
Application Networking Services (ACE)

posted Oct 9, 2013, 10:06 AM by Rick McGee   [ updated Nov 12, 2013, 12:34 PM ]
Video 32
Global Site Selector
    This is not included in the written test, but will be tested in the lab portion of the CCIE Data Center.

GSS works in conjunction with a DNS server

How it works
  • Sits in "front" of the DNS server
  • Forwards queries to the DNS server
  • Responds to host requests for web applications with the best "A" record (ACE VIP) selected according to certain criteria.
    • Closest geographic proximity, alternate/failover DC, etc.
  • Can exist in a cluster so if one fails, all others continue as normal
  • Communicates with ACE to determine which servers are alive and best suited to accept the HTTP or other requests
    • Uses the Cisco proprietary keep-alive "KAL-AP" to communicate with ACE
ACE
  • Catalyst 6K module
  • Standalone ACE 4710 appliance 
  • ACE XML appliance
ACE Benefits
  • Scalability: Load Balancing
    • ACE scales to the performance of the web servers by distributing requests across multiple servers
      • This could be done with DNS, but DNS cannot tell when a server is down and just uses a basic round-robin hashing algorithm.
  • High Availability
    • Redundant ACEs and multiple "REAL SERVERS" behind the ACE VIP
    • ACE provides HA by automatically detecting the failure of a server
  • Application Acceleration
    • ACE improves application performance and reduces response time by minimizing latency, using data compression for HTTP traffic
  • Server offload of TCP and SSL
    • Processes TCP and SSL on behalf of the servers, allowing the servers to serve more users and requests without increasing the number of "REAL SERVERS"
Load Balancing Probes
  • Generic
    • DNS, ECHO, Finger, FTP, and ICMP
  • HTTP
  • RADIUS
  • Reliable Datagram Protocol (RDP)
  • Real-Time streaming protocol (RTSP)
  • Session Initiation Protocol (SIP)
  • Custom TCL scripts can be written to check specific attributes of servers not covered by the other probes
Load Balancing Predictors
  • ACE uses the following predictors to select the best server to fulfill the client request
    • Application Response: Selects the server with the lowest average response time for the specified response-time measurement, taking into account the current connection count and server weight
    • Hashes (5 different hashes)
      • Hash Address: Selects the server using a hash value based on the source IP address, the destination IP address, or both. You would use this hash for Firewall Load Balancing (FWLB)
      • Hash Content: Selects the server using a hash value based on a content string in the HTTP packet body
      • Hash Cookie: Selects the server using a hash value based on a cookie name
      • Hash Header: Selects the server using a hash value based on an HTTP header name
      • Hash URL: Selects the server using a hash value based on the requested URL. You can specify a beginning pattern and an ending pattern to match in the URL. You would use this method to load balance CACHE SERVERS
    • Least Connections (leastconns): Selects the server with the fewest active connections, based on the server weight. For the least-connections predictor you can configure a "slow start" mechanism to avoid sending a high number of connections to a server you have just put into production
    • Least Load: Selects the server with the lowest load based on information obtained from SNMP probes. To use this predictor you must associate an SNMP probe with it.
    • Round Robin: This is the DEFAULT predictor; it selects the next server in the list of REAL SERVERS based on the server weight (WRR). Servers with a higher weight value receive a higher percentage of the connections
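The predictors above are easier to reason about when you can run them against a farm of fake real servers. The following Python is an added example written for these notes, not ACE code: it models weighted round robin (using the smooth WRR algorithm; the exact ordering ACE uses is not documented here), weighted least connections with a slow-start ramp (the linear ramp and its 10% floor are assumptions, not ACE's curve), and the hash-address predictor, using the SERVER1..SERVERn names from the configuration later on as constructed sample data.

```python
import hashlib


class RealServer:
    """A real server as ACE tracks it: name, weight (ACE default is 8),
    current active connections and the time it was put in service."""

    def __init__(self, name, weight=8, active=0, inservice_at=0.0):
        self.name = name
        self.weight = weight
        self.active = active
        self.inservice_at = inservice_at
        self.current = 0  # running counter used by smooth WRR


def weighted_round_robin(servers, picks):
    """Smooth weighted round robin (one standard WRR algorithm; assumed,
    not confirmed to be ACE's). On every pick each server gains its weight,
    the largest counter wins and is charged the total weight, so a weight-16
    server is picked twice as often as a weight-8 one, without bursts."""
    total = sum(s.weight for s in servers)
    chosen = []
    for _ in range(picks):
        for s in servers:
            s.current += s.weight
        best = max(servers, key=lambda s: s.current)
        best.current -= total
        chosen.append(best.name)
    return chosen


def least_conns(servers, now, slowstart=60.0):
    """Weighted least connections with a slow-start ramp. A server that went
    in service less than `slowstart` seconds ago is scored as if its weight
    were reduced, so it is not hit with a burst of new connections.
    The linear ramp with a 10% floor is an assumption for illustration."""

    def load(s):
        age = now - s.inservice_at
        ramp = min(1.0, max(age / slowstart, 0.1))
        return s.active / (s.weight * ramp)

    return min(servers, key=load).name


def hash_address(servers, src_ip, dst_ip=None):
    """Hash address predictor: the same source (optionally plus destination)
    address always lands on the same server. That property is why it is
    used for firewall load balancing: both directions of a flow must pass
    through the same stateful firewall or the return packets are dropped."""
    key = src_ip if dst_ip is None else f"{src_ip}->{dst_ip}"
    digest = hashlib.sha256(key.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)].name


if __name__ == "__main__":
    # Constructed farm: SERVER2 carries twice the weight of SERVER1
    farm = [RealServer("SERVER1", weight=8), RealServer("SERVER2", weight=16)]
    print("WRR order:", weighted_round_robin(farm, 6))
    print("hash-address for 10.1.0.2:", hash_address(farm, "10.1.0.2"))
```

Run it and the WRR order comes out as SERVER2, SERVER1, SERVER2 repeated, i.e. the 2:1 split the weights call for; changing `now` in `least_conns` shows a freshly in-service server losing picks until its slow-start window has elapsed.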
ACE Features

  • Load Balancing 
  • SSL offload and bulk TCP offload (bundles many TCP sessions into one)
  • SSL
    • All requests come into the ACE and terminate SSL on the ACE; data from the ACE to the server is unencrypted, with the certificate held on the ACE
  • Bulk TCP
    • ACE can reply in lieu of the server and perform the three-way handshake (SYN, SYN-ACK, ACK). Think of it as 4000 users to 15 servers, where the ACE can bundle the client TCP sessions into one or more server-side sessions. This could create a choke point and should be used with caution.
  • Session Persistence
    • Stickiness ("sticky") allows a client to maintain multiple simultaneous TCP or IP connections to the same server, tracked in the sticky DB
      • With new HTML code this is sometimes not needed.
  • Compression of some traffic types
  • Redundancy and Fault Tolerance 
    • All connection information is replicated and kept in state with failover ACE
      • No SSL connections, those have to be re-established upon failover 
  • Virtual Contexts
    • Similar to ASA contexts 
      • Command "changeto" switches between contexts
      • Can perform Active/Active Load Balancing 
        • Context 1 and Context 2 are active on ACE-A, Standby on ACE-B
        • Context 3 and Context 4 are active on ACE-B, Standby on ACE-A
      • ACE comes with (5) five contexts and with additional licensing can go to 255
  • Application Acceleration 
    • Delta Optimization 
      • Dynamically calculates the content difference (deltas) between subsequent content retrievals; can serve locally if nothing has changed
      • Flash Forward Object Acceleration 
        • Enforces version management at the server for embedded web objects.
          • Such as CSS (Cascading Style Sheets) and JavaScript, which can be served from cache
          • Each object requires validation to ensure that the user has the latest version which the ACE offloads from the server. 
ACE Topologies 
  • One-Armed mode 
    • ACE is connected off to the side of a L2/L3 network
    • Not directly in packet path 
    • Easiest to configure
  • Routed Mode
    • Good:
      • Simple Topology
      • Easier to configure
    • Bad
      • No IGP support, static routes only
      • All traffic must route through the ACE (no dead-man pass through)
      • The servers' default gateway (DFGW) has to be the ACE

  • One Armed Single VLAN
    • Good
      • ACE is connected off to the side of the Layer 2 network
      • Not directly in the packet path (Will bypass ACE's if both are in a down state)
    • Bad
      • Client source IP address is masked by the ACE due to source NAT
      • All servers see the ACE as the client, resulting in loss of visibility of the original client IP address
      • Requires an HTTP header insert as a workaround to preserve the client source IP address
  • Process for ACE configuration 
    • Configure the network
    • Define virtual context(s)
    • Add health Probes
    • Configure Real servers
    • Configure server Farm(s)
    • Configure stickiness
    • Configure Virtual Server(s)
      • What client sees
    • Configure SSL offload
  • Traffic Classification  
    • Borrows the standard three-tiered structure (class-map, policy-map, service-policy) from MQC (Modular QoS CLI)

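One-armed mode above makes the point that, after source NAT, every server sees the ACE's NAT pool address as the client, and the workaround is an inserted HTTP header. The server side then has to decide when that header can be trusted: a host that reaches the server directly can send the same header with any value it likes. The Python below is an added example for these notes (not ACE code and not from the original post) showing how an application should recover the client address: only when the TCP peer is the ACE's NAT address, and then from the right-most value. The NAT address 192.168.120.70 is taken from the example configuration, the header name `X-Forwarded-For` and the sample request are assumptions, and it is assumed the ACE appends its header after any client-supplied one.

```python
import ipaddress

# Address the ACE source-NATs from (the nat-pool address in the one-armed
# example config). Assumed for this example; set it to your own pool.
TRUSTED_ACE_ADDRESSES = {ipaddress.ip_address("192.168.120.70")}
# Header name the ACE is assumed to insert carrying the client address.
CLIENT_IP_HEADER = "x-forwarded-for"


def parse_headers(raw_request):
    """Minimal HTTP/1.1 header parser: returns (name, value) pairs in wire
    order with lower-cased names. Duplicate headers are kept, not merged."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def client_address(peer_ip, headers):
    """Return the address to log and apply ACLs to, or None if unusable.
    Only a connection arriving from the ACE may carry a trusted header; a
    host connecting directly gets its own peer address back and any header
    it sent is ignored, which is what stops header spoofing."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_ACE_ADDRESSES:
        return str(peer)
    values = [v for n, v in headers if n == CLIENT_IP_HEADER]
    if not values:
        return None  # the ACE should have inserted it; treat as unknown
    # Right-most address: the one the trusted proxy appended last.
    candidate = values[-1].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # malformed value: do not log or ACL on garbage


# Constructed sample request as it would arrive from the ACE after NAT.
SAMPLE_VIA_ACE = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 198.51.100.7\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(client_address("192.168.120.70", parse_headers(SAMPLE_VIA_ACE)))
```

Returning None when the ACE address connects without the header is deliberate: it surfaces a misconfigured or missing insert instead of silently attributing the request to the load balancer.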
ACE Configuration: One-Armed Mode with a single context
Networking
    hostname ACE
    interface gigabitEthernet 1/1
        speed 100M
        switchport access vlan 4093 (for a trunk you would use switchport trunk allowed vlan instead)
        no shutdown
    interface gigabitEthernet 1/2
        switchport access vlan 10
        no shutdown
    interface gigabitEthernet 1/3
        switchport access vlan 100
        no shutdown
    interface gigabitEthernet 1/4
        no shutdown

interface vlan 120
    description upstream VLAN_120 - Clients and VIPs
    ip address 192.168.120.1 255.255.255.0
    fragment chain 20
    fragment min-mtu 68
    access-group input ACL1
    nat-pool 1 192.168.120.70 192.168.120.70 netmask 255.255.255.0 pat (this is the source NAT pool for one-armed single-VLAN mode)
    service-policy input L4SH-GOLD-VIPS_POLICY (this is what invokes everything we are going to configure; you can assign multiple service-policies to each VLAN interface for L3/L4 and management)
    no shutdown

Define probes
    probe tcp TCP (simple TCP session)
        interval 5 (probe every 5 seconds while the server is healthy)
        faildetect 2 (mark the server failed after 2 consecutive failed probes)
        passdetect interval 10 (once failed, re-probe every 10 seconds until it passes again)
        open 3 (wait up to 3 seconds for the TCP handshake to complete)
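The interval, faildetect and passdetect settings above form a small state machine, and the easiest way to see how a flapping server is treated is to replay probe results through it. The Python below is an added example for these notes, not ACE code: it implements that state machine with the values from the probe above (a passdetect count of 3, ACE's default, is assumed because the configuration does not set it) and a `tcp_probe` function that does what `probe tcp` with `open 3` does, succeed only if the handshake completes within the timeout.

```python
import socket


class ProbeTracker:
    """Health state of one rserver under ACE-style probe settings:
    interval       seconds between probes while the server is healthy
    faildetect     consecutive failures before the server is marked FAILED
    pass_interval  seconds between probes once the server has failed
    pass_count     consecutive successes needed to return to SUCCESS
                   (ACE's default passdetect count is 3; assumed here)"""

    def __init__(self, interval=5, faildetect=2, pass_interval=10, pass_count=3):
        self.interval = interval
        self.faildetect = faildetect
        self.pass_interval = pass_interval
        self.pass_count = pass_count
        self.state = "SUCCESS"
        self.consecutive_fail = 0
        self.consecutive_pass = 0

    def next_delay(self):
        """Seconds to wait before the next probe in the current state."""
        return self.interval if self.state == "SUCCESS" else self.pass_interval

    def record(self, ok):
        """Feed one probe result and return the resulting state. A single
        miss followed by a success resets the failure count, so only
        `faildetect` misses in a row take a server out of service."""
        if self.state == "SUCCESS":
            if ok:
                self.consecutive_fail = 0
            else:
                self.consecutive_fail += 1
                if self.consecutive_fail >= self.faildetect:
                    self.state = "FAILED"
                    self.consecutive_pass = 0
        else:
            if ok:
                self.consecutive_pass += 1
                if self.consecutive_pass >= self.pass_count:
                    self.state = "SUCCESS"
                    self.consecutive_fail = 0
            else:
                self.consecutive_pass = 0
        return self.state


def tcp_probe(host, port, open_timeout=3.0):
    """Equivalent of 'probe tcp' with 'open 3': succeed only if the TCP
    three-way handshake completes within open_timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=open_timeout):
            return True
    except OSError:
        return False


def replay(results, **settings):
    """Run a constructed sequence of probe outcomes through a fresh tracker
    and return the state after each one."""
    tracker = ProbeTracker(**settings)
    return [tracker.record(ok) for ok in results]


if __name__ == "__main__":
    # Constructed outcomes: two misses in a row, then recovery
    print(replay([True, False, False, True, True, True]))
```

Replaying `[True, False, False, True, True, True]` gives SUCCESS, SUCCESS, FAILED, FAILED, FAILED, SUCCESS: the server drops out on the second consecutive miss and needs three clean probes, spaced by the passdetect interval, to come back.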

Define the Real servers

rserver SERVER1
    ip address 10.1.0.2
    inservice

rserver SERVER2
    ip address 10.1.0.3
    inservice

rserver SERVER3
    ip address 10.1.0.4
    inservice

rserver SERVER4
    ip address 10.1.0.5
    inservice
... and so on through SERVER8

Create the Server Farm
    serverfarm host PRED-CONNS
        predictor leastconns
        rserver SERVER1
            inservice
        rserver SERVER2
            inservice
        rserver SERVER3
            inservice
        rserver SERVER4
            inservice
    ... and so on through all 8 servers

    serverfarm host PRED-CONNS-UDP
        failaction purge
        predictor leastconns
        rserver SERVER1
            inservice
        rserver SERVER2
            inservice
        rserver SERVER3
            probe ICMP
            inservice
You can put the same servers into multiple server farms.

Stickiness
    sticky http-cookie COOKIE_TEST STKY-GRP-43 (this is in the default context; for a non-default context you would first have to allocate min and max sticky resources)
        cookie offset 1 length 999
        timeout 30
        replicate sticky (replicates the sticky table between ACEs)
        serverfarm PRED-CONNS

Create the L3/L4 (and L7) class-maps

class-map match-all L4PRED-CONNS-UDP-VIP_128:2222_CLASS
    2 match virtual-address 192.168.120.128 udp eq 0 (2 is the sequence number; VIP for UDP traffic)
class-map match-all L4PRED-CONN-VIP_128:80_CLASS
    2 match virtual-address 192.168.120.129 tcp eq www (VIP for port 80 TCP)
class-map match-all L4PREDICTOR_117:80_CLASS
    2 match virtual-address 192.168.120.117 tcp eq www (VIP for port 80 TCP)

Create the L3/L4 policy-map

policy-map multi-match L4SH-GOLD-VIPS_POLICY
    class L4PREDICTOR_117:80_CLASS
        loadbalance vip inservice
        loadbalance policy L7PLBSF_PREDICTOR_POLICY
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 120
        appl-parameter http advanced-options PERSIST-REBALANCE

    class L4PRED-CONN-VIP_128:80_CLASS
        loadbalance vip inservice
        loadbalance policy L7PLBSF_PRED-CONNS_POLICY
        loadbalance vip icmp-reply active (lets the VIP answer ICMP echo requests while it is active)
        nat dynamic 1 vlan 120 (uses nat-pool 1 from above)
        appl-parameter http advanced-options PERSIST-REBALANCE

Create the parameter-maps
parameter-map type http PERSIST-REBALANCE
    persistence-rebalance
parameter-map type connection PRED-CONNS-UDP_CONN
    set timeout inactivity 300 (UDP flows time out after 300 seconds of inactivity)

The ACE 4710 appliance has a web GUI; the ACE modules for the Cat 6K do not.

ACE Routed Example

hostname ACE

interface gigabitEthernet 1/1
    speed 100M
    switchport access vlan 4093
    no shutdown
interface gigabitEthernet 1/2
    switchport access vlan 10
    no shutdown
interface gigabitEthernet 1/3
    switchport access vlan 100
    no shutdown
interface gigabitEthernet 1/4
    no shutdown

For stickiness per context (contexts are similar to VDCs on the Nexus 7K)

resource-class Stickiness
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource sticky minimum 0.00 maximum unlimited

context DC1
    allocate-interface vlan 10
    allocate-interface vlan 100
context DC2
context DC3
context DC4
context DC5

RBAC configuration can integrate with TACACS+, RADIUS, and LDAP
username admin password 5 "text" role Admin domain default-domain
username www password 5 "text" role Admin domain default-domain

No NAT commands, because in routed mode there is no need for SNAT

interface vlan 10 (client subnet)
    ip address 69.36.241.4 255.255.255.240
    peer ip address 69.36.241.5 255.255.255.240 (standby ACE)
    service-policy input mgmt
    service-policy input int10
    no shutdown

interface vlan 100 (server subnet, no service policies)
    description "Server VLAN"
    ip address 192.168.100.2 255.255.255.0
    alias 192.168.100.1 255.255.255.0 (shared alias address, used as the servers' default gateway)
    peer ip address 192.168.100.3 255.255.255.0 (standby ACE)
    no shutdown
interface vlan 4093
    description vlan MGMT Interface
    ip address 192.168.0.25 255.255.255.0
    service-policy input mgmt
    no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.0.1
 
Class Maps

class-map type management match-any mgmt
    201 match protocol snmp any
    202 match protocol xml-https any
    203 match protocol telnet any (don't do this; telnet is cleartext)
    204 match protocol ssh any
    205 match protocol kalap-udp any (Cisco proprietary keepalives from the GSS)
    206 match protocol icmp any
    207 match protocol https any
    208 match protocol http any
 
Both class-maps use the same VIP address, 69.36.241.10

class-map match-all acme_ecomm_http
    2 match virtual-address 69.36.241.10 tcp eq www
class-map match-all acme_ecomm_https
    2 match virtual-address 69.36.241.10 tcp eq https
 
Policy Maps

policy-map type management first-match mgmt
    class mgmt
        permit

policy-map multi-match int10
    class acme_ecomm_http
        loadbalance vip inservice
        loadbalance policy acme_ecomm_http-l7slb
        optimize http policy acme_ecomm_http-l7opt
        loadbalance vip icmp-reply active (allow ICMP replies)
        appl-parameter http advanced-options cisco_avs_parametermap

    class acme_ecomm_https
        loadbalance vip inservice
        loadbalance policy acme_ecomm_https-l7slb
        optimize http policy acme_ecomm_https-l7opt
        loadbalance vip icmp-reply active (allow ICMP replies)
        appl-parameter http advanced-options cisco_avs_parametermap
        ssl-proxy server acme_ecomm_ssl (SSL proxy offloading)
 
Layer 7 Policy Map
    policy-map type optimization http first-match acme_ecomm_http-l7opt
        class cisco_avs_obj_latency
            action cisco_avs_obj_latency
        class cisco_avs_img_latency
            action cisco_avs_img_latency

Action Lists for Policy Maps
    action-list type optimization http cisco_avs_container_latency
        flashforward
    action-list type optimization http cisco_avs_img_latency
        flashforward-object

These actions let the client ask the server whether these objects have changed and, if they have not, serve them from the cache.
 
 
Class Map for cisco_avs_obj_latency
    class-map type http loadbalance match-any cisco_avs_obj_latency
        2 match http url .*gif
        3 match http url .*css
        4 match http url .*js
        5 match http url .*class
        6 match http url .*jar
Parameter Map (L7) Applied to the Policy-Map
parameter-map type http cisco_avs_parametermap (referenced by the class below)
    case-insensitive (ignore case when matching)
    persistence-rebalance

class acme_ecomm_http
    loadbalance vip inservice
    loadbalance policy acme_ecomm_http-l7slb
    optimize http policy acme_ecomm_http-l7opt
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options cisco_avs_parametermap (this is where the parameter map is applied)
 
In ACE configuration you don't use the ! (bang) as a comment separator; if you do, it will give you an error.