Zeeshan Naseh, CCIE No Haroon Khan, CCIE No. 4530

Transcription

1 Desi So! itching s Zeeshan Naseh, CCIE No Haroon Khan, CCIE No Cisco Press 800 Eas Indianapolis, Indiana

2 Table of Contents Foreword Introduction xxv xxvi Part I Server Load Balancing (SLB) 3 Chapter 1 Introduction to Server Load Balancing 5 Why Load Balance? 5 Scalability 6 Availability and Redundancy 6 Security 7 Cost Effectiveness 8 History of Server Load Balancing 8 First-Generation Load Baiancers 8 DNS-Based Load Balancing 9 TPAnycast 10 Second-Generation Load Baiancers 10 Local Director 10 Accelerated SLB 11 IOS SLB! 1 Third-Generation Load Baiancers 11 Content Services Switch 11 Content Switching Module 11 Ch aracteri zati on of the Application 12 Protocol and Port 12 Sessions per Second 13 Duration of Transaction 13 Concurrent Sessions 13 Idle Timeout 13 Back End Sessions 14 Session Stickiness 14 SLB and SLB Modes 14 Dispatch Mode 15 Directed Mode 16 SLB Designs 17 Layer 2 Design 18 Layer 3 Design 19 One-Armed Design 20 Policy-Based Routing 21 SourceNAT 21 Direct Server Return 21

3 Deciding on a Load Balanccr 22 Review of Infrastructure Design Concepts 23 VLANs 23 STP 23 DotlQTrunking 24 Dual Homed Servers 24 Summary 24 Chapter 2 Introduction to the Cisco Content Services Switch 27 CSS Platforms Overview 27 CSS CSS CSS CSS Architecture 30 Distributed Architecture 30 CSS Modules 32 Switch Control Module for the Cisco SSL Module for the Cisco I/O Modules for the Cisco Session Accelerator Module for the Cisco Load Balancing with CSS Services, Owners, and Content Rules 33 CSS I! 500 Flow Overview 35 Flow Control Block 36 Persistent Reset Redirect 37 Persistent Reset Remap 38 Flow Cleanup 38 WebNS Software Features 39 Infrastructure-Level Features 39 Load-Balancing Algorithms 41 High Availability 42 SSL Integration for Security and Performance 42 Local and Global Load Balancing 43 Site and System Security 43 Summary of WebNS Features 43 Case Study: CSS-Based Solution 44 Server and Application Requirements 44 Management and Security Requirements 45 Infrastructure Requirements 45

4 XI Design Options 46 HTTP and HTTPS Server Stickiness 47 Traffic Flow 49 Test and Verification 50 Summary 51 Chapter 3 Introduction to the Cisco Content Switching Module 53 Benefits of the Content Switch Module 53 CSM Architecture 54 CSM Hardware 54 CSM Configuration Limits 55 Load Balancing with Content Switching Module 56 Real Server, Virtual Server, SLB Policy, and More 56 Load Balancing Methods 57 VLAN Tag 58 Client Group (Access Control List) 59 IP Protocol Support 59 High Availability 59 Connection Redundancy 59 User Session Persistence 60 A Typical CSM Traffic Flow 60 Routing with CSM 61 CSM Network Integration Options 63 CSM Layer 2 Design-Bridged Mode 63 CSM Layer 3 Design I Routed Mode with MSFC on the Client Side 64 CSM Layer 3 Design II Routed Mode with MSFC on the Server Side 66 CSM Layer 3 Design III One-Armed CSM Design 69 CSM Layer 3 Design IV Direct Server Return 72 Case Study: CSM-Based Solution 73 Server and Application Requirements 73 Management and Security Requirements 74 Infrastructure Requirements 74 Design Options 75 CSM Configurations 75 Catalyst 6509 Layer 2 Configurations 79 Catalyst 6509 Layer 3 Configurations 79 Traffic Flow 80 Test and Verification 80 Summary 81

5 xii Chapter 4 Layer 7 Load Balancing and Content Customization 83 Benefits of Layer 7 Load Balancing 83 Scalability and Application Acceleration 84 Session Persistence 84 Content Customization 85 Introduction to TCP 85 Data Segments 85 TCP Headers 86 Source and Destination Port 86 Sequence Number 86 Acknowledgement Number 87 Header Length 87 Reserved 87 Control Bits 87 Window 87 Checksum 88 Urgent Pointer 88 Options 88 Padding 89 TCP Connection Establishment and Termination 89 TCP Connection Establishment 89 TCP Connection Termination 90 TCP Flow Control 91 TCP Acknowledgements, Retransmission, and Timeout 91 Sliding Window 92 Introduction to HTTP 92 Protocol Details 93 HTTP Methods 94 URL 96 HTTP Cookie 96 HTTP Cookie Parameters 98 HTTP Header Fields 99 General Headers 99 Request Headers 100 Response Headers 102 Entity Headers 104 Differences Between HTTP Versions 1.0 and Persistent Connections 105 Chunked Messages 105 Hostname 106 Pipelining Requests 106

6 XIII Layer 7 Load Balancing Mechanisms 106 HTTP Methods-Based Load Balancing 107 HTTP URL-Based Load Balancing 107 HTTP Cookie-Based Load Balancing 108 HTTP Cookie Passive-Based Persistence 109 HTTP Cookie Learn-Based Persistence 109 HTTP Cookie Insert-Based Persistence 110 Case Study: Layer 7-Based Solution 110 Server and Application Requirements 111 Infrastructure Configuration 112 Probe Configuration 112 Online Download Application 113 Online Shop Application 114 Online User Profile Application 115 Maximum HTTP Request Parse Length 116 CSM Configuration 117 Test and Verification 120 Summary 120 ChapterS Firewall Load Balancing 123 Reasons for and Benefits of FWLB 123 Scalability 123 Redundancy 124 Manageability 124 Types of Firew al 1 s 124 Packet-Based Firewalls 125 Application-Based Firewalls 126 Application Gateway or Proxy Firewalls 126 Layer 2 or Stealth Firewalls 128 Case Study: Firewall Load Balancing 129 Server and Application Requirements 129 Security Requirements 130 Infrastructure Requirements 130 FWLB Design Considerations 130 FWLB Probes 133 Traffic to the Firewalls 134 Traffic from the Firewalls 134 Router or Secure Mode 135 Bridge Mode 135 FWLB Algorlthms 136 Configuration Details of the INET Segment 136

7 XIV CSM Configurations 136 Catalyst 6509 Layer 3 Configurations 138 Configuration Details of the DMZ Segment 139 CSM Configurations 139 Cataly st 6509 Layer 3 Configurations 141 Configuration Details of the LAN Segment 142 CSM Configurations 142 Catalyst 6509 Layer 3 Configurations 144 Test and Verification 144 Summary 145 Chapter 6 Transparent and Proxy Cache Load Balancing 147 Benefits of Caching 147 Caching Overview 147 Caching Terminology 148 Mechanics of HTTP Caching 149 HTTP Response Status Code 149 HTTP Rcqucst Methods 150 HTTP Cache-Control Directives 150 Expiration and Validation 150 Request Authentication 151 Cisco Application Content Networking and Caching 151 ACNSRoles 152 ACNS Content Types 153 Content Engine Architecture 153 Transparent Caching Modes 154 WCCP Protocols 156 WCCP Version WCCP Version Redirection with the CSS 160 IPSpoofing 161 Proxy Caching Overview 161 Server Proxy (Reverse Proxy Caching) 163 Supported Protocols on the Content Engine 165 Authentication and Management on the Content Engine 165 Content Engine Models 166

8 XV Case Study: Content Engine in a Transparent Caching-Based Solution 167 Design Requiremcnts 167 Design Options 168 Layer 2 Redirection 168 HTTP Configuration 170 URL Filtering Configuration with Local Lists 176 Configuration Details 178 Summary 181 Chapter 7 Load Balancing Streaming Video Servers 183 Benefits of Load Balancing Streaming Video Servers 183 Scalability 183 Redundancy 183 Introduction to Streaming 184 Video Streaming Clients and Protocols 184 Methods of Video Stream Initiation 185 Types of Streaming Video Servers 186 Apple QuickTime 186 RealMedia 187 Windows Media Technology 187 Streaming Video Protocols 188 Microsoft Media Server (MMS) 188 Microsoft Media Server - Universal Datagram Protocol (MMSU) 188 Microsoft Media Server - Transmission Control Protocol (MMST) 188 Microsoft Media Server over HTTP 189 RTP and RTSP 189 Case Study: Load-Balancing Solution for Video Streaming 190 CSS-Based Solution 191 QuickTime Video Stream: Session Flow 192 QuickTime Load Balancing: First Failure Scenario 193 QuickTime Load Balancing: Second Failure Scenario 194 QuickTime Load Balancing 196 CSS Configuration Details 197 MSFC Configuration Details for the CSS-Based Solution 198 HTM L Code Used in the Solution 199 CSM-Based Solution 200 QuickTime Load Balancing 201 CSM Configuration Details 201 MSFC Configuration Details for the CSM-Based Solution 202 Summary 203

9 XVI Chapter 8 Virtual Private Network Load Balancing 205 Benefits of VPN Load Balancing 205 Tntroduction to Virtual Private Networks 207 Virtual Private Network Protocols 208 Internet Key Exchange Protocol (IKE) 209 ESP and AH 210 Authentication Header (AH) 210 The Encapsulating Security Payload (ESP) 211 Case Study: VPN Load-Balanced Solution 211 IKE Requirements 211 ESP Requirements 212 IPsec over UDP Requirements 212 Design Options 213 Directed Mode Solution 213 CSM Configurations for Directed Mode 214 CSM show Commands for Directed Mode 216 IPsec Router Configurations for Directed Mode 217 Dispatch Mode Solution 217 CSM Configurations for Dispatch Mode 219 CSM Show Commands for Dispatch Mode 220 IPsec Router Configurations for Dispatch Mode 220 Summary 221 Chapter 9 Content Switching Device Migrations 223 Motivation Behind Migration 223 Evolution of Load Balancing 223 Advanced Load-Balancing Methods 224 Scalability and Performance 224 Software Features and Functionality 225 Migration Planning 226 Migration Team 226 Project Manager 226 Content Engineer 227 Network Operations Engineer 229 Core (Layer 2/Layer 3) Engineer 229 Application Administrator 229 Fallback Plan 230 Methods and Procedures for the Maintenance Window 231 Application Testing 235

10 xvii Case Study: Migration from CSS to CSM 236 Infrastructure Requirements 237 CSS and CSM Mode of Operation 237 Server's Default Gateway 237 Redundancy and Fault Tolerance 237 Server and Application Requirements 238 Migration Configuration and Design Details 238 CSS and CSM Mode of Operation 240 Redundancy and Fault Tolerance 241 Ready for Migration 243 Source IP Sticky Configuration 245 Layer 5 Content Rules 246 Port Mapping or Port Redirection 247 Keepalives 248 CSS Configurations 250 CSM Configurations 252 Summary 255 Part II Secure Socket Layer 257 Chapter 10 SSL Offloading 259 introduction to SSL 259 Public Key Cryptography 260 SSL Certificates 261 SSL Protocol Communication 263 SSL Protocol Structure 266 SSL Protocol Versions 267 Introduction to SSLMs 268 SSLM for the Catalyst SSLM Deployments 270 SSLM in Bridge Mode with the CSM 271 SSLM in Routed Mode with the CSM 272 SSLM on the CSS 272 SSL Flows on the CSS-SSLM 274 Case Study: CSM and SSLM-Based Solution 275 Design Requirements 275 Design Details of a CSM and an SSLM-Based Solution 276 SSLM Certificate Management 277 SSLM and CSM Flow Overview 281 Client Connection to the CSM 282 CSM Connection to the SSLM 282 SSLM to the CSM 284

11 XVIII CSM Connection to the Server 285 Configuration Details 286 CSM Configuration 286 SSLM Configuration Primary 287 SSLM Configuration Secondary 289 Summary 291 Chapter11 Back-End SSL Offloading 293 Back-End SSL on Modules 293 Back-End SSL on the SSLM for the Catalyst Back-End SSL on the SSLM on the CSS 300 Case Study: Back-End SSL Solution 304 Requirements 304 Design Options 305 SSLM Certificate Management 306 SSLM and CSM Flow Overview 310 Client Connection to the CSM 312 CSM Connection to the SSLM 312 SSLM to the CSM 314 CSM to the SSLM 315 SSLM to the Server (via CSM) 316 Configuration Details 318 Summary 323 Part Mi Distributed Data Centers 325 Chapter12 Global Server Load Balancing 327 Motivation for GSLB 327 Domain Name System (DNS) Overview 328 DNS Architecture Components 329 DNS Resolution Process 330 DNS Resource Records and Zones 331 Resource Records 331 Zones 331 TypesofDNSQueries 332 Global Site Selector 334 GSLB Using GSS 334 GSS Features and Performance 336 GSS Roles 337 GSS DNS Rules 339 GSS Balance Methods 341

12 XIX GSS Domains 343 GSS Answers 344 GSS Keepalives 347 GSS Resources, Locations, Regions, and Owners 349 GSS DNS Stickiness 352 GSS Network Proximity 352 Case Study: GSLB Solution Using GSS 353 Requirements 354 Topology 354 GSS Network Setup 355 Primary GSSM 356 Secondary GSSM 357 GSS Secondary GSSM Activation 358 CSS Setup in Primary Data Center 359 CSS Setup in Secondary Data Center 360 GSS Setup for the Domain 360 GSS DNS Rule Configuration for GSS DNS Rule Testing for GSS TCP Keepalive for the Domain 369 GSS Setup for the Domain 370 GSS DNS Rule Testing for Configuration Details 374 Summary 377 Chapter13 IP-Based GSLB Using RHI 379 Benefits of Using RHI 379 Architecture 379 Active/Standby Site-to-Site Recovery 380 Autonomous System Prepending 381 BGP Conditional Advertisements 381 Design Limitations 382 Implementation Details for Active/Standby Scenarios 382 AS Prepending 383 Primary Site Configuration 384 Standby Site Configuration 385 BGP Conditional Advertisement 386 Primary Site Configuration 388 Standby Site Configuration 390 Active/Active Site-to-Site Load Distribution 392 Implementation Details for Active/Active Scenarios 393

13 XX OSPF Route Redistribution and Summarization 394 BGP Route Redistribution and Route Preference 395 BGP Configuration of Primary Site Edge Router 395 BGP Configuration of Secondary Site Edge Router 396 Load Balancing Without IGP Between Sites 397 Routes During Steady State 398 Routes After All Servers on the Primary Site Are Down 398 Limitations and Restrictions 399 Subnet-Based Load Balancing Using IGP Between Sites 400 Changing IGP Cost for Site Maintenance 400 Routes During Steady State 401 Limitations and Restrictions 403 Application-Based Load Balancing Using IGP Between Sites 403 Configuration on Primary Site 404 Configuration on Secondary Site 404 Routes During Steady State 405 Limitations and Restrictions 406 Using NAT in Active/Active Load-Balancing Solutions 406 Primary Site Edge Router Configuration 407 Secondary Site Edge Router Configuration 408 Steady State Routes 409 Routes Whcn Servers in Primary Data Center Goes Down 412 Summary 413 Part IV Data Center Designs 415 Chapter14 Scaling Server Load Balancing within a Data Center 417 Benefits of Scaling Content Switching 417 Scalability 417 Performance 418 Scaling Methodologies 418 Distribution of Applications 419 Using DNS for Application Scalability 419 Using Route Health lnjection for Application Scalability 419 Application Distribution Approach 419 DNS-Based Seal ing Approach 420 Predictable Traffic Flow 422 Ease of Management and Maintenance 422 RHI-Based Scaling Approach 422 CSM RHI Configuration 424 MSFC RHI Configuration and Routes 425

14 xxi Scaling Beyond Server Capacity 426 Case Study: Scalable SLB Environment 426 Server and Application Requirements 427 Management and Security Requirements 427 Infrastructure Requirements 427 DNS-Based Design 428 CSM-1 Configuration for DNS-Based Solution 429 CSM-2 Configuration for DNS-Based Solution 431 RHI-Based Design 433 CSM-1 Configuration for RHI-Based Solution 434 CSM-2 Configuration for RHT-Based Solution 435 Testing Maximum Connections 437 Test Case I 437 Test Case Test Case Summary 441 Chapter 15 Integrated Data Center Designs 443 Motivations Behind Integrated Data Center Designs 443 Data Center Design 1: FWSM in the Core and Layer 3 CSM in Aggregation 444 Design 1 Topology Details 444 Design 1 Details 446 Design 1 Configuration Details 446 Data Center Design 2: Layer 3 FWSM and Layer 2 CSM in Aggregation 447 Design 2 Topology Details 447 Design 2 Caveats 449 Design 2 Configuration Details 450 Data Center Design 3: Layer 3 FWSM and Layer 2 CSM in Aggregation 450 Design 3 Topology Details 451 Design 3 Caveats 452 Design 3 Configuration Details 453 Data Center Design 4: Layer 3 FWSM and Layer 2 CSM in Aggregation 453 Design 4 Topology Details 454 Design 4 Caveats 455 Design 4 Configuration Details 456

15 Case Study: Integrated Data Center Design 457 Design Details 458 Primary CSS (CSS ) Configuration Details 460 Backup CSS (CSS ) Configuration Details 465 Catalyst 6509 Configuration Details 465 Layer 2 Port-Channel Configuration Details 468 NAT Configuration Details 468 Policy-Based Routing Configuration Details 470 FWSM Configuration Details 470 DMZWeb Virtual Context 472 DMZApp Virtual Context 473 Outside Virtual Context 474 Inside Virtual Context 475 Summary 477