
Cisco Application Control Engine

Pravin Wankhade
NCE GSP-GTP
April 2012

Agenda: Background (Load Balancers and ACE); Product Overview and Recent Releases; New Capabilities; Hardware; Modular Policy CLI; Virtualization; Role-Based Access Control; Security Features; Redundancy; Deployment
2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential


Background: Load Balancers and ACE

ACE is an Application Delivery Controller (ADC), the newer term for a Server Load Balancer (SLB). An LB/ADC distributes L4-L7 traffic flows to application servers. Server load balancing is critical to *any* scalable application deployment.

ACE (between the clients and the application server farm): distributes traffic flows; SSL offload; persistence (sticky); compression; virtualization; application/health checking.

GSS (Global Site Selector): data-center site selection; DNS load balancing; application keep-alive; Geo-DB intelligence.


ACE uses Nexus 7000 OTV functionality.
ACE uses virtual contexts to provide isolated load balancing to applications, up to 250 VCs per module.
ACE distributes traffic to VM server farms in UCS deployments.
ACE works with VMware vCenter for manageability and Dynamic Workload Scaling (DWS).

Globally connected datacenter (Datacenters A, B and C): ACE GSS steers client traffic flows to ACE VIPs; ACE distributes the client flows within each datacenter; ANM provisions, operates, monitors and shows end-to-end connectivity.

The ACE product family, including GSS, Module and Appliance, together with ANM management, provides critical Application Delivery Solutions in the Globally Connected Datacenter.

Figure: clients reach an application (service) endpoint A on a server across the network; the client has no knowledge or visibility of the underlying network.

Chart: business impact versus traffic and client load. With no load the application performs; as the load grows to high load, performance degrades and eventually the application fails.

SSL Offload & Health Monitoring

Figure: clients connect to a Virtual IP on ACE; ACE terminates SSL (S) and sends health probes to the servers (A) in the application server farm. The ADC scales and enhances the application.

Chart: with the ADC in place, application continuity and business continuity are maintained as traffic and client load grows from no load to high load.

Figure: multiple applications (services) A, B and C are virtualized by ACE in front of the clients, with vCenter integration on the server side.

Today: Application Control Engine, integrated Layer 4 and Layer 7 rules

Infrastructure simplification with L4-7 services integration; converged policy creation, management and troubleshooting; reduced latency (single TCP termination for all functions).

Therefore, we use the load balancer to enhance the application (a.k.a. service) along five dimensions: Scalability, Reliability, Security, Mobility (virtualization) and Manageability, and to distribute traffic to all those UCS servers and virtual machines.

Scalability: N + 1 server scaling; SNAT; compression; persistence
Reliability: health monitoring; failover (server farm); validation
Security: SSL offload; DDoS protection; SNAT
Mobility (virtualization): Virtual IP; virtual contexts (isolation); vCenter integration; OTV integration
Manageability: ANM unified view; KPI monitoring; role-based access control (operations and provisioning); vCenter plug-in; delegation; mobile application (iPhone/Android, etc.)
Result: Application ++

New ACE30 Module shipping (ACE30 module: 4-16 Gbps; ACE 4710 appliance: 0.5-4 Gbps)

App Service Delivery: integrates load balancing, server offload, compression, app optimization and app security
Centralized Management: configuration, operations and monitoring of ACE equipment and services
Virtualized Architecture: industry-leading virtualized Application Delivery Controller (ADC)
VMware Integrated: integration with vCenter provides streamlined VM and ACE provisioning and monitoring
Investment Protection: pay-as-you-grow licensing model; increase performance and scale without deploying new hardware
Operations Excellence: secure delegation of service and server tasks for ACE, CSS, CSM and GSS
Established Products: over 30K units deployed world-wide
IT Agility: granular role-based access control with user activity logging supports managing multi-tenant / multi-use deployments

Cisco ACE product family

Global Load Balancers: GSS appliance (ACE GSS, new software), 20K DNS RPS
Application Delivery Controllers:
  ACE Module: ACE30 (4-16 Gbps, new software); new 16G bundle; ACE30 system bundles; multi-module system bundles scaling to 64 Gbps
  ACE Appliance: ACE 4710 (0.5-4 Gbps)
Management & Provisioning: Application Networking Manager (ANM); ANM mobility application; ANM VMware plug-in (new software)

ACE Software A4.2.1 / A5.1.0 delivers: Dynamic Workload Scaling; dual-stack IPv4/IPv6; SLB64 gateway; HTTP/S support for IPv6; IPv6 certification; OCSP support
GSS Software v4.1 delivers: geo-location based GSLB; AAAA record support; IDN support; IPv6 support; DNSSEC ready
Application Networking Manager (ANM) v4/v5 delivers: application templates; ANM mobile app; ACE 5.1 IPv6 support; Web Services API; DWS support; vCenter integration; virtual ANM

ACE20 versus ACE30

Testing metric         ACE20           ACE30      Compare
L4 CPS                 325,000         500,000    +54%
SSL TPS                15,000          30,000     +100%
SSL bulk throughput    3.3 Gbps        6 Gbps     +82%
Compression            Not available   6 Gbps     ACE30 only (an additional 6 Gbps)

ACE30 only, not available on ACE20: higher performance; compression; IPv6 dual stack with translation; Nexus OTV integration with Dynamic Workload Scaling. ACE10 and ACE20 EOS February 2012; all roadmap now on ACE30.

HTTP Compression

Challenge: large amounts of client traffic sent over low-speed links (remote user on shared DSL, branch office on a 128k leased line, roaming user on 56k dial-up) result in slow performance and a poor user experience. Problem: big page + small pipe. ACE solution: small compressed page, small pipe.

Compression overview: reduces the amount of HTTP traffic sent between client and server; the ACE30 at the host site compresses/decompresses the traffic; clients leverage the compression support already present in existing web browsers.

Benefits: up to 90% reduction in the size of web objects; improved application response time; reduced bandwidth costs.

Inband Health Check

Challenge: slow detection of server outages results in lost transactions and delayed time to recovery. ACE monitors client connection setups across the Internet to the servers and detects a slow or failed server.

Overview: ACE proactively monitors TCP and UDP data to detect server failures. It is an internal tracking method on ACE that does not solicit information from the servers, and it should be combined with probes to meet server failure detection SLAs.

Benefits: detection moves from seconds (with probes) to milliseconds; unlike probes, monitoring has no impact on server performance; improves the recovery time for server outages.

IPv6 Overview

All IPv4 modes are supported in IPv6 (one-arm, routed, bridged, ASR). IPv6 -> IPv4 and IPv4 -> IPv6 translation modes. Solution delivery includes IPv6 on the ACE Module, Appliance, ANM and Global Site Selector. Compliance: USGv6 and IPv6 Ready Phase 2 Logo.

Figure: IPv4 and IPv6 clients are served by IPv4 and IPv6 server farms in one-arm, routed and bridged modes; the supported combinations are IPv4-to-IPv4, IPv6-to-IPv6 and, new, IPv6-to-IPv4 and IPv4-to-IPv6.

Dual stack: IPv4-to-IPv4 and IPv6-to-IPv6; HTTP and DNS inspection for native IPv6-to-IPv6 traffic.
Translation: SLB64 and SLB46 for all Layer 4 load balancing that does not need payload modification or pinholing; SLB64 and SLB46 also support L7 load balancing for the HTTP and SSL protocols; NAT64 and NAT46 for all TCP and UDP protocols that do not need payload modification or pinholing; no DNS64 or DNS46 support on ACE.
Mixed IPv4 and IPv6 rserver support; Duplicate Address Detection; Neighbor Discovery; ICMPv6.
IPv6 Ready Phase 2 Logo certification. Application awareness: HTTP, HTTPS and DNS.

Application Networking Manager: now featuring enhanced templates and DWS/OTV provisioning

New for Version 5:
Application templates: simple application deployment; user export and modify
IPv6 support: ACE Module, ACE Appliance, ACE Global Site Selector
ANM Mobile for mobile devices: native iPhone and Android mobile browser
API support for app deployment from templates: full provisioning via API; RBAC for the network and application sections of a template

Hardware

Parallel network-processor based hardware with separate control and data-path CPUs.

ACE20 module block diagram (summary of the figures)

Control plane: ACSW OS running on 2x 700 MHz MIPS CPUs with 1 GB memory; 100 Mbps supervisor connection (EOBC); 1 Gbps link into the CDE.
Classification Distribution Engine (CDE), a Cisco ASIC: 60 Gbps switching capacity; IPv4 and IPv6 classification; TCP checksum generation and verification; variable load distribution. Attached to the CEF720 line card (DBUS/RBUS 16 Gbps bus, 20 Gbps switch fabric) and to each network processor over 10 Gbps links, with 4 FIFO interlinks.
Data plane: two parallel network processors handle data processing, each with 16 micro engines (1.4 GHz), an XScale 700 MHz CPU, 1.5 GB RDRAM and 32 MB SRAM, 20B ops/s.
Daughter card expansion slots 1 and 2 (field upgradeable, 8 Gbps each): SSL/IPsec crypto chip, 40K RSA ops.

Modular Policy CLI


Modular Policy CLI (MPC) in ACE

The ACE CLI is based on C3PL (Cisco Common Class-based Policy Language), which provides a common CLI framework across security implementations in order to define a consistent CLI across platforms.
The CLI aims at seamless integration when configuring SLB, SSL and security features: there is no need to session in or enter a configuration sub-mode for the different features.
Traffic classification is the core functionality for all delivery and security features.

Features that can be configured via the Policy CLI can be grouped as follows:
Through-the-box traffic: security access-lists; server load balancing; protocol fix-ups and application inspection; NAT; TCP and IP normalization
To-the-box (management / control-plane) traffic: restrict access to protocols and/or hosts

1. Define match criteria
2. Associate actions to match criteria
3. Activate the classification-action rules on either an interface or globally

  class-map C1
    match <criteria>

  policy-map P1
    class C1
      <action>

  interface vlanX
    service-policy input P1

Management Traffic to ACE

Management class-map: matches the connections allowed for remote access
Management policy-map: carries the action for the management class
Interface service-policy: applied to any interface

Client Traffic through ACE at Layer 7

Traffic class-map: matches VIP connections, so only traffic destined to a VIP is allowed
Multi-match policy-map: ties the VIP class to a load-balancing policy map
Load-balancing policy-map: a class for URL1 (e.g. GET /example.html) mapped to one serverfarm of reals, a class for URL2 mapped to another, and a default class mapped to a serverfarm (Real1, Real2)
Interface service-policy: applied to any interface
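The three-step model (class-map, policy-map, service-policy), the management policy and the Layer 7 VIP policy from the slides above, together with the inband health check from the New Capabilities section, combined into one complete ACE configuration for a routed two-VLAN deployment. This is an added example written for this page, not configuration from the original deck: the VLAN numbers, addresses (10.10.20.0/24 client side, 10.10.30.0/24 server side, VIP 10.10.20.100, management subnet 10.10.99.0/24), object names and the /news URL split are all assumed, and lines beginning with `!` are explanatory comments rather than ACE commands.

```cisco
! Added example (not from the original deck). Assumed VLANs 20 (client) and
! 30 (server), assumed addresses 10.10.20.0/24, 10.10.30.0/24, VIP 10.10.20.100.

! --- Step 1: match criteria --------------------------------------------------
! To-the-box traffic: which management protocols ACE accepts, and from where.
class-map type management match-any REMOTE-MGMT
  match protocol ssh source-address 10.10.99.0 255.255.255.0
  match protocol https source-address 10.10.99.0 255.255.255.0
  match protocol icmp any

! Through-the-box traffic: only connections to the VIP are classified.
class-map match-all WEB-VIP
  match virtual-address 10.10.20.100 tcp eq www

! Layer 7 class: URL-based split between two serverfarms (regex match).
class-map type http loadbalance match-any NEWS-URLS
  match http url /news/.*

! --- Real servers, probe and serverfarms --------------------------------------
probe http HTTP-PROBE
  interval 5
  passdetect interval 10
  request method get url /health
  expect status 200 200

rserver host WEB1
  ip address 10.10.30.11
  inservice
rserver host WEB2
  ip address 10.10.30.12
  inservice
rserver host NEWS1
  ip address 10.10.30.21
  inservice

serverfarm host WEB-FARM
  probe HTTP-PROBE
  ! Inband health check: take a real out of rotation after 5 failed client
  ! connection setups and retry it after 300 s; the probe above still runs.
  inband-health check remove 5 reset 300
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

serverfarm host NEWS-FARM
  probe HTTP-PROBE
  rserver NEWS1 80
    inservice

! --- Step 2: actions ----------------------------------------------------------
policy-map type management first-match MGMT-POLICY
  class REMOTE-MGMT
    permit

policy-map type loadbalance first-match WEB-LB
  class NEWS-URLS
    serverfarm NEWS-FARM
  class class-default
    serverfarm WEB-FARM

policy-map multi-match CLIENT-VIPS
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy WEB-LB
    loadbalance vip icmp-reply active

! ACE denies everything through the box unless an interface ACL permits it:
! clients may reach only the VIP, nothing else behind ACE.
access-list CLIENT-IN line 10 extended permit tcp any host 10.10.20.100 eq www
access-list ANY-IN line 10 extended permit ip any any

! --- Step 3: activate on interfaces ------------------------------------------
interface vlan 20
  description client-side
  ip address 10.10.20.2 255.255.255.0
  alias 10.10.20.1 255.255.255.0
  peer ip address 10.10.20.3 255.255.255.0
  access-group input CLIENT-IN
  service-policy input MGMT-POLICY
  service-policy input CLIENT-VIPS
  no shutdown

interface vlan 30
  description server-side, servers default gateway is the alias 10.10.30.1
  ip address 10.10.30.2 255.255.255.0
  alias 10.10.30.1 255.255.255.0
  peer ip address 10.10.30.3 255.255.255.0
  access-group input ANY-IN
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.20.254
```

Two defaults this relies on: ACE drops every through-the-box packet that no interface ACL permits, and to-the-box management is closed until a management policy permits it, so CLIENT-IN, ANY-IN and MGMT-POLICY are not optional. The `match http url` argument is a regular expression, which is why the class uses `/news/.*` rather than `/news.*`; the latter would also send `/newsletter` to NEWS-FARM.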

Virtualization


Abstraction: physical elements are represented by an abstract entity (HSRP, VRRP; VIP, NAT)
Pooling: multiple physical entities appear as, and are treated as, one (link bundling / EtherChannel; TCP connection pooling)
Partitioning: a single physical entity is partitioned into multiple distinct entities (VLANs and VRFs: data-path only; FWSM virtual contexts: both data- and control-path)

Service Virtualization: System Separation

One physical device (100%) is divided into multiple virtual systems, each with a dedicated control and data path (e.g. 25% / 25% / 15% / 15% / 20%).

Cisco Application Services Virtualization     Traditional device
Distinct configuration files                   Single configuration file
Separate routing tables                         Single routing table
RBAC with contexts, roles, domains              Limited RBAC
Management and data resource control            Limited resource allocation
Independent application rule sets               Global administration and monitoring

Service Virtualization: Resource Control

Per-context control: guaranteed resource levels for each context, with support for over-subscription.
Guaranteed rates: bandwidth; data connections/sec; management connections/sec; SSL bandwidth; syslogs/sec
Guaranteed memory: access lists; regular expressions; data connections; management connections; SSL connections; xlates; sticky entries
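The per-context resource control described above, expressed as ACE configuration entered in the Admin context. This is an added example, not part of the original deck: the resource-class and context names, VLANs and percentages are assumed, and `!` lines are comments rather than ACE commands.

```cisco
! Added example (not from the original deck). Entered in the Admin context;
! names, VLANs and percentages are assumed.

! Guaranteed share for a critical application: 20% of every resource, capped at
! the guarantee (no borrowing from other contexts), except the sticky table,
! which is guaranteed 10% but may grow into unused capacity.
resource-class GOLD
  limit-resource all minimum 20.00 maximum equal-to-min
  limit-resource sticky minimum 10.00 maximum unlimited
  limit-resource rate bandwidth minimum 20.00 maximum equal-to-min
  limit-resource rate syslog minimum 5.00 maximum equal-to-min

! Test contexts get no guarantee and may over-subscribe whatever is left, so a
! runaway test cannot starve the production context above.
resource-class BEST-EFFORT
  limit-resource all minimum 0.00 maximum unlimited

context WEB-PROD
  description production web tier, isolated from other roll-outs
  allocate-interface vlan 20
  allocate-interface vlan 30
  member GOLD

context WEB-TEST
  description parallel test environment for the same policy set
  allocate-interface vlan 40
  allocate-interface vlan 50
  member BEST-EFFORT
```

The minimums guaranteed across all resource classes must not add up to more than 100% of a resource, which is what makes the guarantee meaningful; `show resource usage` in the Admin context shows, per context, what has been allocated against what is actually in use, and `changeto WEB-PROD` switches into the context for its own policy configuration.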

1. Isolate departments or customers: provide direct configuration access; reduce exposure of critical configuration components; provide consistent access across GUI, API and CLI; dedicated resources.
2. Isolate applications: guarantee resources to critical applications; isolate from the impact of other application roll-outs; central configuration file for managing policy change; reduced complexity of security/application rules; possibility of a parallel test environment with no impact on production.

Applications over Multiple Load Balancers (enterprise with a growing number of applications)

Before: each application (App A, App B, App C, App D) sits behind its own load balancer (LB 1, LB 2, ...) on the enterprise network.
After: two ACE devices host the same applications in virtual partitions (Apps C, D, E and F in virtual partitions 1-4 of one ACE; Apps A and B in virtual partitions 1-2 of the other).

Multi-tier Applications

Traditional: enterprise network -> front-end firewalls -> LB -> front-end servers -> LB -> application servers -> firewalls -> LB -> database servers.
With ACE: a single ACE provides application infrastructure control and application security, with an FE virtual partition (front-end servers), an APP virtual partition (application servers) and a DB virtual partition (database servers).

Data-Center Consolidation: multiple contexts (C1-C6) on a single ACE module serve the front-end networks and the web, application and database server tiers of several N-tier applications.

Role-Based Access Control


Fully integrated Role-Based Access Control. Four main levels of actions over categories of commands:
1. Create
2. Modify
3. Debug
4. Monitor
Roles are defined by specifying which actions can be performed on the sets of commands. Pre-defined roles are provided, and new roles can be created to adapt to different organization structures.

Default Roles in the System

Admin: access to all functions in the context/device
SLB-Admin: serverfarms, servers, health monitoring
Security-Admin: access control, inspection, AAA, NAT
Server-Maintenance: servers in/out of rotation, debug of SLB functions
Server-Application-Maintenance: servers, health monitoring, load-balancing rules
Network-Admin: interfaces, routing, NAT, TCP
Network-Monitor: access to all show commands only

Domains: control over user access to instances of objects; flexible multi-user maintenance operations. Example: Context 1 contains Domain A (VIP1, VIP2, reals R1-R3) and Domain B (VIP3, VIP4, reals R4-R6).

Contexts, Roles, Domains

The physical module hosts the Admin context, which holds the definitions of Context A and Context B, the resource allocation and the admin management configuration; the management station is authenticated through AAA. Within a context, roles (Admin, Network/Security, Server Admin, Monitor) are combined with domains: Domain1 (VIP1, VIP2, Farm1, Farm2) and Domain2 (VIP3, Farm3, Farm4, SSL cert1 and cert2).
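The contexts/roles/domains model above as an ACE configuration, entered inside one context: a custom role for an application team, a domain that scopes it to that team's objects, and the user that combines both. This is an added example, not configuration from the original deck; the role, domain, user and object names are assumed, the passwords are placeholders, and `!` lines are comments rather than ACE commands.

```cisco
! Added example (not from the original deck). Names are assumed; passwords are
! placeholders to be replaced.

! Custom role for an application team: may take reals in and out of rotation
! and change serverfarm and load-balancing rules, may debug SLB and watch
! everything, but gets no create/modify rights on interfaces, ACLs, NAT or AAA.
role APP-OPS
  rule 1 permit modify feature real-inservice
  rule 2 permit modify feature serverfarm
  rule 3 permit modify feature loadbalance
  rule 4 permit debug feature loadbalance
  rule 5 permit monitor

! Domain: the object instances this team may act on. Other tenants' VIPs,
! serverfarms and reals in the same context stay invisible to them.
domain APP-A
  add-object serverfarm WEB-FARM
  add-object serverfarm NEWS-FARM
  add-object rserver WEB1
  add-object rserver WEB2
  add-object rserver NEWS1
  add-object class-map WEB-VIP
  add-object policy-map WEB-LB
  add-object probe HTTP-PROBE

! Effective access is the intersection: APP-OPS actions on APP-A objects only.
username appops1 password 0 CHANGE-ME-1 role APP-OPS domain APP-A

! Read-only account using a predefined role over every object in the context.
username noc-view password 0 CHANGE-ME-2 role Network-Monitor domain default-domain
```

A user created without a domain lands in default-domain, which contains every object in the context; that is right for the Network-Monitor account and wrong for a tenant's operator, so always pair a tenant role with an explicit domain. Authentication for these accounts can still be handed to TACACS+/RADIUS through the context's AAA configuration, with the role and domain carried back as attributes.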

Security Features


TCP/IP normalization: built-in transport protocol security, user-configurable to meet security requirements.
Application protocol inspection: advanced HTTP inspection, RFC compliance, MIME type validation, prevention of tunneling protocols over HTTP ports.

IP header checks: always enabled and entirely performed in hardware. The following packets are dropped:
1. src IP == dest IP
2. src IP or dest IP == 127.x.x.x
3. dest IP >= 240.0.0.0
4. src IP == 0.x.x.x
5. src IP >= 224.0.0.0
Exception: src IP == 0.0.0.0 with dest IP == 255.255.255.255 is allowed, for DHCP requests.

TCP Standard Header Checks

Always performed:
I. src port and dest port != 0
II. only a SYN packet is allowed to create a connection
III. TCP header >= 20 bytes
IV. TCP header <= ip->length - ip->header_length
V. urg flag cleared if urg_pointer is zero
VI. if the urg flag is not present, urg_pointer is cleared
VII. illegal flag combinations dropped (SYN|RST etc.)
Also always on: TCP option processing, TCP state tracking, TCP window checking.

Configurable:
I. reserved bits: allow / clear / drop
II. urg flag: allow / clear / drop
III. syn-data: allow / drop
IV. exceed-mss: allow / drop
V. random-seq-num-disable (random sequence numbers are user-configurable)

Protocol-Specific Inspection supported for:
FTP, strict FTP, RTSP, ICMP, DNS: performed on the NP CPU
HTTP/S: performed on the NP micro engines
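The configurable normalization knobs and the HTTP inspection checks from the slides above, applied to one VIP. This is an added example, not configuration from the original deck: the parameter-map, class-map and policy names are assumed, the VIP class WEB-VIP and the multi-match policy CLIENT-VIPS are assumed to exist already (as in the Modular Policy CLI section), and `!` lines are comments rather than ACE commands. The always-on IP and TCP header checks listed above need no configuration; the `inspect http` action itself provides the RFC compliance checking, and the class-map adds the port-misuse and MIME-type rules.

```cisco
! Added example (not from the original deck). Names are assumed; WEB-VIP and
! CLIENT-VIPS are assumed to exist.

! Configurable TCP normalization for client connections to the VIP. Each line
! is one of the five configurable checks from the slide, plus option handling.
parameter-map type connection TCP-STRICT
  reserved-bits clear
  urgent-flag clear
  syn-data drop
  exceed-mss drop
  tcp-options selective-ack allow
  tcp-options timestamp allow
  tcp-options window-scale allow
  set tcp mss min 536 max 1460
  set timeout inactivity 300
  ! Sequence-number randomization is left on (the default); adding
  ! "random-seq-num-disable" here would switch it off.

! HTTP inspection: reset connections that misuse port 80 for tunneling, P2P or
! IM, or whose body does not match the declared Content-Type (MIME validation).
class-map type http inspect match-any HTTP-MISUSE
  match port-misuse tunneling
  match port-misuse p2p
  match port-misuse im
  match content-type-verification

! Inspection policies are all-match: every matching class acts; anything not
! caught by HTTP-MISUSE is permitted (and has passed the RFC checks).
policy-map type inspect http all-match HTTP-INSPECT
  class HTTP-MISUSE
    reset
  class class-default
    permit

! Attach both to the VIP class of the multi-match policy on the client VLAN.
policy-map multi-match CLIENT-VIPS
  class WEB-VIP
    connection advanced-options TCP-STRICT
    inspect http policy HTTP-INSPECT
```

The order in which these take effect is the datapath's, not the configuration's: the interface ACL runs first, then the connection parameters (normalization) when the connection is created, then load balancing, then inspection on the data, as listed under feature lookup order in the MPC appendix. Dropping SYN-with-data and over-MSS segments is safe for ordinary browsers and servers; clearing reserved bits and the urgent flag is the conservative choice when nothing behind the VIP uses them.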

Redundancy


Redundancy groups (Fault Tolerance, FT groups) are configured based on virtual contexts. Two instances of the same context (on two distinct ACE modules) form a redundancy group, one being active and the other standby. The peer ACE can be in the same or a different Catalyst 6k chassis. Both ACE modules can be active at the same time, processing traffic for distinct contexts and backing each other up (stateful redundancy).

Example: 2 ACE modules, 4 FT groups, 4 virtual contexts (A, B, C, D), connected by an FT VLAN:
FT group 1: context A active on ACE-1, standby on ACE-2
FT group 2: context B active on ACE-1, standby on ACE-2
FT group 3: context C active on ACE-2, standby on ACE-1
FT group 4: context D active on ACE-2, standby on ACE-1

There is a designated VLAN (FT VLAN) between the ACE pair. All redundancy-related traffic is sent over this VLAN:
1. TRP protocol packets
2. Heartbeats
3. Configuration sync packets
4. State replication packets

Bulk sync: the entire configuration is transferred in bulk from the active to the standby; HA is in the Active/Standby_config state during bulk sync.
Incremental sync: a line-by-line sync of configuration as it is being configured on the active; HA is in the Active/Standby_hot state during incremental sync.

Failover tracking:
HSRP: the supervisor notifies ACE of all state changes for the HSRP group
Interface: the supervisor sends UP and DOWN events to ACE
Host: multiple probes may be configured, each with a priority; the individual probe priorities provide granular control of ACE failover
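The FT VLAN, peer, groups and tracking from the slides above as configuration for one of the two modules (the peer gets the mirror image with the addresses and priorities swapped). This is an added example, not configuration from the original deck: VLAN 100 as the FT VLAN, the addresses, priorities, context and probe names are assumed, `!` lines are comments rather than ACE commands, and HSRP tracking (`ft track hsrp`, keyed on the HSRP group name configured on the supervisor) follows the same pattern as the two tracks shown but is left out.

```cisco
! Added example (not from the original deck). Entered in the Admin context of
! ACE-1; ACE-2 uses the mirrored addresses and priorities. All names assumed.

! Dedicated FT VLAN between the two modules. Heartbeats, configuration sync and
! state replication all travel here, so keep it off any production VLAN.
ft interface vlan 100
  ip address 10.100.0.1 255.255.255.0
  peer ip address 10.100.0.2 255.255.255.0
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 100

! FT group 1: context A, this module preferred active (higher priority).
ft group 1
  peer 1
  priority 150
  peer priority 50
  associate-context CTX-A
  inservice

! FT group 3: context C, the peer preferred active, so both modules carry
! traffic (active/active per context, each the stateful backup of the other).
ft group 3
  peer 1
  priority 50
  peer priority 150
  associate-context CTX-C
  inservice

! Tracking is configured inside the context it protects (here CTX-A). The
! track priority is subtracted from the FT group priority on failure; 110 is
! chosen so that 150 - 110 = 40 falls below the peer's 50 and forces failover.
changeto CTX-A
ft track interface CLIENT-VLAN
  track-interface vlan 20
  peer track-interface vlan 20
  priority 110
  peer priority 110

! Host tracking: when the summed priority of failed probes reaches the track
! priority, the group priority is reduced by it (assumed reading of the
! probe-priority semantics; check the release's Administration Guide).
ft track host UPSTREAM-APP
  track-host 10.10.30.11
  peer track-host 10.10.30.11
  probe HTTP-PROBE priority 60
  peer probe HTTP-PROBE priority 60
  priority 110
  peer priority 110
```

Two checks worth making after this is in place: `show ft group detail` should report one side ACTIVE and the other STANDBY_HOT for each group (STANDBY_COLD or STANDBY_CONFIG means the configuration sync has not completed and a failover would lose state), and a deliberate `no inservice` on the tracked VLAN should move only the groups whose priority drops below the peer's, which is the active/active behaviour the slide describes.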

Deployments


Enterprise campus topology: core, aggregation with L4-7 services (ACE), L2 or L3 access, with web/front-end servers, application servers, database and mainframe.

Routed mode: client VLAN and server VLANs are on different IP subnets. Servers' default gateway is the ACE alias IP. All data VLANs and the FT VLAN are carried over port-channels (data port-channel and FT control port-channel) between the two Catalyst chassis (MSFCs); each Cisco Catalyst has redundant physical links to each access switch; serverfarms can span multiple access switches; management access to servers requires an access-list.

Bridged mode: pairs of one client and one server VLAN on the same subnet (a BVI is used to merge the two VLANs), with a limit of two VLANs in the same subnet. Servers' default gateway is the MSFC (or other router) HSRP virtual address. All data VLANs and the FT VLAN are carried over port-channels (data port-channel and FT control port-channel); each Cisco Catalyst has redundant physical links to each access switch; serverfarms can span multiple access switches; management access to servers requires an access-list.

One-arm mode: a single VLAN on ACE. Servers' default gateway is the MSFC HSRP IP. All data VLANs and the FT VLAN are carried over port-channels (data port-channel and FT control port-channel); each Cisco Catalyst has redundant physical links to each access switch; serverfarms can span multiple access switches; management access to servers bypasses ACE.
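The bridged and one-arm deployment modes above, as the interface-level configuration that distinguishes them from the routed mode shown in the Modular Policy CLI section. This is an added example, not configuration from the original deck: the VLANs, addresses and names are assumed, the ACL ANY-IN, the VIP class WEB-VIP, the multi-match policy CLIENT-VIPS and the serverfarm WEB-FARM are assumed to exist already, `!` lines are comments rather than ACE commands, and the two modes are shown side by side for comparison (a real context would use one per VLAN pair).

```cisco
! Added example (not from the original deck). VLANs, addresses and names are
! assumed; ANY-IN, WEB-VIP, CLIENT-VIPS and WEB-FARM are assumed to exist.

! --- Bridged mode: client VLAN 20 and server VLAN 30 share one subnet and are
! joined by a bridge group; ACE itself is addressed on the BVI, the servers keep
! the MSFC HSRP address as gateway, and return traffic still crosses ACE
! because it is bridged between the two VLANs.
interface vlan 20
  description client side, bridged
  bridge-group 1
  access-group input ANY-IN
  service-policy input CLIENT-VIPS
  no shutdown

interface vlan 30
  description server side, bridged
  bridge-group 1
  access-group input ANY-IN
  no shutdown

interface bvi 1
  ip address 10.10.20.2 255.255.255.0
  alias 10.10.20.1 255.255.255.0
  peer ip address 10.10.20.3 255.255.255.0
  no shutdown

! --- One-arm mode: a single VLAN, gateway on the MSFC. Without source NAT the
! server would answer the client directly and ACE would never see the return
! half of the connection, so the client address is translated to an
! ACE-owned address from a PAT pool on the same VLAN.
interface vlan 40
  description one-arm
  ip address 10.10.40.2 255.255.255.0
  alias 10.10.40.1 255.255.255.0
  peer ip address 10.10.40.3 255.255.255.0
  nat-pool 1 10.10.40.100 10.10.40.100 netmask 255.255.255.255 pat
  access-group input ANY-IN
  service-policy input ONE-ARM-VIPS
  no shutdown

! Servers now see 10.10.40.100 as the client; carry the real client address
! in an HTTP header for the application's logs and access decisions.
policy-map type loadbalance first-match ONE-ARM-LB
  class class-default
    serverfarm WEB-FARM
    insert-http X-Forwarded-For header-value "%is"

policy-map multi-match ONE-ARM-VIPS
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy ONE-ARM-LB
    nat dynamic 1 vlan 40
```

The security difference between the modes is where server management traffic goes: in bridged (and routed) mode it passes through ACE and is subject to the interface ACL, in one-arm mode it bypasses ACE entirely, so the servers' own host firewalls or the MSFC ACLs have to provide that control. The X-Forwarded-For header is only trustworthy if the servers accept it solely from ACE's address, since a client can send the same header itself.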

Virtual contexts can be mapped to VRFs on the MSFC (e.g. VRF A, VRF B) or directly to external routers. VRF-aware Route Health Injection adds/removes routes to/from the MSFC main routing table as well as the VRF routing tables.

Further Assistance
Cisco ACE Family Webpage: www.cisco.com/go/ace/
Cisco ACE Applications: http://www.cisco.com/go/optimizemyapp
Cisco Validated Designs: http://www.cisco.com/go/cvd
Cisco Design Zone: http://www.cisco.com/go/srnd
Doc Wiki: http://docwiki.cisco.com/wiki/ACE
PDI Helpdesk: www.cisco.com/go/pdihelpdesk

Further Assistance (internal only)
PDI Helpdesk: www.cisco.com/go/pdihelpdesk/
DCAS KB: dcaskb/
DCAS CEC Page: wwwin.cisco.com/dss/adbu/dcas/
DCAS Cisco.com Page: www.cisco.com/go/ace/
cs-ans-dc@cisco.com

Thank you.


Appendix: ACE30 module block diagram (summary of the figure)

Control plane: ACSW OS running on 2x 700 MHz MIPS CPUs with 1 GB memory; 100 Mbps and 1 Gbps supervisor connections; attached to the CEF720 line card (DBUS/RBUS 16 Gbps bus, EOBC, 20 Gbps switch fabric).
Classification Distribution Engine (CDE), a Cisco ASIC: 60 Gbps switching capacity; IPv4 and IPv6 classification; TCP checksum generation/verification; variable load distribution; 16 Gbps towards the fabric and 8 Gbps links to each daughter card.
Data plane: four network processors (NP1-NP4), two per daughter card, each a Cavium Octeon CN5860 (OcteonPlus) with 16 cores at 600 MHz, 4 GB DRAM (shared memory within a daughter card), 32 KB I-cache, 16 KB D-cache, 2 MB L2 cache, on-chip support for encryption/decryption and coprocessors for compression/decompression; each daughter card carries a Verni FPGA.

Figure: ACE30 data path. Control plane (ACSW OS) with 100M supervisor connection; CDE switch (60 Gbps) with 16G to the switch fabric interface and 8G/1G links to daughter card 1 (NP1, NP2) and daughter card 2.

Figure: clients -> FED cluster (front-end, active/standby, enhanced HA) -> BED cluster (back-end, scaling L7 services) -> servers. L7 services can scale until the L4 capacity is met.

Modular Policy CLI (Detailed)

Class-maps are used to classify interesting L3-4/L7 traffic. They contain a set of match statements specifying the match criteria. Class-maps are typed based on the protocol and the actions being performed for a given traffic classification. They support both logical AND (match-all, the default) and logical OR (match-any) semantics. Notion of class-default: a well-known class-map that matches any traffic if none of the user-specified class-maps in a policy-map match. Every match statement has a line number, which allows easy deletion/modification of a particular match statement.

A class-map can reference an existing class-map of the same type using the match class-map statement. This is supported only for L7 class-maps, up to 2 levels of nesting, and is used to build more complex logical expressions, i.e. easy combination of AND and OR statements:

  class-map type http loadbalance match-any C1
    match http url /news
    match http url /sport

  class-map type http loadbalance match-all C2
    match http header User-Agent header-value FireFox
    match class-map C1

Policy-maps are typed per action/feature, and exist for both L3-4 and L7 actions. The L7 policy-maps are child policies within an L3-4 policy-map and cannot be applied to an interface. Execution semantics vary as dictated by the specific feature. If none of the classifications specified in the policy-map match, the default actions specified against class-default are executed. Inline match statements are supported for ease of use, but only for L7 match statements. Class-map ordering within a policy-map is flexible.

  [no] policy-map type <main-type> <sub-type> {first-match|all-match|multi-match} <policy-name>
    [no] class <cmap-name>
      action1
    [no] class class-default
      default-action

  policy-map type loadbalance first-match SLB-POLICY
    class C1
      serverfarm SF1
    class C2
      serverfarm SF2
    class class-default
      serverfarm BACKUP

first-match: the class-action pairs within the policy-map are looked up sequentially and the actions listed against the first matching class-map are executed, so the order of class-maps within the policy-map matters. E.g. policy-maps of type loadbalance, management and ftp.
all-match: an attempt is made to match the traffic against all classes in the policy-map and the actions of all matching classes are executed. E.g. policy-map of type inspect http.
multi-match: the policy-map supports multiple feature actions and each feature by itself can have only one match (first match); the policy as a whole has multiple matches because of the multiple features.

Inline match statements are supported for ease of use, especially if only a single match criterion needs to be specified. They are currently allowed only for L7 policy-maps. An action can be specified against only a single match statement in the policy; to specify actions against more than one match statement, use a class-map:

  class-map type http loadbalance match-any TEST
    match http header User-Agent header-value *IE*
    match http url *jpg*

  policy-map type loadbalance first-match TESTPOLICY
    match M1 http url /finance          (inline match command)
      serverfarm farm1
    class TEST                          (pre-defined class-map)
      serverfarm farm2

Policies are activated on an interface or globally using the service-policy command:

  service-policy [input | output] <policy-name>

The policy-map can be enabled in the input direction, the output direction, or both. Policy-maps applied globally in a context are internally applied on all interfaces existing in the context.

There can be many features applied on a given interface, so feature lookup ordering is important. The feature lookup order followed by the ACE datapath is:
1) Access control (permit or deny a packet)
2) Management traffic
3) TCP normalization / connection parameters
4) Server load balancing
5) Fix-ups / application inspection
6) Source NAT
7) Destination NAT
The policy lookup order is implicit, irrespective of the order in which the user configures the policies on the interface.