Nortel Networks 212777 manual

A good user manual

The rules oblige the seller to provide the buyer with the manual for the Nortel Networks 212777 product. A missing manual or incorrect information given to the consumer is grounds for a complaint that the product does not conform to the contract. Under the law, the manual may be supplied in a form other than paper, which is common practice, for example as a graphic or electronic manual or as Nortel Networks 212777 instructional videos for users. The condition is that the form is legible and understandable.

What is an instruction manual?

The word comes from the Latin "instructio", meaning to instruct. The Nortel Networks 212777 manual therefore contains a description of the stages of a process. The purpose of a manual is to instruct and to make it easier to start up and use the equipment or to carry out particular tasks. A manual is a collection of information about an object or service, a guide.

Unfortunately, few users take the time to read the Nortel Networks 212777 manual, yet a good manual not only introduces a number of additional functions of the device but also helps avoid most faults.

So what should the perfect manual contain?

First, the Nortel Networks 212777 manual should contain:
- technical data for the Nortel Networks 212777 device
- the manufacturer's name and the year of manufacture of the Nortel Networks 212777 device
- instructions for using, adjusting and maintaining the Nortel Networks 212777 device
- safety marks and certificates confirming compliance with the relevant standards

Why don't people read manuals?

Normally this is due to lack of time and to certainty about the specific functionality of the purchased device. Unfortunately, simply connecting and starting up the Nortel Networks 212777 is not enough. The manual contains a range of guidance on specific functions, safety, maintenance methods (even which products should be used), possible Nortel Networks 212777 faults, and ways of solving common problems during use. Finally, the manual gives the contact details of Nortel Networks service in case the proposed solutions do not work. Manuals in the form of engaging animations and instructional videos, which speak to the user better than a leaflet does, are currently much appreciated. This type of manual gives the user the chance to watch the whole instructional video without skipping the complicated Nortel Networks 212777 specifications and technical descriptions, as happens with the paper version.

Why read manuals?

First of all, they contain the answers about the construction and capabilities of the Nortel Networks 212777 device, the use of individual accessories, and a range of information for making full use of all its features and conveniences.

After successfully purchasing a piece of equipment or a device, it is worth taking a moment to become familiar with each part of the Nortel Networks 212777 manual. Manuals are now carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of informing.

Manual contents

  • Page 1

    50 Great Oaks Boulevard San Jose, California 95119 408-360-5500 Main 408-360-5501 Fax www.nortelnetworks.com Web OS Switch Software 10.0 Application Guide Part Number: 212777, Revision A, February 2002[...]

  • Page 2

    Web OS 10.0 Application Guide 2 212777-A, February 2002 Copyright 2002 Nortel Networks, Inc., 50 Great Oaks Boulevard, San Jose, California 95119, USA. All rights reserved. Part Number: 212777, Revision A. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution[...]

  • Page 3

    212777-A, February 2002 3 Contents Preface 21 Who Should Use This Guide 21 What You’ll Find in This Guide 21 Typographic Conventions 23 Contacting Us 24 Part 1: Basic Switching & Routing Chapter 1: Basic IP Routing 27 IP Routing Benefits 28 Routing Between IP Subnets 28 Example of Subnet Routing 31 Defining IP Address Ranges for[...]

  • Page 4

    Web OS 10.0 Application Guide 4 Contents 212777-A, February 2002 VLANs and Spanning Tree Protocol 49 Bridge Protocol Data Units (BPDUs) 50 Multiple Spanning Trees 51 VLANs and Default Gateways 58 Segregating VLAN Traffic 58 Configuring the Local Network 60 Configuring Default Gateways per VLAN 60 VLANs and Jumbo Frames 63 Isolating[...]

  • Page 5

    Web OS 10.0 Application Guide Contents 5 212777-A, February 2002 OSPF Configuration Examples 83 Example 1: Simple OSPF Domain 84 Example 2: Virtual Links 86 Example 3: Summarizing Routes 90 Example 4: Host Routes 92 Verifying OSPF Configuration 98 Chapter 5: Secure Switch Management 99 Setting Allowable Source IP Address Ranges 100 Secu[...]

  • Page 6

    Web OS 10.0 Application Guide 6 Contents 212777-A, February 2002 Load Balancing Special Services 149 IP Server Load Balancing 149 FTP Server Load Balancing 150 Domain Name Server (DNS) Load Balancing 151 Real Time Streaming Protocol SLB 155 Wireless Application Protocol SLB 158 Intrusion Detection System Server Load Balancing [...]

  • Page 7

    Web OS 10.0 Application Guide Contents 7 212777-A, February 2002 Chapter 8: Application Redirection 203 Overview 204 Web Cache Redirection Environment 204 Additional Application Redirection Options 205 RTSP Web Cache Redirection 211 IP Proxy Addresses for NAT 213 Excluding Noncacheable Sites 215 Chapter 9: Virtual Matrix Architectur[...]

  • Page 8

    Web OS 10.0 Application Guide 8 Contents 212777-A, February 2002 Chapter 11: High Availability 247 VRRP Overview 248 VRRP Components 248 VRRP Operation 251 Selecting the Master VRRP Router 251 Active-Standby Failover 252 Failover Methods 253 Active-Standby Redundancy 254 Active-Active Redundancy 255 Hot-Standby Redundancy 256 Synch[...]

  • Page 9

    Web OS 10.0 Application Guide Contents 9 212777-A, February 2002 Part 3: Advanced Web Switching Chapter 12: Global Server Load Balancing 289 GSLB Overview 290 Benefits 290 Compatibility with Other Web OS Features 290 How GSLB Works 291 Configuring GSLB 293 IP Proxy for Non-HTTP Redirects 304 How IP Proxy Works 305 Configuring [...]

  • Page 10

    Web OS 10.0 Application Guide 10 Contents 212777-A, February 2002 Chapter 15: Content Intelligent Switching 371 Overview 372 Parsing Content 373 HTTP Header Inspection 374 Buffering Content with Multiple Frames 374 Content Intelligent Server Load Balancing 375 URL-Based Server Load Balancing 375 Virtual Hosting 380 Coo[...]

  • Page 11

    Web OS 10.0 Application Guide Contents 11 212777-A, February 2002 Chapter 16: Persistence 421 Overview of Persistence 422 Using Source IP Address 422 Using Cookies 423 Using SSL Session ID 423 Cookie-Based Persistence 424 Permanent and Temporary Cookies 425 Cookie Formats 425 Cookie Properties 426 Client Browsers that Do Not[...]

  • Page 12

    Web OS 10.0 Application Guide 12 Contents 212777-A, February 2002 Configuring Bandwidth Management 454 Additional Configuration Examples 457 Preferential Services Examples 460 Glossary 471 Index 475[...]

  • Page 13

    212777-A, February 2002 13 Figures Figure 1-1: The Router Legacy Network 29 Figure 1-2: Switch-Based Routing Topology 30 Figure 1-3: iBGP and eBGP 37 Figure 1-4: BGP Failover Configuration Example 38 Figure 1-5: DHCP Relay Agent Configuration 42 Figure 2-1: Example 1: Multiple VLANs with Tagging Gigabit Adapters 46 Figure 2-2: Exampl[...]

  • Page 14

    Web OS 10.0 Application Guide 14 Figures 212777-A, February 2002 Figure 6-1: Traditional Versus SLB Network Configurations 119 Figure 6-2: Web Hosting Configuration Without SLB 121 Figure 6-3: Web Hosting with SLB Solutions 121 Figure 6-4: SLB Client/Server Traffic Routing 122 Figure 6-5: Example Network for Client/Server Port C[...]

  • Page 15

    Web OS 10.0 Application Guide Figures 15 212777-A, February 2002 Figure 12-1: DNS Resolution with Global Server Load Balancing 291 Figure 12-2: GSLB Topology Example 294 Figure 12-3: HTTP and Non-HTTP Redirects 304 Figure 12-4: POP3 Request Fulfilled via IP Proxy 305 Figure 12-5: GSLB Proximity Tables: How They Work 309 Figure 12-6:[...]

  • Page 16

    Web OS 10.0 Application Guide 16 Figures 212777-A, February 2002 Figure 17-1: Bandwidth Management: How It Works 442 Figure 17-2: Bandwidth Rate Limits 444 Figure 17-3: Virtual Clocks and TDT 446 Figure 17-4: URL-Based Bandwidth Management 450 Figure 17-5: URL-Based Bandwidth Management with Web Cache Redirection 450 Figure 17-6:[...]

  • Page 17

    212777-A, February 2002 17 Tables Table 1-1: Subnet Routing Example: IP Address Assignments 31 Table 1-2: Subnet Routing Example: IP Interface Assignments 31 Table 1-3: Subnet Routing Example: Optional VLAN Ports 33 Table 1-4: Local Routing Cache Address Ranges 35 Table 2-1: Ports, Trunk Groups, and VLANs 49 Table 2-2: Multi[...]

  • Page 18

    Web OS 10.0 Application Guide 18 Tables 212777-A, February 2002 Table 12-1: GSLB Example: California Real Server IP Addresses 296 Table 12-2: GSLB Example: California Alteon 180 Port Usage 297 Table 12-3: Denver Real Server IP Addresses 300 Table 12-4: Web Host Example: Alteon 180 Port Usage 301 Table 12-5: HTTP Versus Non-HTTP R[...]

  • Page 19

    212777-A, February 2002 19 New Features The following table lists the new features in Web OS 10.0 and the supported platforms: Feature Alteon Web Switches AD3/180e Alteon Web Switches AD4/184 Vlan-based default gateway No Yes Vlan Filtering No Yes Multiple Instances of Spanning Tree Yes Yes Layer 7 deny filter Yes Yes Increase real [...]

  • Page 20

    Web OS 10.0 Application Guide 20 New Features 212777-A, February 2002 Hash on any HTTP header Yes Yes Increase support of 16 rport to vport No Yes Increased number of scripted health check to 16 No Yes Descriptive names for filters Yes Yes OSPF No Yes LDAP health check Yes Yes Streaming Cache Redirection Yes Yes L7 Parsing[...]

  • Page 21

    212777-A, February 2002 21 Preface This Application Guide describes how to configure and use the Web OS software on the Alteon Web switches. For documentation on installing the switches physically, see the Hardware Installation Guide for your particular switch model. Who Should Use This Guide This Application Guide is intended fo[...]

  • Page 22

    Web OS 10.0 Application Guide 22 Preface 212777-A, February 2002 • Chapter 5, “Secure Switch Management,” describes how to manage the switch using specific IP addresses, RADIUS authentication, Secure Shell (SSH), and Secure Copy (SCP). Part 2: Web Switching Fundamentals • Chapter 6, “Server Load Balancing,” describ[...]

  • Page 23

    Web OS 10.0 Application Guide Preface 23 212777-A, February 2002 Typographic Conventions The following table describes the typographic styles used in this book. Table 1 Typographic Conventions Typeface or Symbol Meaning Example AaBbCc123 This type is used for names of commands, files, and directories used within the text. [...]

  • Page 24

    Web OS 10.0 Application Guide 24 Preface 212777-A, February 2002 Contacting Us For complete product support and sales information, visit the Nortel Networks website at the following URL: http://www.nortelnetworks.com See the contact information on this site for regional support and sales phone numbers and e-mail addresses. • In North A[...]

  • Page 25

    212777-A, February 2002 25 Part 1: Basic Switching & Routing This section discusses basic Layer 1 through Layer 3 switching and routing functions. In addition to switching traffic at near line rates, the Web switch can perform multi-protocol routing. This section includes the following basic switching and routing topics: • Basic[...]

  • Page 26

    Web OS 10.0 Application Guide 26 Basic Switching & Routing 212777-A, February 2002[...]

  • Page 27

    212777-A, February 2002 27 CHAPTER 1 Basic IP Routing This chapter provides configuration background and examples for using the Alteon Web switch to perform IP routing functions. The following topics are addressed in this chapter: • “IP Routing Benefits” on page 28 • “Routing Between IP Subnets” on page 28 • “Example o[...]

  • Page 28

    Web OS 10.0 Application Guide 28 Chapter 1: Basic IP Routing 212777-A, February 2002 IP Routing Benefits The Alteon Web switch uses a combination of configurable IP switch interfaces and IP routing options. The switch IP routing capabilities provide the following benefits: • Connects the server IP subnets to the rest of the backbon[...]

  • Page 29

    Web OS 10.0 Application Guide Chapter 1: Basic IP Routing 29 212777-A, February 2002 For example, consider the following topology migration: Figure 1-1 The Router Legacy Network In this example, a corporate campus has migrated from a router-centric topology to a faster, more powerful, switch-based topology. As is often the case, the le[...]

  • Page 30

    Web OS 10.0 Application Guide 30 Chapter 1: Basic IP Routing 212777-A, February 2002 Take a closer look at the Alteon Web switch in the following configuration example: Figure 1-2 Switch-Based Routing Topology The Alteon Web switch connects the Gigabit Ethernet and Fast Ethernet trunks from various switched subnets through[...]

  • Page 31

    Web OS 10.0 Application Guide Chapter 1: Basic IP Routing 31 212777-A, February 2002 Example of Subnet Routing Prior to configuring, you must be connected to the switch Command Line Interface (CLI) as the administrator. NOTE – For details about accessing and using any of the menu commands described in this example, see the Web OS Comm[...]

  • Page 32

    Web OS 10.0 Application Guide 32 Chapter 1: Basic IP Routing 212777-A, February 2002 IP interfaces are configured using the following commands at the CLI: 3. Set each server and workstation’s default gateway to the appropriate switch IP interface (the one in the same subnet as the server or workstation). 4. Configure the default gatewa[...]

  • Page 33

    Web OS 10.0 Application Guide Chapter 1: Basic IP Routing 33 212777-A, February 2002 Using VLANs to Segregate Broadcast Domains In the previous example, devices that share a common IP network are all in the same broadcast domain. If you want to limit the broadcasts on your network, you could use VLANs to create distinct broadcast dom[...]

  • Page 34

    Web OS 10.0 Application Guide 34 Chapter 1: Basic IP Routing 212777-A, February 2002 Each time you add a port to a VLAN, you may get the following prompt: Enter y to set the default Port VLAN ID (PVID) for the port. 3. Add each IP interface to the appropriate VLAN. Now that the ports are separated into three VLANs, the IP interface for e[...]

  • Page 35

    Web OS 10.0 Application Guide Chapter 1: Basic IP Routing 35 212777-A, February 2002 Defining IP Address Ranges for the Local Route Cache A local route cache lets you use switch resources more efficiently. The local network address and local network mask parameters (accessed via the /cfg/ip/frwd/local/add command) define a range of addr[...]

  • Page 36

    Web OS 10.0 Application Guide 36 Chapter 1: Basic IP Routing 212777-A, February 2002 Border Gateway Protocol (BGP) Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share and advertise routing information with each other about the segments of the IP address space they can access within their networ[...]

  • Page 37

    Web OS 10.0 Application Guide Chapter 1: Basic IP Routing 37 212777-A, February 2002 Figure 1-3 iBGP and eBGP Typically, an AS has one or more multiple border routers — peer routers that exchange routes with other ASs — and an internal routing scheme that enables routers in that AS to reach every other router and destination within [...]

  • Page 38

    Web OS 10.0 Application Guide 38 Chapter 1: Basic IP Routing 212777-A, February 2002 As shown in Figure 1-4, the switch is connected to ISP 1 and ISP 2. The customer negotiates with both ISPs to allow the Web switch to use their peer routers as default gateways. The ISP peer routers will then need to announce themselves as default ga[...]

  • Page 39

    Web OS 10.0 Application Guide Chapter 1: Basic IP Routing 39 212777-A, February 2002 2. Define the VLANs. For simplicity, both default gateways are configured in the same VLAN in this example. The gateways could be in the same VLAN or different VLANs. 3. Define the IP interfaces. The switch will need an IP interface for each default gatewa[...]

  • Page 40

    Web OS 10.0 Application Guide 40 Chapter 1: Basic IP Routing 212777-A, February 2002 5. Configure BGP peer router 1 and 2. Peer 1 is the primary gateway router. Peer 2 is configured with a metric of “3.” The metric option is key to ensuring gateway traffic is directed to Peer 1, as it will make Peer 2 appear to be three router ho[...]

  • Page 41

    Web OS 10.0 Application Guide Chapter 1: Basic IP Routing 41 212777-A, February 2002 DHCP Relay Dynamic Host Configuration Protocol (DHCP) is a transport protocol that provides a framework for automatically assigning IP addresses and configuration information to other IP hosts or clients in a large TCP/IP network. Without DHC[...]

  • Page 42

    Web OS 10.0 Application Guide 42 Chapter 1: Basic IP Routing 212777-A, February 2002 respond as a UDP Unicast message back to the switch, with the default gateway and IP address for the client. The destination IP address in the server response represents the interface address on the switch that received the client request. This interf[...]

  • Page 43

    212777-A, February 2002 43 CHAPTER 2 VLANs This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enfor[...]

  • Page 44

    Web OS 10.0 Application Guide 44 Chapter 2: VLANs 212777-A, February 2002 VLAN ID Numbers Web OS supports up to 246 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 246, each can be identified with any number between 1 and 4094. VLANs are defined on a per-port basis. Each port on the switc[...]

  • Page 45

    Web OS 10.0 Application Guide Chapter 2: VLANs 45 212777-A, February 2002 VLANs and the IP Interfaces Carefully consider how you create VLANs within the switch, so that communication with the switch Management Processor (MP) remains possible. You can access the switch for remote configuration, trap messages, and other managemen[...]

  • Page 46

    Web OS 10.0 Application Guide 46 Chapter 2: VLANs 212777-A, February 2002 Example 1: Multiple VLANS with Tagging Adapters Figure 2-1 Example 1: Multiple VLANs with Tagging Gigabit Adapters The features of this VLAN are described below: Component Description Web Switch This switch is configured for three VLANs that represent three [...]

  • Page 47

    Web OS 10.0 Application Guide Chapter 2: VLANs 47 212777-A, February 2002 NOTE – VLAN tagging is required only on ports that are connected to other Alteon Web switches or on ports that connect to tag-capable end-stations, such as servers with VLAN-tagging adapters. PCs #1 and #2 These PCs are attached to a shared media hub that i[...]

  • Page 48

    Web OS 10.0 Application Guide 48 Chapter 2: VLANs 212777-A, February 2002 Example 2: Parallel Links with VLANs Figure 2-2 Example 2: Parallel Links with VLANs The following items describe the features of this example: • Example 2 shows how it is possible, through the use of VLANs, to create configurations where there are multiple link[...]

  • Page 49

    Web OS 10.0 Application Guide Chapter 2: VLANs 49 212777-A, February 2002 VLANs and Spanning Tree Protocol Spanning Tree Protocol (STP) detects and eliminates logical loops in a bridged or switched network. STP forces redundant data paths into a standby (blocked) state. When multiple paths exist, Spanning Tree configures the network so [...]

  • Page 50

    Web OS 10.0 Application Guide 50 Chapter 2: VLANs 212777-A, February 2002 Bridge Protocol Data Units (BPDUs) To create a Spanning Tree, the Web switch generates a configuration Bridge Protocol Data Unit (BPDU), which it then forwards out of its ports. All switches in the Layer 2 network participating in the Spanning Tree gather info[...]

  • Page 51

    Web OS 10.0 Application Guide Chapter 2: VLANs 51 212777-A, February 2002 Multiple Spanning Trees Web OS 10.0 supports up to 16 instances of Spanning Trees or Spanning Tree groups. Each VLAN can be placed on a unique Spanning Tree group per switch except for the default Spanning Tree group (STG 1). The default Spanning Tree g[...]

  • Page 52

    Web OS 10.0 Application Guide 52 Chapter 2: VLANs 212777-A, February 2002 Example of a Four-Switch Topology with a Single Spanning Tree In the four-switch topology example shown in Figure 2-4 on page 52, and assuming Web switch A has a higher priority, you can have at least three loops on the network: • Data flowing from Web swit[...]

  • Page 53

    Web OS 10.0 Application Guide Chapter 2: VLANs 53 212777-A, February 2002 Example of a Four-Switch Topology with Multiple Spanning Trees If multiple Spanning Trees are implemented and each VLAN is on a different Spanning Tree, elimination of logical loops will not isolate any VLAN. Figure 2-5 shows the same four-switch topolo[...]

  • Page 54

    Web OS 10.0 Application Guide 54 Chapter 2: VLANs 212777-A, February 2002 Switch-Centric Spanning Tree Protocol In Figure 2-5 on page 53, VLAN 2 is shared by Web switch A and B on ports 8 and 1 respectively. Web switch A identifies VLAN 2 in Spanning Tree group 2 and Web switch B identifies VLAN 2 in Spanning Tree group 1. Sp[...]

  • Page 55

    Web OS 10.0 Application Guide Chapter 2: VLANs 55 212777-A, February 2002 VLAN Participation in Spanning Tree Groups The VLAN participation for each Spanning Tree group in Figure 2-5 on page 53 is discussed in the following sections: • VLAN 1 Participation If Web switch A is the root bridge, then Web switch A will transmit th[...]

  • Page 56

    Web OS 10.0 Application Guide 56 Chapter 2: VLANs 212777-A, February 2002 Configuring Multiple Spanning Tree Groups This configuration shows how to configure the three instances of Spanning Tree groups on the Web switches A, B, C, and D illustrated in Figure 2-5 on page 53. By default Spanning Trees 2-15 are empty, and Spa[...]

  • Page 57

    Web OS 10.0 Application Guide Chapter 2: VLANs 57 212777-A, February 2002 3. Configure the following on Web switch C: Add port 8 to VLAN 3 and define Spanning Tree group 3 for VLAN 3. VLAN 3 is automatically removed from Spanning Tree group 1 and by default VLAN 2 remains in Spanning Tree Group 1. NOTE – Web switch D does not r[...]

  • Page 58

    Web OS 10.0 Application Guide 58 Chapter 2: VLANs 212777-A, February 2002 VLANs and Default Gateways Web OS allows you to assign different default gateways for each VLAN. You can effectively map multiple customers to specific gateways on a single switch. The benefits of segregating customers to different default gateways are: • Resource[...]

  • Page 59

    Web OS 10.0 Application Guide Chapter 2: VLANs 59 212777-A, February 2002 In the example shown in Figure 2-6, if default gateways 5 or 6 fail, then traffic is directed to default gateway 1, which is configured with IP address 10.10.4.1. If default gateways 1 through 4 are not configured on the switch, then packets from VLAN 2 and VLAN[...]

  • Page 60

    Web OS 10.0 Application Guide 60 Chapter 2: VLANs 212777-A, February 2002 Configuring the Local Network To completely segregate VLAN traffic to its own default gateway, you can configure the local network addresses of the VLAN. This will ensure that all traffic from VLAN 2 is forwarded to Gateway 5 and all traffic from VLAN 3 is forwarde[...]

  • Page 61

    Web OS 10.0 Application Guide Chapter 2: VLANs 61 212777-A, February 2002 3. Configure the default gateways. Configuring default gateways 5 and 6 for VLANs 2 and 3 respectively. Configure default gateway 1 for load balancing session requests and as backup when default gateways 5 and 6 fail. NOTE – The IP address for defau[...]

  • Page 62

    Web OS 10.0 Application Guide 62 Chapter 2: VLANs 212777-A, February 2002 6. (Optional) Configure the local networks to ensure that the VLANs use the configured default gateways. 7. Apply and save your new configuration changes. >> IP# frwd/local (Select the local network Menu) >> IP Forwarding# add 10.10.0.0 (Specify the ne[...]

  • Page 63

    Web OS 10.0 Application Guide Chapter 2: VLANs 63 212777-A, February 2002 VLANs and Jumbo Frames To reduce host frame processing overhead, Gigabit network adapters that can handle frame sizes of 9K and higher (such as the 3COM PCI-X/PCI Gigabit adapters) and Alteon Web switches, both running operating Web OS version 2.0 or later, ca[...]

  • Page 64

    Web OS 10.0 Application Guide 64 Chapter 2: VLANs 212777-A, February 2002 Figure 2-7 Jumbo Frame VLANs Routing Jumbo Frames to Non-Jumbo Frame VLANs When IP routing is used to route traffic between VLANs, the switch will fragment Jumbo UDP datagrams when routing from a Jumbo frame VLAN to a non-Jumbo frame VLAN. The resulting Jumbo[...]

  • Page 65

    212777-A, February 2002 65 CHAPTER 3 Port Trunking Trunk groups can provide super-bandwidth, multi-link connections between Alteon Web switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. This chapter provides configu-[...]

  • Page 66

    Web OS 10.0 Application Guide 66 Chapter 3: Port Trunking 212777-A, February 2002 Statistical Load Distribution Network traffic is statistically load balanced between the ports in a trunk group. The Web OS-powered switch uses both the Layer 2 MAC address and Layer 3 IP address information present in each transmitted frame for determinin[...]

  • Page 67

    Web OS 10.0 Application Guide Chapter 3: Port Trunking 67 212777-A, February 2002 Port Trunking Example In the example below, three ports will be trunked between two Alteon Web switches. Figure 3-2 Port Trunk Group Configuration Example Prior to configuring each switch in the above example, you must connect to the appropriate switc[...]

  • Page 68

    Web OS 10.0 Application Guide 68 Chapter 3: Port Trunking 212777-A, February 2002 3. Repeat the process on Web switch 2. Trunk group 1 (on Web switch 1) is now connected to trunk group 3 (on Web switch 2). NOTE – In this example, two Alteon Web switches are used. If a third-party device supporting link aggregation i[...]

  • Page 69

    212777-A, February 2002 69 CHAPTER 4 OSPF Web OS 10.0 supports the Open Shortest Path First (OSPF) routing protocol. The Web OS implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. The following sections discuss OSPF support for the Alteon AD4/184 Web switches: • “OSPF Overview” on page[...]

  • Page 70

    Web OS 10.0 Application Guide 70 Chapter 4: OSPF 212777-A, February 2002 Types of OSPF Areas An AS can be broken into logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to th[...]

  • Page 71

    Web OS 10.0 Application Guide Chapter 4: OSPF 71 212777-A, February 2002 Types of OSPF Routing Devices As shown in Figure 4-2, OSPF uses the following types of routing devices: • Internal Router (IR) — a router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices w[...]

  • Page 72

    Web OS 10.0 Application Guide 72 Chapter 4: OSPF 212777-A, February 2002 Neighbors and Adjacencies In areas with two or more routing devices, neighbors and adjacencies are formed. Neighbors are routing devices that maintain information about each others’ health. To establish neighbor relationships, routing devices periodically send h[...]

  • Page 73

    Web OS 10.0 Application Guide Chapter 4: OSPF 73 212777-A, February 2002 The Shortest Path First Tree The routing devices use a link-state algorithm (Dijkstra’s algorithm) to calculate the shortest path to all known destinations, based on the cumulative cost required to reach the destination. The cost of an individual interface in OSP[...]

  • Page 74

    Web OS 10.0 Application Guide 74 Chapter 4: OSPF 212777-A, February 2002 OSPF Implementation in Web OS Web OS 10.0 supports a single instance of OSPF and up to 1K routes on the network. The following sections describe OSPF implementation in Web OS: • “Configurable Parameters” on page 74 • “Defining Areas” on page 75 [...]

  • Page 75

    Defining Areas
    If you are configuring multiple areas in your OSPF domain, one of the areas must be designated as area 0, known as the backbone. The backbone is the central OSPF area and is usually physically connected to all other areas. The areas inject routing in[...]

  • Page 76

    Using the Area ID to Assign the OSPF Area Number
    The OSPF area number is defined in the areaid <IP address> option. The octet format is used in order to be compatible with two different systems of notation used by other OSPF network vendors. There are tw[...]

  • Page 77

    Interface Cost
    The OSPF link-state algorithm (Dijkstra’s algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely proportional to the bandwidth of the interface[...]

  • Page 78

    Default Routes
    When an OSPF routing device encounters traffic for a destination address it does not recognize, it forwards that traffic along the default route. Typically, the default route leads upstream toward the backbone until it reaches the intended area o[...]

  • Page 79

    Virtual Links
    Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases where this is not possible, you can use a virtual link. Virtual links are created to connect one area to the backbone through another non-backbone area (see [...]

  • Page 80

    Router ID
    Routing devices in OSPF areas are identified by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP interface range or in any OSPF area. The router ID can be configured in [...]

  • Page 81

    To configure OSPF passwords on the Web switches shown in Figure 4-4, use the following commands:
    1. Enable OSPF authentication for Area 0 on Web switches 1, 2, and 3.
    2. Configure a simple text password up to eight characters for each OSPF IP interface in Area 0 o[...]

  • Page 82

    Host Routes for Load Balancing
    Web OS 10.0 implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks, accomplishing the following goals:
    - Server Load Balancing (SLB) within OSPF
      Host routes [...]

  • Page 83

    OSPF Configuration Examples
    A summary of the basic steps for configuring OSPF on the Web switch is listed here. Detailed instructions for each of the steps are covered in the following sections:
    1. Configure IP interfaces. One IP interface is required for each desi[...]

  • Page 84

    Example 1: Simple OSPF Domain
    In this example, two OSPF areas are defined — one area is the backbone and the other is a stub area. A stub area does not allow advertisements of external routes, thus reducing the size of the database. Instead, a default summary ro[...]

  • Page 85

    3. Define the backbone. The backbone is always configured as a transit area using areaid 0.0.0.0.
    4. Define the stub area.
    5. Attach the network interface to the backbone.
    6. Attach the network interface to the stub area.
    7. Apply and save the configuration changes. [...]

