
CISCO ACE - Application Balancing
Hello!

In this article I wanted to give the reader a brief introduction to this equipment, and not only Cisco's, but to balancers in general as a rather important part of data-center infrastructure. A lot of information is spinning in my head, but it seems to me that the post has turned out not so small.
So, the main purpose of such devices: load balancing between services (which brings increased availability and performance and consolidation of resources), moving SSL termination from the servers to hardware accelerators, some security improvement (thanks to normalization and other proprietary technologies), and TCP/UDP acceleration (through multiplexing and compression).
It is also worth noting the possibility of balancing not only within one data center, but also between geographically remote services.
We use the ACE20-MOD-K9 4 Gbps module. Of course it is not loaded to the full 4 Gbps, but it does its job. During operation there have been no problems with it; it has proven itself quite well. Why did I start writing about this? The fact is that, in particular on etherealmind.com, I have not heard positive reviews of CISCO ACE. Either people write nothing, or they openly trash it. Mostly they complain about hangs, buggy IOS, and instability. I know that CISCO with its ACE is not far ahead of the rest. Engineers praise the products from F5 quite strongly, while noting the far from modest prices. I have not encountered that equipment; it is generally a rarity in our region, and I have not seen any.
If readers want to know something in more detail, I will try to help, or even write a separate note.
I really look forward to comments and opinions from people who have worked or are working with similar equipment. In fact, the topic has practically not been touched on Habr.
CISCO ACE. Part 2: balancing remote servers and applications
Sources:
1. CISCO documentation, cisco.com.
2. vivekganapathi.blogspot.com/2010/07/cisco-ace-4710-load-balancer.html
3. www.packetslave.com/2010/01/24/cisco-ace-basic-http-load-balancing
4. docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Configuration_Examples
5. etherealmind.com/cisco-ace-load-balance-stick-source-nat-part-1
6. etherealmind.com/cisco-ace-load-balance-stick-source-nat-part-2
7. etherealmind.com/cisco-ace-load-balance-stick-source-nat-part-3
8. etherealmind.com/cisco-ace-fwsm-resource-allocation-for-virtualization
9. www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml

I want to talk a little about data-center equipment from CISCO: CISCO ACE (Application Control Engine). This article covers the purpose of the devices, their architectural features, where they can be applied, and how to configure the basic functions. It does not go into the finer details of operation; rather, it is aimed at those who are thinking about introducing such devices, trying to make a choice, and wanting to understand how such equipment helps optimize the network infrastructure, raise service availability, and shorten the time it takes to roll out services.
People call these devices "balancers", that is, devices that can distribute load across multiple servers depending on certain conditions. We can say that switching is performed at layers L4-L7. But this is only one side of the coin, and the manufacturer itself states that using CISCO ACE in the data center allows you to:
• improve performance,
• improve scalability,
• reallocate resources flexibly,
• simplify the introduction of new applications,
• optimize applications,
• ensure availability,
• consolidate resources,
• provide control and monitoring.
These devices come in two form factors: standalone appliances (for example, CISCO ACE 4710) and service modules for the CISCO 6500/7600 chassis (CISCO ACE-20/30 Module). A standalone appliance is a separate device that can be integrated into a network built on any vendor's equipment; the service modules are high-performance devices for installation in an existing 6500/7600 chassis, which increases performance, provides centralized control, reduces the number of cable connections, and speeds up the introduction of services.
Specifications:
CISCO ACE 4710

| Feature | Maximum performance or configuration |
|---|---|
| Throughput | 0.5, 1, 2, or 4 Gbps |
| Compression | 0.5, 1, or 2 Gbps (using GZIP or Deflate) |
| Virtual contexts | 20 |
| SSL throughput | 1 Gbps |
| SSL TPS | 7500 SSL TPS using 1024-bit keys |
| Maximum L4 connections per second | 100,000 complete transactions, sustained rate |
| Maximum L7 connections per second | 30,000 complete transactions, sustained rate |
| Concurrent connections | 1 million |

What's inside the box: Intel Pentium 4 3.4 GHz CPU, 4x1GE, 8 GB RAM (cannot be increased), 1 GB flash (cannot be increased), a console port, and ports for connecting a monitor and keyboard. It can be managed via the CLI, SNMP, and a web interface. Form factor: 1U.
CISCO ACE-20/30 Module

| Feature | Maximum performance or configuration |
|---|---|
| Throughput | 16 Gbps*, 8 Gbps*, and 4 Gbps |
| Total VLANs (client and server) | 4000 |
| Probes | ICMP, TCP, UDP, Echo, Finger, DNS, Telnet, FTP, HTTP, HTTPS, SMTP, POP3, IMAP, RTSP, RADIUS, SIP, SNMP, KAL-AP, and TCL scripts |
| NAT entries | 1 million |
| Virtual partitions | Up to 250*; 5 virtual partitions (devices) included in the base price |
| SSL throughput | 3.3 / 6 Gbps |
| SSL TPS | 1000 TPS included in the base price, and 5000, 10,000, or 15,000 TPS with licensing (up to 30,000 with 1024-bit keys) |
| Maximum L4 connections per second | 325,000 / 500,000 complete transactions, sustained rate |
| Maximum L7 connections per second | 130,000 / 200,000 complete transactions, sustained rate |
| Concurrent connections | 4 million |
| Sticky table entries | 4 million |

Inside: 1 GB flash (cannot be increased), 3 GB RAM for the data plane, 1 GB RAM for the control plane.
Up to 4 modules can be installed in a CISCO 6500/7600 chassis, giving up to 64 Gbps per chassis. It is worth noting that installing 4 modules does not mean we get one balancer with the declared performance; we simply have 4 balancers of 16 Gbps each. Marketers love to quote such numbers, but by the same logic you could take a dozen CISCO ACE 4710s, stack them on top of each other, and get great performance. By the way, here are the prices of the devices:
| Configuration | Price, $ (GPL) |
|---|---|
| ACE 4710 0.5 Gbps | 15,995 |
| ACE 4710 1 Gbps | 29,995 |
| ACE 4710 2 Gbps | 39,995 |
| ACE 4710 4 Gbps | 49,995 |
| ACE30 Module with 4G, 1G Comp, 1K SSL TPS and 5VC | 39,995 |
| ACE30 Module with 16G, 6G Comp, 30K SSL TPS and 250VC | 109,995 |

Approximate prices are given, since the price list contains very few line items and the price depends heavily on the number of required contexts (more on this later), SSL sessions, and so on.
Capabilities
Here we dwell briefly on what these far-from-cheap devices can do (the list is not complete; only the main features are listed).
1. Application switching.
CISCO ACE is an application-level switch that provides server load balancing based on information from L4 to L7. It has built-in native deep support (generic protocol parsing) for HTTP, FTP, DNS, Internet Control Message Protocol (ICMP), Session Initiation Protocol (SIP), Real-Time Streaming Protocol (RTSP), Extended RTSP, RADIUS, and Microsoft Remote Desktop Protocol (RDP). This means that for these protocols it is possible to balance traffic based on (practically) any information in the payload.
There is a flexible regular-expression mechanism, as well as arbitrary manipulation of HTTP headers (add, delete, change, etc.).
2. Traffic processing.
As has already become clear, ACE can perform deep packet inspection, and there is also a built-in tcpdump, which is especially useful for troubleshooting.
3. Address translation.
It can perform Source NAT and Destination NAT, as well as Static NAT (though the latter is rather a side effect of the previous two with a single server in the server farm; more on that later).
4. Balancing methods.
To balance traffic to the servers within a server farm, a set of tests is performed to determine the availability of the applications/services. The choice of server can then be made by the following criteria: the least loaded server (by the number of connections or the amount of traffic to the server); random (here I would note that each server in the server farm is assigned a coefficient, its weight; the probability of sending a request to a specific server is the ratio of its own weight to the sum of all weights, so if all servers have the same weight (it is a relative value), balancing is uniform); a hash of the addresses; a hash of a cookie; a hash of protocol headers; or a hash of the URL.
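As an added illustration (not ACE's own implementation), here is the predictor logic described above in Python: weighted random choice with probability weight / sum of weights, least-loaded selection normalised by weight, and hash-based selection keyed on the client address, a cookie, a header or the URL. The weight of 8 is ACE's default rserver weight; the cookie name JSESSIONID, the farm and the sample requests are constructed.

```python
"""Predictor (balancing method) logic as described above: weighted random,
least loaded, and hash-based selection. Added illustration, not ACE code."""
import hashlib
import random
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    weight: int = 8        # ACE's default rserver weight (the show output on this page uses 8 too)
    current_conns: int = 0


def pick_weighted_random(farm, rng):
    """P(server) = weight / sum of weights; equal weights give uniform balancing."""
    total = sum(s.weight for s in farm)
    point = rng.uniform(0, total)
    for server in farm:
        if point < server.weight:
            return server
        point -= server.weight
    return farm[-1]          # only reached by floating-point rounding at the top edge


def pick_least_loaded(farm):
    """Least connections, normalised by weight so that heavier servers carry more."""
    return min(farm, key=lambda s: s.current_conns / s.weight)


def pick_by_hash(farm, key: bytes):
    """The same key always maps to the same server while farm membership is unchanged."""
    digest = hashlib.sha256(key).digest()
    return farm[int.from_bytes(digest[:8], "big") % len(farm)]


def hash_key(method, src_ip="", url="", headers=None,
             header_name="Host", cookie_name="JSESSIONID"):
    """Extract the part of the request that the chosen hash predictor looks at."""
    headers = headers or {}
    if method == "address":
        return src_ip.encode()
    if method == "url":
        return url.encode()
    if method == "header":
        return headers.get(header_name, "").encode()
    if method == "cookie":
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == cookie_name:
                return value.encode()
        return b""           # no cookie yet: every such request lands in one bucket
    raise ValueError(f"unknown hash method {method!r}")


def distribution(farm, requests, seed=7):
    """Share of requests each server receives under weighted random selection."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    counts = {s.name: 0 for s in farm}
    for _ in range(requests):
        counts[pick_weighted_random(farm, rng).name] += 1
    return {name: count / requests for name, count in counts.items()}


if __name__ == "__main__":
    # Constructed farm: SERVER-3 has twice the weight of the others.
    farm = [RealServer("SERVER-1", 1), RealServer("SERVER-2", 1), RealServer("SERVER-3", 2)]
    print(distribution(farm, 20000))
    request = {"Cookie": "lang=en; JSESSIONID=abc123"}   # constructed request headers
    print(pick_by_hash(farm, hash_key("cookie", headers=request)).name)
```

With weights 1, 1, 2 the shares come out near 25 %, 25 % and 50 %, which is the weight-ratio rule stated above; note that the hash predictors give persistence only while the farm does not change, since a server leaving the farm reshuffles the modulo.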
5. Determining the availability of services/applications (I will show how this is configured in the example later): ICMP, TCP, UDP, ECHO {tcp | udp}, Finger, HTTP, HTTPS, FTP, Telnet, DNS, SMTP, IMAP, POP, RADIUS, scripted, Keepalive Appliance Protocol (KAL-AP), RTSP, SIP, HTTP return-code parsing, SNMP. It is also worth noting that with (for example) an HTTP probe, availability is determined not just by receiving any response: it is possible to specify the required response codes (or ranges of them), required header values in the HTTP response, response time, and so on. When creating a probe we define the requested page, header values, etc. The mechanism is very, very flexible.
6. Fault tolerance. Fault tolerance is achieved by using an additional module/device, within the same chassis or geographically separated, in Active/Active or Active/Standby mode. Using CISCO VSS, both modules in the chassis can be virtualized into one virtual device.

7. Application acceleration. The device multiplexes TCP/UDP sessions to improve network performance.

8. SSL acceleration. ACE has a built-in hardware SSL accelerator, which allows sessions to be terminated on the device, taking the load off the servers. There are 3 modes of operation: SSL termination, SSL initiation, and end-to-end SSL (termination + initiation). SSL termination: the session is terminated on CISCO ACE, and traffic from the balancer to the server goes in the clear. The server responds to the balancer, which in turn encrypts the data and sends it back to the client. One interesting feature should be noted: the balancer decrypts the traffic but does not change the destination port (TCP), that is, the web server on the servers should listen on port 443 instead of 80, naturally without encryption.

SSL initiation: traffic from the client to the balancer goes in the clear; the balancer establishes an SSL session with the servers and communicates with them over SSL. Responses to the client are sent unencrypted.
In the third mode, the client establishes one session with the balancer, and the balancer, in turn, establishes another session with the servers. Encryption happens twice (not encryption of already-encrypted data, but re-encryption of data that was decrypted first).

9. Security features: ACL (L3-L7), bidirectional NAT and PAT (+ policy NAT), TCP connection state tracking, virtual connection state for UDP, sequence number randomization, TCP header validation, TCP window-size checking, Unicast Reverse Path Forwarding (uRPF) check when establishing a session, rate limiting.
10. Virtualization features.
The device can operate as a single entity, which is not always flexible. Alternatively, up to 250 virtual balancers can be created from one physical device. Each such balancer has its own administrators, its own configuration, its own rules, and limits on the resources used (CPU, connections, bandwidth). This is useful not only for one's own needs: it is also possible to provide customers with a dedicated ACE service, where they can do whatever they want within their device.

11. Operating modes: Routed mode, Bridged mode, Asymmetric server normalization (ASN). In Routed mode, two sub-modes can be distinguished: Inline and On-a-stick (or One-Arm mode).
Bridged mode

The device is placed in the "gap" between the servers and their default gateway. Both device interfaces are on the same subnet in L2 (bridge) mode. A prerequisite is that no traffic passes between the servers and the router except through CISCO ACE. Thus the client accesses the VIP 172.16.3.100 (Virtual IP: the virtual address of the balancer; traffic arriving at the VIP is balanced between the servers), and the device, in turn, redirects the request to the servers, changing the destination address. The server sends its response to 172.16.3.1, but as the traffic passes through the ACE (and we said that this is mandatory) the source address is changed back to 172.16.3.100.
This solution is well suited to introducing CISCO ACE into an existing network: addressing does not change and the servers are not reconfigured.
Routed Inline mode

In this mode, CISCO ACE is a routed hop for transit traffic. This mode is preferred for new installations. The balancer is the default gateway for the servers. I will dwell on this mode in more detail and give a typical balancing configuration.
Routed mode On-a-stick (One-Arm mode)

Traffic from the user arrives at the balancer (VIP). The client address is replaced with the balancer's own address, and the destination address with the real (or one of the real) server addresses. In this case the server responds directly to the balancer and the procedure is repeated in reverse order: the source address is changed to the VIP, the destination address to the client's address. The client has the impression of communicating with a server at the VIP address, although in fact the servers can be located anywhere around the globe.
A good option when a customer wants to get balancing as a service. For example, a customer has 3 web servers in different DCs. From us they receive the real IP address of the balancer, the VIP. In DNS they bind their domain to the dedicated VIP. Now the customer does not expose their servers, and when servers are added or removed, clients continue to receive service.
Routed mode Asymmetric server normalization
This mode is very similar to the previous one, except that the server responds directly to the client, bypassing CISCO ACE.
Configuration example
I want to go through a basic example without describing many options, since that is not really needed (I will give links to good materials); if necessary, I will comment on or explain unclear points.
As the topology we take the figure for Routed Inline mode.
Management interface: 172.16.1.5.
We will write the management policy rules: from the network 172.16.1.0/24 the device may be accessed using the SSH, SNMP, HTTPS and ICMP protocols.

```
class-map type management match-any L4_REMOTE-ACCESS_CLASS
  description Enabling remote access traffic to the ACE and the Cisco ACE Module
  2 match protocol ssh source-address 172.16.1.0 255.255.255.0
  3 match protocol icmp source-address 172.16.1.0 255.255.255.0
  4 match protocol https source-address 172.16.1.0 255.255.255.0
  5 match protocol snmp source-address 172.16.1.0 255.255.255.0
policy-map type management first-match L4_REMOTE-ACCESS_MATCH
  class L4_REMOTE-ACCESS_CLASS
    permit
interface vlan 20
  ip address 172.16.1.5 255.255.255.0
  service-policy input L4_REMOTE-ACCESS_MATCH
```

Let us have 3 servers in the server farm, across which we will balance the load. We declare the servers:

```
rserver host SERVER-1
  description SERVER-1
  ip address 192.168.1.11
  inservice
rserver host SERVER-2
  description SERVER-2
  ip address 192.168.1.12
  inservice
rserver host SERVER-3
  description SERVER-3
  ip address 192.168.1.13
  inservice
```

We add the servers to the farm (we will use HTTP and ICMP probes):

```
serverfarm host FARM
  probe HTTP_PROBE
  probe ICMP_PROBE
  rserver SERVER-1
    inservice
  rserver SERVER-2
    inservice
  rserver SERVER-3
    inservice
```

Description of the probes:
• interval: the interval between probes,
• receive: the response timeout,
• passdetect count: the server is considered unavailable when this many responses are not received,
• passdetect interval: the probe interval for a server that is marked unavailable.

```
probe http HTTP_PROBE
  interval 5
  passdetect interval 10
  passdetect count 2
  request method head url /index.html
  expect status 200 210
  header User-Agent header-value "LoadBalance"
probe icmp ICMP_PROBE
  interval 10
  passdetect interval 60
  passdetect count 4
  receive 1
```

Now we describe the balancing policy. The virtual IP address (we will only accept requests on port 80):

```
class-map match-all FARM-VIP
  2 match virtual-address 172.16.1.100 any eq www
```
We will balance traffic to our farm, which means we describe the balancing policy:

```
policy-map type loadbalance http first-match FARM_POLICY
  class class-default
    serverfarm FARM
```

If we do not specify the http type of the load-balancing policy (it is not mandatory), then with HTTP traffic we can run into problems with cookies, for example the shopping-cart problem. This parameter determines the type of expected traffic and how it is processed. The policy means that any HTTP traffic to which FARM_POLICY is assigned will be sent to the FARM farm. Now create a policy that combines the above:

```
policy-map multi-match WWW-PM
  class FARM-VIP
    loadbalance vip inservice
    loadbalance policy FARM_POLICY
    loadbalance vip icmp-reply active
```

This policy is applied on the input (external) interface:

```
interface vlan 20
  service-policy input WWW-PM
```
This means that, firstly, the balancer answers with its own MAC address when the address 172.16.1.100 is requested (ARP). Further, if traffic is destined to port 80 of address 172.16.1.100 (class-map match-all FARM-VIP), then the traffic must be balanced (loadbalance vip inservice) using the described balancing rules (loadbalance policy FARM_POLICY), that is, everything (class class-default) is sent to the FARM farm (serverfarm FARM). CISCO ACE also responds to pings to this address (loadbalance vip icmp-reply active).
In order for the server responses to reach the client at all, and with the correct address, it is necessary to create a translation of the internal server addresses to the external VIP address.
Also, on all interfaces, add an ACL that permits everything. We assume that traffic is filtered elsewhere. CISCO ACE blocks all traffic by default.

```
access-list PERMIT-ANY line 8 extended permit ip any any
access-list NAT line 1 extended permit ip host 192.168.1.11 any
access-list NAT line 2 extended permit ip host 192.168.1.12 any
access-list NAT line 3 extended permit ip host 192.168.1.13 any
class-map match-any PAT-ClassMap
  2 match access-list NAT
policy-map multi-match NAT-PM
  class PAT-ClassMap
    nat dynamic 1 vlan 20
interface vlan 20
  access-group input PERMIT-ANY
  nat-pool 1 172.16.1.100 172.16.1.100 netmask 255.255.255.255 pat
interface vlan 40
  ip address 192.168.1.1 255.255.255.0
  access-group input PERMIT-ANY
  service-policy input NAT-PM
```
On FWSM (ASA, PIX) NAT is several times simpler to configure.
Small touches (default route, SNMP):
ip route 0.0.0.0 0.0.0.0 172.16.1.1
snmp-server community xxx group Network-Monitor
snmp-server user user_name Network-Monitor auth sha p@ssword localizedkey
snmp-server host 172.16.1.2 traps version 2 xxx
You can find the full configuration at http://pastebin.com/DV4QM2Ya. To demonstrate the capabilities, CISCO ACE also has an interface into the user network: for users it performs PAT and inspects the FTP protocol so that there are no problems with active/passive mode.
Monitoring what we have (basic):
ACE # show serverfarm FARM
serverfarm : FARM, type: HOST
total rservers : 2
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SERVER-1
192.168.1.11:0 8 OPERATIONAL 44 52841950 12274606
rserver: SERVER-2
192.168.1.11:0 8 OPERATIONAL 49 51043947 13091531
ACE-MEL/Admin# show serverfarm FARM detail
serverfarm : FARM, type: HOST
total rservers : 2
active rservers: 2
description : -
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 0
total conn-dropcount : 44
Probe(s) :
HTTP_PROBE, type = HTTP
ICMP_PROBE, type = ICMP
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: SERVER-1
192.168.1.11:0 8 OPERATIONAL 44 52841981 12274606
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: SERVER-1
192.168.1.11:0 8 OPERATIONAL 49 51043976 13091532
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
ACE # show rserver SERVER-1
rserver : SERVER-1, type: HOST
state : OPERATIONAL (verified by arp response)
---------------------------------
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
serverfarm: FARM
192.168.1.11:0 8 OPERATIONAL 13 1288706
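As an added example (not from the article or from Cisco), a small Python parser for the show serverfarm output above that flags real servers which are not OPERATIONAL or whose failure ratio is high, the kind of check a monitoring script would run over the CLI output; the sample output, the PROBE-FAILED state and the counters in it are constructed.

```python
import re

# Constructed sample modelled on "show serverfarm FARM"; SERVER-2 is made to fail
SAMPLE = """\
serverfarm     : FARM, type: HOST
total rservers : 2
---------------------------------
----------connections-----------
   real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: SERVER-1
       192.168.1.11:0        8      OPERATIONAL  44         52841950   12274606
   rserver: SERVER-2
       192.168.1.12:0        8      PROBE-FAILED 0          51043947   20000000
"""

RSERVER_RE = re.compile(r"^\s*rserver:\s*(\S+)\s*$")
# ip:port weight state current total failures
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_serverfarm(text):
    """Return {rserver_name: {ip, port, weight, state, current, total, failures}}."""
    rservers, name = {}, None
    for line in text.splitlines():
        m = RSERVER_RE.match(line)
        if m:
            name = m.group(1)          # the counter row follows the rserver line
            continue
        m = ROW_RE.match(line)
        if m and name:
            ip, port, weight, state, current, total, failures = m.groups()
            rservers[name] = {
                "ip": ip, "port": int(port), "weight": int(weight),
                "state": state, "current": int(current),
                "total": int(total), "failures": int(failures),
            }
            name = None
    return rservers


def farm_alerts(rservers, max_failure_ratio=0.3):
    """List human-readable alerts for servers out of rotation or failing too often."""
    alerts = []
    for name, r in rservers.items():
        if r["state"] != "OPERATIONAL":
            alerts.append(f"{name} ({r['ip']}) is {r['state']}")
        ratio = r["failures"] / r["total"] if r["total"] else 0.0
        if ratio > max_failure_ratio:
            alerts.append(f"{name} failure ratio {ratio:.2f} exceeds {max_failure_ratio}")
    return alerts
```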
There are many other show commands besides these.
Summing up
In this article I wanted to introduce the reader a little to this equipment, and not only CISCO's, but to balancers in general as a rather important part of data center infrastructure. A lot of information is spinning in my head, but it seems to me that the post has turned out not so small after all.
So, the main purpose of such devices: load balancing between services (which brings increased availability and performance, and resource consolidation), offloading SSL termination from servers to hardware accelerators, some security improvement (thanks to normalization and other proprietary technologies), and TCP/UDP acceleration (through multiplexing and compression).
It is also worth noting the possibility of balancing not only within one data center, but also between geographically remote services.
We use the ACE20-MOD-K9 4Gbps module. It is, of course, not loaded to the full 4Gbps, but it does its job. During operation there have been no problems with it; it has proven itself quite well. Why did I start writing about this? The fact is that on etherealmind.com, in particular, I did not hear positive reviews of CISCO ACE. Either nothing is written, or it is openly bashed. The complaints are mostly about freezes, buggy IOS, and instability. I know that CISCO with its ACE is not far ahead of the rest. Engineers praise the products from F5 quite strongly, noting at the same time the far from modest prices. I have not encountered that equipment; in our area it is a rarity and I have not seen one.
If readers would like to know something in more detail, I will try to help, or even write a separate note.
I really look forward to comments and opinions from people who have worked or are working with similar equipment. In fact, the topic has practically not been touched on Habr.
CISCO ACE. Part 2: balancing remote servers and applications
Sources:
1. CISCO Documentation, cisco.com
2. vivekganapathi.blogspot.com/2010/07/cisco-ace-4710-load-balancer.html
3. www.packetslave.com/2010/01/24/cisco-ace-basic-http-load-balancing
4. docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Configuration_Examples
5. etherealmind.com/cisco-ace-load-balance-stick-source-nat-part-1
6. etherealmind.com/cisco-ace-load-balance-stick-source-nat-part-2
7. etherealmind.com/cisco-ace-load-balance-stick-source-nat-part-3
8. etherealmind.com/cisco-ace-fwsm-resource-allocation-for-virtualization
9. www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml