Application Delivery Networking

Similar documents
Outline VLAN. Inter-VLAN communication. Layer-3 Switches. Spanning Tree Protocol Recap

Availability Digest. Redundant Load Balancing for High Availability July 2013

Network Virtualization and Application Delivery Using Software Defined Networking

Internet Privacy Options

Understanding Slow Start

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Load Balancing and Sessions. C. Kopparapu, Load Balancing Servers, Firewalls and Caches. Wiley, 2002.

Chapter 5. Data Communication And Internet Technology

Single Pass Load Balancing with Session Persistence in IPv6 Network. C. J. (Charlie) Liu Network Operations Charter Communications

AppDirector Load balancing IBM Websphere and AppXcel

ExamPDF. Higher Quality,Better service!

How To Manage A Network On A Network With A Global Server (Networking)

FortiBalancer: Global Server Load Balancing WHITE PAPER

Network Configuration Settings

SonicOS Enhanced 4.0: NAT Load Balancing

APV9650. Application Delivery Controller

Data Center Network Topologies

SonicWALL NAT Load Balancing

Radware s AppDirector and Microsoft Windows Terminal Services 2008 Integration Guide

Radware s AppDirector and AppXcel An Application Delivery solution for applications developed over BEA s Weblogic

Proxy Server, Network Address Translator, Firewall. Proxy Server

LAN TCP/IP and DHCP Setup

Layer 4-7 Server Load Balancing. Security, High-Availability and Scalability of Web and Application Servers

Networking Issues For Big Data

Configuring Citrix NetScaler for IBM WebSphere Application Services

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

安 瑞 科 技 物 聯 網 對 應 用 交 付 器 (ADC) 的 需 求 及 應 用 實 例 徐 乃 丁 博 士 研 發 副 總 裁 / 技 術 長

TCP/IP Basis. OSI Model

Slide 1 Introduction cnds@napier 1 Lecture 6 (Network Layer)

Building a Highly Available and Scalable Web Farm

DMZ Network Visibility with Wireshark June 15, 2010

Network Security Part II: Standards

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

SiteCelerate white paper

Application Note. Lync 2010 deployment guide. Document version: v1.2 Last update: 12th December 2013 Lync server: 2010 ALOHA version: 5.

Cisco Application Networking for BEA WebLogic

Transport and Network Layer

IERG 4080 Building Scalable Internet-based Services

Load Balancing Microsoft Terminal Services. Deployment Guide

APV x600 Series. Application Delivery Controller APV1600, APV2600, APV4600, APV5600, APV6600, APV8600, APV9600

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Cisco ACE Application Control Engine: ACEBC Catalyst 6500 and 4710 Applicance Boot Camp

Global Server Load Balancing

Mobile IP Part I: IPv4

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

INTRODUCTION TO FIREWALL SECURITY

Content Switching Module for the Catalyst 6500 and Cisco 7600 Internet Router

Elfiq Link Load Balancer Frequently Asked Questions (FAQ)

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

Deployment Guide AX Series with Citrix XenApp 6.5

CSET 4750 Computer Networks and Data Communications (4 semester credit hours) CSET Required IT Required

CLE202 Introduction to ServerIron ADX Application Switching and Load Balancing

MULTI WAN TECHNICAL OVERVIEW

Cornerstones of Security

WAN Traffic Management with PowerLink Pro100

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

FAQs for Oracle iplanet Proxy Server 4.0

Cisco Application Networking for IBM WebSphere

OVERVIEW OF TYPICAL WINDOWS SERVER ROLES

Deployment Guide Microsoft Exchange 2013

Strategies for Getting Started with IPv6

Global Server Load Balancing

HOSTED VOICE Bring Your Own Bandwidth & Remote Worker. Install and Best Practices Guide

Network Security TCP/IP Refresher

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with Microsoft Windows Server 2008 R2 Remote Desktop Services

More than just Layer 2-7 Load Balancing Citrix NetScaler & CloudGateway

ENTERPRISE DATA CENTER CSS HARDWARE LOAD BALANCING POLICY

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

VMware vcloud Air Networking Guide

Multi-Homing Security Gateway

VPN Lesson 2: VPN Implementation. Summary

SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Centre Environments & SIIT-DC: Dual Translation Mode

Configuring Windows Server 2008 Network Infrastructure

Link Load Balancing :50:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Lecture 02b Cloud Computing II

Load Balancing Servers, Firewalls, and Caches

Deployment Guide MobileIron Sentry

High Availability HTTP/S. R.P. (Adi) Aditya Senior Network Architect

Networking TCP/IP routing and workload balancing

TESTING & INTEGRATION GROUP SOLUTION GUIDE

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

VXLAN: Scaling Data Center Capacity. White Paper

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

Stretched Active- Active Application Centric Infrastructure (ACI) Fabric

Chapter 3 LAN Configuration

Avoid Microsoft Lync Deployment Pitfalls with A10 Thunder ADC

Load Balancing Microsoft Remote Desktop Services. Deployment Guide

LinkProof And VPN Load Balancing

Server Load Balancing Configuration Guide Cisco IOS Release 12.2SX

Security Policy Revision Date: 23 April 2009

Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway

Transcription:

Application Delivery Networking. Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu These slides and audio/video recordings of this class lecture are at: 8-1

Overview 1. Application Delivery Controllers (ADCs) 2. Load Balancing Concepts and Modes 3. Network Address Translation (NAT) 4. Other ADCs 5. Virtual ADCs 8-2

Application Delivery in a Data Center Replication: Performance and Fault Tolerance If Load on S1 >0.5, send to S2 If link to US broken, send to UK Content-Based Partitioning: Video messages to S1 Accounting to S2 Users Middle Boxes Proxies Context Based Partitioning: ADCs Application Context: Different API calls Reads to S1, Writes to S2 User Context: If Windows Phone user, send to S1 If laptop user, send to HD, send to S2 Multi-Segment: User-ISP Proxy-Load Balancer-Firewall- 8-3 s Mobile Video Data Reads Data Writes Desktop Video

Application Delivery Controllers (ADCs) Networking Service: Tasks that apply to multiple applications, e.g., security, monitoring, acceleration, offload etc. Several applications can share a service ADC: Appliance that provide network services, e.g., load balancing, firewall, proxy, SSL offload, Load balancer is an example of ADC and also the basic component of most ADCs. Other ADCs: Firewalls, Reverse Proxies, SSL Offload, TCP Multiplexing, HTTP Compression 8-4

Load Balancing Concepts Load Balancer: Allows adding servers as needed. Cluster: A centrally managed set of servers working together on one application. Appear as one server. Farm: A set of independent servers. Ref: G. Santana, Datacenter Virtualization Fundamentals, Cisco Press, 2014, ISBN: 1587143240 8-5

Load Balancing Concepts (Cont) Probes: Synthetic requests sent by load balancer to see if a server and application is up. E.g., HTTP get request. Virtual IP (VIP): Client facing IP address of the load balancer Stickiness Table: Lists which server a client has been mapped to. Predictor: Load balancing rules, e.g., round-robin, least connections, hashing, least loaded Round-robin DNS load balancing does not know whether a server is down, overloaded, or appropriate for different types of application traffic (video, voice, data, ) 8-6

Load Balancing Concepts (Cont) Layer 4 Switching: L2-L4 fields are used to assign a server. can be assigned at TCP Syn. Layer 7 Switching: L5-L7 fields such as data type or application request type is used. Load balancer accepts all TCP connections but assigns servers only when the client sends an application request. Delayed Binding Symmetric Connection Management: Traffic in both direction passes through the load balancer. LB changes the source IP in the requests to server. Asymmetric Connection Management: Client-to- traffic passes through the load balancer. -to-client traffic goes directly. Good for video servers. Used rarely. 8-7

Load Balancing Using DNS Domain Name System (DNS) allows multiple IP addresses for a name On query, DNS returns a list of addresses. The order of entries is rotated on each subsequent query. For example, abc.com 1 st Time: 74.25.21.201, 74.25.21.202, 74.25.21.203 2 nd Time: 74.25.21.202, 74.25.21.203, 74.25.21.201 3 rd Time: 74.25.21.203, 74.25.21.201, 74.25.21.202 Rotating DNS is used for load balancing Problems: DNS does not know geo-location of servers DNS does not know whether a server is loaded DNS does not whether a server is up Adding or removing a server is too slow 8-8

Global Load Balancing (GSLB) Specialized DNS servers that keep track of server locations and states Good only for intra-company use. Not able to change caches at external servers. Load Balancer Load Balancer Load Balancer VIP1 VIP3 VIP3 Internet Probes Client 1 DNS Request GSLB DNS Request Client 3 DNS Response VIP1 DNS Response VIP2 8-9

Load Balancing Modes What changes are made to client requests so that the request is routed to the correct server? 1. Dual NAT (One-Arm mode) 2. NAT (Routed Mode) 3. Transparent Mode (Direct Routed Mode) Type Change Source IP Address? Change Source TCP Port? Dual NAT Y Y NAT N Y Transparent N N 8-10

Network Address Translation (NAT) 192.168.0.201 192.168.0.203 128.252.73.216 NAT Internet 192.168.0.204 192.168.0.205 Private IP addresses 192.168.x.x cannot be used on the public Internet NAT overwrites source addresses and port on all outgoing packets. Makes a note. Writes corresponding destination addresses and port on all incoming packets Only outgoing connections are possible 8-11

NAT Example 192.168.0.201 192.168.0.202 128.252.73.216 NAT Internet Outgoing Source Address Outgoing Source Port New Source Port 192.168.0.201 8001 3001 192.168.0.201 3002 3002 192.168.0.202 8001 3003 IP Dst: 74.125.224.210 Src: 192.168.0.201 TCP Dst: 80 Src: 8001 IP Dst: 74.125.224.210 Src: 128.252.73.216 TCP Dst: 80 Src: 3001 Public Address New Port # Source NAT Destination IP Dst: 192.168.0.201 Src: 74.125.224.210 IP Dst: 128.252.73.216 Src: 74.125.224.210 TCP Dst: 8001 Src: 80 TCP Dst: 3001 Src: 80 8-12

NAT64 and NAT46 NAT described so far is called NAT44 (both internal and external addresses are IPv4). A NAT allows internal addresses to be IPv6 even if the external Internet is still IPv4 and vice-versa. Will also need to encapsulate traffic. This allows organizations and/or carriers to transition to IPv6 now. IPv6 Intranet NAT64 IPv4 Internet Dual-Stack IPv4 Intranet NAT46 IPv6 Internet Dual-Stack Ref: http://en.wikipedia.org/wiki/nat64 8-13

Carrier Grade NAT Internet Addressing and Naming Authority (IANA) has recorded 100.64.0.0/10 as shared address range Like private address space but reserved for use by carriers Carriers can allocate an address from this range to their subscriber and then use a small number of public IPv4 or IPV6 addresses using a Carrier Grade NAT (CGNAT) Also known as NAT444, Large Scale NAT (LSN) These addresses can be used inside a carrier s own network but not on public internet. These addresses can be re-used inside other carrier s network Shared. Subscriber A s Home network 192.168.0.0/24 Subscriber B s Home network 192.168.0.0/24 NAT NAT 100.64.1.2 100.64.1.3 Router CGNAT 128.25.67.89 8-14

Dual NAT Also known as One Arm Mode Load balancer changes both source and destination addresses and destination port numbers on client requests. Like a regular NAT. sends the response to load balancer, Load balancer uses the port # to find the client address and forwards it to clients Client and servers can be on the same subnet. s can not see real client addresses. IP Dst: 74.125.224.210 Src: 128.252.73.216 TCP Dst: 80 Src: 8001 Load Balancer Client 74.125.224.210 128.252.73.216 192.168.0.2 IP Dst: 128.252.73.216 192.168.0.1 IP Dst: 192.168.0.1 Src: 74.125.224.210 Src: 192.168.0.2 TCP Dst: 8001 TCP Dst: 3001 192.168.0.4 Src: 80 Src: 80 Ref: P. Srisuresh and D. Gan, Load Sharing using IP NAT (LSNAT), RFC 2391, Aug 1998, http://tools.ietf.org/html/rfc2391 8-15 IP Dst: 192.168.0.2 Src: 192.168.0.1 TCP Dst: 80 Src: 3001 192.168.0.3

NAT Also known as Routed Mode Load balancer changes destination IP on client requests No changes to port numbers. sends the response directly to client Load balancer is made the default gateway. All server responses go through the load balancer Load balancer changes the source IP addresses on responses. Works only if clients and servers are on different subnets. s can see the real client addresses (Good for security). Client 128.252.73.216 IP Dst: 74.125.224.210 Src: 128.252.73.216 TCP Dst: 80 Src: 8001 IP Dst: 128.252.73.216 Src: 74.125.224.210 TCP Dst: 8001 Src: 80 Load Balancer 74.125.224.210 192.168.0.1 TCP Dst: 8001 Src: 80 8-16 IP Dst: 192.168.0.2 Src: 128.252.73.216 TCP Dst: 80 Src: 8001 IP Dst: 128.252.73.216 Src: 192.168.0.2 192.168.0.3 192.168.0.2 192.168.0.4

Transparent Mode Also known as Direct Routing Mode All servers are programmed to respond to the same Virtual IP adr but not respond to ARP for that VIP. They have different real IP adrs for other purposes and respond to ARP for that RIP. Load balancer is the sole layer 2 switch to server subnet. It does not changes anything at L3 or L4 Transparent It simply changes the MAC address and directs the frame to the selected server. Client 128.252.73.216 IP Dst: 74.125.224.210 Src: 128.252.73.216 TCP Dst: 80 Src: 8001 IP Dst: 128.252.73.216 Src: 74.125.224.210 TCP Dst: 8001 Src: 80 Load Balancer 8-17 IP TCP IP TCP Dst: 74.125.224.210 Src: 128.252.73.216 Dst: 80 Src: 8001 Dst: 128.252.73.216 Src: 74.125.224.210 Dst: 8001 Src: 80 74.125.224.210 74.125.224.210 74.125.224.210

Firewall Load Balancing They need to see real IP addresses of clients Transparent mode (balance via MAC addresses) Firewalls are stateful Return traffic through the same firewall Solution: Complementary hashing using return load balancer. LB1 hashes source IP and/or Port to select firewall instance LB2 hashes destination IP and/or Port to select firewall instance. This is also known as a Firewall Sandwich Client Firewall Client LB1 Firewall LB2 Client Firewall 8-18

Reverse Proxy Load Balancing Proxies used for security, caching, application acceleration Proxies are usually used for outgoing requests Reverse proxies are used for incoming requests Usually transparent mode is used Load balancing using predictors such as hashing or round robin Client Reverse Proxy Client Load Balancer Reverse Proxy Client Reverse Proxy 8-19

SSL Offload Secure Socket Layer (SSL) and Transport Layer Security (TLS) are used for secure connections, e.g., https:// Secure Application data is encrypted. Some load balancer provide SSL offload 1. SSL Termination: Client to LB is secure. LB to s is clear. LB can select servers based on application data. 2. SSL Initiation: Client to LB is clear. LB to servers is secure. Used when the client is local but the server is remote. Helps clients by SSL offload. Client LB One certificate can be used for all clients Save cost 3. End-to-end SSL: Client-to-LB, LB-to-servers both secure. Internal encryption can be simpler. One Certificate for all servers. 8-20

TCP Multiplexing ADC TCP connections require 3-way handshake, ack for segments, sliding window flow control, congestion control, and termination for each connection A ADC can be used to reduce the number of TCP connections. Also, helps reduce total latency since LB to server connection runs at high window levels. Client Client Client Multiple short-term TCP connections from clients TCP Multiplexing ADC 8-21 Single long-term TCP connection to server

HTTP Compression Most http responses are compressed to reduce bandwidth usage A load balancer can offer this service and relieve the servers This is just one example of numerous other application acceleration techniques 8-22

ADC Proliferation in Data Centers Application logic in servers Security (firewall, intrusion detection, SSL offload) in middle boxes Performance optimization (WAN optimizers, content caches) middleboxes Application-level policy routing (APR): Partitioning and replication Application s L2 Switches Application Level Gateways (ALG) & Content-Based Routers CBR) Load Balancers Application Firewalls Load Balancers Intrusion Detection and Prevention Systems Load Balancers SSL SSL SSL SSL SSL middleboxes Offloaders Load Balancers CBR ALG CBR ALG CBR ALG CBR ALG L2 Switches Data Center Public Internet 8-23

ADC Proliferation (Cont) Number of middleboxes (Application Delivery Controllers) is comparable to the number of routers Market size of optimization ADCs will grow from 1.5B in 2009 to $2.24B in 2013 Security appliances will grow from $1.5B in 2010 to $10B in 2016 Appliance Type Number Firewalls 166 NIDS 127 Conferencing/Media Gateways 110 Load Balancers 67 Proxy Caches 66 VPN devices 45 WAN optimizers 44 Voice Gateways 11 Middleboxes total 636 Routers ~ 900 Ref: Technavio, Global Application Delivery Controllers Market in Datacenters 2009-2013, March, 2010, http://www.technavio.com/content/global-application-delivery-controllersmarket-datacenters-2009-2013 Ref: Vyas Sekar, et. al., The Middlebox Manifesto: Enabling Innovation in Middlebox Deployments, ACM HotNets 2011. 8-24

