




AppDirector Level 1 course code: 400-101 Radware Knowledge & Education

Slide 2
Contents
AppDirector: training presentations day 1 overview lab configuration management farms layer 4 traffic redirection health monitoring

Slide 3
Contents
AppDirector: training presentations day 2 server management client management layer 7 policies client NAT

Slide 4
Contents
AppDirector: training presentations day 3 transaction acceleration redundancy exam

Slide 5
Radware Certified Application Specialist (RCAS)
Certification is split into two parts part 1: hands-on practical exam part 2: web-based certification exam included at course fee (first try) hands-on always proctored from trainer usually done directly after the training certification exam

AppDirector high level overview

Slide 7
Agenda
AppDirector : overview introduction features and licensing AppDirector hardware

Introduction
Introducing Radware application delivery solution
Radware application delivery solution is a comprehensive, cost-effective solution ensuring: full availability maximum performance complete security of your mission-critical applications, while enabling greater cost reduction and higher ROI

Slide 9

Slide 10
Employees & users, customers, partners, data center, application servers, web & portal servers, ESB, message queuing system, mainframe, database servers, AppDirector, AppXML, identity management system
Radware ADC solution topology
Web services & XML gateway, intelligent application delivery controller, best-in-class web application firewall, AppWall
Virtual Director
Application delivery solution for the virtualized data center
Virtual ADC adapter network diagram
Customers, mainframe, database servers, vCenter VMware management server, AppDirector, VI virtual infrastructure
Virtual ADC adapter listens to any configuration change in vCenter
Virtual ADC adapter automatically configures the ADC with the new configuration change
Virtual ADC adapter

Slide 11

Slide 12
Data center cost reduction
Cost reduction involves the following factors: reduce CAPEX product and equipment costs reduce OPEX maintenance, electricity, cooling, space costs faster ROI lower TCO
Radware's ADC solution enables significant cost reduction through: on demand throughput and service scalability platform longevity green platform leadership superior performance per watt

Slide 13
Multiple elements evolve with the organization over time throughput requirements application requirements
New! IP telephony service, traditional IT applications, additional server capacity, new customers
On demand scalability in services and throughput
Radware's on demand scalability enables: elimination of overspending on the ADC solution to deliver full investment protection paying for the exact capacity required through the “pay-as-you-grow” approach on demand scaling when more throughput or services are required without a forklift upgrade all translate into significant savings on CAPEX

Slide 14
5-year platform longevity guaranteed
Radware platform longevity guarantees business benefits: extended platform life time sold for at least the next five years platform standardization and operational simplicity reduce OPEX on maintenance, training and spare units platform longevity, combined with platform performance leadership and scalability options, enables you to achieve full business benefits with CAPEX and OPEX savings
Platform longevity guaranteed

Slide 15
OnDemand Switch: designed green
Radware ADC hardware platforms are designed green using custom-made hardware with: embedded components providing more efficient power consumption small footprint of 1U devices for minimal rack footprint less heat dissipation and in addition: reducing your data center's overall energy consumption thanks to offloading servers!
Radware ADC solution reduces OPEX and enables your green environmental objectives
Superior L7 TPS processing, validated performance leadership, consistent 4Gbps throughput capacity, superior SSL acceleration

Slide 16

Slide 17
Radware provides the most comprehensive global traffic management solution reachability through DNS and anycast US patented global load balancing based on proximity redirection methods: DNS, HTTP, RTSP US patented triangulation Network Products Guide best global load balancing award
Radware global solution
Radware GSLB guarantees transaction completion for all applications in distributed sites at all times delivering the best response time
Guarantee business continuity ensure transaction completion increase asset ROI
Radware ADC solution business value

Slide 18

Features and licensing

Slide 20
AppDirector features and licensing
The AppDirector is available with the following licenses: standard-local license optional licenses can be purchased: global license throughput license SSL license (2.x, 500 CPS included in standard license) compression license (2.x, 100Mbps included in standard license) bandwidth management and intrusion prevention DoS Shield and B-DoS

Slide 21
Local and global functionality
Local health monitoring traffic redirection SSL compression application security DoS protection bandwidth management

Slide 22
AppDirector features and licensing
Traffic redirection and optimization the main focus of the AppDirector is the ability to redirect traffic loads included in this function are: load balancing client management layer 7 switching client persistency SSL caching compression

Slide 23
AppDirector features and licensing
Health monitoring monitoring active applications to verify the servers' health over 20 different predefined protocol checks including: HTTP and HTTPS DNS FTP LDAP/S SMTP RTSP .

Slide 24
AppDirector features and licensing
IPS the IPS functionality provides the following internal mechanisms: application security anti-scanning stateful inspection protocol anomalies protection

Slide 25
AppDirector features and licensing
Bandwidth management services the bandwidth management services are provided using the following internal mechanisms: the policy database the classifier the queues the scheduler

Slide 26
AppDirector features and licensing
DoS mitigator the DoS license provides the following internal mechanisms: rate based DoS protection SYN flood protection with SYN cookies behavioral DoS protection and attack mitigation

Slide 27
AppDirector features and licensing
Global the global license enables the ability to redirect traffic to multiple sites and collect global statistics from those sites for optimal load considerations. Two mechanisms are enabled with global: redirection HTTP DNS triangulation RTSP any cast client proxy proximity based on hop count, latency, and load.

OnDemand Switch hardware
AppDirector platform offering
Throughput (Gbps), port density, processing power, 1G, 2G, 4G, 8G, 12G, 16G, AppDirector x016, AppDirector x08

Slide 29
8-20 Gbps on demand, scalable throughput ports: 8 x GE, 4 x 10GE, 4 x SFP serial, dual out-of-band management ports LCD, USB port layer 2 switch dual AC/DC power supply
0-4 Gbps on demand, scalable throughput ports: 6 x GE, 2 x SFP USB port, serial dual AC/DC power supply
20G
AppDirector on OnDemand Switch VL

Slide 30
Radware's most-affordable AppDirector offering: up to 4 Gbps throughput, 2 SFP (1G) ports, 6 GE ports, USB port, RJ-45 standard console port, HA: dual power supplies
OnDemand Switch VL highlights
Port density 6 Gigabit Ethernet ports (copper) 2 Gigabit fiber ports (SFP-GBIC mini) one of the GE ports can be configured for out-of-band management front panel controls power and reset button short and long press power button press button, state remembered USB RJ-45 standard console port LEDs: PWR, SYS OK high reliability high MTBF - 190k hours

Slide 31
OnDemand Switch 3
Up to 20Gbps throughput capacity 2U form factor NEBS ready dual, redundant AC/DC power supply configurations 16 GB memory (upgradeable to 32 GB) 2 AMD Shanghai 2.5 GHz quad core processors

Slide 32
OnDemand Switch 3: port density
Traffic ports 4 10 Gigabit fiber ports (XFP pluggable optics) ports 4 Gigabit Ethernet SFP ports (SFP-GBIC mini) 8 Gigabit Ethernet copper ports on switch management ports 2 out-of-band Gigabit Ethernet for management, bypassing switch switch H/W trunks supported STP supported

Slide 33

Slide 34
Front panel input/output
Power and reset buttons short and long press power button press button, state remembered USB serial console LEDs: PWR, FAN, SYS OK LCD

Slide 35
Dedicated management ports
Two dedicated management ports reliable even under high load of traffic ports a separate trunk can be built of 2 for reliability no traffic forwarded between management and traffic ports

Slide 36
ODS1 ODS2
OnDemandSwitch 1 & 2
OnDemand Switch 1 versus 2
ODS 1&2 provide the same throughput levels, but differ in: ports density switching - ODS2 provides hardware switching capabilities performance - ODS2 delivers a bit more performance over ODS1 memory - ODS1 & ODS2 are shipped with sufficient memory to address most application requirements. ODS1 shipped with 2GB ODS2 shipped with 2GB, upgradeable to 4GB

