petrl@radware.com
Introducing Radware Application Delivery Solution
• Full availability
• Maximum performance
• Complete security
Slide 2
Radware Product Overview
Diagram (labels only): LinkProof, DefensePro and AppDirector placed between Customers, Router and Intrusion Prevention on one side and the Data Center (Mainframe, ESB, Message Queuing, AppXML, Partner Inflight System) on the other.
Slide 3
Features
On Demand Software Option Licenses
With on-demand scalability, a simple license upgrade lets you:
Increase application acceleration scalability
– SSL offloading
– Compression
Add new application-aware services
– Global server load balancing
– Bandwidth Management
– Service and DoS protection
Diagram (feature blocks): Local Load Balancing, Caching, Bandwidth Management, ACL, Compression, SYN Protection.
Slide 5
Features
IP Communication
Slide 7
Technical Overview
Server Load Balancing
Slide 9
IP Communication
• L2 Header
– MAC Source Address
– MAC Destination Address
– Checksum
• IP Header
– IP Source Address
– IP Destination Address
– Checksum
• TCP Header
– Source Port
– Destination Port
– Checksum
• Session ID
– IP Source Address
– Source Port
Example frame from the slide:
Layer 2: Source MAC = Source MAC, Destination MAC = VIP MAC
Layer 3: Source IP = Client IP, Destination IP = VIP, Checksum = B35C
Layer 4: Source Port = 2165, Destination Port = 80, Checksum = 037A
Slide 10
The Life of an HTTP Request
Slide 11
Basic Frame Flow & Client and Server Processing
Slide 12
Basic Frame Flow Process
Diagram: DNS resolves www.appswitch.com to 192.168.13.10; the VIP 192.168.13.10, port 80, is served by real servers 10.10.10.1 and 10.10.10.2.
Slide 13
Routing
Diagram: route entry for VIP 192.168.13.10, port 80; AppDirector interfaces 192.100.13.1/28 and 10.10.10.254/24; real servers 10.10.10.1 and 10.20.30.2; client 172.16.3.4:2000.
Slide 14
Accessing the VIP
Diagram: the client 172.16.3.4:2000 resolves www.appswitch.com through DNS (192.168.13.10) and sends to DestIP 192.168.13.10:80; the VIP 192.168.13.10, port 80, fronts real servers 10.10.10.1 and 10.10.10.2 (Network Manager label on the AppDirector).
Slide 15
Detect Request
Diagram: the client process sends SrcIP 172.16.3.4:2000, DestIP 192.168.13.10:80; this matches the VIP 192.168.13.10, port 80 (real servers 10.10.10.1 and 10.10.10.2).
Slide 16
Is request already served?
The SessionTable is searched by Source client-IP:port and Dest. VIP:service-port.
Diagram: client process 172.16.3.4:2000, VIP 192.168.13.10 port 80, real servers 10.10.10.1 and 10.10.10.2.
Slide 17
Yes, Request Already Served
The matching SessionTable entry holds Source client-IP:port, Dest. VIP:service-port, LoadB. Rserver:listen-port and Protocol, so the request goes to the real server already recorded there.
Diagram: client process 172.16.3.4:2000, VIP 192.168.13.10 port 80, real servers 10.10.10.1 and 10.10.10.2.
Slide 18
No, Do Load Balancing
No SessionTable entry matches Source client-IP:port / Dest. VIP:service-port, so AppDirector makes a load-balancing decision.
Diagram: client process 172.16.3.4:2000, VIP 192.168.13.10 port 80, real servers 10.10.10.1 and 10.10.10.2.
Slide 19
Send Request to Real Server
The new SessionTable entry holds Source client-IP:port, Dest. VIP:service-port, LoadB. Rserver:listen-port and Protocol.
Forwarded packet: SrcIP 172.16.3.4:2000, DestIP 10.10.10.3:80 (send request to real-server 10.10.10.3).
Diagram: client process 172.16.3.4:2000, VIP 192.168.13.10 port 80, real servers 10.10.10.1 and 10.10.10.2.
Slide 20
Real Server Responds
The server process on real-server 10.10.10.3 responds: SrcIP 10.10.10.3:80, DestIP 172.16.3.4:2000.
Diagram: client 172.16.3.4:2000, VIP 192.168.13.10 port 80, real servers 10.10.10.1 and 10.10.10.2.
Slide 21
Client Processing
Request packet at each of the four hops shown (client to AppDirector, AppDirector to real server):
Src IP Address: CIP, CIP, CIP, CIP
Dst IP Address: VIP, VIP, RIP, RIP
Protocol: TCP
Src Port: 2155, 2155, 2155, 2155
Dst Port: 80, 80, 80, 80
The session table contains at minimum SrcIP, Sport, DestIP, Dport and protocol.
Display content: /info/slb/sess/dump | other filter options | help
Slide 23
Server Processing
Response packet at the same four hops:
Protocol: TCP
Src Port: 80, 80, 80, 80
Dst Port: 2155, 2155, 2155, 2155
Slide 24
Server-to-Client Traffic
Forward using L2 switching if the packet is not associated with a virtual service.
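The session-table logic of the frame-flow slides (detect a request to a VIP, look the 5-tuple up, load-balance only when no entry exists, rewrite the destination on the way in and the source on the way back, and L2-switch anything that is not a virtual service) as an added example in Python. This is not Radware code: the addresses and ports are the slide's own values, the real-server pool is ordered so the first decision picks 10.10.10.3 as on the slide, and the round-robin dispatcher is an assumption standing in for whichever metric the farm is configured with.

```python
# Added example (not Radware code): a minimal model of the AppDirector/Alteon
# session-table behaviour from the frame-flow slides. The round-robin choice of
# real server is an assumption; only the addresses and ports come from the slides.
from dataclasses import dataclass, field
from itertools import cycle


# Session ID (slide "IP Communication"): source IP + source port. The session
# table is keyed, at minimum, on SrcIP, Sport, DestIP, Dport and protocol.
@dataclass(frozen=True)
class SessionKey:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass
class VirtualService:
    vip: str
    port: int
    real_servers: list


@dataclass
class Director:
    services: dict = field(default_factory=dict)   # (vip, port) -> VirtualService
    sessions: dict = field(default_factory=dict)   # SessionKey -> (rip, rport)
    _rr: dict = field(default_factory=dict)        # (vip, port) -> round-robin iterator
    events: list = field(default_factory=list)     # what the director decided, in order

    def add_service(self, vip, port, real_servers):
        self.services[(vip, port)] = VirtualService(vip, port, real_servers)
        self._rr[(vip, port)] = cycle(real_servers)

    def client_to_server(self, pkt):
        svc = self.services.get((pkt.dst_ip, pkt.dst_port))
        if svc is None:
            # Slide "Server-to-Client Traffic": no virtual service, so plain L2 switching.
            self.events.append("L2 switch")
            return pkt
        key = SessionKey(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        binding = self.sessions.get(key)
        if binding is None:
            # "No, do load balancing": choose a real server and record the binding.
            rip = next(self._rr[(pkt.dst_ip, pkt.dst_port)])
            binding = (rip, svc.port)
            self.sessions[key] = binding
            self.events.append("load balancing")
        else:
            # "Yes, request already served": reuse the recorded real server.
            self.events.append("session hit")
        rip, rport = binding
        # Only the destination changes on the way in (VIP -> RIP); the client tuple is kept.
        return Packet(pkt.src_ip, pkt.src_port, rip, rport, pkt.proto)

    def server_to_client(self, pkt):
        # Reverse lookup: the reply matches a session whose binding is this server.
        for key, (rip, rport) in self.sessions.items():
            if (rip, rport, key.src_ip, key.src_port) == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                # Source is rewritten back to the VIP so the client sees 192.168.13.10:80.
                return Packet(key.dst_ip, key.dst_port, key.src_ip, key.src_port, key.proto)
        self.events.append("L2 switch")
        return pkt


def demo():
    ad = Director()
    ad.add_service("192.168.13.10", 80, ["10.10.10.3", "10.10.10.1", "10.10.10.2"])
    req = Packet("172.16.3.4", 2000, "192.168.13.10", 80)
    fwd1 = ad.client_to_server(req)   # new 5-tuple: load-balancing decision
    fwd2 = ad.client_to_server(req)   # same 5-tuple: session-table hit
    reply = ad.server_to_client(Packet(fwd1.dst_ip, fwd1.dst_port, "172.16.3.4", 2000))
    return ad, fwd1, fwd2, reply


if __name__ == "__main__":
    ad, fwd1, fwd2, reply = demo()
    print("to server:", fwd1, "\nevents:", ad.events, "\nto client:", reply)
```

The `events` list is the part worth keeping an eye on operationally: a session table that reports "load balancing" for every packet of one connection means the key is being built from the wrong fields, and a flow that stays bound to a server after that server fails its health check is what the later Health Monitoring slides are there to prevent.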
Slide 25
Alteon SLB Terminology
Virtual Server – All client requests are forwarded to the virtual server defined on the Alteon
Virtual IP (VIP) – IP address of the virtual server on the Alteon
Service – The TCP or UDP service port that selects a group of real servers
Slide 26
LB algorithms
VIPs and Farms
AppDirector
slide 28
Dispatch Methods
Dispatch Methods:
• Cyclic
• Weighted Cyclic
• Fewest Users
• Least Traffic
• Fewest Users Local
• Least Traffic Local
• SNMP
• Hashing
• Response Time
Diagram: the VIP on the AppDirector in front of Server 1 and Server 2.
slide 29
Health Monitoring
Health Monitoring is the process of checking the health of servers to determine the status of a server, place the server in or out of service and perform load-balancing decisions.
Diagram: Customers reach the AppDirector, which checks Server 1 … Server n in the Data Center (labels: Database, Employees, 2 servers).
Available server farm after HC: {server 1, server 2, server3, …, server n}
New connections will be sent only to these servers!
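The dispatch methods listed on the Dispatch Methods slide and the farm-filtering rule of the Health Monitoring slide, as one added Python example covering both slides. This is not Radware code: the server names, weights, counters and the health-check outcome are constructed, the scoring for each metric is an assumption (the slide names the metrics, not their formulas), and the SNMP, Hashing and "Local" variants are left out.

```python
# Added example (not Radware code): dispatch methods from the slide (Cyclic,
# Weighted Cyclic, Fewest Users, Least Traffic, Response Time) run over a farm
# that a health check has filtered first. Servers and check results are constructed.
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    weight: int = 1
    users: int = 0          # open connections (Fewest Users)
    traffic: int = 0        # bytes in flight (Least Traffic)
    response_ms: float = 0  # last measured response time (Response Time)
    healthy: bool = True    # result of the latest health check


class Dispatcher:
    def __init__(self, farm, metric="cyclic"):
        self.farm = farm
        self.metric = metric
        self._rr = 0
        self._weighted_slots = []

    # Health Monitoring: only servers that passed the check receive new connections.
    def available(self):
        return [s for s in self.farm if s.healthy]

    def run_health_checks(self, check):
        # `check` is any callable returning True/False for a server; it stands in
        # for the ping/TCP/HTTP checks listed on the later slides.
        for s in self.farm:
            s.healthy = bool(check(s))
        return self.available()

    def pick(self):
        pool = self.available()
        if not pool:
            return None                      # whole farm out of service
        if self.metric == "cyclic":
            s = pool[self._rr % len(pool)]
            self._rr += 1
            return s
        if self.metric == "weighted_cyclic":
            # Expand weights into slots: weight 3 gets three turns per round.
            if not self._weighted_slots:
                self._weighted_slots = [s for s in pool for _ in range(max(s.weight, 1))]
            s = self._weighted_slots.pop(0)
            return s if s.healthy else self.pick()   # skip a server that failed mid-round
        if self.metric == "fewest_users":
            return min(pool, key=lambda s: s.users)
        if self.metric == "least_traffic":
            return min(pool, key=lambda s: s.traffic)
        if self.metric == "response_time":
            return min(pool, key=lambda s: s.response_ms)
        raise ValueError(f"unknown metric {self.metric}")


def demo(metric):
    farm = [RealServer("server1", weight=3, users=5, traffic=900, response_ms=20),
            RealServer("server2", weight=1, users=2, traffic=100, response_ms=5),
            RealServer("server3", weight=1, users=9, traffic=400, response_ms=50)]
    d = Dispatcher(farm, metric)
    # Constructed health-check outcome: server3 fails its check and leaves the farm.
    d.run_health_checks(lambda s: s.name != "server3")
    picks = []
    for _ in range(4):
        s = d.pick()
        s.users += 1              # the new connection counts against the chosen server
        picks.append(s.name)
    return picks


if __name__ == "__main__":
    for m in ("cyclic", "weighted_cyclic", "fewest_users", "least_traffic", "response_time"):
        print(f"{m:16s} {demo(m)}")
```

Note that `server3` is never chosen by any metric even though it has the best weight-independent standing for none of them; the health check removes it before the metric runs, which is the ordering the slide states ("new connections will be sent only to these servers").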
slide 31
Page and Content Checks
Diagram: AppDirector checking a page on Server 1 and Server 2.
slide 32
Checking Multiple Services
Diagram: AppDirector checking TCP 23 on Server 1 and on Server 2.
slide 33
Checking Backend Devices
Diagram: AppDirector checks App 1 on Server 1 and App 2 on Server 2, and as step 3 a Database Check of the backend Database.
slide 34
Sample List Of Pre-Defined Checks
• ARP
• Citrix ICA
• Citrix Application Browsing
• DHCP
• Diameter
• DNS
• FIX
• FTP
• HTTP
• IMAP4
• LDAP
• LDAPS
• NNTP
• Physical Port
• Ping
• POP3
• Radius Accounting
• Radius Authentication
• RTSP
• SIP TCP
• SIP UDP
• SMTP
• SNMP
• SSL Hello
• HTTPS
• TCP Port
• UDP Port
• TFTP
• TCP User Defined
• UDP User Defined
• ….
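A TCP Port check, an HTTP page-and-content check, and the "multiple services / backend device" combination of the preceding slides, as an added Python example that is not Radware code. To stay runnable offline it starts a throwaway HTTP server in-process; the `/health` and `/db` paths, the expected bodies and the port (chosen by the OS) are all constructed for the demo.

```python
# Added example (not Radware code): TCP-port and HTTP-content health checks of
# the kind the slides list, exercised against a constructed in-process server.
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    # Constructed application: /health answers "OK", /db reports the state of a
    # (fake) backend database, everything else is a 404.
    DB_UP = True

    def do_GET(self):
        if self.path == "/health":
            body = b"OK"
        elif self.path == "/db":
            body = b"db=up" if self.DB_UP else b"db=down"
        else:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_demo_server():
    """Bind to port 0 so the OS picks a free port; serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def check_tcp_port(host, port, timeout=1.0):
    """'TCP Port' check: the service counts as up if a connection completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_http_content(host, port, path, expected, timeout=1.0):
    """'HTTP' page-and-content check: status 200 and the expected text in the body.
    A port that accepts connections but serves the wrong page still fails this check."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return resp.status == 200 and expected.encode() in body
    except (OSError, http.client.HTTPException):
        return False


def server_in_service(host, port):
    """Checking multiple services and backend devices: every check must pass
    before the server is placed in service."""
    checks = [
        check_tcp_port(host, port),
        check_http_content(host, port, "/health", "OK"),
        check_http_content(host, port, "/db", "db=up"),   # backend (database) check
    ]
    return all(checks)


if __name__ == "__main__":
    srv, port = start_demo_server()
    print("in service:", server_in_service("127.0.0.1", port))
    DemoHandler.DB_UP = False
    print("in service after backend failure:", server_in_service("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
```

The backend check is the interesting one: the web tier keeps answering its own `/health` page while the database behind it is down, so a check that stops at the TCP port or at the first page would keep sending new connections to a server that cannot complete a transaction.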
slide 35
Topologies
Physical Topologies – Routing Mode
Diagram: the AppDirector (192.168.1.1 toward the servers, 4.3.2.1 toward the Router) in front of servers 192.168.1.10, 192.168.1.11, 192.168.1.12 and 192.168.1.13.
slide 37
Next-Hop-Router per VIP
Diagram: an Active AppDirector (192.168.1.1 / 4.3.2.1) and a Backup AppDirector (192.168.1.2 / 4.3.2.2), each connected through a Switch to the servers 192.168.1.10 to 192.168.1.13 and to its Router; VIP 1 and VIP 2 are each given their own next-hop router (4.3.2.253 and 4.3.2.254 in the diagram).
Slide 38
Full IPv4/6 Gateway
Slide 39
Supported Topologies
Diagram: an IPv6 service VIP in front of servers S1 to S4 reachable over IPv4 and IPv6.
Slide 40
Traffic Flow
AppDirector – Basics of Traffic Flow
slide 42
Flow Options
slide 43
Overview
Normal Flow:
– Client connects to a Layer-4 policy (VIP).
– AppDirector makes a forwarding decision.
– Client is sent to a selected Server.
– Server responds back to Client through AppDirector.
slide 44
Overview – Normal Flow
Client’s Request: Source IP = 4.3.2.1 (Client – 4.3.2.1), Destination IP = VIP – 6.6.6.100
Load Balancing Decision at the VIP (6.6.6.100)
AppDirector to Client: Source IP = VIP – 6.6.6.100, Destination IP = 4.3.2.1
Global:
– HTTP and DNS:
• Client is redirected based on HTTP or DNS and then traffic is the same as a local traffic flow.
– Triangulation:
• Client connects to AD A, is forwarded to AD B and receives responses from AD B.
slide 47
Local Functionality
Note: You can tune the device to support up to 6000 Layer 4 policies.
slide 48
Layer 4 Policies
Layer 4 Policies
Virtual IP address
slide 50
Layer 4 Policies
VIP
slide 51
Application - Components of the Layer 4 Policy
• The Application parameter allows using custom TCP or UDP ports for
applications that require special handling, such as HTTP, HTTPS, FTP, SIP,
etc. For example, use port 2100 for FTP Control Channel.
• For well-known protocols, such as 80 for HTTP, there is no need to specify
the application.
• For Virtual IP Interface configuration, the Application parameter must be set
to Virtual IP Interface and L4 Port and Protocol to Any.
VIP
slide 54
HTTP Request Header
GET / HTTP/1.1
Host: www.radware.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.2) ….
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
slide 55
Layer 7 Methods
• A Layer 7 Method defines a specific criterion (namely the existence or non-existence of certain specific content within the message), evaluated on a specific part of each handled message.
• A condition will evaluate to TRUE only if all values specified in the method match values appearing in the specified part of the message.
Diagram: requests to the VIP are matched on URL and Accept-Language, giving four combinations: URL www.red.com with Accept-Language es*, URL www.red.com with Accept-Language en*, URL www.blue.com with Accept-Language es*, and URL www.blue.com with Accept-Language en*.
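An added Python example, not Radware code, of how Layer 7 methods like the ones in the diagram are evaluated: each method names a part of the message (the URL built from Host and request target, the request method, or any header) and a pattern with a trailing `*` wildcard, and a condition is TRUE only when every method in it matches. The request text, the policy table and the farm names are constructed; the `*` wildcard semantics follow the slide's `es*` / `en*` notation and are an assumption beyond that.

```python
# Added example (not Radware code): Layer 7 method evaluation over a parsed
# HTTP request header. Request, policy table and farm names are constructed.
import fnmatch

SAMPLE_REQUEST = (   # constructed, modelled on the "HTTP Request Header" slide
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.red.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept-Language: es-ES,es;q=0.8\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Connection: keep-alive\r\n\r\n"
)


def parse_request(raw):
    """Split the request line and headers into a dict; header names are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def method_matches(req, part, pattern):
    """One Layer 7 method: does `pattern` ('*' wildcard) match the chosen message part?"""
    if part == "url":
        value = req["headers"].get("host", "") + req["target"]
    elif part == "method":
        value = req["method"]
    else:                         # any header name, e.g. "accept-language"
        value = req["headers"].get(part.lower(), "")
    return fnmatch.fnmatchcase(value, pattern)


def condition_true(req, methods):
    """A condition is TRUE only if all of its methods match (slide: all specified values must match)."""
    return all(method_matches(req, part, pattern) for part, pattern in methods)


# Constructed policy table mirroring the slide's four URL / Accept-Language combinations.
POLICIES = [
    ([("url", "www.red.com*"), ("accept-language", "es*")], "farm-red-es"),
    ([("url", "www.red.com*"), ("accept-language", "en*")], "farm-red-en"),
    ([("url", "www.blue.com*"), ("accept-language", "es*")], "farm-blue-es"),
    ([("url", "www.blue.com*"), ("accept-language", "en*")], "farm-blue-en"),
]


def select_farm(raw, policies=POLICIES, default="farm-default"):
    """First policy whose condition is TRUE wins; no match falls through to the default farm."""
    req = parse_request(raw)
    for methods, farm in policies:
        if condition_true(req, methods):
            return farm
    return default


if __name__ == "__main__":
    print(select_farm(SAMPLE_REQUEST))
```

Because every value here is client-supplied (Host, Accept-Language, the path), the policy table should be written so that an unmatched or malformed request lands on a deliberate default farm rather than on whichever policy happened to be loosest; that is what the explicit `default` does.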
slide 57
Persistency, Server Load Balancing Bindings
Slide 58
Persistency Requirements
Slide 59
Immediate Bindings
Diagram steps (client, Alteon, Real Server):
1. TCP SYN request
2. “Best Available Server” selection
4. Three-way handshake completion
Slide 60
Delayed Bindings
Diagram steps:
Client to Alteon
1. TCP 3-way handshake; LB records sequence #
2. Client sends 1st GET
“Best Available Server” selection (Real Server)
Alteon to Server
4. Sequence # adjustment and connection splicing
Slide 61
Server Binding Mechanisms
Two types of binding mechanisms for ADCs
Immediate binding
– Decision about which real server to send the request to is made
upon arrival of the TCP SYN packet.
Delayed binding
– Decision about which real server to send the request to is made
after the TCP 3-way handshake is completed by the switch.
– Allows a load balancer to look inside the client’s request packet for
specifics and bind to the appropriate server
– Enables advanced load balancing options
• Layer7 Server Load Balancing
• Layer7 Redirection Filter
• SSL Session ID-based Binding for session persistence
• Cookies-based Binding for session persistence
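The two binding mechanisms just described, as an added Python model that is not Radware or Alteon code. In delayed binding the load balancer completes the client's 3-way handshake itself, records the sequence numbers, reads the first GET, only then picks a server, and splices the two connections by shifting sequence and acknowledgement numbers by the difference between its own ISN and the server's. The ISNs, the request, the path-based server choice and the class names are all constructed; the real switch also handles windows, retransmissions and buffering that this model leaves out.

```python
# Added example (not Radware code): immediate versus delayed binding, with the
# sequence-number adjustment that connection splicing needs. All numbers and
# the server-selection rule are constructed.
from dataclasses import dataclass


@dataclass
class Segment:
    flags: str
    seq: int
    ack: int
    payload: bytes = b""


class DelayedBinding:
    def __init__(self, lb_isn, choose_server):
        self.lb_isn = lb_isn          # ISN the LB uses toward the client
        self.choose_server = choose_server
        self.client_isn = None
        self.server_isn = None
        self.server = None
        self.delta = None             # server_isn - lb_isn, applied when splicing
        self.log = []

    # Step 1: client to Alteon, TCP 3-way handshake; the LB records the sequence numbers.
    def handshake(self, syn):
        assert syn.flags == "SYN"
        self.client_isn = syn.seq
        self.log.append("handshake with client (server not chosen yet)")
        return Segment("SYN-ACK", self.lb_isn, syn.seq + 1)

    # Step 2: the first GET arrives; now the LB can inspect it and pick the server.
    def first_request(self, seg, server_isn):
        request_line = seg.payload.split(b"\r\n", 1)[0].decode()
        self.server = self.choose_server(request_line)
        self.server_isn = server_isn      # ISN the chosen server answered with
        self.delta = self.server_isn - self.lb_isn
        self.log.append(f"bound to {self.server} after reading: {request_line}")
        # Step 4: splice; the buffered GET is replayed to the server with a rewritten ack.
        return self.client_to_server(seg)

    def client_to_server(self, seg):
        # Client sequence numbers pass through; its acks (in LB ISN space) shift to the server's.
        return Segment(seg.flags, seg.seq, seg.ack + self.delta, seg.payload)

    def server_to_client(self, seg):
        # Server sequence numbers shift back into the LB ISN space the client expects.
        return Segment(seg.flags, seg.seq - self.delta, seg.ack, seg.payload)


class ImmediateBinding:
    """Contrast: the server is chosen on the SYN, before any payload is visible."""
    def __init__(self, choose_server):
        self.choose_server = choose_server
        self.server = None

    def handshake(self, syn):
        self.server = self.choose_server(None)   # nothing to inspect yet
        return self.server


def choose_by_path(request_line):
    # Constructed Layer 7 rule: /images/* to the image server, everything else
    # (including "no data yet", as in immediate binding) to the web server.
    if request_line and request_line.split(" ")[1].startswith("/images/"):
        return "image-server"
    return "web-server"


def demo():
    lb = DelayedBinding(lb_isn=5000, choose_server=choose_by_path)
    synack = lb.handshake(Segment("SYN", seq=1000, ack=0))
    get = Segment("ACK", seq=1001, ack=synack.seq + 1,
                  payload=b"GET /images/logo.png HTTP/1.1\r\nHost: www.radware.com\r\n\r\n")
    to_server = lb.first_request(get, server_isn=9000)
    reply = lb.server_to_client(Segment("ACK", seq=9001, ack=1001 + len(get.payload),
                                        payload=b"HTTP/1.1 200 OK\r\n\r\n"))
    return lb, synack, to_server, reply


if __name__ == "__main__":
    lb, synack, to_server, reply = demo()
    print(lb.log, to_server, reply, sep="\n")
```

The cost of delayed binding is visible in the model: the load balancer owns a fully open client connection and a buffered request before any server is involved, so it must cap how much it buffers per unbound connection, which is also why SYN protection is a separate feature on the earlier slides rather than a by-product of binding.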
Slide 62
Hash Metric Operation
Diagram: clients 20.6.7.8 and 47.1.2.3 reach the VIP; real servers R1, R2 and R3.
Hash Table (entries 1 to 1023 on the slide), filled by cycling through the real servers:
1 → R1, 2 → R2, 3 → R3, 4 → R1, 5 → R2, 6 → R3, 7 → R1, 8 → R2, …, 1023 → Rx
Hash(20.6.7.8) = 3 → R3
Hash(47.1.2.3) = 7 → R1
Command line configuration:
/cfg/slb/group x/metric hash
Slide 63
Why Source IP Persistence Mode Does Not Work
Diagram: Client #1 and the other clients behind a Proxy Firewall all land on RIP_2.
• Many individual users coming from a proxy firewall are directed to a single server.
• Traffic is concentrated on a single server instead of being load balanced.
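The hash metric of the Hash Metric Operation slide and the proxy-firewall problem just above, as one added Python example (not Radware code). The 1024-entry table is filled by cycling through the real servers exactly as the slide draws it; the slide does not give the hash function, so a simple fold of the source address is assumed here. The client, proxy and server names are constructed, and entries are numbered from 0 rather than from 1 as on the slide.

```python
# Added example (not Radware code): the hash metric's server table and why a
# proxy firewall in front of many users defeats source-IP based persistence.
# The hash function is an assumption; clients and servers are constructed.
import ipaddress
from collections import Counter

TABLE_SIZE = 1024


def build_hash_table(servers, size=TABLE_SIZE):
    """Entry i points at servers[i % n]: R1, R2, R3, R1, R2, R3, ... as on the slide."""
    return [servers[i % len(servers)] for i in range(size)]


def hash_ip(ip, size=TABLE_SIZE):
    """Assumed hash: fold the 32-bit address with XOR and reduce modulo the table size."""
    n = int(ipaddress.IPv4Address(ip))
    folded = (n & 0xFFFF) ^ (n >> 16) ^ ((n >> 8) & 0xFF)
    return folded % size


def select_by_hash(table, client_ip):
    """Same source IP -> same entry -> same server, which is what gives persistence."""
    return table[hash_ip(client_ip, len(table))]


def distribution(table, client_ips):
    """How many of the given clients land on each real server."""
    return Counter(select_by_hash(table, ip) for ip in client_ips)


if __name__ == "__main__":
    table = build_hash_table(["R1", "R2", "R3"])
    # Constructed: 50 users whose requests all leave a proxy firewall as 198.51.100.1.
    print("behind one proxy:", distribution(table, ["198.51.100.1"] * 50))
    # Constructed: 30 users with their own addresses in 198.51.100.0/24.
    print("distinct sources:", distribution(table, [f"198.51.100.{x}" for x in range(1, 31)]))
```

The two `distribution` calls show the slide's point directly: the hash is deterministic per source address, so thirty distinct sources spread over R1, R2 and R3, while fifty users sharing the proxy's address all collapse onto one entry and therefore one server. The cookie and URL-parameter session IDs on the following slides exist to key persistence on something that is unique per user rather than per source address.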
Slide 64
Dynamic Session ID Example - Cookie
Session-ID-Value
Session-ID-Identifier
slide 65
Dynamic Session ID Example – URL-Parameter
Session-ID-Value
Session-ID-Identifier
Slide 66
XML Tag based Persistency
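Dynamic session-ID persistency across the three preceding slides (cookie, URL parameter, XML tag), as one added Python example that is not Radware code. A persistency rule names where the Session-ID-Identifier lives and what it is called; the Session-ID-Value extracted from each request selects the server that was bound when that value was first seen. The identifier names (`JSESSIONID`, `sid`, `SessionID`), the requests and the server names are constructed, and the round-robin choice for a new session is an assumption.

```python
# Added example (not Radware code): session-ID persistency keyed on a value
# taken from a cookie, a URL parameter or an XML tag. Names are constructed.
import xml.etree.ElementTree as ET
from itertools import cycle
from urllib.parse import parse_qs, urlsplit


def session_id_from_cookie(headers, identifier):
    """Session-ID-Value of the named cookie in the Cookie header, or None."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == identifier:
            return value
    return None


def session_id_from_url(target, identifier):
    """Session-ID-Value of the named query parameter in the request target, or None."""
    params = parse_qs(urlsplit(target).query)
    return params.get(identifier, [None])[0]


def session_id_from_xml(body, identifier):
    """Text of the first element named `identifier` in an XML body, or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find(f".//{identifier}")
    return node.text.strip() if node is not None and node.text else None


class PersistencyTable:
    def __init__(self, servers, where, identifier):
        self.where, self.identifier = where, identifier
        self._rr = cycle(servers)      # assumed dispatch for sessions not yet bound
        self.bindings = {}             # Session-ID-Value -> real server

    def extract(self, req):
        if self.where == "cookie":
            return session_id_from_cookie(req["headers"], self.identifier)
        if self.where == "url":
            return session_id_from_url(req["target"], self.identifier)
        if self.where == "xml":
            return session_id_from_xml(req.get("body", ""), self.identifier)
        raise ValueError(self.where)

    def dispatch(self, req):
        """Return (server, reason): 'persistent' when the value is already bound."""
        sid = self.extract(req)
        if sid is not None and sid in self.bindings:
            return self.bindings[sid], "persistent"
        server = next(self._rr)
        if sid is not None:
            self.bindings[sid] = server    # learn the value the first time it appears
        return server, "new"


if __name__ == "__main__":
    t = PersistencyTable(["s1", "s2"], "cookie", "JSESSIONID")
    req = {"target": "/app", "headers": {"cookie": "theme=dark; JSESSIONID=abc123"}}
    print(t.dispatch(req), t.dispatch(req))
```

One point a practitioner would want stated: because the value is learned from the first request that carries it, the table grows with every distinct value a client presents, so a real implementation ages entries out and bounds the table, otherwise arbitrary client-chosen values become a cheap way to fill it.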
Slide 67
Transaction Acceleration
Server Offloading & Application Acceleration
Slide 69
Server Offloading & Application Acceleration
Slide 70
Demo Conclusions
Slide 71
Redundancy
Redundancy – Interface Grouping
The Problem . . .
Diagram: an Active AD and a Backup AD exchanging VRRP Advertisements in front of the Server Farm.
slide 73
Global SLB
Radware Global Solution Flow
Slide 75
Site Selection
Global Server Load Balancing is based on:
• Site Load - direct clients to the most available site, according to the site
which is the least loaded and has the most operational servers
– Cyclic
– Least amount of users
– Least amount of traffic
– Windows NT agent
– SNMP customized
– Response time
– Server weights
• Network Proximity – direct clients to the ‘closest’ site, in terms of:
– Router hops
– Latency
Slide 76
Site Selection – cont.
Diagram: each site’s AppDirector (and the Web-GW1 gateway) calculates its network proximity to the client and its site load before the site is chosen.
Slide 77
DNS Redirection
Diagram: the client asks DNS for www.site.com; the query reaches AppDirector 1 (site WEB1) and AppDirector 2 (site WEB2, proximity probe NP2); after best site selection the answer returned is www.site.com = AD2.
Slide 78
Application Redirection
• HTTP redirection
• Global Triangulation Redirection
• RTSP redirection
• HTTPS redirection
• SIP redirection
• Proxy redirection
Unique to Radware: with competitive solutions 5% of HTTP transactions are lost
• Case examples:
– Customers using applications which do NOT use DNS
– User session already open to another site
• How?
– Wide range of Application Redirection methods
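Site selection plus the two redirection styles of the Global SLB slides (Site Selection, DNS Redirection, Application Redirection), as one added Python example that is not Radware code. Each site reports its load (users, traffic, operational servers) and its network proximity to the client (router hops, latency); the best site is handed back either as a DNS answer or as an HTTP redirect for clients that do not go through DNS. The site data, the weighting of the two scores and the load formula are constructed assumptions; the slide names the inputs, not a formula.

```python
# Added example (not Radware code): global site selection on site load and
# network proximity, returned as a DNS answer or as an HTTP redirect. Site
# data and the scoring are constructed.
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    address: str
    users: int
    traffic_mbps: float
    servers_total: int
    servers_up: int      # operational servers after health checks
    hops: int            # router hops to the client (proximity input)
    latency_ms: float    # latency to the client (proximity input)


def site_load(site):
    """Lower is better; a site with no operational servers is unavailable."""
    if site.servers_up == 0:
        return float("inf")
    # Constructed load score: users and traffic spread over the servers still up.
    return (site.users + site.traffic_mbps) / site.servers_up


def network_proximity(site):
    """Lower is better: router hops and latency, the two inputs the slide lists."""
    return site.hops * 10 + site.latency_ms


def select_site(sites, load_weight=1.0, proximity_weight=1.0):
    """Best site = lowest weighted sum of load and proximity among available sites."""
    candidates = [s for s in sites if site_load(s) != float("inf")]
    if not candidates:
        return None
    return min(candidates,
               key=lambda s: load_weight * site_load(s) + proximity_weight * network_proximity(s))


def dns_answer(hostname, sites):
    """DNS redirection: answer the query for hostname with the best site's address."""
    best = select_site(sites)
    return None if best is None else (hostname, best.address)


def http_redirect(hostname, path, sites):
    """HTTP redirection for applications that reach the site over HTTP without DNS."""
    best = select_site(sites)
    if best is None:
        return "HTTP/1.1 503 Service Unavailable\r\n\r\n"
    return f"HTTP/1.1 302 Found\r\nLocation: http://{best.address}{path}\r\n\r\n"


SITES = [   # constructed; addresses are documentation ranges
    Site("AD1/WEB1", "192.0.2.10", users=800, traffic_mbps=400, servers_total=4, servers_up=4, hops=12, latency_ms=120),
    Site("AD2/WEB2", "198.51.100.10", users=300, traffic_mbps=100, servers_total=4, servers_up=3, hops=4, latency_ms=30),
    Site("AD3/WEB3", "203.0.113.10", users=0, traffic_mbps=0, servers_total=2, servers_up=0, hops=1, latency_ms=5),
]

if __name__ == "__main__":
    print(dns_answer("www.site.com", SITES))
    print(http_redirect("www.site.com", "/index.html", SITES))
```

AD3 is the closest site by proximity but has no operational servers, so it is excluded before any scoring; that ordering (availability first, then load and proximity) is the only way the "most operational servers" input on the Site Selection slide can override a good proximity number.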
Slide 79
HTTP redirection
Diagram: the Client is redirected by HTTP to the selected site.
Slide 80
Global Triangulation Redirection
Diagram: the Client’s traffic is triangulated between the sites.
Slide 81
RTSP redirection
Diagram: three sites, London, Hong Kong and New York, each with an AppDirector (WSD NP). The client’s HTTP request is answered with "Redirect RTSP NY", and the RTSP stream is then served from the New York AppDirector.
Slide 82
RTSP redirection: Business Benefits
Slide 83
OnDemand Switch Hardware
Alteon Platform Portfolio
• On demand scalable: 0-4 Gbps and 1-24 vADCs (port density, processing power)
• Alteon 5224 on ODS LS, on demand scalable: 20-80 Gbps and 1-256 vADCs
Slide 85
Understanding VADI
Slide 86
Radware vADCs and ADC-VXTM
Slide 87
Radware ADC-VX Solution
ADC-VX is the industry’s first ADC hypervisor that runs multiple virtual ADC instances
• Each vADC is private and isolated
• Each vADC performance is reserved, predictable and guaranteed
• vADCs are instantly provisioned on demand
• Best solution for ADC virtualization and consolidation
• vADC throughput range – 10Mbps to 20Gbps
• Fit any size and type of customer
30x higher consolidation ratio than the competition!
• Highest vADC density in the market
• Lowest cost per vADC
Has been deployed in more than 100 projects and consolidated more than 1000 ADC devices!
Slide 88
Radware Alteon VA Solution
Slide 89
Alteon 10,000
• Platform
o High-end 80G ADC platform
o Up to 4 processing blades of 20Gbps each
o Switch blade for internal communication
o External ports:15 x 10G, 8 x 1G
• Performance
o 80 Gbps throughput
o 1.4M L4 CPS
o 700K L7 CPS
o 56M concurrent connections
Slide 90
Alteon 10,000
• Greener IT
o Up to 3 power supply units
Slide 91
Alteon 10,000 and VADI
• Alteon 10,000 fully benefits from all VADI services and can be managed by the
Orchestration systems
Slide 92
Integration into the Ecosystem
Slide 93
Radware ADC FabricTM
Diagram (Data Center with a Management & Orchestration System over the ADC Fabric, sites A and B):
– Migrate a vADC from the physical ADC to the virtualized ADC
– Migrate across form factor
– Scale the Fabric when capacity is maxed out
– Provision a vADC with AppShape technology from the catalogue to meet business needs
– Redundancy across the Fabric
Slide 94
Radware ADC Provides the Best of Both Models
Slide 95
Radware ADC Provides the Best of Both Models
Slide 96
Radware vADC per App with AppShape
Technology Changes the ADC Paradigm
Slide 97
Management Options
Management Methods
• APSolute API
• SOAP/XML
slide 99
Management Dashboard
Slide 100
Fast Rollout Using vADC and AppShape
Slide 101
Thank You
www.radware.com
Slide 102