Training ACE
Transcript of Training ACE
Cisco Application Control Engine
Pravin Wankhade, NCE GSP-GTP
April 2012
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Agenda
• Background – Load Balancers and ACE
• Product Overview and Recent Releases
• New Capabilities
• Hardware
• Modular Policy CLI
• Virtualization
• Role Based Access Control
• Security Features
• Redundancy
• Deployment
ACE Functionality
What does this thing do?
ACE Function In the Datacenter (in case you didn’t know…)
• ACE is an “Application Delivery Controller” (ADC); “ADC” is the newer term for a server load balancer (SLB).
• An LB/ADC distributes L4–L7 traffic “flows” to application servers.
• Server load balancing (SLB) is critical to *any* scalable application deployment.
[Figure: clients → ACE → application server farm]
• ACE: distributes traffic flows, SSL offload, persistence (sticky), compression, virtualization, application / health checking
• GSS: DC site selection, DNS load balancing, application keep-alive, Geo-DB intelligence
ACE In the Datacenter (in case you didn’t know…)
• ACE integrates with Nexus 7000 OTV functionality.
• ACE uses virtual contexts to provide isolated load balancing per application: up to 250 virtual contexts per module.
• ACE distributes traffic to VM server farms in UCS deployments.
• ACE works with VMware vCenter for manageability and Dynamic Workload Scaling (DWS).
[Figure: 250 virtual contexts on ACE → VMs on UCS, managed through vCenter]
ACE Function In the Datacenter..
• The ACE product family (GSS, Module and Appliance) together with ANM management provides critical application delivery solutions in the globally connected datacenter.
[Figure: clients and Datacenters A, B and C, each fronted by ACE, with ACE GSS in front]
• ACE GSS steers traffic flows to ACE VIPs
• ACE distributes client flows in the datacenter
• ANM provisions, operates, monitors and shows end-to-end connectivity
60 Second Detour – Why do We Need It?
Client View Of the Application (Service)
[Figure: clients → network → server hosting the application (service) endpoint]
• The client has no knowledge or visibility of the underlying network.
Application on its own is not “Robust”
[Figure: performance versus traffic and client load, from no load to high load; the curve ends in application failure and business impact]
ADC View Of the Application
[Figure: clients → network → ACE virtual IP → application server farm; ACE provides SSL offload and health monitoring, with a health probe to each server]
• The ADC scales and enhances the application.
The Load Balanced Application Becomes Robust
[Figure: performance versus traffic and client load, from no load to high load; the curve now stays flat, giving application continuity and business continuity]
Datacenter Expansion Of the Application
[Figure: clients → ACE → server pools for applications A, B and C, with vCenter managing the VMs]
• Multiple apps (services) are virtualized by ACE.
The Evolution of L4 to 7 Services
• Infrastructure simplification with L4–7 services integration
• Converged policy creation, management and troubleshooting
• Reduced latency (single TCP termination for all functions)
[Figure: today, integrated Layer 4 and Layer 7 rules in the Application Control Engine]
Scalable Application
Application on its own is not “Robust”
• The application (a.k.a. service) needs: scalability, reliability, security, mobility (virtualization), manageability.
• Therefore, we use the load balancer to enhance the application…
• …and distribute traffic to all those UCS servers and virtual machines.
Scalability
• N + 1 server scaling
• SNAT
• Compression
• Persistence
Reliability
• Health monitoring
• Failover (server farm)
• Validation
Security
• SSL offload
• DDoS protection
• SNAT
Mobility (virtualization)
• Virtual IP
• Virtual contexts (isolation)
• vCenter integration
• OTV integration
Manageability
• ANM unified view
• KPI monitoring
• Role-based access control (operations and provisioning)
• vCenter plug-in delegation
• Mobile application (iPhone/Android, etc.)
Application ++
Now the scalable application is enabled: Application ++ = scalability, reliability, security, mobility (virtualization), manageability.
Product Overview & Recent Releases
ACE & ANM: Application Delivery Solution For The Virtualized Data Center
• App Service Delivery: integrates load balancing, server offload, compression, app optimization and app security
• Virtualized Architecture: industry leading virtualized Application Delivery Controller (ADC)
• Investment Protection: “pay as you grow” licensing model; increase performance and scale without deploying new hardware
• Established Products: over 30K units deployed world-wide
• Centralized Management: configuration, operations and monitoring of ACE equipment and services
• VMware Integrated: integration with vCenter provides streamlined VM and ACE provisioning and monitoring
• Operations Excellence: secure delegation of service and server tasks for ACE, CSS, CSM, GSS
• IT Agility: granular role-based access control with user activity logging supports managing multi-tenant / multi-use environments
• New ACE30 module shipping: 4–16 Gbps (module), 0.5–4 Gbps (appliance)
ACE Product Portfolio: Complete Application Delivery Solution
• Application Networking Manager (management and provisioning): ANM, ANM VMware plug-in, ANM mobility application (new software)
• Application Delivery Controllers: ACE30 module, 4–16 Gbps, multi-module scaling to 64 Gbps (new 16G bundle, new software); ACE30 system bundles; ACE 4710 appliance, 0.5–4 Gbps (new software)
• Global Load Balancers: ACE GSS appliance, 20K DNS RPS
Recent Product Releases: Software and Management Receive Major Updates
• ACE software A4.2.1 / A5.1.0 delivers: Dynamic Workload Scaling, dual stack IPv4/v6, SLB64 gateway, HTTP/S support for IPv6, IPv6 certification, OCSP support
• GSS software v4.1 delivers: geo-location based GSLB, AAAA record support, IDN support, IPv6 support, DNSSEC ready
• Application Networking Manager (ANM) v4/v5 delivers: application templates, ANM mobile app, ACE 5.1 IPv6 support, Web Services API, DWS support, vCenter integration, virtual ANM
ACE30 Performance: Increased Performance, Capacity and Features
Testing metric       | ACE20         | ACE30   | Increase
L4 CPS               | 325,000       | 500,000 | 54%
SSL TPS              | 15,000        | 30,000  | 100%
SSL bulk throughput  | 3.3 Gbps      | 6 Gbps  | 82%
Compression          | not available | 6 Gbps  | +6 Gbps
ACE30 only, not available on ACE20:
• Higher performance
• Compression
• IPv6 dual stack with translation
• Nexus OTV integration with Dynamic Workload Scaling
• ACE10 and ACE20 end of sale February 2012; all roadmap is now on ACE30
New Capabilities
ACE30 Module – Compression: Accelerating Web Traffic, Improving User Experience
• Challenge: large amounts of client traffic are sent over low-speed links (remote user on shared DSL, roaming user on 56k dial-up, branch office on a 128k leased line), resulting in slow performance and a poor user experience.
• Problem: big page + small pipe.
• ACE solution: small compressed page, small pipe (HTTP compression).
• Compression overview: reduces the amount of HTTP traffic sent between client and server; ACE30 is used at the host site to compress/decompress traffic; clients leverage the compression support in existing web browsers.
• Benefits: up to 90% reduction in the size of web objects; improves application response time; reduces bandwidth costs.
Inband Health Checking: Limiting Server Outage Impact
• Challenge: slow detection of server outages results in lost transactions and delayed time to recovery.
[Figure: clients → Internet → ACE → servers; ACE monitors client connection setups and spots the slow or failed server]
• Inband health check overview: ACE proactively monitors TCP and UDP data on real client flows to detect server failures; it is an internal tracking method on ACE and does not solicit information from servers; it should be combined with probes to meet server failure detection SLAs.
• Benefits: detection moves from seconds (with probes) to milliseconds; unlike probes, the monitoring has no impact on server performance; improves the recovery time for server outages.
ACE Enabled To Deliver IPv6-based Application Services
• All IPv4 modes are supported in IPv6 (one-arm, routed, bridged, ASR)
• IPv6 -> IPv4 and IPv4 -> IPv6 translation modes
• Solution delivery includes IPv6 on the ACE Module, Appliance, ANM and Global Site Selector
• Compliance: USGv6, IPv6 Phase 2 Logo
[Figure: IPv4 and IPv6 clients reaching an IPv4 server farm and an IPv6 server farm through ACE in one-arm, routed or bridged mode: IPv4-to-IPv4, IPv6-to-IPv6, IPv6-to-IPv4, IPv4-to-IPv6]
IPv6 Support on ACE
• Dual stack: IPv4-to-IPv4 and IPv6-to-IPv6; HTTP and DNS inspection for native IPv6-to-IPv6 traffic
• Translation: SLB64 and SLB46 for all Layer 4 load balancing that does not need payload modification or pinholing; SLB64 and SLB46 support L7 load balancing for the HTTP and SSL protocols; NAT64 and NAT46 for all TCP and UDP protocols that do not need payload modification or pinholing; no DNS64 or DNS46 support on ACE
• Mixed v4 and v6 rserver support
• Duplicate Address Detection, Neighbor Discovery, ICMPv6
• IPv6 Phase 2 Logo certification
• Application awareness: HTTP, HTTPS and DNS
New Capabilities: ACE Management with ANM
“Linked Operations Continuity in the Virtualized Datacenter”
Introducing ANM 5
Now featuring enhanced template and DWS / OTV provisioning
ANM 5.x Highlights (new for version 5)
• Application templates: simple application deployment; user export and modify
• IPv6 support: ACE Module, ACE Appliance, ACE Global Site Selector
• ANM Mobile for mobile devices: native iPhone and Android, mobile browser
• API support for app deployment from templates; full provisioning via API
• RBAC for the network and application sections of a template
ANM Visualization: Visualizes the Complete Application Path
[Figure: GSS → ACE → VM]
Hardware
Application Control Engine
Parallel network-processor based hardware with separate control and data-path CPUs
ACE—Hardware Architecture
[Figure components: switch fabric interface (16G); supervisor connection (100M); daughter card 1 and daughter card 2 (8G each); SSL crypto (10G); network processors NP1 and NP2 (10G each); control plane running the ACSW OS (2G); CDE switch (60 Gbps)]
ACE – Detailed Hardware Architecture
[Figure; components as labelled:]
• Control plane: 2x 700 MHz MIPS CPU, 1 GB memory, running the control plane software (ACSW OS)
• Supervisor connection: DBUS/RBUS 16 Gbps bus, EOBC 100 Mbps, Cisco ASIC
• Crypto chip: SSL and IPsec crypto, 40K RSA ops
• Classification/Distribution Engine: 60 Gbps switching capacity, IPv4/IPv6 classification, TCP checksum generation/verification, variable load distribution, 4 FIFO interlinks
• Network processors 1 and 2: parallel NPs handle data processing; 16 micro engines (1.4 GHz) plus an XScale 700 MHz CPU, 1.5 GB RDRAM, 32 MB SRAM, 20B ops/s; 10 Gbps links
• Daughter card expansion slots 1 and 2: field upgradeable, 8 Gbps each; 1 Gbps link
• CEF720 linecard: 16 Gbps bus, 20 Gbps to the switch fabric
Modular Policy CLI
Modular Policy CLI (MPC) in ACE
• The ACE CLI is based on C3PL (Cisco Common Class-based Policy Language)
• Provides a common CLI framework across security implementations in order to define a consistent CLI across platforms
• The CLI aims at seamless integration in configuring SLB, SSL and security features
• No need to session in or enter a sub-mode of configuration for the different features
• Traffic classification is the core functionality for all delivery and security features
Features configurable via Policy CLI
• Features that can be configured via Policy CLI can be grouped as follows:
• “Through” the box traffic: security access-lists, server load balancing, protocol fix-ups and application inspection, NAT, TCP and IP normalization
• “To” the box (management / control plane): restrict access to protocols and/or hosts
Policy CLI Overview
1. Define match criteria
2. Associate actions to match criteria
3. Activate the classification-action rules on either an interface or “globally”
  class-map C1
    match <criteria>
  policy-map P1
    class C1
      <action>
  interface vlanX
    service-policy input P1
Management Traffic “to” ACE
[Figure: management class-map (matches the allowed connections for remote access) → management policy-map → interface service-policy, applied to any interface]
Client Traffic “through” ACE at Layer 7
[Figure: traffic class-map matching VIP connections → multi-match policy-map → interface service-policy, applied to any interface; the multi-match policy references a load-balancing policy-map with a class for URL1 (e.g. GET /example.html), a class for URL2 and a default class, each pointing to a serverfarm of reals (Real1, Real2)]
• Only allow traffic destined to a VIP
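The three steps and the two figures above put together into one context configuration. This is an added example, not a slide from the original deck: the names (REMOTE-MGMT, VIP-WEB, L7-SLB, SF-WEB and so on), the addresses (documentation range 192.0.2.0/24 and RFC 1918 space) and the inband health-check thresholds are assumptions for illustration. The management policy admits only SSH and ICMP from an administrator subnet; the multi-match policy hands HTTP flows for one VIP to a first-match Layer 7 policy that routes by URL. Lines beginning with `!` are annotations for the reader, not ACE commands; strip them before pasting.

```text
! --- Step 1: match criteria ----------------------------------------------
! "to the box": what may reach the ACE itself on an interface
class-map type management match-any REMOTE-MGMT
  2 match protocol ssh source-address 10.10.0.0 255.255.0.0
  3 match protocol icmp source-address 10.10.0.0 255.255.0.0

! "through the box": the VIP; match-all, so only port 80 on this VIP qualifies
class-map match-all VIP-WEB
  2 match virtual-address 192.0.2.10 tcp eq www

! Layer 7 sub-classes used by the SLB policy (the URL argument is a regex)
class-map type http loadbalance match-any URL-NEWS
  2 match http url /news/.*
class-map type http loadbalance match-any URL-SPORT
  2 match http url /sport/.*

! --- Reals, probe, serverfarms (assumed hosts) ----------------------------
probe http HTTP-PROBE
  interval 5
  passdetect interval 10
  request method get url /health.html
  expect status 200 200
rserver host WEB1
  ip address 10.1.1.11
  inservice
rserver host WEB2
  ip address 10.1.1.12
  inservice
rserver host NEWS1
  ip address 10.1.1.21
  inservice
serverfarm host SF-WEB
  probe HTTP-PROBE
  ! inband health check (assumed thresholds): take a real out after 5 failed
  ! client connections, retry it after 60 s, reset the failure count after 300 s
  inband-health check remove 5 reset-timeout 300 resume-service 60
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice
serverfarm host SF-NEWS
  probe HTTP-PROBE
  rserver NEWS1 80
    inservice

! --- Step 2: actions -----------------------------------------------------
policy-map type management first-match MGMT-POLICY
  class REMOTE-MGMT
    permit
! anything else aimed at the ACE itself falls into the implicit deny

policy-map type loadbalance first-match L7-SLB
  class URL-NEWS
    serverfarm SF-NEWS
  class URL-SPORT
    serverfarm SF-NEWS
  class class-default
    serverfarm SF-WEB

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy L7-SLB
    loadbalance vip icmp-reply active

! --- Step 3: activation --------------------------------------------------
! An interface with no access-group passes no through traffic at all, so the
! ACL is the outer gate and the VIP class-map the inner one.
access-list CLIENT-IN line 10 extended permit tcp any host 192.0.2.10 eq www
access-list CLIENT-IN line 20 extended permit icmp any host 192.0.2.10

interface vlan 100
  description client-facing
  ip address 192.0.2.2 255.255.255.0
  access-group input CLIENT-IN
  service-policy input MGMT-POLICY
  service-policy input CLIENT-VIPS
  no shutdown
```

Two defaults are worth knowing when reading `show service-policy CLIENT-VIPS detail` and `show running-config`: an ACE interface without an access-group permits no through traffic, and a context without a management policy on an interface accepts no SSH, SNMP or ICMP on it either, so both the ACL and the management class are allow-lists layered on a deny-by-default device, which is the behaviour you want on a VIP-facing VLAN.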
Virtualization
Models of “Virtualization”
• Abstraction: physical elements are represented by an abstract entity (HSRP, VRRP; VIP, NAT)
• Pooling: multiple physical entities appear as, and are treated as, one (link bundling (EtherChannel®); TCP connection pooling)
• Partitioning: a single physical entity is partitioned into multiple distinct entities (VLANs (data path only); VRFs (data path only); FWSM virtual contexts (both data and control path))
Service Virtualization – System Separation
• Traditional device (100% of the resources to one system): single configuration file; single routing table; limited RBAC; limited resource allocation
• Cisco Application Services Virtualization, one physical device with multiple virtual systems (dedicated control and data path, e.g. 25% / 25% / 20% / 15% / 15%): distinct configuration files; separate routing tables; RBAC with contexts, roles, domains; management and data resource control; independent application rule sets; global administration and monitoring
Service Virtualization – Resource Control
• Per-context control: guaranteed resource levels for each context; support for over-subscription
• Guaranteed rates: bandwidth, data connections/sec, management connections/sec, SSL bandwidth, syslogs/sec
• Guaranteed memory: access lists, regular expressions, data connections, management connections, SSL connections, xlates, sticky entries
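How the guaranteed rates and memory above are expressed in the Admin context, as an added example that is not part of the deck: the two resource classes, the two contexts and the percentages are assumptions for illustration. `!` lines are reader annotations, not commands.

```text
! Admin context. The minimums of all classes together must fit in 100% of
! the module; "maximum unlimited" is what permits over-subscription.
resource-class GOLD
  limit-resource all minimum 20.00 maximum equal-to-min
  ! specific limits override "all" for that resource
  limit-resource rate bandwidth minimum 20.00 maximum unlimited
  limit-resource rate connections minimum 20.00 maximum unlimited
  limit-resource rate mgmt-connections minimum 5.00 maximum equal-to-min
  limit-resource rate syslog minimum 5.00 maximum equal-to-min
  limit-resource sticky minimum 10.00 maximum equal-to-min
  limit-resource regexp minimum 10.00 maximum equal-to-min
  limit-resource xlates minimum 10.00 maximum equal-to-min

resource-class BRONZE
  limit-resource all minimum 5.00 maximum equal-to-min

context TENANT-A
  description Tenant A web tier, guaranteed share, may borrow idle capacity
  allocate-interface vlan 100
  allocate-interface vlan 110
  member GOLD

context TENANT-B
  description Tenant B, fixed best-effort share
  allocate-interface vlan 200
  member BRONZE
```

A context that is not a member of any class sits in the default class, whose minimum is 0 and maximum unlimited; two such contexts can starve each other, which is the noisy-neighbour problem this slide exists to prevent. `show resource allocation` shows what each class promises and `show resource usage` what each context is actually consuming against its minimum and maximum.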
ACE Virtual Partitioning Deployments
1. Isolate departments or customers: provide direct configuration access; reduce exposure to critical config components; provide consistent access across GUI, API and CLI; dedicated resources
2. Isolate applications: guarantee resources to critical applications; isolate from the impact of other app roll-outs; central config file for managing policy change; reduced complexity of security/application rules; possibility of a parallel test environment with no impact on production
ACE in Action: Applications over Multiple Load Balancers
[Figure: an enterprise network with a growing number of applications, each (App A, App B, App C, App D) behind its own load balancer]
ACE in Action: Applications over Multiple Load Balancers
[Figure: the same enterprise network served by two ACE devices; App A–D sit in virtual partitions 1–4 of the first ACE and App E–F in virtual partitions 1–2 of the second]
ACE Virtual Partitioning and App Security in Action: Multi-tier Applications
[Figure, before: enterprise network → firewalls → load balancer → front-end servers → load balancer → application servers → load balancer → database servers]
[Figure, after: enterprise network → front-end firewalls → one ACE with application infrastructure control and application security, holding an FE virtual partition, an APP virtual partition and a DB virtual partition in front of the front-end, application and database servers]
Virtualization in Action: Data-Center Consolidation
[Figure: two N-tier applications (front-end network, web servers, app servers, DB servers each) consolidated onto a single ACE module with multiple contexts C1–C6]
Role-Based Access Control
Role Based Access Control (RBAC)
• Fully integrated role-based access control
• Four main levels of actions over categories of commands: 1. create, 2. modify, 3. debug, 4. monitor
• Roles are defined by specifying which actions can be performed on the sets of commands
• Pre-defined roles
• New roles can be created to adapt to different organization structures
Default Roles in the System
• Admin: access to all functions in the context/device
• SLB-Admin: serverfarm, servers, health monitoring
• Security-Admin: access control, inspection, AAA, NAT
• Server-Maintenance: servers in/out of rotation, debug of SLB functions
• Server-Application-Maintenance: servers, health monitoring, load balancing rules
• Network-Admin: interfaces, routing, NAT, TCP
• Network-Monitor: access to all show commands only
Domains
• Control over user access to instances of objects
• Flexible multi-user maintenance operations
[Figure: context 1 containing VIP1–VIP4 and reals R1–R6, split into Domain A and Domain B]
Contexts, Roles, Domains
[Figure: a physical module with an Admin context (context A definition, context B definition, resource allocation, admin management config) and contexts A and B; context A holds VIP1, VIP2, Farm1 and Farm2 in Domain1 and VIP3, Farm3, Farm4 and SSL certs 1 and 2 in Domain2; a management station authenticates through AAA and is assigned a role such as Admin, Network/Security, Server Admin or Monitor]
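A role plus a domain, as the figure describes them, expressed in a user context. Added example, not from the deck: the role name, the domain, the object names and the user names are assumptions, and the passwords are placeholders to be replaced. `!` lines are reader annotations.

```text
! In context TENANT-A: an operations role that can only take reals in and out
! of rotation and look at SLB state. Rules are permit/deny over the four
! operations (create, modify, debug, monitor); anything not permitted is denied.
role SERVER-OPS
  description In/out of service only, read-only otherwise
  rule 1 permit modify feature real-inservice
  rule 2 permit monitor feature rserver
  rule 3 permit monitor feature serverfarm
  rule 4 permit monitor feature probe
  rule 5 permit monitor feature loadbalance
  rule 6 permit monitor feature sticky

! A domain narrows those rights to named object instances. A user with no
! domain gets default-domain, i.e. every object in the context.
domain APP-NEWS
  add-object rserver NEWS1
  add-object rserver NEWS2
  add-object serverfarm SF-NEWS
  add-object probe HTTP-PROBE

! "password 0" is cleartext at entry time; replace the placeholder.
username ops-news password 0 REPLACE-ME role SERVER-OPS domain APP-NEWS

! A context administrator: the predefined Admin role, all objects, but still
! confined to this context. Only users of the Admin context can "changeto"
! another context.
username tenant-admin password 0 REPLACE-ME role Admin
```

With this in place `ops-news` can run `no inservice` on NEWS1 but gets a permission error on WEB1 (outside the domain) and on any `serverfarm` configuration command (no create/modify rule for that feature). `show role`, `show domain` and `show user-account` confirm what was granted; check them after every change, since a rule added with the wrong operation widens access silently.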
Security Features
Security Features in ACE
• TCP/IP normalization: built-in transport protocol security; user configurable, to meet security requirements
• Application protocol inspection
• Advanced HTTP inspection: RFC compliance; MIME type validation; prevent tunneling protocols over HTTP ports
IP Normalization Address Checking
• Always enabled
• Entirely performed in hardware
• The following packets are dropped:
1. src IP == dest IP
2. src IP or dest IP == 127.x.x.x (loopback)
3. dest IP >= 240.0.0.0 (reserved / class E)
4. src IP == 0.x.x.x
5. src IP >= 224.0.0.0 (multicast or reserved source)
• src IP == 0.0.0.0 with dest IP == 255.255.255.255 is allowed, for DHCP requests
Hardware-Based TCP Normalization
TCP standard header checks, always performed:
I. src port and dest port != 0
II. Only a SYN packet is allowed to create a connection
III. TCP header >= 20 bytes
IV. TCP header <= ip->length – ip->header_length
V. URG flag cleared if urg_pointer is zero
VI. If the URG flag is not present, urg_pointer is cleared
VII. Illegal flag combinations dropped (SYN|RST etc.)
User configurable:
I. reserved bits: allow/clear/drop
II. URG flag: allow/clear/drop
III. syn-data: allow/drop
IV. exceed-mss: allow/drop
V. random-seq-num-disable (random sequence numbers)
Also performed:
• TCP option processing
• TCP state tracking
• TCP window checking
Inspection in ACE
Protocol-specific inspection supported for:
• FTP
• Strict FTP
• RTSP
• ICMP
• DNS
• HTTP/S
Depending on the protocol, inspection is performed on the NP CPU or on the NP micro engines.
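The user-configurable part of the TCP normalization slide and the advanced HTTP inspection from the slide before it, both expressed in the policy CLI and attached to the same VIP class. This is an added example rather than deck content; the parameter-map and class names, the thresholds, and the VIP class VIP-WEB and Layer 7 policy L7-SLB (assumed to exist in the context) are all assumptions. `!` lines are reader annotations.

```text
! Stricter TCP normalization than the defaults for an Internet-facing VIP.
parameter-map type connection TCP-STRICT
  reserved-bits drop
  urgent-flag clear
  syn-data drop
  exceed-mss drop
  tcp-options timestamp allow
  tcp-options selective-ack allow
  tcp-options window-scale allow
  set timeout inactivity 300
  set tcp timeout embryonic 20

! Bound the HTTP parse so an oversized header cannot push a request past the
! inspector; drop rather than "continue" when the bound is exceeded.
parameter-map type http HTTP-STRICT
  set header-maxparse-length 4096
  set content-maxparse-length 4096
  length-exceed drop

! HTTP inspection. RFC compliance is checked by default; this class resets
! connections that misuse port 80 for tunnels, P2P or IM, use CONNECT/TRACE,
! carry a traversal sequence in the URL, or post more than 1 MiB.
class-map type http inspect match-any HTTP-BLOCK
  2 match port-misuse tunneling
  3 match port-misuse p2p
  4 match port-misuse im
  5 match request-method rfc connect
  6 match request-method rfc trace
  7 match url .*\.\./.*
  8 match content length gt 1048576

policy-map type inspect http all-match HTTP-INSPECT
  class HTTP-BLOCK
    reset
  class class-default
    permit

! Attach to the VIP class of the existing multi-match policy.
policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy L7-SLB
    connection advanced-options TCP-STRICT
    appl-parameter http advanced-options HTTP-STRICT
    inspect http policy HTTP-INSPECT
```

Note the lookup order from the Modular Policy CLI section: normalization runs before load balancing, and inspection after it, so a segment dropped by TCP-STRICT never reaches the SLB decision, while a request rejected by HTTP-INSPECT has already been classified to a VIP. `show conn detail` and `show stats inspect` show which stage is discarding traffic when a legitimate client starts failing after these are applied.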
Redundancy
Redundancy Model
• Redundancy groups (fault tolerance, FT groups) are configured based on virtual contexts.
• Two instances of the same context (on two distinct ACE modules) form a redundancy group, one being active and the other standby.
• The peer ACE can be in the same or a different Catalyst 6k chassis.
• Both ACE modules can be active at the same time, processing traffic for distinct contexts and backing each other up (stateful redundancy).
Example: 2 ACE modules, 4 FT groups, 4 virtual contexts (A, B, C, D)
[Figure: ACE-1 and ACE-2 connected by the FT VLAN; FT group 1: A active / A’ standby; FT group 2: B active / B’ standby; FT group 3: C active / C’ standby; FT group 4: D active / D’ standby]
Fault Tolerant VLANs
• There is a designated VLAN (FT VLAN) between the ACE pairs
• All redundancy-related traffic is sent over this VLAN:
1. TRP protocol packets
2. Heartbeats
3. Configuration sync packets
4. State replication packets
Types of Configuration Sync
• Bulk sync: the entire configuration is transferred in bulk from active to standby; HA is in the Active/Standby_config state during bulk sync
• Incremental sync: a line-by-line sync of the configuration as it is being configured on the active; HA is in the Active/Standby_hot state during incremental sync
Failover Tracking
• HSRP: the Supervisor notifies ACE of all state changes for the HSRP group
• Interface: the Supervisor sends UP and DOWN events to ACE
• Host: multiple probes may be configured, each with a priority; the individual probe priorities provide granular control of ACE failover
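The redundancy model, the FT VLAN and interface/host tracking above, as one configuration for the first module of a pair. Added example, not from the deck: VLAN numbers, addresses, priorities, context names and the probe are assumptions; the peer module carries the mirror image (addresses swapped, priority and peer priority reversed). `!` lines are reader annotations.

```text
! ---- Admin context on ACE-1 ------------------------------------------------
! Dedicated FT VLAN: heartbeats, config sync and state replication all
! travel here, so it should be a point-to-point VLAN between the two chassis
! and nothing else should be able to reach it.
ft interface vlan 999
  ip address 10.255.255.1 255.255.255.252
  peer ip address 10.255.255.2 255.255.255.252
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 999

! One FT group per context. TENANT-A prefers ACE-1 and TENANT-B prefers
! ACE-2, so both modules carry traffic while backing each other up.
ft group 1
  peer 1
  priority 150
  peer priority 50
  associate-context TENANT-A
  inservice
ft group 2
  peer 1
  priority 50
  peer priority 150
  associate-context TENANT-B
  inservice

! ---- Inside context TENANT-A: failover tracking ------------------------------
! Each failed tracked object subtracts its priority from the group priority;
! when the peer's remaining priority is higher it takes over (subject to the
! group's preempt setting).
ft track interface TRACK-CLIENT-VLAN
  track-interface vlan 100
  peer track-interface vlan 100
  priority 60

probe icmp ICMP-GW
  interval 5
  passdetect interval 10

ft track host TRACK-GATEWAY
  track-host 192.0.2.1
  peer track-host 192.0.2.1
  probe ICMP-GW priority 60
  peer probe ICMP-GW priority 60
```

`show ft group detail` shows the effective priority after tracking deductions and the state (Active/Standby_config during bulk sync, Standby_hot once incremental sync has caught up); `show ft peer detail` shows the heartbeat counters. Two things are not synchronized by the FT mechanism and have to be done on both modules by hand: licences, and the SSL certificates and keys in each context's crypto store.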
Deployments
Typical Data Center Design with ACE
[Figure: enterprise campus core → aggregation with L4-7 services (ACE) → L2 or L3 access → web / front-end servers, database / application servers, mainframe]
ACE Deployed in Router Mode
• Client VLAN and server VLANs on different IP subnets
• Servers’ default gateway is the ACE alias IP
• All data VLANs and the FT VLAN carried over port-channels
• Each Cisco Catalyst has redundant physical links to each access switch
• Serverfarms can span multiple access switches
• Management access to servers requires an access-list
[Figure: two Catalyst chassis (MSFC each) with a data port-channel and an FT control port-channel between them, each with redundant links to the access switches]
ACE Deployed in Bridge Mode
• Pairs of one client and one server VLAN on the same subnet (a BVI is used to “merge” the two VLANs)
• Limit of two VLANs in the same subnet
• Servers’ default gateway is the MSFC (or other router) HSRP virtual address
• All data VLANs and the FT VLAN carried over port-channels
• Each Cisco Catalyst has redundant physical links to each access switch
• Serverfarms can span multiple access switches
• Management access to servers requires an access-list
[Figure: two Catalyst chassis (MSFC each) with a data port-channel and an FT control port-channel between them, each with redundant links to the access switches]
ACE Deployed in One-Arm Mode
• Single VLAN on ACE
• Servers’ default gateway is the MSFC HSRP IP
• All data VLANs and the FT VLAN carried over port-channels
• Each Cisco Catalyst has redundant physical links to each access switch
• Serverfarms can span multiple access switches
• Management access to servers bypasses ACE
[Figure: two Catalyst chassis (MSFC each) with a data port-channel and an FT control port-channel between them, each with redundant links to the access switches]
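A one-arm context, the mode where the last bullet matters most: because the servers' gateway is the MSFC and not the ACE, server replies only come back through the ACE if the VIP policy source-NATs the client. Added example, not from the deck; VLAN, addresses, pool and object names are assumptions, and the reals are minimal so the fragment stands on its own. `!` lines are reader annotations.

```text
! Single VLAN shared with the MSFC HSRP gateway 192.0.2.1 (assumed).
access-list CLIENT-IN line 10 extended permit tcp any host 192.0.2.10 eq www

rserver host WEB1
  ip address 10.1.1.11
  inservice
rserver host WEB2
  ip address 10.1.1.12
  inservice
serverfarm host SF-WEB
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

class-map match-all VIP-WEB
  2 match virtual-address 192.0.2.10 tcp eq www

policy-map type loadbalance first-match L7-SLB
  class class-default
    serverfarm SF-WEB
    ! after SNAT the servers see the pool address, so hand them the real
    ! client address in a header for their own logs and access decisions
    insert-http X-Forwarded-For header-value "%is"

policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy L7-SLB
    ! without this line replies go MSFC -> client directly and the flow breaks
    nat dynamic 1 vlan 100

interface vlan 100
  ip address 192.0.2.2 255.255.255.0
  peer ip address 192.0.2.3 255.255.255.0
  alias 192.0.2.4 255.255.255.0
  ! PAT pool: four addresses is plenty for a small farm, many ports each
  nat-pool 1 192.0.2.20 192.0.2.23 netmask 255.255.255.255 pat
  access-group input CLIENT-IN
  service-policy input CLIENT-VIPS
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

The security consequence of “management access to servers bypasses ACE” is that the ACE access-list above protects only traffic to the VIP; anything addressed to 10.1.1.11 directly is routed by the MSFC and never sees this context, so filtering of direct server access has to live on the MSFC or a firewall. `show xlate` confirms that every active flow has a pool address as its source on the server side; if it does not, the `nat dynamic` line is missing from the class that matched.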
ACE Virtual Contexts Mapped to VRFs
• Virtual contexts can be mapped to VRFs on the MSFC
• Or directly to external routers
• VRF-aware Route Health Injection (add/remove routes to/from the MSFC main routing table as well as VRF routing tables)
[Figure: VRF A and VRF B on the MSFC mapped to contexts A, B and C]
Further Assistance
Cisco ACE Family Webpage: www.cisco.com/go/ace/
Cisco ACE Applications: http://www.cisco.com/go/optimizemyapp
Cisco Validated Designs: http://www.cisco.com/go/cvd
Cisco Design Zone: http://www.cisco.com/go/srnd
Doc Wiki: http://docwiki.cisco.com/wiki/ACE
PDI Helpdesk: www.cisco.com/go/pdihelpdesk
Further Assistance (internal only)
PDI Helpdesk: www.cisco.com/go/pdihelpdesk/
DCAS KB: dcaskb/
DCAS CEC Page: wwwin.cisco.com/dss/adbu/dcas/
DCAS Cisco.com Page: www.cisco.com/go/ace/
Thank you.
Backup Slides
ACE30 Detailed Hardware Architecture
[Figure; components as labelled:]
• Control plane: 2x 700 MHz MIPS CPU, 1 GB memory, control plane software (ACSW OS)
• Supervisor connection: DBUS/RBUS 16 Gbps bus, EOBC 100 Mbps, Cisco ASIC
• Classification Distribution Engine (CDE): 60 Gbps switching capacity, IPv4/IPv6 classification, TCP checksum generation/verification, variable load distribution; 8 Gbps links to the daughter cards, 1 Gbps to the control plane
• Daughter card 1: network processors 1 and 2, each with 4 GB DRAM, shared memory and a Verni FPGA
• Daughter card 2: network processors 3 and 4, each with 4 GB DRAM, shared memory and a Verni FPGA
• Network processors: Cavium Octeon CN5860 (OcteonPlus), 16 cores at 600 MHz with 4 GB DRAM, 32K iCache, 16K dCache, 2 MB L2 cache; on-chip support for encryption/decryption; coprocessors for compression/decompression
• CEF720 line card: 16 Gbps bus, 20 Gbps to the switch fabric
ACE30 Simplified Hardware Architecture
[Figure components: switch fabric interface (16G); supervisor connection (100M); daughter card 1 with NP1 and NP2 (8G); daughter card 2 with NP1 and NP2 (8G); control plane running the ACSW OS (1G); CDE switch (60 Gbps)]
Initial L7 Services Cluster Topology
[Figure: clients → FED cluster (active/standby, enhanced HA) → BED cluster scaling L7 services → servers; L7 services can scale until L4 capacity is met]
Modular Policy CLI
Detailed
Class-maps
• Class-maps are used to classify “interesting” L3-4/L7 traffic; they contain a set of match statements specifying the match criteria
• Class-maps are ‘typed’ based on the protocol and the actions being performed for a given traffic classification
• Support both logical AND (match-all, the default) and logical OR (match-any) semantics
• Notion of class-default: a well-known class-map that matches any traffic if none of the user-specified class-maps in a policy-map match
• Every match statement has a “line” number, for easy deletion/modification of a particular match statement
Nested Class-maps
• A class-map can associate an existing class-map of the same type using the match class-map statement
• Supported only for L7 class-maps; up to 2 levels of association
• Used to achieve more complex logical expressions: easy combination of AND and OR statements
  class-map type http loadbalance match-any C1
    match http url “/news”
    match http url “/sport”
  class-map type http loadbalance match-all C2
    match http header User-Agent header-value FireFox
    match class-map C1
Policy-maps
• Policy-maps are ‘typed’ as per the action/feature
• Policy-maps exist for both L3-4 and L7 actions; the L7 policy-maps are child policies within an L3-L4 policy-map and cannot be applied to an interface directly
• Support for various execution semantics as dictated by the specific feature
• If none of the classifications specified in a policy-map match, the default actions specified against “class-default” are executed
• Support for inline match statements for ease of use; these are allowed only for L7 match statements
• Support for flexible class-map ordering within a policy-map
ACE Policy CLI… (specifying actions): Policy-map Format
  [no] policy-map type <main-type> <sub-type> {first-match|all-match|multi-match} <policy-name>
    [no] class <cmap-name>
      action1
    [no] class class-default
      default-action
Example:
  policy-map type loadbalance first-match SLB-POLICY
    class C1
      serverfarm SF1
    class C2
      serverfarm SF2
    class class-default
      serverfarm BACKUP
Policy Execution Semantics
• first-match: the class-action pairs within the policy-map are looked up sequentially and the actions listed against the first matching class-map are executed; the order of class-maps within the policy-map matters. E.g. policy-maps of type ‘loadbalance’, ‘management’ and ‘ftp’
• all-match: an attempt is made to match traffic against all classes in the policy-map and the actions of all matching classes are executed. E.g. policy-map of type inspect http
• multi-match: the policy-map supports multiple feature actions and each feature by itself can have only one match (first match); the policy as a whole has multiple matches due to the multiple features
Inline Match Statements
• Support for inline match statements for ease of use, especially if there is only a single match criterion to specify; currently allowed only for L7 policy-maps
• An ‘action’ can be specified against only a single match statement in the policy; to specify actions against more than one match statement, use a class-map
  class-map type http loadbalance match-any TEST
    match http header User-Agent header-value “.*IE.*”
    match http url “.*jpg.*”
  policy-map type loadbalance first-match TESTPOLICY
    match M1 http url “/finance”   (inline match statement)
      serverfarm farm1
    class TEST   (pre-defined class-map)
      serverfarm farm2
Activating policy
• Policies are activated on an interface or globally using the ‘service-policy’ command
  syntax: service-policy [input | output] <policy-name>
• The policy-map can be enabled in the ‘input’ or ‘output’ direction, or both
• Policy-maps applied globally in a context are internally applied on all interfaces existing in the context
Policy Lookup Order
• There can be many features applied on a given interface, so the feature lookup order is important
• The feature lookup order followed by the ACE datapath is:
1) Access control (permit or deny a packet)
2) Management traffic
3) TCP normalization / connection parameters
4) Server load balancing
5) Fix-ups / application inspection
6) Source NAT
7) Destination NAT
• The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface