
Alteon Switch

Operator Training

- Alteon switch
  - Alteon switch product family
  - Understanding Server Load Balancing
  - Operating and configuring Server Load Balancing
  - Troubleshooting Guide

- Alteon switch product family

AAS 2216
• 16ea 10/100 Mbps ports
• 2ea Gigabit ports
• 1M concurrent sessions
• 16 Gbps backplane capacity

AAS 3408
• 8ea 10/100/1000 Mbps ports
• 8ea Gigabit ports
• 2M concurrent sessions
• 16 Gbps backplane capacity

WSM
• 4- 10/100 TX or Gig SX ports
• 80MB of Memory
• 512K concurrent sessions

AAS 2424
• 24 10/100Mbps ports
• 4ea Gigabit ports
• 2M concurrent sessions
• 16 Gbps backplane capacity

184(AD4)
• Nine 10/100/1000 Mbps ports
• 4 MB of memory per port (1-8)
• 8 MB of memory on port 9
• 512K concurrent sessions
• 8 Gbps backplane capacity

AAS 2208
• 8ea 10/100 Mbps ports
• 2ea Gigabit ports
• 600K concurrent sessions
• 16 Gbps backplane capacity

180e(AD3)
• Eight 10/100/1000 Mbps ports
• One 1000BASE-SX port
• 2MB of memory per port
• 336K concurrent sessions
• 8 Gbps backplane capacity

[Figure: the models above plotted by Price and Feature/Function]

Alteon Web switches
• Selectable 8 x 10/100 or 1000SX Ethernet ports
• 100 or Gigabit Ethernet uplink on Port 9
• AC and DC power available
• 6 LEDs/port
• Console port
[Figure labels: Alteon 184, Link, Data, Active]

Alteon Web switches
• WebIC: network processing ASIC with hardware-assisted forwarding engine and dual RISC processors
• Up to 20 RISC processors per switch
• Optimized for processing-intensive session services
• Separate centralized switch management processors
[Diagram: Management Module (RISC, Memory, Flash) and Switch Ports, each with a WebIC (two RISC processors, Fwd Engine, Memory), joined by an 8 Gbps Switch Backplane]

- Passport 8600 Routing Switch with Alteon Web Switching Module
• Complete Layer 2-7 switching solution
• Comprised of Alteon Web Switching Module for the Passport 8600
• Integrated platform provides a higher level of intelligent networking for LAN/WAN/MAN and data center requirements
• Lower total cost of ownership with L2-7 integration and device consolidation
[Figure labels: Passport 8600 L2-7 Intelligent Routing Switch; Alteon Web Switching Module (WSM)]

Alteon Application Switch Nomenclature
Alteon nn nn
• Series Number: 2 = Fast Ethernet, 3 = Gigabit Ethernet
• Gigabit Uplink Ports
• Port Density

- The four Alteon Application Switch models
• AAS 2208 (8FEx2GE): 8 FE, 2 GE
• AAS 2216 (16FEx2GE): 16 FE, 2 GE
• AAS 2424 (24FEx4GE): 24 FE, 4 GE
• AAS 3408 (12GE): 4 1000TX or GBIC Choice, 4 1000TX Only, 4 1000TX or GBIC Choice; 4 GE
[Figure: front-panel port numbering of each model]

- Alteon Application Switch 2424
Front panel, 1-RU form factor:
• RJ45 Auto 10/100 Fast Ethernet Ports, LEDs on Port
• SFP GBICs: 1000Base-SX or 1000Base-LX with LC Connectors
• DB9 Console
• RJ45 Management Port
• LEDs: SFP
• LED: Fan
• LED: Power

- Alteon Application Switch 3408
Front panel, 1-RU form factor:
• RJ45 Auto 10/100/1000 Ethernet Ports
• SFP GBICs: 1000Base-SX or 1000Base-LX with LC Connectors
• Optional Copper or Optical
• DB9 Console
• RJ45 Management Port
• LEDs: SFP
• LED: Fan
• LED: Power

Alteon Application Switch Inside
MP
• On AD/180 series, Management Processor and Management Port are synonymous
• On Alteon 2000/3000 series, MP refers to Management Processor and NOT Management Port
• Health checking, start-up, configurations…
SP
• On AD/180 series, Switch Processor and Switch Port are synonymous
• On Alteon 2000/3000 series, SP refers to Switch Processor, which is not the same as a Switch Port
• Layer 2 – 7 processing
• 128-MB each of fast SDRAM (SP)
• Total switch memory = 640-MB
Architecture allows for flexibility in future software feature/application development.
[Diagram: MP and SP1 to SP4, each with memory (M), joined by the VMA; Gigabit Ethernet and Gigabit or Fast Ethernet ports]

Alteon Application Switch VMA
Virtual Matrix Architecture (VMA)
Performance of distributed architecture with centralized architecture’s resource utilization
• CPUs at all ports actively share L4-7 processing load
 – Each ingress packet hashed to one of 8 ports for L4-7 processing
 – Hashing algorithm ensures even distribution of Internet traffic
 – Packets in same session always hashed to the same CPU
• Memory at all ports pooled and utilized at all times
 – Session entries kept in memory local to designated CPUs
 – Global session table kept for cookie persistent sessions
 – All ports store all filtering/redirection policies
[Diagram: Client, eight CPUs, Server, Unattached port; frame labels DA_X SA_1, DA_Y SA_2, DA_X SA_3, RIP_A, RIP_B]

Alteon Application Switch performance

| Category | 3408(E) | 2424-SSL(E) | 2424(E) | 2216(E) | 2208(E) |
|---|---|---|---|---|---|
| Total Ports | 12 | 28 | 28 | 18 | 10 |
| 10/100 Ethernet Ports | 4+4** | 24 | 24 | 16 | 8 |
| Gigabit Ethernet Ports | 4+4** | 4 | 4 | 2 | 2 |
| IP Routing Interfaces | 256 | 256 | 256 | 256 | 256 |
| Virtual Server Support | 1024 | 1024 | 1024 | 1024 | 1024 |
| Real Server Support | 1024 | 1024 | 1024 | 1024 | 1024 |
| Policy Filters | 2048 | 2048 | 2048 | 2048 | 2048 |
| Concurrent Sessions | 2M(4M) | 2M(4M) | 2M(4M) | 1M(2M) | 600K(1M) |
| Layer 7 Performance (sessions/second) | >51K* | >51K* | >51K* | 30K* | 15K* |
| Layer 4 Performance (sessions/second) | >110K* | >110K* | >110K* | 40K* | 20K* |
| Integrated SSL Acceleration (tps)** | No | Base:300 Max:1000 | No | No | No |
| Integrated SSL VPN | No | Yes | No | No | No |
| Height (inches/RU) | 1.75/1 | 1.75/1 | 1.75/1 | 1.75/1 | 1.75/1 |

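Alteon Application Switch use cases
• Server load balancing: Application LB, Global Server LB, Application Health Checks
• Network device acceleration: Firewall/IDS LB, bidirectional VPN LB, WAN Links, WAP Gateways
• Application redirection: Web Site, various caches, SSL Appliance, Streaming Media
• Advanced filtering: Layer 2-4 Attributes, VLAN Filtering, Accept, Deny, NAT, Redirect
• DPI: Layer 7 Deep Packet Inspection, ASCII and binary patterns provided, pattern grouping
• Security services: basic DoS prevention, application overuse, SSL VPN
• Traffic management: flow-based BWM
• Security pattern updates: Nortel P2P patterns, Bogon filter list management
• Detailed attack logging (source and destination IP and port, attack name)
• Per-user session history tracking
• Traffic statistics
• Bandwidth Management
• Hauri virus patterns
[Figure label: VPN]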

Application Switch based Layer 4-7 Application/Content Intelligence
• OSI 7-Layer Model: Layer 7, Layer 6, Layer 5, Layer 4, Layer 3, Layer 2, Layer 1
• Protocol Example: HTTP & URL, patterns, SSL, TCP, IP, Ethernet
• Device Example: server/IDS, intelligent L2-7 devices; application switch; L3 devices such as routers; L2 devices such as Ethernet switches

SLB (Server Load Balancing)
Understanding Server Load Balancing
• The traditional Server Load Balancing method
 - Server Load Balancing using DNS round robin
[Diagram: Client Request: www.abc.com; Internet; DNS: www.abc.com = x, www.abc.com = y, www.abc.com = z; Servers X, Y, Z]

SLB (Server Load Balancing)
Server Load Balancing through the L4 switch
 - The client enters a URL in the web browser and connects to the Virtual Server on the L4 switch through the IP address obtained from DNS (on the L4 switch this is called the Virtual IP, VIP).
 - An HTTP request that reaches the Virtual Server is matched to the group of actual servers (real servers) mapped to the VIP.
 - Matching to the server group is done by one of the distribution algorithms the L4 switch provides; choose the one that suits the nature of the site.
[Diagram: Client Request: www.abc.com; Internet; DNS: www.abc.com = VIP; Virtual IP Address; Health Checking; Servers R_IP 1, R_IP 2, R_IP 3 (Real IP Addresses)]

Alteon Application Switch WebOS Traffic Flow
• At each Ingress Port, if Layer 4 parameters are configured, traffic flow follows these 3 processes:
• Server – Translates RIP to VIP, RPort to VPort and RMAC to VMAC
• Filter – Fires Filters and performs associated action
• Client – Translates VIP to RIP, VPort to Rport and VMAC to RMAC

SLB (Server Load Balancing)
- Terminology
• Virtual IP Address (VIP)
 – Also called Virtual Server
 – Each VIP must have at least one service
 – Each VIP can support 8 Services
• Real Servers
 – Can have Public or Private IP Addresses
 – Must run a TCP/UDP service
 – Up to 1024 Real Servers can be configured (Version 10)
 – Can have maximum connections and timeout values assigned
• Groups
 – Support of up to 256 Groups
 – A Group can support 1024 Real Servers
 – Requires a Health Check metric
 – Requires a Load Balancing Metric
[Diagram: Client, Internet, Virtual IP Address (VIP), Group, Real server IP Address (RIP)]

SLB (Server Load Balancing)
- Terminology
• CIP, CMAC, Cport – Client: IP address, MAC address, TCP/UDP port
• VIP, VMAC, Vport – virtual server: IP address, MAC address, TCP/UDP port
• RIP, RMAC, Rport – real server: IP address, MAC address, TCP/UDP port
• PIP, PMAC, Pport – proxy: IP address, MAC address, TCP/UDP port
• Session – TCP connection, UDP session, IP flow
[Diagram: Client (CIP, CMAC, CPORT); Internet; VMAC, VIP, VPORT; Group (RMAC, RIP, RPORT)]

SLB (Server Load Balancing)
- Terminology
• Client ports
 - Switch ports to which client processing can be applied
 - Assign each session to a server
• Server ports
 - Switch ports to which server processing can be applied
• Health Check
 - Function that regularly checks servers for faults (http, tcp, ftp, icmp ...)
[Diagram: Client, Internet, Client ports (translate VIP to RIP), Server ports (translate RIP to VIP), Health Check, SERVERS]

SLB (Server Load Balancing)
• Client / Server processing
 – Changes DIP from VIP to Real server IP and vice-versa
 – Client processing also creates session binding entry based on client SIP and Sport
[Diagram: a request from client 200.20.20.1 to VIP 100.10.10.1 is rewritten by client processing to DIP 192.168.1.1; the reply from Server 192.168.1.1 to 200.20.20.1 is rewritten by server processing to SIP 100.10.10.1. Frame labels: DMAC = V-MAC, DMAC = R-MAC, DMAC = C-MAC, DMAC = DGW-MAC]

SLB (Server Load Balancing)
• Client Processing
 - Translating the VIP (Virtual IP address) to the RIP (Real IP address)

Flow:
 Client port? (no / yes)
 yes: look up the Session Table. Existing session entry?
  no: 1. Select Server 2. Place Entry in Session Table
  yes: 1. Translate VMAC:VIP:Vport to RMAC:RIP:Rport 2. Forward to real server egress port

| Category | Clients to L4 | L4 to Server |
|---|---|---|
| Dst MAC | V mac | R mac |
| Src MAC | C mac | C mac |
| Src IP | C ip | C ip |
| Dst IP | V ip | R ip |
| Src TCP port | 2155 | 2155 |
| Dst TCP port | 80 | 80 |

SLB (Server Load Balancing)
• Server Processing
 - Translating the RIP (Real IP address) to the VIP (Virtual IP address)

Flow:
 Server port? yes: look up the Service Mapping Table.
 Frame IP SA and source UDP/TCP port matches a configured RIP:Rport?
 Translate RIP:Rport to VIP:Vport
 Filtering

| Category | Server to L4 | L4 to Clients |
|---|---|---|
| Src MAC | R mac | V mac |
| Dst MAC | C mac | C mac |
| Src IP | R ip | V ip |
| Dst IP | C ip | C ip |
| Src TCP port | 80 | 80 |
| Dst TCP port | 2155 | 2155 |

SLB (Server Load Balancing)
• Health Check
• Health check types
 - ICMP
 - TCP: 3 way handshake (Service port)
 - HTTP
 - Content
 - Application specific – Radius, SSL, POP, DNS etc.
 - Scripted – send sequence, expected response
• Health check parameters (realserver)
 - Interval (default 2sec)
 - Retry counts
 - Restore counts
 - etc
[Diagram: R1_OK, R2_OK, R3_Fail]

SLB (Server Load Balancing)
• Load Balancing Metrics
• Load Based:
 – Round Robin / Weighted Round Robin
 – Least Connections / Weighted Least Connections
 – Response Time
 – Bandwidth
• Persistent IP Based
 – Hash
 – Minimum Misses
 – SSL ID
 – Cookie
Option: Weights, Maxcon…

SLB (Server Load Balancing)
>> Load Balancing Metrics <<
• Round Robin Load Balancing
 - Assigns sessions to the real servers in sequence.
 - A weight and a maximum connection limit can be applied.
• LeastConns Load Balancing
 - Considers the number of open sessions on each real server and assigns the new session to the real server with the fewest open sessions.
 - Useful where the real servers have different resources and where the time and amount of data per connection vary.

SLB (Server Load Balancing)
>> Load Balancing Metrics <<
• Hash
 - Keeps a session between a client and a server on the same server once it is established, so a given client always connects to the same server.
 - The server to connect to is decided by the remainder of the client's source IP address (32 bit) divided by the number of real servers.
• Minimum Misses
 - Almost the same as the Hash algorithm.
 - It also decides the server by the remainder of the client's source IP address (32 bit) divided by the number of real servers.
 - However, this algorithm is recommended mainly for Cache Redirection.
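The Hash metric described above, as an added example (not from the original slides and not Alteon code). It assumes a real server that fails its health check is dropped from the list so the divisor shrinks; the client range 192.0.2.0/24 is constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Real servers from the slides' sample topology; clients are constructed.
REALS = ["10.1.1.11", "10.1.1.12", "10.1.1.13"]
CLIENTS = [str(ip) for ip in ipaddress.ip_network("192.0.2.0/24")]


def hash_select(client_ip, servers):
    """32-bit client source IP modulo the number of real servers."""
    return servers[int(ipaddress.IPv4Address(client_ip)) % len(servers)]


def distribution(clients, servers):
    """How many clients land on each real server."""
    return Counter(hash_select(c, servers) for c in clients)


def persistence_after_failure(clients, servers, failed):
    """Count what happens to client-to-server bindings when one server fails.

    Assumption of this example: the failed server is removed from the list,
    so the divisor changes from len(servers) to len(servers) - 1.
    Returns (forced, moved, kept):
      forced - clients that were on the failed server and must move
      moved  - clients on a healthy server that change server anyway
      kept   - clients that stay on the same server
    """
    survivors = [s for s in servers if s != failed]
    forced = moved = kept = 0
    for client in clients:
        old = hash_select(client, servers)
        new = hash_select(client, survivors)
        if old == failed:
            forced += 1
        elif old != new:
            moved += 1
        else:
            kept += 1
    return forced, moved, kept


if __name__ == "__main__":
    print(distribution(CLIENTS, REALS))
    print(persistence_after_failure(CLIENTS, REALS, "10.1.1.13"))
    # Clients behind one NAT address share a source IP, so they all
    # land on the same real server.
    print(distribution(["192.0.2.7"] * 50, REALS))
```

With these inputs roughly half of the clients that were on a healthy server lose their binding when one server fails, which matters for any state kept on the real server.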

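SLB (Server Load Balancing)
>> Load Balancing Metrics <<
• Bandwidth
 - Load balances according to bandwidth usage.
 - Sessions are connected first to the server using the least bandwidth.
• Response Time
 - Load balances according to response time.
 - Sessions are connected first to the server with the fastest response.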

SLB (Server Load Balancing)
• DAM (Direct Access Mode)
• When Server Processing is run the switch assumes flows with an IP SA of a RIP are using a load balanced service, and the IP SA is always translated from RIP to VIP without checking the session table
• This allows packets to enter one switch and leave on another and still be translated from RIP to VIP, e.g. Active-Active
• No Direct Access to the RIP is possible
• The RIP to VIP translation is not done automatically; it requires that the Session Table is checked first
[Diagram: Client, Internet, Real IP]
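The client processing and server processing flows and the two server-processing behaviours on the Direct Access Mode slide, modelled as an added example (not Alteon code and not from the original slides). The class, the round-robin selection and the sample addresses are assumptions of the example, as is reading the last DAM bullet as the mode in which server processing consults the session table before translating.

```python
from dataclasses import dataclass, replace

# Sample addresses and ports chosen for this example.
VIP, VPORT = "100.10.10.1", 80
REALS = [("192.168.1.1", 80), ("192.168.1.2", 80)]


@dataclass(frozen=True)
class Packet:
    sip: str
    sport: int
    dip: str
    dport: int


class SlbSwitch:
    def __init__(self, check_session_table):
        # False: server processing always rewrites RIP to VIP.
        # True: it rewrites only replies found in the session table.
        self.check_session_table = check_session_table
        self.sessions = {}  # (client IP, client port) -> (RIP, Rport)
        self._rr = 0        # round-robin counter used to select a server

    def client_processing(self, pkt):
        """Client port: VIP:Vport -> RIP:Rport, bound on client SIP and Sport."""
        if (pkt.dip, pkt.dport) != (VIP, VPORT):
            return pkt      # not addressed to the virtual service
        key = (pkt.sip, pkt.sport)
        if key not in self.sessions:
            # No existing entry: select a server, place entry in the table.
            self.sessions[key] = REALS[self._rr % len(REALS)]
            self._rr += 1
        rip, rport = self.sessions[key]
        return replace(pkt, dip=rip, dport=rport)

    def server_processing(self, pkt):
        """Server port: RIP:Rport -> VIP:Vport for a configured real server."""
        if (pkt.sip, pkt.sport) not in REALS:
            return pkt
        if self.check_session_table:
            bound = self.sessions.get((pkt.dip, pkt.dport))
            if bound != (pkt.sip, pkt.sport):
                return pkt  # reply to a direct connection: leave the RIP
        return replace(pkt, sip=VIP, sport=VPORT)


def demo(check_session_table):
    """One load-balanced connection and one direct connection to a RIP."""
    sw = SlbSwitch(check_session_table)
    to_server = sw.client_processing(Packet("200.20.20.1", 2155, VIP, VPORT))
    reply = sw.server_processing(
        Packet(to_server.dip, to_server.dport, "200.20.20.1", 2155))
    # A second host connects straight to real server 1, bypassing the VIP.
    direct = sw.client_processing(Packet("200.20.20.9", 3000, "192.168.1.1", 80))
    direct_reply = sw.server_processing(
        Packet("192.168.1.1", 80, "200.20.20.9", 3000))
    return {"to_server": to_server, "reply": reply,
            "direct": direct, "direct_reply": direct_reply}


if __name__ == "__main__":
    for mode in (False, True):
        print(mode, demo(mode)["direct_reply"])
```

Without the session-table check the reply to the direct connection comes back with the VIP as its source, so the host that connected to the RIP cannot match it to its connection; with the check it keeps the RIP.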

SLB (Server Load Balancing)
• DSR (Direct Server Return)
• To configure DSR on the Alteon switch:
 /cfg/slb/real 1/submac en
 /cfg/slb/virt 1/ser http/nonat en
[Diagram: Client, Internet, paths 1, 2, 3; Servers R_IP 1, R_IP 2, R_IP 3 with Loopback if = VIP]

SLB (Server Load Balancing)
• High Availability with VRRP
VRRP (Virtual Router Redundancy Protocol)
 - rfc 2338
 - VRRP uses IP multicast to communicate on 224.0.0.18
 - Use of a multicast MAC address (00-00-5E-00-01-02 for VRID = 2)
 - Alteon extensions to VRRP support Layer 4 redundancy with virtual server routers (VSR), shared Mode
[Diagram, switches M and B: 1 Multicast Updates, 2 ARP for Default Gateway, 3 Master Answers ARP, 4 Path For Traffic]

SLB (Server Load Balancing)
• High Availability with VRRP
Active – standby
 - All switches actively perform load balancing and/or routing functions, but for different virtual services and/or interfaces
[Diagram: Active, Standby]

SLB (Server Load Balancing)
• High Availability with VRRP
Active – Hot standby
 - One master with one or more backups. Only master processes layer 4 traffic
 - STP is not needed to eliminate bridge loops.
[Diagram: Active, Hot Standby, BLOCKING]

SLB (Server Load Balancing)
• High Availability with VRRP
Active – Active
 - All switches can actively forward traffic for the same virtual services and/or interface
[Diagram: Active, Active]

SLB (Server Load Balancing)
• Basic configuration and operation
 - CLI (Command Line Interface)
[Main Menu]
 info - Information Menu
 stats - Statistics Menu
 cfg - Configuration Menu
 oper - Operations Command Menu
 boot - Boot Options Menu
 maint - Maintenance Menu
 diff - Show pending config changes [global command]
 apply - Apply pending config changes [global command]
 save - Save updated config to FLASH [global command]
 revert - Revert pending or applied changes [global command]
 exit - Exit [global command, always available]

SLB (Server Load Balancing)
• Basic configuration and operation
Administration Interfaces
 - CLI (Command Line Interface): console (DB9), telnet
   /cfg/sys/tnet enable
 - BBI (Browser Base Interface)
   /cfg/sys/http enable
   /cfg/sys/wport <port>
 - SNMP: EMS
   /cfg/sys/snmp
   /cfg/snmp
 - RMON

SLB (Server Load Balancing)
• Basic configuration and operation
 - BBI (Browser Base Interface)

SLB (Server Load Balancing)
• Basic configuration and operation
 - EMS (Alteon Element Management System)
• An Intuitive, Graphical Configuration Tool
 – Java based Client/Server Application
 – Stand-alone client
 – Unix/Windows support
• Platform-Less Operation
 – Optional usage in HP OpenView environment

SLB (Server Load Balancing)
• Basic configuration and operation
 - EMS (Alteon Element Management System)
 Real Time Statistical Information Graphing

SLB (Server Load Balancing)
• Basic configuration and operation
Step1 L2, L3 system configuration
1. Connect switch
 Enter password : admin (default)
2. Set IP address of switch
 /cfg/ip/if 1 (enter)
 mask 255.255.255.0 (enter)
 add 10.1.1.10 (enter)
 en (enter) // enable
3. Set gateway ip address
 /cfg/ip/gw 1 (enter)
 add 10.1.1.1 (enter)
 en (enter)
4. Set telnet, http access
 /cfg/sys/tnet en (enter)
 /cfg/sys/http en (enter)
 apply (enter)
 save (enter)
[Diagram: Client; Internet gateway 10.1.1.1/24; VIP 10.1.1.100 service http; L4 IP 10.1.1.10/24; switch ports 1, 2, 3, 4; Realserver IP 10.1.1.11~13]

SLB (Server Load Balancing)
• Basic configuration and operation
Step2 L2, L3 monitor and information
1. /info/link
 >> Main# /info/link
 ------------------------------------------------------------------
 Port  Speed   Duplex  Flow Ctrl    Link
                       --TX-----RX--
  1    100     full    yes   yes    up
  2    100     full    yes   yes    up
  3    100     full    yes   yes    up
  4    100*    full*   no*   no*    up
  5    10/100  any     yes   yes    down
  6    10/100  any     yes   yes    down
  7    10/100  any     yes   yes    down
 * = value set by configuration; not autonegotiated.
2. Port speed setting (manual)
 /cfg/port 24/fast/speed 100/mode full/auto off
 Current port 24 speed setting: 10/100
 Pending new speed setting: 100
 Current port 24 mode setting: any
 Pending new mode setting: full duplex
 Current port 24 autonegotiation: on
 Pending new autonegotiation: off
3. /info/l3/ip (/info/ip)
 >> Information# /info/ip
 Interface information:
  1: 10.1.1.10 255.255.255.0 10.1.1.255, vlan 1, up
 Default gateway information: metric strict
  1: 10.1.1.1, vlan any, up
[Diagram: Client; Internet gateway 10.1.1.1/24, health check (icmp); L4 IP 10.1.1.10/24; switch ports 1, 2, 3, 4; Realserver IP 10.1.1.11~13]

SLB (Server Load Balancing)
• Basic configuration and operation
Step3 L4 SLB configuration
1. SLB ON
 /cfg/slb/on
2. Real server configuration
 /cfg/slb/real 1/rip 10.1.1.11/en (enter)
 Current real server IP address: 0.0.0.0
 New pending real server IP address: 10.1.1.11
 /cfg/slb/real 2/rip 10.1.1.12/en (enter)
 /cfg/slb/real 3/rip 10.1.1.13/en (enter)
3. Group, health check configuration
 /cfg/slb/gr 1/add 1/add 2/add 3 (enter)
 Real server 1 added to real server group 1.
 Real server 2 added to real server group 1.
 Real server 3 added to real server group 1.
 /cfg/slb/gr 1/health http
 Current health check type: tcp
 New pending health check type: http
4. Group load balancing Metric configuration
 /cfg/slb/gr 1/metric leastconns | roundrobin | minmisses | hash…
[Diagram: Client; Internet; VIP 10.1.1.100 service http; L4 IP 10.1.1.10/24; switch ports 1, 2, 3, 4; Health check; Group 1, Realserver IP 10.1.1.11~13]

SLB (Server Load Balancing)
• Basic configuration and operation
Step3 L4 SLB configuration
5. VIP, Service port, group configuration
 >> Main# /cfg/slb/virt 1/vip 10.1.1.100/en
 Current virtual server IP address: 0.0.0.0
 New pending virtual server IP address: 10.1.1.100
 Current status: disabled
 New status: enabled
 >> Main# /cfg/slb/virt 1/service http
 ------------------------------------------------------------
 [Virtual Server 1 http Service Menu]
  group - Set real server group number
  rport - Set real port
  hname - Set hostname
  ...
 >> Virtual Server 1 http Service# gr 1
 Current real server group: 1
 New pending real server group: 1
[Diagram: Client; Internet gateway 10.1.1.1/24; VIP 10.1.1.100 service http; L4 IP 10.1.1.10/24; switch ports 1, 2, 3, 4; Health check; Group 1, Realserver IP 10.1.1.11~13]

SLB (Server Load Balancing)
• Basic configuration and operation
Step3 L4 SLB configuration
6. Client, Server process configuration
 >> Main# /cfg/slb/port 1/client en (enter)
 Current client processing: disabled
 New client processing: enabled
 >> SLB port 1# /cfg/slb/port 2/server en (enter)
 Current server processing: disabled
 New server processing: enabled
 >> SLB port 2# /cfg/slb/port 3/server en (enter)
 >> SLB port 3# /cfg/slb/port 4/server en (enter)
[Diagram: Client; Internet gateway 10.1.1.1/24; Client side port 1; L4 IP 10.1.1.10/24; Server side ports 2, 3, 4; Group 1, Realserver IP 10.1.1.11~13]

server 5: 0. port 3. vlan 0.0.0.11~13 Real server state: 1: 10.1. 00:00:00:00:00:00. port 0. server 3: 0.1/24 VIP 10.0. group 1. vlan 1. 00:e0:00:8c:cd:19. up 3: 10.0. port 2.VIP.1.0 6: 0. 0 ms. up 2: 10..1.1.1.12.1. 00:60:cf:4b:04:6e virtual ports: http: rport http. backup none real servers: 1: 10.1.1. client 2: 0. 00:e0:00:8c:cd:18. server 4: 0. backup none.0.1.10/24 2 3 4 Client Group 1 Realserver IP 10.100.0.1.11. backup none.1.0.1. up 3: 10.12.0 .13. 1 ms. health 4.0.1. Realserver heath check monitor Main# /iinfo/slb/du Internet gateway 10.13.1. health 4.1.1.0.1. up 2: 10. FAILED Virtual server state: 1: 10. health 4. backup none.11.1. vlan 1.1.0.0.1.0.0. FAILED Redirect filter state: Port state: 1: 0.SLB ( Server Load Balancing) • Basic configration and operation Step4 L4 SLB monitor and operation 1.1.1. 2 ms.100 sevice http 1 L4`IP 10.0.0.0.

1.1.-------.1/24 VIP 10.1.1.--------------1 10.-----------------------0 1 1 134204 Internet gateway 10.Group LB monitor >>Main# /stat/slb/gr 1 -----------------------------------------------------------------Real server group 1 stats: Current Total Highest Octets Real IP address Sessions Sessions Sessions ---.----.SLB ( Server Load Balancing) • Basic configration and operation Step4 L4 SLB monitor and operation 2.1.1.10/24 2 3 4 Client 3.1.---------.12 0 1 1 75884 ---.12 80 age 10 E Group 1 Realserver IP 10.1.11 0 0 0 58320 2 10. Session talbe monitor >> Main # /info/slb/se/du 4.1.1.1.1.1.--------------------------.-------.1 1322 --> 10.11~13 .1.1.--------------------------.1025: 10.100 sevice http 1 L4`IP 10..1.-------.

1. the session is freed. 2. (3) Source IP address: This field contains the source IP address from client IP packet.1.2. this address is the destination server's address.1 http age 6 f:10 ELNPSRtUW c:# (1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) 3. associated with a session. For load balancing. 01: 1. 2.3.1. Session talbe monitor >> Main # /info/slb/sess/help The fields.1 4586. (6) Destination port: This field identifies the TCP/UDP destination port from client packet.1 http age 6 f:10 ELNPSRtUW c:# (7a) (7) (8) (9) (10) (11) (12) (13) -----------------------------------------------------------------(1) SP number: This field indicates which SP created the session. (8) Real server IP address: (9) Server port: (10) Age: This is the session timeout value. .2.1.2.1 http -> (1) (2) (3) (4) (5) (6) 1. 01: 1.. this address is the virtual IP address. (5) Destination IP address:This is the destination IP address from client TCP/UDP packet.2 3567 3.3.1 4586.SLB ( Server Load Balancing) • Basic configration and operation Step4 L4 SLB monitor and operation 4.3.1 http -> 3567 3. as identified in the example below are described in the following.1. (2) Ingress port: This field shows the physical port# of the client traffic that entered to the switch. 3. If no packet is received within the value specified.1.2. (1)-(13).3. (4) Source port: This field identifies the TCP/UDP source port from client packet. For filtering redirect.

SLB (Server Load Balancing)
• Troubleshooting command Tip
 - link and Layer 2, 3 Issues
  check the LED
  check the cable
  check link negotiation ( /info/link , /cfg/port # /fast…. )
  check the port stats ( /stats/port # …. )
  check the FDB, ARP tables
   /info/l2/fdb/dump ( /info/fdb/dump )
   /info/l3/arp/dump ( /info/arp/dump )
  check the interface and gateway
   /info/l3/ip ( /info/ip )

SLB (Server Load Balancing)
• Troubleshooting command Tip
 - Layer 4 Issues
  Cannot connect VIP service port and ping VIP
   check the client, server process at the ports
   check the realserver health checking ( /info/slb/du )
  Cannot connect realserver IP service port
   check the Direct Access Mode (DAM) configuration ( /cfg/slb/adv/dire )

SLB (Server Load Balancing)
• Troubleshooting command Tip
 - Layer 4 Issues
  Load Balancing state ( /stats/slb/gr # , /stats/slb/virt # )
  Realserver operation disable ( /oper/slb/dis <realserver number> )
  Switch slb configuration ( /cfg/slb/cu ….. )

SLB (Server Load Balancing)
• Troubleshooting command Tip
 Alteon technical support files ( /maint/tsdump ……scripts)

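Security acceleration
• Firewall load balancing design using application switches
• What is security acceleration?
 – Combining application switches with the security systems already in place to provide an efficient, highly available security service
• Security acceleration applications
 – Firewall load balancing
 – Virtual Private Network (VPN) load balancing
 – Intrusion Detection System (IDS) load balancing
 – Viruswall load balancing
• Advantages
 – Non-stop service by removing single points of failure
 – Service expansion using existing platforms and resources
 – High-performance service by using several security devices arranged in parallel
[Diagram: Internal Network, Application Switch, Firewall, Application Switch, Internet]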

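FWLB (Firewall Load Balancing)
1. The redirection filter on the “Dirty” side separates incoming traffic into per-session streams.
2. The streams are delivered to the individual firewalls.
3. Traffic with the same IP Source / Destination combination is always sent through the same firewall, so that one firewall can monitor the whole stream within a session.
4. Streams permitted by the firewall are delivered to the application switch on the “Clean” side.
5. The “Clean” side switch performs server load balancing.
6. The server's response is delivered to the client through the same process.
[Diagram: Internet; “Dirty” Side of Network; Application Switch (Firewall Load Balancing); firewalls; Application Switch (Server Load Balancing); “Clean” Side of Network; internal network]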
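Why the firewall choice has to depend on the source/destination combination rather than on the source alone, as an added example (not from the original slides and not Alteon's algorithm). It assumes the dirty-side switch picks the firewall for the request and the clean-side switch picks it for the reply; the XOR combination, the function names and the flow list are constructed for the illustration.

```python
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def by_source_only(src, dst, n_firewalls):
    """Source-IP hash as used for server load balancing."""
    return _ip(src) % n_firewalls


def by_src_dst_pair(src, dst, n_firewalls):
    """Hash on the source/destination combination (XOR is an assumption).

    XOR gives the same value when src and dst are swapped, so the reply
    selects the same firewall as the request.
    """
    return (_ip(src) ^ _ip(dst)) % n_firewalls


def split_flows(flows, n_firewalls, select):
    """Flows whose request and reply would cross different firewalls."""
    split = []
    for client, server in flows:
        forward = select(client, server, n_firewalls)  # dirty-side switch
        reverse = select(server, client, n_firewalls)  # clean-side switch
        if forward != reverse:
            split.append((client, server, forward, reverse))
    return split


def firewall_load(flows, n_firewalls, select):
    """Number of flows each firewall receives in the forward direction."""
    load = [0] * n_firewalls
    for client, server in flows:
        load[select(client, server, n_firewalls)] += 1
    return load


# Constructed sample flows: eight clients talking to one server.
FLOWS = [(f"198.51.100.{i}", "203.0.113.10") for i in range(1, 9)]

if __name__ == "__main__":
    print(len(split_flows(FLOWS, 2, by_source_only)), "flows split (source only)")
    print(len(split_flows(FLOWS, 2, by_src_dst_pair)), "flows split (src/dst pair)")
    print(firewall_load(FLOWS, 2, by_src_dst_pair))
```

A stateful firewall that sees only one direction of a flow cannot track the session, which is the failure the split count exposes.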

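VPN Load Balancing
• Because of the security characteristics of VPN devices, traffic entering and leaving the internal network must always be configured to use the same VPN device.
 – The application switch remembers in its session table which VPN device a session came in through.
 – The session table ensures that the same VPN device always handles the traffic of a given session between an internal user and an external user.
• VPN Load Balancing through application switches
 – Guarantees the scalability of the VPN service
 – Easy management of clients and remote devices
  • Accessed through a single IP as if it were one VPN device, and load balanced across multiple VPN devices
 – External switch: maintains persistency of IKE (UDP 500) and IPSEC sessions
 – Internal switch: selects the appropriate VPN device for sessions created internally
[Diagram: Branch Offices With VPN; Internet; Application Switch; VPN Servers; Application Switch; Internal Network with DNS, LDAP]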

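IDS Load Balancing
 – An intrusion detection system (IDS) is essential to a security service, but in practice most have very low performance.
 – IDS load balancing is a service that distributes the load across multiple IDSs to improve performance.
  • Improves IDS scalability
  • Improves IDS availability
 – The application switch remembers the session of frames delivered to an IDS, so it always sends the frames to the same IDS.
* IDS = Intrusion Detection System
[Diagram: Internet, Application Switch, IDS Servers, Application Switch, Secured Servers]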

168.100.168.0/24 Firewall #1 Firewall #2 192.168.255.FWLB (Firewall Load Balancing) • Basic configration and operation(Bride firewall Mode) Step1 L2.255.255.1/24 IF 10 : 192.168.0/24 192.0 (enter) add 192.Set IP address of switch /cfg/ip/if 1 (enter) mask 255.2.168.255.Connect switch Enter password : admin (default) IF 20 : 192.10.168.10.2/24 192.168.0 (enter) add 192.L3.1/24 .1.168.168.1.1 (enter) en (enter) // enalbe 192.255.168.1/24 2.1.1 (enter) en (enter) // enalbe /cfg/ip/if 20 (enter) mask 255.1 (enter) en (enter) // enalbe /cfg/ip/if 10 (enter) mask 255.0 (enter) add 192.255.1..1/24 1.168.2.system configration(up) IF 1: 192.2/24 192.2.2.

FWLB (Firewall Load Balancing)
• Basic configuration and operation (Bridge firewall Mode)
Step1 L2, L3 system configuration (up)
3. STP OFF
 /cfg/stp/off
4. Vlan config
 /cfg/ip/if 1/vlan 1
 /cfg/ip/if 10/vlan 10
 /cfg/ip/if 20/vlan 20
 /cfg/vlan 10/en/add 2
 /cfg/vlan 20/en/add 3
[Diagram: the two application switches (ports 1, 2, 3) with Firewall #1 and Firewall #2 between them, and their /24 interface addresses]

1/24 1. Realserver and group /cfg/slb/real 1/rip 192. SLB On /cfg/slb/on 192.168.2.168.2/en /cfg/slb/gr 1/add 1/add 2 Firewall #1 Firewall #2 /cfg/slb/gr 1/health icmp /cfg/slb/gr 1/metric hash 192.2.2.1.168.168.1/24 2.2/24 Real server 1 192.168.FWLB (Firewall Load Balancing) • Basic configration and operation(Bride firewall Mode) Step2 L4 configration(up) 192.168..2/24 Real server 2 1 192.10.1.1.1/24 2 3 .168.2/en /cfg/slb/real 2/rip 192.

1/24 3.168. Allow Filter config /cfg/slb/fil 10/en/dip 192.2.0 /cfg/slb/fil 30/en/dip 192.255.168.0 /dmask 255.255.0 Firewall #1 Firewall #2 4.2/24 Real server 1 192.168.0 /cfg/slb/fil 20/en/dip 192.255.255.1.2.168.168.0 /dmask 255.10.0 /dmask 255.10.1/24 .168.168.1..255.2.Redir Filter config /cfg/slb/fil 100/en/ac re/gr 1 192.1/24 2 3 192.FWLB (Firewall Load Balancing) • Basic configration and operation(Bride firewall Mode) Step2 L4 configration(up) 192.1.255.168.2/24 Real server 2 /cfg/slb/port 1/filter en/ /cfg/slb/port 1/add 10/add 20/add 30 /add 100 1 192.

2(enter) en (enter) // enalbe /cfg/ip/if 20 (enter) mask 255..168.2 (enter) en (enter) // enalbe 192.10.1.Set IP address of switch /cfg/ip/if 1 (enter) mask 255.168.1/24 192.1/24 .1/24 1.FWLB (Firewall Load Balancing) • Basic configration and operation(Bride firewall Mode) Step1 L2.100.255.255.1 (enter) en (enter) // enalbe /cfg/ip/if 10 (enter) mask 255.1.0/24 Firewall #1 Firewall #2 192.168.2.255.168.0/24 IF 10 : 192.2/24 IF 20 : 192.100.2.0 (enter) add 192.0 (enter) add 192.2.255.255.168.2/24 IF 1 :192.255.system configration(down) 192.0 (enter) add 192.168.2.Connect switch Enter password : admin (default) 2.1/24 192.168.168.168.1.1.168.L3.168.

FWLB (Firewall Load Balancing)
• Basic configuration and operation (Bridge firewall Mode)
Step1 L2, L3 system configuration (down)
3. STP OFF
 /cfg/stp/off
4. Vlan config
 /cfg/ip/if 1/vlan 1
 /cfg/ip/if 10/vlan 10
 /cfg/ip/if 20/vlan 20
 /cfg/vlan 10/en/add 2
 /cfg/vlan 20/en/add 3
[Diagram: the two application switches (ports 1, 2, 3) with Firewall #1 and Firewall #2 between them, and their /24 interface addresses]

168.168.2.2.100.1.168. Realserver and group /cfg/slb/real 1/rip 192.168.168.1/24 2.2/24 2 192.168. SLB On /cfg/slb/on Real server 2 192.2..1/24 1.1.2/24 3 1 192.FWLB (Firewall Load Balancing) • Basic configration and operation(Bride firewall Mode) Step2 L4 configration(down) Real server 1 192.1/en /cfg/slb/gr 1/add 1/add 2 Firewall #1 Firewall #2 /cfg/slb/gr 1/health icmp /cfg/slb/gr 1/metric hash 192.168.1/en /cfg/slb/real 2/rip 192.1/24 .1.

168.0 /dmask 255.168.255.100.168.Redir Filter config /cfg/slb/fil 100/en/ac re/gr 1 192.255.168.1/24 Real server 2 192.255.2.2.1/24 /cfg/slb/fil 10/en/dip 192.168.255.2/24 3 1 192.0 Firewall #1 Firewall #2 4.168.168.168.1.2.2/24 /cfg/slb/port 1/filter en/ /cfg/slb/port 1/add 10/add 20/add 30 /add 100 2 192..0 /cfg/slb/fil 30/en/dip 192.1.255.0 /dmask 255.0 /dmask 255.1/24 .0 /cfg/slb/fil 20/en/dip 192.FWLB (Firewall Load Balancing) • Basic configration and operation(Bride firewall Mode) Step2 L4 configration(down) 3. Allow Filter config Real server 1 192.255.1.10.