  • Page 86

    Example 2: Virtual Links
    In the example shown in Figure 4-6, area 2 is not physically connected to the backbone as is usually required. Instead, area 2 will be connected to the backbone via a virtual link through area 1. The virtual link must be configured at each en[...]

  • Page 87

    4. Define the backbone.
    5. Define the transit area. The area that contains the virtual link must be configured as a transit area.
    6. Attach the network interface to the backbone.
    7. Attach the network interface to the transit area.
    8. Configure the virtual link. The n[...]

  • Page 88

    Configuring OSPF for a Virtual Link on Switch #2
    1. Configure IP interfaces on each network that will be attached to OSPF areas. Two IP interfaces are needed on Switch #2: one for the transit area network on 10.10.12.0/24 and one for the stub area network on 10.[...]

  • Page 89

    6. Define the stub area.
    7. Attach the network interface to the backbone.
    8. Attach the network interface to the transit area.
    9. Configure the virtual link. The nbr router ID configured in this step must be the same as the router ID that was configured for Web sw[...]

  • Page 90

    Example 3: Summarizing Routes
    By default, ABRs advertise all the network addresses from one area into another area. Route summarization can be used for consolidating advertised addresses and reducing the perceived complexity of the network. If the network IP addresse[...]

  • Page 91

    3. Define the backbone.
    4. Define the stub area.
    5. Attach the network interface to the backbone.
    6. Attach the network interface to the stub area.
    7. Configure route summarization by specifying the starting address and mask of the range of addresses to be summarized[...]

  • Page 92

    Example 4: Host Routes
    The Web OS 10.0 implementation of OSPF includes host routes. Host routes are used for advertising network device IP addresses to external networks and allow for Server Load Balancing (SLB) within OSPF. It also makes ABR load sharing and fai[...]

  • Page 93

    Configuring OSPF for Host Routes on Web Switch #1
    1. Configure basic SLB parameters. Web switch 1 is connected to two real servers. Each real server is given an IP address and is placed in the same real server group.
    2. Configure client and server processing on speci[...]

  • Page 94

    5. Configure the backup virtual server. Alteon Web switch #1 will act as a backup for virtual server 10.10.10.2. Both virtual servers in this example are configured with the same real server group and provide identical services.
    6. Configure IP interfaces for ea[...]

  • Page 95

    10. Attach the network interface to the backbone.
    11. Attach the network interface to the stub area.
    12. Configure host routes. One host route is needed for each virtual server on Web switch 1. Since virtual server 10.10.10.1 is preferred for Web switch 1, its hos[...]

  • Page 96

    Configuring OSPF for Host Routes on Web Switch 2
    1. Configure basic SLB parameters. Web switch 2 is connected to two real servers. Each real server is given an IP address and is placed in the same real server group.
    2. Configure the virtual server parameters. The sa[...]

  • Page 97

    4. Enable OSPF on Web switch #2.
    5. Define the backbone.
    6. Define the stub area.
    7. Attach the network interface to the backbone.
    8. Attach the network interface to the stub area.
    >> IP Interface 2 # ../ospf/on (Enable OSPF on Web switch #2)
    >> Open Shor[...]

  • Page 98

    9. Configure host routes. Host routes are configured just like those on Web switch 1, except their costs are reversed. Since virtual server 10.10.10.2 is preferred for Web switch 2, its host route has been given a low cost. Because virtual server 10.10.10.1 is [...]

  • Page 99

    CHAPTER 5 Secure Switch Management
    This chapter discusses the use of secure tunnels so that the data on the network is encrypted and secured for messages between a remote administrator and the switch. To limit access to the switch’s Management Processor without having to configure filters for each switch po[...]

  • Page 100

    Setting Allowable Source IP Address Ranges
    The allowable management IP address range is configured using the system mnet and mmask options available on the Command Line Interface (CLI) System Menu (/cfg/sys).
    NOTE – The mnet and mmas[...]

  • Page 101

    Secure Switch Management
    Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured management:
    - Authentication of remote adm[...]

  • Page 102

    Requirements
    The following components are required for authorization and authentication:
    - A remote administrator
    - The Web switch with authentication and authorization protocol support, acting as a client in the AA model
    - A back-end au[...]

  • Page 103

    RADIUS Authentication and Authorization
    RADIUS is an access server authentication, authorization, and accounting protocol used to secure remote access to networks and network services against unauthorized access. RADIUS consists of three compone[...]

  • Page 104

    RADIUS Authentication Features in Web OS
    The following RADIUS Authentication features are supported in Web OS:
    - Supports RADIUS client on the switch, based on the protocol definitions in RFC 2138 and 2866.
    - Enables/disables support of [...]

  • Page 105

    Web Switch User Accounts
    The user accounts listed in Table 5-1 can be defined in the RADIUS server dictionary file.
    Table 5-1 User Access Levels
    User Account | Description and Tasks Performed | Password
    User | The User has no direct respon [...]

  • Page 106

    When the user logs in, the switch authenticates his/her level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server. If the remote user is successfully authenticated b[...]

  • Page 107

    Secure Shell and Secure Copy
    Although a remote network administrator can manage the configuration of an Alteon Web switch via Telnet, this method does not provide a secure connection. Using Secure Shell (SSH) and Secure Copy (SCP), messages b[...]

  • Page 108

    NOTE – There can be a maximum number of four simultaneous Telnet/SSH/SCP connections at one time. The /cfg/sys/radius/telnet command also applies to SSH/SCP connections.
    Encryption of Management Messages
    The supported encryption a[...]

  • Page 109

    RSA Host and Server Keys
    To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the Web switch. The server key is 768 bits and is used to make it impo[...]

  • Page 110

    RADIUS Authentication
    SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS servers for authenticatio [...]

  • Page 111

    Configuring SSH/SCP
    SSH/SCP parameters can be configured only via the console port, using the CLI. The switch SSH daemon uses TCP port 22 only and is not configurable. To enable or disable the SSH/SCP feature, use the following commands:
    To s [...]

  • Page 112

    To save the current configuration to FLASH, use this command:
    Usually, there will be no need to generate manually the RSA host and server keys. However, you may still do so by using the following commands:
    NOTE – These two command[...]

  • Page 113

    Port Mirroring
    Port mirroring is implemented to enhance the security of your network. For example, an IDS server can be connected to the monitor port to detect intruders attacking the network. The port mirroring feature in Web OS 10.0 allows y[...]

  • Page 114

    NOTE – Port mirroring and bandwidth management cannot be enabled at the same time.
    To configure port mirroring for the example shown in Figure 5-2,
    1. Specify the monitoring port.
    2. Select the ports that you want to mirror.
    3. En[...]

  • Page 115

    Part 2: Web Switching Fundamentals
    Internet traffic consists of myriad services and applications which use the Internet Protocol (IP) for data delivery. IP, however, is not optimized for all the various applications. Web switching goes beyond IP and makes intelligent switching decisions based on the applica[...]

  • Page 116

    Web OS 10.0 Application Guide 116 Web Switching Fundamentals 212777-A, February 2002[...]

  • Page 117

    CHAPTER 6 Server Load Balancing
    Server Load Balancing (SLB) allows you to configure the Alteon Web switch to balance user session traffic among a pool of available servers that provide shared services. The following sections in this chapter describe how to configure and use SLB:
    - “Understanding Server Lo[...]

  • Page 118

    Understanding Server Load Balancing
    SLB benefits your network in a number of ways:
    - Increased efficiency for server utilization and network bandwidth
      With SLB, your Alteon Web switch is aware of the shared services provided by your server pool[...]

  • Page 119

    How Server Load Balancing Works
    In an average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access to[...]

  • Page 120

    The Web switch, with SLB software, acts as a front-end to the servers, interpreting user session requests and distributing them among the available servers. Load balancing in Web OS can be done in the following ways:
    - Virtual server-based load[...]

  • Page 121

    Implementing Basic Server Load Balancing
    Consider a situation where customer Web sites are being hosted by a popular Web hosting company and/or Internet Service Provider (ISP). The Web content is relatively static and is kept on a single NFS se[...]

  • Page 122

    All of the above issues can be addressed by adding an Alteon Web switch with SLB software.
    - Reliability is increased by providing multiple paths from the clients to the Web switch and by accessing a pool of servers with identical content. If[...]

  • Page 123

    - Some services require that a series of client requests go to the same real server so that session-specific state data can be retained between connections. Services of this nature include Web search results, multi-page forms that the user fil[...]

  • Page 124

    Configuring Server Load Balancing
    This section describes the steps for configuring an SLB Web hosting solution. In the following procedure, many of the SLB options are left to their default values. See “Additional Server Load Balancing [...]

  • Page 125

    2. Define an IP interface on the switch. The switch must have an IP route to all of the real servers that receive Web switching services. For SLB, the switch uses this path to determine the level of TCP/IP reach of the real servers. To configure an [...]

  • Page 126

    5. Define a virtual server. All client requests will be addressed to a virtual server IP address on a virtual server defined on the switch. Clients acquire the virtual server IP address through normal DNS resolution. In this example, HTTP is c[...]

  • Page 127

    The ports are configured as follows:
    7. Enable, apply, and verify the configuration. Examine the resulting information. If any settings are incorrect, make the appropriate changes.
    8. Save your new configuration changes.
    NOTE – You must app[...]

  • Page 128

    Additional Server Load Balancing Options
    In the previous section (“Configuring Server Load Balancing” on page 124), many of the SLB options are left to their default values. The following configuration options can be used to customize S[...]

  • Page 129

    Disabling and Enabling Real Servers
    If you need to reboot a server, you must make sure that new sessions are not sent to the real server and that old sessions are not discarded. When the session count gets to zero, you may shut down the ser[...]

  • Page 130

    Health Checks for Real Servers
    Determining health for each real server is a necessary function for SLB. By default for TCP services, the switch checks health by opening a TCP connection to each service port configured as part of each service. For[...]

  • Page 131

    Metrics for Real Server Groups
    Metrics are used for selecting which real server in a group will receive the next client connection. The available metrics minmisses (minimum misses), hash, leastconns (least connections), roundrobin, bandwidth, [...]

  • Page 132

    Hash
    The hash metric uses IP address information in the client request to select a server. The specific IP address information used depends on the application:
    - For Application Redirection, the client destination IP address is used. All req[...]

  • Page 133

    Response Time
    The response metric uses real server response time to assign sessions to servers. The response time between the servers and the switch is used as the weighting factor. The switch monitors and records the amount of time it takes for eac[...]

  • Page 134

    Weights for Real Servers
    Weights can be assigned to each real server. These weights bias load balancing to give the fastest real servers a larger share of connections. Weight is specified as a number from 1 to 48. Each increment increases th[...]

  • Page 135

    Backup/Overflow Servers
    A real server can back up other real servers and can handle overflow traffic when the maximum connection limit is reached. Each backup real server must be assigned a real server number and real server IP address. [...]

  • Page 136

    Extending SLB Topologies
    For standard SLB, all client-to-server requests to a particular virtual server and all related server-to-client responses must pass through the same Web switch. In complex network topologies, routers and other device[...]

  • Page 137

    The following procedure can be used for configuring proxy IP addresses:
    1. Disable server processing on affected switch ports. When implementing proxies, switch ports can be reconfigured to disable server processing. Referring to the Table 6-2 [...]

  • Page 138

    3. If the Virtual Matrix Architecture (VMA) feature is enabled, add proxy IP addresses for all other switch ports (except port 9). VMA is normally enabled on the switch. In addition to enhanced resource management, VMA eliminates many of the restric[...]

  • Page 139

    Mapping Ports
    An Alteon Web switch allows you to hide the identity of a port for security by mapping a virtual server port to a different real server port.
    Mapping a Virtual Server Port to a Real Server Port
    In addition to providing direct[...]

  • Page 140

    Consider the following network:
    Figure 6-6 Basic Virtual Port to Real Port Mapping Configuration
    In this example, four real servers are used to support a single service (HTTP). Clients access this service through a virtual server with IP [...]

  • Page 141

    Load Balancing Metric
    For each service, a real server is selected using the configured load balancing metric (hash, leastconns, minmisses, or roundrobin). To ensure even distribution, once an available server is selected, the switch will use [...]

  • Page 142

    4. Turn on multiple rport for Port 80.
    5. Add the ports to which the Web server listens.
    Direct Server Interaction
    Direct access to real servers can be provided in the following ways:
    - Using Direct Server Return
    - Using Direct Access Mode [...]

  • Page 143

    The sequence of steps that are executed in this scenario is shown in Figure 6-7:
    Figure 6-7 Direct Server Return
    1. A client request is forwarded to the Web switch.
    2. Because only MAC addresses are substituted, the switch forwards the request to t[...]

  • Page 144

    Using Proxy IP Addresses
    Proxy IP addresses are used primarily to eliminate SLB topology restrictions in complex networks (see “Proxy IP Addresses” on page 136). Proxy IP addresses can also provide direct access to real servers. If [...]

  • Page 145

    Monitoring Real Servers
    Typically, the management network is used by network administrators to monitor real servers and services. By configuring the mnet and mmask options of the SLB Configuration Menu (/cfg/slb/adv), you can access the rea[...]

  • Page 146

    Delayed Binding
    The delayed binding feature on the switch prevents SYN Denial-of-Service (DoS) attacks on the server. DoS occurs when the server or switch is denied servicing the client because it is saturated with invalid traffic. Typical[...]

  • Page 147

    Figure 6-10 Repelling DoS SYN Attacks With Delayed Binding
    Once the Web switch receives a valid ACK or DATA REQ from the client, the Web switch sends a SYN request to the server on behalf of the client, waits for the server to respond with a[...]

  • Page 148

    Configuring Delayed Binding
    To configure your switch for delayed binding, use the following command:
    NOTE – Enable delayed binding without configuring any HTTP SLB processing or persistent binding types.
    To configure delayed bin[...]

  • Page 149

    Load Balancing Special Services
    This section discusses load balancing based on special services, such as
    - IP Server Load Balancing
    - FTP Server Load Balancing
    - Domain Name Server (DNS) Load Balancing
    - Real Time Streaming Protocol SLB
    - Wirele[...]

  • Page 150

    FTP Server Load Balancing
    As defined in RFC 959, FTP uses two connections — one for control information and another for data. Each connection is unique. Unless the client requests a change, the server always uses TCP port 21 (a well-known por[...]

  • Page 151

    Domain Name Server (DNS) Load Balancing
    In previous releases of Web OS, DNS load balancing was based on virtual server IP address and virtual port (VPORT) only. In Web OS 10.0, however, DNS load balancing allows you to choose the service bas[...]

  • Page 152

    Preconfiguration Tasks
    1. Enable server load balancing.
    2. Configure the four real servers and their real IP addresses.
    3. Configure group 1 for UDP and group 2 for TCP. For more information on configuring health check, see “UDP-Based DNS H[...]

