CSS 11000 Series: Device Configuration LAB Nick DiPietro Ian Gallagher Bill Kastelic Louis Senecal 1
Cisco Content Switching Applications Local Load Balancing = improved utilization and availability (servers, Firewalls, caches) User Prioritization = switch and stick by cookie (Silver, Gold, Platinum) Client Device Discrimination = switch and stick by client device (PC, PDA, wireless) Intelligent Content Positioning = switch by file type (.html,.gif,.cgi) Security Optimization = all of the above in SSL (HTTPS) environment Overflow Servers Gold Global Server Load Balancing = pick best site based on load and proximity (Tokyo, Paris, New York) Internet Bronze Silver 2
Data Center Load Balancing For Internet and Intranet ISP-1 ISP-2 Secure Content Accelerator Secure Content Accelerator Hosting Solution Engine PIX Firewall Web Servers PIX Firewall Content Switch Content Switch Hosting Solution Engine Technical Symposium2002:CSS Database Servers Lab 3
CSS11500 Management Options CLI Embedded device management GUI CiscoWorks 2000 CiscoView Hosting services engine SNMP, RMON, log files Programmatic management API 4
Cisco Content Switching Product Line Decision Points CSS 11050 CSS 11503 CSS 11506 CSM for Catalyst 6500 Form factor Standalone Standalone Standalone Integrated Appliance Modular Modular Module Max density 1 GE, 8 FE 6 GE/2 GE,32 FE 12 GE/ 2 GE,80 FE 8-178 GE, 46-528 FE Site activity/intensity Low Medium High Highest Hardware scalability Hardware redundancy No No Yes Yes Session redundancy Future Yes Yes Yes Layer 2/3 networking CS management SSL acceleration External Internal Internal Future Blade Load balancing Servers, Caches, Firewalls Servers, Caches Firewalls, VPNs 5
CSS Software Session Spoofing 200.20.30.100 Client TCP SYN Internet or Intranet Source IP 200.20.30.100 Destination IP 192.10.10.1 VIP=192.10.10.1 10.0.3.221 Web Server ACK HTTP GET TCP SYN ACK TCP SYN Source IP 200.20.30.100 Destination IP 10.0.3.221 TCP SYN ACK DATA DATA Source IP 192.10.10.1 Destination IP 200.20.30.100 Source IP 10.0.3.221 Destination IP 200.20.30.100 Source IP 200.20.30.100 Destination IP 192.10.10.1 Source IP 200.20.30.100 Destination IP 10.0.3.221 6
CSS Software File Structure C:/ Archive core ap0310026 ap0302026 ap0310010 ap0400003 startup-config release ap0400003 image/ log/ script/ cli/ startup-config version build 7
Product Features Server Load Balancing Content Verification HTTP Header Load Balancing Sticky Connections Support for Web Caching services Domain Name Services Network Proximity HTTP Redirects NAT Peering 8
Product Features (cont.) Smart Content Replication Replication for dynamically scalable Web sites Replication for distributing and updating content Redundancy Web Site Security Full command line interface (CLI) Embedded Device Management Service Level Agreement support through: MIB SNMP RMON Logging subsystem 9
Command Line Interface (CLI) A line-oriented interface that has a set of commands for configuring, managing, and monitoring the CSS. Accessed through a local console or Telnet connection Console Connection CSS1 CS100# Telnet Connection CSS2 10
CLI Modes CS100> User Mode Username:admin Password: CS100# disable enable (enter username and password) SuperUser Mode configure exit or [Ctrl]z CS100(config)# Prompt reflects mode boot interface circuit. Global Configuration Mode exit [Ctrl]z Subordinate Configuration Modes 11
I C S O C Owner acme.com content Layer5_rule vip address 192.1.1.1 service www_server1 service www_server2 balance roundrobin url /* xyz.com content Layer3_rule vip address 192.1.1.2 add service server1 add service server 2 Interface 1/1 bridge vlan 2 Services www_server1 ip address 10.1.1.1 keepalive type http keepalive port 8001 keepalive protocol tcp keepalive uri index.html www_server2 ip address 10.1.1.2 keepalive type http keepalive port 8001 keepalive protocol tcp keepalive uri index.html Interfaces Circuits Services Owners Content Rules Circuit VLAN2 ip address 192.1.1.254 Circuit VLAN1 ip address 10.1.1.254 12
ICSOC Interface Circuit Service Owner Content 13
Interfaces, VLANs, and Circuits IP Forwarding (Layer3) Circuit IP Interface for VLAN1 158.3.7.58 Circuit IP Interface for VLAN2 10.3.6.60 VLAN1 Bridging Domain vlan 1 VLAN2 Bridging Domain vlan 2 Interface Ethernet-1 Interface Ethernet-2 Interface Ethernet-3 Interface Ethernet-4 Interface Ethernet-5 Interface Ethernet-6 Interface Ethernet-7 Interface Ethernet-8 Interface Ethernet-9 Interface Ethernet-10 Interface Ethernet-11 Interface Ethernet-12 14
15
CLI Lab01-a version sh installed-software sh running Shutdown sh boot-config sh profile sh startup copy running startup sh alias sh chassis configure terminal archive restore 16
Interface & Circuit Lab01-b sh phy!************************** GLOBAL ***************************!************************* INTERFACE ************************* interface e1 bridge vlan 100 Interface e5 bridge vlan 10P Interface e6 bridge vlan 10P Interface e7 bridge vlan 10P Interface e8 bridge vlan 10P!************************** CIRCUIT ************************** circuit VLAN100 ip address 10.1.P.254 255.255.255.0 circuit VLAN10P ip address 192.168.P.254 255.255.255. sh circuit sh ip route sh ip config sh ip statistics sh interface sh arp ping P=POD Number 17
ICSOC Interface Circuit Service Owner Content 18
Service Overview A service is a destination location where a piece of content resides A service is created first and then added to content rules The service is identified by a name that can be associated by an IP address, and optionally, a protocol and port number RAS VIP=192.10.10.1 10.0.3.225 10.0.3.224 10.0.3.223 10.0.3.222 10.0.3.221 www.cats.com www.dogs.com 19
Service Configuration Configuring Server1: CS100(config)# service Server1 CS100(config-service)[Server1]# type local CS100(config-service)[Server1]# ip address 10.0.3.221 CS100(config-service)[Server1]# port 81 CS100(config-service)[Server1]# protocol tcp CS100(config-service)[Server1]# max connections 10 CS100(config-service)[Server1]# weight 1 CS100(config-service)[Server1]# active RAS VIP=192.10.10.1 10.0.3.221 20
Service Configuration (cont.) Configuring Server1: CS100(config)# service Server1 CS100(config-service)[Server1]# suspend CS100(config-service)[Server1]# exit CS100(config)# no service Server1 RAS VIP=192.10.10.1 10.0.3.221 21
Service Keepalive keepalive frequency keepalive maxfailure keepalive retryperiod keepalive port keepalive type keepalive method keepalive uri RAS VIP=192.10.10.1 Keepalive Default ping 10.0.3.221 22
Displaying a Service The show service command enables you to display information for a specific service or all services currently configured. The show service-summary command displays just summary information for each service. The show service command displays the following information: CS100# show service Name: Server1 Index: 0 State: ALIVE Type: Local Rule ( 10.0.3.210 TCP 81 ) Keepalive: (HEAD:HTTP:/index.html 5 3 5 ) State Transitions: 1 Connections: 0 Max Connections: 0 Weight: 1 Avg Load: 254 Long Load: 0 Mtu 1500 QOS Avg Min Rate: 14400 QOS Min BW: 100000000 23
Service Lab Lab02-Section 1 sh service sh service summary sh keepalive sh keepalive-summary monitor show service summary 24
ICSOC Interface Circuit Service Owner Content 25
Owner Overview Owner = www.cisco.com The Owner allows for partitioning of content rules Content Rules are always configured under an Owner Can specify Owner case sensitivity Can specify Owner Address, Billing Information, and Email Address RAS VIP=192.10.10.1 Server3 Server2 Server1 10.0.3.223 10.0.3.222 10.0.3.221 www.dogs.com 26
Owner Configuration When creating an owner, you may want to use the owner s DNS name for clarity: CS100(config)# owner cisco.com A service type local designates the service for local load balancing. Other options are proxy-cache, transparent-cache, and redirect. When you create the owner, the CLI drops you into owner mode: CS100(config-owner[cisco.com])# 27
Displaying an Owner The show owner command enables you to display information for a specific owner or all services currently configured. The show owner command displays the following information: CS100# show owner cisco.com Owner Configuration: Name : cisco.com Billing Info: finance Address: 235 Littleton Rd. Westford, MA 01886 Email Address: support@cisco.com DNS Policy: none Case Matching: insensitive 28
Content Rule Overview Describes what content is accessible by visitors to the web site Describes how content is mirrored and load balanced to multiple services Translates the Owner VIP address using Network Address Translation (NAT) to the service s IP address and port Checks for available services that match the content request RAS VIP=192.10.10.1 NAT and Load balanced to 10.0.3.221 Request to 192.10.10.1 www.dogs.com Server3 Server2 Server1 10.0.3.223 10.0.3.222 10.0.3.221 www.dogs.com 29
Content Rule Overview An content rule is a hierarchical rule set containing individual rules that describe which content is accessible by visitors to the web site, how the content is mirrored, on which server the content resides, and how the CSS should process requests for the content. When a request for content is made, the CSS: Uses the owner content rule to translate the owner Virtual IP Address (VIP) using Network Address Translation to the corresponding service IP address and port. Checks for available services that match the content request. Uses the content rule to choose which service can best process the request for content. Applies all content rules to service the request for content (for example, load balancing method, redirects, failover, sticky, cookies) 30
Creating Content Rules The CSS uses content rules to determine: Where the content physically resides, whether local or remote. Where to direct the request for content (which service or services). Which load balancing method to use. The types of content rule are as follows: A layer 3 content rule implies source IP address of the host or network. A layer 4 content rule implies a combination of source IP address and port. A layer 5 content rule implies a combination of source IP address, port, and URL that may contain an HTTP cookie. 31
Assigning Content Rules To assign a content rule to an owner, use the content command. You assign content rules to an owner by creating the content rule in the mode for that owner. The following example creates a content rule named layer3 and assigns it to the owner cisco.com: CS100(config-owner[cisco.com])# content layer3 Once you assign a content rule to an owner, the CLI prompt changes to reflect the specific owner and content rule mode: CS100(config-owner[cisco.com-layer3])# From here, the content rule can be entered. To remove an existing content rule from an owner, issue the no content command from owner mode: CS100{config-owner[cisco.com])# no content layer3 32
Basic Content Rule Config To configure a Layer 3 content rule, enter the following from the owner mode: (config-owner[cisco.com-layer3]# vip address 192.168.11.5 Configure a Virtual IP address for the owner content. (config-owner[cisco.com-layer3]# balance aca Specify a load balancing type (config-owner[cisco.com-layer3]# add service serv1 (config-owner[cisco.com-layer3]# add service serv2 Add previously configured services to the content rule. (config-owner[cisco.com-layer3]# active Activates the content rule. This rule load balances based on VIP only. Only traffic destined for VIP address will get load balanced. 33
Owner and Content Rule Lab02 Section 2,3 and 4 sh service sh service summary sh rule sh rule-summary sh summary monitor show summary 34
Load Balancing Categories General Load Balancing Advanced Load Balancing (sticky) 35
Server Load Balancing To specify the load balancing algorithm for a content rule, use the balance command available in content configuration mode: balance aca - ArrowPoint Content Awareness algorithm. The CSS uses the normalized response time from client to server to determine the load on each service. ACA balances the traffic over the services based on load. balance roundrobin - Round-robin algorithm (default) balance weightedrr - Weighted round-robin load balancing. The CSS uses round-robin but weighs some services more heavily than others. You can configure the weight if a service when you add it to this rule. balance leastconn - Least connections load balancing. The CSS chooses a running service that has the least number of connections. 36
General Purpose Load Balancing Algorithms Round Robin Weighted Round Robin Least Connections ACA Weighted ACA 37
Round Robin Flow 1,4... Flow 2,5 Flow3,6 Server1 content rule1 vip address 192.10.10.1 balance roundrobin add service server1 add service server2 add service server3 active Server2 Server3 38
Weighted Round Robin Flow 1,2,3 Flow 4,5 Flow 6 Server1 Server2 Server3 content rule1 vip address 192.10.10.1 balance weightedrr add service server1 weight 3 add service server2 weight 2 add service server3 weight 1 39
Least Connections Services: Name: serv1 Index: 0 State: ALIVE Type: Local Rule ( 10.0.3.210 TCP 80 ) Keepalive: (ICMP 5 3 5 ) State Transitions: 0 Connections: 2 Max Connections: 0 Name: serv2 Index: 1 State: ALIVE Type: Local Rule ( 10.0.3.211 TCP 80 ) Keepalive: (ICMP 5 3 5 ) State Transitions: 0 Connections: 0 Max Connections: 0 Content Smart Switch keeps track of current connections to servers and serves requests to server with the least number of connections 40
ACA Load Balancing Arrowpoint Content Awareness algorithm Load balances servers based on normalized flow attributes calculated at flow tear down time Manages dynamic unpredictable server load and performance Periodically calculates server load and dynamically balances more flows to fastest servers Prunes slow servers from eligible list 41
ACA Parameters Load step msec dynamic - (10msec default) dynamic or static Load threshold - (254 default) is the maximum Load Number for service eligibility Load reporting - enable or disable Load teardown-timer seconds - (20 seconds default) Load ageout-timer seconds - (60 seconds default) Interval to bring back removed services. Resets load to 2. 42
ACA Load Calculation 255 254 Load response for 3 servers: Server Name Normalized Response servera 100ms serverb 1100ms serverc 120ms 255 254 130 serverb-> 102 Load Calculation Formula Fastest Server Assigned = 2 Loadsx = resp sx - resp_fastest sx +2 load step 130 serverc-> 4 serverb-> 12 servera-> Loads with load step-size equal to 10ms. 2 servera&serverc-> Load with load step size equal to 100ms 2 43
Show Load CS100(config)# show load Global load information: Step Size:Dynamic Configured:10 Actual:10 Threshold:254 Ageout timer:60 Service load information: Load Number for Load Number for Service Name Short Lived Flows Long Lived Flows -------------------------------------------------------------------- serv1 2 2 serv2 2 2 serv3 10 12 serv4 254 254 44
Configuring Basic L7 Server Load Balancing Lab03 sh service sh service summary sh rule sh rule-summary sh summary monitor show summary 45
Advanced Load Balancing Algorithms (sticky) Sticky refers to when a load balancing algorithm sticks a client to a specific server based on certain credentials advanced-balance sticky-srcip advanced-balance sticky-srcip-dstport advanced-balance cookies advanced-balance url advanced-balance cookieurl advanced-balance arrowpoint-cookie advanced-balance ssl 46
Sticky IP advanced-balance sticky-srcip Content Smart Switch sticks a client to a server based on the client s source IP address Available Layer 3, 4, and 5 content rules Referred to as Layer 3 Sticky advanced-balance sticky-srcip dstport Content Smart Switch sticks a client to a server based on the client s source IP address and destination port Available Layer 4, and 5 content rules Referred to as Layer 4 Sticky 47
Sticky-Mask RAS Sticky mask 255.255.255.0 IBM Compatible IBM Compatible Remote client addresses 200.20.30.1-200.20.30.254 Server Sticky Mask, masks a group of client ip addresses to preserve the client connection state Reduces entries in sticky table (32k Entries Max) Mask 255.255.255.0 would provide a single sticky entry for ip addresses with the 1st 3 octets of ip address in common 48
Sticky Cookie vip 192.10.10.1 RAS HTTP get HTTP response cookie: server1; Server1 10.0.3.221 IBM Compatible HTTP get cookie: server1; advanced-balance cookie Sticking on the Server that issued the cookie Content Smart Switch sticks a client to a server based on the cookie that the client sends Additional string tools Cookie configured for server Does not use sticky table content sticky-cookie vip address 192.10.10.1 url /* advanced- balance cookie add service server1 active service server1 ip address 10.0.3.221 string server1 active 49
Sticky URL vip 192.10.10.1 RAS IBM Compatible advanced-balanced url Enables the content rule to stick a client to a server based on a configured string found in the URL of the HTTP request. You can use this option with a Layer 5 HTTP content rule. This does not use the sticky table HTTP get http//www.dogs.com/spaniels service server1 ip address 10.0.3.221 string spaniels active content sticky-cookie vip address 192.10.10.1 url /* advanced- balance url add service server1 active Server1 10.0.3.221 50
Sticky cookieurl vip 192.10.10.1 RAS http//www.dogs.com/spaniels/products.jsp?id=1007 Server1 10.0.3.221 IBM Compatible Cookieurl provides a primary and fallback mechanism First try to match the string found in the service cookie If no cookie match found it will go to the parameters (url extensions) that follows Cookieurl does not use the sticky table content sticky-cookieurl vip address 192.10.10.1 url /* advanced- balance cookieurl add service server1 active service server1 ip address 10.0.3.221 string ID=1007 active 51
Sticky SSL Enables the content rule to stick the client to the server based on the SSL version 3 session ID If no session ID is present, the CSS uses the source IP address and destination port to maintain stickiness Sticky SSL does use the sticky table 52
Sticky ArrowPoint Cookie vip 192.10.10.1 RAS http//www.dogs.com/ Server1 10.0.3.221 IBM Compatible Web applications do not need to be modified The CSS sets the cookie IP address of service can be configured to where the client will be stuck Expiration of the cookie can be configured Pre determine the path the cookie will use content arrowpoint vip address 192.10.10.1 url /* advanced- balance arrwowpoint-cookie add service server1 active service server1 ip address 10.0.3.221 string server1 active 53
Configuring Advanced L7 Server Load Balancing Lab04 sh service sh service summary sh rule sh rule-summary sh summary monitor show summary 54
4515_03_2002_c1 55 2002, Cisco Systems, Inc. All rights reserved. 55
Overview ArrowPoint Cookie When a client makes a request that matches on a Content Rule that is configured to use the ArrowPoint Cookie, the CSS will set a cookie and redirect the client's request back to the site by using meta-tags. Each service will have a unique string configured to use for matching a client's requests to a particular server that will be included in the ArrowPoint Cookie. If no string is configured, the CSS will use the service s IP address. 56
Configuring the ArrowPoint Cookie arrowpoint-cookie Assigns the cookie expiration Assigns the cookie path Assign string for each service in the content rule Assigned in the content mode 57
Configuring the ArrowPoint Cookie (cont.) Example: CSS11050 (config-owner-content [cisco-r1] )# arrowpoint-cookie expiration 08:04:02:08 CSS11050 (config-owner-content [cisco-r1) # arrowpoint-cookie path /cgi-bin/ CSS11050 (config-service [server1] )# string server1 58
Configure Advanced Balance ArrowPoint Cookie advanced-balance arrowpoint-cookie Enables the content rule to stick the client to the server Assigned in the content mode Example: CSS11050 (config-owner-content [cisco-r1] ) # advanced-balance arrowpoint-cookie 59
Sticky Serverdown Failover Use the sticky-serverdown-failover command to define what will happen when a sticky string is found, but the associated service has failed or is suspended. The sticky failover default method is for the CSS to use the configured load balancing method. 60
Sticky Serverdown Failover sticky-serverdown-failover balance Set the failover method to use a service based on the configured load balancing method. sticky-serverdown-failover redirect Set the failover method to use a service based on the currently configured redirect string. If a redirect string is not configured, the load balancing method is used. sticky-serverdown-failover reject Reject the content request. sticky-serverdown-failover sticky-srcip Set the failover method to use a service based on the client source IP address. sticky-serverdown-failover sticky-srcip-dstport Set the failover method to use a service based on the client source IP address and the server destination port. 61
Sticky show rule Advanced Balance: cookies Sticky Mask: 255.255.255.255 Sticky Group: 0 Sticky Server Down Failover: Balance String Match Criteria: String Range: 1-100 String Prefix: "UID=" String Eos-Char: ";" String Ascii-Conversion: Enabled String Skip-Len: 3 String Process-Len: 0 String Operation: Match-Service-Cookie 62
Caching Balance Methods balance domainhash/urlhash Hashes host tag or url and load balances based on hash value. balance url Uses the first 3 characters of the URL balance domain Uses the first 3 characters of the domain from the host tag 63
Caching Balance Methods balance srcip Uses source ip address balance destip Uses destination ip address params bypass Automatic bypass of transparent cache Based on a char of? or # after url for L5 rules This is a command in a content rule - disable is the default 64
Cache Service Failover failover bypass Bypass and send to the origin server failover linear Distribute evenly over remaining servers failover next Send the request to the next service based on configuration order 65
Source Groups A Source Group is a collection of local servers that initiate flows from within the local web farm. The CSS lets you treat a group as a virtual server with its own source IP address, typically matching the inbound VIP. NATs private address of servers to Internet routable public addresses (VIP). 66
Configuring Source Groups To configure source groups, use the following syntax: CS100(config)# group Training Training is the name of the newly created group CS100(config-group[Training])# ipaddress 208.208.4.15 Virtual IP address of outbound connections. Same address as inbound VIP To connect to Internet, must be routable address. CS100(config-group[Training])# add service training222 Adds corresponding service to each source group. NOTE: A service may be assigned to only ONE source group. CS100(config-group[Training])# active Make the service active enable outbound connections. 67