Voice over IP- Session Initiation Protocol (SIP) Load Balancing in the IBM BladeCenter




Solution Brief

Load Balance Voice Over IP SIP traffic in your BladeCenter economically and efficiently with the Layer 2-7 Gigabit Ethernet Switch modules from BLADE Network Technologies.

Introduction

The convergence of voice and data applications over the IP network means that time- and latency-sensitive applications for voice and video have become dependent on the services of traditional IP networks to carry their traffic. Networks must be robust and provide uninterrupted service for these applications. The quality, reliability, and thus the reputation of applications such as Voice over IP and video conferencing depend largely on whether the IP networks they run on can provide prioritized service, low latency and high availability to ensure a quality experience. Connections that fail or are rerouted to another server, either in the same or in another network, must be handled transparently with no discernible impact to the user.

Session Initiation Protocol (SIP) is the protocol that provides the framework for applications such as IP telephony (Voice over IP) and Instant Messaging. This brief examines how SIP traffic can be managed for optimal connectivity, persistence, high availability, and security through use of a Layer 2-7 switching technology in the IBM BladeCenter. SIP application servers resident on BladeCenter server blades can realize optimal performance from the load balancing, high availability, global server load balancing, and security features available in a Layer 2-7 blade switch.

Requirements

Flexible and Upgradeable Infrastructure

The cumulative spending forecast for networking equipment, software and professional services for IP-based telecommunications technology is expected to reach nearly $13 Billion from 2006 to 2010. [i] Deployments of voice over IP solutions are ideally matched to blade server environments. Blade server systems are the fastest growing segment of the server market by form factor [ii] and their flexibility allows for rapid upgrades of equipment and software using off the shelf technology. An open blade server architecture as found in the IBM BladeCenter enables commercial off the shelf products to be installed onto a blade server easily and without code modifications.

Application Load balancing at layer 4-7

Any server, regardless of its form factor or application, is limited in the number of concurrent connections and sessions it can handle at any given time. Servers must operate at their optimal capacity, and traffic must be load balanced among multiple servers for ideal network performance. Individual SIP servers have limited scalability. In order to maximize scalability and availability, application servers should be load balanced and client to server sessions should be maintained.

Load balancing is achieved by assigning the servers a virtual IP address. Client requests to real servers are intercepted by the application switch's virtual IP address, and load balancing metrics assigned on the switch determine how traffic is to be distributed. When a new session is established, the switch directs client traffic to a server based on server availability and routes new sessions to a server. A mathematical hashing function within the load balancing metric, combined with a session entry in a session table, ensures that subsequent sessions from the same client are routed to the same server.

Session Persistence

Session persistence increases efficiency of server responses. When repeated requests from the same client are sent to the same server, information stored in the server's short-term cache memory can be accessed with much greater efficiency than if a server has to send those requests out to cache servers located elsewhere on the network. For example, SIP server queries to the home subscriber server (HSS) can be cached in local server memory. By providing client persistence to the same server, the BNT Layer 2-7 GbESM increases the efficiency of SIP server response.

VOIP Application Performance

For systems running VOIP applications, incoming calls must be distributed so that the blade servers do not become overloaded. An imbalance of overloaded and underloaded servers results in dropped calls, jittery voice quality, or service interruptions. VOIP applications must remain available to users during periods of peak call volume. Incoming calls must be redirected if a server reaches peak capacity, if a link fails, or if a server has been attacked. VOIP applications are also extremely time-sensitive: VOIP traffic must be guaranteed high priority using Quality of Service in order to minimize latency and maintain call quality.

Session Initiation Protocol

Typically most VOIP sessions are initiated through the Session Initiation Protocol (SIP), which is an application-level control protocol for Internet multimedia conferencing, telephony, event notification and instant messaging. Defined in RFC 3261 by the Internet Engineering Task Force (IETF), SIP initiates call setup, routing, authentication and other feature messages to endpoints within an IP domain.

SIP performs the following functions:

- locate users (callers and called parties)
- determine user capability (what type of protocol (TCP, UDP) and other capabilities the user can support)
- determine user availability
- determine call setup (how to create the call)
- determine call handling (how to keep the call up and how to bring the call down)

The Solution

BNT Layer 2-7 Gigabit Ethernet Switch Module for IBM BladeCenter

The BNT Layer 2-7 Gigabit Ethernet Switch Module (GbESM) for IBM BladeCenter is a high performance application switch that performs at wire speed at Layer 2 through Layer 7, delivers more than 60% better Layer 4 session performance than using an external Layer 4-7 switch, and offers a 60% price-performance advantage over a blade server with integrated Layer 2 and external Layer 3-7 switching. [iii]

The BNT Layer 2-7 GbESM inserts into networking bays within the IBM BladeCenter chassis. Capable of handling 28,000 SIP session setups and teardowns per second, the BNT Layer 2-7 GbESM is an ideal candidate for small and medium sized businesses (SMB) wishing to implement VOIP in IBM BladeCenter. Each switch is capable of up to 36 Gbps of full-duplex bandwidth, and can handle up to 150,000 concurrent SIP sessions. [iv]

SIP Load Balancing

Cost-effective SIP load balancing of SIP proxy servers in the IBM BladeCenter can be achieved using BNT Layer 2-7 GbESM switch modules. Compatible with IBM BladeCenter, BladeCenter T, BladeCenter H or BladeCenter HT, the BNT Layer 2-7 GbESM is an excellent alternative to more expensive external load balancers or other NAT devices.

Session Initiation Protocol (SIP) load balancing on the BNT Layer 2-7 GbESM can function with any SIP server that uses shared or clustered databases to share signaling data for registration and invites. [v] A pair of Layer 2-7 GbESMs per chassis can provide high availability and perform application-intelligent switching for up to 64 virtual servers and up to 256 virtual services including SIP.

Stateful Inspection

The BNT Layer 2-7 GbESM performs stateful inspection of SIP messages to scan and hash calls based on a SIP Call-ID header destined for a SIP server. Stateful inspection means that a packet is inspected not only for its source and destination information found in the header, but also for packet contents found at Layer 7 (the application layer). Once the switch has identified the Call-ID, which identifies a specific SIP session, it sends future messages with the same Call-ID to the same SIP server.

UDP-based Load Balancing

Voice protocols use both control (RTP/RTCP) and signaling (SIP) channels for each call. Voice content is carried over RTP/RTCP, which runs on dynamically generated UDP port numbers.

Session Persistence

Once a SIP session has been established between the client and SIP server, the BNT Layer 2-7 GbESM will maintain a persistent session so that the call originating from the same client IP address will always go to the server with the established session. As noted above, session persistence is established from the first client-to-server connection by means of the mathematical hash in the load balancing metric. This hashing function determines which server should receive the connection, and then records an entry in the GbESM's session table. Subsequent requests from this client bypass the load balancing metric as the switch directs the connection to the server recorded in the session table.

SIP Health Checks

The BNT Layer 2-7 GbESM can perform a SIP-specific application health check on real servers based on SIP requests and responses. Some of the responses that the SIP health check monitors are shown in the table below:

SIP Response Message Type    Description
1xx                          Information Responses, for example: 180, Ringing
2xx                          Successful Responses, for example: 200, OK
3xx                          Redirection Responses, for example: 302, Moved Temporarily
4xx                          Request Failure Responses, for example: 403, Forbidden
5xx                          Server Failure Responses, for example: 504, Gateway Time-out
6xx                          Global Failure Responses, for example: 600, Busy Everywhere

For SIP register health checks, the BNT Layer 2-7 GbESM sends a SIP REGISTER request to the configured server(s). The switch looks for server response message type "1xx", "2xx", "3xx" or "4xx" to determine if the server is UP. If the switch receives a response message type "2xx", "3xx" or "4xx", the server(s) are declared as UP. If the switch receives a type "5xx" or "6xx" response, the switch will declare the server(s) as DOWN. If after 3 register requests the switch does not receive any response back from the server(s), the switch will mark the server(s) as DOWN.

Network Address Translation

Network Address Translation is an Internet standard implemented on the BNT Layer 2-7 GbESM, which maps external IP addresses outside the network to hidden internal IP addresses. The BNT Layer 2-7 GbESM performs deep packet inspection and changes the private addresses of Media Portal Servers in the SDP/RTP packet to the advertised public address to avoid one-way speech problems.
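The Call-ID persistence and REGISTER health-check rules from the Stateful Inspection, Session Persistence and SIP Health Checks sections above, as an added Python example that is not code from BLADE Network Technologies or the switch firmware. The class names, the use of SHA-256 as the hash, the bounded session table, the treatment of 1xx as "no state change" and the sample messages are all assumptions made for illustration.

```python
import hashlib
from collections import OrderedDict

def call_id(message: bytes) -> str:
    """Extract the Call-ID of a SIP message; 'i' is the RFC 3261 compact form."""
    head = message.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("call-id", "i"):
            return value.strip()
    raise ValueError("SIP message has no Call-ID header")

class RealServer:
    def __init__(self, name: str):
        self.name, self.up, self.unanswered = name, True, 0

    def record_probe(self, status):
        """Apply the REGISTER health-check rule; status=None means no response."""
        if status is None:
            self.unanswered += 1
            if self.unanswered >= 3:  # assumption: three consecutive misses
                self.up = False
            return
        self.unanswered = 0
        cls = status // 100
        if cls in (2, 3, 4):      # the server answered: UP
            self.up = True
        elif cls in (5, 6):       # server or global failure: DOWN
            self.up = False
        # 1xx: assumption, a provisional answer leaves the state unchanged

class SipBalancer:
    def __init__(self, servers, max_sessions=1024):  # hypothetical cap
        self.servers = list(servers)
        self.max_sessions = max_sessions
        self.sessions = OrderedDict()  # Call-ID -> RealServer

    def route(self, message: bytes) -> str:
        cid = call_id(message)
        server = self.sessions.get(cid)
        if server is None or not server.up:
            # New call, or its pinned server went DOWN: run the hash metric
            live = [s for s in self.servers if s.up]
            if not live:
                raise RuntimeError("no real server is UP")
            digest = hashlib.sha256(cid.encode()).digest()
            server = live[int.from_bytes(digest[:8], "big") % len(live)]
        self.sessions[cid] = server
        self.sessions.move_to_end(cid)
        # Call-ID is chosen by the client, so the table must be bounded;
        # evict the least recently used entries first.
        while len(self.sessions) > self.max_sessions:
            self.sessions.popitem(last=False)
        return server.name

# Constructed sample messages (not captured traffic).
INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
          b"From: <sip:alice@example.com>;tag=1928301774\r\n"
          b"To: <sip:bob@example.com>\r\n"
          b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
          b"CSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n")
BYE = (b"BYE sip:bob@example.com SIP/2.0\r\n"
       b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKnashds10\r\n"
       b"i: a84b4c76e66710@192.0.2.10\r\n"
       b"CSeq: 314160 BYE\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    lb = SipBalancer([RealServer("sip1"), RealServer("sip2"), RealServer("sip3")])
    print("INVITE ->", lb.route(INVITE))
    print("BYE    ->", lb.route(BYE))  # same Call-ID, same server
```

Because the Call-ID is supplied by the caller, the hash input and the session table size are both under a remote party's influence; the bounded table here is one way to keep that state from growing without limit.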

Traffic Prioritization

The Layer 2-7 GbESM software includes rate limiting based on Quality of Service access control lists (IP ACLs or MAC ACLs), class maps, and policy maps which guarantee highest priority for SIP traffic and minimize dropped packets.

High Availability

In addition to optimizing the load on multiple SIP servers in an IBM BladeCenter, the BNT Layer 2-7 GbESM can ensure high availability at Layer 2, Layer 3, and Layer 4.

Layer 2 Trunk Failover - At Layer 2, network adapter teaming on the blade servers, combined with Layer 2 Trunk Failover on the BNT Layer 2-7 GbESM, can be enabled on any switch trunk group. If any of the links in a trunk fail, the switch triggers the Network Interface Card (NIC) team on the affected server blades to fail over from the primary to the backup NIC. This feature can also be enabled to detect failover for links within a VLAN, and enable/disable service to VLANs.

Virtual Router Redundancy Protocol - At Layer 3, Virtual Router Redundancy Protocol (VRRP) enables redundant router configurations within a LAN, providing alternate router paths for a host to eliminate single points of failure within a network. VRRP ensures that if the master switch fails, traffic will be rerouted through the backup switch. In high availability environments where the backup switch takes over when a master fails, all the SIP sessions on the master switch are reestablished on the backup switch.

Active-Active Redundancy - In order to minimize the possibility of complete session failover on a switch, Active-Active redundancy, using the BLADEOS Layer 4 extension to VRRP, can provide redundancy for virtual services (such as SIP, HTTP, FTP). In Active-Active redundancy, a pair of BNT Layer 2-7 GbESMs remains active and provides failover for one another at the same time on different virtual server IP addresses (VIPs), resulting in higher capacity and performance than when the switches are used in an Active-Standby configuration. For example, each Layer 2-7 GbESM is configured with two VIP addresses for load balancing SIP traffic. Switch 1 is configured with VRRP to be the Active (master) switch for VIP address 1, and the Standby (backup) switch for VIP address 2. Switch 2 is configured as the Standby on VIP address 1 and Active (master switch) on VIP address 2.

Content-Intelligent Security

Advanced Denial of Service Attack Prevention - Many types of cyber-attacks have exploited the weaknesses of traditional firewalls, which allow or deny traffic by opening or closing certain service ports, such as HTTP port 80. Absent a better security method, malicious content can pass through these well-known service ports. The BNT Layer 2-7 GbESM can protect SIP servers by performing deep packet inspection to block any malicious content before it is sent to the real servers. [vi]

Protection against UDP Blast Attacks - Malicious attacks over UDP protocol ports are becoming a common way to bring down real servers. The switch can be configured to restrict the amount of traffic allowed on any UDP port, thus ensuring that backend servers are not flooded with data.

UDP Pattern Matching - For the SIP protocol, which is UDP-based, the switch can be configured to examine a UDP packet from the beginning, from a specific offset value (starting point) within the packet, and/or from a specified depth (number of characters) into the packet. If an offending pattern is matched, the switch will drop those packets.

Site Availability: Global Server Load Balancing

Geographically redundant sites ensure the availability of key applications and minimize service outages in the event of a natural disaster or other catastrophe. The BNT Layer 2-7 GbESM can load balance traffic both locally and across multiple sites and domains. The Global Server Load Balancing (GSLB) feature performs or initiates a global server selection to direct client traffic to the best server for a given domain during the initial client connection. GSLB ensures that if all connectivity within a BladeCenter fails, user sessions can be redirected to another BladeCenter chassis in another location and domain. Based on DNS name resolution of SIP URIs, GSLB redirects client sessions to another GSLB-enabled site based on site health, site proximity to the client, and the response time required to retrieve content.

Conclusion

Deployments of voice over IP solutions using the Session Initiation Protocol (SIP) are increasingly migrating to blade servers due to the flexibility, scalability and performance advantages inherent in the bladed environment. IBM is the only blade server system vendor with integrated Layer 2-7 switching. IBM BladeCenter customers have the unique opportunity to take advantage of the content-intelligence, application load balancing, security, availability and price performance benefits of the BNT Layer 2-7 GbESM for optimal SIP application performance and availability, while reducing infrastructure and deployment costs.

Equipment List

Infrastructure VOIP

- 2 IBM BladeCenter E/H/S/T/HT Chassis
- 2 BNT Layer 2-7 Gigabit ESMs
- 14 IBM blade servers running commercial off the shelf SIP server software
- 14 PCI side cards (optional) for connectivity to Public Switched Telephone Network (PSTN)
- Standard server software as recommended by your vendor
- Standard client software as recommended by your vendor
- N IP enabled terminals/phones

About BLADE Network Technologies

BLADE Network Technologies is the leading supplier of Gigabit and 10G Ethernet network infrastructure solutions that reside in blade servers and scale-out server and storage racks. BLADE's new virtual, cooler and easier top-of-rack switches demonstrate the promise of Rackonomics, a revolutionary approach for scaling out data center networks to drive down total cost of ownership. The company's customers include half of the Fortune 500 across 26 industry segments, and an installed base of over 250,000 network switches connecting more than 2,000,000 servers and over 5 million switch ports.
[i] Doyle, Lee, and Bozman, Jean: The Benefits of Blade Servers in Telecommunications IT and Network Infrastructure, IDC Whitepaper #205415, Feb 2, 2007.
[ii] Ibid.
[iii] IBM eserver BladeCenter with Nortel Networks Layer 2-7 Gigabit Ethernet Switching Module: Price/Performance of Integrated vs. External Switching, Tolly Group, No 204104, January 2004.
[iv] The actual performance will vary depending on the number of SIP servers and their capacity.
[v] Nortel MCS (Multimedia Communications Server), Communigate Pro and Cisco are examples of SIP servers with synchronized databases. However, this does not constitute a product recommendation by BLADE Network Technologies or IBM.
[vi] This feature can be useful as an emergency fix during early stages of a virus attack, and is designed to function as a supplement, not a replacement for more advanced content-aware firewalls on the network.

BNT Layer 2-7 GbESM Details

Real server support: 64
Policy filters: 1,024
VLANs: 128
Default gateways: 255
Trunk groups (for external ports): 2
IP routing interfaces: 128
Virtual service support: 256

Major Applications

- Server load balancing
- Local server load balancing
- Global server load balancing
- Application health checks: SIP, IP, LDAP, DNS, RTSP and others
- Network device load balancing
- Application redirection and load balancing
- Content Intelligence
- Embedded security services
- VPN
- Intrusion detection
- Uplink to Core Routing Infrastructure
- WAP gateway
- SSL persistence
- Cache
- Streaming media
- Layer 7 inspection: Cookie, URL, HTTP header, user agent
- Access control

Network protocol & standards compatibility

10Base-T/100Base-TX/1000 Base-TX: IEEE 802.3-2000
Spanning Tree: IEEE 802.1d
Logical link control: IEEE 802.2
Flow control: IEEE 802.3x
Link negotiation: IEEE 802.3z
VLANs: IEEE 802.1Q
Frame tagging on all ports when VLANs enabled: IEEE 802.1Q

Technical Specifications

Total ports: 20
- 4 External 10/10/100 Mbps
- 14 internal 1000 Mbps
- 2 Management (internal) 100 Mbps
Layer 2 & 3 throughput: Line rate
Concurrent Sessions: 300,000
Layer 4 sessions/second: Up to 64,000 (with zero session loss)
Layer 7 sessions/second: Up to 28,000 (with zero session loss)
SNMP support: RFC 1213 MIB-II, RFC 1493 Bridge MIB, RFC 1398 Ethernet-like MIB, RFC 1757 RMON1 (groups 1-4), and RFC 1573 MIB compliant. Alteon Enterprise MIB
Denial of service attack prevention:
- IP ACLs
- Protection against common DoS attacks
- Protocol-based rate limiting
- UDP Blast Attack Prevention
- TCP or UDP pattern matching

MKT080925

© 2009 BLADE Network Technologies, Inc. All rights reserved. Information in this document is subject to change without notice. BLADE Network Technologies assumes no responsibility for any errors that may appear in this document. All statements regarding BLADE's future direction and intent are subject to change or withdrawal without notice, at BLADE's sole discretion. http://www.bladenetwork.net.