November 2008
Andrew Holding
andrew.holding@bt.com
British Telecommunications plc
Agenda
- Scope
- ACE Overview
  - What is the ACE Module?
  - Software, Licences and Virtualisation
  - Deployment options
  - Resource Management
  - Redundancy
  - Key ACE terminology
- Layer 3-7 Server Load Balancing
  - TCP Review
  - Layer 3-4 Server Load Balancing
  - Layer 7 Server Load Balancing
- Configuration Examples & Important ACE features
  - Layer 3, Layer 4, Layer 7 load-balancing
  - Route Health Injection
  - Persistent Rebalance
  - ACE Connection handling
  - Stickiness (Source IP, Cookie)
  - SNAT
  - SSL
- ACE Configuration Spreadsheet
- ACE Documentation
- Q & A
Scope
- The scope of this training is to ensure that network designers understand the ACE topology and the configuration options used within the VDC design
- This is high-level training to explain basic features and ACE behaviour
- It is assumed that attendees have basic load-balancing knowledge
Layer 3-7 content-aware, virtualised application load balancer with SSL termination and initiation, and security features
Diagram (Cisco application-delivery products): Cat6K Modules: CSM, ACE Module. Appliances: CSS 11501, CSS 11503, CSS 11506, ACE Appliance.
- Infrastructure simplification through L4-7 services integration
- Converged policy creation, management and troubleshooting
- Reduced latency (a single TCP termination serves all functions)
Diagram (ACE module hardware): network processors NP1 and NP2 (10G), Sup Connect to the backplane, Daughter Card 1 and Daughter Card 2 (8G), SSL Crypto.
ACE Performance/Features
- Max of 4 ACEs per chassis (64Gbps)
- 4Gbps, 8Gbps or 16Gbps single link to the backplane
- 4 million concurrent connections
- ~350K L4 connections per second
- DDoS protection
- etc.
Note: ACE Module and ACE Appliance use different software images
Mod  Model              Serial No.    Status
---  -----------------  ------------  ------
1    ACE10-6500-K9      SAD1021076N   Ok
2    WS-SVC-FWM-1       SAD100202V9   Ok
3    WS-X6748-GE-TX     SAL1005CBZP   Ok
4    WS-SVC-SSL-1       SAD094307LT   Ok
5    WS-SUP720-3B       SAL1004BPJU   Ok
6    WS-X6066-SLB-APC   SAD1006061M   Ok
7    WS-X6066-SLB-APC   SAD100301YX   Ok
8    WS-X6704-10GE      SAL1005C12A   Ok
9    WS-X6704-10GE      SAD100204FK   Ok

Mod  MAC addresses                       Hw   Fw             Sw
---  ----------------------------------  ---  -------------  ------------
1    0030.f275.b454 to 0030.f275.b45b    1.1  8.7(0.22)ACE   A2(1.1)
2    0013.c39f.63f8 to 0013.c39f.63ff    4.0  7.2(1)         3.2(4)
3    0016.c810.3284 to 0016.c810.32b3    2.3  12.2(14r)S5    12.2(18)SXF1
4    0030.f274.f702 to 0030.f274.f709    4.0  7.2(1)         2.1(9)
5    0013.c43a.8cb0 to 0013.c43a.8cb3    4.5  8.1(3)         12.2(18)SXF1
6    0013.c39f.cce0 to 0013.c39f.cce7    1.9  4.2(3a)
7    0013.c39f.8530 to 0013.c39f.8537    1.9  4.2(3a)
8    0016.c75a.a700 to 0016.c75a.a703    2.2  12.2(14r)S5    12.2(18)SXF1
9    0015.62e1.aee8 to 0015.62e1.aeeb    2.2  12.2(14r)S5    12.2(18)SXF1
ACE licensing
- Base = 5 contexts (plus Admin), 1000 SSL tps, 4Gbps
- Contexts = 50, 100 or 250
- Throughput = 8 or 16Gbps
- SSL = 5,000, 10,000 or 15,000 tps
bncmnace02/Admin# show license status
Licensed Feature                 Count
-------------------------------  -----
SSL transactions per second      5000
Virtualized contexts             50
Module bandwidth in Gbps         8
bncmnace02/Admin# show ver
.
Software
  loader:    Version 12.2[118]
  system:    Version A2(1.1) [build 3.0(0)A2(1.1) adbuild_00:25:02-2008/06/05_/auto/adbu-rel3/rel_a2_1_1_throttle/REL_3_0_0_A2_1_1]
  system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_1.bin
  installed license: ACE-08G-LIC ACE-VIRT-050 ACE-SEC-LIC-K9 ACE-SSL-05K-K9
ACE Virtualisation
Diagram: one physical device (100% of its resources) hosts the Admin context (context definition, resource allocation, FT config) alongside Context 1, Context 2 and Context 3.
ACE Deployment
Diagram, physical view: Web Client, Catalyst 6500 (hosting the ACE and its VLANs), Web Server.
Diagram, logical view: Web Client, Client-side VLAN, ACE, Server-side VLAN, Web Server.
Diagram (ACE modes):
- ACE Bridging: VLAN 10 and VLAN 20, both in Subnet A
- ACE Routing: Subnet A on VLAN 10, Subnet B on VLAN 20
- One-Armed Mode: Subnet A on VLAN 10, Subnet B on VLAN 20
Diagram (VDC ACE block, with template variables): FW1 VRF %cust1-fw1-vrf-name%, VLAN 501, EIGRP; north-side VLAN %cust1-ace1-ns-vlan% on ACE blades %ace-blade1-hostname%-001/002 (Subnet A); ACE Block; VLAN 601; south-side VLAN 7 / VLAN %cust1-ace1-ss-vlan%; customer VRF %cust1-ace1-vrf-name%.
ACE has a static default route with a next-hop of the FW1 VRF, and server-subnet routes with a next-hop of the Cust VRF
Bridged interfaces:
interface vlan 231
  bridge-group 3
  no shutdown
interface vlan 232
  bridge-group 3
  no shutdown
interface bvi 3
  description Server Access vlan
  ip address 172.16.31.5 255.255.255.0
  no shutdown
Create the necessary VLANs on the Cat6k. Group the VLANs into service line card VLAN groups. Assign the VLAN groups to individual ACE modules.
vlan 7,2001-2003,3502,3504
svclc multiple-vlan-interfaces
svclc module 1 vlan-group 1
svclc vlan-group 1 7,2001,2002
Diagram (VLAN groups 1, 2, 3): v2001 in Group 1, v401 in Group 2, v2003 in Group 3.
- Processor 0 = Control Plane CPU (configuration)
- Processor 1 = NP1
- Processor 2 = NP2
bncmnace02/Admin# show vlan
Vlans configured on SUP for this module
vlan7 vlan2001-2003
bncmnace02/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
bncmnace02/Admin(config)# context development
bncmnace02/Admin(config-context)# allocate-interface vlan 7
bncmnace02/Admin(config-context)# allocate-interface vlan 2001-2003
bncmnace02/Admin(config-context)# exit
bncmnace02/Admin(config)# exit
Name: development , Id: 117
Description:
Resource-class: default
Vlans: Vlan7, Vlan2001-2003
ACE-Module/Admin# show run
Generating configuration....
context development
  allocate-interface vlan 7
  allocate-interface vlan 2001-2003
Alternatively, Telnet/SSH directly to the management interface of the relevant context (once it has been created).
Resources controlled by a resource-class:
- Rates: Bandwidth, Data connections per sec., Management connections per sec., SSL bandwidth, Syslogs per sec.
- Memory: Access lists, Regular expressions, Data connections, Management connections, SSL connections, Xlates, Sticky entries
Each resource is given a Minimum Guarantee and a Maximum (which may be Unlimited).
- default resource class = 0% minimum, unlimited maximum
- gold resource class = 10% minimum, unlimited maximum
- Looking at the above figures, the gold class is applied to 2 contexts, meaning there is a 200% oversubscription
- By default a context is a member of the default resource group
500,000,000Bps = 4Gbps
When upgrading an ACE licence, the percentage figure in the resource-class does not change; if you want members of that resource-class to receive the same absolute amount of resources after the upgrade, you must therefore change the percentage allocated.
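The resource-class arithmetic above (minimum guarantees, "unlimited" maxima adding up to oversubscription, and the way a licence upgrade silently changes an unchanged percentage into a larger absolute allocation) is modelled in the following Python example. It is an added illustration, not ACE code or a BT tool; the class names, percentages and context names are assumed values taken from the slide, and the 1 Gbps = 125,000,000 bytes/second conversion is the one behind the 500,000,000Bps = 4Gbps figure.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Added example (not ACE code): how a resource-class shares a module's licensed capacity
# between the contexts that belong to it. Values are assumed from the slide's figures.

GBPS_IN_BYTES_PER_SEC = 125_000_000  # 1 Gbps = 10^9 bits/s = 125,000,000 bytes/s


@dataclass(frozen=True)
class ResourceClass:
    name: str
    minimum_pct: float            # guaranteed share of each licensed resource
    maximum_pct: Optional[float]  # None = unlimited, i.e. a context may consume the whole module


@dataclass(frozen=True)
class Context:
    name: str
    resource_class: ResourceClass


DEFAULT_CLASS = ResourceClass("default", minimum_pct=0.0, maximum_pct=None)
GOLD_CLASS = ResourceClass("gold", minimum_pct=10.0, maximum_pct=None)


def gbps_to_bytes_per_sec(gbps: float) -> int:
    """Licensed module bandwidth in Gbps expressed as the bytes/second figure ACE reports."""
    return int(gbps * GBPS_IN_BYTES_PER_SEC)


def effective_maximum_pct(rc: ResourceClass) -> float:
    """'Unlimited' means the context is free to use 100% of the module."""
    return 100.0 if rc.maximum_pct is None else rc.maximum_pct


def guaranteed_bandwidth_gbps(rc: ResourceClass, licensed_gbps: float) -> float:
    """Absolute bandwidth reserved for one member of the class under a given licence."""
    return licensed_gbps * rc.minimum_pct / 100.0


def total_minimum_pct(contexts: Sequence[Context]) -> float:
    """Sum of the guarantees; this must not exceed 100% of the module."""
    return sum(c.resource_class.minimum_pct for c in contexts)


def oversubscription_pct(contexts: Sequence[Context]) -> float:
    """Sum of the effective maxima: the worst-case demand the contexts can place on the module."""
    return sum(effective_maximum_pct(c.resource_class) for c in contexts)


def allocation_is_valid(contexts: Sequence[Context]) -> bool:
    """True when the minimum guarantees of all contexts can be honoured at the same time."""
    return total_minimum_pct(contexts) <= 100.0


def pct_to_keep_guarantee(rc: ResourceClass, old_gbps: float, new_gbps: float) -> float:
    """After a licence upgrade the percentage stays the same, so the absolute guarantee grows.
    Return the percentage that reproduces the pre-upgrade absolute guarantee on the new licence."""
    return guaranteed_bandwidth_gbps(rc, old_gbps) / new_gbps * 100.0


if __name__ == "__main__":
    gold_contexts = [Context("cust1", GOLD_CLASS), Context("cust2", GOLD_CLASS)]
    print("minimums total:", total_minimum_pct(gold_contexts), "%")              # 20.0 %
    print("oversubscription:", oversubscription_pct(gold_contexts), "%")         # 200.0 %
    print("4 Gbps licence =", gbps_to_bytes_per_sec(4), "Bps")                    # 500000000 Bps
    print("gold guarantee at 4G:", guaranteed_bandwidth_gbps(GOLD_CLASS, 4))     # 0.4 Gbps
    print("gold guarantee at 8G:", guaranteed_bandwidth_gbps(GOLD_CLASS, 8))     # 0.8 Gbps
    print("pct to keep 0.4 Gbps after upgrade:", pct_to_keep_guarantee(GOLD_CLASS, 4, 8))  # 5.0
```

The oversubscription figure comes from the maxima, not the minima: two contexts each allowed an unlimited (100%) maximum can between them demand 200% of the module, while their 10% guarantees only commit 20%.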
ACE Redundancy
- Two ACEs form a redundancy pair
- A single FT VLAN is required between the ACEs (not one per context)
- Redundant ACEs can be in the same, or different, Catalyst 6500 chassis
- Each pair of contexts (on two distinct ACE modules) forms a redundancy group, one being active and the other standby
- Both ACE modules can be active at the same time, processing traffic for different contexts and backing each other up (stateful redundancy)
Diagram: ACE-1 and ACE-2 share one FT VLAN; contexts A, B, C and D form FT groups 1 to 4, each context active on one module and standby on the other, so both modules carry active traffic.
ACE Redundancy
- The Fault-Tolerant (FT) VLAN (/30) carries FT packets: heartbeats, config-sync packets and state replication packets
- Configuration synchronisation (bulk and incremental) and state replication are enabled by default
- SSL files (keys and certs) are not replicated
- Much like HSRP, each context is assigned a priority, and the highest priority becomes master (if pre-emption is enabled)
- Pre-emption is normally recommended only for operations (failing back to a recovered ACE)
- It is possible to oversubscribe resources on both ACEs (active/active); however, a failure of one ACE (or of the path to it) will reduce capacity by half
Think of the ACE as a firewall:
- By default, traffic is not allowed through or to the ACE
- An access-list of type management is required for traffic to the ACE
- An IP access-list is required for traffic through the ACE
- N.B. An access-list of type ethertype is required in order to allow STP BPDUs (when the ACE is in bridged mode)
interface vlan 2001
  description Client_VLAN
  bridge-group 1
  access-group input nonip
  access-group input permit-all
  no shutdown
interface vlan 2002
  description Server_VLAN
  bridge-group 1
  access-group input nonip
ACE routes
- Routes are not shared between contexts
- Each load-balancing context requires route(s) to the servers AND a route back to the client before it will forward traffic
- The Admin context will typically only need management routes
- Within VDC each context requires:
  - a default route with a next-hop of the North-side VRF HSRP address
  - routes to the server subnets with a next-hop of the South-side HSRP address
  - management route(s)
! default route
ip route 0.0.0.0 0.0.0.0 10.80.199.109
! route to rservers
ip route 10.80.202.0 255.255.255.192 10.80.199.94
! management routes
ip route 10.80.196.0 255.255.254.0 10.80.193.3
ip route 147.149.163.128 255.255.255.128 10.80.193.3
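The rule that a context needs both a route towards the rserver and a route back to the client before it forwards anything is easy to check mechanically. The Python below is an added example, not ACE code: it parses the four static routes from the slide, performs a longest-prefix lookup, and reports which of the two routes is missing when a flow cannot be forwarded. The client and server addresses used in the demonstration are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not ACE code): longest-prefix lookup over a context's static routes and the
# "route to server AND route back to client" check. Routes are the four from the slide;
# the addresses in the demo are constructed.

Route = Tuple[ipaddress.IPv4Network, str, str]  # (prefix, next hop, label from the '!' comment)


def parse_static_routes(lines: List[str]) -> List[Route]:
    """Parse 'ip route <network> <mask> <next-hop>' lines; text after '!' is kept as a label."""
    routes: List[Route] = []
    for line in lines:
        raw, _, comment = line.partition("!")
        fields = raw.split()
        if len(fields) != 5 or fields[:2] != ["ip", "route"]:
            continue  # not a static route line
        prefix = ipaddress.IPv4Network(f"{fields[2]}/{fields[3]}", strict=False)
        routes.append((prefix, fields[4], comment.strip()))
    return routes


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match; the 0.0.0.0/0 route only wins when nothing more specific covers the address."""
    ip = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def can_forward(routes: List[Route], client_ip: str, server_ip: str) -> Tuple[bool, str]:
    """A load-balanced flow needs a path to the rserver and a path back to the client."""
    to_server = lookup(routes, server_ip)
    to_client = lookup(routes, client_ip)
    if to_server is None:
        return False, f"no route to rserver {server_ip}"
    if to_client is None:
        return False, f"no return route to client {client_ip}"
    return True, f"server via {to_server[1]}, client via {to_client[1]}"


CONTEXT_ROUTES = parse_static_routes([
    "ip route 0.0.0.0 0.0.0.0 10.80.199.109               ! default route",
    "ip route 10.80.202.0 255.255.255.192 10.80.199.94    ! route to rservers",
    "ip route 10.80.196.0 255.255.254.0 10.80.193.3       ! management route",
    "ip route 147.149.163.128 255.255.255.128 10.80.193.3 ! management route",
])

if __name__ == "__main__":
    print(can_forward(CONTEXT_ROUTES, "203.0.113.9", "10.80.202.17"))
    without_default = [r for r in CONTEXT_ROUTES if r[0].prefixlen > 0]
    print(can_forward(without_default, "203.0.113.9", "10.80.202.17"))
```

Dropping the default route leaves the rserver reachable but the client not, which is the failure mode the slide warns about: the ACE accepts the SYN, picks a server, and then has nowhere to send the reply.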
rserver host server2
  ip address 10.1.4.102

serverfarm host farm1
  predictor leastconns
  probe tcpprobe
  rserver server1
    inservice
  rserver server2
    inservice
serverfarm host farm2
  probe httpprobe
  rserver server1 81
    inservice
  rserver server2 81
    inservice
TCP Connection
Diagram (Client and Server): Initialize: SYN, SYN_ACK, ACK. Use: Data, ACK. Close: FIN, ACK, FIN, ACK.
Diagram (Layer 3-4 SLB, client / ACE / server): on the client's SYN the ACE identifies the VIP (matches the class-map), selects the server farm and makes the load-balancing decision, then forwards the SYN to the server; the server's SYN_ACK and the subsequent ACK/Data are passed between client and server.
Requires TCP termination and buffering of multiple packets before a LB decision can be made (this is why L7 load-balancing can never be as fast as L4 load-balancing)
* Layer 5 and above (SSL is Layer 5)
Diagram (Layer 7 SLB, client / ACE / server):
1. Client SYN; the ACE answers SYN_ACK, receives the client's ACK and starts buffering client packets
2. Client sends Data (e.g. HTTP GET /, GET /css/cavendish/template.css); the ACE ACKs the data received from the client
3. The ACE buffers all packets until it has enough data for policy matching, selects the serverfarm and makes the balancing decision, then sends the previously buffered SYN to the real server
4. Server SYN_ACK; the ACE does not forward it to the client and returns ACK to the server
5. The ACE empties its buffer and sends the Data to the server; the server's ACK is not forwarded; the ACE starts splicing the flows, and from then on Data/ACK pass between client and server
Diagram (example topology, context "landing"): VLAN 2001 10.1.1.0/24 with bt-fwsm-ace at .1 and .5, the context BVI at .4 and bt-customer at .6; VLAN 2006 10.1.4.0/24 with bt-customer at .1 and rservers .101 and .102 (port 81) on ports 3/22 and 3/23 (MAC fragments b4:55, 0d:17, ef:5e).
interface vlan 2001
  description Client_VLAN
  bridge-group 1
  access-group input nonip
  access-group input permit-all
  service-policy input mmp_ns1
  no shutdown
interface vlan 2002
  description Server_VLAN
  bridge-group 1
  access-group input nonip
  access-group input permit-all
  no shutdown
interface bvi 1
  ip address 10.1.1.4 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.5
ip route 10.1.4.0 255.255.255.0 10.1.1.6
Layer 7 class-maps can use a match-all, match-any, or use nested class-maps (match A or B or [C & D])
class-map match-all classmap1
  2 match virtual-address 10.1.1.100 tcp eq www
class-map type http loadbalance match-any checkforstatic
  2 match http url .*\.jpg
  3 match http url .*\.pdf
policy-map type loadbalance first-match policy1
  class checkforstatic
    serverfarm caches
  class class-default
    serverfarm farm1
policy-map multi-match mmp_ns1
  class classmap1
    loadbalance vip inservice
    loadbalance policy policy1
- The VRF redistributes static routes into EIGRP and advertises them northwards
- ACE RHI injects active VIPs into the Firewall Block VRF
Persistence Rebalance
- HTTP 1.0 requires a separate TCP connection for each HTTP request
- HTTP 1.1 supports persistent TCP connections, allowing pipelining of multiple HTTP requests within the same TCP connection
- Processing Layer 7 information (within the ACE HTTP ME) is more resource intensive than simply checking Layer 4 information
- By default, once the ACE has made a Layer 7 decision (check URL, language etc.) on the first packet of a flow (which farm/server), all subsequent traffic will be sent to that server (fast-switched); persistence rebalance disables this feature
- Persistence refers to a persistent TCP connection (multiple pipelined HTTP requests); rebalance refers to whether traffic should be re-balanced to another serverfarm
- Persistence rebalance is disabled by default on ACE (enabled by default on CSM)
- An HTTP parameter-map is required to modify the behaviour
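The Layer 7 classification from the configuration example (a match-any HTTP class-map of URL regexes, a first-match load-balance policy with class-default) and the persistence-rebalance behaviour described on this slide can be modelled together. The Python below is an added example, not ACE code; the class-map, policy and serverfarm names follow the slide's configuration (checkforstatic, caches, farm1, policy1), the sample requests are constructed, and applying each regex from the start of the URL is an assumption about ACE's matching.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Added example (not ACE code): HTTP load-balance class-maps, a first-match policy, and the
# difference persistence rebalance makes to pipelined HTTP/1.1 requests on one connection.


class HttpClassMap:
    """class-map type http loadbalance match-any|match-all <name>, with 'match http url <regex>' lines."""

    def __init__(self, name: str, mode: str, url_regexes: Sequence[str]):
        if mode not in ("match-any", "match-all"):
            raise ValueError(f"unknown class-map mode {mode!r}")
        self.name = name
        self.mode = mode
        # Assumption: the regex is applied from the start of the URL, hence re.match below.
        self.patterns = [re.compile(r) for r in url_regexes]

    def matches(self, url: str) -> bool:
        results = [p.match(url) is not None for p in self.patterns]
        return any(results) if self.mode == "match-any" else all(results)


class FirstMatchPolicy:
    """policy-map type loadbalance first-match: ordered (class-map, serverfarm) entries.
    A class-map of None stands for 'class class-default'."""

    def __init__(self, name: str, entries: Sequence[Tuple[Optional[HttpClassMap], str]]):
        self.name = name
        self.entries = list(entries)

    def select_serverfarm(self, url: str) -> Optional[str]:
        for cmap, farm in self.entries:
            if cmap is None or cmap.matches(url):
                return farm
        return None  # nothing matched and no class-default: the request cannot be balanced


def balance_connection(policy: FirstMatchPolicy, urls: Sequence[str],
                       persistence_rebalance: bool) -> List[Optional[str]]:
    """Serverfarm chosen for each request pipelined on one persistent TCP connection.
    Default (rebalance off): the first request's decision is reused for the rest of the
    connection (fast-switched). With rebalance on, every request is classified again."""
    decisions: List[Optional[str]] = []
    bound_farm: Optional[str] = None
    for index, url in enumerate(urls):
        if index == 0 or persistence_rebalance:
            bound_farm = policy.select_serverfarm(url)
        decisions.append(bound_farm)
    return decisions


# Objects mirroring the slide's configuration.
CHECKFORSTATIC = HttpClassMap("checkforstatic", "match-any", [r".*\.jpg", r".*\.pdf"])
POLICY1 = FirstMatchPolicy("policy1", [(CHECKFORSTATIC, "caches"), (None, "farm1")])

if __name__ == "__main__":
    pipelined = ["/index.html", "/img/logo.jpg", "/docs/guide.pdf"]  # constructed requests
    print(balance_connection(POLICY1, pipelined, persistence_rebalance=False))  # all farm1
    print(balance_connection(POLICY1, pipelined, persistence_rebalance=True))   # farm1, caches, caches
```

With rebalance off, the static objects requested later on the same connection are served by farm1 rather than the cache farm, because only the first request was classified; with it on, every request pays the Layer 7 inspection cost but lands on the serverfarm the policy intends.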
ACE Stickiness
- Required when multiple sessions (concurrent or subsequent) from the same user must be sent to the same backend server
- Many applications work by the client initiating multiple connections, e.g. HTTP sessions
- Without sticky, if the ACE load-balances on round-robin, least-connections etc., connections from the same client are likely to be sent to different servers
- If no sticky entry exists (e.g. the first time a client connects), the predictor configured on the serverfarm is used to select the server; at this point a sticky table entry is created, which is then used for subsequent connections (until the entry times out)
ACE Stickiness
- It is important to understand the application and the client profile before deciding which method to use
- N.B. Sticky resources are not allocated to a context by default (they are not included in the "all" resource designation) and need to be specifically assigned
Source IP Stickiness
Advantages:
- Simple to configure and troubleshoot
Disadvantages:
- Proxy servers in the path can present a single source IP address (SNAT) for many clients; the result is that all users are sent to the same rserver
- Mega proxies can change the SNAT IP address mid-session
Cookie Stickiness
The cookie can be:
- set by the rserver (and learned by the ACE)
- set by the ACE (cookie-insert)
Disadvantages:
- Only supported with HTTP
- The client browser must support cookies
sticky http-cookie serverid cook_group
  serverfarm farm1
class-map match-all classmap1
  2 match virtual-address 10.1.1.100 tcp eq www
policy-map type loadbalance first-match policy1
  class class-default
    sticky-serverfarm cook_group
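The sticky behaviour described on the preceding slides (predictor on a miss, a table entry that is reused until it times out, source-IP keys collapsing behind a proxy, and a cookie key such as the serverid cookie above) is modelled in the following Python example. It is an added illustration, not ACE code: the round-robin predictor, the idle-timeout handling, the optional source-IP mask and the cookie parsing are assumptions made for the demonstration, and the rserver names, cookie name and client addresses are taken from the slides or constructed.

```python
import ipaddress
import itertools
from typing import Dict, List, Optional, Sequence, Tuple

# Added example (not ACE code): a sticky group with a round-robin predictor and an idle
# timeout, plus source-IP and HTTP-cookie sticky keys. Values are assumed or constructed.


class StickyGroup:
    def __init__(self, name: str, rservers: Sequence[str], timeout_s: float):
        self.name = name
        self._predictor = itertools.cycle(list(rservers))  # round-robin predictor on the serverfarm
        self.timeout_s = timeout_s
        self.table: Dict[str, Tuple[str, float]] = {}     # sticky key -> (rserver, last seen)

    def select(self, key: Optional[str], now: float) -> str:
        """Return the rserver for this key; on a miss (or no key) the predictor decides and,
        when a key exists, a sticky entry is created for subsequent connections."""
        if key is not None:
            entry = self.table.get(key)
            if entry is not None and now - entry[1] < self.timeout_s:
                self.table[key] = (entry[0], now)   # refresh the idle timer on a hit
                return entry[0]
        rserver = next(self._predictor)
        if key is not None:
            self.table[key] = (rserver, now)
        return rserver

    def expire(self, now: float) -> int:
        """Remove timed-out entries; returns how many were dropped."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen >= self.timeout_s]
        for k in stale:
            del self.table[k]
        return len(stale)


def source_ip_key(client_ip: str, mask_bits: int = 32) -> str:
    """Key for source-IP stickiness; a mask shorter than /32 sticks a whole subnet to one rserver."""
    return str(ipaddress.ip_network(f"{client_ip}/{mask_bits}", strict=False).network_address)


def cookie_key(headers: Dict[str, str], cookie_name: str) -> Optional[str]:
    """Key for HTTP cookie stickiness: the value of <cookie_name> from the Cookie header, if any."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name and value:
            return value
    return None


def proxy_collapse(group: StickyGroup, proxy_ip: str, n_clients: int) -> List[str]:
    """Many users behind one forward proxy (SNAT) present the same source IP, so source-IP
    stickiness sends all of them to whichever rserver the first one was given."""
    return [group.select(source_ip_key(proxy_ip), float(i)) for i in range(n_clients)]


if __name__ == "__main__":
    group = StickyGroup("cook_group", ["server1", "server2"], timeout_s=300)
    print(group.select(cookie_key({"Cookie": "lang=en; serverid=server2"}, "serverid"), 0))  # server1: first key seen
    print(group.select(None, 1))                       # no cookie yet: predictor only (cookie-insert case)
    print(proxy_collapse(StickyGroup("src", ["server1", "server2"], 300), "198.51.100.7", 5))
```

The proxy_collapse call shows the disadvantage listed for source-IP stickiness: five different users arrive with the same key and all land on one rserver, defeating the load balancing. A cookie key avoids that because each browser carries its own value.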
ACE SNAT
- Source-NAT can be required for Client to Server, Server to Client and Server to Server traffic
- NAT can be performed using either a pool of addresses, or statically with a one-to-one mapping (use where a predictable IP is required)
- Within the policy-map you must configure which NAT pool number and which egress interface are to be used
- Caveats: the ACE will *not* NAT bridged traffic; traffic must hit a load-balancing policy in order for SNAT to be applied. SNAT to the VIP address requires ACE 2.x software
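Dynamic source NAT from a pool, with and without PAT, and the caveat that only traffic hitting a load-balancing policy is translated, are modelled in the Python below. It is an added example, not ACE code or the behaviour of a specific ACE release: the pool addresses follow the slide's nat-pool 1 (10.1.1.250 to 10.1.1.251), while the PAT port range, the one-address-per-source rule for the non-PAT case and the flow tuples are assumptions made for the demonstration.

```python
import ipaddress
import itertools
from typing import Dict, Optional, Tuple

# Added example (not ACE code): dynamic SNAT from a nat-pool, with PAT (address+port pairs)
# or without (one pool address per translated source), applied only to policy-matched flows.

Flow = Tuple[str, int, str, int]  # (source ip, source port, destination ip, destination port)


class NatPool:
    def __init__(self, pool_id: int, first_ip: str, last_ip: str, pat: bool,
                 port_range: Tuple[int, int] = (1024, 65535)):
        first, last = ipaddress.IPv4Address(first_ip), ipaddress.IPv4Address(last_ip)
        self.pool_id = pool_id
        self.addresses = [str(ipaddress.IPv4Address(a)) for a in range(int(first), int(last) + 1)]
        self.pat = pat
        self.xlates: Dict[Flow, Tuple[str, int]] = {}           # active translations (the "xlate" table)
        # PAT: hand out (address, port) pairs; no PAT: hand out whole addresses, one per source IP.
        self._pat_pairs = itertools.product(self.addresses, range(port_range[0], port_range[1] + 1))
        self._free_ips = list(self.addresses)
        self._ip_for_source: Dict[str, str] = {}

    def allocate(self, flow: Flow) -> Optional[Tuple[str, int]]:
        """Return the (ip, port) the flow's source is rewritten to, or None when the pool is exhausted."""
        if flow in self.xlates:
            return self.xlates[flow]                            # existing connection keeps its xlate
        src_ip, src_port = flow[0], flow[1]
        if self.pat:
            mapping = next(self._pat_pairs, None)
        else:
            nat_ip = self._ip_for_source.get(src_ip)
            if nat_ip is None and self._free_ips:
                nat_ip = self._free_ips.pop(0)
                self._ip_for_source[src_ip] = nat_ip
            mapping = (nat_ip, src_port) if nat_ip is not None else None
        if mapping is not None:
            self.xlates[flow] = mapping
        return mapping


def apply_snat(pool: NatPool, flow: Flow, policy_matched: bool) -> Optional[Flow]:
    """Bridged traffic that does not hit a load-balancing policy passes through untranslated.
    Policy-matched traffic is rewritten from the pool; None means the pool could not supply a mapping."""
    if not policy_matched:
        return flow
    mapping = pool.allocate(flow)
    if mapping is None:
        return None
    return (mapping[0], mapping[1], flow[2], flow[3])


if __name__ == "__main__":
    pool = NatPool(1, "10.1.1.250", "10.1.1.251", pat=True)
    web_to_internet: Flow = ("10.1.4.101", 40000, "203.0.113.5", 80)   # constructed flow
    print(apply_snat(pool, web_to_internet, policy_matched=True))        # source becomes 10.1.1.250:1024
    print(apply_snat(pool, web_to_internet, policy_matched=False))       # bridged: unchanged
```

Without PAT, the two-address pool serves only two distinct source hosts before allocation fails, which is why a pool with pat is the usual choice when many servers must share a few outside addresses.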
ACE SNAT
Diagram (ACE SNAT, step 1): Source IP = Web, Dest IP = Internet.
ACE SNAT
rserver host gwnorth
  ip address 10.1.1.1
  inservice
interface vlan 2001
  description Client_VLAN
  bridge-group 1
  access-group input nonip
  access-group input permit-all
  nat-pool 1 10.1.1.250 10.1.1.251 netmask 255.255.255.0 pat
  no shutdown
interface vlan 2002
  description Server_VLAN
  bridge-group 1
  access-group input nonip
  access-group input permit-all
  service-policy input SLB-SNAT
  no shutdown
interface bvi 1
  ip address 10.1.1.4 255.255.255.0
  no shutdown

policy-map type loadbalance first-match SNAT-POL
  class class-default
    serverfarm gateway_north_farm
policy-map multi-match SLB-SNAT
  class SNAT-CLASS
    loadbalance vip inservice
    loadbalance policy SNAT-POL
    nat dynamic 1 vlan 2001
Diagram (ACE SNAT, step 2): Source IP = Web, Dest IP = App B; application servers A and B.
ACE SSL
- What is SSL
- Why terminate SSL on ACE
- SSL Termination
- Certificate Chains
What is SSL
Secure Sockets Layer Layer 5 protocol above TCP and below Applications, such as HTTP, FTP etc
Diagram: HTTPS end to end from Client to Server; with termination, HTTPS from Client to the SLB and HTTP from the SLB to the Server.
SSL Certificates
Diagram: the application generates a KEY pair and sends a Certificate Signing Request (Public KEY, Common name, Domain name, Location, E-mail) to the Certificate Authority; after its Validation Process the CA returns a Certificate containing the Server Public Key; the SSL Server presents the Certificate to the Client Browser and keeps the Private Key; Data travels encrypted (e.g. SAasdfkjw1340+jakjb//alkjt) between Client Browser and Server.
SSL Termination
parameter-map type ssl sslparam cipher RSA_WITH_3DES_EDE_CBC_SHA cipher RSA_WITH_AES_128_CBC_SHA class-map match-all classmap1 2 match virtual-address 10.1.1.100 tcp eq https ! policy-map type loadbalance first-match policy1 class class-default serverfarm farm1 ! policy-map multi-match mmp_ns1 class classmap1 loadbalance vip inservice loadbalance policy policy1 loadbalance vip icmp-reply active loadbalance vip advertise active ssl-proxy server sslproxy
cipher RSA_WITH_AES_256_CBC_SHA
! ssl-proxy service sslproxy key mykey.pem cert mycert.pem ssl advanced-options sslparam ! serverfarm host farm1 rserver server1 81
ACE
inservice
rserver server2 81 inservice
British Telecommunications plc
Encrypted Unencrypted
Table (ACE Configuration Spreadsheet): which configuration objects each deployment type uses. Rows: BVI; Routing; Parameter-map; Crypto chaingroup; SSL proxy service; Probe; Rserver; Server farm; Class-map (match-all virtual-address for L3/4, http loadbalance for L7); Policy-map (type loadbalance, multi-match); Access-list.
For stickiness, apply a sticky-serverfarm to the LB policy-map, and apply the serverfarm to the sticky-group
ACE Documentation
- Cisco ACE Documentation: http://www.cisco.com/en/US/partner/products/ps6906/tsd_products_support_model_home.html
- ACE Design Guidelines: coming soon..
- How to use the ACE Packet Capture feature: http://livelink.intra.bt.com/livelink/livelink.exe?func=ll&objId=70435818&objAction=browse&sort=name&viewType=1
Questions?