
Integrating Citrix NetScaler in Cisco Data Center

BRKAPP-2032, January 2014

Jeff Ostermiller, CCIE #5402, Technology Solution Architect, Data Center Architecture
[email protected]

© 2014 Cisco and/or its affiliates. All rights reserved. BRKAPP-2032 Cisco Public

Speaker: Jeff Ostermiller, CCIE #5402, Technology Solution Architect, Data Center Architecture, @jostermi, [email protected]

Abstract

This is an in-depth technical discussion of application load balancing. The session focuses on deployment in the following key areas:

– Insertion methods for physical and virtual load balancers
– Basic load balancer configurations
– Migration methods from existing load balancers to the next-generation products from Citrix NetScaler

This session is intended for IT administrators and network architects who need to deploy application load balancing to meet business requirements.

Agenda

• Data Center Design Evolution

• NetScaler Basics

• ADC Design Integration

• NetScaler Layer 4 Load Balancing

• NetScaler Content Switching

• NetScaler Handling SSL


Acronym Slide

• ADC - Application Delivery Controller
• MPX – Multi-Core Processor Edition (hardware appliance)
• VPX - Virtualized ADC
• SDX – Service Delivery Edition (hardware appliance)
• MCEC - Multi-chassis EtherChannel
• LACP - Link Aggregation Control Protocol
• vPC - Virtual Port Channel
• vPC+ - Virtual Port Channel using FabricPath between the peer nodes
• Leaf - access node used for end-node attachment
• Spine - interconnects all leaf nodes

Citrix NetScaler Master Class

NetScaler training options: http://training.citrix.com

NetScaler Master Class training link: http://www.citrix.com/events/netscaler-master-class.html

On-demand webinars:
• NetScaler Master Class, April 2014: Taking Advantage of NetScaler High Availability
• NetScaler Master Class, February 2014: Recommended tips and tricks - things to enable on NetScaler to make your life easier
• NetScaler Master Class, November 2013: NetScaler 101 – Content Switching
• NetScaler Master Class, October 2013: NetScaler really useful tips - things everyone should know
• NetScaler Master Class, September 2013: NetScaler overview: Features, functionality and benefits

Nuggets from Master Class on CLI

Setting the prompt (hostname, user and time):

    > set cli prompt %h-%u-%T
    Done
    ns1-nsroot-03:08>

Color output:

    > set cli mode -color on

    Log messages - GREEN
    Error messages - RED
    Config syntax - BLACK

Scoped configuration: at the "config network interface 1/2>" prompt only the commands that apply to that interface are shown.

Useful CLI commands:

    show runningconfig
    show ns ns.conf
    show info
    show ns config
    show license
    show conn -summary

Data Center Design Evolution


Evolution of Data Center

(figure: three phases, each layering compute, storage, services and an L2/L3 network)

Distributed
• Manual provisioning
• Limited scaling
• Rack-wide VM mobility

Fabric Based Cloud
• Policy-based provisioning
• Scale physical and virtual/cloud
• DC-wide / cross-DC VM mobility

Application Driven (Integrated Fabric & Cloud, World of Many Clouds)
• Service-centric provisioning
• Flexible – anywhere, anytime
• Cross-cloud VM mobility
• Programmable, provisionable fabric underneath monitoring, provisioning, networking and end-user apps

Services, Services, Services ....

• Insertion of services fundamentally drives the logical design (both L2 and L3) within the data center
– Firewalls, application firewalls
– Application Delivery Controllers
– IDS/IPS
– Client routing
• Industry transition underway from physical resources to virtualized resources
• How should we provide logical connectivity between data centers with services?

Data Center Based Topologies with Services

(figure: spine/leaf fabric with a border leaf, a services leaf and server leaves; N7K1/N7K2 pair toward the L3 core; vPC domains 1-3 toward FEX and UCS access, all dual-attached with vPC)

Where and how to implement services?

• Service insertion {load balancing, firewalling, ...} fundamentally drives the logical design (both L2 and L3) within the data center
• Design decisions
– Routed services
– Bridged services
– Proxy services
– Physical services
– Virtualized services
– Chained services

(figure: WAN edge / DCI, core, services and aggregation/access layers with 4x10GE uplinks, compute and storage)

Multi-Chassis EtherChannel (MCEC) – vPC, Virtual Port Channel

• vPC allows a single device to use a port channel across two neighbor switches (vPC peers); Layer 2 port channel only
• Eliminates STP blocked ports and reduces STP complexity (do not disable STP)
• Uses all available uplink bandwidth - enables dual-homed servers to operate in active-active mode
• Provides fast convergence upon link/device failure
• If HSRP is enabled, both vPC devices are active on the forwarding plane

    ! Enable vPC on the switch
    NX-OS(config)# feature vpc
    ! Check the feature status
    NX-OS(config)# show feature | include vpc
    vpc                    1          enabled

Virtual Port Channel – vPC Design Considerations – Orphan Ports

• Orphan ports are single-homed ports on a member of the vPC pair
• In the event of loss of the vPC peer-link, all vPC ports on the secondary vPC switch are shut down to prevent topology problems
• Non-vPC (orphan) ports are left active
• Potential to isolate orphan ports, which could affect failover of services nodes: the service node still sees its link up, so link-based HA monitoring does not react, while the vPC VLANs behind that port are suspended on the secondary

Design options based on failure conditions

1. For service nodes, configure orphan ports to be shut down as well as the vPC ports on the secondary ("vpc orphan-port suspend")
2. Provide a secondary uplink or switch-to-switch link for the orphan-port VLAN (requires the use of a distinct VLAN for orphan and vPC ports)

Orphan ports remain active on the vPC secondary by default during a failure of the peer-link.

vPC Design Rule #1 – ALWAYS dual-home devices to a vPC domain
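The failure the slide warns about is easiest to see by running its rules through a small model. The following is an added example (not from the deck, and not NX-OS or NetScaler code): it encodes the peer-link failure behavior stated above, the effect of "vpc orphan-port suspend" (design option 1), and the fact that NetScaler link-based HA monitoring can only react to an interface it actually sees go down. The topology names, the three scenarios and the HA rule are assumptions made for illustration.

```python
"""Behaviour of a service node's uplinks when the vPC peer-link fails.

Added example, not part of the BRKAPP-2032 deck or of NX-OS: it models the rules the
slide states (the secondary suspends its vPC member ports, orphan ports stay up unless
'vpc orphan-port suspend' is set) so the two design options can be compared. The
topology, names and the HA rule below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Uplink:
    """One NetScaler uplink toward the vPC pair."""
    peer: str                     # "primary" or "secondary": vPC role of the switch it lands on
    vpc_member: bool              # True: member of a vPC port-channel; False: orphan (single-homed)
    orphan_suspend: bool = False  # NX-OS 'vpc orphan-port suspend' configured on that orphan port


@dataclass(frozen=True)
class UplinkState:
    link_up: bool     # what the NetScaler interface sees (what HA link monitoring acts on)
    forwarding: bool  # whether frames on the vPC VLANs actually reach the rest of the fabric


def after_peer_link_failure(uplink: Uplink, keepalive_ok: bool = True) -> UplinkState:
    """State of one uplink once the vPC peer-link is down.

    With the peer-keepalive still alive, the pair avoids a split brain by having the
    secondary suspend its vPC member ports; the primary keeps forwarding normally.
    """
    if uplink.peer == "primary" or not keepalive_ok:
        # Primary keeps forwarding. (Keepalive also lost = dual-active, not modelled here.)
        return UplinkState(link_up=True, forwarding=True)
    if uplink.vpc_member:
        # Secondary shuts its vPC member ports: the NetScaler sees the link go down.
        return UplinkState(link_up=False, forwarding=False)
    if uplink.orphan_suspend:
        # Design option 1: the orphan port is suspended together with the vPC ports.
        return UplinkState(link_up=False, forwarding=False)
    # Default: the orphan port stays up, but the secondary has suspended the vPC VLANs
    # behind it and has no peer-link to reach the primary, so the port is black-holed.
    return UplinkState(link_up=True, forwarding=False)


def evaluate(uplinks: List[Uplink]) -> dict:
    """What a NetScaler with the given uplinks (one LACP channel) experiences afterwards."""
    states = [after_peer_link_failure(u) for u in uplinks]
    interface_up = any(s.link_up for s in states)   # a channel is up while any member is up
    forwarding = any(s.forwarding for s in states)
    return {
        "interface_up": interface_up,
        "forwarding": forwarding,
        # Link-based HA monitoring only reacts to an interface that is really down;
        # "up but black-holed" is invisible to it, so no failover is triggered.
        "ha_sees_failure": not interface_up,
        "black_holed": interface_up and not forwarding,
    }


# Constructed scenarios: design rule #1, the default orphan behaviour, and option 1.
DUAL_HOMED = [Uplink("primary", vpc_member=True), Uplink("secondary", vpc_member=True)]
ORPHAN_ON_SECONDARY = [Uplink("secondary", vpc_member=False)]
ORPHAN_SUSPENDED = [Uplink("secondary", vpc_member=False, orphan_suspend=True)]

if __name__ == "__main__":
    for name, links in [("dual-homed vPC", DUAL_HOMED),
                        ("orphan on secondary", ORPHAN_ON_SECONDARY),
                        ("orphan on secondary + orphan-port suspend", ORPHAN_SUSPENDED)]:
        print(f"{name}: {evaluate(links)}")
```

The middle scenario is the dangerous one: the service node keeps an "up" interface, HA does nothing, and traffic on that port goes nowhere until the peer-link recovers.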

vPC Based Data Center Physical Services Insertion

(figure: N7K1/N7K2 vPC pair with an L3 link to the L3 core and CE L2 links down to vPC domains 1 and 3 with FEX; the appliance attaches into this fabric)

• If the appliance supports LACP
– Connect the appliance to both core switches
– Use LACP negotiation
• If the appliance does not support LACP
– Connect the appliance to a single core switch
– Decide on failure behavior
– Determine the proper orphan-port behavior required

NetScaler Basics


Cisco & Citrix Product Break-out

(figure: current Citrix NetScaler architecture on an x86 platform - VPX (virtual), MPX (hardware appliance), SDX (hardware appliance) - and the Cisco product NetScaler 1000V on the Nexus 1110)

NetScaler 1000V = VPX with Cisco-competing features disabled and a vPath toggle

1. Cisco-competing features that have been disabled:
• Citrix Branch Repeater (now CloudBridge)
• NetScaler CloudConnectors
• Citrix Access Gateway EE SSL VPN (now NetScaler Gateway)
2. Throughputs: 10M, 200M, 500M, 1G, 2G, 3G and 4G (with and without clustering)
3. Ability to enable/disable (toggle) vPath; disabling vPath allows you to load balance physical servers
4. 141 SKUs now orderable on Cisco's Global Price List (GPL); includes ALL upgrade SKUs
5. Since vPath is optional, the Nexus 1000V is also now optional

NetScaler 1000V and Cloud Services Portfolio

(figure: NetScaler 1000V running as a VM on any hypervisor behind the Nexus 1000V vPath, or on the Nexus 1100 Series Cloud Services Platform; the 1110-X is 10G-enabled, with an SSL FRU planned for Q2CY14)

• Sold and supported exclusively by Cisco
• Integrated with the Nexus 1100 Series Cloud Services Platform (CSP)
• Part of the Cisco Validated Design – VMDC Virtual Services Architecture (VSA) 1.0 release
• vPath and Nexus 1000V are both optional
• Citrix NetScaler 1000V runs on ESXi or on the Nexus 1100 Series

NetScaler 1000V Editions

• Standard Edition – comprehensive L4-7 load balancing that optimizes expensive server and network resources to reduce cost
• Enterprise Edition – web application delivery solution providing advanced traffic management and powerful application acceleration
• Platinum Edition – web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest performance and lowest cost

When to Use Which?

Physical appliances
• Gig+ performance
• High-volume SSL offload
• High SSL TPS
• High I/O / packets per second
• FIPS requirements
• Physical device security

Virtual appliances
• Labs/test environments
• Development environments
• "Datacenter-in-a-box"
• CPU-intensive workloads
• Frequently moved apps
• Fast/remote deployment

NetScaler Licensed Features

In the GUI: System -> Licensed Features. From the CLI:

    mpx502-2> show license
    License status:
    Web Logging: YES
    Surge Protection: YES
    Load Balancing: YES
    Content Switching: YES
    Cache Redirection: YES
    Sure Connect: YES
    Compression Control: YES
    [omitted]
    Appflow for ICA: YES
    Vpath: NO
    RISE: YES
    Model Number ID: 20500
    License Type: Platinum License

NetScaler Enabling Features

Features are enabled in the GUI or with "enable ns feature <name>"; "show info" lists the current feature and mode status (excerpt):

    mpx502-2> show info
    NetScaler NS10.1: Build 124.1308.e.nc, Date: Mar 28 2014, 14:52:35
    NetScaler IP: 10.90.14.217 (mask: 255.255.255.128)

    Feature                           Acronym      Status
    3)  Load Balancing                LB           ON
    4)  Content Switching             CS           OFF
    9)  SSL Offloading                SSL          OFF
    30) Vpath                         Vpath        OFF
    31) RISE                          RISE         ON

    Mode                              Acronym      Status
    1)  Fast Ramp                     FR           ON
    3)  Use Source IP                 USIP         OFF
    8)  Use Subnet IP                 USNIP        ON
    9)  Layer 3 mode (ip forwarding)  L3           ON
    16) Bridge BPDUs                  BridgeBPDUs  OFF
    17) RISE APBR Advertisement       RISE_APBR    ON
    18) RISE RHI Advertisement        RISE_RHI     OFF

Differences between ACE and VPX

• VPX instances are similar to ACE contexts and are managed independently of each other.
• ACLs are applied globally in order of priority and have to be named uniquely. Each ACL carries its own ALLOW/DENY/BRIDGE action and there is no implicit 'deny' at the end of the list: a packet that matches no ACL is processed normally. Lower priority numbers are evaluated first.
• There is no concept of an alias address. Each node has its own unique NSIP; the HA pair shares the same SNIP and VIP addresses, which the secondary holds in standby.
• Monitor probes are sent only from the primary node.
• The management (NSIP) address is used for HA heartbeats instead of an FT link and FT state.
• Syslog messages are defined differently on VPX. The logging level has to be 'Notice' instead of 'Informational' to generate link-failure logs.

Packet Forwarding Modes

• L2 – bridge mode
• L3 – routed mode
– Static routes
– Dynamic routes
– Policy-based routing (PBR)
• MBF – MAC-based forwarding – when return packets need to go back to the same device they came from
– Firewall / IDS / Branch Repeater load balancing

Packet Forwarding Modes – Flow Chart (figure only)

VLANs

• Default VLAN
• Port-based VLAN
• 802.1q tagging support
• Ingress processing
– If the frame is untagged or the tag = 0, the VLAN is set to the Port VLAN ID (PVID)
– If the tag is 0xFFF (reserved) or a VLAN ID that is not bound to the interface, the frame is dropped
• Layer 3 VLANs
• NSVLAN – management VLAN for the NetScaler (the VLAN the NSIP is bound to)

Bridge Groups

• Bind multiple VLANs together to form a bridge group
• All member VLANs become part of the same broadcast domain
• Layer 3 functionality is supported on bridge groups

    add bridgegroup <id>
    bind bridgegroup <id> -vlan <positive_integer>

Spanning Tree Protocol

• Host-type behavior: by default the appliance does not switch packets between interfaces in the same VLAN, so a Layer 2 loop cannot exist. Configure the upstream switch ports as edge ports:
– spanning-tree port type edge trunk (NX-OS)
– spanning-tree portfast trunk (IOS)
• In cases where L2 mode on the appliance must be enabled, the behavior is the same as the Cisco ACE 4710:
– The appliance does not participate in the spanning tree
– With BridgeBPDUs mode OFF (the default), the NetScaler appliance drops all BPDUs received on an interface
– If BPDUs must pass through the NetScaler, BridgeBPDUs mode must be enabled

NetScaler Address Management

• NSIP = NetScaler IP
– Set in the initial configuration
– Management IP for the NetScaler system
• VIPs = Virtual IPs
– Normal method for configuring explicit services
• SNIP = Subnet IPs (proxy address)
– Source address the NetScaler uses toward the servers; this address can also be used to manage the NetScaler
• IPs for VLANs
– add vlan <id>
– bind vlan <id> -IPAddress <IP> <netmask>
– Another form of SNIP

Managing Subnet IPs (SNIP)

• If the NetScaler has to communicate directly with an IP in a subnet different from the subnet of the NSIP, a subnet IP has to be created:
– add ns ip <IPAddress> <netmask>
creates an IP on the NetScaler in that subnet
• SNIPs are easily removed:
– rm ns ip <IPAddress>
• Use Subnet IP (USNIP) mode allows SNIPs to be used as MIPs, i.e. as the source address of server-side connections
• Without USNIP mode enabled, subnet IPs are like additional NSIPs

Managing Subnet IPs (SNIP), continued

• IP addresses are added with a single command:
    add ns ip <IPAddress> <netmask> -type <type>
creates an IP on the NetScaler in that subnet
• Type can be VIP or SNIP
• Management features can be enabled selectively on a SNIP

    > show ip
            Ipaddress        Type          Mode    Arp      Icmp     Vserver  State
            ---------        ----          ----    ---      ----     -------  -----
    1)      12.178.35.145    NetScaler IP  Active  Enabled  Enabled  NA       Enabled
    2)      10.10.1.146      Subnet IP     Active  Enabled  Enabled  NA       Enabled
    3)      12.178.35.147    VIP           Active  Enabled  Enabled  Enabled  Enabled
    4)      12.178.35.148    VIP           Active  Enabled  Enabled  Enabled  Enabled

(figure: the NetScaler presents the NSIP toward management, a SNIP toward the servers and the VIP toward the clients)
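As an added example (not from the deck and not Citrix code), the following parses "show ip" output in the format above into records and then applies one hardening check a practitioner would want: a NetScaler IP that shares a subnet with a VIP is a management address reachable from the client-facing subnet. The table is the slide's output retyped; since "show ip" prints no mask, the /24 prefix used by the check is an assumption, and the optional TD column (printed by the newer build shown later in the deck) is handled as well.

```python
"""Parse NetScaler 'show ip' output and check where the management address lives.

Added example, not from the BRKAPP-2032 deck or from Citrix: the parser handles the
column layout shown above (with or without the TD column that newer builds print),
and the check flags a NetScaler IP that shares a subnet with a client-facing VIP.
SAMPLE is the table from the slide, retyped; the /24 prefix is an assumption, since
'show ip' prints no mask.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE = """\
        Ipaddress        Type          Mode    Arp      Icmp     Vserver  State
        ---------        ----          ----    ---      ----     -------  -----
1)      12.178.35.145    NetScaler IP  Active  Enabled  Enabled  NA       Enabled
2)      10.10.1.146      Subnet IP     Active  Enabled  Enabled  NA       Enabled
3)      12.178.35.147    VIP           Active  Enabled  Enabled  Enabled  Enabled
4)      12.178.35.148    VIP           Active  Enabled  Enabled  Enabled  Enabled
"""

# One table row: index, address, optional traffic-domain id, multi-word type, flags.
ROW = re.compile(
    r"^\d+\)\s*(?P<ip>\S+)\s+(?:(?P<td>\d+)\s+)?"
    r"(?P<type>NetScaler IP|Subnet IP|SNIP|VIP|MIP)\s+"
    r"(?P<mode>\S+)\s+(?P<arp>\S+)\s+(?P<icmp>\S+)\s+(?P<vserver>\S+)\s+(?P<state>\S+)"
)


@dataclass(frozen=True)
class NsIp:
    ip: str
    kind: str      # "NetScaler IP", "Subnet IP"/"SNIP" or "VIP"
    arp: bool
    icmp: bool
    enabled: bool


def parse_show_ip(text: str) -> List[NsIp]:
    """Turn the 'show ip' table into records; header, separator and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows.append(NsIp(ip=m["ip"], kind=m["type"],
                         arp=m["arp"] == "Enabled", icmp=m["icmp"] == "Enabled",
                         enabled=m["state"] == "Enabled"))
    return rows


def nsip_on_vip_subnet(rows: List[NsIp], prefixlen: int = 24) -> List[Tuple[str, str]]:
    """(NSIP, VIP) pairs that fall in the same subnet under an assumed prefix length.

    Any hit means the management address answers on the same L2/L3 segment clients
    reach the VIP on; the deck's own recommendation is a dedicated NSVLAN for the NSIP.
    """
    nsips = [r for r in rows if r.kind == "NetScaler IP"]
    vips = [r for r in rows if r.kind == "VIP"]
    hits = []
    for n in nsips:
        net = ipaddress.ip_network(f"{n.ip}/{prefixlen}", strict=False)
        for v in vips:
            if ipaddress.ip_address(v.ip) in net:
                hits.append((n.ip, v.ip))
    return hits


if __name__ == "__main__":
    rows = parse_show_ip(SAMPLE)
    for r in rows:
        print(r)
    print("NSIP reachable from a VIP subnet:", nsip_on_vip_subnet(rows))
```

On the slide's own table the check fires twice: the NSIP 12.178.35.145 sits next to the two VIPs 12.178.35.147 and .148 if that subnet is a /24, while the SNIP 10.10.1.146 is on a separate server-side network.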

Expanded IPv6 Support

• Native IPv6 support
• IPv4 – IPv6 gateway
• Supports mixed IPv4 and IPv6 deployments
• Facilitates the transition from IPv4 to IPv6
• 6-to-4 or 4-to-6 requires a SNIP

(figure: mixed IPv4/IPv6 support)

VLANs and Interfaces

• VLANs and interfaces are not handled the way we normally think about them on a switch
• Binding interfaces to VLANs: by default all IPs are available via all interfaces. Bind the NSIP to the NSVLAN and SNIPs to their VLANs; otherwise the management address answers on every VLAN the appliance touches.

Link Aggregation

• Manual
• LACP – Link Aggregation Control Protocol
• Hashing for distribution based on a combination of SrcIP, DstIP, SrcPort and DstPort
• Maximum of four channels supported

    add channel <id> [-ifnum <interfaceName> ...] [-state ( ENABLED | DISABLED )] [-speed <speed>]
        [-flowControl <flowControl>] [-haMonitor ( ON | OFF )] [-tagall ( ON | OFF )] [-ifAlias <string>]
        [-throughput <positive_integer>] [-bandwidthHigh <positive_integer> [-bandwidthNormal <positive_integer>]]

    set interface <id> [-lacpMode ( DISABLED | ACTIVE | PASSIVE )] [-lacpKey <positive_integer>]
        [-lacpPriority <positive_integer>] [-lacpTimeout ( LONG | SHORT )]

http://support.citrix.com/proddocs/topic/netscaler-advanced-networking-92-map/ns-nw-interfaces-stng-the-nw-intrfcs-params-tsk.html

Static Routing

• ECMP support
– Hashing based on SrcIP + DstIP is used to distribute the load
– Weights can be assigned
• Static route monitors
– PING
– ARP – IPv4
– ND6 – IPv6
• A static route is marked as down if the subnet on which the next hop resides is unreachable

    add route <network> <netmask> <gateway> [-cost <positive_integer>] [-advertise ( DISABLED | ENABLED )]
    add route <network> <netmask> <gateway> [-distance <positive_integer>] [-weight <positive_integer>]
        [-msr ( ENABLED | DISABLED ) [-monitor <string>]]
    rm route <network> <netmask> <gateway>

Dynamic Routing

• Supported protocols (for IPv4 and IPv6)
– Routing Information Protocol (RIP) version 2
– Open Shortest Path First (OSPF) version 2
– Border Gateway Protocol (BGP)
– Routing Information Protocol next generation (RIPng) for IPv6
– Open Shortest Path First (OSPF) version 3 for IPv6
– IS-IS
• Configuration through the NetScaler CLI or vtysh (recommended)
• In an HA setup the primary runs the routing protocols and updates the secondary

    enable ns feature RIP|OSPF|BGP
    disable ns feature RIP|OSPF|BGP

• If dynamic routing is used, the NetScaler cannot be attached via vPC (vPC is a Layer 2 port channel only)

ADC Design Integration

Services Node Insertion Methods

• Two-armed mode
– Bridged / transparent
– Routed
• One-armed mode
• vPath – dynamic insertion for virtual services nodes
– VEM, Virtual Ethernet Module, i.e. the virtual switch deployed with the hypervisor
• RISE – Remote Integration of Service Engines
• NSH – Network Services Header
– Added to encapsulated network packets or frames to create network service paths
• OpFlex
– A distributed control system based on a declarative policy information model

What is the Hardest Part of Load Balancing Designs? Return traffic from the server.

• Source NAT: loss of the client's IP address
• Policy-based routing: very manual and problematic
• Creating stovepipes through the network
– VLAN stitching, transparent devices
– VRF, Virtual Routing and Forwarding
– More hardware
– Making the services node the server default gateway
– ... I am sure we can think of more "options"

Challenges of Existing ADC Solutions

Inline mode – challenges
• DC switching is measured in terabits, while ADC capacity is still in gigabits
• Thus inline ADCs can easily become DC bottlenecks
• This is particularly true for virtual environments, where vADCs have lower performance than physical ADCs
• Creates logical stovepipes of traffic through the network

One-arm mode – challenges
• Uses ADC capacity more effectively by only sending necessary traffic through the ADC
• SNAT is primarily used due to simplicity; however, the client source is obscured, which often prevents SNAT deployment
• PBR is a partial solution to preserve the client source, but increases deployment complexity and operating cost

Network Topologies – One-Armed

(figure: 1. user request to the VIP on the public/front VLAN; 2. request forwarded to the server on the private/server VLAN; 3. response to the NetScaler; 4. response to the user, all over the single interface)

• One-armed topologies have several benefits
– Simple: one physical interface and no risk of bridge loops
– May make use of one or many VLANs with 802.1q tagging
– Can make use of link aggregation to satisfy bandwidth requirements
– Very few failure modes, easing HA failure analysis

Network Topologies – Two-Armed

(figure: 1. user request to the VIP on the public/front VLAN; 2. request forwarded out the second arm to the server on the private/server VLAN; 3. response to the NetScaler; 4. response to the user)

• Two-armed topologies work in situations where one-armed doesn't
– Allows Layer 3 style deployments with split subnets (as shown)
– Allows Layer 2 style deployments with one subnet on both sides
– Supports transparent compression and SSL offload
– Supports USIP (Use Source IP) processing without server changes

Application Requirements for Network Services

• Current-generation network capabilities are driven by the physical network topology. For example, if the firewall is plugged into the Internet connection and the load balancer into the firewall, traffic must always flow in that order.
• Application-driven requirements that change the relationship (load balancing, then firewall) cannot be supported without physically changing the layout of the network.

(figure: core router/switch -> firewall -> load balancer -> proxy server -> application)

Cloud Network Services (CNS) – Nexus 1000V vPath

vPath is the Nexus 1000V data-plane component:

1. Distributed service insertion architecture, with an intelligent traffic intercept and redirection mechanism
2. Topology-agnostic service insertion model
3. Service chaining across multiple virtual services
4. Performance acceleration with vPath, e.g. VSG flow offload
5. Efficient and scalable architecture
6. VM policy mobility with VM mobility

Policy-based service enablement, on any hypervisor.

vPath

• vPath enables service insertion based on policies created for application VMs
• Services are enabled per vNIC
• vPath interception is configured on the server VM's port profile in both directions to redirect packets to a service node
• Server traffic is intercepted by vPath interception in the VEM and redirected to a virtual service node
• Both ingress and egress traffic for a VM is intercepted by vPath

(figure: upstream switch, VSM, server VM on a VEM with vPath interception in/out)

vPath Benefits – Evolve the Network for the next wave of application requirements

Without vPath
• Complex deployment: per-host service nodes
• Service chaining is static
• No fast-path acceleration
• Services tightly coupled with network topology

With vPath
• Distributed policy-driven service insertion and chaining
• Non-disruptive operations
• Fast-path acceleration
• Decouples services from network topology

N1KV Virtual Distributed Architecture

• You define which L4-7 virtual services apply through policy, NOT network topology
• Transparent service insertion for vPath-capable virtual services
• Dynamic service chains enabled per VM / application / tenant

(figure: a client reaches a Web VM in container #1 (policy 2) and a VOD VM in container #2 (policy 1) through chains of virtual services A, B and C; the admin defines policy 1 and policy 2 for each tenant)

Expanded vPath ecosystem: VSG, ASA 1000V, vWAAS and NetScaler 1000V

Cisco Remote Integrated Service Engine (RISE)

Challenge: services and switching are deployed independently, which increases the complexity of deploying and maintaining networks.

RISE overview:
• Logical integration of a service appliance with the Nexus 7000 and 7700 platforms
• Enables staging to streamline initial deployment of the service appliance
• Allows ongoing configuration updates to drive flows to and from the service appliance
• Allows data-path acceleration and increased performance
• Integrated with the N7K VDC architecture

(figure: physical topology versus the logical RISE topology, where the appliance appears as a module joined to the switch by a control plane)

RISE Benefits

• RISE simplifies initial appliance deployment from 30 to 8 steps
• Improved VIP tracking and failover
• Allows ongoing, dynamic configuration updates for flows to and from the appliance
• Logical integration of the appliance as a virtual service module
• Provides benefits such as plug and play, simplified provisioning, auto-discovery, bootstrap, RHI and APBR
• Eliminates inter-dependencies between network admins and services admins, avoids human errors and provides operational simplicity
• All configuration and management can be done via the N7K
• Integration with the N7K VDC architecture

RISE Attach Modes

• Direct mode – the service appliance is directly attached to the Nexus 7000, typically via vPC, which allows RISE to significantly simplify provisioning
• Indirect mode – a virtual service appliance (e.g. SDX, VPX, NetScaler 1000V) connected to the N7K via a switched (L2) network

RISE Control & Data VLANs

• The interface or port-channel connecting to the RISE appliance uses a single trunk carrying both the control and data VLANs
• The control VLAN is used for all control-channel communication
– For example: slot-id assignment, policy push, event notifications, statistics download, heartbeats, discovery, bootstrap messaging, etc.
• The control channel is AES encrypted to ensure communication security
• The data VLAN(s) are carried over the data channel and used for all data traffic between the Nexus 7000 and the service appliance
– For example: client-to-server communication
• Both control and data VLANs are provisioned by the user

(figure: control plane between the N7K and the appliance over the control VLAN)

Direct Attached Mode Configuration

Four simple steps to configure RISE:
1. Interconnect the NetScaler with the N7K
2. Create the port-channel and allow the control and data VLANs
3. Configure the RISE service
4. Boot the RISE client

Note: "no shutdown" on the RISE service triggers auto-discovery.

N7K configuration:

    ! Create the VLANs: 99 is the control VLAN, 100-101 are the data VLANs
    N7K-1(config)# vlan 99-101
    N7K-1(config)# int e3/47,e8/47
    N7K-1(config-if-range)# switchport
    N7K-1(config-if-range)# channel-group 2052 mode on
    N7K-1(config-if-range)# int po2052
    N7K-1(config-if)# switchport mode trunk
    N7K-1(config-if)# switchport trunk allowed vlan 99-101
    N7K-1(config-if)# no shut
    N7K-1(config-if)# end
    ! Enable the RISE feature
    N7K-1(config)# feature rise
    ! This is the list of data VLANs
    N7K-1(config)# service vlan-group 20 100-101
    N7K-1(config)# service type rise name mpx502b mode vpc
    Note: assigned slot-id: 333
    ! A unique slot-id is assigned to the NetScaler; auto-discovery and bootstrap start
    ! Control VLAN
    N7K-1(config-rise)# vlan 99
    N7K-1(config-rise)# port-channel 2052
    N7K-1(config-rise)# vlan-group 20
    ! NetScaler NSIP
    N7K-1(config-rise)# ip 10.90.14.217/24
    ! I always forget this
    N7K-1(config-rise)# no shutdown

RISE Connection for Direct Attach

1. A unique slot-id is assigned to the RISE device
2. Auto-discovery and bootstrap start
3. The AES-encrypted control channel is established
4. Once finished, the service appliance appears as a module on the N7K
5. After the NetScaler is configured, heartbeats are exchanged continuously

Data-plane optimization can now take place as ADC services are provisioned. RISE auto-establishes once configured.

Show RISE when Directly Attached

On the NetScaler:

    mpx502-2> show ip
            Ipaddress       TD  Type          Mode    Arp      Icmp     Vserver  State
            ---------       --  ----          ----    ---      ----     -------  -----
    1)      10.90.14.217    0   NetScaler IP  Active  Enabled  Enabled  NA       Enabled
    2)      172.16.1.217    0   SNIP          Active  Enabled  Enabled  NA       Enabled

On the N7K:

    n7k1-dc1-agg1# show rise
    Name           Slot  Vdc  Rise-Ip          State         Interface
                   Id    Id
    -------------  ----  ---  ---------------  ------------  ---------
    Mpx205b        333   2    10.90.14.217     active        Po2052

    n7k1-dc1-agg1# show rise detail
    RISE module name: mpx502b
      State: active
      Admin state: Enabled
      Interface: Po2052
      RISE Channel connectivity via interface Po2052
      Mode: vpc
      Slot id: 333
      Service token: 0x2
      Serial number: MH8C02AM50
      SUP IP: 10.90.14.138
      RISE IP: 10.90.14.217
      VDC id: 2
      VLAN: 99
      VLAN group: 20
      VLAN list: 99-101
      Data Interface: N/A

Callouts: "State: active" = RISE device active and operational; "Slot id: 333" = unique slot ID for the RISE device; "Mode: vpc" = direct-attached RISE device using vPC; "RISE IP" correlates with the NSIP on VLAN 99; the SNIP 172.16.1.217 is the next-hop address for PBR.

Show RISE from the RISE Client when Directly Attached

    n7k1-dc1-agg1(config-rise)# attach rise slot 333
    Attaching to RISE 332 ...
    Username:nsroot
    Warning: Permanently added '10.90.14.216' (RSA) to the list of known hosts.
    Password:
    Last login: Tue Mar 11 09:15:31 2014 from 10.90.14.138
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
    The Regents of the University of California. All rights reserved.
    Done
    > show rise profile
    1) Service Name : mpx205b
       Status : Active
       Mode : vPC-Direct
       Device Id : TBM14257214
       Slot Number : 333
       VDC Id : 2
       vPC Id : 2052
       SUP IP : 10.90.14.138
       VLAN : 99
       VLAN Group : 20
       Interface : LA/1
       ISSU : None

Note that "attach rise slot" is an SSH session from the supervisor to the appliance, logging in as nsroot with a password; the host key is accepted on first use (the known_hosts warning above), so the supervisor trusts whichever key answers the first attach.

RISE Indirectly Attached with vPC

• Here a service appliance is indirectly attached to a Nexus 7000 vPC peer via an L2 network (typical design for virtual services)
• It is recommended to dual-attach access switches to both vPC peers
• If attaching to just one vPC peer, be sure to use "vpc orphan-port suspend" on the orphan ports to prevent active/active scenarios and possible black-holing

(figure, left: indirect attach mode with the L2 network dual-attached to both vPC peers N7K1/N7K2 via vPC, NS 1 and NS 2 behind it; right: indirect attach mode singly attached to one vPC peer, using orphan ports)

RISE Indirect Mode Security

• The NetScaler appliance is indirectly attached to the Nexus 7000, either via a switch in between or via a switched (L2) network; the RISE control channel between the N7K and each NetScaler stays encrypted across that L2 network

(figure: N7K – L2 network – NS 1 / NS 2, with the encrypted channel drawn across the L2 network)

Cisco Solution: Use RISE for Auto PBR

• NS adds redirection rules as per its configuration
– Sends the list of servers and the next hop interface
• N7K applies the rules for its local servers and propagates the rules for servers attached to the neighboring N7K
• No need for Source-NAT or manual PBR configuration
• Uses the RISE control channel for sending Auto PBR messages

[Diagram: Auto PBR flow. 0. Configure a new service: the NetScaler pushes the APBR rules to the N7K. 1.-2. Client → VIP (from the Internet through the N7K to the NetScaler). 3. Client → Server. 4.-5. Client → Server / Server → Client at the server. 6. Server → Client (policy-routed by the N7K back to the NetScaler). 7.-8. VIP → Client.]

Preserve Client IP Visibility without the operational cost of Traditional Policy Based Routing

Citrix NetScaler Auto PBR Configuration

1. Create a monitor:
add lb monitor monitor-wfe HTTP
2. Create servers:
add server WEB-1 192.168.1.11
add server WEB-2 192.168.1.12
3. Create services:
add service Web-Front-End-1 WEB-1 HTTP 80
add service Web-Front-End-2 WEB-2 HTTP 80
4. Bind the monitor to the services:
bind lb monitor monitor-wfe Web-Front-End-1
bind lb monitor monitor-wfe Web-Front-End-2
5. Create the virtual server:
add lb vserver Vserver-WFE HTTP 172.16.1.100 80
6. Bind the services to the virtual server:
bind lb vserver Vserver-WFE Web-Front-End-1
bind lb vserver Vserver-WFE Web-Front-End-2
7. Select APBR for the services bound to the virtual server (use source IP):
set service Web-Front-End-1 -usip YES
set service Web-Front-End-2 -usip YES

APBR is applied to the services bound to the vserver. No APBR-specific configuration is required on the N7K, except enabling ‘feature pbr’.

Dynamic Route-Map for Auto PBR created and applied on SVI

N7K-1# sh run | begin "route-map _r"
route-map _rise-system-rmap-Vlan10 permit 1
  match ip address _rise-system-acl-172.16.1.217-Vlan10
  set ip next-hop 172.16.1.217
route-map _rise-system-rmap-Vlan11 permit 1
  match ip address _rise-system-acl-172.16.1.217-Vlan11
  set ip next-hop 172.16.1.217
<snip>
interface Vlan10
  no shutdown
  ip policy route-map _rise-system-rmap-Vlan10
  hsrp 10
interface Vlan11
  no shutdown
  ip policy route-map _rise-system-rmap-Vlan11
  hsrp 11

Nexus 7000 is Populated with PBR Configuration

Dynamic Access List matching the Real Server IPs

N7K-1# sh access-lists dynamic
IP access list _rise-system-acl-172.16.1.217-Vlan10
  10 permit tcp 192.168.1.140/32 eq 8081 any
  20 permit tcp 192.168.1.152/32 eq www any
  30 permit tcp 192.168.1.142/32 eq www any
  40 permit tcp 192.168.1.92/32 eq www any
  50 permit tcp 192.168.1.82/32 eq www any
IP access list _rise-system-acl-172.16.1.217-Vlan11
  10 permit tcp 192.168.1.152/32 eq www any
  20 permit tcp 192.168.1.142/32 eq www any
  30 permit tcp 192.168.1.92/32 eq www any

RISE adds the PBR configuration automatically on the Nexus 7000; no manual configuration is required!

For applications with separate control and data connections, like FTP, the NetScaler installs Layer 3 based ACLs.

Verifying Auto PBR Configuration on the Nexus 7000

n7k1-dc1agg1# show service rise ipv4 auto-pbr slot 333
APBR routes added by slot 333
rs ip            port   protocol  nhop ip          rs nexthop inf
---------------  -----  --------  ---------------  --------------
192.168.1.62     80     TCP       172.16.1.217     Vlan10
192.168.1.72     80     TCP       172.16.1.217     Vlan10
192.168.1.82     80     TCP       172.16.1.217     Vlan10
192.168.1.88     80     TCP       172.16.1.217     Vlan10
192.168.1.92     80     TCP       172.16.1.217     Vlan10
192.168.1.140    80     TCP       172.16.1.217     Vlan10
192.168.1.140    8081   TCP       172.16.1.217     Vlan10
192.168.1.142    80     TCP       172.16.1.217     Vlan10
192.168.1.150    80     TCP       172.16.1.217     Vlan10
192.168.1.152    80     TCP       172.16.1.217     Vlan10

(Lists all APBR entries added on the N7K)

n7k1-dc1agg1# show rise
Name             Slot Id  Vdc Id  Rise-Ip          State     Interface
---------------  -------  ------  ---------------  --------  ----------
mpx205a          332      2       10.90.14.216     active    Po2051
mpx205b          333      2       10.90.14.217     active    Po2052
ciscovpx1        334      2       10.90.14.218     active    N/A
nam2220          335      2       10.90.14.242     active    Eth10/2
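The APBR table and the dynamic ACLs shown above are the two things to compare when return traffic from a real server is not coming back through the NetScaler. The script below is an added example, not Cisco or Citrix code: it parses abridged copies of the two show outputs (constructed from the text on these slides) and lists the APBR routes for which no matching permit entry exists in the ACL that RISE names after the next hop and the SVI. The ACL naming pattern and the www-to-80 port-name mapping are assumptions taken from the output as displayed, not documented NX-OS behaviour.

```python
"""Cross-check RISE Auto PBR routes against the dynamic ACLs on a Nexus 7000.

Added example (not from the BRKAPP-2032 deck, NX-OS or NetScaler). A real
server that appears in 'show service rise ipv4 auto-pbr' but has no permit
entry in the SVI's dynamic ACL would have its return traffic routed normally,
bypassing the NetScaler, so the mismatch is worth flagging.
"""
import re
from collections import namedtuple

ApbrRoute = namedtuple("ApbrRoute", "rs_ip port proto nhop iface")

# Constructed sample: abridged 'show service rise ipv4 auto-pbr slot 333' output.
APBR_OUTPUT = """\
APBR routes added by slot 333
rs ip           port   protocol nhop ip         rs nexthop inf
--------------- ------ -------- --------------- --------------
192.168.1.82    80     TCP      172.16.1.217    Vlan10
192.168.1.92    80     TCP      172.16.1.217    Vlan10
192.168.1.140   80     TCP      172.16.1.217    Vlan10
192.168.1.140   8081   TCP      172.16.1.217    Vlan10
192.168.1.142   80     TCP      172.16.1.217    Vlan10
192.168.1.152   80     TCP      172.16.1.217    Vlan10
"""

# Constructed sample: abridged 'show access-lists dynamic' output.
ACL_OUTPUT = """\
IP access list _rise-system-acl-172.16.1.217-Vlan10
        10 permit tcp 192.168.1.140/32 eq 8081 any
        20 permit tcp 192.168.1.152/32 eq www any
        30 permit tcp 192.168.1.142/32 eq www any
        40 permit tcp 192.168.1.92/32 eq www any
        50 permit tcp 192.168.1.82/32 eq www any
IP access list _rise-system-acl-172.16.1.217-Vlan11
        10 permit tcp 192.168.1.152/32 eq www any
        20 permit tcp 192.168.1.142/32 eq www any
        30 permit tcp 192.168.1.92/32 eq www any
"""

# NX-OS prints well-known ports by name; map the ones we expect back to numbers.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "domain": 53}

APBR_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\w+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
ACL_HEAD = re.compile(r"^IP access list (\S+)$")
ACL_ACE = re.compile(r"^\s*\d+\s+permit\s+(\w+)\s+(\d+\.\d+\.\d+\.\d+)/32\s+eq\s+(\S+)\s+any\s*$")


def parse_apbr(text):
    """Return the APBR routes as a list of ApbrRoute tuples (header lines are skipped)."""
    routes = []
    for line in text.splitlines():
        m = APBR_ROW.match(line.strip())
        if m:
            ip, port, proto, nhop, iface = m.groups()
            routes.append(ApbrRoute(ip, int(port), proto.upper(), nhop, iface))
    return routes


def parse_dynamic_acls(text):
    """Return {acl_name: {(proto, rs_ip, port), ...}} from the dynamic ACL listing."""
    acls, current = {}, None
    for line in text.splitlines():
        h = ACL_HEAD.match(line.strip())
        if h:
            current = h.group(1)
            acls[current] = set()
            continue
        a = ACL_ACE.match(line)
        if a and current:
            proto, ip, port = a.groups()
            port = PORT_NAMES.get(port, port)  # 'www' -> 80; numeric ports stay as-is
            acls[current].add((proto.upper(), ip, int(port)))
    return acls


def acl_name_for(route):
    """Assumed naming, as seen in the output: _rise-system-acl-<next hop>-<SVI>."""
    return "_rise-system-acl-%s-%s" % (route.nhop, route.iface)


def missing_acl_entries(routes, acls):
    """APBR routes that have no matching permit line in the expected dynamic ACL."""
    missing = []
    for r in routes:
        entries = acls.get(acl_name_for(r), set())
        if (r.proto, r.rs_ip, r.port) not in entries:
            missing.append(r)
    return missing


if __name__ == "__main__":
    for r in missing_acl_entries(parse_apbr(APBR_OUTPUT), parse_dynamic_acls(ACL_OUTPUT)):
        print("no ACE for %s:%d/%s in %s" % (r.rs_ip, r.port, r.proto, acl_name_for(r)))
```

Run against the abridged sample it reports one route, 192.168.1.140 port 80, because the Vlan10 ACL excerpt only carries that server's 8081 entry; on a live box the same comparison, fed the full outputs, tells you which server's return path to look at.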

Initial Appliance Integration with Cisco

• NetScaler 10.1 Build 124.1308.e supports four platforms:
– MPX: ADC application software running directly on specialized hardware (similar to the ACE 4710)
– VPX: Virtualized ADC, which can run on various hypervisors
– SDX: Specialized HW running a Citrix hypervisor, allowing multiple instances of VPX to provide a HW accelerated solution
– NetScaler 1000v: VPX running on the Nexus 1110
• The Cisco Prime NAM has added RISE support in version 6.02
• RISE requires the ENHANCED_LAYER2_PKG license

Feature | Release
Simplified Provisioning | NX-OS 6.2(2a)
Auto Policy Based Routing (APBR) | NX-OS 6.2(8)
Route Health Injection (RHI) | Targeted for NX-OS 7.1

Enabling Route Health Injection, RHI

• One of the primary purposes of running dynamic routing protocols is to inject routes into upstream routers
• This is used to distribute reachability information for VIPs
• Enable VIP advertisement with: set ns ip 172.16.10.100 -hostRoute ENABLED
• Route injection can be controlled based on the state of the vservers using the “-vserverRHILevel” option
– ALL_VSERVERS - A host route is injected only if all the vservers associated with the VIP are UP
– ONE_VSERVER - A host route is injected if any one of the vservers associated with the VIP is UP
– NONE - A host route is injected regardless of the state of the vservers associated with the VIP

set ns ip 172.16.10.100 -hostRoute ENABLED -vserverRHILevel ONE_VSERVER

If using dynamic routing for RHI you cannot use vPC.

RISE Links

Cisco RISE Page on Cisco.com
http://www.cisco.com/go/rise

NS & N7K Integration White Paper
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/ps8361/white_paper_c11-688039_ps9402_Products_White_Paper.html

N7K Documentation
http://www.cisco.com/en/US/products/ps9402/products_installation_and_configuration_guides_list.html

NetScaler Documentation
http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-enhancements-124-13xxe-con.html

The ACI Fabric

• Draw a software boundary around a collection of switches to make a system
• Policies: who can talk to whom
• What about topology control, ops stuff? API
• Distributed policy enforcement
– Just-in-time resolution
– Performed by embedded policy enforcement agents (PEs)

Application Network

[Diagram: an application built from web, app and db tiers of VMs, plus The Outside.]

• End Point Group (or VMware Port Group): a collection of end-points connecting to the network… VMs, physical compute, … (a component tier)
• Contract: a set of network requirements specifying how application components communicate with each other (Access Control, QoS, Network Services)
• The Outside: rules of how the application communicates with the external private or public networks
• Network Profile: application-centric network policy; the network as a virtual patch panel

ACI Introduces Logical Network Provisioning of Stateless Hardware

[Diagram: the ACI Fabric, a non-blocking, penalty-free overlay. Web, App and DB tiers and the Outside (Tenant VRF) are joined by contracts carrying QoS, Filter and Service policies, pushed by the Application Policy Infrastructure Controller (APIC).]

ACI Layer 4 - 7 Service Integration

• Elastic service insertion architecture for physical and virtual services
• Helps enable administrative separation between application tier policy and service definition
• APIC as central point of network control with policy coordination
• Automation of service bring-up / tear-down through programmable interface
• Supports existing operational model when integrated with existing services
• Service enforcement guaranteed, regardless of endpoint location

Centralized, Automated, and Supports Existing Model

[Diagram: the Application Admin defines App Tier A (Web Server → App Server) and App Tier B (Web Server → App Server) and a policy that redirects traffic into the “Security 5” chain; the Service Admin defines the Service Graph (begin, Stage 1 … Stage N, end), whose providers are Firewall and Load Balancer instances, and the Service Profile. “Security 5” Chain Defined.]

Citrix Device Package Functions

The following functions can be configured through APIC.

Layer 4 Load Balancing Design

Layer 4 Load Balancing

TCP and UDP Client Requests

• Maintaining User Sessions
– Source IP
– Cookie
– SSL Session ID
– Server-ID in URL Query
– Custom Server-ID
– Token (header or body)
• Distributing Traffic
– Least Connections
– Lowest Response Time
– SNMP-based
– IBM SASP
– Hash-based
– Many more…
• Monitoring Server Health and Availability
– TCP Connection
– HTTPS Connection
– Extended Content Verification
– Scriptable Health Checks

Content Switching: Load Balancing on Steroids

• Request Protocol / Request Method
– Any TCP Request
– Any TCP payload value
– HTTP Get
– HTTP Post
• Client Attributes
– Device Type
– Language
– Cookie
– Browser Capability
• HTTP Requests
– Anything in request body
– Any HTTP payload value
– XML XPath support
– Domain
– Wildcard URL

How LB works

• Components of LB
– VIP, virtual IP address
– Service
– Service group
– Vserver to service bindings
– Monitor
– Monitor to service bindings

Load Balancing Structure

• Server
– Name, IP
• Service or Service Group
– Name, IP, Port, Protocol …
• Virtual Server
– Name, IP, Port, Protocol
• Monitor
– Protocol, characteristics…
• Simple Load Balancing Example

[Diagram: Client → LB Virtual Server → Service → Server (VM), one Service per Server, with a Monitor bound to each Service.]

Typical LB topology

[Diagram: Clients on the Internet connect to the VIP on the NetScaler; the NetScaler uses its SNIP to reach the Services of a Service Group, i.e. Servers with identical content.]

Protocols supported

• Generic Protocols
– TCP
– UDP
– SIP_UDP
– DNS
• TCP Based Protocols
– HTTP
– SSL
– FTP
– SSL_Bridge
– SSL_TCP
• Database
– MYSQL
– MSSQL

Protocol Binding

• Protocol binding combinations
– http-http
– http-ssl
– ssl-http
– ssl-ssl

Basic Load Balancing

• Is the server active? How can you check? Monitors
• How can you balance the connections? LB Methods
• How do you keep the client connected to the same server? Persistence

Server Health Monitors

• ICMP ping for all services
• TCP SYN for any TCP services
• HTTP response code for HTTP services
• Extended Content Verification: HTTP, TCP, UDP, and pattern based
• Extended Application Verification: DNS, FTP, HTTPS
• Transparent device monitoring
• Custom monitors in user space
• Citrix Presentation Server specific monitors

Monitors/Keepalive messages

• Monitors

Application Specific Monitors

Load Balancing Methods (Predictor Algorithms)

• Round Robin: continuously rotates through the list of services that are bound to the vserver
• Least Connections (default load balancing method): selects the service with the fewest active connections
• Least Bandwidth: selects the service that is currently serving the least amount of traffic
• Least Response Time: selects the service with the fewest active connections and the lowest average response time
• Least Packets: selects the service that has received the fewest packets in the last 14 seconds
• Token LB: selects a service based on the value of a data segment extracted from the client request
• Custom Load Method: a load monitor calculates the load on each service in the network to determine the server with the smallest load
• Hashing: selects based on hashes of certain connection information or header information

Service Weight

• Weight indicates what percentage of traffic should be sent to a service
• Higher weight services take up more requests
• Efficient when working with a mix of fast and slow servers
• Supported LB methods
– Round Robin
– Least Connection
– Least Response Time
– Least Bandwidth
– Least Packets
– Custom Load
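To make the weighting concrete, here is an added Python model (not NetScaler code) of weighted Round Robin, Least Connections and Least Response Time selection as described on the two slides above, plus a source-IP hash of the kind that gives the Source IP persistence covered later in this deck. The service names, weights and client addresses are constructed, and the scoring formulas are a simplified model rather than NetScaler's exact arithmetic; what they show is how a weight of 3 versus 1 turns into a 3:1 share, how DOWN services are skipped, and how a hashed client stays on one service until that service fails.

```python
"""Weighted service selection, modelled on the load balancing methods slide.

Added example, not NetScaler code. Round Robin uses a weighted ring,
Least Connections and Least Response Time divide their load score by the
weight, and SOURCEIPHASH uses rendezvous hashing so that only the clients of
a service that goes DOWN are re-homed.
"""
import hashlib
import itertools


class Service:
    """One back-end service; weight is its relative share of traffic."""

    def __init__(self, name, weight=1):
        assert weight >= 1, "weight must be a positive integer"
        self.name = name
        self.weight = weight
        self.active = 0          # open connections right now
        self.avg_rt_ms = 0.0     # average response time observed by the monitor
        self.up = True           # monitor result; DOWN services are never selected


class LoadBalancer:
    def __init__(self, services, method="ROUNDROBIN"):
        self.services = services
        self.method = method
        # Weighted round robin: each service appears 'weight' times in the ring.
        self._ring = itertools.cycle([s for s in services for _ in range(s.weight)])

    def select(self, client_ip=None):
        up = [s for s in self.services if s.up]
        if not up:
            raise RuntimeError("all services are DOWN")
        if self.method == "ROUNDROBIN":
            for s in self._ring:                 # walk the ring, skipping DOWN entries
                if s.up:
                    return s
        if self.method == "LEASTCONNECTION":
            # Effective load = connections / weight, so a weight-3 service may
            # carry three times the connections of a weight-1 service.
            return min(up, key=lambda s: s.active / s.weight)
        if self.method == "LEASTRESPONSETIME":
            # Model of the slide's definition: fewest active connections and
            # lowest average response time, again scaled by weight.
            return min(up, key=lambda s: (s.active * max(s.avg_rt_ms, 1.0)) / s.weight)
        if self.method == "SOURCEIPHASH":
            # Rendezvous (highest-random-weight) hashing on client IP + service name.
            def score(s):
                return hashlib.sha256(("%s|%s" % (client_ip, s.name)).encode()).hexdigest()
            return max(up, key=score)
        raise ValueError("unknown method %s" % self.method)


def distribute(lb, n, client_ips=None):
    """Send n requests through lb, holding every connection open, and count per service."""
    counts = {s.name: 0 for s in lb.services}
    for i in range(n):
        ip = client_ips[i % len(client_ips)] if client_ips else None
        s = lb.select(ip)
        s.active += 1
        counts[s.name] += 1
    return counts


if __name__ == "__main__":
    for method in ("ROUNDROBIN", "LEASTCONNECTION"):
        fast, slow = Service("web-fast", weight=3), Service("web-slow", weight=1)
        print(method, distribute(LoadBalancer([fast, slow], method), 40))
```

With weights 3 and 1 both Round Robin and Least Connections settle at 30 of 40 requests on the fast server; the hash method is deterministic per client IP, which is exactly why it only gives persistence, not balance, when a few large NAT addresses dominate the client population.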

Persistence Type

Persistence Type | Description
Source IP | SOURCEIP. Connections from the same client IP
HTTP Cookie | COOKIEINSERT. Connections that have the same HTTP Cookie header
SSL Session ID | SSLSESSION. Connections that have the same SSL Session ID
URL Passive | URLPASSIVE. Connections to the same URL
Custom Server ID | CUSTOMSERVERID. Connections with the same HTTP HOST header
Destination IP | DESTIP. Connections to the same destination IP
Source and Destination IPs | SRCIPDESTIP. Connections that are both from the same source IP and to the same destination IP
SIP Call ID | CALLID. Connections that have the same call ID in the SIP header
RTSP Session ID | RTSPSID. Connections that have the same RTSP Session ID
User-Defined Rule | RULE. Connections that match a user-defined rule

Persistence Setup and Backup Persistence

Persistence Group

• Applications/Deployments with different content/connectivity
• Group different types of virtual servers logically
• Common persistence across HTTP and HTTPS
• Possible methods
– Cookie
– Source IP
• Can have backup persistence as well
• Persistence Group -> Create -> Close

Persistency Type to Virtual Server

Per Type       | HTTP | HTTPS | TCP           | UDP/IP | SSL_Bridge | SSL_TCP
SOURCEIP       | YES  | YES   | YES           | YES    | YES        | YES
COOKIEINSERT   | YES  | YES   | NO            | NO     | NO         | NO
SSLSESSION     | NO   | YES   | NO            | NO     | YES        | YES
URLPASSIVE     | YES  | YES   | NO            | NO     | NO         | NO
CUSTOMSERVERID | YES  | YES   | NO            | NO     | NO         | NO
RULE           | YES  | YES   | YES           | NO     | NO         | YES
SRCIPDESTIP    | YES  | YES   | YES           | YES    | YES        | YES
DESTIP         | YES  | YES   | YES           | YES    | YES        | YES
CALLID         | NO   | NO    | YES (SIP_UDP) | YES    | NO         | NO
RTSPID         | NO   | NO    | YES (RTSP)    | NO     | NO         | NO

Adding Servers ( Think Host )

• Load Balancing -> Servers -> Add

Add Services ( Think Protocol and Port )

• Load Balancing -> Services -> Add

Services Continued

• Health of Services

Creating a Virtual Server

• Load Balancing -> Virtual Servers (screenshot values: name RBG1, protocol HTTP, port 80, IP 192.168.10.216)

Load Balancing and Persistence

• Load Balancing -> Virtual Server -> Rule -> Method and Persistence

Enhancing Monitor

• Load Balancing -> Service

What do I check on the server?

• Can the application owners create a script on the server for you?
• Can you make an application request?
• What about the small image on the URL bar?
– /favicon.ico
• You can’t do a GET and there is no icon? What about a HEAD instead?
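The favicon and HEAD suggestions above amount to a cheap probe that checks a status code without pulling a body. The following is an added example (not a NetScaler monitor) of such a probe written in Python, run against a small constructed HTTP back end so it works offline: the monitor declares a service UP only on an expected status code, treats a refused or timed-out connection as DOWN, and never downloads a response body, which is the whole point of preferring HEAD for a health check.

```python
"""HEAD-based HTTP health check, as an added example (not NetScaler code).

The probe sends HEAD /favicon.ico and judges the service on the status code
alone. A constructed back end (FakeApp) stands in for the real server so the
example runs offline; flip FakeApp.healthy to simulate the application failing.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class FakeApp(BaseHTTPRequestHandler):
    """Constructed back end: /favicon.ico exists while healthy, 503 otherwise; other paths 404."""
    healthy = True

    def _respond(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        return body

    def do_HEAD(self):
        if self.path != "/favicon.ico":
            self._respond(404)
        elif FakeApp.healthy:
            self._respond(200)
        else:
            self._respond(503)

    def do_GET(self):
        body = self._respond(200 if self.path == "/favicon.ico" else 404, b"x" * 10)
        self.wfile.write(body)

    def log_message(self, *args):  # keep the server quiet
        pass


def http_head_monitor(host, port, path="/favicon.ico", timeout=2.0, ok_codes=(200,)):
    """Return (up, detail). Only the status line and headers cross the wire."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", path, headers={"Host": host, "User-Agent": "lb-monitor/1"})
        resp = conn.getresponse()
        resp.read()          # HEAD carries no body; this just releases the connection
        conn.close()
        return resp.status in ok_codes, "HTTP %d" % resp.status
    except (OSError, http.client.HTTPException) as exc:
        # Refused, timed out or garbled: the service is not serving, so it is DOWN.
        return False, "probe failed: %s" % exc


def start_server():
    """Start the constructed back end on a free loopback port and return the server."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("favicon:", http_head_monitor("127.0.0.1", port))
    print("missing path:", http_head_monitor("127.0.0.1", port, "/missing"))
    FakeApp.healthy = False
    print("app failing:", http_head_monitor("127.0.0.1", port))
    srv.shutdown()
```

Checking a narrow set of status codes matters: a 302 to a login page or a 200 from a generic error handler would otherwise keep a broken server in rotation, so extend ok_codes deliberately rather than accepting any 2xx/3xx.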

Configuring Virtual Server

• Load Balancing -> Virtual Servers

Service Group – add service group

• A service group requires a unique name for nomenclature – server association
– Provides a shorter config of services (pooling servers into a single group)

Most Common Configuration: One Armed Mode

• System -> Settings -> Change HTTP Parameters
• Fixing the Loss of Client Source IP

set service <ServiceName> -cip <ENABLED|DISABLED> <cipHeader>

Example:
set service Service-HTTP-1 -cip ENABLED X-Forwarded-For
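Once the NetScaler inserts the client IP into X-Forwarded-For, the server sees the SNIP as its TCP peer and has to read the header to log, rate-limit or geo-check on the real client address. That header is attacker-controllable unless the server only honours it when the connection really comes from the load balancer, so the added Python helper below (not NetScaler or Cisco code) trusts the header only when the TCP peer is a known SNIP, walks the list from the right to find the first address that is not a trusted proxy, and falls back to the peer address on anything malformed. The SNIP 172.16.1.217 is taken from the APBR slides; that the proxy appends to an existing header rather than overwriting it is an assumption to confirm for your own deployment.

```python
"""Recover the client IP behind a one-armed load balancer that inserts X-Forwarded-For.

Added example, not NetScaler code. Only connections whose TCP peer is a
trusted proxy (the NetScaler SNIP) are allowed to supply the header; from
such a peer the right-most untrusted address is the client, because the
trusted hop appended it last (assumption: append, not overwrite).
"""
import ipaddress

# Constructed: the load balancer addresses that may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.1.217/32")]


def is_trusted_proxy(addr):
    """True if addr is inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def client_ip(remote_addr, headers):
    """Return (address to treat as the client, True if it came from the header)."""
    if not is_trusted_proxy(remote_addr):
        # Direct connection: any X-Forwarded-For here was written by the client itself.
        return remote_addr, False
    hops = [h.strip() for h in _header(headers, "X-Forwarded-For").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr, False      # garbage in the header: do not trust any of it
        if not is_trusted_proxy(hop):
            return hop, True               # first untrusted address from the right
    return remote_addr, False              # header empty or only proxies listed


# Constructed sample requests: (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    ("172.16.1.217", {"X-Forwarded-For": "203.0.113.7"}),            # normal: via the SNIP
    ("172.16.1.217", {"X-Forwarded-For": "10.0.0.1, 203.0.113.7"}),  # client pre-seeded the header
    ("192.168.1.50", {"X-Forwarded-For": "203.0.113.7"}),            # direct, header untrusted
    ("172.16.1.217", {}),                                            # SNIP but no header
    ("172.16.1.217", {"x-forwarded-for": "not-an-ip"}),              # malformed
]


def resolve_all(requests=SAMPLE_REQUESTS):
    """Resolve every sample request; used by the demo and the checks."""
    return [client_ip(peer, hdrs) for peer, hdrs in requests]


if __name__ == "__main__":
    for (peer, hdrs), (ip, from_header) in zip(SAMPLE_REQUESTS, resolve_all()):
        print("peer=%-14s -> client=%-14s (from header: %s)" % (peer, ip, from_header))
```

The second sample is the case that matters: a client that sends its own X-Forwarded-For gets the value appended after it, so reading the left-most entry would let anyone choose the address your logs and rate limits see.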

Managing Configuration

Reverting Configuration

Content Switching: Layer 7 Load Balancing Design

Content Switching: L7

• Allows NS to mask multiple sites behind a single URL/DNS entry
• Client decisions can be rendered within the Policy Infrastructure: L3-L7
• HTTP callouts can be leveraged here for additional 3rd party requirements
• Simplifies application behavior
• Servers can be built based on requirements rather than mirroring all data (fast servers for processing, slow servers for static data)

How Request Switching™ Works

1) Receive + terminate connections
2) Decrypt / authenticate / analyze every request
3) Queue + dispatch valid requests
4) Switch requests + multiplex over persistent connections

[Diagram: the Layer 7 Packet Engine sits in the ‘Gap’ between the clients and Application 1, Application 2 and Application 3.]

Citrix NetScaler

NetScaler Virtual Server Tree

[Diagram: Clients on the Internet reach a CSW (content switching) vserver, which hands requests to LB vservers for Dynamic Content, Static Content and Cache Servers; a CRD (cache redirection) vserver and a second CSW vserver feed further LB vservers for dynamic content, static content and cache servers. Content types are dynamically recognized.]

Layer 7 decisions

• Browser Types, Object Types, Application headers …

What happened to my IP address?

Configure Virtual Server Content Switching

• Content Switching -> Virtual Server -> Add

Configure Virtual Server Content Switching Policies

• Content Switching -> Policies

Content Switching Visualizer

• Multiple Different Decision Paths Visualized

Handling SSL

Changing Requirements for Crypto

“Starting at the end of the 4th quarter of 2010, a 2048-bit CSR will be required for all SSL certificates”
Verisign

“Use of 1024-bit RSA is … not recommended after Dec 2010”
NIST 800-57: Recommendation for Key Management

Offloading SSL

• Offload CPU-intensive SSL processing
– Server resources are dedicated to serving requests and running applications, rather than encrypting data
• Centralized key/certificate storage/management
• Allows advanced load balancing (URL-based, cookie-sticky, payload parsing) and inspection of SSL traffic
• Scalability: easy to add more SSL “performance”

[Diagram: traffic encrypted to VIP:443 → Application Load Balancer → clear text to Servers:80]

SSL Server Offload Back-End Encryption

[Diagram: traffic encrypted to VIP:443 → Content Switch (SSL Termination; then Inspection, L7 load balancing, L7 persistence and clear text internal processing; then SSL Initiation) → encrypted to Web Servers:443]

How much SSL TPS is realistic

Link Type | Link Speed | SSL TPS, 20 K page size | SSL TPS, 700 K page size | SSL TPS, 1114 K page size
T1 | 1.5 Mbps | 8.5 TPS | 0.24 TPS | 0.2 TPS
10 Mbps Ethernet | 10 Mbps | 56.8 TPS | 1.6 TPS | 1.0 TPS
DS-3 | 45 Mbps | 255.7 TPS | 7.3 TPS | 4.6 TPS
Fast Ethernet | 100 Mbps | 568.1 TPS | 16.2 TPS | 10.2 TPS
OC-3 | 155 Mbps | 880.7 TPS | 25.2 TPS | 15.8 TPS
Gigabit Ethernet | 1,000 Mbps | 5681.8 TPS | 162.3 TPS | 102.0 TPS
10 Gigabit Ethernet | 10,000 Mbps | 56818.2 TPS | 1623.4 TPS | 1020.1 TPS

2003 average page size 20 kbytes
2011 average page size approximately 700 kbytes*
2012 average page size approximately 1114 kbytes*
* http://www.websiteoptimization.com/speed/tweak/average-web-page/

Assumption: SSL overhead 10%
TPS = Bandwidth / ((Average Page Size * 8) * (1 + SSL Overhead %))
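The table above follows directly from the formula at its foot, and the same arithmetic answers the question the slide is really asking: how many SSL transactions per second the uplink can carry before the ADC's SSL rating stops being the bottleneck. The Python below is an added example (not from the deck): it reproduces the table from the slide's link speeds, page sizes and 10% overhead assumption (taking 1 K as 1000 bytes, which is what makes the slide's numbers come out), and adds the inverse function for sizing a link against a target TPS.

```python
"""SSL transactions per second a link can carry, per the slide's formula.

Added example, not from the deck:
    TPS = Bandwidth / ((Page Size * 8) * (1 + SSL overhead))
Link speeds and page sizes are the slide's; 1 K is treated as 1000 bytes and
the 10% SSL overhead is the slide's stated assumption.
"""

# (name, link speed in Mbps) as listed on the slide
LINKS = [
    ("T1", 1.5), ("10 Mbps Ethernet", 10), ("DS-3", 45), ("Fast Ethernet", 100),
    ("OC-3", 155), ("Gigabit Ethernet", 1000), ("10 Gigabit Ethernet", 10000),
]
PAGE_SIZES_KB = [20, 700, 1114]   # 2003, 2011 and 2012 average page sizes
SSL_OVERHEAD = 0.10               # fraction of extra bytes on the wire for the handshake/records


def bits_per_transaction(page_kbytes, overhead=SSL_OVERHEAD):
    """Wire bits moved to deliver one page of the given size over SSL."""
    return page_kbytes * 1000 * 8 * (1 + overhead)


def ssl_tps(link_mbps, page_kbytes, overhead=SSL_OVERHEAD):
    """Transactions per second at which the link is saturated by pages of this size."""
    return link_mbps * 1_000_000 / bits_per_transaction(page_kbytes, overhead)


def link_mbps_needed(tps, page_kbytes, overhead=SSL_OVERHEAD):
    """Inverse: bandwidth (Mbps) required to sustain a target TPS for this page size."""
    return tps * bits_per_transaction(page_kbytes, overhead) / 1_000_000


def tps_table(links=LINKS, sizes=PAGE_SIZES_KB):
    """Rebuild the slide's table: {link name: [TPS rounded to 0.1 per page size]}."""
    return {name: [round(ssl_tps(mbps, kb), 1) for kb in sizes] for name, mbps in links}


if __name__ == "__main__":
    print("%-20s %10s %10s %10s" % ("Link", "20K", "700K", "1114K"))
    for name, row in tps_table().items():
        print("%-20s %10.1f %10.1f %10.1f" % (name, *row))
    print("Mbps needed for 1000 TPS of 1114K pages: %.1f" % link_mbps_needed(1000, 1114))
```

The last line is the planning figure to keep in mind: a 1000 TPS SSL appliance rating is meaningless on a gigabit uplink if the average page is over a megabyte, because the link tops out near 100 TPS at that size.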

Importing/Creating Keys

Use the wizard to create self-signed certificates and keys for test.

Creating Key Pairs

• SSL -> Certificates -> Add

Creating New SSL Offload Rule

Adding SSL offload

• SSL

SSL Parameters

Adding SSL to Virtual Server

Configurable Ciphers

Closing

Services Requirements

• Remember services are required
• Design with services in mind
• Don’t let services become an afterthought

Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker’s Twitter handle (Jeff) @jostermi (Dave) @ccie5952
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could be a Winner

Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education

• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings