2005 Operator Training Material (Part 2): pds15.egloos.com/pds/200907/23/98/alteon_switch.pdf
Alteon Switch Operator Training
- Alteon switch
- Alteon switch product family
- Understanding Server Load Balancing
- Server Load Balancing operation and configuration
- Troubleshooting Guide
- Alteon switch product family
Feature/Function
180e (AD3): eight 10/100/1000 Mbps ports; one 1000BASE-SX port; 2 MB of memory per port; 336K concurrent sessions; 8 Gbps backplane capacity
184 (AD4): nine 10/100/1000 Mbps ports; 4 MB of memory per port (1-8); 8 MB of memory on port 9; 512K concurrent sessions; 8 Gbps backplane capacity
WSM: 4 10/100 TX or Gig SX ports; 80 MB of memory; 512K concurrent sessions
AAS 2208: 8 10/100 Mbps ports; 2 Gigabit ports; 600K concurrent sessions; 16 Gbps backplane capacity
AAS 2216: 16 10/100 Mbps ports; 2 Gigabit ports; 1M concurrent sessions; 16 Gbps backplane capacity
AAS 2424: 24 10/100 Mbps ports; 4 Gigabit ports; 2M concurrent sessions; 16 Gbps backplane capacity
AAS 3408: 8 10/100/1000 Mbps ports; 8 Gigabit ports; 2M concurrent sessions; 16 Gbps backplane capacity
- Alteon 184
• Selectable 8 x 10/100 or 1000SX Ethernet ports
• One 100 or Gigabit Ethernet uplink on port 9
• 6 LEDs per port: Data, Link, Active
• Console port
• AC and DC power available
- Alteon Web switches
[Figure: Alteon Web switch architecture: 8 Gbps switch backplane; management module (RISC processors, memory, flash); switch ports, each with a WebIC containing memory, a forwarding engine and two RISC processors]
- Alteon Web switches
• WebIC: network processing ASIC with hardware-assisted forwarding engine and dual RISC processors
• Up to 20 RISC processors per switch
• Optimized for processing-intensive session services
• Separate centralized switch management processors
• Complete Layer 2-7 switching solution
• Comprised of the Alteon Web Switching Module for the Passport 8600
• Integrated platform provides a higher level of intelligent networking for LAN/WAN/MAN and data center requirements
• Lower total cost of ownership with L2-7 integration and device consolidation
Alteon Web Switching Module (WSM)
Passport 8600 L2-7 Intelligent Routing Switch
- Passport 8600 Routing Switch with Alteon Web Switching Module
- Alteon Application Switch Nomenclature
Alteon nn nn = Alteon Application Switch, series number (2 = Fast Ethernet, 3 = Gigabit Ethernet), port density, Gigabit uplink ports
AAS 2208 (8FE x 2GE)
AAS 2216 (16FE x 2GE)
AAS 2424 (24FE x 4GE)
AAS 3408 (12GE)
[Figure: front-panel port layouts: 2208 = 8 FE + 2 GE; 2216 = 16 FE + 2 GE; 2424 = 24 FE + 4 GE; 3408 = 4 1000TX only, 4 1000TX or GBIC choice, 4 GE]
- The four Alteon Application Switch models
- Alteon Application Switch 2424
[Figure: front panel with RJ45 auto 10/100 Fast Ethernet ports 1-24 (LEDs on each port), SFP GBICs 25-28 (1000Base-SX or 1000Base-LX with LC connectors), SFP LEDs, Power LED, Fan LED, DB9 console, RJ45 management port; 1-RU form factor]
- Alteon Application Switch 3408
[Figure: front panel with RJ45 auto 10/100/1000 Ethernet ports 1-8, SFP GBICs 9-12 (1000Base-SX or 1000Base-LX with LC connectors, optional copper or optical), SFP LEDs, Power LED, Fan LED, DB9 console, RJ45 management port; 1-RU form factor]
- Alteon Application Switch Inside
MP (Management Processor)
• On the AD/180 series, Management Processor and Management Port are synonymous
• On the Alteon 2000/3000 series, MP refers to the Management Processor and NOT the Management Port
• Health checking, start-up, configurations…
SP (Switch Processor)
• On the AD/180 series, Switch Processor and Switch Port are synonymous
• On the Alteon 2000/3000 series, SP refers to the Switch Processor, which is not the same as a Switch Port
• Layer 2 – 7 processing
M (Memory)
• 128 MB each of fast SDRAM (per SP)
• Total switch memory = 640 MB
[Figure: MP and SP1-SP4, each with its memory (M), connected by the VMA; Gigabit Ethernet ports and Gigabit or Fast Ethernet ports]
Architecture allows for flexibility in future software feature/application development
- Alteon Application Switch VMA (Virtual Matrix Architecture)
[Figure: eight port CPUs; client, server and unattached ports; packets labelled DA_X/SA_1/RIP_A, DA_X/SA_3/RIP_A, DA_Y/SA_2/RIP_B are hashed to CPUs]
• Memory at all ports pooled and utilized at all times
 – Session entries kept in memory local to designated CPUs
 – Global session table kept for cookie persistent sessions
 – All ports store all filtering/redirection policies
Performance of a distributed architecture with a centralized architecture's resource utilization
• CPUs at all ports actively share the L4-7 processing load
 – Each ingress packet is hashed to one of 8 ports for L4-7 processing
 – The hashing algorithm ensures even distribution of Internet traffic
 – Packets in the same session are always hashed to the same CPU
- Alteon Application Switch Performance
Model                                  2208(E)    2216(E)    2424-SSL(E)           2424(E)    3408(E)
Height (inches/RU)                     1.75/1     1.75/1     1.75/1                1.75/1     1.75/1
Integrated SSL VPN                     No         No         Yes                   No         No
Integrated SSL Acceleration (tps)**    No         No         Base: 300, Max: 1000  No         No
Layer 4 Performance (sessions/second)  20K*       40K*       >110K*                >110K*     >110K*
Layer 7 Performance (sessions/second)  15K*       30K*       >51K*                 >51K*      >51K*
Concurrent Sessions                    600K (1M)  1M (2M)    2M (4M)               2M (4M)    2M (4M)
Policy Filters                         2,048      2,048      2,048                 2,048      2,048
Real Server Support                    1,024      1,024      1,024                 1,024      1,024
Virtual Server Support                 1,024      1,024      1,024                 1,024      1,024
IP Routing Interfaces                  256        256        256                   256        256
Gigabit Ethernet Ports                 2          2          4                     4          4+4**
10/100 Ethernet Ports                  8          16         24                    24         4+4**
Total Ports                            10         18         28                    28         12
- Alteon Application Switch Applications
Server load balancing: Application LB; Global Server LB; Application health checks
Security pattern updates: Hauri virus patterns; Nortel P2P patterns; Bogon filter list
Advanced filtering: Layer 2-4 attributes; VLAN filtering; Accept, Deny, NAT, Redirect
Security services: basic DoS protection; application overuse; SSL VPN function
DPI: Layer 7 Deep Packet Inspection; ASCII and binary patterns provided; pattern grouping
Network device acceleration: Firewall/IDS LB; bidirectional VPN LB; WAN links; WAP gateways
Traffic management: bandwidth management; flow-based BWM
Management functions: detailed attack logging (source/destination IP and port, attack name); per-user session history tracking; traffic statistics
Application redirection: web sites; various caches; SSL appliances; streaming media; VPN
Layer 4-7 Application/Content Intelligence
OSI 7-layer model, protocol examples from the bottom layer up: Ethernet, IP, TCP, SSL, HTTP & URL patterns
Device examples: L2 devices such as Ethernet switches; L3 devices such as routers; servers/IDS; the application switch, an intelligent L2-7 device
- Application Switch Fundamentals
- SLB (Server Load Balancing): Understanding Server Load Balancing
• Traditional server load balancing methods
- Server load balancing using DNS round robin
[Figure: a client on the Internet requests www.abc.com; DNS answers www.abc.com = x, = y, = z in turn; servers X, Y, Z]
- SLB (Server Load Balancing)
[Figure: a client on the Internet requests www.abc.com; DNS answers www.abc.com = VIP; the switch's Virtual IP Address fronts real IP addresses R_IP 1, R_IP 2, R_IP 3, with health checking]
Server load balancing through L4
- The client enters a URL in the web browser and obtains an IP address from DNS (at L4 this is called the Virtual IP, VIP); through it the client connects to the L4 switch's virtual server.
- The HTTP request that reaches the virtual server is matched to the group of real servers mapped to the VIP.
- Matching to the server group is performed by one of the several distribution algorithms the L4 switch provides; choose the one that suits the site's characteristics.
- Alteon Application Switch WebOS Traffic Flow
• At each ingress port, if Layer 4 parameters are configured, traffic flow follows these three processes:
• Server – translates RIP to VIP, RPort to VPort and RMAC to VMAC
• Filter – fires filters and performs the associated action
• Client – translates VIP to RIP, VPort to RPort and VMAC to RMAC
- SLB (Server Load Balancing) - Terminology
[Figure: client on the Internet; Virtual IP Address (VIP); real server IP addresses (RIP); Group]
• Virtual IP Address (VIP)
 – Also called Virtual Server
 – Each VIP must have at least one service
 – Each VIP can support 8 services
• Real Servers
 – Can have public or private IP addresses
 – Must run a TCP/UDP service
 – Up to 1024 real servers can be configured (Version 10)
 – Can have maximum connections and timeout values assigned
• Groups
 – Support of up to 256 groups
 – A group can support 1024 real servers
 – Requires a health check metric
 – Requires a load balancing metric
- SLB (Server Load Balancing) - Terminology
[Figure: client (CIP, CMAC, CPORT) on the Internet -> switch (VMAC, VIP, VPORT) -> group (RMAC, RIP, RPORT)]
• VIP, VMAC, Vport – virtual server: IP address, MAC address, TCP/UDP port
• RIP, RMAC, Rport – real server: IP address, MAC address, TCP/UDP port
• CIP, CMAC, Cport – client: IP address, MAC address, TCP/UDP port
• PIP, PMAC, Pport – proxy: IP address, MAC address, TCP/UDP port
• Session – TCP connection, UDP session, IP flow
- SLB (Server Load Balancing) - Terminology
[Figure: client on the Internet -> client ports -> switch -> server ports -> servers; health check]
• Client ports
 - Switch ports on which client processing is applied
 - Assign each session to a server: translate VIP to RIP
• Server ports
 - Switch ports on which server processing is applied
 - Translate RIP to VIP
• Health Check
 - Periodically checks whether each server is functioning (http, tcp, ftp, icmp ...)
- SLB (Server Load Balancing)
• Client / Server processing
 – Changes DIP from VIP to real server IP and vice versa
 – Client processing also creates a session binding entry based on client SIP and Sport
Example (server 192.168.1.1, VIP 100.10.10.1):
 Client processing
  in:  SIP 200.20.20.1, DIP 100.10.10.1, DMAC = V-MAC
  out: SIP 200.20.20.1, DIP 192.168.1.1, DMAC = R-MAC
 Server processing
  in:  SIP 192.168.1.1, DIP 200.20.20.1, DMAC = DGW-MAC
  out: SIP 100.10.10.1, DIP 200.20.20.1, DMAC = C-MAC
- SLB (Server Load Balancing)
• Client Processing - translating the VIP (Virtual IP address) to the RIP (Real IP address)
 Flow at an ingress port: Client port? -> yes -> Session table: existing session entry?
  no  -> 1. Select server  2. Place entry in session table, then continue as for yes
  yes -> 1. Translate VMAC:VIP:Vport to RMAC:RIP:Rport  2. Forward to real server -> egress port
 Header translation, client side -> server side:
  Layer  Field  Clients  Server
  MAC    Src    C mac    C mac
  MAC    Dst    V mac    R mac
  IP     Src    C ip     C ip
  IP     Dst    V ip     R ip
  TCP    Src    2155     2155
  TCP    Dst    80       80
• Server Processing - translating the RIP (Real IP address) to the VIP (Virtual IP address)
 Flow at an ingress port: Server port? -> Filtering -> Service mapping table: frame IP SA and source UDP/TCP port match a configured RIP:Rport? -> yes -> Translate RIP:Rport to VIP:Vport
 Header translation, server side -> client side:
  Layer  Field  Server   Clients
  MAC    Src    R mac    V mac
  MAC    Dst    C mac    C mac
  IP     Src    R ip     V ip
  IP     Dst    C ip     C ip
  TCP    Src    80       80
  TCP    Dst    2155     2155
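The client and server processing flows above, as an added Python simulation (not Alteon switch code): client processing binds each new client SIP/Sport to a real server and rewrites VIP:Vport to RIP:Rport, server processing rewrites RIP:Rport back via the service mapping; the round-robin selection, the direct_access flag (server processing consults the session table first, as in the DAM slide later) and all names are assumptions of this example.

```python
from dataclasses import dataclass, field
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    sip: str      # source IP
    sport: int    # source TCP/UDP port
    dip: str      # destination IP
    dport: int    # destination TCP/UDP port


@dataclass
class SlbSwitch:
    vip: str
    vport: int
    reals: list                  # RIPs of the group, in configured order
    rport: int = 80
    direct_access: bool = False  # True: server processing checks the session table first
    session_table: dict = field(default_factory=dict)  # (CIP, Cport) -> RIP

    def __post_init__(self):
        self._rr = cycle(self.reals)  # round-robin metric (assumed for this example)

    def client_process(self, pkt):
        """Client port: VIP:Vport -> RIP:Rport; create a session binding on the first packet."""
        if (pkt.dip, pkt.dport) != (self.vip, self.vport):
            return pkt                        # not a configured service: forward untouched
        key = (pkt.sip, pkt.sport)
        rip = self.session_table.get(key)     # existing session entry?
        if rip is None:
            rip = next(self._rr)              # 1. select server
            self.session_table[key] = rip     # 2. place entry in session table
        return Packet(pkt.sip, pkt.sport, rip, self.rport)

    def server_process(self, pkt):
        """Server port: RIP:Rport -> VIP:Vport when the frame's IP SA and source port
        match the service mapping table (and, with direct access, a session entry)."""
        if pkt.sip not in self.reals or pkt.sport != self.rport:
            return pkt                        # no service mapping: forward untouched
        if self.direct_access and self.session_table.get((pkt.dip, pkt.dport)) != pkt.sip:
            return pkt                        # no session: the client reached the RIP directly
        return Packet(self.vip, self.vport, pkt.dip, pkt.dport)
```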
- SLB (Server Load Balancing) • Health Check
[Figure: R1_OK, R2_OK, R3_Fail]
• Health check types
 - ICMP
 - TCP - 3-way handshake (service port)
 - Content - HTTP
 - Application specific – RADIUS, SSL, POP, DNS etc.
 - Scripted – send sequence, expected response
• Health check parameters (real server)
 - Interval (default 2 sec)
 - Retry counts
 - Restore counts
 - etc.
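The retry and restore counts above, as an added Python example (not switch code): a real server is marked FAILED only after `retry` consecutive failed probes and returns to up only after `restore` consecutive successes, so one lost probe does not pull a server out of the group. Treating the counts as consecutive, the default values and the tcp_probe helper are assumptions of this example.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class RealServerHealth:
    """Health state of one real server driven by retry/restore counts (assumed semantics)."""
    name: str
    retry: int = 4        # consecutive failures before the server is marked FAILED
    restore: int = 2      # consecutive successes before it is marked up again
    up: bool = True
    fails: int = 0
    successes: int = 0
    transitions: list = field(default_factory=list)

    def observe(self, ok: bool) -> bool:
        """Record one probe result (one per health-check interval); return the new up/down state."""
        if ok:
            self.fails = 0
            self.successes += 1
            if not self.up and self.successes >= self.restore:
                self.up = True
                self.transitions.append("up")
        else:
            self.successes = 0
            self.fails += 1
            if self.up and self.fails >= self.retry:
                self.up = False
                self.transitions.append("FAILED")
        return self.up


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP health check: succeeds only if the 3-way handshake to the service port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(monitor: RealServerHealth, results):
    """Feed a sequence of probe outcomes and return the server state after each one."""
    return [monitor.observe(r) for r in results]
```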
- SLB (Server Load Balancing) • Load Balancing Metrics
• Load based:
 – Round Robin / Weighted Round Robin
 – Least Connections / Weighted Least Connections
 – Response Time
 – Bandwidth
• Persistent IP based:
 – Hash
 – Minimum Misses
 – SSL ID
 – Cookie
Options: Weights, Maxcon…
- SLB (Server Load Balancing) >> Load Balancing Metrics <<
• Round Robin load balancing
 - Sessions are assigned to the real servers in sequence
 - Weights and a maximum connection count can be applied
• LeastConns load balancing
 - Considers the number of open sessions on each real server and assigns the new session to the real server with the fewest open sessions
 - Useful where the real servers have different resources and the time and data volume per connection differ
- SLB (Server Load Balancing) >> Load Balancing Metrics <<
• Hash
 - Keeps a session persistent once it is established between a client and a server, so a given client always connects to the same server
 - The server for a connection is chosen by taking the client's 32-bit source IP address modulo the number of real servers
• Minimum Misses
 - Almost the same as the hash algorithm
 - Likewise chooses the server by the client's 32-bit source IP address modulo the number of real servers
 - However, this algorithm is recommended mainly for cache redirection
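The hash and minimum-misses metrics above, as an added Python example (not Alteon code). hash_select is the source-IP-modulo-server-count rule from the slide; minmisses_select is one way to obtain the minimum-miss property (hash over the configured list first, and rehash over the live servers only when the chosen one is down) and is an assumption of this example, not necessarily the switch's exact implementation. The comparison shows why the distinction matters for cache redirection: when one server fails, plain hashing over the remaining servers moves clients of healthy servers too.

```python
import ipaddress


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def hash_select(cip: str, servers: list) -> str:
    """Hash metric: 32-bit client source IP modulo the number of real servers."""
    return servers[ip_to_int(cip) % len(servers)]


def minmisses_select(cip: str, configured: list, live: list) -> str:
    """Minimum-misses style selection (assumed technique): hash over the configured
    list; only if that server is down, rehash over the live servers. Clients of
    healthy servers keep their server, so a failure causes the fewest cache misses."""
    first = hash_select(cip, configured)
    return first if first in live else hash_select(cip, live)


def remapped(clients: list, before: dict, after: dict) -> list:
    """Clients whose server changed between two mappings."""
    return sorted(c for c in clients if before[c] != after[c])


def failure_impact(clients: list, configured: list, failed: str) -> dict:
    """Compare how many clients move under each metric when `failed` goes down."""
    live = [s for s in configured if s != failed]
    before = {c: hash_select(c, configured) for c in clients}
    after_hash = {c: hash_select(c, live) for c in clients}
    after_mm = {c: minmisses_select(c, configured, live) for c in clients}
    return {
        "hash": remapped(clients, before, after_hash),
        "minmisses": remapped(clients, before, after_mm),
    }


if __name__ == "__main__":
    # Constructed sample: three real servers, six clients, server .12 fails
    group = ["10.1.1.11", "10.1.1.12", "10.1.1.13"]
    clients = ["10.1.1.%d" % i for i in range(1, 7)]
    print(failure_impact(clients, group, "10.1.1.12"))
```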
- SLB (Server Load Balancing) >> Load Balancing Metrics <<
• Bandwidth
 - Load balancing according to bandwidth usage
 - Sessions are connected first to the server using the least bandwidth
• Response Time
 - Load balancing according to response speed
 - Sessions are connected first to the server with the fastest response
- SLB (Server Load Balancing) • DAM (Direct Access Mode)
[Figure: client on the Internet; switch; real IP]
• When server processing runs, the switch assumes flows with an IP SA of a RIP are using a load-balanced service, and the IP SA is always translated from RIP to VIP without checking the session table
• This allows packets to enter one switch and leave on another and still be translated from RIP to VIP, e.g. Active - Active
• No direct access to the RIP is possible
• Otherwise, the RIP to VIP translation is not done automatically; it requires that the session table is checked first
- SLB (Server Load Balancing) • DSR (Direct Server Return)
[Figure: (1) client on the Internet -> switch -> (2) servers R_IP 1, R_IP 2, R_IP 3, each with a loopback interface = VIP; (3) server reply goes directly back to the client]
• To configure DSR on the Alteon switch:
 /cfg/slb/real 1/submac en
 /cfg/slb/virt 1/ser http/nonat en
- SLB (Server Load Balancing) • High Availability with VRRP
VRRP (Virtual Router Redundancy Protocol) - RFC 2338
- VRRP uses IP multicast to communicate on 224.0.0.18
- Uses a multicast MAC address (00-00-5E-00-01-02 for VRID = 2)
- Alteon extensions to VRRP support Layer 4 redundancy with virtual server routers (VSR), shared mode
[Figure: master (M) and backup (B) switches: (1) multicast updates between them; (2) client ARPs for the default gateway; (3) master answers the ARP; (4) path for traffic through the master]
- SLB (Server Load Balancing) • High Availability with VRRP: Active – Standby
- All switches actively perform load balancing and/or routing functions, but for different virtual services and/or interfaces
- SLB (Server Load Balancing) • High Availability with VRRP: Active – Hot Standby
- One master with one or more backups. Only the master processes layer 4 traffic
- STP is not needed to eliminate bridge loops (the hot-standby switch's ports are BLOCKING)
- SLB (Server Load Balancing) • High Availability with VRRP: Active – Active
- All switches can actively forward traffic for the same virtual services and/or interface
- SLB (Server Load Balancing) • Basic configuration and operation - CLI (Command Line Interface)
[Main Menu]
info   - Information Menu
stats  - Statistics Menu
cfg    - Configuration Menu
oper   - Operations Command Menu
boot   - Boot Options Menu
maint  - Maintenance Menu
diff   - Show pending config changes [global command]
apply  - Apply pending config changes [global command]
save   - Save updated config to FLASH [global command]
revert - Revert pending or applied changes [global command]
exit   - Exit [global command, always available]
- SLB (Server Load Balancing) • Basic configuration and operation: Administration Interfaces
- CLI (Command Line Interface): console (DB9), telnet
 /cfg/sys/tnet enable
- BBI (Browser-Based Interface)
 /cfg/sys/http enable, /cfg/sys/wport <port>
- SNMP: EMS
 /cfg/sys/snmp, /cfg/snmp
- RMON
- SLB (Server Load Balancing) • Basic configuration and operation - BBI (Browser-Based Interface)
- SLB (Server Load Balancing) • Basic configuration and operation - EMS (Alteon Element Management System)
• An intuitive, graphical configuration tool – Java based
• Client/server application – stand-alone client – Unix/Windows support
• Platform-less operation – optional use in an HP OpenView environment
- SLB (Server Load Balancing) • Basic configuration and operation - EMS (Alteon Element Management System)
Real-time statistical information graphing
- SLB (Server Load Balancing) • Basic configuration and operation
[Figure: client on the Internet via port 1; real servers 10.1.1.11~13 on ports 2, 3, 4; L4 switch IP 10.1.1.10/24; gateway 10.1.1.1/24; VIP 10.1.1.100, service http]
Step 1: L2, L3 and system configuration
1. Connect to the switch
 Enter password: admin (default)
2. Set the IP address of the switch
 /cfg/ip/if 1 (enter)
 mask 255.255.255.0 (enter)
 add 10.1.1.10 (enter)
 en (enter)   // enable
3. Set the gateway IP address
 /cfg/ip/gw 1 (enter)
 add 10.1.1.1
 en (enter)
4. Set telnet and http access
 /cfg/sys/tnet en (enter)
 /cfg/sys/http en (enter)
 apply (enter)
 save (enter)
- SLB (Server Load Balancing) • Basic configuration and operation
[Figure: client on the Internet via port 1; real servers 10.1.1.11~13 on ports 2, 3, 4; L4 switch IP 10.1.1.10/24; gateway 10.1.1.1/24; health check (icmp)]
Step 2: L2, L3 monitoring and information
1. /info/link
>> Main# /info/link
------------------------------------------------------------------
Port  Speed   Duplex  Flow Ctrl   Link
----- ------- ------- --TX---RX-- ------
1     100     full    yes   yes   up
2     100     full    yes   yes   up
3     100     full    yes   yes   up
4     100*    full*   no*   no*   up
5     10/100  any     yes   yes   down
6     10/100  any     yes   yes   down
7     10/100  any     yes   yes   down
* = value set by configuration; not autonegotiated.
2. Port speed setting (manual)
/cfg/port 24/fast/speed 100/mode full/auto off
Current port 24 speed setting: 10/100
Pending new speed setting: 100
Current port 24 mode setting: any
Pending new mode setting: full duplex
Current port 24 autonegotiation: on
Pending new autonegotiation: off
3. /info/l3/ip (/info/ip)
>> Information# /info/ip
Interface information:
1: 10.1.1.0 255.255.255.0 10.1.1.255, vlan 1, up
Default gateway information: metric strict
1: 10.1.1.1, vlan any, up
- SLB (Server Load Balancing) • Basic configuration and operation
[Figure: client on the Internet via port 1; group 1 with health check; real servers 10.1.1.11~13 on ports 2, 3, 4; L4 switch IP 10.1.1.10/24; VIP 10.1.1.100, service http]
Step 3: L4 SLB configuration
1. SLB on
 /cfg/slb/on
2. Real server configuration
 /cfg/slb/real 1/rip 10.1.1.11/en (enter)
 Current real server IP address: 0.0.0.0
 New pending real server IP address: 10.1.1.11
 /cfg/slb/real 2/rip 10.1.1.12/en (enter)
 /cfg/slb/real 3/rip 10.1.1.13/en (enter)
3. Group and health check configuration
 /cfg/slb/gr 1/add 1/add 2/add 3 (enter)
 Real server 1 added to real server group 1.
 Real server 2 added to real server group 1.
 Real server 3 added to real server group 1.
 /cfg/slb/gr 1/health http
 Current health check type: tcp
 New pending health check type: http
4. Group load balancing metric configuration
 /cfg/slb/gr 1/metric leastconns | roundrobin | minmisses | hash …
- SLB (Server Load Balancing) • Basic configuration and operation
[Figure: client on the Internet via port 1; group 1 with health check; real servers 10.1.1.11~13 on ports 2, 3, 4; L4 switch IP 10.1.1.10/24; gateway 10.1.1.1/24; VIP 10.1.1.100, service http]
Step 3: L4 SLB configuration
5. VIP, service port and group configuration
>> Main# /cfg/slb/virt 1/vip 10.1.1.100/en
Current virtual server IP address: 0.0.0.0
New pending virtual server IP address: 10.1.1.100
Current status: disabled
New status: enabled
>> Main# /cfg/slb/virt 1/service http
------------------------------------------------------------
[Virtual Server 1 http Service Menu]
group - Set real server group number
rport - Set real port
hname - Set hostname
. . . .
>> Virtual Server 1 http Service# gr 1
Current real server group: 1
New pending real server group: 1
- SLB (Server Load Balancing) • Basic configuration and operation
Step 3: L4 SLB configuration
6. Client and server processing configuration
>> Main# /cfg/slb/port 1/client en (enter)
Current client processing: disabled
New client processing: enabled
>> SLB port 1# /cfg/slb/port 2/server en (enter)
Current server processing: disabled
New server processing: enabled
>> SLB port 2# /cfg/slb/port 3/server en (enter)
>> SLB port 3# /cfg/slb/port 4/server en (enter)
[Figure: client on the Internet via port 1 (client side port); group 1, real servers 10.1.1.11~13 on ports 2, 3, 4 (server side ports); L4 switch IP 10.1.1.10/24; gateway 10.1.1.1/24]
- SLB (Server Load Balancing) • Basic configuration and operation
[Figure: client on the Internet via port 1; group 1, real servers 10.1.1.11~13 on ports 2, 3, 4; L4 switch IP 10.1.1.10/24; gateway 10.1.1.1/24; VIP 10.1.1.100, service http]
Step 4: L4 SLB monitoring and operation
1. VIP and real server health check monitor
Main# /info/slb/du
Real server state:
1: 10.1.1.11, 00:e0:00:8c:cd:18, vlan 1, port 2, health 4, up
2: 10.1.1.12, 00:e0:00:8c:cd:19, vlan 1, port 3, health 4, up
3: 10.1.1.13, 00:00:00:00:00:00, vlan 0, port 0, health 4, FAILED
Virtual server state:
1: 10.1.1.100, 00:60:cf:4b:04:6e
 virtual ports:
 http: rport http, group 1, backup none
 real servers:
 1: 10.1.1.11, backup none, 1 ms, up
 2: 10.1.1.12, backup none, 2 ms, up
 3: 10.1.1.13, backup none, 0 ms, FAILED
Redirect filter state:
Port state:
1: 0.0.0.0, client
2: 0.0.0.0, server
3: 0.0.0.0, server
4: 0.0.0.0, server
5: 0.0.0.0
6: 0.0.0.0
- SLB (Server Load Balancing) • Basic configuration and operation
[Figure: client on the Internet via port 1; group 1, real servers 10.1.1.11~13 on ports 2, 3, 4; L4 switch IP 10.1.1.10/24; gateway 10.1.1.1/24; VIP 10.1.1.100, service http]
Step 4: L4 SLB monitoring and operation
2. Group LB monitor
>> Main# /stat/slb/gr 1
------------------------------------------------------------------
Real server group 1 stats:
                                 Current   Total     Highest
     Real IP address             Sessions  Sessions  Sessions  Octets
---- --------------------------- --------- --------- --------- ---------------
1    10.1.1.11                   0         0         0         58320
2    10.1.1.12                   0         1         1         75884
---- --------------------------- --------- --------- --------- ---------------
                                 0         1         1         134204
3. Session table monitor
>> Main # /info/slb/se/du
4,1025: 10.1.1.1 1322 --> 10.1.1.12 80 age 10 E
- SLB (Server Load Balancing) • Basic configuration and operation
Step 4: L4 SLB monitoring and operation
4. Session table monitor
>> Main # /info/slb/sess/help
The fields, (1)-(13), associated with a session, as identified in the example below, are described in the following.
3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 3567 3.3.3.1 http age 6 f:10 ELNPSRtUW c:#
(1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13)
The same entry shown with the extra address field (7a):
3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 ELNPSRtUW c:#
(1) (2) (3) (4) (5) (6) (7a) (7) (8) (9) (10) (11) (12) (13)
------------------------------------------------------------------
(1) SP number: This field indicates which SP created the session.
(2) Ingress port: This field shows the physical port# of the client traffic that entered the switch.
(3) Source IP address: This field contains the source IP address from the client IP packet.
(4) Source port: This field identifies the TCP/UDP source port from the client packet.
(5) Destination IP address: This is the destination IP address from the client TCP/UDP packet. For load balancing, this address is the virtual IP address. For filtering redirect, this address is the destination server's address.
(6) Destination port: This field identifies the TCP/UDP destination port from the client packet.
(8) Real server IP address:
(9) Server port:
(10) Age: This is the session timeout value. If no packet is received within the value specified, the session is freed.
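A parser for the session dump lines shown in this step, as an added Python example (not an Alteon tool), with two checks an operator would run over the output: sessions still bound to a real server that /info/slb/dump reports FAILED, and clients holding more sessions than a threshold (the per-user session tracking listed under the switch's management functions). The line layout follows the `/info/slb/se/du` sample above; the sample dump, the FAILED server and the threshold are constructed for this example.

```python
import re
from collections import Counter

# Session line shape as printed by the dump on the page, e.g.
#   "4,1025: 10.1.1.1 1322 --> 10.1.1.12 80 age 10 E"
#   SP,ingress port: client IP, client port --> real server IP, server port, age, flags
SESSION_RE = re.compile(
    r"^\s*(?P<sp>\d+),\s*(?P<port>\d+):\s+(?P<cip>[\d.]+)\s+(?P<cport>\d+)\s+-->\s+"
    r"(?P<rip>[\d.]+)\s+(?P<rport>\d+)\s+age\s+(?P<age>\d+)\s*(?P<flags>\S*)\s*$"
)


def parse_session(line: str):
    """Return a dict for one session line, or None if the line is not a session entry."""
    m = SESSION_RE.match(line)
    if not m:
        return None
    s = m.groupdict()
    for k in ("sp", "port", "cport", "rport", "age"):
        s[k] = int(s[k])
    return s


def parse_dump(text: str) -> list:
    """Parse a whole dump, skipping the prompt, headers and anything that is not a session line."""
    return [s for s in (parse_session(line) for line in text.splitlines()) if s]


def sessions_per_client(sessions: list) -> Counter:
    return Counter(s["cip"] for s in sessions)


def bound_to_failed(sessions: list, failed_rips: set) -> list:
    """Sessions still bound to a real server that the health check reports as FAILED."""
    return [s for s in sessions if s["rip"] in failed_rips]


def audit(text: str, failed_rips: set, max_per_client: int) -> dict:
    """Summarise a dump: total sessions, stale bindings, and clients above the session threshold."""
    sessions = parse_dump(text)
    counts = sessions_per_client(sessions)
    return {
        "sessions": len(sessions),
        "stale": [(s["cip"], s["cport"], s["rip"]) for s in bound_to_failed(sessions, failed_rips)],
        "heavy_clients": sorted(c for c, n in counts.items() if n > max_per_client),
    }


# Constructed sample dump (not captured from a real switch)
SAMPLE_DUMP = """\
>> Main # /info/slb/sess/dump
4,1: 10.1.1.1 1322 --> 10.1.1.12 80 age 10 E
4,1: 10.1.1.1 1323 --> 10.1.1.11 80 age 9 E
2,1: 203.0.113.7 40001 --> 10.1.1.11 80 age 4 E
2,1: 203.0.113.7 40002 --> 10.1.1.12 80 age 4 E
2,1: 203.0.113.7 40003 --> 10.1.1.13 80 age 3 E
3,1: 203.0.113.7 40004 --> 10.1.1.11 80 age 3 E
"""

if __name__ == "__main__":
    # 10.1.1.13 is the server shown FAILED in the /info/slb/du output above
    print(audit(SAMPLE_DUMP, {"10.1.1.13"}, max_per_client=3))
```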
- SLB (Server Load Balancing) • Troubleshooting command tips
- Link and Layer 2/3 issues
 check the LEDs
 check the cable
 check link negotiation (/info/link, /cfg/port #/fast …)
 check the port stats (/stats/port # …)
 check the FDB and ARP tables
  /info/l2/fdb/dump (/info/fdb/dump)
  /info/l3/arp/dump (/info/arp/dump)
 check the interface and gateway
  /info/l3/ip (/info/ip)
- Layer 4 issues
 Cannot connect to the VIP service port or ping the VIP:
  check the client and server processing settings on the ports
  check the real server health checking (/info/slb/du)
 Cannot connect to the real server IP service port:
  check the Direct Access Mode (DAM) configuration (/cfg/slb/adv/dire)
 Load balancing state (/stats/slb/gr #, /stats/slb/virt #)
 Disable a real server (/oper/slb/dis <realserver number>)
 Switch SLB configuration (/cfg/slb/cu ..)
- Alteon technical support files (/maint/tsdump …… scripts)
- Security Acceleration
• What is security acceleration?
 – Combining an application switch with existing security systems to provide efficient, highly available security services
• Security acceleration applications
 – Firewall load balancing
 – Virtual Private Network (VPN) load balancing
 – Intrusion Detection System (IDS) load balancing
 – Viruswall load balancing
• Advantages
 – Non-stop service by removing single points of failure
 – Service expansion using existing platforms and resources
 – High-performance service using multiple security devices configured in parallel
Firewall load balancing design using application switches
[Figure: Internet -> application switch on the "dirty" side of the network (firewall load balancing) -> firewalls -> application switch on the "clean" side of the network (server load balancing) -> internal network]
1. Traffic entering through the redirection filter on the "dirty" side is divided into per-session streams
2. The streams are forwarded to the individual firewalls
3. Streams permitted by a firewall are delivered to the "clean" side application switch
4. The "clean" side switch performs server load balancing
5. Server responses go back to the client through the same process
6. Traffic with the same IP source/destination pair is always sent through the same firewall, so a single firewall can inspect the whole stream of a session
- FWLB (Firewall Load Balancing)
- VPN Load Balancing
• Because of the security characteristics of VPN devices, traffic entering and leaving the internal network must be configured to always use the same VPN device
 – The application switch records in its session table which VPN device a session came in through
 – The session table ensures that the same VPN device always handles the traffic of a given session between internal and external users
• VPN load balancing through the application switch
 – Guarantees scalability of the VPN service
 – Easy management of clients and remote devices
 • Multiple VPN devices are reached through a single IP, as if they were one VPN device, and load balanced
 – External switch: maintains persistence of IKE (UDP 500) and IPsec sessions
 – Internal switch: selects the appropriate VPN device for sessions created internally
[Figure: Internet, DNS, branch offices with VPN -> application switch -> VPN servers -> application switch -> internal network, LDAP; VPN load balancing]
- IDS Load Balancing
 – Intrusion detection systems (IDS) are essential to a security service, but in practice most have very low performance
 – IDS load balancing distributes the load across multiple IDSs to improve performance
 • Improves IDS scalability
 • Improves IDS availability
 – Because the application switch remembers the session of each frame delivered to an IDS, it always sends the frames of a session to the same IDS
[Figure: Internet -> application switch -> secured servers; application switch -> IDS servers]
* IDS = Intrusion Detection System
- FWLB (Firewall Load Balancing) • Basic configuration and operation (bridge firewall mode)
[Figure: Firewall #1 on 192.168.1.0/24, Firewall #2 on 192.168.2.0/24; upper switch IF 1 192.168.10.1/24, IF 10 192.168.1.1/24, IF 20 192.168.2.1/24; lower switch 192.168.100.1/24, 192.168.1.2/24, 192.168.2.2/24]
Step 1: L2, L3 and system configuration (upper switch)
1. Connect to the switch
 Enter password: admin (default)
2. Set the IP addresses of the switch
 /cfg/ip/if 1 (enter)
 mask 255.255.255.0 (enter)
 add 192.168.10.1 (enter)
 en (enter)   // enable
 /cfg/ip/if 10 (enter)
 mask 255.255.255.0 (enter)
 add 192.168.1.1 (enter)
 en (enter)   // enable
 /cfg/ip/if 20 (enter)
 mask 255.255.255.0 (enter)
 add 192.168.2.1 (enter)
 en (enter)   // enable
- FWLB (Firewall Load Balancing) • Basic configuration and operation (bridge firewall mode)
Step 1: L2, L3 and system configuration (upper switch)
3. VLAN configuration
 /cfg/ip/if 1/vlan 1
 /cfg/ip/if 10/vlan 10
 /cfg/ip/if 20/vlan 20
 /cfg/vlan 10/en/add 2
 /cfg/vlan 20/en/add 3
4. STP off
 /cfg/stp/off
[Figure: upper switch port 1 uplink, ports 2 and 3 to Firewall #1 (192.168.1.0/24) and Firewall #2 (192.168.2.0/24); lower switch ports 2 and 3 likewise; upper switch 192.168.10.1/24, 192.168.1.1/24, 192.168.2.1/24; lower switch 192.168.100.1/24, 192.168.1.2/24, 192.168.2.2/24]
- FWLB (Firewall Load Balancing) • Basic configuration and operation (bridge firewall mode)
Step 2: L4 configuration (upper switch)
1. SLB on
 /cfg/slb/on
2. Real servers and group
 /cfg/slb/real 1/rip 192.168.1.2/en
 /cfg/slb/real 2/rip 192.168.2.2/en
 /cfg/slb/gr 1/add 1/add 2
 /cfg/slb/gr 1/health icmp
 /cfg/slb/gr 1/metric hash
[Figure: upper switch (192.168.10.1/24, 192.168.1.1/24, 192.168.2.1/24) ports 2 and 3 to Firewall #1 and Firewall #2; the lower switch interfaces 192.168.1.2/24 and 192.168.2.2/24 are real server 1 and real server 2]
- FWLB (Firewall Load Balancing) • Basic configuration and operation (bridge firewall mode)
Step 2: L4 configuration (upper switch)
3. Allow filter configuration
 /cfg/slb/fil 10/en/dip 192.168.10.0/dmask 255.255.255.0
 /cfg/slb/fil 20/en/dip 192.168.1.0/dmask 255.255.255.0
 /cfg/slb/fil 30/en/dip 192.168.2.0/dmask 255.255.255.0
4. Redirect filter configuration
 /cfg/slb/fil 100/en/ac re/gr 1
 /cfg/slb/port 1/filter en
 /cfg/slb/port 1/add 10/add 20/add 30/add 100
[Figure: upper switch (192.168.10.1/24, 192.168.1.1/24, 192.168.2.1/24) ports 2 and 3 to Firewall #1 and Firewall #2; lower switch interfaces 192.168.1.2/24 and 192.168.2.2/24 are real server 1 and real server 2]
- FWLB (Firewall Load Balancing) • Basic configuration and operation (bridge firewall mode)
[Figure: Firewall #1 on 192.168.1.0/24, Firewall #2 on 192.168.2.0/24; upper switch 192.168.10.1/24, 192.168.1.1/24, 192.168.2.1/24; lower switch IF 1 192.168.100.1/24, IF 10 192.168.1.2/24, IF 20 192.168.2.2/24]
Step 1: L2, L3 and system configuration (lower switch)
1. Connect to the switch
 Enter password: admin (default)
2. Set the IP addresses of the switch
 /cfg/ip/if 1 (enter)
 mask 255.255.255.0 (enter)
 add 192.168.100.1 (enter)
 en (enter)   // enable
 /cfg/ip/if 10 (enter)
 mask 255.255.255.0 (enter)
 add 192.168.1.2 (enter)
 en (enter)   // enable
 /cfg/ip/if 20 (enter)
 mask 255.255.255.0 (enter)
 add 192.168.2.2 (enter)
 en (enter)   // enable
- FWLB (Firewall Load Balancing) • Basic configuration and operation (bridge firewall mode)
Step 1: L2, L3 and system configuration (lower switch)
3. VLAN configuration
 /cfg/ip/if 1/vlan 1
 /cfg/ip/if 10/vlan 10
 /cfg/ip/if 20/vlan 20
 /cfg/vlan 10/en/add 2
 /cfg/vlan 20/en/add 3
4. STP off
 /cfg/stp/off
[Figure: lower switch port 1 to the internal side, ports 2 and 3 to Firewall #1 (192.168.1.0/24) and Firewall #2 (192.168.2.0/24); upper switch 192.168.10.1/24, 192.168.1.1/24, 192.168.2.1/24; lower switch 192.168.100.1/24, 192.168.1.2/24, 192.168.2.2/24]
- FWLB (Firewall Load Balancing) • Basic configuration and operation (bridge firewall mode)
Step 2: L4 configuration (lower switch)
1. SLB on
 /cfg/slb/on
2. Real servers and group
 /cfg/slb/real 1/rip 192.168.1.1/en
 /cfg/slb/real 2/rip 192.168.2.1/en
 /cfg/slb/gr 1/add 1/add 2
 /cfg/slb/gr 1/health icmp
 /cfg/slb/gr 1/metric hash
[Figure: lower switch (192.168.100.1/24, 192.168.1.2/24, 192.168.2.2/24) ports 2 and 3 to Firewall #1 and Firewall #2; the upper switch interfaces 192.168.1.1/24 and 192.168.2.1/24 are real server 1 and real server 2]
- FWLB (Firewall Load Balancing) • Basic configuration and operation (bridge firewall mode)
Step 2: L4 configuration (lower switch)
[Figure: lower switch (192.168.100.1/24, 192.168.1.2/24, 192.168.2.2/24) ports 2 and 3 to Firewall #1 and Firewall #2; the upper switch interfaces 192.168.1.1/24 and 192.168.2.1/24 are real server 1 and real server 2]
3. Allow filter configuration
 /cfg/slb/fil 10/en/dip 192.168.10.0/dmask 255.255.255.0
 /cfg/slb/fil 20/en/dip 192.168.1.0/dmask 255.255.255.0
 /cfg/slb/fil 30/en/dip 192.168.2.0/dmask 255.255.255.0
4. Redirect filter configuration
 /cfg/slb/fil 100/en/ac re/gr 1
 /cfg/slb/port 1/filter en
 /cfg/slb/port 1/add 10/add 20/add 30/add 100