IT-Symposium 2005 05. April 2005
www.decus.de 1
Application Switching Technology and Benefits
Slide 2: Agenda
• Application and Server Farm Challenges
• Application Switching Technology Fundamentals
• Benefits of Application Switching
• Foundry Application Switching Highlights
• Summary
Slide 3: Business-Critical Enterprise Application Requirements
[Diagram: business-critical IP and web application services at the hub, surrounded by the six requirements below.]
• High Availability
• Scalability
• Network Resiliency
• Security
• Manageability
• Performance
Slide 4: High Availability and Security Challenge
[Diagram: clients reach a server farm (Web, Financial and ERP applications) across the IP network; a hacker launches a DoS attack against the same farm.]
• Service Availability Challenges
  Server or application goes down
  Application software or OS needs patching
  Server load surges and performance declines
  Data center loses power
• Networked Applications are Subject to Vulnerabilities
  Denial of service attacks
  Virus and worm attacks
  Application level exploits
  Abuse of server and network resources
Result: disruption to service and loss of revenue and/or productivity
Slide 5: Poor Server Performance, Scalability and Utilization Results in Poor ROI
[Diagram: as needs grow, the server farm (Web, Financial and ERP applications) is replaced wholesale in a forklift upgrade.]
• Performance and Response Time Suffer when Load Surges
• Poor Server Utilization with Protocol (TCP/IP) Overhead
• Forklift Upgrades to Meet Growing Demands
• Service Disruption During Upgrades
• No Investment Protection
Slide 6: Agenda (repeated)
Slide 7: Virtual Server Farms for High Availability, Security and Scalability
[Diagram: application switching places a virtual application infrastructure in front of the server farm (Web, Financial and ERP applications).]
Application Switches Enable
• On Demand Server Scalability
• High Availability Automatic Failover
• Best Response Time and Performance
• Protection of the Server Farm from Network- and Connection-Level Attacks
• Server Resource Conservation by Offloading Functions to the Network
• Maximized Server Utilization and Better Return on Investment (ROI)
Slide 8: Application Switching and Load Balancing Overview
[Diagram: clients on the IP network connect to the application switch (virtual application infrastructure), which distributes their requests across the server farm of web application servers.]
• Application Switch Receives All Client Requests
• Selects "Best" Resource Using Real-Time Health and Performance
• Utilizes All Resources Simultaneously
• Intelligently Distributes Load to All Available Resources
• User Configurable Choice of Methods
• Shields the Server Farm from Attacks and Abuse
Slide 9: Application Switching and Virtual Server Farm Fundamentals
[Diagram: clients send to VIP 40.1.1.1, which is owned by the application switch. Real servers 10.1.1.10, 10.1.1.20 and 10.1.1.30 sit behind it, with their default gateway set to the switch's server-side address 10.1.1.1.]
Client message: Source IP = Client IP, Destination IP = Load Balancer VIP
After NAT: Destination IP = 10.1.1.10 (the selected server); Source IP is also rewritten if SNAT is used
Default Gateway = Load Balancer IP (so server replies come back through the switch for the reverse translation)
VIP = Virtual IP
NAT = Network Address Translation
SNAT = Source NAT
• Clients Connect to Application Services using the Virtual IP (VIP)
• VIP Address is Owned by the Application Switch
• Application Switch Performs Address Translation after Server Selection
• Server Addressing Stays Private: clients only ever address the VIP and never learn or reach the real server IPs directly
Slide 10: Stateful Load Balancing and Session Table
[Diagram: four client flows (1-4) arrive at VIP 192.1.1.1; the application switch (server-side GW IP 10.1.1.1) binds each to one of the real servers 10.1.1.10, 10.1.1.20 and 10.1.1.30.]
Session Table:
  Src. IP       Dest. IP    Src. Port  Dst. Port  Server
  188.1.1.100   10.1.1.10   100        80         RS1
  188.1.1.101   10.1.1.20   250        80         RS2
  188.1.1.102   10.1.1.30   495        80         RS3
• Session Boundaries are Maintained for the Duration of the Session
• Each User Flow is Assigned a Session Entry in the Table
• Each Flow is Bound to a Specific Server
• All Messages over a Flow are Sent to the Same Server
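The VIP, NAT and session-table behaviour of slides 9 and 10, as an added Python model written for this page (illustrative code, not Foundry's ServerIron implementation). The addresses follow the slides (VIP 40.1.1.1, real servers 10.1.1.10 to 10.1.1.30); the SNAT address 10.1.1.1, the port range it allocates from, and the use of smooth weighted round-robin as the selection method are assumptions, since the slides do not name a method. The reverse path shows why the servers' default gateway must be the switch: a reply that does not pass back through the switch cannot be un-translated.

```python
"""Stateful Layer 4 virtual server: VIP-to-real-server NAT driven by a session table."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"
    payload: bytes = b""


class L4Switch:
    """Owns the VIP; binds each client flow to one real server and rewrites addresses."""

    def __init__(self, vip, servers, snat_ip=None):
        self.vip = vip
        self.weights = dict(servers)            # {"10.1.1.10": 3, ...}; weights are assumed
        self._current = {ip: 0 for ip in servers}
        self.names = {ip: f"RS{i + 1}" for i, ip in enumerate(servers)}
        self.snat_ip = snat_ip                  # None keeps the client's source address
        self._next_snat_port = 40000            # assumed SNAT port range start
        self.sessions = {}   # client 5-tuple -> (server_ip, nat_src_ip, nat_src_port)
        self.reverse = {}    # (server_ip, nat_src_ip, nat_src_port) -> client 5-tuple

    def select_server(self):
        """Smooth weighted round-robin: a weight-3 server gets 3 of every 4 new flows."""
        total = sum(self.weights.values())
        for ip, weight in self.weights.items():
            self._current[ip] += weight
        best = max(self._current, key=self._current.get)   # first maximum wins ties
        self._current[best] -= total
        return best

    def client_to_server(self, pkt):
        """Inbound: look up (or create) the session entry, then NAT the destination."""
        if pkt.dst_ip != self.vip:
            raise ValueError("not addressed to the VIP; a real switch would route or drop it")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        entry = self.sessions.get(key)
        if entry is None:                       # first packet of a new flow: select a server
            server = self.select_server()
            if self.snat_ip:                    # SNAT: switch's address and a unique port
                nat_src = (self.snat_ip, self._next_snat_port)
                self._next_snat_port += 1
            else:                               # no SNAT: the server sees the real client IP
                nat_src = (pkt.src_ip, pkt.src_port)
            entry = (server, nat_src[0], nat_src[1])
            self.sessions[key] = entry
            self.reverse[entry] = key
        server, nat_ip, nat_port = entry        # later packets reuse the same binding
        return replace(pkt, src_ip=nat_ip, src_port=nat_port, dst_ip=server)

    def server_to_client(self, pkt):
        """Return path: undo the translation. Only works if the server's default gateway
        is the switch, so that its replies actually pass through here."""
        key = self.reverse.get((pkt.src_ip, pkt.dst_ip, pkt.dst_port))
        if key is None:
            raise KeyError("reply without a session entry (dropped)")
        client_ip, client_port, vip, vport, proto = key
        return replace(pkt, src_ip=vip, src_port=vport, dst_ip=client_ip, dst_port=client_port)

    def session_table(self):
        """Rows in the slide's column order: Src IP, Dest IP, Src Port, Dst Port, Server."""
        return [(k[0], v[0], k[1], k[3], self.names[v[0]]) for k, v in self.sessions.items()]


if __name__ == "__main__":
    sw = L4Switch("40.1.1.1", {"10.1.1.10": 1, "10.1.1.20": 1, "10.1.1.30": 1})
    for ip, port in (("188.1.1.100", 100), ("188.1.1.101", 250), ("188.1.1.102", 495)):
        sw.client_to_server(Packet(ip, "40.1.1.1", port, 80))
    for row in sw.session_table():
        print(row)
```

Without SNAT the server sees the client's real address, which is what makes the gateway requirement unavoidable; with SNAT the server only ever talks to the switch's address, so the gateway constraint disappears but the client address has to be conveyed at a higher layer if the application needs it.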
Slide 11: ServerIron High Availability and Stateful Failover for Total Resiliency
[Diagram: two application switches in front of the server farm (Web, Financial and ERP applications), each holding a copy of the same session table.]
Synchronized Session Table (identical on both switches):
  Source IP     Destination IP  Source Port  Destination Port  Server
  188.1.1.100   192.1.1.1       100          80                RS1
  188.1.1.100   192.1.1.1       101          80                RS2
• Session Table Synchronized Between the Two Switches
• No Loss of Service When a Switch Fails
• Second Switch Detects the Failure and Services the User Flows
• Rapid Failure Detection and Session Failover are Required
• Failover is Totally Transparent to the User
NOTE: Without Stateful Failover, an Application Switch Failure Terminates All Active User Sessions, Causing Significant Service Disruption
Slide 12: Application and Server Health Checking
• Periodic Health Check Requests Sent to Server/Application
• Server and/or Applications Marked Unavailable when Checks Fail
• Health Checks Can be Customized for Diverse Needs
  Layer 2/3 (ARP, Ping), Layer 4 (TCP and UDP messages)
  Layer 7 (HTTP, Application Specific, SSL, Scripted)
• Dedicated Processing Capacity and Resources for Health Checks on the Application Switch Ensure Rapid Detection of Failures and Failover of User Service Requests
[Diagram: the load balancer probes HTTP and FTP on each server. When one application's check fails, only that application is taken out of service on that server; when the server itself stops answering, the whole server is taken out of service.]
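An added example of the Layer 4 versus Layer 7 distinction on slide 12, written for this page and not taken from the ServerIron software. It runs a constructed local HTTP server as the "application", probes it with a TCP connect (Layer 4) and an HTTP request (Layer 7), and shows why the Layer 7 check is the one that catches an application that is broken while its TCP stack still answers. The health path `/health`, the thresholds (3 failures to mark down, 2 successes to mark up) and the use of hysteresis at all are assumptions; the slide does not state how ServerIron decides.

```python
"""Layer 4 (TCP connect) and Layer 7 (HTTP) health checks with up/down hysteresis."""
import http.server
import socket
import threading
import urllib.error
import urllib.request


class _Backend(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a real server; `status` is flipped to simulate an
    application fault while the TCP stack keeps accepting connections."""
    status = 200

    def do_GET(self):
        self.send_response(type(self).status)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):       # keep the example quiet
        pass


def start_backend():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Backend)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def tcp_check(host, port, timeout=1.0):
    """Layer 4 probe: does the port complete a TCP handshake?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(host, port, path="/health", expect=200, timeout=1.0):
    """Layer 7 probe: does the application answer the request with the expected status?"""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    try:
        with opener.open(f"http://{host}:{port}{path}", timeout=timeout) as resp:
            return resp.getcode() == expect
    except urllib.error.HTTPError as err:      # 4xx/5xx still carries a status code
        return err.code == expect
    except (urllib.error.URLError, OSError):   # refused, timed out, reset
        return False


class HealthMonitor:
    """Marks the target down after `down_after` consecutive failures and up again after
    `up_after` consecutive successes, so a single lost probe does not flap the server."""

    def __init__(self, probe, down_after=3, up_after=2):
        self.probe, self.down_after, self.up_after = probe, down_after, up_after
        self.healthy, self._fails, self._oks = True, 0, 0

    def tick(self):
        if self.probe():
            self._oks, self._fails = self._oks + 1, 0
            if not self.healthy and self._oks >= self.up_after:
                self.healthy = True
        else:
            self._fails, self._oks = self._fails + 1, 0
            if self.healthy and self._fails >= self.down_after:
                self.healthy = False
        return self.healthy


def demo():
    """Scenario: the application breaks (HTTP 500) while TCP still connects, then recovers."""
    srv = start_backend()
    host, port = srv.server_address
    l4 = HealthMonitor(lambda: tcp_check(host, port))
    l7 = HealthMonitor(lambda: http_check(host, port))
    results = {"both_up": (l4.tick(), l7.tick())}
    _Backend.status = 500
    for _ in range(3):
        l4.tick()
        l7.tick()
    results["app_broken"] = (l4.healthy, l7.healthy)   # Layer 4 stays green, Layer 7 goes red
    _Backend.status = 200
    for _ in range(2):
        l7.tick()
    results["recovered"] = l7.healthy
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

In the slide's diagram this is exactly the difference between "application taken out of service" (a Layer 7 check for that application fails) and "server taken out of service" (the Layer 3/4 checks fail too).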
Slide 13: Delayed Server Binding Concept & Benefits
• Application Switch Acts as a Connection Proxy and Delays Server Selection Until After Application Content is Received
  Server Connection Completed After Inspecting the Application Messages Received
• Server Selection Based on Layer-7 Application Content
  HTTP Header, URL, Session ID, Cookie, XML, and Others
• Eliminates the Need for Content/Service Replication on All Servers
Message sequence (client, application switch, server):
1. Client sends TCP SYN to the VIP
2. Application switch answers with SYN ACK
3. Client completes the handshake with ACK
4. Client sends the HTTP request; the switch now holds the Layer-7 content
5. Switch selects the "best" server using that Layer-7 content
6. Switch completes the connection to the selected server and the data exchange proceeds
Slide 14: Layer-7 Content Examples
• Avoid Replicating Content and Application Services on All Servers
• Distinguish Service Requests By Inspecting Content and Switching
  Simplify Content Management on Servers
  Maximize Server Utilization
  Filter Information and Prioritize
• Widely Used Content Switching Examples
  URL full, prefix and suffix match
  Browser type, device type and language code
  HTTP Cookies for Persistence and High Availability
  XML Switching (For Web Services and Protocols Using XML)
[Diagram: the URL switch inspects the IP header, TCP header and HTTP header of each client request and sends www.foo.com/*.htm (and the /home prefix) to the text content servers, www.foo.com/*.gif to the image content servers, and www.foo.com/*.bin to the CGI servers.]
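Steps 4 and 5 of slide 13 and the rule types of slide 14, as an added Python example written for this page (not ServerIron's rule syntax or code). The switch has already completed the client handshake; it reads the request, parses only the request line and headers, runs an ordered rule list, and only then returns the server to connect to. The www.foo.com patterns come from the slide; the server names, the "Mobile" user-agent rule, the round-robin inside a group and the rule ordering are assumptions.

```python
"""Delayed binding: read the client's HTTP request before choosing a server, then switch
on Layer-7 content (URL full/prefix/suffix, browser or device type)."""
from fnmatch import fnmatchcase
from itertools import cycle


def parse_http_request(raw: bytes) -> dict:
    """Parse the request line and headers of a raw HTTP/1.x request: the part the switch
    needs before it opens any server-side connection."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: keep reading from the client (under a timeout)")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": query, "version": version,
            "headers": headers, "body": body}


class ContentSwitch:
    """Ordered Layer-7 rules; the first match picks a server group, else the default group."""

    def __init__(self, groups: dict, default: str):
        self.groups = {name: cycle(servers) for name, servers in groups.items()}  # assumed RR
        self.default = default
        self.rules = []     # (label, predicate, group), evaluated in insertion order

    def url(self, pattern: str, group: str):
        """Glob over host + path: full match, prefix ("www.foo.com/home*") or suffix ("*.gif")."""
        pat = pattern.lower()
        self.rules.append((f"url {pattern}",
                           lambda r: fnmatchcase((r["headers"].get("host", "") + r["path"]).lower(), pat),
                           group))
        return self

    def header(self, name: str, substring: str, group: str):
        """Browser, device or language switching: substring match on one request header."""
        key = name.lower()
        self.rules.append((f"{key} contains {substring!r}",
                           lambda r: substring in r["headers"].get(key, ""),
                           group))
        return self

    def select(self, raw_request: bytes):
        """Slide 13 steps 4-5: inspect the request, return (group, server, matched rule).
        The server-side connection is opened only after this returns."""
        req = parse_http_request(raw_request)
        for label, predicate, group in self.rules:
            if predicate(req):
                return group, next(self.groups[group]), label
        return self.default, next(self.groups[self.default]), "default"


def build_example_switch():
    """The slide's www.foo.com rule set plus one device rule; server names are made up."""
    sw = ContentSwitch({"text": ["txt1", "txt2"], "image": ["img1"],
                        "cgi": ["cgi1"], "mobile": ["mob1"]}, default="text")
    sw.header("User-Agent", "Mobile", "mobile")            # first rule wins: order matters
    sw.url("www.foo.com/*.gif", "image").url("www.foo.com/*.bin", "cgi")
    sw.url("www.foo.com/*.htm", "text").url("www.foo.com/home*", "text")
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    print(sw.select(b"GET /images/logo.gif HTTP/1.1\r\nHost: www.foo.com\r\n\r\n"))
```

Because the switch now holds a fully established client connection before it has chosen, let alone contacted, any server, it also has to bound how long it waits for the request (the `ValueError` path above): a client that completes the handshake and then sends nothing is consuming switch state, not server state.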
Slide 15: Session Persistence Concept & Benefits
• Persistence Defined: Sticking a "User" to the Same Server
  Connections from the Same User are Not Load Distributed
  Load Distribution is Done for New Connections from New Users
• Persistence is Required when Application Transactions Span Multiple TCP Connections (Stateful Sessions)
• Unique Layer 3, 4 and 7 User Identifiers are Used for Persistence
[Diagram: one client opens five successive connections through the load balancer: 1 browse book 1, 2 add book 1 to cart, 3 browse book 2, 4 add book 2 to cart, 5 checkout cart. All five land on the same server, so transaction persistence is maintained.]
Slide 16: Session Persistence Mechanisms
• Layer 4 TCP Connection Persistence
  Source IP & Port, Destination IP & Port, Protocol
• UDP Session Persistence using Layer 3/4
  UDP is Connectionless and Requires an Aging Approach for Stateful Support
  Source IP & Port, Destination IP & Port, Protocol
  Inactivity Timeout used to Age and Clear Sessions
• Layer 7 Cookie Switching/Persistence
  Cookie Inserted in the HTTP Header (Typically by Servers)
  All Connection Requests with the Same Cookie are Switched to the Same Server
  Application Switches can Insert Cookies if Servers Do Not
• Cookie is not Visible when using SSL Connections; Requires Persistence Using Source IP or SSL Session ID
  Alternatively, SSL Termination May be Used to Make the Cookie Visible
  (Source-IP persistence degrades behind large NATs or proxies, where many users share one address and all stick to one server)
Slide 17: Load Balancing to Oracle Application Server using Cookie Switching
[Diagram: clients reach the application switch, which fronts the web servers; the Oracle database sits behind them.]
• Oracle Application Server 10g: Oracle Certification Program
  Multiple Vendor Solutions Certified in Different Configurations
• Application Switch Front Ends Web, Directory and Single Sign-On Servers, Providing High Availability and Scalability
• Best Practices Deployment of the Application Switch
  Layer 4 Stateful Load Balancing with Failover (with IP Persistence)
  Layer 7 Cookie Persistence to Web Servers
  SSL Acceleration as an Optional Function to Accelerate SSL Performance and Provide Clear Text Visibility of the HTTP Cookie
Slide 18: Load Balancing to BEA WebLogic Application Server
[Diagram: the client's request carries the BEA server cookie "Cookie: JsessionID=SessionID!rs1!rs3"; the application switch fronts the BEA WebLogic servers rs1 (primary) and rs2 (secondary), which replicate the session between them.]
• May be Deployed to Use Dynamic Session Replication
  Original Server Selects a Secondary Server for Session Replication
  Creates a Cookie String that Identifies the Primary (Original) and Secondary Servers
• Server Inserts a BEA-Specific Cookie with Primary and Secondary Server IDs in the Cookie String
• Switch Inspects the Cookie to Direct Requests to the Appropriate Server
  Request Sent to the Primary Server if it is Up
  Request Sent to the Secondary Server if the Primary Server is Down
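The persistence mechanisms of slide 16 and the WebLogic cookie routing of slide 18, as one added Python example written for this page (not ServerIron code). It covers a Layer 3/4 persistence table with the inactivity aging that UDP needs, a switch-inserted cookie for servers that set none, the fall-back to a Layer 3/4 key when the cookie cannot be seen, and the primary/secondary decision on a `SessionID!rs1!rs3`-style cookie. The cookie name `SwitchSrv`, the opaque numeric server ids, the 30-second idle timeout and the case-insensitive match on the `JSESSIONID` name are assumptions.

```python
"""Session persistence: Layer 3/4 keys with inactivity aging, switch-inserted cookies,
and WebLogic-style primary/secondary cookie routing."""
import time
from itertools import cycle


class PersistenceTable:
    """Key (any hashable: 5-tuple, source IP, SSL session ID) -> server, aged by inactivity."""

    def __init__(self, servers, idle_timeout=30.0, clock=time.monotonic):
        self.servers = list(servers)
        self._rr = cycle(self.servers)       # new users are load-balanced (assumed round-robin)
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.entries = {}                    # key -> [server, last_seen]

    def expire(self):
        """Age out entries idle longer than the timeout (the 'aging approach' UDP needs)."""
        now = self.clock()
        stale = [k for k, (_, seen) in self.entries.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def server_for(self, key):
        """Known user: same server, timer refreshed. New user: pick one and remember it."""
        self.expire()
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = [next(self._rr), 0.0]
        entry[1] = self.clock()
        return entry[0]


COOKIE_NAME = "SwitchSrv"       # assumed name for the cookie the switch inserts


def parse_cookies(header):
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def select_with_cookie(table, request_headers, fallback_key):
    """Layer 7 cookie persistence. Returns (server, Set-Cookie value or None).
    The cookie value is an opaque index, not the server address, so clients learn nothing
    about the farm, and it is honoured only if it names a real server (it is client
    controlled). With no usable cookie (first request, or TLS hiding it) fall back to the
    Layer 3/4 key and tell the switch to insert the cookie into the response."""
    value = parse_cookies(request_headers.get("cookie", "")).get(COOKIE_NAME)
    if value is not None and value.isdigit() and int(value) < len(table.servers):
        return table.servers[int(value)], None
    server = table.server_for(fallback_key)
    return server, f"{COOKIE_NAME}={table.servers.index(server)}; Path=/; HttpOnly"


def parse_weblogic_cookie(value):
    """'SessionID!rs1!rs3' -> (session, primary, secondary); either server may be absent."""
    session, *servers = value.split("!")
    primary = servers[0] if len(servers) > 0 else None
    secondary = servers[1] if len(servers) > 1 else None
    return session, primary, secondary


def route_weblogic(request_headers, healthy, cookie_name="JSESSIONID"):
    """Primary if it is up, else secondary if it is up, else None (normal load balancing)."""
    for name, value in parse_cookies(request_headers.get("cookie", "")).items():
        if name.lower() != cookie_name.lower():
            continue
        _, primary, secondary = parse_weblogic_cookie(value)
        for server in (primary, secondary):
            if server in healthy:
                return server
    return None


if __name__ == "__main__":
    headers = {"cookie": "JsessionID=SessionID!rs1!rs3"}
    print(route_weblogic(headers, {"rs1", "rs2", "rs3"}), route_weblogic(headers, {"rs2", "rs3"}))
```

Whatever the key, a persistence decision is only routing: the switch must never let a forged or replayed cookie value grant anything more than "same server as before", and when the named server is gone the request has to fall through to ordinary selection rather than be dropped.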
Slide 19: Maximizing Server Utilization and Accelerating Applications: Need for Connection Offload
[Diagram: without offload, each of two client HTTP 1.0/1.1 connections is carried through to the servers as its own connection: 1 TCP connection setup, 2 application request, 3 application response, 4 connection tear down, then 5 to 8 the same again for the next client.]
• Each New Client Connection Triggers a New Connection to the Server
• HTTP 1.0 is Even Worse: Only One GET/Reply per TCP Connection (HTTP 1.0 has no persistent connections unless both sides use the Keep-Alive extension)
• Connection Setup and Tear Down Add Significant Overhead to Servers
• Studies Show Connection Management Overhead on Servers is 30 to 40%
• Connection Overhead Slows Down Service Response Time
Slide 20: HTTP Connection Offload on Application Switches
[Diagram: the same two client HTTP 1.0/1.1 connections (setup, request, response, tear down) now terminate on the ServerIron; their requests 2-3 and 6-7 are carried over a single persistent HTTP 1.1 connection to the servers, with no TCP setup or tear down on the server side.]
• Switch Streams Many Client Connections Over a Few Server Connections
• Re-Uses the Server-Side Connection and Reduces Connection Management Overhead
• Servers See Very Few Connection Setups and Tear Downs
• Security is Improved By Eliminating Direct Client-Server TCP Interaction (the server now sees the switch as its TCP peer, so the client address has to be passed at Layer 7 if the application logs or filters on it)
• Improves Service Response Time by Making More Server Resources Available for Application Content
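The multiplexing of slides 19 and 20, as an added Python example written for this page (not the ServerIron implementation). A pool hands each client request to an idle server-side connection, reuses it when the response allows, retires it on `Connection: close` or an HTTP/1.0 reply, and rewrites the client's request so that an HTTP/1.0 client with `Connection: close` still rides a persistent HTTP/1.1 server connection. To run offline the server socket is replaced by a constructed in-memory stand-in that counts connections; the pool size, the retry-once policy on a stale pooled connection and the `Host: vip` default are assumptions.

```python
"""HTTP connection offload: many client requests multiplexed over a few reusable server
connections, counting how many TCP setups the server actually sees."""
import re
import socket


def read_response(conn):
    """Read one HTTP response. Returns (raw_bytes, reusable). Reusable only when the
    response was delimited by Content-Length, is HTTP/1.1, and did not ask to close."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection before sending headers")
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$", head)
    if m is None:                            # length unknown: read to EOF, connection is spent
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            body += chunk
        return head + b"\r\n\r\n" + body, False
    need = int(m.group(1))
    while len(body) < need:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("server closed mid-body")
        body += chunk
    lower = head.lower()
    reusable = (not lower.startswith(b"http/1.0")
                and re.search(rb"(?im)^connection:.*\bclose\b", lower) is None)
    return head + b"\r\n\r\n" + body[:need], reusable


def to_keepalive(request: bytes, default_host=b"vip") -> bytes:
    """Rewrite the client's request for the server side: force HTTP/1.1, drop any
    'Connection:' header the client sent, add Host if an HTTP/1.0 client omitted it."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _ = lines[0].split(b" ", 2)
    out = [method + b" " + target + b" HTTP/1.1"]
    out += [l for l in lines[1:] if not l.lower().startswith(b"connection:")]
    if not any(l.lower().startswith(b"host:") for l in out[1:]):
        out.append(b"Host: " + default_host)
    return b"\r\n".join(out) + sep + body


class ServerConnectionPool:
    def __init__(self, addr, dial=socket.create_connection, max_idle=8):
        self.addr, self.dial, self.max_idle = addr, dial, max_idle
        self.idle = []          # server connections free for the next client request
        self.setups = 0         # TCP handshakes the server had to perform
        self.forwarded = 0      # client requests served

    def _connect(self):
        self.setups += 1
        return self.dial(self.addr)

    def forward(self, request: bytes) -> bytes:
        """One client request in, one response out, on a borrowed server connection."""
        reused = bool(self.idle)
        conn = self.idle.pop() if reused else self._connect()
        try:
            conn.sendall(request)
            response, reusable = read_response(conn)
        except OSError:
            conn.close()
            if not reused:
                raise
            # the server idled out a pooled connection: retry once on a fresh one
            # (safe for idempotent requests only; a real proxy checks the method)
            conn = self._connect()
            conn.sendall(request)
            response, reusable = read_response(conn)
        self.forwarded += 1
        if reusable and len(self.idle) < self.max_idle:
            self.idle.append(conn)
        else:
            conn.close()
        return response


class FakeServerConn:
    """Constructed in-memory stand-in for a server socket so the example runs offline."""
    def __init__(self, script):
        self.script, self.buf, self.closed = script, b"", False

    def sendall(self, data):
        self.buf += self.script.pop(0)        # one canned response per request

    def recv(self, n):
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

    def close(self):
        self.closed = True


KEEP = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
CLOSE = b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 2\r\n\r\nok"
OLD = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"


def demo():
    """63 HTTP/1.0 client requests; the server sees 3 TCP setups, forced only by the
    Connection: close and HTTP/1.0 replies in the constructed script."""
    script = [KEEP] * 50 + [CLOSE] + [KEEP] * 10 + [OLD] + [KEEP]
    pool = ServerConnectionPool(("10.1.1.10", 80), dial=lambda addr: FakeServerConn(script))
    client_request = b"GET / HTTP/1.0\r\nHost: www.foo.com\r\nConnection: close\r\n\r\n"
    for _ in range(63):
        pool.forward(to_keepalive(client_request))
    return pool.forwarded, pool.setups


if __name__ == "__main__":
    print(demo())
```

Only one client request may be in flight on a pooled connection at a time (the pop/append around `forward` enforces that), and responses that are not length-delimited end the connection;  both are what keeps one client's response from being delivered to another client, which is the failure mode a careless multiplexer introduces.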
Slide 21: Maximizing Throughput for Bulk Transfer Applications: Direct Server Return (DSR)
[Diagram: the application switch receives client requests for VIP 40.1.1.1 and forwards them (1) through a Layer-2 switch to servers 10.1.1.10, 10.1.1.20 and 10.1.1.30; each server carries the VIP on a loopback interface, so its reply (2, 3) goes straight back to the client and bypasses the application switch.]
Server Loopback IP = Load Balancer VIP
• Maximizing Throughput Requires Switching Traffic at Wire-Speed
• Return Traffic in Direct Server Return Mode Bypasses the Application Switch
• Inbound Requests are Received and Distributed by the Application Switch
• Ideal for Bulk Transfer Applications Like
  Streaming Media
  FTP
  E-Mail
Because the servers hold the VIP on loopback, they must be configured not to answer ARP for it on the shared segment (otherwise they compete with the switch for the VIP), and the switch forwards by rewriting the destination MAC rather than the IP. Since the switch never sees the return traffic, the Layer-7 response-side functions of the previous slides do not apply in this mode.
Slide 22: Key Server Farm and Application Security Functions
[Diagram: legitimate traffic from a legitimate client and a multi-gigabit-rate denial of service attack from a hacker both arrive at the application switch (virtual application infrastructure); only the legitimate traffic reaches the mission-critical application servers, the attack's application messages are blocked.]
• Denial of Service Attack Protection from SYN and ACK Floods
• Application Level Rate Limiting of Server and Client Connections
• SPAM Protection and Mitigation
• Always-On Traffic Monitoring and Network Visibility
• Virus and Worm Protection with Content Inspection and Filtering
• High Performance ACL and NAT
Security without Sacrifice: Peak Application Performance Under Attack
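Two of the connection-level defences listed on slide 22, per-client connection rate limiting and protection against half-open (SYN) floods, as an added Python example written for this page; the slide names the functions but not ServerIron's mechanisms, so the token bucket, the per-source half-open cap, the SYN timeout and every number below are assumptions. The trace it runs over is constructed, not captured traffic: one legitimate client that completes its handshakes, one burst attacker and one slow attacker that never sends the final ACK.

```python
"""Per-source SYN rate limiting and half-open connection caps over a constructed trace."""
from collections import defaultdict


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SynGuard:
    """Two checks applied to a new connection before any server is touched: a per-source
    token bucket on SYNs (rate limit) and a per-source cap on half-open handshakes
    (SYN seen, ACK never arrived), with the half-open entries aging out."""

    def __init__(self, rate=5.0, burst=10, max_half_open=20, syn_timeout=30.0):
        self.rate, self.burst = rate, burst
        self.max_half_open, self.syn_timeout = max_half_open, syn_timeout
        self.buckets = {}
        self.half_open = defaultdict(dict)      # src -> {sport: time of SYN}
        self.stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})

    def _purge(self, src, now):
        pending = self.half_open[src]
        for sport, seen in list(pending.items()):
            if now - seen > self.syn_timeout:
                del pending[sport]

    def on_syn(self, src, sport, now):
        self._purge(src, now)
        bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst))
        # half-open cap is checked first so a capped source does not burn tokens
        if len(self.half_open[src]) >= self.max_half_open or not bucket.allow(now):
            self.stats[src]["dropped"] += 1
            return False
        self.half_open[src][sport] = now
        self.stats[src]["accepted"] += 1
        return True

    def on_ack(self, src, sport, now):
        """Third packet of the handshake: the connection is no longer half-open."""
        return self.half_open[src].pop(sport, None) is not None


def build_trace():
    """Constructed (time, event, src, sport) events; not captured traffic."""
    trace = []
    for i in range(3):                                   # legitimate client, handshakes complete
        trace.append((0.1 * i, "syn", "10.0.0.5", 50000 + i))
        trace.append((0.1 * i + 0.01, "ack", "10.0.0.5", 50000 + i))
    for i in range(100):                                 # burst flood: 100 SYNs in 0.1 s, no ACKs
        trace.append((1.0 + 0.001 * i, "syn", "203.0.113.9", 1024 + i))
    for i in range(30):                                  # slow flood: under the rate, never completes
        trace.append((2.0 + 0.5 * i, "syn", "198.51.100.7", 2000 + i))
    return sorted(trace)


def run(trace=None, guard=None):
    """Replay the trace; return per-source accept/drop counts and remaining half-open count."""
    guard = guard or SynGuard()
    for now, event, src, sport in (trace or build_trace()):
        if event == "syn":
            guard.on_syn(src, sport, now)
        else:
            guard.on_ack(src, sport, now)
    stats = {src: dict(s) for src, s in guard.stats.items()}
    half_open = {src: len(p) for src, p in guard.half_open.items()}
    return stats, half_open


if __name__ == "__main__":
    for src, s in run()[0].items():
        print(src, s)
```

The burst attacker is stopped by the rate limit (10 accepted, the bucket's burst, then 90 dropped) and the slow attacker, who stays under the rate, by the half-open cap (20 accepted, 10 dropped). Both defences key on the source address, so they do nothing against a flood with spoofed sources; that case is what stateless SYN-cookie style handling, which the slide's "SYN flood protection" presumably also covers but does not describe, is for.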
Slide 23: Agenda (repeated)
Slide 24: Improve Return on Server Investment
[Diagram: clients on the IP network reach the application switching layer (virtual application infrastructure), which distributes load across a server farm of web application servers of varying capacity.]
• Use Servers of Varying Capacity and Performance
  Investment Protection in Servers
  Add Required Server Capacity On-Demand
• Application Switches Distribute Requests by Server Weight (Capacity)
• Leverage Installed Servers: Avoid Forklift Upgrades
• Optimize Capital Cost by Using Diverse Vendors
Slide 25: Ease Server Farm Management and Operations
[Diagram: a new server is added to the farm on demand and another is removed for maintenance, with clients unaffected behind the application switching layer.]
• Scale Server Capacity On-Demand
• Transparently Add and Remove Servers and Applications
  Server Slow-Start Prevents Overwhelming New Servers when Brought Online
  Graceful Shutdown Ensures Successful Completion of User Sessions Prior to De-Commissioning a Server/Application
• Server Maintenance and Application Software Patching No Longer Require Scheduled Downtime
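Slow-start and graceful shutdown from slide 25, as an added Python example written for this page (not ServerIron code). A newly online server's effective weight ramps up over time; a draining server takes no new sessions but keeps the ones it has until they end, at which point it is safe to patch or decommission. Selection is weighted least-connections, one of the configurable methods, so the ramp is visible in how many new sessions the new server receives. The 60-second ramp, the 10% starting weight and the session names are assumptions.

```python
"""Slow-start for servers joining the farm and graceful drain for servers leaving it."""
import time


class FarmMember:
    ACTIVE, DRAINING, OUT = "active", "draining", "out"

    def __init__(self, name, weight=1):
        self.name, self.weight = name, weight
        self.state, self.online_since = self.OUT, None
        self.sessions = set()

    def bring_online(self, now):
        self.state, self.online_since = self.ACTIVE, now

    def drain(self):
        """Stop taking new sessions; existing ones run to completion."""
        self.state = self.DRAINING

    def effective_weight(self, now, ramp=60.0):
        """Slow-start: ramp from 10% to full weight over `ramp` seconds after coming
        online (both numbers are assumptions; the slide gives none)."""
        if self.state != self.ACTIVE:
            return 0.0
        fraction = min(1.0, (now - self.online_since) / ramp)
        return self.weight * max(0.1, fraction)


class ServerFarm:
    """Weighted least-connections selection that respects slow-start and drain."""

    def __init__(self, members, clock=time.monotonic):
        self.members = {m.name: m for m in members}
        self.clock = clock
        self.bindings = {}      # session key -> member name

    def assign(self, session_key):
        now = self.clock()
        name = self.bindings.get(session_key)
        if name is not None:
            member = self.members[name]
            if member.state != FarmMember.OUT:
                return name     # existing session keeps its server, even while draining
            member.sessions.discard(session_key)   # server vanished mid-session: re-bind
        best, best_load = None, None
        for member in self.members.values():
            weight = member.effective_weight(now)
            if weight <= 0:
                continue        # draining or out: no new sessions
            load = len(member.sessions) / weight
            if best is None or load < best_load:
                best, best_load = member, load
        if best is None:
            raise RuntimeError("no server available for new sessions")
        best.sessions.add(session_key)
        self.bindings[session_key] = best.name
        return best.name

    def end_session(self, session_key):
        name = self.bindings.pop(session_key, None)
        if name is None:
            return
        member = self.members[name]
        member.sessions.discard(session_key)
        if member.state == FarmMember.DRAINING and not member.sessions:
            member.state = FarmMember.OUT      # last session gone: safe to patch/remove


def demo():
    """Old server carrying 10 sessions; a new one joins, ramps up, then the old one drains."""
    clock = [0.0]
    old, new = FarmMember("old"), FarmMember("new")
    farm = ServerFarm([old, new], clock=lambda: clock[0])
    old.bring_online(0.0)
    clock[0] = 600.0
    for i in range(10):
        farm.assign(("client", i))            # new is not online yet: all land on old
    new.bring_online(600.0)                   # joins at 10% effective weight
    early = [farm.assign(("client", 10 + i)) for i in range(10)]
    clock[0] = 700.0                          # ramp finished
    late = [farm.assign(("client", 20 + i)) for i in range(10)]
    old.drain()                               # remove for maintenance
    after_drain = [farm.assign(("client", 30 + i)) for i in range(5)]
    sticky = farm.assign(("client", 0))       # existing session stays on the draining server
    for i in range(30):
        farm.end_session(("client", i))
    return early.count("new"), late.count("new"), after_drain, sticky, old.state


if __name__ == "__main__":
    print(demo())
```

The same state machine is what makes "patching without scheduled downtime" honest: a server is only declared out once the switch has seen its last session end, not when an operator decides it is probably idle.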
Slide 26: Differentiated Services and Application QoS
[Diagram: the application switch inspects content to identify the user class and switches gold users to the gold servers and silver users to the silver servers.]
• Differentiate Application Users with Layer 4-7 Application Intelligence
• Customize Performance, Response Time and Service Offerings for Diverse User Needs
• Application Switches can Differentiate Clients Using
  Cookies, XML Tags, Application Level Identifiers
  Source IP based Access Policy Lists
(A cookie or tag is supplied by the client, so a class identifier that buys better service has to be set by the server and protected against tampering, or any user can promote themselves to the gold servers.)
Slide 27: Summary: Optimizing Applications
• Business-Critical Application Infrastructure Requires
  High Availability
  Security
  Accelerated Performance
  Scalability for Growth
  Best ROI
• Application Switching Uses Higher-Layer Intelligence to
  Protect IP and Web Services from Downtime Due to Failures
  Improve Service Response Time by Offloading Servers
  Offer On-Demand Scalability for Growth
  Secure Server Farms and Applications
Slide 28: Agenda (repeated)
Slide 29: Three Layer 4-7 Product Approaches
• Plug-in L4-7 blade for L2-3 switches
  Pro: Leverages an existing system
  Con: Complex to understand flows, performance bottleneck, lag in functionality
• Purpose-built L4-7 Switch (Foundry)
  Pro: Performance, Scalability, Functionality and Simplicity
  Con: A new product to install
• Software on a PC (or PC with Switch)
  Pro: Feature Flexibility
  Con: Poor performance and scalability, inadequate security, limited availability, hard disks, forklift replacements as needs change
Slide 30: Foundry ServerIron Layer 4-7 Application Switches
• 6 Years of Layer 4-7 Innovation and Leadership
• Globally 500,000+ Cumulative Ports Installed
• Industry Records in Performance and Security
  Highest Application Connections/Second
  Up to 300,000 Layer 4 Connections per Second @ 1K Object Response
  Up to 100,000 Layer 7 Connections per Second @ 1K Object Response
  Multi-Gigabit Rate Wire-Speed Denial of Service (DoS) Protection
  Scalable up to 15 Million Attack Packets per Second (Wire-Speed 10 Gig Rate)
  Scalable to 12 Gbps of Application Throughput
  Even More Application Throughput with Direct Server Return Mode
  Wire-Speed Layer 2/3 Switching Throughput
• Highly Scalable and Comprehensive Product Line
  Range of Products for Entry Level, Mid Range and High Performance Needs
  N+I Tokyo 2004 "Best Enterprise Infrastructure" Product Award
Slide 31: Industry's Most Complete Application Switching Solution
[Chart 1, L4-7 application switches: price (10K, 15K, 25K, 35K, 45K) against relative performance (1x, 3x, 6x, 8x, 15x; the 15x point with optional dual WSM6). Products plotted: SI 450, SI 850, XL-16, XL-24, GT-EGx2, GT-EGx4P, GT-EGC16, GT-E2404, GT-E10Gx2. Tiers labelled on the chart: Entry-Level (essential features and best price, pre-configured/fixed configuration); Expandable, feature-rich, "stackable pricing"; High-performance, highly scalable modular chassis.]
[Chart 2, web accelerators (fixed configuration): SA-200, SA-400, SA-800 and SA-F400 at relative L4 CPS and SSL performance of 1x, 25x and 50x.]
Thank You