CSS 11000 Series: Device Configuration LAB€¦ · (.html, .gif, .cgi) ... Appliance Modular...

1Technical Symposium2002:CSS Lab

CSS 11000 Series:

Device Configuration LABNick DiPietro

Ian Gallagher

Bill Kastelic

Louis Senecal

CSS 11000 Series:

Device Configuration LABNick DiPietro

Ian Gallagher

Bill Kastelic

Louis Senecal


Cisco Content SwitchingApplications

BronzeBronze

Gold

OverflowServers

InternetInternet

• Local Load Balancing= improved utilization and availability(servers, Firewalls, caches)

• User Prioritization= switch and stick by cookie(Silver, Gold, Platinum)

• Client Device Discrimination= switch and stick by client device(PC, PDA, wireless)

• Intelligent Content Positioning= switch by file type(.html, .gif, .cgi)

• Security Optimization= all of the above in SSL (HTTPS) environment

• Global Server Load Balancing= pick best site based on load and proximity(Tokyo, Paris, New York)

Silver


HostingSolution Engine

HostingSolution Engine

Data Center Load BalancingFor Internet and Intranet

Web Servers

ISP-1 ISP-2

Database Servers

PIX™

FirewallPIX™

Firewall

Secure ContentAccelerator

Content Switch Content Switch

Secure ContentAccelerator


CSS11500Management Options

• CLI

• Embedded device management GUI

• CiscoWorks 2000 CiscoView

• Hosting services engine

• SNMP, RMON, log files

• Programmatic management API

555Technical Symposium2002:CSS LabServers, CachesFirewalls, VPNs

Cisco Content Switching Product Line

Decision PointsCSS 11050 CSS 11503 CSM for

Catalyst® 6500

Standalone Standalone Standalone IntegratedAppliance Modular Modular Module

CSS 11506

Max density 1 GE, 8 FE 6 GE/2 GE,32 FE 12 GE/ 2 GE,80 FE 8-178 GE, 46-528 FE

Site activity/intensity Low Medium High Highest

Hardware scalability

Hardware redundancy No No Yes Yes

SSL acceleration External Internal Internal Future Blade

CS management

Session redundancy Future Yes Yes Yes

Layer 2/3 networking

Load balancing Servers, Caches, Firewalls

Form factor


CSS Software Session SpoofingCSS Software Session Spoofing

Internet or

Intranet

DATA DATA

200.20.30.100VIP=192.10.10.1

10.0.3.221

TCP SYN

ACK HTTP GET

TCP SYN ACK

Source IP 200.20.30.100Destination IP 192.10.10.1

TCP SYNTCP SYN ACK






Client WebServer


CSS Software File StructureCSS Software File Structure

C:/

Archive

startup-config

ap0310026 ap0302026 ap0310010 ap0400003

image/

core

log/script/

cli/startup-config

ap0400003

version build

release


Product Features

Server Load Balancing

Content Verification

HTTP Header Load Balancing

Sticky Connections

Support for Web Caching services

Domain Name Services

Network Proximity

HTTP Redirects

NAT Peering


Product Features (cont.)

Smart Content ReplicationReplication for dynamically scalable Web sitesReplication for distributing and updating content

RedundancyWeb Site SecurityFull command line interface (CLI)Embedded Device ManagementService Level Agreement support through:

MIBSNMPRMONLogging subsystem


Command Line Interface (CLI)

ConsoleConnection

TelnetConnection

CSS1

CSS2

A line-oriented interface that has a set of commands for configuring, managing, and monitoring the CSS.

Accessed through a local console or Telnet connection

CS100#


CLI Modes

CS100#

CS100(config)#

CS100>

Username:adminPassword: SuperUser Mode

User Mode

Global Configuration Mode

disable

configure exit or [Ctrl]z

enable(enter username and password)

Subordinate Configuration Modes

bootinterfacecircuit exit [Ctrl]z

.

.

.

Prompt reflects mode


I C S O C

• Interfaces

• Circuits

• Services

• Owners

• Content Rules

Serviceswww_server1

ip address 10.1.1.1keepalive type httpkeepalive port 8001keepalive protocol tcpkeepalive uri “index.html”

www_server2ip address 10.1.1.2keepalive type httpkeepalive port 8001keepalive protocol tcpkeepalive uri “index.html”

Owneracme.com

content Layer5_rulevip address 192.1.1.1service www_server1service www_server2 balance roundrobinurl “/*”

xyz.comcontent Layer3_rule

vip address 192.1.1.2add service server1add service server 2

Interface 1/1bridge vlan 2

Circuit VLAN2ip address 192.1.1.254

Circuit VLAN1ip address 10.1.1.254


ICSOC

• Interface

• Circuit

• Service

• Owner

• Content


Interfaces, VLANs, and Circuits

IPForwarding

(Layer3)

CircuitIP Interfacefor VLAN1

CircuitIP Interfacefor VLAN2

Interface Ethernet-1Interface Ethernet-2



VLAN1

BridgingDomainvlan 1

158.3.7.58

10.3.6.60




VLAN2

BridgingDomainvlan 2


CLILab01-a

•version

•sh installed-software

•sh running

•sh startup

•copy running startup

•configure terminal

•archive

•restore

Shutdown

sh boot-config

sh profile

sh alias

sh chassis


Interface & CircuitLab01-b

!************************** GLOBAL ***************************

!************************* INTERFACE *************************interface e1

bridge vlan 100Interface e5

bridge vlan 10P Interface e6



bridge vlan 10P

!************************** CIRCUIT **************************circuit VLAN100

ip address 10.1.P.254 255.255.255.0

circuit VLAN10P

ip address 192.168.P.254 255.255.255.

P=POD Number

•sh phy

•sh circuit

•sh ip route

•sh ip config

•sh ip statistics

•sh interface

•sh arp

•ping


ICSOC

• Interface

• Circuit

• Service

• Owner

• Content


Service Overview

• A service is a destination location where a piece of content resides

• A service is created first and then added to content rules

• The service is identified by a name that can be associated by anIP address, and optionally, a protocol and port number

www.dogs.com

RASRAS

www.cats.com10.0.3.224 10.0.3.223 10.0.3.222 10.0.3.221

VIP=192.10.10.1

10.0.3.225


Service Configuration

Configuring Server1:• CS100(config)# service Server1• CS100(config-service)[Server1]# type local• CS100(config-service)[Server1]# ip address 10.0.3.221• CS100(config-service)[Server1]# port 81• CS100(config-service)[Server1]# protocol tcp• CS100(config-service)[Server1]# max connections 10• CS100(config-service)[Server1]# weight 1• CS100(config-service)[Server1]# active

RASRAS

10.0.3.221

VIP=192.10.10.1


Service Configuration (cont.)

Configuring Server1:• CS100(config)# service Server1

• CS100(config-service)[Server1]# suspend

• CS100(config-service)[Server1]# exit

• CS100(config)# no service Server1

RASRAS

10.0.3.221

VIP=192.10.10.1


Service KeepaliveService Keepalive

• keepalive frequency

• keepalive maxfailure

• keepalive retryperiod

• keepalive port

• keepalive type

• keepalive method

• keepalive uri

Keepalive Default ping

RASRAS

10.0.3.221

VIP=192.10.10.1


Displaying a Service

• The show service command enables you to display information for a specific service or all services currently configured.

• The show service-summary command displays just summary information for each service.

• The show service command displays the following information:

CS100# show service

Name: Server1 Index: 0 State: ALIVE

Type: Local

Rule ( 10.0.3.210 TCP 81 )

Keepalive: (HEAD:HTTP:/index.html 5 3 5 )

State Transitions: 1

Connections: 0 Max Connections: 0

Weight: 1 Avg Load: 254 Long Load: 0

Mtu 1500 QOS Avg Min Rate: 14400 QOS Min BW: 100000000


Service LabLab02-Section 1

•sh service

•sh service summary

•sh keepalive

•sh keepalive-summary

•monitor “show service summary”


ICSOC

• Interface

• Circuit

• Service

• Owner

• Content


Owner Overview

• Owner = www.cisco.com

• The Owner allows for partitioning of content rules

• Content Rules are always configured under an Owner

• Can specify Owner case sensitivity

• Can specify Owner Address, Billing Information, and Email Address

www.dogs.com

RASRASVIP=192.10.10.1

Server3 Server2 Server110.0.3.223 10.0.3.222 10.0.3.221


Owner Configuration

• When creating an owner, you may want to use the owner’s DNS namefor clarity:

CS100(config)# owner cisco.com

A service type local designates the service for local load balancing. Other options are proxy-cache, transparent-cache, and redirect.

When you create the owner, the CLI drops you into owner mode: CS100(config-owner[cisco.com])#


Displaying an Owner

• The show owner command enables you to display information for a specific owner or all services currently configured.

• The show owner command displays the following information:

CS100# show owner cisco.comOwner Configuration:

Name : cisco.com

Billing Info: finance

Address: 235 Littleton Rd. Westford, MA 01886

Email Address: [email protected]

DNS Policy: none

Case Matching: insensitive


Content Rule Overview

• Describes what content is accessible by visitors to the web site

• Describes how content is mirrored and load balanced to multiple services

• Translates the Owner VIP address using Network Address Translation (NAT) to the service’s IP address and port

• Checks for available services that match the content request

Request to 192.10.10.1www.dogs.com

NAT and Load balanced to 10.0.3.221

www.dogs.com

RASRAS

Server3 Server2 Server110.0.3.223 10.0.3.222 10.0.3.221

VIP=192.10.10.1


Content Rule Overview

• An content rule is a hierarchical rule set containing individual rules that describe which content is accessible by visitors to the web site, how the content is mirrored, on which server the content resides, and how the CSS should process requests for the content.

• When a request for content is made, the CSS:

Uses the owner content rule to translate the owner Virtual IP Address (VIP) using Network Address Translation to the corresponding service IP address and port.

Checks for available services that match the content request.

Uses the content rule to choose which service can best process the request for content.

Applies all content rules to service the request for content (for example, load balancing method, redirects, failover, sticky, cookies)


Creating Content Rules

• The CSS uses content rules to determine:

Where the content physically resides, whether local or remote.

Where to direct the request for content (which service or services).

Which load balancing method to use.

• The types of content rule are as follows:

A layer 3 content rule implies source IP address of the host or network.

A layer 4 content rule implies a combination of source IP address and port.

A layer 5 content rule implies a combination of source IP address, port, and URL that may contain an HTTP cookie.


Assigning Content Rules

• To assign a content rule to an owner, use the content command. You assign content rules to an owner by creating the content rule in the mode for that owner.

• The following example creates a content rule named layer3 and assigns it to the owner cisco.com:

CS100(config-owner[cisco.com])# content layer3

• Once you assign a content rule to an owner, the CLI prompt changes to reflect the specific owner and content rule mode:

CS100(config-owner[cisco.com-layer3])#

From here, the content rule can be entered.

• To remove an existing content rule from an owner, issue the no content command from owner mode:

CS100{config-owner[cisco.com])# no content layer3


Basic Content Rule Config

• To configure a Layer 3 content rule, enter the following from the owner mode:

(config-owner[cisco.com-layer3]# vip address 192.168.11.5

Configure a Virtual IP address for the owner content.

(config-owner[cisco.com-layer3]# balance aca

Specify a load balancing type

(config-owner[cisco.com-layer3]# add service serv1

(config-owner[cisco.com-layer3]# add service serv2

Add previously configured services to the content rule.

(config-owner[cisco.com-layer3]# active

Activates the content rule.

• This rule load balances based on VIP only.

• Only traffic destined for VIP address will get load balanced.


Owner and Content RuleLab02 Section 2,3 and 4

•sh service


•sh rule

•sh rule-summary

•sh summary

•monitor “show summary”


Load Balancing Categories

• General Load Balancing

• Advanced Load Balancing (sticky)


Server Load Balancing

• To specify the load balancing algorithm for a content rule, use the balance command available in content configuration mode:

balance aca - ArrowPoint Content Awareness algorithm. The CSS uses the normalized response time from client to server to determine the load on each service. ACA balances the traffic over the services based on load.

balance roundrobin - Round-robin algorithm (default)

balance weightedrr - Weighted round-robin load balancing. The CSS uses round-robin but weighs some services more heavily than others. You can configure the weight if a service when you add it to this rule.

balance leastconn - Least connections load balancing. The CSS chooses a running service that has the least number of connections.


General PurposeLoad Balancing Algorithms

• Round Robin

• Weighted Round Robin

• Least Connections

• ACA

• Weighted ACA


Round Robin

Server3Server2Server1

Flow 1,4...

Flow 2,5Flow3,6

content rule1vip address 192.10.10.1balance roundrobinadd service server1add service server2add service server3active


Weighted Round Robin

Server3Server2Server1

content rule1vip address 192.10.10.1balance weightedrradd service server1 weight 3add service server2 weight 2add service server3 weight 1

Flow 1,2,3

Flow 4,5Flow 6


Least Connections

Content Smart Switch keeps track of current connections to servers and serves requests to server with the least number of connections

Services:Name: serv1 Index: 0 State: ALIVEType: LocalRule ( 10.0.3.210 TCP 80 )Keepalive: (ICMP 5 3 5 )State Transitions: 0Connections: 2 Max Connections: 0

Name: serv2 Index: 1 State: ALIVEType: LocalRule ( 10.0.3.211 TCP 80 )Keepalive: (ICMP 5 3 5 )State Transitions: 0Connections: 0 Max Connections: 0


• Arrowpoint Content Awareness algorithm

• Load balances servers based on normalized flowattributes calculated at flow tear down time

• Manages dynamic unpredictable server load andperformance

• Periodically calculates server load and dynamicallybalances more flows to fastest servers

• Prunes slow servers from eligible list

ACA Load BalancingACA Load Balancing


• Load step msec dynamic - (10msec default) dynamicor static

• Load threshold - (254 default) is the maximum LoadNumber for service eligibility

• Load reporting - enable or disable

• Load teardown-timer seconds - (20 seconds default)

• Load ageout-timer seconds - (60 seconds default) Intervalto bring back removed services. Resets load to 2.

ACA ParametersACA Parameters


ACA Load Calculation

Load response for 3 servers:Server Name Normalized Response

serverA 100msserverB 1100msserverC 120ms

2

254

Loads with load step-sizeequal to 10ms.

serverA->

serverC-> 4

serverB-> 102

130

2

130

254

serverA&serverC->

serverB-> 12

255255

Load with load step size equal to 100ms

Load Calculation Formula

Fastest Server Assigned = 2

Loadsx=resp sx - resp_fastest sx

+2load step


Show Load

CS100(config)# show loadGlobal load information:

Step Size:Dynamic Configured:10 Actual:10Threshold:254 Ageout timer:60

Service load information:Load Number for Load Number for

Service Name Short Lived Flows Long Lived Flows--------------------------------------------------------------------serv1 2 2serv2 2 2serv3 10 12serv4 254 254


Configuring Basic L7 Server Load BalancingLab03

•sh service


•sh rule

•sh rule-summary

•sh summary



Advanced Load Balancing Algorithms (sticky)

“Sticky” refers to when a load balancing algorithm sticks a client to a specific server based on certain credentials

advanced-balance sticky-srcip

advanced-balance sticky-srcip-dstport

advanced-balance cookies

advanced-balance url

advanced-balance cookieurl

advanced-balance arrowpoint-cookie

advanced-balance ssl


Sticky IP

• advanced-balance sticky-srcipContent Smart Switch “sticks” a client to a server based on the client’s source IP address

Available Layer 3, 4, and 5 content rules

Referred to as Layer 3 Sticky

• advanced-balance sticky-srcip dstportContent Smart Switch “sticks” a client to a server based on the client’s source IP address and destination port

Available Layer 4, and 5 content rules

Referred to as Layer 4 Sticky


Sticky-Mask

• Sticky Mask, masks a group of client ip addresses to preserve the client connection state

• Reduces entries in sticky table (32k Entries Max)

• Mask 255.255.255.0 would provide a single sticky entry for ip addresses with

the 1st 3 octets of ip address in common

Server

IBM CompatibleIBM Compatible

RASRAS

Remote client addresses200.20.30.1 - 200.20.30.254

Sticky mask255.255.255.0


Sticky Cookie

• advanced-balance cookie

• Sticking on the Server that issued the cookie

• Content Smart Switch “sticks” a client to a server based on the cookie that the client sends

• Additional string tools

• Cookie configured for server

• Does not use sticky table

Server1

IBM Compatible

RASRAS

HTTP get

HTTP response cookie: server1;

HTTP get cookie: server1;

service server1ip address 10.0.3.221string server1active

10.0.3.221

content sticky-cookievip address 192.10.10.1url “/*”advanced- balance cookieadd service server1active

vip 192.10.10.1


Sticky URL

• advanced-balanced url

• Enables the content rule to stick a client to a server based on a configured string found in the URL of the HTTP request.

• You can use this option with a Layer 5 HTTP content rule.

• This does not use the sticky table

Server1

IBM Compatible

RASRAS

10.0.3.221

vip 192.10.10.1

HTTP get http//www.dogs.com/spaniels

service server1ip address 10.0.3.221string spanielsactive

content sticky-cookievip address 192.10.10.1url “/*”advanced- balance urladd service server1active


Sticky cookieurl

• Cookieurl provides a primary and fallback mechanism

• First try to match the string found in the service cookie

• If no cookie match found it will go to the

parameters (url extensions) that follows

• Cookieurl does not use the sticky table

Server1

IBM Compatible

RASRAS

10.0.3.221

vip 192.10.10.1

http//www.dogs.com/spaniels/products.jsp?ID=1007

service server1ip address 10.0.3.221string ID=1007active

content sticky-cookieurlvip address 192.10.10.1url “/*”advanced- balance cookieurladd service server1active


Sticky SSL

• Enables the content rule to stick the client to the server basedon the SSL version 3 session ID

• If no session ID is present, the CSS uses the source IP address and destination port to maintain stickiness

• Sticky SSL does use the sticky table


Sticky ArrowPoint Cookie

• Web applications do not need to be modified

• The CSS sets the cookie

• IP address of service can be configured to where the client will be stuck

• Expiration of the cookie can be configured

• Pre determine the path the cookie will use

Server1

IBM Compatible

RASRAS

10.0.3.221

vip 192.10.10.1

http//www.dogs.com/

service server1ip address 10.0.3.221string server1active

content arrowpointvip address 192.10.10.1url “/*”advanced- balance arrwowpoint-cookieadd service server1active


Configuring Advanced L7 Server Load BalancingLab04

•sh service


•sh rule

•sh rule-summary

•sh summary



Overview ArrowPoint Cookie

• When a client makes a request that matches on a Content Rule that is configured to use the ArrowPoint Cookie, the CSS will set a cookie and redirect the client's request back to the site by using meta-tags. Each service will have a unique string configured to use for matching a client's requests to a particular server that will be included in the ArrowPoint Cookie. If no string is configured, the CSS will use the service’s IP address.


Configuring the ArrowPoint Cookie

•arrowpoint-cookie

Assigns the cookie expiration

Assigns the cookie path

Assign string for each service in the content rule

Assigned in the content mode


Configuring the ArrowPoint Cookie (cont.)

•Example:

•CSS11050 (config-owner-content [cisco-R1] )#

•arrowpoint-cookie expiration 08:04:02:08

•CSS11050 (config-owner-content [cisco-R1) #

•arrowpoint-cookie path “/cgi-bin/”

•CSS11050 (config-service [server1] )#

• string server1


Configure Advanced Balance ArrowPoint Cookie

•advanced-balance arrowpoint-cookie

Enables the content rule to stick the client to the server

Assigned in the content mode

•Example:

•CSS11050 (config-owner-content [cisco-R1] ) #

•advanced-balance arrowpoint-cookie


Sticky Serverdown Failover

• Use the sticky-serverdown-failover command to define what will happen when a sticky string is found, but the associated service has failed or is suspended.

• The sticky failover default method is for the CSS to use the configured load balancing method.


Sticky Serverdown Failover

• sticky-serverdown-failover balanceSet the failover method to use a service based on the configured load balancing method.

• sticky-serverdown-failover redirectSet the failover method to use a service based on the currently configured redirect string. If a redirect string is not configured, the load balancing method is used.

• sticky-serverdown-failover rejectReject the content request.

• sticky-serverdown-failover sticky-srcipSet the failover method to use a service based on the client source IP address.

• sticky-serverdown-failover sticky-srcip-dstportSet the failover method to use a service based on the client source IP address and the server destination port.


Stickyshow rule

Advanced Balance: cookiesSticky Mask: 255.255.255.255Sticky Group: 0Sticky Server Down Failover: BalanceString Match Criteria:String Range: 1 - 100String Prefix: "UID="String Eos-Char: ";" String Ascii-Conversion: EnabledString Skip-Len: 3 String Process-Len: 0String Operation: Match-Service-Cookie


Caching Balance Methods

• balance domainhash/urlhash

Hashes host tag or url and load balances based on hash value.

• balance url

Uses the first 3 characters of the URL

• balance domain

Uses the first 3 characters of the domain from the host tag


Caching Balance Methods

• balance srcipUses source ip address

• balance destipUses destination ip address

• params bypassAutomatic bypass of transparent cache

Based on a char of ? or # after url for L5 rules

This is a command in a content rule - disable is the default


Cache Service Failover

• failover bypass

Bypass and send to the origin server

• failover linear

Distribute evenly over remaining servers

• failover next

Send the request to the next service based on configuration order


Source Groups

• A Source Group is a collection of local servers that initiate flows from within the local web farm.

• The CSS lets you treat a group as a virtual server with its own source IP address, typically matching the inbound VIP.

• NATs private address of servers to Internet routable public addresses (VIP).


Configuring Source Groups

• To configure source groups, use the following syntax:

CS100(config)# group Training

Training is the name of the newly created group

CS100(config-group[Training])# ip address 208.208.4.15

Virtual IP address of outbound connections. Same address as

inbound VIP

To connect to Internet, must be routable address.

CS100(config-group[Training])# add service training222

Adds corresponding service to each source group.

NOTE: A service may be assigned to only ONE source group.

CS100(config-group[Training])# active

Make the service active enable outbound connections.

CSS 11000 Series: Device Configuration LAB€¦ · (.html, .gif, .cgi) ... Appliance Modular...

Documents

Transcript of CSS 11000 Series: Device Configuration LAB€¦ · (.html, .gif, .cgi) ... Appliance Modular...