Transparent Cache Switching Using Brocade ServerIron and Blue Coat ProxySG


This document provides best-practice guidance for Brocade ServerIron ADC deployments using Transparent Cache Switching (TCS) with Blue Coat ProxySG.

CONTENTS

Introduction ... 3
Overview ... 4
  Prerequisites ... 4
  Components ... 5
  Traffic Flow ... 5
  Proxy Flow ... 5
  Client Spoofing ... 6
  Asymmetric Routing ... 6
Important Considerations ... 7
  Don't Proxy Twice ... 7
  Balancing Cache Distribution ... 7
  Trunking Protocol ... 7
Appendix: ServerIron Configurations ... 8
  SI-1
  SI-2

Transparent Cache Switching using Brocade ServerIron and Blue Coat Proxy SG 2 of 18

INTRODUCTION

Brocade ServerIron switches can transparently redirect Internet traffic to one or more caching servers for client or server acceleration. Transparent Cache Switching (TCS) allows network administrators to quickly deploy caches anywhere in the network with no modification to end-user browsers or other software. Blue Coat ProxySG provides a scalable proxy platform architecture to protect and accelerate the delivery of business applications.

Brocade ServerIron switches offer enterprises and service providers a highly resilient server load balancing switch, available in both stackable and high-port-density, chassis-based solutions. The ServerIron's transparent cache switching capability improves Internet response time and reduces WAN operating costs by redirecting Web traffic destined for remote Internet hosts to a group of local cache servers. ServerIron switches can redirect content requests for either forward or reverse cache installations, providing the industry's most powerful content-aware cache switching to enable intelligent content networks that route traffic based on content rather than just IP addresses.

ServerIron TCS, standard on all ServerIron switches, includes the following features:

- Intelligent load balancing of caches to eliminate content duplication, increase the cache-hit ratio, and improve Internet response time
- Accelerated delivery of dynamic content and optimized cache utilization by automatically bypassing the caches for dynamic content
- Content-based rules that determine what content should be cached
- Organization of caches into logical groups that serve different content, to provide differentiated service offerings to content providers

The Blue Coat ProxySG family of appliances delivers a scalable proxy platform architecture to protect Web traffic and accelerate the delivery of business applications. ProxySG is built on SGOS, a custom, object-based operating system that enables flexible policy control over content, users, applications, and protocols.

With Blue Coat ProxySG appliances, you can:

- Manage various proxy requirements across a distributed enterprise
- Protect internal users and networks from spyware and other attacks
- Significantly reduce bandwidth with leading compression, byte caching, and object caching technologies
- Accelerate application performance for files, , Web, SSL, and rich media applications

OVERVIEW

As shown in the example in Figure 1, an active-active pair of Brocade ServerIron ADCs is used to load balance traffic to be cached and inspected by Blue Coat ProxySG and ProxyAV devices. Incoming client traffic from Spirent Avalanche test equipment is directed to a shared VRRP address owned by the ServerIrons, which load balance those sessions to the Blue Coat SG devices. Redundant switches are used between the ServerIrons and the Blue Coat devices. The last feature of this configuration is the ability to handle traffic routed asymmetrically to other sites.

[Figure 1 (diagram not reproduced): Avalanche client and Avalanche server, firewalls, two Brocade ServerIron 350 switches with their port connections, and the Blue Coat ProxySG and ProxyAV (AV810-B) devices]
Figure 1. Using an HA pair of ServerIrons with Blue Coat ProxySG and ProxyAV appliances

Prerequisites

The following prerequisites are required to deploy this solution:

- Working knowledge of Web caching
- Working knowledge of Transparent Cache Switching
- Experience with basic networking and troubleshooting
- Experience installing and configuring the Brocade ServerIron ADC
- Working knowledge of the Brocade ServerIron command-line interface (CLI)

Components

The following components are used in this solution:

- Brocade ServerIron 350 switch
- Blue Coat SG 810 Proxy Servers

NOTE: The firewall is not specified because, for testing purposes, it was configured in transparent mode to allow all traffic to pass through.

Traffic Flow

The test diagram in Figure 2 shows the connectivity implemented in the test bed. The firewalls are not shown in the test diagram.

Figure 2. Testing connectivity

Proxy Flow

This solution relies on a policy route on the external router to direct client HTTP traffic to an address shared by the ServerIron switches running VRRP-Extended. The traffic is distributed to the ProxySG farm based on a hash of the destination address and the last octet of the client address. This hash combination was used to ensure a wider spread of the limited number of streams in use for testing. In real-world applications, a hash of the destination network address alone would minimize duplicate caching of the same content on multiple ProxySG devices.

Once traffic reaches a ProxySG, the TCP connection is terminated, the HTTP request is evaluated, and a new connection carrying the HTTP request is originated from the ProxySG to the destination server. This second connection has the ProxySG's own address as its source address, which ensures that the return packets are forwarded to the same proxy. Once the proxy receives the return packets from the destination server, the content is evaluated by the ProxySG and forwarded to the client over the connection between the client and the proxy.

Client Spoofing

In cases where the client IP address must be preserved when it reaches the server, the ProxySG must be configured to reflect the client IP address. Additionally, the ServerIron must be set to support client spoofing. This ServerIron feature allows it to create a session table entry for the connection from the proxy to the destination server, even though the source IP address of that connection is the client's. This ensures that the return packet from the server is directed back to the correct proxy.

To support situations in which the client address is preserved when it is sent to the server, the router on the left side of the figure must have a policy route forcing the traffic returning from the server to the ServerIron shared address. Otherwise the return packets are routed directly back to the client, creating TCP errors on the proxy.

Asymmetric Routing

Where there are multiple proxy sites between a large network and the Internet and the client address is preserved on packets sent to the destination server, the return packets could be routed back to the wrong site, that is, to a proxy site other than the one that processed the connection to the server, as shown in Figure 3. ProxySG devices can cluster with each other to forward misrouted packets back to the original site. In such cases, the ServerIron must know which address ranges are associated with the client-spoofed traffic in order to forward that traffic to the local ProxySGs configured for this purpose. In Figure 3, the ProxySG at Site 2 uses a GRE (Generic Routing Encapsulation) tunnel to forward return packets back to Site 1, so that the connection can be proxied by the same device from start to finish.

[Figure 3 (diagram not reproduced): connectivity between Site 1, Site 2 and Site 3]
Figure 3. Site connectivity
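The following Python model, added here and not part of the Brocade document, walks the three packets of one client-spoofed request through a simplified ServerIron session table. It reproduces the two failure modes the Client Spoofing section describes: without spoof-support the switch holds no session entry for the proxy's client-addressed connection, so the server's reply is plainly routed to the client; and without the router's policy route the reply never reaches the switch at all. The assumption that the switch identifies a proxy-originated packet by the port it arrives on (the `ingress` field), the `TcsSwitch` and `simulate` names, and all addresses and ports are constructed for this example.

```python
"""Model of the ServerIron session table with and without client spoofing support.

Added example, not Brocade code. Assumption not stated in the document: the switch
recognises a proxy-originated packet by the port it arrives on (the `ingress` field).
Addresses, ports and the proxy name are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str   # "client-side", "server-side", or the name of the proxy that sent it


class TcsSwitch:
    """Minimal TCS session table: HTTP from the client side is redirected to the proxy;
    return traffic is delivered to whichever proxy owns the matching session."""

    def __init__(self, spoof_proxy: str = "SG1", spoof_support: bool = True):
        self.spoof_proxy = spoof_proxy
        self.spoof_support = spoof_support
        self.sessions = {}   # (src, dst, sport, dport) of the forward direction -> proxy

    def forward(self, pkt: Packet) -> str:
        """Return the next hop the switch chooses for pkt."""
        forward_key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse_key = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if reverse_key in self.sessions:
            return self.sessions[reverse_key]          # reply belongs to a proxied flow
        if pkt.ingress == "client-side" and pkt.dport == 80:
            self.sessions[forward_key] = self.spoof_proxy   # cache policy: redirect HTTP
            return self.spoof_proxy
        if pkt.ingress == self.spoof_proxy and pkt.dport == 80:
            if self.spoof_support:
                # spoof-support: record the proxy's client-addressed connection so the
                # server's reply can be matched even though src is the client's address
                self.sessions[forward_key] = self.spoof_proxy
            return "server-side"
        return f"routed:{pkt.dst}"   # no session and no policy match: plain routing


def simulate(spoof_support: bool = True, policy_route: bool = True) -> list:
    """Hops chosen for the three packets of one proxied, client-spoofed request."""
    switch = TcsSwitch("SG1", spoof_support)
    client, server = "192.0.2.10", "203.0.113.5"     # constructed addresses
    hops = []
    # 1. the client's SYN arrives from the client side and is redirected to the proxy
    hops.append(switch.forward(Packet(client, server, 40001, 80, "client-side")))
    # 2. the proxy opens its own connection, reflecting the client's IP as source
    hops.append(switch.forward(Packet(client, server, 50001, 80, "SG1")))
    # 3. the server's SYN-ACK: only the router's policy route brings it back through the switch
    reply = Packet(server, client, 80, 50001, "server-side")
    if policy_route:
        hops.append(switch.forward(reply))
    else:
        hops.append(f"routed:{client} (reply bypassed the ServerIron)")
    return hops


def proxy_sees_reply(hops: list) -> bool:
    """True when the last hop delivers the server's reply to the proxy that owns the flow."""
    return hops[-1] == "SG1"


if __name__ == "__main__":
    print("spoof-support + policy route:", simulate())
    print("no spoof-support:            ", simulate(spoof_support=False))
    print("no policy route:             ", simulate(policy_route=False))
```

Only the first run ends with the reply at SG1; in the other two the proxy never sees the server's SYN-ACK, which is the TCP error on the proxy that the section warns about.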

IMPORTANT CONSIDERATIONS

Don't Proxy Twice

For initial testing, the ProxySG devices were connected directly to the ServerIron switches with a cross-connect trunk between the ServerIron switches. However, when the cache policy is applied globally, the ServerIron attempts to proxy any traffic matching the cache policy. When proxying HTTP, this can mean that any client traffic, or even health checks, that goes from one ServerIron through the other to reach a ProxySG device becomes subject to the cache policy. Because the setup described in this document is essentially a one-armed configuration, the caching policy could not be configured locally instead of globally. To resolve this, switches were added between the ServerIron switches and the ProxySG devices.

Eliminating the cross-connect trunk was not the only step needed to avoid a potential double proxy. The VRRP (Virtual Router Redundancy Protocol) setup uses track ports to ensure that if the interfaces on one side of the primary ServerIron go down, traffic is not forwarded from ServerIron 2 to ServerIron 1 because ServerIron 1 is still the VRRP master on the proxy side. The ServerIron configuration used in this test set the VRRP master to priority 150 with a track priority of 30. That allows the primary ServerIron to continue forwarding traffic if only one of the two interfaces on the left side of the figure goes down. If both interfaces go down, ServerIron 2 becomes master for the VRRP instances on both sides.

The last step taken to avoid a double proxy of data was to give the LS switches the top bridge priorities (in 802.1w) on the right side of the figure. Had this step not been taken, failed links could have caused traffic to transit both ServerIron switches, which in turn would cause both to attempt to proxy the traffic.

Balancing Cache Distribution

During testing, a limited number of clients and servers were used in the test profile. To ensure that the traffic was widely distributed across the candidate caching devices, the hash mask was changed from the default to [mask value not preserved in this copy]. This caused the ServerIron to assign each destination server and each client host (actually, all hosts with the same last octet) its own hash value. Since all traffic with the same computed hash value is load balanced to the same cache server, this avoids having too few hash values, which would cause unequal load distribution.

When test runs are short and change frequently, it often makes sense to clear the hash buckets so that traffic can be distributed evenly. The ServerIron does not have a clear hash command, so the hash bucket mappings were cleared by changing the hash mask to a new value and then changing it back to the desired value, which allows a clean start from a traffic-distribution perspective.

Trunking Protocol

The generic firewall shown in Figure 1 supports aggregate interfaces, but it does not support 802.1d. As a result, LACP (Link Aggregation Control Protocol) aggregation does not work correctly: the trunk appears to be up, but traffic is seen on only one link. This may be due to error messages being sent back to a single host, but it was not fully diagnosed. The solution was to use the older trunk server syntax associated with the non-standard trunking supported by IronWare.
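The following Python model, added here and not Brocade code, makes the VRRP arithmetic of the "Don't Proxy Twice" section explicit. The numbers come from the appendix configurations: SI-1 owns both VRIDs at priority 150, each failed tracked port subtracts 30, and each VRID tracks the ports on the other side of the switch (vrid 1 on ve 100 tracks the proxy-side ports 2/5 and 3/5, vrid 2 on ve 10 tracks the ISG-side ports 2/3 and 3/3). Three things are assumptions of this model rather than statements of the document: SI-2's VRIDs, configured as plain `backup`, run at the VRRP default priority of 100; a VE whose member ports are all down cannot hold mastership; and SI-1 wins an exact priority tie. The `masters` and `effective_priority` names are mine.

```python
"""Model of the cross-tracked VRRP-Extended design (added example, not Brocade code).

Priorities and tracked ports follow the SI-1 / SI-2 appendix configurations.
Assumptions: SI-2 runs at the VRRP default priority 100; a VE whose member ports are
all down cannot be master; SI-1 breaks exact ties.
"""
from typing import Optional

TRACK_PRIORITY = 30
BASE_PRIORITY = {"SI-1": 150, "SI-2": 100}   # SI-2 value is the assumed VRRP default

# vrid 1 runs on ve 100 (To_ISGs, ports 2/3 and 3/3) and tracks the proxy-side ports;
# vrid 2 runs on ve 10 (To_SGs, ports 2/5 and 3/5) and tracks the ISG-side trunk ports.
VRIDS = {
    1: {"side": "ISG side",   "ve_ports": {"2/3", "3/3"}, "tracked": {"2/5", "3/5"}},
    2: {"side": "proxy side", "ve_ports": {"2/5", "3/5"}, "tracked": {"2/3", "3/3"}},
}


def effective_priority(base: int, tracked: set, down: set) -> int:
    """Each failed tracked port lowers the advertised priority by the track priority."""
    return base - TRACK_PRIORITY * len(tracked & down)


def master_for(vrid: int, down_ports: dict) -> Optional[str]:
    """Elect the master of one VRID.

    down_ports maps a node name to the set of that node's failed ports,
    for example {"SI-1": {"2/3"}}. Returns None when neither node can run the VRID.
    """
    spec = VRIDS[vrid]
    candidates = {}
    for node, base in BASE_PRIORITY.items():
        down = down_ports.get(node, set())
        if spec["ve_ports"] <= down:
            continue   # assumption: the VE is down when all its ports are down
        candidates[node] = effective_priority(base, spec["tracked"], down)
    if not candidates:
        return None
    # highest effective priority wins; SI-1 breaks ties (stand-in for the address tie-break)
    return max(candidates, key=lambda n: (candidates[n], n == "SI-1"))


def masters(down_ports: dict) -> dict:
    """Master of every VRID for one failure scenario."""
    return {vrid: master_for(vrid, down_ports) for vrid in VRIDS}


if __name__ == "__main__":
    scenarios = [
        ("no failures", {}),
        ("one ISG-side trunk on SI-1 down", {"SI-1": {"2/3"}}),
        ("both ISG-side trunks on SI-1 down", {"SI-1": {"2/3", "3/3"}}),
        ("both proxy-side links on SI-1 down", {"SI-1": {"2/5", "3/5"}}),
    ]
    for label, scenario in scenarios:
        print(f"{label:38s} -> {masters(scenario)}")
```

A single failed port leaves SI-1 at 120, still above SI-2's 100, so SI-1 keeps both VRIDs and no traffic crosses from SI-2 to SI-1; two failed ports on one side drop the cross-tracking VRID to 90 and take down the VE of the other VRID, so SI-2 becomes master on both sides at once, which is exactly the behaviour the section describes.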
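The following Python model, added here and not ServerIron code, illustrates the hashing discussed in the Proxy Flow section and in Balancing Cache Distribution above: the switch derives a hash value from the address bits the hash mask selects, and all flows with the same hash value go to the same cache. To keep the arithmetic checkable, the model uses the masked address pair itself as the hash value and assumes that a hash value seen for the first time is bound to the cache that currently owns the fewest hash values; both are simplifications I introduce, not Brocade's algorithm. The `HashCacheGroup` and `summarize` names, the twelve cache names (those of cache-group 1), the four servers and the twenty clients are constructed for the example.

```python
"""Model of hash-mask based cache selection (added example, not ServerIron code).

The hash value is modelled as the masked (client, destination) address pair, and an
unseen hash value is bound to the least-loaded cache; both are simplifications.
Caches, clients and servers are constructed.
"""
import ipaddress
from collections import Counter

# Constructed test bed: the 12 caches of cache-group 1, 4 origin servers, 20 clients.
CACHES = ["SG2", "SG3", "SG4", "SG5", "SG6", "SG7",
          "SG9", "SG10", "SG11", "SG12", "SG13", "SG14"]
SERVERS = [f"203.0.113.{i}" for i in range(10, 14)]
CLIENTS = [f"192.0.2.{i}" for i in range(1, 21)]
FLOWS = [(client, server) for client in CLIENTS for server in SERVERS]   # 80 flows


def masked(addr: str, mask: str) -> int:
    """Keep only the address bits selected by the dotted-quad mask."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))


class HashCacheGroup:
    """Cache group whose hash-value-to-cache bindings persist until a rehash."""

    def __init__(self, caches, src_mask, dst_mask):
        self.caches = list(caches)
        self.src_mask, self.dst_mask = src_mask, dst_mask
        self.bindings = {}   # hash value -> cache name (the "hash buckets")

    def hash_value(self, src, dst):
        return (masked(src, self.src_mask), masked(dst, self.dst_mask))

    def select(self, src, dst):
        """Cache that receives a flow; binds a new hash value to the least-loaded cache."""
        hv = self.hash_value(src, dst)
        if hv not in self.bindings:
            load = Counter(self.bindings.values())
            self.bindings[hv] = min(self.caches,
                                    key=lambda c: (load[c], self.caches.index(c)))
        return self.bindings[hv]

    def rehash(self):
        """Drop all bindings: what the document achieves by changing the mask and back."""
        self.bindings.clear()


def summarize(src_mask, dst_mask, flows=FLOWS, caches=CACHES):
    """Distribution statistics for one hash-mask choice over the constructed flows."""
    group = HashCacheGroup(caches, src_mask, dst_mask)
    per_cache = Counter(group.select(src, dst) for src, dst in flows)
    caches_per_server = {}
    for src, dst in flows:
        caches_per_server.setdefault(dst, set()).add(group.select(src, dst))
    return {
        "hash_values": len(group.bindings),
        "caches_used": len(per_cache),
        "max_flows_on_one_cache": max(per_cache.values()),
        "min_flows_on_one_cache": min(per_cache.values()),
        "max_caches_holding_one_server": max(len(s) for s in caches_per_server.values()),
    }


if __name__ == "__main__":
    for label, src_mask, dst_mask in [
        ("destination network only (/24)", "0.0.0.0", "255.255.255.0"),
        ("destination host only", "0.0.0.0", "255.255.255.255"),
        ("destination host + client last octet", "0.0.0.255", "255.255.255.255"),
    ]:
        print(f"{label:38s} {summarize(src_mask, dst_mask)}")
```

With the small test profile, hashing on the destination network alone yields a single hash value and one cache carries all 80 flows; hashing on the destination host uses four caches and keeps each server's content on exactly one cache; adding the client's last octet spreads the flows across all twelve caches at the cost of the same server's content being fetched through three different caches, which is the duplicate-caching trade-off the Proxy Flow section mentions.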

APPENDIX: SERVERIRON CONFIGURATIONS

There are two cache-groups in this configuration:

- One for handling traffic that is totally proxied by the ProxySG (that is, the source IP of the packet going to the Internet belongs to the ProxySG)
- One for handling situations in which the client IP address is preserved as requests are forwarded to the Internet (client spoofing)

ProxySG devices SG1 and SG8 were set aside for handling client spoofing and, subsequently, asymmetrically routed traffic. This technique of clustering ProxySG devices across sites is also known as IP reflection. The original intent was to create an active-standby pair from these two devices, using a shared address, SG-VIP. However, this was not actually tested, so cache-group 2 forwards traffic only to SG1. Access list 101 is used to filter the traffic that should go to cache-group 1, and access list 102 is reserved for cache-group 2.

SI-1

ver eTG4
module 1 bi-0-port-wsm7-management-module
module 2 bi-jc-16-port-gig-copper-module
module 3 bi-jc-16-port-gig-copper-module
global-stp
global-protocol-vlan
trunk server ethe 2/3 to 2/4
 port-name "To_ISG1" ethernet 2/3
trunk server ethe 3/3 to 3/4
 port-name "To_ISG2" ethernet 3/3
session sync-update
server active-active-port ethe 3/11 vlan-id 200
server force-cache-rehash
server port 80
 session-sync
 tcp
context default
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG-VIP
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-group 1
 hash-mask
 filter-acl 101
 cache-name SG2
 cache-name SG3
 cache-name SG4
 cache-name SG5
 cache-name SG6
 cache-name SG7
 cache-name SG9
 cache-name SG10
 cache-name SG11
 cache-name SG12
 cache-name SG13
 cache-name SG14
server cache-group 2
 hash-mask
 filter-acl 102
 cache-name SG1
 spoof-support
vlan 1 name DEFAULT-VLAN by port
vlan 10 by port
 untagged ethe 2/5 to 2/6 ethe 3/5 to 3/6
 router-interface ve 10
 spanning-tree 802-1w
 spanning-tree 802-1w priority 7000
vlan 100 by port
 untagged ethe 2/3 to 2/4 ethe 3/3 to 3/4
 router-interface ve 100
 spanning-tree 802-1w
 spanning-tree 802-1w priority 7000
vlan 200 by port
 untagged ethe 3/11
 static-mac-address 0012.f2a7.bd4a ethernet 3/11
vlan 99 by port
 untagged ethe 3/13
 router-interface ve 99
 spanning-tree 802-1w
 spanning-tree 802-1w priority 7000
default-mtu 9000
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode
enable telnet authentication
enable aaa console
hostname SI-1
ip acl-permit-udp-1024
ip l4-policy 1 cache tcp http global
ip route
no telnet server
username admin password ...
router vrrp-extended
snmp-server
snmp-server community ... ro
snmp-server host
no web-management http
web-management https
interface ethernet 2/3
 port-name To_ISG1
interface ethernet 2/5
 port-name To_LS-top
 link-aggregate configure key
 link-aggregate active
interface ethernet 2/6
 link-aggregate configure key
 link-aggregate active
interface ethernet 3/1
 port-name Mgmt
 ip address
interface ethernet 3/3
 port-name To_ISG2
interface ethernet 3/5
 port-name To_LS-bottom
 link-aggregate configure key
 link-aggregate active
interface ethernet 3/6
 link-aggregate configure key
 link-aggregate active
interface ethernet 3/13
interface ethernet 3/14
interface ethernet 3/15
interface ethernet 3/16
interface ve 10
 port-name To_SGs
 ip address
 ip vrrp-extended vrid 2
  backup priority 150
  ip-address
  track-port e 2/3 priority 30
  track-trunk-port e 2/3
  track-port e 3/3 priority 30
  track-trunk-port e 3/3
  enable
interface ve 99
 port-name To_ISG2
 ip address
 ip vrrp-extended vrid 3
  backup
  ip-address
  track-port e 2/5 priority 30
  track-port e 3/5 priority 30
interface ve 100
 port-name To_ISGs
 ip address
 ip vrrp-extended vrid 1
  backup priority 150
  ip-address
  track-port e 2/5 priority 30
  track-port e 3/5 priority 30
  enable
access-list 101 deny tcp any eq http
access-list 101 deny tcp any
access-list 101 permit tcp any any
access-list 102 permit tcp any eq http
access-list 102 permit tcp any eq ssl

SI-2

ver eTG4
module 1 bi-0-port-wsm7-management-module
module 2 bi-jc-16-port-gig-copper-module
module 3 bi-jc-16-port-gig-copper-module
global-stp
global-protocol-vlan
trunk server ethe 2/3 to 2/4
trunk server ethe 3/3 to 3/4
 port-name "To_ISG2" ethernet 3/3
session sync-update
server active-active-port ethe 3/11 vlan-id 200
server force-cache-rehash
server port 80
 session-sync
 tcp
context default
server cache-name SG-VIP
 url "HEAD /"
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-name SG
 url "HEAD /"
 l4-check-only
 l4-check-only
server cache-group 1
 hash-mask
 filter-acl 101
 cache-name SG2
 cache-name SG3
 cache-name SG4
 cache-name SG5
 cache-name SG6
 cache-name SG7
 cache-name SG9
 cache-name SG10
 cache-name SG11
 cache-name SG12
 cache-name SG13
 cache-name SG14
server cache-group 2
 filter-acl 102
 cache-name SG1
 spoof-support
vlan 1 name DEFAULT-VLAN by port
vlan 100 by port
 untagged ethe 2/3 to 2/4 ethe 3/3 to 3/4
 router-interface ve 100
 spanning-tree 802-1w
vlan 10 by port
 untagged ethe 2/5 to 2/10 ethe 3/5 to 3/10
 router-interface ve 10
 spanning-tree 802-1w
vlan 200 by port
 untagged ethe 3/11
 static-mac-address 0012.f2a7.fa4a ethernet 3/11
vlan 99 by port
 untagged ethe 3/13
 router-interface ve 99
 spanning-tree 802-1w
 spanning-tree 802-1w priority 7000
default-mtu 9000
aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode
enable telnet authentication
enable aaa console
hostname SI-2
ip acl-permit-udp-1024
ip l4-policy 1 cache tcp http global
ip route
no telnet server
username admin password ...
router vrrp-extended
snmp-server
snmp-server community ... ro
snmp-server host
no web-management http
web-management https
interface ethernet 2/5
 port-name To_LS-top
 link-aggregate configure key
 link-aggregate active
interface ethernet 2/6
 link-aggregate configure key
 link-aggregate active
interface ethernet 3/1
 port-name Mgmt
 ip address
interface ethernet 3/3
 port-name To_ISG2
interface ethernet 3/5
 port-name To_LS-bottom
 link-aggregate configure key
 link-aggregate active
interface ethernet 3/6
 link-aggregate configure key
 link-aggregate active
interface ethernet 3/13
interface ethernet 3/14
interface ethernet 3/15
interface ethernet 3/16
interface ve 10
 port-name To_SGs
 ip address
 ip vrrp-extended vrid 2
  backup
  ip-address
  track-port e 2/3 priority 30
  track-trunk-port e 2/3
  track-port e 3/3 priority 30
  track-trunk-port e 3/3
  enable
interface ve 99
 port-name To_ISG2
 ip address
 ip vrrp-extended vrid 3
  backup priority 150
  ip-address
  track-port e 2/5 priority 30
  track-port e 3/5 priority 30
interface ve 100
 port-name To_ISGs
 ip address
 ip vrrp-extended vrid 1
  backup
  ip-address
  track-port e 2/5 priority 30
  track-port e 3/5 priority 30
  enable
access-list 101 deny tcp any eq http
access-list 101 deny tcp any
access-list 101 permit tcp any any
access-list 102 permit tcp any eq http
access-list 102 permit tcp any eq ssl

2009 Brocade Communications Systems, Inc. All Rights Reserved. 02/09 GA-TB

Brocade, the B-wing symbol, BigIron, DCX, Fabric OS, FastIron, IronPoint, IronShield, IronView, IronWare, JetCore, NetIron, SecureIron, ServerIron, StorageX, and TurboIron are registered trademarks, and DCFM and SAN Health are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.