Content Switch
- Introduction of content web switch.
- Some content switch products in the market.
- Design of a content switch.
11/2/2000 Weihong Wang/Content Switch Page 1
Introduction of Content Switch (1)
What is web server load balancing?
- Distributing incoming requests across servers to achieve parallel service.
- Transport layer load balancing: balances incoming requests based on address and port number.
- Application layer load balancing: redirects the user request based on the content of the request (e.g. URL, HTTP header, ...).
Introduction of Content Switch (2)
What is a Content Switch?
- An application layer load distribution mechanism.
- A network device which routes each user request for specific content to the server best able to handle that request.
- For example, a Content Switch can classify an incoming request based on its URL, HTTP meta header, cookie value and so on.
ArrowPoint Network Services (supports URL- and cookie-based switching)
- Who the customer is, based on the user cookie located within the HTTP header.
- What information or transaction the customer is requesting.
- Where best to service the customer.
Content Switch Architecture
(Figure: content switch processor and port controller, from Apostolopoulos 2000.)
- The port controller matches incoming packets.
- It forwards packets to the content switch processor or routes them directly.
- Rule matching results are downloaded to the port controller.
Content Switch Operations
(Figure: block diagram with the blocks Incoming Packets; Content Switch Rules with a CS Rule Editor; Packet Classification / Header Content Extraction; Content Switching Rule Matching Algorithm; Packet Routing (Load Balancing), fed by Network Path Info and Server Load Status; Forward Packet To Servers.)
Components of a Content Switch
- Defining the rules: determine the type of web content being requested.
- Rule matching process: identify the specific type of traffic, then route that traffic to the location best able to serve the traffic or customer request.
Two different design approaches for a Content Switch
- Process content type classification and routing policy at the application level. For example: application level proxies.
- Process content type classification and routing policy at the TCP/IP level. This needs modification of the operating system kernel. For example: using NAT to build a content switch.
Cisco Content Engine 2.20 (CE)
- Cisco CE supports HTTP and HTTPS proxy serving.
- CE examines each web request and decides on an action such as block, cache, or proxy.
- CE works at the application level.
- An example of a matching rule:
    rule no-cache url-regex .*cgi-bin.*
  This rule configures that incoming packets whose URL matches the pattern ".*cgi-bin.*" will not be forwarded to the proxy servers.
Intel Action/Classification Engines (ACEs)
- ACE classifies incoming packets according to predefined rule files.
- ACE then triggers actions in the associated action files.
- ACE uses the Network Classification Language (NCL) to configure rules.
- ACE is implemented at the TCP/IP level.
- Example of NCL:
    Rule check_http{tcp&&(tcp.sport==80)}{action_scan()}
  check_http is the name of the rule, {tcp&&(tcp.sport==80)} is the class matching condition, and {action_scan()} is the action function for this condition.
- This rule means that an incoming request with protocol = TCP and port = 80 goes to the action "action_scan()".
- NCL is simple to configure.
Design of the Content Switch
- Architecture of the Content Switch.
- Matching rules and routing policy.
- Flow chart.
TCP/IP level Content Switch Architecture (1)
NAT (network address translation)
- Incoming and outgoing packets all pass through the Content Switch.
- The Content Switch masquerades the IP address and port number of incoming and outgoing packets.
- The Content Switch uses delayed binding to connect to the back-end server.
Packet Processing in Content Switch
(Figure: Phase 1, Phase 2, Phase 3.)
TCP Delay Binding
(Figure.)
NAT Content Switch delayed binding
- The Content Switch first establishes a connection with the client.
- When data arrives, it chooses a server and establishes another connection by forwarding the original SYN message, discarding the ACK from the back-end server.
- For the following data transmission, the Content Switch only forwards each packet after masquerading its IP address and port number.
TCP/IP level Content Switch Architecture (2)
IP Tunnel and IP Direct Routing
- The Content Switch accepts the request and forwards it to the chosen server.
- The server then connects with the client directly.
- Delayed binding.
- Needs modification of the back-end server's TCP protocol.
- Faster than the NAT approach.
Content Switch Rules
The contents that should be covered:
- Source IP address and TCP/UDP port number.
- URL regular expression.
- HTTP meta header.
- SSL session ID.
- Values of XML tags.
Content Switch Rules (1)
Examples of Content Switch Rules

Cisco Network Based Application Recognition:
    Router(config)#class-map match-all http_secure
    Router(config)#match protocol secure-http
    Router(config)#class-map match-any audio_video
    Router(config)#match protocol http mime "audio/*"
    Router(config)#match protocol http mime "video/*"
    Router(config)#policy-map e-express
    Router(config-pmap-c)#class http_secure
    Router(config-pmap-c)#bandwidth 32
    Router(config-pmap-c)#class audio_video
    Router(config-pmap-c)#bandwidth 10
First define classes for secure HTTP requests and audio/video requests, then distribute the outbound bandwidth for each class.

Foundry ServerIron:
    ServerIron(config)#url-map gifPolicy
    ServerIron(config-url-gifPolicy)#method suffix
    ServerIron(config-url-gifPolicy)#match "gif" 1
    ServerIron(config-gifPolicy)#default 2
    ServerIron(config-gifPolicy)#exit
If the suffix of the URL in the incoming packet is gif, route to server group 1, else route to server group 2.

Intel IX-API SDK:
    Rule check_src {ip.src==10.10.30} {action_A()}
    Rule check_http{tcp&&(tcp.sport==80)}{action_scan()}
The meaning of rule check_src is: if the source IP address is 10.10.30, then execute the action function "action_A()".
Content Switching Rule Matching Algorithm
- Brute-force sequential execution: earlier rules have higher priority.
- Easy to solve the conflict problem.
- Ways to speed up the rule matching process:
  - Set flags based on the headers and content, and bypass rules that are not related.
  - Use compiler-optimization techniques to speed up the rule set.
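As an added example (not code from the slides), the sequential matcher described above together with the header/content extraction step of the operations diagram, in Python: an ordered rule table over the fields the slides list (source IP, URL regular expression, cookie value, HTTP header), where each rule declares the fields it needs so that rules which cannot apply are bypassed via a presence flag, and the first matching rule wins. The rule table, the 10.10.30.0/24 network and the server group names are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

def extract(raw, src_ip):
    """Header/content extraction: pull the fields the rules switch on out of a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, url, _ = lines[0].split(" ", 2)
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    cookies = dict(c.strip().split("=", 1) for c in hdrs.get("cookie", "").split(";") if "=" in c)
    return {"src_ip": src_ip, "method": method, "url": url, "cookie": cookies, "accept": hdrs.get("accept")}

# Ordered rule table (constructed for this example): position = priority, so an
# earlier rule wins when several match. Each entry lists the fields it needs, so a
# request lacking that field skips the rule without evaluating its predicate.
RULES = [
    ("deny_cgi",   {"url"},    lambda r: re.search(r"cgi-bin", r["url"]) is not None,            "drop"),
    ("intranet",   {"src_ip"}, lambda r: ip_address(r["src_ip"]) in ip_network("10.10.30.0/24"), "group_admin"),
    ("gold_users", {"cookie"}, lambda r: r["cookie"].get("tier") == "gold",                      "group_fast"),
    ("images",     {"url"},    lambda r: re.search(r"\.(gif|jpg)$", r["url"]) is not None,       "group_1"),
    ("video",      {"accept"}, lambda r: r["accept"].startswith("video/"),                       "group_video"),
    ("default",    set(),      lambda r: True,                                                   "group_2"),
]

def classify(req, rules=RULES):
    """Brute-force sequential matcher: the first matching rule decides the action."""
    present = {k for k, v in req.items() if v}      # flags: which fields this request carries
    for name, needs, pred, action in rules:
        if not needs <= present:                     # required field absent: bypass this rule
            continue
        if pred(req):
            return name, action
    return "none", "drop"

def route(raw, src_ip):
    """Classify one raw request, as the switch would after header extraction."""
    return classify(extract(raw, src_ip))
```

The first request below matches three rules (cgi-bin URL, intranet source, gold cookie); the earliest one wins, which is how the sequential order resolves conflicts.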
Flow Chart of Content Switch (1)
(Flow chart, packet from client, entering ip_input:)
- Connection established? Yes: masquerade IP address, port and seq, forward the packet, return.
- No: TCP/SYN? Yes: create the ACK-back message and send the ACK back to the client, return.
- No: TCP data/ACK? Yes: choose server, masquerade the SYN message, forward to server, return.
- No: UDP? Yes: choose server, masquerade the UDP packet, forward to server, return.
- No: deliver to upper layer.
Flow Chart of Content Switch (2)
(Flow chart, packet from back server, entering ip_forward:)
- Connection established? Yes: masquerade the packet and forward it.
- No: SYN/ACK? Yes: create the connection hash table entry, masquerade IP address, port and seq, forward the saved IP packet, return.
- No: forward as normal.
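An added model (not the author's kernel code) of the NAT delayed binding and sequence-number masquerading traced by the two flow charts, in Python: the switch completes the handshake with its own ISN, replays the saved SYN once the request content has selected a server, swallows the server's SYN/ACK and from then on shifts seq/ack by the ISN difference. Segments are plain dicts; the addresses, ISNs and the content-based choose_server rule are constructed for the example.

```python
MOD = 1 << 32  # TCP sequence space wraps at 2^32

class DelayedBinding:
    """One client flow through a NAT content switch (constructed model, not kernel code).
    Phase 1: answer the client's SYN with the switch's own ISN.  Phase 2: on first data,
    pick the server, replay the saved SYN, record server ISN - switch ISN as `delta`.
    Phase 3: forward later segments with seq/ack shifted by delta (addresses/ports
    are rewritten by the caller using the returned destination)."""
    def __init__(self, client, switch_isn):
        self.client, self.switch_isn = client, switch_isn
        self.server, self.delta, self.saved = None, None, []

    def from_client(self, seg, choose_server):
        """Client->switch segment; returns a list of (destination, segment) to emit."""
        if "SYN" in seg["flags"]:
            self.saved.append(seg)                              # keep the SYN for replay
            synack = {"flags": {"SYN", "ACK"}, "seq": self.switch_isn,
                      "ack": (seg["seq"] + 1) % MOD, "payload": b""}
            return [(self.client, synack)]
        if self.server is None:
            self.saved.append(seg)                              # hold until a server is bound
            if not seg["payload"]:
                return []                                       # bare ACK: no content yet
            self.server = choose_server(seg["payload"])         # content-based choice
            return [(self.server, dict(self.saved[0]))]         # replay the original SYN
        return [(self.server, self._shift(seg, ack_delta=self.delta))]

    def from_server(self, seg):
        """Server->switch segment; returns a list of (destination, segment) to emit."""
        if "SYN" in seg["flags"]:
            self.delta = (seg["seq"] - self.switch_isn) % MOD   # server ISN minus promised ISN
            held = [(self.server, self._shift(s, ack_delta=self.delta)) for s in self.saved[1:]]
            self.saved = []                   # the held ACK+data complete the server handshake
            return held                       # the server's SYN/ACK itself is not relayed
        return [(self.client, self._shift(seg, seq_delta=-self.delta))]

    @staticmethod
    def _shift(seg, seq_delta=0, ack_delta=0):
        return dict(seg, seq=(seg["seq"] + seq_delta) % MOD, ack=(seg["ack"] + ack_delta) % MOD)

def demo():
    """Run the exchange from the flow charts and return the values worth checking."""
    cs = DelayedBinding(client=("192.0.2.7", 40000), switch_isn=1000)
    pick = lambda data: ("10.0.0.11", 80) if data.startswith(b"GET /images/") else ("10.0.0.12", 80)
    cs.from_client({"flags": {"SYN"}, "seq": 5000, "ack": 0, "payload": b""}, pick)
    cs.from_client({"flags": {"ACK"}, "seq": 5001, "ack": 1001, "payload": b""}, pick)
    cs.from_client({"flags": {"ACK"}, "seq": 5001, "ack": 1001, "payload": b"GET /images/a.gif HTTP/1.0\r\n\r\n"}, pick)
    to_server = cs.from_server({"flags": {"SYN", "ACK"}, "seq": 9000, "ack": 5001, "payload": b""})
    to_client = cs.from_server({"flags": {"ACK"}, "seq": 9001, "ack": 5031, "payload": b"HTTP/1.0 200 OK\r\n"})
    return cs.server, cs.delta, to_server, to_client
```

The client never sees the server's ISN: its ACK of 1001 is rewritten to 9001 on the way in, and the server's first data segment at seq 9001 reaches the client as seq 1001.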