Hardware Based vadcs: Virtual ADCs A single physical ADC presents multiple virtual contexts Each virtual ADC can be used by a different tenant or different application vadc 1 vadc 2 vadc n ADC Software Based vadcs: Inside or outside a physical server. Run on standard processors (padcs generally run on monolithic hardware) v v v Hypervisor vload Balancer 8-25

Combine in one ADC: Multi-Function ADCs Protocol optimization Location based DNS Load balancing Security Data compression 8-26

Summary 1. Application delivery involves partitioning an application based on server context, user context, application context 2. Load balancer was the first application delivery controller. Now ADCs are used for many common services such as firewalls, TCP multiplexing, proxy, etc. 3. Many different flavors of NAT are used by ADCs. 4. ADCs are becoming virtual and multi-function. 8-27

Reading List G. Santana, Datacenter Virtualization Fundamentals, Cisco Press, 2014, pp. 110-139, ISBN: 1587143240 (Safari Book) (Must Read) 8-28

Wikipedia Links http://en.wikipedia.org/wiki/address_resolution_protocol http://en.wikipedia.org/wiki/application_delivery_controller http://en.wikipedia.org/wiki/application_delivery_network http://en.wikipedia.org/wiki/carrier-grade_nat http://en.wikipedia.org/wiki/delayed_binding http://en.wikipedia.org/wiki/domain_name_system http://en.wikipedia.org/wiki/http_compression http://en.wikipedia.org/wiki/load_balancing_(computing) http://en.wikipedia.org/wiki/middlebox http://en.wikipedia.org/wiki/network_address_translation http://en.wikipedia.org/wiki/proxy_server http://en.wikipedia.org/wiki/reverse_proxy http://en.wikipedia.org/wiki/round-robin_dns http://en.wikipedia.org/wiki/secure_socket_layer http://en.wikipedia.org/wiki/ssl_acceleration http://en.wikipedia.org/wiki/virtual_ip_address 8-29

ADC ALG API APR ARP CBR CGNAT DNS GSLB HTTP IANA IP Acronyms Application Delivery Controller Application Level Gateways Application Programming Interface Application-level Policy Routing Address Resolution Protocol Content Based Router Carrier Grade Network Address Translation Domain Name System Global Service Load Balancer Hypertext Transfer Protocol Internet Addressing and Naming Authority Internet Protocol 8-30

Acronyms (Cont) IPv4 Internet Protocol version 4 IPv6 Internet Protocol version 6 ISP LB MAC NAT NAT44 NAT444 NAT46 NAT64 NIDS Internet Service Provider Load Balancing Media Access Control Network Address Translation NAT IPv4 private to IPv4 public NAT IPv4 private to IPv4 public via IPv4 Carrier NAT IPv4 private to IPv6 public NAT IPv6 private to IPv4 public Network Intrusion Detection Systems 8-31

Acronyms (Cont) padc RIP SSL TCP TLS vadcs VIP VPN v WAN Physical Application Delivery Controller Real IP Address Secure Socket Layer Transmission Control Protocol Transport Layer Security Virtual Application Delivery Controller Virtual IP address Virtual Private Network Virtual Wide Area Network 8-32

Quiz 8 1. Video messages going to one server group while accounting to another is an example of -based partitioning 2. Windows users being served by a different server group than iphone user is an example of -context based partitioning. 3. A centrally managed set of servers working together on one application is called server 4. are synthetic request sent by load balancer to see if a server is up. 5. Load balancing rules are called 6. Layer switching requires delayed binding. 7. One problem with load balancing using is that it does not know whether a server is up. 8. Global server load balancing is good mostly for use. 9. In a NAT64 system, the private network is and the public network is. 10. 100.64.0.0/10 has been allocated as address range. 8-34

Solution to Quiz 8 1. Video messages going to one server group while accounting to another is an example of *content*-based partitioning 2. Windows users being served by a different server group than iphone user is an example of *user*-context based partitioning. 3. A centrally managed set of servers working together on one application is called server *Cluster* 4. *Probes* are synthetic request sent by load balancer to see if a server is up. 5. Load balancing rules are called *Predictor* 6. Layer *7* switching requires delayed binding. 7. One problem with load balancing using *rotating DNS* is that it does not know whether a server is up. 8. Global server load balancing is good mostly for *intra-company* use. 9. In a NAT64 system, the private network is *IPv6* and the public network is *IPv4*. 10. 100.64.0.0/10 has been allocated as *shared* address range. 8-35

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information