  • Page 153

    Configuring UDP-based DNS Load Balancing
    1. Configure and enable a virtual server IP address 1 on the switch.
    2. Set up the DNS service for the virtual server, and add real server group 1.
    3. Disable delayed binding. Delayed binding is not require[...]

  • Page 154

    Configuring TCP-based DNS Load Balancing
    1. Configure and enable the virtual server IP address 2 on the switch.
    2. Set up the DNS service for virtual server, and select real server group 2.
    3. Enable delayed binding.
    4. As this is TCP-based lo [...]

  • Page 155

    Real Time Streaming Protocol SLB
    Real Time Streaming Protocol (RTSP) is an application-level protocol for control over the delivery of data with real-time properties as documented in RFC 2326. RTSP is used as a “network remote control” fo[...]

  • Page 156

    Corporation, and Quicktime Streaming Server marketed by Apple Inc. The RTSP stream setup sequence is different for these two servers, and the switch handles each differently. Some of these differences are described below.
    - Real Server Rea[...]

  • Page 157

    Configuring RTSP Load Balancing
    Before configuring your Web switch for RTSP load balancing, do the following:
    - Enable Virtual Matrix Architecture (VMA)
    - Enable Direct Access Mode (DAM)
    - Disable port-based Bandwidth Management
    - Disabl [...]

  • Page 158

    Wireless Application Protocol SLB
    Wireless Application Protocol (WAP) is an open, global specification for a suite of protocols designed to allow wireless devices to communicate and interact with other devices. It empowers mobile users with w[...]

  • Page 159

    TPCP is Alteon’s proprietary protocol that is used to establish communication between the RADIUS servers and the Alteon Web switch. It is UDP-based and uses ports 3121, 1812, and 1645. Using TPCP, a static session entry is added or removed by t[...]

  • Page 160

    Using RADIUS Snooping
    RADIUS snooping allows the Alteon Web switch to examine RADIUS accounting packets for client information. This information is needed to add static session entries to, or delete them from, the session table of the switch so that it ca[...]

  • Page 161

    Preconfiguring WAP Server Load Balancing • Configure WAP server load balancing on Alteon AD4 and Alteon 184 platforms only. • Enable Virtual Matrix Architecture (VMA). • Disable DAM (Direct Access Mode). • Disable pbind and enable udp under [...]

  • Page 162

    • If a session entry for a client cannot be added because of resource constraints, the subsequent WAP packets for that client will not be load balanced correctly; and the client will need to drop the connection and then reconnect to his wireles[...]

  • Page 163

    Intrusion Detection System Server Load Balancing Intrusion Detection System (IDS) is a type of security management system for computers and networks. An Intrusion Detection System gathers and analyzes information from various areas within a [...]

  • Page 164

    Load Balancing Metrics for IDS The following metrics are supported in IDS load balancing: • minmisses • roundrobin Disable delayed binding if you select this metric. • hash To select a real server, Web OS allows you to implement the hash metric[...]

  • Page 165

    2. Create a group and add IDS servers to the group. Each IDS server must be connected directly to a different switch port or VLAN. If the IDS group will be configured for link health check, match the IDS server number to the physical port num[...]

  • Page 166

    WAN Link Load Balancing Wide Area Networking (WAN) is a telecommunications network system spread across a broad geographic area. A WAN may be privately owned or rented, but the term usually means the inclusion of public (shared user) n[...]

  • Page 167

    To configure the switch for WAN link load balancing: 1. Define a real server with proxy disabled. 2. Add the real server to a real server group using the response metric. 3. Define the WAN link load balancing redirection filter. 4. Enable WAN [...]

  • Page 168

    Web OS 10.0 Application Guide 168 Chapter 6: Server Load Balancing 212777-A, February 2002[...]

  • Page 169

    CHAPTER 7 Filtering This chapter provides a conceptual overview of filters and includes configuration examples showing how filters can be used for network security and Network Address Translation (NAT). The following topics are discussed in this chapter: • “Overview” on page 170. This section descr [...]

  • Page 170

    Overview Alteon Web switches are used to deliver content efficiently and secure your servers from unauthorized intrusion, probing, and Denial-of-Service (DoS) attacks. Web OS includes extensive filtering capabilities at the IP and TCP/UDP levels. Filteri[...]

  • Page 171

    • proto: protocol number or name as shown in Table 7-1 • sport: TCP/UDP application or source port as shown in Table 7-2, or source port range (such as 31000-33000) NOTE – The service number specified on the switch must match the service spec [...]

  • Page 172

    Stacking Filters Stacking filters are assigned and enabled on a per-port basis. Each filter can be used by itself or in combination with any other filter on any given switch port. The filters are numbered 1 through 2048 on Alteon 184 and Alteon AD4 Web switc[...]

  • Page 173

    The Default Filter Before filtering can be enabled on any given port, a default filter should be configured. This filter handles any traffic not covered by any other filter. All the criteria in the default filter must be set to the full range possible (any). For[...]

  • Page 174

    VLAN-based Filtering Filters are applied per switch, per port, or per VLAN. VLAN-based filtering allows a single Web switch to provide differentiated services for multiple customers, groups, or departments. For example, you can define separate filters for Cus[...]

  • Page 175

    Configuring VLAN-based Filtering 1. Configure filter 2 to allow local clients to browse the Web and then assign VLAN 20 to the filter. The filter must recognize and allow TCP traffic from VLAN 20 to reach the local client destination IP addresses [...]

  • Page 176

    3. Configure Filter 7 to deny traffic and then assign VLAN 70 to the filter. As a result, ingress traffic from VLAN 70 is denied entry to the switch. Optimizing Filter Performance Filter efficiency can be increased by placing filters that are used most often nea[...]

  • Page 177

    Example: A network administrator has noticed a significant number of ICMP frames on one portion of the network and wants to determine the specific sources of the ICMP messages. The administrator uses the Command Line Interface (CLI) to create and apply the fo[...]

  • Page 178

    IP Address Ranges You can specify a range of IP addresses for filtering both the source and/or destination IP address for traffic. When a range of IP addresses is needed, the source IP (sip) address or destination IP (dip) address defines the base IP addr[...]

  • Page 179

    TCP Rate Limiting Web OS 10.0 allows you to prevent a client or a group of clients from claiming all the TCP resources on the servers. This is done by monitoring the rate of incoming TCP connection requests to a virtual IP address and limiting the client r[...]

  • Page 180

    In Figure 7-5, the default filter 224 configured for Any is applied for all other connection requests. Figure 7-5 Configuring Clients with Different Rates Configuring TCP Rate Limiting Filters TCP rate limiting can be configured for all filter types (allow,[...]

  • Page 181

    3. Set the timewin parameter and calculate the total time window in seconds. The total time window is a multiple of fastage (for information on fastage, see the Configuration chapter in the Web OS 10.0 Command Reference). The total time window is calcu- [...]

  • Page 182

    TCP Rate Limiting Filter Based on Source IP Address This example shows how to define a filter that limits clients with IP address 30.30.30.x to 150 TCP connections per second. Once a user exceeds that limit, they are not allowed any new TCP connection[...]

  • Page 183

    TCP Rate Limiting Filter Based on Virtual Server IP Address This example defines a filter that limits clients to 100 TCP connections per second to a specific destination (VIP 10.10.10.100). Once a client exceeds that limit, the client is not allowed to mak[...]

  • Page 184

    All clients are limited to 100 new TCP connections/second to the server. If a client exceeds this rate, then the client is not allowed to make any new TCP connections to the server for 40 minutes. NOTE – All SLB sessions on the switch are affected when[...]

  • Page 185

    Filter-based Security This section provides an example of configuring filters for providing the best security. It is generally recommended that you configure filters to deny all traffic except for those services that you specifically wish to allow. Consider th[...]

  • Page 186

    Configuring a Filter-Based Security Solution Before you begin, you must be connected to the switch CLI as the administrator. In this example, all filters are applied only to the switch port that connects to the Internet. If intranet restrictions are requi[...]

  • Page 187

    3. Create a filter that will allow external HTTP requests to reach the Web server. The filter must recognize and allow TCP traffic with the Web server’s destination IP address and HTTP destination port: 4. Create a pair of filters to allow incom[...]

  • Page 188

    5. Create a filter that will allow local clients to browse the Web. The filter must recognize and allow TCP traffic to reach the local client destination IP addresses if traffic originates from any HTTP source port: 6. Create a filter that w[...]

  • Page 189

    For UDP: Similarly, for TCP: >> Filter 5# ../filt 6 (Select the menu for Filter 6) >> Filter 6# sip any (From any source IP address) >> Filter 6# dip 205.177.15.4 (To local DNS Server) >> Filter 6# dmask 255.255.255.255 (Set mask for ex[...]

  • Page 190

    8. Assign the filters to the switch port that connects to the Internet. Web OS allows you to add and remove a contiguous block of filters with a single command. 9. Apply and verify the configuration. Examine the resulting information. If any settings are i[...]

  • Page 191

    Network Address Translation Network Address Translation (NAT) is an Internet standard that enables an Alteon Web switch to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. Alteon Web switches use filters[...]

  • Page 192

    In this example, clients on the Internet require access to servers on the private network: Figure 7-8 Static Network Address Translation Configuring Static NAT >> # /cfg/slb/filt 10 (Select the menu for outbound filter) >> Filter 10# action na[...]

  • Page 193

    Note the following important points about this configuration: • Within each filter, the smask and dmask values are identical. • All parameters for both filters are identical except for the NAT direction. For Filter 10, nat source is used. For Filter 11, nat[...]

  • Page 194

    Configuring Dynamic NAT NOTE – The invert option in this example filter makes this specific configuration easier but is not a requirement for dynamic NAT. NOTE – Dynamic NAT solutions apply only to TCP/UDP traffic. Also, filters for dynamic NAT s[...]

  • Page 195

    FTP Client NAT Alteon Web switches provide NAT services to many clients with private IP addresses. In Web OS, an FTP enhancement provides the capability to perform true FTP NAT for dynamic NAT. Because of the way FTP works in active mode, a client sends [...]

  • Page 196

    Configuring Active FTP Client NAT NOTE – The passive mode does not need this feature. 1. Make sure that a proxy IP address is enabled on the filter port. 2. Make sure that a source NAT filter is set up for the port: 3. Enable active FTP NAT using the fol[...]

  • Page 197

    Matching TCP Flags Web OS supports packet filtering based on any of the following TCP flags. Any filter may be set to match against more than one TCP flag at the same time. If there is more than one flag enabled, the flags are applied with a logical AND opera[...]

  • Page 198

    In this network, the Web servers inside the LAN must be able to transfer mail to any SMTP-based mail server out on the Internet. At the same time, you want to prevent access to the LAN from the Internet, except for HTTP. SMTP traffic uses well-known TCP Port[...]

  • Page 199

    2. A filter that allows SMTP traffic from the Internet to pass through the switch only if the destination is one of the Web servers, and the frame is an acknowledgment (ACK) of a TCP session. 3. A filter that allows trusted HTTP traffic from the Internet to[...]

  • Page 200

    5. A default filter is required to deny all other traffic. 6. Apply the filters to the appropriate switch ports. >> Filter 17# ../filt 224 (Select a default filter) >> Filter 224# sip any (From any source IP address) >> Filter 224# dip any (T[...]

  • Page 201

    Matching ICMP Message Types Internet Control Message Protocol (ICMP) is used for reporting TCP/IP processing errors. There are numerous types of ICMP messages, as shown in Table 7-6. Although ICMP packets can be filtered using the proto icmp option, by default,[...]

  • Page 202

    The command to enable or disable ICMP message type filtering is entered from the Advanced Filtering menu as follows: For any given filter, only one ICMP message type can be set at any one time. The any option disables ICMP message type filtering. The list optio[...]

  • Page 203

    CHAPTER 8 Application Redirection Application Redirection improves network bandwidth and provides unique network solutions. Filters can be created to redirect traffic to cache and application servers improving speed of access to repeated client access to common Web or application content and freeing valuable [...]

  • Page 204

    Overview Most of the information downloaded from the Internet is not unique, as clients will often access the Web page many times for additional information or to explore other links. Duplicate information also gets requested as the components tha[...]

  • Page 205

    The network needs a solution that addresses the following key concerns: • The solution must be readily scalable • The administrator should not need to reconfigure all the clients’ browsers to use proxy servers. Figure 8-2 Network with Web Cach[...]

  • Page 206

    Web Cache Configuration Example The following is required prior to configuration: • You must connect to the Web switch Command Line Interface (CLI) as the administrator. • Optional Layer 4 software must be enabled. NOTE – For details [...]

  • Page 207

    2. Install transparent Web cache software on all three Web cache servers. 3. Define an IP interface on the Web switch. Since, by default, the Web switch only remaps destination MAC addresses, it must have an IP interface on the same subnet as[...]

  • Page 208

    6. Set the real server group metric to minmisses. This setting helps minimize Web cache misses in the event real servers fail or are taken out of service: 7. Verify that server processing is disabled on the ports supporting application redire[...]

  • Page 209

    9. Create a default filter. In this case, the default filter will allow all noncached traffic to proceed normally: NOTE – When the proto parameter is not tcp or udp, then sport and dport are ignored. 10. Assign the filters to the client port[...]

  • Page 210

    13. Save your new configuration changes. 14. Check the SLB information. Check that all SLB parameters are working according to expectation. If necessary, make any appropriate configuration changes and then check the information again. NOTE ?[...]

  • Page 211

    RTSP Web Cache Redirection Web OS 10.0 supports Web Cache Redirection (WCR) for Real Time Streaming Protocol (RTSP). RTSP WCR is similar to HTTP WCR in configuration and in concept. Multimedia presentations consume a lot of Internet band[...]

  • Page 212

    3. Configure an RTSP redirection filter to cache data and balance the load among the cache servers. 4. Configure a default allow filter to facilitate traffic. 5. Turn on filtering on the port and add filters to the port to support basic WCR. 6. [...]

  • Page 213

    IP Proxy Addresses for NAT Transparent proxies provide the benefits listed below when used with application redirection. Application redirection is automatically enabled when a filter with the redir action is applied on a port. • With proxies [...]

  • Page 214

    The following commands can be used to configure the additional unique proxy IP addresses: NOTE – Port 9 does not require a proxy IP address with VMA enabled. See the Web OS Command Reference for more information (/cfg/slb/adv/matrix [...]

  • Page 215

    Excluding Noncacheable Sites Some Web sites provide content that is not well suited for redirection to cache servers. Such sites might provide browser-based games or applications that keep real-time session information or authenticate by clien[...]

  • Page 216

    Web OS 10.0 Application Guide 216 Chapter 8: Application Redirection 212777-A, February 2002[...]

  • Page 217

    CHAPTER 9 Virtual Matrix Architecture Virtual Matrix Architecture (VMA) is a hybrid architecture that takes full advantage of the distributed processing capability in Alteon Web switches. With VMA, the switch makes optimal use of system resources by distributing the workload to multiple processors, [...]

  • Page 218

    Frames ingressing a port that has been configured with a proxy IP address and the proxy option enabled (/cfg/slb/port x/proxy ena) can be processed using a proxy IP address by any switch port. The client source address is substituted wi[...]

  • Page 219

    CHAPTER 10 Health Checking Content intelligent Web switches allow Web masters to customize server health checks to verify content accessibility in large Web sites. As the amount of content grows and information is distributed across different server farms, flexible, customizable content health checks are c[...]

  • Page 220

    “FTP Server Health Checks” on page 234. This section describes how the File Transfer Protocol (FTP) server is used to perform health checks and explains how to configure the switch to perform FTP health checks. “POP3 Server Health Checks [...]

  • Page 221

    Real Server Health Checks Alteon Web switches running Server Load Balancing (SLB) monitor the servers in the real server group and the load-balanced application(s) running on them. If a switch detects that a server or application has failed, it [...]

  • Page 222

    DSR Health Checks Direct Server Return (DSR) health checks are used to verify the existence of a server-provided service where the server replies directly back to the client without responding through the virtual server IP address. In this configur[...]

  • Page 223

    Link Health Checks Link health check is performed at the Layer 1 (physical) level. The server is considered to be up when the link (connection) is present and the server is considered to be down when the link is absent. These checks are used on serve[...]

  • Page 224

    TCP Health Checks TCP health checks are useful in verifying user-specific TCP applications that cannot be scripted. Session switches monitor the health of servers and applications by sending Layer 4 connection requests (TCP SYN packets) for each loa[...]

  • Page 225

    Script-Based Health Checks The “send/expect” script-based health checks dynamically verify application and content availability using scripts. These scripts execute a sequence of tests to verify application and content availability. Configuring [...]

  • Page 226

    Script Format The general format for health-check scripts is shown below: NOTE – If you are doing HTTP 1.1 pipelining, you need to individually open and close each response in the script. • Each script should start with the command open port <[...]

  • Page 227

    Scripting Guidelines • Use generic result codes that are standard and defined by the RFC, as applicable. This helps ensure that if the customer changes server software, the servers won’t start failing unexpectedly. • Search only for the smallest and[...]

  • Page 228

    Script Example 2: GSLB URL Health Check In earlier Web OS releases, each remote Global Server Load Balancing site’s virtual server IP address was required to be a real server of the local switch. Each switch sends a health check request to the[...]

  • Page 229

    Script-based health checking is intelligent in that it will only send the appropriate requests to the relevant servers. In the example above, the first GET statement will only be sent to Real Server 1 and Real Server 2. Going through the health-check state[...]

  • Page 230

    Application-Specific Health Checks Application-specific health checks include the following applications: • “HTTP Health Checks” on page 231 • “UDP-Based DNS Health Checks” on page 233 • “FTP Server Health Checks” on page 234 • “POP[...]

  • Page 231

    HTTP Health Checks HTTP-based health checks can include the hostname for HOST: headers. The HOST: header and health check URL are constructed from the following components: If the HOST: header is required, an HTTP/1.1 GET will occur. Otherwise, an HTTP/[...]

  • Page 232

    Health check is performed using: GET /index.html HTTP/1.1 Host: jansus Example 4: hname = (none) dname = (none) content = index.html Health check is performed using: GET /index.html HTTP/1.0 (since no HTTP HOST: header is required) Example 5: hname = ([...]

  • Page 233

    UDP-Based DNS Health Checks Web OS 10.0 supports UDP-based health checks along with TCP health checks, and performs load-balancing based on TCP and UDP protocols. DNS servers can be based on both TCP and UDP protocols. With UDP-based DNS health checks[...]

  • Page 234

    FTP Server Health Checks The Internet File Transfer Protocol (FTP) provides facilities for transferring files to and from remote computer systems. Usually the user transferring a file needs authority to login and access files on the remote system. Th[...]

  • Page 235

    POP3 Server Health Checks The Post Office Protocol - Version 3 (POP3) is intended to permit a workstation to dynamically access a maildrop on a server host. The POP3 protocol is used to allow a workstation to retrieve mail that the server is holdin [...]

  • Page 236

    SMTP Server Health Checks Simple Mail Transfer Protocol is a protocol to transfer e-mail messages between servers reliably and efficiently. This protocol traditionally operates over TCP, port 25 and is documented in RFC 821. Most e-mail systems t[...]

  • Page 237

    IMAP Server Health Checks Internet Message Access Protocol (IMAP) is a mail server protocol used between a client system and a mail server that allows a user to retrieve and manipulate mail messages. IMAP is not used for mail transfers between mail se[...]

  • Page 238

    NNTP Server Health Checks Net News Transfer Protocol (NNTP) is a TCP/IP protocol based upon text strings sent bidirectionally over 7 bit ASCII TCP channels, and listens to port 119. It is used to transfer articles between servers as well as to r[...]

  • Page 239

    RADIUS Server Health Checks The Remote Authentication Dial-In User Service (RADIUS) protocol is used to authenticate dial-up users to Remote Access Servers (RASs) and the client application they will use during the dial-up connection. • RADIUS Content He[...]

  • Page 240

    Configuring the Switch for RADIUS Secret and Password RADIUS is stateless and uses UDP as its transport protocol. To support RADIUS health checking, the network administrator must configure two parameters on the switch: • the /cfg/slb/secret value • t[...]

  • Page 241

    WSP Content Health Checks Wireless Session Protocol content health checks can be configured in two modes: connectionless and connection-oriented. Connectionless WSP runs on UDP/IP protocol, port 9200. Therefore, Alteon Web switches can be used to[...]

  • Page 242

    4. Enter the WSP port. 5. Set the offset value. 6. Because WAP gateways are UDP-based and operate on a UDP port, configure UDP service in the virtual server menu. 7. Enable WSP health checks for group 1. 8. Apply and save the configuration. WTLS H [...]

  • Page 243

    Configuring the Switch for WTLS Health Checks 1. Select the group with the WAP gateway. 2. Use the sndcnt command to enter the content to be sent to the WSP gateway. 3. Select a port number other than 9203, if you want to change the port number o[...]

  • Page 244

    Configuring the Switch for LDAP Health Checks Configure the switch to verify if the LDAP server is alive. 1. Select the health check menu for the real server group. 2. Set the health check type to LDAP for the real server group. 3. Apply and save your [...]

  • Page 245

    ARP Health Checks Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP als[...]

  • Page 246

    Failure Types Service Failure If a certain number of connection requests for a particular service fail, the session switch places the service into the service failed state. While in this state, no new connection requests are sent to the server for th[...]

  • Page 247

    CHAPTER 11 High Availability Alteon Web switches support high-availability network topologies through an enhanced implementation of the Virtual Router Redundancy Protocol (VRRP). The following topics are discussed in this chapter: • “VRRP Overview” on page 248. This section discusses VRRP operati[...]

  • Page 248

    VRRP Overview
    In a high-availability network topology, no device can create a single point-of-failure for the network or force a single point-of-failure to any other part of the network. This means that your network will remain in service despite t[...]

  • Page 249

    Virtual Router MAC Address
    The VRID is used to build the virtual router MAC Address. The five highest-order octets of the virtual router MAC Address are the standard MAC prefix (00-00-5E-00-01) defined in RFC 2338. The VRID is used to form the [...]

  • Page 250

    The Alteon Web switches in Figure 11-1 have been configured as VRRP routers. Together, they form a virtual interface router (VIR).
    Figure 11-1 Example 1: VRRP Router
    Web switch 1 in Figure 11-1 has its real interface configured with the IP a[...]

  • Page 251

    VRRP Operation
    The host shown in Figure 11-1 is configured with the virtual interface router’s IP address as its default gateway. The master forwards packets destined to remote subnets and responds to ARP requests. In this example, the master [...]

  • Page 252

    Active-Standby Failover
    The previous text described the use of a group of VRRP routers to form a single virtual interface router. It implements a traditional hot-standby configuration in which the backup router only functions when the activ[...]

  • Page 253

    Failover Methods
    With service availability becoming a major concern on the Internet, service providers are increasingly deploying Internet traffic control devices, such as Web switches, in redundant configurations. Traditionally, these configurat[...]

  • Page 254

    Active-Standby Redundancy
    In an active-standby configuration, shown in Figure 11-4, two Web switches are used. Both switches support active traffic but are configured so that they do not simultaneously support the same service. Each switch is ac[...]

  • Page 255

    Active-Active Redundancy
    In an active-active configuration, two Web switches provide redundancy for each other, with both active at the same time for the same services. Web OS has extended VRRP to include virtual servers, allowing full active/active[...]

  • Page 256

    Hot-Standby Redundancy
    In a hot-standby configuration, Spanning Tree Protocol (STP) is not needed to eliminate bridge loops. This speeds up failover when a switch fails. The standby switch blocks all ports configured as standby ports, whereas the m[...]

  • Page 257

    Virtual Router Group
    The virtual router group ties all of the virtual routers together as a single entity and is central to the hot-standby configuration. All virtual routers on a given switch must all be either master or backup. They cannot fa[...]

  • Page 258

    When the hotstan option (/cfg/slb/port x/hotstan) is enabled and all hot-standby ports have link, the virtual router group's priority is automatically incremented by the “track other virtual routers” value. This action[...]

  • Page 259

    Web OS Extensions to VRRP
    This section describes the following VRRP enhancements that are implemented in Web OS:
      • Virtual Server Routers
      • Sharing/Active-Active Failover
      • Tracking VRRP Router Priority
    Virtual Server Routers
    Web OS support[...]

  • Page 260

    Sharing/Active-Active Failover
    Web OS supports sharing of interfaces at both Layer 3 and Layer 4, as shown in Figure 11-7. With sharing, an IP interface or a VIP address can be active simultaneously on multiple switches, enabling acti[...]

  • Page 261

    When sharing is enabled, the master election process still occurs. Although the process does not affect which switch processes packets that must be routed or that are destined for the virtual server IP address, it does determine which switch sends[...]

  • Page 262

    Each tracked parameter has a user-configurable weight associated with it. As the count associated with each tracked item increases (or decreases), so does the VRRP router’s priority, subject to the weighting associated with each tracked ite[...]

  • Page 263

    High Availability Configurations
    Alteon Web switches offer flexibility in implementing redundant configurations. This section discusses a few of the more useful and easily deployed configurations:
      • “Active-Standby Virtual Server Router Confi[...]

  • Page 264

    To implement the active-standby example, perform the following switch configuration:
    1. Configure the appropriate Layer 2 and Layer 3 parameters on both switches. This includes any required VLANs, IP interfaces, default gateways, and so on. If IP int[...]

  • Page 265

    Active-Active VIR and VSR Configuration
    In Figure 11-9, two Alteon Web switches are used as VRRP routers in an active-active configuration implementing a virtual server router. As noted earlier, this is the preferred redundant configuration.
    Figu[...]

  • Page 266

    To implement this example, configure the switches as follows:
    1. Configure the appropriate Layer 2 and Layer 3 parameters on both switches. This configuration includes any required VLANs, IP interfaces, default gateways, and so on. If IP interfaces are [...]

  • Page 267

    Active/Active Server Load Balancing Configuration
    In this example, you set up four virtual servers each load balancing two servers providing one service (for example, HTTP) per virtual server. You are load balancing HTTP, HTTPS, POP3, SMTP, and FTP[...]

  • Page 268

    2. Define the VLANs. In this configuration, set up two VLANs: one for the outside world (the ports connected to the upstream switches, toward the routers) and one for the inside (the ports connected to the downstream switches, toward the se[...]

  • Page 269

    Task 2: SLB Configuration
    1. Define the Real Servers. The real server IP addresses are defined and put into four groups, depending on the service they are running. Notice that RIPs 7 and 8 are on routable subnets in order to support passive FTP[...]

  • Page 270

    3. Define the virtual servers. After defining the virtual server IP addresses and associating them with a real server group number, you must tell the switch which IP ports/services/sockets you want to load balance on each VIP. You can specify the s[...]

  • Page 271

    Task 3: Virtual Router Redundancy Configuration
    1. Configure virtual routers 2, 4, 6, and 8. These virtual routers will have the same IP addresses as the virtual server IP address. This is what tells the switch that these are virtual service routers [...]

  • Page 272

    3. Set the renter priority for each virtual router. Since you want Switch 1 to be the master router, you need to bump the default virtual router priorities (which are 100 to 101 on virtual routers 1-4) to force switch 1 to be the master for these v[...]

  • Page 273

    Task 4: Configuring Switch 2
    Use the following procedure to dump the configuration script (text dump) out of Switch 1:
      • Using the Browser Based Interface (BBI)
        (a) You need a serial cable that is a DB-9 Male to DB-9 Female, straight-through (not [...]

  • Page 274

    3. Scroll to the bottom of the text file and delete anything past “Script End.”
    4. Save the changes to the text file as “Customer Name” Switch 2.
    Move your serial cable to the console port on the second switch. Any configuration [...]

  • Page 275

    VRRP-Based Hot-Standby Configuration
    A hot-standby configuration allows all processes to failover to a backup switch if any type of failure should occur. The primary application for hot-standby redundancy is to avoid bridging loops when usi[...]

  • Page 276

    By reducing complexity to a single subnet and not requiring routing (L3), hot-standby can be used. The key to hot-standby is that the interswitch link (the link between switches), does NOT participate in STP, so there are no loops in the top[...]

  • Page 277

    Virtual Router Deployment Considerations
    Review the following issues described in this section to prevent network problems when deploying virtual routers:
      • Mixing Active-Standby and Active-Active Virtual Routers
      • Synchronizing Active/Active [...]

  • Page 278

    Eliminating Loops with STP and VLANs
    VRRP active/active failover is significantly different from the hot-standby failover method supported in previous releases. As shown in Figure 11-11, active-active configurations can introduce loops into comp[...]

  • Page 279

    Using Spanning Tree Protocol to Eliminate Loops
    VRRP generally requires Spanning Tree Protocol (STP) to be enabled in order to resolve bridge loops that usually occur in cross-redundant topologies, as shown in Figure 11-12. In this[...]

  • Page 280

    Assigning VRRP Virtual Router ID
    During the software upgrade process, VRRP virtual router IDs will be automatically assigned if failover is enabled on the switch. When configuring virtual routers at any point after upgrade, virtual router ID numbe[...]

  • Page 281

    If one server attached to Web switch 1 fails, then Web switch 1’s priority will be reduced by 6 to 123. Since 123 is greater than 120 (Web switch 2’s priority), Web switch 1 will remain the master. If a second server attached to Web[...]

  • Page 282

    Synchronizing Configurations
    As noted above, each VRRP-capable switch is autonomous. Switches in a virtual router need not be identically configured. As a result, configurations cannot be synchronized automatically. For user convenience, it[...]

  • Page 283

    Stateful Failover of Layer 4 and Layer 7 Persistent Sessions
    Web OS provides stateful failover of content-intelligent persistent session state and Layer 7 persistent session state. This includes the following:
      • SSL session state
      • HTTP cookie sta[...]

  • Page 284

    What Happens When a Switch Fails
    Assume that the user performing an e-commerce transaction has selected a number of items and placed them in the shopping cart. The user has already established a persistent session on the top server in Figure 11-14[...]

  • Page 285

    Stateful Failover Configuration Example
    After the VRRP setup, perform the following additional steps to enable stateful failover on the switches.
    On the Master Switch
    1. Enable stateful failover.
    2. Set the update interval.
    On the Backup Sw[...]

  • Page 286

    Viewing Statistics on Persistent Port Sessions
    You can view statistics on persistent port sessions using the /stats/slb/ssl command. To determine which switch is the master and which is the backup, use the /info/vrrp command. If the switch is [...]

  • Page 287

    Part 3: Advanced Web Switching
    Web OS can parse requests and classify flows using URLs, host tags, and cookies so that each request can be isolated and treated intelligently. This section describes the following advanced Web switching applications:
      • Global Server Load Balancing
      • Firewall Load Bal[...]

  • Page 288

    Web OS 10.0 Application Guide, page 288, Advanced Web Switching, 212777-A, February 2002[...]

  • Page 289

    Chapter 12: Global Server Load Balancing
    This chapter provides information for configuring Global Server Load Balancing (GSLB) across multiple geographic sites. The following topics are covered:
      • “GSLB Overview” on page 290
      • “Configuring GSLB” on page 293
      • “IP Proxy for Non-HTTP Redirects [...]

  • Page 290

    GSLB Overview
    GSLB allows balancing server traffic load across multiple physical sites. The Alteon GSLB implementation takes into account an individual site’s health, response time, and geographic location to smoothly integrate the [...]

  • Page 291

    How GSLB Works
    GSLB is based on the Domain Name System (DNS) and proximity by source IP address. In the example in Figure 12-1, a client is using a browser to view the Web site for the Foo Corporation at “www.foocorp.com.” [...]

  • Page 292

    4. The California Web switch responds to the DNS request, listing the IP address with the current best service. Each switch with GSLB software is capable of responding to the client’s name resolution request. Since each switch regular[...]

  • Page 293

    Configuring GSLB
    Configuring GSLB is simply an extension of the configuration procedure for SLB. The process is summarized as follows:
      • Use the administrator login to connect to the switch you want to configure.
      • Activate SLB and GS[...]

  • Page 294

    Example GSLB Topology
    Consider the following example network:
    Figure 12-2 GSLB Topology Example
    In the following examples, many of the options are left to their default values. See “Additional Server Load Balancing Options” on page[...]

  • Page 295

    Task 1: Configure the Basics at the California Site
    1. If the Browser-Based Interface (BBI) is to be used for managing the California switch, change its service port. GSLB uses service port 80 on the IP interface for DSSP updates. By [...]

  • Page 296

    Task 2: Configure the California Switch for Standard SLB
    1. Assign an IP address to each of the real servers in the local California server pool. The real servers in any real server group must have an IP route to the switch that w[...]

  • Page 297

    4. On the California switch, define a virtual server. All client requests will be addressed to a virtual server IP address defined on the switch. Clients acquire the virtual server IP address through normal DNS resolution. HTTP uses [...]

  • Page 298

    Task 3: Configure the California Site for GSLB
    1. On the California switch, define each remote site. When you start configuring at the California site, California is local and Denver is remote. Add and enable the remote switch’ [...]

  • Page 299

    3. On the California switch, define the domain name and host name for each service hosted on each virtual server. In this example, the domain name for the Foo Corporation is “foocorp.com,” and the host name for the only service (HTTP[...]

  • Page 300

    2. On the Denver switch, define an IP interface.
    3. On the Denver switch, define the default gateway.
    4. Configure the local DNS server to recognize the local GSLB switch as the authoritative name server for the hosted services. The Denver[...]

  • Page 301

    3. On the Denver switch, define a real server group.
    4. On the Denver switch, define a virtual server.
    5. On the Denver switch, define the type of Layer 4 processing each port must support. In this example, the following ports are being u[...]

  • Page 302

    Task 6: Configure the Denver Site for GSLB
    Following the same procedure described for California (see “Task 3: Configure the California Site for GSLB” on page 298), configure the Denver site as follows:
    1. On the Denver swit[...]

  • Page 303

    For example:
    NOTE – Take care to note where each configured value originates or this step can result in improper configuration.
    3. On the Denver switch, define the domain name and host name for each service hosted on each virtual [...]

  • Page 304

    IP Proxy for Non-HTTP Redirects
    Typically, client requests for HTTP applications are automatically redirected to the location with the best response and least load for the requested content. This is because the[...]

  • Page 305

    Table 12-5 explains the packet-flow process in detail. In this example, the initial DNS request from the client reaches Site 2, but Site 2 has no available services.
    How IP Proxy Works
    Figure 12-4 shows examples of two GSLB sites depl[...]

  • Page 306

    The following procedure explains the three-way handshake between the two sites and the client for a non-HTTP application (POP3). When POP3 processes at Site 1 terminate because of operator error, the following events occur to allow POP[...]

  • Page 307

    Configuring Proxy IP Addresses
    Refer to the example starting on page 294 and Figure 12-4, the switch at Site 1 in California is configured with switch port 6 connecting to the default gateway and real server 3 represents the remote server[...]

  • Page 308

    Verifying GSLB Operation
      • Use your browser to request the configured service (www.foocorp.com in the previous example).
      • Examine the /info/slb information on each switch.
      • Check to see that all SLB parameters are working accordin[...]

  • Page 309

    Figure 12-5 illustrates GSLB proximity tables. The client sends a request to the DNS server, which is forwarded to the master switch. The master switch looks through its proximity table and returns the request to the DNS server with the vi[...]

  • Page 310

    Client A, with a source IP address of 205.178.13.10, initiates a request that is sent to the local DNS server. The local DNS server is configured to forward requests to the DNS server at Site 4. The Web switch at Site 4 looks up its pr[...]

  • Page 311

    Use the following commands to configure a proximity table on the Web switch at Site 4:
    NOTE – For each client subnet, add only one static entry.
    Using this configuration, the DNS request “nortelnetworks.com” from 205.178.13.0 [...]

  • Page 312

    Using Border Gateway Protocol for GSLB
    Border Gateway Protocol (BGP)-based GSLB utilizes the Internet’s routing protocols to localize content delivery to the most efficient and consistent site. It does so by using a shared IP blo[...]

  • Page 313

    Chapter 13: Firewall Load Balancing
    Firewall Load Balancing (FWLB) with Alteon Web switches allows multiple active firewalls to operate in parallel. Parallel operation allows users to maximize firewall productivity, scale firewall performance without forklift upgrades, and eliminate the firewall as a single p[...]

  • Page 314

    Firewall Overview
    Firewall devices have become indispensable for protecting network resources from unauthorized access. Prior to FWLB, however, firewalls could become critical bottlenecks or single points-of-failure for your network. A[...]

  • Page 315

    Alteon Web switches support the following methods of FWLB:
      • Basic FWLB for simple networks
        This method uses a combination of static routes and redirection filters and is usually employed in smaller networks. A Web switch filter on the [...]

  • Page 316

    Basic FWLB
    The basic FWLB method uses a combination of static routes and redirection filters to allow multiple active firewalls to operate in parallel. Figure 13-2 shows a basic FWLB topology:
    Figure 13-2 Basic FWLB Topology
    The firewalls be[...]

  • Page 317

    Basic FWLB Implementation
    In this example, traffic is load balanced among the available firewalls.
    Figure 13-3 Basic FWLB Process
    1. The client requests data. The external clients intend to connect to services at the publicly advertised IP addre[...]

  • Page 318

    4. The firewalls decide if they should allow the packets and, if so, forward them to a virtual server on the clean-side Web switch. Client requests are forwarded or discarded according to rules configured for each firewall.
    NOTE – Rule set[...]

  • Page 319

    Configuring Basic FWLB
    The steps for configuring basic FWLB are provided below. While two or four switches can be used, the following procedure assumes a simple network topology with only two Web switches (one on each side of the firewalls) [...]

  • Page 320

    3. Configure the clean-side IP interface as if they were real servers on the dirty side. Later in this procedure, you’ll configure one clean-side IP interface on a different subnet for each firewall path being load balanced. On the dirty-si[...]

  • Page 321

    8. Create a filter to allow local subnet traffic on the dirty side of the firewalls to reach the firewall interfaces.
    9. Create the FWLB redirection filter. This filter will redirect inbound traffic, load balancing it among the defined real serv[...]

  • Page 322

    Configure the Clean-Side Web Switch
    1. Define the clean-side IP interfaces. Create one clean-side IP interface on a different subnet for each firewall being load balanced.
    NOTE – An extra IP interface (IF 1) prevents server-to-server traff[...]

  • Page 323

    4. Set the health check type for the real server group to ICMP.
    5. Set the load-balancing metric for the real server group to hash.
    NOTE – The clean-side Web switch must use the same metric as defined on the dirty side.
    6. Enable server load [...]

  • Page 324

    10. Place the real servers into a real server group.
    11. Configure ports 4 and 5, which are connected to the real servers, for server processing.
    12. Enable server load balancing on the switch.
    13. Create a filter to prevent server-to-server[...]

  • Page 325

    15. Add the filters to the ingress ports for the outbound packets. Redirection filters are needed on all the ingress ports on the clean-side Web switch. Ingress ports are any that attach to real servers or internal clients on the clean-side of th[...]

  • Page 326

    Four-Subnet FWLB
    The four-subnet FWLB method is often deployed in large networks that require high-availability solutions. This method uses filtering, static routing, and Virtual Router Redundancy Protocol (VRRP) to provide[...]

  • Page 327

    As shown in Figure 13-5, the network is divided into four sections:
      • Subnet 1 includes all equipment between the exterior routers and dirty-side Web switches.
      • Subnet 2 includes the dirty-side Web switches with their interswitch link, and [...]

  • Page 328

    1. Incoming traffic converges on the primary dirty-side Web switch. External traffic arrives through redundant routers. A set of interconnected switches ensures that both routers have a path to each dirty-side Web switch. VRRP is configured [...]

  • Page 329

    Configuring Four-Subnet FWLB
    An example network for four-subnet FWLB is illustrated in Figure 13-7. While other complex topologies are possible, this example assumes a high-availability network using block (rather than diagonal) interconnecti[...]

  • Page 330

    Configure the Routers
    The routers must be configured with a static route to the destination services being accessed by the external clients. In this example, the external clients intend to connect to services at a publicly advertised IP address o[...]

  • Page 331

    Configure Connectivity for the Primary Dirty-Side Web Switch
    1. Configure VLANs on the primary dirty-side Web switch. Two VLANs are required. VLAN 1 includes port 1, for the Internet connection. VLAN 2 includes port 2, for the firewall conne[...]

  • Page 332

    4. Configure static routes on the primary dirty-side Web switch. Four static routes are required:
      • To primary clean-side IF 2 via Firewall 1 using dirty-side IF 2
      • To primary clean-side IF 3 via Firewall 2 using dirty-side IF 3
      • T [...]

  • Page 333

    Configure Connectivity for the Secondary Dirty-Side Web Switch
    Except for the IP interfaces, this configuration is identical to the primary dirty-side Web switch.
    1. Configure VLANs on the secondary dirty-side Web switch.
    2. [...]

  • Page 334

    Configure Connectivity for the Primary Clean-Side Web Switch 1. Configure VLANs on the primary clean-side Web switch. Two VLANs are required. VLAN 3 includes the firewall port and interswitch connection port. VLAN 4 includes the port [...]

  • Page 335

    4. Configure static routes on the primary clean-side Web switch. Four static routes are needed: • To primary dirty-side IF 2 via Firewall 1 using clean-side IF 2 • To primary dirty-side IF 3 via Firewall 2 using clean-side IF 3 • To secondary [...]

  • Page 336

    2. Configure IP interfaces on the secondary clean-side Web switch. 3. Turn STP off for the secondary clean-side Web switch. 4. Configure static routes on the secondary clean-side Web switch. 5. Apply and save your changes. >> # /cfg/ip[...]

  • Page 337

    Verify Proper Connectivity To verify proper configuration up to this point, use the ping option to test network connectivity. At each Web switch, you should receive a valid response when pinging the destination addresses established in [...]

  • Page 338

    Complete the Configuration of the Primary Dirty-Side Web Switch 1. Create an FWLB real server group on the primary dirty-side Web switch. A real server group is used as the target for the FWLB redirection filter. Each IP address that is ass[...]

  • Page 339

    2. Create the FWLB filters. Three filters are required on the port attaching to the routers: • Filter 10 prevents local traffic from being redirected. • Filter 20 prevents VRRP traffic (and other multicast traffic on the reserved 224.0.0.0/24 n[...]

  • Page 340

    3. Configure VRRP on the primary dirty-side Web switch. VRRP in this example requires two virtual routers – one for the subnet attached to the routers, and one for the subnet attached to the firewalls. 4. Configure the VRRP peer on the primar[...]

  • Page 341

    Complete the Configuration of the Primary Clean-Side Web Switch 1. Create an FWLB real server group on the primary clean-side Web switch. A real server group is used as the target for the FWLB redirection filter. Each IP address assigned to the[...]

  • Page 342

    2. Create an SLB real server group on the primary clean-side Web switch, to which traffic will be load-balanced. The external clients intend to connect to HTTP services at a publicly advertised IP address. The servers on this network are load [...]

  • Page 343

    3. Create the FWLB filters on the primary clean-side Web switch. Three filters are required on the port attaching to the real servers: • Filter 10 prevents local traffic from being redirected. • Filter 20 prevents VRRP traffic from being redirecte[...]

  • Page 344

    4. Configure VRRP on the primary clean-side Web switch. VRRP in this example requires two virtual routers to be configured – one for the subnet attached to the real servers, and one for the subnet attached to the firewalls. A third virtua[...]

  • Page 345

    5. Configure the peer on the primary clean-side Web switch. 6. Apply and save your configuration changes. 7. Synchronize primary and secondary dirty-side Web switches. >> # /cfg/slb/sync >> # prios d >> # peer 1 >> [...]

  • Page 346

    Advanced FWLB Concepts Free-Metric FWLB Free-metric FWLB allows you to use load-balancing metrics other than hash, such as leastconns, roundrobin, minmiss, response, and bandwidth for more versatile FWLB. The free-metric method uses the Re[...]

  • Page 347

    3. On the dirty-side Web switch, set the FWLB metric. Any of the following load-balancing metrics can be used: hash, leastconns, roundrobin, minmiss, response, and bandwidth. See “Metrics for Real Server Groups” on page 131 for det[...]

