Nortel 212777 - Manuals
Summary
212777-A, February 2002
Contents
Preface 21
Who Should Use This Guide 21
What You’ll Find in This Guide 21
Typographic Conventions 23
Contacting Us 24
Part 1: Basic Switching & Routing
Chapter 1: Basic IP Routing 27
IP Routing Benefits 28
Routing Between IP Subnets 28
Example of Subnet Routing 31
De...
Web OS 10.0 Application Guide
VLANs and Spanning Tree Protocol 49
Bridge Protocol Data Units (BPDUs) 50
Multiple Spanning Trees 51
VLANs and Default Gateways 58
Segregating VLAN Traffic 58
Configuring the Local Network 60
Configuring Default Gateways per VLAN 60
VLA...
OSPF Configuration Examples 83
Example 1: Simple OSPF Domain 84
Example 2: Virtual Links 86
Example 3: Summarizing Routes 90
Example 4: Host Routes 92
Verifying OSPF Configuration 98
Chapter 5: Secure Switch Management 99
Setting Allowab...
Load Balancing Special Services 149
IP Server Load Balancing 149
FTP Server Load Balancing 150
Domain Name Server (DNS) Load Balancing 151
Real Time Streaming Protocol SLB 155
Wireless Application Protocol SLB 158
Intrusion Detection Syst...
Chapter 8: Application Redirection 203
Overview 204
Web Cache Redirection Environment 204
Additional Application Redirection Options 205
RTSP Web Cache Redirection 211
IP Proxy Addresses for NAT 213
Excluding Noncacheable Sites 215
Chap...
Chapter 11: High Availability 247
VRRP Overview 248
VRRP Components 248
VRRP Operation 251
Selecting the Master VRRP Router 251
Active-Standby Failover 252
Failover Methods 253
Active-Standby Redundancy 254
Active-Active Redundancy 255
Ho...
Part 3: Advanced Web Switching
Chapter 12: Global Server Load Balancing 289
GSLB Overview 290
Benefits 290
Compatibility with Other Web OS Features 290
How GSLB Works 291
Configuring GSLB 293
IP Proxy for Non-HTTP Redirects 304
How IP P...
Chapter 15: Content Intelligent Switching 371
Overview 372
Parsing Content 373
HTTP Header Inspection 374
Buffering Content with Multiple Frames 374
Content Intelligent Server Load Balancing 375
URL-Based Server Load Balancing 375
Virt...
Chapter 16: Persistence 421
Overview of Persistence 422
Using Source IP Address 422
Using Cookies 423
Using SSL Session ID 423
Cookie-Based Persistence 424
Permanent and Temporary Cookies 425
Cookie Formats 425
Cookie Properties 426
Clie...
Configuring Bandwidth Management 454
Additional Configuration Examples 457
Preferential Services Examples 460
Glossary 471
Index 475
Figures
Figure 1-1: The Router Legacy Network 29
Figure 1-2: Switch-Based Routing Topology 30
Figure 1-3: iBGP and eBGP 37
Figure 1-4: BGP Failover Configuration Example 38
Figure 1-5: DHCP Relay Agent Configuration 42
Figure 2-1: Example 1: Multiple VLANs with Tagging Gig...
Tables
Table 1-1: Subnet Routing Example: IP Address Assignments 31
Table 1-2: Subnet Routing Example: IP Interface Assignments 31
Table 1-3: Subnet Routing Example: Optional VLAN Ports 33
Table 1-4: Local Routing Cache Address Ranges 35
Table 2-1: Ports, Trunk Groups, and...
New Features
The following table lists the new features in Web OS 10.0 and the supported platforms:
Feature    Alteon Web Switches AD3/180e    Alteon Web Switches AD4/184
Vlan-based default gateway    No    Yes
Vlan Filtering    No    Yes
Multiple Instances of Spanning Tree    Yes    Yes
Layer 7 de...
Preface
This Application Guide describes how to configure and use the Web OS software on the Alteon Web switches. For documentation on installing the switches physically, see the Hardware Installation Guide for your particular switch model.
Who Should Use This Guide
This A...
Typographic Conventions
The following table describes the typographic styles used in this book.
Table 1 Typographic Conventions
Typeface or Symbol    Meaning    Example
AaBbCc123    This type is used for names of commands, files, and director...
Contacting Us
For complete product support and sales information, visit the Nortel Networks website at the following URL: http://www.nortelnetworks.com
See the contact information on this site for regional support and sales phone num...
Part 1: Basic Switching & Routing
This section discusses basic Layer 1 through Layer 3 switching and routing functions. In addition to switching traffic at near line rates, the Web switch can perform multi-protocol routing. This section includes the following basic sw...
CHAPTER 1
Basic IP Routing
This chapter provides configuration background and examples for using the Alteon Web switch to perform IP routing functions. The following topics are addressed in this chapter:
• “IP Routing Benefits” on page 28
• “Routing Between IP Subnets” on...
IP Routing Benefits
The Alteon Web switch uses a combination of configurable IP switch interfaces and IP routing options. The switch IP routing capabilities provide the following benefits:
• Connects the server IP...
For example, consider the following topology migration:
Figure 1-1 The Router Legacy Network
In this example, a corporate campus has migrated from a router-centric topology to a faster, more powerful, switch-based...
Take a closer look at the Alteon Web switch in the following configuration example:
Figure 1-2 Switch-Based Routing Topology
The Alteon Web switch connects the Gigabit Ethernet and Fast Ethernet trunks from variou...
Example of Subnet Routing
Prior to configuring, you must be connected to the switch Command Line Interface (CLI) as the administrator.
NOTE – For details about accessing and using any of the menu commands describ...
IP interfaces are configured using the following commands at the CLI:
3. Set each server and workstation’s default gateway to the appropriate switch IP interface (the one in the same subnet as the server or workst...
Using VLANs to Segregate Broadcast Domains
In the previous example, devices that share a common IP network are all in the same broadcast domain. If you want to limit the broadcasts on your network, you could use V...
Each time you add a port to a VLAN, you may get the following prompt:
Enter y to set the default Port VLAN ID (PVID) for the port.
3. Add each IP interface to the appropriate VLAN. Now that the ports are separated...
Defining IP Address Ranges for the Local Route Cache
A local route cache lets you use switch resources more efficiently. The local network address and local network mask parameters (accessed via the /cfg/ip/frwd/l...
Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share and advertise routing information with each other about the segments of the IP address...
Figure 1-3 iBGP and eBGP
Typically, an AS has one or more border routers—peer routers that exchange routes with other ASs—and an internal routing scheme that enables routers in that AS to reach every othe...
As shown in Figure 1-4, the switch is connected to ISP 1 and ISP 2. The customer negotiates with both ISPs to allow the Web switch to use their peer routers as default gateways. The ISP peer routers will then nee...
2. Define the VLANs. For simplicity, both default gateways are configured in the same VLAN in this example. The gateways could be in the same VLAN or different VLANs.
3. Define the IP interfaces. The switch will ...
5. Configure BGP peer router 1 and 2. Peer 1 is the primary gateway router. Peer 2 is configured with a metric of “3.” The metric option is key to ensuring gateway traffic is directed to Peer 1, as it will make Pe...
DHCP Relay
Dynamic Host Configuration Protocol (DHCP) is a transport protocol that provides a framework for automatically assigning IP addresses and configuration information to other IP hosts or clients in a lar...
respond as a UDP Unicast message back to the switch, with the default gateway and IP address for the client. The destination IP address in the server response represents the interface address on the switch that ...
CHAPTER 2
VLANs
This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, a...
VLAN ID Numbers
Web OS supports up to 246 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 246, each can be identified with any number between 1 and 4094. VLANs are defined on a per-po...
VLANs and the IP Interfaces
Carefully consider how you create VLANs within the switch, so that communication with the switch Management Processor (MP) remains possible. You can access the switch for remote configuration, tra...
Example 1: Multiple VLANS with Tagging Adapters
Figure 2-1 Example 1: Multiple VLANs with Tagging Gigabit Adapters
The features of this VLAN are described below:
Component    Description
Web Switch    This switch is configured for...
Example 2: Parallel Links with VLANs
Figure 2-2 Example 2: Parallel Links with VLANs
The following items describe the features of this example:
• Example 2 shows how it is possible, through the use of VLANs, to create config...
VLANs and Spanning Tree Protocol
Spanning Tree Protocol (STP) detects and eliminates logical loops in a bridged or switched network. STP forces redundant data paths into a standby (blocked) state. When multiple paths exist, ...
Bridge Protocol Data Units (BPDUs)
To create a Spanning Tree, the Web switch generates a configuration Bridge Protocol Data Unit (BPDU), which it then forwards out of its ports. All switches in the Layer 2 network participa...
Multiple Spanning Trees
Web OS 10.0 supports up to 16 instances of Spanning Trees or Spanning Tree groups. Each VLAN can be placed on a unique Spanning Tree group per switch except for the default Spanning Tree group (STG 1...
Example of a Four-Switch Topology with a Single Spanning Tree
In the four-switch topology example shown in Figure 2-4 on page 52, and assuming Web switch A has a higher priority, you can have at least three loops on the net...
Example of a Four-Switch Topology with Multiple Spanning Trees
If multiple Spanning Trees are implemented and each VLAN is on a different Spanning Tree, elimination of logical loops will not isolate any VLAN. Figure 2-5 show...
Switch-Centric Spanning Tree Protocol
In Figure 2-5 on page 53, VLAN 2 is shared by Web switch A and B on ports 8 and 1 respectively. Web switch A identifies VLAN 2 in Spanning Tree group 2 and Web switch B identifies VLA...
VLAN Participation in Spanning Tree Groups
The VLAN participation for each Spanning Tree group in Figure 2-5 on page 53 is discussed in the following sections:
• VLAN 1 Participation
If Web switch A is the root bridge, then ...
Configuring Multiple Spanning Tree Groups
This configuration shows how to configure the three instances of Spanning Tree groups on the Web switches A, B, C, and D illustrated in Figure 2-5 on page 53. By default Spanning Tr...
3. Configure the following on Web switch C: Add port 8 to VLAN 3 and define Spanning Tree group 3 for VLAN 3. VLAN 3 is automatically removed from Spanning Tree group 1 and by default VLAN 2 remains in Spanning Tree Group 1....
VLANs and Default Gateways
Web OS allows you to assign different default gateways for each VLAN. You can effectively map multiple customers to specific gateways on a single switch. The benefits of segregating customers to di...
In the example shown in Figure 2-6, if default gateways 5 or 6 fail, then traffic is directed to default gateway 1, which is configured with IP address 10.10.4.1. If default gateways 1 through 4 are not configured on the sw...
Configuring the Local Network
To completely segregate VLAN traffic to its own default gateway, you can configure the local network addresses of the VLAN. This will ensure that all traffic from VLAN 2 is forwarded to Gateway ...
3. Configure the default gateways. Configure default gateways 5 and 6 for VLANs 2 and 3 respectively. Configure default gateway 1 for load balancing session requests and as backup when default gateways 5 and 6 fail.
NOTE...
6. (Optional) Configure the local networks to ensure that the VLANs use the configured default gateways.
7. Apply and save your new configuration changes.
>> IP# frwd/local    (Select the local network Menu)
>> IP F...
VLANs and Jumbo Frames
To reduce host frame processing overhead, Gigabit network adapters that can handle frame sizes of 9K and higher (such as the 3COM PCI-X/PCI Gigabit adapters) and Alteon Web switches, both running opera...
Figure 2-7 Jumbo Frame VLANs
Routing Jumbo Frames to Non-Jumbo Frame VLANs
When IP routing is used to route traffic between VLANs, the switch will fragment Jumbo UDP datagrams when routing from a Jumbo frame VLAN to a non-Ju...
CHAPTER 3
Port Trunking
Trunk groups can provide super-bandwidth, multi-link connections between Alteon Web switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. Thi...
Statistical Load Distribution
Network traffic is statistically load balanced between the ports in a trunk group. The Web OS-powered switch uses both the Layer 2 MAC address and Layer 3 IP address information present ...
Port Trunking Example
In the example below, three ports will be trunked between two Alteon Web switches.
Figure 3-2 Port Trunk Group Configuration Example
Prior to configuring each switch in the above example, you mu...
3. Repeat the process on Web switch 2. Trunk group 1 (on Web switch 1) is now connected to trunk group 3 (on Web switch 2).
NOTE – In this example, two Alteon Web switches are used. If a third-party device supportin...
CHAPTER 4
OSPF
Web OS 10.0 supports the Open Shortest Path First (OSPF) routing protocol. The Web OS implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss OSPF support for the Alteon AD4/184 Web switches...
Types of OSPF Areas
An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other are...
Types of OSPF Routing Devices
As shown in Figure 4-2, OSPF uses the following types of routing devices:
• Internal Router (IR)—a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to th...
Neighbors and Adjacencies
In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each others’ health. To establish neighbor relationships...
The Shortest Path First Tree
The routing devices use a link-state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The ...
OSPF Implementation in Web OS
Web OS 10.0 supports a single instance of OSPF and up to 1K routes on the network. The following sections describe OSPF implementation in Web OS:
• “Configurable Parameters” on page 74
• “Defini...
Defining Areas
If you are configuring multiple areas in your OSPF domain, one of the areas must be designated as area 0, known as the backbone. The backbone is the central OSPF area and is usually physically connected to all...
Using the Area ID to Assign the OSPF Area Number
The OSPF area number is defined in the areaid <IP address> option. The octet format is used in order to be compatible with two different systems of notation used by other...
Interface Cost
The OSPF link-state algorithm (Dijkstra’s algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely propor...
Default Routes
When an OSPF routing device encounters traffic for a destination address it does not recognize, it forwards that traffic along the default route. Typically, the default route leads upstream toward the backbone...
Virtual Links
Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases where this is not possible, you can use a virtual link. Virtual links are created to connect one area to the backbone thro...
Router ID
Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP interface range or in any OSPF ...
To configure OSPF passwords on the Web switches shown in Figure 4-4 use the following commands:
1. Enable OSPF authentication for Area 0 on Web switches 1, 2, and 3.
2. Configure a simple text password up to eight characters ...
Host Routes for Load Balancing
Web OS 10.0 implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks, accomplishing the following goals:
• Server Load ...
OSPF Configuration Examples
A summary of the basic steps for configuring OSPF on the Web switch is listed here. Detailed instructions for each of the steps are covered in the following sections:
1. Configure IP interfaces. One...
Example 1: Simple OSPF Domain
In this example, two OSPF areas are defined—one area is the backbone and the other is a stub area. A stub area does not allow advertisements of external routes, thus reducing the size of the data...
3. Define the backbone. The backbone is always configured as a transit area using areaid 0.0.0.0.
4. Define the stub area.
5. Attach the network interface to the backbone.
6. Attach the network interface to the stub area.
7....
Example 2: Virtual Links
In the example shown in Figure 4-6, area 2 is not physically connected to the backbone as is usually required. Instead, area 2 will be connected to the backbone via a virtual link through area 1. The...
4. Define the backbone.
5. Define the transit area. The area that contains the virtual link must be configured as a transit area.
6. Attach the network interface to the backbone.
7. Attach the network interface to the transit...
Configuring OSPF for a Virtual Link on Switch #2
1. Configure IP interfaces on each network that will be attached to OSPF areas. Two IP interfaces are needed on Switch #2: one for the transit area network on 10.10.12.0/24 and...
6. Define the stub area.
7. Attach the network interface to the backbone.
8. Attach the network interface to the transit area.
9. Configure the virtual link. The nbr router ID configured in this step must be the same as the r...
Example 3: Summarizing Routes
By default, ABRs advertise all the network addresses from one area into another area. Route summarization can be used for consolidating advertised addresses and reducing the perceived complexity ...
Example 4: Host Routes
The Web OS 10.0 implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks and allow for Server Load Balancing (SLB) within OSPF...
Configuring OSPF for Host Routes on Web Switch #1
1. Configure basic SLB parameters. Web switch 1 is connected to two real servers. Each real server is given an IP address and is placed in the same real server group.
2. Confi...
5. Configure the backup virtual server. Alteon Web switch #1 will act as a backup for virtual server 10.10.10.2. Both virtual servers in this example are configured with the same real server group and provide identical servi...
10. Attach the network interface to the backbone.
11. Attach the network interface to the stub area.
12. Configure host routes. One host route is needed for each virtual server on Web switch 1. Since virtual server 10.10.10.1...
Configuring OSPF for Host Routes on Web Switch 2
1. Configure basic SLB parameters. Web switch 2 is connected to two real servers. Each real server is given an IP address and is placed in the same real server group.
2. Config...
9. Configure host routes. Host routes are configured just like those on Web switch 1, except their costs are reversed. Since virtual server 10.10.10.2 is preferred for Web switch 2, its host route has been given a low cost. B...
CHAPTER 5
Secure Switch Management
This chapter discusses the use of secure tunnels so that the data on the network is encrypted and secured for messages between a remote administrator and the switch. To limit access to the switch’s Management Processor without having to ...
Secure Switch Management
Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured managem...
Requirements
The following components are required for authorization and authentication:
• A remote administrator
• The Web switch with authentication and authorization protocol support, acting as a clien...
RADIUS Authentication and Authorization
RADIUS is an access server authentication, authorization, and accounting protocol used to secure remote access to networks and network services against unauthorized...
RADIUS Authentication Features in Web OS
The following RADIUS authentication features are supported in Web OS:
• Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and 286...
Web Switch User Accounts
The user accounts listed in Table 5-1 can be defined in the RADIUS server dictionary file.
Table 5-1 User Access Levels
User Account    Description and Tasks Performed    Password
User ...
When the user logs in, the switch authenticates his/her level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server. If the remote...
Secure Shell and Secure Copy
Although a remote network administrator can manage the configuration of an Alteon Web switch via Telnet, this method does not provide a secure connection. Using Secure Shell (...
NOTE – There can be a maximum number of four simultaneous Telnet/SSH/SCP connections at one time. The /cfg/sys/radius/telnet command also applies to SSH/SCP connections.
Encryption of Management Messag...
RSA Host and Server Keys
To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the Web switch. The server key is 76...
RADIUS Authentication
SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RAD...
To save the current configuration to FLASH, use this command:
Usually, there will be no need to generate manually the RSA host and server keys. However, you may still do so by using the following commands...
Port Mirroring
Port mirroring is implemented to enhance the security of your network. For example, an IDS server can be connected to the monitor port to detect intruders attacking the network. The port mi...
NOTE – Port mirroring and bandwidth management cannot be enabled at the same time.
To configure port mirroring for the example shown in Figure 5-2,
1. Specify the monitoring port.
2. Select the ports th...
CHAPTER 6
Server Load Balancing
Server Load Balancing (SLB) allows you to configure the Alteon Web switch to balance user session traffic among a pool of available servers that provide shared services. The following sections in this chapter describe how to configure and ...
Understanding Server Load Balancing
SLB benefits your network in a number of ways:
• Increased efficiency for server utilization and network bandwidth
With SLB, your Alteon Web switch is aware of the shared ...
How Server Load Balancing Works
In an average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these ser...
Implementing Basic Server Load Balancing
Consider a situation where customer Web sites are being hosted by a popular Web hosting company and/or Internet Service Provider (ISP). The Web content is relatively ...
All of the above issues can be addressed by adding an Alteon Web switch with SLB software.
• Reliability is increased by providing multiple paths from the clients to the Web switch and by accessing a pool of...
• Some services require that a series of client requests go to the same real server so that session-specific state data can be retained between connections. Services of this nature include Web search result...
Web OS 10.0 Application Guide 124 n Chapter 6: Server Load Balancing 212777-A, February 2002 Configuring Server Load Balancing This section describes the steps for configuring an SLB Web hosting solution. In the following procedure, many of the SLB options are left to their default values. See “Addi...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 125 212777-A, February 2002 2. Define an IP interface on the switch. The switch must have an IP route to all of the real servers that receive Web switching services. For SLB, the switch uses this path to determine the level of TCP/IP r...
Web OS 10.0 Application Guide 126 n Chapter 6: Server Load Balancing 212777-A, February 2002 5. Define a virtual server. All client requests will be addressed to a virtual server IP address on a virtual server defined on the switch. Clients acquire the virtual server IP address through normal DNS re...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 127 212777-A, February 2002 The ports are configured as follows: 7. Enable, apply, and verify the configuration. Examine the resulting information. If any settings are incorrect, make the appropriate changes. 8. Save your new configura...
Web OS 10.0 Application Guide 128 n Chapter 6: Server Load Balancing 212777-A, February 2002 Additional Server Load Balancing Options In the previous section (“Configuring Server Load Balancing” on page 124), many of the SLB options are left to their default values. The following configuration opt...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 129 212777-A, February 2002 Disabling and Enabling Real Servers If you need to reboot a server, you must make sure that new sessions are not sent to the real server and that old sessions are not discarded. When the session count gets t...
Web OS 10.0 Application Guide 130 n Chapter 6: Server Load Balancing 212777-A, February 2002 Health Checks for Real Servers Determining health for each real server is a necessary function for SLB. By default for TCP services, the switch checks health by opening a TCP connection to each service port ...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 131 212777-A, February 2002 Metrics for Real Server Groups Metrics are used for selecting which real server in a group will receive the next client connection. The available metrics minmisses (minimum misses), hash, leastconns (least...
Web OS 10.0 Application Guide 132 n Chapter 6: Server Load Balancing 212777-A, February 2002 Hash The hash metric uses IP address information in the client request to select a server. The specific IP address information used depends on the application: • For Application Redirection, the client des...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 133 212777-A, February 2002 Response Time The response metric uses real server response time to assign sessions to servers. The response time between the servers and the switch is used as the weighting factor. The switch monitors and r...
Web OS 10.0 Application Guide 134 n Chapter 6: Server Load Balancing 212777-A, February 2002 Weights for Real Servers Weights can be assigned to each real server. These weights bias load balancing to give the fastest real servers a larger share of connections. Weight is specified as a number from 1...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 135 212777-A, February 2002 Backup/Overflow Servers A real server can back up other real servers and can handle overflow traffic when the maximum connection limit is reached. Each backup real server must be assigned a real server number...
Web OS 10.0 Application Guide 136 n Chapter 6: Server Load Balancing 212777-A, February 2002 Extending SLB Topologies For standard SLB, all client-to-server requests to a particular virtual server and all related server-to-client responses must pass through the same Web switch. In complex network to...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 137 212777-A, February 2002 The following procedure can be used for configuring proxy IP addresses: 1. Disable server processing on affected switch ports. When implementing proxies, switch ports can be reconfigured to disable server pr...
Web OS 10.0 Application Guide 138 n Chapter 6: Server Load Balancing 212777-A, February 2002 3. If the Virtual Matrix Architecture (VMA) feature is enabled, add proxy IP addresses for all other switch ports (except port 9). VMA is normally enabled on the switch. In addition to enhanced resource mana...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 139 212777-A, February 2002 Mapping Ports An Alteon Web switch allows you to hide the identity of a port for security by mapping a virtual server port to a different real server port. Mapping a Virtual Server Port to a Real Server Por...
Web OS 10.0 Application Guide 140 n Chapter 6: Server Load Balancing 212777-A, February 2002 Consider the following network: Figure 6-6 Basic Virtual Port to Real Port Mapping Configuration In this example, four real servers are used to support a single service (HTTP). Clients access this service th...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 141 212777-A, February 2002 Load Balancing Metric For each service, a real server is selected using the configured load balancing metric (hash, leastconns, minmisses, or roundrobin). To ensure even distribution, once an availabl...
Web OS 10.0 Application Guide 142 n Chapter 6: Server Load Balancing 212777-A, February 2002 4. Turn on multiple rport for Port 80. 5. Add the ports to which the Web server listens. Direct Server Interaction Direct access to real servers can be provided in the following ways: • Using Direct Server R...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 143 212777-A, February 2002 The sequence of steps that are executed in this scenario are shown in Figure 6-7: Figure 6-7 Direct Server Return 1. A client request is forwarded to the Web switch. 2. Because only MAC addresses are substi...
Web OS 10.0 Application Guide 144 n Chapter 6: Server Load Balancing 212777-A, February 2002 Using Proxy IP Addresses Proxy IP addresses are used primarily to eliminate SLB topology restrictions in complex networks (see “Proxy IP Addresses” on page 136). Proxy IP addresses can also provide direct ...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 145 212777-A, February 2002 Monitoring Real Servers Typically, the management network is used by network administrators to monitor real servers and services. By configuring the mnet and mmask options of the SLB Configuration Menu ( /cf...
Web OS 10.0 Application Guide 146 n Chapter 6: Server Load Balancing 212777-A, February 2002 Delayed Binding The delayed binding feature on the switch prevents SYN Denial-of-Service (DoS) attacks on the server. DoS occurs when the server or switch is denied servicing the client because it is satura...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 147 212777-A, February 2002 Figure 6-10 Repelling DoS SYN Attacks With Delayed Binding Once the Web switch receives a valid ACK or DATA REQ from the client, the Web switch sends a SYN request to the server on behalf of the client, wait...
Web OS 10.0 Application Guide 148 n Chapter 6: Server Load Balancing 212777-A, February 2002 Configuring Delayed Binding To configure your switch for delayed binding, use the following command: NOTE – Enable delayed binding without configuring any HTTP SLB processing or persistent binding types. To...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 149 212777-A, February 2002 Load Balancing Special Services This section discusses load balancing based on special services, such as • IP Server Load Balancing • FTP Server Load Balancing • Domain Name Server (DNS) Load Balancing • Rea...
Web OS 10.0 Application Guide 150 n Chapter 6: Server Load Balancing 212777-A, February 2002 FTP Server Load Balancing As defined in RFC 959, FTP uses two connections—one for control information and another for data. Each connection is unique. Unless the client requests a change, the server always u...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 151 212777-A, February 2002 Domain Name Server (DNS) Load Balancing In previous releases of Web OS, DNS load balancing was based on virtual server IP address and virtual port (VPORT) only. In Web OS 10.0 however, DNS load balancing all...
Web OS 10.0 Application Guide 152 n Chapter 6: Server Load Balancing 212777-A, February 2002 Preconfiguration Tasks 1. Enable server load balancing. 2. Configure the four real servers and their real IP addresses. 3. Configure group 1 for UDP and group 2 for TCP. For more information on configuring h...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 153 212777-A, February 2002 Configuring UDP-based DNS Load Balancing 1. Configure and enable a virtual server IP address 1 on the switch. 2. Set up the DNS service for the virtual server, and add real server group 1. 3. Disable delayed...
Web OS 10.0 Application Guide 154 n Chapter 6: Server Load Balancing 212777-A, February 2002 Configuring TCP-based DNS Load Balancing 1. Configure and enable the virtual server IP address 2 on the switch. 2. Set up the DNS service for virtual server, and select real server group 2. 3. Enable delayed...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 155 212777-A, February 2002 Real Time Streaming Protocol SLB Real Time Streaming Protocol (RTSP) is an application-level protocol for control over the delivery of data with real-time properties as documented in RFC 2326. RTSP is used a...
Web OS 10.0 Application Guide 156 n Chapter 6: Server Load Balancing 212777-A, February 2002 Corporation, and Quicktime Streaming Server marketed by Apple Inc. The RTSP stream setup sequence is different for these two servers, and the switch handles each differently. Some of these differences ar...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 157 212777-A, February 2002 Configuring RTSP Load Balancing Before configuring your Web switch for RTSP load balancing, do the following: • Enable Virtual Matrix Architecture (VMA) • Enable Direct Access Mode (DAM) • Disable port-based...
Web OS 10.0 Application Guide 158 n Chapter 6: Server Load Balancing 212777-A, February 2002 Wireless Application Protocol SLB Wireless Application Protocol (WAP) is an open, global specification for a suite of protocols designed to allow wireless devices to communicate and interact with other devic...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 159 212777-A, February 2002 TPCP is Alteon’s proprietary protocol that is used to establish communication between the RADIUS servers and the Alteon Web switch. It is UDP-based and uses ports 3121, 1812, and 1645. Using TPCP, a static s...
Web OS 10.0 Application Guide 160 n Chapter 6: Server Load Balancing 212777-A, February 2002 Using RADIUS Snooping RADIUS snooping allows the Alteon Web switch to examine RADIUS accounting packets for client information. This information is needed to add to or delete static session entries to the se...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 161 212777-A, February 2002 Preconfiguring WAP Server Load Balancing • Configure WAP server load balancing on Alteon AD4 and Alteon 184 platforms only. • Enable Virtual Matrix Architecture (VMA). • Disable DAM (Direct Access Mode). • D...
Web OS 10.0 Application Guide 162 n Chapter 6: Server Load Balancing 212777-A, February 2002 • If a session entry for a client cannot be added because of resource constraints, the subsequent WAP packets for that client will not be load balanced correctly; and the client will need to drop the connec...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 163 212777-A, February 2002 Intrusion Detection System Server Load Balancing Intrusion Detection System (IDS) is a type of security management system for computers and networks. An Intrusion Detection System gathers and analyzes inform...
Web OS 10.0 Application Guide 164 n Chapter 6: Server Load Balancing 212777-A, February 2002 Load Balancing Metrics for IDS The following metrics are supported in IDS load balancing: • minmisses • roundrobin Disable delayed binding if you select this metric. • hash To select a real server, Web OS al...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 165 212777-A, February 2002 2. Create a group and add IDS servers to the group. Each IDS server must be connected directly to a different switch port or VLAN. If the IDS group will be configured for link health check, match the IDS ser...
Web OS 10.0 Application Guide 166 n Chapter 6: Server Load Balancing 212777-A, February 2002 WAN Link Load Balancing Wide Area Networking (WAN) is a telecommunications network system spread across a broad geographic area. A WAN may be privately owned or rented, but the term usually means the inclusi...
Web OS 10.0 Application Guide Chapter 6: Server Load Balancing n 167 212777-A, February 2002 To configure the switch for WAN link load balancing: 1. Define a real server with proxy disabled. 2. Add the real server to a real server group using the response metric. 3. Define the WAN link load balancin...
212777-A, February 2002 169 CHAPTER 7 Filtering This chapter provides a conceptual overview of filters and includes configuration examples showing how filters can be used for network security and Network Address Translation (NAT). The following topics are discussed in this chapter: • “Overview” on ...
Web OS 10.0 Application Guide 170 n Chapter 7: Filtering 212777-A, February 2002 Overview Alteon Web switches are used to deliver content efficiently and secure your servers from unauthorized intrusion, probing, and Denial-of-Service (DoS) attacks. Web OS includes extensive filtering capabilities a...
Web OS 10.0 Application Guide 172 n Chapter 7: Filtering 212777-A, February 2002 Stacking Filters Stacking filters are assigned and enabled on a per-port basis. Each filter can be used by itself or in combination with any other filter on any given switch port. The filters are numbered 1 through 2048...
Web OS 10.0 Application Guide Chapter 7: Filtering n 173 212777-A, February 2002 The Default Filter Before filtering can be enabled on any given port, a default filter should be configured. This filter handles any traffic not covered by any other filter. All the criteria in the default filter must b...
Web OS 10.0 Application Guide Chapter 7: Filtering n 175 212777-A, February 2002 Configuring VLAN-based Filtering 1. Configure filter 2 to allow local clients to browse the Web and then assign VLAN 20 to the filter. The filter must recognize and allow TCP traffic from VLAN 20 to reach the local clie...
Web OS 10.0 Application Guide 176 n Chapter 7: Filtering 212777-A, February 2002 3. Configure Filter 7 to deny traffic and then assign VLAN 70 to the filter. As a result, ingress traffic from VLAN 70 is denied entry to the switch. Optimizing Filter Performance Filter efficiency can be increased by p...
Web OS 10.0 Application Guide 178 n Chapter 7: Filtering 212777-A, February 2002 IP Address Ranges You can specify a range of IP addresses for filtering both the source and/or destination IP address for traffic. When a range of IP addresses is needed, the source IP (sip) address or destination I...
Web OS 10.0 Application Guide Chapter 7: Filtering n 179 212777-A, February 2002 TCP Rate Limiting Web OS 10.0 allows you to prevent a client or a group of clients from claiming all the TCP resources on the servers. This is done by monitoring the rate of incoming TCP connection requests to a virtual...
Web OS 10.0 Application Guide 180 n Chapter 7: Filtering 212777-A, February 2002 In Figure 7-5, the default filter 224 configured for Any is applied for all other connection requests. Figure 7-5 Configuring Clients with Different Rates Configuring TCP Rate Limiting Filters TCP rate limiting can be ...
Web OS 10.0 Application Guide Chapter 7: Filtering n 181 212777-A, February 2002 3. Set the timewin parameter and calculate the total time window in seconds. The total time window is a multiple of fastage (for information on fastage, see the Configuration chapter in the Web OS 10.0 Command Refere...
Web OS 10.0 Application Guide 182 n Chapter 7: Filtering 212777-A, February 2002 TCP Rate Limiting Filter Based on Source IP Address This example shows how to define a filter that limits clients with IP address 30.30.30.x to 150 TCP connections per second. Once a user exceeds that limit, they are no...
Web OS 10.0 Application Guide Chapter 7: Filtering n 183 212777-A, February 2002 TCP Rate Limiting Filter Based on Virtual Server IP Address This example defines a filter that limits clients to 100 TCP connections per second to a specific destination (VIP 10.10.10.100). Once a client exceeds that li...
Web OS 10.0 Application Guide 184 n Chapter 7: Filtering 212777-A, February 2002 All clients are limited to 100 new TCP connections/second to the server. If a client exceeds this rate, then the client is not allowed to make any new TCP connections to the server for 40 minutes. NOTE – All SLB sessi...
Web OS 10.0 Application Guide Chapter 7: Filtering n 185 212777-A, February 2002 Filter-based Security This section provides an example of configuring filters for providing the best security. It is generally recommended that you configure filters to deny all traffic except for those services that yo...
Web OS 10.0 Application Guide 186 n Chapter 7: Filtering 212777-A, February 2002 Configuring a Filter-Based Security Solution Before you begin, you must be connected to the switch CLI as the administrator. In this example, all filters are applied only to the switch port that connects to the Internet...
Web OS 10.0 Application Guide 188 n Chapter 7: Filtering 212777-A, February 2002 5. Create a filter that will allow local clients to browse the Web. The filter must recognize and allow TCP traffic to reach the local client destination IP addresses if traffic originates from any HTTP source port: 6. ...
Web OS 10.0 Application Guide 190 n Chapter 7: Filtering 212777-A, February 2002 8. Assign the filters to the switch port that connects to the Internet. Web OS allows you to add and remove a contiguous block of filters with a single command. 9. Apply and verify the configuration. Examine the resulti...
Web OS 10.0 Application Guide Chapter 7: Filtering n 191 212777-A, February 2002 Network Address Translation Network Address Translation (NAT) is an Internet standard that enables an Alteon Web switch to use one set of IP addresses for internal traffic and a second set of addresses for external traf...
Web OS 10.0 Application Guide 192 n Chapter 7: Filtering 212777-A, February 2002 In this example, clients on the Internet require access to servers on the private network: Figure 7-8 Static Network Address Translation Configuring Static NAT >> # /cfg/slb/filt 10 (Select the menu for outbound f...
Web OS 10.0 Application Guide Chapter 7: Filtering n 193 212777-A, February 2002 Note the following important points about this configuration: • Within each filter, the smask and dmask values are identical. • All parameters for both filters are identical except for the NAT direction. For Filter 10, ...
Web OS 10.0 Application Guide 194 n Chapter 7: Filtering 212777-A, February 2002 Configuring Dynamic NAT NOTE – The invert option in this example filter makes this specific configuration easier but is not a requirement for dynamic NAT. NOTE – Dynamic NAT solutions apply only to TCP/UDP traffic. Al...
Web OS 10.0 Application Guide Chapter 7: Filtering n 195 212777-A, February 2002 FTP Client NAT Alteon Web switches provide NAT services to many clients with private IP addresses. In Web OS, an FTP enhancement provides the capability to perform true FTP NAT for dynamic NAT. Because of the way FTP wo...
Web OS 10.0 Application Guide 196 n Chapter 7: Filtering 212777-A, February 2002 Configuring Active FTP Client NAT NOTE – The passive mode does not need this feature. 1. Make sure that a proxy IP address is enabled on the filter port. 2. Make sure that a source NAT filter is set up for the port. 3...
Web OS 10.0 Application Guide Chapter 7: Filtering n 197 212777-A, February 2002 Matching TCP Flags Web OS supports packet filtering based on any of the following TCP flags. Any filter may be set to match against more than one TCP flag at the same time. If there is more than one flag enabled, the fl...
Web OS 10.0 Application Guide 200 n Chapter 7: Filtering 212777-A, February 2002 5. A default filter is required to deny all other traffic. 6. Apply the filters to the appropriate switch ports. >> Filter 17# ../filt 224 (Select a default filter) >> Filter 224# sip any (From any source IP...
Web OS 10.0 Application Guide Chapter 7: Filtering n 201 212777-A, February 2002 Matching ICMP Message Types Internet Control Message Protocol (ICMP) is used for reporting TCP/IP processing errors. There are numerous types of ICMP messages, as shown in Table 7-6. Although ICMP packets can be filter...
Web OS 10.0 Application Guide 202 n Chapter 7: Filtering 212777-A, February 2002 The command to enable or disable ICMP message type filtering is entered from the Advanced Filtering menu as follows: For any given filter, only one ICMP message type can be set at any one time. The any option disables I...
212777-A, February 2002 203 CHAPTER 8 Application Redirection Application Redirection improves network bandwidth and provides unique network solutions. Filters can be created to redirect traffic to cache and application servers improving speed of access to repeated client access to common Web or ap...
Web OS 10.0 Application Guide 204 n Chapter 8: Application Redirection 212777-A, February 2002 Overview Most of the information downloaded from the Internet is not unique, as clients will often access the Web page many times for additional information or to explore other links. Duplicate information...
Web OS 10.0 Application Guide Chapter 8: Application Redirection n 205 212777-A, February 2002 The network needs a solution that addresses the following key concerns: • The solution must be readily scalable • The administrator should not need to reconfigure all the clients’ browsers to use proxy ser...
Web OS 10.0 Application Guide 206 n Chapter 8: Application Redirection 212777-A, February 2002 Web Cache Configuration Example The following is required prior to configuration: • You must connect to the Web switch Command Line Interface (CLI) as the administrator. • Optional Layer 4 software must be...
Web OS 10.0 Application Guide Chapter 8: Application Redirection n 207 212777-A, February 2002 2. Install transparent Web cache software on all three Web cache servers. 3. Define an IP interface on the Web switch. Since, by default, the Web switch only remaps destination MAC addresses, it must have ...
Web OS 10.0 Application Guide 208 n Chapter 8: Application Redirection 212777-A, February 2002 6. Set the real server group metric to minmisses. This setting helps minimize Web cache misses in the event real servers fail or are taken out of service: 7. Verify that server processing is disabled on t...
Web OS 10.0 Application Guide Chapter 8: Application Redirection n 209 212777-A, February 2002 9. Create a default filter. In this case, the default filter will allow all noncached traffic to proceed normally: NOTE – When the proto parameter is not tcp or udp, then sport and dport are ignored. 10. ...
Web OS 10.0 Application Guide 210 n Chapter 8: Application Redirection 212777-A, February 2002 13. Save your new configuration changes. 14. Check the SLB information. Check that all SLB parameters are working according to expectation. If necessary, make any appropriate configuration changes and then...
Web OS 10.0 Application Guide Chapter 8: Application Redirection n 211 212777-A, February 2002 RTSP Web Cache Redirection Web OS 10.0 supports Web Cache Redirection (WCR) for Real Time Streaming Protocol (RTSP). RTSP WCR is similar to HTTP WCR in configuration and in concept. Multimedia presentation...
Web OS 10.0 Application Guide 212 n Chapter 8: Application Redirection 212777-A, February 2002 3. Configure an RTSP redirection filter to cache data and balance the load among the cache servers. 4. Configure a default allow filter to facilitate traffic. 5. Turn on filtering on the port and add filte...
Web OS 10.0 Application Guide Chapter 8: Application Redirection n 213 212777-A, February 2002 IP Proxy Addresses for NAT Transparent proxies provide the benefits listed below when used with application redirection. Application redirection is automatically enabled when a filter with the redir action...
Web OS 10.0 Application Guide 214 n Chapter 8: Application Redirection 212777-A, February 2002 The following commands can be used to configure the additional unique proxy IP addresses: NOTE – Port 9 does not require a proxy IP address with VMA enabled. See the Web OS Command Reference for more info...
Web OS 10.0 Application Guide Chapter 8: Application Redirection n 215 212777-A, February 2002 Excluding Noncacheable Sites Some Web sites provide content that is not well suited for redirection to cache servers. Such sites might provide browser-based games or applications that keep real-time sessio...
212777-A, February 2002 217 CHAPTER 9 Virtual Matrix Architecture Virtual Matrix Architecture (VMA) is a hybrid architecture that takes full advantage of the distributed processing capability in Alteon Web switches. With VMA, the switch makes optimal use of system resources by distributing the wor...
212777-A, February 2002 219 CHAPTER 10 Health Checking Content intelligent Web switches allow Web masters to customize server health checks to verify content accessibility in large Web sites. As the amount of content grows and information is distributed across different server farms, flexible, cus...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 221 212777-A, February 2002 Real Server Health Checks Alteon Web switches running Server Load Balancing (SLB) monitor the servers in the real server group and the load-balanced application(s) running on them. If a switch detects that a serv...
Web OS 10.0 Application Guide 222 n Chapter 10: Health Checking 212777-A, February 2002 DSR Health Checks Direct Server Return (DSR) health checks are used to verify the existence of a server-provided service where the server replies directly back to the client without responding through the virtua...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 223 212777-A, February 2002 Link Health Checks Link health check is performed at the Layer 1 (physical) level. The server is considered to be up when the link (connection) is present and the server is considered to be down when the link is ...
Web OS 10.0 Application Guide 224 n Chapter 10: Health Checking 212777-A, February 2002 TCP Health Checks TCP health checks are useful in verifying user-specific TCP applications that cannot be scripted. Session switches monitor the health of servers and applications by sending Layer 4 connection re...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 225 212777-A, February 2002 Script-Based Health Checks The “send/expect” script-based health checks dynamically verify application and content availability using scripts. These scripts execute a sequence of tests to verify application and c...
Web OS 10.0 Application Guide 226 n Chapter 10: Health Checking 212777-A, February 2002 Script Format The general format for health-check scripts is shown below: NOTE – If you are doing HTTP 1.1 pipelining, you need to individually open and close each response in the script. • Each script should st...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 227 212777-A, February 2002 Scripting Guidelines • Use generic result codes that are standard and defined by the RFC, as applicable. This helps ensure that if the customer changes server software, the servers won’t start failing unexpectedl...
Web OS 10.0 Application Guide 228 n Chapter 10: Health Checking 212777-A, February 2002 Script Example 2: GSLB URL Health Check In earlier Web OS releases, each remote Global Server Load Balancing site’s virtual server IP address was required to be a real server of the local switch. Each switch send...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 229 212777-A, February 2002 Script-based health checking is intelligent in that it will only send the appropriate requests to the relevant servers. In the example above, the first GET statement will only be sent to Real Server 1 and Real Se...
Web OS 10.0 Application Guide 230 n Chapter 10: Health Checking 212777-A, February 2002 Application-Specific Health Checks Application-specific health checks include the following applications: • “HTTP Health Checks” on page 231 • “UDP-Based DNS Health Checks” on page 233 • “FTP Server Health Checks...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 231 212777-A, February 2002 HTTP Health Checks HTTP-based health checks can include the hostname for HOST: headers. The HOST: header and health check URL are constructed from the following components: If the HOST: header is required, an HTT...
Web OS 10.0 Application Guide 232 n Chapter 10: Health Checking 212777-A, February 2002 Health check is performed using: GET /index.html HTTP/1.1 Host: jansus Example 4: hname = (none) dname = (none) content = index.html Health check is performed using: GET /index.html HTTP/1.0 (since no HTTP HOST: ...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 233 212777-A, February 2002 UDP-Based DNS Health Checks Web OS 10.0 supports UDP-based health checks along with TCP health checks, and performs load-balancing based on TCP and UDP protocols. DNS servers can be based on both TCP and UDP prot...
Web OS 10.0 Application Guide 234 n Chapter 10: Health Checking 212777-A, February 2002 FTP Server Health Checks The Internet File Transfer Protocol (FTP) provides facilities for transferring files to and from remote computer systems. Usually the user transferring a file needs authority to login and...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 235 212777-A, February 2002 POP3 Server Health Checks The Post Office Protocol - Version 3 (POP3) is intended to permit a workstation to dynamically access a maildrop on a server host. The POP3 protocol is used to allow a workstation to re...
Web OS 10.0 Application Guide 236 n Chapter 10: Health Checking 212777-A, February 2002 SMTP Server Health Checks Simple Mail Transfer Protocol is a protocol to transfer e-mail messages between servers reliably and efficiently. This protocol traditionally operates over TCP, port 25 and is documente...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 237 212777-A, February 2002 IMAP Server Health Checks Internet Message Access Protocol (IMAP) is a mail server protocol used between a client system and a mail server that allows a user to retrieve and manipulate mail messages. IMAP is not...
Web OS 10.0 Application Guide 238 n Chapter 10: Health Checking 212777-A, February 2002 NNTP Server Health Checks Net News Transfer Protocol (NNTP) is a TCP/IP protocol based upon text strings sent bidirectionally over 7 bit ASCII TCP channels, and listens to port 119. It is used to transfer articl...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 239 212777-A, February 2002 RADIUS Server Health Checks The Remote Authentication Dial-In User Service (RADIUS) protocol is used to authenticate dial-up users to Remote Access Servers (RASs) and the client application they will use during t...
Web OS 10.0 Application Guide 240 n Chapter 10: Health Checking 212777-A, February 2002 Configuring the Switch for RADIUS Secret and Password RADIUS is stateless and uses UDP as its transport protocol. To support RADIUS health checking, the network administrator must configure two parameters on the ...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 241 212777-A, February 2002 WSP Content Health Checks Wireless Session Protocol content health checks can be configured in two modes: connectionless and connection-oriented. Connectionless WSP runs on UDP/IP protocol, port 9200. Therefore,...
Web OS 10.0 Application Guide 242 n Chapter 10: Health Checking 212777-A, February 2002 4. Enter the WSP port. 5. Set the offset value. 6. Because WAP gateways are UDP-based and operate on a UDP port, configure UDP service in the virtual server menu. 7. Enable WSP health checks for group 1. 8. Appl...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 243 212777-A, February 2002 Configuring the Switch for WTLS Health Checks 1. Select the group with the WAP gateway. 2. Use the sndcnt command to enter the content to be sent to the WSP gateway. 3. Select a port number other than 9203, if yo...
Web OS 10.0 Application Guide 244 n Chapter 10: Health Checking 212777-A, February 2002 Configuring the Switch for LDAP Health Checks Configure the switch to verify if the LDAP server is alive. 1. Select the health check menu for the real server group. 2. Set the health check type to LDAP for the re...
Web OS 10.0 Application Guide Chapter 10: Health Checking n 245 212777-A, February 2002 ARP Health Checks Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for...
Web OS 10.0 Application Guide 246 n Chapter 10: Health Checking 212777-A, February 2002 Failure Types Service Failure If a certain number of connection requests for a particular service fail, the session switch places the service into the service failed state. While in this state, no new connection ...
212777-A, February 2002 247 CHAPTER 11 High Availability Alteon Web switches support high-availability network topologies through an enhanced implementation of the Virtual Router Redundancy Protocol (VRRP). The following topics are discussed in this chapter: “VRRP Overview” on page 248. This se...
Web OS 10.0 Application Guide 248 n Chapter 11: High Availability 212777-A, February 2002 VRRP Overview In a high-availability network topology, no device can create a single point-of-failure for the network or force a single point-of-failure to any other part of the network. This means that your ne...
Web OS 10.0 Application Guide Chapter 11: High Availability n 249 212777-A, February 2002 Virtual Router MAC Address The VRID is used to build the virtual router MAC Address. The five highest-order octets of the virtual router MAC Address are the standard MAC prefix (00-00-5E-00-01) defined in RFC 2...
Web OS 10.0 Application Guide Chapter 11: High Availability n 251 212777-A, February 2002 VRRP Operation The host shown in Figure 11-1 is configured with the virtual interface router’s IP address as its default gateway. The master forwards packets destined to remote subnets and responds to ARP reque...
Web OS 10.0 Application Guide 252 n Chapter 11: High Availability 212777-A, February 2002 Active-Standby Failover The previous text described the use of a group of VRRP routers to form a single virtual interface router. It implements a traditional hot-standby configuration in which the backup route...
Web OS 10.0 Application Guide Chapter 11: High Availability n 253 212777-A, February 2002 Failover Methods With service availability becoming a major concern on the Internet, service providers are increasingly deploying Internet traffic control devices, such as Web switches, in redundant configurati...
Web OS 10.0 Application Guide 254 n Chapter 11: High Availability 212777-A, February 2002 Active-Standby Redundancy In an active-standby configuration, shown in Figure 11-4, two Web switches are used. Both switches support active traffic but are configured so that they do not simultaneously support...
Web OS 10.0 Application Guide Chapter 11: High Availability n 255 212777-A, February 2002 Active-Active Redundancy In an active-active configuration, two Web switches provide redundancy for each other, with both active at the same time for the same services. Web OS has extended VRRP to include virtu...
Web OS 10.0 Application Guide 256 n Chapter 11: High Availability 212777-A, February 2002 Hot-Standby Redundancy In a hot-standby configuration, Spanning Tree Protocol (STP) is not needed to eliminate bridge loops. This speeds up failover when a switch fails. The standby switch blocks all ports conf...
Web OS 10.0 Application Guide Chapter 11: High Availability n 257 212777-A, February 2002 Virtual Router Group The virtual router group ties all of the virtual routers together as a single entity and is central to the hot-standby configuration. All virtual routers on a given switch must all be eithe...
Web OS 10.0 Application Guide 258 n Chapter 11: High Availability 212777-A, February 2002 When the hotstan option (/cfg/slb/port x/hotstan) is enabled and all hot-standby ports have link, the virtual router group's priority is automatically incremented by the “track other virtual routers” value. T...
Web OS 10.0 Application Guide Chapter 11: High Availability n 259 212777-A, February 2002 Web OS Extensions to VRRP This section describes the following VRRP enhancements that are implemented in Web OS: Virtual Server Routers; Sharing/Active-Active Failover; Tracking VRRP Router Priority. Virtual...
Web OS 10.0 Application Guide 260 n Chapter 11: High Availability 212777-A, February 2002 Sharing/Active-Active Failover Web OS supports sharing of interfaces at both Layer 3 and Layer 4, as shown in Figure 11-7. With sharing, an IP interface or a VIP address can be active simultaneously on multipl...
Web OS 10.0 Application Guide Chapter 11: High Availability n 261 212777-A, February 2002 When sharing is enabled, the master election process still occurs. Although the process does not affect which switch processes packets that must be routed or that are destined for the virtual server IP address...
Web OS 10.0 Application Guide Chapter 11: High Availability n 263 212777-A, February 2002 High Availability Configurations Alteon Web switches offer flexibility in implementing redundant configurations. This section discusses a few of the more useful and easily deployed configurations: “Active-Sta...
Web OS 10.0 Application Guide 264 n Chapter 11: High Availability 212777-A, February 2002 To implement the active-standby example, perform the following switch configuration: 1. Configure the appropriate Layer 2 and Layer 3 parameters on both switches. This includes any required VLANs, IP interfaces...
Web OS 10.0 Application Guide Chapter 11: High Availability n 265 212777-A, February 2002 Active-Active VIR and VSR Configuration In Figure 11-9, two Alteon Web switches are used as VRRP routers in an active-active configuration implementing a virtual server router. As noted earlier, this is the prefe...
Web OS 10.0 Application Guide 266 n Chapter 11: High Availability 212777-A, February 2002 To implement this example, configure the switches as follows: 1. Configure the appropriate Layer 2 and Layer 3 parameters on both switches. This configuration includes any required VLANs, IP interfaces, default...
Web OS 10.0 Application Guide Chapter 11: High Availability n 267 212777-A, February 2002 Active/Active Server Load Balancing Configuration In this example, you set up four virtual servers each load balancing two servers providing one service (for example, HTTP) per virtual server. You are load bala...
Web OS 10.0 Application Guide 268 n Chapter 11: High Availability 212777-A, February 2002 2. Define the VLANs. In this configuration, set up two VLANs: One for the outside world (the ports connected to the upstream switches, toward the routers) and one for the inside (the ports connected to the down...
Web OS 10.0 Application Guide Chapter 11: High Availability n 269 212777-A, February 2002 Task 2: SLB Configuration 1. Define the Real Servers. The real server IP addresses are defined and put into four groups, depending on the service they are running. Notice that RIPs 7 and 8 are on routable subne...
Web OS 10.0 Application Guide 270 n Chapter 11: High Availability 212777-A, February 2002 3. Define the virtual servers. After defining the virtual server IP addresses and associating them with a real server group number, you must tell the switch which IP ports/services/sockets you want to load bala...
Web OS 10.0 Application Guide Chapter 11: High Availability n 271 212777-A, February 2002 Task 3: Virtual Router Redundancy Configuration 1. Configure virtual routers 2, 4, 6, and 8. These virtual routers will have the same IP addresses as the virtual server IP address. This is what tells the switch...
Web OS 10.0 Application Guide 272 n Chapter 11: High Availability 212777-A, February 2002 3. Set the renter priority for each virtual router. Since you want Switch 1 to be the master router, you need to bump the default virtual router priorities (which are 100 to 101 on virtual routers 1-4) to force...
Web OS 10.0 Application Guide Chapter 11: High Availability n 273 212777-A, February 2002 Task 4: Configuring Switch 2 Use the following procedure to dump the configuration script (text dump) out of Switch 1: Using the Browser Based Interface (BBI) (a) You need a serial cable that is a DB-9 Male t...
Web OS 10.0 Application Guide 274 n Chapter 11: High Availability 212777-A, February 2002 3. Scroll to the bottom of the text file and delete anything past “Script End.” 4. Save the changes to the text file as “Customer Name” Switch 2. Move your serial cable to the console port on the second switch....
Web OS 10.0 Application Guide 276 n Chapter 11: High Availability 212777-A, February 2002 By reducing complexity to a single subnet and not requiring routing (L3), hot-standby can be used. The key to hot-standby is that the interswitch link (the link between switches) does NOT participate in STP, s...
Web OS 10.0 Application Guide Chapter 11: High Availability n 277 212777-A, February 2002 Virtual Router Deployment Considerations Review the following issues described in this section to prevent network problems when deploying virtual routers: Mixing Active-Standby and Active-Active Virtual Route...
Web OS 10.0 Application Guide 278 n Chapter 11: High Availability 212777-A, February 2002 Eliminating Loops with STP and VLANs VRRP active/active failover is significantly different from the hot-standby failover method supported in previous releases. As shown in Figure 11-11, active-active configur...
Web OS 10.0 Application Guide Chapter 11: High Availability n 279 212777-A, February 2002 Using Spanning Tree Protocol to Eliminate Loops VRRP generally requires Spanning Tree Protocol (STP) to be enabled in order to resolve bridge loops that usually occur in cross-redundant topologies, as shown in ...
Web OS 10.0 Application Guide 280 n Chapter 11: High Availability 212777-A, February 2002 Assigning VRRP Virtual Router ID During the software upgrade process, VRRP virtual router IDs will be automatically assigned if failover is enabled on the switch. When configuring virtual routers at any point a...
Web OS 10.0 Application Guide 284 n Chapter 11: High Availability 212777-A, February 2002 What Happens When a Switch Fails Assume that the user performing an e-commerce transaction has selected a number of items and placed them in the shopping cart. The user has already established a persistent sess...
Web OS 10.0 Application Guide Chapter 11: High Availability n 285 212777-A, February 2002 Stateful Failover Configuration Example After the VRRP setup, perform the following additional steps to enable stateful failover on the switches. On the Master Switch 1. Enable stateful failover. 2. Set the upd...
Web OS 10.0 Application Guide 286 n Chapter 11: High Availability 212777-A, February 2002 Viewing Statistics on Persistent Port Sessions You can view statistics on persistent port sessions using the /stats/slb/ssl command. To determine which switch is the master and which is the backup, use the /inf...
212777-A, February 2002 289 CHAPTER 12 Global Server Load Balancing This chapter provides information for configuring Global Server Load Balancing (GSLB) across multiple geographic sites. The following topics are covered: “GSLB Overview” on page 290; “Configuring GSLB” on page 293; “IP Proxy fo...
Web OS 10.0 Application Guide 290 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 GSLB Overview GSLB allows balancing server traffic load across multiple physical sites. The Alteon GSLB implementation takes into account an individual site’s health, response time, and geographic lo...
Web OS 10.0 Application Guide Chapter 12: Global Server Load Balancing n 291 212777-A, February 2002 How GSLB Works GSLB is based on the Domain Name System (DNS) and proximity by source IP address. In the example in Figure 12-1, a client is using a browser to view the Web site for the Foo Corporati...
Web OS 10.0 Application Guide 292 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 4. The California Web switch responds to the DNS request, listing the IP address with the current best service. Each switch with GSLB software is capable of responding to the client’s name resolution...
Web OS 10.0 Application Guide Chapter 12: Global Server Load Balancing n 293 212777-A, February 2002 Configuring GSLB Configuring GSLB is simply an extension of the configuration procedure for SLB. The process is summarized as follows: Use the administrator login to connect to the switch you want ...
Web OS 10.0 Application Guide 294 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 Example GSLB Topology Consider the following example network: Figure 12-2 GSLB Topology Example In the following examples, many of the options are left to their default values. See “Additional Server...
Web OS 10.0 Application Guide Chapter 12: Global Server Load Balancing n 295 212777-A, February 2002 Task 1: Configure the Basics at the California Site 1. If the Browser-Based Interface (BBI) is to be used for managing the California switch, change its service port. GSLB uses service port 80 on the...
Web OS 10.0 Application Guide 296 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 Task 2: Configure the California Switch for Standard SLB 1. Assign an IP address to each of the real servers in the local California server pool. The real servers in any real server group must have a...
Web OS 10.0 Application Guide Chapter 12: Global Server Load Balancing n 297 212777-A, February 2002 4. On the California switch, define a virtual server. All client requests will be addressed to a virtual server IP address defined on the switch. Clients acquire the virtual server IP address throug...
Web OS 10.0 Application Guide 298 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 Task 3: Configure the California Site for GSLB 1. On the California switch, define each remote site. When you start configuring at the California site, California is local and Denver is remote. Add a...
Web OS 10.0 Application Guide Chapter 12: Global Server Load Balancing n 299 212777-A, February 2002 3. On the California switch, define the domain name and host name for each service hosted on each virtual server. In this example, the domain name for the Foo Corporation is “foocorp.com,” and the ho...
Web OS 10.0 Application Guide 300 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 2. On the Denver switch, define an IP interface. 3. On the Denver switch, define the default gateway. 4. Configure the local DNS server to recognize the local GSLB switch as the authoritative name se...
Web OS 10.0 Application Guide Chapter 12: Global Server Load Balancing n 301 212777-A, February 2002 3. On the Denver switch, define a real server group. 4. On the Denver switch, define a virtual server. 5. On the Denver switch, define the type of Layer 4 processing each port must support. In this e...
Web OS 10.0 Application Guide 302 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 Task 6: Configure the Denver Site for GSLB Following the same procedure described for California (see “Task 3: Configure the California Site for GSLB” on page 298), configure the Denver site as foll...
Web OS 10.0 Application Guide 304 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 IP Proxy for Non-HTTP Redirects Typically, client requests for HTTP applications are automatically redirected to the location with the best response and least load for the requested content. This is ...
Web OS 10.0 Application Guide Chapter 12: Global Server Load Balancing n 305 212777-A, February 2002 Table 12-5 explains the packet-flow process in detail. In this example, the initial DNS request from the client reaches Site 2, but Site 2 has no available services. How IP Proxy Works Figure 12-4 s...
Web OS 10.0 Application Guide Chapter 12: Global Server Load Balancing n 307 212777-A, February 2002 Configuring Proxy IP Addresses Referring to the example starting on page 294 and Figure 12-4, the switch at Site 1 in California is configured with switch port 6 connecting to the default gateway and re...
Web OS 10.0 Application Guide 308 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 Verifying GSLB Operation Use your browser to request the configured service (www.foocorp.com in the previous example). Examine the /info/slb information on each switch. Check to see that all S...
Web OS 10.0 Application Guide Chapter 12: Global Server Load Balancing n 309 212777-A, February 2002 Figure 12-5 illustrates GSLB proximity tables. The client sends a request to the DNS server, which is forwarded to the master switch. The master switch looks through its proximity table and returns t...
Web OS 10.0 Application Guide 310 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 Client A, with a source IP address of 205.178.13.10, initiates a request that is sent to the local DNS server. The local DNS server is configured to forward requests to the DNS server at Site 4. The ...
Web OS 10.0 Application Guide 312 n Chapter 12: Global Server Load Balancing 212777-A, February 2002 Using Border Gateway Protocol for GSLB Border Gateway Protocol (BGP)-based GSLB utilizes the Internet’s routing protocols to localize content delivery to the most efficient and consistent site. It d...
212777-A, February 2002 313 CHAPTER 13 Firewall Load Balancing Firewall Load Balancing (FWLB) with Alteon Web switches allows multiple active firewalls to operate in parallel. Parallel operation allows users to maximize firewall productivity, scale firewall performance without forklift upgrades, an...
Web OS 10.0 Application Guide 314 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 Firewall Overview Firewall devices have become indispensable for protecting network resources from unauthorized access. Prior to FWLB, however, firewalls could become critical bottlenecks or single point...
Web OS 10.0 Application Guide 316 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 Basic FWLB The basic FWLB method uses a combination of static routes and redirection filters to allow multiple active firewalls to operate in parallel. Figure 13-2 shows a basic FWLB topology: Figure 13-2...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 317 212777-A, February 2002 Basic FWLB Implementation In this example, traffic is load balanced among the available firewalls. Figure 13-3 Basic FWLB Process 1. The client requests data. The external clients intend to connect to ser...
Web OS 10.0 Application Guide 318 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 4. The firewalls decide if they should allow the packets and, if so, forward them to a virtual server on the clean-side Web switch. Client requests are forwarded or discarded according to rules configure...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 319 212777-A, February 2002 Configuring Basic FWLB The steps for configuring basic FWLB are provided below. While two or four switches can be used, the following procedure assumes a simple network topology with only two Web switches...
Web OS 10.0 Application Guide 320 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 3. Configure the clean-side IP interfaces as if they were real servers on the dirty side. Later in this procedure, you’ll configure one clean-side IP interface on a different subnet for each firewall path ...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 321 212777-A, February 2002 8. Create a filter to allow local subnet traffic on the dirty side of the firewalls to reach the firewall interfaces. 9. Create the FWLB redirection filter. This filter will redirect inbound traffic, load...
Web OS 10.0 Application Guide 322 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 Configure the Clean-Side Web Switch 1. Define the clean-side IP interfaces. Create one clean-side IP interface on a different subnet for each firewall being load balanced. NOTE – An extra IP interface (I...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 323 212777-A, February 2002 4. Set the health check type for the real server group to ICMP. 5. Set the load-balancing metric for the real server group to hash. NOTE – The clean-side Web switch must use the same metric as defined o...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 325 212777-A, February 2002 15. Add the filters to the ingress ports for the outbound packets. Redirection filters are needed on all the ingress ports on the clean-side Web switch. Ingress ports are any that attach to real servers o...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 327 212777-A, February 2002 As shown in Figure 13-5, the network is divided into four sections: Subnet 1 includes all equipment between the exterior routers and dirty-side Web switches. Subnet 2 includes the dirty-side Web swit...
Web OS 10.0 Application Guide 328 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 1. Incoming traffic converges on the primary dirty-side Web switch. External traffic arrives through redundant routers. A set of interconnected switches ensures that both routers have a path to each dirty...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 329 212777-A, February 2002 Configuring Four-Subnet FWLB An example network for four-subnet FWLB is illustrated in Figure 13-7. While other complex topologies are possible, this example assumes a high-availability network using blo...
Web OS 10.0 Application Guide 330 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 Configure the Routers The routers must be configured with a static route to the destination services being accessed by the external clients. In this example, the external clients intend to connect to serv...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 331 212777-A, February 2002 Configure Connectivity for the Primary Dirty-Side Web Switch 1. Configure VLANs on the primary dirty-side Web switch. Two VLANs are required. VLAN 1 includes port 1, for the Internet connection. VLAN 2 in...
Web OS 10.0 Application Guide 332 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 4. Configure static routes on the primary dirty-side Web switch. Four static routes are required: to primary clean-side IF 2 via Firewall 1 using dirty-side IF 2; to primary clean-side IF 3 via Firewal...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 333 212777-A, February 2002 Configure Connectivity for the Secondary Dirty-Side Web Switch Except for the IP interfaces, this configuration is identical to the primary dirty-side Web switch. 1. Configure VLANs on the secondary dirty...
Web OS 10.0 Application Guide 334 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 Configure Connectivity for the Primary Clean-Side Web Switch 1. Configure VLANs on the primary clean-side Web switch. Two VLANs are required. VLAN 3 includes the firewall port and interswitch connection p...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 335 212777-A, February 2002 4. Configure static routes on the primary clean-side Web switch. Four static routes are needed: to primary dirty-side IF 2 via Firewall 1 using clean-side IF 2; to primary dirty-side IF 3 via Firewall ...
Web OS 10.0 Application Guide 336 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 2. Configure IP interfaces on the secondary clean-side Web switch. 3. Turn STP off for the secondary clean-side Web switch. 4. Configure static routes on the secondary clean-side Web switch. 5. Apply and ...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 337 212777-A, February 2002 Verify Proper Connectivity To verify proper configuration up to this point, use the ping option to test network connectivity. At each Web switch, you should receive a valid response when pinging the des...
Web OS 10.0 Application Guide 338 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 Complete the Configuration of the Primary Dirty-Side Web Switch 1. Create an FWLB real server group on the primary dirty-side Web switch. A real server group is used as the target for the FWLB redirection...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 339 212777-A, February 2002 2. Create the FWLB filters. Three filters are required on the port attaching to the routers: Filter 10 prevents local traffic from being redirected. Filter 20 prevents VRRP traffic (and other multicas...
Web OS 10.0 Application Guide 340 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 3. Configure VRRP on the primary dirty-side Web switch. VRRP in this example requires two virtual routers–one for the subnet attached to the routers, and one for the subnet attached to the firewalls. 4. C...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 341 212777-A, February 2002 Complete the Configuration of the Primary Clean-Side Web Switch 1. Create an FWLB real server group on the primary clean-side Web switch. A real server group is used as the target for the FWLB redirection...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 343 212777-A, February 2002 3. Create the FWLB filters on the primary clean-side Web switch. Three filters are required on the port attaching to the real servers: Filter 10 prevents local traffic from being redirected. Filter 20...
Web OS 10.0 Application Guide 344 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 4. Configure VRRP on the primary clean-side Web switch. VRRP in this example requires two virtual routers to be configured–one for the subnet attached to the real servers, and one for the subnet attached ...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 345 212777-A, February 2002 5. Configure the peer on the primary clean-side Web switch. 6. Apply and save your configuration changes. 7. Synchronize primary and secondary dirty-side Web switches. >> # /cfg/slb/sync >> # ...
Web OS 10.0 Application Guide 346 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 Advanced FWLB Concepts Free-Metric FWLB Free-metric FWLB allows you to use load-balancing metrics other than hash, such as leastconns, roundrobin, minmiss, response, and bandwidth for more versatile ...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 347 212777-A, February 2002 3. On the dirty-side Web switch, set the FWLB metric. Any of the following load-balancing metrics can be used: hash, leastconns, roundrobin, minmiss, response, and bandwidth. See “Metrics for Real...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 349 212777-A, February 2002 Adding a Demilitarized Zone (DMZ) Implementing a DMZ in conjunction with firewall load balancing enables the Web switch to do the traffic filtering, off-loading this task from the firewall. A DMZ is creat...
Web OS 10.0 Application Guide 350 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 You could add the filters required for the DMZ (to each Web switch) as follows: 1. On the dirty-side Web switch, create the filter to allow HTTP traffic to reach the DMZ Web servers. In this example, the ...
Web OS 10.0 Application Guide Chapter 13: Firewall Load Balancing n 351 212777-A, February 2002 Firewall Health Checks Basic FWLB health checking is automatic. No special configuration is necessary unless you wish to tune the health checking parameters. See Chapter 10, “Health Checking” for details....
Web OS 10.0 Application Guide 352 n Chapter 13: Firewall Load Balancing 212777-A, February 2002 Using HTTP Health Checks For those firewalls that do not permit ICMP pings to pass through, Web switches can be configured to perform HTTP health checks, as described below. 1. Set the health check type ...
Web OS 10.0 Application Guide 354 n Chapter 14: Virtual Private Network Load Balancing 212777-A, February 2002 Overview Virtual Private Networks A VPN is a connection that has the appearance and advantages of a dedicated link, but it occurs over a shared network. Using a technique called tunneling, ...
Web OS 10.0 Application Guide Chapter 14: Virtual Private Network Load Balancing n 355 212777-A, February 2002 Figure 14-1 Basic Network Frame Flow and Operation The basic steps that occur at the switches when a request arrives from the Internet are described below: 1. The user prepares to send traf...
Web OS 10.0 Application Guide 356 n Chapter 14: Virtual Private Network Load Balancing 212777-A, February 2002 VPN Load-Balancing Configuration Requirements Configure the switch with firewall load balancing. For more information, see “Firewall Load Balancing” on page 313. Enable the Return to S...
Web OS 10.0 Application Guide Chapter 14: Virtual Private Network Load Balancing n 357 212777-A, February 2002 Configure the First Clean-Side Switch (CA) 1. Turn off BOOTP. 2. Define and enable VLAN 2 for ports 7 and 8. 3. Turn off Spanning Tree Protocol (STP). 4. Define the clean-side IP interface...
Web OS 10.0 Application Guide 358 n Chapter 14: Virtual Private Network Load Balancing 212777-A, February 2002 One static route is required for each VPN device being load balanced. 6. Configure VRRP for virtual routers 1 and 2. >> # /cfg/ip/route >> IP Static Route# add 10.0.0.10 (Static...
Web OS 10.0 Application Guide Chapter 14: Virtual Private Network Load Balancing n 359 212777-A, February 2002 7. Enable Server Load Balancing (SLB) on the first clean switch. 8. Configure real servers for health checking VPN devices. 9. Configure real server group 1, and add real servers 1, 2, 3, a...
Web OS 10.0 Application Guide 360 n Chapter 14: Virtual Private Network Load Balancing 212777-A, February 2002 Configure the Second Clean-Side Switch (CB) 1. Turn off bootp. 2. Define and enable VLAN 2 for ports 7 and 8. 3. Turn off Spanning Tree Protocol. 4. Define the clean-side IP interfaces. Cre...
Web OS 10.0 Application Guide Chapter 14: Virtual Private Network Load Balancing n 361 212777-A, February 2002 6. Configure Virtual Router Redundancy Protocol (VRRP) for virtual routers 1 and 2. 7. Enable SLB. 8. Configure real servers for health checking VPN devices. 9. Enable the real server group...
Web OS 10.0 Application Guide 362 n Chapter 14: Virtual Private Network Load Balancing 212777-A, February 2002 11. Enable filter processing on the server ports so that the response from the real server will be looked up in the VPN session table. 12. Apply and save the configuration, and reboot the switc...
Web OS 10.0 Application Guide 364 n Chapter 14: Virtual Private Network Load Balancing 212777-A, February 2002 10. Configure the filters to allow local subnet traffic on the dirty side of the VPN device to reach the VPN device interfaces. 11. Create a filter to allow the management firewall (Policy ...
Web OS 10.0 Application Guide 368 n Chapter 14: Virtual Private Network Load Balancing 212777-A, February 2002 Test Configurations and General Topology The switches should be able to health check each other, and all switches should see four real servers up. (Rules on the VPN devices permit this—see ...
Web OS 10.0 Application Guide Chapter 14: Virtual Private Network Load Balancing n 369 212777-A, February 2002 Test the VPN 1. Launch the SecuRemote client on the dirty side of the network. 2. Add a new site. 3. Enter the policy server IP address: 192.168.10.120. You have the option of adding a nick...
Web OS 10.0 Application Guide 370 n Chapter 14: Virtual Private Network Load Balancing 212777-A, February 2002 7. You will see a message verifying that you were authenticated. 8. Browse to the Web site. If there are other services running on other servers in the internal network, you should also be ...
212777-A, February 2002 371 CHAPTER 15 Content Intelligent Switching This chapter discusses advanced load balancing solutions utilizing Layer 7 content switching. Inspecting HTTP headers, examining content identifiers such as URLs and cookies, and parsing content requests are discussed in the foll...
Web OS 10.0 Application Guide 372 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Overview Alteon Web switches perform content intelligent switching by processing numerous tasks for each incoming session, including connection setup, traffic parsing, applying server selection alg...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 373 212777-A, February 2002 Parsing Content Examining session content places heavier demands upon the Web switch than examining TCP/IP headers for the following reasons: • Content is non-deterministic. Content identifiers such...
Web OS 10.0 Application Guide 374 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 HTTP Header Inspection Content intelligent switching is performed by inspecting HTTP headers. HTTP headers include additional information about requests and responses. The HTTP 1.1 specification def...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 375 212777-A, February 2002 Content Intelligent Server Load Balancing Web OS allows you to load balance HTTP requests based on different HTTP header information, such as “Cookie:” header for persistent load balancing, “Host:”...
Web OS 10.0 Application Guide 376 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Figure 15-2 URL-Based Server Load Balancing Configuring URL-Based Server Load Balancing To configure URL-based SLB, perform the following steps: 1. Before you can configure URL-based load balancing,...
Web OS 10.0 Application Guide 378 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 3. Apply and save your configuration changes. 4. Identify the defined string IDs. For easy configuration and identification, each defined string has an ID attached, as shown in the following example...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 379 212777-A, February 2002 7. Enable SLB on the switch. 8. Enable DAM on the switch or configure a proxy IP address on the client port. • To turn on DAM: • To turn off DAM and configure a proxy IP address on the client port: ...
Web OS 10.0 Application Guide 380 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Virtual Hosting Web OS allows individuals and companies to have a presence on the Internet in the form of a dedicated Web site address. For example, you can have a “www.site-a.com” and “www.site-b.c...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 381 212777-A, February 2002 Virtual Hosting Configuration Overview The sequence of events for configuring virtual hosting based on HTTP Host: headers is described below: 1. The network administrator defines a domain name as pa...
Web OS 10.0 Application Guide 382 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Configuring the “Host” Header for Virtual Hosting To support virtual hosting, configure the switch for Host header-based load balancing with the following procedure: 1. Before you can configure head...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 383 212777-A, February 2002 Cookie-Based Preferential Load Balancing Cookies can be used to provide preferential services for customers, ensuring that certain users are offered better access to resources than other users when ...
Web OS 10.0 Application Guide 384 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Configuring Cookie-Based Preferential Load Balancing To configure cookie-based preferential load balancing, perform the following procedure. 1. Before you can configure header-based load balancing, ...
Web OS 10.0 Application Guide 386 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Browser-Smart Load Balancing HTTP requests can be directed to different servers based on browser type by inspecting the “User-Agent” header. For example, GET /products/180/ HTTP/1.0 User-agent: Mozi...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 387 212777-A, February 2002 URL Hashing for Server Load Balancing By default, hashing algorithms use the IP source address and/or IP destination address (depending on the application area) to determine content location. The de...
Web OS 10.0 Application Guide 388 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 To configure URL hashing, perform the following procedure: 1. Before you can configure URL hashing, ensure that the switch has already been configured for basic SLB with the following tasks: • Assi...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 389 212777-A, February 2002 Header Hash Load Balancing Web OS allows you to hash on any selected HTTP header. To configure the Web switch for load balancing based on header hash, perform the following procedure: 1. Ensure that...
Web OS 10.0 Application Guide 390 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 DNS Load Balancing The Internet name registry has become so large that a single server cannot keep track of all the entries. This is resolved by splitting the registry and saving it on different ser...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 391 212777-A, February 2002 To configure the switch for DNS load balancing, perform the following procedure: 1. Before you can configure DNS load balancing, ensure that the switch has already been configured for basic SLB with...
Web OS 10.0 Application Guide 392 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Number of entries: five 7. Add the defined string IDs to the real server using the following command: NOTE – If you don't add a defined string (or add the defined string “any”) the server will ha...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 393 212777-A, February 2002 To configure RTSP load balancing using pattern matching, follow this procedure: 1. Add the URL string. • You can remove the URL string by performing the following: • You can rename the URL string by...
Web OS 10.0 Application Guide 394 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Content Intelligent Web Cache Redirection Web OS allows you to redirect Web cache requests based on different HTTP header information, such as “Host:” header or “User-Agent” for browser-smart load b...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 395 212777-A, February 2002 URL-Based Web Cache Redirection URL parsing for Web Cache Redirection operates in a manner similar to URL-based server load balancing except that in WCR a virtual server on the switch is the target ...
Web OS 10.0 Application Guide 396 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 The switch is preconfigured with a list of 13 noncacheable items that you can add to, delete, or modify. These items are either known dynamic content file extensions or dynamic URL parameters, as de...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 397 212777-A, February 2002 Network Address Translation Options URL-based WCR supports three types of Network Address Translation (NAT): No NAT, Half NAT, and Full NAT. • No NAT: In this NAT method, the traffic is redirected to...
Web OS 10.0 Application Guide 398 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 3. Configure the parameters and file extensions that bypass WCR. The switch is preconfigured with a list of 13 noncacheable items: • Dynamic content files: Common gateway interface files (.cgi), col...
Web OS 10.0 Application Guide 400 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 5. Apply and save your configuration changes. 6. Identify the defined string IDs. For easy configuration and identification, each defined string has an ID attached, as shown in the following example...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 401 212777-A, February 2002 9. Configure a filter to support basic WCR. The filter must be able to intercept all TCP traffic for the HTTP destination port and must redirect it to the proper port in the real server group: 10. ...
Web OS 10.0 Application Guide 402 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 12. Create a default filter for noncached traffic on the switch. NOTE – When the proto parameter is not tcp or udp, then sport and dport are ignored. 13. Turn on filtering for the port. 14. Add th...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 403 212777-A, February 2002 HTTP Header-Based Web Cache Redirection To configure the switch for WCR based on the “Host:” header, use the following procedure: 1. Configure basic SLB. Before you can configure header-based cache ...
Web OS 10.0 Application Guide 404 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 7. Configure the real server(s) to handle the appropriate load balance string(s). Add the defined string IDs to the real servers: where ID is the identification number of the defined string. NOTE –...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 405 212777-A, February 2002 Browser-Based Web Cache Redirection Browser-based Web cache redirection uses the User-agent: header. To configure browser-based WCR, perform the following procedure. 1. Before you can configure hea...
Web OS 10.0 Application Guide 406 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 7. Add the defined string IDs to configure the real server(s) to handle the appropriate load balance string(s). where ID is the identification number of the defined string. NOTE – If you don’t add ...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 407 212777-A, February 2002 2. Turn on URL parsing for the filter. 3. Enable hash to direct a cacheable URL request to a specific cache server. By default, the host header field is used to calculate the hash key and URL hashin...
Web OS 10.0 Application Guide 408 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Figure 15-6 URL Hashing for WCR Example 2: Hashing on the Host Header Field Only In this example, URL hashing is disabled. If you use the Host header field to calculate the hash key, the same URL re...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 409 212777-A, February 2002 Layer 7 RTSP Streaming Cache Redirection This section explains Layer 7 support for RTSP Streaming Cache Redirection. For conceptual information on RTSP Streaming Cache Redirection, see “RTSP Web Cac...
Web OS 10.0 Application Guide 410 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Exclusionary String Matching for Real Servers URL-based SLB and WCR can match or exclude up to 128 strings. Examples of strings are as follows: • “/product,” matches URLs that start with /product. ...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 411 212777-A, February 2002 For information on how to configure your network for server load balancing, see Chapter 6, “Server Load Balancing.” 2. Add the load balancing strings (for example test, /images, and /product) to...
Web OS 10.0 Application Guide 412 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Regular Expression Matching Regular expressions are used to describe patterns for string matching. They enable you to match the exact string, such as URLs, host names, or IP addresses. It is a power...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 413 212777-A, February 2002 • Size of the regular expression structure after compilation cannot exceed 43 bytes for load balancing strings and 23 bytes for Web Cache Redirection. The size of regular expression after compilatio...
Web OS 10.0 Application Guide 414 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Content Precedence Lookup The Layer 7 Precedence Lookup feature in Web OS allows you to give precedence to one Layer 7 parameter over another and selectively decide which parameter should be analyze...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 415 212777-A, February 2002 Requirements • Enable Direct Access Mode (DAM), or configure proxy IP address if DAM is disabled. • Enable delayed binding. Using the or and and Operators Figure 15-7 shows a network with real serve...
Web OS 10.0 Application Guide 416 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Assigning Multiple Strings Figure 15-8 shows an example of a company providing content for two large customers: Customers A and B. Customer A uses www.a.com as their domain name, and Customer B us...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 417 212777-A, February 2002 When a client request is received with www.a.com in the Host Header and .jpg in the URL, the request will be load balanced between Server 1 and Server 2. To accomplish this configuration, you must a...
Web OS 10.0 Application Guide 418 n Chapter 15: Content Intelligent Switching 212777-A, February 2002 Configuring a Layer 7 Deny Filter 1. Before you can configure a Layer 7 deny filter, ensure that the switch has already been configured for basic switch functions: • Assign an IP address to each of t...
Web OS 10.0 Application Guide Chapter 15: Content Intelligent Switching n 419 212777-A, February 2002 7. Enable the Layer 7 deny option. 8. Assign the URL string ID from Step 4 to the filter. 9. Apply and save the configuration. 10. Apply the filter to the client port. If the incoming client request...
212777-A, February 2002 421 CHAPTER 16 Persistence The Web OS persistence feature ensures that all connections from a specific client session reach the same real server, even when Server Load Balancing (SLB) is used. The following topics are addressed in this chapter: • “Overview of Persistence” on...
Web OS 10.0 Application Guide 422 n Chapter 16: Persistence 212777-A, February 2002 Overview of Persistence In a typical SLB environment, traffic comes from various client networks across the Internet to the virtual server IP address on the Web switch. The switch then load balances this traffic amon...
Web OS 10.0 Application Guide Chapter 16: Persistence n 423 212777-A, February 2002 Using Cookies Cookies are strings passed via HTTP from servers to browsers. Based on the mode of operation, cookies are inserted by either the Web switch or the server. After a client receives a cookie, a server can...
Web OS 10.0 Application Guide 424 n Chapter 16: Persistence 212777-A, February 2002 Cookie-Based Persistence Cookies are a mechanism for maintaining state between clients and servers. When the server receives a client request, the server issues a cookie, or token, to the client, which the client the...
Web OS 10.0 Application Guide Chapter 16: Persistence n 425 212777-A, February 2002 The following topics discussing cookie-based persistence are detailed in this section: • “Permanent and Temporary Cookies” on page 425 • “Cookie Formats” on page 425 • “Cookie Properties” on page 426 • “Client Browse...
Web OS 10.0 Application Guide 426 n Chapter 16: Persistence 212777-A, February 2002 Cookie Properties Cookies are configured on the Web switch by defining the following properties: • Cookie names of up to 20 bytes • The offset of the cookie value within the cookie string For security, the real cooki...
Web OS 10.0 Application Guide Chapter 16: Persistence n 427 212777-A, February 2002 Cookie Modes of Operation Web OS supports the following modes of operation for cookie-based session persistence: insert, passive, and rewrite mode. The following table shows the differences among the modes: Each of t...
Web OS 10.0 Application Guide 428 n Chapter 16: Persistence 212777-A, February 2002 Passive Cookie Mode In Passive Cookie mode, when the client first makes a request, the switch selects the server based on the load-balancing metric. The real server embeds a cookie in its response to the client. The...
Web OS 10.0 Application Guide Chapter 16: Persistence n 429 212777-A, February 2002 Rewrite Cookie Mode In rewrite cookie mode, the Web switch generates the cookie value on behalf of the server, eliminating the need for the server to generate cookies for each client. Instead, the server is configure...
Web OS 10.0 Application Guide 430 n Chapter 16: Persistence 212777-A, February 2002 Configuring Cookie-Based Persistence 1. Before you can configure cookie-based persistence, you need to configure the switch for basic SLB. This includes the following tasks: • Assign an IP address to each of the real...
Web OS 10.0 Application Guide Chapter 16: Persistence n 431 212777-A, February 2002 4. Select the appropriate load-balancing metric for the real server group. • If embedding an IP address in the cookie, select roundrobin or leastconns as the metric. • If you are not embedding the IP address in the c...
Web OS 10.0 Application Guide 432 n Chapter 16: Persistence 212777-A, February 2002 • Set multiple response count: This parameter is set for passive mode only. Typically, the Web switch searches the first HTTP response packet from the server and, if a persistence cookie is found, sets up a persisten...
Web OS 10.0 Application Guide Chapter 16: Persistence n 433 212777-A, February 2002 Example 1: Setting the Cookie Location In this example, the client request has two different cookies labeled “UID.” One exists in the HTTP header and the other appears in the URI: GET /product/switch/UID=12345678;ck=...
Web OS 10.0 Application Guide 434 n Chapter 16: Persistence 212777-A, February 2002 Example 2: Parsing the Cookie This example shows three configurations where the switch uses the hashing key or wild cards to determine which part of the cookie value should be used for determining the real server. Fo...
Web OS 10.0 Application Guide Chapter 16: Persistence n 435 212777-A, February 2002 Example 4: Using Rewrite Cookie Mode • Rewrite server cookie with the encrypted real server IP address: In cookie rewrite mode, if the cookie length parameter is configured to be eight bytes, the switch will rewrite ...
Web OS 10.0 Application Guide 436 n Chapter 16: Persistence 212777-A, February 2002 Server-Side Multi-Response Cookie Search Cookie-based persistence requires the switch to search the HTTP response packet from the server and, if a persistence cookie is found, set up a persistence connection between...
Web OS 10.0 Application Guide Chapter 16: Persistence n 437 212777-A, February 2002 SSL Session ID-Based Persistence SSL is a set of protocols built on top of TCP/IP that allows an application server and client to communicate over an encrypted HTTP session, providing authentication, non-repudiation,...
Web OS 10.0 Application Guide 438 n Chapter 16: Persistence 212777-A, February 2002 Figure 16-5 illustrates persistence based on SSL session ID as follows: 1. An SSL Hello handshake occurs between Client 1 and Server 1 via the Web switch. 2. An SSL session ID is assigned to Client 1 by Server 1. 3. ...
Web OS 10.0 Application Guide Chapter 16: Persistence n 439 212777-A, February 2002 Configuring SSL Session ID-Based Persistence To configure session ID-based persistence for a real server, perform the following steps: 1. Configure real servers and services for basic SLB, as indicated below: • Defin...
212777-A, February 2002 441 CHAPTER 17 Bandwidth Management Bandwidth Management (BWM) enables Web site managers to allocate a certain portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical business traffic, such as e-commerce transacti...
Web OS 10.0 Application Guide 442 n Chapter 17: Bandwidth Management 212777-A, February 2002 Overview To manage bandwidth, create one or more bandwidth management contracts. The switch uses these contracts to limit individual traffic flows. Figure 17-1 Bandwidth Management: How It Works Each contrac...
Web OS 10.0 Application Guide 444 n Chapter 17: Bandwidth Management 212777-A, February 2002 Bandwidth Policies Bandwidth policies are bandwidth limitations defined for any set of frames, specifying the guaranteed bandwidth rates. A bandwidth policy is often based on a rate structure whereby a Web h...
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 445 212777-A, February 2002 Rate Limits A bandwidth policy specifies three limits, listed and described in Table 17-1: Bandwidth Policy Configuration Each bandwidth policy, comprised of the reserved, soft, and hard limits, is assigned...
Web OS 10.0 Application Guide 446 n Chapter 17: Bandwidth Management 212777-A, February 2002 Data Pacing The mechanism used to keep the individual traffic flows under control is called data pacing. It is based on the concept of a virtual clock and theoretical departure times (TDT). The actual calcu...
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 447 212777-A, February 2002 Classification Criteria The frames associated with a particular BWM contract are specified, using the parameters listed below. All of these classifications are aimed at limiting the traffic outbound from the...
Web OS 10.0 Application Guide 448 n Chapter 17: Bandwidth Management 212777-A, February 2002 Combinations Combinations of classifications are limited to grouping items together into a contract. For example, if you wanted to have three different virtual servers associated with a contract, you would s...
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 449 212777-A, February 2002 Frame Discard When packets in a contract queue have not yet been sent and the buffer size set for the queue is full, any new frames attempting to be placed in the queue will be discarded. URL-Based Bandwidth...
Web OS 10.0 Application Guide 450 n Chapter 17: Bandwidth Management 212777-A, February 2002 Figure 17-4 URL-Based Bandwidth Management Figure 17-5 URL-Based Bandwidth Management with Web Cache Redirection Cache servers
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 451 212777-A, February 2002 HTTP Header-Based Bandwidth Management HTTP header-based BWM allows Web site managers to allocate bandwidth based on header value. Thus, they can allocate bandwidth based on browser type, cookie value, and s...
Web OS 10.0 Application Guide 452 n Chapter 17: Bandwidth Management 212777-A, February 2002 Bandwidth Statistics and History Statistics are maintained in order to allow Web switch owners to bill for bandwidth usage. Statistics for frequency and count are configurable. Statistics are kept in the in...
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 453 212777-A, February 2002 Packet Coloring (TOS bits) for Burst Limit Whenever the soft limit is exceeded, optional packet coloring can be done to allow downstream routers to use diff-serv mechanisms (that is, writing the Type-Of-Ser...
Web OS 10.0 Application Guide 454 n Chapter 17: Bandwidth Management 212777-A, February 2002 Configuring Bandwidth Management The following procedure provides general instructions for configuring BWM on the switch. Specific configuration examples begin on page 457. 1. Configure the switch as you no...
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 455 212777-A, February 2002 5. (Optional) Set the TOS byte value, between 0-255, for the policy underlimit and overlimit. There are two parameters for specifying the TOS bits: underlimit (utos) and overlimit (otos). These TOS valu...
Web OS 10.0 Application Guide 456 n Chapter 17: Bandwidth Management 212777-A, February 2002 9. (Optional) Enable TOS overwriting for the BWM contract. 10. Set the bandwidth policy for this contract. Each bandwidth management contract must be assigned a bandwidth policy. 11. Enable the BWM contract....
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 457 212777-A, February 2002 Additional Configuration Examples Examples are provided for the following Bandwidth Management applications: • User/Application Fairness: see next section • Preferential Services: page 460 • URL-Based: page ...
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 459 212777-A, February 2002 11. Assign the BWM contracts to different switch ports. Physical switch ports are used to classify which frames are managed by each contract—that is, one BWM contract will be applied to all frames from a spe...
Web OS 10.0 Application Guide 460 n Chapter 17: Bandwidth Management 212777-A, February 2002 Preferential Services Examples BWM can be used to provide preferential treatment to certain traffic, based on source IP blocks, applications, URL paths, or cookies. You may find it useful to configure higher...
Web OS 10.0 Application Guide 462 n Chapter 17: Bandwidth Management 212777-A, February 2002 12. Create a virtual server that will be used to classify the frames for contract 1 and assign the Virtual server IP address for this server. Then, assign the BWM contract to the virtual server. Repeat this...
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 463 212777-A, February 2002 URL-Based Bandwidth Management Example In this example, you will assign bandwidth based on URL paths. For URL-based server load balancing, a user has to first define strings to monitor. Each of these strings...
Web OS 10.0 Application Guide 464 n Chapter 17: Bandwidth Management 212777-A, February 2002 3. Configure a real server to handle the URL request. To add a defined string: where URL path ID is the identification number of the defined string as displayed when you enter the cur command. Example: /cfg/...
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 465 212777-A, February 2002 5. Turn on URL-based server load balancing on the virtual server. Configure everything under the virtual server as in Configuration Example 1. If the same string is used by more than one service, and you wan...
Web OS 10.0 Application Guide 466 n Chapter 17: Bandwidth Management 212777-A, February 2002 2. Allocate bandwidth for each string. To do this, assign a BWM contract to each defined string. 3. Configure a real server to handle the cookie. To add a defined string: where URL path ID is the identificat...
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 467 212777-A, February 2002 Scenario 2: In this scenario, the Web site has multiple virtual server IP addresses, and the same user classification or multiple sites use the same string name. In this scenario, there are two Virtual IP (V...
Web OS 10.0 Application Guide 468 n Chapter 17: Bandwidth Management 212777-A, February 2002 Security Management Example BWM can be used to prevent Denial of Service (DoS) attacks that flood the network with “necessary evil” packets, by limiting the rate of TCP SYN, ping, and other disruptive packets, and alerting...
Web OS 10.0 Application Guide Chapter 17: Bandwidth Management n 469 212777-A, February 2002 6. Set the bandwidth policy for the contract. Each BWM contract must be assigned a bandwidth policy. 7. Enable the BWM contract. 8. Create a filter that will be used to classify the frames for this contract ...
212777-A, February 2002 471 Glossary DIP (Destination IP Address) The destination IP address of a frame. Dport (Destination Port) The destination port (application socket: for example, http-80/https-443/DNS-53) NAT (Network Address Translation) Any time an IP address is changed from one source IP or...
212777-A, February 2002 475 Index Symbols: [ ], 23. Numerics: 80 (port), 295; 802.1Q VLAN tagging, 44, 45. A: active cookie mode...