2005 운영자 교재(part2)pds15.egloos.com/pds/200907/23/98/alteon_switch.pdf · • On, Alteon...

Alteon Switch운영자운영자 교육교육

- Alteon switch

- Alteon swich 제품군

- Server Load Balancing 이해

- Server Load Balancing 운용과 설정

- Troubleshooting Guide

- Alteon switch 제품군

Feature/Function

180e(AD3)• Eight 10/100/1000 Mbps ports• One 1000BASE-SX port• 2MB of memory per port• 336K concurrent sessions• 8 Gbps backplane capacity

184(AD4)• Nine 10/100/1000 Mbps ports• 4 MB of memory per port (1-8)• 8 MB of memory on port 9• 512K concurrent sessions• 8 Gbps backplane capacity

WSM• 4- 10/100 TX or Gig SX ports • 80MB of Memory• 512K concurrent sessions

Pric

e

AAS 2208• 8ea 10/100 Mbps ports• 2ea Gigabit ports• 600K concurrent sessions• 16 Gbps backplane capacity

AAS 2216• 16ea 10/100 Mbps ports• 2ea Gigabit ports• 1M concurrent sessions• 16 Gbps backplane capacity

AAS 2424• 24 10/100Mbps ports• 4ea Gigabit ports• 2M concurrent sessions• 16 Gbps backplane capacity

AAS 3408• 8ea 10/100/1000 Mbps ports• 8ea Gigabit ports• 2M concurrent sessions• 16 Gbps backplane capacity

Selectable 8 x 10/100 or 1000SX Ethernet ports

1- 100 or Gigabit Ethernet uplink on Port 9

6 LEDs/port- Data- Link- Active

Console port

AC and DC power

available

Alteon 184

- Alteon Web switches

...

8 GbpsSwitch Backplane

Management Module

Switch Ports

Memory Flash

WebIC

Memory

Fwd Engine

RISC

RISCWebIC

Memory

Fwd Engine

RISC

RISCWebIC

Memory

Fwd Engine

RISC

RISC

RISC RISC

- Alteon Web switches

• WebIC: network processing ASIC with hardware-assisted forwarding engine and dual RISC processors

• Up to 20 RISC processor per switch• Optimized for processing-intensive session services• Separate centralized switch management processors

• Complete Layer 2-7 switching solution• Comprised of Alteon Web Switching Module

for the Passport 8600• Integrated platform provides a higher level of

intelligent networking for LAN/WAN/MAN and data center requirements

• Lower total cost of ownership with L2-7 integration and device consolidation

Alteon Web Switching Module (WSM)

Passport 8600 L2-7 Intelligent Routing Switch

-Passport 8600 Routing Switch withAlteon Web Switching Module

- Alteon Application Switch Nomenclature

Alteon nn nn

Gigabit Uplink Ports

Port Density

Alteon Application Switch

Series Number2 = Fast Ethernet 3 = Gigabit Ethernet

AAS 2208(8FEx2GE)

AAS 2216(16FEx2GE)

AAS 2424(24FEx4GE)

AAS 3408(12GE)

1 7

2 8

9 15

10 16

17 23

18 24 25 26 27 28

1 7

2 8

9 15

10 16 17 18

1 7

2 8 9 10

8 FE 2 GE

16 FE 2 GE

24 FE 4 GE

4 1000TX Only4 1000TX or GBIC Choice

4 GE

1 2 3 4 3 4 5 6 5 6 7 8 9 10 11 12

4 1000TX or GBIC Choice

- 4가지 모델의 Alteon Application Switch

- Alteon Application Switch 2424

RJ45 Auto 10/100Fast Ethernet Ports

LEDs on Port

SFP GBICs: 1000Base-SXOr 1000Base-LX with LC Connectors

LEDs: SFPLED: Power

LED: Fan

DB9ConsoleRJ45

ManagementPort

12 7

8 910 15

16 1718 23

24 25 261-RUform factor

{27 28

RJ45 Auto 10/100/1000

Ethernet Ports

SFP GBICs: 1000Base-SXOr 1000Base-LX with LC Connectors

RJ45 ManagementPort

Optional Copper or Optical

1-RUform factor

{ 1 4 3 5 864 5 6 72 3

119 10 12

LEDs: SFP

LED: PowerLED: Fan

- Alteon Application Switch 3408

DB9Console

- Alteon Application Switch Inside

MP• On AD/180 series, Management

Processor and Management Port are synonymous

• On Alteon 2000/3000 series, MP refers to Management Processor and NOT Management Port

• Health checking, start-up, configurations…

SP• On, AD/180 series Switch Processor

and Switch Port are synonymous• On, Alteon 2000/3000 series SP

refers to Switch Processor which is not the same as a Switch Port

• Layer 2 – 7 processingM• 128-MB each of fast SDRAM (SP)• Total switch memory = 640-MB

MPSP2SP1 SP4SP3

MM

MM

VMA

Gigabit Ethernet

M

Gigabit or Fast Ethernet

MPSP2SP1 SP4SP3

MM

MM

SP2SP1 SP4SP3MMMM

MMMM

VMA

Gigabit Ethernet

M

Gigabit or Fast Ethernet

Architecture allows for flexibility in future software feature/ application development

- Alteon Application Switch VMAVirtual Matrix Architecture (VMA)

CPU CPU CPU CPU CPU CPU CPU CPU

Unattached port

Client

Server

DA_X, SA_3, RIP_A DA_X, SA_1, RIP_A DA_Y, SA_2, RIP_B DA_X, SA_1, RIP_ASA_1DA_X

SA_3DA_X

SA_2DA_Y

SA_1DA_XServer

• Memory at all ports pooled and utilized at all times

– Session entries kept in memory local to designated CPUs

– Global session table kept for cookie persistent sessions

– All ports store all filtering/redirection policies

Performance of distributed architecture with centralized architecture’s resource utilization

• CPUs at all ports actively share L4-7 processing load– Each ingress packet hashed to one of 8 ports for L4-7 processing– Hashing algorithm ensures even distribution of Internet traffic– Packets in same session always hashed to the same CPU

1.75/11.75/11.75/11.75/11.75/1Height (inches/RU)

NoNoYesNoNoIntegrated SSL VPN

NoNoBase:300Max:1000NoNoIntegrated SSL

Acceleration (tps.)**

20K *40K *>110K.*>110K.*>110K.*Layer 4 Performance(sessions/second)

15K*30K *>51K *>51K *>51K *Layer 7 Performance(sessions/second)

600K91M)1M(2M)2M(4M)2M(4M)2M(4M)Concurrent Sessions

2,0482,0482,0482,0482,048Policy Filters

102410241,0241,0241,024Real Server Support

102410241,0241,0241,024Virtual Server Support

256256256256256IP Routing Interfaces

22444+4**Gigabit Ethernet Ports

81624244+4**10/100 Ethernet Ports

1018282812Total Ports

2208(E)2216(E)2424-SSL(E)2424(E)3408(E)구분

- Alteon Application Switch 성능

- Alteon Application Switch 활용

서버로드밸런싱

Application LB

Global Server LB

Application Health Checks

보안패턴업데이트

하우리바이러스패턴

노텔 P2P 패턴

Bogon필터리스트

고급필터링

Layer 2-4 Attributes

VLAN Filtering

Accept, Deny, NAT, Redirect

보안서비스

기본 DoS 방지기능

응용프로그램과용

SSL VPN 기능

DPILayer 7 Deep Packet Inspection 기능

Ascii, Binary Pattern 제공

패턴그룹핑기능

네트워크장비가속화

Firewall/IDS LB

양방향 VPN LB

WAN Links

WAP Gateways

트래픽관리

Bandwidth Management

Flow기반 BWM

관리기능

공격상세로깅(송수신 IP 및포트, 공격명)

사용자별세션내역트래킹

트래픽통계기능

애플리케이션리디렉션

Web Site

각종 Cache

SSL Appliance

Streaming Media

VPN

Layer 4-7 Application/Content Intelligence

Layer 1

Layer 2

Layer 3

Layer 4

Layer 5

Layer 6

Layer 7

OSI 7-Layer Model

Protocol Example

Ethernet

IP

SSL

TCP

HTTP& URL, 패턴

Device Example

이더넷스위치와같은L2 장비

라우터와같은L3 장비

서버/IDS

애플리케이션스위치

지능적인 L2-7 장비

- Application Switch 기반

- SLB ( Server Load Balancing)Server load Balancing의이해

• 기존 Server Load Balancing 방법

- DNS Roundrobin을이용한 Server Load Balancing

Internet

Client

DNS

Servers

Request:www.abc.com

www.abc.com = xwww.abc.com = ywww.abc.com = z

X y z

http://www.abc.com

http://www.abc.com

http://www.abc.com

http://www.abc.com

- SLB ( Server Load Balancing)

Internet

Client

DNSwww.abc.com = VIP

Servers

Request:www.abc.com

Virtual IP Address

R_IP 1 R_IP 2 R_IP 3

HealthChecking

Real IP Addresses

L4를통한 Server Load Balancing

- Client가웹브라우저 상에서 URL을입력하여 DNS로

하여금얻어지는 Ip address값 (L4에서는 Virtual IP :

VIP 이라고말한다.) 을통하여 L4의 Virtual Server로

접속하게된다.

- Virtual Server로접속하게된 http request는 Vip로

mapping되어있는 실제 서버들(real server)의 Group

으로 matching시켜주게된다.

- Server group으로 Matching 시키는기법은 L4가가지고

있는여러가지분산알고리즘에의해 작동하게되는데

사이트의성격에따라알맞게 선택하여주면된다.

http://www.abc.com

http://www.abc.com

- Alteon Application Switch

WebOS Traffic Flow

• At each Ingress Port if Layer 4 parameters are configured traffic flow follows these 3 processes:

• Server – Translates RIP to VIP, RPort to VPort and RMAC to VMAC

• Filter– Fires Filters and performs associated action

• Client – Translates VIP to RIP, VPort to Rport and VMAC to RMAC


Internet

Client-Terminology

Virtual IP Address (VIP)

Real server IP Address (RIP)

Group

• Virtual IP Address (VIP)– Also called Virtual Server– Each VIP must have at least one service – Each VIP can support 8 Services

• Real Servers– Can have Public or Private IP Addresses– Must run a TCP/UDP service– Up to 1024 Real Servers can be configured (Version 10)– Can have maximum connections and timeout values assigned

• Groups– Support of up to 256 Groups– A Group can support 1024 Real Servers– Requires a Health Check metric– Requires a Load Balancing Metric


Internet

ClientCIP,CMAC,CPORT

VMAC ,VIP,VPORT

RMAC,RIP,RPORT

Group

-Terminology

• VIP, VMAC, Vport– virtual server :

• IP address, MAC address, TCP/UDP port• RIP, RMAC, Rport

– real server :• IP address, MAC address, TCP/UDP port

• CIP, CMAC, Cport– Client :

• IP address, MAC address, TCP/UDP port• PIP, PMAC, Pport

– proxy :• IP address, MAC address, TCP/UDP port

• Session– TCP connection, UDP session, IP flow


Internet

Client

SERVERS

• Client ports

- Client processing을 적용할 수 있는 switch port

-각각의 session을 server로 할당

VIP를 RIP로 변환

• Server ports

- Server processing을 적용할 수 있는 switch port

RIP를 VIP로 변환

• Health Check

- Server의 이상유무를 수시로 점검하는 기능

( http, tcp, ftp, icmp ...)

-Terminology

Client ports

Server portsHealth Check


• Client / Server processing

– Changes DIP from VIP to Real server IP and vice-versa

– Client processing also creates session binding entry based on client SIP and Sport

Server192.168.1.1VIP 100.10.10.1

SIP 200.20.20.1DIP 100.10.10.1DMAC = V-MAC

SIP 200.20.20.1DIP 192.168.1.1DMAC = R-MAC

Client processing

SIP 192.168.1.1DIP 200.20.20.1DMAC = DGW-MAC

SIP 100.10.10.1DIP 200.20.20.1DMAC = C-MAC

Server processing

- SLB ( Server Load Balancing)• Client Processing- VIP (Virtual IP address)를 RIP (Real IP address)로변환하는작업

1. Translate VMAC:VIP:Vportto RMAC:RIP:Rport

2. Forward to real server

1. Select Server2. Place Entry inSession Table

yesno

Session Table Existing session entry?

Client port?

yesno

egress port

Clients Server

Src C mac C mac C mac C mac

Dst v mac v mac R mac R mac

Src C ip C ip C ip C ip

Dst V ip V ip R ip R ip

Src 2155 2155 2155 2155

Dst 80 80 80 80TCP

L4구 분

MAC

IP

• Server Processing

- RIP (Real IP address)를 VIP (Virtual IP address)로변환하는작업

Server Clients

Src R mac R mac V mac V mac

Dst C mac C mac C mac C mac

Src R ip R ip V ip V ip

Dst C ip C ip C ip C ip

Src 80 80 80 80

Dst 2155 2155 2155 2155TCP

L4구분

MAC

IPService Mapping Table

Frame IP SA and source UDP/TCP portmatches a configured

RIP:Rport?

Translate RIP:Rportto VIP:Vport

yes

Filtering

Server port?


- SLB ( Server Load Balancing)• Health Check

R1_OK R2_OK R3_Fail

• Health check types- ICMP- TCP - 3 way handshake (Service port)- Content - HTTP- Application specific – Radius, SSL, POP, DNS etc.- Scripted – send sequence, expected response

• Health check parameters (realserver)- Interval ( default 2sec)- Retry counts- Restroe counts- etc

- SLB ( Server Load Balancing)• Load Balancing Metrics

• Load Based:– Round Robin / Weighted Round Robin– Least Connections / Weighted Least Connections– Response Time– Bandwidth

• Persistent IP Based– Hash– Minimum Misses– SSL ID– Cookie

Option : Weights , Maxcon…

- SLB ( Server Load Balancing)>> Load Balancing Metrics <<

• Round Robin Load Balancing

• LeastConns Load Balancing

- Real server로 session을순차적을맺어주는방식- weight (가중치), Maximum connection 적용가능

- real server의 open 세션수를고려한다음, 가장적은수의 open

session을가진 real server로 session을맺어주는방식.

-각 real server들이서로상이한 resource와 connection에부수되는

시간과데이터양이서로다른환경에서활용할수있다.


• Hash

• Minimum Missies

- Clients와 Server 간에한번성립된 session을계속해서유지해주는

방식으로 특정 client는특정 server로만접속하게된다.

-이방식은 clients source IP address (32 bit) 값을 real server의대수로

나눈나머지값으로 connection할 server 결정

- Hash Algorithm과거의유사

-역시 clients source IP address (32 bit) 값을 real server의대수로나눈

나머지값으로 connection할 server 결정

-그러나, 이 Algorithm은 Cache Redirection에주로사용하도록권장


• Bandwith

• Respose Time

-대역폭의사용량에따라 Load Balancing

-대역폭이적게사용되는 server로먼저 session 연결

-응답속도에따라 Load Balancing

-응답속도가빠른 server로먼저 session 연결

- SLB ( Server Load Balancing)• DAM( Direct Access Mode)

Internet

Client

Real IP

• When Server Processing is run the switch assumes flows with a IP SA of a RIP are using a load balancedservice and the IP SA is always translated from RIP toVIP without checking the session table

• This allows packets to enter one switch and leave onanother and still be translated from RIP to VIPe.g. Active - Active

• No Direct Access to the RIP is possible

• The RIP to VIP translation is not done automatically,it requires that the Session Table is checked first

- SLB ( Server Load Balancing)• DSR ( Direct Sever Return)

Internet

Client

ServersR_IP 1 R_IP 2 R_IP 3

Loopback if = VIP

1

2

3

• To configure DSR Alteon switch/cfg/slb/real 1/submac en/cfg/slb/virt 1/ser http/nonat en

- SLB ( Server Load Balancing)• High Availablity with VRRPVRRP (Virtual Router Redundancy Protocol)- rfc 2338

- VRRP uses IP multicast to communicate on 224.0.0.18- Use of a multicast MAC address ( 00-00-5E-00-01-02 for VRID = 2 )- Alteon extensions to VRRP

support Layer4 redunancy with virtual server routers(VSR)shared Mode

1

Multicast Updates12

ARP for Default Gateway

2

3

Master Answers ARP3

4

Path For Traffic4

2

BM

- SLB ( Server Load Balancing)• High Availablity with VRRPActive – standby

Active Standby

- All switches actively perform load balancing and/or routing functions,but for different virtual services and/or interfaces

- SLB ( Server Load Balancing)• High Availablity with VRRPActive – Hot standby

Active Hot Standby

- One master with one or more backups. Only master processes layer 4 traffic- STP is not needed to eliminate bridge loops.

BLOCKING

- SLB ( Server Load Balancing)• High Availablity with VRRPActive – Active

Active Active

- All switches can actively forward traffic for the same virtual services and/or interface

- SLB ( Server Load Balancing)• Basic configration and operation- CLI (Command Line Interface )

[Main Menu]info - Information Menustats - Statistics Menucfg - Configuration Menuoper - Operations Command Menuboot - Boot Options Menumaint - Maintenance Menudiff - Show pending config changes [global command]apply - Apply pending config changes [global command]save - Save updated config to FLASH [global command]revert - Revert pending or applied changes [global command]exit - Exit [global command, always available]

- SLB ( Server Load Balancing)• Basic configration and operationAdministration Interfaces

- CLI (Command Line Interface) : consloe (DB9) , telnet

/cfg/sys/tnet enalbe

- BBI (Browser Base Interface)

/cfg/sys/http enalbe , /cfg/sys/wport <port>

- SNMP : EMS

/cfg/sys/snmp , /cfg/snmp

- RMON

- SLB ( Server Load Balancing)• Basic configration and operation- BBI (Browser Base Interface)

- SLB ( Server Load Balancing)• Basic configration and operation- EMS ( Alteon Element Management System)

• An Intuitive, Graphical Configuration Tool– Java based

• Client/Server Application– Stand-alone

client– Unix/Windows

support

• Platform-Less Operation– Optional usage in HP OpenView environment

- SLB ( Server Load Balancing)• Basic configration and operation- EMS ( Alteon Element Management System)

Real Time Statistical Information Graphing

- SLB ( Server Load Balancing)• Basic configration and operation

Internet

Client

1

2 3 4

Step1 L2,L3,system configration1.Connect switch

Enter password : admin (default)

2.Set IP address of switch/cfg/ip/if 1 (enter)mask 255.255.255.0 (enter) add 10.1.1.10 (enter)en (enter) // enalbe

3.Set gateway ip address/cfg/ip/gw 1 (enter)add 10.1.1.1en (enter)

4.Set telnet , http access/cfg/sys/tnet en (enter)/cfg/sys/http en (enter)

apply (enter)save (enter)

VIP 10.1.1.100 sevice http

gateway 10.1.1.1/24

L4`IP 10.1.1.10/24

Realserver IP 10.1.1.11~13


Internet

Client

1

2 3 4

Step2 L2,L3 monitor and information1. /info/link>>Main# /info/link------------------------------------------------------------------Port Speed Duplex Flow Ctrl Link----- ----- -------- --TX-----RX-- ------

1 100 full yes yes up 2 100 full yes yes up 3 100 full yes yes up 4 100* full* no* no* up 5 10/100 any yes yes down6 10/100 any yes yes down7 10/100 any yes yes down* = value set by configuration; not autonegotiated.

2. Port speed setting(manual)/cfg/port 24/fast/speed 100/mode full/auto off

Current port 24 speed setting: 10/100Pending new speed setting: 100Current port 24 mode setting: anyPending new mode setting: full duplexCurrent port 24 autonegotiation: onPending new autonegotiation: off

3. /info/l3/ip (/info/ip)>> Information# /info/ipInterface information:

1: 10.1.1.0 255.255.255.0 10.1.1.255, vlan 1, up

Default gateway information: metric strict1: 10.1.1.1, vlan any, up


gateway 10.1.1.1/24

L4`IP 10.1.1.10/24

health check ( icmp )


Step3 L4 SLB configration

Internet

Client

1

2 3 4


L4`IP 10.1.1.10/24


1.SLB ON /cfg/slb/on

2.Real server configration/cfg/slb/real 1/rip 10.1.1.11/en (enter)Current real server IP address: 0.0.0.0 New pending real server IP address: 10.1.1.11/cfg/slb/real 2/rip 10.1.1.12/en (enter)/cfg/slb/real 3/rip 10.1.1.13/en (enter)

3.Group, health check configraion/cfg/slb/gr 1/add 1/add 2/add 3 (enter)

Real server 1 added to real server group 1.Real server 2 added to real server group 1.Real server 3 added to real server group 1./cfg/slb/gr 1/health httpCurrent health check type: tcpNew pending health check type: http

4.Group load balancing Metric configration/cfg/slb/gr 1/metric

leastconns | roundrobin | minmisses|hash…

Group 1

Health check


Internet

Client

1

2 3 4


gateway 10.1.1.1/24

L4`IP 10.1.1.10/24

Step3 L4 SLB configration5. VIP, Service port, group configration

>> Main# /cfg/slb/virt 1/vip 10.1.1.100/en Current virtual server IP address: 0.0.0.0New pending virtual server IP address: 10.1.1.100Current status: disabledNew status: enabled

>> Main# /cfg/slb/virt 1/service http------------------------------------------------------------[Virtual Server 1 http Service Menu]

group - Set real server group numberrport - Set real porthname - Set hostname. . . .

>> Virtual Server 1 http Service# gr 1Current real server group: 1New pending real server group: 1

Group 1

Health check



6 .Client ,Server process configration

>> Main# /cfg/slb/port 1/client en (enter)Current client processing: disabledNew client processing: enabled

>> SLB port 1# /cfg/slb/port 2/server en (enter)Current server processing: disabledNew server processing: enabled

>> SLB port 2# /cfg/slb/port 3/server en (enter)>> SLB port 3# /cfg/slb/port 4/server en (enter)

Step3 L4 SLB configration

Internet

Client

1

2 3 4

gateway 10.1.1.1/24

L4`IP 10.1.1.10/24

Group 1Realserver IP 10.1.1.11~13

Client side port

Server side port


Step4 L4 SLB monitor and operation

Internet

Client

1

2 3 4

gateway 10.1.1.1/24

L4`IP 10.1.1.10/24



1.VIP, Realserver heath check monitor

Main# /iinfo/slb/du

Real server state:1: 10.1.1.11, 00:e0:00:8c:cd:18, vlan 1, port 2, health 4, up2: 10.1.1.12, 00:e0:00:8c:cd:19, vlan 1, port 3, health 4, up3: 10.1.1.13, 00:00:00:00:00:00, vlan 0, port 0, health 4, FAILED

Virtual server state:1: 10.1.1.100, 00:60:cf:4b:04:6e

virtual ports:http: rport http, group 1, backup none

real servers:1: 10.1.1.11, backup none, 1 ms, up2: 10.1.1.12, backup none, 2 ms, up3: 10.1.1.13, backup none, 0 ms, FAILED

Redirect filter state:Port state:

1: 0.0.0.0, client2: 0.0.0.0, server3: 0.0.0.0, server4: 0.0.0.0, server5: 0.0.0.06: 0.0.0.0


Internet

Client

1

2 3 4

gateway 10.1.1.1/24

L4`IP 10.1.1.10/24



Step4 L4 SLB monitor and operation2.Group LB monitor>>Main# /stat/slb/gr 1

------------------------------------------------------------------Real server group 1 stats:

Current Total Highest OctetsReal IP address Sessions Sessions Sessions---- --------------------------- -------- ----- -------- ---------------

1 10.1.1.11 0 0 0 583202 10.1.1.12 0 1 1 75884

---- --------------------------- -------- ---------- ---------- ---------------0 1 1 134204

3. Session talbe monitor

>> Main # /info/slb/se/du

4,1025: 10.1.1.1 1322 --> 10.1.1.12 80 age 10 E


Step4 L4 SLB monitor and operation4. Session talbe monitor>> Main # /info/slb/sess/helpThe fields, (1)-(13), associated with a session, as identified in theexample below are described in the following.3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 3567 3.3.3.1 http age 6 f:10 ELNPSRtUW c:#(1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13)3, 01: 1.1.1.1 4586, 2.2.2.1 http ->(1) (2) (3) (4) (5) (6)

1.1.1.2 3567 3.3.3.1 http age 6 f:10 ELNPSRtUW c:#(7a) (7) (8) (9) (10) (11) (12) (13)

------------------------------------------------------------------(1) SP number: This field indicates which SP created the session.(2) Ingress port: This field shows the physical port# of the client traffic that entered to the switch.(3) Source IP address: This field contains the source IP address from client IP packet.(4) Source port: This field identifies the TCP/UDP source port from client packet.(5) Destination IP address:This is the destination IP address from client TCP/UDP packet.

For load balancing, this address is the virtual IP address.For filtering redirect, this address is the destination server's address.

(6) Destination port: This field identifies the TCP/UDP destination port from client packet.(8) Real server IP address: (9) Server port: (10) Age: This is the session timeout value. If no packet is received within

the value specified, the session is freed.

- SLB ( Server Load Balancing)• Troubleshooting command Tip

- link and Layer 2,3 Issusecheck the LEDcheck the calbecheck link negotiation (/info/link , /cfg/port # /fast…..)check the port stats ( /stats/port # ….)check the FDB, ARP tables

/info/l2/fdb/dump ( /info/fdb/dump)/info/l3/arp/dump ( /info/arp/dump)

check the interface and gateway/info/l3/ip ( /info/ip)


- Layer 4 IssuseCannot connect VIP service port and ping VIPcheck the client , server process at the portscheck the realserver heath checking

( /info/slb/du )

Cannot connect realserver IP service portcheck the Direct Access Mode(DAM) configration( /cfg/slb/adv/dire )


- Layer 4 IssuseLoad Balancing state( /stats/slb/gr # , /stats/slb/virt # )

Realserver operation disalbe( /oper/slb/dis <realserver number> )

Switch slb configraion( /cfg/slb/cu ..)


Alteon technical support files( /maint/tsdump……scripts)

- 보안 가속

• 보안 가속이란?

– 이미 존재하는 보안시스템에 애플리케이션 스위치를 접목시켜 효율적인 고가용성 보안 서비스를제공하는 것

• 보안 가속 응용

– Firewall 로드밸런싱

– Virtual Private Network (VPN) 로드밸런싱

– Intrusion Detection System (IDS) 로드밸런싱

– Viruswall 로드밸런싱

• 장점

– 단일 장애 포인트 제거를 통한 무정지 서비스

– 기존 플랫폼 및 자원의 활용을 통한 서비스 확장

– 병렬로 구성된 여러 개의 보안 장비 활용을 통한고성능 서비스 제공

애플리케이션 스위치를 적용한파이어월 로드밸런싱 디자인

Internet

InternalNetwork

Application Switch

Application Switch

Firewall

Internet

내부네트웍

Application Switch

Application Switch

“Dirty” Sideof Network

“Clean” Sideof Network

Firewall LoadBalancing

Server LoadBalancing

1. “Dirty” side 의 Redirection filter를 통해 유입된트래픽들을 세션별 스트림으로 구분

2. 스트림을 각 파이어월로 전달

3. 파이어월에서 허가된 스트림은 “Clean” side 의애플리케이션 스위치로 전달

4. “Clean” side 스위치는 서버 로드밸런싱을 수행

5. 서버의 응답은 동일한 과정을 거쳐 클라이언트로 전달

6. 동일한 IP Source / Destination 조합을 가진 트래픽은 항상 같은 파이어월을 통해 전송되게끔하여 하나의 파이어월이 세션내의 전체 스트림을 감시할 수 있게 된다.

- FWLB ( Firewall Load Balancing)

• VPN 장비의 보안 특성상 내부망으로의 유입 및 유출 트래픽은 항상 같은 VPN장비를 이용하도록 구성 되어야 한다.

– 애플리케이션 스위치는 어느 VPN장비를 통해 세션이 들어 왔는지를 세션 테이블에 기억

– 세션 테이블은 항상 같은 VPN장비가 내부의 사용자와외부 사용자 간의 특정 세션의 트래픽을 관리할 수 있도록 한다.

• 애플리케이션 스위치를 통한 VPN Load Balancing

– VPN 서비스의 확장성 보장

– 클라이언트 및 원격지 장비의 쉬운 관리

• 마치 하나의 VPN장비처럼 하나의 IP로 접근되어 다수의 VPN장비로 로드 밸런싱

– 외부 스위치 : IKE(UDP 500), IPSEC 세션의Persistency 유지

– 내부 스위치 : 내부에서 생성된 세션의 적합한 VPN장비선택

Internet

DNS

Branch OfficesWith VPN

LDAP

InternalNetwork

ApplicationSwitch

ApplicationSwitch

VPN Servers

VPN LoadBalancing

- VPN Load Balancing

– 침입탐지 시스템(IDS)은 보안 서비스에 있어 반드시필요하나 대부분 성능이 매우 낮은 것이 현실임

– IDS 로드밸런싱은 성능 향상을 위해 다수의 IDS로 부하를 분산하는 서비스

• IDS의 확장성 향상

• IDS의 가용성 향상

– 애플리케이션 스위치는 IDS로 전달된 프레임의 세션을 기억하므로서 항상 같은 IDS로 프레임을 전송 한다

Secured Servers

Application Switch

Application Switch

IDS Servers

* IDS = Intrusion Detection System

Internet

- IDS Load Balancing

- FWLB (Firewall Load Balancing)• Basic configration and operation(Bride firewall Mode)

Step1 L2,L3,system configration(up)1.Connect switch



/cfg/ip/if 10 (enter)mask 255.255.255.0 (enter) add 192.168.1.1 (enter)en (enter) // enalbe


Firewall #2Firewall #1

192.168.1.0/24 192.168.2.0/24

192.168.100.1/24

IF 1: 192.168.10.1/24

IF 10 : 192.168.1.1/24

192.168.1.2/24

IF 20 : 192.168.2.1/24

192.168.2.2/24


Step1 L2,L3,system configration(up)3.Vlan config

/cfg/ip/if 1/vlan 1/cfg/ip/if 10/vlan 10 /cfg/ip/if 20/vlan 20

/cfg/ vlan 10/en/add 2/cfg/ vlan 20/en/add 3

4.STP OFF

/cfg/stp/off

1

2 3

1

2 3


192.168.1.0/24 192.168.2.0/24

192.168.100.1/24

192.168.10.1/24

192.168.1.1/24

192.168.1.2/24

192.168.2.1/24

192.168.2.2/24


Step2 L4 configration(up)1. SLB On

/cfg/slb/on

2. Realserver and group

/cfg/slb/real 1/rip 192.168.1.2/en


/cfg/slb/gr 1/add 1/add 2

/cfg/slb/gr 1/health icmp

/cfg/slb/gr 1/metric hash

1

2 3


192.168.10.1/24

192.168.1.1/24

192.168.1.2/24

192.168.2.1/24

192.168.2.2/24Real server 1 Real server 2


Step2 L4 configration(up)3. Allow Filter config

/cfg/slb/fil 10/en/dip 192.168.10.0/dmask 255.255.255.0



4.Redir Filter config

/cfg/slb/fil 100/en/ac re/gr 1

/cfg/slb/port 1/filter en//cfg/slb/port 1/add 10/add 20/add 30

/add 100

1

2 3


192.168.10.1/24

192.168.1.1/24

192.168.1.2/24

192.168.2.1/24

192.168.2.2/24Real server 1 Real server 2


Step1 L2,L3,system configration(down)1.Connect switch



/cfg/ip/if 10 (enter)mask 255.255.255.0 (enter) add 192.168.1.2(enter)en (enter) // enalbe



192.168.1.0/24 192.168.2.0/24

IF 1 :192.168.100.1/24

192.168.10.1/24

192.168.1.1/24

IF 10 : 192.168.1.2/24

192.168.2.1/24

IF 20 : 192.168.2.2/24


Step1 L2,L3,system configration(down)3.Vlan config

/cfg/ip/if 1/vlan 1/cfg/ip/if 10/vlan 10 /cfg/ip/if 20/vlan 20

/cfg/ vlan 10/en/add 2/cfg/ vlan 20/en/add 3

4.STP OFF

/cfg/stp/off

1

2 3


192.168.1.0/24 192.168.2.0/24

192.168.100.1/24

192.168.10.1/24

192.168.1.1/24

192.168.1.2/24

192.168.2.1/24

192.168.2.2/24


Step2 L4 configration(down)1. SLB On

/cfg/slb/on

2. Realserver and group



/cfg/slb/gr 1/add 1/add 2

/cfg/slb/gr 1/health icmp

/cfg/slb/gr 1/metric hash

1

2 3


192.168.100.1/24

192.168.1.1/24

192.168.1.2/24

192.168.2.1/24

192.168.2.2/24

Real server 1 Real server 2


Step2 L4 configration(down)

1

2 3


192.168.100.1/24

192.168.1.1/24

192.168.1.2/24

192.168.2.1/24

192.168.2.2/24

Real server 1 Real server 2

3. Allow Filter config




4.Redir Filter config

/cfg/slb/fil 100/en/ac re/gr 1

/cfg/slb/port 1/filter en//cfg/slb/port 1/add 10/add 20/add 30

/add 100

2005 운영자 교재(part2)pds15.egloos.com/pds/200907/23/98/alteon_switch.pdf · • On, Alteon...

Documents

Transcript of 2005 운영자 교재(part2)pds15.egloos.com/pds/200907/23/98/alteon_switch.pdf · • On, Alteon...