Slide 1: Application Control Engine (ACE) Overview
APP-1102
2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Slide 2: Agenda
- Introduction
- Architecture
- Application Infrastructure Control
- Role-Based Access Control
- Application Security
- Application Availability
- Management
- Roadmap

Slide 3: Introduction

Slide 4: Evolution of the Data Center Infrastructure: Phased Approach
- Consolidation: Centralization and Standardization to Lower Costs, Improve Efficiency and Uptime
- Virtualization (Storage, Network, Compute): Management of Resources Independent of Underlying Physical Infrastructure to Increase Utilization, Efficiency and Flexibility
- Automation (Storage, Network, Compute): Dynamic Provisioning and Information Lifecycle Management (ILM) to Enable Business Agility
(Figure labels: Business Policies, On-Demand, Service Oriented; Enterprise Applications, Data Network, Server Fabric Network; LAN, WAN, MAN, SAN, Storage Network, Intelligent Information Network, HPC Cluster, GRID)

Slide 5: Server-Centric to Service-Centric
- Server-Centric: Application Silos; Monolithic, Proprietary Compute Silos
- Service-Centric Model: Pools of Standardized Resources Assembled On-Demand to Create Virtual Infrastructure
  - Data Center Network; User Access Network; Shared Application Services
  - Pooled Compute Resources: Prevalence of 1-RU and Blade Servers with Consolidated I/O
  - Pooled Storage Resources: Aggregation of Storage into SAN

Slide 6: Typical Application Environment Today
(Figure: Home/Road User and Branch Office User reach the Data Center servers over WAN, VPN, Internet; majority of users are remote)
- Enterprise Applications (Web Servers, App Servers, DB Servers): HTTP, HTTPS
- E-mail Servers (Exchange Servers, Notes Servers): MAPI, IMAP, WebDAV
- CIFS, NFS, WebDAV
- Legacy Application Servers (Emulation and Citrix Servers; Mainframe & Legacy 2-Tier): ICA, TN3270
- Streaming Media Servers: MMS, RTSP/RTP
- Multiple applications
- Distributed users (partner, supplier)
- Complex application environments
- Security and data management concerns

Slide 7: Cisco Application Delivery Business Unit: Application Networking Services
- Client to Application (Application Delivery): Home/Road User, Branch Office User and Business Partner over the WAN; Integrated Services Router and Wide Area Application Engine at the branch; Core WAE Application Engine, Catalyst Switch, Application Control Engine (CSS/CSM/GSS) and Application Velocity System (AVS) in front of Web Servers, File Servers, Exchange and Citrix Servers (HTTP/HTTPS/WebDAV)
- Application to Application (Application Integration): Infiniband, NAS, Secondary or Partner Data Center, Data Center Intranet and Infrastructure

Slide 8: ACE & AVS Innovations At-a-Glance (*Available in AVS Today)
- Application Infrastructure Control, Innovation: Virtual Partitioning; Hierarchical Management Domains; Role-Based Access Control
- Application Performance, Innovation: Highest Throughput; Maximum Scalability; Multi-tiered reliability, availability, and scalability. Base: Server Load Balancing; Content Switching; Web Acceleration; Intelligent Compression
- Application Security, Innovation: Richest App-Layer Security*; Hardware-accelerated Protocol Control; Highest Performing NAT & Access Control List (ACL)
- Application Security / Infrastructure Simplification, Base: TCP Optimization; SSL Termination; XML API

Slide 9: Cisco L4-7 Switching Portfolio
- Appliances: CSS 11501, CSS 11503, CSS 11506
- Modules: CSM, ACE

Slide 10: Architecture

Slide 11: Cisco Application Control Engine (ACE)
- Parallel network-processor based architecture with separate control and data paths

Slide 12: ACE Hardware Architecture
- Switch Fabric Interface: 16G; Sup Connect: 100M
- Daughter Card 1 and Daughter Card 2: 8G each
- SSL Crypto: 10G
- Data Plane NP1 and Data Plane NP2: 10G each; 16 Micro-Engines on each; 20B ops / sec
- Control Plane (ACSW OS): 2G
- CDE Switch: 60 Gbps

Slide 13: Dataplane Subsystems on Micro-Engines
- Receive + Fastpath (+ Transmit) (Rx, Fast Path)
- IP Reassembly + Timers + Syslog (IP Frag, Timers)
- Inbound Connection Manager (ICM), Outbound Connection Manager (OCM), Connection Close Management (CCM)
- TCP; HTTP
- ACL Classification, Forwarding; NAT; Application fixups
- SSL Record Layer
- Static and user-configurable REGEX
- TCP Normalization + FixUps
XScale Processor:
- Layer 7 policy matching
- Load balancing algorithms
- SSL Handshake
- FTP and RTSP inspection & fixups
- HA heartbeats

Slide 14: Control Plane Subsystems
- CP System Manager
- Configuration Manager
- Policy / ACL Compiler
- L2/L3 Services: Route Manager, Interface Manager, ARP
- Health monitoring
- DHCP Relay

Slide 15: ACE and AVS Innovations: Raising the Bar for Application Performance (Industry Leading Application Performance)
- Multi-tiered reliability, availability, and scalability (per application; intra-chassis; inter-chassis; inter-data center): Maximum protection for your critical business
- 2-5X improvement in application response times (patented latency and bandwidth reduction techniques; common inspection engine): High application performance impact
- Highest throughput (16 Gbps; 345K L4 CPS): Handles large data files, rich-media applications and large user-base with ease
- Maximum scalability (up to 4 modules in a Catalyst 6500 chassis; architected for add-on services): Pay-as-you-grow without fork-lift upgrade

Slide 16: Application Infrastructure Control

Slide 17: Virtual Partitioning: System Separation
- Traditional device (100%): Single configuration file; Single routing table; Limited RBAC; Limited resource allocation
- Cisco Application Infrastructure Control: One physical device, multiple virtual systems (dedicated control and data path; figure shows partitions of 25%, 25%, 20%, 15%, 15%)
  - Distinct configuration files
  - Separate routing tables
  - RBAC with Contexts, Roles, Domains
  - Management and data resource control
  - Independent application rule sets
  - Global administration and monitoring

Slide 18: Virtual Partitioning Deployments
- Physical Device: Admin Context (Context Definition, Resource Allocation), Context 1, Context 2 ... Context 250; Management station; AAA
- Isolate Depts / Customers / Apps
- Rapid Application Roll-out
- Lower Cost to deploy / change / add

Slide 19: Virtual Partitions Resource Control
- Per context control
- Guaranteed resource levels for each context
- Support for over-subscription
- Guaranteed Rates: Bandwidth; Data connections / sec; Management connections / sec; SSL bandwidth; Syslogs / sec
- Guaranteed Memory: Access Lists; Regular expressions; # Data connections; # Management connections; # SSL connections; # Xlates; # Sticky entries

Slide 20: ACE in Action: Data Center Consolidation
- Before: N-Tier Applications (Web Servers, App Servers, DB Servers), each with its own Front End Network
- After: Single ACE Module with Multiple Virtual Partitions (C1-C6, each with functions and resources) in front of the N-Tier Applications
- ACE consolidates horizontal application silos and supports central control with distributed management (Depts, Users, Applications)

Slide 21: Role-Based Access Control

Slide 22: Domains
- Grouping of objects in a Virtual Context to restrict management access
- Objects can belong to multiple Domains
- Max 10 Domains / Context
(Figure: Context 1 with Domain A and Domain B over VIP1-VIP4 and R1-R5; R3 is drawn in both domains)

Slide 23: Default Roles in the System
- Admin: Access to ALL functions in the context / device
- SLB-Admin: Serverfarm, Servers, Health Monitoring
- Security-Admin: Access Control, Inspection, AAA, NAT
- Server-Maintenance: Servers in/out of rotation
- Server-Application-Maintenance: Servers, Health Monitoring, Load Balancing Rules
- Network-Admin: Interfaces, Routing, NAT, TCP
- Network-Monitor: Access to all show commands only
- Permission levels: Create, Modify, Debug, Monitor

Slide 24: Application Infrastructure Control: Contexts, Roles, Domains
- Admin Context: Context A definition; Context B definition; Resource allocation; Admin management config
- Physical module: Context A (VIP1, VIP 2, Farm1, Farm2, SSL cert1,2; Domain1, Domain2) and Context B (VIP3, Farm3, Farm4)
- Management station, via AAA, with roles Admin, Network/Security, Server Admin, Monitor

Slide 25: RBAC in Action: Application Infrastructure Control
- Today: Application team, Network Administrators and Server Administrators all funnel config changes through one path; continuous change requests = bottleneck; prone to conflicting changes and errors
- Separate roles: Application role, Server role, Network role

Slide 26: ACE Innovations: Application Infrastructure Control: The New Standard For Application Delivery Systems
- Up to 250 Virtual Partitions
- Hierarchical Management Domains
- Role-Based Access Control
- Benefits: Adapt application infrastructure to business operations; Fewer devices with superior control; Maximum utilization of system & physical resources; Guaranteed performance levels; Centralized control, decentralized management; Improved workflow; Rapid response to application demands; Aligns IT operations with IT organization structure
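The Domains and Default Roles slides above describe the three pieces of the ACE access check: objects grouped into domains (an object may sit in several, at most ten per context), roles scoped to feature areas, and the Create/Modify/Debug/Monitor permission levels. As an added example, not from the deck or from Cisco, here is a small Python model of that deny-by-default check; the mapping of each role to object types and permissions is assumed for illustration, since the slides only name the roles' feature areas.

```python
# ACE-style RBAC check (contexts, domains, default roles). Added illustration,
# not Cisco's code. Assumed, not on the slides: which object types each default
# role covers and which permission levels it holds (slides only name feature areas).
MAX_DOMAINS_PER_CONTEXT = 10          # stated on the Domains slide
FULL = {"create", "modify", "debug", "monitor"}   # the four permission levels
ALL_TYPES = {"vip", "real", "serverfarm", "probe", "acl", "nat", "interface"}

# Hypothetical role table: role -> (object types it may act on, permissions)
ROLES = {
    "Admin": (ALL_TYPES, FULL),
    "SLB-Admin": ({"serverfarm", "real", "probe"}, FULL),
    "Security-Admin": ({"acl", "nat"}, FULL),
    "Server-Maintenance": ({"real"}, {"modify", "monitor"}),  # in/out of rotation
    "Network-Admin": ({"interface", "nat"}, FULL),
    "Network-Monitor": (ALL_TYPES, {"monitor"}),               # show commands only
}


class Context:  # one virtual context: its objects plus up to ten management domains
    def __init__(self, name):
        self.name = name
        self.objects = {}     # object name -> type
        self.domains = {}     # domain name -> set of object names

    def add_object(self, name, kind):
        self.objects[name] = kind

    def add_domain(self, domain, members):
        if domain not in self.domains and len(self.domains) >= MAX_DOMAINS_PER_CONTEXT:
            raise ValueError(f"{self.name}: max {MAX_DOMAINS_PER_CONTEXT} domains")
        unknown = set(members) - set(self.objects)
        if unknown:
            raise KeyError(f"unknown objects {sorted(unknown)}")
        self.domains[domain] = set(members)   # an object may sit in several domains


def authorized(ctx, role, domain, obj, action):
    """True if a user holding `role` within `domain` may do `action` on `obj`.
    domain=None applies the role to the whole context; anything unknown or
    outside the role's types, permissions or the domain is denied."""
    if role not in ROLES or obj not in ctx.objects:
        return False
    kinds, perms = ROLES[role]
    if action not in perms or ctx.objects[obj] not in kinds:
        return False
    return domain is None or obj in ctx.domains.get(domain, set())


def build_context_1():
    """Constructed to match the Domains slide: VIP1-VIP4, R1-R5, R3 in both."""
    ctx = Context("Context 1")
    for v in ("VIP1", "VIP2", "VIP3", "VIP4"):
        ctx.add_object(v, "vip")
    for r in ("R1", "R2", "R3", "R4", "R5"):
        ctx.add_object(r, "real")
    ctx.add_domain("Domain A", ["VIP1", "VIP2", "R1", "R2", "R3"])
    ctx.add_domain("Domain B", ["VIP3", "VIP4", "R3", "R4", "R5"])
    return ctx
```

A Server-Maintenance user in Domain A can take R3 out of rotation (R3 is in both domains) but not R5, and cannot create anything; Network-Monitor can only monitor.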
Slide 27: TCP Reuse
(Figure: client connections TCP1, TCP2, TCP3; ACE-side server connections ACE-TCP1 in Pool1 and ACE-TCP2 in Pool2)
- Connection pools are established per real server per server-farm
- Multiple pools can be established per real server
- A connection is added to the reuse pool upon completion of server response
- Client connections matched to server connections based on TCP options: sack, timestamp, window_scale, MSS
- Client TCP options/parameters are preserved
- Significantly reduces server overhead

Slide 28: Application Health Monitoring Overview
- Continually monitor the health of Applications and Server availability
- Health Monitoring Support:
  - Out-of-band monitoring
  - Ability to monitor a gateway or other remote device for failover purposes
  - Optional port and IP address probe configuration
  - 15 different native probe types, including TCL support
  - 4K unique probe configurations
  - 16K probe associations supported

Slide 29: Application Availability

Slide 30: Most Robust Application Availability
- Physical Redundancy, Inter-chassis: an ACE in each of two Catalyst 6500 chassis
- Physical Redundancy, Intra-chassis: two ACEs (ACE-1, ACE-2) in one Catalyst 6500 (figure: contexts A and B active on ACE-1 and standby on ACE-2, contexts C and D the reverse; redundancy groups Red-grp1 to Red-grp4)
- Application Redundancy -- Inter-Context: FT VLAN carrying TRP protocol packets, Heart-beats, Configuration sync packets, State replication packets
- Failover Tracking: HSRP; Interface up / down; Multiple probes with priority
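The TCP Reuse slide above gives the rules: one pool per real server per server-farm, a server connection returns to the pool when the server's response completes, and a client is matched to a pooled connection by its sack, timestamp, window_scale and MSS options so the server keeps seeing the client's own parameters. Added example, not from the deck or from Cisco: a Python model of those rules; the exact-match rule and the connection ids are assumptions.

```python
# Model of an ACE-style TCP reuse pool. Added illustration, not Cisco's code.
# Assumed (not on the slide): a connection is described only by the four TCP
# options the slide names, and a pooled server connection is handed to a client
# only when those options match exactly; connection ids below are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpOptions:
    sack: bool
    timestamp: bool
    window_scale: int
    mss: int


class ReusePool:
    """Idle server connections per (server-farm, real server), bucketed by the
    TCP options they were opened with, so a client only gets an exact match."""

    def __init__(self):
        self._idle = defaultdict(lambda: defaultdict(deque))
        self.opened = 0      # server connections that had to be created
        self.reused = 0      # client requests served from the pool

    def acquire(self, farm, real, opts):
        bucket = self._idle[(farm, real)][opts]
        if bucket:
            self.reused += 1
            return bucket.popleft()
        self.opened += 1
        # A new server connection carries the client's options unchanged, so
        # the server sees the same parameters the client negotiated.
        return {"id": f"{farm}/{real}#{self.opened}", "opts": opts}

    def release(self, farm, real, conn):
        """Return a connection to the pool once the server response completed."""
        self._idle[(farm, real)][conn["opts"]].append(conn)


def simulate(requests):
    """Serve (farm, real, TcpOptions) requests sequentially, each borrowing one
    server connection and returning it. Returns (opened, reused) counts."""
    pool = ReusePool()
    for farm, real, opts in requests:
        conn = pool.acquire(farm, real, opts)
        pool.release(farm, real, conn)
    return pool.opened, pool.reused


# Constructed sample: three clients to one real server, two with identical
# options, plus one request through a second server-farm to the same server.
SAMPLE = [
    ("farm1", "r1", TcpOptions(True, True, 7, 1460)),    # TCP1: new connection
    ("farm1", "r1", TcpOptions(True, True, 7, 1460)),    # TCP2: reuses TCP1's
    ("farm1", "r1", TcpOptions(False, False, 0, 1380)),  # TCP3: options differ, new
    ("farm2", "r1", TcpOptions(True, True, 7, 1460)),    # separate pool per farm, new
]
```

Running `simulate(SAMPLE)` opens three server connections and serves one request by reuse: only the client whose options match an idle connection is mapped onto it, and the second server-farm gets its own pool.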
Slide 31: Benefits of Integration with the Catalyst 6500
- Unique Cisco strength -- presence, market and technology leadership of the Catalyst 6500 enterprise-class switching family
- Leverage all L2-L4 Catalyst 6500 HW-based features (VACLs, QoS, per-flow policing, SPAN, PBR, port-security, Private VLANs, etc.)
- Largest offer of connectivity options: 10/100/1000, 10G, WAN interfaces, copper / fiber
- Integration with the MSFC routing table, injecting/removing VIP host routes based on server and application health (Route Health Injection)
- Integration with other L4-7 services modules, with Safe Harbor certified releases (http://www.cisco.com/go/safeharbor/) and integration design documents (http://www.cisco.com/go/srnd/)
- Includes NAM modules for Network Analysis

Slide 32: Management

Slide 33: Device Management
- XML Interface: Configuration, Provisioning and Monitoring
  - All features on ACE can be configured using XML over HTTP / HTTPS
  - Monitoring support via XML-ized "show commands"
  - XML DTD is available for both Monitoring and Provisioning
- SNMP
  - Supervisor agent provides environmental status of ACE
  - SNMP agent is virtualized to allow SNMP settings per virtual context
  - Up to 10 SNMP hosts are supported per virtual context
  - ACE supports SNMP v1, v2c and v3
- Modular Policy Command (MPC)

Slide 34: Management Solution for ACE and Across Application Networking Services
- Provisioning, Monitoring, Reporting of Virtualized Services
- RBAC
- Templates
- Rich GUI

Slide 35: ACE Innovations: Infrastructure Simplification: Most Comprehensively Integrated Solution
- Layer 2 - Layer 7 network integration (bi-directional communications between 6500 supervisor and ACE modules): Reduced footprint; Improved application availability
- Functional consolidation (SLB, SSL, Firewall, protocol optimization): Better application performance; Simpler topologies
- Application Network Manager (management for virtual partitions, hierarchical management domains across multiple devices): Quick and concurrent application deployment at multiple points

Slide 37: AVS

Slide 38: Cisco AVS 3120 / 3180
- Delivery Functions: Accelerate: Best response time on existing infrastructure; Optimize: Minimize required network infrastructure; Offload: Maximize capacity of application infrastructure
- Service Functions: Monitor: Provide end-user quality of service metrics; Secure: Policy-based protection of app infrastructure; Manage: Management and exception handling

Slide 39: Typical Deployment with Cisco CSS/CSM
(Figure: L7 Switch, SSL, VIP1, VIP2)

Slide 40: Application Optimization
- Industry's best set of optimizations
- Dramatic real-time application impact
- Any web application or web front-end
- Highly configurable: Granular rules-based control; Pre-built application templates; Comprehensive best practices
- No application or desktop changes; Rapid deployment
- Benefit: Application performance engineering in a box
- Application Delivery Engine: Network Latency Mitigation Techniques; Bandwidth Reduction Options; Server Offload Functions

Slide 41: Cisco AVS-3120 Manages Network Latency
- Minimizes network roundtrips per page or transaction
- Proxy manages sessions for both clients and servers
- Includes both proprietary and industry-standard features: FlashForward object acceleration; Smart redirect; Fast redirect; TCP Multiplexing
- Multiplies performance benefits under SSL

Slide 42: Cisco AVS 3120 Minimizes Bandwidth Needs
- Converts browser cache into dynamic engine
- Intelligently reduces content payloads
- Includes both proprietary and industry-standard features: Delta Optimization; Smart Image Compression; Just-in-time object acceleration; GZIP and DEFLATE compression
- Leapfrogs compression alone
- Multiplies performance benefits under SSL
- Leverages existing caching and CDN

Slide 43: Cisco AVS-3120 Reduces Server Contention
- Offloads web and application servers
- Provides additional scalability for clustered environments
- Includes both proprietary and industry-standard features: Adaptive dynamic caching; Static caching; TCP connection offload

Slide 44: Cisco AVS-3120 Deployment Scenarios
- AVS 3120 devices are deployed in two configurations: Inline, using internal clustering for scalability and failover; Out of band, using Layer 4-7 SLB to manage infrastructure
- Proven configurations available with Cisco CSS
- Velocity appears as another web server to the SLB (CSS / CSM)
(Figure: Application Velocity System: Network Integration, Network Security, Application Availability, Service Virtualization, Application Security, Application Acceleration)

Slide 45: Switch Architecture vs. Proxy Architecture
- Switch Architecture (Packet Load Balancing): Process packets; Manage load; Maximize throughput; SSL Offload
- Proxy Architecture (Application Delivery Engine): Process applications; Control Request/Response; Maximize efficiency; Network Latency Mitigation Techniques; Bandwidth Reduction Options; End-user Monitoring; Application Firewall; Server Offload Functions; Application Control & Optimization

Slide 46: Technology Advantage (Functional Areas / Basic Capabilities / AVS Capabilities; * = Patented)
- Accelerate: Network Latency Management
- Basic: Logging; System health checking. AVS: End-to-end response time monitoring; Business transactions capability; First-line service triage
- Secure: Protect Applications and Infrastructure. Basic: Rules-based protection. AVS: Out-of-the-box Layer-7 protections; Stateful Content inspection policies; Comprehensive exception handling and monitoring
- Management/Integration: Basic: SNMP access and control. AVS: Application delivery dashboard; Service-level integration with BMC, HP, etc.

Slide 47: Specific Features and Benefits of the Condenser (Features / Impact / Benefits; * = Patented)
- Network Latency Mitigation: Request aggregation; Browser cache management*; Browser TCP multiplexing*; PDF download optimization; Response redirection control*. Impact: 2X - 5X minimum improvements in response time. Benefits: Dramatically improved end-user performance
- Network Optimization: Delta encoding*; Dynamic browser caching*; Dynamic image optimization (JPG, GIF, PNG)*; Gzip/DEFLATE compression; Flexible processing rules. Impact: 70-90% reduction in bandwidth use. Benefits: Reduce bandwidth costs; Delay or eliminate network upgrades; Better end-user performance
- Server Offload: Configurable dynamic caching*; Load-based caching*; Lazy request evaluation*; Single sign-on optimizations; TCP connection multiplexing; SSL offload and acceleration; Static caching. Impact: 50% reduction in server cycles. Benefits: Delay or reduce server purchases; Minimize application licenses; Better performance