Pravin Wankhade
NCE GSP-GTP
April 2012
Agenda:
1. Background: load balancers and ACE
2. Product overview and recent releases
3. New capabilities
4. Hardware
5. Modular Policy CLI
6. Virtualization
7. Role Based Access Control
8. Security Features
9. Redundancy
10. Deployment
2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Background

ACE is an Application Delivery Controller (ADC); ADC is the newer term for a server load balancer (SLB).
An LB/ADC distributes L4-L7 traffic flows to application servers. Server load balancing is critical to *any* scalable application deployment.

Figure: ACE between clients and servers, with GSS and vCenter alongside. ACE functionality: distributes traffic flows, SSL offload, persistence (sticky), compression, virtualization, application/health checking. ACE uses virtual contexts (up to 250 per device) to partition one physical device into independent virtual devices.
Figure: clients reaching GSS and ACE across Datacenter A, B and C. ACE GSS steers client traffic flows to ACE VIPs; ACE distributes client flows within the datacenter; ANM provisions, operates, monitors and shows end-to-end connectivity.
ACE, GSS and ANM management together provide critical application delivery solutions in the globally connected datacenter.
Figure: without a load balancer, clients connect over the network directly to a single application (service) endpoint A on one server. The client has no knowledge or visibility of the underlying network, so it is exposed to whatever the server is experiencing, such as: no load, high load, degraded performance, application failure. The business impact follows directly from traffic and client load.
Figure: with ACE in the path, clients connect to a Virtual IP and ACE distributes flows across the servers A behind it, using health probes to take failed servers out of rotation. The same conditions (no load, high load, performance) now map to application continuity and business continuity instead of business impact.
Figure: multiple applications (services A, B and C, each on several servers) are virtualized by ACE behind separate VIPs; vCenter integration is shown alongside.
Today
- Infrastructure simplification with L4-7 services integration
- Converged policy creation, management and troubleshooting
- Reduced latency (single TCP termination for all functions)
ACE value pillars (build slides): Scalability, Reliability, Security, Manageability. ACE distributes traffic to all those UCS servers and virtual machines.
Manageability with ANM: unified view, KPI monitoring, role-based access control (operations and provisioning), vCenter plug-in, delegation, mobile application (iPhone/Android, etc.).
Product Overview and Recent Releases

ACE30 module: 4-16 Gbps. ACE 4710 appliance: 0.5-4 Gbps.

Centralized Management: configuration, operations and monitoring of ACE equipment and services.
Virtualized Architecture: industry-leading virtualized Application Delivery Controller (ADC).
VMware Integrated: integration with vCenter provides streamlined VM and ACE provisioning and monitoring.
Investment Protection: pay-as-you-grow licensing model; increase performance and scale without deploying new hardware.
Operations Excellence: secure delegation of service and server tasks for ACE, CSS, CSM, GSS.
Established Products: over 30K units deployed worldwide.
IT Agility: granular role-based access control with user activity logging supports managing multi-tenant / multi-use environments.
System bundles: ACE module (ACE30, 4-16 Gbps) and ACE appliance (ACE 4710, 0.5-4 Gbps), scaling to 64 Gbps, plus new software:

ACE Software A4.2.1 / A5.1.0 delivers: Dynamic Workload Scaling, dual-stack IPv4/v6, SLB64 gateway, HTTP/S support for IPv6, IPv6 certification, OCSP support.
GSS Software v4.1 delivers: geo-location based GSLB, AAAA record support, IDN support, IPv6 support, DNSSEC ready.
Application Networking Manager (ANM) v4/v5 delivers: application templates, ANM mobile app, ACE 5.1 IPv6 support, Web Services API, DWS support, vCenter integration, virtual ANM.
ACE20 vs ACE30 performance

Testing Metric          L4 CPS     SSL TPS    SSL Bulk Throughput   Compression
ACE20                   325,000    15,000     3.3 Gbps              Not available
ACE30                   500,000    30,000     6 Gbps                6 Gbps
Compare (ACE30 gain)    +54%       +100%      +82%                  +6 Gbps

ACE30 also adds compression, IPv6 dual stack with translation, and Nexus OTV integration with Dynamic Workload Scaling. ACE10 and ACE20 reach end-of-sale (EOS) in February 2012; all roadmap is now on ACE30.
New Capabilities

HTTP Compression
Problem: big page, small pipe. ACE solution: small compressed page, small pipe.
Challenge: large amounts of client traffic are being sent over low-speed links, resulting in slow performance and a poor user experience.
Compression overview: reduces the amount of HTTP traffic sent between client and server; ACE30 is deployed at the host site to compress/decompress traffic; clients leverage the compression support already present in existing web browsers.
Benefits: up to 90% reduction in the size of web objects; improves application response time; reduces bandwidth costs.
Faster server outage detection
Figure: a client reaching ACE over a slow Internet link, with ACE monitoring the servers behind it.
Challenge: slow detection of server outages results in lost transactions and delayed time to recovery.
Benefits: detection moves from seconds (with probes) to milliseconds; unlike probes, this monitoring has no impact on server performance; improves the recovery time for server outages.
Caveat: monitoring live connections can only observe servers that are actually receiving client traffic, so it complements active health probes rather than replacing them.
IPv6 Overview
Figure: IPv4 and IPv6 clients reaching IPv4 and IPv6 server farms through ACE; GSS, ACE and VMs in the IPv6 solution.
- All IPv4 modes are supported in IPv6 (one-arm, routed, bridged, ASR).
- IPv6 -> IPv4 and IPv4 -> IPv6 translation modes.
- Solution delivery includes IPv6 on the ACE module, ACE appliance, ANM and Global Site Selector. Compliance: IPv6 Phase 2 logo certification.
Dual stack: IPv4-to-IPv4 and IPv6-to-IPv6; HTTP and DNS inspection for native IPv6-to-IPv6 traffic.
Translation: SLB64 and SLB46 for all Layer 4 load balancing that needs no payload modification or pinholing; SLB64 and SLB46 also support L7 load balancing for the HTTP and SSL protocols; NAT64 and NAT46 for all TCP and UDP protocols that need no payload modification or pinholing; no DNS64 or DNS46 support on ACE.
ICMPv6 support. Application awareness: HTTP, HTTPS and DNS.
IPv6 support: ACE module, ACE appliance, ACE Global Site Selector.
Hardware
Parallel network-processor based hardware with separate control and data-path CPUs.

Figure: ACE20 module block diagram. Two network processors (NP1, NP2), each with 16 microengines at 1.4 GHz handling data processing, an XScale 700 MHz control CPU, 1.5 GB RDRAM and 32 MB SRAM (20 billion ops/s), each attached over 8 Gbps links to a daughter card carrying an SSL crypto chip. Both NPs are fed over 10 Gbps links by a Cisco ASIC with 60 Gbps switching capacity that performs IPv4/IPv6 classification, TCP checksum generation and verification, and variable load distribution. The ASIC connects to the 20 Gbps switch fabric and to the supervisor (100 Mbps) through the CEF720 linecard's DBUS (16 Gbps), RBUS and EOBC. The ACSW OS runs on the control CPU.
Modular Policy CLI

Provides a common CLI framework across ACE's load-balancing and security features.
Configuring a policy takes three steps:
1. Define the match criteria (class-map).
2. Associate actions with the match criteria (policy-map).
3. Activate the classification-action rules either on an interface or globally (service-policy).

  class-map C1
    match <criteria>

Figure: a management class-map matches the connections allowed for remote access and is bound to a management policy-map; a traffic class-map matches VIP connections (for example a client's GET /example.html) and is bound, through a multi-match policy-map, to a serverfarm of Real1 and Real2, with the default class catching everything else. The service-policy can be applied to any interface.
Virtualization
Abstraction: physical elements are represented by an abstract entity (HSRP, VRRP; VIP, NAT).
Pooling: multiple physical entities appear as, and are treated as, one (link bundling / EtherChannel).
Partitioning: a single physical entity is partitioned into multiple distinct entities (VLANs, data-path only).

Cisco Application Services Virtualization vs. a traditional device:
ACE virtualization: distinct configuration files; separate routing tables; RBAC with contexts, roles and domains; management and data resource control; independent application rule sets; global administration and monitoring.
Traditional device: single configuration file; single routing table; limited RBAC; limited resource allocation.
Resource control: per-context control, guaranteed resource levels for each context, support for over-subscription.
Guaranteed rates: bandwidth, data connections/sec, management connections/sec, SSL bandwidth, syslogs/sec.
Guaranteed memory: access lists, regular expressions, data connections, management connections, SSL connections, xlates, sticky entries.
Use cases: 1. isolate applications; 2. guarantee resources to critical applications.
Figure: consolidation. Separate load balancers for App A, App B, App C and App D across the enterprise network collapse into virtual partitions 1-4 on one ACE.
Figure: multi-tier applications. Front-end firewalls, front-end servers, a load balancer, application servers and database servers become FE, APP and DB virtual partitions on one ACE, which provides application infrastructure control and application/database security.
Figure: data-center consolidation. Multiple contexts (C1-C6) serve several front-end networks and N-tier applications (web servers, app servers, DB servers).
Role Based Access Control

Fully integrated role-based access control. Four main levels of action over categories of commands:
1. Create 2. Modify 3. Debug 4. Monitor
Roles are defined by specifying which actions can be performed on which sets of commands. Pre-defined roles exist, and new roles can be created to adapt to different organization structures.
Domains give control over user access to instances of objects and enable flexible multi-user maintenance operations (figure: roles R1-R6 applied to object instances).
Figure: on the physical module, the Admin context holds the definitions of Context A and Context B, the resource allocation and the admin management config, reached from a management station through AAA. Within a context, roles (Admin, Network/Security, Server Admin, Monitor) are combined with domains: Domain1 contains VIP1, VIP2, Farm1 and Farm2; Domain2 contains VIP3, Farm3, Farm4 and SSL cert1, cert2.
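A model of the roles/domains combination described above. This is an added example, not ACE's implementation: the roles, domains, users, object names and the grouping of object types into command categories are hypothetical, and treating create as a role-only check (an object that does not exist yet belongs to no domain) is an assumption.

```python
from dataclasses import dataclass, field

# Action levels from the slide, ordered so a higher level implies the lower ones.
ACTION_LEVELS = {"monitor": 1, "debug": 2, "modify": 3, "create": 4}

# Hypothetical grouping of object types into command categories.
CATEGORY_OF = {
    "serverfarm": "loadbalance", "rserver": "loadbalance", "vip": "loadbalance",
    "probe": "loadbalance", "ssl-cert": "ssl", "access-list": "security",
}


@dataclass
class Role:
    name: str
    grants: dict  # command category -> highest action level granted


@dataclass
class Domain:
    name: str
    objects: dict  # object type -> set of instance names the domain contains


@dataclass
class User:
    name: str
    role: Role
    domains: list = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user, action, object_type, object_name=None):
    """Check a command against the user's role (what) and domains (which instances)."""
    level = ACTION_LEVELS.get(action)
    if level is None:
        return Decision(False, f"unknown action {action!r}")
    category = CATEGORY_OF.get(object_type)
    if category is None:
        return Decision(False, f"unknown object type {object_type!r}")
    granted = user.role.grants.get(category)
    if granted is None:
        return Decision(False, f"role {user.role.name} has no rights in category {category}")
    if level > ACTION_LEVELS[granted]:
        return Decision(False, f"role {user.role.name} is limited to {granted} on {category}")
    # Assumption: creating a new object names no existing instance, so only the
    # role is checked; every other action must target an instance in the user's domains.
    if action != "create":
        if object_name is None:
            return Decision(False, f"{action} requires an object name")
        if not any(object_name in d.objects.get(object_type, ()) for d in user.domains):
            return Decision(False, f"{object_type} {object_name} is outside domains "
                                   f"{[d.name for d in user.domains]}")
    return Decision(True, "ok")


def audit(user, action, object_type, object_name=None, log=None):
    """Authorize and record the attempt: the slide's user-activity logging."""
    decision = authorize(user, action, object_type, object_name)
    record = {"user": user.name, "action": action, "object_type": object_type,
              "object": object_name, "allowed": decision.allowed, "reason": decision.reason}
    if log is not None:
        log.append(record)
    return record


# Constructed sample mirroring the slide's figure (names are hypothetical).
DOMAIN1 = Domain("Domain1", {"vip": {"VIP1", "VIP2"}, "serverfarm": {"Farm1", "Farm2"}})
DOMAIN2 = Domain("Domain2", {"vip": {"VIP3"}, "serverfarm": {"Farm3", "Farm4"},
                             "ssl-cert": {"cert1", "cert2"}})
ADMIN = Role("Admin", {"loadbalance": "create", "ssl": "create", "security": "create"})
SERVER_ADMIN = Role("Server-Admin", {"loadbalance": "modify", "ssl": "monitor"})
MONITOR = Role("Monitor", {"loadbalance": "monitor", "ssl": "monitor", "security": "monitor"})
ALICE = User("alice", ADMIN, [DOMAIN1, DOMAIN2])
BOB = User("bob", SERVER_ADMIN, [DOMAIN1])
CAROL = User("carol", MONITOR, [DOMAIN2])
```

The two checks are deliberately separate: the role answers "may this user modify serverfarms at all?", the domain answers "this serverfarm?". A Server-Admin in Domain1 can modify Farm1 but is refused on Farm3, and a Monitor role is refused any modify regardless of domain, which is the least-privilege split the slide's figure draws.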
Security Features
TCP/IP normalization: built-in transport protocol security, user-configurable to meet security requirements.
Built-in checks include:
4. src IP == 0.x.x.x
5. src IP >= 224.0.0.0
Configurable:
I. reserved bits: allow / clear / drop
II. urg flag: allow / clear / drop
III. syn-data: allow / drop
IV. exceed-mss: allow / drop
V. random-seq-num-disable
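The built-in and configurable checks listed above, applied to constructed packets. This is an added example, not ACE code: build_packet() constructs minimal IPv4/TCP segments (no options) for the test cases, DEFAULT_POLICY is an assumed policy rather than ACE's defaults, and random-seq-num-disable concerns ACE's own sequence-number handling, so it has no per-packet check here.

```python
import ipaddress
import struct

ALLOW, CLEAR, DROP = "allow", "clear", "drop"
FLAG_SYN, FLAG_URG = 0x02, 0x20

# Assumed defaults for the example; on ACE each is a connection parameter.
DEFAULT_POLICY = {"reserved-bits": CLEAR, "urg-flag": CLEAR, "syn-data": DROP, "exceed-mss": DROP}


def checksum(data):
    """RFC 1071 ones'-complement checksum over data (odd length is zero-padded)."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, flags, payload=b"", reserved=0, sport=40000, dport=80):
    """Construct a minimal IPv4+TCP packet (no options) with valid checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # RFC 793 reserved bits: low 4 bits of byte 12 and high 2 bits of byte 13.
    byte12 = (5 << 4) | ((reserved >> 2) & 0x0F)
    byte13 = ((reserved & 0x03) << 6) | (flags & 0x3F)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, byte12, byte13, 65535, 0, 0) + payload
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ip + tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]


def tcp_checksum_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    return checksum(pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0


def normalize(pkt, policy=None, mss=None):
    """Apply the slide's checks. Returns (verdict, reasons, packet); the packet is
    rewritten, with a fresh TCP checksum, when a field was cleared."""
    policy = {**DEFAULT_POLICY, **(policy or {})}
    for name in ("syn-data", "exceed-mss"):
        if policy[name] == CLEAR:
            raise ValueError(f"{name} supports only allow or drop")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ipaddress.IPv4Address(pkt[12:16])
    # Built-in checks 4 and 5: source addresses that can never be legitimate.
    if src in ipaddress.IPv4Network("0.0.0.0/8"):
        return DROP, ["src IP == 0.x.x.x"], pkt
    if src >= ipaddress.IPv4Address("224.0.0.0"):
        return DROP, ["src IP >= 224.0.0.0"], pkt
    tcp = bytearray(pkt[ihl:total_len])
    payload_len = len(tcp) - (tcp[12] >> 4) * 4
    flags = tcp[13] & 0x3F
    reserved = ((tcp[12] & 0x0F) << 2) | (tcp[13] >> 6)  # includes the bits ECN now uses
    checks = (
        ("reserved-bits", reserved != 0),
        ("urg-flag", bool(flags & FLAG_URG)),
        ("syn-data", bool(flags & FLAG_SYN) and payload_len > 0),
        ("exceed-mss", mss is not None and payload_len > mss),
    )
    reasons, rewritten = [], False
    for name, triggered in checks:
        if not triggered:
            continue
        action = policy[name]
        reasons.append(f"{name}:{action}")
        if action == DROP:
            return DROP, reasons, pkt
        if action == CLEAR:
            if name == "reserved-bits":
                tcp[12] &= 0xF0
                tcp[13] &= 0x3F
            else:  # urg-flag: clear the flag and the urgent pointer it qualifies
                tcp[13] &= 0xFF ^ FLAG_URG
                tcp[18:20] = b"\x00\x00"
            rewritten = True
    if rewritten:
        tcp[16:18] = b"\x00\x00"
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
        pkt = pkt[:ihl] + bytes(tcp) + pkt[total_len:]
    return ALLOW, reasons, pkt
```

Two things worth noticing before choosing "clear" on a real deployment: the RFC 793 reserved bits include the two bits ECN now uses (CWR, ECE), so clearing them silently disables ECN for every flow through the device, which is why the setting is configurable rather than fixed; and any header rewrite needs a recomputed TCP checksum, which on ACE the ASIC generates and verifies.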
Application inspection (fix-ups), performed on the NP CPU: RTSP, ICMP, DNS, HTTP/S.
Redundancy
Redundancy groups (fault tolerance, FT groups) are configured per virtual context. Two instances of the same context, on two distinct ACE modules, form a redundancy group, one active and the other standby. The peer ACE can be in the same or a different Catalyst 6k chassis. Both ACE modules can be active at the same time, processing traffic for distinct contexts and backing each other up (stateful redundancy).

Example (figure): 2 ACE modules, 4 FT groups, 4 virtual contexts (A, B, C, D). FT groups 1 and 2 (contexts A and B) are active on ACE-1 and standby on ACE-2; FT groups 3 and 4 (contexts C and D) are active on ACE-2 and standby on ACE-1. An FT VLAN connects the pair.

There is a designated VLAN (FT VLAN) between the ACE pair; all redundancy-related traffic is sent over this VLAN:
1. TRP protocol packets
2. Heartbeats
3. Configuration sync packets
4. State replication packets
Configuration sync
Bulk sync: the entire configuration is transferred in bulk from active to standby; HA is in the Active/Standby_config state during bulk sync.
Incremental sync: a line-by-line sync of configuration as it is entered on the active; HA is in the Active/Standby_hot state during incremental sync.

Tracked objects
HSRP: the Supervisor notifies ACE of all state changes for the HSRP group.
Interface: the Supervisor sends UP and DOWN events to ACE.
Host: multiple probes may be configured, each with a priority; the individual probe priorities provide granular control of ACE failover.
Deployments
Figure: typical data-center topology. L2 or L3 access; web/front-end servers, application servers, database servers, mainframe.

Figures: ACE module deployment designs, which share these elements. The MSFC (HSRP IP) fronts the ACE; all data VLANs and the FT VLAN ride a data port-channel, with a separate FT control port-channel to the peer; access switches attach the servers; ACE presents an alias IP towards the servers.
- Bridged design: client and server VLANs are on the same subnet and a BVI is used to merge the two VLANs.
- Management access to servers requires an access-list.
- Multi-context design: Context A and Context B face external routers, with VRF-aware Route Health Injection (add/remove routes to/from the MSFC main routing table as well as VRF routing tables).
Further Assistance
Cisco ACE Family Webpage: www.cisco.com/go/ace/
Doc Wiki: http://docwiki.cisco.com/wiki/ACE
PDI Helpdesk: www.cisco.com/go/pdihelpdesk
DCAS KB: dcaskb/
cs-ans-dc@cisco.com

Thank you.
Appendix: ACE30 hardware block diagram
Figure: four Cavium Octeon CN5860 (OcteonPlus) network processors (NP1-NP4), each with 16 cores at 600 MHz, 4 GB DRAM, 32k iCache, 16k dCache and 2 MB L2 cache, on-chip support for encryption/decryption and coprocessors for compression/decompression. NP1 and NP2 share memory on daughter card 1, NP3 and NP4 on daughter card 2; the control CPU runs the ACSW OS. A Cisco ASIC (CDE switch, 60 Gbps switching capacity) performs IPv4/IPv6 classification, TCP checksum generation/verification and variable load distribution, with an FPGA in the path; 8 Gbps and 16 Gbps links connect the daughter cards, 20 Gbps goes to the switch fabric, and a 1 Gbps / 100 Mbps supervisor connection runs over the DBUS (16 Gbps), RBUS and EOBC.
Class-maps are used to classify interesting L3-4/L7 traffic. They contain a set of match statements specifying the match criteria. Class-maps are typed according to the protocol and the actions being performed for a given traffic classification. They support both logical AND (match-all, the default) and logical OR (match-any) semantics. The well-known class-default class-map matches any traffic if none of the user-specified class-maps in a policy-map match. Every match statement has a line number, which makes deleting or modifying a particular match statement easy.
  class-map type http loadbalance match-any C1
    match http url /news
    match http url /sport
  class-map type http loadbalance match-all C2
    match http header User-Agent header-value FireFox
    match class C1
Policy-maps are typed according to the action/feature. Policy-maps exist for both L3-4 and L7 actions. The L7 policy-maps are child policies within an L3-L4 policy-map and cannot be applied on an interface. Various execution semantics are supported, as dictated by the specific feature. If none of the classifications specified in the policy-map match, then the

Syntax:
  [no] policy-map type <main-type> <sub-type> {first-match|all-match|multi-match} <policy-name>
    [no] class <cmap-name>
      action1
    [no] class class-default
      default-action

Example:
  policy-map type loadbalance first-match SLB-POLICY
    class C1
      serverfarm SF1
    class C2
      serverfarm SF2
    class class-default
      serverfarm BACKUP
first-match: the class-action pairs within the policy-map are looked up sequentially and the actions listed against the first matching class-map are executed. The order of class-maps within the policy-map therefore matters. E.g. policy-maps of type loadbalance, management and ftp.
all-match: an attempt is made to match traffic against all classes in the policy-map and the actions of all matching classes are executed. E.g. policy-map of type inspect http.
multi-match: the policy-map supports multiple feature actions; each feature by itself can have only one match (first match), so the policy as a whole has multiple matches because it carries multiple features.
Inline match statements are supported for ease of use, especially when only a single match criterion needs to be specified. Currently they are allowed only in L7 policy-maps. An action can be specified against only a single inline match statement in the policy; to specify actions against more than one match statement, use a class-map.

  class-map type http loadbalance match-any TEST
    match http header User-Agent header-value *IE*
    match http url *jpg*

  policy-map type loadbalance first-match TESTPOLICY
    match M1 http url /finance           (inline match command)
      serverfarm farm1
    class TEST                           (pre-defined class-map)
      serverfarm farm2
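The matching rules described above (class-map match-all/match-any with numbered lines and nested match class, policy-map first-match/all-match/multi-match, class-default, inline match) as an executable model. This is an added example, not ACE code: requests are plain dicts constructed for the example, pattern matching is simplified from ACE's regular expressions to prefix/glob matching (an assumption noted in the code), and slb_policy() and finance_policy() rebuild the SLB-POLICY and TESTPOLICY configurations shown on these slides.

```python
import fnmatch


def _expr(value, pattern):
    # Assumption: ACE evaluates URL/header expressions as regexes; this example
    # treats a pattern without wildcards as a prefix and one with wildcards as a
    # shell glob, which covers the patterns used on the slides.
    if any(ch in pattern for ch in "*?["):
        return fnmatch.fnmatchcase(value, pattern)
    return value.startswith(pattern)


class ClassMap:
    """class-map type http loadbalance {match-all|match-any} NAME"""

    def __init__(self, name, mode="match-all"):
        if mode not in ("match-all", "match-any"):
            raise ValueError(mode)
        self.name, self.mode = name, mode
        self.lines = {}  # line number -> predicate: one statement can be edited or deleted

    def _add(self, line, pred):
        self.lines[max(self.lines, default=0) + 1 if line is None else line] = pred
        return self

    def match_url(self, pattern, line=None):
        return self._add(line, lambda req: _expr(req["url"], pattern))

    def match_header(self, name, pattern, line=None):
        return self._add(line, lambda req: _expr(req.get("headers", {}).get(name, ""), pattern))

    def match_class(self, other, line=None):
        return self._add(line, other.matches)

    def matches(self, req):
        results = [pred(req) for _, pred in sorted(self.lines.items())]
        if not results:
            return False  # an empty class-map classifies nothing
        return all(results) if self.mode == "match-all" else any(results)


class PolicyMap:
    """policy-map type loadbalance {first-match|all-match|multi-match} NAME"""

    def __init__(self, name, mode):
        if mode not in ("first-match", "all-match", "multi-match"):
            raise ValueError(mode)
        self.name, self.mode = name, mode
        self.entries = []  # (class-map, feature, action) in configuration order
        self.default_action = None

    def add_class(self, cmap, action, feature="loadbalance"):
        self.entries.append((cmap, feature, action))
        return self

    def add_inline(self, name, kind, *args, action, feature="loadbalance"):
        # Inline `match NAME http url|header ...` is a one-line class-map built on the fly.
        cmap = ClassMap(name)
        {"url": cmap.match_url, "header": cmap.match_header}[kind](*args)
        return self.add_class(cmap, action, feature)

    def set_default(self, action):
        self.default_action = action
        return self

    def lookup(self, req):
        """Return the (class name, feature, action) tuples whose actions run for req."""
        hits = [(c.name, f, a) for c, f, a in self.entries if c.matches(req)]
        if self.mode == "first-match":
            hits = hits[:1]
        elif self.mode == "multi-match":
            per_feature = {}  # each feature keeps only its first matching class
            for hit in hits:
                per_feature.setdefault(hit[1], hit)
            hits = list(per_feature.values())
        if not hits and self.default_action is not None:
            hits = [("class-default", "loadbalance", self.default_action)]
        return hits


def slb_policy(order=("C1", "C2"), mode="first-match"):
    """The slides' SLB-POLICY, with class order and lookup mode as parameters."""
    c1 = ClassMap("C1", "match-any").match_url("/news").match_url("/sport")
    c2 = ClassMap("C2", "match-all").match_header("User-Agent", "FireFox").match_class(c1)
    cmaps, farms = {"C1": c1, "C2": c2}, {"C1": "SF1", "C2": "SF2"}
    pm = PolicyMap("SLB-POLICY", mode)
    for name in order:
        pm.add_class(cmaps[name], f"serverfarm {farms[name]}")
    return pm.set_default("serverfarm BACKUP")


def finance_policy():
    """The slides' TESTPOLICY: an inline match followed by a pre-defined class-map."""
    test = ClassMap("TEST", "match-any").match_header("User-Agent", "*IE*").match_url("*jpg*")
    pm = PolicyMap("TESTPOLICY", "first-match")
    pm.add_inline("M1", "url", "/finance", action="serverfarm farm1")
    return pm.add_class(test, "serverfarm farm2")
```

With the slides' class order, a FireFox request for /news/today lands on SF1 even though C2 also matches, because first-match stops at C1; C2 can never be selected as written. Listing C2 before C1 (slb_policy(order=("C2", "C1"))) sends the same request to SF2, and all-match returns both actions. That is the order dependency the first-match description warns about, and running a few representative requests through a model like this is a cheap way to catch an unreachable class before committing the policy.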
A policy-map can be enabled in the input direction, the output direction, or both. Policy-maps applied globally in a context are internally applied on all interfaces existing in that context.
Many features can be applied on a given interface, so the feature lookup order matters. The datapath in ACE performs feature lookups in this order:
1) Access control (permit or deny a packet)
2) Management traffic
3) TCP normalization / connection parameters
4) Server load balancing
5) Fix-ups / application inspection
6) Source NAT
7) Destination NAT
The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface.