Data Center Interconnection
- Myrtle Gibbs
- 5 years ago
1 Data Center Interconnection: Network Service placements. Yves Louis, TSA Data Center. Dubrovnik, Croatia, South East Europe, May 2013. Cisco and/or its affiliates. All rights reserved. Cisco Connect.
2 Agenda
Objectives:
- Feedback from field experience with stateful device placement and its impact within a DCI environment
- Understand the data workflow with stateful devices across multiple sites
- Discuss the evolution of the Act/Act firewall with ASA clustering
Agenda:
- Review generic stateful device roles and the related workflow inside the DC: traditional solutions, ASA clustering
- Discuss stateful device placement and roles across multiple sites: impact on the workflow
- LISP path optimization integration with stateful devices
3 Security and Network Services inside the DC: stateful device deployment inside the DC
- Multiple types of stateful services: firewalls, load balancers, Inspection Prevention/Detection Systems, SSL off-loader, WAAS
- Stateful implies one-way symmetrical establishment
- Stateful device HA and scalability: Active-Standby mode for stateful convergence and recovery; Active-Active mode for redundancy and scalability
[Diagram: WAAS, FW, SSL offload, SLB and IPS on the outside, inside, front-end and back-end VLANs, across the DC core, aggregation, service, access and application layers]
4 Security and Network Service inside the DC: nominal workflow with stateful device deployment inside the PoD
- Network services in active-standby context mode (boxes run A/A)
- Multiple models of deployment: SLB facing the server farm; FW facing the server farm; SLB in-line versus one-arm (one-arm: PBR or Src-NAT); VRF L3 segmentation
- Multiple modes of forwarding: transparent, routed, mixed
- Session and state synchronization
- Usually enable interface tracking to force a failover for other services
- Simplest use case deployment for the purpose of this session: 1 context of FW and SLB A/S; 1-tier application (front-end); SLB in one-arm with Src-NAT
[Diagram, DC-1: dynamic FW NAT for security; VIP with Source-NAT traffic flow control; web server farm; outside LAN, inside LAN and front-end VLAN; FW FT and synchro; SLB FT; DC core, aggregation, service, sub-aggregation, access and application layers]
5 Security and Network Service inside the DC: Ping-Pong effect with A/S stateful devices inside the PoD
- Network services in active-standby context mode (boxes run A/A)
- Multiple models of deployment: SLB facing the server farm; FW facing the server farm; SLB in-line versus one-arm (one-arm: PBR or Src-NAT); VRF L3 segmentation
- Multiple modes of forwarding: transparent, routed, mixed
- Session and state synchronization
- Usually enable interface tracking to force a failover for other services
- Simplest use case deployment for the purpose of this session: 1 context of FW and SLB A/S; 1-tier application (front-end); SLB in one-arm with Src-NAT
- The Ping-Pong workflow exists inside the DC, but has no impact in terms of performance or latency
- Some devices do not support preemption, making troubleshooting and analysis a bit more challenging
[Diagram, DC-1: dynamic FW NAT for security; VIP with Source-NAT traffic flow control; web server farm; outside LAN, inside LAN and front-end VLAN; FW FT and synchro; SLB FT; DC core, aggregation, service, sub-aggregation, access and application layers]
6 One-armed SLB and Source NAT
[Diagram: outside world, App1, VLAN, VLAN150, server-farm, nat-pool, VIP]
The client hits the VIP. The SLB forwards the request to one of the real servers and source-NATs the client, so that responses from the real server are sent to the SLB.
The advantage of the one-arm configuration is that it is very easy to bypass the load balancer when necessary. If certain clients need to communicate with a real server directly, it is very straightforward: the router forwards the packet directly to its destination without involving the SLB. If, on the other hand, the intervention of the SLB is desired, hitting the VIP will do the job.
The return traffic (server back to client) must be sent back to the SLB. There are two ways to address the problem:
1. Policy-based routing on the router
2. Source-NAT the clients' IP addresses
Src-NAT offers very granular matching and L4-L7-based decisions (versus Direct Srv Return). This particular scenario explores option number 2.
7 Firewall Load Balancing: symmetrical flow using Source NAT
- FWLB addresses scalability and redundancy by distributing traffic over parallel FW devices
- Each FW requires a one-way symmetrical establishment
- Multiple models of deployment: FWLB in sandwich between SLBs; Source-NAT for return flows for one-way symmetrical establishment; ASA clustering (new)
- No session synchronization*: all FWs are active and autonomous
- Simplest use case deployment for the purpose of this session: 3 A/A FWs; 1-tier application (front-end)
* This doesn't apply to ASA clustering.
[Diagram, DC-1: predictor hash; SLB FT; outside VLAN, inside VLAN, client VLAN (VIP), front-end VLAN; web server farm; FW NAT for security; Source-NAT for symmetric flow control; DC core, aggregation, service, sub-aggregation, access and application layers]
8 Firewall Load Balancing (cont): symmetrical flow using SLB in sandwich mode
- FWLB in sandwich mode between 2 SLB engines
- Each FW requires a one-way symmetrical establishment
- FWs are configured in routed mode
- MAC sticky from the inside SLB performs persistence for the return traffic to the original FW device
- The predictor used to load-balance is an IP Src and Dst hash (maintaining each TCP session through the same FW)
- IPS can be enabled on each ASA
- No session synchronization: all FWs are active and autonomous
[Diagram, DC-1: Src+Dst hash; MAC sticky; SLB FT; client VLAN (VIP); front-end VLAN; web server farm; DC core, service, sub-aggregation, access and application layers]
9 ASA Clustering (9.0), or what's new that may help deploying stateful security devices in a DCI
- Interfaces in an ASA cluster can be configured in either L2 or L3 mode. L2 mode: all ASAs share a single IP and MAC. L3 mode: each ASA uses its own IP and MAC (per interface)
- Fully distributed data path
- State sharing between units (identity, authentication, HA, etc.)
- Stateless load balancing by an external switch using ECLB for L2 mode, or a router (ECMP, PBR) for L3 mode
- Connection load balancing within the cluster over the Cluster Control Protocol
- Stateful firewall inspection
- No single point of failure
- Centralized management and monitoring
- One unit is designated as the master; all others are slaves
[Diagram: data traffic port-channel with LACP (L2) or ECMP (L3) on each side of one master and three slave units joined by the Cluster Control Link (CCL); cLACP is for L2 mode only]
10 ASA Clustering (9.0): connection setup when traffic is symmetric
- State replication from owner to director also serves as a failover message, providing redundancy should the owner fail
- The director is selected per connection using a consistent hashing algorithm
[Diagram: client on the outside network, server on the inside network; SYN and SYN/ACK pass through the owner; 1) state update to the director over the Cluster Control Link (CCL)]
11 ASA Clustering (9.0): TCP SYN cookies with asymmetrical traffic workflows
1) Encodes the owner information into SYN cookies (a state update also goes to the director)
2) Forwards the SYN packet encoded with the cookie toward the server
3) The SYN/ACK arrives at a non-owner unit
4) Decodes the owner information from the SYN cookie
5) Forwards the packet to the owner unit over the CCL
- It is possible that the SYN/ACK from the server arrives at a non-owner unit before the connection is built at the director
- As the owner unit processes the TCP SYN, it encodes within the sequence number which unit in the cluster is the owner
- Other units can decode that information and forward the SYN/ACK directly to the owner without having to query the director
[Diagram: client on the outside network, server on the inside network, owner and director joined by the Cluster Control Link (CCL)]
12 ASA Clustering (9.0): UDP sessions with asymmetric traffic workflows
- Workflow: 1) Owner query; 2) Not found; 3) State update; 4) Owner query?; 5) Here is the owner ID
- When a unit receives a UDP packet for a flow that it does not own, it queries the director to find the owner
- Thereafter, it maintains a forwarding flow. It can punt packets directly to the owner, bypassing the query to the director
- Short-lived flows (e.g. DNS, ICMP) do not have forwarding flows
[Diagram: client on the outside network, server on the inside network, owner and director joined by the Cluster Control Link (CCL)]
13 ASA Clustering (9.0): ASA failover session recovery
- Workflow: 1) Owner query? (shown twice); 3) You are owner; 4) The owner is ASA X
- The director unit maintains a backup stub flow
- It redirects units towards the flow owner
- In case the owner unit fails, the director unit elects the owner
- It receives connection updates, so that they are up to date in case of owner failure
[Diagram: client on the outside network, server on the inside network; director, failed owner, ASA X and ASA Y joined by the Cluster Control Link (CCL)]
14 ASA Clustering (9.0): ASA failover session recovery
- The director unit maintains a backup stub flow
- It redirects units towards the flow owner
- In case the owner unit fails, the director unit elects the owner
- It receives connection updates, so that they are up to date in case of owner failure
[Diagram: client on the outside network, server on the inside network; director, owner and ASA Y joined by the Cluster Control Link (CCL); Packet M and Packet M+1]
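The owner, director and forwarding-flow roles from slides 10 to 14 can be modelled in a few lines. The following Python is an added example, not Cisco code and not part of the original slides: the unit names, the `Cluster` class and its methods are hypothetical, rendezvous hashing stands in for the unspecified consistent hashing algorithm, re-registration of flows after a unit failure is an assumption, and the TCP SYN-cookie shortcut is not modelled.

```python
import hashlib


def flow_key(proto, a, b):
    """Direction-independent key: both directions of a flow map to one entry."""
    return (proto,) + tuple(sorted([a, b]))


class Cluster:
    """Toy model of owner / director / forwarder roles in a firewall cluster."""

    def __init__(self, units):
        self.alive = set(units)
        self.owned = {u: set() for u in units}  # flows a unit holds full state for
        self.stub = {u: {} for u in units}      # director's backup stub: key -> owner
        self.fwd = {u: {} for u in units}       # forwarding flows: key -> owner
        self.queries = 0                        # owner queries sent over the CCL

    def director(self, key):
        # Rendezvous hashing (one form of consistent hashing): every unit
        # computes the same director, and a unit failure only remaps the
        # flows that unit was director for.
        return max(self.alive,
                   key=lambda u: hashlib.sha256(repr((u, key)).encode()).digest())

    def receive(self, unit, proto, src, dst, short_lived=False):
        """A packet arrives at `unit`; return the unit that inspects it."""
        if unit not in self.alive:
            raise ValueError(f"{unit} is down")
        key = flow_key(proto, src, dst)
        if key in self.owned[unit]:
            return unit                          # we are the owner
        cached = self.fwd[unit].get(key)
        if cached in self.alive:
            return cached                        # punt to owner, no query
        d = self.director(key)
        if d != unit:
            self.queries += 1                    # "Owner query?" over the CCL
        owner = self.stub[d].get(key)
        if owner not in self.alive:
            # "Not found" or the owner has failed: this unit becomes the
            # owner ("You are owner") and sends a state update to the director.
            owner = unit
            self.owned[unit].add(key)
            self.stub[d][key] = unit
            self.fwd[unit].pop(key, None)
        elif not short_lived:
            # "Here is the owner ID": keep a forwarding flow for later packets.
            self.fwd[unit][key] = owner
        return owner

    def fail(self, unit):
        """Unit failure: its flow state and stub flows are lost."""
        self.alive.discard(unit)
        self.owned[unit].clear()
        self.stub[unit].clear()
        self.fwd[unit].clear()
        # Assumption of this model: surviving owners re-send state updates
        # so that flows whose director just failed get a new stub.
        for u in self.alive:
            for key in self.owned[u]:
                self.stub[self.director(key)][key] = u


if __name__ == "__main__":
    # Constructed sample flow: a client talking to a DNS server.
    client, server = ("10.0.0.5", 40000), ("192.0.2.10", 53)
    units = ["asa1", "asa2", "asa3", "asa4"]
    c = Cluster(units)
    d = c.director(flow_key("udp", client, server))
    first, second = [u for u in units if u != d][:2]
    print("director:", d)
    print("request at", first, "-> inspected by", c.receive(first, "udp", client, server))
    print("reply at", second, "-> inspected by", c.receive(second, "udp", server, client))
    c.fail(first)
    print("after owner failure, reply at", second, "-> inspected by",
          c.receive(second, "udp", server, client))
```

The asymmetric reply is always inspected by the unit that saw the request, which is what keeps stateful inspection intact when the two directions of a flow enter the cluster through different units.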
15 How do stateful device policies apply to DCI?
16 Network Service placement for Metro Distances: A/S stateful devices stretched across 2 locations, nominal workflow
- Network services are usually active on the primary DC
- Distributed pair of Act/Sby FW and SLB on each location
- Additional VLAN extended for state synchronization between peers
- Source NAT for SLB VIP
- Note: with a traditional pair cluster this scenario is limited to 2 sites
- Historically this has been well accepted for most Metro Virtual DCs (Twin-DC); almost 80% of Twin-DCs follow this model
[Diagram, primary DC-1 and secondary DC-2: outside VLAN; FW FT and session synch; inside VLAN; VIP Src-NAT; VIP VLAN; SLB session synch; front-end VLAN; back-end VLAN]
17 Network Service placement for Metro Distances: ingress/egress flows, Ping-Pong impact with A/S stateful devices stretched across 2 locations
- FW failover to remote site
- Source NAT for SLB VIP
- Consider +/- 1 ms for each round trip for 100 km
- For a secured multi-tier software architecture, it is usual to see + 10 round trips from the client request up to the result
- Interface tracking optionally enabled to maintain active security and network services on the same site
- Historically limited to network services and HA clusters offering stateful failover and fast convergence
- It is accepted to work in degraded mode with predictable mobility of network services
[Diagram, primary DC and secondary DC-2, +/- 1 ms per round trip: outside VLAN; inside VLAN; VIP Src-NAT; VIP VLAN; front-end VLAN; back-end VLAN]
18 Network Service placement for Metro Distances: ingress/egress flows, additional Ping-Pong impact with IP mobility between 2 locations
- FW failover to remote site
- Front-end server farm moves to remote site
- Source NAT for SLB VIP
- The network team is not necessarily aware of the application/VM mobility
- Uncontrolled degraded mode with unpredictable mobility of network services
[Diagram, primary DC and secondary DC-2, +/- 1 ms per round trip: outside VLAN; inside VLAN; VIP Src-NAT; VIP VLAN; front-end VLAN; back-end VLAN]
19 Network Service placement for Metro Distances: stateful devices and trombone effect for IP mobility between 2 locations
- Migrate the whole multi-tier framework and enable HSRP filtering to reduce the trombone effect
- FHRP filtering is ON on the front-end and back-end side gateways
- Source NAT for SLB VIP maintains the return path through the active SLB
- Limited relation between the server team (VM mobility), the network team (HSRP filtering) and the service team (FW, SLB, IPS...)
- The Ping-Pong effect with active services placement may impact performance
[Diagram, primary DC and secondary DC-2, +/- 1 ms per round trip: outside VLAN; Src-NAT; inside VLAN; VIP VLAN; HSRP filter; front-end VLAN; back-end VLAN]
20 Network Service placement for Metro Distances: intelligent placement of network services based on IP mobility localization
- Move the FW context associated with the application of interest
- Interface tracking to maintain the stateful devices in the same location when possible
- Return traffic stays symmetrical via the stateful devices
- Intra-DC path optimization almost achieved; however, ingress path optimization may be required
- Siloed organisations: server/app; network/HSRP filter; service and security; storage
- Improving relations between siloed organizations increases workflow efficiency
- Reduce tromboning with active services placement
[Diagram, primary DC and secondary DC-2, +/- 1 ms per round trip: outside VLAN; VIP Src-NAT; inside VLAN; VIP VLAN; HSRP filter; front-end VLAN; back-end VLAN]
21 Network Service placement for long distances: Active/Standby network services per site with extended LAN (stateful live migration)
- Subnet replication is possible using NAT or LISP
- Ingress path optimization can be initiated to reduce the trombone effect due to active services placement
- Src NAT on each FW is mandatory
- Extend the VLAN of interest
- FW and SLB maintain stateful sessions per DC
- No real limit in terms of number of DCs
- Granular migration is possible only using LISP or RHI (if the enterprise owns the L3 core)
- Move the whole framework (front-end and back-end)
[Diagram, DC-1, DC-2 and DC-3: localization IP; routed mode with Src NAT in each DC; inside VLAN; front-end VLAN; back-end VLAN; HSRP filter]
22 Network Service placement for long distances: Active/Standby network services per site across subnets (cold migration)
- FW and SLB maintain stateful sessions per DC
- No limit in terms of number of DCs
- Granular migration is possible with LISP or RHI (if the enterprise owns the L3 core)
- Implies cold migration (stateless)
- LAN extension is not required for cold migration
- Subnet replication is possible using NAT or LISP
- Ingress path optimization is needed to improve RTO
- That is likely not going to happen with cold migration
- Move the whole framework (front-end and back-end)
[Diagram, DC-1, DC-2 and DC-3: localization IP; Subnet C]
23 Can ASA Clustering improve this?
24 Clarification
As of today, ASA clustering stretched across multiple locations has not been validated yet (we are currently working on multiple scenarios to build the test plan). However, our first series of tests in our lab, in conjunction with OTV and LISP, are showing great results. Stay tuned for a Cisco Validated Design.
25 Single ASA Cluster stretched across multiple sites: ASA clustering data plane load distribution in Layer 2 mode
- Only 1 port-channel from the ASA cluster
- cLACP dictates that the same port channel must exist across the same cluster
- Therefore the same vPC domain ID must be replicated on each vPC peer
[Diagram, DC-1, DC-2 and DC-3: ASA Cluster Control Link between sites; cLACP ASA Po 10 in each DC]
26 Single ASA Clustering stretched across multiple DC: ASA clustering with VLAN extension (stateful live migration)
- Stateful live migration supported
- All ASAs are active
- Certainly good to deploy for metro distances using fibers
- Ingress traffic can be optimized using LISP (or RHI)
- Theoretically the FW cluster spreads over up to 8 DCs (more likely 4 DCs with 2 Act/Act ASAs in each DC)
[Diagram, DC-1, DC-2 and DC-3: localization IP; TCP SYN cookie?; director and owner joined by the ASA Cluster Control Link; HSRP filters; front-end VLAN; back-end VLAN]
27 Multiple ASA Clustering distributed on each DC: ASA clustering with Layer 3 routing between sites (cold migration)
- Certainly the best choice for cold migration
- Provides flexibility in the operational choice
- Subnet replication is possible using NAT or LISP
- ASA can run L2 or L3 mode (the mode must be the same inside the DC)
- Ingress path redirection to improve RTO
[Diagram, DC-1, DC-2 and DC-3: localization IP; an owner, a director and a CCL in each DC; Subnet C]
28 Network Services Placement with LISP IP Mobility
29 LISP values for these scenarios
- Ingress path optimization: reduce the latency between users and application; avoid asymmetric routing; in conjunction with FHRP localization
- IP mobility
- Generic deployment: LISP using Extended Subnet Mode (LAN extension); LISP using Across Subnet Mode (L3 inter-site connection)
30 LISP Deployment for Ingress Path Optimization: LISP with LAN extension and A/S network services per site (high-level workflow)
1 - VIP is active on DC-1; ITR redirects to DC-1
2 - Move action: the whole server farm migrates
3 - VIP becomes active in DC-2
4 - VIP sends a packet out (i.e. RHI) through the FW
5 - ETR notices and updates the mapping DB accordingly
6 - MS updates the original ETR
7 - ITR redirects to DC-2
- Independent FW and SLB cluster in each location
- LAN extensions using OTV
- New state created after moves
- No state synchronization
[Diagram, DC-1 and DC-2: user, ITR, M-DB, ETRs, HSRP filters, VIP, LAN extension; steps 1 to 7 marked on the path]
31 Traditional ASA deployment across Multiple DC: LISP Extended Subnet Mode with stateful devices in Act/Standby mode (hot migration)
1 - End user sends a request to App
2 - ITR intercepts the Req and checks the localization
3 - MS replies location for being ETR DC; ITR encaps the packet and sends it to RLOC ETR-DC-1
4 - LISP multi-hop informs ETR on DC-2 about the move of App
5 - Meanwhile ETR DC-2 informs MS about the new location of App
6 - MS updates ETR DC-1
7 - ETR DC-1 updates its table (App:Null0)
8 - ITR sends traffic to ETR DC-1
9 - ETR DC-1 replies with a Solicit Map Req
8 - ITR sends a Map Req and redirects the Req to ETR DC-2
- Source NAT is required for one-way symmetric establishment
- Stateful migration is not achieved from a TCP flow point of view; however, the HTTP session is kept alive
[Diagram, DC-1, DC-2 and DC-3: M-DB ("Update your table"); ITR; ETRs ("App has moved", "App is located in ETR-DC-2"); routed mode with Src NAT in each DC; inside VLAN; HSRP filters; front-end VLAN; back-end VLAN]
32 Traditional ASA deployment across Multiple DC: LISP Across Subnet Mode with stateful devices in Act/Standby mode (cold migration)
1 - End user sends a request to App
2 - ITR intercepts the Req and checks the localization
3 - MS replies location for being ETR DC; ITR encaps the packet and sends it to RLOC ETR-DC-1
4 - LISP multi-hop informs ETR on DC-2 about the move of App
5 - ETR DC-2 informs MS about the new location of App
6 - MS updates ETR DC-1
7 - ETR DC-1 updates its table (App:Null0)
8 - ITR sends traffic to ETR DC-1
9 - ETR DC-1 replies Solicit Map Req
8 - ITR sends a Map Req and redirects the Req to ETR DC-2
- One-way symmetric establishment cannot be achieved without VLAN extension between DCs
- Cold migration implies the server restarts
[Diagram, DC-1, DC-2 and DC-3: M-DB ("Update your table"); ITR; ETRs ("App has moved"); Subnet B; Subnet C]
33 Single ASA Clustering stretched across Multiple DC: LISP Extended Subnet Mode with ASA clustering (stateful live migration)
1 - End user sends a request to App
2 - ITR intercepts the Req and checks the localization
3 - MS replies location for being ETR DC; ITR encaps the packet and sends it to RLOC ETR-DC-1
4 - LISP multi-hop informs ETR on DC-2 about the move of App
5 - Meanwhile ETR DC-2 informs MS about the new location of App
6 - MS updates ETR DC-1
7 - ETR DC-1 updates its table (App:Null0)
8 - ITR sends traffic to ETR DC-1
9 - ETR DC-1 replies with a Solicit Map Req
8 - ITR sends a Map Req and redirects the Req to ETR DC-2
- One-way symmetric establishment is achieved via the CCL
- Current active sessions are maintained stateful
- Ingress flows for new sessions are optimized
[Diagram, DC-1, DC-2 and DC-3: M-DB ("Update your table"); ITR; ETRs ("App has moved", "App is located in ETR-DC-2"); director and owner joined by the ASA Cluster Control Link; HSRP filters; front-end VLAN; back-end VLAN]
34 Single ASA Clustering stretched across Multiple DC: LISP Across Subnet Mode with ASA clustering (cold migration)
1 - End user sends a request to App
2 - ITR intercepts the Req and checks the localization
3 - MS replies location for being ETR DC; ITR encaps the packet and sends it to RLOC ETR-DC-1
4 - LISP multi-hop informs ETR on DC-2 about the move of App
5 - ETR DC-2 informs MS about the new location of App
6 - MS updates ETR DC-1
7 - ETR DC-1 updates its table (App:Null0)
8 - ITR sends traffic to ETR DC-1
9 - ETR DC-1 replies Solicit Map Req
8 - ITR sends a Map Req and redirects the flow to ETR DC-2
- Cold migration implies the server restarts
- There is no added value in stretching the ASA cluster across the sites for cold migration
[Diagram, DC-1, DC-2 and DC-3: M-DB ("Update your table"); ITR; ETRs ("App has moved"); director and owner joined by the ASA Cluster Control Link; Subnet B; Subnet C]
35 ASA Clustering per DC across Multiple sites: LISP Across Subnet Mode with ASA clustering (cold migration)
1 - End user sends a request to App
2 - ITR intercepts the Req and checks the localization
3 - MS replies location for being ETR DC; ITR encaps the packet and sends it to RLOC ETR-DC-1
4 - LISP multi-hop informs ETR on DC-2 about the move of App
5 - ETR DC-2 informs MS about the new location of App
6 - MS updates ETR DC-1
7 - ETR DC-1 updates its table (App:Null0)
8 - ITR sends traffic to ETR DC-1
9 - ETR DC-1 replies Solicit Map Req
8 - ITR sends a Map Req and redirects the Req to ETR DC-2
- Solution designed for cold migration only
- Preferred choice for cold migration
- Cold migration implies the server restarts
[Diagram, DC-1, DC-2 and DC-3: M-DB ("Update your table"); ITR; ETRs ("App has moved"); an owner, a director and a CCL in each DC; Subnet B; Subnet C]
36 Stateful device placement with DCI: key takeaways
- The Ping-Pong effect might have a bad impact in terms of performance with long distances: greedy bandwidth, latency
- For Metro Virtual DC, it is commonly accepted to distribute traditional A/S stateful devices between 2 Twin DCs (for short metro distances, +/- 10 km max): keeps transparency and is easy to operate; limited to 2 active DCs; only 1 FW is active at a time
- The preferred method is to deploy stretched ASA clustering for Metro VDC: easy to operate with all ASAs active; not limited to 2 active DCs
- LISP is the good choice for ingress path optimization: GSLB (DNS and KAP-AP) can help to redirect the traffic accordingly, but may face some caveats with proxy DNS and client caching; RHI can help but offers app-based granularity only for an intranet core (the enterprise owns the L3 core)
- The recommended choice is ASA clustering in conjunction with traditional DNS and LISP mobility: stretched across multiple DCs with LAN extension for hot migration; confined inside each DC without LAN extension for cold migration
- ASA clustering stretched across multiple sites is not yet supported, as not fully tested. Stay tuned
37 Thank you
CHAPTER 2 To configure IOS SLB, you should understand the following concepts: Overview, page 2-1 Benefits of IOS SLB, page 2-3 Cisco IOS SLB Features, page 2-4 This section describes the general features
More informationQ-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ
Q-Balancer Range FAQ The Q-Balance LB Series The Q-Balance Balance Series is designed for Small and medium enterprises (SMEs) to provide cost-effective solutions for link resilience and load balancing
More informationLoad Balancing Bloxx Web Filter. Deployment Guide v Copyright Loadbalancer.org
Load Balancing Bloxx Web Filter Deployment Guide v1.3.5 Copyright Loadbalancer.org Table of Contents 1. About this Guide...4 2. Loadbalancer.org Appliances Supported...4 3. Loadbalancer.org Software Versions
More informationLessons Learned Operating Active/Active Data Centers Ethan Banks, CCIE
Lessons Learned Operating Active/Active Data Centers Ethan Banks, CCIE #20655 @ecbanks Senior Network Architect, Carenection Co-founder, Packet Pushers Interactive http://ethancbanks.com http://packetpushers.net
More informationChapter 5. Enterprise Data Center Design
Chapter 5 Enterprise Data Center Design 1 Enterprise Data Center The data center is home to the computational power, storage, and applications necessary to support an enterprise business. Performance Resiliency
More informationNAT Box-to-Box High-Availability Support
The feature enables network-wide protection by making an IP network more resilient to potential link and router failures at the Network Address Translation (NAT) border. NAT box-to-box high-availability
More informationSegmentation. Threat Defense. Visibility
Segmentation Threat Defense Visibility Establish boundaries: network, compute, virtual Enforce policy by functions, devices, organizations, compliance Control and prevent unauthorized access to networks,
More informationCisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003
Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Agenda ACI Introduction and Multi-Fabric Use Cases ACI Multi-Fabric Design Options ACI Stretched Fabric Overview
More informationEvolution of Data Center Security Automated Security for Today s Dynamic Data Centers
Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Speaker: Mun Hossain Director of Product Management - Security Business Group Cisco Twitter: @CiscoDCSecurity 2 Any
More informationLoad Balancing Web Proxies / Filters / Gateways. Deployment Guide v Copyright Loadbalancer.org
Load Balancing Web Proxies / Filters / Gateways Deployment Guide v1.6.5 Copyright Loadbalancer.org Table of Contents 1. About this Guide...4 2. Loadbalancer.org Appliances Supported...4 3. Loadbalancer.org
More informationNexus 7000/5000/2000/1000v Deployment Case Studies
Nexus 7000/5000/2000/1000v Deployment Case Studies Session Goal Understand how to design a scalable data center based upon customer requirements How to choose different flavor of the designs using Nexus
More informationASA Cluster for the Firepower 9300 Chassis
Clustering lets you group multiple Firepower 9300 chassis ASAs together as a single logical device. The Firepower 9300 chassis series includes the Firepower 9300. A cluster provides all the convenience
More informationWhat is New in Cisco ACE 4710 Application Control Engine Software Release 3.1
What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 PB478675 Product Overview The Cisco ACE Application Control Engine 4710 represents the next generation of application switches
More informationConfiguring Real Servers and Server Farms
6 CHAPTER This section provides an overview of server load balancing and procedures for configuring real servers and server farms for load balancing on an ACE appliance. When you use the ACE CLI to configure
More informationGUIDE. Optimal Network Designs with Cohesity
Optimal Network Designs with Cohesity TABLE OF CONTENTS Introduction...3 Key Concepts...4 Five Common Configurations...5 3.1 Simple Topology...5 3.2 Standard Topology...6 3.3 Layered Topology...7 3.4 Cisco
More informationIdentity Firewall. About the Identity Firewall
This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History
More informationASA Cluster for the Firepower 4100/9300 Chassis
Clustering lets you group multiple Firepower 4100/9300 chassis ASAs together as a single logical device. The Firepower 4100/9300 chassis series includes the Firepower 9300 and Firepower 4100 series. A
More informationIOS Server Load Balancing Feature in IOS Release 12.2(18)SXF5
IOS Server Load Balancing Feature in IOS Release 12.2(18)SXF5 Feature History Release 12.0(7)XE 12.1(1)E Modification This feature was introduced with support for the following platforms: Multilayer Switch
More informationScalability of web applications
Scalability of web applications CSCI 470: Web Science Keith Vertanen Copyright 2014 Scalability questions Overview What's important in order to build scalable web sites? High availability vs. load balancing
More informationHigh Availability Options
, on page 1 Load Balancing, on page 2 Distributed VPN Clustering, Load balancing and Failover are high-availability features that function differently and have different requirements. In some circumstances
More informationDeployment Scenarios for Standalone Content Engines
CHAPTER 3 Deployment Scenarios for Standalone Content Engines This chapter introduces some sample scenarios for deploying standalone Content Engines in enterprise and service provider environments. This
More informationASA Cluster for the Firepower 4100/9300 Chassis
Clustering lets you group multiple Firepower 4100/9300 chassis ASAs together as a single logical device. The Firepower 4100/9300 chassis series includes the Firepower 9300 and Firepower 4100 series. A
More informationConfiguring NAT for IP Address Conservation
This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about
More informationApplication Networking Optimizing Oracle E-Business Suite 12i Across the WAN
Application Networking Optimizing Oracle E-Business Suite 12i Across the WAN October 6, 2008 Introduction This document presents network design practices to enhance an Oracle E-Business Suite12i application
More informationSD-WAN Deployment Guide (CVD)
SD-WAN Deployment Guide (CVD) All Cisco Meraki security appliances are equipped with SD-WAN capabilities that enable administrators to maximize network resiliency and bandwidth efficiency. This guide introduces
More informationData Center Interconnect Solution Overview
CHAPTER 2 The term DCI (Data Center Interconnect) is relevant in all scenarios where different levels of connectivity are required between two or more data center locations in order to provide flexibility
More informationInformation About Cisco IOS SLB
Information About Cisco IOS SLB Overview Information About Cisco IOS SLB Last Updated: April 27, 2011 To configure IOS SLB, you should understand the following concepts: Note Some IOS SLB features are
More informationPass-Through Technology
CHAPTER 3 This chapter provides best design practices for deploying blade servers using pass-through technology within the Cisco Data Center Networking Architecture, describes blade server architecture,
More informationCisco IOS LISP Application Note Series: Access Control Lists
Cisco IOS LISP Application Note Series: Access Control Lists Version 1.1 (28 April 2011) Background The LISP Application Note Series provides targeted information that focuses on the integration and configuration
More informationApplication Networking Optimizing Oracle E-Business Suite 11i across the WAN
Application Networking Optimizing Oracle E-Business Suite 11i across the WAN This document provides network design best practices to enhance an Oracle E-Business Suite 11i application environment across
More informationConfiguring NAT for IP Address Conservation
This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about
More informationLARGE SCALE DYNAMIC MULTIPOINT VPN
LARGE SCALE DYNAMIC MULTIPOINT VPN NOVEMBER 2004 1 INTRODUCTION Presentation_ID 2004, Cisco Systems, Inc. All rights reserved. 2 Dynamic Multipoint VPN Facts Dynamic Multipoint VPN (DMVPN) can work with
More informationConfiguring Static and Dynamic NAT Translation
This chapter contains the following sections: Network Address Translation Overview, page 1 Information About Static NAT, page 2 Dynamic NAT Overview, page 4 Timeout Mechanisms, page 4 NAT Inside and Outside
More informationASA Cluster for the Firepower 9300 Chassis
Clustering lets you group multiple Firepower 9300 chassis ASAs together as a single logical device. The Firepower 9300 chassis series includes the Firepower 9300. A cluster provides all the convenience
More informationCisco Application Networking for Microsoft Office Communications Server 2007 Deployment Guide
Cisco Application Networking for Microsoft Office Communications Server 2007 Deployment Guide Cisco Validated Design February 18, 2009 Integrating Microsoft Office Communications Server 2007 into the Cisco
More informationDesigning Solution with Cisco Intrusion Prevention Systems
Designing Solution with Cisco Intrusion Prevention Systems Petr Růžička, CSE CCIE #20166 1 Session Abstract IPS technology could be placed in many different places in the network and as such it has to
More informationPrepKing. PrepKing
PrepKing Number: 642-961 Passing Score: 800 Time Limit: 120 min File Version: 6.8 http://www.gratisexam.com/ PrepKing 642-961 Exam A QUESTION 1 Which statement best describes the data center core layer?
More informationInternetwork Expert s CCNP Bootcamp. Gateway Redundancy Protocols & High Availability. What is High Availability?
Internetwork Expert s CCNP Bootcamp Gateway Redundancy Protocols & High Availability http:// What is High Availability? Ability of the network to recover from faults in timely fashion Service availability
More informationRelease Notes for Catalyst 6500 Series Content Switching Module Software Release 3.1(9)
Release Notes for Catalyst 6500 Series Content Switching Module Software Release 3.1(9) November 2, 2004 Previous Releases 3.1(8), 3.1(7), 3.1(6), 3.1(5), 3,1(4), 3,1(3), 3,1(2), 3.1(1a), 3.1(1) This publication
More informationLayer-4 to Layer-7 Services
Overview, page 1 Tenant Edge-Firewall, page 1 LBaaS, page 2 FWaaS, page 4 Firewall Configuration, page 6 Overview Layer-4 through Layer-7 services support(s) end-to-end communication between a source and
More informationCisco Virtual Networking Solution Nexus 1000v and Virtual Services. Abhishek Mande Engineer
Cisco Virtual Networking Solution Nexus 1000v and Virtual Services Abhishek Mande Engineer mailme@cisco.com Agenda Application requirements in virtualized DC The Anatomy of Nexus 1000V Virtual Services
More informationFinding Feature Information
This module describes how to configure Network Address Translation (NAT) for IP address conservation and how to configure inside and outside source addresses. This module also provides information about
More informationHigh Availability Synchronization PAN-OS 5.0.3
High Availability Synchronization PAN-OS 5.0.3 Revision B 2013, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Device Configuration... 4 Network Configuration... 9 Objects Configuration...
More informationIntroduction to External Connectivity
Before you begin Ensure you know about Programmable Fabric. Conceptual information is covered in the Introduction to Cisco Programmable Fabric and Introducing Cisco Programmable Fabric (VXLAN/EVPN) chapters.
More informationDisclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
NET1416BE NSX Logical Routing Yves Hertoghs Pooja Patel #VMworld #NET1416BE Disclaimer This presentation may contain product features that are currently under development. This overview of new technology
More informationConfiguring Answers and Answer Groups
CHAPTER 6 Configuring Answers and Answer Groups This chapter describes how to create and configure answers and answer groups for your GSS network. It contains the following major sections: Configuring
More informationConfiguring Answers and Answer Groups
CHAPTER 6 This chapter describes how to create and configure answers and answer groups for your GSS network. It contains the following major sections: Configuring and Modifying Answers Configuring and
More informationConfiguring VIP and Virtual Interface Redundancy
CHAPTER 6 Configuring VIP and Virtual Interface Redundancy This chapter describes how to plan for and configure virtual IP (VIP) redundancy and virtual interface redundancy on the CSS. Information in this
More informationConfiguring Routes on the ACE
CHAPTER2 This chapter describes how the ACE is considered a router hop in the network when it is in routed mode. In the Admin or user contexts, the ACE supports static routes only. The ACE supports up
More informationWCCP Network Integration with Cisco Catalyst 6500: Best Practice Recommendations for Successful Deployments
WCCP Network Integration with Cisco Catalyst 6500: Best Practice Recommendations for Successful Deployments What You Will Learn This document is intended for network engineers deploying the Cisco Catalyst
More informationConfiguring Virtual Servers, Maps, and Policies
6 CHAPTER This chapter describes how to configure content switching and contains these sections: Configuring Virtual Servers, page 6-1 Configuring Maps, page 6-9 Configuring Policies, page 6-11 Configuring
More informationData Center InterConnect (DCI) Technologies. Session ID 20PT
Data Center InterConnect (DCI) Technologies Session ID 20PT Session Objectives The main goals of this session are: Highlighting the main business requirements driving Data Center Interconnect (DCI) deployments
More informationCisco Application Networking Services for VMware Virtual Desktop Infrastructure
Cisco Application Networking Services for VMware Virtual Desktop Infrastructure Deployment Guide 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Contents Introduction...
More informationPrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps
PrepAwayExam http://www.prepawayexam.com/ High-efficient Exam Materials are the best high pass-rate Exam Dumps Exam : 300-160 Title : Designing Cisco Data Center Unified Computing Vendor : Cisco Version
More informationENTERPRISE. Brief selected topics. Jeff Hartley, SP ADP SE
IPv6 TRANSITION FOR THE ENTERPRISE Brief selected topics Jeff Hartley, SP ADP SE Observations on IPv6 Deployment Trends Where do successful sites commonly deploy first? Upstream Connectivity (Transit/Border/Peering/etc.)
More informationSetting General VPN Parameters
CHAPTER 62 The adaptive security appliance implementation of virtual private networking includes useful features that do not fit neatly into categories. This chapter describes some of these features. It
More informationConfiguring Cisco ACE for Load Balancing Cisco Identity Service Engine (ISE)
Configuring Cisco ACE for Load Balancing Cisco Identity Service Engine (ISE) Craig Hyps Principal Technical Marketing Engineer, Cisco Systems Sample ACE Configuration 2 Health Probes and Real Servers Define
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco
More informationVeloCloud Cloud-Delivered WAN Fast. Simple. Secure. KUHN CONSULTING GmbH
VeloCloud Cloud-Delivered WAN Fast. Simple. Secure. 1 Agenda 1. Overview and company presentation 2. Solution presentation 3. Main benefits to show to customers 4. Deployment models 2 VeloCloud Company
More informationRouting Overview. Information About Routing CHAPTER
21 CHAPTER This chapter describes underlying concepts of how routing behaves within the ASA, and the routing protocols that are supported. This chapter includes the following sections: Information About
More informationMigrate from Cisco Catalyst 6500 Series Switches to Cisco Nexus 9000 Series Switches
Migration Guide Migrate from Cisco Catalyst 6500 Series Switches to Cisco Nexus 9000 Series Switches Migration Guide November 2013 2013 Cisco and/or its affiliates. All rights reserved. This document is
More informationRouting Overview. Path Determination
This chapter describes underlying concepts of how routing behaves within the Cisco ASA, and the routing protocols that are supported. Routing is the act of moving information across a network from a source
More information