Radware-Alteon Application Switch and Blue Coat Proxy


Radware-Alteon Application Switch and Blue Coat Proxy
Implementation Guide

Products: Radware-Alteon Application Switch
Software: Radware-Alteon Application Switch version 26.3.0.3
Platform: Alteon Application Switch 5412
Blue Coat: CacheFlow 5000 Series

Table of Contents

Solution Overview
        Blue Coat CacheFlow 5000 Series Overview
        Radware-Alteon Application Switch Overview
Design Overview
        Joint Subsystem Traffic Flow Definition
Primary Radware-Alteon Application Switch Configuration
        Initial Configuration of the Switch Management Interface
        Connecting to the Switch
        Logging into the Switch
        Detailed Configuration Overview
Setting up the Redundant Radware-Alteon Application Switch
        Initial Configuration of the Switch Management Interface
        Connecting to the Switch
        Logging into the Switch
        Redundant Unit Networking Configuration to Prepare Sync
        From the Primary Unit Command Line, Sync Redundant Unit
Appendix 1 – Optional Advanced Configurations
        Steering Configuration to Classify Top Talking Domains with URL Hashing
        Hostname Hashing for Redirection Filters Layer 7 Dispatch
Appendix 2 – Primary Unit Configuration
Technical Support

Solution Overview

The Radware-Alteon and Blue Coat joint solution ensures Blue Coat customers a resilient, efficient and scalable solution. Radware's Alteon Application Delivery Controller (ADC) guarantees Blue Coat Proxy devices maximum availability, scalability, performance and security, while managing traffic for WAN Optimization and Secure Web Gateway services.

By offloading processor-intensive operations from Blue Coat Proxies, Alteon Application Switch frees the proxies' CPUs to handle additional traffic and enhances the Quality of Experience for end users. The advanced health monitoring capabilities of Alteon eliminate system down time, and the advanced Layer 7 traffic management capabilities allow maximum flexibility of the system.

By embracing Radware's "Pay-as-you-Grow" approach, joint solution customers only pay for the exact capacity currently required and prevent over-spending on the initial solution. Throughput capacity, acceleration capabilities and application-aware services can be added on demand to meet new business requirements.

Blue Coat CacheFlow 5000 Series Overview

The Blue Coat CacheFlow appliance enables service providers to manage dramatic increases in network traffic and subscriber growth. Utilizing highly effective Web caching technology, CacheFlow appliances save bandwidth on expensive international links and backhaul traffic, while improving the end-user Web experience. Through a scalable architecture of cache farms, service providers can accelerate the delivery of rich Web 2.0 content, large files and video. This significantly reduces infrastructure costs by controlling bandwidth consumption while improving customer satisfaction.

Key Benefits and Feature Overview:

Save bandwidth. By caching content in-region and closer to the user, the CacheFlow appliance drastically reduces bandwidth consumption. This translates into a rapid return on investment and significant long-term cost savings for service providers on international bandwidth, as well as reducing backhaul traffic on domestic links.

Accelerate Web 2.0 and Rich Media Delivery. CacheFlow enables you to cache popular rich media and Web 2.0 sites, including file-sharing and video sites. Caching saves on bandwidth while boosting the user experience.

Ensure Caching Effectiveness. CacheFlow leverages Blue Coat CachePulse for automatic, network-based updates as the Web changes, to ensure the appliance effectively caches content and consistently delivers high bandwidth savings.

Filter and Secure Web Traffic. By turning on the built-in Blue Coat WebFilter option, CacheFlow filters and secures web traffic, including undesirable content and malware-infected sites. CacheFlow also allows you to create customized exception and block lists for specific sites, as well as leverage the Internet Watch Foundation list to filter illegal content.

Scale with User and Traffic Growth. CacheFlow was designed for high-throughput service provider environments with the ability to scale to multi-gigabit support through the use of cache farms. CacheFlow offers both 1GigE and 10GigE interfaces for high-speed network infrastructure requirements and tight integration with load-balancing switches for greater scalability and performance.

Manage and Report on Web Traffic. CacheFlow provides an intuitive Web-based management console and command-line tools for administering the appliance. For ongoing monitoring, CacheFlow integrates via SNMP with common network management solutions and supports event logging via syslog.

Carrier-class Service and Support. Global 24/7 support options are available for the CacheFlow appliance. The appliance is supported by a dedicated team of service provider experts at Blue Coat, and the appliance includes built-in features so support can proactively mitigate issues and expedite resolution.

For more information, please visit: http://www.bluecoat.com/

Diagram 1.0 – Blue Coat CacheFlow and Radware-Alteon Application Switch Logical Topology

Radware-Alteon Application Switch Overview

Radware-Alteon Application Switch is an intelligent application delivery controller (ADC) that provides scalability and application-level security for service infrastructure optimization, fault tolerance and redundancy. Radware combined its next-generation OnDemand Switch multi-gigabit hardware platform with the powerful capabilities of the Alteon operating system, resulting in accelerated application performance, local and global server availability, and application security and infrastructure scalability for fast, reliable and secure delivery of applications over IP networks.

Radware-Alteon Application Switch is powered by the innovative OnDemand Switch platform. OnDemand Switch, which has established a new price/performance standard in the industry, delivers breakthrough performance and superior scalability to meet evolving network and business requirements. Based on its on-demand, "pay-as-you-grow" approach, no forklift upgrade is required even when new business requirements arise. This helps companies guarantee short-term and long-term savings on CAPEX and OPEX for full investment protection. Radware's OnDemand Switch enables customers to pay for the exact capacity currently required, while allowing them to scale their ADC throughput capacity and add advanced application-aware services or application acceleration services on demand to meet new or changing application and infrastructure needs. And it does so without compromising on performance.

Radware-Alteon Application Switch lets you get the most out of your service investments by maximizing the utilization of service infrastructure resources and enabling seamless consolidation and high scalability. Radware-Alteon Application Switch throughput licensing options allow pay-as-you-grow investment protection. Make your network adaptive and more responsive to your dynamic services and business needs with Radware-Alteon Application Switch's fully integrated traffic classification and flow management, health monitoring and failure bypassing, traffic redirection, bandwidth management, intrusion prevention and DoS protection.

Key Benefits:

- Support for Bridge and Routed deployment options, providing a powerful in-line vehicle.
- Simultaneous support for VIP (CDN) and transparently intercepted (Standard) Optimization service traffic.
- Intelligent request differentiation and distribution based on flexible filters, optimizing cache hit ratios.
- Bi-directional persistency for transparent service deployments.
- OnDemand throughput for incremental growth and long-term solution viability.
- Repeatable deployment model, standardizing configurations and minimizing risk.

For more information, please visit: http://www.radwarealteon.com/

Design Overview

There are two types of traffic interception models used in Content Delivery Networks and Optimization Infrastructure designs. One is a transparent model geared toward transparently intercepting requests destined for origin servers outside of the system's domain, where traffic forwarding logic and load distribution strategies are equally important based on the load and availability of cache/optimization resources. The goal of the ADC in this model is to provide Layer 7 inspection of requests to ensure content support, switching and persistency in a high-volume environment. This model is highly dependent on the surrounding routing infrastructure to policy route traffic via the in-line vehicle (Radware-Alteon Application Switch) for advanced packet handling. This transparent design, which includes source IP integrity throughout the joint subsystem, represents the most complex configuration and will therefore be the focus of this implementation guide.

The second design model, which can easily be supported in parallel to the transparent configuration by the Radware-Alteon Application Switch, is that of a hostname/virtual IP model. In this model, domains are under the control of system administration and content is intelligently published to one or many optimization nodes, where the goal of the ADC is to intelligently steer incoming requests to the most appropriate resource locally or geographically.

Diagram 2.0 – Blue Coat CacheFlow and Radware-Alteon Application Switch Physical Topology (elements shown: Edge Router, Radware-Alteon, Provider Router, Standard HTTP Access, Internet, Blue Coat Caches, CDN HTTP, User Agents)

Joint Subsystem Traffic Flow Definition

Focusing on the transparent design model, traffic is policy routed to the ADC for service evaluation bi-directionally. If the request is an HTTP request, the ADC will hash a forwarding decision from the value contained in the "Host" header. This optimizes hit ratios per domain, avoiding the object-level granularity seen in evaluation of the entire URI. If necessary, it is also possible to switch on a given domain and then hash on the full URI to obtain URI or object-level granularity, given unusually high volume for a specific domain. By evaluating the Host header, Radware-Alteon eliminates the challenge where a single domain may be represented by more than one destination IP address, optimizing hit ratios and lowering day-two administration requirements. Ultimately this process ensures optimization of the caches while removing unnecessary traffic.

Once the cache is invoked for a given session, it forwards the request on to the origin server spoofing the original client IP. To ensure bi-directional persistency of requests and responses, the Radware-Alteon Application Switch tracks outbound connections to ensure proper bi-directional state management.

Primary Radware-Alteon Application Switch Configuration

Diagram 3.0 – Blue Coat CacheFlow and Radware-Alteon Application Switch Reference Topology
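The bi-directional state tracking described in the traffic flow definition above, as an added Python model that is not Radware's code: filter 10 redirects TCP/80 to the cache group, filter 20 routes everything else, and a Return-to-Sender table maps a connection the cache opened with the spoofed client IP back to that cache when the origin's reply arrives. The cache and gateway addresses are taken from this guide's configuration; the client and origin addresses in the comments are constructed.

```python
import zlib

# Constructed values mirroring the guide's topology: the two real servers of
# group 1, the default gateway on VLAN 66, and the two filters applied to port 1.
CACHE_GROUP = ["10.65.254.200", "10.65.254.201"]
DEFAULT_GW = "10.66.0.1"
FILTERS = [  # evaluated in order, as "add 10" then "add 20" on /c/slb/port 1
    {"id": 10, "action": "redir", "proto": "tcp", "dport": 80},
    {"id": 20, "action": "allow"},
]

def pick_cache(dst_ip):
    """Stand-in for the group metric of the base configuration (DST IP hashing)."""
    return CACHE_GROUP[zlib.crc32(dst_ip.encode()) % len(CACHE_GROUP)]

class Alteon:
    """Minimal model of filter redirection plus Return-to-Sender (RTS) tracking."""

    def __init__(self):
        # RTS session table: (client ip, client port, origin ip, origin port) -> cache
        self.sessions = {}

    def from_network(self, src, sport, dst, dport, proto="tcp"):
        """Packet arriving on port 1 (filt ena). The RTS table is consulted first:
        a reply to a connection a cache opened with the client's spoofed source IP
        is handed back to that cache instead of being routed toward the client."""
        cache = self.sessions.get((dst, dport, src, sport))
        if cache is not None:
            return ("rts", cache)
        for f in FILTERS:
            if f["action"] == "redir":
                if proto == f["proto"] and dport == f["dport"]:
                    return ("redir", pick_cache(dst))
            else:
                return ("route", DEFAULT_GW)
        return ("drop", None)

    def from_cache(self, cache, src, sport, dst, dport):
        """Packet arriving on port 6 (rts ena): the cache forwards the request to the
        origin with the client's source IP. Record who opened the session so the
        origin's reply can be returned to the same cache."""
        self.sessions[(src, sport, dst, dport)] = cache
        return ("route", DEFAULT_GW)
```

Without the session lookup, the origin's reply (source port 80, destination the client) would match filter 20 and be routed straight to the client, bypassing the cache that holds the connection state.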

Initial Configuration of the Switch Management Interface

Using a serial cable and a terminal emulation program, connect to the Radware-Alteon Application Switch.

The default console port settings are:
        Bits per Second: 9600
        Data Bits: 8
        Parity: None
        Stop Bits: 1
        Flow Control: None

Use the /cfg/sys/mmgmt menu to configure the management IP address 10.168.1.100, subnet mask 255.255.0.0, and default gateway 10.168.0.1.

        /cfg/sys/mmgmt/addr 10.168.1.100
        /cfg/sys/mmgmt/mask 255.255.0.0
        /cfg/sys/mmgmt/gw 10.168.0.1
        /cfg/sys/mmgmt/ena

Enable Telnet and SSH access to the Radware-Alteon Application Switch, then apply and save:

        /cfg/sys/access/sshd/on/ena
        apply
        save

Connecting to the Switch

You can accomplish initial switch configuration and management in a number of ways. An Application Switch offers a console connection, Telnet session, SSH and Web browser connection for initial configuration.

Logging into the Switch

The default user name and password are both "admin".

Detailed Configuration Overview

Note: The configuration reviewed below defines DST IP hashing. Please see Appendix 1 for advanced configuration options. Lines beginning with /* are annotations explaining each block.

script start "Alteon Application Switch 5412" 4 /**** DO NOT EDIT THIS LINE!
/* Configuration dump taken 2:31:18 Wed Nov 18, 2009
/* Configuration last applied at 2:24:15 Wed Nov 18, 2009
/* Configuration last save at 2:24:20 Wed Nov 18, 2009
/* Version 26.3.0.3, Base MAC address 00:03:b2:4f:b4:00
/* Management interface configuration
/c/sys/mmgmt
        addr 10.168.1.100
        mask 255.255.0.0
        broad 10.168.255.255
        gw 10.168.0.1
        tftp mgmt
        ena
/c/sys/mmgmt/port
        speed any
        mode any
        auto on
/* Display the host name on the LCD display and CLI prompt
/c/sys
        idle 121
        hprompt ena
/c/sys/access
        snmp r
        http ena
        tnet ena
/* Host name definition
/c/sys/ssnmp
        name "Alpha"
/* Create L2 trunk 1 and add physical ports 7 and 8
/c/l2/trunk 1
        add 7
        add 8
/* Enable VLAN tagging on physical port 1 (and likewise on ports 4 and 6)
/c/port 1
        tag ena
        pvid 66
/c/port 4
        tag ena
        pvid 66
/c/port 6
        tag ena
        pvid 65
/* Create VLAN 65 "Proxy Facing" and add physical ports 6-8; repeat for VLAN 66 with ports 1 and 4
/c/l2/vlan 65
        learn ena
        def 6 7 8
/c/l2/vlan 66
        ena
        learn ena
        def 1 4
/* Disable Spanning Tree
/c/l2/stg 1/off
/* Create L3 IP address and mask for VLAN 65 (proxies)
/c/l3/if 65
        ena
        ipver v4
        addr 10.65.0.5
        mask 255.255.0.0
        broad 10.65.255.255
        vlan 65
/* Create L3 IP address and mask for VLAN 66 (network)
/c/l3/if 66
        ena
        ipver v4
        addr 10.66.0.5
        mask 255.255.0.0
        broad 10.66.255.255
        vlan 66
/* Create the default gateway pointing to the PBR HA address
/c/l3/gw 1
        ena
        ipver v4
        addr 10.66.0.1
/* Enable VRRP redundancy mode
/c/l3/vrrp/on
/* Create virtual router VRID 66 for L3 interface 66, change the priority to 101
/* and add the VRRP address; repeat for VRID 65
/c/l3/vrrp/vr 66
        ena
        ipver v4
        vrid 66
        if 66
        addr 10.66.0.1
        prio 101
        share dis
/c/l3/vrrp/vr 65/vrid 65/addr 10.65.0.1/prio 101/if 65/en
/c/l3/vrrp/vr 65/vrid 65/share dis
/c/l3/vrrp/hotstan en
/c/l3/vrrp/group/en
/c/l3/vrrp/group/prio 101/if 65
/c/l3/vrrp/group/share dis
/* Turn on SLB (server load balancing)
/c/slb/on
/* Enable configuration sync and define the backup Alteon IP address
/c/slb/sync/peer 1
        addr 10.65.0.6
        ena
/c/slb/sync/prio dis
/* Turn on Return to Sender (RTS) for response persistency
/c/slb/adv
        submac ena
        rtsvlan ena
        subdmac ena
        tpcp ena
/* Define a health check script specifying the destination port value
/c/slb/advhc/script 1
        open "80,tcp"
        close
/* Create real server Proxy 1 with its IP address; repeat for all proxies.
/* maxcon 0 allows unlimited connections
/c/slb/real 1
        ena
        ipver v4
        rip 10.65.254.200
        maxcon 0
/c/slb/real 2
        ena
        ipver v4
        rip 10.65.254.201
        maxcon 0
/* Create the group for the cache/proxy cluster. The minmisses load balancing metric
/* protects against removal of servers while maintaining persistency, and is also
/* compatible with Layer 7 lookups if enabled. Use advanced health check (watchdog)
/* script 1 and add the real servers
/c/slb/group 1
        ipver v4
        metric minmisses
        health script 1
        add 1
        add 2
/* Create a filter to redirect all HTTP traffic to group 1
/c/slb/filt 10
        ena
        action redir
        ipver v4
        sip any
        smask 0.0.0.0
        dip any
        dmask 0.0.0.0
        proto tcp
        dport http
        group 1
        rport 0
        vlan any
/* Create a filter to route all other traffic to the default gateway
/c/slb/filt 20
        ena
        action allow
        ipver v4
        sip any
        smask 0.0.0.0
        dip any
        dmask 0.0.0.0
        vlan any
/* Enable filter processing on port 1 ingress and add the relevant filters.
/* This port is also marked for Hot Standby support
/c/slb/port 1
        filt ena
        hot ena
        add 10
        add 20
/* Enable the RTS process on port 6 ingress for proxy session tracking.
/* This port is also marked for Hot Standby support
/c/slb/port 6
        rts ena
        hot ena
/c/slb/port 4
        filt ena
        hot ena
/* Enable the InterSwitch process on ports 7 and 8 for redundancy
/c/slb/port 7
        inters ena
/c/slb/port 8
        inters ena
/
script end /**** DO NOT EDIT THIS LINE!

Setting up the Redundant Radware-Alteon Application Switch

Initial Configuration of the Switch Management Interface

Using a serial cable and a terminal emulation program, connect to the Radware-Alteon Application Switch.

The default console port settings are:
        Bits per Second: 9600
        Data Bits: 8
        Parity: None
        Stop Bits: 1
        Flow Control: None

Use the /cfg/sys/mmgmt menu to configure the management IP address 10.168.1.101, subnet mask 255.255.0.0, and default gateway 10.168.0.1.

        /cfg/sys/mmgmt/addr 10.168.1.101
        /cfg/sys/mmgmt/mask 255.255.0.0
        /cfg/sys/mmgmt/gw 10.168.0.1
        /cfg/sys/mmgmt/ena

Enable Telnet and SSH access to the Alteon Application Switch, then apply and save:

        /cfg/sys/access/sshd/on/ena
        apply
        save

Connecting to the Switch

You can accomplish initial switch configuration and management in a number of ways. An Application Switch offers a console connection, Telnet session, SSH and Web browser connection for initial configuration.

Logging into the Switch

The default user name and password are both "admin".

Redundant Unit Networking Configuration to Prepare Sync

/c/sys/mmgmt
        addr 10.168.1.101
        mask 255.255.0.0
        broad 10.168.255.255
        gw 10.168.0.1
        tftp mgmt
        ena
/c/sys/mmgmt/port
        speed any
        mode any
        auto on
/c/sys
        idle 121
        hprompt ena
/c/sys/access
        snmp r
        http ena
        tnet ena
/c/sys/ssnmp
        name "Beta"
/c/l2/trunk 1
        add 7
        add 8
/c/port 1
        tag ena
        pvid 66
/c/port 4
        tag ena
        pvid 66
/c/port 6
        tag ena
        pvid 65
/c/l2/vlan 65
        learn ena
        def 6 7 8
/c/l2/vlan 66
        ena
        learn ena
        def 1 4
/c/l2/stg 1/off
/c/l3/if 65
        ena
        ipver v4
        addr 10.65.0.6
        mask 255.255.0.0
        broad 10.65.255.255
        vlan 65
/c/l3/if 66
        ena
        ipver v4
        addr 10.66.0.6
        mask 255.255.0.0
        broad 10.66.255.255
        vlan 66
/c/l3/gw 1
        ena
        ipver v4
        addr 10.66.0.1
/c/slb/sync/peer 1
        addr 10.65.0.5
        ena
/c/slb/sync/prio dis

Apply and Save

Use the commands below to apply and save the configuration:

        apply
        save

From the Primary Unit Command Line, Sync Redundant Unit

Use the command below to manually sync the backup switch:

        /oper/slb/sync

NOTE: Use the /cfg/slb/sync menu to configure omitting sections of the configuration.

Appendix 1 – Optional Advanced Configurations

Steering Configuration to Classify Top Talking Domains with URL Hashing

        /c/slb/adv/direct ena
        /c/slb/layer7/redir/header ena host
        /c/slb/layer7/redir/hash ena
        /c/slb/layer7/slb/addstr "x.com"
        /c/slb/filt x /adv/layer7/l7lkup enable

Hostname Hashing for Redirection Filters Layer 7 Dispatch

        /c/slb/adv/direct ena
        /c/slb/filt x /adv/layer7
                l7lkup ena
                httphash header
                hash Host 255

To remove case sensitivity:

        /c/slb/layer7/slb
                case dis
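The steering logic behind the Host-header hashing of the Joint Subsystem Traffic Flow Definition and the URL-hashing and case-insensitivity options of this appendix, as an added Python model that is not Radware's code. It hashes on the lowercased Host by default, switches to Host plus URI only for the listed top-talking domains (the "addstr" entry; "x.com" is the guide's placeholder name), and uses rendezvous hashing as an assumed stand-in for the minmisses property that removing a cache moves only the keys that lived on it.

```python
import hashlib

# Constructed values: the guide's two real servers and one domain promoted to
# URL hashing, matching the Appendix 1 addstr entry.
CACHES = ["10.65.254.200", "10.65.254.201"]
URL_HASH_DOMAINS = {"x.com"}

def parse_request(raw: bytes):
    """Return (host, path) from a raw HTTP/1.x request. The host is lowercased
    (the appendix's 'case dis') and any :port suffix is dropped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]
            break
    return host, path

def hash_key(host, path):
    """Domain-level key by default (one key per Host, whatever destination IP
    the domain resolves to); object-level key only for top-talking domains."""
    return host + path if host in URL_HASH_DOMAINS else host

def pick_cache(key, caches=CACHES):
    """Rendezvous (highest-random-weight) hashing: each cache gets an independent
    score per key, so removing one cache only moves the keys that were on it.
    Assumed model of the minmisses behaviour, not Alteon's actual algorithm."""
    return max(caches, key=lambda c: hashlib.sha256(f"{key}|{c}".encode()).digest())

def steer(raw, caches=CACHES):
    """Full decision for one request: parse, derive the key, choose the cache."""
    host, path = parse_request(raw)
    return pick_cache(hash_key(host, path), caches)

def moved_keys(keys, before, after):
    """Keys whose cache assignment changes between two pool states."""
    return [k for k in keys if pick_cache(k, before) != pick_cache(k, after)]
```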

Appendix 2 – Primary Unit Configuration

script start "Alteon Application Switch 5412" 4 /**** DO NOT EDIT THIS LINE!
/* Configuration dump taken 2:31:18 Wed Nov 18, 2009
/* Configuration last applied at 2:24:15 Wed Nov 18