Slide 37
OnDemand Switch 1
Ports 4 Gigabit Ethernet (copper/fiber) for traffic 2 Gigabit Ethernet for management dual mode ports inserted GBIC select SFP port otherwise RJ45 copper port is active AMD Opteron dual-core 2.2 GHz up to 2GB memory
OnDemand Switch 2
Ports 4 SFP for GBIC on switch 12 Gigabit Ethernet copper ports on switch 2 separate Gigabit Ethernet for management switch H/W trunks supported STP supported AMD Opteron dual-core 2.6 GHz up to 4GB memory

Slide 39
OnDemand Switch tech specs summary

Slide 40
Enhanced acceleration, standard acceleration
OnDemandSwitch VL,3 and OnDemandSwitch VL,3 XL

Slide 41
Enhanced acceleration
AppDirector ODS hardware platforms comparison chart:
Standard acceleration
OnDemandSwitch 1,2 and OnDemandSwitch 1,2 XL

Slide 42

Technical overview

Slide 44
Agenda
AppDirector: technical overview introduction physical topologies basics of traffic flow

Slide 45
Introduction
The AppDirector is a high-speed application load balancer, able to maintain traffic flows for both local and geographically diverse application server operations. The capabilities of the AppDirector are divided into two categories part of the APSolute OS architecture: traffic redirection health monitoring

Slide 46
Introduction
Traffic redirection parameters to create, manage and manipulate the flow of traffic are found in the traffic redirection menu. Menu items included are: farms layer 4 policies layer 7 policies distributed site NAT DNS segmentation

Slide 47
Introduction traffic redirection

Slide 48
Health monitoring
Health monitoring contains two parts: health check DB the DB of all the health checks being performed by the AppDirector binding table binding the health checks to the servers in the AppDirector.

Slide 49
AppDirector terminology
Some basic terminology that will be used through the presentation. A farm is a collection of servers running the same application web, mail, DNS, FTP, etc a virtual IP address is used to forward traffic to farms layer4/7 policies are used to tie the VIP to the farm

Physical topologies

Slide 51
AppDirector physical topologies
Switch, switch, backup AppDirector, active AppDirector, router, 54,,,

Slide 52
AppDirector physical topologies
Switch, backup AppDirector, active AppDirector, router 54, server 0, server default gateway active AppDirector, server 1, server 2, server 3,,,
One-leg mode
VLAN tagging 802.1q
For AppDirector to support VLAN tags you need to enable 802.1q environment support. After enabling you need to reboot the device! VLAN tag handling can be retain VLAN tags: preserves VLAN tags on incoming traffic passing through the device (used only with segmentation per VLAN, but is default) overwrite VLAN tags: rewrites VLAN tags based on the local subnet to which the traffic is sent or on the destination MAC of the packet. CLI net vlan-tag-environment set enable Web Based Management device VLAN tagging

Slide 53

Slide 54
Local triangulation
Single-leg configuration servers with routable addresses servers gateway is not the AppDirector uses loopback adapter on each server in farm loopback address on each server is that of the VIP loopbacks must not answer ARP requests

Slide 55
Local triangulation
AppDirector, router , IP = 0 loop back = 00 default gateway = , VIP = 00, IP = 0 loop back = 00 default gateway = , load balancing decision, source IP client destination IP VIP destination MAC - server, triangle
Segmentation
If using a single AppDirector to load balance multiple farms - each located on a different segment around a firewall - AppDirector must ensure that all traffic between segments is passed through the firewall. Segmentation involves dividing your network into logical segments, where a single AppDirector load balances the traffic so that all segments can be inspected by a single firewall. Segmentation can be done by physical ports or VLAN-tags

Slide 56
Segmentation - notes
Segmentation is a global AppDirector feature and can not be turned on and off per farm. All the segments must be of the same type: either port segments or VLAN tag segments. Device management can only be performed via a port/VLAN tag that belongs to the default segment. AppDirector default gateway can only belong to the default segment. You can also assign a NHR to each segment, similar to the way next hop routers can be associated with virtual IPs. A configuration where farms associated with the same layer 4 policy VIP are associated with different segments is not supported. You need to ensure that these configuration conflicts are avoided. Similarly, configurations where servers and the virtual IP do not belong to the same segment are not supported. Segmentation by physical ports cannot be used when the same physical port belongs to multiple segments and is used with delayed binding (layer 7 policies, session ID persistency, SYN flood protection, etc).

Slide 57

Slide 58
Next-hop-router per VIP
Switch, switch, backup AppDirector, active AppDirector, router, 54,,, router, 53, VIP 1, VIP 2

Slide 59
Next-hop-router per VIP

Traffic flow

Slide 61
AppDirector basics of traffic flow
In most circumstances, the AD requires that traffic flow bi-directionally through the device- clients send a request to a layer-4 policy and the AD forwards the request to a server: the server responds back through the AD. The AD will only load balance traffic that is destined to a matching layer-4 policy the AD will not intercept other traffic flowing through the device. It will only route it.

Slide 62
Overview
Flow options there are 4 different possible flow configurations on the AppDirector: normal local triangulation client NAT global

Slide 63
Overview
Normal flow: client connects to a layer-4 policy (VIP). AppDirector makes a forwarding decision. Client is sent to a selected server. Server responds back to client through AppDirector.

Slide 64
Overview normal flow
VIP (00), client , server 1 0, server 2 1, server 3 2, load balancing decision, VIP

Slide 65
Overview
Local triangulation: client connects to a layer-4 policy (VIP). AppDirector makes a forwarding decision. AppDirector sends client to the MAC address of the server with a loopback adapter configured as the VIP. Server responds back to client through a router bypassing AppDirector.

Slide 66
Overview local triangulation
VIP (00), client , server 1 0, server 2 1, server 3 2, load balancing decision, VIP

Slide 67
Overview
Client NAT: client connects to a VIP. AppDirector makes a forwarding decision. Client is NATed and then sent to a selected server. Server responds back to client through AppDirector.

Slide 68
Overview client NAT
VIP (00), client , server 1 0, server 2 1, server 3 2, load balancing decision, VIP, client NAT 0

Slide 69
Overview
Global: HTTP and DNS: client is redirected based on HTTP or DNS and then traffic is the same as a local traffic flow. Triangulation: client connects to AD A is forwarded to AD B and receives responses from AD B.

Slide 70
Overview global triangulation
Client =0, VIP = 00, client , server 1 0, global triangulation, mapped VIP, VIP

Slide 71
Local functionality
AppDirector, farm 1, farm 2, farm 3, 512 layer4 policies, 50.000 logical servers
Note: you can tune the device to support up to 6000 layer4 policies
Tuning for AppDirector 2.13

Slide 72
Tuning for AppDirector 2.13 (continued)

Slide 73

Slide 74
Global functionality
Local and global, Dallas servers, Beijing servers, London servers, local and global, Lima servers, local, local

Slide 75
Dallas servers, Beijing servers, London servers
AppDirector basics of traffic flow proximity
PRP to Dallas, PRP to Dallas

Slide 76
Site evolution and growth
Dallas local, Dallas global, license upgrade

Slide 77
Server offloading & application acceleration

Slide 78
Server offloading & application acceleration
Enhanced application acceleration functions server offloading: SSL acceleration client authentication caching content delivery acceleration: HTTP compression caching TCP optimization central certificate repository improved ADC manageability
SSL acceleration: functionality
Supports both front-end and back-end SSL select server certificate select predefined cipher suite or user-defined list use intermediate CA to create certificates chaining define back-end server listening port in case it is different from front-end define back-end SSL with its own cipher suite supports HTTP headers redirect modification to HTTPS HTTP response hostname that appears in requests is always converted define which hosts to redirect using regular-expressions

Slide 79
Caching: