CSS Series: Device Configuration LAB Nick DiPietro Ian Gallagher Bill Kastelic Louis Senecal

Transcription

1 CSS Series: Device Configuration LAB Nick DiPietro Ian Gallagher Bill Kastelic Louis Senecal 1

2 Cisco Content Switching Applications Local Load Balancing = improved utilization and availability (servers, Firewalls, caches) User Prioritization = switch and stick by cookie (Silver, Gold, Platinum) Client Device Discrimination = switch and stick by client device (PC, PDA, wireless) Intelligent Content Positioning = switch by file type (.html,.gif,.cgi) Security Optimization = all of the above in SSL (HTTPS) environment Overflow Servers Gold Global Server Load Balancing = pick best site based on load and proximity (Tokyo, Paris, New York) Internet Bronze Silver 2

3 Data Center Load Balancing For Internet and Intranet ISP-1 ISP-2 Secure Content Accelerator Secure Content Accelerator Hosting Solution Engine PIX Firewall Web Servers PIX Firewall Content Switch Content Switch Hosting Solution Engine Technical Symposium2002:CSS Database Servers Lab 3

4 CSS11500 Management Options CLI Embedded device management GUI CiscoWorks 2000 CiscoView Hosting services engine SNMP, RMON, log files Programmatic management API 4

5 Cisco Content Switching Product Line Decision Points CSS CSS CSS CSM for Catalyst 6500 Form factor Standalone Standalone Standalone Integrated Appliance Modular Modular Module Max density 1 GE, 8 FE 6 GE/2 GE,32 FE 12 GE/ 2 GE,80 FE GE, FE Site activity/intensity Low Medium High Highest Hardware scalability Hardware redundancy No No Yes Yes Session redundancy Future Yes Yes Yes Layer 2/3 networking CS management SSL acceleration External Internal Internal Future Blade Load balancing Servers, Caches, Firewalls Servers, Caches Firewalls, VPNs 5

6 CSS Software Session Spoofing Client TCP SYN Internet or Intranet Source IP Destination IP VIP= Web Server ACK HTTP GET TCP SYN ACK TCP SYN Source IP Destination IP TCP SYN ACK DATA DATA Source IP Destination IP Source IP Destination IP Source IP Destination IP Source IP Destination IP

7 CSS Software File Structure C:/ Archive core ap ap ap ap startup-config release ap image/ log/ script/ cli/ startup-config version build 7

8 Product Features Server Load Balancing Content Verification HTTP Header Load Balancing Sticky Connections Support for Web Caching services Domain Name Services Network Proximity HTTP Redirects NAT Peering 8

9 Product Features (cont.) Smart Content Replication Replication for dynamically scalable Web sites Replication for distributing and updating content Redundancy Web Site Security Full command line interface (CLI) Embedded Device Management Service Level Agreement support through: MIB SNMP RMON Logging subsystem 9

10 Command Line Interface (CLI) A line-oriented interface that has a set of commands for configuring, managing, and monitoring the CSS. Accessed through a local console or Telnet connection Console Connection CSS1 CS100# Telnet Connection CSS2 10

11 CLI Modes CS100> User Mode Username:admin Password: CS100# disable enable (enter username and password) SuperUser Mode configure exit or [Ctrl]z CS100(config)# Prompt reflects mode boot interface circuit. Global Configuration Mode exit [Ctrl]z Subordinate Configuration Modes 11

12 I C S O C Owner acme.com content Layer5_rule vip address service www_server1 service www_server2 balance roundrobin url /* xyz.com content Layer3_rule vip address add service server1 add service server 2 Interface 1/1 bridge vlan 2 Services www_server1 ip address keepalive type http keepalive port 8001 keepalive protocol tcp keepalive uri index.html www_server2 ip address keepalive type http keepalive port 8001 keepalive protocol tcp keepalive uri index.html Interfaces Circuits Services Owners Content Rules Circuit VLAN2 ip address Circuit VLAN1 ip address

13 ICSOC Interface Circuit Service Owner Content 13

14 Interfaces, VLANs, and Circuits IP Forwarding (Layer3) Circuit IP Interface for VLAN Circuit IP Interface for VLAN VLAN1 Bridging Domain vlan 1 VLAN2 Bridging Domain vlan 2 Interface Ethernet-1 Interface Ethernet-2 Interface Ethernet-3 Interface Ethernet-4 Interface Ethernet-5 Interface Ethernet-6 Interface Ethernet-7 Interface Ethernet-8 Interface Ethernet-9 Interface Ethernet-10 Interface Ethernet-11 Interface Ethernet-12 14

15 15

16 CLI Lab01-a version sh installed-software sh running Shutdown sh boot-config sh profile sh startup copy running startup sh alias sh chassis configure terminal archive restore 16

17 Interface & Circuit Lab01-b sh phy!************************** GLOBAL ***************************!************************* INTERFACE ************************* interface e1 bridge vlan 100 Interface e5 bridge vlan 10P Interface e6 bridge vlan 10P Interface e7 bridge vlan 10P Interface e8 bridge vlan 10P!************************** CIRCUIT ************************** circuit VLAN100 ip address 10.1.P circuit VLAN10P ip address P sh circuit sh ip route sh ip config sh ip statistics sh interface sh arp ping P=POD Number 17

18 ICSOC Interface Circuit Service Owner Content 18

19 Service Overview A service is a destination location where a piece of content resides A service is created first and then added to content rules The service is identified by a name that can be associated by an IP address, and optionally, a protocol and port number RAS VIP=

20 Service Configuration Configuring Server1: CS100(config)# service Server1 CS100(config-service)[Server1]# type local CS100(config-service)[Server1]# ip address CS100(config-service)[Server1]# port 81 CS100(config-service)[Server1]# protocol tcp CS100(config-service)[Server1]# max connections 10 CS100(config-service)[Server1]# weight 1 CS100(config-service)[Server1]# active RAS VIP=

21 Service Configuration (cont.) Configuring Server1: CS100(config)# service Server1 CS100(config-service)[Server1]# suspend CS100(config-service)[Server1]# exit CS100(config)# no service Server1 RAS VIP=

22 Service Keepalive keepalive frequency keepalive maxfailure keepalive retryperiod keepalive port keepalive type keepalive method keepalive uri RAS VIP= Keepalive Default ping

23 Displaying a Service The show service command enables you to display information for a specific service or all services currently configured. The show service-summary command displays just summary information for each service. The show service command displays the following information: CS100# show service Name: Server1 Index: 0 State: ALIVE Type: Local Rule ( TCP 81 ) Keepalive: (HEAD: ) State Transitions: 1 Connections: 0 Max Connections: 0 Weight: 1 Avg Load: 254 Long Load: 0 Mtu 1500 QOS Avg Min Rate: QOS Min BW:

24 Service Lab Lab02-Section 1 sh service sh service summary sh keepalive sh keepalive-summary monitor show service summary 24

25 ICSOC Interface Circuit Service Owner Content 25

26 Owner Overview Owner = The Owner allows for partitioning of content rules Content Rules are always configured under an Owner Can specify Owner case sensitivity Can specify Owner Address, Billing Information, and Address RAS VIP= Server3 Server2 Server

27 Owner Configuration When creating an owner, you may want to use the owner s DNS name for clarity: CS100(config)# owner cisco.com A service type local designates the service for local load balancing. Other options are proxy-cache, transparent-cache, and redirect. When you create the owner, the CLI drops you into owner mode: CS100(config-owner[cisco.com])# 27

28 Displaying an Owner The show owner command enables you to display information for a specific owner or all services currently configured. The show owner command displays the following information: CS100# show owner cisco.com Owner Configuration: Name : cisco.com Billing Info: finance Address: 235 Littleton Rd. Westford, MA Address: support@cisco.com DNS Policy: none Case Matching: insensitive 28

29 Content Rule Overview Describes what content is accessible by visitors to the web site Describes how content is mirrored and load balanced to multiple services Translates the Owner VIP address using Network Address Translation (NAT) to the service s IP address and port Checks for available services that match the content request RAS VIP= NAT and Load balanced to Request to Server3 Server2 Server

30 Content Rule Overview An content rule is a hierarchical rule set containing individual rules that describe which content is accessible by visitors to the web site, how the content is mirrored, on which server the content resides, and how the CSS should process requests for the content. When a request for content is made, the CSS: Uses the owner content rule to translate the owner Virtual IP Address (VIP) using Network Address Translation to the corresponding service IP address and port. Checks for available services that match the content request. Uses the content rule to choose which service can best process the request for content. Applies all content rules to service the request for content (for example, load balancing method, redirects, failover, sticky, cookies) 30

31 Creating Content Rules The CSS uses content rules to determine: Where the content physically resides, whether local or remote. Where to direct the request for content (which service or services). Which load balancing method to use. The types of content rule are as follows: A layer 3 content rule implies source IP address of the host or network. A layer 4 content rule implies a combination of source IP address and port. A layer 5 content rule implies a combination of source IP address, port, and URL that may contain an HTTP cookie. 31

32 Assigning Content Rules To assign a content rule to an owner, use the content command. You assign content rules to an owner by creating the content rule in the mode for that owner. The following example creates a content rule named layer3 and assigns it to the owner cisco.com: CS100(config-owner[cisco.com])# content layer3 Once you assign a content rule to an owner, the CLI prompt changes to reflect the specific owner and content rule mode: CS100(config-owner[cisco.com-layer3])# From here, the content rule can be entered. To remove an existing content rule from an owner, issue the no content command from owner mode: CS100{config-owner[cisco.com])# no content layer3 32

33 Basic Content Rule Config To configure a Layer 3 content rule, enter the following from the owner mode: (config-owner[cisco.com-layer3]# vip address Configure a Virtual IP address for the owner content. (config-owner[cisco.com-layer3]# balance aca Specify a load balancing type (config-owner[cisco.com-layer3]# add service serv1 (config-owner[cisco.com-layer3]# add service serv2 Add previously configured services to the content rule. (config-owner[cisco.com-layer3]# active Activates the content rule. This rule load balances based on VIP only. Only traffic destined for VIP address will get load balanced. 33

34 Owner and Content Rule Lab02 Section 2,3 and 4 sh service sh service summary sh rule sh rule-summary sh summary monitor show summary 34

35 Load Balancing Categories General Load Balancing Advanced Load Balancing (sticky) 35

36 Server Load Balancing To specify the load balancing algorithm for a content rule, use the balance command available in content configuration mode: balance aca - ArrowPoint Content Awareness algorithm. The CSS uses the normalized response time from client to server to determine the load on each service. ACA balances the traffic over the services based on load. balance roundrobin - Round-robin algorithm (default) balance weightedrr - Weighted round-robin load balancing. The CSS uses round-robin but weighs some services more heavily than others. You can configure the weight if a service when you add it to this rule. balance leastconn - Least connections load balancing. The CSS chooses a running service that has the least number of connections. 36

37 General Purpose Load Balancing Algorithms Round Robin Weighted Round Robin Least Connections ACA Weighted ACA 37

38 Round Robin Flow 1,4... Flow 2,5 Flow3,6 Server1 content rule1 vip address balance roundrobin add service server1 add service server2 add service server3 active Server2 Server3 38

39 Weighted Round Robin Flow 1,2,3 Flow 4,5 Flow 6 Server1 Server2 Server3 content rule1 vip address balance weightedrr add service server1 weight 3 add service server2 weight 2 add service server3 weight 1 39

40 Least Connections Services: Name: serv1 Index: 0 State: ALIVE Type: Local Rule ( TCP 80 ) Keepalive: (ICMP ) State Transitions: 0 Connections: 2 Max Connections: 0 Name: serv2 Index: 1 State: ALIVE Type: Local Rule ( TCP 80 ) Keepalive: (ICMP ) State Transitions: 0 Connections: 0 Max Connections: 0 Content Smart Switch keeps track of current connections to servers and serves requests to server with the least number of connections 40

41 ACA Load Balancing Arrowpoint Content Awareness algorithm Load balances servers based on normalized flow attributes calculated at flow tear down time Manages dynamic unpredictable server load and performance Periodically calculates server load and dynamically balances more flows to fastest servers Prunes slow servers from eligible list 41

42 ACA Parameters Load step msec dynamic - (10msec default) dynamic or static Load threshold - (254 default) is the maximum Load Number for service eligibility Load reporting - enable or disable Load teardown-timer seconds - (20 seconds default) Load ageout-timer seconds - (60 seconds default) Interval to bring back removed services. Resets load to 2. 42

43 ACA Load Calculation Load response for 3 servers: Server Name Normalized Response servera 100ms serverb 1100ms serverc 120ms serverb-> 102 Load Calculation Formula Fastest Server Assigned = 2 Loadsx = resp sx - resp_fastest sx +2 load step 130 serverc-> 4 serverb-> 12 servera-> Loads with load step-size equal to 10ms. 2 servera&serverc-> Load with load step size equal to 100ms 2 43

44 Show Load CS100(config)# show load Global load information: Step Size:Dynamic Configured:10 Actual:10 Threshold:254 Ageout timer:60 Service load information: Load Number for Load Number for Service Name Short Lived Flows Long Lived Flows serv1 2 2 serv2 2 2 serv serv

45 Configuring Basic L7 Server Load Balancing Lab03 sh service sh service summary sh rule sh rule-summary sh summary monitor show summary 45

46 Advanced Load Balancing Algorithms (sticky) Sticky refers to when a load balancing algorithm sticks a client to a specific server based on certain credentials advanced-balance sticky-srcip advanced-balance sticky-srcip-dstport advanced-balance cookies advanced-balance url advanced-balance cookieurl advanced-balance arrowpoint-cookie advanced-balance ssl 46

47 Sticky IP advanced-balance sticky-srcip Content Smart Switch sticks a client to a server based on the client s source IP address Available Layer 3, 4, and 5 content rules Referred to as Layer 3 Sticky advanced-balance sticky-srcip dstport Content Smart Switch sticks a client to a server based on the client s source IP address and destination port Available Layer 4, and 5 content rules Referred to as Layer 4 Sticky 47

48 Sticky-Mask RAS Sticky mask IBM Compatible IBM Compatible Remote client addresses Server Sticky Mask, masks a group of client ip addresses to preserve the client connection state Reduces entries in sticky table (32k Entries Max) Mask would provide a single sticky entry for ip addresses with the 1st 3 octets of ip address in common 48

49 Sticky Cookie vip RAS HTTP get HTTP response cookie: server1; Server IBM Compatible HTTP get cookie: server1; advanced-balance cookie Sticking on the Server that issued the cookie Content Smart Switch sticks a client to a server based on the cookie that the client sends Additional string tools Cookie configured for server Does not use sticky table content sticky-cookie vip address url /* advanced- balance cookie add service server1 active service server1 ip address string server1 active 49

50 Sticky URL vip RAS IBM Compatible advanced-balanced url Enables the content rule to stick a client to a server based on a configured string found in the URL of the HTTP request. You can use this option with a Layer 5 HTTP content rule. This does not use the sticky table HTTP get http// service server1 ip address string spaniels active content sticky-cookie vip address url /* advanced- balance url add service server1 active Server

51 Sticky cookieurl vip RAS http// Server IBM Compatible Cookieurl provides a primary and fallback mechanism First try to match the string found in the service cookie If no cookie match found it will go to the parameters (url extensions) that follows Cookieurl does not use the sticky table content sticky-cookieurl vip address url /* advanced- balance cookieurl add service server1 active service server1 ip address string ID=1007 active 51

52 Sticky SSL Enables the content rule to stick the client to the server based on the SSL version 3 session ID If no session ID is present, the CSS uses the source IP address and destination port to maintain stickiness Sticky SSL does use the sticky table 52

53 Sticky ArrowPoint Cookie vip RAS http// Server IBM Compatible Web applications do not need to be modified The CSS sets the cookie IP address of service can be configured to where the client will be stuck Expiration of the cookie can be configured Pre determine the path the cookie will use content arrowpoint vip address url /* advanced- balance arrwowpoint-cookie add service server1 active service server1 ip address string server1 active 53

54 Configuring Advanced L7 Server Load Balancing Lab04 sh service sh service summary sh rule sh rule-summary sh summary monitor show summary 54

55 4515_03_2002_c , Cisco Systems, Inc. All rights reserved. 55

56 Overview ArrowPoint Cookie When a client makes a request that matches on a Content Rule that is configured to use the ArrowPoint Cookie, the CSS will set a cookie and redirect the client's request back to the site by using meta-tags. Each service will have a unique string configured to use for matching a client's requests to a particular server that will be included in the ArrowPoint Cookie. If no string is configured, the CSS will use the service s IP address. 56

57 Configuring the ArrowPoint Cookie arrowpoint-cookie Assigns the cookie expiration Assigns the cookie path Assign string for each service in the content rule Assigned in the content mode 57

58 Configuring the ArrowPoint Cookie (cont.) Example: CSS11050 (config-owner-content [cisco-r1] )# arrowpoint-cookie expiration 08:04:02:08 CSS11050 (config-owner-content [cisco-r1) # arrowpoint-cookie path /cgi-bin/ CSS11050 (config-service [server1] )# string server1 58

59 Configure Advanced Balance ArrowPoint Cookie advanced-balance arrowpoint-cookie Enables the content rule to stick the client to the server Assigned in the content mode Example: CSS11050 (config-owner-content [cisco-r1] ) # advanced-balance arrowpoint-cookie 59

60 Sticky Serverdown Failover Use the sticky-serverdown-failover command to define what will happen when a sticky string is found, but the associated service has failed or is suspended. The sticky failover default method is for the CSS to use the configured load balancing method. 60

61 Sticky Serverdown Failover sticky-serverdown-failover balance Set the failover method to use a service based on the configured load balancing method. sticky-serverdown-failover redirect Set the failover method to use a service based on the currently configured redirect string. If a redirect string is not configured, the load balancing method is used. sticky-serverdown-failover reject Reject the content request. sticky-serverdown-failover sticky-srcip Set the failover method to use a service based on the client source IP address. sticky-serverdown-failover sticky-srcip-dstport Set the failover method to use a service based on the client source IP address and the server destination port. 61

62 Sticky show rule Advanced Balance: cookies Sticky Mask: Sticky Group: 0 Sticky Server Down Failover: Balance String Match Criteria: String Range: String Prefix: "UID=" String Eos-Char: ";" String Ascii-Conversion: Enabled String Skip-Len: 3 String Process-Len: 0 String Operation: Match-Service-Cookie 62

63 Caching Balance Methods balance domainhash/urlhash Hashes host tag or url and load balances based on hash value. balance url Uses the first 3 characters of the URL balance domain Uses the first 3 characters of the domain from the host tag 63

64 Caching Balance Methods balance srcip Uses source ip address balance destip Uses destination ip address params bypass Automatic bypass of transparent cache Based on a char of? or # after url for L5 rules This is a command in a content rule - disable is the default 64

65 Cache Service Failover failover bypass Bypass and send to the origin server failover linear Distribute evenly over remaining servers failover next Send the request to the next service based on configuration order 65

66 Source Groups A Source Group is a collection of local servers that initiate flows from within the local web farm. The CSS lets you treat a group as a virtual server with its own source IP address, typically matching the inbound VIP. NATs private address of servers to Internet routable public addresses (VIP). 66

67 Configuring Source Groups To configure source groups, use the following syntax: CS100(config)# group Training Training is the name of the newly created group CS100(config-group[Training])# ipaddress Virtual IP address of outbound connections. Same address as inbound VIP To connect to Internet, must be routable address. CS100(config-group[Training])# add service training222 Adds corresponding service to each source group. NOTE: A service may be assigned to only ONE source group. CS100(config-group[Training])# active Make the service active enable outbound connections. 67