Cisco - ACE

Transcript of Cisco - ACE

1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public APP-1102

Application Control Engine (ACE) Overview

Agenda

• Introduction

• Architecture

• Application Infrastructure Control

• Role-Based Access Control

• Application Security

• Application Availability

• Management

• Roadmap

Introduction

Evolution of the Data Center Infrastructure: Phased Approach

[Diagram: three phases, from bottom to top]

CONSOLIDATION: Centralization and Standardization to Lower Costs, Improve Efficiency and Uptime
  Data Network (LAN, WAN, MAN); Storage Network (SAN); Server Fabric (HPC, Cluster, GRID)

VIRTUALIZATION: Management of Resources Independent of Underlying Physical Infrastructure to Increase Utilization, Efficiency and Flexibility
  Storage, Network, Compute; Enterprise Applications; Intelligent Information Network

AUTOMATION: Dynamic Provisioning and Information Lifecycle Management (ILM) to Enable Business Agility
  Storage, Network, Compute; Business Policies; On-Demand; Service Oriented

Server-Centric to Service-Centric

[Diagram]

Server-Centric: monolithic, proprietary compute silos and application silos

Service-Centric Model: "pools" of standardized resources assembled on demand to create "virtual infrastructure"
  Data Center Network; User Access Network; Shared Application Services; Pooled Compute Resources; Pooled Storage Resources
  Aggregation of storage into SAN
  Prevalence of 1-RU and blade servers with consolidated I/O

Typical Application Environment Today

[Diagram: home/road users and branch office users reach the data center over WAN, VPN and Internet; the majority of users are remote]

Servers in the data center and the protocols they speak:
  Enterprise Applications (Web Servers, App Servers, DB Servers): HTTP, HTTPS
  E-mail Servers (Exchange Servers, Notes Servers): MAPI, IMAP, WebDAV
  File servers: CIFS, NFS, WebDAV
  Legacy Application Servers (Emulation and Citrix Servers, Mainframe & Legacy 2-Tier): ICA, TN3270
  Streaming Media Servers: MMS, RTSP/RTP

• Multiple applications

• Distributed users – partner, supplier

• Complex application environments

• Security and data management concerns

Cisco Application Delivery Business Unit: Application Networking Services

[Diagram]

Client to Application (Application Delivery):
  Branch Office User, Home/Road User and Business Partner over the WAN (HTTP/HTTPS/WebDAV)
  Integrated Services Router with Wide Area Application Engine at the branch; Core WAE Application Engine at the data center
  Data Center: Catalyst Switch, Application Control Engine (CSS/CSM/GSS), Application Velocity System (AVS), Web Servers, File Servers, Exchange, Citrix Servers, NAS, Infiniband

Application to Application (Application Integration):
  Web Servers in the Data Center Intranet and Infrastructure integrated with Web Servers in a Secondary or Partner Data Center (Catalyst Switch, Application Control Engine)

ACE & AVS Innovations At-a-Glance

Application Infrastructure Control
  Innovation: Virtual Partitioning; Hierarchical Management Domains; Role-Based Access Control

Application Performance
  Innovation: Highest Throughput; Maximum Scalability; Multi-tiered reliability, availability, and scalability
  Base: Server Load Balancing; Content Switching; Web Acceleration; Intelligent Compression

Application Security
  Innovation: Richest App-Layer Security*; Hardware-accelerated Protocol Control; Highest Performing NAT & Access Control List (ACL)
  Base: Limited Network Address Translation; DDoS Protection

Infrastructure Simplification
  Innovation: Layer 2-7 Network Integration; Functional Consolidation; Application Network Management solution
  Base: TCP Optimization; SSL Termination; XML API

*Available in AVS Today

Cisco L4-7 Switching Portfolio

Appliances: CSS 11501, CSS 11503, CSS 11506
Modules: CSM, ACE

Architecture

Cisco Application Control Engine (ACE)

Parallel network-processor based architecture with separate control and data paths

ACE – Hardware Architecture

[Block diagram; component labels and link rates as shown on the slide]
  Switch Fabric Interface (16G) and SupConnect (100M) to the Catalyst supervisor
  CDE Switch, 60 Gbps
  Data Plane: network processors NP1 and NP2, 10G each, 16 micro-engines on each, 20B ops / sec
  Control Plane running ACSW OS, 2G
  Daughter Card 1 and Daughter Card 2, 8G each, with SSL Crypto

Dataplane Subsystems on Micro-Engines

• Receive + Fastpath (+ Transmit)

• IP Reassembly + Timers + Syslog

• Inbound Connection Manager

• Outbound Connection Manager

• Connection Close Management

• TCP

• HTTP

• ACL Classification, Forwarding

• NAT

• Application fixups

• SSL Record Layer

• Static and user-configurable REGEX

• TCP Normalization + FixUps

[Diagram: micro-engine pipeline: Rx FastPath, FastPath, IP Frag/Timers, ICM, OCM, CCM, TCP, HTTP, SSL Record, RegEx, FixUps, TCP Norm.]

XScale Processor

• Layer 7 policy matching

• Load balancing algorithms

• SSL Handshake

• FTP and RTSP inspection & fixups

• HA heartbeats

Control Plane Subsystems


• System Manager

• Configuration Manager

• Policy / ACL Compiler

• L2/L3 Services: Route Manager, Interface Manager, ARP

• Health monitoring

• DHCP Relay

ACE and AVS Innovations: Raising the Bar for Application Performance

Industry Leading Application Performance

Highest throughput: 16 Gbps; 345K L4 CPS
  Handles large data files, rich-media applications and large user-base with ease

Maximum scalability: Up to 4 modules in a Catalyst 6500 chassis; Architected for add-on Services
  Pay-as-you-grow without fork-lift upgrade

Multi-tiered reliability, availability, and scalability: Per application; intra-chassis; inter-chassis; inter-data center
  Maximum protection for your critical business

High application performance impact: Patented latency and bandwidth reduction techniques; common inspection engine
  2-5X improvement in application response times

Application Infrastructure Control

Virtual Partitioning – System Separation

One physical device, multiple virtual systems (dedicated control and data path)

Traditional device:
  Single configuration file
  Single routing table
  Limited RBAC
  Limited resource allocation

Cisco Application Infrastructure Control:
  Distinct configuration files
  Separate routing tables
  RBAC with Contexts, Roles, Domains
  Management and data resource control
  Independent application rule sets
  Global administration and monitoring

[Diagram: one device (100%) carved into partitions of 25%, 25%, 20%, 15% and 15%]

Virtual Partitioning – Deployments

[Diagram: a physical device hosting an Admin context plus Context 1 through Context 250; the Admin context holds the context definitions and the resource allocation; a management station authenticates through AAA]

Isolate Depts / Customers / Apps
Rapid Application Roll-out
Lower Cost to deploy / change / add

Virtual Partitions – Resource Control

Per context control
• Guaranteed resource levels for each context
• Support for over-subscription

Guaranteed Rates: Bandwidth; Data connections / sec; Management connections / sec; SSL bandwidth; Syslogs / sec

Guaranteed Memory: Access Lists; Regular expressions; # Data connections; # Management connections; # SSL connections; # Xlates; # Sticky entries
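The guaranteed-minimum and over-subscription model above is expressed on the ACE with resource classes in the Admin context. What follows is an added example written for this page, not configuration taken from the deck or from Cisco documentation; the class names, context names, VLAN numbers and percentages are assumptions.

```cisco
! Admin context. Added example; names, VLANs and percentages are assumptions.

! GOLD: every rate and memory resource (bandwidth, connections/sec, ACL
! memory, regexps, xlates, ...) is guaranteed at 30% per member context and
! capped there (equal-to-min), so a member can neither be starved by a noisy
! neighbour nor burst into another context's share. The sticky table
! defaults to 0 for a context, so it is allocated explicitly.
resource-class GOLD
  limit-resource all minimum 30.00 maximum equal-to-min
  limit-resource sticky minimum 30.00 maximum equal-to-min

! BRONZE: 10% guaranteed, but allowed to use any unallocated capacity
! (maximum unlimited). Management-traffic rate is pinned so a runaway
! XML/SSH/SNMP poller in a low-tier context cannot eat the control plane.
resource-class BRONZE
  limit-resource all minimum 10.00 maximum unlimited
  limit-resource rate mgmt-traffic minimum 5.00 maximum equal-to-min

! Two GOLD + two BRONZE members = 80% of the module guaranteed; the
! remaining 20% is the over-subscription headroom that BRONZE members may
! burst into. The sum of guaranteed minimums across contexts cannot exceed
! 100%, so adding a fifth GOLD member here would be refused.
context PAYMENTS
  description Payment web tier (app team A)
  allocate-interface vlan 110
  allocate-interface vlan 210
  member GOLD

context PARTNER_API
  description Partner-facing API (app team B)
  allocate-interface vlan 120
  allocate-interface vlan 220
  member GOLD

context HR_PORTAL
  description Internal HR portal
  allocate-interface vlan 130
  member BRONZE

context INTRANET_TEST
  description Test and staging, lowest tier
  allocate-interface vlan 140
  member BRONZE
```

The practical check after applying this is `show resource usage` from the Admin context: a context that is hitting its equal-to-min ceiling shows denied allocations there long before its owners notice dropped connections, and that is where a BRONZE-style class with `maximum unlimited` earns its keep.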

ACE in Action: Data Center Consolidation

[Diagram: before, each N-tier application (Web Servers, App Servers, DB Servers) has its own Front End Network; after, a single ACE module hosts multiple virtual partitions C1 through C6, each with its own functions and resources, for the same departments, users and applications]

ACE consolidates horizontal application silos and supports central control with distributed management

Role-Based Access Control

Domains

Grouping of objects in a Virtual Context to restrict management access

Objects can belong to multiple Domains

Max 10 Domains / Context

[Diagram: Context 1 contains VIP1 to VIP4 and real servers R1 to R5; Domain A and Domain B each group a subset of them, with R3 belonging to both]

Default Roles in the System

Operation types a role rule can grant: Create, Modify, Debug, Monitor

• Admin: Access to ALL functions in the context / device

• SLB-Admin: Serverfarm, Servers, Health Monitoring

• Security-Admin: Access Control, Inspection, AAA, NAT

• Server-Maintenance: Servers in/out of rotation

• Server-Application-Maintenance: Servers, Health Monitoring, Load Balancing Rules

• Network-Admin: Interfaces, Routing, NAT, TCP

• Network-Monitor: Access to all show commands only

Application Infrastructure Control: Contexts, Roles, Domains

[Diagram: the Admin context on the physical module holds the definitions of Context A and Context B, the resource allocation and the admin management config. Context A contains VIP1, VIP2, Farm 1 and Farm 2; Context B contains VIP3, Farm 3, Farm 4 and SSL cert 1, 2, grouped into Domain 1 and Domain 2. A management station authenticates through AAA and is mapped to a Role: Admin, Network/Security, Server Admin or Monitor]
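The three controls in the diagram (context, role, domain) compose into a least-privilege grant for one team. The configuration below is an added example written for this page, not the deck's or Cisco's own; context, object, user and password values are assumptions. It gives an on-call operator the ability to take web-tier servers in and out of rotation and nothing else, and a second user read-only access to the same objects.

```cisco
! Admin context. Added example; all names, addresses and passwords are assumptions.
context PAYMENTS
  allocate-interface vlan 110
  allocate-interface vlan 210

! --- the rest is entered inside context PAYMENTS (changeto PAYMENTS) ---
rserver host PAY_WEB1
  ip address 10.10.1.11
  inservice
rserver host PAY_WEB2
  ip address 10.10.1.12
  inservice
serverfarm host SF_PAY_WEB
  rserver PAY_WEB1 80
    inservice
  rserver PAY_WEB2 80
    inservice
rserver host PAY_DB1
  ip address 10.10.2.21
  inservice
serverfarm host SF_PAY_DB
  rserver PAY_DB1 5432
    inservice

! Domain: the set of objects a user may see and act on. A user scoped to
! PAY_WEB_TIER cannot touch SF_PAY_DB even if the role would allow it.
! An object may sit in several domains; a context holds at most 10.
domain PAY_WEB_TIER
  add-object rserver PAY_WEB1
  add-object rserver PAY_WEB2
  add-object serverfarm SF_PAY_WEB

! Role: which operations are allowed on which feature. Anything not
! permitted by a rule is denied, so this operator can read state and take
! reals in/out of rotation, but cannot create or edit serverfarms, VIPs,
! ACLs or SSL material, and has no debug access.
role PAY_OPERATOR
  rule 1 permit monitor
  rule 2 permit modify feature real-inservice

! Users are role x domain. pay_ops is the on-call operator for the web
! tier; pay_audit can only run show commands (predefined Network-Monitor
! role), still limited to the web-tier objects by the domain.
! Type-0 passwords are written here only for readability; the ACE keeps
! them hashed (type 5) in the running-config. In production, authenticate
! these accounts through TACACS+ or RADIUS (aaa authentication login) so
! that the local passwords are a break-glass path, not the daily one.
username pay_ops password 0 ChangeMe-1 role PAY_OPERATOR domain PAY_WEB_TIER
username pay_audit password 0 ChangeMe-2 role Network-Monitor domain PAY_WEB_TIER
```

The useful property is that the two axes are independent: widening the domain (adding SF_PAY_DB) does not give pay_ops any new operations, and widening the role does not expose objects outside the domain. Verify a grant from the user's own session with `show role` and `show domain`, not from the Admin account, which sees everything.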

RBAC in Action: Application Infrastructure Control

[Diagram: without RBAC, the Application team, Server Administrators and Network Administrators all apply config changes to the same device: Continuous Change Request = Bottleneck; prone to conflicting changes and errors. With RBAC, each team operates under its own role: Application role, Server role, Network role]

ACE Innovations: Application Infrastructure Control

The New Standard For Application Delivery Systems

Up to 250 Virtual Partitions

Adapt application infrastructure to business operations

Fewer devices with superior control

Maximum utilization of system & physical resources

Guaranteed performance levels

Centralized control, decentralized management

Improved workflow

Rapid response to application demands

Aligns IT operations with IT organization structure

Hierarchical Management Domains

Role-Based Access Control

TCP Reuse

[Diagram: client connections TCP1, TCP2 and TCP3 are carried over pooled ACE-to-server connections ACE-TCP1 (Pool1) and ACE-TCP2 (Pool2)]

• Connection pools are established per real server per server-farm

• Multiple pools can be established per real server

• A connection is added to the reuse pool upon completion of server response

• Client connections matched to server connections based on TCP options

- sack, timestamp, window_scale, MSS

• Client TCP options/parameters are preserved

Significantly reduces server overhead
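On the ACE, server connection reuse is switched on in an HTTP parameter map and attached to a Layer 7 load-balancing policy. The block below is an added example for this page, not configuration from the deck or from Cisco; the names, addresses and VLANs are assumptions. It also shows the caveat a practitioner hits first: once a server-side connection is shared between clients, the server's socket peer is the ACE, so client identity has to travel in a header instead.

```cisco
! Inside a user context. Added example; names, addresses and VLANs are assumptions.

rserver host WEB1
  ip address 10.1.2.11
  inservice
rserver host WEB2
  ip address 10.1.2.12
  inservice
serverfarm host SF_WEB
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! server-conn reuse enables the pooling described above: after a server
! response completes, the ACE keeps that server-side TCP connection in a
! per-rserver, per-serverfarm pool and hands it to the next client whose
! TCP options (SACK, timestamp, window scale, MSS) match, so the client's
! negotiated parameters are honoured end to end. It applies to Layer 7
! (HTTP) policies only, because the ACE must see request boundaries.
parameter-map type http HTTP_REUSE
  server-conn reuse

! Caveat: with reuse, server-side logs and any IP-based access control on
! the server see the ACE's address, not the client's. Carry the client
! address in a header; %is expands to the client source IP. Configure the
! web servers to trust X-Forwarded-For only when the peer is the ACE.
action-list type modify http INSERT_XFF
  header insert request X-Forwarded-For header-value "%is"

! The ACE denies everything not explicitly permitted: open only the VIP.
access-list CLIENT_IN line 8 extended permit tcp any host 10.1.1.100 eq 80

class-map match-all VIP_WEB
  2 match virtual-address 10.1.1.100 tcp eq 80

policy-map type loadbalance first-match LB_WEB
  class class-default
    serverfarm SF_WEB
    action INSERT_XFF

policy-map multi-match CLIENT_VIPS
  class VIP_WEB
    loadbalance vip inservice
    loadbalance policy LB_WEB
    appl-parameter http advanced-options HTTP_REUSE

interface vlan 110
  ip address 10.1.1.2 255.255.255.0
  access-group input CLIENT_IN
  service-policy input CLIENT_VIPS
  no shutdown

interface vlan 210
  ip address 10.1.2.1 255.255.255.0
  no shutdown
```

A second consequence worth checking before enabling reuse: anything the server keys on the TCP connection rather than on the HTTP request (NTLM-style connection authentication, per-connection rate limits) will now see several clients behind one connection. Those applications need reuse left off for their serverfarm.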


Application Health Monitoring Overview

• Continually monitor the health of Applications and Server availability

• Health Monitoring Support

- “Out-of-band” monitoring

- Ability to monitor a gateway or other remote device for failover purposes

- Optional port and IP address probe configuration

- 15 different native probe types, including TCL support

- 4K unique probe configurations

- 16K probe associations supported
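The probe options listed above (intervals, fail and pass detection, per-port probes, probing an address other than the real server's) look like this on the ACE. This is an added example written for this page, not configuration from the deck or from Cisco; probe names, URLs, addresses and timers are assumptions. The point it makes is the asymmetry between taking a server out and putting it back.

```cisco
! Inside a user context. Added example; names, addresses and timers are assumptions.

! HTTP probe for the web tier. A server is marked failed after 3 missed
! probes at a 10 s interval (about 30 s to detect). It is not returned to
! rotation until it answers 2 consecutive probes at the slower passdetect
! interval, which keeps a half-recovered server from flapping in and out.
! Requiring a body match as well as a 200 stops a "200 OK" error page or
! a default vhost from counting as healthy.
probe http HTTP_HEALTH
  interval 10
  faildetect 3
  passdetect interval 60
  passdetect count 2
  receive 5
  request method get url /healthz
  expect status 200 200
  expect regex "OK"

! Port-level TCP probe for the same hosts on the application port; "open"
! is the connect timeout. Because the probe carries its own port, it can
! be attached to a real that is listed on a different port in the farm.
probe tcp APP_PORT
  port 8443
  interval 15
  open 3
  faildetect 2

rserver host WEB1
  ip address 10.1.2.11
  inservice
rserver host WEB2
  ip address 10.1.2.12
  inservice

! The serverfarm-level probe applies to every real; the probe under an
! individual real adds a second check for that real only. A real is usable
! only when all probes associated with it pass.
serverfarm host SF_WEB
  probe HTTP_HEALTH
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice
  rserver WEB1 8443
    probe APP_PORT
    inservice
```

Read the result with `show probe HTTP_HEALTH detail`: the per-real pass and fail counters there are the first thing to compare against the application's own logs when a server is being pulled from rotation "for no reason", since a probe path (/healthz, the probe's source interface, its timeout) is usually different from what users traverse.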

Application Availability

Most Robust Application Availability

Physical Redundancy – Inter-chassis: an ACE in each of two Catalyst 6500 chassis

Physical Redundancy – Intra-chassis: two ACE modules in one Catalyst 6500

Application Redundancy – Inter-Context: contexts A and B active on ACE-1 with standbys A' and B' on ACE-2; contexts C and D active on ACE-2 with standbys C' and D' on ACE-1 (redundancy groups Red-grp1 to Red-grp4)

FT VLAN carries: TRP protocol packets; Heart-beats; Configuration sync packets; State replication packets

Failover Tracking
• HSRP
• Interface up / down
• Multiple probes with priority
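The inter-context active/active arrangement in the diagram is built from FT groups, one per context, with opposite priorities on the two modules, plus tracking objects that lower a module's priority when something it depends on fails. The configuration below is an added example for this page, not taken from the deck or from Cisco; VLANs, addresses, names, priorities and timers are assumptions, and ACE-2 would carry the mirror image (its own addresses, priorities swapped).

```cisco
! Admin context on ACE-1. Added example; VLANs, addresses, names,
! priorities and timers are assumptions.

! Dedicated FT VLAN: heartbeats, configuration sync and state replication
! travel here. Keep it on a trunk that carries no client or server
! traffic; anything that can inject on this VLAN can push configuration to
! the peer, so treat it as a management network.
ft interface vlan 999
  ip address 192.168.99.1 255.255.255.0
  peer ip address 192.168.99.2 255.255.255.0
  no shutdown

! 300 ms heartbeats, 10 missed = about 3 s to declare the peer dead. The
! query interface (a VLAN interface in the Admin context) lets this module
! ask whether the peer is really gone over a second path before taking
! over, which avoids split-brain when only the FT VLAN is lost.
ft peer 1
  ft-interface vlan 999
  heartbeat interval 300
  heartbeat count 10
  query-interface vlan 100

! FT group 1: PAYMENTS prefers ACE-1 (150 beats the peer's 50).
! Preemption is on by default, so ACE-1 takes PAYMENTS back on recovery.
ft group 1
  peer 1
  priority 150
  peer priority 50
  associate-context PAYMENTS
  inservice

! FT group 2: HR_PORTAL prefers ACE-2. Together the two groups give the
! active/active split shown on the slide.
ft group 2
  peer 1
  priority 50
  peer priority 150
  associate-context HR_PORTAL
  inservice

! --- entered inside context PAYMENTS: failover tracking ---
! Losing the client VLAN subtracts 110 from this module's priority
! (150 -> 40, below the peer's 50): switchover on its own.
ft track interface CLIENT_VLAN
  track-interface vlan 110
  peer track-interface vlan 110
  priority 110
  peer priority 110

! The upstream gateway failing its ICMP probe subtracts only 60
! (150 -> 90, still above 50): on its own it lowers preference without
! failing over, since a probe miss may be the probe's problem rather than
! the gateway's. Combined with any other tracked failure it tips the balance.
probe icmp GW_ALIVE
  interval 5
  faildetect 3
  passdetect interval 10

ft track host UPSTREAM_GW
  track-host 10.1.1.1
  peer track-host 10.1.1.1
  probe GW_ALIVE priority 60
  peer probe GW_ALIVE priority 60
```

`show ft group detail` shows the effective priority after tracking decrements, which is the number to watch: a module that reports active but with priority already eroded by a tracked failure is one more event away from a switchover, and that is not visible from the context's own show commands.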

Benefits of Integration with the Catalyst 6500

• Unique Cisco strength -- presence, market and technology leadership of the Catalyst 6500 enterprise-class switching family

• Leverage all L2-L4 Catalyst 6500 HW-based features (VACLs, QoS, per-flow policing, SPAN, PBR, port-security, Private VLANs, etc…)

• Largest offer of connectivity options: 10/100/1000, 10G, WAN interfaces, copper / fiber, …

• Integration with the MSFC routing table, injecting/removing VIP host routes based on server and application health (Route Health Injection)

• Integration with other L4-7 services modules, with Safe Harbor certified releases (http://www.cisco.com/go/safeharbor/) and integration design documents (http://www.cisco.com/go/srnd/). Includes NAM modules for Network Analysis

Management

Device Management

XML Interface

• Configuration, Provisioning and Monitoring

• All features on ACE can be configured using XML over HTTP / HTTPS

• Monitoring support via XML-ized "show commands"

• XML DTD is available for both Monitoring and Provisioning

SNMP

• Supervisor agent provides environmental status of ACE

• SNMP agent is virtualized to allow SNMP settings per virtual context

• Up to 10 SNMP hosts are supported per virtual context

• ACE supports SNMP v1, v2c and v3

Modular Policy Command (MPC)


Management Solution for ACE and Across Application Networking Services

- Provisioning, Monitoring, Reporting of Virtualized Services

- RBAC - Templates - Rich GUI


ACE Innovations: Infrastructure Simplification

Most Comprehensively Integrated Solution

Reduced footprint; Improved application availability

Layer 2 - Layer 7 network integration: Bi-directional communications between 6500 supervisor and ACE modules

Better application performance; Simpler topologies

Functional consolidation: SLB, SSL, Firewall, protocol optimization

Quick and concurrent application deployment at multiple points

Application Network Manager: Management for virtual partitions, hierarchical management domains across multiple devices

AVS

Cisco AVS 3120 / 3180

Delivery Functions
  Accelerate: Best response time on existing infrastructure
  Optimize: Minimize required network infrastructure
  Offload: Maximize capacity of application infrastructure

Service Functions
  Monitor: Provide end-user quality of service metrics
  Secure: Policy-based protection of app infrastructure
  Manage: Management and exception handling

Typical Deployment with Cisco CSS/CSM

[Diagram: an L7 switch with SSL in front of two virtual IPs, VIP1 and VIP2]

Application Optimization

• Industry's best set of optimizations
  - Dramatic real-time application impact
  - Any web application or web front-end

• Highly configurable
  - Granular rules-based control
  - Pre-built application templates
  - Comprehensive best practices

• No application or desktop changes

• Rapid deployment

• Benefit
  - Application performance engineering in a box

[Diagram: Application Delivery Engine functions: Network Latency Mitigation Techniques; Bandwidth Reduction Options; Server Offload]

Cisco AVS-3120 Manages Network Latency

• Minimizes network roundtrips per page or transaction

• Proxy manages sessions for both clients and servers

• Includes both proprietary and industry-standard features

FlashForward object acceleration

Smart redirect

Fast redirect

TCP Multiplexing

• Multiplies performance benefits under SSL


Cisco AVS 3120 Minimizes Bandwidth Needs

• Converts browser cache into dynamic engine

• Intelligently reduces content payloads

• Includes both proprietary and industry-standard features

Delta Optimization

Smart Image Compression

Just-in-time object acceleration

GZIP and DEFLATE compression

• Leapfrogs compression alone

• Multiplies performance benefits under SSL

• Leverages existing caching and CDN


Cisco AVS-3120 Reduces Server Contention

• Offloads web and application servers

• Provides additional scalability for clustered environments

• Includes both proprietary and industry-standard features

Adaptive dynamic caching

Static caching

TCP connection offload


Cisco AVS-3120 Deployment Scenarios

• AVS 3120 devices are deployed in two configurations:
  – "Inline" using internal clustering for scalability and failover
  – "Out of band" using Layer 4-7 SLB to manage infrastructure

• Proven configurations available with Cisco CSS

• Velocity appears as another web server to the SLB

[Diagram: CSS / CSM and the Application Velocity System, with the function labels Network Integration, Network Security, Application Availability, Service Virtualization, Application Security and Application Acceleration]

Application Control & Optimization

Switch Architecture (Packet Load Balancing): Process packets; Manage Load; Maximize throughput

Also shown between the two: Compression; TCP Offload; SSL Offload

Proxy Architecture (Application Delivery Engine): Process applications; Control Request/Response; Maximize efficiency
  Functions: Network Latency Mitigation Techniques; Bandwidth Reduction Options; End-user Monitoring; Application Firewall; Server Offload

Technology Advantage

Functional Areas / Basic Capabilities / AVS Capabilities (* = Patented)

Accelerate: Network Latency Management
  AVS: Request aggregation / browser cache management*; Browser TCP multiplexing*; PDF download optimization; Response redirection control*

Optimize: Bandwidth Reduction
  Basic: Gzip/DEFLATE compression
  AVS: Delta encoding*; Dynamic browser caching*; Dynamic image optimization (JPG, GIF, PNG); Flexible processing rules

Offload: Server Efficiency
  Basic: TCP connection multiplexing; SSL offload and acceleration; Static caching
  AVS: Configurable dynamic caching*; Load-based caching*; Lazy request evaluation*; Single sign-on optimizations; XML merging/transformation

Monitor: Application QoS
  Basic: Logging; System health checking
  AVS: End-to-end response time monitoring; Business transactions capability; First-line service triage

Secure: Protect Applications and Infrastructure
  Basic: Rules-based protection
  AVS: Out-of-the-box Layer-7 protections; Stateful Content inspection policies; Comprehensive exception handling and monitoring

Management / Integration
  Basic: SNMP access and control
  AVS: Application delivery dashboard; Service-level integration with BMC, HP, etc.

Specific Features and Benefits of the Condenser

Features / Impact / Benefits

Network Latency Mitigation
  Features: Request aggregation; Browser cache management*; Browser TCP multiplexing*; PDF download optimization; Response redirection control*
  Impact: 2X - 5X minimum improvements in response time
  Benefits: Dramatically improved end-user performance

Network Optimization
  Features: Delta encoding*; Dynamic browser caching*; Dynamic image optimization (JPG, GIF, PNG)*; Gzip/DEFLATE compression; Flexible processing rules
  Impact: 70-90% reduction in bandwidth use
  Benefits: Reduce bandwidth costs; Delay or eliminate network upgrades; Better end-user performance

Server Offload
  Features: Configurable dynamic caching*; Load-based caching*; Lazy request evaluation*; Single sign-on optimizations; TCP connection multiplexing; SSL offload and acceleration; Static caching
  Impact: 50% reduction in server cycles
  Benefits: Delay or reduce server purchases; Minimize application licenses; Better performance