Source: d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/brkapp-2032.pdf
TRANSCRIPT
Integrating Citrix NetScaler in
Cisco Data Center BRKAPP-2032
January 2014 Jeff Ostermiller CCIE #5402
Technology Solution Architect
Data Center Architecture
© 2014 Cisco and/or its affiliates. All rights reserved. BRKAPP-2032 Cisco Public
Speaker
Jeff Ostermiller CCIE #5402 Technology Solution Architect Data Center Architecture @jostermi [email protected]
Abstract
This is an in-depth technical discussion of application load balancing. The session focuses on deployment in the following key areas:
– Insertion methods for physical and virtual load balancers
– Basic load balancer configurations
– Migration methods from existing load balancers to the next-generation Citrix NetScaler products
This session is intended for IT Administrators and Network Architects who need to deploy application load balancing to meet business requirements.
Agenda
• Data Center Design Evolution
• NetScaler Basics
• ADC Design Integration
• NetScaler Layer 4 Load Balancing
• NetScaler Content Switching
• NetScaler Handling SSL
Acronym Slide
• ADC - Application Delivery Controller
• MPX – Multi-Core Processor Edition
• VPX - Virtualized ADC
• SDX – Service Delivery Edition
• MCEC - Multi-chassis EtherChannel
• LACP - Link Aggregation Control Protocol
• vPC - Virtual Port Channel
• vPC+ - Virtual Port Channel using Fabric Path as the protocol between the peer nodes
• Leaf - access node used for end node attachment
• Spine - used to interconnect all leaf nodes
Citrix NetScaler Master Class
NetScaler Training Options
http://training.citrix.com
NetScaler Master Class Training Link
http://www.citrix.com/events/netscaler-master-class.html
On-demand Webinars
NetScaler Master Class: April 2014 - Taking Advantage of NetScaler High Availability
NetScaler Master Class: February 2014 - Recommended tips and tricks - things to enable on NetScaler to make your life easier
NetScaler Master Class: November 2013 - NetScaler 101 – Content Switching
NetScaler Master Class: October 2013 - NetScaler really useful tips - things everyone should know
NetScaler Master Class: September 2013 - NetScaler overview: Features, functionality and benefits
Nuggets from Master Class on CLI
Setting the Prompt
> set cli prompt %h-%u-%T
Done
ns1-nsroot-03:08>
> set cli mode -color on
Log messages - GREEN
Error messages - RED
Config syntax - BLACK
config network interface 1/2> (only the commands that belong to this interface are shown)
Useful CLI commands
show runningconfig
show ns ns.conf
show info
show ns config
show license
show conn -summary
Evolution of Data Center
Distributed
• Manual Provisioning
• Limited scaling
• Rack-wide VM mobility
Fabric Based Cloud
• Policy-based Provisioning
• Scale Physical & Virtual/Cloud
• DC-wide/Cross-DC VM Mobility
Application Driven
• Service-centric Provisioning
• Flexible – Anywhere, Anytime
• Cross-cloud VM Mobility
(Diagram: each stage shows Compute, Storage and Services over an L2/L3 network; the fabric-based stage adds an Integrated Fabric & Cloud layer, and the application-driven stage a programmable, provisionable World of Many Clouds with Monitoring, Provisioning, Networking and End-User Apps.)
Services, Services, Services ….
• Insertion of services fundamentally drives the logical design (both L2 and L3) within the data center
– Firewalls, application firewalls
– Application Delivery Controllers
– IDS/IPS
– Client routing
• Industry transition underway from physical resources to virtualized resources
• How should we provide logical connectivity between data centers with services?
Data Center Based Topologies with Services
(Diagram: data center topology with an L3 core, N7K1/N7K2 as vPC peers, spine and leaf layers (border leaf, services leaf, leaf), FEX and UCS at the access layer, and vPC domains 1, 2 and 3.)
Where and how to implement services?
• Service insertion {load-balancing, firewalling, …} fundamentally drives the logical design (both L2 and L3) within the data center
• Design Decisions
– Routed Services
– Bridged Services
– Proxy Services
– Physical Services
– Virtualized Services
– Chained Services
(Diagram: Core, WAN Edge / DCI, Aggregation/Access, Services, Compute with 4x10GE uplinks, and Storage layers.)
Multi-Chassis EtherChannel (MCEC)
vPC – Virtual Port Channel
vPC allows a single device to use a port channel across two neighbor switches (vPC peers) (Layer 2 port channel only)
• Eliminates STP blocked ports and reduces STP complexity (do not disable STP)
• Uses all available uplink bandwidth - enables dual-homed servers to operate in active-active mode
• Provides fast convergence upon link/device failure
• If HSRP is enabled, both vPC devices are active on the forwarding plane
(Diagram: MCEC across two vPC peers.)
! Enable vPC on the switch
NX-OS(config)# feature vpc
! Check the feature status
NX-OS(config)# show feature | include vpc
vpc 1 enabled
Virtual Port Channel – vPC Design Considerations – Orphan Ports
Orphan ports are single-homed ports on a member of the vPC pair.
In the event of loss of the vPC peer link, all vPC ports on the secondary vPC switch are shut down to prevent topology problems.
Non-vPC (orphan) ports are left active.
This can isolate orphan ports, which could affect failover of services nodes.
Design Options based on Failure Conditions
1. For service nodes, configure orphan ports to be shut down along with the vPC ports on the secondary.
2. Provide a secondary uplink or switch-to-switch link for the orphan port VLAN (requires the use of a distinct VLAN for orphan and vPC ports).
Orphan ports remain active on the vPC secondary by default during a failure of the peer-link.
(Diagram: primary and secondary vPC peers with an orphan port.)
vPC Design Rule #1 – ALWAYS dual home devices to a vPC Domain
vPC Based DATA CENTER Physical Services Insertion
(Diagram: L3 core above N7K1/N7K2 vPC peers with CE L2 links and an L3 link; FEX pairs in vPC domains 1 and 3.)
• If the appliance supports LACP
– Connect the appliance to both core switches
– Use LACP negotiation
• If the appliance does not support LACP
– Connect the appliance to a single core switch
– Decide on failure behavior
– Determine the proper orphan behavior required
Cisco & Citrix Product Break-out
Current Citrix NetScaler Architecture
(Diagram: Citrix VPX, MPX hardware appliance and SDX hardware appliance, all on an x86 platform; the Cisco product is NetScaler 1000V on the Nexus 1110.)
NetScaler 1000V = VPX with Cisco-competing features disabled and a vPath toggle
1. Cisco-competing features that have been disabled:
• Citrix® Branch Repeater® (now Cloud Bridge)
• NetScaler CloudConnectors™
• Citrix Access Gateway™ EE SSL VPN (now NetScaler Gateway)
2. Throughputs: 10M, 200M, 500M, 1G, 2G, 3G & 4G (with and without Clustering)
3. Ability to enable/disable (toggle) vPath; disabling vPath allows you to load balance physical servers
4. 141x SKUs NOW orderable on Cisco’s Global Price List (GPL); includes ALL upgrade SKUs
5. Since vPath is optional, the Nexus 1000V is also now optional
NetScaler 1000V and Cloud Services Portfolio
• Sold and supported exclusively by Cisco
• Integrated with Nexus 1100 Series Cloud Services Platform (CSP)
• Part of Cisco Validated Design – VMDC Virtual Services Architecture (VSA) 1.0 Release
• vPath and Nexus 1000V are both optional
(Diagram: NetScaler 1000V running on any hypervisor with Nexus 1000V vPath, or on the Cisco Cloud Services Platform (Nexus 1100 Series, 1110-X, 10G enabled, SSL FRU in Q2CY14); Citrix NetScaler 1000V on ESXi OR Nexus 1100 Series.)
NetScaler 1000V Editions
• Standard Edition – Comprehensive L4-7 load balancing that optimizes expensive server and network resources to reduce cost
• Enterprise Edition – Web application delivery solution providing advanced traffic management and powerful application acceleration
• Platinum Edition – Web application delivery solution designed to deliver mission-critical applications with web application firewall security, fastest performance, and lowest cost
When to Use Which?
Physical Appliances
• Gig+ performance
• High volume SSL Offload
• High SSL TPS
• High IO/Packets Per Second
• FIPS requirements
• Physical device security
Virtual Appliances
• Labs/test environments
• Development environments
• “Datacenter-in-a-box”
• CPU-intensive workloads
• Frequently moved apps
• Fast/remote deployment
NetScaler Licensed Features
• System -> Licensed features
NetScaler Licensed Features
23
mpx502-2> show license
License status:
Web Logging: YES
Surge Protection: YES
Load Balancing: YES
Content Switching: YES
Cache Redirection: YES
Sure Connect: YES
Compression Control: YES
[omitted]
Appflow for ICA: YES
Vpath: NO
RISE: YES
Model Number ID: 20500
License Type: Platinum License
For Your Reference
NetScaler Enabling Features
mpx502-2> show info
NetScaler NS10.1: Build 124.1308.e.nc, Date: Mar 28 2014, 14:52:35
NetScaler IP: 10.90.14.217 (mask: 255.255.255.128)
Feature Acronym Status
3) Load Balancing LB ON
4) Content Switching CS OFF
9) SSL Offloading SSL OFF
30) Vpath Vpath OFF
31) RISE RISE ON
Mode Acronym Status
1) Fast Ramp FR ON
3) Use Source IP USIP OFF
8) Use Subnet IP USNIP ON
9) Layer 3 mode (ip forwarding) L3 ON
16) Bridge BPDUs BridgeBPDUs OFF
17) RISE APBR Advertisement RISE_APBR ON
18) RISE RHI Advertisement RISE_RHI OFF
For Your Reference
Differences between ACE and VPX
• VPX instances are similar to ACE contexts and are managed independently of each other.
• ACLs are applied globally in order of priority and have to be named uniquely. There is no explicit 'deny' statement associated with the ACLs. Lower priority ACLs are applied first.
• There is no concept of an alias address. Each interface has a unique IP address, and HA uses the same address but is in standby mode.
• Probes are only sent out via the primary node.
• The management IP address is used for HA instead of the FT link and FT state.
• Syslog logging messages are defined differently on VPX. The logging level has to be 'Notice' instead of 'Informational' to generate link failure logs.
Packet Forwarding Modes (For Your Reference)
• L2 – Bridge mode
• L3 – Routed mode
– Static Routes
– Dynamic Routes
– Policy Based Routing (PBR)
• MBF – MAC Based Forwarding – when packets need to go back to the same device
– Firewall / IDS / BR load balancing
Packet Forwarding Modes – Flow Chart (For Your Reference)
VLANs
• Default VLAN
• Port-based VLAN
• 802.1q tagging support
• Ingress processing
– If the frame is untagged or the tag = 0, the VLAN is set to the Port VLAN ID (PVID)
– If the VLAN tag = 0xFFF or any VLAN other than the PVID, the packet is dropped
• Layer 3 VLANs
• NSVLAN – management VLAN for the NetScaler
For Your Reference
Bridge Groups
• Bind multiple VLANs together to form a bridge group
• All member VLANs become part of the same broadcast domain
• Layer 3 functionality is supported on bridge groups
• add bridgegroup <id>
• bind bridgegroup <id> -vlan <positive_integer>
For Your Reference
Spanning Tree Protocol
• By default the appliance does not switch packets between interfaces in the same VLAN, so a Layer 2 loop cannot exist. Use the following commands on the connecting switch ports:
– spanning-tree port type portfast (trunk)
– spanning-tree port type edge (trunk)
• Host type behavior
• In cases where L2 mode on the appliance must be enabled, the behavior is the same as the Cisco ACE 4710:
– The appliance does not participate in the spanning tree
– With bridgeBPDUs mode OFF (the default), the NetScaler appliance drops all BPDUs received on an interface
– If BPDUs must pass through the NetScaler, bridgeBPDUs mode must be enabled
For Your Reference
NetScaler Address Management
• NSIP = NetScaler IP
– Set in initial configuration
– Management IP for the NetScaler system
• VIPs = Virtual IPs
– Normal method for configuring explicit services
• SNIP = Subnet IPs (Proxy Address)
– This address can be used to manage the NetScaler
• IPs for VLANs
– add vlan <id>
– bind vlan <id> -IPAddress <IP> <netmask>
– Another form of SNIP
IP Address Settings
For Your Reference
Managing Subnet IPs (SNIP)
• If the NS has to communicate directly with an IP in a subnet different from the subnet of the NSIP, a subnet IP has to be created
– add ns ip <IPAddress> <netmask>
creates an IP on the NS in that subnet
• SNIPs are easily removed
– rm ns ip <IPAddress>
• Use Subnet IP (USNIP) mode allows SNIPs to be used as MIPs
• Without USNIP mode enabled, Subnet IPs are like additional NSIPs
Managing Subnet IPs (SNIP)
• IP addresses are added with a single command
add ns ip <IPAddress> <netmask> -type <type>
creates an IP on the NS in that subnet
• Type can be VIP or SNIP
• Management features can be enabled selectively on a SNIP
> show ip
Ipaddress Type Mode Arp Icmp Vserver State
--------- ---- ---- --- ---- ------- ------
1) 12.178.35.145 NetScaler IP Active Enabled Enabled NA Enabled
2) 10.10.1.146 Subnet IP Active Enabled Enabled NA Enabled
3) 12.178.35.147 VIP Active Enabled Enabled Enabled Enabled
4) 12.178.35.148 VIP Active Enabled Enabled Enabled Enabled
(Diagram: the NetScaler’s NSIP faces Management, its SNIPs face the Servers and its VIP faces the Clients.)
Expanded IPv6 Support
• Native IPv6 support
• IPv4 – IPv6 Gateway
• Supports mixed IPv4 and IPv6 deployments
• Facilitates transition from IPv4 to IPv6
• 6-to-4 or 4-to-6 requires a SNIP
(Diagram: Mixed IPv4/IPv6 Support.)
VLANs and Interfaces
• VLANs/Interfaces are not the way we normally think about them
Binding Interfaces to VLANs
• By default all IPs are available via all interfaces.
Link Aggregation
• Manual
• LACP – Link Aggregation Control Protocol
• Hashing for distribution based on combination of SrcIP, DstIP, SrcPort and DstPort
• Maximum of four channels supported
add channel <id> [-ifnum <interfaceName> ...] [-state ( ENABLED | DISABLED )] [-speed <speed>] [-flowControl <flowControl>] [-haMonitor ( ON | OFF )] [-tagall ( ON | OFF )] [-ifAlias <string>] [-throughput <positive_integer>] [-bandwidthHigh <positive_integer> [-bandwidthNormal <positive_integer>]]
set interface <id> [-lacpMode ( DISABLED | ACTIVE | PASSIVE )] [-lacpKey <positive_integer>] [-lacpPriority <positive_integer>] [-lacpTimeout ( LONG | SHORT )]
http://support.citrix.com/proddocs/topic/netscaler-advanced-networking-92-map/ns-nw-interfaces-stng-the-nw-intrfcs-params-tsk.html
Static Routing
• ECMP support
– Hashing based on SRCIP+DSTIP is used to distribute the load
– Weights can be assigned
• Static route monitors
– PING
– ARP – IPv4
– ND6 – IPv6
• A static route is marked as down if the subnet on which the next hop resides is unreachable
add route <network> <netmask> <gateway> [-cost <positive_integer>] [-advertise ( DISABLED | ENABLED )]
add route <network> <netmask> <gateway> [-distance <positive_integer>] [-weight <positive_integer>] [-msr ( ENABLED | DISABLED ) [-monitor <string>]]
rm route <network> <netmask> <gateway>
For Your Reference
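The two hashing rules on these slides (link aggregation distributes on SrcIP, DstIP, SrcPort and DstPort; ECMP static routes distribute on SrcIP+DstIP only) have a practical consequence worth checking before a design is chosen: many connections between one client and one server spread across channel members but all follow one ECMP next hop. The following Python is an added example, not code from the slides, Cisco or Citrix. The hash function is a CRC32 stand-in, since the slides do not state which hash the NetScaler uses, and the interface names, gateways and flows are constructed values.

```python
import ipaddress
import zlib

# Stand-in hash (assumption): the slides do not say which hash the NetScaler uses,
# so CRC32 over the packed tuple stands in purely to illustrate the selection step.
def _flow_hash(fields):
    packed = b"".join(
        int(ipaddress.ip_address(f)).to_bytes(16, "big") if isinstance(f, str)
        else int(f).to_bytes(2, "big")
        for f in fields
    )
    return zlib.crc32(packed)

def select_channel_member(members, src_ip, dst_ip, src_port, dst_port):
    """Link aggregation: pick the member interface from SrcIP, DstIP, SrcPort and DstPort."""
    return members[_flow_hash((src_ip, dst_ip, src_port, dst_port)) % len(members)]

def select_ecmp_next_hop(weighted_hops, src_ip, dst_ip):
    """ECMP static routes: pick the next hop from SrcIP + DstIP only. A weight of n gives
    a gateway n buckets, so heavier gateways attract proportionally more host pairs."""
    buckets = [gw for gw, weight in weighted_hops for _ in range(weight)]
    return buckets[_flow_hash((src_ip, dst_ip)) % len(buckets)]

def channel_spread(members, flows):
    """Count flows per channel member, to eyeball polarization for a given traffic mix."""
    counts = {m: 0 for m in members}
    for src_ip, dst_ip, src_port, dst_port in flows:
        counts[select_channel_member(members, src_ip, dst_ip, src_port, dst_port)] += 1
    return counts

def paths_between_hosts(members, weighted_hops, src_ip, dst_ip, n_conn=64):
    """n_conn connections between one client and one server: the channel spreads them
    across members (source ports differ), while ECMP pins all of them to one next hop."""
    flows = [(src_ip, dst_ip, 40000 + i, 80) for i in range(n_conn)]   # constructed flows
    used_members = {select_channel_member(members, *f) for f in flows}
    used_hops = {select_ecmp_next_hop(weighted_hops, src_ip, dst_ip) for _ in flows}
    return used_members, used_hops

if __name__ == "__main__":
    members = ["1/1", "1/2", "1/3", "1/4"]                     # constructed channel members
    hops = [("172.16.1.1", 1), ("172.16.1.2", 1)]              # constructed ECMP gateways
    flows = [("10.0.0.5", "172.16.1.100", 40000 + i, 80) for i in range(64)]
    print(channel_spread(members, flows))
    print(paths_between_hosts(members, hops, "10.0.0.5", "172.16.1.100"))
```

The second print shows the design point: the same 64 connections land on several channel members but on exactly one ECMP gateway, so ECMP balance depends on how many distinct host pairs you have, not on how many connections.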
Dynamic Routing
• Supported Protocols (for IPv4 and IPv6)
– Routing Information Protocol (RIP) version 2
– Open Shortest Path First (OSPF) version 2
– Border Gateway Protocol (BGP)
– Routing Information Protocol next generation (RIPng) for IPv6
– Open Shortest Path First (OSPF) version 3 for IPv6
– IS-IS
• Configuration through nscli and vtysh (recommended)
• In an HA setup, the primary runs the routing protocols and updates the secondary
enable ns feature RIP|OSPF|BGP
disable ns feature RIP|OSPF|BGP
If using dynamic routing you cannot use vPC
Services Node Insertion Methods
• Two Armed Mode
– Bridged / Transparent
– Routed
• One Armed Mode
• vPath, dynamic insertion for virtual services nodes
– VEM, Virtual Ethernet Module, i.e. the virtual switch deployed with the hypervisor
• RISE, Remote Integration of Service Engines
• NSH, Network Services Header
– Added to encapsulated network packets or frames to create network service paths.
• OpFlex
– A distributed control system based on a declarative policy information model
What is the Hardest Part of Load Balancing Designs?
• Source NAT, loss of the client’s IP address
• Policy Based Routing, very manual and problematic
• Creating stovepipes through the network
– VLAN stitching, transparent devices
– VRF, Virtual Route Forwarding
– More hardware
– Making the services node the server default gateway
– … I am sure we can think of more “options”
Return traffic from the server
Challenges of Existing ADC Solutions
Inline Mode - Challenges
• DC switching is measured in Terabits, while ADC capacity is still in Gigabits
• Thus inline ADCs can easily become DC bottlenecks
• This is particularly true for virtual environments, where vADCs have lower performance than physical ADCs
• Creates logical stovepipes of traffic through the network
One-Arm Mode – Challenges
• Uses ADC capacity more effectively by only sending necessary traffic through the ADC
• SNAT is primarily used due to simplicity; however, the client source is obscured, often preventing SNAT deployment
• PBR is a partial solution to preserve the client source, but increases deployment complexity and operation cost
Network Topologies One-Armed
(Diagram: one-armed topology; 1. User Request, 2. User Request, 3. Response, 4. Response, across the Public/Front VLAN and the Private/Server VLAN.)
• One-armed topologies have several benefits
– Simple, one physical interface and no risk of bridge loops
– May make use of one or many VLANs with 802.1q tagging
– Can make use of Link Aggregation to satisfy bandwidth requirements
– Very few failure modes, easing HA failure analysis
Network Topologies Two-Armed
(Diagram: two-armed topology; 1. User Request, 2. User Request, 3. Response, 4. Response, with the Public/Front VLAN on one side and the Private/Server VLAN on the other.)
• Two-armed topologies work in situations where one-armed doesn't
– Allows layer 3 style deployments with split subnets (as shown)
– Allow layer 2 style deployments with one subnet on both sides
– Supports transparent compression and SSL offload
– Support USIP or Use Source IP processing without server changes
Application Requirements for Network Services
• Current generation network capabilities are driven by physical network topology. For example, if the firewall is plugged into the Internet connection and then the load balancer into the firewall, the path of traffic must always flow in that order.
• Application-driven requirements that change the relationship (load balancing, then firewall) cannot be supported without physically changing the layout of the network.
(Diagram: Core Router/Switch – Firewall – Load Balancer – Proxy Server – Application.)
Cloud Network Services (CNS)
(Diagram: Nexus 1000V with vPath on any hypervisor.)
vPath is the Nexus 1000V dataplane component:
1. Distributed Service insertion architecture, with Intelligent traffic intercept and redirection mechanism
2. Topology agnostic service insertion model
3. Service Chaining across multiple virtual services
4. Performance acceleration with vPath e.g. VSG flow offload
5. Efficient and Scalable Architecture
6. VM Policy mobility with VM mobility
Policy Based Service Enablement
vPath
vPath enables service insertion based on policies created for application VMs
Services enabled per vNIC
vPath interception is configured on the server VM’s port profile in both directions to redirect packets to a service node
Server traffic is intercepted by vPath interception in the VEM and redirected to a virtual service node
Both ingress and egress traffic for a VM is intercepted by vPath
(Diagram: upstream switch, VSM, and a server VM on a VEM with vPath interception in/out.)
vPath Benefits
Evolve the network for the next wave of application requirements
Without vPath
• Complex deployment - per host service nodes
• Service chaining is static
• No fast path acceleration
• Services tightly coupled with network topology
With vPath
• Distributed policy-driven service insertion & chaining
• Non-disruptive operations
• Fast-path acceleration
• Decouple services from network topology
• You define which L4-7 virtual services through policy, NOT network topology
• Transparent services insertion for vPath-capable virtual services
• Dynamic service chains enabled per VM/Application/Tenant
(Diagram: a client reaching a Web VM in Container #1 (Policy 2) and a VOD VM in Container #2 (Policy 1) through chains of Virtual Services A, B and C; Admin User Policy 1 & Policy 2 defined for each tenant.)
N1KV Virtual Distributed Architecture
Expanded vPath Ecosystem: VSG, ASA 1000V, vWAAS, & NetScaler 1000V
Cisco Remote Integrated Service Engine (RISE)
RISE Overview:
• Logical integration of a service appliance with Nexus 7000 and 7700 platforms
• Enables staging to streamline initial deployment of the service appliance
• Allows ongoing configuration updates to drive flows to and from the service appliance
• Allows data path acceleration and increased performance
• Integrated with N7K VDC architecture
(Diagram: Physical Topology versus Logical RISE Topology, with the control plane between the appliance and the Nexus 7000.)
Challenge: Services and switching are deployed independently, which increases the complexity for deploying and maintaining networks
RISE Benefits
• RISE simplifies initial appliance deployment from 30 to 8 steps
• Improved VIP tracking and failover
• Allows ongoing, dynamic configuration updates for flows to and from the appliance
• Logical integration of the appliance as a virtual service module
• Provides benefits such as plug and play, simplified provisioning, auto-discovery, bootstrap, RHI & APBR
• Eliminates inter-dependencies between network admins & services admins, avoids human errors & provides operational simplicity
• All configuration & management can be done via the N7K
• Integration with N7K VDC architecture
RISE Attach Modes
• Direct Mode – Service appliance is directly attached to Nexus 7000 typically via vPC which allows RISE to significantly simplify provisioning
• Indirect Mode – Virtual service appliance (ex: SDX, VPX, NetScaler 1000v) connected to N7K via a switched (L2) network
RISE Control & Data VLANs
• The interface or port-channel connecting to the RISE appliance uses a single trunk carrying both control and data VLANs
• The control VLAN is used for all control channel communication
– For example: slot-id assignment, policy push, event notifications, statistics download, heartbeats, discovery, bootstrap messaging, etc.
• The control channel is also AES encrypted to ensure communication security
• The data VLAN/VLANs are carried over the data channel and used for carrying all the data traffic between the Nexus 7000 and the service appliance
– For example: client to server communication, etc.
• Both control and data VLANs are provisioned by the user
(Diagram: control plane between the Nexus 7000 and the appliance.)
Direct Attached Mode Configuration
Four Simple Steps to Configure RISE
1. Interconnect the NS with the N7k
2. Create port-channel & allow control and data VLANs
3. Configure RISE service
4. Boot the RISE client
Note: “no shutdown” will trigger auto-discovery
N7K Configuration
N7K-1(config)# vlan 99-101 (Create the VLANs)
N7K-1(config)# int e3/47,e8/47
N7K-1(config-if-range)# switchport
N7K-1(config-if-range)# channel-group 2052 mode on
N7K-1(config-if-range)# int po2052
N7K-1(config-if)# switchport mode trunk
N7K-1(config-if)# switchport trunk allowed VLAN 99-101
N7K-1(config-if)# no shut
N7K-1(config-if)# end
N7K-1(config)# feature rise (Enable RISE feature)
N7K-1(config)# service vlan-group 20 100-101 (this is list of data vlans)
N7K-1(config)# service type rise name mpx502b mode vpc
Note: assigned slot-id: 333
A unique slot-id is assigned to NS and auto-discovery & bootstrap starts !
N7K-1(config-rise)# vlan 99 (This is control vlan)
N7K-1(config-rise)# port-channel 2052
N7K-1(config-rise)# vlan-group 20
N7K-1(config-rise)# ip 10.90.14.217/24
N7K-1(config-rise)# no shutdown (I always forget this)
RISE Connection for Direct Attach
1. A unique slot-id is assigned to the RISE device
2. Auto-discovery and bootstrap start
3. AES encrypted control channel established
4. Once finished, the service appliance appears as a module on the N7K
5. After the NS is configured, heartbeats are exchanged continuously
Data plane optimization can now take place as ADC services are provisioned
RISE auto-establishes once configured!
mpx502-2> show ip
Ipaddress TD Type Mode Arp Icmp Vserver State
--------- -- ---- ---- --- ---- ------- ------
1)10.90.14.217 0 NetScaler IP Active Enabled Enabled NA Enabled
2)172.16.1.217 0 SNIP Active Enabled Enabled NA Enabled
Show RISE when Directly Attached
n7k1-dc1-agg1# show rise
Name Slot Vdc Rise-Ip State Interface
Id Id
------------- ---- --- --------------- ------------ ---------
Mpx205b 333 2 10.90.14.217 active Po2052
n7k1-dc1-agg1# show rise detail
RISE module name: mpx502b
State: active
Admin state: Enabled
Interface: Po2052
RISE Channel connectivity via interface Po2052
Mode: vpc
Slot id: 333
Service token: 0x2
Serial number: MH8C02AM50
SUP IP: 10.90.14.138
RISE IP: 10.90.14.217
VDC id: 2
VLAN: 99
VLAN group: 20
VLAN list: 99-101
Data Interface: N/A
(Callouts: the RISE device is active and operational; 333 is the unique slot ID for the RISE device; direct-attached RISE device using vPC; IP correlation – 10.90.14.217 is the VLAN 99 IP address (the RISE IP) and 172.16.1.217 is the next-hop address for PBR.)
For Your Reference
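The callouts above make a correlation that is easy to get wrong in a real deployment: the RISE IP that the Nexus reports must be the NetScaler's NSIP, the control VLAN must be on the trunk but must not be in the data vlan-group, and the module must be active. As an added example, not code from the slides, Cisco or Citrix, the following Python parses the two show outputs and performs those checks. The sample outputs are constructed from the values on these slides; the data VLAN range 100-101 is taken from the service vlan-group line in the direct-attach configuration, and the parser also accepts the older show ip layout without the TD column.

```python
import re

# Constructed sample outputs, using the values shown on the slides
NS_SHOW_IP = """\
Ipaddress TD Type Mode Arp Icmp Vserver State
--------- -- ---- ---- --- ---- ------- ------
1)10.90.14.217 0 NetScaler IP Active Enabled Enabled NA Enabled
2)172.16.1.217 0 SNIP Active Enabled Enabled NA Enabled
"""

N7K_SHOW_RISE_DETAIL = """\
RISE module name: mpx502b
State: active
Admin state: Enabled
Interface: Po2052
RISE Channel connectivity via interface Po2052
Mode: vpc
Slot id: 333
Service token: 0x2
SUP IP: 10.90.14.138
RISE IP: 10.90.14.217
VDC id: 2
VLAN: 99
VLAN group: 20
VLAN list: 99-101
Data Interface: N/A
"""

# Row: "1)10.90.14.217 0 NetScaler IP ..." or "1) 12.178.35.145 NetScaler IP ..." (no TD column)
_IP_ROW = re.compile(r"^\s*\d+\)\s*(\d+(?:\.\d+){3})\s+(?:\d+\s+)?(NetScaler IP|Subnet IP|SNIP|VIP)\b")

def parse_ns_show_ip(text):
    """Map each address in NetScaler 'show ip' output to its type ('Subnet IP' -> 'SNIP')."""
    ips = {}
    for line in text.splitlines():
        m = _IP_ROW.match(line)
        if m:
            ips[m.group(1)] = "SNIP" if m.group(2) == "Subnet IP" else m.group(2)
    return ips

def parse_rise_detail(text):
    """Turn the 'key: value' lines of 'show rise detail' into a dict; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def expand_vlan_list(spec):
    """'99-101' or '99,100-101' -> {99, 100, 101}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans

def check_rise_consistency(ns_show_ip, rise_detail, data_vlans):
    """Cross-check the NetScaler and Nexus views; returns a list of findings (empty = consistent)."""
    findings = []
    ips = parse_ns_show_ip(ns_show_ip)
    rise = parse_rise_detail(rise_detail)
    nsips = [ip for ip, kind in ips.items() if kind == "NetScaler IP"]
    if rise.get("RISE IP") not in nsips:
        findings.append(f"RISE IP {rise.get('RISE IP')} is not the NetScaler NSIP {nsips}")
    if rise.get("State") != "active":
        findings.append(f"RISE state is {rise.get('State')!r}, expected 'active'")
    control = int(rise["VLAN"])
    trunk = expand_vlan_list(rise["VLAN list"])
    if control not in trunk:
        findings.append(f"control VLAN {control} is not carried on the trunk {sorted(trunk)}")
    if control in data_vlans:
        findings.append(f"control VLAN {control} is also in the data vlan-group {sorted(data_vlans)}")
    if not data_vlans <= trunk:
        findings.append(f"data VLANs {sorted(data_vlans - trunk)} are not allowed on the trunk")
    return findings

if __name__ == "__main__":
    # 100-101 is the data vlan-group from the direct-attach configuration slide
    print(check_rise_consistency(NS_SHOW_IP, N7K_SHOW_RISE_DETAIL, expand_vlan_list("100-101")))
```

Run it after the attach sequence completes; an empty list means the two devices agree. The same checks can be fed from a captured session instead of the embedded samples.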
Show RISE from RISE Client when Directly Attached
n7k1-dc1-agg1(config-rise)# attach rise slot 333
Attaching to RISE 332 ...
Username:nsroot
Warning: Permanently added '10.90.14.216' (RSA) to the list of known hosts.
Password:
Last login: Tue Mar 11 09:15:31 2014 from 10.90.14.138
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
Done
> show rise profile
1) Service Name : mpx205b
Status : Active
Mode : vPC-Direct
Device Id : TBM14257214
Slot Number : 333
VDC Id : 2
vPC Id : 2052
SUP IP : 10.90.14.138
VLAN : 99
VLAN Group : 20
Interface : LA/1
ISSU : None
For Your Reference
RISE Indirectly Attached with vPC
• Here a service appliance is indirectly attached to a Nexus 7000 vPC peer via a L2 network. (Typical design for virtual services)
• It is recommended to dual attach access switches to both vPC peers
• If attaching to just one vPC peer, be sure to configure the orphan ports with “vpc orphan-port suspend” to prevent active/active scenarios and possible black-holing
(Diagram: Indirect Attach Mode with the L2 network dual-attached to both vPC peers N7K1/N7K2 via vPC, versus Indirect Attach Mode singularly attached to one vPC peer via a port-channel, using orphan ports; NS 1 and NS 2 sit behind the L2 networks, with the vPC peer-link between N7K1 and N7K2.)
RISE Indirect Mode Security
• NS appliance is indirectly attached to the Nexus 7000 either via a switch in between or connected via a switched (L2) network.
(Diagram: Indirect Attach Mode – the N7K reaches NS 1 and NS 2 across an L2 network over the encrypted channel.)
For Your Reference
Cisco Solution: Use RISE for Auto PBR
• The NS adds redirection rules as per its configuration
– Sends the list of servers and the next hop interface
• The N7K applies the rules for its local servers and propagates the rules for servers attached to the neighboring N7K
• No need for Source-NAT or manual PBR configuration
• Uses the RISE control channel for sending Auto PBR messages
(Diagram: configure a new service; 0. Auto PBR (APBR) rules pushed to the N7K; 1–2. Client to VIP; 3–4. Client to Server; 5–6. Server to Client; 7–8. VIP to Client; Internet at the top.)
Preserve client IP visibility without the operation cost of traditional Policy Based Routing
Citrix NetScaler Auto PBR Configuration
1. Create a monitor
add lb mon monitor-wfe HTTP
2. Create servers
add server WEB-1 192.168.1.11
add server WEB-2 192.168.1.12
3. Create services
add service Web-Front-End-1 WEB-1 HTTP 80
add service Web-Front-End-2 WEB-2 HTTP 80
4. Bind the monitor to the services
bind mon monitor-wfe Web-Front-End-1
bind mon monitor-wfe Web-Front-End-2
5. Create the virtual server
add lb vserver Vserver-WFE HTTP 172.16.1.100 80
6. Bind the services to the virtual server
bind lb vserver Vserver-WFE Web-Front-End-1
bind lb vserver Vserver-WFE Web-Front-End-2
7. Select APBR for the virtual server’s services
set service Web-Front-End-1 -usip yes
set service Web-Front-End-2 -usip yes
APBR is applied to the services bound to the vserver.
No APBR-specific configuration is required on the N7K, except enabling ‘feature pbr’.
66
© 2014 Cisco and/or its affiliates. All rights reserved. BRKAPP-2032 Cisco Public
Dynamic Route-Map for Auto PBR created and applied on SVI
N7K-1# sh run | begin "route-map _r"
route-map _rise-system-rmap-Vlan10 permit 1
  match ip address _rise-system-acl-172.16.1.217-Vlan10
  set ip next-hop 172.16.1.217
route-map _rise-system-rmap-Vlan11 permit 1
  match ip address _rise-system-acl-172.16.1.217-Vlan11
  set ip next-hop 172.16.1.217
<snip>
interface Vlan10
  no shutdown
  ip policy route-map _rise-system-rmap-Vlan10
  hsrp 10
interface Vlan11
  no shutdown
  ip policy route-map _rise-system-rmap-Vlan11
  hsrp 11
The Nexus 7000 is populated with the PBR configuration
Dynamic Access List matching the Real Server IPs
N7K-1# sh access-lists dynamic
IP access list _rise-system-acl-172.16.1.217-Vlan10
  10 permit tcp 192.168.1.140/32 eq 8081 any
  20 permit tcp 192.168.1.152/32 eq www any
  30 permit tcp 192.168.1.142/32 eq www any
  40 permit tcp 192.168.1.92/32 eq www any
  50 permit tcp 192.168.1.82/32 eq www any
IP access list _rise-system-acl-172.16.1.217-Vlan11
  10 permit tcp 192.168.1.152/32 eq www any
  20 permit tcp 192.168.1.142/32 eq www any
  30 permit tcp 192.168.1.92/32 eq www any
RISE adds the PBR configuration automatically on the Nexus 7000; no manual configuration is required.
For applications with separate control and data connections, like FTP, the NetScaler installs Layer 3 based ACLs.
Verifying Auto PBR Configuration on the Nexus 7000
n7k1-dc1agg1# show service rise ipv4 auto-pbr slot 333
APBR routes added by slot 333
rs ip           port   protocol nhop ip         rs nexthop inf
--------------- ------ -------- --------------- --------------
192.168.1.62    80     TCP      172.16.1.217    Vlan10
192.168.1.72    80     TCP      172.16.1.217    Vlan10
192.168.1.82    80     TCP      172.16.1.217    Vlan10
192.168.1.88    80     TCP      172.16.1.217    Vlan10
192.168.1.92    80     TCP      172.16.1.217    Vlan10
192.168.1.140   80     TCP      172.16.1.217    Vlan10
192.168.1.140   8081   TCP      172.16.1.217    Vlan10
192.168.1.142   80     TCP      172.16.1.217    Vlan10
192.168.1.150   80     TCP      172.16.1.217    Vlan10
192.168.1.152   80     TCP      172.16.1.217    Vlan10
Lists all APBR entries added on the N7K.
n7k1-dc1agg1# show rise
Name            Slot Vdc Rise-Ip         State        Interface
                Id   Id
--------------- ---- --- --------------- ------------ ----------------
mpx205a         332  2   10.90.14.216    active       Po2051
mpx205b         333  2   10.90.14.217    active       Po2052
ciscovpx1       334  2   10.90.14.218    active       N/A
nam2220         335  2   10.90.14.242    active       Eth10/2
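As an added example (not from the slides and not Cisco or Citrix code), the following Python script audits the N7K's APBR table against the NetScaler services configured with -usip yes, using a constructed copy of the show output above and a hypothetical service list; a usip service with no APBR route is the failure mode to catch, since its server replies would bypass the NetScaler.

```python
"""Audit Auto PBR routes learned by the N7K via RISE against the NetScaler services that rely on them."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of 'show service rise ipv4 auto-pbr slot 333' (not a real capture).
SHOW_APBR = """\
APBR routes added by slot 333
rs ip           port   protocol nhop ip         rs nexthop inf
--------------- ------ -------- --------------- --------------
192.168.1.11    80     TCP      172.16.1.217    Vlan10
192.168.1.12    80     TCP      172.16.1.210    Vlan10
192.168.1.140   8081   TCP      172.16.1.217    Vlan10
"""

# Hypothetical NetScaler side: (server IP, port, protocol) of every service set to '-usip yes',
# and the NetScaler SNIP the switch is expected to use as next hop.
USIP_SERVICES = {
    ("192.168.1.11", 80, "TCP"),
    ("192.168.1.12", 80, "TCP"),
    ("192.168.1.13", 80, "TCP"),   # deliberately absent from the constructed switch output
}
EXPECTED_NHOP = "172.16.1.217"

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROW = re.compile(rf"^{IPV4}\s+(\d+)\s+(\S+)\s+{IPV4}\s+(\S+)$")


@dataclass(frozen=True)
class ApbrRoute:
    rs_ip: str
    port: int
    protocol: str
    nhop: str
    interface: str


def parse_apbr(output: str) -> list:
    """Return one ApbrRoute per data row; the title, header and separator lines do not match ROW."""
    routes = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            routes.append(ApbrRoute(m[1], int(m[2]), m[3].upper(), m[4], m[5]))
    return routes


def audit(routes: list, usip_services: set, expected_nhop: str) -> dict:
    """Compare switch state with NetScaler intent.

    missing    - usip services with no APBR route: server replies go straight to the client
                 (asymmetric path, the connection fails) instead of back through the NetScaler
    stale      - APBR routes for servers no longer configured as usip services
    wrong_nhop - routes whose next hop is not the NetScaler SNIP
    """
    present = {(r.rs_ip, r.port, r.protocol) for r in routes}
    return {
        "missing": sorted(usip_services - present),
        "stale": sorted(present - usip_services),
        "wrong_nhop": sorted((r.rs_ip, r.port, r.nhop) for r in routes if r.nhop != expected_nhop),
    }


if __name__ == "__main__":
    for kind, entries in audit(parse_apbr(SHOW_APBR), USIP_SERVICES, EXPECTED_NHOP).items():
        print(kind, entries)
```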
Initial Appliance Integration with Cisco
• NetScaler 10.1 Build 124.1308.e supports four platforms:
– MPX: Direct ADC application software running on specialized hardware (similar to the ACE 4710)
– VPX: Virtualized ADC, which can run on various hypervisors
– SDX: Specialized HW, which runs a Citrix hypervisor allowing multiple instances of VPX to provide a HW-accelerated solution
– NetScaler 1000v: VPX running on the Nexus 1110
• The Cisco Prime NAM has added RISE support in version 6.02
• RISE requires the ENHANCED_LAYER2_PKG license
Feature                           Release
Simplified Provisioning           NX-OS 6.2(2a)
Auto Policy Based Routing (APBR)  NX-OS 6.2(8)
Route Host Injection (RHI)        Targeted for NX-OS 7.1
Enabling Route Health Injection, RHI
• One of the primary purposes of running dynamic routing protocols is to inject routes into upstream routers
• This is used to distribute reachability information for VIPs
• Enable VIP advertisement with: set ns ip 172.16.10.100 -hostRoute ENABLED
• Route injection can be controlled based on the state of the vservers using the “-vserverRHILevel” option
– ALL_VSERVERS - A host route is injected only if all the vservers associated with the VIP are UP
– ONE_VSERVER - A host route is injected if any one of the vservers associated with the VIP is UP
– NONE - A host route is injected regardless of the state of the vservers associated with the VIP
set ns ip 172.16.10.100 -hostRoute ENABLED -vserverRHILevel ONE_VSERVER
If using dynamic routing for RHI you cannot use vPC
RISE Links
Cisco RISE Page on Cisco.com
http://www.cisco.com/go/rise
NS & N7K Integration White Paper
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/ps8361/white_paper_c11-688039_ps9402_Products_White_Paper.html
N7K Documentation
http://www.cisco.com/en/US/products/ps9402/products_installation_and_configuration_guides_list.html
NetScaler Documentation
http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-enhancements-124-13xxe-con.html
The ACI Fabric
• Draw a software boundary around a collection of switches to make a system
• Policies: who can talk to whom
• What about: topology control, ops stuff, API
• Distributed policy enforcement: just-in-time resolution, performed by embedded policy enforcement agents (PEs)
Application Network
[Figure: an application made of web, app and db tiers, each a group of VMs, connected through the network (a virtual patch panel) to The Outside]
• End Point Group (or VMware Port Group): a collection of end-points connecting to the network… VMs, physical compute, …
• Contract (Access Control, QoS, Network Services): a set of network requirements specifying how application components communicate with each other
• The Outside: rules of how the application communicates to the external private or public networks
• Network Profile: application-centric network policy
ACI Introduces Logical Network Provisioning of Stateless Hardware
[Figure: the ACI Fabric as a non-blocking, penalty-free overlay; Web, App and DB end point groups and the Outside (Tenant VRF) are connected through QoS/Filter and QoS/Service policies, all provisioned by the Application Policy Infrastructure Controller (APIC)]
ACI Layer 4 - 7 Service Integration
• Elastic service insertion architecture for physical and virtual services
• Helps enable administrative separation between application tier policy and service definition
• APIC as central point of network control with policy coordination
• Automation of service bring-up / tear-down through programmable interface
• Supports existing operational model when integrated with existing services
• Service enforcement guaranteed, regardless of endpoint location
Centralized, Automated, and Supports Existing Model
[Figure: the Application Admin defines App Tier A (Web Servers) and App Tier B (App Servers) joined by the chain “Security 5”, realized through policy redirection; the Service Admin defines the Service Graph (begin, Stage 1 … Stage N, end), the Providers (Firewall instances, Load Balancer instances, …) and the Service Profile; the “Security 5” chain is defined from these]
Citrix Device Package Functions
The following functions can be configured through APIC.
Layer 4 Load Balancing (TCP and UDP client requests)
• Maintaining User Sessions
– Source IP
– Cookie
– SSL Session ID
– Server-ID in URL Query
– Custom Server-ID
– Token (header or body)
• Distributing Traffic
– Least Connections
– Lowest Response Time
– SNMP-based
– IBM SASP
– Hash-based
– Many more…
• Monitoring Server Health and Availability
– TCP Connection
– HTTPS Connection
– Extended Content Verification
– Scriptable Health Checks
Content Switching: Load Balancing on Steroids
• Request Protocol
– Any TCP Request
• Request Method
– HTTP Get
– HTTP Post
• Client Attributes
– Device Type
– Language
– Cookie
– Browser Capability
• HTTP Requests
– Anything in request body
– XML XPath support
– Any TCP payload value
– Any HTTP payload value
– Domain
– Wildcard URL
How LB works
• Components of LB
– VIP, virtual IP address
– Service
– Servicegroup
– Vserver to service bindings
– Monitor
– Monitor to service bindings
Load Balancing Structure
• Server
– Name, IP
• Service or Service Group
– Name, IP, Port, Protocol …
• Virtual Server
– Name, IP, Port, Protocol
• Monitor
– Protocol, characteristics…
• Simple Load Balancing Example
[Figure: Client → LB Virtual Server → Service (each with its Monitor) → Server VM, for two servers]
Typical LB topology
[Figure: Internet clients connect to the NetScaler VIP; the NetScaler uses its SNIP to reach the Service / Service Group of servers with identical content]
Protocols supported
• Generic Protocols
– TCP
– UDP
– SIP_UDP
– DNS
• TCP Based Protocols
– HTTP
– SSL
– FTP
– SSL_Bridge
– SSL_TCP
• Database
– MYSQL
– MSSQL
Protocol Binding
• Protocol binding combinations
– http-http
– http-ssl
– ssl-http
– ssl-ssl
Basic Load Balancing
• Is the server active? How can you check? Monitors
• How can you balance the connections? LB Methods
• How do you keep the client connected to the same server? Persistence
Server Health Monitors
• ICMP ping for all services
• TCP SYN for any TCP services
• HTTP response code for HTTP services
• Extended Content Verification: HTTP, TCP, UDP, and pattern based
• Extended Applications Verification: DNS, FTP, HTTPS
• Transparent device monitoring
• Custom monitors in user space
• Citrix Presentation Server specific monitors
Monitors/Keepalive messages
• Monitors
Application Specific Monitors
Load Balancing Methods
Predictor Algorithms
• Round Robin: continuously rotates through the list of services that are bound to the vserver
• Least Connections (default load balancing method): selects the service with the fewest active connections
• Least Bandwidth: selects the service that is currently serving the least amount of traffic
• Least Response: selects the service with the fewest active connections and the lowest average response time
• Least Packets: selects the service that has received the fewest packets in the last 14 seconds
• Token LB: selects a service based on the value of a data segment extracted from the client request
• Custom Load Method: a load monitor calculates the load on each service in the network to determine the server with the smallest load
• Hashing: based on hashes of certain connection information or header information
Service Weight
• Weight indicates what percentage of traffic should be sent to a service
• Higher-weight services take more requests
• Useful for working with a mix of fast and slow servers
• Supported LB methods
– Round Robin
– Least Connection
– Least Response Time
– Least Bandwidth
– Least Packets
– Custom Load
Persistence Type
Persistence Type            Keyword         Description
Source IP                   SOURCEIP        Connections from the same client IP
HTTP Cookie                 COOKIEINSERT    Connections that have the same HTTP Cookie header
SSL Session ID              SSLSESSION      Connections that have the same SSL Session ID
URL Passive                 URLPASSIVE      Connections to the same URL
Custom Server ID            CUSTOMSERVERID  Connections with the same HTTP HOST header
Destination IP              DESTIP          Connections to the same destination IP
Source and Destination IPs  SRCIPDESTIP     Connections that are both from the same source IP and to the same destination IP
SIP Call ID                 CALLID          Connections that have the same call ID in the SIP header
RTSP Session ID             RTSPSID         Connections that have the same RTSP Session ID
User-Defined Rule           RULE            Connections that match a user-defined rule
Persistence Setup and Backup Persistence
Persistence Group
• Applications/Deployments with different content/connectivity
• Group different types of Virtual servers logically
• Common persistence across HTTP and HTTPS
• Possible methods
– Cookie
– Source IP
• Can have backup persistence as well
Persistence Group
• Persistence Group -> Create -> Close
Persistence Type to Virtual Server
Per Type        HTTP  HTTPS  TCP            UDP/IP  SSL_Bridge  SSL_TCP
SOURCEIP        YES   YES    YES            YES     YES         YES
COOKIEINSERT    YES   YES    NO             NO      NO          NO
SSLSESSION      NO    YES    NO             NO      YES         YES
URLPASSIVE      YES   YES    NO             NO      NO          NO
CUSTOMSERVERID  YES   YES    NO             NO      NO          NO
RULE            YES   YES    YES            NO      NO          YES
SRCIPDESTIP     YES   YES    YES            YES     YES         YES
DESTIP          YES   YES    YES            YES     YES         YES
CALLID          NO    NO     YES (SIP_UDP)  YES     NO          NO
RTSPID          NO    NO     YES (RTSP)     NO      NO          NO
Adding Servers (Think Host)
• Load Balancing -> Servers -> Add
Add Services (Think Protocol and Port)
• Load Balancing -> Services -> Add
Services Continued
• Health of Services
Creating a Virtual Server
• Load Balancing -> Virtual Servers (screenshot values: RBG1, HTTP, 80, 192.168.10.216)
Load Balancing and Persistence
• Load Balancing -> Virtual Server -> Rule -> Method and Persistence
Enhancing Monitor
• Load Balancing -> Service
What do I check on the server?
• Can the application owners create a script on the server for you?
• Can you make an application request?
• What about the small image on the URL bar?
– /favicon.ico
• You can’t do a GET and there is no icon? What about a HEAD instead?
Configuring Virtual Server
• Load Balancing -> Virtual Servers
Service Group – add service group
• Service groups require a unique name for nomenclature – server association
– Provides a shorter config of services (pooling servers into a single group)
Most Common Configuration: One Armed Mode
• System -> Settings -> Change HTTP Parameters
Most Common Configuration: One Armed Mode
• System -> Settings -> Change HTTP Parameters
• Fixing the loss of the client source IP (in one-armed mode the servers see the NetScaler SNIP as the source, so the client IP is inserted into an HTTP header)
set service <ServiceName> -CIP <Value> <cipHeader>
Example
set service Service-HTTP-1 -CIP enabled X-forwarded-for
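As an added example (not from the slides and not NetScaler code), this Python function shows how an application server behind a one-armed NetScaler should consume the header the command above inserts: trust it only when the TCP peer is a NetScaler SNIP, and take the right-most address that is not one of the known proxies, since a client can send a forged X-Forwarded-For of its own. The SNIP values are hypothetical and the code assumes the NetScaler appends the client IP as the right-most value.

```python
"""Recover the real client address from the X-Forwarded-For header inserted by 'set service ... -CIP'."""
import ipaddress
from typing import Optional

# Hypothetical SNIPs of the NetScaler pair; only these peers may vouch for a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.1.217/32"),
                   ipaddress.ip_network("172.16.1.218/32")]


def is_trusted(addr, trusted) -> bool:
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def client_ip(peer_addr: str, xff_header: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Address the application should log and authorise as the client.

    peer_addr  - source of the TCP connection as the server sees it (the SNIP when via NetScaler)
    xff_header - raw X-Forwarded-For value, or None when the header is absent
    Assumption: the NetScaler appends the client IP as the right-most value, so anything the
    client placed in the header itself sits further left and is skipped.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer, trusted) or not xff_header:
        # Direct connection (header cannot be trusted) or no header: the peer is the client.
        return str(peer)
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)          # malformed entry: fall back to the peer address
        if not is_trusted(addr, trusted):
            return str(addr)          # first untrusted hop from the right is the client
    return str(peer)                  # every hop was one of our own proxies
```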
Managing Configuration
Reverting Configuration
Content Switching: L7
• Allows NS to mask multiple sites behind a single URL/DNS entry
• Client decisions can be rendered within the policy infrastructure: L3-L7
• HTTP callouts can be leveraged here for additional 3rd party requirements
• Simplifies application behavior
• Servers can be built based on requirements rather than mirroring all data (fast servers for processing, slow servers for static data)
How Request Switching™ Works
1) Receive + terminate connections
2) Decrypt / authenticate / analyze every request
3) Queue + dispatch valid requests
4) Switch requests + multiplex over persistent connections
[Figure: the Layer 7 Packet Engine sits in the ‘gap’ between the client connections and Application 1, 2 and 3]
Citrix NetScaler
NetScaler Virtual Server Tree
[Figure: Internet client → CSW vserver → LB vservers for Dynamic Content, Static Content and Cache Servers; a CRD vserver → CSW vserver → LB vservers for Dynamic Content, Static Content and dynamically recognized Cache Servers]
Layer 7 decisions
• Browser Types, Object Types, Application headers …
What happened to my IP address?
Configure Virtual Server Content Switching
• Content Switching -> Virtual Server -> Add
Configure Virtual Server Content Switching Policies
• Content Switching -> Policies
Content Switching Visualizer
• Multiple Different Decision Paths Visualized
Changing Requirements for Crypto
“Starting at the end of the 4th quarter of 2010, a 2048-bit CSR will be required for all SSL certificates” (Verisign)
“Use of 1024-bit RSA is … not recommended after Dec 2010” (NIST 800-57: Recommendation for Key Management)
Offloading SSL
• Offload CPU-intensive SSL processing – server resources are dedicated to serving requests and running applications, rather than encrypting data
• Centralized key/certificate storage/management
• Allows advanced load balancing (URL-based, cookie-sticky, payload parsing) and inspection of SSL traffic
• Scalability: easy to add more SSL “performance”
[Figure: SSL offload: traffic is encrypted from the client to VIP:443, the Application Load Balancer decrypts it and sends clear text to Servers:80]
SSL Server Offload with Back-End Encryption
[Figure: traffic is encrypted from the client to VIP:443 (SSL Termination); the Content Switch inspects it in clear text internally (L7 load balancing, L7 persistence) and re-encrypts it to Servers:443 (SSL Initiation)]
How much SSL TPS is realistic
Link Type            Link Speed    20 K Page Size SSL TPS  700 K Page Size SSL TPS  1114 K Page Size SSL TPS
T1                   1.5 Mbps      8.5 TPS                 0.24 TPS                 0.2 TPS
10 Mbps Ethernet     10 Mbps       56.8 TPS                1.6 TPS                  1.0 TPS
DS-3                 45 Mbps       255.7 TPS               7.3 TPS                  4.6 TPS
Fast Ethernet        100 Mbps      568.1 TPS               16.2 TPS                 10.2 TPS
OC-3                 155 Mbps      880.7 TPS               25.2 TPS                 15.8 TPS
Gigabit Ethernet     1,000 Mbps    5681.8 TPS              162.3 TPS                102.0 TPS
10 Gigabit Ethernet  10,000 Mbps   56818.2 TPS             1623.4 TPS               1020.1 TPS
* http://www.websiteoptimization.com/speed/tweak/average-web-page/
2003 average page size 20 kbytes
2011 average page size approximately 700 kbytes*
2012 average page size approximately 1114 kbytes*
Assumption: SSL overhead 10%
TPS = Bandwidth / ((Average Page Size * 8) * (1 + SSL Overhead %))
Importing/Creating Keys
Use the wizard to create self-signed certificates and keys for testing.
Creating Key Pairs
• SSL -> Certificates -> Add
Creating New SSL Offload Rule
Adding SSL offload
• SSL
SSL Parameters
Adding SSL to Virtual Server
Configurable Ciphers
Services Requirements
• Remember services are required
• Design with services in mind
• Don’t let services become an afterthought
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker’s Twitter handle (Jeff) @jostermi (Dave) @ccie5952
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings