cisco - ace
Post on 27-Nov-2015
1© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicAPP-1102
Application Control Engine (ACE) Overview
Agenda
• Introduction
• Architecture
• Application Infrastructure Control
• Role-Based Access Control
• Application Security
• Application Availability
• Management
• Roadmap
Evolution of the Data Center Infrastructure: Phased Approach
[Diagram: three phases, each built on the previous one]
• CONSOLIDATION (LAN / WAN / MAN, SAN and storage network, HPC / cluster / grid; data network, server fabric network, intelligent information network): centralization and standardization to lower costs, improve efficiency and uptime
• VIRTUALIZATION (storage, network, compute, enterprise applications): management of resources independent of the underlying physical infrastructure to increase utilization, efficiency and flexibility
• AUTOMATION (storage, network, compute; business policies, on-demand, service oriented): dynamic provisioning and Information Lifecycle Management (ILM) to enable business agility
Server-Centric to Service-Centric
[Diagram: server-centric application silos evolving into a service-centric data center network]
• Server-centric model: monolithic, proprietary compute silos, one application silo per application
• Transition: aggregation of storage into a SAN; prevalence of 1-RU and blade servers with consolidated I/O
• Service-centric model: “pools” of standardized resources (pooled compute resources, pooled storage resources, shared application services) assembled on demand to create a “virtual infrastructure”, reached through the user access network
Typical Application Environment Today
[Diagram: home/road users and branch office users reach the data center over WAN, VPN and Internet; the majority of users are remote]
Servers in the data center and the protocols their clients use:
• Enterprise applications (web servers, app servers, DB servers): HTTP, HTTPS
• E-mail servers (Exchange servers, Notes servers): MAPI, IMAP, WebDAV
• File servers: CIFS, NFS, WebDAV
• Legacy application servers (emulation and Citrix servers, mainframe and legacy 2-tier): ICA, TN3270
• Streaming media servers: MMS, RTSP/RTP
• Multiple applications
• Distributed users – partner, supplier
• Complex application environments
• Security and data management concerns
Cisco Application Delivery Business Unit: Application Networking Services
[Diagram: client-to-application and application-to-application paths]
• Client to application: branch office users behind an Integrated Services Router with a Wide Area Application Engine (WAE); home/road users and business partners over HTTP/HTTPS/WebDAV; a core WAE in the data center in front of file servers, Exchange and Citrix servers
• Application delivery: Catalyst switch with Application Control Engine (CSS/CSM/GSS) and Application Velocity System (AVS) in front of web servers
• Application to application / application integration: InfiniBand, NAS, and a secondary or partner data center behind its own Catalyst switch and Application Control Engine
• Data center intranet and infrastructure
ACE & AVS Innovations At-a-Glance
Application Infrastructure Control
• Innovation: virtual partitioning; hierarchical management domains; role-based access control
Application Performance
• Innovation: highest throughput; maximum scalability; multi-tiered reliability, availability, and scalability
• Base: server load balancing; content switching; web acceleration; intelligent compression
Application Security
• Innovation: richest app-layer security*; hardware-accelerated protocol control; highest performing NAT and Access Control List (ACL)
• Base: limited Network Address Translation; DDoS protection
Infrastructure Simplification
• Innovation: Layer 2-7 network integration; functional consolidation; application network management solution
• Base: TCP optimization; SSL termination; XML API
*Available in AVS today
Cisco L4-7 Switching Portfolio
• Appliances: CSS 11501, CSS 11503, CSS 11506
• Modules: CSM, ACE
Cisco Application Control Engine (ACE)
Parallel network-processor based architecture with separate control and data paths
ACE – Hardware Architecture
[Diagram: ACE module block diagram. Link speeds shown: switch fabric interface 16G, SupConnect 100M, daughter cards 8G each, SSL crypto 10G, data-plane NPs 10G each, control plane 2G]
• Switch fabric interface and SupConnect (supervisor connection) into the module
• CDE switch, 60 Gbps
• Control plane running the ACSW OS
• Data plane: two network processors, NP1 and NP2, with 16 micro-engines on each, 20B ops / sec
• Two daughter cards carrying the SSL crypto engines
Dataplane Subsystems on Micro-Engines
• Receive + Fastpath (+ Transmit)
• IP Reassembly + Timers + Syslog
• Inbound Connection Manager
• Outbound Connection Manager
• Connection Close Management
• TCP
• HTTP
• ACL Classification, Forwarding
• NAT
• Application fixups
• SSL Record Layer
• Static and user-configurable REGEX
• TCP Normalization + FixUps
[Diagram: micro-engine pipeline: Rx FastPath, FastPath, IP Frag / Timers, ICM, OCM, CCM, TCP, HTTP, SSL Record, RegEx, FixUps, TCP Norm.]
XScale Processor
• Layer 7 policy matching
• Load balancing algorithms
• SSL handshake
• FTP and RTSP inspection and fixups
• HA heartbeats
Control Plane Subsystems
• System Manager
• Configuration Manager
• Policy / ACL Compiler
• L2/L3 Services: Route Manager, Interface Manager, ARP
• Health monitoring
• DHCP Relay
ACE and AVS Innovations: Raising the Bar for Application Performance
• Multi-tiered reliability, availability, and scalability: per application; intra-chassis; inter-chassis; inter-data center. Maximum protection for your critical business
• High application performance impact: patented latency and bandwidth reduction techniques; common inspection engine. 2-5X improvement in application response times
• Highest throughput: 16 Gbps; 345K L4 CPS. Handles large data files, rich-media applications and a large user base with ease
• Maximum scalability: up to 4 modules in a Catalyst 6500 chassis; architected for add-on services. Pay-as-you-grow without fork-lift upgrade
Industry Leading Application Performance
Application Infrastructure Control
Virtual Partitioning – System Separation
[Diagram: one physical device hosting multiple virtual systems, each with a dedicated control and data path; resource split shown as 25% / 25% / 20% / 15% / 15% of 100%]
Traditional device:
• Single configuration file
• Single routing table
• Limited RBAC
• Limited resource allocation
Cisco Application Infrastructure Control:
• Distinct configuration files
• Separate routing tables
• RBAC with Contexts, Roles, Domains
• Management and data resource control
• Independent application rule sets
• Global administration and monitoring
Virtual Partitioning – Deployments
[Diagram: a physical device with an Admin context holding the context definitions and resource allocation, plus Context 1 through Context 250; a management station authenticates through AAA]
• Isolate departments / customers / applications
• Rapid application roll-out
• Lower cost to deploy / change / add
Virtual Partitions – Resource Control
Per-context control:
• Guaranteed resource levels for each context
• Support for over-subscription
Guaranteed rates: bandwidth; data connections / sec; management connections / sec; SSL bandwidth; syslogs / sec
Guaranteed memory: access lists; regular expressions; number of data connections; number of management connections; number of SSL connections; number of xlates; number of sticky entries
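The two bullets above can coexist only if the guarantees themselves are never over-subscribed while the headroom above them is. The following Python model is an added example, not Cisco or ACE code: for one resource class (say data connections / sec, expressed as a percentage of module capacity) every context's guaranteed share is always held free for it, and a context may burst above its guarantee, up to a maximum, only into capacity that no other context's guarantee claims. The context names, percentages and the guaranteed/maximum API are constructed for this example.

```python
"""Per-context resource guarantees with over-subscription.

Added example, not Cisco/ACE code: a model of "guaranteed resource levels
for each context" combined with "support for over-subscription" for one
resource class. Every context's guaranteed share is always held free for it;
a context may burst above its guarantee, up to a maximum, only into capacity
that no other context's guarantee claims. Context names, percentages and the
guaranteed/maximum API are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class ContextShare:
    name: str
    guaranteed: float    # percent always reserved for this context
    maximum: float       # percent it may burst to when spare capacity exists
    in_use: float = 0.0


class ResourcePool:
    """One resource class shared by all contexts of the module."""

    def __init__(self, capacity: float = 100.0) -> None:
        self.capacity = capacity
        self.contexts = {}

    def allocate(self, ctx: ContextShare) -> None:
        if ctx.maximum < ctx.guaranteed:
            raise ValueError(f"{ctx.name}: maximum below guaranteed")
        committed = sum(c.guaranteed for c in self.contexts.values()) + ctx.guaranteed
        # Guarantees are never over-subscribed; only the maximums (burst headroom) may be.
        if committed > self.capacity:
            raise ValueError(f"guarantees exceed capacity: {committed} > {self.capacity}")
        self.contexts[ctx.name] = ctx

    def reserved_for_others(self, name: str) -> float:
        """Unused guaranteed share of every other context; it must stay free for them."""
        return sum(max(0.0, c.guaranteed - c.in_use)
                   for n, c in self.contexts.items() if n != name)

    def admit(self, name: str, amount: float) -> bool:
        """Admit `amount` more of the resource for context `name`, or refuse it."""
        ctx = self.contexts[name]
        wanted = ctx.in_use + amount
        if wanted > ctx.maximum:
            return False
        if wanted <= ctx.guaranteed:          # within its own guarantee: always admitted
            ctx.in_use = wanted
            return True
        used_total = sum(c.in_use for c in self.contexts.values())
        free = self.capacity - used_total - self.reserved_for_others(name)
        if amount <= free:                    # burst only into genuinely spare capacity
            ctx.in_use = wanted
            return True
        return False

    def release(self, name: str, amount: float) -> None:
        ctx = self.contexts[name]
        ctx.in_use = max(0.0, ctx.in_use - amount)


def build_demo_pool() -> ResourcePool:
    """Constructed split: guarantees sum to 80%, maximums over-subscribe to 150%."""
    pool = ResourcePool(100.0)
    for name, gmin, gmax in [("C1", 30, 60), ("C2", 30, 50), ("C3", 20, 40)]:
        pool.allocate(ContextShare(name, gmin, gmax))
    return pool
```

With guarantees that already sum to 100% (the 25 / 25 / 20 / 15 / 15 split shown on the earlier slide) the model never admits a burst, which is the expected outcome: over-subscription only has room to work when the guarantees leave headroom.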
ACE in Action: Data Center Consolidation
[Diagram: N-tier applications (web servers, app servers, DB servers) on separate front end networks, consolidated onto a single ACE module with multiple virtual partitions C1 to C6, each with its own functions and resources]
ACE consolidates horizontal application silos and supports central control with distributed management across departments, users and applications
Domains
• Grouping of objects in a Virtual Context to restrict management access
• Objects can belong to multiple Domains
• Max 10 Domains / Context
[Diagram: Context 1 with Domain A and Domain B; VIP1 to VIP4 and real servers R1 to R5, with R3 appearing in both domains]
Default Roles in the System
• Admin: access to ALL functions in the context / device
• SLB-Admin: serverfarm, servers, health monitoring
• Security-Admin: access control, inspection, AAA, NAT
• Server-Maintenance: servers in/out of rotation
• Server-Application-Maintenance: servers, health monitoring, load balancing rules
• Network-Admin: interfaces, routing, NAT, TCP
• Network-Monitor: access to all show commands only
Privilege levels: Create, Modify, Debug, Monitor
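The Domains slide and the default-role list together describe a three-part decision: is the object in the caller's context, is it visible through one of the caller's domains, and does the caller's role grant a high enough privilege on that object's feature. The Python below is an added example of that check, not ACE code. The feature names, the assumption that the four privilege levels are ordered (Create implies Modify implies Debug implies Monitor), the `domains=None` convention for an unrestricted user, and the sample contexts, objects and users are all constructed for this example; the role names and the 10-domain limit come from the slides.

```python
"""Contexts, roles and domains as an access-control check.

Added example, not ACE code: a small model of the RBAC scheme on the slides.
Default roles grant a privilege level (Create, Modify, Debug or Monitor) on a
set of features; domains group objects inside a context to restrict which
objects a user may manage. Feature names, the ordering of privilege levels
and the sample data are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

PRIVILEGE_RANK = {"monitor": 0, "debug": 1, "modify": 2, "create": 3}
ALL_FEATURES = frozenset({"serverfarm", "rserver", "probe", "loadbalance",
                          "access-list", "inspect", "aaa", "nat",
                          "interface", "routing", "tcp"})
MAX_DOMAINS_PER_CONTEXT = 10   # "Max 10 Domains / Context"


def _grant(level: str, features) -> dict:
    return {f: level for f in features}


# Default roles as listed on the slide, mapped onto constructed feature names.
DEFAULT_ROLES = {
    "Admin": _grant("create", ALL_FEATURES),
    "SLB-Admin": _grant("create", {"serverfarm", "rserver", "probe"}),
    "Security-Admin": _grant("create", {"access-list", "inspect", "aaa", "nat"}),
    "Server-Maintenance": _grant("modify", {"rserver"}),        # in/out of rotation only
    "Server-Application-Maintenance": _grant("create", {"rserver", "probe", "loadbalance"}),
    "Network-Admin": _grant("create", {"interface", "routing", "nat", "tcp"}),
    "Network-Monitor": _grant("monitor", ALL_FEATURES),         # show commands only
}


@dataclass(frozen=True)
class ManagedObject:
    context: str
    feature: str
    name: str


@dataclass
class Context:
    name: str
    domains: dict = field(default_factory=dict)   # domain name -> set of object names

    def add_domain(self, domain: str, objects) -> None:
        if domain not in self.domains and len(self.domains) >= MAX_DOMAINS_PER_CONTEXT:
            raise ValueError(f"{self.name}: at most {MAX_DOMAINS_PER_CONTEXT} domains")
        # The same object may be listed in several domains.
        self.domains.setdefault(domain, set()).update(objects)


@dataclass
class User:
    name: str
    context: str
    role: str
    domains: Optional[set] = None   # None: not domain-restricted (constructed convention)


def is_permitted(user: User, action: str, obj: ManagedObject, contexts: dict) -> bool:
    """Same context, object visible through one of the user's domains, and the
    role's privilege on the object's feature covers the requested action."""
    if obj.context != user.context:
        return False
    if user.domains is not None:
        ctx = contexts[user.context]
        if not any(obj.name in ctx.domains.get(d, ()) for d in user.domains):
            return False
    granted = DEFAULT_ROLES[user.role].get(obj.feature)
    if granted is None:
        return False
    return PRIVILEGE_RANK[action] <= PRIVILEGE_RANK[granted]


def build_demo_context() -> Context:
    """Context 1 from the Domains slide: Domain A and Domain B, real server R3 in both."""
    ctx = Context("ctx1")
    ctx.add_domain("A", {"VIP1", "VIP2", "R1", "R2", "R3"})
    ctx.add_domain("B", {"VIP3", "VIP4", "R3", "R4", "R5"})
    return ctx
```

A Server-Maintenance user assigned to Domain A can take R1 or the shared R3 out of rotation but cannot touch R5, cannot create a new real server, and cannot change VIP1 even though it is in the same domain, because the role grants nothing on that feature.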
Application Infrastructure Control: Contexts, Roles, Domains
[Diagram: a physical module with an Admin context (Context A definition, Context B definition, resource allocation, admin management config) and Contexts A and B; Context A holds VIP1, VIP2, Farm1 and Farm2; Context B holds VIP3, Farm3, Farm4 and SSL certs 1 and 2, split into Domain1 and Domain2; a management station is mapped through AAA to a role such as Admin, Network/Security, Server Admin or Monitor]
RBAC in Action: Application Infrastructure Control
[Diagram: application team, network administrators and server administrators all submitting config changes to one device, versus each group working under its own application, server or network role]
Config changes funneled through one team: continuous change requests become a bottleneck, prone to conflicting changes and errors
With RBAC: application role, server role, network role
ACE Innovations: Application Infrastructure Control
The New Standard For Application Delivery Systems
• Up to 250 Virtual Partitions
• Hierarchical Management Domains
• Role-Based Access Control
Benefits: adapt application infrastructure to business operations; fewer devices with superior control; maximum utilization of system and physical resources; guaranteed performance levels; centralized control, decentralized management; improved workflow; rapid response to application demands; aligns IT operations with IT organization structure
TCP Reuse
[Diagram: client connections TCP1, TCP2 and TCP3 terminated on ACE; server-side connection ACE-TCP1 taken from Pool1 and ACE-TCP2 from Pool2]
• Connection pools are established per real server per server-farm
• Multiple pools can be established per real server
• A connection is added to the reuse pool upon completion of the server response
• Client connections are matched to server connections based on TCP options
  - sack, timestamp, window_scale, MSS
• Client TCP options/parameters are preserved
Significantly reduces server overhead
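To make the bullets above concrete, here is an added Python simulation of the reuse pools; it is example code, not ACE code. Pools are keyed per (server farm, real server), so one real server can have several pools; a server-side connection returns to its pool only once the server response is complete; and a new client connection may borrow a pooled connection only when its TCP options (sack, timestamp, window_scale, MSS) are equal, which is what keeps the client's negotiated parameters intact on the server side. Farm names, connection ids and option values are constructed for the example.

```python
"""TCP reuse: matching client connections to pooled server connections.

Added example, not ACE code: a simulation of the connection-reuse pools the
slide describes. Pools are kept per (server farm, real server); a server-side
connection returns to its pool once the server response is complete; a client
connection may borrow a pooled connection only if its TCP options match.
Farm names, connection ids and option values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class TcpOptions:
    sack: bool
    timestamp: bool
    window_scale: int
    mss: int


@dataclass
class ServerConnection:
    conn_id: int
    farm: str
    rserver: str
    options: TcpOptions
    busy: bool = False


class ReusePools:
    def __init__(self) -> None:
        self._idle = defaultdict(list)     # (farm, rserver) -> idle connections
        self._ids = itertools.count(1)
        self.opened = 0                    # server-side handshakes actually performed

    def acquire(self, farm: str, rserver: str, client_opts: TcpOptions):
        """Return (connection, reused). Only an idle connection whose TCP options
        equal the client's can be reused; otherwise a new one is opened."""
        idle = self._idle[(farm, rserver)]
        for i, conn in enumerate(idle):
            if conn.options == client_opts:
                idle.pop(i)
                conn.busy = True
                return conn, True
        self.opened += 1
        conn = ServerConnection(next(self._ids), farm, rserver, client_opts, busy=True)
        return conn, False

    def response_complete(self, conn: ServerConnection) -> None:
        """Server response finished: the connection goes back to its pool."""
        conn.busy = False
        self._idle[(conn.farm, conn.rserver)].append(conn)

    def idle_count(self, farm: str, rserver: str) -> int:
        return len(self._idle[(farm, rserver)])


def simulate(requests) -> tuple:
    """Serve each (farm, rserver, TcpOptions) request to completion, in order.
    Returns (server connections opened, client connections served by reuse)."""
    pools = ReusePools()
    reused_total = 0
    for farm, rserver, opts in requests:
        conn, reused = pools.acquire(farm, rserver, opts)
        reused_total += int(reused)
        pools.response_complete(conn)
    return pools.opened, reused_total


if __name__ == "__main__":
    std = TcpOptions(sack=True, timestamp=True, window_scale=7, mss=1460)
    legacy = TcpOptions(sack=False, timestamp=False, window_scale=0, mss=1380)
    print(simulate([("farm1", "rs1", std), ("farm1", "rs1", std),
                    ("farm1", "rs1", legacy), ("farm2", "rs1", std)]))
```

In the sample run, four client connections need only three server-side handshakes: the second request reuses the first connection, the third opens a new one because its options differ, and the fourth opens a new one because farm2 has its own pool for the same real server. Two clients in flight at the same time never share a connection, since a busy connection is not in the idle list.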
Application Health Monitoring Overview
• Continually monitor the health of Applications and Server availability
• Health Monitoring Support
- “Out-of-band” monitoring
- Ability to monitor a gateway or other remote device for failover purposes
- Optional port and IP address probe configuration
- 15 different native probe types, including TCL support
- 4K unique probe configurations
- 16K probe associations supported
Most Robust Application Availability
[Diagram: physical redundancy inter-chassis (one ACE in each of two Catalyst 6500s) and intra-chassis (two ACEs in one Catalyst 6500); application redundancy inter-context, with ACE-1 active for contexts A and B and standby for C' and D', and ACE-2 active for C and D and standby for A' and B', in redundancy groups Red-grp1 to Red-grp4]
• FT VLAN carries the TRP protocol packets: heartbeats, configuration sync packets, state replication packets
• Failover tracking: HSRP; interface up / down; multiple probes with priority
Benefits of Integration with the Catalyst 6500
• Unique Cisco strength -- presence, market and technology leadership of the Catalyst 6500 enterprise-class switching family
• Leverage all L2-L4 Catalyst 6500 HW-based features (VACLs, QoS, per-flow policing, SPAN, PBR, port-security, Private VLANs, etc…)
• Largest offer of connectivity options: 10/100/1000, 10G, WAN interfaces, copper / fiber, …
• Integration with the MSFC routing table, injecting/removing VIP host routes based on server and application health (Route Health Injection)
• Integration with other L4-7 services modules, with Safe Harbor certified releases (http://www.cisco.com/go/safeharbor/) and integration design documents (http://www.cisco.com/go/srnd/); includes NAM modules for Network Analysis
Device Management
XML Interface
• Configuration, Provisioning and Monitoring
• All features on ACE can be configured using XML over HTTP / HTTPS
• Monitoring support via XML-ized "show commands"
• XML DTD is available for both Monitoring and Provisioning
SNMP
• Supervisor agent provides environmental status of ACE
• SNMP agent is virtualized to allow SNMP settings per virtual context
• Up to 10 SNMP hosts are supported per virtual context
• ACE supports SNMP v1, v2c and v3
Modular Policy Command (MPC)
Management Solution for ACE and Across Application Networking Services
- Provisioning, Monitoring, Reporting of Virtualized Services
- RBAC - Templates - Rich GUI
ACE Innovations: Infrastructure Simplification
Most Comprehensively Integrated Solution
• Layer 2 - Layer 7 network integration: bi-directional communications between 6500 supervisor and ACE modules. Reduced footprint; improved application availability
• Functional consolidation: SLB, SSL, firewall, protocol optimization. Better application performance; simpler topologies
• Application Network Manager: management for virtual partitions and hierarchical management domains across multiple devices. Quick and concurrent application deployment at multiple points
Cisco AVS 3120 / 3180
Delivery Functions
• Accelerate: best response time on existing infrastructure
• Optimize: minimize required network infrastructure
• Offload: maximize capacity of application infrastructure
Service Functions
• Monitor: provide end-user quality of service metrics
• Secure: policy-based protection of app infrastructure
• Manage: management and exception handling
Typical Deployment with Cisco CSS/CSM
[Diagram: L7 switch with SSL in front of VIP1 and VIP2]
Application Optimization
• Industry’s best set of optimizations
  - Dramatic real-time application impact
  - Any web application or web front-end
• Highly configurable
  - Granular rules-based control
  - Pre-built application templates
  - Comprehensive best practices
• No application or desktop changes
• Rapid deployment
• Benefit: application performance engineering in a box
[Diagram: Application Delivery Engine with network latency mitigation techniques, bandwidth reduction options and server offload functions]
Cisco AVS-3120 Manages Network Latency
• Minimizes network roundtrips per page or transaction
• Proxy manages sessions for both clients and servers
• Includes both proprietary and industry-standard features
FlashForward object acceleration
Smart redirect
Fast redirect
TCP Multiplexing
• Multiplies performance benefits under SSL
Cisco AVS 3120 Minimizes Bandwidth Needs
• Converts browser cache into dynamic engine
• Intelligently reduces content payloads
• Includes both proprietary and industry-standard features
Delta Optimization
Smart Image Compression
Just-in-time object acceleration
GZIP and DEFLATE compression
• Leapfrogs compression alone
• Multiplies performance benefits under SSL
• Leverages existing caching and CDN
Cisco AVS-3120 Reduces Server Contention
• Offloads web and application servers
• Provides additional scalability for clustered environments
• Includes both proprietary and industry-standard features
Adaptive dynamic caching
Static caching
TCP connection offload
Cisco AVS-3120 Deployment Scenarios
• AVS 3120 devices are deployed in two configurations:
  – “Inline” using internal clustering for scalability and failover
  – “Out of band” using Layer 4-7 SLB to manage infrastructure
• Proven configurations available with Cisco CSS
• Velocity appears as another web server to the SLB
[Diagram: CSS / CSM in front of the Application Velocity System; layers shown: network integration, network security, application availability, service virtualization, application security, application acceleration]
Application Control & Optimization
[Diagram: switch architecture versus proxy architecture]
• Switch architecture: process packets; manage load; maximize throughput. Functions: packet load balancing, compression, TCP offload, SSL offload
• Proxy architecture (Application Delivery Engine): process applications; control request/response; maximize efficiency. Functions: network latency mitigation techniques, bandwidth reduction options, end-user monitoring, application firewall, server offload
Technology Advantage
Functional areas, basic capabilities and AVS capabilities (* = patented):
• Accelerate (network latency management): AVS adds request aggregation / browser cache management*, browser TCP multiplexing*, PDF download optimization, response redirection control*
• Optimize (bandwidth reduction): basic capability is Gzip/DEFLATE compression; AVS adds delta encoding*, dynamic browser caching*, dynamic image optimization (JPG, GIF, PNG), flexible processing rules
• Offload (server efficiency): basic capabilities are TCP connection multiplexing, SSL offload and acceleration, static caching; AVS adds configurable dynamic caching*, load-based caching*, lazy request evaluation*, single sign-on optimizations, XML merging/transformation
• Monitor (application QoS): basic capabilities are logging and system health checking; AVS adds end-to-end response time monitoring, business transactions capability, first-line service triage
• Secure (protect applications and infrastructure): basic capability is rules-based protection; AVS adds out-of-the-box Layer-7 protections, stateful content inspection policies, comprehensive exception handling and monitoring
• Management / integration: basic capability is SNMP access and control; AVS adds an application delivery dashboard and service-level integration with BMC, HP, etc.
Specific Features and Benefits of the Condenser
• Network latency mitigation
  - Features: request aggregation, browser cache management*, browser TCP multiplexing*, PDF download optimization, response redirection control*
  - Impact: 2X - 5X minimum improvements in response time
  - Benefits: dramatically improved end-user performance
• Network optimization
  - Features: delta encoding*, dynamic browser caching*, dynamic image optimization (JPG, GIF, PNG)*, Gzip/DEFLATE compression, flexible processing rules
  - Impact: 70-90% reduction in bandwidth use
  - Benefits: reduce bandwidth costs; delay or eliminate network upgrades; better end-user performance
• Server offload
  - Features: configurable dynamic caching*, load-based caching*, lazy request evaluation*, single sign-on optimizations, TCP connection multiplexing, SSL offload and acceleration, static caching
  - Impact: 50% reduction in server cycles
  - Benefits: delay or reduce server purchases; minimize application licenses; better performance