2006 Cisco Systems, Inc. All rights reserved.


Cisco Public
APP-1102
Application Control Engine (ACE) Overview

Agenda
Introduction
Architecture
Application Infrastructure Control
Role-Based Access Control
Application Security
Application Availability
Management
Roadmap
Introduction
Evolution of the Data Center Infrastructure
Phased Approach
AUTOMATION
Storage
Network
Compute
Dynamic Provisioning and
Information Lifecycle
Management (ILM) to Enable
Business Agility
Business Policies
On-Demand
Service Oriented
VIRTUALIZATION
Storage Network Compute
Enterprise
Applications
Management of Resources
Independent of Underlying
Physical Infrastructure to
Increase Utilization,
Efficiency and Flexibility
Data
Network
Server
Fabric
Network
Centralization and
Standardization to
Lower Costs, Improve
Efficiency and Uptime
CONSOLIDATION
LAN
WAN
MAN
SAN
Storage
Network
Intelligent
Information
Network
HPC
Cluster
GRID
Server-Centric to Service-Centric
Service-Centric Model
Pools of Standardized Resources
Assembled On-Demand to Create
Virtual Infrastructure
DATA
CENTER
NETWORK
User Access
Network
Shared Application
Services
Pooled
Compute
Resources
Pooled
Storage
Resources
Aggregation of
Storage into SAN
Prevalence of
1-RU and Blade
Servers with
Consolidated I/O
Application
Silos
Application
Silos
Server-Centric
Monolithic
Proprietary
Compute Silos
Application
Silos
Servers
Home/Road User
Typical Application Environment Today
WAN, VPN,
Internet
DATA
CENTER
HTTP, HTTPS
Enterprise Applications
Web Servers App Servers DB Servers
E-mail Servers
Exchange
Servers
Notes
Servers
MAPI, IMAP,
WebDAV
CIFS, NFS,
WebDAV
Legacy Application Servers
Emulation and
Citrix Servers
Mainframe &
Legacy 2-Tier
ICA, TN3270
Majority of Users are Remote
Branch Office User
Streaming Media
Servers
MMS,
RTSP/RTP
Multiple applications
Distributed users: partner, supplier
Complex application environments
Security and data management concerns
Cisco Application Delivery Business Unit
Application Networking Services
Client to Application
Application to Application
WAN
Integrated
Services
Router
Wide Area
Application
Engine
Branch
Office
User
Core WAE
Application
Engine
File Servers
Exchange
Citrix Servers
Catalyst Switch
Web Servers
Application
Control Engine
Application
Velocity
System (AVS)
Home/Road User
Business Partner
HTTP/HTTPS/WebDAV
Infiniband
NAS
Application Delivery
Application Integration
Web Servers
Web Servers
Secondary
or Partner
Data Center
Catalyst Switch
Application Control Engine
(CSS/CSM/GSS)

Data Center
Intranet and
Infrastructure
Innovation
Virtual Partitioning
Hierarchical Management Domains
Role-Based Access Control
ACE & AVS Innovations At-a-Glance
Application Infrastructure Control
*Available in AVS Today
Application Performance Application Security Infrastructure Simplification
Innovation
Highest Throughput
Maximum Scalability
Multi-tiered reliability,
availability, and scalability

Base
Server Load Balancing
Content Switching
Web Acceleration
Intelligent Compression
Innovation
Richest App-Layer Security*
Hardware-accelerated Protocol
Control
Highest Performing NAT &
Access Control List (ACL)

Base
Limited Network Address
Translation
DDoS Protection
Innovation
Layer 2-7 Network Integration
Functional Consolidation
Application Network
Management solution

Base
TCP Optimization
SSL Termination
XML API
CSS 11506
CSM
Appliances
Modules
ACE
Cisco L4-7 Switching Portfolio
CSS 11503
CSS 11501
Architecture
Cisco Application Control Engine (ACE)
Parallel network-processor based architecture
with separate control and data paths
Switch
Fabric
Interface
Sup
Connect
16G
100M
ACE Hardware Architecture
Daughter
Card 1
Daughter
Card 2
8G
8G
SSL
Crypto
10G
Data Plane
NP1
Data Plane
NP2
10G 10G
Control
Plane
ACSW OS
2G
CDE
Switch
60 Gbps
16 Micro-Engines on each
20B ops / sec
Dataplane Subsystems on Micro-Engines
Receive + Fastpath (+ Transmit)
IP Reassembly + Timers + Syslog
Inbound Connection Manager
Outbound Connection Manager
Connection Close Management
TCP
HTTP
ACL Classification, Forwarding
NAT
Application fixups
SSL Record Layer
Static and user-configurable REGEX
TCP Normalization + FixUps
Rx Fast
Path
Fast
Path
Fast
Path
Fast
Path
Fast
Path
IP Frag
Timers
ICM
OCM CCM TCP HTTP
HTTP SSL
Record
RegEx FixUps
TCP
Norm.

XScale Processor
Layer 7 policy matching
Load balancing algorithms
SSL Handshake
FTP and RTSP inspection & fixups
HA heartbeats
Control Plane Subsystems
CP
System Manager
Configuration Manager
Policy / ACL Compiler
L2/L3 Services: Route Manager, Interface Manager,
ARP
Health monitoring
DHCP Relay
ACE and AVS Innovations:
Raising the Bar for Application Performance
Multi-tiered reliability, availability,
and scalability:
Per application; intra-chassis;
inter-chassis; inter-data center
Maximum protection for your
critical business
2-5X improvement in
application response times
High application performance
impact: Patented latency and
bandwidth reduction techniques;
common inspection engine
Pay-as-you-grow without
fork-lift upgrade
Highest throughput:
16 Gbps; 345K L4 CPS
Handles large data files, rich-
media applications and large
user-base with ease
Maximum scalability:
Up to 4 modules in a Catalyst 6500
chassis; Architected for add-on
Services
Industry Leading Application Performance
Application Infrastructure Control
One physical device
Multiple virtual systems
(dedicated control and data path)
Traditional device
Single configuration file
Single routing table
Limited RBAC
Limited resource
allocation
25% 25%
20% 15% 15%
100%
Cisco Application Infrastructure Control
Distinct configuration files
Separate routing tables
RBAC with Contexts, Roles, Domains
Management and data resource control
Independent application rule sets
Global administration and monitoring
Virtual Partitioning System Separation
Physical Device
Context 1
Admin
Context
Context
Definition

Resource
Allocation
Management
station
Context 2 Context 250
Virtual Partitioning Deployments
AAA
Isolate Depts / Customers / Apps
Rapid Application Roll-out
Lower Cost to deploy / change / add
Per context Control
Guaranteed resource levels for each context
Support for over-subscription
Virtual Partitions Resource Control
Guaranteed
Rates
Guaranteed
Memory
Bandwidth
Data connections / sec
Management connections / sec
SSL bandwidth
Syslogs / sec
Access Lists
Regular expressions
# Data connections
# Management connections
# SSL connections
# Xlates
# Sticky entries
ACE in Action:
Data Center Consolidation
Multiple
Virtual
Partitions
(each with
functions
and
resources
N-Tier Applications
Web
Servers
App
Servers
DB
Servers
Front End Network
C2 C1 C3 C4 C5 C6
Single
ACE
Module
N-Tier Applications
Web
Servers
App
Servers
DB
Servers
Front End Network
ACE consolidates horizontal
application silos and supports central
control with distributed management
Depts, Users, Applications
Role-Based Access Control
Grouping of objects in a Virtual Context to restrict management access
Objects can belong to multiple Domains
Max 10 Domains / Context
Domains
VIP1 VIP3 VIP4 VIP2
R1 R2 R3
R3 R4 R5
Domain A Domain B
Context 1
Default Roles in the System
Admin: Access to ALL functions in the context / device
SLB-Admin: Serverfarm, Servers, Health Monitoring
Security-Admin: Access Control, Inspection, AAA, NAT
Server-Maintenance: Servers in/out of rotation
Server-Application-Maintenance: Servers, Health Monitoring, Load Balancing Rules
Network-Admin: Interfaces, Routing, NAT, TCP
Network-Monitor: Access to all show commands only
Create / Modify / Debug / Monitor
Admin
Context
Context A
definition

Context B
definition

Resource
allocation

Admin
management
config
Physical module
Context
B
Context
A
VIP1
VIP 2
Farm1
Farm2
VIP3
Farm3
Farm4
SSL
cert1,2
Domain1 Domain2
Admin
Network/Security
Server Admin
Monitor
Management station
Role
AAA

Application Infrastructure Control
Contexts, Roles, Domains
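
The contexts, roles and domains on these slides combine into a two-part authorization check: the role decides which operations on which features are allowed, and the domain decides which objects they may touch. The sketch below is an added example, not Cisco code or ACE CLI syntax; the feature names, the per-role operation sets, the users and the VIP placement in each domain are assumptions.

```python
from dataclasses import dataclass, field

MAX_DOMAINS_PER_CONTEXT = 10  # limit stated on the Domains slide
ALL_OPS = frozenset({"create", "modify", "debug", "monitor"})

# Default roles from the slide -> (feature groups, permitted operations).
# The operation sets are assumptions; the slide states only that
# Network-Monitor is restricted to show commands.
ROLES = {
    "Admin": ({"*"}, ALL_OPS),
    "SLB-Admin": ({"serverfarm", "server", "health-monitoring"}, ALL_OPS),
    "Security-Admin": ({"access-control", "inspection", "aaa", "nat"}, ALL_OPS),
    "Server-Maintenance": ({"server"}, frozenset({"modify", "monitor"})),
    "Server-Application-Maintenance": ({"server", "health-monitoring", "lb-rules"}, ALL_OPS),
    "Network-Admin": ({"interface", "routing", "nat", "tcp"}, ALL_OPS),
    "Network-Monitor": ({"*"}, frozenset({"monitor"})),
}


@dataclass
class Context:
    """One virtual context: its domains and its user bindings."""
    name: str
    domains: dict = field(default_factory=dict)  # domain -> set of object names
    users: dict = field(default_factory=dict)    # user -> (role, domain)

    def add_domain(self, domain, objects):
        if domain not in self.domains and len(self.domains) >= MAX_DOMAINS_PER_CONTEXT:
            raise ValueError(f"{self.name}: at most {MAX_DOMAINS_PER_CONTEXT} domains")
        self.domains.setdefault(domain, set()).update(objects)

    def assign(self, user, role, domain):
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        if domain not in self.domains:
            raise KeyError(f"unknown domain {domain!r}")
        self.users[user] = (role, domain)

    def authorize(self, user, op, feature, obj):
        """Default deny: the role must allow op on feature AND obj must be in the user's domain."""
        if user not in self.users:
            return False
        role, domain = self.users[user]
        features, ops = ROLES[role]
        feature_ok = "*" in features or feature in features
        return op in ops and feature_ok and obj in self.domains[domain]


def build_sample_context():
    # Constructed sample: R3 is placed in both domains, as on the Domains slide.
    ctx = Context("Context 1")
    ctx.add_domain("Domain A", {"VIP1", "VIP2", "R1", "R2", "R3"})
    ctx.add_domain("Domain B", {"VIP3", "VIP4", "R3", "R4", "R5"})
    ctx.assign("alice", "SLB-Admin", "Domain A")      # hypothetical users
    ctx.assign("bob", "Network-Monitor", "Domain B")
    return ctx


if __name__ == "__main__":
    ctx = build_sample_context()
    for args in [("alice", "modify", "server", "R1"), ("alice", "modify", "server", "R4"),
                 ("alice", "modify", "nat", "R1"), ("bob", "monitor", "server", "R3"),
                 ("bob", "modify", "server", "R3")]:
        print(args, "->", "permit" if ctx.authorize(*args) else "deny")
```
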
RBAC in Action
Application Infrastructure Control
Application
team
Network
Administrators
Server
Administrators
Config
changes
Continuous Change
Request = Bottleneck
Prone to conflicting
changes and errors
Application role
Server role
Network role
ACE Innovations:
Application Infrastructure Control
The New Standard For Application Delivery Systems
Up to 250 Virtual
Partitions
Adapt application infrastructure to
business operations
Fewer devices with superior control
Maximum utilization of system &
physical resources
Guaranteed performance levels
Centralized control,
decentralized management
Improved workflow
Rapid response to application
demands
Aligns IT operations with IT
organization structure
Hierarchical Management
Domains

Role-Based Access Control
TCP Reuse
TCP1
ACE-TCP1 Pool1
TCP2
TCP3
ACE-TCP2 Pool2
Connection pools are established per real server per server-farm
Multiple pools can be established per real server
A connection is added to the reuse pool upon completion of server response
Client connections matched to server connections based on TCP options - sack, timestamp, window_scale, MSS
Client TCP options/parameters are preserved
Significantly reduces server overhead
Application Health Monitoring Overview
Continually monitor the health of Applications and Server availability
Health Monitoring Support
- Out-of-band monitoring
- Ability to monitor a gateway or other remote device for failover purposes
- Optional port and IP address probe configuration
- 15 different native probe types, including TCL support
- 4K unique probe configurations
- 16K probe associations supported
Application Availability
Most Robust Application Availability
Physical Redundancy
Inter-chassis
ACE
ACE
Catalyst 6500 Catalyst 6500
Physical Redundancy
Intra-chassis
ACE
ACE
Catalyst 6500
A B
ACE-1
ACE-2
Active Active
C D
Active Active
C D
Standby Standby
A B
Standby Standby
Red-grp2 Red-grp1 Red-grp3 Red-grp4
Application Redundancy --
Inter-Context
FT VLAN
TRP protocol packets
Heart-beats
Configuration sync packets
State replication packets

Failover Tracking
HSRP
Interface up / down
Multiple probes with priority
Benefits of Integration with the Catalyst 6500
Unique Cisco strength -- presence, market and technology leadership of the Catalyst 6500 enterprise-class switching family
Leverage all L2-L4 Catalyst 6500 HW-based features (VACLs, QoS, per-flow policing, SPAN, PBR, port-security, Private VLANs, etc.)
Largest offer of connectivity options: 10/100/1000, 10G, WAN interfaces, copper / fiber,
Integration with the MSFC routing table, injecting/removing VIP host routes based on server and application health (Route Health Injection)
Integration with other L4-7 services modules, with Safe Harbor certified releases (http://www.cisco.com/go/safeharbor/) and integration design documents (http://www.cisco.com/go/srnd/)
Includes NAM modules for Network Analysis
Management
Device Management
XML Interface
Configuration, Provisioning and Monitoring
All features on ACE can be configured using XML over HTTP / HTTPS
Monitoring support via XML-ized "show commands"
XML DTD is available for both Monitoring and Provisioning

SNMP
Supervisor agent provides environmental status of ACE
SNMP agent is virtualized to allow SNMP settings per virtual context
Up to 10 SNMP hosts are supported per virtual context
ACE supports SNMP v1, v2c and v3
Modular Policy Command (MPC)
Management Solution for ACE and
Across Application Networking Services
- Provisioning, Monitoring, Reporting of Virtualized Services
- RBAC - Templates - Rich GUI
ACE Innovations:
Infrastructure Simplification





Most Comprehensively Integrated Solution
Reduced footprint; Improved
application availability
Layer 2 - Layer 7 network
integration: Bi-directional
communications between 6500
supervisor and ACE modules
Better application performance;
Simpler topologies
Functional consolidation:
SLB, SSL, Firewall, protocol
optimization
Quick and concurrent
application deployment at
multiple points
Application Network Manager:
Management for virtual partitions,
hierarchical management domains
across multiple devices
AVS
Cisco AVS 3120 / 3180
Delivery
Functions
Accelerate
Best response time on
existing infrastructure
Optimize
Minimize required
network infrastructure
Offload
Maximize capacity of
application infrastructure
Service
Functions
Monitor
Provide end-user
quality of service metrics
Secure
Policy-based protection
of app infrastructure
Manage
Management and
exception handling
Typical Deployment with Cisco CSS/CSM
L7
Switch
SSL

VIP1

VIP2
Application Optimization
Industry's best set of optimizations
Dramatic real-time
application impact
Any web application
or web front-end
Highly configurable
Granular rules-based control
Pre-built application templates
Comprehensive best practices
No application or desktop
changes
Rapid deployment
Benefit
Application performance
engineering in a box

Network Latency
Mitigation
Techniques
Bandwidth
Reduction
Options
Server
Offload
Functions Application
Delivery
Engine
Cisco AVS-3120 Manages Network Latency
Minimizes network
roundtrips per page or
transaction
Proxy manages sessions for
both clients and servers
Includes both proprietary
and industry-standard
features
FlashForward object
acceleration
Smart redirect
Fast redirect
TCP Multiplexing
Multiplies performance
benefits under SSL
Cisco AVS 3120 Minimizes Bandwidth Needs
Converts browser cache into
dynamic engine
Intelligently reduces content
payloads
Includes both proprietary and
industry-standard features
Delta Optimization
Smart Image Compression
Just-in-time object acceleration
GZIP and DEFLATE
compression
Leapfrogs compression alone
Multiplies performance benefits
under SSL
Leverages existing caching and
CDN
Cisco AVS-3120 Reduces Server Contention
Offloads web and
application servers
Provides additional
scalability for clustered
environments
Includes both proprietary
and industry-standard
features
Adaptive dynamic
caching
Static caching
TCP connection offload
Cisco AVS-3120 Deployment Scenarios
AVS 3120 devices are deployed in two configurations:
- Inline using internal clustering for scalability and failover
- Out of band using Layer 4-7 SLB to manage infrastructure
Proven configurations available with Cisco CSS
Velocity appears as another web server to the SLB
CSS / CSM
Application Velocity System
Network Integration
Network Security
Application Availability
Service Virtualization
Application Security
Application Acceleration

Process packets
Manage Load
Maximize throughput
SSL Offload

Process applications
Control Request/Response
Maximize efficiency
Switch Architecture
Proxy Architecture
Packet Load
Balancing
Application
Delivery
Engine
Network Latency
Mitigation
Techniques
Bandwidth
Reduction
Options
End-user
Monitoring
Application
Firewall
Server
Offload
Functions
Application Control & Optimization
Technology Advantage
Functional Areas Basic Capabilities AVS Capabilities (*= Patented)
Accelerate
Network Latency
Management

Request aggregation / browser cache management*
Browser TCP multiplexing*
PDF download optimization
Response redirection control*
Optimize
Bandwidth Reduction
Gzip/DEFLATE compression
Delta encoding*
Dynamic browser caching*
Dynamic image optimization (JPG, GIF, PNG)
Flexible processing rules
Offload
Server Efficiency
TCP connection multiplexing
SSL offload and acceleration
Static caching
Configurable dynamic caching*
Load-based caching*
Lazy request evaluation*
Single sign-on optimizations
XML merging/transformation
Monitor
Application QoS

Logging
System health checking
End-to-end response time monitoring
Business transactions capability
First-line service triage
Secure
Protect Applications
and Infrastructure
Rules-based protection
Out-of-the-box Layer-7 protections
Stateful Content inspection policies
Comprehensive exception handling and monitoring
Management/
Integration
SNMP access and control
Application delivery dashboard
Service-level integration with BMC, HP, etc.
Specific Features and Benefits of the Condenser

Network Latency Mitigation
Features: Request aggregation; Browser cache management*; Browser TCP multiplexing*; PDF download optimization; Response redirection control*
Impact: 2X - 5X minimum improvements in response time
Benefits: Dramatically improved end-user performance

Network Optimization
Features: Delta encoding*; Dynamic browser caching*; Dynamic image optimization (JPG, GIF, PNG)*; Gzip/DEFLATE compression; Flexible processing rules
Impact: 70-90% reduction in bandwidth use
Benefits: Reduce bandwidth costs; Delay or eliminate network upgrades; Better end-user performance

Server Offload
Features: Configurable dynamic caching*; Load-based caching*; Lazy request evaluation*; Single sign-on optimizations; TCP connection multiplexing; SSL offload and acceleration; Static caching
Impact: 50% reduction in server cycles
Benefits: Delay or reduce server purchases; Minimize application licenses; Better performance