Application Networking Services (ACE)

Blog‎ > ‎

Application Networking Services (ACE)

posted Oct 9, 2013, 10:06 AM by Rick McGee [ updated Nov 12, 2013, 12:34 PM ]

Video 32

Global Site Selector

This is not included in written test, but will be tested on in the lab portion of the CCIE data center.

GSS works in conjunction with a DNS server

How it works

Sits in "front" of the DNS server
Forwards queries to DNS server
Responds to host requests for web applications and offers services with best selection a "A" record (ACE VIP) based on certain criteria.

Closest geographic proximity, Alternate/Failover DC, etc

Can exist in a cluster so if one fails, all other continue as normal
Communicates with ACE to determine who is alive and best suited to accept the HTPP or other requests

Uses Cisco proprietary keep-alive "KAL-AP" to communicate with ACE

ACE

Catalyst 6K module
Standalone ACE 4710 appliance
ACE XML appliance

ACE Benefits

Scalability: Load Balancing

ACE scales to performance of web servers by distributing its requests across multiple servers

This could be done with DNS, but cannot tell when a server is down, and just uses a basic round robin hashing algorithm.

High Availability

Redundant ACE's and multiple "REAL SERVER's" behind ACE VIP
ACE provides HA by automatically detecting the failure of a server

Application Acceleration

ACE improves application performance and reduces response time by minimizing latency by the use of data compression for HTTP traffic

Server offload TCP and SSL

Process TCP and SSL from the servers, allowing servers to serve more users and requests without increasing the number of "REAL Servers"

Load Balancing Probes

Generic

DNS, ECHO, Finger, FTP, and ICMP

HTTP
RADIUS
Reliable Datagram Protocol (RDP)
Real-Time streaming protocol (RTSP)
Session Initiation Protocol (SIP)
Custom TCL scripts can be written and developed to check specific attributes of severs not covered in other probes

Load Balancing Predictors

ACE uses the following predictors to select the best server to fulfill the client request

Application Response: Selects the server with the lowest average response time for the specified response time base on the current connection count and serve weight
HASH's (5 Different HASH's)

Hash Address: Selects server using a hash value based on either Source or Destination IP Address or IP Address or both. You would use this HASH for Firewall Load Balancing (FWLB)
Hash Content: Select server using a hash value based on content string in the "Trusted Third Parties" (TTP) packet body
Hash Cookie: Selects the server using a hash value based on cookie name
Hash Header: Selects the server using a hash value based o the HTTP header name
Hash URL: Selects the the server using a hash value based on the requested URL. You can specify a beginning pattern and an ending pattern to match in the URL. You would use this method to load balance CACHE SERVER's
Least Bandwidth: Selects sever with fewest number of active connections, based on the sever weight. For the least-Connections predictor you can configure a "slow start" mechanism to avoid sending a high amount of connections to a server you have just put into production
Least Load: Selects the server with the lowest load based on information obtained from SNMP probes. To use this probe you must associate an SNMP probe with it.
Round Robin: This is the DEFAULT predictor, selects the next server in the list of REAL SERVER's based on the server weight (WRR). Severs with a higher weight value receive the higher percentage of the connections

ACE Features

Load Balancing
SSL Offload and bulk TCP offload (bundle man TCP session into one)
SSL

All requests come into the ACE an terminate SSL on the ACE and all unencrypted data from ACE to the Server with the certificate being on the ACE

Bulk TCP

ACE can reply in lieu of the server and perform the three way hand shake SYN,SYN-ACK,ACK. Think of it as 4000 user to 15 servers , where the ACE can bundle TCP sessions into one or more sessions. This could create a choke point and should be used with caution.

Session Persistence

Stickiness "Sticky" allow client to maintain multiple simultaneous TCP or IP connection with Sticky DB

With New HTML code this is sometimes not needed.

Compression of some traffic types
Redundancy and Fault Tolerance

All connection information is replicated and kept in state with failover ACE

No SSL connections, those have to be re-established upon failover

Virtual Contexts

Similar to ASA contexts

Command "Changeto"
Can perform Active/Active Load Balancing

Context 1 and Context 2 are active on ACE-A, Standby on ACE-B
Context 3 and Context 4 are active on ACE-B, Standby on ACE-A

ACE comes with (5) five contexts and with additional licensing can go to 255

Application Acceleration

Delta Optimization

Dynamically calculate the content difference or deltas between subsequent content retrievals. Can serve locally if no change
Flash Forward Object Acceleration

Enforces Version management at the server of embedded web objects.

