Application Acceleration and Optimization · Data Redundancy Elimination · TCP Optimization ...
TRANSCRIPT
© 2010 Cisco and/or its affiliates. All rights reserved. 1
Application Acceleration and Optimization
Hicham El Alaoui, Systems Engineer
Cisco Expo Alger, 16 March, [email protected]

Data Center Networking portfolio:
• Data Center Security: ASA 5580 Series, Firewall Services Module
• Application Network Services: WAAS, WAAS Express, vWAAS, ACE, GSS
• Storage Networking: MDS 9500 Directors, MDS Fabric Switches, Blade Switches
• Ethernet Networking: Catalyst 6500, Catalyst 4900M, Catalyst Blade Switches
• Unified Networking: Nexus 7000, Nexus 5000, Nexus Blade Switch, Nexus 1000V
• Unified Computing: UCS Blade Systems, UCS Rackmount Systems

• WAN optimization technologies
• WAAS appliance
• WAAS Express
• vWAAS
• WAAS Mobile
• Server load balancing with ACE
• Site load balancing with GSS

Distribution of services vs. data center consolidation
• The geographic spread of employees pushes toward distributing the IT services: more productivity, more profit.
• Data protection, high availability and regulatory compliance push toward consolidating the IT systems: fewer devices to manage, fewer devices to protect.
Diagram: primary data center, secondary data center, branches, regional offices, teleworkers.

• Good application performance on the LAN: high bandwidth, low latency, little or no packet loss. Client to LAN switch to server, round-trip time (RTT) ~ 0 ms.
• Poor application performance on the WAN: congested, low bandwidth, high latency, packet loss. Client to LAN switch to WAN to LAN switch to server, RTT of many, many milliseconds.

Chart: throughput vs. latency. As latency goes from low to high, the actual throughput of a TCP flow falls from the theoretical 1.544 Mbps of the link to around 500 Kbps.
TCP throughput bound:
$$R = \frac{MSS}{RTT} \cdot \frac{1.2}{\sqrt{p}}$$
R: average throughput; MSS: packet (segment) size; RTT: round-trip time; p: packet loss rate
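Worked example, added here and not on the original slide, of the bound above (the Mathis formula, with the constant rounded to 1.2); the input values are assumed: MSS = 1460 bytes and a loss rate of 1%, over two round-trip times.

$$MSS = 1460\ \text{bytes} = 11680\ \text{bits},\qquad p = 0.01,\qquad \sqrt{p} = 0.1$$

$$RTT = 100\ \text{ms}:\quad R = \frac{11680}{0.1}\cdot\frac{1.2}{0.1} = 116800 \cdot 12 \approx 1.40\ \text{Mbit/s}$$

$$RTT = 300\ \text{ms}:\quad R = \frac{11680}{0.3}\cdot\frac{1.2}{0.1} \approx 38933 \cdot 12 \approx 0.47\ \text{Mbit/s}$$

The link rate does not appear in the bound: on a 1.544 Mbit/s T1, tripling the RTT at the same loss rate leaves a single TCP flow below 500 kbit/s, which is the gap between the theoretical and actual throughput curves on the chart. Redundancy elimination and compression shrink the bytes that must cross the WAN, and the TCP optimization described later raises the effective window and mitigates loss, attacking the RTT and p terms directly.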

WAN at LAN speed: an accelerator at each end of the WAN, between the data center and the branch users or mobile users.
• TCP optimization: accelerates TCP performance over the WAN
• Data Redundancy Elimination: data that repeats does not need to cross the WAN again
• Compression: compress before sending over the WAN, decompress at the other end
• Application-specific acceleration: optimization of protocols such as MAPI, CIFS, NFS and HTTP
• Video optimization: a single copy of a video stream crosses the WAN

Deployment diagram: a traveling user runs the WAAS Mobile software over a VPN; a roaming user connects through a branch; branches are equipped with a WAAS service module, WAAS Express or a WAAS appliance; the WAN and the Internet (VPN) lead to the data center, which has WAAS appliances and vWAAS appliances running on VMware ESXi next to the server VMs.

Typical acceleration by application category (scale: 2X, 5X, 10X, 25X, 50X, 100X+):
| Category                | Applications                                                                                          | Typical gain          |
| File sharing            | CIFS, NFS                                                                                             | 2-20X avg, >100X peak |
| Email                   | Microsoft Exchange, Lotus Notes, Internet mail                                                        | 2-5X avg, 20X peak    |
| Web and collaboration   | HTTP, WebDAV, FTP, Microsoft SharePoint                                                               | 2-10X avg, 100X peak  |
| Software distribution   | Microsoft SMS, Altiris, HP Radia                                                                      | 2-20X avg, >100X peak |
| Enterprise applications | Microsoft SQL, Oracle, SAP, Lotus Notes                                                               | 2-5X avg, 20X peak    |
| Backup applications     | Microsoft NTBackup, Legato Networker, Veritas NetBackup, CommVault Galaxy                             | 2-10X avg, 50X peak   |
| Data replication        | EMC SRDF/A, EMC IP Replicator, NetApp SnapMirror, Data Domain, Double-Take, Veritas Vol Replicator    | 2-10X avg, 50X peak   |

Microsoft SharePoint acceleration case study
Challenges: customers scattered in rural areas; R&D scientists distributed globally; time to market relied on real-time collaboration.
Strategy: Microsoft SharePoint portal deployed centrally, once; LAN-like performance ensured for all.
Results: average response time from 270 to 8 seconds; bandwidth usage from 90% to 50%.
Charts: SharePoint response time in seconds (0 to 300) for a 14.5 MB Excel download, without WAAS, with WAAS (1st download) and with WAAS (2nd download); WAN bandwidth consumption (percentage) without and with WAAS.
See Monsanto video testimonial: www.cisco.com/go/waas

Basic optimizations (applicable to any TCP exchange): Data Redundancy Elimination (DRE), TCP optimization (TFO), LZ compression.
Acceleration specific to certain application protocols: CIFS, NFS, MAPI and HTTP protocol acceleration, decryption of SSL exchanges, video optimization.

• Persistent LZ compression: session-based compression; up to an additional 10:1 compression even after DRE
• Data Redundancy Elimination (DRE): application-agnostic compression; up to 100:1 compression
Diagram: DRE and LZ stages on each side of the WAN, sharing a synchronized compression history.

DRE chunk hierarchy for the data passing over the network:
• Level-0 chunk ("basic chunk"): ~256 bytes
• Level-1 chunk: ~1024 bytes
• Level-2 chunk: ~4096 bytes
• Level-3 chunk: ~16384 bytes
• Each chunk is stored in the database (on disk)
• A 5-byte signature is computed for each chunk

Diagram: DRE database lookup. Each chunk of the original message is looked up in the DRE database; chunks marked NO MATCH are sent in full in the encoded message, while chunks already in the database are replaced by their signature.
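Toy implementation, added here as an illustration and not Cisco's DRE code, of the chunk-and-signature scheme the last two slides describe: both ends keep a synchronized chunk store, every chunk gets a 5-byte signature, and a chunk the peer already holds is replaced on the wire by that signature. The chunk sizes (about 32 bytes instead of the ~256-byte basic chunk), the content-defined boundary hash, the constructed 4 KB file and the "second transfer" edits are all assumptions made for the example.

```python
import hashlib
import random

SIG_LEN = 5          # 5-byte chunk signature, as on the slide
WINDOW = 4           # bytes hashed to decide whether a chunk boundary falls here
MIN_CHUNK = 16       # toy chunk sizes: ~32 bytes average, not the ~256-byte basic chunk
MAX_CHUNK = 128
BOUNDARY_BITS = 5    # boundary where the top 5 hash bits are zero: about 1 position in 32


def _window_hash(window: bytes) -> int:
    # Knuth multiplicative hash of the last WINDOW bytes; it depends on content only.
    return (int.from_bytes(window, "big") * 2654435761) & 0xFFFFFFFF


def split_chunks(data: bytes) -> list:
    """Content-defined chunking.  A cut falls where the hash of the last WINDOW
    bytes has its top BOUNDARY_BITS clear, so cuts follow the content rather than
    the offset: inserting bytes near the start of a file shifts everything but
    leaves the later chunks, and therefore their signatures, unchanged."""
    chunks, start = [], 0
    for end in range(WINDOW, len(data) + 1):
        length = end - start
        if length < MIN_CHUNK:
            continue
        boundary = _window_hash(data[end - WINDOW:end]) >> (32 - BOUNDARY_BITS) == 0
        if boundary or length >= MAX_CHUNK:
            chunks.append(data[start:end])
            start = end
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def signature(chunk: bytes) -> bytes:
    # Truncated SHA-256.  40 bits is enough to index a local store, but it is not
    # collision-resistant against an adversary who chooses the data: a real
    # design must verify the full chunk before trusting a signature match.
    return hashlib.sha256(chunk).digest()[:SIG_LEN]


class DreEndpoint:
    """One side of the optimized link.  The store is the slide's synchronized
    compression history; on a WAE it lives on disk."""

    def __init__(self):
        self.store = {}   # signature -> chunk bytes

    def encode(self, message: bytes) -> list:
        encoded = []
        for chunk in split_chunks(message):
            sig = signature(chunk)
            if sig in self.store:            # peer already has it: send the 5-byte reference
                encoded.append(("ref", sig))
            else:                            # first sighting: send the bytes and remember them
                self.store[sig] = chunk
                encoded.append(("lit", chunk))
        return encoded

    def decode(self, encoded: list) -> bytes:
        out = []
        for kind, payload in encoded:
            if kind == "lit":
                self.store[signature(payload)] = payload
                out.append(payload)
            else:
                out.append(self.store[payload])   # KeyError here means the stores drifted apart
        return b"".join(out)


def wire_size(encoded: list) -> int:
    """Bytes that cross the WAN: one type byte plus either the signature or the literal."""
    return sum(1 + (SIG_LEN if kind == "ref" else len(payload)) for kind, payload in encoded)


def demo() -> tuple:
    """Send a constructed 4 KB file, then a lightly edited copy of it."""
    rng = random.Random(7)
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    # second transfer: 16 bytes inserted at the front, 32 bytes rewritten in the middle
    edited = b"v2 header bytes!" + original[:2000] + bytes(32) + original[2032:]

    sender, receiver = DreEndpoint(), DreEndpoint()
    first = sender.encode(original)
    assert receiver.decode(first) == original
    second = sender.encode(edited)
    assert receiver.decode(second) == edited
    return wire_size(first), wire_size(second), len(edited)


if __name__ == "__main__":
    first_bytes, second_bytes, size = demo()
    print(f"first transfer : {first_bytes} bytes on the wire for a {size - 16}-byte file")
    print(f"second transfer: {second_bytes} bytes on the wire for a {size}-byte file "
          f"({size / second_bytes:.1f}:1)")
```

The first transfer costs slightly more than the file itself (every chunk is a literal plus a type byte); the second costs a small fraction of it, because only the chunks touched by the edits are sent in full and everything else is a 6-byte reference. The two stores must stay identical: a reference to a chunk the receiver never stored is a hard failure, which is why a real deployment pairs the stores per peer and resynchronizes after a cache wipe.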

• Improves application throughput
• Improves existing WAN bandwidth utilization
• Shields end nodes from unruly WAN conditions: bandwidth scalability (helps certain applications "fill the pipe"); connection fairness (ensures bandwidth is allocated fairly among flows); loss mitigation (selective acknowledgement and retransmission); slow-start mitigation (improves connection setup time)
• The TCP proxy architecture provides LAN-like TCP behavior and higher levels of compression than per-packet compression
• TFO provides adaptive buffering for connections that require additional memory to achieve higher throughput
Diagram: LAN-like TCP behavior on each side between the host and its WAE; optimized TCP connections, with DRE and PLZ, across the WAN.

Chart: TCP window size vs. time (in RTTs), slow start followed by congestion avoidance. Standard TCP:
• Cannot make use of the available bandwidth
• Responds inefficiently to packet loss
• Handicaps short-lived connections

Chart: TCP window size vs. time (in RTTs), slow start and congestion avoidance, for TCP without TFO and TCP with TFO. Cisco TFO significantly improves TCP performance compared with standard TCP.
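Added example, not taken from the slides: a loss-free model of how many round trips standard TCP needs to push a payload through slow start and congestion avoidance, the "handicap for short-lived connections" of the previous chart, compared with a sender whose window is already open, which is the LAN-like behavior a TCP proxy at each end of the WAN gives the end hosts. The segment size, the initial windows, the 64-segment window cap and the payload sizes are assumed values, not figures from the presentation.

```python
import math


def rtts_to_deliver(payload_bytes: int, mss: int = 1460, initial_window: int = 2,
                    ssthresh: int = 64, max_window: int = 64) -> int:
    """Round trips a loss-free sender needs to deliver payload_bytes.
    The window (in segments) doubles every RTT while below ssthresh (slow start),
    then grows by one segment per RTT (congestion avoidance), never above
    max_window, which stands for the receiver window or the path's bandwidth-delay product."""
    segments_left = math.ceil(payload_bytes / mss)
    window, rtts = initial_window, 0
    while segments_left > 0:
        rtts += 1
        segments_left -= window            # one window's worth of segments per RTT
        if window < ssthresh:
            window = min(window * 2, ssthresh, max_window)
        else:
            window = min(window + 1, max_window)
    return rtts


def transfer_time(payload_bytes: int, rtt_seconds: float, **window_args) -> float:
    """Wall-clock time including the three-way handshake (one RTT before data flows)."""
    return (1 + rtts_to_deliver(payload_bytes, **window_args)) * rtt_seconds


def compare(payload_bytes: int, rtt_seconds: float) -> dict:
    """Three senders over the same high-latency path (all values assumed):
    - standard TCP with a 2-segment initial window,
    - standard TCP with a 10-segment initial window,
    - a sender whose window is already wide open (64 segments), i.e. the
      LAN-like behaviour a proxy gives the end host."""
    return {
        "standard iw=2": transfer_time(payload_bytes, rtt_seconds, initial_window=2),
        "standard iw=10": transfer_time(payload_bytes, rtt_seconds, initial_window=10),
        "window already open": transfer_time(payload_bytes, rtt_seconds, initial_window=64),
    }


if __name__ == "__main__":
    for size, label in ((50 * 1024, "50 KB object"), (1_000_000, "1 MB file")):
        print(f"{label} over a 200 ms RTT path:")
        for name, seconds in compare(size, 0.2).items():
            print(f"  {name:20s} {seconds:5.2f} s")
```

For a 50 KB object the standard sender spends five RTTs ramping its window, while the open-window sender needs one; at 200 ms per round trip that is the difference between 1.2 s and 0.4 s for a single small object, before any bytes are saved by compression.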

Problem: some protocols such as CIFS, NFS and MAPI are "chatty" and were designed for a LAN environment. They become almost unusable in a WAN environment with high latency, packet loss and bandwidth constraints.
Solution: file caching; read-ahead; scheduled pre-positioning; transparent integration; dedicated cache (SMS distribution point, user home).
Diagram: FILE.DOC served to the branch from the file cache instead of across the WAN.

Problem: slow page loads on interactive web applications; browsers serially open and close connections to fetch small objects (e.g. graphics); the latency of a connection open/close can be higher than the object's transmit time.
Solution:
• Fast connection reuse: optimized connections on the WAN remain active for a short period of time so they can be reused if the client-server pair needs to exchange additional data
• Proxy connect to SSL servers: each HTTP request is inspected and forwarded to the HTTP or SSL AO, or to the general optimization
Diagram: connect (SYN, SYN-ACK, ACK); HTTP request and response; a second HTTP request and response reuse the same connection.

• Traffic optimization and acceleration are only effective if the traffic is decrypted
Diagram: SSL handshake, "session key" derived, then encrypted data exchange across the WAN.

• The core WAE acts as a trusted intermediary node for the client's SSL requests
• The server's private key and certificate are stored on the core WAE device
• The core WAE participates in the SSL handshake to derive the "session key"
• It distributes the "session key" securely in-band to the edge WAE over the connection already established between the edge WAE and the core WAE
Diagram: SSL session from the client to the core WAE (WAAS); SSL session from the core WAE to the server, using the server private key; the core WAE sends the "session key" to the edge WAE over the transparent secure channel; the original (encrypted) data at each end becomes optimized and encrypted data across the WAN.
Note that both WAEs can then read the cleartext and the core WAE holds the server's private key, so they need the same protection as the server itself.

WAAS form factors:
• Appliance
• Rack-mountable appliance
• Router module
• Function within a router's IOS
• Virtual appliance
• Software for mobile users (on Windows)

Cisco Wide Area Virtualization Engine (WAVE) appliances extend the Cisco WAN optimization appliance portfolio to provide the industry's only branch-office appliance family that incorporates comprehensive WAN optimization, embedded virtualization for local hosting, and branch-office video delivery.
Models: WAVE-274, WAVE-474 and WAVE-574 appliances; WAE-674 appliance.

• The Cisco Wide Area Application Services (WAAS) network modules provide integrated WAN optimization with Cisco Integrated Services Routers (ISR), enabling you to implement full-featured WAN optimization while minimizing total cost of ownership
• Supported on ISR G1 routers from the 2811 upward and on ISR G2 routers from the 2911 upward
NME-WAE: router-integrated network module for the Cisco Integrated Services Router (ISR) series
• Reduces branch footprint
• Reduces cost with integrated support
• Single-box solution for voice, security and WAN optimization

• Simple plug-and-play deployment: physical in-path deployment between switch and router or firewall requires no network changes; mechanical fail-to-wire upon hardware, software or power failure
• Scalability and high availability: two two-port fail-to-wire groups provide support for redundant network paths and asymmetric routing; serial in-path clustering with load sharing and failover
• Seamless transparent integration: transparency and automatic discovery; 802.1q VLAN trunking support; supported on all WAE appliance models
Diagram: remote office with the WAE inline between the LAN switch and the WAN router.

• Transparent integration and automatic discovery regardless of interception method
• WCCPv2 interception: active/active clustering supports up to 32 WAEs and 32 routers with automatic load balancing, load redistribution, failover and fail-through operation; near-linear scalability and performance improvement when adding devices
• Policy-based routing interception: flows to be optimized are routed through a Cisco WAE as a next-hop router; active/passive clustering provides high availability and failover, using IP SLAs as the tracking mechanism
Diagram: remote office with a WAE cluster; the router intercepts the original flow and redirects it to the cluster, and the optimized flow leaves across the WAN (interception, redirection, monitoring).

Compliance with critical network services: the industry's only holistic and secure optimization, visibility and control solution
• Quality of Service (QoS): classification, NBAR, marking; policing, shaping, queuing, WRED; LFI, header compression
• Network management: NAM, PVM, NetFlow, NetQoS, IP SLA
• Security: IOS Firewall, IDS, IPS, ACL, VPN
• Optimized routing: Network Path Affinity (NPA), Optimized Edge Routing, PBR
Diagram: the optimized flow keeps the original addressing of the packet (SrcIP 1.1.1.1, DstIP 2.2.2.2, SrcPort 1434, DstPort 80, application data) across the WAN, so the services on the Cisco Integrated Services Router (QoS, network analysis/NetFlow, IOS Firewall, intrusion prevention, Optimized Edge Routing, policy-based routing, IP Service Level Agreements, VPN) still classify and inspect it, while Cisco Wide Area Application Services contributes the application optimizers, advanced compression and transport optimization.

• Centralized management: robust management, monitoring and reporting for up to 2500 nodes; device grouping for simplified rollout of configuration changes; device and system alarms, as well as integration with SNMP and syslog
• Secure management platform: SSL-encrypted HTTP GUI and intra-device communication; role-based access control (RBAC) to isolate users to specific capabilities and domains of management; integrated IOS-like CLI accessible via SSH (also telnet and serial; telnet carries credentials in the clear, so SSH should be the only remote CLI access left enabled)
• High availability configurations: active/standby deployments with automatic failover and replication of the Central Manager database and encryption keys
• SOA-ready monitoring: standard XML web service (SOAP) integration with external reporting and monitoring portals

Flexible, optimized branch IT: WAAS Virtual Blade technology offers the best combination of the distributed and centralized IT models; validated by Microsoft for Windows services.
Diagram: at the branch, a router and a Cisco WAAS device hosting local services (local storage backup) for the users; in the data center, Cisco WAAS in front of the servers, storage backup, and business and communication apps; the WAN in between.

WAAS software architecture:
• Platform management and services; Configuration Management System (CMS)
• Cisco WAAS operating system: policy engine, filter-bypass, egress method, directed mode, auto-discovery
• TCP proxy with Scheduler Optimizer (SO): DRE, LZ, TFO
• Application optimizers: CIFS AO, NFS AO, MAPI AO, HTTP AO, SSL AO, Video AO, WoW
• Embedded virtualization: Virtual Blade #2, Virtual Blade #3
• Disk storage (cache, VB storage etc.), Ethernet network I/O

• Remote access and management using Windows management facilities. Example: using a terminal connection to the virtual blade's IP address.

Cisco WAAS with virtualization
• Branch-optimized IT services: read-only domain controller, print services, DNS/DHCP services
• Complete WAN optimization + application acceleration
• Ability to host Windows services locally
Microsoft Windows Server 2008 Server Core: jointly developed architecture; joint customer support; Cisco WAAS with pre-packaged Windows Server 2008 services.

Diagram: a VMware ESXi server runs the Nexus 1000V with vPath, vWAAS and a web server; across the WAN, a WAAS Express POC branch and a non-POC branch. Non-optimized traffic: automatic bypass. Optimized traffic: vPath redirection.
• vWAAS tells vPath which flows it is interested in
• vPath sends vWAAS only the traffic that needs to be optimized
• Easy and progressive deployment
• Optimization is not disrupted by vMotion operations

• Introducing WAAS Express: a small-footprint, cost-effective IOS-based WAN optimization solution
– Key component of the Cisco WAAS product portfolio
– Extends the WAN optimization solution across the entire ISR G2 family
– Increases the amount of available bandwidth for small to medium branch offices and remote locations, while accelerating TCP-based applications operating in a WAN environment
– Natively uses the capabilities of IOS software
– Fully interoperable with WAAS on SM-SRE modules and WAAS appliances, and can be managed by a common WAAS Central Manager
Diagram: WAAS Express at the branch office; WAAS appliance and WAAS Central Manager in the data center, across the WAN.

• WAAS Express is a standard feature license
• License enabled on the IP Base image
• Enforced using a license key
• License key enforcement is done in IOS on the router using the Cisco Software Licensing Infrastructure
• 60-day trial license available
• WAAS Central Manager does not participate in license management: WAAS Express will not register with WAAS Central Manager unless a valid and active license is present, and WAAS Central Manager periodically checks that the (trial or extension) license is active before allowing customer configuration
Diagram: universal image with IP Base, plus the Security, U.C., Data and WAAS Express (W.E) feature licenses.

Diagram: a mobile workstation reaches, across the WAN, the application servers and storage in the data center: files (CIFS, FTP), Internet and web applications (HTTP/HTTPS), e-mail (MAPI, SMTP/POP); latency mitigation.
• The "Cisco WAAS Mobile" client is installed on the workstation
• The "Cisco WAAS Mobile" server software is installed on a Windows server in the data center

Diagram: mobile users on the Internet run the Cisco WAAS Mobile client inside a VPN tunnel to the VPN concentrator; the Cisco WAAS Mobile server sits in the data center in front of the app servers and storage. Optimized TCP connections (WAAS Mobile optimized connections) and un-optimized connections.

Validation with the major software vendors: architecture leadership and joint R&D; lower risks via technology licensing; ease of integration and support escalation
Easy, secure and transparent integration into the network: ease of operations via network transparency; accurate application SLA monitoring; secure acceleration; better with VoIP and video
Reduced cost of ownership: minimized device complexity via router integration; integrated high-quality video; reduced data center server OpEx via offload technology

Diagram: clients connect to a Virtual IP Address (VIP) on the ACE load balancer, which monitors the servers with keepalives (probes) and distributes connections across a first and a second server farm.
Example rule: if "URL = /news" and "User-Agent = WindowsCE" and "Client = 192.0.0.0/8", then choose "farm 2" according to "predictor 1".

Probe options:
| Probe       | Description |
| ICMP        | Sends an ICMP request and waits for the reply |
| Generic TCP | Opens a connection with the server and disconnects with TCP FIN (default) or RST |
| Generic UDP | Sends a packet; the probe is considered successful if no ICMP error is received |
| HTTP        | Sends an HTTP HEAD or HTTP/1.1 GET request |
| HTTPS       | Establishes an SSL connection, sends an HTTP query and tears it down |
| FTP         | Similar to the TCP probe |
| Telnet      | Makes a connection and sends a "QUIT" message |
| DNS         | Uses a default domain and waits for any response |
| SMTP        | Sends a "hello" followed by a "QUIT" message |
| POP3        | Similar to the TCP probe |
| IMAP        | Similar to the TCP probe |
| RADIUS      | Similar to the UDP probe; the NAS-IP can be configured |
| SNMP        | Up to eight OIDs can be configured; used mainly for load-balancing predictions, not health checking, so it should be combined with another health probe that verifies the application |

Diagram: clients and a server farm.

• Round robin (weighted): very simple
• Least connections (weighted): dynamic; requires slow start
• Hash on IP (source/destination, with mask): no state required for stickiness; issues with dynamic changes
• Hash on URL, or on a portion of the URL
• Server watermarks: minimum and maximum number of connections per server
• Least loaded: server feedback obtained from SNMP object IDs
• Least bandwidth: connections vs. bandwidth, based on the bidirectional traffic flow
• Adaptive response predictor: load balancing based on server response time (SYN to SYN-ACK; SYN to FIN; application request to first packet of the response)

Choosing the least loaded server using SNMP
• SNMP object IDs: CPU utilization, memory resources, disk drive availability, ...
• Only an SNMP agent is required on the server; no additional software
• ACE queries each server for the following three SNMP object IDs. Query results:
– Server 1: CPU utilization = 14%, memory resources = 947300k free, disk drive availability = 440 GB free
– Server 2: CPU utilization = 24%, memory resources = 885300k free, disk drive availability = 307 GB free
– Server 3: CPU utilization = 34%, memory resources = 785300k free, disk drive availability = 202 GB free
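Added example, not ACE code: a toy server farm implementing several of the predictors listed above (weighted round robin, weighted least connections, hash on the source IP with a mask, and least loaded from polled CPU figures), with the health-probe verdict and the server watermark deciding which servers are eligible at all. The server names, weights, the watermark, the client addresses and the polled figures (the 14%, 24% and 34% CPU values of the slide) are assumed; the SNMP poll itself is replaced by assigning the values directly.

```python
import hashlib
import ipaddress


class Server:
    def __init__(self, name: str, weight: int = 1, max_conns: int = None):
        self.name, self.weight, self.max_conns = name, weight, max_conns
        self.conns = 0          # connections currently assigned by the load balancer
        self.healthy = True     # latest health-probe verdict
        self.cpu = 0.0          # latest value polled over SNMP (assumed OID: CPU utilization %)

    def __repr__(self):
        return self.name


class Farm:
    def __init__(self, servers):
        self.servers = list(servers)
        self._rr_index = 0

    def eligible(self) -> list:
        """A server receives traffic only if its probe passed and it is below
        its max-connections watermark."""
        return [s for s in self.servers
                if s.healthy and (s.max_conns is None or s.conns < s.max_conns)]

    def weighted_round_robin(self) -> Server:
        # A server with weight w appears w times in the cycle.
        cycle = [s for s in self.eligible() for _ in range(s.weight)]
        choice = cycle[self._rr_index % len(cycle)]
        self._rr_index += 1
        return choice

    def least_connections(self) -> Server:
        # Weighted: a server with twice the weight may carry twice the connections.
        return min(self.eligible(), key=lambda s: s.conns / s.weight)

    def hash_on_source_ip(self, client_ip: str, prefix_len: int = 24) -> Server:
        """Stateless stickiness: every client in the same /prefix_len lands on the
        same server for as long as the eligible set does not change."""
        network = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
        digest = hashlib.sha256(str(network.network_address).encode()).digest()
        candidates = self.eligible()
        return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]

    def least_loaded(self) -> Server:
        # Uses the value most recently polled from each server's SNMP agent.
        return min(self.eligible(), key=lambda s: s.cpu)

    def assign(self, server: Server) -> Server:
        server.conns += 1
        return server


def demo() -> dict:
    """Constructed farm: srv1 rated three times the capacity of srv2; srv3 capped at one connection."""
    srv1, srv2, srv3 = Server("srv1", weight=3), Server("srv2"), Server("srv3", max_conns=1)
    farm = Farm([srv1, srv2, srv3])
    results = {}
    # five new connections through weighted round robin: srv1 gets three of them
    results["wrr"] = [farm.assign(farm.weighted_round_robin()).name for _ in range(5)]
    # srv3 is now at its watermark and drops out of the eligible set
    farm.assign(srv1)
    srv1.cpu, srv2.cpu, srv3.cpu = 14.0, 24.0, 34.0   # figures polled over SNMP, as on the slide
    results["least_loaded"] = farm.least_loaded().name
    results["least_conns"] = farm.least_connections().name   # srv1: 4/3, srv2: 1/1
    results["sticky_subnet"] = {farm.hash_on_source_ip(ip).name
                                for ip in ("192.0.2.10", "192.0.2.200")}
    srv2.healthy = False                                   # health probe failed
    results["after_probe_failure"] = [s.name for s in farm.eligible()]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

The hash predictor is what the slide means by "no state required for stickiness": two clients from the same /24 hash to the same server without the load balancer remembering either of them, and the caveat "issues with dynamic changes" shows up as soon as the eligible set shrinks, because the modulo then maps the same hash to a different server.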

The "shopping cart" problem
1. I browse. 2. I select. 3. I buy. Empty cart?!? "I will never come back here!"
Diagram: over the Internet, the shopper's successive connections reach different servers, and the cart filled on one server is missing on the next.

• Offload CPU-intensive SSL processing: server resources are dedicated to serving requests and running applications rather than encrypting data
• Centralized key/certificate storage and management
• Allows advanced content switching (URL-based, cookie stickiness, payload parsing) and inspection of SSL traffic
• Scalability: easy to add more SSL "performance"
Diagram: encrypted traffic to VIP:443 on the application switch; clear text to the servers on port 80. The segment between the application switch and the servers therefore carries plaintext and must be a trusted network.

• The web server is offloaded from TCP connection setup and teardown
• A number of TCP connections are kept open through "HTTP keepalive"
• Fewer CPU cycles used by TCP
• New client connections are multiplexed onto the existing connections
Diagram: client connections TCP1 and TCP2 are carried over ACE-TCP1 (pool 1) and ACE-TCP2 (pool 2) toward the servers.

• Over 98% reduction in server-side TCP connections per second
• Also depends on the server configuration (HTTP GETs per TCP connection)
Chart: connections per second on the client side vs. the server side.

Diagram (steps 1 to 5): the client's browser requests http://www.cisco.com; ACE forwards the request to one of the servers; ACE compresses the response and sends it over the network; the web browser decompresses the page and displays it.

• ACE offloads servers by serving content directly
• ACE offers static caching and sophisticated dynamic caching
• Caching is enabled together with the other acceleration features
• ACE allows compression and caching without source NAT

Layer 2 through Layer 4:
• TCP/IP normalization: built-in transport protocol security; user-configurable to meet security requirements
• SYN cookies
Layer 5 through Layer 7 and application-specific:
• Advanced HTTP inspection: RFC compliance; MIME type validation; prevention of tunneling protocols over HTTP; content filtering
• Application protocol inspection: ICMP, FTP, DNS, RTSP; voice, video
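Added example, not ACE's implementation: the mechanism behind the "SYN cookies" bullet. Instead of allocating state for every SYN it receives, the listener encodes a coarse time counter, an MSS index and a keyed hash of the connection 4-tuple into the initial sequence number of its SYN-ACK; the client's final ACK carries that number plus one, and connection state is created only once the value validates, so a flood of spoofed SYNs costs the listener nothing but a hash per packet. The secret, the 64-second counter granularity, the MSS table and the addresses are assumptions for the example.

```python
import hashlib
import hmac

SECRET = b"constructed per-device secret; rotate it in real deployments"
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit field can encode (assumed table)
COUNTER_PERIOD = 64                   # seconds per tick of the 5-bit time counter


def _counter(now: float) -> int:
    return (int(now) // COUNTER_PERIOD) & 0x1F


def _hash24(src_ip: str, src_port: int, dst_ip: str, dst_port: int, counter: int) -> int:
    """Keyed 24-bit hash over the 4-tuple and the counter value the cookie was minted with."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss: int, now: float) -> int:
    """Initial sequence number for the SYN-ACK: 5 bits counter | 3 bits MSS index | 24 bits hash.
    No per-connection state is stored at this point."""
    counter = _counter(now)
    mss_index = max([i for i, v in enumerate(MSS_TABLE) if v <= client_mss], default=0)
    return (counter << 27) | (mss_index << 24) | _hash24(src_ip, src_port, dst_ip, dst_port, counter)


def check_syn_cookie(cookie: int, src_ip, src_port, dst_ip, dst_port, now: float,
                     max_age_ticks: int = 2):
    """Return the MSS to use if the cookie is genuine and recent, else None.
    The counter is read back from the cookie itself, so a replayed cookie from an
    old tick fails the age check and a forged one fails the hash check."""
    counter = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    age = (_counter(now) - counter) & 0x1F
    if age > max_age_ticks:
        return None
    if (cookie & 0xFFFFFF) != _hash24(src_ip, src_port, dst_ip, dst_port, counter):
        return None
    return MSS_TABLE[mss_index]


def accept_final_ack(ack_number: int, src_ip, src_port, dst_ip, dst_port, now: float):
    """The client's ACK acknowledges ISN + 1; connection state is created only now."""
    return check_syn_cookie((ack_number - 1) & 0xFFFFFFFF, src_ip, src_port, dst_ip, dst_port, now)


if __name__ == "__main__":
    t0 = 1_000_000.0
    isn = make_syn_cookie("203.0.113.5", 40000, "198.51.100.10", 80, 1460, t0)
    print(f"SYN-ACK seq=0x{isn:08x}")
    print("valid ACK  ->", accept_final_ack(isn + 1, "203.0.113.5", 40000, "198.51.100.10", 80, t0 + 0.5))
    print("stale ACK  ->", accept_final_ack(isn + 1, "203.0.113.5", 40000, "198.51.100.10", 80, t0 + 300))
    print("spoofed IP ->", accept_final_ack(isn + 1, "203.0.113.6", 40000, "198.51.100.10", 80, t0 + 0.5))
```

The price of statelessness is visible in the code: only a handful of MSS values survive the round trip and other SYN options are lost, which is why SYN cookies are normally switched on only while the backlog is under pressure rather than for every connection.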

Virtual partitioning – system separation
Traditional device: single configuration file; single routing table; limited RBAC; limited resource allocation.
Cisco Application Infrastructure Control: one physical device, multiple virtual systems (dedicated control and data path); distinct configuration files; separate routing tables; RBAC with contexts, roles and domains; management and data resource control; independent application rule sets; global administration and monitoring.
Diagram: resources allocated to the virtual systems as 25%, 25%, 20%, 15% and 15% of the device (100%).

• ACE30 module for the Catalyst 6500
• Appliance: ACE 4710
From 500 Mbps to 4 Gbps by simply activating a license (pay as you grow)

• High availability: works around server, application and network failures
• No single point of failure: failover is transparent to clients
• Disaster recovery: fails over across data centers
• High and scalable performance: can serve a growing number of clients, with more content and transactions
• Intelligent content- and load-based decisions: selection of the best server
• Transaction assurance: the entire transaction is sent to the same server
• Security: protects itself, the servers and the applications
• Flexibility: adapts to network topologies and application environments

• Server offload: frees up server CPU and resources
• Application acceleration: better user experience, faster transactions
• Bandwidth reduction: efficient utilization of WAN resources
• Application and protocol inspection: protection against sophisticated application-specific attacks
• Virtualization: one physical device behaves as many; maximum deployment flexibility and separation of resources
• Flexible network management: allows multiple users, with different responsibilities, to manage the device simultaneously

Diagram: content switch (ACE) and GSS.

Diagram: clients; site selection intelligence; primary data center (active) hosting application A and application B; secondary data center (standby).
Diagram: primary data center failed/inactive, secondary data center active for application A and application B. While end users are serviced by the standby data center, begin the logistics of recovering the primary data center.
Diagram: back to primary data center (active) and secondary data center (standby), now with application C added.

Diagram: a client requests http://www.cisco.com/; its DNS proxy walks the hierarchy: root DNS for "/", root DNS for .com, authoritative DNS for cisco.com, and finally the ACE GSS, authoritative DNS for www.cisco.com, which answers with site A or site B.

Keepalive types
• Simple: Layer 3, ICMP ping for device online status; Layer 4, TCP three-way handshake with a FIN/RST option; Layer 5, HTTP HEAD: an HTTP HEAD request is sent to the target device and the GSS checks for a 200 OK response from the web page
• Advanced: KAL-AP, used to check ACE load and VIP online status; uses UDP for transport
• SNMP: MIB values are used in least-loaded load-balancing calculations

1. Ordered list: uses the next VIPs when all previous VIPs are overloaded or down
2. Static, based on the client's DNS address: maps the IP address of the client's DNS to available VIPs
3. Round robin: cycles through the available VIPs in order
4. Weighted round robin: weighting causes repeat hits (up to 10) to a VIP
5. Least loaded: least connections or least loaded on ACE; load communicated via CAPP over UDP
6. Source address and domain hash: the IP address of the client's DNS proxy and the domain are used; always sticks the same client to the same VIP
7. DNS race: initiates a race of A-record responses to the client; finds the closest SLB to the client's D-proxy
8. DRP-based dynamic network proximity: actively localizes client traffic by probing the client's DNS name servers and routing the client to the closest data center based on the lowest RTT measurement; scales to greater than 400,000
9. Global sticky DNS database: dynamically tracks where clients are sent, then ensures they are sent to the same device for subsequent requests; entries are based on the IP address of the client's name server and the domain name requested; sticky answers are shared between GSSs
10. Drop: silently discards the DNS request

DNS request rate limiting
Chart: normal traffic rates in DNS requests per second (D-RPS) per requesting name server: D-proxy 1 at 100 D-RPS, D-proxy 2 at 50 D-RPS, D-proxy 3 and D-proxy 4 at 500 D-RPS; once compromised, D-proxy 3 and D-proxy 4 send 10,000 D-RPS each. Rate-limit these requests.
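Added example, not GSS code: a per-D-proxy token-bucket rate limit replayed over constructed DNS query traffic shaped like the chart above, two well-behaved D-proxies at 100 and 50 queries per second and two compromised ones at 10,000, followed by a simple rule that flags the sources whose queries were mostly dropped. The limit of 500 queries per second with a 500-query burst, the two-second window, the addresses and the flagging threshold are assumptions.

```python
from collections import defaultdict


class PerSourceRateLimiter:
    """Token bucket per requesting name server (D-proxy): each source may send
    `rate` queries per second sustained and `burst` queries at once; beyond that
    its queries are dropped instead of being answered."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self._buckets = {}   # source -> (tokens, time of last query)

    def allow(self, source: str, now: float) -> bool:
        tokens, last = self._buckets.get(source, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last query
        if tokens >= 1.0:
            self._buckets[source] = (tokens - 1.0, now)
            return True
        self._buckets[source] = (tokens, now)
        return False


def replay(queries, rate: float = 500.0, burst: float = 500.0) -> dict:
    """queries: iterable of (time_seconds, source_ip) sorted by time.
    Returns per-source counts of allowed and dropped queries."""
    limiter = PerSourceRateLimiter(rate, burst)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for when, source in queries:
        stats[source]["allowed" if limiter.allow(source, when) else "dropped"] += 1
    return dict(stats)


def suspicious_sources(stats: dict, drop_ratio: float = 0.5) -> list:
    """Sources whose queries were mostly dropped are the candidates for the
    'compromised' label on the chart: sustained far above their normal rate."""
    flagged = []
    for source, counts in stats.items():
        total = counts["allowed"] + counts["dropped"]
        if total and counts["dropped"] / total >= drop_ratio:
            flagged.append(source)
    return sorted(flagged)


def constructed_traffic(duration_s: float = 2.0) -> list:
    """Evenly spaced queries per D-proxy at the rates shown on the chart (assumed addresses)."""
    rates = {"192.0.2.1": 100, "192.0.2.2": 50, "192.0.2.3": 10_000, "192.0.2.4": 10_000}
    events = [(i / qps, source) for source, qps in rates.items()
              for i in range(int(qps * duration_s))]
    events.sort()
    return events


def demo() -> tuple:
    stats = replay(constructed_traffic())
    return stats, suspicious_sources(stats)


if __name__ == "__main__":
    stats, flagged = demo()
    for source, counts in sorted(stats.items()):
        print(f"{source:12s} allowed={counts['allowed']:6d} dropped={counts['dropped']:6d}")
    print("rate-limit and investigate:", flagged)
```

The two normal D-proxies never touch their limit, so their users see no change; the two compromised ones are held to roughly the burst plus 500 answers per second of the window and lose the rest, which keeps the GSS answering everyone else. Dropping (rather than answering) is the right response here because a DNS answer is larger than the query, so answering an abusive source would let it use the GSS as an amplifier.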

Thank you
Please do not forget to fill in the evaluation form for this session.