Implementing Data Center Services (Interoperability, Design and Deployment) BRKDCT, Cisco Systems, Inc. All rights reserved.
2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Agenda
- Data Center Components
- Server Load Balancing (Content Switching)
- SSL Offload
- Security (Firewall)
- Integrated Data Center Services Design Options
- Real World Deployments

Data Center Components
Acronyms
- ACE: Application Control Engine
- BGP: Border Gateway Protocol
- Cat4000: Cisco Catalyst 4000
- Cat6500: Cisco Catalyst 6500
- CE: Cisco Content Engine
- CSA: Cisco Security Agent (host-based intrusion prevention)
- CSM: Cisco Content Switching Service Module on Cat6500
- CSS: Cisco Content Services Switch (CSS11000 and CSS11500 family)
- FWSM: Cisco Firewall Service Module on Cat6500
- HSRP: Hot Standby Routing Protocol
- GSS: Global Site Selector
- IDSM: Cisco Intrusion Detection Service Module on Cat6500
- LMS: CiscoWorks LAN Management Solution
- MAC: Media Control
- MSFC: Multilayer Switching Feature Card
- NAM: Cisco Network Analysis Service Module on Cat6500
- OSPF: Open Shortest Path First
- PBR: Policy Based Routing
- SLB: Server Load Balancing
- SSL: Secure Socket Layer
- SSLM: Cisco SSL Offload Service Module on Cat6500
- VMS: CiscoWorks VPN/Security Management Solution
- VPN-SM/SPA: Cisco Virtual Private Network Service Module on Cat

Data Center Residents
- Presentation Servers: web front-end servers that provide the interface to the clients, e.g., Apache, IIS, etc.
- Business Logic Servers: also known as middleware; custom applications
- DB Servers: Oracle, Sybase, etc.
- Data: NAS, SAN
Data Center Elements
- Network Infrastructure Solution: routers and switches (Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000)
- Layers 4-7 Services Solution: ACE, CSM, SSLM, CSS, CE, GSS
- Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Network Security Solution: PIX, FWSM, IDSM, VPNSM, CSA
- Management and Instrumentation Solution: terminal servers, NAM, CiscoWorks LMS/VMS, HSE
- Storage Solution: MDS
Data Center Elements: Redundancy
- Network Infrastructure Solution (routers and switches: Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000): HSRP, RPR, SSO, RPVST
- Layers 4-7 Services Solution (ACE, CSM, SSLM, CSS, CE, GSS) and Network Security Solution (PIX, FWSM, IDSM, VPNSM, CSA): % availability; stateful redundancy desired on CSM and FWSM
- Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Management and Instrumentation Solution: terminal servers, NAM, CiscoWorks LMS/VMS, HSE
- Storage Solution: MDS

Data Center Elements: Scalability
- Network Infrastructure Solution (routers and switches: Cisco GSRs, Catalyst 6500, Catalyst 4500, Nexus 5000/7000): Core, Aggregation/Distribution/Services model
- Layers 4-7 Services Solution (ACE, CSM, SSLM, CSS, CE, GSS): flexible and simple growth; ability to scale to multiple services modules (ACE, SSLM, etc.); capabilities desired
- Network Security Solution: PIX, FWSM, IDSM, VPNSM, CSA
- Application Solution: Linux/HP, Solaris/SunFire, WebLogic, J2EE custom app, etc.
- Database Solution: Linux/HP, Solaris/SunFire, Oracle 10G RAC, etc.
- Management and Instrumentation Solution: terminal servers, NAM, CiscoWorks LMS/VMS, HSE
- Storage Solution: MDS
Data Center Elements: Security
- Network Infrastructure Solution (routers and switches) and Layers 4-7 Services Solution (ACE, CSM, SSLM, CSS, CE, GSS): protection against DoS attacks and worm activity
- Network Security Solution (PIX, FWSM, IDSM, VPNSM, CSA): protection of infrastructure devices from unauthorized access
- Application Solution and Database Solution: protection of information/data
- Management and Instrumentation Solution: terminal servers, NAM, CiscoWorks LMS/VMS, HSE
- Storage Solution: MDS

Typical Data Center Topology
(Diagram: Internal Network; Service Provider A and Service Provider B toward the Internet; Edge Routers; Core Switches; Aggregation Switches; Access Switches; Web Tier, Application Tier and Database Tier.)
Distributed Data Centers
Data center services: server load balancing and health monitoring, caches, SSL offload, firewall, and intrusion detection.
(Diagram: App A and App B hosted in both the Production Data Center and the Backup Data Center, connected over an IP network, with the FC storage networks linked by an FCIP link.)

Server Load Balancing
Please visit BRKAPP-2002: Server Load Balancing Design
Server Load Balancing
- Also known as content switching; one of the single most important infrastructure services in the data center
- Key purpose: load distribution of requests. The requests could come from Internet, intranet, or extranet clients.
- Layers 3 to 7 content switching capabilities are available, with extensive keepalive (server health check) functionality
- A Layer 4 or Layer 7 proxy can be used as a security perimeter
- Functions: application redundancy, load distribution, application health checks, communication of load to the GSLB device

Content switching design decisions:
- Application protocol and ports (listener ports)
- End-to-end application flows
- Direct server access
- Server management
- Server-initiated sessions
- Infrastructure design

Content Switching Design Approaches: Bridged Mode Design
(Diagram: Core-1/Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data link; ACE 1 and ACE 2 (standby) with an FT link; ACE client-side VLAN /24 and ACE server-side VLAN /24.)
Key content switching design options:
- Bridged mode design
- Routed mode design with MSFC on client side
- Routed mode design with MSFC on server side
- One-armed design
(1) Bridged mode design considerations:
- Servers' default gateway is the HSRP group IP address on the MSFC
- Broadcast/multicast/route update traffic bridges through
- No extra configuration for direct access to servers or server-initiated sessions
- RHI possible
- Load balancer inline for all traffic
- Easily deployed in existing networks
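The slide lists application health checks, load distribution and application redundancy as the core SLB functions, and the later configuration snippets attach a TCP probe to a server farm. The following Python model, added here as an illustration and not code from the presentation or from Cisco, shows how those pieces interact: each real server behind a VIP is probed with a TCP handshake, a real is taken out of service after a run of failed probes and readmitted after a run of passes, and new connections are distributed round-robin over the reals currently in service. The listeners, ports and thresholds are constructed for the example; real load balancers make the thresholds and probe types configurable.

```python
import socket
import threading
from typing import Callable, Dict, List, Optional, Tuple

Real = Tuple[str, int]  # (address, port) of one real server


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Start a throwaway TCP listener on an ephemeral port; it stands in for a real server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was shut down
                return
            conn.close()             # a TCP probe only needs the handshake

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_listener(srv: socket.socket) -> None:
    """Take a constructed real server down (shutdown wakes the accept loop, then close)."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def closed_port(host: str = "127.0.0.1") -> int:
    """Pick a port with nothing listening on it, to stand in for a dead real server."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def tcp_probe(real: Real, timeout: float = 0.5) -> bool:
    """Keepalive: the real is healthy if a TCP handshake to its listener completes."""
    try:
        with socket.create_connection(real, timeout=timeout):
            return True
    except OSError:
        return False


class ServerFarm:
    """Reals behind one VIP; probes drive in-service state, selection is round-robin."""

    def __init__(self, reals: List[Real], probe: Callable[[Real], bool] = tcp_probe,
                 fail_threshold: int = 3, pass_threshold: int = 2) -> None:
        self.probe = probe
        self.fail_threshold = fail_threshold   # consecutive failures before a real is taken out
        self.pass_threshold = pass_threshold   # consecutive passes before it is put back
        self.state: Dict[Real, dict] = {r: {"inservice": True, "fails": 0, "passes": 0} for r in reals}
        self._rr = 0

    def run_probes(self) -> List[Real]:
        """One probe cycle over all reals; returns the reals now in service."""
        for real, st in self.state.items():
            if self.probe(real):
                st["fails"], st["passes"] = 0, st["passes"] + 1
                if not st["inservice"] and st["passes"] >= self.pass_threshold:
                    st["inservice"] = True
            else:
                st["passes"], st["fails"] = 0, st["fails"] + 1
                if st["fails"] >= self.fail_threshold:
                    st["inservice"] = False
        return self.inservice()

    def inservice(self) -> List[Real]:
        return [r for r, st in self.state.items() if st["inservice"]]

    def select(self) -> Optional[Real]:
        """Pick the next in-service real for a new client connection (None: VIP has no reals left)."""
        live = self.inservice()
        if not live:
            return None
        real = live[self._rr % len(live)]
        self._rr += 1
        return real


if __name__ == "__main__":
    srv_a, port_a = start_listener()
    srv_b, port_b = start_listener()
    farm = ServerFarm([("127.0.0.1", port_a), ("127.0.0.1", port_b), ("127.0.0.1", closed_port())])
    for _ in range(3):
        print("in service:", farm.run_probes())
    stop_listener(srv_a)          # simulate a real server failing
    for _ in range(3):
        print("in service:", farm.run_probes())
    print("next real:", farm.select())
```

The thresholds matter from a security standpoint as much as an availability one: a single failed probe should not eject a real (a burst of load or a transient filter hit would otherwise empty the farm), and a real that has been marked down should need several consecutive passes before it receives client traffic again.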
Content Switching Design Approaches: Bridged Mode Configuration
CSM:
  module ContentSwitchingModule 4
   vlan 10 client
    ip address
    gateway
    alias
   vlan 20 server
    ip address
MSFC:
  interface Vlan10
   ip address
   standby 10 ip
   standby 10 priority 110
   standby 10 preempt
ACE:
  interface vlan 10
   bridge-group 10
   access-group input anyone
   access-group output anyone
   no shutdown
  interface vlan 20
   bridge-group 10
   access-group input anyone
   access-group output anyone
   no shutdown
  interface bvi 10
   ip address
   alias
   peer ip address
   no shutdown
  ip route

Content Switching Design Approaches: Bridged Mode BPDU Forwarding
ACE configuration to allow BPDUs through the bridged VLAN pair:
  access-list bpduallow ethertype permit bpdu
  interface vlan 10
   bridge-group 10
   access-group input bpduallow
   no shutdown
  interface vlan 20
   bridge-group 10
   access-group input bpduallow
   no shutdown
Content Switching Design Approaches: Routed Mode Design
(Diagrams: Core-1/Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data link; ACE 1 and ACE 2 (standby) with an FT link on VLANs 10, 20 and 30; ACE client-side VLAN /24, ACE server-side VLANs /24 and server VLANs /24.)
(2A) Routed mode design with MSFC on client side:
- Servers' default gateway is the alias IP on the CSM/ACE
- Extra configuration needed for direct access to servers and non-load-balanced server-initiated sessions
- CSM/ACE's default gateway is the HSRP group IP address on the MSFC
- RHI possible
- Load balancer inline for all traffic
(2B) Routed mode design with MSFC on server side:
- Servers' default gateway is the HSRP group IP address on the MSFC
- Extra configuration needed (simpler than option 2A) for direct access to servers and non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the core router
- RHI not possible
- Server-to-server communication bypasses the load balancer
(2C) Routed mode design with VRF-Lite:
- ACE 1 and ACE 2 (standby) each connect to a VRF-Lite server instance on the aggregation switches
- Servers' default gateway is the HSRP group IP address on the VLANs (SVIs) within the VRF-Lite instance
- Extra configuration needed (simpler than option 2A) for direct access to servers and non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the global MSFC's HSRP IP address
- RHI is possible
- Server-to-server communication bypasses the load balancer
Content Switching Design Approaches: Routed Mode Configuration
CSM:
  module ContentSwitchingModule 4
   vlan 10 client
    ip address
    gateway
    alias
   vlan 20 server
    ip address
    alias
   vlan 30 server
    ip address
    alias
MSFC:
  interface Vlan10
   ip address
   standby 10 ip
   standby 10 priority 110
   standby 10 preempt
ACE:
  interface vlan 10
   ip address
   alias
   peer ip address
   no shutdown
  interface vlan 20
   ip address
   alias
   peer ip address
   no shutdown
  interface vlan 30
   ip address
   alias
   peer ip address
   no shutdown
  ip route

Content Switching Design Approaches: One-Armed Mode Design
(Diagram: Core-1/Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data link; ACE on VLAN 10 and ACE 2 (standby) with an FT link; LB server-side VLAN /24 and server VLANs /24.)
(3) One-armed design considerations:
- Servers' default gateway is the HSRP group IP address on the MSFC
- No extra configuration for direct access to servers or server-initiated sessions
- RHI possible
- CSM/ACE inline only for server load-balanced traffic
- Only policy-based routing or source NAT can be used to redirect server return traffic to the load balancer
Content Switching Design Approaches: One-Armed Mode PBR Configuration
MSFC:
  interface Vlan10
   ip address
   standby 10 ip
   standby 10 priority 110
   standby 10 preempt
  interface Vlan20
   ip address
   ip policy route-map FromServersToSLB
   standby 20 ip
   standby 20 priority 110
   standby 20 preempt
  access-list 121 permit tcp any eq telnet any
  access-list 121 permit tcp any eq www any
  access-list 121 permit tcp any eq 443 any
  access-list 121 deny ip any any
  route-map FromServersToSLB permit 10
   match ip address 121
   set ip next-hop
CSM, asymmetric routing:
  module ContentSwitchingModule 4
   variable ROUTE_UNKNOWN_FLOW_PKTS 2
ACE, asymmetric routing:
  interface vlan 10
   ip address
   alias
   peer ip address
   no normalization
   access-group input anyone
   access-group output anyone
   no shutdown

Content Switching Design Approaches: One-Armed Mode Source-NAT Configuration
CSM:
  module ContentSwitchingModule 4
   natpool SRC_NAT netmask
   serverfarm SFARM_NAT
    nat server
    nat client SRC_NAT
    real
     inservice
    real
     inservice
    probe TCP
ACE:
  policy-map multi-match SLB-TELNET-POLICY
   class SLB-TELNET
    loadbalance vip inservice
    loadbalance policy TELNET-POLICY-TYPE
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 10
  interface vlan 10
   ip address
   alias
   peer ip address
   no normalization
   access-group input anyone
   access-group output anyone
   nat-pool netmask pat
   no shutdown
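The one-armed design slides state that server return traffic reaches the load balancer only through policy-based routing or source NAT, and the configurations above (and the PBR route-map in the real-world deployment later in the deck) show the two mechanisms. The Python walk-through below is an added illustration, not code from the presentation or from Cisco; it traces one load-balanced connection through the MSFC and ACE under three settings (no redirection, PBR with the slide's access-list 121 ports, and source NAT) and reports whether the client ends up with a reply sourced from the VIP. All addresses are constructed, the port set comes from access-list 121 on the slide, and the forwarding rules are a simplification of what the MSFC and ACE do.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed addresses for the walk-through (not taken from the slides).
CLIENT = "10.0.0.5"            # client somewhere beyond the core
VIP = "192.0.2.10"             # VIP hosted by the ACE on its one-armed VLAN
ACE_VLAN_PREFIX = "192.0.2."   # the ACE VLAN: VIP, alias and NAT pool all live here
SNAT_POOL = "192.0.2.100"      # ACE source-NAT pool address ("nat dynamic" / "nat client")
REAL = "198.51.100.11"         # a real server on a server VLAN behind the MSFC
PBR_PORTS = {23, 80, 443}      # access-list 121 on the slide: telnet, www, 443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def ace_forward(pkt: Packet, mode: str) -> Packet:
    """ACE picks a real for a client->VIP packet. With source NAT the client
    address is replaced by the pool address; otherwise it is preserved."""
    src = SNAT_POOL if mode == "snat" else pkt.src
    return Packet(src, REAL, pkt.sport, pkt.dport)


def msfc_next_hop(pkt: Packet, mode: str) -> str:
    """MSFC forwarding for a packet arriving on the server VLAN SVI.
    Destinations on the ACE VLAN are routed to the ACE; with PBR ('ip policy
    route-map' on the server SVI) replies matching the access list are also sent
    to the ACE alias; everything else follows the normal route to the client."""
    if pkt.dst.startswith(ACE_VLAN_PREFIX):
        return "ace"
    if mode == "pbr" and pkt.sport in PBR_PORTS:
        return "ace"              # set ip next-hop <ACE alias>
    return "client"


def ace_reverse(pkt: Packet, mode: str) -> Packet:
    """ACE undoes its translations on the server reply: the real becomes the VIP
    as source, and the pool address becomes the original client when source NAT is used."""
    dst = CLIENT if mode == "snat" else pkt.dst
    return Packet(VIP, dst, pkt.sport, pkt.dport)


def trace(mode: str, dport: int) -> Dict[str, object]:
    """Walk one load-balanced connection and report what the client finally sees."""
    request = Packet(CLIENT, VIP, 40000, dport)
    to_real = ace_forward(request, mode)
    # The server answers whichever source address it saw, via its default gateway (the MSFC).
    reply = Packet(to_real.dst, to_real.src, to_real.dport, to_real.sport)
    hop = msfc_next_hop(reply, mode)
    if hop == "ace":
        reply = ace_reverse(reply, mode)
    # The client opened a connection to the VIP; a reply sourced from the real's own
    # address does not belong to that connection and is dropped by the client stack.
    return {"via_ace": hop == "ace", "reply_src": reply.src, "works": reply.src == VIP}


def compare_modes() -> Dict[str, bool]:
    """Whether the connection works for each (mode, service port) combination."""
    cases = {"none/80": ("none", 80), "pbr/80": ("pbr", 80),
             "pbr/8080": ("pbr", 8080), "snat/8080": ("snat", 8080)}
    return {name: trace(mode, port)["works"] for name, (mode, port) in cases.items()}


if __name__ == "__main__":
    for name, ok in compare_modes().items():
        print(f"{name:10s} {'ok' if ok else 'broken: reply bypasses the ACE'}")
```

The "pbr/8080" case is the operational caveat: a PBR access list only redirects the ports it names, so every load-balanced listener port must appear in it or replies for that service silently bypass the load balancer. Source NAT has no such per-port dependency, but the real servers then log the pool address instead of the client address, so client identity has to travel another way (an inserted HTTP header, for instance). PBR also catches replies for connections that never went through the load balancer, such as a direct telnet to a real on port 23, which is why the slide's CSM and ACE "asymmetric routing" snippets relax unknown-flow handling (ROUTE_UNKNOWN_FLOW_PKTS, no normalization).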
Content Switching Design Approaches: Virtual Contexts in ACE
(Diagrams: Core-1/Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data link; ACE1/ACE2 with a control VLAN and transparent virtual contexts; VC_A VLAN /24, VC_B VLAN /24, ACE-to-MSFC VLAN /24, VC_1 VLAN /24 and VC_2 VLAN /24.)
(4A) Bridged context:
  context VC_A
   allocate-interface vlan 2
   allocate-interface vlan 20
   member VC_A_RESRC
  context VC_B
   allocate-interface vlan 3
   allocate-interface vlan 30
   member VC_B_RESRC
(4B) Routed context:
  context VC_A
   allocate-interface vlan 12
   allocate-interface vlan 21
   allocate-interface vlan 22
   member VC_1_RESRC
  context VC_B
   allocate-interface vlan 13
   allocate-interface vlan 31
   member VC_2_RESRC

Content Switching Design Approaches: Virtual Contexts in ACE, Configuration
  resource-class VC_1
   limit-resource all minimum maximum equal-to-min
  resource-class VC_2
   limit-resource all minimum 0.00 maximum unlimited
   limit-resource conc-connections minimum maximum equal-to-min
   limit-resource sticky minimum maximum equal-to-min
  context VC_A
   description Context for initial client request
   allocate-interface vlan 5
   allocate-interface vlan 10
   member VC_1
  context VC_B
   description Context for second tier of internal VIPs
   allocate-interface vlan 15
   allocate-interface vlan 20
   allocate-interface vlan 30
   member VC_2
  ft interface vlan 31
   ip address
   peer ip address
   no shutdown
  ft peer 1
   heartbeat interval 300
   heartbeat count 10
   ft-interface vlan 31
  ft group 11
   peer 1
   priority 110
   peer priority 105
   associate-context VC_A
   inservice
  ft group 22
   peer 1
   priority 105
   peer priority 110
   associate-context VC_B
   inservice
Content Switching Designs Summary

Design | Default gateway of servers | Direct access to servers | Server-originated connections | Multicast support | Layer 2 loops
(1) Bridge mode | HSRP IP on MSFC | No extra configuration needed | No extra configuration needed | Supported, bridges through | Possible if misconfigured
(2A) Routed mode, MSFC on client side | Alias IP on CSM | Extra configuration needed | Extra configuration may be needed | Not supported | Not possible
(2B) Routed mode, MSFC on server side | HSRP IP on MSFC | Extra configuration needed, may bypass CSM | Extra configuration may be needed, may bypass CSM | Not supported; server to server works | Not possible
(3) One-armed | HSRP IP on MSFC | CSM is bypassed | CSM is bypassed | Supported, as CSM is bypassed | Not possible

SSL Offload
Please visit BRKCDT-3703: SSL Offload for DC Backend Server Farm
Network-Based SSL Offload
(Diagram: Core-1/Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data link; CSM 1 and CSM 2 with an FT link on VLAN 10; SSLM 1 and SSLM 2; CSM server-side VLAN /24, server VLANs /24 and SSLM VLAN /24.)
Key motivations:
- Offload SSL decryption/encryption from servers
- Redundancy
- Scalability
- Unified management of SSL certificates
- Layer 7 based load balancing and stickiness possible for HTTPS
SSL offload design:
- In ACE (Application Control Engine), SSL offload is built into the module
- Simply add the SSLMs on a VLAN connected to the ACE; the SSLMs' default gateway would be the alias IP on the ACE
- Backend SSL requires no design change

SSL Services Module Configuration Tips: Admin VLAN and Data VLAN
- One VLAN on the SSL module has to be the admin VLAN
- Make sure that the admin VLAN has a route to the CA, TFTP server, management stations, etc.
- The admin VLAN can also carry data traffic
- The default gateway of the admin VLAN is the module default gateway
(Diagram: an SSL module with separate admin and data VLANs beside an SSL module with a single VLAN carrying both admin and data traffic.)
Data Center Security

Firewall Design Approaches: Layer 2
(Diagram: Core-1/Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data link; FWSM1 and FWSM2 with a control VLAN; DMZ-1 VLAN /24.)
Key firewall design options:
- Bridged mode design, also known as transparent or stealth firewall
- Routed mode design, also known as Layer 3 firewall
- Virtual firewall contexts for Layer 2 or Layer 3 mode
(1) Layer 2 (transparent) firewall design considerations:
- Servers' default gateway is the HSRP group IP address on the MSFC
- Broadcast/multicast/route update traffic bridges through
- Bump on the wire; easy integration
- Currently two VLANs can be merged
Firewall Design Approaches: Layer 3
(Diagram: Core-1/Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data link; FWSM1 and FWSM2 with a control VLAN; FWSM-to-MSFC VLAN /24, DMZ-1 VLAN /24, DMZ-1 VLAN /.)
(2) Layer 3 firewall design considerations:
- Servers' default gateway is the IP address on the firewall
- Dynamic routing is supported

Firewall Design Approaches: Virtual Context
- It's the ability to segment a single physical firewall into multiple virtualized instances
- Multiple interfaces/VLANs within Layer 3 virtual contexts are supported
- Multiple bridge pairs for Layer 2 virtual contexts are supported
On the MSFC:
  firewall multiple-vlan-interfaces
  firewall module 7 vlan-group 100
  firewall vlan-group ,50-53
On the firewall:
  CAT1-FWSM-SYS# conf t
  CAT1-FWSM-SYS(config)# firewall ?
  Usage: [no|clear|show] firewall [transparent]
  FWSM(config)#
  FWSM(config)# mode ?
  Usage: mode single|multiple
  FWSM(config)#
  FWSM#
Firewall Design Approaches: Virtual Context (continued)
(Diagrams: Core-1/Core-2; Agg-1 (MSFC1) and Agg-2 (MSFC2) joined by a data link; FWSM1 and FWSM2 with a control VLAN and transparent virtual contexts; FWA VLAN /24 and FWB VLAN /24 for the transparent contexts; FWSM-to-MSFC VLANs /24, DMZ-1 VLAN /24 and DMZ-2 VLAN / for the routed contexts.)
(3A) Transparent context:
  context FWA
   allocate-interface vlan2
   allocate-interface vlan20
   config-url disk:/fwa.cfg
  context FWB
   allocate-interface vlan3
   allocate-interface vlan30
   config-url disk:/fwb.cfg
(3B) Routed context:
  context FW1
   allocate-interface vlan12
   allocate-interface vlan20
   config-url disk:/fw1.cfg
  context FW2
   allocate-interface vlan13
   allocate-interface vlan30
   config-url disk:/fw2.cfg

Firewall Designs Summary

Design | Default gateway of servers | Multicast support | Layer 2 loops | VLAN usage
(1) Bridge mode, Layer 2 | HSRP IP on MSFC | Supported | Possible if misconfigured | Multiple VLANs allowed
(2) Routed mode, Layer 3 | Primary IP on FW | Supported | Not possible | Multiple VLANs allowed
(3A) Virtual context, Layer 2 | HSRP IP on MSFC | Supported | Possible if misconfigured | Multiple VLANs per VC; cannot share VLANs across VCs
(3B) Virtual context, Layer 3 | Primary IP on FW | Supported | Not possible | Multiple VLANs per VC; can share VLANs across VCs
Firewall Services Module: Configuration Tips for Getting Started
Define the VLANs the FWSM will protect, in switch configuration mode:
  C6509# config t
  C6509(config)# vlan 200
  C6509(config)# vlan 201
  C6509(config)# vlan 202
Create a firewall group for the FWSM to manage (the argument is the VLAN group identifier, followed by the VLANs defined in the previous step):
  C6509(config)# firewall vlan-group
Attach the firewall group to the FWSM (module 6 is the slot where the FWSM is installed in the chassis; vlan-group 100 is the group created above):
  C6509(config)# firewall module 6 vlan-group 100

Firewall Services Module (continued): Some Initial Configuration
FWSM configuration statements:
  FWSM# wr t
  Building configuration...
  : Saved
  :
  FWSM Version 3.1(1)
  <snip>
  interface Vlan200
   nameif inside
   security-level 100
   ip address
  <snip>
  icmp permit any inside
  <snip>
  http server enable
  http inside
  <snip>
  telnet inside
Notes on the statements above:
- The interface block defines a VLAN interface and associates a security level with it
- Use an icmp permit statement for each interface that you want to respond to pings; without it, no pings will be answered
- If you want to use PDM to configure the FWSM, then you need to enable the HTTP server and specify the IP address of each user requiring access
- If you want to use Telnet to the FWSM through an FWSM interface, then you need to define a telnet statement for each user requiring access
Integrated Data Center Design Options

Data Center Services Design Options
- We understand what products and devices are available in the data center to provide the services of security, server load balancing, SSL offload, etc.
- We understand the design options of the individual products
- Let's look at different ways of integrating these products
- Each design consists of three redundant layers: core, aggregation, and access
Designs:
(1) FW on core with ACE/CSM on aggregation in Layer 3
(2) FW and ACE on aggregation with ACE/CSM in Layer 2 and FW in Layer 3
(3) FW and ACE on aggregation with ACE/CSM in one-armed mode and FW in Layer 3
(4) FW and ACE on aggregation with ACE/CSM in one-armed mode and FW in Layer 2 (secure internal segment)
Physical Topology

Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode
(Diagram: WAN; Cat6509-Core-1 and Cat6509-Core-2 on VLAN 2 and VLAN 3; Cat6513-Agg-1 and Cat6513-Agg-2 joined by a data link; ACE-1 and ACE-2 with control VLAN 200 and VLAN 16 toward the MSFC; VLANs 17, 18 and 19 as the Web VLAN, App VLAN and DB VLAN to the access Cat switches with the Web, App and DB servers; SSL termination on the ACE.)
Security details:
- Layer 3 firewall used
- Firewall perimeter at the core
- Aggregation and access are considered trusted zones
- Security perimeter not possible between Web/App/DB tiers
- In the aggregation layer, some security using VLAN tags on the CSM is possible
Content switching details:
- ACE/CSM is used in a routed design
- Servers' default gateway is the ACE/CSM alias IP address
- Extra configuration needed for direct access to servers and non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the HSRP group IP on the MSFC
- Since the MSFC is directly connected to the ACE/CSM, RHI is possible
- All traffic to/from load-balanced and non-load-balanced servers goes through the CSM
Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode, Configuration Snapshots
CSM:
  module ContentSwitchingModule 3
   vlan 16 client
    ip address
    gateway
    alias
   vlan 17 server
    ip address
    alias
   vlan 18 server
    ip address
    alias
   vlan 19 server
    ip address
    alias
   serverfarm ROUTE
    no nat server
    no nat client
    predictor forward
   vserver ROUTE
    virtual any
    serverfarm ROUTE
    inservice
MSFC SVI:
  interface Vlan16
   ip address
   standby 16 ip
   standby 16 priority 150

Design (1): Firewall on Core; ACE/CSM on Aggregation in Layer 3 Mode: Session Flows
(Diagram, two panels: the load-balanced session flow and the server management session flow. In both, the firewall at the core makes the security decisions; for the load-balanced flow the ACE makes the SLB decision, while for the management flow the ACE routes the traffic. Topology as on the design slide: WAN, Cat6509-Core-1/Core-2 on VLANs 2 and 3, Cat6513-Agg-1/Agg-2, ACE-1/ACE-2 with control VLAN 200, VLANs 17/18/19 as the Web/App/DB VLANs, access Cat switches with the Web, App and DB servers.)
Design (2): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in Layer 2 Mode
(Diagram: WAN; Cat6509-Core-1 and Cat6509-Core-2 on VLAN 2 and VLAN 3; Cat6513-Agg-1 and Cat6513-Agg-2 joined by a data link; FWSM1 and FWSM2 with VLAN 16 toward the MSFC and VLANs 7, 8 and 9 on the inside; ACE-1 and ACE-2 with multiple control VLANs bridging VLAN pairs 7/17, 8/18 and 9/19 (Web VLAN, App VLAN, DB VLAN) to the access Cat switches with the Web, App and DB servers; SSL termination on the ACE.)
Security details:
- Layer 3 firewall used with single contexts
- Firewall perimeter at the core
- Firewall perimeter is used in the aggregation between Web/App/DB tiers
Content switching details:
- ACE/CSM is used in a bridged design with multiple bridged VLAN pairs
- Servers' default gateway is the firewall primary IP address
- No extra configuration needed for direct access to servers or non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the firewall primary IP address
- Since the MSFC is not directly connected to the ACE/CSM, RHI is not possible
- All traffic to/from load-balanced and non-load-balanced servers goes through the ACE/CSM

Design (2): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in Layer 2 Mode, Configuration Snapshots
CSM:
  module ContentSwitchingModule 3
   vlan 7 client
    ip address
    gateway
   vlan 17 server
    ip address
   vlan 8 client
    ip address
    gateway
   vlan 18 server
    ip address
MSFC SVI:
  interface Vlan16
   ip address
   standby 16 ip
   standby 16 priority 150
VLANs on the firewall:
- VLAN16 (toward the MSFC)
- Inside server VLANs: VLAN7, VLAN8, VLAN
Design (2): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in Layer 2 Mode: Session Flows
(Diagram, two panels: the load-balanced session flow and the Web-server-to-App-server session flow. The core firewall makes the security decisions; FWSM1 and FWSM2 (VLAN 11) provide the internal DMZ perimeters; the ACEs make the SLB decision for the load-balanced flow and simply bridge traffic for the Web-to-App flow. Topology as on the design slide: WAN, Cat6509-Core-1/Core-2 on VLANs 2 and 3, Cat6513-Agg-1/Agg-2, SSLM1, VLANs 7/8/9 on the firewall inside and 17/18/19 as the Web/App/DB VLANs, access Cat switches with the Web, App and DB servers.)

Design (3): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and ACE/CSM in One-Armed Mode
(Diagram: WAN; Cat6509-Core-1 and Cat6509-Core-2 on VLAN 2 and VLAN 3; Cat6513-Agg-1 and Cat6513-Agg-2 joined by a data link; FWSM1 and FWSM2 with VLAN 16 toward the MSFC and VLANs 17, 18 and 19 (Web VLAN, App VLAN, DB VLAN) toward the access Cat switches with the Web, App and DB servers; ACE-1 and ACE-2 on VLAN 15 with multiple control VLANs; SSL termination on the ACE.)
Security details:
- Layer 3 firewall used with single contexts
- Firewall perimeter at the core
- Firewall perimeter is used in the aggregation between Web/App/DB tiers
Content switching details:
- ACE/CSM is used in a one-armed fashion
- Servers' default gateway is the firewall primary IP address
- No extra configuration needed for direct access to servers or non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the HSRP group address on the MSFC
- Since the MSFC is directly connected to the ACE/CSM, RHI is possible
- All non-load-balanced traffic to/from servers will bypass the ACE/CSM
Design (3): Firewall and CSM on Aggregation; FW in Layer 3 and CSM in One-Armed Mode, Configuration Snapshots
CSM:
  module ContentSwitchingModule 3
   vlan 15 server
    ip address
    gateway
    alias
MSFC SVI:
  interface Vlan15
   ip address
   standby 15 ip
   standby 15 priority 150
  interface Vlan16
   ip address
   standby 16 ip
   standby 16 priority 150
VLANs on the firewall:
- VLAN16 (toward the MSFC)
- DMZ VLANs: VLAN17, VLAN18, VLAN

Design (3): Firewall and CSM on Aggregation; FW in Layer 3 and CSM in One-Armed Mode: Session Flows (1 of 2)
(Diagram, two panels: the load-balanced session flow and the Web-server-to-App-server session flow. For the load-balanced flow the core firewall makes the security decisions, PBR or source NAT returns the server traffic to the ACE, and the ACE makes the SLB decision; for the Web-to-App flow the ACE is bypassed and the FWSM1/FWSM2 internal DMZ perimeters apply. Topology as on the design slide: WAN, Cat6509-Core-1/Core-2 on VLANs 2 and 3, Cat6513-Agg-1/Agg-2, ACE-1/ACE-2, FWSM1/FWSM2 with multiple control VLANs, VLANs 17/18/19 as the Web/App/DB VLANs, access Cat switches with the Web, App and DB servers.)
Design (3): Firewall and ACE/CSM on Aggregation; FW in Layer 3 and CSM in One-Armed Mode: Session Flows (2 of 2)
(Diagram: the server management session flow. The firewall makes the security decisions and the ACE is bypassed; FWSM1 and FWSM2 with multiple control VLANs provide the internal DMZ perimeters. Topology as on the design slide: WAN, Cat6509-Core-1/Core-2 on VLANs 2 and 3, Cat6513-Agg-1/Agg-2, ACE-1/ACE-2, VLANs 17/18/19 as the Web/App/DB VLANs, access Cat switches with the Web, App and DB servers.)

Design (4): Firewall and ACE/CSM on Aggregation; FW in Layer 2 and CSM in One-Armed Mode [Secure Internal Segment]
(Diagram: WAN; Cat6509-Core-1 and Cat6509-Core-2 on VLAN 12; Cat6513-Agg-1 and Cat6513-Agg-2 (the secure internal segment) joined by a data link; FWSM1 and FWSM2 with multiple control VLANs bridging VLAN pairs 2/12, 7/17, 8/18 and 9/19 (Web VLAN, App VLAN, DB VLAN) and VLAN 11; the access Cat switches with the Web, App and DB servers; SSL termination on the ACE.)
Security details:
- Layer 2 firewall used with multiple contexts
- Firewall perimeter at outside, internal, and each DMZ
- Agg MSFC is a secure internal segment with protection from each connected network
- Secure internal segment is protected from malicious activity from each DC network
Content switching details:
- ACE/CSM is used in a one-armed fashion
- Servers' default gateway is the HSRP group IP address
- No extra configuration needed for direct access to servers or non-load-balanced server-initiated sessions
- ACE/CSM's default gateway is the HSRP group address on the MSFC
- Since the MSFC is directly connected to the ACE/CSM, RHI is possible
- All non-load-balanced traffic to/from servers will bypass the ACE/CSM
Design (4): Firewall and ACE/CSM on Aggregation; FW in Layer 2 and CSM in One-Armed Mode [Secure Internal Segment], Configuration Snapshots
CSM:
  module ContentSwitchingModule 3
   vlan 15 server
    ip address
    gateway
    alias
   vlan 11 server
    ip address
    alias
Firewall contexts:
  context DB
   allocate-interface vlan7
   allocate-interface vlan17
   config-url disk:/db.cfg
  context APP
   allocate-interface vlan8
   allocate-interface vlan18
   config-url disk:/app.cfg
  context WEB
   allocate-interface vlan9
   allocate-interface vlan19
   config-url disk:/web.cfg
MSFC SVI:
  interface Vlan15
   description VLAN Towards ACE
   ip address
   standby 15 ip
   standby 15 priority 150
  interface Vlan7
   ip address
   standby 17 ip
   standby 17 priority 150
  interface Vlan8
   ip address
   standby 18 ip
   standby 18 priority 150
  interface Vlan9
   ip address
   standby 19 ip
   standby 19 priority

Real-World Deployments
Real-World Deployments: Firewall All DMZs and Networks

Goal
- Ensure high security within the data center
- All tiers (Web/App/DB) are untrusted
- Sessions between servers should be locked down to particular ports
- Ensure non-load-balanced traffic bypasses the content switch

Solution
- Transparent virtual contexts used on the FWSM to seamlessly integrate a firewall perimeter on each data center VLAN
- Content switch deployed in a one-armed fashion

Real-World Deployments: Firewall All DMZs and Networks (topology)

[Diagram: Edge Router 1 and Edge Router 2 towards the Internet; Cat6509-Core-1 and Cat6509-Core-2, each with MSFC, FWSM1/FWSM2 and CSS11506_1/CSS11506_2; Internal Router; Secure Internal Segment; VLANs 3, 5, 6, 14, 200 and 201; a /24 LAN failover/state link, a /30, a /27 with Web Server 1 and Web Server 2, a /28 with App Server 1 and App Server 2, and a /23 Internet inside core.]

Design Approach
- Layer 2 firewall used with multiple contexts
- Firewall perimeter at outside, internal and each DMZ
- Agg MSFC is a secure internal segment with protection from each connected network
- Secure internal segment is protected from malicious activity from each DC network/VLAN; switches are set up in a Layer 2 approach
- CSS11506 is used in a one-armed fashion
- Since NAT is not supported on the transparent firewall, NAT is performed on the MSFC

Content Switching Details
- Servers' default gateway is the HSRP group IP address on the agg switches
- CSS's default gateway is the HSRP group address on the MSFC on VLAN 40
- Since the MSFC is directly connected to the ACE, RHI is possible
- All non-load-balanced traffic to/from servers bypasses the CSS
Real-World Deployments: Firewall All DMZs and Networks (configuration)

Firewall contexts
context WEB
 allocate-interface vlan3
 allocate-interface vlan103
 config-url disk:/web.cfg
context APP
 allocate-interface vlan5
 allocate-interface vlan105
 config-url disk:/app.cfg

PBR for Production Web Apps
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 deny ip any any
route-map FromDMZWebSendToCSS permit 10
 match ip address 121
 set ip next-hop
interface Vlan3
 description DMZWeb
 ip policy route-map FromDMZWebSendToCSS

MSFC SVI
interface Vlan3
 description DMZWeb
 ip address
 standby 3 ip
 standby 3 priority 150
 ip nat inside
interface Vlan6
 description Outside
 ip address
 standby 6 ip
 standby 6 priority 150
 ip nat outside
interface Vlan40
 description CSSVLAN
 ip address
 standby 40 ip
 standby 40 priority 150
 ip nat inside

Real-World Deployments (Nexus): Trust with Caution

Goal
- Firewall perimeter needed to protect against the outside world, which includes Internet clients and partners
- Secure VPN is needed for access into the data center
- All tiers are trusted, as extensive application hardening is deployed
- Session monitoring is essential

Solution
- Routed virtual contexts used on the FWSM to create multiple perimeters on the core switches; this ensures protection from Internet clients and from partners
- Content switching module is deployed in a one-armed fashion
- Layer 3 routing is used between the tiers
- Network- and host-based IPS are deployed to monitor sessions
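The PBR block in the "Firewall All DMZs and Networks" configuration above is what makes the one-armed CSS work without source NAT: server replies would otherwise follow the HSRP default gateway straight to the client and never pass the CSS. As an added illustration (example code written for this page, not from the deck or any Cisco product), the following Python model evaluates access-list 121 and route-map FromDMZWebSendToCSS the way the MSFC would on interface Vlan3, so the reader can see which flows are steered to the CSS and which bypass it. The slide elides the `set ip next-hop` address, so `CSS_NEXT_HOP`, and the server, client and admin addresses in the sample flows, are constructed values.

```python
"""Added example: model of the MSFC policy-based routing from the slide
(access-list 121 + route-map FromDMZWebSendToCSS applied on Vlan3).
Not part of the original deck; addresses below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CSS_NEXT_HOP = "192.0.2.40"   # constructed stand-in for the CSS address on VLAN 40 (elided on the slide)
DMZ_WEB_VLAN = 3              # interface Vlan3 carries 'ip policy route-map FromDMZWebSendToCSS'


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ingress_vlan: int   # the SVI the packet arrived on


# access-list 121 as on the slide: (action, protocol, source port); destination is 'any'.
# A None protocol represents the closing 'deny ip any any'.
ACL_121 = [
    ("permit", "tcp", 80),     # access-list 121 permit tcp any eq www any
    ("permit", "tcp", 443),    # access-list 121 permit tcp any eq 443 any
    ("deny", None, None),      # access-list 121 deny ip any any
]


def acl_121_permits(pkt: Packet) -> bool:
    """First-match evaluation of access-list 121 (match keys on source port only)."""
    for action, proto, sport in ACL_121:
        if proto is None or (pkt.proto == proto and pkt.sport == sport):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def pbr_next_hop(pkt: Packet) -> Optional[str]:
    """Route-map FromDMZWebSendToCSS permit 10: 'match ip address 121', 'set ip next-hop <CSS>'.

    Returns the CSS address when policy routing applies, or None when the packet
    follows the normal routing table and therefore bypasses the CSS."""
    if pkt.ingress_vlan != DMZ_WEB_VLAN:
        return None                     # the policy is attached to Vlan3 only
    return CSS_NEXT_HOP if acl_121_permits(pkt) else None


def classify_sample_flows() -> List[Tuple[str, Optional[str]]]:
    """Constructed sample traffic leaving the Web DMZ, with the PBR decision for each."""
    web_server, client = "10.1.3.11", "203.0.113.25"        # constructed
    db_server, admin_host = "10.1.5.21", "10.1.9.5"         # constructed
    samples = [
        ("LB reply, HTTP",            Packet("tcp", web_server, 80,    client,     51234, 3)),
        ("LB reply, HTTPS",           Packet("tcp", web_server, 443,   client,     51235, 3)),
        ("web -> DB query",           Packet("tcp", web_server, 40001, db_server,  1521,  3)),
        ("SSH reply to admin",        Packet("tcp", web_server, 22,    admin_host, 60000, 3)),
        ("UDP from port 80",          Packet("udp", web_server, 80,    client,     53,    3)),
        ("port 80 reply, App VLAN",   Packet("tcp", db_server,  80,    client,     51236, 5)),
    ]
    return [(label, pbr_next_hop(p)) for label, p in samples]


if __name__ == "__main__":
    for label, hop in classify_sample_flows():
        print(f"{label:28s} -> {'CSS ' + hop if hop else 'normal routing (bypasses CSS)'}")
```

Two properties of the ACL are worth checking on a live box. Because it keys on source port alone, every packet a Web DMZ host sends from TCP 80 or 443 is steered to the CSS, including replies to a client that connected to the real server address directly rather than to the VIP, so "direct access to servers" on this design is only as clean as the CSS's handling of flows it never load-balanced. And because the match is TCP-only and attached to Vlan3 only, server-initiated sessions (the web-to-DB sample) and the same ports on other VLANs take the normal routing path, which is the "non-load-balanced traffic bypasses the CSS" behaviour the slide describes.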
Q and A

Recommended Reading
- Solutions Reference Network Design (SRND)
- Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press
- Check the Recommended Reading flyer for suggested books
- Designing Content Switching Solutions, by Zeeshan Naseh and Haroon Khan (ISBN: X); available onsite at the Cisco Company Store
Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live virtual account for access to all session material on demand and return for our live virtual event in October. Go to the Collaboration Zone in World of Solutions or visit