manualshive.com logo in svg

Nortel Web OS 10.0, Инструкция по применению

Поделиться
Скачать
Nortel Web OS 10.0 Скачать руководство пользователя страница 103

Web OS 10.0 Application Guide

Chapter 5: Secure Switch Management  

n

  103

212777-A, February 2002

RADIUS Authentication and Authorization

RADIUS is an access server authentication, authorization, and accounting protocol used to 
secure remote access to networks and network services against unauthorized access. 

RADIUS consists of three components:

n

A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866)

n

A centralized server that stores all the user authorization information

n

A client, in this case, the switch

The operation of RADIUS authentication and authorization protocol is based on the AA model 
described previously. The switch—acting as the RADIUS client—will communicate to the 
RADIUS server to authenticate and authorize a remote administrator using the protocol defini-
tions specified in RFC 2138 and 2866. Transactions between the client and RADIUS server are 
authenticated through the use of a shared secret, which is never sent over the network. In addi-
tion, the remote administrator passwords are sent encrypted between the RADIUS client (the 
switch) and the back-end RADIUS server.

Figure 5-1  Authentication and Authorization: How It Works

Internet

1. Remote administrator connects to
    switch and provides user name 
    and password

2. Using Authentication/Authorization
    protocol, the switch sends request
    to authentication server

3. Authentication server
    checks request against 
    the user ID database

4. Using RADIUS protocol,
    the authentication server 
    instructs the switch to 
    grant or deny admim access

Authentication
Servers

Alteon Web Switch

Содержание Web OS 10.0

Страница 1: ...50 Great Oaks Boulevard San Jose California 95119 408 360 5500 Main 408 360 5501 Fax www nortelnetworks com Web OS Switch Software 10 0 Application Guide Part Number 212777 Revision A February 2002...

Страница 2: ...ers are authorized to use this documentation only in accordance with those rights and restrictions set forth herein consistent with FAR 12 211 12 212 Oct 1995 DFARS 227 7202 JUN 1995 and DFARS 252 227...

Страница 3: ...net Routing 31 Defining IP Address Ranges for the Local Route Cache 35 Border Gateway Protocol BGP 36 Internal Routing Versus External Routing 36 Forming BGP Peer Routers 37 BGP Failover Configuration...

Страница 4: ...runking 65 Overview 65 Statistical Load Distribution 66 Built In Fault Tolerance 66 Port Trunking Example 67 Chapter 4 OSPF 69 OSPF Overview 69 Types of OSPF Areas 70 Types of OSPF Routing Devices 71...

Страница 5: ...in Web OS 104 Web Switch User Accounts 105 Secure Shell and Secure Copy 107 Encryption of Management Messages 108 SCP Services 108 RSA Host and Server Keys 109 Radius Authentication 110 SecurID Suppor...

Страница 6: ...apter 7 Filtering 169 Overview 170 Filtering Benefits 170 Filtering Criteria 170 Stacking Filters 172 Overlapping Filters 172 The Default Filter 173 VLAN based Filtering 174 Optimizing Filter Performa...

Страница 7: ...nk Health Checks 223 TCP Health Checks 224 ICMP Health Checks 224 Script Based Health Checks 225 Configuring the Switch for Script Based Health Checks 225 Script Format 226 Scripting Guidelines 227 Sc...

Страница 8: ...61 High Availability Configurations 263 Active Standby Virtual Server Router Configuration 263 Active Active VIR and VSR Configuration 265 Active Active Server Load Balancing Configuration 267 VRRP Ba...

Страница 9: ...es 308 Using Border Gateway Protocol for GSLB 312 Chapter 13 Firewall Load Balancing 313 Firewall Overview 314 Basic FWLB 316 Basic FWLB Implementation 317 Configuring Basic FWLB 319 Four Subnet FWLB...

Страница 10: ...389 DNS Load Balancing 390 Layer 7 RTSP Load Balancing 392 Content Intelligent Web Cache Redirection 394 URL Based Web Cache Redirection 395 HTTP Header Based Web Cache Redirection 403 Browser Based...

Страница 11: ...ersistence 437 How SSL Session ID Based Persistence Works 437 Chapter 17 Bandwidth Management 441 Overview 442 Bandwidth Policies 444 Rate Limits 445 Bandwidth Policy Configuration 445 Data Pacing 446...

Страница 12: ...Web OS 10 0 Application Guide 12 n Contents 212777 A February 2002 Configuring Bandwidth Management 454 Additional Configuration Examples 457 Preferential Services Examples 460 Glossary 471 Index 475...

Страница 13: ...d in a Single Spanning Tree Group 52 Figure 2 5 Implementing Multiple Spanning Tree Groups 53 Figure 2 6 Default Gateways per VLAN 58 Figure 2 7 Jumbo Frame VLANs 64 Figure 3 1 Port Trunk Group 65 Fig...

Страница 14: ...Figure 7 6 Limiting User Access to Server 183 Figure 7 7 Security Topology Example 185 Figure 7 8 Static Network Address Translation 192 Figure 7 9 Dynamic Network Address Translation 193 Figure 7 10...

Страница 15: ...ample Network 347 Figure 13 10 Typical Firewall Load Balancing Topology with DMZ 349 Figure 14 1 Basic Network Frame Flow and Operation 355 Figure 14 2 VPN Load Balancing Configuration Example 356 Fig...

Страница 16: ...orks 442 Figure 17 2 Bandwidth Rate Limits 444 Figure 17 3 Virtual Clocks and TDT 446 Figure 17 4 URL Based Bandwidth Management 450 Figure 17 5 URL Based Bandwidth Management with Web Cache Redirecti...

Страница 17: ...b OS Alteon Levels 106 Table 6 1 Web Host Example Real Server IP Addresses 124 Table 6 2 Web Host Example Port Usage 126 Table 6 3 Well Known Application Ports 128 Table 6 4 Proxy Example Port Usage 1...

Страница 18: ...age 297 Table 12 3 Denver Real Server IP Addresses 300 Table 12 4 Web Host Example Alteon 180 Port Usage 301 Table 12 5 HTTP Versus Non HTTP Redirects 305 Table 15 1 Standard Regular Expression Specia...

Страница 19: ...No Yes SYN Attack Detection Protection Yes Yes Enhanced Port Mirroring Yes Yes Reporting Classification Manager SYSLOG and SNMP No Yes Reporting Classification Manager Ability to fil ter SYSLOG based...

Страница 20: ...rs Yes Yes OSPF No Yes LDAP health check Yes Yes Streaming Cache Redirection Yes Yes L7 Parsing of RTSP SLB Yes Yes ARP health check Yes Yes Telnet client Yes Yes Increase logging buffer Yes Yes Suppo...

Страница 21: ...tware Where possible each section provides feature overviews usage examples and configuration instructions Part 1 Basic Switching Routing n Chapter 1 Basic IP Routing describes how to configure the We...

Страница 22: ...ith the various load balancing and application redirection features n Chapter 11 High Availability describes how to use the Virtual Router Redundancy Pro tocol VRRP to ensure that network resources re...

Страница 23: ...c123 This bold type appears in command exam ples It shows text that must be typed in exactly as shown Main sys AaBbCc123 This italicized type appears in command examples as a parameter placeholder Rep...

Страница 24: ...ort and sales information visit the Nortel Networks website at the following URL http www nortelnetworks com See the contact information on this site for regional support and sales phone numbers and e...

Страница 25: ...functions In addi tion to switching traffic at near line rates the Web switch can perform multi protocol routing This section includes the following basic switching and routing topics n Basic IP Rout...

Страница 26: ...Web OS 10 0 Application Guide 26 n Basic Switching Routing 212777 A February 2002...

Страница 27: ...eb switch to perform IP routing functions The following topics are addressed in this chapter n IP Routing Benefits on page 28 n Routing Between IP Subnets on page 28 n Example of Subnet Routing on pag...

Страница 28: ...server switched network by automatically fragmenting UDP Jumbo frames when routing to non Jumbo frame VLANs or subnets n Provides the ability to route IP traffic between multiple Virtual Local Area Ne...

Страница 29: ...ch to the router and back again adds two hops for the data slowing throughput considerably n Traffic to the router increases increasing congestion Even if every end station could be moved to better lo...

Страница 30: ...tch which then relays the packet to the proper destination subnet using Layer 2 switching With Layer 3 IP routing in place on the Alteon Web switch routing between different IP sub nets can be accompl...

Страница 31: ...ched to the switch Since there are five IP subnets connected to the switch five IP interfaces are needed Table 1 1 Subnet Routing Example IP Address Assignments Subnet Devices IP Addresses 1 Primary a...

Страница 32: ...IP Interface 2 ena Enable IP interface 2 IP Interface 2 if 3 Select IP interface 3 IP Interface 3 addr 131 15 15 1 Assign IP address for the interface IP Interface 3 ena Enable IP interface 3 IP Inter...

Страница 33: ...their respective VLANs The VLANs shown in Table 1 3 are configured as follows Table 1 3 Subnet Routing Example Optional VLAN Ports VLAN Devices IP Interface Switch Port 1 First Floor Client Workstati...

Страница 34: ...on changes Port 4 is untagged and VLAN 2 is not a configured PVID for port 4 Would you like to change all PVIDS for port 4 to VLAN 2 y n VLAN 3 cfg ip if 1 Select IP interface 1 for def routers IP Int...

Страница 35: ...ed bit wise AND with the local network mask and checked against the local network address By default the local network address and local network mask are both set to 0 0 0 0 This pro duces a range tha...

Страница 36: ...ctive processing of network traffic every router on your network needs to know how to send a packet directly or indirectly to any other location destination in your network This is referred to as inte...

Страница 37: ...is interested in that route for example if a peer would like to receive your static routes and the new route is static an update message is sent to that peer containing the new route For each route re...

Страница 38: ...s configured with a metric of 3 thereby appearing to the switch to be three router hops away 1 Configure the switch as you normally would for Server Load Balancing SLB n Assign an IP address to each o...

Страница 39: ...for a Denial of Service DoS attack the forwarding of directed broadcasts is disabled by default cfg vlan 1 Select VLAN 1 vlan 1 add port number Add a port to the VLAN membership vlan 1 ena Enable VLA...

Страница 40: ...ve your configuration changes cfg ip bgp peer 1 Select BGP peer router 1 BGP Peer 1 ena Enable this peer configuration BGP Peer 1 addr 200 200 200 2 Set IP address for peer router 1 BGP Peer 1 if 200...

Страница 41: ...TP servers on every subnet It allows the administrator to reduce the number of DHCP servers deployed on the network and to centralize them Without the DHCP relay agent there must be at least one DHCP...

Страница 42: ...re shows a basic DHCP network example Figure 1 5 DHCP Relay Agent Configuration In Alteon Web switch implementation there is no need for primary or secondary servers The client request is forwarded to...

Страница 43: ...tions can only be accomplished from stations on VLANs that include an IP interface to the switch n VLAN Topologies and Design Issues on page 45 This section discusses how you can logically connect use...

Страница 44: ...known as its PVID The fac tory default value of all PVIDs is 1 This places all ports on the same VLAN initially although each port s PVID is configurable to any VLAN number between 1 and 4094 Any unta...

Страница 45: ...ssues By default the Web OS software has a single VLAN configured on every port This configura tion groups all ports into the same broadcast domain The VLAN has an 802 1Q VLAN PVID of 1 VLAN tagging i...

Страница 46: ...only for VLAN 3 so VLAN tagging is off Server 2 This high use server needs to be accessed from all VLANs and IP sub nets The server has an VLAN tagging adapter installed with VLAN tagging turned on Th...

Страница 47: ...VLAN 2 and are logically in the same IP subnet as Server 2 and PC 5 Tagging is not enabled on their switch port PC 3 A member of VLAN 1 this PC can only communicate with Server 2 and PC 5 PC 4 A membe...

Страница 48: ...mains n Ports 1 and 2 on both switches are on VLAN 10 ports 3 and 4 on both switches are on VLAN 22 Ports 5 and 6 on both switches are on VLAN 32 port 9 on both switches are on VLAN 109 n It is necess...

Страница 49: ...th fails Spanning Tree automatically sets up another active path on the network to sustain network operations The relationship between port trunk groups VLANs and Spanning Trees is shown in Table 2 1...

Страница 50: ...received BPDU to its own BPDU that it will transmit If the received BPDU is better than its own BPDU it will replace its BPDU with the received BPDU Then the Web switch adds its own bridge ID num ber...

Страница 51: ...d VLANs are members of Spanning Tree Group 1 Why Do We Need Multiple Spanning Trees Figure 2 3 shows a simple example of why we need multiple Spanning Trees Two VLANs VLAN 1 and VLAN 100 exist between...

Страница 52: ...A With a single Spanning Tree environment as shown in Figure 2 4 you will have two links blocked to prevent loops on the network It is possible that the blocks may be between Web switches C and D and...

Страница 53: ...tified on each of the three shaded areas connect ing the switches The port numbers are shown next to each switch The Spanning Tree Group STG number for each VLAN is shown at the switch Figure 2 5 Impl...

Страница 54: ...ric it is used to iden tify the VLANs participating in the Spanning Tree groups The Spanning Tree group ID is not transmitted in the BPDU Each Spanning Tree decision is based on the configuration of t...

Страница 55: ...for Spanning Tree Group 2 and forwards it out from port 8 Web switch B receives this BPDU on its port 1 Port 1 on Web switch B is on VLAN 2 Spanning Tree group 1 Because Web switch B has no additiona...

Страница 56: ...up 2 for VLAN 2 VLAN 2 is automatically removed from Spanning Tree Group 1 2 Configure the following on Web switch B Add port 1 to VLAN 2 port 8 to VLAN 3 and define Spanning Tree groups 2 for VLAN 3...

Страница 57: ...from Spanning Tree group 1 and by default VLAN 2 remains in Spanning Tree Group 1 NOTE Web switch D does not require any special configuration for multiple Spanning Trees because it configured for the...

Страница 58: ...route traffic through default gateway 5 and VLAN 3 is required to route traffic through default gateway 6 Figure 2 6 Default Gateways per VLAN You can configure 246 default gateways per VLAN with val...

Страница 59: ...from VLAN 2 uses Gateway 5 to access destination IP address 192 168 20 200 If traffic from VLAN 3 requests the same destination address then traffic is routed via Gateway 5 instead of Gateway 6 becaus...

Страница 60: ...ched to the switch cfg ip if 1 Select IP interface 1 for gateway 5 6 subnet IP Interface 1 addr 10 10 1 1 Assign IP address for interface 1 IP Interface 1 mask 255 255 255 0 Assign mask for IF 1 IP In...

Страница 61: ...xamine the results under the gateway section If any settings are incorrect make the appropri ate changes cfg ip gw 5 Select default gateway 5 Default gateway 5 addr 10 10 1 20 Assign IP address for ga...

Страница 62: ...Select the local network Menu IP Forwarding add 10 10 0 0 Specify the network for routers 1 2 3 IP Forwarding mask 255 255 0 0 Add the mask for the routers IP Forwarding add 172 21 2 0 Specify the net...

Страница 63: ...ny VLAN that has Jumbo frames enabled Isolating Jumbo Frame Traffic using VLANs Jumbo frame traffic must not be used on a VLAN where there is any device that cannot process frame sizes larger than Eth...

Страница 64: ...Non Jumbo Frame VLANs When IP routing is used to route traffic between VLANs the switch will fragment Jumbo UDP datagrams when routing from a Jumbo frame VLAN to a non Jumbo frame VLAN The result ing...

Страница 65: ...rts up to four trunk groups per switch each with two to six links Figure 3 1 Port Trunk Group Trunk groups are also useful for connecting an Alteon Web switch to third party devices that support link...

Страница 66: ...topologies however only a limited number of Layer 2 devices such as a hand ful of routers and servers feed the trunk lines When this occurs the limited number of MAC address combinations encountered...

Страница 67: ...appropriate changes c Save your new configuration changes cfg trunk 1 Select trunk group 1 Trunk group 1 add 2 Add port 2 to trunk group 1 Trunk group 1 add 4 Add port 4 to trunk group 1 Trunk group...

Страница 68: ...figured trunk group will be displayed Make sure that trunk groups consist of the expected ports and that each port is in the expected state The following restrictions apply n Any physical switch port...

Страница 69: ...ted router summarizing routes defining route maps and so forth n OSPF Configuration Examples on page 83 This section provides step by step instruc tions on configuring four different configuration exa...

Страница 70: ...stub area with additional capabilities Routes originating from within the NSSA can be propagated to adjacent transit and backbone areas External routes from outside the AS can be advertised within th...

Страница 71: ...ocal area n Area Border Router ABR a router that has interfaces in multiple areas ABRs maintain one LSDB for each connected area and disseminate routing information between areas n Autonomous System B...

Страница 72: ...ghbors including the DR Each neighbor sends its data base information to the BDR just as with the DR but the BDR merely stores this data and does not distribute it If the DR fails the BDR will take ov...

Страница 73: ...routing and can be done with static routes or using active internal routing protocols such as OSPF RIP or RIPv2 It is also useful to tell routers outside your network upstream providers or peers abou...

Страница 74: ...Command Line Interface CLI Web OS Browser Based Interface BBI for Alteon AD4 and 184 switches or through SNMP The CLI supports the following parameters interface output cost interface priority dead a...

Страница 75: ...d an area ID The command to define an OSPF area is as follows NOTE The aindex option above is an arbitrary index used only on the switch and does not represent the actual OSPF area number The actual O...

Страница 76: ...are supported be sure that the area IDs are in the same format throughout an area Attaching an Area to a Network Once an OSPF area has been defined it must be associated with a network To attach the...

Страница 77: ...27 is the highest and 1 is the lowest A priority value of 0 specifies that the interface cannot be used as a DR or BDR In case of a tie the routing device with the low est router ID wins Summarizing R...

Страница 78: ...3 there are multiple routes leading from the area In such areas traffic for unrecognized destinations cannot tell which route leads upstream without further configuration To resolve the situation and...

Страница 79: ...k must be configured on the routing devices at each endpoint of the virtual link though they may traverse multiple routing devices To configure an Alteon Web switch as one endpoint of a virtual link u...

Страница 80: ...enticated so that only trusted routing devices can participate This ensures less processing on routing devices that are not listening to OSPF packets OSPF allows packet authentication and uses IP mult...

Страница 81: ...0 on Web switches 1 2 and 3 3 Enable OSPF authentication for Area 2 on Web switch 4 4 Configure a simple text password up to eight characters for the virtual link between Area 2 and Area 0 on Web swit...

Страница 82: ...IP address serves a different and equal portion of the external world incoming traffic from the upstream router should be split evenly among ABRs n ABR Failover Complementing ABR load sharing identica...

Страница 83: ...is required for each desired network range of IP addresses being assigned to an OSPF area on the Web switch 2 Optional Configure the router ID The router ID is required only when configuring virtual l...

Страница 84: ...k that will be attached to OSPF areas In this example two IP interfaces are needed one for the backbone network on 10 10 7 0 24 and one for the stub area network on 10 10 12 0 24 2 Enable OSPF cfg ip...

Страница 85: ...ype OSPF Area index 0 enable Enable the area OSPF Area index 0 aindex 1 Select menu for area index 1 OSPF Area index 1 areaid 0 0 0 1 Set the area ID for OSPF area 1 OSPF Area index 1 type stub Define...

Страница 86: ...onfiguring virtual links Later when configuring the other end of the virtual link on Web Switch 2 the router ID specified here will be used as the target vir tual neighbor nbr address 3 Enable OSPF cf...

Страница 87: ...SPF Area index 0 aindex 1 Select menu for area index 1 OSPF Area index 1 areaid 0 0 0 1 Set the area ID for OSPF area 1 OSPF Area index 1 type transit Define area as transit type OSPF Area index 1 ena...

Страница 88: ...irtual link as follows 5 Define the transit area cfg ip if 1 Select menu for IP interface 1 IP Interface 1 addr 10 10 12 2 Set IP address on transit area network IP Interface 1 enable Enable IP interf...

Страница 89: ...the menu for area index 2 OSPF Area index 2 areaid 0 0 0 2 Set the area ID for OSPF area 2 OSPF Area index 2 type stub Define area as stub type OSPF Area index 2 enable Enable the area OSPF Area index...

Страница 90: ...200 0 through 36 128 200 255 Figure 4 7 Summarizing Routes NOTE You can specify a range of addresses to prevent advertising by using the hide option In this example routes in the range 36 128 200 0 th...

Страница 91: ...e OSPF Area index 1 enable Enable the area OSPF Area index 1 if 1 Select OSPF menu for IP interface 1 OSPF Interface 1 aindex 0 Attach network to backbone index OSPF Interface 1 enable Enable the back...

Страница 92: ...r both virtual server IP addresses 10 10 10 1 and 10 10 10 2 The upstream router sees that both addresses exist on both Web switches and uses the host route with the lowest cost for each Traffic for 1...

Страница 93: ...for real server 2 Real server 2 ena Enable the real server Real server 2 group 1 Select menu for real server group 1 Real server group 1 add 1 Add real server 1 to group Real server group 1 add 2 Add...

Страница 94: ...virtual server Virtual server 1 group 1 Use real server group 1 for http service Virtual server 1 cfg ip if 1 Select menu for IP interface 1 IP Interface 1 addr 10 10 7 1 Set IP address on backbone ne...

Страница 95: ...Interface 1 if 2 Select OSPF menu for IP interface 2 OSPF Interface 2 aindex 1 Attach network to stub area index OSPF Interface 2 enable Enable the stub area interface OSPF Interface 2 host 1 Select...

Страница 96: ...group 1 add 2 Add real server 2 to group Real server group 1 enable Enable the group Real server group 1 on Turn SLB on Layer 4 virt 1 Select menu for virtual server 1 Virtual server 1 vip 10 10 10 1...

Страница 97: ...ype transit Define backbone as transit type OSPF Area index 0 enable Enable the area OSPF Area index 0 aindex 1 Select menu for area index 1 OSPF Area index 1 areaid 0 0 0 1 Set the ID for stub area 1...

Страница 98: ...info ospf route n stats route Refer to the Web OS 10 0 Command Reference for information on the above commands OSPF Interface 2 host 1 Select menu for host route 1 OSPF Host Entry 1 addr 10 10 10 1 Se...

Страница 99: ...tch port you can set a source IP address or range that will be allowed to connect to the switch IP interface through Telnet SSH SNMP or the Web OS Browser Based Interface BBI This will also help preve...

Страница 100: ...0 and the mmask is set to 255 255 255 128 This defines the following range of allowed IP addresses 192 192 192 1 to 192 192 192 127 n A host with a source IP address of 192 192 192 21 falls within the...

Страница 101: ...ryption of management information exchanged between the remote administrator and the switch Examples of protocols to encrypt management information are SSH Secure Shell and SCP Secure Copy Authenticat...

Страница 102: ...ation protocol support acting as a client in the AA model n A back end authentication and authorization server that performs the following functions o Authenticates remote administrators o Checks the...

Страница 103: ...ent will communicate to the RADIUS server to authenticate and authorize a remote administrator using the protocol defini tions specified in RFC 2138 and 2866 Transactions between the client and RADIUS...

Страница 104: ...the secondary authen tication server Use the cfg sys radius cur command to show the currently active RADIUS authentication server n Supports user configurable RADIUS server retry and time out values...

Страница 105: ...for future use to provide access to operational commands for operators managing traffic on the line leading to the shared Internet services l4oper Operator The Operator manages all functions of the s...

Страница 106: ...an option to allow backdoor access via the console only or console and telnet access The default is disable for telnet access and enable for console access All user privileges other than those assigne...

Страница 107: ...Using SSH gives administrators an alternate way to manage the switch one that provides strong security SCP is typically used to copy files securely from one machine to another SCP uses SSH for encryp...

Страница 108: ...et the SCP admin password this password must be different from the admin password The following SCP commands are supported in this service These commands are entered using the CLI on the client that i...

Страница 109: ...To generate a host key n To generate a server key Again the host and server key are automatically stored in FLASH memory when generated NOTE For security reasons the SSHD menu options are available v...

Страница 110: ...ord the SecurID authentication is being performed now You will need to provide your actual username and the token in your SecurID card as a regular Telnet user would do in order to log in To use SCP y...

Страница 111: ...if the switch is busy doing other key or cipher generation when the timer expires To enable or disable the SCP apply and save SCP putcfg_apply and putcfg_apply_save commands use these commands The fol...

Страница 112: ...name switch IP address n To download the switch configuration using SCP scp switch IP address getcfg local filename n To upload the configuration to the switch scp local filename switch IP address put...

Страница 113: ...ing Ports Figure 5 2 shows two mirrored ports monitored by a single port Similarly you can have a sin gle or groups of n a mirrored port to a monitored port n many mirrored ports to one monitored port...

Страница 114: ...iguration cfg pmirr monport 5 Select port 5 for monitoring Port 5 add 1 Select port 1 to mirror Enter port mirror direction in out or both in Monitor ingress traffic on port 1 Port 5 add 3 Select port...

Страница 115: ...ry IP however is not optimized for all the various applications Web switching goes beyond IP and makes intelligent switching decisions based on the application and its data This sections details the f...

Страница 116: ...Web OS 10 0 Application Guide 116 n Web Switching Fundamentals 212777 A February 2002...

Страница 117: ...rovides reliability performance and ease of maintenance on your network o Network Topology Requirements on page 122 This section provides key require ments to consider before deploying server load bal...

Страница 118: ...back up without interrupting access to services n Increased scalability of services As users are added and the server pool s capabilities are saturated new servers can be added to the pool transparen...

Страница 119: ...often happens in networks where other servers are actually available The solution to getting the most from your servers is SLB With this software feature the switch is aware of the services provided b...

Страница 120: ...ch receives the request it binds the session to the IP address of the best available real server and remaps the fields in each frame from virtual addresses to real addresses IP FTP RTSP IDS and static...

Страница 121: ...num ber of simultaneous Web connection requests also increases Figure 6 2 Web Hosting Configuration Without SLB Such a company has three primary needs n Increased server availability n Server performa...

Страница 122: ...ndard SLB all client requests to a virtual server IP address and all responses from the real servers must pass through the switch as shown in Figure 6 4 If there is a path between the client and the r...

Страница 123: ...onfigured to process server responses to cli ent requests provide address translation from the real server IP address to the virtual server IP address These ports require real servers to be connected...

Страница 124: ...Assign an IP address to each of the real servers in the server pool The real servers in any given real server group must have an IP route to the switch that per forms the SLB functions This IP routing...

Страница 125: ...l IP address and enable the real server For example 4 Define a real server group and add the three real servers to the service group cfg ip if 1 Select IP interface 1 IP Interface 1 addr 200 200 200 1...

Страница 126: ...le Services on page 130 6 Define the port settings In this example the following ports are being used on the Web switch Real server group 1 cfg slb virt 1 Select virtual server 1 Virtual server 1 vip...

Страница 127: ...then check the information again Virtual server 1 cfg slb port 1 Select physical switch port 1 SLB port 1 server ena Enable server processing on port 1 SLB port 1 port 2 Select physical switch port 2...

Страница 128: ...verflow Servers on page 135 Supported Services and Applications Each virtual server can be configured to support up to eight services limited to a total of 256 services per switch Using the cfg slb vi...

Страница 129: ...r SLB By default the imask setting is 255 255 255 255 which means that each real and virtual server represents a single IP address An imask setting of 255 255 255 0 would mean that each real and virtu...

Страница 130: ...ails a health check for a service then the status of the real server for the second service appears as blocked If you are configuring two independent services such as FTP and SMTP where the real serve...

Страница 131: ...ncing is achieved when the IP address destinations of load balanced frames are spread across a broad range of IP subnets n For SLB the client source IP address and real server IP address are used All...

Страница 132: ...is added to or leaves the mix then a different server might be assigned to a subsequent session with the same IP address information even though the original server is still available Open connection...

Страница 133: ...real server octet counts to assign sessions to a server The switch monitors the number of octets sent between the server and the switch Then the real server weights are adjusted so they are inversely...

Страница 134: ...d of all connections on the designated real server to four minutes Maximum Connections for Real Servers You can set the number of open connections each real server is allowed to handle for SLB To set...

Страница 135: ...l server group If all real servers in a real server group fail or overflow the backup comes online Real server groups can also use another real server group for backup overflow cfg slb real 4 Select r...

Страница 136: ...nt sends its own IP address for use as a return address If a proxy IP address is configured for the client port on the switch the switch replaces the client s source IP address with the switch s own p...

Страница 137: ...ple Port Usage Port Host L4 Processing 1 Server A None 2 Server B None 3 Server C None 4 Back end NFS server provides centralized Web content for all three real servers This port does not require Web...

Страница 138: ...of this manual and for information on using the commands see the Web OS Command Reference cfg slb adv matrix for more information 4 Apply and save your changes NOTE Remember that you must apply any c...

Страница 139: ...pping is supported with Direct Access Mode DAM For infor mation about DAM refer to Using Direct Access Mode on page 143 Mapping a Single Virtual Server Port to Multiple Real Server Ports To take advan...

Страница 140: ...o ports 8001 and 8002 for HTTP services the logical real servers are n 192 168 2 1 8001 n 192 168 2 1 8002 n 192 168 2 2 8001 n 192 168 2 2 8002 n 192 168 2 3 8001 n 192 168 2 3 8002 n 192 168 2 4 800...

Страница 141: ...cfg slb virt virtual server number service virtual port the switch maps the virtual port to the real port NOTE To use the single virtual port to multiple rport feature configure this real server port...

Страница 142: ...arge amounts of data are flowing from servers to clients such as with content providers or portal sites that typically have asymmetric traffic patterns DSR and content intelligent Layer 7 switching ca...

Страница 143: ...ith DAM enabled any number of virtual services can be configured to load balance a real service Traffic sent directly to real server IP addresses is excluded from load balancing decisions The same cli...

Страница 144: ...SLB processing as it returns through the Web switch with the real server IP address getting remapped back to the virtual server IP address on the Web switch First two port processes must be executed o...

Страница 145: ...lanced NOTE Clients on the management network do not have access to SLB services and cannot access the virtual services being load balanced The mnet and mmask options are described below n mnet If def...

Страница 146: ...instead sends another SYN request the server gets saturated with SYN requests As a result all of the servers resources are consumed and it can no longer service legitimate client requests Figure 6 9...

Страница 147: ...hus pre venting the server from being inundated with SYN requests NOTE Delayed binding is automatically enabled when content intelligent switching features are used However if you are not parsing cont...

Страница 148: ...ides enhanced security n Improves visibility and protection for DoS attacks The probability of a SYN attack is higher if excessive half open sessions are being generated on the Web switch Half open se...

Страница 149: ...er Load Balancing IP server load balancing allows you to configure your Web switch for server load balancing based on client s IP address only Typically the client IP address is used with the client p...

Страница 150: ...annel the passive FTP mode does not pose a prob lem with firewalls and is the most common mode of operation FTP Network Topology Restrictions FTP network topology restrictions are listed below n FTP u...

Страница 151: ...e switch to send TCP DNS queries to one group of real servers and UDP DNS queries to another group of real servers The requests are then load balanced among the real servers in that group Figure 6 11...

Страница 152: ...address Real server 20 real 21 Real server 21 ena Enable real server 21 Real server 21 rip 10 10 10 21 Specify the IP address Real server 20 real 22 Real server 22 ena Enable real server 22 Real serve...

Страница 153: ...oes not process session requests with a TCP three way handshake 4 Enable UDP DNS queries 5 Apply and save your configuration cfg slb virt 1 vip 20 20 20 20 Specify the virt server IP address Virtual S...

Страница 154: ...based load balancing make sure to disable UDP DNS queries 5 Apply and save your configuration cfg slb virt 2 vip 20 20 20 20 Specify the virt server IP address Virtual Server 2 ena Enable the virtual...

Страница 155: ...metric URL hashing and URL pattern matching and all Layer 4 load balancing metrics RTSP load balancing with the URL hash metric can be used to load balance cache servers that cache multimedia presenta...

Страница 156: ...be played over the Internet using RTSP are specially formatted and are called hinted QuickTime files Normal QuickTime files cannot be used for streaming The QuickTime files have the extension mov Qui...

Страница 157: ...for Layer 4 load balancing of RTSP select rtsp or port 554 as a service for the virtual server 2 To configure a virtual server for Layer 7 URL hashing of RTSP select rtsp as a virtual service and enab...

Страница 158: ...teway the request should go WAP SLB is based on RADIUS static session entry or RADIUS snooping The following topics are discussed in this section n Using RADIUS Static Session Entries n Using RADIUS S...

Страница 159: ...ssion The WAP gateway issues another Add Session request on detecting that it has lost a request The WAP gateway detects this situation when it receives WAP traffic that does not belong to that WAP ga...

Страница 160: ...s It needs to know the type of the RADIUS Accounting message the client IP address the caller ID and the user s name If it finds this information the switch adds a session entry to its session table I...

Страница 161: ...n Protocol SLB 1 Enable the external notification from WAP gateway to add and delete session request 2 Enable TPCP for adding and deleting WAP sessions Configuring RADIUS Snooping Consider the followi...

Страница 162: ...not available in the RADIUS Accounting packets In such a case the switch uses USER_NAME to choose a WAP server instead of CALLING_STATION_ID Thus persistence cannot be maintained Configure the follow...

Страница 163: ...rd the information about the intruders IDS Server Load Balancing helps scale intrusion detection systems since it is not possible for an individual server to scale information being processed at gigab...

Страница 164: ...s are not applicable to IDS server load balancing Configuring IDS Server Load Balancing To configure your switch for IDS do the following NOTE IDS SLB is supported only when RTSP SLB or WAP RADIUS Sno...

Страница 165: ...for the clients 5 Define the group health check If you implemented IDS without an IP address link health check is specifically developed for IDS load balancing Use ICMP health check if your IDS server...

Страница 166: ...used to steer requests initiated within the user s network and his her responses over the appropriate link at that moment in time How WAN Link Load Balancing Works The Web switch uses redirection fil...

Страница 167: ...ction filter 5 Enable WAN link load balancing proxy for the redirection filter 6 Apply and save your changes cfg slb real 1 Select the real server menu Real server 1 ena Enable real server 1 Real serv...

Страница 168: ...Web OS 10 0 Application Guide 168 n Chapter 6 Server Load Balancing 212777 A February 2002...

Страница 169: ...page 176 o IP Address Ranges on page 178 o Cache Enabled versus Cache Disabled Filters on page 178 n TCP Rate Limiting on page 179 This section explains how TCP rate limiting allows you to monitor th...

Страница 170: ...rns For more information see Layer 7 Deny Filter on page 417 This gives the administrator control over the types of traffic permitted through the switch Any filter can be optionally configured to gene...

Страница 171: ...er criteria you can create a single filter that blocks external Telnet traffic to your main server except from a trusted IP address Another filter could warn you if FTP access is attempted from a spec...

Страница 172: ...pplied first For example consider a filter system where the Internet is divided according to destination IP address Figure 7 1 Assigning Filters According to Range of Coverage Assuming that traffic is...

Страница 173: ...iguring filters for IP traffic con trol and redirection Using default filters can increase session performance but takes some of the session binding resources If you experience an unacceptable number...

Страница 174: ...ned based on data traffic for example ingress traffic on VLAN 1 egress traffic on VLAN 2 and management traffic on VLAN 3 filters can be applied accordingly to the different VLANs In the following exa...

Страница 175: ...From any source IP address Filter 2 dip 205 177 15 0 To base local network dest address Filter 2 dmask 255 255 255 0 For entire subnet range Filter 2 proto tcp For TCP protocol traffic Filter 2 sport...

Страница 176: ...and 80 Peak processing efficiency is achieved when filters are numbered sequentially beginning with 1 Filter Logs To provide enhanced troubleshooting and session inspection capability packet source an...

Страница 177: ...is shown below displaying the filter number port source IP address and destination IP address cfg slb filt 15 Select filter 15 Filter 15 sip any From any source IP address Filter 15 dip any To any des...

Страница 178: ...sabled Filters To improve efficiency by default the Web switch performs filter processing only the first frame in each session Subsequent frames in the session are assumed to match the same criteria a...

Страница 179: ...The switch monitors the number of new TCP connections and when it exceeds the configured limit any new TCP connection request is blocked When this occurs the client is said to be held down The client...

Страница 180: ...nnections to a virtual IP address or a group of virtual IP addresses Basic TCP Rate Limiting Filter The following example shows how to configure TCP rate limiting for Filter 10 in Figure 7 5 1 Enable...

Страница 181: ...g attacked The default is 100 TCP connections per second For larger sites TCP rate limit greater than 2550 connection per second indicates the possibility that your switch is under attack 4 Set the ho...

Страница 182: ...ond 150 connections second Any client with source IP address equal to 30 30 30 x is allowed to make 150 new TCP con nections per second to any single destination When the rate limit of 150 is met the...

Страница 183: ...s 2 seconds hold down time holddur x slowage 5 x 8 minutes 40 minutes max rate maxcon time window 200 connections 2 seconds 100 connections second cfg slb filt 100 ena Enable the filter Filter 100 dip...

Страница 184: ...e 24 bit source IP address ensures that client requests access the same cache 2 Set the metric for the real server group to minmisses or hash The source IP address is passed to the real server group f...

Страница 185: ...is generally recommended that you configure filters to deny all traffic except for those services that you specifically wish to allow In this example the administrator wishes to install basic securit...

Страница 186: ...IP subnet 2 Create a default filter that will deny and log unwanted traffic The default filter is defined as Filter 224 in order to give it the lowest order of precedence NOTE Because the proto parame...

Страница 187: ...port Filter 1 action allow Allow matching traffic to pass Filter 1 name allow matching traffic Provide a descriptive name for the filter Filter 1 ena Enable the filter Filter 1 filt 2 Select the menu...

Страница 188: ...and outgoing Filter 3 filt 4 Select the menu for Filter 4 Filter 4 sip any From any source IP address Filter 4 dip 205 177 15 0 To base local network dest address Filter 4 dmask 255 255 255 0 For enti...

Страница 189: ...in From a DNS source port Filter 7 dport any To any destination port Filter 7 action allow Allow matching traffic to pass Filter 7 ena Enable the filter Filter 7 filt 8 Select the menu for Filter 8 Fi...

Страница 190: ...y appropriate configuration changes and then check the information again NOTE Changes to filters on a given port do not take effect until the port s session information is updated every two minutes or...

Страница 191: ...ly unique IP addresses With NAT private networks are not required to remain isolated NAT capabilities within the switch allow internal private network IP addresses to be translated to valid publicly a...

Страница 192: ...n nat Use the same settings as outbound Filter 11 nat dest Reverse the translation direction Filter 11 sip 10 10 10 0 Use the same settings as outbound Filter 11 smask 255 255 255 0 Use the same setti...

Страница 193: ...rnal private network require TCP UDP access to the Internet Figure 7 9 Dynamic Network Address Translation NOTE Dynamic NAT can also be used to support ICMP traffic for PING This example requires a NA...

Страница 194: ...Filter 14 dip 10 10 10 0 If the destination is not private Filter 14 dmask 255 255 255 0 For the entire private subnet range Filter 14 sip any From any source IP address Filter 14 action nat Perform...

Страница 195: ...witch can monitor the control channel and replace the client s private IP address with a proxy IP address defined on the switch When a client in active FTP mode sends a port com mand to a remote FTP s...

Страница 196: ...destination is not private Filter 14 dmask 255 255 255 0 For the entire private subnet range Filter 14 sip any From any source IP address Filter 14 action nat Perform NAT on matching traffic Filter 1...

Страница 197: ...ag filters must be cache disabled Exercise caution when applying cache enabled and cache disabled filters to the same switch port For more information see Cache Enabled versus Cache Disabled Filters o...

Страница 198: ...server would listen to the TCP SYN allocate buffer space for the connection and reply to the connect request In some SYN attack scenarios this could cause the server s buffer space to fill crashing th...

Страница 199: ...pass Filter 15 ena Enable the filter Filter 15 adv tcp Select the advanced TCP menu Filter 15 Advanced ack ena Match acknowledgments only Filter 15 Advanced cfg slb filt 16 Select a filter for incomi...

Страница 200: ...B port 1 add 16 Add the incoming HTTPS filter SLB port 1 add 224 Add the default filter to the port SLB port 1 filt ena Enable filtering on the port SLB port 1 port 2 Select the first Web server port...

Страница 201: ...ge types ICMP message type filtering must be enabled Web OS software supports filtering on the following ICMP message types Table 7 6 ICMP Message Types Type Message Type Description 0 echorep ICMP ec...

Страница 202: ...ne time The any option disables ICMP message type filtering The list option displays a list of the available ICMP message types that can be entered NOTE ICMP message type filters must be cache disable...

Страница 203: ...e on page 206 This section provides a step by step procedure on how to intercept all Internet bound HTTP requests on default TCP port 80 and redirect them to the Web cache servers n RTSP Web Cache Red...

Страница 204: ...ation redirection filters are properly configured for the Web OS powered switch outbound client requests for Internet data are intercepted and redirected to a group of application or Web cache servers...

Страница 205: ...ng services n Performance is improved by balancing the cached Web request load across multiple serv ers More servers can be added at any time to increase processing power n The proxy is transparent to...

Страница 206: ...protocols and TCP or UDP applications shown in this example See Table 6 3 on page 128 and Table 7 2 on page 171 for a list of other well known protocols and services 1 Assign an IP address to each of...

Страница 207: ...pecify its actual IP address and enable the real server For example 5 Define a real server group This places the three Web cache real servers into one service group cfg ip if 1 Select IP interface 1 I...

Страница 208: ...edirected traffic will be sent The port defined by the rport parameter is used when performing Layer 4 health checks of TCP services Also if NAT and proxy addresses are used on the Web switch see Step...

Страница 209: ...S Command Reference 12 Examine the resulting information from the cur command If any settings are incorrect make appropriate changes Filter 2 filt 224 Select the default filter Filter 224 sip any From...

Страница 210: ...filters on a given port only effect new sessions To make filter changes take effect immediately clear the session binding table for the port see the oper slb clear command in the Web OS Command Refere...

Страница 211: ...te locally Since the requests for this data are directed to the local cache they are served faster You can also configure certain URL content to be non cacheable The requests for non cacheable URLs wi...

Страница 212: ...port rtsp Enter service port for RTSP Filter 1 rport rtsp Enter redirection port for RTSP Filter 1 group 1 Select RTSP cache server group 1 Filter 1 adv Select advanced menu for filter 1 Filter 1 Adva...

Страница 213: ...sses to the redirection ports Each of the ports using redirection filters require proxy IP addresses to be configured Each proxy IP address must be unique on your network These are configured as follo...

Страница 214: ...of other well known services and ports see the Web OS Command Reference 4 Apply and save your changes 5 Check server statistics to verify that traffic has been redirected based on filtering criteria...

Страница 215: ...e if you wished to prevent a popular Web based game site on subnet 200 10 10 from being redirected you could add the following to the previous example configuration cfg slb filt 1 Select the menu for...

Страница 216: ...Web OS 10 0 Application Guide 216 n Chapter 8 Application Redirection 212777 A February 2002...

Страница 217: ...enable VMA especially when using Bandwidth Management and Content Intelligent Switch ing for multiple frames processing up to 4500 bytes Proxy IP Addresses and VMA By default VMA is enabled on the Web...

Страница 218: ...bled is processed by other ports that have been configured with a proxy IP address but the client source address will not be replaced with a proxy IP address before it is forwarded to a server NOTE VM...

Страница 219: ...client queries made to the Virtual server IP address when the server is in Direct Server Return DSR mode n Link Health Checks on page 223 This section describes how to perform Layer 1 health checking...

Страница 220: ...ks on page 238 This section explains how to use Net work News Transfer Protocol NNTP server to perform health checks between a cli ent system and a mail server and how to configure the switch for NNTP...

Страница 221: ...us of each service on each real server every two sec onds Sometimes the real server may be too busy processing connections to respond to health checks If a service does not respond to four consecutive...

Страница 222: ...checks for DSR configurations For more informa tion see Using Direct Server Return on page 142 The switch is able to verify that the server correctly responds to requests made to the virtual server IP...

Страница 223: ...1 health checking on the IDS As long as the physical link between the switch and the IDS is up it indicates the IDS is alive To perform this health check a link option has been added to the real serv...

Страница 224: ...uests identify both failed servers and failed services on a healthy server When a connection request succeeds the session switch quickly closes the connection by sending a TCP FIN finished packet NOTE...

Страница 225: ...of multiple domains or Web sites Web OS supports the following capacity for a single switch n 1024 bytes per script n 16 scripts per switch n approximately 10 to 15 health check statements HTTP get a...

Страница 226: ...ww hostname com press Enter key twice This is known as a host header It is important to include because most Web sites now require it for proper processing Host headers were optional in HTTP 1 0 but a...

Страница 227: ...heck Configure the switch to check a series of Web pages HTML or dynamic CGI scripts before it declares a real server is available to receive requests NOTE If you are using the CLI to create a health...

Страница 228: ...h check statements to check all the substrings involved in all the real servers Site 1 with Virtual Server 1 and the following real servers n Real Server 1 and Real Server 2 images n Real Server 3 and...

Страница 229: ...ll respond to the first GET health check If all the real server IP addresses are down Real Server 7 the virtual server IP address of the remote site will respond with an HTTP Redirect respond code 302...

Страница 230: ...ecks on page 233 n FTP Server Health Checks on page 234 n POP3 Server Health Checks on page 235 n SMTP Server Health Checks on page 236 n IMAP Server Health Checks on page 237 n NNTP Server Health Che...

Страница 231: ...dex html Health check is performed using GET index html HTTP 1 1 Host everest alteonwebsystems com NOTE If the content is not specified the health check will revert back to TCP on the port that is bei...

Страница 232: ...everest index html Health check is performed using GET index html HTTP 1 1 Host everest Configuring the Switch for HTTP Health Checks Perform the following on the switch to configure the switch for H...

Страница 233: ...ried may be modified by specifying the content command if you need to change the domain name Configuring the Switch for UDP based Health Checks Configure the switch to verify if the DNS server is ali...

Страница 234: ...t up it is always initiated by the client However either the client or the server may be the sender of data Along with transferring user requested files the data transfer mechanism is also used for tr...

Страница 235: ...POP3 service by listening on TCP port 110 When a client host wants to make use of the service it establishes a TCP connection with the server host Configuring the Switch for POP3 Health Checks To supp...

Страница 236: ...il client using either POP or IMAP Configuring the Switch for SMTP Health Checks To support SMTP health checking the network administrator must configure a username pass word value in the switch using...

Страница 237: ...he switch using the content option on the SLB Real Server Group Menu cfg slb group To configure the switch for IMAP health checks 1 Select the health check menu for the real server group 2 Set the hea...

Страница 238: ...net community NNTP is designed so that news articles are stored in a central database allowing a subscriber to select only those items he wishes to read NNTP is documented in RFC977 Articles are trans...

Страница 239: ...ifying the user name and password the data base may specify the client s or port s the user is allowed to access NOTE Network attached storage NAS is hard disk storage that is set up with its own net...

Страница 240: ...verifies fields in the response and marks the service Up if the fields are OK During the handshake the user and server exchange security certificates negotiate an encryp tion and compression method an...

Страница 241: ...the gateway is also specified in the form of hexadecimal byte string The switch matches each byte of this string with the received content If there is a mismatch of even a single byte on the received...

Страница 242: ...Hello based health check for connection oriented WTLS traffic on port 9203 The web switch sends a new WTLS Client Hello to the WAP gateway and checks to see if it receives a valid WTLS Server Hello b...

Страница 243: ...protocol session by sending an anonymous bind request to the server n Bind response On receiving the bind request the server sends a bind response to the switch If the result code indicates that the...

Страница 244: ...check type to LDAP for the real server group 3 Apply and save your configuration Determining the Version of LDAP 1 Select the Advanced Menu 2 Set the version of LDAP The default version is 2 3 Apply a...

Страница 245: ...e health check consists of the following sequence of actions 1 Accessing the ARP table 2 Looking for the session entry in the ARP table If the entry exists in the table that means the real server is u...

Страница 246: ...iled service from load balancing allows users access to all healthy servers supporting a given service When a service on a server is in the service failed state the session switch sends Layer 4 connec...

Страница 247: ...lemented in Web OS n High Availability Configurations on page 263 This section discusses a few of the more useful and easily deployed redundant configurations o Active Standby Virtual Server Router Co...

Страница 248: ...ly process traffic addressed to it Because the router associated with a given alternate path supported by VRRP uses the same IP address and MAC address as the routers for other paths the host s gatewa...

Страница 249: ...ot to implement an IP address owner For the purposes of this chapter VRRP routers that are not the IP address owner are called renters Master and Backup Virtual Router Within each virtual router one V...

Страница 250: ...al interface is configured with an IP address that is on the same subnet as the virtual interface router but is not the IP address of the virtual interface router The virtual interface router has been...

Страница 251: ...nge permitted for non owners If there is an IP address owner it is always the master for the virtual interface router as long as it is available The master periodically sends advertisements to an IP m...

Страница 252: ...kup for the virtual interface router with VRID 1 In this manner both routers can actively forward traffic at the same time but not for the same interface Figure 11 2 Example 2 VRRP Router Table 11 1 A...

Страница 253: ...lls it into action Service pro viders now demand that vendors equipment support redundant configurations where all devices can process traffic when they are healthy increasing site throughput and decr...

Страница 254: ...al server IP addresses and acts as a standby for other services on the other switch If either switch fails the remaining switch takes over processing for all services The backup switch may forward Lay...

Страница 255: ...the same service at the same time both switches can be active simultaneously for a given IP routing interface or load balancing virtual server VIP Figure 11 5 Active Active Redundancy In the example a...

Страница 256: ...ciated with it and is now based on VRRP In a hot standby configuration two or more switches provide redundancy for each other One switch is elected master and actively processes Layer 4 traffic The ot...

Страница 257: ...e also used to help bridges learn the virtual router MAC address Since all of the virtual routers can have different virtual router identifiers VRIDs you must rotate the MAC source address of the adve...

Страница 258: ...forces the user to configure a inter switch link when hot standby is globally enabled and prohibits the inter switch link from also being a hot standby link for VRRP advertisements These advertisement...

Страница 259: ...ed Only the master can process packets that are destined for the virtual server IP address and respond to ARP requests One difference between virtual server routers and virtual interface routers is th...

Страница 260: ...sed in configurations where incoming packets have more than one entry point into the virtual router for example where a hub is used to connect the switches Table 11 2 Sharing Active Active Failover We...

Страница 261: ...g to have any effect on virtual router operation preemption must be enabled NOTE Tracking only affects hot standby and active standby configurations It does not have any effect on active active sharin...

Страница 262: ...er This parameter influences the VRRP router s prior ity in both virtual interface routers and virtual server routers Number of healthy real servers behind the virtual server IP address that is the sa...

Страница 263: ...ming packets will be seen by more than one switch such as instances where a hub is used to connect the switches In this configuration when both switches are healthy only the master responds to packets...

Страница 264: ...Synchronizing Configurations on page 282 6 Change the real servers in the Web switch 2 configuration to RIP 205 178 13 105 RIP 205 178 13 106 RIP 205 178 13 107 and RIP 205 178 13 108 Adjust Web swit...

Страница 265: ...alanced packets are sent to the virtual server IP address resulting in higher capacity and performance than when the switches are used in an active standby configuration The switch on which a frame en...

Страница 266: ...226 and priority Be sure to enable sharing 5 Synchronize the SLB and VRRP configurations by pushing the configuration from Web switch 1 to Web switch 2 Use the oper slb sync command 6 Reverse the rol...

Страница 267: ...an 15 min utes to complete You can use either the Web OS Browser Based Interface BBI or the Com mand Line Interface CLI for configuration Task 1 Background Configuration 1 Define the IP interfaces The...

Страница 268: ...enabled by default Make sure IP forwarding is enabled if the virtual server IP addresses and real server IP addresses are on different subnets or if the switch is connected to different subnets and t...

Страница 269: ...10 10 6 24 n RIP 3 20 10 10 5 24 n RIP 4 20 10 10 6 24 n RIP 5 30 10 10 5 24 n RIP 6 30 10 10 6 24 n RIP 7 200 1 1 5 24 n RIP 8 200 1 1 6 24 2 Define the real server groups adding the appropriate rea...

Страница 270: ...stined for a load balanced service Defining a server port state tells the port to the do the remapping NAT of the real server IP address back to the virtual server IP address Note the following n The...

Страница 271: ...ciate with IP interface 5 Address 200 200 200 104 2 Configure virtual routers 1 3 5 and 7 These virtual routers will act as the default gateways for the servers on each respective subnet Because these...

Страница 272: ...R 3 Priority 101 n VR 4 Priority 101 4 Configure priority tracking parameters for each virtual router For this example the best parameter s on which to track is Layer 4 ports l4pts Use the following c...

Страница 273: ...as Customer Name Switch 1 then type the following command in the switch command line interface cfg dump A script will be dumped out d Stop logging your session transfer capture text stop Modify the sc...

Страница 274: ...deleted by resetting it to factory settings using the following command You can tell if the switch is at factory default when you log on because the switch will prompt you if you want to use the step...

Страница 275: ...time is 45 50 seconds much longer than the typical failover rate using VRRP only NOTE To use hot standby redundancy peer switches must have an equal number of ports Figure 11 10 Hot Standby Configurat...

Страница 276: ...RP menu enable VRRP group mode then enable hot standby 3 Sync the VRRP SLB and filter settings to the other switch same ports NOTE Switches peering with each other must have an equal number of ports 4...

Страница 277: ...unexpected operational characteristics and therefore are not recommended Synchronizing Active Active Failover The hot standby failover required the primary and secondary switches to have identical con...

Страница 278: ...active failover is significantly different from the hot standby failover method supported in previous releases As shown in Figure 11 11 active active configurations can introduce loops into complex L...

Страница 279: ...o Eliminate Loops When using VRRP you can decrease failover response time by using VLANs instead of STP to separate traffic into non looping broadcast domains An example is shown in Figure 11 13 Figur...

Страница 280: ...in the process n If Web switch 1 is the master and it has two or more active servers fewer than Web switch 2 then Web switch 2 becomes the master n If Web switch 2 is the master it remains the master...

Страница 281: ...ng So Web switch 1 s priority will settle out at 112 and Web switch 2 s priority at 125 When both servers are restored to Web switch 1 that switch s priority will rise by 12 2 healthy real servers X 6...

Страница 282: ...IP address as follows Similarly from switch 2 configure switch 1 as a peer and specify its IP address as follows Port specific parameters such as what filters are applied and enabled on what ports are...

Страница 283: ...does not synchronize all sessions except persistent sessions Make sure Direct Access Mode DAM is enabled when you configure stateful failover for Layer 7 persistency for example SSL session ID persist...

Страница 284: ...l failover the following sequence of events occurs 1 The backup switch Switch 2 becomes active 2 The incoming request is redirected to Switch 2 3 When the user clicks Submit again the request is forwa...

Страница 285: ...Enable stateful failover 2 Set the update interval On the Backup Switch 1 Turn on stateful failover 2 Set the update interval NOTE The update does not have to be the same for both switches Stateful f...

Страница 286: ...the info vrrp command If the switch is a master If the switch is a backup info vrrp View VRRP Information VRRP information 1 vrid 1 172 21 16 187 if 4 renter prio 109 master server 3 vrid 3 192 168 1...

Страница 287: ...ags and cookies so that each request can be isolated and treated intelligently This section describes the following advanced Web switching applications n Global Server Load Balancing n Firewall Load B...

Страница 288: ...Web OS 10 0 Application Guide 288 n Advanced Web Switching 212777 A February 2002...

Страница 289: ...oad Balancing GSLB across multiple geographic sites The following topics are covered n GSLB Overview on page 290 n Configuring GSLB on page 293 n IP Proxy for Non HTTP Redirects on page 304 n Verifyin...

Страница 290: ...rforming sites receive a majority of traffic over a given period of time but are not overwhelmed n Switches at different sites regularly exchange information through the Distributed Site State Protoco...

Страница 291: ...NS resolution for GSLB is described in detail in the following procedure 1 The client Web browser requests the www foocorp com IP address from the local DNS 2 Client s DNS asks its upstream DNS which...

Страница 292: ...knows that Foo Corp Denver currently provides better service and lists Foo Corp Denver s virtual server IP address first when responding to the DNS request 5 The client connects to Foo Corp Denver for...

Страница 293: ...figure the switch at each site to act as the DNS server for each service that is hosted on its virtual servers Also configure the local DNS server to recognize the switch as the authoritative DNS serv...

Страница 294: ...mmand Line Interface CLI as the administrator n Both of the following optional software keys must be activated o SLB o GSLB NOTE For details about any of the processes or menu commands described in th...

Страница 295: ...I NOTE This example assumes that all ports and IP interfaces use default VLAN 1 requiring no special VLAN configuration for the ports or IP interface 3 On the California switch define the default gate...

Страница 296: ...California switch define a real server group Combine the real servers into one service group and set the necessary health checking parame ters In this example HTTP health checking is used to ensure t...

Страница 297: ...n the Web switch The ports are configured as follows 6 On the California switch enable SLB Real server group 1 virt 1 Select virtual server 1 Virtual server 1 vip 200 200 200 1 Assign a virtual server...

Страница 298: ...d at the California site The new real server entry is configured with the IP address of the remote virtual server rather than the usual IP address of a local physical server Do not confuse this value...

Страница 299: ...then check again 6 Save your new configuration changes Task 4 Configure the Basics at the Denver Site Following the same procedure described for California see Example GSLB Topology on page 294 config...

Страница 300: ...Denver server pool 2 On the Denver switch define each local real server cfg ip if 1 Select IP interface 1 IP Interface 1 addr 174 14 70 100 Assign IP address for the interface IP Interface 1 ena Enab...

Страница 301: ...ecks Real server group 1 virt 1 Select virtual server 1 Virtual server 1 vip 179 14 70 1 Assign IP address Virtual server 1 service http Select the HTTP service menu Virtual server 1 http service grou...

Страница 302: ...is step the local Denver site is configured to recognize the services offered at the remote California site As before configure one real server entry on the Denver switch for each virtual server locat...

Страница 303: ...your new configuration changes Remote site 1 cfg slb real 3 Create an entry for real server 3 Real server 3 rip 200 200 200 1 Set remote virtual server IP address Real server 3 remote enable Define t...

Страница 304: ...ese applications requires that a proxy IP address be configured on the client port The client port will initiate a redirect only if resources are unavailable at the first site NOTE This feature should...

Страница 305: ...e at Site 1 Site 1 completes TCP three way handshake with client Non HTTP application no redirection 2a Client DNS request reaches Site 2 Resources are unavailable at Site 2 Site 2 sends a request to...

Страница 306: ...ss at Site 2 as the destination IP address 3 The switch at Site 2 receives the POP3 TCP SYN request to its virtual server The request looks like a normal SYN frame so it performs normal local load bal...

Страница 307: ...sses on Site 2 the following commands are issued on the Denver switch cfg slb port 6 Select port to default gateway SLB port 6 pip 200 200 200 4 Set unique proxy IP address SLB port 6 proxy enable Ena...

Страница 308: ...r group number o stats slb maint Configuring Client Site Preferences Internet Assigned Numbers Authority IANA the central coordinator for the assignment of unique parameter values for Internet protoco...

Страница 309: ...re 12 5 GSLB Proximity Tables How They Work The following example illustrated in Figure 12 6 on page 310 shows how to add entries into a GSLB proximity table Two client networks A and B are configured...

Страница 310: ...ites The Web switch forwards the client request based on the minimum available sessions and response time between the two preferred sites Internet Client Site B DNS Request Client Site A DNS Request 2...

Страница 311: ...cfg slb gslb lookup lookups ena Enable the lookup or proximity table dname nortelnetworks com Select the domain name network 1 Select Client A subnet sip 205 178 13 0 Assign source address for Client...

Страница 312: ...the Internet by distributing the IP blocks that contain that content to several sites When using DNS to select the site a single packet is used to make the decision so that the request will not be spl...

Страница 313: ...works using two parallel firewalls and two Web switches The basic FWLB method combines redirection filters and static routing for FWLB n Four Subnet FWLB on page 326 Explanation and example configurat...

Страница 314: ...le example all traffic passing between the dirty clean and DMZ networks must traverse the firewall which examines each individual packet The firewall is configured with a detailed set of rules that de...

Страница 315: ...e firewall distribu tion is based on a mathematical hash of the IP source and destination addresses For more information about basic FWLB see Basic FWLB on page 316 n Four Subnet FWLB for larger netwo...

Страница 316: ...erver on the internal net work for each incoming request The same process is used for outbound server responses a redirection filter on the clean side Web switch splits the traffic and static routes f...

Страница 317: ...am For instance the first static route will lead to an IP interface on the clean side Web switch using the first firewall as the next hop A second static route will lead to a second clean side IP inte...

Страница 318: ...P addresses Each IP address represents an IP interface on a different subnet on the dirty side Web switch 8 Outbound traffic is routed to the firewalls Static routes are configured on the clean side s...

Страница 319: ...oad balanced Each must be on a different subnet cfg ip if 1 Select IP interface 1 IP Interface 1 addr 192 16 12 1 Set address for switch management IP Interface 1 mask 255 255 255 0 Set subnet mask fo...

Страница 320: ...P source destination address pairs flows through the same firewall This ensures that sessions established by the firewalls are main tained for their duration NOTE Other load balancing metrics such as...

Страница 321: ...ds to clean side IF 3 10 1 4 1 through the second firewall 10 1 2 10 as its gateway 12 Apply and save the configuration changes Layer 4 cfg slb filt 10 Select filter 10 Filter 10 sip any From any sour...

Страница 322: ...interface 1 IP Interface 1 addr 20 1 1 1 Set the IP address for interface 1 IP Interface 1 mask 255 255 255 0 Set subnet mask for interface 1 IP Interface 1 ena Enable IP interface 1 IP Interface 1 if...

Страница 323: ...s on the network Real server group 1 health icmp Select ICMP as health check type Real server group 1 metric hash Select SLB hash metric for group 1 Real server group 1 cfg slb on Real server group 1...

Страница 324: ...r group 1 Real server group 200 add 2 Select real server 2 to group 200 Real server group 200 add 3 Select real server 3 to group 200 Real server group 200 port 4 server ena SLB port 4 port 5 server e...

Страница 325: ...ds to dirty side IF 2 10 1 1 1 through the first firewall 10 1 3 10 as its gateway and one that leads to dirty side IF 3 10 1 2 1 through the second firewall 10 1 4 10 as its gateway NOTE Configuring...

Страница 326: ...etwork failover Nor mally the interswitch link between the primary and secondary Web switches is configured on port 9 of the Web switch However the interswitch links may trunked together with multiple...

Страница 327: ...milar to basic FWLB a redirection filter splits traffic into multiple streams which are routed through the available firewalls to the primary clean side Web switch Just as with the basic method four s...

Страница 328: ...through a different firewall Although other load balancing metrics can be used in some configurations see Free Metric FWLB on page 346 the distribution of traffic within each stream is normally based...

Страница 329: ...itches with VRRP support settings n Configure FWLB groups and redirection filters on the primary dirty side Web switch n Configure and synchronize VRRP on the primary dirty side Web switch n Configure...

Страница 330: ...c each firewall must be configured with a static route to the clean side virtual server using the VIR in its clean side subnet as the next hop For outbound traffic each firewall must use the VIR in it...

Страница 331: ...ed for routing traffic through the top firewall IF 3 will be used for routing traffic through the lower firewall To avoid confusion IF 2 and IF 3 will be used in the same way on all Web switches NOTE...

Страница 332: ...used on all Web switches whenever routing through the top firewall and IF 3 is being used on all Web switches whenever routing through the lower fire wall The static route add command uses the follow...

Страница 333: ...b switch 3 Turn STP off for the secondary dirty side Web switch 4 Configure static routes on the secondary dirty side Web switch 5 Apply and save your configuration cfg vlan 2 add 2 add 9 ena cfg ip i...

Страница 334: ...des the firewall port and interswitch connection port VLAN 4 includes the port that attaches to the real servers 2 Configure IP interfaces on the primary clean side Web switch 3 Turn STP off for the p...

Страница 335: ...ewall 2 using clean side IF 3 Again the static route add command uses the following format add destination address dest mask gateway address source interface This example requires the following static...

Страница 336: ...secondary clean side Web switch 5 Apply and save your changes cfg ip if 1 mask 255 255 255 0 addr 10 10 4 11 vlan 4 ena if 2 mask 255 255 255 0 addr 10 10 3 11 vlan 3 ena if 3 mask 255 255 255 255 ad...

Страница 337: ...ured with the primary as its peer Once this is done the secondary Web switch will get the remainder of its configuration from the pri mary when synchronized in a later step In this example the seconda...

Страница 338: ...ver routing through the top firewall and IF 3 on all Web switches whenever routing through the lower firewall Therefore the first address will represent the primary clean side IF 2 and the second repr...

Страница 339: ...ents local traffic from being redirected n Filter 20 prevents VRRP traffic and other multicast traffic on the reserved 224 0 0 0 24 network from being redirected n Filter 224 redirects the remaining t...

Страница 340: ...e primary dirty side Web switch 5 Apply and save your configuration changes 6 Synchronize primary and secondary dirty side Web switches cfg vrrp on vr 1 vrid 1 Configure virtual router 1 addr 195 1 1...

Страница 341: ...re added to the group The two addresses are the inter faces of the dirty side Web switch and are configured as if they are real servers NOTE Remember that IF 2 is used on all Web switches whenever rou...

Страница 342: ...20 rip 10 10 4 20 Set IP address of real server 20 ena Enable real 21 Select real server 21 rip 10 10 4 21 Set IP address of real server 21 ena Enable real 22 Select real server 22 rip 10 10 4 22 Set...

Страница 343: ...e port attaching to the real servers n Filter 10 prevents local traffic from being redirected n Filter 20 prevents VRRP traffic from being redirected n Filter 224 redirects the remaining traffic to th...

Страница 344: ...ubnet attached to the real servers and one for the subnet attached to the firewalls A third virtual router is required for the virtual server used for optional SLB cfg vrrp on vr 1 vrid 3 addr 10 10 4...

Страница 345: ...n 345 212777 A February 2002 5 Configure the peer on the primary clean side Web switch 6 Apply and save your configuration changes 7 Synchronize primary and secondary dirty side Web switches cfg slb...

Страница 346: ...se free metric FWLB in this network the following configuration changes are necessary 1 On the clean side Web switch enable RTS on the ports attached to firewalls ports 2 and 3 2 On the dirty side Web...

Страница 347: ...Four Subnet FWLB Example Network group 1 metric metric type Subnet 1 VLAN 1 195 1 1 0 24 Subnet 2 VLAN 2 10 10 2 0 24 Subnet 3 VLAN 3 10 10 3 0 24 Subnet 4 VLAN 4 10 10 4 0 24 Dirty Side Clean Side I...

Страница 348: ...rs ports 4 but make sure filter processing is enabled To view the original redirection filters that were configured for the four subnet example see Step 3 on page 343 On both clean side switches 3 On...

Страница 349: ...ypi cal firewall load balancing configuration with a DMZ is shown in Figure 13 10 Figure 13 10 Typical Firewall Load Balancing Topology with DMZ The DMZ servers can be attached to the Web switch direc...

Страница 350: ...filt 80 Select filter 80 Filter 80 sip any From any source IP address Filter 80 dip 205 178 29 0 To the DMZ base destination Filter 80 dmask 255 255 255 0 For the range of DMZ addresses Filter 80 pro...

Страница 351: ...b switch stops routing traffic to that IP interface and instead distributes it across the remaining healthy Web switch IP interfaces and firewalls When a Web switch IP interface is in the Server Faile...

Страница 352: ...ilter as the last filter after the redirect all filter to force the HTTP health checks to activate as shown below NOTE Make sure that the number of each real filter is lower than the number of the dum...

Страница 353: ...ows the switch to load balance simultaneously up to 255 VPN devices The switch records from which VPN server a session was initiated and ensures that the traffic returns back to the same VPN server fr...

Страница 354: ...ough a particular VPN must traverse the same VPN as it egresses back to the client Traffic ingressing from the Internet is usually addressed to the VPNs with the real destination encrypted inside the...

Страница 355: ...the session table and forwards the packet to VPN device 1 The selection of the VPN device is based on the hash load balancing metric 4 The VPN device strips the IP header and decrypts the encrypted I...

Страница 356: ...urn to Sender RTS feature on the ports attached to the VPN devices using the following command VPN Load Balancing Configuration Example The following example uses Alteon Web switches for VPN load bala...

Страница 357: ...g sys bootp dis cfg vlan 2 ena def 7 8 cfg stp off cfg ip if 1 ena Select IP interface 1 and enable IP Interface 1 mask 255 255 255 0 Set subnet mask for interface 1 IP Interface 1 addr 30 0 0 10 Set...