Such as CSS (Cascading Style Sheets), Java Script and can serve from cache
Each object requires validation to ensure that the user has the latest version which the ACE offloads from the server.

ACE Topologies

One-Armed mode

ACE is connected off to the side of a L2/L3 network
Not directly in packet path
Easiest to configure

Routed Mode

Good:

Simple Topology
Easier to configure

No IGP support, static routes only
All traffic must route through the ACE (no dead-man pass through)
Servers DFGW has to be the ACE

One Armed Single VLAN

Good

ACE is connected off to the side of the Layer 2 network
Not directly in the packet path (Will bypass ACE's if both are in a down state)

Client source IP address is masked by the ACE to to source NAT
All servers see ACE as the client, resulting in loss of visibility of original client IP address
Requires a HTTP header insert as a work around to preserve client source IP address

Process for ACE configuration

Configure the network
Define virtual context(s)
Add health Probes
Configure Real servers
Configure server Farm(s)
Congiure stickiness
Configure Virtual Server(s)

What client sees

Configure SSL offload

Traffic Classification

Barrows standard three tiered structure from MQC (Modular QoS command line

ACE Configuration One-Armed Mode with a single contexts

Networking

Hostname ACE

Interface gigabitEthernet 1/1

Speed 100M

Switchport access vlan 4093 (would use switchport allowed for trunk)

no shutdown

Interface gigabitEthernet 1/2

switchport access vlan 10

no shutdown

Interface gigabitEthernet 1/3

switchport access vlan 100

no shutdown

Interface gigabitEthernet 1/4

no shutdown

interface vlan 120

description upstream VLAN_120 - Clients and VIP's

ip address 192.168.120.1 255.255.255.0

fragment chain 20

fragment min-mtu 68

access-group input ACL1

nat-pool 1 192.168.120.70 192.168.120.70 net mask 255.255.255.0 pat (this is the Source NAT for one-armed single VLAN mode)

service-policy input L4SH-GOLD-VIPs_POLICY (what invokes everything we are going to configure) (you can assign multiple service-policys to each VLAN interface for L3/L4 and management)

no shutdown

Define probes

probe tcp TCP (simple tcp session)

interval 5 (check every 5 seconds)

faildetect 2 (fail to intervals)

passdetect interval 10 (healthy when passes 10 intervals)

open 3

Define the Real servers

rserver SERVER1

ip address 10.1.0.2

inservice

rserver SERVER2

ip address 10.1.0.3

inservice

rserver SERVER3

ip address 10.1.0.4

inservice

rserver SERVER4

ip address 10.1.0.5

inservice

all the way through SERVER8

Create the Server Farm

serverfam host PRED-CONNS

predictor leastconns

rsercer SERVER1

inservice

rsercer SERVER2

inservice

rsercer SERVER3

inservice

rsercer SERVER4

inservice

All the way through 8 servers

serverfarm host PRED-CONNS-UDP

failaction purge

predictor leastconns

rserver SERVER1

inservice

rserver SERVER2

inservice

rsercer SERVER3

probe ICMP

inservice

You can put multiple servers into multiple server farms....

Stickiness

stickey http-cookie COOKIE_TEST STKY-GRP-43 (this is in the default context, you would have to define min and mix for non-default context)

cookie offset 1 length 999

timeout 30

replicate sticky (between ACE's)

serverfarm PRED-CONNS

Create L3,L4,L7 class-map

class-map match-all L4PRED-CONNS-UPD-VIP_128:2222_CLASS

2 (sequence number) match virtual-addrss 192.168.120.128 udp eq 0 (virtual ip address for port 80 UDP)

class-map match-all L4PRED-CONN-VIP_128:80_CLASS

2 match virtual-address 192.168.120.129 tcp eq www (virtual ip address for port 80 TCP)

class-map match-all L4PREDICTOR_117:80_CLASS

2 match virtual-address 192.168.120.117 tcp eq ww (virtual ip address for port 80 TCP)

Create the Policy-map L3,L4

policy-map multi-math L4SH-GOLD-VIPS_POLICY

class L4PREDICTOR_117:80_CLASS

loadbalance vip inservice

loadbalance policy L7PLBSF_PREDICTOR_POLICY

loadbalance vip icmp-reply active

nat dyname 1 vlan 120

appl-parameter http advanced-options PRESIST-REBALANCE

class L4PREDICTOR_128:80_CLASS

loadbalance vip inservice

loadbalance policy L7PLBSF_PRED-CONNS_POLICY

loadbalance vip icmp-reply active (this makes the serves able to reply to ICMP requests)

nat dyname 1 vlan 120 (nat pool 1 from above)

appl-parameter http advanced-options PRESIST-REBALANCE

Create parameter-map

parameter-map type http PRESIST-REBALANCE

presistence-rebalance

parameter-map type conection PRED-CONNS-UPD_CONN

set timeout inactivity 300 (for UDP flows timeout for 300 seconds)

The ACE 4710 appliance has the web GUI and the ACE module's for the Cat 6K do not

ACE Routed Example

hostname ACE

interface gigabitEthernet 1/1

speed 100M
switchport vlan 4093
no shutdown

interface gigabitEthernet 1/2

switchport vlan 10
no shutdown

interface gigabitEthernet 1/3

switchport vlan 100
no shutdown

interface gigabitEthernet 1/4
no shutdown

For Stickiness per Context like VDC's in Nexus 7K's

resource-class Stickiness

limit-resource all minimum 0.00 maximum unlimited (

limit-resource sticky minimum 0.00 maximum unlimited

Context DC1

allocate-interface vlan 10

allocate-interface vlan 100

Context DC2

Context DC3

Context DC4

Context DC5

RBAC Configuration can intergrate with TACAC's, RADIUS, and LDAP

username admin password 5 "text" role Admin domain

default-domain

username www password 5 "text" role Admin domain

default-domain

no NAT commands because in routed mode so no need for SNAT

interfaces vlan 10 (client subnet)

ip address 69.26.241.4 255.255.255.250

peer ip address 69.36.341.5 255.255.255.240 (standby ACE)

service-policy input mgmt.

service-policy int10

no shutdown

interface vlan 100 (server subnet not service policies)

description "Server VLAN"

ip address 192.168.100.2 255.255.255.0

alias 192.168.100.1 255.255.255.0 (VIP)

per ip address 192.168.100.3 255.255.255.0 (standby ACE)

no shutdown

interface vlan 4093

description vlan MGMT Interface

ip address 192.168.0.25 255.255.255.0

service-policy imput mgmt.

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.0.1

Class Maps

class-map type management match-any mgmt

201 match protocol snmp any

202 match protocol xml-https any

203 match protocol telnet any (don't do)

204 match protocol ssh any

205 match protocol kalp-udp any (Cisco Proprietary Keepalives)

206 match protocol imcp any

207 match protocol https any

208 match protocol http any

Both have the same VIP address 69.36.241.10

class-map match-all acme_ecomm_http

2 match virtual-address 69.36.241.10 tecp eq www

class-map match-all acme_ecomm_https

2 match mirtual-address 69.26.241.10 tcp https

Policy Maps

policy-map type management first-match mgmt

class mgmt

permit

policy-map multi-match int10

class acme-ecomm_http

loadbalance vip inservice

loadbalance policy acme_ecomm_http-l7slb

optimize http policy acme_ecomm_http-l7opt

loadbalance vip imcp-reply active (allow ICMP replies)

appl-parameter http advanced-options cisco_avs_parametermap

class acme-ecomm_https

loadbalance vip inservice

loadbalance policy acme_ecomm_https-l7slb

optimize http policy acme_ecomm_https-l7opt

loadbalance vip imcp-reply active (allow ICMP replies)

appl-parameter http advanced-options cisco_avs_parametermap

ssl-proxy serer acme_ecomm_ssl (SSL proxy offloading)

Layer 7 Policy Map

policy-map type optimization http first-match acme_ecomm_http_l7opt

class cisco_avs_obj_latency

action cisco_avs_obj_latency

class cisco_avs_img_latency

action cisco_avs_img_latency

Action Lists for Policy Maps

action-list type optimization http cisco_avs_contrainer_latency

flashforward

action-list type optimization http cisco_avs_in_latency

flashforward-object

These actions will allow the client to ask the server if these items have changed and if they haven't to serve them up from the cache.

Class Map for Cisco_avs_ob_latency

class-map type http loadbalance match-any cisco_avs_obj_latency

2 match http url .*gif

3 match http url .*css

4 match http url .*js

5 match http url .*class

6 match http url .*jar

Parameter MAP L7 Applied to Policy-Map

pareter-map type https cisco_avs_parametermap (from the option below)

case-insensitive (don't care about case sensitivity)

persistence-rebalance

class acme-ecomm_http

loadbalance vip inservice

loadbalance policy acme_ecomm_http-l7slb

optimize http policy acme_ecomm_http-l7opt

loadbalance vip imcp-reply active

appl-parameter http advanced-options cisco_avs_parametermap

For ACE configuration you don't use a ! bang, if you do it will give you an error

Comments