Balancer
(SLB).
LB/ADC distributes L4-L7 Traffic Flows to Application Servers. Server Load Balancing (SLB) is critical to *any* scalable application
deployment.
ACE Clients
Distributes Traffic Flows SSL Offload Persistence (sticky) Compression Virtualization App / Health Checking
Application Server Farm
DC Site Selection DNS load balancing Application Keep-Alive Geo-DB Intelligence
GSS
Cisco Confidential
ACE Uses Nexus 7000 OTV
functionality.
ACE Uses Virtual Contexts to
provide isolated, load balancing to applications Up to 250 VCs per Module.

ACE distributes traffic to VM
250
server farms in UCS deployments.

ACE works with VMware for
Manageability and Dynamic Workload Scaling (DWS)
vCenter
5
Clients Clients
Datacenter A
Datacenter B
ACE GSS
ACE GSS Steers traffic Flows to ACE VIPs ACE Distributes Client Flows in the Datacenter
Datacenter C
ANM Provisions, Operates, Monitors and shows end-to-end connectivity
ACE product family including GSS, Module & Appliance
and ANM Management provide critical Application Delivery Solutions in the Globally Connected Datacenter.
6
Cisco Confidential
Network Server
Application (Service) Endpoint A
Clients
Client has no knowledge/visibility of the underlying Network
Such as:
Cisco Confidential
No Load
Performance
High Load
Application Failure
Business Impact
Traffic & Client Load
Cisco Confidential
SSL Offload & Health Monitoring
S
A
Network
A
A
ACE
Health Probe
Application Server Farm
Clients
Virtual IP
ADC Scales and enhances the application
Cisco Confidential
10
No Load
Application Continuity
Performance
High Load
Business Continuity
Traffic & Client Load
Cisco Confidential
11
A A
ACE
B B

Clients
Multiple Apps (Services) are Virtualized by ACE
C C
vCenter
Cisco Confidential
12
Today
Application Control Engine Integrated Layer 4 and Layer 7 Rules
Infrastructure simplification with L47 Services integration Converged policy creation, management, and troubleshooting Reduced latency (single TCP termination for all functions)
13
Cisco Confidential
14
Therefore, we use the Load Balancer to enhance the application
Security Mobility Reliability

(virtualization)
Manageabity
Scalability
Application (a.k.a. Service)
And Distribute traffic to all those UCS Servers and Virtual Machines.
15
Scalability
N + 1 Server Scaling SNAT Compression Persistence
Cisco Confidential
16
Reliability
Scalability
Health Monitoring Failover (server farm) Validation
Cisco Confidential
17
Security Reliability
Scalability
SSL Offload DDOS Protection SNAT
Cisco Confidential
18

(virtualization)
Scalability
Virtual IP Virtual Contexts (isolation) VCenter Integration OTV Integration
Cisco Confidential
19

(virtualization)
Scalability
ANM Unified View KPI Monitoring Role-Based Access Control (Operations and Provisioning) VCenter Plug-In Delegation Mobile Application (iPhone/Android..etc)
Manageabity
Cisco Confidential
20

(virtualization)
Scalability
Application ++ Application ++
Manageabity
Cisco Confidential
21
Cisco Confidential
22
New ACE30 Module shipping
416 Gbps
0.5-4 Gbps
App Service Delivery

Integrates load balancing, server offload, compression, app optimization & app security
Centralized Management
Configuration, operations, and monitoring of ACE equipment & services
Virtualized Architecture
Industry leading virtualized Application Delivery Controller (ADC)
VMWare Integrated
Integration with vCenter provides streamlined VM and ACE provisioning and monitoring
Investment Protection
Pay as you grow licensing model. increase performance & scale without deploying new hw
Operations Excellence
Secure delegation of service & server tasks for ACE, CSS, CSM, GSS
Established Products
Over 30K units deployed world-wide
IT Agility
Granular role based access control with user activity logging supports managing multi-tenant/use
Cisco Confidential
23
Global Load Balancers

GSS Appliance
New Software ACE GSS
20K DNS RPS
New 16G Bundle
Application Delivery Controllers Multi-module
System Bundles
Scaling to 64 Gbps
ACE Module
New Software
ACE30 System Bundles
Application Networking Manager
ACE Appliance
ACE 4710
0.5-4 Gbps
ACE30
416 Gbps
ANM Mobility Application

ANM VMWare Plug-In
New Software
Management & Provisioning

24
+
ACE Software A4.2.1/ A5.1.0 Delivers: GSS Software v4.1 Delivers:
+
Application Networking Manager (ANM) v4/v5 Delivers:
Dynamic Workload
Scaling
Dual stack IPv4/v6 SLB64 Gateway HTTP/S support for IPv6 IPv6 certification OCSP support
Geo-location based GSLB AAAA record support IDN support IPv6 support DNSSEC ready
Application Templates ANM Mobile App ACE 5.1 IPv6 support Web Services API DWS support vCenter integration Virtual ANM
Cisco Confidential
25
Testing Metric
L4 CPS SSL TPS SSL Bulk Throughput
ACE20
325,000 15,000 3.3 Gbps
ACE30
500,000 30,000 6 Gbps
Compare
54% 100% 82%
Compression
Not Available
6 Gbps
+ 6 Gbps
ACE30 Only Not Available on ACE20

Higher performance
Compression IPv6 dual stack with translation Nexus OTV integration with Dynamic Workload Scaling ACE10 and 20 EOS For February 2012 All Roadmap Now On ACE30
Cisco Confidential
26
Cisco Confidential
27
Remote User Shared DSL
HTTP Compression
Branch Office 128k Leased line
Roaming User 56k Dial-up
Problem: Big Page + Small Pipe ACE Solution: Small compressed page, small Pipe
Challenge: Large amounts of client traffic is being sent over low speed links result in slow performance and poor user experience. Compression Overview
Reduces the amount of HTTP traffic that is sent between client and server ACE30 is utilized at the host site to compress/decompress traffic Clients leverage compression technology in existing Web browsers
Benefits:
Up to 90% reduction in size of web objects Improves application response time Reduces bandwidth costs
Cisco Confidential
28
ACE Monitors client connection setups

Client
Internet
Client
Slow
ACE
Servers
Client
Challenge: Slow detection of server outages results in lost transactions and delayed time to recovery.
Inband Health Check Overview

ACE proactively monitors TCP and UDP data to detect server failures. Should be combined with probes to meet server failure detection SLAs Internal tracking method to ACE; does not solicit information from servers
Benefits:
Detection moves from seconds with probes to milliseconds Unlike probes, monitoring has no impact on server performance Improves the recovery time for server outages
Cisco Confidential
29
IPv4 Clients
IPv6 Clients
IPv6 Overview All IPv4 Modes are supported in IPv6 (One-arm, Routed, Bridged, ASR) IPv6 -> IPv4 and IPv4 -> IPv6 translation modes Solution delivery includes IPv6 on the ACE Module, Appliance, ANM, and Global Site Selector Compliance
IPv4 Server Farm IPv6 Server Farm
New IPv4-to-IPv4 IPv6-to-IPv6 IPv6-to-IPv4 IPv4-to-IPv6
One Arm Routed Bridged
USGv6 IPv6 Ph2 Logo
Cisco Confidential
30
Dual Stack
IPv4-to-IPv4 and IPv6-to-IPv6 HTTP and DNS inspection for native IPv6-IPv6 traffic
Translation
SLB64, SLB46 for all the Layer4 load balancing, which do not need payload modifications or pinholing SLB64 and SLB46 support L7 loadbalancing for HTTP and SSL protocols. NAT64, NAT46 for all TCP, UDP protocols, which do not need payload modifications or pinholing No DNS64 or DNS46 support on ACE
Mixed v4 &v6 rserver support Duplicate Address Discovery Neighbor Discovery
ICMPv6
IPV6 Ph2 Logo Certification Application Awareness
HTTP, HTTPS and DNS
31
Cisco Confidential
32
Now featuring enhanced Template, DWS / OTV provisioning

33
New for Version 5

Application Templates
Simple application deployment
User Export and Modify
IPV6 Support
ACE Module ACE Appliance ACE Global Site Selector
ANM Mobile for Mobile Devices

Native iPhone and Android Mobile Browser
API support for App deployment from templates

Full Provisioning vi API RBAC for Network and Application sections of template
Cisco Confidential
34
GSS ACE
VM
Cisco Confidential
35
Hardware
Cisco Confidential
36
Parallel network-processor based hardware with separate control and data-path CPUs
37
Control Plane ACSW OS

100M 2G
NP1
10G
NP2
10G 8G
Sup Connect Switch Fabric Interface

16G
CDE Switch 60Gbps

10G
Daughter Card 1
8G
Daughter Card 2
SSL Crypto
Cisco Confidential
38
ACSW OS
2x 700MHz MIPS 1 GB Memory

Control Plane Software
60Gbps switching Capacity IPv4, IPv6 Classifications TCP Checksum Generation Verification Variable Load Distribution
Parallel NPs handle Data Processing 16 ME (1.4 GHz) XScale 700MHz 1.5 GB RDRAM 32MB SRAM 20B ops/s
CPU
20 Gbps Switch Fabric 100 Mbps Supervisor Connection
Daughter Card Expansion Slot 1

Field upgradeable
8 Gbps
DRAM 1.5 GB
Network Processor 1
Micro Engines
20 Gbps
C P U
1 Gbps
Cisco ASIC
16 Gbps 10 Gbps
Classification Distribution Engine

8 Gbps 4 FIFO Interlinks
10 Gbps
10 Gbps
DRAM 1.5 GB
Network Processor 2
Micro Engines
C P U
SSL, IPSec Crypto
Crypto chip
DBUS 16 Gbps Bus RBUS EOBC
Daughter Card Expansion Slot 2

Field upgradeable
40K RSA ops
CEF720 Linecard
Cisco Confidential
39
Modular Policy CLI
Cisco Confidential
40
Modular Policy CLI (MPC) in ACE
ACE CLI is based on C3PL (Cisco Common Class-based Policy
Language)
Provides a common CLI framework across security
implementations in-order to define consistent CLI across platforms

The CLI aims at seamless integration in terms of configuring
SLB, SSL and Security features

No need to session in or enter a sub-mode of configuration for
the different features

Traffic classification is the core functionality for all delivery and
security features
Cisco Confidential
41
Features that can be configured via Policy
CLI can be grouped as follows: through the box traffic

Security access-lists Server Load Balancing Protocol Fix-ups & Application Inspection NAT TCP & IP Normalization
to the box (mgmt / control-plane)

Restrict access to protocol and/or hosts
Cisco Confidential
42
1. Define match criteria 2. Associate actions to match criteria 3. Activate the classification-action rules on either an interface or globally class-map C1 match <criteria>
policy-map P1 class C1 <action>
interface vlanX service-policy input P1

43
Management Traffic to ACE
Interface Service-Policy
Apply to any Interface
Management Policy-map
Management Class-map
Match allowed connections for remote access
Cisco Confidential
44
Client Traffic through ACE at Layer 7

Interface Service-Policy
Apply to any Interface
Multi-Match Policy-map
GET /example.html
Traffic Class-map
Match VIP connections
LoadBalancing Policy Map

Class for URL1 Serverfarm
Real
Class for URL2 Serverfarm

Real
Serverfarm
Real1 Real2
Default
Class
Only allow Traffic Destined to a VIP

2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45
Virtualization
Cisco Confidential
46
Abstraction
Physical elements are represented by an abstract entity HSRP, VRRP
VIP, NAT
Pooling
Multiple physical entities appear and treated as one Link-bundling (EtherChannel)
TCP connection pooling
Partitioning
Single physical entity partitioned as multiple distinct entities VLANs (data-path only)
VRFs (data-path only)

FWSM virtual contexts (both data- and control-path)
Cisco Confidential
47
Service Virtualization System Separation
One physical device

100%
Multiple virtual systems (dedicated control and data path)

25% 25% 15% 15% 20%
Cisco Application Services Virtualization Distinct configuration files Single configuration file Separate routing tables Single routing table RBAC with Contexts, Roles, Domains Limited RBAC Limited resource allocation Management and data resource control Independent application rule sets Global administration and monitoring
Traditional device
Cisco Confidential
48
Service Virtualization Resource Control
Per context Control Guaranteed resource levels for each context Support for over-subscription
Guaranteed Rates
Bandwidth Data connections / sec Management connections / sec Ssl-bandwidth Syslogs / sec
Guaranteed Memory
Access Lists Regular Expressions Data connections Management connections SSL connections Xlates Sticky entries
Cisco Confidential
49
1.
Isolate departments or customers

Provide direct configuration access Reduce exposure to critical config components
Provide consistent access across GUI, API, CLI

Dedicated resources 2.
Isolate applications
Guarantee resources to critical applications
Isolate from impact of other app roll outs

Central config file for managing policy change Reduced complexity of security/application rules Possiblity to have a parallel test environment with no impact to production
Cisco Confidential
50
Applications over Multiple Load Balancers

Enterprise with Growing Number of Applications
LB 1
Enterprise Network
App C LB 2
LB App A App D
LB App B
51
Applications over Multiple Load Balancers

Enterprise with Growing Number of Applications
Enterprise Network
Virtual Partition 1
App C App D App E App F
Virtual Partition 2 Virtual Partition 3
ACE
Virtual Partition 4
Virtual Partition 1
App A App B
Virtual Partition 2
ACE
Cisco Confidential
52
Multi-tier Applications
Enterprise Network
Firewalls LB
Enterprise Network
Front-end Firewalls
Front-end servers
LB
Application servers Front-end servers

LB
Application servers
APP virtual partition
ACE with Application Infrastructure Control and Application DataBase Security servers
DB virtual partition
Cisco Confidential
53
DataBase servers
FE virtual partition
Data-Center Consolidation
Multiple Contexts
C1 C2 C3
C4 C5 C6
Single ACE Module
Front End Network Front End Network N-Tier Applications N-Tier Applications Web Servers App Servers DB Servers
Web Servers App Servers
DB Servers
Cisco Confidential
54
Role-Based Access Control
Cisco Confidential
55
Fully integrated Role Based Access Control Four main levels of actions over categories of commands
1. 2. 3. 4. Create Modify Debug Monitor
Roles are defined by specifying which actions can be performed on the sets of commands Pre-defined roles New roles can be created to adapt to different organization structures
Cisco Confidential
56
Default Roles in the System Admin
Access to all functions in the context/device.

SLB-Admin
Serverfarm, Servers, Health Monitoring

Security-Admin
Access Contorl, Inspection, AAA, NAT

Server-Maintenance
Servers in/out of rotation, debug of SLB functions

Server-Application-Maintenance
Servers, Health Monitoring, Load Balancing Rules

Network-Admin
Interfaces, Routing, NAT, TCP

Network-Monitor
Access to all show commands only

57
Control over user access to instances of objects Flexible multi-user maintenance operations
Context 1 Domain A VIP1 VIP2 Domain B VIP3 VIP4
R1 R2 R3
R4 R5 R6
Cisco Confidential
58
Contexts, Roles, Domains
Physical module
Admin Context
Context A definition Context B definition
Role
Context A Context B Domain2
VIP3 Farm3 Farm4 SSL cert1,2
Admin
Domain1
VIP1 VIP 2 Farm1 Farm2
Network/Security
Server Admin Monitor
Resource allocation
Admin management config
Management station
AAA
Cisco Confidential
59
Security Features
Cisco Confidential
60
TCP/IP normalization Built-in Transport Protocol Security User Configurable, to meet Security Requirements
Application Protocol Inspection

Advanced HTTP Inspection RFC Compliance MIME Type Validation Prevent Tunneling Protocols over HTTP Ports
Cisco Confidential
61
Always enabled Entirely performed in hardware Following packets are dropped

1. src IP == dest IP 2. src IP or dest IP == 127.x.x.x 3. dest IP >= 240.0.0.0
4. src IP == 0.x.x.x
5. src IP >= 224.0.0.0
src IP == 0.0.0.0 and dest IP == 255.255.255.255 allowed for DHCP requests
Cisco Confidential
62
TCP Standard Header Checks

Always performed
I. II. III. IV. V. VI. VII. src port and dest port != 0 Only SYN packet allowed to create connection TCP header >= of 20 bytes TCP header <= ip->length ip->header_length urg flag cleared if urg_pointer is zero If urg flag not present urg_pointer is cleared Illegal flags combinations dropped ( SYN|RST etc.)
TCP option processing TCP state tracking
TCP window checking
Configurable
I. II. III. IV. V. reserved bits allow/clear/drop urg flag allow/clear/drop syn-data allow/drop exceed-mss allow/drop random-seq-num-disable
Cisco Confidential
User configurable Random Sequence Numbers

63
Protocol-Specific Inspection Supported for:

FTP Strict FTP
Performed on NP CPU
RTSP
ICMP DNS
HTTP/S
Performed on NP Micro Engines
Cisco Confidential
64
Redundancy
Cisco Confidential
65
Redundancy groups (Fault Tolerance, FT groups) are configured based on virtual contexts.
Two instances of the same context (on two distinct ACE modules) form a redundancy group, one being active and the other standby. The peer ACE can be in the same or different Catalyst 6k chassis. Both ACE modules can be active at the same time, processing traffic for distinct contexts, and backing-up each other (stateful redundancy) ACE-1 Example: 2 ACE modules 4 FT groups 4 Virtual Contexts (A,B,C,D) A
Active FT VLAN
B
Active
Standby Standby
A ACE-2
FT group 1
C
Active
FT group 3
D
Active
FT group 4
66
Standby Standby
FT group 2
Cisco Confidential
There is a designated VLAN (FT VLAN) between the ACE pairs All Redundancy related traffic are sent over this VLAN
1. TRP protocol packets 2. Heart Beats 3. Configuration sync packets 4. State replication packets
Cisco Confidential
67
Bulk Sync
The entire configuration gets transferred in bulk from Active to Standby HA is in Active/Standby_config state during Bulk Sync
Incremental Sync
A line-by-line sync of configuration as it is being configured on active HA is in Active/Standby_hot state during Incremental Sync
Cisco Confidential
68
HSRP The Supervisor notifies ACE of all state changes for the HSRP group Interface Supervisor sends UP and DOWN events to ACE Host Multiple Probes may be configured with a priority. The individual probe priorities provide granular control of ACE failover
Cisco Confidential
69
Deployments
Cisco Confidential
70
Enterprise Campus Core ACE
Aggregation with L4-7 Services
L2 or L3 Access
Mainframe
Web / Front-end Servers 2012 Cisco and/or its affiliates. All rights reserved.
Application Servers
Data-Base
Cisco Confidential
71
Client VLAN and server

MSFC
MSFC
VLANs on different IP subnets

Servers default gateway is
Data Port-Channel
ACE alias IP
All data VLANs and FT VLAN
FT Control Port-Channel
carried over port-channels

Each Cisco Catalyst has
redundant physical links to each access switch

Serverfarms can span multiple
access switches
Management access to
servers requires access-list

72
Pairs of one client and one server
VLAN on the same subnet (BVI used to merge the two VLANs)
MSFC MSFC
Limit of two VLANs in the
same subnet
Data Port-Channel
Servers default gateway is
MSFC (or other router) HRSP virtual address

All data VLANs and FT VLAN
carried over port-channels


Serverfarms can span multiple
access switches
Management access to servers
requires access-list
Cisco Confidential
73
Single VLAN on ACE Servers default gateway is

MSFC MSFC
MSFC HSRP IP
All data VLANs and FT
Data Port-Channel
VLAN carried over portchannels


Serverfarms can span
multiple access switches

Management access to
servers bypass ACE

74
Virtual Contexts can be

VRF A VRF B Context C
mapped to VRFs on the MSFC

Or directly to
Context B
Context A
external routers
VRF-aware Route Health
Injection (add/remove routes to/from MSFC main routing table as well as VRF routing tables)
Cisco Confidential
75
Further Assistance
Cisco ACE Family Webpage
www.cisco.com/go/ace/
Cisco ACE Applications

http://www.cisco.com/go/optimizemyapp
Cisco Validated Designs

http://www.cisco.com/go/cvd
Cisco Design Zone

http://www.cisco.com/go/srnd
Doc Wiki
http://docwiki.cisco.com/wiki/ACE
PDI Helpdesk
www.cisco.com/go/pdihelpdesk
Further Assistance Internal only

PDI Helpdesk
www.cisco.com/go/pdihelpdesk/
DCAS KB
dcaskb/
DCAS CEC Page

wwwin.cisco.com/dss/adbu/dcas/
DCAS Cisco.com Page

www.cisco.com/go/ace/
cs-ans-dc@cisco.com
Thank you.
Cisco Confidential
79
2x 700MHz MIPS 1 GB Memory
ACSW OS
Cavium Octeon CN5860 (OcteonPlus) 16 core, 600 MHz CPUs with 4G DRAM 32k iCache, 16k dCache, 2MB L2 cache On chip support for Encryption/Decryption Coprocessors for Compression/Decompression
Control Plane Software
CPU
Network Processor 1
Daughter Card 1
DRAM 4 GB DRAM 4 GB
Network Processor 2
shared memory
Verni
20 Gbps Switch Fabric 100 Mbps 1 Gbps Supervisor Connection
FPGA
8 Gbps
20 Gbps
16 Gbps
Classification Distribution Engine (CDE)

8 Gbps
Verni DRAM 4 GB FPGA DRAM 4 GB
60Gbps switching Capacity IPv4, IPv6 Classifications TCP Checksum Generation/Verification Variable Load Distribution
Cisco ASIC
Network Processor 3
DBUS 16 Gbps Bus RBUS EOBC
shared memory
Network Processor 4
Daughter Card 2
CEF720 Line Card
Cisco Confidential
80
Control Plane ACSW OS

100M Sup Connect
DaughterCard1
NP1
NP2
8G
1G
CDESwitch 60Gbps
16G 8G
Switch Fabric Interface
DaughterCard1 NP1 NP2
Cisco Confidential
81
Clients
Servers
FED Cluster (Active/Standby) {Enhanced HA}
BED Cluster Scaling L7 Services
L7 services can scale until L4 capacity is met

82
Modular Policy CLI
Detailed
Cisco Confidential
83
Class-maps are used to classify interesting L3-4/7 traffic They contain a set of match statements specifying match criteria Class-maps are typed based on the protocol and actions being performed for a given traffic classification. Support both logical AND (match-all default) and logical OR (matchany) semantics. Notion of class-default: well-known class-map that matches any traffic if none of the user specified class-maps match in a policy-map. Every match statement has a line number Easy deletion/modification of a particular match statement
Cisco Confidential
84
A class-map can associate an existing class-map of the same type
using the match class statement

Supported only for L7 class-maps; up to 2 levels of association
Used to achieve more complex logical expressions
Easy combination of AND and OR statements
class-map type http loadbalance match-any C1 match http url /news match http url /sport class-map type http loadbalance match-all C2 match http header User-Agent header-value FireFox match class C1
Cisco Confidential
85
Policy-maps are typed as per the action/feature Support policy-maps for both L3-4/L7 actions.
The L7 policy-maps are child policies within an L3-L4 policy-map and cannot be applied on interface
Support for various execution semantics as dictated by the specific
feature
If none of the classification specified in policy-maps match then the
default actions specified against class-default are executed

Support for inline match statements for ease of use. These are allowed
only for L7 match statements

Support for flexible class-map ordering, within a policy-map
86
[no] policy-map type <main-type> <sub-type> {first-match|all-match|multi-match} <policy-name> [no] class <cmap-name> action1 [no] class class-default default-action
policy-map type loadbalance first-match SLB-POLICY class C1 serverfarm SF1 class C2 serverfarm SF2 class class-default serverfarm BACKUP
87
first-match
The class-action pairs within the policy-map are looked up sequentially & the actions listed against first matching class-map in the policy-map are executed. Order of class-maps within policy-map matters. E.g. policy-map of type loadbalance, management &ftp
all-match
An attempt is made to match traffic against all classes in the policymap and the actions of all matching classes will be executed. E.g. policy-map of type inspect http
multi-match
Specifies that the policy-map supports multiple feature actions and each feature by itself can have only one match (first match). The policy as a whole has multiple matches due to multiple features.
88
Support for inline match statements for ease of use, especially if there is
only a single match criteria to be specified. Currently allowed only for L7 policy-maps.
action can be specified against only a single match statement in the
policy. To specify actions against more than one match statement, use a class-map
class-map type http loadbalance match-any TEST match protocol http header User-Agent header-value *IE* match protocol http url *jpg*
policy-map type loadbalance first-match TESTPOLICY match M1 http url /finance (inline match command) serverfarm farm1 class TEST (pre-defined class-map) serverfarm farm2
89
Policies are activated on an interface or globally using the servicepolicy command

syntax:
service-policy [input | output] <policy-name>
The policy-map can be enabled either on the input or output or both directions.
Policy-maps applied globally in a context, are internally applied on all interfaces existing in the context
Cisco Confidential
90
There can be many features applied on a given interface, so feature lookup ordering is important The feature lookup order followed by datapath in ACE is as follows:
1) Access-control (permit or deny a packet) 2) Management Traffic 3) TCP normalization/Connection parameters 4) Server Load Balancing
5) Fix-ups/Application inspection
6) Source NAT 7) Destination NAT
The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface
Cisco Confidential
91

Training ACE

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Training ACE

Uploaded by

Copyright:

Available Formats

Cisco Application Control Engine

2010 Cisco and/or its affiliates. All rights reserved.

Application Server Farm

DC Site Selection DNS load balancing Application Keep-Alive Geo-DB Intelligence

2012 Cisco and/or its affiliates. All rights reserved.

ACE Uses Nexus 7000 OTV

provide isolated, load balancing to applications Up to 250 VCs per Module.

server farms in UCS deployments.

Manageability and Dynamic Workload Scaling (DWS)

ACE product family including GSS, Module & Appliance

2010 Cisco and/or its affiliates. All rights reserved.

2012 Cisco and/or its affiliates. All rights reserved.

SSL Offload & Health Monitoring

Application Server Farm

ADC Scales and enhances the application

2012 Cisco and/or its affiliates. All rights reserved.

Traffic & Client Load

2012 Cisco and/or its affiliates. All rights reserved.

Application Control Engine Integrated Layer 4 and Layer 7 Rules

2010 Cisco and/or its affiliates. All rights reserved.

Therefore, we use the Load Balancer to enhance the application

Security Mobility Reliability

Application (a.k.a. Service)

N + 1 Server Scaling SNAT Compression Persistence

2012 Cisco and/or its affiliates. All rights reserved.

Health Monitoring Failover (server farm) Validation

2012 Cisco and/or its affiliates. All rights reserved.

SSL Offload DDOS Protection SNAT

2012 Cisco and/or its affiliates. All rights reserved.

Security Mobility Reliability

Virtual IP Virtual Contexts (isolation) VCenter Integration OTV Integration

2012 Cisco and/or its affiliates. All rights reserved.

Security Mobility Reliability

2012 Cisco and/or its affiliates. All rights reserved.

Security Mobility Reliability

2012 Cisco and/or its affiliates. All rights reserved.

2010 Cisco and/or its affiliates. All rights reserved.

New ACE30 Module shipping

App Service Delivery

2012 Cisco and/or its affiliates. All rights reserved.

Global Load Balancers

New 16G Bundle

Application Delivery Controllers Multi-module

ACE30 System Bundles

Application Networking Manager

ANM Mobility Application

Management & Provisioning

2012 Cisco and/or its affiliates. All rights reserved.

ACE30 Only Not Available on ACE20

2012 Cisco and/or its affiliates. All rights reserved.

2010 Cisco and/or its affiliates. All rights reserved.

Remote User Shared DSL

Branch Office 128k Leased line

Roaming User 56k Dial-up

2012 Cisco and/or its affiliates. All rights reserved.

ACE Monitors client connection setups

Inband Health Check Overview

New IPv4-to-IPv4 IPv6-to-IPv6 IPv6-to-IPv4 IPv4-to-IPv6

One Arm Routed Bridged

USGv6 IPv6 Ph2 Logo

2012 Cisco and/or its affiliates. All rights reserved.

Mixed v4 &v6 rserver support Duplicate Address Discovery Neighbor Discovery

2010 Cisco and/or its affiliates. All rights reserved.