Страница 358: ...Virtual Router Redundancy Protocol vr 1 Select virtual router 1 menu VRRP Virtual Router 1 ena Enable the virtual router VRRP Virtual Router 1 vrid 1 Assign virtual router ID 1 VRRP Virtual Router 1 i...

Страница 359: ...1 Real server 1 rip 10 0 0 10 Assign IP address for real server 1 Real server 1 real 2 ena Enable SLB for real server 2 Real server 2 rip 10 0 0 11 Assign IP address for real server 2 Real server 2 re...

Страница 360: ...ed 5 Configure routes for each of the IP interfaces you configured in Step 4 using the VPN devices as gateways One static route is required for each VPN device being load balanced cfg sys bootp dis cf...

Страница 361: ...30 0 0 50 VRRP Virtual Router 1 share dis VRRP Virtual Router 1 track vrs ena VRRP Virtual Router 1 Priority Tracking cfg vrrp vr 2 VRRP Virtual Router 2 ena VRRP Virtual Router 2 vrid 2 VRRP Virtual...

Страница 362: ...static routes for each of the IP interfaces you configured in Step 4 using the VPN devices as gateways One static route is required for each VPN device being load balanced SLB port 8 port 1 filter en...

Страница 363: ...outer 1 Priority Tracking vrs ena VRRP Virtual Router 1 Priority Tracking ports ena VRRP Virtual Router 1 Priority Tracking cfg vrrp vr 2 VRRP Virtual Router 2 ena VRRP Virtual Router 2 vrid 2 VRRP Vi...

Страница 364: ...le firewall load balancing This filter will redirect inbound traffic redirecting it among the defined real servers in the group 13 Add filters to the ingress port 14 Apply and save the configuration a...

Страница 365: ...figure routes for each of the IP interfaces you configured in Step 4 cfg sys bootp dis cfg vlan 2 ena def 7 8 cfg stp off cfg ip if 1 ena mask 255 255 255 0 addr 192 168 10 11 cfg ip if 2 ena mask 255...

Страница 366: ...eal server group and place real servers 1 4 into the real server group cfg vrrp on cfg vrrp vr 1 ena vrid 1 if 1 addr 192 168 10 50 share dis track vrs ena ports ena cfg vrrp vr 2 ena vrid 2 if 2 addr...

Страница 367: ...ble firewall load balancing This filter will redirect inbound traffic among the defined real servers in the group 12 Add filters to the ingress port 13 Apply and save the configuration and reboot the...

Страница 368: ...n page 368 Figure 14 3 Checkpoint Rules for Both VPN Devices as Seen in the Policy Editor 1 Disconnect the cables cause failures to change the available servers that are up This should change the VRRP...

Страница 369: ...mote client on the dirty side of the network 2 Add a new site 3 Enter the policy server IP address 192 168 10 120 You have the option of adding a nickname 4 Launch a browser such as Netscape or Intern...

Страница 370: ...rypted traffic To verify that the FWLB and hash metric is working correctly on the dirty side switches that is hashed on client IP address Destination IP address you can configure your current client...

Страница 371: ...he following topics n Overview on page 372 n Content Intelligent Server Load Balancing on page 375 n Content Intelligent Web Cache Redirection on page 394 n Exclusionary String Matching for Real Serve...

Страница 372: ...istics and so on Figure 15 1 illustrates the process of content intelligent switching in the Web switch Figure 15 1 Content Intelligent Load Balancing Example Client requests a Web page 1 Requests for...

Страница 373: ...on one from the client to the Web switch and the second from the Web switch to the selected server The Web switch must modify the TCP header including performing TCP sequence number translation and re...

Страница 374: ...be extended over multiple lines by preceding each extra line with at least one space Some customer applications of HTTP header inspection are listed below n Redirection based on domain name n Cachabil...

Страница 375: ...rformance Content dis persion can be optimized by making load balancing decisions on the entire path and filename of each URL NOTE Both HTTP 1 0 and HTTP 1 1 requests are supported For URL matching yo...

Страница 376: ...vers in the server pool n Define an IP interface on the switch n Define each real server n Define a real server group and set up health checks for the group n Define a virtual server on virtual port 8...

Страница 377: ...uct b gif images company a gif images testing c jpg The server will not handle these requests company images b gif product images c gif testing images a gif Example 2 String without the Forward Slash...

Страница 378: ...d balancing 6 Add the defined string s to the real server using the following command where ID is the identification number of the defined string NOTE If you don t add a defined string or add the defi...

Страница 379: ...AM and configuring a Proxy IP address on the client port port mapping for URL load balancing can be performed 9 Enable URL based SLB on the virtual server s Statistics for URL Based Server Load Balanc...

Страница 380: ...equest sent to an origin server not a proxy server is a partial URL instead of a full URL An example of the request that the origin server would see as follows GET products 180 HTTP 1 0 User agent Moz...

Страница 381: ...ver on the switch 2 www company a com and www company b com are defined as URL strings 3 Server Group 1 is configured with Servers 1 through 8 Servers 1 through 4 belong to www company a com and Serve...

Страница 382: ...re your network for server load balancing see Server Load Balancing on page 117 2 Turn on URL parsing for the virtual server for virtual hosting 3 Define the host names 4 Configure the real server s t...

Страница 383: ...n Identify a user group and redirect them to a particular server n Serve content based on user identity n Prioritize access to scarce resources on a Web site n Provide better services to repeat custom...

Страница 384: ...ure your network for SLB see Chapter 6 Server Load Bal ancing 2 Turn on URL parsing for the virtual server where sid cookie name 1 offset the starting position of the value to be used for hashing 6 le...

Страница 385: ...it will be forwarded to Real Server 4 since it does not have an exact cookie match matches with any configured at Real Server 4 4 Configure the real server s to handle the appropriate load balance st...

Страница 386: ...an IP address to each of the real servers in the server pool n Define an IP interface on the switch n Define each real server n Assign servers to real server groups n Define virtual servers and servi...

Страница 387: ...sh is selected as the load balancing algorithm the switch hashes the source IP address to select the server for SLB Under this condition the switch may not send Web requests for the same origin server...

Страница 388: ...er n Assign servers to real server groups n Define virtual servers and services n Configure load balancing algorithm for hash or minmiss n Enable SLB For information on how to configure your network f...

Страница 389: ...f the real servers in the server pool n Define an IP interface on the switch n Define each real server n Assign servers to real server groups n Define virtual servers and services For information on h...

Страница 390: ...s extracted from the query processed by the regular expressions engine and the request is sent to the appropriate real server For example Figure 15 4 shows a DNS server farm load balancing DNS queries...

Страница 391: ...on how to configure your network for SLB see Chapter 6 Server Load Balancing n Define server port and client port 2 Enable DNS load balancing 3 Enable delayed binding 4 Define the host names 5 Apply...

Страница 392: ...content In addition to hashing Web OS 10 0 allows you to segregate the requests based on the string pattern match the strings in the requests and direct the requests to the assigned servers For more i...

Страница 393: ...URL string ID Add URL string ID for example g2video rm cfg slb layer7 slb Server Load Balance Resource rem URL string ID Remove URL string ID g2video rm cfg slb layer7 slb Server Load Balance Resource...

Страница 394: ...ecial request with respect to caching such as to guar antee up to date data from the origin server If this feature Cache Control no cache directive is enabled HTTP 1 1 GET requests are forwarded direc...

Страница 395: ...NOTE Both HTTP 1 0 and HTTP 1 1 requests are supported Each request is examined and handled as described below n If the request is a non GET request such as HEAD POST PUT or HTTP with cookies it is no...

Страница 396: ...IN directory o SHTML scripted html o Microsoft HTML extension files htx o executable files exe n Dynamic URL parameters Figure 15 5 URL Based Web Cache Redirection Requests matching the URL are load b...

Страница 397: ...the IP address of the Web cache and the destination MAC address is replaced by the MAC address of the Web cache Both the IP address and the MAC address of the source remain unchanged n Full NAT In thi...

Страница 398: ...che server or the origin server c Enable disable cache redirection of requests that contain cookie in the HTTP header o Ena The switch redirects all requests that contain cookie in the HTTP header to...

Страница 399: ...ests images product b gif images company a gif images testing c jpg The server will not handle these requests company images b gif product images c gif testing images a gif Example 2 String without th...

Страница 400: ...where ID is the identification number of the defined string The server can have multiple defined strings For example images sales gif With these defined strings the server can handle requests that beg...

Страница 401: ...number dip any To any destination IP addresses Filter filter number proto tcp For TCP protocol traffic Filter filter number sport any From any source port Filter filter number dport http To an HTTP de...

Страница 402: ...fault filter Filter filter number sip any From any source IP addresses Filter filter number dip any To any destination IP addresses Filter filter number proto any For any protocol traffic Filter filte...

Страница 403: ...servers in the server pool n Define an IP interface on the switch n Define each real server n Assign servers to real server groups n Define virtual servers and services 2 Turn on URL parsing for the f...

Страница 404: ...r of the defined string NOTE If you don t add a defined string or add ID 1 the server will handle any request 8 If Host header filtering is enabled Step 3 you can configure the switch to use the host...

Страница 405: ...interface on the switch n Define each real server n Assign servers to real server groups n Define virtual servers and services 2 Turn on URL parsing for the filter 3 Enable header load balancing for U...

Страница 406: ...header if present up to a maximum of 255 bytes You can optimize cache hits by using the hashing algorithm to redirect client requests going to the same page of an origin server to a specific cache ser...

Страница 407: ...n the switch uses the source IP address as the hash key Example 1 Hashing on the URL In this example URL hashing is enabled If the Host field does not exist the specified length of the URL is used to...

Страница 408: ...lient 3 request http www nortelnetworks com is directed to cache server 1 Example 3 Hashing on the Source IP address In this example URL hashing is disabled Because the host header field does not exis...

Страница 409: ...file extensions that will bypass RTSP streaming cache redirection This is the user defined non cacheable content You can add or remove RTSP files like mov smil rm and so forth 3 Assign the url string...

Страница 410: ...ings that are added to that real server This means you cannot configure a dedicated server to receive a certain string and at the same time have it exclude other URL strings The exclu sionary feature...

Страница 411: ...e 5 Assign the URL string ID to the real server 6 Enable the exclusionary string matching option If you configured a string any and enabled the exclusion option the server will not handle any requests...

Страница 412: ...ing is a list of standard regular expression special characters that are supported in Web OS Use the following rules to describe patterns for string matching n Supports one layer of parenthesis n Supp...

Страница 413: ...mple html htm appears as html htm n Incorrectly or ambiguously formatted regular expressions are rejected instantly For exam ple o where a or follows a special character like the o A single or sign o...

Страница 414: ...hash and Header hash are used in combination with Host Cookie or Browser content types For example the following types of load balancing can be configured using the Content Prece dence Lookup feature...

Страница 415: ...r the URL string is examined next o If a request from a client contains no Host Header but has a URL string such as gold the request is load balanced among Server 1 or Server 3 o If a request from a c...

Страница 416: ...ficient use of their server resources they separate their servers into two groups using their fastest servers to process dynamic content such as cgi files and their slower servers to process all stati...

Страница 417: ...switch examines the HTTP content of the incoming client request for the matching string pattern If the matching virus pattern is found then the packet is dropped and a reset frame is sent to the offen...

Страница 418: ...ing HTTP URL request to be blocked 3 Apply and save the configuration 4 Identify the IDs of the defined strings Number of entries four 5 Select the filter and enable the filter action to deny 6 Enable...

Страница 419: ...ter to the port Filter 1 Advanced l7deny Select the Layer 7 deny menu Filter 1 Advanced L7deny ena Enable Layer 7 deny filter Filter 1 Advanced L7deny addstr 1 Add the code red virus string Filter 1 A...

Страница 420: ...Web OS 10 0 Application Guide 420 n Chapter 15 Content Intelligent Switching 212777 A February 2002...

Страница 421: ...se of cookie persistence provides a mech anism for inserting a unique key for each client of a virtual server This feature is only used in nonsecure socket layer non SSL connections This section discu...

Страница 422: ...aracteristics source IP address cook ies and Secure Sockets Layer SSL session ID Using Source IP Address Until recently the only way to achieve TCP IP session persistence was to use the source IP addr...

Страница 423: ...e feature solves the proxy server problem and gives better load distribution at the server site In the Web switch cookies are used to route client traffic back to the same physical server to maintain...

Страница 424: ...a key that associates the user with additional state data that is kept on the server such as a shopping cart and its contents In a more complex application the cookie may be encoded so that it actuall...

Страница 425: ...fter the browser has been shut down A temporary cookie is only valid for the current browser session Similar to a SSL Ses sion based ID the temporary cookie expires when you shut down the browser Base...

Страница 426: ...mode Passive Cookie Mode on page 428 using a temporary cookie The switch mathematically calculates the cookie value using a hash algorithm to determine which real server should receive the request n...

Страница 427: ...a request to visit the Web site The Web switch performs load balancing and selects a real server The real server responds without a cookie The Web switch inserts a cookie and forwards the new request...

Страница 428: ...mporary cookies However you can use this mode for permanent cookies if the server is embedding an IP address The following figure shows passive cookie mode operation Figure 16 3 Passive Cookie Mode Su...

Страница 429: ...r An additional eight bytes must be reserved if you are using cookie based persistence with Global Server Load Bal ancing GSLB NOTE Rewrite cookie mode only works for cookies defined in the HTTP heade...

Страница 430: ...ad Balancing on page 117 2 Either enable Direct Access Mode DAM or disable DAM and specify proxy IP address es on the client port s n Enable DAM for the switch n Disable DAM and specify proxy IP addre...

Страница 431: ...nabled for service 80 HTTP Once you specify cookie as the mode of persistence you will be prompted for the following parameters n Cookie based persistence mode insert passive or rewrite n Cookie name...

Страница 432: ...expi ration timer The expiration timer specifies a date string that defines the valid life time of that cookie The expiration timer for insert cookie can be of the following types n Absolute timer The...

Страница 433: ...websystems com Cookie UID 87654321 n Look for the cookie in the HTTP header The last parameter in this command answers the Look for cookie in URI prompt If you set this parameter to disable the Web sw...

Страница 434: ...ur bytes This uses 789a as a hashing key n Using wildcards for selecting cookie names With this configuration the switch will look for a cookie name that starts with ASPSES SIONID ASPSESSIONID123 ASPS...

Страница 435: ...t with this cookie will be directed to the same real server n Rewrite server cookie with the encrypted real server IP address and virtual server IP address If the cookie length is configured to be 16...

Страница 436: ...cookie a few responses later In order to achieve cookie based per sistence in such cases Web OS 10 0 allows the network administrator to configure the switch to look through multiple HTTP responses f...

Страница 437: ...er configurable How SSL Session ID Based Persistence Works n All SSL sessions that present the same session ID 32 random bytes chosen by the SSL server will be directed to the same real server NOTE Th...

Страница 438: ...ns from Client 1 with the same SSL session ID are directed to Server 1 Figure 16 5 SSL Session ID Based Persistence 5 Client 2 appears to the switch to have the same source IP address as Client 1 beca...

Страница 439: ...a virtual server on the virtual port for HTTPS for example port 443 and assign a real server group to service it n Enable SLB on the switch n Enable client processing on the port connected to the cli...

Страница 440: ...Web OS 10 0 Application Guide 440 n Chapter 16 Persistence 212777 A February 2002...

Страница 441: ...on critical traffic Traffic classification can be based on user or application information BWM policies can be configured to set lower and upper bounds on the bandwidth allocation The following topics...

Страница 442: ...ertain frames are grouped together n A bandwidth policy specifying usage limitations to be applied to these frames NOTE At any given time up to 1024 contracts can be created for a single Alteon AD4 or...

Страница 443: ...ended when Bandwidth Management is enabled n Bandwidth management occurs on the egress port of the switch that is the port from which the frame is leaving However in the case of multiple routes or tru...

Страница 444: ...co location provider could charge a customer for bandwidth utilization There are three rates that are configured a Committed Information Rate CIR Reserved Limit a Soft Limit and a Hard Limit as descr...

Страница 445: ...sure that the sum of all committed informa tion rates never exceeds the link speeds associated with ports on which the traffic is transmitted In a case where the total CIRs exceed the out bound port b...

Страница 446: ...to reduce the queue depth or the hard limit is reached If the data cannot be transmitted at the soft limit then the rate is adjusted downward until the data can be trans mitted or the CIR is hit If th...

Страница 447: ...cified IP destination address or range of addresses defined with a subnet mask n Switch services on the virtual servers The following are various Layer 4 groupings o A single virtual server o A group...

Страница 448: ...lows 1 Layer 7 applications for example URL HTTP headers cookies and so forth 2 Layer 4 services on the virtual server 3 Filter 4 VLAN 5 Source Port Default Assignment Bandwidth Classification Configu...

Страница 449: ...d on URLs gives Web site managers the following capabilities n Ability to allocate bandwidth based on the type of request The switch allocates bandwidth based on certain strings in the incoming URL re...

Страница 450: ...0 Application Guide 450 n Chapter 17 Bandwidth Management 212777 A February 2002 Figure 17 4 URL Based Bandwidth Management Figure 17 5 URL Based Bandwidth Management with Web Cache Redirection Cache...

Страница 451: ...ers to prevent network abuse by bandwidth hog ging users Using this feature bandwidth can be allocated by type of user or other user specific information available in the cookie Cookie based bandwidth...

Страница 452: ...ss has been set up cfg bwm user To obtain graphs the data must be collected and pro cessed by an external entity through SNMP or through e mailed logs History is maintained only for the contracts for...

Страница 453: ...t basis using the wtos option under the contract menu cfg bwm cont x wtos to enable disable overwriting IP TOS The actual values used by the switch for overwriting TOS values depending on whether traf...

Страница 454: ...on For more information about SLB configuration see Server Load Balancing on page 117 2 Enable BWM on the switch NOTE If you purchased the Bandwidth Management option make sure you enable it by typ in...

Страница 455: ...e packet size NOTE Keep in mind that the total buffer limit for the Bandwidth Management policy is 128K 7 On the switch select a BWM contract and optional a name for the contract Each contract must ha...

Страница 456: ...ch apply and verify the configuration Examine the resulting information If any settings are incorrect make any appropriate changes 14 On the switch save your new configuration changes 15 On the switch...

Страница 457: ...ng dial up customers n Customers from the same hosting facility locking out each other because of flash crowd n FTP from locking out Telnet n Rate limit particular applications In the following exampl...

Страница 458: ...e bandwidth policy for this contract Each BWM contract must be assigned a bandwidth policy 10 Enable this BWM contract Policy 1 cfg bwm cont 1 Select BWM contract 1 BWM Contract 1 name dial up Assign...

Страница 459: ...he resulting information If any settings are incorrect make any appropriate changes 13 On the switch save your new configuration changes 14 On the switch check the BWM information Check that all BWM c...

Страница 460: ...f the real servers in the server pool n Define an IP interface on the switch n Define each real server n Define a real server group n Define a virtual server n Define the port configuration For more i...

Страница 461: ...e bandwidth policy for this contract Each BWM contract must be assigned a bandwidth policy 11 Enable this BWM contract BWM Contract 1 pol 1 Assign policy 1 to BWM contract 1 BWM Contract 1 ena Enables...

Страница 462: ...rmation If any settings are incorrect make the appropriate changes 14 On the switch save your new configuration changes 15 On the switch check the bandwidth management information Check that all BWM c...

Страница 463: ...agement is to assign a contract to each defined string This allocates a percentage of bandwidth to the string or URL containing the string To configure the switch for URL based bandwidth management pe...

Страница 464: ...itch or configure a proxy IP address on the client port NOTE If VMA is enabled and you are using a proxy IP address you need to configure proxy IP addresses on ports 1 through 8 To turn on DAM To turn...

Страница 465: ...Cookie Based Bandwidth Management Example In this example you will assign bandwidth based on cookies First configure cookie based server load balancing which is very similar to URL based load balanci...

Страница 466: ...on the client port NOTE If VMA is enabled you need to configure a unique proxy IP address for each port 1 8 To turn on DAM To turn off DAM and configure a Proxy IP address on the client port NOTE By e...

Страница 467: ...467 Figure 17 7 Cookie Based Preferential Services The configuration to support this scenario is similar to Scenario 1 Note the following 1 Configure the string and assign contracts for the strings an...

Страница 468: ...h real server n Define a real server group n Define a virtual server n Define the port configuration NOTE Ensure BWM is enabled on the switch cfg bwm on 2 Select a bandwidth policy Each policy must ha...

Страница 469: ...the switch save your new configuration changes 11 On the switch check the BWM information Check that all BWM contract parameters are set correctly If necessary make any appropriate configuration chan...

Страница 470: ...Web OS 10 0 Application Guide 470 n Chapter 17 Bandwidth Management 212777 A February 2002...

Страница 471: ...n be any value represented by a 8 bit value in the IP header adherent to the IP specification for example TCP UDP OSPF ICMP and so on Real Server Group A group of real servers that are associated with...

Страница 472: ...rfaces on the Alteon Web switches must be in a VLAN If there is more than one VLAN defined on the Web switch then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP inter...

Страница 473: ...r stop advertising the backup will take over ownership of the VRRP IP and MAC addresses as defined by the specification The switch announces this change in ownership to the devices around it by way of...

Страница 474: ...Web OS 10 0 Application Guide 474 n Glossary 212777 A February 2002...

Страница 475: ...redirection example 204 to 215 authenticating in OSPF 80 authoritative name servers 291 autonomous systems AS 73 B backup servers 135 bandwidth management 449 to 450 burst limit 453 classification pol...

Страница 476: ...sk destination mask for filtering 178 Domain Name System DNS filtering 185 188 Global SLB diagram 291 load balancing layer 4 151 load balancing layer 7 390 round robin 118 dport filtering option 186 2...

Страница 477: ...utes OSPF 82 hostname for HTTP health checks 231 299 hot standby redundancy 256 configuration 275 HTTP application health checks 231 redirects Global SLB option 292 HTTP header hashing 389 HTTP URL re...

Страница 478: ...t connections SLB Real Server metric 132 limiting TCP sessions 179 lmask local route cache parameter 35 lnet local route cache parameter 35 load balancing DNS 151 390 FTP traffic 150 IDS traffic 163 l...

Страница 479: ...administrator account 105 user account 105 PDUs 48 persistence cookie based 424 multi reponse cookie search 436 SSL session ID based 437 to 439 persistent bindings 123 port sessions 286 PIP See proxie...

Страница 480: ...bility service 118 SCP services 108 script based health checks 225 to 229 searching for cookie 432 searching for cookies 432 SecurID 110 security filtering 170 185 firewalls 185 from viruses 170 layer...

Страница 481: ...0 T tagging See VLANs tagging TCP 171 188 189 health checking using 130 port 80 144 rate limiting 179 TCP UDP port numbers 139 TDT Theoretical Departure Times 446 Telnet 185 text conventions 23 Theore...

Страница 482: ...tive redundancy 255 active standby redundancy 254 hot standby redundancy 256 inter switch port states 257 overview 248 261 synchronization 277 synchronizing configurations 257 virtual interface router...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды