Nortel Web OS Switch Software Application Manual


Web OS Switch Software
10.0 Application Guide
Part Number: 212777, Revision A, February 2002
50 Great Oaks Boulevard
San Jose, California 95119
408-360-5500 Main
408-360-5501 Fax
www.nortelnetworks.com


Summary of Contents for Nortel Web OS Switch Software

  • Page 1 Web OS Switch Software 10.0 Application Guide Part Number: 212777, Revision A, February 2002 50 Great Oaks Boulevard San Jose, California 95119 408-360-5500 Main 408-360-5501 Fax www.nortelnetworks.com...
  • Page 2 Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc.
  • Page 3: Table of Contents

    Contents Preface 21 Who Should Use This Guide 21 What You’ll Find in This Guide 21 Typographic Conventions 23 Contacting Us 24 Part 1: Basic Switching & Routing Chapter 1: Basic IP Routing 27 IP Routing Benefits 28 Routing Between IP Subnets 28 Example of Subnet Routing 31 Defining IP Address Ranges for the Local Route Cache 35 Border Gateway Protocol (BGP) 36...
  • Page 4 VLANs and Spanning Tree Protocol 49 Bridge Protocol Data Units (BPDUs) 50 Multiple Spanning Trees 51 VLANs and Default Gateways 58 Segregating VLAN Traffic 58 Configuring the Local Network 60 Configuring Default Gateways per VLAN 60 VLANs and Jumbo Frames 63 Isolating Jumbo Frame Traffic using VLANs 63 Routing Jumbo Frames to Non-Jumbo Frame VLANs 64...
  • Page 5 OSPF Configuration Examples 83 Example 1: Simple OSPF Domain 84 Example 2: Virtual Links 86 Example 3: Summarizing Routes 90 Example 4: Host Routes 92 Verifying OSPF Configuration 98 Chapter 5: Secure Switch Management 99 Setting Allowable Source IP Address Ranges 100 Secure Switch Management 101 Authentication and Authorization 101...
  • Page 6 Load Balancing Special Services 149 IP Server Load Balancing 149 FTP Server Load Balancing 150 Domain Name Server (DNS) Load Balancing 151 Real Time Streaming Protocol SLB 155 Wireless Application Protocol SLB 158 Intrusion Detection System Server Load Balancing 163 WAN Link Load Balancing 166 Chapter 7: Filtering 169 Overview 170...
  • Page 7 Chapter 8: Application Redirection 203 Overview 204 Web Cache Redirection Environment 204 Additional Application Redirection Options 205 RTSP Web Cache Redirection 211 IP Proxy Addresses for NAT 213 Excluding Noncacheable Sites 215 Chapter 9: Virtual Matrix Architecture 217 Chapter 10: Health Checking 219 Real Server Health Checks 221 DSR Health Checks 222...
  • Page 8 Chapter 11: High Availability 247 VRRP Overview 248 VRRP Components 248 VRRP Operation 251 Selecting the Master VRRP Router 251 Active-Standby Failover 252 Failover Methods 253 Active-Standby Redundancy 254 Active-Active Redundancy 255 Hot-Standby Redundancy 256 Synchronizing Configurations 258 Web OS Extensions to VRRP 259 Virtual Server Routers 259...
  • Page 9 Part 3: Advanced Web Switching Chapter 12: Global Server Load Balancing 289 GSLB Overview 290 Benefits 290 Compatibility with Other Web OS Features 290 How GSLB Works 291 Configuring GSLB 293 IP Proxy for Non-HTTP Redirects 304 How IP Proxy Works 305 Configuring Proxy IP Addresses 307 Verifying GSLB Operation 308...
  • Page 10 Chapter 15: Content Intelligent Switching 371 Overview 372 Parsing Content 373 HTTP Header Inspection 374 Buffering Content with Multiple Frames 374 Content Intelligent Server Load Balancing 375 URL-Based Server Load Balancing 375 Virtual Hosting 380 Cookie-Based Preferential Load Balancing 383 Browser-Smart Load Balancing 386 URL Hashing for Server Load Balancing 387...
  • Page 11 Chapter 16: Persistence 421 Overview of Persistence 422 Using Source IP Address 422 Using Cookies 423 Using SSL Session ID 423 Cookie-Based Persistence 424 Permanent and Temporary Cookies 425 Cookie Formats 425 Cookie Properties 426 Client Browsers that Do Not Accept Cookies 426 Cookie Modes of Operation 427 Configuring Cookie-Based Persistence 430...
  • Page 12 Configuring Bandwidth Management 454 Additional Configuration Examples 457 Preferential Services Examples 460 Glossary 471 Index 475...
  • Page 13 Figures Figure 1-1: The Router Legacy Network 29 Figure 1-2: Switch-Based Routing Topology 30 Figure 1-3: iBGP and eBGP 37 Figure 1-4: BGP Failover Configuration Example 38 Figure 1-5: DHCP Relay Agent Configuration 42 Figure 2-1: Example 1: Multiple VLANs with Tagging Gigabit Adapters 46 Figure 2-2: Example 2: Parallel Links with VLANs 48 Figure 2-3:...
  • Page 14 Figure 6-1: Traditional Versus SLB Network Configurations 119 Figure 6-2: Web Hosting Configuration Without SLB 121 Figure 6-3: Web Hosting with SLB Solutions 121 Figure 6-4: SLB Client/Server Traffic Routing 122 Figure 6-5: Example Network for Client/Server Port Configuration 123 Figure 6-6: Basic Virtual Port to Real Port Mapping Configuration 140 Figure 6-7:...
  • Page 15 Figure 12-1: DNS Resolution with Global Server Load Balancing 291 Figure 12-2: GSLB Topology Example 294 Figure 12-3: HTTP and Non-HTTP Redirects 304 Figure 12-4: POP3 Request Fulfilled via IP Proxy 305 Figure 12-5: GSLB Proximity Tables: How They Work 309 Figure 12-6: Configuring Client Proximity Table 310 Figure 13-1: Typical Firewall Configuration Before FWLB 314 Figure 13-2: Basic FWLB Topology 316...
  • Page 16 Figure 17-1: Bandwidth Management: How It Works 442 Figure 17-2: Bandwidth Rate Limits 444 Figure 17-3: Virtual Clocks and TDT 446 Figure 17-4: URL-Based Bandwidth Management 450 Figure 17-5: URL-Based Bandwidth Management with Web Cache Redirection 450 Figure 17-6: Cookie-Based Bandwidth Management 451 Figure 17-7: Cookie-Based Preferential Services 467...
  • Page 17 Tables Table 1-1: Subnet Routing Example: IP Address Assignments 31 Table 1-2: Subnet Routing Example: IP Interface Assignments 31 Table 1-3: Subnet Routing Example: Optional VLAN Ports 33 Table 1-4: Local Routing Cache Address Ranges 35 Table 2-1: Ports, Trunk Groups, and VLANs 49 Table 2-2: Multiple Spanning Tree Groups per VLAN 54 Table 2-3:...
  • Page 18 Table 12-1: GSLB Example: California Real Server IP Addresses 296 Table 12-2: GSLB Example: California Alteon 180 Port Usage 297 Table 12-3: Denver Real Server IP Addresses 300 Table 12-4: Web Host Example: Alteon 180 Port Usage 301 Table 12-5: HTTP Versus Non-HTTP Redirects 305 Table 15-1:...
  • Page 19: New Features

    New Features The following table lists the new features in Web OS 10.0 and the supported platforms (Alteon Web Switches AD3/180e and Alteon Web Switches AD4/184): VLAN-based default gateway, VLAN filtering, multiple instances of Spanning Tree, Layer 7 deny filter, increase real server support to 1024, SYN attack detection/protection, enhanced port mirroring...
  • Page 20 Feature (Alteon Web Switches AD3/180e, Alteon Web Switches AD4/184): hash on any HTTP header, increased support of 16 rport to vport, increased number of scripted health checks to 16, descriptive names for filters, OSPF, LDAP health check, streaming cache redirection, L7 parsing of RTSP SLB, ARP health check...
  • Page 21: Preface

    Preface This Application Guide describes how to configure and use the Web OS software on the Alteon Web switches. For documentation on installing the switches physically, see the Hardware Installation Guide for your particular switch model. Who Should Use This Guide This Application Guide is intended for network installers and system administrators engaged in configuring and maintaining a network.
  • Page 22 Chapter 5, “Secure Switch Management,” describes how to manage the switch using specific IP addresses, RADIUS authentication, Secure Shell (SSH), and Secure Copy (SCP). Part 2: Web Switching Fundamentals Chapter 6, “Server Load Balancing,” describes how to configure the Web switch to balance network traffic among a pool of available servers for more efficient, robust, and scalable network services.
  • Page 23: Typographic Conventions

    Typographic Conventions The following table describes the typographic styles used in this book. Table 1 Typographic Conventions (Typeface or Symbol / Meaning / Example): AaBbCc123 is used for names of commands, files, and directories used within the text; for example, “View the readme.txt file.”
  • Page 24: Contacting Us

    Contacting Us For complete product support and sales information, visit the Nortel Networks website at the following URL: http://www.nortelnetworks.com See the contact information on this site for regional support and sales phone numbers and addresses.
  • Page 25: Part 1: Basic Switching & Routing

    Part 1: Basic Switching & Routing This section discusses basic Layer 1 through Layer 3 switching and routing functions. In addition to switching traffic at near line rates, the Web switch can perform multi-protocol routing. This section includes the following basic switching and routing topics: Basic IP Routing VLANs Jumbo Frames...
  • Page 26 Basic Switching & Routing...
  • Page 27: Chapter 1: Basic IP Routing

    CHAPTER 1 Basic IP Routing This chapter provides configuration background and examples for using the Alteon Web switch to perform IP routing functions. The following topics are addressed in this chapter: “IP Routing Benefits” on page 28 “Routing Between IP Subnets” on page 28 “Example of Subnet Routing”...
  • Page 28: IP Routing Benefits

    IP Routing Benefits The Alteon Web switch uses a combination of configurable IP switch interfaces and IP routing options. The switch IP routing capabilities provide the following benefits: Connects the server IP subnets to the rest of the backbone network. Performs server load balancing (using both Layer 3 and Layer 4 switching in combination) to server subnets that are separate from backbone subnets.
  • Page 29: Figure 1-1 The Router Legacy Network

    For example, consider the following topology migration: [Figure 1-1 The Router Legacy Network: Admin, Eng, Staff and Server subnets connected through switches and routers over FDDI to the Internet.] In this example, a corporate campus has migrated from a router-centric topology to a faster, more powerful, switch-based topology.
  • Page 30: Figure 1-2 Switch-Based Routing Topology

    Take a closer look at the Alteon Web switch in the following configuration example: [Figure 1-2 Switch-Based Routing Topology: first-, second- and third-floor 10/100 client subnets 100.20.10.1-254, 131.15.15.1-254 and 208.31.177.1-254; primary default router 205.21.17.1 over 1000 Mbps; interfaces IF#2, IF#3...]
  • Page 31: Example of Subnet Routing

    Example of Subnet Routing Prior to configuring, you must be connected to the switch Command Line Interface (CLI) as the administrator. For details about accessing and using any of the menu commands described in this example, see the Web OS Command Reference.
  • Page 32 IP interfaces are configured using the following commands at the CLI: >> # /cfg/ip/if 1 (Select IP interface 1) >> IP Interface 1# addr 205.21.17.3 (Assign IP address for the interface) >>... (Enable IP interface 1)
  • Page 33: Table 1-3 Subnet Routing Example: Optional VLAN Ports

    Using VLANs to Segregate Broadcast Domains In the previous example, devices that share a common IP network are all in the same broadcast domain. If you want to limit the broadcasts on your network, you could use VLANs to create distinct broadcast domains.
  • Page 34 Each time you add a port to a VLAN, you may get the following prompt: Port 4 is untagged and VLAN 2 is not a configured PVID for port 4. Would you like to change all PVIDS for port 4 to VLAN 2 [y n]? Enter y to set the default Port VLAN ID (PVID) for the port.
  • Page 35: Defining IP Address Ranges for the Local Route Cache

    Defining IP Address Ranges for the Local Route Cache A local route cache lets you use switch resources more efficiently. The local network address and local network mask parameters (accessed via the /cfg/ip/frwd/local/add command) define a range of addresses that will be cached on the switch. The local network address is used to define the base IP address in the range that will be cached.
  • Page 36: Border Gateway Protocol (BGP)

    Border Gateway Protocol (BGP) Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share and advertise routing information with each other about the segments of the IP address space they can access within their network and with routers on external networks. BGP allows you to decide what is the “best”...
  • Page 37: Forming BGP Peer Routers

    [Figure 1-3 iBGP and eBGP: AS 11 and AS 20 (ISP A) and AS 50 (ISP B) exchanging iBGP and eBGP routes with the Web switches and the Internet.] Typically, an AS has one or more border routers, peer routers that exchange routes with other ASs, and an internal routing scheme that enables routers in that AS to reach every other router and destination within that AS.
  • Page 38: Figure 1-4 BGP Failover Configuration Example

    As shown in Figure 1-4, the switch is connected to ISP 1 and ISP 2. The customer negotiates with both ISPs to allow the Web switch to use their peer routers as default gateways. The ISP peer routers will then need to announce themselves as default gateways to the Web switch.
  • Page 39 Define the VLANs. For simplicity, both default gateways are configured in the same VLAN in this example. The gateways could be in the same VLAN or different VLANs. >> # /cfg/vlan 1 (Select VLAN 1) >>...
  • Page 40 Configure BGP peer routers 1 and 2. Peer 1 is the primary gateway router. Peer 2 is configured with a metric of “3.” The metric option is key to ensuring gateway traffic is directed to Peer 1, as it will make Peer 2 appear to be three router hops away from the switch.
  • Page 41: DHCP Relay

    “generic” file name to be booted, the address of the default gateway, and so forth). The Nortel Networks DHCP relay agent eliminates the need to have DHCP/BOOTP servers on every subnet. It allows the administrator to reduce the number of DHCP servers deployed on the network and to centralize them.
  • Page 42: DHCP Relay Agent Configuration

    respond as a UDP Unicast message back to the switch, with the default gateway and IP address for the client. The destination IP address in the server response represents the interface address on the switch that received the client request. This interface address tells the switch on which VLAN to send the server response to the client.
  • Page 43: Chapter 2: VLANs

    CHAPTER 2 VLANs This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments.
  • Page 44: VLAN ID Numbers

    VLAN ID Numbers Web OS supports up to 246 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 246, each can be identified with any number between 1 and 4094.
  • Page 45: VLANs and the IP Interfaces

    VLANs and the IP Interfaces Carefully consider how you create VLANs within the switch, so that communication with the switch Management Processor (MP) remains possible. You can access the switch for remote configuration, trap messages, and other management functions only from stations on VLANs that include an IP interface to the switch (see “IP Interface Menu”...
  • Page 46: Example 1: Multiple VLANs with Tagging Adapters

    Example 1: Multiple VLANs with Tagging Adapters [Figure 2-1: Server #1 and Server #2 on Gigabit/tagged adapters (all VLANs) connected to the Alteon Web switch; PC #1 through PC #5 on shared media in VLAN #1, VLAN #2 and VLAN #3...]
  • Page 47 Component Description PCs #1 and #2 These PCs are attached to a shared media hub that is then connected to the switch. They belong to VLAN 2 and are logically in the same IP subnet as Server 2 and PC 5. Tagging is not enabled on their switch port.
  • Page 48: Example 2: Parallel Links with VLANs

    Example 2: Parallel Links with VLANs [Figure 2-2: two Web switches connected by parallel links on Gigabit Ethernet Port 7 (VLAN #10, VLAN #22) and Gigabit Ethernet Port 8 (VLAN #32, VLAN #109)...]
  • Page 49: VLANs and Spanning Tree Protocol

    VLANs and Spanning Tree Protocol Spanning Tree Protocol (STP) detects and eliminates logical loops in a bridged or switched network. STP forces redundant data paths into a standby (blocked) state. When multiple paths exist, Spanning Tree configures the network so that a switch uses only the most efficient path. If that path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations.
  • Page 50: Bridge Protocol Data Units (BPDUs)

    Bridge Protocol Data Units (BPDUs) To create a Spanning Tree, the Web switch generates a configuration Bridge Protocol Data Unit (BPDU), which it then forwards out of its ports. All switches in the Layer 2 network participating in the Spanning Tree gather information about other switches in the network through an exchange of BPDUs.
  • Page 51: Multiple Spanning Trees

    Multiple Spanning Trees Web OS 10.0 supports up to 16 instances of Spanning Trees or Spanning Tree groups. Each VLAN can be placed on a unique Spanning Tree group per switch except for the default Spanning Tree group (STG 1).
  • Page 52: Figure 2-4 VLAN 3 Isolated in a Single Spanning Tree Group

    Example of a Four-Switch Topology with a Single Spanning Tree In the four-switch topology example shown in Figure 2-4 on page 52, and assuming Web switch A has a higher priority, you can have at least three loops on the network: Data flowing from Web switches A to B to C and back to Web switch A.
  • Page 53: Figure 2-5 Implementing Multiple Spanning Tree Groups

    Example of a Four-Switch Topology with Multiple Spanning Trees If multiple Spanning Trees are implemented and each VLAN is on a different Spanning Tree, elimination of logical loops will not isolate any VLAN. Figure 2-5 shows the same four-switch topology as in Figure 2-4 on page 52, but with multiple...
  • Page 54: Table 2-2 Multiple Spanning Tree Groups per VLAN

    Table 2-2 Multiple Spanning Tree Groups per VLAN (columns: VLAN 1, VLAN 2, VLAN 3). Web Switch A: Spanning Tree Group 1 on ports 1 and 2; Spanning Tree Group 2 on port 8. Web Switch B: Spanning Tree Group 1 on port 1; Spanning Tree Group 2 on port 8...
  • Page 55 VLAN Participation in Spanning Tree Groups The VLAN participation for each Spanning Tree group in Figure 2-5 on page 53 is discussed in the following sections: VLAN 1 Participation If Web switch A is the root bridge, then Web switch A will transmit the BPDU for VLAN 1 on ports 1 and 2.
  • Page 56 Configuring Multiple Spanning Tree Groups This configuration shows how to configure the three instances of Spanning Tree groups on the Web switches A, B, C, and D illustrated in Figure 2-5 on page By default, Spanning Trees 2-15 are empty, and Spanning Tree Group 1 contains all configured VLANs until individual VLANs are explicitly assigned to other Spanning Tree groups.
  • Page 57 Configure the following on Web switch C: Add port 8 to VLAN 3 and define Spanning Tree group 3 for VLAN 3. >> # /cfg/vlan 3 (Select VLAN 3 menu) >> VLAN 3# add 8 (Add port 8) >>... (Select STP menu)
  • Page 58: VLANs and Default Gateways

    VLANs and Default Gateways Web OS allows you to assign different default gateways for each VLAN. You can effectively map multiple customers to specific gateways on a single switch. The benefits of segregating customers to different default gateways are: Resource optimization Enhanced customer segmentation Improved service differentiation...
  • Page 59: Table 2-3 Route Cache Example

    In the example shown in Figure 2-6, if default gateways 5 or 6 fail, then traffic is directed to default gateway 1, which is configured with IP address 10.10.4.1. If default gateways 1 through 4 are not configured on the switch, then packets from VLAN 2 and VLAN 3 are discarded.
  • Page 60: Configuring the Local Network

    Configuring the Local Network To completely segregate VLAN traffic to its own default gateway, you can configure the local network addresses of the VLAN. This will ensure that all traffic from VLAN 2 is forwarded to Gateway 5 and all traffic from VLAN 3 is forwarded to Gateway 6.
  • Page 61 Configure the default gateways. Configure default gateways 5 and 6 for VLANs 2 and 3 respectively, and configure default gateway 1 for load balancing session requests and as backup when default gateways 5 and 6 fail. >>... (Select default gateway 5)
  • Page 62 (Optional) Configure the local networks to ensure that the VLANs use the configured default gateways. >> IP# frwd/local (Select the local network menu) >> IP Forwarding# add 10.10.0.0 (Specify the network for routers 1, 2, &...
  • Page 63: VLANs and Jumbo Frames

    VLANs and Jumbo Frames To reduce host frame processing overhead, Gigabit network adapters that can handle frame sizes of 9K and higher (such as the 3COM PCI-X/PCI Gigabit adapters) and Alteon Web switches, both running Web OS version 2.0 or later, can receive and transmit frames that are far larger than the maximum normal Ethernet frame.
  • Page 64: Routing Jumbo Frames to Non-Jumbo Frame VLANs

    [Figure 2-7 Jumbo Frame VLANs: a Jumbo frame VLAN alongside two normal frame VLANs.] Routing Jumbo Frames to Non-Jumbo Frame VLANs When IP routing is used to route traffic between VLANs, the switch will fragment Jumbo UDP datagrams when routing from a Jumbo frame VLAN to a non-Jumbo frame VLAN.
  • Page 65: Chapter 3: Port Trunking

    Trunk groups are also useful for connecting an Alteon Web switch to third-party devices that support link aggregation, such as Cisco routers and switches with EtherChannel technology (not ISL trunking technology) and Sun's Quad Fast Ethernet Adapter. Nortel Networks trunk group technology is compatible with these devices when they are configured manually.
  • Page 66: Statistical Load Distribution

    Web OS 10.0 Application Guide Statistical Load Distribution Network traffic is statistically load balanced between the ports in a trunk group. The Web OS- powered switch uses both the Layer 2 MAC address and Layer 3 IP address information present in each transmitted frame for determining load distribution. The addition of Layer 3 IP address examination is an important advance for traffic distribution in trunk groups.
  • Page 67: Port Trunking Example

    Web OS 10.0 Application Guide Port Trunking Example In the example below, three ports will be trunked between two Alteon Web switches. Switch #1 Switch #2 Web Switch Web Switch Gigabit Gigabit Powered Powered 10/100/10000 Mbps Ethernet Server Switch 10/100/10000 Mbps Ethernet Server Switch Data Data Link...
  • Page 68 Web OS 10.0 Application Guide Repeat the process on Web switch 2. >> # /cfg/trunk 3 (Select trunk group 3) (Add port 4 to trunk group 3) >> Trunk group 3# add 4 (Add port 6 to trunk group 3) >>...
  • Page 69: Chapter 4: Ospf

    HAPTER OSPF Web OS 10.0 supports the Open Shortest Path First (OSPF) routing protocol. The Web OS implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss OSPF support for the Alteon AD4/184 Web switches: “OSPF Overview”...
  • Page 70: Types Of Ospf Areas

    Web OS 10.0 Application Guide Types of OSPF Areas An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area.
  • Page 71: Types Of Ospf Routing Devices

    Web OS 10.0 Application Guide Types of OSPF Routing Devices As shown in Figure 4-2, OSPF uses the following types of routing devices: Internal Router (IR)—a router that has all of its interfaces within the same area. IRs main- tain LSDBs identical to those of other routing devices within the local area. Area Border Router (ABR)—a router that has interfaces in multiple areas.
  • Page 72: Neighbors And Adjacencies

    Web OS 10.0 Application Guide Neighbors and Adjacencies In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each others’ health. To establish neighbor relationships, routing devices periodically send hello packets on each of their inter- faces.
  • Page 73: The Shortest Path First Tree

    Web OS 10.0 Application Guide The Shortest Path First Tree The routing devices use a link-state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The cost of an individual interface in OSPF is an indication of the overhead required to send packets across it.
  • Page 74: Ospf Implementation In Web Os

    Web OS 10.0 Application Guide OSPF Implementation in Web OS Web OS 10.0 supports a single instance of OSPF and up to 1K routes on the network. The fol- lowing sections describe OSPF implementation in Web OS: “Configurable Parameters” on page 74 “Defining Areas”...
  • Page 75: Defining Areas

    Web OS 10.0 Application Guide Defining Areas If you are configuring multiple areas in your OSPF domain, one of the areas must be desig- nated as area 0, known as the backbone. The backbone is the central OSPF area and is usually physically connected to all other areas.
  • Page 76 Web OS 10.0 Application Guide Using the Area ID to Assign the OSPF Area Number The OSPF area number is defined in the areaid <IP address> option. The octet format is used in order to be compatible with two different systems of notation used by other OSPF net- work vendors.
  • Page 77: Interface Cost

    Web OS 10.0 Application Guide Interface Cost The OSPF link-state algorithm (Dijkstra’s algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth. You can manually enter the cost for the output route with the following command: OSPF interface number cost value (1-65535)
  • Page 78: Default Routes

    Web OS 10.0 Application Guide Default Routes When an OSPF routing device encounters traffic for a destination address it does not recog- nize, it forwards that traffic along the default route. Typically, the default route leads upstream toward the backbone until it reaches the intended area or an external router. Each Web switch acting as an ABR automatically inserts a default route into each attached area.
  • Page 79: Virtual Links

    Web OS 10.0 Application Guide Virtual Links Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases where this is not possible, you can use a virtual link. Virtual links are created to connect one area to the backbone through another non-backbone area (see Figure 4-1 on page 70).
  • Page 80: Router Id

    Web OS 10.0 Application Guide Router ID Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP inter- face range or in any OSPF area.
  • Page 81 Web OS 10.0 Application Guide To configure OSPF passwords on the Web switches shown in Figure 4-4 use the following commands: Enable OSPF authentication for Area 0 on Web switches 1, 2, and 3. /cfg/ip/ospf/aindex 0/auth password >> # (Turn on OSPF password authenti cation) Configure a simple text password up to eight characters for each OSPF IP interface in Area 0 on Web switches 1, 2, and 3.
  • Page 82: Host Routes For Load Balancing

    Web OS 10.0 Application Guide Host Routes for Load Balancing Web OS 10.0 implementation of OSPF includes host routes. Host routes are used for advertis- ing network device IP addresses to external networks, accomplishing the following goals: Server Load Balancing (SLB) within OSPF Host routes advertise virtual server IP addresses to external networks.
  • Page 83: Ospf Configuration Examples

    Web OS 10.0 Application Guide OSPF Configuration Examples A summary of the basic steps for configuring OSPF on the Web switch is listed here. Detailed instructions for each of the steps is covered in the following sections: Configure IP interfaces. One IP interface is required for each desired network (range of IP addresses) being assigned to an OSPF area on the Web switch.
  • Page 84: Example 1: Simple Ospf Domain

    Web OS 10.0 Application Guide Example 1: Simple OSPF Domain In this example, two OSPF areas are defined—one area is the backbone and the other is a stub area. A stub area does not allow advertisements of external routes, thus reducing the size of the database.
  • Page 85 Web OS 10.0 Application Guide Define the backbone. The backbone is always configured as a transit area using areaid 0.0.0.0. (Select menu for area index 0) >> Open Shortest Path First # aindex 0 (Set the ID for backbone area 0) >>...
  • Page 86: Example 2: Virtual Links

    Web OS 10.0 Application Guide Example 2: Virtual Links In the example shown in Figure 4-6, area 2 is not physically connected to the backbone as is usually required. Instead, area 2 will be connected to the backbone via a virtual link through area 1.
  • Page 87 Web OS 10.0 Application Guide Define the backbone. >> Open Shortest Path First # aindex 0 (Select menu for area index 0) (Set the area ID for backbone area 0) >> OSPF Area (index) 0 # areaid 0.0.0.0 (Define backbone as transit type) >>...
  • Page 88 Web OS 10.0 Application Guide Configuring OSPF for a Virtual Link on Switch #2 Configure IP interfaces on each network that will be attached to OSPF areas. Two IP interfaces are needed on Switch #2: one for the transit area network on 10.10.12.0/24 and one for the stub area network on 10.10.24.0/24.
  • Page 89 Web OS 10.0 Application Guide Define the stub area. >> OSPF Area (index) 1 # ../aindex 2 (Select the menu for area index 2) >> OSPF Area (index) 2 # areaid 0.0.0.2 (Set the area ID for OSPF area 2) (Define area as stub type) >>...
  • Page 90: Example 3: Summarizing Routes

    Web OS 10.0 Application Guide Example 3: Summarizing Routes By default, ABRs advertise all the network addresses from one area into another area. Route summarization can be used for consolidating advertised addresses and reducing the perceived complexity of the network. If the network IP addresses in an area are assigned to a contiguous subnet range, you can configure the ABR to advertise a single summary route that includes all the individual IP addresses within the area.
  • Page 91 Web OS 10.0 Application Guide Define the backbone. >> Open Shortest Path First # aindex 0 (Select menu for area index 0) >> OSPF Area (index) 0 # areaid 0.0.0.0 (Set the ID for backbone area 0) (Define backbone as transit type) >>...
  • Page 92: Example 4: Host Routes

    Web OS 10.0 Application Guide Example 4: Host Routes The Web OS 10.0 implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks and allow for Server Load Balancing (SLB) within OSPF. They also make ABR load sharing and failover possible. Consider the example network in Figure 4-8.
  • Page 93 Web OS 10.0 Application Guide Configuring OSPF for Host Routes on Web Switch #1 Configure basic SLB parameters. Web switch 1 is connected to two real servers. Each real server is given an IP address and is placed in the same real server group. (Select menu for real server 1) >>...
  • Page 94 Web OS 10.0 Application Guide Configure the backup virtual server. Alteon Web switch # 1 will act as a backup for virtual server 10.10.10.2. Both virtual servers in this example are configured with the same real server group and provide identical services. >>...
  • Page 95 Web OS 10.0 Application Guide Attach the network interface to the backbone. >> OSPF Area (index) 1 # ../if 1 (Select OSPF menu for IP interface 1) >> OSPF Interface 1 # aindex 0 (Attach network to backbone index) (Enable the backbone interface) >>...
  • Page 96 Web OS 10.0 Application Guide Configuring OSPF for Host Routes on Web Switch 2 Configure basic SLB parameters. Web switch 2 is connected to two real servers. Each real server is given an IP address and is placed in the same real server group. (Select menu for real server 1) >>...
  • Page 97 Web OS 10.0 Application Guide Enable OSPF on Web switch #2. >> IP Interface 2 # ../ospf/on (Enable OSPF on Web switch #2) Define the backbone. >> Open Shortest Path First # aindex 0 (Select menu for area index 0) (Set the ID for backbone area 0) >>...
  • Page 98: Verifying Ospf Configuration

    Web OS 10.0 Application Guide Configure host routes. Host routes are configured just like those on Web switch 1, except their costs are reversed. Since virtual server 10.10.10.2 is preferred for Web switch 2, its host route has been given a low cost.
  • Page 99: Chapter 5: Secure Switch Management

    CHAPTER Secure Switch Management This chapter discusses the use of secure tunnels so that the data on the network is encrypted and secured for messages between a remote administrator and the switch. To limit access to the switch’s Management Processor without having to configure filters for each switch port, you can set a source IP address (or range) that will be allowed to connect to the switch IP interface through Telnet, SSH, SNMP, or the Web OS Browser-Based Interface (BBI).
  • Page 100: Setting Allowable Source Ip Address Ranges

    Web OS 10.0 Application Guide Setting Allowable Source IP Address Ranges The allowable management IP address range is configured using the system mnet and mmask options available on the Command Line Interface (CLI) System Menu (/cfg/sys). – The mnet and mmask commands in the /cfg/slb/adv menu are used for a different purpose.
  • Page 101: Secure Switch Management

    Web OS 10.0 Application Guide Secure Switch Management Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured management: Authentication of remote administrators Authentication is the action of determining and verifying who the administrator is; it usually involves a name and a password.
  • Page 102: Requirements

    Web OS 10.0 Application Guide Requirements The following components are required for authorization and authentication: A remote administrator The Web switch with authentication and authorization protocol support, acting as a client in the AA model A back-end authentication and authorization server that performs the following functions: Authenticates remote administrators Checks the remote administrator’s authorization to access the switch Optionally, tracks and logs the administrator’s activity while logging on...
  • Page 103: Radius Authentication And Authorization

    Web OS 10.0 Application Guide RADIUS Authentication and Authorization RADIUS is an access server authentication, authorization, and accounting protocol used to secure remote access to networks and network services against unauthorized access. RADIUS consists of three components: A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866) A centralized server that stores all the user authorization information A client, in this case, the switch The operation of RADIUS authentication and authorization protocol is based on the AA model...
  • Page 104: Radius Authentication Features In Web Os

    Web OS 10.0 Application Guide RADIUS Authentication Features in Web OS The following RADIUS authentication features are supported in Web OS: Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and 2866. Enables/disables support of RADIUS authentication and authorization. The default disables the use of RADIUS for authentication and authorization.
  • Page 105: Web Switch User Accounts

    Web OS 10.0 Application Guide Web Switch User Accounts The user accounts listed in Table 5-1 can be defined in the RADIUS server dictionary file. Table 5-1 User Access Levels (columns: User Account, Description and Tasks Performed, Password) User Account: User. Description and Tasks Performed: The User has no direct responsibility for switch management. He/she can view all switch status information and statistics but cannot make any configuration changes to the switch. Password: user.
  • Page 106: Table 5-2 Web Os Alteon Levels

    Web OS 10.0 Application Guide When the user logs in, the switch authenticates his/her level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server. If the remote user is successfully authenticated by the authentication server, the switch will verify the privileges of the remote user and authorize the appropriate access.
  • Page 107: Secure Shell And Secure Copy

    Web OS 10.0 Application Guide Secure Shell and Secure Copy Although a remote network administrator can manage the configuration of an Alteon Web switch via Telnet, this method does not provide a secure connection. Using Secure Shell (SSH) and Secure Copy (SCP), messages between a remote administrator and the switch use secure tunnels so that the data on the network is encrypted and secured.
  • Page 108: Encryption Of Management Messages

    Web OS 10.0 Application Guide – A maximum of four simultaneous Telnet/SSH/SCP connections is allowed at one time. The /cfg/sys/radius/telnet command also applies to SSH/SCP connections. Encryption of Management Messages The supported encryption and authentication methods for both SSH and SCP are listed below: Server Host Authentication: Client RSA authenticates the switch at the beginning of every connection...
  • Page 109: Rsa Host And Server Keys

    Web OS 10.0 Application Guide RSA Host and Server Keys To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the Web switch. The server key is 768 bits and is used to make it impossible to decipher a captured session by breaking into the Web switch at a later time.
  • Page 110: Radius Authentication

    Web OS 10.0 Application Guide RADIUS Authentication SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS servers for authentication. The redirection is transparent to the SSH clients. SecurID Support SSH/SCP can also work with SecurID, a token card-based authentication method.
  • Page 111 Web OS 10.0 Application Guide Configuring SSH/SCP SSH/SCP parameters can be configured only via the console port, using the CLI. The switch SSH daemon uses TCP port 22 only and is not configurable. To enable or disable the SSH/SCP feature, use the following commands: (Turn SSH/SCP on) >>...
  • Page 112 Web OS 10.0 Application Guide To save the current configuration to FLASH, use this command: >> # save Usually, there will be no need to manually generate the RSA host and server keys. However, you may still do so by using the following commands: (Generates the host key) >>...
  • Page 113: Port Mirroring

    Web OS 10.0 Application Guide Port Mirroring Port mirroring is implemented to enhance the security of your network. For example, an IDS server can be connected to the monitor port to detect intruders attacking the network. The port mirroring feature in Web OS 10.0 allows you to attach a sniffer to a monitoring port that is configured to receive a copy of every single packet that is forwarded from the mirrored port.
  • Page 114 Web OS 10.0 Application Guide – Port mirroring and bandwidth management cannot be enabled at the same time. To configure port mirroring for the example shown in Figure 5-2, Specify the monitoring port. (Select port 5 for monitoring) monport 5 >>...
  • Page 115 Part 2: Web Switching Fundamentals Internet traffic consists of myriad services and applications which use the Internet Protocol (IP) for data delivery. IP, however, is not optimized for all the various applications. Web switching goes beyond IP and makes intelligent switching decisions based on the application and its data.
  • Page 117: Chapter 6: Server Load Balancing

    CHAPTER Server Load Balancing Server Load Balancing (SLB) allows you to configure the Alteon Web switch to balance user session traffic among a pool of available servers that provide shared services. The following sections in this chapter describe how to configure and use SLB: “Understanding Server Load Balancing”...
  • Page 118: Understanding Server Load Balancing

    Web OS 10.0 Application Guide Understanding Server Load Balancing SLB benefits your network in a number of ways: Increased efficiency for server utilization and network bandwidth With SLB, your Alteon Web switch is aware of the shared services provided by your server pool and can then balance user session traffic among the available servers.
  • Page 119: How Server Load Balancing Works

    Web OS 10.0 Application Guide How Server Load Balancing Works In an average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access to applications or data that is in high demand, it can become overutilized. Placing this kind of strain on a server can decrease the performance of the entire network as user requests are rejected by the server and then resubmitted by the user stations.
  • Page 120 Web OS 10.0 Application Guide The Web switch, with SLB software, acts as a front-end to the servers, interpreting user session requests and distributing them among the available servers. Load balancing in Web OS can be done in the following ways: Virtual server-based load balancing This is the traditional load balancing method.
  • Page 121: Implementing Basic Server Load Balancing

    Web OS 10.0 Application Guide Implementing Basic Server Load Balancing Consider a situation where customer Web sites are being hosted by a popular Web hosting company and/or Internet Service Provider (ISP). The Web content is relatively static and is kept on a single NFS server for easy administration. As the customer base increases, the number of simultaneous Web connection requests also increases.
  • Page 122: Network Topology Requirements

    Web OS 10.0 Application Guide All of the above issues can be addressed by adding an Alteon Web switch with SLB software. Reliability is increased by providing multiple paths from the clients to the Web switch and by accessing a pool of servers with identical content. If one server fails, the others can take up the additional load.
  • Page 123: Figure 6-5: Example Network For Client/Server Port Configuration

    Web OS 10.0 Application Guide Some services require that a series of client requests go to the same real server so that session-specific state data can be retained between connections. Services of this nature include Web search results, multi-page forms that the user fills in, or custom Web-based applications typically created using cgi-bin scripts.
  • Page 124: Configuring Server Load Balancing

    Web OS 10.0 Application Guide Configuring Server Load Balancing This section describes the steps for configuring an SLB Web hosting solution. In the following procedure, many of the SLB options are left to their default values. See “Additional Server Load Balancing Options” on page 128 for more options.
  • Page 125 Web OS 10.0 Application Guide Define an IP interface on the switch. The switch must have an IP route to all of the real servers that receive Web switching services. For SLB, the switch uses this path to determine the level of TCP/IP reach of the real servers. To configure an IP interface for this example, enter these commands from the CLI: (Select IP interface 1) >>...
  • Page 126: Table 6-2 Web Host Example: Port Usage

    Web OS 10.0 Application Guide Define a virtual server. All client requests will be addressed to a virtual server IP address on a virtual server defined on the switch. Clients acquire the virtual server IP address through normal DNS resolution. In this example, HTTP is configured as the only service running on this virtual server, and this service is associated with the real server group.
  • Page 127 Web OS 10.0 Application Guide The ports are configured as follows: >> Virtual server 1# /cfg/slb/port 1 (Select physical switch port 1) >> SLB port 1# server ena (Enable server processing on port 1) >> SLB port 1# ../port 2 (Select physical switch port 2) (Enable server processing on port 2) >>...
  • Page 128: Additional Server Load Balancing Options

    Web OS 10.0 Application Guide Additional Server Load Balancing Options In the previous section (“Configuring Server Load Balancing” on page 124), many of the SLB options are left to their default values. The following configuration options can be used to customize SLB on your Web switch: “Supported Services and Applications”...
  • Page 129 Web OS 10.0 Application Guide Disabling and Enabling Real Servers If you need to reboot a server, you must make sure that new sessions are not sent to the real server and that old sessions are not discarded. When the session count gets to zero, you may shut down the server.
  • Page 130 Web OS 10.0 Application Guide Health Checks for Real Servers Determining health for each real server is a necessary function for SLB. By default for TCP services, the switch checks health by opening a TCP connection to each service port configured as part of each service.
  • Page 131 Web OS 10.0 Application Guide Metrics for Real Server Groups Metrics are used for selecting which real server in a group will receive the next client connection. The available metrics minmisses (minimum misses), hash, leastconns (least connections), roundrobin, bandwidth, and response (response time) are explained in detail below.
  • Page 132 Web OS 10.0 Application Guide Hash The hash metric uses IP address information in the client request to select a server. The specific IP address information used depends on the application: For Application Redirection, the client destination IP address is used. All requests for a specific IP destination address will be sent to the same server.
  • Page 133 Web OS 10.0 Application Guide Response Time The response metric uses real server response time to assign sessions to servers. The response time between the servers and the switch is used as the weighting factor. The switch monitors and records the amount of time it takes for each real server to reply to a health check to adjust the real server weights.
  • Page 134 Web OS 10.0 Application Guide Weights for Real Servers Weights can be assigned to each real server. These weights bias load balancing to give the fastest real servers a larger share of connections. Weight is specified as a number from 1 to 48. Each increment increases the number of connections the real server gets.
  • Page 135 Web OS 10.0 Application Guide Backup/Overflow Servers A real server can back up other real servers and can handle overflow traffic when the maximum connection limit is reached. Each backup real server must be assigned a real server number and real server IP address. It must then be enabled. Finally, the backup server must be assigned to each real server that it will back up.
  • Page 136: Extending Slb Topologies

    Web OS 10.0 Application Guide Extending SLB Topologies For standard SLB, all client-to-server requests to a particular virtual server and all related server-to-client responses must pass through the same Web switch. In complex network topologies, routers and other devices can create alternate paths around the Web switch managing SLB functions (see Figure 6-4 on page 122).
  • Page 137: Table 6-4 Proxy Example: Port Usage

    Web OS 10.0 Application Guide The following procedure can be used for configuring proxy IP addresses: Disable server processing on affected switch ports. When implementing proxies, switch ports can be reconfigured to disable server processing. Referring to Table 6-2 on page 126, the following revised port conditions are used: Table 6-4 Proxy Example: Port Usage Port...
  • Page 138 Web OS 10.0 Application Guide If the Virtual Matrix Architecture (VMA) feature is enabled, add proxy IP addresses for all other switch ports (except port 9). VMA is normally enabled on the switch. In addition to enhanced resource management, VMA eliminates many of the restrictions found in earlier versions of the Web OS.
  • Page 139: Mapping Ports

    Web OS 10.0 Application Guide Mapping Ports An Alteon Web switch allows you to hide the identity of a port for security by mapping a virtual server port to a different real server port. Mapping a Virtual Server Port to a Real Server Port In addition to providing direct real server access in some situations (see “Mapping Ports”...
  • Page 140: Figure 6-6: Basic Virtual Port To Real Port Mapping Configuration

    Web OS 10.0 Application Guide Consider the following network: [Figure 6-6 Basic Virtual Port to Real Port Mapping Configuration: Web clients on the Internet reach the Web switch through the Web host routers; real servers 192.168.2.1, 192.168.2.2, 192.168.2.3, and 192.168.2.4 each listen on ports 8001 and 8002.] Domain Name / virtual server IP / Ports Activated / Port Mapping...
  • Page 141 Web OS 10.0 Application Guide Load Balancing Metric For each service, a real server is selected using the configured load balancing metric (hash, leastconns, minmisses, or roundrobin). To ensure even distribution, once an available server is selected, the switch will use the roundrobin metric to choose a real port to receive the incoming connection.
  • Page 142: Direct Server Interaction

    Web OS 10.0 Application Guide Turn on multiple rport for Port 80. >> # /cfg/slb/virt 1/service 80/rport 0 Add the ports to which the Web server listens. >> # /cfg/slb/real 1/addport 8001 (Add port 8001 to real server 1) (Add port 8002 to real server 1) >>...
  • Page 143: Figure 6-7: Direct Server Return

    Web OS 10.0 Application Guide The sequence of steps that is executed in this scenario is shown in Figure 6-7: [Figure 6-7 Direct Server Return: Client, Internet, Web switch, Layer 2 switch, server farm] A client request is forwarded to the Web switch. Because only MAC addresses are substituted, the switch forwards the request to the best server, based on the configured load-balancing policy.
  • Page 144: Figure 6-8: Mapped And Nonmapped Server Access

    Web OS 10.0 Application Guide Using Proxy IP Addresses Proxy IP addresses are used primarily to eliminate SLB topology restrictions in complex networks (see “Proxy IP Addresses” on page 136). Proxy IP addresses can also provide direct access to real servers. If the switch port to the client is configured with a proxy IP address, the client can access each real server directly using the real server’s IP address.
  • Page 145 Web OS 10.0 Application Guide Monitoring Real Servers Typically, the management network is used by network administrators to monitor real servers and services. By configuring the mnet and mmask options of the SLB Configuration Menu (/cfg/slb/adv), you can access the real services being load balanced. –...
  • Page 146: Delayed Binding

    Web OS 10.0 Application Guide Delayed Binding The delayed binding feature on the switch prevents SYN Denial-of-Service (DoS) attacks on the server. DoS occurs when the server or switch is denied servicing the client because it is saturated with invalid traffic. Typically, a three-way handshake occurs before a client connects to a server.
  • Page 147: Figure 6-10 Repelling Dos Syn Attacks With Delayed Binding

    Web OS 10.0 Application Guide Normal Request with Delayed Binding (participants: Client, Internet, Web Switch, Server): (1) Client sends a SYN request; (2) Switch responds with special SYN ACK; (3) Client sends an ACK or DATA REQ; (4) Switch recognizes valid three-way handshake; (5) Switch sends a SYN request to server; (6) Server responds with SYN ACK; (7) Switch sends ACK or DATA REQ; (8) Server responds with DATA and switch splices connection to client...
  • Page 148 Web OS 10.0 Application Guide Configuring Delayed Binding To configure your switch for delayed binding, use the following command: >> # /cfg/slb/virt <virtual server number>/service <service type>/dbind – Enable delayed binding without configuring any HTTP SLB processing or persistent binding types. To configure delayed binding for Web cache redirection, see “Delayed Binding for Web Cache Redirection”...
  • Page 149: Load Balancing Special Services

    Web OS 10.0 Application Guide Load Balancing Special Services This section discusses load balancing based on special services, such as: IP Server Load Balancing; FTP Server Load Balancing; Domain Name Server (DNS) Load Balancing; Real Time Streaming Protocol SLB; Wireless Application Protocol SLB; Intrusion Detection System Server Load Balancing; WAN Link Load Balancing. IP Server Load Balancing...
  • Page 150: Ftp Server Load Balancing

    Web OS 10.0 Application Guide FTP Server Load Balancing As defined in RFC 959, FTP uses two connections—one for control information and another for data. Each connection is unique. Unless the client requests a change, the server always uses TCP port 21 (a well-known port) for control information, and TCP port 20 as the default data port.
  • Page 151: Figure 6-11 Layer 4 Dns Load Balancing

    Web OS 10.0 Application Guide Domain Name Server (DNS) Load Balancing In previous releases of Web OS, DNS load balancing was based on virtual server IP address and virtual port (VPORT) only. In Web OS 10.0 however, DNS load balancing allows you to choose the service based on the two forms of DNS queries: UDP and TCP.
  • Page 152: Preconfiguration Tasks

    Web OS 10.0 Application Guide Preconfiguration Tasks Enable server load balancing. >> # /cfg/slb/ena Configure the four real servers and their real IP addresses. >> # /cfg/slb/real 20 >> Real server 20 # ena (Enable real server 20) >> Real server 20 # rip 10.10.10.20 (Specify the IP address) >>...
  • Page 153 Web OS 10.0 Application Guide Configuring UDP-based DNS Load Balancing Configure and enable a virtual server IP address 1 on the switch. >> # /cfg/slb/virt 1/vip 20.20.20.20 (Specify the virt server IP address) >> Virtual Server 1# ena (Enable the virtual server) Set up the DNS service for the virtual server, and add real server group 1.
  • Page 154 Web OS 10.0 Application Guide Configuring TCP-based DNS Load Balancing Configure and enable the virtual server IP address 2 on the switch. >> # /cfg/slb/virt 2/vip 20.20.20.20 (Specify the virt server IP address) >> Virtual Server 2# ena (Enable the virtual server) Set up the DNS service for the virtual server, and select real server group 2.
  • Page 155: Real Time Streaming Protocol Slb

    Web OS 10.0 Application Guide Real Time Streaming Protocol SLB Real Time Streaming Protocol (RTSP) is an application-level protocol for control over the delivery of data with real-time properties as documented in RFC 2326. RTSP is used as a “network remote control” for multimedia servers. Typically, a multimedia presentation consists of several streams of data (for example, video stream, audio stream, and text) that must be presented in a synchronized fashion.
  • Page 156 Web OS 10.0 Application Guide Corporation, and Quicktime Streaming Server marketed by Apple Inc. The RTSP stream setup sequence is different for these two servers, and the switch handles each differently. Some of these differences are described below. Real Server Real Server supports both UDP and TCP transport protocols for the RTSP streams.
  • Page 157 Web OS 10.0 Application Guide Configuring RTSP Load Balancing Before configuring your Web switch for RTSP load balancing, do the following: Enable Virtual Matrix Architecture (VMA); Enable Direct Access Mode (DAM); Disable port-based Bandwidth Management; Disable proxy IP addressing. To configure a virtual server for Layer 4 load balancing of RTSP, select rtsp or port 554 as a service for the virtual server.
  • Page 158: Wireless Application Protocol Slb

    Web OS 10.0 Application Guide Wireless Application Protocol SLB Wireless Application Protocol (WAP) is an open, global specification for a suite of protocols designed to allow wireless devices to communicate and interact with other devices. It empowers mobile users with wireless devices to easily access and interact with information and services instantly by allowing non-voice data, such as text and images, to pass between these devices and the Internet.
  • Page 159 Web OS 10.0 Application Guide TPCP is Alteon’s proprietary protocol that is used to establish communication between the RADIUS servers and the Alteon Web switch. It is UDP-based and uses ports 3121, 1812, and 1645. Using TPCP, a static session entry is added or removed by the external devices, such as the RADIUS servers.
  • Page 160 Web OS 10.0 Application Guide Using RADIUS Snooping RADIUS snooping allows the Alteon Web switch to examine RADIUS accounting packets for client information. This information is needed to add to or delete static session entries from the session table of the switch so that it can perform the required persistency for load balancing. A static session entry does not age out.
  • Page 161 Web OS 10.0 Application Guide Preconfiguring WAP Server Load Balancing Configure WAP server load balancing on Alteon AD4 and Alteon 184 platforms only. Enable Virtual Matrix Architecture (VMA). >> # /cfg/slb/adv/matrix ena Disable DAM (Direct Access Mode). >> # /cfg/slb/adv/direct dis Disable pbind and enable udp under the WAP services (ports 9200 to 9203) menu.
  • Page 162 Web OS 10.0 Application Guide If a session entry for a client cannot be added because of resource constraints, the subsequent WAP packets for that client will not be load balanced correctly; and the client will need to drop the connection and then reconnect to his wireless service. The persistence of a session cannot be maintained if the number of healthy real WAP gateways changes during the session.
  • Page 163: Intrusion Detection System Server Load Balancing

    Web OS 10.0 Application Guide Intrusion Detection System Server Load Balancing Intrusion Detection System (IDS) is a type of security management system for computers and networks. An Intrusion Detection System gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
  • Page 164 Web OS 10.0 Application Guide Load Balancing Metrics for IDS The following metrics are supported in IDS load balancing: minmisses; roundrobin (disable delayed binding if you select this metric); hash. To select a real server, Web OS allows you to implement the hash metric in two ways: Client processing on port: If the port is configured for client processing only, then the switch hashes on the source IP address.
  • Page 165 Web OS 10.0 Application Guide Create a group and add IDS servers to the group. Each IDS server must be connected directly to a different switch port or VLAN. If the IDS group will be configured for link health check, match the IDS server number to the physical port number (1 to 9) to which it is connected.
  • Page 166: Wan Link Load Balancing

    Web OS 10.0 Application Guide WAN Link Load Balancing Wide Area Networking (WAN) is a telecommunications network system spread across a broad geographic area. A WAN may be privately owned or rented, but the term usually means the inclusion of public (shared user) networks, such as the telephone system. WANs can also be connected through leased lines and satellites.
  • Page 167 Web OS 10.0 Application Guide To configure the switch for WAN link load balancing: Define a real server with proxy disabled. >> # /cfg/slb/real 1 (Select the real server menu) >> Real server 1# ena (Enable real server 1) >> Real server 1# rip <IP address> (Set the real server IP address) (Disable proxy) >>...
  • Page 169: Chapter 7: Filtering

    CHAPTER Filtering This chapter provides a conceptual overview of filters and includes configuration examples showing how filters can be used for network security and Network Address Translation (NAT). The following topics are discussed in this chapter: “Overview” on page 170. This section describes the benefits and filtering criteria to allow for extensive filtering at the IP and TCP/UDP levels.
  • Page 170: Overview

    Web OS 10.0 Application Guide Overview Alteon Web switches are used to deliver content efficiently and secure your servers from unauthorized intrusion, probing, and Denial-of-Service (DoS) attacks. Web OS includes extensive filtering capabilities at the IP and TCP/UDP levels. Filtering Benefits Layer 3 (IP) and Layer 4 (application) filtering give the network administrator a powerful tool with the following benefits:...
  • Page 171: Table 7-1 Well-Known Protocol Types

    Web OS 10.0 Application Guide proto: protocol number or name as shown in Table 7-1 Table 7-1 Well-Known Protocol Types (columns: Number, Protocol Name; listed protocol names: icmp, igmp, ospf, vrrp) sport: TCP/UDP application or source port as shown in Table 7-2, or source port range (such as 31000-33000) Table 7-2 Well-Known Application Ports Number TCP/UDP...
  • Page 172: Stacking Filters

    Web OS 10.0 Application Guide Stacking Filters Stacking filters are assigned and enabled on a per-port basis. Each filter can be used by itself or in combination with any other filter on any given switch port. The filters are numbered 1 through 2048 on Alteon 184 and Alteon AD4 Web switches, and 1 through 224 on other Alteon Web switches.
  • Page 173: The Default Filter

    The Default Filter Before filtering can be enabled on any given port, a default filter should be configured. This filter handles any traffic not covered by any other filter. All the criteria in the default filter must be set to the full range possible (any).
  • Page 174: Vlan-Based Filtering

    VLAN-based Filtering Filters are applied per switch, per port, or per VLAN. VLAN-based filtering allows a single Web switch to provide differentiated services for multiple customers, groups, or departments. For example, you can define separate filters for Customers A and B on the same Web switch on two different VLANs.
  • Page 175 Configuring VLAN-based Filtering Configure filter 2 to allow local clients to browse the Web and then assign VLAN 20 to the filter. The filter must recognize and allow TCP traffic from VLAN 20 to reach the local client destination IP addresses if originating from any HTTP source port: (Select the menu for Filter 2) >>...
  • Page 176: Optimizing Filter Performance

    Configure Filter 7 to deny traffic and then assign VLAN 70 to the filter. As a result, ingress traffic from VLAN 70 is denied entry to the switch. (Select the menu for Filter 7) >> # /cfg/slb/filt 7 (From any source IP address) >>...
  • Page 177 Example: A network administrator has noticed a significant number of ICMP frames on one portion of the network and wants to determine the specific sources of the ICMP messages. The administrator uses the Command Line Interface (CLI) to create and apply the following filter: (Select filter 15) >>...
  • Page 178: Cache-Enabled Versus Cache-Disabled Filters

    IP Address Ranges You can specify a range of IP addresses for filtering the source and/or destination IP address of traffic. When a range of IP addresses is needed, the source IP (sip) address or destination IP (dip) address defines the base IP address in the desired range.
  • Page 179: Tcp Rate Limiting

    TCP Rate Limiting Web OS 10.0 allows you to prevent a client or a group of clients from claiming all the TCP resources on the servers. This is done by monitoring the rate of incoming TCP connection requests to a virtual IP address and limiting the client requests with a known set of IP addresses.
  • Page 180: Configuring Tcp Rate Limiting Filters

    ...Figure 7-5, the default filter 224 configured for Any is applied for all other connection requests. [Figure 7-5: clients 1 through 4 on the Internet side of the Web switch, with limits of 10, 20, 30 and 10 conn/sec respectively; real servers behind the switch; Filter 10: 10 conn/sec...]
  • Page 181 Set the timewin parameter and calculate the total time window in seconds. (Set the time window) >> # /cfg/slb/adv/timewin 3 The total time window is a multiple of fastage (for information on fastage, see the Configuration chapter in the Web OS 10.0 Command Reference).
  • Page 182 TCP Rate Limiting Filter Based on Source IP Address This example shows how to define a filter that limits clients with IP address 30.30.30.x to 150 TCP connections per second. Once a user exceeds that limit, they are not allowed any new TCP connections for 10 minutes.
  • Page 183: Figure 7-6: Limiting User Access To Server

    TCP Rate Limiting Filter Based on Virtual Server IP Address This example defines a filter that limits clients to 100 TCP connections per second to a specific destination (VIP 10.10.10.100). Once a client exceeds that limit, the client is not allowed to make any new TCP connection request to that destination for 40 minutes.
  • Page 184: Tunable Hash For Filter Redirection

    All clients are limited to 100 new TCP connections/second to the server. If a client exceeds this rate, then the client is not allowed to make any new TCP connections to the server for 40 minutes.
  • Page 185: Filter-Based Security

    Filter-based Security This section provides an example of configuring filters for providing the best security. It is generally recommended that you configure filters to deny all traffic except for those services that you specifically wish to allow. Consider the following sample network: [Figure: Alteon Web Switch, Internet, Client, Switch...]
  • Page 186: Table 7-4 Web Cache Example: Real Server Ip Addresses

    Configuring a Filter-Based Security Solution Before you begin, you must be connected to the switch CLI as the administrator. In this example, all filters are applied only to the switch port that connects to the Internet. If intranet restrictions are required, filters can be placed on switch ports connecting to local devices.
  • Page 187 Create a filter that will allow external HTTP requests to reach the Web server. The filter must recognize and allow TCP traffic with the Web server’s destination IP address and HTTP destination port: >> Filter 224# ../filt 1 (Select the menu for filter 1) (From any source IP address) >>...
  • Page 188 Create a filter that will allow local clients to browse the Web. The filter must recognize and allow TCP traffic to reach the local client destination IP addresses if traffic originates from any HTTP source port: >>...
  • Page 189 For UDP: >> Filter 5# ../filt 6 (Select the menu for Filter 6) >> Filter 6# sip any (From any source IP address) >> Filter 6# dip 205.177.15.4 (To local DNS Server) (Set mask for exact dest. address) >>...
  • Page 190 Assign the filters to the switch port that connects to the Internet. >> Filter 9# ../port 5 (Select the SLB port 5 to the Internet) >> SLB Port 5# add 1-9 (Add filters 1-9 to port 5) (Add the default filter to port 5) >>...
  • Page 191: Network Address Translation

    Network Address Translation Network Address Translation (NAT) is an Internet standard that enables an Alteon Web switch to use one set of IP addresses for internal traffic and a second set of addresses for external traffic.
  • Page 192: Figure 7-8: Static Network Address Translation

    In this example, clients on the Internet require access to servers on the private network: [Figure 7-8: External clients on the Internet reach the public IP address 205.178.13.x through a router; the outbound filter applies NAT source to translate to the public address; the inbound filter applies NAT destination to translate to the private address of the server 10.10.10.1 on the private network...]
  • Page 193: Dynamic Nat

    Note the following important points about this configuration: Within each filter, the smask and dmask values are identical. All parameters for both filters are identical except for the NAT direction: for Filter 10, nat source is used; for Filter 11, nat dest is used. Filters for static (non-proxy) NAT should take precedence over dynamic NAT filters (following example).
  • Page 194 Configuring Dynamic NAT >> # /cfg/slb/filt 14 (Select the menu for client filter) >> Filter 14# invert ena (Invert the filter logic) >> Filter 14# dip 10.10.10.0 (If the destination is not private) (For the entire private subnet range) >>...
  • Page 195: Ftp Client Nat

    FTP Client NAT Alteon Web switches provide NAT services to many clients with private IP addresses. In Web OS, an FTP enhancement provides the capability to perform true FTP NAT for dynamic NAT. Because of the way FTP works in active mode, a client sends information on the control channel, information that reveals its private IP address, out to the Internet.
  • Page 196 Configuring Active FTP Client NAT – The passive mode does not need this feature. Make sure that a proxy IP address is enabled on the filter port. Make sure that a source NAT filter is set up for the port: (Select the menu for client filter) >>...
  • Page 197: Matching Tcp Flags

    Matching TCP Flags Web OS supports packet filtering based on any of the following TCP flags. Table 7-5 TCP Flags (columns: Flag, Description; entries: Urgent, Acknowledgement, Push, Reset, Synchronize, Finish). Any filter may be set to match against more than one TCP flag at the same time. If more than one flag is enabled, the flags are applied with a logical AND operator.
  • Page 198 In this network, the Web servers inside the LAN must be able to transfer mail to any SMTP-based mail server out on the Internet. At the same time, you want to prevent access to the LAN from the Internet, except for HTTP.
  • Page 199 A filter that allows SMTP traffic from the Internet to pass through the switch only if the destination is one of the Web servers, and the frame is an acknowledgment (ACK) of a TCP session. (Select a filter for Internet SMTP ACKs) >>...
  • Page 200 A default filter is required to deny all other traffic. >> Filter 17# ../filt 224 (Select a default filter) >> Filter 224# sip any (From any source IP address) >> Filter 224# dip any (To any destination IP address) (Block matching traffic) >>...
  • Page 201: Matching Icmp Message Types

    Matching ICMP Message Types Internet Control Message Protocol (ICMP) is used for reporting TCP/IP processing errors. There are numerous types of ICMP messages, as shown in Table 7-6. Although ICMP packets can be filtered using the proto icmp option, by default, the Web switch ignores the ICMP message type when matching a packet to a filter.
  • Page 202 The command to enable or disable ICMP message type filtering is entered from the Advanced Filtering menu as follows: /cfg/slb/filt <filter number>/adv >> # icmp <message type|number|any list> >> Filter 1 Advanced# For any given filter, only one ICMP message type can be set at any one time. The any option disables ICMP message type filtering.
  • Page 203: Chapter 8: Application Redirection

    Chapter 8: Application Redirection. Application Redirection improves network bandwidth and provides unique network solutions. Filters can be created to redirect traffic to cache and application servers, improving the speed of repeated client access to common Web or application content and freeing valuable network bandwidth.
  • Page 204: Web Cache Redirection Environment

    Overview Most of the information downloaded from the Internet is not unique, as clients will often access the Web page many times for additional information or to explore other links. Duplicate information also gets requested as the components that make up Internet data at a particular Web site (pictures, buttons, frames, text, and so on) are reloaded from page to page.
  • Page 205: Additional Application Redirection Options

    The network needs a solution that addresses the following key concerns: The solution must be readily scalable. The administrator should not need to reconfigure all the clients’ browsers to use proxy servers. [Figure: HTTP requests from the client are redirected at the switch...]
  • Page 206: Table 8-1 Web Cache Example: Real Server Ip Addresses

    Web Cache Configuration Example The following is required prior to configuration: You must connect to the Web switch Command Line Interface (CLI) as the administrator. Optional Layer 4 software must be enabled. – For details about the procedures above, and about any of the menu commands described in this example, see the Web OS Command Reference.
  • Page 207 Install transparent Web cache software on all three Web cache servers. Define an IP interface on the Web switch. Since, by default, the Web switch only remaps destination MAC addresses, it must have an IP interface on the same subnet as the three Web cache servers.
  • Page 208 Set the real server group metric to minmisses. This setting helps minimize Web cache misses in the event real servers fail or are taken out of service: >> Real server group 1# metric minmisses (Metric for minimum cache misses.) Verify that server processing is disabled on the ports supporting application redirection.
  • Page 209 Create a default filter. In this case, the default filter will allow all noncached traffic to proceed normally: >> Filter 2# ../filt 224 (Select the default filter) >> Filter 224# sip any (From any source IP addresses) (To any destination IP addresses) >>...
  • Page 210 Save your new configuration changes. >> Layer 4# save (Save for restore after reboot) Check the SLB information. >> Layer 4# /info/slb (View SLB information) Check that all SLB parameters are working according to expectation. If necessary, make any appropriate configuration changes and then check the information again.
  • Page 211: Rtsp Web Cache Redirection

    RTSP Web Cache Redirection Web OS 10.0 supports Web Cache Redirection (WCR) for Real Time Streaming Protocol (RTSP). RTSP WCR is similar to HTTP WCR in configuration and in concept. Multimedia presentations consume a lot of Internet bandwidth. The quality of these presentations depends upon the real time delivery of the data.
  • Page 212 Configure an RTSP redirection filter to cache data and balance the load among the cache servers. >> # /cfg/slb/filt 1 (Select the menu for filter 1) >> Filter 1# action redir (Set the action for redirection) (Enter TCP protocol) >>...
  • Page 213: Ip Proxy Addresses For Nat

    IP Proxy Addresses for NAT Transparent proxies provide the benefits listed below when used with application redirection. Application redirection is automatically enabled when a filter with the redir action is applied on a port. With proxy IP addresses configured on redirected ports, the Web switch can redirect client requests to servers located on any subnet, anywhere.
  • Page 214 The following commands can be used to configure the additional unique proxy IP addresses: >> SLB port 6# ../port 1 (Select network port 1) >> SLB port 1# pip 200.200.200.70 (Set proxy IP address for port 1) (Select network port 2) >>...
  • Page 215: Excluding Noncacheable Sites

    Excluding Noncacheable Sites Some Web sites provide content that is not well suited for redirection to cache servers. Such sites might provide browser-based games or applications that keep real-time session information or authenticate by client IP address. To prevent such sites from being redirected to cache servers, create a filter which allows this specific traffic to pass normally through the Web switch.
  • Page 217: Chapter 9: Virtual Matrix Architecture

    Chapter 9: Virtual Matrix Architecture. Virtual Matrix Architecture (VMA) is a hybrid architecture that takes full advantage of the distributed processing capability in Alteon Web switches. With VMA, the switch makes optimal use of system resources by distributing the workload to multiple processors, thereby improving switch performance and increasing session capacity.
  • Page 218 Frames ingressing a port that has been configured with a proxy IP address and the proxy option enabled (/cfg/slb/port x/proxy ena) can be processed using a proxy IP address by any switch port. The client source address is substituted with the proxy IP address of the port processing the request.
  • Page 219: Chapter 10: Health Checking

    Chapter 10: Health Checking. Content intelligent Web switches allow Web masters to customize server health checks to verify content accessibility in large Web sites. As the amount of content grows and information is distributed across different server farms, flexible, customizable content health checks are critical to ensure end-to-end availability.
  • Page 220 “FTP Server Health Checks” on page 234. This section describes how the File Transfer Protocol (FTP) server is used to perform health checks and explains how to configure the switch to perform FTP health checks. “POP3 Server Health Checks”...
  • Page 221: Real Server Health Checks

    Real Server Health Checks Alteon Web switches running Server Load Balancing (SLB) monitor the servers in the real server group and the load-balanced application(s) running on them. If a switch detects that a server or application has failed, it will not direct any new connection requests to that server. When a service fails, an Alteon Web switch can remove the individual service from the load-balancing algorithm without affecting other services provided by that server.
  • Page 222: Dsr Health Checks

    DSR Health Checks Direct Server Return (DSR) health checks are used to verify the existence of a server-provided service where the server replies directly back to the client without responding through the virtual server IP address. In this configuration, the server will be configured with a real server IP address and virtual server IP address.
  • Page 223: Link Health Checks

    Link Health Checks Link health check is performed at the Layer 1 (physical) level. The server is considered to be up when the link (connection) is present and the server is considered to be down when the link is absent.
  • Page 224: Tcp Health Checks

    TCP Health Checks TCP health checks are useful in verifying user-specific TCP applications that cannot be scripted. Session switches monitor the health of servers and applications by sending Layer 4 connection requests (TCP SYN packets) for each load-balanced TCP service to each server in the server group on a regular basis.
  • Page 225: Script-Based Health Checks

    Script-Based Health Checks The “send/expect” script-based health checks dynamically verify application and content availability using scripts. These scripts execute a sequence of tests to verify application and content availability. Configuring the Switch for Script-Based Health Checks You can configure the switch to send a series of health check requests to real servers or real server groups and monitor the responses.
  • Page 226: Script Format

    Script Format The general format for health-check scripts is shown below: open application_port (e.g., 80 for HTTP, 23 for Telnet, etc.); send request1; expect response1; send request2; expect response2; send request3; expect response3; close. – If you are doing HTTP 1.1 pipelining, you need to individually open and close each response in the script.
  • Page 227: Scripting Guidelines

    Scripting Guidelines Use generic result codes that are standard and defined by the RFC, as applicable. This helps ensure that if the customer changes server software, the servers won’t start failing unexpectedly. Search only for the smallest and most concise piece of information possible. Each script cannot exceed 1K in size, so use the space wisely.
  • Page 228 Script Example 2: GSLB URL Health Check In earlier Web OS releases, each remote Global Server Load Balancing site’s virtual server IP address was required to be a real server of the local switch. Each switch sends a health check request to the other switch’s virtual servers that are configured on the local switch.
  • Page 229 Script-based health checking is intelligent in that it will only send the appropriate requests to the relevant servers. In the example above, the first GET statement will only be sent to Real Server 1 and Real Server 2. Going through the health-check statements serially will ensure that all content is available from at least one real server on the remote site.
  • Page 230: Application-Specific Health Checks

    Application-Specific Health Checks Application-specific health checks include the following applications: “HTTP Health Checks” on page 231; “UDP-Based DNS Health Checks” on page 233; “FTP Server Health Checks” on page 234; “POP3 Server Health Checks” on page 235; “SMTP Server Health Checks”...
  • Page 231: Http Health Checks

    HTTP Health Checks HTTP-based health checks can include the hostname for HOST: headers. The HOST: header and health check URL are constructed from the following components (columns: Item, Option, Configured Under, Max. Length): Virtual server hostname, hname, /cfg/slb/virt/service, 9 characters...
  • Page 232 Health check is performed using: GET /index.html HTTP/1.1 Host: jansus Example 4: hname = (none), dname = (none), content = index.html. Health check is performed using: GET /index.html HTTP/1.0 (since no HTTP HOST: header is required) Example 5: hname = (none)...
  • Page 233: Udp-Based Dns Health Checks

    UDP-Based DNS Health Checks Web OS 10.0 supports UDP-based health checks along with TCP health checks, and performs load-balancing based on TCP and UDP protocols. DNS servers can be based on both TCP and UDP protocols. With UDP-based DNS health checks enabled, you can send TCP-based queries to one real server group and UDP-based queries to another real server group.
  • Page 234: Ftp Server Health Checks

    FTP Server Health Checks The Internet File Transfer Protocol (FTP) provides facilities for transferring files to and from remote computer systems. Usually the user transferring a file needs authority to login and access files on the remote system. This protocol is documented in RFC 1123. In normal Internet operation, the FTP server listens on the well-known port number 21 for control connection requests.
  • Page 235: Pop3 Server Health Checks

    POP3 Server Health Checks The Post Office Protocol - Version 3 (POP3) is intended to permit a workstation to dynamically access a maildrop on a server host. The POP3 protocol is used to allow a workstation to retrieve mail that the server is holding for it.
  • Page 236: Smtp Server Health Checks

    SMTP Server Health Checks Simple Mail Transfer Protocol is a protocol to transfer e-mail messages between servers reliably and efficiently. This protocol traditionally operates over TCP, port 25 and is documented in RFC 821. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another;...
  • Page 237: Imap Server Health Checks

    IMAP Server Health Checks Internet Message Access Protocol (IMAP) is a mail server protocol used between a client system and a mail server that allows a user to retrieve and manipulate mail messages. IMAP is not used for mail transfers between mail servers.
  • Page 238: Nntp Server Health Checks

    NNTP Server Health Checks Net News Transfer Protocol (NNTP) is a TCP/IP protocol based upon text strings sent bidirectionally over 7 bit ASCII TCP channels, and listens on port 119. It is used to transfer articles between servers as well as to read and post articles.
  • Page 239: Radius Server Health Checks

    RADIUS Server Health Checks The Remote Authentication Dial-In User Service (RADIUS) protocol is used to authenticate dial-up users to Remote Access Servers (RASs) and the client application they will use during the dial-up connection. RADIUS Content Health Check Enhancements: Include the switch IP as the Network-attached storage (NAS) IP parameter in the RADIUS content health check; RADIUS health check using the configured real server port (rport).
  • Page 240: Https/Ssl Server Health Checks

    Configuring the Switch for RADIUS Secret and Password RADIUS is stateless and uses UDP as its transport protocol. To support RADIUS health checking, the network administrator must configure two parameters on the switch: the /cfg/slb/secret value, and the content parameter with a username:password value. >>...
  • Page 241 WSP Content Health Checks Wireless Session Protocol content health checks can be configured in two modes: connectionless and connection-oriented. Connectionless WSP runs on UDP/IP protocol, port 9200. Therefore, Alteon Web switches can be used to load balance the gateways in this mode of operation.
  • Page 242 Enter the WSP port. >> WAP Health Check# wspport 9200 Set the offset value. >> WAP Health Check# offset 0 Because WAP gateways are UDP-based and operate on a UDP port, configure UDP service in the virtual server menu. >>...
  • Page 243: Ldap Health Checks

    Configuring the Switch for WTLS Health Checks Select the group with the WAP gateway. >> Main# /cfg/slb/group 1 (Select the Real Server Group 1 menu) Use the sndcnt command to enter the content to be sent to the WSP gateway. >>...
  • Page 244 Configuring the Switch for LDAP Health Checks Configure the switch to verify if the LDAP server is alive. Select the health check menu for the real server group. >> # /cfg/slb/group 1 Set the health check type to LDAP for the real server group. >>...
  • Page 245: Arp Health Checks

    ARP Health Checks Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory.
  • Page 246: Failure Types

    Failure Types Service Failure If a certain number of connection requests for a particular service fail, the session switch places the service into the service failed state. While in this state, no new connection requests are sent to the server for this service;...
  • Page 247: Chapter 11: High Availability

    Chapter 11: High Availability. Alteon Web switches support high-availability network topologies through an enhanced implementation of the Virtual Router Redundancy Protocol (VRRP). The following topics are discussed in this chapter: “VRRP Overview” on page 248. This section discusses VRRP operation and Web OS redundancy configurations.
  • Page 248: Vrrp Overview

    VRRP Overview In a high-availability network topology, no device can create a single point-of-failure for the network or force a single point-of-failure to any other part of the network. This means that your network will remain in service despite the failure of any single device. To achieve this usually requires redundancy for all vital network components.
  • Page 249 Virtual Router MAC Address The VRID is used to build the virtual router MAC Address. The five highest-order octets of the virtual router MAC Address are the standard MAC prefix (00-00-5E-00-01) defined in RFC 2338. The VRID is used to form the lowest-order octet. Owners and Renters Only one of the VRRP routers in a virtual interface router may be configured as the IP address owner.
  • Page 250: Figure 11-1 Example 1: Vrrp Router

    The Alteon Web switches in Figure 11-1 have been configured as VRRP routers. Together, they form a virtual interface router (VIR). [Figure 11-1: VRRP Router, VRID = 1; Router #1 = Master; Active VR IP address = 205.178.13.226; MAC address = 00.00.5E.00.01.01; Priority = 255; IP interface = 205.178.13.226...]
  • Page 251: Vrrp Operation

    VRRP Operation The host shown in Figure 11-1 is configured with the virtual interface router’s IP address as its default gateway. The master forwards packets destined to remote subnets and responds to ARP requests. In this example, the master is also the virtual interface router’s IP address owner; therefore it also responds to ICMP ping requests and IP datagrams destined for the virtual interface router's IP address.
  • Page 252: Active-Standby Failover

    Active-Standby Failover The previous text described the use of a group of VRRP routers to form a single virtual interface router. It implements a traditional hot-standby configuration in which the backup router only functions when the active router has failed. VRRP can also be used to implement active-standby configurations.
  • Page 253: Failover Methods

    Failover Methods With service availability becoming a major concern on the Internet, service providers are increasingly deploying Internet traffic control devices, such as Web switches, in redundant configurations. Traditionally, these configurations have been hot-standby configurations, where one switch is active and the other is in a standby mode.
  • Page 254: Figure 11-4 Active-Standby Redundancy

    Active-Standby Redundancy In an active-standby configuration, shown in Figure 11-4, two Web switches are used. Both switches support active traffic but are configured so that they do not simultaneously support the same service. Each switch is active for its own set of services, such as IP routing interfaces or load-balancing virtual server IP addresses, and acts as a standby for other services on the other switch.
  • Page 255: Figure 11-5 Active-Active Redundancy

    Active-Active Redundancy In an active-active configuration, two Web switches provide redundancy for each other, with both active at the same time for the same services. Web OS has extended VRRP to include virtual servers, allowing full active/active redundancy between its Layer 4 switches.
  • Page 256: Figure 11-6 Hot-Standby Redundancy

    Hot-Standby Redundancy In a hot-standby configuration, Spanning Tree Protocol (STP) is not needed to eliminate bridge loops. This speeds up failover when a switch fails. The standby switch blocks all ports configured as standby ports, whereas the master switch enables these same ports. Consequently, on a given switch, all virtual routers are either master or backup;...
  • Page 257 Virtual Router Group The virtual router group ties all of the virtual routers together as a single entity and is central to the hot-standby configuration. All virtual routers on a given switch must be either master or backup.
  • Page 258: Synchronizing Configurations

    When the hotstan option (/cfg/slb/port x/hotstan) is enabled and all hot-standby ports have link, the virtual router group's priority is automatically incremented by the “track other virtual routers” value. This action allows the switches to failover when a hot-standby port loses link.
  • Page 259: Web Os Extensions To Vrrp

    Web OS Extensions to VRRP This section describes the following VRRP enhancements that are implemented in Web OS: Virtual Server Routers; Sharing/Active-Active Failover; Tracking VRRP Router Priority. Virtual Server Routers Web OS supports virtual server routers, which extend the benefits of VRRP to virtual server IP addresses that are used to perform SLB.
  • Page 260: Figure 11-7 Active-Active High Availability

    Web OS 10.0 Application Guide Sharing/Active-Active Failover Web OS supports sharing of interfaces at both Layer 3 and Layer 4, as shown in Figure 11-7. With sharing, an IP interface or a VIP address can be active simultaneously on multiple switches, enabling active-active operation as shown in Table 11-2.
  • Page 261: Tracking Vrrp Router Priority

    Web OS 10.0 Application Guide When sharing is enabled, the master election process still occurs. Although the process does not affect which switch processes packets that must be routed or that are destined for the vir- tual server IP address, it does determine which switch sends advertisements and responds to ARP requests sent to the virtual router’s IP address.
  • Page 262 Web OS 10.0 Application Guide Table 11-3 VRRP Tracking Parameters Parameter Description Number of physical switch ports that Helps elect the main Layer 4 switch as the master. have active Layer 4 processing on the This parameter influences the VRRP router's prior- switch ity in both virtual interface routers and virtual server routers.
  • Page 263: High Availability Configurations

    High Availability Configurations. Alteon Web switches offer flexibility in implementing redundant configurations. This section discusses a few of the more useful and easily deployed configurations: “Active-Standby Virtual Server Router Configuration” on page 263; “Active-Active VIR and VSR Configuration” on page 265; “Active/Active Server Load Balancing Configuration”...
  • Page 264 To implement the active-standby example, perform the following switch configuration: Configure the appropriate Layer 2 and Layer 3 parameters on both switches. This includes any required VLANs, IP interfaces, default gateways, and so on. If IP interfaces are configured, none should use the virtual server IP address described in Step 4.
  • Page 265: Active-Active VIR and VSR Configuration

    Active-Active VIR and VSR Configuration. In Figure 11-9, two Alteon Web switches are used as VRRP routers in an active-active configuration implementing a virtual server router. As noted earlier, this is the preferred redundant configuration.
  • Page 266 To implement this example, configure the switches as follows: Configure the appropriate Layer 2 and Layer 3 parameters on both switches. This configuration includes any required VLANs, IP interfaces, default gateways, and so on. If IP interfaces are configured, none of them should use the VIP address described in Step 4.
  • Page 267: Active/Active Server Load Balancing Configuration

    Active/Active Server Load Balancing Configuration. In this example, you set up four virtual servers, each load balancing two servers providing one service (for example, HTTP) per virtual server. You are load balancing HTTP, HTTPS, POP3, SMTP, and FTP. Each protocol is load balanced via a different virtual server.
  • Page 268 Define the VLANs. In this configuration, set up two VLANs: one for the outside world (the ports connected to the upstream switches, toward the routers) and one for the inside (the ports connected to the downstream switches, toward the servers).
  • Page 269 Task 2: SLB Configuration. Define the real servers. The real server IP addresses are defined and put into four groups, depending on the service they are running. Notice that RIPs 7 and 8 are on routable subnets in order to support passive FTP.
  • Page 270 Define the virtual servers. After defining the virtual server IP addresses and associating them with a real server group number, you must tell the switch which IP ports/services/sockets you want to load balance on each VIP. You can specify the service by either the port number, service name, or socket number.
  • Page 271 Task 3: Virtual Router Redundancy Configuration. Configure virtual routers 2, 4, 6, and 8. These virtual routers will have the same IP addresses as the virtual server IP addresses. This is what tells the switch that these are virtual server routers (VSRs). In this example, Layer 3 bindings are left in their default configuration, which is disabled.
  • Page 272 Set the priority for each virtual router. Since you want Switch 1 to be the master router, you need to bump the default virtual router priorities (which are 100) to 101 on virtual routers 1-4 to force Switch 1 to be the master for these virtual routers.
  • Page 273 Task 4: Configuring Switch 2. Use the following procedure to dump the configuration script (text dump) out of Switch 1: Using the Browser Based Interface (BBI) (a) You need a serial cable that is a DB-9 Male to DB-9 Female, straight-through (not a null modem) cable.
  • Page 274 Scroll to the bottom of the text file and delete anything past “Script End.” Save the changes to the text file as “Customer Name” Switch 2. Move your serial cable to the console port on the second switch. Any configuration on it needs to be deleted by resetting it to factory settings, using the following command: >>...
  • Page 275: Vrrp-Based Hot-Standby Configuration

    VRRP-Based Hot-Standby Configuration. A hot-standby configuration allows all processes to fail over to a backup switch if any type of failure should occur. The primary application for hot-standby redundancy is to avoid bridging loops when using the Spanning Tree Protocol (STP), IEEE 802.1d. VRRP-based hot-standby supports the default Spanning Tree only.
  • Page 276: Configuration Procedure

    By reducing complexity to a single subnet and not requiring routing (L3), hot-standby can be used. The key to hot-standby is that the interswitch link (the link between switches) does NOT participate in STP, so there are no loops in the topology (see Figure 11-10).
  • Page 277: Virtual Router Deployment Considerations

    Virtual Router Deployment Considerations. Review the following issues described in this section to prevent network problems when deploying virtual routers: Mixing Active-Standby and Active-Active Virtual Routers; Synchronizing Active/Active Failover; Eliminating Loops with STP and VLANs; Assigning VRRP Virtual Router ID; Configuring the Switch for Tracking; Synchronizing Configurations...
  • Page 278: Eliminating Loops with STP and VLANs

    Eliminating Loops with STP and VLANs. VRRP active/active failover is significantly different from the hot-standby failover method supported in previous releases. As shown in Figure 11-11, active-active configurations can introduce loops into complex LAN topologies. (Figure 11-11 labels: Server, Web Switch, Router...)
  • Page 279: Figure 11-12 Cross-Redundancy Creates Loops, But STP Resolves Them

    Using Spanning Tree Protocol to Eliminate Loops. VRRP generally requires Spanning Tree Protocol (STP) to be enabled in order to resolve bridge loops that usually occur in cross-redundant topologies, as shown in Figure 11-12. In this example, a number of loops are wired into the topology.
  • Page 280: Assigning VRRP Virtual Router ID

    Assigning VRRP Virtual Router ID. During the software upgrade process, VRRP virtual router IDs will be automatically assigned if failover is enabled on the switch. When configuring virtual routers at any point after upgrade, virtual router ID numbers (/cfg/vrrp/vr /vrid) must be assigned.
  • Page 281 If one server attached to Web switch 1 fails, then Web switch 1’s priority will be reduced by 6 to 123. Since 123 is greater than 120 (Web switch 2’s priority), Web switch 1 will remain the master.
  • Page 282: Synchronizing Configurations

    Synchronizing Configurations. As noted above, each VRRP-capable switch is autonomous. Switches in a virtual router need not be identically configured. As a result, configurations cannot be synchronized automatically. For user convenience, it is possible to synchronize a configuration from one VRRP-capable switch to another using the /oper/slb/sync command.
  • Page 283: Stateful Failover of Layer 4 and Layer 7 Persistent Sessions

    Stateful Failover of Layer 4 and Layer 7 Persistent Sessions. Web OS provides stateful failover of content-intelligent persistent session state and Layer 7 persistent session state. This includes the following: SSL session state; HTTP cookie state; Layer 4 persistent FTP session state. Providing stateful failover enables network administrators to mirror their Layer 7 and Layer 4...
  • Page 284: What Happens When a Switch Fails

    What Happens When a Switch Fails. Assume that the user performing an e-commerce transaction has selected a number of items and placed them in the shopping cart. The user has already established a persistent session on the top server in Figure 11-14.
  • Page 285 Stateful Failover Configuration Example. After the VRRP setup, perform the following additional steps to enable stateful failover on the switches. On the Master Switch: Enable stateful failover. >> # /cfg/slb/sync/state ena Set the update interval. (The default is 30) >>...
  • Page 286: Viewing Statistics on Persistent Port Sessions

    Viewing Statistics on Persistent Port Sessions. You can view statistics on persistent port sessions using the /stats/slb/ssl command. To determine which switch is the master and which is the backup, use the /info/vrrp command. If the switch is a master: (View VRRP Information) >>...
  • Page 287 Part 3: Advanced Web Switching. Web OS can parse requests and classify flows using URLs, host tags, and cookies so that each request can be isolated and treated intelligently. This section describes the following advanced Web switching applications: Global Server Load Balancing; Firewall Load Balancing; Virtual Private Network Load Balancing; Content Intelligent Switching...
  • Page 289: Chapter 12: Global Server Load Balancing

    Chapter 12: Global Server Load Balancing. This chapter provides information for configuring Global Server Load Balancing (GSLB) across multiple geographic sites. The following topics are covered: “GSLB Overview” on page 290; “Configuring GSLB” on page 293; “IP Proxy for Non-HTTP Redirects” on page 304; “Verifying GSLB Operation”...
  • Page 290: GSLB Overview

    GSLB Overview. GSLB allows balancing server traffic load across multiple physical sites. The Alteon GSLB implementation takes into account an individual site’s health, response time, and geographic location to smoothly integrate the resources of the dispersed server sites for complete global performance.
  • Page 291: How GSLB Works

    How GSLB Works. GSLB is based on the Domain Name System (DNS) and proximity by source IP address. In the example in Figure 12-1, a client is using a browser to view the Web site for the Foo Corporation at “www.foocorp.com.”...
  • Page 292 The California Web switch responds to the DNS request, listing the IP address with the current best service. Each switch with GSLB software is capable of responding to the client’s name resolution request. Since each switch regularly checks and communicates health and performance information with its peers, either switch can determine which site(s) are best able to serve the client’s Web access needs.
  • Page 293: Configuring GSLB

    Configuring GSLB. Configuring GSLB is simply an extension of the configuration procedure for SLB. The process is summarized as follows: Use the administrator login to connect to the switch you want to configure. Activate SLB and GSLB software keys. See the Web OS Command Reference for details. Configure the switch at each site with basic attributes.
  • Page 294: Figure 12-2 GSLB Topology Example

    Example GSLB Topology. Consider the following example network (Figure 12-2). California Site: 200.200.200.X network; DNS server 200.200.200.102; Web switch IP interface 200.200.200.100; default gateway 200.200.200.101. Denver Site: 174.14.70.X network; DNS server 174.14.70.102; default gateway 174.14.70.101; Web switch IP interface...
  • Page 295 Task 1: Configure the Basics at the California Site. If the Browser-Based Interface (BBI) is to be used for managing the California switch, change its service port. GSLB uses service port 80 on the IP interface for DSSP updates. By default, the Web OS Browser-Based Interface (BBI) also uses port 80.
  • Page 296: Table 12-1 GSLB Example: California Real Server IP Addresses

    Task 2: Configure the California Switch for Standard SLB. Assign an IP address to each of the real servers in the local California server pool. The real servers in any real server group must have an IP route to the switch that will perform the SLB functions.
  • Page 297: Table 12-2 GSLB Example: California Alteon 180 Port Usage

    On the California switch, define a virtual server. All client requests will be addressed to a virtual server IP address defined on the switch. Clients acquire the virtual server IP address through normal DNS resolution. HTTP uses well-known TCP port 80.
  • Page 298 Task 3: Configure the California Site for GSLB. On the California switch, define each remote site. When you start configuring at the California site, California is local and Denver is remote. Add and enable the remote switch’s IP interface address. In this example, there is only one remote site: Denver, with an IP interface address of 174.14.70.100.
  • Page 299 On the California switch, define the domain name and host name for each service hosted on each virtual server. In this example, the domain name for the Foo Corporation is “foocorp.com,” and the host name for the only service (HTTP) is “www.” These values are configured as follows: (Select virtual server 1) >>...
  • Page 300: Table 12-3 Denver Real Server IP Addresses

    On the Denver switch, define an IP interface. >> # /cfg/ip/if 1 (Select IP interface 1) >> IP Interface 1# addr 174.14.70.100 (Assign IP address for the interface) >> IP Interface 1# ena (Enable IP interface 1) On the Denver switch, define the default gateway.
  • Page 301: Table 12-4 Web Host Example: Alteon 180 Port Usage

    On the Denver switch, define a real server group. >> Real server 2# ../group 1 (Select real server group 1) >> Real server group 1# add 1 (Add real server 1 to group 1) (Add real server 2 to group 1) >>...
  • Page 302 Task 6: Configure the Denver Site for GSLB. Following the same procedure described for California (see “Task 3: Configure the California Site for GSLB” on page 298), configure the Denver site as follows: On the Denver switch, define each remote site. When you start configuring at the Denver site, Denver is local and California is remote.
  • Page 303 For example: >> Remote site 1# /cfg/slb/real 3 (Create an entry for real server 3) >> Real server 3# rip 200.200.200.1 (Set remote virtual server IP address) >> Real server 3# remote enable (Define the real server as remote) >>...
  • Page 304: Ip Proxy For Non-Http Redirects

    IP Proxy for Non-HTTP Redirects. Typically, client requests for HTTP applications are automatically redirected to the location with the best response and least load for the requested content. This is because the HTTP protocol has a built-in redirection function that allows requests to be redirected to an alternate site. If a client requests a non-HTTP application such as FTP, POP3, or SMTP, then the lack of a redirection function in these applications requires that a proxy IP address be configured on the client port.
  • Page 305: How IP Proxy Works

    Table 12-5 explains the packet-flow process in detail. In this example, the initial DNS request from the client reaches Site 2, but Site 2 has no available services. Table 12-5 HTTP Versus Non-HTTP Redirects (columns: Site 2 Web switch, Site 1 Web switch; first row: HTTP application...)
  • Page 306 The following procedure explains the three-way handshake between the two sites and the client for a non-HTTP application (POP3). When POP3 processes at Site 1 terminate because of operator error, the following events occur to allow POP3 requests to be fulfilled: A user POP3 TCP SYN request is received by the virtual server at Site 1.
  • Page 307: Configuring Proxy IP Addresses

    Configuring Proxy IP Addresses. Refer to the example starting on page 294. In Figure 12-4, the switch at Site 1 in California is configured with switch port 6 connecting to the default gateway, and real server 3 represents the remote server in Denver.
  • Page 308: Verifying GSLB Operation

    Verifying GSLB Operation. Use your browser to request the configured service (www.foocorp.com in the previous example). Examine the /info/slb information on each switch. Check to see that all SLB parameters are working according to expectation. If necessary, make any appropriate configuration changes and then check the information again.
  • Page 309: Figure 12-5: GSLB Proximity Tables: How They Work

    Figure 12-5 illustrates GSLB proximity tables. The client sends a request to the DNS server, which is forwarded to the master switch. The master switch looks through its proximity table and returns the request to the DNS server with the virtual server IP address of the preferred site.
  • Page 310: Figure 12-6 Configuring Client Proximity Table

    Client A, with a source IP address of 205.178.13.10, initiates a request that is sent to the local DNS server. The local DNS server is configured to forward requests to the DNS server at Site 4.
  • Page 311 Use the following commands to configure a proximity table on the Web switch at Site 4: >> # /cfg/slb/gslb/lookup/lookups ena (Enable the lookup or proximity table) >> # dname nortelnetworks.com (Select the domain name) >> # network 1 (Select Client A subnet) (Assign source address for Client A) >>...
  • Page 312: Using Border Gateway Protocol for GSLB

    Using Border Gateway Protocol for GSLB. Border Gateway Protocol (BGP)-based GSLB utilizes the Internet’s routing protocols to localize content delivery to the most efficient and consistent site. It does so by using a shared IP block that co-exists in each Internet Service Provider’s (ISP’s) network and is then advertised, using BGP, throughout the Internet.
  • Page 313: Chapter 13: Firewall Load Balancing

    Chapter 13: Firewall Load Balancing. Firewall Load Balancing (FWLB) with Alteon Web switches allows multiple active firewalls to operate in parallel. Parallel operation allows users to maximize firewall productivity, scale firewall performance without forklift upgrades, and eliminate the firewall as a single point of failure.
  • Page 314: Firewall Overview

    Firewall Overview. Firewall devices have become indispensable for protecting network resources from unauthorized access. Prior to FWLB, however, firewalls could become critical bottlenecks or single points of failure for your network. As an example, consider the following network: "Dirty"...
  • Page 315 Alteon Web switches support the following methods of FWLB: Basic FWLB for simple networks. This method uses a combination of static routes and redirection filters and is usually employed in smaller networks. A Web switch filter on the dirty side splits incoming traffic into streams headed for different firewalls.
  • Page 316: Basic FWLB

    Basic FWLB. The basic FWLB method uses a combination of static routes and redirection filters to allow multiple active firewalls to operate in parallel. Figure 13-2 shows a basic FWLB topology: "Dirty" Side of Network "Clean"...
  • Page 317: Basic FWLB Implementation

    Basic FWLB Implementation. In this example, traffic is load balanced among the available firewalls. (Figure labels: "Dirty" Side, "Clean" Side, Firewalls, Servers, Web Switch, Client, Internet. 1. Client sends a request. 2. Redir filter selects upper or lower path. 3. ...)
  • Page 318 The firewalls decide if they should allow the packets and, if so, forward them to a virtual server on the clean-side Web switch. Client requests are forwarded or discarded according to rules configured for each firewall. –...
  • Page 319: Configuring Basic FWLB

    Configuring Basic FWLB. The steps for configuring basic FWLB are provided below. While two or four switches can be used, the following procedure assumes a simple network topology with only two Web switches (one on each side of the firewalls) as shown in Figure 13-4.
  • Page 320 Configure the clean-side IP interfaces as if they were real servers on the dirty side. Later in this procedure, you’ll configure one clean-side IP interface on a different subnet for each firewall path being load balanced. On the dirty-side Web switch, create two real servers using the IP address of each clean-side IP interface used for FWLB.
  • Page 321 Create a filter to allow local subnet traffic on the dirty side of the firewalls to reach the firewall interfaces. >> Layer 4# /cfg/slb/filt 10 (Select filter 10) >> Filter 10# sip any (From any source IP address) (To this destination IP address) >>...
  • Page 322 Configure the Clean-Side Web Switch. Define the clean-side IP interfaces. Create one clean-side IP interface on a different subnet for each firewall being load balanced. – An extra IP interface (IF 1) prevents server-to-server traffic from being redirected. (Select IP interface 1) >>...
  • Page 323 Set the health check type for the real server group to ICMP. >> Real server group 1# health icmp (Select ICMP as health check type) Set the load-balancing metric for the real server group to hash. (Select SLB hash metric for group 1) >>...
  • Page 324 Place the real servers into a real server group. >> Real server 3# ../group 200 (Select real server group 200) >> Real server group 200# add 2 (Add real server 2 to group 200) (Add real server 3 to group 200) >>...
  • Page 325 Add the filters to the ingress ports for the outbound packets. Redirection filters are needed on all the ingress ports on the clean-side Web switch. Ingress ports are any that attach to real servers or internal clients on the clean side of the network. In this case, two real servers are attached to the clean-side Web switch on port 4 and port 5.
  • Page 326: Four-Subnet Fwlb

    Four-Subnet FWLB. The four-subnet FWLB method is often deployed in large networks that require high-availability solutions. This method uses filtering, static routing, and Virtual Router Redundancy Protocol (VRRP) to provide parallel firewall operation between redundant Web switches. Figure 13-5 shows one possible network topology using the four-subnet method: Dirty Side...
  • Page 327: Four-Subnet FWLB Implementation

    As shown in Figure 13-5, the network is divided into four sections: Subnet 1 includes all equipment between the exterior routers and dirty-side Web switches. Subnet 2 includes the dirty-side Web switches with their interswitch link, and dirty-side firewall interfaces.
  • Page 328 Incoming traffic converges on the primary dirty-side Web switch. External traffic arrives through redundant routers. A set of interconnected switches ensures that both routers have a path to each dirty-side Web switch. VRRP is configured on each dirty-side Web switch so that one acts as the primary routing switch.
  • Page 329: Configuring Four-Subnet FWLB

    Configuring Four-Subnet FWLB. An example network for four-subnet FWLB is illustrated in Figure 13-7. While other complex topologies are possible, this example assumes a high-availability network using block (rather than diagonal) interconnections between switches. Dirty Side Clean Side Subnet 1 (VLAN 1): Subnet 2 (VLAN 2):...
  • Page 330 Configure the Routers. The routers must be configured with a static route to the destination services being accessed by the external clients. In this example, the external clients intend to connect to services at a publicly advertised IP address on this network.
  • Page 331 Configure Connectivity for the Primary Dirty-Side Web Switch. Configure VLANs on the primary dirty-side Web switch. Two VLANs are required. VLAN 1 includes port 1, for the Internet connection. VLAN 2 includes port 2, for the firewall connection, and port 9, for the interswitch connection. >>...
  • Page 332 Configure static routes on the primary dirty-side Web switch. Four static routes are required: to primary clean-side IF 2 via Firewall 1 using dirty-side IF 2; to primary clean-side IF 3 via Firewall 2 using dirty-side IF 3; to secondary clean-side IF 2 via Firewall 1 using dirty-side IF 2; to secondary clean-side IF 3 via Firewall 2 using dirty-side IF 3. –...
  • Page 333 Configure Connectivity for the Secondary Dirty-Side Web Switch. Except for the IP interfaces, this configuration is identical to the primary dirty-side Web switch. Configure VLANs on the secondary dirty-side Web switch. >> # /cfg/vlan 2 >>...
  • Page 334 Configure Connectivity for the Primary Clean-Side Web Switch. Configure VLANs on the primary clean-side Web switch. Two VLANs are required. VLAN 3 includes the firewall port and interswitch connection port. VLAN 4 includes the port that attaches to the real servers. >>...
  • Page 335 Configure static routes on the primary clean-side Web switch. Four static routes are needed: to primary dirty-side IF 2 via Firewall 1 using clean-side IF 2; to primary dirty-side IF 3 via Firewall 2 using clean-side IF 3; to secondary dirty-side IF 2 via Firewall 1 using clean-side IF 2; to secondary dirty-side IF 3 via Firewall 2 using clean-side IF 3. Again, the static route add command uses the following format:...
  • Page 336 Configure IP interfaces on the secondary clean-side Web switch. >> # /cfg/ip/if 1 >> # mask 255.255.255.0 >> # addr 10.10.4.11 >> # vlan 4 >> # ena >> # ../if 2 >> # mask 255.255.255.0 >>...
  • Page 337 Verify Proper Connectivity. To verify proper configuration up to this point, use the ping option to test network connectivity. At each Web switch, you should receive a valid response when pinging the destination addresses established in the static routes. For example, on the secondary clean-side Web switch, the following commands should receive a valid response: >>...
  • Page 338 Complete the Configuration of the Primary Dirty-Side Web Switch. Create an FWLB real server group on the primary dirty-side Web switch. A real server group is used as the target for the FWLB redirection filter. Each IP address that is assigned to the group represents a path through a different firewall.
  • Page 339 Create the FWLB filters. Three filters are required on the port attaching to the routers: Filter 10 prevents local traffic from being redirected. Filter 20 prevents VRRP traffic (and other multicast traffic on the reserved 224.0.0.0/24 network) from being redirected.
  • Page 340 Configure VRRP on the primary dirty-side Web switch. VRRP in this example requires two virtual routers: one for the subnet attached to the routers, and one for the subnet attached to the firewalls. >> # /cfg/vrrp >>...
  • Page 341 Complete the Configuration of the Primary Clean-Side Web Switch. Create an FWLB real server group on the primary clean-side Web switch. A real server group is used as the target for the FWLB redirection filter. Each IP address assigned to the group represents a return path through a different firewall.
  • Page 342 Create an SLB real server group on the primary clean-side Web switch, to which traffic will be load-balanced. The external clients intend to connect to HTTP services at a publicly advertised IP address. The servers on this network are load balanced by a virtual server on the clean-side Web switch. SLB options are configured as follows: (Select the SLB menu) >>...
  • Page 343 Create the FWLB filters on the primary clean-side Web switch. Three filters are required on the port attaching to the real servers: Filter 10 prevents local traffic from being redirected. Filter 20 prevents VRRP traffic from being redirected. Filter 224 redirects the remaining traffic to the firewall group.
  • Page 344 Configure VRRP on the primary clean-side Web switch. VRRP in this example requires two virtual routers to be configured: one for the subnet attached to the real servers, and one for the subnet attached to the firewalls. >>...
  • Page 345 Configure the peer on the primary clean-side Web switch. >> # /cfg/slb/sync >> # prios d >> # peer 1 >> # ena >> # addr 10.10.4.11 Apply and save your configuration changes. >> # apply >>...
  • Page 346: Advanced Fwlb Concepts

    Web OS 10.0 Application Guide Advanced FWLB Concepts Free-Metric FWLB Free-metric FWLB allows to you use load-balancing metrics other than hash, such as leastconns, roundrobin, minmiss, response, and bandwidth for more versatile FWLB. The free-metric method uses the Return to Sender (RTS) option. RTS can be used with basic FWLB or four-subnet FWLB networks.
  • Page 347: Figure 13-9 Four-Subnet Fwlb Example Network

    Web OS 10.0 Application Guide On the dirty-side Web switch, set the FWLB metric. >> # ../group 1 >> # metric <metric type> Any of the following load-balancing metrics can be used: hash, leastconns, roun- drobin, minmiss, response, and bandwidth. See “Metrics for Real Server Groups”...
  • Page 348 Web OS 10.0 Application Guide To use free-metric FWLB in this network, the following configuration changes are necessary. On the clean-side Web switches, enable RTS on the ports attached to the firewalls (port 3) and on the interswitch port (port 9). On both clean-side switches: >>...
  • Page 349: Adding A Demilitarized Zone (Dmz)

    Adding a Demilitarized Zone (DMZ) Implementing a DMZ in conjunction with firewall load balancing enables the Web switch to do the traffic filtering, off-loading this task from the firewall. A DMZ is created by configuring FWLB with another real server group and a redirection filter towards the DMZ subnets.
  • Page 350 You could add the filters required for the DMZ (to each Web switch) as follows: On the dirty-side Web switch, create the filter to allow HTTP traffic to reach the DMZ Web servers. In this example, the DMZ Web servers use IP addresses 205.178.29.0/24. (Select filter 80) >>...
  • Page 351: Firewall Health Checks

    Firewall Health Checks Basic FWLB health checking is automatic. No special configuration is necessary unless you wish to tune the health checking parameters. See Chapter 10, “Health Checking” for details. Firewall Service Monitoring To maintain high availability, Web switches monitor firewall health status and send packets only to healthy firewalls.
  • Page 352 Using HTTP Health Checks For those firewalls that do not permit ICMP pings to pass through, Web switches can be configured to perform HTTP health checks, as described below. Set the health check type to HTTP instead of ICMP. (Select HTTP health checks) >>...
  • Page 353: Chapter 14: Virtual Private Network Load Balancing

    CHAPTER Virtual Private Network Load Balancing The VPN (Virtual Private Network) load balancing feature in Web OS 10.0 allows the switch to load balance simultaneously up to 255 VPN devices. The switch records from which VPN server a session was initiated and ensures that the traffic returns back to the same VPN server from which the session started.
  • Page 354: Virtual Private Networks

    Overview Virtual Private Networks A VPN is a connection that has the appearance and advantages of a dedicated link, but it occurs over a shared network. Using a technique called tunneling, data packets are transmitted across a routed network, such as the Internet, in a private tunnel that simulates a point-to-point connection.
  • Page 355: Figure 14-1 Basic Network Frame Flow And Operation

    Figure 14-1 Basic Network Frame Flow and Operation The basic steps that occur at the switches when a request arrives from the Internet are described below: The user prepares to send traffic to the destination server. The VPN client software encrypts the packet and sends it to the cluster IP address of the VPN devices.
  • Page 356: Vpn Load-Balancing Configuration

    VPN Load-Balancing Configuration Requirements Configure the switch with firewall load balancing. For more information, see “Firewall Load Balancing” on page 313. Enable the Return to Sender (RTS) feature on the ports attached to the VPN devices, using the following command: >>...
  • Page 357 Configure the First Clean-Side Switch (CA) Turn off BOOTP. >> # /cfg/sys/bootp dis Define and enable VLAN 2 for ports 7 and 8. >> # /cfg/vlan 2/ena/def 7 8 Turn off Spanning Tree Protocol (STP). >>...
  • Page 358 One static route is required for each VPN device being load balanced. >> # /cfg/ip/route (Static route destination IP address) >> IP Static Route# add 10.0.0.10 >> IP Static Route# 255.255.255.255 (Destination subnet mask) (Enter gateway IP address) >>...
  • Page 359 Enable Server Load Balancing (SLB) on the first clean switch. >> # /cfg/slb/on Configure real servers for health checking VPN devices. (Enable slb for real server 1) >> # /cfg/slb/real 1/ena (Assign IP address for real server 1) >>...
  • Page 360 Configure the Second Clean-Side Switch (CB) Turn off bootp. >> # /cfg/sys/bootp dis Define and enable VLAN 2 for ports 7 and 8. >> # /cfg/vlan 2/ena/def 7 8 Turn off Spanning Tree Protocol. >> # /cfg/stp/off Define the clean-side IP interfaces.
  • Page 361 Configure Virtual Router Redundancy Protocol (VRRP) for virtual routers 1 and 2. >> # /cfg/vrrp/on >> Virtual Router Redundancy Protocol# vr 1 >> VRRP Virtual Router 1# ena >> VRRP Virtual Router 1# vrid 1 >>...
  • Page 362 Enable filter processing on the server ports so that the response from the real server will be looked up in the VPN session table. >> SLB port 8# ../port 1/filter ena Apply and save the configuration, and reboot the switch. >>...
  • Page 363 Configure VRRP for virtual routers 1 and 2. >> # /cfg/vrrp/on >> Virtual Router Redundancy Protocol# /cfg/vrrp/vr 1 >> VRRP Virtual Router 1# ena >> VRRP Virtual Router 1# vrid 1 >> VRRP Virtual Router 1# if 1 >>...
  • Page 364 Configure the filters to allow local subnet traffic on the dirty side of the VPN device to reach the VPN device interfaces. >> # ../filt 100 >> # ena >> # sip any >> # dip 192.168.10.0/dmask 255.255.255.0 >>...
  • Page 365 Configure the Second Dirty-Side WebSwitch (DB) Turn off BOOTP. >> # /cfg/sys/bootp dis Define and enable VLAN 2 for ports 7 and 8. >> # /cfg/vlan 2/ena/def 7 8 Turn off STP. >> # /cfg/stp/off Configure IP interfaces 1, 2, and 3.
  • Page 366 Configure VRRP for virtual routers 1 and 2. >> # /cfg/vrrp/on >> # /cfg/vrrp/vr 1 >> # ena >> # vrid 1 >> # if 1 >> # addr 192.168.10.50 >> # share dis >> # track >>...
  • Page 367 Configure the filters to allow local subnet traffic on the dirty side of the VPN device to reach the VPN device interfaces. >> # /cfg/slb/filt 100 >> # ena >> # sip any >> # dip 192.168.10.0/dmask 255.255.255.0 >>...
  • Page 368: Figure 14-3 Checkpoint Rules For Both Vpn Devices As Seen In The Policy Editor

    Test Configurations and General Topology The switches should be able to health check each other, and all switches should see four real servers up. (Rules on the VPN devices permit this—see Figure 14-3 on page 368.) Figure 14-3 Checkpoint Rules for Both VPN Devices as Seen in the Policy Editor Disconnect the cables (cause failures) to change the available servers that are up.
  • Page 369 Test the VPN Launch the SecuRemote client on the dirty side of the network. Add a new site. Enter the policy server IP address: 192.168.10.120. You have the option of adding a nickname. Launch a browser (such as Netscape or Internet Explorer) and go to http://30.0.0.100 You will be asked to authenticate yourself.
  • Page 370 You will see a message verifying that you were authenticated. Browse to the Web site. If there are other services running on other servers in the internal network, you should also be able to reach those services. All of this traffic is traveling over the VPN and is being decrypted at the VPN device.
  • Page 371: Chapter 15: Content Intelligent Switching

    CHAPTER Content Intelligent Switching This chapter discusses advanced load balancing solutions utilizing Layer 7 content switching. Inspecting HTTP headers, examining content identifiers such as URLs and cookies, and parsing content requests are discussed in the following topics: “Overview” on page 372 “Content Intelligent Server Load Balancing”...
  • Page 372: Figure 15-1 Content Intelligent Load Balancing Example

    Overview Alteon Web switches perform content intelligent switching by processing numerous tasks for each incoming session, including connection setup, traffic parsing, applying server selection algorithms, splicing connections and translating session addresses, metering and controlling server bandwidth usage, processing traffic filters, collecting statistics, and so on. Figure 15-1 illustrates the process of content intelligent switching in the Web switch.
  • Page 373: Parsing Content

    Parsing Content Examining session content places heavier demands upon the Web switch than examining TCP/IP headers for the following reasons: Content is non-deterministic. Content identifiers such as URLs and cookies can be of varying lengths and can appear at unpredictable locations within a request. Scanning session traffic for a specific string is far more processor-intensive than looking at a known location in a session for a specific number of bytes.
  • Page 374: Http Header Inspection

    HTTP Header Inspection Content intelligent switching is performed by inspecting HTTP headers. HTTP headers include additional information about requests and responses. The HTTP 1.1 specification defines a total of 46 headers. For Web Cache Redirection, at any given time one HTTP header is supported globally for the entire switch.
  • Page 375: Content Intelligent Server Load Balancing

    Content Intelligent Server Load Balancing Web OS allows you to load balance HTTP requests based on different HTTP header information, such as “Cookie:” header for persistent load balancing, “Host:” header for virtual hosting, or “User-Agent” for browser-smart load balancing. URL-Based Server Load Balancing on this page “Virtual Hosting”...
  • Page 376: Figure 15-2 Url-Based Server Load Balancing

    [Figure 15-2 URL-Based Server Load Balancing: example requests GET /www.foo.com/images/abc.gif, GET /www.foo.com/event/reg.bin and GET /www.foo.com/product/abc.html are matched by the Alteon Web Switch against server strings such as images, /product, .gif, .jpg, .cgi, .bin, .exe and .html.] In groups with multiple servers, traffic is distributed within the group via standard SLB metric or URL hashing. Figure 15-2 URL-Based Server Load Balancing...
  • Page 377 Define the string(s) to be used for URL load balancing. >> # /cfg/slb/layer7/slb/add|rem <string> add: Add string or a path. rem: Remove string or a path. A default string “any” indicates that the particular server can handle all URL or Web-cache requests.
  • Page 378 Apply and save your configuration changes. Identify the defined string IDs. >> # /cfg/slb/layer7/slb/cur For easy configuration and identification, each defined string has an ID attached, as shown in the following example: Number of entries: six SLB String .gif /sales...
  • Page 379 Enable SLB on the switch. >> # /cfg/slb/on (Turn SLB on) Enable DAM on the switch or configure a proxy IP address on the client port. To turn on DAM: >> # /cfg/slb/adv/direct ena To turn off DAM and configure a proxy IP address on the client port: >>...
  • Page 380: Virtual Hosting

    Virtual Hosting Web OS allows individuals and companies to have a presence on the Internet in the form of a dedicated Web site address. For example, you can have a “www.site-a.com” and “www.site-b.com” instead of “www.hostsite.com/site-a” and “www.hostsite.com/site-b.” Service providers, on the other hand, do not want to deplete the pool of unique IP addresses by dedicating an individual IP address for each home page they host.
  • Page 381 Virtual Hosting Configuration Overview The sequence of events for configuring virtual hosting based on HTTP Host: headers is described below: The network administrator defines a domain name as part of the 128 supported URL strings. Both domain names “www.company-a.com”...
  • Page 382 Configuring the “Host” Header for Virtual Hosting To support virtual hosting, configure the switch for Host header-based load balancing with the following procedure: Before you can configure header-based server load balancing, ensure that the switch has already been configured for basic SLB with the following tasks: Assign an IP address to each of the real servers in the server pool.
  • Page 383: Cookie-Based Preferential Load Balancing

    Cookie-Based Preferential Load Balancing Cookies can be used to provide preferential services for customers, ensuring that certain users are offered better access to resources than other users when site resources are scarce. For example, a Web server could authenticate a user via a password and then set cookies to identify them as “Gold,”...
  • Page 384 Configuring Cookie-Based Preferential Load Balancing To configure cookie-based preferential load balancing, perform the following procedure. Before you can configure header-based load balancing, ensure that the switch has already been configured for basic SLB with the following tasks: Assign an IP address to each of the real servers in the server pool.
  • Page 385 Example: Real Server 1: “Gold” handles gold requests. Real Server 2: “Silver” handles silver requests. Real Server 3: “Bronze” handles bronze requests. Real Server 4: “any” handles any request that does not have a cookie or matching cookie.
  • Page 386: Browser-Smart Load Balancing

    Browser-Smart Load Balancing HTTP requests can be directed to different servers based on browser type by inspecting the “User-Agent” header. For example, GET /products/180/ HTTP/1.0 User-agent: Mozilla/3.0 Accept: text/html, image/gif, image/jpeg To allow the switch to perform browser-smart load balancing, perform the following procedure.
  • Page 387: Url Hashing For Server Load Balancing

    URL Hashing for Server Load Balancing By default, hashing algorithms use the IP source address and/or IP destination address (depending on the application area) to determine content location. The default hashing algorithm for SLB is the IP source address. By enabling URL hashing, requests going to the same page of an origin server are redirected to the same real server or cache server.
  • Page 388 To configure URL hashing, perform the following procedure: Before you can configure URL hashing, ensure that the switch has already been configured for basic SLB with the following tasks: Assign an IP address to each of the real servers in the server pool. Define an IP interface on the switch.
  • Page 389: Header Hash Load Balancing

    Header Hash Load Balancing Web OS allows you to hash on any selected HTTP header. To configure the Web switch for load balancing based on header hash, perform the following procedure: Ensure that the switch has already been configured for basic SLB: Assign an IP address to each of the real servers in the server pool.
  • Page 390: Dns Load Balancing

    DNS Load Balancing The Internet name registry has become so large that a single server cannot keep track of all the entries. This is resolved by splitting the registry and saving it on different servers. If you have large DNS server farms, Web OS allows you to load balance traffic based on DNS names.
  • Page 391 To configure the switch for DNS load balancing, perform the following procedure: Before you can configure DNS load balancing, ensure that the switch has already been configured for basic SLB with the following tasks: Assign an IP address to each of the real servers in the server pool. Define an IP interface on the switch.
  • Page 392: Layer 7 Rtsp Load Balancing

    Number of entries: five SLB String any, cont 1024 www.[abcdefg]*.com, cont 1024 www.[hijklm]*.com, cont 1024 www.[nopqrst]*.com, cont 1024 www.[uvwxyz]*.com, cont 1024 Add the defined string IDs to the real server using the following command: >> # /cfg/slb/real 1/layer7/addlb 2 >>...
  • Page 393 To configure RTSP load balancing using pattern matching, follow this procedure: Add the URL string. >> # /cfg/slb/layer7/slb/add <URL string ID> (Add URL string ID, for example, g2video.rm) You can remove the URL string by performing the following: >>...
  • Page 394: Content Intelligent Web Cache Redirection

    Content Intelligent Web Cache Redirection Web OS allows you to redirect Web cache requests based on different HTTP header information, such as “Host:” header or “User-Agent” for browser-smart load balancing. For more information on layer 4 Web cache redirection, see Chapter 8, “Application Redirection.”...
  • Page 395: Url-Based Web Cache Redirection

    URL-Based Web Cache Redirection URL parsing for Web Cache Redirection operates in a manner similar to URL-based server load balancing except that in WCR a virtual server on the switch is the target of all IP/HTTP requests.
  • Page 396: Figure 15-5 Url-Based Web Cache Redirection

    The switch is preconfigured with a list of 13 noncacheable items that you can add to, delete, or modify. These items are either known dynamic content file extensions or dynamic URL parameters, as described below: Dynamic content files: Common gateway interface files (.cgi) cold fusion files (.cfm), ASP files (.asp)
  • Page 397 Network Address Translation Options URL-based WCR supports three types of Network Address Translation (NAT): No NAT, Half NAT, and Full NAT. No NAT In this NAT method, the traffic is redirected to the Web cache with the destination MAC address replaced by the MAC address of the cache.
  • Page 398 Configure the parameters and file extensions that bypass WCR. The switch is preconfigured with a list of 13 noncacheable items: Dynamic content files: Common gateway interface files (.cgi), cold fusion files (.cfm), ASP files (.asp), BIN directory, CGI-BIN directory, SHTML (scripted html), Microsoft HTML extension files (.htx), executable files(.exe) Dynamic URL parameters: +, !, %, =, &...
  • Page 399 Define the string(s) to be used for Web cache SLB. Refer to the parameters listed below: >> # /cfg/slb/layer7/slb/add|rem <string> add: Add a string or a path. rem: Remove string or a path. A default string “any” indicates that the particular server can handle all URL or Web-cache requests.
  • Page 400 Apply and save your configuration changes. Identify the defined string IDs. >> # /cfg/slb/layer7/slb/cur For easy configuration and identification, each defined string has an ID attached, as shown in the following example: Number of entries: six SLB String .gif /sales...
  • Page 401 Configure a filter to support basic WCR. The filter must be able to intercept all TCP traffic for the HTTP destination port and must redirect it to the proper port in the real server group: >>...
  • Page 402 Create a default filter for noncached traffic on the switch. >> # /cfg/slb/filt <filter number> (Select the default filter) >> Filter <filter number># sip any (From any source IP addresses) >> Filter <filter number># dip any (To any destination IP addresses) >>...
  • Page 403: Http Header-Based Web Cache Redirection

    HTTP Header-Based Web Cache Redirection To configure the switch for WCR based on the “Host:” header, use the following procedure: Configure basic SLB. Before you can configure header-based cache redirection, ensure that the switch has already been configured for basic SLB (see “Server Load Balancing”...
  • Page 404 Configure the real server(s) to handle the appropriate load balance string(s). Add the defined string IDs to the real servers: >> # /cfg/slb/real 2/layer7/addlb <ID> where ID is the identification number of the defined string. –...
  • Page 405: Browser-Based Web Cache Redirection

    Browser-Based Web Cache Redirection Browser-based Web cache redirection uses the User-agent: header. To configure browser-based WCR, perform the following procedure. Before you can configure header-based WCR, ensure that the switch is already configured for basic SLB with the following tasks: Assign an IP address to each of the real servers in the server pool.
  • Page 406: Url Hashing For Web Cache Redirection

    Add the defined string IDs to configure the real server(s) to handle the appropriate load balance string(s). >> # /cfg/slb/real 2/layer7/addlb <ID> where ID is the identification number of the defined string. – If you don’t add a defined string (or add the ID 1), the server will handle any request. URL Hashing for Web Cache Redirection By default, hashing algorithms use the source IP address and/or destination IP address (depending on the application area) to determine content location.
  • Page 407 Turn on URL parsing for the filter. >> # /cfg/slb/filt 1/adv/urlp ena Enable hash to direct a cacheable URL request to a specific cache server. By default, the host header field is used to calculate the hash key and URL hashing is disabled. hash ena: Enables hashing based on the URL and the host header if it is present.
  • Page 408: Figure 15-6 Url Hashing For Wcr

    [Figure 15-6 URL Hashing for WCR: clients on the Internet requesting http://www.nortelnetworks.com through the Alteon Web Switch to a cache server farm.] Example 2: Hashing on the Host Header Field Only In this example, URL hashing is disabled. If you use the Host header field to calculate the hash key, the same URL request goes to the same cache server: Client 1 request http://www.nortelnetworks.com is directed to cache server 1.
  • Page 409: Layer 7 Rtsp Streaming Cache Redirection

    Layer 7 RTSP Streaming Cache Redirection This section explains Layer 7 support for RTSP Streaming Cache Redirection. For conceptual information on RTSP Streaming Cache Redirection, see “RTSP Web Cache Redirection” on page 211. For detailed information on two prominent commercial RTSP servers—Real Player and QuickTime—see “Real Time Streaming Protocol SLB”...
  • Page 410: Exclusionary String Matching For Real Servers

    Exclusionary String Matching for Real Servers URL-based SLB and WCR can match or exclude up to 128 strings. Examples of strings are as follows: “/product,” matches URLs that start with /product. “product,” matches URLs that have the string “product” anywhere in the URL. You can assign one or more strings to each real server.
  • Page 411 For information on how to configure your network for server load balancing, see Chapter 6, “Server Load Balancing.” Add the load balancing strings (for example test, /images, and /product) to the real server. >> # /cfg/slb/layer7/slb/add test >>...
  • Page 412: Regular Expression Matching

    Regular Expression Matching Regular expressions are used to describe patterns for string matching. They enable you to match the exact string, such as URLs, host names, or IP addresses. It is a powerful and effective way to express complex rules for Layer 7 string matching.
  • Page 413: Configuring Regular Expressions

    Size of the regular expression structure after compilation cannot exceed 43 bytes for load balancing strings and 23 bytes for Web Cache Redirection. The size of regular expression after compilation varies, based on regular expression characters used in the user input string.
  • Page 414: Content Precedence Lookup

    Content Precedence Lookup The Layer 7 Precedence Lookup feature in Web OS allows you to give precedence to one Layer 7 parameter over another and selectively decide which parameter should be analyzed first. The Content Precedence Lookup feature allows you to combine up to two Layer 7 load balancing mechanisms.
  • Page 415: Using The Or And And Operators

    Requirements Enable Direct Access Mode (DAM), or configure proxy IP address if DAM is disabled. Enable delayed binding. Using the or and and Operators Figure 15-7 shows a network with real servers 1 and 3 configured for URL SLB and real servers 2 and 3 configured for HTTP Host SLB.
  • Page 416: Assigning Multiple Strings

    Assigning Multiple Strings Figure 15-8 shows an example of a company providing content for two large customers: Customers A and B. Customer A uses www.a.com as their domain name, and Customer B uses www.b.com. The company has a limited number of public IP addresses and wishes to assign them on a very conservative basis.
  • Page 417

    When a client request is received with www.a.com in the Host Header and .jpg in the URL, the request will be load balanced between Server 1 and Server 2. To accomplish this configuration, you must assign multiple strings (a Host Header string and a URL string) for each real server.
  • Page 418 Configuring a Layer 7 Deny Filter Before you can configure Layer 7 deny filter, ensure that the switch has already been configured for basic switch functions: Assign an IP address to each of the real servers in the server pool. Define an IP interface on the switch.
  • Page 419 Enable the Layer 7 deny option. (Select the Layer 7 deny menu) >> Filter 1 Advanced# l7deny (Enable Layer 7 deny filter) >> Filter 1 Advanced L7deny# ena Assign the URL string ID from Step 4 to the filter.
  • Page 421: Chapter 16: Persistence

    CHAPTER Persistence The Web OS persistence feature ensures that all connections from a specific client session reach the same real server, even when Server Load Balancing (SLB) is used. The following topics are addressed in this chapter: “Overview of Persistence” on page 422.
  • Page 422: Overview Of Persistence

    Overview of Persistence In a typical SLB environment, traffic comes from various client networks across the Internet to the virtual server IP address on the Web switch. The switch then load balances this traffic among the available real servers. In any authenticated Web-based application, it is necessary to provide a persistent connection between a client and the Web server to which it is connected.
  • Page 423: Using Cookies

    Using Cookies Cookies are strings passed via HTTP from servers to browsers. Based on the mode of operation, cookies are inserted by either the Web switch or the server. After a client receives a cookie, a server can poll that cookie with a GET command, which allows the querying server to positively identify the client as the one that received the cookie earlier.
  • Page 424: Cookie-Based Persistence

    Cookie-Based Persistence Cookies are a mechanism for maintaining state between clients and servers. When the server receives a client request, the server issues a cookie, or token, to the client, which the client then sends to the server on all subsequent requests. Using cookies, the server does not require authentication, the client IP address, or any other time-consuming mechanism to determine that the user is the same user that sent the original request.
  • Page 425: Permanent And Temporary Cookies

    The following topics discussing cookie-based persistence are detailed in this section: “Permanent and Temporary Cookies” on page 425 “Cookie Formats” on page 425 “Cookie Properties” on page 426 “Client Browsers that Do Not Accept Cookies” on page 426 “Cookie Modes of Operation”...
  • Page 426: Cookie Properties

    Cookie Properties Cookies are configured on the Web switch by defining the following properties: Cookie names of up to 20 bytes The offset of the cookie value within the cookie string For security, the real cookie value can be embedded somewhere within a longer string. The offset directs the Web switch to the starting point of the real cookie value within the longer cookie string.
  • Page 427: Cookie Modes Of Operation

    Cookie Modes of Operation Web OS supports the following modes of operation for cookie-based session persistence: insert, passive, and rewrite mode. The following table shows the differences among the modes: Table 16-1 Comparison Among the Three Cookie Modes Cookie Mode Configuration Required Cookie Location...
  • Page 428: Figure 16-3 Passive Cookie Mode

    Passive Cookie Mode In Passive Cookie mode, when the client first makes a request, the switch selects the server based on the load-balancing metric. The real server embeds a cookie in its response to the client.
  • Page 429: Figure 16-4 Rewrite Cookie Mode

    Rewrite Cookie Mode In rewrite cookie mode, the Web switch generates the cookie value on behalf of the server, eliminating the need for the server to generate cookies for each client. Instead, the server is configured to return a special persistence cookie which the switch is configured to recognize.
  • Page 430: Configuring Cookie-Based Persistence

    Configuring Cookie-Based Persistence Before you can configure cookie-based persistence, you need to configure the switch for basic SLB. This includes the following tasks: Assign an IP address to each of the real servers in the server pool. Define an IP interface on the switch.
  • Page 431 Select the appropriate load-balancing metric for the real server group. >> # /cfg/slb/group 2/metric hash (Select hash as server group metric) If embedding an IP address in the cookie, select roundrobin or leastconns as the metric.
  • Page 432 Set multiple response count This parameter is set for passive mode only. Typically, the Web switch searches the first HTTP response packet from the server and, if a persistence cookie is found, sets up a persistent connection between the server and the client.
  • Page 433 Example 1: Setting the Cookie Location In this example, the client request has two different cookies labeled “UID.” One exists in the HTTP header and the other appears in the URI: GET /product/switch/UID=12345678;ck=1234... Host: www.alteonwebsystems.com Cookie: UID=87654321 Look for the cookie in the HTTP header >>...
  • Page 434 Example 2: Parsing the Cookie This example shows three configurations where the switch uses the hashing key or wild cards to determine which part of the cookie value should be used for determining the real server. For example, the value of the cookie is defined as follows: Cookie: sid=0123456789abcdef;...
  • Page 435 Example 4: Using Rewrite Cookie Mode Rewrite server cookie with the encrypted real server IP address: In cookie rewrite mode, if the cookie length parameter is configured to be eight bytes, the switch will rewrite the placeholder cookie value with the encrypted real server IP address. >>...
  • Page 436: Server-Side Multi-Response Cookie Search

    Web OS 10.0 Application Guide Server-Side Multi-Response Cookie Search Cookie-based persistence requires the switch to search the HTTP response packet from the server and, if a persistence cookie is found, sets up a persistence connection between the server and the client. The Alteon switch looks through the first HTTP response from the server. While this approach works for most servers, some customers with complex server configurations might send the persistence cookie a few responses later.
  • Page 437: Ssl Session Id-Based Persistence

    Web OS 10.0 Application Guide SSL Session ID-Based Persistence SSL is a set of protocols built on top of TCP/IP that allows an application server and client to communicate over an encrypted HTTP session, providing authentication, non-repudiation, and security. The SSL protocol handshake is performed using clear (unencrypted) text. The content data is then encrypted (using an algorithm exchanged during the handshake) prior to being transmitted.
  • Page 438: Figure 16-5 SSL Session ID-Based Persistence

    Figure 16-5 illustrates persistence based on SSL session ID as follows: An SSL Hello handshake occurs between Client 1 and Server 1 via the Web switch. An SSL session ID is assigned to Client 1 by Server 1. The Web switch records the SSL session ID.
  • Page 439 Configuring SSL Session ID-Based Persistence To configure session ID-based persistence for a real server, perform the following steps: Configure real servers and services for basic SLB, as indicated below: Define each real server and assign an IP address to each real server in the server pool. Define a real server group and set up health checks for the group.
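The session-ID recording that Figure 16-5 and the steps above describe, as an added Python model that is not Web OS code: the switch reads the session ID from the cleartext ClientHello/ServerHello, records the ID the server assigned, and sends a client that later presents a known ID back to the same real server. The record framing, the round-robin choice for new sessions and the server IPs are assumptions.

```python
import itertools
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2   # TLS record type / handshake types

def hello_session_id(record):
    """Return (msg_type, session_id) for a cleartext TLS/SSL record carrying a
    ClientHello or ServerHello, or None for anything else. In both Hello types
    the session ID follows a 2-byte version and a 32-byte random."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 39 or body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    sid_len = hello[34]
    sid = hello[35:35 + sid_len]
    return (body[0], sid) if len(sid) == sid_len else None

class SessionIdPersistence:
    """Switch-side table mapping an SSL session ID to the real server that issued it
    (added model; Web OS's internal tables are not public)."""
    def __init__(self, real_servers):
        self.table = {}                                    # session ID -> real server IP
        self.pending = {}                                  # client -> server awaiting ServerHello
        self.next_server = itertools.cycle(real_servers)   # assumed round-robin for new sessions

    def on_client_hello(self, client, record):
        """Pick the real server: the recorded one if the client resumes a known ID."""
        parsed = hello_session_id(record)
        if parsed is None or parsed[0] != CLIENT_HELLO:
            return None
        server = self.table.get(parsed[1]) or next(self.next_server)
        self.pending[client] = server
        return server

    def on_server_hello(self, client, record):
        """Record the session ID the server assigned so later connections stick."""
        parsed = hello_session_id(record)
        if parsed is None or parsed[0] != SERVER_HELLO or client not in self.pending:
            return False
        if parsed[1]:                       # an empty ID means the server offered no resumption
            self.table[parsed[1]] = self.pending[client]
        del self.pending[client]
        return True

def make_hello(msg_type, session_id):
    """Build a minimal constructed Hello record (TLS 1.0 framing) for testing."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += b"\x00\x02\x00\x2f\x01\x00" if msg_type == CLIENT_HELLO else b"\x00\x2f\x00"
    hs = bytes([msg_type]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 3, 1]) + len(hs).to_bytes(2, "big") + hs
```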
  • Page 441: Chapter 17: Bandwidth Management

    Chapter 17: Bandwidth Management. Bandwidth Management (BWM) enables Web site managers to allocate a certain portion of the available bandwidth to specific users or applications. It allows companies to guarantee that critical business traffic, such as e-commerce transactions, receives higher priority than non-critical traffic.
  • Page 442: Figure 17-1 Bandwidth Management: How It Works

    Overview To manage bandwidth, create one or more bandwidth management contracts. The switch uses these contracts to limit individual traffic flows. Figure 17-1 Bandwidth Management: How It Works (figure callouts: 2. Administrator configures bandwidth policy and contract; 3. Classification is done on ingress port of switch).
  • Page 443 When Virtual Matrix Architecture (VMA) is not enabled, bandwidth classification is done on the ingress side of the switch (at the ingress port or designated port) and can be based on the following: source port, VLAN, filters, Virtual Internet Protocol (VIP) address, service on the Virtual server, URL, and so on.
  • Page 444: Bandwidth Policies

    Bandwidth Policies Bandwidth policies are bandwidth limitations defined for any set of frames, specifying the guaranteed bandwidth rates. A bandwidth policy is often based on a rate structure whereby a Web host or co-location provider could charge a customer for bandwidth utilization. There are three rates that are configured: a Committed Information Rate (CIR)/Reserved Limit, a Soft Limit, and a Hard Limit, as described below.
  • Page 445: Bandwidth Policy Configuration

    Rate Limits A bandwidth policy specifies three limits, listed and described in Table 17-1: Table 17-1 Bandwidth Rate Limits. Committed Information Rate (CIR) or Reserved Limit: This is a rate that a bandwidth classification is always guaranteed. In configuring BWM contracts, ensure that the sum of all committed information...
  • Page 446: Data Pacing

    Data Pacing The mechanism used to keep the individual traffic flows under control is called data pacing. It is based on the concept of a virtual clock and theoretical departure times (TDT). The actual calculation of the TDT is based initially on the soft limit rate.
  • Page 447: Classification Criteria

    Classification Criteria The frames associated with a particular BWM contract are specified using the parameters listed below. All of these classifications are aimed at limiting the traffic outbound from the server farm for bandwidth measurement and control. Server Output Bandwidth Control Physical Port - All frames are from a specified physical port.
  • Page 448: Combinations

    Combinations Combinations of classifications are limited to grouping items together into a contract. For example, if you wanted to have three different virtual servers associated with a contract, you would specify the same contract index on each of the three virtual server IP addresses. You can also combine filters in this manner.
  • Page 449: Frame Discard

    Frame Discard When packets in a contract queue have not yet been sent and the buffer size set for the queue is full, any new frames attempting to be placed in the queue will be discarded. URL-Based Bandwidth Management URL-based BWM allows the network administrator or Web site manager to control bandwidth based on URLs, HTTP headers, or cookies.
  • Page 450: Figure 17-4 URL-Based Bandwidth Management

    Figure 17-4 URL-Based Bandwidth Management (figure; shows cache servers). Figure 17-5 URL-Based Bandwidth Management with Web Cache Redirection (figure).
  • Page 451: HTTP Header-Based Bandwidth Management

    HTTP Header-Based Bandwidth Management HTTP header-based BWM allows Web site managers to allocate bandwidth based on header value. Thus, they can allocate bandwidth based on browser type, cookie value, and so forth. Cookie-Based Bandwidth Management Cookie-based BWM enables Web site managers to prevent network abuse by bandwidth-hogging users.
  • Page 452: Bandwidth Statistics And History

    Bandwidth Statistics and History Statistics are maintained in order to allow Web switch owners to bill for bandwidth usage. Statistics for frequency and count are configurable. Statistics are kept in the individual Switch Processors (SP) and then collected every second by the MP (Management Processor). The MP then combines the statistics, as statistics for some classifications may be spread across multiple SPs.
  • Page 453: Packet Coloring (TOS Bits) For Burst Limit

    Packet Coloring (TOS bits) for Burst Limit Whenever the soft limit is exceeded, optional packet coloring can be done to allow downstream routers to use diff-serv mechanisms (that is, writing the Type-Of-Service (TOS) byte of the IP header) to delay or discard these out-of-profile frames.
  • Page 454: Configuring Bandwidth Management

    Configuring Bandwidth Management The following procedure provides general instructions for configuring BWM on the switch. Specific configuration examples begin on page 457. Configure the switch as you normally would for SLB. Configuration includes the following tasks: Assign an IP address to each of the real servers in the server pool.
  • Page 455 (Optional) Set the TOS byte value, between 0-255, for the policy underlimit and overlimit. There are two parameters for specifying the TOS bits: underlimit (utos) and overlimit (otos). These TOS values are used to overwrite the TOS values of IP packets if the traffic for a contract is under or over the soft limit, respectively.
  • Page 456 (Optional) Enable TOS overwriting for the BWM contract. >> BWM Contract 1# wtos ena (Enables overwriting for contract) Set the bandwidth policy for this contract. Each bandwidth management contract must be assigned a bandwidth policy. (Assign policy 1 to BWM contract 1) >>...
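An added Python model of the data pacing, packet coloring and frame discard behaviour described above (not Nortel's code or exact algorithm): a per-contract virtual clock advances at the soft limit, frames that arrive ahead of it are held until their theoretical departure time and colored with the overlimit TOS value (otos), and frames that would overflow the contract queue buffer are discarded. The TDT formula, queue sizing and TOS values are assumptions; the CIR and hard limit are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    soft_bps: int    # soft limit (bits/s): the rate the TDT virtual clock runs at
    utos: int = 0    # TOS byte written while the contract is under its soft limit
    otos: int = 0    # TOS byte written while the contract is over its soft limit

@dataclass
class Contract:
    name: str
    policy: Policy
    queue_bytes: int                       # buffer size of the contract queue
    wtos: bool = False                     # TOS overwriting enabled ("wtos ena")
    tdt: float = 0.0                       # theoretical departure time (virtual clock)
    queued: list = field(default_factory=list)      # (departure_time, size) of paced frames
    stats: dict = field(default_factory=lambda: {"sent": 0, "colored": 0, "discarded": 0})

    def _backlog(self, now):
        """Release frames whose TDT has passed and return the bytes still buffered."""
        self.queued = [(t, s) for t, s in self.queued if t > now]
        return sum(s for _, s in self.queued)

    def offer(self, now, size, tos):
        """Pace one frame of `size` bytes arriving at `now` seconds.
        Returns (action, tos_byte) with action 'send', 'queue' or 'discard'."""
        backlog = self._backlog(now)
        service = size * 8 / self.policy.soft_bps    # transmit time at the soft rate (assumed TDT step)
        if self.tdt <= now:
            # The virtual clock has caught up: the flow is under its soft limit.
            self.tdt = now + service
            self.stats["sent"] += 1
            return "send", self.policy.utos if self.wtos else tos
        if backlog + size > self.queue_bytes:
            # Contract queue is full: the new frame is discarded, not re-paced.
            self.stats["discarded"] += 1
            return "discard", tos
        # Over the soft limit: hold the frame until its TDT and color it for downstream diff-serv routers.
        self.tdt += service
        self.queued.append((self.tdt, size))
        self.stats["colored"] += 1
        return "queue", self.policy.otos if self.wtos else tos

def simulate(frames, contract):
    """Run constructed frames [(arrival_s, size_bytes, tos)] through one contract."""
    return [contract.offer(t, size, tos) for t, size, tos in frames]

if __name__ == "__main__":
    # Constructed burst: 1000 bytes/s soft limit, 1500-byte queue, five 500-byte frames in 0.4 s.
    dialup = Contract("dial-up", Policy(8000, utos=0x28, otos=0x30), queue_bytes=1500, wtos=True)
    burst = [(0.0, 500, 0), (0.1, 500, 0), (0.2, 500, 0), (0.3, 500, 0), (0.4, 500, 0), (2.5, 500, 0)]
    for (t, size, _), (action, tos) in zip(burst, simulate(burst, dialup)):
        print(f"t={t:.1f}s {size}B -> {action:7s} TOS=0x{tos:02x}")
    print(dialup.stats)
```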
  • Page 457: Additional Configuration Examples

    Additional Configuration Examples Examples are provided for the following Bandwidth Management applications: User/Application Fairness: see next section Preferential Services: page 460 URL-Based: page 463 Cookie-Based: page 465 Security Management: page 468 User/Application Fairness Example Bandwidth Management can be applied to prevent heavy bursters from locking out other users, such as in preventing the following: Customers using broadband access (such as DSL) from blocking dial-up customers Customers from the same hosting facility locking out each other because of flash crowd...
  • Page 458 On the switch, select a BWM contract and name the contract. Each contract must have a unique number from 1 to 256. (Select BWM contract 1) >> Policy 1# /cfg/bwm/cont 1 (Assign contract name “dial-up”) >>...
  • Page 459 Assign the BWM contracts to different switch ports. Physical switch ports are used to classify which frames are managed by each contract—that is, one BWM contract will be applied to all frames from a specific port. The second contract will be applied to all frames from another specified port.
  • Page 460: Preferential Services Examples

    Preferential Services Examples BWM can be used to provide preferential treatment to certain traffic, based on source IP blocks, applications, URL paths, or cookies. You may find it useful to configure higher policy rate limits for specific sites, for example, those used for e-commerce. Web Site Preference Example In the following example, there are two Web sites, “A.com”...
  • Page 461 Set the bandwidth policy for this contract. Each BWM contract must be assigned a bandwidth policy. (Assign policy 1 to BWM contract 1) >> BWM Contract 1# pol 1 Enable this BWM contract. (Enables this BWM contract) >>...
  • Page 462 Create a virtual server that will be used to classify the frames for contract 1 and assign the Virtual server IP address for this server. Then, assign the BWM contract to the virtual server. Repeat this procedure for a second virtual server. –...
  • Page 463 URL-Based Bandwidth Management Example In this example, you will assign bandwidth based on URL paths. For URL-based server load balancing, a user has to first define strings to monitor. Each of these strings is attached to real servers, and any URL with the string is load balanced across the assigned servers.
  • Page 464 Configure a real server to handle the URL request. To add a defined string: >> # /cfg/slb/real 2/layer7/addlb <URL path ID> where URL path ID is the identification number of the defined string as displayed when you enter the cur command.
  • Page 465 Turn on URL-based server load balancing on the virtual server. Configure everything under the virtual server as in Configuration Example 1. >> # /cfg/slb/virt 1/service 80/httpslb enable urlslb If the same string is used by more than one service, and you want to allocate a certain percentage of bandwidth to this URL string for this service on the virtual server, then define a rule using the command.
  • Page 466 Allocate bandwidth for each string. To do this, assign a BWM contract to each defined string. >> # /cfg/slb/layer7/lb/cont <URL path ID> <BWM Contract number> Configure a real server to handle the cookie. To add a defined string: >>...
  • Page 467: Figure 17-7 Cookie-Based Preferential Services

    Scenario 2: In this scenario, the Web site has multiple virtual server IP addresses, and the same user classification or multiple sites use the same string name. In this scenario, there are two Virtual IP (VIP) addresses: 172.17.1.1 and 172.17.1.2. Both the virtual servers and sites have first class and business class customers, with different bandwidth allocations, as shown in Figure 17-7 on page 467.
  • Page 468 Security Management Example BWM can be used to mitigate Denial of Service (DoS) attacks that flood the network with “necessary evil” packets, by limiting the rate of TCP SYN, ping, and other disruptive packets and by alerting/logging the network manager when soft limits are exceeded. In the following example, a filter is configured to match ping packets, and BWM is configured to prevent DoS attacks by limiting the bandwidth policy rate of those packets: Configure the switch as usual for SLB (see...
  • Page 469 Set the bandwidth policy for the contract. Each BWM contract must be assigned a bandwidth policy. (Assign policy 1 to BWM contract 1) >> BWM Contract 1# pol 1 Enable the BWM contract. (Enables this BWM contract) >>...
  • Page 471: Glossary

    Glossary DIP (Destination IP Address): The destination IP address of a frame. Dport (Destination Port): The destination port (application socket: for example, http-80/https-443/DNS-53). NAT (Network Address Translation): Any time an IP address is changed from one source IP or destination IP address to another address, network address translation can be said to have taken place.
  • Page 472 SIP (Source IP Address): The source IP address of a frame. SPort (Source Port): The source port (application socket: for example, HTTP-80/HTTPS-443/DNS-53). Tracking: In VRRP, a method to increase the priority of a virtual router and thus master designation (with preemption enabled).
  • Page 473 VRRP (Virtual Router Redundancy Protocol): A protocol that acts very similarly to Cisco’s proprietary HSRP address sharing protocol. The reason for both of these protocols is so devices have a next hop or default gateway that is always available.