  • Page 348

    To use free-metric FWLB in this network, the following configuration changes are necessary. 1. On the clean-side Web switches, enable RTS on the ports attached to the firewalls (port 3) and on the interswitch port (port 9). On both clean-side [...]

  • Page 349

    Adding a Demilitarized Zone (DMZ) Implementing a DMZ in conjunction with firewall load balancing enables the Web switch to do the traffic filtering, off-loading this task from the firewall. A DMZ is created by configuring FWLB with another real [...]

  • Page 350

    You could add the filters required for the DMZ (to each Web switch) as follows: 1. On the dirty-side Web switch, create the filter to allow HTTP traffic to reach the DMZ Web servers. In this example, the DMZ Web servers use IP addresses 20[...]

  • Page 351

    Firewall Health Checks Basic FWLB health checking is automatic. No special configuration is necessary unless you wish to tune the health checking parameters. See Chapter 10, “Health Checking” for details. Firewall Service Monitoring To m[...]

  • Page 352

    Using HTTP Health Checks For those firewalls that do not permit ICMP pings to pass through, Web switches can be configured to perform HTTP health checks, as described below. 1. Set the health check type to HTTP instead of ICMP [...]

  • Page 353

    CHAPTER 14 Virtual Private Network Load Balancing The VPN (Virtual Private Network) load balancing feature in Web OS 10.0 allows the switch to load balance simultaneously up to 255 VPN devices. The switch records from which VPN server a session was initiated and ensures that the traffic returns back to the sam[...]

  • Page 354

    Overview Virtual Private Networks A VPN is a connection that has the appearance and advantages of a dedicated link, but it occurs over a shared network. Using a technique called tunneling, data packets are transmitted across a[...]

  • Page 355

    Figure 14-1 Basic Network Frame Flow and Operation The basic steps that occur at the switches when a request arrives from the Internet are described below: 1. The user prepares to send traffic to the destination server. 2. The VP[...]

  • Page 356

    VPN Load-Balancing Configuration Requirements • Configure the switch with firewall load balancing. For more information, see “Firewall Load Balancing” on page 313. • Enable the Return to Sender (RTS) feature on the ports a[...]

  • Page 357

    Configure the First Clean-Side Switch (CA) 1. Turn off BOOTP. 2. Define and enable VLAN 2 for ports 7 and 8. 3. Turn off Spanning Tree Protocol (STP). 4. Define the clean-side IP interfaces. Create one clean-side IP inter[...]

  • Page 358

    One static route is required for each VPN device being load balanced. 6. Configure VRRP for virtual routers 1 and 2. >> # /cfg/ip/route >> IP Static Route# add 10.0.0.10 (Static route destination IP address) >[...]

  • Page 359

    7. Enable Server Load Balancing (SLB) on the first clean switch. 8. Configure real servers for health checking VPN devices. 9. Configure real server group 1, and add real servers 1, 2, 3, and 4 to the group. 10. Enable RTS on th[...]

  • Page 360

    Configure the Second Clean-Side Switch (CB) 1. Turn off bootp. 2. Define and enable VLAN 2 for ports 7 and 8. 3. Turn off Spanning Tree Protocol. 4. Define the clean-side IP interfaces. Create one clean-side IP interface [...]

  • Page 361

    6. Configure Virtual Router Redundancy Protocol (VRRP) for virtual routers 1 and 2. 7. Enable SLB. 8. Configure real servers for health checking VPN devices. 9. Enable the real server group. 10. Enable RTS on the necessary port[...]

  • Page 362

    11. Enable filter processing on the server ports so that the response from the real server will be looked up in VPN session table. 12. Apply and save the configuration, and reboot the switch. Configure the First Dirty-S[...]

  • Page 363

    6. Configure VRRP for virtual routers 1 and 2. 7. Enable SLB. 8. Configure real servers for health-checking VPN devices. 9. Enable the real server group. >> # /cfg/vrrp/on >> Virtual Router Redundancy Protocol# /cfg/vrr[...]

  • Page 364

    10. Configure the filters to allow local subnet traffic on the dirty side of the VPN device to reach the VPN device interfaces. 11. Create a filter to allow the management firewall (Policy Server) to reach the VPN firewall. 12[...]

  • Page 365

    Configure the Second Dirty-Side WebSwitch (DB) 1. Turn off BOOTP. 2. Define and enable VLAN 2 for ports 7 and 8. 3. Turn off STP. 4. Configure IP interfaces 1, 2, and 3. 5. Configure routes for each of the IP interfaces [...]

  • Page 366

    6. Configure VRRP for virtual routers 1 and 2. 7. Enable SLB. 8. Configure real servers for health checking VPN devices. 9. Enable the real server group, and place real servers 1-4 into the real server group. >> # /cfg/vr[...]

  • Page 367

    10. Configure the filters to allow local subnet traffic on the dirty side of the VPN device to reach the VPN device interfaces. 11. Create the redirection filter and enable firewall load balancing. This filter will redirect inbound[...]

  • Page 368

    Test Configurations and General Topology The switches should be able to health check each other, and all switches should see four real servers up. (Rules on the VPN devices permit this — see Figure 14-3 on page 368.) Figure[...]

  • Page 369

    Test the VPN 1. Launch the SecuRemote client on the dirty side of the network. 2. Add a new site. 3. Enter the policy server IP address: 192.168.10.120. You have the option of adding a nickname. 4. Launch a browser (such as Net[...]

  • Page 370

    7. You will see a message verifying that you were authenticated. 8. Browse to the Web site. If there are other services running on other servers in the internal network, you should also be able to reach those services. All of th[...]

  • Page 371

    CHAPTER 15 Content Intelligent Switching This chapter discusses advanced load balancing solutions utilizing Layer 7 content switching. Inspecting HTTP headers, examining content identifiers such as URLs and cookies, and parsing content requests are discussed in the following topics: • “Overview” on pag[...]

  • Page 372

    Overview Alteon Web switches perform content intelligent switching by processing numerous tasks for each incoming session, including connection setup, traffic parsing, applying server selection algorithms, splicing connections and tran[...]

  • Page 373

    Parsing Content Examining session content places heavier demands upon the Web switch than examining TCP/IP headers for the following reasons: • Content is non-deterministic. Content identifiers such as URLs and cookies can be of varyi[...]

  • Page 374

    HTTP Header Inspection Content intelligent switching is performed by inspecting HTTP headers. HTTP headers include additional information about requests and responses. The HTTP 1.1 specification defines a total of 46 headers. For Web Cac[...]

  • Page 375

    Content Intelligent Server Load Balancing Web OS allows you to load balance HTTP requests based on different HTTP header information, such as “Cookie:” header for persistent load balancing, “Host:” header for virtual host [...]

  • Page 376

    Figure 15-2 URL-Based Server Load Balancing Configuring URL-Based Server Load Balancing To configure URL-based SLB, perform the following steps: 1. Before you can configure URL-based load balancing, ensure that the s[...]

  • Page 377

    2. Define the string(s) to be used for URL load balancing. • add: Add string or a path. • rem: Remove string or a path. A default string “any” indicates that the particular server can handle all URL or Web-cache requests. Refer[...]

  • Page 378

    3. Apply and save your configuration changes. 4. Identify the defined string IDs. For easy configuration and identification, each defined string has an ID attached, as shown in the following example: Number of entries: six 5. Config[...]

  • Page 379

    7. Enable SLB on the switch. 8. Enable DAM on the switch or configure a proxy IP address on the client port. • To turn on DAM: • To turn off DAM and configure a proxy IP address on the client port: NOTE – By enabling DAM on the sw[...]

  • Page 380

    Virtual Hosting Web OS allows individuals and companies to have a presence on the Internet in the form of a dedicated Web site address. For example, you can have a “www.site-a.com” and “www.site-b.com” instead of “ww[...]

  • Page 381

    Virtual Hosting Configuration Overview The sequence of events for configuring virtual hosting based on HTTP Host: headers is described below: 1. The network administrator defines a domain name as part of the 128 supported URL strings. Bot[...]

  • Page 382

    Configuring the “Host” Header for Virtual Hosting To support virtual hosting, configure the switch for Host header-based load balancing with the following procedure: 1. Before you can configure header-based server load[...]

  • Page 383

    Cookie-Based Preferential Load Balancing Cookies can be used to provide preferential services for customers, ensuring that certain users are offered better access to resources than other users when site resources are scarce. For example, a[...]

  • Page 384

    Configuring Cookie-Based Preferential Load Balancing To configure cookie-based preferential load balancing, perform the following procedure. 1. Before you can configure header-based load balancing, ensure that the switch has alrea[...]

  • Page 385

    Example: • Real Server 1: “Gold” handles gold requests. • Real Server 2: “Silver” handles silver request. • Real Server 3: “Bronze” handles bronze request. • Real Server 4: “any” handles any request that does not[...]

  • Page 386

    Browser-Smart Load Balancing HTTP requests can be directed to different servers based on browser type by inspecting the “User-Agent” header. For example, GET /products/180/ HTTP/1.0 User-agent: Mozilla/3.0 Accept: text/html, ima[...]

  • Page 387

    URL Hashing for Server Load Balancing By default, hashing algorithms use the IP source address and/or IP destination address (depending on the application area) to determine content location. The default hashing algorithm for SLB is the IP[...]

  • Page 388

    To configure URL hashing, perform the following procedure: 1. Before you can configure URL hashing, ensure that the switch has already been configured for basic SLB with the following tasks: • Assign an IP address to each of the rea[...]

  • Page 389

    Header Hash Load Balancing Web OS allows you to hash on any selected HTTP header. To configure the Web switch for load balancing based on header hash, perform the following procedure: 1. Ensure that the switch has already been configur[...]

  • Page 390

    DNS Load Balancing The Internet name registry has become so large that a single server cannot keep track of all the entries. This is resolved by splitting the registry and saving it on different servers. If you have large DNS se[...]

  • Page 391

    To configure the switch for DNS load balancing, perform the following procedure: 1. Before you can configure DNS load balancing, ensure that the switch has already been configured for basic SLB with the following tasks: • Assign an IP a[...]

  • Page 392

    Number of entries: five 7. Add the defined string IDs to the real server using the following command: NOTE – If you don't add a defined string (or add the defined string “any”) the server will handle any request. La[...]

  • Page 393

    To configure RTSP load balancing using pattern matching, follow this procedure: 1. Add the URL string. • You can remove the URL string by performing the following: • You can rename the URL string by performing the following: 2. Assi[...]

  • Page 394

    Content Intelligent Web Cache Redirection Web OS allows you to redirect Web cache requests based on different HTTP header information, such as “Host:” header or “User-Agent” for browser-smart load balancing. For m[...]

  • Page 395

    URL-Based Web Cache Redirection URL parsing for Web Cache Redirection operates in a manner similar to URL-based server load balancing except that in WCR a virtual server on the switch is the target of all IP/HTTP requests. For in[...]

  • Page 396

    The switch is preconfigured with a list of 13 noncacheable items that you can add to, delete, or modify. These items are either known dynamic content file extensions or dynamic URL parameters, as described below: • Dynamic content files: Co[...]

  • Page 397

    Network Address Translation Options URL-based WCR supports three types of Network Address Translation (NAT): No NAT, Half NAT, and Full NAT. • No NAT In this NAT method, the traffic is redirected to the Web cache with the [...]

  • Page 398

    3. Configure the parameters and file extensions that bypass WCR. The switch is preconfigured with a list of 13 noncacheable items: • Dynamic content files: Common gateway interface files (.cgi), cold fusion files (.cfm), ASP files (.asp[...]

  • Page 399

    4. Define the string(s) to be used for Web cache SLB. Refer to the parameters listed below: • add: Add a string or a path. • rem: Remove string or a path. A default string “any” indicates that the particular server can handle all [...]

  • Page 400

    5. Apply and save your configuration changes. 6. Identify the defined string IDs. For easy configuration and identification, each defined string has an ID attached, as shown in the following example: Number of entries: six 7. Config[...]

  • Page 401

    9. Configure a filter to support basic WCR. The filter must be able to intercept all TCP traffic for the HTTP destination port and must redirect it to the proper port in the real server group: 10. Enable URL-based WCR on the same filter[...]

  • Page 402

    12. Create a default filter for noncached traffic on the switch. NOTE – When the proto parameter is not tcp or udp, then sport and dport are ignored. 13. Turn on filtering for the port. 14. Add the filters to the client port. 15. Enab[...]

  • Page 403

    HTTP Header-Based Web Cache Redirection To configure the switch for WCR based on the “Host:” header, use the following procedure: 1. Configure basic SLB. Before you can configure header-based cache redirection, ensure that the sw[...]

  • Page 404

    7. Configure the real server(s) to handle the appropriate load balance string(s). Add the defined string IDs to the real servers: where ID is the identification number of the defined string. NOTE – If you don’t add a defined strin[...]

  • Page 405

    Browser-Based Web Cache Redirection Browser-based Web cache redirection uses the User-agent: header. To configure browser-based WCR, perform the following procedure. 1. Before you can configure header-based WCR, ensure that [...]

  • Page 406

    7. Add the defined string IDs to configure the real server(s) to handle the appropriate load balance string(s). where ID is the identification number of the defined string. NOTE – If you don’t add a defined string (or add the ID 1 [...]

  • Page 407

    2. Turn on URL parsing for the filter. 3. Enable hash to direct a cacheable URL request to a specific cache server. By default, the host header field is used to calculate the hash key and URL hashing is disabled. • hash ena: Enables ha[...]

  • Page 408

    Figure 15-6 URL Hashing for WCR Example 2: Hashing on the Host Header Field Only In this example, URL hashing is disabled. If you use the Host header field to calculate the hash key, the same URL request goes to the same cache serv[...]

  • Page 409

    Layer 7 RTSP Streaming Cache Redirection This section explains Layer 7 support for RTSP Streaming Cache Redirection. For conceptual information on RTSP Streaming Cache Redirection, see “RTSP Web Cache Redirection” on page 211.[...]

  • Page 410

    Exclusionary String Matching for Real Servers URL-based SLB and WCR can match or exclude up to 128 strings. Examples of strings are as follows: • “/product,” matches URLs that start with /product. • “product,” matches [...]

  • Page 411

    For information on how to configure your network for server load balancing, see Chapter 6, “Server Load Balancing.” 2. Add the load balancing strings (for example test, /images, and /product) to the real server. 3. Apply and s[...]

  • Page 412

    Regular Expression Matching Regular expressions are used to describe patterns for string matching. They enable you to match the exact string, such as URLs, host names, or IP addresses. It is a powerful and effective way to expre [...]

  • Page 413

    • Size of the regular expression structure after compilation cannot exceed 43 bytes for load balancing strings and 23 bytes for Web Cache Redirection. The size of regular expression after compilation varies, based on regular expression c[...]

  • Page 414

    Content Precedence Lookup The Layer 7 Precedence Lookup feature in Web OS allows you to give precedence to one Layer 7 parameter over another and selectively decide which parameter should be analyzed first. The Content Precedence Lo[...]

  • Page 415

    Requirements • Enable Direct Access Mode (DAM), or configure proxy IP address if DAM is disabled. • Enable delayed binding. Using the or and and Operators Figure 15-7 shows a network with real servers 1 and 3 configured for URL SLB and [...]

  • Page 416

    Assigning Multiple Strings Figure 15-8 shows an example of a company providing content for two large customers: Customers A and B. Customer A uses www.a.com as their domain name, and Customer B uses www.b.com. The company has a limi[...]

  • Page 417

    When a client request is received with www.a.com in the Host Header and .jpg in the URL, the request will be load balanced between Server 1 and Server 2. To accomplish this configuration, you must assign multiple strings (a Host Header stri[...]

  • Page 418

    Configuring a Layer 7 Deny Filter 1. Before you can configure Layer 7 deny filter, ensure that the switch has already been configured for basic switch functions: • Assign an IP address to each of the real servers in the server poo[...]

  • Page 419

    7. Enable the Layer 7 deny option. 8. Assign the URL string ID from Step 4 to the filter. 9. Apply and save the configuration. 10. Apply the filter to the client port. If the incoming client requests are on port 3, then add the filte[...]

  • Page 421

    CHAPTER 16: Persistence

    The Web OS persistence feature ensures that all connections from a specific client session reach the same real server, even when Server Load Balancing (SLB) is used. The following topics are addressed in this chapter:
    - “Overview of Persistence” on page 422. This section gives an[...]

  • Page 422

    Overview of Persistence

    In a typical SLB environment, traffic comes from various client networks across the Internet to the virtual server IP address on the Web switch. The switch then load balances this traffic among the available real servers. In any a[...]

  • Page 423

    Using Cookies

    Cookies are strings passed via HTTP from servers to browsers. Based on the mode of operation, cookies are inserted by either the Web switch or the server. After a client receives a cookie, a server can poll that cookie with a GET comman [...]

  • Page 424

    Cookie-Based Persistence

    Cookies are a mechanism for maintaining state between clients and servers. When the server receives a client request, the server issues a cookie, or token, to the client, which the client then sends to the server on all subsequen[...]

  • Page 425

    The following topics discussing cookie-based persistence are detailed in this section:
    - “Permanent and Temporary Cookies” on page 425
    - “Cookie Formats” on page 425
    - “Cookie Properties” on page 426
    - “Client Browsers that Do Not A[...]

  • Page 426

    Cookie Properties

    Cookies are configured on the Web switch by defining the following properties:
    - Cookie names of up to 20 bytes
    - The offset of the cookie value within the cookie string

    For security, the real cookie value can be embedded somewhere w[...]

  • Page 427

    Cookie Modes of Operation

    Web OS supports the following modes of operation for cookie-based session persistence: insert, passive, and rewrite mode. The following table shows the differences among the modes:

    Each of the modes is explained in detail i[...]

  • Page 428

    Passive Cookie Mode

    In Passive Cookie mode, when the client first makes a request, the switch selects the server based on the load-balancing metric. The real server embeds a cookie in its response to the client. The switch records the cookie value and m[...]

  • Page 429

    Rewrite Cookie Mode

    In rewrite cookie mode, the Web switch generates the cookie value on behalf of the server, eliminating the need for the server to generate cookies for each client. Instead, the server is configured to return a special persistence cooki[...]

  • Page 430

    Configuring Cookie-Based Persistence

    1. Before you can configure cookie-based persistence, you need to configure the switch for basic SLB. This includes the following tasks:
    - Assign an IP address to each of the real servers in the server pool.
    - Define an [...]

  • Page 431

    4. Select the appropriate load-balancing metric for the real server group.
    - If embedding an IP address in the cookie, select roundrobin or leastconns as the metric.
    - If you are not embedding the IP address in the cookie, select hash as the metric in conju[...]

  • Page 432

    - Set multiple response count

    This parameter is set for passive mode only. Typically, the Web switch searches the first HTTP response packet from the server and, if a persistence cookie is found, sets up a persistent connection between the server an[...]

  • Page 433

    Example 1: Setting the Cookie Location

    In this example, the client request has two different cookies labeled “UID.” One exists in the HTTP header and the other appears in the URI:

    GET /product/switch/UID=12345678;ck=1234 ...
    Host: www.alteonwebsystems[...]

  • Page 434

    Example 2: Parsing the Cookie

    This example shows three configurations where the switch uses the hashing key or wild cards to determine which part of the cookie value should be used for determining the real server. For example, the value of the cookie i[...]

  • Page 435

    Example 4: Using Rewrite Cookie Mode

    - Rewrite server cookie with the encrypted real server IP address: In cookie rewrite mode, if the cookie length parameter is configured to be eight bytes, the switch will rewrite the placeholder cookie value with the encry[...]

  • Page 436

    Server-Side Multi-Response Cookie Search

    Cookie-based persistence requires the switch to search the HTTP response packet from the server and, if a persistence cookie is found, set up a persistence connection between the server and the client. The Alteon sw[...]

  • Page 437

    SSL Session ID-Based Persistence

    SSL is a set of protocols built on top of TCP/IP that allows an application server and client to communicate over an encrypted HTTP session, providing authentication, non-repudiation, and security. The SSL protocol handshake i[...]

  • Page 438

    Figure 16-5 illustrates persistence based on SSL session ID as follows:
    1. An SSL Hello handshake occurs between Client 1 and Server 1 via the Web switch.
    2. An SSL session ID is assigned to Client 1 by Server 1.
    3. The Web switch records the SSL sess[...]

  • Page 439

    Configuring SSL Session ID-Based Persistence

    To configure session ID-based persistence for a real server, perform the following steps:
    1. Configure real servers and services for basic SLB, as indicated below:
    - Define each real server and assign an IP [...]

  • Page 441

    CHAPTER 17: Bandwidth Management

    Bandwidth Management (BWM) enables Web site managers to allocate a certain portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical business traffic, such as e-commerce transactions, receive higher priority versus non[...]

  • Page 442

    Overview

    To manage bandwidth, create one or more bandwidth management contracts. The switch uses these contracts to limit individual traffic flows.

    Figure 17-1 Bandwidth Management: How It Works

    Each contract comprises the following:
    - A class[...]

  • Page 443

    - When Virtual Matrix Architecture (VMA) is not enabled, bandwidth classification is done on the ingress side of the switch (at the ingress port or designated port) and can be based on the following: source port, VLAN, filters, Virtual Inter[...]

  • Page 444

    Bandwidth Policies

    Bandwidth policies are bandwidth limitations defined for any set of frames, specifying the guaranteed bandwidth rates. A bandwidth policy is often based on a rate structure whereby a Web host or co-location provider cou[...]

  • Page 445

    Rate Limits

    A bandwidth policy specifies three limits, listed and described in Table 17-1:

    Bandwidth Policy Configuration

    Each bandwidth policy, comprised of the reserved, soft, and hard limits, is assigned an index. These policies can be fou[...]

  • Page 446

    Data Pacing

    The mechanism used to keep the individual traffic flows under control is called data pacing. It is based on the concept of a virtual clock and theoretical departure times (TDT). The actual calculation of the TDT is[...]

  • Page 447

    Classification Criteria

    The frames associated with a particular BWM contract are specified, using the parameters listed below. All of these classifications are aimed at limiting the traffic outbound from the server farm for bandwidth measurement an[...]

  • Page 448

    Combinations

    Combinations of classifications are limited to grouping items together into a contract. For example, if you wanted to have three different virtual servers associated with a contract, you would specify the same contract index on each[...]

  • Page 449

    Frame Discard

    When packets in a contract queue have not yet been sent and the buffer size set for the queue is full, any new frames attempting to be placed in the queue will be discarded.

    URL-Based Bandwidth Management

    URL-based BWM allows the net[...]

  • Page 450

    Figure 17-4 URL-Based Bandwidth Management

    Figure 17-5 URL-Based Bandwidth Management with Web Cache Redirection

    Cache servers[...]

  • Page 451

    HTTP Header-Based Bandwidth Management

    HTTP header-based BWM allows Web site managers to allocate bandwidth based on header value. Thus, they can allocate bandwidth based on browser type, cookie value, and so forth.

    Cookie-Based Bandwidth Man[...]

  • Page 452

    Bandwidth Statistics and History

    Statistics are maintained in order to allow Web switch owners to bill for bandwidth usage. Statistics for frequency and count are configurable. Statistics are kept in the individual Switch Processors (SP) an[...]

  • Page 453

    Packet Coloring (TOS bits) for Burst Limit

    Whenever the soft limit is exceeded, optional packet coloring can be done to allow downstream routers to use diff-serv mechanisms (that is, writing the Type-Of-Service (TOS) byte of the IP header) t[...]

  • Page 454

    Configuring Bandwidth Management

    The following procedure provides general instructions for configuring BWM on the switch. Specific configuration examples begin on page 457.

    1. Configure the switch as you normally would for SLB. Config[...]

  • Page 455

    5. (Optional) Set the TOS byte value, between 0-255, for the policy underlimit and overlimit. There are two parameters for specifying the TOS bits: underlimit (utos) and overlimit (otos). These TOS values are used to overwrite the TOS values [...]

  • Page 456

    9. (Optional) Enable TOS overwriting for the BWM contract.
    10. Set the bandwidth policy for this contract. Each bandwidth management contract must be assigned a bandwidth policy.
    11. Enable the BWM contract.
    12. Classify the frames for this cont[...]

  • Page 457

    Additional Configuration Examples

    Examples are provided for the following Bandwidth Management applications:
    - User/Application Fairness: see next section
    - Preferential Services: page 460
    - URL-Based: page 463
    - Cookie-Based: page 465
    - Security M[...]

  • Page 458

    3. On the switch, select a BWM contract and name the contract. Each contract must have a unique number from 1 to 256.
    4. Set the bandwidth policy for this contract. Each BWM contract must be assigned a bandwidth policy.
    5. Enable this BWM contr[...]

  • Page 459

    11. Assign the BWM contracts to different switch ports. Physical switch ports are used to classify which frames are managed by each contract — that is, one BWM contract will be applied to all frames from a specific port. The second contract will be[...]

  • Page 460

    Preferential Services Examples

    BWM can be used to provide preferential treatment to certain traffic, based on source IP blocks, applications, URL paths, or cookies. You may find it useful to configure higher policy rate limits for specific sites[...]

  • Page 461

    5. Set the bandwidth policy for this contract. Each BWM contract must be assigned a bandwidth policy.
    6. Enable this BWM contract.
    7. Select the second bandwidth policy.
    8. Set the hard, soft, and reserved rate limits for this policy, in Mbps.
    9[...]

  • Page 462

    12. Create a virtual server that will be used to classify the frames for contract 1 and assign the Virtual server IP address for this server. Then, assign the BWM contract to the virtual server. Repeat this procedure for a second virtual serve[...]

  • Page 463

    URL-Based Bandwidth Management Example

    In this example, you will assign bandwidth based on URL paths. For URL-based server load balancing, a user has to first define strings to monitor. Each of these strings is attached to real servers, and [...]

  • Page 464

    3. Configure a real server to handle the URL request.

    To add a defined string:

    where URL path ID is the identification number of the defined string as displayed when you enter the cur command.

    Example: /cfg/slb/real 2/layer7/addlb 3

    4. Either [...]

  • Page 465

    5. Turn on URL-based server load balancing on the virtual server. Configure everything under the virtual server as in Configuration Example 1.

    If the same string is used by more than one service, and you want to allocate a certain percentage of[...]

  • Page 466

    2. Allocate bandwidth for each string. To do this, assign a BWM contract to each defined string.
    3. Configure a real server to handle the cookie.

    To add a defined string:

    where URL path ID is the identification number of the defined string.

    Ex[...]

  • Page 467

    Scenario 2: In this scenario, the Web site has multiple virtual server IP addresses, and the same user classification or multiple sites use the same string name. In this scenario, there are two Virtual IP (VIP) addresses: 172.17.1.1 and 172.17.[...]

  • Page 468

    Security Management Example

    BWM can be used to prevent Denial of Service (DoS) attacks by a flooding of “necessary evil” packets and limiting the rate of TCP SYN, ping, other disruptive packets, and alerting/logging the network manager w[...]

  • Page 469

    6. Set the bandwidth policy for the contract. Each BWM contract must be assigned a bandwidth policy.
    7. Enable the BWM contract.
    8. Create a filter that will be used to classify the frames for this contract and assign the BWM contract to the filter[...]

  • Page 471

    Glossary

    DIP (Destination IP Address): The destination IP address of a frame.

    Dport (Destination Port): The destination port (application socket: for example, http-80/https-443/DNS-53)

    NAT (Network Address Translation): Any time an IP address is changed from one source IP or destination IP address t[...]

  • Page 472

    SIP (Source IP Address): The source IP address of a frame.

    SPort (Source Port): The source port (application socket: for example, HTTP-80/HTTPS-443/DNS-53).

    Tracking: In VRRP, a method to increase the priority of a virtual router and thus master designation (w[...]

  • Page 473

    VRRP (Virtual Router Redundancy Protocol): A protocol that acts very similarly to Cisco’s proprietary HSRP address sharing protocol. The reason for both of these protocols is so devices have a next hop or default gateway that is always available. Two or [...]

  • Page 475

    Index

    Symbols
    [ ]: 23

    Numerics
    80 (port): 295
    802.1Q VLAN tagging: 44, 45

    A
    active cookie mode: 42[...]

  • Page 476

    configuring
      cookie-based persistence: 430
      FTP Server Load Balancing: 150, 151
      multi-response cookie search: 436
      stateful failover: 285
    contacting us [...]

  • Page 477

    G
    gateway. See default gateway.
    Gigabit adapters
      jumbo frames: 63
    Global SLB
      configuration tutorial: 294 to 303
      Distributed Site State Protocol: 290, 295
      DNS resolution (diagram) [...]

  • Page 478

    IP routing: 123
      cross-subnet example: 28
      default gateway configuration: 32, 61
      IP interface configuration: 31, 34, 60
    IP subnets [...]

  • Page 479

    N
    name servers, Global SLB configuration example: 291
    Network Address Translation (NAT): 208
      configuration example: 191 to 193
      filter example: 194
      proxy [...]

  • Page 480

    real servers: 122
      backup/overflow servers: 135
      configuration example: 296
      connection timeouts: 134
      health checks[...]

  • Page 481

    service ports: 128, 171
    setting multiple response count: 432
    shared services: 118
    SIP (source IP address for filtering): 178
    sm[...]

  • Page 482

    VLANs
      broadcast domains: 33, 43, 45, 48
      default PVID: 44
      example showing multiple VLANs: 46
      filtering: 174
      gateway, default [...]