manualshive.com logo in svg

Nortel Web OS 10.0, Application Manual

Share
Download
Nortel Web OS 10.0 Application Manual Download Page 186

Web OS 10.0 Application Guide

186  

n

  Chapter 7: Filtering

212777-A, February 2002

Configuring a Filter-Based Security Solution

Before you begin, you must be connected to the switch CLI as the administrator.

In this example, all filters are applied only to the switch port that connects to the Internet. If 
intranet restrictions are required, filters can be placed on switch ports connecting to local 
devices.

Also, filtering is not limited to the few protocols and TCP or UDP applications shown in this 
example. See 

Table 7-1 on page 171

 and 

Table 7-2 on page 171

 for a list of other well-known 

protocols and applications.

1.

Assign an IP address to each of the network devices.

For this example, the network devices have the following IP addresses on the same IP subnet:

2.

Create a default filter that will deny and log unwanted traffic.

The default filter is defined as Filter 224 in order to give it the lowest order of precedence:

N

OTE

 – 

Because the 

proto

 parameter is not 

tcp

 or 

udp

, the source port (

sport

) and desti-

nation port (

dport

) values are ignored and may be excluded from the filter configuration.

Table 7-4  Web Cache Example: Real Server IP Addresses

Network Device

IP address

Local Subnet

205.177.15.0 - 205.177.15.255

Web Server

205.177.15.2

Mail Server

205.177.15.3

Domain Name Server

205.177.15.4

>> # /cfg/slb/filt 224

(Select the default filter)

>> Filter 224# sip any

(From any source IP addresses)

>> Filter 224# dip any

(To any destination IP addresses)

>> Filter 224# proto any

(For any protocols)

>> Filter 224# action deny

(Deny matching traffic)

>> Filter 224# name deny unwanted traffic

(Provide a descriptive name for the

 filter)

>> Filter 224# ena

(Enable the default filter)

>> Filter 224# adv/log enable

(Log matching traffic to syslog)

Summary of Contents for Web OS 10.0

Page 1: ...50 Great Oaks Boulevard San Jose California 95119 408 360 5500 Main 408 360 5501 Fax www nortelnetworks com Web OS Switch Software 10 0 Application Guide Part Number 212777 Revision A February 2002...

Page 2: ...ers are authorized to use this documentation only in accordance with those rights and restrictions set forth herein consistent with FAR 12 211 12 212 Oct 1995 DFARS 227 7202 JUN 1995 and DFARS 252 227...

Page 3: ...net Routing 31 Defining IP Address Ranges for the Local Route Cache 35 Border Gateway Protocol BGP 36 Internal Routing Versus External Routing 36 Forming BGP Peer Routers 37 BGP Failover Configuration...

Page 4: ...runking 65 Overview 65 Statistical Load Distribution 66 Built In Fault Tolerance 66 Port Trunking Example 67 Chapter 4 OSPF 69 OSPF Overview 69 Types of OSPF Areas 70 Types of OSPF Routing Devices 71...

Page 5: ...in Web OS 104 Web Switch User Accounts 105 Secure Shell and Secure Copy 107 Encryption of Management Messages 108 SCP Services 108 RSA Host and Server Keys 109 Radius Authentication 110 SecurID Suppor...

Page 6: ...apter 7 Filtering 169 Overview 170 Filtering Benefits 170 Filtering Criteria 170 Stacking Filters 172 Overlapping Filters 172 The Default Filter 173 VLAN based Filtering 174 Optimizing Filter Performa...

Page 7: ...nk Health Checks 223 TCP Health Checks 224 ICMP Health Checks 224 Script Based Health Checks 225 Configuring the Switch for Script Based Health Checks 225 Script Format 226 Scripting Guidelines 227 Sc...

Page 8: ...61 High Availability Configurations 263 Active Standby Virtual Server Router Configuration 263 Active Active VIR and VSR Configuration 265 Active Active Server Load Balancing Configuration 267 VRRP Ba...

Page 9: ...es 308 Using Border Gateway Protocol for GSLB 312 Chapter 13 Firewall Load Balancing 313 Firewall Overview 314 Basic FWLB 316 Basic FWLB Implementation 317 Configuring Basic FWLB 319 Four Subnet FWLB...

Page 10: ...389 DNS Load Balancing 390 Layer 7 RTSP Load Balancing 392 Content Intelligent Web Cache Redirection 394 URL Based Web Cache Redirection 395 HTTP Header Based Web Cache Redirection 403 Browser Based...

Page 11: ...ersistence 437 How SSL Session ID Based Persistence Works 437 Chapter 17 Bandwidth Management 441 Overview 442 Bandwidth Policies 444 Rate Limits 445 Bandwidth Policy Configuration 445 Data Pacing 446...

Page 12: ...Web OS 10 0 Application Guide 12 n Contents 212777 A February 2002 Configuring Bandwidth Management 454 Additional Configuration Examples 457 Preferential Services Examples 460 Glossary 471 Index 475...

Page 13: ...d in a Single Spanning Tree Group 52 Figure 2 5 Implementing Multiple Spanning Tree Groups 53 Figure 2 6 Default Gateways per VLAN 58 Figure 2 7 Jumbo Frame VLANs 64 Figure 3 1 Port Trunk Group 65 Fig...

Page 14: ...Figure 7 6 Limiting User Access to Server 183 Figure 7 7 Security Topology Example 185 Figure 7 8 Static Network Address Translation 192 Figure 7 9 Dynamic Network Address Translation 193 Figure 7 10...

Page 15: ...ample Network 347 Figure 13 10 Typical Firewall Load Balancing Topology with DMZ 349 Figure 14 1 Basic Network Frame Flow and Operation 355 Figure 14 2 VPN Load Balancing Configuration Example 356 Fig...

Page 16: ...orks 442 Figure 17 2 Bandwidth Rate Limits 444 Figure 17 3 Virtual Clocks and TDT 446 Figure 17 4 URL Based Bandwidth Management 450 Figure 17 5 URL Based Bandwidth Management with Web Cache Redirecti...

Page 17: ...b OS Alteon Levels 106 Table 6 1 Web Host Example Real Server IP Addresses 124 Table 6 2 Web Host Example Port Usage 126 Table 6 3 Well Known Application Ports 128 Table 6 4 Proxy Example Port Usage 1...

Page 18: ...age 297 Table 12 3 Denver Real Server IP Addresses 300 Table 12 4 Web Host Example Alteon 180 Port Usage 301 Table 12 5 HTTP Versus Non HTTP Redirects 305 Table 15 1 Standard Regular Expression Specia...

Page 19: ...No Yes SYN Attack Detection Protection Yes Yes Enhanced Port Mirroring Yes Yes Reporting Classification Manager SYSLOG and SNMP No Yes Reporting Classification Manager Ability to fil ter SYSLOG based...

Page 20: ...rs Yes Yes OSPF No Yes LDAP health check Yes Yes Streaming Cache Redirection Yes Yes L7 Parsing of RTSP SLB Yes Yes ARP health check Yes Yes Telnet client Yes Yes Increase logging buffer Yes Yes Suppo...

Page 21: ...tware Where possible each section provides feature overviews usage examples and configuration instructions Part 1 Basic Switching Routing n Chapter 1 Basic IP Routing describes how to configure the We...

Page 22: ...ith the various load balancing and application redirection features n Chapter 11 High Availability describes how to use the Virtual Router Redundancy Pro tocol VRRP to ensure that network resources re...

Page 23: ...c123 This bold type appears in command exam ples It shows text that must be typed in exactly as shown Main sys AaBbCc123 This italicized type appears in command examples as a parameter placeholder Rep...

Page 24: ...ort and sales information visit the Nortel Networks website at the following URL http www nortelnetworks com See the contact information on this site for regional support and sales phone numbers and e...

Page 25: ...functions In addi tion to switching traffic at near line rates the Web switch can perform multi protocol routing This section includes the following basic switching and routing topics n Basic IP Rout...

Page 26: ...Web OS 10 0 Application Guide 26 n Basic Switching Routing 212777 A February 2002...

Page 27: ...eb switch to perform IP routing functions The following topics are addressed in this chapter n IP Routing Benefits on page 28 n Routing Between IP Subnets on page 28 n Example of Subnet Routing on pag...

Page 28: ...server switched network by automatically fragmenting UDP Jumbo frames when routing to non Jumbo frame VLANs or subnets n Provides the ability to route IP traffic between multiple Virtual Local Area Ne...

Page 29: ...ch to the router and back again adds two hops for the data slowing throughput considerably n Traffic to the router increases increasing congestion Even if every end station could be moved to better lo...

Page 30: ...tch which then relays the packet to the proper destination subnet using Layer 2 switching With Layer 3 IP routing in place on the Alteon Web switch routing between different IP sub nets can be accompl...

Page 31: ...ched to the switch Since there are five IP subnets connected to the switch five IP interfaces are needed Table 1 1 Subnet Routing Example IP Address Assignments Subnet Devices IP Addresses 1 Primary a...

Page 32: ...IP Interface 2 ena Enable IP interface 2 IP Interface 2 if 3 Select IP interface 3 IP Interface 3 addr 131 15 15 1 Assign IP address for the interface IP Interface 3 ena Enable IP interface 3 IP Inter...

Page 33: ...their respective VLANs The VLANs shown in Table 1 3 are configured as follows Table 1 3 Subnet Routing Example Optional VLAN Ports VLAN Devices IP Interface Switch Port 1 First Floor Client Workstati...

Page 34: ...on changes Port 4 is untagged and VLAN 2 is not a configured PVID for port 4 Would you like to change all PVIDS for port 4 to VLAN 2 y n VLAN 3 cfg ip if 1 Select IP interface 1 for def routers IP Int...

Page 35: ...ed bit wise AND with the local network mask and checked against the local network address By default the local network address and local network mask are both set to 0 0 0 0 This pro duces a range tha...

Page 36: ...ctive processing of network traffic every router on your network needs to know how to send a packet directly or indirectly to any other location destination in your network This is referred to as inte...

Page 37: ...is interested in that route for example if a peer would like to receive your static routes and the new route is static an update message is sent to that peer containing the new route For each route re...

Page 38: ...s configured with a metric of 3 thereby appearing to the switch to be three router hops away 1 Configure the switch as you normally would for Server Load Balancing SLB n Assign an IP address to each o...

Page 39: ...for a Denial of Service DoS attack the forwarding of directed broadcasts is disabled by default cfg vlan 1 Select VLAN 1 vlan 1 add port number Add a port to the VLAN membership vlan 1 ena Enable VLA...

Page 40: ...ve your configuration changes cfg ip bgp peer 1 Select BGP peer router 1 BGP Peer 1 ena Enable this peer configuration BGP Peer 1 addr 200 200 200 2 Set IP address for peer router 1 BGP Peer 1 if 200...

Page 41: ...TP servers on every subnet It allows the administrator to reduce the number of DHCP servers deployed on the network and to centralize them Without the DHCP relay agent there must be at least one DHCP...

Page 42: ...re shows a basic DHCP network example Figure 1 5 DHCP Relay Agent Configuration In Alteon Web switch implementation there is no need for primary or secondary servers The client request is forwarded to...

Page 43: ...tions can only be accomplished from stations on VLANs that include an IP interface to the switch n VLAN Topologies and Design Issues on page 45 This section discusses how you can logically connect use...

Page 44: ...known as its PVID The fac tory default value of all PVIDs is 1 This places all ports on the same VLAN initially although each port s PVID is configurable to any VLAN number between 1 and 4094 Any unta...

Page 45: ...ssues By default the Web OS software has a single VLAN configured on every port This configura tion groups all ports into the same broadcast domain The VLAN has an 802 1Q VLAN PVID of 1 VLAN tagging i...

Page 46: ...only for VLAN 3 so VLAN tagging is off Server 2 This high use server needs to be accessed from all VLANs and IP sub nets The server has an VLAN tagging adapter installed with VLAN tagging turned on Th...

Page 47: ...VLAN 2 and are logically in the same IP subnet as Server 2 and PC 5 Tagging is not enabled on their switch port PC 3 A member of VLAN 1 this PC can only communicate with Server 2 and PC 5 PC 4 A membe...

Page 48: ...mains n Ports 1 and 2 on both switches are on VLAN 10 ports 3 and 4 on both switches are on VLAN 22 Ports 5 and 6 on both switches are on VLAN 32 port 9 on both switches are on VLAN 109 n It is necess...

Page 49: ...th fails Spanning Tree automatically sets up another active path on the network to sustain network operations The relationship between port trunk groups VLANs and Spanning Trees is shown in Table 2 1...

Page 50: ...received BPDU to its own BPDU that it will transmit If the received BPDU is better than its own BPDU it will replace its BPDU with the received BPDU Then the Web switch adds its own bridge ID num ber...

Page 51: ...d VLANs are members of Spanning Tree Group 1 Why Do We Need Multiple Spanning Trees Figure 2 3 shows a simple example of why we need multiple Spanning Trees Two VLANs VLAN 1 and VLAN 100 exist between...

Page 52: ...A With a single Spanning Tree environment as shown in Figure 2 4 you will have two links blocked to prevent loops on the network It is possible that the blocks may be between Web switches C and D and...

Page 53: ...tified on each of the three shaded areas connect ing the switches The port numbers are shown next to each switch The Spanning Tree Group STG number for each VLAN is shown at the switch Figure 2 5 Impl...

Page 54: ...ric it is used to iden tify the VLANs participating in the Spanning Tree groups The Spanning Tree group ID is not transmitted in the BPDU Each Spanning Tree decision is based on the configuration of t...

Page 55: ...for Spanning Tree Group 2 and forwards it out from port 8 Web switch B receives this BPDU on its port 1 Port 1 on Web switch B is on VLAN 2 Spanning Tree group 1 Because Web switch B has no additiona...

Page 56: ...up 2 for VLAN 2 VLAN 2 is automatically removed from Spanning Tree Group 1 2 Configure the following on Web switch B Add port 1 to VLAN 2 port 8 to VLAN 3 and define Spanning Tree groups 2 for VLAN 3...

Page 57: ...from Spanning Tree group 1 and by default VLAN 2 remains in Spanning Tree Group 1 NOTE Web switch D does not require any special configuration for multiple Spanning Trees because it configured for the...

Page 58: ...route traffic through default gateway 5 and VLAN 3 is required to route traffic through default gateway 6 Figure 2 6 Default Gateways per VLAN You can configure 246 default gateways per VLAN with val...

Page 59: ...from VLAN 2 uses Gateway 5 to access destination IP address 192 168 20 200 If traffic from VLAN 3 requests the same destination address then traffic is routed via Gateway 5 instead of Gateway 6 becaus...

Page 60: ...ched to the switch cfg ip if 1 Select IP interface 1 for gateway 5 6 subnet IP Interface 1 addr 10 10 1 1 Assign IP address for interface 1 IP Interface 1 mask 255 255 255 0 Assign mask for IF 1 IP In...

Page 61: ...xamine the results under the gateway section If any settings are incorrect make the appropri ate changes cfg ip gw 5 Select default gateway 5 Default gateway 5 addr 10 10 1 20 Assign IP address for ga...

Page 62: ...Select the local network Menu IP Forwarding add 10 10 0 0 Specify the network for routers 1 2 3 IP Forwarding mask 255 255 0 0 Add the mask for the routers IP Forwarding add 172 21 2 0 Specify the net...

Page 63: ...ny VLAN that has Jumbo frames enabled Isolating Jumbo Frame Traffic using VLANs Jumbo frame traffic must not be used on a VLAN where there is any device that cannot process frame sizes larger than Eth...

Page 64: ...Non Jumbo Frame VLANs When IP routing is used to route traffic between VLANs the switch will fragment Jumbo UDP datagrams when routing from a Jumbo frame VLAN to a non Jumbo frame VLAN The result ing...

Page 65: ...rts up to four trunk groups per switch each with two to six links Figure 3 1 Port Trunk Group Trunk groups are also useful for connecting an Alteon Web switch to third party devices that support link...

Page 66: ...topologies however only a limited number of Layer 2 devices such as a hand ful of routers and servers feed the trunk lines When this occurs the limited number of MAC address combinations encountered...

Page 67: ...appropriate changes c Save your new configuration changes cfg trunk 1 Select trunk group 1 Trunk group 1 add 2 Add port 2 to trunk group 1 Trunk group 1 add 4 Add port 4 to trunk group 1 Trunk group...

Page 68: ...figured trunk group will be displayed Make sure that trunk groups consist of the expected ports and that each port is in the expected state The following restrictions apply n Any physical switch port...

Page 69: ...ted router summarizing routes defining route maps and so forth n OSPF Configuration Examples on page 83 This section provides step by step instruc tions on configuring four different configuration exa...

Page 70: ...stub area with additional capabilities Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas External routes from outside the AS can be advertised within th...

Page 71: ...ocal area n Area Border Router ABR a router that has interfaces in multiple areas ABRs maintain one LSDB for each connected area and disseminate routing information between areas n Autonomous System B...

Page 72: ...ghbors including the DR Each neighbor sends its data base information to the BDR just as with the DR but the BDR merely stores this data and does not distribute it If the DR fails the BDR will take ov...

Page 73: ...routing and can be done with static routes or using active internal routing protocols such as OSPF RIP or RIPv2 It is also useful to tell routers outside your network upstream providers or peers abou...

Page 74: ...Command Line Interface CLI Web OS Browser Based Interface BBI for Alteon AD4 and 184 switches or through SNMP The CLI supports the following parameters interface output cost interface priority dead a...

Page 75: ...d an area ID The command to define an OSPF area is as follows NOTE The aindex option above is an arbitrary index used only on the switch and does not represent the actual OSPF area number The actual O...

Page 76: ...are supported be sure that the area IDs are in the same format throughout an area Attaching an Area to a Network Once an OSPF area has been defined it must be associated with a network To attach the...

Page 77: ...27 is the highest and 1 is the lowest A priority value of 0 specifies that the interface cannot be used as a DR or BDR In case of a tie the routing device with the low est router ID wins Summarizing R...

Page 78: ...3 there are multiple routes leading from the area In such areas traffic for unrecognized destinations cannot tell which route leads upstream without further configuration To resolve the situation and...

Page 79: ...k must be configured on the routing devices at each endpoint of the virtual link though they may traverse multiple routing devices To configure an Alteon Web switch as one endpoint of a virtual link u...

Page 80: ...enticated so that only trusted routing devices can participate This ensures less processing on routing devices that are not listening to OSPF packets OSPF allows packet authentication and uses IP mult...

Page 81: ...0 on Web switches 1 2 and 3 3 Enable OSPF authentication for Area 2 on Web switch 4 4 Configure a simple text password up to eight characters for the virtual link between Area 2 and Area 0 on Web swit...

Page 82: ...IP address serves a different and equal portion of the external world incoming traffic from the upstream router should be split evenly among ABRs n ABR Failover Complementing ABR load sharing identica...

Page 83: ...is required for each desired network range of IP addresses being assigned to an OSPF area on the Web switch 2 Optional Configure the router ID The router ID is required only when configuring virtual l...

Page 84: ...k that will be attached to OSPF areas In this example two IP interfaces are needed one for the backbone network on 10 10 7 0 24 and one for the stub area network on 10 10 12 0 24 2 Enable OSPF cfg ip...

Page 85: ...ype OSPF Area index 0 enable Enable the area OSPF Area index 0 aindex 1 Select menu for area index 1 OSPF Area index 1 areaid 0 0 0 1 Set the area ID for OSPF area 1 OSPF Area index 1 type stub Define...

Page 86: ...onfiguring virtual links Later when configuring the other end of the virtual link on Web Switch 2 the router ID specified here will be used as the target vir tual neighbor nbr address 3 Enable OSPF cf...

Page 87: ...SPF Area index 0 aindex 1 Select menu for area index 1 OSPF Area index 1 areaid 0 0 0 1 Set the area ID for OSPF area 1 OSPF Area index 1 type transit Define area as transit type OSPF Area index 1 ena...

Page 88: ...irtual link as follows 5 Define the transit area cfg ip if 1 Select menu for IP interface 1 IP Interface 1 addr 10 10 12 2 Set IP address on transit area network IP Interface 1 enable Enable IP interf...

Page 89: ...the menu for area index 2 OSPF Area index 2 areaid 0 0 0 2 Set the area ID for OSPF area 2 OSPF Area index 2 type stub Define area as stub type OSPF Area index 2 enable Enable the area OSPF Area index...

Page 90: ...200 0 through 36 128 200 255 Figure 4 7 Summarizing Routes NOTE You can specify a range of addresses to prevent advertising by using the hide option In this example routes in the range 36 128 200 0 th...

Page 91: ...e OSPF Area index 1 enable Enable the area OSPF Area index 1 if 1 Select OSPF menu for IP interface 1 OSPF Interface 1 aindex 0 Attach network to backbone index OSPF Interface 1 enable Enable the back...

Page 92: ...r both virtual server IP addresses 10 10 10 1 and 10 10 10 2 The upstream router sees that both addresses exist on both Web switches and uses the host route with the lowest cost for each Traffic for 1...

Page 93: ...for real server 2 Real server 2 ena Enable the real server Real server 2 group 1 Select menu for real server group 1 Real server group 1 add 1 Add real server 1 to group Real server group 1 add 2 Add...

Page 94: ...virtual server Virtual server 1 group 1 Use real server group 1 for http service Virtual server 1 cfg ip if 1 Select menu for IP interface 1 IP Interface 1 addr 10 10 7 1 Set IP address on backbone ne...

Page 95: ...Interface 1 if 2 Select OSPF menu for IP interface 2 OSPF Interface 2 aindex 1 Attach network to stub area index OSPF Interface 2 enable Enable the stub area interface OSPF Interface 2 host 1 Select...

Page 96: ...group 1 add 2 Add real server 2 to group Real server group 1 enable Enable the group Real server group 1 on Turn SLB on Layer 4 virt 1 Select menu for virtual server 1 Virtual server 1 vip 10 10 10 1...

Page 97: ...ype transit Define backbone as transit type OSPF Area index 0 enable Enable the area OSPF Area index 0 aindex 1 Select menu for area index 1 OSPF Area index 1 areaid 0 0 0 1 Set the ID for stub area 1...

Page 98: ...info ospf route n stats route Refer to the Web OS 10 0 Command Reference for information on the above commands OSPF Interface 2 host 1 Select menu for host route 1 OSPF Host Entry 1 addr 10 10 10 1 Se...

Page 99: ...tch port you can set a source IP address or range that will be allowed to connect to the switch IP interface through Telnet SSH SNMP or the Web OS Browser Based Interface BBI This will also help preve...

Page 100: ...0 and the mmask is set to 255 255 255 128 This defines the following range of allowed IP addresses 192 192 192 1 to 192 192 192 127 n A host with a source IP address of 192 192 192 21 falls within the...

Page 101: ...ryption of management information exchanged between the remote administrator and the switch Examples of protocols to encrypt management information are SSH Secure Shell and SCP Secure Copy Authenticat...

Page 102: ...ation protocol support acting as a client in the AA model n A back end authentication and authorization server that performs the following functions o Authenticates remote administrators o Checks the...

Page 103: ...ent will communicate to the RADIUS server to authenticate and authorize a remote administrator using the protocol defini tions specified in RFC 2138 and 2866 Transactions between the client and RADIUS...

Page 104: ...the secondary authen tication server Use the cfg sys radius cur command to show the currently active RADIUS authentication server n Supports user configurable RADIUS server retry and time out values...

Page 105: ...for future use to provide access to operational commands for operators managing traffic on the line leading to the shared Internet services l4oper Operator The Operator manages all functions of the s...

Page 106: ...an option to allow backdoor access via the console only or console and telnet access The default is disable for telnet access and enable for console access All user privileges other than those assigne...

Page 107: ...Using SSH gives administrators an alternate way to manage the switch one that provides strong security SCP is typically used to copy files securely from one machine to another SCP uses SSH for encryp...

Page 108: ...et the SCP admin password this password must be different from the admin password The following SCP commands are supported in this service These commands are entered using the CLI on the client that i...

Page 109: ...To generate a host key n To generate a server key Again the host and server key are automatically stored in FLASH memory when generated NOTE For security reasons the SSHD menu options are available v...

Page 110: ...ord the SecurID authentication is being performed now You will need to provide your actual username and the token in your SecurID card as a regular Telnet user would do in order to log in To use SCP y...

Page 111: ...if the switch is busy doing other key or cipher generation when the timer expires To enable or disable the SCP apply and save SCP putcfg_apply and putcfg_apply_save commands use these commands The fol...

Page 112: ...name switch IP address n To download the switch configuration using SCP scp switch IP address getcfg local filename n To upload the configuration to the switch scp local filename switch IP address put...

Page 113: ...ing Ports Figure 5 2 shows two mirrored ports monitored by a single port Similarly you can have a sin gle or groups of n a mirrored port to a monitored port n many mirrored ports to one monitored port...

Page 114: ...iguration cfg pmirr monport 5 Select port 5 for monitoring Port 5 add 1 Select port 1 to mirror Enter port mirror direction in out or both in Monitor ingress traffic on port 1 Port 5 add 3 Select port...

Page 115: ...ry IP however is not optimized for all the various applications Web switching goes beyond IP and makes intelligent switching decisions based on the application and its data This sections details the f...

Page 116: ...Web OS 10 0 Application Guide 116 n Web Switching Fundamentals 212777 A February 2002...

Page 117: ...rovides reliability performance and ease of maintenance on your network o Network Topology Requirements on page 122 This section provides key require ments to consider before deploying server load bal...

Page 118: ...back up without interrupting access to services n Increased scalability of services As users are added and the server pool s capabilities are saturated new servers can be added to the pool transparen...

Page 119: ...often happens in networks where other servers are actually available The solution to getting the most from your servers is SLB With this software feature the switch is aware of the services provided b...

Page 120: ...ch receives the request it binds the session to the IP address of the best available real server and remaps the fields in each frame from virtual addresses to real addresses IP FTP RTSP IDS and static...

Page 121: ...num ber of simultaneous Web connection requests also increases Figure 6 2 Web Hosting Configuration Without SLB Such a company has three primary needs n Increased server availability n Server performa...

Page 122: ...ndard SLB all client requests to a virtual server IP address and all responses from the real servers must pass through the switch as shown in Figure 6 4 If there is a path between the client and the r...

Page 123: ...onfigured to process server responses to cli ent requests provide address translation from the real server IP address to the virtual server IP address These ports require real servers to be connected...

Page 124: ...Assign an IP address to each of the real servers in the server pool The real servers in any given real server group must have an IP route to the switch that per forms the SLB functions This IP routing...

Page 125: ...l IP address and enable the real server For example 4 Define a real server group and add the three real servers to the service group cfg ip if 1 Select IP interface 1 IP Interface 1 addr 200 200 200 1...

Page 126: ...le Services on page 130 6 Define the port settings In this example the following ports are being used on the Web switch Real server group 1 cfg slb virt 1 Select virtual server 1 Virtual server 1 vip...

Page 127: ...then check the information again Virtual server 1 cfg slb port 1 Select physical switch port 1 SLB port 1 server ena Enable server processing on port 1 SLB port 1 port 2 Select physical switch port 2...

Page 128: ...verflow Servers on page 135 Supported Services and Applications Each virtual server can be configured to support up to eight services limited to a total of 256 services per switch Using the cfg slb vi...

Page 129: ...r SLB By default the imask setting is 255 255 255 255 which means that each real and virtual server represents a single IP address An imask setting of 255 255 255 0 would mean that each real and virtu...

Page 130: ...ails a health check for a service then the status of the real server for the second service appears as blocked If you are configuring two independent services such as FTP and SMTP where the real serve...

Page 131: ...ncing is achieved when the IP address destinations of load balanced frames are spread across a broad range of IP subnets n For SLB the client source IP address and real server IP address are used All...

Page 132: ...is added to or leaves the mix then a different server might be assigned to a subsequent session with the same IP address information even though the original server is still available Open connection...

Page 133: ...real server octet counts to assign sessions to a server The switch monitors the number of octets sent between the server and the switch Then the real server weights are adjusted so they are inversely...

Page 134: ...d of all connections on the designated real server to four minutes Maximum Connections for Real Servers You can set the number of open connections each real server is allowed to handle for SLB To set...

Page 135: ...l server group If all real servers in a real server group fail or overflow the backup comes online Real server groups can also use another real server group for backup overflow cfg slb real 4 Select r...

Page 136: ...nt sends its own IP address for use as a return address If a proxy IP address is configured for the client port on the switch the switch replaces the client s source IP address with the switch s own p...

Page 137: ...ple Port Usage Port Host L4 Processing 1 Server A None 2 Server B None 3 Server C None 4 Back end NFS server provides centralized Web content for all three real servers This port does not require Web...

Page 138: ...of this manual and for information on using the commands see the Web OS Command Reference cfg slb adv matrix for more information 4 Apply and save your changes NOTE Remember that you must apply any c...

Page 139: ...pping is supported with Direct Access Mode DAM For infor mation about DAM refer to Using Direct Access Mode on page 143 Mapping a Single Virtual Server Port to Multiple Real Server Ports To take advan...

Page 140: ...o ports 8001 and 8002 for HTTP services the logical real servers are n 192 168 2 1 8001 n 192 168 2 1 8002 n 192 168 2 2 8001 n 192 168 2 2 8002 n 192 168 2 3 8001 n 192 168 2 3 8002 n 192 168 2 4 800...

Page 141: ...cfg slb virt virtual server number service virtual port the switch maps the virtual port to the real port NOTE To use the single virtual port to multiple rport feature configure this real server port...

Page 142: ...arge amounts of data are flowing from servers to clients such as with content providers or portal sites that typically have asymmetric traffic patterns DSR and content intelligent Layer 7 switching ca...

Page 143: ...ith DAM enabled any number of virtual services can be configured to load balance a real service Traffic sent directly to real server IP addresses is excluded from load balancing decisions The same cli...

Page 144: ...SLB processing as it returns through the Web switch with the real server IP address getting remapped back to the virtual server IP address on the Web switch First two port processes must be executed o...

Page 145: ...lanced NOTE Clients on the management network do not have access to SLB services and cannot access the virtual services being load balanced The mnet and mmask options are described below n mnet If def...

Page 146: ...instead sends another SYN request the server gets saturated with SYN requests As a result all of the servers resources are consumed and it can no longer service legitimate client requests Figure 6 9...

Page 147: ...hus pre venting the server from being inundated with SYN requests NOTE Delayed binding is automatically enabled when content intelligent switching features are used However if you are not parsing cont...

Page 148: ...ides enhanced security n Improves visibility and protection for DoS attacks The probability of a SYN attack is higher if excessive half open sessions are being generated on the Web switch Half open se...

Page 149: ...er Load Balancing IP server load balancing allows you to configure your Web switch for server load balancing based on client s IP address only Typically the client IP address is used with the client p...

Page 150: ...annel the passive FTP mode does not pose a prob lem with firewalls and is the most common mode of operation FTP Network Topology Restrictions FTP network topology restrictions are listed below n FTP u...

Page 151: ...e switch to send TCP DNS queries to one group of real servers and UDP DNS queries to another group of real servers The requests are then load balanced among the real servers in that group Figure 6 11...

Page 152: ...address Real server 20 real 21 Real server 21 ena Enable real server 21 Real server 21 rip 10 10 10 21 Specify the IP address Real server 20 real 22 Real server 22 ena Enable real server 22 Real serve...

Page 153: ...oes not process session requests with a TCP three way handshake 4 Enable UDP DNS queries 5 Apply and save your configuration cfg slb virt 1 vip 20 20 20 20 Specify the virt server IP address Virtual S...

Page 154: ...based load balancing make sure to disable UDP DNS queries 5 Apply and save your configuration cfg slb virt 2 vip 20 20 20 20 Specify the virt server IP address Virtual Server 2 ena Enable the virtual...

Page 155: ...metric URL hashing and URL pattern matching and all Layer 4 load balancing metrics RTSP load balancing with the URL hash metric can be used to load balance cache servers that cache multimedia presenta...

Page 156: ...be played over the Internet using RTSP are specially formatted and are called hinted QuickTime files Normal QuickTime files cannot be used for streaming The QuickTime files have the extension mov Qui...

Page 157: ...for Layer 4 load balancing of RTSP select rtsp or port 554 as a service for the virtual server 2 To configure a virtual server for Layer 7 URL hashing of RTSP select rtsp as a virtual service and enab...

Page 158: ...teway the request should go WAP SLB is based on RADIUS static session entry or RADIUS snooping The following topics are discussed in this section n Using RADIUS Static Session Entries n Using RADIUS S...

Page 159: ...ssion The WAP gateway issues another Add Session request on detecting that it has lost a request The WAP gateway detects this situation when it receives WAP traffic that does not belong to that WAP ga...

Page 160: ...s It needs to know the type of the RADIUS Accounting message the client IP address the caller ID and the user s name If it finds this information the switch adds a session entry to its session table I...

Page 161: ...n Protocol SLB 1 Enable the external notification from WAP gateway to add and delete session request 2 Enable TPCP for adding and deleting WAP sessions Configuring RADIUS Snooping Consider the followi...

Page 162: ...not available in the RADIUS Accounting packets In such a case the switch uses USER_NAME to choose a WAP server instead of CALLING_STATION_ID Thus persistence cannot be maintained Configure the follow...

Page 163: ...rd the information about the intruders IDS Server Load Balancing helps scale intrusion detection systems since it is not possible for an individual server to scale information being processed at gigab...

Page 164: ...s are not applicable to IDS server load balancing Configuring IDS Server Load Balancing To configure your switch for IDS do the following NOTE IDS SLB is supported only when RTSP SLB or WAP RADIUS Sno...

Page 165: ...for the clients 5 Define the group health check If you implemented IDS without an IP address link health check is specifically developed for IDS load balancing Use ICMP health check if your IDS server...

Page 166: ...used to steer requests initiated within the user s network and his her responses over the appropriate link at that moment in time How WAN Link Load Balancing Works The Web switch uses redirection fil...

Page 167: ...ction filter 5 Enable WAN link load balancing proxy for the redirection filter 6 Apply and save your changes cfg slb real 1 Select the real server menu Real server 1 ena Enable real server 1 Real serv...

Page 168: ...Web OS 10 0 Application Guide 168 n Chapter 6 Server Load Balancing 212777 A February 2002...

Page 169: ...page 176 o IP Address Ranges on page 178 o Cache Enabled versus Cache Disabled Filters on page 178 n TCP Rate Limiting on page 179 This section explains how TCP rate limiting allows you to monitor th...

Page 170: ...rns For more information see Layer 7 Deny Filter on page 417 This gives the administrator control over the types of traffic permitted through the switch Any filter can be optionally configured to gene...

Page 171: ...er criteria you can create a single filter that blocks external Telnet traffic to your main server except from a trusted IP address Another filter could warn you if FTP access is attempted from a spec...

Page 172: ...pplied first For example consider a filter system where the Internet is divided according to destination IP address Figure 7 1 Assigning Filters According to Range of Coverage Assuming that traffic is...

Page 173: ...iguring filters for IP traffic con trol and redirection Using default filters can increase session performance but takes some of the session binding resources If you experience an unacceptable number...

Page 174: ...ned based on data traffic for example ingress traffic on VLAN 1 egress traffic on VLAN 2 and management traffic on VLAN 3 filters can be applied accordingly to the different VLANs In the following exa...

Page 175: ...From any source IP address Filter 2 dip 205 177 15 0 To base local network dest address Filter 2 dmask 255 255 255 0 For entire subnet range Filter 2 proto tcp For TCP protocol traffic Filter 2 sport...

Page 176: ...and 80 Peak processing efficiency is achieved when filters are numbered sequentially beginning with 1 Filter Logs To provide enhanced troubleshooting and session inspection capability packet source an...

Page 177: ...is shown below displaying the filter number port source IP address and destination IP address cfg slb filt 15 Select filter 15 Filter 15 sip any From any source IP address Filter 15 dip any To any des...

Page 178: ...sabled Filters To improve efficiency by default the Web switch performs filter processing only the first frame in each session Subsequent frames in the session are assumed to match the same criteria a...

Page 179: ...The switch monitors the number of new TCP connections and when it exceeds the configured limit any new TCP connection request is blocked When this occurs the client is said to be held down The client...

Page 180: ...nnections to a virtual IP address or a group of virtual IP addresses Basic TCP Rate Limiting Filter The following example shows how to configure TCP rate limiting for Filter 10 in Figure 7 5 1 Enable...

Page 181: ...g attacked The default is 100 TCP connections per second For larger sites TCP rate limit greater than 2550 connection per second indicates the possibility that your switch is under attack 4 Set the ho...

Page 182: ...ond 150 connections second Any client with source IP address equal to 30 30 30 x is allowed to make 150 new TCP con nections per second to any single destination When the rate limit of 150 is met the...

Page 183: ...s 2 seconds hold down time holddur x slowage 5 x 8 minutes 40 minutes max rate maxcon time window 200 connections 2 seconds 100 connections second cfg slb filt 100 ena Enable the filter Filter 100 dip...

Page 184: ...e 24 bit source IP address ensures that client requests access the same cache 2 Set the metric for the real server group to minmisses or hash The source IP address is passed to the real server group f...

Page 185: ...is generally recommended that you configure filters to deny all traffic except for those services that you specifically wish to allow In this example the administrator wishes to install basic securit...

Page 186: ...IP subnet 2 Create a default filter that will deny and log unwanted traffic The default filter is defined as Filter 224 in order to give it the lowest order of precedence NOTE Because the proto parame...

Page 187: ...port Filter 1 action allow Allow matching traffic to pass Filter 1 name allow matching traffic Provide a descriptive name for the filter Filter 1 ena Enable the filter Filter 1 filt 2 Select the menu...

Page 188: ...and outgoing Filter 3 filt 4 Select the menu for Filter 4 Filter 4 sip any From any source IP address Filter 4 dip 205 177 15 0 To base local network dest address Filter 4 dmask 255 255 255 0 For enti...

Page 189: ...in From a DNS source port Filter 7 dport any To any destination port Filter 7 action allow Allow matching traffic to pass Filter 7 ena Enable the filter Filter 7 filt 8 Select the menu for Filter 8 Fi...

Page 190: ...y appropriate configuration changes and then check the information again NOTE Changes to filters on a given port do not take effect until the port s session information is updated every two minutes or...

Page 191: ...ly unique IP addresses With NAT private networks are not required to remain isolated NAT capabilities within the switch allow internal private network IP addresses to be translated to valid publicly a...

Page 192: ...n nat Use the same settings as outbound Filter 11 nat dest Reverse the translation direction Filter 11 sip 10 10 10 0 Use the same settings as outbound Filter 11 smask 255 255 255 0 Use the same setti...

Page 193: ...rnal private network require TCP UDP access to the Internet Figure 7 9 Dynamic Network Address Translation NOTE Dynamic NAT can also be used to support ICMP traffic for PING This example requires a NA...

Page 194: ...Filter 14 dip 10 10 10 0 If the destination is not private Filter 14 dmask 255 255 255 0 For the entire private subnet range Filter 14 sip any From any source IP address Filter 14 action nat Perform...

Page 195: ...witch can monitor the control channel and replace the client s private IP address with a proxy IP address defined on the switch When a client in active FTP mode sends a port com mand to a remote FTP s...

Page 196: ...destination is not private Filter 14 dmask 255 255 255 0 For the entire private subnet range Filter 14 sip any From any source IP address Filter 14 action nat Perform NAT on matching traffic Filter 1...

Page 197: ...ag filters must be cache disabled Exercise caution when applying cache enabled and cache disabled filters to the same switch port For more information see Cache Enabled versus Cache Disabled Filters o...

Page 198: ...server would listen to the TCP SYN allocate buffer space for the connection and reply to the connect request In some SYN attack scenarios this could cause the server s buffer space to fill crashing th...

Page 199: ...pass Filter 15 ena Enable the filter Filter 15 adv tcp Select the advanced TCP menu Filter 15 Advanced ack ena Match acknowledgments only Filter 15 Advanced cfg slb filt 16 Select a filter for incomi...

Page 200: ...B port 1 add 16 Add the incoming HTTPS filter SLB port 1 add 224 Add the default filter to the port SLB port 1 filt ena Enable filtering on the port SLB port 1 port 2 Select the first Web server port...

Page 201: ...ge types ICMP message type filtering must be enabled Web OS software supports filtering on the following ICMP message types Table 7 6 ICMP Message Types Type Message Type Description 0 echorep ICMP ec...

Page 202: ...ne time The any option disables ICMP message type filtering The list option displays a list of the available ICMP message types that can be entered NOTE ICMP message type filters must be cache disable...

Page 203: ...e on page 206 This section provides a step by step procedure on how to intercept all Internet bound HTTP requests on default TCP port 80 and redirect them to the Web cache servers n RTSP Web Cache Red...

Page 204: ...ation redirection filters are properly configured for the Web OS powered switch outbound client requests for Internet data are intercepted and redirected to a group of application or Web cache servers...

Page 205: ...ng services n Performance is improved by balancing the cached Web request load across multiple serv ers More servers can be added at any time to increase processing power n The proxy is transparent to...

Page 206: ...protocols and TCP or UDP applications shown in this example See Table 6 3 on page 128 and Table 7 2 on page 171 for a list of other well known protocols and services 1 Assign an IP address to each of...

Page 207: ...pecify its actual IP address and enable the real server For example 5 Define a real server group This places the three Web cache real servers into one service group cfg ip if 1 Select IP interface 1 I...

Page 208: ...edirected traffic will be sent The port defined by the rport parameter is used when performing Layer 4 health checks of TCP services Also if NAT and proxy addresses are used on the Web switch see Step...

Page 209: ...S Command Reference 12 Examine the resulting information from the cur command If any settings are incorrect make appropriate changes Filter 2 filt 224 Select the default filter Filter 224 sip any From...

Page 210: ...filters on a given port only effect new sessions To make filter changes take effect immediately clear the session binding table for the port see the oper slb clear command in the Web OS Command Refere...

Page 211: ...te locally Since the requests for this data are directed to the local cache they are served faster You can also configure certain URL content to be non cacheable The requests for non cacheable URLs wi...

Page 212: ...port rtsp Enter service port for RTSP Filter 1 rport rtsp Enter redirection port for RTSP Filter 1 group 1 Select RTSP cache server group 1 Filter 1 adv Select advanced menu for filter 1 Filter 1 Adva...

Page 213: ...sses to the redirection ports Each of the ports using redirection filters require proxy IP addresses to be configured Each proxy IP address must be unique on your network These are configured as follo...

Page 214: ...of other well known services and ports see the Web OS Command Reference 4 Apply and save your changes 5 Check server statistics to verify that traffic has been redirected based on filtering criteria...

Page 215: ...e if you wished to prevent a popular Web based game site on subnet 200 10 10 from being redirected you could add the following to the previous example configuration cfg slb filt 1 Select the menu for...

Page 216: ...Web OS 10 0 Application Guide 216 n Chapter 8 Application Redirection 212777 A February 2002...

Page 217: ...enable VMA especially when using Bandwidth Management and Content Intelligent Switch ing for multiple frames processing up to 4500 bytes Proxy IP Addresses and VMA By default VMA is enabled on the Web...

Page 218: ...bled is processed by other ports that have been configured with a proxy IP address but the client source address will not be replaced with a proxy IP address before it is forwarded to a server NOTE VM...

Page 219: ...client queries made to the Virtual server IP address when the server is in Direct Server Return DSR mode n Link Health Checks on page 223 This section describes how to perform Layer 1 health checking...

Page 220: ...ks on page 238 This section explains how to use Net work News Transfer Protocol NNTP server to perform health checks between a cli ent system and a mail server and how to configure the switch for NNTP...

Page 221: ...us of each service on each real server every two sec onds Sometimes the real server may be too busy processing connections to respond to health checks If a service does not respond to four consecutive...

Page 222: ...checks for DSR configurations For more informa tion see Using Direct Server Return on page 142 The switch is able to verify that the server correctly responds to requests made to the virtual server IP...

Page 223: ...1 health checking on the IDS As long as the physical link between the switch and the IDS is up it indicates the IDS is alive To perform this health check a link option has been added to the real serv...

Page 224: ...uests identify both failed servers and failed services on a healthy server When a connection request succeeds the session switch quickly closes the connection by sending a TCP FIN finished packet NOTE...

Page 225: ...of multiple domains or Web sites Web OS supports the following capacity for a single switch n 1024 bytes per script n 16 scripts per switch n approximately 10 to 15 health check statements HTTP get a...

Page 226: ...ww hostname com press Enter key twice This is known as a host header It is important to include because most Web sites now require it for proper processing Host headers were optional in HTTP 1 0 but a...

Page 227: ...heck Configure the switch to check a series of Web pages HTML or dynamic CGI scripts before it declares a real server is available to receive requests NOTE If you are using the CLI to create a health...

Page 228: ...h check statements to check all the substrings involved in all the real servers Site 1 with Virtual Server 1 and the following real servers n Real Server 1 and Real Server 2 images n Real Server 3 and...

Page 229: ...ll respond to the first GET health check If all the real server IP addresses are down Real Server 7 the virtual server IP address of the remote site will respond with an HTTP Redirect respond code 302...

Page 230: ...ecks on page 233 n FTP Server Health Checks on page 234 n POP3 Server Health Checks on page 235 n SMTP Server Health Checks on page 236 n IMAP Server Health Checks on page 237 n NNTP Server Health Che...

Page 231: ...dex html Health check is performed using GET index html HTTP 1 1 Host everest alteonwebsystems com NOTE If the content is not specified the health check will revert back to TCP on the port that is bei...

Page 232: ...everest index html Health check is performed using GET index html HTTP 1 1 Host everest Configuring the Switch for HTTP Health Checks Perform the following on the switch to configure the switch for H...

Page 233: ...ried may be modified by specifying the content command if you need to change the domain name Configuring the Switch for UDP based Health Checks Configure the switch to verify if the DNS server is ali...

Page 234: ...t up it is always initiated by the client However either the client or the server may be the sender of data Along with transferring user requested files the data transfer mechanism is also used for tr...

Page 235: ...POP3 service by listening on TCP port 110 When a client host wants to make use of the service it establishes a TCP connection with the server host Configuring the Switch for POP3 Health Checks To supp...

Page 236: ...il client using either POP or IMAP Configuring the Switch for SMTP Health Checks To support SMTP health checking the network administrator must configure a username pass word value in the switch using...

Page 237: ...he switch using the content option on the SLB Real Server Group Menu cfg slb group To configure the switch for IMAP health checks 1 Select the health check menu for the real server group 2 Set the hea...

Page 238: ...net community NNTP is designed so that news articles are stored in a central database allowing a subscriber to select only those items he wishes to read NNTP is documented in RFC977 Articles are trans...

Page 239: ...ifying the user name and password the data base may specify the client s or port s the user is allowed to access NOTE Network attached storage NAS is hard disk storage that is set up with its own net...

Page 240: ...verifies fields in the response and marks the service Up if the fields are OK During the handshake the user and server exchange security certificates negotiate an encryp tion and compression method an...

Page 241: ...the gateway is also specified in the form of hexadecimal byte string The switch matches each byte of this string with the received content If there is a mismatch of even a single byte on the received...

Page 242: ...Hello based health check for connection oriented WTLS traffic on port 9203 The web switch sends a new WTLS Client Hello to the WAP gateway and checks to see if it receives a valid WTLS Server Hello b...

Page 243: ...protocol session by sending an anonymous bind request to the server n Bind response On receiving the bind request the server sends a bind response to the switch If the result code indicates that the...

Page 244: ...check type to LDAP for the real server group 3 Apply and save your configuration Determining the Version of LDAP 1 Select the Advanced Menu 2 Set the version of LDAP The default version is 2 3 Apply a...

Page 245: ...e health check consists of the following sequence of actions 1 Accessing the ARP table 2 Looking for the session entry in the ARP table If the entry exists in the table that means the real server is u...

Page 246: ...iled service from load balancing allows users access to all healthy servers supporting a given service When a service on a server is in the service failed state the session switch sends Layer 4 connec...

Page 247: ...lemented in Web OS n High Availability Configurations on page 263 This section discusses a few of the more useful and easily deployed redundant configurations o Active Standby Virtual Server Router Co...

Page 248: ...ly process traffic addressed to it Because the router associated with a given alternate path supported by VRRP uses the same IP address and MAC address as the routers for other paths the host s gatewa...

Page 249: ...ot to implement an IP address owner For the purposes of this chapter VRRP routers that are not the IP address owner are called renters Master and Backup Virtual Router Within each virtual router one V...

Page 250: ...al interface is configured with an IP address that is on the same subnet as the virtual interface router but is not the IP address of the virtual interface router The virtual interface router has been...

Page 251: ...nge permitted for non owners If there is an IP address owner it is always the master for the virtual interface router as long as it is available The master periodically sends advertisements to an IP m...

Page 252: ...kup for the virtual interface router with VRID 1 In this manner both routers can actively forward traffic at the same time but not for the same interface Figure 11 2 Example 2 VRRP Router Table 11 1 A...

Page 253: ...lls it into action Service pro viders now demand that vendors equipment support redundant configurations where all devices can process traffic when they are healthy increasing site throughput and decr...

Page 254: ...al server IP addresses and acts as a standby for other services on the other switch If either switch fails the remaining switch takes over processing for all services The backup switch may forward Lay...

Page 255: ...the same service at the same time both switches can be active simultaneously for a given IP routing interface or load balancing virtual server VIP Figure 11 5 Active Active Redundancy In the example a...

Page 256: ...ciated with it and is now based on VRRP In a hot standby configuration two or more switches provide redundancy for each other One switch is elected master and actively processes Layer 4 traffic The ot...

Page 257: ...e also used to help bridges learn the virtual router MAC address Since all of the virtual routers can have different virtual router identifiers VRIDs you must rotate the MAC source address of the adve...

Page 258: ...forces the user to configure a inter switch link when hot standby is globally enabled and prohibits the inter switch link from also being a hot standby link for VRRP advertisements These advertisement...

Page 259: ...ed Only the master can process packets that are destined for the virtual server IP address and respond to ARP requests One difference between virtual server routers and virtual interface routers is th...

Page 260: ...sed in configurations where incoming packets have more than one entry point into the virtual router for example where a hub is used to connect the switches Table 11 2 Sharing Active Active Failover We...

Page 261: ...g to have any effect on virtual router operation preemption must be enabled NOTE Tracking only affects hot standby and active standby configurations It does not have any effect on active active sharin...

Page 262: ...er This parameter influences the VRRP router s prior ity in both virtual interface routers and virtual server routers Number of healthy real servers behind the virtual server IP address that is the sa...

Page 263: ...ming packets will be seen by more than one switch such as instances where a hub is used to connect the switches In this configuration when both switches are healthy only the master responds to packets...

Page 264: ...Synchronizing Configurations on page 282 6 Change the real servers in the Web switch 2 configuration to RIP 205 178 13 105 RIP 205 178 13 106 RIP 205 178 13 107 and RIP 205 178 13 108 Adjust Web swit...

Page 265: ...alanced packets are sent to the virtual server IP address resulting in higher capacity and performance than when the switches are used in an active standby configuration The switch on which a frame en...

Page 266: ...226 and priority Be sure to enable sharing 5 Synchronize the SLB and VRRP configurations by pushing the configuration from Web switch 1 to Web switch 2 Use the oper slb sync command 6 Reverse the rol...

Page 267: ...an 15 min utes to complete You can use either the Web OS Browser Based Interface BBI or the Com mand Line Interface CLI for configuration Task 1 Background Configuration 1 Define the IP interfaces The...

Page 268: ...enabled by default Make sure IP forwarding is enabled if the virtual server IP addresses and real server IP addresses are on different subnets or if the switch is connected to different subnets and t...

Page 269: ...10 10 6 24 n RIP 3 20 10 10 5 24 n RIP 4 20 10 10 6 24 n RIP 5 30 10 10 5 24 n RIP 6 30 10 10 6 24 n RIP 7 200 1 1 5 24 n RIP 8 200 1 1 6 24 2 Define the real server groups adding the appropriate rea...

Page 270: ...stined for a load balanced service Defining a server port state tells the port to the do the remapping NAT of the real server IP address back to the virtual server IP address Note the following n The...

Page 271: ...ciate with IP interface 5 Address 200 200 200 104 2 Configure virtual routers 1 3 5 and 7 These virtual routers will act as the default gateways for the servers on each respective subnet Because these...

Page 272: ...R 3 Priority 101 n VR 4 Priority 101 4 Configure priority tracking parameters for each virtual router For this example the best parameter s on which to track is Layer 4 ports l4pts Use the following c...

Page 273: ...as Customer Name Switch 1 then type the following command in the switch command line interface cfg dump A script will be dumped out d Stop logging your session transfer capture text stop Modify the sc...

Page 274: ...deleted by resetting it to factory settings using the following command You can tell if the switch is at factory default when you log on because the switch will prompt you if you want to use the step...

Page 275: ...time is 45 50 seconds much longer than the typical failover rate using VRRP only NOTE To use hot standby redundancy peer switches must have an equal number of ports Figure 11 10 Hot Standby Configurat...

Page 276: ...RP menu enable VRRP group mode then enable hot standby 3 Sync the VRRP SLB and filter settings to the other switch same ports NOTE Switches peering with each other must have an equal number of ports 4...

Page 277: ...unexpected operational characteristics and therefore are not recommended Synchronizing Active Active Failover The hot standby failover required the primary and secondary switches to have identical con...

Page 278: ...active failover is significantly different from the hot standby failover method supported in previous releases As shown in Figure 11 11 active active configurations can introduce loops into complex L...

Page 279: ...o Eliminate Loops When using VRRP you can decrease failover response time by using VLANs instead of STP to separate traffic into non looping broadcast domains An example is shown in Figure 11 13 Figur...

Page 280: ...in the process n If Web switch 1 is the master and it has two or more active servers fewer than Web switch 2 then Web switch 2 becomes the master n If Web switch 2 is the master it remains the master...

Page 281: ...ng So Web switch 1 s priority will settle out at 112 and Web switch 2 s priority at 125 When both servers are restored to Web switch 1 that switch s priority will rise by 12 2 healthy real servers X 6...

Page 282: ...IP address as follows Similarly from switch 2 configure switch 1 as a peer and specify its IP address as follows Port specific parameters such as what filters are applied and enabled on what ports are...

Page 283: ...does not synchronize all sessions except persistent sessions Make sure Direct Access Mode DAM is enabled when you configure stateful failover for Layer 7 persistency for example SSL session ID persist...

Page 284: ...l failover the following sequence of events occurs 1 The backup switch Switch 2 becomes active 2 The incoming request is redirected to Switch 2 3 When the user clicks Submit again the request is forwa...

Page 285: ...Enable stateful failover 2 Set the update interval On the Backup Switch 1 Turn on stateful failover 2 Set the update interval NOTE The update does not have to be the same for both switches Stateful f...

Page 286: ...the info vrrp command If the switch is a master If the switch is a backup info vrrp View VRRP Information VRRP information 1 vrid 1 172 21 16 187 if 4 renter prio 109 master server 3 vrid 3 192 168 1...

Page 287: ...ags and cookies so that each request can be isolated and treated intelligently This section describes the following advanced Web switching applications n Global Server Load Balancing n Firewall Load B...

Page 288: ...Web OS 10 0 Application Guide 288 n Advanced Web Switching 212777 A February 2002...

Page 289: ...oad Balancing GSLB across multiple geographic sites The following topics are covered n GSLB Overview on page 290 n Configuring GSLB on page 293 n IP Proxy for Non HTTP Redirects on page 304 n Verifyin...

Page 290: ...rforming sites receive a majority of traffic over a given period of time but are not overwhelmed n Switches at different sites regularly exchange information through the Distributed Site State Protoco...

Page 291: ...NS resolution for GSLB is described in detail in the following procedure 1 The client Web browser requests the www foocorp com IP address from the local DNS 2 Client s DNS asks its upstream DNS which...

Page 292: ...knows that Foo Corp Denver currently provides better service and lists Foo Corp Denver s virtual server IP address first when responding to the DNS request 5 The client connects to Foo Corp Denver for...

Page 293: ...figure the switch at each site to act as the DNS server for each service that is hosted on its virtual servers Also configure the local DNS server to recognize the switch as the authoritative DNS serv...

Page 294: ...mmand Line Interface CLI as the administrator n Both of the following optional software keys must be activated o SLB o GSLB NOTE For details about any of the processes or menu commands described in th...

Page 295: ...I NOTE This example assumes that all ports and IP interfaces use default VLAN 1 requiring no special VLAN configuration for the ports or IP interface 3 On the California switch define the default gate...

Page 296: ...California switch define a real server group Combine the real servers into one service group and set the necessary health checking parame ters In this example HTTP health checking is used to ensure t...

Page 297: ...n the Web switch The ports are configured as follows 6 On the California switch enable SLB Real server group 1 virt 1 Select virtual server 1 Virtual server 1 vip 200 200 200 1 Assign a virtual server...

Page 298: ...d at the California site The new real server entry is configured with the IP address of the remote virtual server rather than the usual IP address of a local physical server Do not confuse this value...

Page 299: ...then check again 6 Save your new configuration changes Task 4 Configure the Basics at the Denver Site Following the same procedure described for California see Example GSLB Topology on page 294 config...

Page 300: ...Denver server pool 2 On the Denver switch define each local real server cfg ip if 1 Select IP interface 1 IP Interface 1 addr 174 14 70 100 Assign IP address for the interface IP Interface 1 ena Enab...

Page 301: ...ecks Real server group 1 virt 1 Select virtual server 1 Virtual server 1 vip 179 14 70 1 Assign IP address Virtual server 1 service http Select the HTTP service menu Virtual server 1 http service grou...

Page 302: ...is step the local Denver site is configured to recognize the services offered at the remote California site As before configure one real server entry on the Denver switch for each virtual server locat...

Page 303: ...your new configuration changes Remote site 1 cfg slb real 3 Create an entry for real server 3 Real server 3 rip 200 200 200 1 Set remote virtual server IP address Real server 3 remote enable Define t...

Page 304: ...ese applications requires that a proxy IP address be configured on the client port The client port will initiate a redirect only if resources are unavailable at the first site NOTE This feature should...

Page 305: ...e at Site 1 Site 1 completes TCP three way handshake with client Non HTTP application no redirection 2a Client DNS request reaches Site 2 Resources are unavailable at Site 2 Site 2 sends a request to...

Page 306: ...ss at Site 2 as the destination IP address 3 The switch at Site 2 receives the POP3 TCP SYN request to its virtual server The request looks like a normal SYN frame so it performs normal local load bal...

Page 307: ...sses on Site 2 the following commands are issued on the Denver switch cfg slb port 6 Select port to default gateway SLB port 6 pip 200 200 200 4 Set unique proxy IP address SLB port 6 proxy enable Ena...

Page 308: ...r group number o stats slb maint Configuring Client Site Preferences Internet Assigned Numbers Authority IANA the central coordinator for the assignment of unique parameter values for Internet protoco...

Page 309: ...re 12 5 GSLB Proximity Tables How They Work The following example illustrated in Figure 12 6 on page 310 shows how to add entries into a GSLB proximity table Two client networks A and B are configured...

Page 310: ...ites The Web switch forwards the client request based on the minimum available sessions and response time between the two preferred sites Internet Client Site B DNS Request Client Site A DNS Request 2...

Page 311: ...cfg slb gslb lookup lookups ena Enable the lookup or proximity table dname nortelnetworks com Select the domain name network 1 Select Client A subnet sip 205 178 13 0 Assign source address for Client...

Page 312: ...the Internet by distributing the IP blocks that contain that content to several sites When using DNS to select the site a single packet is used to make the decision so that the request will not be spl...

Page 313: ...works using two parallel firewalls and two Web switches The basic FWLB method combines redirection filters and static routing for FWLB n Four Subnet FWLB on page 326 Explanation and example configurat...

Page 314: ...le example all traffic passing between the dirty clean and DMZ networks must traverse the firewall which examines each individual packet The firewall is configured with a detailed set of rules that de...

Page 315: ...e firewall distribu tion is based on a mathematical hash of the IP source and destination addresses For more information about basic FWLB see Basic FWLB on page 316 n Four Subnet FWLB for larger netwo...

Page 316: ...erver on the internal net work for each incoming request The same process is used for outbound server responses a redirection filter on the clean side Web switch splits the traffic and static routes f...

Page 317: ...am For instance the first static route will lead to an IP interface on the clean side Web switch using the first firewall as the next hop A second static route will lead to a second clean side IP inte...

Page 318: ...P addresses Each IP address represents an IP interface on a different subnet on the dirty side Web switch 8 Outbound traffic is routed to the firewalls Static routes are configured on the clean side s...

Page 319: ...oad balanced Each must be on a different subnet cfg ip if 1 Select IP interface 1 IP Interface 1 addr 192 16 12 1 Set address for switch management IP Interface 1 mask 255 255 255 0 Set subnet mask fo...

Page 320: ...P source destination address pairs flows through the same firewall This ensures that sessions established by the firewalls are main tained for their duration NOTE Other load balancing metrics such as...

Page 321: ...ds to clean side IF 3 10 1 4 1 through the second firewall 10 1 2 10 as its gateway 12 Apply and save the configuration changes Layer 4 cfg slb filt 10 Select filter 10 Filter 10 sip any From any sour...

Page 322: ...interface 1 IP Interface 1 addr 20 1 1 1 Set the IP address for interface 1 IP Interface 1 mask 255 255 255 0 Set subnet mask for interface 1 IP Interface 1 ena Enable IP interface 1 IP Interface 1 if...

Page 323: ...s on the network Real server group 1 health icmp Select ICMP as health check type Real server group 1 metric hash Select SLB hash metric for group 1 Real server group 1 cfg slb on Real server group 1...

Page 324: ...r group 1 Real server group 200 add 2 Select real server 2 to group 200 Real server group 200 add 3 Select real server 3 to group 200 Real server group 200 port 4 server ena SLB port 4 port 5 server e...

Page 325: ...ds to dirty side IF 2 10 1 1 1 through the first firewall 10 1 3 10 as its gateway and one that leads to dirty side IF 3 10 1 2 1 through the second firewall 10 1 4 10 as its gateway NOTE Configuring...

Page 326: ...etwork failover Nor mally the interswitch link between the primary and secondary Web switches is configured on port 9 of the Web switch However the interswitch links may trunked together with multiple...

Page 327: ...milar to basic FWLB a redirection filter splits traffic into multiple streams which are routed through the available firewalls to the primary clean side Web switch Just as with the basic method four s...

Page 328: ...through a different firewall Although other load balancing metrics can be used in some configurations see Free Metric FWLB on page 346 the distribution of traffic within each stream is normally based...

Page 329: ...itches with VRRP support settings n Configure FWLB groups and redirection filters on the primary dirty side Web switch n Configure and synchronize VRRP on the primary dirty side Web switch n Configure...

Page 330: ...c each firewall must be configured with a static route to the clean side virtual server using the VIR in its clean side subnet as the next hop For outbound traffic each firewall must use the VIR in it...

Page 331: ...ed for routing traffic through the top firewall IF 3 will be used for routing traffic through the lower firewall To avoid confusion IF 2 and IF 3 will be used in the same way on all Web switches NOTE...

Page 332: ...used on all Web switches whenever routing through the top firewall and IF 3 is being used on all Web switches whenever routing through the lower fire wall The static route add command uses the follow...

Page 333: ...b switch 3 Turn STP off for the secondary dirty side Web switch 4 Configure static routes on the secondary dirty side Web switch 5 Apply and save your configuration cfg vlan 2 add 2 add 9 ena cfg ip i...

Page 334: ...des the firewall port and interswitch connection port VLAN 4 includes the port that attaches to the real servers 2 Configure IP interfaces on the primary clean side Web switch 3 Turn STP off for the p...

Page 335: ...ewall 2 using clean side IF 3 Again the static route add command uses the following format add destination address dest mask gateway address source interface This example requires the following static...

Page 336: ...secondary clean side Web switch 5 Apply and save your changes cfg ip if 1 mask 255 255 255 0 addr 10 10 4 11 vlan 4 ena if 2 mask 255 255 255 0 addr 10 10 3 11 vlan 3 ena if 3 mask 255 255 255 255 ad...

Page 337: ...ured with the primary as its peer Once this is done the secondary Web switch will get the remainder of its configuration from the pri mary when synchronized in a later step In this example the seconda...

Page 338: ...ver routing through the top firewall and IF 3 on all Web switches whenever routing through the lower firewall Therefore the first address will represent the primary clean side IF 2 and the second repr...

Page 339: ...ents local traffic from being redirected n Filter 20 prevents VRRP traffic and other multicast traffic on the reserved 224 0 0 0 24 network from being redirected n Filter 224 redirects the remaining t...

Page 340: ...e primary dirty side Web switch 5 Apply and save your configuration changes 6 Synchronize primary and secondary dirty side Web switches cfg vrrp on vr 1 vrid 1 Configure virtual router 1 addr 195 1 1...

Page 341: ...re added to the group The two addresses are the inter faces of the dirty side Web switch and are configured as if they are real servers NOTE Remember that IF 2 is used on all Web switches whenever rou...

Page 342: ...20 rip 10 10 4 20 Set IP address of real server 20 ena Enable real 21 Select real server 21 rip 10 10 4 21 Set IP address of real server 21 ena Enable real 22 Select real server 22 rip 10 10 4 22 Set...

Page 343: ...e port attaching to the real servers n Filter 10 prevents local traffic from being redirected n Filter 20 prevents VRRP traffic from being redirected n Filter 224 redirects the remaining traffic to th...

Page 344: ...ubnet attached to the real servers and one for the subnet attached to the firewalls A third virtual router is required for the virtual server used for optional SLB cfg vrrp on vr 1 vrid 3 addr 10 10 4...

Page 345: ...n 345 212777 A February 2002 5 Configure the peer on the primary clean side Web switch 6 Apply and save your configuration changes 7 Synchronize primary and secondary dirty side Web switches cfg slb...

Page 346: ...se free metric FWLB in this network the following configuration changes are necessary 1 On the clean side Web switch enable RTS on the ports attached to firewalls ports 2 and 3 2 On the dirty side Web...

Page 347: ...Four Subnet FWLB Example Network group 1 metric metric type Subnet 1 VLAN 1 195 1 1 0 24 Subnet 2 VLAN 2 10 10 2 0 24 Subnet 3 VLAN 3 10 10 3 0 24 Subnet 4 VLAN 4 10 10 4 0 24 Dirty Side Clean Side I...

Page 348: ...rs ports 4 but make sure filter processing is enabled To view the original redirection filters that were configured for the four subnet example see Step 3 on page 343 On both clean side switches 3 On...

Page 349: ...ypi cal firewall load balancing configuration with a DMZ is shown in Figure 13 10 Figure 13 10 Typical Firewall Load Balancing Topology with DMZ The DMZ servers can be attached to the Web switch direc...

Page 350: ...filt 80 Select filter 80 Filter 80 sip any From any source IP address Filter 80 dip 205 178 29 0 To the DMZ base destination Filter 80 dmask 255 255 255 0 For the range of DMZ addresses Filter 80 pro...

Page 351: ...b switch stops routing traffic to that IP interface and instead distributes it across the remaining healthy Web switch IP interfaces and firewalls When a Web switch IP interface is in the Server Faile...

Page 352: ...ilter as the last filter after the redirect all filter to force the HTTP health checks to activate as shown below NOTE Make sure that the number of each real filter is lower than the number of the dum...

Page 353: ...ows the switch to load balance simultaneously up to 255 VPN devices The switch records from which VPN server a session was initiated and ensures that the traffic returns back to the same VPN server fr...

Page 354: ...ough a particular VPN must traverse the same VPN as it egresses back to the client Traffic ingressing from the Internet is usually addressed to the VPNs with the real destination encrypted inside the...

Page 355: ...the session table and forwards the packet to VPN device 1 The selection of the VPN device is based on the hash load balancing metric 4 The VPN device strips the IP header and decrypts the encrypted I...

Page 356: ...urn to Sender RTS feature on the ports attached to the VPN devices using the following command VPN Load Balancing Configuration Example The following example uses Alteon Web switches for VPN load bala...

Page 357: ...g sys bootp dis cfg vlan 2 ena def 7 8 cfg stp off cfg ip if 1 ena Select IP interface 1 and enable IP Interface 1 mask 255 255 255 0 Set subnet mask for interface 1 IP Interface 1 addr 30 0 0 10 Set...

Page 358: ...Virtual Router Redundancy Protocol vr 1 Select virtual router 1 menu VRRP Virtual Router 1 ena Enable the virtual router VRRP Virtual Router 1 vrid 1 Assign virtual router ID 1 VRRP Virtual Router 1 i...

Page 359: ...1 Real server 1 rip 10 0 0 10 Assign IP address for real server 1 Real server 1 real 2 ena Enable SLB for real server 2 Real server 2 rip 10 0 0 11 Assign IP address for real server 2 Real server 2 re...

Page 360: ...ed 5 Configure routes for each of the IP interfaces you configured in Step 4 using the VPN devices as gateways One static route is required for each VPN device being load balanced cfg sys bootp dis cf...

Page 361: ...30 0 0 50 VRRP Virtual Router 1 share dis VRRP Virtual Router 1 track vrs ena VRRP Virtual Router 1 Priority Tracking cfg vrrp vr 2 VRRP Virtual Router 2 ena VRRP Virtual Router 2 vrid 2 VRRP Virtual...

Page 362: ...static routes for each of the IP interfaces you configured in Step 4 using the VPN devices as gateways One static route is required for each VPN device being load balanced SLB port 8 port 1 filter en...

Page 363: ...outer 1 Priority Tracking vrs ena VRRP Virtual Router 1 Priority Tracking ports ena VRRP Virtual Router 1 Priority Tracking cfg vrrp vr 2 VRRP Virtual Router 2 ena VRRP Virtual Router 2 vrid 2 VRRP Vi...

Page 364: ...le firewall load balancing This filter will redirect inbound traffic redirecting it among the defined real servers in the group 13 Add filters to the ingress port 14 Apply and save the configuration a...

Page 365: ...figure routes for each of the IP interfaces you configured in Step 4 cfg sys bootp dis cfg vlan 2 ena def 7 8 cfg stp off cfg ip if 1 ena mask 255 255 255 0 addr 192 168 10 11 cfg ip if 2 ena mask 255...

Page 366: ...eal server group and place real servers 1 4 into the real server group cfg vrrp on cfg vrrp vr 1 ena vrid 1 if 1 addr 192 168 10 50 share dis track vrs ena ports ena cfg vrrp vr 2 ena vrid 2 if 2 addr...

Page 367: ...ble firewall load balancing This filter will redirect inbound traffic among the defined real servers in the group 12 Add filters to the ingress port 13 Apply and save the configuration and reboot the...

Page 368: ...n page 368 Figure 14 3 Checkpoint Rules for Both VPN Devices as Seen in the Policy Editor 1 Disconnect the cables cause failures to change the available servers that are up This should change the VRRP...

Page 369: ...mote client on the dirty side of the network 2 Add a new site 3 Enter the policy server IP address 192 168 10 120 You have the option of adding a nickname 4 Launch a browser such as Netscape or Intern...

Page 370: ...rypted traffic To verify that the FWLB and hash metric is working correctly on the dirty side switches that is hashed on client IP address Destination IP address you can configure your current client...

Page 371: ...he following topics n Overview on page 372 n Content Intelligent Server Load Balancing on page 375 n Content Intelligent Web Cache Redirection on page 394 n Exclusionary String Matching for Real Serve...

Page 372: ...istics and so on Figure 15 1 illustrates the process of content intelligent switching in the Web switch Figure 15 1 Content Intelligent Load Balancing Example Client requests a Web page 1 Requests for...

Page 373: ...on one from the client to the Web switch and the second from the Web switch to the selected server The Web switch must modify the TCP header including performing TCP sequence number translation and re...

Page 374: ...be extended over multiple lines by preceding each extra line with at least one space Some customer applications of HTTP header inspection are listed below n Redirection based on domain name n Cachabil...

Page 375: ...rformance Content dis persion can be optimized by making load balancing decisions on the entire path and filename of each URL NOTE Both HTTP 1 0 and HTTP 1 1 requests are supported For URL matching yo...

Page 376: ...vers in the server pool n Define an IP interface on the switch n Define each real server n Define a real server group and set up health checks for the group n Define a virtual server on virtual port 8...

Page 377: ...uct b gif images company a gif images testing c jpg The server will not handle these requests company images b gif product images c gif testing images a gif Example 2 String without the Forward Slash...

Page 378: ...d balancing 6 Add the defined string s to the real server using the following command where ID is the identification number of the defined string NOTE If you don t add a defined string or add the defi...

Page 379: ...AM and configuring a Proxy IP address on the client port port mapping for URL load balancing can be performed 9 Enable URL based SLB on the virtual server s Statistics for URL Based Server Load Balanc...

Page 380: ...equest sent to an origin server not a proxy server is a partial URL instead of a full URL An example of the request that the origin server would see as follows GET products 180 HTTP 1 0 User agent Moz...

Page 381: ...ver on the switch 2 www company a com and www company b com are defined as URL strings 3 Server Group 1 is configured with Servers 1 through 8 Servers 1 through 4 belong to www company a com and Serve...

Page 382: ...re your network for server load balancing see Server Load Balancing on page 117 2 Turn on URL parsing for the virtual server for virtual hosting 3 Define the host names 4 Configure the real server s t...

Page 383: ...n Identify a user group and redirect them to a particular server n Serve content based on user identity n Prioritize access to scarce resources on a Web site n Provide better services to repeat custom...

Page 384: ...ure your network for SLB see Chapter 6 Server Load Bal ancing 2 Turn on URL parsing for the virtual server where sid cookie name 1 offset the starting position of the value to be used for hashing 6 le...

Page 385: ...it will be forwarded to Real Server 4 since it does not have an exact cookie match matches with any configured at Real Server 4 4 Configure the real server s to handle the appropriate load balance st...

Page 386: ...an IP address to each of the real servers in the server pool n Define an IP interface on the switch n Define each real server n Assign servers to real server groups n Define virtual servers and servi...

Page 387: ...sh is selected as the load balancing algorithm the switch hashes the source IP address to select the server for SLB Under this condition the switch may not send Web requests for the same origin server...

Page 388: ...er n Assign servers to real server groups n Define virtual servers and services n Configure load balancing algorithm for hash or minmiss n Enable SLB For information on how to configure your network f...

Page 389: ...f the real servers in the server pool n Define an IP interface on the switch n Define each real server n Assign servers to real server groups n Define virtual servers and services For information on h...

Page 390: ...s extracted from the query processed by the regular expressions engine and the request is sent to the appropriate real server For example Figure 15 4 shows a DNS server farm load balancing DNS queries...

Page 391: ...on how to configure your network for SLB see Chapter 6 Server Load Balancing n Define server port and client port 2 Enable DNS load balancing 3 Enable delayed binding 4 Define the host names 5 Apply...

Page 392: ...content In addition to hashing Web OS 10 0 allows you to segregate the requests based on the string pattern match the strings in the requests and direct the requests to the assigned servers For more i...

Page 393: ...URL string ID Add URL string ID for example g2video rm cfg slb layer7 slb Server Load Balance Resource rem URL string ID Remove URL string ID g2video rm cfg slb layer7 slb Server Load Balance Resource...

Page 394: ...ecial request with respect to caching such as to guar antee up to date data from the origin server If this feature Cache Control no cache directive is enabled HTTP 1 1 GET requests are forwarded direc...

Page 395: ...NOTE Both HTTP 1 0 and HTTP 1 1 requests are supported Each request is examined and handled as described below n If the request is a non GET request such as HEAD POST PUT or HTTP with cookies it is no...

Page 396: ...IN directory o SHTML scripted html o Microsoft HTML extension files htx o executable files exe n Dynamic URL parameters Figure 15 5 URL Based Web Cache Redirection Requests matching the URL are load b...

Page 397: ...the IP address of the Web cache and the destination MAC address is replaced by the MAC address of the Web cache Both the IP address and the MAC address of the source remain unchanged n Full NAT In thi...

Page 398: ...che server or the origin server c Enable disable cache redirection of requests that contain cookie in the HTTP header o Ena The switch redirects all requests that contain cookie in the HTTP header to...

Page 399: ...ests images product b gif images company a gif images testing c jpg The server will not handle these requests company images b gif product images c gif testing images a gif Example 2 String without th...

Page 400: ...where ID is the identification number of the defined string The server can have multiple defined strings For example images sales gif With these defined strings the server can handle requests that beg...

Page 401: ...number dip any To any destination IP addresses Filter filter number proto tcp For TCP protocol traffic Filter filter number sport any From any source port Filter filter number dport http To an HTTP de...

Page 402: ...fault filter Filter filter number sip any From any source IP addresses Filter filter number dip any To any destination IP addresses Filter filter number proto any For any protocol traffic Filter filte...

Page 403: ...servers in the server pool n Define an IP interface on the switch n Define each real server n Assign servers to real server groups n Define virtual servers and services 2 Turn on URL parsing for the f...

Page 404: ...r of the defined string NOTE If you don t add a defined string or add ID 1 the server will handle any request 8 If Host header filtering is enabled Step 3 you can configure the switch to use the host...

Page 405: ...interface on the switch n Define each real server n Assign servers to real server groups n Define virtual servers and services 2 Turn on URL parsing for the filter 3 Enable header load balancing for U...

Page 406: ...header if present up to a maximum of 255 bytes You can optimize cache hits by using the hashing algorithm to redirect client requests going to the same page of an origin server to a specific cache ser...

Page 407: ...n the switch uses the source IP address as the hash key Example 1 Hashing on the URL In this example URL hashing is enabled If the Host field does not exist the specified length of the URL is used to...

Page 408: ...lient 3 request http www nortelnetworks com is directed to cache server 1 Example 3 Hashing on the Source IP address In this example URL hashing is disabled Because the host header field does not exis...

Page 409: ...file extensions that will bypass RTSP streaming cache redirection This is the user defined non cacheable content You can add or remove RTSP files like mov smil rm and so forth 3 Assign the url string...

Page 410: ...ings that are added to that real server This means you cannot configure a dedicated server to receive a certain string and at the same time have it exclude other URL strings The exclu sionary feature...

Page 411: ...e 5 Assign the URL string ID to the real server 6 Enable the exclusionary string matching option If you configured a string any and enabled the exclusion option the server will not handle any requests...

Page 412: ...ing is a list of standard regular expression special characters that are supported in Web OS Use the following rules to describe patterns for string matching n Supports one layer of parenthesis n Supp...

Page 413: ...mple html htm appears as html htm n Incorrectly or ambiguously formatted regular expressions are rejected instantly For exam ple o where a or follows a special character like the o A single or sign o...

Page 414: ...hash and Header hash are used in combination with Host Cookie or Browser content types For example the following types of load balancing can be configured using the Content Prece dence Lookup feature...

Page 415: ...r the URL string is examined next o If a request from a client contains no Host Header but has a URL string such as gold the request is load balanced among Server 1 or Server 3 o If a request from a c...

Page 416: ...ficient use of their server resources they separate their servers into two groups using their fastest servers to process dynamic content such as cgi files and their slower servers to process all stati...

Page 417: ...switch examines the HTTP content of the incoming client request for the matching string pattern If the matching virus pattern is found then the packet is dropped and a reset frame is sent to the offen...

Page 418: ...ing HTTP URL request to be blocked 3 Apply and save the configuration 4 Identify the IDs of the defined strings Number of entries four 5 Select the filter and enable the filter action to deny 6 Enable...

Page 419: ...ter to the port Filter 1 Advanced l7deny Select the Layer 7 deny menu Filter 1 Advanced L7deny ena Enable Layer 7 deny filter Filter 1 Advanced L7deny addstr 1 Add the code red virus string Filter 1 A...

Page 420: ...Web OS 10 0 Application Guide 420 n Chapter 15 Content Intelligent Switching 212777 A February 2002...

Page 421: ...se of cookie persistence provides a mech anism for inserting a unique key for each client of a virtual server This feature is only used in nonsecure socket layer non SSL connections This section discu...

Page 422: ...aracteristics source IP address cook ies and Secure Sockets Layer SSL session ID Using Source IP Address Until recently the only way to achieve TCP IP session persistence was to use the source IP addr...

Page 423: ...e feature solves the proxy server problem and gives better load distribution at the server site In the Web switch cookies are used to route client traffic back to the same physical server to maintain...

Page 424: ...a key that associates the user with additional state data that is kept on the server such as a shopping cart and its contents In a more complex application the cookie may be encoded so that it actuall...

Page 425: ...fter the browser has been shut down A temporary cookie is only valid for the current browser session Similar to a SSL Ses sion based ID the temporary cookie expires when you shut down the browser Base...

Page 426: ...mode Passive Cookie Mode on page 428 using a temporary cookie The switch mathematically calculates the cookie value using a hash algorithm to determine which real server should receive the request n...

Page 427: ...a request to visit the Web site The Web switch performs load balancing and selects a real server The real server responds without a cookie The Web switch inserts a cookie and forwards the new request...

Page 428: ...mporary cookies However you can use this mode for permanent cookies if the server is embedding an IP address The following figure shows passive cookie mode operation Figure 16 3 Passive Cookie Mode Su...

Page 429: ...r An additional eight bytes must be reserved if you are using cookie based persistence with Global Server Load Bal ancing GSLB NOTE Rewrite cookie mode only works for cookies defined in the HTTP heade...

Page 430: ...ad Balancing on page 117 2 Either enable Direct Access Mode DAM or disable DAM and specify proxy IP address es on the client port s n Enable DAM for the switch n Disable DAM and specify proxy IP addre...

Page 431: ...nabled for service 80 HTTP Once you specify cookie as the mode of persistence you will be prompted for the following parameters n Cookie based persistence mode insert passive or rewrite n Cookie name...

Page 432: ...expi ration timer The expiration timer specifies a date string that defines the valid life time of that cookie The expiration timer for insert cookie can be of the following types n Absolute timer The...

Page 433: ...websystems com Cookie UID 87654321 n Look for the cookie in the HTTP header The last parameter in this command answers the Look for cookie in URI prompt If you set this parameter to disable the Web sw...

Page 434: ...ur bytes This uses 789a as a hashing key n Using wildcards for selecting cookie names With this configuration the switch will look for a cookie name that starts with ASPSES SIONID ASPSESSIONID123 ASPS...

Page 435: ...t with this cookie will be directed to the same real server n Rewrite server cookie with the encrypted real server IP address and virtual server IP address If the cookie length is configured to be 16...

Page 436: ...cookie a few responses later In order to achieve cookie based per sistence in such cases Web OS 10 0 allows the network administrator to configure the switch to look through multiple HTTP responses f...

Page 437: ...er configurable How SSL Session ID Based Persistence Works n All SSL sessions that present the same session ID 32 random bytes chosen by the SSL server will be directed to the same real server NOTE Th...

Page 438: ...ns from Client 1 with the same SSL session ID are directed to Server 1 Figure 16 5 SSL Session ID Based Persistence 5 Client 2 appears to the switch to have the same source IP address as Client 1 beca...

Page 439: ...a virtual server on the virtual port for HTTPS for example port 443 and assign a real server group to service it n Enable SLB on the switch n Enable client processing on the port connected to the cli...

Page 440: ...Web OS 10 0 Application Guide 440 n Chapter 16 Persistence 212777 A February 2002...

Page 441: ...on critical traffic Traffic classification can be based on user or application information BWM policies can be configured to set lower and upper bounds on the bandwidth allocation The following topics...

Page 442: ...ertain frames are grouped together n A bandwidth policy specifying usage limitations to be applied to these frames NOTE At any given time up to 1024 contracts can be created for a single Alteon AD4 or...

Page 443: ...ended when Bandwidth Management is enabled n Bandwidth management occurs on the egress port of the switch that is the port from which the frame is leaving However in the case of multiple routes or tru...

Page 444: ...co location provider could charge a customer for bandwidth utilization There are three rates that are configured a Committed Information Rate CIR Reserved Limit a Soft Limit and a Hard Limit as descr...

Page 445: ...sure that the sum of all committed informa tion rates never exceeds the link speeds associated with ports on which the traffic is transmitted In a case where the total CIRs exceed the out bound port b...

Page 446: ...to reduce the queue depth or the hard limit is reached If the data cannot be transmitted at the soft limit then the rate is adjusted downward until the data can be trans mitted or the CIR is hit If th...

Page 447: ...cified IP destination address or range of addresses defined with a subnet mask n Switch services on the virtual servers The following are various Layer 4 groupings o A single virtual server o A group...

Page 448: ...lows 1 Layer 7 applications for example URL HTTP headers cookies and so forth 2 Layer 4 services on the virtual server 3 Filter 4 VLAN 5 Source Port Default Assignment Bandwidth Classification Configu...

Page 449: ...d on URLs gives Web site managers the following capabilities n Ability to allocate bandwidth based on the type of request The switch allocates bandwidth based on certain strings in the incoming URL re...

Page 450: ...0 Application Guide 450 n Chapter 17 Bandwidth Management 212777 A February 2002 Figure 17 4 URL Based Bandwidth Management Figure 17 5 URL Based Bandwidth Management with Web Cache Redirection Cache...

Page 451: ...ers to prevent network abuse by bandwidth hog ging users Using this feature bandwidth can be allocated by type of user or other user specific information available in the cookie Cookie based bandwidth...

Page 452: ...ss has been set up cfg bwm user To obtain graphs the data must be collected and pro cessed by an external entity through SNMP or through e mailed logs History is maintained only for the contracts for...

Page 453: ...t basis using the wtos option under the contract menu cfg bwm cont x wtos to enable disable overwriting IP TOS The actual values used by the switch for overwriting TOS values depending on whether traf...

Page 454: ...on For more information about SLB configuration see Server Load Balancing on page 117 2 Enable BWM on the switch NOTE If you purchased the Bandwidth Management option make sure you enable it by typ in...

Page 455: ...e packet size NOTE Keep in mind that the total buffer limit for the Bandwidth Management policy is 128K 7 On the switch select a BWM contract and optional a name for the contract Each contract must ha...

Page 456: ...ch apply and verify the configuration Examine the resulting information If any settings are incorrect make any appropriate changes 14 On the switch save your new configuration changes 15 On the switch...

Page 457: ...ng dial up customers n Customers from the same hosting facility locking out each other because of flash crowd n FTP from locking out Telnet n Rate limit particular applications In the following exampl...

Page 458: ...e bandwidth policy for this contract Each BWM contract must be assigned a bandwidth policy 10 Enable this BWM contract Policy 1 cfg bwm cont 1 Select BWM contract 1 BWM Contract 1 name dial up Assign...

Page 459: ...he resulting information If any settings are incorrect make any appropriate changes 13 On the switch save your new configuration changes 14 On the switch check the BWM information Check that all BWM c...

Page 460: ...f the real servers in the server pool n Define an IP interface on the switch n Define each real server n Define a real server group n Define a virtual server n Define the port configuration For more i...

Page 461: ...e bandwidth policy for this contract Each BWM contract must be assigned a bandwidth policy 11 Enable this BWM contract BWM Contract 1 pol 1 Assign policy 1 to BWM contract 1 BWM Contract 1 ena Enables...

Page 462: ...rmation If any settings are incorrect make the appropriate changes 14 On the switch save your new configuration changes 15 On the switch check the bandwidth management information Check that all BWM c...

Page 463: ...agement is to assign a contract to each defined string This allocates a percentage of bandwidth to the string or URL containing the string To configure the switch for URL based bandwidth management pe...

Page 464: ...itch or configure a proxy IP address on the client port NOTE If VMA is enabled and you are using a proxy IP address you need to configure proxy IP addresses on ports 1 through 8 To turn on DAM To turn...

Page 465: ...Cookie Based Bandwidth Management Example In this example you will assign bandwidth based on cookies First configure cookie based server load balancing which is very similar to URL based load balanci...

Page 466: ...on the client port NOTE If VMA is enabled you need to configure a unique proxy IP address for each port 1 8 To turn on DAM To turn off DAM and configure a Proxy IP address on the client port NOTE By e...

Page 467: ...467 Figure 17 7 Cookie Based Preferential Services The configuration to support this scenario is similar to Scenario 1 Note the following 1 Configure the string and assign contracts for the strings an...

Page 468: ...h real server n Define a real server group n Define a virtual server n Define the port configuration NOTE Ensure BWM is enabled on the switch cfg bwm on 2 Select a bandwidth policy Each policy must ha...

Page 469: ...the switch save your new configuration changes 11 On the switch check the BWM information Check that all BWM contract parameters are set correctly If necessary make any appropriate configuration chan...

Page 470: ...Web OS 10 0 Application Guide 470 n Chapter 17 Bandwidth Management 212777 A February 2002...

Page 471: ...n be any value represented by a 8 bit value in the IP header adherent to the IP specification for example TCP UDP OSPF ICMP and so on Real Server Group A group of real servers that are associated with...

Page 472: ...rfaces on the Alteon Web switches must be in a VLAN If there is more than one VLAN defined on the Web switch then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP inter...

Page 473: ...r stop advertising the backup will take over ownership of the VRRP IP and MAC addresses as defined by the specification The switch announces this change in ownership to the devices around it by way of...

Page 474: ...Web OS 10 0 Application Guide 474 n Glossary 212777 A February 2002...

Page 475: ...redirection example 204 to 215 authenticating in OSPF 80 authoritative name servers 291 autonomous systems AS 73 B backup servers 135 bandwidth management 449 to 450 burst limit 453 classification pol...

Page 476: ...sk destination mask for filtering 178 Domain Name System DNS filtering 185 188 Global SLB diagram 291 load balancing layer 4 151 load balancing layer 7 390 round robin 118 dport filtering option 186 2...

Page 477: ...utes OSPF 82 hostname for HTTP health checks 231 299 hot standby redundancy 256 configuration 275 HTTP application health checks 231 redirects Global SLB option 292 HTTP header hashing 389 HTTP URL re...

Page 478: ...t connections SLB Real Server metric 132 limiting TCP sessions 179 lmask local route cache parameter 35 lnet local route cache parameter 35 load balancing DNS 151 390 FTP traffic 150 IDS traffic 163 l...

Page 479: ...administrator account 105 user account 105 PDUs 48 persistence cookie based 424 multi reponse cookie search 436 SSL session ID based 437 to 439 persistent bindings 123 port sessions 286 PIP See proxie...

Page 480: ...bility service 118 SCP services 108 script based health checks 225 to 229 searching for cookie 432 searching for cookies 432 SecurID 110 security filtering 170 185 firewalls 185 from viruses 170 layer...

Page 481: ...0 T tagging See VLANs tagging TCP 171 188 189 health checking using 130 port 80 144 rate limiting 179 TCP UDP port numbers 139 TDT Theoretical Departure Times 446 Telnet 185 text conventions 23 Theore...

Page 482: ...tive redundancy 255 active standby redundancy 254 hot standby redundancy 256 inter switch port states 257 overview 248 261 synchronization 277 synchronizing configurations 257 virtual interface router...

Reviews:

No comments

Brands by name

Popular brands

Load more brands